iNetCCIE -R&S Advan..

CCIE R&S Advanced
Agenda
Day 1 Session 1: CCIE Program Overview
Day 1 Session 2: CCIE Foundation Overview
Day 1 Session 3: Catalyst
Day 1 Session 4: Frame Relay
Day 1 Session 5: IPv6
Day 2 Session 6: RIPv2
Day 2 Session 7: EIGRP
Day 3 Session 8: OSPF
Day 3 Session 9: BGP
Day 4 Session 10: Multicast
Day 4 Session 11: QoS
Day 4 Session 12: Others
© 2007 Network Learning, Inc.
Housekeeping
• Restrooms
• Kitchen - Softdrinks and snacks available
• Cellphones - PLEASE put them on vibrate or turn them off. If you need to take/make a call, please exit the classroom.
• Smoking - outside in front of building
SESSION 1
CCIE R&S Program Overview
CCIE R&S Program Overview
1. CCNA/CCNP Certification (Optional)
2. CCIE Written Exam
3. CCBOOTCAMP’s R&S Foundation Course
4. Develop a Study Plan and Timeline to Prepare for LAB
a) Review CCIE Blueprint
b) Purchase and Download recommended reading from Cisco Press and CCO web site
c) Purchase LAB workbooks
d) Purchase and Setup Home Lab
e) Reserve Online Rack rentals
f) Save money or work out a deal with your employer to budget for multiple lab attempts
5. Schedule a Lab Date commensurate with the Timeline
6. Study, Practice, Practice some more, and then study
7. CCIE Advanced Bootcamp
8. CCIE Mock LAB Bootcamp
CCIE LAB Overview
• An 8-hour, hands-on, 100-point lab exam. Candidates must score 80 or above to pass.
• Students build a network to supplied specifications on a provided Cisco equipment rack.
• Lab questions can be completed in any order, although some questions depend on the completion of previous parts of the exam.
• Physical cabling is already done.
• Some of the basic functionality is preconfigured.
• Some of the equipment, such as the backbone routers, cannot be configured by the candidate.
Cisco R&S Equipment List
• 3725 series routers - IOS 12.4 mainline – Advanced
Enterprise Services
• 3825 series routers - IOS 12.4 mainline – Advanced
Enterprise Services
• Catalyst 3550 series switches running IOS version
12.2 – IP Services
• Catalyst 3560 Series switches running IOS version
12.2 - Advanced IP Services
Pre-lab Checklist
• Remove the Variables, increase your chances, and get your body physically and mentally
ready!
• Get to the testing city/location at least one day prior to your exam. If your time zone is
plus/minus more than six hours different than the time zone of the Cisco office you are
taking your exam, plan on getting there at least two days prior to the exam.
• Drive over to the facility where your lab exam will be held. Make sure you know how long
it will take you to get to the testing location.
• Look for a good place to eat breakfast near the facility.
• Eat a healthy dinner consisting of protein and complex carbohydrates. Stay away from
greasy, fatty, and sugary foods. Also, if you want to eat meat, try and eat chicken or fish
(avoid red meat as it takes your body longer to digest).
• Get a good night’s rest. Do not stay up the entire night trying to cram or study last
minute materials. Do NOT take any type of sleep aid that could still be in your system the
following day.
• Wake up at least ninety minutes before your exam start time. Get showered, dressed,
and go out for breakfast.
• At breakfast, eat only healthy foods. No greasy, fatty, or sugary items should be
consumed. Eat fruits, vegetables, oatmeal, etc.
• Arrive at the facility at least fifteen minutes prior to your exam.
CCIE R&S Blueprint
• Bridging and Switching
– Frame relay
– Catalyst configuration: VLANs, VTP, STP, MSTP, RSTP, Trunk, Etherchannel, management, features, advanced configuration, Layer 3
• IP IGP Routing
– OSPF
– EIGRP
– RIPv2
– IPv6: Addressing, RIPng, OSPFv3
– GRE
– ODR
– Filtering, redistribution, summarization and other advanced features
• BGP
– iBGP
– eBGP
– Filtering, redistribution, summarization, synchronization, attributes and other advanced features
CCIE (R&S) Blueprint Cont.
These topics would be covered in the Advanced Boot camp
• IP and IOS Features
– IP addressing
– DHCP
– HSRP
– IP services
– IOS user interfaces
– System management
– NAT
– NTP
– SNMP
– RMON
– Accounting
• QoS
– Quality of service solutions
– Congestion management, congestion avoidance
– Classification
– Policing and shaping
– Signaling
– Link efficiency mechanisms
– Modular QoS command line
• IP Multicast
– PIM, bi-directional PIM
– MSDP
– Multicast tools, source specific multicast
– DVMRP
– Anycast
• Security
– AAA
– Security server protocols
– Traffic filtering and firewalls
– Access lists
– Routing protocols security, catalyst security
– CBAC
– Other security features
SESSION 2
CCIE Advanced Bootcamp
Overview
Advanced Class Hours - Instructor
• Monday
9:00 AM till your head hurts
• Tuesday
9:00 AM till your head hurts
• Wednesday
9:00 AM till your head hurts
• Thursday
9:00 AM till your head is spinning
• Friday
9:00 AM till 3-ish [Mock Lab]
Lunch Break at 1:00 PM to 2:00 PM (60 minutes)
CCBOOTCAMP R&S Rack Layout
(Figure: rack diagram of routers R1-R8 (2811s), switches SW1-SW4, backbone routers BB1-BB3 and an LS1010 ATM switch, with serial DCE links through the Frame Relay cloud and FastEthernet links between the routers and switches.)
TFTP Server Address: 172.22.1.254 /24
PublicNet: 172.22.10X.0 /24 (DG: 172.22.10X.1)
ACS/CA Server: 192.168.0.0 /16
SESSION 3
Switching
First Things First (Ping Script)
tclsh
foreach address {
150.10.1.1
150.10.2.2
150.10.3.3
150.20.5.5
150.20.35.35
} {ping $address}
On a switch
Things You should already know (not covered)
• Interface Commands
• VTP
• Spanning Tree
• SPAN
• Storm Control
• Protected Ports
• 802.1X authentication
• Trunking
• MAC Address expiration
• Templates
Topics Covered
• Ether-channel and Load Balancing
• MST spanning tree
• Rapid Spanning Tree
• Advanced Switch Security
• Switch QoS
Ether channel
• PAgP can automatically group interfaces with the same speed, duplex, mode, native VLAN, VLAN range, and trunking status and type.
• The EtherChannel group looks like a single switch port to Spanning Tree.
• PAgP modes: auto, desirable, on
• The first port in the channel that comes up provides its MAC address to the EtherChannel
Link Aggregation Control Protocol
• LACP is defined in IEEE 802.3ad and enables Cisco switches to manage Ethernet channels between switches
• Similarly configured ports are grouped based on hardware, administrative, and port parameter constraints such as same speed, duplex mode, native VLAN, VLAN range, and trunking status and type
• A port in the active mode can form an EtherChannel with another port that is in the active or passive mode.
• A port in the passive mode cannot form an EtherChannel with another port that is also in the passive mode because neither port starts LACP negotiation.
• Can have 8 active and 8 standby ports per ether channel. (16)
*Note: when the mode is configured manually (on), both ends of the EtherChannel must have the same configuration. If the group is misconfigured, packet loss or spanning-tree loops can occur.
Load Balancing and Forwarding
• Reduces part of the binary pattern formed from the addresses
in the frame to a numerical value that selects one of the links
in the channel.
• EtherChannel load balancing can use MAC addresses or IP
addresses, source or destination addresses, or both source
and destination addresses.
Source/destination MAC load balancing
• The PCs use different ports on SW1
• The router will use different ports to reply to the PCs
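How the switch turns frame addresses into a link choice, as an added example that is not from the slides: a Python model of the XOR-of-low-order-bits selection used by Catalyst EtherChannel (1 bit of hash for 2 links, 2 for 4, 3 for 8). The MACs, IPs and link counts are constructed; real hardware may differ in detail.

```python
"""Added example (not from the slides): model how an EtherChannel picks a
member link from the addresses in a frame.  The slides say the switch
reduces part of the address bit pattern to a number that selects a link;
this models that as XOR of the low-order bits of the chosen address
fields, the scheme Catalyst documentation describes.  All addresses and
link counts below are constructed sample values."""


def _low_bits(value, n_bits):
    """Keep only the n low-order bits of an integer address."""
    return value & ((1 << n_bits) - 1)


def link_index(num_links, src=None, dst=None):
    """Select a member link in a channel of num_links members.

    num_links must be 2, 4 or 8 (1, 2 or 3 hash bits).  src/dst are integer
    MAC or IPv4 addresses.  Passing both gives src-dst mode, passing one
    gives src-only or dst-only mode, the modes the deck lists.
    """
    n_bits = {2: 1, 4: 2, 8: 3}[num_links]
    h = 0
    for field in (src, dst):
        if field is not None:
            h ^= _low_bits(field, n_bits)
    return h


def mac(text):
    """Parse a Cisco-style (0000.0c12.3456) or colon-separated MAC."""
    return int(text.replace(".", "").replace(":", ""), 16)


def ip(text):
    """Parse dotted-quad IPv4 into an integer."""
    o = [int(x) for x in text.split(".")]
    return (o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]


# Constructed topology for the "Source/destination MAC load balancing"
# slide: two PCs behind SW1 talk to one router over a 2-link channel.
ROUTER = mac("0000.0c07.ac01")   # low bit 1
PC_A = mac("0012.3456.7890")     # low bit 0
PC_B = mac("0012.3456.7891")     # low bit 1


def links_toward_router(num_links, mode):
    """Link chosen for each PC's frames in the given balancing mode."""
    out = {}
    for name, pc in (("PC_A", PC_A), ("PC_B", PC_B)):
        if mode == "src-mac":
            out[name] = link_index(num_links, src=pc)
        elif mode == "dst-mac":
            out[name] = link_index(num_links, dst=ROUTER)
        else:  # src-dst-mac
            out[name] = link_index(num_links, src=pc, dst=ROUTER)
    return out


def links_for_replies(num_links, mode):
    """Link chosen for the router's replies to each PC in the given mode."""
    out = {}
    for name, pc in (("PC_A", PC_A), ("PC_B", PC_B)):
        if mode == "src-mac":
            out[name] = link_index(num_links, src=ROUTER)
        elif mode == "dst-mac":
            out[name] = link_index(num_links, dst=pc)
        else:
            out[name] = link_index(num_links, src=ROUTER, dst=pc)
    return out


if __name__ == "__main__":
    # Toward the router, src-mac spreads the PCs; the replies only spread
    # when the PC address (the destination) takes part in the hash.
    for mode in ("src-mac", "dst-mac", "src-dst-mac"):
        print(mode, links_toward_router(2, mode), links_for_replies(2, mode))
```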
Switch Security
• MAC Flood Attacks
• Port Security
• ARP Inspection
• MAC ACLs
• VACLs
• Private VLANs
Rapid Spanning Tree Protocol (RSTP)
RSTP Port Roles
RSTP Port States
• RSTP provides rapid convergence of the spanning tree.
• Reconfiguration of the spanning tree can occur in less than 1 second (in contrast to 50 seconds with 802.1D).
• Only non-edge ports moving to the forwarding state cause a topology change.
Rapid PVST
802.1s (Multiple Spanning Tree)
• MST (IEEE 802.1s) combines the best aspects of both PVST+ and 802.1Q.
• When you enable MST you enable 802.1w (RSTP)
• The idea is that several VLANs can be mapped to a reduced number of spanning tree instances because most networks do not need more than a few logical topologies.
• There is no need to run 1000 instances. If you map half of the 1000 VLANs to a different spanning tree instance, as shown in this diagram, these statements are true:
–The desired load balancing scheme can still be achieved, because half of the VLANs follow one separate instance.
–The CPU is spared because only two instances are computed.
MST Configuration
MAC Flood Attacks
• Affects transparent switches
• Switches learn and populate the CAM table based on source MAC addresses
• If too many MAC addresses are sent, the CAM table fills and the switch enters fail-open mode
• The switch then forwards every frame out every port
• This allows hackers to sniff other clients' unicast information.
Preventing MAC Flooding with Port Security
Port Security - Aging
• Static - enables the aging timer for static entries
• Time - <1-1440> Aging time in minutes
• Type –
– absolute: Absolute aging (default)
– inactivity: Aging based on inactivity time period
Mac-address
• Can manually input the actual Mac address
• Also can store dynamically learned Mac addresses with Sticky
Maximum
• The total amount of Mac addresses allowed on a
port
Violations
• The action to take if port security is violated
– protect—When the number of port secure MAC addresses reaches the maximum
limit allowed on the port, packets with unknown source addresses are dropped until
you remove a sufficient number of secure MAC addresses to drop below the
maximum value or increase the number of maximum allowable addresses. You are
not notified that a security violation has occurred. (no syslogs/snmp)
– restrict—When the number of secure MAC addresses reaches the limit allowed on
the port, packets with unknown source addresses are dropped until you remove a
sufficient number of secure MAC addresses or increase the number of maximum
allowable addresses. An SNMP trap is sent, a syslog message is logged, and the
violation counter increments.
– shutdown—The interface is error disabled when a violation occurs, and the port LED
turns off. An SNMP trap is sent, a syslog message is logged, and the violation
counter increments
Apply Port Security and Verify
• If more than 3 mac-addresses are learned any
additional sources will cause the port to be
shutdown (error disabled).
HSRP and Port Security
• HSRP has a virtual mac-address that counts towards the maximum allowed on a port configured for port security.
• Options:
–switchport port-security maximum 2 (can still cause a violation for a short period of time)
–Static mac-address entry for the HSRP virtual mac-address
–(Best choice) use-bia command on the router’s interface
•standby use-bia scope interface
http://www.cisco.com/en/US/products/ps6350/products_command_reference_chapter09186a00804462c4.html#wp1165870
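The violation modes on the previous slides and the HSRP interaction above, as an added example that is not from the slides: a small Python model of a port-security port that shows what protect, restrict and shutdown each do when the secure-address maximum is exceeded, and why an HSRP virtual MAC trips a maximum-1 port. The MACs, maximum values and HSRP group are constructed sample values.

```python
"""Added example (not part of the slides): a small model of Catalyst port
security as the deck describes it, so the protect, restrict and shutdown
violation modes and the HSRP virtual-MAC interaction can be compared.
The maximum values, MACs and HSRP group below are constructed samples."""

from collections import OrderedDict

# HSRP version 1 virtual MAC format is 0000.0c07.acXX (XX = group number).
HSRP_VMAC_GROUP1 = "0000.0c07.ac01"


class SecurePort:
    """One access port with 'switchport port-security' applied."""

    def __init__(self, maximum=1, violation="shutdown", sticky=False):
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError("unknown violation mode: %s" % violation)
        self.maximum = maximum
        self.violation = violation
        self.sticky = sticky
        self.secure = OrderedDict()   # secure MAC -> how it was learned
        self.err_disabled = False
        self.violation_count = 0
        self.log = []                 # syslog/SNMP notifications emitted

    def add_static(self, mac):
        """Equivalent of 'switchport port-security mac-address <mac>'."""
        self.secure[mac] = "static"

    def frame_in(self, src_mac):
        """Return 'forward' or 'drop' for a frame with this source MAC."""
        if self.err_disabled:
            return "drop"
        if src_mac in self.secure:
            return "forward"
        if len(self.secure) < self.maximum:
            # Learned dynamically; 'sticky' would also write it to the config.
            self.secure[src_mac] = "sticky" if self.sticky else "dynamic"
            return "forward"
        return self._violate(src_mac)

    def _violate(self, src_mac):
        if self.violation == "protect":
            return "drop"                 # silent: no counter, no log
        self.violation_count += 1
        self.log.append("port-security violation from %s" % src_mac)
        if self.violation == "shutdown":
            self.err_disabled = True      # port goes err-disabled
        return "drop"


def flood_sources(port, count, prefix="0200.0000."):
    """Feed `count` constructed source MACs into a port, as a MAC flood
    would, and return how many were forwarded (i.e. learned as secure)."""
    forwarded = 0
    for i in range(count):
        if port.frame_in("%s%04x" % (prefix, i)) == "forward":
            forwarded += 1
    return forwarded


def hsrp_demo():
    """HSRP slide: with maximum 1 the virtual MAC is a second source and
    trips the port; a static entry for it plus maximum 2 does not."""
    bia = "0011.2233.4455"                # router burned-in address
    tripped = SecurePort(maximum=1, violation="shutdown")
    tripped.frame_in(bia)
    tripped.frame_in(HSRP_VMAC_GROUP1)
    fixed = SecurePort(maximum=2, violation="shutdown")
    fixed.add_static(HSRP_VMAC_GROUP1)
    fixed.frame_in(bia)
    fixed.frame_in(HSRP_VMAC_GROUP1)
    return tripped.err_disabled, fixed.err_disabled


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        p = SecurePort(maximum=3, violation=mode)
        got = flood_sources(p, 10)
        print(mode, "forwarded", got, "violations", p.violation_count,
              "err-disabled", p.err_disabled)
    print("hsrp tripped/fixed:", hsrp_demo())
```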
ARP Spoofing
• Gratuitous ARP
–Detect IP conflicts. When a machine receives an ARP request
containing a source IP that matches its own, then it knows there
is an IP conflict.
–They assist in the updating of other machines' ARP tables.
–They inform switches of the MAC address of the machine on a
given switch port, so that the switch knows that it should transmit
packets sent to that MAC address on that switch port.
–Every time an IP interface or link goes up, the driver for that
interface will typically send a gratuitous ARP to preload the ARP
tables of all other local hosts.
ARP DoS
• Overloads a switch port with ARP traffic
• The switch can handle an untrusted host connecting to as many as 15 new hosts per second; the rate is checked every second
• If the limit is exceeded, the port changes to error disabled
IP ARP Inspection
• This feature helps prevent malicious attacks on the
switch by not relaying invalid ARP requests and
responses to other ports in the same VLAN
• How does it work?
–DHCP Snooping (Recommended in production)
–Static ARP Access-list (Use for Lab situation)
ARP inspection Cont.
• Option to change defaults per port
IP Source Guard
• By watching which IP addresses are assigned by DHCP, a switch can create dynamic ACLs to block all traffic except traffic from DHCP-assigned IP addresses.
• Benefits:
–Prevents a hacker from spoofing their IP address to launch an anonymous attack.
–Prevents users from ignoring DHCP and manually configuring a static IP address.
IP Source Guard Configuration
DHCP Snooping
• Create a DHCP database on flash or TFTP
• Enable DHCP Snooping
• "The option-82 information contains the switch MAC address (the remote ID suboption) and the port identifier, vlan-mod-port, from which the packet is received (circuit ID suboption). The switch forwards the DHCP request that includes the option-82 field to the DHCP server."
• ip dhcp snooping database flash:file01.txt
• ip dhcp snooping
• ip dhcp snooping information option
Show IP DHCP Snooping Bindings
Switch> show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
01:02:03:04:05:06   10.1.2.150       9837        dhcp-snooping  20    GigabitEthernet0/1
00:D0:B7:1B:35:DE   10.1.2.151       237         dhcp-snooping  20    GigabitEthernet0/2
Total number of bindings: 2
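How the binding table above feeds the ARP inspection and IP Source Guard slides, as an added example that is not from the slides: Python that parses a constructed copy of the show output and applies the same per-port checks DAI and IPSG apply (sender MAC/IP must match a binding on the ingress port and VLAN; trusted ports are exempt). The test frames are constructed.

```python
"""Added example (not from the slides): parse the 'show ip dhcp snooping
binding' table and use it the way Dynamic ARP Inspection and IP Source
Guard do: accept only ARP and IP traffic whose source matches a binding
learned on the ingress port and VLAN.  The table text and the frames
checked in the tests are constructed sample data."""

import re
from collections import namedtuple

Binding = namedtuple("Binding", "mac ip lease type vlan interface")

# Constructed copy of the output on the slide (two bindings).
SNOOPING_OUTPUT = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
01:02:03:04:05:06   10.1.2.150       9837        dhcp-snooping  20    GigabitEthernet0/1
00:D0:B7:1B:35:DE   10.1.2.151       237         dhcp-snooping  20    GigabitEthernet0/2
Total number of bindings: 2
"""

_ROW = re.compile(
    r"^([0-9A-Fa-f:]{17})\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)$")


def parse_bindings(text):
    """Return Binding rows; header, rule and total lines do not match."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            mac, ip, lease, typ, vlan, intf = m.groups()
            rows.append(Binding(mac.lower(), ip, int(lease), typ, int(vlan), intf))
    return rows


def arp_inspect(bindings, vlan, interface, sender_mac, sender_ip, trusted=False):
    """DAI decision for an ARP packet received on (vlan, interface).

    Trusted ports (uplinks to other switches) are not checked.  On untrusted
    ports the sender MAC/IP pair must match a binding on that same port, so a
    host cannot claim another host's or the gateway's IP in ARP."""
    if trusted:
        return "permit"
    for b in bindings:
        if (b.vlan == vlan and b.interface == interface
                and b.mac == sender_mac.lower() and b.ip == sender_ip):
            return "permit"
    return "drop"


def ip_source_guard(bindings, vlan, interface, src_ip, src_mac=None):
    """IPSG decision: the source IP (and the MAC too, when port-security
    style filtering is on) must belong to a binding on the ingress port.
    Anything else is dropped, which is what blocks a hand-configured
    static IP that DHCP never handed out."""
    for b in bindings:
        if b.vlan != vlan or b.interface != interface or b.ip != src_ip:
            continue
        if src_mac is None or b.mac == src_mac.lower():
            return "permit"
    return "drop"


if __name__ == "__main__":
    table = parse_bindings(SNOOPING_OUTPUT)
    for b in table:
        print(b)
    print(arp_inspect(table, 20, "GigabitEthernet0/2",
                      "00:d0:b7:1b:35:de", "10.1.2.150"))   # spoofed IP
    print(ip_source_guard(table, 20, "GigabitEthernet0/2", "10.1.2.200"))
```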
Mac-address Access-list
• You can configure a MAC address ACL using either of the following:
• Access-list 700-799: 48-bit MAC address access-list
• or the extended version of the 48-bit MAC address access-list, 1100-1199
• To filter using the MAC address access-list, first you would define your access-list. Say that you wanted to allow only a host with the MAC address 0800.0123.4567 to access the Ethernet0/0 interface. You would define the access-list like this:
Router(config)# access-list 700 permit 0800.0123.4567
You can use these same methods to filter by “vendor code”. All companies who create Ethernet devices are designated a block of MAC addresses and all of these blocks begin with a specific string. This prefix for each vendor is known as the “vendor code”.
Protocol Type-Code Access-Lists (ACL)
• Used for non IP traffic
• Inbound only
MAC ACLs Cont.
Vlan ACLs (VACLs)
Private VLANs
• The private-VLAN feature addresses two problems
that service providers face when using VLANs:
–Scalability: The switch supports up to 1005 active VLANs.
If a service provider assigns one VLAN per customer, this
limits the numbers of customers the service provider can
support.
–To enable IP routing, each VLAN is assigned a subnet
address space or a block of addresses, which can result in
wasting the unused IP addresses, and cause IP address
management problems.
Primary to Secondary VLAN
• There are two types of secondary VLANs:
–Isolated VLANs—Ports within an isolated VLAN cannot
communicate with each other at the Layer 2 level.
–Community VLANs—Ports within a community VLAN can
communicate with each other but cannot communicate
with ports in other communities at the Layer 2 level.
Private Vlan Access Ports
• Private VLANs provide Layer 2 isolation between ports within the
same private VLAN. Private-VLAN ports are access ports that are one
of these types:
–Promiscuous—A promiscuous port belongs to the primary VLAN and can
communicate with all interfaces, including the community and isolated
host ports that belong to the secondary VLANs associated with the
primary VLAN. (Default Gateway)
–Isolated—An isolated port is a host port that belongs to an isolated
secondary VLAN. It has complete Layer 2 separation from other ports
within the same private VLAN, except for the promiscuous ports.
–Community—A community port is a host port that belongs to a
community secondary VLAN. Community ports communicate with other
ports in the same community VLAN and with promiscuous ports.
* Note Trunk ports carry traffic from regular VLANs and also from
primary, isolated, and community VLANs.
Issues with VTP V3 and Private VLANs
• Private VLANs need VTPv3
• If configuring in a 3550 or 3560 set VTP to
transparent
Private Vlan Compatibility
• Do not configure private-VLAN ports on interfaces configured for these other features:
– dynamic-access port VLAN membership
– Dynamic Trunking Protocol (DTP)
– Port Aggregation Protocol (PAgP)
– Link Aggregation Control Protocol (LACP)
– Multicast VLAN Registration (MVR)
– voice VLAN
– Web Cache Communication Protocol (WCCP)
Private VLAN configuration
Show private Vlans
Promiscuous Port / Default Gateway
Applying a Community to interfaces
3560 QOS Considerations
• Uses shaped round robin (SRR)
• Q1 can be configured as a priority queue
• Queues can operate in shaped or sharing modes
• Each interface can be assigned to one of two queue-sets
–4 queues egress
–2 queues inbound
• Congestion avoidance algorithm is Weighted Tail Drop (WTD)
*Note: the 3550 only has egress queues, and queue 4 is the priority queue by default
Weighted Tail Drop
• Queue size is 1000 frames.
• Three drop percentages are configured: 40 percent
(400 frames), 60 percent (600 frames), and 100
percent (1000 frames).
• 400 frames can be queued at the 40-percent
threshold, up to 600 frames at the 60-percent
threshold, and up to 1000 frames at the 100-percent
threshold.
SRR Shaping and Sharing
• Both the ingress and egress queues are serviced
by Shaped Round Robin (SRR)
• SRR controls the rate at which packets are sent.
• On the ingress queues, SRR sends packets to the
internal ring.
• On the egress queues, SRR sends packets to the
egress port.
Input Queue
(Figure: ingress queue configuration showing the bandwidth weight for queue 1 and queue 2, the DSCP values mapped to each queue, and the queue id.)
Output Queue
(Figure: egress queue-set configuration showing, for queues 1 to 4, the queue-set id, queue id, drop thresholds, and the buffer, reserved threshold and maximum threshold percentages.)
SRR applied
Frame Relay
• Interfaces
• Inverse ARP
• Mesh
• Hub and spoke
• Point-to-point
• Combination
• Issues
• Advanced Frame-relay and PPP
Frame-Relay Interface Configuration
Inverse ARP
Static Mappings
Sub Interfaces
Point-to-Multipoint Sub interface
Point-to-point Sub Interface
Mesh Topology
Full Mesh Frame-relay
• Requirements (physical interfaces)
–With Inverse ARP
•NO frame relay maps required
–With NO inverse-arp allowed
•A PVC/FR map configured between each pair of routers
–Total PVCs = k(k-1)/2 where k = number of routers
–3 routers need 6 DLCIs
–All routers are on the same subnet
–All routers are using the physical interface
–Can support Broadcast or NBMA
Full Mesh Frame-relay Point-to-Multipoint Sub
• In a frame-relay mesh multipoint configuration the following must be true before two routers can communicate:
–The destination IP address must be in the routing table
–There must be a frame-relay map for the destination IP address. The destination IP address can be any IP address including yours (you need a map statement to ping your own interface).
Hub and Spoke Topology
Frame Relay Hub and Spoke
• Requirements
–With Physical Interfaces and inverse-arp
•No map statements needed on spokes
•Map statements needed on hub to all spokes
–With Physical Interfaces and No inverse-arp
•Map statements needed on hub to each spoke and one
map from the spoke to hub
–Enable broadcasts over the NBMA if required for routing
protocol or multicast
–All routers are on a common subnet
Example Configuration from the HUB router
On R1 (hub):
interface Serial0/0/0
 ip address 131.1.234.1 255.255.255.0
 encapsulation frame-relay
 frame-relay map ip 131.1.234.2 102 broadcast
 frame-relay map ip 131.1.234.3 103 broadcast
 frame-relay map ip 131.1.234.4 104 broadcast
 no frame-relay inverse-arp
 no shutdown
To prevent inverse-arp, wait until all routers have been configured for FR before un-shutting the interfaces.
Frame Relay Hub and Spoke Point-to-Multipoint
• Inverse ARP is not recommended and should be disabled
• Need FR map statements configured on the hub's sub interface to each spoke.
• Need FR map statements from each spoke to the hub.
–Enable broadcasts over the NBMA if required for routing protocol or multicast
–All routers are on a common subnet
–Still need a map statement to ping your own interface
Frame Relay Point-to-Point
• Requirements
–Uses sub interfaces
–A separate L3 subnet for each pair of routers
–Works the same with or without Inverse ARP
*Note: if the routers are configured in a point-to-point manner they will NOT generate inverse-arp requests; however, if they receive a request, they will respond. Useful for combinations of one end on a p2p sub interface and the other on a physical interface.
Troubleshoot Frame Relay
• show interface
• show controllers serial
• show frame-relay lmi
• show frame-relay pvc
• show frame-relay map
• debug frame-relay lmi
PPP 2-way authentication (PAP and Chap)
Debug PPP authentication
PAP/CHAP configuration
FREEK (Frame Relay End-to-End Keepalives)
• There are four modes that determine the type of keepalive traffic each device sends and responds to:
– In bidirectional mode, the device will send keepalive requests to the other end of the VC and will respond to keepalive requests from the other end of the VC.
– In request mode, the device will send keepalive requests to the other end of the VC.
– In reply mode, the device will respond to keepalive requests from the other end of the VC.
– In passive-reply mode, the device will respond to keepalive requests from the other end of the VC, but will not track errors or successes.
Configuring FREEK
For example, could require 3 in a row
Objectives
• IPv6 Addressing
• IPv6 Address Scopes
• Enabling IPv6
• RIPng
• EIGRP for IPv6
• OSPFv3
• OSPFv3 over NBMA
• IPv6 over IPv4
Things not covered
• IPv6 Neighbor Discovery
• Duplicate Address Detection
• Solicited Node
• Stateless Auto-configuration
• DHCPv6
• DNSv6
Larger Address Space
• IPv4
–32 bits or 4 bytes long
–≈ 4,200,000,000 possible addressable nodes
• IPv6
–128 bits or 16 bytes: four times the bits of IPv4
–≈ 3.4 × 10^36 (340 undecillion) possible addressable nodes
–= 340,282,366,920,938,463,374,607,432,768,211,456
–≈ 5 × 10^28 addresses
IPV6 Addressing
• IPV6 addresses are 128 bits long
• Consecutive zeroes can be eliminated (::)
• 2001:0:0:A1::1E2A/64
• 2001:0:0:A1 is the network portion
• Interface portion is 0:0:0:1E2A or ::1E2A
IPV6 Address Scopes
• Link-local Scope
• Unique-local Scope
• Global Scope
Link-local
Format (128 bits): 1111 1110 10 (10 bits, FE80::/10) | 0 | Interface ID (64 bits)
• Identifies all hosts within a single layer 2 domain
• Unicast addresses within this scope are called link-local addresses
• They are assigned by default when ipv6 is enabled on an interface
• Network address is always FE80::/10
• Host portion derived from MAC address (Modified EUI-64)
• Can be manually assigned too, e.g. R3(config-if)#ipv6 address FE80::3 link-local
• Independent of the global addressing scheme
• Cannot be routed
IPv6 Address Configuration (Cont.)
LAN: 3ffe:b00:c18:1::/64
Ethernet0
ipv6 unicast-routing
interface Ethernet0
ipv6 address 3ffe:b00:c18:1::/64 eui-64
MAC address: 0060.3e47.1530
router# show ipv6 interface Ethernet0
Ethernet0 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::160:3EFF:FE47:1530
Global unicast address(es):
3FFE:B00:C18:1:160:3EFF:FE47:1530, subnet is 3FFE:B00:C18:1::/64
Joined group address(es):
FF02::1:FF47:1530
FF02::1
FF02::2
MTU is 1500 bytes
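What "ipv6 address ... eui-64" computes from the interface MAC, as an added example that is not from the slides: Python that builds the modified EUI-64 interface ID, the link-local and global addresses, and the solicited-node multicast group that appears under "Joined group address(es)" above. The MAC and prefix are the ones on the slide; the standard library ipaddress module does the compression.

```python
"""Added example (not from the slides): derive the addresses that
'ipv6 address <prefix> eui-64' produces from a 48-bit MAC: the modified
EUI-64 interface ID, the link-local and global unicast addresses, and the
solicited-node multicast group.  The MAC and prefix used in the tests are
the ones on the slide."""

import ipaddress

SOLICITED_NODE_PREFIX = ipaddress.IPv6Address("ff02::1:ff00:0")


def modified_eui64(mac_text):
    """MAC (0060.3e47.1530, 00:60:3e:47:15:30 or 00-60-...) -> 8-byte ID.

    Insert FFFE between the OUI and the device part, then invert the
    universal/local bit (0x02 in the first byte) as RFC 4291 requires."""
    digits = mac_text.replace(".", "").replace(":", "").replace("-", "")
    raw = bytes.fromhex(digits)
    if len(raw) != 6:
        raise ValueError("not a 48-bit MAC: %r" % mac_text)
    eui = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])
    eui[0] ^= 0x02
    return bytes(eui)


def eui64_address(prefix_text, mac_text):
    """Combine a /64 prefix with the interface ID derived from the MAC."""
    net = ipaddress.IPv6Network(prefix_text, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    packed = net.network_address.packed[:8] + modified_eui64(mac_text)
    return ipaddress.IPv6Address(packed)


def link_local(mac_text):
    """The FE80::/10 address a router assigns by default for this MAC."""
    return eui64_address("fe80::/64", mac_text)


def solicited_node(addr_text):
    """FF02::1:FFxx:xxxx built from the low 24 bits of a unicast address;
    neighbor discovery for that address is sent to this group."""
    low24 = int(ipaddress.IPv6Address(addr_text)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(SOLICITED_NODE_PREFIX) | low24)


def interface_summary(prefix_text, mac_text):
    """Everything the 'show ipv6 interface' output derives from the MAC."""
    glob = eui64_address(prefix_text, mac_text)
    return {
        "link-local": str(link_local(mac_text)),
        "global": str(glob),
        "solicited-node": str(solicited_node(glob)),
    }


if __name__ == "__main__":
    for key, value in interface_summary("3ffe:b00:c18:1::/64",
                                        "0060.3e47.1530").items():
        print("%-15s %s" % (key, value))
```

The U/L-bit flip turns the MAC's leading 00 into 02, so the interface ID this code returns begins 260:3eff:fe47:1530 and the solicited-node group is ff02::1:ff47:1530.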
Unique-local
Format (128 bits): 1111 1110 11 (10 bits, FEC0::/10) | 0 | Subnet ID (16 bits) | Interface ID
• Previously referred to as site local
• Identifies all devices within an administrative domain containing multiple distinct links
• Unicast addresses within this scope are called unique-local addresses
• Have a scope limited to the site
• Network address is always FEC0::/10
• 16 bits in the network address identify the subnet
• Host portion derived from MAC address (Modified EUI-64)
Global Unicast Addresses
Format: Global Routing Prefix (provider, usually given a /48) | Subnet ID (site) | Interface ID (64 bits)
• Global unicast addresses are:
–Addresses for generic use of IPv6
• Identifies all devices reachable across the Internet
• Unicast addresses within this scope are called global unicast addresses
• Have to be globally unique and routable
• Addresses reserved for global scope: 2000::/3
• Can have a variable subnet portion
• Last 64 bits for the interface identifier
Unspecified and Loopback Addresses
• Unspecified address:
–0:0:0:0:0:0:0:0
–Used as a placeholder when no address is available (initial DHCP
request, DAD)
• Loopback address:
–0:0:0:0:0:0:0:1
–Same as 127.0.0.1 in IPv4
–Identifies self
IPv4-Mapped Addresses
Format: 0 (80 bits) | FFFF (16 bits) | IPv4 Address (32 bits)
0:0:0:0:0:FFFF:192.168.30.1
= ::FFFF:192.168.30.1
= ::FFFF:C0A8:1E01
• IPv4-mapped addresses:
–Used to represent the addresses of IPv4 nodes as IPv6 addresses
IPv4-Compatible Addresses
Format: 0 (80 bits) | 0000 (16 bits) | IPv4 Address (32 bits)
0:0:0:0:0:0:192.168.30.1
= ::192.168.30.1
= ::C0A8:1E01
• IPv4-compatible addresses:
–Refer to an IPv4/IPv6 node that supports automatic tunneling
Enabling IPV6
• ipv6 unicast-routing (global config mode)
• ipv6 address 2001:200:1:1::1/64 (interface mode)
• Link-local addresses are generated by default or
use manual configuration
RIPng
• Neighbors need not be on the same global subnet since they are on the same link-local subnet
• Hence the router has to advertise its own prefix for the link out that interface
• In addition to the frame-relay map ipv6 broadcast to the global address you also need a map to the link-local address.
• RIP messages are sent to the all-RIP-routers link-local multicast address FF02::9/128
• RIPng uses the authentication headers present in IPv6 for authentication purposes
RIPng Configuration
• ipv6 rip abc enable (interface mode)
• show ipv6 protocol
• show ipv6 rip
• show ipv6 rip database
OSPFv3
• Basic mechanisms such as flooding, DR election, areas and SPF calculations remain the same
• Additionally, link LSAs announce link-local addresses and a list of IPv6 prefixes to associate with the link
• Intra-area prefix LSAs carry all IPv6 prefixes to all OSPFv3 routers within an area (correspond to router and network LSAs in IPv4)
• Inter-area prefix LSA 0x2003 replaces summary or type 3 LSAs
• Inter-area router LSA 0x2004 replaces type 4 LSA
• OSPFv3 runs on a link basis rather than on a subnet basis as in OSPFv2
• Authentication removed from OSPF, relies on IPv6 authentication
LSA Type Review
LSA                     Function Code   LSA type
Router-LSA              1               0x2001
Network-LSA             2               0x2002
Inter-Area-Prefix-LSA   3               0x2003
Inter-Area-Router-LSA   4               0x2004
AS-External-LSA         5               0x4005
Group-membership-LSA    6               0x2006
Type-7-LSA              7               0x2007
Link-LSA                8               0x0008
Intra-Area-Prefix-LSA   9               0x2009
OSPFv3 Configuration
• ipv6 ospf 100 area 0 (interface mode)
• In case of an ipv6 only router configure a 32 bit router id under ipv6
router ospf 100
• Summary can be configured under ipv6 router ospf 100 using the
command area 1 range 2001::/48
• show ipv6 ospf
• show ipv6 ospf neighbor
OSPFv3 over NBMA
• OSPFv3 over NBMA is very much similar to OSPF over NBMA
• The hub interface priority has to be increased to make it the DR
• The spokes should be configured with a priority of 0 so that they
never participate in the DR elections
OSPFv3 over NBMA
• Moreover neighbors have to be specified
• The address for the neighbor has to be the link local addresses
• Neighbors have to be specified only on the hub not on the spokes
• frame-relay maps have to be configured pointing to the neighbor’s
link local address on both hub and spokes as well as the global
addresses (if configured)
• sh ipv6 int s0/1/0 displays the link-local address
OSPFv3 over NBMA Hub
interface Serial0/1/0
 ipv6 ospf priority 100
 ipv6 ospf neighbor FE80::20A:B8FF:FE6B:A478
 ipv6 ospf neighbor FE80::20A:B8FF:FE2C:7DC8
 ipv6 ospf 10 area 0
 frame-relay map ipv6 FE80::20A:B8FF:FE6B:A478 106
 frame-relay map ipv6 FE80::20A:B8FF:FE2C:7DC8 105
106
OSPFv3 over NBMA Spoke
interface Serial0/1/0
 ipv6 ospf priority 0
 ipv6 ospf 10 area 0
 frame-relay map ipv6 FE80::217:95FF:FE27:B900 601
 frame-relay map ipv6 FE80::20A:B8FF:FE2C:7DC8 601
107
IPv6 over IPv4
• IPv6 can be tunneled over IPv4
• The tunnel mode is GRE by default; it can be changed to ipv6ip
• The tunnel interface itself needs an IPv6 address
• The tunnel source and destination are IPv4 addresses
• A routing protocol can be enabled on the tunnel
interface Tunnel0
 no ip address
 ipv6 address 2002:100:24:1::2/64
 ipv6 ospf 100 area 0
 tunnel source 10.86.72.17
 tunnel destination 10.86.72.18
108
ISATAP
• ISATAP is an IETF transition mechanism that allows IPv6
networks to connect over IPv4 networks. Even though it is still a
draft and has not yet been standardized, it is a better solution
than the 6to4 tunnel mechanism.
• ISATAP works like 6to4 tunnels, with one major difference: it
uses a special IPv6 address on the edge routers; this
special IPv6 address is formed as follows:
–The network portion can be any IPv6 prefix.
–The host portion of the IPv6 address starts with “0000:5EFE”, and
the rest of the host portion is the tunnel’s source IPv4 address
translated into hexadecimal.
• This translation is performed automatically.
109
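The address construction just described, as an added Python example (it is not from the course material): it builds an ISATAP address from a /64 prefix and the tunnel's IPv4 source using the 0000:5EFE form the slide gives, and recovers the IPv4 address back out of such an address. The prefix 2001:db8:1::/64 is an assumed documentation prefix; 10.86.72.17 is the tunnel source from the IPv6-over-IPv4 slide above.

```python
import ipaddress

# Assumed example prefix (2001:db8::/32 is reserved for documentation).
EXAMPLE_PREFIX = "2001:db8:1::/64"


def isatap_address(prefix: str, tunnel_source_v4: str) -> ipaddress.IPv6Address:
    """Build an ISATAP address the way the slide describes it:
    <any 64-bit prefix> : 0000:5EFE : <tunnel source IPv4 address as 32 bits>."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("ISATAP interface identifiers need a 64-bit prefix")
    v4 = ipaddress.IPv4Address(tunnel_source_v4)
    # Interface identifier: 16 bits of 0x0000, 16 bits of 0x5EFE, then the IPv4 address.
    iid = (0x00005EFE << 32) | int(v4)
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def embedded_ipv4(addr: str) -> str:
    """Reverse the translation: recover the tunnel source from an ISATAP address.
    Raises ValueError if the 0000:5EFE marker is missing, i.e. not an ISATAP address."""
    a = ipaddress.IPv6Address(addr)
    iid = int(a) & ((1 << 64) - 1)          # low 64 bits = interface identifier
    if (iid >> 32) != 0x00005EFE:
        raise ValueError("not an ISATAP interface identifier")
    return str(ipaddress.IPv4Address(iid & 0xFFFFFFFF))


def is_isatap(addr: str) -> bool:
    """True when the address carries the 0000:5EFE marker."""
    try:
        embedded_ipv4(addr)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    a = isatap_address(EXAMPLE_PREFIX, "10.86.72.17")
    print(a, "->", embedded_ipv4(str(a)))
```

The low 32 bits of the interface identifier are the IPv4 address verbatim, which is why 10.86.72.17 shows up as a56:4811 in the IPv6 address; a reviewer checking a tunnel endpoint can read the IPv4 source straight out of the IPv6 address.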
ISATAP cont.
110
End of Day 1 Lecture
111
SESSION 6
RIPv2
112
RIPv2
• Outline
–Updates
–Optimize
–Filtering
–Summary
–Authentication
–Default Routes
–Advanced
113
Classless Routing (RIPv2)
The version 2 extensions provide the following
enhancements to RIP:
• SUBNET MASKING INFORMATION IS NOW INCLUDED IN
ROUTING UPDATES, ALLOWING RIP TO HANDLE VLSM
ADDRESSING
• A NEXT-HOP ADDRESS IS CARRIED WITH EACH ROUTE
ENTRY
• EXTERNAL ROUTE TAGS CAN BE USED
• MULTICAST ROUTING UPDATES
• SUPPORT FOR MD5 AUTHENTICATION
114
Split Horizon
Never advertise a network on the
interface from which it was learned
115
Poison Reverse
• Once you learn of a route through an interface, then
advertise it as unreachable back through the same
interface
116
Timers
• Update - rate (time in seconds [30] between updates) at which
routing updates are sent
• Invalid - interval of time (in seconds [180]) after which a route is
declared invalid
• Hold - interval (in seconds [180]) during which routing information
regarding better paths is suppressed
• Flush - amount of time (in seconds [240]) that must pass before a
route is removed from the routing table
117
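An added Python model of the four timers (it is not part of the slides) that shows the state a RIP route passes through as its last update ages, using the defaults above. It also makes visible that, with the defaults, the flush timer removes the route before the 180-second hold timer has fully run. The update times passed to states_over_time are constructed sample input.

```python
# IOS RIP defaults in seconds, as listed on the slide.
UPDATE, INVALID, HOLDDOWN, FLUSH = 30, 180, 180, 240


def route_state(seconds_since_last_update: int,
                invalid: int = INVALID, flush: int = FLUSH) -> str:
    """State of a learned RIP route as a function of the age of its last update.

    valid    - still fresh, used for forwarding and advertised normally
    holddown - the invalid timer expired: the route stays in the table but is
               advertised as unreachable (metric 16) and better information
               for it is suppressed while the hold timer runs
    flushed  - the flush timer expired: the route is removed from the table
    """
    if seconds_since_last_update < invalid:
        return "valid"
    if seconds_since_last_update < flush:
        return "holddown"
    return "flushed"


def missed_updates_before_invalid(update: int = UPDATE, invalid: int = INVALID) -> int:
    """How many consecutive periodic updates may be lost before the route goes invalid."""
    return invalid // update


def holddown_cut_short(invalid: int = INVALID, holddown: int = HOLDDOWN,
                       flush: int = FLUSH) -> int:
    """Seconds of the hold timer that never run because the flush timer (counted
    from the last update) expires first. 0 means holddown runs to completion."""
    return max(0, invalid + holddown - flush)


def states_over_time(update_times, sample_times):
    """Replay a constructed sequence of received updates and report the route
    state at each sample time. Both lists are seconds from t=0."""
    out = {}
    for t in sample_times:
        past = [u for u in update_times if u <= t]
        out[t] = route_state(t - max(past)) if past else "unknown"
    return out


if __name__ == "__main__":
    print(states_over_time([0, 30, 60], [45, 100, 250, 300]))
```

With the defaults, six consecutive updates must be lost before the route is marked invalid, and the route is flushed 60 seconds into holddown, so only the first 60 seconds of the hold timer ever matter unless the timers are changed.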
Optimize
118
Obscure Topics
• Offset List – increases the value of routing metrics
r1lab(config)# access-list 1 permit 10.1.10.0
r1lab(config)# router rip
r1lab(config-router)# offset-list 1 in 3          (3 = hops added)
• Source IP address validation – by default the source IP address
of incoming RIP routing updates is validated; this can be disabled for “off network”
routes
r1lab(config-router)# no validate-update-source
* Note: for unnumbered IP interfaces (interfaces configured as ip unnumbered), no checking is performed.
• Interpacket delay – slows down sending routing update packets;
typically useful to slow down high speed routers when communicating
with low speed routers
r1lab(config)# router rip
r1lab(config-router)# output-delay <8-50 milliseconds>
119
Filtering
• Allow only odd routes from 1.1.0.0 from R1 to other routers
Network 1.1.1.0 0.0.254.255
Inverse mask on the third octet: my network = 0 (must match), my mask = 1 (don't care)

Third octet        128 64 32 16 8 4 2 1
1.1.1.0              0  0  0  0 0 0 0 1
1.1.3.0              0  0  0  0 0 0 1 1
1.1.5.0              0  0  0  0 0 1 0 1
Odds always include a binary 1 in the least significant bit;
evens never have a binary 1 there.

Mask        11111111.11111111.11111110.00000000
Network     00000001.00000001.00000001.00000000
First host  00000001.00000001.00000001.00000000   <- in the ACL, must match on this binary value
The 254 translates to 11111110, which tells the ACL to not care
about anything in that octet except the least significant bit.
120
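The same odd/even selection as an added Python example (it is not from the deck): it applies the wildcard mask the way a standard ACL does (0 bit = must match, 1 bit = don't care), produces the third-octet bit patterns from the table above and filters a constructed list of candidate prefixes. It also goes one step beyond the slide: keeping the wildcard and changing the ACL address to 1.1.0.0 selects the even networks instead.

```python
import ipaddress


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(address: str, acl_address: str, wildcard: str) -> bool:
    """Cisco wildcard (inverse) mask semantics: a 0 bit in the wildcard must
    match the ACL address, a 1 bit is "don't care"."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(address) & care) == (_to_int(acl_address) & care)


def third_octet_bits(address: str) -> str:
    """8-bit pattern of the third octet, as in the slide's binary table."""
    return format((_to_int(address) >> 8) & 0xFF, "08b")


def filter_prefixes(networks, acl_address: str, wildcard: str):
    """Only the networks a standard ACL entry with this wildcard permits,
    i.e. what a distribute-list built on that ACL would let through."""
    return [n for n in networks if wildcard_match(n, acl_address, wildcard)]


# Constructed list of candidate RIP routes from 1.1.0.0/16, plus one stray.
CANDIDATES = ["1.1.1.0", "1.1.2.0", "1.1.3.0", "1.1.4.0", "1.1.5.0",
              "1.1.254.0", "1.1.255.0", "2.1.1.0"]

if __name__ == "__main__":
    for n in CANDIDATES:
        print(n, third_octet_bits(n), wildcard_match(n, "1.1.1.0", "0.0.254.255"))
```

The wildcard 0.0.254.255 pins the first two octets and the least significant bit of the third; everything else is ignored, so 1.1.3.7 matches the "odd" entry just as 1.1.3.0 does, while 2.1.1.0 never does.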
Distribute List
121
RIP V2 Summarization
• Applied to an interface
r1lab(config-if)# ip summary-address rip 10.20.0.0 255.255.255.0
• Split horizon must be disabled on the interface
• Auto summary can only summarize to the classful boundary, the
summary-address allows for classless summarization
• Does not insert a NULL0 entry into the routing table
122
RIP V2 Features
• Authentication
r1lab(config)# interface s0
r1lab(config-if)# ip rip authentication key-chain cisco
r1lab(config-if)# ip rip authentication mode {md5 | text}
r1lab(config)# key chain cisco
r1lab(config-keychain)# key 1
r1lab(config-keychain-key)# key-string cisco
• Classless
• Route summarization (enabled by default)
r1lab(config)# router rip
r1lab(config-router)# no auto-summary
123
IP RIP Triggered
• When you enable triggered extensions to RIP, routing updates are
transmitted on the WAN only if one of the following events occurs:
–The router receives a specific request for a routing update, which causes
the full database to be sent.
–Information from another interface modifies the routing database, which
causes only the latest changes to be sent.
–The interface comes up or goes down, which causes a partial database to
be sent.
–The router is powered on for the first time to ensure that at least one
update is sent, which causes the full database to be sent
124
Default routes in RIP
• redistribute static (with ip route 0.0.0.0 0.0.0.0 null0 permanent)
• default-information originate
• ip default-network 1.0.0.0
125
Example of default information
126
Advanced Workaround with RIP / RSPAN
(diagram: RIPv2 on F1/0)
• R4 must receive RIP routes from BB2 but is not permitted to redistribute from
OSPF
• SPAN or RSPAN is used together with no validate-update-source
127
Redistribution
128
Advertising Routes between Routing Protocols
• Longest Match
• Administrative Distance
• Redistribution
• Route Maps
• Distribute Lists
• Prefix Lists
129
Longest Match
• >show ip route
D 172.33.1.0/25 via 192.168.1.1    <- Preferred
R 172.33.1.0/24 via 192.168.1.2
O 172.33.1.0/23 via 192.168.1.3
130
Administrative Distance
131
Allow Redistribute on R1
Maintain R routes on R1 even after redistribution
132
Example Configuration with AD
133
Route Maps
• Route filtering
• Metric control
• Used extensively in BGP
• Used for setting IP Precedence
• Policy routing (not part of redistribution)
• Can use match and set statements
• route-map lab permit 10
–match ip address 1 3 (several values on one match line create an OR
statement)
–match ip address prefix-list lab
Multiple match lines are considered an AND
134
Distribute Lists
• Used with access-lists to filter incoming or outgoing updates
• Be as specific as possible when applying the distribute list
• RIP & EIGRP
–distribute-list 1 in ethernet 0 (also can use a route map)
–distribute-list 1 out ethernet 0
• OSPF – only allows inbound
–distribute-list 1 in ethernet 0
• IS-IS does not use distribute lists
• BGP – applied to the neighbor
–neighbor 2.2.2.2 distribute-list 1 in
135
Prefix Lists
• Prefix lists are a more sophisticated form that Cisco provides
for filtering route advertisements. They filter on IP address
just as distribute-lists do; however, they are easier to read and
require fewer commands to configure. The other advantage over
a distribute list is that it is easier to add, remove and organize
the statements in the manner you choose.
• For example:
ip prefix-list xx seq 10 permit 204.134.12.0/22
ip prefix-list xx seq 20 permit 204.134.16.0/21
ip prefix-list xx seq 30 permit 204.134.24.0/24
136
Redistribution Problems
• When redistributing OSPF into BGP, by default BGP only
accepts internal routes, not external type 1 or type 2
• Watch for administrative distance problems
• Beware of the metric used by RIP
• Redistributing into RIP requires a metric or default-metric,
or the metric will be set to 16 (unreachable)
• Redistributing into EIGRP requires a metric or default-metric, or the metric will be set to infinity
• Always filter routes when doing redistribution
137
Advanced RIP
• One static route allowed
Receive the rip routes
138
SESSION 7
EIGRP
139
EIGRP
• Outline
–Overview
–Updates
–Authentication
–Default Routes
–Summarization
–Metrics
140
EIGRP
• EIGRP is a Cisco proprietary routing protocol loosely based on Cisco's original
IGRP
• EIGRP is an advanced distance-vector routing protocol, with optimizations to
minimize both the routing instability incurred after topology changes and
the use of bandwidth and processing power in the router.
• EIGRP and IGRP are compatible with each other.
• EIGRP uses the Diffusing Update Algorithm (DUAL), which guarantees loop-free operation.
• In particular, DUAL avoids the "count to infinity" behavior common in
distance-vector routing protocols.
• The maximum hop count of EIGRP-advertised routes (i.e. destination
networks) is 255. The default is 100; it is changed in the routing process with
metric maximum-hops
• EIGRP is considered an Advanced Distance-vector or Hybrid routing protocol
• Classless (VLSM)
141
EIGRP Updates
• Send Hellos between neighbors, which must include
–AS #
–Subnet
–Authentication
–K-Values
1. Neighbor Table
2. Topology Table (determine successor (primary) and feasible successor)
3. DUAL Algorithm (loop free)
4. Routing Table (move successor from primary)
*Note: updates are sent to 224.0.0.10 and EIGRP uses IP protocol number 88
142
Successor versus Feasible Successor
• Reported Distance (RD) is the metric from your neighbor (next hop) to the destination.
• Feasible Distance (FD) is the metric from the current router all the way to the destination; this
includes all other routers in between your router and the destination.
R1 -------- R2 ----------- R3 (destination)
|<----------- FD ---------->|
             |<---- RD ---->|
• To qualify as a feasible successor, a next-hop router must have an RD less than the FD of
the current successor route
• EIGRP metric = (lowest bandwidth + all delays) x 256
143
EIGRP Authentication
• Similar to RIP V2 Authentication
• Only MD5 Authentication supported
r1lab(config)# interface s0
r1lab(config-if)# ip authentication mode eigrp 222 md5
r1lab(config-if)# ip authentication key-chain eigrp 222 cisco
r1lab(config)# key chain cisco
r1lab(config-keychain)# key 1
r1lab(config-keychain-key)# key-string ccie
144
Default Routes in EIGRP
• ip summary-address eigrp 100 0.0.0.0 0.0.0.0 (on the interface)
• ip default-network
• ip route 0.0.0.0 0.0.0.0 null0, followed by
–redistribute static, or network 0.0.0.0
145
EIGRP Summarization
• Auto summary is on by default – disable it
• Summarization is done on the interface
r1lab(config-if)# ip summary-address eigrp 222 10.2.0.0 255.255.255.0 5
• No way to get rid of the NULL0 entry; it is added to
avoid loops
• The default AD of the summary is 5, but a higher AD
can be used for a floating summary
• You can bump the AD to 255 to remove the null0 entry, but
then the summary could cause a loop if you do not properly filter
146
EIGRP Leak Map
On the remote router
147
Virtual Template in PPP with Leak Map
• Problem- Can not use Leak Map with Sub Interfaces
• Must use PPP and Virtual Template
148
EIGRP Stub Areas
• Affects what the router will advertise
• Reduces processing on the router
• Controls what networks are advertised
• Four options: receive-only, summary, connected,
and static
–router eigrp 1
 eigrp stub summary leak-map leaky
149
Problems with EIGRP Stub
• All routers in the EIGRP AS need the stub command, or
neighbors could end up stuck in active (SIA)
because the stub flag is missing from the hello packets
• Workaround: use the stub configuration on all routers
that need to be a stub in a single AS
• Use a separate AS for all other EIGRP routers and
redistribute between the EIGRP AS processes on
the hub router
150
Tuning EIGRP
OPTIONAL EIGRP COMMANDS:
• ip hello-interval eigrp – use this interface command to change the hello
timer
• ip hold-time eigrp – use this command to change the EIGRP hold time
for routes received by this interface
• metric weights – allows you to set the weight of the EIGRP metric
• distance – used to change the administrative distance of routes
received from a neighbor
• delay – specifies the delay of an interface in tens of microseconds
• bandwidth – specifies the bandwidth of an interface in kilobits per
second
• passive-interface – prevents the sending of EIGRP hellos on the link
• offset-list – used to increase the value of the routing metrics
151
Miscellaneous Topics
• Offset List
r1lab(config)# access-list 1 permit 10.2.1.0
r1lab(config)# router eigrp 222
r1lab(config-router)# offset-list 1 in 10000          (10000 = delay added)
• Adjust the percentage of bandwidth used for
routing updates – 50% is the default
r1lab(config-if)# ip bandwidth-percent eigrp 222 10
It is very important to summarize and use stubs in large EIGRP
networks; otherwise the query traffic to find successor routes
could easily take 50% of the bandwidth. If we throttle the
percentage too much, convergence times will be affected
152
Equal Cost Load Balancing
Change with the maximum-paths command in EIGRP
process
153
EIGRP Unequal-Cost Load Balancing
• EIGRP offers unequal-cost Load balancing
– variance command
• Variance allows the router to include routes
with a metric smaller than multiplier times the
minimum metric route to that destination
– Multiplier is the number specified by the variance
command
154
Traffic-Share
• Determines how traffic is load balanced.
• Two options:
–balanced (balances across paths)
–min across-interfaces (traffic still uses only the lowest metric path)
router eigrp 1
 variance 2
 traffic-share balanced (actively uses the lower speed link to load balance with higher
speed links)
* Note: min – only adds the paths to the routing table for fall back but does not load balance
Under the interface you can configure per-packet or per-destination load balancing:
ip load-sharing per-packet or ip load-sharing per-destination
155
Variance Example
• Router E chooses router C to get to network Z because FD = 20.
• With a variance of 2, router E also uses router B to get to network Z, since (20 +
10 = 30) < [2 * 20 (FD) = 40].
• Router D is not used to get to network Z (45 > 40).
• To use D we need a variance of 3, because 3 x 20 = 60 and 60 > 45
156
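The successor/feasible successor rule from the "Successor versus Feasible Successor" slide and the variance arithmetic from this slide, as one added Python example (it is not from the course material). The split of each path into a link metric and a reported distance for router E's paths to Z is an assumption chosen so the totals match the slide (20, 30 and 45); neighbor X is an extra, constructed neighbor included to show that variance never installs a path that fails the feasibility condition, however cheap its metric.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Path:
    neighbor: str
    link_metric: int         # this router's cost to reach the neighbor (assumed values)
    reported_distance: int   # RD: the neighbor's own metric to the destination

    @property
    def total(self) -> int:
        """This router's metric to the destination through that neighbor."""
        return self.link_metric + self.reported_distance


def successor(paths):
    return min(paths, key=lambda p: p.total)


def feasible_distance(paths) -> int:
    return successor(paths).total


def feasible_successors(paths):
    """Feasibility condition from the slide: RD strictly less than the FD of the
    current successor. Other paths stay in the topology table but are not
    loop-free backups."""
    best = successor(paths)
    fd = best.total
    return [p for p in paths if p is not best and p.reported_distance < fd]


def installed_paths(paths, variance: int = 1):
    """Paths placed in the routing table with `variance N`: the successor plus
    every feasible successor whose metric is smaller than N x FD (strictly
    smaller, matching the slide's 45 > 40 case)."""
    best = successor(paths)
    fd = best.total
    return [best] + [p for p in feasible_successors(paths) if p.total < variance * fd]


# Router E's paths to network Z. Totals match the slide: 20 via C (the FD),
# 30 via B, 45 via D. X is constructed: cheap link but RD 30 >= FD 20, so not feasible.
ROUTER_E_TO_Z = [
    Path("C", link_metric=10, reported_distance=10),
    Path("B", link_metric=20, reported_distance=10),
    Path("D", link_metric=30, reported_distance=15),
    Path("X", link_metric=5, reported_distance=30),
]

if __name__ == "__main__":
    for v in (1, 2, 3):
        print("variance", v, "->", [p.neighbor for p in installed_paths(ROUTER_E_TO_Z, v)])
```

X has a total metric of 35, which is below 2 x FD = 40, yet variance 2 installs only C and B: the feasibility check runs first, and a neighbor whose RD is not below the FD is never considered, which is what keeps unequal-cost load sharing loop-free.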
End Day 2 Lecture
157
Session 8 OSPF
158
OSPF
• Outline
–OSPF Network Types
–RID
–LSA
–Adjacencies
–Area types
–New Features
–Authentication
–Summaries
–Filtering
159
Network Types
• The easiest configuration is to configure all OSPF frame relay
interfaces for point-to-multipoint
• If the lab prohibits you from changing the network type you
can try the neighbor command
Physical Frame Relay Interface    OSPF Network Type
Physical                          Non-Broadcast
Multipoint Sub                    Non-Broadcast
Point-to-Point Sub                Point-to-Point
160
OSPF Over NBMA Topology Summary
Mode                        Preferred Topology             Subnet Address               Adjacency
Non-broadcast               Fully meshed                   Same                         Manual configuration,
                                                                                        DR/BDR elected
Broadcast                   Fully meshed                   Same                         Automatic,
                                                                                        DR/BDR elected
Point-to-multipoint /       Partial mesh (hub and spoke)   Same                         Manual configuration,
point-to-multipoint                                                                     no DR/BDR
nonbroadcast
Point-to-point and          Partial mesh (hub and spoke    Different for each subint.   Manual DR on hub
point-to-multipoint         using subinterfaces)           and same for
sub interface                                              point-to-multipoint
161
Hello and Dead Timers
• In order to form a neighbor adjacency, hello and dead
timers must match
• Timers differ based on the network type configuration
broadcast – hello time (10 seconds), dead time (40 seconds)
point-to-point – hello time (30 seconds), dead time (120 seconds)
non-broadcast – hello time (30 seconds), dead time (120 seconds)
• Timers can be manually adjusted through the “ip ospf
hello-interval” and “ip ospf dead-interval” interface
commands
162
Hello and Dead Timers
Interface                            OSPF network type   Timers
Physical Interface                   Non-Broadcast       Hello 30 Dead 120
Sub Interface P2P                    Point-to-Point      Hello 10 Dead 40
Sub Interface Point to multipoint    Non-Broadcast       Hello 30 Dead 120
Physical changed to Broadcast        Broadcast           Hello 10 Dead 40
  (ip ospf network broadcast)
P2P sub interface changed to NBMA    Non-Broadcast       Hello 30 Dead 120
163
Miscellaneous OSPF - Timers
• Basic Timers
–Hello-interval
 interface serial 1/0
 ip ospf hello-interval 20 – automatically changes the
dead-interval to 80 (dead = hello x 4)
–Dead-interval
 interface serial 1/0
 ip ospf dead-interval 50 – does NOT change the
hello-interval
• Unless – see next slide
164
OSPF Timers – Fast Hellos
• Added in 12.2T15
• Enables faster convergence
• Sets the dead timer to 1 second; the hello timer is derived from the hello-multiplier.
• Example – set hello to 250 ms:
ip ospf dead-interval minimal hello-multiplier 4
165
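An added Python example (it is not from the deck) that resolves the hello and dead timers an interface ends up with after the commands on the last three slides, starting from the IOS defaults per network type, and then checks whether two interfaces can form an adjacency. It also reproduces the common NBMA-hub / point-to-point-spoke mismatch (30/120 against 10/40) and how an explicit dead-interval on the spoke repairs it. The 3..20 range enforced for the hello-multiplier is the range of the IOS command.

```python
# IOS default hello/dead timers (seconds) per OSPF network type.
DEFAULT_TIMERS = {
    "broadcast": (10, 40),
    "point-to-point": (10, 40),
    "non-broadcast": (30, 120),
    "point-to-multipoint": (30, 120),
}


def effective_timers(network_type, hello=None, dead=None, hello_multiplier=None):
    """Resolve the timers an interface ends up with. The arguments model:
      ip ospf hello-interval <hello>                       -> dead becomes 4 x hello
      ip ospf dead-interval <dead>                         -> hello is left unchanged
      ip ospf dead-interval minimal hello-multiplier <m>   -> dead 1 s, hello 1/m s
    An explicit dead-interval overrides the 4x rule, so hello is applied first
    and dead second, which is the order that gives the documented result."""
    h, d = DEFAULT_TIMERS[network_type]
    if hello is not None:
        h, d = hello, 4 * hello
    if dead is not None:
        d = dead
    if hello_multiplier is not None:
        if not 3 <= hello_multiplier <= 20:
            raise ValueError("hello-multiplier must be between 3 and 20")
        h, d = 1 / hello_multiplier, 1
    return h, d


def can_form_adjacency(timers_a, timers_b) -> bool:
    """Hello and dead must both match or no neighbor forms."""
    return timers_a == timers_b


if __name__ == "__main__":
    hub = effective_timers("non-broadcast")                  # physical NBMA hub
    spoke = effective_timers("point-to-point")               # p2p sub-interface spoke
    print(hub, spoke, can_form_adjacency(hub, spoke))        # (30, 120) (10, 40) False
    print(effective_timers("point-to-point", hello=30, dead=120))  # fixed on the spoke
```

A hub left on its physical (non-broadcast) interface and a spoke on a point-to-point sub-interface disagree on both timers and never get past the hello exchange; either change the network type so the defaults line up, or set matching hello and dead values explicitly on the odd side out.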
Router ID
• Identifies an OSPF neighbor
• Dotted decimal, 32 bits
• 223.255.255.255 is the highest possible router ID
• Statically set the Router ID (preferred) *note: they may
reboot the routers before they grade
router ospf 1
 router-id 150.5.50.5
• Otherwise uses the highest IP address of all configured loopbacks
• If no loopback is present it uses the highest interface IP address
• Used for virtual-link commands
• Highest Router ID wins the DR election – priority can offset the
election
166
Link State Announcement (LSA) Types
• 1 - Router LSA - Each OSPF router generates a single Type 1 LSA to describe the
status and cost (metric) of all links on the router. This LSA is flooded to each router within the OSPF area only.
• 2 - Network LSA - the designated router on a broadcast segment (e.g. Ethernet) lists
which routers are joined together by the segment
• 3 - Network summary LSA - an Area Border Router (ABR) takes information it has
learned on one of its attached areas and summarizes it before sending it out on other
areas
• 4 - ASBR Summary LSA - Type 5 External LSAs are flooded to all areas and the
detailed next-hop information may not be available in those other areas. The ABR floods
the information for the router (i.e. the Autonomous System Border Router) where the
type 5 originated.
• 5 - AS External LSA - these LSAs contain information imported into OSPF from
other routing processes. They are flooded to all areas (except stub areas).
• 6 - Group Membership LSA - this was defined for Multicast extensions to OSPF
(MOSPF)
• 7 - NSSA External LSA - Not-so-stubby areas (NSSA) do not receive external LSAs
from Area Border Routers, but are allowed to send external routing information for
redistribution. They use type 7 LSAs to tell the ABRs about these external routes, which
the Area Border Router then translates to type 5 external LSAs and floods as normal to
the rest of the OSPF network.
167
LSA Table
Intra/Inter   LSA                    Adv Router                           R/Table               Display Database
Intra         1 (Router)             All in Area                          O                     sh ip ospf database router
Intra         2 (Network)            DR only                              N/A                   sh ip ospf database network
Inter         3 (Summary)            ABR                                  IA                    sh ip ospf database summary
Inter         4 (Announce ASBRs)     ABR                                  N/A                   sh ip ospf database asbr-summary
External      5 (Type 1 or Type 2)   ASBR                                 E2 (default) or E1    sh ip ospf database external
External      6 (MOSPF)              Cisco can generate a syslog error
External      7                      ASBR (in NSSA)                       N1 or N2              sh ip ospf database nssa-external
Multicast addresses: to the DR routers 224.0.0.6, to all routers on the area network 224.0.0.5
168
Problems preventing Neighbor Adjacency
• Mismatched hello (and dead) timers
• Subnet information
• Authentication
• Area ID doesn’t match
• Area stub flag not set
• Duplicate RID
169
Neighbor States
• Down State
• Init (clear or start a new OSPF process)
• 2way (elect DR / BDR)
• Exstart (master / slave)
–Master sends database description packets (they contain link-state advertisement
(LSA) headers only)
–Higher IP is master
• Exchange
–Use ip ospf mtu-ignore to avoid MTU problems (exchange LSDB)
• Loading
–LSR (Request) ----->
–<----- LSU (Updates)
• Full (database synchronized and all routes have been exchanged)
170
Electing the DR and BDR
• Hello packets are exchanged via IP multicast.
• The router with the highest OSPF priority is
selected as the DR.
• Use the OSPF router ID as the tie breaker.
–If no RID is configured, then use the highest loopback IP
–If no loopback, then use the highest interface IP
• The DR election is nonpreemptive.
171
Setting Priority for DR Election
Router(config-if)# ip ospf priority number
• This interface configuration command assigns the
OSPF priority to an interface.
• Different interfaces on a router may be assigned
different values.
• The default priority is 1. The range is from 0 to 255.
• 0 means the router is a DROTHER; it can’t be the DR or
BDR.
172
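An added Python model (it is not from the course material) of the election rules on this and the previous slide: highest priority first, router ID as the tie breaker, priority 0 never eligible, and non-preemption (an existing DR or BDR keeps its role when a better candidate appears later). The routers and addresses are constructed. The real election first elects a BDR and promotes it to DR when needed; this simplified ranking does not model that ordering.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class OspfRouter:
    rid: str
    priority: int = 1   # ip ospf priority; default 1, range 0..255

    def rank(self):
        # Highest priority wins; the numerically higher router ID breaks ties.
        return (self.priority, tuple(int(o) for o in self.rid.split(".")))


def elect_dr_bdr(routers, current_dr=None, current_bdr=None):
    """Simplified DR/BDR election on one segment.
    - priority 0 routers are DROTHER and never become DR or BDR
    - non-preemptive: a router already holding DR or BDR keeps it as long as
      it is still present and eligible, whatever the newcomers' priorities"""
    eligible = [r for r in routers if 0 < r.priority <= 255]
    ranked = sorted(eligible, key=OspfRouter.rank, reverse=True)
    dr = current_dr if current_dr in eligible else (ranked[0] if ranked else None)
    rest = [r for r in ranked if r != dr]
    bdr = current_bdr if current_bdr in rest else (rest[0] if rest else None)
    return dr, bdr


if __name__ == "__main__":
    # Hub-and-spoke NBMA from the OSPFv3 slides: hub priority raised, spokes at 0.
    hub = OspfRouter("10.0.0.1", priority=100)
    spokes = [OspfRouter("1.1.1.1", 0), OspfRouter("2.2.2.2", 0)]
    print(elect_dr_bdr([hub] + spokes))      # hub is DR, no BDR possible
```

Two spokes at priority 0 leave the hub as the only eligible router, so there is no BDR at all, which is the intended outcome on a hub-and-spoke segment; with equal priorities the higher RID wins, and a router that boots later with a better RID still does not take the DR role away.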
Area Type
• All routers in an OSPF area
must have the same area type
set or no neighbor will be
formed
• Totally Stubby and Totally
NSSA have the ‘no-summary’
keyword added ONLY on the
ABR
• NSSA does not inject a default
route automatically. It must be
configured for the default to be
sent on the ABR:
– area 2 nssa default-information-originate

Area Type        ABR                                  LSA (from ABR)   LSA (from area routers)   Area Routers
Stub             stub                                 2,3,4            1                         stub
Totally Stubby   stub no-summary                      2, 0.0.0.0       1                         stub
NSSA             nssa default-information-originate   3,4              1,7                       nssa
Totally NSSA     nssa no-summary                      2, 0.0.0.0       1,7                       nssa
173
Types of OSPF Routers
174
OSPF Authentication
• Uses either Clear Text or MD5
• Can do either Area Authentication or Link
Authentication
• If area 0 has authentication, any virtual links must
have the same authentication configured
• Watch for extra spaces on your passwords
175
Area Authentication
• Clear Text
r1lab(config)# router ospf 1
r1lab(config-router)# area 0 authentication
r1lab(config)# int serial 0
r1lab(config-if)# ip ospf authentication-key cisco
• MD5
r1lab(config)# router ospf 1
r1lab(config-router)# area 0 authentication message-digest
r1lab(config)# int s0
r1lab(config-if)# ip ospf message-digest-key 1 md5 cisco
176
Link Authentication
• Clear Text
r1lab(config-if)# int s0
r1lab(config-if)# ip ospf authentication
r1lab(config-if)# ip ospf authentication-key cisco
• MD5
r1lab(config-if)# int s0
r1lab(config-if)# ip ospf authentication message-digest
r1lab(config-if)# ip ospf message-digest-key 1 md5 cisco
177
Virtual Links
• Avoid in the real world
• Used to connect an area to the backbone through another
area – an extension of area 0
• Configuration uses the router-id of the far end
• If authentication is configured on area 0 it must also be
configured on the virtual link and the far side router.
• Needed in two cases
–Discontiguous area 0
–Router touching two areas, but not area 0.
• Use Area Border Routers as endpoints
178
Virtual Link Authentication
• Clear Text
r1lab(config)# router ospf 1
r1lab(config-router)# area 1 virtual-link 2.2.2.2 authentication-key cisco
• MD5
r1lab(config)# router ospf 1
r1lab(config-router)# area 1 virtual-link 2.2.2.2 message-digest-key 1 md5 cisco
• Remember that the far side of the virtual link must
know what type of authentication area 0 is using
• A VL cannot traverse a stub area
• If you are required to traverse a VL to area 0 you must negate
capability transit (no capability transit).
179
Connecting a Non-Backbone Area Through
a Stub Area
• Generic Routing Encapsulation (GRE) allows you to
connect a discontiguous area to the backbone through a
stub area
• GRE will cause extra packet overhead due to tunnel
header information
180
OSPF New Features
• Max LSA (Internal)
181
OSPF New Features Cont.
• Maximum Prefixes (Networks)
182
OSPF New Features Cont.
• Prevent OSPF router from being transit
• Max Metric uses 64000 – 65535 (16 bits)
183
OSPF Summarization
• Two ways to summarize
–Area range: used to summarize between OSPF areas. Always
done on an ABR
 area 2 range 100.5.50.0 255.255.255.0
–Summary-address: used to summarize external routes
redistributed into OSPF. Always done on an ASBR
 summary-address 100.5.50.0 255.255.255.0
• Both will inject a NULL0 route into the routing table. MUST get
rid of the NULL0 route:
 no discard-route internal – used with area range
 no discard-route external – used with summary-address
184
Configuring Route Summarization
router(config-router)# area area-id range address mask
• Consolidates inter-area (IA) routes on an ABR
router(config-router)# summary-address address mask [not-advertise] [tag tag]
• Consolidates external routes, usually on an ASBR
185
Filtering in OSPF
• Distribute list only inbound and can not stop LSAs
186
Break Area 0
• R1 and R2 have full knowledge of Area 0 routes and
R3 and R4 have no knowledge.
Or on R2 OSPF
187
Prevent type 7 to 5 routes from Area 0
188
SESSION 8
BGP
189
BGP
• Outline
–Operation
–State
–Attributes
–Order/Preference
–Aggregation
–Security
–Peer Groups
–Dampening
190
iBGP Full Mesh Requirement
• All BGP speakers within an AS must be connected
together in a full mesh. For n BGP speakers within
an AS that requires maintaining n*(n-1)/2 unique
iBGP sessions to connect the eBGP routers
• If not meshed, routes must be redistributed into
and synchronized with the IGP.
• Route Reflectors and Confederations may be used
to avoid the full mesh requirement or redistribution
191
BGP Route Reflector
• Scales well unlike full mesh
• Optional Peer groups could be used to save configuration on the route
reflector
r1lab(config-router)# neighbor 1.1.1.2 update-source loopback 0
r1lab(config-router)# neighbor 1.1.1.2 next-hop-self
r1lab(config-router)# neighbor 1.1.1.2 distribute-list 1 out
r1lab(config-router)# neighbor 1.1.1.2 route-reflector-client
r1lab(config-router)# neighbor 1.1.2.2 update-source loopback 0
r1lab(config-router)# neighbor 1.1.2.2 next-hop-self
r1lab(config-router)# neighbor 1.1.2.2 distribute-list 1 out
r1lab(config-router)# neighbor 1.1.2.2 route-reflector-client
192
Route Reflector
193
BGP Confederations
• Splits one AS into many smaller Private AS’s
–Private AS numbers are 64512 – 65535
• Connections between the Private AS’s are treated as special
eBGP connections
• External AS’s only participate in the Public AS – they are not
aware of the Private AS’s inside
194
Confederation
(diagram: confederation sub-AS's AS 6502 and AS 6503)
195
Manual Confederation
• Uses private AS for IBGP and Public AS for EBGP
• Need to remove the private AS information
196
Basic BGP Configuration
• Neighbors must be configured on both sides
• Neighbors must be directly connected or have a specific IGP route
(a default route will not work) to the neighbor.
• Neighbors in the same AS are iBGP
– iBGP will go 255 hops by default to find a neighbor
• Neighbors in different AS’s are eBGP
– eBGP will only go 1 hop to find a neighbor
 neighbor 1.1.1.1 ebgp-multihop <1-255> (needs an IGP route)
• If you use a loopback to neighbor, don’t forget to change the update
source
– BGP expects the directly connected interface to be the update source unless
you specify
 neighbor 1.1.1.1 update-source loopback 0
• Advertised networks must have an exact match in the routing table in
order for BGP to advertise the route
197
State
• Idle
• Connect
–Active – resets the retry timer; kicks back to Idle
• OpenSent – version must be 4
• OpenConfirm
• Established
198
Neighbors
199
Synchronization Example
(diagram labels: AS 45, AS 40, AS 50; routers A, B, C, D, E, F; eBGP, iBGP; 31.106.0.0)
• An IGP running only on Routers B and C
• 31.106.0.0 will not appear in D’s IP Routing
Table
200
Synchronization Problem
• An eBGP learned route cannot be installed in
the routing table of iBGP-connected routers until
the route has already been learned by the IGP
connecting these routers
• It is almost always recommended to disable
synchronization; otherwise the eBGP
routes need to be redistributed directly into the IGP
r1lab(config)# router bgp 10
r1lab(config-router)# no synchronization
201
Next Hop
• The IGP should carry routes to the next hops
• Recursive route look-up
• Decouples BGP from the actual physical topology
• If an IGP router does not have a route to the
eBGP next hop, then next-hop-self can be used on
the iBGP/eBGP border neighbor to provide connectivity
202
Next Hop Example
(diagram labels: eBGP; A; D; 1.1.1.2; iBGP; 31.106.0.0; 1.1.1.1; eBGP; B; F; 20.2.2.1/24)
• B does not advertise network 20.2.2.0 to A
• A will not install network 31.106.0.0 in its routing table since
A does not know how to reach the next hop (20.2.2.1)
203
Next-Hop-Self Problem
• An eBGP learned route cannot be installed in the IP routing
table of iBGP connected routers unless the route’s next-hop
address is reachable
r1lab(config)# router bgp 10
r1lab(config-router)# neighbor 10.1.1.2 next-hop-self
• eBGP neighbors always advertise themselves as the "next
hop" for any routes sent.
• iBGP neighbors retain the original advertiser's address as the
next hop.
• The issue with next-hop information is whether or not that
next hop ( the eBGP neighbor address ) is reachable to any
iBGP neighbor.
204
Transit AS
• If an AS has 2 or more connections to the Internet,
by default some traffic not destined for your AS
may pass through your routers
• Two ways to stop this
–AS-Path access-lists
–Communities
Explained later
205
BGP Characteristics
• Distance-vector protocol with enhancements:
–Reliable updates
–Triggered updates only
–Rich metrics (called path attributes)
• Designed to scale to huge internetworks
206
BGP Path Attributes
• BGP metrics are called path attributes
• BGP attributes are categorized as well-known and
optional
• Well-known attributes must be recognized by all
compliant implementations
• Optional attributes are only recognized by some
implementations (could be private), expected not to
be recognized by everyone
207
Well-Known BGP Attributes
• Well-known attributes are divided into mandatory
and discretionary
• Well-known mandatory attributes must be present
in all update messages
• Well-known discretionary attributes are optional they could be present in update messages
• All well-known attributes are propagated to other
neighbors
WELL-KNOWN, MANDATORY
• AS-path: A list of the Autonomous Systems (AS) numbers that
a route passes through to reach the destination. As the
update passes through an AS the AS number is inserted at
the beginning of the list. The AS-path attribute is therefore a reverse-order list of the ASs passed through to get to the destination.
• Next-hop: The next-hop address that is used to reach the
destination.
• Origin: Indicates how BGP learned a particular route. There
are three possible types -- IGP (route is internal to the AS),
EGP (learned via EBGP), or Incomplete (origin unknown or
learned in a different way).
WELL-KNOWN, DISCRETIONARY
• Local Preference: Defines the preferred exit point
from the local AS for a specific route.
• Atomic Aggregate: Set when a router advertises an
aggregate that causes path attribute information to be
lost.
Optional BGP Attributes
• Optional BGP attributes are transitive or non-transitive
• Optional transitive attributes
–Aggregator: Specifies the router ID and AS of the router that
originated an aggregate prefix. Used in conjunction with the
atomic aggregate attribute.
–Community: Used to group routes that share common properties
so that policies can be applied at the group level.
• Optional non-transitive attributes
–Multi-exit-discriminator (MED): Indicates the preferred path into
an AS to external neighbors when multiple paths exist.
• Recognized optional attributes are propagated to other
neighbors based on their meaning (not constrained by
transitive bit)
Priority of Attributes
1. If the path specifies a next hop that is inaccessible, drop the update.
2. Prefer the path with the largest weight.
3. If the weights are the same, prefer the path with the largest local preference.
4. If the local preferences are the same, prefer the path that was originated by BGP running on this router.
5. If no route was originated, prefer the route that has the shortest AS_path.
6. If all paths have the same AS_path length, prefer the path with the lowest origin type (where IGP is lower than EGP, and EGP is lower than incomplete).
7. If the origin codes are the same, prefer the path with the lowest MED attribute.
8. If the paths have the same MED, prefer the external path over the internal path.
9. If the paths are still the same, prefer the path through the closest IGP neighbor.
10. Prefer the path with the lowest IP address, as specified by the BGP router ID.
Weight
• The weight attribute is a Cisco-defined attribute
used for the path selection process. The weight is
configured locally on a router and is not propagated
to any other routers.
Origin
• The origin attribute indicates how BGP learned about
a particular route. The origin attribute can have one
of three possible values:
–IGP—The route is interior to the originating AS. This value
is set when the network router configuration command is
used to inject the route into BGP. [0] i
–EGP—The route is learned via the Exterior Border Gateway
Protocol (EGP). [1] e
–Incomplete—The origin of the route is unknown or learned
in some other way. An origin of incomplete occurs when a
route is redistributed into BGP. [?]
AS-Path
• The AS-path attribute is empty when a local route is inserted in the
BGP table
• The sender’s AS number is prepended to the AS-path attribute when
the routing update crosses AS boundary
• The receiver of BGP routing information can use the AS-path to
determine through which AS the information has passed
• An AS that receives routing information with its own AS number in
the AS-path silently ignores the information
AS-path prepending can be used as a metric
<route-map prepend permit 10
<match ip address 1
<set as-path prepend 100 100 100
Next-Hop Attribute
• Next-hop attribute indicates the next-hop IP address used for packet
forwarding
• Usually set to the IP address of the sending BGP router
Multi-Exit Discriminator Attribute
• The multi-exit discriminator (MED) or metric attribute is
used as a suggestion to an external AS regarding
the preferred route into the AS that is advertising
the metric.
• Only works from directly connected AS. It is not
transitive
• Default MED 0
Local Preference
• The local preference attribute is used to prefer an
exit point from the local autonomous system (AS).
Unlike the weight attribute, the local preference
attribute is propagated throughout the local AS. If
there are multiple exit points from the AS, the local
preference attribute is used to select the exit point
for a specific route.
• Default Local Preference 100
Atomic aggregate
• The atomic aggregate attribute serves as an indication to the receiver that it
can't "deaggregate" the prefix, because some of the granularity associated
with the AS paths may have been lost when the aggregate was
created, and deaggregation could result in the introduction of loops.
• Border Gateway Protocol (BGP) allows the aggregation of specific routes into
one route with the aggregate-address address mask [as-set] [summary-only] [suppress-map map-name] [advertise-map map-name] [attribute-map map-name] command. When you issue the aggregate-address command without
any arguments, there is no inheritance of the individual route attributes (such
as AS_PATH or community)
Aggregator
• AGGREGATOR is an optional transitive attribute of
length 6. The attribute contains the last AS number
that formed the aggregate route (encoded as 2
octets), followed by the IP address of the BGP
speaker that formed the aggregate route (encoded
as 4 octets). This SHOULD be the same address as
the one used for the BGP Identifier of the speaker.
• Created when the as-set option is enabled
Communities
• RFC1997, RFC1998
• Optional attribute
• Range: 0 to 4,294,901,760
• Method to group destinations into communities and apply routing
decisions (accept, prefer, redistribute, etc.) using route-maps
• Route maps are used to set the community attribute. Predefined
community attributes are listed here:
–no-export—Do not advertise this route to EBGP peers.
–no-advertise—Do not advertise this route to any peer.
–internet—Advertise this route to the Internet community; all routers in the
network belong to it.
–local-AS — Use in confederation scenarios to prevent sending packets
outside the local autonomous system (AS).
• Communities are AS specific and are stripped when transiting an
AS
Originator-ID
• Originator-ID is an optional, nontransitive BGP
attribute. This is a 4-byte attribute created by a
route reflector. The attribute carries the router ID of
the originator of the route in the local autonomous
system. Therefore, if a misconfiguration causes
routing information to come back to the originator,
the information is ignored.
Cluster List
• Cluster-list is an optional, nontransitive BGP attribute. It is a
sequence of cluster IDs that the route has passed. When a
route reflector reflects a route from its clients to nonclient
peers, and vice versa, it appends the local cluster ID to the
cluster-list. If the cluster-list is empty, it creates a new one.
Using this attribute, a route reflector can identify if routing
information is looped back to the same cluster due to
misconfiguration. If the local cluster ID is found in the cluster-list, the advertisement is ignored.
BGP Path Attribute Summary
Well-known mandatory attributes
–Recognized by everyone, always present
–AS-Path, Next-Hop, Origin
Well-known discretionary
–Recognized by everyone, optional
–Local Preference, Atomic Aggregate
Optional transitive
–Might not be recognized, propagated if not
–BGP Community, Aggregator
Optional non-transitive
–Might not be recognized, dropped if not
–Multi-exit-discriminator
Announcing Networks in BGP
• Only administratively defined networks are
announced in BGP
–Manually configure networks to be announced <network mask>
–Use redistribution from IGP
–Use aggregation to announce summary prefixes
Manually Announce Classless
Prefix in BGP
router(config-router)#
network ip-prefix-address mask subnet-mask
Configures a classless prefix to be advertised
into BGP
The prefix must exactly match an entry in the IP
forwarding table
Hint: use a static route to null 0 to create a
matching prefix in the IP forwarding table
Redistributing Routes
from IGP
• Easier than listing networks in BGP process in large networks
• Redistributed routes carry origin-attribute ‘incomplete’
• Always filter redistributed routes to prevent route leaking
Aggregating BGP Networks
• Summarization is called aggregation in BGP
–Aggregation creates summary routes (called aggregates) from
networks already in BGP table
–Individual networks could be announced or suppressed
Configuring Aggregation
router(config)#
router bgp as-number
aggregate-address address-prefix mask
• Specify aggregation range in BGP routing
process
• The aggregate will be announced if there is at
least one network in the specified range in the
BGP table
• Individual networks will still be announced in
outgoing BGP updates
Configuring Aggregation
router(config)#
router bgp as-number
aggregate-address address-prefix mask summary-only
• Configure aggregation of BGP routes
• Advertise only the aggregate and not the
individual networks
• Benefits:
–Smaller BGP routing tables
–More stable internetworks (less route flapping)
• Drawbacks:
–Problems with multi-homed customers
Configuring Aggregation with other options
• Summary plus AS path
• Prevents loops in the summary
Aggregate cont.
• Other options that can be enabled are:
–Attribute maps are used to configure the attributes of the
aggregate route, since the attributes of the original routes are
used by default when summarized
–Advertise maps allow the aggregate to inherit the attributes from
the specific networks identified in the advertise map. It is
important to note that the attribute map overrides the advertise map
–Suppress maps: this option overrides the summary-only
keyword and suppresses only the routes matched by the
suppress map
–Un-suppress maps selectively un-suppress networks
suppressed by a suppress-map
Configuring BGP Communities
• BGP communities are configured in the following steps:
–Configure route tagging with BGP communities
–Configure BGP community propagation
–Define BGP community access-lists (community-lists) to match
BGP communities
–Configure route-maps that match on community-lists and filter
routes or set other BGP attributes
–Apply route-maps to incoming or outgoing updates
Community Setting Through
Route-Map
router(config)#
route-map name
match condition
set community value [ value … ] [additive]
• Route tagging with communities is always done
with a route-map
• Any number of communities can be specified
• Communities specified in the set keyword
overwrites existing communities unless you
specify the additive option
Attaching Communities to a Route
router(config-router)#
neighbor ip-address route-map map in | out
• Applies a route-map to inbound or outbound
BGP updates
• The route-map can set BGP communities or
other BGP attributes
router(config-router)#
redistribute protocol route-map map
• Applies a route-map to redistributed routes
Configure Community Propagation
router(config-router)#
neighbor ip-address send-community
• By default, communities are stripped in
outgoing BGP updates
• Community propagation to BGP neighbors has
to be manually configured
• BGP peer groups are ideal for configuring BGP
community propagation toward a large number
of neighbors
Related Commands
set community none – Removes all community attributes
set comm-list delete – Removes specific communities
ip community-list 1 permit 200:100
route-map REM_COM permit 10
set comm-list 1 delete
set community additive – Appends to existing communities
set community 450 additive
ip community-list 1 permit 200:10 – Matches any route that
has 200:10 as one of its communities
ip community-list number permit 200:10 100:10 – Matches any route
that has either or both communities
ip community-list number permit 200:10 100:10 exact-match –
Matches only those routes that are members of both
communities
AS Path Filtering
• Several scenarios require BGP route filtering based on AS-path
–Announce only local routes to the ISP - AS-path needs to be
empty
–Select routes based on a specific AS-number in the AS-path
–Accept routes for specific AS only from some BGP neighbors
• AS-path filters use regular expressions
Regular Expressions
Ranges and Wildcard Characters
• A range of characters matches any single character
in the range
examples: [1234] or [1-4]
• dot (.) matches any single character
Regular Expressions
Matching Delimiters
^ matches beginning of string
$ matches end of string
_ matches any delimiter (beginning, end, whitespace, tab, comma)
Regular Expressions
Repeating Operators
* matches zero or more instances
? matches zero or one instances
+ matches one or more instances
Sample Regular Expressions
• _100_
Going through AS 100
• ^100$
Directly connected to AS 100
• _100$
Originated in AS 100
• ^100_.*
networks behind AS 100
• ^[0-9]+$
AS paths one AS long
• ^$
networks originated in local AS
• .*
matches everything
Regular Expression Examples
• Routes originated from a directly connected AS ( 5 ).
^5$
• Routes that passed through AS 6.
_6_
• Routes that originated in AS 7.
_7$
• Routes that originated in an odd AS.
[1,3,5,7,9]$
• Routes that originated in AS 3, or in an AS directly attached to AS 3.
^3_[0-9]*$
Configuring BGP AS-path Filters
router(config)#
ip as-path access-list number permit|deny regexp
• Configures AS-path access list
router(config-router)#
neighbor ip-address filter-list as-path-filter in|out
• Configures an inbound or outbound AS-path filter
for the specified BGP neighbor
Conditional Route Injection
• Used to inject more specific routes into BGP based on the
existence of an aggregate route, or to originate a default route
based on the existence of a certain route
BGP Authentication
• Authentication is MD5
• Configured on a per neighbor basis
r1lab(config)# router bgp 10
r1lab(config-router)# neighbor 2.2.2.2 remote-as 10
r1lab(config-router)# neighbor 2.2.2.2 password CISCO
r2(config)# router bgp 10
r2(config-router)# neighbor 1.1.1.1 remote-as 10
r2(config-router)# neighbor 1.1.1.1 password CISCO
BGP Route Flap Dampening Goals
• Minimize the amount of BGP update processing in the Internet
• Do not suppress routes that occasionally flap
• Suppress routes that are likely to flap in the future based on the
history of their behavior
Flap = removal of route
Suppress= do not use a route after it reappears
Route Flap Dampening Implementation
• Every time an eBGP route flaps it gets 1000 penalty points (iBGP
routes are not dampened)
• The penalty placed on a route is decayed using the exponential
decay algorithm
• When the penalty exceeds “suppress limit”, the route is dampened
(no longer used or propagated to other neighbors)
• A dampened route is propagated when the penalty drops below
“reuse limit”
Route Flap Dampening Implementation
• Flap history is forgotten when the penalty drops below half of
“reuse limit”
• The route is never dampened for more than “max-suppress”
time
• An unreachable route with flap history is put in “history state”
- it stays in the BGP table but only to maintain the flap history
• A penalty is applied on the individual path in the BGP table,
not on the IP prefix
Configuring BGP Route Flap Dampening
router(config-router)#
bgp dampening [half-time [reuse-limit suppress-limit max-suppress]] [route-map route-map]
Configures BGP route flap dampening
Parameter meaning:
– half-time: exponential decay half-time (time in which the penalty is halved)
– suppress-limit: penalty value at which the route starts to be dampened
– reuse-limit: penalty value at which the dampened route is reused
– max-suppress: maximum suppression time
– route-map: dampening parameters are specified with a route-map
Default BGP Dampening
Parameter Values
The following default dampening parameter values are used if you
don’t specify them:
– half-time: 15 minutes
– per-flap penalty: 1,000 (non-configurable)
– suppress limit: 2,000
– reuse limit: 750
– max-suppress-time: 60 minutes
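The dampening mechanics from the three preceding slides, as an added example that is not part of the course material: a Python model using the default values above, with exponential decay of the penalty, the suppress and reuse limits, the "history forgotten below half the reuse limit" rule, and a penalty ceiling that enforces max-suppress. The flap timestamps are constructed; the ceiling formula (reuse limit × 2^(max-suppress / half-time)) is assumed from the decay rule, not quoted from the slides.

```python
import math
from dataclasses import dataclass
from typing import List

# Default dampening values from the slide (minutes and penalty points).
HALF_LIFE_MIN = 15.0
FLAP_PENALTY = 1000.0          # per flap, not configurable
SUPPRESS_LIMIT = 2000.0
REUSE_LIMIT = 750.0
MAX_SUPPRESS_MIN = 60.0


def decayed(penalty: float, minutes: float) -> float:
    """Exponential decay: the penalty halves every half-life."""
    return penalty * 0.5 ** (minutes / HALF_LIFE_MIN)


def max_penalty() -> float:
    """Largest penalty allowed (assumed ceiling): it decays to the reuse limit
    in exactly max-suppress time, so a route is never dampened longer."""
    return REUSE_LIMIT * 2 ** (MAX_SUPPRESS_MIN / HALF_LIFE_MIN)


def minutes_until_reuse(penalty: float) -> float:
    """Minutes until a penalty decays below the reuse limit (0 if already below)."""
    if penalty <= REUSE_LIMIT:
        return 0.0
    return HALF_LIFE_MIN * math.log2(penalty / REUSE_LIMIT)


@dataclass
class DampenedPath:
    """Flap history of one eBGP path (kept per path, not per prefix)."""
    penalty: float = 0.0
    last_update: float = 0.0     # minutes; time of the last penalty update
    suppressed: bool = False

    def penalty_at(self, now: float) -> float:
        return decayed(self.penalty, now - self.last_update)

    def flap(self, now: float) -> None:
        """Apply one flap (route withdrawn) at time `now` in minutes."""
        self.penalty = min(self.penalty_at(now) + FLAP_PENALTY, max_penalty())
        self.last_update = now
        if self.penalty > SUPPRESS_LIMIT:
            self.suppressed = True

    def status(self, now: float) -> str:
        """'suppressed' (not used or propagated), 'history' (usable, flap
        history retained) or 'clear' (penalty below half the reuse limit,
        history forgotten)."""
        p = self.penalty_at(now)
        if self.suppressed and p >= REUSE_LIMIT:
            return "suppressed"
        if p < REUSE_LIMIT / 2:
            return "clear"
        return "history"


def simulate(flap_times: List[float]) -> DampenedPath:
    """Replay constructed flap timestamps (minutes) against a fresh path."""
    path = DampenedPath()
    for t in flap_times:
        path.flap(t)
    return path


if __name__ == "__main__":
    p = simulate([0, 1, 2])  # three flaps within three minutes
    print(f"penalty {p.penalty:.0f}, suppressed={p.suppressed}, "
          f"reusable after {minutes_until_reuse(p.penalty):.1f} more minutes")
```

Two flaps a minute apart leave the penalty just under the suppress limit; the third pushes it to roughly 2867, and the route then needs about 29 minutes to decay below 750.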
Limiting the Number of Routes Received
from a Neighbor
Problem definition:
–A misconfigured BGP neighbor can send a huge number of
prefixes that exhaust router’s memory or overload the CPU
(several Internet-wide incidents have already occurred)
–All other filtering mechanisms only specify what we’re willing to
accept but not how much
–A new tool is needed to establish a hard limit on the number of
prefixes received from a neighbor
Maximum-Prefix Command
router(config-router)#
neighbor ip-address maximum-prefix maximum [threshold]
[warning-only]
• Controls how many prefixes can be received from a neighbor
• Optional threshold parameter specifies the percentage where a
warning message is logged (default is 75%)
• Optional warning-only keyword specifies the action on
exceeding the maximum number (default is to drop
neighborship)
End of Day 3 Lecture
SESSION 9
Multicast
Multicast
• Outline
–Address
–RPF
–Dense/Sparse
–Source/shared
–Static RP
–Auto-RP
–BSR
–Stub
–M-B-M
–MSDP /Anycast
Multicast Address Range
Mapping a MAC Address
Reverse Path Forwarding
RPF Calculation
RPF with two paths
Multicast Distribution Trees
Dense Mode uses Source Push Technology that is very chatty
Shared Distribution Tree
Sparse Mode uses a Shared Pull model
Characteristics of Distribution Trees
Multicast Tree Creation
Multicast Distribution Tree Example
Different types of PIM
PIM Sparse Mode
How does the network know about the RP?
Static RPs
Auto RP
• Uses
–Intended for PIMv1
–C_RP Candidates
–Mapping Agent (Collects announcements and sends RP
discovery messages on 224.0.1.40)
–The RPs announce on 224.0.1.39
–Recommended to locate Can_RP and Mapping Agent on
same router
–Uses dense mode to find the RP as a fallback
Auto RP
Auto RP Cont.
Auto-RP configured
BSR Election
BSR Overview
PIM join messages that might inadvertently cross the border
BSR Highest Priority
Cont.
BSR Cont.
Configuring BSR
Hash Mask
Priority
RP priority
Anycast – RP Overview
MSDP
Anycast RP
Anycast RP Cont.
Multicast-Broadcast-Multicast
IGMP Stub
SESSION 10
QoS
QoS
• Outline
–Modular QoS CLI (MQC)
–LLQ
–Police/CAR
–WRED, CBWRED
–Marking
–Shaping, FRTS
–Fragmenting
–NBAR
MQC Class-maps
• <class-map lab (match-all is the default)
– match-any
• <match = Classify
• ? (available match criteria):
– Input interface f0/0
– Destination MAC address
– Source MAC address
– fr-de, fr-dlci
– cos, dscp, ip-prec
– any
– access-group
– protocol = NBAR (download PDLMs)
• CEF is required
• Can run <ip nbar protocol-discovery
– Packet length min or max
Policy-Map and DSCP
• Class Lab
–<set cos,dscp,ip-prec
• DSCP has 64 different colors to mark traffic
• <mls qos map dscp-map lab 31 to 41
CBWFQ
• <int f0/0
–<max-reserved-bandwidth 100 (75% is the default)
• A policy-map can use kbps or percent but not both
• <policy-map voice
–<class CONTROL
–<bandwidth 1000
–<class VOICE
–<priority 10000
• When a strict priority queue is applied to CBWFQ it is referred to as LLQ
• Can have 255 classes total
Police/CAR
• Use on edge routers to classify and/ or rate limit traffic
• Can be applied to all traffic or a subset of the traffic selected by
an access list
• Configured on an interface
• rate-limit {input | output} bps normal-burst max-burst conform-action action exceed-action action
• rate-limit {input | output} access-group index bps normal-burst max-burst conform-action action exceed-action action
– bps: bits per second
– normal-burst: normal burst bytes
– max-burst: maximum burst bytes
CBWFQ Architecture Insertion policy
Applying RED
You can change to DSCP based
random-detect dscp-based
Configuring WRED on an interface
random-detect parameters: minimum threshold (number of packets), maximum threshold (number of packets), mark probability denominator
When the average queue size is above the minimum threshold, RED starts dropping packets.
The rate of packet drop increases linearly as the average queue size increases, until the average queue size reaches the maximum threshold.
The mark probability denominator is the fraction of packets dropped when the average queue size is at the maximum threshold. For example, with a denominator of 100, one out of every 100 packets is dropped when the average queue size is at the maximum threshold.
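The WRED drop curve described above, as an added example that is not part of the course material: a Python model of one drop profile (minimum threshold, maximum threshold, mark probability denominator) with the linear ramp and the tail-drop region past the maximum threshold, fed by constructed per-packet queue depths. The exponentially weighted average queue size uses the IOS formula with the assumed default weighting exponent 9; the threshold values are constructed.

```python
import random
from dataclasses import dataclass
from typing import List


@dataclass
class WredProfile:
    """One WRED drop profile (per IP precedence or DSCP value); constructed."""
    min_threshold: int           # packets
    max_threshold: int           # packets
    mark_prob_denominator: int   # 1/denominator dropped at max_threshold


def drop_probability(avg_queue: float, prof: WredProfile) -> float:
    """Random-drop probability for the current average queue size."""
    if avg_queue < prof.min_threshold:
        return 0.0                       # below min: nothing is dropped
    if avg_queue > prof.max_threshold:
        return 1.0                       # above max: tail drop, every packet
    # Linear ramp from 0 at min to 1/denominator at max (the slide's example:
    # denominator 100 means one packet in 100 dropped at the max threshold).
    span = prof.max_threshold - prof.min_threshold
    return (avg_queue - prof.min_threshold) / span / prof.mark_prob_denominator


def average_queue_size(prev_avg: float, current: int, exponent: int = 9) -> float:
    """Exponentially weighted average as IOS computes it (assumed default n=9):
    avg = old_avg * (1 - 2^-n) + current_depth * 2^-n."""
    w = 2.0 ** -exponent
    return prev_avg * (1 - w) + current * w


def simulate_drops(queue_depths: List[int], prof: WredProfile, seed: int = 1) -> int:
    """Run constructed per-packet queue depths through WRED; return the number
    of packets dropped. The RNG is seeded so the run is repeatable."""
    rng = random.Random(seed)
    avg = 0.0
    drops = 0
    for depth in queue_depths:
        avg = average_queue_size(avg, depth)
        if rng.random() < drop_probability(avg, prof):
            drops += 1
    return drops


if __name__ == "__main__":
    prof = WredProfile(min_threshold=20, max_threshold=40, mark_prob_denominator=100)
    for avg in (10, 20, 30, 40, 41):
        print(f"avg queue {avg:>3}: drop probability {drop_probability(avg, prof):.4f}")
    print("drops with a queue stuck at 60 packets:",
          simulate_drops([60] * 5000, prof))
```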
Shaping
• Shape
Shape Peak
• Allows the router to peak to 64k
• Peak rate = CIR × (1 + Be/Bc)
• Router(config-pmap-c)# shape {average | peak} cir [bc] [be]
• Shape adaptive – reacts to the BECN field set to 1
• 25% slow-down when a BECN is received; if 16 Tc intervals pass with no
BECNs, increase by 1/16 every Tc
• Can also use fecn-adapt to send ahead to your other router to
set the BECN field.
Frame Relay Traffic Shaping
• Time Committed (TC) = 125micro
Network Based Application Recognition (NBAR)
NBAR Application Support
Packet Description Language Module
NBAR Protocol Discovery
SESSION 11
Others
NTP
Optimizing HSRP
Gateway Load Balancing Protocol (GLBP)
GLBP Operations
GLBP Cont.
Virtual Router Redundancy Protocol (VRRP)
VRRP Operational Status
VRRP Configuration
NAT
NAT with Access List—Multiple Address
Pools
NAT with Extended Access List
Configuration
ip nat pool trusted_pool 192.168.2.1 192.168.2.254 prefix-length 24
ip nat pool untrusted_pool 192.168.3.1 192.168.3.254 prefix-length 24
!
ip nat inside source list 102 pool trusted_pool
ip nat inside source list 103 pool untrusted_pool
!
interface ethernet 0
ip address 10.1.1.1 255.255.0.0
ip nat inside
!
interface serial 0
ip address 172.16.2.1 255.255.255.0
ip nat outside
!
access-list 102 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 102 permit ip 10.1.1.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 103 permit ip 10.1.1.0 0.0.0.255 any
Benefits of Route Maps with NAT
Route Map Configuration
Verifying NAT
Session 10
Security
Session 10 Outline
• Unicast Reverse Path Forwarding (uRPF)
• Context Based Access Control (CBAC)
CBAC Configuration
Enable Audit Trails and Alerts
Enable TCP Syn and Fin times
TCP UDP and DNS Idle Times
Port to Application Mapping
Port Mapping Configuration
Global Half Open Connection Limits
Configuring Inspection Rules
Apply Inspection Rule to an Interface
Unicast Reverse Path Forwarding (uRPF)
• Unicast Reverse Path Forwarding (uRPF) is a
feature originally created to implement Network
Ingress Filtering: Defeating Denial of Service
Attacks Which Employ IP Source Address Spoofing
Configuring uRPF
• By enabling Unicast Reverse Path Forwarding
(uRPF), all spoofed packets will be dropped at the
first device. To enable uRPF, use the following
commands.
IP Source Guard
• By watching which IP addresses are assigned by DHCP, a
switch can create dynamic ACLs to block all traffic except
traffic from DHCP-assigned IP addresses.
• Benefits:
–Prevents a hacker from spoofing their IP address to launch an
anonymous attack.
–Prevents users from ignoring DHCP and manually configuring a
static IP address.
IP Source Guard Configuration