CCIE R&S Advanced
© 2007 Network Learning, Inc.
Agenda
Day 1 Session 1 CCIE Program Overview
Day 1 Session 2 CCIE Foundation Overview
Day 1 Session 3 Catalyst
Day 1 Session 4 Frame Relay
Day 1 Session 5 IPv6
Day 2 Session 6 Ripv2
Day 2 Session 7 Eigrp
Day 3 Session 8 OSPF
Day 3 Session 9 BGP
Day 4 Session 10 Multicast
Day 4 Session 11 QoS
Day 4 Session 12 Others
Housekeeping
• Restrooms
• Kitchen - Soft drinks and snacks available
• Cellphones - PLEASE put them on vibrate or turn them off. If you need to take or make a call, please exit the classroom.
• Smoking - outside in front of the building
SESSION 1
CCIE R&S Program Overview
CCIE R&S Program Overview
1. CCNA/CCNP Certification (Optional)
2. CCIE Written Exam
3. CCBOOTCAMP’s R&S Foundation Course
4. Develop a Study Plan and Timeline to Prepare for the LAB
a) Review CCIE Blueprint
b) Purchase and Download recommended reading from Cisco Press and CCO web site
c) Purchase LAB workbooks
d) Purchase and Setup Home Lab
e) Reserve Online Rack rentals
f) Save money or work out a deal with your employer to budget for multiple lab attempts
5. Schedule a Lab Date commensurate with the Timeline
6. Study, Practice, Practice some more, and then study
7. CCIE Advanced Bootcamp
8. CCIE Mock LAB Bootcamp
CCIE LAB Overview
• An 8-hour, hands-on, 100-point lab exam. Candidates must score 80 or above to pass.
• Students build a network to supplied specifications on a provided Cisco equipment rack.
• Lab questions can be completed in any order, although some questions depend on the completion of previous parts of the exam.
• Physical cabling is already done.
• Some of the basic functionality is preconfigured.
• Some of the equipment, such as the backbone routers, cannot be configured by the candidate.
Cisco R&S Equipment List
• 3725 series routers - IOS 12.4 mainline – Advanced Enterprise Services
• 3825 series routers - IOS 12.4 mainline – Advanced Enterprise Services
• Catalyst 3550 series switches running IOS version 12.2 – IP Services
• Catalyst 3560 Series switches running IOS version 12.2 - Advanced IP Services
Pre-lab Checklist
• Remove the Variables, increase your chances, and get your body physically and mentally ready!
• Get to the testing city/location at least one day prior to your exam. If your time zone differs by more than six hours from the time zone of the Cisco office where you are taking your exam, plan on getting there at least two days prior to the exam.
• Drive over to the facility where your lab exam will be held. Make sure you know how long it will take you to get to the testing location.
• Look for a good place to eat breakfast near the facility.
• Eat a healthy dinner consisting of protein and complex carbohydrates. Stay away from greasy, fatty, and sugary foods. Also, if you want to eat meat, try and eat chicken or fish (avoid red meat as it takes your body longer to digest).
• Get a good night’s rest. Do not stay up the entire night trying to cram or study last minute materials. Do NOT take any type of sleep aid that could still be in your system the following day.
• Wake up at least ninety minutes before your exam start time. Get showered, dressed, and go out for breakfast.
• At breakfast, eat only healthy foods. No greasy, fatty, or sugary items should be consumed. Eat fruits, vegetables, oatmeal, etc.
• Arrive at the facility at least fifteen minutes prior to your exam.
CCIE R&S Blueprint
• Bridging and Switching
– Frame Relay
– Catalyst configuration: VLANs, VTP, STP, MSTP, RSTP, Trunk, EtherChannel, management, features, advanced configuration, Layer 3
• IP IGP Routing
– OSPF
– EIGRP
– RIPv2
– IPv6: Addressing, RIPng, OSPFv3
– GRE
– ODR
– Filtering, redistribution, summarization and other advanced features
• BGP
– iBGP
– eBGP
– Filtering, redistribution, summarization, synchronization, attributes and other advanced features
CCIE (R&S) Blueprint Cont.
• IP and IOS Features
– IP addressing
– DHCP
– HSRP
– IP services
– IOS user interfaces
• System management
– NAT
– NTP
– SNMP
– RMON
– Accounting
• IP Multicast
– PIM, bi-directional PIM
– MSDP
– Multicast tools, source specific multicast
– DVMRP
– Anycast
• QoS
– Quality of service solutions
– Classification
– Congestion management, congestion avoidance
– Policing and shaping
– Signaling
– Link efficiency mechanisms
– Modular QoS command line
• Security
– AAA
– Security server protocols
– Traffic filtering and firewalls
– Access lists
– Routing protocols security, catalyst security
– CBAC
– Other security features
These topics are covered in the Advanced Boot Camp.
SESSION 2 CCIE Advanced Bootcamp Overview
Advanced Class Hours - Instructor
• Monday 9:00 AM till your head hurts
• Tuesday 9:00 AM till your head hurts
• Wednesday 9:00 AM till your head hurts
• Thursday 9:00 AM till your head is spinning
• Friday 9:00 AM till 3-ish [Mock Lab]
Lunch Break at 1:00 PM to 2:00 PM (60 minutes)
CCBOOTCAMP R&S Rack Layout
[Rack diagram: Cisco 2811 routers R1-R8, each with Fas0/0 and Fas0/1 to the switch pair (SW1/SW2, or SW3/SW4 for R7 and R8) and serial interfaces S0/0/0, S0/0/1, S0/1/0, S0/1/1 into the Frame Relay cloud (FRS1-FRS9, switch side DCE); backbone routers BB1-BB3 (including a 3640); Catalyst switches SW1-SW4 interconnected on Fas0/19-Fas0/22; LS1010 ATM switch. Labels: TFTP Server Address: 172.22.1.254 /24; ACS/CA Server 192.168.0.0 /16; PublicNet 172.22.10X.0 /24 (DG: 172.22.10X.1).]
SESSION 3 Switching
First Things First (Ping Script)
tclsh
foreach address {
150.10.1.1
150.10.2.2
150.10.3.3
150.20.5.5
150.20.35.35
} {ping $address}
On a switch
Things You should already know (not covered)
• Interface Commands
• VTP
• Spanning Tree
• SPAN
• Storm Control
• Protected Ports
• 802.1X authentication
• Trunking
• MAC Address expiration
• Templates
Topics Covered
• Ether-channel and Load Balancing
• MST spanning tree
• Rapid Spanning Tree
• Advanced Switch Security
• Switch QoS
EtherChannel
• PAgP automatically groups interfaces with the same speed, duplex, mode, native VLAN, VLAN range, and trunking status and type.
• The EtherChannel group looks like a single switch port to Spanning Tree.
• PAgP modes: auto, desirable, on
• The first port in the channel that comes up provides its MAC address to the EtherChannel
Link Aggregation Control Protocol
• LACP is defined in IEEE 802.3ad and enables Cisco switches to manage Ethernet channels between switches
• Similarly configured ports are grouped based on hardware, administrative, and port parameter constraints such as same speed, duplex mode, native VLAN, VLAN range, and trunking status and type
• A port in the active mode can form an EtherChannel with another port that is in the active or passive mode.
• A port in the passive mode cannot form an EtherChannel with another port that is also in the passive mode because neither port starts LACP negotiation.
• Up to 16 ports per EtherChannel: 8 active and 8 standby.
*Note: when the mode is configured manually (on), both ends of the EtherChannel must have the same configuration. If the group is misconfigured, packet loss or spanning-tree loops can occur.
Load Balancing and Forwarding
• Reduces part of the binary pattern formed from the addresses in the frame to a numerical value that selects one of the links in the channel.
• EtherChannel load balancing can use MAC addresses or IP addresses, source or destination addresses, or both source and destination addresses.
Source/destination MAC load balancing
• The PCs use different ports on SW1
• The router will use different ports to reply to the PCs
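The address-hashing rule described on the two slides above, as an added worked model (not from the course material): it maps the `port-channel load-balance` keywords to a selection of low-order address bits and shows why source/destination MAC balancing spreads both the PCs' traffic and the router's replies while a single-address method does not. The XOR-of-low-order-bits hash, the 2/4/8-link restriction, and all hosts, MACs and IPs are assumptions and constructed values.

```python
"""EtherChannel member-link selection from frame addresses.

Added example, not from the slides: models the load-balancing rule described
above, where low-order address bits are reduced to a link index, for the
'port-channel load-balance' keywords src-mac, dst-mac, src-dst-mac, src-ip,
dst-ip and src-dst-ip. Assumption: a simplified XOR-of-low-order-bits hash
with 2, 4 or 8 members (1, 2 or 3 bits); real ASIC hashes vary by platform.
Hosts, MACs and IPs are constructed.
"""
from collections import Counter

METHODS = ("src-mac", "dst-mac", "src-dst-mac", "src-ip", "dst-ip", "src-dst-ip")


def _mac_int(mac: str) -> int:
    """Accept 'aaaa.bbbb.cccc' or 'aa:bb:cc:dd:ee:ff'."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address {mac!r}")
    return int(digits, 16)


def _ip_int(ip: str) -> int:
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address {ip!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def select_link(method, links, src_mac, dst_mac, src_ip=None, dst_ip=None):
    """Return the 0-based index of the bundle member the frame is hashed onto."""
    if links not in (2, 4, 8):
        raise ValueError("model supports bundles of 2, 4 or 8 links")
    if method not in METHODS:
        raise ValueError(f"unknown load-balance method {method!r}")
    if method.endswith("ip") and (src_ip is None or dst_ip is None):
        raise ValueError("IP-based balancing needs both IP addresses")
    if method == "src-mac":
        value = _mac_int(src_mac)
    elif method == "dst-mac":
        value = _mac_int(dst_mac)
    elif method == "src-dst-mac":
        value = _mac_int(src_mac) ^ _mac_int(dst_mac)
    elif method == "src-ip":
        value = _ip_int(src_ip)
    elif method == "dst-ip":
        value = _ip_int(dst_ip)
    else:  # src-dst-ip
        value = _ip_int(src_ip) ^ _ip_int(dst_ip)
    return value & (links - 1)          # keep log2(links) low-order bits


def link_distribution(method, links, flows):
    """Count flows per member link. flows: (src_mac, dst_mac, src_ip, dst_ip) tuples."""
    return dict(Counter(select_link(method, links, *flow) for flow in flows))


# Constructed topology from the slide: four PCs behind SW1, one router across the channel.
PCS = [("0000.0c00.0001", "10.1.1.11"), ("0000.0c00.0002", "10.1.1.12"),
       ("0000.0c00.0003", "10.1.1.13"), ("0000.0c00.0004", "10.1.1.14")]
ROUTER = ("0000.0c00.0010", "10.1.1.1")

PC_TO_ROUTER = [(mac, ROUTER[0], ip, ROUTER[1]) for mac, ip in PCS]
ROUTER_TO_PC = [(ROUTER[0], mac, ROUTER[1], ip) for mac, ip in PCS]

if __name__ == "__main__":
    for method in METHODS:
        print(f"{method:12} PC->router {link_distribution(method, 2, PC_TO_ROUTER)}"
              f"  router->PC {link_distribution(method, 2, ROUTER_TO_PC)}")
```

With a single-address method (dst-mac towards the router, src-mac on the replies) every flow hashes to the same member; the two-address methods spread both directions.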
Switch Security
• MAC Flood Attacks
• Port Security
• ARP Inspection
• MAC ACLs
• VACLs
• Private VLANs
Rapid Spanning Tree Protocol (RSTP)
RSTP Port Roles
RSTP Port States
• RSTP provides rapid convergence of the spanning tree.
• Reconfiguration of the spanning tree can occur in less than 1 second (in contrast to 50 seconds with 802.1D)
• Only non-edge ports moving to the forwarding state cause a topology change.
Rapid PVST
802.1s (Multiple Spanning Tree)
• MST (IEEE 802.1s) combines the best aspects of both PVST+ and 802.1Q.
• When you enable MST you enable 802.1w (RSTP)
• The idea is that several VLANs can be mapped to a reduced number of spanning-tree instances, because most networks do not need more than a few logical topologies.
• There is no need to run 1000 instances. If you map half of the 1000 VLANs to a different spanning-tree instance, as shown in this diagram, these statements are true:
–The desired load-balancing scheme can still be achieved, because half of the VLANs follow one separate instance.
–The CPU is spared because only two instances are computed.
MST Configuration
MAC Flood Attacks
• Affects Transparent Switches
• Switches Learn and populate the CAM table based on Source MAC addresses
• If too many MAC addresses are sent, the CAM table fills and the switch enters fail-open mode
• The switch then forwards every frame out every port
• This allows an attacker to sniff other clients' unicast traffic.
Preventing MAC Flooding with Port Security
Port Security - Aging
• Static - applies the aging timer to static secure entries as well
• Time - <1-1440> aging time in minutes
• Type
– absolute: absolute aging (default)
– inactivity: aging based on the inactivity time period
MAC Address
• The actual MAC address can be entered manually
• Dynamically learned MAC addresses can also be stored with sticky
Maximum
• The total number of MAC addresses allowed on a port
Violations
• The action to take if port security is violated:
–protect—When the number of secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred (no syslog/SNMP).
–restrict—When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.
–shutdown—The interface is error-disabled when a violation occurs, and the port LED turns off. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.
Apply Port Security and Verify
• If more than 3 MAC addresses are learned, any additional source addresses will cause the port to be shut down (error-disabled).
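The three violation actions and the `maximum 3` behaviour described above, as an added model (not from the course material) that runs the same frame sequence through each action so the differences in forwarding, notification and error-disable can be compared; it also shows the HSRP case from the next slide, where the router's burned-in MAC and the virtual MAC are two sources on one port. The MAC addresses and notification text are constructed; `PortSecurity`, `compare_modes` and `hsrp_violates` are this example's own names.

```python
"""Port-security violation actions on one access port.

Added example, not from the slides: a small model of 'switchport port-security'
so the protect, restrict and shutdown actions and the 'maximum' limit can be
compared on the same sequence of source MACs. MAC addresses and notification
text are constructed; only the HSRP virtual MAC follows the real
0000.0c07.acXX pattern.
"""
from dataclasses import dataclass, field

VIOLATION_MODES = ("protect", "restrict", "shutdown")


@dataclass
class PortSecurity:
    maximum: int = 1                 # switchport port-security maximum N
    violation: str = "shutdown"      # switchport port-security violation {protect|restrict|shutdown}
    static_macs: frozenset = frozenset()   # switchport port-security mac-address H.H.H
    secure_macs: set = field(default_factory=set)
    violation_count: int = 0
    err_disabled: bool = False
    notifications: list = field(default_factory=list)   # syslog / SNMP trap (constructed text)

    def __post_init__(self):
        if self.violation not in VIOLATION_MODES:
            raise ValueError(f"violation must be one of {VIOLATION_MODES}")
        if len(self.static_macs) > self.maximum:
            raise ValueError("more static secure MACs than the configured maximum")
        self.secure_macs = {m.lower() for m in self.static_macs}

    def ingress(self, src_mac: str) -> str:
        """Handle one frame; return 'forward', 'drop' or 'err-disabled'."""
        if self.err_disabled:
            return "err-disabled"          # stays down until errdisable recovery or shut/no shut
        mac = src_mac.lower()
        if mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(mac)      # dynamically learned secure address
            return "forward"
        # Table full and the source is unknown: this is a violation.
        if self.violation == "protect":
            return "drop"                  # silent: no syslog, no trap, counter unchanged
        self.violation_count += 1
        self.notifications.append(f"violation on port: unknown source {mac}")
        if self.violation == "restrict":
            return "drop"
        self.err_disabled = True           # shutdown: error-disable the interface
        return "err-disabled"


def compare_modes(frames, maximum=3):
    """Run the same frames through each violation action; return a per-mode summary."""
    summary = {}
    for mode in VIOLATION_MODES:
        port = PortSecurity(maximum=maximum, violation=mode)
        results = [port.ingress(f) for f in frames]
        summary[mode] = {
            "results": results,
            "violations": port.violation_count,
            "notified": len(port.notifications),
            "err_disabled": port.err_disabled,
        }
    return summary


# Constructed: three legitimate hosts, a fourth unknown source, then host 1 again.
SAMPLE_FRAMES = ["0000.0c00.0001", "0000.0c00.0002", "0000.0c00.0003",
                 "0000.0c00.0004", "0000.0c00.0001"]

# HSRP case: the router's burned-in MAC plus the virtual MAC (0000.0c07.ac<group>)
# are two sources on one port, so 'maximum 1' violates and 'maximum 2' does not.
ROUTER_BIA = "0000.0c12.3456"        # constructed burned-in address
HSRP_GROUP1_VMAC = "0000.0c07.ac01"


def hsrp_violates(maximum: int) -> bool:
    port = PortSecurity(maximum=maximum, violation="restrict")
    port.ingress(ROUTER_BIA)
    port.ingress(HSRP_GROUP1_VMAC)
    return port.violation_count > 0


if __name__ == "__main__":
    for mode, s in compare_modes(SAMPLE_FRAMES).items():
        print(f"{mode:9} {s['results']} violations={s['violations']} "
              f"notified={s['notified']} err-disabled={s['err_disabled']}")
    print("HSRP with maximum 1 violates:", hsrp_violates(1))
    print("HSRP with maximum 2 violates:", hsrp_violates(2))
```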
HSRP and Port Security
• HSRP has a virtual MAC address that counts towards the maximum allowed on a port configured for port security.
• Options:
–switchport port-security maximum 2 (can still cause a violation for a short period of time)
–Static MAC address entry for the HSRP virtual MAC address
–(Best choice) use-bia command on the router's interface
•standby use-bia (scope: interface)
http://www.cisco.com/en/US/products/ps6350/products_command_reference_chapter09186a00804462c4.html#wp1165870
ARP Spoofing
• Gratuitous ARP
–Detect IP conflicts. When a machine receives an ARP request containing a source IP that matches its own, then it knows there is an IP conflict.
–They assist in the updating of other machines' ARP tables.
–They inform switches of the MAC address of the machine on a given switch port, so that the switch knows that it should transmit packets sent to that MAC address on that switch port.
–Every time an IP interface or link goes up, the driver for that interface will typically send a gratuitous ARP to preload the ARP tables of all other local hosts.
ARP DoS
• Overloads a switch port with ARP traffic
• The switch can handle an untrusted host connecting to as many as 15 new hosts per second; the rate is checked every 1 second
• If the limit is exceeded, the port changes to the error-disabled state
IP ARP Inspection
• This feature helps prevent malicious attacks on the switch by not relaying invalid ARP requests and responses to other ports in the same VLAN
• How does it work?
–DHCP Snooping (Recommended in production)
–Static ARP Access-list (Use for Lab situation)
ARP inspection Cont.
• Option to change defaults per port
IP Source Guard
• By watching which IP addresses are assigned by DHCP, a switch can create dynamic ACLs to block all traffic except traffic from DHCP-assigned IP addresses.
• Benefits:
–Prevents a hacker from spoofing their IP address to launch an anonymous attack.
–Prevents users from ignoring DHCP and manually configuring a static IP address.
IP Source Guard Configuration
DHCP Snooping
• Create a DHCP snooping database on flash or a TFTP server
• Enable DHCP snooping
• "The option-82 information contains the switch MAC address (the remote ID suboption) and the port identifier, vlan-mod-port, from which the packet is received (circuit ID suboption). The switch forwards the DHCP request that includes the option-82 field to the DHCP server."
ip dhcp snooping database flash:file01.txt
ip dhcp snooping
ip dhcp snooping information option
Show IP DHCP Snooping Bindings
Switch> show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
01:02:03:04:05:06   10.1.2.150       9837        dhcp-snooping  20    GigabitEthernet0/1
00:D0:B7:1B:35:DE   10.1.2.151       237         dhcp-snooping  20    GigabitEthernet0/2
Total number of bindings: 2
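How the binding table above feeds the checks described on the IP Source Guard and ARP Inspection slides, as an added worked example (not from the course material): it parses the slide's `show ip dhcp snooping binding` output, then decides whether constructed frames and ARP messages would be permitted. The frames, ARP samples and the exact matching semantics (IP Source Guard checking IP plus MAC, DAI checking the sender pair per VLAN) are assumptions of this example.

```python
"""Parse 'show ip dhcp snooping binding' output and apply the checks that
IP Source Guard and Dynamic ARP Inspection derive from the binding table.

Added example, not from the course material. SAMPLE_OUTPUT is the table shown
on the slide; the frames and ARP messages below are constructed. Assumptions:
IP Source Guard is modelled as 'ip verify source port-security' (IP + MAC) with
an option to check the IP only, and DAI validates the ARP sender IP/MAC pair
against bindings in the same VLAN.
"""
import re
from dataclasses import dataclass

SAMPLE_OUTPUT = """\
Switch> show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
01:02:03:04:05:06   10.1.2.150       9837        dhcp-snooping  20    GigabitEthernet0/1
00:D0:B7:1B:35:DE   10.1.2.151       237         dhcp-snooping  20    GigabitEthernet0/2
Total number of bindings: 2
"""

BINDING_RE = re.compile(
    r"^(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<lease>\d+|infinite)\s+(?P<kind>\S+)\s+(?P<vlan>\d+)\s+(?P<intf>\S+)\s*$"
)
TOTAL_RE = re.compile(r"Total number of bindings:\s*(\d+)")


@dataclass(frozen=True)
class Binding:
    mac: str        # normalised to lowercase
    ip: str
    lease: int      # seconds remaining; -1 for 'infinite' (static bindings)
    kind: str       # dhcp-snooping or static
    vlan: int
    interface: str


def parse_bindings(text: str) -> list:
    """Return the Binding rows; prompt, header and separator lines are skipped.
    Raises if the switch's own total disagrees with the rows parsed."""
    rows = []
    for line in text.splitlines():
        m = BINDING_RE.match(line.strip())
        if m is None:
            continue
        lease = -1 if m["lease"] == "infinite" else int(m["lease"])
        rows.append(Binding(m["mac"].lower(), m["ip"], lease, m["kind"],
                            int(m["vlan"]), m["intf"]))
    total = TOTAL_RE.search(text)
    if total and int(total.group(1)) != len(rows):
        raise ValueError(f"parsed {len(rows)} rows but switch reports {total.group(1)}")
    return rows


def ip_source_guard_permits(bindings, interface, vlan, src_ip, src_mac,
                            check_mac=True) -> bool:
    """Untrusted port: forward only what matches a binding learned on that
    port and VLAN. A statically configured host, or a host using a
    neighbour's address, has no matching binding and is dropped."""
    for b in bindings:
        if b.interface != interface or b.vlan != vlan or b.ip != src_ip:
            continue
        if not check_mac or b.mac == src_mac.lower():
            return True
    return False


def dai_permits(bindings, vlan, sender_ip, sender_mac) -> bool:
    """DAI on an untrusted port: relay ARP only if the sender IP/MAC pair is
    in the snooping database for that VLAN, so a gratuitous ARP claiming a
    neighbour's IP is not relayed."""
    return any(b.vlan == vlan and b.ip == sender_ip and b.mac == sender_mac.lower()
               for b in bindings)


if __name__ == "__main__":
    table = parse_bindings(SAMPLE_OUTPUT)
    for b in table:
        print(b)
    # Constructed traffic on Gi0/1 (VLAN 20): the legitimate host, then two mismatches.
    for ip, mac in [("10.1.2.150", "01:02:03:04:05:06"),
                    ("10.1.2.151", "01:02:03:04:05:06"),    # neighbour's address
                    ("10.1.2.200", "01:02:03:04:05:06")]:   # ignored DHCP, static IP
        ok = ip_source_guard_permits(table, "GigabitEthernet0/1", 20, ip, mac)
        print(f"IPSG {ip} from {mac}: {'permit' if ok else 'drop'}")
    # Constructed ARP: a valid reply, then a gratuitous ARP claiming another host's IP.
    print("DAI valid     :", dai_permits(table, 20, "10.1.2.151", "00:D0:B7:1B:35:DE"))
    print("DAI mismatched:", dai_permits(table, 20, "10.1.2.150", "00:D0:B7:1B:35:DE"))
```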
MAC Address Access-List
• You can configure a MAC address ACL using either of the following:
–access-list 700-799: 48-bit MAC address access-list
–access-list 1100-1199: extended 48-bit MAC address access-list
• To filter using the MAC address access-list, first define the access-list. Say that you wanted to allow only a host with the MAC address 0800.0123.4567 to access the Ethernet0/0 interface. You would define the access-list like this:
Router(config)# access-list 700 permit 0800.0123.4567
You can use the same method to filter by "vendor code". Every company that creates Ethernet devices is assigned a block of MAC addresses, and all addresses in that block begin with a specific prefix. This prefix is known as the "vendor code".
Protocol Type-Code Access-Lists (ACL)
• Used for non IP traffic
• Inbound only
MAC ACLs Cont.
Vlan ACLs (VACLs)
Private VLANs
• The private-VLAN feature addresses two problems that service providers face when using VLANs:
–Scalability: The switch supports up to 1005 active VLANs. If a service provider assigns one VLAN per customer, this limits the number of customers the service provider can support.
–To enable IP routing, each VLAN is assigned a subnet address space or a block of addresses, which can result in wasting the unused IP addresses, and cause IP address management problems.
Primary to Secondary VLAN
• There are two types of secondary VLANs:
–Isolated VLANs—Ports within an isolated VLAN cannot communicate with each other at the Layer 2 level.
–Community VLANs—Ports within a community VLAN can communicate with each other but cannot communicate with ports in other communities at the Layer 2 level.
Private Vlan Access Ports
• Private VLANs provide Layer 2 isolation between ports within the same private VLAN. Private-VLAN ports are access ports that are one of these types:
–Promiscuous—A promiscuous port belongs to the primary VLAN and can communicate with all interfaces, including the community and isolated host ports that belong to the secondary VLANs associated with the primary VLAN. (Default Gateway)
–Isolated—An isolated port is a host port that belongs to an isolated secondary VLAN. It has complete Layer 2 separation from other ports within the same private VLAN, except for the promiscuous ports.
–Community—A community port is a host port that belongs to a community secondary VLAN. Community ports communicate with other ports in the same community VLAN and with promiscuous ports.
* Note: Trunk ports carry traffic from regular VLANs and also from primary, isolated, and community VLANs.
Issues with VTP V3 and Private VLANs
• Private VLANs need VTPv3
• If configuring in a 3550 or 3560 set VTP to transparent
Private Vlan Compatibility
• Do not configure private-VLAN ports on interfaces configured for these other features:
– dynamic-access port VLAN membership
– Dynamic Trunking Protocol (DTP)
– Port Aggregation Protocol (PAgP)
– Link Aggregation Control Protocol (LACP)
– Multicast VLAN Registration (MVR)
– voice VLAN
– Web Cache Communication Protocol (WCCP)
Private VLAN configuration
Show private Vlans
Promiscuous Port / Default Gateway
Primary
Secondary
Applying a Community to interfaces
3560 QOS Considerations
• Uses shaped round robin (SRR)
• Q1 can be configured as a priority queue
• Queues can operate in shaped or sharing modes
• Each interface can be assigned to one of two queue-sets
–4 egress queues
–2 ingress queues
• Congestion avoidance algorithm is Weighted Tail Drop (WTD)
*Note: the 3550 only has egress queues, and queue 4 is the priority queue by default
Weighted Tail Drop
• Queue size is 1000 frames.
• Three drop percentages are configured: 40 percent (400 frames), 60 percent (600 frames), and 100 percent (1000 frames).
• 400 frames can be queued at the 40-percent threshold, up to 600 frames at the 60-percent threshold, and up to 1000 frames at the 100-percent threshold.
SRR Shaping and Sharing
• Both the ingress and egress queues are serviced by Shaped Round Robin (SRR)
• SRR controls the rate at which packets are sent.
• On the ingress queues, SRR sends packets to the internal ring.
• On the egress queues, SRR sends packets to the egress port.
Input Queue
[Table: input queue settings: bandwidth weight for queue 1 and queue 2; queue ID; DSCP values mapped to each queue]
Output Queue
[Table: output queue settings: queue-set ID; queue ID; drop threshold, reserved threshold and maximum threshold; buffer percentage for queue 1, queue 2, queue 3 and queue 4]
SRR applied
Frame Relay
• Interfaces
• Inverse ARP
• Mesh
• Hub and spoke
• Point-to-point
• Combination
• Issues
• Advanced Frame-relay and PPP
Frame-Relay Interface Configuration
Inverse ARP
Static Mappings
Sub Interfaces
Point-to-Multipoint Sub interface
Point-to-point Sub Interface
Mesh Topology
Full Mesh Frame-relay
• Requirements
–Physical interface with Inverse ARP
•NO frame-relay maps required
–Physical interface with NO inverse-arp allowed
•A PVC/FR map configured between each router
–Total PVCs = k(k-1)/2, where k = number of routers
–3 routers need 6 DLCIs
–All routers are on the same subnet
–All routers are using the physical interface
–Can support Broadcast or NBMA
Full Mesh Frame-relay Point-to-Multipoint Sub
• In a Frame Relay mesh multipoint configuration, the following must be true before two routers can communicate:
–The destination IP address must be in the routing table
–There must be a frame-relay map for the destination IP address. The destination IP address can be any IP address including yours. (need a map statement to ping your own interface)
Hub and Spoke Topology
Frame Relay Hub and Spoke
• Requirements
–With physical interfaces and Inverse ARP
•No map statements needed on spokes
•Map statements needed on hub to all spokes
–With physical interfaces and no Inverse ARP
•Map statements needed on hub to each spoke and one map from each spoke to the hub
–Enable broadcasts over the NBMA if required for routing protocol or multicast
–All routers are on a common subnet
Example Configuration from the HUB router
On r1lab:
interface Serial0/0/0
 ip address 131.1.234.1 255.255.255.0
 encapsulation frame-relay
 frame-relay map ip 131.1.234.2 102 broadcast
 frame-relay map ip 131.1.234.3 103 broadcast
 frame-relay map ip 131.1.234.4 104 broadcast
 no frame-relay inverse-arp
 no shutdown
To prevent Inverse ARP, wait until all routers have been configured for Frame Relay before un-shutting the interfaces.
Frame Relay Hub and Spoke Point-to-Multipoint
• Inverse ARP is not recommended and should be disabled
• FR map statements are needed on the hub's subinterface to each spoke.
• FR map statements are needed from each spoke to the hub.
–Enable broadcasts over the NBMA if required for routing protocol or multicast
–All routers are on a common subnet
–Still need a map statement to ping your own interface
Frame Relay Point-to-Point
• Requirements
–Uses subinterfaces
–A separate L3 subnet for each pair of routers
–Works the same with or without Inverse ARP
Note: if the routers are configured in a point-to-point manner they will NOT generate Inverse ARP requests; however, if they receive a request, they will respond. This is useful for combinations where one end is a p2p subinterface and the other is a physical interface.
Troubleshoot Frame Relay
• Show interface
• Show controllers serial
• Show frame-relay lmi
• Show frame-relay pvc
• Show frame-relay map
• Debug frame-relay lmi
PPP 2-way authentication (PAP and CHAP)
Debug PPP authentication
PAP/CHAP configuration
FREEK (Frame Relay End-to-End Keepalives)
• Four modes determine the type of keepalive traffic each device sends and responds to:
– In bidirectional mode, the device will send keepalive requests to the other end of the VC and will respond to keepalive requests from the other end of the VC.
– In request mode, the device will send keepalive requests to the other end of the VC.
– In reply mode, the device will respond to keepalive requests from the other end of the VC.
– In passive-reply mode, the device will respond to keepalive requests from the other end of the VC, but will not track errors or successes.
Configuring FREEK
For example, the configuration could require 3 events in a row.
Objectives
• IPv6 Addressing
• IPv6 Address Scopes
• Enabling IPv6
• RIPng
• EIGRP for IPv6
• OSPFv3
• OSPFv3 over NBMA
• IPv6 over IPv4
Things not covered
• IPv6 Neighbor Discovery
• Duplicate Address Detection
• Solicited Node
• Stateless Auto-configuration
• DHCPv6
• DNSv6
Larger Address Space
• IPv4
–32 bits or 4 bytes long
• 4,200,000,000 possible addressable nodes
• IPv6
–128 bits or 16 bytes: four times the bits of IPv4
• ≈ 3.4 × 10^36 possible addressable nodes
• 340,282,366,920,938,463,374,607,432,768,211,456 (≈ 340 undecillion)
• ≈ 5 × 10^28 addresses
IPV6 Addressing
• IPV6 addresses are 128 bits long
• Consecutive zeroes can be eliminated (::)
• 2001:0:0:A1::1E2A/64
–2001:0:0:A1 is the network portion
–Interface portion is 0:0:0:1E2A or ::1E2A
IPV6 Address Scopes
• Link-local Scope
• Unique-local Scope
• Global Scope
Link-local
• Identifies all hosts within a single layer 2 domain
• Unicast addresses within this scope are called link-local addresses
• They are assigned by default when ipv6 is enabled on an interface
• Network address is always FE80::/10
• Host portion derived from MAC address (Modified EUI-64)
• Can also be configured manually: R3(config-if)#ipv6 address FE80::3 link-local
• Independent of the global addressing scheme
• Cannot be routed
[Address format, 128 bits: FE80::/10 prefix (1111 1110 10, 10 bits) | zeros | 64-bit Interface ID]
IPv6 Address Configuration (Cont.)
LAN: 3ffe:b00:c18:1::/64, Ethernet0, MAC address: 0060.3e47.1530
ipv6 unicast-routing
interface Ethernet0
 ipv6 address 3ffe:b00:c18:1::/64 eui-64
router# show ipv6 interface Ethernet0
Ethernet0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::260:3EFF:FE47:1530
  Global unicast address(es):
    3FFE:B00:C18:1:260:3EFF:FE47:1530, subnet is 3FFE:B00:C18:1::/64
  Joined group address(es):
    FF02::1:FF47:1530
    FF02::1
    FF02::2
  MTU is 1500 bytes
Unique-local
• Previously referred to as site local
• Identifies all devices within an administrative domain containing multiple distinct links
• Unicast addresses within this scope are called unique-local addresses
• Have a scope limited to the site
• Network address is always FEC0::/10
• 16 bits in the network address identify the subnet
• Host portion derived from MAC address (Modified EUI-64)
[Address format, 128 bits: FEC0::/10 prefix (1111 1110 11, 10 bits) | zeros | 16-bit Subnet ID | 64-bit Interface ID]
Global Unicast Addresses
• Global unicast addresses are:
–Addresses for generic use of IPv6
• Identifies all devices reachable across the Internet
• Unicast addresses within this scope are called global unicast addresses
• Have to be globally unique and routable
• Addresses reserved for global scope: 2000::/3
• Can have a variable subnet portion
• Last 64 bits for the interface identifier
[Address format: Global Routing Prefix (Provider) | Subnet ID (Site) | 64-bit Interface ID; a site is usually given a /48]
Unspecified and Loopback Addresses
• Unspecified address:
–0:0:0:0:0:0:0:0
–Used as a placeholder when no address is available (initial DHCP request, DAD)
• Loopback address:
–0:0:0:0:0:0:0:1
–Same as 127.0.0.1 in IPv4
–Identifies self
IPv4-Mapped Addresses
• IPv4-mapped addresses:
–Used to represent the addresses of IPv4 nodes as IPv6 addresses
[Address format: 80 bits of 0 | 16 bits FFFF | 32-bit IPv4 address]
0:0:0:0:0:FFFF:192.168.30.1
= ::FFFF:192.168.30.1
= ::FFFF:C0A8:1E01
IPv4-Compatible Addresses
• IPv4-compatible addresses:
–Refer to an IPv4/IPv6 node that supports automatic tunneling
0:0:0:0:0:0:192.168.30.1
= ::192.168.30.1
= ::C0A8:1E01
[Address format: 80 bits of 0 | 16 bits 0000 | 32-bit IPv4 address]
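The address forms on the preceding IPv6 slides (EUI-64 interface IDs on the configuration and link-local slides, the `::` notation, the solicited-node group joined in the `show ipv6 interface` output, and the IPv4-mapped and IPv4-compatible forms), as one added worked example that is not part of the course material. It computes them from the slide's MAC address 0060.3e47.1530 and prefix 3ffe:b00:c18:1::/64; the RFC 5952 compression routine and all function names are this example's own, and Python's `ipaddress` module is used only to parse input text.

```python
"""IPv6 address construction and notation used on the preceding slides.

Added example, not from the course material. Computes modified EUI-64 interface
IDs, link-local and global addresses, the solicited-node multicast group, and
the IPv4-mapped / IPv4-compatible forms, and compresses them per RFC 5952.
The ipaddress module is used only to parse text; formatting is done here so the
output is identical across Python versions.
"""
import ipaddress


def compress(addr: int) -> str:
    """RFC 5952 text form: lowercase hex groups, longest run (>= 2) of zero
    groups replaced by '::' (the first such run wins on a tie)."""
    groups = [(addr >> (16 * (7 - i))) & 0xFFFF for i in range(8)]
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    hexg = [format(g, "x") for g in groups]
    if best_len < 2:
        return ":".join(hexg)
    return ":".join(hexg[:best_start]) + "::" + ":".join(hexg[best_start + best_len:])


def parse(text: str) -> int:
    return int(ipaddress.IPv6Address(text))


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64: split the 48-bit MAC, insert FF:FE, flip the U/L bit."""
    raw = bytes.fromhex(mac.replace(".", "").replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 48 bits")
    eui = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])
    eui[0] ^= 0x02                      # universal/local bit, bit 7 of the first octet
    return int.from_bytes(eui, "big")


def eui64_address(prefix: str, mac: str) -> str:
    """What 'ipv6 address <prefix>/64 eui-64' produces on an interface."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    return compress(int(net.network_address) | eui64_interface_id(mac))


def link_local(mac: str) -> str:
    """FE80::/10 plus the EUI-64 interface ID; assigned automatically when IPv6 is enabled."""
    return eui64_address("fe80::/64", mac)


def solicited_node(address: str) -> str:
    """FF02::1:FFxx:xxxx, built from the low 24 bits of the unicast address."""
    return compress(parse("ff02::1:ff00:0") | (parse(address) & 0xFFFFFF))


def ipv4_mapped(ipv4: str) -> str:
    """::FFFF:a.b.c.d, the IPv6 representation of an IPv4-only node."""
    return compress((0xFFFF << 32) | int(ipaddress.IPv4Address(ipv4)))


def ipv4_compatible(ipv4: str) -> str:
    """::a.b.c.d, used by automatic-tunneling IPv4/IPv6 nodes."""
    return compress(int(ipaddress.IPv4Address(ipv4)))


def network_and_interface(address_with_len: str) -> tuple:
    """Split e.g. 2001:0:0:A1::1E2A/64 into its network and interface portions."""
    iface = ipaddress.IPv6Interface(address_with_len)
    addr = int(iface.ip)
    host_mask = (1 << (128 - iface.network.prefixlen)) - 1
    return compress(addr & ~host_mask & ((1 << 128) - 1)), compress(addr & host_mask)


if __name__ == "__main__":
    mac, lan = "0060.3e47.1530", "3ffe:b00:c18:1::/64"
    glob = eui64_address(lan, mac)
    print("link-local      ", link_local(mac))
    print("global unicast  ", glob)
    print("solicited-node  ", solicited_node(glob))
    print("ipv4-mapped     ", ipv4_mapped("192.168.30.1"))
    print("ipv4-compatible ", ipv4_compatible("192.168.30.1"))
    print("net / iface     ", network_and_interface("2001:0:0:A1::1E2A/64"))
```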
Enabling IPV6
• ipv6 unicast-routing (global config mode)
• ipv6 address 2001:200:1:1::1/64 (interface mode)
• Link-local addresses are generated by default or use manual configuration
RIPng
• Neighbors need not be on the same global subnet since they are on the same link-local subnet
• Hence the router has to advertise its own prefix for the link out of that interface
• In addition to the frame-relay map ipv6 broadcast to the Global Address you also need a map to the link local address.
• RIP messages are sent to the all RIP routers link-local multicast address FF02::9/128
• RIPng uses the authentication headers present in IPv6 for authentication purposes
RIPng Configuration
• ipv6 rip abc enable (interface mode)
• show ipv6 protocol
• show ipv6 rip
• show ipv6 rip database
OSPFv3
• Basic mechanisms such as flooding, DR election, areas and SPF calculations remain the same
• Additionally, Link LSAs announce link-local addresses and a list of IPv6 prefixes to associate with the link
• Intra-Area-Prefix LSAs carry all IPv6 prefixes to all OSPFv3 routers within an area (they correspond to the router and network LSAs in OSPFv2)
• Inter-Area-Prefix LSA (0x2003) replaces the summary (type 3) LSA
• Inter-Area-Router LSA (0x2004) replaces the type 4 LSA
• OSPFv3 runs on a per-link basis rather than a per-subnet basis as in OSPFv2
• Authentication is removed from OSPF; OSPFv3 relies on IPv6 authentication
LSA Type Review
LSA                     Function Code   LSA type
Router-LSA              1               0x2001
Network-LSA             2               0x2002
Inter-Area-Prefix-LSA   3               0x2003
Inter-Area-Router-LSA   4               0x2004
AS-External-LSA         5               0x4005
Group-membership-LSA    6               0x2006
Type-7-LSA              7               0x2007
Link-LSA                8               0x0008
Intra-Area-Prefix-LSA   9               0x2009
OSPFv3 Configuration
• ipv6 ospf 100 area 0 (interface mode)
• In case of an ipv6 only router configure a 32 bit router id under ipv6 router ospf 100
• Summary can be configured under ipv6 router ospf 100 using the command area 1 range 2001::/48
• show ipv6 ospf
• show ipv6 ospf neighbor
OSPFv3 over NBMA
• OSPFv3 over NBMA is very similar to OSPF over NBMA
• The hub interface priority has to be increased to make it the DR
• The spokes should be configured with a priority of 0 so that they never participate in the DR elections
105105105© 2007 Network Learning, Inc.
OSPFv3 over NBMA
• Moreover, neighbors have to be specified
• The address for the neighbor has to be the link-local address
• Neighbors have to be specified only on the hub, not on the spokes
• frame-relay maps have to be configured pointing to the neighbor's link-local address on both hub and spokes, as well as to the global addresses (if configured)
• show ipv6 interface s0/1/0 displays the link-local address
OSPFv3 over NBMA Hub
interface Serial0/1/0
 ipv6 ospf priority 100
 ipv6 ospf neighbor FE80::20A:B8FF:FE6B:A478
 ipv6 ospf neighbor FE80::20A:B8FF:FE2C:7DC8
 ipv6 ospf 10 area 0
 frame-relay map ipv6 FE80::20A:B8FF:FE6B:A478 106
 frame-relay map ipv6 FE80::20A:B8FF:FE2C:7DC8 105
OSPFv3 over NBMA Spoke
interface Serial0/1/0
 ipv6 ospf priority 0
 ipv6 ospf 10 area 0
 frame-relay map ipv6 FE80::217:95FF:FE27:B900 601
 frame-relay map ipv6 FE80::20A:B8FF:FE2C:7DC8 601
IPv6 over IPv4
• IPv6 can be tunneled over IPv4
• The tunnel mode is GRE by default; it can be changed to ipv6ip (tunnel mode ipv6ip) for a plain IPv6-in-IPv4 tunnel
• The tunnel interface itself needs an IPv6 address
• The tunnel source and destination are IPv4 addresses
• A routing protocol can be enabled on the tunnel
interface Tunnel0
 no ip address
 ipv6 address 2002:100:24:1::2/64
 ipv6 ospf 100 area 0
 tunnel source 10.86.72.17
 tunnel destination 10.86.72.18
ISATAP
• ISATAP is an IETF transition mechanism (RFC 4214) that allows IPv6 hosts and routers to connect over an IPv4 network; it is a better solution than the 6to4 tunnel mechanism when hosts inside a site need IPv6 over an IPv4-only campus.
• ISATAP works like 6to4 tunnels, with one major difference: it uses a special IPv6 address on the edge routers. This special IPv6 address is formed as follows:
– The network portion can be any IPv6 /64 prefix.
– The host portion (interface identifier) starts with 0000:5EFE, and the rest of the host portion is the tunnel's source IPv4 address written as 32 bits.
• This translation is performed automatically.

ISATAP cont.
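Both ISATAP and 6to4 derive addresses from the IPv4 tunnel endpoint, which is what makes them automatic. The following Python is an added example (not part of the original slides) that builds an ISATAP address from a /64 and an IPv4 address, recovers the embedded IPv4 address back out of one, and derives the 6to4 /48. The 2001:db8:1::/64 prefix and the use of the slide's 10.86.72.17 tunnel source are assumptions for illustration.

```python
import ipaddress

# 00-00-5E-FE: the IANA OUI plus 0xFE that starts every ISATAP interface identifier.
ISATAP_MARKER = 0x00005EFE
UL_BIT = 0x02000000          # the u/l bit of a Modified EUI-64 identifier (first octet 0x02)


def isatap_interface_id(ipv4, globally_unique=None):
    """64-bit ISATAP interface identifier for an IPv4 tunnel endpoint
    (RFC 4214 section 6.1): 0000:5EFE followed by the 32-bit IPv4 address.
    The u/l bit is set (0200:5EFE) when the IPv4 address is globally unique."""
    v4 = ipaddress.IPv4Address(ipv4)
    if globally_unique is None:
        globally_unique = v4.is_global
    top = ISATAP_MARKER | (UL_BIT if globally_unique else 0)
    return (top << 32) | int(v4)


def isatap_address(prefix, ipv4, globally_unique=None):
    """The full address: any /64 network portion plus the derived identifier."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("ISATAP identifiers are 64 bits, so the network portion must be a /64")
    return str(ipaddress.IPv6Address(int(net.network_address) | isatap_interface_id(ipv4, globally_unique)))


def embedded_ipv4(address):
    """Recover the IPv4 tunnel endpoint hidden in an ISATAP address, or None when
    the identifier does not carry the 5EFE marker (handy when such addresses
    turn up in logs)."""
    iid = int(ipaddress.IPv6Address(address)) & 0xFFFFFFFFFFFFFFFF
    if ((iid >> 32) & ~UL_BIT & 0xFFFFFFFF) != ISATAP_MARKER:
        return None
    return str(ipaddress.IPv4Address(iid & 0xFFFFFFFF))


def six_to_four_prefix(ipv4):
    """6to4 derives its /48 automatically: 2002:<IPv4 in hex>::/48 (RFC 3056);
    the tunnel address 2002:100:24:1::2 on the previous slide is in that range."""
    v4 = ipaddress.IPv4Address(ipv4)
    return str(ipaddress.IPv6Network(((0x2002 << 112) | (int(v4) << 80), 48)))


if __name__ == "__main__":
    print("ISATAP:", isatap_address("2001:db8:1::/64", "10.86.72.17"))   # 2001:db8:1::5efe:a56:4811
    print("6to4:", six_to_four_prefix("10.86.72.17"))                    # 2002:a56:4811::/48
    print("embedded:", embedded_ipv4("2001:db8:1::5efe:a56:4811"))       # 10.86.72.17
```

The embedded_ipv4() helper is the one to keep in mind from a security point of view: any ISATAP or 6to4 address seen in a log reveals the IPv4 tunnel endpoint behind it.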
End of Day 1 Lecture

SESSION 6 RIPv2
RIPv2
• Outline
–Updates
–Optimize
–Filtering
–Summary
–Authentication
–Default Routes
–Advanced
Classless Routing (RIPv2)
The version 2 extensions provide the following enhancements to RIP:
• Subnet mask information is now included in routing updates, allowing RIP to handle VLSM addressing
• A next-hop address is carried with each route entry
• External route tags can be used
• Routing updates are multicast (224.0.0.9) instead of broadcast
• Support for MD5 authentication (plain-text authentication is in RFC 2453; MD5 was added by RFC 2082)
Split Horizon
Never advertise a network out of the interface from which it was learned
Poison Reverse
• Once you learn of a route through an interface, advertise it back through the same interface as unreachable (metric 16)
Timers
• Update – the rate (time in seconds, default 30) at which routing updates are sent
• Invalid – the interval (in seconds, default 180) after which a route is declared invalid if no update for it has been heard
• Holddown – the interval (in seconds, default 180) during which routing information about better paths to the route is suppressed
• Flush – the amount of time (in seconds, default 240) that must pass before a route is removed from the routing table
Optimize
Obscure Topics
• Offset list – adds to the metric (hop count) of matching routes; here 3 hops are added to routes for 10.1.10.0 learned inbound
r1lab(config)# access-list 1 permit 10.1.10.0
r1lab(config)# router rip
r1lab(config-router)# offset-list 1 in 3
• Source IP address validation – by default RIP checks that the source of an incoming update is on the same subnet as the receiving interface; disable it for "off network" neighbors
r1lab(config-router)# no validate-update-source
  Note: for unnumbered IP interfaces (interfaces configured as ip unnumbered), no checking is performed.
• Interpacket delay – slows down the sending of routing update packets; typically used when a fast router talks to a slow router that drops bursts of updates
r1lab(config)# router rip
r1lab(config-router)# output-delay <8-50 milliseconds>
Filtering – Inverse Mask
• Allow only the odd /24 networks under 1.1.0.0 from R1 to the other routers
access-list 1 permit 1.1.1.0 0.0.254.255

In the wildcard (inverse) mask a 0 bit means "must match my network", a 1 bit means "don't care".

                  128 64 32 16 8 4 2 1   (third octet)
1.1.1.0             0  0  0  0 0 0 0 1
1.1.3.0             0  0  0  0 0 0 1 1
1.1.5.0             0  0  0  0 0 1 0 1

Mask        11111111.11111111.11111110.00000000   (shown as a normal mask for comparison)
Network     00000001.00000001.00000001.00000000
First host  00000001.00000001.00000001.00000000

• Odd numbers always have the least significant bit set to 1; even numbers never do. So the ACL must match on that one bit of the third octet.
• The wildcard 254 in the third octet is 11111110, which tells the ACL to ignore every bit of that octet except the least significant one; the ACL address 1.1.1.0 supplies the 1 that bit must equal.
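The odd/even trick is just one instance of wildcard-mask matching, and it is easy to get backwards. The following Python is an added example (not part of the original slides) that implements IOS wildcard semantics in general, shows which bits an entry really checks, and evaluates the slide's access-list 1 against sample networks (the networks are constructed for the test).

```python
import ipaddress


def wildcard_matches(address, acl_address, wildcard):
    """IOS wildcard-mask semantics: a 0 bit in the mask means 'this bit must
    match the ACL address', a 1 bit means 'don't care'. That is the inverse of
    a subnet mask, hence the slide's name 'inverse mask'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (address, acl_address, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def checked_bits(acl_address, wildcard):
    """Show which bits an ACL entry really checks: 'x' for don't-care bits."""
    n, w = (int(ipaddress.IPv4Address(x)) for x in (acl_address, wildcard))
    bits = ["x" if (w >> i) & 1 else str((n >> i) & 1) for i in range(31, -1, -1)]
    return ".".join("".join(bits[o * 8:(o + 1) * 8]) for o in range(4))


def standard_acl(entries):
    """Build an evaluator for a standard ACL: ordered (action, address, wildcard)
    entries, first match wins, implicit deny at the end."""
    def evaluate(address):
        for action, acl_address, wildcard in entries:
            if wildcard_matches(address, acl_address, wildcard):
                return action
        return "deny"
    return evaluate


# access-list 1 permit 1.1.1.0 0.0.254.255, the slide's odd-third-octet filter
ODD_THIRD_OCTET = standard_acl([("permit", "1.1.1.0", "0.0.254.255")])

if __name__ == "__main__":
    print(checked_bits("1.1.1.0", "0.0.254.255"))   # 00000001.00000001.xxxxxxx1.xxxxxxxx
    for net in ("1.1.1.0", "1.1.2.0", "1.1.3.0", "1.1.4.0", "1.1.5.0", "1.2.1.0"):
        print(net, ODD_THIRD_OCTET(net))
```

Swapping the ACL address to 1.1.0.0 with the same wildcard gives the even networks, because the bit that must match is now 0.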
Distribute List
RIP V2 Summarization
• Applied to an interface: r1lab(config-if)# ip summary-address rip 10.20.0.0 255.255.255.0
• Split horizon must stay enabled on that interface; IOS does not send the RIP summary when split horizon is disabled there
• Auto-summary can only summarize to the classful boundary; 
ip summary-address rip allows classless summarization
• Does not insert a Null0 entry into the routing table
RIP V2 Features
• Authentication
r1lab(config)# key chain cisco
r1lab(config-keychain)# key 1
r1lab(config-keychain-key)# key-string cisco
r1lab(config)# interface s0
r1lab(config-if)# ip rip authentication key-chain cisco
r1lab(config-if)# ip rip authentication mode <md5 | text>
• Classless
• Route summarization (auto-summary is enabled by default)
r1lab(config)# router rip
r1lab(config-router)# no auto-summary
IP RIP Triggered
• When you enable triggered extensions to RIP, routing updates are transmitted on the WAN only if one of the following events occurs:
–The router receives a specific request for a routing update, which causes the full database to be sent.
–Information from another interface modifies the routing database, which causes only the latest changes to be sent.
–The interface comes up or goes down, which causes a partial database to be sent.
–The router is powered on for the first time to ensure that at least one update is sent, which causes the full database to be sent
Default routes in RIP
• Redistribute a static default: ip route 0.0.0.0 0.0.0.0 null0 permanent, then redistribute static
• default-information originate
• ip default-network 1.0.0.0 (the classful network must be present in the routing table)
Example of default information
Advanced Workaround with RIP / RSPAN
(Diagram: RIPv2 on F1/0)
• R4 must receive RIP routes from BB2 but is not permitted to redistribute from OSPF
• SPAN or RSPAN is used to copy the RIP updates to R4, together with no validate-update-source, since the updates then arrive from an off-subnet source
Redistribution
Advertising Routes between Routing Protocols
• Longest match
• Administrative distance
• Redistribution
• Route maps
• Distribute lists
• Prefix lists
Longest Match
>show ip route
D 172.33.1.0/25 via 192.168.1.1   <- preferred for destinations inside the /25
R 172.33.1.0/24 via 192.168.1.2
O 172.33.1.0/23 via 192.168.1.3
The most specific prefix wins the forwarding lookup, regardless of which protocol installed it.
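Longest match and administrative distance are applied at different steps, and candidates often confuse the two: AD chooses which protocol's route for a given prefix gets installed, longest match then chooses between the installed prefixes when forwarding. The following Python is an added example (not part of the original slides) that models both steps on the three routes from the slide plus a constructed competing RIP route; the AD values are the IOS defaults.

```python
import ipaddress

# Cisco IOS default administrative distances for the route codes on the slide
# (C connected, S static, B eBGP, D EIGRP, O OSPF, R RIP).
DEFAULT_AD = {"C": 0, "S": 1, "B": 20, "D": 90, "O": 110, "R": 120}


def build_rib(candidates):
    """candidates: (code, prefix, next_hop) or (code, prefix, next_hop, ad).
    For every prefix only the candidate with the lowest administrative
    distance is installed; that is the table 'show ip route' displays.
    Longest match plays no part in this step: the /25, /24 and /23 are
    three different prefixes and all three are installed."""
    rib = {}
    for cand in candidates:
        code, prefix, next_hop = cand[:3]
        ad = cand[3] if len(cand) > 3 else DEFAULT_AD[code]
        net = ipaddress.IPv4Network(prefix, strict=False)
        if net not in rib or ad < rib[net]["ad"]:
            rib[net] = {"code": code, "next_hop": next_hop, "ad": ad}
    return rib


def lookup(rib, destination):
    """Forwarding lookup: the most specific (longest) prefix containing the
    destination wins, regardless of which protocol installed it."""
    dest = ipaddress.IPv4Address(destination)
    best = None
    for net, route in rib.items():
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, route)
    return best


# The slide's three routes plus a constructed competing RIP route for the /25.
SLIDE_ROUTES = [
    ("D", "172.33.1.0/25", "192.168.1.1"),
    ("R", "172.33.1.0/24", "192.168.1.2"),
    ("O", "172.33.1.0/23", "192.168.1.3"),
    ("R", "172.33.1.0/25", "192.168.1.9"),   # loses to EIGRP: AD 120 > 90
]

if __name__ == "__main__":
    rib = build_rib(SLIDE_ROUTES)
    for dest in ("172.33.1.100", "172.33.1.200", "172.33.0.5"):
        net, route = lookup(rib, dest)
        print(dest, "->", net, "via", route["next_hop"], "(%s, AD %d)" % (route["code"], route["ad"]))
```

Note that 172.33.1.200 is outside the /25 (which only covers .0 to .127), so it follows the RIP /24 even though the EIGRP route has the better AD; and lowering RIP's distance below 90 with the distance command flips which /25 is installed without touching the lookup logic at all.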
Administrative Distance

Allow Redistribution on R1
Maintain the R (RIP) routes on R1 even after redistribution

Example Configuration with AD
Route Maps
• Route filtering
• Metric control
• Used extensively in BGP
• Used for setting IP precedence
• Policy routing (not part of redistribution)
• Can use match and set clauses
route-map lab permit 10
 match ip address 1 3                (several values on one match line are ORed)
 match ip address prefix-list lab    (separate match lines are ANDed)
Distribute Lists
• Used with access-lists (or prefix-lists, or a route map) to filter incoming or outgoing updates
• Be as specific as possible when applying the distribute list
• RIP and EIGRP – inbound or outbound, optionally per interface
  distribute-list 1 in ethernet 0 (a route map can be used instead of the ACL)
  distribute-list 1 out ethernet 0
• OSPF – inbound only filters what is installed in the routing table, never the LSDB; an outbound distribute list applies only to routes being redistributed into OSPF on the ASBR
  distribute-list 1 in ethernet 0
• IS-IS does not use distribute lists
• BGP – applied to the neighbor
  neighbor 2.2.2.2 distribute-list 1 in
Prefix Lists
• Prefix lists are a more sophisticated form of route filtering than access lists. They filter on prefix and prefix length, as distribute lists with ACLs do, but they are easier to read and need fewer commands to configure. The other advantage over an ACL-based distribute list is that sequence numbers make it easy to add, remove and reorder statements. Entries are evaluated in sequence order, the first match wins, and there is an implicit deny at the end; without ge/le an entry matches only that exact prefix and length.
• For example:
ip prefix-list xx seq 10 permit 204.134.12.0/22
ip prefix-list xx seq 20 permit 204.134.16.0/21
ip prefix-list xx seq 30 permit 204.134.24.0/24
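The most common prefix-list mistake is expecting seq 10 above to admit the /24s inside 204.134.12.0/22; it does not, because without ge/le the length must match exactly. The following Python is an added example (not part of the original slides) that implements the IOS matching and ordering rules and evaluates the slide's list xx, then extends it with a ge/le entry; the candidate prefixes are constructed for the test.

```python
import ipaddress


def prefix_list_entry(seq, action, prefix, ge=None, le=None):
    """One 'ip prefix-list NAME seq SEQ permit|deny PREFIX [ge N] [le M]' line."""
    return {"seq": seq, "action": action, "net": ipaddress.IPv4Network(prefix, strict=False),
            "ge": ge, "le": le}


def entry_matches(entry, candidate):
    """IOS matching rules for one entry: the candidate must lie within the
    entry's prefix, and its length must be within the allowed range:
    no ge/le -> exactly the entry's length; ge only -> ge..32;
    le only -> entry length..le; both -> ge..le."""
    cand = ipaddress.IPv4Network(candidate, strict=False)
    net, ge, le = entry["net"], entry["ge"], entry["le"]
    if not cand.subnet_of(net):
        return False
    if ge is None and le is None:
        low = high = net.prefixlen
    else:
        low = ge if ge is not None else net.prefixlen
        high = le if le is not None else 32
    return low <= cand.prefixlen <= high


def evaluate_prefix_list(entries, candidate):
    """Entries are evaluated in sequence-number order, the first match wins,
    and a candidate that matches nothing hits the implicit deny at the end."""
    for entry in sorted(entries, key=lambda e: e["seq"]):
        if entry_matches(entry, candidate):
            return entry["action"]
    return "deny"


# The slide's list xx, exactly as shown.
PREFIX_LIST_XX = [
    prefix_list_entry(10, "permit", "204.134.12.0/22"),
    prefix_list_entry(20, "permit", "204.134.16.0/21"),
    prefix_list_entry(30, "permit", "204.134.24.0/24"),
]

if __name__ == "__main__":
    for p in ("204.134.12.0/22", "204.134.13.0/24", "204.134.16.0/21",
              "204.134.24.0/24", "204.134.28.0/22"):
        print(p, evaluate_prefix_list(PREFIX_LIST_XX, p))
```

Adding seq 40 permit 204.134.0.0/16 ge 24 le 24 admits every /24 under 204.134.0.0 and nothing longer, and a deny inserted at a lower sequence number takes precedence no matter when it was added.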
Redistribution Problems
• When redistributing OSPF into BGP, by default BGP only accepts OSPF internal routes, not external type 1 or type 2 (add match internal external 1 external 2)
• Watch for administrative distance problems
• Beware of the metric used by RIP (hop count, maximum 15)
• Redistributing into RIP requires a metric or default-metric, or the routes get metric 16 (unreachable)
• Redistributing into EIGRP requires a metric or default-metric, or the routes get metric infinity
• Always filter routes when doing redistribution
Advanced RIP
• One static route allowed; receive the RIP routes

SESSION 7 EIGRP
EIGRP
• Outline
–Overview
–Updates
–Authentication
–Default Routes
–Summarization
–Metrics
EIGRP
• EIGRP is a Cisco proprietary routing protocol loosely based on the original IGRP
• EIGRP is an advanced distance-vector routing protocol, with optimizations to minimize both the routing instability incurred after topology changes and the use of bandwidth and processing power in the router
• EIGRP and IGRP processes with the same AS number redistribute into each other automatically
• EIGRP uses the Diffusing Update Algorithm (DUAL), which guarantees loop-free operation
• In particular, DUAL avoids the "count to infinity" behavior common in distance-vector routing protocols
• The maximum hop count of EIGRP-advertised routes (i.e. destination networks) is 255. 100 is the default; it is changed in the routing process with metric maximum-hops <1-255>
• EIGRP is often described as an advanced distance-vector or "hybrid" routing protocol
• Classless (VLSM)
EIGRP Updates
• Hellos are exchanged between neighbors; to form an adjacency the two sides must agree on:
– AS number
– Subnet (the primary addresses must be on the same subnet)
– Authentication
– K-values
1. Neighbor table
2. Topology table (determines the successor (primary) and feasible successor (backup))
3. DUAL algorithm (loop free)
4. Routing table (the successor is installed as the primary route)
*Note: updates are sent to 224.0.0.10 and EIGRP uses IP protocol number 88
Successor versus Feasible Successor
• Reported Distance (RD) is the metric from your neighbor (the next hop) to the destination, as that neighbor advertises it
• Feasible Distance (FD) is the lowest metric from the current router all the way to the destination; it is the cost of the link to the neighbor plus that neighbor's RD
FD--------RD---------Destination. R1--------R2-----------R3
• To qualify as a feasible successor, a next-hop router must have an RD strictly less than the FD of the current successor route (the feasibility condition)
• EIGRP metric with the default K values = 256 x (10^7 / lowest bandwidth in kbps along the path + sum of all link delays along the path in tens of microseconds)
EIGRP Authentication
• Similar to RIPv2 authentication
• Only MD5 authentication is supported
r1lab(config)# key chain cisco
r1lab(config-keychain)# key 1
r1lab(config-keychain-key)# key-string ccie
r1lab(config)# interface s0
r1lab(config-if)# ip authentication mode eigrp 222 md5
r1lab(config-if)# ip authentication key-chain eigrp 222 cisco
Default Routes in EIGRP
• ip summary-address eigrp 100 0.0.0.0 0.0.0.0 (on the interface)
• ip default-network
• ip route 0.0.0.0 0.0.0.0 null0, then redistribute static
– or network 0.0.0.0 under the EIGRP process
EIGRP Summarization
• Auto summary is on by default – disable it
• Summarization is done on the interface: r1lab(config-if)# ip summary-address eigrp 222 10.2.0.0 255.255.255.0 5
• A Null0 entry for the summary is always added; it exists to avoid loops
• The trailing 5 is the administrative distance of that Null0 summary route; 5 is the default and a higher value can be used for a floating summary
• You can bump the AD to 255 to keep the Null0 route out of the routing table, but then the summary can cause a loop if you do not filter properly
EIGRP Leak Map
On the remote router

Virtual Template in PPP with Leak Map
• Problem – a leak map cannot be used with subinterfaces
• Must use PPP and a virtual template
EIGRP Stub Areas
• Affects what the router will advertise
• Reduces processing on the router (neighbors do not send queries to a stub router)
• Controls what networks are advertised
• Four options: receive-only, summary, connected, and static
router eigrp 1
 eigrp stub summary leak-map leaky
Problems with EIGRP Stub
• Every remote router in the EIGRP AS that should be a stub needs the stub command; the stub flag is carried in hello packets, and a hub that still has non-stub neighbors keeps querying them, so the stuck-in-active (SIA) problem is not fully solved
• Workaround: use the stub configuration on all routers that need to be stubs within a single AS
• Use a separate AS for all other EIGRP routers and redistribute between the EIGRP AS processes on the hub router
Tuning EIGRP
OPTIONAL EIGRP COMMANDS:
• ip hello-interval eigrp – use this interface command to change the hello timer
• ip hold-time eigrp – use this interface command to change the hold time this router advertises to its neighbors on the interface (how long they wait for a hello before declaring it down)
• metric weights – allows you to set the K values of the EIGRP metric
• distance – used to change the administrative distance of routes received from a neighbor
• delay – specifies the delay of an interface in tens of microseconds
• bandwidth – specifies the bandwidth of an interface in kilobits per second
• passive-interface – prevents the sending of EIGRP hellos on the link, so no adjacency forms there
• offset-list – used to increase the value of the routing metrics
Miscellaneous Topics
• Offset list
r1lab(config)# access-list 1 permit 10.2.1.0
r1lab(config)# router eigrp 222
r1lab(config-router)# offset-list 1 in 10000
• Adjust the percentage of interface bandwidth used for EIGRP packets – 50% is the default
r1lab(config-if)# ip bandwidth-percent eigrp 222 10
It is very important to summarize and use stubs in large EIGRP networks; otherwise the query traffic to find successor routes could easily take 50% of the bandwidth. If we throttle the percentage too much, convergence times will be affected.
Equal Cost Load Balancing
Change the number of equal-cost paths installed with the maximum-paths command in the EIGRP process
EIGRP Unequal-Cost Load Balancing
• EIGRP offers unequal-cost load balancing – variance command
• Variance allows the router to include routes with a metric smaller than the multiplier times the minimum metric route to that destination
– Multiplier is the number specified by the variance command
Traffic-Share
• Determines how traffic is load balanced
• Two options:
– balanced (balances across paths in proportion to their metrics)
– min across-interfaces (traffic still uses only the lowest-metric path)
router eigrp 1
 variance 2
 traffic-share balanced   (actively uses the lower-speed link to load balance with the higher-speed links)
* Note: with min the extra paths are only added to the routing table for fallback; no traffic is sent over them
Under the interface you can configure per-packet or per-destination load sharing:
ip load-sharing per-packet  or  ip load-sharing per-destination
Variance Example
• Router E chooses router C to get to network Z because FD = 20
• With a variance of 2, router E also uses router B to get to network Z: (20 + 10 = 30) < [2 * 20 (FD) = 40]
• Router D is not used to get to network Z (45 > 40)
• To use D we need a variance of 3, because 3 x 20 = 60 and 60 > 45. D must also satisfy the feasibility condition (its RD less than the FD of 20); variance alone never installs a path that is not a feasible successor
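The metric formula from the successor/feasible successor slide and the variance rule from this slide fit together in a few lines of code. The following Python is an added example (not part of the original slides) that computes the classic EIGRP metric with IOS integer arithmetic and then selects successor, feasible successors and variance-installed paths. The candidate numbers are constructed to reproduce the slide's totals of 20, 30 and 45; the reported distances are assumptions, since the slide does not give them.

```python
def eigrp_metric(min_bandwidth_kbps, total_delay_usec, k1=1, k2=0, k3=1, k4=0, k5=0,
                 load=1, reliability=255):
    """Classic 32-bit EIGRP composite metric with IOS integer arithmetic.
    With the default K values (1 0 1 0 0) it reduces to
    256 * (10^7 / slowest bandwidth in kbps + sum of delays in tens of usec)."""
    bw = 10_000_000 // min_bandwidth_kbps
    delay = total_delay_usec // 10
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay
    if k5:
        metric = metric * k5 // (reliability + k4)
    return metric * 256


def select_paths(candidates, variance=1):
    """candidates: list of (neighbor, reported_distance, link_cost).
    The metric via a neighbor is its RD plus the cost of the link to it.
    Successor = lowest total, and that total is the FD.
    Feasible successor = any other neighbor whose RD is strictly less than the
    FD (the feasibility condition that keeps DUAL loop-free).
    variance N installs, besides the successor, every feasible successor whose
    total is less than N * FD.  A neighbor that fails the feasibility condition
    is never installed, however large the variance."""
    totals = {nbr: rd + cost for nbr, rd, cost in candidates}
    successor = min(totals, key=totals.get)
    fd = totals[successor]
    feasible = [nbr for nbr, rd, cost in candidates if nbr != successor and rd < fd]
    installed = [successor] + [nbr for nbr in feasible if totals[nbr] < variance * fd]
    return {"fd": fd, "successor": successor, "feasible_successors": feasible, "installed": installed}


# Constructed numbers matching the slide's totals (20 via C, 30 via B, 45 via D);
# the RDs are assumptions, the slide does not give them.
ROUTER_E_CANDIDATES = [("C", 10, 10), ("B", 10, 20), ("D", 15, 30)]

if __name__ == "__main__":
    print("FastEthernet metric:", eigrp_metric(100000, 100))      # 28160
    print("T1 metric:", eigrp_metric(1544, 20000))                # 2169856
    for v in (1, 2, 3):
        print("variance", v, "->", select_paths(ROUTER_E_CANDIDATES, v)["installed"])
```

The two metric values are the familiar ones for a 100 Mbps Ethernet (bandwidth 100000, delay 100 µs) and a T1 (bandwidth 1544, delay 20000 µs). Change D's reported distance to 20 and it disappears from the installed list even with variance 3, which is the caveat added to the last bullet above.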
End Day 2 Lecture
Session 8 OSPF
OSPF
• Outline
– OSPF network types
– RID
– LSA
– Adjacencies
– Area types
– New features
– Authentication
– Summaries
– Filtering
Network Types
• The easiest configuration is to configure all OSPF frame relay interfaces for point-to-multipoint
• If the lab prohibits you from changing the network type you can try the neighbor command

Physical Frame Relay interface     Default OSPF network type
Physical interface                 Non-broadcast
Multipoint subinterface            Non-broadcast
Point-to-point subinterface        Point-to-point
OSPF Over NBMA Topology Summary

Mode                                    Preferred topology                              Subnet address                                  Adjacency               DR/BDR
Non-broadcast                           Fully meshed                                    Same                                            Manual configuration    Elected
Broadcast                               Fully meshed                                    Same                                            Automatic               Elected
Point-to-multipoint nonbroadcast        Partial mesh (hub and spoke)                    Same                                            Manual configuration    No
Point-to-point and point-to-multipoint  Partial mesh (hub and spoke using               Different for each point-to-point subinterface, Manual DR on hub        No for point-to-point
subinterfaces                           subinterfaces)                                  the same for point-to-multipoint
Hello and Dead Timers
• In order to form a neighbor adjacency, hello and dead timers must match
• Timers differ based on the network type configured:
– broadcast: hello 10 seconds, dead 40 seconds
– point-to-point: hello 10 seconds, dead 40 seconds
– non-broadcast: hello 30 seconds, dead 120 seconds
– point-to-multipoint: hello 30 seconds, dead 120 seconds
• Timers can be manually adjusted through the "ip ospf hello-interval" and "ip ospf dead-interval" interface commands
Hello and Dead Timers

Interface                                         OSPF network type   Hello   Dead
Physical interface                                Non-broadcast       30      120
Point-to-point subinterface                       Point-to-point      10      40
Point-to-multipoint subinterface                  Non-broadcast       30      120
Physical interface changed with                   Broadcast           10      40
  ip ospf network broadcast
Point-to-point subinterface changed to NBMA       Non-broadcast       30      120
Miscellaneous OSPF - Timers
• Basic timers
– Hello-interval
  interface serial 1/0
  ip ospf hello-interval 20 – automatically changes the dead-interval to 80 (dead = hello x 4)
– Dead-interval
  interface serial 1/0
  ip ospf dead-interval 50 – does NOT change the hello-interval
• Unless – see next slide
OSPF Timers – Fast Hellos
• Added in 12.2(15)T
• Enables faster convergence
• Sets the dead interval to 1 second; the hello interval becomes 1 second divided by the hello-multiplier
• Example – hellos every 250 ms (multiplier 4, dead interval 1 second)
ip ospf dead-interval minimal hello-multiplier 4
Router ID
• Uniquely identifies an OSPF router to its neighbors
• Dotted decimal, 32 bits
• 223.255.255.255 highest possible router ID
• Statically set the Router ID (preferred) *note they may reboot the routers before they grade
router ospf 1
 router-id 150.5.50.5
• Otherwise the highest IP address of all configured loopbacks is used
• If no loopback is present it uses the highest IP address of an active interface
• Used for virtual-link commands
• The highest priority wins the DR election; the highest Router ID is only the tie-breaker
Link State Advertisement (LSA) Types
• 1 - Router LSA - Each OSPF router generates a single type 1 LSA per area to describe the status and cost (metric) of all its links in that area. This LSA is flooded within the OSPF area only.
• 2 - Network LSA - The designated router on a broadcast segment (e.g. Ethernet) lists which routers are joined together by the segment.
• 3 - Network summary LSA - An Area Border Router (ABR) takes information it has learned in one of its attached areas and summarizes it before sending it into its other areas.
• 4 - ASBR summary LSA - Type 5 external LSAs are flooded to all areas, and the detailed next-hop information may not be available in those other areas. The ABR floods the information for the router (i.e. the Autonomous System Border Router) where the type 5 originated.
• 5 - AS external LSA - These LSAs contain information imported into OSPF from other routing processes. They are flooded to all areas (except stub areas and NSSAs).
• 6 - Group membership LSA - Defined for multicast extensions to OSPF (MOSPF), which Cisco IOS does not support.
• 7 - NSSA external LSA - A not-so-stubby area (NSSA) does not receive external LSAs from its Area Border Routers, but is allowed to originate external routing information for redistribution. It uses type 7 LSAs to tell the ABRs about these external routes, which the Area Border Router then translates to type 5 external LSAs and floods as normal to the rest of the OSPF network.
LSA Table

Scope      LSA                     Advertising router     Routing table code        Database command
Intra      1 (Router)              All routers in area    O                         show ip ospf database router
Intra      2 (Network)             DR only                N/A                       show ip ospf database network
Inter      3 (Summary)             ABR                    O IA                      show ip ospf database summary
Inter      4 (ASBR summary)        ABR                    N/A                       show ip ospf database asbr-summary
External   5 (type 1 or type 2)    ASBR                   O E2 (default) or O E1    show ip ospf database external
           6 (MOSPF)               not supported; Cisco can log a syslog error when one is received
External   7 (NSSA external)       ASBR (in NSSA)         O N1 or O N2              show ip ospf database nssa-external

Multicast addresses: AllSPFRouters 224.0.0.5 (to every OSPF router on the segment), AllDRouters 224.0.0.6 (to the DR and BDR)
Problems preventing Neighbor Adjacency
• Mismatched hello or dead timers
• Subnet mask mismatch
• Authentication mismatch
• Area ID doesn't match
• Area stub flag not set on both sides
• Duplicate RID
• MTU mismatch (the adjacency stalls in Exstart/Exchange)
Neighbor States
• Down (no hello received; the state after clearing or starting a new OSPF process)
• Init (hello received, but our own RID is not yet listed in it)
• 2-Way (bidirectional; DR/BDR elected on multi-access networks)
• Exstart (master/slave negotiation)
– The master sends the first database description packets (they contain link-state advertisement (LSA) headers only)
– The higher router ID becomes master
• Exchange (the LSDBs are described to each other; use ip ospf mtu-ignore to avoid MTU problems)
• Loading – LSR (request) ----- LSU (updates)
• Full (database synchronized and all routes have been exchanged)
Electing the DR and BDR
• Hello packets are exchanged via IP multicast
• The router with the highest OSPF priority is selected as the DR
• The OSPF router ID is the tie breaker
– The RID is the configured router-id, otherwise the highest loopback IP, otherwise the highest interface IP
• The DR election is nonpreemptive
Setting Priority for DR Election
Router(config-if)# ip ospf priority number
• This interface configuration command assigns the OSPF priority to an interface
• Different interfaces on a router may be assigned different values
• The default priority is 1. The range is from 0 to 255
• 0 means the router is a DROTHER; it can't be the DR or BDR
Area Type
• All routers in an OSPF area must have the same area type set or no neighbor will be formed
• Totally stubby and totally NSSA have the 'no-summary' keyword added ONLY on the ABR
• NSSA does not inject a default route automatically. Must configure on the ABR for the default to be sent:
– area 2 nssa default-information-originate

Area type        ABR configuration                              LSA types present in the area                           Area routers
Stub             area X stub                                    1, 2, 3 (including a type 3 default 0.0.0.0)            area X stub
Totally stubby   area X stub no-summary                         1, 2, and a single type 3 default 0.0.0.0               area X stub
NSSA             area X nssa default-information-originate      1, 2, 3, 7 (type 7 default 0.0.0.0 only if configured)  area X nssa
Totally NSSA     area X nssa no-summary                         1, 2, 7, and a single type 3 default 0.0.0.0            area X nssa
Types of OSPF Routers
OSPF Authentication
• Uses either clear text or MD5
• Can be enabled per area (area authentication) or per link (interface authentication)
• If area 0 has authentication, any virtual links must have the same authentication configured
• Watch for extra spaces at the end of your passwords
Area Authentication
• Clear text
r1lab(config)# router ospf 1
r1lab(config-router)# area 0 authentication
r1lab(config)# interface serial 0
r1lab(config-if)# ip ospf authentication-key cisco
• MD5
r1lab(config)# router ospf 1
r1lab(config-router)# area 0 authentication message-digest
r1lab(config)# interface s0
r1lab(config-if)# ip ospf message-digest-key 1 md5 cisco
Link Authentication
• Clear text
r1lab(config)# interface s0
r1lab(config-if)# ip ospf authentication
r1lab(config-if)# ip ospf authentication-key cisco
• MD5
r1lab(config)# interface s0
r1lab(config-if)# ip ospf authentication message-digest
r1lab(config-if)# ip ospf message-digest-key 1 md5 cisco
Virtual Links
• Avoid in the real world
• Used to connect an area to the backbone through another area – an extension of area 0
• Configuration uses the router-id of the far-end ABR
• If authentication is configured on area 0 it must also be configured on the virtual link and on the far-side router
• Needed in two cases
– Discontiguous area 0
– Router touching two areas, but not area 0
• Use Area Border Routers as endpoints
Virtual Link Authentication
• Clear text
r1lab(config)# router ospf 1
r1lab(config-router)# area 1 virtual-link 2.2.2.2 authentication-key cisco
• MD5
r1lab(config)# router ospf 1
r1lab(config-router)# area 1 virtual-link 2.2.2.2 message-digest-key 1 md5 cisco
• Remember that the far side of the virtual link must know what type of authentication area 0 is using
• A VL cannot traverse a stub area
• If you are required to traverse a VL to area 0 you must negate capability transit (no capability transit)
Connecting a Non-Backbone Area Through a Stub Area
• A Generic Routing Encapsulation (GRE) tunnel allows you to connect a discontiguous area to the backbone through a stub area, where a virtual link is not allowed
• GRE adds packet overhead due to the tunnel header
OSPF New Features
• Max LSA (internal)

OSPF New Features Cont.
• Maximum prefixes (networks)

OSPF New Features Cont.
• Prevent an OSPF router from being transit
• Max metric uses 64000 – 65535 (16 bits)
OSPF Summarization
• Two ways to summarize
– area range is used to summarize between OSPF areas. Always done on an ABR
  area 2 range 100.5.50.0 255.255.255.0
– summary-address is used to summarize external routes redistributed into OSPF. Always done on an ASBR
  summary-address 100.5.50.0 255.255.255.0
• Either one injects a Null0 discard route for the summary into the routing table. If the task requires you to get rid of the Null0 route:
  no discard-route internal – used with area range
  no discard-route external – used with summary-address
Configuring Route Summarization
router(config-router)# area area-id range address mask
• Consolidates inter-area (IA) routes on an ABR
router(config-router)# summary-address address mask [not-advertise] [tag tag]
• Consolidates external routes, usually on an ASBR
Filtering in OSPF
• A distribute list works inbound only and filters what enters the routing table; it cannot stop LSAs, so the LSDB and what is flooded onward are unchanged
Break Area 0
• R1 and R2 have full knowledge of the Area 0 routes while R3 and R4 have no knowledge of them

Prevent type 7 to 5 routes from Area 0
SESSION 9 BGP
BGP
• Outline
–Operation
–State
–Attributes
–Order/Preference
–Aggregation
–Security
–Peer Groups
–Dampening
iBGP Full Mesh Requirement
• All BGP speakers within an AS must be connected together in a full mesh, because a route learned from one iBGP peer is not passed on to another iBGP peer. For n BGP speakers within an AS that requires n*(n-1)/2 unique iBGP sessions
• If not meshed, routes must be redistributed into and synchronized with the IGP
• Route reflectors and confederations may be used to avoid the full mesh requirement or redistribution
BGP Route Reflector
• Scales well, unlike a full mesh
• Optionally, peer groups could be used to save configuration on the route reflector
r1lab(config-router)# neighbor 1.1.1.2 update-source loopback 0
r1lab(config-router)# neighbor 1.1.1.2 next-hop-self
r1lab(config-router)# neighbor 1.1.1.2 distribute-list 1 out
r1lab(config-router)# neighbor 1.1.1.2 route-reflector-client
r1lab(config-router)# neighbor 1.1.2.2 update-source loopback 0
r1lab(config-router)# neighbor 1.1.2.2 next-hop-self
r1lab(config-router)# neighbor 1.1.2.2 distribute-list 1 out
r1lab(config-router)# neighbor 1.1.2.2 route-reflector-client

Route Reflector
BGP Confederations
• Splits one AS into many smaller sub-AS's, usually numbered from the private range
– Private AS numbers are 64512 – 65535
• Connections between the sub-AS's are treated as special eBGP connections (next hop, local preference and MED are preserved across them)
• External AS's only see the public AS – they are not aware of the sub-AS's inside

Confederation
(Diagram: a confederation made of sub-AS 6502 and sub-AS 6503)

Manual Confederation
• Uses a private AS for iBGP and the public AS for eBGP
• Need to remove the private AS information towards external peers (neighbor ... remove-private-as)
Basic BGP Configuration
• Neighbors must be configured on both sides
• Neighbors must be directly connected or have a specific IGP route (a default route will not work) to the neighbor
• Neighbors in the same AS are iBGP – iBGP will go 255 hops by default to find a neighbor
• Neighbors in different AS's are eBGP – eBGP will only go 1 hop to find a neighbor
  neighbor 1.1.1.1 ebgp-multihop <1-255> (needs an IGP or static route to the peer)
• If you use a loopback to neighbor, don't forget to change the update source – BGP expects the directly connected interface to be the update source unless you specify
  neighbor 1.1.1.1 update-source loopback 0
• Advertised networks must have an exact match in the routing table in order for BGP to advertise the route
State
• Idle
• Connect (TCP session being set up)
• Active (the TCP connect failed; the retry timer is running, after which BGP goes back to Connect or Idle)
• OpenSent (OPEN sent; the version must be 4)
• OpenConfirm
• Established

Neighbors
Synchronization Example
• An IGP is running only on routers B and C
• 31.106.0.0 will not appear in D's IP routing table
(Diagram: AS 40, AS 45 and AS 50; routers A, B, C, D, E and F joined by eBGP and iBGP; network 31.106.0.0)
Synchronization Problem
• An eBGP-learned route cannot be installed in the routing table of iBGP-connected routers until the route has already been learned by the IGP connecting these routers
• It is almost always recommended to disable synchronization; otherwise you need to redistribute the eBGP routes directly into the IGP
r1lab(config)# router bgp 10
r1lab(config-router)# no synchronization
Next Hop
• The IGP should carry a route to the next hops
• Recursive route look-up
• Decouples BGP from the actual physical topology
• If an iBGP router does not have a route to the eBGP next hop, next-hop-self can be used on the router that holds the eBGP session so that it advertises itself as the next hop to its iBGP neighbors
Next Hop Example
(Diagram: routers A, B, D and F; A and B peer over iBGP on 1.1.1.1 / 1.1.1.2; eBGP peerings; F is 20.2.2.1/24; network 31.106.0.0)
• B does not advertise network 20.2.2.0 to A
• A will not install network 31.106.0.0 in its routing table since A does not know how to reach the next hop (20.2.2.1)
Next-Hop-Self Problem
• An eBGP-learned route cannot be installed in the IP routing table of iBGP-connected routers unless the route's next-hop address is reachable
r1lab(config)# router bgp 10
r1lab(config-router)# neighbor 10.1.1.2 next-hop-self
• eBGP neighbors always advertise themselves as the "next hop" for any routes sent
• iBGP neighbors retain the original advertiser's address as the next hop
• The issue with next-hop information is whether or not that next hop (the eBGP neighbor address) is reachable by every iBGP neighbor
Transit AS
• If an AS has 2 or more connections to the Internet, by default some traffic not destined for your AS may pass through your routers
• Two ways to stop this (explained later)
–AS-Path access-lists
–Communities
206206206© 2007 Network Learning, Inc.
BGP Characteristics
• Distance-vector protocol with enhancements:
–Reliable updates
–Triggered updates only
–Rich metrics (called path attributes)
• Designed to scale to huge internetworks
207207207© 2007 Network Learning, Inc.
BGP Path Attributes
• BGP metrics are called path attributes
• BGP attributes are categorized as well-known and optional
• Well-known attributes must be recognized by all compliant implementations
• Optional attributes are only recognized by some implementations (could be private), expected not to be recognized by everyone
208208208© 2007 Network Learning, Inc.
Well-Known BGP Attributes
• Well-known attributes are divided into mandatory and discretionary
• Well-known mandatory attributes must be present in all update messages
• Well-known discretionary attributes are optional - they could be present in update messages
• All well-known attributes are propagated to other neighbors
209209209© 2007 Network Learning, Inc.
WELL-KNOWN, MANDATORY
• AS-path: A list of the Autonomous System (AS) numbers that a route passes through to reach the destination. As the update leaves an AS, that AS number is inserted at the beginning of the list, so the AS-path is a reverse-order list of the ASes passed through to get to the destination.
• Next-hop: The next-hop address that is used to reach the destination.
• Origin: Indicates how BGP learned a particular route. There are three possible types -- IGP (route is internal to the AS), EGP (learned via EBGP), or Incomplete (origin unknown or learned in a different way).
210210210© 2007 Network Learning, Inc.
WELL-KNOWN, DISCRETIONARY
• Local Preference: Defines the preferred exit point from the local AS for a specific route.
• Atomic Aggregate: Set when a router advertises an aggregate that causes path attribute information to be lost.
211211211© 2007 Network Learning, Inc.
Optional BGP Attributes
• Optional BGP attributes are transitive or non-transitive
• Optional transitive attributes
–Aggregator: Specifies the router ID and AS of the router that originated an aggregate prefix. Used in conjunction with the atomic aggregate attribute.
–Community: Used to group routes that share common properties so that policies can be applied at the group level.
• Optional non-transitive attributes
–Multi-exit-discriminator (MED): Indicates the preferred path into an AS to external neighbors when multiple paths exist.
• Recognized optional attributes are propagated to other neighbors based on their meaning (not constrained by transitive bit)
212212212© 2007 Network Learning, Inc.
Priority of Attributes
1. If the path specifies a next hop that is inaccessible, drop the update.
2. Prefer the path with the largest weight.
3. If the weights are the same, prefer the path with the largest local preference.
4. If the local preferences are the same, prefer the path that was originated by BGP running on this router.
5. If no route was originated, prefer the route that has the shortest AS_path.
6. If all paths have the same AS_path length, prefer the path with the lowest origin type (where IGP is lower than EGP, and EGP is lower than incomplete).
7. If the origin codes are the same, prefer the path with the lowest MED attribute.
8. If the paths have the same MED, prefer the external path over the internal path.
9. If the paths are still the same, prefer the path through the closest IGP neighbor.
10. Prefer the path with the lowest IP address, as specified by the BGP router ID.
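The ten steps above, applied to constructed candidate paths, as an added example (this is illustrative code written for this page, not the IOS implementation or course material). The path names, next hops, attribute values and the reachability set are made up; step 1 is modelled as a membership test against that set.

```python
"""Simplified BGP best-path selection following the ten decision steps."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Step 6 orders origin codes: IGP (i) < EGP (e) < incomplete (?)
ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}


@dataclass
class Path:
    name: str                       # label used only in the sample data
    next_hop: str
    weight: int = 0                 # Cisco-local, never propagated
    local_pref: int = 100           # default local preference
    locally_originated: bool = False
    as_path: List[int] = field(default_factory=list)
    origin: str = "i"
    med: int = 0                    # default MED
    external: bool = True           # True = learned via eBGP
    igp_metric: int = 0             # IGP cost to reach next_hop
    router_id: str = "0.0.0.0"


def _ip_key(addr: str) -> Tuple[int, ...]:
    """Order dotted-quad router IDs numerically, not lexically."""
    return tuple(int(octet) for octet in addr.split("."))


def _rank(p: Path) -> tuple:
    """Steps 2-10 as one sort key: the smallest tuple is the best path."""
    return (
        -p.weight,                          # 2: largest weight
        -p.local_pref,                      # 3: largest local preference
        0 if p.locally_originated else 1,   # 4: originated on this router
        len(p.as_path),                     # 5: shortest AS_path
        ORIGIN_RANK[p.origin],              # 6: lowest origin type
        p.med,                              # 7: lowest MED
        0 if p.external else 1,             # 8: eBGP over iBGP
        p.igp_metric,                       # 9: closest IGP neighbor
        _ip_key(p.router_id),               # 10: lowest router ID
    )


def best_path(paths: List[Path], reachable_next_hops: set) -> Optional[Path]:
    """Return the winning path, or None if no next hop is reachable."""
    # Step 1: a path whose next hop is inaccessible is dropped outright.
    candidates = [p for p in paths if p.next_hop in reachable_next_hops]
    if not candidates:
        return None
    return min(candidates, key=_rank)


def deciding_step(paths: List[Path], reachable_next_hops: set) -> Tuple[Optional[str], int]:
    """Return (winner name, step number) for the first step that separated
    the winner from the runner-up.  Step 1 is reported when at most one
    path survives the next-hop check."""
    candidates = sorted((p for p in paths if p.next_hop in reachable_next_hops), key=_rank)
    if len(candidates) < 2:
        return (candidates[0].name if candidates else None), 1
    for index, (a, b) in enumerate(zip(_rank(candidates[0]), _rank(candidates[1]))):
        if a != b:
            return candidates[0].name, index + 2    # key position 0 is step 2
    return candidates[0].name, 10                   # identical keys; first wins


def sample_paths() -> Tuple[List[Path], set]:
    """Constructed sample: three paths to the same prefix."""
    paths = [
        # Highest weight, but its next hop is not in the routing table.
        Path("A", next_hop="10.0.0.9", weight=50000, as_path=[100]),
        # Default local preference, shortest AS_path.
        Path("B", next_hop="10.0.0.1", as_path=[100, 200], router_id="1.1.1.1"),
        # Higher local preference wins at step 3 despite the longer AS_path.
        Path("C", next_hop="10.0.0.2", local_pref=200, as_path=[100, 300, 400],
             router_id="2.2.2.2"),
    ]
    return paths, {"10.0.0.1", "10.0.0.2"}


if __name__ == "__main__":
    paths, reachable = sample_paths()
    print(best_path(paths, reachable).name, deciding_step(paths, reachable))
```

Running the sample shows why the largest weight alone does not win: path A is discarded at step 1 before weight is ever compared, and C beats B at step 3 even though B has the shorter AS_path.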
213213213© 2007 Network Learning, Inc.
Weight
• The weight attribute is a Cisco-defined attribute used for the path selection process. The weight is configured locally on a router and is not propagated to any other routers.
214214214© 2007 Network Learning, Inc.
Origin
• The origin attribute indicates how BGP learned about a particular route. The origin attribute can have one of three possible values:
–IGP—The route is interior to the originating AS. This value is set when the network router configuration command is used to inject the route into BGP. [0] i
–EGP—The route is learned via the Exterior Border Gateway Protocol (EGP). [1] e
–Incomplete—The origin of the route is unknown or learned in some other way. An origin of incomplete occurs when a route is redistributed into BGP. [?]
215215215© 2007 Network Learning, Inc.
AS-Path
• The AS-path attribute is empty when a local route is inserted in the BGP table
• The sender’s AS number is prepended to the AS-path attribute when the routing update crosses AS boundary
• The receiver of BGP routing information can use the AS-path to determine through which AS the information has passed
• An AS that receives routing information with its own AS number in the AS-path silently ignores the information
• AS-path prepending can be used to influence path selection (as a metric):
route-map prepend permit 10
 match ip address 1
 set as-path prepend 100 100 100
216216216© 2007 Network Learning, Inc.
Next-Hop Attribute
• Next-hop attribute indicates the next-hop IP address used for packet forwarding
• Usually set to the IP address of the sending BGP router
217217217© 2007 Network Learning, Inc.
Multi-Exit Discriminator Attribute
• The multi-exit discriminator (MED) or metric attribute is used as a suggestion to an external AS regarding the preferred route into the AS that is advertising the metric.
• Only works between directly connected ASes; it is not transitive
• Default MED 0
218218218© 2007 Network Learning, Inc.
Local Preference
• The local preference attribute is used to prefer an exit point from the local autonomous system (AS). Unlike the weight attribute, the local preference attribute is propagated throughout the local AS. If there are multiple exit points from the AS, the local preference attribute is used to select the exit point for a specific route.
• Default Local Preference 100
219219219© 2007 Network Learning, Inc.
Atomic aggregate
• The atomic aggregate attribute indicates to the receiver that it must not "deaggregate" the prefix, because some of the granularity of the AS paths may have been lost when the aggregate was created, and deaggregation could introduce loops.
• Border Gateway Protocol (BGP) allows the aggregation of specific routes into one route with the aggregate-address address mask [as-set] [summary-only] [suppress-map map-name] [advertise-map map-name] [attribute-map map-name] command. When you issue the aggregate-address command without any options, the aggregate does not inherit the individual routes’ attributes (such as AS_PATH or community)
220220220© 2007 Network Learning, Inc.
Aggregator
• AGGREGATOR is an optional transitive attribute of length 6. The attribute contains the last AS number that formed the aggregate route (encoded as 2 octets), followed by the IP address of the BGP speaker that formed the aggregate route (encoded as 4 octets). This SHOULD be the same address as the one used for the BGP Identifier of the speaker.
• Created from enabling AS-Set
221221221© 2007 Network Learning, Inc.
Communities
• RFC1997, RFC1998
• Optional attribute
• Range: 0 to 4,294,901,760
• Method to group destinations into communities and apply routing decisions (accept, prefer, redistribute, etc.) using route-maps
• Route maps are used to set the community attribute. Predefined community attributes are listed here:
–no-export—Do not advertise this route to EBGP peers.
–no-advertise—Do not advertise this route to any peer.
–internet—Advertise this route to the Internet community; all routers in the network belong to it.
–local-AS — Use in confederation scenarios to prevent sending packets outside the local autonomous system (AS).
• Communities are AS specific and are stripped when transiting an AS
222222222© 2007 Network Learning, Inc.
Originator-ID
• Originator-ID is an optional, nontransitive BGP attribute. It is a 4-byte attribute created by a route reflector. The attribute carries the router ID of the originator of the route in the local autonomous system. Therefore, if a misconfiguration causes routing information to come back to the originator, the information is ignored.
223223223© 2007 Network Learning, Inc.
Cluster List
• Cluster-list is an optional, nontransitive BGP attribute. It is a sequence of cluster IDs that the route has passed. When a route reflector reflects a route from its clients to nonclient peers, and vice versa, it appends the local cluster ID to the cluster-list. If the cluster-list is empty, it creates a new one. Using this attribute, a route reflector can identify if routing information is looped back to the same cluster due to misconfiguration. If the local cluster ID is found in the cluster-list, the advertisement is ignored.
224224224© 2007 Network Learning, Inc.
BGP Path Attribute Summary
Well-known mandatory attributes
–Recognized by everyone, always present
–AS-Path, Next-Hop, Origin
Well-known discretionary
–Recognized by everyone, optional
–Local Preference, Atomic Aggregate
Optional transitive
–Might not be recognized, propagated if not
–BGP Community, Aggregator
Optional non-transitive
–Might not be recognized, dropped if not
–Multi-exit-discriminator
225225225© 2007 Network Learning, Inc.
Announcing Networks in BGP
• Only administratively defined networks are announced in BGP
–Manually configure networks to be announced with the network command (network mask)
–Use redistribution from IGP
–Use aggregation to announce summary prefixes
226226226© 2007 Network Learning, Inc.
Manually Announce Classless Prefix in BGP
router(config-router)#
network ip-prefix-address mask subnet-mask
• Configures a classless prefix to be advertised into BGP
• The prefix must exactly match an entry in the IP forwarding table
• Hint: use a static route to null 0 to create a matching prefix in the IP forwarding table
227227227© 2007 Network Learning, Inc.
Redistributing Routes from IGP
• Easier than listing networks in BGP process in large networks
• Redistributed routes carry origin-attribute ‘incomplete’
• Always filter redistributed routes to prevent route leaking
228228228© 2007 Network Learning, Inc.
Aggregating BGP Networks
• Summarization is called aggregation in BGP
–Aggregation creates summary routes (called aggregates) from networks already in the BGP table
–Individual networks could be announced or suppressed
229229229© 2007 Network Learning, Inc.
Configuring Aggregation
router(config)#
router bgp as-number
 aggregate-address address-prefix mask
• Specify aggregation range in BGP routing process
• The aggregate will be announced if there is at least one network in the specified range in the BGP table
• Individual networks will still be announced in outgoing BGP updates
230230230© 2007 Network Learning, Inc.
Configuring Aggregation
router(config)#
router bgp as-number
 aggregate-address address-prefix mask summary-only
• Configure aggregation of BGP routes
• Advertise only the aggregate and not the individual networks
• Benefits:
–Smaller BGP routing tables
–More stable internetworks (less route flapping)
• Drawbacks:
–Problems with multi-homed customers
231231231© 2007 Network Learning, Inc.
Configuring Aggregation with other options
• Summary plus AS path (as-set): prevents loops in the summary
232232232© 2007 Network Learning, Inc.
Aggregate cont.
• Other options that can be enabled are:
–Attribute maps are used to set the attributes of the aggregate route, since by default the attributes of the original routes are used when summarized
–Advertise maps allow the aggregate to inherit the attributes from the specific networks identified in the advertise map. Note that the attribute map overrides the advertise map
–Suppress maps override the summary-only keyword and suppress only the routes matched by the suppress map
–Un-suppress maps selectively un-suppress networks suppressed by a suppress-map
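How the aggregate’s attributes are built from the specifics, with and without as-set and summary-only, and why the AS_SET provides the loop prevention mentioned on the previous slide, as an added example (illustrative code written for this page, not the IOS implementation). The prefixes, AS paths, local AS and router ID are constructed, and the suppress map is simplified to a set of prefixes rather than a route-map.

```python
"""Aggregate-address behaviour modelled on a small BGP table."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Route:
    prefix: str
    as_path: List[int] = field(default_factory=list)
    as_set: Set[int] = field(default_factory=set)
    atomic_aggregate: bool = False
    aggregator: Optional[tuple] = None      # (AS number, router ID)
    suppressed: bool = False                # not sent in outgoing updates


def aggregate(table: List[Route], summary: str, local_as: int, router_id: str,
              as_set: bool = False, summary_only: bool = False,
              suppress: Optional[Set[str]] = None) -> Optional[Route]:
    """Create the aggregate if at least one more-specific route is in the
    table, and mark specifics suppressed per summary-only / suppress set."""
    net = ipaddress.ip_network(summary)
    specifics = [r for r in table
                 if ipaddress.ip_network(r.prefix).subnet_of(net)
                 and ipaddress.ip_network(r.prefix) != net]
    if not specifics:
        return None
    agg = Route(summary, aggregator=(local_as, router_id))
    if as_set:
        # AS_SET: unordered union of every AS seen in the specifics, so an AS
        # that contributed a specific will see itself and drop the summary.
        agg.as_set = set().union(*(set(r.as_path) | r.as_set for r in specifics))
    else:
        # Without as-set the path information is lost: AS_PATH is empty and
        # ATOMIC_AGGREGATE tells receivers not to deaggregate.
        agg.atomic_aggregate = True
    for r in specifics:
        r.suppressed = summary_only or (suppress is not None and r.prefix in suppress)
    return agg


def advertised(table: List[Route], agg: Optional[Route]) -> List[str]:
    """Prefixes that leave in outgoing updates."""
    out = [r.prefix for r in table if not r.suppressed]
    if agg is not None:
        out.append(agg.prefix)
    return out


def accepted_by(route: Route, receiving_as: int) -> bool:
    """A receiver that finds its own AS number in AS_PATH or AS_SET ignores
    the update; that is the loop prevention the as-set option provides."""
    return receiving_as not in route.as_path and receiving_as not in route.as_set


def sample_table() -> List[Route]:
    """Constructed BGP table: two specifics under 10.1.0.0/16, one outside."""
    return [
        Route("10.1.1.0/24", as_path=[100, 200]),
        Route("10.1.2.0/24", as_path=[300]),
        Route("192.0.2.0/24", as_path=[400]),
    ]


if __name__ == "__main__":
    table = sample_table()
    agg = aggregate(table, "10.1.0.0/16", 10, "1.1.1.1", as_set=True, summary_only=True)
    print(agg.as_set, advertised(table, agg), accepted_by(agg, 200))
```

With as-set the summary carries {100, 200, 300}, so AS 200 rejects it; without as-set the summary has an empty AS_PATH and only the atomic-aggregate flag warns receivers that path detail was lost.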
233233233© 2007 Network Learning, Inc.
Configuring BGP Communities
• BGP communities are configured in the following steps:
–Configure route tagging with BGP communities
–Configure BGP community propagation
–Define BGP community access-lists (community-lists) to match BGP communities
–Configure route-maps that match on community-lists and filter routes or set other BGP attributes
–Apply route-maps to incoming or outgoing updates
234234234© 2007 Network Learning, Inc.
Community Setting Through Route-Map
router(config)#
route-map name
 match condition
 set community value [value …] [additive]
• Route tagging with communities is always done with a route-map
• Any number of communities can be specified
• Communities specified in the set keyword overwrite existing communities unless you specify the additive option
235235235© 2007 Network Learning, Inc.
Attaching Communities to a Route
neighbor ip-address route-map map in | out
router(config-router)#
• Applies a route-map to inbound or outbound BGP updates
• The route-map can set BGP communities or other BGP attributes
redistribute protocol route-map map
router(config-router)#
• Applies a route-map to redistributed routes
236236236© 2007 Network Learning, Inc.
Configure Community Propagation
neighbor ip-address send-community
router(config-router)#
• By default, communities are stripped in outgoing BGP updates
• Community propagation to BGP neighbors has to be manually configured
• BGP peer groups are ideal for configuring BGP community propagation toward a large number of neighbors
237237237© 2007 Network Learning, Inc.
Related Commands
set community none – removes all community attributes
set comm-list delete – removes specific communities:
ip community-list 1 permit 200:100
route-map REM_COM permit 10
 set comm-list 1 delete
set community additive – appends to existing communities:
set community 450 additive
ip community-list 1 permit 200:10 – matches any route that has 200:10 as one of its communities
ip community-list list-number permit 200:10 100:10 – matches any route that has either or both communities
ip community-list list-number permit 200:10 100:10 exact-match – matches only those routes that are members of both communities
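The community operations on this slide and the previous ones (set, additive, none, comm-list delete, and community-list matching with and without exact-match) modelled in Python, as an added example written for this page rather than taken from the course or from IOS. Matching semantics follow the slide’s description: a plain entry matches a route carrying any of the listed communities, and exact-match requires the route’s community set to equal the listed set (all of them and nothing else). The well-known values are the RFC 1997 reserved numbers; the route contents are constructed, and comm-list delete is simplified to honour permit entries only.

```python
"""BGP community values and route-map / community-list operations."""
from typing import Iterable, List, Set, Tuple

# Well-known communities (RFC 1997) and their reserved 32-bit values.
WELL_KNOWN = {
    "internet": 0x00000000,
    "no-export": 0xFFFFFF01,
    "no-advertise": 0xFFFFFF02,
    "local-AS": 0xFFFFFF03,
}


def parse_community(text: str) -> int:
    """Accept 'ASN:VALUE', a plain decimal number, or a well-known name."""
    if text in WELL_KNOWN:
        return WELL_KNOWN[text]
    if ":" in text:
        asn, value = (int(part) for part in text.split(":", 1))
        if not (0 <= asn <= 0xFFFF and 0 <= value <= 0xFFFF):
            raise ValueError(f"community out of range: {text}")
        return (asn << 16) | value
    return int(text)


def format_community(value: int) -> str:
    """Render as ASN:VALUE, or as the well-known name if it is one."""
    for name, known in WELL_KNOWN.items():
        if known == value:
            return name
    return f"{value >> 16}:{value & 0xFFFF}"


def set_community(existing: Set[int], values: Iterable[str],
                  additive: bool = False) -> Set[int]:
    """'set community value ... [additive]': overwrite unless additive."""
    new = {parse_community(v) for v in values}
    return (existing | new) if additive else new


def set_community_none(existing: Set[int]) -> Set[int]:
    """'set community none': strip every community."""
    return set()


CommList = List[Tuple[str, List[str]]]   # [(action, [communities...]), ...]


def community_list_matches(comm_list: CommList, route: Set[int],
                           exact: bool = False) -> bool:
    """First matching entry decides; a route matched by nothing is denied."""
    for action, members in comm_list:
        listed = {parse_community(m) for m in members}
        hit = (route == listed) if exact else bool(route & listed)
        if hit:
            return action == "permit"
    return False


def comm_list_delete(comm_list: CommList, route: Set[int]) -> Set[int]:
    """'set comm-list N delete': remove communities named by permit entries
    (simplified: deny entries are ignored)."""
    permitted: Set[int] = set()
    for action, members in comm_list:
        if action == "permit":
            permitted |= {parse_community(m) for m in members}
    return route - permitted


if __name__ == "__main__":
    route = set_community(set(), ["200:100", "no-export"])
    route = set_community(route, ["450"], additive=True)
    print(sorted(format_community(c) for c in route))
    print(comm_list_delete([("permit", ["200:100"])], route))
```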
238238238© 2007 Network Learning, Inc.
AS Path Filtering
• Several scenarios require BGP route filtering based on AS-path
–Announce only local routes to the ISP - AS-path needs to be empty
–Select routes based on a specific AS-number in the AS-path
–Accept routes for specific AS only from some BGP neighbors
• AS-path filters use regular expressions
239239239© 2007 Network Learning, Inc.
Regular Expressions: Ranges and Wildcard Characters
• A range of characters matches any single character in the range, for example [1234] or [1-4]
• dot (.) matches any single character
240240240© 2007 Network Learning, Inc.
Regular Expressions: Matching Delimiters
^ matches beginning of string
$ matches end of string
_ matches any delimiter (beginning, end, whitespace, tab, comma)
241241241© 2007 Network Learning, Inc.
Regular Expressions: Repeating Operators
* matches zero or more instances
? matches zero or one instances
+ matches one or more instances
242242242© 2007 Network Learning, Inc.
Sample Regular Expressions
• _100_ – going through AS 100
• ^100$ – directly connected to AS 100
• _100$ – originated in AS 100
• ^100_.* – networks behind AS 100
• ^[0-9]+$ – AS paths one AS long
• ^$ – networks originated in the local AS
• .* – matches everything
243243243© 2007 Network Learning, Inc.
Regular Expression Examples
• Routes originated from a directly connected AS ( 5 ).
^5$
• Routes that passed through AS 6.
_6_
• Routes that originated in AS 7.
_7$
• Routes that originated in an odd AS.
[1,3,5,7,9]$
• Routes that originated in AS 3, or in an AS directly attached to AS 3.
^3_[0-9]*$
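The expressions from these two slides evaluated against constructed AS paths, as an added example written for this page (not course material). IOS’s `_` is not a standard regex token, so the block translates it to “start of string, end of string, or a delimiter character” before handing the pattern to Python’s re module; that translation, the as-path access-list evaluation and the sample paths are this example’s own.

```python
"""Evaluate IOS-style AS-path regular expressions and filter lists."""
import re
from typing import List, Tuple

# In IOS, `_` matches the beginning or end of the string or a delimiter:
# space, comma, tab, braces and parentheses (the last four surround AS_SET
# and confederation segments in the AS-path display).
_DELIM = r"(?:^|$|[ ,\t{}()])"


def ios_to_python(expr: str) -> str:
    """Translate the IOS dialect to a Python pattern (only `_` differs)."""
    return expr.replace("_", _DELIM)


def as_path_matches(expr: str, as_path: str) -> bool:
    """True if the IOS expression matches anywhere in the AS-path string."""
    return re.search(ios_to_python(expr), as_path) is not None


def apply_as_path_filter(entries: List[Tuple[str, str]], as_path: str) -> bool:
    """Evaluate an ip as-path access-list: the first matching entry decides,
    and a path matched by no entry is denied, as with any IOS access list."""
    for action, expr in entries:
        if as_path_matches(expr, as_path):
            return action == "permit"
    return False


# The slides' sample expressions paired with constructed AS paths and the
# result each one should give.
SAMPLES = [
    ("_100_",        "200 100 300", True),   # passed through AS 100 ...
    ("_100_",        "1000",        False),  # ... but AS 1000 is not AS 100
    ("^100$",        "100",         True),   # directly connected and originated there
    ("^100$",        "100 200",     False),
    ("_100$",        "200 100",     True),   # originated in AS 100
    ("^100_.*",      "100 200",     True),   # networks behind AS 100
    ("^100_.*",      "100",         True),   # caveat: AS 100's own networks too
    ("^[0-9]+$",     "100",         True),   # exactly one AS long
    ("^[0-9]+$",     "100 200",     False),
    ("^$",           "",            True),   # originated locally
    ("[1,3,5,7,9]$", "100 23",      True),   # originated in an odd AS
    ("[1,3,5,7,9]$", "100 24",      False),
    ("^3_[0-9]*$",   "3 45",        True),   # directly attached to AS 3
    ("^3_[0-9]*$",   "3",           True),   # or AS 3 itself
    ("^3_[0-9]*$",   "3 45 67",     False),
]


def check_samples() -> bool:
    """Return True if every sample evaluates as annotated."""
    return all(as_path_matches(e, p) == expected for e, p, expected in SAMPLES)


if __name__ == "__main__":
    for expr, path, expected in SAMPLES:
        print(f"{expr:14} {path!r:14} -> {as_path_matches(expr, path)}")
```

Two points worth noticing from the table: `^100_.*` also matches a path consisting of AS 100 alone, since `_` matches the end of the string, and `_6_` is needed rather than `6` because a bare `6` would also match inside AS 60 or AS 600.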
244244244© 2007 Network Learning, Inc.
Configuring BGP AS-path Filters
ip as-path access-list number permit|deny regexp
router(config)#
• Configures AS-path access list
neighbor ip-address filter-list as-path-filter in|out
router(config-router)#
• Configures inbound or outbound AS-path filter for specified BGP neighbor
245245245© 2007 Network Learning, Inc.
Conditional Route Injection
• Used to inject a more specific route into BGP based on the existence of an aggregate route, or to originate a default route based on the existence of a particular route
246246246© 2007 Network Learning, Inc.
BGP Authentication
• Authentication is MD5
• Configured on a per-neighbor basis:
r1lab(config)# router bgp 10
r1lab(config-router)# neighbor 2.2.2.2 remote-as 10
r1lab(config-router)# neighbor 2.2.2.2 password CISCO
r2(config)# router bgp 10
r2(config-router)# neighbor 1.1.1.1 remote-as 10
r2(config-router)# neighbor 1.1.1.1 password CISCO
247247247© 2007 Network Learning, Inc.
BGP Route Flap Dampening Goals
• Minimize the amount of BGP update processing in the Internet
• Do not suppress routes that occasionally flap
• Suppress routes that are likely to flap in the future based on the history of their behavior
Flap = removal of a route
Suppress = do not use a route after it reappears
248248248© 2007 Network Learning, Inc.
Route Flap Dampening Implementation
• Every time an eBGP route flaps it gets 1000 penalty points (iBGP routes are not dampened)
• The penalty placed on a route is decayed using the exponential decay algorithm
• When the penalty exceeds “suppress limit”, the route is dampened (no longer used or propagated to other neighbors)
• A dampened route is propagated when the penalty drops below “reuse limit”
249249249© 2007 Network Learning, Inc.
Route Flap Dampening Implementation
• Flap history is forgotten when the penalty drops below half of “reuse limit”
• The route is never dampened for more than “max-suppress” time
• An unreachable route with flap history is put in “history state” - it stays in the BGP table but only to maintain the flap history
• A penalty is applied on the individual path in the BGP table, not on the IP prefix
250250250© 2007 Network Learning, Inc.
Configuring BGP Route Flap Dampening
bgp dampening [half-time [reuse-limit suppress-limit max-suppress]] [route-map route-map]
router(config-router)#
Configures BGP route flap dampening. Parameter meaning:
–half-time: exponential decay half-time (time in which the penalty is halved)
–suppress-limit: penalty value at which the route starts to be dampened
–reuse-limit: penalty value at which the dampened route is reused
–max-suppress: maximum suppression time
–route-map: dampening parameters are specified with a route-map
251251251© 2007 Network Learning, Inc.
Default BGP Dampening Parameter Values
The following default dampening parameter values are used if you don’t specify them:
– half-time 15 minutes
– per-flap penalty 1,000 (non-configurable)
– suppress limit 2,000
– reuse limit 750
– max-suppress-time 60 minutes
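The penalty arithmetic behind the three dampening slides, using the default values listed above, as an added example written for this page (illustrative code, not the IOS implementation). The flap timelines are constructed; the decay is computed continuously rather than with the platform’s internal decay tables.

```python
"""BGP route flap dampening: penalty decay, suppression and reuse."""
import math
from typing import Dict, List, Optional


def decay(penalty: float, minutes: float, half_time: float = 15.0) -> float:
    """Exponential decay: the penalty halves every half_time minutes."""
    return penalty * 0.5 ** (minutes / half_time)


def minutes_until(penalty: float, limit: float, half_time: float = 15.0) -> float:
    """Minutes until a decaying penalty falls to `limit` (0 if already below)."""
    if penalty <= limit:
        return 0.0
    return half_time * math.log2(penalty / limit)


def max_penalty(reuse_limit: float = 750, half_time: float = 15.0,
                max_suppress: float = 60) -> float:
    """Ceiling on the penalty: the value that decays to reuse_limit in exactly
    max_suppress minutes, so no route stays suppressed longer than that."""
    return reuse_limit * 2 ** (max_suppress / half_time)


def simulate(flap_minutes: List[float], half_time: float = 15.0,
             suppress_limit: float = 2000, reuse_limit: float = 750,
             max_suppress: float = 60, flap_penalty: float = 1000) -> Dict[str, object]:
    """Walk a list of flap times (minutes, ascending) for one path and report
    when it was first suppressed, when it becomes reusable again, and when its
    flap history is forgotten (penalty below half the reuse limit)."""
    ceiling = max_penalty(reuse_limit, half_time, max_suppress)
    penalty, last = 0.0, 0.0
    suppressed_at: Optional[float] = None
    history: List[Dict[str, float]] = []
    for t in flap_minutes:
        # Decay what is left since the previous flap, then add this flap's
        # penalty, capped so max-suppress is honoured.
        penalty = min(decay(penalty, t - last, half_time) + flap_penalty, ceiling)
        last = t
        if suppressed_at is None and penalty > suppress_limit:
            suppressed_at = t
        history.append({"minute": t, "penalty": round(penalty, 1)})
    reuse_at = (last + minutes_until(penalty, reuse_limit, half_time)
                if suppressed_at is not None else None)
    forget_at = last + minutes_until(penalty, reuse_limit / 2, half_time)
    return {"history": history, "suppressed_at": suppressed_at,
            "reuse_at": reuse_at, "forget_at": forget_at}


if __name__ == "__main__":
    print(simulate([0, 1, 2]))    # three quick flaps: suppressed at minute 2
    print(simulate([0, 30]))      # two slow flaps: never suppressed
```

With the defaults, the ceiling works out to 750 × 2^(60/15) = 12000, which is why a route that flaps continuously is still reused within the 60-minute max-suppress time once it stabilises.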
252252252© 2007 Network Learning, Inc.
Limiting the Number of Routes Received from a Neighbor
Problem definition:
–A misconfigured BGP neighbor can send a huge number of prefixes that exhaust the router’s memory or overload the CPU (several Internet-wide incidents have already occurred)
–All other filtering mechanisms only specify what we’re willing to accept but not how much
–A new tool is needed to establish a hard limit on the number of prefixes received from a neighbor
253253253© 2007 Network Learning, Inc.
Maximum-Prefix Command
neighbor ip-address maximum-prefix maximum [threshold] [warning-only]
router(config-router)#
• Controls how many prefixes can be received from a neighbor
• Optional threshold parameter specifies the percentage where a warning message is logged (default is 75%)
• Optional warning-only keyword specifies the action on exceeding the maximum number (default is to drop the neighborship)
254254254© 2007 Network Learning, Inc. 254254
End of Day 3 Lecture
255255255© 2007 Network Learning, Inc. 255255
SESSION 9
Multicast
256256256© 2007 Network Learning, Inc.
Multicast
• Outline
–Address
–RPF
–Dense/Sparse
–Source/shared
–Static RP
–Auto-RP
–BSR
–Stub
–M-B-M
–MSDP /Anycast
257257257© 2007 Network Learning, Inc.
Multicast Address Range
258258258© 2007 Network Learning, Inc.
Mapping a MAC Address
259259259© 2007 Network Learning, Inc.
Reverse Path Forwarding
260260260© 2007 Network Learning, Inc.
RPF Calculation
261261261© 2007 Network Learning, Inc.
RPF with two paths
262262262© 2007 Network Learning, Inc.
Multicast Distribution Trees
Dense mode uses a source-based push model that is very chatty
263263263© 2007 Network Learning, Inc.
Shared Distribution Tree
Sparse mode uses a shared tree (pull model)
264264264© 2007 Network Learning, Inc.
Characteristics of Distribution Trees
265265265© 2007 Network Learning, Inc.
Multicast Tree Creation
266266266© 2007 Network Learning, Inc.
Multicast Distribution Tree Example
267267267© 2007 Network Learning, Inc.
Different types of PIM
268268268© 2007 Network Learning, Inc.
PIM Sparse Mode
269269269© 2007 Network Learning, Inc.
How does the network know about the RP?
270270270© 2007 Network Learning, Inc.
Static RPs
271271271© 2007 Network Learning, Inc.
Auto RP
• Uses:
–Intended for PIMv1
–C_RP Candidates
–Mapping Agent (Collects announcements and sends RP discovery messages on 224.0.1.40)
–The RPs announce on 224.0.1.39
–Recommended to locate Can_RP and Mapping Agent on same router
–Uses dense mode to find the RP as a fallback
272272272© 2007 Network Learning, Inc.
Auto RP
273273273© 2007 Network Learning, Inc.
Auto RP Cont.
274274274© 2007 Network Learning, Inc.
Auto-RP configured
275275275© 2007 Network Learning, Inc.
BSR Election
276276276© 2007 Network Learning, Inc.
BSR Overview
PIM join messages that might inadvertently cross the border
277277277© 2007 Network Learning, Inc.
BSR Highest Priority
278278278© 2007 Network Learning, Inc.
Cont.
279279279© 2007 Network Learning, Inc.
BSR Cont.
280280280© 2007 Network Learning, Inc.
Configuring BSR
Hash mask, priority
RP priority
281281281© 2007 Network Learning, Inc.
Anycast – RP Overview
282282282© 2007 Network Learning, Inc.
MSDP
283283283© 2007 Network Learning, Inc.
Anycast RP
284284284© 2007 Network Learning, Inc.
Anycast RP Cont.
285285285© 2007 Network Learning, Inc.
Multicast-Broadcast-Multicast
286286286© 2007 Network Learning, Inc.
IGMP Stub
287287287© 2007 Network Learning, Inc. 287287
SESSION 10
QoS
288288288© 2007 Network Learning, Inc.
QoS
• Outline
–Modular QoS CLI (MQC)
–LLQ
–Police/CAR
–WRED, CBWRED
–Marking
–Shaping, FRTS
–Fragmenting
–NBAR
289289289© 2007 Network Learning, Inc.
MQC Class-maps
• class-map lab (match-all is the default; match-any is the alternative)
• match = classify; criteria that can be matched include:
–Input interface f0/0
–Destination MAC address
–Source MAC address
–fr-de, fr-dlci
–cos, dscp, ip precedence
–any
–access-group
–protocol (NBAR; download PDLMs for additional protocols)
•Requires CEF
•Can run ip nbar protocol-discovery on the interface
–Packet length min or max
290290290© 2007 Network Learning, Inc.
Policy-Map and DSCP
• class lab
–set cos, dscp, ip precedence
• DSCP has 64 different values (“colors”) to mark traffic
• mls qos map dscp-map lab 31 to 41
291291291© 2007 Network Learning, Inc.
CBWFQ
• int f0/0
–max-reserved-bandwidth 100 (75% is the default)
• A policy-map can use kbps or percent but not both
• policy-map voice
–class CONTROL
–bandwidth 1000
–class VOICE
–priority 10000
• Can have 255 classes total
• When a strict priority queue is applied to CBWFQ it is referred to as LLQ
292292292© 2007 Network Learning, Inc.
Police/CAR
Parameters: bits per second, normal burst bytes, maximum burst bytes
• Use on edge routers to classify and/or rate limit traffic
• Can be applied to all traffic or a subset of the traffic selected by an access list
• Configured on an interface
• rate-limit {input | output} bps normal-burst max-burst conform-action action exceed-action action
• rate-limit {input | output} access-group index bps normal-burst max-burst conform-action action exceed-action action
293293293© 2007 Network Learning, Inc.
CBWFQ Architecture Insertion policy
294294294© 2007 Network Learning, Inc.
Applying RED
You can change to DSCP-based WRED with:
random-detect dscp-based
295295295© 2007 Network Learning, Inc.
Configuring WRED on an interface
minimum threshold (number of packets)
maximum threshold (number of packets)
mark probability denominator
When the average queue size is above the minimum threshold, RED starts dropping packets.
The rate of packet drop increases linearly as the average queue size increases, until the average queue size reaches the maximum threshold.
The mark probability denominator is the fraction of packets dropped when the average queue size is at the maximum threshold. For example, one out of every 100 packets is dropped when the average queue size is at the maximum threshold.
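The drop-probability curve just described, together with the exponentially weighted average queue size it is evaluated on, as an added example written for this page (not course material). The threshold values used in the sample calls are constructed; the curve shape (no drops below the minimum threshold, a linear rise to 1/denominator at the maximum threshold, tail drop above it) is the one the slide describes, and the averaging formula uses the IOS exponential weighting constant n, whose default is 9.

```python
"""WRED drop probability and the average queue size it acts on."""
from typing import List, Tuple


def drop_probability(avg_queue: float, min_th: int, max_th: int,
                     mark_prob_denominator: int) -> float:
    """Probability of dropping an arriving packet at this average queue size."""
    if avg_queue < min_th:
        return 0.0                          # below the minimum: no random drops
    if avg_queue > max_th:
        return 1.0                          # above the maximum: tail drop
    max_p = 1.0 / mark_prob_denominator     # 1/denominator at the max threshold
    return max_p * (avg_queue - min_th) / (max_th - min_th)


def update_average(avg: float, current_depth: int, exponent: int = 9) -> float:
    """average = old * (1 - 2^-n) + current * 2^-n.  A large n makes the
    average slow to react, so short bursts pass without triggering drops."""
    weight = 2.0 ** -exponent
    return avg * (1 - weight) + current_depth * weight


def drop_curve(min_th: int, max_th: int, mark_prob_denominator: int,
               step: int = 5) -> List[Tuple[int, float]]:
    """Tabulate the curve from an empty queue to just past the max threshold."""
    return [(q, round(drop_probability(q, min_th, max_th, mark_prob_denominator), 4))
            for q in range(0, max_th + step + 1, step)]


def simulate_burst(depths: List[int], exponent: int = 9) -> float:
    """Feed a sequence of instantaneous queue depths through the average and
    return the final average; shows how little a short burst moves it."""
    avg = 0.0
    for depth in depths:
        avg = update_average(avg, depth, exponent)
    return avg


if __name__ == "__main__":
    print(drop_curve(20, 40, 10))
    print(simulate_burst([100] * 10))       # ten packets' worth of full queue
```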
296296296© 2007 Network Learning, Inc.
Shaping
• Shape
297297297© 2007 Network Learning, Inc.
Shape Peak
• Allows the router to burst (peak) to 64k
• Peak rate = CIR × (1 + Be/Bc)
• Router(config-pmap-c)# shape {average | peak} cir [bc] [be]
• Shape adaptive – reacts to frames with the BECN bit set to 1
• The rate is reduced 25% when a BECN is received; after 16 Tc intervals with no BECNs it is increased by 1/16 each Tc
• Can also use fecn-adapt, so that the router receiving FECNs replies with BECN-marked frames to the sending router.
298298298© 2007 Network Learning, Inc.
Frame Relay Traffic Shaping
• Time Committed (TC) = 125micro
299299299© 2007 Network Learning, Inc.
Network Based Application Recognition (NBAR)
300300300© 2007 Network Learning, Inc.
NBAR Application Support
301301301© 2007 Network Learning, Inc.
Packet Description Language Module
302302302© 2007 Network Learning, Inc.
NBAR Protocol Discovery
303303303© 2007 Network Learning, Inc. 303303
SESSION 11
Others
304304304© 2007 Network Learning, Inc.
NTP
305305305© 2007 Network Learning, Inc.
Optimizing HSRP
306306306© 2007 Network Learning, Inc.
Gateway Load Balancing Protocol (GLBP)
307307307© 2007 Network Learning, Inc.
GLBP Operations
308308308© 2007 Network Learning, Inc.
GLBP Cont.
309309309© 2007 Network Learning, Inc.
Virtual Router Redundancy Protocol (VRRP)
310310310© 2007 Network Learning, Inc.
VRRP Operational Status
311311311© 2007 Network Learning, Inc.
VRRP Configuration
312312312© 2007 Network Learning, Inc.
NAT
313313313© 2007 Network Learning, Inc.
NAT with Access List—Multiple Address Pools
314314314© 2007 Network Learning, Inc.
NAT with Extended Access List Configuration
ip nat pool trusted_pool 192.168.2.1 192.168.2.254 prefix-length 24
ip nat pool untrusted_pool 192.168.3.1 192.168.3.254 prefix-length 24
!
ip nat inside source list 102 pool trusted_pool
ip nat inside source list 103 pool untrusted_pool
!
interface ethernet 0
 ip address 10.1.1.1 255.255.0.0
 ip nat inside
!
interface serial 0
 ip address 172.16.2.1 255.255.255.0
 ip nat outside
!
access-list 102 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 102 permit ip 10.1.1.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 103 permit ip 10.1.1.0 0.0.0.255 any
315315315© 2007 Network Learning, Inc.
Benefits of Route Maps with NAT
316316316© 2007 Network Learning, Inc.
Route Map Configuration
317317317© 2007 Network Learning, Inc.
Verifying NAT
318318318© 2007 Network Learning, Inc. 318318
Session 10 Security
319319319© 2007 Network Learning, Inc.
Session 10 Outline
• Unicast Reverse Path Forwarding (uRPF)
• Context Based Access Control (CBAC)
320320320© 2007 Network Learning, Inc.
CBAC Configuration
321321321© 2007 Network Learning, Inc.
Enable Audit Trails and Alerts
322322322© 2007 Network Learning, Inc.
Enable TCP Syn and Fin times
323323323© 2007 Network Learning, Inc.
TCP UDP and DNS Idle Times
324324324© 2007 Network Learning, Inc.
Port to Application Mapping
325325325© 2007 Network Learning, Inc.
Port Mapping Configuration
326326326© 2007 Network Learning, Inc.
Global Half Open Connection Limits
327327327© 2007 Network Learning, Inc.
Configuring Inspection Rules
328328328© 2007 Network Learning, Inc.
Apply Inspection Rule to an Interface
329329329© 2007 Network Learning, Inc.
Unicast Reverse Path Forwarding (uRPF)
• Unicast Reverse Path Forwarding (uRPF) is a feature originally created to implement RFC 2827 (BCP 38), Network Ingress Filtering: Defeating Denial of Service Attacks Which Employ IP Source Address Spoofing
330330330© 2007 Network Learning, Inc.
Configuring uRPF
• By enabling Unicast Reverse Path Forwarding (uRPF), packets whose source address fails the reverse-path check are dropped at the first uRPF-enabled device. To enable uRPF, use the following commands.
331331331© 2007 Network Learning, Inc.
IP Source Guard
• By watching which IP addresses are assigned by DHCP, a switch can create dynamic ACLs to block all traffic except traffic from DHCP-assigned IP addresses.
• Benefits:
–Prevents a hacker from spoofing their IP address to launch an anonymous attack.
–Prevents users from ignoring DHCP and manually configuring a static IP address.
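The two anti-spoofing checks from the uRPF and IP Source Guard slides modelled in Python, as an added example written for this page (illustrative code, not IOS): unicast RPF on a router’s forwarding table in strict and loose modes, and IP Source Guard on a switch’s DHCP-snooping binding table. The FIB, binding table and packet fields are constructed; the `allow_default` parameter is this example’s simplification of the IOS `allow-default` keyword (by default a match on 0.0.0.0/0 does not satisfy the check).

```python
"""uRPF (router FIB) and IP Source Guard (switch binding table) checks."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed router FIB: (prefix, egress interface).  The default route is
# present so the allow_default knob has something to act on.
FIB: List[Tuple[str, str]] = [
    ("10.1.0.0/16", "eth0"),
    ("192.0.2.0/24", "eth1"),
    ("0.0.0.0/0", "eth1"),
]


def lookup(fib: List[Tuple[str, str]], addr: str) -> Optional[Tuple[str, str]]:
    """Longest-prefix match; returns (prefix, interface) or None."""
    ip = ipaddress.ip_address(addr)
    best: Optional[Tuple[str, str]] = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None
                          or net.prefixlen > ipaddress.ip_network(best[0]).prefixlen):
            best = (prefix, iface)
    return best


def urpf_allows(fib: List[Tuple[str, str]], src: str, ingress: str,
                strict: bool = True, allow_default: bool = False) -> bool:
    """Strict mode: the route back to the source must point out the ingress
    interface.  Loose mode: any route to the source is enough.  Without
    allow_default a match on 0.0.0.0/0 does not count as a route."""
    match = lookup(fib, src)
    if match is None:
        return False
    prefix, iface = match
    if prefix == "0.0.0.0/0" and not allow_default:
        return False
    return iface == ingress if strict else True


# Constructed DHCP-snooping binding table: switch port -> (MAC, leased IP).
BINDINGS: Dict[str, Tuple[str, str]] = {
    "Fa0/1": ("00:11:22:33:44:55", "10.1.1.10"),
    "Fa0/2": ("00:11:22:33:44:66", "10.1.1.11"),
}


def source_guard_allows(bindings: Dict[str, Tuple[str, str]], port: str,
                        src_mac: str, src_ip: str, check_mac: bool = False) -> bool:
    """Only traffic whose source IP (and optionally MAC) matches the binding
    learned on that port is forwarded; a statically configured address that
    never went through DHCP has no binding and is dropped."""
    entry = bindings.get(port)
    if entry is None:
        return False
    mac, ip = entry
    return ip == src_ip and (mac == src_mac or not check_mac)


if __name__ == "__main__":
    print(urpf_allows(FIB, "10.1.5.5", "eth0"), urpf_allows(FIB, "10.1.5.5", "eth1"))
    print(source_guard_allows(BINDINGS, "Fa0/1", "00:11:22:33:44:55", "10.1.1.99"))
```

Strict mode is the one that stops a packet claiming an internal source from arriving on the external interface; loose mode only rejects sources with no route at all, which is why it is the choice on asymmetrically routed links.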
332332332© 2007 Network Learning, Inc.
IP Source Guard Configuration