AHMED NABIL
Arranged by: Eng. AHMED NABIL
CCNA Routing & Switching
NETWORKERS
New Cisco
Certifications model
The Golden Redundancy Rule
(One is none, two is barely one)
- Link redundancy (EtherChannel, EC)
- Router/Switch redundancy (FHRP)
Switch Port Aggregation with EtherChannels
Switches can use Ethernet, FastEthernet and Gigabit Ethernet to scale link speeds.
Cisco offers another method of scaling link bandwidth by aggregating (bundling) parallel links, termed the EtherChannel technology.
Two to eight links of FE or GE are bundled as one logical link, a FEC (FastEtherChannel) or GEC (GigaEtherChannel), that can provide a full-duplex bandwidth of up to 1600 Mbps or 16 Gbps respectively.
EtherChannels provide the switching devices with the ability of:
- Logical aggregation of similar links
- Viewed as one logical port
- Switch-level load balancing (load distribution)
- Link-level redundancy
Bundle conditions
All bundled ports must be:
1- In the same VLAN (if they are access ports)
2- In the same trunk mode (if they are trunk ports)
3- Configured with identical STP settings
4- Configured with the same duplex and speed
Use the show interface capabilities command to check whether the switch supports the EtherChannel feature.
Avoidance of switching loops with EC
Ordinarily, having multiple or parallel links between switches creates the possibility of bridging loops. A special protection method is used with EC to avoid bridging loops: "no inbound (received) broadcast, multicast or any flooded traffic is sent back out over any of the remaining ports in the channel; outbound flooded frames are load balanced like any other traffic, so flooded traffic becomes part of the hashing calculation that chooses an outbound channel link". Also, STP treats the EC as one physical link, so if one member link fails STP does not recalculate and no TCN BPDU is sent.
EtherChannel Dynamic Negotiation protocols
To provide some dynamic link configuration, we can allow dynamic creation of an EC between switches using either PAgP (Port Aggregation Protocol) or LACP (Link Aggregation Control Protocol).
The three major aspects to EtherChannel are as follows:
- Frame distribution
- Management of EtherChannel
- Logical port
An EtherChannel protocol has to satisfy all these aspects.
Traffic Distribution
Actually, EtherChannel performs "traffic distribution" among the available links of the bundle, so the load may not be equally balanced across EtherChannel links; as a result there must be an algorithm or criterion for selecting which users use which link in the EtherChannel bundle.
This load-balancing decision on an EC is not made on a frame-by-frame or packet-by-packet basis. Instead, addresses in the frame or packet are run through an algorithm which results in a binary value; this value is then matched up with one of the connections in the EC, and all traffic with this binary value is then transported across that connection in the EC.
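The following Python model, added here as an example and not part of the original notes, shows why the address hash gives "traffic distribution" rather than equal balancing: the hash is assumed to be the XOR of the low-order bits of the source and destination MAC addresses (1 bit for 2 links, 2 bits for 3-4 links, 3 bits for 5-8 links), mapped onto a member link. This is a simplified model of the kind of hashing described above, not the exact algorithm of any switch; the MAC addresses and frame counts are constructed for the example.

```python
"""EtherChannel frame distribution, as a model (added example, not from the slides).

Assumption (labelled): the hash is the XOR of the low-order bits of the source
and destination addresses, and the number of bits used depends on the bundle
size (1 bit for 2 links, 2 bits for 3-4 links, 3 bits for 5-8 links); the hash
value is then mapped onto a member link with a modulo. This is a simplified
model of the address-based hashing described in the text, not the exact
algorithm of any particular switch.
"""
from collections import Counter


def mac_to_int(mac: str) -> int:
    """Convert a Cisco-style dotted MAC (aaaa.bbbb.cc01) to an integer."""
    return int(mac.replace(".", ""), 16)


def hash_bits_for(nlinks: int) -> int:
    """Number of low-order address bits the hash consumes for a bundle size."""
    if not 2 <= nlinks <= 8:
        raise ValueError("an EtherChannel bundles 2 to 8 links")
    return (nlinks - 1).bit_length()  # 2 -> 1 bit, 3-4 -> 2 bits, 5-8 -> 3 bits


def select_link(src: int, dst: int, nlinks: int) -> int:
    """Return the index (0-based) of the member link carrying this src/dst pair."""
    nbits = hash_bits_for(nlinks)
    mask = (1 << nbits) - 1
    hash_value = (src & mask) ^ (dst & mask)
    return hash_value % nlinks


def distribution(flows, nlinks: int) -> dict:
    """Frames per link for a list of (src_mac, dst_mac, frame_count) tuples."""
    per_link = Counter()
    for src, dst, frames in flows:
        per_link[select_link(mac_to_int(src), mac_to_int(dst), nlinks)] += frames
    return dict(sorted(per_link.items()))


# Constructed sample: eight hosts sending equal traffic to one gateway MAC.
GATEWAY = "0000.0c07.ac01"
HOST_FLOWS = [(f"aaaa.aaaa.aa0{i}", GATEWAY, 100) for i in range(1, 9)]

# Constructed sample: one pair of servers exchanging a large volume of traffic.
SERVER_FLOWS = [("aaaa.aaaa.aa01", "aaaa.aaaa.aa03", 5000)]

if __name__ == "__main__":
    print("8 hosts -> gateway over 2 links:", distribution(HOST_FLOWS, 2))
    print("8 hosts -> gateway over 4 links:", distribution(HOST_FLOWS, 4))
    # A single conversation always hashes to one link, however large it is,
    # so two busy servers cannot use more than one member link's bandwidth.
    print("server pair over 4 links:", distribution(SERVER_FLOWS, 4))
```

Many small conversations spread across the bundle, but the single server-to-server conversation always lands on the same member link, which is the practical meaning of "load may not be equally balanced".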
1) PAgP (Port Aggregation Protocol)
PAgP is a Cisco proprietary protocol, where PAgP packets are exchanged between switches over EtherChannel-capable ports.
PAgP learns the neighbor device id and port capabilities; ports that have the same neighbor device id and the same port group capability on my local switch are bundled together as a bidirectional point-to-point EtherChannel link.
PAgP aids in the automatic creation of Fast EtherChannel links. PAgP packets are sent between Fast EtherChannel-capable ports to negotiate the forming of a channel. When PAgP identifies matched Ethernet links, it groups the links into an EtherChannel. The EtherChannel is then added to the spanning tree as a single bridge port.
The last component of EtherChannel is the creation of the logical port. The logical port, or Agport, is composed of all the links that make up the EtherChannel. The actual functionality and behaviour of the Agport is no different from that of any other port. For instance, the spanning tree algorithm treats the Agport as a single port.
For example: if the VLAN, speed or duplex of an established port in the bundle changes, PAgP changes that parameter for all the ports of the bundle.
2) LACP (Link Aggregation Control Protocol)
It is a standards-based alternative to PAgP, defined in IEEE 802.3ad, also known as IEEE 802.3 clause 43 "link aggregation".
LACP also learns the neighbor id and port group capabilities and compares them with its local switch capability.
A set of up to 16 links for an EC can be negotiated through LACP; only 8 of the links will be active and the other 8 links are used as standby for the active links.
Configuring EC
(config)#interface
(config-if)#channel-protocol {pagp | lacp}
(config-if)#channel-group number mode {on | desirable | auto | active | passive}
(desirable and auto are the PAgP modes; active and passive are the LACP modes; on forces the bundle without negotiation)
Troubleshooting
The status of the port channel shows the EtherChannel logical interface as a whole. This should show SU (Layer 2 channel, in use) if the channel is operational. You can also examine the status of each port within the channel. Notice that most of the channel ports have the flag (P), indicating that they are active in the port-channel. One port shows a different flag because it is physically not connected or down. If a port is connected but not bundled in the channel, it will have an independent, or (I), flag.
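As an added example (not from the notes), the script below parses the port-channel status output described above (the show etherchannel summary command) and turns the flags into findings an operator would act on. The output text is a constructed sample in the usual IOS layout; the flag meanings are the ones given in the text.

```python
"""Parse 'show etherchannel summary' output and flag non-bundled member ports.

Added example, not from the slides. The sample output below is constructed in
the usual IOS layout (Group, Port-channel, Protocol, Ports columns); the flag
letters follow the meanings given in the text: SU = Layer 2 channel in use,
P = bundled in port-channel, D = down, I = stand-alone (not bundled).
"""
import re

SAMPLE_OUTPUT = """\
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        S - Layer2      U - in use
Number of channel-groups in use: 2
Number of aggregators:           2

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)         PAgP      Fa0/1(P)    Fa0/2(P)    Fa0/3(D)    Fa0/4(I)
2      Po2(SD)         LACP      Gi0/1(D)    Gi0/2(D)
"""

# A channel row starts with the group number, then e.g. Po1(SU), the protocol
# (or '-') and the member ports.
CHANNEL_RE = re.compile(r"^\s*(\d+)\s+(Po\d+)\(([A-Za-z]+)\)\s+(\S+)\s+(.*)$")
PORT_RE = re.compile(r"([A-Za-z]+\d+(?:/\d+)+)\(([A-Za-z]+)\)")


def parse_summary(text: str) -> list:
    """Return one dict per port-channel: group, name, flags, protocol, ports {name: flag}."""
    channels = []
    for line in text.splitlines():
        m = CHANNEL_RE.match(line)
        if not m:
            continue
        group, name, flags, protocol, ports = m.groups()
        channels.append({
            "group": int(group),
            "name": name,
            "flags": flags,
            "protocol": protocol,
            "ports": {p: f for p, f in PORT_RE.findall(ports)},
        })
    return channels


def check_summary(text: str) -> list:
    """Findings an operator would want to see, as (channel, port, message) tuples."""
    findings = []
    for ch in parse_summary(text):
        if ch["flags"] != "SU":
            findings.append((ch["name"], None,
                             f"channel flags {ch['flags']}: not an operational Layer 2 channel"))
        for port, flag in ch["ports"].items():
            if flag == "P":
                continue  # bundled and active: nothing to report
            if flag == "D":
                findings.append((ch["name"], port, "member port is down / not connected"))
            elif flag == "I":
                findings.append((ch["name"], port,
                                 "port is up but stand-alone (not bundled); check that VLAN, "
                                 "trunk mode, speed/duplex and STP settings match the bundle"))
            else:
                findings.append((ch["name"], port, f"unexpected flag {flag}"))
    return findings


if __name__ == "__main__":
    for channel, port, msg in check_summary(SAMPLE_OUTPUT):
        print(f"{channel} {port or ''}: {msg}")
```

The (I) case is the one worth checking first, since it usually means one of the bundle conditions listed earlier (VLAN, trunk mode, speed/duplex, STP settings) differs on that port.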
FHRP (First Hop Redundancy Protocols)
Redundancy within the network (between devices)
Router redundancy in a multilayer switched network:
- Redundancy is one method for creating highly available networks.
- Cisco supports:
1- HSRP (Hot Standby Router Protocol)
2- VRRP (Virtual Router Redundancy Protocol)
3- GLBP (Gateway Load Balancing Protocol)
to provide failover in case of a gateway failure.
When a host tries to communicate with a device outside its network, it needs a gateway.
Router Redundancy Protocols (First Hop Redundancy Protocols) = FHRP
Hosts will see multiple gateways as a single virtual gateway.
HSRP: (RFC 2281) (Cisco proprietary)
- HSRP was developed to allow several routers to appear as a single gateway (virtual router).
- The routers that provide redundancy for a given gateway address are assigned to a common HSRP group no. (0-255).
- If multiple routers exist:
One router is elected as the active router,
One router is elected as the standby router,
The other routers are listeners.
- The routers exchange HSRP hello messages at regular intervals so they can remain aware of each other's existence.
- Hellos are sent to 224.0.0.2 every 3 sec. with a hold-down time of 10 sec., using UDP port no. 1985.
- HSRP router election:
The active router is the router that has the highest:
1- HSRP priority (0-255), by default = 100.
2- IP address of the interface facing the LAN segment (used as the tie-breaker).
The standby router is the one with the second highest priority or IP address.
[Slide figure: one HSRP group with gateway routers R1 (HSRP ACTIVE), R2 (HSRP STANDBY) and R3 (HSRP LISTEN) serving clients CL1, CL2 and CL3. R1 is active and forwarding traffic; R2 and R3 are hot standby, idle.]
Gateway routers:
R1: IP 10.0.0.254, MAC 0000.0c12.3456, vIP 10.0.0.10, vMAC 0000.0c07.acxx
R2: IP 10.0.0.253, MAC 0000.0c78.9abc
R3: IP 10.0.0.252, MAC 0000.0cde.f123
Clients (these are the typical addresses learned by the hosts):
CL1: IP 10.0.0.1, MAC aaaa.aaaa.aa01, GW 10.0.0.10, ARP 0000.0c07.acxx
CL2: IP 10.0.0.2, MAC aaaa.aaaa.aa02, GW 10.0.0.10, ARP 0000.0c07.acxx
CL3: IP 10.0.0.3, MAC aaaa.aaaa.aa03, GW 10.0.0.10, ARP 0000.0c07.acxx
HSRP tracking system (conceding the election):
The active router has many links to the outside. If all or any of those links fail, the router remains active and all hosts still forward traffic to it.
HSRP has a mechanism to detect link failures; this is called interface tracking.
When a tracked interface fails, HSRP reduces the router's priority by a certain value (default = 10).
If pre-emption is enabled and the priority of the active router becomes less than that of the standby router, the standby router will become the active router.
In this example, router A and router B reside in one building. Each of these routers supports a Gigabit Ethernet link (G1) to the other building. Router A has the higher priority and is the active forwarding router for standby group 1. Router B is the standby router for that group. Routers A and B are exchanging hello messages through their E0 interfaces.
The Gigabit Ethernet link between the active forwarding router for the standby group and the other building experiences a failure. Without HSRP enabled, router A would detect the failed link and send an Internet Control Message Protocol (ICMP) redirect to router B. However, when HSRP is enabled, ICMP redirects are disabled. Therefore, neither router A nor the virtual router sends an ICMP redirect. In addition, although the G1 interface on router A is no longer functional, router A still communicates hello messages out interface E0, indicating that router A is still the active router. Packets sent to the virtual router for forwarding to headquarters cannot be routed.
Interface tracking enables the priority of a standby group router to be automatically adjusted, based on the availability of the interfaces of that router. When a tracked interface becomes unavailable, the HSRP priority of the router is decreased. When properly configured, the HSRP tracking feature ensures that a router with an unavailable key interface will relinquish the active router role.
In this example, the E0 interface on router A tracks the G1 interface. If the link between the G1 interface and the other building fails, the router automatically decrements the priority on that interface and stops transmitting hello messages out interface E0. Router B assumes the active router role when no hello messages are detected for the specific holdtime period.
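To make the election, tracking and pre-emption rules concrete, here is an added Python model of them (an example written for these notes, not Cisco's implementation). It assumes each router is described by its priority, its interface IP and the interfaces it tracks with their decrement (default 10, as the text states); routers A and B, their addresses and the G1 interface name are constructed to follow the scenario above.

```python
"""HSRP active/standby election with interface tracking and pre-emption.

Added example modelling the rules in the text; it is not Cisco's
implementation. Assumptions (labelled): each router is described by its
priority, its interface IP address and the interfaces it tracks with the
decrement applied when one fails (default 10, as the text states); routers
and addresses below are constructed for the example.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class HsrpRouter:
    name: str
    ip: str
    priority: int = 100          # 0-255, default 100
    preempt: bool = False        # is pre-emption configured on this router?
    tracked: dict = field(default_factory=dict)   # interface -> decrement
    failed: set = field(default_factory=set)      # tracked interfaces currently down

    def effective_priority(self) -> int:
        """Configured priority minus the decrement of every failed tracked interface."""
        loss = sum(dec for intf, dec in self.tracked.items() if intf in self.failed)
        return max(self.priority - loss, 0)

    def election_key(self) -> tuple:
        """Highest priority wins; the highest interface IP breaks a tie."""
        return (self.effective_priority(), int(ipaddress.IPv4Address(self.ip)))


def elect(routers) -> tuple:
    """Initial election: returns (active, standby) router names."""
    ranked = sorted(routers, key=HsrpRouter.election_key, reverse=True)
    return ranked[0].name, (ranked[1].name if len(ranked) > 1 else None)


def active_after_change(routers, current_active: str) -> str:
    """Who is active once priorities have changed (e.g. a tracked link failed).

    The current active router keeps the role unless another router now has a
    strictly better election key AND is configured to pre-empt.
    """
    by_name = {r.name: r for r in routers}
    current = by_name[current_active]
    best = max(routers, key=HsrpRouter.election_key)
    if best is not current and best.preempt and best.election_key() > current.election_key():
        return best.name
    return current.name


def simulate_link_failure(preempt_on_standby: bool) -> dict:
    """Router A tracks its G1 uplink; G1 fails. Returns the before/after picture."""
    a = HsrpRouter("A", "10.0.0.254", priority=105, preempt=True, tracked={"G1": 10})
    b = HsrpRouter("B", "10.0.0.253", priority=100, preempt=preempt_on_standby)
    active, standby = elect([a, b])
    a.failed.add("G1")                       # uplink G1 on router A goes down
    return {
        "before": (active, standby),
        "a_priority_after": a.effective_priority(),
        "active_after": active_after_change([a, b], active),
    }


if __name__ == "__main__":
    print("standby has preempt:   ", simulate_link_failure(True))
    print("standby has no preempt:", simulate_link_failure(False))
```

The second run is the caveat worth remembering: tracking lowers A's priority, but without pre-emption configured on B the active role does not move, so the failed uplink keeps receiving the hosts' traffic.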
HSRP configuration:
Configuration can take place on any layer 3 port: a router port, an SVI (Switched Virtual Interface) on an MLS, or an EtherChannel port.
Configuring an HSRP standby interface:
(config-if)# standby ip
Configuring HSRP standby priority:
(config-if)# standby priority
Configuring interface tracking:
(config-if)# standby track
Troubleshooting:
#show standby [brief]
#debug standby
Troubleshooting
Switch# show standby brief
                      P indicates configured to preempt.
                      |
Interface   Grp  Prio P State    Active addr      Standby addr     Group addr
Vl11        11   100    Active   local            172.16.11.112    172.16.11.115
Switch# debug standby
*Mar  1 00:22:30.443: SB11: Vl11 Hello  out 172.16.11.111 Active  pri 100 ip 172.16.11.115
*Mar  1 00:22:32.019: SB11: Vl11 Hello  in  172.16.11.112 Standby pri 50 ip 172.16.11.115
*Mar  1 00:22:33.331: SB11: Vl11 Hello  out 172.16.11.111 Active  pri 100 ip 172.16.11.115
*Mar  1 00:22:34.927: SB11: Vl11 Hello  in  172.16.11.112 Standby pri 50 ip 172.16.11.115
*Mar  1 00:22:36.231: SB11: Vl11 Hello  out 172.16.11.111 Active  pri 100 ip 172.16.11.115
*Mar  1 00:22:37.823: SB11: Vl11 Hello  in  172.16.11.112 Standby pri 50 ip 172.16.11.115
*Mar  1 00:22:39.163: SB11: Vl11 Hello  out 172.16.11.111 Active  pri 100 ip 172.16.11.115
*Mar  1 00:22:40.735: SB11: Vl11 Hello  in  172.16.11.112 Standby pri 50 ip 172.16.11.115
*Mar  1 00:22:42.119: SB11: Vl11 Hello  out 172.16.11.111 Active  pri 100 ip 172.16.11.115
*Mar  1 00:22:43.663: SB11: Vl11 Hello  in  172.16.11.112 Standby pri 50 ip 172.16.11.115
*Mar  1 00:22:45.067: SB11: Vl11 Hello  out 172.16.11.111 Active  pri 100 ip 172.16.11.115
*Mar  1 00:22:46.567: SB11: Vl11 Hello  in  172.16.11.112 Standby pri 50 ip 172.16.11.115
VRRP: (RFC 2338)
- IETF standard alternative to HSRP.
- A VRRP group has one master router; all other routers are in the backup state.
- The master router has the highest priority (1-255), default = 100.
- If priorities are equal, the highest IP address breaks the tie.
- Only the VRRP master sends hellos, on multicast address 224.0.0.18 every 1 sec. by default, using IP protocol 112.
VRRP configuration:
(config-if)# vrrp priority
(config-if)# vrrp ip
- Troubleshooting:
#show vrrp [brief]
GLBP (Gateway Load Balancing Protocol): (Cisco proprietary)
- HSRP and VRRP provide gateway resiliency, but HSRP and VRRP can only accomplish load balancing by configuring multiple groups.
- GLBP is like HSRP and VRRP but with a more dynamic and robust behavior.
- Rather than having just one active router performing forwarding, all routers in the group can participate and offer load balancing by forwarding a portion of the overall traffic.
- So GLBP fully utilizes resources without extra administrative burden.
- GLBP group members multicast hellos every 3 seconds to IP address 224.0.0.102, UDP port 3222.
Troubleshooting
#show glbp
[Slide table: A Comparison of Router Redundancy Protocols]
GLBP virtual MAC address format: 0007.b4xx.xxyy
GLBP Operation:
- The trick behind GLBP load balancing lies in electing an AVG (Active Virtual Gateway) router that has a management role, distributing the load among all routers (gateways, also called AVFs (Active Virtual Forwarders)).
- The AVG router is the one with the highest priority (1-255); if equal, the highest IP address.
- The AVG router answers all ARP requests for the virtual router, and each time it replies with the MAC of one of the routers (AVFs).
The figure shows a typical network where three multilayer switches are participating in a common GLBP group. Catalyst A is elected the AVG, so it coordinates the entire GLBP process. The AVG answers all ARP requests for the virtual router 192.168.1.1. It has identified itself, Catalyst B, and Catalyst C as AVFs for the group.
[Slide figure: Multilayer Switches in a GLBP Group]
In this figure, round-robin load balancing is being used. Each of the client PCs looks for the virtual router address in turn, from left to right. Each time the AVG replies, the next sequential virtual MAC address is sent back to a client. After the fourth PC sends a request, all three virtual MAC addresses (and AVF routers) have been used, so the AVG cycles back to the first virtual MAC address.
Notice that only one GLBP group has been configured, and all clients know of only one gateway IP address, 192.168.1.1. However, all uplinks are being utilized, and all routers are proportionately forwarding traffic.
Redundancy is also inherent in the GLBP group: Catalyst A is the AVG, but the next-highest priority router can take over if the AVG fails. All routers have been given an AVF role for a unique virtual MAC address in the group. If one AVF fails, some clients remember the last known virtual MAC address that was handed out. Therefore, another of the routers also takes over the AVF role for the failed router, causing the virtual MAC address to remain alive at all times.
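The AVG behaviour just described (round-robin hand-out of virtual MACs in ARP replies, and another AVF taking over a failed forwarder's MAC) is modelled in this added Python example, which is not Cisco's code and not part of the original notes. The virtual MACs follow the 0007.b4xx.xxyy pattern from the comparison slide with constructed values for group 1 and forwarders 1 to 3; the client IPs are constructed too.

```python
"""GLBP active virtual gateway (AVG) behaviour: round-robin virtual MAC hand-out
and AVF takeover, as an added example modelling the text (not Cisco's code).

Assumptions (labelled): the virtual MACs follow the 0007.b4xx.xxyy pattern from
the slides with constructed values for group 1 and forwarders 1-3; switch names
and client IPs are constructed for the example.
"""


class ActiveVirtualGateway:
    """The AVG of one GLBP group: answers ARP for the virtual IP and assigns AVF roles."""

    def __init__(self, virtual_ip: str, forwarders: dict):
        # forwarders: {virtual_mac: switch_name}; the AVG is also one of the AVFs
        self.virtual_ip = virtual_ip
        self.vmacs = list(forwarders)                 # hand-out order, left to right
        self.owner = dict(forwarders)                 # vmac -> switch currently forwarding it
        self.order = list(forwarders.values())        # takeover preference order
        self.alive = set(self.order)
        self._next = 0

    def arp_reply(self, client_ip: str) -> str:
        """Answer an ARP request for the virtual IP with the next virtual MAC (round robin)."""
        vmac = self.vmacs[self._next]
        self._next = (self._next + 1) % len(self.vmacs)
        return vmac

    def forwarder_for(self, vmac: str) -> str:
        """Which switch is currently forwarding frames sent to this virtual MAC."""
        return self.owner[vmac]

    def avf_failed(self, switch: str) -> None:
        """An AVF died: a surviving AVF takes over its virtual MAC, so clients that
        cached that MAC keep a working gateway."""
        self.alive.discard(switch)
        survivors = [s for s in self.order if s in self.alive]
        if not survivors:
            raise RuntimeError("no live AVF left in the group")
        for vmac in self.vmacs:
            if self.owner[vmac] == switch:
                self.owner[vmac] = survivors[0]


def demo() -> dict:
    """Four clients ARP for the gateway, then Catalyst B fails."""
    avg = ActiveVirtualGateway("192.168.1.1", {
        "0007.b400.0101": "Catalyst A",   # AVG, and AVF 1
        "0007.b400.0102": "Catalyst B",   # AVF 2
        "0007.b400.0103": "Catalyst C",   # AVF 3
    })
    clients = ["192.168.1.11", "192.168.1.12", "192.168.1.13", "192.168.1.14"]
    replies = [avg.arp_reply(ip) for ip in clients]
    avg.avf_failed("Catalyst B")
    return {"replies": replies,
            "forwarder_for_vmac2": avg.forwarder_for("0007.b400.0102"),
            "live_forwarders": sorted(avg.alive)}


if __name__ == "__main__":
    print(demo())
```

The fourth client receives the first virtual MAC again, and after the failure the second virtual MAC is still answered for, now by Catalyst A, which is the "virtual MA C address remains alive" behaviour from the text.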
STP Enhancements and Per-VLAN STP
VLAN Ranges and Mappings
VLAN Range   Range        Usage
Reserved     0, 4095      For system use only
Normal       1            Cisco default
Normal       2-1001       For Ethernet VLANs
Normal       1002-1005    Cisco defaults for FDDI and Token Ring
Extended     1025-4094    For Ethernet VLANs only
Types of STP
1) CST (Common Spanning Tree)
A single STP instance runs for all VLANs; all BPDUs are transmitted over the native VLAN using dot1q trunks, but any redundant links will never be used.
2) PVST (Per-VLAN Spanning Tree)
Cisco provided this proprietary version of STP that offers more flexibility than CST: it allows the STP on each VLAN to be configured independently by running one STP instance per VLAN, which allows using redundant links in a load-sharing fashion. Due to the proprietary nature of PVST, ISL must be used for trunking.
So there is no interoperability between CST and PVST (no BPDU exchange will take place).
3) PVST+ (PVST plus)
Cisco introduced this version of STP to allow CST and PVST to interoperate; to do this, PVST+ acts as a translator between CST and PVST.
PVST+ exchanges BPDUs with PVST using ISL trunks, while it communicates with CST by sending BPDUs as untagged frames. BPDUs from other instances of STP (other VLANs) are propagated across the CST network by tunnelling: PVST+ sends these BPDUs using a unique multicast address so that the CST switches do not interpret them and simply forward them to the downstream neighbor; these tunnelled BPDUs reach other PVST+ switches, where they are understood.
Optimizing Spanning Tree Protocol
By default, STP is enabled for every port on the switch. If for some reason STP has been disabled, you can re-enable it.
1) Activating Spanning Tree:
If an entire instance of STP has been disabled, you can re-enable it with the following global configuration command:
Switch(config)# spanning-tree vlan vlan-id
If STP has been disabled for a specific VLAN on a specific port, you can re-enable it with the following interface configuration command:
Switch(config-if)# spanning-tree vlan vlan-id
2) Root Bridge Placement
Although STP is wonderfully automatic with its default values and election processes, the resulting tree structure might perform quite differently than expected.
To force a certain switch to be the root or the backup root:
Switch(config)#spanning-tree vlan vlan-list root {primary | secondary}
Switch(config)#spanning-tree vlan 5,70-77 root primary
Switch(config)#spanning-tree vlan 5,70-77 root secondary
Or set the bridge priority directly (the priority value must be a multiple of 4096):
Switch(config)#spanning-tree vlan 1 priority priority
STP considerations & Enhancements
There are many configurations needed to optimize the operation of STP; Cisco has also introduced many enhancements to speed up the convergence of STP.
Enhancing STP convergence
1) PortFast: Access Layer nodes
On switch ports that connect only to single workstations or specific devices, bridging loops should never be possible.
Catalyst switches offer the PortFast feature, which shortens the Listening and Learning states to a negligible amount of time. When a workstation link comes up, the switch immediately moves the PortFast port into the Forwarding state.
One other benefit of PortFast is that topology change notification (TCN) BPDUs are not sent when a switch port in PortFast mode goes up or down.
Activate PortFast with this command:
On a specific interface:
(config-if)# spanning-tree portfast
On all non-trunking (access) interfaces:
(config)#spanning-tree portfast default
2) BPDU Guard
By definition, if you enable PortFast, you are never expecting to find anything that can cause a bridging loop, especially another switch or device that produces BPDUs. Suppose that a switch is connected by mistake to a port where PortFast is enabled. Now there is a potential for a bridging loop to form. An even greater consequence is that the potential now exists for a new device to advertise itself and become the new Root Bridge.
The BPDU guard feature was developed to further protect the integrity of switch ports that have PortFast enabled. If any BPDU (whether superior to the current Root or not) is received on a port where BPDU guard is enabled, that port is immediately put into the errdisable state. The port is shut down in an error condition and must either be manually re-enabled or automatically recovered through the errdisable timeout function.
Configuring BPDU Guard
Globally, on all PortFast ports: Switch(config)# spanning-tree portfast bpduguard default
On an interface: (config-if)# spanning-tree bpduguard enable
Rapid Spanning Tree Protocol (RSTP), IEEE 802.1w
The IEEE 802.1w standard was developed to take 802.1D concepts and make the resulting convergence much faster. This is also known as the Rapid Spanning Tree Protocol (RSTP).
RSTP defines how switches must interact with each other to keep the network topology loop free, in a very efficient manner. Like 802.1D, RSTP can run as a single instance or as multiple instances, and also as the Cisco-proprietary Rapid Per-VLAN Spanning Tree Protocol (RPVST+).
RSTP operates consistently in each, but replicating RSTP as multiple instances requires a different approach.
RSTP calculates the final topology using exactly the same criteria as 802.1D.
There is now a difference between the role the protocol has determined for a port and its current state.
RSTP Port Behavior
Root Port: The one switch port on each switch that has the best root path cost to the Root. This is identical to 802.1D. (By definition, the Root Bridge has no Root Ports.)
Designated Port: The switch port on a network segment that has the best root path cost to the Root.
Alternate Port: A port that has an alternate path to the Root, different than the path the Root Port takes. This path is less desirable than that of the Root Port. (An example of this is an access layer switch with two uplink ports; one becomes the Root Port, the other is an Alternate Port.)
Backup Port: A port that provides a redundant (but less desirable) connection to a segment where another switch port already connects. If that common segment is lost, the switch might or might not have a path back to the Root.
RSTP port states
Discarding: Incoming frames are simply dropped; no MAC addresses are learned. (This state combines the 802.1D Disabled, Blocking, and Listening states, as all three did not effectively forward anything. The Listening state is not needed, because RSTP can quickly negotiate a state change without listening for BPDUs first.)
Learning: Incoming frames are dropped, but MAC addresses are learned.
Forwarding: Incoming frames are forwarded according to MAC addresses that have been (and are being) learned.
RSTP Port State   STP Port State   Port Included in Active Topology?   Port Learning MAC Addresses?
Discarding        Disabled         No                                  No
Discarding        Blocking         No                                  No
Discarding        Listening        No                                  No
Learning          Learning         No                                  Yes
Forwarding        Forwarding       Yes                                 Yes
Rapid Per-VLAN Spanning Tree Protocol
In PVST+, one spanning tree instance is created and used for each active
VLAN that is defined on the switch. Each STP instance behaves according
to the traditional 802.1D STP rules.
You can improve the efficiency of each STP instance by configuring a
switch to begin using RSTP instead. This means that each VLAN will have
its own independent instance of RSTP running on the switch. This mode is
known as Rapid PVST+ (RPVST+).
You need only one configuration step to change the STP mode and begin
using RPVST+. You can use the following global configuration command
to accomplish this:
Switch(config)# spanning-tree mode rapid-pvst
Be careful when you use this command on a production network because
any STP process that currently is running must be restarted. This can cause
functioning links to move through the traditional STP states, preventing
data from flowing for a short time.
Important note: RSTP is compatible with STP, but on a link to an 802.1D neighbor it falls back to the slower STP behaviour in order to adapt to it.
Native VLAN concept:
Dot1q also introduced the concept of the native VLAN on a trunk, whose frames are not tagged with any VLAN id; using this feature, 802.1q tagging devices and non-802.1q devices can co-exist on an 802.1q trunk.
Native VLAN is by default VLAN 1, which is also called the
management VLAN (management VLAN is the VLAN that
native VLAN can be changed by configuration.
To set the native VLAN:
(config-if)#switchport trunk native vlan vlan-id
The default is VLAN 1; this is used only with dot1q trunking mode.
Securing and Managing network devices
CDP Vulnerabilities
Disable CDP whenever possible:
(config)#no cdp run
(config-if)#no cdp enable
Telnet Vulnerabilities
The Telnet connection sends text unencrypted and potentially readable.
SSH replaces the Telnet session with an encrypted connection.
Use SSH (Secure Shell) whenever possible; it encrypts the data:
(config)# hostname name
(config)# ip domain-name name
(config)# ip ssh version {1 | 2}
(config)# crypto key generate rsa
(config)# line vty 0 15
(config-line)# transport input ssh
Describing vty ACLs
- Set up a standard IP ACL.
- Use line configuration mode to filter access with the access-class command.
- Set identical restrictions on every vty line.
Configures a standard IP access list:
Switch(config)#access-list access-list-number {permit | deny | remark} source [mask]
Enters configuration mode for a vty or vty range:
Switch(config)#line vty {vty# | vty-range}
Restricts incoming or outgoing vty connections to addresses in the ACL:
Switch(config-line)#access-class access-list-number {in | out}
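The matching rule that a standard ACL applies to a vty connection (compare the source address bits not covered by the wildcard mask, first match wins, implicit deny at the end) is shown in this added Python example; it is written for these notes, not IOS code, and the access-list and line configuration it parses is a constructed sample.

```python
"""Evaluate a standard IP access list the way a vty access-class would, as an
added example (not IOS code). The ACL lines below are constructed; the matching
rule implemented is the standard-ACL one: an entry matches when the bits of the
source address not covered by the wildcard mask equal the entry's address, the
first match decides, and an unmatched address hits the implicit deny.
"""
import ipaddress
import re

ENTRY_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny|remark)\s*(.*)$")


def parse_acl(config_lines, number: int) -> list:
    """Return [(action, address_int, wildcard_int), ...] for ACL `number`, in order."""
    entries = []
    for line in config_lines:
        m = ENTRY_RE.match(line.strip())
        if not m or int(m.group(1)) != number:
            continue
        action, rest = m.group(2), m.group(3).split()
        if action == "remark":
            continue                           # comments never match traffic
        if rest[0] == "any":
            addr, wild = 0, 0xFFFFFFFF         # every bit is a don't-care
        elif rest[0] == "host":
            addr, wild = int(ipaddress.IPv4Address(rest[1])), 0
        else:
            addr = int(ipaddress.IPv4Address(rest[0]))
            # a bare address with no wildcard means an exact host match
            wild = int(ipaddress.IPv4Address(rest[1])) if len(rest) > 1 else 0
        entries.append((action, addr, wild))
    return entries


def evaluate(entries, source_ip: str) -> str:
    """'permit' or 'deny' for a connection from source_ip (implicit deny at the end)."""
    src = int(ipaddress.IPv4Address(source_ip))
    for action, addr, wild in entries:
        care = ~wild & 0xFFFFFFFF              # bits that must match exactly
        if (src & care) == (addr & care):
            return action
    return "deny"


# Constructed configuration: the management subnet and one jump host may reach the vty.
CONFIG = """\
access-list 10 remark management access to vty lines
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 10 permit host 192.168.50.5
access-list 10 deny any
line vty 0 15
 access-class 10 in
 transport input ssh
""".splitlines()

if __name__ == "__main__":
    acl = parse_acl(CONFIG, 10)
    for ip in ("10.1.1.77", "192.168.50.5", "192.168.50.6", "172.16.0.9"):
        print(ip, "->", evaluate(acl, ip))
```

The explicit deny any at the end changes nothing functionally (the implicit deny would catch the same addresses) but is the usual way to get a visible hit counter for rejected attempts.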
Syslog (System Message Logging):
Syslog is a protocol that permits network devices to send their system messages across the network to a syslog server, so that events such as an interface going up or down, a routing protocol neighborship being established or torn down, or any debug lines can be saved on that server.
Syslog messages can also be sent to the logging buffer inside a router or switch, where they can be displayed using
# show logging (or, as it is commonly typed, #show log)
To order the device to buffer logs in the internal memory of the router or switch, use (config)#logging buffered
To tell the router or switch the IP address of a syslog server, use
(config)#logging ip-address-of-syslog-server
One of the most well-known syslog server programs is called KIWI.
Syslog messages are classified by severity into the following levels, from most to least severe:
Emergency, Alert, Critical, Error, Warning, Notification, Informational and Debugging
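As an added example (not from the notes), the script below parses IOS-style syslog lines and filters them by the severity scale just listed (0 = Emergency up to 7 = Debugging), which is what a syslog server or a logging trap level does with the stream. The log lines are constructed samples in the usual %FACILITY-SEVERITY-MNEMONIC format.

```python
"""Parse IOS-style syslog lines and filter by severity.

Added example, not from the slides. The message lines are constructed samples in
the usual IOS format '%FACILITY-SEVERITY-MNEMONIC: text'; the severity numbers
follow the standard syslog scale, 0 (Emergency) to 7 (Debugging).
"""
import re

SEVERITY_NAMES = ["Emergency", "Alert", "Critical", "Error",
                  "Warning", "Notification", "Informational", "Debugging"]

# Optional IOS timestamp, then %FACILITY-SEV-MNEMONIC: message
LINE_RE = re.compile(
    r"^(?:\*?\w{3}\s+\d+\s+[\d:.]+:\s*)?%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+):\s*(.*)$")

SAMPLE_LOG = """\
*Mar  1 00:22:30.443: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
*Mar  1 00:22:31.100: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
*Mar  1 00:23:02.771: %OSPF-5-ADJCHG: Process 1, Nbr 10.1.1.2 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Dead timer expired
*Mar  1 00:23:10.002: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.9)
*Mar  1 00:23:15.413: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.9] [localport: 22] [Reason: Login Authentication Failed]
""".splitlines()


def parse_line(line: str):
    """Return dict(facility, severity, name, mnemonic, text) or None if not a syslog message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    facility, sev, mnemonic, text = m.groups()
    sev = int(sev)
    return {"facility": facility, "severity": sev, "name": SEVERITY_NAMES[sev],
            "mnemonic": mnemonic, "text": text}


def at_or_above(lines, max_severity: int) -> list:
    """Messages at least as severe as max_severity (lower number = more severe),
    the same selection 'logging trap warnings' makes when forwarding levels 0-4."""
    parsed = (parse_line(l) for l in lines)
    return [p for p in parsed if p and p["severity"] <= max_severity]


def count_by_facility(lines) -> dict:
    """How many messages each facility produced (a quick view of a noisy device)."""
    counts = {}
    for p in filter(None, map(parse_line, lines)):
        counts[p["facility"]] = counts.get(p["facility"], 0) + 1
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    for msg in at_or_above(SAMPLE_LOG, 4):
        print(f"{msg['name']:<8} {msg['facility']}-{msg['mnemonic']}: {msg['text']}")
    print(count_by_facility(SAMPLE_LOG))
```

Filtering at Warning keeps the link failure (Error) and the failed login (Warning) and drops the three Notification-level messages, which is the trade-off to weigh when choosing the level sent to the server: the OSPF adjacency change at level 5 would be lost.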
SNMP (Simple Network Management Protocol):
It is an application that provides a means of sending management messages (called SNMP traps) from the various network devices that need to be monitored to an SNMP server. The device that needs to be managed is called the SNMP agent, the managing device is called the manager, the database collected is called the MIB (Management Information Base), and the software installed on the manager is called the NMS (Network Management Station software); among the most famous NMSs are CiscoWorks, Cisco Prime, HP OpenView and IBM Tivoli.
Most commonly, a network administrator gathers and stores statistics over time using the NMS; this info may include device processing (#show process cpu), memory utilization (#show process memory), interface status changes and any protocol state. SNMP can also be used for remote configuration.
SNMP versions:
The three main versions are ver1, ver2c and ver3.
Version 1 is extremely legacy, yet still often used today.
SNMP ver2c's main enhancements were improvements in the messaging system to make obtaining large amounts of statistics more efficient, but both version 1 and 2c do not do much for security, especially what is termed the SNMP community string, in other words the authentication of agents, manager and administrator.
These community strings are really just clear text.
In SNMP there are two types of community strings (authentication):
Read-only (RO): provides access to the MIB, but does not allow changes.
Read-Write (RW): provides read and modify access for all MIB objects and variables.
SNMP v3's most visible enhancement is security, by providing Confidentiality (encryption), Integrity, and secured Authentication.
By configuration you can choose which of the CIA options you want to activate.
On a managed device, to configure the community string:
(config)#snmp-server community community-string {RO | RW}
This string should be exactly the same on the SNMP server.
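The points of the last few sections (CDP left running, Telnet still accepted on vty lines, vty lines without an access-class, SSH version 2 not enforced, and clear-text SNMPv1/v2c community strings, worse when RW) can be checked mechanically against a running configuration. The following Python audit is an added example written for these notes, not a Cisco tool; the configuration it reads is a constructed sample and the community string names in it are placeholders.

```python
"""Audit a running-config snippet for the remote-access and SNMP weaknesses
described in the CDP/Telnet/SSH and SNMP sections: CDP left enabled, vty lines
that accept Telnet or have no access-class, SSH version 2 not enforced, and
clear-text SNMPv1/v2c community strings (worse when RW).

Added example, not from the slides; the configuration below is constructed.
"""
import re

SAMPLE_CONFIG = """\
hostname SW1
ip domain-name lab.example
ip ssh version 2
snmp-server community MONITOR RO
snmp-server community CHANGEME RW
line vty 0 4
 transport input ssh
 access-class 10 in
line vty 5 15
 transport input telnet ssh
"""

COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)\s+(RO|RW)\b")


def vty_sections(lines):
    """Yield (header, [sub-commands]) for every 'line vty ...' block."""
    header, body = None, []
    for line in lines + [""]:             # sentinel flushes the last block
        if line.startswith("line vty"):
            if header:
                yield header, body
            header, body = line, []
        elif header and line.startswith(" "):
            body.append(line.strip())
        else:
            if header:
                yield header, body
            header, body = None, []


def audit(config: str) -> list:
    """Return a sorted list of finding strings; an empty list means nothing found."""
    lines = config.splitlines()
    top = {l.strip() for l in lines if l and not l.startswith(" ")}
    findings = []
    if "no cdp run" not in top:
        findings.append("CDP is enabled globally ('no cdp run' missing)")
    if "ip ssh version 2" not in top:
        findings.append("SSH version 2 is not enforced ('ip ssh version 2' missing)")
    for l in top:
        m = COMMUNITY_RE.match(l)
        if not m:
            continue
        name, mode = m.groups()
        if mode == "RW":
            findings.append(f"SNMP community '{name}' grants RW access")
        findings.append(f"SNMP v1/v2c community '{name}' travels in clear text; prefer SNMPv3")
    for header, body in vty_sections(lines):
        transport = [b for b in body if b.startswith("transport input")]
        if not transport:
            findings.append(f"{header}: no explicit 'transport input ssh'")
        else:
            allowed = transport[-1].split()[2:]
            if "telnet" in allowed or "all" in allowed:
                findings.append(f"{header}: transport input allows Telnet ({' '.join(allowed)})")
        if not any(b.startswith("access-class") for b in body):
            findings.append(f"{header}: no access-class restricting vty sources")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the sample, the audit reports the global CDP setting, both community strings (the RW one twice), and only the second vty range, which is the "set identical restrictions on every vty line" rule from the vty ACL section being checked for real.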
Routing Advanced Features
Floating Static (using a static route as the backup path):
(config)# ip route {output-interface | ip-address-of-next-hop} [Admin. Dist.]
- A floating static route is configured by changing the admin. dist. of the static route so that it is less preferred than the dynamic routing protocol; the static route thus becomes a backup for the dynamic protocol, with immediate convergence.
OSPF in Multiple Areas
Single vs. Multiple Area OSPF
Problems with OSPF in a single area:
1- Frequent calculation of the SPF algorithm (in a large topology a single network instability will cause instability in the whole topology)
2- Large link-state table (due to large network size)
3- Large routing table (due to large network size)
So routers will need high CPU power and a big memory size.
The solution, if you need to scale your network using OSPF, is to use a hierarchical design.
Multiple Area OSPF:
1- Reduced rate of SPF calculations.
2- Smaller routing and topology tables.
3- Reduced LSU overhead by confining network instability.
Types of Routers
Internal Router:
A router that has all its interfaces in the same area; it has the full LSDB for its area.
(config)#router ospf
(config-router)#network area
ABR (Area Border Router):
A router that is responsible for connecting two or more areas; it must have at least one interface in the backbone area (area 0), it has the full database for all areas to which it is connected, and it sends summary database updates between these areas.
(config)#router ospf
(config-router)#network area 0
(config-router)#network area
ASBR (Autonomous System Boundary Router):
A router that has at least one interface into an external internetwork (another AS) or other non-OSPF network.
Backbone Router:
A router that has at least one link in area 0; it could be an internal router, an ABR or an ASBR.
Types of LSAs
Type 1 LSA: (router link LSA)
Intra-area LSA, "O" in the routing table.
Every router generates router link advertisements and floods them to all routers in each area to which it belongs.
Type 2 LSA: (Network Link LSA)
Intra-area, "O" in the routing table.
Generated by the DR and flooded inside its area; its function is that the DR advertises its existence to its whole area.
Type 3 LSA: (Network Link Summary LSA)
Inter-area, "O IA" in the routing table.
Generated by the ABR: the ABR takes the type 1 and type 2 LSAs from an area, summarizes these LSAs into type 3 LSAs and floods them to the whole AS; it describes network IPs and their masks.
Type 4 LSA: (ASBR summary LSA)
Inter-area, "O IA" in the routing table.
Generated by the ABR to advertise to the whole AS how to reach an ASBR inside an area; it describes the path and cost to reach the ASBR, so it contains the RID of the ASBR and the cost.
Type 5 LSA: (AS External link LSA)
"O E1", "O E2" in the routing table.
Generated by the ASBR and flooded to the whole AS; it describes routes to destination networks in an external AS.
- external type 2 (O E2): external cost only (default)
- external type 1 (O E1): adds the internal cost to the external cost
Type 6 LSA: (Multicast OSPF, not supported by Cisco)
[Slide figures: Interpreting the Routing Table: Types of Routes; Link-State Advertisement Types; Interpreting the OSPF Database (Future use)]
Link count: Total number of directly attached links, used only on router LSAs.
Advertise default route:
(config-router)#default-information originate [always] [metric value]
default-information originate is used to dynamically advertise a default route, but only if a default route exists in the routing table; otherwise use the always keyword, which advertises a default route even if no default route exists in the table.
This command is valid for OSPF and RIP ver2; for EIGRP another command is used to give the same effect:
(config)#router eigrp 222
(config)#ip default-network 0.0.0.0
Note that the path through R1 is preferred to the Internet until the R1 path fails; then R2 will be the alternative.
Enhanced Interior Gateway Routing Protocol (EIGRP)
EIGRP Neighborship:
Every router discovers its neighbors (begins establishing adjacency) using the hello protocol.
For EIGRP routers to become neighbors:
1- they must have the same AS no.
2- they must have the same K-values.
- The routers will form an adjacency even if the hello and dead intervals do not match.
The debug output below displays that action (mismatched adjacency values):
RouterA# debug eigrp packets
01:39:13: EIGRP: Received HELLO on Serial0/0 nbr 10.1.1.2
01:39:13:   AS 200, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
01:39:13: K-value mismatch
EIGRP terminologies:
1- Neighbor table (list of all neighbors)
#show ip eigrp neighbors
2- Topology table (list of all routes to all destination networks; as a matter of fact, it is the routing tables of all neighbors)
#show ip eigrp topology [all-links]
3- Routing table (best routes to all destination networks)
#show ip route [eigrp]
4- Successor (S) (the best route)
5- Feasible Successor (FS) (the backup route)
6- Feasible Distance (FD) (the metric from source to destination)
7- Advertised Distance (AD) (the metric from my neighbor to destination)
Route selection: by applying DUAL to the topology table to get the RTG table.
- DUAL:
1- Tracks all routes advertised by neighbors.
2-
3- If a S is lost, the FS is used.
4- If no FS is available, it queries the neighbors and recalculates the S.
5- It can hold up to 4 routes by default and 16 as a maximum for the
same destination network in the RTG table.
6- It can differentiate between different types of paths:
- internal path (Admin. Dist. = 90, symbol in RTG table is D)
- external path (Admin. Dist. = 170, symbol in RTG table is D EX)
How to choose S?
- S is the route that has the least metric.
Metric = 256 * [k1*BW + (k2*BW)/(256 - load) + k3*Delay] * [k5/(reliability + k4)]
(the last factor is applied only when k5 is non-zero)
By default, k1=k3=1, k2=k4=k5=0, so Metric = 256 * (BW + Delay)
BW = 10^7 / BWi, BWi = bandwidth of the interface in units of Kbps
Delay = delayi / 10, delayi = delay of the interface in microseconds
(i.e., Delay is counted in units of 10 microseconds)
These values can be observed from the #show interface command.
How to choose FS?
The route that satisfies the inequality FD(S) > AD(FS) is eligible
to be the FS.
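The metric formula and the feasibility condition above, worked in Python as an added example that is not part of the original notes. The interface values are the defaults IOS reports for a serial and a FastEthernet link; the neighbour names R1, R2, R4 and R5 are constructed.

```python
# Added example, not from the original notes: EIGRP composite metric (default
# K-values) and DUAL successor / feasible-successor selection. Interface values
# mirror "show interface" on a default serial link (BW 1544 Kbit, DLY 20000
# usec) and a FastEthernet link (BW 100000 Kbit, DLY 100 usec).
SERIAL = (1544, 20000)  # (bandwidth in Kbps, delay in microseconds)
FASTETHERNET = (100000, 100)


def eigrp_metric(bw_kbps, delay_usec, k1=1, k2=0, k3=1, k4=0, k5=0,
                 load=1, reliability=255):
    """Composite metric with integer arithmetic, as IOS computes it.
    BW    = 10^7 / lowest bandwidth (Kbps) along the path
    Delay = cumulative delay in units of 10 microseconds
    The k5 factor only applies when k5 != 0 (it would otherwise zero it)."""
    bw = 10**7 // bw_kbps
    delay = delay_usec // 10
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay
    if k5:
        metric = metric * k5 // (reliability + k4)
    return 256 * metric


def path_metric(hops):
    """Metric of a path: minimum bandwidth and summed delay of its hops."""
    return eigrp_metric(min(bw for bw, _ in hops), sum(d for _, d in hops))


def dual_select(candidates):
    """candidates: list of (neighbour, AD, FD). AD is what the neighbour
    advertises (its own metric to the network); FD is that metric with our
    inbound interface added. Returns (successors, feasible_successors);
    equal-cost paths are all successors ('2 successors' in the topology)."""
    best_fd = min(fd for _, _, fd in candidates)
    successors = [c for c in candidates if c[2] == best_fd]
    # Feasibility condition from the notes: AD(FS) < FD(S), strictly.
    feasible = [c for c in candidates if c[2] != best_fd and c[1] < best_fd]
    return successors, feasible


def example_topology():
    """Constructed topology entries for one FastEthernet LAN behind serials."""
    via_r1 = ("R1", path_metric([FASTETHERNET]), path_metric([SERIAL, FASTETHERNET]))
    via_r2 = ("R2", path_metric([FASTETHERNET]), path_metric([SERIAL, FASTETHERNET]))
    # R4 is one serial hop farther: its AD equals our best FD, so the strict
    # inequality fails and it is not a feasible successor.
    via_r4 = ("R4", path_metric([SERIAL, FASTETHERNET]),
              path_metric([SERIAL, SERIAL, FASTETHERNET]))
    # R5 advertises a small AD over a slow 512 Kbps link: not best, but feasible.
    via_r5 = ("R5", path_metric([FASTETHERNET]), path_metric([(512, 20000), FASTETHERNET]))
    return dual_select([via_r1, via_r2, via_r4, via_r5])
```

The values it produces (28160 for a connected FastEthernet, 2169856 for a connected serial, 2172416 and 2684416 one and two serial hops away) are the same FD/AD pairs that appear in the show ip eigrp topology outputs later in these notes.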
Configuration:
(config)# router eigrp <as-number>
! Up to 32 processes (AS) can be configured on the same router !
(config-router)# network <network-address> [wildcard-mask]
Note that the wildcard mask is now optional in new IOS for
EIGRP, but with OSPF it is a must.
(Figures: Example 1 and Example 2 configuration topologies)
Auto and Manual summary:
(config-router)# no auto-summary
(config-if)# ip summary-address eigrp <as-number> <address> <mask>
RouterC#show ip route
Gateway of last resort is not set
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
D 172.16.0.0/16 is a summary, 00:00:04, Null0
D 172.16.1.0/24 [90/156160] via 10.1.1.2, 00:00:04, FastEthernet0/0
D 172.16.2.0/24 [90/20640000] via 10.2.2.2, 00:00:04, Serial0/0/1
C 192.168.4.0/24 is directly connected, Serial0/0/0
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C 10.2.2.0/24 is directly connected, Serial0/0/1
C 10.1.1.0/24 is directly connected, FastEthernet0/0
D 10.0.0.0/8 is a summary, 00:00:05, Null0
EIGRP load sharing:
(config-router)# maximum-paths <number>
! Default 4, max 16 or more (platform dependent)
Router E chooses router C as Successor to get to network Z because FD = 20.
Router B could be a Feasible Successor because it satisfies the Feasibility
Condition.
Router D is not feasible, so it is not used to get to network Z (45 > 40).
Note: Feasibility Condition: AD(FS) < FD(S)
Troubleshooting:
#show ip route
RouterA# show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP,
D - EIGRP, EX - EIGRP external, O - OSPF,
(text omitted)
* - candidate default,
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 1 subnets
D 172.16.1.0 [90/10639872] via 10.1.2.2, 06:04:01, Serial0/0
10.0.0.0/24 is subnetted, 4 subnets
D 10.1.3.0 [90/10514432] via 10.1.2.2, 05:54:47, Serial0/0
D 10.3.1.0 [90/10639872] via 10.1.2.2, 06:19:41, Serial0/0
C 10.1.2.0 is directly connected, Serial0/0
C 10.1.1.0 is directly connected, Ethernet0/0
#show ip eigrp topology [all-links]
RouterA# show ip eigrp topology
IP-EIGRP Topology Table for AS(100)/ID(10.1.2.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status
P 10.1.3.0/24, 1 successors, FD is 10514432
via 10.1.2.2 (10514432/28160), Serial0/0
P 10.3.1.0/24, 1 successors, FD is 10639872
via 10.1.2.2 (10639872/384000), Serial0/0
P 10.1.2.0/24, 1 successors, FD is 10511872
via Connected, Serial0/0
P 10.1.1.0/24, 1 successors, FD is 2190
via Connected, Ethernet0/0
P 172.16.1.0/24, 1 successors, FD is 10639872
via 10.1.2.2 (10639872/384000), Serial0/0
#show ip eigrp traffic
#debug eigrp packet [query / reply / update]
#debug ip eigrp
#show ip protocols
RouterA# show ip protocols
Routing Protocol is "eigrp 100"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Default networks flagged in outgoing updates
Default networks accepted from incoming updates
EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
EIGRP maximum hopcount 100
EIGRP maximum metric variance 1
Redistributing: eigrp 100
Automatic network summarization is not in effect
Maximum path: 4
Routing for Networks:
10.1.0.0/16
10.0.0.0
Routing Information Sources:
Gateway         Distance      Last Update
10.1.2.2        90            05:50:13
Distance: internal 90 external 170
#show ip eigrp neighbors
Redistributing Multiple Routing Protocols
Redistribution
It is the mechanism that allows different domains to be connected, so that the
different routing protocols can exchange and advertise routing updates
as if they were a single protocol.
Redistribution is performed on the router that lies at the boundary
between different domains or runs multiple protocols.
Redistributing vs. Redistributed protocol
Redistributing protocol:
It is the native protocol that will transform another protocol's routes into its own form.
Redistributed protocol:
It is the non-native protocol whose routes will be transformed into the other protocol's form.
- Note: in order for any route to be redistributed, it must exist in the routing
table of the redistributing router.
Configuring Redistribution
Redistribution supports all protocols:
RIP, IGRP, EIGRP, OSPF, IS-IS, ISO-IGRP, ODR, BGP,
Static and Connected
RtrA(config)# router <protocol>
RtrA(config-router)# redistribute ?
bgp Border Gateway Protocol (BGP)
eigrp Enhanced Interior Gateway Routing Protocol (EIGRP)
igrp Interior Gateway Routing Protocol (IGRP)
isis ISO IS-IS
ospf Open Shortest Path First (OSPF)
rip Routing Information Protocol (RIP)
static Static routes
But consider the following:
1- Redistribution varies slightly among different protocols.
2- Only protocols that support the same protocol stack can be redistributed into each other:
- IP RIP and OSPF can
- IPX RIP cannot with OSPF
- IP EIGRP cannot with IPX EIGRP or AppleTalk EIGRP
3- Redistribution occurs automatically between:
- IGRP & EIGRP if both are in the same AS
- Static into RIP
- Connected into any protocol using the network command
4- Redistribution of classless updates into a classful protocol could cause problems.
IPv6 Routing
IP routing protocols supporting IPv6:
Integrated IS-IS for IPv6
BGP extensions for IPv6
RIP for IPv6
Static routes
EIGRP for IPv6
OSPF for IPv6
Configuring IPv6:
(config)#ipv6 unicast-routing
(config)#ipv6 route <prefix>/<length> {interface | next-hop-ipv6-address}
(config)#interface fa0/0
(config-if)#ipv6 address <address>/<prefix-length> [eui-64]
The eui-64 parameter forces the router to complete the low-order 64 bits of
the address by using an EUI-64 interface ID.
Example:
R2# show ipv6 interface brief
FastEthernet0/0 [up/up]
FE80::213:19FF:FE7B:5004
2000::4:213:19FF:FE7B:5004
FastEthernet0/1 [up/up]
FE80::213:19FF:FE7B:5005
2000:0:0:2::2
Serial0/0/0 [administratively down/down]
unassigned
Serial0/0/1 [up/up]
FE80::213:19FF:FE7B:5004
2000::1:213:19FF:FE7B:5004
Serial0/1/0 [administratively down/down]
unassigned
Serial0/1/1 [administratively down/down]
Unassigned
R2# show ipv6 route
IPv6 Routing Table - Default - 7 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
B - BGP, M - MIPv6, R - RIP, I1 - ISIS L1
I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
EX - EIGRP external
O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
C 2000:0:0:1::/64 [0/0] via Serial0/0/1, directly connected
L 2000::1:213:19FF:FE7B:5004/128 [0/0] via Serial0/0/1, receive
C 2000:0:0:2::/64 [0/0] via FastEthernet0/1, directly connected
L 2000:0:0:2::2/128 [0/0] via FastEthernet0/1, receive
C 2000:0:0:4::/64 [0/0] via FastEthernet0/0, directly connected
L 2000::4:213:19FF:FE7B:5004/128 [0/0] via FastEthernet0/0, receive
L FF00::/8 [0/0] via Null0, receive
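How the eui-64 keyword builds the interface ID, as an added example that is not part of the original notes. The MAC address is constructed so that the result reproduces the R2 link-local and 2000::4 addresses in the show ipv6 interface brief output above; the last function shows why an EUI-64 address reveals the interface's hardware address to anyone who sees the packet.

```python
# Added example, not from the original notes: how the eui-64 keyword fills in
# the low-order 64 bits of an IPv6 address from a 48-bit interface MAC
# (RFC 4291 modified EUI-64). The MAC below is constructed so that the result
# matches the R2 addresses in the "show ipv6 interface brief" output above.
import ipaddress

R2_MAC = "0013.197b.5004"  # constructed; written in Cisco dotted format


def eui64_interface_id(mac):
    """Return the 8-byte modified EUI-64 interface ID for a 48-bit MAC.
    1. split the MAC into its OUI half and device half,
    2. insert FF:FE between them,
    3. invert the universal/local bit (0x02) of the first byte."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def eui64_address(prefix, mac):
    """Combine a /64 prefix with the EUI-64 interface ID derived from mac,
    returned compressed and upper-case, as IOS prints it."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    addr = ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))
    return str(addr).upper()


def mac_from_eui64(address):
    """Recover the MAC embedded in an EUI-64 address, or None when the
    interface ID does not carry the FF:FE marker. This is the privacy
    cost of EUI-64: the hardware address (and its vendor OUI) is visible
    in every packet, which is why random / privacy interface IDs exist."""
    iid = bytearray(ipaddress.IPv6Address(address).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])
```

Note that R2's Serial0/0/1 shows the same interface ID as FastEthernet0/0: a serial interface has no MAC of its own, so IOS borrows one from an Ethernet interface of the router.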
RIPng (RIP next Generation) Theory and Comparisons to RIP-2
The RIPng RFC states that the protocol uses many of the same concepts and
conventions as the original RIP-1 specification, also drawing on some RIP-2
concepts. However, knowing that many of you might not remember a lot of
details about RIP-2, particularly because RIP-2 is included in the CCNA
certification rather than CCNP, a variety of facts about RIP-2 and RIPng are
reviewed here.
The overall operation of RIPng closely matches RIP-2. In both, routers send
periodic full updates with all routes, except for routes omitted due to Split
Horizon rules. No neighbor relationships occur; the continuing periodic
updates, on a slightly variable 30-second period, also serve the purpose of
confirming that the neighboring router still works.
EIGRP for IPv6
Cisco originally created EIGRP to advertise routes for IPv4, IPX, and AppleTalk.
This original EIGRP architecture easily allowed for yet another Layer 3 protocol,
IPv6, to be added. As a result, Cisco did not have to change EIGRP significantly
to support IPv6, so many similarities exist between the IPv4 and IPv6 versions of
EIGRP.
Note: Many documents, including this chapter, refer to the IPv6 version of
EIGRP as EIGRP for IPv6. However, some documents at www.cisco.com also
refer to this protocol as EIGRPv6, not because it is the sixth version of the
protocol, but because it implies a relationship with IPv6.
As with RIPng, the coverage begins with a discussion of the similarities and
differences between the IPv4 and IPv6 versions of EIGRP. The remaining
coverage of EIGRP focuses on the changes to EIGRP configuration and
verification in support of IPv6.
EIGRP for IPv4 and IPv6 Theory and Comparisons
For the most part, EIGRP for IPv4 and for IPv6 have many similarities. The
following list outlines some of the key differences:
- EIGRP for IPv6 advertises IPv6 prefixes/lengths, rather than IPv4 subnet/mask
information.
- EIGRP for IPv6 uses a link-local address as the next-hop IP address.
- EIGRP for IPv6 encapsulates its messages in IPv6 packets, rather than IPv4
packets.
- Like RIPng and OSPFv3, EIGRP for IPv6 authentication relies on IPv6's built-in
authentication and privacy features (IPsec).
- EIGRP for IPv6 has no concept of classful networks, so EIGRP for IPv6 cannot
perform any automatic summarization.
- EIGRP for IPv6 does not require neighbors to be in the same IPv6 subnet as a
requirement to become neighbors.
Other than these differences, most of the details of EIGRP for IPv6 work like
EIGRP for IPv4.
Configuring EIGRP for IPv6
EIGRP for IPv6 follows the same basic configuration style as for RIPng, plus a
few additional steps, as follows:
Step 1. Enable IPv6 routing with the ipv6 unicast-routing global command.
Step 2. Enable EIGRP using the ipv6 router eigrp {1-65535} global
configuration command.
Step 3. Enable IPv6 on the interface, typically with one of these two methods:
Configure an IPv6 unicast address on each interface, using the ipv6
address address/prefix-length [eui-64] interface command.
Configure the ipv6 enable command, which enables IPv6 and causes the router to
derive its link local address.
Step 4. Enable EIGRP on the interface with the ipv6 eigrp asn interface
subcommand (where the asn matches the ipv6 router eigrp asn global
configuration command).
Step 5. Enable EIGRP for IPv6 with a no shutdown command while in EIGRP
configuration mode.
Step 6. If no EIGRP router ID has been automatically chosen, due to not having
at least one working interface with an IPv4 address, configure an EIGRP router
ID with the eigrp router-id rid command in EIGRP configuration mode.
(EIGRP for IPv6 hello packets are sent to the multicast address FF02::A)
R1# show running-config
! output is edited to remove lines not pertinent to this example
! Configuration step 1: enabling IPv6 routing
ipv6 unicast-routing
! Next, configuration steps 3 and 4, on 6 different interfaces
interface FastEthernet0/0.1
 ipv6 address 2012::1/64
 ipv6 eigrp 9
!
interface FastEthernet0/0.2
 ipv6 address 2017::1/64
 ipv6 eigrp 9
!
interface FastEthernet0/1.18
 ipv6 address 2018::1/64
 ipv6 eigrp 9
!
interface Serial0/0/0.3
 ipv6 address 2013::1/64
 ipv6 eigrp 9
!
interface Serial0/0/0.4
 ipv6 address 2014::1/64
 ipv6 eigrp 9
!
interface Serial0/0/0.5
 ipv6 address 2015::1/64
 ipv6 eigrp 9
!
! Configuration steps 2, 5, and 6
ipv6 router eigrp 9
 no shutdown
 eigrp router-id 10.10.34.3
#show ipv6 route
D 2005::/64 [90/2684416]
via FE80::11FF:FE11:1111, Serial0/0/0.1
via FE80::22FF:FE22:2222, Serial0/0/0.2
D 2012::/64 [90/2172416]
via FE80::22FF:FE22:2222, Serial0/0/0.2
via FE80::11FF:FE11:1111, Serial0/0/0.1
D 2014::/64 [90/2681856]
via FE80::11FF:FE11:1111, Serial0/0/0.1
D 2015::/64 [90/2681856]
via FE80::11FF:FE11:1111, Serial0/0/0.1
! lines omitted for brevity...
D 2099::/64 [90/2174976]
via FE80::22FF:FE22:2222, Serial0/0/0.2
via FE80::11FF:FE11:1111, Serial0/0/0.1
! show ipv6 protocols displays less info than its IPv4 cousin.
R3# show ipv6 protocols
IPv6 Routing Protocol is "eigrp 9"
EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
EIGRP maximum hopcount 100
EIGRP maximum metric variance 1
Interfaces:
FastEthernet0/0
Serial0/0/0.1
Serial0/0/0.2
Redistribution:
None
Maximum path: 16
Distance: internal 90 external 170
R3# show ipv6 eigrp neighbors
IPv6-EIGRP neighbors for process 9
H   Address                 Interface    Hold  Uptime    SRTT  RTO   Q    Seq
1   Link-local address:     Se0/0/0.2    14    01:50:51  3     200   0    82
    FE80::22FF:FE22:2222
R3# show ipv6 eigrp topology
IPv6-EIGRP Topology Table for AS(9)/ID(10.10.34.3)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status
P 2005::/64, 2 successors, FD is 2684416
via FE80::11FF:FE11:1111 (2684416/2172416), Serial0/0/0.1
via FE80::22FF:FE22:2222 (2684416/2172416), Serial0/0/0.2
P 2012::/64, 2 successors, FD is 2172416
via FE80::11FF:FE11:1111 (2172416/28160), Serial0/0/0.1
via FE80::22FF:FE22:2222 (2172416/28160), Serial0/0/0.2
P 2013::/64, 1 successors, FD is 2169856
via Connected, Serial0/0/0.1
! lines omitted for brevity
P 2099::/64, 2 successors, FD is 2174976
via FE80::11FF:FE11:1111 (2174976/30720), Serial0/0/0.1
via FE80::22FF:FE22:2222 (2174976/30720), Serial0/0/0.2
How OSPF for IPv6 Works
- Similar to IPv4
- Updated features for IPv6
- OSPF for IPv6 is currently an IETF proposed standard
OSPF is a routing protocol for IP. It is a link-state protocol, as opposed to a
distance vector protocol. Think of a link as being an interface on a networking
device. A link-state protocol makes its routing decisions based on the states of the
links that connect source and destination machines.
The state of a link is a description of that interface and its relationship to its
neighboring networking devices. The interface information includes the IPv6
prefix of the interface, the network mask, the type of network that it is connected
to, the routers connected to that network, and so on.
This information is propagated in various types of link-state advertisements
(LSAs). A collection of LSA data on a router is stored in a link-state database
(LSDB). The contents of the LSDB, when run through the SPF (Dijkstra)
algorithm, produce the OSPF routing table.
The difference between the database and the routing table is that the database
contains a complete collection of raw data; the routing table contains a list of
shortest paths to known destinations via specific router interface ports.
OSPFv3, which is described in RFC 2740, supports IPv6.
OSPFv3 Hierarchical Structure
- The topology of an area is invisible from outside of the area:
LSA flooding is bounded by area.
SPF calculation is performed separately for each area.
- All non-backbone areas must have a connection to the backbone:
Otherwise a virtual link must be used to connect to the backbone.
OSPFv3 messages
OSPFv3 uses the same basic packet types as OSPFv2:
- Hello
- Link state update (LSU)
- Link state acknowledgment (ACK)
Neighbor discovery and adjacency formation mechanisms are identical.
LSA flooding and aging mechanisms are identical.
OSPFv3 vs OSPF v2