CCIE R&S Advanced

CCIE R&S Advanced. © 2007 Network Learning, Inc. Agenda: Day 1 Session 1 CCIE Program Overview; Day 1 Session 2 CCIE Foundation Overview; Day 1 Session.

Dec 25, 2015

Kellie Price

Agenda

Day 1 Session 1 CCIE Program Overview

Day 1 Session 2 CCIE Foundation Overview

Day 1 Session 3 Catalyst

Day 1 Session 4 Frame Relay

Day 1 Session 5 IPv6

Day 2 Session 6 RIPv2

Day 2 Session 7 EIGRP

Day 3 Session 8 OSPF

Day 3 Session 9 BGP

Day 4 Session 10 Multicast

Day 4 Session 11 QoS

Day 4 Session 12 Others


Housekeeping

• Restrooms

• Kitchen - Softdrinks and snacks available

• Cellphones - PLEASE put them on vibrate or turn them off. If you need to take/make a call, please exit the classroom.

• Smoking - outside in front of the building


SESSION 1

CCIE R&S Program Overview


CCIE R&S Program Overview

1. CCNA/CCNP Certification (Optional)

2. CCIE Written Exam

3. CCBOOTCAMP’s R&S Foundation Course

4. Develop a Study Plan and Timeline to Prepare for the Lab

a) Review CCIE Blueprint

b) Purchase and Download recommended reading from Cisco Press and CCO web site

c) Purchase LAB workbooks

d) Purchase and Setup Home Lab

e) Reserve Online Rack rentals

f) Save money or work out a deal with your employer to budget for multiple lab attempts

5. Schedule a Lab Date commensurate with the Timeline

6. Study, Practice, Practice some more, and then study

7. CCIE Advanced Bootcamp

8. CCIE Mock LAB Bootcamp


CCIE LAB Overview

• An 8-hour, hands-on, 100-point lab exam; candidates must score 80 or above to pass.

• Students build a network to the supplied specifications on a provided rack of Cisco equipment.

• Lab questions can be completed in any order, although some questions depend on the completion of earlier parts of the exam.

• Physical cabling is already done.

• Some basic functionality is preconfigured.

• Some equipment, such as the backbone routers, cannot be configured by the candidate.


Cisco R&S Equipment List

• 3725 series routers - IOS 12.4 mainline – Advanced Enterprise Services

• 3825 series routers - IOS 12.4 mainline – Advanced Enterprise Services

• Catalyst 3550 series switches running IOS version 12.2 – IP Services

• Catalyst 3560 Series switches running IOS version 12.2 - Advanced IP Services


Pre-lab Checklist

• Remove the Variables, increase your chances, and get your body physically and mentally ready!

• Get to the testing city/location at least one day prior to your exam. If your home time zone differs from that of the Cisco office where you are taking the exam by more than six hours, plan on getting there at least two days prior to the exam.

• Drive over to the facility where your lab exam will be held. Make sure you know how long it will take you to get to the testing location.

• Look for a good place to eat breakfast near the facility.

• Eat a healthy dinner consisting of protein and complex carbohydrates. Stay away from greasy, fatty, and sugary foods. Also, if you want to eat meat, try and eat chicken or fish (avoid red meat as it takes your body longer to digest).

• Get a good night’s rest. Do not stay up the entire night trying to cram or study last minute materials. Do NOT take any type of sleep aid that could still be in your system the following day.

• Wake up at least ninety minutes before your exam start time. Get showered, dressed, and go out for breakfast.

• At breakfast, eat only healthy foods. No greasy, fatty, or sugary items should be consumed. Eat fruits, vegetables, oatmeal, etc.

• Arrive at the facility at least fifteen minutes prior to your exam.


CCIE R&S Blueprint

• Bridging and Switching

– Frame Relay

– Catalyst configuration: VLANs, VTP, STP, MSTP, RSTP, trunking, EtherChannel, management, features, advanced configuration, Layer 3

• IP IGP Routing

– OSPF

– EIGRP

– RIPv2

– IPv6: addressing, RIPng, OSPFv3

– GRE

– ODR

– Filtering, redistribution, summarization and other advanced features

• BGP

– iBGP

– eBGP

– Filtering, redistribution, summarization, synchronization, attributes and other advanced features


CCIE (R&S) Blueprint Cont.

• IP and IOS Features

– IP addressing

– DHCP

– HSRP

– IP services

– IOS user interfaces

• System management

– NAT

– NTP

– SNMP

– RMON

– Accounting

• IP Multicast

– PIM, bidirectional PIM

– MSDP

– Multicast tools, source-specific multicast

– DVMRP

– Anycast

• QoS

– Quality of service solutions

– Classification

– Congestion management, congestion avoidance

– Policing and shaping

– Signaling

– Link efficiency mechanisms

– Modular QoS command line

• Security

– AAA

– Security server protocols

– Traffic filtering and firewalls

– Access lists

– Routing protocol security, Catalyst security

– CBAC

– Other security features

These topics are covered in the Advanced Bootcamp.


SESSION 2

CCIE Advanced Bootcamp Overview


Advanced Class Hours - Instructor

• Monday 9:00 AM till your head hurts

• Tuesday 9:00 AM till your head hurts

• Wednesday 9:00 AM till your head hurts

• Thursday 9:00 AM till your head is spinning

• Friday 9:00 AM till 3-ish [Mock Lab]

Lunch Break at 1:00 PM to 2:00 PM (60 minutes)


CCBOOTCAMP R&S Rack Layout

(Rack diagram not reproduced in this transcript. Labels recoverable from it:)

• R1 to R8 are Cisco 2811 routers, each with Fas0/0, Fas0/1 and serial interfaces S0/0/0, S0/0/1, S0/1/0 and S0/1/1. Back-to-back serial links between the routers have the DCE side marked on the diagram; each router's S0/0/0 goes to a Frame Relay switch port (FRS1 to FRS9, Frame Relay cloud ports S0 to S9).

• Router Fas0/0 connects to SW1 and Fas0/1 to SW2, on the switch port numbered after the router (R1 on Fas0/1 through R6 on Fas0/6); R7 and R8 connect to SW3 and SW4 on Fas0/17 and Fas0/18.

• Backbone routers BB1 and BB2 (2811) connect to SW1/SW2 Fas0/9 and Fas0/10; BB3 is a 3640 (E0/0, E0/1) on Fas0/11. BB1 also uses Fas0/24.

• SW1-SW2 and SW3-SW4 are each interconnected on Fas0/19 and Fas0/20; Fas0/21, Fas0/22, Fas0/07 and Fas0/08 are the remaining inter-switch links. An LS1010 (ATM0/0/1, ATM1/0) provides the ATM connection.

• Servers: TFTP server 172.22.1.254/24; ACS/CA server in 192.168.0.0/16; PublicNet 172.22.10X.0/24 (default gateway 172.22.10X.1).


SESSION 3

Switching


First Things First (Ping Script)

tclsh
foreach address {
 150.10.1.1
 150.10.2.2
 150.10.3.3
 150.20.5.5
 150.20.35.35
} { ping $address }

Enter tclsh from privileged EXEC, paste the loop (one address per line), and type tclquit to return to the IOS prompt.


On a switch


Things You should already know (not covered)

• Interface Commands

• VTP

• Spanning Tree

• SPAN

• Storm Control

• Protected Ports

• 802.1X authentication

• Trunking

• MAC Address expiration

• Templates


Topics Covered

• Ether-channel and Load Balancing

• MST spanning tree

• Rapid Spanning Tree

• Advanced Switch Security

• Switch QoS


EtherChannel

• PAgP automatically groups interfaces with the same speed, duplex, mode, native VLAN, VLAN range, and trunking status and type.

• The EtherChannel looks like a single switch port to Spanning Tree, so no member link is blocked.

• PAgP channel modes: auto, desirable (on bundles the ports statically, without any negotiation protocol).

• The first port in the channel that comes up provides its MAC address to the EtherChannel.


Link Aggregation Control Protocol

• LACP is defined in IEEE 802.3ad and lets Cisco switches manage Ethernet channels with any 802.3ad-compliant device, not only other Cisco switches.

• Similarly configured ports are grouped based on hardware, administrative, and port parameter constraints such as the same speed, duplex mode, native VLAN, VLAN range, and trunking status and type.

• A port in active mode can form an EtherChannel with another port that is in active or passive mode.

• A port in passive mode cannot form an EtherChannel with another port that is also in passive mode, because neither port starts LACP negotiation.

• LACP allows up to 16 ports per EtherChannel: 8 active and 8 in standby (a standby port takes over when an active link fails).

*Note: with mode on, the channel is configured manually with no negotiation, so both ends of the EtherChannel must be configured identically. If the group is misconfigured, packet loss or spanning-tree loops can occur.


Load Balancing and Forwarding

• A hash reduces part of the binary pattern formed from the addresses in the frame to a numerical value that selects one of the links in the channel, so all frames of one conversation take the same link (no reordering); the channel is balanced per flow, not per packet.

• EtherChannel load balancing can use MAC addresses or IP addresses, source or destination addresses, or both source and destination addresses. The method is set globally for the switch, not per channel.


Source/destination MAC load balancing

• The PCs use different ports on SW1, because their differing source MAC addresses hash to different links.

• The router uses different ports to reply to the PCs, because the destination MAC differs per PC. With source-MAC-only balancing, every reply from the router (one source MAC) would take the same link.
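Added example (not from the original slides): an LACP bundle between SW1 and SW2 on Fas0/19-20, the inter-switch link pair from the rack diagram, with the load-balancing method set globally, plus a PAgP bundle for SW3-SW4. The channel-group numbers, trunk settings and the choice of ports are assumptions for this illustration.

```cisco
! ===== SW1: LACP, active side (initiates negotiation) =====
interface range FastEthernet0/19 - 20
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-protocol lacp
 channel-group 1 mode active
!
! ===== SW2: passive is enough because SW1 is active =====
! (passive + passive would never come up: nobody sends LACPDUs)
interface range FastEthernet0/19 - 20
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-protocol lacp
 channel-group 1 mode passive
!
! Port-channel1 is created automatically; its trunk settings must
! match every member port or the member is suspended
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
! Load balancing is global per switch, not per channel. src-dst-mac
! spreads both PC-to-router and router-to-PC traffic across the links;
! on a routed uplink (one MAC pair) src-dst-ip distributes better.
port-channel load-balance src-dst-mac
!
! ===== SW3 / SW4: same link pair with PAgP =====
! desirable on SW3 negotiates; auto on SW4 only responds.
! "mode on" on both sides would bundle blindly with no protocol check.
interface range FastEthernet0/19 - 20
 channel-protocol pagp
 channel-group 2 mode desirable
! on SW4:
! channel-group 2 mode auto
!
! Verification
show etherchannel summary
show etherchannel 1 port-channel
show etherchannel load-balance
show lacp neighbor
show pagp neighbor
```

In show etherchannel summary the flags tell you what went wrong: (SU) means a Layer 2 channel in use, (SD) a channel that is down, and a member marked (s) is suspended, usually because its speed, duplex or trunk settings differ from the other members.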


Switch Security

• MAC Flood Attacks

• Port Security

• ARP Inspection

• MAC ACLs

• VACLs

• Private VLANs


Rapid Spanning Tree Protocol (RSTP)


RSTP Port Roles


RSTP Port States

• RSTP provides rapid convergence of the spanning tree.

• Reconfiguration of the spanning tree can occur in less than 1 second (in contrast to up to 50 seconds with 802.1D: 20 s max age plus 15 s each of listening and learning).

• Only non-edge ports moving to the forwarding state cause a topology change.


Rapid PVST


802.1s (Multiple Spanning Tree)

• MST (IEEE 802.1s) combines the best aspects of PVST+ (per-VLAN load balancing) and 802.1Q's single spanning tree (one instance, low overhead).

• Enabling MST also enables 802.1w (RSTP) convergence.

• Several VLANs are mapped to a small number of spanning-tree instances, because most networks need only a few distinct logical topologies.

• There is no need to run 1000 instances. If half of 1000 VLANs are mapped to one instance and the other half to a second instance:

–The desired load-balancing scheme is still achieved, because each half of the VLANs follows its own instance, rooted at a different switch.

–The CPU is spared, because only two instances are computed.


MST Configuration
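Added example, not the slide's own configuration: an MST region with the two-instance VLAN split described above, rooted on two different switches so each half of the VLANs follows its own topology. The region name, revision number, VLAN ranges, priorities and the edge port are assumed values.

```cisco
! Same region on every switch: name, revision and the VLAN-to-instance
! map must match exactly, otherwise the switches land in different
! regions and fall back to a single CST topology between them.
spanning-tree mode mst
spanning-tree mst configuration
 name CCBOOTCAMP
 revision 1
 instance 1 vlan 1-500
 instance 2 vlan 501-1000
 exit
! (the region config is only applied when you exit the submode)
!
! SW1: root for the IST (instance 0) and instance 1
spanning-tree mst 0 priority 4096
spanning-tree mst 1 priority 4096
spanning-tree mst 2 priority 8192
!
! SW2: root for instance 2, backup for instance 1
! spanning-tree mst 1 priority 8192
! spanning-tree mst 2 priority 4096
!
! Host port: edge port, so it forwards immediately and does not
! generate topology changes; BPDU guard err-disables it if a switch
! (or an attacker's BPDU) shows up behind it
interface FastEthernet0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
show spanning-tree mst configuration
show spanning-tree mst 1
show spanning-tree mst 2
```

Compare the digest printed by show spanning-tree mst configuration on each switch: two switches with the same name and revision but a different digest have a VLAN map that differs by at least one VLAN.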


MAC Flood Attacks

• Affects transparent (learning) switches.

• Switches learn source MAC addresses from incoming frames and populate the CAM table with them.

• If an attacker sends frames from enough bogus source MACs, the CAM table fills up and the switch fails open.

• With no room to learn, the switch floods frames for unknown destinations out every port in the VLAN, like a hub.

• This lets an attacker on any port sniff other clients' unicast traffic.


Preventing MAC Flooding with Port Security


Port Security - Aging

• static - also apply the aging timer to statically configured (and sticky) secure addresses; by default only dynamically learned entries age out

• Time - <1-1440> Aging time in minutes

• Type –

– absolute Absolute aging (default)

– inactivity Aging based on inactivity time period


MAC address

• The secure MAC address can be entered manually

• Dynamically learned MAC addresses can also be converted into secure entries with the sticky keyword; they are written to the running configuration and survive a reload once saved


Maximum

• The maximum number of secure MAC addresses allowed on the port (default 1)


Violations

• The action to take when port security is violated:

–protect: when the number of secure MAC addresses reaches the maximum allowed on the port, packets with unknown source addresses are dropped until you remove enough secure MAC addresses to drop below the maximum or increase the maximum. You are not notified that a violation occurred (no syslog/SNMP).

–restrict: same drop behaviour, but an SNMP trap is sent, a syslog message is logged, and the violation counter increments.

–shutdown: the interface is err-disabled when a violation occurs and the port LED turns off. An SNMP trap is sent, a syslog message is logged, and the violation counter increments. The port stays down until it is bounced (shutdown / no shutdown) or errdisable recovery brings it back.


Apply Port Security and Verify

• With maximum 3 and violation shutdown, the fourth distinct source MAC address seen on the port is a violation: the port is shut down (err-disabled).


HSRP and Port Security

• HSRP uses a virtual MAC address (0000.0c07.acXX for group XX) that counts toward the maximum allowed on a port configured for port security, in addition to the router's burned-in address.

• Options:

–switchport port-security maximum 2 (a violation can still occur for a short time)

–A static secure MAC entry for the HSRP virtual MAC address

–(Best choice) the use-bia command on the router's interface, so HSRP sources its traffic from the burned-in address instead of the virtual MAC

•standby use-bia [scope interface]

http://www.cisco.com/en/US/products/ps6350/products_command_reference_chapter09186a00804462c4.html#wp1165870
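Added example, not from the original deck: port security on a 3560 access port with the maximum, violation mode, sticky learning and aging options from the preceding slides, err-disable recovery, and the HSRP fix on the router side. Interface numbers, VLAN 10, the 150.10.1.0/24 addressing, the HSRP group and the secure MAC address are assumptions.

```cisco
! ===== SW1, host port: at most 3 source MACs, err-disable on a 4th =====
interface FastEthernet0/13
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
 switchport port-security aging time 60
 switchport port-security aging type inactivity
 switchport port-security aging static
!
! ===== single fixed host: restrict keeps the port up but logs/counts =====
! (address below is made up for the example)
interface FastEthernet0/14
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security mac-address 0002.0304.0506
!
! Recover err-disabled ports automatically after 5 minutes instead of
! waiting for a manual shutdown / no shutdown
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! ===== port toward R1, which runs HSRP =====
! Without use-bia the port sees R1's burned-in MAC and 0000.0c07.ac01,
! so maximum 1 would trip. Either allow two addresses here ...
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
!
! ===== ... or, preferably, on R1, stop using the virtual MAC =====
! interface FastEthernet0/0
!  ip address 150.10.1.1 255.255.255.0
!  standby 1 ip 150.10.1.254
!  standby 1 priority 110
!  standby 1 preempt
!  standby use-bia
!
! Verification on SW1
show port-security
show port-security interface FastEthernet0/13
show port-security address
show interfaces status err-disabled
```

Note the trade-off with use-bia: hosts cache the active router's real MAC for the virtual IP, so after a failover the new active router must send gratuitous ARPs (it does) and hosts that ignore them keep sending to the old MAC until their ARP entry times out.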


ARP Spoofing

• Gratuitous ARP (an unsolicited ARP for the sender's own address, which hosts accept without having asked for it) is used to:

–Detect IP conflicts: when a machine receives an ARP request containing a source IP that matches its own, it knows there is an IP conflict.

–Update other machines' ARP tables.

–Inform switches of the MAC address of the machine on a given switch port, so that the switch forwards frames sent to that MAC address out that port.

–Preload the ARP tables of all other local hosts: every time an IP interface or link comes up, the driver typically sends a gratuitous ARP.

• ARP spoofing abuses exactly this behaviour: an attacker sends gratuitous (or forged reply) ARP packets that bind another host's IP address, typically the default gateway's, to the attacker's MAC address, so the victims' traffic is sent through the attacker.


ARP DoS

• Floods a switch port with ARP traffic (many new hosts per second).

• With Dynamic ARP Inspection, an untrusted port accepts by default up to 15 ARP packets per second, measured over a 1-second burst interval.

• If the limit is exceeded, the port is err-disabled (until it is bounced or errdisable recovery re-enables it).


IP ARP Inspection

• This feature prevents ARP spoofing by validating ARP requests and replies against a trusted IP-to-MAC binding table and not relaying invalid ones to other ports in the same VLAN.

• Where does the trusted binding table come from?

–DHCP snooping bindings (recommended in production)

–A static ARP access-list (use for lab situations where hosts are statically addressed)


ARP inspection Cont.

• Defaults can be changed per port: a port can be marked trusted (DAI does not inspect it; used for uplinks to other switches and the port toward the DHCP server), and its ARP rate limit can be raised, lowered or removed.


IP Source Guard

• By watching which IP addresses are assigned by DHCP, a switch can build dynamic per-port ACLs that drop all traffic except traffic sourced from the DHCP-assigned IP address (and optionally the MAC address) bound to that port.

• Benefits:

–Prevents a host from spoofing its source IP address to launch an anonymous attack.

–Prevents users from ignoring DHCP and manually configuring a static IP address (unless an administrator adds a static binding for them).


IP Source Guard Configuration


DHCP Snooping

• Create a DHCP snooping database on flash or a TFTP server, so the bindings survive a reload.

• Enable DHCP snooping globally and on the VLANs it should protect. The port toward the DHCP server (or the uplink) must be marked trusted; on an untrusted port, server messages (OFFER/ACK) are dropped.

• "The option-82 information contains the switch MAC address (the remote ID suboption) and the port identifier, vlan-mod-port, from which the packet is received (circuit ID suboption). The switch forwards the DHCP request that includes the option-82 field to the DHCP server."

• ip dhcp snooping database flash:file01.txt

• ip dhcp snooping

• ip dhcp snooping information option


Show IP DHCP Snooping Bindings

Switch> show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
01:02:03:04:05:06   10.1.2.150       9837        dhcp-snooping  20    GigabitEthernet0/1
00:D0:B7:1B:35:DE   10.1.2.151       237         dhcp-snooping  20    GigabitEthernet0/2
Total number of bindings: 2
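Added example combining the DHCP snooping, ARP inspection and IP source guard slides into one 3560 configuration; it is not from the original deck. The uplink Fa0/24, host ports Fa0/1-8, VLANs 10 and 20, the statically addressed lab host 10.1.2.200 / 000c.2912.3456 and the database file name are constructed for the illustration.

```cisco
! ===== DHCP snooping: builds the IP/MAC/VLAN/port binding table =====
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip dhcp snooping information option
ip dhcp snooping database flash:dhcp-snoop.db
!
! Uplink toward the DHCP server / distribution switch: trusted for both
! snooping and DAI, so server replies and the neighbour's ARP are accepted
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Host ports stay untrusted (the default); rate-limit DHCP and ARP,
! and only let the port send from its bound IP+MAC (IP Source Guard)
interface range FastEthernet0/1 - 8
 switchport mode access
 switchport access vlan 20
 ip dhcp snooping limit rate 10
 ip arp inspection limit rate 15 burst interval 1
 switchport port-security
 ip verify source port-security
!
! ===== Dynamic ARP Inspection on the same VLANs =====
! Also check that the MAC addresses inside the ARP body match the
! Ethernet header and that the IPs are sane (no 0.0.0.0, multicast...)
ip arp inspection vlan 10,20
ip arp inspection validate src-mac dst-mac ip
!
! A lab host with a static address has no DHCP binding, so DAI would
! drop its ARP. Supply the binding with an ARP ACL instead. Without the
! trailing "static" keyword, non-matching ARP still falls back to the
! DHCP snooping table; with it, only the ACL counts.
arp access-list STATIC-HOSTS
 permit ip host 10.1.2.200 mac host 000c.2912.3456
ip arp inspection filter STATIC-HOSTS vlan 20
!
! IP Source Guard needs a binding too: add a static one for that host
ip source binding 000c.2912.3456 vlan 20 10.1.2.200 interface FastEthernet0/8
!
! Ports err-disabled by the ARP or DHCP rate limits recover on their own
errdisable recovery cause arp-inspection
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
!
! Verification
show ip dhcp snooping
show ip dhcp snooping binding
show ip arp inspection vlan 20
show ip arp inspection statistics vlan 20
show ip verify source
show ip source binding
```

Order matters when you roll this out: enable snooping and trust the uplink first, wait for the binding table to fill (or lower the lease time), and only then turn on DAI and IP Source Guard, otherwise every host that already holds a lease is cut off until it renews.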


MAC Address Access-list

• You can configure a MAC address ACL on a router using either of the following:

• access-list 700-799: standard 48-bit MAC address access-list

• access-list 1100-1199: extended 48-bit MAC address access-list

• To filter using the MAC address access-list, first define the list. Say you wanted to allow only the host with the MAC address 0800.0123.4567 to access the Ethernet0/0 interface. You would define the access-list like this (the second argument is a wildcard mask; 0000.0000.0000 means an exact match):

Router(config)# access-list 700 permit 0800.0123.4567 0000.0000.0000

A 700-series list only takes effect on a bridged interface (bridge-group N input-address-list 700); everything not permitted is denied by the implicit deny at the end.

You can use the same method to filter by "vendor code". Every company that makes Ethernet devices is assigned a block of MAC addresses, and all addresses in the block begin with the same 24-bit prefix (the OUI). This prefix is known as the "vendor code", so a wildcard mask of 0000.00ff.ffff matches a whole vendor block.
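Added example, not from the slide: the router-side 700 list applied to a bridge group, a vendor-code match using the wildcard mask, and the equivalent named MAC ACL on a Catalyst 3550/3560 port. The OUI 0000.0c (Cisco) and the interface names are assumed for the illustration.

```cisco
! ===== Router (IOS): standard MAC access list, mask = wildcard bits =====
! exact host match, then every address in one vendor block (OUI 0000.0c)
access-list 700 permit 0800.0123.4567 0000.0000.0000
access-list 700 permit 0000.0c00.0000 0000.00ff.ffff
! implicit deny: any other source MAC is dropped
!
! 700-series lists are only consulted for bridged traffic, so the
! interface has to be in a bridge group
bridge 1 protocol ieee
interface Ethernet0/0
 bridge-group 1
 bridge-group 1 input-address-list 700
!
! ===== Catalyst 3550/3560: named extended MAC ACL on an access port =====
! On these switches a port MAC ACL filters NON-IP frames only; IP traffic
! is matched by an IP port ACL, so "deny any any" here does not stop IP.
mac access-list extended ONLY-VENDOR-0000-0C
 permit 0000.0c00.0000 0000.00ff.ffff any
 deny any any
!
interface FastEthernet0/3
 switchport mode access
 mac access-group ONLY-VENDOR-0000-0C in
!
! Verification
show access-lists 700
show mac access-group interface FastEthernet0/3
```

The mask semantics are the opposite of what people expect from subnet masks: a 1 bit means "ignore this bit", exactly like an IP wildcard mask, which is why 0000.00ff.ffff keeps the 24-bit OUI and discards the rest.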


Protocol Type-Code Access-Lists (ACL)

• Used for non-IP traffic (matches the protocol type-code field of the frame)

• Inbound only


MAC ACLs Cont.


VLAN ACLs (VACLs)
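Added example (not from the original slides): a VLAN access map that drops Telnet to one server inside VLAN 20 while forwarding everything else, which a router ACL cannot do for hosts that sit on the same VLAN and never cross the router. The server address 10.1.2.150 is reused from the DHCP snooping output above; the map name, ACL names and VLAN are assumed.

```cisco
! Traffic to match: Telnet to the server, and (for the catch-all) all IP
ip access-list extended TELNET-TO-SERVER
 permit tcp any host 10.1.2.150 eq 23
ip access-list extended ALL-IP
 permit ip any any
!
! Sequence numbers are evaluated in order; first match wins.
vlan access-map VLAN20-POLICY 10
 match ip address TELNET-TO-SERVER
 action drop
vlan access-map VLAN20-POLICY 20
 match ip address ALL-IP
 action forward
!
! Once a map contains an IP match clause, IP packets that match no entry
! are dropped, so sequence 20 is required. Packet types with no match
! clause at all (non-IP frames here) are still forwarded.
!
! Apply to the VLAN; the map sees traffic bridged inside VLAN 20 as well
! as traffic entering or leaving it through the SVI, in both directions
vlan filter VLAN20-POLICY vlan-list 20
!
! Verification
show vlan access-map
show vlan filter
```

Because a VACL is not directional, the drop entry above also catches Telnet that arrives from other VLANs through the router, which is normally what you want for a "nobody telnets to this box" policy but worth knowing when a rule seems to fire more often than expected.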


Private VLANs

• The private-VLAN feature addresses two problems that service providers face when using VLANs:

–Scalability: The switch supports up to 1005 active VLANs. If a service provider assigns one VLAN per customer, this limits the numbers of customers the service provider can support.

–Address usage: to enable IP routing, each VLAN is assigned its own subnet or block of addresses, which wastes the unused IP addresses and complicates IP address management.


Primary to Secondary VLAN

• There are two types of secondary VLANs:

–Isolated VLANs—Ports within an isolated VLAN cannot communicate with each other at the Layer 2 level.

–Community VLANs—Ports within a community VLAN can communicate with each other but cannot communicate with ports in other communities at the Layer 2 level.


Private VLAN Access Ports

• Private VLANs provide Layer 2 isolation between ports within the same private VLAN. Private-VLAN ports are access ports that are one of these types:

–Promiscuous—A promiscuous port belongs to the primary VLAN and can communicate with all interfaces, including the community and isolated host ports that belong to the secondary VLANs associated with the primary VLAN. (Default Gateway)

–Isolated—An isolated port is a host port that belongs to an isolated secondary VLAN. It has complete Layer 2 separation from other ports within the same private VLAN, except for the promiscuous ports.

–Community—A community port is a host port that belongs to a community secondary VLAN. Community ports communicate with other ports in the same community VLAN and with promiscuous ports.

* Note Trunk ports carry traffic from regular VLANs and also from primary, isolated, and community VLANs.


Issues with VTP V3 and Private VLANs

• Private VLANs are only propagated by VTPv3; VTP versions 1 and 2 do not carry them.

• When configuring private VLANs on a 3550 or 3560 (VTPv1/v2), set VTP to transparent mode first, so the private-VLAN configuration is accepted and stored locally on each switch.


Private VLAN Compatibility

• Do not configure private-VLAN ports on interfaces configured for these other features:

– dynamic-access port VLAN membership

– Dynamic Trunking Protocol (DTP)

– Port Aggregation Protocol (PAgP)

– Link Aggregation Control Protocol (LACP)

– Multicast VLAN Registration (MVR)

– voice VLAN

– Web Cache Communication Protocol (WCCP)


Private VLAN configuration


Show Private VLANs


Promiscuous Port / Default Gateway

(Diagram not reproduced: the promiscuous port sits in the primary VLAN; the host ports sit in the secondary VLANs.)


Applying a Community to interfaces
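Added example covering the private-VLAN slides above (it is not the deck's own configuration): one primary VLAN with an isolated and a community secondary VLAN, a promiscuous port toward the gateway router, host ports of both kinds, and the SVI mapping for when the switch itself routes. VLAN numbers, port assignments and the 10.1.100.0/24 subnet are assumed.

```cisco
! 3560: VTP v1/v2 cannot carry private VLANs, so go transparent first
vtp mode transparent
!
! Secondary VLANs: isolated hosts see only the promiscuous port(s);
! community hosts see each other and the promiscuous port(s)
vlan 201
 private-vlan isolated
vlan 202
 private-vlan community
!
! Primary VLAN carries the shared subnet; tie the secondaries to it
vlan 100
 private-vlan primary
 private-vlan association 201,202
!
! Promiscuous port toward the router / default gateway
interface FastEthernet0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 201,202
!
! Isolated host ports: two customers who must never talk to each other
! at Layer 2, although they share one subnet and one gateway
interface range FastEthernet0/5 - 6
 switchport mode private-vlan host
 switchport private-vlan host-association 100 201
!
! Community host ports: servers of one tenant that may talk to each other
interface range FastEthernet0/7 - 8
 switchport mode private-vlan host
 switchport private-vlan host-association 100 202
!
! If the switch is the gateway instead of a router, the SVI lives in the
! primary VLAN and must be mapped to the secondaries or it never hears them
interface Vlan100
 ip address 10.1.100.1 255.255.255.0
 private-vlan mapping 201,202
!
! Verification
show vlan private-vlan
show vlan private-vlan type
show interfaces FastEthernet0/5 switchport
```

Isolation is Layer 2 only: a host on Fa0/5 can still reach Fa0/6 by sending the packet to the gateway's MAC with the neighbour's IP as destination, and the router will happily route it back into the same subnet. Block that on the gateway (a local-proxy-ARP denial or an ACL that drops traffic whose source and destination are both in 10.1.100.0/24) if the tenants really must not talk.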


3560 QoS Considerations

• Uses shaped round robin (SRR) to service the queues

• Egress queue 1 can be configured as a priority (expedite) queue

• Egress queues can operate in shaped or shared mode

• Each interface is assigned to one of two egress queue-sets; every port has 4 egress queues

• There are 2 ingress queues, shared by all ports

• The congestion-avoidance algorithm is Weighted Tail Drop (WTD)

*Note: the 3550 has only egress queues, and there queue 4 is the one that becomes the expedite (priority) queue when priority-queue out is configured.


Weighted Tail Drop

• Example: the queue size is 1000 frames.

• Three drop thresholds are configured: 40 percent (400 frames), 60 percent (600 frames), and 100 percent (1000 frames).

• Traffic mapped to threshold 1 is tail-dropped once the queue already holds 400 frames, traffic mapped to threshold 2 once it holds 600, and traffic mapped to threshold 3 only when the queue is full at 1000 frames. Lower-priority classes are therefore dropped first, while the queue still has room for the higher ones.


SRR Shaping and Sharing

• Both the ingress and egress queues are serviced by Shaped Round Robin (SRR)

• SRR controls the rate at which packets are sent.

• On the ingress queues, SRR sends packets to the internal ring.

• On the egress queues, SRR sends packets to the egress port.


Input Queue

(Configuration screenshot not reproduced.) Fields shown: bandwidth weight for queue 1 and queue 2; mapping of DSCP values to a queue ID.


Output Queue

(Figure: egress queue-set configuration showing the queue-set id, queue id, drop threshold, reserved threshold, maximum threshold and buffer percentage for queues 1 to 4)

SRR applied

Frame Relay

• Interfaces

• Inverse ARP

• Mesh

• Hub and spoke

• Point-to-point

• Combination

• Issues

• Advanced Frame-relay and PPP

Frame-Relay Interface Configuration

Inverse ARP

Static Mappings

Sub Interfaces

Point-to-Multipoint Sub interface

Point-to-point Sub Interface

Mesh Topology

Full Mesh Frame-relay

• Requirements – physical interface

–With Inverse ARP

•NO frame relay maps required

–With NO inverse-arp allowed

•A PVC/FR map configured between each router

•Total PVCs = k(k-1)/2 where k = number of routers

•3 routers need 6 DLCIs (3 PVCs, one DLCI at each end)

–All routers are on the same subnet

–All routers are using the physical interface

–Can support Broadcast or NBMA

Full Mesh Frame-relay Point-to-Multipoint Sub

• In a frame-relay mesh multipoint configuration the following must be true before two routers can communicate:

–The destination IP address must be in the routing table

–There must be a frame-relay map for the destination IP address. The destination IP address can be any IP address including yours. (need a map statement to ping your own interface)

Hub and Spoke Topology

Frame Relay Hub and Spoke

• Requirements

–With Physical Interfaces and inverse-arp

•No map statements needed on spokes

•Map statements needed on hub to all spokes

–With Physical Interfaces and No inverse-arp

•Map statements needed on hub to each spoke and one map from the spoke to hub

–Enable broadcasts over the NBMA if required for routing protocol or multicast

–All routers are on a common subnet

Example Configuration from the HUB router

On r1lab:

interface Serial0/0/0
 ip address 131.1.234.1 255.255.255.0
 encapsulation frame-relay
 frame-relay map ip 131.1.234.2 102 broadcast
 frame-relay map ip 131.1.234.3 103 broadcast
 frame-relay map ip 131.1.234.4 104 broadcast
 no frame-relay inverse-arp
 no shutdown

To prevent inverse-arp, wait until all routers have been configured for FR before un-shutting the interfaces.

Frame Relay Hub and Spoke Point-to-Multipoint

• Inverse ARP is not recommended and should be disabled

• Need FR map statements configured on sub interface to each hub.

• Need FR map statements from each spoke to the hub.

–Enable broadcasts over the NBMA if required for routing protocol or multicast

–All routers are on a common subnet

–Still need a map statement to ping your own interface

Frame Relay Point-to-Point

• Requirements

–Uses sub interfaces

–A separate L3 subnet for each pair of routers

–Works the same with or without Inverse ARP

Note: if the routers are configured in a point-to-point manner they will NOT generate inverse-arp requests; however, if they receive a request, they will respond. This is useful for combinations where one end is a p2p sub interface and the other is a physical interface.

Troubleshoot Frame Relay

• show interface

• show controllers serial

• show frame-relay lmi

• show frame-relay pvc

• show frame-relay map

• debug frame-relay lmi

PPP 2-way authentication (PAP and CHAP)

Debug PPP authentication

PAP/CHAP configuration

(Figure: PAP/CHAP configuration on R1 and R2)

FREEK (Frame relay end to end keepalives)

• There are four modes that determine the type of keepalive traffic each device sends and responds to:

– In bidirectional mode, the device will send keepalive requests to the other end of the VC and will respond to keepalive requests from the other end of the VC.

– In request mode, the device will send keepalive requests to the other end of the VC.

– In reply mode, the device will respond to keepalive requests from the other end of the VC.

– In passive-reply mode, the device will respond to keepalive requests from the other end of the VC, but will not track errors or successes.

Configuring FREEK

For example, it could require 3 in a row.

Objectives

• IPv6 Addressing

• IPv6 Address Scopes

• Enabling IPv6

• RIPng

• EIGRP for IPv6

• OSPFv3

• OSPFv3 over NBMA

• IPv6 over IPv4

Things not covered

• IPv6 Neighbor Discovery

• Duplicate Address Detection

• Solicited Node

• Stateless Auto-configuration

• DHCPv6

• DNSv6

Larger Address Space

• IPv4

–32 bits or 4 bytes long

• ~4,200,000,000 possible addressable nodes

• IPv6

–128 bits or 16 bytes: four times the bits of IPv4

• ~3.4 * 10^36 possible addressable nodes

• = 340,282,366,920,938,463,374,607,432,768,211,456 (~340 undecillion)

• ~5 * 10^28 addresses

IPV6 Addressing

• IPV6 addresses are 128 bits long

• Consecutive zeroes can be eliminated (::)

• 2001:0:0:A1::1E2A/64

• 2001:0:0:A1 is the network portion

• Interface portion is 0:0:0:1E2A or ::1E2A

IPV6 Address Scopes

• Link-local Scope

• Unique-local Scope

• Global Scope

Link-local

• Identifies all hosts within a single layer 2 domain

• Unicast addresses within this scope are called link-local addresses

• They are assigned by default when ipv6 is enabled on an interface

• Network address is always FE80::/10

• Host portion derived from MAC address (Modified EUI-64)

• Can be manually added too: R3(config-if)#ipv6 address FE80::3 link-local

• Independent of the global addressing scheme

• Cannot be routed

(Figure: link-local address format, 128 bits: 1111 1110 10 (10 bits, FE80::/10) | 0 | Interface ID (64 bits))

IPv6 Address Configuration (Cont.)

LAN: 3ffe:b00:c18:1::/64

Ethernet0

MAC address: 0060.3e47.1530

ipv6 unicast-routing
interface Ethernet0
 ipv6 address 3ffe:b00:c18:1::/64 eui-64

router# show ipv6 interface Ethernet0
Ethernet0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::160:3EFF:FE47:1530
  Global unicast address(es):
    3FFE:B00:C18:1:160:3EFF:FE47:1530, subnet is 3FFE:B00:C18:1::/64
  Joined group address(es):
    FF02::1:FF47:1530
    FF02::1
    FF02::2
  MTU is 1500 bytes
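The following Python is an added example (not the slides' code, and not Cisco's) that reproduces what the eui-64 keyword and the show ipv6 interface output above do: it builds the modified EUI-64 interface identifier from the MAC address 0060.3e47.1530, combines it with the link-local and the 3ffe:b00:c18:1::/64 prefixes, derives the solicited-node multicast group FF02::1:FF47:1530 that the interface joins, and also splits a compressed address such as 2001:0:0:A1::1E2A/64 (from the IPv6 Addressing slide) into its network and interface portions. One caveat a practitioner should know: RFC 4291 forms the identifier by inserting FFFE and flipping the universal/local bit, which is bit 0x02 of the first octet, so 00 becomes 02 and the identifier starts 260:3EFF:FE47:1530; the 160: in the slide's quoted output differs in that bit, and the code follows the RFC. Function and variable names are this example's own.

```python
"""IPv6 address derivation helpers, added example (not the slides' code).

Builds the modified EUI-64 interface identifier from a MAC address and
derives the link-local, global (prefix + EUI-64) and solicited-node
multicast addresses, as the 'ipv6 address ... eui-64' example shows.
Also splits a compressed address into its network and interface portions.
"""
import ipaddress
import re


def mac_to_eui64(mac):
    """Return the 8-byte modified EUI-64 for a MAC written as 0060.3e47.1530
    or 00:60:3e:47:15:30 (RFC 4291, Appendix A)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError("MAC must be 48 bits: %r" % mac)
    b = bytearray(bytes.fromhex(digits))
    b[0] ^= 0x02                                        # flip the universal/local bit
    return bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])    # insert FFFE in the middle


def eui64_address(prefix, mac):
    """Combine a /64 prefix with the EUI-64 interface id derived from `mac`."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 needs a /64 prefix, got /%d" % net.prefixlen)
    iid = int.from_bytes(mac_to_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def link_local_address(mac):
    """Link-local address: FE80::/64 plus the EUI-64 interface id."""
    return eui64_address("fe80::/64", mac)


def solicited_node(addr):
    """FF02::1:FFxx:xxxx built from the low 24 bits of a unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | low24)


def split_address(addr_with_len):
    """Return (network portion, interface portion) as compressed strings,
    e.g. 2001:0:0:A1::1E2A/64 -> ('2001:0:0:a1::', '::1e2a')."""
    iface = ipaddress.IPv6Interface(addr_with_len)
    net_part = iface.network.network_address
    host_part = ipaddress.IPv6Address(int(iface.ip) - int(net_part))
    return str(net_part), str(host_part)


if __name__ == "__main__":
    mac = "0060.3e47.1530"                       # the slide's MAC address
    ll = link_local_address(mac)
    print("link-local     :", ll)
    print("global unicast :", eui64_address("3ffe:b00:c18:1::/64", mac))
    print("solicited-node :", solicited_node(ll))
    print("split          :", split_address("2001:0:0:A1::1E2A/64"))
```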

Unique-local

• Previously referred to as site local

• Identifies all devices within an administrative domain containing multiple distinct links

• Unicast addresses within this scope are called unique-local addresses

• Have a scope limited to the site

• Network address is always FEC0::/10

• 16 bits in the network address identify the subnet

• Host portion derived from MAC address (Modified EUI-64)

(Figure: unique-local address format, 128 bits: 1111 1110 11 (10 bits, FEC0::/10) | 0 | Subnet ID (16 bits) | Interface ID)

Global Unicast Addresses

• Global unicast addresses are:

–Addresses for generic use of IPv6

• Identifies all devices reachable across the Internet

• Unicast addresses within this scope are called global unicast addresses

• Have to be globally unique and routable

• Addresses reserved for global scope: 2000::/3

• Can have a variable subnet portion

• Last 64 bits for the interface identifier

(Figure: global unicast address format: Global Routing Prefix (provider) | Subnet ID (site) | Interface ID (64 bits); a site is usually given a /48)

Unspecified and Loopback Addresses

• Unspecified address:

–0:0:0:0:0:0:0:0

–Used as a placeholder when no address is available (initial DHCP request, DAD)

• Loopback address:

–0:0:0:0:0:0:0:1

–Same as 127.0.0.1 in IPv4

–Identifies self

IPv4-Mapped Addresses

• IPv4-mapped addresses:

–Used to represent the addresses of IPv4 nodes as IPv6 addresses

–Format: 80 bits of 0 | FFFF (16 bits) | IPv4 address (32 bits)

0:0:0:0:0:FFFF:192.168.30.1

= ::FFFF:192.168.30.1

= ::FFFF:C0A8:1E01

IPv4-Compatible Addresses

• IPv4-compatible addresses:

–Refer to an IPv4/IPv6 node that supports automatic tunneling

–Format: 80 bits of 0 | 0000 (16 bits) | IPv4 address (32 bits)

0:0:0:0:0:0:192.168.30.1

= ::192.168.30.1

= ::C0A8:1E01

Enabling IPV6

• ipv6 unicast-routing (global config mode)

• ipv6 address 2001:200:1:1::1/64 (interface mode)

• Link-local addresses are generated by default or use manual configuration

RIPng

• Neighbors need not be on the same global subnet since they are on the same link-local subnet

• Hence the router has to advertise its own prefix for the link out of that interface

• In addition to the frame-relay map ipv6 broadcast to the Global Address you also need a map to the link local address.

• RIP messages are sent to the all RIP routers link-local multicast address FF02::9/128

• RIPng uses the authentication headers present in IPv6 for authentication purposes

RIPng Configuration

• ipv6 rip abc enable (interface mode)

• show ipv6 protocol

• show ipv6 rip

• show ipv6 rip database

OSPFv3

• Basic mechanisms such as flooding, DR election, areas and SPF calculations remain the same

• Additionally, link LSAs announce link-local addresses and a list of IPv6 prefixes to associate with the link

• Intra-area prefix LSAs carry all IPv6 prefixes to all OSPFv3 routers within an area (correspond to router and network LSAs in IPv4)

• Inter-area prefix LSA 0x2003 replaces summary or type 3 LSAs

• Inter-area router LSA 0x2004 replaces type 4 LSAs

• OSPFv3 runs on a link basis rather than on a subnet basis as in OSPFv2

• Authentication removed from OSPF; relies on IPv6 authentication

LSA Type Review

LSA Function Code   LSA type   Name
1                   0x2001     Router-LSA
2                   0x2002     Network-LSA
3                   0x2003     Inter-Area-Prefix-LSA
4                   0x2004     Inter-Area-Router-LSA
5                   0x4005     AS-External-LSA
6                   0x2006     Group-membership-LSA
7                   0x2007     Type-7-LSA
8                   0x0008     Link-LSA
9                   0x2009     Intra-Area-Prefix-LSA

OSPFv3 Configuration

• ipv6 ospf 100 area 0 (interface mode)

• In the case of an IPv6-only router, configure a 32-bit router-id under ipv6 router ospf 100

• A summary can be configured under ipv6 router ospf 100 using the command area 1 range 2001::/48

• show ipv6 ospf

• show ipv6 ospf neighbor

OSPFv3 over NBMA

• OSPFv3 over NBMA is very similar to OSPF over NBMA

• The hub interface priority has to be increased to make it the DR

• The spokes should be configured with a priority of 0 so that they never participate in the DR elections

OSPFv3 over NBMA

• Moreover, neighbors have to be specified

• The address for the neighbor has to be the link-local address

• Neighbors have to be specified only on the hub, not on the spokes

• frame-relay maps have to be configured pointing to the neighbor's link-local address on both hub and spokes, as well as the global addresses (if configured)

• sh ipv6 int s0/1/0 displays the link-local address

OSPFv3 over NBMA Hub

interface Serial0/1/0
 ipv6 ospf priority 100
 ipv6 ospf neighbor FE80::20A:B8FF:FE6B:A478
 ipv6 ospf neighbor FE80::20A:B8FF:FE2C:7DC8
 ipv6 ospf 10 area 0
 frame-relay map ipv6 FE80::20A:B8FF:FE6B:A478 106
 frame-relay map ipv6 FE80::20A:B8FF:FE2C:7DC8 105

OSPFv3 over NBMA Spoke

interface Serial0/1/0
 ipv6 ospf priority 0
 ipv6 ospf 10 area 0
 frame-relay map ipv6 FE80::217:95FF:FE27:B900 601
 frame-relay map ipv6 FE80::20A:B8FF:FE2C:7DC8 601

IPv6 over IPv4

• IPv6 can be tunneled under ipv4

• Tunnel mode is gre by default; it can be changed to ipv6ip

• The tunnel itself needs an ipv6 address

• The tunnel source and destination will be ipv4 addresses

• Routing protocol can be enabled on the tunnel

interface Tunnel0

no ip address

ipv6 address 2002:100:24:1::2/64

ipv6 ospf 100 area 0

tunnel source 10.86.72.17

tunnel destination 10.86.72.18

ISATAP

• ISATAP is an IETF transition mechanism that allows IPv6 networks to connect over IPv4 networks. Even though it is a draft and has not yet been standardized, it is a better solution than the 6to4 tunnel mechanism.

• ISATAP works like 6to4 tunnels, with one major difference: it uses a special IPv6 address on the edge routers. This special IPv6 address is formed as follows:

–The network portion can be any IPv6 address.

–The host portion of the IPv6 address starts with “0000:5EFE” and the rest of the host portion is the tunnel’s source IPv4 address, translated into the low 32 bits.

• This translation is performed automatically.
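As an added example (not the slides' code), the Python below builds and parses the three IPv4-embedded address forms covered on the last few slides: the IPv4-mapped form ::FFFF:192.168.30.1, the IPv4-compatible form ::192.168.30.1, and the ISATAP form whose interface identifier starts 0000:5EFE followed by the tunnel's IPv4 source. The prefix 2001:db8:1:1::/64 used for the ISATAP case is a constructed documentation prefix, and the function names are this example's own. Comparisons are done on the integer value of the address so they do not depend on how a given Python version prints mapped addresses.

```python
"""IPv4-embedded IPv6 address forms, added example (not the slides' code).

Builds the three forms the slides describe from a dotted IPv4 address:
  - IPv4-mapped:     ::FFFF:a.b.c.d            (80 zero bits, FFFF, 32-bit IPv4)
  - IPv4-compatible: ::a.b.c.d                 (96 zero bits, 32-bit IPv4)
  - ISATAP:          <prefix>:0:5EFE:a.b.c.d   (interface id 0000:5EFE + IPv4)
and classifies an address so the embedded IPv4 address can be recovered.
"""
import ipaddress

_ISATAP_TAG = 0x00005EFE << 32       # 0000:5EFE in the high half of the interface id
_IID_MASK = 0xFFFFFFFFFFFFFFFF       # low 64 bits of an address


def ipv4_mapped(v4):
    """::FFFF:a.b.c.d as an IPv6Address."""
    return ipaddress.IPv6Address((0xFFFF << 32) | int(ipaddress.IPv4Address(v4)))


def ipv4_compatible(v4):
    """::a.b.c.d as an IPv6Address (deprecated form, kept for the slide's example)."""
    return ipaddress.IPv6Address(int(ipaddress.IPv4Address(v4)))


def isatap_address(prefix, tunnel_source_v4):
    """ISATAP address for a /64 prefix: the IPv4 tunnel source forms the
    low 32 bits of the interface id behind 0000:5EFE."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("ISATAP interface id needs a /64 prefix, got /%d" % net.prefixlen)
    iid = _ISATAP_TAG | int(ipaddress.IPv4Address(tunnel_source_v4))
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def embedded_ipv4(addr):
    """Classify an IPv6 address and recover the embedded IPv4 address.
    Returns (kind, IPv4Address) or (None, None) when nothing is embedded."""
    n = int(ipaddress.IPv6Address(addr))
    low32 = ipaddress.IPv4Address(n & 0xFFFFFFFF)
    if n >> 32 == 0xFFFF:
        return "mapped", low32
    if n >> 32 == 0 and n not in (0, 1):           # exclude :: and ::1
        return "compatible", low32
    if (n & _IID_MASK) & (0xFFFFFFFF << 32) == _ISATAP_TAG:
        return "isatap", low32
    return None, None


if __name__ == "__main__":
    v4 = "192.168.30.1"                            # the slides' sample IPv4 address
    print("mapped     :", ipv4_mapped(v4).exploded)
    print("compatible :", ipv4_compatible(v4).exploded)
    isatap = isatap_address("2001:db8:1:1::/64", v4)   # constructed prefix
    print("isatap     :", isatap)
    for a in (ipv4_mapped(v4), ipv4_compatible(v4), isatap, "2001:db8::1"):
        print(a, "->", embedded_ipv4(str(a)))
```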

ISATAP cont.

End of Day 1 Lecture

SESSION 6

RIPv2

RIPv2

• Outline

–Updates

–Optimize

–Filtering

–Summary

–Authentication

–Default Routes

–Advanced

Classless Routing (RIPv2)

The version 2 extensions provide the following enhancements to RIP:

• Subnet masking information is now included in routing updates, allowing RIP to handle VLSM addressing

• A next-hop address is carried with each route entry

• External route tags can be used

• Multicast routing updates

• Support for MD5 authentication

Split Horizon

Never advertise a network on the interface from which it was learned

Poison Reverse

• Once you learn of a route through an interface, then advertise it as unreachable back through the same interface

Timers

• Update - rate (time in seconds [30] between updates) at which routing updates are sent

• Invalid - interval of time (in [180] seconds) after which a route is declared invalid

• Hold - interval (in [180] seconds) during which routing information regarding better paths is suppressed

• Flush - amount of time (in [240] seconds) that must pass before a route is removed from the routing table

Optimize

Obscure Topics

• Offset List – increases the value of routing metrics (in hops)

r1lab(config)# access-list 1 permit 10.1.10.0
r1lab(config)# router rip
r1lab(config-router)# offset-list 1 in 3

• Source IP address validation – by default the source IP address of incoming RIP routing updates is validated; this can be disabled for “off network” routes

r1lab(config-router)# no validate-update-source

*Note: for unnumbered IP interfaces (interfaces configured as ip unnumbered), no checking is performed.

• Interpacket delay – slows down sending routing update packets; typically useful to slow down high speed routers when communicating with low speed routers

r1lab(config)# router rip
r1lab(config-router)# output-delay <8-50 milliseconds>

Filtering – Inverse Mask

• Allow only odd routes from 1.1.0.0 from R1 to other routers

Network 1.1.1.0 0.0.254.255

(In the inverse mask a 0 bit means "must match my network", a 1 bit means "don't care")

               128 64 32 16  8  4  2  1
1.1.1.0          0  0  0  0  0  0  0  1
1.1.3.0          0  0  0  0  0  0  1  1
1.1.5.0          0  0  0  0  0  1  0  1

Mask       11111111.11111111.11111110.00000000
Network    00000001.00000001.00000001.00000000
First host 00000001.00000001.00000001.00000000

Odds always include a binary 1 in the least significant bit; evens never have a binary 1 there. In the ACL, the third octet must match on this binary value.

The 254 translates to 11111110, which tells the ACL to not care about anything in that octet except the least significant bit.
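The wildcard comparison the slide walks through, as an added Python example (not the slides' code): a route address matches an ACL entry when every bit at which the wildcard mask is 0 equals the corresponding bit of the entry's address, and wildcard bits set to 1 are ignored. The entry 1.1.1.0 0.0.254.255 from the slide therefore keeps only networks whose third octet is odd. The candidate route list is constructed for illustration, and acl_permits applies the usual first-match rule with the implicit deny at the end, as a distribute-list referencing this ACL would.

```python
"""Wildcard (inverse) mask matching, added example (not the slides' code).

Implements the ACL comparison behind 'access-list N permit A.B.C.D W.X.Y.Z':
bits where the wildcard is 0 must match the entry's address, bits where it
is 1 are 'don't care'. The slide's entry 1.1.1.0 0.0.254.255 keeps only odd
third octets because the wildcard cares about just the least significant
bit of that octet, and the entry has that bit set.
"""
import ipaddress


def wildcard_match(address, entry_address, wildcard):
    """Return True if `address` matches the ACL entry (entry_address, wildcard)."""
    a = int(ipaddress.IPv4Address(address))
    e = int(ipaddress.IPv4Address(entry_address))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF                       # bits the ACL must match on
    return (a & care) == (e & care)


def acl_permits(acl, address):
    """Evaluate ('permit'|'deny', entry_address, wildcard) tuples in order;
    the first matching entry decides, and an unmatched address hits the
    implicit deny at the end of the list."""
    for action, entry, wildcard in acl:
        if wildcard_match(address, entry, wildcard):
            return action == "permit"
    return False


def filter_routes(acl, routes):
    """Return the routes (dotted network addresses) that the ACL permits,
    which is what a distribute-list referencing the ACL would advertise."""
    return [r for r in routes if acl_permits(acl, r)]


# Constructed candidate routes from the 1.1.0.0 block (plus one outside it).
CANDIDATE_ROUTES = ["1.1.1.0", "1.1.2.0", "1.1.3.0", "1.1.4.0",
                    "1.1.5.0", "1.1.254.0", "1.2.1.0"]
# The slide's entry: odd third octets only.
ODD_ONLY_ACL = [("permit", "1.1.1.0", "0.0.254.255")]

if __name__ == "__main__":
    print("permitted:", filter_routes(ODD_ONLY_ACL, CANDIDATE_ROUTES))
```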

Distribute List

RIP V2 Summarization

• Applied to an interface:

r1lab(config-if)# ip summary-address rip 10.20.0.0 255.255.255.0

• Split horizon must be disabled on the interface

• Auto summary can only summarize to the classful boundary, the summary-address allows for classless summarization

• Does not insert a NULL0 entry into the routing table

RIP V2 Features

• Authentication

r1lab(config)# interface s0
r1lab(config-if)# ip rip authentication key-chain cisco
r1lab(config-if)# ip rip authentication mode <md5,text>
r1lab(config)# key chain cisco
r1lab(config-keychain)# key 1
r1lab(config-keychain-key)# key-string cisco

• Classless

• Route summarization (enabled by default)

r1lab(config)# router rip
r1lab(config-router)# no auto-summary

IP RIP Triggered

• When you enable triggered extensions to RIP, routing updates are transmitted on the WAN only if one of the following events occurs:

–The router receives a specific request for a routing update, which causes the full database to be sent.

–Information from another interface modifies the routing database, which causes only the latest changes to be sent.

–The interface comes up or goes down, which causes a partial database to be sent.

–The router is powered on for the first time to ensure that at least one update is sent, which causes the full database to be sent

Default routes in RIP

• redistribute static (with ip route 0.0.0.0 0.0.0.0 null0 permanent)

• default-information originate

• ip default-network 1.0.0.0

Example of default information

Advanced Workaround with RIP / RSPAN

(Figure: R4 F1/0 receiving RIPv2)

• R4 must receive RIP routes from BB2 but is not permitted to redistribute from OSPF

• SPAN or RSPAN used and no validate-update-source

Redistribution

Advertising Routes between routing protocols

• Longest Match

• Administrative Distance

• Redistribution

• Route Maps

• Distribute Lists

• Prefix Lists

Longest Match

• >show ip route

D 172.33.1.0/25 via 192.168.1.1   <- Preferred (longest match)

R 172.33.1.0/24 via 192.168.1.2

O 172.33.1.0/23 via 192.168.1.3
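The lookup rule behind the slide, as an added Python example (not the slides' code): the forwarding decision picks the most specific prefix containing the destination regardless of which protocol supplied it, and only when two sources offer the same prefix does administrative distance (the next slide's topic) decide which one is installed. The table below is constructed from the three entries on the slide; note that the slide's "172.33.1.0/23" is not on a /23 boundary and normalizes to 172.33.0.0/23. The default AD values are the usual IOS defaults for those route codes, and the Route, install and lookup names are this example's own.

```python
"""Longest-match route lookup with per-prefix administrative distance,
added example (not the slides' code).

Given overlapping entries for 172.33.1.0 (EIGRP /25, RIP /24, OSPF /23),
lookup() returns the most specific matching prefix. install() keeps only
the lowest-AD source for a given prefix, which is how the RIB chooses
between protocols that offer the same route.
"""
import ipaddress

# Default administrative distances for the route codes used on the slide.
ADMIN_DISTANCE = {"C": 0, "S": 1, "B": 20, "D": 90, "O": 110, "R": 120}


class Route:
    def __init__(self, code, prefix, next_hop, ad=None):
        self.code = code
        # strict=False so the slide's 172.33.1.0/23 normalizes to 172.33.0.0/23
        self.network = ipaddress.IPv4Network(prefix, strict=False)
        self.next_hop = next_hop
        self.ad = ADMIN_DISTANCE[code] if ad is None else ad

    def __repr__(self):
        return "%s %s via %s [%d]" % (self.code, self.network, self.next_hop, self.ad)


def install(table, route):
    """Return a new table with `route` added, keeping only the lowest-AD
    source for each exact prefix (an equal or better AD already installed wins)."""
    existing = [r for r in table if r.network == route.network]
    if existing and existing[0].ad <= route.ad:
        return table
    return [r for r in table if r.network != route.network] + [route]


def lookup(table, destination):
    """Return the matching route with the longest prefix, or None."""
    dst = ipaddress.IPv4Address(destination)
    candidates = [r for r in table if dst in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.network.prefixlen)


# Constructed routing table mirroring the slide's three entries.
TABLE = []
for code, prefix, nh in [("D", "172.33.1.0/25", "192.168.1.1"),
                         ("R", "172.33.1.0/24", "192.168.1.2"),
                         ("O", "172.33.1.0/23", "192.168.1.3")]:
    TABLE = install(TABLE, Route(code, prefix, nh))

if __name__ == "__main__":
    for dst in ["172.33.1.5", "172.33.1.200", "172.33.0.9", "10.0.0.1"]:
        print(dst, "->", lookup(TABLE, dst))
```

Destinations in 172.33.1.0-127 go via 192.168.1.1 (the /25), the rest of 172.33.1.0/24 via 192.168.1.2, and 172.33.0.x via 192.168.1.3; a RIP route for the same /25 would not displace the EIGRP one, while a static route (AD 1) would.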

Administrative Distance

Allow Redistribute on R1

Maintain R routes on R1 even after redistribution

Example Configuration with AD

Route Maps

• Route filtering

• Metric control

• Used extensively in BGP

• Used for setting IP Precedence

• Policy routing (not part of redistribution)

• Can use match and set statements

->route-map lab permit 10

->match ip access-list 1 , 3 (values separated with , create an OR statement)

->match ip prefix-list lab (multiple match lines are considered an AND)

Distribute Lists

• Used with access-lists to filter incoming or outgoing updates

• Be as specific as possible when applying the distribute list

• RIP & EIGRP

–distribute-list 1 in ethernet 0 (also can use a route map)

–distribute-list 1 out ethernet 0

• OSPF – only allows inbound

–distribute-list 1 in ethernet 0

• IS-IS does not use distribute lists

• BGP – applied to the neighbor

–neighbor 2.2.2.2 distribute-list 1 in

Prefix Lists

• Prefix lists are a more sophisticated form of route-advertisement filtering that Cisco provides. They filter on IP prefix just as distribute lists do, but they are easier to read and require fewer commands to configure. The other advantage over a distribute list is that it is easier to add, remove and organize the statements in the order you choose.

• For example:

ip prefix-list xx seq 10 permit 204.134.12.0/22

ip prefix-list xx seq 20 permit 204.134.16.0/21

ip prefix-list xx seq 30 permit 204.134.24.0/24
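The following is an added example (not part of the course slides) that models the two filter semantics described on these pages: a prefix list evaluated in sequence order with an implicit deny and exact-length matching unless ge/le is given, and a route map whose values on one match line are ORed while separate match lines are ANDed. The PrefixList, RouteMap and standard_acl names, the access lists 1 and 3 and the sample routes are this example's own constructions; the prefix-list entries are the three from the slide.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PrefixEntry:
    seq: int
    action: str                 # "permit" or "deny"
    prefix: str                 # e.g. "204.134.12.0/22"
    ge: Optional[int] = None    # minimum prefix length (ip prefix-list ... ge N)
    le: Optional[int] = None    # maximum prefix length (ip prefix-list ... le N)


class PrefixList:
    """Entries are evaluated in sequence order and the first match wins.
    An entry without ge/le matches only the exact prefix and length; a
    route that matches nothing hits the implicit deny, as with an ACL."""

    def __init__(self, name: str, entries: List[PrefixEntry]) -> None:
        self.name = name
        self.entries = sorted(entries, key=lambda e: e.seq)

    def permits(self, route: str) -> bool:
        net = ipaddress.ip_network(route, strict=False)
        for e in self.entries:
            base = ipaddress.ip_network(e.prefix, strict=False)
            lo = e.ge if e.ge is not None else base.prefixlen
            if e.le is not None:
                hi = e.le
            else:
                hi = net.max_prefixlen if e.ge is not None else base.prefixlen
            if net.subnet_of(base) and lo <= net.prefixlen <= hi:
                return e.action == "permit"
        return False


def standard_acl(entries: List[Tuple[str, str, str]]) -> Callable[[str], bool]:
    """Standard ACL as a predicate on a route's network address.
    entries: (action, address, wildcard); first match wins, implicit deny."""
    def matches(route: str) -> bool:
        addr = int(ipaddress.ip_network(route, strict=False).network_address)
        for action, address, wildcard in entries:
            a = int(ipaddress.ip_address(address))
            w = int(ipaddress.ip_address(wildcard))
            if (addr & ~w) == (a & ~w):          # wildcard bits are "don't care"
                return action == "permit"
        return False
    return matches


@dataclass
class RouteMapEntry:
    seq: int
    action: str
    # Each inner list is one `match` line whose alternatives are ORed
    # (e.g. `match ip address 1 3`); the outer list of lines is ANDed.
    match_lines: List[List[Callable[[str], bool]]] = field(default_factory=list)
    set_actions: Dict[str, int] = field(default_factory=dict)


class RouteMap:
    def __init__(self, name: str, entries: List[RouteMapEntry]) -> None:
        self.name = name
        self.entries = sorted(entries, key=lambda e: e.seq)

    def evaluate(self, route: str) -> Tuple[bool, Dict[str, int]]:
        """Returns (permitted, set-actions to apply). An entry with no match
        lines matches everything; no matching entry means deny."""
        for e in self.entries:
            if all(any(pred(route) for pred in line) for line in e.match_lines):
                if e.action == "permit":
                    return True, dict(e.set_actions)
                return False, {}
        return False, {}


# Constructed sample policy (access lists 1 and 3 are assumptions).
ACL_1 = standard_acl([("permit", "10.2.1.0", "0.0.0.255")])
ACL_3 = standard_acl([("permit", "204.134.24.0", "0.0.0.255")])
PL_XX = PrefixList("xx", [
    PrefixEntry(10, "permit", "204.134.12.0/22"),
    PrefixEntry(20, "permit", "204.134.16.0/21"),
    PrefixEntry(30, "permit", "204.134.24.0/24"),
])
# route-map lab permit 10
#  match ip address 1 3                 (ACL 1 OR ACL 3)
#  match ip address prefix-list xx      (AND the prefix list)
#  set metric 5
LAB = RouteMap("lab", [RouteMapEntry(10, "permit",
                                     match_lines=[[ACL_1, ACL_3], [PL_XX.permits]],
                                     set_actions={"metric": 5})])


def apply_policy(routes: List[str]) -> Dict[str, Tuple[bool, Dict[str, int]]]:
    return {r: LAB.evaluate(r) for r in routes}


if __name__ == "__main__":
    for route, verdict in apply_policy(["204.134.12.0/22", "204.134.24.0/24",
                                        "204.134.24.0/23", "10.2.1.0/24"]).items():
        print(route, verdict)
```

Only 204.134.24.0/24 passes: it is the one route that satisfies an ACL on the first match line and the prefix list on the second. 204.134.24.0/23 is permitted by ACL 3 but fails the exact-length rule of the prefix list, and 10.2.1.0/24 passes ACL 1 but is not in the prefix list at all.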

Page 137

Redistribution Problems

• When redistributing OSPF into BGP, by default, BGP only accepts internal routes, not external type 1 or type 2

• Watch for administrative distance problems

• Beware of the metric used by RIP

• Redistributing into RIP requires a metric or default-metric, or the metric will be set to 16

• Redistributing into EIGRP requires a metric or default-metric, or the metric will be set to infinity

• Always filter routes when doing redistribution

Page 138

Advanced RIP

• One static route allowed

• Receive the RIP routes

Page 139

SESSION 7 EIGRP

Page 140

EIGRP

• Outline

–Overview

–Updates

–Authentication

–Default Routes

–Summarization

–Metrics

Page 141

EIGRP

• EIGRP is a Cisco-proprietary routing protocol loosely based on their original IGRP

• EIGRP is an advanced distance-vector routing protocol, with optimizations to minimize both the routing instability incurred after topology changes and the use of bandwidth and processing power in the router.

• EIGRP and IGRP are compatible with each other.

• EIGRP uses the Diffusing Update Algorithm (DUAL), which guarantees loop-free operation.

• In particular, DUAL avoids the "count to infinity" behavior common in distance-vector routing protocols.

• The maximum hop count of EIGRP-advertised routes (i.e. destination networks) is 255. The default is 100; it is changed in the routing process with <metric maximum-hops>

• EIGRP is considered an advanced distance-vector or hybrid routing protocol

• Classless (VLSM)

Page 142

EIGRP Updates

• Hellos are sent between neighbors and must include (and match):

– AS #

– Subnet

– Authentication

– K-values

1. Neighbor Table

2. Topology Table (determines the successor (primary) and the feasible successor)

3. DUAL algorithm (loop free)

4. Routing Table (the successor is moved from the topology table)

*Note: updates are sent to 224.0.0.10 and EIGRP uses IP protocol number 88

Page 143

Successor versus Feasible Successor

• Reported Distance (RD) is the distance from your neighbor (next hop) to the destination.

• Feasible Distance (FD) is the distance from the current router all the way to the destination; it includes all other routers between your router and the destination.

R1 -------- R2 ----------- R3 (destination): FD is measured from R1, RD from R2

• To qualify as a feasible successor, a next-hop router must have an RD less than the FD of the current successor route

• EIGRP metric = (lowest bandwidth + all delays) × 256

Page 144

EIGRP Authentication

• Similar to RIPv2 authentication

• Only MD5 Authentication supported

r1lab(config)# interface s0

r1lab(config-if)# ip authentication mode eigrp 222 md5

r1lab(config-if)# ip authentication key-chain eigrp 222 cisco

r1lab(config)# key chain cisco

r1lab(config-keychain)# key 1

r1lab(config-keychain-key)# key-string ccie

Page 145

Default Routes in EIGRP

• ip summary-address eigrp 100 0.0.0.0 0.0.0.0

• ip default-network

• ip route 0.0.0.0 0.0.0.0 null 0, then

– redistribute static, or network 0.0.0.0

Page 146

EIGRP Summarization

• Auto-summary is on by default – disable it

• Summarization is done on the interface: r1lab(config-if)# ip summary-address eigrp 222 10.2.0.0 255.255.255.0 5

• There is no way to get rid of the Null0 entry; it is added to avoid loops

The default AD of the summary is 5, but a higher value can be used for a floating summary

You can bump the AD to 255 to remove the Null0 route, but then the summary could cause a loop if you do not filter properly

Page 147

EIGRP Leak Map

On the remote router

Page 148

Virtual Template in PPP with Leak Map

• Problem: a leak map cannot be used with subinterfaces

• Must use PPP and Virtual Template

Page 149

EIGRP Stub Areas

• Affects what the router will advertise

• Reduces processing on the router

• Controls what networks are advertised

• Four options: receive-only, summary, connected, and static

– router eigrp 1

eigrp stub summary leak-map leaky

Page 150

Problems with EIGRP Stub

• All routers in the EIGRP AS need the stub command, or neighbors could end up stuck in active (SIA) because there is no stub flag in the hello packets

• Workaround: use the stub configuration on all routers that need to be a stub, in a single AS

• Use a separate AS for all other EIGRP routers and redistribute between the EIGRP AS processes on the hub router

Page 151

Tuning EIGRP

Optional EIGRP commands:

• ip hello-interval eigrp – interface command to change the hello timer

• ip hold-time eigrp – changes the EIGRP hold time for routes received on this interface

• metric weights – sets the weights (K-values) of the EIGRP metric

• distance – changes the administrative distance of routes received from a neighbor

• delay – specifies the delay of an interface in tens of microseconds

• bandwidth – specifies the bandwidth of an interface in kilobits per second

• passive-interface – prevents the sending of EIGRP hellos on the link

• offset-list – used to increase the value of the routing metrics

Page 152

Miscellaneous Topics

• Offset list

r1lab(config)# access-list 1 permit 10.2.1.0

r1lab(config)# router eigrp 222

r1lab(config-router)# offset-list 1 in 10000

• Adjust the percentage of bandwidth used for routing updates – 50% is the default

r1lab(config-if)# ip bandwidth-percent eigrp 222 10

It is very important to summarize and use stubs in large EIGRP networks; otherwise the query traffic to find successor routes could easily take 50% of the bandwidth. If the percentage is throttled too much, convergence times will be affected.

Delay

Page 153

Equal Cost Load Balancing

Change with the maximum-paths command in the EIGRP process

Page 154

EIGRP Unequal-Cost Load Balancing

• EIGRP offers unequal-cost load balancing – variance command

• Variance allows the router to include routes with a metric smaller than the multiplier times the minimum-metric route to that destination

– The multiplier is the number specified by the variance command

Page 155

Traffic-Share

• Determines how traffic is load balanced.

• Two options:

– balanced (balances across paths)

– min across-interfaces (traffic still uses the lowest-metric path)

router eigrp 1

variance 2

traffic-share balanced (actively uses the lower-speed link to load balance with the higher-speed links)

* Note: min only adds the routes to the routing table for fallback; it does not load balance

Under the interface you can configure per-packet or per-flow load balancing:

ip load-sharing per-packet or per-destination

Page 156

Variance Example

• Router E chooses router C to get to network Z because FD = 20.

• With a variance of 2, router E chooses router B to get to network Z (20 + 10 = 30) < [2 * 20(FD) = 40].

• Router D is not used to get to network Z (45 > 40).

• To use D we need a variance of 3 because 3x20=60 and 60 is > 45
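Added example (this editor's, not course material) that puts the feasibility condition from the Successor versus Feasible Successor slide and the variance rule from this slide into code. The router names and the RD/link-cost pairs are constructed so that the totals match the slide (FD 20 via C, 30 via B, 45 via D); a fourth neighbor X is added to show a path that variance alone would admit but the feasibility condition rejects. eigrp_metric uses the default-K-value form of the metric (bandwidth in kbit/s, delay in tens of microseconds).

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Path:
    next_hop: str
    rd: int          # reported distance: the neighbor's own metric to the destination
    link_cost: int   # metric of the link from this router to that neighbor

    @property
    def fd(self) -> int:
        """This router's feasible distance via the neighbor (RD plus the link)."""
        return self.rd + self.link_cost


def successor(paths: List[Path]) -> Path:
    """The successor is simply the lowest-metric path."""
    return min(paths, key=lambda p: p.fd)


def feasible_successors(paths: List[Path]) -> List[Path]:
    """Feasibility condition: a neighbor's RD must be strictly less than the
    FD of the successor route. A neighbor that is further from the destination
    than we are might be routing through us, so it is never a backup."""
    s = successor(paths)
    return [p for p in paths if p is not s and p.rd < s.fd]


def variance_paths(paths: List[Path], variance: int) -> List[str]:
    """Next hops installed with `variance N`: the successor plus every feasible
    successor whose metric is smaller than N times the successor's FD."""
    s = successor(paths)
    limit = variance * s.fd
    extra = [p for p in feasible_successors(paths) if p.fd < limit]
    return [p.next_hop for p in [s] + extra]


def eigrp_metric(min_bandwidth_kbps: int, delays_tens_usec: List[int]) -> int:
    """Composite metric with default K-values (K1 = K3 = 1, K2 = K4 = K5 = 0):
    256 * (10^7 / lowest bandwidth in kbit/s + sum of delays in tens of usec)."""
    return 256 * (10_000_000 // min_bandwidth_kbps + sum(delays_tens_usec))


# Constructed numbers (assumptions) chosen to reproduce the slide's totals.
PATHS_TO_Z = [
    Path("C", rd=10, link_cost=10),   # FD 20: the successor
    Path("B", rd=10, link_cost=20),   # 30, feasible (10 < 20)
    Path("D", rd=15, link_cost=30),   # 45, feasible (15 < 20)
]
# X reports 25, which is worse than our FD of 20: not feasible even though
# its total metric of 30 would pass a variance of 2.
PATHS_WITH_LOOP_RISK = PATHS_TO_Z + [Path("X", rd=25, link_cost=5)]


if __name__ == "__main__":
    for v in (1, 2, 3):
        print(f"variance {v}: {variance_paths(PATHS_TO_Z, v)}")
    print("with X present, variance 2:", variance_paths(PATHS_WITH_LOOP_RISK, 2))
    print("T1 with 20000 usec delay:", eigrp_metric(1544, [2000]))
```

Variance 2 admits B (30 < 40) but not D (45), and variance 3 admits D as well (45 < 60), exactly as the slide works it out; X stays out at any variance because it fails the feasibility check first.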

Page 157

End Day 2 Lecture

Page 158

Session 8 OSPF

Page 159

OSPF

• Outline

–OSPF Network Types

–RID

–LSA

–Adjacencies

–Area types

–New Features

–Authentication

–Summaries

–Filtering

Page 160

Network Types

• The easiest configuration is to configure all OSPF frame relay interfaces for point-to-multipoint

• If the lab prohibits you from changing the network type you can try the neighbor command

Physical Frame Relay Interface | OSPF Network Type

Physical | Non-Broadcast

Multipoint subinterface | Non-Broadcast

Point-to-Point subinterface | Point-to-Point

Page 161

OSPF Over NBMA Topology Summary

Mode | Preferred Topology | Subnet Address | Adjacency | DR/BDR

Non-broadcast | Fully meshed | Same | Manual configuration | DR/BDR elected

Broadcast | Fully meshed | Same | Automatic | DR/BDR elected

Point-to-multipoint nonbroadcast | Partial mesh (hub and spoke) | Same | Manual configuration | No DR/BDR

Point-to-point and point-to-multipoint subinterface | Partial mesh (hub and spoke using subinterfaces) | Different for each subinterface, and SAME for point-to-multipoint | Manual DR on hub

Page 162

Hello and Dead Timers

• In order to form a neighbor adjacency, hello and dead timers must match

• Timers differ based on the network type configured:

– broadcast: hello time 10 seconds, dead time 40 seconds

– point-to-point: hello time 30 seconds, dead time 120 seconds

– non-broadcast: hello time 30 seconds, dead time 120 seconds

• Timers can be manually adjusted through the “ip ospf hello-interval” and “ip ospf dead-interval” interface commands

Page 163

Hello and Dead Timers

Interface | OSPF Network Type | Hello | Dead

Physical interface | Non-Broadcast | 30 | 120

Subinterface P2P | Point-to-Point | 10 | 40

Subinterface point-to-multipoint | Non-Broadcast | 30 | 120

Physical changed with ip ospf network broadcast | Broadcast | 10 | 40

P2P subinterface changed to NBMA | Non-Broadcast | 30 | 120

Page 164

Miscellaneous OSPF - Timers

• Basic Timers

–Hello-interval

•interface serial 1/0

•ip ospf hello-interval 20 – automatically changes the dead-interval to 80, dead = hello x 4

–Dead-interval

•interface serial 1/0

•ip ospf dead-interval 50 – does NOT change the hello-interval

• Unless - See next slide

Page 165

OSPF Timers – Fast Hellos

• Added in 12.2T15

• Enables faster convergence

• Sets Dead timer to 1 second, hello timer based on hello-multiplier.

• Example – set hello to 250ms

ip ospf dead-interval minimal hello-multiplier 4

Page 166

Router ID

• Identifies an OSPF neighbor

• Dotted Decimal 32 bits

• 223.255.255.255 highest possible router ID

• Statically set the Router ID (preferred) *note: they may reboot the routers before they grade

router ospf 1

router-id 150.5.50.5

• Otherwise it uses the highest IP address of all configured loopbacks

• If no loopback is present it uses the highest interface IP address

• Used for virtual-link commands

• Highest Router ID wins DR election – Priority can offset election

Page 167

Link State Announcement (LSA) Types

• 1 - Router LSA - Each OSPF router generates a single Type 1 LSA to describe the status and cost (metric) of all links on the router. This LSA is flooded to each router within the OSPF area only.

• 2 - Network LSA - the designated router on a broadcast segment (e.g. Ethernet) lists which routers are joined together by the segment

• 3 - Network Summary LSA - an Area Border Router (ABR) takes information it has learned in one of its attached areas and summarizes it before sending it out to other areas

• 4 - ASBR Summary LSA - Type 5 External LSAs are flooded to all areas and the detailed next-hop information may not be available in those other areas. The ABR floods the information for the router (i.e. the Autonomous System Border Router) where the type 5 originated.

• 5 - AS External LSA - these LSAs contain information imported into OSPF from other routing processes. They are flooded to all areas (except stub areas).

• 6 - Group Membership LSA - defined for the Multicast extensions to OSPF (MOSPF).

• 7 - NSSA External LSA - Not-so-stubby areas (NSSAs) do not receive external LSAs from Area Border Routers, but are allowed to send external routing information for redistribution. They use type 7 LSAs to tell the ABRs about these external routes, which the Area Border Router then translates to type 5 external LSAs and floods as normal to the rest of the OSPF network.

Page 168

LSA Table

Intra/Inter | LSA | Advertising Router | Routing Table Display | Database command

Intra | 1 (Router) | All in area | O | show ip ospf database router

Intra | 2 (Network) | DR only | N/A | show ip ospf database network

Inter | 3 (Summary) | ABR | IA | show ip ospf database summary

Inter | 4 (Announces ASBRs) | ABR | N/A | show ip ospf database asbr-summary

External | 5 (Type 1 or Type 2) | ASBR | E2 (default) or E1 | show ip ospf database external

– | 6 (MOSPF) | Cisco can generate a syslog error | – | –

External | 7 | ASBR (in NSSA) | N1 or N2 | show ip ospf database nssa-external

To DR routers: 224.0.0.6. To all routers on the area network: 224.0.0.5

Page 169

Problems preventing Neighbor Adjacency

• Mismatched hello (and dead) timers

• Subnet information

• Authentication

• Area ID doesn’t match

• Area Stub flag not set

• Duplicate RID
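An added example (not from the slides) that turns the timer rules of the last few pages and this checklist into a neighbor-compatibility check, the kind of comparison one does when an adjacency sits in INIT or never appears. The Hello dataclass and the hub/spoke sample values are constructed; the default timers follow the timer table slide (point-to-point 10/40, non-broadcast and point-to-multipoint 30/120), and fast_hello_ms derives the sub-second hello from the hello-multiplier as the Fast Hellos slide describes.

```python
from dataclasses import dataclass
from typing import List

# Default hello/dead timers per OSPF network type (per the timer table slide).
DEFAULT_TIMERS = {
    "broadcast": (10, 40),
    "point-to-point": (10, 40),
    "non-broadcast": (30, 120),
    "point-to-multipoint": (30, 120),
}


def dead_after_hello_change(hello: int) -> int:
    """`ip ospf hello-interval N` resets the dead interval to 4 x hello."""
    return 4 * hello


def fast_hello_ms(hello_multiplier: int) -> int:
    """`ip ospf dead-interval minimal hello-multiplier N`: the dead interval is
    fixed at 1 s and hellos go out every 1000/N ms (N = 4 gives 250 ms)."""
    return 1000 // hello_multiplier


@dataclass(frozen=True)
class Hello:
    router_id: str
    area_id: str
    network: str        # interface prefix, e.g. "10.1.0.0/24"
    network_type: str
    hello: int
    dead: int
    auth_type: int      # 0 = null, 1 = clear text, 2 = MD5
    stub: bool          # E-bit cleared in the Options field for a stub area


def adjacency_blockers(local: Hello, remote: Hello) -> List[str]:
    """Every field two neighbors must agree on before an adjacency can form;
    returns the list of reasons it would fail (empty means compatible)."""
    problems = []
    if local.router_id == remote.router_id:
        problems.append("duplicate router ID")
    if local.area_id != remote.area_id:
        problems.append("area ID mismatch")
    if (local.hello, local.dead) != (remote.hello, remote.dead):
        problems.append("hello/dead timer mismatch")
    # The network mask is not compared on point-to-point links.
    if local.network_type != "point-to-point" and local.network != remote.network:
        problems.append("subnet/mask mismatch")
    if local.auth_type != remote.auth_type:
        problems.append("authentication type mismatch")
    if local.stub != remote.stub:
        problems.append("area stub flag mismatch")
    return problems


def default_hello(router_id: str, area_id: str, network: str, network_type: str,
                  auth_type: int = 0, stub: bool = False) -> Hello:
    """A hello carrying the default timers for its network type."""
    hello, dead = DEFAULT_TIMERS[network_type]
    return Hello(router_id, area_id, network, network_type, hello, dead, auth_type, stub)


# Constructed scenario: a hub on a physical frame-relay interface (non-broadcast,
# 30/120) peering with a spoke whose subinterface was left point-to-point (10/40).
HUB = default_hello("1.1.1.1", "0.0.0.0", "10.1.0.0/24", "non-broadcast")
SPOKE = default_hello("2.2.2.2", "0.0.0.0", "10.1.0.0/24", "point-to-point")
# The same spoke after `ip ospf network non-broadcast` on its subinterface.
SPOKE_FIXED = default_hello("2.2.2.2", "0.0.0.0", "10.1.0.0/24", "non-broadcast")


if __name__ == "__main__":
    print("hub <-> spoke:", adjacency_blockers(HUB, SPOKE))
    print("hub <-> fixed spoke:", adjacency_blockers(HUB, SPOKE_FIXED))
    print("fast hello with multiplier 4:", fast_hello_ms(4), "ms")
```

The first comparison reports only the timer mismatch, which is the symptom a mixed physical/subinterface frame-relay design produces; after the spoke's network type is aligned the list is empty.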

Page 170

Neighbor States

• Down State

• Init (clear or start a new OSPF process)

• 2-Way (elect DR/BDR)

• Exstart (master/slave)

– Master sends database description packets (contain link-state advertisement (LSA) headers only)

– Higher IP is master

• Exchange – use ip ospf mtu-ignore to avoid MTU problems (exchange the LSDB)

• Loading – LSR (request) ↔ LSU (updates)

• Full (Database synchronized and all Routes have been exchanged)

Page 171

Electing the DR and BDR

• Hello packets are exchanged via IP multicast.

• The router with the highest OSPF priority is selected as the DR.

• Use the OSPF router ID as the tie breaker.

• If no RID is configured, use the highest loopback IP

• If no loopback, use the highest interface IP

• The DR election is nonpreemptive.

Page 172

Setting Priority for DR Election

Router(config-if)# ip ospf priority number

• This interface configuration command assigns the OSPF priority to an interface.

• Different interfaces on a router may be assigned different values.

• The default priority is 1. The range is from 0 to 255.

• 0 means the router is a DROTHER; it can’t be the DR or BDR.
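Added example (this editor's, not the course's) covering the Router ID and DR election slides together: how a router derives its RID (static router-id, else highest loopback, else highest interface address) and how the segment picks a DR and BDR by priority with the RID as tie-breaker, with priority 0 excluded and an existing DR never displaced. Router names, addresses and priorities are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Router:
    name: str
    priority: int = 1                       # ip ospf priority (0..255)
    router_id: Optional[str] = None         # static `router-id`, the preferred way
    loopbacks: List[str] = field(default_factory=list)
    interfaces: List[str] = field(default_factory=list)

    def rid(self) -> str:
        """Static router-id, else highest loopback, else highest interface address
        (a router needs at least one address to run OSPF at all)."""
        if self.router_id:
            return self.router_id
        pool = self.loopbacks or self.interfaces
        return max(pool, key=ipaddress.ip_address)


def elect(routers: List[Router], current_dr: Optional[str] = None,
          current_bdr: Optional[str] = None) -> Tuple[Optional[str], Optional[str]]:
    """DR/BDR election on one segment. Highest priority wins and the highest
    router ID breaks ties; priority 0 routers never take part. The election is
    non-preemptive: a live DR keeps its role, and when the DR disappears the
    BDR is promoted and only the BDR slot is re-elected."""
    eligible: Dict[str, Router] = {r.name: r for r in routers if r.priority > 0}

    def rank(name: str):
        r = eligible[name]
        return (r.priority, ipaddress.ip_address(r.rid()))

    dr = current_dr if current_dr in eligible else None
    bdr = current_bdr if current_bdr in eligible else None
    if dr is None:
        if bdr is None and eligible:
            bdr = max(eligible, key=rank)
        dr, bdr = bdr, None          # promote the BDR
    if bdr is None:
        rest = [n for n in eligible if n != dr]
        bdr = max(rest, key=rank) if rest else None
    return dr, bdr


# Constructed segment: equal priorities, so the router ID decides.
SEGMENT = [
    Router("R1", loopbacks=["10.0.0.1", "10.255.0.1"]),
    Router("R2", router_id="150.5.50.5", loopbacks=["10.0.0.2"]),
    Router("R3", priority=0, interfaces=["10.1.0.3"]),       # DROTHER only
    Router("R4", loopbacks=["192.168.1.4"]),
]
LATECOMER = Router("R5", priority=100, loopbacks=["10.0.0.5"])


def walk_through() -> List[Tuple[Optional[str], Optional[str]]]:
    """Fresh election, then R5 joining with a higher priority (no change),
    then the DR failing (BDR promoted, R5 becomes the new BDR)."""
    first = elect(SEGMENT)
    after_join = elect(SEGMENT + [LATECOMER], *first)
    without_r4 = [r for r in SEGMENT if r.name != "R4"] + [LATECOMER]
    after_dr_loss = elect(without_r4, *after_join)
    return [first, after_join, after_dr_loss]


if __name__ == "__main__":
    for step, result in zip(("initial", "R5 joins", "R4 fails"), walk_through()):
        print(f"{step}: DR={result[0]} BDR={result[1]}")
```

R4 wins the first election purely on router ID (192.168.1.4 beats 150.5.50.5), R5's priority of 100 changes nothing while R4 is alive, and only when R4 fails does R2 step up with R5 as its backup.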

Page 173

Area Type

• All routers in an OSPF area must have the same area type set or no neighbor will be formed

• Totally Stubby and Totally NSSA have the ‘no-summary’ keyword added ONLY on the ABR

• NSSA does not inject a default route automatically. It must be configured on the ABR for the default to be sent:

– area 2 nssa default-information-originate

Area Type | ABR | LSA | Area Routers

Stub | stub | 2,3,4 / 1 | stub

Totally Stubby | stub no-summary | 2, 0.0.0.0 / 1 | stub

NSSA | nssa default-information-originate | 2, 0.0.0.0, 3,4 / 1,7 | nssa

Totally NSSA | nssa no-summary | 2, 0.0.0.0 / 1,7 | nssa

Page 174

Types of OSPF Routers

Page 175

OSPF Authentication

• Uses either Clear Text or MD5

• Can do either Area Authentication or Link Authentication

• If area 0 has authentication, any virtual links must have the same authentication configured

• Watch for extra spaces on your passwords

Page 176

Area Authentication

• Clear Text

r1lab(config)# router ospf 1

r1lab(config-router)# area 0 authentication

r1lab(config)# int serial 0

r1lab(config-if)# ip ospf authentication-key cisco

• MD5

r1lab(config)# router ospf 1

r1lab(config-router)# area 0 authentication message-digest

r1lab(config)# int s0

r1lab(config-if)# ip ospf message-digest-key 1 md5 cisco

Page 177

Link Authentication

• Clear Text

r1lab(config)# int s0

r1lab(config-if)# ip ospf authentication

r1lab(config-if)# ip ospf authentication-key cisco

• MD5

r1lab(config)# int s0

r1lab(config-if)# ip ospf authentication message-digest

r1lab(config-if)# ip ospf message-digest-key 1 md5 cisco
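Added example (not from the slides) of what the MD5 option on these pages actually does on the wire, as a receiver would verify it: with AuType 2 the 8-byte authentication field carries a key ID, the digest length and a cryptographic sequence number instead of a password, the packet is followed by MD5 over the packet plus the 16-byte zero-padded key, and a receiver checks both the digest and that the sequence number does not go backwards. The hello body, addresses and key are constructed; the header layout and digest construction follow RFC 2328 Appendix D. The "trailing space" case illustrates the slide's warning about extra spaces in passwords.

```python
import hashlib
import hmac
import ipaddress
import struct
from typing import Tuple


def _ip(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


def ospf_packet(ptype: int, router_id: str, area_id: str, body: bytes,
                key_id: int, crypt_seq: int) -> bytes:
    """24-byte OSPFv2 header with AuType 2 (cryptographic authentication).
    The checksum is left at zero; the Authentication field holds two zero
    bytes, the key ID, the digest length (16) and the cryptographic
    sequence number. With AuType 1 these 8 bytes carry the clear-text
    password itself, readable by anyone on the segment."""
    auth = struct.pack("!HBBI", 0, key_id, 16, crypt_seq)
    header = struct.pack("!BBH4s4sHH8s", 2, ptype, 24 + len(body),
                         _ip(router_id), _ip(area_id), 0, 2, auth)
    return header + body


def _digest(packet: bytes, password: str) -> bytes:
    # The key is the password padded with zero bytes to 16 bytes; it is
    # appended to the packet and MD5 is run over the concatenation.
    key = password.encode()[:16].ljust(16, b"\x00")
    return hashlib.md5(packet + key).digest()


def sign(packet: bytes, password: str) -> bytes:
    """Sender side: the 16-byte digest is appended after the OSPF packet."""
    return packet + _digest(packet, password)


def verify(signed: bytes, password: str) -> bool:
    packet, digest = signed[:-16], signed[-16:]
    return hmac.compare_digest(digest, _digest(packet, password))


def crypt_seq(signed: bytes) -> int:
    """Cryptographic sequence number: bytes 20..23 of the header."""
    return struct.unpack_from("!I", signed, 20)[0]


def accept(signed: bytes, password: str, last_seq: int) -> Tuple[bool, str]:
    """Receiver check: the digest must match and the sequence number must not
    be lower than the last one seen from this neighbor, which is what stops a
    captured packet from being replayed later."""
    if not verify(signed, password):
        return False, "bad digest"
    if crypt_seq(signed) < last_seq:
        return False, "replayed sequence number"
    return True, "ok"


# Constructed hello body: mask, hello 10, options, priority 1, dead 40, DR, BDR.
HELLO_BODY = struct.pack("!4sHBBI4s4s", _ip("255.255.255.0"), 10, 0x02, 1, 40,
                         _ip("10.1.0.1"), _ip("0.0.0.0"))
HELLO = ospf_packet(1, "1.1.1.1", "0.0.0.0", HELLO_BODY, key_id=1, crypt_seq=42)


if __name__ == "__main__":
    signed = sign(HELLO, "cisco")
    print("same key:          ", verify(signed, "cisco"))
    print("key with a space:  ", verify(signed, "cisco "))
    print("seq 42 after 41:   ", accept(signed, "cisco", 41))
    print("seq 42 after 43:   ", accept(signed, "cisco", 43))
```

Note that the digest covers the whole packet, so any change to the hello (timers, mask, options) also fails verification, which is why the key must be identical on both ends down to the last character.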

Page 178

Virtual Links

• Avoid in the real world

• Used to connect an area to the backbone through another area – an extension of area 0

• Configuration uses the router-id

• If authentication is configured on area 0 it must also be configured on the virtual link and on the far-side router.

• Needed in two cases:

– Discontiguous area 0

– Router touching two areas, but not area 0.

• Use Area Border Routers as endpoints

Page 179

Virtual Link Authentication

• Clear Text

r1lab(config)# router ospf 1

r1lab(config-router)# area 1 virtual-link 2.2.2.2 authentication-key cisco

• MD5

r1lab(config)# router ospf 1

r1lab(config-router)# area 1 virtual-link 2.2.2.2 message-digest-key 1 md5 cisco

• Remember that the far side of the virtual link must know what type of authentication area 0 is using

• A VL cannot traverse a stub area

• If you are required to traverse a VL to area 0, you must negate capability transit (no capability transit).

Page 180

Connecting a Non-Backbone Area Through a Stub Area

• Generic Routing Encapsulation (GRE) allows you to connect a discontiguous area to the backbone through a stub area

• GRE will cause extra packet overhead due to tunnel header information

Page 181

OSPF New Features

• Max LSA (Internal)

Page 182

OSPF New Features Cont.

• Maximum Prefixes (Networks)

Page 183

OSPF New Features Cont.

• Prevent OSPF router from being transit

• Max Metric uses 64000 – 65535 (16 bits)

Page 184

OSPF Summarization

• Two ways to summarize

–Area range used to summarize between OSPF areas. Always done on an ABR

•area 2 range 100.5.50.0 255.255.255.0

–Summary-address used to summarize external routes redistributed into OSPF. Always done on an ASBR

•summary-address 100.5.50.0 255.255.255.0

• Will inject a NULL0 route into the routing table. MUST get rid of the NULL0

•no discard-route internal – used with area range

•no discard-route external – used with summary-address

Page 185

Configuring Route Summarization

router(config-router)# area area-id range address mask

• Consolidates inter-area (IA) routes on an ABR

router(config-router)# summary-address address mask [not-advertise] [tag tag]

• Consolidates external routes, usually on an ASBR

Page 186

Filtering in OSPF

• Distribute lists work inbound only and cannot stop LSAs

Page 187

Break Area 0

• R1 and R2 have full knowledge of Area 0 routes and R3 and R4 have no knowledge.

Or on R2 OSPF

Page 188

Prevent type 7 to 5 routes from Area 0

Page 189

SESSION 8 BGP

Page 190

BGP

• Outline

–Operation

–State

–Attributes

–Order/Preference

–Aggregation

–Security

–Peer Groups

–Dampening

Page 191

iBGP Full Mesh Requirement

• All BGP speakers within an AS must be connected together in a full mesh. For n BGP speakers within an AS, that requires n*(n-1)/2 unique iBGP sessions to connect the eBGP routers

• If not meshed, routes must be redistributed into and synchronized with the IGP.

• Route reflectors and confederations may be used to avoid the full-mesh requirement or redistribution

Page 192

BGP Route Reflector

• Scales well unlike full mesh

• Optional Peer groups could be used to save configuration on the route reflector

r1lab(config-router)# neighbor 1.1.1.2 update-source loopback 0

r1lab(config-router)# neighbor 1.1.1.2 next-hop-self

r1lab(config-router)# neighbor 1.1.1.2 distribute-list 1 out

r1lab(config-router)# neighbor 1.1.1.2 route-reflector-client

r1lab(config-router)# neighbor 1.1.2.2 update-source loopback 0

r1lab(config-router)# neighbor 1.1.2.2 next-hop-self

r1lab(config-router)# neighbor 1.1.2.2 distribute-list 1 out

r1lab(config-router)# neighbor 1.1.2.2 route-reflector-client

Page 193

Route Reflector

Page 194

BGP Confederations

• Splits one AS into many smaller private ASes

– Private AS numbers are 64512 – 65535

• Connections between the private ASes are treated as special eBGP connections

• External ASes only participate in the public AS – they are not aware of the private ASes inside

Page 195

Confederation

(diagram: confederation sub-ASes 6502 and 6503)

Page 196

Manual Confederation

• Uses private ASes for iBGP and the public AS for eBGP

• Need to remove the private AS information

Page 197

Basic BGP Configuration

• Neighbors must be configured on both sides

• Neighbors must be directly connected or have a specific IGP route (a default route will not work) to the neighbor.

• Neighbors in the same AS are iBGP – iBGP will go 255 hops by default to find a neighbor

• Neighbors in different ASes are eBGP – eBGP will only go 1 hop to find a neighbor

•neighbor 1.1.1.1 ebgp-multihop <1-255> (needs an IGP route)

• If you use a loopback to neighbor, don’t forget to change the update source – BGP expects the directly connected interface to be the update source unless you specify it:

•neighbor 1.1.1.1 update-source loopback 0

• Advertised networks must have an exact match in the routing table in order for BGP to advertise the route

Page 198

State

• Idle

• Connect

–Active: resets the retry timer and kicks back to Idle

• OpenSent: version must be 4

• OpenConfirm

• Established

Page 199

Neighbors

Page 200

Synchronization Example

• An IGP running only on Routers B and C

• 31.106.0.0 will not appear in D's IP Routing Table

(diagram: AS 40, AS 45 and AS 50; routers A, B, C, D, E and F; iBGP and eBGP sessions; network 31.106.0.0)

Page 201

Synchronization Problem

• An eBGP learned route cannot be installed in the routing table of iBGP connected routers until the route has already been learned by the IGP connecting these routers

• It is almost always recommended to disable synchronization; otherwise the eBGP routes need to be redistributed directly into the IGP

r1lab(config)# router bgp 10

r1lab(config-router)# no synchronization

Page 202

Next Hop

• IGP should carry route to next hops

• Recursive route look-up

• Decouples BGP from actual physical topology

• If an IGP router does not have a route to the eBGP next hop, next-hop-self can be used on the iBGP/eBGP neighbor statement to provide connectivity

Page 203

Next Hop Example

(diagram: routers A, B, D and F; iBGP and eBGP sessions; network 31.106.0.0 with next hop F at 20.2.2.1/24; addresses 1.1.1.1 and 1.1.1.2)

• B does not advertise network 20.2.2.0 to A

• A will not install network 31.106.0.0 in its routing table since A does not know how to reach the next hop (20.2.2.1)

Page 204

Next-Hop-Self Problem

• An eBGP learned route cannot be installed in the IP routing table of iBGP connected routers unless the route’s next-hop address is reachable

r1lab(config)# router bgp 10

r1lab(config-router)# neighbor 10.1.1.2 next-hop-self

• eBGP neighbors always advertise themselves as the "next hop" for any routes sent.

• iBGP neighbors retain the original advertiser's address as the next hop.

• The issue with next-hop information is whether or not that next hop (the eBGP neighbor address) is reachable by the iBGP neighbors.

Page 205

Transit AS

• If an AS has 2 or more connections to the Internet, by default some traffic not destined for your AS may pass through your routers

• Two ways to stop this (explained later):

–AS-Path access-lists

–Communities

Page 206

BGP Characteristics

• Distance-vector protocol with enhancements:

–Reliable updates

–Triggered updates only

–Rich metrics (called path attributes)

• Designed to scale to huge internetworks

Page 207

BGP Path Attributes

• BGP metrics are called path attributes

• BGP attributes are categorized as well-known and optional

• Well-known attributes must be recognized by all compliant implementations

• Optional attributes are only recognized by some implementations (could be private), expected not to be recognized by everyone

Page 208

Well-Known BGP Attributes

• Well-known attributes are divided into mandatory and discretionary

• Well-known mandatory attributes must be present in all update messages

• Well-known discretionary attributes are optional - they could be present in update messages

• All well-known attributes are propagated to other neighbors

Page 209

WELL-KNOWN, MANDATORY

• AS-path: A list of the Autonomous Systems (AS) numbers that a route passes through to reach the destination. As the update passes through an AS the AS number is inserted at the beginning of the list. The AS-path attribute has a reverse-order list of AS passed through to get to the destination.

• Next-hop: The next-hop address that is used to reach the destination.

• Origin: Indicates how BGP learned a particular route. There are three possible types -- IGP (route is internal to the AS), EGP (learned via EBGP), or Incomplete (origin unknown or learned in a different way).

Page 210

WELL-KNOWN, DISCRETIONARY

• Local Preference: Defines the preferred exit point from the local AS for a specific route.

• Atomic Aggregate: Set when a router advertises an aggregate that causes path attribute information to be lost.

Page 211

Optional BGP Attributes

• Optional BGP attributes are transitive or non-transitive

• Optional transitive attributes

–Aggregator: Specifies the router ID and AS of the router that originated an aggregate prefix. Used in conjunction with the atomic aggregate attribute.

–Community: Used to group routes that share common properties so that policies can be applied at the group level.

• Optional non-transitive attributes

–Multi-exit-discriminator (MED): Indicates the preferred path into an AS to external neighbors when multiple paths exist.

• Recognized optional attributes are propagated to other neighbors based on their meaning (not constrained by transitive bit)

Page 212

Priority of Attributes

1. If the path specifies a next hop that is inaccessible, drop the update.

2. Prefer the path with the largest weight.

3. If the weights are the same, prefer the path with the largest local preference.

4. If the local preferences are the same, prefer the path that was originated by BGP running on this router.

5. If no route was originated, prefer the route that has the shortest AS_path.

6. If all paths have the same AS_path length, prefer the path with the lowest origin type (where IGP is lower than EGP, and EGP is lower than incomplete).

7. If the origin codes are the same, prefer the path with the lowest MED attribute.

8. If the paths have the same MED, prefer the external path over the internal path.

9. If the paths are still the same, prefer the path through the closest IGP neighbor.

10. Prefer the path with the lowest IP address, as specified by the BGP router ID.
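The ten steps above are easiest to check as code. The following Python model is added here and is not part of the course material: it applies the steps in order to a set of constructed candidate paths (the routers B, E and F, the AS numbers and the router IDs are assumed for the illustration) and reports which step decided the outcome.

```python
"""BGP best-path selection: the ten decision steps from the slide, as runnable code.

Added illustration, not course code. The Path fields and the sample routers
(B, E, F), AS numbers and router IDs are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Step 6 orders origin types: IGP is lower than EGP, and EGP is lower than incomplete.
ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}


@dataclass
class Path:
    """One candidate path for a prefix, as held in this router's BGP table."""
    peer: str                         # neighbor the path was learned from
    next_hop_reachable: bool          # step 1: is the next hop in the routing table?
    weight: int = 0                   # Cisco weight, local to this router only
    local_pref: int = 100             # slide: default local preference is 100
    locally_originated: bool = False  # step 4: originated by BGP on this router
    as_path: List[int] = field(default_factory=list)
    origin: str = "igp"
    med: int = 0                      # slide: default MED is 0
    external: bool = False            # True for an eBGP-learned path
    igp_metric: int = 0               # IGP cost to the next hop (step 9)
    router_id: str = "0.0.0.0"        # router ID of the advertising peer (step 10)


def _rid_key(rid: str) -> Tuple[int, ...]:
    """Dotted-quad router ID as a tuple so '9.0.0.1' sorts below '10.0.0.1'."""
    return tuple(int(octet) for octet in rid.split("."))


def _rank(p: Path) -> tuple:
    """Steps 2-10 as one tuple: the preferred path sorts first on every element."""
    return (
        -p.weight,                           # 2: largest weight
        -p.local_pref,                       # 3: largest local preference
        0 if p.locally_originated else 1,    # 4: locally originated route
        len(p.as_path),                      # 5: shortest AS_path
        ORIGIN_RANK[p.origin],               # 6: lowest origin type
        p.med,                               # 7: lowest MED
        0 if p.external else 1,              # 8: external (eBGP) over internal
        p.igp_metric,                        # 9: closest IGP neighbor
        _rid_key(p.router_id),               # 10: lowest BGP router ID
    )


def best_path(paths: List[Path]) -> Optional[Path]:
    """Return the winning path, or None when every candidate fails step 1."""
    # Step 1: a path whose next hop is inaccessible is dropped before comparison.
    candidates = [p for p in paths if p.next_hop_reachable]
    if not candidates:
        return None
    return min(candidates, key=_rank)


def deciding_step(a: Path, b: Path) -> int:
    """First step (1-10) at which a and b differ; 0 if they tie on all ten."""
    if a.next_hop_reachable != b.next_hop_reachable:
        return 1
    for step, (x, y) in enumerate(zip(_rank(a), _rank(b)), start=2):
        if x != y:
            return step
    return 0


# Constructed sample: three paths to one prefix as seen by a router in AS 65000.
SAMPLE_PATHS = [
    # iBGP path from B; a route-map inside the AS raised its local preference.
    Path("B", True, local_pref=200, as_path=[65010], external=False,
         igp_metric=20, router_id="10.0.0.2"),
    # eBGP path from E with default attributes.
    Path("E", True, as_path=[65020], external=True, router_id="10.0.0.5"),
    # Path from F has the highest weight, but its next hop is not in the routing table.
    Path("F", False, weight=32768, as_path=[65030], external=True, router_id="10.0.0.6"),
]

# Same prefix, but everything through step 7 is equal: the eBGP path wins at step 8.
TIE_PATHS = [
    Path("B", True, as_path=[65010], external=False, igp_metric=5, router_id="10.0.0.2"),
    Path("E", True, as_path=[65020], external=True, igp_metric=50, router_id="10.0.0.5"),
]

if __name__ == "__main__":
    winner = best_path(SAMPLE_PATHS)
    print("best path via", winner.peer,
          "decided at step", deciding_step(SAMPLE_PATHS[0], SAMPLE_PATHS[1]))
    print("tie case via", best_path(TIE_PATHS).peer)
```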

Page 213

Weight

• The weight attribute is a Cisco-defined attribute used for the path selection process. The weight is configured locally on a router and is not propagated to any other routers.

Page 214

Origin

• The origin attribute indicates how BGP learned about a particular route. The origin attribute can have one of three possible values:

–IGP—The route is interior to the originating AS. This value is set when the network router configuration command is used to inject the route into BGP. [0] i

–EGP—The route is learned via the Exterior Border Gateway Protocol (EGP). [1] e

–Incomplete—The origin of the route is unknown or learned in some other way. An origin of incomplete occurs when a route is redistributed into BGP. [?]

Page 215

AS-Path

• The AS-path attribute is empty when a local route is inserted in the BGP table

• The sender’s AS number is prepended to the AS-path attribute when the routing update crosses AS boundary

• The receiver of BGP routing information can use the AS-path to determine through which AS the information has passed

• An AS that receives routing information with its own AS number in the AS-path silently ignores the information

Prepending to the AS-path can be used as a metric:

route-map prepend permit 10

 match ip address 1

 set as-path prepend 100 100 100

Page 216

Next-Hop Attribute

• Next-hop attribute indicates the next-hop IP address used for packet forwarding

• Usually set to the IP address of the sending BGP router

Page 217

Multi-Exit Discriminator Attribute

• The multi-exit discriminator (MED) or metric attribute is used as a suggestion to an external AS regarding the preferred route into the AS that is advertising the metric.

• Only works between directly connected AS's; it is not transitive

• Default MED 0

Page 218

Local Preference

• The local preference attribute is used to prefer an exit point from the local autonomous system (AS). Unlike the weight attribute, the local preference attribute is propagated throughout the local AS. If there are multiple exit points from the AS, the local preference attribute is used to select the exit point for a specific route.

• Default Local Preference 100

Page 219

Atomic aggregate

• The Atomic aggregate attribute serves as an indication to the receiver that it must not "deaggregate" the prefix, because some of the granularity associated with the AS paths may have been lost when the aggregate was created, and deaggregation could result in the introduction of loops.

• Border Gateway Protocol (BGP) allows the aggregation of specific routes into one route with the aggregate-address address mask [as-set] [summary-only] [suppress-map map-name] [advertise-map map-name] [attribute-map map-name] command. When you issue the aggregate-address command without any arguments, there is no inheritance of the individual route attributes (such as AS_PATH or community).

Page 220

Aggregator

• AGGREGATOR is an optional transitive attribute of length 6. The attribute contains the last AS number that formed the aggregate route (encoded as 2 octets), followed by the IP address of the BGP speaker that formed the aggregate route (encoded as 4 octets). This SHOULD be the same address as the one used for the BGP Identifier of the speaker.

• Created from enabling AS-Set

Page 221

Communities

• RFC1997, RFC1998

• Optional attribute

• Range: 0 to 4,294,901,760

• Method to group destinations into communities and apply routing decisions (accept, prefer, redistribute, etc.) using route-maps

• Route maps are used to set the community attribute. Predefined community attributes are listed here:

–no-export—Do not advertise this route to EBGP peers.

–no-advertise—Do not advertise this route to any peer.

–internet—Advertise this route to the Internet community; all routers in the network belong to it.

–local-AS — Use in confederation scenarios to prevent sending packets outside the local autonomous system (AS).

• Communities are AS-specific and are stripped (by default) when the route transits an AS

Page 222

Originator-ID

• Originator-ID is an optional, nontransitive BGP attribute. This is a 4-byte attribute created by a route reflector. The attribute carries the router ID of the originator of the route in the local autonomous system. Therefore, if a misconfiguration causes routing information to come back to the originator, the information is ignored.

Page 223

Cluster List

• Cluster-list is an optional, nontransitive BGP attribute. It is a sequence of cluster IDs that the route has passed. When a route reflector reflects a route from its clients to nonclient peers, and vice versa, it appends the local cluster ID to the cluster-list. If the cluster-list is empty, it creates a new one. Using this attribute, a route reflector can identify if routing information is looped back to the same cluster due to misconfiguration. If the local cluster ID is found in the cluster-list, the advertisement is ignored.

Page 224

BGP Path Attribute Summary

Well-known mandatory attributes

–Recognized by everyone, always present: AS-Path, Next-Hop, Origin

Well-known discretionary

–Recognized by everyone, optional: Local Preference, Atomic Aggregate

Optional transitive

–Might not be recognized, propagated if not: BGP Community, Aggregator

Optional non-transitive

–Might not be recognized, dropped if not: Multi-exit-discriminator

Page 225

Announcing Networks in BGP

• Only administratively defined networks are announced in BGP

–Manually configure networks to be announced <network mask>

–Use redistribution from IGP

–Use aggregation to announce summary prefixes

Page 226

Manually Announce Classless Prefix in BGP

router(config-router)# network ip-prefix-address mask subnet-mask

Configures a classless prefix to be advertised into BGP

The prefix must exactly match an entry in the IP forwarding table

Hint: use a static route to null 0 to create a matching prefix in the IP forwarding table

Page 227

Redistributing Routes from IGP

• Easier than listing networks in BGP process in large networks

• Redistributed routes carry origin-attribute ‘incomplete’

• Always filter redistributed routes to prevent route leaking

Page 228

Aggregating BGP Networks

• Summarization is called aggregation in BGP

–Aggregation creates summary routes (called aggregates) from networks already in the BGP table

–Individual networks could be announced or suppressed

Page 229

Configuring Aggregation

router(config)# router bgp as-number

router(config-router)# aggregate-address address-prefix mask

• Specify aggregation range in BGP routing process

• The aggregate will be announced if there is at least one network in the specified range in the BGP table

• Individual networks will still be announced in outgoing BGP updates

Page 230

Configuring Aggregation

router(config)# router bgp as-number

router(config-router)# aggregate-address address-prefix mask summary-only

• Configure aggregation of BGP routes

• Advertise only the aggregate and not the individual networks

• Benefits:

–Smaller BGP routing tables

–More stable internetworks (less route flapping)

• Drawbacks:

–Problems with multi-homed customers

Page 231

Configuring Aggregation with other options

• Summary plus AS path

• Prevents loops in the summary

Page 232

Aggregate cont.

• Other options that can be enabled are:

–Attribute maps are used to set the attributes of the aggregate route, since by default the aggregate carries the attributes of the original routes when they are summarized

–Advertise maps allow the aggregate to inherit the attributes from the specific networks identified in the advertise map. It is important to note that the attribute map overrides the advertise map

–Suppress maps override the summary-only keyword and suppress only the routes matched by the suppress map

–Un-suppress maps selectively un-suppress networks that were suppressed by a suppress-map

Page 233

Configuring BGP Communities

• BGP communities are configured in the following steps:

–Configure route tagging with BGP communities

–Configure BGP community propagation

–Define BGP community access-lists (community-lists) to match BGP communities

–Configure route-maps that match on community-lists and filter routes or set other BGP attributes

–Apply route-maps to incoming or outgoing updates

Page 234

Community Setting Through Route-Map

router(config)# route-map name

 match condition

 set community value [value …] [additive]

• Route tagging with communities is always done with a route-map

• Any number of communities can be specified

• Communities specified in the set keyword overwrite existing communities unless you specify the additive option

Page 235

Attaching Communities to a Route

router(config-router)# neighbor ip-address route-map map in | out

• Applies a route-map to inbound or outbound BGP updates

• The route-map can set BGP communities or other BGP attributes

router(config-router)# redistribute protocol route-map map

• Applies a route-map to redistributed routes

Page 236

Configure Community Propagation

router(config-router)# neighbor ip-address send-community

• By default, communities are stripped in outgoing BGP updates

• Community propagation to BGP neighbors has to be manually configured

• BGP peer groups are ideal for configuring BGP community propagation toward a large number of neighbors

Page 237

Related Commands

set community none: removes all community attributes

set comm-list delete: removes specific communities

ip community-list 1 permit 200:100

route-map REM_COM permit 10

 set comm-list 1 delete

set community additive: appends to the existing communities

set community 450 additive

ip community-list 1 permit 200:10: matches any route that has 200:10 as one of its communities

ip community-list number permit 200:10 100:10: matches any route that has either or both communities

ip community-list number permit 200:10 100:10 exact-match: matches only those routes that are members of both communities
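The set, additive, none and comm-list delete operations above, the default stripping of communities on outgoing updates unless send-community is configured, and the well-known community values from the Communities slide, modelled in Python as an added example (not from the course; the function names and the sample community sets are constructed for the illustration).

```python
"""BGP community handling: AS:nn encoding, the well-known values, the route-map
set / additive / none and comm-list delete operations, and the outbound stripping
that send-community switches off.

Added illustration, not course code; function names and samples are constructed.
"""
from typing import Iterable, Set

# Well-known communities (RFC 1997) with the names IOS uses for them.
INTERNET = 0x00000000
NO_EXPORT = 0xFFFFFF01
NO_ADVERTISE = 0xFFFFFF02
LOCAL_AS = 0xFFFFFF03          # RFC 1997 calls this NO_EXPORT_SUBCONFED
WELL_KNOWN = {INTERNET: "internet", NO_EXPORT: "no-export",
              NO_ADVERTISE: "no-advertise", LOCAL_AS: "local-AS"}


def parse_community(text: str) -> int:
    """'200:100' -> 32-bit value: high 16 bits are the AS, low 16 bits the number."""
    for value, name in WELL_KNOWN.items():
        if text == name:
            return value
    if ":" in text:
        asn, local = (int(part) for part in text.split(":", 1))
        if not (0 <= asn <= 0xFFFF and 0 <= local <= 0xFFFF):
            raise ValueError(f"community out of range: {text}")
        return (asn << 16) | local
    value = int(text)                     # plain decimal form, e.g. '450'
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"community out of range: {text}")
    return value


def format_community(value: int) -> str:
    """Inverse of parse_community; well-known values print by name."""
    return WELL_KNOWN.get(value, f"{value >> 16}:{value & 0xFFFF}")


def set_community(existing: Set[int], values: Iterable[str],
                  additive: bool = False) -> Set[int]:
    """'set community value... [additive]': overwrite unless additive.
    'set community none' clears every community."""
    values = list(values)
    if values == ["none"]:
        return set()
    new = {parse_community(v) for v in values}
    return (set(existing) | new) if additive else new


def comm_list_delete(existing: Set[int], comm_list: Iterable[str]) -> Set[int]:
    """'set comm-list N delete': remove the communities the list permits."""
    return set(existing) - {parse_community(v) for v in comm_list}


def community_list_matches(permitted: str, communities: Set[int]) -> bool:
    """'ip community-list N permit C': the route carries C among its communities."""
    return parse_community(permitted) in communities


def outbound_communities(communities: Set[int], send_community: bool) -> Set[int]:
    """Communities are stripped from outgoing updates unless send-community is set."""
    return set(communities) if send_community else set()


def may_advertise(communities: Set[int], peer: str) -> bool:
    """Effect of the well-known communities on one peer: 'ibgp', 'confed'
    (another member AS of the confederation) or 'ebgp'."""
    if NO_ADVERTISE in communities:
        return False                      # to nobody
    if NO_EXPORT in communities and peer == "ebgp":
        return False                      # stays inside the AS / confederation
    if LOCAL_AS in communities and peer != "ibgp":
        return False                      # stays inside the member AS
    return True


if __name__ == "__main__":
    # Constructed walk-through of the slide's commands on one route.
    comms = set_community(set(), ["200:100"])
    comms = set_community(comms, ["450"], additive=True)
    comms = comm_list_delete(comms, ["200:100"])       # route-map REM_COM
    print(sorted(format_community(c) for c in comms))
    print(outbound_communities(comms, send_community=False))
```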

Page 238

AS Path Filtering

• Several scenarios require BGP route filtering based on AS-path

–Announce only local routes to the ISP - AS-path needs to be empty

–Select routes based on a specific AS-number in the AS-path

–Accept routes for specific AS only from some BGP neighbors

• AS-path filters use regular expressions

Page 239

Regular Expressions: Ranges and Wildcard Characters

• A range of characters matches any single character in the range; examples: [1234] or [1-4]

• dot (.) matches any single character

Page 240

Regular Expressions: Matching Delimiters

^ matches beginning of string

$ matches end of string

_ matches any delimiter (beginning, end, whitespace, tab, comma)

Page 241

Regular Expressions: Repeating Operators

* matches zero or more instances

? matches zero or one instances

+ matches one or more instances

Page 242

Sample Regular Expressions

• _100_ : Going through AS 100

• ^100$ : Directly connected to AS 100

• _100$ : Originated in AS 100

• ^100_.* : Networks behind AS 100

• ^[0-9]+$ : AS paths one AS long

• ^$ : Networks originated in the local AS

• .* : Matches everything

Page 243

Regular Expression Examples

• Routes originated from a directly connected AS ( 5 ).

^5$

• Routes that passed through AS 6.

_6_

• Routes that originated in AS 7.

_7$

• Routes that originated in an odd AS.

[1,3,5,7,9]$

• Routes that originated in AS 3, or in an AS directly attached to AS 3.

^3_[0-9]*$
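To check the expressions on this and the previous two slides against real AS_PATH strings, the following Python model (added here, not from the course) rewrites the IOS _ delimiter into standard regex syntax and then applies an as-path access-list, first match wins with an implicit deny, to constructed outbound updates. The AS numbers and prefixes are assumed for the illustration.

```python
"""IOS-style AS-path regular expressions applied to AS_PATH strings.

Added illustration, not course code. The '_' delimiter is rewritten as the slide
defines it (beginning, end, whitespace, tab, comma); braces and parentheses are
included as well because IOS also treats the AS_SET and confederation markers
as delimiters. Sample AS numbers and prefixes are constructed.
"""
import re
from typing import List, Tuple

# What '_' stands for once translated to Python's re syntax.
_DELIM = r"(?:^|$|[\s,{}()])"


def to_python_regex(ios_expr: str) -> str:
    """Translate an IOS AS-path regex; '_' is the only construct that differs."""
    return ios_expr.replace("_", _DELIM)


def as_path_matches(ios_expr: str, as_path: str) -> bool:
    """True when the AS_PATH string (space-separated ASNs, '' for local) matches."""
    return re.search(to_python_regex(ios_expr), as_path) is not None


# An as-path access-list: ordered (action, regex) entries, first match wins,
# implicit deny at the end, as on IOS.
AsPathAcl = List[Tuple[str, str]]


def acl_permits(acl: AsPathAcl, as_path: str) -> bool:
    for action, expr in acl:
        if as_path_matches(expr, as_path):
            return action == "permit"
    return False


def filter_updates(acl: AsPathAcl, updates: List[Tuple[str, str]]) -> List[str]:
    """Apply an AS-path filter to (prefix, as_path) updates; return permitted prefixes."""
    return [prefix for prefix, path in updates if acl_permits(acl, path)]


# Constructed AS_PATH strings to exercise the slide's sample expressions.
PATH_SAMPLES = {
    "local":      "",
    "direct_100": "100",
    "via_100":    "200 100 300",
    "orig_100":   "300 100",
    "behind_100": "100 65001",
    "not_100":    "2100 300",
}

# "Announce only local routes to the ISP": permit the empty AS_PATH, deny the rest.
LOCAL_ONLY_ACL: AsPathAcl = [("permit", "^$")]

# Constructed outbound updates: one locally originated prefix, two learned ones.
SAMPLE_UPDATES = [
    ("192.0.2.0/24", ""),                # originated in the local AS
    ("198.51.100.0/24", "65010"),        # learned from a customer AS
    ("203.0.113.0/24", "65010 65020"),   # learned two AS hops away
]

if __name__ == "__main__":
    for expr in ("_100_", "^100$", "_100$", "^100_.*", "^[0-9]+$", "^$", ".*"):
        hits = [name for name, path in PATH_SAMPLES.items() if as_path_matches(expr, path)]
        print(f"{expr:10s} -> {hits}")
    print("sent to ISP:", filter_updates(LOCAL_ONLY_ACL, SAMPLE_UPDATES))
```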

Page 244

Configuring BGP AS-path Filters

router(config)# ip as-path access-list number permit|deny regexp

• Configures AS-path access list

router(config-router)# neighbor ip-address filter-list as-path-filter in|out

• Configures inbound or outbound AS-path filter for specified BGP neighbor

Page 245

Conditional Route Injection

• Used to inject a more specific prefix into BGP based on the existence of an aggregate route, or to originate a default route based on the existence of a particular route

Page 246

BGP Authentication

• Authentication is MD5

• Configured on a per neighbor basis; the same password must be configured on both neighbors

r1lab(config)# router bgp 10

r1lab(config-router)# neighbor 2.2.2.2 remote-as 10

r1lab(config-router)# neighbor 2.2.2.2 password CISCO

r2(config)# router bgp 10

r2(config-router)# neighbor 1.1.1.1 remote-as 10

r2(config-router)# neighbor 1.1.1.1 password CISCO

Page 247

BGP Route Flap Dampening Goals

• Minimize the amount of BGP update processing in the Internet

• Do not suppress routes that occasionally flap

• Suppress routes that are likely to flap in the future based on the history of their behavior

Flap = removal of a route

Suppress = do not use a route after it reappears

Page 248

Route Flap Dampening Implementation

• Every time an eBGP route flaps it gets 1000 penalty points (iBGP routes are not dampened)

• The penalty placed on a route is decayed using the exponential decay algorithm

• When the penalty exceeds “suppress limit”, the route is dampened (no longer used or propagated to other neighbors)

• A dampened route is propagated when the penalty drops below “reuse limit”

Page 249

Route Flap Dampening Implementation

• Flap history is forgotten when the penalty drops below half of “reuse limit”

• The route is never dampened for more than “max-suppress” time

• An unreachable route with flap history is put in “history state” - it stays in the BGP table but only to maintain the flap history

• A penalty is applied on the individual path in the BGP table, not on the IP prefix

Page 250

Configuring BGP Route Flap Dampening

router(config-router)# bgp dampening [half-time [reuse-limit suppress-limit max-suppress]] [route-map route-map]

Configures BGP route flap dampening. Parameter meaning:

– half-time: exponential decay half-time (time in which the penalty is halved)

– suppress-limit: penalty value at which the route starts to be dampened

– reuse-limit: penalty value at which the dampened route is reused

– max-suppress: maximum suppression time

– route-map: dampening parameters are specified with a route-map

Page 251

Default BGP Dampening Parameter Values

The following default dampening parameter values are used if you don’t specify them:

– half-time 15 minutes

– per-flap penalty 1,000 (non-configurable)

– suppress limit 2,000

– reuse limit 750

– max-suppress-time 60 minutes
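The dampening behaviour from the previous three slides, run with these default values, as an added Python model (not course material). The flap timeline is constructed, and the penalty ceiling of reuse-limit × 2^(max-suppress / half-time) is the mechanism assumed here for the "never dampened for more than max-suppress" rule: a penalty at that ceiling decays to the reuse limit in exactly max-suppress minutes.

```python
"""BGP route flap dampening: per-flap penalty, exponential decay, suppress and
reuse limits, history state, with the slide's default parameter values.

Added illustration, not course code. The ceiling reuse_limit * 2**(max_suppress /
half_time) is assumed as the way the max-suppress bound is enforced; the flap
timeline in simulate() is constructed.
"""
import math
from dataclasses import dataclass
from typing import Dict, Iterable


@dataclass(frozen=True)
class DampeningParams:
    half_time: float = 15.0          # minutes for the penalty to halve
    reuse_limit: float = 750.0       # route reused once the penalty drops below this
    suppress_limit: float = 2000.0   # route dampened once the penalty exceeds this
    max_suppress: float = 60.0       # minutes; longest a route stays suppressed
    flap_penalty: float = 1000.0     # per flap, not configurable

    @property
    def max_penalty(self) -> float:
        """Ceiling that decays to reuse-limit in exactly max-suppress minutes."""
        return self.reuse_limit * 2 ** (self.max_suppress / self.half_time)


class DampenedPath:
    """Dampening state for one path in the BGP table (penalties are per path)."""

    def __init__(self, params: DampeningParams = DampeningParams(), ibgp: bool = False):
        self.p = params
        self.ibgp = ibgp              # iBGP-learned paths are never dampened
        self.penalty = 0.0
        self.last_update = 0.0        # minute at which the penalty was last decayed
        self.suppressed = False
        self.has_history = False      # "history state": kept only for the flap record

    def _decay(self, now: float) -> None:
        """Exponential decay since the last update, then apply the thresholds."""
        elapsed = now - self.last_update
        if elapsed > 0:
            self.penalty *= 0.5 ** (elapsed / self.p.half_time)
            self.last_update = now
        if self.penalty < self.p.reuse_limit / 2:
            self.penalty = 0.0        # flap history is forgotten below reuse/2
            self.has_history = False
        if self.suppressed and self.penalty < self.p.reuse_limit:
            self.suppressed = False   # dampened route is propagated again

    def flap(self, now: float) -> None:
        """Record a withdrawal of the route at minute `now`."""
        if self.ibgp:
            return
        self._decay(now)
        self.penalty = min(self.penalty + self.p.flap_penalty, self.p.max_penalty)
        self.has_history = True
        if self.penalty > self.p.suppress_limit:
            self.suppressed = True

    def usable(self, now: float) -> bool:
        """Is the path used and propagated at minute `now`?"""
        self._decay(now)
        return not self.suppressed

    def minutes_until_reuse(self, now: float) -> float:
        """Time a suppressed path still waits before reuse; 0 when not suppressed."""
        self._decay(now)
        if not self.suppressed:
            return 0.0
        return self.p.half_time * math.log2(self.penalty / self.p.reuse_limit)


def simulate(flap_times: Iterable[float], probe_times: Iterable[float],
             params: DampeningParams = DampeningParams()) -> Dict[float, bool]:
    """Apply flaps at the given minutes (ascending), then report usability at
    each later probe minute."""
    path = DampenedPath(params)
    for t in flap_times:
        path.flap(t)
    return {t: path.usable(t) for t in probe_times}


if __name__ == "__main__":
    # Constructed timeline: three withdrawals one minute apart, then two probes.
    print(simulate([0.0, 1.0, 2.0], [2.0, 33.0]))
```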

Page 252

Limiting the Number of Routes Received from a Neighbor

Problem definition:

–A misconfigured BGP neighbor can send a huge number of prefixes that exhaust router’s memory or overload the CPU (several Internet-wide incidents have already occurred)

–All other filtering mechanisms only specify what we’re willing to accept but not how much

–A new tool is needed to establish a hard limit on the number of prefixes received from a neighbor

Page 253

Maximum-Prefix Command

router(config-router)# neighbor ip-address maximum-prefix maximum [threshold] [warning-only]

• Controls how many prefixes can be received from a neighbor

• Optional threshold parameter specifies the percentage where a warning message is logged (default is 75%)

• Optional warning-only keyword specifies the action on exceeding the maximum number (default is to drop the neighborship)

Page 254

End of Day 3 Lecture

Page 255

SESSION 9

Multicast

Page 256

Multicast

• Outline

–Address

–RPF

–Dense/Sparse

–Source/shared

–Static RP

–Auto-RP

–BSR

–Stub

–M-B-M

–MSDP /Anycast

Page 257

Multicast Address Range

Page 258

Mapping a MAC Address

Page 259

Reverse Path Forwarding

Page 260

RPF Calculation

Page 261

RPF with two paths

Page 262

Multicast Distribution Trees

Dense mode uses a source tree with push technology, which is very chatty

Page 263

Shared Distribution Tree

Sparse mode uses a shared tree with pull technology

Page 264

Characteristics of Distribution Trees

Page 265

Multicast Tree Creation

Page 266

Multicast Distribution Tree Example

Page 267

Different types of PIM

Page 268

PIM Sparse Mode

Page 269

How does the network know about the RP?

Page 270

Static RPs

Page 271

Auto RP

• Uses:

– Intended for PIMv1

– Candidate RPs (C-RP)

– Mapping agent (collects announcements and sends RP discovery messages on 224.0.1.40)

– The RPs announce on 224.0.1.39

– Recommended to locate the C-RP and mapping agent on the same router

– Uses dense mode to find the RP as a fallback

Page 272

Auto RP

Page 273

Auto RP Cont.

Page 274

Auto-RP configured

Page 275

BSR Election

Page 276

BSR Overview

PIM join messages that might inadvertently cross the border

Page 277

BSR Highest Priority

Page 278

Cont.

Page 279

BSR Cont.

Page 280

Configuring BSR

Hash mask, priority

RP priority

Page 281

Anycast – RP Overview

Page 282

MSDP

Page 283

Anycast RP

Page 284

Anycast RP Cont.

Page 285

Multicast-Broadcast-Multicast

Page 286

IGMP Stub

Page 287

SESSION 10 QoS

Page 288

QoS

• Outline

–Modular QoS CLI (MQC)

–LLQ

–Police/CAR

–WRED, CBWRED

–Marking

–Shaping, FRTS

–Fragmenting

–NBAR

Page 289

MQC Class-maps

• class-map lab (match-all is the default; match-any is the alternative)

• match = classify

• match ? (classification criteria):

– Input interface f0/0

– Destination MAC address

– Source MAC address

– fr-de, fr-dlci

– cos, dscp, ip precedence

– any

– access-group

– protocol (NBAR; download PDLMs)

• Requires CEF

• Can run NBAR protocol discovery (ip nbar protocol-discovery)

– Packet length min or max

Page 290

Policy-Map and DSCP

• class lab

– set cos, dscp, or ip precedence

• DSCP has 64 different values ("colors") to mark traffic

• mls qos map dscp-map lab 31 to 41

Page 291

CBWFQ

• int f0/0

– max-reserved-bandwidth 100 (75% is the default)

• A policy-map can use kbps or percent, but not both

• policy-map voice

– class CONTROL

– bandwidth 1000

– class VOICE

– priority 10000

• Can have 255 classes total

When a strict priority queue is applied to CBWFQ, it is referred to as LLQ

Page 292

Police/CAR

Parameters: bits per second, normal burst (bytes), maximum burst (bytes)

• Use on edge routers to classify and/or rate-limit traffic

• Can be applied to all traffic or to a subset of the traffic selected by an access list

• Configured on an interface

• rate-limit {input | output} bps normal-burst max-burst conform-action action exceed-action action

• rate-limit {input | output} access-group index bps normal-burst max-burst conform-action action exceed-action action

Page 293

CBWFQ Architecture Insertion policy

Page 294

Applying RED

You can change to DSCP-based with: random-detect dscp-based

Page 295

Configuring WRED on an interface

minimum threshold (number of packets)

maximum threshold (number of packets)

mark probability denominator

When the average queue size is above the minimum threshold, RED starts dropping packets.

The rate of packet drop increases linearly as the average queue size increases, until the average queue size reaches the maximum threshold.

The mark probability denominator is the fraction of packets dropped when the average queue size is at the maximum threshold. For example, one out of every 100 packets is dropped when the average queue size is at the maximum threshold.
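The drop curve just described, as an added example (Python, not from the course): no drops below the minimum threshold, a linear ramp up to 1/mark-probability-denominator at the maximum threshold, and tail drop above it. Because WRED acts on the average queue size rather than the instantaneous one, the block also carries the exponentially weighted average (the weight 2^-9 is Cisco's default exponential-weighting-constant; the threshold values and queue samples are constructed).

```python
"""Added example: the WRED drop probability curve from the slide and the
average queue size it is evaluated against. Thresholds and samples are constructed."""


def wred_drop_probability(avg_queue: float, min_th: int, max_th: int, mark_prob_den: int) -> float:
    """Probability that an arriving packet is dropped at a given average queue size."""
    if avg_queue < min_th:
        return 0.0                      # below the minimum threshold: nothing is dropped
    if avg_queue > max_th:
        return 1.0                      # above the maximum threshold: every packet is dropped
    max_p = 1.0 / mark_prob_den         # e.g. denominator 100 -> 1 in 100 dropped at max_th
    # Linear ramp from 0 at min_th to max_p at max_th.
    return max_p * (avg_queue - min_th) / (max_th - min_th)


def update_average(old_avg: float, current_queue: int, exponent: int = 9) -> float:
    """Exponentially weighted average: new = old*(1 - 2^-n) + current*2^-n."""
    w = 2.0 ** -exponent
    return old_avg * (1 - w) + current_queue * w


def simulate(queue_samples, min_th, max_th, mark_prob_den, exponent=9):
    """For constructed instantaneous queue depths, return (avg_queue, drop_prob) per sample."""
    avg = 0.0
    trace = []
    for q in queue_samples:
        avg = update_average(avg, q, exponent)
        trace.append((round(avg, 2),
                      round(wred_drop_probability(avg, min_th, max_th, mark_prob_den), 4)))
    return trace


if __name__ == "__main__":
    # A sustained 100-packet queue: the average (and the drop rate) climb slowly with n = 9.
    for step, (avg, p) in enumerate(simulate([100] * 600, 20, 40, 10)[::100]):
        print(f"sample {step * 100:4d}: avg={avg:6.2f} drop_prob={p}")
```

The slow averaging is the point to notice: a short burst barely moves the average and is never dropped, while a standing queue eventually pushes the average past the maximum threshold, where WRED degenerates into tail drop.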

Page 296

Shaping

• Shape

Page 297

Shape Peak

• Allow the router to peak to 64k

• Peak rate = CIR × (1 + Be/Bc)

• Router(config-pmap-c)# shape {average | peak} cir [bc] [be]

• Shape adaptive: reacts to frames with the BECN bit set to 1

• On a BECN the rate slows down by 25%; after 16 Tcs are received with no BECNs, the rate increases by 1/16 every Tc

• Can also use fecn-adapt to reflect a received FECN back to the other router so that it sees the BECN bit set.
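The shaping arithmetic on this slide worked through, as an added example (Python, not from the course): Bc is what the CIR allows per Tc, the peak rate is CIR × (1 + Be/Bc), and a per-Tc token bucket shows how the same burst leaves the interface under shape average versus shape peak. The values CIR = 32000, Bc = Be = 4000 are constructed and chosen so the peak comes out at 64 kbps.

```python
"""Added example: Bc/Tc, peak-rate and a per-Tc token-bucket view of
shape average vs shape peak. Not IOS code; CIR/Bc/Be values are constructed."""


def bc_for(cir_bps: int, tc_seconds: float) -> int:
    """Committed burst: bits the CIR allows in one Tc interval (Bc = CIR x Tc)."""
    return int(cir_bps * tc_seconds)


def peak_rate(cir_bps: int, bc_bits: int, be_bits: int) -> float:
    """Peak rate = CIR(1 + Be/Bc): the rate seen when Be is spent in every interval."""
    return cir_bps * (1 + be_bits / bc_bits)


def shape(backlog_bits: int, cir_bps: int, bc_bits: int, be_bits: int,
          mode: str = "average", intervals: int = 8):
    """Bits transmitted in each of `intervals` Tc periods for a burst that arrives at once
    after the link was idle (bucket full).
    average: Bc credits are added per Tc, unused credit accumulates up to Bc + Be.
    peak:    Bc + Be credits are available every Tc, i.e. the peak rate is sustained."""
    sent = []
    credit = bc_bits + be_bits             # idle beforehand: the bucket holds Bc + Be
    for _ in range(intervals):
        if mode == "peak":
            credit = bc_bits + be_bits
        tx = min(backlog_bits, credit)
        credit -= tx
        backlog_bits -= tx
        sent.append(tx)
        if mode == "average":
            credit = min(credit + bc_bits, bc_bits + be_bits)   # refill Bc, cap at Bc + Be
    return sent


if __name__ == "__main__":
    cir, tc = 32000, 0.125
    bc = bc_for(cir, tc)
    be = bc
    print(f"Bc={bc} bits per Tc, peak={peak_rate(cir, bc, be):.0f} bps")
    print("average:", shape(20000, cir, bc, be))
    print("peak:   ", shape(20000, cir, bc, be, mode="peak"))
```

Under shape average the first interval may use the accumulated Be, after which the sender is held to Bc per Tc (the CIR); under shape peak every interval may carry Bc + Be, so the burst clears faster but at a sustained rate above the CIR, which is exactly the traffic a carrier's own policer is entitled to mark or discard.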

Page 298

Frame Relay Traffic Shaping

• Time Committed (TC) = 125micro

Page 299

Network Based Application Recognition (NBAR)

Page 300

NBAR Application Support

Page 301

Packet Description Language Module

Page 302

NBAR Protocol Discovery

Page 303

SESSION 11 Others

Page 304

NTP

Page 305

Optimizing HSRP

Page 306

Gateway Load Balancing Protocol (GLBP)

Page 307

GLBP Operations

Page 308

GLBP Cont.

Page 309

Virtual Router Redundancy Protocol (VRRP)

Page 310

VRRP Operational Status

Page 311

VRRP Configuration

Page 312

NAT

Page 313

NAT with Access List—Multiple Address Pools

Page 314

NAT with Extended Access List Configuration

ip nat pool trusted_pool 192.168.2.1 192.168.2.254 prefix-length 24
ip nat pool untrusted_pool 192.168.3.1 192.168.3.254 prefix-length 24
!
ip nat inside source list 102 pool trusted_pool
ip nat inside source list 103 pool untrusted_pool
!
interface ethernet 0
 ip address 10.1.1.1 255.255.0.0
 ip nat inside
!
interface serial 0
 ip address 172.16.2.1 255.255.255.0
 ip nat outside
!
access-list 102 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 102 permit ip 10.1.1.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 103 permit ip 10.1.1.0 0.0.0.255 any

Page 315

Benefits of Route Maps with NAT

Page 316

Route Map Configuration

Page 317

Verifying NAT

Page 318

Session 10 Security

Page 319

Session 10 Outline

• Unicast Reverse Path Forwarding (uRPF)

• Context Based Access Control (CBAC)

Page 320

CBAC Configuration

Page 321

Enable Audit Trails and Alerts

Page 322

Enable TCP SYN and FIN Times

Page 323

TCP, UDP and DNS Idle Times

Page 324

Port to Application Mapping

Page 325

Port Mapping Configuration

Page 326

Global Half Open Connection Limits

Page 327

Configuring Inspection Rules

Page 328

Apply Inspection Rule to an Interface

Page 329

Unicast Reverse Path Forwarding (uRPF)

• Unicast Reverse Path Forwarding (uRPF) is a feature originally created to implement "Network Ingress Filtering: Defeating Denial of Service Attacks Which Employ IP Source Address Spoofing"

Page 330

Configuring uRPF

• By enabling Unicast Reverse Path Forwarding (uRPF), all spoofed packets will be dropped at the first device. To enable uRPF, use the following commands.
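Both reverse-path checks in this deck rest on the same lookup, so one added example (Python, not from the course) covers the multicast RPF check from Session 9 (Reverse Path Forwarding, RPF Calculation, RPF with two paths) and the uRPF check here: a longest-prefix-match table answers "which interface leads back to this source", multicast accepts (S,G) traffic only on that interface, and uRPF drops a packet whose source has no return route through the ingress interface (strict) or no route at all (loose). The routes, interface names and packets are constructed; the equal-cost tie-break modelled for the multicast case (highest next-hop address wins) is the behaviour this block assumes.

```python
"""Added example: one FIB, two reverse-path checks (multicast RPF and uRPF
strict/loose). Not IOS code; routes, interfaces and packets are constructed."""

import ipaddress


class Fib:
    def __init__(self, routes):
        # routes: (prefix, outgoing interface, next-hop). Several entries for
        # the same prefix represent equal-cost paths.
        self.routes = [(ipaddress.ip_network(p), ifc, ipaddress.ip_address(nh))
                       for p, ifc, nh in routes]

    def lookup(self, addr):
        """All (interface, next-hop) pairs of the longest matching prefix; [] if unrouted."""
        a = ipaddress.ip_address(addr)
        matches = [r for r in self.routes if a in r[0]]
        if not matches:
            return []
        best = max(r[0].prefixlen for r in matches)
        return [(ifc, nh) for net, ifc, nh in matches if net.prefixlen == best]

    def rpf_interface(self, source):
        """Multicast RPF: the interface the unicast table uses toward the source.
        With two equal-cost paths the neighbor with the highest address is chosen
        (assumed tie-break for this example)."""
        paths = self.lookup(source)
        if not paths:
            return None
        return max(paths, key=lambda p: p[1])[0]

    def multicast_rpf_check(self, source, in_ifc):
        """(S,G) traffic is accepted only on the RPF interface; anything else is dropped
        so that a multicast packet can never loop back into the tree."""
        return self.rpf_interface(source) == in_ifc

    def urpf_check(self, source, in_ifc, mode="strict"):
        """uRPF: strict needs a return route via the ingress interface, loose needs any
        real route. A route to Null0 fails both (that is how bogon ranges are blackholed)."""
        paths = [p for p in self.lookup(source) if p[0] != "Null0"]
        if not paths:
            return False
        if mode == "loose":
            return True
        return any(ifc == in_ifc for ifc, _ in paths)


# Constructed routing table of a border router.
ROUTES = [
    ("10.1.0.0/16", "Fa0/0", "10.1.0.2"),        # internal site
    ("10.2.0.0/16", "Se0/0", "192.0.2.1"),       # site reachable over two equal-cost links
    ("10.2.0.0/16", "Se0/1", "192.0.2.5"),
    ("192.168.99.0/24", "Null0", "0.0.0.0"),     # blackholed range
    ("0.0.0.0/0", "Se1/0", "198.51.100.1"),      # default route to the provider
]

# Constructed packets: (source address, ingress interface).
PACKETS = [
    ("10.1.5.5", "Fa0/0"),       # legitimate: arrives where the return path points
    ("10.1.5.5", "Se1/0"),       # internal source seen from the provider side
    ("10.2.7.7", "Se0/1"),       # equal-cost source on the RPF interface
    ("10.2.7.7", "Se0/0"),       # same source on the other equal-cost link
    ("192.168.99.9", "Se1/0"),   # source inside the blackholed range
]


def evaluate(routes=ROUTES, packets=PACKETS):
    """Map each packet to (RPF interface, multicast RPF ok, uRPF strict ok, uRPF loose ok)."""
    fib = Fib(routes)
    return {(s, i): (fib.rpf_interface(s), fib.multicast_rpf_check(s, i),
                     fib.urpf_check(s, i, "strict"), fib.urpf_check(s, i, "loose"))
            for s, i in packets}


if __name__ == "__main__":
    for pkt, result in evaluate().items():
        print(pkt, "->", result)
```

The two equal-cost packets show why the checks are not interchangeable: PIM accepts (S,G) traffic on only one of the two links, while strict uRPF passes unicast on either. The second packet (an internal source arriving from the provider) is the case uRPF was written for, and also the case that bites when routing is asymmetric; loose mode is the usual compromise on multihomed edges.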

Page 331

IP Source Guard

• By watching which IP addresses are assigned by DHCP, a switch can create dynamic ACLs to block all traffic except traffic from DHCP-assigned IP addresses.

• Benefits:

– Prevents a hacker from spoofing their IP address to launch an anonymous attack.

– Prevents users from ignoring DHCP and manually configuring a static IP address.
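The per-port filter this slide describes, as an added example (Python, not from the course or from IOS): a DHCP snooping binding table is populated when the switch sees an address handed out, and a frame on an untrusted port is forwarded only if its source IP (and optionally MAC) matches a binding for that port and VLAN. Frames with source 0.0.0.0 are allowed so a host can still run DHCP before it has a binding. The bindings and frames are constructed.

```python
"""Added example: IP Source Guard filtering from a DHCP snooping binding table.
Not switch code; bindings and frames are constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    port: str
    mac: str
    ip: str
    vlan: int


class SourceGuard:
    def __init__(self, bindings, check_mac=True):
        self.bindings = set(bindings)
        self.check_mac = check_mac   # True: verify IP and MAC; False: IP only

    def learn_from_dhcp(self, port, mac, ip, vlan):
        """A DHCP ACK seen by snooping adds a binding; a manually configured
        static address never produces one, so its traffic is dropped."""
        self.bindings.add(Binding(port, mac.lower(), ip, vlan))

    def permit(self, port, mac, ip, vlan) -> bool:
        """Decide whether a frame with this source may enter on this port."""
        if ip == "0.0.0.0":
            return True              # DHCP DISCOVER/REQUEST from an unconfigured host
        for b in self.bindings:
            if (b.port == port and b.vlan == vlan and b.ip == ip
                    and (not self.check_mac or b.mac == mac.lower())):
                return True
        return False                 # spoofed or static IP, or a binding from another port


# Constructed binding learned from a DHCP exchange on Fa0/1.
BINDINGS = [Binding("Fa0/1", "00:11:22:33:44:55", "10.1.1.10", 10)]

# Constructed frames: (ingress port, source MAC, source IP, VLAN).
FRAMES = [
    ("Fa0/1", "00:11:22:33:44:55", "10.1.1.10", 10),   # the DHCP client itself
    ("Fa0/1", "00:11:22:33:44:55", "10.1.1.99", 10),   # same host, self-assigned static IP
    ("Fa0/2", "00:11:22:33:44:55", "10.1.1.10", 10),   # the bound address used on another port
    ("Fa0/1", "aa:bb:cc:dd:ee:ff", "10.1.1.10", 10),   # bound IP, different MAC
]


def filter_frames(frames=FRAMES, bindings=BINDINGS, check_mac=True):
    """Return a permit/deny decision per frame."""
    sg = SourceGuard(bindings, check_mac)
    return [sg.permit(*f) for f in frames]


if __name__ == "__main__":
    for frame, ok in zip(FRAMES, filter_frames()):
        print("permit" if ok else "deny  ", frame)
```

The last frame is the one that separates the two modes: with IP-only checking it passes, because the address is bound to the port, so a second device on the same port could borrow it; IP-and-MAC checking closes that gap at the cost of requiring the switch to learn MACs from DHCP as well.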

Page 332

IP Source Guard Configuration