The CCIE Book… While I was studying for the CCIE back in 2000-2001, I maintained this Word document for my study notes. Good luck in your CCIE journey and enjoy! Jeff Kesemeyer

The Ccie Book

Jul 15, 2016


Notes for studying CISCO CCIE
Page 1: The Ccie Book


THE CCIE Book

Page 2 of 296

Copyright © 2003 by Bradshaw Labs Inc. All Rights Reserved

TABLE OF CONTENTS

1. PHYSICAL AND DATA LINK LAYERS ... 9
  1.1. ROUTER MANAGEMENT ... 9
  1.2. ALIASES ... 10
  1.3. LOGGING ... 11
  1.4. IOS FEATURE SETS ... 11
  1.5. BASIC INTERFACE CONFIGURATION ... 12
  1.6. CISCO DISCOVERY PROTOCOL (CDP) ... 13
  1.7. DOMAIN NAME SYSTEM (DNS) ... 14
  1.8. NETWORK TIME PROTOCOL (NTP) ... 14
    1.8.1. Association Modes ... 14
  1.9. HTTP ... 16
  1.10. SNMP ... 16
  1.11. AGGREGATE T1’S AT ... 17
  1.12. LEVEL ONE TROUBLESHOOTING ... 18
  1.13. ROUTER AS PACKET ANALYZER ... 20

2. FRAME-RELAY ... 22
  2.1. CONNECTIVITY SCENARIOS ... 24
  2.2. CONFIGURING FRAME-RELAY ... 26
  2.3. TROUBLESHOOTING FRAME RELAY ... 27

3. ISDN ... 29
  3.1. SETUP ... 33
  3.2. LEGACY DDR ... 34
  3.3. DIALER PROFILES ... 36
  3.4. PPP ... 38
    3.4.1. Snapshot Routing ... 39
    3.4.2. Dial Backup ... 41
    3.4.3. OSPF DDR Methods ... 41
    Dialer Watch ... 42
    3.4.4. Callback ... 43
    3.4.5. Floating Static Routes ... 44
    3.4.6. Other ISDN Commands ... 45
  3.5. ISDN TROUBLESHOOTING STRATEGY (MASTER THIS CHECKLIST) ... 45
    3.5.1. Problem Isolation ... 47
    3.5.2. ISDN Debug Example ... 48

4. ATM ... 49
  4.1. ATM CONFIGURATIONS ... 51
    4.1.1. Multiprotocol Encapsulation (2684) ... 52
    4.1.2. Classical IP (CLIP) - (RFC 2225 / 1577) ... 54
    4.1.3. Other Configurations ... 56
    4.1.4. Configurations Summary ... 57
  4.2. QOS ... 58
    4.2.1. PVC Traffic Management ... 58
    4.2.2. SVC Traffic Management ... 58
  4.3. ROUTING WITH ATM ... 58
  4.4. ATM SHOW COMMANDS ... 59
  4.5. ATM DEBUG COMMANDS ... 61
  4.6. TROUBLESHOOTING ATM ... 62

5. LAN SWITCHING ... 63
  5.1. SWITCH MANAGEMENT ... 64


  5.2. PORT PARAMETERS ... 66
  5.3. VLAN’S ... 67
  5.4. TRUNKING ... 71
  5.5. INTER-VLAN ROUTING ... 73
  5.6. TOKEN-RING (3900) CONFIGURATION ... 74
    5.6.1. Token-Ring VLAN’s ... 75
  5.7. TROUBLESHOOTING SWITCHES ... 77

6. IP MANAGEMENT ... 80
  6.1. PLANNING A NETWORK ... 80
  6.2. OVERVIEW ... 80
  6.3. HOT STANDBY ROUTER PROTOCOL (HSRP) ... 84
  6.4. DYNAMIC HOST CONFIGURATION PROTOCOL (DHCP) ... 85

7. ROUTING ... 87
  7.1. ADMINISTRATIVE DISTANCES ... 89
  7.2. DEFAULT AND STATIC ROUTES ... 90
    7.2.1. RIP ... 90
    7.2.2. IGRP ... 91
    7.2.3. EIGRP ... 91
    7.2.4. OSPF/ISIS ... 92
    7.2.5. BGP ... 93
    7.2.6. IPX ... 93
  7.3. DEFAULT ROUTE SUMMARIES ... 94
  7.4. AUTHENTICATION ... 94
  7.5. ROUTING TABLES ... 95
  7.6. TROUBLESHOOTING ROUTING TABLE ... 96
  7.7. DEBUGGING IP PACKET FORWARDING ... 97

8. RIP (R) 120 ... 98
  8.1. RIP V1 ... 99
  8.2. RIP V2 ... 100

9. IGRP (I) 100 ... 102

10. EIGRP (D 90) (EX 170) ... 105
  10.1. HOW EIGRP WORKS ... 105
  10.2. DUAL ... 110
  10.3. AUTHENTICATION ... 112
  10.4. SUMMARIZATION ... 112
  10.5. EIGRP AND THE WAN ... 113
  10.6. NEW TO EIGRP WITH RELEASE 12.0 ... 115
  10.7. CONFIGURING EIGRP ... 115

11. OSPF (O) 110 ... 118
  11.1. OSPF BASICS ... 118
  11.2. OSPF ROUTING ... 121
  11.3. NETWORK TYPES ... 123
  11.4. AREAS ... 125
  11.5. OSPF AREA AUTHENTICATION ... 127
  11.6. OSPF ROUTE SUMMARIZATION ... 128
    11.6.1. Inter-Area Summarization ... 128
    11.6.2. External Summarization ... 129
  11.7. OSPF DESIGN TECHNIQUES ... 129
  11.8. OSPF CONFIGURATION OVERVIEW ... 129
  11.9. OSPF CONFIGURATION ... 130


  11.10. OSPF COMMANDS ... 130
  11.11. TROUBLESHOOTING OSPF ... 131

12. IS-IS (I) 115 ... 135
  12.1. IS-IS ROUTING ... 135
  12.2. AUTHENTICATION ... 139
  12.3. ISIS CONFIGURATION ... 139
  12.4. TROUBLESHOOTING ISIS ... 140

13. BGP (B) 20 / 200 ... 141
  13.1. BGP PATH SELECTION PROCESS ... 142
  13.2. BGP BEST PATH ALGORITHM FOR IOS ... 143
  13.3. BGP DECISION ALGORITHM ... 144
  13.4. BGP ROUTING ... 148
    13.4.1. Selecting a BGP Path ... 148
    13.4.2. Other Routing Information ... 148
    13.4.3. IBGP Routing ... 149
    13.4.4. EBGP Routing ... 153
    13.4.5. Advertising Routes ... 154
    13.4.6. Route Cache Invalidation ... 155
    13.4.7. Aggregate Address ... 155
  13.5. CONTROLLING THE FLOW OF BGP UPDATES ... 157
  13.6. LOAD BALANCING TRAFFIC ... 158
  13.7. BGP FILTERING ... 159
  13.8. INTERNET CONNECTIVITY OPTIONS ... 162
  13.9. MULTIPROTOCOL BGP ... 164
  13.10. BASIC BGP CONFIGURATION ... 164
  13.11. BGP COMMANDS ... 165
  13.12. BGP TROUBLESHOOTING ... 166

14. IPX AND NLSP ... 169
  14.1. IPX EIGRP ... 170
  14.2. IPX AND WANS ... 171
  14.3. IPX AND DDR ... 172
  14.4. NLSP ... 173
  14.5. TUNNELING ... 175
  14.6. IPX COMMANDS ... 177
  14.7. IPX TROUBLESHOOTING ... 177

15. ROUTE FILTERING ... 179
  15.1. ROUTE FILTERS ... 179
  15.2. PREFIX-LISTS ... 179
  15.3. DISTRIBUTE-LISTS ... 181
  15.4. ROUTE-MAPS ... 182

16. ROUTE REDISTRIBUTION ... 186
  16.1. GENERAL REDISTRIBUTION ... 186
  16.2. REDISTRIBUTION PROBLEMS ... 187
  16.3. STATIC REDISTRIBUTION ... 188
  16.4. RIP REDISTRIBUTION ... 189
  16.5. IGRP REDISTRIBUTION ... 189
  16.6. EIGRP REDISTRIBUTION ... 189
  16.7. OSPF REDISTRIBUTION ... 191
  16.8. IS-IS REDISTRIBUTION ... 193
  16.9. BGP REDISTRIBUTION ... 193
  16.10. IPX REDISTRIBUTION ... 195


16.11. FLSM AND VLSM ... 195
16.12. MUTUAL REDISTRIBUTION ... 197
16.13. REDISTRIBUTION SUMMARIES ... 199
16.14. TROUBLESHOOTING REDISTRIBUTION ... 200

17. BRIDGING ... 203
17.1. STP ... 203
17.1.1. Bridged Parameters ... 203
17.2. TRANSPARENT BRIDGING ... 204
17.3. CONCURRENT ROUTING AND BRIDGING ... 205
17.4. INTEGRATED ROUTING AND BRIDGING (IRB) ... 206
17.5. SOURCE ROUTE BRIDGING ... 207
17.6. RSRB ... 208
17.7. SRT ... 209
17.8. SR/TLB ... 210

18. DLSW+ ... 213
18.1.1. Encapsulations ... 214
18.1.2. DLSW and Ethernet ... 215
18.1.3. Configuring DLSw+ ... 215
18.1.4. DLSw+ DDR Configurations ... 218
18.1.5. DLSW Load Balancing Configurations ... 219
18.1.6. DLSW (Commands) ... 221
18.2. BRIDGING TROUBLESHOOTING ... 221

19. ACCESS-LISTS ... 224
19.1. IP ACCESS-LISTS ... 224
19.1.1. ICMP Messages ... 225
19.1.2. ACL and Routing Protocols ... 226
19.1.3. Configuring IP Access-Lists ... 226
19.2. IPX ACCESS-LISTS ... 230
19.2.1. The Basics ... 230
19.2.2. IPX Network Filtering ... 231
19.2.3. SAP Filtering ... 232
19.2.4. Troubleshooting IPX ... 233
19.3. MAC ACCESS-LISTS ... 233
19.3.1. LSAPs (200) ... 233
19.3.2. SNA ... 234
19.3.3. NetBIOS ... 234
19.3.4. Bit-Swapping ... 235
19.3.5. DLSw+ ... 236
19.3.6. Bridging (MAC) Filters (700) ... 237
19.4. ACCESS-EXPRESSIONS ... 238

20. QUEUING ... 240
20.1. WFQ ... 240
20.1.1. CB-WFQ ... 240
20.1.2. Low-Latency Queueing (LLQ) ... 241
20.1.3. Distributed WFQ (DWFQ) ... 241
20.2. WEIGHTED RANDOM EARLY DETECTION ... 242
20.3. PRIORITY QUEUING ... 242
20.4. CUSTOM QUEUING ... 243
20.5. COMMITTED ACCESS RATE (CAR) ... 243
20.6. TROUBLESHOOTING QUEUEING ... 244

21. TRAFFIC SHAPING ... 245


21.1. POLICY ROUTING ... 245
21.2. RTP PRIORITY ... 246
21.3. GENERIC TRAFFIC-SHAPING (GTS) ... 247
21.4. FRAME-RELAY QUEUING ... 247
21.4.1. Frame-Relay DLCI-Prioritization ... 247
21.4.2. Frame-Relay Broadcast Queue ... 247
21.4.3. Frame-Relay Traffic-Shaping (FRTS) ... 248
21.5. IP PRECEDENCE ... 249
21.6. RSVP ... 250
21.7. RANDOM EARLY DETECTION (RED) ... 251
21.8. DATA COMPRESSION ... 251
21.9. MPLS AND TAG SWITCHING ... 251

22. MULTICASTING ... 252
22.1. INTERNET GROUP MANAGEMENT PROTOCOL (IGMP) ... 252
22.2. CISCO GROUP MANAGEMENT PROTOCOL (CGMP) ... 253
22.2.1. Stopping Multicasts from Broadcasting on a Switch ... 253
22.3. DISTANCE VECTOR MULTICAST ROUTING PROTOCOL (DVMRP) ... 254
22.4. PROTOCOL INDEPENDENT MULTICAST (PIM) ... 256
22.4.1. Dense Mode ... 259
22.4.2. Sparse-Mode ... 260
22.5. MULTIPROTOCOL BGP (MBGP) ... 263
22.6. MULTICAST SOURCE DISCOVERY PROTOCOL (MSDP) ... 263
22.7. TROUBLESHOOTING COMMANDS ... 265
22.8. INTERNET MULTICAST ADDRESSES ... 265
22.9. QUICK CONFIGURATION GUIDES ... 266

23. SECURITY ... 268
23.1. TACACS ... 268
23.2. NETWORK ADDRESS TRANSLATION (NAT) ... 268
23.2.1. Basic NAT Configuration ... 269
23.2.2. Port Address Translation (Overload) ... 269
23.2.3. TCP Load Sharing ... 270
23.2.4. Dynamic NAT ... 270
23.2.5. Nat on a Stick ... 270
23.2.6. NAT Timers ... 271
23.3. AUTHENTICATION, AUTHORIZATION, AND ACCOUNTING ... 273
23.4. IPSEC ... 274
23.4.1. Configuring IPSec ... 276
23.4.2. Quick Notes ... 277
23.4.3. Basic IPSec over Tunnel (Works) ... 278
23.4.4. GRE Tunnel ... 279
23.4.5. IP and IPX over Frame-Relay ... 280
23.4.6. Troubleshooting IKE and IPSec ... 281

24. VOICE ... 282
24.1. VOIP ... 282
24.1.1. VoIP Example ... 282
24.1.2. Configuring Dial Peers ... 283
24.1.3. ... 283
24.1.4. General Configuration Information ... 283
24.1.5. Configuring VoIP ... 283
24.1.6. More Configuration Commands ... 284
24.2. QOS ... 286
CONGESTION AVOIDANCE ... 286
CONGESTION MANAGEMENT ... 286


IP PRECEDENCE ... 288
RSVP ... 289
LINK FRAGMENTATION / INTERLEAVING (LFI) ... 290
Frame-Relay ... 290
TRAFFIC SHAPING AND POLICING ... 290
Frame-Relay Traffic Shaping ... 290
Generic Traffic Shaping ... 291
HEADER COMPRESSION ... 291
TROUBLESHOOTING QUEUING ... 292
24.2.1. Show commands ... 292
24.2.2. Debug commands ... 292
24.2.3. Troubleshooting and Verifying VoIP Connectivity ... 292
24.2.4. Voice Troubleshooting Methodology ... 292


Introduction to the CCIE Book

Color Legend:
Blue text: IOS commands
Pink text: Reference material
Red text: Traps within a technology
Highlighted text: Tips that could be traps
Highlight reference material
Highlight traps

Ø Test Sections
System Setup
ISDN
Frame-Relay
ATM
LAN Switching
IP Management
IGP Routing
BGP
IPX and NLSP
Route Filtering
Redistribution
Bridging, DLSW+
Access-Lists
Traffic Management
Multicasting
Security
VoIP


1. Physical and Data Link layers

Ø Configure a terminal server
You will have a serial and an Ethernet connection to the comm_server. Make sure you know which cables you need to connect to the comm server via RS-232.

Ø Config Register Values
0x2100 – ROM monitor
0x2101 – Boot from ROM
0x2102 – Boot from flash, run NVRAM configuration (default)
0x2142 – Boot from flash, run NO NVRAM configuration (password recovery mode)
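The four values above differ only in a few bits of the 16-bit configuration register. As an added example (not from these notes), the Python below decodes the fields that matter for boot behaviour and flags the password-recovery setting, since a router left at 0x2142 after a recovery boots without its startup config, and therefore without its passwords and ACLs. Assumed bit layout: boot field in bits 0-3, bit 6 (0x0040) ignore NVRAM, bit 8 (0x0100) break disabled, bits 11-12 console speed. The register_from_show_version helper and the sample show version line are constructed for the example.

```python
import re

# Boot field (bits 0-3). Values 2-15 boot from flash (or per 'boot system' commands).
BOOT_FIELD = {
    0x0: "ROM monitor",
    0x1: "boot from ROM (boot helper image)",
}
CONSOLE_BAUD = {0: 9600, 1: 4800, 2: 1200, 3: 2400}  # bits 11-12 (assumed layout)


def decode_config_register(value: int) -> dict:
    """Split a 16-bit config register into the fields that decide how the router boots."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("config register is a 16-bit value")
    boot = value & 0xF
    return {
        "boot_field": boot,
        "boot": BOOT_FIELD.get(boot, "boot from flash (or per 'boot system' commands)"),
        "ignore_nvram": bool(value & 0x0040),   # the bit 0x2142 adds to 0x2102
        "break_disabled": bool(value & 0x0100),
        "console_baud": CONSOLE_BAUD[(value >> 11) & 0x3],
    }


def startup_config_bypassed(value: int) -> bool:
    """True when the router comes up ignoring NVRAM: no startup config, so no
    passwords, no ACLs. This is the password-recovery setting; after recovery
    the register should be put back to 0x2102 and the change verified."""
    return decode_config_register(value)["ignore_nvram"]


# Trailing line of 'show version' (constructed sample; the parenthesised part is what
# IOS prints once the register has been changed but the box has not reloaded yet).
SAMPLE_SHOW_VERSION = "Configuration register is 0x2142 (will be 0x2102 at next reload)\n"
_SHOW_VER_RE = re.compile(r"Configuration register is (0x[0-9A-Fa-f]{1,4})")


def register_from_show_version(text: str) -> int:
    """Pull the currently active register out of 'show version' output."""
    m = _SHOW_VER_RE.search(text)
    if m is None:
        raise ValueError("no configuration register line found")
    return int(m.group(1), 16)


if __name__ == "__main__":
    for reg in (0x2100, 0x2101, 0x2102, 0x2142):
        print(hex(reg), decode_config_register(reg))
    current = register_from_show_version(SAMPLE_SHOW_VERSION)
    print("startup config bypassed:", startup_config_bypassed(current))
```

Running the script over real show version output is a quick audit step after any password recovery: the register reported as active is the one that matters until the next reload.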

1.1. ROUTER MANAGEMENT
Configuring a router as a TFTP server: ip tftp server
Loading the IOS onto a router with no IOS: copy tftp flash
Bypassing the startup configuration on a router: config-register 0x2142
Check out Router / Physical Layer:
sho buff
sho int
sho control
sho memory
sho proc

Ø Setup a Terminal Server
hostname comm_server
no ip domain-lo
enable pass cisco
int loopback 0
 ip address 1.1.1.1 255.255.255.0
ip host r1 2001 1.1.1.1
line 1 16
 transport input all
 no exec
line vty 0 4
 login
 pass cisco
line con 0
 login
 pass cisco
 log synch
 exec-timeout 0
ip tcp synwait-time 5

Useful exec commands:
cle lin 3
sh sess
disc 5
sh line
Use Ctrl+Shift+6, then x, to switch between routers.


1.2. ALIASES
no ip domain-lo
! 4
alias exec ct conf t
alias exec sr sh run
alias exec sri sh run int
alias exec u undeb all
! 6
alias exec sfm sh frame map
alias exec sfr sh frame route
alias exec sfp sh fram pvc
alias exec sis sh isdn stat
alias exec sam sh atm map
alias exec sap sh atm pvc
! 4
alias configure rr router rip
alias configure ro router ospf
alias configure re router eigrp
alias configure rb router bgp
! 6
alias exec siib sh ip int brie
alias exec sir sh ip rout
alias exec sie sh ip eigrp
alias exec sio sh ip ospf
alias exec sib sh ip bgp
alias exec sip sh ip protocols
! 3
alias exec sipxr sh ipx route
alias exec sxr sh ipx route
alias exec sxs sh ipx server
! 3
alias exec cir cle ip rou
alias exec cib cle ip bgp
alias exec cxr clea ipx route
! Pings
alias exec r1s1 ping 180.1.1.1
!
line con 0
 logg synch
 exec-time 0 0
!
line vty 0 4
ip tcp synwait-time 5

Run sh ver to check the config register and version.

alias exec s1 sho run | begin
alias exec s2 sho run | include
These parse the config quickly: "s1 router bgp" shows the config from router bgp AS# onward, and "s2 dlsw", for example, shows every line in the config that contains dlsw. Thought it was neat and wanted to pass it along.

Ø Basic Switch Setup
show module   Check modules installed, document cards and slots
show port status
show mac mod/port
show port mod/port
conf t
int sc0
 set ip address <address>

1.3. LOGGING
logging buffered 16000
no logging console   Don’t send logs to the router console
logging buffered 16384   16 Kbyte history buffer on the router
logging trap debugging   Catch debugging-level traps (i.e. everything)
logging facility local7   Syslog facility on the syslog server
logging 169.223.32.1   IP address of your first syslog server
logging 169.223.45.8   IP address of your second syslog server
logging source-interface Loopback0   Sets the source address so you know messages come from a known, reliable source.

Ø Eight Levels of Errors
0 emergencies
1 alerts
2 critical
3 errors
4 warnings
5 notification
6 informational
7 debugging
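The severity number in the middle of every IOS message (%SYS-5-CONFIG_I) is the index into the list above, and logging trap <level> forwards that level plus everything more severe. As an added example (not from these notes), the Python below parses IOS-format log lines, names their level, and shows which lines a syslog server would actually receive under a given logging trap setting. The sample lines are constructed, not captured from a device; the IOS keyword for level 5 is "notifications", which is what the code uses.

```python
import re

# The eight IOS severity levels, indexed by the number carried in the message.
LEVELS = ["emergencies", "alerts", "critical", "errors",
          "warnings", "notifications", "informational", "debugging"]

# %FACILITY-SEVERITY-MNEMONIC: text, optionally preceded by a timestamp.
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)"
)


def parse_syslog_line(line: str):
    """Return facility/severity/mnemonic/text/level for one IOS log line, or None."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    msg = m.groupdict()
    msg["severity"] = int(msg["severity"])
    msg["level"] = LEVELS[msg["severity"]]
    return msg


def trap_sends(severity: int, trap_level: str) -> bool:
    """'logging trap <level>' forwards that level and every more severe (lower-numbered) one."""
    return severity <= LEVELS.index(trap_level)


def forwarded(lines, trap_level: str):
    """The subset of lines a syslog server receives under 'logging trap <trap_level>'."""
    kept = []
    for line in lines:
        msg = parse_syslog_line(line)
        if msg is not None and trap_sends(msg["severity"], trap_level):
            kept.append(line)
    return kept


# Constructed sample lines in IOS format (not captured from a real router).
SAMPLE_LOG = [
    "Mar  1 00:12:05: %SYS-5-CONFIG_I: Configured from console by vty0 (10.0.0.5)",
    "Mar  1 00:12:40: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.1.5(34567) -> 10.2.2.2(23), 1 packet",
    "Mar  1 00:13:02: %LINK-3-UPDOWN: Interface Serial0, changed state to down",
    "Mar  1 00:13:10: %SYS-7-USERLOG_DEBUG: Message from tty0: test",
    "Mar  1 00:13:30: %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        msg = parse_syslog_line(line)
        print(f"{msg['level']:14} {msg['facility']}-{msg['mnemonic']}: {msg['text']}")
    print("with 'logging trap warnings' the server sees", len(forwarded(SAMPLE_LOG, "warnings")), "lines")
```

The practical point for a defender: ACL logging (the %SEC-6 line) and config-change notices (%SYS-5) are severity 6 and 5, so a trap level of warnings or errors silently drops exactly the messages an investigation wants; debugging, as in the config above, keeps all of them.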

1.4. IOS FEATURE SETS
i  IP
d  Desktop
j  Enterprise
k  Kitchen Sink
o  FireWall
p  Service Provider
r  IBM Base option (SRB, STUN, DLSW)
s  Source Route
u  IP with VLAN RIP (Network Layer 3 Switching, rsrb, srt, sr/tlb)
A 2 after the letter signifies a subset of a set.

IOS Execution Area
The last few characters determine where the IOS will run.
m  RAM
f  flash
r  ROM
l  relocated at run time
z  image is zip compressed
x  image is mzip compressed
w  image is stac compressed

Ø Router Hardware
NVRAM, Flash, Memory & CPU, file system, config register
File transfers - TFTP operations
Password Recovery
copy tftp flash


service compress-config
service timestamps log datetime localtime

Ø Process Switching
Uses the CPU for processing; required for debugging.
no ip route-cache, no ip mroute-cache   To enable

Ø Fast Switching Default for all protocols except IP

Ø Silicon Switching / Autonomous Switching (on the 7000 with SSP)
Fast Switching uses the RP
Silicon Switching uses the SSP
Autonomous Switching uses the SSP as well

Ø Optimum Switching
Similar to fast switching but faster
Default for TCP/IP; disabled for debugging
Requires a VIP

Ø Distributed Switching
Handled by interface processors
Requires a VIP
Same as CiscoFusion or MLS

Ø NetFlow Switching Enables you to collect statistics

Ø Switching Features that Affect Performance
Queuing:
 FIFO
 Priority – assigned priority
 Custom – percent of bandwidth
 WFQ – low, high bandwidth requirements
 RED – ToS prioritizing
Compression
Encryption
Filtering – Access-lists
Accounting

1.5. BASIC INTERFACE CONFIGURATION
CTL+A  Move to beginning of line
CTL+E  Move to end of line
CTL+F  Move forward one character
CTL+B  Move backward one character
CTL+N  Most recent command recall
CTL+R  Repaints a line
CTL+D  Delete the character at the cursor
CTL+K  Delete from the cursor to the end of the line
CTL+U  Delete from the cursor to the beginning of the line
CTL+W  Delete the word to the left of the cursor
ESC+D  Delete the word to the right of the cursor
ESC+B  Move backward one word
ESC+F  Move forward one word
Terminal history size, Terminal no editing, Terminal editing
Configuration register settings

Ø Parsing
show configuration | ?
 begin    Begin with the line that matches
 exclude  Exclude lines that match
 include  Include lines that match

show running-config | begin router bgp
router bgp 200
 no synchronization
 neighbor 4.1.2.1 remote-as 300
 neighbor 4.1.2.1 description Link to Excalabur
 neighbor 4.1.2.1 send-community
 neighbor 4.1.2.1 version 4
 neighbor 4.1.2.1 soft-reconfiguration inbound
 neighbor 4.1.2.1 route-map Community1 out
 maximum-paths 2
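To make the begin / include / exclude semantics (and the s1 / s2 aliases from section 1.2) concrete off-box, here is an added Python emulation of the IOS output filter, not code from these notes. It treats the argument as a regular expression matched anywhere in the line, as IOS does, and runs over a constructed running-config that reuses the BGP stanza above plus a few invented lines; the cleartext_password_lines helper is my own addition showing the filter used for a config review.

```python
import re

# Constructed running-config sample; the BGP stanza mirrors the one shown above.
SAMPLE_CONFIG = """\
hostname R1
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
router bgp 200
 no synchronization
 neighbor 4.1.2.1 remote-as 300
 neighbor 4.1.2.1 description Link to Excalabur
 neighbor 4.1.2.1 send-community
 neighbor 4.1.2.1 version 4
 neighbor 4.1.2.1 soft-reconfiguration inbound
 neighbor 4.1.2.1 route-map Community1 out
 maximum-paths 2
!
dlsw local-peer peer-id 10.0.0.1
dlsw remote-peer 0 tcp 10.0.0.2
!
line vty 0 4
 login
 password cisco
!
end
"""


def pipe_filter(config: str, mode: str, pattern: str) -> list:
    """Emulate 'show running-config | begin|include|exclude <regex>'."""
    rx = re.compile(pattern)
    lines = config.splitlines()
    if mode == "begin":
        # Everything from the first matching line to the end of the config.
        for i, line in enumerate(lines):
            if rx.search(line):
                return lines[i:]
        return []
    if mode == "include":
        return [line for line in lines if rx.search(line)]
    if mode == "exclude":
        return [line for line in lines if not rx.search(line)]
    raise ValueError("mode must be begin, include or exclude")


def alias_s1(config: str, pattern: str) -> list:
    """alias exec s1 sho run | begin"""
    return pipe_filter(config, "begin", pattern)


def alias_s2(config: str, pattern: str) -> list:
    """alias exec s2 sho run | include"""
    return pipe_filter(config, "include", pattern)


def cleartext_password_lines(config: str) -> list:
    """A reviewer's use of include: line or enable passwords stored in the clear."""
    return pipe_filter(config, "include", r"^\s*(enable )?password ")


if __name__ == "__main__":
    print("\n".join(alias_s1(SAMPLE_CONFIG, "router bgp")))
    print("--")
    print("\n".join(alias_s2(SAMPLE_CONFIG, "dlsw")))
    print("--")
    print("\n".join(cleartext_password_lines(SAMPLE_CONFIG)))
```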

Ø Loopbacks
BGP Update-Source
Router ID for OSPF and BGP
IP Unnumbered Interfaces
IP addresses do not need to be used on static WAN links to customers. IP unnumbered saves a /30 of address space and one entry in the IGP routing table, a significant saving for a large number of customers. IP unnumbered makes use of the loopback interface on the ISP’s backbone router, the same loopback interface used for iBGP etc.
An example:
interface Serial 5/0
 description 128K HDLC link to San Jose R5-0
 bandwidth 128
 ip unnumbered loopback 0
!
ip route 215.34.10.0 255.255.252.0 Serial 5/0

1.6. CISCO DISCOVERY PROTOCOL (CDP)
*Excellent tool for displaying interface status on routers
Works only at the data link layer; uses SNAP frames.
Uses the multicast address 01-00-0C-CC-CC-CC
TTL (holdtime) is 180 seconds
Use cdp timer to change the update interval; the default is 60 seconds.

Ø On Routers
sh cdp neighbors
sh cdp neighbors detail
cdp enable, cdp timer, and cdp run affect IP and DDR

Ø On Switches
set cdp enable all   ! To enable CDP for all ports
set cdp disable all   ! To disable CDP for all ports
set cdp enable <module>/<port number>   ! To enable CDP for a particular port.
set cdp disable <module>/<port number>   ! To disable CDP for a particular port.
sh cdp port

Ø CDP Troubleshooting
cdp run – run CDP globally
no cdp run – disable CDP globally
no cdp enable – disable CDP per interface

1.7. DOMAIN NAME SYSTEM (DNS)
ip domain lookup
ip name-server 131.108.111.1 131.108.111.2
ip domain-name cisco.com

1.8. NETWORK TIME PROTOCOL (NTP)
NTP can take up to thirty minutes to converge. Whenever you configure authentication with a date, or any ACLs that may use a date, make sure you use an NTP server or your authentication can fail due to time differences.
clock set hh:mm:ss day month year   Used to set the router clock
clock timezone CST –6
clock summer-time CDT recurring
Use on Server:
ntp master 3
ntp update-calendar
ntp source e0
Use on Client:
ntp peer 1.1.1.1 version 1
-or-
ntp server 11.1.1.1 version 1
Client / Server:
ntp broadcast delay 2000
Verification:
sh calendar
clock set
sh clock
sh ntp associations detail
sh ntp status

1.8.1. Association Modes
The association of two routers can operate in one of several modes: server, client, peer, and broadcast/multicast. The modes are further classified as active and passive:
Active modes: The host continues to send NTP messages regardless of the reachability or stratum of its peer. (Client, Peer, Broadcast/Multicast)
Passive modes: The host sends NTP messages only as long as its peer is reachable and operating at a stratum level less than or equal to the host. (Server, Peer)

Ø Server Mode By operating in server mode, a host (usually a LAN time server) announces its willingness to synchronise, but not to be synchronised by a peer. This type of association is ordinarily created upon arrival of a client request message and exists only in order to reply to that request, after which the association is dissolved. Server mode is a passive mode.

Ø Client Mode By operating in client mode, the host (usually a LAN workstation) announces its willingness to be synchronised by, but not to synchronise the peer. A host operating in client mode sends periodic messages regardless of the reachability or stratum of its peer. Client mode is an active mode.

Ø Peer Mode By operating in peer mode (also called “symmetric” mode), a host announces its willingness to synchronise and be synchronised by other peers. Peers can be configured as active (symmetric-active) or passive (symmetric-passive).

Ø Broadcast/Multicast Mode By operating in broadcast or multicast mode, the host (usually a LAN time server operating on a high-speed broadcast medium) announces its willingness to synchronise all of the peers, but not to be synchronised by any of them. Broadcast mode requires a broadcast server on the same subnet, while multicast mode requires support for IP multicast on the client machine, as well as connectivity via the MBONE to a multicast server. Broadcast and multicast modes are active modes.

An error condition results when both peers operate in the same mode, except for the case of symmetric-active mode.

Ø NTP Source Interface
NTP is the means of keeping the clocks on all the routers in the network synchronised to within a few milliseconds. If the loopback interface is used as the source interface between NTP speakers, it makes filtering and authentication somewhat easier to maintain. Most ISPs only wish to permit their customers to synchronise with their time servers and not everyone else in the world. Note that ntp access-group filters on source address only, which is trivially spoofed; the MD5 key is what proves who sent the packet, so use both. A configuration example (the key is shown in the type 7 form the running-config displays, and type 7 is reversible, so treat the configuration itself as sensitive):
  clock timezone SST 8
  !
  access-list 5 permit 192.36.143.150
  access-list 5 permit 169.223.50.14
  !
  ntp authentication-key 1234 md5 104D000A0618 7
  ntp authenticate
  ntp trusted-key 1234
  ntp source Loopback0
  ntp access-group peer 5
  ntp update-calendar
  ntp peer 192.36.143.150
  ntp peer 169.223.50.14

Ø Authentication
Add to all routers:
  ntp authentication-key 1 md5 cisco
  ntp authenticate
  ntp trusted-key 1
  ntp server 1.1.1.1 key 1              Client / server
With ntp authenticate configured, the router will only synchronise to a source whose packets carry a valid MAC computed with a trusted key.
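What ntp authenticate, ntp trusted-key and the key on the ntp server statement actually check is the MD5 authenticator appended to each 48-byte NTP header. The Python below is an added example (not from the original notes) that reproduces that exchange: it signs a server reply with key id 1 / "cisco" as in the configuration above, then applies the receiving router's acceptance rule to a good packet, an unauthenticated packet, an untrusted key id, a wrong key and a tampered header. The digest construction (MD5 over key followed by header) is the RFC 1305 / RFC 5905 MD5 scheme; the stratum and timestamp values are constructed sample data.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48                  # LI/VN/Mode through transmit timestamp
NTP_UNIX_EPOCH_OFFSET = 2208988800   # seconds between 1900-01-01 and 1970-01-01


def ntp_header(version: int = 3, mode: int = 3, stratum: int = 0, transmit_unix: int = 0) -> bytes:
    """Minimal NTP header. Mode 3 = client, 4 = server, 1 = symmetric-active, 5 = broadcast."""
    header = bytearray(NTP_HEADER_LEN)
    header[0] = (version << 3) | mode            # leap indicator 0
    header[1] = stratum
    struct.pack_into("!II", header, 40, transmit_unix + NTP_UNIX_EPOCH_OFFSET, 0)  # transmit timestamp
    return bytes(header)


def ntp_mac(key: bytes, header: bytes) -> bytes:
    """RFC 1305 / RFC 5905 MD5 authenticator: MD5 over the key followed by the 48-byte header."""
    return hashlib.md5(key + header).digest()


def sign_packet(header: bytes, key_id: int, key: bytes) -> bytes:
    """Append the authenticator: 4-byte key identifier plus 16-byte digest."""
    return header + struct.pack("!I", key_id) + ntp_mac(key, header)


def accept_packet(packet: bytes, trusted_keys: dict) -> bool:
    """The receiving router's rule under 'ntp authenticate' plus 'ntp trusted-key':
    an authenticator must be present, its key id must be trusted, and the digest must match.
    A bare 48-byte header (no authenticator) is not accepted for synchronisation."""
    if len(packet) != NTP_HEADER_LEN + 4 + 16:
        return False
    header = packet[:NTP_HEADER_LEN]
    (key_id,) = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])
    digest = packet[NTP_HEADER_LEN + 4:]
    key = trusted_keys.get(key_id)
    if key is None:
        return False
    return hmac.compare_digest(ntp_mac(key, header), digest)


# Mirrors 'ntp authentication-key 1 md5 cisco' and 'ntp trusted-key 1' from the notes above
TRUSTED_KEYS = {1: b"cisco"}

if __name__ == "__main__":
    reply = sign_packet(ntp_header(mode=4, stratum=3, transmit_unix=1_000_000_000), 1, b"cisco")
    print("genuine reply accepted:", accept_packet(reply, TRUSTED_KEYS))
    tampered = reply[:1] + bytes([1]) + reply[2:]   # stratum 3 rewritten to 1; digest no longer matches
    print("tampered reply accepted:", accept_packet(tampered, TRUSTED_KEYS))
```

The example also shows why ntp access-group alone is not enough: nothing in the acceptance rule looks at the source address, and nothing in an address filter looks at the digest. MD5 is kept here because it is what the IOS of the period offers; the key string is the only secret, so it deserves the same handling as a password.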

1.9. HTTP
  no ip http server               ! Disables the HTTP service
  ip http server                  ! Enables the HTTP service
  ip http port 8765               ! Use a non-standard port
  ip http authentication aaa      ! Use the AAA authentication method that has been configured
  ip http access-class <1-99>     ! Standard access-list that protects the HTTP port (a global command, not a line vty command)
  access-list 1 permit 10.1.1.1
  !
  deb ip http url
  deb ip http tokens
  deb ip http transactions
The HTTP server is a privilege-level-15 management interface over cleartext; restrict it with an access-class and AAA, or leave it disabled if it is not needed.

1.10. SNMP
  snmp-server community <community string> [RO | RW] [<access-list>]

Ø Configuration
  Router:
    snmp-server community public ro
    snmp-server community private rw
  Switch:
    set snmp community read-only public
    set snmp community read-write private
public and private are the well-known default strings and should never be left in place: a read-write community without an access-list lets anyone who can reach UDP 161 change the configuration.

Ø SNMP in read-only mode
If SNMP is used in a read-only scenario, ensure that it is set up with appropriate access controls. The following is an example:
  access-list 98 permit 215.17.34.1
  access-list 98 permit 215.17.1.1
  access-list 98 deny any
  !
  snmp-server community 5nmc02m RO 98
  snmp-server trap-source Loopback0
  snmp-server trap-authentication
  snmp-server enable traps config
  snmp-server enable traps envmon
  snmp-server enable traps bgp
  snmp-server enable traps frame-relay
  snmp-server contact Barry Raveendran Greene [[email protected]]
  snmp-server location Core Router #1 in City Y
  snmp-server host 215.17.34.1 5nmc02m
  snmp-server host 215.17.1.1 5nmc02m
  snmp-server tftp-server-list 98
  !
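The HTTP and SNMP sections above describe the same handful of management-plane checks a reviewer applies to every IOS configuration: no well-known community strings, no read-write community, an access-list on every community, an access-class and authentication on the HTTP server, and a key on every NTP source. The Python below is an added example (not from the original notes) that applies those checks to a configuration text. The sample configuration is constructed from the lines shown in this section; the severity labels and message wording are this example's own.

```python
import re

WELL_KNOWN_COMMUNITIES = {"public", "private"}

# snmp-server community <string> [view <name>] [ro|rw] [<acl>]
SNMP_COMMUNITY = re.compile(r"^snmp-server community (\S+)(?:\s+view\s+\S+)?(?:\s+(ro|rw))?(?:\s+(\S+))?\s*$", re.I)
NTP_SOURCE = re.compile(r"^ntp (server|peer) (\S+)(.*)$")


def audit_ios_config(config: str) -> list:
    """Return (severity, message) findings for the management-plane settings covered in
    this section: SNMP communities, the HTTP server and NTP time sources."""
    lines = [ln.strip() for ln in config.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("!")]
    findings = []

    for ln in lines:
        m = SNMP_COMMUNITY.match(ln)
        if not m:
            continue
        community, mode, acl = m.group(1), (m.group(2) or "ro").lower(), m.group(3)   # RO is the IOS default
        if community.lower() in WELL_KNOWN_COMMUNITIES:
            findings.append(("high", "SNMP community '%s' is a well-known default string" % community))
        if mode == "rw":
            findings.append(("high", "SNMP community '%s' is read-write: it allows configuration changes over UDP 161" % community))
        if acl is None:
            findings.append(("medium", "SNMP community '%s' has no access-list limiting which hosts may use it" % community))

    if "ip http server" in lines:
        findings.append(("info", "HTTP management server is enabled (cleartext); disable it if it is not needed"))
        if not any(ln.startswith("ip http access-class") for ln in lines):
            findings.append(("high", "ip http server has no ip http access-class restricting source addresses"))
        if not any(ln.startswith("ip http authentication") for ln in lines):
            findings.append(("medium", "ip http server uses the default enable-password authentication; configure ip http authentication"))

    ntp_sources = [NTP_SOURCE.match(ln) for ln in lines]
    ntp_sources = [m for m in ntp_sources if m]
    for m in ntp_sources:
        if not re.search(r"\bkey\s+\d+", m.group(3)):
            findings.append(("medium", "NTP %s %s is unauthenticated (no 'key' on the statement)" % (m.group(1), m.group(2))))
    if ntp_sources and "ntp authenticate" not in lines:
        findings.append(("medium", "NTP sources configured but 'ntp authenticate' is missing"))
    return findings


# Constructed from the configuration lines shown in this section (not a real device's config)
SAMPLE_CONFIG = """\
snmp-server community public ro
snmp-server community private rw
snmp-server community 5nmc02m RO 98
access-list 98 permit 215.17.34.1
ip http server
ip http port 8765
ip http authentication aaa
ip http access-class 1
ntp authenticate
ntp server 1.1.1.1 key 1
ntp peer 192.36.143.150
"""

if __name__ == "__main__":
    for severity, message in audit_ios_config(SAMPLE_CONFIG):
        print("%-6s %s" % (severity, message))
```

Run against the sample, the two default communities produce the findings, the hardened 5nmc02m RO 98 line produces none, the HTTP server is reported only as informational because both access-class and authentication are present, and the unauthenticated ntp peer is flagged even though the source-address filter from the NTP section would normally accompany it.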

1.11. AGGREGATE T1'S
If you want to aggregate the bandwidth of two serial T1's at layer 2, try this. It saves IP space, prevents layer 3 route reconvergence when a link flaps, and provides better redundancy/throughput overall.
  R1
   interface Multilink1
    ip address 10.252.3.1 255.255.255.252
    ppp multilink
    multilink-group 1
   !
   interface Serial0/0
    description T1 to Router2
    no ip address
    encapsulation ppp
    no fair-queue
    ppp multilink
    multilink-group 1
   !
   interface Serial0/1
    description T1 to Router2
    no ip address
    encapsulation ppp
    no fair-queue
    ppp multilink
    multilink-group 1
  R2
   interface Multilink1
    ip address 10.252.3.2 255.255.255.252
    ppp multilink
    multilink-group 1
   !
   interface Serial0/0
    description T1 to Router1
    no ip address
    encapsulation ppp
    no fair-queue
    ppp multilink
    multilink-group 1
   !
   interface Serial0/1
    description T1 to Router1
    no ip address
    encapsulation ppp
    no fair-queue
    ppp multilink
    multilink-group 1


1.12. LEVEL ONE TROUBLESHOOTING
Are the interfaces in an "Up/Up" state?
  show ip interface brief
  show atm interface status
  show ports (CAT 5000)
  show mac (CAT 5000)
  show modules (CAT 5000)
General interface troubleshooting:
  show controllers        Which end of the connection is the DTE and which end is the DCE?
  show cdp neighbor

Ø Show Buffers
Displays data link errors: hits, misses, buffer sizes.

Ø Show Interfaces
  show line         Shows connectivity status
  show sessions     Displays connectivity
Things to look for:
  No clock rate set on the DCE serial interface
  Encapsulation type mismatch
  LMI mismatch
  Keepalive timer mismatch
  Up / down status: protocol vs physical
  Bandwidth (used for IGRP metrics)
  Load: 255/255 = 100% utilization
  Reliability: 255/255 = 100% reliable
  Last input: dead interface?
  Output: dead interface?
  No buffers: main memory problems
  Received broadcasts: should be less than 20% of total input
  Runts, giants
  CRC: noise on links
  Collisions: 0.1% or less of output packets

Ø Show Interface – Ethernet
  CRC errors: noise
  Collisions: should be less than 0.1%
  Runts: should not have any
  Late collisions: check the diameter of the network; bad network design
  Ethernet lines can be in an up/down state when no cable is connected, since they need a transceiver
  Turn off keepalives and Ethernet interfaces can be in an up/up state
  show controllers e
  debug ethernet interface

Ø Show Interface – Fast-Ethernet
  Half / full duplex
  Trunking, VLAN

Ø Show Interface – Token-ring
  Token ring is reset: hardware error occurred
  Interface resets: lobe cable failure
  Transitions: ring up / down
  Incorrect ring speed
  debug token events
  show controllers token-ring
  debug token ring
  show lnm status

Ø Show Interface – Serial
  Bandwidth: is it the actual bandwidth?
  Packets input: error-free packets
  Ignored: burst noise
  Carrier transitions: line up / down, modem or line problems
  Interface resets: modem not supplying a clock signal, or cable problem
  The DCE side must supply the clock rate
  show controllers       Displays DCE / DTE configuration and cable status
  clock rate             Sets the clock rate

Ø Show Interface – FDDI
Bypass switch installed: check the NAUN. Bypass switches do not repeat signals like a transceiver does, which causes signal degradation.
ECM: SMT entity coordination management. This indicates the router state: out, in (normal), trace, leave, path_test, insert, check, deinsert.
Neighbor states:
  A     DAS neighbor attached to primary ring
  S     SAS neighbor
  B     DAS neighbor, secondary ring
  M     Concentrator
  Unk   Unknown
Status states (line status):
  LSU   Line state unknown
  QLS   Quiet
  NLS   Noise
  ALS   Active
  MLS   Master
  OVUF  Overflow / underflow
  ILS   Idle
  HLS   Halt

Ø Router Interface Status
  TRA: stuck beacon condition
  Physical states: join, vfy, act
  Neighbor: A or S, B or M
  CMT signal bits: should be ILS or ALS
  ECM: should be IN
  CFM: should be Thru
  RMT: should be ring-op

Ø Show Interface – ATM
  Encapsulation: AAL5 (PVC or SVC)
  Max VC / current VC: compare


Ø Show Controllers Token-ring
  Ring number mismatch
  Output line errors: CRC errors
  Indicator burst error: noise / crosstalk
  Receive congested error: traffic problems
  Line, burst and receive congestion errors are the most common on Token Ring networks.
  Isolating errors: line, internal, burst, ARI/FCI, abort
  Non-isolating errors: lost frame, copy, receive congestion, token-frame

Ø Show Memory Check size of largest block free

Ø Show Processes Run the command one minute apart, processes incremented are the cpu load ones

Ø Debug Commands
  service timestamps log datetime localtime     Adds timestamps to log messages (service timestamps debug datetime localtime does the same for debug output)
  debug broadcast
  terminal monitor                              Copies debug output to the terminal session
  sho proc cpu

Ø Troubleshooting
  Router1#show line aux 0
     Tty Typ     Tx/Rx      A Modem  Roty AccO AccI   Uses   Noise  Overruns
  A    1 AUX  38400/38400   - inout     -    -    -      0       0       0/0
  Line 1, Location: "", Type: ""
  Length: 24 lines, Width: 80 columns
  Baud rate (TX/RX) is 38400/38400, no parity, 2 stopbits, 8 databits
  Status: Ready, Active, Async Interface Active

1.13. ROUTER AS PACKET ANALYZER
  rmon ?
    native          Monitor the interface in native mode
    promiscuous     Monitor the interface in promiscuous mode
If you want to see certain packets that are going through the router, do a "debug ip packet dump". Use an access list with it so that you only see the packets you are looking for, and turn off route caching on the interfaces (the debug only sees process-switched packets). Be aware that this debug is CPU-expensive and prints full packet contents, including any cleartext credentials, into the log.
  r1# deb ip packet 100 dump
  IP packet debugging is on (dump) for access list 100
  *Mar 11 07:16:07: IP: s=172.16.10.15 (local), d=63.15.14.16 (Ethernet0), len 42, sending
  00E03380:                            4500002A          E..*
  00E03390: 00A80000 FF06DAA6 AC10829B 3FC37210  .(....Z&,...?Cr.
  00E033A0: 07D9F2E6 E0031F86 463B1C49 50181038  .Yrf`...F;.IP..8
  00E033B0: F0210000 72230A20 00002020 20507269  p!..r#. ..   Pri
  00E033C0: 6E74206D 6F726520 64656275 67        nt more debug
  *Mar 11 07:16:07: IP: s=63.15.14.16 (Ethernet0), d=172.16.130.155 (Ethernet0), len 40, rcvd 3
  00E12BC0:                   0050 54800958 00D0BBCC  .PT..X.P;L
  00E12BD0: 9C200800 45000028 37614000 7106F1EF  . ..E..(7a@.q...
  00E12BE0: 3FC37210 AC10829B F2E607D9 463B1C49  ?Cr.,...rf.YF;.I
  00E12BF0: E0031F86 501040A2 31E50000 00000000  `...P.@"1e......
  00E12C00: 000043                               ..C
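The hex dump above is only useful if it can be read, and the router does not decode it for you. The Python below is an added example (not from the original notes) that parses debug ip packet dump output: it splits the output at each "IP: s=" summary line, gathers the hex words of the following lines (the ASCII column begins at the first non-hex token and is skipped), strips the Ethernet header that received packets carry, decodes the IPv4 and TCP headers, and verifies the IPv4 header checksum. The embedded sample is the dump printed above, reproduced as a constructed string; note that the summary line of the first packet shows different addresses from what its own bytes decode to, and the decoder reports what the bytes say.

```python
import re
import struct

HEX_LINE = re.compile(r"^\s*[0-9A-Fa-f]{8}:\s+(.*)$")   # "00E03390: 00A80000 FF06DAA6 ...  .(....Z&"
HEX_WORD = re.compile(r"^[0-9A-Fa-f]+$")
TCP_FLAGS = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20))


def hex_words_to_bytes(rest: str) -> bytes:
    """Collect the hex words of one dump line; the ASCII column starts at the first non-hex token."""
    out = bytearray()
    for token in rest.split():
        if len(token) % 2 or not HEX_WORD.match(token):
            break
        out += bytes.fromhex(token)
    return bytes(out)


def ipv4_header_checksum_ok(header: bytes) -> bool:
    """With the checksum field included, a valid header's one's complement sum is 0xFFFF."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def _mac(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def decode_packet(raw: bytes) -> dict:
    offset, l2 = 0, None
    if raw[0] >> 4 != 4 and len(raw) >= 14 and raw[12:14] == b"\x08\x00":
        # received ('rcvd') packets are dumped with their Ethernet header, sent ones without
        l2, offset = {"dst": _mac(raw[0:6]), "src": _mac(raw[6:12])}, 14
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _cksum = struct.unpack("!BBHHHBBH", raw[offset:offset + 12])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    ip = raw[offset:offset + total_len]   # the dump prints whole buffer words; bytes past the IP length are ignored
    if len(ip) < ihl:
        raise ValueError("truncated IPv4 header")
    info = {
        "l2": l2,
        "src": ".".join(str(b) for b in ip[12:16]),
        "dst": ".".join(str(b) for b in ip[16:20]),
        "ttl": ttl,
        "protocol": proto,
        "total_length": total_len,
        "captured": len(raw) - offset,
        "header_checksum_ok": ipv4_header_checksum_ok(ip[:ihl]),
        "tcp": None,
    }
    if proto == 6 and len(ip) >= ihl + 14:
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", ip[ihl:ihl + 14])
        info["tcp"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
                       "flags": [name for name, bit in TCP_FLAGS if off_flags & bit]}
    return info


def decode_debug_dump(text: str) -> list:
    """Split 'debug ip packet ... dump' output into packets at each 'IP: s=' summary line and decode each."""
    packets, current = [], None
    for line in text.splitlines():
        if "IP: s=" in line:
            current = {"summary": line.strip(), "raw": bytearray()}
            packets.append(current)
        elif current is not None:
            m = HEX_LINE.match(line)
            if m:
                current["raw"] += hex_words_to_bytes(m.group(1))
    return [dict(decode_packet(bytes(p["raw"])), summary=p["summary"]) for p in packets]


# The dump shown above, reproduced here as a constructed sample string
DEBUG_OUTPUT = """\
r1# deb ip packet 100 dump
IP packet debugging is on (dump) for access list 100
*Mar 11 07:16:07: IP: s=172.16.10.15 (local), d=63.15.14.16 (Ethernet0), len 42, sending
00E03380:                            4500002A          E..*
00E03390: 00A80000 FF06DAA6 AC10829B 3FC37210  .(....Z&,...?Cr.
00E033A0: 07D9F2E6 E0031F86 463B1C49 50181038  .Yrf`...F;.IP..8
00E033B0: F0210000 72230A20 00002020 20507269  p!..r#. ..   Pri
00E033C0: 6E74206D 6F726520 64656275 67        nt more debug
*Mar 11 07:16:07: IP: s=63.15.14.16 (Ethernet0), d=172.16.130.155 (Ethernet0), len 40, rcvd 3
00E12BC0:                   0050 54800958 00D0BBCC  .PT..X.P;L
00E12BD0: 9C200800 45000028 37614000 7106F1EF  . ..E..(7a@.q...
00E12BE0: 3FC37210 AC10829B F2E607D9 463B1C49  ?Cr.,...rf.YF;.I
00E12BF0: E0031F86 501040A2 31E50000 00000000  `...P.@"1e......
00E12C00: 000043                               ..C
"""

if __name__ == "__main__":
    for pkt in decode_debug_dump(DEBUG_OUTPUT):
        print(pkt["summary"])
        print("   ", {k: v for k, v in pkt.items() if k != "summary"})
```

Both headers in the sample verify (checksums DAA6 and F1EF are correct for their headers), the first packet is the router's own telnet reply (TCP port 2009, PSH+ACK) and the second is the returning ACK with its Ethernet header still attached. The one limitation worth knowing is the ASCII-column heuristic: a column that happened to start with an even-length run of hex digits would be mis-read as data, so treat the "captured" count as a sanity check against the summary line's length.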


2. FRAME-RELAY
You can ping your own FR interface if you map its IP address to its DLCI.
Whenever you use map commands, automatically disable inverse-arp: no frame-relay inverse-arp
If you ping a connection and get an "encapsulation failed" message, check your PVCs.
When disabling split horizon you must use distribute-lists to prevent routing loops.
Whenever the connection types are different you will have OSPF network type mismatches.
If you change a layer 3 address, do clear frame inarp on all remote connections.
DLCI ranges:
  0 - 15, 1008 - 1023   Reserved
  16 - 1007             User DLCIs
  1019 - 1022           Multicast
  1023                  LMI (Cisco)
  0                     LMI (ANSI / ITU)
Packet switched networks are not the best at telling a DTE when there is a problem in the cloud: ATM and FR interfaces may stay up/up even if the remote end is down.
A point-to-point subinterface can only accommodate a single DLCI at any given time. Point-to-point sub-interfaces are treated by the IOS like a physical point-to-point interface and need neither inverse-arp nor frame-relay map statements. Multipoint DLCIs rely on map statements for proper operation. The broadcast parameter is required for protocols such as OSPF.
If the router is reloaded, inverse-arp will be disabled for any DLCI that is used with a frame-relay map statement. As a rule, when configuring frame-relay map statements make note of the protocol and the DLCI specified; if there are any inverse mappings for that same protocol referencing the same DLCI, replace the inverse-arp entries with frame-relay map statements.
Without the frame-relay interface-dlci command, all DLCIs are assigned to the physical interface.
Split horizon only blocks routing updates in a hub and spoke topology. The Cisco IOS remedy to this split horizon problem is to disable split horizon on the hub router; this is done in interface configuration mode.
Split horizon is disabled on frame-relay physical IP interfaces and enabled on frame-relay point-to-point and multipoint IP sub-interfaces. When using only physical interfaces in a hub and spoke topology you need to add a frame-relay map statement on the spoke routers to assure spoke-to-spoke reachability; nothing needs to be done on the hub router.


If using point-to-point sub-interfaces each sub-interface must be configured as a separate subnet

Ø Inverse-Arp
Inverse ARP will resolve a remote network layer address to a local DLCI even if the remote IP address does not belong to the local subnet. If you run into this, shut down the interface, execute clear frame-relay inarp and then bring the interface back up.
Inverse ARP only works with directly connected sites.
A DLCI that was discovered by inverse-arp should not be referenced by a map statement.

Ø FR and ISDN Similarities
  Frame Relay      ISDN
  encap frame      isdn switch-type     Both start with the encapsulation / switch type on the interface
  check dlci       check switch         Check L2 devices for activity
  sh fram pvc      sh isdn status       Check for L2 connectivity

Ø LMI
LMI uses DLCI 0 or 1023. The LMI type is autosensed starting with IOS 11.2.
myseq and yourseen (in debug frame-relay lmi) should be incrementing by one. If LMI is not working you will see DLCIs dropping and myseq or yourseen will not be incrementing.
If you change the network layer address, run clear frame-relay inarp on all remote connections.

Ø Configure Frame-Relay Switch
  hostname frameswitch-r6
  enable pass cisco
  no ip domain-lo
  frame switch
  int s1
   clock rat 64000
   encap frame
   frame intf dce
   frame route 102 int s2 201
   frame route 103 int s3 301
  int s2
   clock rat 64000
   encap frame
   frame intf dce
   frame route 201 int s1 102
  int s3
   clock rat 64000
   encap frame
   frame intf dce
   frame route 301 int s1 103     ! return path for the 103 <-> 301 route defined on s1
  show fram route
  sfm
  sfp
  sfr


2.1. CONNECTIVITY SCENARIOS

  #  Hub                          Spoke                 Problem                                         Solution
  1  Physical (I) inverse-arp     Physical (M) maps     No spoke-to-spoke connectivity                  Add map for spoke-to-spoke; add maps to all routers
                                                        (inverse-arp / map problems)                    Use dist-list to fix SH problems
                                                        OSPF NBMA                                       SH: enable on spokes
  2  PtM (D) int-dlci             PtP (D) int-dlci      "possibly down" networks                        Disable split horizon on hub
                                                        OSPF network type / DV problems
  3  Physical (D) inverse-arp     PtP (D) int-dlci      SH problems; sir (show ip route) will display   Disable SH
                                                        "possibly down" routes
  4  PtM (D) int-dlci,            Physical (M) maps     OSPF network mismatch                           Map or inverse-arp can be used
     multiple DLCIs
  5  PtP: no inverse-arp,         PtP                   Separate subnets
     use int-dlci; map
     statements can be used

Legend: (I) inverse-arp statement, (D) interface-dlci statement, (M) frame-relay map statement


Ø General Guideline
  PtM   Need map (or interface-dlci, preferred) or inverse-arp to associate neighbors.
  PtP   Does not use map statements; use interface-dlci.
  Split horizon is disabled on physical interfaces. Enable SH on PtP and PtM spokes.


2.2. CONFIGURING FRAME-RELAY
1 – Enable frame-relay on both sides
  int ser 0
   encap frame-relay
   bandwidth 64
   no shutdown
2 – Verify the interface is communicating with the switch
  show frame-relay pvc      PVC STATUS must be ACTIVE
  show frame-relay map      Shows the DLCIs that inverse-arp has mapped
Inverse-arp also learns the L3 addresses; if these are wrong, or changed after frame-relay encapsulation was enabled, use clear frame-relay inarp to clear the FR map cache.

Ø Basic FR Configuration
  R1
   int s0
    encap frame
   int s0.1 multi
    frame inter 102
   int s0.2 point
    frame inter 103
  R2
   int s0
    encap frame
    fram inter 102
  R3
   int s0
    encap frame
    fram inter 103

Ø FR Commands
  clear frame-relay inarp
  de-group 3 200 / de-list 3 protocol ip gt 512     (see Frame-Relay Discard Eligibility below)

Ø Frame-Relay Discard Eligibility
Sets the DE bit on frames sent out the given DLCI (200 in this case) that match the DE list; here, IP packets larger than 512 bytes:
  frame-relay de-list 3 protocol ip gt 512
  int s0
   frame-relay de-group 3 200
Use extended ping to test and sfp (show frame-relay pvc) to display the DE packet counts.
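The DE bit, like FECN and BECN, lives in the two-byte Q.922 address field at the front of every frame, and the DLCI ranges listed at the top of this chapter are just values of the 10-bit field in the same two bytes. The Python below is an added example (not from the original notes) that encodes and decodes that address field, classifies a DLCI by the ranges above, and models what de-list 3 protocol ip gt 512 applied through de-group 3 200 does to a frame. The frames are built with the RFC 2427 IETF encapsulation (control 0x03, NLPID 0xCC for IP) and the payloads are constructed sample data; the FCS is omitted.

```python
IP_NLPID = 0xCC  # RFC 2427 (IETF encapsulation) NLPID for IP


def build_q922_address(dlci: int, cr: bool = False, fecn: bool = False, becn: bool = False, de: bool = False) -> bytes:
    """Encode the 2-byte Q.922 address field: 10-bit DLCI, C/R, FECN, BECN, DE and the EA bits."""
    if not 0 <= dlci <= 1023:
        raise ValueError("DLCI must fit in 10 bits")
    b0 = ((dlci >> 4) << 2) | (0x02 if cr else 0)                      # upper 6 DLCI bits, C/R, EA=0
    b1 = (((dlci & 0x0F) << 4) | (0x08 if fecn else 0) | (0x04 if becn else 0)
          | (0x02 if de else 0) | 0x01)                                # lower 4 DLCI bits, FECN, BECN, DE, EA=1
    return bytes([b0, b1])


def parse_q922_address(frame: bytes) -> dict:
    """Decode the address field from the first two bytes of a frame."""
    b0, b1 = frame[0], frame[1]
    if (b0 & 0x01) or not (b1 & 0x01):
        raise ValueError("EA bits do not describe a 2-byte address field")
    return {"dlci": ((b0 >> 2) << 4) | (b1 >> 4), "cr": bool(b0 & 0x02),
            "fecn": bool(b1 & 0x08), "becn": bool(b1 & 0x04), "de": bool(b1 & 0x02)}


def classify_dlci(dlci: int) -> str:
    """DLCI ranges from the Frame Relay notes above."""
    if dlci == 0:
        return "LMI (ANSI/ITU)"
    if dlci == 1023:
        return "LMI (Cisco)"
    if 1019 <= dlci <= 1022:
        return "multicast"
    if 16 <= dlci <= 1007:
        return "user"
    return "reserved"


def build_ietf_frame(dlci: int, nlpid: int, payload: bytes) -> bytes:
    """Q.922 address + control 0x03 + NLPID + payload (IETF encapsulation, FCS omitted)."""
    return build_q922_address(dlci) + b"\x03" + bytes([nlpid]) + payload


def apply_de_list(frame: bytes, dlci: int, gt_bytes: int) -> bytes:
    """Model of 'frame-relay de-list N protocol ip gt <bytes>' bound to one DLCI with
    'frame-relay de-group N <dlci>': set DE on IP frames whose packet exceeds the threshold,
    leave every other frame untouched."""
    addr = parse_q922_address(frame)
    nlpid, payload = frame[3], frame[4:]
    if addr["dlci"] != dlci or nlpid != IP_NLPID or len(payload) <= gt_bytes:
        return frame
    marked = build_q922_address(dlci, cr=addr["cr"], fecn=addr["fecn"], becn=addr["becn"], de=True)
    return marked + frame[2:]


if __name__ == "__main__":
    big = build_ietf_frame(200, IP_NLPID, b"\x45" + b"\x00" * 599)    # constructed 600-byte IP packet
    small = build_ietf_frame(200, IP_NLPID, b"\x45" + b"\x00" * 99)   # constructed 100-byte IP packet
    for f in (apply_de_list(big, 200, 512), apply_de_list(small, 200, 512)):
        a = parse_q922_address(f)
        print(a["dlci"], classify_dlci(a["dlci"]), "DE" if a["de"] else "no DE")
```

Seeing the bit this way also explains why DE is a hint rather than a guarantee: the carrier may discard DE frames first under congestion, but nothing stops a neighbour from clearing or setting the bit on its own traffic.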


2.3. TROUBLESHOOTING FRAME RELAY
FRF.8 (Frame Relay to ATM service interworking) requires IETF encapsulation; it applies when a Frame Relay DTE talks to an ATM DTE through the carrier's interworking function.
  clear frame-relay inarp      Clears bad map entries out of the map cache; if inverse-arp corrupts the map cache this will correct it.

Ø LMI Issues
LMI types: cisco, ansi, q933a (ccitt)
  sh int s0          With LMI problems the line protocol will be down; "LMI sent" will increment but "LMI received" will not.
  show frame lmi     Displays the stability of your Frame connections: Num Status Sent / Recv'd should be equal and Num Status Timeouts should be 0.

Use debug frame lmi to determine the problem:
  debug frame lmi          Displays DTE status (should be up); myseq should be incrementing by one and yourseen should be incrementing by one. Always check both sides of the connection.
  show frame-relay pvc     A PVC status of DELETED means that this PVC is no longer being reported by LMI.

Ø Other Issues
  show int <type>
  show frame-relay pvc            Displays the status of all PVCs (DLCIs); all should be ACTIVE. If not, check the interface configurations of the inactive PVCs and the DTE device configuration.
  show frame-relay map
  sho frame-relay traffic
  sho frame-relay route
  show frame-relay svc maplist
  debug frame-relay events        DLCI problems, input problems; use at 25 pps or less
  debug serial interface          HDLC keepalives; displays timing problems
  debug ip packet
  debug frame packet              "encaps failed - no map entry link 7 (IP)": check PVC status with show frame-relay pvc; no PVC connectivity
                                  IP: s=172.16.1.1 (local), d=172.6.1.2 (Serial0), len 100, sending (repeating): frame map missing at the other side
  debug ip icmp
Is the router properly communicating with the frame-relay switch? Does show frame pvc display the DLCIs as active?
Are your packets leaving the router? debug frame packet; show frame pvc (packets in / packets out)
Are your frame-relay map statements correct? (show frame map)
Favorite Frame-Relay troubleshooting tool in a lab environment: debug frame packet

Ø Problem Isolation

  Symptom                    Problem                      Action
  Local physical link        Cabling                      Fix cabling
  Configuration for PVCs     Encap, LMI, speed            Check encap, LMI, speed
  Layer 2 -> 3 maps          Address configuration        Check address configuration
  Remote site                Remote side OK?              Contact remote site
  Link is down               No keepalives                sho int
                             Bad encapsulation            sh frame map
                             DLCI inactive                sh frame pvc
                             LMI mismatch                 sh int serial / sf lmi
  Can't ping remote router   Bad encap
                             DLCI inactive
                             Bad access-list              sh access-list
                             No map                       sfm
                             No broadcast in map          sfm
  Can't ping end-to-end      Split horizon
                             Access-list for protocol
                             No gateway on workstation


3. ISDN
The broadcast parameter allows broadcast traffic to be forwarded, and broadcasts will reset the idle timer. Just as with frame-relay map statements, the dialer-map broadcast parameter is required for proper OSPF operation over a DDR link. Note that when the broadcast parameter is added the DDR link can stay up indefinitely due to constant broadcast traffic; to remedy this, granular dialer-lists must be configured.
A physical interface can be associated with multiple dialer pools. A logical dialer interface can be associated with only one dialer pool.
To configure PPP CHAP authentication with dialer profiles, enter the ppp authentication chap statement on both the physical interface and the logical dialer interface.
The dialer remote-name statement is critical for the called party: it must match the calling party's host name or the name specified in the calling party's ppp chap hostname statement.
Backup for a DLCI for IP while IPX has to flow all the time: has to be a dialer profile.
Backup a serial interface with the least number of commands: legacy DDR, HDLC and a dialer string.

Ø Interface Types
  TE2 –R– TA/TE1 –S– NT2 –T– NT1 –U– LE
BRIs have SPIDs, PRIs do not.
Snapshot routing: the client defines the quiet period.
Use ppp quality for DDR based on the quality of the line.

Ø Call Setup Messages
  SETUP, CALL_PROC, CONNECT, CONNECT_ACK


Ø Teardown Messages
  DISCONNECT, RELEASE, RELEASE_COMP

Ø ISDN and OSPF Add the broadcast to dialer maps

Ø Routing over DDR
  Floating statics with a dynamic routing protocol
  OSPF demand circuit
  distribute-list
  Snapshot routing (RIP, IGRP, IPX RIP)
  BGP: long keepalive timer + default idle timer; no peer neighbor-route
  DLSw: turn off keepalives or use dynamic peers with an inactivity timer
  Bridging (over tunnel): turn off spanning tree
  EIGRP: filter the hellos (224.0.0.10)
    access-list 101 deny eigrp any any
    access-list 101 deny ip any 224.0.0.10 0.0.0.0
  Suppress-state-change-updates: prevents routing traffic on the line when the line was initiated by interesting traffic. Need the dialer parameter as well, since this is what allows a call for routing traffic.

Ø Basic Configuration Needs
Info you need to configure:
  BRI   DN, SPID, signaling protocol
  PRI   Timeslot 24 is the D channel; controller, framing, linecode, pri-group
Basic ISDN (3 statements); add authentication (3 statements); add dialer-list complexity (3 interface / 1 global statements).
Four-step configuration:
  Define interesting traffic    dialer-list
  Map destination               dialer map
  Define interface              dialer-group
  Options                       dialer idle-timeout, dialer fast-idle, dialer load-threshold

Ø Basic Configuration
This is the basic configuration for an ISDN connection. Notice that three ISDN, dialer and PPP statements are required. The username lines hold the CHAP secret; CHAP needs the secret in reversible form, so password 0 leaves it in cleartext and service password-encryption only obscures it as type 7, which is why the configuration itself must be protected.
  R1
   username r2 password 0 sanfran
   isdn switch-type basic-ni
   interface BRI0
    ip address 199.10.10.1 255.255.255.0
    isdn switch-type basic-ni
    isdn spid1 0835866101 8358661
    isdn spid2 0835866301 8358663
    dialer idle-timeout 90                                   ! Interesting traffic timeout
    dialer map ip 199.10.10.2 name r2 broadcast 8358662      ! Map command or dial string 8358662
    ! Need a static map with just a dial string to send traffic
    ! Dial strings and maps are for dialing out only
    ! These are not needed if the router is to receive calls only
    dialer-group 1                                           ! Assign dialer-list 1 to the interface
    encapsulation ppp
    ppp authentication chap
    ppp multilink                                            ! Negotiate MLPPP
   dialer-list 1 protocol ip permit                          ! Define interesting traffic
  R2
   username r1 password 0 sanfran
   isdn switch-type basic-ni
   interface BRI0
    ip address 199.10.10.2 255.255.255.0
    isdn switch-type basic-ni
    isdn spid1 0835866201 8358662
    isdn spid2 0835866401 8358664
    dialer idle-timeout 90
    dialer map ip 199.10.10.1 name r1 broadcast 8358661
    dialer-group 1
    encapsulation ppp
    ppp authentication chap
    ppp multilink
   dialer-list 1 protocol ip permit                          ! Referenced by dialer-group 1 above

Ø General L2 Connectivity
  R1
   isdn switch-type basic-ni
   int bri 0
    isdn switch-type basic-ni
    isdn spid1 0835866201 8358662
    isdn spid2 0835866401 8358664
  R5
   isdn switch-type basic-ni
   int bri 0
    isdn switch-type basic-ni
    isdn spid1 0835866101 8358661
    isdn spid2 0835866301 8358663

Ø Configuration
  (3)    Basic ISDN commands (switch-type / SPIDs)
  (3)    Add authentication
  (3+1)  Add dialer-list complexity (3 interface and 1 global statements)
Four-step configuration:
  Define interesting traffic    dialer-list
  Define interface              dialer-group
  Map destination               dialer map
  Options                       idle-timeout, fast-idle, load-threshold

Ø Example:
  R1
   username r2 password 0 sanfran
   isdn switch-type basic-ni
   interface BRI0
    ip address 199.10.10.1 255.255.255.0
    isdn switch-type basic-ni
    isdn spid1 0835866101 8358661
    isdn spid2 0835866301 8358663
    dialer idle-timeout 90                                   ! Interesting traffic timeout
    dialer map ip 199.10.10.2 name r2 broadcast 8358662      ! Map command or dial string 8358662
    ! Need a static map with just a dial string to send traffic
    ! Dial strings and maps are for dialing out only
    ! These are not needed if the router is to receive calls only
    dialer-group 1                                           ! Assign dialer-list 1 to the interface
    encapsulation ppp
    ppp authentication chap
    ppp multilink                                            ! Negotiate MLPPP
   dialer-list 1 protocol ip permit                          ! Define interesting traffic

Ø Call Messages
  Setup:     SETUP, CALL_PROC, CONNECT, CONNECT_ACK
  Teardown:  DISCONNECT, RELEASE, RELEASE_COMP

Ø BRI Configuration
Configure the ISDN switch type, for all configurations:
  int bri 0
   isdn switch-type basic-ni1
   no shutdown
Verify that the router is communicating with the switch:
  show isdn status       Layer 1 should be ACTIVE; Layer 2 state = MULTIPLE_FRAME_ESTABLISHED
  debug isdn q921


3.1. SETUP
Some of the mandatory decisions that must be made are:
A.) What type of encapsulation am I going to use on my interface? HDLC, PPP
B.) What kind of traffic will be able to generate outbound calls? Dialer-lists
C.) What kind of traffic do I want to prevent from making outbound calls? ACL
D.) Will I always be dialing the same location or multiple remote locations? Dialer map, dialer strings (up to three): great for hub and spoke connectivity or for a backup router. Need dialer maps when calling two different locations (on the hub); dialer strings can be used on spokes. Dialer maps can set the speed and host name of the call and determine whether broadcast traffic should be sent; broadcast traffic is optional. "All IP addresses that are put in dialer maps must be in the routing table; if not, you must put them in the routing table with statics."
E.) If I'm dialing multiple remote locations, can I use the same parameters for all of them, such as authentication type, IP subnets, layer 3 protocols allowed during the call, etc.? CHAP never sends passwords across the link; PAP sends the password in clear text. Changing hostnames: CHAP - ppp chap hostname x; PAP - ppp pap sent-username x password y
F.) After all the data transmission is done, how long do I want to wait before the call is disconnected? Never rely on the remote routers to disconnect your calls in a timely manner. If you're worried about ISDN charges, make sure you take control by configuring your router with the appropriate disconnect timer.
G.) Am I going to allow dynamic routing protocols to use the ISDN link or just static routes? Dynamic routing without keepalives:
H.) If I use both B-channels on the call (either inbound or outbound), do I want to use the PPP Multilink feature to fragment large packets into smaller ones? When do you want the second link to come up? dialer load-threshold x [outbound | inbound | either], where x is a value between 1 and 255. The range 1 to 255 correlates to the current bandwidth usage (load) of the call, with 255 equating to a load of 100%. So, for example, if I wanted to configure my ISDN DDR interface such that when the first B-channel reached a load of 50% it would automatically bring up the next available B-channel, I would configure dialer load-threshold 128, because 128 is approximately 50% of the maximum value of 255. If I didn't want additional B-channels to be added unless the first B-channel was 100% utilized, I would modify the command to dialer load-threshold 255. ppp multilink breaks packets into smaller fragments for optimized delivery over two links.


I.) Do I want to implement PPP callback?
J.) IP addressing scheme.
  1.) Do you want to place a static IP address on your ISDN interface? No
  2.) Do you want to have your ISDN interface unnumbered to some other physical or logical interface on the router? ip unnumbered lo0, ip unnumbered dialer1
  3.) Do you want to obtain your IP address for the ISDN interface dynamically during each call via IPCP? Obtain an IP address from an IPCP pool on a remote router. This is most often used in hub and spoke situations where a pool of addresses resides on the hub router and is used to dynamically assign an IP address via IPCP to individual PCs that dial in with an ISDN terminal adapter. This can also work when you have spoke routers that dial in via PPP.
    Hub router:
      Single IP address:       peer default ip address x.x.x.x
      Multiple IP addresses:   ip local pool CCIELAB x.x.x.x y.y.y.y
                               peer default ip address pool CCIELAB
    Spoke routers:             ip address negotiated

3.2. LEGACY DDR
Uses the physical interface rather than dialer profiles, and relies on dialer map statements.

Ø ISDN Call Process
  1. Interesting packets dictate a DDR call
  2. Route to destination is determined
  3. Dialer information is looked up
  4. Traffic is transmitted
  5. Call is terminated

Ø IPX Dialer-lists
This will stop IPX RIP and SAP from triggering DDR calls:
  access-list 901 deny any any all any rip
  access-list 901 deny any any all any sap
  access-list 901 deny any any all any 457
  access-list 901 permit any
  dialer-list 1 protocol ipx list 901

Ø Minimum ISDN / DDR Configuration with PPP
  isdn switch-type basic-ni1
  username sanjose password cisco
  int bri0
   isdn switch-type basic-ni1
   isdn spid1 0836866101 8358661
   isdn spid2 0835866301 8358663
   ip address 172.16.1.1 255.255.255.0
   dialer map ip 172.16.1.2 name r2 broadcast 1113344
   dialer-group 1
   encapsulation ppp
   ppp authentication chap
   ppp multilink
  dialer-list 1 protocol ip permit


Ø Bridging
  int bri0
   dialer map bridge name r2 speed 56 8837676
   bridge-group 1
  bridge 1 protocol ieee
  access-list 201 permit 0x0000 0xFFFF     ! ACL permits all bridged protocols
  dialer-list 1 list 201

Ø Other Commands
  dialer in-band     If you do not have native ISDN BRI and are using sync or async interfaces

Ø Legacy DDR Optional Commands
  dialer load-threshold load [outbound | inbound | either]    load = 1-255 (255 being 100%); establishes the amount of traffic on the link before a second link is brought up
  dialer idle-timeout 120                                     Establishes the idle time before disconnect
  dialer fast-idle

Ø Verifying Legacy DDR Operation
  ping or telnet       Triggers a link
  show dialer          Displays the current status of the link
  show isdn active     When using ISDN, displays call status while a call is in progress
  show isdn status     Displays the status of an ISDN connection
  show ip route        Displays all routes, including static routes

Ø Troubleshooting Legacy DDR
The dialer map broadcast keyword will keep the DDR interface up indefinitely; OSPF requires the use of the broadcast keyword.


3.3. DIALER PROFILES
Allows the configuration of physical interfaces to be separated from the logical configuration required for a call.
  Uses dialer pool and dialer pool-member
  Does not use dialer map statements
  Dialer pools are bound to physical interfaces
  Put ISDN and PPP encapsulation commands on the physical interface
  Put IP, PPP and dialer commands on the dialer interface

Ø Dialer Profiles Configuration
  Physical interface    Encapsulation, authentication, dialer pool-member, SPIDs
  Logical interface     IP address, dialer string, dialer pool, dialer-group, dialer remote-name, dialer parameters
Configuring a dialer interface:
  1 - Create the dialer interface and name the remote:                  int dialer 1 / dialer remote-name sanjose
  2 - Associate the dialer pool with the logical interface:             dialer pool 1
  3 - Apply the dialer-group statement to define interesting traffic:   dialer-group 1
  4 - Provide the dialer string to call:                                dialer string 9851234
Optional: configure a map-class. Map-class configuration provides basic dialer commands to specific dialer interfaces.
To go from legacy DDR to a dialer profile, remove from the physical interface all logical commands (dialer and L3 addressing): dialer map statements, dialer-group statements, network layer addresses.
Verify DDR operation: ping or telnet, show dialer, show isdn active, show ip route, clear dialer interface

Ø Dialer profiles
R1
  username r2 password 0 sanfran
  isdn switch-type basic-ni
  interface BRI0
   isdn switch-type basic-ni
   isdn spid1 0835866101 8358661
   isdn spid2 0835866301 8358663
   dialer pool-member 1
   encap ppp
   ppp authentication chap
  int dialer 0
   ip address 199.10.10.1 255.255.255.0
   encapsulation ppp


   dialer idle-timeout 90
   dialer remote-name r2
   dialer string 8358662
   dialer load-threshold 1
   dialer pool 1
   dialer-group 1
   ppp authentication chap
  dialer-list 1 protocol ip permit
R2
  username r1 password 0 sanfran
  isdn switch-type basic-ni
  interface BRI0
   ip address 199.10.10.2 255.255.255.0
   isdn switch-type basic-ni
   isdn spid1 0835866201 8358662
   isdn spid2 0835866401 8358664
   dialer idle-timeout 90
   dialer map ip 199.10.10.1 name r1 broadcast 8358661
   dialer-group 1
   encapsulation ppp
   ppp authentication chap
  dialer-list 1 protocol ip permit

Ø Dialer Profile with Multiple Locations
R1
  hostname r1
  username r2 pass cisco
  isdn switch-type basic-ni1
  int bri0
   no ip addr
   encap ppp
   ppp auth chap
   dialer pool-member 1
  int dialer0
   ip address 172.16.1.2 255.255.255.0
   encap ppp
   ppp auth chap
   ppp chap hostname backup
   dialer remote-name r2
   dialer string 2448989
   dialer pool 1
   dialer-group 1
   no cdp enable
  int dialer1
   ip addr 172.16.2.3 255.255.255.0
   encap ppp
   ppp auth chap
   ppp chap hostname sanjose
   dialer remote-name policy
   dialer string 2448989
   dialer pool 1
   dialer-group 1
   no cdp enable
  dialer-list 1 protocol ip permit
R2


  hostname r2
  username r1 pass 0 cisco
  username backup pass 0 cisco
  username sanjose pass 0 cisco
  isdn switch-type basic-ni1
  int bri0
   no ip addr
   encap ppp
   ppp auth chap
   dialer pool-member 1
  int dialer0
   ip addr 172.16.1.1 255.255.255.0
   encap ppp
   ppp auth chap
   dialer remote-name backup
   dialer pool 1
   dialer-group 1
  int dialer1
   ip add 172.16.2.1 255.255.255.0
   encap ppp
   ppp auth chap
   dialer remote-name sanjose
   dialer pool 1
   dialer-group 1
  dialer-list 1 protocol ip permit

Ø Dialer Options
  dialer wait-for-carrier-time 40   ! timer to dial
  dialer in-band   ! enable DDR on a dialer or async interface
  dialer hold-queue   ! prevents packets from being dropped during call setup

3.4. PPP
Stop PPP from creating /32 host routes by using no peer neighbor-route.
  username headquarters password cisco
  int s 0
  int dialer 1
   encap ppp
   ppp authentication chap
   cdp enable
Check LCP and NCP status with the command show interface bri0 1.

Ø Other Commands
  ppp chap hostname r1   Used to specify a different hostname

Ø Debugging PPP
PPP authentication problem (the B channel flaps):
  "interface BRI0:1, changed state to up
   interface BRI0:1, changed state to down
   interface BRI0:1, changed state to up
   interface BRI0:1, changed state to down"
The PPP authentication process goes through three phases:


  CHALLENGE, RESPONSE, SUCCESS
debug ppp negotiation will show you all three.

Ø PPP Multilink
Does not work with snapshot routing.
PPP multilink requires:
  ppp authentication chap
  SPIDs
  A second dialer map or string
  the ppp multilink command
  dialer load-threshold to bring up the second channel
Multilink PPP - Interfaces are grouped into a bundle to increase the available bandwidth for the connection.
  int dialer 1
   ppp multilink
   dialer-group 1
   dialer load-threshold load   Specify the load threshold that the interface should reach before enabling one or more additional links.
  dialer-list 1 protocol ip list 110
  access-list 110 permit tcp any any eq www
  access-list 110 permit tcp any any eq 53
Verify Multilink PPP operation:
  show dialer   Displays information about existing bundles
  debug ppp multilink   Displays event information

Ø PPP Troubleshooting
  show dialer
  debug ppp negotiation
  debug ppp authentication
  show int bri

3.4.1. Snapshot Routing
Snapshot routing does not work with MLPPP; use the show ppp multilink command to verify.
  Minimum active period is five minutes.
  Minimum quiet period is eight minutes.
  The client determines the quiet period. The server makes the call and determines the active period.
Snapshot Routing - allows dynamic distance vector routing protocols to run over DDR. Reduces overhead and routing updates.
Snapshot routing for DV protocols, side one:
  int bri 0
   snapshot server 5
   snapshot client 5 43200 dialer

Ø Snapshot Routing for DV's (Except EIGRP)
Does not support MLPPP.
  dialer map snapshot 60 2002
  snapshot client 5 1200 suppress-statechange-updates dialer
  snapshot server 5 dialer


Ø Snapshot Configuration Needs
  Specify an ISDN interface
  Configure the client and server routers
  Define a dialer map

Ø Configuring the Client Router
  Dialer map snapshot:   dialer map snapshot 60 2002
  Snapshot client:   snapshot client 5 1200 suppress-statechange-updates dialer   (5 = active-time, 1200 = quiet-time)

Ø Configuring the Server Router
  Active period interval:   snapshot server 5 dialer
Verifying Snapshot Routing
  show snapshot
  clear snapshot
  debug snapshot
  debug dialer events

Ø Snapshot configuration with dialer profile
R1
  username r2 password 0 sanfran
  isdn switch-type basic-ni
  interface BRI0
   isdn switch-type basic-ni
   isdn spid1 0835866101 8358661
   isdn spid2 0835866301 8358663
   encap ppp
   ppp authentication chap
   no ppp multilink
   dialer idle-timeout 90
   dialer-group 1
   (dialer map ip 199.10.10.1 name r1 broadcast 8358661)   (This line disappeared when snapshot was entered)
   dialer map snapshot 1 name r2 broad 8358662
   snapshot client 5 8 dialer
  dialer-list 1 protocol ip permit
R2
  username r1 password 0 sanfran
  isdn switch-type basic-ni
  interface BRI0
   isdn switch-type basic-ni
   isdn spid1 0835866201 8358662
   isdn spid2 0835866401 8358664
   ip address 199.10.10.2 255.255.255.0
   dialer idle-timeout 90
   dialer map ip 199.10.10.1 name r1 broadcast 8358661
   dialer-group 1
   encapsulation ppp
   ppp authentication chap
   snapshot server 5 dialer
  dialer-list 1 protocol ip permit


Ø Troubleshooting Snapshot
  show snapshot
  clear snapshot
  debug snapshot
  clear snapshot quiet-time bri 0   (makes bri active; must be entered on the client)

3.4.2. Dial Backup
Sets an interface to standby mode so that when a primary interface goes down, this line will come up. The line can also be activated on a load threshold.
You can use dial backup to back up an individual frame-relay DLCI by placing the DLCI under a point-to-point subinterface. If the DLCI becomes inactive, the point-to-point subinterface's line protocol goes down and the designated backup interface becomes active.

Ø Configuring Dial Backup for Primary Links
Select the primary interface and go into interface configuration mode. Indicate the backup interface to use in case of primary link failure or if a load threshold is exceeded.
  backup interface bri0
  backup delay {enable-delay | never} {disable-delay | never}
The backup interface command will put the int bri0 interface into a not physically connected state.

Ø Configuring Dial Backup for Excessive Traffic Load
  backup interface bri0
  backup load {enable-threshold | never} {disable-load | never}
NOTE: A floating static will work better than a dial backup.

Ø Backup Configuration
Interface Serial 0 is the interface that will be going down. Int bri0 will become a standby interface; you can use a dialer profile, and then the dialer is in standby.
  int s0
   backup delay 5 20
   backup interface bri0

3.4.3. OSPF DDR Methods

Ø Demand Circuit
  ip ospf demand-circuit   Stops OSPF's hellos (224.0.0.5). This interface command stops hellos from keeping DDR links up.
  debug ip ospf packet
  debug dialer packet
  show ip ospf database
OSPF's hellos (224.0.0.5) will keep a DDR link up (active). Use the ip ospf demand-circuit command to limit the hellos. This changes the LSA age to DNA (DoNotAge) and the dead interval to '-'. Doing a 'show ip ospf int bri0' will show that the interface is configured as a demand circuit and that the hellos are suppressed.


Useful if the backup link and the failure point are in different parts of the network. Configure on one side of the link only. Don't change the network type of the backup link. Make sure the question allows the link to come up for topology changes. Watch for routing loops.
The demand circuit does not suppress LSAs. It only suppresses the hellos and the link aging (in turn suppressing the periodic LSA refresh). With the demand circuit, the router will dial immediately to establish neighbors and update its link database, and then go quiet until an LSA change occurs. Keep this in mind when redistributing other routing protocols, as they will generate LSAs in your OSPF area. Type 5 externals will go over the link, as will the LSA refreshes every thirty minutes.
*When you have redistribution going on, you may have to filter those specific networks, such as your connected network (and possibly the /32's associated with the dialer interfaces), so that they don't cause the link to go up and down. The first step is determining which specific LSAs are changing in the database and causing the link to go up and down, and then filtering as needed.

Ø NSSA Area
  area 1 nssa no-summary
Then only a default route to the ABR would be injected into the area, again protecting it from changes in other areas while maintaining the ASBR redistribution capabilities. If you define the area in question as an nssa no-summary, this only allows type 7 LSAs into the area from the external protocol domain. The type 7's are converted into type 5 LSAs on the ABR as they are injected into the backbone. This configuration allows the redistribution of the external routing protocol into OSPF, prevents the advertisement of inter-area and intra-area routes by the OSPF ABR into the NSSA, and injects a default into the NSSA area from the ABR. This minimizes link flapping while allowing the redistribution of the external protocol through the NSSA area into the backbone.

Ø Dialer Watch
Allows a backup link to support multiple primary links. Keeps the backup interface down until the monitored routes are no longer reachable.
*Requires IGRP/EIGRP or OSPF and only supports IP.
Three methods to implement: DDR, Floating Statics, and Dialer load-threshold.
May not be expressly forbidden in the lab, but requirements may prevent using this option.

Ø Floating Static
Usually dialer0 is passive and OSPF packets are not interesting, because we rely on static routes at both ends, so a demand circuit is not necessary.
These are added to a working config:
  int bri0
   dialer watch-group 2


   dialer watch-disable 60
  dialer watch-list 2 ip 10.1.1.0 255.255.255.0
  dialer-list 1 protocol ip permit
Example #2:
  interface bri0
   ip address 7.1.1.2 255.255.255.0
   encapsulation ppp
   dialer idle-timeout 5
   dialer map ip 3.1.1.0 name pioneer 60079 broadcast
   dialer map ip 7.1.1.3 name pioneer 60079 broadcast
   dialer-group 1
   dialer watch-group 1
   ppp authentication chap
  router eigrp 190
   network 7.0.0.0
   network 172.21.0.0
  access-list 100 deny eigrp any any
  access-list 100 permit ip any any
  ! Watch IP networks 3.1.1.0, 4.1.1.0, and 5.1.1.0
  dialer watch-list 1 ip 3.1.1.0 255.255.255.0
  dialer watch-list 1 ip 4.1.1.0 255.255.255.0
  dialer watch-list 1 ip 5.1.1.0 255.255.255.0
  dialer-list 1 protocol ip list 100
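The dialer-list / access-list pairing in the example above (and access-list 110 under PPP Multilink earlier) is what decides whether a packet is interesting enough to bring the line up, and getting it wrong is why EIGRP hellos keep a backup link dialled. As an added illustration that is not part of the original notes, here is a small Python model of that decision, the same yes/no that debug dialer packet reports, run over the page's two access lists. dialer-list 3 pointing at access-list 110 is an assumption added so that list can be exercised; only the 'any any' address form used in these examples is modelled, and the IOS port keywords are the ones I chose to recognise.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed configuration: the two access lists from these notes (100 from the
# dialer watch example, 110 from PPP Multilink) plus dialer-lists that use them.
# dialer-list 3 is an assumption added so access-list 110 can be exercised.
CONFIG = """
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip list 100
dialer-list 3 protocol ip list 110
access-list 100 deny eigrp any any
access-list 100 permit ip any any
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any any eq 53
""".strip().splitlines()

PORT_NAMES = {"www": 80, "domain": 53, "telnet": 23, "ftp": 21}  # IOS keyword -> port


@dataclass
class AclEntry:
    action: str              # permit / deny
    protocol: str            # "ip" matches every protocol, otherwise exact match
    dst_port: Optional[int]  # None = any destination port


ACE_RE = re.compile(r"access-list (\d+) (permit|deny) (\S+) (\S+) (\S+)(?: eq (\S+))?$")
DLIST_RE = re.compile(r"dialer-list (\d+) protocol ip (permit|deny|list \d+)$")


def parse_access_lists(lines):
    """{acl number: [AclEntry, ...]} in configured order; only 'any any' is supported."""
    acls = {}
    for line in lines:
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        number, action, proto, src, dst, port = m.groups()
        if (src, dst) != ("any", "any"):
            raise ValueError(f"only 'any any' entries are modelled: {line}")
        dst_port = None
        if port is not None:
            dst_port = int(port) if port.isdigit() else PORT_NAMES[port]
        acls.setdefault(int(number), []).append(AclEntry(action, proto, dst_port))
    return acls


def parse_dialer_lists(lines):
    """{dialer-list number: 'permit' | 'deny' | ('list', acl number)}."""
    dlists = {}
    for line in lines:
        m = DLIST_RE.match(line.strip())
        if m:
            spec = m.group(2)
            dlists[int(m.group(1))] = ("list", int(spec.split()[1])) if spec.startswith("list") else spec
    return dlists


def is_interesting(proto, dst_port, dialer_list_number, lines=CONFIG):
    """The yes/no that 'debug dialer packet' reports for one packet: does it
    match the dialer-list, either directly or through its access list?"""
    spec = parse_dialer_lists(lines)[dialer_list_number]
    if spec in ("permit", "deny"):
        return spec == "permit"
    for ace in parse_access_lists(lines)[spec[1]]:
        # first matching entry wins, exactly as IOS evaluates an access list
        if (ace.protocol == "ip" or ace.protocol == proto) and ace.dst_port in (None, dst_port):
            return ace.action == "permit"
    return False  # implicit deny at the end of every access list


if __name__ == "__main__":
    for pkt in [("eigrp", None, 2), ("tcp", 80, 2), ("udp", 53, 3), ("tcp", 53, 3)]:
        print(pkt, "interesting" if is_interesting(*pkt) else "not interesting")
```

With dialer-list 2 the EIGRP hello is denied before the permit ip line is reached, so routing traffic cannot dial the line, while any user IP packet can; with the port-based list 110, a DNS query over UDP is not interesting because the list only names tcp.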

Ø DDR Example
  host r1
  int bri0
   ip addr 1.1.1.1 255.255.255.0
   encap ppp
   dialer map ip 1.1.1.2 name r2 broadcast 1113344
   dialer-group 1
   dialer watch-group 2
   dialer watch-disable 60   (Sets a 60 second delay before the backup line is dropped after the primary comes back up)
   isdn switch-type basic-ni1
   isdn spid1 902111222200 1112222
   isdn spid2 902111222301 1112301
   ppp auth chap
  dialer-list 1 protocol ip permit
  dialer watch-list 2 ip 10.1.1.0 255.255.255.0

3.4.4. Callback
If the return call fails (because the line is not answered or the line is busy), no retry occurs. If the callback server has no interface available when attempting the return call, it does not retry.

How do you verify callback?

Ø Callback Server
R5
  username jeff pass 0 cisco
  int bri 0
   ip address 10.1.1.7 255.255.255.0
   encapsulation ppp
   dialer callback-secure


   dialer map ip 10.1.1.8 name r6 class dial1 8358662
   dialer-group 1
   ppp callback accept
   ppp authentication chap
  !
  map-class dialer dial1
   dialer callback-server username
  dialer-list 1 protocol ip permit

Ø Callback client
R6
  username jeff pass 0 cisco
  int bri 0
   ip address 10.1.1.8 255.255.255.0
   encapsulation ppp
   dialer map ip 10.1.1.7 name r5 8358661
   dialer-group 1
   ppp callback request
   ppp authentication chap

3.4.5. Floating Static Routes
Use only if the test explicitly says to. Make sure the dynamic route exists when the floating route is not active.
R1
  username r2 password 0 sanfran
  isdn switch-type basic-ni
  interface BRI0
   ip address 199.10.10.1 255.255.255.0
   isdn switch-type basic-ni
   isdn spid1 0835866101 8358661
   isdn spid2 0835866301 8358663
   dialer idle-timeout 90
   dialer map ip 199.10.10.2 name r2 broadcast 8358662
   dialer-group 1
   encapsulation ppp
   ppp authentication chap
   ppp multilink
   ip ospf demand-circuit   (With OSPF running as the dynamic protocol, use this to stop hellos from leaving the line open)
  dialer-list 1 protocol ip permit
  ip route 0.0.0.0 0.0.0.0 199.10.10.2 121
R2
  username r1 password 0 sanfran
  isdn switch-type basic-ni
  interface BRI0
   ip address 199.10.10.2 255.255.255.0
   isdn switch-type basic-ni
   isdn spid1 0835866201 8358662
   isdn spid2 0835866401 8358664
   dialer idle-timeout 90
   dialer map ip 199.10.10.1 name r1 broadcast 8358661
   dialer-group 1


   encapsulation ppp
   ppp authentication chap
   ppp multilink
  dialer-list 1 protocol ip permit
  ip route 0.0.0.0 0.0.0.0 199.10.10.1 121

3.4.6. Other ISDN Commands
  ppp quality
  suppress-state-change-updates
Authentication:
  - chap
  - ppp chap hostname router5   if you are not using the router name, router5 replaces the local host name
If using a dialer interface, ppp authentication chap must be on the physical interface ALSO!!
Dialer Interfaces: Don't use ppp multilink unless told to!! There seems to be some issue with OSPF Demand Circuit and PPP Multilink.

3.5. ISDN TROUBLESHOOTING STRATEGY (MASTER THIS CHECKLIST)
Usually attributable to one of three problems; check each in turn. Use show isdn status to determine whether you need to start with ISDN or with the dialer.

Ø ISDN
1 - Router communicating with the switch?
  debug isdn q921   This will display 10-second keepalives from the switch. These will be from tei=64 and tei=65, one for each BRI channel.
2 - Router placing the call?
  debug isdn q931
  show isdn status

Ø Dialer
3 - Is the traffic that initiates the call defined as interesting?
  show run, examine the dialer-list
4 - Is the interface recognizing the interesting traffic?
  debug ip packet   shows the packet going to the interface
  debug dialer packet   shows whether the packet is interesting
  debug dialer events   shows other important DDR messages

Ø PPP
5 - Is PPP negotiation working properly?
  debug ppp negotiation, show int bri0 1
6 - Is PPP authentication working properly?
  debug ppp authentication

Ø Show Commands
  sh int bri 0
  sh controllers bri   activation status = 1

Ø Debug Commands
  deb bri   Layer 1 - B channel, enabled when a call is up
  deb isdn q921   access procedures, LAPD, sapi=63
  deb ppp negotiation   encapsulations, sapi=64


  deb isdn q931   Displays call setup, maintenance, and termination, sapi=0
    Calling Party: SETUP, CALL_PROC, CONNECT, CONNECT_ACK
    Called Party: SETUP, CONNECT, CONNECT_ACK
  deb ppp authentication   chap, pap
  debug isdn events
Layer 2 is between TE and LT; this is where most errors are found.
NOTE: Always troubleshoot both sides of the line.


3.5.1. Problem Isolation

Ø Symptom / Problem / Action
  Symptom                             Problem                                                       Action
  Router does not dial                interface down                                                sh int
                                      bad dialer map                                                sr
                                      no dialer-group                                               sr
                                      bad dialer-list                                               sr
                                      bad access-lists                                              sr
                                      no pri-group (7XXX)                                           sr
  Dial does not go (BRI)              speed mismatch                                                sr (speed 56 in dialer-map)
                                      bad dialer map                                                sr
                                      bad dialer-group                                              sr
                                      number in use                                                 deb isdn events / deb isdn q931
                                      bad spids                                                     sr, sis
                                      bad nt1                                                       bri0 -> nt1 on 2500's
  Dial does not go (PRI)              check bri0 info; bad framing                                  sh controllers t1
  No communication to remote router   bad chap                                                      deb ppp chap
                                      ppp encap not configured                                      sr, encap ppp
                                      no route to remote                                            sir
  Line disconnects, too slow or fast  bad hold queue; bad dialer idle-timeout or dialer fast-idle
  Second B channel not coming up      bad dialer load-threshold                                     sr; set at 200/255 (80%); use 1/255 when you want it up all the time
  Slow performance                    hold queue too small                                          sh int bri; hold-queue <number>; increment by 25% until no drops
  (sr = show run, sis = show isdn status, sir = show ip route)


3.5.2. ISDN Debug Example
Here is a ping, and then the line goes down; you can see the line getting activated, PPP CHAP coming up, multilinking and then pinging again...
deb ppp auth, deb isdn events, deb isdn q931

r1#ping
Target IP address: 10.10.1.2
Sending 1000, 100-byte ICMP Echos to 10.10.1.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.
00:14:52: ISDN BR0: TX -> INFORMATION pd = 8 callref = (null)
    SPID Information i = '0835866101'
00:14:52: ISDN BR0: RX <- INFORMATION pd = 8 callref = (null)
    ENDPOINT IDent i = 0x8181
00:14:52: ISDN BR0: TX -> SETUP pd = 8 callref = 0x02
00:14:52:     Bearer Capability i = 0x8890
00:14:52:     Channel ID i = 0x83
00:14:52:     Keypad Facility i = '8358662'
00:14:52: ISDN BR0: Received EndPoint ID
00:14:52: ISDN BR0: RX <- CALL_PROC pd = 8 callref = 0x82
00:14:52:     Channel ID i = 0x89
00:14:52: %ISDN-6-LAYER2UP: Layer 2 for Interface BR0, TEI 74 changed to up
00:14:52: ISDN BR0: TX -> INFORMATION pd = 8 callref = (null)
    SPID Information i = '0835866301'
00:14:53: ISDN BR0: RX <- CONNECT pd = 8 callref = 0x82
00:14:53: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
00:14:53: BR0:1 PPP: Treating connection as a callout
00:14:53: ISDN BR0: TX -> CONNECT_ACK pd = 8 callref = 0x02
00:14:53: ISDN BR0: RX <- INFORMATION pd = 8 callref = (null)
    ENDPOINT IDent i = 0x8381
00:14:53: ISDN BR0: Received EndPoint ID
00:14:53: BR0:1 PPP: Phase is AUTHENTICATING, by both
00:14:53: BR0:1 CHAP: O CHALLENGE id 1 len 23 from "r1"
00:14:53: BR0:1 CHAP: I CHALLENGE id 13 len 23 from "r2"
00:14:53: BR0:1 CHAP: O RESPONSE id 13 len 23 from "r1"
00:14:53: BR0:1 CHAP: I SUCCESS id 13 len 4
00:14:53: BR0:1 CHAP: I RESPONSE id 1 len 23 from "r2"
00:14:53: BR0:1 CHAP: O SUCCESS id 1 len 4
00:14:53: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
00:14:53: Vi1 PPP: Treating connection as a callout
00:14:54: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state to up
00:14:54: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up..
00:14:59: %ISDN-6-CONNECT: Interface BRI0:1 is now connected to 8358662 r2
.....!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!
Success rate is 98 percent (986/1000), round-trip min/avg/max = 36/38/232 ms
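The capture above contains, in one place, the three things the troubleshooting checklist asks about: the Q.931 call sequence, the CHAP exchange in both directions, and the B-channel state changes. As an added Python example (not part of the original notes) the functions below read such a capture and answer those questions mechanically: whether a call ran the full calling-party or called-party sequence listed under deb isdn q931, whether each CHAP challenge ended in SUCCESS, and whether an interface is flapping the way the Debugging PPP section describes for an authentication failure. The sample input is a constructed subset of the debug lines shown above; the interface and message names come from the capture, the function names and the "ok / failed" labels are mine.

```python
import re

# Constructed sample: a subset of the debug lines shown in the notes above,
# retyped here so the functions can run offline.
SAMPLE_DEBUG = """\
00:14:52: ISDN BR0: TX -> INFORMATION pd = 8 callref = (null)
00:14:52: ISDN BR0: TX -> SETUP pd = 8 callref = 0x02
00:14:52:     Keypad Facility i = '8358662'
00:14:52: ISDN BR0: RX <- CALL_PROC pd = 8 callref = 0x82
00:14:52: %ISDN-6-LAYER2UP: Layer 2 for Interface BR0, TEI 74 changed to up
00:14:53: ISDN BR0: RX <- CONNECT pd = 8 callref = 0x82
00:14:53: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
00:14:53: BR0:1 PPP: Treating connection as a callout
00:14:53: ISDN BR0: TX -> CONNECT_ACK pd = 8 callref = 0x02
00:14:53: BR0:1 PPP: Phase is AUTHENTICATING, by both
00:14:53: BR0:1 CHAP: O CHALLENGE id 1 len 23 from "r1"
00:14:53: BR0:1 CHAP: I CHALLENGE id 13 len 23 from "r2"
00:14:53: BR0:1 CHAP: O RESPONSE id 13 len 23 from "r1"
00:14:53: BR0:1 CHAP: I SUCCESS id 13 len 4
00:14:53: BR0:1 CHAP: I RESPONSE id 1 len 23 from "r2"
00:14:53: BR0:1 CHAP: O SUCCESS id 1 len 4
00:14:59: %ISDN-6-CONNECT: Interface BRI0:1 is now connected to 8358662 r2
"""

Q931_RE = re.compile(r"ISDN (\S+): (TX ->|RX <-) (\w+) pd = 8 callref = (\S+)")
CHAP_RE = re.compile(r"CHAP: ([OI]) (CHALLENGE|RESPONSE|SUCCESS|FAILURE) id (\d+)")
LINK_RE = re.compile(r"%LINK-3-UPDOWN: Interface (\S+), changed state to (up|down)")

# Expected sequences, as listed under 'deb isdn q931' in the notes.
CALLING_PARTY = ["SETUP", "CALL_PROC", "CONNECT", "CONNECT_ACK"]
CALLED_PARTY = ["SETUP", "CONNECT", "CONNECT_ACK"]


def q931_sequences(debug_text):
    """Group Q.931 messages per call.  The peer's replies carry our call
    reference with the flag bit set (0x02 <-> 0x82), so mask it to pair them.
    SPID / ENDPOINT INFORMATION messages have callref (null) and belong to no call."""
    calls = {}
    for line in debug_text.splitlines():
        m = Q931_RE.search(line)
        if not m or m.group(4) == "(null)":
            continue
        callref = int(m.group(4), 16) & 0x7F
        calls.setdefault(callref, []).append(m.group(3))
    return calls


def call_setup_complete(debug_text):
    """True when at least one call ran a complete setup sequence."""
    return any(seq in (CALLING_PARTY, CALLED_PARTY) for seq in q931_sequences(debug_text).values())


def chap_outcome(debug_text):
    """Pair every CHAP CHALLENGE with its SUCCESS/FAILURE by id.
    'O' = sent by this router, 'I' = received from the peer."""
    issued = {}   # challenge id -> who issued it
    result = {}   # challenge id -> SUCCESS / FAILURE
    for line in debug_text.splitlines():
        m = CHAP_RE.search(line)
        if not m:
            continue
        direction, msg, cid = m.groups()
        if msg == "CHALLENGE":
            issued[cid] = direction
        elif msg in ("SUCCESS", "FAILURE"):
            result[cid] = msg

    def outcome(issuer):
        ids = [cid for cid, who in issued.items() if who == issuer]
        if not ids:
            return "not attempted"
        return "ok" if all(result.get(cid) == "SUCCESS" for cid in ids) else "failed"

    # challenges we sent authenticate the peer; challenges we received authenticate us
    return {"peer_authenticated_to_us": outcome("O"), "we_authenticated_to_peer": outcome("I")}


def link_flaps(debug_text):
    """Count up->down transitions per interface; a B channel that keeps going
    up and down is the authentication-failure signature the notes describe."""
    transitions, last = {}, {}
    for line in debug_text.splitlines():
        m = LINK_RE.search(line)
        if not m:
            continue
        intf, state = m.groups()
        if last.get(intf) == "up" and state == "down":
            transitions[intf] = transitions.get(intf, 0) + 1
        last[intf] = state
    return transitions


if __name__ == "__main__":
    print(q931_sequences(SAMPLE_DEBUG))
    print("call setup complete:", call_setup_complete(SAMPLE_DEBUG))
    print(chap_outcome(SAMPLE_DEBUG), link_flaps(SAMPLE_DEBUG))
```

On the capture above the call reference 2 runs SETUP, CALL_PROC, CONNECT, CONNECT_ACK, both CHAP directions report ok, and no interface flaps; feed it a capture from a router with a wrong username or password and chap_outcome turns to failed while link_flaps starts counting.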


4. ATM
What is ATM? A technology that uses the world's longest layer two address.

A layer two technology that uses virtual circuits (VC's) to go between two devices. These VC's use a VPI/VCI for mappings. A layer two technology that has its own routing and signaling protocols: ILMI, IISP, PNNI. Since IISP and PNNI are used with ATM switches and LANE, these will not be covered here.

Ø AAL
The adaptation layer performs segmentation and reassembly of ATM cells.

Ø ATM Addressing
ATM addresses have a substructure defined in the User-Network Interface (UNI) specification. Three types of ATM addresses are identified by the first byte, called the authority and format identifier (AFI):
  Data Country Code (DCC), AFI = 39; the DCC is assigned by the ISO
  International Code Designator (ICD), AFI = 47; the ICD is assigned by the British Standards Institute; in the United States, it is determined by the American National Standards Institute (ANSI)
  E.164, AFI = 45
The remaining portion of the address is domain specific and contains the end-system identifier (ESI) and selector byte. The prefix of the domain-specific part can be further subdivided to create the appropriate hierarchy that the user needs to operate the ATM network. The ESI is a six-byte field and the selector is a one-byte field.

  AFI   ICD    DSP        ESI (MAC Address)   SEL
  47    0091   81000000   123456789000        00
ESI is 12 digits long.
  #show atm addresses
  Switch Address(es):
    47.0091.8100.0000.0060.705A.8F01.0060.705A.8F01.00 active
  Soft VC Address(es):
    47.0091.8100.0000.0060.705a.8f01.4000.0c80.0000.00 ATM0/0/0
    47.0091.8100.0000.0060.705a.8f01.4000.0c80.0010.00 ATM0/0/1
We can see that:
  The switch address is a Cisco address; it starts with 0x47.00.91
  The next 4 bytes are 0x81.00.00.00, assigned by Cisco.
  The MAC address allocated to the switch is 0x00.60.70.5a.8f.01
  The MAC address 0x00.60.70.5a.8f.01 is also used as the switch ESI
  Each ATM interface is allocated an end-system identifier (ESI) such as 0x4000.00.0c.80.00.00

Ø ESI Address
If you specify an ESI address you need to have ILMI configured.


Ø VPI's and VCI's
ATM end points are referred to by VPI/VCI's, 0/112 for example. VPI/VCI's are locally significant, just like frame-relay DLCI's.
  VCI's x/0-31 reserved
  0/0    empty cell
  x/5    signalling (qsaal)
  x/16   ilmi
ATM signaling is responsible for call establishment. This is the b channel in ISDN or q931; for ATM it was expanded to q2931. Signaling ATM Adaptation Layer (SAAL) is the service.
VC Types - PVC, SVC, Soft-PVC
SVC's use ILMI, IISP, or PNNI for routing.

Ø PVC
An 'endpoint' is identified by a VPI/VCI pair, e.g. 0/100; this is synonymous with frame-relay PVCs and their DLCI addresses. This connection is nailed up constantly.

Ø SVC
Endpoints are identified by NSAP addresses. Once an SVC is set up, a VPI/VCI pair (dynamically assigned by the ATM network) is used to reference it; this remains until the connection is torn down. You can map NSAPs to the network layer protocol addresses, and then SVCs are set up dynamically. This means the NSAP addressing is only used at SVC setup, so if you cannot get an SVC set up, check the NSAP address.

Ø PVC's versus SVC's
  SVC                           PVC
  1 - Use ILMI                  1 - Create PVC
  2 - ESI or NSAP address       2 - Map-list or inarp
  3 - L2 to L3 mapping

Ø CLIP Versus Multiprotocol Encapsulation
  PVC - Use InARP or map-list
  SVC - Use arp-server or map-list

Ø ILMI
ILMI has the following characteristics:
  Uses the information from SNMP packets and MIB
  Runs directly over the ATM adaptation layer 5 (AAL5)
  Includes both the agent and manager functions
  Is used to discover the ATM addresses and the servers
ILMI uses VPI = 0 and VCI = 16; QSAAL uses 0/5.

Ø ILMI Discovery
ILMI alone is not enough to make autodiscovery work:


Do a show atm vc, which will tell you your VPI/VCI.
  interface atm0
   pvc 0/16 ilmi
   atm ilmi-pvc-discovery

Ø Point-to-Point or Point-to-Multipoint
Inverse ARP is enabled on both interface types automatically.
  Point-to-Point (PtP): Separate subnet between two routers. You have to use sub-interfaces to create PtP interfaces.
  Multipoint: Subnet shared by the group of routers. The main interface is a multipoint interface.

You need to either configure a static map or enable inverse arp for dynamic mapping.

Ø Encapsulation Types
  Use aal5snap - allows multiple protocols over one VC, supports InARP
  Use aal5mux - each protocol has its own VC

Ø Static IP to ATM VC Mappings
  SVC: Associate a protocol address with an NSAP ATM address.
  PVC: Associate a protocol address with a VPI/VCI.
PVC Mapping
  int atm 1/0.1
   ip address 172.10.10.1 255.255.255.0
   atm pvc 1 0 32 aal5mux ip
   map-group static-ip-map
  map-list static-ip-map
   ip 172.10.10.13 atm-vc 1 broadcast
SVC Mapping
  int atm 1/0.1
   ip address 172.10.10.1 255.255.255.0
   pvc 0/5 qsaal
   atm nsap-address 47.1111.2222.3333.4444.5555.6666.7777.8888.9999.00
   atm pvc 1 0 32 aal5mux ip
   svc svc-1 nsap 47.1111.1111.1111.1111.1111.1111.1111.1111.1111.01
    protocol ip 172.10.10.13

4.1. ATM CONFIGURATIONS
Back to what is ATM? A layer two technology. What is every routing protocol? A layer three technology.

So how do we get L3 to communicate over L2? The same way as with other technologies:
  Frame-relay uses DLCI mappings   With ATM we will use VPI/VCI instead of DLCI's
  Ethernet uses ARP   With ATM we will use an ARP server
  SNA over IP   With ATM we can encapsulate L3 into L2


Let’s start with Multiprotocol Encapsulation…

4.1.1. Multiprotocol Encapsulation (RFC 2684)
Uses LLC/SNAP. Inverse ARP is supported on PVC's running IP and IPX when no static map is configured. If a static map is configured, Inverse ARP will be disabled. Add inarp to the end of the atm pvc command.

Ø PVC's
1 - Create PVC's and identify the encapsulation type (ip, ilmi, oam, data)
2 - Map the protocol to the VCD or VC identifier with a map-list
  AAL5SNAP   Any protocol
  AAL5MUX    ip, ipx, bridge, clns

Ø PVC with only one protocol per VC
R1
  int atm 0.1 multipoint
   ip address 128.10.10.1 255.255.255.0
   ipx network 40
   atm pvc 1 0 112 aal5mux ip
   atm pvc 2 3 32 aal5mux ipx
   map-group 1483pvc
  map-list 1483pvc
   ip 128.10.10.2 atm-vc 1 broadcast
   ipx 40.0000.0123.08e5 atm-vc 2 broadcast
R2
  int atm 0/0.1 multipoint
   ip address 128.10.10.2 255.255.255.0
   ipx network 40
   atm pvc 1 2 211 aal5mux ip
   atm pvc 2 4 33 aal5mux ipx
   map-group 1483pvc
  map-list 1483pvc
   ip 128.10.10.1 atm-vc 1 broadcast
   ipx 40.0000.0123.08e5 atm-vc 2 broadcast

Ø Use only one VC for both IP and IPX
R1
  int atm 0.1 multipoint
   ip address 128.10.10.1 255.255.255.0
   ipx network 40
   atm pvc 1 0 112 aal5snap
   map-group 1483pvc
  map-list 1483pvc
   ip 128.10.10.2 atm-vc 1 broadcast
   ipx 40.0000.0123.08e5 atm-vc 1 broadcast
R2
  int atm 0.1 multipoint
   ip address 128.10.10.2 255.255.255.0
   ipx network 40
   atm pvc 1 2 211 aal5snap
   map-group 1483pvc
  map-list 1483pvc


   ip 128.10.10.1 atm-vc 1 broadcast
   ipx 40.0000.0123.08e5 atm-vc 1 broadcast

Ø SVC's
For ATM SVC's you need to configure two PVC's:
  ILMI    Used for the routing between switches
  QSAAL   Used for signaling
1 - Create the signaling PVC (qsaal)
2 - Define the ESI or NSAP address, or use the ILMI PVC
3 - Map the L3 protocol to the L2 ATM address

Ø SVC with ILMI
R1
  int atm 0.1 multipoint
   ip address 10.10.10.1 255.255.255.0
   atm pvc 1 0 5 qsaal   Done on the major interface on 7xxx routers
   atm pvc 2 0 16 ilmi   Gets the NSAP prefix dynamically
   map-group 1483svc
  map-list 1483svc
   ip 10.10.10.2 atm-nsap 47.<30 digits>.10 broadcast
R2
  int atm 0.1 multipoint
   ip address 10.10.10.2 255.255.255.0
   atm pvc 1 0 5 qsaal
   atm pvc 2 0 16 ilmi   Done on the major interface on 7xxx routers
   map-group 1483svc
  map-list 1483svc
   ip 10.10.10.1 atm-nsap 47.<30 digits>.10 broadcast

Ø SVC without ILMI
R1
  int atm 0.1 multipoint
   ip address 10.10.10.1 255.255.255.0
   atm pvc 1 0 5 qsaal   Done on the major interface on 7xxx routers
   atm esi-address 12.9876543210
   -or-
   atm nsap-address 47.123421343212234567895433234523545433.12
   map-group 1483svc
  map-list 1483svc
   ip 10.10.10.2 atm-nsap 47.<30 digits>.10 broadcast
R2
  int atm 0.1 multipoint
   ip address 10.10.10.2 255.255.255.0
   atm pvc 1 0 5 qsaal
   atm esi-address 12.987654320
   -or-
   atm nsap-address 47.123421343212234567895433234523545433.12
   map-group 1483svc
  map-list 1483svc
   ip 10.10.10.1 atm-nsap 47.<30 digits>.10 broadcast

Ø SVC with ILMI
R13
  interface ATM0
   pvc 0/5 qsaal


   pvc 0/16 ilmi
  interface ATM0.9 multipoint
   ip address 89.1.1.91 255.255.0.0
   map-group CCIE
   atm esi-address 999999999999.00
  map-list CCIE
   ip 89.1.1.81 atm-nsap 47.0091810000000050E2058501.888888888888.00 broadcast
R8
  interface ATM0
   pvc 0/5 qsaal
   pvc 0/16 ilmi
  interface ATM0.8 multipoint
   ip address 89.1.1.81 255.255.0.0
   map-group CCIE
   atm esi-address 888888888888.00
  map-list CCIE
   ip 89.1.1.91 atm-nsap 47.0091810000000050E2058501.999999999999.00 broadcast
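The ATM Addressing notes earlier (AFI / ICD / DSP / ESI / SEL, with the show atm addresses output) and the R13/R8 example just above rely on the same 20-byte layout: the switch hands the 13-byte prefix to the router over ILMI, the router appends the atm esi-address value, and the result must equal the atm-nsap written into the peer's map-list. Here is one added Python example (mine, not from the notes) that splits an NSAP address written in either dotted style used on this page into those fields and composes the full address from prefix plus esi-address, so the two sides of a map-list can be checked against each other. The switch address from the show atm addresses output and the R13/R8 addresses are the test input; the field names are my choice, and the 10-byte HO-DSP is the standard split (the notes describe Cisco filling it with a 4-byte value plus the switch MAC).

```python
import re

# AFI values and their meaning, as listed in the ATM Addressing notes.
AFI_NAMES = {"39": "DCC", "47": "ICD", "45": "E.164"}


def _hex(s):
    """Strip the dots the notes use for grouping and normalise case."""
    return s.replace(".", "").upper()


def parse_nsap(addr):
    """Split a 20-byte ATM NSAP address into
    AFI(1) | IDI/ICD(2) | HO-DSP(10) | ESI(6) | SEL(1)."""
    h = _hex(addr)
    if not re.fullmatch(r"[0-9A-F]{40}", h):
        raise ValueError(f"NSAP must be 40 hex digits, got {len(h)}: {addr}")
    afi = h[0:2]
    if afi not in AFI_NAMES:
        raise ValueError(f"unknown AFI {afi} in {addr}")
    return {
        "afi": afi,
        "format": AFI_NAMES[afi],
        "idi": h[2:6],          # ICD for AFI 47, DCC for AFI 39
        "ho_dsp": h[6:26],
        "prefix": h[0:26],      # the 13-byte prefix an end system learns over ILMI
        "esi": h[26:38],        # 12 hex digits, usually a MAC address
        "sel": h[38:40],
    }


def compose_nsap(prefix, esi_with_sel):
    """Build the address a router advertises when 'atm esi-address ESI.SEL'
    is combined with the 13-byte prefix learned over ILMI (or configured)."""
    p, e = _hex(prefix), _hex(esi_with_sel)
    if len(p) != 26:
        raise ValueError("prefix must be 13 bytes (26 hex digits)")
    if len(e) != 14:
        raise ValueError("esi-address must be a 12-digit ESI plus a 2-digit selector")
    return f"{p[:2]}.{p[2:]}.{e[:12]}.{e[12:]}"


def same_prefix(addr_a, addr_b):
    """True when two addresses sit behind the same switch prefix, which is what
    a map-list entry and the peer's esi-address must satisfy."""
    return parse_nsap(addr_a)["prefix"] == parse_nsap(addr_b)["prefix"]


if __name__ == "__main__":
    # Switch address from the 'show atm addresses' output in the notes.
    print(parse_nsap("47.0091.8100.0000.0060.705A.8F01.0060.705A.8F01.00"))
    # R8's full address, rebuilt from the ILMI prefix and its esi-address.
    print(compose_nsap("47.0091810000000050E2058501", "888888888888.00"))
```

Composing R9's esi-address 999999999999.00 onto the prefix 47.0091810000000050E2058501 reproduces the atm-nsap that R8's map-list names, which is the check to do by hand when an SVC will not set up and the notes say to look at the NSAP first.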

4.1.2. Classical IP (CLIP) - (RFC 2225 / 1577)
Use ARP like ethernet versus map-lists. No maps; uses an ARP server.

Only supports IP One arp server per ip subnet

Uses RFC 2684 for IP, it is multiprotocol encapsulation with inarp, and omit the map-group statements.

PVC - No ARP server
  1 - Create PVC with InARP
SVC with ILMI
  1 - Create signaling PVC, use ILMI
  2 - Define ARP server and ESI address
SVC without ILMI
  1 - Create signaling PVC
  2 - Define NSAP address
  3 - Define ARP server

Takes a layer 3 address and does an ATM address resolution so it can be transported over ATM. For CLIP it needs an ARP server and ARP clients to work. For a PVC it will be InARP on the ATM VCD. For an SVC it will be a server and use InATMARP, which is based on frame-relay InARP. The ARP server creates a single point of failure; using ATM extensions one can create multiple ARP servers.
On the ARP server:
  atm arp-server self
On the ARP client:
  atm arp-server nsap xxx.xxxxxxxxxxxxxxxxxxx.xx


Ø PVC's
R13
  interface ATM0/0
   no ip address
  !
  interface ATM0/0.1 multipoint
   ip address 172.16.1.13 255.255.255.0
   atm pvc 1 0 112 aal5snap inarp 5
  !
R14
  interface ATM0/0
   no ip address
  !
  interface ATM0/0.1 multipoint
   ip address 172.16.1.14 255.255.255.0
   atm pvc 1 2 211 aal5snap inarp 5
Switch
  interface ATM0/0/1
   atm pvc 0 121 interface ATM0/0/0 0 112

Ø SVC with ILMI
R9 (Server)
  interface ATM0
   atm pvc 1 0 5 qsaal
   atm pvc 2 0 16 ilmi
  !
  interface ATM0.9 multipoint
   ip address 89.1.1.91 255.255.0.0
   atm esi-address 999999999999.00
   atm arp-server self
  !
R8 (Client)
  interface ATM0
   atm pvc 1 0 5 qsaal
   atm pvc 2 0 16 ilmi
  interface ATM0.8 multipoint
   ip address 89.1.1.81 255.255.0.0
   atm esi-address 888888888888.00
   atm arp-server nsap 47.0091810000000050E2058501.999999999999.00

Ø With SVC without ILMI
Without ILMI you need to add the NSAP addresses of the local routers. You must use sub-interfaces as well.
R9
  interface ATM0
   atm pvc 1 0 5 qsaal
  interface ATM0.9 multipoint
   ip address 89.1.1.91 255.255.0.0
   atm nsap-address 47.0091810000000050E2058501.999999999999.00
   atm arp-server self
R8
  interface ATM0
   atm pvc 1 0 5 qsaal
  interface ATM0.8 multipoint


   ip address 89.1.1.81 255.255.0.0
   atm nsap-address 47.0091810000000050E2058501.888888888888.00
   atm arp-server nsap 47.0091810000000050E2058501.999999999999.00
   atm classic-ip-extension bfi   (allows more than one ARP server)

Ø With SVC and ARP
R1
  int atm 0
   ip addr 128.10.10.1 255.255.255.0
   atm nsap xxxx
   atm arp-server nsap xxxx
R2
  int atm 0
   ip addr 128.10.10.2 255.255.255.0
   atm nsap xxxx
   atm arp-server self 5
   atm classic-ip-extension bfi   (allows more than one)
   atm arp-server nsap xxx

Ø With SVC with ILMI and ARP Server
R9 (Server)
  interface ATM0
   atm pvc 1 0 5 qsaal
   atm pvc 2 0 16 ilmi
  !
  interface ATM0.9 multipoint
   ip address 89.1.1.91 255.255.0.0
   atm esi-address 999999999999.00
   atm arp-server self
  !
R8 (Client)
  interface ATM0
   atm pvc 1 0 5 qsaal
   atm pvc 2 0 16 ilmi
  interface ATM0.8 multipoint
   ip address 89.1.1.81 255.255.0.0
   atm esi-address 888888888888.00
   atm arp-server nsap 47.0091810000000050E2058501.999999999999.00

4.1.3. Other Configurations

Ø CLIP Versus Multiprotocol Encapsulation
PVC - Use inarp or a map-list
SVC - Use an arp-server or a map-list

Ø Other Commands
atm idle-timeout <seconds>    Used on SVC's to specify an interval of inactivity after which any idle SVC on an interface will be disconnected.

Ø SSCOP Commands
sscop cc-timer          Number of seconds between BEGIN messages; default is 10 seconds.
sscop poll-timer        Controls the maximum time between transmissions of POLL PDUs; default is 100 seconds.
sscop keepalive-timer   Number of seconds the router waits between transmissions of POLL PDUs; default is 5 seconds.
sscop max-cc            Number of times SSCOP will retry transmitting BGN (establishment), END (release), or RS (resynchronization) PDUs as long as no acknowledgment has been received. Valid range is 1 to 6000; the default is 10. Used to change the retry count of connection control.
sscop send-window       Used to change the poll timer; default is 100 seconds.
sscop receive-window    Number of packets the interface can receive before it must send an acknowledgment to the ATM switch. Valid range is 1 to 6000; the default is 7.

Ø OAM Management for PVC
11.x version:  oam manage <frequency>
When network connectivity is lost at one end, the PVC at the other end will remain up. This creates a routing black hole. Use this command so that the PVC gets notified and goes down. It works by sending loopback cells; when the other end does not respond, the PVC goes down as well.
12.x version:  oam-pvc manage 3

4.1.4. Configurations Summary
ATM has two main methods to be configured (not counting LANE or MPOA, which uses LANE):
  Multiprotocol Encapsulation (RFC 2684) - MPE uses map-lists.
  Classical IP (RFC 2225/1577) - CLIP uses an ARP server or InARP. It uses ARP, so map-lists are not needed.
Each of these methods has two VC types: PVC and SVC.

Ø Multiprotocol Encapsulation (uses map-lists)
  SVC:  ilmi, map-list using nsap
  PVC:  map-list using vc

Ø Classical IP (CLIP) (no map-list; use arp-server or inarp)
  SVC:  use the ARP server
  PVC:  use inarp on the PVC


4.2. QOS
The Cell Loss Priority (CLP) bit indicates whether a cell can be discarded if congestion occurs, similar to the Frame Relay DE bit.

4.2.1. PVC Traffic Management
Multiprotocol Encapsulation with PVC's
  atm rate-queue <0-7> <speed>
  atm rate-queue 1 155

4.2.2. SVC Traffic Management
The following example creates a VC class named CCIE and configures VBR-NRT, UBR, PVC management, and encapsulation parameters. The parameters can also be applied directly to the interfaces.
  int atm 0.8
   class CCIE
  !
  vc-class atm CCIE
   ubr 15000
   vbr-nrt 10000 5000 64
   encapsulation aal5snap

Ø VC class configuration commands
  broadcast          ATM pseudo-broadcast
  encapsulation      Select ATM encapsulation for the VC
  exit-class         Exit from vc class configuration mode
  idle-timeout       Set idle time for disconnecting SVCs
  ilmi               Enable ILMI management
  inarp              Change the inverse ARP timer on the PVC
  oam                Configure OAM parameters
  oam-pvc            Send OAM cells on PVCs
  oam-svc            Send OAM cells on SVCs
  protocol           Selectively enable/disable InARP for this protocol
  transmit-priority  Set the transmit priority for this VC
  tx-ring-limit      Configure PA level transmit ring limit
  ubr                Enter Unspecified Peak Cell Rate (pcr) in Kbps
  ubr+               Enter Peak Cell Rate (pcr) and Minimum Cell Rate (mcr) in Kbps
  vbr-nrt            Enter Variable Bit Rate (pcr)(scr)(bcs)

4.3. ROUTING WITH ATM

Ø RIP

Ø IGRP

Ø EIGRP

Ø OSPF
OSPF has the same problems as in a Frame Relay network. You will have to define a point-to-multipoint (ptm) or point-to-point (ptp) interface.

Ø IS-IS

Ø BGP

Ø IPX

Ø NLSP

Ø Bridging
Transparent bridging for ATM works only on aal5snap PVC's. Transparent bridging does not work on aal5mux or on SVC's.
R1
  int atm 0.1 multipoint
   atm pvc 1 0 112 aal5snap
   bridge-group 1
  bridge 1 protocol ieee
R2
  int atm 0/0.1 multipoint
   atm pvc 1 0 112 aal5snap
   bridge-group 1
  bridge 1 protocol ieee

4.4. ATM SHOW COMMANDS
sho arp*    Used to check end-station connectivity
  Protocol  Address    Age (min)  Hardware Addr  Type  Interface
  Internet  89.1.1.91  3          0 / 39         ATM   ATM0.8
  Internet  89.1.1.81  2          0 / 40         ATM   ATM0.8

sh atm ilmi-status*
  Interface : ATM0  Interface Type : Private UNI (User-side)
  ILMI VCC : (0, 16)  ILMI Keepalive : Disabled  ILMI State: UpAndNormal
  Peer IP Addr: 0.0.0.0  Peer IF Name: ATM0/0/1
  Peer MaxVPIbits: 8  Peer MaxVCIbits: 14
  Active Prefix(s) :
  47.0091.8100.0000.0050.e205.8501
  End-System Registered Address(s) :
  47.0091.8100.0000.0050.e205.8501.9999.9999.9999.00(Confirmed)

sho atm int atm 0*
  Interface ATM0:
  AAL enabled:  AAL5 AAL3/4, Maximum VCs: 1024, Current VCCs: 3
  Maximum Transmit Channels: 0
  Max. Datagram Size: 4528, MIDs/VC: 1024
  PLIM Type: SONET - 155Mbps, TX clocking: LINE
  814 input, 980 output, 0 IN fast, 0 OUT fast
  Avail bw = 155000
  Rate-Queue 0 set to 155000Kbps, reg=0x0 DYNAMIC, 4 VCCs
  Config. is ACTIVE


sho atm map
  Map list 1 : PERMANENT
  ip 89.1.1.81 maps to VC 1, broadcast

sh atm status

sho atm svc*
             VCD /                                 Peak    Avg/Min  Burst
  Interface  Name   VPI  VCI  Type  Encaps  SC   Kbps    Kbps     Cells  Sts
  0.8        7      0    39   SVC   SNAP    UBR  155000                  UP
  0.8        8      0    40   SVC   SNAP    UBR  155000                  UP
  0.8        9      0    41   SVC   SNAP    UBR  155000                  UP

sho atm traffic
  833 Input packets
  998 Output packets
  270 Broadcast packets
  0 Packets received on non-existent VC
  101 Packets attempted to send on non-existent VC
  0 OAM cells received
  F5 InEndloop: 0, F5 InSegloop: 0, F5 InAIS: 0, F5 InRDI: 0
  F4 InEndloop: 0, F4 InSegloop: 0, F4 InAIS: 0, F4 InRDI: 0
  0 OAM cells sent
  F5 OutEndloop: 0, F5 OutSegloop: 0, F5 OutRDI: 0
  F4 OutEndloop: 0, F4 OutSegloop: 0, F4 OutRDI: 0
  0 OAM cell drops

sho atm vc*    Displays the VPI/VCI of any PVC's the router discovers.
             VCD /                                 Peak    Avg/Min  Burst
  Interface  Name   VPI  VCI  Type  Encaps  SC   Kbps    Kbps     Cells  Sts
  0          2      0    200  PVC   NLPID   UBR  155000                  UP
sh atm vc int atm 0/0
sh bridge

sh controller atm 0    (Verifies the hardware is functional)
  ATM Unit 0, Slot 2, Type ATMizer BX-50, Hardware Version 1
  ATM Xilinx Code, Version 2, ATMizer Firmware, Version 3.0
  Public SRAM 65536 bytes, Private SRAM 524288 bytes, I/O Base Addr 0x3C200000
  PLIM Type OC-3 Single-Mode Fiber, Version 3
  Network Transmit Clock
  NIM IS Operational, Configuration OK
  DMA Read 12, DMA Write 12

sh span

sh int a0*
  ATM0 is up, line protocol is up
  Hardware is ATMizer BX-50
  Internet address is 89.1.1.81/16
  MTU 4470 bytes, sub MTU 4470, BW 155520 Kbit, DLY 100 usec,
     reliability 52/255, txload 1/255, rxload 1/255
  Encapsulation ATM, loopback not set
  Keepalive not supported
  Encapsulation(s): AAL5 AAL3/4, PVC mode
  1024 maximum active VCs, 1 current VCCs
  VC idle disconnect time: 300 seconds
  Last input never, output 00:06:44, output hang never
  Last clearing of "show interface" counters never
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     18 packets output, 1056 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 output buffer failures, 0 output buffers swapped out

4.5. ATM DEBUG COMMANDS
deb atm arp      Used to verify connectivity for SVC's.
deb atm error    Used to verify PVC mappings; this command only produces output if an error does exist.
deb atm events   Displays event changes.
deb atm oam      Displays the OAM cell contents.

If you see any messages from deb atm error they will look like the following:
  [date] ATM(ATM0/0.1) Send:Error in encapsulation, No VC for address 0xB010117
Address B010117 is a hex address, which in decimal equals 11.1.1.23, the host with the trouble. Check this host to see why there is no mapping for this address. This can be caused by not having the broadcast keyword on a PVC configuration.
  0B = 11
  01 = 1
  01 = 1
  17 = 23

debug atm ilmi   Check the UNI version. Sample output:
  Peer IfName on 1 = atm 0/0/1
  Trap sent
  Prefix will be added
  Local Reg Validation Attempt
  Address added to local table
  Register request sent to peer

deb atm packet int atm 0/0   Prints a one-line message for every packet that passes through the VC. Displays the SNAP/NLPID/SMDS header.
deb atm sig-events           Used to check signalling. To view SVC setup.
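Decoding the hex address in deb atm error output for every line of a debug capture, as an added Python example that is not part of these notes; the debug lines other than the one quoted above are constructed.

```python
import re

# Matches the 'No VC for address 0x...' line shown in the notes. The hex
# value may be shorter than 8 digits (0xB010117 has 7) because IOS drops
# leading zeros, so the parser must not assume a fixed width.
ERR_RE = re.compile(
    r"ATM\((?P<intf>[^)]+)\) Send:Error in encapsulation, "
    r"No VC for address 0x(?P<hex>[0-9A-Fa-f]{1,8})"
)


def hex_to_ip(hex_addr: str) -> str:
    """Convert an IOS hex IP address to dotted decimal (B010117 -> 11.1.1.23)."""
    value = int(hex_addr, 16)
    if value > 0xFFFFFFFF:
        raise ValueError(f"not an IPv4 address: {hex_addr}")
    # Take the four bytes from the most significant down; a missing leading
    # byte (short hex string) simply comes out as 0.
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def unmapped_hosts(debug_lines):
    """Return {interface: sorted list of hosts that have no VC mapping}."""
    found = {}
    for line in debug_lines:
        m = ERR_RE.search(line)
        if m:
            found.setdefault(m["intf"], set()).add(hex_to_ip(m["hex"]))
    return {intf: sorted(hosts) for intf, hosts in found.items()}


# Constructed sample of deb atm error output: the first line is the one the
# notes quote, the rest are made up for this example (interfaces assumed).
SAMPLE_DEBUG = [
    "Mar  1 00:12:41: ATM(ATM0/0.1) Send:Error in encapsulation, No VC for address 0xB010117",
    "Mar  1 00:12:42: ATM(ATM0/0.1) Send:Error in encapsulation, No VC for address 0xB010117",
    "Mar  1 00:12:45: ATM(ATM0/0.2) Send:Error in encapsulation, No VC for address 0xAC100105",
    "Mar  1 00:12:46: ATM(ATM0/0.1) Send:Error in encapsulation, No VC for address 0x101FE",
    "Mar  1 00:12:47: %LINK-3-UPDOWN: Interface ATM0/0, changed state to up",
]

if __name__ == "__main__":
    for intf, hosts in unmapped_hosts(SAMPLE_DEBUG).items():
        print(f"{intf}: no VC for {', '.join(hosts)} "
              "(check the map-list, inarp, or the broadcast keyword on the PVC)")
```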


4.6. TROUBLESHOOTING ATM
Use ilmi manage or oam-pvc manage to monitor end-to-end connectivity.
Do a sho atm vc 1 and see if any CrcErrors are being reported; use traffic shaping to resolve them.
Do a sho controller atm 2/0 and check the port status; it should be Good Signal.
  sh atm interface status
  sh atm ilmi 0 5
  sh atm vc 0 16
  sh atm map
  sh atm traffic
  sh atm arp            Used to check end station connectivity
  sh atm stat
  sh atm svc
  deb atm packet
  deb atm arp
  deb atm sig-events    To view SVC setup


5. LAN SWITCHING
Broadcast control, load balancing, dynamic VLAN membership, VLAN security, VLAN performance tuning.
A switch must have a domain name before it can use any VLAN number other than 1.
FastEtherChannel does not work with Supervisor I modules.
All switches know about all VLAN's in the same VTP domain.

Ø Spanning Tree Information
There are three parameters that define which port is chosen for forwarding (in order):
  Path Cost
  Bridge ID
  Port Priority

Ø Switching Commands
clear config all       Erases the entire configuration on the switch
clear counters
set interface
set ip route
set port               Configure port parameters
set trunk              Places ports in trunking mode
set vlan               Used to create and configure VLANs
set vtp domain         Configures the domain
show cam               Catalyst switching table. Contains:
                         Destination MAC address
                         VLAN membership of the destination MAC address
                         Port of the destination MAC address
                       Example:  1  00-60-97-90-b3-96  3/7
                       If there is no match the packet is sent to all ports.
show cdp neighbor
show config
show ip route          Displays the switch routing information
show mac               Displays the number and type of frames sent and received by a port
show module            Displays a summary of the installed modules
show port
show port mac
show port information
show port spantree     Displays the STP status of a specific port. 5 states: Learning, Listening, Forwarding, Blocking, Disabled
show port status
show port statistics
show system            Displays the uptime
show port trunk
show trunk             Displays a summary of the ports in trunking mode, and which VLANs are being sent over the trunk
show version           Displays IOS and hardware features
show vlan              Displays the VLANs on the switch or in the VTP domain
show vtp domain        Displays the domain that the switch resides in


5.1. SWITCH MANAGEMENT

Ø System Parameters
set system contact <string>
set system location <string>
set system name <system hostname>
show system
show time
set time <day mm/dd/yy hh:mm:ss>
set prompt <prompt>
set password
set enablepass

Configure the sc0 interface
  set interface sc0 [vlan] [ip address [netmask [broadcast]]]    /* Default is vlan1 */
Configure a default route for the sc0 interface
Place the sc0 interface in another VLAN
  Configure a new VTP domain, create the VLAN, add sc0 to it.
  set ip route default 10.1.1.1 primary
  set ip route 0.0.0.0 172.16.100.1
  - or -
  set ip route default 172.16.100.1
  show ip route
  clear ip route all
show module
show config
show version
show log
clear log

Ø Configuration Management
Backup Config
  write terminal
  show config
  write <host> <file>
  write network
Download a Config
  configure network
  configure <host> <file>
Download / Upload Software Images
  upload <host> <file> <supervisory module>
  download <host> <file>
Backup Configuration
  write network
Download Configuration
  configure network
  configure 172.16.30.41 system5.cfg
Download Software Image
  download jkcat c5000-2152.cbi
Upload Software Image
  upload jkcat c5000-2152.cbin 4    /* The 4 is for the module */


Ø SNMP Management
set snmp community read-only public
set snmp community read-write sanfran
set snmp community read-write-all cisco
set snmp trap 172.16.30.42 read-write-all      You can have up to 10 receivers
set snmp trap enable all
set snmp rmon enable
show snmp
clear snmp trap <ip address>
Traps: module, chassis, bridge, repeater, auth, vtp, ippermit, vmps, config, entity, stpx, rcvr_addr, rcvr_community, all

Ø In-Band Management
set interface sc0 up
set interface sc0 172.16.30.81 255.255.255.0 172.16.30.255
set interface sc0 vlan1
set ip route 172.16.120.1 172.16.30.1.1
set ip route default 172.16.20.1
set interface sc0 5 1      (sets the VLAN)
sh int s
sh route

Ø Out-of-Band Management
set interface sl0 up
set interface sl0 172.16.90.44 255.255.255.0 172.16.90.255
set ip route default 172.16.90.1
slip attach sir
sh int
slip detach

Ø Security
Router A config:
  ip address 172.16.30.1 255.255.255.0
Router B config:
  ip address 172.16.30.2 255.255.255.0
Switch config:
  set port name 5/11 routerb
  set port name 5/12 routera
  set interface sc0 172.16.30.3

Ø IP Permit Lists
Permit only Router A to telnet to the switch, by IP:
  set ip permit 172.16.30.1 telnet
  set ip permit 10.1.1.1 snmp
  set ip permit enable
  set ip permit disable

Ø Secure Port Filtering
Permit only Router A to telnet to the switch, by MAC (the MAC is Router A's):
  set port security 5/12 enable 00-e0-1e-5b-27-62
  set port security 5/12 disable

5.2. PORT PARAMETERS
Configure the port speed
  set port speed <mod/num> <10|100|auto>
Configure the port duplex
  set port duplex <mod_num/port_num> <full|half|auto>

Ø Fast EtherChannel
Fast EtherChannel uses PAgP (Port Aggregation Protocol).
Port modes: On, Off, Auto (default), Desirable.
Port security must be disabled.

Ø Fast EtherChannel Configuration Guidelines
Assign all ports in a channel to the same VLAN(s) or configure them as trunk ports.
Do not configure the ports in a channel as dynamic VLAN ports. Doing so can adversely affect switch performance. (You will learn about this in depth in a later module.)
Configure all ports in a channel to operate at the same speed and duplex mode (full or half duplex).
Disable the port security feature on the channeled ports. If port security is enabled for a channeled port, the port will shut down when it receives packets with source addresses that do not match the secure address of the port.
Enable all ports in a channel. If a port in a channel is disabled, it will be treated as a link failure and its traffic will be transferred to one of the remaining ports in the channel.
Ensure that all ports in a channel have the same configuration on both ends of the channel.
Note that port aggregation is constrained by the Ethernet bundling hardware, so the system will prevent certain ports or groups of ports from forming channels.

Ø STP UplinkFast
UplinkFast is an enhancement to the Spanning-Tree Protocol that provides fast convergence whenever the Spanning-Tree Protocol picks a new root port.
  set spantree uplinkfast enable rate <pps>
Configure UplinkFast (for access switches to converge after the root dies; re-enables blocked ports):
  set spantree uplinkfast enable

Ø STP BackboneFast
The BackboneFast feature provides an alternate path in case the currently forwarding link between backbone switches fails.
Configure BackboneFast (not used):
  set spantree backbonefast

Ø STP PortFast
Ports can be configured to immediately enter Spanning-Tree Protocol forwarding mode when a connection is made, instead of following the usual sequence of blocking, learning, and then forwarding. This command should be used only on ports that are connected to a single workstation or server. Do not use it on ports connected to hubs, routers, bridges, switches, or concentrators.
  set spantree portfast <mod/port> enable
Configure PortFast (servers and workstations):
  set spantree portfast 2/1
  show interface port-channel
  show spantree uplinkfast

Ø RMON Probe Configuration
SPAN port configuration
Use the set span enable command to enable port monitoring in the switch.
Use the set span src_mod/src_port dest_mod/dest_port [rx | tx | both] command to configure the SPAN port. Port monitoring can be used for monitoring a specified VLAN or port.
  Cat1> (enable) set span 3/1 3/8 both
Use the show span command to verify the SPAN port configuration change.

Ø Commands
Assigns a name to a port.
  set port name <mod_num/port_num> [name-string]
Assigns a priority for bus access.
  set port level [normal / high]
Changes port speed.
  set port speed <mod_num/port_num> <10 | 100 | auto>
Changes port duplex.
  set port duplex <mod_num/port_num> <full | half>
Sets the port to allow only a specific MAC to access it.
  set port security 3/1 enable <mac_address>
Enables Fast EtherChannel on ports; up to 4 can be grouped for 800 Mbps.
  set port channel <port_list> [on | off | auto | desirable]

Ø Misc Commands
show config
show port 3/1
show mac <mod_num/port_num>
show port <mod_num/port_num>
show cdp neighbors
show module

5.3. VLAN'S
VLANs have a maximum hop count of seven.
Two tasks for creating VLANs:
  1 - Create the VLAN in the management domain
  2 - Group ports to the VLAN

Ø Default Switch Configuration
Default is all ports belong to VLAN1.
No management domain.
Advertisement interval is 5 minutes.
VTP modes are server, transparent, and client; the default is server.
Non-secure mode <no password>. Adding a password puts the management domain into secure mode. If the management password is wrong, the domain does not work.

Ø VLAN Membership
The common VLAN configuration options implemented today are as follows:
  By port group
  By Media Access Control (MAC) address
  By network-layer information
  By IP multicast groups

Ø Port-Centric VLANs
  set vlan <vlan_num> <mod/num>
All traffic to and from the port is associated with the particular VLAN that has been statically configured for that port, regardless of the addresses/contents of the frames.

Ø Dynamic VLANs
The port is assigned to only one VLAN at a time, but that assignment changes dynamically according to the frames received from the port. Cisco implements this configuration based on the source MAC address of the hosts connected to that port, which works in conjunction with the VLAN Membership Policy Server (VMPS) that holds a database of MAC address-to-VLAN mappings.
To configure dynamic port VLAN membership, the following tasks have to be completed:
Configure the VMPS
  set vmps tftpserver 172.16.10.100 cat5.db
  set vmps state enable
  download vmps                          (only needed if the download fails)
  set vmps server 172.16.100.51 primary
  sh vmps                                The operational state must be active. If it is anything else, check the filename for the .db.
Configure dynamic ports on clients
  set port membership 3/2-6 dynamic      PortFast is enabled automatically.

Ø Switch STP Port Parameters
  set spantree portfast 1/2 enable
  set spantree uplinkfast
  set spantree backbonefast
  set spantree portvlancost

Ø STP Commands
*set spantree enable <vlan>
*set spantree priority bridge_priority <vlan>
*sh spantree <vlan>

Configure the Catalyst as the root bridge
  set spantree root <vlans>
Timers
  set spantree hello       Determines the frequency of BPDUs. Default is two seconds.
  set spantree maxage      Default is 20 seconds. Maximum age timeout; after it expires the port goes to blocking state, then to listening state, then learning state, and finally to forwarding state.
  set spantree fwddelay    Default is 15 seconds. Time to wait before changing state.
  show spantree <vlan>     Displays the STP information


Load Balancing
Best path to the root is decided by path cost, then bridge ID, then port priority.
Port cost is 1000 / LAN speed. Path cost is the port costs totaled.
  set spantree portcost <mod/num> <cost>
  set spantree portvlancost <mod/num> <cost> <vlans>
  set spantree portpri <mod/num> <priority>
  set spantree portvlanpri <mod/num> <priority> <vlans>
Enable STP
  set spantree enable 2/1         (per port)
  set spantree enable all
Config Root
  set spantree root 42-44 dia 2
Port Cost
  set spantree portcost 2/1 10
  set spantree portvlancost 2/1 42-44
Port Priority
  set spantree portpri 2/1 20
  set spantree portvlanpri 2/1 42-44      ! Used for load balancing
  show spantree sw-lab2
STP Timers
  set spantree fwddelay 15 42
  set spantree hello 2
  set spantree maxage 20 42

Ø VLAN Trunk Protocol (VTP)
set vlan <vlan-num> name <name>      Creates the VLAN
set vtp domain <name>
802.1 is persuading 802.3 to increase the maximum frame size from 1518 to 1522 (four extra bytes).
  Ability to create and delete local VLAN's  - Server, Transparent
  Generates VTP messages                      - Server
  Acts on received VTP messages               - Server, Client
  Forwards VTP messages                       - All modes
  Remembers own VLAN info                     - Server, Transparent
Take care when adding a new switch with a higher Config Revision number into the network because it might override the VLAN configuration in the other switches in the network. It is recommended that you reset a switch before adding it to the network. When you reset the switch, the VTP Config Revision number becomes zero.
sh vtp domain
  The Last Updater indicates the switch that sent the last VTP advertisement to all devices in the VTP domain.
  The PruneEligible on Vlans column indicates the VLANs that are eligible for pruning on this switch. This information is local to the switch.
When enabling Version 2, version 3.11 must be on all switches.
VTP maintains the VLAN configuration throughout the network. It establishes global configuration values and distributes the following global configuration information:
  VLAN name
  VLAN IDs
  ELAN names
  802.10 SAID values
  MTU size for a VLAN
  Frame format
VTP Version 2 supports Token-Ring switching.
VTP Pruning Configuration:
  VLAN 1 cannot be pruned; pruning applies to VLANs 2-1000.
  Enabling VTP pruning on a VTP server will enable or disable it for the entire VTP domain.
  set vtp ccie server pruning enable
  set vtp pruneeligible 100
VTP Messages - subset, summary, advertisement, VTP join
VTP Configuration:
  set vtp domain ccie
  set vtp mode [server (default) | client | transparent]
  set vtp pruning enable          /* VLAN1 is not prune eligible */
  set vtp pruneeligible ccie
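How a higher Config Revision number overwrites a VTP domain, and why resetting the switch first avoids it, as an added Python model that is not part of these notes: the MD5 digest here is a simplified stand-in for the real VTP digest, and the switch names and VLAN tables are constructed.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class VtpSwitch:
    """Minimal model of one switch's VTP state (added example, not CatOS code)."""
    name: str
    domain: str
    mode: str = "server"             # server | client | transparent
    password: str = ""
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})

    def _digest(self, revision: int) -> str:
        # Simplified stand-in for VTP's MD5 digest: the real digest covers the
        # advertisement body plus the password. This is enough to show that a
        # password mismatch makes an advertisement get rejected.
        data = f"{self.domain}|{self.password}|{revision}".encode()
        return hashlib.md5(data).hexdigest()

    def summary_advertisement(self):
        """What this switch sends its neighbours (transparent mode never originates)."""
        if self.mode == "transparent":
            return None
        return {"domain": self.domain, "revision": self.revision,
                "digest": self._digest(self.revision), "vlans": dict(self.vlans)}

    def receive(self, adv) -> str:
        """Apply an advertisement using the rules in the notes; returns the decision."""
        if adv is None:
            return "nothing received"
        if self.mode == "transparent":
            return "forwarded only (transparent ignores it)"
        if adv["domain"] != self.domain:
            return "ignored (different domain)"
        if adv["revision"] <= self.revision:
            return "ignored (revision not higher)"
        if adv["digest"] != self._digest(adv["revision"]):
            return "rejected (password/digest mismatch)"
        # Same domain, higher revision, digest OK: the whole VLAN database is
        # replaced. This is how one stray switch wipes the VLANs of a domain.
        self.vlans = dict(adv["vlans"])
        self.revision = adv["revision"]
        return "applied"

    def set_vlan(self, number: int, name: str) -> None:
        """'set vlan' on this switch; only a server bumps the revision."""
        if self.mode == "client":
            raise PermissionError("clients cannot create VLANs")
        self.vlans[number] = name
        if self.mode == "server":
            self.revision += 1

    def reset(self) -> None:
        """The notes' advice: reset the switch before adding it (revision -> 0)."""
        self.revision = 0


def join_network(production: VtpSwitch, newcomer: VtpSwitch) -> str:
    """Newcomer advertises into the production domain; returns production's decision."""
    return production.receive(newcomer.summary_advertisement())


def lab_scenario(reset_first: bool) -> dict:
    """Production VLAN table after a used switch is plugged in (constructed data)."""
    prod = VtpSwitch("prod-core", "ccie", password="ccie2k")
    prod.set_vlan(42, "sw-lab")
    prod.set_vlan(100, "servers")          # production is now at revision 2
    # A switch pulled from another lab: same domain and password, but a far
    # higher revision and only the default VLAN in its database.
    used = VtpSwitch("lab-spare", "ccie", password="ccie2k", revision=50)
    if reset_first:
        used.reset()
    join_network(prod, used)
    return dict(prod.vlans)


if __name__ == "__main__":
    print("plugged in as-is:", lab_scenario(reset_first=False))   # only VLAN 1 left
    print("reset first     :", lab_scenario(reset_first=True))    # VLANs intact
```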

Ø VTP Configuration Commands
set vtp v2 <enable | disable>
set vtp domain <name> mode <mode> password <pwd> pruning <enable | disable> v2 <enable | disable>
set vtp CCIE v2 enable
show vtp domain

Ø Create a VLAN Across Domains
set vlan <num> name <name> type <type> mtu <1500> said <said> state <state> ring <num> bridge <num> parent <vlan num> stp <type> translation <vlan num> backupcrf <on | off> aremaxhop <hop count> stemaxhop <hop count>
set vlan 2 name CCIE_support 3/1-12
show vlan

Ø VLAN Configuration
set vtp domain ccie mode server password ccie2k
set vlan 42 name sw-lab type ethernet
set vlan 42 1/1-12
set trunk 1/1 on
Version 2:
  set vtp v2 enable
  set vtp domain ccie mode server password ccie2k v2 enable
show vlan
show vtp
show vtp domain          (version check)
show trunk
show vtp statistics
sh int fast
sh bridge vlan
deb vlan packet          (other VLAN information)
deb span                 (STP packets)

5.4. TRUNKING
ISL is Cisco proprietary. 802.1Q is a standard.
Trunk ports advertise: management domain, config revision number, known VLANs and their parameters.

Ø Fast EtherChannel Configuration
Create the channel group:
  set port channel 2/1 on

Ø FDDI Configuration
set vlan 300 type fddi said 300
set vlan 300 2/1
set vlan 10 translation 300
set trunk 2/1 on
! To disable fddicheck and apart
set bridge apart disable
show bridge
show vlan

Ø 802.1q
set trunk <mod_num/port_num> [on|off|desirable|auto|nonegotiate] [vlans]
on           Set the trunk to on to make the port a trunk port and off to make the port a nontrunk port. The on option places the port into a permanent ISL trunking mode. When a port is configured to be a trunk, the range of allowed VLANs on the trunk is 1-1005. VLAN 1 is the default VLAN. This mode is not allowed on IEEE 802.1q ports. This is the only possible mode for ATM ports.
off          The port converts to a nontrunk port even if the other end of the link does not agree to the change. This is the default mode for FDDI trunks. The off option is not allowed for ATM ports.
desirable    Sets the trunk to desirable to make the port a trunk port if the port it is connecting to allows trunking.
auto         Set the trunk to auto to make the port a trunk port if the port to which it is connected becomes set for trunking. When a Catalyst switch port that is configured to auto detects a link bit, and it determines that the other end of the link is a trunk port, the Catalyst 5000 series switch automatically converts the port configured to auto into trunking mode. This mode is not allowed on IEEE 802.1q, FDDI, and ATM ports. However, auto is the default mode for Fast Ethernet ports.
nonegotiate  This option causes the port to become a trunk but prevents the port from sending DISL frames. It is used with ISL and IEEE 802.1q Fast Ethernet trunks.
The trunk port reverts to a nontrunk port if the link goes down. For trunking to take effect on Fast Ethernet ports, the ports must be in the same VLAN Trunk Protocol (VTP) domain. You can use the on mode, however, to force a port to become a trunk, even if it is in a different domain.
Dynamic Trunking Protocol (DTP) is a point-to-point protocol used to negotiate Ethernet trunks. However, some internetworking devices may improperly forward DTP frames. You can avoid this problem by ensuring that trunking is turned off on ports connected to devices that are not Catalyst 5000 switches if you do not intend to trunk across those links.
TIP: When enabling trunking on a link to a Cisco router, enter the nonegotiate keyword to cause the port to become a trunk but not generate DTP frames. The nonegotiate keyword is available in Catalyst 5000 series software Release 2.4(3) and later.
When you first configure a port as a trunk, the set trunk command always adds all VLANs to the allowed VLAN list for the trunk, even if you specify a VLAN range (the specified VLAN range is ignored). To remove VLANs from the allowed list, enter the clear trunk mod_num/port_num vlan_range command.
Trunk ports carry the traffic of multiple VLANs and are not assigned to any specific VLAN. When you do a show trunk, no VLANs will show up if all VLANs are allowed on the trunk.

Ø Basic Trunk Configuration
Set trunk ports
  set trunk 4/1 on
Turn off default VLANs
  clear trunk 4/1 2-1005      This clears all VLANs off of trunk port 4/1; VLAN 1 cannot be cleared.
  set spantree root 1,7,9     This makes this Catalyst the root for VLANs 1, 7, 9.
  sh spantree 7
Use the ARP cache to determine the traffic patterns: sh arp, ping the destination, then use show arp to display which VLAN the traffic traveled through.

Ø ISL (FE / GE)
Cisco IOS versions required to support ISL are the 11.1(5) or above Enterprise feature set and the 11.2 "Plus" feature set.
On a 4500:
  int fastethernet0.1
   encap isl <vlan number>

Ø VLAN Trunk Load Balancing
The lower the priority the better; 32 is the default. Both sides have to be set the same.
  set spantree portvlanpri 1/1 16 3-4
    Port 1/1 VLANs 1-2, 5-1005 using portpri 32
    Port 1/1 VLANs 3-4 using portpri 16
  set spantree portvlanpri 1/2 16 9-10
    Port 1/2 VLANs 1-8, 11-1005 using portpri 32
    Port 1/2 VLANs 9-10 using portpri 16
This is done on both switches to have VLANs 1-2 use one trunk and 3-4 use the other trunk. In effect you set the VLANs for trunk 2 to a lower priority.
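Root-port selection with per-VLAN port priority, as an added Python model that is not part of these notes; it covers the three parameters listed under Spanning Tree Information, the 1000 / speed port-cost rule under Load Balancing, and the portvlanpri configuration above. The bridge MAC, the port numbers, and the rule that the upstream port number breaks a final tie are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Uplink:
    """A downstream switch port and the BPDU it hears from the upstream switch."""
    port: str                          # local port, e.g. "2/1"
    speed_mbps: int                    # local link speed; port cost = 1000 / speed
    root_path_cost: int                # cost advertised by the upstream switch
    sender_bridge_id: int              # upstream bridge ID (priority + MAC)
    sender_port: tuple                 # upstream (module, port) number
    default_pri: int = 32              # CatOS default port priority
    vlan_pri: dict = field(default_factory=dict)   # vlan -> portvlanpri value


def port_cost(speed_mbps: int) -> int:
    """The notes' rule: port cost is 1000 / LAN speed (100 Mbps -> 10)."""
    return 1000 // speed_mbps


def sender_priority(u: Uplink, vlan: int) -> int:
    return u.vlan_pri.get(vlan, u.default_pri)


def select_root_port(uplinks, vlan: int) -> str:
    """Forwarding port for one VLAN: lowest path cost, then bridge ID, then the
    upstream port priority (the notes' three parameters). The final tiebreak on
    the upstream port number is the standard rule, assumed here."""
    def key(u: Uplink):
        return (u.root_path_cost + port_cost(u.speed_mbps),
                u.sender_bridge_id,
                sender_priority(u, vlan),
                u.sender_port)
    return min(uplinks, key=key).port


def set_portvlanpri(u: Uplink, priority: int, vlans) -> None:
    """Model of 'set spantree portvlanpri <mod/num> <priority> <vlans>' applied
    on the upstream switch whose port the downstream uplink is connected to."""
    for v in vlans:
        u.vlan_pri[v] = priority


def forwarding_map(uplinks, vlans) -> dict:
    """vlan -> port that forwards for it (the other uplink stays blocked)."""
    return {v: select_root_port(uplinks, v) for v in vlans}


def build_lab():
    """Two equal-cost 100 Mbps trunks from an access switch to the root (constructed)."""
    root_id = (32768 << 48) | 0x00E01E5B2762    # priority 32768 + a constructed MAC
    via_1_1 = Uplink("2/1", 100, 0, root_id, (1, 1))    # connected to root port 1/1
    via_1_2 = Uplink("2/2", 100, 0, root_id, (1, 2))    # connected to root port 1/2
    return via_1_1, via_1_2


def lab_before_and_after():
    """Forwarding map before and after the portvlanpri commands in the notes."""
    via_1_1, via_1_2 = build_lab()
    vlans = [1, 2, 3, 4, 9, 10]
    before = forwarding_map((via_1_1, via_1_2), vlans)
    # set spantree portvlanpri 1/1 16 3-4 ; set spantree portvlanpri 1/2 16 9-10
    set_portvlanpri(via_1_1, 16, range(3, 5))
    set_portvlanpri(via_1_2, 16, range(9, 11))
    after = forwarding_map((via_1_1, via_1_2), vlans)
    return before, after


if __name__ == "__main__":
    before, after = lab_before_and_after()
    print("without portvlanpri:", before)   # every VLAN forwards on 2/1, 2/2 is idle
    print("with portvlanpri   :", after)    # VLANs 9-10 move to 2/2
```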

Ø ISL Trunking and Routing
Router A config:
  ip address 172.16.30.1 255.255.255.0
  router rip
   network 172.16.30.0
Router B config:
  ip address 172.16.35.2 255.255.255.0
  router rip
   network 172.16.35.0
Router C config:
  ! vlan 1
  int fa 1/0.1
   encapsulation isl 1
   ip address 172.16.30.3 255.255.255.0
  ! vlan 2
  int fa 1/0.2
   encapsulation isl 2
   ip address 172.16.35.3 255.255.255.0
  router rip
   network 172.16.30.0
   network 172.16.35.0

Ø Switch Configuration
set interface sc0 172.16.30.3
set vtp domain ccie
set trunk 5/10 on

5.5. INTER-VLAN ROUTING
Routing between VLANs: one routed port per VLAN.

Ø Inter-VLAN Configuration
session 2
hostname rsm-jkcat5000
ip routing
router eigrp 2
 network 172.16.30.0
int vlan2
 ip address 172.16.30.1 255.255.255.0
int fastethernet 0/1.1
 encapsulation isl
 ip address 172.30.36.1 255.255.255.0
ip default-gateway 172.16.90.1

1 Setup ISL for Inter-VLAN Routing
Cat 1
  show vlan
  set trunk 1/1 on
  show port 1/1
  clear ip route all
  set ip route 0.0.0.0 172.16.120.1
4500 Router
  conf t
  interface fastethernet0.1
   encapsulation isl 1
   ip address 172.16.100.1 255.255.255.0
   exit
  interface fastethernet0.2
   encapsulation isl 2
   ip address 172.16.120.1 255.255.255.0
   exit
  router rip
   network 172.16.0.0
  show ip route

5.6. TOKEN-RING (3900) CONFIGURATION
TrCRF's are concentrators and TrBRF's are bridges. The TrCRF ring number can be learned from an external bridge.
You must configure a BRF, and one or more CRF's depending on your topology. Then you must associate your physical ports to the appropriate CRF's, and of course move the CRF's into the correct BRF. Only one BRF is required, with multiple CRF's, one for each ring.
Frames will not get forwarded to the BRF unless the RII is set to one with a RIF present anyway, and we are forwarding to the vring for DLSw in the lab.
Make sure that you either set the 3920 for source-route transparent or put 'multiring all' on the router interfaces.

Ø Five Steps to Configure a 3900
1 - Create the virtual bridge (TrBRF, TR Bridge-Relay Function). A TrBRF has two global parameters: bridge number and bridge type. The TrBRF controls the switching between the SRS and SRB groups.
2 - Assign the TrBRF a two-digit VLAN id.
3 - Create the virtual ring (TrCRF, TR Concentrator-Relay Function). A TrCRF has two global parameters: a ring number and a parent TrBRF identifier. CRF's create the SRS, SRB, and SRT groups.
4 - Assign ports to the TrCRF.
5 - Assign an IP address to the TrBRF.
*The grouping of one or more TrCRFs and a TrBRF forms a VLAN.

Ø Bridging between Token Ring VLANs follows two rules
1 - Bridging between two TrBRF VLANs can be accomplished only by an external device such as a router or route switch module (RSM).
2 - Bridging between TrCRF VLANs can be accomplished with TrCRF VLANs that are children of the same parent TrBRF VLAN.

Ø Bridging Modes and STP
Source-route bridging (SRB)               Uses a RIF and explorer packets (All-Routes Explorer and Spanning-Tree Explorer).
Source-route transparent bridging (SRT)   Forwarding of frames without a RIF.
Source-route switching (SRS)              Looks at the RIF for the bridge and ring numbers but does not update the RIF. Works like a transparent bridge.
The key difference between SRB and SRS is that although a source-route switch looks at the RIF, it never updates the RIF. Therefore, all ports in a source-route switch group have the same ring number.

Ø *Choosing the right STP
SRT: BRF - IEEE, CRF - CISCO
SRB: BRF - IBM, CRF - IEEE

Ø MAC Address Filtering on the Catalyst 3900
MAC address filtering is done at the port level. When configuring a MAC address filter on the Catalyst 3900 token ring switch, the filter must be applied on the inbound port. The filter will only filter inbound packets, not outbound packets. As a side note, filters cannot be applied to trunk ports.

Ø Catalyst Switching Supports 802.5r - Token-Ring Switching
No media filters are needed. The Token-Ring module requires 3.1 or higher in the Supervisor Engine module and an EARL+ chip.
Four modes of operation:
Half-duplex concentrator port — The port is connected to a single station in half-duplex mode. In this case, the port behaves like an active media attachment unit (MAU) port for classic Token Ring.
Half-duplex station emulation — The port is connected to a port on an MAU. In this case, the port behaves like a station connected to a classic Token Ring segment that contains multiple stations.
Full-duplex concentrator port — The port is connected to a single station in full-duplex mode.
Full-duplex station emulation — The port is connected to another Token Ring switch in full-duplex mode.

5.6.1. Token-Ring VLANs
The implementation of Token Ring VLANs involves two levels of rings and bridging, namely the Token Ring concentrator relay function (TrCRF) and the Token Ring bridge relay function (TrBRF). Within a Token Ring VLAN, logical rings can be formed by defining groups of ports that have the same ring number.
Token Ring concentrator relay function (TrCRF) - A TrCRF has two global parameters: a ring number and a parent TrBRF identifier. On the Catalyst 5000 series switch, the ring number must be defined. The TrCRF covers the functionality of SRS and SRT.
Backup TrCRF - To create a backup TrCRF: create the TrCRF; assign the TrCRF to the TrBRF that traverses the switches; mark the TrCRF as a backup TrCRF; assign one port on each switch to the backup TrCRF.
Token Ring bridge relay function (TrBRF) - The TrBRF is used to join different TrCRFs contained within the Token Ring modules of a single Catalyst 5000 series switch. The TrBRF functionality of the switch controls switching of source-route bridged traffic such as SRB and source-route transparent bridging (SRT). A TrBRF has two global parameters: bridge number and bridge type.
The defaults are VLAN 1003 for the TrCRF and VLAN 1005 for the TrBRF. MTU is 4472.
The grouping of one or more TrCRFs and a TrBRF forms a VLAN. Bridging between Token Ring VLANs follows two rules: bridging between two TrBRF VLANs can be accomplished only by an external device such as a router or route switch module (RSM); bridging between TrCRF VLANs can be accomplished with TrCRF VLANs that are children of the same parent TrBRF VLAN.

Bridging Modes and STP

Ø Source-route bridging (SRB) - Uses a RIF and Explorer packets (All-Routes Explorer and Spanning-Tree Explorer)

Ø Source-route transparent bridging (SRT) - Forwarding of frames without a RIF

Ø Source-route switching (SRS) - Looks at the RIF for the bridge and ring numbers but does not update the RIF

Spanning-Tree Protocols
IEEE 802.1d - can be used at the TrCRF or the TrBRF level.
IBM STP - can be used at the TrBRF level.
Cisco STP - designed to be used at the TrCRF level.

SRS forwards frames that do not contain routing information based on MAC address, the same way that transparent bridging does. All rings that are source-route switched have the same ring number and the switch learns the MAC addresses of adapters on these rings. The key difference between SRB and SRS is that although a source-route switch looks at the RIF, it never updates the RIF. Therefore, all ports in a source-route switch group have the same ring number.

Ø Bridging Mode and Spanning-Tree Combinations For proper operation of the TrBRF and TrCRFs, use the following combinations of bridging modes and Spanning-Tree Protocols: Source-route transparent bridging For SRT, run the IEEE Spanning-Tree Protocol at the TrBRF level and the Cisco Spanning-Tree Protocol at the TrCRF level. Source-route bridging For SRB run the IBM Spanning-Tree Protocol at the TrBRF level and the IEEE Spanning-Tree Protocol at the TrCRF level.

While configuring the TrBRF and TrCRF, use the information in the following table to set the bridging mode and Spanning-Tree Protocol combinations.

TrBRF Spanning-Tree Protocol | TrCRF mode / ISL port setting | TrBRF Setting | TrCRF Spanning-Tree Protocol
IBM | SRB | IBM | IEEE
IBM | SRT | None* | CISCO (auto)
IBM | ISL Ports | IBM | None
IEEE | SRB | None* | IEEE
IEEE | SRT | IEEE | CISCO (auto)
IEEE | ISL Ports | IEEE | None

*For the options that have None* specified, you must manually force the ports into the forwarding mode. Logical ports of the TrBRF may be set to forwarding state using the set spantree portstate command.
SRT: BRF - IEEE, CRF - CISCO
SRB: BRF - IBM, CRF - IEEE

Ø Incompatible Bridging and Spanning-Tree Combinations
These combinations are as follows:
TrBRF Spanning-Tree Protocol of IBM and TrCRF bridge mode of SRT
TrBRF Spanning-Tree Protocol of IEEE and TrCRF bridge mode of SRB

Ø Configuration of Token-Ring Switches
1 - Configure Token Ring ports (port name, priority, speed, duplex)
2 - Configure the TrBRF VLAN ("parent" ring)
3 - Configure TrCRF VLANs ("children")
4 - Assign Token Ring ports to TrCRF VLANs
5 - Configure the bridging mode

Ø Default Configuration
The default values of the Catalyst 5000 series Token Ring switch module features follow:
All ports are enabled and assigned to the default TrCRF.
No port name is configured for any port.
The priority level for all ports is set to normal.
Transmission speeds for the ports are set to autodetect.
Transmission modes for the ports are set to auto.
The transmission threshold is 3.
The minimum transmit setting is 4.
Spanning-Tree Protocol is enabled for all ports.
All-routes explorer (ARE) reduction is enabled.

5.7. TROUBLESHOOTING SWITCHES
If the load light is on, the load is over 80%; suspect a broadcast storm.

Ø Switch Problem Isolation
LED's - Fix hardware
Switch configuration - Fix configuration
Physical link - Check CDP, fix cables
VLAN configuration - Fix VLAN, STP, router
L2 path OK - Fix trunk, ISL configuration

Ø VLAN Problem Isolation
Check cables between switch and router
Check switch and router configurations
Check trunk and ISL
Troubleshoot VLAN and STP

Ø Switch Troubleshooting Strategy
1 - All modules in OK state? show modules and check LEDs
2 - All connected ports in active state? sh port stat / show port status
3 - All ports have traffic? sho mac, sho port
4 - Check CAM: sh cam
5 - sho system to view utilization
Is the port active? show port
Is the port passing frames? clear counters, then sh mac module/port
Is a specific MAC address in the CAM table? show port, show mac, show cam dynamic, show vlan, show trunk, show spantree

Ø Commands
set interface
show module - Displays the module type, model, serial number, status, module MAC address, and hardware, firmware, and software version numbers.
show port - Displays a wealth of information about the port, including name, VLAN, status, priority level, transmission type, and speed of the port.
show port channel - Used in troubleshooting the Fast EtherChannel modules. Displays the status (connected or not connected), channel mode (on, off, auto, desirable), and the channeling status, indicating whether it is an EtherChannel link or not.
show mac - Used in troubleshooting the MAC counters. This command displays important counters associated with the port.
show port - Displays MAC level security and port stats
show interface - Displays interface IP address
show ip permit - Displays IP addresses permitted and disallowed
show vtp domain - Displays domain name if assigned
show vlan - Displays VLAN status
show trunk - Displays trunk info, VLANs and ports on trunk
show version - Displays system level info
show module - Displays type of card in each slot
show mac - Displays traffic stats on all ports
show cam dynamic - Displays VLAN, MAC and mod/slot
show system - Displays system uptime, peak traffic utilization, contacts, and thermal info
show port <mod_num/port_num> - The most common errors you will see are the alignment and FCS errors. Alignment errors usually indicate a cable problem or faulty transmitter on network equipment connected to the switch. Alignment errors could also be caused by a discrepancy in the duplex setting at both ends. A few receive FCS errors are acceptable, but a large number could be an indication of bad cable or connections, faulty network interface cards (NICs), and cable runs that exceed the maximum distances allowed.
show mac <mod_num/port_num> - Displays Media Access Control (MAC) counters. Some of the fields in the output are self-explanatory. The following counters need some explanation.
The In-Discard counter is the number of times a frame was received, but discarded because the frame did not need to be switched. It is normal to see this counter incrementing. You will see the In-Discard frames when the switch receives traffic on a trunk port for VLANs that have no ports on the switch. Also, this counter increments when the destination address of a frame is learned on the port the frame was received. The Lrn-Discrd counter indicates the number of times a frame was forwarded but did not need to be switched because the destination was local. This counter should always be zero. The In-Lost counter indicates frames that were received but lost before being forwarded. Lost frames are input errors that indicate that frames have been lost because of insufficient buffer space. This scenario occurs when the switch is being oversubscribed. The Out-Lost counter indicates frames that were received but lost before being forwarded. This indicates that the segment connected to the destination port is oversubscribed; it could also indicate insufficient buffer space on the switch.

Ø Troubleshooting 3900
Check the port statistics on a Catalyst 3900: if the Duplicate Ring Number counter is constantly incrementing, this indicates frames are being received that contain a duplicate ring number in the Routing Information Field (RIF). Check the source-bridge local-ring bridge-number target-ring command in all of your routers to make sure you have not inadvertently specified an incorrect ring number here. Also ensure that the identical line has not been specified in more than one router in your network.


6. IP Management

Bits | 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1
Dotted Decimal | .128 | .192 | .224 | .240 | .248 | .252 | .254 | .255
Inverse DD | .127 | .63 | .31 | .15 | .7 | .3 | .1 | .0

CIDR
255.255.255.x | /25 | /26 | /27 | /28 | /29 | /30 | /31 | /32
255.255.x.0 | /17 | /18 | /19 | /20 | /21 | /22 | /23 | /24
255.x.0.0 | /9 | /10 | /11 | /12 | /13 | /14 | /15 | /16
x.0.0.0 | /1 | /2 | /3 | /4 | /5 | /6 | /7 | /8

6.1. PLANNING A NETWORK Distance, congestion, locality, scalability

6.2. OVERVIEW
Load Balancing
Per packet – best for WAN, process switched
Per destination – uses fast switching
IGRP / EIGRP / OSPF / RIP can use up to 4 equal-cost paths. IGRP and EIGRP can use unequal-cost paths with the variance command.
Classful Routing Protocols - RIP v1 / IGRP
Address Breaks: 0 - 31, 32 - 63, 64 - 95, 96 - 127
IP Address Planning - OSPF areas & VLSM, BGP, NAT
Make serial networks three digits on the network octet; make LAN networks two digits on the network octet.
Cisco routers hold ARP entries for four hours.
int e0
 arp timeout 1800 (30 minute ARPs)
Static ARPs: arp 172.21.5.131 0000.00a4.b74c snap
Bit count format = /24:
line vty 0 4
 ip netmask-format bit

Ø IP Packet Header
TOS byte = Precedence (3 bits) / TOS (5 bits)

Ø Precedence
000 Routine
001 Priority
010 Immediate
011 Flash
100 Flash Override
101 Critical / ECP
110 Internetwork Control
111 Network Control

Ø TOS
Delay | Throughput | Reliability | Monetary Cost | Reserved
0 | 0 | 0 | 0 | 0 (Always 0)
1 | 1 | 1 | 1 |
0 = Normal, 1 = Minimize

Protocol Field:
1 ICMP
2 IGMP
4 IP in IP
6 TCP
17 UDP
45 IDRP
46 RSVP
47 GRE
54 NHRP
88 IGRP
89 OSPF
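As an added example (not from the original notes), the following Python splits the ToS octet and the protocol field out of a raw IPv4 header exactly as the tables above lay them out: three precedence bits, then the delay/throughput/reliability/cost bits, then the reserved bit. The sample header is constructed here for the demonstration; the precedence and protocol names are the ones listed above.

```python
import struct

# Added example: decode the IPv4 ToS byte and protocol number from a raw header.
# Names below come from the precedence / protocol-field tables in the notes.

PRECEDENCE = {0: "Routine", 1: "Priority", 2: "Immediate", 3: "Flash",
              4: "Flash Override", 5: "Critical / ECP",
              6: "Internetwork Control", 7: "Network Control"}
PROTOCOLS = {1: "ICMP", 2: "IGMP", 4: "IP in IP", 6: "TCP", 17: "UDP", 45: "IDRP",
             46: "RSVP", 47: "GRE", 54: "NHRP", 88: "IGRP", 89: "OSPF"}


def decode_tos(tos: int) -> dict:
    """Split the ToS octet: 3 precedence bits, then D, T, R, C flag bits, then a reserved bit."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS is a single octet")
    return {
        "precedence": PRECEDENCE[tos >> 5],
        "minimize_delay": bool(tos & 0x10),
        "maximize_throughput": bool(tos & 0x08),
        "maximize_reliability": bool(tos & 0x04),
        "minimize_cost": bool(tos & 0x02),
        "reserved_set": bool(tos & 0x01),   # should always be 0
    }


def parse_ipv4_header(packet: bytes) -> dict:
    """Pull the fields the notes discuss (ToS, TTL, protocol, DF, addresses) out of a raw IPv4 header."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, _total_len, _ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    return {
        "tos": decode_tos(tos),
        "ttl": ttl,
        "protocol": PROTOCOLS.get(proto, f"unknown({proto})"),
        "dont_fragment": bool(flags_frag & 0x4000),
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
    }


# Constructed sample header (not a real capture): precedence 110 (Internetwork
# Control) with the minimize-delay bit set (ToS 0xD0), DF set, TTL 1,
# protocol 89 (OSPF), 10.1.1.1 -> 224.0.0.5.
SAMPLE_HEADER = struct.pack("!BBHHHBBH4s4s", 0x45, 0xD0, 64, 0x1234, 0x4000, 1, 89, 0,
                            bytes([10, 1, 1, 1]), bytes([224, 0, 0, 5]))

if __name__ == "__main__":
    for k, v in parse_ipv4_header(SAMPLE_HEADER).items():
        print(f"{k}: {v}")
```

Routing-protocol traffic (OSPF, HSRP) is normally sent with precedence 6, so a quick filter on `precedence` is a cheap way to separate control-plane packets from user traffic in a capture.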

Ø ICMP
ICMP performs a number of tasks within an IP internetwork. The principal reason it was created was for reporting routing failures back to the source. In addition, ICMP provides helpful messages such as the following:
• Echo and reply messages to test node reachability across an internetwork
• Redirect messages to stimulate more efficient routing
• Time exceeded messages to inform sources that a datagram has exceeded its allocated time to exist within the internetwork
• Router advertisement and router solicitation messages to determine the addresses of routers on directly attached subnetworks
• A more recent addition to ICMP provides a way for new nodes to discover the subnet mask currently used in an internetwork.
All in all, ICMP is an integral part of all IP implementations, particularly those that run in routers.
Three types of messages – errors, queries, responses
0 Echo request - Used by ping
0 Echo reply - Used by ping
Destination unreachable - Network unreachable, Host unreachable, Protocol unreachable, Port unreachable
4 Source quench
5 Redirect (deb ip icmp; no ip redirects)
Router advertisement (IRDP)
Router Selection (IRDP)
Time Exceeded – TTL exceeded
15 Information Request
16 Information Reply
17 Address Mask Request
18 Address Mask Reply
30 Traceroute
33 IPv6 Where-Are-You
34 IPv6 I-Am-Here
35 Mobile Registration Request
36 Mobile Registration Reply

Ø Address Classes
Class | Leading bits | First octet | Mask
A | 0xxx | 0-127 | 8 bits
B | 10xx | 128-191 | 16 bits
C | 110x | 192-223 | 24 bits
D | 1110 | 224-239 |
 | 1111 | 240-up |

Ø Private IP Addresses
10.0.0.0
172.31.0.0
192.168.0.0 - 192.168.255.255

Ø Designing IP Addressing
1 – Determine the organization's need for subnets of varying lengths
2 - Deploy a subnet strategy
3 – Deploy a route summarization strategy

Ø Frame-Relay Addressing Use three digit addresses with the first digit being the source router and the last digit being the destination router. Example: 102 201

Router 1 to Router 2

Ø TCP/IP
Always use even numbers on network addresses. Example: 130.10.10.1 255.255.255.0. Use the router name as the host address. Make serial networks three digits on the network octet; make LAN networks two digits on the network octet.
TCP uses: windowing (flow control), sequence numbers, acknowledgements (reliability), checksums (reliability), timers (reliability).
Flags for data flow and connection control: URG, ACK, RST, PSH, FIN

Ø TCP's 3-Way Handshake
Request: SYN ->
<- Reply: ACK and SYN
ACK ->
SYN = 1 sets up a connection

Ø Subnetting
IP subnetting uses a logical AND. Example: 172.16.64.15 AND 255.255.0.0 = 172.16.0.0; if the other host ANDed with 255.255.0.0 also gives 172.16.0.0, the two are on the same subnet. Right or wrong?
Host & subnet bits: 2^N - 2 = number of subnets / hosts, where N is the number of subnet / host bits
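The bit/CIDR tables at the top of this chapter and the logical-AND subnetting rule above are the same arithmetic; the following Python is an added example (not from the original notes) that implements it: prefix length to dotted mask, the inverse (wildcard) mask used by access-lists, the AND test for "same subnet", and the 2^N - 2 host count. It also rejects a non-contiguous mask, which the tables silently assume never happens.

```python
from ipaddress import IPv4Address

# Added example: the subnet arithmetic behind the Bits / Dotted Decimal /
# Inverse DD table, the CIDR table and the logical-AND subnetting example.
ALL_ONES = 0xFFFFFFFF


def mask_from_prefix(prefix: int) -> str:
    """/24 -> '255.255.255.0': the top `prefix` bits of 32 set to one."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return str(IPv4Address((ALL_ONES << (32 - prefix)) & ALL_ONES))


def wildcard_from_prefix(prefix: int) -> str:
    """Inverse mask (the 'Inverse DD' row): every mask bit flipped."""
    mask = int(IPv4Address(mask_from_prefix(prefix)))
    return str(IPv4Address(mask ^ ALL_ONES))


def prefix_from_mask(mask: str) -> str:
    """'255.255.255.240' -> '/28'; refuses masks whose one-bits are not contiguous."""
    m = int(IPv4Address(mask))
    ones = bin(m).count("1")
    if (ALL_ONES << (32 - ones)) & ALL_ONES != m:
        raise ValueError(f"{mask} is not a contiguous netmask")
    return f"/{ones}"


def network_of(host: str, mask: str) -> str:
    """Logical AND of address and mask, as in the 172.16.64.15 example."""
    return str(IPv4Address(int(IPv4Address(host)) & int(IPv4Address(mask))))


def same_subnet(a: str, b: str, mask: str) -> bool:
    """Two hosts share a subnet when the AND with the mask gives the same network."""
    return network_of(a, mask) == network_of(b, mask)


def usable_hosts(prefix: int) -> int:
    """2^N - 2 with N host bits; /31 and /32 leave no classic usable range."""
    host_bits = 32 - prefix
    return max(2 ** host_bits - 2, 0)


if __name__ == "__main__":
    # Reproduce the 255.255.255.x row of the CIDR table.
    for p in range(25, 33):
        print(f"/{p}  mask {mask_from_prefix(p):16} wildcard {wildcard_from_prefix(p)}")
    print(network_of("172.16.64.15", "255.255.0.0"))
```

`prefix_from_mask` is the check worth keeping around: a mistyped mask such as 255.255.254.255 is accepted by some tools but describes no prefix, and the routes or access-lists built from it will not match what was intended.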

Ø VLSM
Supported by RIP v2, EIGRP, OSPF.
Subnetting - start with the lowest subnet mask possible and work your way down: /20, then /22 /22 /22, then /24 /24 /24 /24, then /30 /30, /26 /26 /26 (debug traces).

Ø Summarization Dist -> Core Summarize (hide access to core) Dist -> Access Provide route from nearest dist. Rtr Hide core to access Route-maps, dist-lists, default networks

Ø Summarization and Protocols
RIP, IGRP, EIGRP and BGP automatically summarize at classful boundaries.
EIGRP – disable auto summarization with the no auto-summary command
EIGRP - Use ip summary-address eigrp to summarize at other boundaries
OSPF does not summarize automatically; use area range and summary-address to summarize.
Benefits of summarization: reduce routing table size to save bandwidth with fewer updates and less router memory used; limits the scope of failure of network instability.
CIDR - Supported by RIP v2, OSPF, and BGP

Ø Trace Command
The following are the characters that can appear in trace output:
nn/msec - For each node, the round-trip time in milliseconds for the specified number of probes.
* - The probe timed out
? - Unknown packet type
Q - Source quench
P - Protocol unreachable
N - Network unreachable
U - Port unreachable
H - Host unreachable

Ø Extended Ping
To test MTU use extended ping with the DF bit set. TTL = 64 by default.
Options field: loose / strict source routing allows you to specify route hops to the destination. Loose means take these hops as needed and strict means take only these hops. Hence, with strict you must list all routers while with loose you can list only a few.

Ø IP Addressing Troubleshooting
show ip interface brief
What are all of the IP addresses of the interfaces of my directly connected neighbors? show cdp neighbor detail
Can you ping your own interface?

6.3. HOT STANDBY ROUTER PROTOCOL (HSRP)
Cisco feature. For token-ring use the use-bia command. Uses multicast UDP packets for hellos, sent out every 3 seconds. Hold time is 10 seconds; if 3 hellos are missed the standby goes active. You can use multiple groups for HSRP. The virtual MAC address is: vendor code – HSRP code – group number, i.e. 0000.0c – 07.ac – group in hex (group 47 = 2F). HSRP messages are UDP port 1985 and are addressed to 224.0.0.2 with TTL = 1. The highest priority is the active router; the default is 100.
standby ip - The configuration for at least one of the routers in the Hot Standby group must specify the IP address of the virtual router; specifying the IP address of the virtual router is optional for other routers in the same Hot Standby group.
standby timers - Used to change the hello timer; make sure all routers in the same group use the same timer.

Ø HSRP States
Initial - boot up
Learn - wait for active router
Listen - knows virtual IP of active router
Speak - sends hellos
Standby - candidate for active / standby router
Only one standby router per HSRP group.
Make HSRP check the active interface versus route cache for active router:
standby <group num> track <type num> <interface-priority>

Ø HSRP Configuration
standby 5 ip 172.16.1.1
standby 5 priority 200
standby 5 preempt
standby timers 5 15
standby 5 track int s0 200

Ø HSRP Configuration
Router 1 (Active Router)
standby 12 ip 172.30.16.3
standby 12 priority 180 (default 100)
standby 12 preempt
Timers: standby 12 timers 3 10
show standby brief
debug standby
Router 2 (Standby Router)
standby 12 ip 172.30.16.3
standby track ethernet 1 100 - Make HSRP check the active interface versus route cache for active router
standby ip - Enables HSRP and establishes the IP address of the virtual router
standby preempt - Allows the router to become the active router when its priority is higher than all other HSRP-configured routers in this hot-standby group.
standby priority - Priority status is used in choosing the active router
Troubleshooting: show ip route, show interface, show running-config, show standby


Ø Troubleshooting Commands sh standby deb standby deb standby errors deb standby events
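The virtual MAC rule and the election rule in this section are small enough to compute directly, which is useful when auditing an ARP or CAM table for HSRP groups nobody remembers configuring. The following Python is an added example (not from the original notes): it derives the 0000.0c07.acXX address from a group number, recognises such an address in any common separator style, picks the active router by priority with the highest interface IP as the tie-breaker, and matches the hello signature (UDP 1985 to 224.0.0.2, TTL 1) given above. The router lists are constructed for the demonstration.

```python
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# Added example: HSRP virtual MAC derivation, reverse lookup and active election.
HSRP_MAC_PREFIX = "0000.0c07.ac"   # vendor code 0000.0c + HSRP code 07.ac (from the notes)


def hsrp_virtual_mac(group: int) -> str:
    """Virtual MAC of an HSRP group: 0000.0c07.ac followed by the group number in hex."""
    if not 0 <= group <= 255:
        raise ValueError("HSRP group number must be 0..255")
    return f"{HSRP_MAC_PREFIX}{group:02x}"


def hsrp_group_from_mac(mac: str) -> Optional[int]:
    """Reverse lookup for ARP/CAM audits: the group number if mac is an HSRP
    virtual MAC (colon, dash or dot separators accepted), otherwise None."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or not digits.startswith("00000c07ac"):
        return None
    return int(digits[10:], 16)


def elect_active(routers: List[Tuple[str, int]]) -> str:
    """Highest priority (default 100) becomes active; on a tie the highest
    interface IP address wins. Each entry is (interface_ip, priority)."""
    if not routers:
        raise ValueError("no routers in group")
    return max(routers, key=lambda r: (r[1], int(IPv4Address(r[0]))))[0]


def is_hsrp_hello(dst_ip: str, dst_port: int, ttl: int) -> bool:
    """Match the on-the-wire signature from the notes: UDP 1985 to 224.0.0.2, TTL 1."""
    return dst_ip == "224.0.0.2" and dst_port == 1985 and ttl == 1


if __name__ == "__main__":
    # Constructed sample: the two-router group 12 from the configuration above.
    group = [("172.30.16.1", 180), ("172.30.16.2", 100)]
    print("group 12 virtual MAC:", hsrp_virtual_mac(12))
    print("active router:", elect_active(group))
    # Constructed ARP table lines to scan for virtual MACs.
    for ip, mac in [("172.30.16.3", "0000.0c07.ac0c"), ("172.30.16.9", "0000.0c12.3456")]:
        print(ip, mac, "-> HSRP group", hsrp_group_from_mac(mac))
```

Seeing a virtual MAC in the ARP table for a group that is not in any router configuration, or a hello whose priority beats every known router, is the condition worth alerting on: with preempt enabled, whichever device sends the highest priority takes over as the gateway.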

6.4. DYNAMIC HOST CONFIGURATION PROTOCOL (DHCP)
New feature in 12.0(1)T. Basic example:
ip dhcp pool networkers
 network 10.1.1.0 255.255.255.0
 default-router 10.1.1.254
 lease 0 0 15

Ø DHCP Commands show ip dhcp binding <address> show ip dhcp conflict <address> show ip dhcp server <statistics> clear ip dhcp binding <address> clear ip dhcp conflict <address>


Ø Example
With this config, the router will assign 10.2.X.Y/16 and 10.4.X.Y/16 addresses to the clients. As you can see I also have the default gateway, DNS, and the two WINS servers on my network and the lease set to 3 days.
ip dhcp excluded-address 10.1.0.0 10.1.1.255
ip dhcp excluded-address 10.1.3.0 10.1.3.255
ip dhcp excluded-address 10.1.5.0 10.1.255.255
!
ip dhcp pool Chancery
 network 10.1.0.0 255.255.0.0
 default-router 10.1.1.1
 dns-server 206.80.192.1 204.147.80.5
 netbios-node-type h-node
 netbios-name-server 10.1.1.13 10.1.1.11
 lease 3
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.0.0
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 duplex auto
 speed auto

Ø Example #1
!
! Start DHCP Server
service dhcp
!
! Store DHCP Lease database on tftp server
ip dhcp database tftp://tftp.cisco.com/dhcp.db
!
! Create DHCP address pool for the 10.0.0.0/28 network
ip dhcp pool subnet-10
 lease 3 0 0 ! lease time of 3 days 0 hours 0 minutes
 network 10.0.0.0 255.255.255.240 ! Defines address pool with addresses 10.0.0.1 - 10.0.0.14
 dns-server 171.68.10.70 171.68.10.140
 domain-name cisco.com
 netbios-name-server 171.68.235.228 171.68.235.229
 netbios-node-type h-node
 option 150 ip 172.16.24.12 ! Defines custom option with IP address
 default-router 10.0.0.1
!
! Create static mapping for the 10.0.0.5 address - i.e. BootP
ip dhcp pool manual
 host 10.0.0.5
 client-identifier 010a.1211.2e3c.4a
!
! Exclude 10.0.0.1 - 10.0.0.5 from DHCP pool
ip dhcp excluded-address 10.0.0.1 10.0.0.5
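The two pool examples rely on the excluded-address ranges to keep the gateway, servers and static bindings out of the dynamic range; getting that wrong hands a client the router's own address. As an added example (not from the original notes), the following Python works out what a pool will actually lease and flags the common mistakes, using the network, exclusion and gateway values from Example #1 above; the checks and the function names are my own.

```python
from ipaddress import IPv4Address, IPv4Network
from typing import List, Sequence, Tuple

# Added example: what a DHCP pool can hand out after its excluded-address
# ranges are removed, plus sanity checks on the gateway and static bindings.
Range = Tuple[str, str]   # (low, high), as in "ip dhcp excluded-address low high"


def excluded_set(ranges: Sequence[Range]) -> set:
    """Expand inclusive excluded-address ranges into a set of integer addresses."""
    out = set()
    for low, high in ranges:
        lo, hi = int(IPv4Address(low)), int(IPv4Address(high))
        if hi < lo:
            raise ValueError(f"excluded range {low}-{high} is reversed")
        out.update(range(lo, hi + 1))
    return out


def assignable(network: str, mask: str, excluded: Sequence[Range]) -> List[str]:
    """Host addresses of the pool network (network and broadcast dropped) minus exclusions."""
    net = IPv4Network(f"{network}/{mask}")
    ex = excluded_set(excluded)
    return [str(h) for h in net.hosts() if int(h) not in ex]


def check_pool(network: str, mask: str, excluded: Sequence[Range],
               default_router: str, static_hosts: Sequence[str] = ()) -> List[str]:
    """Return a list of configuration problems; an empty list means the pool looks sane."""
    net = IPv4Network(f"{network}/{mask}")
    ex = excluded_set(excluded)
    problems = []
    gw = IPv4Address(default_router)
    if gw not in net:
        problems.append(f"default-router {default_router} is outside {net}")
    elif int(gw) not in ex:
        problems.append(f"default-router {default_router} is not excluded and can be leased")
    for host in static_hosts:
        if int(IPv4Address(host)) not in ex:
            problems.append(f"static host {host} is not excluded from the dynamic pool")
    return problems


# Values taken from the Example #1 configuration in the notes.
POOL = ("10.0.0.0", "255.255.255.240")
EXCLUDED = [("10.0.0.1", "10.0.0.5")]

if __name__ == "__main__":
    print("leasable:", assignable(*POOL, EXCLUDED))
    print("problems:", check_pool(*POOL, EXCLUDED, "10.0.0.1", ["10.0.0.5"]))
    # Same pool with the exclusion line forgotten: the gateway becomes leasable.
    print("problems without exclusion:", check_pool(*POOL, [], "10.0.0.1", ["10.0.0.5"]))
```

Nine addresses (10.0.0.6 to 10.0.0.14) remain leasable in Example #1, which matches the comment in the configuration once the five excluded addresses are taken out of the fourteen hosts of a /28.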


7. Routing

Ø Protocol Specifics

Protocol | Protocol Used | DDR | Advertises | Metric | Converge Method | Misc. / Problems | Partition Internetwork
dv RIP v1 | UDP 520 | Snapshot | Broadcast 30 | Hops (16 Max) | 180 (6x) | Classful, Split-horizon | None
dv RIP v2 | UDP 520, 224.0.0.9 | Snapshot | Broadcast 30 | Hops (16 Max) | 180 (6x) | Split-horizon | None
dv IGRP | UDP 9 | Snapshot | Broadcast 90 | Composite (BW / DLY), 255 Hops | 270 (3x) | Classful, Dual, Split-horizon | AS
dv EIGRP | 224.0.0.10 | Deny 224.0.0.10 | Hellos 5, 224.0.0.10 | Composite (BW / DLY *256), 224 Hops | 25 (3x) | Dual, Split-horizon | AS
ls OSPF | 224.0.0.5, 224.0.0.6 | Demand-circuit | LSA's | Cost | SPF | Manual summarization | Areas, 2 Tier
ls IS-IS | | | LSP's | Cost (All 10) | SPF | |
dv BGP4 | TCP 179 | Long Keepalives | Keepalives | AS Paths | IGP Synch. | Manual summarization | AS
dv IPX | | | Broadcast (60) | Ticks | | |
ls NLSP | | | Hello | | | | Level 3 Tier, Level 3 is EGRP

Protocol | Load Balancing | Authentication | Discontinuous Networks | Summary
Static | Equal AD | None | Yes | Yes
RIP v1 | None | None | | auto
RIP v2 | None | MD5 / Simple | | auto
IGRP | Equal, Unequal (up to 6) | None | Stop, Auto-summary | auto
EIGRP | Equal, Unequal (up to 6) | MD5 | Stop, Auto-summary | auto
OSPF | Equal Only | MD5 / Simple | No Problem | On ABR or ASBR
ISIS | Equal Cost only | Clear text only | No Problem, CLNS routing | Level 2 Only, auto
BGP4 | MED, AS_PATH same, up to 6 paths | | | auto
IPX RIP | None | none | |
NLSP | None | | |


How would you speed up RIP/EIGRP/OSPF/IGRP/BGP convergence? Change timers, use summaries, minimize routing tables. You can create unicast updates by making the interface passive and using the neighbor command to specify who to send updates to.
RIP / IGRP / EIGRP - With fast switching enabled, load balancing occurs on a per-destination basis; otherwise it is per packet. IGRP, EIGRP, OSPF and RIP can use up to four equal-cost paths.

Ø Path Determination Longest Prefix (Address), AD (Which / Outside IGP), Metric (Inside IGP)

Ø Classful Routing
0/0 in a classful protocol is a route to all destinations except connected networks; use the ip classless command to change this behavior. A route is first matched with the address class, then the subnet; if there is no match the packet is dropped. RIP v1 and IGRP will not send a routing update between two routers on the same subnet if the subnet masks are different. Use passive-interface when more interfaces are enabled by the classful network statement than what you want.

Ø Classless Routing 0/0 in a classless protocol is considered a route to all destinations. A route is checked for the longest match (bit-by-bit) rather than classful boundaries.

Ø Passive Interfaces The passive-interface command prevents all routing updates for a given routing protocol from being sent into a network, but does not prevent the specified interface from receiving updates.

Ø Common Routing Protocol Configuration Options These commands are common to all routing protocols: default-metric distance distribute-list maximum-paths network passive-interface redistribute timers

7.1. ADMINISTRATIVE DISTANCES When two routing protocols are enabled the path with the lowest AD will be used. Use the distance command only to prevent or stop routing loops.

0 Connected
1 Static
5 EIGRP Summary
20 EBGP
90 EIGRP (I)
100 IGRP
110 OSPF
115 IS-IS
120 RIP
170 EIGRP (E)
200 IBGP
255 Unknown
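The path determination rule (longest prefix, then administrative distance, then metric) and the classful/classless handling of 0/0 described above are easiest to reason about with a small model. The following Python is an added example (not from the original notes): it installs candidate routes into a table by AD and metric, looks destinations up by longest prefix, and with `classless=False` reproduces the classful behaviour of dropping a packet for a known major network rather than sending it to the default route. The AD values are the ones listed above; the sample routes are constructed for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Iterable, Optional

# Added example: route installation by AD/metric, longest-prefix lookup, and the
# classful vs. classless treatment of the default route.

# Cisco default administrative distances, as listed in the notes.
ADMIN_DISTANCE = {
    "connected": 0, "static": 1, "eigrp-summary": 5, "ebgp": 20, "eigrp": 90,
    "igrp": 100, "ospf": 110, "is-is": 115, "rip": 120, "eigrp-external": 170,
    "ibgp": 200, "unknown": 255,
}
DEFAULT = IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    protocol: str
    metric: int
    next_hop: str

    @property
    def ad(self) -> int:
        return ADMIN_DISTANCE[self.protocol]


def install(candidates: Iterable[Route]) -> Dict[IPv4Network, Route]:
    """Build the routing table: per prefix keep the lowest AD, then the lowest metric."""
    table: Dict[IPv4Network, Route] = {}
    for r in candidates:
        best = table.get(r.prefix)
        if best is None or (r.ad, r.metric) < (best.ad, best.metric):
            table[r.prefix] = r
    return table


def classful_major(addr: IPv4Address) -> IPv4Network:
    """The class A/B/C major network an address belongs to."""
    first = int(addr) >> 24
    plen = 8 if first < 128 else 16 if first < 192 else 24
    return IPv4Network((addr, plen), strict=False)


def lookup(table: Dict[IPv4Network, Route], dst: str, classless: bool = True) -> Optional[Route]:
    """Longest-prefix match. With classless=False (no 'ip classless'), a destination
    inside a major network the router knows subnets of is dropped (None) instead of
    being sent to the default route when no subnet matches."""
    addr = IPv4Address(dst)
    matches = [r for r in table.values() if addr in r.prefix]
    if not classless:
        major = classful_major(addr)
        knows_major = any(r.prefix != DEFAULT and r.prefix.subnet_of(major)
                          for r in table.values())
        if knows_major:
            matches = [r for r in matches if r.prefix != DEFAULT]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen)


# Constructed sample routes (not from the original notes).
CANDIDATES = [
    Route(IPv4Network("10.1.0.0/16"), "rip", 3, "10.0.0.2"),
    Route(IPv4Network("10.1.0.0/16"), "ospf", 74, "10.0.0.3"),        # lower AD than RIP
    Route(IPv4Network("10.1.5.0/24"), "static", 0, "10.0.0.4"),       # more specific prefix
    Route(DEFAULT, "static", 0, "10.0.0.1"),
    Route(IPv4Network("192.168.1.0/24"), "eigrp", 3072, "10.0.0.5"),
    Route(IPv4Network("192.168.1.0/24"), "eigrp", 2816, "10.0.0.6"),  # same AD, lower metric
]
TABLE = install(CANDIDATES)

if __name__ == "__main__":
    for dst in ("10.1.5.9", "10.1.9.9", "10.9.9.9", "8.8.8.8", "192.168.1.1"):
        cl, cf = lookup(TABLE, dst), lookup(TABLE, dst, classless=False)
        print(f"{dst:12} classless -> {cl.next_hop if cl else 'dropped':10} "
              f"classful -> {cf.next_hop if cf else 'dropped'}")
```

10.9.9.9 is the case the Classful Routing paragraph warns about: the router knows 10.1.0.0/16, so without ip classless it treats the whole of 10.0.0.0/8 as known and drops the packet instead of using the default route.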

7.2. DEFAULT AND STATIC ROUTES
Point static routes to an interface only on point-to-point interfaces; proxy ARP will have problems with multiaccess networks if hosts are on the segment. When you enter an address instead of the interface, the route is not automatically redistributed into routing protocols, the admin distance is 1 instead of 0, and it requires one recursive lookup for the route. An ip default route can point to the next-hop gateway, network number, or a router interface. If pointing to an interface, the route will never go away unless the interface is unavailable. Frame-relay and ATM interfaces do not go down automatically when they lose communications.

Ø Path Determination for Statics (All /xx examples are for a class C address)
Host route /32
Subnet /30
Summary /26
Major Net /24
CIDR / Supernet /20
Default route 0/0

Ø Interesting Ideas
If you were going to create a loopback interface, you could give it a classful address and mask outside of the classful network in question and make it your default network... Create a loopback whose IP address and mask is a summary of the networks you're trying to propagate, then redistribute connected.

Ø DV Protocols 0.0.0.0 0.0.0.0 The default route will automatically be advertised if ip default network is included.

7.2.1. RIP
RIP automatically redistributes a default route. When the static default route 0.0.0.0 0.0.0.0 is configured on a RIP-speaking router, RIP automatically redistributes the 0.0.0.0 entry into the RIP domain. Another method of advertising a default route with RIP is to use the default-information originate statement under router rip configuration mode. By entering this statement, the 0.0.0.0 route will be advertised into the RIP domain even if there is no 0.0.0.0 route on the router that is the source of the default route. A default route allows a RIP-speaking router to forward all classful network prefixes that are not listed in a given router's routing table. However, a default route does not automatically allow a RIP-speaking router to forward all subnets that are not listed in a given router's routing table.
router rip
 network 138.5.0.0
 default-information originate route-map rip_def_to_interfaces
!
route-map rip_def_to_interfaces permit 10
 set interface Serial0/3

7.2.2. IGRP
IGRP does not advertise the 0.0.0.0 network to downstream IGRP neighbors. ip default-network will only insert the route correctly if the address is on a classful boundary; otherwise it will enter a static route into the routing table (NOT good). The default network will appear as an exterior network in debugging events, and will be a * = "candidate default" in the routing table.
Configuring Defaults
ip default-network 192.168.1.17
This command creates a static route if the route is not classful.

7.2.3. EIGRP
EIGRP redistributes the default network, but a static default route must be redistributed into EIGRP. EIGRP does not use ip default-network. You need to redistribute OSPF into EIGRP or set up a static default route and redistribute it.
Propagation Control of Default Routes
default-information in <acl> - Erases the * from all routes not matching the ACL
default-information out <acl> - Erases the * from routes advertised to neighbors
no default-information in - Do not accept *
no default-information out - Do not send *
Use default routes with route filters; this way you gain the route and remove the redundant routes.
router eigrp 200
 network 0.0.0.0
ip route 0.0.0.0 0.0.0.0 Serial2
Configuring Defaults
router eigrp 100
 redistribute static metric 64 20000 255 1 1500
ip route 0.0.0.0 0.0.0.0 192.168.1.17
Send default network 0/0 into the EIGRP domain by using "ip summary-address eigrp <AS> 0.0.0.0 0.0.0.0" on the interface connected towards the EIGRP side.


7.2.4. OSPF/ ISIS A router can advertise a default route with default information-originate. This will work only if the router has a default route already. If not use the keyword always. But the router needs to have a stable path to the destination or a black hole will exist. The following configuration example illustrates how a route map is referenced by the default-information router configuration command. This is called conditional default origination. OSPF will originate the default route (network 0.0.0.0) with a Type 2 metric of 5 if 140.222.0.0 is in the routing table. Extended access-lists cannot be used in a route map for conditional default origination.

Ø OSPF
Example #1
router ospf
 default-information originate route-map DEFAULT
!
route-map DEFAULT
 match ip address 5
!
access-list 5 permit 0.0.0.0
Example #2
router ospf 109
 default-information originate route-map ospf-default
!
route-map ospf-default permit
 match ip address 1
 set metric 5
 set metric-type type-2
!
access-list 1 permit 140.222.0.0 0.0.255.255

Ø ISIS
router isis
 default-information originate route-map adv-default
!
route-map adv-default permit 10
 match ip address 10
!
access-list 10 permit 192.168.200.192 0.0.0.3
This allows 192.168.200.192 to be advertised as a default only if it is in the ISIS database. You have to have ISIS on the link.
Example #2
router isis 100
 default-information originate route-map DEFAULT
!
route-map DEFAULT
 match ip address 5
 match ip next-hop 2
!
access-list 5 permit 0.0.0.0


7.2.5. BGP
Default 0.0.0.0 route into BGP: 1) 0.0.0.0 in the routing table, 2) network 0.0.0.0 under the routing process. The only difference between advertising a static and a default route is that when you redistribute a static, BGP sets the origin attribute of updates to incomplete.
To advertise default routes within BGP
Method 1a - Send a default route to a neighbor
router bgp 200
 nei 1.1.1.1 default-originate
ip route 0.0.0.0 0.0.0.0 2.2.2.2
Method 1b - Send a default route to a neighbor
router bgp 200
 nei 1.1.1.1 default-originate always
Method 2
router bgp 200
 netw 0.0.0.0
ip route 0.0.0.0 0.0.0.0 2.2.2.2
Method 3
router bgp 200
 netw 0.0.0.0
ip route 0.0.0.0 0.0.0.0 2.2.2.2 40
ip route 0.0.0.0 0.0.0.0 3.3.3.3 60
Method 4
int lo 0
 ip add 172.33.16.0 255.255.255.0
router bgp 200
 network 172.33.16.0
 nei 1.1.1.1 default-originate route-map default-route
route-map default-route permit 10
 match ip address 1
access-list 1 permit 172.33.16.0
Sending a BGP default route to an IGP
Make sure the IGP does not have a default pointing to BGP. A route map is used to inject BGP's default route only; otherwise a few too many routes may get injected into the IGP.
RIP - Set the default-metric under RIP; the BGP route is automatically injected into RIP.
IGRP - The ip default-network needs to be set for the redistribution to be successful. This will be set to the BGP address (192.168.2.0). Set the default-metric in IGRP.

7.2.6. IPX

IPX Default Routes
IPX's default route is FFFF.FFFE or -2.
ipx routing
ipx internal-network ACE
ipx route-default ACE.0000.0000.0002
To reduce RIP updates and only send the default route out use:
ipx advertise-default-route-only 300

7.3. DEFAULT ROUTE SUMMARIES

 RIP         default-information originate, ip default-gateway
 IGRP        ip default-network
 EIGRP       redistribute ospf into EIGRP, or use ip summary-address eigrp 100 0.0.0.0 0.0.0.0 on the interface connected towards the EIGRP side
 OSPF/ISIS   default-information originate
 BGP         neighbor default-originate route-map
             router bgp 200
              neighbor 1.1.1.1 default-originate route-map DEFAULT
             route-map DEFAULT
              match ip address 1
             access-list 1 permit 172.33.16.0

7.4. AUTHENTICATION

 Protocol   Supports MD5
 OSPF       Yes
 RIP v2     Yes
 BGP        Yes
 EIGRP      Yes
 ISIS       Yes

Ø OSPF
interface ethernet1
 ip address 10.1.1.1 255.255.255.0
 ip ospf message-digest-key 100 md5 cisco
!
router ospf 1
 network 10.1.1.0 0.0.0.255 area 0
 area 0 authentication message-digest

Ø ISIS
interface ethernet0
 ip address 10.1.1.1 255.255.255.0
 ip router isis
 isis password cisco level-2

Ø BGP
router bgp 200
 no synchronization
 neighbor 4.1.2.1 remote-as 300
 neighbor 4.1.2.1 description Link to Excalabur
 neighbor 4.1.2.1 send-community
 neighbor 4.1.2.1 version 4
 neighbor 4.1.2.1 soft-reconfiguration inbound
 neighbor 4.1.2.1 route-map Community1 out
 neighbor 4.1.2.1 password cisco


7.5. ROUTING TABLES

Ø Distance-Vector
 Single table – routing
 Full routing table advertisements
 Loop-avoidance techniques: split-horizon, poison-reverse, count-to-infinity
 Timers – update, holddown, flush
 Routing tables are forever young if stable.
 show ip protocols   Used to view the routing timers

Ø Link-State Protocols
 Three tables – routing, neighbor, topology
 Executes SPA for path determination; results are posted to the main routing table
 Partial advertisement updates – LSAs
 Know backup routes since they have a full topology in memory
 Routing tables should be old to be stable.
 A benefit of LS protocols is that they don't have a hop count.

Ø On-Demand Routing (ODR) (160)
 Supports VLSM
 Metric is hop-count, so all routes usually have a metric of 1
 Uses CDP; CDP uses SNAP frames
 Hub to stub: ODR
 Default route to hub
 router odr


Ø Maintaining Routing Tables
 RIP, IGRP   Hold-down state and mark "possibly down"
 EIGRP       Feasible successor
 OSPF

Ø Cisco Routing Table – Seven Columns
 1. Source of routing information
 2. Destination address
 3. Administrative distance
 4. Metric
 5. Next hop / source of routing information
 6. Age of entry (dynamic routing protocols only)
 7. Local interface to switch packet
Example: I* 140.10.0.0 [100/183071] via 172.16.3.2 00:00:26, Serial1

Ø Redundancy
 Floating statics
 DDR
 Adjust metrics
 AD
 Dialer watch
 Backup interface

7.6. TROUBLESHOOTING ROUTING TABLE
 Are all connected routes listed?
 Is the default route set?
 Is the destination in the routing table?
 Are the routing metrics correct?
 Are the routes aging?
 Any "possibly down" networks?

Ø Troubleshooting Commands
 show ip route connected
 show ip route
 show ip route 172.16.1.0
 clear ip route *                                     Resets the entire routing table
 show ip route 172.16.0.0 255.0.0.0 longer-prefixes   Used to filter routing table displays
 debug ip packet                                      Be careful with this command
 debug ip icmp
 debug ip routing
 debug ip rip
 debug ip igrp events
 debug ip igrp transactions
 debug ip ospf adj
 debug ip eigrp
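The seven-column format and the troubleshooting checklist above can be turned into a small parser and a set of automated checks. The following is an added example written for these notes, not code from the CCIE Book: the show ip route sample inside it is constructed (the IGRP line is the one quoted above, the rest are invented in the same display style), the invalid-timer threshold is the RIP default of 180 seconds, and the classful-mask fallback mirrors the "RIP will assume a classful mask" rule for entries shown without a prefix length. The lookup also shows the difference between ip classless and classful forwarding that the RIP section relies on.

```python
"""Parse 'show ip route' lines and run the routing-table checklist (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample output; the I* line is the one quoted in the notes.
SAMPLE_SHOW_IP_ROUTE = """
C    172.16.3.0/24 is directly connected, Serial1
C    192.168.1.0/24 is directly connected, Ethernet0
I*   140.10.0.0 [100/183071]via 172.16.3.2 00:00:26, Serial1
R    10.10.0.0/16 [120/1] via 172.16.3.2, 00:00:12, Serial1
R    10.30.0.0/16 is possibly down, routing via 172.16.3.2, Serial1
R    10.40.0.0/16 [120/3] via 172.16.3.2, 00:04:05, Serial1
S*   0.0.0.0/0 [1/0] via 172.16.3.2
"""


@dataclass
class Route:
    code: str                       # 1. source of routing information
    network: ipaddress.IPv4Network  # 2. destination
    admin_distance: Optional[int]   # 3. administrative distance
    metric: Optional[int]           # 4. metric
    next_hop: Optional[str]         # 5. next hop
    age_seconds: Optional[int]      # 6. age (dynamic protocols only)
    interface: Optional[str]        # 7. outgoing interface
    possibly_down: bool = False     # distance-vector hold-down state

    @property
    def is_default(self) -> bool:
        # 0.0.0.0/0, or a candidate default marked with "*" (e.g. I* from ip default-network)
        return self.network.prefixlen == 0 or "*" in self.code


HEAD_RE = re.compile(r"^(?P<code>[A-Z]\*?(?: [A-Z]{1,2})?)\s+(?P<net>\d+\.\d+\.\d+\.\d+)"
                     r"(?:/(?P<plen>\d+))?\s+(?P<rest>.*)$")
CONN_RE = re.compile(r"is directly connected, (?P<iface>\S+)")
DOWN_RE = re.compile(r"is possibly down, routing via (?P<nh>\S+), (?P<iface>\S+)")
DYN_RE = re.compile(r"\[(?P<ad>\d+)/(?P<metric>\d+)\]\s*via (?P<nh>\d+\.\d+\.\d+\.\d+),?"
                    r"(?:\s+(?P<age>\d+:\d{2}:\d{2}))?(?:,\s*(?P<iface>\S+))?")


def classful_prefixlen(addr: str) -> int:
    """Mask a classful protocol assumes when none is shown (class A/B/C by first octet)."""
    first = int(addr.split(".")[0])
    if first == 0:
        return 0
    return 8 if first < 128 else 16 if first < 192 else 24


def age_to_seconds(age: str) -> int:
    h, m, s = (int(x) for x in age.split(":"))
    return h * 3600 + m * 60 + s


def parse_route_line(line: str) -> Optional[Route]:
    m = HEAD_RE.match(line.strip())
    if not m:
        return None
    plen = int(m["plen"]) if m["plen"] else classful_prefixlen(m["net"])
    net = ipaddress.ip_network(f"{m['net']}/{plen}", strict=False)
    rest = m["rest"]
    conn = CONN_RE.match(rest)
    if conn:
        return Route(m["code"], net, 0, 0, None, None, conn["iface"])
    down = DOWN_RE.match(rest)
    if down:
        return Route(m["code"], net, None, None, down["nh"], None, down["iface"], possibly_down=True)
    dyn = DYN_RE.match(rest)
    if dyn:
        age = age_to_seconds(dyn["age"]) if dyn["age"] else None
        return Route(m["code"], net, int(dyn["ad"]), int(dyn["metric"]), dyn["nh"], age, dyn["iface"])
    return None


def parse_routing_table(text: str) -> List[Route]:
    return [r for r in (parse_route_line(line) for line in text.splitlines()) if r]


def lookup(routes: List[Route], dest: str, ip_classless: bool = True) -> Optional[Route]:
    """Longest-prefix match. Without ip classless, a destination inside a major network
    that has subnets in the table but no matching one is dropped rather than falling
    through to the default route (the discontiguous-subnet problem from the RIP notes)."""
    addr = ipaddress.ip_address(dest)
    usable = [r for r in routes if not r.possibly_down and addr in r.network]
    if not ip_classless:
        major = ipaddress.ip_network(f"{dest}/{classful_prefixlen(dest)}", strict=False)
        has_subnets = any(r.network.subnet_of(major) and r.network.prefixlen > major.prefixlen
                          for r in routes)
        specific = [r for r in usable if r.network.prefixlen >= major.prefixlen]
        if has_subnets and not specific:
            return None
    return max(usable, key=lambda r: r.network.prefixlen, default=None)


def routing_table_checks(routes: List[Route], expected_connected: List[str],
                         invalid_timer: int = 180) -> Dict[str, object]:
    """The checklist from the notes, as data a monitoring job can alert on."""
    connected = {str(r.network) for r in routes if r.code.startswith("C")}
    return {
        "missing_connected": [n for n in expected_connected if n not in connected],
        "default_route_present": any(r.is_default for r in routes),
        "possibly_down": [str(r.network) for r in routes if r.possibly_down],
        # RIP (R) and IGRP (I) routes older than the invalid timer are no longer being refreshed
        "stale": [str(r.network) for r in routes
                  if r.code[0] in "RI" and r.age_seconds is not None and r.age_seconds > invalid_timer],
    }
```

Run it on real `show ip route` output pasted into SAMPLE_SHOW_IP_ROUTE; routes in hold-down are excluded from lookups, and a classful lookup returning None for an address whose major network is partly known is exactly the 50%-packet-loss symptom described under discontiguous subnets later in the notes.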


7.7. DEBUGGING IP PACKET FORWARDING

Are IP packets leaving the router in the desired manner?
 ping (standard ping / extended ping)
 debug ip packet
Is the packet leaving the router through the correct interface?
 If debug ip packet displays "unroutable" messages, check the routing table: show ip route
 If debug ip packet displays "encap failed" messages, check the processes that support the forwarding of IP packets out of a particular interface:
  If the "encap failed" message appears on a multiaccess interface, such as Ethernet or Token Ring, enable debug arp to make sure the ARP process is working properly.
  If the "encap failed" message appears on a non-broadcast multiaccess interface, such as Frame Relay or ATM, enable debug frame packet or debug atm packet to make sure the packet has a mapping to the destination address.
  If the "encap failed" message appears on a switched connection, such as an ISDN/DDR link, enable debug isdn q931 to make sure the call is being set up properly; debug dialer packet to make sure the traffic is being defined as interesting; or debug ppp authentication to make sure PPP authentication is occurring properly.
 If debug ip packet displays only "sending" messages, all IP forwarding processes are operating properly on this router. Check all intermediate routers or the return path of the routing traffic.
Are IP routing updates sending the correct prefixes out the correct interfaces? Are you receiving the correct routing updates on the correct interfaces?
 debug ip rip
 debug ip igrp transactions
 debug ip igrp events
 debug ip eigrp
 traceroute (standard traceroute / extended traceroute)


8. RIP (R) 120

Enable and assign locally connected IP addresses to each routing process with the network command.
 Transport is UDP 520.
 Uses hop count: 1 = connected, 16 = unreachable.
 Each RIP update can have up to 25 routes in it (25 destinations per routing update packet).
 Multiple connections will enable equal-cost load balancing.
 Boundary routers will automatically summarize.
 Know about the split-horizon problems. How do you work around them?
 RIP metric = hops, maximum 15.
 All subnets must be classful and contiguous. ip classless and default routes can be used for discontiguous RIP networks.
In a RIP domain, all subnets must be contiguous. The contiguous subnet requirement can be overcome by using a combination of default routes and the ip classless command. By enabling ip classless, you override the contiguous subnet rule and allow the router to look for the longest match beyond the listed subnets. If a subnet is not listed on a router with ip classless enabled, it will eventually match the 0.0.0.0 entry (the default route).
The most useful debugging tool for RIP routing is debug ip rip.
RIPv1 and IGRP will advertise routes having a different subnet mask than the interface if the route is in a different major network. RIP will assume a classful mask. RIP will advertise host routes.

RIP
 ip rip send version 1
 ip rip receive version 1
Authentication
 ip rip send version 2
 ip rip receive version 2
 ip rip authentication mode md5
 ip rip authentication key-chain cisco
Global
 key chain cisco
  key 1
   key-string cisco

Ø Timers
 Update     30
 Invalid    180
 Holddown   180
 Flush      270
If you adjust the timers on one router in a RIP domain, adjust the timers on all routers to the exact same settings.

Ø Basic RIP Configuration
router rip
 network 172.16.0.0
ip route 0.0.0.0 0.0.0.0 <next-hop>   RIP's default route

Ø Tuning RIP
 offset-list   Used to adjust the metric manually; changes the hop count
 distance      Used to adjust the administrative distance
 timers        Used to adjust the timers; make sure all routers' timers are the same
 version       Used to enable RIP v2

Ø Passive-Interface
Use passive interfaces to stop advertisements.
Unicast updates: you can use the passive-interface command to block routing traffic and then add the neighbor command to allow routing to specific routers. For example, block on the serial interface for three routers but add a neighbor statement for r2 to allow it to get updates.

Ø Commands to Know
 *flash-update-threshold
 *input-queue
 output-delay
 *validate-update-source   Disables the validation of the source IP address of incoming RIP routing updates. Needed when 2 IGPs are running.

Ø Troubleshooting RIP
Are the distance-vector timers the same?
 show router rip
 debug ip rip
 debug ip routing
 clear ip route *
 show ip protocols   Check the timers

8.1. RIP V1

Ø Timers
 Invalid timer        180 seconds (6x updates). These are marked "possibly down" in the route table until garbage collection.
 Garbage collection   240 seconds (invalid + 60 seconds)
 Holddown             180 seconds (6x updates)
 Random timer         1-5 seconds, used for triggered updates

Ø Configuring RIPv1
router rip
 network 10.0.0.0
 passive-interface e0
 neighbor 192.168.1.12
debug ip rip
debug ip rip events

Ø Discontiguous Subnets for RIPv1
 r1 - - - r2 - - - r3
10.10.0.0 is on r1 and 10.20.0.0 is on r3; r1 and r3 are border routers. r2 will only get 50% of the packets correct.
Solutions:
 1 – Configure subnets 10.10.0.0 and 10.20.0.0 on r2. This stops r1 and r3 from being border routers. Use a secondary IP address to resolve this.
 2 – Use default routes to 10.10.0.0 on both routers.
 3 – Configure a secondary address on the primary interface.

Ø Proper Path Determination
 r1 - - - - - - - - - - - (backup link to r3, 10.3.0.0)
 |                                            |
 r2 - - - - - - - - - - - - - - - - - - - - - r3
r1-r2-r3 is the preferred path, but RIP uses hops so r1-r3 is used. Change the metric on the backup link.

Change incoming on r1 and r3:
router rip
 network 10.0.0.0
 offset-list 1 in <offset> serial 0
access-list 1 permit 10.3.0.0 0.0.0.0

Change outgoing on r1 and r3:
router rip
 network 10.0.0.0
 offset-list 2 out <offset> serial 0
access-list 2 permit 10.3.0.0 0.0.0.0

Other offset-list options:
 If no interface is specified, all in/out interfaces will be modified.
 If ACL 0 is used, all in/out updates will be modified.

Ø Limitations of RIP
No support for discontiguous networks, VLSM or CIDR (RIP is classful).

8.2. RIP V2
 Carries subnet mask – VLSMs
 Has authentication
 Next-hop with each route entry
 External route tags – used to send AS numbers or other info
 Uses multicast updates – 224.0.0.9
* Underlined items are the fields that are new to the RIP packet.

Ø RIP Compatibility Modes
 Rip-1        only transmit v1 messages
 Rip-2-only   multicast only v2 messages
 Both         broadcast v2 messages
If you want to block RIP use passive-interface, or block port 520 on the interface.

Ø Authentication
 When enabled only 24 routes per route update.
 AFI is set to all ones – 0xFFFF
 Simple password is auth-type 2
 MD5 is auth-type 3
key chain valk
 key 1
  key-string 99valk
interface ethernet 0
 ip rip authentication key-chain valk
 ip rip authentication mode md5     (omit for clear-text authentication)
router rip
 version 2

Ø Configuring RIPv2
router rip
 version 2 | version 1
 network 10.0.0.0
interface e0
 ip rip receive version 1
interface s0
 ip rip send version 1 2
If a version 2 router receives a route it cannot send the route out the same interface to a version 1 router (split horizon). The version 2 router must either turn off split horizon or enable sending v1 updates.

Ø Discontiguous Subnets for RIPv2
Turn off auto-summary at boundary routers with the no auto-summary command.

Ø Authentication (this is identical to the EIGRP authentication configuration)
interface e0
 ip rip authentication key-chain CCIE
 ip rip authentication mode md5

RIPv1 versus RIPv2
 RIPv1      RIPv2
 Classful   Classless / VLSM
            Authentication (simple / MD5)
            no auto-summary
            Uses multicast updates
            Snapshot routing
            External route tags


9. IGRP (I) 100
 All subnets must be classful and contiguous.
 Each update carries 104 entries.
 Does not support authentication.
 Summarizes at boundaries.
 Uses IP protocol 9.
 Uses ASes.
IGRP has three route types:
 Internal   Local subnets
 System     Summarized by boundary router
 Exterior   Default network
For discontiguous networks the RIPv1 solution should work.

Ø Metric
IGRP metric = bandwidth + delay. Bandwidth is the smallest of all bandwidths on outbound ports in a given path. Delay is the sum of all delays of outbound ports in a path.
Metric components: delay, bandwidth, reliability, load, hop count.
Delay is in units of 10 ms. Delay = 167 seconds; delay can only go to 167.8 seconds. Anything over 167 is unreachable.
BW = 10^7 / BW (or 10 GB / BW). The default for serial interfaces is a T1, so anything else must be changed.
Delay is DLY/10; a 50 ms delay would be 5 in IGRP.
Max hops = 100 by default, up to 255: metric maximum-hops

Ø Timers
Jitter is up to 20%, 18 seconds.
 Update     90
 Invalid    270 (3x update)
 Holddown   280 (3x + 10). Disable with the no metric holddown command; OK to do in loop-free topologies.
 Flush      630 (7x). Has to be at least the sum of the update and holddown timers.
IGRP has a sleeptime timer, used to delay an update after a triggered update was received.
All timers in the AS must be the same.
Speed up IGRP convergence by reducing the holddown and flush timers as long as you know you do not have any routing loops.

Ø Bandwidth
IGRP bandwidth (bits) = (10^10 / BW (bps)) div 1
 Min BW = 1200 bps: Max IGRP bandwidth = (10^10 / 1200) div 1 = 8 333 333
 Max BW = 10 Gbps: Min IGRP bandwidth = 10 / 10 = 1
 Loopback    BW = 10 000 000 000 bps;  IGRP bandwidth = 1
 Satellite   BW = 500 000 000 bps;     IGRP bandwidth = 20
 Ethernet    BW = 10 000 000 bps;      IGRP bandwidth = 1000
 Serial      BW = 2 000 000 bps;       IGRP bandwidth = 5000
 Serial      BW = 512 000 bps;         IGRP bandwidth = 19531
 Serial      BW = 64 000 bps;          IGRP bandwidth = 156250
 Serial      BW = 9 600 bps;           IGRP bandwidth = 1041666

Ø Unequal Load Sharing
IGRP will load balance up to 6 equal-cost paths. The IGRP maximum-paths default is 4.
*IGRP supports unequal load sharing with the variance command.
Three rules must be met for a route to load-share:
 1 – The maximum-paths limit must not be exceeded.
 2 – The next hop must be metrically closer to the destination.
 3 – The metric of the lowest-cost route, when multiplied by the variance, must be greater than the metric of the route to be added.

Ø Summarizing a VLSM Address
To summarize a 24-bit address:
 1. A static route to null0:
    ip route 172.16.6.0 255.255.255.0 null0
    redistribute static subnets
 or
 2. redistribute connected subnets
    summary-address 172.16.6.0 255.255.255.0
 or
 3. Add a /24 secondary address on the interface:
    redistribute connected subnets

Ø Configuring IGRP
router igrp 10
 network 10.0.0.0
 offset-list                                       (uses delay and not hops)
 metric weights tos k1 k2 k3 k4 k5
 timers basic update invalid hold flush [sleeptime]
 traffic-share [balanced | min]                    Specifies equal or unequal-cost load balancing
 validate-update-source

Ø Tuning IGRP
 distance   Used to adjust the administrative distance
 variance   Used for unequal-cost load balancing
 timers     Used to adjust the timers; make sure all routers' timers are the same

Ø Commands to Know
 default
 **default-information
 **default-metric
 **distance
 ***distribute-list
 *input-queue
 *maximum-paths
 *metric
 **neighbor
 **network
 *offset-list             This is delay in IGRP
 *passive-interface
 ***redistribute
 *timers
 *traffic-share           Specifies whether equ al or non-equal paths should be used
 *validate-update-source
 *variance

Ø Troubleshooting IGRP
Are the distance-vector timers the same?
 show ip route 172.16.0.0
 show ip protocols
 debug ip igrp events
 debug ip igrp transactions
 debug ip routing


10. EIGRP (D 90) (EX 170)
 Classless
 Updates are periodic and partial
 Uses protocol number 88 of IP
 EIGRP uses no more than 50% of bandwidth: ip bandwidth-percent eigrp 50
 EIGRP handles losing neighbors and routes by setting the delay to –1, infinity.
One key concept: EIGRP updates routes like DV protocols and converges like link-state protocols.

10.1. HOW EIGRP WORKS
For scalability use:
 IP addressing scheme
 Hierarchy – core, distribution, access
 Summarization at boundaries and interfaces whenever possible
 Bandwidth issues – use dialer profiles and set bandwidth / # dial-ins
EIGRP does not have timers since it uses feasible distances. EIGRP routing tables get old when stable.
EIGRP has four components:
 Protocol-dependent modules
 RTP
 Neighbor discovery / recovery
 Diffusing Update Algorithm (DUAL)
EIGRP has three types of routes, just like IGRP:
 Internal   Learned by EIGRP                   90
 External   Redistributed                     170
 System     Auto-summary or explicit summary    5

Ø Route Process
  Route Selection Process
            ^
  Topology Database   <->  Other Protocols (Internal) (External)
            ^
  Neighbor Table      <->  DUAL
            ^
  Transport Mechanisms (Hello) (RTP)

Ø EIGRP Packet Types
 Hellos            unreliable multicast
 ACKs              unreliable unicast
 Updates           reliable multicast
 Queries/Replies   reliable unicast (?)

             Unreliable   Reliable
 Unicast     Ack          Reply, SAP response
 Multicast   Hello        Update, Query (?), IPX SAP flash update, IPX SAP query

Unicasts are sent instead of multicasts when sending over Frame Relay, and when retransmitting a packet (update) to a neighbor that did not acknowledge the packet in the multicast timeout interval. Use show ip eigrp interfaces detail (sie int detail) to see the unicast packets sent; the mcast exceptions are the unicasts.

Ø Hellos
When you change the hello or hold time, change it on both neighbors.
Hellos are for:
 Discovering new neighbors
 Verifying neighbor confirmation / adjacency
 Monitoring neighbor reachability and detecting loss
Hellos are sent every 5 seconds; on NBMA (T1 and slower) they are sent every 60 seconds. This longer hello is also used for ATM SVCs and ISDN PRIs.
 ip hello-interval eigrp <as> <seconds>   Used to change the time
Hellos use a reliable multicast to 224.0.0.10 and each neighbor responds with a unicast ack. Hellos are sent from the primary interface address; if the secondary interface is in EIGRP the neighbor must know about the primary address for it to work.
Hellos use two timers to detect neighbors:
 Hello interval – how often hellos are sent (5 seconds)
 Hold timer – how long to wait for a hello (3x hello interval)
If a neighbor does not respond to an update, a unicast is sent; after 16 of these are sent the neighbor is declared dead. The time to wait before a multicast is sent is the multicast flow timer. The time between unicasts is the retransmission timeout (RTO). Both the RTO and the multicast flow timer are calculated from the smooth round-trip timer (SRTT). The RTO cannot be smaller than 200 msec or larger than 5 seconds.
 show ip eigrp neighbors   To display SRTT
To find the hello interval: debug eigrp packets hello (on the neighbor). When you see two hello packets, subtract the timestamps. An easier method is show ip eigrp neighbors: watch the hold timer jump (the default is 15 seconds) and divide by three for the hello timer.

Ø Metric
EIGRP uses bandwidth and delay for the metric; if you must change the metric, change the delay. The metric is two-part: composite and vector.
 show ip eigrp topology 10.0.0.1 255.0.0.0   Displays both metrics
The vector part is all the parts – load, reliability, MTU, bandwidth, delay. The composite is the result.
Setting all metrics to 0 will create routing loops. If you turn off split-horizon, loops can be generated as well.
The bandwidth and delay must be the same throughout the AS and VLANs.
Metric = [ 10,000,000 / BW + ((delay on first connection + delay on second connection) / 10) ] * 256


The only difference between an IGRP metric and an EIGRP metric is that the EIGRP metric is represented by a value that is larger than the IGRP metric by a factor of 256.
 IGRP = BW + DLY = IGRP metric
 19531 + 4600 = 24131
 10^7/512 + 46000/10
The BW is the minimum BW along the path to the destination. The DLY is the sum of all the delays along the path to the destination.

 Media              Bandwidth (kbps)   BW / IGRP    Delay (usec)   Delay / IGRP
 ATM
 FE
 FDDI               100,000            100          100            10
 HSSI               45,045             222          20,000         2,000
 TR                 16,000             625          630            63
 Ethernet           10,000             1,000        1,000          100
 Loopback           8,000,000                       5,000          500
 T1                 1,544              6,476        20,000         2,000
 DS0                64                 156,250      20,000         2,000
 Dialer / 56K       56                 178,571      20,000         20,000
 Tunnel             9                  1,111,111    500,000        50,000
 Low Speed Serial   115                             20,000         2,000
 BRI                64                              20,000

Ø Holddown Timer
A router needs to receive another hello before the holddown time expires. The holddown timer is 3x the hello interval. If another hello is not received the neighbor is considered unreachable.
The holddown timer is changed with ip hold-time eigrp <as> <seconds>.
To find the hold time: show ip eigrp neighbors. Do this repeatedly until you see the hold timer jump to its highest value. This is the hold time of the router. The value jumps when the router receives a hello packet, resetting the hold time.
Once EIGRP routing is enabled three tables are created:
 Topology database – advertised metric, feasible distance. Stores all routes learned in the topology table.
 Neighbor table
 Routing table

Ø Topology Table
How information is entered into the topology table:
 Update packets
 Reply packets
 Redistributed route (EX)
 Network command in the EIGRP process
Deleted from the topology table:
 Subnet unreachable – physical failure
 Update, query or reply with infinite delay
 Redistribution fails (EX removed)
 Neighbor found dead
Topology table rules:
 Routes learned locally take precedence over neighbor routes regardless of distance. Even if the local route is down it will block the neighbor route.
 A static route will block successors and make the FD infinite if the destinations are the same.
Monitoring the topology table (sie = show ip eigrp):
 show ip eigrp topology summary                   Summary of all topology tables
 show ip eigrp topology <as> summary              Summary of the AS topology table
 show ip eigrp topology <as>                      Routes in the topology table
 show ip eigrp topology <as> all-links            Summary of all routes in the topology table
 show ip eigrp topology <as> <ip addr> <mask>     Shows all the details of a route, such as route-type and vector/composite metrics
 show ip eigrp topology active                    Displays routes for which DUAL is active
 show ip eigrp topology pending                   Displays unconverged routes
 show ip eigrp topology zero-successors           Displays routes with successors that are down
With show ip eigrp topology summary check the number of routes. If the number of routes is much more than the routes in your routing table, your network is too highly meshed or split-horizon is off at the wrong place. Use show ip eigrp topology all-links to verify this condition.
The next-serial field counts the number of changes to the topology table. By monitoring this you can tell how stable your network is.
Compare show ip eigrp topology and show ip eigrp topology all-links to see what routes are not FS due to the FC.
show ip eigrp topology <as> <ip addr> <mask> for external routes will also display:
 The originating router
 AS number of BGP or EIGRP
 External protocol
 External metric
 Administrative tag

Ø Neighbor Table (Adjacency Table)
 debug eigrp neighbors                 Debug neighbor events
 router eigrp <as>
  eigrp log-neighbor-changes          Logs adjacency establishments and losses
 ipx router eigrp <as>
  log-neighbor-changes                Logs adjacency establishments and losses
When using logs use service timestamps to record the times. logging buffered enables logging to the internal buffer.
Adjacency resets – why?
 Hold time expires
 16 packets sent with no reply
 Interface down / line down
 Network removed from the EIGRP process
How to manually reset:
 clear ip eigrp neighbors <ip address>   Clears a single neighbor
 clear ip eigrp neighbors <interface>    Clears the neighbors on an interface
 clear ip eigrp neighbors                Clears all neighbors
IOS resets when a configuration change affects the topology table:
 Change interface – bandwidth, delay, MTU
 Split-horizon change
 Summarizations
 Network address change
 Passive-interface added or removed
 Distribute-list modified
 Metric changed
 Maximum-hops changed
Tips for adjacency resets:
 Any changes to EIGRP should be done during maintenance periods. Otherwise the network will go down for 5-60 seconds until the adjacencies re-establish. The possibility of a network meltdown exists if the network is not designed properly.
 All changes to core routers should be done in batches to prevent repetitive adjacency resets, which could lead to a meltdown.
 Any adjacency reset will last as long as 2x the hello interval – 10-14 seconds on Ethernet or 120-179 seconds on Frame Relay links.
Monitoring neighbors:
 show ip eigrp neighbors                        Summary of all neighbors
 show ip eigrp neighbors <as>                   Summary of AS neighbors
 show ip eigrp neighbors <interface>            Summary of interface neighbors
 show ip eigrp neighbors detail <as>            Detail of all neighbors on the AS
 show ip eigrp neighbors detail <interface>     Detail of all neighbors on the interface
 show ip eigrp neighbors detail                 If this router is a potential bottleneck, shows the routers not responding to queries. This will display who is the slowest during convergence. Look for long active times and a high number of routes.

Ø TERMS
 DUAL – is run when a neighbor is found or lost
 Adjacency – link between neighbors
 Feasible distance (FD) – metric to the destination
 Feasible condition (FC) – is met if the neighbor's FD is lower than the router's FD
 Feasible successor (FS) – if the FC is met the neighbor is a FS. All FSs will be recorded in the topology table.
 Successor (S) – a route that is put in the routing table; the lowest FD.
The FS will become the S if:
 A new route is learned
 The cost of the successor increases
 The cost of the FS decreases to below the S's route
Finding a FS is done by DUAL. The DUAL finite state machine defines the rules:
 First a local computation is done
 If an FS exists, it is the S
 If the new FD is lower, the FD is updated
When DUAL is running routes go into an active state. When a router is in an active state it cannot:
 Change the S
 Change the distance for a route
 Change the route's FD

10.2. DUAL

Ø DUAL Rules
 1 – Whenever a router chooses a new S, it informs all its neighbors about the new distance.
 2 – Every time a router selects a new S, it sends a poison-reverse to its S.
 3 – A poison update is sent to all neighbors on the interface through which the S is reachable unless split-horizon is off; then it sends the poison update only to the S.

Ø DUAL Computation
 1 – Mark the route active; start the active timer (3 minutes to converge).
 2 – Start the local computation. If an FS exists, set it to S and send an update. If no FS exists go to 3.
 3 – Send queries to all neighbors.
 3b – Each neighbor starts a local computation. If the neighbor has an FS, it sends a reply. If the neighbor does not have an FS, it starts DUAL: if it has other routers attached it sends a query to them and they start #3 as well. Once all the other routers reply to this neighbor, this neighbor then replies back to the original router. This time can create SIA events.
 4 – The lost route's FD is set to infinity so any replies meet the FC. If the replies are not received within 3 minutes the route is SIA. The neighbors who did not reply will be removed from the neighbor table. (Receive replies.)
 5 – For every reply received a metric is calculated. An S is not chosen until all replies are received.
 6 – Whether a new S is found or not, the route table is updated and an update packet is then sent; all routers are now converged.
When a route is declared unreachable another route is searched for. If a route is found in the topology table / route table (up to six are kept) it is activated and DUAL is not performed. When a route is lost but an FS exists the change is immediate by local computation. This may not be the case for its neighbors however. Proper network design will take this into consideration.

Ø Monitoring DUAL
 timers active-time 3             Used to change the active time
 timers active-time disable       Disables the SIA check
 show ip eigrp neighbors detail   If this router is a potential bottleneck, shows the routers not responding to queries. This will display who is the slowest during convergence. Look for long active times and a high number of routes.

Ø Building a Route Table
All Ss, up to six, are put into the routing table. IGRP and EIGRP are the only routing protocols that support unequal-cost load balancing.
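The FD/FC/FS terms, the DUAL local computation, and the three variance rules from the IGRP unequal-load-sharing section can all be checked with a few lines of code. The following is an added example written for these notes, not code from the CCIE Book: the neighbours, reported distances and link costs are constructed, metrics are plain integers standing in for the composite metric, and rule 3 is applied exactly as the notes state it (FD times variance strictly greater than the candidate's metric), with equal-cost paths always eligible. The point it makes visible is that a path can satisfy the variance rule and still be rejected because its next hop fails the feasibility condition.

```python
"""Successor / feasible-successor selection and variance load sharing (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Path:
    neighbor: str
    reported_distance: int  # the neighbour's own FD to the destination (its advertised metric)
    link_cost: int          # cost of the link from this router to that neighbour

    @property
    def distance(self) -> int:
        """This router's metric to the destination through the neighbour."""
        return self.reported_distance + self.link_cost


def successor(paths: List[Path]) -> Path:
    """S: the lowest-distance path; it goes into the routing table."""
    return min(paths, key=lambda p: p.distance)


def feasible_distance(paths: List[Path]) -> int:
    return successor(paths).distance


def meets_fc(path: Path, fd: int) -> bool:
    """Feasibility condition: the neighbour's reported distance is strictly below our FD,
    so the neighbour cannot be routing back through us (loop freedom)."""
    return path.reported_distance < fd


def feasible_successors(paths: List[Path]) -> List[Path]:
    fd = feasible_distance(paths)
    s = successor(paths)
    return [p for p in paths if p is not s and meets_fc(p, fd)]


def load_sharing_paths(paths: List[Path], variance: int = 1, maximum_paths: int = 4) -> List[Path]:
    """The three rules from the IGRP notes: maximum-paths not exceeded, next hop metrically
    closer (the FC), and FD * variance greater than the candidate's metric. Equal-cost paths
    (distance == FD) are always eligible; with variance 1 only those remain."""
    fd = feasible_distance(paths)
    eligible = [p for p in sorted(paths, key=lambda p: p.distance)
                if meets_fc(p, fd) and (p.distance == fd or p.distance < fd * variance)]
    return eligible[:maximum_paths]


def on_successor_loss(paths: List[Path], lost_neighbor: str) -> Tuple[str, Optional[Path]]:
    """Local computation when the current successor is lost. With an FS the new S is chosen
    immediately and the route stays passive; without one the route goes active and DUAL has
    to query the neighbours (the slow path that can end in SIA). FSs are judged against the
    FD that was in force before the loss."""
    fs = [p for p in feasible_successors(paths) if p.neighbor != lost_neighbor]
    if fs:
        return "passive", min(fs, key=lambda p: p.distance)
    return "active", None


# Constructed example: three neighbours advertising the same destination.
EXAMPLE_PATHS = [
    Path("r2", reported_distance=10, link_cost=10),  # distance 20 -> successor, FD = 20
    Path("r3", reported_distance=15, link_cost=10),  # distance 25, RD 15 < 20 -> feasible successor
    Path("r4", reported_distance=25, link_cost=5),   # distance 30, RD 25 >= 20 -> fails the FC
]
```

With variance 2 the r3 path is added to the routing table (20 * 2 = 40 > 25); r4 is never added, however large the variance, because its reported distance is not below the FD. Losing r2 is handled by local computation (r3 becomes S, no queries), while losing r2 when only r4 remains sends the route active.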

Ø Distance
To change the distance:
 Default
  router eigrp <as>
   distance eigrp <default-internal> <default-external>
 Change routes from neighbors
  router eigrp <as>
   distance eigrp <neighbor ip address> <wildcard mask>
 Use an ACL to change the distance
  router eigrp <as>
   distance eigrp <neighbor ip address> <wildcard mask> <route select ACL>
router rip
 distance 130                        ~ sets all RIP routes to distance 130
 distance 100 10.21.1.2 0.0.0.0 2    ~ when you receive routes for networks specified in access-list 2 from neighbor 10.21.1.2, set the administrative distance to 100
For a redistributed route:
 distance 90 172.50.50.0 0.0.0.255
-or-
router eigrp 1
 distance 90 0.0.0.0 0.0.0.255 2
access-list 2 permit 172.50.50.0 0.0.0.255
This changes the distance to make it look internal and therefore preferred over most other routing protocols. The distance command sets new defaults for internal and external routes. This can be used to prefer one EIGRP process over another. If you want to ignore some neighbor routes use the 255 distance.

Ø EIGRP SIA
This means a bad network design. Check the EIGRP bandwidth against the actual bandwidth of the links.
To fix SIA change the active timer to 300 seconds (5 minutes):
router eigrp 1
 timers active-time 300
Use show ip eigrp topology active to find the SIA routes. Or the undocumented show ip eigrp sia events ☺

Ø EIGRP Bandwidth
EIGRP bandwidth (bits) = 256 * ((10^10 / BW (bps)) div 1)
 Min BW = 1200 bps: Max EIGRP bandwidth = 256 * ((10^10 / 1200) div 1) = 256 * (8333333.33 div 1) = 256 * 8333333 = 2,133,333,248
 Max BW = 25.6 Gbps: Min EIGRP bandwidth = 25.6 / 25.6 = 1
 Loopback    BW = 10 000 000 000 bps;  EIGRP bandwidth = 256
 Satellite   BW = 500 000 000 bps;     EIGRP bandwidth = 5 120
 Ethernet    BW = 10 000 000 bps;      EIGRP bandwidth = 256 000
 Serial      BW = 2 000 000 bps;       EIGRP bandwidth = 1 280 000
 Serial      BW = 512 000 bps;         EIGRP bandwidth = 4 999 936
 Serial      BW = 64 000 bps;          EIGRP bandwidth = 40 000 000
 Serial      BW = 9 600 bps;           EIGRP bandwidth = 266 666 496

10.3. AUTHENTICATION
Supports MD5 authentication; MD5 is the only authentication supported. Why should Cisco support simple password when EIGRP will be on all Cisco routers?
To configure authentication:
 Define the key chain
 Define the keys
 Enable on the interface, specifying the key chain
 Configure key management (optional)
key chain CCIE
 key 1
  key-string cisco
interface s0
 ip authentication key-chain eigrp 15 CCIE
 ip authentication mode eigrp 15 md5
Key management: accept-lifetime / send-lifetime

Ø Securing EIGRP
 Make all interfaces not using EIGRP passive.
 Enable MD5 on all EIGRP processes and interfaces.
 Change passwords often.
router eigrp 100
interface <interface>
 ip authentication key-chain eigrp 100 CCIE
 ip authentication mode eigrp 100 md5
key chain CCIE
 key 1
  key-string cisco
Key management strategies:
 Each subnet is a different key
 Each hierarchy level has a different key (core, distribution, access)
If you use key management with accept/send lifetimes then you should use an NTP server as well. Overlap the time by 30 minutes to ensure no time problems.
Troubleshooting MD5:
 debug eigrp packets verbose
 show key chain
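The advice to overlap accept/send lifetimes by 30 minutes and to run NTP can be checked before a key rollover rather than discovered as a dropped adjacency. The following is an added example written for these notes, not code from the CCIE Book: key ids, key strings and the rollover time are constructed, and it assumes (this is not stated in the notes) that when several keys have a valid send-lifetime the lowest key id is the one sent. It simulates two routers sharing a key chain whose clocks differ and reports the minutes at which the receiver would reject the sender's packets.

```python
"""Key-chain rollover check for MD5 routing authentication (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Key:
    key_id: int
    key_string: str
    accept_start: datetime   # accept-lifetime
    accept_end: datetime
    send_start: datetime     # send-lifetime
    send_end: datetime

    def accepts_at(self, t: datetime) -> bool:
        return self.accept_start <= t < self.accept_end

    def sends_at(self, t: datetime) -> bool:
        return self.send_start <= t < self.send_end


def active_send_key(chain: List[Key], t: datetime) -> Optional[Key]:
    """Assumed rule: the lowest key id with a valid send-lifetime is sent."""
    valid = [k for k in chain if k.sends_at(t)]
    return min(valid, key=lambda k: k.key_id) if valid else None


def authenticated(sender: List[Key], receiver: List[Key],
                  t_sender: datetime, t_receiver: datetime) -> bool:
    """The receiver accepts only if it holds the same key id with the same secret and that
    key's accept-lifetime covers the receiver's own clock time."""
    k = active_send_key(sender, t_sender)
    if k is None:
        return False
    return any(r.key_id == k.key_id and r.key_string == k.key_string and r.accepts_at(t_receiver)
               for r in receiver)


def failure_minutes(sender: List[Key], receiver: List[Key], start: datetime, end: datetime,
                    skew: timedelta = timedelta(0)) -> List[datetime]:
    """Minutes in [start, end) at which the receiver would drop the sender's packets, with
    the receiver's clock running `skew` behind the sender's (no NTP)."""
    failures = []
    t = start
    while t < end:
        if not authenticated(sender, receiver, t, t - skew):
            failures.append(t)
        t += timedelta(minutes=1)
    return failures


def make_chain(rollover: datetime, overlap: timedelta) -> List[Key]:
    """Two-key chain: key 1 stops being sent at `rollover` but stays accepted `overlap`
    longer; key 2 is sent from `rollover` and accepted from `overlap` earlier."""
    far_past, far_future = rollover - timedelta(days=1), rollover + timedelta(days=1)
    return [
        Key(1, "old-secret", far_past, rollover + overlap, far_past, rollover),
        Key(2, "new-secret", rollover - overlap, far_future, rollover, far_future),
    ]


ROLLOVER = datetime(2001, 6, 1, 12, 0)   # constructed rollover time
WINDOW = (ROLLOVER - timedelta(hours=1), ROLLOVER + timedelta(hours=1))
```

With no overlap, a 10-minute clock difference costs ten minutes of rejected updates right at the rollover, long enough for a hold timer to expire; the 30-minute overlap from the notes absorbs a skew of up to twice the overlap in this model, and a skew beyond that still produces a gap, which is why NTP is part of the advice.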

10.4. SUMMARIZATION
In 12.0.5T the summary-address command has an AD parameter. Summarization is achieved by reducing the address mask length.
Address aggregation summarizes further by going past the class boundary. This is also known as supernetting. CIDR is the process of supernetting class C addresses into one CIDR block.
 *EIGRP does not summarize external routes unless there is an internal route in the topology database.
 *The summary route will have an AD of 5, points to null0, and has a metric of the subnets it covers. Only the summary will be seen by the neighbors, at a distance of 90.
You can summarize multiple networks received from a neighbor by adding the network summary to the route process by creating an interface summary.
Query boundaries are not stopped at summarizing routers, but one hop beyond the summary point.
When configuring summarization make sure that the manual and the automatic summaries (classful) do not overlap.
When summarizing try to make the lowest cost router the most stable. If it flaps so will the summary.
Apply ip summary-address eigrp on the interface where you want to advertise the summary route. Per-interface summary:
 ip summary-address eigrp 15 172.16.15.0 255.255.255.0
EIGRP automatically summarizes like RIPv2 does, at the boundaries and to the class. To stop automatic summarization (just like RIPv2):
router eigrp 100
 no auto-summary
Summary statements do two things:
 Create a route to null0
 Filter summary routes in the table
A summary can only be created if EIGRP has an internal route in the table.
Uses a Null0 interface for summarization; the default is classful. Changing or removing the auto-summarization affects this Null0 interface.

10.5. EIGRP AND THE WAN
When enabling EIGRP on BRI or Serial interfaces always configure the bandwidth since it is needed for proper metrics.

Ø EIGRP and NBMA (Non Broadcast Multi-Access)
*Split-horizon is disabled on all DV NBMA networks. NBMA = FR, ATM
int s0
 no ip split-horizon eigrp 10
 ip hello-interval eigrp 10 30
 ip hold-time eigrp 10 90
 ip bandwidth-percent eigrp 10 25

Ø EIGRP and FR or ATM
If you have several sites connecting to a central site, turn on frame-relay broadcast-queue at the central site.


L2 – L3 Mapping
Add broadcast to the end of the map statement, needed for hellos and adjacency.
Most WAN problems are L2/L3 problems and not routing problems.
PtP = IPXWAN
PtM = Split-horizon problems
Most WAN problems are output queue overloads, to resolve:
Extend output queue
Use subinterfaces
Use frame-relay broadcast queues
FR PtM
Disable split-horizon *This will make routes appear as “possibly down” on that router.
Add default network or route summarization
Disabling split-horizon increases the topology table on remote routers and the traffic generated by EIGRP.
FR & EIGRP Helpful Hints
Pacing
Check BW = CIR
Reduce hellos to speed convergence where needed
Broadcast-queue to avoid output drops
ATM & EIGRP
Need broadcast option in map statement
EIGRP does not like CLIP. Only the arp servers will form adjacencies, meaning all traffic will go through the arp server.
EIGRP Pacing
Pacing is to ensure that the EIGRP bandwidth used does not exceed the total bandwidth available at the central site.
Remote router = 64 kbps / 16 CIR
Central router = 256 kbps
EIGRP BW Remote = 32 kbps
EIGRP BW Central = 128 kbps
VC on Remote = 8 kbps (1/2 CIR)
VC on Central = 128 kbps (1/2 BW)
With 10 remote routers (VC = 8*10 = 80 kbps)
Does the remote VC total exceed the VC on central? If no, you're OK; if yes, adjust the bandwidth on the interface or how much bandwidth EIGRP uses.
Note: If CIR=0 use ½ of overall BW.
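The pacing arithmetic above as an added Python function that is not from the notes, with the CIR=0 rule handled; the figures reused are the page's 64 kbps / 16 kbps CIR remotes, a 256 kbps central router and ten remotes, and the 50% share is the IOS default for ip bandwidth-percent eigrp.

```python
EIGRP_DEFAULT_PERCENT = 50   # IOS default share for "ip bandwidth-percent eigrp"


def eigrp_vc_budget(access_kbps, cir_kbps, percent=EIGRP_DEFAULT_PERCENT):
    """EIGRP bandwidth one VC may use: `percent` of the CIR, or of the access
    bandwidth when CIR is 0 (the "If CIR=0 use 1/2 of overall BW" note)."""
    base = cir_kbps if cir_kbps > 0 else access_kbps
    return base * percent // 100


def pacing_check(remote_access_kbps, remote_cir_kbps, central_kbps, remote_count,
                 percent=EIGRP_DEFAULT_PERCENT):
    """Compare the sum of the remotes' EIGRP shares against the central budget.

    Returns the intermediate numbers the notes walk through plus `ok`, and the
    largest bandwidth-percent the remotes could run with and still fit, which is
    the "how much bandwidth EIGRP uses" knob the notes say to adjust.
    """
    per_vc = eigrp_vc_budget(remote_access_kbps, remote_cir_kbps, percent)
    total = per_vc * remote_count
    central_budget = central_kbps * percent // 100
    base = remote_cir_kbps if remote_cir_kbps > 0 else remote_access_kbps
    max_remote_percent = min(100, central_budget * 100 // (base * remote_count))
    return {
        "per_vc_kbps": per_vc,
        "total_kbps": total,
        "central_budget_kbps": central_budget,
        "ok": total <= central_budget,
        "max_remote_percent": max_remote_percent,
    }


if __name__ == "__main__":
    print(pacing_check(64, 16, 256, 10))   # the worked example in the notes
    print(pacing_check(64, 0, 256, 10))    # same sites with CIR=0: half of access BW
```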

Ø Dial Solutions
Dial Backup Design
Who will be the initiating router?
Where should the ISDN backup be terminated?
Should the link be unnumbered or subnetted?


Dial-In & EIGRP
Use no peer neighbor-route / no ip peer host-route to stop a dial-up host route (/32) from getting entered into an EIGRP process or topology table.
Dial-Out & EIGRP
To route to remote: static, dynamic protocol
When an ISDN link goes down, or when the frame-relay primary comes back up, the routes need to converge fast. If it waits for EIGRP to time out (270 seconds) a black hole will exist during this time. To solve use:
Quick hellos and a changed hold time
Different AD routing protocol
Higher distance / AD over ISDN

Ø Load Sharing
All commands are under the eigrp process.
variance <factor>    Config unequal load-sharing
*traffic-share balanced    Config proportional load balancing on unequal-cost routes
traffic-share min <across-interface>    Use only min-cost routes
maximum-paths <1-6>    Maximum number of routes
no ip route-cache    Per packet balancing
ip route-cache cef    CEF per destination
ip load-sharing per-destination
ip route-cache cef    CEF per packet
ip load-sharing per-packet

Ø Variance Rules
The router's own distance from the topology table is less than FD*V.
1 – The paths toward the destination go through a FS
2 – Always verify both directions
3 – If more than one router is on the LAN and you must load balance outgoing, use HSRP.
4 – You can use another layer of routers to distribute traffic

10.6. NEW TO EIGRP WITH RELEASE 12.0
12.0.4t has a mask option on the network command, otherwise you have to use passive-interface to stop EIGRP from advertising on an interface.
router eigrp 100
 network 172.16.30.0 0.0.0.255    Wild card mask instead of passive interfaces
Stub receive-only    Allows stub routers
int serial 0
 no eigrp neighbor auto-discovery    Neighbor control

10.7. CONFIGURING EIGRP

Ø Configure EIGRP as IGRP with an ‘E’
router eigrp 10
 network 10.0.0.0


ipx router eigrp <as>
 network 100
 network all
 no redistribute rip    Stops IPX RIP routes into IPX EIGRP
 distribute-list out <acl> rip    Filter RIP into EIGRP
ipx router rip
 no router rip 100
 no redistribute eigrp 100    Stops IPX EIGRP routes into IPX RIP
 distribute-list out <acl> eigrp <as>    Filter EIGRP into RIP
Process-ID can be between 1 and 65535

Ø EIGRP Troubleshooting
Neighbors established?    sie ne
Topology database OK?    sie top
Feasible distances OK?    sir
Feasible distance entries in the topology database must be greater than the direct metric.
Optimal paths in routing table?    deb ip eigrp, sie top, sir
When a router is not in the topology table check:
Interface address and mask
EIGRP Process ID
Network Statements
sie neighbor
If SRTT is 0, the packets are not making the round-trip.
If Q count is more than 0, then packets are queued to send.
If an ACL blocks traffic make sure routing traffic is permitted:
access-list 150 permit eigrp 192.168.1.1 0.0.0.0 any
sie top    Displays the routes it's using
sie top all-links    Displays all routes it has learned
SIA
show log
sie top
If a reply is active for more than 180 seconds SIA happens.
deb eigrp packet    Shows all activity
deb eigrp packet query reply update    Used to observe DUAL only
deb eigrp traffic
debug eigrp packet hello    Used to see the hello, AS number, etc. from the neighbor
show ip route eigrp    Displays the route table
show ip eigrp neighbor    Displays all neighbors
show ip eigrp topology    Displays all topology table entries. Displays the neighbor's distance, this must always be less
show ip eigrp topology x.x.x.x    Provides detailed info
show ip eigrp traffic    Displays packet counts
show ip protocols    Displays active protocol sessions
show ip eigrp events    Displays all eigrp events
show ip route x.x.x.x
show ip eigrp interface
show ip protocol


**eigrp log-neighbor-changes    Used to find SIA sources
clear ip eigrp neighbor    Reinitializes EIGRP neighbor processes
debug ip eigrp    Displays routing table advertisements
Verifying EIGRP for IPX Operation
show ipx route    Displays the contents of the IPX routing table
show ipx eigrp neighbors    Displays the neighbors discovered by IPX EIGRP
show ipx eigrp topology    Displays the IPX EIGRP topology


11. OSPF (O) 110

11.1. OSPF BASICS
The network statement in OSPF is used as a tool for indicating which interfaces will participate in the OSPF process. Using a range of addresses simply allows you to specify more than one interface with a single network statement.
Maxage is 60 minutes, an LSA is then obsolete.
SPF is used to compute the routes in an area but distance-vector is used for inter-area routes.
How often is SPF run? 5 seconds?
OSPF routers exchange hellos, discover adjacencies, and become neighbors. When an OSPF router boots up it floods the area with packets to find the DR. Once a DR is found the router builds its LSDB from the DR. Once the LSDB is built it runs the SPF algorithm and builds its routing table from the lowest-cost paths.
OSPF will load balance over multiple equal-cost links automatically.
Once the routing table is built, LSA updates are exchanged every 30 minutes.
Each router has a RID, the router maintains this RID until the router is rebooted. Changing the IP address or removing it does not change the RID.
Use sio 1 (1 = process id) to find out how many interfaces are in OSPF.
Avoid ACLs under router ospf.
Three OSPF Tables = neighbor, LS database, IP routing table.
Always configure a loopback before enabling OSPF. Watch for RID changes with virtual links and PtM DRs.
For preventing the flooding of LSA updates from a specific interface, I would use ospf database-filter all out.

Ø Packet Types
IP Protocol type 89
TTL = 1
Precedence bits are 110b, internetwork control
Hellos, database-description, link-state request, link-state update, link-state acknowledgement.

Ø Hello
Discovers neighbors
Keepalives
Elects DR/BDR
Hellos are sent every 10 seconds, 30 on NBMA
ip ospf hello-interval 10
RouterDeadInterval is 4x hello and can be changed with:


ip ospf dead-interval 40
*When you change the hello or dead interval, you must change it for all routers that get that segment's broadcasts. Otherwise the adjacency will be lost.
Hellos contain: RID, area ID, address mask, authentication type, hello and dead interval. These must all be correct for the router to establish an adjacency. Other fields in the hello packet are: router priority, DR/BDR, and RIDs of neighbors.
NBMA routers send hellos at the PollInterval, default is 60 seconds.
Hellos use address 224.0.0.5

Ø Metric / Cost
The cost of a route is the sum of the costs of all outgoing interfaces to a destination. Default OSPF cost is 10^8/BW (configured BW of the interface).
Best practice dictates that a non-backbone area's addresses should be summarized INTO the backbone area by its own ABR, as opposed to having all other ABRs summarize the area into their areas.
Recall from EIGRP that when a summary route is configured, a route to the null interface is created and automatically entered into the route table to prevent routing loops and black holes. THEREFORE, whenever you are configuring summary routes within an OSPF domain, be sure to add a static route for the summary address pointing to a null interface.
OSPF's cost is 10^8, 100,000,000 / BW
ip ospf cost <cost>
Use auto-cost reference-bandwidth 1,000,000,000,000 to change the reference number for OSPF from 100 to 1TB. For 100MB links 100,000,000/100,000,000 = 1
auto-cost reference-bandwidth <155>    To change OSPF's reference bandwidth.
sh ip ospf interface s0    Displays interface information

Interface Type    Bandwidth    Cost
FDDI / FE         100          1
HSSI              45           2
Token-ring        16           6
Ethernet          10           10
Token-Ring        4            25
T1                1.544        64
DS0               64K          1562
56K               56K          1785
Tunnel            9K           11111
Loopback
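The cost table above recomputed with the IOS formula (reference bandwidth divided by interface bandwidth, truncated to an integer, minimum 1), as an added Python example that is not from the notes; it also shows why the 100 Mbps default cannot tell FE from GigE, which is what auto-cost reference-bandwidth is for. The bandwidths are the table's values in kbps.

```python
DEFAULT_REF_MBPS = 100   # 10^8 bps, the IOS default reference bandwidth

# Bandwidths in kbps for the rows of the table above (taken from the table; some IOS
# platforms use slightly different interface defaults, e.g. 45045 kbps for HSSI).
TABLE_KBPS = {
    "FDDI/FE": 100_000, "HSSI": 45_000, "Token-Ring 16": 16_000, "Ethernet": 10_000,
    "Token-Ring 4": 4_000, "T1": 1_544, "DS0": 64, "56K": 56, "Tunnel": 9,
}
GIGE_KBPS = 1_000_000   # constructed extra row to show the saturation problem


def ospf_cost(bandwidth_kbps, reference_mbps=DEFAULT_REF_MBPS):
    """IOS-style interface cost: reference / bandwidth, truncated, never below 1."""
    return max((reference_mbps * 1000) // bandwidth_kbps, 1)


def cost_table(reference_mbps=DEFAULT_REF_MBPS, table=TABLE_KBPS):
    """Cost for every interface type in `table` under a given reference bandwidth."""
    return {name: ospf_cost(kbps, reference_mbps) for name, kbps in table.items()}


def distinguishable(reference_mbps, bandwidths_kbps):
    """True when no two different bandwidths collapse onto the same cost.

    With the 100 Mbps default anything at 100 Mbps or faster truncates to 1, so
    SPF sees FE and GigE as equal and will happily load balance across them.
    """
    costs = {ospf_cost(kbps, reference_mbps) for kbps in set(bandwidths_kbps)}
    return len(costs) == len(set(bandwidths_kbps))


if __name__ == "__main__":
    for name, cost in cost_table().items():
        print(f"{name:14} {cost}")
    print("FE vs GigE distinct at ref 100:", distinguishable(100, [100_000, GIGE_KBPS]))
    print("FE vs GigE distinct at ref 1000:", distinguishable(1000, [100_000, GIGE_KBPS]))
```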

Ø DR, BDR, and Priority
There is a DR for every network segment.
DRothers are routers that form adjacencies with only the DR and BDR.
Priority 0 = no DR or BDR
A new router with a higher priority will not take over as DR until the current DR fails.


The highest priority is the DR (default 100)
Priority - Highest wins, 0 prevents becoming a DR.
Every router has a priority (1 by default)
int s0
 ip ospf priority <0-255>
If priority = 0, this router cannot be a DR/BDR
Highest priority or highest IP address is DR
Always set the priority on the interface, globally can create problems with 12.x IOS.
If a higher priority or address router joins the domain it will not replace the DR or BDR until one of them fails. Because of this all routers should be assigned and configured their IP addresses before enabling the OSPF process.
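An added Python model of the election rules above (not the notes' own material): priority 0 is excluded, highest priority wins with highest router ID as tie-break, and a router already holding DR or BDR is not preempted. The router IDs and priorities are constructed, and the promotion of the BDR when the DR is lost is assumed from RFC 2328 rather than stated on this page.

```python
def _ip_key(rid):
    """Compare dotted-decimal IDs numerically, so 10.0.0.10 beats 10.0.0.9."""
    return tuple(int(octet) for octet in rid.split("."))


def elect_dr_bdr(routers, current_dr=None, current_bdr=None):
    """Return (DR, BDR) for one segment.

    routers: {router_id: priority} for every router currently on the segment.
    current_dr / current_bdr: the roles as they stood before this election, so
    that a newly attached router with a higher priority does not take over.
    Assumption beyond the notes: when the DR disappears the BDR is promoted
    (RFC 2328 behaviour) and a new BDR is elected.
    """
    eligible = {rid: pri for rid, pri in routers.items() if pri > 0}

    def best(candidates):
        # highest priority, then highest router ID
        return max(candidates, key=lambda r: (eligible[r], _ip_key(r))) if candidates else None

    dr = current_dr if current_dr in eligible else None
    bdr = current_bdr if current_bdr in eligible and current_bdr != dr else None
    if dr is None:                      # initial election or the DR failed
        dr = bdr if bdr is not None else best(set(eligible))
        bdr = None                      # the promoted (or missing) BDR must be replaced
    if bdr is None:
        bdr = best({r for r in eligible if r != dr})
    return dr, bdr


if __name__ == "__main__":
    segment = {"10.0.0.1": 1, "10.0.0.2": 1, "10.0.0.3": 0}
    dr, bdr = elect_dr_bdr(segment)
    print("initial:", dr, bdr)
    segment["10.0.0.9"] = 255              # late joiner with the highest priority
    print("after join:", elect_dr_bdr(segment, dr, bdr))
    del segment["10.0.0.2"]                # DR fails
    print("after DR loss:", elect_dr_bdr(segment, dr, bdr))
```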

Ø Interface Data Structure (IDS)
sh ip ospf interface    Displays the IDS
IDS contains: ip address, mask, area id, process id, RID, network type, interface transmit delay, state, priority, DR, BDR, hello interval, dead interval, wait time = dead interval, retransmit interval, hello timer, neighbor routers, authentication type, authentication key.

Ø Interface State Machine (ISM)
Down    Initial state
PtP    PtP, PtM, Virtual Links
Waiting    Broadcast, NBMA, waiting for DR
DR    Router is DR
Backup    Router is BDR
DRother    Forms adjacency with DR and BDR only
Loopback    Interface is looped back

Ø Neighbor Data Structure (NDS)
NDS contains: neighbor id, neighbor ip address, area id, interface, priority, state, poll interval (NBMA), inactivity timer (dead interval), DR, BDR, master / slave, plus link state activity.

Ø Neighbor State Machine (NSM)
Down    Attempt interface initialization
Init    Hello sent, neighbor is put in NDS
2-Way    Hello is received, DR/BDR election
Ex-Start    Master / slave relationship, highest IP is master
Exchange    Sends DDPs
Loading    Client requests more LSAs
FULL    Database complete, adjacency established
sh ip ospf neighbor <ip address>    Displays the NDS
sh ip ospf neighbor <interface>    Displays the NDS
deb ip ospf adjacency    Debugs NDS
Synchronization
Adjacencies only form in four conditions:
Network is PtP
Network is a virtual-link


Router is a DR/BDR
Neighbor is DR/BDR
Routing updates go to adjacencies.

Ø Link State Database (LSDB)
Each LSA only reports one destination per packet.
Stores all LSAs
sh ip ospf database
All LSDBs are identical in the area. An ABR will have two LSDBs, one for each area. An ASBR will also have external protocol information.
Every 30 minutes (LSRefreshTime) the routers will update their LSA with a new age timer. If the maxage timer is reached the LSA is flushed from the OSPF domain. This LSRefreshTime is OSPF's keepalive.
So that this refresh time is not synched between all routers a jitter is used. This is called the group-pacing interval and is four minutes.
timers lsa-group-pacing    You can modify this according to the size of the link state database.

Ø LSA's
Type  Name             Generated By         Sent to / Contents                                                      Command
1     Router           All                  Originated by every router. Contains connected and neighbor.            sio data router
                                            Flooded within the area.
2     Network          DR                   Contains internal area routes. Flooded within the area.                 sio data network
3     Network-summary  ABR                  Contains inter-area routes. Flooded within the area except              sio data summary
                                            totally stubby areas.
4     ASBR-summary     ABR                  Contains external routes.                                               sio data asbr-summary
5     AS External      ASBR -> AS           Not sent to Stub, Totally-Stub and NSSA areas.                          sio data external
7     NSSA External    ASBR in NSSA -> ABR  External routes to NSSAs. Sent to internal areas and NSSAs.             sio data nssa-external

Ø Timers
Used to change the SPF calculation time.
timers spf 5 45
Run time default is five seconds and should not be changed. How long to wait before consecutive runs is 45 seconds in this example.

11.2. OSPF ROUTING
Secondary Address Rules
1 – OSPF will advertise the secondary only if the primary is in the OSPF domain.
2 – Secondary networks are stubs

Ø Destination Types
Network    Network
Router    ABR, ASBR


sh ip ospf border-routers

Ø Router Types (All are AD 110)
O    Internal
O IA    ABR
O N1    NSSA
O N2    NSSA
O E1    Redist + internal metric
O E2    Redist, no metric increase through area
Internal    All interfaces belong to the same area
ABR    Connects to backbone and another area
Backbone    Connects to area 0 / backbone
ASBR    Connects to an area and an external protocol (RIP, EIGRP, BGP). This router does redistribution.

Ø Path Determination
Intra – Inter – E1 – E2
If multiple paths exist with the same type and cost, OSPF will load balance over four paths.
ip ospf maximum-paths <1-6>
To choose an (IA) route to a destination network over an intra area route (O) change the AD of the IA.
OSPF route preference behavior:
Intra Area (O)
Inter Area (IA)
External Type 1 (E1)
External Type 2 (E2)
EX1    Includes the cost of traversing the OSPF domain.
EX2    Routes that have a cost which consists of the external cost only.

Ø Loopbacks
PtM and Loopbacks will generate host routes (/32) in the routing table.
Three ways to get a loopback interface into OSPF with a real subnet mask:
1. "ip ospf network point-to-point" on a loopback
2. putting the loopback in certain areas so you can summarize them using "area range"
3. redistribute connected with a restrictive list.

Ø Demand-Circuit
Hellos will keep a DDR link up, use ip ospf demand-circuit.
Make sure ip ospf demand-circuit is only on one side.
Make SURE there are no LSA-5 entries for OSPF routes, do a 'show ip ospf database' and look!!!
debug ip ospf lsa-generation
With demand-circuit the LSA is flagged as DNA – do not age, so no hellos will be sent.
Put demand circuits in stub or NSSA areas to minimize the LSA 5 changes.
Do not implement on broadcast based networks because the link would remain up.


To prevent an ISDN call setup causing an update to be made to the IP route table use no peer neighbor-route.
To stop OSPF from creating /32 routes use a loopback with the PtP network type. A PtP loopback cannot be a DR.
int lo 0
 ip add 172.16.22.1 255.255.255.0
 ip ospf network point-to-point
router ospf 1
 network 172.16.22.1 0.0.0.0 area 10

11.3. NETWORK TYPES
OSPF problems usually can be attributed to a network type (network mismatch or hello interval mismatch).


Ø Network Types
1    PtP    Destination is 224.0.0.5
2    Broadcast    DR/BDR, 224.0.0.6
3    NBMA    ATM/FR, DR/BDR, packets are unicast
4    PtM    224.0.0.5 multicast
5    Virtual Links    Packets are unicast
Multiaccess networks use a DR to reduce flooding. Everyone sends their LSAs to the DR, the DR forwards updates to everyone.


Ø Non-Broadcast (Default on FR serial interfaces)
All connections are physical
Define neighbors between spokes
Same subnet
PtP, PtM
DR / BDR (Hub must be DR)
Hello (30), Dead / Wait (120)
OSPF packets are unicast.

Ø Point-to-Point (Default for Non FR Serial Interfaces)
Worst way to configure (should not be used)
No DR
Each Point-to-Point is a separate subnet
Hello (10), Dead / Wait (40)
Stub Areas

Ø Point-to-Multipoint (Best Method)
No DR
Same subnet
No neighbors needed
Map statements from hub
Hello (30), Dead / Wait (120)
A point-to-multipoint network will generate a specific host route for all neighbors on the NBMA network.
PtM networks are a special configuration of NBMA networks in which the networks are treated as a collection of PtP links. Routers do not elect a DR and BDR and OSPF packets are multicast.

Ø Broadcast (LAN Interfaces)
DR/BDR
No neighbors needed
Same subnet
Hello (10), Dead / Wait (40)

Ø Troubleshooting
If different combinations of interfaces are being used (physical, point-to-point subinterface and multipoint subinterface), is there an interface mismatch?
Solutions:
1 – hub is DR
2 – use subinterfaces, PtP
3 – use PtM

11.4. AREAS
AREA ID is 32 bits, so 0.0.0.0 and 0 are identical.
Areas with two ABRs: traffic will leave by the closest ABR, this is usually not the best route. Change the default route to a summary, then the traffic will leave by the router closest to the destination and not the closest ABR. Having two ABRs in one area can result in asymmetric routing.
Areas must be contiguous.


Area 0 is for interarea transit traffic.
All areas must have a connection to Area 0.

Ø Regular Areas All LSA types permitted

Ø Stub Areas (No LSA 5's EX)
To see the network under a stub area instead of the /32, change the network type to PtP.
Loopback interfaces are considered stub networks and advertised as host routes (/32). Adding the interface command ip ospf network point-to-point can alter this default behavior.
Loopbacks are advertised as /32. So they are stub areas, you should use 255.255.255.255 as a loopback mask.
Loopbacks show as /32 because they are loopbacks. To get them as /24:
1) Don't put in area; redistribute connected; create a restrictive route-map
2) Newer IOS: lo0> ip ospf net p-to-p
3) Put in a non-zero area and summarize in
Stub Restrictions:
1 – All routers in the area must be stub
2 – No virtual-links allowed
3 – No ASBR in the area
4 – Only one ABR can define the exit; if two exist change the cost on one.
area <area> default-cost <cost>    Specifies what ABR to use to exit an area if more than one exists.
When you configure a stub a default network is entered in place of the external routes and all external routes are removed. This is why the stub must only have one exit.
router ospf 100
 area 22 stub

Ø Totally Stubby Area (No LSA Type 3,4,5 IA EX)
Only one type 3 route should be here and that is the default route.
Enter this on the ABR only:
router ospf 100
 area 22 stub no-summary
Must be entered on every router in the stub area
Does not receive summary and external routes (LSA 4 and 5's)
Must have default routes in and out
On ALL ABRs:
area area-id stub no-summary
default-information originate (so a default route is generated)

Ø NSSA
router ospf 100


 area 22 nssa
Must be entered on every router in the stub area
Does not receive summaries (LSA 4 or 5's) but receives LSA 7's
Must have default routes in and out
Allows an ASBR into a stub area. Blocks LSA 5's but allows LSA 7's and converts them to LSA 5's and sends them to the ABR. Type 7's are blocked at the ABR.
When an ABR is also an ASBR and is in a NSSA the ASBR routes will automatically get redistributed into the ABR. Use the no-redistribution keyword on the area nssa command to turn this off.
There is a single exception where using the quad-zero mask is problematic:
network 10.20.1.1 0.0.0.0 area 0
If a NSSA ABR is configured with a 0.0.0.0 mask on the Area 0 side AND there is another router in the NSSA with a higher RID than the ABR, then that ABR will fail to perform the type 7 to type 5 LSA conversion. So don't configure a NSSA area to area 0 with a 0.0.0.0 mask, or make sure all NSSA ABRs have the highest RID of the area. By default, only the router with the highest RID will perform type 7 to type 5 LSA conversions for NSSAs. You can fix this by not using a quad-zero mask when you include the ABR interface that connects to Area 0.

Ø NSSA no-summary
Totally stubby not-so-stubby area: NSSA with no LSA 3 or 4's

Ø Network Down Detection
Token-ring / Ethernet    Use the hello timeout
Serial    Uses the keepalive timeout, or immediate if LMI / carrier is lost

Ø Virtual Links
Virtual links can only be configured on ABRs, they are unnumbered p-t-p links. Used to maintain the area rules.
router ospf 1
 area 30 virtual-link 172.16.100.1
show ip ospf virtual-link
deb ip ospf adj
Configured between two ABRs
Used to stop area 0 partitions

11.5. OSPF AREA AUTHENTICATION
When you enable area 0 authentication, turn it on for virtual links as well.
All routers in the same area must have authentication on. sio nei after enabling authentication.
The authentication password must be the same on all routers. With MD5 the key identifier must be the same.
Authentication (2 Steps)
1 - Configure on the interface
ip ospf message-digest-key 1 md5 cisco


2 - Enable authentication under the process
area 0 authentication message-digest
For virtual link authentication:
area 0 virtual-link 1.1.1.2 authentication-key cisco
area 0 virtual-link 1.1.1.2 message-digest-key 5 md5 cisco

Ø Authentication Types
Type 0 - No authentication
Type 1 - Clear text auth.
Type 2 - MD5 auth

Ø Authentication
OSPF supports simple password and MD5.
Simple Password
int e0
 ip ospf authentication-key cisco
router ospf 10
 area 0 authentication
MD5
int e0
 ip ospf message-digest-key 5 md5 cisco
router ospf 10
 area 0 authentication message-digest

11.6. OSPF ROUTE SUMMARIZATION
All OSPF summarization is done manually, this is why discontiguous networks are not a problem for OSPF. Summarization occurs at ABRs and ASBRs, for internal and external routes. OSPF does not do any auto summarization.

11.6.1. Inter-Area Summarization
Between ABRs from one area into another area:
area 15 range 10.10.0.0 255.255.0.0
Area summarization must be on every active connection between the sub area and the backbone, watch virtual circuits.
Scenario:
        area 0               area 1                 area 2
R1------------------R2--------------------R3----------------------R4
R2 is the ABR for area 1 and is summarizing networks in area 1 with the area range command. The summary route can be observed in R1's routing table. R2 has a number of interfaces connected to other routers in area 1 but they are left out of the diagram. When I configure a virtual link between R2 and R3, I can observe all the networks in area 1 in the routing table of R1 along with the summary route. Configure the "area 1 range" command on R3 as well as R2 (since with the virtual link, R3 is an ABR that touches Areas 0, 1 & 2).


11.6.2. External Summarization
summary-address is only effective on ASBRs with redistribution since you need external routes to summarize.
On ASBR – external routes into area:
summary-address 10.10.0.0 255.255.0.0
summary-address only summarizes routes redistributed into and out of OSPF (LSA 5s).
summary-address only summarizes into area 0 !!! (generates a null0)
When you use the summary-address command with the not-advertise keyword you put the external routes into the OSPF process, but do not put them in the routing table.
To debug, check your LSA 5 route in the database with:
sh ip ospf data external

11.7. OSPF DESIGN TECHNIQUES
Three tier backbone
No more than 6 hops from source to destination (diameter)
30-50 routers per area
IP must be contiguous in area 0
All areas connect to area 0
No more than two areas per ABR
No more than 60 neighbors per router, check DR
The DR should not be the DR for more than one LAN

Ø Backbone Area
Create redundancy – prevent partitioning by losing a single interface
Ensure contiguous
Reduce routes as much as possible

Ø IP Address and Route Summarization
Each area needs to be able to be split if necessary.
Determine what OSPF type each router should be.

11.8. OSPF CONFIGURATION OVERVIEW

Ø Step One
Enable the OSPF routing process and define the networks.

Ø Step Two
Use show ip ospf interface to validate your configuration. If you see: “OSPF is not enabled on this interface” go to Step One.

Ø Step Three
Check neighbor relationships with the command show ip ospf neighbor.
Is the number of adjacencies and neighbors correct?
All neighbors must be in full state, except DROTHER routers which will be in 2-WAY state.
The dead time must be less than the hello time.

Ø Step Four
Check the link state database with show ip ospf database.


Is there an LSA for every router?
Are the proper number of links shown (2 for P-T-P interfaces)?
Are the LSAs aging properly and their sequence numbers incrementing?

Ø Step Five
Check the routing table with show ip route and verify every column.

11.9. OSPF CONFIGURATION
int loopback 0
 ip address 172.16.99.1    Sets the router ID of the router. Document the RID for every OSPF router.
router ospf 1
 network 172.16.20.0 0.0.0.255 area 20
 network 192.168.0.0 0.0.255.255 area 0
 network 10.0.0.0 0.255.255.255 area 10
 area 10 stub
 network 128.100.0.0 0.0.255.255 area 128
 area 128 stub no-summary
 network 192.168.16.0 0.0.0.255 area 128
 area 128 nssa
!
int e 0
 ip ospf priority 255
 ip ospf cost 0
Once you have enabled OSPF's routing process check to verify that it is up.
sho ip ospf int eth 0

Ø Other OSPF Commands
ip ospf hello-interval
ip ospf dead-interval
ip ospf transmit-delay <seconds>    Seconds that LSAs exiting the interface will be aged. Default is 1
ip ospf retransmit-interval <seconds>    Seconds to wait before retransmitting packets not acknowledged.
timers spf <spf-delay> <spf-holdtime>
no ospf auto-cost determination
ospf log-adj-changes
neighbor
ip ospf name-lookup

11.10. OSPF COMMANDS
***area
**auto-cost
ospf auto-cost reference-bandwidth <ref-bw>    Used to change the reference number for OSPF, default is 100.
*default-information
*default-metric
*distance
*distribute-list
*ignore    Sends syslog messages when the router receives LSA Type 6 (MOSPF) packets
*log-adjacency-changes    Sends a syslog message when the state of an OSPF
*maximum-paths
**neighbor
***network
*no
*passive-interface
***redistribute


*router-id
***summary-address
*timers    timers spf 5 45
*traffic-share
area <id | ID in IP address format>
**area 1 authentication
*default-cost
*nssa
***range
*stub
***virtual-link
default-information originate ?
always
metric
metric-type
route-map
default-metric <metric>
network <network>
(Interface Commands)
ip ospf ?
***authentication-key
**cost
*database-filter
*dead-interval
***demand-circuit
*hello-interval
**message-digest-key
***network
***priority
*retransmit-interval
*transmit-delay
show ip ospf ?
***<AS>?
border-routers
database
flood-list
***interface
***neighbor
request-list
retransmission-list
summary-address
***virtual-links
| (Output Modifier)

11.11. TROUBLESHOOTING OSPF
Is OSPF enabled on each interface that is supposed to be participating in the OSPF process?    show ip ospf interface e0
Are OSPF neighbor relationships correctly formed?    show ip ospf neighbor


Are OSPF adjacencies being formed properly?    shut / no shut, debug ip ospf adj

show ip protocol    Verifies OSPF is configured
show ip route    Displays all the routes learned by the router
show ip ospf    Displays OSPF timers

show ip ospf border-routers    Lists the ABRs in the autonomous system
show ip ospf database    Displays a one line summary of every LSA known to the router. At least one Type 1 must be in there. Stub networks are not in here.
You can view specific LSAs by being more specific: asbr, database-summary, external, network, nssa, router, summary
show ip ospf database router 172.16.1
show ip ospf interface    Displays area ID, adjacency information, and network type
show ip ospf neighbor detail    Displays information about DR/BDR and neighbors
show ip ospf process-id    Displays statistics about each area to which the router is connected
show ip ospf virtual-link    Displays the status of the virtual link

Ø Neighbor Problems
debug ip ospf adj    Used to watch the adjacency formation process. Great for virtual link troubleshooting.
show ip ospf neighbor    What state are the routers in? Must be in 2-Way state

Ø States
Down [NBMA: Attempt]
Init
2-Way
ExStart
Exchange
Loading
Full

Ø AREA Partition
To fix an area partition, do not use a summary address, so both sides see all routes.

Ø Debugging OSPF
02:50:19: OSPF: rcv. v:2 t:1 l:48 rid:10.34.1.1 aid:0.0.0.0 chk:6E09 aut:0 auk: from Serial0.1
v = version
t = Packet Type
1 Hello
2 DDP


3 LS Request
4 LS Update
5 LS Ack
l: packet length in bytes
rid: Router ID
aid: Area ID
chk: Checksum
aut: Authentication
0 No authentication
1 Simple password
2 MD5
auk: Authentication key
keyid: MD5 key id
seq: sequence number
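A parser for the debug format decoded above, as an added Python example that is not from the notes; the first sample line is the one quoted above, the second is constructed to show the keyid and seq fields of an MD5-authenticated packet, and the router IDs and interfaces in it are constructed. It reports which neighbours are still sending with aut:0, which is what you want to know before an area starts requiring MD5.

```python
import re

PACKET_TYPES = {1: "Hello", 2: "DDP", 3: "LS Request", 4: "LS Update", 5: "LS Ack"}
AUTH_TYPES = {0: "No authentication", 1: "Simple password", 2: "MD5"}

# Sample input: line 1 is the debug line quoted in the notes; line 2 is a constructed
# MD5-authenticated hello in the same format (aut:2 with keyid/seq instead of auk).
SAMPLE_LOG = """\
02:50:19: OSPF: rcv. v:2 t:1 l:48 rid:10.34.1.1 aid:0.0.0.0 chk:6E09 aut:0 auk: from Serial0.1
02:50:29: OSPF: rcv. v:2 t:1 l:48 rid:10.34.1.2 aid:0.0.0.0 chk:0 aut:2 keyid:5 seq:0x3C5A3B02 from Serial0.2
"""

LINE_RE = re.compile(
    r"OSPF: rcv\. v:(?P<v>\d+) t:(?P<t>\d+) l:(?P<l>\d+) rid:(?P<rid>\S+) aid:(?P<aid>\S+) "
    r"chk:(?P<chk>\S+) aut:(?P<aut>\d+)(?P<rest>.*?) from (?P<intf>\S+)"
)


def parse_line(line):
    """Decode one 'OSPF: rcv.' debug line into its fields; None for any other line."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    aut = int(m["aut"])
    keyid = re.search(r"keyid:(\d+)", m["rest"])     # only present for MD5 (aut:2)
    seq = re.search(r"seq:(\S+)", m["rest"])
    return {
        "version": int(m["v"]),
        "type": PACKET_TYPES.get(int(m["t"]), f"unknown({m['t']})"),
        "length": int(m["l"]),
        "rid": m["rid"],
        "area": m["aid"],
        "checksum": m["chk"],
        "auth_type": aut,
        "auth": AUTH_TYPES.get(aut, f"unknown({aut})"),
        "keyid": int(keyid[1]) if keyid else None,
        "seq": seq[1] if seq else None,
        "interface": m["intf"],
    }


def unauthenticated_senders(log):
    """Sorted (rid, interface) pairs seen sending OSPF with aut:0.

    Anything listed here will lose its adjacency as soon as the area is switched
    to authentication, so it is the pre-change checklist for section 11.5.
    """
    found = set()
    for line in log.splitlines():
        rec = parse_line(line)
        if rec and rec["auth_type"] == 0:
            found.add((rec["rid"], rec["interface"]))
    return sorted(found)


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(parse_line(line))
    print("no authentication:", unauthenticated_senders(SAMPLE_LOG))
```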


12. IS-IS (i) 115
clns routing
router isis
 net 49.0001.7777.7777.7777.00
 is-type    1, 2 or both
1's are local routers
2's tie areas together (backbone)
router isis
 area-password angel
You will have to configure ISIS over FR with some type of interface.
With IP only config the area address ensures that two areas don't get merged, if level 1 addresses don't match they don't communicate.

12.1. IS-IS ROUTING
ISIS level configuration defaults to L1/L2 type routers.
On serial interfaces configure the IP address as unnumbered.
Three types of packets: hello, LSP, SNP
Distribution should be a level 2 router.
Level 2 routes will not go into Level 1 routers.
Single area = make all level 2 routers or all level 1 routers in the same area.
With ISIS a router can only be in one area.
ISIS reports the holding time in hello messages, with critical routers you may change this holding time for faster convergence.
ISIS has two network types, broadcast and point-to-point. The broadcast type works between frame-relay physical to physical or to multipoint interfaces. You do need to put in a frame-relay map clns broadcast statement if there is not a clns dynamic map. The ptp connection works between frame relay ptp subinterfaces or other ptp circuits.

Ø ISIS on NBMA
Every interface has to be a PtP.
Must be a separate subnet, pvc, dlci, etc.
On serial interfaces configure the IP address as unnumbered.
A router can only be in one area.
If the types are mixed there is no command similar to the ospf network command. This is the case in the Doyle example. In this case use a tunnel. A tunnel works in the other cases also but is unnecessary.
Similar to OSPF: LSDB, uses SPF, hellos, 2-level areas, summarization, classless, uses a DR for broadcast networks, authentication.


ISIS uses a Link State PDU (LSP) versus OSPF's LSA.
The refresh rate is 900 seconds (15 minutes).
For frame-relay NBMA you have three choices: physical interfaces with frame-relay map clns <dlci> broadcast, point-to-point subinterfaces, or a GRE/IP tunnel. Using GRE tunnels through NBMA for IS-IS is a good technique.
With physical interfaces you may need a full mesh of maps. You need to have both frame-relay map ip x.x.x.x x.x.x broadcast statements AND frame-relay map clns xxx broadcast statements. This is just like

Ø ISIS Router Types
OSPF ABR = ISIS Level 1 / 2 (maintains two databases; does not advertise L2 routes into L1)
OSPF internal / totally stubby area = ISIS Level 1
OSPF backbone = ISIS Level 2

Ø NSAP
AFI: 47 = ICD, 49 = Private
Format: AFI . Area . System ID . Selector Byte, e.g. 49 . AAAA . SSSS.SSSS.SSSS . 00
The RID is an NSAP address or NET: AFI.area.unique-system-id.00, e.g. 49.0000.<router number>.00
router 1:
router isis
net 49.0000.1111.1111.1111.00
Format AA.BBBB.CCCC.CCCC.CCCC.00. These are hex numbers. AA is the AFI identifier. There are certain "registered" numbers apparently, but none of the sources above specify. Doyle likes 47, Slattery likes 49. BBBB is the area id. The C's represent the system ID and must be unique in an ISIS domain.
An ISIS router can have up to three area addresses; each router has a system id and an area id. This is defined by the Network Entity Title (NET).
The Area is used by level 2 routers; the System ID is used by level 1 routers.
The system ID of all nodes must be 6 octets (1111.2222.3333).
The first address should be 47, and the last two digits (selector bits) must be 00. If not, the address is an NSAP address and not a NET.
The ISIS network layer is divided into two sublayers, the Subnetwork Independent Sublayer and the Subnetwork Dependent Sublayer. The SIS provides services to the transport layer and the SDS provides services to the data link layer.

Ø Hellos
LAN Hellos contain priority and LAN ID fields.
WAN Hellos
How often are LAN versus WAN hellos sent? The same? Hellos are sent every 3.33 seconds once a pseudonode is elected.

Ø Pseudonode (DR)
Like OSPF's DR, ISIS defines a pseudonode or designated intermediate system (DIS); all routers on the multi-access network form an adjacency with the DIS. All routers in the area establish adjacencies with all routers, not just the DIS. Each router sends multicasts to all neighbors.
The highest priority router becomes the DIS. Priority range is 0-127, default is 64, 0 = can not be DIS; serial interfaces are set to 0.
The router with the highest priority is the DIS; if all are the same, the highest system ID / MAC wins.
Priorities are interface based, not global: isis priority <priority>
If a new router with a higher priority or higher system id joins the LAN it will become the DR immediately.

Ø Metric
Default is 10 on all interfaces, so this is just a hop count. Range is 0 – 63, with 1023 being the highest possible.
isis metric <new metric>
Path Determination: Internal L1 / L2 routes, External L2 routes

Ø Subnetwork Dependent Sublayer
Exchanges hellos to discover neighbors, establishes adjacencies, maintains the adjacencies.
Two network types: Broadcast, PtP.
Neighbors and adjacencies:
Hellos are sent every 10 seconds; can be changed per interface with isis hello-interval.
L1 – L1 and L1 – L1/2 form adjacencies.
L2 – L2 and L2 – L1/2 form adjacencies.
ISIS holdtime is 3x hello; change with isis hello-multiplier.
sh clns is-neighbor – displays the neighbor table.
Adjacency States: Init (initializing), Up (adjacent).
Neighbor table has: System id, interface, state, type, priority, circuit id, format.
Circuit ID – if the interface is on a broadcast network it is concatenated with the system id of the network DR and the pseudonode id; this is known as the LAN ID.
Format will always be Phase V; the other is DECnet Phase IV.
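An added example (not the book's own code) that puts the NET, Pseudonode and Subnetwork Dependent Sublayer rules above into Python: parsing a NET into AFI, area, 6-octet system ID and selector, working out on which levels two routers become adjacent (L1 only with a matching area address, L2 regardless of area), and electing the DIS by highest priority and then highest system ID, with priority 0 excluded. The router records, NETs and priorities are constructed.

```python
"""IS-IS NET parsing, adjacency eligibility and DIS election following the
NET, Pseudonode and Subnetwork Dependent Sublayer notes. Added example: the
router records below are constructed."""


def parse_net(net):
    """Split 'AFI.area....sysid.sel' into its parts and validate it as a NET.

    The system ID is the three 4-hex-digit groups (6 octets) before the
    selector; the selector must be 00 for a NET, otherwise it is a plain
    NSAP. Everything before the system ID is the area address (AFI + area)."""
    parts = net.split(".")
    if len(parts) < 5:
        raise ValueError("too short for area, 6-octet system id and selector")
    if parts[-1] != "00":
        raise ValueError("selector must be 00 for a NET, got " + parts[-1])
    sysid = parts[-4:-1]
    if any(len(p) != 4 for p in sysid):
        raise ValueError("system id must be three 4-digit hex groups")
    area = ".".join(parts[:-4])
    int(area.replace(".", ""), 16)          # every group must be hex
    int("".join(sysid), 16)
    return {"afi": parts[0], "area": area, "sysid": ".".join(sysid), "sel": parts[-1]}


def _levels(router_type):
    """'L1', 'L2' or 'L1L2' -> the set of levels the router runs."""
    return {"L1", "L2"} if router_type == "L1L2" else {router_type}


def adjacency_levels(a, b):
    """Levels on which routers a and b form an adjacency.

    L1-L1 and L1-L1/2 adjacencies need matching area addresses; L2-L2 and
    L2-L1/2 adjacencies form regardless of area. Duplicate system IDs never
    become adjacent."""
    na, nb = parse_net(a["net"]), parse_net(b["net"])
    if na["sysid"] == nb["sysid"]:
        return set()
    common = _levels(a["type"]) & _levels(b["type"])
    if na["area"] != nb["area"]:
        common.discard("L1")
    return common


def elect_dis(routers):
    """DIS on one broadcast segment: highest interface priority, ties broken by
    the highest system ID. Priority 0 (the default on serial interfaces) means
    the router can never be DIS. Returns the winner's NET, or None."""
    eligible = [r for r in routers if r["priority"] > 0]
    if not eligible:
        return None
    key = lambda r: (r["priority"], int(parse_net(r["net"])["sysid"].replace(".", ""), 16))
    return max(eligible, key=key)["net"]


# Constructed routers: R1/R2 share area 49.0001, R3/R4 are in area 49.0002.
R1 = {"net": "49.0001.1111.1111.1111.00", "type": "L1L2", "priority": 64}
R2 = {"net": "49.0001.2222.2222.2222.00", "type": "L1", "priority": 64}
R3 = {"net": "49.0002.3333.3333.3333.00", "type": "L1L2", "priority": 100}
R4 = {"net": "49.0002.4444.4444.4444.00", "type": "L2", "priority": 0}

if __name__ == "__main__":
    for x, y in ((R1, R2), (R1, R3), (R2, R3), (R3, R4)):
        print(x["net"], y["net"], sorted(adjacency_levels(x, y)))
    print("DIS:", elect_dis([R1, R2, R3, R4]))
```

Running the block shows the troubleshooting cases from the notes: R2 (L1 only) and R3 (other area) get no adjacency at all, which is what "someone is in the wrong area" looks like, while R1 and R3 still come up at L2 only.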


Ø Subnetwork Independent Sublayer
Routing functions – has four processes:
Receive – receives PDUs
Update – constructs the L1 and L2 databases
Decision – runs SPF and finds the optimal path
Forwarding – sends PDUs
LSP contains: remaining lifetime, sequence number, checksum.
Remaining lifetime is 1200 seconds (20 minutes): max-lsp-lifetime
ISIS refresh interval is 15 minutes minus 25% jitter: lsp-refresh-interval
When the remaining lifetime (maxage) is 0 the route will stay in the LSDB for 60 seconds; this is known as ZeroAgeLifetime.
If an LSP is received with a bad checksum, the remaining lifetime is set to 0 and it is reflooded. This allows slow or over-utilized routers to purge the routes of other routers. To stop this use the ignore-lsp-errors command under the routing process, so that a bad link cannot purge all routes.
If the sequence number gets to the max 0xFFFFFFFF the ISIS process shuts down for at least 21 minutes (Remaining Lifetime + ZeroAgeLifetime) to allow the old LSPs to age out of all the databases.
Sequence Number PDU (SNP) – two types:
Partial SNP (PSNP) – used on PtP to acknowledge LSPs – unicast. The interval to send a PSNP is the minimum LSPTransmissionInterval and is 5 seconds. Use isis retransmit-interval to change it.
Complete SNP (CSNP) – used on broadcast networks, sent every 10 seconds – multicast by the DR.
If the router has a memory overload it will set a bit called Overload (OL). This means the database is incomplete and not all routes are in the LSDB. Other routers no longer use this router as a transit router until the OL bit is cleared. Use the command set-overload-bit to manually set the OL bit. To make an IS router act as an ES (end-system) only, set the overload bit.
sh isis database – displays a summary of the LSDB; a * next to the LSPID indicates those LSPs are from this router.
ISIS Decision Process
Uses SPF to construct the routing table.
Load Balancing: up to six equal-cost paths can be put into the routing table.
The closest L2 or L1/L2 router will be the exit to an area.
sh isis database – displays the system id and the ATT bit.
sh ip route – displays the default route to other areas.
ISIS uses CLNS routing, so if you want to see the IP address of a system id use the which-route <clns address> command.
ISIS PDUs (sent in seconds):
Hello – hellos – L1 / L2 / PtP – 1 / 3.33 after DIS
Link State – LSPs – L1 / L2
Sequence Number – SNPs – L1 / L2 / PSNP / CSNP – CSNP 10
ISIS has no secondary IP address problems, since CLNP is used for routing; interfaces with different subnets can be adjacent. IP will not work but the adjacency is there; this is referred to as being "half-broke".

Ø SPF flooding
Use max-lsp-lifetime and lsp-refresh-interval on large networks to reduce SPF recalculations. spf-interval can also be used to change how often SPF runs. By default it runs every 5 seconds.

Ø Summarization
Summarization only happens on Level 2 routers.
summary-address <ip address> <mask>

12.2. AUTHENTICATION
Authentication is clear text only.
Three levels of authentication:

Ø Between neighbors on connected interfaces
isis password <password> <level-1 | level-2> (Level 1 is the default)

Ø Area wide (all area routers)
area-password <password>

Ø Domain wide (L2, all L2 routers)
domain-password <password>

12.3. ISIS CONFIGURATION
clns routing
router isis ccie
net 49.0001.6666.6666.6666.00
is-type level-2-only
int e0
ip router isis ccie
ip addr 172.168.12.1 255.255.255
sh isis data detail
Four Steps to Configure ISIS
1 – Enable isis routing with router isis
2 – Configure the NET
3 – Determine all interfaces that should be advertised. Configure ip router isis on all interfaces whose ip address isis should advertise.
4 – Enable isis on all router interfaces
Changing the router type – default is L1/L2 router:
router isis
is-type <level-1 | level-2>
For routers with no default route to another area, there are two ways to fix it:
1 – enable clns routing on the interface.
int e0
clns router isis
2 – Map a default static route to null0 on the other area and use the default-information originate command to propagate it.

12.4. TROUBLESHOOTING ISIS
Check NSAPs
Check neighbor areas – someone may be in the wrong area
Check hello timers
NET address is incorrect
Access-lists
Commands:
sh clns is-neighbors
sh clns proto – displays the level type and other great info
deb isis adj-packets
deb isis update-packets
deb isis snp-packets
LSDB Troubleshooting:
sh isis spf-log
sh isis database
deb isis spf-triggers
deb isis spf-events
deb isis spf-statistics


13. BGP (B) 20 / 200
Transport is TCP 179.
BGP is a Path Vector Protocol.
BGP is classless.
Never redistribute BGP into an IGP.
When changes are made to an ESTABLISHED peer, you must reset the BGP session.
Config BGP in the core; all core routers are peers.
Filter all IGP info by changing any multiple IGP routes to BGP routes.
If you want to change the RID, create a loopback with a higher IP address and then clear the bgp connections with clear ip bgp. You can also use bgp router-id to set the bgp RID.

Ø Controlling the Maximum Prefixes Allowed
To limit the number of prefixes a router is allowed to accept from a neighbor:
neighbor maximum-prefix 300 75 warning-only
By default bgp will close the connection if max-prefix is exceeded; use the warning-only option to send a message to the log instead. A message is generated when the neighbor exceeds 75% by default; use the following command to change it to 90%:
neighbor maximum-prefix 300 90 warning-only

Ø Types of AS
An AS can be a stub, transit, or multihomed.
Multihomed Transit – more than one exit, one or two providers
Multihomed Non-Transit – more than one exit, single provider, BGP recommended
Single-homed Non-Transit – Stub AS
Transit traffic is any traffic that has its origin and destination in another AS.
Multihoming is for redundancy and increased routing efficiency, not load sharing.

Ø Keepalives and Hold times
Keepalives increment from 0 to holdtime. The connection will be paused if a keepalive or update is not received. Keepalives are 60 seconds, or 1/3 of holdtime. Keepalives on serial SNA connections should be set to 3 seconds.
Minimum holdtime is 3 seconds. The holdtime is selected between neighbors; the lowest one wins. The hold time must be 0 for no keepalives (this will keep the connection up), or at least 3 seconds; default is 180 seconds.
Change the neighbor holdtime with: neighbor <ip address | peer-group> timers <keepalive> <holdtime>
Change per router with: bgp timers <keepalive> <holdtime>

Ø *States
Idle – When BGP is enabled. ConnectRetry is 60 seconds and doubles on each attempt.
Connect – Opens the transport protocol TCP/179 and has connected. Goes to: OpenSent on success, Active on failure.
Active – Starts peer connectivity; test by pinging the neighbor. Goes to: OpenSent on success, Connect? on failure.
OpenSent – Waits for a message; if the message received is: Notification goto Idle, KeepAlive goto OpenConfirm. Hold timer is negotiated. Compares ASs.
OpenConfirm – Waits for a message; if the message received is: Notification goto Idle, KeepAlive goto Established. Hold timer is restarted.
Established – Working and receiving Keepalives.
Note: Going from Connect to Active means the TCP connection has a problem.

Ø Messages
Open – contains BGP version, AS, Hold Time, BGP Identifier/IP Address
Update – contains NLRI, Path Attributes, Withdrawn / Unreachable routes
Keepalive
Notification – sent whenever an error has occurred and the connection is closed.
NLRI is network layer reachability information; it contains the network and prefix.
When the transport port closes the state goes to Active; on any other problem the state goes to Idle. If notification messages are being sent, there is an error. If a router goes from ACTIVE to IDLE there is a problem; many NOTIFICATION messages also indicate an error.
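The state transitions and the hold-time negotiation described in the States, Keepalives and Messages notes above, as an added Python model (not IOS code and not the book's). One detail follows RFC 4271 rather than the note: the move from OpenSent to OpenConfirm happens on receipt of the peer's OPEN message, which is where the AS numbers are compared and the hold time is negotiated (lowest wins, 0 means no keepalives, keepalive interval is one third of the hold time). The AS numbers, hold times and event sequence are constructed.

```python
"""A small model of the BGP session states (Idle, Connect, Active, OpenSent,
OpenConfirm, Established) plus the hold-time negotiation done on the OPEN
exchange. Added example, not IOS code; AS numbers, hold times and event
sequences below are constructed."""


def negotiate_hold_time(local, remote):
    """Lowest proposed hold time wins. 0 means no keepalives at all; any other
    value must be at least 3 seconds. Keepalive interval is 1/3 of hold time."""
    for v in (local, remote):
        if v != 0 and v < 3:
            raise ValueError("hold time must be 0 or at least 3 seconds")
    hold = min(local, remote)
    return hold, (0 if hold == 0 else hold // 3)


class BgpSession:
    """Tracks one peer through the transitions in the notes."""

    def __init__(self, local_as, remote_as, local_hold=180):
        self.state = "Idle"
        self.local_as, self.remote_as = local_as, remote_as
        self.local_hold = local_hold
        self.hold = self.keepalive = None
        self.connect_retry = 60           # ConnectRetry starts at 60 s, doubles per failure
        self.trace = []                   # (from_state, to_state) history

    def _go(self, new):
        self.trace.append((self.state, new))
        self.state = new

    def event(self, ev, **msg):
        """ev: start, tcp_up, tcp_fail, open, keepalive, notification. Returns new state."""
        s = self.state
        if ev == "notification":          # any NOTIFICATION closes the session
            self._go("Idle")
        elif s == "Idle" and ev == "start":
            self._go("Connect")
        elif s in ("Connect", "Active") and ev == "tcp_up":
            self._go("OpenSent")          # TCP/179 is up and our OPEN has gone out
        elif s in ("Connect", "Active") and ev == "tcp_fail":
            self.connect_retry *= 2       # Connect -> Active means TCP has a problem
            self._go("Active" if s == "Connect" else "Connect")
        elif s == "OpenSent" and ev == "open":
            if msg["remote_as"] != self.remote_as:
                self._go("Idle")          # AS mismatch: NOTIFICATION sent, back to Idle
            else:
                self.hold, self.keepalive = negotiate_hold_time(self.local_hold, msg["hold_time"])
                self._go("OpenConfirm")
        elif s == "OpenConfirm" and ev == "keepalive":
            self._go("Established")       # hold timer restarts on every keepalive from here on
        # any other (state, event) pair is ignored in this simplified model
        return self.state


def bring_up(remote_as=65002, remote_hold=90):
    """Drive a session through one failed TCP attempt and a normal bring-up.
    Returns (final state, hold, keepalive, connect_retry)."""
    s = BgpSession(local_as=65001, remote_as=65002)
    s.event("start")
    s.event("tcp_fail")                   # Connect -> Active
    s.event("tcp_up")                     # Active -> OpenSent
    s.event("open", remote_as=remote_as, hold_time=remote_hold)
    s.event("keepalive")
    return s.state, s.hold, s.keepalive, s.connect_retry


if __name__ == "__main__":
    print(bring_up())
    print(bring_up(remote_as=65003))      # wrong AS in the OPEN: session drops to Idle
```

The trace list is the thing to look at when a peer flaps: repeated Connect to Active transitions point at TCP (reachability, port 179 filtered), while OpenSent to Idle points at the OPEN exchange (AS number, hold time, MD5 mismatch), which matches the "Active to Idle means a problem" rule of thumb in the notes.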

Ø Authentication BGP supports MD5 authentication with: neighbor 10.2.2.1 password cisco

13.1. BGP PATH SELECTION PROCESS
1. Ignore paths marked as "not synchronized" in the output of show ip bgp x.x.x.x. If bgp synchronization is enabled – which is the current default in IOS – there must be a match for the prefix in the ip routing table in order for an internal (i.e. iBGP) path to be considered a valid path. Most ISPs will want to disable synchronization using the no synchronization bgp subcommand.
2. Ignore paths for which the NEXT_HOP is inaccessible. This is why it is important to have an IGP route to the NEXT_HOP associated with the path.
3. Ignore paths from an EBGP neighbor if the local AS appears in the AS path. Such paths are denied upon ingress into the router, and not even installed in the BGP RIB. The same applies to any path denied by routing policy implemented via access, prefix, as-path, or community lists, unless "inbound soft reconfiguration" is configured for the neighbor.
4. If bgp bestpath enforce-first-as is enabled and the UPDATE does not contain the AS of the neighbor as the first AS number in the AS_SEQUENCE, send a NOTIFICATION and close the session.
5. Ignore paths marked as (received-only) in the output of show ip bgp x.x.x.x. This path has been rejected by policy, but has been stored by the router because soft-reconfiguration inbound has been configured for the neighbor sending the path.
6. Ignore paths with a next-hop metric marked as inaccessible.

13.2. BGP BEST PATH ALGORITHM FOR IOS
1. Prefer the path with the largest weight. Note that weight is a Cisco-specific parameter, local to the router on which it is configured.
2. Prefer the path with the largest LOCAL_PREF.
3. Prefer the path which was locally originated via a network or aggregate bgp subcommand, or through redistribution from an IGP.
4. Prefer locally sourced network/redistributed paths over locally generated aggregates.
5. Prefer the path with the shortest AS path.
a) This step is skipped if bgp bestpath as-path ignore is configured.
b) An AS_SET counts as one AS, no matter how many ASs are in the set. The AS_CONFED_SEQUENCE is not included in the AS path length.
6. Prefer the path with the lowest origin type: IGP is lower than EGP, and EGP is lower than INCOMPLETE.
7. Prefer the path with the lowest MED.
a) This comparison is only done if the first (i.e. neighbouring) AS is the same in the two paths; any confederation sub-ASes are ignored. In other words, MEDs are compared only if the first AS in the AS_SEQUENCE is the same – any preceding AS_CONFED_SEQUENCE is ignored.
b) If bgp always-compare-med is enabled, MEDs are compared for all paths. This knob needs to be enabled over the entire AS, otherwise routing loops could occur.
c) If bgp bestpath med confed is enabled, MEDs are compared for all paths that consist only of AS_CONFED_SEQUENCE (i.e. paths originated within the local confederation).
d) Paths received with no MED are assigned a MED of 0, unless bgp bestpath missing-is-worst is enabled, in which case they are effectively considered to have (although not actually assigned) a MED of 4,294,967,295. Any route received from a neighbor with a MED of 4,294,967,295 will have the MED changed to 4,294,967,294 before insertion into the bgp table.
e) BGP Deterministic MED (see later) can also influence this step.
8. Prefer External (eBGP) over Internal (iBGP) paths. Note that paths containing AS_CONFED_SEQUENCE are local to the confederation, and therefore treated as internal paths. There is no distinction between Confederation External and Confederation Internal.
9. Prefer the path with the lowest IGP metric to the BGP nexthop.
10. If maximum-paths N is enabled, and there are multiple external/confederation-external paths from the same neighboring AS/sub-AS, then insert up to N most recently received paths in the IP routing table. This allows eBGP multipath load sharing. The maximum value of N is currently 6; the default value, with the knob disabled, is 1. The oldest received path is marked as the best path in the output of show ip bgp x.x.x.x, and the equivalent of next-hop-self is performed before forwarding this best path on to internal peers.
11. Prefer the path which was received first (i.e. the oldest one).
a) This step minimizes route-flap, since a newer path will not displace an older one, even if it would otherwise be selected on account of the additional decision criteria below. It makes more sense to only apply the additional decision steps below to iBGP paths, in order to ensure a consistent bestpath decision within the network, and thereby avoid loops.
b) This step is skipped if bgp bestpath compare-routerid is enabled.
c) This step is skipped if the ROUTER_ID is the same, since the routes were received from the same router.
d) This step is skipped if there is no current best path. An example of losing the current bestpath occurs when the neighbor offering the path goes down.
12. Prefer the route coming from the BGP router with the lowest router ID. The router ID is the highest IP address on the router, with preference given to loopback interfaces, if one or more is configured. It can also be set manually via bgp router-id x.x.x.x. Note that if a path contains Route Reflector attributes, the originator ID is substituted for the router ID in the path selection process.
13. If the originator/router ID is the same, prefer the path with the minimum cluster-id length – this will only be present in BGP route-reflector environments, and allows clients to peer with RRs/clients in other clusters. In this scenario the client must be aware of the Route Reflector specific BGP attributes.
14. Prefer the path coming from the lowest neighbor address. This is the ip address used in the bgp neighbor configuration, and corresponds to the address the remote peer uses in the TCP connection with the local router.
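The ordered decision steps above as an added Python comparison function (not IOS code and not the book's). prefer() walks steps 1 through 14 for two candidate paths and best_path() folds it over the candidates in the order they were received; step 10 (multipath) and the "no current best path" case of 11d are left out, and the knob names in the cfg dictionary (always_compare_med, med_confed, missing_as_worst, as_path_ignore, compare_routerid) are this example's own shorthand for the IOS commands named in the steps. The candidate paths are constructed.

```python
"""Pairwise BGP best-path comparison following the ordered steps in the notes
(weight, local preference, local origination, AS path length, origin, MED,
eBGP over iBGP, IGP metric, age, router ID, cluster-list length, neighbor
address). Added example, not IOS code; paths and cfg knob names are
constructed, step 10 (multipath) and step 11d are omitted."""
import ipaddress
from functools import reduce

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}                 # IGP < EGP < INCOMPLETE
LOCAL_ORIG_RANK = {"network": 0, "redistribute": 0, "aggregate": 1}
MAX_MED = 4294967295


def as_path_len(path, ignore=False):
    """Step 5b: an AS_SET counts as one AS; AS_CONFED_* segments do not count."""
    if ignore:
        return 0
    n = 0
    for kind, ases in path["as_path"]:
        if kind == "AS_SEQUENCE":
            n += len(ases)
        elif kind == "AS_SET":
            n += 1
    return n


def first_as(path):
    """Neighboring AS: first AS of the AS_SEQUENCE, ignoring confed segments."""
    for kind, ases in path["as_path"]:
        if kind == "AS_SEQUENCE" and ases:
            return ases[0]
    return None


def effective_med(path, cfg):
    """Step 7d: a missing MED counts as 0, or as the maximum with missing-is-worst."""
    if path["med"] is not None:
        return path["med"]
    return MAX_MED if cfg.get("missing_as_worst") else 0


def meds_comparable(a, b, cfg):
    """Step 7a-c: MEDs are compared only between paths from the same neighboring
    AS, unless always-compare-med (all paths) or med-confed (confed-only paths)."""
    if cfg.get("always_compare_med"):
        return True
    confed_only = lambda p: bool(p["as_path"]) and all(k.startswith("AS_CONFED") for k, _ in p["as_path"])
    if cfg.get("med_confed") and confed_only(a) and confed_only(b):
        return True
    return first_as(a) is not None and first_as(a) == first_as(b)


def prefer(a, b, cfg):
    """Return whichever of paths a and b wins; a keeps a full tie."""
    def pick(ka, kb):                                  # lower key wins, None = tie
        if ka == kb:
            return None
        return a if ka < kb else b
    checks = [
        lambda: pick(-a["weight"], -b["weight"]),                               # 1
        lambda: pick(-a["local_pref"], -b["local_pref"]),                       # 2
        lambda: pick(a["local_orig"] is None, b["local_orig"] is None),         # 3
        lambda: pick(LOCAL_ORIG_RANK[a["local_orig"]], LOCAL_ORIG_RANK[b["local_orig"]])
                if a["local_orig"] and b["local_orig"] else None,               # 4
        lambda: pick(as_path_len(a, cfg.get("as_path_ignore")),
                     as_path_len(b, cfg.get("as_path_ignore"))),                # 5
        lambda: pick(ORIGIN_RANK[a["origin"]], ORIGIN_RANK[b["origin"]]),      # 6
        lambda: pick(effective_med(a, cfg), effective_med(b, cfg))
                if meds_comparable(a, b, cfg) else None,                        # 7
        lambda: pick(not a["ebgp"], not b["ebgp"]),                             # 8
        lambda: pick(a["igp_metric"], b["igp_metric"]),                         # 9
        lambda: pick(a["received_order"], b["received_order"])
                if not cfg.get("compare_routerid") and a["router_id"] != b["router_id"]
                else None,                                                      # 11
        lambda: pick(ipaddress.ip_address(a["router_id"]),
                     ipaddress.ip_address(b["router_id"])),                     # 12
        lambda: pick(a["cluster_list_len"], b["cluster_list_len"]),             # 13
        lambda: pick(ipaddress.ip_address(a["neighbor"]),
                     ipaddress.ip_address(b["neighbor"])),                      # 14
    ]
    for check in checks:
        winner = check()
        if winner is not None:
            return winner
    return a


def best_path(paths, cfg=None):
    """Fold prefer() over the candidates in the order they were received."""
    cfg = cfg or {}
    return reduce(lambda cur, p: prefer(cur, p, cfg), paths)


def path(**kw):
    """Constructed candidate with IOS-like defaults; override per path."""
    base = dict(weight=0, local_pref=100, local_orig=None, origin="i", med=None,
                ebgp=True, igp_metric=0, received_order=0, router_id="10.0.0.1",
                cluster_list_len=0, neighbor="192.0.2.1", as_path=[])
    base.update(kw)
    return base


# Constructed candidates for one prefix originated in AS 300.
P_OLD = path(as_path=[("AS_SEQUENCE", [100, 300])], med=50, received_order=1,
             router_id="10.0.0.1", neighbor="192.0.2.1")
P_NEW = path(as_path=[("AS_SEQUENCE", [100, 300])], med=20, received_order=2,
             router_id="10.0.0.2", neighbor="192.0.2.2")
P_IBGP = path(as_path=[("AS_SEQUENCE", [200, 300])], local_pref=200, ebgp=False,
              igp_metric=10, received_order=3, router_id="10.0.0.3", neighbor="10.0.0.3")
P_OTHER_AS = path(as_path=[("AS_SEQUENCE", [150, 300])], med=5, received_order=4,
                  router_id="10.0.0.4", neighbor="192.0.2.4")
```

Because step 7 only compares MEDs between paths from the same neighboring AS, the pairwise fold is not guaranteed to be order independent when three or more neighboring ASes are involved; that is exactly the situation bgp deterministic-med (7e) exists for, so best_path() here is the plain, order-dependent form.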

13.3. BGP DECISION ALGORITHM – HWPOATMENI
Hop Weight – prefer largest, default is 32768
Preference (local) – prefer largest, default 100
Originated on local router
AS Path – prefer shortest
Type or Origin – i, e, ?
MED – prefer lowest, default = 0
External over Internal – EBGP, Confed EBGP, IBGP
Neighbor – lowest IGP metric
ID – lowest Router ID

Well-Known Mandatory attributes: Origin, AS_Path, Next_Hop
Well-Known Discretionary: Local-Preference (non-transitive), Atomic-Aggregate
Optional Transitive: Aggregator, Community
Optional Nontransitive: MED, Originator ID, Cluster-List, MP_REACH_NLRI, MP_UNREACH_NLRI

Ø Next-Hop Attribute
IBGP – Neighbor: the next-hop attribute is not changed in IBGP.
EBGP – Originator.
Multi-access media – Interface: on LANs the next-hop is set to the actual router, versus the advertising router. The next_hop address of a route for multi-access media is not changed.
NBMA – FR acting like a LAN: the next-hop is set to the actual router like on multi-access media, but the route to the next hop will fail. Using the next-hop-self option changes the next hop to the hub and it will work.
DMZ Zones – Use next-hop-self to limit the EBGP routes in IBGP.

Ø Next-Hop-Self
If a router is an IBGP router and needs to route to an EBGP next hop, the router must know the route. On the border of the AS set next-hop-self for external routes.

Ø Weight Attribute
Internal metric of a route for a specific router. Similar to Local Preference but only specific to the current router. Used to specify the exit point or destination on a local router. Default is 32768 for originated paths and 0 for routes generated by other routers. Higher is better, so lower it on the worst paths.
The weight attribute is a special CISCO attribute that is used in the path selection when there is more than one route to the destination. The weight attribute is local to the router on which it is assigned and is NOT propagated in routing updates (higher = more preferred).
There are three ways to set the weight:
Access-list:
nei 1.1.1.1 remote-as 100
nei 1.1.1.1 filter-list 5 weight 2000
ip as-path access-list 5 permit ^100$
Route-map:
nei 1.1.1.1 remote-as 100
nei 1.1.1.1 route-map setweight in
ip as-path access-list 5 permit ^100$
route-map setweight permit 10
match as-path 5
set weight 2000
route-map setweight permit 20
Weight command:
nei 1.1.1.1 remote-as 100
nei 1.1.1.1 weight 300

Ø Local Preference Attribute
Internal metric of a route. Used for updates between IBGP routers. Local Preference is NOT sent to EBGP peers. Used to set the exit point in an IBGP AS. Higher is better, default 100.
The Local Preference attribute indicates the preferred path when there are multiple paths (higher = better). Unlike the weight attribute, the local preference IS carried with route updates and exchanged with routers in the same AS.
There are two ways to set the local preference:
BGP Default Local Preference:
bgp default local-preference 202
Route-map to set local preference:
router bgp 300
neighbor 172.16.24.15 remote-as 100
neighbor 172.16.24.15 route-map LO
CPREF out
!
route-map LOCPREF permit 10
match as-path 5
set local-preference 100
route-map LOCPREF permit 20
!
ip as-path access-list 5 permit 10

Ø Locally Originated Attribute Prefer the path that was originated by BGP by using the network command, or through redistribution, or an aggregate, on the current router, in this order as well.

Ø AS_PATH Attribute
Shortest AS_PATH is preferred. Within the originating AS (IBGP) it does not get set, AS_PATH = ^$. Only during EBGP exchanges is the AS number prepended to it.
AS_SEQUENCE – the list of AS numbers, in order.
AS_SET – the list of AS numbers, unordered.
AS_CONFED_SEQUENCE –
AS_CONFED_SET –
To have a router ignore the AS_PATH length when determining routes use the command: bgp bestpath as-path ignore
AS-Path Prepending: (500,300,100) changes to (500,300,300,100)

Ø Origin Type Attribute
The Origin attribute will be "i" when injected with the network command in router configuration mode, "e" when learned through EGP, and "?" (incomplete) when a route is redistributed into bgp.
IGP / IBGP = i
EGP / EBGP = e
Incomplete / Redistributed = ?

Ø MED Attribute
The MED is BGP's metric! The external metric of a route. Used to change the traffic coming into the AS. Multi-Exit-Discriminator, default = 0, lower is better.
It goes into the AS but it does not get passed around inside the AS; it is possible to have an inter-AS routing loop with this command. The MED is passed to sub-ASs in confederations.
*MEDs are only compared with other MEDs from the same AS. The MED that comes into an AS does not leave it: MED is exchanged between ASs but is not forwarded out of the AS. Can be used to specify the entrance and exit point for other ASs.


Ø BGP Always-compare-med Used to compare MED from other AS’s. You must add this to all routers in the same AS.

Ø BGP Bestpath AS-PATH ignore
Ignores the AS_PATH for best path selection. This makes the MED more valuable than the AS_PATH.

Ø BGP Bestpath MED Confed Select the bestpath based on the MED, only for routes that have an AS confederation sequence in their AS_PATH.

Ø BGP bestpath med missing-as-worst
The MED is 0 if there is not one assigned. This attribute assigns 4,294,967,294 if the path does not have a MED assigned.

Ø BGP deterministic-med
When selecting the best path using bgp always-compare-med, this command allows the best path selection to sort the paths based on neighbor AS and MED.
The MED attribute is a hint to EBGP peers about the preferred path into an AS when there are multiple (lower = better). Unlike local preference, the MED is exchanged between ASs, but a MED that comes into an AS does not leave the AS.
Can be set based on: AS destination with match as-path; IP address with match ip address.
Two ways to set:
Set using route maps:
router bgp 300
neighbor 172.16.24.15 remote-as 100
neighbor 172.16.24.15 route-map SETMED out
!
route-map SETMED permit 10
match ip address 1
set metric 25
route-map SETMED permit 20
!
access-list 1 permit 172.16.0.0 0.0.255.255

Set with default-metric:
router bgp 1
redist static
default-metric 50

Ø External over Internal
EBGP over Confed EBGP
Confed EBGP over IBGP

Ø Neighbor, Closest Closest IBGP neighbor, lowest IGP metric to the next BGP hop

Ø Equal Paths
If routes are still equal at this point and maximum-paths is more than 1, install the equal-cost paths in the route table.

Ø ID, Router
Lowest IP address as specified by the RID. If the route comes from an RR use the originator attribute.

Ø Neighbor address
Lowest IP address of the neighbor.

Ø Atomic_aggregate Attribute
Used to deal with overlapping address summaries. Gets set when loss of information has occurred.

Ø Aggregator Attribute
Contains who generated the aggregate.

13.4. BGP ROUTING

Ø Controlling the Routing
IBGP: the path out is changed by Local Preference, the path in by MED.
EBGP: the path is changed by AS_PATH.

13.4.1. Selecting a BGP Path
You can do a show ip bgp <longer-prefixes> to see all the routes that bgp knows about. From this list bgp will or will not select routes to be entered into the route table.

Here is a list of reasons that BGP may not inject a route into the routing table:

1 – Not synchronized
2 – Next-Hop is inaccessible
3 – Local AS appears in the AS_Path
4 – bgp enforce-first-as is enabled, and the update does not contain the AS of the neighbor as the first AS number in the AS_SEQUENCE, so the session is closed.
5 – Received-Only – these paths have been rejected due to a policy, but have been stored on the router because soft-reconfiguration inbound has been configured for the neighbor sending the path.

13.4.2. Other Routing Information
For non-bgp routers in an AS to reach outside networks:
Inject the bgp routes into their IGP, or
Use a default route on the non-bgp routers for their exit points.

Ø Injecting Routes into BGP
Static – network command – origin = i (EBGP = e)
Dynamic – redistribution – origin = ?
Dynamic routes must be filtered so the correct routes get injected. Only internal routes should be injected. OSPF external routes are blocked automatically. EIGRP has the external set to type 2. RIP / IGRP routes must be tagged to differentiate between internal and external; a route-map permitting ^$ should work.
For all network commands an exact match must be in the routing table.

Ø Unstable Routes
Use route dampening or aggregate the addresses. If you aggregate at the customer site the provider will not see the fluctuations.

Ø Update-Source
Used to specify a loopback as the neighbor interface. Great for IBGP stability; not usually used for EBGP except when parallel (load balancing) paths are used.

Ø Auto-Summary
BGP automatically summarizes at the classful boundary. Use no auto-summary to not summarize. Only summarize within an AS when the AS contains the entire network range being summarized.

Ø Neighbor Commands
neighbor 10.1.1.1 default-originate
Used just like OSPF's default-information originate always. A default will be sent to the neighbor even if one does not exist on this router.
neighbor 10.1.1.1 distribute-list 1 out
!
access-list 1 permit 0.0.0.0
access-list 1 deny any
Add this to the router along with the default-originate command so no other routes are advertised to the neighbor.
neighbor 10.1.1.1 next-hop-self
neighbor 10.1.1.1 update-source loopback 0
Adding this between two IBGP routers makes the IGP find the best path, rather than BGP, which may be slow at converging.
neighbor 10.1.1.1 ebgp-multihop 2
Used by EBGP to use loopback interfaces as sources. EBGP neighbors must be directly connected; loopbacks are not, so you specify the ebgp-multihop option to tell EBGP to look further than the one-hop TTL. This changes the TTL of EBGP packets.

13.4.3. IBGP Routing
By default, iBGP routes are not redistributed into IGPs. To ensure a loop-free inter-domain topology, BGP does not accept updates that originated from its own AS. Within an AS, bgp peers do not need to be directly connected. ALL bgp speakers within an AS MUST establish a peer relationship unless you use route reflectors or confederations. Use route reflecting within confederations.
Use peer-groups with route reflectors.
When an EBGP route gets to a BGP router and the IGP does not have a path to the last device, the next-hop-self attribute can be used to put the BGP route in the IGP routing table.
All IBGP speakers must be fully meshed; these are BGP-speaking routers only. Administrative Distance is 200; the AS numbers must be the same.
IBGP does not advertise IBGP-learned routes to other IBGP peers; to work around this rule use the neighbor command, the next-hop-self command, or a route reflector.
IBGP neighbors do not have to be directly connected, as long as there is an IGP route to the neighbor.

Ø Synchronization
The BGP synchronization rule states that if an AS provides transit service to another AS, BGP should not advertise a route until all of the routers within the AS have learned the route via an IGP. If an AS is a transit AS, all routers must be fully meshed before synchronization is disabled. If all routers run bgp with no redistribution, turn off synchronization. When you disable synchronization on an active bgp router, reset all the bgp connections with clear ip bgp *. You cannot be synchronized with the IGP and use a route reflector at the same time.

Ø Route Reflectors
*When enabling, turn off synchronization.
Always configure the cluster id on a bgp route reflector. If you don't and later need to, you will have to remove all neighbors, add the cluster id, and then put the neighbors back.
Route reflectors are for internal ASs ONLY. Route reflectors make good route servers.
RR clients should not be peers of other IBGP speakers, but can be peers of EBGP routers.
Originator ID – created by the route reflector; it is the RID of the originator of the route within the local AS. Optional non-transitive.
Cluster-ID – each cluster in an AS must have a unique cluster id. If there is a single cluster the ID is the RID of the route reflector. If there is more than one cluster, each RR must be configured with a cluster id. Optional non-transitive.
Cluster List – tracks the cluster ids like AS_Path tracks AS numbers.
*Route reflectors must follow the physical layout; if a client sits between route reflecting areas it will create a routing loop: RRa – RRb client – RRa client – RRb

Ø Route Reflector Redundancy
(Old Method) 1 – Put two RRs in the same cluster. All clients need an ibgp session to both reflectors. The RRs should be ibgp peers of each other. A Cluster ID must be set.
(New Method) 2 – One RR per cluster. Have any redundant clients connect to both.
3 – Create a third cluster to cluster the RRs. This creates a two-tier level.

Ø Route Reflector configuration
  router bgp 10
   neighbor 192.168.10.10 remote-as 10
   neighbor 192.168.10.10 route-reflector-client
   neighbor 192.168.20.10 remote-as 10
   neighbor 192.168.20.10 route-reflector-client
   no bgp client-to-client reflection

Ø Update From / Send To
  Update From               Send To
  Nonclient IBGP            To all IBGP clients
  Client peer / EBGP peer   To all clients and IBGP peers
Remember that reflected updates only go to IBGP routers and not to EBGP routers. Neighbor peers still exist for EBGP routers.

Ø Prevention of Routing Loops with RR's
Originator ID is used to stop routing loops: a router checks this attribute and, if it carries its own RID, ignores the update. Cluster List - when more than one RR is in the same cluster, a cluster id must be set so that one RR ignores the updates reflected by the other RR.
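
The update table and the two loop checks above, modelled as a small Python program. This is an added example, not from the original notes; router IDs, cluster IDs and the prefix are constructed sample values.

```python
"""Route-reflector forwarding rules and loop prevention, modelled in Python.

Added example, not from the original notes. Router IDs, cluster IDs and the
prefix are constructed sample values.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Update:
    prefix: str
    originator_id: str = ""             # set by the first RR that reflects the route
    cluster_list: tuple[str, ...] = ()  # cluster IDs the update has already crossed


@dataclass(frozen=True)
class RouteReflector:
    router_id: str
    cluster_id: str                 # configure explicitly (see the notes above)
    clients: frozenset[str]         # RIDs of route-reflector clients
    nonclients: frozenset[str]      # ordinary IBGP peers, e.g. a redundant RR
    client_to_client: bool = True   # "no bgp client-to-client reflection" -> False

    def accept(self, upd: Update) -> bool:
        """Loop checks on an incoming IBGP update (ORIGINATOR_ID, CLUSTER_LIST)."""
        if upd.originator_id == self.router_id:
            return False   # our own route came back to us
        if self.cluster_id in upd.cluster_list:
            return False   # already crossed this cluster (second RR in the same cluster)
        return True

    def reflect(self, upd: Update, sender: str, from_ebgp: bool = False) -> dict[str, Update]:
        """Return {IBGP peer RID: update} following the update table in the notes."""
        if from_ebgp:
            # EBGP-learned routes go to every IBGP peer. Nothing is reflected,
            # so no ORIGINATOR_ID / CLUSTER_LIST is added.
            return {p: upd for p in self.clients | self.nonclients}
        if not self.accept(upd):
            return {}
        reflected = replace(
            upd,
            originator_id=upd.originator_id or sender,
            cluster_list=(self.cluster_id,) + upd.cluster_list,
        )
        if sender in self.clients:
            targets = set(self.nonclients)
            if self.client_to_client:
                targets |= self.clients - {sender}
        elif sender in self.nonclients:
            targets = set(self.clients)   # non-client updates go to clients only
        else:
            raise ValueError(f"{sender} is not a configured IBGP peer")
        return {p: reflected for p in targets}


if __name__ == "__main__":
    rr = RouteReflector("1.1.1.1", "1.1.1.1",
                        frozenset({"10.0.0.1", "10.0.0.2"}), frozenset({"2.2.2.2"}))
    for peer, upd in rr.reflect(Update("192.0.2.0/24"), sender="10.0.0.1").items():
        print(peer, upd)
```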

Ø BGP Peer Groups
Use confederations and peer groups to change policies.

A peer group is a group of BGP neighbors sharing the same update policies. Create the peer group, assign policies, then add BGP neighbors to the peer-group. Peer group members can override the inbound policy locally. Use peer groups to reduce update traffic. Do not configure a peer group within a route reflector cluster. The remote-as command is used on the neighbor PEERGROUP command for IBGP and on the neighbor x.x.x.x command for EBGP, because a different AS must be specified per EBGP neighbor. If EBGP neighbors are in a peer group there are two rules:

The hub router cannot be a transit router.
All EBGP members should be part of the same subnet.

Ø Configuration
This is a group within a local AS.
  router bgp 300
   nei internalmap peer-group
   nei internalmap remote-as 300
   nei internalmap route-map internal out
   nei internalmap filter-list 1 out
   nei internalmap filter-list 2 in
   nei 5.5.5.2 peer-group internalmap
   nei 6.6.6.2 peer-group internalmap
   nei 3.3.3.2 filter-list 3 in
The route-map internal and filter-lists 1 and 2 are applied to all peer-group members. Filter-list 3 is applied to that neighbor only and can only be applied on incoming updates.
This is an EBGP peer-group:
  router bgp 200
   nei externalmap peer-group
   nei externalmap route-map SETMED out
   nei externalmap filter-list 1 out
   nei externalmap filter-list 2 out
   nei 2.2.2.2 remote-as 100
   nei 2.2.2.2 peer-group externalmap
   nei 3.3.3.3 remote-as 300
   nei 3.3.3.3 peer-group externalmap
   nei 3.3.3.3 filter-list 3 in

Ø Confederations
A confederation is an AS that has been subdivided into a group of sub-AS's. A confederation ID is used to inform external peers of the real AS. Used to reduce the IBGP mesh. Also used when you want different routing policies in IBGP. Two new AS-Path types must exist:
AS_CONFED_SEQUENCE - the confederation AS-Sequence
AS_CONFED_SET - the confederation AS-Set

Can you block paths based on these attributes? Next-hop, local-pref, and MED can be advertised to sub-AS EBGP peers, but these peers are still inside the same AS. The bgp confed peers command is needed to make a sub-AS EBGP peer appear as IBGP. *Sub-AS's do not change the EBGP AS_Path. Use confederations to have more than one policy per AS. Private AS's are 64512 - 65535 (RFC 2270). The recommended confederation design is to use a centralized sub-AS, like OSPF's area 0.
  R1
  router bgp 65000
   bgp confed id 100
   bgp confed peers 65001 65002 65003
   nei 2.2.2.2 remote-as 65001
   nei 2.2.2.2 remote-as 65002
   nei 2.2.2.2 remote-as 65003
   nei 3.3.3.3 remote-as 300
  R2
  router bgp 65001
   bgp confed id 100
   bgp confed peers 65000 65002 65003
   nei 1.1.1.1 remote-as 65000
   nei 3.3.3.3 remote-as 300
The Confederation ID is used for the true AS that these routers belong to.

Ø Remove Private AS
Use neighbor 10.1.1.2 remove-private-as to stop BGP from sending private AS's (64512-65535) to the Internet.

13.4.4. EBGP Routing
For routers that run EBGP, neighbors are usually directly connected. BGP uses only one path to an EBGP neighbor. BGP specifies that the next hop of EBGP-learned routes remains unchanged into and through IBGP. EBGP peers must be directly connected or ebgp-multihop must be used. EBGP multihop allows peering with neighbors up to 255 hops away. When EBGP injects a route into IBGP it does not change the next-hop address. Routes traffic between different AS's. Administrative Distance is 20. The AS numbers are different. As soon as a BGP route leaves an AS the AD goes from 200 to 20.

Ø Multihop BGP Configuration
  router bgp 100
   neighbor 15.1.1.2 remote-as 200
   neighbor 15.1.1.2 ebgp-multihop 2

Ø Community Attribute
Used to group destinations and apply routing decisions. Not restricted to one AS or network and has no physical boundaries. A route can have more than one community attribute. Common community values are set in the form 200:1, where 200 is the AS and 1 is the value assigned by the provider. Sent with neighbor send-community. Community values 0x00000000 to 0x0000FFFF and 0xFFFF0000 to 0xFFFFFFFF are reserved. These are defined in RFC 1998.
  NO_EXPORT      Do not advertise this route to EBGP peers. 0xFFFFFF01
  NO_ADVERTISE   Do not advertise to any peer. 0xFFFFFF02
  INTERNET       Advertise this route to all routers.
  LOCAL-AS       Do not advertise this route to any EBGP peer, including confederation EBGP peers.
The community attribute provides a way of grouping destinations to which routing decisions can be applied. To send the attribute you must use the neighbor send-community router config command.

Use the command sh ip bgp community no-export to see what routes have been tagged.
Set with route-maps:
  nei 1.1.1.1 route-map set-comm-noexp out
  route-map set-comm-noexp permit 10
   match ip address 1
   set community no-export
  route-map set-comm-noexp permit 20
   match as-path 1
   set community 200 additive
The additive option adds the community to the route's current communities rather than replacing them. To send the community attribute you must specify it in the neighbor command: nei 1.1.1.1 send-community
Set Community Method
  router bgp 1
   neighbor 192.168.1.2 send-community
   neighbor 192.168.1.2 route-map SET_COMMUNITY out
  access-list 15 deny 155.1.1.0 0.0.0.255
  access-list 15 permit any
  route-map SET_COMMUNITY permit 10
   match ip address 15
   set community no-export
  route-map SET_COMMUNITY permit 20

13.4.5. Advertising Routes
Before a BGP route is advertised it must be in the IP routing table and BGP must be aware of it via the network command or redistribution. These are originating routes, and their AS Path changes as they are advertised outside of their IBGP area. BGP does not accept updates that originated from its own AS, but will forward them to other AS's. *The AS can advertise the IGP metric to another AS by using the set metric-type internal command as part of a route map toward the neighbor. This causes BGP routes to carry the internal IGP metric as the BGP MED.

Ø Network Command
Origin is set to IBGP / EBGP.
  router bgp 200
   network 172.16.20.0

Ø *Conditional Advertising
Use on ISDN or backup links. Advertise-map:
  router bgp 100
   nei 10.1.1.1 advertise-map toadvertise non-exist-map ifnotexist
  route-map ifnotexist permit 10
   match ip addr 1
  route-map ifnotexist deny 20
  route-map toadvertise permit 10
   match ip addr 10
(The advertise-map routes are sent only while the non-exist-map matches nothing.)

13.4.6. Route Cache Invalidation
In order to implement a new policy or to reinitialize a peering, the established BGP connections must be reset. There are four ways to do this.

Ø Manually trigger readvertisement
Reset the router.

Ø Resetting the entire TCP session
  clear ip bgp * soft out
This is the best way.

Ø Soft Reconfiguration
Soft reconfiguration is not recommended for inbound changes.
  neighbor 1.1.1.1 soft-reconfiguration inbound
  clear ip bgp * soft in
Inbound requires that all received entries are stored in cache; eventually the router will run out of memory and reload. Outbound soft reset does not use additional memory; it resets the Adj-RIB-Out.

Ø Route Refresh
If supported this is the best way.
  sh ip bgp neigh 1.1.1.1
   route refresh: advertised and received
  clear ip bgp 1.1.1.1 soft in
This tells the neighbor to do a clear ip bgp 1.1.1.2 soft out.

13.4.7. Aggregate Address
Aggregate IP's and use no-export to not advertise the specific routes. The BGP router aggregating a route becomes the originator of the new route.
What is the difference between summarization, aggregation, and CIDR?
Summarization - takes routes to advertise and summarizes them in the BGP routing table. Only one route is in the BGP routing table. You can use the summary and then use the community attribute to stop other neighbors from seeing the more specific routes.
Aggregation - takes routes already in the BGP routing table and advertises all of them or just the aggregate. Whenever you aggregate make sure there is a static to null0 for the aggregate, otherwise loops can form. When you can't aggregate all the routes you need, aggregate what you can and add the specific routes you need to complete your routing.
CIDR - a network with a prefix /?, shorter than the natural mask. This can also be referred to as a supernet.

Ø Summary-Only
  network 172.16.10.0
  aggregate-address 172.16.0.0 255.255.0.0 summary-only
Without summary-only, the aggregate route along with the more specific routes gets advertised. Using the summary-only option limits the advertising to only the aggregated route and any route that was injected with the network command.

Ø Suppress-Map / Unsuppress-Map
Use the suppress-map command with aggregation. To suppress routes you need to use the suppress-map option with a route-map:
  network 160.10.40.0
  aggregate-address 160.0.0.0 255.0.0.0 suppress-map CHECK
  !
  route-map CHECK permit 10
   match ip address 1
  !
  access-list 1 deny 160.10.0.0 0.255.255.255
  access-list 1 permit any
You can use ip prefix lists for suppress-maps as well:
  network 160.10.40.0
  aggregate-address 160.0.0.0 255.0.0.0 suppress-map CHECK
  !
  route-map CHECK permit 10
   match ip address prefix-list CHECK
  !
  ip prefix-list CHECK permit 160.10.0.0/16 ge 16 (?)
There is also an unsuppress-map command. This allows you to summarize and then unsuppress the routes you wish to advertise.

Ø Attribute-Map
To set attributes as the aggregate is propagated, use the attribute-map command:
  route-map setorigin permit 10
   set origin <igp | egp | incomplete>
  !
  aggregate-address 160.0.0.0 255.0.0.0 attribute-map setorigin

Ø Using a Static Route to Aggregate
(First Method)
  router bgp 200
   redist static
  !
  ip route 160.0.0.0 255.0.0.0 null 0
This method sets the origin as incomplete since it is a redistribution.
(Second Method)
  router bgp 200
   network 160.0.0.0 mask 255.0.0.0
  !
  ip route 160.0.0.0 255.0.0.0 null 0

Ø Advertise-Map
  aggregate-address 192.168.192.0 255.255.248.0 summary-only advertise-map ALLOW
  !
  access-list 1 deny 192.168.197.0
  access-list 1 permit any
  !
  route-map ALLOW permit 10
   match ip address 1
Allows you to control which routes' attributes create the aggregate. If you leave out certain routes, those routes' attributes will not be sent to the neighbor.
Other neighbor options:
  neighbor 10.1.1.1 password 7 cisco
  neighbor <peer-group> password 7 cisco
  neighbor 10.1.1.1 advertisement-interval <0 - 600>
  neighbor 10.1.1.1 version 3

Ø AS-SET
When you aggregate you lose the specific AS_Paths that are aggregated. The AS_SET contains all the aggregated AS's and can be used to prevent routing loops. When aggregating addresses that belong to EBGP peers, use the as-set keyword.
  aggregate-address 160.0.0.0 255.0.0.0 as-set
The as-set keyword causes the router to generate an aggregate that includes all of the AS's in the set.

13.5. CONTROLLING THE FLOW OF BGP UPDATES
Whenever you want to change the flow of incoming traffic you will normally change the outgoing advertisements. The way traffic comes into an area is determined by the routing information the other side receives. This is the basis of asymmetric routing as well.

Ø Administrative Distance
  20    EBGP
  200   IBGP

Ø *Backdoor Option
You can change this by using the backdoor (Cisco) option. Specifying an EBGP route as a backdoor raises its AD to 200 so IGP routes will be preferred over the EBGP route.
  router bgp 200
   network 160.10.0.0 backdoor
This option is used with confederations.

Ø *Route Dampening
Dampening is not applied to routes learned by IBGP.
  Penalty            Number assigned each time a route flaps.
  Half lifetime      Time required to reduce the penalty by 1/2.
  Suppress limit     Penalty value at which the route is suppressed.
  Reuse limit        Penalty value below which the route is reused.
  Suppressed route   A route that is not advertised.
  History entry      Stores flap information while the route is down. Cleared when the penalty falls to 1/2 of the reuse limit.
  router bgp 100
   bgp dampening <half-life> <reuse> <suppress> <max-suppress-time>
Defaults:
  Penalty             1000 per flap
  Suppress limit      2000   stop advertising (dampen) at this penalty (1-20000)
  Half-life time      15 minutes (1-45)
  Reuse limit         750    low point before the route is used again (1-20000)
  Max suppress time   4 x the half-life (1-255 minutes)
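
The dampening arithmetic behind those defaults, worked through in Python: how the penalty accumulates per flap, decays by half-lives, and crosses the suppress and reuse limits. This is an added example, not from the original notes; the flap times fed in are constructed input.

```python
"""BGP route-flap dampening arithmetic: penalty accumulation, exponential
decay, suppress and reuse thresholds.

Added example, not from the original notes. The defaults are the IOS values
listed above (1000 per flap, half-life 15 min, suppress 2000, reuse 750,
max-suppress 60 min = 4 half-lives); the flap times are constructed input.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Dampening:
    half_life_min: float = 15.0
    reuse: float = 750.0
    suppress: float = 2000.0
    max_suppress_min: float = 60.0      # 4 x half-life
    flap_penalty: float = 1000.0

    @property
    def max_penalty(self) -> float:
        """Highest penalty a route can accumulate: the value that decays to the
        reuse limit in exactly max_suppress_min (750 * 2^4 = 12000 by default)."""
        return self.reuse * 2 ** (self.max_suppress_min / self.half_life_min)

    def decay(self, penalty: float, minutes: float) -> float:
        """The penalty halves every half-life."""
        return penalty * 0.5 ** (minutes / self.half_life_min)

    def minutes_until_reuse(self, penalty: float) -> float:
        """Time for the penalty to decay to the reuse limit (0 if already below)."""
        if penalty <= self.reuse:
            return 0.0
        return self.half_life_min * math.log2(penalty / self.reuse)

    def simulate(self, flap_times_min: list[float]) -> list[tuple[float, float, bool]]:
        """Feed flaps (minutes since start, ascending); return (time, penalty,
        suppressed) after each flap. A route is suppressed once the penalty
        exceeds the suppress limit and reused once it decays below reuse."""
        penalty, last, suppressed, rows = 0.0, 0.0, False, []
        for t in flap_times_min:
            penalty = self.decay(penalty, t - last)
            if suppressed and penalty < self.reuse:
                suppressed = False          # decayed below reuse before this flap
            penalty = min(penalty + self.flap_penalty, self.max_penalty)
            last = t
            if penalty > self.suppress:
                suppressed = True
            rows.append((t, round(penalty, 1), suppressed))
        return rows


if __name__ == "__main__":
    cfg = Dampening()
    # Three flaps a minute apart, then one more 38 minutes later.
    for t, pen, sup in cfg.simulate([0, 1, 2, 40]):
        print(f"t={t:>4} min  penalty={pen:7.1f}  suppressed={sup}")
    print("minutes until reuse from a 3000 penalty:", cfg.minutes_until_reuse(3000))
```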

13.6. LOAD BALANCING TRAFFIC
When multipath is enabled the external-versus-internal path, highest router ID, and closest-neighbor metrics are not used. If the MED and AS_PATH are the same, both routes are installed into the routing table. By using ebgp-multihop and associating it with a loopback you can load balance BGP over two parallel communication lines. BGP can load balance across up to six equal paths. Use the maximum-paths <1-6> command to change this. IBGP can only use one path.

Ø *Automatic Load Balancing
Method 1 - Two communication lines going to two routers.
  router bgp 100
   maximum-paths 2   (up to 6 can be used)
   nei 1.1.1.1 filter-list 1 out
   nei 2.2.2.2 filter-list 1 out
  ip as-path access-list 1 permit ^$
Don't forget about those routing loops.
Single Router - Use the ebgp-multihop and update-source commands and it will be automatic.
Method 2 - Two communication lines going to the same router. Create a loopback and use update-source with ebgp-multihop.

Ø Load Share - Outbound
No routes received - use default routes.
Full routing - choose the best path.
Partial routes - only accept ^$ routes from the ISP.

Ø Load Sharing on Inbound with AS-PATH
  router bgp 100
   nei <2> remote-as 200
   nei <2> route-map add-to-200 out
   nei <3> remote-as 300
   nei <3> route-map add-to-300 out
  route-map add-to-200 permit 10
   match ip addr 5
   set as-path prepend 100 100
  route-map add-to-300 permit 10
   match ip addr 10
   set as-path prepend 100 100
  access-list 5 permit 192.168.1.0 0.0.0.255
  access-list 10 permit 192.168.2.0 0.0.0.255

Ø Load Sharing on Inbound with MED
  router bgp 100
   nei <2> remote-as 200
   nei <2> route-map set-med out
   nei <3> remote-as 200
   nei <3> route-map set-med out
  route-map set-med permit 10
   set metric-type internal

Ø Load Sharing without Transit Area
  router bgp 100
   nei <1> remote-as 200
   nei <1> filter-list 1 out
  ip as-path access-list 1 permit ^$

13.7. BGP FILTERING
Filter Expressions

  Network   AS_PATH
  NetA      300 400
  NetB      300
  NetC      100 200
  NetD      100
  NetE      empty

Ø Regular expressions
  Character       Symbol    Special Meaning
  Period          .         Matches any single character, including white space.
  Asterisk        *         Matches zero or more sequences of the pattern.
  Plus sign       +         Matches one or more sequences of the pattern.
  Question mark   ?         Matches zero or one occurrence of the pattern.
  Caret           ^         Begins with.
  Dollar sign     $         Ends with.
  Underscore      _         Matches a comma (,), left brace ({), right brace (}), left parenthesis, right parenthesis, the beginning of the input string, the end of the input string, or a space.
  Brackets        [range]   Designates a range of single-character patterns.
  Hyphen          -         Separates the end points of a range.
  Parentheses     ()        Repeat string, i.e. (ab)+ matches ab or abab or ababab...
  Ctrl-V          ^V        Lets you type a literal ? in an expression.

Examples of Expressions - Routes to be advertised from RTA to the NAP
  Routes                                  Expression   Path Info        Outcome
  Local routes only                       ^$           empty            NetE
  All routes                              .*           all paths        NetA, NetB, NetC, NetD, NetE
  Routes that originated from directly    ^300$        300              NetB
  connected customers                     ^100$        100              NetD
  Connected customer routes and their     ^300_        300 400, 300     NetA, NetB
  customers' routes                       ^100_        100 200, 100     NetC, NetD
  Routes that originated in AS200         _200$        100 200          NetC
  Routes that passed via AS100            _100_        100 200, 100     NetC, NetD
  Coming from AS100                       ^100.*       100 200, 100     NetC, NetD
Use sh ip bgp regexp <reg-expression> to test your statements.
Filtering on AS confederations:
  ip as-path access-list 1 permit _\(65005\)$
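
An offline way to check those expressions against the NetA..NetE table before putting them in an as-path access-list. This is an added example, not from the original notes; it translates the IOS `_` token into an equivalent Python regex alternation, and the paths are the notes' sample table.

```python
"""Test IOS-style AS-path regular expressions against the AS_PATH table above.

Added example, not from the original notes. Cisco's `_` has no Python
equivalent, so it is rewritten as an alternation; the NetA..NetE paths are
the sample table from the notes.
"""
import re

# AS_PATH strings as `show ip bgp regexp` sees them; "" is a locally originated route.
ROUTES = {
    "NetA": "300 400",
    "NetB": "300",
    "NetC": "100 200",
    "NetD": "100",
    "NetE": "",
}

# Cisco `_` matches comma, braces, parentheses, space, or start/end of string.
UNDERSCORE = r"(?:^|$|[\s,{}()])"


def to_python_regex(ios_expr: str) -> str:
    """Translate an IOS AS-path regex into Python `re` syntax."""
    out, chars = [], iter(ios_expr)
    for ch in chars:
        if ch == "\\":                      # keep escapes such as \( and \) intact
            out.append(ch + next(chars, ""))
        elif ch == "_":
            out.append(UNDERSCORE)
        else:
            out.append(ch)
    return "".join(out)


def as_path_matches(ios_expr: str, as_path: str) -> bool:
    """True if `ip as-path access-list N permit <ios_expr>` would match as_path."""
    return re.search(to_python_regex(ios_expr), as_path) is not None


def filter_routes(ios_expr: str, routes: dict[str, str] = ROUTES) -> list[str]:
    """Names of the routes a one-line as-path access-list would permit."""
    return sorted(name for name, path in routes.items() if as_path_matches(ios_expr, path))


if __name__ == "__main__":
    for expr in ("^$", ".*", "^300$", "^100$", "^300_", "^100_", "_200$", "_100_", "^100.*"):
        print(f"{expr:8} -> {', '.join(filter_routes(expr))}")
    print(r"_\(65005\)$ on '(65005)':", as_path_matches(r"_\(65005\)$", "(65005)"))
```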

Ø Use a Distribute-List
  neighbor 2.2.2.2 distribute-list 1 out
  access-list 1 deny 160.0.0.0 0.0.255.255
  access-list 1 permit any
To restrict supernetted subnets use an extended access-list:
  access-list 101 permit ip 160.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255

Ø AS_Path Filtering
Specify an access list based on incoming or outgoing AS_PATHs.
  neighbor 2.2.2.2 filter-list 1 out
  ip as-path access-list 1 deny ^200$
Blocks any route originating from AS 200.

Ø Filtering BGP Using AS-Path Access Lists
  router bgp 200
   no synchronization
   bgp dampening
   neighbor 172.16.65.10 remote-as 100
   neighbor 172.16.65.10 filter-list 10 in
   neighbor 172.16.65.10 filter-list 1 out
   neighbor 172.16.65.10 remote-as 300
   neighbor 172.16.65.10 filter-list 1 out
  !
  ip as-path access-list 1 permit ^200$
  ip as-path access-list 10 permit .*
.* permits any path.
Manipulating BGP Attributes
  router bgp 10
   nei 1.1.1.0 remote-as 10
   nei 2.2.2.0 route-map as-200-in in
  ip as-path access-list 1 permit _300$
  route-map as-200-in permit 10
   match as-path 1
   set local-preference 200
  route-map as-200-in permit 20

Ø Stop a Transit Area Use an as-path filter on both border routers so they only advertise their own AS.

Ø Route-Map Filtering
Can be used on incoming and outgoing BGP updates. Cannot be used to filter incoming updates based on IP address. Allow routes originated in AS 200, deny any from AS 400. Set weight on 200 to 20 and everything else to 10.
  neighbor <x.x.x.x> route-map SETRULE in
  route-map SETRULE permit 10
   match as-path 1
   set weight 20
  route-map SETRULE permit 20
   match as-path 2
  route-map SETRULE permit 30
   set weight 10
  ip as-path access-list 1 permit ^200$
  ip as-path access-list 2 deny _400_
Prepending paths to influence the path to a destination:
  nei 1.1.1.1 route-map setpath out
  route-map setpath permit 10
   set as-path prepend 300 300

Ø Community Filtering
Community values:
  NO_EXPORT      Do not advertise this route to EBGP peers.
  NO_ADVERTISE   Do not advertise to any peer.
  INTERNET       Advertise this route to all routers.
  LOCAL-AS       Used by confederations.

Ø Community-Filtering
Set the routes going out to 2.2.2.2 so they are not forwarded further: no-export.
  neighbor 2.2.2.2 send-community
  neighbor 2.2.2.2 route-map setcommunity out
  route-map setcommunity permit 10
   match ip address 1
   set community no-export
  route-map setcommunity permit 20
  access-list 1 permit 0.0.0.0 255.255.255.255

Ø Community-List
Another, longer way to do it:
  R1
  nei 2.2.2.2 send-community
  nei 2.2.2.2 route-map setcommunity out
  route-map setcommunity permit 10
   match ip address 2
   set community 100 200 additive
  route-map setcommunity permit 20
  access-list 2 permit 0.0.0.0 255.255.255.255
  R2
  nei 3.3.3.3 route-map check-comm in
  route-map check-comm permit 10
   match community 1
   set weight 10   (or do nothing)
  route-map check-comm permit 20
   match community 2
  ip community-list 1 permit 100
  ip community-list 2 permit internet
This disallows one match (community-list 1) and allows everyone else.
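
The community mechanics used in the Community Attribute section and in the two filtering examples above (AS:NN encoding, set versus set additive, standard community-list matching, and what NO_EXPORT / NO_ADVERTISE / LOCAL-AS do to advertisement), worked in Python. This is an added example, not from the original notes; the well-known values are the RFC 1997 constants, and the prefixes and AS numbers are constructed.

```python
"""BGP community values: encoding, route-map set/additive, community-list
matching, and the effect of the well-known communities on advertisement.

Added example, not part of the original notes. The well-known constants are
the RFC 1997 values; prefixes, AS numbers and peers are constructed.
"""
from dataclasses import dataclass, replace

NO_EXPORT = 0xFFFFFF01     # not advertised to EBGP peers outside the confederation
NO_ADVERTISE = 0xFFFFFF02  # not advertised to any peer
LOCAL_AS = 0xFFFFFF03      # NO_EXPORT_SUBCONFED: not even to confederation EBGP peers

WELL_KNOWN = {"no-export": NO_EXPORT, "no-advertise": NO_ADVERTISE, "local-as": LOCAL_AS}


def encode(text: str) -> int:
    """'200:1' -> 32-bit value (AS in the high 16 bits, provider value in the
    low 16). Also accepts the IOS keywords and plain decimal numbers."""
    if text in WELL_KNOWN:
        return WELL_KNOWN[text]
    if ":" in text:
        asn, val = (int(part) for part in text.split(":", 1))
        if not (0 <= asn <= 0xFFFF and 0 <= val <= 0xFFFF):
            raise ValueError(f"community out of range: {text}")
        return (asn << 16) | val
    return int(text)


def decode(value: int) -> str:
    """Inverse of encode(): well-known keyword or AS:NN."""
    for name, known in WELL_KNOWN.items():
        if known == value:
            return name
    return f"{value >> 16}:{value & 0xFFFF}"


@dataclass(frozen=True)
class Route:
    prefix: str
    communities: frozenset[int] = frozenset()


def set_community(route: Route, values: list[str], additive: bool = False) -> Route:
    """route-map 'set community <values> [additive]': replace unless additive."""
    new = frozenset(encode(v) for v in values)
    if additive:
        new = route.communities | new
    return replace(route, communities=new)


def matches_community_list(route: Route, entries: list[str]) -> bool:
    """Standard community-list: 'internet' matches every route; otherwise every
    listed value must be present on the route."""
    if "internet" in entries:
        return True
    return frozenset(encode(e) for e in entries) <= route.communities


def may_advertise(route: Route, peer_is_ebgp: bool, peer_in_confederation: bool = False) -> bool:
    """The checks a speaker must apply before sending the route to a peer."""
    if NO_ADVERTISE in route.communities:
        return False
    if not peer_is_ebgp:
        return True                      # IBGP peers: no restriction
    if LOCAL_AS in route.communities:
        return False                     # not even to sub-AS (confederation EBGP) peers
    if NO_EXPORT in route.communities and not peer_in_confederation:
        return False                     # stays inside the AS / confederation
    return True


if __name__ == "__main__":
    r = set_community(Route("10.1.0.0/16"), ["100", "200"], additive=True)
    print(r, [decode(c) for c in sorted(r.communities)])
    print("matches community-list 1 (permit 100):", matches_community_list(r, ["100"]))
    ne = set_community(r, ["no-export"])
    print("no-export to EBGP peer:", may_advertise(ne, peer_is_ebgp=True))
```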

13.8. INTERNET CONNECTIVITY OPTIONS
Use MED to determine the entrance points. Use LP (local preference) to determine the exit points. Set ACL's to determine what traffic goes where. Use AS-PATH for all area manipulation. Use set's for IP address manipulation. Set default routes when possible and block ISP BGP updates that are not needed.

Ø Types of Internet Connections

Ø Single-Homing
Customer has only one connection to the ISP. Configure a default route / default network to the ISP and statics at the ISP.

Ø Multihoming to a Single Provider

Ø Default Only, One Primary, and One Backup Link
Outbound traffic with floating statics or backup interfaces. Inbound traffic can be set by sending a metric (MED) to the ISP routers, with the preferred link carrying the lower metric. Also, block all BGP updates from coming into your area when possible.

Ø Default, Primary, and Backup, Plus Partial Routing
Partial routing is accepting the local ISP routes only. When the customer accepts partial routes, they can then decide which way each partial route should exit. This can be done by setting the local-preference with either AS_PATH, prefix path, or both. Using the AS-PATH, the LP gets set on all prefixes.

Ø Multihoming to Different Providers
This type of configuration will be based on the policies agreed with the ISPs and what AS paths you can modify.

Ø Two Customers with the Same Provider with Backup Link
Here two customers use each other for the backup link versus two lines to the same provider. You set the Local Preference for the primary to 300, unless the path has the neighbor's AS, in which case set it to 200, and the last resort to 100.

Ø Two Customers with Different Providers
Use the community or as-path attribute to determine the routing.

Ø Describe when to use BGP to connect to an ISP
When you connect to 2 different ISPs, it is frequently necessary to use BGP. Redundancy, load sharing, and lower tariffs at particular times of the day or night are some reasons why you would use 2 different ISPs. Also if you have different routing policy requirements than the ISP.
When a link becomes overloaded, the first thing you need to determine is whether the inbound or the outbound traffic is overloading it.

Ø Describe methods to connect to an ISP
If you do not need BGP in your network, use static routes (from the ISP) and default routes (into the ISP) to connect to the ISP. If you do run BGP in your network with your ISP, use access-lists or a firewall for security on your network.

Ø When not to use BGP
You want a different routing policy than the ISP.
You have multiple redundant links to the ISP.

Ø Internet with Static Routes
Internet -s0- R1 -s1/s0- R2
  R1
  router bgp 200
   aggregate-address 192.168.0.0 255.255.248.0
  ip route 192.168.0.0 255.255.248.0 serial0
  R2
  router rip
   passive-interface s0
   netw 192.168.2.0
   netw 192.168.4.0
  ip route 0.0.0.0 0.0.0.0 serial 0
Use RIP for all local routers and use the default route to get to the Internet. The Internet-attached router uses BGP for Internet connectivity and RIP for all local routing.

Ø Internet - Single Exit
Internet - R1 - R2
  R1
  router bgp 200
   nei 192.168.100.1 remote-as 300
  R2
  router rip
   netw 192.168.1.0
   netw 192.168.3.0
  router bgp 300
   netw 192.168.1.0
   netw 192.168.2.0
   nei 192.168.100.2 remote-as 200
  ip route 0.0.0.0 0.0.0.0 192.168.100.2   (R1)

Ø Sending a BGP default route to an IGP
Make sure the IGP does not already have a default pointing to BGP. A route map is used to inject BGP's default route only; otherwise a few too many routes may get injected into the IGP.
RIP - Set the default-metric under RIP; the BGP route is automatically injected into RIP.
IGRP - The ip default-network needs to be set for the redistribution to be successful. This will be set to the BGP address (192.168.2.0). Set the default-metric in IGRP.

Ø Non-Transit Methods
Filter EBGP updates (out) to allow only ^$.
Set the no-export community.
Use a distribute list to allow only your networks.
Filter _all_ incoming updates so you don't receive anything external in your AS.
Turn on synchronization without redistributing EBGP routes into the IGP.
Create an unreachable next-hop issue between IBGP peers in AS100.
Only permit routes originated from your AS100 to be advertised out to other ASs by using the filter-list.
Assign the community Local-AS to all incoming NLRI's and use neighbor send-community to distribute the community information.
In order not to become a transit AS you should only allow your subnets to be advertised, using a route map.

13.9. MULTIPROTOCOL BGP
RFC 2283.
MP_REACH_NLRI: Advertises a feasible route to a peer. Permits a router to advertise NLRI. Allows a given router to report some or all of the Subnetwork Points of Attachment (SNPAs).
MP_UNREACH_NLRI: Used to withdraw a route from service.
Multicast BGP uses two sets of routes: one for unicast and one for multicast. Multicast routes are used with PIM and RPF.

13.10. BASIC BGP CONFIGURATION
  router bgp 100
   network 19.0.0.0
   neighbor 15.1.1.2 remote-as 200

Ø BGP Configuration
  router bgp 109
   no synch
   redistribute ospf 1 route-map routes-to-core
   nei x.x.x.x remote-as 109
   no auto-summ
  route-map routes-to-core permit 10
   set metric-type internal
! Better method, since the BGP routes are statics
  router bgp 109
   no synch
   nei x.x.x.x remote-as 109
   redistribute static route-map route-to-core
   no auto-summ
  router ospf 1
   area 0 range y.y.y.y t.t.t.t
   area 0 range x.x.x.x t.t.t.t
  ip route y.y.y.y y.y.y.y null 0
  ip route x.x.x.x x.x.x.x null 0
  route-map route-to-core permit 10
   set metric 20

13.11. BGP COMMANDS

Ø Other Commands
router bgp sub-commands:
  automatic-tag  ***aggregate-address  *auto-summary  *bgp comm-list  *dampening  default  *default-information  *default-metric  *distance  ***distribute-list  exit  help  *maximum-paths  ***neighbor  **network  no  ***redistribute  *summary-address  *synchronization  *table-map  *timers  *traffic-share
neighbor 1.1.1.1 ? options:
  **advertise-map  *advertisement-interval  **default-originate (used to send a default route to a neighbor, like a stub area)  description  ***distribute-list  **ebgp-multihop  **filter-list  *maximum-prefix  ***next-hop-self  *password  *peer-group  *prefix-list  ***remote-as  *remove-private-AS  ***route-map  ***route-reflector-client  **send-community  *shutdown  *soft-reconfiguration  *timers  **unsuppress-map  **update-source  *version  **weight
sho ip bgp options:
  a.b.c.d  cidr-only  community  community-list  dampened-paths  filter-list  flap-statistics  inconsistent-as  **neighbors  paths  peer-group  regexp  summary

13.12. BGP TROUBLESHOOTING
If the table version is incrementing there is a route flapping.
  sho ip bgp                        Displays the BGP route table
  sho ip bgp paths                  Displays all BGP paths
  sho ip bgp summary                Displays the status of all BGP connections
  sho ip bgp neighbors              Displays the status of all BGP connections
  sho ip bgp filter-list            Displays all routes that conform to a specified filter list
  clear ip bgp *                    To make sure all policies are working properly
  sho ip bgp community no-export    Displays routes that have been tagged
Is your BGP neighbor relationship formed? sh ip bgp summary
Are your BGP networks being advertised? Are the networks to be advertised in the BGP speaker's IGP table? sho ip route
Can your IBGP speakers ping the advertised next-hop address? If not, consider using next-hop-self.
Is your BGP table being formed properly? clear ip bgp *, debug ip bgp events, debug ip bgp updates
Should synchronization be turned off? show ip bgp, show ip route

Ø Verifying BGP
  clear ip bgp {* | address}   Used to re-establish the TCP session; use after all changes
  show ip bgp                  Displays the BGP routing table
  show ip bgp paths            Displays the topology table
  show ip bgp summary          Displays information about the TCP sessions

Ø Common Issues With BGP
Next-hop reachable? Route in the IP routing table? Disable synchronization? Route reflector needed? Redistributing dynamic protocols - routes flapping? Watch out for policies that never converge, policies that converge but won't converge again if a link goes down, and policies that only converge based on the order of messages. A route cannot exit and re-enter a confederation or its own AS.

Ø Troubleshooting Neighbors
Need a valid TCP connection - pingable? Check states; check sh ip bgp nei - is the TCP connection there? Does ebgp-multihop need to be on? Different AS - are the neighbor remote AS's correct? Turn on bgp log-neighbor-changes.

Ø CIDR to Dotted Decimal Notation Chart

  Prefix   Subnet mask        Wildcard mask
  /1       128.0.0.0          127.255.255.255
  /2       192.0.0.0          63.255.255.255
  /3       224.0.0.0          31.255.255.255
  /4       240.0.0.0          15.255.255.255
  /5       248.0.0.0          7.255.255.255
  /6       252.0.0.0          3.255.255.255
  /7       254.0.0.0          1.255.255.255
  /8       255.0.0.0          0.255.255.255
  /9       255.128.0.0        0.127.255.255
  /10      255.192.0.0        0.63.255.255
  /11      255.224.0.0        0.31.255.255
  /12      255.240.0.0        0.15.255.255
  /13      255.248.0.0        0.7.255.255
  /14      255.252.0.0        0.3.255.255
  /15      255.254.0.0        0.1.255.255
  /16      255.255.0.0        0.0.255.255
  /17      255.255.128.0      0.0.127.255
  /18      255.255.192.0      0.0.63.255
  /19      255.255.224.0      0.0.31.255
  /20      255.255.240.0      0.0.15.255
  /21      255.255.248.0      0.0.7.255
  /22      255.255.252.0      0.0.3.255
  /23      255.255.254.0      0.0.1.255
  /24      255.255.255.0      0.0.0.255
  /25      255.255.255.128    0.0.0.127
  /26      255.255.255.192    0.0.0.63
  /27      255.255.255.224    0.0.0.31
  /28      255.255.255.240    0.0.0.15
  /29      255.255.255.248    0.0.0.7
  /30      255.255.255.252    0.0.0.3
  /31      255.255.255.254    0.0.0.1
  /32      255.255.255.255    0.0.0.0

14. IPX and NLSP
IPX RIP is enabled by default when IPX routing is enabled. The IPX default route is enabled as network 2. MTU is between 30 and 65535. IPX does not support multicasts. AD for IPX: statics; dynamic over floating statics. Multiple routes - lower tick is better; if the tick is the same use EIGR. Every 60 seconds all routes are broadcast. Bit 0 in the first octet of the MAC address is the multicast/broadcast indicator; 5555.5555.5555 would have been flagged as multicast/broadcast. Using the command "ipx routing 1.1.1" only assigns the node address of 1.1.1 to non-MAC interfaces (i.e. serial). I would guess that if you wanted all node addresses on the router to be 1.1.1, you would change the MAC address on each LAN interface to 1.1.1... When you enable NLSP or EIGRP on a LAN interface, disable RIP, then EIGRP.
  NLSP
  ipx router rip
  int e0
   ipx net 1.1.1.1
   ipx nlsp rip off
   ipx nlsp sap off

Ø IPX Addressing
Use three-digit addresses for LANs, four-digit addresses for WANs, and five-digit addresses for loopbacks. For the LAN addresses use 100 for router one, 200 for router two, etc. If there are two routers on a segment use both the router numbers. For example, if routers R1 and R5 are on the same segment, use 105 as the IPX network address. Use the same scheme for WAN segments. For example, the IPX network number for the serial connection between R1 and R5 would be 1005. In this example I assumed that R1 was on the left and R5 was on the right. We try to do all our numbering schemes from left to right and from top to bottom. When using ipx routing, for router 1 use "ipx routing 1.1.1". Another example: when numbering your IPX links, I use the router numbers also. So if the IPX link is between router 2 and 5 it's IPX network 25. It makes it very easy to see which network is which in the routing table and to troubleshoot it.

Ø Metric
IPX RIP has two metrics (link delay and hop count).
Delay is 6 on WAN and 1 on LAN.
Lower delay is preferred over lower hops.
You can change the metric/tick/delay with ipx delay.

Ø Frame Types
Encapsulation    Type
802.3            novell-ether (default)
802.2 / 802.5    sap


Eth_II           arpa
ALL SNAPS        snap

Ø Tuning IPX
ipx update-time    Raise on serial.

Ø Static SAPs
Static SAPs will not get advertised on the network they are defined on.
ipx sap 107 mailservre 160.2222.2222.2222 8104 1
ipx sap 4 fileserver 160.3333.3333.3333 451 1
ipx sap 7 ptrserver 160.4444.4444.4444 452 1

Ø GNS
Increases the time period for GNS replies. Useful on ISDN links.
ipx gns-response-delay 1000

14.1. IPX EIGRP
Periodic updates: only changes, and every 120 minutes.
Two-way redistribution with RIP.
Can disable split horizon.
Enable EIGRP at the core and IPX/RIP at the LAN.
Never mix EIGRP and IPXWAN.
Remember once you enable EIGRP/NLSP you still have to turn IPX RIP off for the networks concerned.
The metric for EIGRP is better than IPX RIP's hop metric.
Disable RIP on WAN links or where no Novell hosts or servers are located.

Ø *Rules:
1 – EIGRP routes are preferred over RIP, unless RIP has a lower hop count.
2 – The router redistributes only the routes that are used to forward the data.
SAPs
EIGRP keeps a backup SAP table per neighbor.
EIGRP makes sure the SAP updates are correct.
Use the command sh ipx eigrp neigh server to display the neighbor SAP table.
EIGRP broadcasts SAPs on LANs, but suppresses them on WANs; only updates are sent.
IPX Hellos use the broadcast address <network>.ffff.ffff.ffff
Three differences between EIGRP IP and EIGRP IPX:
  Automatic redistribution
  Metric integration – most IPX metrics are identical
  Naming and directory services – SAPs

Ø Incremental SAPs
To change EIGRP SAP behavior:
Stop periodic SAPs on a LAN with no IPX servers or hosts.
  int e0
   ipx sap-incremental eigrp <as>
Start periodic SAPs on a WAN with no EIGRP routers.


  int s0
   no ipx sap-incremental eigrp <as>
Suppress SAPs on a WAN but don't use EIGRP routing; use RIP.
  int e0
   ipx sap-incremental eigrp <as> rsup-only
To take advantage of Enhanced IGRP's incremental SAP update mechanism while using the RIP routing protocol instead of the Enhanced IGRP routing protocol, specify the rsup-only keyword. SAP updates are then sent only when changes occur, and only changes are sent. Use this feature only when you want to use RIP routing; Cisco IOS software disables the exchange of route information via Enhanced IGRP for that interface.
no ipx sap-incremental split-horizon    In the event of SAP propagation through an NBMA network.

Ø Configurations
ipx router eigrp 100
 redistribute rip
ipx router eigrp 100
 distribute-list 1 out rip
ipx router rip
 distribute-list 1 out eigrp 100

14.2. IPX AND WANS
How do you stop IPX RIP and SAPs from keeping a GRE tunnel up?

Ø IPXWAN
Accurately measures the delay of serial links.
The links negotiate the tick count.
Has no effect on SAPs on serial.
Requires no IPX addressing on WAN links.
Requires PPP encapsulation and not HDLC.
Will define the tick and not use the default of six.
No IPX addressing on the interface for IPXWAN.
6 ticks per WAN, 1 tick per LAN.
IPXWAN is better than tick; more accurate.
IPXWAN Configuration – three requirements:
  Assign an IPX internal number to the router   ipx internal-network 111
  No IPX network address on the interface       no ipx network
  Enable IPXWAN on both ends                    ipx ipxwan 0 unnumbered r1   (default with ipx ipxwan)

Ø IPXWAN Configuration
R1
ipx internal-network 1111
interface Serial0.2 point-to-point


 ipx ipxwan 1111 51 r1
 ipx nlsp enable
ipx router eigrp 20
 redistribute nlsp
 network 800
ipx router nlsp
 area-address 0 0
 redistribute eigrp 20

R5
ipx internal-network 5555
interface Serial0.1 point-to-point
 ipx ipxwan 5555 51 r5
 ipx nlsp enable
ipx router nlsp
 area-address 0 0

Ø IPX and Frame-Relay
frame-relay map ipx 124.00ed.1edf.9821 102 broadcast

Ø IPX over NBMA
*Need full mesh.
Uses Inverse ARP.
Hub / Spoke: use FR map statements on the spoke, Inverse ARP at the hub.
IPX/RIP – same split horizon problems; split horizon cannot be disabled.
EIGRP – disable split horizon at the hub.

14.3. IPX AND DDR
To limit traffic use static IPX routes, static SAPs or snapshot routing. Other possibilities are SPX spoofing, watchdog spoofing and SPX timeouts.
You must configure static SAPs for all resources that need to traverse the link. Since SAPs are blocked, no resources will be available otherwise.

Ø IPX spoofing
Spoofing allows the router to respond while the DDR interface is idle.
Configuring IPX spoofing:
  Turn off route caching                      no ipx route-cache
  Enable SPX spoofing of the idle DDR link    ipx spx-spoof
  Enable IPX watchdog spoofing                ipx watchdog-spoof
  Set SPX idle time                           ipx spx-idle-time

Ø Floating Static
ipx route default 14.0001.0001.0001 floating-static

Ø Type 20 Propagation
int s0


ipx type20-propagation

Ø IPX DDR and Traffic Monitoring
username r5 password 0 cisco
ipx routing 1.1.1
ipx router rip
 no network 12
ipx router eigrp 12
 network 151
isdn switch-type basic-ni
interface BRI0
 encapsulation ppp
 dialer idle-timeout 90
 dialer map ip 151.1.1.5 name r5 broadcast 8358662
 dialer map ipx 151.0005.0005.0005 name r5 broadcast 8358661
 dialer-group 2
 ipx network 151
 ! 2 SPX and 2 IPX commands for DDR
 no ipx route-cache
 ipx watchdog-spoof
 ipx spx-spoof
 ipx spx-idle-time 90
 isdn switch-type basic-ni
 isdn spid1 0835866101 8358661
 isdn spid2 0835866301 8358663
 no cdp enable
 ppp authentication chap
 ppp multilink
access-list 900 deny any any all any rip
access-list 900 deny any any all any sap
access-list 900 deny any any all any 457
access-list 900 permit any
dialer-list 1 protocol ipx list 900

14.4. NLSP
It can be configured on point-to-point FR interfaces.
NLSP does not work on PtM, physical FR interfaces, or loopbacks.
NLSP needs a non-multipoint LAN interface.
You cannot filter SAPs in NLSP.
Disable RIP and SAP after enabling NLSP.
Default behavior of NLSP is:
  ipx router nlsp
   redistribute rip          [invisible]
   redistribute connected    [invisible]
Turn RIP and SAP off by using:
  int e0
   ipx nlsp rip off
   ipx nlsp sap off
When enabling NLSP it might shut down the OSPF process.
When you configure the area address you are specifying which areas routes will pass along.
Set up three areas that share info from the second, with the same area address in 1 and 3.


Supports up to 127 hops.
After a DR has been the DR for 1 minute its priority is increased by 20. To make sure only powerful routers become DRs, increase their priority to be 21 more than any other router's. If you want the priority to be 85 for a router, better make it 65, and in one minute it will be 85.

Ø Metric / Cost
Cost for NLSP can be between 0 and 63.

r1# show ipx route
Codes: C - Connected primary network,    c - Connected secondary network
       S - Static, F - Floating static, L - Local (internal), W - IPXWAN
       R - RIP, E - EIGRP, N - NLSP, X - External, s - seconds, u - uses

9 Total IPX routes. Up to 1 parallel paths and 16 hops allowed.

No default route known.

L        D35 is the internal network
C       E001 (SAP),           Et0
C      D35E2 (NOVELL-ETHER),  Et2
R        D34 [02/01] via      E001.0000.0c02.8cf9,   52s, Et0
N        D36 [20][02/01] via D35E2.0000.0c02.8cfc,  594s, Et2

NX       D40 [20][03/02][02/01] via D35E2.0000.0c02.8cfc, 594s, Et2
R      D34E1 [01/01] via      E001.0000.0c02.8cf9,   53s, Et0
NX     D40E1 [20][02/02][01/01] via D35E2.0000.0c02.8cfc, 594s, Et2
N     D36E02 [20][01/01] via D35E2.0000.0c02.8cfc,  594s, Et2

[20]      Cost of the route (NLSP only). For interior NLSP routes (marked "N"), this is the cost to the destination network. For exterior NLSP routes (marked "NX") this is the equivalent NLSP cost to the edge of the NLSP area.
[03/02]   Ticks/hops to the destination network. For RIP routes, this is the cumulative ticks and hops to the destination network. For NLSP routes, this is the equivalent ticks/hops computed from the NLSP cost to the destination network. For NLSP exterior routes, this is the equivalent ticks/hops computed by adding the RIP ticks/hops advertised at the edge of the NLSP area to the equivalent ticks/hops computed from the NLSP cost to the edge of the area.
[02/01]   Ticks/hops external to the NLSP cloud. These numbers are the tick and hop values advertised by RIP at the point where it entered the NLSP cloud.

Ø Area-Address
NLSP supports a hierarchical addressing scheme. Each routing area is identified by two 32-bit quantities: a network address and a mask. This pair of numbers is called an area address. Expressed in hexadecimal, an example of an area address follows:

• 01234500 --- This number is the network address for this routing area. Every network number within that area starts with the identification code 012345.

• FFFFFF00 --- This number is the mask that identifies how much of the network address refers to the area itself and how much refers to individual networks within the area.

In the example area address above, the first 24 bits (012345) identify the routing area. The remaining 8 bits are used to identify individual network numbers within the routing area (for example, 012345AB, 012345C1, 01234511).


Figure 40-2 highlights the above addressing concepts with three different networks in a single area.

Ø Load-Balancing

Ø Aggregation
Is there a way of getting NLSP aggregated routes to appear as RIP routes further on down a chain of routers? If I am running NLSP in the core and aggregate some routes, when I go to the edge running RIP or EIGRP the aggregated routes do not appear but the non-aggregated ones do.
RIP and EIGRP do not understand summary routes, so you must use a default route to get back to a router that has a more explicit route to your destination.

Ø NLSP Configuration
Enable NLSP
Area summarization
Define the internal network
Enable at the interface
Disable RIP/SAPs on interfaces

ipx routing
ipx internal-network 111
ipx router nlsp
 area-address 0 0
no ipx router rip
no ipx router sap
ipx internal-network cab
int s 0
 ipx network 40
 ipx ipxwan 2 23
 ipx nlsp enable
int e 0
 ipx nlsp enable
 ipx network FAB

14.5. TUNNELING
Create a single IPX network between FR / ISDN / Token-Ring. Put a static SAP into both. Use a tunnel to split / share an IPX network. IRB bridging?

Ø Tunneling
Passenger – protocol to be encapsulated
Carrier – GRE
Transport – IP
When or why would you need to encapsulate IPX? Hop limit, discontinuous networks, separate policies.
Be careful of routing decisions when using a tunnel. The hop count change will affect DV protocols.


Ø IP over IP Tunneling
Watch out for recursive routing loops. When a routing loop happens the router will shut down the tunnel for 1-2 minutes and issue a warning message before it goes into the recursive loop.

Ø Avoiding Loops
Use separate protocol domains if possible.
Use different routing protocols.
Assign the metric for the routing protocol to equal the physical path.
Keep the two IP ranges separate.

Ø FR Switch and Tunneling
R1
frame-relay switching
int s0
 encapsulation frame-relay
 frame-relay route 167 interface tunnel0 43
 frame-relay intf-type dce
int s1
 ip address 172.16.100.1 255.255.255.0
int tu0
 tunnel source serial
 tunnel destination 172.16.13.2

R2
frame-relay switching
int s0
 encapsulation frame-relay
 frame-relay route 93 interface tunnel0 43
 frame-relay intf-type dce
int s1
 ip address 172.16.13.1 255.255.255.0
int tu0
 tunnel source serial
 tunnel destination 172.16.100.2

Ø IP Tunneling
Default mode is GRE. You must configure a destination and a source.
int s 0
 ip address 131.108.13.1 255.255.255.0
int tunnel 0
 tunnel source s 0    (or)    tunnel source 131.108.13.1
 tunnel destination 131.108.13.2

Ø IPX Tunneling
Use NLSP or EIGRP and disable IPX/RIP.
int s 0
 ipx network 131
int tunnel 0
 ipx network 2130
 tunnel source s 0    (or)    tunnel source 131    (What port?)
 tunnel destination 2130    (What destination IP?)


Ø GRE Tunneling (pg 718 Caslow II)
crypto key generate dss r1
crypto key exchange dss passive             (r1)
crypto key exchange dss 10.10.1.1 r3        (r3)
crypto cisco algorithm des
sh crypto key mypubkey dss

14.6. IPX COMMANDS
debug ipx packet
sh ipx int
sh ipx int brief
sh ipx cache
sipxr
sipxs
sh ipx traffic

14.7. IPX TROUBLESHOOTING
Every problem with IPX will be server-centric – everything is for server connectivity.
sh ipx servers
sh ipx int
sh ipx traffic
sh access-list
sh ipx eigrp top
sh ipx int
sh ipx nlsp database
sh ipx route
sh ipx servers
sh ipx traffic
deb ipx ipxwan
deb ipx packet    (no ipx route-cache to monitor)
deb ipx routing activity
deb ipx routing events
deb ipx sap activity
deb ipx sap events

Is the IPX process running on a specific router?
  show protocols
  show ipx interface brief
  show cdp neighbor brief
Is IPX traffic exiting a specific router properly?
  ping ipx
  debug ipx packet
Are you sending and receiving the correct IPX routing updates on the correct interfaces?
  debug ipx routing activity
Are your IPX routing tables converging properly?
  clear ipx route *
  show ipx route
Are your SAP tables converging properly?
  clear ipx route *


  show ipx servers
If using IPX EIGRP, are EIGRP neighbor relationships being formed properly?
  sh ipx eigrp nei
Are the contents of the EIGRP topological database correct and complete?
  sh ipx eigrp top
Are EIGRP metric calculations reflecting the correct cost of the shortest path?
  sipxr
If tunneling IPX traffic, is the tunnel operating properly?
  show tunnel / debug tunnel
Remember: IPX tunneling relies on IP connectivity between the tunnel endpoints. To assure that one tunnel endpoint is reachable from another, ping the tunnel endpoints. If the pings are successful and the tunnel still does not work, check for access-lists on all intermediate routers. Access-lists could be blocking the tunneling traffic.


15. Route Filtering

When you filter routes in OSPF, the filter is only applied on the current router. Since LSAs still flow downstream, all other routers will see these routes as well.

15.1. ROUTE FILTERS
Can be used to identify query boundaries; can be applied in/out, globally, per interface, and during redistribution.
Used for mutual redistribution.
Distance-vector protocols use the routing table to advertise routes.
Link-state protocols use the link-state database to advertise routes.
A route filter will influence the routing table where it is configured, but not on its neighbors. So the best place to use route filters is at the redistribution points.
distribute-list out serial 0 cannot be used on LS protocols since no routes are going out interfaces. distribute-list out <routing-protocol> is the only way to use the out keyword.

Configuring IP Filters                          Applies to:
distribute-list <acl> in                        All updates from neighbors
distribute-list <acl> in <int>                  All updates from interface
distribute-list <acl> out                       All updates sent
distribute-list <acl> out <int>                 All updates sent out interface
distribute-list <acl> out <routing-process>     All updates received through routing process before topology table

Global and interface distribute-lists are combined. Interface distribute-lists do not override globals like the Cisco docs say.
Outbound route filters are always filtered one hop beyond the route filter. Inbound route filters are filtered at the router.

Configuring IPX RIP Filters
ipx input-network-filter <acl>
ipx output-network-filter <acl>

Configuring IPX SAP Filters
ipx input-sap-filter <acl>
ipx output-sap-filter <acl>

EIGRP IPX SAP Filters
distribute-sap-list <acl> in                    SAPs received
distribute-sap-list <acl> in <int>              SAPs received on interface
distribute-sap-list <acl> out                   SAP updates out
distribute-sap-list <acl> out <int>             SAPs out interface
distribute-sap-list <acl> out <protocol>        SAPs out from IPX SAP, NLSP

15.2. PREFIX-LISTS
A prefix list allows you to match by subnet mask and destination network.
If le or ge is not on the end of the line then it is an exact match.
Example #1:
ip prefix-list 1 deny 192.168.10.0/24
Matches only 192.168.10.0 255.255.255.0 itself, not the entire subnet:


Example #2:
ip prefix-list 1 deny 192.168.10.0/24 ge 25
Matches the entire subnet, i.e. the /25 and longer prefixes inside 192.168.10.0/24.
The sequence number starts at 5 and is incremented by 5 automatically.
The best practice is to permit only what you want to see.
*You can use prefix-lists to block BGP paths, NLRI, tuples.
neighbor 172.16.1.1 prefix-list 1 out
ip prefix-list 1 seq 5 deny 192.168.10.0/24
ip prefix-list 1 seq 10 permit 0.0.0.0/0 le 32
-or-
neighbor 172.16.1.1 route-map DO_NOT_SEND out
ip prefix-list 1 seq 5 deny 192.168.10.0/24
ip prefix-list 1 seq 10 permit 0.0.0.0/0 le 32
route-map DO_NOT_SEND permit 10
 match ip address prefix-list 1

Ø Prefix-List Syntax
ip prefix-list <name> permit | deny <condition>      Add line to end
no ip prefix-list <name> seq <seq #>                 Deletes specific line
ip prefix-list <name> seq <seq #> ...                Insert line at number
ip prefix-list <name> description <line>             Add description

Ø Conditions
Match prefix exactly:
ip prefix-list <name> permit | deny <ip prefix>/<prefix-length>
Match IP addresses with subnets shorter than or equal to the prefix length:
ip prefix-list <name> permit | deny <ip prefix>/<prefix-length> le <prefix-length>
Match IP addresses with subnets longer than or equal to the prefix length:
ip prefix-list <name> permit | deny <ip prefix>/<prefix-length> ge <prefix-length>
Match IP addresses between the min and max prefixes:
ip prefix-list <name> permit | deny <ip pfx>/<pfx-len> ge <min-len> le <max-len>
Prefix lists are supported with 11.3 and all versions that support BGP. They are not officially documented even in 12.0.
To enable prefix lists:
distribute-list prefix <prefix-list> in
distribute-list prefix <prefix-list> in <int>
distribute-list prefix <prefix-list> out
distribute-list prefix <prefix-list> out <int>
distribute-list prefix <prefix-list> out <routing-process>

Ø Prefix Examples:
You can use a prefix list to block /32s
ip prefix-list seq 5 deny 0.0.0.0/0
Permit exact prefix 192.168.0.0/16
ip prefix-list CCIE permit 192.168.0.0/16
Deny a default route
ip prefix-list CCIE deny 0.0.0.0/0
Permit all
ip prefix-list CCIE permit 0.0.0.0/0 le 32


Deny all
ip prefix-list CCIE deny 0.0.0.0/0 le 32
Deny /19 and longer in all IP addresses (Internet based one)
ip prefix-list CCIE deny 0.0.0.0/0 ge 19
In 192.168.0.0/24 deny /25 and longer
ip prefix-list CCIE deny 192.168.0.0/24 ge 25
Permit all addresses from /8 to /24
ip prefix-list CCIE permit 0.0.0.0/0 ge 8 le 24

Redistribution Example
router rip
 redistribute eigrp 100 route-map kill-loops
ip prefix-list loop-list seq 10 deny 1.1.1.0/24
ip prefix-list loop-list seq 20 permit 0.0.0.0/0 le 32
route-map kill-loops permit 10
 match ip address prefix-list loop-list
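The exact-match / ge / le rules above are easy to get backwards, so here is an added evaluator (not from the CCIE notes) that applies Cisco prefix-list semantics to a candidate route; the tuple layout and list names are this example's own.

```python
"""Added example, not from the CCIE notes: a small evaluator for Cisco-style
ip prefix-list entries so the exact-match / ge / le rules can be checked
offline.  Entry layout and list names are this example's own."""
import ipaddress
from typing import List, Optional, Tuple

# (sequence, action, prefix, ge, le); ge/le are None when absent from the line
Entry = Tuple[int, str, str, Optional[int], Optional[int]]


def entry_matches(entry: Entry, candidate: str) -> bool:
    """True when the candidate route falls under this prefix-list line."""
    _seq, _action, prefix, ge, le = entry
    net = ipaddress.ip_network(prefix, strict=False)
    cand = ipaddress.ip_network(candidate, strict=False)
    # The first <prefix-length> bits must agree: the candidate lies inside net.
    if not cand.subnet_of(net):
        return False
    # Length rules: no ge/le means an exact length match; "ge N" alone means
    # N..32; "le N" alone means prefix-length..N; both give the closed range.
    low = ge if ge is not None else net.prefixlen
    high = le if le is not None else (32 if ge is not None else net.prefixlen)
    return low <= cand.prefixlen <= high


def evaluate(entries: List[Entry], candidate: str) -> Tuple[str, Optional[int]]:
    """First matching line (by sequence number) decides; implicit deny at the end."""
    for entry in sorted(entries, key=lambda e: e[0]):
        if entry_matches(entry, candidate):
            return entry[1], entry[0]
    return "deny", None


# Example #1 from the notes: without ge/le the /24 line matches only the /24 itself
EXACT = [(5, "deny", "192.168.10.0/24", None, None),
         (10, "permit", "0.0.0.0/0", None, 32)]
# Example #2: "ge 25" makes the line cover every subnet carved out of the /24
SUBNETS = [(5, "deny", "192.168.10.0/24", 25, None),
           (10, "permit", "0.0.0.0/0", None, 32)]
# Internet-style filter from the notes: drop anything /19 or longer
NO_LONG = [(5, "deny", "0.0.0.0/0", 19, None),
           (10, "permit", "0.0.0.0/0", None, 32)]

if __name__ == "__main__":
    for name, plist in (("EXACT", EXACT), ("SUBNETS", SUBNETS), ("NO_LONG", NO_LONG)):
        for route in ("192.168.10.0/24", "192.168.10.128/25", "10.0.0.0/8"):
            print(name, route, evaluate(plist, route))
```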

15.3. DISTRIBUTE-LISTS
Identify the network addresses you want to filter and create an access list.
Determine if you want to filter them on an incoming or outgoing interface.
Assign the access list to filter outgoing routing updates:
distribute-list access-list-number out [interface-name]

Assign the access list to filter incoming routing updates:
distribute-list access-list-number in [interface-name]

A distribute-list in stops routes from getting into the routing table, not LSAs.

Ø Distribute-list in
What is going into the routing process. Dist-list in can only be applied to interfaces.

Ø Distribute-list out
What is being advertised out of the process.
1 – Create the access-list
2 – Create the distribute-list statement
Standard, prefix, and 1300 expanded access-lists can be used for distribute-lists. IOS 12.x may change this?

Ø IGRP Route Filtering
router igrp 10
 network 140.10.0.0
 redistribute rip
 default-metric 1 1 1 1 1
 distribute-list 1 in
access-list 1 deny 170.10.0.0 0.0.255.255
access-list 1 permit any

Ø EIGRP IPX Filtering
ipx router eigrp 100


 network 9e
 network 6c
 network 4a
 distribute-list 800 out s0
access-list 800 permit 6c

Ø EIGRP IP Filtering
router eigrp 1
 network 172.16.0.0
 network 192.168.5.0
 distribute-list 7 out s0
access-list 7 permit 172.16.0.0 0.0.255.255

Ø RIP
access-list 1 deny 10.2.2.0 0.0.0.255
access-list 1 deny 172.16.0.0 0.0.255.255
access-list 1 permit any
router rip
 distribute-list 1 in e0
This blocks routing entries from entering the routing table.

Ø RIP
router ospf 10
 redistribute rip
!
router rip
 redistribute ospf 10 metric 1
 distribute-list 10 out ospf 10
Stops the routing loop by not allowing OSPF routes to be sent back out.

Ø OSPF
On the ASBR use a distribute-list in to stop routes from being put into the routing table; LSAs are still sent.
router ospf 1
 redistribute eigrp 1 subnets
 distribute-list 10 in
access-list 10 deny 10.1.1.1 0.0.0.255
access-list 10 permit 10.2.2.0 0.0.0.255

15.4. ROUTE-MAPS
*Only one route map is allowed per neighbor on BGP.
*End all route-maps with permit statements or you will block routes.
Route maps can be assigned based on protocol and path.
Allows routing based on IP header fields: source address, interface, protocol layer, packet length, and application type.

Ø To configure
Global command:      ip local policy route-map
Interface command:   ip policy route-map
The SET clause is evaluated in order of:


  Next-hop interface
  Next-hop IP address
  Next-hop default interface
  Next-hop default IP address

Ø Match Commands
match as-path
match community
match clns
match interface
match ip address
match ip next-hop
match ip route-source
match length
match metric
match route-type
match tag

Ø Set Commands
set automatic-tag
set interface
set default interface
set ip default next-hop
set ip next-hop
set ip precedence
set ip tos
set level
set metric-type
set next-hop default interface
set next-hop default IP address
set tag

Ø BGP Set Commands
set as-path
set comm-list
set community-list
set dampening
set local-preference
set metric
set nlri
set origin
set ip next-hop
set weight

Ø Route Map Basic Configuration
int e0
 ip address 172.16.23.1 255.255.255.0
 ip policy route-map CCIE      ! disables fast-switching
route-map CCIE permit 10
 match ip address 1
 set interface serial 0
!
access-list 1 permit 172.16.134.0 0.0.0.255
!


 ip route-cache policy         ! to re-enable fast-switching
sh ip policy
debug ip policy

Ø Even ACL Only
access-list 34 permit 192.168.1.0 0.0.254.0
route-map hide-odd deny 10
 match ip address 34
route-map hide-odd permit 20

Ø Odd only
access-list 34 permit 192.168.0.0 0.0.254.0
access-list 35 permit 192.168.6.0 0.0.0.0
route-map hide-odd deny 10
 match ip address 34
route-map hide-odd permit 20
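Why the 0.0.254.0 wildcard picks out odd or even third octets, and how the deny 10 / permit 20 order of hide-odd turns that into what gets advertised, is shown by this added simulation (not from the CCIE notes); the ACL and route-map names follow the notes, the candidate networks are constructed.

```python
"""Added example, not from the CCIE notes: Cisco wildcard-mask matching and
the deny/permit order of the hide-odd route-map.  ACL and route-map names
follow the notes; the data layout and sample networks are this example's own."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Ace = Tuple[str, str, str]           # (action, address, wildcard)
Clause = Tuple[str, Optional[int]]   # (action, ACL number; None = no match clause)


def wildcard_match(address: str, acl_address: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard must match exactly; a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(acl_address))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_permits(acl: List[Ace], address: str) -> bool:
    """Standard ACL: first matching entry wins, implicit deny at the end."""
    for action, acl_address, wildcard in acl:
        if wildcard_match(address, acl_address, wildcard):
            return action == "permit"
    return False


def route_map_permits(route_map: List[Clause], acls: Dict[int, List[Ace]],
                      network: str) -> bool:
    """Sequences are tried in order; the first sequence whose ACL permits the
    network (or that has no match clause) decides.  Falling off the end denies."""
    for action, acl_number in route_map:
        if acl_number is None or acl_permits(acls[acl_number], network):
            return action == "permit"
    return False


# "Even ACL only": wildcard 0.0.254.0 ignores bits 1-7 of the third octet and
# compares bit 0 with 192.168.1.0, so the ACL matches the ODD networks and the
# route-map's deny 10 hides exactly those.
EVEN_ONLY_ACLS = {34: [("permit", "192.168.1.0", "0.0.254.0")]}
# "Odd only": the same wildcard against 192.168.0.0 matches the EVEN networks.
ODD_ONLY_ACLS = {34: [("permit", "192.168.0.0", "0.0.254.0")]}
HIDE_ODD = [("deny", 34), ("permit", None)]   # route-map hide-odd deny 10 / permit 20


def advertised(acls: Dict[int, List[Ace]], networks: List[str]) -> List[str]:
    """Networks that survive the route-map, in their original order."""
    return [n for n in networks if route_map_permits(HIDE_ODD, acls, n)]


# Constructed sample routes: 192.168.0.0 .. 192.168.7.0
CANDIDATES = [f"192.168.{third}.0" for third in range(8)]

if __name__ == "__main__":
    print("even only:", advertised(EVEN_ONLY_ACLS, CANDIDATES))
    print("odd only: ", advertised(ODD_ONLY_ACLS, CANDIDATES))
```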

Ø Internet
route-map adv-default permit 10
 match ip address 10
access-list 10 permit 192.168.200.192 0.0.0.3
router isis
 default-information originate route-map adv-default
This allows 192.168.200.192 to be advertised as a default only if it is in the ISIS database. You have to have ISIS on the link.

Ø Route-Map with Default Map
access-list 10 permit 10.1.1.1 255.255.255.0
route-map adv-default permit 10
 match ip address 10
router ospf 1
 default-information originate route-map adv-default


16. Route Redistribution

Redistribute into...
Protocol   RIP     RIP v2  IGRP    EIGRP   OSPF    BGP     IPX RIP  NLSP    ISIS
RIP        XXX     Works   Works   Works   Works   Works   N/A      N/A     ???
RIPv2      V-F     XXX     V-F     Works   Works   Works   N/A      N/A     Works
IGRP       Works   Works   XXX     Works   Works   Works   N/A      N/A     ???
EIGRP      V-F     Works   V-F     XXX     Works   Works   Auto             ???
OSPF       V-F     Works   V-F     Works   XXX     Works   N/A      N/A     Works
BGP        Why?    Why?    Why?    Why?    Why?    XXX     N/A      N/A     Why?
IPX RIP    N/A     N/A     N/A     Auto    N/A     N/A     XXX      Auto    N/A
NLSP       N/A     N/A     N/A     Works   N/A     N/A     Auto     XXX     N/A
ISIS       ???     Works   ???     Works   Works   Works   N/A      N/A     XXX

16.1. GENERAL REDISTRIBUTION
*If a question states "put x route in routing table but do not make it appear as external", they do not want you to use redistribution to get that route into the table.
When redistributing into a classless protocol: set the metric.
When redistributing into a classful protocol (RIP, IGRP): summarize to a classful boundary or to the Fixed Length Subnet Mask (FLSM) being used by the classful protocol.
When doing 2-way redistribution: create a distribute-list out that only allows the correct routes to be advertised, or use route maps to set metrics.

Ø Redistribution Design
ACCESS level: stub areas pointing up; usually one-way redistribution.
Example 1 – Single border router, one-way redistribution
  Default routes are used
  Redistribute into the upper routing domain (metrics not important)
  Upstream router will have a summary of the access
Example 2 – Multiple border routers, one-way redistribution
  Default routes are used
  Redistribute into the upper routing domain (metrics are important)
Example 3 – Multiple border routers, two-way redistribution
  Distribute-list needed for metric and route selection
  Possible routing loops can form

Ø Redistribution Methods
1  Default routes in stub area       1-way   Redistribute into larger areas


2  Default routes                    1-way   Redistribute with metrics
3  Redistribute with dist-lists      2-way   Avoid routing loops

16.2. REDISTRIBUTION PROBLEMS
Prot.   Metrics                                      AD       Redistribution Options                          Class / Summarization
RIPv1   hops                                         120                                                      classful/FLSM
RIPv2   hops                                         120
IGRP    bw/dly/rel/load/mtu (10000/100/255/1/1500)   100                                                      classful/FLSM
EIGRP   bw/dly                                       90/170   internal, external                              ip summary-address eigrp 1
OSPF    cost                                         110      subnets; metric-type (1|2)                      ABR - area range; ASBR - summary-address
                                                              (internal: metric-type 1, external: metric-type 2)
ISIS    metric                                       115      level-1 | level-1-2 | level-2;                  summary-address level-1
                                                              metric-type [int/ext]; internal, external
BGP     path                                         20/200   internal, external
IPX     delay/ticks
NLSP    cost/throughput                                       internal, external

Ø Router Redistribution Basic Steps
1 – Enable routing protocols on border routers
2 – Specify what networks to advertise
3 – Determine how you want to redistribute (one or two way)
4 – Determine the metric for routes redistributed into RIP, IGRP, and EIGRP
5 – Apply the subnets parameter for subnets redistributed into OSPF
6 – Apply distribute-list (optional)
7 – Apply route-maps (optional)
8 – Address VLSM/FLSM issues if they exist

Ø Administrative Distance
With two-way redistribution make sure the administrative distances don't form a routing loop.
When redistributing two IGP protocols (RIP & OSPF) create a distribute list to only redistribute the routes once, through either IGP protocol.

EIGRP uses the D and EX administrative distances

Ø Passive-Interface
Use passive interfaces to stop advertisements.

Ø Path Selection Problems
Use administrative distance or default metric.


Ø Assigning Metrics
Three ways:
1 - Default metric          Assigns the same metric to all routes.
2 - Redistributed metric    Uses the same metric for the redistributed protocol.
3 - Route maps              Assigned based on protocol and path.
Determine the core or backbone routing protocol (usually EIGRP or OSPF).
Determine which routing protocol is the edge or short-term protocol.
*Use default-metric bandwidth delay reliability loading mtu for IGRP, EIGRP:
  Bandwidth     10000 for ethernet
  Delay         100
  Reliability   255
  Loading       1
  MTU           1500
Use default-metric number for OSPF, RIP, EGP, and BGP redistribution.
Resolve path selection problems that result in a redistributed network with administrative distance or default metric.

Ø Summarization
EIGRP, OSPF, and ISIS can summarize redistributed routes.

Ø Examples: QUIZ
Protocol    Defining Protocol Type / Metric
IGRP        redistribute ospf 1 metric 10000 100 255 1 1500
OSPF        redistribute igrp 1 metric 30 metric-type 1 subnets
RIP         redistribute igrp 1 metric 5
RIP         redistribute isis level-1-2 metric 5
ISIS        redistribute rip metric 5 metric-type external level-2
Connected   redistribute connected metric <?>
            default-metric <?>

Ø Metric Requirements for Redistributing into DV Protocols
You must supply a metric when redistributing into DV protocols, unless they are static or connected routes.
Three ways:
Default metric – assigns the same metric to all redistributed routes.
  IGRP    1000 100 255 1 1500

  EIGRP   1000 100 255 1 1500
  RIP     5
Redistributed metric – uses the same metric for the protocol.
Route maps – assigned based on protocol and path.
Any routes redistributed without a metric will be set to unreachable.
Use route-maps to define metrics based on paths.
Assign metrics to OSPF, RIP, and BGP with the default-metric command.

OSPF automatically assigns a metric of 20 for any redist.

16.3. STATIC REDISTRIBUTION
Connected                      Versus    Static Routes with Next-Hop Address
AD = 0                                   AD = 1
Uses interfaces                          Uses addresses
Automatically redistributed              Manually redistributed


No metric is required for connected and static redistribution.
redistribute static
redistribute connected    Redistributes all interfaces; use a distribute-list to be selective.

16.4. RIP REDISTRIBUTION
All redistribution must be on a classful boundary. Otherwise refer to the VLSM to FLSM section.
*Redistribute connected does not work with RIP.
Automatically redistributes a 0/0 route.

Ø IGRP / EIGRP
default-metric 5
router rip
 redistribute igrp 200 metric 5
 redistribute eigrp 200 metric 5
 network 192.168.3.0

Ø OSPF
router rip
 redistribute ospf 200 metric 3
 network 192.168.3.0

16.5. IGRP REDISTRIBUTION
All redistribution must be on a classful boundary; in this case it is identical to EIGRP. Otherwise refer to the VLSM to FLSM section.

16.6. EIGRP REDISTRIBUTION
Routes coming in will be EX (external) type routes.
Split horizon will stop routing loops when redistributing between routing processes. This may also stop some routes from getting redistributed.
Automatically redistributes with IPX RIP, and with IGRP if the ASs are the same.
Always set the metric when redistributing, either with the redistribute metric or with the default-metric command.

Ø Ways to block routing loops: (Slattery)
Dist-list
access-list 10 deny 1.0.0.0 0.0.0.255
access-list 10 permit any
router rip
 redistribute eigrp 100
 distribute-list 10 out serial 0
Route-Maps
access-list 10 deny 10.1.1.0 0.0.0.255
access-list 10 permit any


route-map kill-loops permit 10
 match ip address 10
router rip
 redistribute eigrp 100 route-map kill-loops
-or-
route-map kill-loops deny 10
 match route-type external
route-map kill-loops permit 20
! this will stop all externals, not just RIP's
Prefix-List
ip prefix-list loop-list seq 10 deny 1.1.1.0/24
ip prefix-list loop-list seq 20 permit 0.0.0.0/0 le 32
route-map kill-loops permit 10
 match ip address prefix-list loop-list
router rip
 redistribute eigrp 100 route-map kill-loops
! Prefix list allows you to match by subnet mask
! and destination network (prefix)

Ø Distance
  access-list 10 permit 172.16.20.0 0.0.0.255
  router eigrp 100
   distance 255 172.16.21.1 0.0.0.0 10
  ! routes matching ACL 10 learned from 172.16.21.1 get AD 255 and are never installed

Ø Admin Tags
  router eigrp 1
   redistribute rip route-map setflag
  router rip
   redistribute eigrp 1 route-map denyflag
  route-map setflag permit 10
   set tag 1
  route-map denyflag deny 10
   match tag 1
  route-map denyflag permit 20

Ø Connected Networks and Statics
  R1
  router eigrp 200
   redistribute connected    ! same as network 1.1.6.0
   redistribute static
   network 1.1.6.0
  ip default-network 1.1.6.0
  !
  ip route 1.1.3.0 255.255.255.0 1.1.6.0

Ø Static Redistribution and Filtering a Static Route
  router eigrp 1
   network 192.31.7.0
   default-metric 10000 100 255 1 1500
   redistribute static
   distribute-list 3 out static
  access-list 3 permit 131.108.0.0
  !
  ip route 131.108.0.0 255.255.0.0 192.31.7.18
  ip route 201.222.5.0 255.255.255.0 192.31.7.10   ! denied by access-list 3
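Both route-filter forms used above (the standard access-list in the distribute-list examples and the prefix-list in the loop-blocking example) are easy to get wrong, because an access-list applied as a route filter only looks at the route's network address, while a prefix-list also checks the mask length. The following Python is an added example for these notes, not code from the original page or from IOS: it implements both matching rules and runs the access-lists and the prefix-list from the examples above over a few constructed candidate routes.

```python
"""Route filtering as an IOS distribute-list / route-map sees it.

Added example for these notes (not from the original page): a standard
access-list used as a route filter compares only the route's network address
against (address, wildcard) pairs, so it cannot tell two prefixes with the same
network address but different masks apart; an ip prefix-list matches the
prefix and a mask-length range (ge/le).  The ACL and prefix-list contents are
the ones in the notes; the sample routes are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    address: str
    wildcard: str = "0.0.0.0"    # omitted wildcard = exact match, as in IOS


@dataclass(frozen=True)
class PrefixEntry:
    seq: int
    action: str
    prefix: str                  # e.g. "1.1.1.0/24"
    ge: Optional[int] = None
    le: Optional[int] = None


def wildcard_match(addr: str, acl_addr: str, wildcard: str) -> bool:
    """Bits where the wildcard is 0 must agree; wildcard-1 bits are ignored."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & care == int(IPv4Address(acl_addr)) & care


def acl_permits(acl: List[AclEntry], route: str) -> bool:
    """First matching entry wins; falling off the end is the implicit deny.
    Only the network address is tested, the mask of the route is ignored."""
    net = IPv4Network(route, strict=False)
    for e in acl:
        if wildcard_match(str(net.network_address), e.address, e.wildcard):
            return e.action == "permit"
    return False


def prefix_list_permits(plist: List[PrefixEntry], route: str) -> bool:
    """IOS prefix-list rule: evaluate in sequence order; an entry matches when
    the route lies inside the entry's prefix and its mask length is in
    [ge, le].  Without ge/le the length must equal the entry's own length;
    'le N' alone means [prefix length, N]; 'ge N' alone means [N, 32]."""
    net = IPv4Network(route, strict=False)
    for e in sorted(plist, key=lambda x: x.seq):
        p = IPv4Network(e.prefix, strict=False)
        low = e.ge if e.ge is not None else p.prefixlen
        high = e.le if e.le is not None else (32 if e.ge is not None else p.prefixlen)
        if net.subnet_of(p) and low <= net.prefixlen <= high:
            return e.action == "permit"
    return False


# access-list 3 permit 131.108.0.0            (static-redistribution example above)
ACL3 = [AclEntry("permit", "131.108.0.0")]

# access-list 10 deny 10.1.1.0 0.0.0.255 / permit any   (loop-blocking example above)
ACL10 = [AclEntry("deny", "10.1.1.0", "0.0.0.255"),
         AclEntry("permit", "0.0.0.0", "255.255.255.255")]

# ip prefix-list loop-list seq 10 deny 1.1.1.0/24 / seq 20 permit 0.0.0.0/0 le 32
LOOP_LIST = [PrefixEntry(10, "deny", "1.1.1.0/24"),
             PrefixEntry(20, "permit", "0.0.0.0/0", le=32)]


def filter_routes(routes: List[str]) -> dict:
    """Run constructed candidate routes through all three filters."""
    return {r: (acl_permits(ACL3, r), acl_permits(ACL10, r), prefix_list_permits(LOOP_LIST, r))
            for r in routes}


if __name__ == "__main__":
    sample = ["131.108.0.0/16", "201.222.5.0/24", "10.1.1.0/24",
              "10.1.1.128/25", "1.1.1.0/24", "1.1.1.0/25"]
    for route, verdict in filter_routes(sample).items():
        print(route, "acl3=%s acl10=%s loop-list=%s" % verdict)
```

The interesting rows are 10.1.1.0/24 against 10.1.1.128/25 (the access-list denies both, because the wildcard hides the mask) and 1.1.1.0/24 against 1.1.1.0/25 (the prefix-list denies only the /24). That second case is why a distribute-list cannot block a more specific leak that a prefix-list can.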

Ø RIP into EIGRP
  router eigrp 200
   redistribute rip metric 10000 100 255 1 1500
   network 192.168.6.0

Ø IGRP and EIGRP (Same AS)
  R1
  router eigrp 200
   network 1.1.1.0
  router igrp 200
   network 1.1.6.0
  R2
  router igrp 200
   network 1.1.2.0

Ø IGRP with a different AS
If the AS numbers of IGRP and EIGRP differ, you must redistribute between them explicitly, with a metric on the redistribute command or with the default-metric command.

Ø IGRP and EIGRP (Different AS)
  R1
  router eigrp 200
   redistribute igrp 300
   network 1.1.1.0
   network 1.1.4.0
   default-metric 125 1000 255 1 1500
  router igrp 300
   redistribute eigrp 200
   network 1.1.6.0
   default-metric 125 1000 255 1 1500
  R2
  router igrp 300
   network 1.1.3.0
   network 1.1.6.0
  R3
  router eigrp 200
   network 1.1.2.0
   network 1.1.4.0

Ø OSPF to EIGRP
  router eigrp 150
   network 150.50.0.0
   redistribute ospf 128
   default-metric 56 1000 255 1 1500

16.7. OSPF REDISTRIBUTION
With area summarization, the router doing the summarizing does not itself use the summary.
Bug in IOS 12.0(5): if OSPF is configured with a "network x.x.x.x 0.0.0.0 area x" command (explicitly identifying an interface), the connected interface information may not be properly redistributed into other protocols (configured with "redistribute ospf xxx ..."). Workaround: use a general mask instead ("network x.x.x.0 0.0.0.255 area x", for example).
If the routes are not classful, use the subnets option on redistribution.
Routes coming in will be E2 (external type 2, the default) routes carried in type 5 LSAs.
OSPF assigns a metric of 20 to all redistributed routes if none is given, except BGP routes, which get 1.
  redistribute ospf 109 match internal external 1 external 2
This is the default for OSPF: both internal and external routes are redistributed.
  redistribute connected subnets
For OSPF the subnets parameter is needed for all subnetted routes.
  debug trace                     ! used to display the type 5 LSAs getting redistributed
  clear ip ospf redistribution    ! manually re-run redistribution
Metric types: type 1 routes include the cost of traversing the OSPF domain; type 2 routes carry the external cost only. By default redistributed routes are external type 2.
Redistribution is always done on an ASBR; if the router was not an ASBR before, it is afterwards.

Ø Static
  router ospf 10
   redistribute static metric 50 metric-type 1 subnets
   redistribute connected metric 50 metric-type 1 subnets

Ø RIP
NSSA is good for redistribution of RIP; the RIP routes will be external.
The rule for an OSPF network being redistributed into RIP seems to be:
1. If the network is owned by OSPF only, RIP summarizes it to the major net and passes it to the next RIP router.
2. If the network is owned by both OSPF and a local interface, RIP does not summarize the route, and there are two cases:
   a. If the route is a major net route (unsubnetted), RIP leaves it untouched and passes it to the next RIP router.
   b. If the route is a subnetted route, RIP leaves it untouched, and when it tries to go deeper into the RIP process it is rejected, because RIP only passes major networks.
  router ospf 10
   redistribute rip subnets metric-type 1 metric 12
  router ospf 200
   redistribute rip metric 100
   network 192.168.6.0 0.0.0.255 area 6

Ø IGRP / EIGRP
  router ospf 10
   redistribute igrp <as> metric-type 1 metric 12
   redistribute eigrp <as> subnets metric-type 1 metric 12

Ø ISIS
  router isis
   summary-address 172.16.0.0 255.255.0.0
   redistribute ospf 200 metric 20
   net 48.0001.0000.0000.0001.00

Ø Filtering
On the ASBR use distribute-list out to filter the routes going into other protocols.
distribute-list in stops routes from being installed in the routing table, but it does not stop the LSAs from being flooded.

Ø Summarization and Redistribution (On ASBR)
  router ospf 100
   summary-address 190.10.32.0 255.255.224.0
   redistribute eigrp 90 metric 200 subnets
This summarizes the EIGRP routes inside 190.10.32.0/19 into a single external route.

16.8. IS-IS REDISTRIBUTION
By default IS-IS redistributes its level-2 routes; to get level-1 routes redistributed you must specify them.
  router ospf 200
   log-adjacency-changes
   summary-address 182.18.0.0 255.255.0.0
   redistribute isis metric 300 metric-type 1 subnets
   network 172.16.253.4 0.0.0.3 area 0
   network 172.16.254.0 0.0.0.255 area 0
   distribute-list 4 out

16.9. BGP REDISTRIBUTION
**By default OSPF external routes are not redistributed into BGP. If you want the routes showing as E1 or E2 in your OSPF domain to be redistributed into BGP as well, configure the redistribute command with the match external 1 external 2 sub-options.
If you redistribute IGPs into BGP, watch for routes pointing to null0; make sure only the routes you need are redistributed.
Never redistribute BGP into an IGP on an Internet router. For an enterprise it can be acceptable.
Redistributing a static route is the best way to advertise a supernet, because it stops the route from flapping.
With IGP and BGP redistribution, check the routing tables. If the IGP route is the one chosen, you can change that with:
  router bgp 109
   distance bgp 20 20 20
**With synchronization enabled and BGP redistributed into OSPF, the BGP and OSPF router IDs must match for the routes to count as synchronized. This will NOT be the case if you are using route reflectors, because the reflector changes the RID.
*IBGP routes cannot be redistributed into an IGP in the same AS.
IGP routes are injected into BGP with the network command or with the redistribute command.
*Origin is set to Incomplete on redistributed routes.
**BGP can be used to send default routes to IGP protocols.

Ø Static
  router bgp 200
   redistribute static
  ip route 10.1.1.0 255.255.255.0 null0   ! static to null0 for supernetting

Ø IGRP
Redistribute the BGP route so that the network named in the IGRP ip default-network command (192.168.6.0) is present in the routing table.
  router igrp 100
   default-metric 1000 100 250 100 1500
   redistribute bgp 3 route-map DEFAULT
  ip default-network 192.168.6.0
  route-map DEFAULT permit 10
   match ip address 5
  access-list 5 permit 192.168.6.0

Ø EIGRP
Origin is set to Incomplete.
  router bgp 200
   neighbor 1.1.1.1 remote-as 100
   neighbor 1.1.1.1 distribute-list 1 in
   redistribute eigrp 10
  access-list 1 permit 172.16.0.0 0.0.255.255
You must use redistribution to inject a BGP default into EIGRP. Set the metric and add a route-map as needed.
  router eigrp 100
   redistribute bgp 200 route-map DEFAULT
   default-metric 1000 100 250 100 1500
  route-map DEFAULT permit 10
   match ip address 5
  access-list 5 permit 0.0.0.0

Ø OSPF / ISIS
OSPF does not inject external OSPF routes into BGP unless specifically instructed to, with the following command:
  router bgp 3
   redistribute ospf 3 match external 1 external 2
Normally you would not do this.
Use the neighbor x.x.x.x distribute-list xx out command when redistributing into any IGP; this lets you limit the networks going into the IGP.
  router ospf 1
   redistribute bgp 200
   distribute-list 1 in
  access-list 1 permit 172.16.0.0 0.0.255.255

16.10. IPX REDISTRIBUTION

Ø *Automatic IPX Mutual Redistribution
  IPX EIGRP to IPX RIP
  IPX RIP to NLSP
  IPX RIP and static routes
Manual redistribution: IPX EIGRP - NLSP

Ø IPX EIGRP and IPX RIP Redistribution
Redistribution between IPX RIP and IPX EIGRP is automatic; use the no redistribute command to stop it.
  ipx router eigrp 100
   no redistribute rip

Ø NLSP and IPX EIGRP Redistribution
  ipx router eigrp 20
   redistribute nlsp
  !
  ipx router nlsp
   redistribute eigrp 20

16.11. FLSM AND VLSM
You will almost certainly be asked to do some kind of redistribution between an FLSM protocol and a VLSM protocol, and you will be told you cannot use a static route, a default route, or a default network.
RIP will redistribute the 0.0.0.0 default network; use the default-information originate command.
IGRP does not distribute the 0.0.0.0 network; use the ip default-network command. The network must be classful, must be in the routing table, and must not be on the FLSM router.
ip classless must be configured on the FLSM router.

Ø RIPv2 Method
Create RIP routes with a /25 mask and redistribute them into OSPF without the subnets keyword. Then change RIP to version 2 and see what happens. How can changing RIP to RIPv2 make the routes appear or disappear? RIPv2 carries the subnet mask, so it supports the /28 networks.

Ø Static Method – RIP / IGRP
OSPF ASBR: create a static route to null0 on the ASBR and redistribute static into IGRP.


Ø Second OSPF Process Method – OSPF to RIP / IGRP
Use a second OSPF process: redistribute your main process into the second one, use the summary-address command there, and redistribute the second process into IGRP.

Ø Route-Map Method
OSPF ASBR:
  router ospf 10
   redistribute rip metric 10 subnets
  router rip
   redistribute ospf 10 metric 2 route-map add-all
  route-map add-all permit 10
   match ip address 1
  access-list 1 permit 203.45.2.0 0.0.0.255

Ø Loopback Method OSPF – RIP / IGRP
OSPF ASBR: OSPF /28 -> RIP /24 -> IGRP /24
Create a loopback on a router in the OSPF domain other than the ASBR, using the same subnet but with a /24 mask, and advertise it into OSPF; the IGRP router then sees the /24. You may need ip subnet-zero to create the loopback.

Ø Summarize Method #1
OSPF ABR: summarize the routes if the area is not the same area the ASBR is in. If you use the area range command to summarize an area that is directly connected to the ASBR, the summarized route will not get "injected" into the RIP/IGRP domain.
OSPF ASBR: summarize the area 0 range on a router other than the ASBR, so that the ASBR has the summary in its routing table to redistribute.
For either of these summarization methods to work you must get the summary to the ASBR. The only way to do this is to have the ASBR in another area.

Ø Summarize Method #2
To avoid the problem on an ASBR that a route must be external before summary-address applies to it, redistribute connected into OSPF: the connected route then appears as external and is subject to the summary-address command. Redistribute connected using a route-map that matches only the wanted interfaces (this makes the route an external), use summary-address to make it a /24, then redistribute OSPF into RIP. An external route is injected.
  router ospf 10
   redistribute connected route-map onlyloops subnets
   summary-address 173.16.24.0 255.255.255.0
   summary-address 192.168.12.0 255.255.255.0
  route-map onlyloops permit 10
   match interface Loopback0 Loopback1
  interface Loopback0
   ip address 173.16.24.1 255.255.255.252
  interface Loopback1
   ip address 192.168.12.1 255.255.255.252

16.12. MUTUAL REDISTRIBUTION
This is when routes are redistributed in both directions between two routing processes, usually at more than one router. Differences in administrative distance can then form a routing loop or feed a route back into the domain it came from.
Route tagging is great for mutual redistribution, except with RIPv1 and IGRP, which carry no tags. Distribute-lists work too, but route-maps are more flexible.
To solve this problem use:
  passive-interface
  split horizon
  distribute-list 1 out ospf 10

Ø RIP and OSPF (Dist-List)
  router ospf 10
   redistribute rip metric 10 subnets
  router rip
   redistribute ospf 10 metric 2
   distribute-list 1 out ospf 10

Ø RIP and OSPF (Route-Map)
Example #1
  router ospf 1
   redistribute rip subnets metric 100 route-map r2o
  router rip
   version 2
   redistribute ospf 1 metric 2 route-map o2r
  route-map r2o deny 10
   match tag 110
  route-map r2o permit 20
   set tag 120
  route-map o2r deny 10
   match tag 120
  route-map o2r permit 20
   set tag 110
Example #2
  route-map tagging deny 10
   match tag 100
  route-map tagging permit 20
   set tag 100
  router ospf 1
   redistribute rip subnets metric 100 route-map tagging
  router rip
   version 2
   redistribute ospf 1 metric 2 route-map tagging
The logic is that the routes in the OSPF domain can be separated into internal (no tag) and external (tag 100). Because a tag on OSPF routes does not influence the routes in RIPv2, and vice versa, the same tag 100 can be used in both directions. Harder to understand, though.
Show commands to observe tags: show ip ospf database (the last section shows the tag); debug ip rip database (version 2) shows the tags of routes coming in and going out. IGRP does not understand tagging; EIGRP does, and show ip eigrp topology shows the tag.

Ø IGRP and OSPF
  router igrp 100
   passive-interface serial 0
   distribute-list 1 out ospf 10
  access-list 1 deny 10.10.0.0      ! IGRP route redistributed into OSPF
  access-list 1 permit any
The distribute-list needs to be applied on every router that could advertise the OSPF-learned network back to the originating router.
IGRP -> OSPF
  R1
  router ospf 200
   network 1.1.6.0 0.0.0.255 area 6
   network 1.1.1.0 0.0.0.255 area 0
   network 1.1.4.0 0.0.0.255 area 4
  R2
  router ospf 200
   network 1.1.2.0 0.0.0.255 area 4
   network 1.1.4.0 0.0.0.255 area 4
  R3
  router ospf 200
   redistribute igrp 200 metric 1 metric-type 1
   network 1.1.6.0 0.0.0.255 area 6
  router igrp 200
   redistribute ospf 200 metric 125 1000 255 1 1500
   network 1.1.3.0
   passive-interface serial 0
   distribute-list 1 out ospf 200
  access-list 1 permit 1.1.1.0 0.0.0.255
  access-list 1 permit 1.1.2.0 0.0.0.255

Ø Two-Way Redistribution
Method 1: OSPF – EIGRP
  router eigrp 10
   redistribute ospf 1 match internal
  router ospf 1
   redistribute eigrp 10 route-map Internal-Only
  route-map Internal-Only permit 10
   match route-type internal
Method 2: OSPF – EIGRP
  router eigrp 10
   redistribute ospf 1 route-map OSPF1
  router ospf 1
   redistribute eigrp 10 route-map EIGRP10
  route-map OSPF1 deny 10
   match tag 10
  route-map OSPF1 permit 20
   set tag 1
  route-map EIGRP10 deny 10
   match tag 1
  route-map EIGRP10 permit 20
   set tag 10
  ! routes that went OSPF -> EIGRP carry tag 1 and are refused on the way back;
  ! routes that went EIGRP -> OSPF carry tag 10 and are refused the same way
Two-Way with RIP: RIP has no internal / external route types to match on. Use route filters, or tags with RIPv2.
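What the tagged route-maps in the RIP/OSPF examples and in Method 2 above actually prevent is route feedback: a prefix that leaves domain A through one redistribution router and comes back into A through the other, where it keeps itself alive after the real route is gone. The Python below is an added example for these notes, not code from the page or from IOS; it models route-map tag matching, runs two redistribution points between RIP and OSPF round by round, withdraws a RIP-native prefix after two rounds, and reports whether the prefix lingers. The prefixes, the two-router topology and the withdrawal event are constructed; the tag values 110/120 are the ones from Example #1 above.

```python
"""Tag-based loop prevention for mutual redistribution, simulated.

Added example for these notes (not from the original page or IOS).  Domain
names, prefixes, the number of rounds and the withdraw-after-round-2 event
are constructed for the simulation; the tags are those of Example #1."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    origin: str          # protocol the route was first created in ("rip" / "ospf")
    tag: int = 0         # 0 = untagged


@dataclass(frozen=True)
class MapEntry:
    action: str                      # "permit" or "deny"
    match_tag: Optional[int] = None  # None = entry matches every route
    set_tag: Optional[int] = None


def apply_route_map(rmap: List[MapEntry], route: Route) -> Optional[Route]:
    """First matching entry wins; a permit entry may set the tag; a deny entry
    drops the route; falling off the end is the implicit deny."""
    for entry in rmap:
        if entry.match_tag is None or entry.match_tag == route.tag:
            if entry.action == "deny":
                return None
            if entry.set_tag is not None:
                return replace(route, tag=entry.set_tag)
            return route
    return None


def redistribute(src: Dict[str, Route], rmap: Optional[List[MapEntry]]) -> List[Route]:
    """Routes of src that pass rmap (rmap=None means 'redistribute everything')."""
    passed = []
    for r in src.values():
        out = r if rmap is None else apply_route_map(rmap, r)
        if out is not None:
            passed.append(out)
    return passed


# Route-maps from the notes: RIP->OSPF tags 120 and refuses 110,
# OSPF->RIP tags 110 and refuses 120.
R2O = [MapEntry("deny", match_tag=110), MapEntry("permit", set_tag=120)]
O2R = [MapEntry("deny", match_tag=120), MapEntry("permit", set_tag=110)]


def simulate(r2o: Optional[List[MapEntry]], o2r: Optional[List[MapEntry]],
             rounds: int = 6, withdraw_after: int = 2) -> List[Tuple[bool, bool]]:
    """Two redistribution routers between RIP and OSPF, run round by round.
    Each round a domain's table is rebuilt from its native routes plus whatever
    the other domain exported in the previous round (a native route always
    beats the redistributed copy of the same prefix).  After `withdraw_after`
    rounds the RIP-native 10.1.1.0/24 disappears (link down).  Returns, per
    round, whether 10.1.1.0/24 is still present in (RIP, OSPF)."""
    rip_native = {p: Route(p, "rip") for p in ("10.1.0.0/24", "10.1.1.0/24")}
    ospf_native = {p: Route(p, "ospf") for p in ("172.16.0.0/24",)}
    rip_table, ospf_table = dict(rip_native), dict(ospf_native)
    seen = []
    for rnd in range(rounds):
        if rnd == withdraw_after:
            rip_native.pop("10.1.1.0/24")
        new_rip = dict(rip_native)
        for r in redistribute(ospf_table, o2r):      # OSPF -> RIP at router 2
            new_rip.setdefault(r.prefix, r)
        new_ospf = dict(ospf_native)
        for r in redistribute(rip_table, r2o):       # RIP -> OSPF at router 1
            new_ospf.setdefault(r.prefix, r)
        rip_table, ospf_table = new_rip, new_ospf
        seen.append(("10.1.1.0/24" in rip_table, "10.1.1.0/24" in ospf_table))
    return seen


if __name__ == "__main__":
    print("no route-maps :", simulate(None, None))
    print("tagged        :", simulate(R2O, O2R))
```

Without route-maps the withdrawn prefix never leaves either table: OSPF re-exports the copy it learned from RIP, RIP re-exports it back, and each side refreshes the other. With the tags, the OSPF copy carries tag 120, the OSPF-to-RIP map refuses it, and the ghost route is gone one round after the withdrawal. Tags do not fix the separate administrative-distance problem (an OSPF E2 copy with AD 110 still beats the RIP original at AD 120); that is what the distance command in the EIGRP section is for.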

Ø RIP and IGRP
  router rip
   redistribute igrp 200 route-map igrp-to-rip
   network 192.168.3.0
  router igrp 200
   redistribute rip metric 10000 100 255 1 1500
   network 192.168.6.0
  route-map igrp-to-rip permit 10
   match ip address 1
   set metric 1
  route-map igrp-to-rip permit 20
   match ip address 2
   set metric 2
  route-map igrp-to-rip permit 30
   match ip address 3
   set metric 3
  access-list 1 permit 192.168.6.0 0.0.0.255
  access-list 2 permit 192.168.1.0 0.0.0.255
  access-list 2 permit 192.168.4.0 0.0.0.255
  access-list 3 permit 192.168.2.0 0.0.0.255

Ø IGRP / OSPF Mutual
  access-list 1 permit 172.16.1.0
  access-list 1 permit 172.16.2.0
  access-list 1 permit 10.1.1.0
  access-list 2 permit 172.16.20.0
  access-list 2 permit 172.16.30.0
  access-list 2 permit 10.20.30.0
  router ospf 100
   redistribute igrp 100 subnets
   distribute-list 1 out igrp 100
  router igrp 100
   redistribute ospf 100 metric 10000 1000 255 1 1500
   distribute-list 2 out ospf 100

16.13. REDISTRIBUTION SUMMARIES

Ø RIP
  default-metric 5
  router rip
   redistribute igrp 200 metric 5
   redistribute eigrp 200 metric 5
   redistribute ospf 1 metric 5

Ø IGRP / EIGRP Examples
  Default-Metric    default-metric 10000 100 255 1 1500
  Connected         redistribute connected metric 10000 100 255 1 1500
  Static            redistribute static metric 10000 100 255 1 1500
  RIP               redistribute rip metric 10000 100 255 1 1500
  IGRP (Same AS)    router eigrp 200 / network 1.1.1.0 and router igrp 200 / network 1.1.6.0 (automatic)
  IGRP (Diff AS)    redistribute igrp 100 metric 10000 100 255 1 1500
  OSPF              redistribute ospf 128 metric 56 1000 255 1 1500
  IPX RIP           automatic
  NLSP              redistribute nlsp

Ø OSPF
  Static            redistribute static metric 50 metric-type 1 subnets
  Connected         redistribute connected metric 50 metric-type 1 subnets
  RIP               redistribute rip subnets metric-type 1 metric 12
  IGRP / EIGRP      redistribute eigrp <as> subnets metric-type 1 metric 12

Ø BGP
  EIGRP             redistribute eigrp 10
  OSPF Internal     redistribute ospf 3
  OSPF External     redistribute ospf 3 match external 1 external 2

Ø IPX EIGRP
  IPX RIP           ipx router eigrp 100 / distribute-list 800 in
  NLSP              ipx router eigrp 20 / redistribute nlsp

Ø NLSP
  EIGRP             ipx router nlsp / redistribute eigrp 20

Ø VLSM to FLSM Solutions
  RIPv2
  Use a static route
  Use a second OSPF process
  Use a route-map
  Use a loopback
  Use regular summarization (ABR, ASBR)
  Use reverse summarization (ASBR)

16.14. TROUBLESHOOTING REDISTRIBUTION
Enable the appropriate routing protocol debugging to verify the routes are getting passed through the redistribution process. Is there an FLSM/VLSM conflict in the redistribution?
  show ip protocols
  show ip access-list 1
  clear ip ospf redistribution
  debug ip rip
  debug ip igrp transactions
The router will only advertise the route while it is up.


17. Bridging
BPDUs are sent to the well-known multicast address 01-80-C2-00-00-00.
When enabling bridging, check which protocols are being routed and which are bridged.
The bridge tables are not flushed when the root bridge goes down; the entries have to age out.
All L3 protocols are bridged by default. If you see "bridge 1 route ip" being generated, then that L3 protocol is routed (12.x update).

17.1. STP
Bridges make certain assumptions:
  A source can only appear in one location.
  A station that is receiving will also be transmitting.

17.1.1. Bridge Parameters
Bridge Priority – lower wins the root election, 0 to 65535. A router Ethernet port is 100 by default; a switch port is 32768 by default.
Port Priority – used to select forwarding or blocking.
Hello Time – time between BPDUs.
Max Age – maximum time a bridge holds a configuration message.
Forward Delay – time spent in each of the listening and learning states, i.e. the delay between listening and when the port is allowed to forward data.
All bridged routers set their max age, hello time and forward delay from the root bridge's settings; if another bridge becomes the root, the timers may change.

Ø Path Cost
Path cost is the total cost of the path to the root bridge; larger costs go on lower-bandwidth links.
Path cost is used to set the blocking / forwarding state. Use path cost to:
  determine the path
  force a bridge interface into forwarding mode
  force a bridge interface into blocking mode

Ø The Four Phases of the STP Process
  Election of the root bridge
  Calculate the shortest path to the root bridge
  Block the highest-cost paths
  Maintain and recalculate the spanning tree per VLAN

Ø STP State Flow
Power-on -> Blocking -> Listening -> Learning -> Forwarding (or Disabled)
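The root election in the four phases above is decided purely by what arrives in BPDUs: lowest bridge ID (priority, then MAC) wins, and among BPDUs naming the same root the lowest accumulated path cost wins. That also means any device that can send a BPDU with a lower priority to 01-80-C2-00-00-00 can make itself root and pull traffic through itself, which is what root guard on access ports is for. The Python below is an added example for these notes (not code from the page or from IOS): it builds and parses 802.1D configuration BPDUs in their standard 35-byte layout, runs the election over what a bridge hears, and flags a BPDU that claims a better root than the one the network designates. The bridge IDs, MACs and port costs are constructed.

```python
"""802.1D configuration BPDU parsing, root election and rogue-root detection.

Added example for these notes (not from the original page or IOS).  Frame
layout is the standard one: Ethernet destination 01-80-C2-00-00-00, LLC header
42 42 03, then the 35-byte configuration BPDU (protocol ID, version, type,
flags, root ID, root path cost, bridge ID, port ID, message age, max age,
hello time, forward delay; timers in units of 1/256 s).  The bridge IDs, MAC
addresses and port costs below are constructed."""
import struct
from dataclasses import dataclass
from typing import List, Tuple

STP_MULTICAST = bytes.fromhex("0180c2000000")
LLC_STP = bytes.fromhex("424203")
BPDU_FMT = ">HBBB8sI8sHHHHH"          # 35 bytes, big-endian
BPDU_LEN = struct.calcsize(BPDU_FMT)


@dataclass(frozen=True, order=True)
class BridgeId:
    """2-byte priority followed by the 6-byte MAC; lower wins the election,
    which is exactly what tuple ordering on (priority, mac) gives us."""
    priority: int
    mac: bytes

    def to_bytes(self) -> bytes:
        return self.priority.to_bytes(2, "big") + self.mac

    @classmethod
    def from_bytes(cls, raw: bytes) -> "BridgeId":
        return cls(int.from_bytes(raw[:2], "big"), raw[2:8])


@dataclass(frozen=True)
class ConfigBpdu:
    root: BridgeId
    root_path_cost: int
    bridge: BridgeId
    port_id: int
    max_age: float
    hello_time: float
    forward_delay: float


def build_frame(root: BridgeId, cost: int, sender: BridgeId, port_id: int = 0x8001,
                max_age: int = 20, hello: int = 2, fwd_delay: int = 15) -> bytes:
    """Ethernet 802.3 frame carrying a configuration BPDU from `sender`."""
    bpdu = struct.pack(BPDU_FMT, 0x0000, 0x00, 0x00, 0x00, root.to_bytes(), cost,
                       sender.to_bytes(), port_id, 0, max_age * 256, hello * 256, fwd_delay * 256)
    payload = LLC_STP + bpdu
    return STP_MULTICAST + sender.mac + len(payload).to_bytes(2, "big") + payload


def parse_frame(frame: bytes) -> ConfigBpdu:
    """Reject anything that is not a config BPDU addressed to the STP group."""
    if frame[:6] != STP_MULTICAST or frame[14:17] != LLC_STP:
        raise ValueError("not an STP frame")
    fields = struct.unpack(BPDU_FMT, frame[17:17 + BPDU_LEN])
    proto, _version, bpdu_type, _flags, root, cost, bridge, port, _age, max_age, hello, fwd = fields
    if proto != 0 or bpdu_type != 0x00:
        raise ValueError("not an 802.1D configuration BPDU")
    return ConfigBpdu(BridgeId.from_bytes(root), cost, BridgeId.from_bytes(bridge), port,
                      max_age / 256, hello / 256, fwd / 256)


def elect_root(my_id: BridgeId, heard: List[Tuple[ConfigBpdu, int]]) -> Tuple[BridgeId, int]:
    """`heard` = (BPDU, cost of the port it arrived on).  Lowest root ID wins;
    among BPDUs naming the same root the lowest root path cost wins.  Returns
    (root ID, my root path cost); a bridge hearing nothing better than itself
    becomes root with cost 0."""
    best = (my_id, 0)
    for bpdu, port_cost in heard:
        candidate = (bpdu.root, bpdu.root_path_cost + port_cost)
        if candidate < best:
            best = candidate
    return best


def rogue_root_claims(expected_root: BridgeId, frames: List[bytes]) -> List[BridgeId]:
    """Root-guard style check: senders whose BPDU announces a root better than
    the bridge we designated.  On an access port that is a topology hijack
    (or a misconfigured switch) and the port should be put into blocking."""
    return [b.bridge for b in map(parse_frame, frames) if b.root < expected_root]


# Constructed lab: the intended root (priority 4096), a normal switch, and a
# rogue device with priority 0 that wins the election if the port lets it.
ROOT = BridgeId(4096, bytes.fromhex("00000c000001"))
SWITCH = BridgeId(32768, bytes.fromhex("00000c000002"))
ROGUE = BridgeId(0, bytes.fromhex("deadbeef0001"))


def demo():
    frames = [build_frame(ROOT, 0, ROOT), build_frame(ROOT, 19, SWITCH), build_frame(ROGUE, 0, ROGUE)]
    heard = [(parse_frame(f), 19) for f in frames]        # every port costs 19 (100 Mbit/s)
    return elect_root(SWITCH, heard[:2]), elect_root(SWITCH, heard), rogue_root_claims(ROOT, frames)


if __name__ == "__main__":
    print(demo())
```

With only the two legitimate BPDUs the switch picks ROOT at cost 19 (the direct path beats the 19+19 path heard through the other switch); once the priority-0 frame is heard, the election flips to the rogue, and rogue_root_claims names the offending bridge ID so the port can be blocked.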


17.2. TRANSPARENT BRIDGING
Do not let STP block router interfaces on switches. Use bridge-group 1 path-cost 1000 to determine which path is taken or which ports are blocked.

Ø Configuring Transparent Bridging
  interface Ethernet0
   bridge-group 1
  bridge 1 protocol ieee
  bridge 1 priority 100     ! 0-65535; the lowest value becomes the root bridge
  show spanning-tree

Ø Frame-Relay hub/spoke topology
  R1 (hub with point-to-multipoint)
  interface Serial0.1 multipoint
   frame-relay map bridge 102 broadcast
   frame-relay map bridge 103 broadcast
   bridge-group 1
  bridge 1 protocol ieee
  bridge 1 priority 0         ! use on the hub to make it the root
  R2 & R3 (spokes)
  interface Serial0.1
   bridge-group 1
  bridge 1 protocol ieee

Ø Bridging over ISDN Example
  hostname ROUTER1
  !
  username ROUTER2 password same
  isdn switch-type basic-5ess
  !
  interface Ethernet0
   ip address 172.16.55.33 255.255.255.240
  !
  interface Serial0
   ip address 172.16.54.1 255.255.255.0
  !
  interface BRI0
   description ISDN TO ROUTER2
   encapsulation ppp
   dialer map bridge name ROUTER2 speed 56 5773756
   dialer-group 1
   bridge-group 1
   isdn spid1 0177104130 7710413
   ppp authentication chap
  !
  bridge 1 protocol ieee
  !
  ! permit all bridged packets
  access-list 201 permit 0x0000 0xFFFF
  !
  dialer-list 1 list 201


Ø DDR link
  R1
  interface BRI0
   dialer map bridge name r2 broadcast 8358661
   dialer-group 1
   bridge-group 1
  dialer-list 1 protocol bridge permit
  bridge 1 protocol ieee
  R2
  interface BRI0
   dialer map bridge name r1 broadcast
   dialer-group 1
   bridge-group 1
  dialer-list 1 protocol bridge permit
  bridge 1 protocol ieee
With an ACL:
  interface BRI0
   dialer map bridge name r2 broadcast
   dialer-group 1
  dialer-list 1 protocol bridge list 200
  access-list 200 deny 0xF0F0 0xF0F0
  access-list 200 permit 0x0000 0xFFFF

Ø Configuring Transparent Bridging over a Frame-Relay full-mesh topology
Use frame-relay map bridge <dlci> broadcast for each DLCI.

Ø Bridge Parameters
  forward-time
  hello-time
  max-age
  aging-time

17.3. CONCURRENT ROUTING AND BRIDGING
Cisco feature: bridge and route the same L3 protocol on the same router, but never between the two.
  Bridged L3 -> bridged L3
  Routed L3 -> routed L3
Bridged and routed interfaces keep separate logical network addresses.

Ø Configuring Concurrent Routing and Bridging over Ethernet
  bridge crb
  bridge 1 protocol ieee
  interface Ethernet0
   bridge-group 1


Ø Configuring CRB over a Frame-Relay full-mesh topology

Ø Configuring CRB over a Frame-Relay hub and spoke topology

17.4. INTEGRATED ROUTING AND BRIDGING (IRB)
  Bridged L3 -> routed L3
  Routed L3 -> bridged L3
Packets received on a bridged interface can be routed to another interface, and packets received on a routed interface can be bridged to a bridged interface. Use it to conserve logical network addresses (one subnet shared by bridged and routed ports), to optimize the network by bridging local traffic while routing to other places, or to bridge between VLANs.
IRB uses a BVI interface for all routing commands: a packet is routed to the BVI, forwarded by the bridging engine, and then sent out the bridge-group the BVI belongs to. Bridging to routing is the reverse.
No routed protocols are assigned to the bridged interfaces and no bridging attributes are configured on the BVI. A BVI behaves like a normal routed interface that does not support bridging; it represents the bridge-group to the routed interfaces. When you enable routing on the BVI, packets routed towards it are sent to the bridge-group corresponding to the BVI.

Ø Configuring IRB over Ethernet
  bridge irb
  bridge 1 protocol ieee
  bridge 1 route ip
  bridge 1 route ipx
  no bridge 1 bridge ip
  interface Ethernet0
   bridge-group 1
  interface BVI1
   ipx network 300
  show interfaces bvi 1      ! displays what is bridged and what is routed
Other commands:
  bridge <x> route <protocol>
  bridge <x> bridge <protocol>

Ø Configuring IRB over a Frame-Relay full-mesh topology

Ø Configuring IRB over a Frame-Relay hub and spoke topology

Ø Cisco Feature
  bridge irb
  bridge 1 protocol ieee
  bridge 1 route ip
  no bridge 1 bridge ip
  bridge 1 priority 0
  interface BVI1
   ip address 171.16.30.2 255.255.255.0

Ø Configure Integrated Routing and Bridging (IRB)
Enable IRB:
  bridge irb
Configure the BVI (bridge-group virtual interface):
  interface bvi <bridge-group>
Enable the BVI to accept routed packets:
  bridge <bridge-group> route <protocol>
Enable routing on the BVI for the desired protocols:
  interface bvi 1
   ip address <ip-address> <mask>

17.5. SOURCE ROUTE BRIDGING
If a RIF is in the frame, the multicast (I/G) bit of the source MAC address is set; this is the "magic bit" (RII). A frame with a RIF is either specifically routed, an all-routes explorer, or a spanning-tree explorer. If no RIF is present it is a transparent frame.

Ø Using explorer packets
  Specifically routed frame – follows the route carried in the RIF
  All-routes explorer – sent over all paths
  Spanning-tree explorer (enabled with source-bridge spanning) – sent over the spanning-tree paths only
The IBM version supports 8 rings and 7 bridges; the IEEE 802.5 version supports 14 rings and 13 bridges.
Used for token-ring to token-ring connections. A virtual ring turns the router into a multiport bridge; this allows all token-ring interfaces to act as if they are on the same ring.


  multiring all     ! enables RIF caching and allows routed protocols to use RIFs
Source-Route Bridging – SRB
The RII is the first bit of the source address; 1 = RIF present.
  interface TokenRing0
   source-bridge 10 1 20      ! local ring, bridge number, destination ring
  interface TokenRing1
   source-bridge 20 1 10
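The RIF that the source-bridge statements above produce for a frame crossing from ring 10 to ring 20 through bridge 1 is only a few bytes, and the ring and bridge limits quoted earlier (IBM 8 rings / 7 bridges, IEEE 14 / 13) are simply limits on how many route designators fit. The Python below is an added example for these notes, not code from the page or from IOS: it encodes and decodes a RIF using the standard layout (RII in the source MAC, a 2-byte routing control field with routing type, length, direction and largest-frame bits, then 2-byte ring/bridge designators), and checks the hop count against both dialects. The ring and bridge numbers come from the statements above; the MAC addresses are constructed.

```python
"""Token-Ring RIF (routing information field) encode/decode.

Added example for these notes (not from the original page or IOS).  Layout per
IEEE 802.5 / IBM source routing: the RII is the multicast bit of the source
MAC; the RIF starts with a 2-byte routing control field (3-bit routing type,
5-bit length in bytes, 1-bit direction, 3-bit largest-frame code) followed by
2-byte route designators (12-bit ring, 4-bit bridge).  Ring and bridge numbers
are the ones from the source-bridge statements above; MACs are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SPECIFIC = "specifically-routed"
ALL_ROUTES_EXPLORER = "all-routes-explorer"
SPANNING_EXPLORER = "spanning-tree-explorer"

# Largest-frame codes of the basic (non-extended) LF field, in bytes; 7 = unspecified.
LARGEST_FRAME = {0: 516, 1: 1500, 2: 2052, 3: 4472, 4: 8144, 5: 11407, 6: 17800, 7: None}

# Maximum number of route designators (rings) the two dialects allow.
MAX_RINGS = {"ibm": 8, "ieee": 14}


def rif_present(src_mac: bytes) -> bool:
    """RII: the I/G bit of the source address is borrowed to flag a RIF."""
    return bool(src_mac[0] & 0x80)


@dataclass(frozen=True)
class Rif:
    routing_type: str
    direction: int                       # 0 = read designators left to right, 1 = right to left
    largest_frame: Optional[int]
    hops: Tuple[Tuple[int, int], ...]    # (ring, bridge) pairs; the last bridge is 0


def encode_rif(routing_type: str, hops: List[Tuple[int, int]],
               direction: int = 0, lf_code: int = 1) -> bytes:
    rt = {SPECIFIC: 0b000, ALL_ROUTES_EXPLORER: 0b100, SPANNING_EXPLORER: 0b110}[routing_type]
    length = 2 + 2 * len(hops)
    if length > 31:
        raise ValueError("RIF length field is only 5 bits")
    out = bytes([(rt << 5) | length, (direction << 7) | (lf_code << 4)])
    for ring, bridge in hops:
        if not (0 <= ring < 4096 and 0 <= bridge < 16):
            raise ValueError("ring is 12 bits, bridge 4 bits")
        out += ((ring << 4) | bridge).to_bytes(2, "big")
    return out


def decode_rif(raw: bytes) -> Rif:
    rt = raw[0] >> 5
    length = raw[0] & 0x1F
    if length < 2 or length % 2 or len(raw) < length:
        raise ValueError("bad RIF length")
    if rt & 0b100 == 0:
        kind = SPECIFIC
    else:
        kind = SPANNING_EXPLORER if rt & 0b010 else ALL_ROUTES_EXPLORER
    direction = raw[1] >> 7
    largest = LARGEST_FRAME[(raw[1] >> 4) & 0b111]
    hops = []
    for i in range(2, length, 2):
        designator = int.from_bytes(raw[i:i + 2], "big")
        hops.append((designator >> 4, designator & 0xF))
    return Rif(kind, direction, largest, tuple(hops))


def too_many_hops(rif: Rif, dialect: str = "ibm") -> bool:
    """IBM SRB: 8 rings / 7 bridges; IEEE 802.5: 14 rings / 13 bridges."""
    return len(rif.hops) > MAX_RINGS[dialect]


def parse_frame_rif(frame: bytes) -> Optional[Rif]:
    """Token-Ring MAC fragment: dst(6) src(6) [RIF].  Returns None when the RII
    is clear, i.e. the frame is transparent and has no RIF to parse."""
    src = frame[6:12]
    if not rif_present(src):
        return None
    return decode_rif(frame[12:])


# The two-port SRB from the notes: ring 10 -> bridge 1 -> ring 20.
RIF_10_1_20 = encode_rif(SPECIFIC, [(10, 1), (20, 0)])

if __name__ == "__main__":
    print(RIF_10_1_20.hex(), decode_rif(RIF_10_1_20))
```

The specifically routed RIF for ring 10 / bridge 1 / ring 20 comes out as 06 10 00 A1 01 40: length 6, largest frame 1500, then the designators 0x0A1 (ring 10, bridge 1) and 0x140 (ring 20, bridge 0). A frame whose source MAC has the 0x80 bit clear is handed to transparent bridging and never reaches decode_rif, which is the RII check SRT relies on.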

Ø SRB Options
  source-bridge route-cache                 ! fast switching
  source-bridge route-cache cbus            ! autonomous switching
  source-bridge route-cache sse             ! silicon switching engine
  source-bridge proxy-explorer
  source-bridge explorer-dup-ARE-filter     ! stops duplicate explorers
  source-bridge explorerq-depth 100         ! sets the max explorer queue to 100
  source-bridge explorer-maxrate 1000000    ! max bytes of explorers per ring per second

Ø SRB Configurations
  source-bridge <local-ring> <local-bridge-number> <target-ring>
  source-bridge transparent <ring-group> <pseudo-ring> <bridge-number> <transparent-bridge-group>

Ø Configuring a two-port SRB
  source-bridge 129 1 130
  source-bridge spanning
  multiring all

Ø Configuring a multi-port SRB with a virtual-ring statement
  source-bridge ring-group 1000
  interface TokenRing0
   source-bridge active 1 10 1000
   source-bridge spanning 1
   multiring all
  interface TokenRing1
   source-bridge active 2 10 1000
   source-bridge spanning 1
   multiring all
  bridge 1 protocol ibm

17.6. RSRB
SRB over a WAN.
  FST, TCP or direct encapsulation
  Direct Frame-Relay encapsulation; LLC2 over an IP cloud
  Uses SR/TLB for Ethernet support
  RIFs are end-to-end

Ø Frame-Relay Configuration
  source-bridge ring-group 200
  source-bridge remote-peer 200 frame-relay interface Serial0 203
  interface Serial0
   mtu 3000
   encapsulation frame-relay
   clock rate 56000
   frame-relay lmi-type ansi
   frame-relay map rsrb 30
  interface TokenRing0
   multiring all
   source-bridge active 102 1 200
   source-bridge spanning

Ø TCP Transport
  source-bridge ring-group 5
  source-bridge remote-peer 5 tcp 131.1.2.1
  interface TokenRing0
   source-bridge active 102 1 5
   source-bridge spanning

Ø Local Acknowledgement
  source-bridge ring-group 5
  source-bridge remote-peer 5 tcp 131.1.2.1 local-ack
  interface TokenRing0
   source-bridge active 102 1 5
   source-bridge spanning
   multiring all

Ø Commands
  show controllers token
  show interfaces
  show local-ack

17.7. SRT
Source-Route Transparent bridging lets token-ring devices communicate with transparent bridges by supporting both source-route bridging and transparent bridging on the same interface. To configure SRT, enable transparent bridging and SRB on the interfaces used for SRT. Traffic without a RIF is transparently bridged; traffic with a RIF is source-route bridged. SRT bridges use the routing information indicator (RII) bit to distinguish the two: if the RII is set, a RIF is present and SRB is used.
If there is a mix of SRT and TB bridges, source routes must use whatever SRT bridges are available, which may not be the most optimal path.

Ø SRT Configuration
  interface TokenRing0
   source-bridge 401 5 400
   source-bridge spanning
   bridge-group 1
  bridge 1 protocol ieee
-or-
  interface TokenRing0
   source-bridge 1 1 2
  interface Ethernet0
   bridge-group 1
  bridge 1 protocol ieee

17.8. SR/TLB
When you have token-ring and Ethernet on the same router, DLSw+ cannot translate between the different MAC addressing formats of these interfaces, so you have to use SR/TLB. When a frame from the Ethernet side crosses the router, the router checks the RIF cache: if it has no RIF entry it forwards the frame as a spanning-tree explorer; if it has a RIF cache entry the frame is sent as a unicast.
Token-Ring (SR) to Ethernet Translation (TLB) – the bridge must:
  change the MTU (1500 – 4476)
  add / remove the RIF
  perform bit ordering / swapping
  change frame formats

Ø *Three tasks for SR/TLB Configuration
  Configure SRB (make ring numbers 10 – 99)
  Configure TB (make bridge-groups 1 – 9)
  Configure the virtual ring (make the numbers in the thousands, 1000 – 9999)
  Create the pseudo ring (make the numbers in the hundreds, 100 – 999)
  source-bridge transparent <v-ring-group> <pseudo-ring> <srb-bridge#> <bridge-group#>
  source-bridge transparent 1000 100 10 1
  ! with this numbering scheme the parameters are easy to keep apart

Ø SR/TLB Configuration
  source-bridge ring-group 450
  source-bridge transparent 450 451 5 1
  interface TokenRing0
   source-bridge 401 5 400
   source-bridge spanning
  interface Ethernet0
   bridge-group 1
  bridge 1 protocol ieee


18. DLSw+
Lab info: know mac-exclusive, ACLs, icanreach with SAPs, MACs, etc. / icannotreach, and the commands and how to use them extensively.

Use show dlsw capabilities to see the LSAPs supported. Use debug dlsw to see the LSAPs in action.

DLSw must establish peers, exchange capabilities, and establish a circuit before any end-to-end communication can take place. RFC 1795 defines the SSP messages; DLSw uses SSP for all operations. Requires a full mesh of peers.
DLSw has proxy explorer, NetBIOS name caching, SDLC to LLC2 conversion, SR/TLB and local acknowledgement built in, so they do not need to be configured.

Ø DLSw Operations
Establish connections (TCP ports: read 2065, write 2067).
Exchange capabilities: version, vendor ID, initial window, list of unsupported SAPs, reachable MACs, NetBIOS names, number of TCP connections supported (static resources can be configured). Cisco also exchanges group number, border peer, cost, Cisco version and priority.
*Peers are ready.
Set up SNA / NetBIOS LLC2 circuits (end stations):
  SNA       send TEST, XID frames          DSAP/SSAP 0x04
  NetBIOS   Name Query, Name Recognized    SAP 0xF0

Ø Establish Circuit
  To destination    CANUREACH
  To source         ICANREACH
  To destination    REACH_ACK
  Both directions   XID frame
  To destination    CONTACT
  To source         CONTACTED
  Both directions   INFOFRAME
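The order of that exchange matters: a peer that accepts a CONTACT before the REACH_ACK, or any circuit message before the peer connection has finished its capabilities exchange, is being driven by something other than a well-behaved DLSw partner. The Python below is an added example for these notes, not code from the page or from IOS: it models both sides of the circuit set-up as checked state machines, using the message names listed above and the peer states that show dlsw peers reports, and refuses out-of-order messages. The circuit state names are a simplification for this example rather than the exact RFC 1795 state table; the peer addresses are the ones used in the Ethernet/Token-Ring configuration later in this chapter.

```python
"""DLSw circuit establishment as a checked exchange between two peers.

Added example for these notes (not from the original page or IOS).  Message
names follow the exchange listed above; the peer-connection states are the
ones 'show dlsw peers' reports.  The circuit state names are a simplification
for this example, not the exact RFC 1795 state table."""
from typing import Dict, List, Tuple


class DlswError(Exception):
    pass


# (current circuit state, message, direction) -> next state, per role.
ORIGIN_FSM = {
    ("DISCONNECTED", "CANUREACH", "send"): "RESOLVE_PENDING",
    ("RESOLVE_PENDING", "ICANREACH", "recv"): "CIRCUIT_PENDING",
    ("CIRCUIT_PENDING", "REACH_ACK", "send"): "CIRCUIT_ESTABLISHED",
    ("CIRCUIT_ESTABLISHED", "XIDFRAME", "send"): "CIRCUIT_ESTABLISHED",
    ("CIRCUIT_ESTABLISHED", "XIDFRAME", "recv"): "CIRCUIT_ESTABLISHED",
    ("CIRCUIT_ESTABLISHED", "CONTACT", "send"): "CONNECT_PENDING",
    ("CONNECT_PENDING", "CONTACTED", "recv"): "CONNECTED",
    ("CONNECTED", "INFOFRAME", "send"): "CONNECTED",
    ("CONNECTED", "INFOFRAME", "recv"): "CONNECTED",
}
TARGET_FSM = {
    ("DISCONNECTED", "CANUREACH", "recv"): "CIRCUIT_START",
    ("CIRCUIT_START", "ICANREACH", "send"): "CIRCUIT_PENDING",
    ("CIRCUIT_PENDING", "REACH_ACK", "recv"): "CIRCUIT_ESTABLISHED",
    ("CIRCUIT_ESTABLISHED", "XIDFRAME", "recv"): "CIRCUIT_ESTABLISHED",
    ("CIRCUIT_ESTABLISHED", "XIDFRAME", "send"): "CIRCUIT_ESTABLISHED",
    ("CIRCUIT_ESTABLISHED", "CONTACT", "recv"): "CONTACT_PENDING",
    ("CONTACT_PENDING", "CONTACTED", "send"): "CONNECTED",
    ("CONNECTED", "INFOFRAME", "recv"): "CONNECTED",
    ("CONNECTED", "INFOFRAME", "send"): "CONNECTED",
}


class DlswPeer:
    def __init__(self, name: str, role: str):
        self.name, self.role = name, role
        self.peer_state = "DISCONNECT"     # peer connection, before the TCP session exists
        self.circuit = "DISCONNECTED"      # LLC2 circuit carried over that peer connection

    def tcp_connected(self) -> None:
        """TCP session up (port 2065): capabilities are exchanged next."""
        self.peer_state = "CAP_EXG"

    def capabilities_exchanged(self) -> None:
        if self.peer_state != "CAP_EXG":
            raise DlswError(f"{self.name}: capabilities exchange needs an open TCP session")
        self.peer_state = "CONNECT"

    def step(self, message: str, direction: str) -> str:
        """Apply one sent ('send') or received ('recv') SSP message to the circuit.
        Circuit messages are only legal once the peer connection is CONNECT,
        and only in the order the protocol defines."""
        if self.peer_state != "CONNECT":
            raise DlswError(f"{self.name}: {message} before the peer connection reached CONNECT")
        fsm = ORIGIN_FSM if self.role == "origin" else TARGET_FSM
        key = (self.circuit, message, direction)
        if key not in fsm:
            raise DlswError(f"{self.name}: {message} ({direction}) not valid in state {self.circuit}")
        self.circuit = fsm[key]
        return self.circuit


# The exchange from the notes, as (sender role, message).
CIRCUIT_SCRIPT = [("origin", "CANUREACH"), ("target", "ICANREACH"), ("origin", "REACH_ACK"),
                  ("origin", "XIDFRAME"), ("target", "XIDFRAME"), ("origin", "CONTACT"),
                  ("target", "CONTACTED"), ("origin", "INFOFRAME"), ("target", "INFOFRAME")]


def bring_up_peers(origin: DlswPeer, target: DlswPeer) -> None:
    for peer in (origin, target):
        peer.tcp_connected()
        peer.capabilities_exchanged()


def establish_circuit(origin: DlswPeer, target: DlswPeer) -> List[Tuple[str, str, str]]:
    """Drive both sides through the exchange; each entry is (sender, receiver, message)."""
    peers: Dict[str, DlswPeer] = {"origin": origin, "target": target}
    transcript = []
    for sender, message in CIRCUIT_SCRIPT:
        receiver = "target" if sender == "origin" else "origin"
        peers[sender].step(message, "send")
        peers[receiver].step(message, "recv")
        transcript.append((peers[sender].name, peers[receiver].name, message))
    return transcript


def demo() -> Tuple[List[Tuple[str, str, str]], str, str]:
    origin, target = DlswPeer("10.2.25.1", "origin"), DlswPeer("10.2.5.2", "target")
    bring_up_peers(origin, target)
    return establish_circuit(origin, target), origin.circuit, target.circuit


if __name__ == "__main__":
    for line in demo()[0]:
        print("%s -> %s  %s" % line)
```

Running demo() walks both peers to CONNECTED; calling establish_circuit on peers that have not finished the capabilities exchange, or feeding CONTACT to a peer still in RESOLVE_PENDING, raises DlswError, which is the check a DLSw-aware monitor would apply to traffic on TCP 2065.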

Ø DLSw Peer States
  CONNECT, DISCONNECT, CAP_EXG, WAIT_RD, WAN_BUSY

Ø DLSw Reachability States (why do you get each of these?)
  FOUND, NOT FOUND, SEARCHING, UNCONFIRMED, VERIFY, FRESH, STALE


Ø DLSw versus RSRB
  RIF termination
  DLSw has Ethernet support; RSRB requires SR/TLB
  DLSw has backup peers and load balances
  DLSw eliminates the SRB 7-hop limit
  DLSw handles broadcasts better for reduced traffic, local ack
When migrating from RSRB to DLSw, remove the following from the config:
  proxy explorers
  NetBIOS name caching
  SDLC - LLC2 conversion
  SR/TLB

18.1.1. Encapsulations
When you use local-ack, SNA sessions are not lost while the routing protocol converges. If you use RIP / IGRP you need local ack. EIGRP converges fast enough that local ack is not an issue. OSPF needs the hello-interval set to 6 seconds and the dead-interval set to 18 seconds. If you set the dead time to 16, hello will equal 4 seconds.

Ø Direct encapsulation
- No local ack
- Supports HDLC and Frame Relay
- Fast switched
- End systems must be on Token Ring
- On point-to-point links use direct encapsulation
Direct, fast switched:
  dlsw remote-peer 0 interface serial 0
Direct on Frame Relay (pass-thru is the IOS keyword):
  dlsw remote-peer 0 frame-relay interface serial 0 33 pass-thru
  int s1
   frame-relay map dlsw 33

Ø FST
- No local ack
- End systems must be on Token Ring
- No load balancing
- Fast switched
  dlsw remote-peer 0 fst 10.2.3.2
Not supported: local ack, load balancing. You cannot filter by SAP with FST; all traffic is carried as LLC2 traffic, so SAP or MAC filtering is not possible.

Ø TCP
- Keepalives and acknowledgements are kept off the WAN
- Has the most overhead; header bytes are 20 TCP / 20 IP / 16 DLSw
- Port 2065, process switched
  dlsw remote-peer 0 tcp 10.2.3.2
TCP with RIF pass-through (used by FEPs):
  dlsw remote-peer 0 tcp 10.2.3.2 rif-passthru 100
Not supported: border, pod, dynamic, and backup peers.


Ø LLC2 over Frame Relay
- LLC2 is only supported over Frame Relay
- Supports local ack, RIF pass-thru
- Keepalives and acknowledgements are kept off the WAN
- No backup peers
- With point-to-point subinterfaces use frame-relay interface-dlci 201 rather than frame-relay map llc2 60
DLSW over frame - don't forget frame-relay map dlsw <dlci> broadcast
  dlsw remote-peer 0 llc 10.2.3.2
-or-
  dlsw remote-peer 0 frame-relay interface serial 0 33
  int s1
   frame-relay map llc2 33
For a point-to-point connection:
  dlsw remote-peer 0 frame-relay interface serial 0 33
  int s0.1 point-to-point
   frame-relay interface-dlci 33

18.1.2. DLSW and Ethernet

Ø Configure DLSw+ between one Ethernet and one Token Ring LAN
  source-bridge ring-group 31
  dlsw local-peer peer-id 10.2.25.1
  dlsw remote-peer 0 tcp 10.2.5.2
  dlsw bridge-group 5
  int eth0
   bridge-group 5
  int tok0
   source-bridge active 25 1 10
   source-bridge spanning
  bridge 5 protocol ieee

Ø Configure DLSw+ between two Ethernets
  dlsw local-peer peer-id 10.2.25.1
  dlsw remote-peer 1 tcp 10.2.5.2
  dlsw bgroup-list 1 bgroups 5
  dlsw bridge-group 5
  int ethernet 0
   bridge-group 5
  bridge 5 protocol ieee

18.1.3. Configuring DLSw+

Ø Preconfiguration Checklist
- What is the edge network?
  Eth: TB
  TR: SRB with virtual ring, SRT
  SDLC: DLSW with virtual MAC addressing
  Eth/TR: TB, SRB, SR/TLB
- Select IP addresses


- Any ACLs?
- What MAC address should be exchanged during CAP-EXG?

Ø Configuration Types
- Conf: manual
- Prom: promiscuous
- Pod: peer-on-demand

Ø Adjust LLC2 timers

Ø Limiting explorer traffic
  dlsw remote-peer 1 tcp 172.16.1.1 prom
  dlsw port-list 1 token-ring 0
The port list determines where the remote explorers are flooded to.
  dlsw remote-peer 1 tcp 172.16.1.1 prom
  dlsw ring-list 1 rings 34
  int tok 0
   source-bridge 34 1 73
The ring list determines where the remote explorers are flooded to.

Ø Direct Encapsulation over FR
(Local Peer)
  source-bridge ring-group 100
  dlsw local-peer peer-id 10.2.25.1 promiscuous
  dlsw remote-peer 100 frame-relay int serial0 203 pass-thru
  dlsw remote-peer 0 interface serial 0 10.2.5.2
  !
  int s0
   mtu 3000
   encapsulation frame-relay
   clock rate 56000
   frame-relay lmi-type ansi
   frame-relay map llc2 30
  int tok0
   source-bridge active 102 1 200
(Remote Peer)
  dlsw remote-peer 1 frame-relay int serial 0.1 204 lf 1500 (this is a direct encapsulation)
  int s0.1 multipoint
   frame-relay map llc2 302 broadcast (this is not used on ptp interfaces)
   frame-relay interface-dlci 302 (this is used on ptp interfaces)

Ø Configure DLSw+ between two Token Ring LANs with TCP
  source-bridge ring-group 10
  dlsw local-peer peer-id 10.2.25.1
  dlsw remote-peer 0 tcp 10.2.5.2
  int lo0
   ip addr 10.2.5.2 255.255.255.0
  int tok0
   source-bridge active 25 1 10
   source-bridge spanning


Ø Configure DLSw+ between two Token Ring LANs with FST
Same as above but change this line:
  dlsw remote-peer 0 fst 10.2.5.2

Ø Configure a DLSw+ local-peer with the promiscuous parameter
  source-bridge ring-group 10
  dlsw local-peer peer-id 10.2.25.1 promiscuous
  dlsw remote-peer 0 tcp 10.2.5.2
  int lo0
   ip addr 10.2.5.2 255.255.255.0
  int tok0
   source-bridge active 25 1 10
   source-bridge spanning

Ø DLSW and Redundancy
R3: dlsw local-peer peer-id 150.16.16.2 cost 3 prom
R4: dlsw local-peer peer-id 160.10.10.4 cost 4 prom
R5: dlsw timer explorer-wait-time 5
Use a cost to determine the path; the lowest cost is best. Use explorer-wait-time so the router waits for both explorers before determining the path, rather than taking just the first packet that arrives.

Ø Testing DLSW
Method 1: What about using two edge routers running IPX, and core routers routing only IP?
  RA-----------RB------RC--------------RD
      ethernet      ser      ethernet
- on RA and RD only, turn on ipx routing
- on RA and RD ethernet, set ipx network ABBA encaps sap
- make RB and RC two dlsw peers, link the ethernets to dlsw
- from RA, ping ipx ABBA.<RD Eth-mac> and vice versa
Method 2:
Remember that DLSw is just a way of connecting bridged domains through an Internet Protocol (IP) cloud; the traffic doesn't have to be Systems Network Architecture (SNA). Here is one example: create a loopback interface on two remote Token Ring routers. Under the loopback assign the same Internetwork Packet Exchange (IPX) network. The 'multiring ipx' command allows the router to generate the Routing Information Field (RIF) on behalf of routed traffic. So, now you have simulated a bridged domain, separated by DLSw. You should be able to ping the IPX address of either remote router.


18.1.4. DLSw+ DDR Configurations

Ø DLSW over ISDN with DDR
If you are asked to configure only DLSw over ISDN, then I would do an IP extended access list permitting TCP ports 2065 (read), 2067 (write), 1981, 1982, and 1983. Here are the two recommended commands for SNA DDR:
  dlsw remote-peer <list number> tcp <ip address> dynamic keepalive 0 timeout <seconds>
  dlsw netbios-keepalive-filter
The key points in the first command: set keepalives to zero so they don't keep the link up, and set the timeout appropriately to bring the link down after connections are terminated. Alternatively, you can use dynamic with no-llc or inactivity instead of timeout to do the same thing (more or less). Of course, if you are using the promiscuous keyword on your local-peer statement, you'll need to use the dlsw prom-peer-defaults command to set keepalive, timeout, etc. The second command filters NetBIOS session alive packets that are periodically sent across the link. The only other issue is the routing protocol, which can keep the link up also. If you use a distance vector protocol, you can use snapshot. If OSPF, use demand-circuit.

Ø SNA DDR and Backup Peers
Backup peers can only use FST or TCP encapsulation. FST and direct encapsulation can be fast switched; TCP is process switched. DDR can be used if a permanent connection is not needed and only occasional communication is needed between multiple sites. The keepalive 0 shuts down the RIF keepalives across the connection. There is still a DLSW peer keepalive, and the timeout shuts that down.
  dlsw remote-peer 0 tcp 10.2.3.2 backup-peer 10.2.3.3 dynamic keepalive 0 timeout 120
-or-
  dlsw remote-peer 0 tcp 10.2.3.2 backup-peer 10.2.3.3 dynamic keepalive 0 no-llc 10
  dlsw netbios-keepalive-filter
  int bri0
   dialer map llc2 name r3 broadcast 8358661
  dialer-list 1 protocol llc2 permit

Ø Controlling Peer Selections dlsw timers explorer-wait-time

Ø Backup Peers
Backup peers can only use FST or TCP.
  dlsw remote-peer 0 tcp 10.2.3.2 backup-peer 10.2.3.4 linger 0 (sessions terminate on their own)
  dlsw remote-peer 0 tcp 10.2.3.2 backup-peer 10.2.3.4 linger 30 (sessions terminate in 30 minutes)
  dlsw remote-peer 0 tcp 10.2.3.2 backup-peer 10.2.3.4 (sessions terminate immediately when the primary is back up)


Ø Configuring Cost
  dlsw local-peer peer-id 10.2.3.2 cost 40
  dlsw remote-peer 0 tcp 10.2.3.1 cost 40
  sh dlsw cap
When viewing cost remember that you are viewing the advertised costs. Only sh run will show you the local costs.

18.1.5. DLSW Load Balancing Configurations

Ø Fault Tolerant Mode
Without load balancing, by default DLSW selects the first path it finds. This may be:
- a peer which responded first
- a peer with the least cost
- a port over which a response arrived first

Ø Load-Balancing Mode
  dlsw duplicate-path-bias load-balance
New in 12.0.3T:
  dlsw load-balance round-robin
  dlsw load-balance circuit-weight 40
Use dlsw mac-addr or dlsw netbios-name to configure a static reachability cache entry. Explorer firewalls allow only a single explorer per destination MAC address to be sent across WAN links. TCP header compression, priority and custom queuing can be used to help TCP encapsulation.

Ø Parallel Link Recommendations
- Use FST when possible
- Use TCP when local ack or prioritization is required
- Maximize fast switching

Ø Border Peers / Border Groups
Border peers allow partial mesh configurations.
Border:
  dlsw local-peer peer-id 1.1.1.1 group 40 border promiscuous
  source-bridge ring-group 1
Peers:
  dlsw local-peer peer-id 2.2.2.2 group 40 promiscuous
  dlsw remote-peer 0 tcp 1.1.1.1
  source-bridge ring-group 1
  source-bridge spanning

Ø Configure DLSw+ in a hub/spoke topology with border groups and peer groups
Configure two groups, each with a border router. All local peers connect to the local border router. The two border routers connect to each other. The configuration is:


- Define the group on the dlsw local-peer peer-id statement for all routers
- Add the border statement on the border routers
- Add the pod command on the non-borders
Topology: r1 - r2 and r1 - r3; r1 is the hub, r2 and r3 are spokes.
Add these to all routers:
  source-bridge ring-group 200
  dlsw remote-peer 0 tcp x.x.x.x
  int tok 0
   source-bridge xx 1 200
   source-bridge spanning
r1:
  dlsw local-peer peer-id 10.2.25.1 promiscuous group 70 border
r2:
  dlsw local-peer peer-id 10.2.25.1 promiscuous group 70
  dlsw peer-on-demand-defaults tcp
r3:
  dlsw local-peer peer-id 10.2.25.1 promiscuous group 69
  dlsw peer-on-demand-defaults tcp

Ø Peer Groups
An addition to border groups is to have a secondary group called clusters or peer groups. This allows border routers to limit the broadcasts to other routers. Borders just send one broadcast per cluster. Local routers are grouped by adding cluster <number> to their local-peer command.
On client:
  dlsw local-peer peer-id 10.1.1.1 group 25 prom
On border:
  dlsw local-peer peer-id 10.1.1.1 group 25 border prom
Border routers connect to each other in the normal manner.

Ø Dynamic Peers dlsw remote-peer 0 tcp 10.2.3.2 dynamic inactivity 20 dest-mac 4000.3454.0000

Ø bitswap-layer3-addresses
The command is needed for IP ARPs to cross the bridge. If you're doing SRT or SR/TLB with IP traffic, you need it. Even with SR/TLB, IP needs to know the MAC of the destination host; they just add the RII and RIF to the layer 2 header when they do it. ARP packets carry the MAC address in the payload of the packet, and this command goes into the payload to bitswap the MAC there.
  int token0
   bridge-group 1
  !
  int ethernet0
   bridge-group 1
  !
  bridge 1 protocol ieee
  bridge 1 bitswap-layer3-addresses
I've found that a good approach to this is to use the receiving station's ARP cache, i.e. if you try to ping across a SRT or SR/TLB bridge and an ARP entry appears in the


target in the wrong format, you need to bitswap. Really easy if you're pinging router to router across a bridge; just do sh ip arp <int> on the receiving router and compare with the MAC address of your source.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fibm_r1/br1fpt1/br1ftb.htm#1056224
This command "bitswaps" (to and from noncanonical format) the hardware addresses that are embedded in layer 3 of ARP and RARP frames. As well as for transparent bridging bitswapping, I believe this is used for DHCP responses, as the MAC address is contained in the layer 3 payload and therefore not bitswapped by the layer 2 bridging process.

18.1.6. DLSW (Commands)
  sh dlsw peers
  sh dlsw capabilities
  sh dlsw capabilities ip-addr <ip address>
  sh dlsw circuits
  sh dlsw fastcache
  sh dlsw reachability
  clear dlsw circuit
  clear dlsw reachability
  clear dlsw statistics
  dlsw disable

18.2. BRIDGING TROUBLESHOOTING

Ø TRANSPARENT BRIDGING
- Are all bridge-group members listing the same root bridge? (show span, sho bridge)
- Is your spanning tree being formed properly?
- What ports in the bridge-group (if any) are in a blocking state? (debug span events, show spantree, debug arp)

Ø CRB AND IRB
- Are the proper protocols being bridged over the correct interface?
- Are the proper protocols being routed over the correct interface?
  show interface crb
  show interface irb
  show interface bvi
  sho int bvi0
  sho int s0 irb

Ø SOURCE-ROUTE BRIDGING
  show source
  sho rif


Ø DLSW+
Troubleshoot both sides of the DLSw+ connection. Can you ping your DLSw+ peer? When debugging DLSw you will have to debug both peer-to-peer and peer-to-end-station.
  dlsw disable
  show dlsw peer
  show dlsw reachability
  debug dlsw peer
  debug dlsw reachability
  debug dlsw core
  show span
  show source
  show dlsw capabilities
  show dlsw circuits
  show dlsw peers
  show dlsw reachability

Ø DLSW Debug Prompts
- CSM: Circuit Setup Message, between peers
- CLSI: Common Layer Services Interface, end-to-peer (ind - local, rsp - remote)


19. Access-Lists
Standard ACLs are applied to source IP addresses. Extended ACLs are applied to source and destination, or source and network mask.
*Incoming ACLs block routing protocols.
Place extended lists by source, where the traffic is being denied.

Ø What type of management is needed?
- ACLs
- Queue-lists
- Dist-lists
- Route-maps

Ø Overhead Traffic Types and Solutions
- Route updates: dist-lists, route-maps
- DHCP traffic: queue-list
- DNS traffic: queue-list
- IPX/SAP, GNS traffic: ACLs, EIGRP, NLSP
- LLC-2 S-frames: DLSW
- STP BPDUs: queue list
- Voice traffic: queue list
- AS_PATH updates: AS_PATH ACL

Ø Six Rules of ACLs
- General to specific criteria
- Know the protocols
- Configure global, then interface
- In / Out
- One ACL per interface, per protocol, per direction
- ACL entries are added and processed top to bottom

19.1. IP ACCESS-LISTS
Default mask is 0.0.0.0. Default direction is outbound. Inbound lists are better for routing; outbound lists block routing updates. Apply ACLs closest to the traffic that will be denied. Only one ACL can be applied per interface, protocol, and direction.
Ethernet Type Fields:
- IP 800
- ARP 806
- Reverse ARP 8035
- IPX / SPX 8137

Ø Standard ACLs
- Filter on source
- Usually applied to outbound traffic
- Outbound ACLs block routing protocols

Ø Extended ACLs
- Filter on source IP address, destination IP address, ports, protocols
- Usually applied to inbound traffic


Ø Dynamic ACL
This will require a login to access www.
  username jeff password cisco
  username paul autocommand access-enable host
  int e0
   ip addr 172.16.20.1 255.255.255.0
  int s0
   ip addr 10.200.57.20 255.255.255.0
   ip access-group 100 in
  router rip
   network 10.0.0.0
   network 172.16.0.0
  access-list 100 permit udp any any eq rip
  access-list 100 permit tcp any host 10.200.57.20 eq telnet
  access-list 100 permit tcp any any gt 1023 established
  access-list 100 dynamic firewall timeout 60 permit tcp any host 172.16.20.20 eq www
  line vty 0 4
   login local

Ø L3 Protocol ID’s ICMP 1 TCP 6 UDP 17

Ø Layer 4 Ports - TCP / UDP Ports Ports 1 – 1023 have been reserved, RFC 1700

UDP: Time 37, DNS 53, BootP 67/68, TFTP 69, NetBIOS 137/138, TACACS 49, SNMP 161, NTP 123, RIP 520
TCP: SMTP 25, Telnet 23, FTP 20/21, BGP 179
DNS uses TCP 53 for zone transfers and UDP 53 for queries.

Ø IP helper-address
Automatically forwards these eight protocols:
- 37, Time
- 49, TACACS
- 53, DNS
- 67, BootP server
- 68, BootP client
- 69, TFTP
- 137, NetBIOS name service
- 138, NetBIOS datagram service

19.1.1. ICMP Messages
Destination Unreachable:


- Network Unreachable – failure in routing or addressing
- Host Unreachable – delivery failure, usually wrong subnet mask
- Protocol Unreachable – destination not supporting upper layer protocol
- Port Unreachable – TCP socket or port not available
ICMP echo-request is from a ping. ICMP redirects are sent if a better route is found. ICMP time-exceeded messages are sent by a router if the TTL expires.
Ping Results:
- ! Success
- . Complete route but no reply
- U Destination Unreachable – no route
- N Network Unreachable – there was a route but routing failed
- P Protocol Unreachable – receiving host does not support this protocol
- Q Source Quench – receiving host does not have the buffer space to receive the packet
- M Could not fragment
- A Administratively Unreachable – path is blocked by an ACL
- ? Unknown packet type

19.1.2. ACL and Routing Protocols

Ø When denying outbound traffic make sure you allow for routing protocols.
  access-list 100 permit udp any any eq rip
  access-list 100 permit igrp any any
  access-list 100 permit eigrp any any
  access-list 100 permit ospf any any

Ø Access control lists can filter routing updates
- RIP: UDP port 520, to 255.255.255.255
- RIPv2: UDP port 520, to 224.0.0.9 (default) or 255.255.255.255
- IGRP: IP protocol field 9, to 255.255.255.255
- EIGRP: IP protocol field 88, to 224.0.0.10
- OSPF: IP protocol field 89, to 224.0.0.5 (AllOSPFRouters) and 224.0.0.6 (DR routers)
- BGP: TCP port 179, to the neighbor address

19.1.3. Configuring IP Access-Lists
Group Study Minimum Knowledge List:
  access-list 199 permit ospf any any log
  access-list 199 permit eigrp any any log
  access-list 199 permit pim any any log
  access-list 193 permit igrp any any
VoIP Call Setup:
  access-list 199 permit udp any any range 16383 20000
  access-list 199 permit tcp any eq 1720 any
  access-list 199 permit tcp any any eq 1720
  access-list 199 permit tcp any any range 11000 11999
VoIP for FRTS:
  access-list 104 permit udp host 17.27.2.13 host 17.28.1.14 range 16383 20000
  access-list 104 permit tcp host 17.27.2.13 eq 1720 host 17.28.1.14
  access-list 104 permit tcp host 17.27.2.13 host 17.28.1.14 range 11000 11999
IPSec for FRTS:
  access-list 104 permit esp host 17.27.2.13 host 17.28.1.14


  access-list 104 permit udp host 17.27.2.13 eq isakmp host 17.28.1.14
IPSec:
  access-list 192 permit esp any any
  access-list 192 permit ahp any any
  access-list 199 permit gre any any
Ping:
  access-list 199 permit icmp any any echo-reply
  access-list 199 permit icmp any any echo
DLSW:
  access-list 199 permit tcp any eq 2065 any log
  access-list 199 permit tcp any gt 11000 any eq 2065 log
  access-list 199 permit tcp any gt 11000 any eq bgp log
  access-list 199 permit tcp any eq bgp any gt 11000 log
  access-list 199 permit udp any any eq ntp log
  access-list 199 permit tcp any any eq pim-auto-rp log
  access-list 199 permit esp host 172.16.18.18 host 172.16.18.17 log
  access-list 199 permit tcp host 172.16.18.18 host 172.16.18.17 eq 50 log
  access-list 199 permit tcp host 172.16.18.18 host 172.16.18.17 eq 51 log
  access-list 199 permit udp host 172.16.18.18 host 172.16.18.17 eq isakmp log
Deny Traceroute:
Cisco / Linux traceroute targets UDP ports starting at 33434 in the outbound direction. The returns are ICMP 'port-unreachable' messages.
  access-l 100 deny udp any any range 33434 34199
  inter s 0
   ip access-group 100 out
MS Windows traceroute uses ICMP echo (ICMP has no ports, so match on the echo type rather than a port range):
  access-l 100 deny icmp any any echo
  inter s 0
   ip access-group 100 out
Windows Filesharing and NetBIOS Filter:
  access-list 150 deny udp any any eq netbios-ns
  access-list 150 deny udp any any eq netbios-dgm
  access-list 150 deny tcp any any eq 139
BGP over ISDN:
  access-list 109 deny tcp any any eq bgp
  access-list 109 permit ip any any
BootP:
BootP requires an ip helper-address; if you're using it for DHCP, then use no ip forward-protocol bootp to stop BootP from being forwarded.
-or-
  access-list 101 deny udp any any eq 67
  access-list 101 deny udp any any eq 68
  access-list 101 permit ip any any
Pings:
Pings require both ICMP type echo and echo-reply. If you want to deny pings:
  access-list 100 deny icmp any any echo
  access-list 100 deny icmp any any echo-reply
  access-list 100 permit ip any any
Allow BGP:
  access-list 100 permit tcp any eq 179 any
  access-list 100 permit tcp any any eq 179


-or-
  access-list 100 permit tcp any eq 179 any gt 1024
  access-list 100 permit tcp any any eq 179
FTP:
Permit FTP sessions if established from a local subnet, with an inbound access-list on that local interface.
  access-list 102 permit tcp host 10.10.10.1 gt 1023 19.10.1.0 0.0.0.255 eq ftp
Even Networks Only:
  access-list 3 deny 192.168.1.0 0.0.0.1
  access-list 3 permit any
Odd Networks Only:
  access-list 3 deny 192.168.1.0 0.0.0.254
  access-list 3 permit any
Trivial File Transfer Protocol (TFTP):
  access-list 101 permit udp 1.1.1.1 0.0.0.255 host 2.2.2.2 eq 69
TFTP and nothing else:
  access-list 101 permit udp 172.10.1.0 0.0.0.255 any eq tftp
  access-list 101 permit udp any any gt 1023
  access-list 101 deny udp any any eq tftp
  access-list 101 permit ip any any
Internet Control Message Protocol (ICMP):
  access-list 101 permit icmp 1.1.1.1 0.0.0.255 host 2.2.2.2 echo
  access-list 101 permit icmp host 1.1.1.1 host 2.2.2.2 echo-reply
Network Time Server:
  access-list 101 permit udp host 1.1.1.1 host 2.2.2.2 eq ntp
Deny FTP:
  access-list 101 deny tcp 172.30.11.0 0.0.0.255 172.30.12.0 0.0.0.255 eq 21
  access-list 101 deny tcp 172.30.11.0 0.0.0.255 172.30.12.0 0.0.0.255 eq 20
  access-list 101 permit ip 172.30.11.0 0.0.0.255 any
  !
  int e 0
   ip access-group 101 out
Deny Telnet:
  access-list 101 deny tcp 172.30.11.0 0.0.0.255 host 2.2.2.2 eq 23
  access-list 101 permit ip any any
  !
  int e 0
   ip access-group 101 out
Allow Internet Access Out Only:
  access-list 101 permit tcp any host 128.88.12.45 eq 80
  access-list 101 permit tcp any any gt 1023 established
  !
  int e 0
   ip access-group 101 out
Allow Internet Mail:
  access-list 101 permit tcp any 128.88.0.0 0.0.255.255 established
  access-list 101 permit tcp any host 128.88.12.45 eq smtp
  !
  int e 0
   ip access-group 101 in
Avoid Denial-of-Service Attacks:
  access-list 101 permit tcp any 128.88.0.0 0.0.255.255 established
  ip tcp intercept list 105
  access-list 105 deny tcp any host 128.88.12.45
  int s 0
   ip access-group 105 in
Limit virtual terminal access:


  access-list 12 permit 192.89.55.0 0.0.0.255
  line vty 0 4
   access-class 12 in
Verifying Access-Lists:
  show access-list (displays access lists from all protocols)
  show ip access-list [access-list-number] (displays a specific IP access list)
  clear access-list counters [access-list-number] (clears packet counts)
  show line (displays line configuration)
Null Interface:
  ip route address mask null 0
Configure IP extended access-lists with the ESTABLISHED parameter:
  access-list 101 permit tcp any eq 25 any established
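As an added illustration of the top-to-bottom, first-match, implicit-deny behaviour every list above relies on (this is not code from the original notes; it assumes only the subset of IOS syntax used here: numbered lists, any/host/wildcard addresses, eq/gt/lt/range, established, ICMP type keywords, optional log), the following Python evaluator parses access-list lines and tests constructed packets against them:

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Port names IOS accepts in extended lists (the subset used in the lists above).
PORT_NAMES = {"telnet": 23, "smtp": 25, "www": 80, "bgp": 179, "tftp": 69, "ftp": 21,
              "ftp-data": 20, "ntp": 123, "rip": 520, "isakmp": 500, "domain": 53}
Match = Callable[[int], bool]

@dataclass
class Packet:
    proto: str                 # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False          # TCP ACK or RST set, which is what "established" tests
    icmp_type: str = ""        # "echo", "echo-reply", ...

@dataclass
class Entry:
    permit: bool
    proto: str                 # "ip" matches every protocol
    src: Match
    sport: Match
    dst: Match
    dport: Match
    established: bool = False
    icmp_type: str = ""

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def _addr(t: List[str], i: int) -> Tuple[Match, int]:
    """Parse 'any' | 'host A' | 'A WILDCARD' at t[i]; return (matcher, next index)."""
    if t[i] == "any":
        return (lambda ip: True), i + 1
    if t[i] == "host":
        want = _ip(t[i + 1])
        return (lambda ip: ip == want), i + 2
    base, wild = _ip(t[i]), _ip(t[i + 1])
    # a 1 bit in the wildcard means "don't care" about that address bit
    return (lambda ip: (ip | wild) == (base | wild)), i + 2

def _ports(t: List[str], i: int) -> Tuple[Match, int]:
    """Parse an optional 'eq N' | 'gt N' | 'lt N' | 'range A B' at t[i]."""
    if i < len(t) and t[i] == "range":
        lo, hi = _port(t[i + 1]), _port(t[i + 2])
        return (lambda p: lo <= p <= hi), i + 3
    if i < len(t) and t[i] in ("eq", "gt", "lt"):
        op, n = t[i], _port(t[i + 1])
        return (lambda p: p == n if op == "eq" else (p > n if op == "gt" else p < n)), i + 2
    return (lambda p: True), i

def parse_entry(line: str) -> Entry:
    """Parse one numbered access-list line (IOS abbreviations access-l / per accepted)."""
    t = line.split()
    number, permit = int(t[1]), t[2].startswith("per")
    if number <= 99 or 1300 <= number <= 1999:      # standard list: source address only
        src, _ = _addr(t, 3)
        return Entry(permit, "ip", src, lambda p: True, lambda ip: True, lambda p: True)
    src, i = _addr(t, 4)                            # extended: proto src [ports] dst [ports]
    sport, i = _ports(t, i)
    dst, i = _addr(t, i)
    dport, i = _ports(t, i)
    rest = [x for x in t[i:] if x != "log"]
    icmp_type = rest[0] if t[3] == "icmp" and rest else ""
    return Entry(permit, t[3], src, sport, dst, dport, "established" in rest, icmp_type)

def matches(e: Entry, pkt: Packet) -> bool:
    if e.proto != "ip" and e.proto != pkt.proto:
        return False
    if not (e.src(_ip(pkt.src)) and e.dst(_ip(pkt.dst))):
        return False
    if e.proto in ("tcp", "udp") and not (e.sport(pkt.sport) and e.dport(pkt.dport)):
        return False
    if e.established and not pkt.ack:
        return False
    return not e.icmp_type or e.icmp_type == pkt.icmp_type

def evaluate(lines: List[str], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching line wins, top to bottom; no match falls through to the implicit deny."""
    for idx, entry in enumerate(parse_entry(l) for l in lines):
        if matches(entry, pkt):
            return ("permit" if entry.permit else "deny"), idx
    return "deny", None

# Constructed sample list: the "deny pings" and "Allow BGP" lines from above, plus an
# established line for return traffic and the RIP line that routing updates need.
SAMPLE_ACL = [
    "access-list 100 deny icmp any any echo",
    "access-list 100 deny icmp any any echo-reply",
    "access-list 100 per tcp any eq 179 any",
    "access-list 100 per tcp any any eq 179",
    "access-list 100 permit tcp any any gt 1023 established",
    "access-list 100 permit udp any any eq rip",
]
```

evaluate returns the action and the index of the line that decided it (None for the implicit deny), which is the same question show access-list counters answer on the router.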

Ø IP Extended Access-List Summaries (100-199)
- BGP: bgp and gt 11000-11199
- VoIP Call Setup: 1720 both ways, UDP 16383-20000, TCP 11000-11999
- IPSec: esp (50), ahp (51), udp eq isakmp (500), gre
- Ping: icmp echo and icmp echo-reply
- DLSW: tcp eq 2065, tcp eq 2067, 1981-1983, gt 11000-11199
- Traceroute: udp gt 33434 - 34199
- IP helper-address: 37 Time, 49 TACACS, 53 DNS, 67/68 BootP, 69 TFTP, 137/138 NetBIOS
- TFTP: udp tftp, udp gt 1023 established
- DoS: tcp established, ip tcp intercept list 105, acl->websrvr
- FTP: 20, 21, tcp gt 1023

Ø More Filtering Techniques
Does anyone recall how to block outbound traffic generated by the router itself? Use a route map, match to an access list, and route to int null.
-or-
Policy routing with ip local policy route-map xxxxx
-or-
An access-list cannot be used at all for locally generated traffic, but local policy can.
- Take your access-list that you normally would apply to an interface.
- Rewrite it the other way round (permit what you want to deny).
- Then configure:
  !
  ip local policy route-map ciao
  !
  route-map ciao permit 10
   match ip address <acl nbr>
   set interface null 0
  !
- What you permit with the ACL is what you route to null 0.

Ø Configure IP access-lists to permit or deny a range of addresses
Rule 1: Finite number of masks – major bit boundaries 0, 1, 3, 7, 15, 31, 63, 127, 255; only one octet needed.
Rule 2: Slightly off a major boundary:
- Do lower boundary
- Do upper boundary


- Do specific lower boundary
- Do specific upper boundary
(Five statements usually does all)
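An added Python implementation of Rule 1 and Rule 2 (not from the original notes): it splits any address range into the fewest address/wildcard pairs aligned on the power-of-two boundaries listed above, which generalises the lower/upper boundary procedure to arbitrary ranges; the 192.168.1.16 to 192.168.1.75 range is a constructed example.

```python
import ipaddress
from typing import List, Tuple

def _dotted(n: int) -> str:
    return str(ipaddress.IPv4Address(n))

def range_to_wildcards(first: str, last: str) -> List[Tuple[str, str]]:
    """Cover every address in [first, last] with the fewest (address, wildcard)
    pairs. Each pair is a block aligned on a power-of-two boundary, so its
    wildcard is one of the 0, 1, 3, 7, ... 255 masks from Rule 1 (spilling into
    the next octet only for blocks larger than 256 addresses)."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("first address is above last address")
    entries = []
    while lo <= hi:
        # Grow the block while it stays aligned on its own size and inside the range:
        # the "lower boundary, then bigger boundary" walk of Rule 2, done greedily.
        size = 1
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        entries.append((_dotted(lo), _dotted(size - 1)))
        lo += size
    return entries

def address_count(entries: List[Tuple[str, str]]) -> int:
    """Number of addresses the pairs cover (a wildcard w covers w + 1 addresses)."""
    return sum(int(ipaddress.IPv4Address(w)) + 1 for _, w in entries)

def acl_lines(number: int, action: str, first: str, last: str) -> List[str]:
    """Render the pairs as standard access-list statements."""
    return [f"access-list {number} {action} {a} {w}"
            for a, w in range_to_wildcards(first, last)]

if __name__ == "__main__":
    # Constructed example: deny 192.168.1.16 through 192.168.1.75, permit the rest.
    for line in acl_lines(3, "deny", "192.168.1.16", "192.168.1.75"):
        print(line)
    print("access-list 3 permit any")
```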

Ø Helper Address
  ip helper-address {address}
  ip forward-protocol {udp [port] | nd | sdns} (specific protocols)

Ø IP Named Access-lists

Ø ACL – Lock and Key
Allows a user onto the network once they have been authenticated through the router.
  username jeffk password 0 cisco
  !
  int eth0
   ip access-group 120 in
  access-list 120 permit tcp host 1.1.1.1 host 1.1.1.2 eq telnet
  access-list 120 permit udp any any eq rip
  access-list 120 dynamic jefflist permit tcp host 1.1.1.1 any eq 23
  !
  line vty 0 4
   login local
   autocommand access-enable

19.2. IPX ACCESS-LISTS

19.2.1. The Basics
When 0 is used as the protocol number, only the socket number is used for filtering. Use the ipx output-sap-delay 55 command to limit the number of SAP packets traversing the WAN link. This will eventually be the default on Cisco routers.

Ø ACL Ranges
- Standard: filter on source and destination
- Extended: filter on socket, network, mode
- 800 IPX
- 900 Extended IPX
- 1000 SAP
- Route Summary (NLSP?)
Allow IPX:
  access-list 200 permit 0xE0E0 0x0000
Block IPX:
  access-list 200 deny 0xE0E0 0x0000
  access-list 200 permit 0x0000 0xFFFF

Ø L3 - IPX Protocol Numbers
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/np2_r/2ripx.htm#xtocid271971
- -1 Any


- 1 IPX/RIP
- 2 IPX Ping
- 3 Error Packet
- 4 SAP
- 5 SPX
- 17 NCP
- 20 NetBIOS
- 24 Remote bridge server (router)

Ø L4 - IPX Sockets
- All
- 2 cping
- 451 NCP
- 452 SAP
- 453 RIP
- NetBIOS
- Diagnostic
- 457 Serialization
- 4000-7FFF Dynamic sockets used by workstations for interaction with file servers and other network servers
- 9001 NLSP
- 85BE EIGRP
- 9004 IPXWAN
- 9086 IPX PING, Novell standard ping packet
In NW 4.1 do not filter 0x4, 0x26B, 0x278.

Ø SAP Numbers - Type of service desired
- 3 GNS
- 4 File Server
- 5 Job Server
- 7 Print Server
- 21 NAS SNA Gateway
- 2E Dynamic SAP
- 47 Advertising Print Server
- 4B Btrieve VAP 5.0
- 4C SQL VAP
- 107 Rconsole
- 26B Time Synchronization
- 278 NetWare Directory Server
In NW 4.1 do not filter 4, 26B, 278.

19.2.2. IPX Network Filtering

Ø IPX RIP Filtering (interface command)
Use the ipx input-network-filter and ipx output-network-filter commands to control which networks are added to the router's routing table. The ipx output-network-filter command applies to IPX RIP only.
Filtering RIP traffic:
  access-list 877 permit 93
  !
  int s 0
   ipx network 90
   ipx output-network-filter 877


Blocking Networks:
  int e0
   ipx access-group 900 in
   ipx output-network-filter 900
   ipx input-network-filter 900
  access-list 900 deny -1 800.0000.0000.0000 FF.FFFF.FFFF.FFFF (network)
  access-list 900 deny -1 800.0000.0000.0000 ff.FFFF.FFFF.FFFF (node)
  access-list 900 permit -1

Ø IPX EIGRP Filtering
A distribute-list must be used since EIGRP uses hellos and not the routing table. Use the distribute-list out command to control advertising of EIGRP routes.
  ipx router eigrp 100
   distribute-list 800 in

19.2.3. SAP Filtering

Ø IPX RIP SAP Filters (0 = All Services)
Interface commands:
  ipx router-sap-filter {access-list | name}
  ipx input-sap-filter {access-list | name} (SAP)
  ipx output-sap-filter {access-list | name} (SAP)
  ipx output-gns-filter {access-list | name} (GNS)
  ipx gns-reply-disable (GNS)
The ipx output-gns-filter command is used with the access-list command to control which servers are included in GNS responses. The ipx sap-interval command is used to configure less frequent SAP updates.

Ø IPX RIP SAP Filtering
Instead of denying traffic, try permitting traffic instead.
Filtering Print Servers:
  access-list 1000 deny -1 0 pserver
  access-list 1000 permit -1
  !
  int s 0
   ipx network 10
   ipx output-sap-filter 1000
Filter PServer - It WORKS!!!
  access-list 1001 deny -1 7 PServer
  access-list 1001 permit -1
  int s0
   ipx output-sap-filter 1001
Filtering File Servers:
  access-list 1001 deny 2e.0000.0000.0001 4
  access-list 1001 permit -1
  !
  int s 0


   ipx network 1
   ipx output-sap-filter 1001

Ø EIGRP IPX - SAP Filtering
  distribute-sap-list <ACL> in
  distribute-sap-list <ACL> in <interface>
  distribute-sap-list <ACL> out
  distribute-sap-list <ACL> out <interface>
  distribute-sap-list <ACL> out <protocol>

19.2.4. Troubleshooting IPX
- show ipx interface: displays the status of the IPX interfaces
- show ipx route: lists the entries of the IPX routing table
- show ipx servers: lists the servers discovered through SAP advertisements
- show ipx traffic: shows IPX packet information

19.3. MAC ACCESS-LISTS
Practice all ACLs with every bridge type.
- 200 LSAP: filter on LLC address
- 700 MAC: filter on source or destination (only one)
- 1100 NetBIOS name: filter on source and/or destination; applied to a bridge-group with input-pattern-list
What do you want to filter?
- 200 SAPs: filter SRB on TR, TB on Ethernet, and SAPs on DLSW peers
- 700 MAC addresses
- NetBIOS names?
- Combination or others? = access-expressions

19.3.1. LSAPs (200) http://www.cisco.com/warp/public/111/12.html http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3920/3920ug4/codes.htm#xtocid189133

Ø MAC Access-Lists
- 00 Null / ALL
- 04, 05, 08, 0C, 0D SNA
- E0 IPX
- F0 NetBIOS
- 42 STP
Bit-swapping: 18, 24, 3c, 5a, 7e, bd

Ø SAPs Defined (address in hex, assignment)
- 00 Null LSAP
- 04, 05, 08, 0C, 0D SNA
- 04 IBM SNA Path Control (individual)
- 05 IBM SNA Path Control (group)
- 06 IP
- 42 Spanning Tree Protocol (STP) BPDU
- 98 ARP
- AA SNAP


- E0 IPX
- F0 NetBIOS commands
- F1 NetBIOS responses
- F4 IBM LAN Management (individual)
- F5 IBM LAN Management (group)
- F8 IBM Remote Program Load (RPL)
- FE OSI
- FF Global SAP
The addresses are paired for src/dest, such as F0F0 for NetBIOS.

Ø Applying LSAP Filters
- TR: source-bridge input-lsap-list
- DLSW: remote-peer lsap-output-list
- ETH: bridge-group input-lsap-list (802.3)
- ETH: bridge-group input-type-list

19.3.2. SNA
For permitting SNA:
  access-list 200 permit 0x0000 0x0D0D
-or-
  access-list 200 permit 0x0000 0x0000
  access-list 200 permit 0x0808 0x0001
  access-list 200 permit 0x0c0c 0x0001
  access-list 200 permit 0x0404 0x0001
Deny SNA:
  access-list 200 deny 0x0000 0x0D0D
Filtering SNA in DLSW:
  dlsw local-peer peer-id 10.1.1.1
  dlsw remote-peer 0 tcp 10.2.2.2 lsap-output-list 200
  access-list 200 permit 0x0000 0x0D0D
Filtering SNA in Transparent Bridging:
  bridge 1 protocol ieee
  int eth0
   bridge-group 1
   bridge-group 1 input-type-list 200
   bridge-group 1 output-type-list 200
  access-list 200 permit 0x0D0D 0x0000

19.3.3. NetBIOS

Apply a NetBIOS name filter to the DLSw+ remote-peer statement.
Apply a NetBIOS name filter to a Token Ring interface.
NetBIOS filters only block connection-setup packets, so connections that already exist survive the filter.
  netbios access-list host <name> {permit | deny} <pattern>
You can use DOS-style wildcards in the pattern.

For permitting NetBIOS:
  dlsw remote-peer 0 tcp 10.1.1.1 lsap-output-list 200
  access-list 200 permit 0xF0F0 0x0101


For blocking NetBIOS (the remote-peer statement only has an output list):
  dlsw remote-peer 0 tcp 10.1.1.1 lsap-output-list 200
  access-list 200 deny 0xF0F0 0x0101
  access-list 200 permit 0x0000 0xFFFF
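The SNA and NetBIOS lists above all rely on the same "value mask" matching rule, and it is easy to permit more SAPs than intended. The following Python evaluator is an added example written for these notes (it is not from the original document or from Cisco IOS): it parses 200-series lines as shown above, applies first-match/implicit-deny semantics, and lists exactly which DSAP/SSAP pairs a line matches. The SAP name table is taken from the SAPs Defined list and is used only for labels.

```python
# Added example, not from the notes or from Cisco IOS: evaluator for 200-series
# (LSAP / type-code) access-lists. Mask bits set to 1 are "don't care" bits, the
# value is compared only where the mask bit is 0, the first matching line wins,
# and a frame matching no line hits the implicit deny.
from __future__ import annotations
import re
from typing import List, NamedTuple

# SAP names from the notes, used only to label output.
SAP_NAMES = {
    0x00: "Null", 0x04: "SNA", 0x05: "SNA", 0x06: "IP", 0x08: "SNA", 0x0C: "SNA",
    0x0D: "SNA", 0x42: "STP", 0x98: "ARP", 0xAA: "SNAP", 0xE0: "IPX",
    0xF0: "NetBIOS cmd", 0xF1: "NetBIOS rsp", 0xFE: "OSI", 0xFF: "Global",
}

class Entry(NamedTuple):
    action: str   # "permit" or "deny"
    value: int    # 16-bit DSAP << 8 | SSAP
    mask: int     # 16-bit wildcard mask (1 = ignore this bit)

LINE_RE = re.compile(
    r"access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+"
    r"0x(?P<val>[0-9a-f]{4})\s+0x(?P<mask>[0-9a-f]{4})",
    re.IGNORECASE,
)

def parse_acl(lines: List[str]) -> List[Entry]:
    """Parse IOS 'access-list 2xx permit|deny 0xVVVV 0xMMMM' lines, in order."""
    entries = []
    for line in lines:
        m = LINE_RE.fullmatch(line.strip())
        if not m:
            raise ValueError(f"not a type-code/LSAP access-list line: {line!r}")
        if not 200 <= int(m["num"]) <= 299:
            raise ValueError(f"list {m['num']} is not in the 200-299 LSAP range")
        entries.append(Entry(m["action"].lower(), int(m["val"], 16), int(m["mask"], 16)))
    return entries

def entry_matches(entry: Entry, dsap: int, ssap: int) -> bool:
    """Compare only the bits the mask does not wildcard."""
    pair = ((dsap & 0xFF) << 8) | (ssap & 0xFF)
    care = ~entry.mask & 0xFFFF
    return (pair & care) == (entry.value & care)

def evaluate(acl: List[Entry], dsap: int, ssap: int) -> str:
    """Return 'permit' or 'deny' for one DSAP/SSAP pair (implicit deny at the end)."""
    for entry in acl:
        if entry_matches(entry, dsap, ssap):
            return entry.action
    return "deny"

def permitted_dsaps(acl: List[Entry]) -> List[int]:
    """All SAP values s for which a frame with DSAP = SSAP = s is permitted."""
    return [s for s in range(256) if evaluate(acl, s, s) == "permit"]

def describe(saps: List[int]) -> str:
    return ", ".join(f"0x{s:02X} ({SAP_NAMES.get(s, 'unassigned')})" for s in saps)

if __name__ == "__main__":
    sna = parse_acl(["access-list 200 permit 0x0000 0x0D0D"])
    print("permit 0x0000 0x0D0D matches:", describe(permitted_dsaps(sna)))
    block = parse_acl(["access-list 200 deny 0xF0F0 0x0101",
                       "access-list 200 permit 0x0000 0xFFFF"])
    print("NetBIOS F0/F1 under the blocking list:", evaluate(block, 0xF0, 0xF1),
          "; SNA 04/04:", evaluate(block, 0x04, 0x04))
```

Running it shows that `permit 0x0000 0x0D0D` matches the SNA SAPs 00, 04, 05, 08, 0C and 0D as intended, but also 01 and 09, because the wildcard covers every combination of those mask bits; the four-line form above is the tighter alternative when that matters.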

19.3.4. Bit-Swapping

802.3 / 802.4 transmit the least significant bit first: canonical form.
802.5 transmits the most significant bit first: non-canonical form.
The MAC address is bit-swapped as it passes between Token Ring and Ethernet bridges (SRT, SR/TLB).
The problem with the two formats is that if the bits are read in the wrong order, an address may appear to be a multicast or a different destination. For SRB the frame may be sent somewhere else or the functional addresses may be corrupted; for TB the bridge may refuse to forward the packet.

Note: MAC addresses on Ethernet are "bit swapped" when compared with MAC addresses on Token Ring and FDDI. For example, address 0110.2222.3333 on Ethernet is 8008.4444.CCCC on Token Ring and FDDI. Access lists always use the canonical Ethernet representation. When using different media and building access lists to filter on MAC addresses, keep this point in mind. Note that when a bridged packet traverses a serial link, it has an Ethernet-style address.

>>> If you are using an access-list to specify a MAC output list on a DLSw statement, you always use non-canonical format. If the access-list will filter on a Token Ring interface, it is non-canonical. If the access-list will filter on an Ethernet interface, it is canonical.

Ø Bit-Swapping in DLSw
All addresses are in non-canonical (Token Ring) form.
Ethernet: traffic that originates on Ethernet is picked up from the local Ethernet bridge group and transported across the DLSw network. DLSw always transfers data in non-canonical format. DLSw automatically makes the correct MAC address conversion depending on the destination media. When DLSw+ receives a MAC address from an Ethernet-attached device, it assumes it is canonical and converts it to non-canonical for transport to the remote peer. At the remote peer, the address is either passed unchanged to Token Ring-attached end systems or converted back to canonical if the destination media is Ethernet.
Note that when an SNA resource resides on Ethernet, if you configure a destination SNA address in that device, you must use canonical format. For example, Ethernet-attached 3174s must specify the MAC address of the FEP in canonical format. If the Token Ring (non-canonical) MAC address of the FEP is 4000.3745.0001, the canonical format is 0200.ECA2.0080. Another example: 0800.5CED.1E4C is 1000.3AB7.7832 on Ethernet.

Ø DLSw and Ethernet
  Token Ring   non-canonical
  DLSw         non-canonical
  Ethernet     canonical
DLSw converts Ethernet MACs to non-canonical form, so if you need to specify a MAC, make sure the format is correct for the place where you specify it.


Ø Canonical to Non-Canonical Forms
Here is a good way to do the conversion; just learn this sequence: 18, 24, 3c, 5a, 7e, bd
  1 <-> 8   (18)
  4 <-> 2   (24)
  3 <-> C   (3c)
  5 <-> A   (5a)
  7 <-> E   (7e)
  B <-> D   (bd)
Each pair is a hex digit and the same four bits read backwards (0, 6, 9 and F read the same both ways). To convert an octet, swap its two hex digits and then replace each digit with its partner. Remember that you always need to specify non-canonical in DLSw configurations.

Ø Conversion on a per-octet basis
Hold your hands in front of you, palms down. Tuck your thumbs in, and represent the bits in your octet by either tucking in a finger (0) or leaving it sticking out (1). Now cross your hands over AND turn your hands palm up (WITHOUT adjusting your finger positions). You now have your converted octet (either non-canonical to canonical or vice versa).

  Canonical MAC:       00D0.5924.80A4
  Hex digits swapped:  000d.9542.084a
     0    0    0    D    9    5    4    2    0    8    4    A
     0000 0000 0000 1101 1001 0101 0100 0010 0000 1000 0100 1010   (bits of each swapped digit)
     0000 0000 0000 1011 1001 1010 0010 0100 0000 0001 0010 0101   (each digit's bits reversed)
  Non-canonical MAC:   000B.9A24.0125

Hex digits: 1 to 9 as normal, then 10 = A, 11 = B, 12 = C, 13 = D, 14 = E, 15 = F.
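The hand trick and the 18/24/3c/5a/7e/bd mnemonic are both the same operation: reverse the bit order of every octet. The Python below is an added example written for these notes (not from the original document or from Cisco) that implements the conversion both ways, reproduces the four worked addresses from this section, and checks the group bit in each representation, which is where a forgotten swap turns a unicast into something that "appears to be a multicast".

```python
# Added example, not from the notes or from Cisco: canonical <-> non-canonical
# MAC conversion as a per-octet bit reversal, plus the group-bit check that
# explains why a mis-read address can look like a multicast.
from __future__ import annotations
import re
from typing import List

# The notes' mnemonic pairs (1-8, 4-2, 3-C, 5-A, 7-E, B-D) are just each hex
# digit with its four bits reversed; 0, 6, 9 and F map to themselves.
NIBBLE_REVERSE = {n: int(f"{n:04b}"[::-1], 2) for n in range(16)}

def reverse_octet(octet: int) -> int:
    """Reverse the bit order of one byte: bit 7 <-> bit 0, bit 6 <-> bit 1, ..."""
    if not 0 <= octet <= 0xFF:
        raise ValueError("octet out of range")
    return int(f"{octet:08b}"[::-1], 2)

def reverse_octet_by_nibbles(octet: int) -> int:
    """Same result via the hand method: swap the two digits, then reverse each digit."""
    high, low = octet >> 4, octet & 0xF
    return (NIBBLE_REVERSE[low] << 4) | NIBBLE_REVERSE[high]

def parse_mac(mac: str) -> bytes:
    """Accept 0110.2222.3333, 01-10-22-22-33-33 or 01:10:22:22:33:33."""
    digits = re.sub(r"[.:\-]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)

def format_cisco(raw: bytes) -> str:
    h = raw.hex().upper()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"

def bit_swap(mac: str) -> str:
    """Canonical -> non-canonical or back; the conversion is its own inverse."""
    return format_cisco(bytes(reverse_octet(b) for b in parse_mac(mac)))

def group_bit_set(mac: str, canonical: bool) -> bool:
    """The group (multicast/broadcast) bit is the first bit on the wire: the LSB of
    the first octet in canonical form, the MSB of the first octet in non-canonical form."""
    first = parse_mac(mac)[0]
    return bool(first & 0x01) if canonical else bool(first & 0x80)

def symmetric_octets() -> List[str]:
    """Octets unchanged by bit reversal (the notes' 18,24,3c,5a,7e,bd are six of them)."""
    return [f"{b:02x}" for b in range(256) if reverse_octet(b) == b]

if __name__ == "__main__":
    for mac in ("0110.2222.3333", "4000.3745.0001", "0800.5CED.1E4C", "00D0.5924.80A4"):
        print(f"{mac} <-> {bit_swap(mac)}")
    # The NetBIOS functional address from the next section, read as if it were canonical,
    # loses its group bit: a bridge would treat it as a unicast to an unknown station.
    fa = "C000.0000.0080"
    print(fa, "group bit (non-canonical):", group_bit_set(fa, canonical=False),
          "read as canonical:", group_bit_set(fa, canonical=True))
    print("octets unchanged by swapping:", " ".join(symmetric_octets()))
```

Because the operation is an involution, the same function converts in either direction; the only thing that matters is knowing which form the device that reads the address expects (Token Ring interface and DLSw: non-canonical; Ethernet interface: canonical).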

19.3.5. DLSw+

DLSw TCP ports: 2065, 1981, 1982 and 1983. FST uses IP protocol 91.

Stop Router ONE from sending explorer packets to Router TWO looking for MAC address 4444.4444.4444:
  dlsw icanreach mac-address 4444.4444.4444 mask FFFF.FFFF.FFFF
  dlsw icanreach netbios-name SALES*
If you use dlsw icanreach mac-exclusive without defining a MAC address in an icanreach statement, all traffic will be filtered. "The dlsw icanreach command also supports the mac-exclusive and netbios-exclusive keywords, which indicate that the resources advertised by this peer are the only resources the peer can reach. By specifying mac-exclusive or netbios-exclusive, you can indicate that the list of specified MAC addresses or NetBIOS names are the only ones reachable from a given router."
For DLSw, put the filter on the remote-peer with lsap-output-list.
On Ethernet use:
  input-lsap-list   (802.3)
  input-type-list   (incoming by type code, Ethernet II)

Ø NetBIOS on DLSw
  dlsw remote-peer 0 tcp 172.16.24.2 host-netbios-out mylist
  dlsw remote-peer 0 tcp 172.16.24.2 bytes-netbios-out mylist
  netbios access-list host mylist permit MAR*
  show dlsw circuits   displays the SAP addresses

19.3.6. Bridging (MAC) Filters (700)

The NetBIOS functional address is C000.0000.0080.

Ø SRB
Use 8000.0000.0000 as the Token Ring source-address mask on traffic that requires an exact match and needs to be source-route bridged (the high bit of the source address is the RII bit, which is set on source-routed frames, so it must be masked out).

Ø Type Code Access Lists
  interface tokenring 0
   source-bridge input-type-list 201
  interface ethernet 0
   bridge-group 1 input-type-list 201
  access-list 201 deny 0x0806 0x0000
  access-list 201 permit 0x0000 0xFFFF

Ø Filter by DSAP/LSAP addresses
  source-bridge input-lsap-list <ACL number>
  source-bridge output-lsap-list <ACL number>

Ø Filter by Vendor Code

Ø MAC Access Filtering
  interface tokenring 0
   source-bridge input-address-list 702
  interface ethernet 0
   bridge-group 1 input-address-list 701
  access-list 701 permit 0110.2222.3333
  access-list 702 permit 0110.1234.6554

Ø LSAP Filter (200)
  interface tokenring 0
   source-bridge input-lsap-list 200
   source-bridge output-lsap-list 200

Ø Commands
  show controller token
  show interface token
  show interface
  show source-bridge
  show span

19.4. ACCESS-EXPRESSIONS

Access-expressions are applied to interfaces only!
Access-expressions can be applied to Ethernet interfaces, which is a great way to block NetBIOS traffic when transparent bridging.

Ø Key Expressions
  !   NOT (logical not, such as !(lsap 201))
  &   AND
  |   OR
Keywords:
  lsap (2xx)
  type (2xx)
  smac (7xx)
  dmac (7xx)
  netbios-host (netbios access-list name)
  netbios-bytes (netbios access-list name)

Ø Access Filters
  interface tokenring 0
   access-expression in (lsap(201) | lsap(202) & dmac(701))
  access-list 201 permit 0xf0f0 0x0001    (NetBIOS) (host blocking)
  access-list 202 permit 0x0404 0x0001    (SNA command / response)
  access-list 202 permit 0x0004 0x0001    (SNA explorers with NULL DSAP)
  access-list 701 permit 0110.2222.3333   (FEP MAC address)
  access-list 200 deny 0xF0F0 0x0101      (host and client bit blocked)

Deny MAC address 0020.1234.XXXX and permit anything else:
  dlsw icannotreach mac-address 0020.1234.0000 mask ffff.ffff.0000
-or-
  dlsw local-peer peer-id 192.168.12.1
  dlsw remote-peer 0 tcp 192.168.4.5 dmac-output-list 701
  !
  access-list 701 deny 0020.1234.0000 0000.0000.ffff
  access-list 701 permit 0000.0000.0000 ffff.ffff.ffff

Ø Ethernet Filtering
NetBIOS filters only seem to be allowed on Token Ring interfaces, other than on the dlsw remote-peer command. But that command only keeps connections from being formed by blocking the name query, it seems, and the entries still make it into the reachability table. Is there a way to filter NetBIOS so I don't even get the NetBIOS names in the reachability info?
  netbios access-list host TEST deny CCIES2B
  netbios access-list host TEST permit CCIES
  interface ethernet 0
   access-expression in netbios-host(TEST)

Ø Troubleshooting Access-Lists
Remember the implicit deny.
Remember that access-lists have direction.
  show access-lists
  show access-expressions
  debug access-expressions
  clear access-list counters
  debug ip packet


20. QUEUING

With custom and priority queuing there are three ways to classify traffic: by interface, by protocol, and the default queue.
If a percentage of the bandwidth needs to be guaranteed per queue, use custom queuing.
Three main types:
  Weighted Fair Queuing   Breaks traffic into flows so interactive user traffic is sent ahead of bulk traffic such as FTP. Enabled by default on T1s and lower.
  Priority Queuing        Prioritizes by protocol.
  Custom Queuing          Bandwidth allocation; great for SNA. Queue 0 is a system queue for keepalives.

20.1. WFQ

12000s do not support WFQ.
The default or legacy WFQ is flow-based (FB-WFQ). This was the original and is referred to as just WFQ.
Packets are classified into flows by:
  ToS bits in the IP header
  IP protocol type
  Source IP address
  Source TCP or UDP socket
  Destination IP address
  Destination TCP or UDP socket
By default WFQ classifies the traffic streams into 256 different traffic flows.
WFQ is enabled on all E1s and lower. WFQ use on a 7500 should be limited to the lower-speed interfaces.
WFQ assigns each packet a sequence number that determines the dequeue order. The sequence number is based on a weight, assigned with the following formula:
  W = 4096 / (IP Precedence + 1)
The sequence number is then:
  sequence number = last sequence number of the flow + (W * packet size)
Example for the first packet of a precedence-0 flow (W = 4096) with 500 bytes:
  0 + (4096 * 500) = 2048000
So WFQ is based on ToS (IP precedence) and packet size.
  fair-queue <congestive-discard-threshold> <dynamic-queues> <reservable-queues>
    congestive-discard-threshold   queue depth (default is 64 packets per queue)
    dynamic-queues                 number of queues, default is 256
    reservable-queues              number of reservable queues (RSVP)
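To see what the weight and sequence-number formulas actually do to the transmit order, the Python below (an added example written for these notes, not from the original document or from Cisco IOS) applies exactly the rule stated above to a few constructed flows and returns the order in which their packets would be dequeued. Real IOS differs in details such as arrival timing and later weight constants; the flows and packet sizes are made up for the demonstration.

```python
# Added example, not from the notes or from Cisco IOS: applies the sequencing
# rule in the notes (W = 4096 / (precedence + 1); sequence = last + W * size)
# to constructed flows and returns the resulting dequeue order, so the effect of
# precedence and packet size can be seen side by side.
from __future__ import annotations
from typing import Dict, List, Tuple

def wfq_weight(precedence: int) -> int:
    """Weight from IP precedence (0-7); a lower weight means earlier sequence numbers."""
    if not 0 <= precedence <= 7:
        raise ValueError("IP precedence is 0..7")
    return 4096 // (precedence + 1)

def first_packet_sequence(precedence: int, size: int) -> int:
    """Sequence number of the first packet of an idle flow (last = 0)."""
    return 0 + wfq_weight(precedence) * size

def dequeue_order(flows: Dict[str, Tuple[int, List[int]]]) -> List[Tuple[str, int]]:
    """flows: name -> (precedence, [packet sizes in arrival order]).
    Every packet gets sequence = previous sequence of its own flow + W * size;
    the scheduler then transmits in ascending sequence number."""
    tagged = []  # (sequence, arrival index, flow name, size)
    arrival = 0
    for name, (prec, sizes) in flows.items():
        weight = wfq_weight(prec)
        last = 0
        for size in sizes:
            last += weight * size
            tagged.append((last, arrival, name, size))
            arrival += 1
    tagged.sort()  # sequence number first; arrival order breaks ties
    return [(name, size) for _, _, name, size in tagged]

if __name__ == "__main__":
    # Constructed flows: bulk precedence-0 data, precedence-5 voice-like packets,
    # and a precedence-0 interactive flow with small packets.
    demo = {
        "bulk prec0":        (0, [500, 500]),
        "voice prec5":       (5, [500, 500, 500]),
        "interactive prec0": (0, [100, 100, 100]),
    }
    print("first 500-byte packet, precedence 0:", first_packet_sequence(0, 500))
    for name, size in dequeue_order(demo):
        print(f"{name:18s} {size} bytes")
```

The output shows both effects the notes describe: the precedence-5 flow's packets (weight 682) all leave before the first 500-byte precedence-0 packet, and the small-packet precedence-0 flow interleaves with them even though it has the same precedence as the bulk flow.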

20.1.1. CB-WFQ

No delay guarantee.
Allows you to classify traffic into 64 classes based on protocol, ACLs, and the input interface. Each class is then given a percent of the bandwidth. Any packets that overflow a class get dropped. Side note: WRED can manage these drops within each class.
A default class can be configured; if no default class is configured, unclassified packets are given best-effort treatment.
If you create a voice class with 32 kbps and no traffic is going over it, the 32 kbps is divided among all other assigned classes until there is voice traffic.
There are three modules to configure: class-map, policy-map, service-policy.
  class-map voice
   match access-group 101
  policy-map policy1
   class voice
    bandwidth 32
    queue-limit 20
   class class-default
    bandwidth 64
    random-detect
  interface serial 0
   service-policy output policy1
  access-list 101 permit ip any any precedence critical
  show policy-map <policy-map>   Displays the configuration of all classes in the policy.
  show policy-map interface      Displays whether CB-WFQ is working on an interface.

20.1.2. Low-Latency Queueing (LLQ)

Combines strict-priority queuing with CB-WFQ. Bandwidth guarantee: allows voice to go first and everything else second. "PQ + CB-WFQ"
  policy-map policy1
   class voice
    priority 100
   class class-default
    bandwidth 64
    random-detect

Ø LLQ Rules
  You cannot oversubscribe the bandwidth.
  The priority command policies by class.
  Use bandwidth to guarantee a minimum.
  Use priority for voice.
  Use bandwidth for data.

20.1.3. Distributed WFQ (DWFQ)

Implemented on the VIPs of 7500s when dCEF is enabled. Does not scale to interfaces faster than E1.
Classifies packets in four ways:
Flow-based, based on:
  ToS bits in the IP header
  IP protocol type
  Source IP address
  Source TCP / UDP socket
  Destination IP address
  Destination TCP / UDP socket
Traffic is classified into 512 flows, with each flow getting a percent of the available bandwidth. Use the fair-queue command to enable it on an interface. dCEF must already be enabled.
ToS-based, also known as CB-DWFQ: classifies packets based on the lower two bits of the precedence field in the IP header, so four queues are available. The weight of each queue determines the amount of bandwidth the traffic placed in that queue receives if the outbound link is fully congested. Use the command fair-queue tos to enable ToS DWFQ. Classes 3, 2, 1, 0 get weights 40, 30, 20, 10. The total cannot exceed 100.
QoS group-based: QoS groups are created by local policies and applied through committed access rate (CAR), and can be propagated through BGP policy propagation.
Troubleshooting DWFQ:
  show interface fair

20.2. WEIGHTED RANDOM EARLY DETECTION

The idea behind RED is for packets to be randomly dropped before a queue is full, rather than waiting until it is actually full. This lets the senders back off gradually during transmission rather than when the queues are full and everyone backs off and retries at once (global synchronization).
RED defines a minimum threshold, a maximum threshold and an average queue depth. Packets are dropped based on probability and the following rules:
  If avg < min, no packet is dropped.
  If min < avg < max, packets are dropped with increasing probability as avg increases.
  If avg > max, all packets are dropped.
WRED drops packets based on the IP precedence bits in the header.
Use the command random-detect to enable RED.
  show interface random-detect
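The three rules above are the whole of the RED drop decision; what makes it "weighted" is a separate threshold set per precedence. The Python below is an added example written for these notes (not from the original document or from Cisco IOS): it implements the piecewise drop probability, smooths the instantaneous queue depth with an exponentially weighted average (the standard RED detail that keeps short bursts from triggering drops), and runs a constructed queue-depth trace through a made-up per-precedence profile. The thresholds are invented for the demonstration and are not IOS defaults.

```python
# Added example, not from the notes or from Cisco IOS: RED drop probability as
# the notes describe it (none below min, rising between min and max, all above
# max), driven by an exponentially weighted average queue depth, with a
# constructed per-precedence WRED profile so low precedence is dropped first.
from __future__ import annotations
import random
from typing import Dict, List, Tuple

def red_drop_probability(avg: float, min_th: float, max_th: float, max_p: float) -> float:
    """Piecewise RED drop probability for one average queue depth."""
    if max_th <= min_th or not 0 < max_p <= 1:
        raise ValueError("need min_th < max_th and 0 < max_p <= 1")
    if avg < min_th:
        return 0.0
    if avg < max_th:
        return max_p * (avg - min_th) / (max_th - min_th)
    return 1.0

def update_average(avg: float, current_depth: int, weight: float = 1 / 512) -> float:
    """Exponentially weighted moving average of the instantaneous queue depth."""
    return (1 - weight) * avg + weight * current_depth

# Constructed WRED profile: precedence -> (min, max, max_p). Higher precedence
# starts dropping later, which is how WRED favours it under congestion.
WRED_PROFILE: Dict[int, Tuple[int, int, float]] = {p: (10 + 4 * p, 40, 0.1) for p in range(8)}

def wred_drop_probability(precedence: int, avg: float) -> float:
    min_th, max_th, max_p = WRED_PROFILE[precedence]
    return red_drop_probability(avg, min_th, max_th, max_p)

def simulate(depth_samples: List[int], precedence: int, seed: int = 1) -> Tuple[int, float]:
    """Feed a constructed trace of queue depths through WRED for one precedence;
    returns (packets dropped, final average depth). Deterministic via the seed."""
    rng = random.Random(seed)
    avg, dropped = 0.0, 0
    for depth in depth_samples:
        avg = update_average(avg, depth, weight=1 / 8)  # fast weight so the demo reacts
        if rng.random() < wred_drop_probability(precedence, avg):
            dropped += 1
    return dropped, avg

if __name__ == "__main__":
    # Constructed trace: 20 idle samples, 60 congested, 40 saturated.
    trace = [5] * 20 + [30] * 60 + [45] * 40
    for prec in (0, 5):
        dropped, avg = simulate(trace, prec)
        print(f"precedence {prec}: dropped {dropped} of {len(trace)}, final avg {avg:.1f}")
```

With the same random draws for both runs, precedence 0 never drops fewer packets than precedence 5, because its drop probability is at least as high at every average depth; that ordering is the property WRED is configured for.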

20.3. PRIORITY QUEUING

Four queues: high, medium, normal, low.
Default queue limits: high 20, medium 40, normal 60, low 80.

Ø Configuration Tasks
  Create the list.
  Assign the default queue.
  Assign the list to the interface.


Ø Priority Configuration
  priority-list 1 protocol ip high tcp 23
  priority-list 1 protocol ip high list 1
  priority-list 1 interface ethernet 0 medium
  priority-list 1 default low
  priority-list 1 queue-limit 15 20 20 30
  !
  access-list 1 permit 131.34.0.0 0.0.255.255
  !
  interface serial 0
   priority-group 1

20.4. CUSTOM QUEUING

16 custom queues.
Default byte-count is 1500 bytes.
Frame size differences will affect the byte-count and the bandwidth percent.
Configure the custom queuing byte-count parameter to assure a percentage of bandwidth for a given queue.

Ø Custom Queueing Configuration
  queue-list 1 interface ethernet 0 1
  queue-list 1 protocol ip 2 tcp 20
  queue-list 1 protocol ipx 3
  queue-list 1 default 3
  queue-list 1 queue 1 byte-count 4500
  queue-list 1 queue 1 limit 20
  !
  interface serial 0
   custom-queue-list 1

Ø Custom Queueing Based on Bandwidth
Allocate 25% for DLSw, 25% for Telnet, 25% for IPX, 25% for the default queue:
  queue-list 1 protocol dlsw 1
  queue-list 1 protocol ip 2 tcp 23
  queue-list 1 protocol ipx 3 list 900
  queue-list 1 queue 4 byte-count 1500
  queue-list 1 default 4
  access-list 900 permit ncp any 451 any 451
  interface serial 0
   custom-queue-list 1
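The note above that "frame size differences will affect the byte-count and bandwidth percent" is easy to underestimate. The Python below is an added example written for these notes (not from the original document or from Cisco IOS): it simulates one round-robin cycle under the rule the notes give (a queue sends whole frames until its byte-count is reached, so the frame that crosses the byte-count still goes out in full), shows the skew that produces with the default byte-count of 1500, and then derives byte-counts that honour a requested split for given frame sizes. The frame sizes and target shares are constructed for the demonstration.

```python
# Added example, not from the notes or from Cisco IOS: one custom queuing cycle
# under the whole-frame byte-count rule, and byte-counts that honour a target
# bandwidth split for given frame sizes.
from __future__ import annotations
from fractions import Fraction
from math import gcd
from typing import List, Tuple

def bytes_sent_in_cycle(byte_count: int, frame_size: int) -> int:
    """Whole frames are sent until at least byte_count bytes have gone out."""
    if byte_count <= 0 or frame_size <= 0:
        raise ValueError("byte_count and frame_size must be positive")
    frames = -(-byte_count // frame_size)   # ceiling division
    return frames * frame_size

def custom_queue_cycle(queues: List[Tuple[int, int]]) -> List[int]:
    """queues: [(byte_count, frame_size), ...], all assumed backlogged.
    Returns the bytes each queue transmits per round-robin cycle."""
    return [bytes_sent_in_cycle(bc, fs) for bc, fs in queues]

def shares_percent(bytes_per_queue: List[int]) -> List[float]:
    total = sum(bytes_per_queue)
    return [round(100 * b / total, 1) for b in bytes_per_queue]

def _lcm(a: int, b: int) -> int:
    return a * b // gcd(a, b)

def byte_counts_for_shares(frame_sizes: List[int], shares: List[int]) -> List[int]:
    """Smallest whole-frame byte-counts giving the requested bandwidth ratio.
    Frames per cycle must be proportional to share_i / frame_i; normalise that
    ratio to the smallest integers and multiply back by the frame size."""
    if len(frame_sizes) != len(shares) or not frame_sizes:
        raise ValueError("need one share per queue")
    ratios = [Fraction(s, f) for s, f in zip(shares, frame_sizes)]
    base = min(ratios)
    norm = [r / base for r in ratios]
    scale = 1
    for n in norm:
        scale = _lcm(scale, n.denominator)
    frames = [int(n * scale) for n in norm]
    return [n * f for n, f in zip(frames, frame_sizes)]

if __name__ == "__main__":
    # Constructed: three queues meant to share equally, default byte-count 1500,
    # carrying 1000-, 1500- and 100-byte frames respectively.
    sizes = [1000, 1500, 100]
    naive = custom_queue_cycle([(1500, fs) for fs in sizes])
    print("bytes/cycle with byte-count 1500:", naive, "->", shares_percent(naive), "%")
    fixed = byte_counts_for_shares(sizes, [1, 1, 1])
    print("byte-counts for an equal split:  ", fixed)
    print("bytes/cycle with those counts:   ", custom_queue_cycle(list(zip(fixed, sizes))))
```

With the default byte-count the 1000-byte-frame queue gets 40% instead of a third, because its second frame is started before the 1500-byte mark and completed; raising every byte-count to 3000 (3, 2 and 30 frames respectively) restores the intended split. The same method applies to the 25% example above once the typical frame size of each protocol is known.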

20.5. COMMITTED ACCESS RATE (CAR)
http://www.cisco.com/warp/public/732/Tech/car/index.html
Configuring Committed Access Rate: http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/qos_c/qcpart1/qccar.htm


20.6. TROUBLESHOOTING QUEUEING
  show queue <interface>
  show queueing <custom | fair | priority | red>
  show interface serial 0   Displays the packets that have traveled through the interface.
  debug custom-queue
  debug priority


21. TRAFFIC SHAPING

21.1. POLICY ROUTING

Is always applied to the incoming interface.
Only affects the router it is configured on.
Can use extended ACLs.
Used to control forwarding by destination, protocol type, packet size, application, and source address, and can be used to load balance across lines.

Ø To configure
  Global command:      ip local policy route-map <name>   (router-generated packets)
  Interface command:   ip policy route-map <name>
Policy routing disables fast switching; use ip route-cache policy to re-enable it.

Ø Policy Routing Examples
Packets not matched use the routing table.
Multiple set clauses are evaluated in this order:
  Next-hop interface          Use if the interface is up
  Next-hop IP address         Use if the address is in the routing table
  Next-hop default interface  Use the routing table first; if no route, use this interface
  Next-hop default IP address Use the routing table first; if no route, use this address

Ø Packet Length Example
  interface ethernet 0
   ip address 172.16.1.4 255.255.255.0
   ip policy route-map test
  !
  route-map test permit 10
   match length 3 100
   set ip next-hop 172.16.5.1

Ø Source Address Example
  interface ethernet 0
   ip address 172.16.1.4 255.255.255.0
   ip policy route-map test
  !
  access-list 101 permit ip host 172.16.1.1 any
  !
  route-map test permit 10
   match ip address 101
   set interface serial 0
-or-
  route-map test permit 10
   match ip address 101
   set ip next-hop 172.16.5.1
  ! This allows routers to do recursive lookups

Ø Application / Protocol Type Example
  interface ethernet 0
   ip address 172.16.1.4 255.255.255.0
   ip policy route-map ReRun
  !
  access-list 105 permit tcp 172.16.1.0 0.0.0.255 eq ftp any
  access-list 105 permit tcp 172.16.1.0 0.0.0.255 eq ftp-data any
  access-list 106 permit tcp 172.16.1.0 0.0.0.255 eq telnet any
  !
  route-map ReRun permit 10
   match ip address 105
   set ip next-hop 172.16.2.1
  !
  route-map ReRun permit 20
   match ip address 106
   set ip next-hop 172.16.3.1

Ø Load Balancing Example
r1:
  interface ethernet 0
   ip address 172.16.1.4 255.255.255.0
   ip address 172.16.1.5 255.255.255.0 secondary
r2:
  interface ethernet 0
   ip address 172.16.1.3 255.255.255.0
   ip policy route-map load
  !
  access-list 1 permit 172.16.1.4
  access-list 2 permit 172.16.1.5
  !
  route-map load permit 10
   match ip address 1
   set default interface serial 0
  !
  route-map load permit 20
   match ip address 2
   set default interface serial 1

Ø Troubleshooting Policy Routing
  show ip policy
  show route-map
  show access-lists
  show ip local policy
  debug ip policy

21.2. RTP PRIORITY
  16,384 - 32,767   voice
  32,768 - 49,151   whiteboard
  49,152 - 65,535   video


21.3. GENERIC TRAFFIC-SHAPING (GTS)

Use on Ethernet, point-to-point, or Frame Relay. Used to shape all traffic leaving an interface. Use traffic-shape group to configure traffic shaping for outbound traffic on an interface for the specified access list.
  traffic-shape rate <cir> <bc> <be>
  traffic-shape group <acl> <cir> <bc> <be>
Example:
  interface serial 0.1
   traffic-shape rate 32000 8000
  interface serial 0.2
   traffic-shape rate 32000 8000
There are three major differences between GTS and CAR:
1 - CAR can limit traffic on input and output, while GTS limits only output.
2 - They work differently. CAR discards packets in order to limit the rate, while traffic shaping adds delay between packets in order to reduce the rate/flow.
3 - CAR only measures the IP traffic, while GTS is able to measure the "entire" traffic through an interface (including L2 headers).
My conclusion is that GTS causes far fewer retransmissions and makes the traffic look much smoother than CAR (because CAR works by discarding packets, i.e. TCP slow start, etc.). If you have 2 routers and 2 PCs, it's easy to confirm that (that's what I did). What I read somewhere is that Cisco created CAR in order to allow ISPs to control/restrict the bandwidth that they receive/send to other ISPs at a NAP.

21.4. FRAME-RELAY QUEUING

21.4.1. Frame-Relay DLCI Prioritization
  interface Serial0
   no ip address
   encapsulation frame-relay
   priority-group 1
  !
  interface Serial0.1 point-to-point
   ip address 4.0.1.1 255.255.255.0
   frame-relay priority-dlci-group 1 140 180 190 200
   frame-relay interface-dlci 140
  !
  access-list 102 permit icmp any any
  priority-list 1 protocol ip high list 102
  priority-list 1 protocol ip medium tcp telnet
  priority-list 1 protoc0l ip normal tcp ftp
  priority-list 1 protocol ip low

21.4.2. Frame-Relay Broadcast Queue
  frame-relay broadcast-queue <size> <byte-rate> <packet-rate>


21.4.3. Frame-Relay Traffic-Shaping (FRTS)

Regulates the traffic per VC.
To change the queue depth on FIFO, enable custom or priority queueing and assign all traffic to one queue.

Ø FRTS Formula
  Tc = Bc / CIR   (Tc = interval, Bc = committed burst)

Ø When to use FRTS
  T1 at the central site and 56 kbps at the branch
  Multipoint connections
  Congestion occurs
  Multiple protocols on the same Frame Relay VC

Ø Terms
  Access rate   Maximum rate for a fixed period of time (line or port speed).
  CIR           Committed information rate: the average rate of data.
  Bc            Committed burst size: the maximum amount sent per fixed period (Tc), a multiple of CIR. This should be 1/8 of CIR.
  Be            Excess burst size: the amount allowed in excess of Bc. Usually 0 when sending at port speed.
  MinCIR        Minimum CIR: the true CIR that is guaranteed. Default is 50% of CIR.
  Tc            Time interval (Tc = Bc / CIR).

Ø Three Steps To FRTS
1 - Enable FRTS under the main interface:
  interface serial 0
   frame-relay traffic-shaping
2 - Create the map-class:
  map-class frame-relay ccie
   frame-relay cir 32000
   frame-relay mincir 16000
   frame-relay bc 4000
   frame-relay be 32000
   frame-relay adaptive-shaping becn     Enables BECN feedback to throttle the output rate on the SVC for the map class.
3 - Apply to the interface or DLCI:
  frame-relay interface-dlci 102
   class ccie
  -or-
  interface serial 0.1
   frame-relay class ccie
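The map-class above (CIR 32000, Bc 4000, Be 32000, MinCIR 16000) gives Tc = 4000 / 32000 = 125 ms, and the GTS section's point that shaping delays while CAR drops is easiest to see with numbers. The Python below is an added example written for these notes (not from the original document or from Cisco IOS): it derives the interval and checks from the formula above, then runs a deliberately simplified per-interval token bucket in "shape" mode (excess queued, as FRTS/GTS do) and "police" mode (excess dropped, as CAR does) against a constructed load of 48 kbps offered to a 32 kbps CIR. The model is one bucket refilled by Bc every Tc, capped at Bc + Be and full after idle; it is not the IOS implementation.

```python
# Added example, not from the notes or from Cisco IOS: FRTS interval from
# Tc = Bc / CIR, plus a simplified token-bucket simulation in "shape" (queue the
# excess) and "police" (drop the excess) modes over a constructed offered load.
from __future__ import annotations
from typing import Dict, List

def frts_parameters(cir: int, bc: int, be: int = 0, mincir: int | None = None) -> Dict[str, float]:
    """Derived values for a map-class, plus the checks a reviewer would make."""
    if cir <= 0 or bc <= 0 or be < 0:
        raise ValueError("cir and bc must be positive, be non-negative")
    tc = bc / cir                                   # seconds per interval
    mincir = cir // 2 if mincir is None else mincir # notes: default is 50% of CIR
    return {
        "tc": tc,
        "intervals_per_second": 1 / tc,
        "max_bits_first_interval": bc + be,         # Be is only available after idle
        "mincir": mincir,
        "bc_is_cir_over_8": bc * 8 == cir,          # the notes' rule of thumb (Tc = 125 ms)
    }

def simulate(arrivals_bits: List[int], cir: int, bc: int, be: int = 0,
             mode: str = "shape") -> Dict[str, int]:
    """arrivals_bits[i] = bits offered during interval i (one Tc each).
    Returns bits sent, bits dropped and bits still queued when the trace ends."""
    if mode not in ("shape", "police"):
        raise ValueError("mode must be 'shape' or 'police'")
    frts_parameters(cir, bc, be)                    # validates the numbers
    credit = bc + be                                # bucket is full after idle
    backlog = sent = dropped = 0
    for offered in arrivals_bits:
        credit = min(credit + bc, bc + be)          # refill by Bc, cap at Bc + Be
        if mode == "shape":
            demand = backlog + offered              # queued bits go first
            tx = min(demand, credit)
            backlog = demand - tx                   # the rest waits (delay, not loss)
        else:
            tx = min(offered, credit)
            dropped += offered - tx                 # a policer has no queue
        credit -= tx
        sent += tx
    return {"sent": sent, "dropped": dropped, "backlog": backlog}

if __name__ == "__main__":
    p = frts_parameters(cir=32000, bc=4000, be=0, mincir=16000)
    print(f"Tc = {p['tc'] * 1000:.0f} ms, {p['intervals_per_second']:.0f} intervals/s")
    # Constructed load: 6000 bits per 125 ms interval = 48 kbps against a 32 kbps CIR.
    load = [6000] * 8
    print("shape :", simulate(load, 32000, 4000, 0, "shape"))
    print("police:", simulate(load, 32000, 4000, 0, "police"))
    print("shape with Be=32000:", simulate(load, 32000, 4000, 32000, "shape"))
```

Over one second both modes send exactly CIR's worth (32000 bits), but the shaper holds the other 16000 bits in its queue while the policer has discarded them; allowing the Be from the map-class lets the shaper absorb the whole burst without either delay or loss for as long as the excess credit lasts.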

Ø Map Class Parameters
Traffic parameters:
  frame-relay custom-queue-list <list-number>
  frame-relay priority-group <list-number>
  frame-relay adaptive-shaping <becn | foresight>
  frame-relay traffic-rate <average> <peak>
  frame-relay cir <in | out> <bps>
  frame-relay mincir <in | out> <bps>
  frame-relay bc <in | out> <bits>
  frame-relay be <in | out> <bits>
  frame-relay idle-timer <duration>

Ø Apply Map Class to an interface or VC
  frame-relay class <map-class>   (interface)
  class <map-class-name>          (under frame-relay interface-dlci)

Ø FRTS on Serial
Example: Port speed 64000 kbps, CIR 32000 kbps, MinCIR 16000 kbps, Bc 4000 kbps, Be 32000 kbps
  interface serial 0
   ip address 1.1.1.1 255.255.255.0
   encapsulation frame-relay
   frame-relay traffic-shaping
   frame-relay class ccie
  map-class frame-relay ccie
   frame-relay adaptive-shaping becn
   frame-relay cir 32000
   frame-relay mincir 16000
   frame-relay bc 4000
   frame-relay be 32000

Ø FRTS on DLCI
  interface serial 0
   ip address 1.1.1.1 255.255.255.0
   encapsulation frame-relay
   frame-relay traffic-shaping
   frame-relay interface-dlci 102
    class ccie
  map-class frame-relay ccie
   frame-relay adaptive-shaping becn
   frame-relay cir 56000
   frame-relay mincir 32000
   frame-relay bc 8000
   frame-relay be 16000

Ø Troubleshooting FRTS
  show traffic-shape statistics
  show traffic-shape queue
  sfp

21.5. IP PRECEDENCE

Three ways to set it:
  Policy-based routing
  QoS policy via BGP (supported only on 7xxx routers ☺)
  Committed Access Rate (CAR)


Ø IP Precedence Values (RFC 791)
  Number  Name
  0       routine
  1       priority
  2       immediate
  3       flash
  4       flash-override
  5       critical
  6       internetwork control
  7       network control

Ø Configuring
  interface ethernet 1
   ip policy route-map Texas
  !
  route-map Texas permit 10
   match ip address 1
   set ip precedence priority
   set ip next-hop 3.3.3.3
  !
  route-map Texas permit 20
   match ip address 2
   set ip precedence critical
   set ip next-hop 3.3.3.5
  !
  access-list 1 permit 1.1.1.1
  access-list 2 permit 2.2.2.2

Ø QoS
  set ip precedence
  set ip tos
  ToS bits   Number (0-15)   Keyword
  0000       0               normal
  0001       1               min-monetary-cost
  0010       2               max-reliability
  0100       4               max-throughput
  1000       8               min-delay

21.6. RSVP

Ø RSVP supports three traffic types
  Best-effort      Traditional IP traffic.
  Rate-sensitive   Gives up timeliness for a guaranteed rate; video applications. The RSVP service that supports this is called guaranteed bit-rate service.
  Delay-sensitive  Variable rate but timely delivery; MPEG. The RSVP services that support this are controlled-delay (non-real-time) and predictive service (real-time service).

Ø RSVP
  interface serial 0
   ip rsvp bandwidth 100 32
   fair-queue
  dial-peer voice 12 11 voip
   req-qos controlled-load
Maximum bandwidth 100 kbps, maximum 32 kbps per request.
Use for slow links, highly utilized links, or links with less than 2 Mb where the best voice quality is needed.
Check out: www.mentortech.com/learn/welcher/papers/rsvp.html

21.7. RANDOM EARLY DETECTION (RED)

Uses the IP precedence bits.

21.8. DATA COMPRESSION

Ø LAPB, PPP, HDLC
  compress <predictor | stac | mppc>
  Predictor   memory intensive
  Stac        CPU intensive
  MPPC        CPU intensive

Ø Frame-Relay
  frame-relay payload-compression

Ø IP
  ip tcp header-compression [passive]

21.9. MPLS AND TAG SWITCHING

MPLS Terminology
  Label Switch Router (LSR)          Switch or router that switches labeled packets based on switching tables.
  Label                              The tag or label for a packet or cell. In a packet the tag usually sits between the L2 and L3 headers; in a cell it is carried in the VPI/VCI header.
  Edge LSR                           L3 switch or router that is responsible for initially processing the L3 information to create the label.
  Label Switch Path (LSP)            Path defined by the label.
  Label Switch Circuit (LSC)         ATM path for the label.
  Label Distribution Protocol (LDP)  Protocol for creating labels in the core and edge devices. Works with interior routing protocols: EIGRP, IGRP, OSPF, RIP, IS-IS.
MPLS Process
  1 - LDP creates a switching table based on the interior routing protocol and devices.
  2 - Edge LSR creates the label; labels have local significance only.
  3 - Next hop / LSR replaces the label and forwards toward the destination.
  4 - Next hop / Edge LSR removes the label and forwards to the destination.
With MPLS, CLIP and NHRP are no longer needed for dynamic routing over ATM.


22. Multicasting

  Host <-> Router     IGMP
  Router <-> Switch   CGMP
  Router <-> Router   PIM

Note: Recall that the least significant bit of the most significant octet of an Ethernet or FDDI MAC address is the "group bit." If the bit is set (1), the MAC address is a multicast (or broadcast). If the bit is not set (0), the MAC address is a unicast. The MAC address 0900.3333.4444 has the group bit set, and is therefore a multicast MAC (09 hex = 00001001; the last bit, the group bit, is set).
If you have two lines, a 56K and a T1, and enable multicasting on the 56K, it will not work: the RPF check prefers the T1. You need to use a static mroute or DVMRP; PIM alone will not work.
IP multicast rule: a router can have only one incoming interface for any entry in its multicast routing table.
If the first octet of the MAC address is an odd number (its second hex digit is odd), it is a multicast address.
With Token Ring, multicast addresses are not supported since they are functional addresses. Only 31 addresses are available for functional addresses.

22.1. INTERNET GROUP MANAGEMENT PROTOCOL (IGMP)

You can limit multicast flooding on a switch three ways: a static CAM entry, IGMP snooping, or CGMP.
Allows routers to forward multicasts.
Allows IP hosts to join multicast groups.
Two message structures: query and report.
All messages are addressed to 224.0.0.1 with TTL = 1.
Used by hosts to signal to routers that they want to join / leave multicast groups.
IGMP messages are sent with the TTL set to one, so routers never forward them.
Routers send IGMP queries to hosts every 60 seconds and use 224.0.0.1.
A workstation "surfs" training videos: when it receives the fourth video, the other three multicast streams are still being sent for up to three minutes. This is the leave latency; IGMP version 2 corrects this problem. The router will send two queries for a membership report. Each query will time out in one second.
If there are version 1 and version 2 IGMP routers on the same subnet, configure all of them as version 1.

Ø Configuration
  ip multicast-routing
  interface ethernet 0
   ip igmp join-group 224.10.1.2

Ø Commands
  show ip igmp groups
  show ip igmp interface
  debug ip igmp


22.2. CISCO GROUP MANAGEMENT PROTOCOL (CGMP)

Lets a switch use the router's IGMP knowledge so the switch can make L2 forwarding decisions.
When enabling CGMP on a switch, Cisco recommends you also enable port fast on any port that has hosts.
By default, CGMP is disabled, and no multicast routers are configured.

Ø Broadcast / Multicast Suppression
Broadcast suppression is off by default. The set port broadcast command allows you to set up the broadcast suppression threshold value. You enable broadcast/multicast suppression by setting the threshold to a value greater than 0 percent. A threshold value of 100 percent means that no limit is placed on broadcast traffic. A threshold value of 0 percent means that broadcast/multicast suppression is disabled. By default, broadcast/multicast suppression is disabled.

Broadcast Suppression - Bandwidth Based
Bandwidth based is hardware suppression.
  set port broadcast 3/2-3 20%
Bandwidth-based broadcast/multicast suppression applies to all ports on a module.
  show port broadcast 3
  show test 3

Broadcast Suppression - Packet Based
Packet based is software suppression.
  set port broadcast 4/1 500
Applies only to the port set; 500 pps is the limit.
Hardware-based suppression takes precedence over software suppression. To disable the hardware suppression, set the threshold to 100%.
Use show port broadcast 4/1 to display whether packets were dropped.
Prevents switched ports on a LAN from being disrupted by a broadcast storm on one of the ports.
Hardware suppression is supported on the Catalyst 5000s.
Software suppression is supported on all Ethernet modules.

Ø CGMP Filtering CGMP filtering requires a network connection from the Catalyst 5000 series switch to a router running CGMP.

22.2.1. Stopping Multicasts from Broadcasting on a Switch

Ø Manually Setting a Switch for Multicasting
Ports 2/3, 2/4, and 2/19 want multicasts from 239.0.5.10. The router is on port 1/1. The IP 239.0.5.10 has the multicast MAC 0100.5E00.050A.
  set cam permanent 01-00-5E-00-05-0A 2/3-4,2/19
  or
  set cam static 01-00-5E-00-05-0A 2/3-4,2/19
  set multicast router 1/1
To set a multicast group:
  set multicast group 01-00-5E-00-05-0A 2/3-4 10
  show multicast group cgmp 10
  show multicast group count 10
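The CAM entry above depends on the group-to-MAC mapping (239.0.5.10 becomes 0100.5E00.050A) and on the group-bit rule from the start of the multicast section. The Python below is an added example written for these notes (not from the original document or from Cisco): it computes the mapping, renders the MAC in the dashed form that set cam expects, tests the group bit, and lists the 32 IPv4 groups that share one MAC, which is what a static CAM entry or a switch forwarding purely on MAC address will deliver to those ports.

```python
# Added example, not from the notes or from Cisco: IPv4 multicast group -> MAC
# mapping (01-00-5E + low 23 bits), the group-bit test, and the 32:1 overlap a
# MAC-based CAM entry inherits.
from __future__ import annotations
import ipaddress
import re
from typing import List

def _digits(mac: str) -> str:
    digits = re.sub(r"[.:\-]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits.upper()

def ip_to_multicast_mac(ip: str) -> str:
    """01-00-5E prefix + low 23 bits of the group address, in Cisco dotted form."""
    addr = ipaddress.IPv4Address(ip)
    if not addr.is_multicast:
        raise ValueError(f"{ip} is not in 224.0.0.0/4")
    low23 = int(addr) & 0x7FFFFF
    h = (bytes([0x01, 0x00, 0x5E]) + low23.to_bytes(3, "big")).hex().upper()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"

def to_catos(mac: str) -> str:
    """0100.5E00.050A -> 01-00-5E-00-05-0A, the form 'set cam' takes."""
    d = _digits(mac)
    return "-".join(d[i:i + 2] for i in range(0, 12, 2))

def is_group_address(mac: str) -> bool:
    """Canonical (Ethernet/FDDI) form: the LSB of the first octet is the group bit,
    which is why an odd first octet (09xx, 01xx, ...) marks a multicast."""
    first = int(_digits(mac)[:2], 16)
    return bool(first & 0x01)

def groups_sharing_mac(ip: str) -> List[str]:
    """All 32 IPv4 groups that map onto the same MAC as `ip`: the four low bits of
    the first octet (224..239) and bit 23 of the address are not in the MAC."""
    low23 = int(ipaddress.IPv4Address(ip)) & 0x7FFFFF
    result = []
    for first_octet in range(224, 240):
        for bit23 in (0, 1):
            value = (first_octet << 24) | (bit23 << 23) | low23
            result.append(str(ipaddress.IPv4Address(value)))
    return result

if __name__ == "__main__":
    mac = ip_to_multicast_mac("239.0.5.10")
    print("239.0.5.10 ->", mac, "->", to_catos(mac))
    print("0900.3333.4444 is a group address:", is_group_address("0900.3333.4444"))
    print("groups delivered by the same CAM entry:", ", ".join(groups_sharing_mac("239.0.5.10")))
```

Note that 224.0.5.10 and 239.128.5.10 are among the 32 groups sharing the entry; if traffic for a colliding group must not reach those ports, the filtering has to happen at layer 3 (on the router) rather than in the CAM.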

Ø Enabling IGMP Snooping
  set igmp enable
  show igmp statistics 10
IGMP snooping is available in Catalyst 5000 series software Release 4.1 and later with a Supervisor Engine III with the NetFlow Feature Card (NFFC). It requires that every IP packet be examined, which slows the switch down.
When IGMP snooping is enabled the switch automatically learns where the multicast router is connected, and you do not have to configure it manually.

Ø Enabling CGMP
Before you enable CGMP on a Catalyst 5000 series switch, you must disable IGMP snooping, if it is enabled, by entering the set igmp disable command. If you try to enable CGMP without first disabling IGMP snooping, an error message will be generated. When CGMP is enabled, it automatically identifies the ports to which the CGMP-capable router is attached. The set multicast router command allows you to statically configure multicast router ports.
  set igmp disable
  set cgmp enable               Enables CGMP on the switch
  set multicast router 1/1      Statically defines the multicast router for CGMP; this should not have to be entered.
Verifying CGMP:
  show multicast router
  show multicast group cgmp 5
  show cgmp statistics
  show multicast router cgmp 5

Ø Enabling CGMP Leave Processing
  set cgmp leave enable
  show cgmp statistics

Ø Enabling CGMP on Routers
Used on routers to notify switches when a host joins / leaves a group. Requires at least one router to work.
Router configuration:
  ip multicast-routing
  interface ethernet 0
   ip cgmp

22.3. DISTANCE VECTOR MULTICAST ROUTING PROTOCOL (DVMRP) Cisco routers can run DVMRP, they can however be PIM-DVMRP gateways. If PIM multicasting is configured and a Cisco routers hears a DVMRP probe message the router will mark that segment as having a DVMRP neighbor. RFC 1075 Based on hop count Uses a reverse-path flooding technique

DVMRP floods the network for multicast requests; routers that do not want the particular multicast group send a prune message back. DVMRP periodically refloods the network to check for new hosts. This is the basis of the Internet's MBONE.
Sends periodic route updates every 60 seconds.
Has a 32 hop limit.
Poison reverse is used to signal that the router is downstream.
Works with all manufacturers' routers.
Uses neighbor discovery on 224.0.0.4 "all DVMRP routers"; neighbors form adjacencies.
DVMRP uses the RPF check. If the RPF check constantly removes routes from the mroute table, the network is not converging.

Ø DVMRP Tunnels
Cisco routers can convert DVMRP to PIM traffic and act as a DVMRP router when using a tunnel.

Ø Multi-Access Networks and DVMRP
Cisco routers cannot prune DVMRP networks on multi-access networks, so Cisco routers still send multicast traffic on networks without hosts. To make pruning available for Ethernet or other multi-access networks you must configure a tunnel to each DVMRP router. A tunnel makes the connection on Ethernet point-to-point, so prunes work. If multicast sources are available on the DVMRP network you must configure static mroutes to them or the RPF check will fail.
interface tunnel 0
 ip unnumbered ethernet0
 ip pim sparse-dense-mode
 tunnel source ethernet0
 tunnel destination 192.168.1.11
 tunnel mode dvmrp
int ethernet0
 ip address 172.16.2.1 255.255.255.0
int ethernet1
 ip address 192.168.10.1 255.255.255.0
 ip pim sparse-dense-mode
router ospf 1
 network 172.16.2.1 0.0.0.0 area 0
 passive-interface tunnel 0

Ø Sending Hosts to a DVMRP Network
By default directly connected multicast hosts will be advertised to the DVMRP network. If you have a multicast host of 130.1.1.1 behind the DVMRP-connected router and you want to advertise it to the DVMRP network use:
int tun0
 ip dvmrp metric <metric> list 3
access-list 3 permit 130.1.1.0 0.0.0.255

Ø Sending Hosts throughout a PIM Network
Add ip dvmrp unicast-routing to all routers between the two networks.

Ø Blocking DVMRP Routers
int ethernet 0
 ip address 172.16.10.1 255.255.255.0
 ip dvmrp accept-filter 0 neighbor-list 10
access-list 10 deny any
This will block all DVMRP probe messages and not allow the router to enter DVMRP interoperability mode.

Ø Summarizing DVMRP Routes
ip dvmrp summary-address 172.16.0.0 255.255.0.0
This command causes the router to summarize any DVMRP route that falls within this range.

Ø Disabling DVMRP Automatic Summarization
no ip dvmrp auto-summary

Ø Controlling DVMRP Advertisements
ip dvmrp metric 1 list 10
ip dvmrp metric 0 dvmrp
ip dvmrp metric 2 ospf 120
access-list 10 permit 172.16.0.0 0.0.255.255
access-list 10 permit 192.168.0.0 0.0.255.255
The first command enables a Cisco router to advertise these routes from its routing table as DVMRP routes with a metric of 2. The second command specifies that any routes learned by DVMRP should not be advertised, hence the 0 metric; this command can stop a router from becoming a transit router. The third command allows only routes from OSPF process 120 to be advertised.

Ø Other DVMRP Commands
ip dvmrp output-report-delay <delay-time> <burst>
ip dvmrp default-information {originate | only}
ip dvmrp accept-filter <acl>                   Used to block DVMRP route reports.
ip dvmrp distance <admin-distance>
ip dvmrp metric-offset [in | out] <increment>
ip dvmrp route-limit <route-count>             Limits the number of DVMRP routes sent over an interface. The default is 7000; this is enabled when multicasting is enabled on the router.
ip dvmrp routehog-notification <route-count>   Sends a syslog message if more than 10,000 routes have been received on an interface. This is enabled by default when multicasting is enabled.
ip dvmrp unicast-routing                       Used to make the unicast and multicast topologies congruent.

22.4. PROTOCOL INDEPENDENT MULTICAST (PIM)
PIM is Cisco specific. All multicast MAC addresses begin with 01-00-5E. Some common Ethernet multicasts are:
NetBIOS         0300.0000.0001
Bridge Group    0180.c200.0000 (for BPDUs - IEEE)
IP Multicast    0100.5exx.xxxx
Topics covered: RP filtering, group filtering, load-balancing over equal cost paths.

There is no prune delay on ptp interfaces.
PIM uses the routing table.
PIM version I uses IP protocol number 2 and IP address 224.0.0.2.
PIM version II uses IP protocol number 102 and IP address 224.0.0.13.

Ø Multicast General Rules
1. Whenever it is necessary to create an (S,G) entry and a corresponding parent (*,G) does not exist, a new (*,G) entry is automatically created first.
2. The RPF interface is computed as the interface with the lowest cost path (based on administrative distance / metric) to the IP address of the source (or in the case of a sparse mode (*,G) entry, the RP). If multiple interfaces have the same cost, the interface with the highest IP address is chosen as the tie breaker.
3. When a new (S,G) entry is created, its outgoing interface list (OIL) is initially populated with a copy of the outgoing interface list from its parent (*,G) entry.
4. The incoming interface (RPF interface) of a multicast forwarding entry must never appear in its outgoing interface list.
5. The RPF interface (that is, the incoming interface) of every multicast state entry is recalculated every 5 seconds and the outgoing interface list is adjusted appropriately based on General Rule 4 (to prevent the incoming interface from appearing in the outgoing interface list).
6. Additions or deletions to the outgoing interface list of a (*,G) entry are replicated (within the constraints of General Rule 4) to all associated (S,G) entries for the group.
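The General Rules above as a small mroute-table model, an added example that is not part of the original notes: it applies Rules 1, 3, 4, 5 and 6 to (*,G) and (S,G) state so the OIL bookkeeping can be stepped through. Interface names, the source and the group are constructed sample values, and only (*,G)-driven OIL changes are modelled.

```python
"""Added example (not from the CCIE notes): a minimal model of the mroute
table that applies General Rules 1, 3, 4, 5 and 6. Interface names, source and
group are constructed; (S,G)-specific Joins are not modelled."""
from dataclasses import dataclass, field


@dataclass
class Entry:
    rpf_iface: str                          # incoming (RPF) interface
    oil: set = field(default_factory=set)   # outgoing interface list


class MrouteTable:
    def __init__(self):
        self.star_g = {}   # group -> (*,G) Entry
        self.s_g = {}      # (source, group) -> (S,G) Entry

    def ensure_star_g(self, group, rpf_iface):
        """Rule 1: a parent (*,G) exists before any (S,G) for the group."""
        return self.star_g.setdefault(group, Entry(rpf_iface))

    def add_s_g(self, source, group, rpf_iface, parent_rpf_iface):
        parent = self.ensure_star_g(group, parent_rpf_iface)
        # Rule 3: the new OIL is a copy of the parent's OIL ...
        # Rule 4: ... minus the entry's own incoming interface.
        entry = Entry(rpf_iface, {i for i in parent.oil if i != rpf_iface})
        self.s_g[(source, group)] = entry
        return entry

    def add_oif_star_g(self, group, iface):
        """Add an interface to the (*,G) OIL; False when Rule 4 forbids it."""
        parent = self.star_g[group]
        if iface == parent.rpf_iface:
            return False
        parent.oil.add(iface)
        # Rule 6: replicate the addition to every child (S,G), still
        # honouring Rule 4 for each child's own RPF interface.
        for (_, g), child in self.s_g.items():
            if g == group and iface != child.rpf_iface:
                child.oil.add(iface)
        return True

    def remove_oif_star_g(self, group, iface):
        """Rule 6 for deletions: the parent and every child drop it."""
        self.star_g[group].oil.discard(iface)
        for (_, g), child in self.s_g.items():
            if g == group:
                child.oil.discard(iface)

    def recompute_rpf(self, source, group, new_rpf_iface):
        """Rule 5: after the periodic RPF recalculation the new incoming
        interface leaves the OIL and the old one returns if the parent
        still forwards on it."""
        child = self.s_g[(source, group)]
        parent = self.star_g[group]
        old = child.rpf_iface
        child.rpf_iface = new_rpf_iface
        child.oil.discard(new_rpf_iface)
        if old in parent.oil:
            child.oil.add(old)
```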

Ø PIM Dense Mode Rules
1. The outgoing interface list of a dense mode (*,G) entry reflects the interfaces where (1) other PIM-DM neighbors exist or (2) directly connected members of the group exist.
2. Outgoing interfaces in dense mode (S,G) entries are not removed as a result of Prunes. Instead they are marked as Prune/Dense and left in the outgoing interface list. When a new PIM neighbor is added to the list of PIM neighbors on an interface, the interface is reset to Forward/Dense state in all PIM-DM (S,G) outgoing interface lists.

Ø PIM Sparse Mode Rules
1. A sparse mode (*,G) entry is created as a result of an Explicit Join operation.
2. The incoming interface of a sparse mode (*,G) entry always points up the shared tree toward the RP.
3. A sparse mode (S,G) entry is created under the following conditions:
   Receipt of an (S,G) Join/Prune message
   On a last-hop router when it switches to the SPT
   Unexpected arrival of (S,G) traffic when no (*,G) state exists
   At the RP when a Register message is received (this is identical to Rule 1)
4. An interface is added to the outgoing interface list of a sparse mode (*,G) or (S,G) entry in either of the following conditions:
   When an appropriate (*,G) or (S,G) Join is received via this interface
   When a directly connected member of the group exists on the interface
5. An interface is removed from the outgoing interface list of a sparse mode (*,G) or (S,G) entry in either of the following situations:
   When an appropriate (*,G) or (S,G) Prune (that is not overridden) is received via this interface (and where there is no directly connected member)
   When the interface's expiration timer counts down to zero

   (Notice this rule never allows a Prune state to exist in a sparse mode OIL)
6. The expiration timer of an interface is reset to 3 minutes as a result of either of the following conditions:
   An appropriate (*,G) or (S,G) Join is received via this interface
   An IGMP Membership Report is received from a directly connected member on this interface
7. Routers will send an (S,G) RP-bit Prune up the shared tree when the RPF neighbor for this (S,G) entry is different from the RPF neighbor of the (*,G) entry.
8. The RPF interface (that is, the incoming interface) of a sparse mode (S,G) entry is calculated by using the IP address of the source, except when the RP-bit is set, in which case the IP address of the RP is used.

Ø Proxy-Join Timer Rules
1. The Proxy-Join timer for an (S,G) entry is (re)started under the following conditions:
   A nonatomic (*,G) Join is received on the incoming interface of the (S,G) entry from other than the RPF neighbor toward the source S.
   In the RP, when an (S,G) entry is created as a result of the receipt of a Register message and the (*,G) entry has a non-null OIL.
2. Proxy-Join timers are not stopped by any direct event. Instead, they are simply allowed to time out if not restarted by the receipt of a nonatomic (*,G) Join.
3. While the Proxy-Join timer is running on an (S,G) entry, the router will perform the following steps:
   Send periodic (S,G) Joins toward source S
   Suppress sending (S,G) Prunes toward source S

Ø PIM State Flags
D - Dense mode
C - Connected, a receiver is directly connected
L - Local, router is a member of this group (e.g. PIM-RP discovery / 224.0.1.40 / PIM-SM)
P - Indicates that the router has been pruned
T - SPT-bit, indicates that the router is an active member of the SPT, on all (S,G)
J - Joined SPT, on all (*,G)'s
S - Sparse mode
SM-specific flags:
X - Proxy Join timer flag
F - Register bit, indicates that the software is registering for a multicast source
R - RP bit, indicates that the (S,G) entry is pointing toward the RP. This is typically a prune state along the shared tree for a particular source.

Ø RPF Check
When a multicast packet arrives on an interface, the RPF process checks to ensure that this incoming interface is the outgoing interface used by unicast routing to reach the source of the multicast packet. This RPF check process prevents loops.

Ø Static Mroutes
When using a GRE tunnel for multicasting through multiple routers that don't support multicasting you need a static mroute to join to the tunnel.

It's important to understand that static mroutes aren't like regular static routes: they don't alter the path multicast traffic takes, they only modify the RPF interface (the interface you expect it to come in on).
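The RPF check and the static-mroute override described above, as an added example that is not part of the original notes: the unicast table decides the expected incoming interface by longest match, and a static mroute replaces only that expectation. The routing entries, next hops and interface names are constructed sample values.

```python
"""Added example (not from the CCIE notes): an RPF check against a unicast
routing table, with static mroutes that override only the expected incoming
interface. All prefixes, next hops and interface names are constructed."""
import ipaddress

# Constructed unicast routing table: prefix -> (next hop, outgoing interface)
UNICAST_ROUTES = {
    "0.0.0.0/0":   ("192.168.1.1", "Serial0"),
    "10.1.0.0/16": ("192.168.2.1", "Serial1"),
    "10.1.5.0/24": ("172.16.2.2", "Ethernet0"),
}

# Constructed static mroutes (ip mroute <source> <mask> <rpf-neighbor>) with the
# interface leading to that neighbor. They never move unicast traffic.
STATIC_MROUTES = {
    "10.1.5.0/24": ("192.168.9.2", "Tunnel0"),
}


def _longest_match(table, source):
    """Longest-prefix lookup; returns (network, info) or None."""
    src = ipaddress.IPv4Address(source)
    best = None
    for prefix, info in table.items():
        net = ipaddress.IPv4Network(prefix)
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, info)
    return best


def rpf_interface(source):
    """Return (rpf_neighbor, rpf_interface) for a multicast source.

    Static mroutes are consulted before the unicast table, so a tunnel can
    be made the expected incoming interface while unicast routing and the
    actual multicast forwarding path stay as they are.
    """
    for table in (STATIC_MROUTES, UNICAST_ROUTES):
        hit = _longest_match(table, source)
        if hit is not None:
            return hit[1]
    return None


def rpf_check(source, incoming_iface):
    """True when the packet arrived on the interface the router would use to
    reach the source; anything else is dropped, which keeps forwarding
    loop-free."""
    expected = rpf_interface(source)
    return expected is not None and expected[1] == incoming_iface
```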

Ø Load-balancing over Equal Cost Paths
Scenario: two routers with e0, s0 and s1, connected by both serial interfaces. Set up a GRE tunnel between them and add PIM to e0 at both sides. The source of the tunnel is the local e0; the destination is the other router's e0. The traffic will be automatically split between them.

Ø Stub Multicast Networks
R1
ip multicast-routing
int s0
 ip pim neighbor-filter 1
access-list 1 deny host 10.1.1.2
R2
ip multicast-routing
int eth0
 ip pim sparse-mode
 ip igmp helper-address 10.1.1.1
int s0
 ip pim sparse-dense-mode

Ø Three Different Modes of Operation
Dense mode             all routers forward     # ip pim dense-mode
Sparse mode *1         no router forwards      # ip pim sparse-mode
Sparse-dense mode *2   either mode             # ip pim sparse-dense-mode
*1 Needs a rendezvous point configured (# ip pim send-rp-announce)
*2 Can use Auto-RP

22.4.1. Dense Mode
(*,G) is the parent; the interface indicates neighbors. (S,G) is a child; the outgoing interface is the parent.
PIM-DM does not support NBMA networks.
The RPF is calculated with the lowest administrative distance / metric to the IP address of the source.
There is no RP for Dense Mode.
PIM-DM uses a 3-minute flood-prune cycle.
PIM-DM uses a 30 second broadcast to 224.0.0.13 for hellos. In PIM version 1 the address is 224.0.0.2 for hellos and it uses IGMP.
PIM-DM uses a DR; the highest IP address is assigned.
PIM-DM sends prunes:
   If traffic arrives on a non-RPF ptp interface
   Leaf router and no receivers
   Non-leaf on ptp that has a prune neighbor
   Non-leaf on LAN with no receivers
(Overall, if the router has no receivers it will prune.)
PIM-DM only knows about subnets that have receivers on them, not hosts.

Ø PIM-DM Configuration
R1
ip multicast-routing
int e0
 ip address 172.16.1.1 255.255.255.0
 ip pim sparse-dense-mode        (Best way to implement)
R2
ip multicast-routing
int e0
 ip address 172.16.1.2 255.255.255.0
 ip pim sparse-dense-mode        (Best way to implement)

22.4.2. Sparse Mode
PIM-SM uses an explicit join.
PIM-SM uses a rendezvous point.
PIM-SM routers send join / prune messages every 60 seconds; otherwise a 3 minute timeout would prune them.
PIM-SM uses shared trees and SPTs; when an SPT switchover takes place the shared tree path gets pruned.
PIM-SM can use the Auto-RP feature to aid in network management.
Keeps a list of hosts / members in the routing table.
When routers join a multicast group they join the RPT tree and not the RP.
Unlike PIM-DM, PIM-SM removes the routing table entries when it receives a prune message. You will never see a prune / sparse entry in the mroute table with PIM-SM.

Ø NBMA Networks
ip pim nbma-mode is only useful for PIM sparse mode. If you're using PIM sparse mode in a hub-and-spoke partial mesh, you can use the command ip pim nbma-mode on the hub router. If your Frame Relay is a full mesh, you don't need to use the ip pim nbma-mode command. The ip pim nbma-mode command makes PIM treat the network as a set of point-to-point links. Dialer interfaces can also use this command.

Ø Auto-RP and NBMA Networks
For Auto-RP to work with NBMA networks you must configure ip pim nbma-mode as well as configure the mapping agents to be on the inside network of the hub. If the mapping agent must be behind one of the spokes, that spoke has to be fully meshed with the other routers.

Ø Bootstrap Router (BSR)
BSR works on all manufacturers' routers. This is the PIM version 2 method to automatically define an RP. A BSR is elected the same way a root bridge is elected for a spanning tree; a higher bsr-priority will change who is the BSR router. BSR messages are flooded every 60 seconds, and candidate RPs (C-RPs) send their advertisements by unicast to the BSR.

BSR messages contain all the C-RPs (known as the RP-set) and the routers use a hash algorithm to select the RP. Since all routers know about all C-RPs, failing over is fast. If two C-RPs are configured the multicast workload is divided between them, unlike Auto-RP where one would be a failover; the workload is divided by the hash algorithm when they are selected. BSR messages use 224.0.0.13 and are sent with a TTL of one. Routers that receive them re-multicast them out their interfaces. This is the hop-by-hop flooding of BSR messages.

Ø Auto-RP
When configuring an RP candidate make sure the TTL parameter is sufficient to reach all the mapping agents. Also make sure the scope for the mapping agents is sufficient to reach all the routers; otherwise a router would operate in Dense mode. Mapping agents join the Cisco-RP-Announce (224.0.1.39) group to find the RP candidates. Once the mapping agents know the RPs they advertise this information by multicasting Cisco-RP-Discovery messages (224.0.1.40). Multiple mapping agents can be configured for redundancy. A good practice is to configure two RPs and have each one be a mapping agent. All Cisco routers learn about the active Group-to-RP mapping by automatically joining the Cisco-RP-Discovery (224.0.1.40) multicast group. If there are two routers set for Auto-RP the highest IP address will become the RP. If no RP exists the routers go into Dense mode.

Ø PIM-SM with RP
R1
ip multicast-routing
int s0
 ip pim sparse-mode
int s1
 ip pim sparse-mode
R2
ip multicast-routing
ip pim rp-address r1            (R1's address)
int s0
 ip pim sparse-mode

Ø PIM-SM with Auto-RP
R1
ip multicast-routing
ip pim send-rp-announce serial 2 scope 10     ! Used to configure the RP candidate.
ip pim send-rp-discovery scope 10             ! Used to configure the mapping agent.
int s0
 ip pim sparse-mode
R2
ip multicast-routing
int s0
 ip pim sparse-mode

Ø PIM-SM with Auto-RP and Group-List
R1
ip multicast-routing
ip pim send-rp-announce serial 0 scope 10 group-list 10
ip pim send-rp-discovery scope 10
int s0
 ip pim sparse-mode
access-list 10 permit 239.254.0.0 0.0.255.255
access-list 10 permit 224.0.0.0 7.255.255.255
Permits this router to be the RP for: 239.254.0.0 - 239.255.255.255 and 224.0.0.0 – 231.255.255.255.

Ø PIM-SM with Auto-RP and Mapping Filter
R1
ip multicast-routing
ip pim send-rp-announce serial 0 scope 10
ip pim send-rp-discovery scope 10
ip pim rp-announce-filter rp-list 10 group-list 20
int s0
 ip pim sparse-mode
access-list 10 permit host 172.16.5.1
access-list 10 permit host 172.16.6.1
access-list 20 deny 239.0.0.0 0.255.255.255
access-list 20 permit 224.0.0.0 15.255.255.255
This allows only RP announcements from hosts 172.16.5.1 and 172.16.6.1 for multicast groups 224.0.0.0 – 238.255.255.255.

Ø Last-Ditch RP
ip pim rp-address 172.16.5.1 10
access-list 10 deny 224.0.1.39
access-list 10 deny 224.0.1.40
access-list 10 permit any
This defines a static RP; if this RP fails all multicast traffic will stop and not revert to dense mode.

Ø PIM Sparse and Dense Mode
R1
ip multicast-routing
ip pim send-rp-announce serial 0 scope 10 group-list 10
ip pim send-rp-discovery scope 10
int s0
 ip pim sparse-dense-mode
access-list 10 permit 224.1.1.0 0.0.0.255
Permits this router to be the RP for 224.1.1.0 - 224.1.1.255. If all the routers are configured like this, 224.1.1.0 would operate in sparse mode since an RP is available, and all the other multicast groups would operate in dense mode.

Ø BSR and Group-List
R1
ip multicast-routing
ip pim border
This command stops the flow of BSR messages into another PIM domain.

ip pim rp-candidate serial 0 group-list 10          ! Specifies the C-RP
ip pim bsr-candidate serial 0 30 50 interval 30
Specifies the BSR candidate; 30 is the hash mask length and 50 is the priority. A mask of 30 (0xFFFFFFFC) would make 4 groups per RP: 239.0.0.0 – 239.0.0.3 are assigned to r1 and the next 4 to r2, until all the addresses are divided. The interval parameter is the RP failover timer. A BSR will fail over when 90 seconds (3x) has gone by.
int s0
 ip pim sparse-mode
access-list 10 permit 239.254.0.0 0.0.255.255
access-list 10 permit 224.0.0.0 7.255.255.255
Permits this router to be the RP for: 239.254.0.0 - 239.255.255.255 and 224.0.0.0 - 231.255.255.255.
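The hash behind the "4 groups per RP" statement above, as an added example that is not part of the original notes: it implements the PIMv2 bootstrap hash (RFC 2362 section 3.7) that every router runs over the RP-set, and shows that with hash mask length 30 all four groups in a /30 block land on the same RP. The two C-RP addresses are constructed sample values; the notes give none for this configuration.

```python
"""Added example (not from the CCIE notes): the PIMv2 BSR hash that picks one
RP per group from the RP-set, shown with the hash mask length 30 from the
bsr-candidate line. The C-RP addresses are constructed sample values."""
import ipaddress


def bsr_hash(group: str, mask_len: int, crp: str) -> int:
    """Value(G, M, C) = (1103515245 * ((1103515245 * (G & M) + 12345) XOR C)
    + 12345) mod 2^31, as RFC 2362 defines it."""
    g = int(ipaddress.IPv4Address(group))
    c = int(ipaddress.IPv4Address(crp))
    mask = (0xFFFFFFFF << (32 - mask_len)) & 0xFFFFFFFF   # /30 -> 0xFFFFFFFC
    inner = (1103515245 * (g & mask) + 12345) ^ c
    return (1103515245 * inner + 12345) % (1 << 31)


def select_rp(group: str, rp_set, mask_len: int = 30) -> str:
    """Highest hash value wins; a tie goes to the highest C-RP address, so
    every router holding the same RP-set reaches the same answer with no
    extra signalling."""
    return max(rp_set, key=lambda rp: (bsr_hash(group, mask_len, rp),
                                       int(ipaddress.IPv4Address(rp))))


def groups_per_rp(first_group: str, count: int, rp_set, mask_len: int = 30):
    """Count how many of 'count' consecutive groups land on each RP. With a
    /30 mask the groups move in blocks of 4 because G & M is identical for
    every group inside a block."""
    start = int(ipaddress.IPv4Address(first_group))
    tally = {rp: 0 for rp in rp_set}
    for i in range(count):
        g = str(ipaddress.IPv4Address(start + i))
        tally[select_rp(g, rp_set, mask_len)] += 1
    return tally
```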

Ø Filtering RP Routers
ip pim accept-rp 172.16.1.1 group-list 10
ip pim accept-rp 172.16.5.1 group-list 10
access-list 10 permit 224.1.1.0 0.0.0.255
This allows routers 172.16.1.1 and 172.16.5.1 to become the RP for all 224.1.1.0 traffic. This makes only 224.1.1.0 traffic operate in sparse mode; everything else will be in dense mode.
ip pim accept-rp auto-rp
This filter makes sure the RP uses the Group-to-RP mapping and cannot be in groups 224.0.1.39 or 224.0.1.40.
ip pim accept-rp 0.0.0.0 group-list 10
access-list 10 permit 224.1.1.0 0.0.0.255
This list allows any router to be the RP for 224.1.1.0, so only this multicast address will operate in sparse mode; all other multicast groups will operate in dense mode.

22.5. MULTIPROTOCOL BGP (MBGP)

Ø Configuring MBGP
router bgp 100
 no bgp default ipv4-unicast
 neighbor 192.168.1.2 remote-as 200
 neighbor 192.168.1.2 activate
 address-family ipv4 multicast
  neighbor 192.168.1.2 activate
 exit-address-family
sh ip bgp ipv4 unicast
sh ip bgp ipv4 multicast

22.6. MULTICAST SOURCE DISCOVERY PROTOCOL (MSDP)
MSDP is spoken between the RPs of different ASs; this allows each RP to discover sources known by other RPs. Uses TCP port 692 for its peering connections. MSDP shares the source information with its peers by sending Source Active (SA) messages. These messages contain the address of the source, the group address, and the IP address of the originating RP.

By default Cisco routers do not cache SAs; you can enable caching with:
ip msdp cache-sa-state
To enable a Cisco router to send SA requests use the command:
ip msdp sa-request

Ø Mesh Groups
You can use MSDP to create a mesh group; this allows all the routers to share the RP responsibilities, and RP failover is only a matter of unicast routing protocol convergence.
r1
int loopback 0
 ip address 10.100.1.1 255.255.255.0
int loopback 1
 ip address 10.100.254.1 255.255.255.0
 ip pim sparse-dense-mode
!
router ospf 1
 network 0.0.0.0 255.255.255.255 area 0
 router-id 10.100.1.1
!
router bgp 6500
 bgp router-id 10.100.1.1
 neighbor CCIE peer-group
 neighbor CCIE remote-as 6500
 neighbor CCIE update-source loopback 0
 neighbor 10.100.1.2 peer-group CCIE
 !
 address-family ipv4 multicast
  neighbor 10.100.1.2 activate
 exit-address-family
!
ip pim rp-address 10.100.1.1
ip pim send-rp-discovery loopback1 scope 20
ip msdp peer 10.100.1.2 connect-source loopback 0
ip msdp description 10.100.1.2 to r2
ip msdp mesh-group CCIE 10.100.1.2
ip msdp cache-sa-state
ip msdp originate-id loopback0
r2
int loopback 0
 ip address 10.100.1.2 255.255.255.0
int loopback 1
 ip address 10.100.254.1 255.255.255.0
 ip pim sparse-dense-mode
!
router ospf 1
 network 0.0.0.0 255.255.255.255 area 0
 router-id 10.100.1.2
!
router bgp 6500
 bgp router-id 10.100.1.2
 neighbor CCIE peer-group
 neighbor CCIE remote-as 6500
 neighbor CCIE update-source loopback 0
 neighbor 10.100.1.1 peer-group CCIE

 !
 address-family ipv4 multicast
  neighbor 10.100.1.1 activate
 exit-address-family
!
ip pim rp-address 10.100.1.2
ip pim send-rp-discovery loopback1 scope 20
ip msdp peer 10.100.1.1 connect-source loopback 0
ip msdp description 10.100.1.1 to r1
ip msdp mesh-group CCIE 10.100.1.1
ip msdp cache-sa-state
ip msdp originate-id loopback0

Ø Configuring MSDP
ip msdp peer 192.168.1.1 connect-source loopback 0
sh ip msdp peer

22.7. TROUBLESHOOTING COMMANDS
sh ip igmp groups
sh ip mcache
sh ip mroute
sh ip mroute sum
sh ip mroute count
sh ip mroute active
sh ip pim neighbor
sh ip pim int
sh ip pim rp
sh ip pim rp mapping in-use
sh ip pim rp-hash
sh ip pim bsr-router
sh ip rpf
sh ip route
mrinfo
mtrace
mstat
deb ip pim
deb ip igmp

22.8. INTERNET MULTICAST ADDRESSES
239.0.0.0 to 239.255.255.255 are reserved, like private addresses. 224.0.0.0 to 224.255.255.255 are reserved for special purposes.
224.0.0.0     Base Address (Reserved) [RFC1112,JBP]
224.0.0.1     All Systems on this Subnet [RFC1112,JBP]
224.0.0.2     All Routers on this Subnet [JBP]
224.0.0.3     Unassigned [JBP]
224.0.0.4     DVMRP Routers [RFC1075,JBP]
224.0.0.5     OSPF IGP OSPF IGP All Routers [RFC2328,JXM1]
224.0.0.6     OSPF IGP OSPF IGP Designated Routers [RFC2328,JXM1]
224.0.0.7     ST Routers [RFC1190,KS14]
224.0.0.8     ST Hosts [RFC1190,KS14]
224.0.0.9     RIP2 Routers [RFC1723,GSM11]

224.0.0.10    IGRP Routers [Farinacci]
224.0.0.11    Mobile-Agents [Bill Simpson]
224.0.0.12    DHCP Server / Relay Agent [RFC1884]
224.0.0.13    All PIM Routers [Farinacci]
224.0.0.14    RSVP-ENCAPSULATION [Braden]
224.0.0.15    all-cbt-routers [Ballardie]
224.0.0.16    designated-sbm [Baker]
224.0.0.17    all-sbms [Baker]
224.0.0.22    IGMP [Deering]
224.0.0.23    GLOBECAST-ID [Scannell]
224.0.0.25    router-to-switch [Wu]
224.0.1.1     NTP Network Time Protocol [RFC1119,DLM1]
224.0.1.9     MTP Multicast Transport Protocol [SXA]
224.0.1.21    DVMRP on MOSPF [John Moy]
224.0.1.33    RSVP-encap-1 [Braden]
224.0.1.34    RSVP-encap-2 [Braden]
224.0.1.39    cisco-rp-announce [Farinacci]
224.0.1.40    cisco-rp-discovery [Farinacci]

22.9. QUICK CONFIGURATION GUIDES
Router - sparse mode
1. Global> ip multicast-routing
2. Global> ip pim rp-address 192.168.1.1 1       // on every router
3. Interface> ip pim sparse-mode                  ; on every interface
4. Interface> ip igmp join-group 224.x.x.x        (optional, router will respond) (have PIM also!!!)
5. Interface> ip cgmp                             ; for those hooked to Catalysts
Router - sparse mode Auto-RP
1. Global> ip multicast-routing
2. Global> ip pim send-rp-announce <interface> scope <hop count>
   Global> ip pim send-rp-discovery scope <hop count>
3. Interface> ip pim sparse-mode                  ; on every interface
4. Interface> ip igmp join-group 224.x.x.x        (optional, router will respond)
5. Interface> ip cgmp                             ; for those hooked to Catalysts
Router - sparse-dense mode Auto-RP
1. Global> ip multicast-routing
2. Global> ip pim send-rp-announce <interface> scope <hop count>
   Global> ip pim send-rp-discovery scope <hop count>
3. Interface> ip pim sparse-dense-mode            on every interface except joined (sparse)!
4. Interface> ip igmp join-group 224.x.x.x        (optional, router will respond; make it sparse mode)
5. Interface> ip cgmp                             ; for those hooked to Catalysts
Router - dense mode
1. Global> ip multicast-routing
2. Interface> ip pim dense-mode                   ; on every interface
3. Interface> ip igmp join-group 224.x.x.x        (optional, router will respond)
4. Interface> ip cgmp                             ; for those hooked to Catalysts
NBMA network
Configure PIM sparse mode, then on every logical interface: Interface> ip pim nbma-mode

Switch
set cgmp enable
set multicast router <mod/port>      to manually set the port the multicast router is on
show multicast router
show multicast group

23. Security
Configure Terminal Access Controller Access Control System (TACACS)

Ø Lock and Key
username cisco password cisco                                    - different than the one used to actually telnet to the router
username cisco autocommand access-enable timeout 5
access-list 100 dynamic testname permit ip any any
access-list 100 permit tcp any host [router-ip] eq telnet log    - allow authentication

23.1. TACACS
tacacs-server last-resort succeed
-or-
tacacs-server last-resort password
line vty 0 4
 login tacacs

23.2. NETWORK ADDRESS TRANSLATION (NAT)
Inside Local Address – internal network, private, illegal addresses
Inside Global Address – registered inside address, registered addresses
Outside Local Address – outside registered address translated local
Outside Global Address – outside registered address
When does the routing decision occur?
Outbound packets: routing done first, then NAT
Inbound packets: NAT first, then route
IG addresses are mapped to IL addresses, and OL are mapped to OG addresses. Global to local addresses are mapped for both inside and outside. Addresses can be statically or dynamically mapped. Static mappings are one-to-one, a local to a global. Dynamic addresses can be many-to-one or one-to-many.
When an entry is first put into the NAT table a translation timer is started; the default is 24 hours / 86,400 seconds. Change the time with the ip nat translation timeout command. It is important to make sure the translation timer is small enough, or the NAT pool large enough, so that the dynamic address pool never runs out.
FTP, Web and Mail servers must use static NAT assignments.
If IPSec is used with NAT, NAT must be on the secure / unencrypted side.
Cisco's trace command uses ICMP packets and MS Windows uses UDP packets.
TCP             UDP
SMTP 25         Syslog 514
FTP 20,21       TFTP 69
HTTP 80
"inside destination" (TCP load sharing) - ICMP and UDP are not recognized by access-lists. Use a route-map to get a 'fully extended' translation entry.

23.2.1. Basic NAT Configuration

Ø Steps
1 – Define the NAT pool (addresses to use)
ip nat pool CCIE 192.108.1.1 192.108.1.254 netmask 255.255.255.0
2 – Define the NAT inside addresses (addresses to convert)
ip nat inside source list 1 pool CCIE
3 – Define which interfaces are participating in the NAT process (implement on the interface)
int e0
 ip nat inside
int s0
 ip nat outside

Ø Basic Configuration
ip nat pool CCIE 192.108.1.1 192.108.1.254 netmask 255.255.255.0
ip nat inside source list 1 pool CCIE
int e0
 ip nat inside
int s0
 ip nat outside
access-list 1 permit 10.99.34.0 0.0.0.255

23.2.2. Port Address Translation (Overload)

Ø Configuration for (PAT) Overloading Inside Addresses
ip nat pool CCIELAB 137.20.20.1 137.20.20.1 netmask 255.255.255.0
ip nat inside source list 1 pool CCIELAB overload
int s0
 ip add 10.10.1.2
 ip nat outside
interface Ethernet0
 ip add 137.20.20.1
 ip nat inside
access-list 1 permit 10.10.0.0 0.0.255.255

Ø Configuration for Overlapping Addresses
ip nat pool CCIELAB 137.20.20.1 137.20.20.1 netmask 255.255.255.0
ip nat inside source list 1 pool CCIELAB overload
ip nat outside source static 10.1.1.1 2.2.2.2
or
ip nat pool outside-local 2.2.2.1 2.2.2.4 netmask 255.255.255.0
ip nat outside source list 2 pool outside-local
int s0
 ip add 10.10.1.2
 ip nat outside
interface Ethernet0
 ip add 137.20.20.1
 ip nat inside
access-list 1 permit 10.10.0.0 0.0.255.255

23.2.3. TCP Load Sharing

Ø Configuration for TCP Load Sharing 1
ip nat pool CCIELAB 137.20.20.41 137.20.20.42 prefix-length 24 type rotary
ip nat inside destination list 1 pool CCIELAB
!
int s0
 ip add 10.10.1.2
 ip nat outside
int e0
 ip add 137.20.20.1
 ip nat inside
access-list 1 permit host 137.20.20.11        (Global load sharing address)
How this works:

Match IP address 137.20.20.11 and replace it with 137.20.20.41 and 137.20.20.42 on a round-robin basis (rotary).

Ø Configuration for TCP Load Sharing 2
R2
ip nat pool shared-hosts 172.16.3.3 172.16.3.4 prefix-length 24 type rotary
ip nat inside destination list 1 pool shared-hosts
int e0
 ip nat inside
int s0
 ip nat outside
router rip
 network 172.16.0.0
access-list 1 permit 172.16.3.4

23.2.4. Dynamic NAT

Ø Dynamic NAT
ip nat inside source static 192.1.1.1 10.140.1.2
ip nat pool natlab 10.117.1.1 10.117.1.254 netmask 255.255.255.0
ip nat inside source list 10 pool natlab
access-list 10 permit 192.1.1.1
int lo0
 ip address 192.1.1.1 255.255.255.0
 ip nat inside
int serial 0
 ip nat outside
ip route 10.117.1.0 255.255.255.0 10.140.1.2

23.2.5. NAT on a Stick
interface Loopback1
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
 ip policy route-map nat
!
interface Ethernet0
 ip address 172.16.2.1 255.255.255.0 secondary
 ip address 75.102.181.33 255.255.255.0
 ip nat outside

!
ip nat inside source list 1 interface Ethernet0 overload
ip route 0.0.0.0 0.0.0.0 Loopback1
!
access-list 1 permit 172.16.0.0 0.0.255.255
route-map nat permit 10
 set ip next-hop 75.102.181.1
!

23.2.6. NAT Timers
Dynamic translations time out after 24 hours, excluding overloading. To change:
ip nat translation timeout <seconds>          Change dynamic translations
ip nat translation udp-timeout <seconds>      Change UDP, default is 300
ip nat translation dns-timeout <seconds>      Change DNS, default is 60
ip nat translation tcp-timeout <seconds>      Change TCP, default is 24 hours
ip nat translation finrst-timeout <seconds>   Change finish and reset, default is 60
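The interaction between the translation timeout and pool size that the NAT section warns about (a pool that never runs out), as an added example that is not part of the original notes: a dynamic NAT pool model that ages translations out and reports when no global address is left. The pool addresses are those of the Basic Configuration above and the inside hosts come from its access-list 1; the 86,400 second default is the one the notes give.

```python
"""Added example (not from the CCIE notes): a model of a dynamic NAT pool that
shows why the translation timeout and the pool size have to be matched. Pool
addresses and inside hosts are taken from the Basic Configuration section."""
import ipaddress

DEFAULT_TIMEOUT = 86400   # ip nat translation timeout default: 24 hours


class DynamicNatPool:
    def __init__(self, first, last, timeout=DEFAULT_TIMEOUT):
        lo = int(ipaddress.IPv4Address(first))
        hi = int(ipaddress.IPv4Address(last))
        self.free = [str(ipaddress.IPv4Address(a)) for a in range(lo, hi + 1)]
        self.timeout = timeout
        self.table = {}   # inside local -> (inside global, time of last use)

    def _expire(self, now):
        """Age out idle translations and return their addresses to the pool."""
        for local, (glob, last) in list(self.table.items()):
            if now - last >= self.timeout:
                del self.table[local]
                self.free.append(glob)

    def translate(self, inside_local, now):
        """Inside global address for an outbound packet, or None when the pool
        is exhausted (the router then drops the packet)."""
        self._expire(now)
        if inside_local in self.table:
            glob, _ = self.table[inside_local]
            self.table[inside_local] = (glob, now)   # traffic refreshes the timer
            return glob
        if not self.free:
            return None
        glob = self.free.pop(0)
        self.table[inside_local] = (glob, now)
        return glob


def hosts_served(first, last, timeout, hosts, interval):
    """Simulate 'hosts' distinct inside hosts (at most 254), one starting
    every 'interval' seconds and each sending one packet; returns how many
    got an address. A long timeout with a small pool leaves the late hosts
    untranslated, a short timeout recycles addresses in time."""
    pool = DynamicNatPool(first, last, timeout)
    return sum(1 for i in range(hosts)
               if pool.translate(f"10.99.34.{i + 1}", i * interval) is not None)
```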

Ø Lab Example: Configure NAT on VLAN 2. Host addresses are 1.1.1.1 to 1.1.1.253. Use the valid 14-host network on r5's E0 as valid addresses (into the rest of the network). Make sure that the other routers see the 170.100.42.x route but not the 1.1.1.0 network.
ip nat pool InsideIP 170.100.42.242 170.100.42.254 prefix-length 28
ip nat inside source list 1 pool InsideIP
access-list 1 permit 1.1.1.0 0.0.0.255 log
int e0
 ip address 170.100.42.241 255.255.255.240
 ip address 1.1.1.254 255.255.255.0 secondary
 ip nat inside
int s0.0.1
 ip nat outside
int s0.0.2
 ip nat outside
router igrp 100
 network 170.100.0.0

Ø Examples

Ø NAT Summaries

Ø Network Address Translation (NAT)

Port Address Translation (Overload)
ip nat inside source list 1 pool CCIELAB overload
ip nat pool CCIELAB 137.20.20.1 137.20.20.1 netmask 255.255.255.0

TCP Load Sharing
ip nat inside destination list 1 pool CCIELAB
ip nat pool CCIELAB 137.20.20.41 137.20.20.42 prefix-length 24 type rotary

Dynamic NAT
ip nat inside source static 192.1.1.1 10.140.1.2
ip nat inside source list 10 pool natlab
ip nat pool natlab 10.117.1.1 10.117.1.254 netmask 255.255.255.0

Nat on a Stick
ip nat inside source list 1 interface Ethernet0 overload
interface Loopback1
 ip nat inside
 ip policy route-map nat
interface Ethernet0
 ip address 172.16.2.1 255.255.255.0 secondary
 ip nat outside
ip route 0.0.0.0 0.0.0.0 Loopback1
route-map nat permit 10
 set ip next-hop 75.102.181.1

Ø Troubleshooting NAT

show ip nat statistics
show ip nat translation
debug ip nat
debug ip nat detailed        Displays what L4 protocols are being translated
clear ip nat statistics
clear ip nat translations

23.3. AUTHENTICATION, AUTHORIZATION, AND ACCOUNTING

aaa new-model
aaa authentication login default local
aaa authentication ppp default radius
aaa authentication ppp isdn tacacs+ local
!
username RtrB password 0 cisco
!
int bri0
 encap ppp
 ppp auth chap isdn
!
tacacs-server host 2.2.2.2
tacacs-server key tacaskey
radius-server host 2.2.2.2 auth-port 1645 acct-port 1646
radius-server key radiuskey

Ø Configuration

aaa new-model
aaa authentication local-override
aaa authentication login default tacacs+
aaa authentication login backdoor enable
aaa authentication ppp default tacacs+
aaa authorization exec tacacs+
aaa authorization network tacacs+
aaa accounting exec start-stop tacacs+
aaa accounting network start-stop tacacs+
!
username student password cisco
!
line console 0
 login authentication backdoor
tacacs-server host 2.2.2.2
tacacs-server key tacaskey

23.4. IPSEC

Transport mode – payload encrypted, header left alone.
Tunnel mode – payload and header encrypted and become the payload of a new IP packet.

RFC 1825, 1826, 1827

Encryption Interface to Interface

isakmp:
crypto isakmp policy 20
 authentication pre-share
 lifetime 50000
crypto isakmp key 1234567890 address 192.168.0.77

ipsec:
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map toRemoteSite 10 ipsec-isakmp
 set peer 192.168.0.77
 set transform-set myset
 match address 101
access-list 101 permit ip any any     ; from a sender's standpoint

Encryption Tunnel to Tunnel - Note crypto on both tunnel and E0!!

crypto isakmp policy 20
 authentication pre-share
 lifetime 10000
crypto isakmp key 1234567890 address 192.168.1.3
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map toRemoteSite 10 ipsec-isakmp
 set peer 192.168.1.3
 set transform-set myset
 match address 101
interface Tunnel0
 ip address 1.1.1.4 255.255.255.0
 tunnel source Ethernet0
 tunnel destination 192.168.1.3
 crypto map toRemoteSite
interface Ethernet0
 ip address 192.168.1.4 255.255.255.0
 crypto map toRemoteSite
access-list 101 permit gre 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255

Ø GRE Tunneling

GRE will let you encapsulate IPX or AppleTalk protocols through it; IPSec will do IP only. IPSec tunnels do not support multicasts or broadcasts. You can carry multicast traffic over a GRE tunnel, allowing you to run routing protocols, use multicast, etc. Remember that when using GRE tunnels, you apply the crypto map to both the tunnel interface and the serial/outbound interface in order for the encryption to occur.

Crypto - Policy, Key, Transform, Map, Apply (PKTMA)

With IPSec you define what traffic should be protected between two IPSec peers by configuring access lists and applying these access lists to interfaces by way of crypto map sets. Therefore, traffic may be selected based on source and destination address, and optionally Layer 4 protocol and port.

Uses two security services:
AH for authentication – no encryption, only authentication.
ESP for payload encryption – encrypts the payload or the entire packet. ESP can also provide authentication.
ESP = OUT <-> Encrypt / Authentication <-> IN

IPSec has two modes:
Transport Mode – end stations provide security, so they must run IPSec. The IP payload is encrypted.
Tunnel Mode – the network provides security, IPSec runs on routers. The entire packet is encrypted.

Security Associations (SA) define what, who and how to protect the data. An SA is unidirectional, so 4 SAs are needed for one connection. The Security Policy Database (SPD) contains all the SAs. Define the traffic to be secured with ACLs.

IPSec uses IKE for security. IKE provides authentication, creates the IPSec key, and negotiates the SA. The hash algorithm has two options: SHA-1 and MD5. The authentication method has three options: RSA signatures, RSA encrypted nonces, and pre-shared keys (pre-share, RSA-Sig, RSA-Encr). RSA-Sig needs a certificate authority.

IKE uses UDP port 500
IPSec AH = IP protocol 51
IPSec ESP = IP protocol 50
IPSec is layer 3
If you are using SSL, then you may be concerned with TCP/UDP ports 448.

IPSec works with the following serial encapsulations: High-Level Data-Link Control (HDLC), Point-to-Point Protocol (PPP), and Frame Relay. IPSec also works with the GRE and IP-in-IP Layer 3, L2F, L2TP, DLSw+, and SRB tunneling protocols; however, multipoint tunnels are not supported. Other Layer 3 tunneling protocols may not be supported for use with IPSec.

Ø Encryptions

Diffie-Hellman
A public-key cryptography protocol which allows two parties to establish a shared secret over an insecure communications channel. Diffie-Hellman is used within IKE to establish session keys. 768-bit and 1024-bit Diffie-Hellman groups are supported.

DES
The Data Encryption Standard (DES) is used to encrypt packet data. Cisco IOS implements the mandatory 56-bit DES-CBC with Explicit IV. Cipher Block Chaining (CBC) requires an initialization vector (IV) to start encryption. The IV is explicitly given in the IPSec packet. For backwards compatibility, Cisco IOS IPSec also implements the RFC 1829 version of ESP DES-CBC.

MD5 (HMAC variant)
Message Digest 5 is a hash algorithm. HMAC is a keyed hash variant used to authenticate data.

SHA (HMAC variant)
Secure Hash Algorithm is a hash algorithm. HMAC is a keyed hash variant used to authenticate data.

RSA Signatures and RSA encrypted nonces
RSA is the public key cryptographic system developed by Ron Rivest, Adi Shamir, and Leonard Adleman. RSA signatures provide non-repudiation while RSA encrypted nonces provide repudiation.

X.509v3 certificates
Used with the IKE protocol when authentication requires public keys. This certificate support allows the protected network to scale by providing the equivalent of a digital ID card to each device. When two devices wish to communicate, they exchange digital certificates to prove their identity (thus removing the need to manually exchange public keys with each peer or to manually specify a shared key at each peer).

Ø Define the Transform Set

AH transform    ESP encryption    ESP authentication
ah-md5-hmac     esp-des           esp-md5-hmac
ah-sha-hmac     esp-3des          esp-sha-hmac
ah-rfc1828      esp-rfc1829       esp-null

crypto ipsec transform-set <transform-set-name> <transform1> [transform2]

23.4.1. Configuring IPSec

Ø Define Interesting Traffic

Ensure IPSec is not being blocked along the path: UDP port 500, IP protocols 50 and 51.

access-list 111 permit udp host 201.1.1.1 host 202.2.2.1 eq 500
access-list 111 permit esp host 201.1.1.1 host 202.2.2.1
access-list 111 permit ahp host 201.1.1.1 host 202.2.2.1
access-list 111 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255

Define crypto ACL – what traffic do you want to encrypt?

access-list 120 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 121 permit ip 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255

One ACL per SA.

Ø Phase I Setup – IKE SA

Configure IKE Policy – Authentication method (CA, RSA)

crypto isakmp policy 1
 hash md5                     Default hash is sha, which is more secure
 authentication pre-share

If peers can accept the following policy, then use it.

crypto isakmp policy 2
 authentication pre-share     Other options are rsa-encr and rsa-sig (default); these are for RSA encryption and signature with a CA
 group 2                      Defines the modulus for Diffie-Hellman: group 1 = 768 bits (default), group 2 = 1024 bits
 lifetime 360                 Lifetime is in seconds (default is one day – 86400)

Configure IKE Key – defines the pre-shared authentication key of the peers

crypto isakmp key itsnotverysecret address 201.1.1.1

Ø Phase II Setup – IPSec SA

Define Transform Set – hashing, encryption, mode

crypto ipsec transform-set mydessha esp-des esp-sha-hmac
crypto ipsec transform-set myothermd5 esp-des esp-md5-hmac

The default mode is tunnel; add "mode transport" under the transform set for transport mode.

Define Crypto Map – match peers to SAs and ACLs. Use the simple map for sha to one peer and md5 for another peer.

crypto map SimpleMap 10 ipsec-isakmp
 set peer 201.1.1.1
 set transform-set mydessha
 match address 120
crypto map ComplexMap 20 ipsec-isakmp
 set peer 204.4.4.1
 set transform-set myothermd5
 match address 121

Ø Data Transfer

Apply Crypto to Interface

interface serial 0
 crypto map SimpleMap
interface serial 1
 crypto map ComplexMap

Ø IPSec Terminates
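The crypto ACL is what selects traffic for an SA, and the usual mistake in a lab is that the two peers' crypto ACLs are not mirror images of each other. The following Python is an added study example, not IOS code or anything from the book: it parses the IOS-style extended ACL forms used in this section (any, host, address plus wildcard), decides whether a packet is interesting traffic, and reports local entries whose mirror is missing on the peer; the ACL lines are those from the steps above, with one constructed mistake on the peer side.

```python
"""Parse IOS-style extended ACL entries, classify a packet against a crypto
ACL and check that two peers' crypto ACLs mirror each other. Added study
example, not IOS code; it handles only the forms used in these notes:
access-list N permit|deny <proto> <src> <dst> [eq <port>], with addresses
written as 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address

KNOWN_PROTOS = {"ip", "gre", "esp", "ahp", "udp", "tcp"}


@dataclass(frozen=True)
class Match:
    addr: int        # address as an integer
    wildcard: int    # IOS wildcard mask: 1 bits are "don't care"

    def covers(self, ip: str) -> bool:
        return (int(IPv4Address(ip)) | self.wildcard) == (self.addr | self.wildcard)


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: Match
    dst: Match
    port: int | None = None   # 'eq <port>' on the destination, if present

    def mirror(self) -> Ace:
        """The entry the peer needs: source and destination swapped. (A port
        would have to move sides too; the crypto ACLs here carry none.)"""
        return Ace(self.action, self.proto, self.dst, self.src, self.port)


def _parse_addr(t: list[str], i: int) -> tuple[Match, int]:
    if t[i] == "any":
        return Match(0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return Match(int(IPv4Address(t[i + 1])), 0), i + 2
    return Match(int(IPv4Address(t[i])), int(IPv4Address(t[i + 1]))), i + 2


def parse_ace(line: str) -> tuple[int, Ace]:
    """'access-list 120 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255'
    -> (120, Ace(...)); ValueError on anything this parser does not know."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[3] not in KNOWN_PROTOS:
        raise ValueError(f"unsupported entry: {line!r}")
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return int(t[1]), Ace(t[2], t[3], src, dst, port)


def parse_acl(text: str) -> dict[int, list[Ace]]:
    acls: dict[int, list[Ace]] = {}
    for line in text.splitlines():
        if line.strip():
            num, ace = parse_ace(line.strip())
            acls.setdefault(num, []).append(ace)
    return acls


def is_interesting(acl: list[Ace], src: str, dst: str, proto: str = "ip") -> bool:
    """First match wins, implicit deny at the end: True means the packet is
    selected for the SA and would be encrypted."""
    for ace in acl:
        if ace.proto in ("ip", proto) and ace.src.covers(src) and ace.dst.covers(dst):
            return ace.action == "permit"
    return False


def mirror_problems(local: list[Ace], peer: list[Ace]) -> list[Ace]:
    """Local crypto ACL entries whose mirror image is missing on the peer."""
    return [ace for ace in local if ace.mirror() not in peer]


# Constructed sample built from the crypto ACL lines in this section.
LOCAL_ACL = """
access-list 120 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 121 permit ip 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255
"""
# The peer mirrors ACL 120 correctly but mistypes the wildcard in ACL 121.
PEER_ACL = """
access-list 120 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 121 permit ip 172.16.3.0 0.0.0.255 172.16.4.0 0.0.255.255
"""


def demo() -> dict:
    local, peer = parse_acl(LOCAL_ACL), parse_acl(PEER_ACL)
    return {
        "lan_to_lan": is_interesting(local[120], "172.16.2.7", "172.16.1.9"),
        "to_outside": is_interesting(local[120], "172.16.2.7", "198.51.100.5"),
        "bad_mirrors_120": len(mirror_problems(local[120], peer[120])),
        "bad_mirrors_121": len(mirror_problems(local[121], peer[121])),
    }
```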

23.4.2. Quick Notes

Ø Traffic
Permit ACL (500, 50, 51)
Define ACL: access-list 120 permit ip any any

Ø Phase I (ISA)
ISA Policy
crypto isakmp policy 1
 hash md5
 auth pre-share
 lifetime 360
ISA Key
crypto isakmp key mykey address <peer-address>

Ø Phase II (IPSec)
IPSec Transform
crypto ipsec transform-set JK esp-des esp-md5-hmac
Map
crypto map jkmap 10 ipsec-isakmp
 set peer 10.1.1.10
 set transform-set JK
 match address 120

Ø Transfer
Apply Map
int s0
 crypto map jkmap

23.4.3. Basic IPSec over Tunnel (Works)

R3
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key mykey address 5.5.5.5
!
crypto ipsec transform-set r3 esp-des esp-sha-hmac
!
crypto map gre local-address Loopback0
!
crypto map gre 10 ipsec-isakmp
 set peer 5.5.5.5
 set transform-set r3
 match address 101
interface Loopback0
 ip address 3.3.3.3 255.255.255.0
 no ip directed-broadcast
interface Tunnel1
 ip address 10.10.10.3 255.255.255.0
 no ip directed-broadcast
 tunnel source 1.1.1.3
 tunnel destination 1.1.1.5
 tunnel mode ipip
 crypto map gre
interface Serial0/1
 ip address 1.1.1.3 255.255.255.0
 no ip directed-broadcast
 encapsulation ppp
 clockrate 2000000
 crypto map gre
router rip
 network 10.0.0.0
ip route 0.0.0.0 0.0.0.0 1.1.1.5
access-list 106 permit gre host 10.254.253.2 host 10.254.254.1
access-list 106 permit gre host 10.254.254.1 host 10.254.253.2

R5
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key mykey address 3.3.3.3
crypto ipsec transform-set r5 esp-des esp-sha-hmac
crypto map gre local-address Loopback0
crypto map gre 10 ipsec-isakmp
 set peer 3.3.3.3
 set transform-set r5
 match address 101
interface Loopback0
 ip address 5.5.5.5 255.255.255.0
 no ip directed-broadcast
interface Loopback2
 ip address 20.20.20.1 255.255.255.0
 no ip directed-broadcast
interface Tunnel1
 ip address 10.10.10.5 255.255.255.0
 no ip directed-broadcast
 tunnel source 1.1.1.5
 tunnel destination 1.1.1.3
 tunnel mode ipip
 crypto map gre
interface Serial0/1
 ip address 1.1.1.5 255.255.255.0
 no ip directed-broadcast
 encapsulation ppp
 crypto map gre
router rip
 passive-interface Serial0/1
 passive-interface Tunnel1
 network 10.0.0.0
 network 20.0.0.0
 neighbor 10.10.10.3
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.1.3
access-list 106 permit gre host 10.254.253.1 host 10.254.254.2
access-list 106 permit gre host 10.254.254.2 host 10.254.253.1

23.4.4. GRE Tunnel

Makes IPSec more stable: configure two GRE tunnels (primary and backup) and let a routing protocol provide the failover rather than IPSec / IKE SA keepalives.

crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco123 address 172.18.45.1
crypto ipsec transform-set one esp-des esp-md5-hmac
 mode transport
crypto map gre 10 ipsec-isakmp
 set peer 172.18.45.1
 set transform-set one
 match address gre1
interface Tunnel0
 ip address 10.4.1.1 255.255.255.0
 tunnel source 172.18.31.1
 tunnel destination 172.18.45.1
 crypto map gre
interface Ethernet0
 ip address 10.2.1.1 255.255.255.0
interface Serial0
 ip address 172.18.31.1 255.255.255.0
 crypto map gre
ip route 172.18.0.0 255.255.0.0 serial0
router eigrp 100
 network 10.0.0.0
ip access-list extended gre1
 permit gre host 172.18.31.1 host 172.18.45.1

23.4.5. IP and IPX over Frame-Relay

For those of you that are interested, the following final configs encrypt both IP and IPX through a GRE tunnel which spans a frame-relay WAN.

Router1:
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key tunnel address 10.1.1.4 255.0.0.0
crypto ipsec transform-set cisco esp-des esp-md5-hmac
crypto map crypmap 15 ipsec-isakmp
 set peer 10.1.1.4
 set transform-set cisco
 match address 100
interface Tunnel4
 no ip address
 ipx network 1441
 tunnel source Serial0
 tunnel destination 10.1.1.4
 crypto map crypmap
interface Ethernet0
 mac-address 0001.0001.0001
 ip address 1.1.1.1 255.0.0.0
 no ip mroute-cache
 no keepalive
 ipx network 11
interface Serial0
 ip address 10.1.1.1 255.0.0.0
 encapsulation frame-relay
 no ip mroute-cache
 frame-relay lmi-type ansi
 crypto map crypmap
ip route 4.4.4.4 255.255.255.255 10.1.1.4
access-list 100 permit ip host 10.1.1.1 host 10.1.1.4

Router2:
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key tunnel address 10.1.1.1 255.0.0.0
crypto ipsec transform-set cisco esp-des esp-md5-hmac
crypto map crypmap 15 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set cisco
 match address 100
interface Tunnel1
 no ip address
 ipx network 1441
 tunnel source Serial0
 tunnel destination 10.1.1.1
 crypto map crypmap
interface Ethernet0
 mac-address 0004.0004.0004
 ip address 4.4.4.4 255.0.0.0
 no ip mroute-cache
 no keepalive
 ipx network 44
 no cdp enable
interface Serial0
 ip address 10.1.1.4 255.0.0.0
 encapsulation frame-relay
 no ip mroute-cache
 no fair-queue
 frame-relay lmi-type ansi
 crypto map crypmap
ip route 1.1.1.1 255.255.255.255 10.1.1.1
access-list 100 permit ip host 10.1.1.4 host 10.1.1.1

23.4.6. Troubleshooting IKE and IPSec

show crypto isakmp policy
show crypto isakmp sa
show crypto map [interface interface | tag map-name]
show crypto dynamic-map
show crypto ipsec transform-set
show crypto ipsec sa [map map-name | address | identity] [detail]
show crypto ipsec security-association lifetime
debug crypto ipsec                        Displays the IPSec negotiations of phase 2
debug crypto isakmp                       Displays the ISAKMP negotiations of phase 1
debug crypto engine                       Displays the traffic that is encrypted
show crypto engine connections active     Shows each SA, with counters for each packet that is encrypted or decrypted; very easy to read.

Make sure that on the Dial Access Routers you have:
no logging console
service timestamps debug datetime msec
service timestamps log datetime msec
modem call-record terse

Conditional Debugging allows debug to be turned on and off based on username, calling number / called number, or interface:
debug condition {username <username> | called <dial-string> | caller <dial-string>}
debug condition interface <interface>

Debugs affected by condition:
debug aaa {accounting | authorization | authentication}
debug dialer {events | packets}
debug isdn {q921 | q931}
debug modem {oob | trace}
debug ppp {all | authentication | chap | error | negotiation | multilink | packet}

Displaying active user information:
show caller username jeff

24. Voice

Read - Integrating Voice and Data Networks

You can use the undocumented command csim start <number> to have a VoIP connection dial.

24.1. VOIP

Voice uses UDP ports; VoIP call control uses TCP ports.
TCP 1720 is H.225
UDP 16383-32767 is RTP voice packets (RFC 1889)

The UDP port for VoIP is 16384 to 16384+4N, where N is the number of voice calls that the router can support. The full range of UDP ports is 16384 to 32768.

TCP 11000-11999 is H.245

VoIP Call Control Protocols
H.323 = TCP 1719-1720, 11000-11999
Skinny = TCP 2000-2200
ICCP = TCP 8001-8002
CTI (TAPI/JTAPI) = TCP 2748
MGCP = UDP 2427, TCP 2428
SIP – RFC 2543

Codecs convert analog voice signals to digital and work the same way as a modem. The default codec is G.729. Voice is 64,000 bps.

FXS (Foreign Exchange Station) is used for phones.
FXO (Foreign Exchange Office) is used for PBXs.
E&M (Ear and Mouth) signaling is used for trunk interfaces for PBXs.

24.1.1. VoIP Example

r2
Locate and configure the FXS voice port:
show voice port
Set up the POTS and VoIP dial peers:
dial-peer voice 1 pots
 destination-pattern 7771234     (Local Number)
 port 1/0/0
dial-peer voice 2 voip
 destination-pattern 2221234
 session target ipv4:1.1.1.2

r7
Locate and configure the FXS voice port:
show voice port
Set up the POTS and VoIP dial peers:
dial-peer voice 1 pots
 destination-pattern 2221234     (Local Number)
 port 1/0/0
dial-peer voice 2 voip
 destination-pattern 7771234
 session target ipv4:1.1.1.1

Test your connection:
show dial-peer voice

24.1.2. Configuring Dial Peers

dial-peer voice <tag> {pots | voip | voatm | vofr}     Specifies the method of voice encapsulation.
destination-pattern <string>     The string can be a prefix, dial string, or the full telephone number. Number expansion example: num-exp 5..... 1904641 = 58161
prefix <string>     Used to specify a prefix for a dial peer.

24.1.4. General Configuration Information

Ø FXS Ports

ring frequency {25 | 50}     (For FXS ports only) Select the appropriate ring frequency (in Hertz) specific to the equipment attached to this voice port.
signal {loop-start | ground-start}     Select the appropriate signal type for this interface.
cptone <country>     Select the appropriate voice call progress tone for this interface.

Ø Optional

num-exp <extension> <expanded-number>     Used to specify an extension. Wildcards may be used to extend a 4-digit number to a full telephone number, such as: num-exp 5..... 1904641 = 58161
connection plar <string>     (Optional) Specify the private line auto ringdown (PLAR) connection, if this voice port is used for a PLAR connection. The string value specifies the destination telephone number.
music-threshold <number>     (Optional) Specify the threshold (in decibels) for on-hold music. Valid entries are from –70 to –30.
description <string>     (Optional) Attach descriptive text about this voice port connection.
comfort-noise     (Optional) Specify that background noise will be generated.
forward-digits {num-digit | all | extra}     Used to specify which digits to forward for voice calls; used on POTS dial peers only.

Note: In the destination-pattern, each '.' matches a single digit.

Ø Adjusting Voice Quality

input gain <value>     Gain to be inserted at the receiver side.
output attenuation <value>     Amount of loss inserted at the transmitter side.

24.1.5. Configuring VoIP

Ø JK Quick Method (DP/DS)

On POTS: configure destination-pattern – port
On VoIP: configure destination-pattern – session target

Ø VoIP Example

RtrA
dial-peer voice 1 pots
 destination-pattern 1111
 port 1/0/0
dial-peer voice 2 voip
 destination-pattern 2222
 session target ipv4:1.1.1.2

RtrB
dial-peer voice 1 pots
 destination-pattern 2222
 port 1/0/0
dial-peer voice 2 voip
 destination-pattern 1111
 session target ipv4:1.1.1.1

24.1.6. More Configuration Commands

Ø Voice Port Subcommands

cptone <country>     Sets the call progress tone; this is for all tone settings. Default is cptone us.
description <string>     Allows you to include a description for the voice port.
shutdown     Used to activate / deactivate the port; this is needed to allow changes to take effect.
signal {loop-start | ground-start}     Used to specify the type of signaling for the specific voice port. Loop-start is the default and allows only one side to hang up. Ground-start allows both sides of the connection to place a call and to hang up.
ring number <number>     Used to specify the maximum number of rings to be detected before answering a call over an FXO voice port. Default is 1, values are 1 to 10.
dial-type {pulse | dtmf}     Used to set the dial type for out-dialing to pulse or tone on the FXO ports only.

Most of these commands will affect both ports.

Ø Voice Activity Detection (VAD)

Ø Timeouts Values Pg 552-565, Integrating Voice and Data Networks

Ø Timing Values

Ø Compression

Configured by dial-peer on the 3600:
g711alaw     G711 A-law 64kbps
g711ulaw     G711 u-law 64kbps
g729r8       G729 8kbps (default)
Dial peers must match.

Ø Direct Inward Dial (POTS peers)

To enable the Direct Inward Dial (DID) call treatment for the incoming called number, use the direct-inward-dial dial peer configuration command. Use the no form of this command to disable this feature.

direct-inward-dial
no direct-inward-dial

Ø Number Expansion

You will complete the following objectives: Configure the number expansion feature on routers 3640-A and 3640. Test your configuration. Change the configuration to create an echo.

RouterA
num-exp 5678 6555678
show num-exp     To display expansions

RouterB
num-exp
voice-port 3/0/0
 input gain 12     Changes the volume for the call

Ø Preference

Use the preference command to indicate the default dial peer to use for a connection if two IP addresses are listed for the same number. Default is 0 and the lowest is always preferred.

dial-peer voice 1 voip
 destination-pattern 3002
 session target ipv4:10.1.1.2
 preference 0     (won't show in the config as it is the default)
!
dial-peer voice 2 voip
 destination-pattern 3002
 session target ipv4:11.1.1.2
 preference 1

Ø RSVP

int s0
 ip rsvp bandwidth 100 32
 fair-queue
dial-peer voice 12 voip
 req-qos controlled-load

Max bandwidth 100 kbps, max per request 32 kbps. Use for slow links, highly utilized links, or links with less than 2 Mb where you need the best voice quality.

Ø RTP Header Compression

int s0
 ip rtp header-compression
 ip rtp compression-connections 16

Saves bandwidth on slow links; use on links slower than 2 Mb.

Ø Interpreting Call Progress Tones

Dial tone     The device is ready to receive digits.
Busy     The call could not be completed because the remote phone at the other end was off hook. (This is the "regular busy signal.")
Fast-busy     The call could not be completed because there is an error in the path or a path to the remote side could not be found. The presence of this tone could indicate that all trunks are busy or that there is a routing problem.
Ringback     The ringback signal indicates the remote end is ringing.
Reorder     The reorder signal indicates that the call cannot be placed, possibly because of incorrect digits or an unavailable circuit.

24.2. QOS

Integrating Voice and Data Networks, Chapter 15 - pg 487: Practice QOS techniques. Use CB-WFQ with IP RTP Priority or LLQ to prioritize VoIP packets.

CONGESTION AVOIDANCE

RED or WRED

RED or WRED should be run on your core routers. WRED drops packets with a precedence of 5 or less. Set VoIP packets with an IP precedence of 5.

Enabling WRED:

int s0
 random-detect
 random-detect exponential-weighting-constant 10

sh queueing random-detect

Tuning WRED:

random-detect precedence 5 100 101 65526
random-detect precedence rsvp 100 101 65526

RED Info – rfc2309, www.aciri.org/floyd/red.html

CONGESTION MANAGEMENT

FIFO Queuing (no fair-queue)

On E1's or lower, disabling fair-queue enables FIFO.

Priority Queueing

Used on E1's or lower. Used when you have multiple high priority types of traffic, such as SNA and VoIP. Four types of traffic (high, medium, normal, and low). If you have multiple VCs and want to apply separate priority groups to each VC, assign the priority queue to a map class, then apply the map class to the VC.

Example:
map-class frame-relay VOIP-FIRST
 frame-relay priority-group 1
int s0
 frame-relay interface-dlci 103
  class VOIP-FIRST

You can also send VoIP to one DLCI and all the other traffic to another DLCI.

Example:
int s0
 ip add 1.1.1.1 255.255.255.0
 frame-relay interface-dlci 102
 frame-relay interface-dlci 112
 frame-relay map ip 1.1.1.2 102 broadcast
 frame-relay priority-dlci-group 102 112 112 112

Although this looks like priority queuing, it really just redirects the high queue to DLCI 102 and the other queues to DLCI 112. Traffic is not really being prioritized, only redirected.

Custom Queueing

Used on E1's or lower. Do not use on VoIP traffic: the jitter created by the queuing process will interrupt the traffic and cause too large a delay.

You can also use custom queuing on vc’s like priority queuing.

WFQ

If you use WFQ with VoIP then you must also configure IP RTP Priority to ensure adequate performance for VoIP packets.

IP RTP Priority

The best for E1's and lower. Also known as Priority-Queuing Weighted-Fair-Queuing (PQ-WFQ). Implemented as ip rtp reserve in early IOS versions. As of 12.0(5)T it uses:

ip rtp priority 16384 100 120

16384 is the first UDP port number.
100 is the number of UDP ports to prioritize.
120 is the maximum amount of bandwidth in kbps allowed for the priority queue.

Only even ports receive priority. RTCP control packets and TCP call setup messages do not receive or need prioritizing. Use debug priority to monitor IP RTP Priority.

Class-Based WFQ (CB-WFQ)

Three main steps to implement CB-WFQ:

1 - Sort traffic into classes

Create class maps:
class-map VOICE
 match access-group 101
class-map WebSurfers
 match access-group 102
class-map ServerBackups
 match access-group 103

2 - Apply policies to classes

Assign 128 kbps for VoIP, 64 kbps for off-net, 256 kbps for backups.

The following policy options are configurable for each class:
Minimum bandwidth during periods of congestion
FIFO queue depth for the defined class
Tail-drop or WRED behavior during congestion
Congestion thresholds and drop probabilities for WRED classes
Priority treatment for the class as a whole, which is called LLQ
FIFO or WFQ behavior for the default class
Number of WFQ conversations for the default class

Basic Class Policy
policy-map RemoteOffices
 class ServerBackups
  bandwidth 256
  queue-limit 64     (FIFO queue with the default depth of 64 packets)

WRED Class Policy
policy-map RemoteOffices
 class WebSurfers
  bandwidth 256
  random-detect
  random-detect exponential-weighting-constant 10
  random-detect precedence 0 20 40 10

Priority Class Policy
Also known as PQ-CBWFQ or LLQ queuing
policy-map RemoteOffices
 class VOICE
  priority 256     (VoIP should be priority)
  queue-limit 32

Default Class Policy
policy-map RemoteOffices
 class class-default     (The default class must be called class-default)
  fair-queue 512
  queue-limit 64

3 - Assign a service policy to an interface

Create three loopbacks and use each loopback address for each class ACL. Point the dial peers to different loopbacks based on call type.

Applying service policy:
int s0
 service-policy output RemoteOffices
show policy-map RemoteOffices
show policy-map interface serial 0

IP PRECEDENCE

Used mostly for high bandwidth and WRED networks. The goal is to minimize or eliminate WRED dropping VoIP packets. IP Precedence is the three high-order bits in the TOS field of the IP header.

IP Precedence   Priority
0               Routine
1               Priority
2               Immediate
3               Flash
4               Flash-override
5               Critical
6               Internet
7               Network

IP precedence values 6 and 7 are assigned to routing protocols, control messages, and essential network traffic. For user data, including VoIP, 5 is the highest that can be assigned. The default for all data is 0.

There are three ways to set the IP precedence value:

Route maps
route-map SetPrecedence permit 10
 match ip address 101
 set ip precedence critical
int s0
 ip policy route-map SetPrecedence
 ip route-cache policy

Dial peers
dial-peer voice 1 voip
 ip precedence 5

RSVP
int s0
 ip rsvp precedence conform 5
 ip rsvp precedence exceed 0

Be careful when using this technique: VoIP traffic could get changed to 0 and then dropped, even if the dial-peer precedence is set.
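The IP RTP Priority rule earlier in this section (first UDP port, port range, even ports only) and the precedence bits described here can both be checked on a packet in a few lines. The following Python is an added study example, not IOS code or anything from the book: it parses the "ip rtp priority 16384 100 120" line quoted above, decides which UDP flows land in the priority queue, and reads and rewrites the three precedence bits of the TOS byte, refusing 6 and 7 for user data as the text states; the sample packets are constructed, and the 24 kbps per-call figure is the G.729-plus-overhead number from the RSVP discussion.

```python
"""Classify constructed VoIP packets the way the notes describe:
'ip rtp priority <first-port> <range> <kbps>' selects even UDP ports in
the range; IP precedence is the top three bits of the TOS byte, and user
data (including VoIP) may use at most precedence 5. Added study example,
not IOS code."""
from dataclasses import dataclass

# Names as listed in the IP Precedence table of the notes.
PRECEDENCE_NAMES = ["routine", "priority", "immediate", "flash",
                    "flash-override", "critical", "internet", "network"]
RTP_PORT_RANGE = range(16384, 32768)   # UDP ports used for RTP voice packets


@dataclass(frozen=True)
class Packet:
    proto: str      # "udp" or "tcp"
    dst_port: int
    tos: int        # the 8-bit TOS byte from the IP header


@dataclass(frozen=True)
class RtpPriority:
    first_port: int
    port_range: int
    max_kbps: int

    @classmethod
    def parse(cls, line: str) -> "RtpPriority":
        """Parse e.g. 'ip rtp priority 16384 100 120'."""
        t = line.split()
        if t[:3] != ["ip", "rtp", "priority"] or len(t) != 6:
            raise ValueError(f"not an ip rtp priority command: {line!r}")
        return cls(int(t[3]), int(t[4]), int(t[5]))

    def selects(self, pkt: Packet) -> bool:
        """Only UDP, only even ports (RTP), only inside first..first+range.
        RTCP on odd ports and TCP call setup are left to the other queues."""
        if pkt.proto != "udp" or pkt.dst_port % 2:
            return False
        return self.first_port <= pkt.dst_port <= self.first_port + self.port_range

    def max_calls(self, per_call_kbps: int) -> int:
        """How many calls of the given size fit under the priority bandw

idth."""
        return self.max_kbps // per_call_kbps


def precedence(tos: int) -> int:
    """IP precedence = the three high-order bits of the TOS byte."""
    return (tos >> 5) & 0x7


def set_precedence(tos: int, value: int) -> int:
    """Return the TOS byte with precedence replaced, keeping the low 5 bits.
    6 and 7 are reserved for routing/control traffic, so refuse them."""
    if not 0 <= value <= 5:
        raise ValueError("user data, including VoIP, may use at most precedence 5")
    return (tos & 0x1F) | (value << 5)


def classify(policy: RtpPriority, pkt: Packet) -> dict:
    return {
        "priority_queue": policy.selects(pkt),
        "precedence": PRECEDENCE_NAMES[precedence(pkt.tos)],
        "in_rtp_range": pkt.dst_port in RTP_PORT_RANGE,
    }


# Constructed sample flows; the command line is the one quoted in the notes.
POLICY = RtpPriority.parse("ip rtp priority 16384 100 120")
SAMPLE = {
    "rtp_voice": Packet("udp", 16400, set_precedence(0, 5)),     # even, in range, critical
    "rtcp_control": Packet("udp", 16401, set_precedence(0, 5)),  # odd port: no priority
    "h225_setup": Packet("tcp", 1720, 0),                        # TCP call setup
    "rtp_out_of_range": Packet("udp", 16500, 0xA0),              # beyond first+range
}


def demo() -> dict:
    results = {name: classify(POLICY, pkt) for name, pkt in SAMPLE.items()}
    # G.729 at 8 kbps plus 16 kbps of IP overhead = 24 kbps per call (RSVP section).
    results["calls_in_priority_queue"] = POLICY.max_calls(24)
    return results
```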

RSVP

This is only needed if your network has other vendors' equipment on it, or some VoIP traffic does not originate on a network that you can manage.

Example:

dial-peer voice 108 voip
 destination-pattern +14085551234
 req-qos controlled-load
 session target ipv4:10.0.0.8

In this example, every time a connection is made through VoIP dial peer 108, an RSVP reservation request is made between the local router, all intermediate routers in the path, and the final destination router.

int s0
 ip rsvp bandwidth 240 24

This allocates up to 24 kbps per flow, and up to 240 kbps for all flows. A G.729 VoIP call uses 8 kbps, plus 16 kbps for IP overhead (only 3 kbps is needed if header compression is used). Therefore, this configuration supports 10 calls.

RSVP does not consider header compression when calculating bandwidth needs. If you configure the per-flow or total kbps assuming header compression, it will not work.

Use the neighbor command to specify which hosts are allowed to make RSVP reservations. NetMeeting clients, IP phones, or H.323 terminals could make reservations if you do not restrict it to voice routers only. Example:

int s0
 ip rsvp neighbor 199
access-list 199 permit ip 172.10.10.1 0.0.0.0 any

You can also limit by UDP ports, using the 16384 – 32768 VoIP ports.

(Lab: Limit the rsvp hosts that can initiate a reservation by using an extended ACL.)

Monitoring RSVP:

sh ip rsvp ?

LINK FRAGMENTATION / INTERLEAVING (LFI)

Used to reduce the serialization delay associated with large packets in mid-transmission. This functions at layer two, so each layer two technology has its own way to implement LFI.

Frame-Relay

Three methods for frame-relay:
Cisco Proprietary     Used with VoFR on 3810's
FRF.11 Annex C     Used with VoFR
FRF.12 end-to-end     Used on PVCs with VoIP traffic, or interfaces that have subinterfaces with data and VoIP traffic. Not supported on 2500 routers.

FRF.12 Example:
int serial 0.0
 frame-relay traffic-shaping
 frame-relay interface-dlci 102
  class TrafficShape
map-class frame-relay TrafficShape
 frame-relay fragment 320     FRF.12 fragments must be larger than VoIP packets.
 frame-relay fair-queue 64 256 0

TRAFFIC SHAPING AND POLICING

Traffic shaping places the traffic into queues for manageability. Traffic policing discards traffic that is in excess, causing retransmissions, and should not be used with VoIP. CAR is a type of traffic policing. If any part of the VC is being used for voice or real-time traffic, then you must not exceed the CIR for the VC. If you want to allow data traffic to burst above the CIR, then you must put the data traffic in a separate VC.

Frame-Relay Traffic Shaping When the CIR is equal to the port speed, you do not have to configure FRTS, except for VoFR.

Three steps to configure FRTS:


1 - Create a frame-relay map class and define the traffic-shaping parameters.

map-class frame-relay TrafficShape
 frame-relay fair-queue
 no frame-relay adaptive-shaping
 frame-relay mincir out 128000
 frame-relay cir out 128000
 frame-relay be out 0
 frame-relay bc out 1280
 frame-relay fragment 160

2 - Assign the map class to a VC, interface or subinterface.

int s0.1 point-to-point
 frame-relay interface-dlci 102
  class TrafficShape

3 - Enable FRTS on the physical interface that contains the VC.

int s0
 frame-relay traffic-shaping

Rules for FRTS for VoIP:
1 - Set mincir and cir to the contracted CIR. If fragmentation is used, set mincir and cir a little lower than the actual CIR.
2 - Disable adaptive shaping.
3 - Set Be to zero.
4 - Set Bc to one percent of CIR. Since Bc = CIR x Tc, this gives a 10 ms Tc (128000 x 0.01 = 1280 bits).
5 - Enable fragmentation and interleaving, and set the fragment size to Bc. Remember that Bc is set in bits and the fragment parameter in bytes, so a Bc of 1280 bits becomes frame-relay fragment 160.
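The FRTS rules above, the "fragment larger than a voice packet" rule for FRF.12 and the RSVP call count at the start of this section, worked through in Python as an added example (not from the original notes). The packet sizes assume 20 ms packetisation (a 20-byte G.729 payload, a 160-byte G.711 payload), a 40-byte IP/UDP/RTP header, a 4-byte header after cRTP and 6 bytes of Frame Relay framing per frame; these figures and the 10 ms serialization target per fragment are assumptions used for illustration.

```python
"""Worked sizing for VoIP over Frame Relay: RSVP call count, the FRTS-for-VoIP
rules, and the FRF.12 'fragment larger than a voice packet' check.
Added example; the constants below are assumptions for illustration."""

# Codec payload in bytes per packet at 20 ms packetisation (50 packets/s).
PAYLOAD_BYTES = {"g729": 20, "g711": 160}
IP_UDP_RTP_BYTES = 40          # uncompressed IP + UDP + RTP header
CRTP_BYTES = 4                 # assumption: compressed RTP header, worst case
FR_OVERHEAD_BYTES = 6          # assumption: Frame Relay/FRF.12 framing per frame
PACKETS_PER_SEC = 50
TARGET_SERIALIZATION_MS = 10   # assumption: usual design target per fragment


def voice_packet_bytes(codec, crtp=False):
    """Layer 3 size of one voice packet."""
    return PAYLOAD_BYTES[codec] + (CRTP_BYTES if crtp else IP_UDP_RTP_BYTES)


def voice_kbps(codec, crtp=False):
    """Layer 3 bandwidth of one call; G.729 gives the 24 kbps the notes use."""
    return voice_packet_bytes(codec, crtp) * 8 * PACKETS_PER_SEC / 1000


def rsvp_call_count(total_kbps, per_flow_kbps):
    """Calls that fit under 'ip rsvp bandwidth <total> <per-flow>'."""
    return total_kbps // per_flow_kbps


def frts_voice_params(cir_bps, tc_ms=10):
    """Apply the rules: mincir = cir, Be = 0, Bc = CIR x Tc (1% of CIR at
    Tc = 10 ms), fragment = Bc converted from bits to bytes."""
    bc_bits = cir_bps * tc_ms // 1000
    return {"mincir": cir_bps, "cir": cir_bps, "be": 0,
            "bc": bc_bits, "fragment_bytes": bc_bits // 8}


def check_fragment(fragment_bytes, codec, port_bps, crtp=False):
    """FRF.12 fragments must be larger than a voice frame so voice is never
    fragmented, and one fragment should serialize within the target delay,
    which bounds how long an interleaved voice frame waits."""
    voice_frame = voice_packet_bytes(codec, crtp) + FR_OVERHEAD_BYTES
    serialization_ms = fragment_bytes * 8 * 1000 / port_bps
    return {"voice_frame_bytes": voice_frame,
            "fragment_ok": fragment_bytes > voice_frame,
            "serialization_ms": serialization_ms,
            "delay_ok": serialization_ms <= TARGET_SERIALIZATION_MS}


def map_class(name, cir_bps, tc_ms=10):
    """Render the map-class in the same form as the three-step FRTS example."""
    p = frts_voice_params(cir_bps, tc_ms)
    return "\n".join([
        f"map-class frame-relay {name}",
        " frame-relay fair-queue",
        " no frame-relay adaptive-shaping",
        f" frame-relay mincir out {p['mincir']}",
        f" frame-relay cir out {p['cir']}",
        f" frame-relay be out {p['be']}",
        f" frame-relay bc out {p['bc']}",
        f" frame-relay fragment {p['fragment_bytes']}",
    ])


if __name__ == "__main__":
    print(f"G.729 call: {voice_kbps('g729')} kbps, with cRTP: {voice_kbps('g729', crtp=True)} kbps")
    print(f"ip rsvp bandwidth 240 24 -> {rsvp_call_count(240, 24)} calls")
    print(map_class("TrafficShape", 128000))
    for codec in ("g729", "g711"):
        print(codec, check_fragment(160, codec, 128000))
```

Running it for a 128 kbps CIR reproduces the map-class above (Bc 1280 bits, fragment 160 bytes, 10 ms per fragment) and shows the failure mode the rule guards against: a 160-byte fragment is larger than a 66-byte G.729 frame but smaller than a 206-byte G.711 frame, so a G.711 link needs a larger fragment such as the 320 in the FRF.12 example, at the cost of 20 ms of serialization per fragment on a 128 kbps port.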

Generic Traffic Shaping

int s0
 traffic-shape rate 128000 1280 0 512

HEADER COMPRESSION Always use RTP header compression with VoIP. Header compression works hop by hop, so it must be enabled on both ends of the link.

TCP header compression:

int serial 0
 ip tcp header-compression
 ip tcp compression-connections 96

RTP header compression:

int serial 0/0
 ip rtp header-compression
 ip rtp compression-connections 96


TROUBLESHOOTING QUEUING Use show interface s0 to display the queuing method in use on an interface. If the output drops counter is not increasing, there is no congestion on that interface. Use show queueing to display the queuing configuration.

24.2.1. Show commands
show num-exp - Displays all the telephone number expansions configured for this router. This is the only new command here.
show interface
show voice port - Display configuration and voice interface card-specific information about a specific voice port.
show voice call - Show the call status for all voice ports on the Cisco MC3810.
show voice dsp - Show the current status of all DSP voice channels.
show dial-peer voice - Display the configuration for all VoIP and POTS dial peers configured on the router.
show call active voice - Display the contents of the active call table.
show call history - Display the call history table.
show dialplan number - Determine whether or not you have a dial plan/dial peer match.

24.2.2. Debug commands
debug vpm signal - Collect debug information only for signaling events.
debug voice all, debug voice cpx, debug voice eecm, debug voice protocol, debug voice signaling
debug voip ccapi inout - Shows how a call flows through the system.
undebug all - Stop all debugging.
debug voip ccapi error - Traces the error logs in the call control API, showing error events or unexpected behavior in system software.
debug vpm spi - Verify that the output string the router dials is correct.
debug cch323 rtp - Check RTP packet transport.
debug cch323 h225 - Check the call setup.

24.2.3. Troubleshooting and Verifying VoIP Connectivity
show call active voice - Verify connectivity during a call.
debug voip ccapi inout
debug voip
show dialplan - Use on both the local and remote routers to verify that the data is configured correctly.
show num-exp (if number expansion is configured) - Check that the partial number on the local router maps to the correct full E.164 telephone number on the remote router.

24.2.4. Voice Troubleshooting Methodology
Test the Call; Listen to the Signal. When a problem is encountered in completing a VoIP call, first listen to the audible signals produced along the path of the call. Ask the following questions:
1 - Is there a dial tone?


If there is no dial tone, check the following hardware connections: the telephone, the cables connecting to the phone, and the power to the router. (See the sidebar "Hardware Troubleshooting Tips" for details.) If there is a dial tone, go on to step 2.
2 - Can you place a call successfully? If no: check the dial plan to make sure the number you are trying to call is correctly mapped and included in the dial plan; listen to make sure the next type of signal expected is heard; check the network connections. If you can dial and hear a ringback, go on to step 3.
3 - Can the called party successfully receive the call? If no, check the connections and configuration of the remote router, including its dial plan. If yes, proceed to step 4.
4 - How is the quality of service (QoS) for the call? If the call completes but the quality is poor: check the bandwidth, echo and delay settings; try a different coder/decoder (CODEC); check the appropriate QoS. If the call completes and the quality is good, go on to step 5.
5 - Is the problem with the call intermittent? If yes, check for interface resets, look for port lockups, and check the supervisory signals (such as the disconnect signal, ACKs and answer supervision signaling). See "Signaling" for complete details. If no, no fault is found.

Common Problems
- No dial tone: you have not proceeded past the first call leg.
- Slow busy signal: the voice port of the remote router (3640-b) is shut down. Check with debug voip ccapi inout.
- Misconfigured dial peer: the originator hears a brief silence, then a fast-busy signal. (Actual cause: the dial-peer statement on 3640-a is set to 5556666 instead of 5551234.) Check with debug voip ccapi inout.
- Misconfigured session target: the call originator hears silence followed by a fast-busy signal. (Actual cause: the session target on 3640-a is set to 10.10.10.10 instead of 1.1.1.2.)


Symptom / Troubleshooting Tips / Command to Use

No Dial Tone
 Tips: Are all cables connected? Is a cable bad? Is a phone bad? Is the cable connected to the FXS port? (An FXO port does not provide dial tone.) Is the attached router configured for loopstart or groundstart? (Groundstart does not provide a dial tone.) Check the router at the phone that has no dial tone.
 Commands: show voice port <port>, where port is the voice port number (valid entries are 0 or 1); check the configuration information, including loopstart or groundstart. debug vpm signal: collect debug information about signaling events, such as detection of a ring, a call connection, or a disconnect.

Fast Busy
 Tips: Is the destination IP address reachable using ping? (A fast-busy signal means the number dialed is unreachable.) Is the dial-peer statement correct?
 Commands: ping <ip address> to confirm IP connectivity. show dial-peer voice to verify that the operational status of the dial peer is up. Make sure that both VoIP peers have been configured with the same CODEC value, if you are using CODECs.

Silence (dead air) followed by Fast Busy
 Tips: Is the destination IP address reachable?
 Commands: ping <ip address>

Phone doesn't ring (no ringback)
 Tips: Is the dial-peer statement correct? Visually check the router: do you see the green LED on the correct voice port?
 Commands: show voice port <port>, debug vpm signal, show dial-peer voice

Busy
 Tips: Are all cables connected? Is the remote phone off-hook? (In this case, wait and try again.)
 Commands: show voice port <port>, debug vpm signal, show dial-peer voice


APPENDIX A. POPULAR PORTS
For access-lists:
BGP uses TCP port 179
RIPv1 uses UDP port 520
OSPF uses IP protocol 89 and destination addresses 224.0.0.5 (all SPF routers) and 224.0.0.6 (all DRs)
EIGRP uses IP protocol 88
IGRP uses IP protocol 9
DLSw uses TCP 2065 and 2067; if prioritization is used, also TCP 1981, 1982 and 1983
ESP (IPsec) uses IP protocol 50
AH (IPsec) uses IP protocol 51
GRE uses IP protocol 47
ISAKMP uses UDP port 500
IGMP uses IP protocol 2
PIM uses IP protocol 103
ICMP uses IP protocol 1
NTP uses UDP port 123
TACACS+ uses TCP port 49 (the original TACACS used UDP 49; 65 is the separate tacacs-ds service)
DHCP (BOOTP) uses UDP ports 67 and 68
Microsoft NetBIOS uses UDP 137 (name service), UDP 138 (datagram) and TCP 139 (session)
H.323: H.225 RAS uses UDP 1719, H.225 call signaling uses TCP 1720
http://www.iana.org/assignments/port-numbers
http://www.isi.edu/in-notes/iana/assignments/protocol-numbers


APPENDIX B. REFERENCE MATERIAL