
Routing protocol comparison (RIP, IGRP, EIGRP, OSPF, BGP)

Routing Protocol Type
RIP - Distance Vector
IGRP - Distance Vector
EIGRP - Hybrid / Advanced Distance Vector
OSPF - Link State
BGP - Path Vector

Algorithm
RIP - Bellman-Ford
IGRP - Bellman-Ford
EIGRP - DUAL
OSPF - Dijkstra
BGP - Best Path Algorithm

AD Value
RIP - 120
IGRP - 100
EIGRP - Internal 90, External 170
OSPF - 110
BGP - iBGP 200, eBGP 20

L4 Transport
RIP - UDP/520
IGRP - IP/9
EIGRP - IP/88
OSPF - IP/89
BGP - TCP/179

Multicast IP
RIP - Broadcast / 224.0.0.9 (RIP v2)
IGRP - 224.0.0.10
EIGRP - 224.0.0.10
OSPF - 224.0.0.5 (DR sends update to DROther), 224.0.0.6 (DROther sends update to DR)
BGP - Unicast

Hello Timer
EIGRP - 5 or 60
OSPF - 5 or 15
BGP - 60

Hold Timer
EIGRP - 20 or 60

Hop count limitation
RIP - 15
IGRP - 255
EIGRP - 224
OSPF - No limitation

Metric
RIP - Hop count
IGRP - Bandwidth, Delay
EIGRP - Distance = 256*10^7/Bandwidth + Delay (Load, Reliability and MTU also available)
OSPF - Cost = 100/Bandwidth in Mbps
BGP - Best path selection, in order: Weight (highest), Local Preference (highest), Self Originated, AS Path, Origin, MED, External, IGP Cost, eBGP Peering, Router ID

Table Types
EIGRP - Neighbor Table, Topology Table, Routing Table
OSPF - Neighbor Table, Topology Table, Routing Table

Peering Mechanism
EIGRP - Multicast / Unicast
OSPF - Multicast / Unicast
BGP - Unicast

Neighbor or Adjacency States
EIGRP - No such states; the process steps are Hello, Hello Ack, Update, Ack
OSPF - Down (no Hello sent or received), Attempt, Init, 2-Way, Ex-start, Exchange, Loading, Full
BGP - Idle, Active, Connect, Open Sent, Open Confirm, Established

Packet Types
EIGRP - Hello, Update, Query, Reply, Acknowledge, Request
OSPF - Hello, DBD, LSR, LSU, LSAck, LSDB
BGP - Open, Update, Keepalive, Notification

Hello Fields
EIGRP - EIGRP Version No., AS No., K Values, Router ID, Local Network & Subnet Mask, Authentication Password or Hash
OSPF - Local Router ID, Local Area ID*, Local Network & Subnet Mask*, Local Interface Priority, Hello Timer* & Dead Timer*, Authentication Type & Password*, DR/BDR IP Address, Stub Flag, Neighbor Router ID, Interface MTU, OSPF Network Type

Neighborship Failure Reasons
EIGRP - AS No. mismatch, K Values mismatch, Authentication Password mismatch, Subnet / Network IP mismatch, Using a common Router ID, ACL blocking IP/88, Multicast traffic not allowed, Passive interface enabled, Interface MTU mismatch, No connectivity between R1 & R2, Using wrong IP and Subnet Mask, Interfaces shut down
OSPF - Area ID & Area Type mismatch, Hello & Hold Timer mismatch, Authentication Password mismatch, Subnet / Network IP mismatch, Using a common Router ID, ACL blocking IP/89, Multicast traffic not allowed, Passive interface enabled, Interface MTU mismatch, No connectivity between R1 & R2, Using wrong IP and Subnet Mask, Interfaces shut down

How It Works
EIGRP - 1 Router discovers neighbors, 2 Form neighbor adjacency
OSPF - 1 Router discovers neighbors, 2 Exchange all routes via LSA, 3 Build LSDB, 4 Run SPF algorithm, 5 Build Routing Table

Advantages
EIGRP - Flexibility in summarization, Backup route & fast convergence, Simple to configure, Unequal cost load balancing

Network or Link goes Down
RIP - Triggered update with hop count 16
EIGRP - Triggered update with delay
OSPF - Triggered LSA with max age 60 minutes

Split Horizon Technique
RIP - Uses
EIGRP - Uses
OSPF - Does not use

EIGRP Stub Types
Receive only
Connected (default mode)
Static
Summary (default mode)
Redistribute
Leak-map
EIGRP show, debug and configuration commands

sh ip eigrp neighbors - To check Q cu
sh ip eigrp neighbor detail - To check K values
sh ip eigrp topology
sh ip eigrp interfaces - On which interfaces EIGRP is running
sh ip protocols
debug eigrp packet - To check all EIGRP packets
debug eigrp packet terse - To check all EIGRP packets except hello
debug ip eigrp
(config-if) # ip summary-address eigrp 10 172.30.0.0 255.255.248.0 - To configure a summary route
(config-router) # passive-interface Gig0/1 - To configure a passive interface
(config-router) # passive-interface default
(config-if) # ip authentication mode eigrp 10 md5 - To configure authentication
(config-if) # ip authentication key-chain eigrp 10 Abc
(config-router) # eigrp stub - To configure EIGRP stub (see EIGRP Stub Types above)
(config-router) # eigrp stub receive-only
(config-router) # variance 2 - To configure unequal cost load balancing
(config-router) # redistribute static metric 15 1 1 1 1 - To redistribute static routes into EIGRP
(config-router) # neighbor 1.1.1.2 Gig0/1 - To manually define a neighbor
(config-router) # metric weights 0 1 0 1 1 1 - To change the metric (K values)
(config-if) # ip hello-interval eigrp 10 2 - To change the hello interval
(config-if) # ip hold-time eigrp 10 6 - To change the hold (dead) interval (the value 6 is assumed here, three times the hello interval above)
(config-router) # redistribute connected - To redistribute connected routes into EIGRP
(config-router) # eigrp router-id 1.1.1.1 - To configure the router ID
OSPF show and configuration commands

sh ip ospf int br - To check that OSPF is enabled on an interface
sh ip ospf neighbor - To check OSPF neighbors and adjacencies
sh ip route ospf - To check OSPF routes in the routing table
sh ip ospf database - To check the OSPF database or topology
sh ip ospf database router or sh ip ospf database self-originate - To check Router LSAs or Type 1 LSAs
sh ip ospf database network - To check Network LSAs or Type 2 LSAs
sh ip ospf database summary - To check Network Summary LSAs or Type 3 LSAs
sh ip ospf database asbr-summary - To check ASBR Summary LSAs or Type 4 LSAs
(config-router) # network 1.0.0.0 0.255.255.255 area 0 - To configure OSPF
(config-if) # ip ospf 100 area 0 - To configure OSPF on newer versions, or to enable OSPF on an interface
(config-router) # passive-interface Gig0/1 - To configure a passive interface
(config-router) # shutdown - To disable OSPF on R1
(config-router) # area 10 virtual-link 11.11.11.11 - To configure a virtual link

OSPF states
DOWN - No Hello sent or received by R1 & R2
ATTEMPT - R1 sent a unicast hello on an NBMA network but received no hello
INIT - R1 sent a hello to R2, or R2 received a hello from R1, which causes R2 to move into Init state
2-WAY - R2 replies with its own hello with R1's router ID in it, which causes R1 to move into 2-Way
EX-START - Master/slave election happens and the DBD sequence no. is negotiated
EXCHANGE - DBD (LSDB) packets are exchanged by R1 & R2
LOADING - LSR and LSU packets are sent if required by R1 and/or R2
FULL - Adjacency established and database synchronized

OSPF Network Types (behaviour of OSPF over different media)
Broadcast Network - like Ethernet, FDDI, Token Ring (DR/BDR) (DR sends update on multicast address 224.0.0.5 to DROther and DROther sends update on multicast address 224.0.0.6 to DR)
Non Broadcast Network - like Frame Relay, ATM (DR/BDR can be used) (OSPF update sent on unicast address
Point to Point Network - like PPP, HDLC (No DR/BDR) (Update sent on multicast address 224.0.0.5)
Point to Multipoint - like Frame Relay, MPLS, VPLS, DMVPN
Point to Multipoint Non Broadcast - like MPLS, VPLS, DMVPN

OSPF Router Types
Backbone router
Internal router
Area border router (ABR)
ASBR

Area Types
Backbone Area (Area 0)
Non-backbone Area (Non Transit Area)
Stub Area
Not So Stubby Area
Totally Stubby Area

LSA Types
Type 1 - Router LSA - Generated by DROther, advertises intra-area routes (connected routes), denoted by O
Not flooded outside of the area in which it originates
Type 2 - Network LSA - Generated by DR, advertises intra-area routes, denoted by O
Not flooded outside of the area in which it originates
Type 3 - Network Summary LSA - Generated by ABR, advertises inter-area routes, denoted by O IA
Flooded from Area 0 to non-transit areas and vice versa
Type 4 - ASBR Summary LSA - Generated by ABR, advertises inter-area routes, denoted by O IA
Type 5 - External LSA - Generated by ASBR, advertises external routes like redistributed routes or RIP routes into OSPF, denoted by E1/E2, flooded to all areas except stub areas
Type 6 - Multicast LSA
Type 7 - NSSA External LSA - Advertises external routes like redistributed routes or RIP routes, denoted by N1/N2
Type 8 - Opaque LSA
Type 9 - Opaque LSA
Type 10 - Opaque LSA
Type 11

OSPF Route Types
Intra Area routes - O
Inter Area routes - O IA
External 1 & External 2 - E1 & E2
Not So Stubby Area routes - N1 & N2
sh interface inside
2745 overrun indicates packet drop due to a burst of traffic or other reason, Rx ring is full
sh interface inside
2745 underrun indicates packet drop due to high CPU or other reason, Tx ring is full

show traffic - To check historical average packet rates and the last 1 min packet rate; this is useful to de
GigabitEthernet1/0:
received (in 25788 secs): 39580 pkts/sec 52128831 bytes/sec
1 minute input rate 144028 pkts/sec, 25190735 bytes/sec

same-security-traffic permit intra-interface - Allow connections to be established between two hosts attached

sh memory - To check current memory utilization


sh blocks - To check how much memory is allocated to different processes and the current free blocks available

show process cpu-usage sorted non-zero - To check the amount of CPU used on a per-process basis s
PC Thread 5Sec 1Min 5Min Process
0x08dc4f6c 0xc81abd38 14.4% 8.2% 8.0% S SNMP Notify Thread

To reduce CPU usage of SNMP or for logging optimization

Do not log to buffer, console and ASDM unless troubleshooting
Reduce the severity level
Send only certain messages as SNMP traps instead of using logging history, which will send all syslog me
Try to limit the number of syslog, SNMP and NetFlow servers
Avoid using debug unless you are troubleshooting a problem

show conn address 10.50.5.182 - To check Connection flags or connection state, uptime and timeout i
show conn detail - To check Connection flags or connection state, uptime and timeout information, B
show access-list | include elements - To check how many ACEs we have configured on ASA
show local-host detail connection tcp 50 - To check hosts that have more than 50 active TCP connectio
show access-list | grep 10.50.9.15 - To check all the configured access-list that contains 10.50.5.182

show service-policy ABC


show service-policy flow tcp host 10.50.5.182 host 219.8.5.16 eq 80 - To check if MPF policy is matchi

show asp drop


Frame drop:
Invalid encapsulation (invalid-encap) 10897
No valid adjacency (no-adjacency) 5594
No route to host (no-route) 1009
Reverse-path verify failed (rpf-violated) 15
Flow is denied by access rule (acl-drop) 25247101
First TCP packet not SYN (tcp-not-syn) 3688810942

capture drops type asp-drop all buffer 1000000 - Capture all frames dropped in the ASP (Accelerated
show capture asp | include 10.50.5.182
show log | include 10.50.5.182
capture drop type asp-drop acl-drop - Capture all frames with a specific drop reason

Packet Tracer - Inject a simulated packet to analyse the behaviour in respect to the associated configu
packet-tracer input inside tcp 10.50.9.15 6517 212.48.7.18 80 detailed - Show detailed internal flow a
packet-tracer input outside tcp 61.16.247.10 1234 10.50.5.85 3389

capture ABC interface inside match ip 10.50.5.182 any host 212.8.6.2 - Displays what packets are flowing b
capture XYZ interface outside match ip 10.50.5.182 any host 212.8.56.12
show capture ABC
no capture ABC - To remove capture

https://x.x.x.x/admin/capture/ABC/pcap/xyz.pcap - Copy captures off via TFTP or retrieve through HTTP

TCP Ping - Verify bi-directional TCP connectivity from an ASA to a Server by Injecting a simulated TCP S
ping tcp
Interface: inside
Target IP address: 226.54.5.8
Target IP port: 80
Specify source? [n]: y
Source IP address: 10.50.9.15
Source IP port: 27533

Look for TCP flags or connection state to isolate where communication is getting stuck
Connection establishment or build-up initiated from the inside host
PC1 sends TCP SYN to Google through the ASA - saA (awaiting SYN ACK, ACK), which means permit flow and
Google responds with SYN-ACK to the client - A (awaiting inside ACK), so the ASA here matches the conn entry, a
PC1 sends acknowledgement to Google - U (up), so the ASA here creates the full conn and updates flags to U
PC1 sends the first data packet to Google - UI (inside data seen), the ASA here applies stateful checks and updat
Google sends data in response to PC1 - UIO (inside and outside data seen), the ASA here applies stateful che
Connection termination initiated from inside
PC1 sends FIN message or packet to Google via the ASA - Uf (inside FIN seen), the ASA applies stateful checks an
Google responds with FIN ACK to PC1 - UfFR (inside FIN ack, outside FIN seen), the ASA transitions the conn to
PC1 sends final ACK to Google - UfFRr, the ASA passes this TCP ACK to the server and removes that stateful con

Connection establishment or build-up started from the outside host

Ironport sends TCP SYN message or packet to Exchange server (10.50.5.182) through the ASA - saAB
Exchange server responds with SYN-ACK to Ironport - aB
Ironport sends acknowledgement to Exchange server - UB
Ironport sends first data packet to Exchange server - UIB
Exchange server sends data in response to Ironport - UIOB
Connection termination initiated from outside
Ironport sends FIN message to Exchange server via the ASA - UBF
Exchange server responds with FIN ACK to Ironport - UBfFr
Ironport sends final ACK to Exchange server - UBfFRr
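The flag sequences above can be turned into a small triage script. The following is an added example, not part of the original notes and not Cisco code: it parses constructed `show conn` lines (the line layout used by the regular expression is an approximation of real ASA output), decodes the flag letters using the legend above (s/a/A handshake pending, U up, I/O data seen, B outside-initiated, f/F FIN seen, r/R FIN acknowledged), and lists embryonic connections that have been waiting longer than the 20-second SYN timeout, which is where a "stuck" flow usually shows up first.

```python
"""Triage of Cisco ASA 'show conn' flags (added example; not from the notes and not Cisco code).

Flag letters follow the legend in the notes: s/a/A = three-way handshake still
pending, U = up, I/O = inside/outside data seen, B = initial SYN from outside,
f/F = inside/outside FIN seen, r/R = FIN acknowledged. The line layout used by
CONN_RE is an approximation of real 'show conn' output and the sample lines are
constructed for this example.
"""
import re
from collections import Counter

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) (?P<if_a>\S+) (?P<ip_a>[\d.]+):(?P<port_a>\d+) "
    r"(?P<if_b>\S+) (?P<ip_b>[\d.]+):(?P<port_b>\d+), "
    r"idle (?P<idle>\d+:\d{2}:\d{2}), bytes (?P<bytes>\d+), flags (?P<flags>\S+)$"
)

# Constructed sample; the addresses are the ones used in the notes.
SAMPLE_CONN = """\
TCP outside 212.48.7.18:80 inside 10.50.9.15:6517, idle 0:00:03, bytes 0, flags saA
TCP outside 212.48.7.18:443 inside 10.50.9.15:6520, idle 0:01:12, bytes 0, flags saA
TCP outside 61.16.247.10:1234 inside 10.50.5.182:25, idle 0:00:02, bytes 8123, flags UIOB
TCP outside 212.8.6.2:80 inside 10.50.5.182:51000, idle 0:00:00, bytes 450, flags UfFRr
TCP outside 212.8.56.12:80 inside 10.50.5.182:51001, idle 0:00:45, bytes 0, flags A
"""

SYN_TIMEOUT = 20  # seconds the ASA waits for handshake completion (see the teardown reasons)


def idle_seconds(text):
    """Convert the H:MM:SS idle field to seconds."""
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s


def parse_conn_line(line):
    """Parse one 'show conn' line into a dict, or None if the line does not match."""
    m = CONN_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["idle_s"] = idle_seconds(rec["idle"])
    return rec


def classify(flags):
    """Return (phase, initiator, note) for a flag string."""
    initiator = "outside" if "B" in flags else "inside"
    if "U" not in flags:
        # Embryonic connection: which half of the handshake is still missing?
        if "s" in flags:
            note = "SYN forwarded, no SYN-ACK from the responder yet"
        elif "a" in flags or "A" in flags:
            note = "SYN-ACK seen, waiting for the initiator's final ACK"
        else:
            note = "embryonic, unrecognised flags"
        return "handshake", initiator, note
    if "f" in flags or "F" in flags:
        return "teardown", initiator, "FIN exchange in progress"
    seen = [side for letter, side in (("I", "inside"), ("O", "outside")) if letter in flags]
    return "established", initiator, "data seen from: " + (", ".join(seen) or "none yet")


def phase_counts(text):
    """Count connections per phase; a pile of 'handshake' entries is the first warning sign."""
    return Counter(classify(rec["flags"])[0]
                   for rec in map(parse_conn_line, text.splitlines()) if rec)


def triage(text, syn_timeout=SYN_TIMEOUT):
    """List embryonic connections idle longer than the SYN timeout, with where they stalled."""
    stuck = []
    for rec in map(parse_conn_line, text.splitlines()):
        if rec is None:
            continue
        phase, initiator, note = classify(rec["flags"])
        if phase == "handshake" and rec["idle_s"] >= syn_timeout:
            stuck.append({
                "conn": f"{rec['if_a']} {rec['ip_a']}:{rec['port_a']} "
                        f"{rec['if_b']} {rec['ip_b']}:{rec['port_b']}",
                "flags": rec["flags"], "idle_s": rec["idle_s"],
                "initiator": initiator, "note": note,
            })
    return stuck


if __name__ == "__main__":
    print(dict(phase_counts(SAMPLE_CONN)))
    for item in triage(SAMPLE_CONN):
        print(item)
```

On the sample, the two `saA` entries are inside-initiated handshakes that never got a SYN-ACK back; only the one idle for 72 s is reported, because the 3 s one is still within the SYN timeout. The lone `A` entry is the opposite case: the SYN-ACK came back but the inside host never completed the handshake.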

TCP tear down message is logged at level 6 (Informational) by default


If you are having problems with abnormal TCP connection termination or teardown, There
Conn-Timeout - Connection Ended Because It Was Idle Longer Than the Configured Idle Timeout
Idle Timeout - Connection Timed Out Because It Was Idle Longer than the Timeout Value
FIN Timeout - Force Termination After Ten Minutes Awaiting the Last ACK or After Half-Closed Timeout
SYN Timeout - Force Termination After Twenty Seconds Awaiting Three-Way Handshake Completion
Invalid SYN - SYN Packet Not Valid
TCP Fins - Normal Close Down Sequence
TCP Reset-I - TCP Reset Was Sent From the Inside Host
TCP Reset-O - TCP Reset Was Sent From the Outside Host
Flow Closed by Inspection - Flow Was Terminated by Inspection Feature
Deny Terminate - Flow Was Terminated by Application Inspection
Flow Terminated by IPS
Flow Reset by IPS
Flow Terminated by TCP Intercept
Unauth Deny - Connection Denied by URL Filtering Server
Tunnel Has Been Torn Down - Flow Terminated Because Tunnel Is Down
Xlate Clear - User Executed the Clear Xlate Command
TCP Bad Retransmission - Connection Terminated Because of Bad TCP Retransmission
Failover Primary Closed - The Standby Unit in a Failover Pair Deleted a Connection Because of a Messa
SYN Control - Back Channel Initiation from Wrong Side
TCP Segment Partial Overlap - Detected a Partially Overlapping Segment
TCP Unexpected Window Size Variation - Connection Terminated Due to a Variation in the TCP Window
IPS Fail-Close - Flow Was Terminated Due to IPS Card Down

NAT Order of operation in 8.3+


Section 1 - Twice NAT Policies
Section 2 - Object NAT or Auto NAT Policies (Static NAT with /32 > Static NAT with /24 > Dynamic NAT
Section 3 - Twice NAT after auto Policies

If there is a connection issue between two hosts attached to the inside and outside of the ASA, th
Check the connection table - To ensure connections are built and passing traffic through the ASA o these t
Check for any kind of packet drop in the ASP for these two hosts
Use packet-tracer and inject a simulated packet to check if anything is getting blocked by the ASA flow
Use packet capture to analyse the traffic passing between these two hosts
Use Cisco CLI Analyzer to upload the sh tech and look for the results / errors
Object NAT or Auto NAT Configuration 8.3+
Static NAT
object network COPAL_PROXYSERVER
 host 10.50.5.122
 nat (inside,outside) static 61.16.247.3
Dynamic PAT (Interface Overload)
object network COPAL_GGN
 subnet 10.50.0.0 255.255.0.0
 nat (inside,outside) dynamic interface
Configure the session prompt to indicate the failover unit and its state
prompt hostname state priority

Twice NAT Configuration 8.3+

object network COPAL_GGN
 subnet 10.50.0.0 255.255.0.0
object network AMBA_BLR
 subnet 192.168.0.0 255.255.0.0
nat (inside,outside) source static COPAL_GGN COPAL_GGN destination static AMBA_BLR AMBA_BLR
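The NAT order of operations (Section 1 twice NAT, then Section 2 object NAT with static before dynamic and longer prefixes first, then Section 3) together with the object NAT and twice NAT configuration above can be checked with a small model of the lookup. This is an added example, not part of the original notes and not ASA code; the rule set is constructed from the objects shown above (COPAL_PROXYSERVER, COPAL_GGN, AMBA_BLR) and the Section 2 tie-break is the simplified one stated in the notes, not the ASA's full ordering. It shows the classic case where the twice NAT identity rule for 10.50.0.0/16 to 192.168.0.0/16 wins over the more specific /32 object NAT for the proxy server, because sections are evaluated before prefix length.

```python
"""Model of the ASA 8.3+ NAT lookup order described in the notes (added example; not ASA code).

Section 1 (twice NAT) is checked first in configuration order, then section 2
(object / auto NAT: static before dynamic, longer source prefix first), then
section 3 (twice NAT after-auto). The rules below are constructed from the
object NAT and twice NAT configuration shown in the notes.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class NatRule:
    name: str
    section: int                     # 1 = twice NAT, 2 = object/auto NAT, 3 = twice NAT after-auto
    kind: str                        # "static" or "dynamic"
    source: ipaddress.IPv4Network    # real source the rule applies to
    mapped: str                      # mapped source: an address, "interface" (PAT) or "identity"
    destination: Optional[ipaddress.IPv4Network] = None  # twice NAT also matches the destination
    order: int = 0                   # position in the configuration


def sort_key(rule: NatRule):
    """Ordering used by the lookup: section first, then the section-2 tie-breakers."""
    if rule.section == 2:
        return (2, 0 if rule.kind == "static" else 1, -rule.source.prefixlen, rule.order)
    return (rule.section, 0, 0, rule.order)


def ordered(rules):
    return sorted(rules, key=sort_key)


def lookup(rules, src, dst) -> Optional[NatRule]:
    """Return the first rule, in NAT order, that matches the real source/destination."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in ordered(rules):
        if src_ip not in rule.source:
            continue
        if rule.destination is not None and dst_ip not in rule.destination:
            continue
        return rule
    return None


def translate(rules, src, dst):
    """Return (mapped source, matching rule name); the source is unchanged if nothing matches."""
    rule = lookup(rules, src, dst)
    if rule is None or rule.mapped == "identity":
        return src, (rule.name if rule else None)
    return rule.mapped, rule.name


# Constructed from the configuration in the notes (object names are the notes' own).
RULES = [
    NatRule("twice NAT COPAL_GGN<->AMBA_BLR (identity)", 1, "static",
            ipaddress.ip_network("10.50.0.0/16"), "identity",
            ipaddress.ip_network("192.168.0.0/16"), order=0),
    NatRule("object NAT COPAL_PROXYSERVER static", 2, "static",
            ipaddress.ip_network("10.50.5.122/32"), "61.16.247.3", order=1),
    NatRule("object NAT COPAL_GGN dynamic PAT", 2, "dynamic",
            ipaddress.ip_network("10.50.0.0/16"), "interface", order=2),
]


if __name__ == "__main__":
    for src, dst in [("10.50.5.122", "212.48.7.18"), ("10.50.5.122", "192.168.1.10"),
                     ("10.50.9.15", "212.48.7.18")]:
        print(src, "->", dst, "=>", translate(RULES, src, dst))
```

Running it shows the proxy server translated to 61.16.247.3 for Internet-bound traffic but left untranslated towards 192.168.0.0/16, and any other 10.50.0.0/16 host PATed to the interface address; reversing the order of the two object NAT rules in the list does not change the result, which is the point of the section-2 ordering.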
