
Presented By: Waleed Adlan
BSc, MSc in Telecommunication
CCNA, CCNP, CCIE #41999
Prepared By:Waleed Adlan-CCIE41999 - waleed_hashim@hotmail.com
Course Instructor
 Name: Waleed Hashim Ali Adlan
 Academic Qualifications and Achievements:
1. MSc of Telecommunication – Leeds University, UK – Distinction (Top of the class)
2. BSc of Electrical Engineering – Khartoum University
 Research Publications:
1. Anycast Routing in OBS Grid Networks, 2009
2. Storage Area Networks Extensions in WDM Architecture, 2009
 Technical Certifications:
1. CCIE # 41999
2. CCNP
3. CCNA
4. Gold IPv6 Certified Engineer
5. Huawei RNC Certification with MTN
Work History:
1. Part-time Teaching Assistant, Khartoum University
2. Network Engineer, Khartoum University – Information Network
3. Routing & Switching Engineer, AZ
4. Base Station Network Engineer, MTN
5. Network Engineer, Excell Group, London
6. Freelance Network Consultant
7. Lecturer at PTC, Sudacad, SoftStars and Beacon Training Centers, and Graduation Project Supervisor at SIU.
CCNP Routing Course Contents
 CCNA Revision
 EIGRP
 Advanced EIGRP Topics
 OSPF
 Advanced OSPF Topics
 Redistribution
 Route Filtering and Manipulation
 BGP
 BGP Best Path Selection Criteria
 IPv6
 VPN (IPSEC, DMVPN, MPLS)
 Security of Network Devices
 Network Devices Management
 IP SLA
What is Routing?
[Figure: a router with two interfaces, E0 on network 10.120.2.0 and S0 towards network 172.16.1.0; routed protocol: IP]

Network Protocol   Destination Network   Exit Interface
Connected          10.120.2.0            E0
Learned            172.16.1.0            S0

Routers must learn destinations that are not directly connected.

IP Routing
The different types of routing are:
 Static routing
 Default routing
 Dynamic routing
Dynamic Routing Categories
Autonomous System: an Autonomous System (AS) is a group of IP networks which has a single and clearly defined routing policy.
A group of routers which can exchange updates.
ASes are identified by numbers.
All routing protocols are categorized as IGP or EGP.

EGP: Exterior Gateway Protocols are used for routing between Autonomous Systems (in the figure, between AS 1000, AS 2000 and AS 3000).
IGP: Interior Gateway Protocols are used for routing decisions within an Autonomous System.
Routing Categories
[Figure: AS 1000, AS 2000 and AS 3000 each run an Interior Gateway Protocol (IGP) internally; an Exterior Gateway Protocol (EGP) runs on the links between the autonomous systems.]
Autonomous Systems: Interior or Exterior Routing Protocols
An autonomous system is a collection of networks under a common administrative domain.
IGPs operate within an autonomous system.
EGPs connect different autonomous systems.
Types or Classes of Routing Protocols
 Distance Vector
  RIP V1
  IGRP
  RIP V2
 Link state
  OSPF
 Hybrid
  EIGRP
OSPF

Open Shortest Path First (OSPF)
 OSPF is an open-standard routing protocol
 It works by running the Dijkstra (shortest path first) algorithm
 OSPF provides the following features:
  Minimizes routing update traffic
  Allows scalability (e.g. RIP is limited to 15 hops)
  Has unlimited hop count
  Supports VLSM/CIDR
  Allows multi-vendor deployment (open standard)
Link State
There are two types of packets:
 Hello
 LSAs
OSPF Hello
[Figure: router A connected to routers B and C]
 When router A starts, it sends a Hello packet to 224.0.0.5
 Hello packets are received by all neighbors
 B will write A's name in its neighbor table
 C processes it the same way
"Hello" Packets
 Small frequently issued packets
 Discover neighbours and negotiate "adjacencies"
 Verify continued availability of adjacent neighbours
 Hello packets and Link State Advertisements (LSAs) build
and maintain the topological database
 Hello packets are addressed to 224.0.0.5.

Link State Advertisement (LSA)
 An OSPF data packet containing link state and routing information that is shared among OSPF routers
 LSAs are shared only with routers with which an adjacency has been formed
 LSA packets are used to update and maintain the topology database.
Link State
There are three types of tables:
 Neighbor
 Topology
 Routing
Tables
 Neighbor
  Contains information about the neighbors
  A neighbor is a router which shares a link on the same network
  Another relationship is adjacency
  Not all neighbors necessarily become adjacent
  LSA updates are exchanged only when an adjacency is established
Tables
 Topology
  Contains information about all networks and the paths to reach any network
  All LSAs are entered into the topology table
  When the topology changes, new LSAs are generated and sent
  On the topology table an algorithm is run to create the shortest path; this algorithm is known as SPF or the Dijkstra algorithm
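As an added example (not part of the course slides), the following Python program runs the SPF (Dijkstra) computation described above over a small, constructed link-state database and produces the routing-table view (destination, cost, next hop) that a router would derive from it. The router names and link costs are assumptions made for this example.

```python
"""Added example (not from the course slides): an SPF (Dijkstra) run over a
small link-state database, the computation each OSPF router performs on its
topology table to build its routing table.  The topology below is constructed
for this example; router names and costs are assumptions, not from the slides.
"""
import heapq

# Constructed link-state database: for each router, its links as
# (neighbour, OSPF cost).  Costs are symmetric here for simplicity.
LSDB = {
    "R1": [("R2", 10), ("R3", 1)],
    "R2": [("R1", 10), ("R4", 1)],
    "R3": [("R1", 1), ("R4", 10), ("R5", 1)],
    "R4": [("R2", 1), ("R3", 10), ("R5", 1)],
    "R5": [("R3", 1), ("R4", 1)],
}


def spf(lsdb, root):
    """Run Dijkstra from `root`.  Returns {router: (total_cost, next_hop)}
    where next_hop is the directly connected neighbour the root forwards
    through, i.e. what ends up in the routing table."""
    dist = {root: 0}
    next_hop = {root: None}
    # heap entries: (cost so far, router, next hop used from the root)
    heap = [(0, root, None)]
    done = set()
    while heap:
        cost, node, via = heapq.heappop(heap)
        if node in done:
            continue          # stale entry; a cheaper path was already settled
        done.add(node)
        for nbr, link_cost in lsdb.get(node, []):
            new_cost = cost + link_cost
            # the next hop towards a neighbour of the root is that neighbour
            hop = nbr if node == root else via
            if nbr not in dist or new_cost < dist[nbr]:
                dist[nbr] = new_cost
                next_hop[nbr] = hop
                heapq.heappush(heap, (new_cost, nbr, hop))
    return {r: (dist[r], next_hop[r]) for r in dist}


def routing_table(lsdb, root):
    """Routing-table view: destination -> (cost, next hop), root excluded."""
    return {r: v for r, v in spf(lsdb, root).items() if r != root}


if __name__ == "__main__":
    # Each router runs SPF with itself as the root, so every routing table
    # is different even though every router holds the same LSDB.
    for dst, (cost, hop) in sorted(routing_table(LSDB, "R1").items()):
        print(f"{dst}: cost {cost} via {hop}")
```

Running SPF from R1 shows why the topology table and the routing table differ: R1 has a direct link to R2 at cost 10, but the routing table sends R2-bound traffic via R3 because the cost through R3, R5 and R4 is only 4.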
Tables
 Routing Table
  Also known as the forwarding database
  Generated when the SPF algorithm is run on the topology database
  The routing table for each router is unique
OSPF Terms
 Link
 Router ID
 Neighbours
 Adjacency
 OSPF Area
 Backbone area
 Internal routers
 Area Border Router (ABR)
 Autonomous System Boundary Router (ASBR)
OSPF Design
[Figure: Area 0, the backbone area, with backbone routers in the middle; Area 1 and Area 2 attached to it through Area Border Routers (ABRs); an Autonomous System Boundary Router (ASBR) at the edge of the autonomous system.]
Basic OSPF Configuration
Router(config)# router ospf 1
 The number 1 in this example is a process-id that starts an OSPF process in the router
 More than one process can be launched in a router, but this is rarely necessary
 Usually the same process-id is used throughout the entire network, but this is not required
 The process-id can actually be any value from 1 to a "very large integer"
 The process-id cannot be ZERO
 This is NOT the same as the AS number used in IGRP and EIGRP
Configuring OSPF Areas
 After identifying the OSPF process, you need to identify the interfaces on which you want to activate OSPF communications
Lab_A#config t
Lab_A(config)#router ospf 1
Lab_A(config-router)#network 10.0.0.0 0.255.255.255 area ?
  <0-4294967295>  OSPF area ID as a decimal value
  A.B.C.D         OSPF area ID in IP address format
Lab_A(config-router)#network 10.0.0.0 0.255.255.255 area 0
 Every OSPF network must have an area 0 (the backbone area) to which other areas connect
 So in a multiple-area network, there must be an area 0
 The wildcard mask represents the set of hosts supported by the network and is really just the inverse of the subnet mask.
OSPF Configuration
 The OSPF process ID number is only locally significant. It can be the same on every router on the network
 The arguments of the network command are the network number (10.0.0.0) and the wildcard mask (0.255.255.255)
 Wildcards: a 0 octet in the wildcard mask indicates that the corresponding octet in the network must match exactly
 A 255 indicates that you don't care what the corresponding octet is in the network number
 A network and wildcard mask combination of 1.1.1.1 0.0.0.0 would match 1.1.1.1 only, and nothing else.
 The network and wildcard mask combination of 1.1.0.0 0.0.255.255 would match anything in the range 1.1.0.0–1.1.255.255
OSPF and Loopback Interfaces
 Configuring loopback interfaces when using the OSPF routing protocol is important
 Cisco suggests using them whenever you configure OSPF on a router
 Loopback interfaces are logical interfaces, which are virtual, software-only interfaces; they are not real router interfaces
 Using loopback interfaces with your OSPF configuration ensures that an interface is always active for OSPF processes.
 The highest IP address on a router will become that router's RID
 The RID is used to advertise the routes as well as to elect the DR and BDR.
 If you configure a serial interface of your router with the highest IP address, this address becomes the RID of the router
 If this interface goes down, then a re-election must occur
 This can have a big impact when that link is flapping
Configuring Loopback Interfaces
R1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#int loopback 0
R1(config-if)#ip address 172.16.10.1 255.255.255.255
R1(config-if)#no shut
R1(config-if)#^Z
R1#
Verifying OSPF Operation
Router# show ip protocols
• Verifies the configured IP routing protocol processes, parameters and statistics

Router# show ip route ospf
• Displays all OSPF routes learned by the router

Router# show ip ospf interface
• Displays the OSPF router ID, area ID and adjacency information
Verifying OSPF Operation (Cont.)
Router# show ip ospf
• Displays the OSPF router ID, timers, and statistics

Router# show ip ospf neighbor [detail]
• Displays information about the OSPF neighbors, including Designated Router (DR) and Backup Designated Router (BDR) information on broadcast networks
The show ip route ospf Command
RouterA# show ip route ospf
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile,
       B - BGP, D - EIGRP, EX - EIGRP external, O - OSPF,
       IA - OSPF inter area, E1 - OSPF external type 1,
       E2 - OSPF external type 2, E - EGP, i - IS-IS, L1 - IS-IS level-1,
       L2 - IS-IS level-2, * - candidate default

Gateway of last resort is not set

     10.0.0.0 255.255.255.0 is subnetted, 2 subnets
O       10.2.1.0 [110/10] via 10.64.0.2, 00:00:50, Ethernet0
The show ip ospf interface Command
RouterA# show ip ospf interface e0
Ethernet0 is up, line protocol is up
  Internet Address 10.64.0.1/24, Area 0
  Process ID 1, Router ID 10.64.0.1, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State DROTHER, Priority 1
  Designated Router (ID) 10.64.0.2, Interface address 10.64.0.2
  Backup Designated router (ID) 10.64.0.1, Interface address 10.64.0.1
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:04
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 10.64.0.2 (Designated Router)
  Suppress hello for 0 neighbor(s)
EIGRP

EIGRP
 IGRP
  – DV
  – Easy to configure
  – Neighbor
  – Advanced Metric
  – Periodic
  – Broadcast
• OSPF
  – LS
  – Incremental Updates
  – Multicast
  – Open Standard
• EIGRP
  – Hybrid
  – DUAL
  – Topology Database
  – Rapid Convergence
  – Reliable
Overview
Enhanced Interior Gateway Routing Protocol (EIGRP) is a Cisco-proprietary routing protocol based on Interior Gateway Routing Protocol (IGRP).
Released in 1994. Unlike IGRP, which is a classful routing protocol, EIGRP supports CIDR and VLSM.
 It is probably one of the two most popular routing protocols in use today.
Compared to IGRP, EIGRP boasts faster convergence times, improved scalability, and superior handling of routing loops.
EIGRP is often described as a hybrid routing protocol, offering the best of distance vector and link-state algorithms.
Comparing EIGRP with IGRP
IGRP and EIGRP are compatible with each other.
EIGRP offers multiprotocol support, but IGRP does not.
Communication via Reliable Transport Protocol (RTP)
Best path selection via Diffusing Update Algorithm (DUAL)
Improved convergence time
Reduced network overhead
EIGRP Tables
 EIGRP maintains 3 tables

 Neighbor table
 Topology table
 Routing table

Neighbor Discovery
 There are three conditions that must be met for neighborship establishment:
  Hello or ACK received
  AS numbers match
  Identical metrics (K values)
[Figure: two routers exchanging Hellos, each checking "AS?" and "K?" against its own settings]

K1 – Bandwidth
K2 – Load
K3 – Delay
K4 – Reliability
K5 – MTU
Metric Calculation
 The metrics used by EIGRP in making routing decisions are (the lower the metric, the better):
  Bandwidth
  Delay
  Load
  Reliability
  MTU
 By default, EIGRP uses only:
  Bandwidth
  Delay

Analogies: think of bandwidth as the width of the pipe and delay as the length of the pipe.
 Bandwidth is the carrying capacity
 Delay is the end-to-end travel time.
EIGRP Terminology and Operations
 Successor – Current Route
 A successor is a route selected as the primary route to use to reach
a destination.
 Successors are the entries kept in the routing table.

 Feasible Successor - A backup route


 A feasible successor is a backup route.
 These routes are selected at the same time the successors are
identified, but they are kept in the topology table.
 Multiple feasible successors for a destination can be retained in the
topology table.

Configuring EIGRP
Router(config)#router eigrp autonomous-system
• Defines EIGRP as the IP routing protocol

Router(config-router)#network network-number
• Selects participating attached networks

EIGRP Configuration Example
[Figure only]
Verifying the EIGRP Configuration
To verify the EIGRP configuration a number of show and debug commands are available.
These commands are shown on the next few slides.

show ip eigrp topology
show ip eigrp topology [active | pending | successors]
show ip eigrp topology all-links
show ip eigrp traffic
Administrative Distances

Switching

Layer 2 Switching
 Switching breaks up large collision domains into smaller ones
 A collision domain is a network segment with two or more devices sharing the same bandwidth.
 A hub network is a typical example of this type of technology
 Each port on a switch is actually its own collision domain, so you can make a much better Ethernet LAN just by replacing your hubs with switches
Switching Services
 Unlike bridges that use software to create and manage a filter table, switches use Application Specific Integrated Circuits (ASICs)
 Layer 2 switches and bridges are faster than routers because they don't take up time looking at the Network layer header information.
 They look at the frame's hardware addresses before deciding to either forward the frame or drop it.
 What makes layer 2 switching so efficient is that no modification to the data packet takes place
How Switches and Bridges Learn Addresses
Bridges and switches learn in the following ways:
• Reading the source MAC address of each received frame or datagram
• Recording the port on which the MAC address was received.
In this way, the bridge or switch learns which addresses belong to the devices connected to each port.
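As an added example (not part of the course slides), the following Python model shows the learning and forwarding rules just described: each frame's source MAC is recorded against its ingress port, known destinations are forwarded to one port, unknown or broadcast destinations are flooded, and a frame whose destination sits on the same port it arrived on is dropped (filtered). The port names, MAC addresses and frame sequence are constructed for this example.

```python
"""Added example (not from the course slides): a minimal software model of
how a transparent bridge or switch learns addresses.  For every frame it
records source MAC -> ingress port, then forwards to the learned port, floods
unknown or broadcast destinations, and filters frames whose destination is on
the ingress port.  The frames and MAC addresses below are constructed.
"""
BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}          # mac -> port (the CAM / filter table)

    def handle_frame(self, in_port, src, dst):
        """Process one frame; return the list of ports it is sent out of."""
        # Learn: the source address was seen arriving on in_port.
        self.mac_table[src] = in_port
        if dst == BROADCAST or dst not in self.mac_table:
            # Unknown unicast or broadcast: flood out every port but ingress.
            return [p for p in self.ports if p != in_port]
        out_port = self.mac_table[dst]
        if out_port == in_port:
            return []                 # destination is on this segment: filter (drop)
        return [out_port]             # known destination: forward to one port


def demo():
    """Constructed sequence of frames; returns the forwarding decision for
    each frame and the MAC table the switch ends up with."""
    sw = LearningSwitch(["Fa0/1", "Fa0/2", "Fa0/3"])
    frames = [
        ("Fa0/1", "00:00:00:00:00:0a", "00:00:00:00:00:0b"),  # A->B, B unknown: flood
        ("Fa0/2", "00:00:00:00:00:0b", "00:00:00:00:00:0a"),  # B->A, A learned: forward
        ("Fa0/1", "00:00:00:00:00:0a", BROADCAST),             # broadcast: flood
        ("Fa0/2", "00:00:00:00:00:0c", "00:00:00:00:00:0b"),  # C->B, both on Fa0/2: filter
    ]
    decisions = [sw.handle_frame(*f) for f in frames]
    return decisions, dict(sw.mac_table)


if __name__ == "__main__":
    decisions, table = demo()
    for d in decisions:
        print("sent out:", d or "nowhere (filtered)")
    print("MAC table:", table)
```

Note that the table is populated purely from what arrives on each port: the switch never verifies a source address, which is why the learned mapping for a MAC simply moves to whichever port most recently claimed it.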
Ethernet Access with Hubs

Ethernet Access with Switches

Switch Configuration
 There are two reasons to set the IP address information on the switch:
  To manage the switch via Telnet or other management software
  To configure the switch with different VLANs and other network functions
 See the default IP configuration with the show ip command

Configure IP Address
sw1(config)#interface vlan 1
sw1(config-if)#ip address 10.0.0.1 255.0.0.0
sw1(config-if)#no shut
sw1(config-if)#exit
sw1(config)#ip default-gateway 10.0.0.254
VLANs

VLANs
 A VLAN is a logical grouping of network users and resources connected to administratively defined ports on a switch.
 Ability to create smaller broadcast domains within a layer 2 switched internetwork by assigning different ports on the switch to different subnetworks.
 Frames broadcast onto the network are only switched between the ports logically grouped within the same VLAN
 By default, no hosts in a specific VLAN can communicate with any other hosts that are members of another VLAN
 For inter-VLAN communication you need a router
VLANs
VLAN implementation combines Layer 2 switching and Layer 3 routing technologies to limit both collision domains and broadcast domains.
VLANs can also be used to provide security by creating the VLAN groups according to function and by using routers to communicate between VLANs.
A physical port association is used to implement VLAN assignment.
Communication between VLANs can occur only through the router.
This limits the size of the broadcast domains and uses the router to determine whether one VLAN can talk to another VLAN.
NOTE: This is the only way a switch can break up a broadcast domain!
VLAN Overview
• Segmentation
• Flexibility
• Security
A VLAN = A Broadcast Domain = Logical Network (Subnet)
VLAN Operation
VLANs can span across multiple switches.
Trunks carry traffic for multiple VLANs.
Trunks use special encapsulation to distinguish between different VLANs.
Types of Links
 Access links
  This type of link is only part of one VLAN
  It's referred to as the native VLAN of the port
  Any device attached to an access link is unaware of a VLAN
  Switches remove any VLAN information from the frame before it's sent to an access-link device.
 Trunk links
  Trunks can carry multiple VLANs
  These carry the traffic of multiple VLANs
  A trunk link is a 100- or 1000Mbps point-to-point link between two switches, or between a switch and a router.
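As an added example (not part of the course slides), the following Python code handles the "special encapsulation" a trunk uses, the IEEE 802.1Q tag: it parses a frame, reads the VLAN ID out of the tag, inserts a tag as a trunk port would on egress, and strips it as an access port would before the frame reaches a VLAN-unaware device. The frame bytes and MAC addresses are constructed for this example.

```python
"""Added example (not from the course slides): parsing and stripping an IEEE
802.1Q tag, the encapsulation a trunk uses to mark which VLAN a frame belongs
to, and what a switch removes before sending the frame out an access port.
The frame bytes below are constructed for this example.
"""
import struct

TPID_8021Q = 0x8100          # EtherType value that announces a VLAN tag


def parse_frame(frame: bytes):
    """Return (dst, src, vlan_id, ethertype, payload) for an Ethernet frame.
    vlan_id is None when the frame carries no 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("tagged frame truncated before the inner EtherType")
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        vlan_id = tci & 0x0FFF        # low 12 bits of the TCI; PCP/DEI sit above
        return dst, src, vlan_id, inner_type, frame[18:]
    return dst, src, None, ethertype, frame[14:]


def strip_tag(frame: bytes) -> bytes:
    """What an access port does on egress: remove the 4-byte 802.1Q tag."""
    dst, src, vlan_id, ethertype, payload = parse_frame(frame)
    if vlan_id is None:
        return frame                  # already untagged: nothing to remove
    return dst + src + struct.pack("!H", ethertype) + payload


def add_tag(frame: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """What a trunk port does on egress: insert a tag carrying vlan_id."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")
    dst, src, existing, ethertype, payload = parse_frame(frame)
    if existing is not None:
        raise ValueError("frame is already tagged")
    tci = (pcp << 13) | vlan_id       # priority in the top 3 bits, VID in the low 12
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


# Constructed untagged IPv4 frame (EtherType 0x0800) with a 4-byte dummy payload.
UNTAGGED = (bytes.fromhex("0000000000aa") + bytes.fromhex("0000000000bb")
            + struct.pack("!H", 0x0800) + b"\x45\x00\x00\x14")

if __name__ == "__main__":
    on_trunk = add_tag(UNTAGGED, 2)
    print("tagged on trunk:", on_trunk.hex())
    print("VLAN seen by next switch:", parse_frame(on_trunk)[2])
    print("restored for access port:", strip_tag(on_trunk) == UNTAGGED)
```

The parser only trusts the TPID at offset 12, so a frame arriving on an access port with a tag already present would still be parsed as tagged; a switch decides what to do with such frames by port role, not by the tag alone.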
Access links

Trunk links

VLAN Configuration
[Figure: two switches connected by a trunk from port 24 of the first to port 12 of the second; ports 1 to 4 on each switch, with hosts 10.0.0.1 to 10.0.0.4 split between VLAN 2 and VLAN 3]
VLAN Configuration Steps
 VLAN Creation:
!SW1/SW2
vlan 2
 name Red
vlan 3
 name Blue
exit
 Port Assignment:
!SW1/SW2
interface fa0/1
 switchport access vlan 2
!
interface fa0/4
 switchport access vlan 3
 Trunk Configuration:
!SW1
interface fa0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
Switchport Mode Interactions
                   Dynamic Auto   Dynamic Desirable   Trunk             Access
Dynamic Auto       Access         Trunk               Trunk             Access
Dynamic Desirable  Trunk          Trunk               Trunk             Access
Trunk              Trunk          Trunk               Trunk             Not recommended
Access             Access         Access              Not recommended   Access

Note: Table assumes DTP is enabled at both ends.
• show dtp interface – to determine current setting
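As an added example (not part of the course slides), the following Python code encodes the switchport mode interaction table above as a lookup and uses it for a configuration check: given the modes configured on a set of ports, it reports which ports are still in a dynamic mode, meaning their trunking state is decided by whatever is connected at the other end rather than by the administrator. The port names and modes are constructed for this example.

```python
"""Added example (not from the course slides): the switchport mode
interaction table expressed as a lookup, plus a check that reports which
ports would become a trunk depending on the peer's setting.  Port names and
modes in the audit input are constructed for this example.
"""
MODES = {"dynamic auto", "dynamic desirable", "trunk", "access"}

# Operational result for (local mode, peer mode) with DTP enabled on both
# ends, copied from the table above.  The table is symmetric, so each pair
# is stored once.
_TABLE = {
    ("dynamic auto", "dynamic auto"): "access",
    ("dynamic auto", "dynamic desirable"): "trunk",
    ("dynamic auto", "trunk"): "trunk",
    ("dynamic auto", "access"): "access",
    ("dynamic desirable", "dynamic desirable"): "trunk",
    ("dynamic desirable", "trunk"): "trunk",
    ("dynamic desirable", "access"): "access",
    ("trunk", "trunk"): "trunk",
    ("trunk", "access"): "not recommended",
    ("access", "access"): "access",
}


def negotiated_mode(local: str, peer: str) -> str:
    """Operational mode of a link given both ends' switchport modes."""
    local, peer = local.lower(), peer.lower()
    for m in (local, peer):
        if m not in MODES:
            raise ValueError(f"unknown switchport mode: {m}")
    return _TABLE.get((local, peer)) or _TABLE[(peer, local)]


def can_become_trunk(local: str) -> bool:
    """True when the port was not configured as a trunk, yet some peer
    setting would still negotiate it into one (i.e. it is in a dynamic mode)."""
    if local.lower() == "trunk":
        return False
    return any(negotiated_mode(local, peer) == "trunk" for peer in MODES)


def audit(ports: dict) -> list:
    """ports: {port name: configured switchport mode}.
    Returns the names of ports whose trunking state depends on the peer."""
    return sorted(name for name, mode in ports.items() if can_become_trunk(mode))


if __name__ == "__main__":
    # Constructed port inventory for the demonstration.
    inventory = {"Fa0/1": "access", "Fa0/2": "dynamic auto",
                 "Fa0/5": "dynamic desirable", "Fa0/24": "trunk"}
    print("ports left to DTP negotiation:", audit(inventory))
    print("Fa0/2 against a desirable peer:",
          negotiated_mode(inventory["Fa0/2"], "dynamic desirable"))
```

The "Not recommended" cells are returned as a distinct value rather than collapsed into access or trunk, so a check can flag a trunk/access mismatch separately from a port that merely has not been pinned to a mode.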
Verifying the VLAN Configuration
Switch#show vlan [id | name] [vlan_num | vlan_name]
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/5, Fa0/7
                                                Fa0/8, Fa0/9, Fa0/11, Fa0/12
                                                Gi0/1, Gi0/2
2    VLAN0002                         active
51   VLAN0051                         active
52   VLAN0052                         active

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        1002   1003
2    enet  100002     1500  -      -      -        -    -        0      0
51   enet  100051     1500  -      -      -        -    -        0      0
52   enet  100052     1500  -      -      -        -    -        0      0

Remote SPAN VLANs
------------------------------------------------------------------------------

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
VLAN to VLAN
If you want to connect between two VLANs you need
a layer 3 device

Router on Stick
[Figure: router interface FA0/0 (10.0.0.1 for VLAN 2, 20.0.0.1 for VLAN 3) connected to switch port 9; the two switches are connected by a trunk from port 24 to port 12; hosts 10.0.0.2 and 10.0.0.3 are in one VLAN and 20.0.0.2 and 20.0.0.3 in the other]
Router On Stick (creating VLANs)
Create two VLANs on each switch:
sw#vlan database
sw(vlan)#vlan 2 name red
sw(vlan)#vlan 3 name blue
sw(vlan)#exit
sw#config t
sw(config)#int fastethernet 0/1
sw(config-if)#switchport access vlan 2
sw(config-if)#int fastethernet 0/4
sw(config-if)#switchport access vlan 3
To see interface status:
sw#show interface status
Router On Stick (Trunk Configuration)
 Trunk Port Configuration
sw#config t
sw(config)#int fastethernet 0/24
sw(config-if)#switchport trunk encapsulation dot1q
sw(config-if)#switchport mode trunk
Router On Stick (Router Configuration)
 Router Configuration
R1#config t
R1(config)#int fastethernet 0/0
R1(config-if)#no shut
R1(config-if)#int fastethernet 0/0.1
R1(config-subif)#encapsulation dot1q 2
R1(config-subif)#ip address 10.0.0.1 255.0.0.0
R1(config-subif)#exit
R1(config)#int fastethernet 0/0.2
R1(config-subif)#encapsulation dot1q 3
R1(config-subif)#ip address 20.0.0.1 255.0.0.0
Router On Stick (Switch-Router Port Configuration)
 The switch port facing the router is made a trunk
sw(config)#int fastethernet 0/9
sw(config-if)#switchport trunk encapsulation dot1q
sw(config-if)#switchport mode trunk
Frame Relay Overview
[Figure: router (DTE) with CSU/DSU connected over the local access loop to the Frame Relay switch (DCE); "Frame Relay works here" marks the access link]
 Virtual circuits make connections
 Connection-oriented service

Frame Relay Stack
OSI Reference Model    Frame Relay
Application            -
Presentation           -
Session                -
Transport              -
Network                IP/IPX/AppleTalk, etc.
Data Link              Frame Relay
Physical               EIA/TIA-232, EIA/TIA-449, V.35, X.21, EIA/TIA-530
Frame Relay Terminology
[Figure: three routers attached to the Frame Relay cloud over local access loops of 64 kbps, T1 and 64 kbps; PVCs identified by DLCIs 100, 200, 400 and 500; LMI on one access link reports 100=Active, 400=Active]
Configuring Basic Frame Relay
HQ (Rel. 11.2 Router):
interface Serial1
 ip address 10.16.0.1 255.255.255.0
 encapsulation frame-relay
 bandwidth 64

Branch (Rel. 10.3 Router):
interface Serial1
 ip address 10.16.0.2 255.255.255.0
 encapsulation frame-relay
 bandwidth 64
 frame-relay lmi-type ansi

Inverse ARP
• Enabled by default
• Does not appear in configuration output
Configuring a Static Frame Relay Map
[Figure: HQ (p1r1), DLCI=110, IP address 10.16.0.1/24, connected through the Frame Relay cloud to Branch, DLCI=100, IP address 10.16.0.2/24]
interface Serial1
 ip address 10.16.0.1 255.255.255.0
 encapsulation frame-relay
 bandwidth 64
 frame-relay map ip 10.16.0.2 110 broadcast
Verifying Frame Relay Operation
Router#show interface s0
Serial0 is up, line protocol is up
Hardware is HD64570
Internet address is 10.140.1.2/24
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation FRAME-RELAY, loopback not set, keepalive set (10 sec)
LMI enq sent 19, LMI stat recvd 20, LMI upd recvd 0, DTE LMI up
LMI enq recvd 0, LMI stat sent 0, LMI upd sent 0
LMI DLCI 1023 LMI type is CISCO frame relay DTE
FR SVC disabled, LAPF state down
Broadcast queue 0/64, broadcasts sent/dropped 8/0, interface broadcasts 5
Last input 00:00:02, output 00:00:02, output hang never
Last clearing of "show interface" counters never
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
<Output omitted>

Displays line, protocol, DLCI, and LMI information


Verifying Frame Relay Operation (cont.)

Router#show frame-relay lmi

LMI Statistics for interface Serial0 (Frame Relay DTE) LMI TYPE = CISCO
Invalid Unnumbered info 0 Invalid Prot Disc 0
Invalid dummy Call Ref 0 Invalid Msg Type 0
Invalid Status Message 0 Invalid Lock Shift 0
Invalid Information ID 0 Invalid Report IE Len 0
Invalid Report Request 0 Invalid Keep IE Len 0
Num Status Enq. Sent 113100 Num Status msgs Rcvd 113100
Num Update Status Rcvd 0 Num Status Timeouts 0

Displays LMI information


Verifying Frame Relay Operation (cont.)
Router#show frame-relay pvc 100

PVC Statistics for interface Serial0 (Frame Relay DTE)

DLCI = 100, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0

input pkts 28 output pkts 10 in bytes 8398


out bytes 1198 dropped pkts 0 in FECN pkts 0
in BECN pkts 0 out FECN pkts 0 out BECN pkts 0
in DE pkts 0 out DE pkts 0
out bcast pkts 10 out bcast bytes 1198
pvc create time 00:03:46, last time pvc status changed 00:03:47

Displays PVC traffic statistics


Verifying Frame Relay Operation (cont.)
Router#show frame-relay map
Serial0 (up): ip 10.140.1.1 dlci 100(0x64,0x1840), dynamic,
broadcast,, status defined, active

Displays the route maps, either static or dynamic


Verifying Frame Relay Operation (cont.)
Router#show frame-relay map
Serial0 (up): ip 10.140.1.1 dlci 100(0x64,0x1840), dynamic,
broadcast,, status defined, active
Router#clear frame-relay-inarp
Router#sh frame map
Router#

Clears dynamically created Frame Relay maps

Configuring Point-to-Point Subinterfaces
[Figure: router A reaches B (10.17.0.2) through subinterface s0.2 on DLCI 110 and C (10.18.0.2) through subinterface s0.3 on DLCI 120]
interface Serial0
 no ip address
 encapsulation frame-relay
!
interface Serial0.2 point-to-point
 ip address 10.17.0.1 255.255.255.0
 bandwidth 64
 frame-relay interface-dlci 110
!
interface Serial0.3 point-to-point
 ip address 10.18.0.1 255.255.255.0
 bandwidth 64
 frame-relay interface-dlci 120
!
Multipoint Subinterfaces Configuration Example
[Figure: RTR1 (s2.2 = 10.17.0.1/24) connected through the Frame Relay cloud to B (s2.1 = 10.17.0.2/24), RTR3 (s2.1 = 10.17.0.3/24, DLCI 130) and RTR4 (s2.1 = 10.17.0.4/24)]
interface Serial2
 no ip address
 encapsulation frame-relay
!
interface Serial2.2 multipoint
 ip address 10.17.0.1 255.255.255.0
 bandwidth 64
 frame-relay map ip 10.17.0.2 120 broadcast
 frame-relay map ip 10.17.0.3 130 broadcast
 frame-relay map ip 10.17.0.4 140 broadcast
Introducing EIGRP

EIGRP Features
• Advanced distance vector
• Fast convergence
• Support for VLSM and discontiguous subnets
• Partial updates
• Support for multiple network-layer protocols
• Flexible network design
• Multicast and unicast instead of broadcast address
• Manual summarization at any point
• 100% loop-free classless routing
• Easy configuration for WANs and LANs
• Load balancing across equal- and unequal-cost pathways
EIGRP Key Technologies
 Neighbor discovery/recovery
 Uses hello packets between neighbors
 Reliable Transport Protocol (RTP)
 Guaranteed, ordered delivery of EIGRP packets to all
neighbors
 DUAL finite-state machine
 Selects lowest-cost, loop free, paths to each destination
 Protocol-dependent modules (PDMs)
 EIGRP supports IP, AppleTalk, and Novell NetWare.
 Each protocol has its own EIGRP module and operates
independently of any of the others that may be running.
EIGRP Neighbor Table

DUAL Terminology
 Selects lowest-cost, loop-free paths to each destination
 AD = cost between the next-hop router and the destination
 FD = cost from the local router = AD of the next-hop router + cost between the local router and the next-hop router
 Lowest-cost = lowest FD
 (Current) successor = next-hop router with the lowest-cost, loop-free path
 Feasible successor = backup router with a loop-free path (the AD of the feasible successor must be less than the FD of the current successor route)
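As an added example (not part of the course slides), the following Python code applies the DUAL definitions above to one destination: for each neighbour it computes FD = AD + cost to that neighbour, picks the lowest FD as the successor, and keeps as feasible successors only the neighbours whose AD is less than the successor's FD. The neighbour names, advertised distances and link costs are constructed for this example and chosen so that one backup is rejected even though its FD is close to the successor's.

```python
"""Added example (not from the course slides): DUAL's successor and feasible
successor selection for one destination, using the slide's definitions.  The
topology-table entries are constructed: each neighbour advertises its own cost
to the destination (AD) and the local router adds the cost of the link to that
neighbour to get the FD through it.
"""
from dataclasses import dataclass


@dataclass
class Path:
    neighbor: str
    advertised_distance: int   # AD: neighbour's own cost to the destination
    link_cost: int             # cost from this router to that neighbour

    @property
    def feasible_distance(self) -> int:
        # FD = AD of the next hop + cost to reach the next hop
        return self.advertised_distance + self.link_cost


def dual_select(paths):
    """Return (successor, [feasible successors]) for one destination.
    Successor: the path with the lowest FD (installed in the routing table).
    Feasible successor: any other path whose AD is lower than the successor's
    FD.  That feasibility condition is what guarantees the backup cannot be
    routing through this router, i.e. it is loop-free."""
    if not paths:
        return None, []
    successor = min(paths, key=lambda p: p.feasible_distance)
    fd = successor.feasible_distance
    feasible = [p for p in paths
                if p is not successor and p.advertised_distance < fd]
    return successor, feasible


# Constructed topology-table entries for one destination network.
PATHS = [
    Path("R2", advertised_distance=10, link_cost=5),   # FD 15 -> successor
    Path("R3", advertised_distance=12, link_cost=20),  # FD 32, AD 12 < 15 -> feasible successor
    Path("R4", advertised_distance=16, link_cost=3),   # FD 19, AD 16 >= 15 -> not feasible
]

if __name__ == "__main__":
    succ, fs = dual_select(PATHS)
    print("successor:", succ.neighbor, "FD", succ.feasible_distance)
    print("feasible successors:", [p.neighbor for p in fs])
```

R4 is the instructive case: its total cost (19) is only slightly worse than the successor's, but its advertised distance (16) is not below the successor's FD (15), so DUAL will not pre-install it as a backup; if R2 fails, the route for this destination goes active and a query is sent instead of an instant switchover.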
EIGRP Topology Table

EIGRP IP Routing Table

Prepared By:Waleed Adlan-CCIE41999 -


waleed_hashim@hotmail.com
Example: EIGRP Tables
Router C Tables:

EIGRP Packets
 Hello: Establish neighbor relationships.
 Update: Send routing updates.
 Query: Ask neighbors about routing information.
 Reply: Respond to query about routing information.
 ACK: Acknowledge a reliable packet.

Initial Route Discovery

EIGRP Metric
• Same metric components as IGRP:
–Bandwidth
–Delay
–Reliability
–Loading
–MTU
• EIGRP metric is IGRP metric multiplied by 256.

EIGRP Metric Calculation
 By default, EIGRP metric:
Metric = bandwidth (lowest link) + delay (sum of delays)
 Delay = sum of the delays in the path, in tens of
microseconds, multiplied by 256
 Bandwidth = [107 / (minimum bandwidth link along the
path, in kilobits per second)] * 256
 Formula with default K values (K1 = 1, K2 = 0, K3 = 1, K4
= 0, K5 = 0):
Metric = [K1 * BW + ((K2 * BW) / (256 – load)) + K3 * delay]
 If K5 not equal to 0:
Metric = metric * [K5 / (reliability + K4)]

EIGRP Metrics Calculation Example

ABCD Least bandwidth 64 kbps Total delay 6,000


AXYZD Least bandwidth 256 kbps Total delay 8,000

• Delay is the sum of all the delays of the links along the paths:
Delay = [delay in tens of microseconds] x 256
• Bandwidth is the lowest bandwidth of the links along the paths:
Bandwidth = [10,000,000 / (bandwidth in kbps)] x 256
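Worked example (added here; it is not code from the course slides): the metric formula above in integer arithmetic, including the K2, K4 and K5 terms that the default K values zero out, checked against the values that appear in the R1 outputs later in this section (FD 40514560 and advertised distance 28160). Assumed: IOS default interface delays of 20000 µs for a serial interface and 100 µs for FastEthernet, truncating integer division for 10^7 / bandwidth, and, for the two slide paths, that their delays are already expressed in tens of microseconds. Function and constant names are this example's own.

```python
# Added example, not from the course slides: the EIGRP composite metric in
# integer arithmetic, including the K2/K4/K5 terms the slides only sketch.
# BW_REF = 10^7 and the final *256 scaling follow the formula on the slide.
BW_REF = 10_000_000          # reference bandwidth in kbps (10^7)
SCALE = 256                  # EIGRP metric = IGRP metric * 256
DEFAULT_K = (1, 0, 1, 0, 0)  # K1..K5 as shown by "show ip protocols"


def eigrp_metric(min_bw_kbps, total_delay_tens_us, load=1, reliability=255,
                 k=DEFAULT_K):
    """Composite metric for a path.

    min_bw_kbps          lowest bandwidth along the path (kbps)
    total_delay_tens_us  sum of interface delays, in tens of microseconds
    load, reliability    1..255, only used when K2 or K5 is non-zero
    """
    k1, k2, k3, k4, k5 = k
    bw = BW_REF // min_bw_kbps       # assumed: IOS truncates, no rounding
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * total_delay_tens_us
    if k5 != 0:
        metric = metric * k5 // (reliability + k4)
    return metric * SCALE


def path_metric(links, **kw):
    """links: list of (bandwidth_kbps, delay_us) for every outgoing interface
    along the path. Delay is summed, bandwidth is the minimum."""
    min_bw = min(bw for bw, _ in links)
    total_delay_tens = sum(delay for _, delay in links) // 10
    return eigrp_metric(min_bw, total_delay_tens, **kw)


# Interface values of the R1/R2 lab in this section (assumed IOS defaults
# for delay): "bandwidth 64" on Serial0/0/1, FastEthernet LAN behind R2.
SERIAL_64K = (64, 20000)        # 64 kbps, delay 20000 us
FASTETHERNET = (100_000, 100)   # 100 Mbps, delay 100 us

if __name__ == "__main__":
    # R1 -> R2's LAN: the 40514560 seen in "show ip eigrp topology"
    print(path_metric([SERIAL_64K, FASTETHERNET]))   # 40514560
    # R2's advertised distance for its own LAN (the 28160 in that output)
    print(path_metric([FASTETHERNET]))               # 28160
    # The two constructed paths on the slide (delays in tens of us)
    print(eigrp_metric(64, 6000), eigrp_metric(256, 8000))
```

The second path on the slide wins despite its larger total delay, because the 64 kbps link alone contributes 40,000,000 to the first path's metric; bandwidth dominates the composite metric whenever a slow link is present.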
EIGRP Metrics Are Backward-
Compatible
with IGRP

Implementing and Verifying EIGRP

Configuring EIGRP
Router(config)#
router eigrp autonomous-system-number
• Defines EIGRP as the IP routing protocol.
• All routers in the internetwork that must exchange EIGRP routing
updates must have the same autonomous system number.

Router(config-router)#
network network-number [wildcard-mask]

• Identifies attached networks participating in EIGRP.


• The wildcard-mask is an inverse mask used to determine how to interpret
the address. The mask has wildcard bits, where 0 is a match and 1 is “don’t
care.”
Configuring EIGRP (Cont.)
Router(config-if)#
bandwidth kilobits
• Defines the interface’s bandwidth for the purposes of sending routing
update traffic.

Configuring EIGRP for IP

Network 192.168.1.0 is not configured on router A, because it is not
directly connected to router A.
Using the Wildcard Mask in EIGRP

Using and Configuring the ip default-
network Command for EIGRP

Example EIGRP Configuration

R2 EIGRP Configuration
<output omitted>
interface FastEthernet0/0
ip address 172.17.2.2 255.255.255.0

<output omitted>
interface Serial0/0/1
bandwidth 64
ip address 192.168.1.102 255.255.255.224

<output omitted>
router eigrp 100
network 172.17.2.0 0.0.0.255
network 192.168.1.0

Verifying EIGRP: show ip eigrp
neighbors
R1#show ip eigrp neighbors
IP-EIGRP neighbors for process 100
H   Address         Interface   Hold Uptime     SRTT   RTO   Q    Seq
                                (sec)           (ms)         Cnt  Num
0   192.168.1.102   Se0/0/1       10 00:07:22     10   2280  0    5
R1#

Verifying EIGRP: show ip route
eigrp
R1#show ip route eigrp
D 172.17.0.0/16 [90/40514560] via 192.168.1.102, 00:07:01,
Serial0/0/1
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
D 172.16.0.0/16 is a summary, 00:05:13, Null0
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
D 192.168.1.0/24 is a summary, 00:05:13, Null0

R1#show ip route
<output omitted>
Gateway of last resort is not set
D 172.17.0.0/16 [90/40514560] via 192.168.1.102, 00:06:55,
Serial0/0/1
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
D 172.16.0.0/16 is a summary, 00:05:07, Null0
C 172.16.1.0/24 is directly connected, FastEthernet0/0
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.96/27 is directly connected, Serial0/0/1
D 192.168.1.0/24 is a summary, 00:05:07, Null0
Verifying EIGRP: show ip protocols
R1#show ip protocols
Routing Protocol is "eigrp 100"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Default networks flagged in outgoing updates
Default networks accepted from incoming updates
EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
EIGRP maximum hopcount 100
EIGRP maximum metric variance 1
Redistributing: eigrp 100
EIGRP NSF-aware route hold timer is 240s
<output omitted>

Maximum path: 4
Routing for Networks:
172.16.1.0/24
192.168.1.0
Routing Information Sources:
Gateway Distance Last Update
(this router) 90 00:09:38
Gateway Distance Last Update
192.168.1.102 90 00:09:40
Distance: internal 90 external 170

Verifying EIGRP: show ip eigrp
interfaces
R1#show ip eigrp interfaces
IP-EIGRP interfaces for process 100
                   Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface   Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Fa0/0         0        0/0         0       0/10           0           0
Se0/0/1       1        0/0        10      10/380        424           0

Verifying EIGRP: show ip eigrp
topology
R1#show ip eigrp topology
IP-EIGRP Topology Table for AS(100)/ID(192.168.1.101)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status
P 192.168.1.96/27, 1 successors, FD is 40512000
        via Connected, Serial0/0/1
P 192.168.1.0/24, 1 successors, FD is 40512000
        via Summary (40512000/0), Null0
P 172.16.0.0/16, 1 successors, FD is 28160
        via Summary (28160/0), Null0
P 172.16.1.0/24, 1 successors, FD is 28160
        via Connected, FastEthernet0/0
P 172.17.0.0/16, 1 successors, FD is 40514560
        via 192.168.1.102 (40514560/28160), Serial0/0/1

Verifying EIGRP: show ip eigrp
traffic
R1#show ip eigrp traffic
IP-EIGRP Traffic Statistics for AS 100
Hellos sent/received: 429/192
Updates sent/received: 4/4
Queries sent/received: 1/0
Replies sent/received: 0/1
Acks sent/received: 4/3
Input queue high water mark 1, 0 drops
SIA-Queries sent/received: 0/0
SIA-Replies sent/received: 0/0
Hello Process ID: 113
PDM Process ID: 73

Configuring Advanced EIGRP Options

EIGRP Route Summarization:
Automatic
 Purpose: Smaller routing tables, smaller updates
 Automatic summarization:
 On major network boundaries, subnetworks are
summarized to a single classful (major) network.
 Automatic summarization is the default on classic IOS releases
(the lab configurations in this section show auto-summary); IOS 15
and later default to no auto-summary, so verify the setting with
show ip protocols rather than assuming it.

EIGRP Route Summarization:
Manual
Manual summarization has the following
characteristics:
 Summarization is configurable on a per-interface basis
in any router within a network.
 When summarization is configured on an interface, the
router immediately creates a route pointing to null0.
 Loop-prevention mechanism
 When the last specific route of the summary goes away,
the summary is deleted.
 The minimum metric of the specific routes is used as the
metric of the summary route.
Configuring Route Summarization
(config-router)#
no auto-summary
• Turns off automatic summarization for the EIGRP process

(config-if)#
ip summary-address eigrp as-number address mask
[admin-distance]

• Creates a summary address that this interface will generate

Manually Summarizing EIGRP
Routes

Router C Routing Table
RouterC#show ip route
<output omitted>
Gateway of last resort is not set
172.16.0.0/16 is variably subnetted, 3 subnets, 2
masks
D 172.16.0.0/16 is a summary, 00:00:04, Null0
D 172.16.1.0/24 [90/156160] via 10.1.1.2, 00:00:04,
FastEthernet0/0
D 172.16.2.0/24 [90/20640000] via 10.2.2.2, 00:00:04,
Serial0/0/1
C 192.168.4.0/24 is directly connected, Serial0/0/0
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C 10.2.2.0/24 is directly connected, Serial0/0/1
C 10.1.1.0/24 is directly connected, FastEthernet0/0
D 10.0.0.0/8 is a summary, 00:00:05, Null0
RouterC#
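The summary behaviour described on the two preceding slides (the summary takes the minimum metric of its components, points to Null0 as a discard route, and is withdrawn with its last component) as an added Python example; it is not part of the course material. The prefixes and metrics are the ones in Router C's table above; the classful boundary rule models auto-summary. Function names and the dictionary layout are this example's own.

```python
# Added example, not from the course slides: deriving an EIGRP summary
# route from its component routes, and the classful boundary auto-summary
# collapses to. Uses only the standard library.
import ipaddress


def classful_network(prefix):
    """Major (classful) network an address falls in: A=/8, B=/16, C=/24.
    Auto-summary advertises this network instead of the subnets."""
    net = ipaddress.ip_network(prefix, strict=False)
    first_octet = int(net.network_address) >> 24
    bits = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    if net.prefixlen <= bits:          # already classful (or shorter)
        return net
    return net.supernet(new_prefix=bits)


def summary_route(summary, specifics):
    """Return the summary entry as the routing table would show it, or None.

    summary    "172.16.0.0/16" style prefix (manual ip summary-address, or
               the major network for auto-summary)
    specifics  {prefix: metric} currently present in the topology table

    The summary inherits the minimum metric of its components and points
    to Null0 (loop prevention: traffic for an unknown subnet is dropped
    here instead of following a less specific route back out). With no
    component left, the summary and its Null0 route are withdrawn.
    """
    net = ipaddress.ip_network(summary)
    inside = [metric for prefix, metric in specifics.items()
              if ipaddress.ip_network(prefix).subnet_of(net)]
    if not inside:
        return None
    return {"prefix": str(net), "metric": min(inside), "next_hop": "Null0"}


def auto_summaries(specifics):
    """What auto-summary would generate: one summary per major network."""
    result = {}
    for prefix in specifics:
        major = str(classful_network(prefix))
        result[major] = summary_route(major, specifics)
    return result


# Router C's components for 172.16.0.0/16 (metrics from its routing table)
ROUTER_C_172_16 = {"172.16.1.0/24": 156160, "172.16.2.0/24": 20640000}

if __name__ == "__main__":
    print(summary_route("172.16.0.0/16", ROUTER_C_172_16))
    # {'prefix': '172.16.0.0/16', 'metric': 156160, 'next_hop': 'Null0'}
    print(summary_route("172.16.0.0/16", {}))   # None: summary withdrawn
```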
EIGRP Load Balancing
 Routes with a metric equal to the minimum metric are
installed in the routing table (equal-cost load balancing).
 There can be up to six entries in the routing table for the
same destination:
 The number of entries is configurable.
 The default is four.
 Set to 1 to disable load balancing.

EIGRP Unequal-Cost Load
Balancing
Router(config-router)#
variance multiplier

• Allows the router to install routes whose metric is no greater than the
multiplier times the minimum-metric (FD) route to that destination, provided
they also satisfy the feasibility condition (the neighbor's AD must be less
than the FD); variance never installs a path that fails that check.

Variance Example

• Router E chooses router C to get to network Z, because it has the lowest
FD of 20.
• With a variance of 2, router E also uses router B to get to network Z,
because (20 + 10 = 30) < [2 * FD = 40] and B passes the feasibility condition.
• Router D is never considered to get to network Z, because its advertised
distance of 25 is not less than the FD of 20 (feasibility condition fails),
whatever the variance.
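DUAL's successor and feasible-successor selection and the variance check, run over Router E's entries for network Z as an added Python example (not code from the course slides). The per-neighbor numbers are constructed to reproduce the slide: via C a total of 20, via B 30 (advertised distance 10 over a link of cost 20), via D 35 with advertised distance 25. The test is written as "no greater than variance times FD" so that equal-cost paths are installed with the default variance of 1, which is how IOS behaves; function names are this example's own.

```python
# Added example, not from the course slides: DUAL successor / feasible
# successor selection and unequal-cost load balancing with "variance".

def dual_select(candidates, fd_history=None):
    """candidates: {neighbor: (advertised_distance, link_cost)}.

    Returns (successor, fd, feasible_successors). FD is the lowest total
    metric among the candidates; a real router keeps FD as a low-water
    mark since the route last went passive, so pass that value as
    fd_history to keep the feasibility test against the lower of the two.
    """
    totals = {n: ad + cost for n, (ad, cost) in candidates.items()}
    successor = min(totals, key=totals.get)
    fd = totals[successor]
    if fd_history is not None:
        fd = min(fd, fd_history)
    # Feasibility condition: the neighbour's AD must be strictly less than
    # FD, which guarantees the neighbour is not routing back through us.
    feasible = [n for n, (ad, _) in candidates.items()
                if n != successor and ad < fd]
    return successor, fd, feasible


def variance_paths(candidates, variance=1):
    """Paths installed in the routing table with 'variance <multiplier>'.

    A path qualifies only if it passes the feasibility condition (loop
    free) AND its total metric is no greater than variance * FD.
    variance 1 therefore installs only equal-cost paths.
    """
    successor, fd, feasible = dual_select(candidates)
    chosen = [successor]
    for n in feasible:
        ad, cost = candidates[n]
        if ad + cost <= variance * fd:
            chosen.append(n)
    return chosen


# Constructed to match the slide's example: Router E's view of network Z.
ROUTER_E_TO_Z = {
    "C": (10, 10),   # AD 10 from C, E-C link cost 10 -> total 20 (successor)
    "B": (10, 20),   # AD 10 from B, E-B link cost 20 -> total 30
    "D": (25, 10),   # AD 25 from D, E-D link cost 10 -> total 35, AD >= FD
}

if __name__ == "__main__":
    print(dual_select(ROUTER_E_TO_Z))        # ('C', 20, ['B'])
    print(variance_paths(ROUTER_E_TO_Z, 1))  # ['C']
    print(variance_paths(ROUTER_E_TO_Z, 2))  # ['C', 'B']; D never qualifies
```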
Configuring WAN Links
 EIGRP supports different WAN links:
 Point-to-point links
 NBMA
 Multipoint links

 EIGRP uses up to 50% of the configured interface
bandwidth by default; this percentage can be changed
per interface with ip bandwidth-percent eigrp
as-number percent.

Bandwidth Utilization over WAN
Interfaces
 Bandwidth utilization over point-to-point subinterfaces
using Frame Relay:
 Treats bandwidth as T1 by default
 Should manually configure bandwidth as the CIR of
the PVC
 Bandwidth utilization over multipoint Frame Relay,
ATM, and ISDN PRI:
 EIGRP uses the bandwidth on the physical interface divided
by the number of neighbors on that interface to calculate the
bandwidth attributed per neighbor.

Bandwidth Utilization over WAN
Interfaces (Cont.)
 Each PVC can have a different CIR, creating an EIGRP
packet-pacing problem.
 Multipoint interfaces:
 Convert these to point-to-point configuration or
manually configure bandwidth by multiplying the
lowest CIR by the number of PVCs.

EIGRP WAN Configuration:
Frame Relay Hub-and-Spoke Topology

• Configure each virtual circuit as point-to-point; specify bandwidth = 1/10 of link capacity.
• Increase EIGRP utilization to 50% of actual VC capacity.
EIGRP WAN Configuration:
Hybrid Multipoint

• Configure the lowest-CIR virtual circuit as point-to-point; specify
bandwidth = CIR.
• Configure higher-CIR virtual circuits as multipoint; combine their CIRs.
Configuring EIGRP Authentication

Router Authentication
 Many routing protocols support authentication such
that a router authenticates the source of each routing
update packet that it receives.
 Simple password authentication is supported by:
 IS-IS
 OSPF
 RIPv2
 MD5 authentication is supported by:
 OSPF
 RIPv2
 BGP
 EIGRP
Simple Password vs. MD5
Authentication
 Simple password authentication:
 Router sends packet and key.
 Neighbor checks whether key matches its key.
 Process not secure: the key crosses the wire in clear text, so anyone
who captures one packet can read it and inject their own updates.
 MD5 authentication:
 Configure a key (password) and key ID; router generates a
message digest, or hash, of the key, key ID and message.
 Message digest is sent with packet; key is not sent.
 Process is secure against this: the key never leaves the router, and the
receiver recomputes the digest with its own copy of the key.

EIGRP MD5 Authentication
 EIGRP supports MD5 authentication (keyed MD5). EIGRP named
mode on newer IOS releases also offers HMAC-SHA-256, which
should be preferred where available.
 The router generates a digest for every EIGRP packet it sends
and checks the digest on every EIGRP packet it receives, so it
authenticates the source of each routing update packet.
 Configure a key (password) and key ID; each participating
neighbor must have the same key configured under the same key ID.

MD5 Authentication
EIGRP MD5 authentication:
 Router generates a message digest, or hash, of the key,
key ID, and message.
 EIGRP allows keys to be managed using key chains.
 Specify key ID (number), key, and lifetime of key.
 For sending, the first key that is within its send-lifetime, in
ascending order of key numbers, is used; a received packet is checked
against the key whose ID it carries, if that key is within its
accept-lifetime.

Configuring EIGRP MD5
Authentication
Router(config-if)#
ip authentication mode eigrp autonomous-system md5

• Specifies MD5 authentication for EIGRP packets

Router(config-if)#
ip authentication key-chain eigrp autonomous-system
name-of-chain

• Enables authentication of EIGRP packets using key in the keychain

Configuring EIGRP MD5
Authentication (Cont.)
Router(config)#
key chain name-of-chain

• Enters configuration mode for the keychain


Router(config-keychain)#
key key-id

• Identifies key and enters configuration mode for the keyid

Configuring EIGRP MD5
Authentication (Cont.)
Router(config-keychain-key)#
key-string text

• Identifies key string (password)


Router(config-keychain-key)#
accept-lifetime start-time {infinite | end-time | duration
seconds}

• Optional: Specifies when key will be accepted for received packets

Router(config-keychain-key)#
send-lifetime start-time {infinite | end-time | duration
seconds}

• Optional: Specifies when key can be used for sending packets

Example MD5 Authentication
Configuration

R1 Configuration for MD5
Authentication
<output omitted>
key chain R1chain
key 1
key-string firstkey
accept-lifetime 04:00:00 Jan 1 2006 infinite
send-lifetime 04:00:00 Jan 1 2006 04:01:00 Jan 1 2006
key 2
key-string secondkey
accept-lifetime 04:00:00 Jan 1 2006 infinite
send-lifetime 04:00:00 Jan 1 2006 infinite
<output omitted>
interface FastEthernet0/0
ip address 172.16.1.1 255.255.255.0
!
interface Serial0/0/1
bandwidth 64
ip address 192.168.1.101 255.255.255.224
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100 R1chain
!
router eigrp 100
network 172.16.1.0 0.0.0.255
network 192.168.1.0
auto-summary
R2 Configuration for MD5
Authentication
<output omitted>
key chain R2chain
key 1
key-string firstkey
accept-lifetime 04:00:00 Jan 1 2006 infinite
send-lifetime 04:00:00 Jan 1 2006 infinite
key 2
key-string secondkey
accept-lifetime 04:00:00 Jan 1 2006 infinite
send-lifetime 04:00:00 Jan 1 2006 infinite
<output omitted>
interface FastEthernet0/0
ip address 172.17.2.2 255.255.255.0
!
interface Serial0/0/1
bandwidth 64
ip address 192.168.1.102 255.255.255.224
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100 R2chain
!
router eigrp 100
network 172.17.2.0 0.0.0.255
network 192.168.1.0
auto-summary
Verifying MD5 Authentication
R1#
*Jan 21 16:23:30.517: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor
192.168.1.102 (Serial0/0/1) is up: new adjacency

R1#show ip eigrp neighbors


IP-EIGRP neighbors for process 100
H   Address         Interface   Hold Uptime     SRTT   RTO   Q    Seq
                                (sec)           (ms)         Cnt  Num
0   192.168.1.102   Se0/0/1       12 00:03:10     17   2280  0    14
R1#show ip route
<output omitted>
Gateway of last resort is not set
D 172.17.0.0/16 [90/40514560] via 192.168.1.102, 00:02:22, Serial0/0/1
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
D 172.16.0.0/16 is a summary, 00:31:31, Null0
C 172.16.1.0/24 is directly connected, FastEthernet0/0
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.96/27 is directly connected, Serial0/0/1
D 192.168.1.0/24 is a summary, 00:31:31, Null0
R1#ping 172.17.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.17.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/15/16 ms
Troubleshooting MD5
Authentication
R1#debug eigrp packets
EIGRP Packets debugging is on
(UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY,
SIAREPLY)
*Jan 21 16:38:51.745: EIGRP: received packet with MD5 authentication, key id = 1
*Jan 21 16:38:51.745: EIGRP: Received HELLO on Serial0/0/1 nbr 192.168.1.102
*Jan 21 16:38:51.745: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0

R2#debug eigrp packets


EIGRP Packets debugging is on
(UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY,
SIAREPLY)
R2#
*Jan 21 16:38:38.321: EIGRP: received packet with MD5 authentication, key id = 2
*Jan 21 16:38:38.321: EIGRP: Received HELLO on Serial0/0/1 nbr 192.168.1.101
*Jan 21 16:38:38.321: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0

Troubleshooting MD5
Authentication Problem
MD5 authentication is configured on both R1 and R2, but R1's key 2 (the
key it currently uses when sending, since key 1's send-lifetime has expired)
is changed to a wrong value:
R1(config-if)#key chain R1chain
R1(config-keychain)#key 2
R1(config-keychain-key)#key-string wrongkey

R2#debug eigrp packets


EIGRP Packets debugging is on
(UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY,
SIAREPLY)
R2#
*Jan 21 16:50:18.749: EIGRP: pkt key id = 2, authentication mismatch
*Jan 21 16:50:18.749: EIGRP: Serial0/0/1: ignored packet from 192.168.1.101, opcode = 5 (invalid authentication)
*Jan 21 16:50:18.749: EIGRP: Dropping peer, invalid authentication
*Jan 21 16:50:18.749: EIGRP: Sending HELLO on Serial0/0/1
*Jan 21 16:50:18.749: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Jan 21 16:50:18.753: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.101
(Serial0/0/1) is down: Auth failure

R2#show ip eigrp neighbors


IP-EIGRP neighbors for process 100
R2#
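A model of the key-chain selection and verification behaviour shown in the configuration and debug output above, as an added Python example; it is not code from the course slides and does not reproduce EIGRP's real authentication TLV layout. The key chains are R1chain and R2chain exactly as configured above. Assumed for the model: the digest is md5(key ID | key string | packet body), as the slide describes it, and the packet body is a constructed byte string. With these definitions R1 sends with key 1 only during its one-minute send-lifetime and with key 2 afterwards, R2 always sends with key 1, and changing R1's key 2 produces the "authentication mismatch" seen on R2.

```python
# Added example, not from the course slides: IOS key-chain lifetimes and
# MD5-authenticated packet verification, modelled on the R1chain/R2chain
# configuration in this section. Digest layout is a simplification.
import hashlib
import hmac
from datetime import datetime


def in_lifetime(window, now):
    """window = (start, end); end None means 'infinite'."""
    start, end = window
    return start <= now and (end is None or now < end)


class KeyChain:
    def __init__(self, name, keys):
        # keys: {key_id: (key_string, accept_window, send_window)}
        self.name = name
        self.keys = dict(sorted(keys.items()))   # ordered by key number

    def send_key(self, now):
        """First key in key-number order whose send-lifetime covers now."""
        for key_id, (key_string, _accept, send) in self.keys.items():
            if in_lifetime(send, now):
                return key_id, key_string
        raise LookupError(f"{self.name}: no key valid for sending at {now}")

    def accept_key(self, key_id, now):
        """Key string for key_id if its accept-lifetime covers now."""
        entry = self.keys.get(key_id)
        if entry is not None and in_lifetime(entry[1], now):
            return entry[0]
        return None


def digest(key_id, key_string, body):
    # Simplified model of the slide's "hash of key, key ID and message".
    return hashlib.md5(bytes([key_id]) + key_string + body).hexdigest()


def send(chain, body, now):
    key_id, key_string = chain.send_key(now)
    return {"key_id": key_id, "digest": digest(key_id, key_string, body),
            "body": body}


def verify(chain, packet, now):
    """True if the packet authenticates. An unknown or expired key ID, or a
    digest that does not match, is the 'authentication mismatch' case and
    the packet is ignored. Constant-time compare avoids a timing oracle."""
    key_string = chain.accept_key(packet["key_id"], now)
    if key_string is None:
        return False
    expected = digest(packet["key_id"], key_string, packet["body"])
    return hmac.compare_digest(expected, packet["digest"])


def exchange(sender, receiver, now):
    """One hello from sender to receiver: (key id used, accepted?)."""
    packet = send(sender, HELLO, now)
    return packet["key_id"], verify(receiver, packet, now)


T0 = datetime(2006, 1, 1, 4, 0)      # 04:00:00 Jan 1 2006
T1 = datetime(2006, 1, 1, 4, 1)      # 04:01:00 Jan 1 2006
INF = None
R1CHAIN = KeyChain("R1chain", {
    1: (b"firstkey", (T0, INF), (T0, T1)),    # sent for one minute only
    2: (b"secondkey", (T0, INF), (T0, INF)),
})
R2CHAIN = KeyChain("R2chain", {
    1: (b"firstkey", (T0, INF), (T0, INF)),
    2: (b"secondkey", (T0, INF), (T0, INF)),
})
# R1 after "key 2 / key-string wrongkey" from the troubleshooting slide
R1CHAIN_WRONG = KeyChain("R1chain", {
    1: (b"firstkey", (T0, INF), (T0, T1)),
    2: (b"wrongkey", (T0, INF), (T0, INF)),
})
HELLO = b"EIGRP HELLO AS 100"                 # constructed packet body
EARLY = datetime(2006, 1, 1, 4, 0, 30)        # inside key 1's send-lifetime
LATER = datetime(2006, 1, 21, 16, 38)         # time of the debug output

if __name__ == "__main__":
    print(exchange(R1CHAIN, R2CHAIN, EARLY))        # (1, True)
    print(exchange(R1CHAIN, R2CHAIN, LATER))        # (2, True)
    print(exchange(R2CHAIN, R1CHAIN, LATER))        # (1, True)
    print(exchange(R1CHAIN_WRONG, R2CHAIN, LATER))  # (2, False)
```

The overlapping accept-lifetimes are what make a key rollover safe: R2 keeps accepting key 1 and key 2 indefinitely, so the moment R1 switches its send key nothing is dropped. Clocks matter here; with lifetimes configured, an unsynchronised clock on one router will silently move it onto a different key.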
Using EIGRP in an Enterprise Network

Factors That Influence EIGRP
Scalability
 Quantity of routing information exchanged between
peers; without proper route summarization, this can be
excessive.
 Number of routers that must be involved when a
topology change occurs.
 Depth of topology: the number of hops that information
must travel to reach all routers.
 Number of alternate paths through the network.

EIGRP Query Process
 Queries are sent when a route is lost and no feasible
successor is available.
 The lost route is now in active state.
 Queries are sent to all neighboring routers on all
interfaces except the interface to the successor.
 If the neighbors do not have the lost-route information,
queries are sent to their neighbors.
 If a router has an alternate route, it answers the query;
this stops the query from spreading in that branch of the
network.

Updates and Queries in Hub-and-
Spoke Topology

You do not want to use these paths!


EIGRP Stub
 The EIGRP stub routing feature improves network
stability, reduces resource utilization, and simplifies
remote router (spoke) configuration.
 Stub routing is commonly used in a hub-and-spoke
topology.
 A stub router sends a special peer information
packet to all neighboring routers to report its status
as a stub router.
 A neighbor that receives a packet informing it of the stub
status does not query the stub router for any routes.

Configuring EIGRP Stub
Router(config-router)#
eigrp stub [receive-only|connected|static|summary]

 receive-only: Prevents the stub from sending any type of route.
 connected: Permits stub to send connected routes
(may still need to redistribute).
 static: Permits stub to send static routes
(must still redistribute).
 summary: Permits stub to send summary routes.
 Default is connected and summary.

Limiting Updates and Queries:
Using EIGRP Stub

Example: eigrp stub Parameters
If stub connected is configured:
 B will advertise 10.1.2.0/24 to A.
 B will not advertise 10.1.2.0/23, 10.1.3.0/24, or 10.1.4.0/24.
If stub summary is configured:
 B will advertise 10.1.2.0/23 to A.
 B will not advertise 10.1.2.0/24, 10.1.3.0/24, or 10.1.4.0/24.
Example: eigrp stub Parameters (Cont.)
If stub static is configured:
 B will advertise 10.1.4.0/24 to A.
 B will not advertise 10.1.2.0/24, 10.1.2.0/23, or 10.1.3.0/24.
If stub receive-only is configured:
 B will not advertise anything to A, so A needs a static route to the
networks behind B to reach them.
EIGRP Query Process Stuck in
Active
 The router has to get all the replies from the neighbors
with an outstanding query before the router calculates
the successor information.
 If any neighbor fails to reply to the query within 3
minutes by default, the route is SIA, and the router
resets the neighbor relationship with the neighbor that
fails to reply.

Active Process Enhancement
Before: Router A resets its relationship to router B when the normal
active timer expires, although the real problem is the link between
routers B and C.
After: Router A sends an SIA-Query at half of the normal active timer.
Router B acknowledges the query, thereby keeping the relationship up.

Graceful Shutdown

Introducing the OSPF Protocol

Link-State Protocols

Link-State Data Structures
 Neighbor table:
 Also known as the adjacency database
 Contains list of recognized neighbors
 Topology table:
 Typically referred to as LSDB
 Contains all routers and their attached links in the area or
network
 Identical LSDB for all routers within an area
 Routing table:
 Commonly named a forwarding database
 Contains list of best paths to destinations
Link-State Routing Protocols
 Link-state routers recognize more information about the
network than their distance vector counterparts.
 Each router has a full picture of the topology.
 Consequently, link-state routers tend to make more
accurate decisions.

Link-State Data Structure:
Network Hierarchy
 Link-state routing requires a hierarchical
network structure that is enforced by OSPF.
 This two-level hierarchy consists of the following:
 Transit area (backbone or area 0)
 Regular areas (nonbackbone areas)

OSPF Areas
OSPF area
characteristics:
• Minimizes routing
table entries
• Localizes impact of
a topology change
within an area
• Detailed LSA
flooding stops at
the area boundary
• Requires a
hierarchical
network design

Area Terminology
• Routers A and B are
backbone routers.
• Backbone routers
make up area 0.
• Routers C, D, and E are
known as area border
routers (ABRs).
• ABRs attach all other areas
to area 0.

OSPF Adjacencies

 Routers discover neighbors by exchanging hello packets.
 Routers declare neighbors to be up after checking
certain parameters or options in the hello packet.
Forming OSPF Adjacencies
 Point-to-point WAN links:
 Both neighbors become fully adjacent.

 LAN links:
 Neighbors form a full adjacency with the DR and BDR.
 Routers maintain two-way state with the other routers
(DROTHERs).
 Routing updates and topology information are passed
only between adjacent routers.
 Once an adjacency is formed, LSDBs are synchronized
by exchanging LSAs.
 LSAs are flooded reliably throughout the area (or
network).
OSPF Calculation
Routers find the best paths to destinations by applying
Dijkstra’s SPF algorithm to the link-state database as
follows:
 Every router in an area has the identical
link-state database.
 Each router in the area places itself into
the root of the tree that is built.
 The best path is calculated with respect to the
lowest total cost of links to a specific destination.
 Best routes are put into the forwarding database
(routing table).
SPF Calculation

Assume all links are Ethernet, with an OSPF cost of 10.
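Dijkstra's SPF run from one router over a link-state database, as an added Python example (not code from the course slides). The slide's figure is not reproduced here, so the topology is constructed: five routers A to E with links A-B, A-C, B-D, C-D and D-E, every link Ethernet with cost 10 in both directions as the slide assumes. The example goes slightly beyond the slide by recording every equal-cost first hop, which is what lets OSPF install ECMP routes (up to maximum-paths); the function names are this example's own.

```python
# Added example, not from the course slides: SPF (Dijkstra) over an LSDB,
# placing one router at the root and keeping all equal-cost first hops.
import heapq
from collections import defaultdict


def spf(lsdb, root):
    """lsdb: {router: {neighbour: cost_of_outgoing_interface}}.

    Returns (dist, next_hops): dist[x] is the lowest total cost from root
    to x (sum of outgoing interface costs along the path), next_hops[x] is
    the set of root's directly connected neighbours that lie on an
    equal-cost shortest path to x.
    """
    dist = {root: 0}
    next_hops = defaultdict(set)
    heap = [(0, root)]
    finished = set()
    while heap:
        d, u = heapq.heappop(heap)
        if u in finished:            # stale heap entry
            continue
        finished.add(u)              # dist[u] and next_hops[u] are final now
        for v, cost in lsdb.get(u, {}).items():
            nd = d + cost
            via = {v} if u == root else set(next_hops[u])
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                next_hops[v] = via
                heapq.heappush(heap, (nd, v))
            elif nd == dist[v]:      # another path of equal cost
                next_hops[v] |= via
    return dist, dict(next_hops)


def undirected(links, cost=10):
    """Build an LSDB from (a, b) pairs with the same cost in each direction."""
    lsdb = defaultdict(dict)
    for a, b in links:
        lsdb[a][b] = cost
        lsdb[b][a] = cost
    return dict(lsdb)


# Constructed topology: all Ethernet, OSPF cost 10 on every interface.
LSDB = undirected([("A", "B"), ("A", "C"), ("B", "D"), ("C", "D"), ("D", "E")])

if __name__ == "__main__":
    dist, nh = spf(LSDB, "A")
    for dst in sorted(dist):
        print(dst, dist[dst], sorted(nh.get(dst, ())))
    # D and E are reached at equal cost through B and through C.
```

Every router in the area runs the same computation over the same LSDB with itself as root, which is why identical databases are a precondition for loop-free forwarding.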


Link-State Data Structures: LSA
Operation

OSPF Packet Types

OSPF Packet Types

Neighborship: The Hello Packet

Establishing Bidirectional
Communication

Discovering the Network Routes

Adding the Link-State Entries

Maintaining Routing Information

• Router A notifies all OSPF DRs on 224.0.0.6.
• The DR notifies the others on 224.0.0.5.
LSA Sequence Numbering
 Each LSA in the LSDB maintains a sequence number.
 The sequence number is a signed 4-byte value that begins at
0x80000001 and ends at 0x7FFFFFFF (0x80000000 is reserved and
never used).
 OSPF refloods each LSA every 30 minutes to maintain proper
database synchronization; each refresh increments the sequence number.
 When the sequence number reaches 0x7FFFFFFF, the originator flushes
the LSA (ages it to MaxAge) and then starts again at 0x80000001.
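How OSPF orders and advances LSA sequence numbers, as an added Python example (not code from the course slides). The constants are the ones on the slide and in RFC 2328 (signed 32-bit comparison, InitialSequenceNumber 0x80000001, MaxSequenceNumber 0x7FFFFFFF); the helper names are this example's own. The instance-count helper reproduces the reading of the show ip ospf database output on the next slide, where Seq# 0x80000008 means the eighth instance of that router LSA.

```python
# Added example, not from the course slides: signed 32-bit LSA sequence
# number comparison, increment and wrap handling (RFC 2328, 12.1.6).
INITIAL_SEQ = 0x80000001      # first instance of an LSA
MAX_SEQ = 0x7FFFFFFF          # last usable value before the wrap
RESERVED_SEQ = 0x80000000     # never appears on the wire
MASK32 = 0xFFFFFFFF


def signed32(seq):
    """OSPF orders sequence numbers as signed 32-bit integers, so
    0x80000001 is the most negative value and 0x7FFFFFFF the largest."""
    return seq - (1 << 32) if seq & 0x80000000 else seq


def is_newer(candidate, current):
    """True when a received instance is more recent than the stored one.
    The receiver installs and refloods a newer instance; for an older one
    it answers with its own, newer copy instead."""
    return signed32(candidate) > signed32(current)


def next_seq(seq):
    """Sequence number for the next instance an originator emits.

    Returns None at MAX_SEQ: the originator must first flush the LSA
    (age it to MaxAge) so every router discards it, and only then may it
    restart at INITIAL_SEQ. Without the flush, the restarted LSA would
    compare as older than the stored 0x7FFFFFFF copy and be ignored.
    """
    if seq == MAX_SEQ:
        return None
    if seq == RESERVED_SEQ:
        raise ValueError("0x80000000 is not a valid LSA sequence number")
    return (seq + 1) & MASK32     # 0xFFFFFFFF (-1) advances to 0x00000000 (0)


def instance_count(seq):
    """How many instances have been originated, counting INITIAL_SEQ as 1;
    0x80000008 in the database output is the eighth instance."""
    return signed32(seq) - signed32(INITIAL_SEQ) + 1


if __name__ == "__main__":
    print(is_newer(0x80000008, 0x80000006))   # True
    print(next_seq(0xFFFFFFFF))               # 0
    print(next_seq(MAX_SEQ))                  # None: flush first
    print(instance_count(0x80000008))         # 8
```

The signed ordering is why a sequence number is not a simple counter: an attacker or a misbehaving router that injects an instance with 0x7FFFFFFF forces the legitimate originator through the flush-and-restart path, which is the basis of the MaxSequenceNumber attacks discussed in OSPF security work.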

LSA Sequence Numbers and
Maximum Age
RTC# show ip ospf database

OSPF Router with ID (192.168.1.67) (Process ID 10)

Router Link States (Area 1)
Link ID         ADV Router      Age   Seq#         Checksum  Link count
192.168.1.67    192.168.1.67    48    0x80000008   0xB112    2
192.168.2.130   192.168.2.130   212   0x80000006   0x3F44    2
<output omitted>

 Every OSPF router announces a router LSA for the interfaces that
it owns in that area.
 The router LSA with link ID 192.168.1.67 is at its eighth instance
(Seq# 0x80000008); the last update was 48 seconds ago.

Configuring OSPF Routing

Configuring Basic OSPF
Router(config)#
router ospf process-id [vrf vpn-name]

• Enables one or more OSPF routing processes

Router(config-router)#
network ip-address wildcard-mask area area-id

• Defines the interfaces that OSPF will run on

Router(config-if)#
ip ospf process-id area area-id [secondaries none]

• Optional method to enable OSPF explicitly on an interface

Configuring OSPF on Internal
Routers of a Single Area

Configuring OSPF for Multiple
Areas

OSPF Router ID
The router is known to OSPF by the OSPF router ID number.

 LSDBs use the OSPF router ID to differentiate one router
from the next.
 By default, the router ID is the highest IP address on an
active interface at the moment of OSPF process startup.
 A loopback interface can override the OSPF router ID. If a
loopback interface exists, the router ID is the highest IP
address on any active loopback interface.
 The OSPF router-id command can be used to override the
OSPF router ID.
 Using a loopback interface or a router-id command is
recommended for stability.

Loopback Interfaces

Router(config)#interface loopback 0
Router(config-if)#ip address 172.16.17.5 255.255.255.255

• If the OSPF process is already running, the router must be reloaded or
the OSPF process must be removed and reconfigured before the new
loopback address will take effect.

OSPF router-id Command
Router(config-router)#
router-id ip-address

• This command is configured under the router ospf [process-id] command.
• Any unique arbitrary 32-bit value in an IP address format (dotted
decimal) can be used.
• If this command is used on an OSPF process that is already active,
then the new router ID is used after the next reload or manual OSPF
process restart using:
Router#
clear ip ospf process

Router(config)#router ospf 1
Router(config-router)#router-id 172.16.1.1

Router#clear ip ospf process


OSPF Router ID Verification
RouterB#sh ip ospf
Routing Process "ospf 50" with ID 10.64.0.2
<output omitted>

Number of areas in this router is 2. 2 normal 0 stub 0 nssa


Number of areas transit capable is 0
External flood list length 0
Area BACKBONE(0)
Area has no authentication
SPF algorithm last executed 00:01:25.028 ago
SPF algorithm executed 7 times
<output omitted>

Area 1
Number of interfaces in this area is 1
Area has no authentication
SPF algorithm last executed 00:00:54.636 ago
SPF algorithm executed 3 times
<output omitted>

Verifying OSPF Operation
Router#
show ip protocols

• Verifies the configured IP routing protocol processes, parameters, and
statistics

Router#
show ip route ospf [process-id ]

• Displays all OSPF routes learned by the router

Router#
show ip ospf interface [type number]

• Displays the OSPF router ID, area ID, and adjacency information

Verifying OSPF Operation (Cont.)
Router#
show ip ospf

• Displays the OSPF router ID, timers, and statistics

Router#

show ip ospf neighbor [type number] [neighbor-id] [detail]

• Displays information about the OSPF neighbors, including DR and
BDR information on broadcast networks

Example: The show ip route ospf
Command
RouterA#show ip route ospf
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
O IA 10.2.1.0/24 [110/782] via 10.64.0.2, 00:03:05, FastEthernet0/0
RouterA#

Example: The show ip ospf
interface Command
RouterA#show ip ospf interface fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up
Internet Address 10.64.0.1/24, Area 0
Process ID 1, Router ID 10.64.0.1, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State DROTHER, Priority 0
Designated Router (ID) 10.64.0.2, Interface address 10.64.0.2
No backup designated router on this network
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:04
Supports Link-local Signaling (LLS)
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 4
Last flood scan time is 0 msec, maximum is 4 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 10.64.0.2 (Designated Router)
Suppress hello for 0 neighbor(s)

Example: The show ip ospf
neighbor Command
RouterB# show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address      Interface
10.64.0.1         0   FULL/DROTHER    00:00:30    10.64.0.1    FastEthernet0/0
10.2.1.1          0   FULL/  -        00:00:34    10.2.1.1     Serial0/0/1

RouterB# show ip ospf neighbor detail
Neighbor 10.64.0.1, interface address 10.64.0.1
In the area 0 via interface FastEthernet0/0
Neighbor priority is 0, State is FULL, 16 state changes
DR is 10.64.0.2 BDR is 0.0.0.0
<output omitted>
Neighbor 10.2.1.1, interface address 10.2.1.1
In the area 1 via interface Serial0/0/1
Neighbor priority is 0, State is FULL, 6 state changes
DR is 0.0.0.0 BDR is 0.0.0.0
<output omitted>

Prepared By:Waleed Adlan-CCIE41999 -


waleed_hashim@hotmail.com
OSPF Network Types
The three types of networks defined by OSPF are:
• Point-to-point: A network that joins a single pair of routers.
• Broadcast: A multiaccess broadcast network, such as Ethernet.
• Nonbroadcast multiaccess (also called NBMA): A network that interconnects more than two routers but that has no broadcast capability. Frame Relay, ATM, and X.25 are examples of NBMA networks.
• Five modes of OSPF operation are available for NBMA networks.
Point-to-Point Links
• Usually a serial interface running either PPP or HDLC.
• May also be a point-to-point subinterface running Frame Relay or ATM.
• No DR or BDR election required.
• OSPF autodetects this interface type.
• OSPF packets are sent using multicast 224.0.0.5.
Multiaccess Broadcast Network
• Generally LAN technologies, such as Ethernet and Token Ring.
• DR and BDR selection are required.
• All neighbor routers form full adjacencies with the DR and BDR only.
• Packets to the DR and the BDR use 224.0.0.6.
• Packets from the DR to all other routers use 224.0.0.5.
Electing the DR and BDR
• Hello packets are exchanged via IP multicast.
• The router with the highest OSPF priority is selected as the DR. The router with the second-highest priority value is the BDR.
• The highest OSPF router ID is the tiebreaker.
• The DR election is nonpreemptive: once a DR and BDR exist, a router that joins later with a higher priority does not take over. Only when the DR fails is the BDR promoted and a new BDR elected.
Setting Priority for DR Election
Router(config-if)#
ip ospf priority number

• This interface configuration command assigns the OSPF priority to an interface.
• Different interfaces on a router may be assigned different values.
• The default priority is 1. The range is from 0 to 255.
• 0 means the router cannot be the DR or BDR.
• A router that is not the DR or BDR is DROTHER.
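The election rules above, as an added example that is not part of the original slides: a Python simulation of RFC 2328 section 9.4, run from the Hello packets each router sends on the segment (every Hello carries the DR and BDR that router currently claims). The router IDs, priorities and the Router class are made up for the example. The scenario shows the priority-0 exclusion, the router-ID tiebreak, why a router that joins later with a higher priority stays DROTHER, and what happens when the DR fails.

```python
"""DR/BDR election on a broadcast segment (RFC 2328 section 9.4).

Added example, not from the slides: the election is simulated from the
Hello packets every router sends (each Hello carries the DR and BDR that
router currently claims), which is what makes the result non-preemptive.
"""
from dataclasses import dataclass

NONE = "0.0.0.0"


@dataclass
class Router:
    rid: str          # OSPF router ID (constructed for this example)
    prio: int         # ip ospf priority (0 = never DR/BDR)
    dr: str = NONE    # DR this router claims in its Hello
    bdr: str = NONE   # BDR this router claims in its Hello


def rid_key(rid):
    """Router IDs compare numerically, octet by octet, not as strings."""
    return tuple(int(o) for o in rid.split("."))


def best(routers):
    """Highest priority wins; the highest router ID breaks a tie."""
    return max(routers, key=lambda r: (r.prio, rid_key(r.rid)))


def elect(routers):
    """One pass of the election as seen by any router on the segment.
    Returns (dr, bdr) router IDs."""
    eligible = [r for r in routers if r.prio > 0]      # priority 0 never competes
    if not eligible:
        return NONE, NONE
    # Step 2: the BDR comes from routers NOT declaring themselves DR; routers
    # already declaring themselves BDR are preferred over everyone else.
    not_dr = [r for r in eligible if r.dr != r.rid]
    claim_bdr = [r for r in not_dr if r.bdr == r.rid]
    if claim_bdr:
        bdr = best(claim_bdr).rid
    elif not_dr:
        bdr = best(not_dr).rid
    else:
        bdr = NONE
    # Step 3: the DR comes from routers declaring themselves DR; if nobody
    # does, the new BDR is promoted.
    claim_dr = [r for r in eligible if r.dr == r.rid]
    dr = best(claim_dr).rid if claim_dr else bdr
    return dr, bdr


def converge(routers, max_rounds=10):
    """Let every router update the DR/BDR it claims after each pass until the
    result is stable, which is how the segment settles after a change. An
    established DR keeps declaring itself DR, so newcomers cannot preempt it."""
    last = None
    for _ in range(max_rounds):
        result = elect(routers)
        for r in routers:
            r.dr, r.bdr = result
        if result == last:
            return result
        last = result
    raise RuntimeError("election did not converge")


if __name__ == "__main__":
    segment = [Router("10.0.0.1", 1), Router("10.0.0.2", 1),
               Router("10.0.0.3", 1), Router("10.0.0.4", 0)]
    print("cold start:   ", converge(segment))     # ('10.0.0.3', '10.0.0.2')
    segment.append(Router("10.0.0.5", 255))        # joins with the highest priority
    print("after join:   ", converge(segment))     # unchanged: no preemption
    segment = [r for r in segment if r.rid != "10.0.0.3"]   # the DR fails
    print("after DR loss:", converge(segment))     # ('10.0.0.2', '10.0.0.5')
```

With equal priorities the highest router ID (10.0.0.3) becomes DR and the next (10.0.0.2) BDR; 10.0.0.4 is excluded by priority 0. The router with priority 255 that joins afterwards becomes DROTHER, and only after the DR is lost does the BDR move up and the priority-255 router become BDR.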
NBMA Topology
• A single interface interconnects multiple sites.
• NBMA topologies support multiple routers, but without broadcasting capabilities.
DR Election in NBMA Topology
• OSPF considers NBMA to be like other broadcast media.
• The DR and BDR need to have fully meshed connectivity with all other routers, but NBMA networks are not always fully meshed.
• The DR and BDR need a list of neighbors.
• Without broadcast or multicast on the NBMA cloud, OSPF neighbors are not automatically discovered by the router; they must be configured statically.
Frame Relay Topologies
OSPF over NBMA Topology Modes of Operation
• RFC 2328-compliant modes are as follows:
  • Nonbroadcast (NBMA)
  • Point-to-multipoint
• Additional modes from Cisco are as follows:
  • Point-to-multipoint nonbroadcast
  • Broadcast
  • Point-to-point
Selecting the OSPF Network Type for NBMA Networks
Router(config-if)#
ip ospf network {broadcast | non-broadcast | point-to-multipoint [non-broadcast] | point-to-point}

• Defines the OSPF network type on the interface

Example: Broadcast Mode

Router(config)#interface serial 0/0/0
Router(config-if)#encapsulation frame-relay
Router(config-if)#ip ospf network broadcast
Nonbroadcast Mode (NBMA Mode)
• Treated as a broadcast network by OSPF (acts like a LAN).
• All serial ports are part of the same IP subnet.
• Frame Relay, X.25, and ATM networks default to nonbroadcast mode.
• Neighbors must be statically configured.
• Duplicates LSA updates: with no multicast on the NBMA cloud, the DR sends each update as a separate unicast to every neighbor.
• Complies with RFC 2328.

Using the neighbor Command
Router(config-router)#
neighbor ip-address [priority number] [poll-interval number] [cost number] [database-filter all]

• Used to statically define neighbor relationships in an NBMA network
neighbor Command Example

RouterA(config)# router ospf 100
RouterA(config-router)# network 192.168.0.0 0.0.255.255 area 0
RouterA(config-router)# neighbor 192.168.1.2 priority 0
RouterA(config-router)# neighbor 192.168.1.3 priority 0
RouterA(config-router)# network 172.16.0.0 0.0.255.255 area 0
The show ip ospf neighbor Command

RouterA# show ip ospf neighbor

Neighbor ID     Pri   State          Dead Time   Address        Interface
192.168.1.3       0   FULL/DROTHER   00:01:57    192.168.1.3    Serial0/0/0
192.168.1.2       0   FULL/DROTHER   00:01:33    192.168.1.2    Serial0/0/0
172.16.1.1        1   FULL/BDR       00:00:34    172.16.1.1     FastEthernet0/0
Point-to-Multipoint Mode
• The point-to-multipoint mode allows for NBMA networking.
• The point-to-multipoint mode suits partial-mesh and star topologies: no DR/BDR is elected, so no full mesh is required.
• No DR is required and only a single subnet is used.
• A 30-second hello (with a 120-second dead interval) is used.
• This mode is RFC 2328-compliant.
Point-to-Multipoint Configuration
Router A
interface Serial0/0/0
ip address 192.168.1.1 255.255.255.0
encapsulation frame-relay
ip ospf network point-to-multipoint
<output omitted>

router ospf 100
log-adjacency-changes
network 172.16.0.0 0.0.255.255 area 0
network 192.168.0.0 0.0.255.255 area 0

Router C
interface Serial0/0/0
ip address 192.168.1.3 255.255.255.0
encapsulation frame-relay
ip ospf network point-to-multipoint
ip ospf priority 0
Point-to-Multipoint Example
RouterA#sh ip ospf int s0/0/0
Serial0/0/0 is up, line protocol is up
Internet Address 192.168.1.1/24, Area 0
Process ID 100, Router ID 192.168.1.1, Network Type POINT_TO_MULTIPOINT,
Cost: 781
Transmit Delay is 1 sec, State POINT_TO_MULTIPOINT
Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
oob-resync timeout 120
Hello due in 00:00:26
Supports Link-local Signaling (LLS)
Index 2/2, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 4 msec
Neighbor Count is 2, Adjacent neighbor count is 2
Adjacent with neighbor 192.168.1.3
Adjacent with neighbor 192.168.1.2
Suppress hello for 0 neighbor(s)
RouterA#

Point-to-Multipoint Nonbroadcast
• Cisco extension to RFC-compliant point-to-multipoint mode
• Must statically define neighbors, like nonbroadcast mode
• Like point-to-multipoint mode, DR and BDR not elected
• Used in special cases where neighbors cannot be automatically discovered
Using Subinterfaces
Router(config)#
interface serial number.subinterface-number {multipoint | point-to-point}

• The physical serial port becomes multiple logical ports.
• Each subinterface requires an IP subnet.
Point-to-Point Subinterfaces
Router(config)#
interface serial number.subinterface-number point-to-point

• Each PVC and SVC gets its own subinterface.
• OSPF point-to-point mode is the default on point-to-point Frame Relay subinterfaces.
• No DR/BDR
• Do not need to configure neighbors
Point-to-Point Subinterface Example
• PVCs are treated like point-to-point links.
• Each subinterface requires a subnet.
Multipoint Subinterfaces
Router(config)#
interface serial number.subinterface-number multipoint

• Multiple PVCs and SVCs are on a single subinterface.
• OSPF nonbroadcast mode is the default.
• DR and BDR are required.
• Neighbors need to be statically configured.
Multipoint Subinterface Example
• Single interface serial 0/0/0 has been logically separated into two subinterfaces: one point-to-point (S0/0/0.1) and one multipoint (S0/0/0.2).
• Each subinterface requires a subnet.
• OSPF defaults to point-to-point mode on point-to-point subinterfaces.
• OSPF defaults to nonbroadcast mode on multipoint subinterfaces.
OSPF over NBMA Topology Summary

OSPF Mode                          NBMA Topology                               Subnet Address                    Hello Timer   Adjacency                              RFC or Cisco
Broadcast                          Full or partial mesh                        Same                              10 sec        Automatic, DR/BDR elected              Cisco
Nonbroadcast (NBMA)                Full or partial mesh                        Same                              30 sec        Manual configuration, DR/BDR elected   RFC
Point-to-multipoint                Partial mesh or star                        Same                              30 sec        Automatic, no DR/BDR                   RFC
Point-to-multipoint nonbroadcast   Partial mesh or star                        Same                              30 sec        Manual configuration, no DR/BDR        Cisco
Point-to-point                     Partial mesh or star, using subinterfaces   Different for each subinterface   10 sec        Automatic, no DR/BDR                   Cisco
Creation of Adjacencies for Point-to-Point Mode
RouterA# debug ip ospf adj
OSPF: Interface Serial0/0/0.1 going Up
OSPF: Build router LSA for area 0, router ID 192.168.1.1, seq 0x80000023
OSPF: Rcv DBD from 192.168.1.2 on Serial0/0/0.1 seq 0xCF0 opt 0x52 flag 0x7 len 32 mtu 1500 state INIT
OSPF: 2 Way Communication to 192.168.1.2 on Serial0/0/0.1, state 2WAY
OSPF: Send DBD to 192.168.1.2 on Serial0/0/0.1 seq 0xF4D opt 0x52 flag 0x7 len 32
OSPF: NBR Negotiation Done. We are the SLAVE
OSPF: Send DBD to 192.168.1.2 on Serial0/0/0.1 seq 0xCF0 opt 0x52 flag 0x2 len 132
OSPF: Rcv DBD from 192.168.1.2 on Serial0/0/0.1 seq 0xCF1 opt 0x52 flag 0x3 len 132 mtu 1500 state EXCHANGE
OSPF: Send DBD to 192.168.1.2 on Serial0/0/0.1 seq 0xCF1 opt 0x52 flag 0x0 len 32
OSPF: Database request to 192.168.1.2
OSPF: sent LS REQ packet to 192.168.1.2, length 12
OSPF: Rcv DBD from 192.168.1.2 on Serial0/0/0.1 seq 0xCF2 opt 0x52 flag 0x1 len 32 mtu 1500 state EXCHANGE
OSPF: Exchange Done with 192.168.1.2 on Serial0/0/0.1
OSPF: Send DBD to 192.168.1.2 on Serial0/0/0.1 seq 0xCF2 opt 0x52 flag 0x0 len 32
OSPF: Synchronized with 192.168.1.2 on Serial0/0/0.1, state FULL
%OSPF-5-ADJCHG: Process 100, Nbr 192.168.1.2 on Serial0/0/0.1 from LOADING to FULL, Loading Done
OSPF: Build router LSA for area 0, router ID 192.168.1.1, seq 0x80000024
Creation of Adjacencies for Broadcast Mode
RouterA# debug ip ospf adj
OSPF: Interface FastEthernet0/0 going Up
OSPF: Build router LSA for area 0, router ID 192.168.1.1, seq 0x80000008
OSPF: 2 Way Communication to 172.16.1.1 on FastEthernet0/0, state 2WAY
OSPF: end of Wait on interface FastEthernet0/0
<output omitted>
OSPF: Neighbor change Event on interface FastEthernet0/0
OSPF: DR/BDR election on FastEthernet0/0
OSPF: Elect BDR 172.16.1.1
OSPF: Elect DR 192.168.1.1
DR: 192.168.1.1 (Id) BDR: 172.16.1.1 (Id)
OSPF: Rcv DBD from 172.16.1.1 on FastEthernet0/0 seq 0x14B7 opt 0x52 flag 0x7 len 32 mtu 1500 state EXSTART
OSPF: First DBD and we are not SLAVE
OSPF: Send DBD to 172.16.1.1 on FastEthernet0/0 seq 0xDCE opt 0x52 flag 0x7 len 32
OSPF: Retransmitting DBD to 172.16.1.1 on FastEthernet0/0[1]
OSPF: Rcv DBD from 172.16.1.1 on FastEthernet0/0 seq 0xDCE opt 0x52 flag 0x2 len 152 mtu 1500 state EXSTART
<output omitted>
Link-State Advertisements
Issues with Maintaining a Large OSPF Network
The Solution: OSPF Hierarchical Routing
• Consists of areas and autonomous systems
• Minimizes routing update traffic
Types of OSPF Routers
Defining Virtual Links
• Virtual links are used to connect a discontiguous area to area 0.
• A logical connection is built between router A and router B.
• Virtual links are recommended for backup or temporary connections only.
Configuring Virtual Links
Router(config-router)#
area area-id virtual-link router-id [authentication [message-digest | null]] [hello-interval seconds] [retransmit-interval seconds] [transmit-delay seconds] [dead-interval seconds] [[authentication-key key] | [message-digest-key key-id md5 key]]

• Creates a virtual link. The router-id argument is the OSPF router ID of the far-end ABR (not an interface address); read it from show ip ospf on that router:

remoterouter#sh ip ospf
Routing Process "ospf 1000" with ID 10.2.2.2
Supports only single TOS(TOS0) routes
Supports opaque LSA
Supports Link-local Signaling (LLS)
Supports area transit capability
It is an area border router
<output omitted>
OSPF Virtual Link Configuration Example
The show ip ospf virtual-links Command
RouterA#sh ip ospf virtual-links
Virtual Link OSPF_VL0 to router 10.2.2.2 is up
Run as demand circuit
DoNotAge LSA allowed.
Transit area 1, via interface Serial0/0/1, Cost of using 781
Transmit Delay is 1 sec, State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:07
Adjacency State FULL (Hello suppressed)
Index 1/2, retransmission queue length 0, number of retransmission 1
First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
Last retransmission scan length is 1, maximum is 1
Last retransmission scan time is 0 msec, maximum is 0 msec
RouterA#

LSA Types

LSA Type    Description
1           Router LSAs
2           Network LSAs
3 or 4      Summary LSAs (type 3: network summary; type 4: ASBR summary)
5           Autonomous system external LSAs
6           Multicast OSPF LSA
7           Defined for not-so-stubby areas
8           External attributes LSA for Border Gateway Protocol (BGP)
9, 10, 11   Opaque LSAs
LSA Type 1: Router LSA
• One router LSA (type 1) for every router in an area
• Includes list of directly attached links
• Each link identified by IP prefix assigned to link and link type
• Identified by the router ID of the originating router
• Floods within its area only; does not cross ABR
LSA Type 2: Network LSA
• One network (type 2) LSA for each transit broadcast or NBMA network in an area
• Includes list of attached routers on the transit link
• Includes subnet mask of link
• Advertised by the DR of the broadcast network
• Floods within its area only; does not cross ABR
LSA Type 3: Summary LSA
• Type 3 LSAs are used to flood network information to areas outside the originating area (interarea).
• Describes network number and mask of link.
• Advertised by the ABR of originating area.
• Regenerated by subsequent ABRs to flood throughout the autonomous system.
• By default, routes are not summarized, and a type 3 LSA is advertised for every subnet.
LSA Type 4: Summary LSA
• Summary (type 4) LSAs are used to advertise an ASBR to all other areas in the autonomous system.
• They are generated by the ABR of the originating area.
• They are regenerated by all subsequent ABRs to flood throughout the autonomous system.
• Type 4 LSAs contain the router ID of the ASBR.
LSA Type 5: External LSA
• External (type 5) LSAs are used to advertise networks from other autonomous systems.
• Type 5 LSAs are advertised and owned by the originating ASBR.
• Type 5 LSAs flood throughout the entire autonomous system.
• The advertising router ID (ASBR) is unchanged throughout the autonomous system.
• Type 4 LSA is needed to find the ASBR.
• By default, routes are not summarized.
Interpreting the OSPF Database
RouterA#show ip ospf database
OSPF Router with ID (10.0.0.11) (Process ID 1)
Router Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Link count
10.0.0.11 10.0.0.11 548 0x80000002 0x00401A 1
10.0.0.12 10.0.0.12 549 0x80000004 0x003A1B 1
100.100.100.100 100.100.100.100 548 0x800002D7 0x00EEA9 2
Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
172.31.1.3 100.100.100.100 549 0x80000001 0x004EC9
Summary Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
10.1.0.0 10.0.0.11 654 0x80000001 0x00FB11
10.1.0.0 10.0.0.12 601 0x80000001 0x00F516
<output omitted>

Interpreting the Routing Table: Types of Routes

Router Designator   Description
O                   OSPF intra-area (router LSA and network LSA): networks from within the area of the router; advertised by way of router LSAs and network LSAs
O IA                OSPF interarea (summary LSA): networks from outside the area of the router, but within the OSPF autonomous system; advertised by way of summary LSAs
O E1                Type 1 external routes: networks outside of the autonomous system of the router; advertised by way of external LSAs
O E2                Type 2 external routes: networks outside of the autonomous system of the router; advertised by way of external LSAs
Calculating Costs for E1 and E2 Routes
(Figure.) An E1 route's metric is the external cost set by the ASBR plus the internal OSPF cost to reach that ASBR, so it grows with distance from the ASBR. An E2 route's metric is the external cost only and is the same on every router in the domain; E2 is the default type for redistributed routes.
The show ip route Command
RouterB>show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

172.31.0.0/24 is subnetted, 2 subnets
O IA 172.31.2.0 [110/1563] via 10.1.1.1, 00:12:35, FastEthernet0/0
O IA 172.31.1.0 [110/782] via 10.1.1.1, 00:12:35, FastEthernet0/0
10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
C 10.200.200.13/32 is directly connected, Loopback0
C 10.1.3.0/24 is directly connected, Serial0/0/0
O 10.1.2.0/24 [110/782] via 10.1.3.4, 00:12:35, Serial0/0/0
C 10.1.1.0/24 is directly connected, FastEthernet0/0
O 10.1.0.0/24 [110/782] via 10.1.1.1, 00:12:37, FastEthernet0/0
O E2 10.254.0.0/24 [110/50] via 10.1.1.1, 00:12:37, FastEthernet0/0

Changing the Cost Metric
• Dijkstra's algorithm determines the best path by adding all link costs along a path.
• The cost, or metric, is an indication of the overhead to send packets over an interface. Default = reference bandwidth (100 Mbps) / interface bandwidth, rounded down to an integer with a minimum of 1. With the default reference bandwidth, FastEthernet, GigabitEthernet and 10 GigabitEthernet all get cost 1, so OSPF cannot prefer the faster link.

RouterA(config-if)#
ip ospf cost interface-cost

• Overrides the default cost calculation on that interface. Values from 1 to 65535 can be defined.

RouterA(config-router)#
auto-cost reference-bandwidth ref-bw

• Sets the reference bandwidth to a value other than 100 Mbps (legal values range from 1 to 4,294,967, in megabits per second). Configure the same value on every router in the OSPF domain; otherwise routers compute different costs for the same link and path selection becomes inconsistent.
OSPF Route Summarization
Benefits of Route Summarization
• Minimizes number of routing table entries
• Localizes impact of a topology change
• Reduces LSA type 3 and 5 flooding and saves CPU resources
Using Route Summarization
• Interarea summary link carries mask.
• One or more entries can represent several subnets.
Configuring Route Summarization
Router(config-router)#
area area-id range address mask [advertise | not-advertise] [cost cost]

• Consolidates interarea routes on an ABR

Router(config-router)#
summary-address ip-address mask [not-advertise] [tag tag]

• Consolidates external routes, usually on an ASBR
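The two summarization commands above, as an added example that is not code from the slides: given the component prefixes an ABR or ASBR will summarize, this Python script computes the tightest covering prefix, prints the area range line for it, and lists the address space inside the summary that no component actually covers. That uncovered space matters because the summary attracts traffic for it; IOS installs a discard route to Null0 for each summary so such packets are dropped rather than following a default route back and looping. The sample prefixes reuse the 172.31.11.x hosts from the stub-area routing tables later in this section, where they were summarized as 172.31.11.0/24; the function names are this example's own.

```python
"""Working out an OSPF summary (area range / summary-address).

Added example, not from the slides: compute the tightest summary for a set
of component prefixes, the IOS command for it, and the part of the summary
that no component backs (black-holed by the Null0 discard route).
"""
import ipaddress


def tightest_summary(prefixes):
    """Smallest single prefix that covers every component prefix."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    lo = min(n.network_address for n in nets)
    hi = max(n.broadcast_address for n in nets)
    for plen in range(32, -1, -1):            # widen until one prefix spans lo..hi
        cand = ipaddress.ip_network((int(lo), plen), strict=False)
        if hi in cand:
            return str(cand)
    raise ValueError("no covering prefix")    # unreachable: /0 covers everything


def uncovered(summary, prefixes):
    """Pieces of `summary` that no component prefix covers, as strings."""
    remaining = [ipaddress.ip_network(summary)]
    for comp in (ipaddress.ip_network(p) for p in prefixes):
        nxt = []
        for piece in remaining:
            if comp.subnet_of(piece):
                nxt.extend(piece.address_exclude(comp))   # carve the component out
            elif piece.subnet_of(comp):
                continue                                  # piece fully covered
            else:
                nxt.append(piece)                         # disjoint, keep as is
        remaining = nxt
    return [str(n) for n in sorted(remaining)]


def range_command(area, summary):
    """The area range line as typed on the ABR (address and dotted mask)."""
    net = ipaddress.ip_network(summary)
    return "area %s range %s %s" % (area, net.network_address, net.netmask)


if __name__ == "__main__":
    # Constructed component routes: the three /32 loopbacks from the routing
    # table examples in this section.
    comps = ["172.31.11.1/32", "172.31.11.2/32", "172.31.11.4/32"]
    tight = tightest_summary(comps)
    print(range_command(1, tight))         # area 1 range 172.31.11.0 255.255.255.248
    print(uncovered(tight, comps))         # ['172.31.11.0/32', '172.31.11.3/32', '172.31.11.5/32', '172.31.11.6/31']
    # The slides summarized these as a /24 instead: most of that space is empty.
    print(len(uncovered("172.31.11.0/24", comps)), "unbacked blocks in the /24")
```

The tightest summary is not always the right one: a /24 may be chosen so that future hosts in the range need no configuration change, but every address in the uncovered list is then advertised to the rest of the domain as reachable through this router and silently dropped at its Null0 route.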
Route Summarization Configuration Example at ABR
Route Summarization Configuration Example at ASBR
Default Routes in OSPF
• A default route is injected into OSPF as an external LSA type 5.
• Default route distribution is not on by default; use the default-information originate command under the OSPF routing process.
Configuring OSPF Default Routes
Router(config-router)#
default-information originate [always] [metric metric-value] [metric-type type-value] [route-map map-name]

• Normally, this command advertises a 0.0.0.0 default into the OSPF network only if the default route already exists in the routing table of this router.
• The always keyword allows the 0.0.0.0 default to be advertised even when the default route does not exist in the routing table. The rest of the domain then forwards all unknown traffic to this router whether or not it has an exit, so use always only on a router that really is the intended exit point.
Default Route Configuration Example
Configuring OSPF Special Area Types
Types of Areas
Stub and Totally Stub Area Rules
An area can be stub or totally stub if:
• There is a single ABR, or if there is more than one ABR, suboptimal routing paths to other areas or external autonomous systems are acceptable (every ABR injects the same default route).
• All routers in the area are configured as stub. The stub setting is carried as a flag (the E-bit) in Hello packets, and routers whose flags differ do not form an adjacency.
• There is no ASBR in the area.
• The area is not area 0.
• No virtual links go through the area.
Using Stub Areas
• External LSAs are stopped.
• Default route is advertised into stub area by the ABR.
• All routers in area 50 must be configured as stub.
Stub Area Configuration
RouterA(config-router)#
area area-id stub [no-summary]

• This command turns on stub area networking.
• All routers in a stub area must use the stub command.

RouterA(config-router)#
area area-id default-cost cost

• This command defines the cost of a default route sent into the stub area.
• The default cost is 1.
OSPF Stub Area Configuration Example
Using Totally Stubby Areas
• External LSAs are stopped.
• Summary LSAs are stopped.
• Routing table is reduced to a minimum.
• All routers must be configured as stub.
• ABR must be configured as totally stubby.
• This is a Cisco proprietary feature.
Totally Stubby Configuration
RouterA(config-router)#
area area-id stub no-summary

• The addition of no-summary on the ABR creates a totally stubby area and prevents all summary LSAs from entering the stub area.
Totally Stubby Configuration Example
Routing Table in a Standard Area
P1R3#sh ip route
<output omitted>

Gateway of last resort is not set


172.31.0.0/32 is subnetted, 4 subnets
O IA 172.31.22.4 [110/782] via 10.1.1.1, 00:02:44, FastEthernet0/0
O IA 172.31.11.1 [110/1] via 10.1.1.1, 00:02:44, FastEthernet0/0
O IA 172.31.11.2 [110/782] via 10.1.3.4, 00:02:52, Serial0/0/0
[110/782] via 10.1.1.1, 00:02:52, FastEthernet0/0
O IA 172.31.11.4 [110/782] via 10.1.1.1, 00:02:44, FastEthernet0/0
10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
O 10.11.0.0/24 [110/782] via 10.1.1.1, 00:03:22, FastEthernet0/0
C 10.200.200.13/32 is directly connected, Loopback0
C 10.1.3.0/24 is directly connected, Serial0/0/0
O 10.1.2.0/24 [110/782] via 10.1.3.4, 00:03:23, Serial0/0/0
C 10.1.1.0/24 is directly connected, FastEthernet0/0
O 10.1.0.0/24 [110/782] via 10.1.1.1, 00:03:23, FastEthernet0/0
O E2 10.254.0.0/24 [110/50] via 10.1.1.1, 00:02:39, FastEthernet0/0
P1R3#

Routing Table in a Stub Area
P1R3#sh ip route
<output omitted>

Gateway of last resort is 10.1.1.1 to network 0.0.0.0


172.31.0.0/32 is subnetted, 4 subnets
O IA 172.31.22.4 [110/782] via 10.1.1.1, 00:01:49, FastEthernet0/0
O IA 172.31.11.1 [110/1] via 10.1.1.1, 00:01:49, FastEthernet0/0
O IA 172.31.11.2 [110/782] via 10.1.3.4, 00:01:49, Serial0/0/0
[110/782] via 10.1.1.1, 00:01:49, FastEthernet0/0
O IA 172.31.11.4 [110/782] via 10.1.1.1, 00:01:49, FastEthernet0/0
10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
O 10.11.0.0/24 [110/782] via 10.1.1.1, 00:01:50, FastEthernet0/0
C 10.200.200.13/32 is directly connected, Loopback0
C 10.1.3.0/24 is directly connected, Serial0/0/0
O 10.1.2.0/24 [110/782] via 10.1.3.4, 00:01:50, Serial0/0/0
C 10.1.1.0/24 is directly connected, FastEthernet0/0
O 10.1.0.0/24 [110/782] via 10.1.1.1, 00:01:50, FastEthernet0/0
O*IA 0.0.0.0/0 [110/2] via 10.1.1.1, 00:01:51, FastEthernet0/0
P1R3#

Routing Table in a Stub Area with
Summarization
P1R3#sh ip route
<output omitted>

Gateway of last resort is 10.1.1.1 to network 0.0.0.0


172.31.0.0/16 is variably subnetted, 2 subnets, 2 masks
O IA 172.31.22.4/32 [110/782] via 10.1.1.1, 00:13:08, FastEthernet0/0
O IA 172.31.11.0/24 [110/1] via 10.1.1.1, 00:02:39, FastEthernet0/0
10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
O 10.11.0.0/24 [110/782] via 10.1.1.1, 00:13:08, FastEthernet0/0
C 10.200.200.13/32 is directly connected, Loopback0
C 10.1.3.0/24 is directly connected, Serial0/0/0
O 10.1.2.0/24 [110/782] via 10.1.3.4, 00:13:09, Serial0/0/0
C 10.1.1.0/24 is directly connected, FastEthernet0/0
O 10.1.0.0/24 [110/782] via 10.1.1.1, 00:13:09, FastEthernet0/0
O*IA 0.0.0.0/0 [110/2] via 10.1.1.1, 00:13:09, FastEthernet0/0
P1R3#

Routing Table in a Totally Stubby
Area
P1R3#sh ip route
<output omitted>

Gateway of last resort is 10.1.1.1 to network 0.0.0.0


10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
O 10.11.0.0/24 [110/782] via 10.1.1.1, 00:16:53, FastEthernet0/0
C 10.200.200.13/32 is directly connected, Loopback0
C 10.1.3.0/24 is directly connected, Serial0/0/0
O 10.1.2.0/24 [110/782] via 10.1.3.4, 00:16:53, Serial0/0/0
C 10.1.1.0/24 is directly connected, FastEthernet0/0
O 10.1.0.0/24 [110/782] via 10.1.1.1, 00:16:53, FastEthernet0/0
O*IA 0.0.0.0/0 [110/2] via 10.1.1.1, 00:00:48, FastEthernet0/0
P1R3#

Not-So-Stubby Areas
• NSSA breaks stub area rules.
• ASBR (R1) is allowed in NSSA.
• Special LSA type 7 defined, sent by ASBR.
• ABR (R2) converts LSA type 7 to LSA type 5.
• ABR sends default route into NSSA instead of external routes from other ASBRs.
• NSSA is an RFC addendum (RFC 3101).
NSSA Configuration
RouterA(config-router)#
area area-id nssa [no-redistribution] [default-information-originate [metric metric-value] [metric-type type-value]] [no-summary]

• Use this command instead of the area stub command to define the area as NSSA; configure it on every router in the area.
• By default the NSSA ABR does not inject a default route into the area: add default-information-originate on the ABR to send a type 7 default, or no-summary to send a type 3 default while also blocking summary LSAs.
• The no-summary keyword creates an NSSA totally stubby area; this is a Cisco proprietary feature.
Example: NSSA Configuration
NSSA Totally Stubby Configuration
• NSSA totally stubby area is a Cisco proprietary feature.
show Commands for Stub and NSSA
RouterA#
show ip ospf
• Displays which areas are normal, stub, or NSSA
RouterA#
show ip ospf database
• Displays details of LSAs
RouterA#
show ip ospf database nssa-external
• Displays specific details of each LSA type 7 update in database
RouterA#
show ip route
• Displays all routes
Configuring OSPF Authentication
OSPF Authentication Types
• OSPF supports two types of authentication (RFC 2328, Appendix D):
  • Simple password (plain text) authentication: the 8-byte password travels in clear text in every OSPF header, so it protects only against accidental misconfiguration, not against anyone who can capture packets on the segment.
  • MD5 (cryptographic) authentication: the key never leaves the router; each packet carries a key ID, a cryptographic sequence number for replay protection, and a 16-byte MD5 digest computed over the packet and the key.
• The router authenticates every OSPF packet it sends and receives, so the source of each routing update is checked before the packet is processed.
• Configure a key (password) on each participating interface; every neighbor on the link must have the same key (and, for MD5, the same key ID) configured.
Configuring OSPF Simple Password Authentication
Router(config-if)#
ip ospf authentication-key password

• Assigns a password to be used with neighboring routers

Router(config-if)#
ip ospf authentication [message-digest | null]

• Specifies the authentication type for an interface (since Cisco IOS software 12.0)

Router(config-router)#
area area-id authentication [message-digest]

• Specifies the authentication type for an area (was in Cisco IOS software before 12.0)
Example Simple Password Authentication Configuration
(Figure: R2 Loopback 0 = 10.2.2.2)
R2 Configuration for Simple Password Authentication
<output omitted>
interface Loopback0
ip address 10.2.2.2 255.255.255.0

<output omitted>
interface Serial0/0/1
ip address 192.168.1.102 255.255.255.224
ip ospf authentication
ip ospf authentication-key plainpas

<output omitted>
router ospf 10
log-adjacency-changes
network 10.2.2.2 0.0.0.0 area 0
network 192.168.1.0 0.0.0.255 area 0

Verifying Simple Password Authentication
R1#sh ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
10.2.2.2 0 FULL/ - 00:00:32 192.168.1.102 Serial0/0/1

R1#show ip route
<output omitted>
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
O 10.2.2.2/32 [110/782] via 192.168.1.102, 00:01:17, Serial0/0/1
C 10.1.1.0/24 is directly connected, Loopback0
192.168.1.0/27 is subnetted, 1 subnets
C 192.168.1.96 is directly connected, Serial0/0/1

R1#ping 10.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/29/32 ms

Configuring OSPF MD5 Authentication
Router(config-if)#
ip ospf message-digest-key key-id md5 key

• Assigns a key ID and key to be used with neighboring routers; the neighbors must be configured with the same key ID and key

Router(config-if)#
ip ospf authentication [message-digest | null]

• Specifies the authentication type for an interface (since Cisco IOS software 12.0)

Router(config-router)#
area area-id authentication [message-digest]

• Specifies the authentication type for an area (was in Cisco IOS software before 12.0)
Example MD5 Authentication Configuration
R2 Configuration for MD5 Authentication
<output omitted>
interface Loopback0
ip address 10.2.2.2 255.255.255.0

<output omitted>
interface Serial0/0/1
ip address 192.168.1.102 255.255.255.224
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 secretpass

<output omitted>
router ospf 10
log-adjacency-changes
network 10.2.2.2 0.0.0.0 area 0
network 192.168.1.0 0.0.0.255 area 0

Verifying MD5 Authentication
R1#sho ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
10.2.2.2 0 FULL/ - 00:00:31 192.168.1.102 Serial0/0/1

R1#show ip route
<output omitted>
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
O 10.2.2.2/32 [110/782] via 192.168.1.102, 00:00:37, Serial0/0/1
C 10.1.1.0/24 is directly connected, Loopback0
192.168.1.0/27 is subnetted, 1 subnets
C 192.168.1.96 is directly connected, Serial0/0/1

R1#ping 10.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms

Troubleshooting Simple Password Authentication
Router#
debug ip ospf adj

• Displays the OSPF adjacency-related events


R1#debug ip ospf adj
OSPF adjacency events debugging is on
R1#
<output omitted>
*Feb 17 18:42:01.250: OSPF: 2 Way Communication to 10.2.2.2 on Serial0/0/1,
state 2WAY
*Feb 17 18:42:01.250: OSPF: Send DBD to 10.2.2.2 on Serial0/0/1 seq 0x9B6 opt
0x52 flag 0x7 len 32
*Feb 17 18:42:01.262: OSPF: Rcv DBD from 10.2.2.2 on Serial0/0/1 seq 0x23ED
opt 0x52 flag 0x7 len 32 mtu 1500 state EXSTART
*Feb 17 18:42:01.262: OSPF: NBR Negotiation Done. We are the SLAVE
*Feb 17 18:42:01.262: OSPF: Send DBD to 10.2.2.2 on Serial0/0/1 seq 0x23ED opt
0x52 flag 0x2 len 72
<output omitted>

R1#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
10.2.2.2 0 FULL/ - 00:00:34 192.168.1.102 Serial0/0/1

Troubleshooting Simple Password Authentication Problems
Simple authentication on R1, no authentication on R2
R1#
*Feb 17 18:51:31.242: OSPF: Rcv pkt from 192.168.1.102, Serial0/0/1 :
Mismatch Authentication type. Input packet specified type 0, we use type 1

R2#
*Feb 17 18:50:43.046: OSPF: Rcv pkt from 192.168.1.101, Serial0/0/1 :
Mismatch Authentication type. Input packet specified type 1, we use type 0

Simple authentication on R1 and R2, but different passwords
R1#
*Feb 17 18:54:01.238: OSPF: Rcv pkt from 192.168.1.102, Serial0/0/1 :
Mismatch Authentication Key - Clear Text

R2#
*Feb 17 18:53:13.050: OSPF: Rcv pkt from 192.168.1.101, Serial0/0/1 :
Mismatch Authentication Key - Clear Text

Troubleshooting MD5 Authentication
R1#debug ip ospf adj
OSPF adjacency events debugging is on
<output omitted>
*Feb 17 17:14:06.530: OSPF: Send with youngest Key 1
*Feb 17 17:14:06.546: OSPF: 2 Way Communication to 10.2.2.2 on Serial0/0/1,
state 2WAY
*Feb 17 17:14:06.546: OSPF: Send DBD to 10.2.2.2 on Serial0/0/1 seq 0xB37 opt
0x52 flag 0x7 len 32
*Feb 17 17:14:06.546: OSPF: Send with youngest Key 1
*Feb 17 17:14:06.562: OSPF: Rcv DBD from 10.2.2.2 on Serial0/0/1 seq 0x32F opt
0x52 flag 0x7 len 32 mtu 1500 state EXSTART
*Feb 17 17:14:06.562: OSPF: NBR Negotiation Done. We are the SLAVE
*Feb 17 17:14:06.562: OSPF: Send DBD to 10.2.2.2 on Serial0/0/1 seq 0x32F opt
0x52 flag 0x2 len 72
*Feb 17 17:14:06.562: OSPF: Send with youngest Key 1
<output omitted>

R1#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
10.2.2.2 0 FULL/ - 00:00:35 192.168.1.102 Serial0/0/1

Troubleshooting MD5 Authentication Problems
MD5 authentication on both R1 and R2, but R1 has key 1 and
R2 has key 2, both with the same passwords:
R1#
*Feb 17 17:56:16.530: OSPF: Send with youngest Key 1
*Feb 17 17:56:26.502: OSPF: Rcv pkt from 192.168.1.102, Serial0/0/1 :
Mismatch Authentication Key - No message digest key 2 on interface
*Feb 17 17:56:26.530: OSPF: Send with youngest Key 1

R2#
*Feb 17 17:55:28.226: OSPF: Send with youngest Key 2
*Feb 17 17:55:28.286: OSPF: Rcv pkt from 192.168.1.101, Serial0/0/1 :
Mismatch Authentication Key - No message digest key 1 on interface
*Feb 17 17:55:38.226: OSPF: Send with youngest Key 2
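As an added example (not code from the course or from Cisco), the following Python reproduces what the two OSPF authentication types above put on the wire and how a receiver checks them, following RFC 2328 Appendix D. It builds a minimal Hello for the link on the slides (192.168.1.96/27); the packet layout details and the hello/dead timers are assumptions for the example. The verdict strings mirror the debug lines on the preceding slides, except the bad-digest and replay wordings, which are assumed. It also shows why the simple-password option is only a sanity check: the password sits unhashed in the OSPF header.

```python
"""Added example, not from the course slides: OSPF packet authentication
as a receiver verifies it (RFC 2328 Appendix D).

Type 1 (simple password) carries the password itself in the 8-byte
Authentication field of the OSPF header. Type 2 (cryptographic) carries a
key ID and a sequence number there and appends MD5(packet || key padded to
16 bytes) after the packet. Sample packets below are constructed."""
import hashlib
import hmac
import ipaddress
import struct
from typing import Optional

OSPF_VERSION = 2
OSPF_HELLO = 1
AUTH_NULL, AUTH_SIMPLE, AUTH_MD5 = 0, 1, 2
HEADER_LEN = 24


def ip_checksum(data: bytes) -> int:
    """Standard ones-complement checksum (used for auth types 0 and 1)."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pad_key(key: bytes) -> bytes:
    """A key shorter than 16 bytes is zero-padded before hashing."""
    return key.ljust(16, b"\0")[:16]


def build_hello(router_id: str, area_id: str, auth_type: int, *,
                password: bytes = b"", key_id: int = 0, key: bytes = b"",
                seq: int = 0, mask: str = "255.255.255.224") -> bytes:
    """Construct a minimal Hello (timers and options are assumed values)."""
    body = ipaddress.IPv4Address(mask).packed           # network mask
    body += struct.pack("!HBBI", 10, 0x02, 1, 40)       # hello, options, prio, dead
    body += bytes(8)                                    # DR and BDR (none on p2p)
    length = HEADER_LEN + len(body)
    if auth_type == AUTH_SIMPLE:
        auth = password.ljust(8, b"\0")[:8]             # password in the clear
    elif auth_type == AUTH_MD5:
        auth = struct.pack("!HBBI", 0, key_id, 16, seq)  # rsvd, key ID, len, seq
    else:
        auth = bytes(8)
    hdr = struct.pack("!BBH4s4sHH8s", OSPF_VERSION, OSPF_HELLO, length,
                      ipaddress.IPv4Address(router_id).packed,
                      ipaddress.IPv4Address(area_id).packed,
                      0, auth_type, auth)
    if auth_type == AUTH_MD5:
        # Checksum stays 0; the digest covers header+body, then the key.
        pkt = hdr + body
        return pkt + hashlib.md5(pkt + _pad_key(key)).digest()
    # Types 0 and 1: checksum over everything except the Authentication field.
    csum = ip_checksum(hdr[:16] + body)
    return hdr[:12] + struct.pack("!H", csum) + hdr[14:] + body


def recover_simple_password(pkt: bytes) -> str:
    """What a sniffer on the link sees for auth type 1: the password itself."""
    return pkt[16:24].rstrip(b"\0").decode()


def verify(pkt: bytes, local_type: int, *, password: bytes = b"",
           keys: Optional[dict] = None, last_seq: int = -1) -> str:
    """Receiver-side check; returns 'OK' or an IOS-style mismatch reason."""
    auth_type = struct.unpack("!H", pkt[14:16])[0]
    if auth_type != local_type:
        return (f"Mismatch Authentication type. Input packet specified "
                f"type {auth_type}, we use type {local_type}")
    if auth_type == AUTH_SIMPLE:
        if not hmac.compare_digest(pkt[16:24], password.ljust(8, b"\0")[:8]):
            return "Mismatch Authentication Key - Clear Text"
        return "OK"
    if auth_type == AUTH_MD5:
        key_id, auth_len, seq = struct.unpack("!xxBBI", pkt[16:24])
        if key_id not in (keys or {}):
            return (f"Mismatch Authentication Key - No message digest key "
                    f"{key_id} on interface")
        length = struct.unpack("!H", pkt[2:4])[0]
        msg, digest = pkt[:length], pkt[length:length + auth_len]
        expected = hashlib.md5(msg + _pad_key(keys[key_id])).digest()
        if not hmac.compare_digest(digest, expected):   # wording assumed
            return f"Mismatch Authentication Key - Message Digest Key {key_id}"
        if seq < last_seq:   # RFC 2328 D.4.2: sequence must not go backwards
            return "Replayed packet - old cryptographic sequence number"
        return "OK"
    return "OK"


if __name__ == "__main__":
    p = build_hello("10.1.1.1", "0.0.0.0", AUTH_SIMPLE, password=b"plainpas")
    print("type 1 password seen on the wire:", recover_simple_password(p))
    p = build_hello("10.1.1.1", "0.0.0.0", AUTH_MD5, key_id=1, key=b"secretpass")
    print("type 2 with key 2 only configured:", verify(p, AUTH_MD5, keys={2: b"x"}))
```

Two caveats the slides do not spell out: the type 2 scheme is keyed MD5 over packet||key rather than an HMAC, and the cryptographic sequence number is its only replay protection. Newer IOS releases add HMAC-SHA authentication through key chains (ip ospf authentication key-chain), which is preferable where both ends support it.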

Operating a Network Using Multiple IP Routing Protocols

Using Multiple IP Routing Protocols
Using Multiple Routing Protocols
 Interim during conversion
 Application-specific protocols
   One size does not always fit all.
 Political boundaries
   Groups that do not work well with others
 Mismatch between devices
   Multivendor interoperability
   Host-based routers

Redistributing Route Information
Using Seed Metrics
 Use the default-metric command to establish the seed
metric for the route or specify the metric when
redistributing.
 Once a compatible metric is established, the metric will
increase in increments just like any other route.

Redistribution with Seed Metric

Configuring and Verifying Route Redistribution
Redistribution Supports All
Protocols
RtrA(config)#router rip
RtrA(config-router)#redistribute ?
bgp Border Gateway Protocol (BGP)
connected Connected
eigrp Enhanced Interior Gateway Routing Protocol (EIGRP)
isis ISO IS-IS
iso-igrp IGRP for OSI networks
metric Metric for redistributed routes
mobile Mobile routes
odr On Demand stub Routes
ospf Open Shortest Path First (OSPF)
rip Routing Information Protocol (RIP)
route-map Route map reference
static Static routes
<cr>

Configuring Redistribution into RIP
RtrA(config)# router rip
RtrA(config-router)# redistribute ospf ?
  <1-65535>  Process ID
RtrA(config-router)# redistribute ospf 1 ?
  match      Redistribution of OSPF routes
  metric     Metric for redistributed routes
  route-map  Route map reference
  <cr>

• Default metric is infinity.

Redistributing into RIP

Configuring Redistribution into OSPF
RtrA(config)# router ospf 1
RtrA(config-router)# redistribute eigrp ?
  <1-65535>  Autonomous system number
RtrA(config-router)# redistribute eigrp 100 ?
  metric       Metric for redistributed routes
  metric-type  OSPF/IS-IS exterior metric type for redistributed routes
  route-map    Route map reference
  subnets      Consider subnets for redistribution into OSPF
  tag          Set tag for routes redistributed into OSPF
  <cr>

 Default metric is 20 (1 for routes redistributed from BGP).
 Default metric type is 2 (E2: the cost does not grow as the route crosses the OSPF domain).
 Subnets do not redistribute by default; without the subnets keyword only classful networks are redistributed.

Redistributing into OSPF

Configuring Redistribution into EIGRP
RtrA(config)# router eigrp 100
RtrA(config-router)# redistribute ospf ?
  <1-65535>  Process ID
RtrA(config-router)# redistribute ospf 1 ?
  match      Redistribution of OSPF routes
  metric     Metric for redistributed routes
  route-map  Route map reference
  <cr>

• Default metric is infinity.

Redistributing into EIGRP

Seed metric given on the redistribute command or with default-metric (the five EIGRP metric components, in this order):
• Bandwidth in kilobits per second = 10000
• Delay in tens of microseconds = 100
• Reliability = 255 (maximum)
• Load = 1 (minimum)
• MTU = 1500 bytes
Example: Before Redistribution

Example: Before Redistribution (Cont.)

Example: Configuring Redistribution at Router B

Example: Routing Tables After Route Redistribution

Example: Routing Tables After Summarizing Routes and Redistributions

Controlling Routing Update Traffic

Using the passive-interface Command

Controlling Routing Update Traffic
Configuring distribute-list
For outbound updates:
Router(config-router)#
distribute-list {access-list-number | name} out [interface-name | routing-process [routing-process-parameter]]

For inbound updates:
Router(config-router)#
distribute-list {access-list-number | name | route-map map-tag} in [interface-type interface-number]

• Use an access list (or route map) to permit or deny routes.
• A prefix list can be used instead of the access list: distribute-list prefix list-name {in | out}.
• Can be applied to transmitted, received, or redistributed routing updates.
Filtering Routing Updates with a Distribute List

• Hides network 10.0.0.0 using interface filtering

Controlling Redistribution with Distribute Lists

Route Maps
Route maps are similar to a scripting language for these reasons:
 They work like a more sophisticated access list.
 They offer top-down processing.
 Once there is a match, leave the route map.
 Lines are sequence-numbered for easier editing.
   Insertion of lines
   Deletion of lines
 Route maps are named rather than numbered for easier documentation.
 Match criteria and set criteria can be used, similar to the "if, then" logic in a scripting language.
Route Map Applications
The common uses of route maps are as follows:
 Redistribution route filtering: a more sophisticated
alternative to distribute lists
 Policy-based routing: the ability to determine routing
policy based on criteria other than the destination
network
 BGP policy implementation: the primary tool for
defining BGP routing policies

Route Map Operation
 A list of statements constitutes a route map.
 The list is processed top-down like an access list.
 The first match found for a route is applied.
 The sequence number is used for inserting or deleting specific
route map statements.
route-map my_bgp permit 10
{ match statements }
{ match statements }
{ set statements }
{ set statements }
route-map my_bgp deny 20
:: :: ::
:: :: ::
route-map my_bgp permit 30
:: :: ::
:: :: ::

Route Map Operation (Cont.)
• The match statement may contain multiple references.
• Multiple match criteria in the same line use a logical OR: at least one reference must permit the route for it to be a candidate for redistribution.
• Each vertical match (a separate match line) uses a logical AND: all match statements must permit the route for it to remain a candidate for redistribution.
• Route map permit or deny determines if the candidate will be redistributed.
• A sequence with no match statement matches every route; a route that matches no sequence is dropped by the implicit deny at the end of the route map.
route-map Commands
router(config)#
route-map map-tag [permit | deny] [sequence-number]
• Defines the route map conditions

router(config-route-map)#
match {conditions}
• Defines the conditions to match

router(config-route-map)#
set {actions}
• Defines the action to be taken on a match

router(config-router)#
redistribute protocol [process-id] route-map map-tag
• Allows for detailed control of routes being redistributed into a routing protocol
The match Command
router(config-route-map)#
match {options}
• The match commands specify criteria to be matched.
• The associated route map statement permits or denies the matching routes.

options:
ip address ip-access-list
ip route-source ip-access-list
ip next-hop ip-access-list
interface type number
metric metric-value
route-type [external | internal | level-1 | level-2 | local]
The set Command
router(config-route-map)#
• The set commands modify matching routes.
• The command modifies parameters in redistributed routes.
set {options}
options :
metric metric-value
metric-type [type-1 | type-2 | internal | external]
level [level-1 | level-2 | level-1-2 |stub-area | backbone]
ip next-hop next-hop-address

Route Maps and Redistribution Commands
Router(config)# router ospf 10
Router(config-router)# redistribute rip route-map redis-rip

• Routes matching either access list 23 or 29 are redistributed with an OSPF cost
of 500, external type 1.
• Routes permitted by access list 37 are not redistributed.
• All other routes are redistributed with an OSPF cost metric of 5000, external
type 2.
Router(config)#
route-map redis-rip permit 10
 match ip address 23 29
 set metric 500
 set metric-type type-1
route-map redis-rip deny 20
 match ip address 37
route-map redis-rip permit 30
 set metric 5000
 set metric-type type-2

Router(config)#
access-list 23 permit 10.1.0.0 0.0.255.255
access-list 29 permit 172.16.1.0 0.0.0.255
access-list 37 permit 10.0.0.0 0.255.255.255
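As an added example (not code from the course or from Cisco), the following Python evaluates the redis-rip route map above against candidate routes, implementing the rules the preceding slides state in words: ACLs named on one match line are ORed, separate match lines are ANDed, sequences are tried in order and the first match wins, a sequence with no match line matches everything, and a route matching no sequence is dropped by the implicit deny. The routes it is fed are constructed test data.

```python
"""Added example, not from the course slides: a route-map evaluator for
redistribution filtering, using the redis-rip map and ACLs 23/29/37 from
the slide as data. Candidate routes below are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AclEntry:
    action: str      # "permit" or "deny"
    address: str
    wildcard: str    # 0 bits must match, 1 bits are ignored

    def covers(self, net: str) -> bool:
        a = int(ipaddress.IPv4Address(self.address))
        w = int(ipaddress.IPv4Address(self.wildcard))
        n = int(ipaddress.ip_network(net, strict=False).network_address)
        return (a & ~w) == (n & ~w)


def acl_permits(acl: list, net: str) -> bool:
    """Standard ACL semantics: first covering entry decides, implicit deny."""
    for entry in acl:
        if entry.covers(net):
            return entry.action == "permit"
    return False


@dataclass
class RouteMapSeq:
    seq: int
    action: str                                  # "permit" or "deny"
    match: list = field(default_factory=list)    # [[acl, acl] OR] ... ANDed
    set: dict = field(default_factory=dict)      # attributes applied on permit


def evaluate(route_map: list, acls: dict, net: str) -> Optional[dict]:
    """Attributes the route is redistributed with, or None if filtered."""
    for s in sorted(route_map, key=lambda s: s.seq):
        # any() across the ACLs of one line, all() across the lines;
        # all() of an empty match list is True, so a bare sequence matches all.
        if all(any(acl_permits(acls[name], net) for name in line)
               for line in s.match):
            return dict(s.set) if s.action == "permit" else None
    return None                                  # implicit deny at the end


def redis_rip():
    """The route map and ACLs from the slide, as data."""
    acls = {
        "23": [AclEntry("permit", "10.1.0.0", "0.0.255.255")],
        "29": [AclEntry("permit", "172.16.1.0", "0.0.0.255")],
        "37": [AclEntry("permit", "10.0.0.0", "0.255.255.255")],
    }
    route_map = [
        RouteMapSeq(10, "permit", [["23", "29"]],
                    {"metric": 500, "metric-type": "type-1"}),
        RouteMapSeq(20, "deny", [["37"]]),
        RouteMapSeq(30, "permit", [],
                    {"metric": 5000, "metric-type": "type-2"}),
    ]
    return route_map, acls


if __name__ == "__main__":
    rmap, acls = redis_rip()
    for route in ("10.1.5.0/24", "10.2.0.0/16", "172.16.1.0/24", "192.168.5.0/24"):
        print(route, "->", evaluate(rmap, acls, route))
```

Note the ordering effect: 10.1.5.0/24 is covered by both ACL 23 and ACL 37, but sequence 10 is tried first, so it is redistributed with cost 500 rather than being denied by sequence 20.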
Administrative Distance
Route Source Default Distance
Connected interface 0
Static route 1
EIGRP summary route 5
External BGP 20
Internal EIGRP 90
IGRP 100
OSPF 110
IS-IS 115
RIPv1, RIPv2 120
External EIGRP 170
Internal BGP 200
Unknown 255

Modifying Administrative Distance
Router(config-router)#
distance administrative-distance [address wildcard-mask [access-list-number | name]]
• Used for all protocols except EIGRP and BGP, which have their own forms (distance eigrp, distance bgp). The address and wildcard select the advertising router; the optional access list selects the routes.

Router(config-router)#
distance eigrp internal-distance external-distance
• Used for EIGRP

Example: Redistribution Using Administrative Distance

Example: Redistribution Using Administrative Distance (Cont.)
Router P3R1
router ospf 1
redistribute rip metric 10000 metric-type 1 subnets
network 172.31.0.0 0.0.255.255 area 0
!
router rip
version 2
redistribute ospf 1 metric 5
network 10.0.0.0
no auto-summary
Router P3R2
router ospf 1
redistribute rip metric 10000 metric-type 1 subnets
network 172.31.3.2 0.0.0.0 area 0
!
router rip
version 2
redistribute ospf 1 metric 5
network 10.0.0.0
no auto-summary
Example: Redistribution Using Administrative Distance (Cont.)
The distance 125 0.0.0.0 255.255.255.255 64 line gives OSPF routes to the networks in access list 64, learned from any source, an administrative distance of 125, so the RIP paths (distance 120) to those networks win and the redistributed copies do not loop back.

hostname P3R1
!
router ospf 1
 redistribute rip metric 10000 metric-type 1 subnets
 network 172.31.0.0 0.0.255.255 area 0
 distance 125 0.0.0.0 255.255.255.255 64
!
router rip
 version 2
 redistribute ospf 1 metric 5
 network 10.0.0.0
 no auto-summary
!
access-list 64 permit 10.3.1.0 0.0.0.255
access-list 64 permit 10.3.3.0 0.0.0.255
access-list 64 permit 10.3.2.0 0.0.0.255
access-list 64 permit 10.200.200.31
access-list 64 permit 10.200.200.34
access-list 64 permit 10.200.200.32
access-list 64 permit 10.200.200.33

hostname P3R2
!
router ospf 1
 redistribute rip metric 10000 metric-type 1 subnets
 network 172.31.3.2 0.0.0.0 area 0
 distance 125 0.0.0.0 255.255.255.255 64
!
router rip
 version 2
 redistribute ospf 1 metric 5
 network 10.0.0.0
 no auto-summary
!
access-list 64 permit 10.3.1.0 0.0.0.255
access-list 64 permit 10.3.3.0 0.0.0.255
access-list 64 permit 10.3.2.0 0.0.0.255
access-list 64 permit 10.200.200.31
access-list 64 permit 10.200.200.34
access-list 64 permit 10.200.200.32
access-list 64 permit 10.200.200.33

Example: Redistribution Using Administrative Distance (Cont.)
Prefix Lists

Used to filter a range of routes based on the network ID and the subnet mask length.

ip prefix-list <list-name> description <description statement>
ip prefix-list <list-name> [seq <seq-no>] {deny | permit} <prefix>/<prefix-length> [ge <prefix-length>] [le <prefix-length>]

Prefix-List Activation (BGP neighbor):
(config-router)#neighbor <ip of neighbor> prefix-list <list-name> {in | out}

Prefix-List Activation (IGP updates):
(config-router)#distribute-list prefix <list-name> {in | out}

Prefix List Verification:
#show ip prefix-list
Prefix-List Scenarios
 ip prefix-list exam1 seq 5 permit 172.16.8.0/24
 If there is only a / after the network (no le or ge), then the number after the / is BOTH the number of bits checked and the required subnet mask length.
 So in this case it will check the first 24 bits from left to right (won't care about the last 8 bits) AND it will make sure that the route has a 24-bit mask.
 BOTH conditions must hold for the network to be permitted or denied by this entry.
Prefix-List Scenarios
 ip prefix-list exam2 seq 5 permit 172.16.8.0/24 ge 25
 If we use either le or ge (or both) after the /, then the number directly after the / becomes ONLY the number of bits checked, and the number after ge or le (or both) bounds the subnet mask length: ge 25 here means any mask from /25 through /32, so 172.16.8.0/24 itself no longer matches.
Example 1
• Deny the default route, permit everything else
(config)#ip prefix-list ccnp1 deny 0.0.0.0/0
! To deny exactly 0.0.0.0/0 !
(config)#ip prefix-list ccnp1 permit 0.0.0.0/0 le 32
! To permit all routes !

Example 2
• Permit 172.16.0.0/16 and 172.16.0.0/20 but deny 172.16.0.0/24 from an update containing all three
(config)#ip prefix-list ccnp2 permit 172.16.0.0/16 le 20
(config)#ip prefix-list ccnp2 deny 0.0.0.0/0 le 32
! To deny all other routes; this entry is optional, because every prefix list ends with an implicit deny !
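As an added example (not code from the course or from Cisco), the following Python implements the matching rule described on the last three slides and runs the four lists above (exam1, exam2, ccnp1, ccnp2) against constructed routes. A route matches an entry when its first L bits equal the entry's prefix and its own mask length lies in the window: exactly L with neither keyword, ge..32 with only ge, L..le with only le, ge..le with both. The parser accepts the slide syntax; the default sequence numbering in steps of 5 mirrors IOS.

```python
"""Added example, not from the course slides: ip prefix-list matching.
Entries: NAME [seq N] permit|deny A/L [ge G] [le E]. Walked in sequence
order, first match wins, unmatched routes are denied. Test routes below
are constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

LINE = re.compile(r"ip prefix-list (\S+)(?: seq (\d+))? (permit|deny) (\S+)"
                  r"(?: ge (\d+))?(?: le (\d+))?$")


@dataclass
class PrefixEntry:
    seq: int
    action: str
    prefix: ipaddress.IPv4Network
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        bits = self.prefix.prefixlen
        if route.prefixlen < bits:
            return False                        # route has fewer bits than we compare
        if route.supernet(new_prefix=bits) != self.prefix:
            return False                        # the first L bits differ
        lo = self.ge if self.ge is not None else bits
        if self.le is not None:
            hi = self.le
        elif self.ge is not None:
            hi = route.max_prefixlen            # "ge" alone: up to /32
        else:
            hi = bits                           # no keyword: exact mask only
        return lo <= route.prefixlen <= hi


def parse(config: str) -> dict:
    """Parse 'ip prefix-list' lines into {name: [PrefixEntry, ...]}."""
    lists: dict = {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError(f"unparsed line: {line}")
        name, seq, action, pfx, ge, le = m.groups()
        entries = lists.setdefault(name, [])
        seq_no = int(seq) if seq else max((e.seq for e in entries), default=0) + 5
        entries.append(PrefixEntry(seq_no, action,
                                   ipaddress.ip_network(pfx, strict=False),
                                   int(ge) if ge else None,
                                   int(le) if le else None))
    return lists


def evaluate(entries: list, route: str) -> str:
    """'permit' or 'deny' for one route against one prefix list."""
    net = ipaddress.ip_network(route, strict=False)
    for e in sorted(entries, key=lambda e: e.seq):
        if e.matches(net):
            return e.action
    return "deny"                               # implicit deny at the end


SLIDE_CONFIG = """
ip prefix-list exam1 seq 5 permit 172.16.8.0/24
ip prefix-list exam2 seq 5 permit 172.16.8.0/24 ge 25
ip prefix-list ccnp1 deny 0.0.0.0/0
ip prefix-list ccnp1 permit 0.0.0.0/0 le 32
ip prefix-list ccnp2 permit 172.16.0.0/16 le 20
"""

if __name__ == "__main__":
    lists = parse(SLIDE_CONFIG)
    for name, route in (("exam1", "172.16.8.0/25"), ("exam2", "172.16.8.128/25"),
                        ("ccnp1", "0.0.0.0/0"), ("ccnp2", "172.16.0.0/24")):
        print(name, route, "->", evaluate(lists[name], route))
```

The "0.0.0.0/0 le 32" idiom in ccnp1 works because a zero-length prefix compares no bits at all, so only the mask-length window is tested.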
Policy Based Routing
PBR is used with route maps to override the default destination-based routing, mainly in the following categories:

1. Source-based routing: traffic from different sources goes through different paths
2. QoS: mark different traffic with different ToS values in the IP packets
3. Load sharing: distribute traffic over multiple paths
4. Cost saving: distribute traffic between low-bandwidth, low-cost and high-bandwidth, high-cost connections
Route map for PBR configuration
1) Create the route map (policy map)
(config)#route-map <map-tag> <permit/deny> [seq. no.]
(config-route-map)#match <condition>
(config-route-map)#set <action>

 Permit in a route-map statement means apply PBR (the set clauses) to matching packets
 Deny in a route-map statement means do not policy-route matching packets; use the normal routing process

2) Activate the route map for PBR on the ingress interface
(config)#interface <interface name>
(config-if)#ip policy route-map <map-tag>
Route-map processing for PBR
(Flowchart.) Incoming packet: is there a policy map on the interface? If no, use the default (destination-based) routing process. If yes, test the match criteria of each statement in turn; if no statement matches, fall back to the default routing process. On a match, a permit statement applies the set clauses, while a deny statement hands the packet to the default routing process. In the default routing process, a packet with no entry in the routing table is discarded.
Match conditions

(config-route-map)#match ip address [ACL no. or name]
! The access list is applied to the incoming packet: a standard ACL matches its source IP, an extended ACL can also match destination, protocol and ports !

(config-route-map)#match length <min> <max>
! Check incoming packet min & max length !

(config-route-map)#match tos <value>
! Match the ToS value in an incoming IP packet !
Set conditions
(config-route-map)#set ip next-hop <ip address>
! Redirect the matching packet to the specified next hop, bypassing the routing-table lookup for the destination; the next hop itself must be reachable !
(config-route-map)#set ip default next-hop <ip address>
! Redirect the matching packet to the specified next hop only if the routing table has no explicit route for the destination (a default route does not count) !
(config-route-map)#set interface <type>
! Redirect the matching packet out of the specified interface, bypassing the routing-table lookup !
(config-route-map)#set default interface <type>
! Redirect the matching packet out of the specified interface only if the routing table has no explicit route for the destination !
(config-route-map)#set ip tos <value>
! Change the ToS value in the incoming IP packet (packet marking or coloring) !
Example

For the shown exhibit:
- all traffic using the default route and sourced from subnet 1.1.0.0 should go through ISP A
- all traffic using the default route and sourced from subnet 1.2.0.0 should go through ISP B
- all other traffic must be denied

RouterA(config)# access-list 1 permit 1.1.0.0 0.0.255.255
RouterA(config)# access-list 2 permit 1.2.0.0 0.0.255.255

RouterA(config)# route-map load-sharing permit 10
RouterA(config-route-map)# match ip address 1
RouterA(config-route-map)# set ip default next-hop 6.6.6.6
RouterA(config-route-map)# route-map load-sharing permit 20
RouterA(config-route-map)# match ip address 2
RouterA(config-route-map)# set ip default next-hop 7.7.7.7
RouterA(config-route-map)# route-map load-sharing permit 30
RouterA(config-route-map)# set default interface null0

RouterA(config)# interface ethernet 0
RouterA(config-if)# ip address 1.1.1.1 255.255.255.0
RouterA(config-if)# ip policy route-map load-sharing
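As an added example (not code from the course or from Cisco), the following Python models the forwarding decision for the load-sharing route map above, including the routing-table rule that separates set ip next-hop from set ip default next-hop. The routing table, the 10.0.0.0/8 internal route and the egress names are constructed for the example.

```python
"""Added example, not from the course slides: the PBR decision for the
load-sharing route map, with 'default' set clauses applied only when the
routing table has no explicit (non-default) route to the destination.
Routing table and egress names below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def wildcard_match(address: str, wildcard: str, ip: str) -> bool:
    """Standard-ACL test on a packet's source: wildcard 0 bits must be equal."""
    a, w, x = (int(ipaddress.IPv4Address(v)) for v in (address, wildcard, ip))
    return (a & ~w) == (x & ~w)


@dataclass
class PolicySeq:
    seq: int
    acl: Optional[tuple]                   # (address, wildcard) or None = match all
    action: str = "permit"
    next_hop: Optional[str] = None         # set ip next-hop
    default_next_hop: Optional[str] = None # set ip default next-hop
    default_interface: Optional[str] = None  # set default interface


def lookup(routing_table: dict, dst: str) -> Optional[tuple]:
    """Longest-prefix match over {prefix: egress}; (prefix, egress) or None."""
    ip = ipaddress.IPv4Address(dst)
    best = None
    for prefix, egress in routing_table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress)
    return (str(best[0]), best[1]) if best else None


def explicit_route(routing_table: dict, dst: str) -> bool:
    """For PBR, 'explicit' means any route other than the default route."""
    hit = lookup(routing_table, dst)
    return hit is not None and hit[0] != "0.0.0.0/0"


def forward(policy: list, routing_table: dict, src: str, dst: str) -> str:
    """Return where the packet goes, as the route map and table decide it."""
    for s in sorted(policy, key=lambda s: s.seq):
        if s.acl is not None and not wildcard_match(s.acl[0], s.acl[1], src):
            continue
        if s.action == "deny":
            break                                      # normal routing
        if s.next_hop:
            return f"next-hop {s.next_hop}"            # overrides the table outright
        if not explicit_route(routing_table, dst):
            if s.default_next_hop:
                return f"next-hop {s.default_next_hop}"
            if s.default_interface:
                return f"interface {s.default_interface}"
        break      # matched, but an explicit route exists: normal routing
    hit = lookup(routing_table, dst)
    return f"routed via {hit[1]}" if hit else "dropped (no route)"


def load_sharing() -> list:
    """The route map from the slide, as data."""
    return [
        PolicySeq(10, ("1.1.0.0", "0.0.255.255"), default_next_hop="6.6.6.6"),
        PolicySeq(20, ("1.2.0.0", "0.0.255.255"), default_next_hop="7.7.7.7"),
        PolicySeq(30, None, default_interface="null0"),
    ]


def sample_routing_table() -> dict:
    """Constructed: a default route plus one internal route."""
    return {"0.0.0.0/0": "ISP-A", "1.1.0.0/16": "Ethernet0", "10.0.0.0/8": "Serial1"}


if __name__ == "__main__":
    for src, dst in (("1.1.1.1", "190.168.1.1"), ("1.1.1.1", "10.5.5.5"),
                     ("9.9.9.9", "190.168.1.1")):
        print(src, "->", dst, ":", forward(load_sharing(), sample_routing_table(), src, dst))
```

The last sequence (set default interface null0 with no match clause) is what enforces "all other traffic must be denied", but only for destinations without an explicit route; a packet from an unlisted source to 10.0.0.0/8 is still routed normally.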
Verifying Policy-Based Routing Examples
RouterA# show ip policy
Interface Route map
Ethernet0 load-sharing

RouterA# show route-map
route-map load-sharing, permit, sequence 10
Match clauses:
ip address (access-lists): 1
Set clauses:
ip default next-hop 6.6.6.6
Policy routing matches: 3 packets, 168 bytes
route-map load-sharing, permit, sequence 20
Match clauses:
ip address (access-lists): 2
Set clauses:
ip default next-hop 7.7.7.7
route-map load-sharing, permit, sequence 30
Set clauses:
default interface null0

RouterA# debug ip policy
Policy routing debugging is on

11:51:25: IP: s=1.1.1.1 (Ethernet0), d=190.168.1.1, len 100, policy match
11:51:25: IP: route map load-sharing, item 10, permit
11:51:25: IP: s=1.1.1.1 (Ethernet0), d=190.168.1.1 (Serial0), len 100, policy routed
11:51:25: IP: Ethernet0 to Serial0 6.6.6.6

#traceroute <ip>
#ping <ip>, with record option
Explaining BGP Concepts and Terminology

Using BGP to Connect to the Internet
What Is Multihoming?
Connecting to two or more ISPs to increase the
following:
 Reliability: If one ISP or connection fails, there is still
Internet access.
 Performance: Path selection to common Internet
destinations is better.

Example: Default Routes from All Providers

Default Routes from All Providers and Partial Table

Example: Full Routes from All Providers
BGP Autonomous Systems

 An AS is a collection of networks under a single technical administration.
 IGPs operate within an AS.
 BGP is used between autonomous systems.
 Exchange of loop-free routing information is guaranteed: each AS prepends its number to the AS path, and a router rejects any path that already contains its own AS.

BGP Path-Vector Routing

 IGPs announce networks and describe the metric to reach those networks.
 BGP announces paths and the networks that are reachable at the end of the path. BGP describes the path by using attributes, which are similar to metrics.
 BGP allows administrators to define policies or rules for how data will flow through the autonomous systems.
BGP Routing Policies

BGP can support any policy conforming to the hop-by-hop (AS-by-AS) routing paradigm.
BGP Characteristics
 BGP is most appropriate when at least one of the following conditions exists:
   An AS allows packets to transit through it to reach other autonomous systems (for example, it is a service provider).
   An AS has multiple connections to other autonomous systems.
   Routing policy and route selection for traffic entering and leaving the AS must be manipulated.
 BGP is not always appropriate. You do not have to use BGP if you have one of the following conditions:
   Limited understanding of route filtering and the BGP path-selection process
   A single connection to the Internet or another AS
   Lack of memory or processor power to handle constant updates on BGP routers
BGP Characteristics (Cont.)
BGP is a path-vector protocol with the following
enhancements over distance vector protocols:
 Reliable updates: runs on top of TCP (port 179)
 Incremental, triggered updates only
 Periodic keepalive messages to verify TCP connectivity
 Rich metrics (called path vectors or attributes)
 Designed to scale to huge internetworks (for example,
the Internet)

BGP Databases
 Neighbor table
 List of BGP neighbors
 BGP table (forwarding database)
 List of all networks learned from each neighbor
 Can contain multiple paths to destination networks
 Contains BGP attributes for each path
 IP routing table
 List of best paths to destination networks

BGP Message Types
BGP defines the following message types:
 Open
 Includes hold time and BGP router ID
 Keepalive
 Update
 Information for one path only
(could be to multiple networks)
 Includes path attributes and networks

 Notification
 When error is detected
 BGP connection closed after message is sent

Explaining EBGP and IBGP
Peers = Neighbors

 A "BGP peer," also known as a "BGP neighbor," is a specific term that is used for BGP speakers that have established a neighbor relationship.
 Any two routers that have formed a TCP connection to exchange BGP routing information are called BGP peers or BGP neighbors.
External BGP

 When BGP is running between neighbors that belong to different autonomous systems, it is called EBGP.
 EBGP neighbors, by default, need to be directly connected: EBGP packets are sent with a TTL of 1 unless ebgp-multihop is configured.

Internal BGP

 When BGP is running between neighbors within the same AS, it is called IBGP.
 The neighbors do not have to be directly connected.
IBGP in a Transit AS (ISP)

 Redistributing BGP into an IGP (OSPF in this example) is not recommended.
 Instead, run IBGP on all routers.

IBGP in a NonTransit AS

By default, routes learned via IBGP are never propagated to other IBGP peers, so they need full-mesh IBGP.
Routing Issues If BGP Not on in All Routers in Transit Path

• Router C will drop the packet to network 10.0.0.0. Router C is not running IBGP; therefore, it has not learned about the route to network 10.0.0.0 from router B.
• In this example, router B and router E are not redistributing BGP into OSPF.

Configuring Basic BGP Operations
BGP Commands
Router(config)#
router bgp autonomous-system

• This command enters router configuration mode only; subcommands must be entered to activate BGP.
• Only one instance of BGP can be configured on the router at a single time.
• The autonomous system number identifies the autonomous system to which the router belongs.
• The autonomous system number in this command is compared to the autonomous system numbers listed in neighbor statements to determine if the neighbor is an internal or external neighbor.
BGP neighbor remote-as Command
Router(config-router)#
neighbor {ip-address | peer-group-name} remote-as autonomous-system

• The neighbor command activates a BGP session with this neighbor.
• The IP address that is specified is the destination address of BGP packets going to this neighbor.
• This router must have an IP path to reach this neighbor before it can set up a BGP relationship.
• The remote-as option shows what AS this neighbor is in. This AS number is used to determine if the neighbor is internal or external.
• This command is used for both external and internal neighbors.

Example: BGP neighbor Command
BGP neighbor shutdown Command
Router(config-router)#
neighbor {ip-address | peer-group-name} shutdown

• Administratively brings down a BGP neighbor
• Used for maintenance and policy changes to prevent route flapping

Router(config-router)#
no neighbor {ip-address | peer-group-name} shutdown

• Re-enables a BGP neighbor that has been administratively shut down
BGP Issues with Source IP Address
 When creating a BGP packet, the neighbor statement
defines the destination IP address and the outbound
interface defines the source IP address.
 When a BGP packet is received for a new BGP session,
the source address of the packet is compared to the list
of neighbor statements:
 If a match is found, a relationship is established.
 If no match is found, the packet is ignored.
 Make sure that the source IP address matches the
address that the other router has in its neighbor
statement.
Example: IBGP Peering Issue
BGP neighbor update-source Command
Router(config-router)#
neighbor {ip-address | peer-group-name} update-source interface-type interface-number

• This command allows the BGP process to use the IP address of a specified interface as the source IP address of all BGP updates to that neighbor.
• A loopback interface is usually used, because it will be available as long as the router is operational.
• The IP address used in the neighbor command on the other router will be the destination IP address of all BGP updates and should be the loopback interface of this router.
• The neighbor update-source command is normally used only with IBGP neighbors.
• The address of an EBGP neighbor must be directly connected by default; the loopback of an EBGP neighbor is not directly connected.

Example: BGP Using Loopback Addresses
BGP neighbor ebgp-multihop Command
Router(config-router)#

neighbor {ip-address | peer-group-name} ebgp-multihop [ttl]

• This command increases the default of one hop for EBGP peers.
• It allows routes to the EBGP loopback address (which will have a hop
count greater than 1).

Example: ebgp-multihop Command

Next-Hop Behavior
• BGP is an AS-by-AS routing protocol, not a router-by-router routing
protocol.
• In BGP, the next hop does not mean the next router; it means the IP
address to reach the next AS.
• For EBGP, the default next hop is the IP address of the neighbor router
that sent the update.
• For IBGP, the BGP protocol states that the next hop advertised by EBGP
should be carried into IBGP.

Example: Next-Hop Behavior

 Router A advertises network 172.16.0.0 to router B in EBGP, with a next
hop of 10.10.10.3.
 Router B advertises 172.16.0.0 in IBGP to router C, keeping 10.10.10.3
as the next-hop address.
BGP neighbor next-hop-self Command
Router(config-router)#
neighbor {ip-address | peer-group-name} next-hop-self

 Forces all updates for this neighbor to be advertised with this router
as the next hop.
 The IP address used for the next-hop-self option will be the same as
the source IP address of the BGP packet.

Example: next-hop-self Configuration

Example: Next Hop on a Multiaccess Network
The following takes place in a multiaccess network:
• Router B advertises network 172.30.0.0 to router A in EBGP with a next
hop of 10.10.10.2, not 10.10.10.1. This avoids an unnecessary hop.
• BGP is being efficient by informing AS 64520 of the best entry point
into AS 65000 for network 172.30.0.0.
• Router B in AS 65000 also advertises to AS 64520 that the best entry
point for each network in AS 64600 is the next hop of router C because
that is the best path to move through AS 65000 to AS 64600.
Using a Peer Group
Router(config-router)#
neighbor peer-group-name peer-group

• This command creates a peer group.

Router(config-router)#
neighbor ip-address peer-group peer-group-name

• This command defines a template with parameters set for a group of
neighbors instead of individually.
• This command is useful when many neighbors have the same
outbound policies.
• Members can have a different inbound policy.
• Updates are generated once per peer group.
• Configuration is simplified.

Example: Using a Peer Group

Router C Without a Peer Group

router bgp 65100
neighbor 192.168.24.1 remote-as 65100
neighbor 192.168.24.1 update-source Loopback 0
neighbor 192.168.24.1 next-hop-self
neighbor 192.168.24.1 distribute-list 20 out
neighbor 192.168.25.1 remote-as 65100
neighbor 192.168.25.1 update-source Loopback 0
neighbor 192.168.25.1 next-hop-self
neighbor 192.168.25.1 distribute-list 20 out
neighbor 192.168.26.1 remote-as 65100
neighbor 192.168.26.1 update-source Loopback 0
neighbor 192.168.26.1 next-hop-self
neighbor 192.168.26.1 distribute-list 20 out

Router C Using a Peer Group

router bgp 65100
neighbor internal peer-group
neighbor internal remote-as 65100
neighbor internal update-source Loopback 0
neighbor internal next-hop-self
neighbor internal distribute-list 20 out
neighbor 192.168.24.1 peer-group internal
neighbor 192.168.25.1 peer-group internal
neighbor 192.168.26.1 peer-group internal
BGP network Command
Router(config-router)#
network network-number [mask network-mask] [route-map map-tag]

• This command tells BGP what network to advertise.
• The command does not activate the protocol on an interface.
• Without a mask option, the command advertises classful networks. If a
subnet of the classful network exists in a routing table, the classful
address is announced.
• With the mask option, BGP looks for an exact match in the local
routing table before announcing the route.

Example: BGP network Command
Router(config-router)#
network 192.168.1.1 mask 255.255.255.0

• The router looks for exactly 192.168.1.1/24 in the routing table, but
cannot find it, so it will not announce anything.

Router(config-router)#
network 192.168.0.0 mask 255.255.0.0

• The router looks for exactly 192.168.0.0/16 in the routing table.
• If the exact route is not in the table, you can add a static route to
null0 so that the route can be announced.

BGP Synchronization
Synchronization rule: Do not use or advertise to an external
neighbor a route learned by IBGP until a matching route has
been learned from an IGP
• Ensures consistency of information throughout the AS
• Safe to have it off only if all routers in the transit path in the AS are running
full-mesh IBGP; off by default in Cisco IOS software release 12.2(8)T and
later
Router(config-router)#
no synchronization
• Disables BGP synchronization so that a router will advertise routes in
BGP without learning them in an IGP
Router(config-router)#
synchronization

• Enables BGP synchronization so that a router will not advertise routes
in BGP until it learns them in an IGP
Example: BGP Synchronization

• If synchronization is on, then:
– Routers A, C, and D would not use or advertise the route to
172.16.0.0 until they receive the matching route via an IGP.
– Router E would not hear about 172.16.0.0.
• If synchronization is off (the default), then:
– Routers A, C, and D would use and advertise the route that they
receive via IBGP; router E would hear about 172.16.0.0.
– If router E sends traffic for 172.16.0.0, routers A, C, and D
would route the packets correctly to router B.
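The two routing-table lookups described above, the `network` command (classful announcement without `mask`, exact match with `mask`, and the null0 static that satisfies an exact match) and the synchronization rule, replayed over a constructed routing table. This is an added Python illustration written for this page; it is not Cisco IOS code, and the table entries and protocol names in it are constructed sample values.

```python
"""Added example: model the RIB lookups behind the BGP `network` command and
the synchronization rule. Constructed for this page; not Cisco IOS code."""
from ipaddress import IPv4Address, IPv4Network, ip_network
from typing import Dict, Optional

# Constructed routing table: prefix -> protocol that installed it.
RIB: Dict[IPv4Network, str] = {
    IPv4Network("192.168.1.0/25"): "connected",  # a subnet of classful 192.168.1.0/24
    IPv4Network("172.16.10.0/24"): "connected",
    IPv4Network("10.1.0.0/16"): "ospf",
    IPv4Network("172.16.0.0/16"): "bgp",          # learned via IBGP, no IGP copy
}
IGP_PROTOCOLS = {"ospf", "eigrp", "rip", "isis"}


def classful_network(addr: str) -> IPv4Network:
    """Classful network containing `addr`: class A /8, class B /16, class C /24."""
    first_octet = int(addr.split(".")[0])
    prefixlen = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ip_network(f"{addr}/{prefixlen}", strict=False)


def bgp_network_advertises(rib: Dict[IPv4Network, str], network: str,
                           mask: Optional[str] = None) -> Optional[IPv4Network]:
    """Model `network network-number [mask network-mask]`.

    Without a mask, the classful network is announced as soon as the RIB holds
    it or any subnet of it. With a mask, BGP needs an exact match: the
    network/mask pair must be present in the RIB as written, so a value with
    host bits set (192.168.1.1 mask 255.255.255.0) can never match.
    Returns the prefix that would be announced, or None.
    """
    if mask is None:
        want = classful_network(network)
        return want if any(entry.subnet_of(want) for entry in rib) else None
    want = ip_network(f"{network}/{mask}", strict=False)
    if IPv4Address(network) != want.network_address:
        return None                      # host bits set: no RIB entry can match exactly
    return want if want in rib else None


def may_advertise_to_ebgp(rib: Dict[IPv4Network, str], prefix: str,
                          learned_via: str, synchronization: bool) -> bool:
    """Synchronization rule: do not use or advertise to an EBGP neighbor a
    route learned by IBGP until a matching route has been learned from an IGP.
    Routes from any other source, or any route with synchronization off, pass."""
    if learned_via != "ibgp" or not synchronization:
        return True
    return rib.get(IPv4Network(prefix)) in IGP_PROTOCOLS


if __name__ == "__main__":
    print(bgp_network_advertises(RIB, "192.168.1.1", "255.255.255.0"))   # None
    print(bgp_network_advertises(RIB, "192.168.1.0"))                    # 192.168.1.0/24
    with_static = {**RIB, IPv4Network("192.168.0.0/16"): "static"}       # ip route ... null0
    print(bgp_network_advertises(with_static, "192.168.0.0", "255.255.0.0"))
    print(may_advertise_to_ebgp(RIB, "172.16.0.0/16", "ibgp", True))     # False
```

The `with_static` table is what the slide's "add a static route to null0" advice produces: the exact /16 now exists in the RIB, so the masked `network` statement is honoured.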
Example: BGP Configuration

BGP Example Configuration
1. RouterB(config)# router bgp 65000

2. RouterB(config-router)# neighbor 10.1.1.2 remote-as 64520

3. RouterB(config-router)# neighbor 192.168.2.2 remote-as 65000

4. RouterB(config-router)# neighbor 192.168.2.2 update-source Loopback 0

5. RouterB(config-router)# neighbor 192.168.2.2 next-hop-self

6. RouterB(config-router)# network 172.16.10.0 mask 255.255.255.0

7. RouterB(config-router)# network 192.168.1.0

8. RouterB(config-router)# network 192.168.3.0

9. RouterB(config-router)# no synchronization

BGP States
When establishing a BGP session, BGP goes through
the following states:
1. Idle: Router is searching routing table to see whether a
route exists to reach the neighbor.
2. Connect: Router found a route to the neighbor and has
completed the three-way TCP handshake.
3. Open sent: Open message sent, with the parameters for
the BGP session.
4. Open confirm: Router received agreement on the
parameters for establishing session.
 Alternatively, router goes into active state if no response to
open message
5. Established: Peering is established; routing begins.
BGP Established and Idle States
• Idle: The router in this state cannot find the address of
the neighbor in the routing table. Check for an IGP
problem. Is the neighbor announcing the route?
• Established: The established state is the proper
state for BGP operations. In the output of the show ip
bgp summary command, if the State/PfxRcd column shows a
number, the session is in the established state. The
number is how many routes have been learned from this
neighbor.

Example: show ip bgp neighbors Command
RouterA#sh ip bgp neighbors
BGP neighbor is 172.31.1.3, remote AS 64998, external link
BGP version 4, remote router ID 172.31.2.3
BGP state = Established, up for 00:19:10
Last read 00:00:10, last write 00:00:10, hold time is 180, keepalive
interval is 60 seconds
Neighbor capabilities:
Route refresh: advertised and received(old & new)
Address family IPv4 Unicast: advertised and received
Message statistics:
InQ depth is 0
OutQ depth is 0
Sent Rcvd
Opens: 7 7
Notifications: 0 0
Updates: 13 38
<output omitted>

BGP Active State Troubleshooting
Active: The router has sent an open packet and is
waiting for a response. The state may cycle between
active and idle. The neighbor may not know how to get
back to this router because of the following reasons:
 Neighbor does not have a route to the source IP address
of the BGP open packet generated by this router.
 Neighbor is peering with the wrong address.
 Neighbor does not have a neighbor statement for this
router.
 AS number is misconfigured.

Example: BGP Active State Troubleshooting
AS number misconfiguration:
 At the router with the wrong remote AS number:
%BGP-3-NOTIFICATION: sent to neighbor
172.31.1.3 2/2 (peer in wrong AS) 2 bytes FDE6
FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 002D
0104 FDE6 00B4 AC1F 0203 1002 0601 0400 0100
0102 0280 0002 0202 00
 At the remote router:
%BGP-3-NOTIFICATION: received from neighbor
172.31.1.1 2/2 (peer in wrong AS) 2 bytes FDE6
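The hex dump in the notification above is the OPEN message the peer sent. The following added Python example, written for this page and not Cisco code, decodes it and reproduces the check that produced the "peer in wrong AS" notification (error code 2, subcode 2, with the peer's AS as the 2-byte data). The bytes are the slide's dump re-typed as a literal; the misconfigured `remote-as` value used in the usage (64999) is an assumed one.

```python
"""Added example: parse the BGP OPEN message dumped in the notification above
and reproduce the "peer in wrong AS" check. Written for this page, not Cisco
code. The bytes are the slide's hex dump re-typed; the misconfigured
`remote-as` value (64999) is an assumed one."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MARKER = b"\xff" * 16
OPEN, UPDATE, NOTIFICATION, KEEPALIVE = 1, 2, 3, 4
OPEN_MESSAGE_ERROR = 2   # NOTIFICATION error code
BAD_PEER_AS = 2          # error subcode: together the "2/2" in the log line

# The OPEN message from the slide (hex dump, whitespace removed).
OPEN_FROM_SLIDE = bytes.fromhex(
    ("FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 002D 0104 FDE6 00B4 AC1F 0203 1002"
     "0601 0400 0100 0102 0280 0002 0202 00").replace(" ", "")
)


@dataclass
class OpenMessage:
    version: int
    my_as: int
    hold_time: int
    router_id: str
    capabilities: List[Tuple[int, bytes]] = field(default_factory=list)


def parse_open(msg: bytes) -> OpenMessage:
    """Decode the fixed part of an OPEN (RFC 4271 section 4.2) and its
    capabilities (optional parameter type 2, RFC 5492)."""
    if len(msg) < 29 or msg[:16] != MARKER:
        raise ValueError("bad marker or truncated message")
    length, msg_type = struct.unpack("!HB", msg[16:19])
    if length != len(msg) or msg_type != OPEN:
        raise ValueError("not a well-formed OPEN message")
    version, my_as, hold_time, rid, opt_len = struct.unpack("!BHHIB", msg[19:29])
    params = msg[29:29 + opt_len]
    caps: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(params):
        ptype, plen = params[i], params[i + 1]
        body = params[i + 2:i + 2 + plen]
        if ptype == 2:                       # capabilities parameter
            j = 0
            while j < len(body):
                code, clen = body[j], body[j + 1]
                caps.append((code, body[j + 2:j + 2 + clen]))
                j += 2 + clen
        i += 2 + plen
    router_id = ".".join(str(b) for b in rid.to_bytes(4, "big"))
    return OpenMessage(version, my_as, hold_time, router_id, caps)


def build_notification(code: int, subcode: int, data: bytes = b"") -> bytes:
    """NOTIFICATION: 19-byte header, error code, subcode, optional data."""
    length = 19 + 2 + len(data)
    return MARKER + struct.pack("!HBBB", length, NOTIFICATION, code, subcode) + data


def check_peer_as(msg: bytes, configured_remote_as: int) -> Tuple[Optional[bytes], OpenMessage]:
    """Compare the AS announced in the OPEN with the `neighbor ... remote-as`
    we configured. On a mismatch return the NOTIFICATION a router would send
    (error 2, subcode 2); the data carries the peer's AS, which is the
    "2 bytes FDE6" in the log (0xFDE6 = 64998)."""
    opened = parse_open(msg)
    if opened.my_as != configured_remote_as:
        data = struct.pack("!H", opened.my_as)
        return build_notification(OPEN_MESSAGE_ERROR, BAD_PEER_AS, data), opened
    return None, opened


if __name__ == "__main__":
    notif, opened = check_peer_as(OPEN_FROM_SLIDE, 64999)   # wrong remote-as configured
    print(opened)
    print(notif.hex() if notif else "peer AS accepted")
```

Decoding the dump also explains the earlier `show ip bgp neighbors` output: the capabilities carried are IPv4 unicast (code 1, value 0001 0001) and route refresh in both its old (code 128) and standard (code 2) forms, and the BGP identifier AC1F0203 is the remote router ID 172.31.2.3.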

Example: BGP Peering
RouterA# show ip bgp summary
BGP router identifier 10.1.1.1, local AS number 65001
BGP table version is 124, main routing table version 124
9 network entries using 1053 bytes of memory
22 path entries using 1144 bytes of memory
12/5 BGP path/bestpath attribute entries using 1488 bytes of memory
6 BGP AS-PATH entries using 144 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 3829 total bytes of memory
BGP activity 58/49 prefixes, 72/50 paths, scan interval 60 secs

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.1.0.2 4 65001 11 11 124 0 0 00:02:28 8
172.31.1.3 4 64998 21 18 124 0 0 00:01:13 6
172.31.11.4 4 64999 11 10 124 0 0 00:01:11 6

BGP Neighbor Authentication
Router(config-router)#

neighbor {ip-address | peer-group-name} password string

 BGP authentication uses MD5.
 Configure a key (password); the router generates a
message digest, or hash, of the key and the message.
 The message digest is sent; the key is not sent.
 The router generates and checks the MD5 digest of every
segment sent on the TCP connection, so it authenticates the
source of each routing update packet that it receives.
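What `neighbor ... password` turns on is the TCP MD5 signature option of RFC 2385: every segment carries a digest over the pseudo-header, the TCP header (checksum zeroed, options excluded), the segment data and the shared key, and the receiver recomputes it with its own copy of the key. The following added Python model, written for this page and not router code, shows that exchange; the addresses, ports, sequence numbers and key are constructed sample values.

```python
"""Added example: the TCP MD5 signature (RFC 2385) that `neighbor ... password`
enables, modelled in Python. Not router code; addresses, ports, sequence
numbers and the key are constructed sample values."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

TCP_PROTO = 6
BGP_PORT = 179
MD5_OPTION_LEN = 18              # kind 19, length 18, 16-byte digest
OPTIONS_LEN = MD5_OPTION_LEN + 2  # padded with two NOPs to a 32-bit boundary
TCP_HEADER_LEN = 20

# A BGP KEEPALIVE: 16-byte marker, length 19, type 4 (constructed payload).
KEEPALIVE = b"\xff" * 16 + b"\x00\x13\x04"


def tcp_md5_digest(src: str, dst: str, sport: int, dport: int, seq: int, ack: int,
                   flags: int, window: int, payload: bytes, key: bytes) -> bytes:
    """RFC 2385: MD5 over (1) the pseudo-header, (2) the TCP header with the
    checksum zeroed and options excluded, (3) the segment data, (4) the key.
    The key itself is never transmitted; only this 16-byte digest is."""
    seg_len = TCP_HEADER_LEN + OPTIONS_LEN + len(payload)
    data_offset = (TCP_HEADER_LEN + OPTIONS_LEN) // 4        # as carried on the wire
    pseudo = struct.pack("!4s4sBBH", IPv4Address(src).packed, IPv4Address(dst).packed,
                         0, TCP_PROTO, seg_len)
    tcp_header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                             data_offset << 4, flags, window, 0, 0)
    return hashlib.md5(pseudo + tcp_header + payload + key).digest()


def sign_segment(src, dst, sport, dport, seq, ack, flags, window, payload, key):
    """Sender side: the value placed in the MD5 option of the outgoing segment."""
    return tcp_md5_digest(src, dst, sport, dport, seq, ack, flags, window, payload, key)


def verify_segment(src, dst, sport, dport, seq, ack, flags, window, payload, key,
                   received_digest: bytes) -> bool:
    """Receiver side: recompute with the locally configured key and compare in
    constant time. A wrong key, a changed payload or a spoofed address fails."""
    expected = tcp_md5_digest(src, dst, sport, dport, seq, ack, flags, window, payload, key)
    return hmac.compare_digest(expected, received_digest)


if __name__ == "__main__":
    key = b"constructed-sample-key"
    args = ("172.31.1.1", "172.31.1.3", 41000, BGP_PORT, 1000, 2000, 0x18, 16384, KEEPALIVE)
    digest = sign_segment(*args, key)
    print(digest.hex())
    print(verify_segment(*args, key, digest))            # True
    print(verify_segment(*args, b"wrong-key", digest))   # False
```

Because the source and destination addresses are part of the digest input, a segment with a forged source address fails verification even if the attacker guesses every TCP field correctly; the key, which never appears on the wire, is what the check ultimately depends on.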

Example: BGP Neighbor Authentication

Example: show ip bgp Command
RouterA# show ip bgp
BGP table version is 14, local router ID is 172.31.11.1
Status codes: s suppressed, d damped, h history, * valid, > best, i -
internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 10.1.0.0/24 0.0.0.0 0 32768 i
* i 10.1.0.2 0 100 0 i
*> 10.1.1.0/24 0.0.0.0 0 32768 i
*>i10.1.2.0/24 10.1.0.2 0 100 0 i
*> 10.97.97.0/24 172.31.1.3 0 64998 64997 i
* 172.31.11.4 0 64999 64997 i
* i 172.31.11.4 0 100 0 64999 64997 i
*> 10.254.0.0/24 172.31.1.3 0 0 64998 i
* 172.31.11.4 0 64999 64998 i
* i 172.31.1.3 0 100 0 64998 i
r> 172.31.1.0/24 172.31.1.3 0 0 64998 i
r 172.31.11.4 0 64999 64998 i
r i 172.31.1.3 0 100 0 64998 i
*> 172.31.2.0/24 172.31.1.3 0 0 64998 i
<output omitted>

Displays networks from lowest to highest


Example: show ip bgp rib-failure Command
RouterA# show ip bgp rib-failure
Network Next Hop RIB-failure RIB-NH Matches
172.31.1.0/24 172.31.1.3 Higher admin distance n/a
172.31.11.0/24 172.31.11.4 Higher admin distance n/a

• Displays networks that are not installed in the RIB and the reason that
they were not installed

Clearing the BGP Session
 When policies such as access lists or attributes are
changed, the change takes effect immediately, and the
next time that a prefix or path is advertised or received,
the new policy is used. It can take a long time for the
policy to be applied to all networks.
 You must trigger an update to ensure that the policy is
immediately applied to all affected prefixes and paths.
 Ways to trigger an update:
 Hard reset
 Soft reset
 Route refresh

Hard Reset of BGP Sessions
router#
clear ip bgp *

• Resets all BGP connections with this router.
• Entire BGP forwarding table is discarded.
• BGP session makes the transition from established to idle; everything
must be relearned.

router#
clear ip bgp [neighbor-address]

• Resets only a single neighbor.
• BGP session makes the transition from established to idle; everything
from this neighbor must be relearned.
• Less severe than clear ip bgp *.
Soft Reset Outbound
Router#
clear ip bgp {*|neighbor-address} [soft out]

• Routes learned from this neighbor are not lost.
• This router resends all BGP information to the neighbor without
resetting the connection.
• The connection remains established.
• This option is highly recommended when you are changing
outbound policy.
• The soft out option does not help if you are changing inbound
policy.

Inbound Soft Reset
Router(config-router)#
neighbor [ip-address] soft-reconfiguration inbound

• This router stores all updates from this neighbor in case the inbound
policy is changed.
• The command is memory-intensive.
Router#
clear ip bgp {*|neighbor-address} soft in

• Uses the stored information to generate new inbound updates

Route Refresh: Dynamic Inbound Soft Reset
Router#
clear ip bgp {*|neighbor-address} [soft in | in]

• Routes advertised to this neighbor are not withdrawn.
• Does not store update information locally.
• The connection remains established.
• Introduced in Cisco IOS software release 12.0(2)S and 12.0(6)T.

debug ip bgp updates Command
RouterA#debug ip bgp updates
Mobile router debugging is on for address family: IPv4 Unicast
RouterA#clear ip bgp 10.1.0.2
<output omitted>
*Feb 24 11:06:41.309: %BGP-5-ADJCHANGE: neighbor 10.1.0.2 Up
*Feb 24 11:06:41.309: BGP(0): 10.1.0.2 send UPDATE (format) 10.1.1.0/24, next
10.1.0.1, metric 0, path Local
*Feb 24 11:06:41.309: BGP(0): 10.1.0.2 send UPDATE (prepend, chgflags: 0x0)
10.1.0.0/24, next 10.1.0.1, metric 0, path Local
*Feb 24 11:06:41.309: BGP(0): 10.1.0.2 NEXT_HOP part 1 net 10.97.97.0/24, next
172.31.11.4
*Feb 24 11:06:41.309: BGP(0): 10.1.0.2 send UPDATE (format) 10.97.97.0/24, next
172.31.11.4, metric 0, path 64999 64997
*Feb 24 11:06:41.309: BGP(0): 10.1.0.2 NEXT_HOP part 1 net 172.31.22.0/24, next
172.31.11.4
*Feb 24 11:06:41.309: BGP(0): 10.1.0.2 send UPDATE (format) 172.31.22.0/24, next
172.31.11.4, metric 0, path 64999
<output omitted>
*Feb 24 11:06:41.349: BGP(0): 10.1.0.2 rcvd UPDATE w/ attr: nexthop 10.1.0.2,
origin i, localpref 100, metric 0
*Feb 24 11:06:41.349: BGP(0): 10.1.0.2 rcvd 10.1.2.0/24
*Feb 24 11:06:41.349: BGP(0): 10.1.0.2 rcvd 10.1.0.0/24

Selecting a BGP Path

BGP Path Attributes
 BGP metrics are called path attributes.
 Characteristics of path attributes include:
 Well-known versus optional
 Mandatory versus discretionary
 Transitive versus nontransitive
 Partial

Well-Known Attributes
 Well-known attributes
 Must be recognized by all compliant BGP implementations
 Are propagated to other neighbors
 Well-known mandatory attributes
 Must be present in all update messages
 Well-known discretionary attributes
 May be present in update messages

Optional Attributes
 Optional attributes
 They are recognized by some implementations (could be
private); but expected not to be recognized by all BGP routers.
 Recognized optional attributes are propagated to other
neighbors based on their meaning.
 Optional transitive attributes
 If not recognized, marked as partial and propagated to other
neighbors
 Optional nontransitive attributes
 Discarded if not recognized
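The well-known / optional / transitive / partial characteristics above are four flag bits in every path attribute (RFC 4271 section 4.3), and the propagation rules for unrecognized attributes follow from them. The following added Python example, written for this page and not from the slides or any router, parses a constructed attribute list and applies those rules; the attribute bytes and the set of "recognized" type codes are constructed for the demonstration.

```python
"""Added example: decode BGP path-attribute flags (RFC 4271 section 4.3) and
apply the propagation rules listed above to attributes a speaker does not
recognize. Written for this page; the attribute bytes are constructed."""
import struct
from dataclasses import dataclass
from typing import List, Optional

OPTIONAL, TRANSITIVE, PARTIAL, EXTENDED_LENGTH = 0x80, 0x40, 0x20, 0x10

# Type codes this (constructed) speaker implements. COMMUNITY (8) is left out
# on purpose to show what happens to an unrecognized optional transitive attribute.
KNOWN = {1: "ORIGIN", 2: "AS_PATH", 3: "NEXT_HOP", 4: "MULTI_EXIT_DISC", 5: "LOCAL_PREF"}

# Constructed path attributes as they would appear inside an UPDATE message.
UPDATE_ATTRS = bytes.fromhex(
    ("400101 00"                   # ORIGIN, well-known, value IGP
     "5002 0006 0202 FDE6 FDE5"    # AS_PATH, well-known, extended length, seq 64998 64997
     "400304 AC1F0103"             # NEXT_HOP 172.31.1.3, well-known
     "800404 00000000"             # MED 0, optional nontransitive
     "C00804 FDE60064"             # COMMUNITY 64998:100, optional transitive
     "80C801 01").replace(" ", "") # type 200, optional nontransitive, unknown here
)


@dataclass
class PathAttribute:
    flags: int
    type_code: int
    value: bytes

    @property
    def optional(self) -> bool:
        return bool(self.flags & OPTIONAL)

    @property
    def transitive(self) -> bool:
        return bool(self.flags & TRANSITIVE)

    @property
    def partial(self) -> bool:
        return bool(self.flags & PARTIAL)

    def category(self) -> str:
        if not self.optional:
            return "well-known"   # well-known attributes always carry the transitive bit
        return "optional transitive" if self.transitive else "optional nontransitive"


def parse_attributes(buf: bytes) -> List[PathAttribute]:
    """Walk the attribute list; the extended-length flag selects a 2-byte length."""
    attrs, i = [], 0
    while i < len(buf):
        flags, code = buf[i], buf[i + 1]
        if flags & EXTENDED_LENGTH:
            (length,) = struct.unpack("!H", buf[i + 2:i + 4])
            i += 4
        else:
            length, i = buf[i + 2], i + 3
        attrs.append(PathAttribute(flags, code, buf[i:i + length]))
        i += length
    return attrs


def for_propagation(attr: PathAttribute) -> Optional[PathAttribute]:
    """Rules from the slides: a recognized attribute passes unchanged; an
    unrecognized well-known one is a protocol error (NOTIFICATION 3/2); an
    unrecognized optional transitive one is marked partial and forwarded; an
    unrecognized optional nontransitive one is dropped."""
    if attr.type_code in KNOWN:
        return attr
    if not attr.optional:
        raise ValueError(f"unrecognized well-known attribute {attr.type_code}")
    if attr.transitive:
        return PathAttribute(attr.flags | PARTIAL, attr.type_code, attr.value)
    return None


def propagate(attrs: List[PathAttribute]) -> List[PathAttribute]:
    """Attributes that would be forwarded to the next neighbor."""
    return [a for a in (for_propagation(x) for x in attrs) if a is not None]


if __name__ == "__main__":
    for a in parse_attributes(UPDATE_ATTRS):
        print(a.type_code, a.category(), a.value.hex())
    print([(a.type_code, a.partial) for a in propagate(UPDATE_ATTRS and parse_attributes(UPDATE_ATTRS))])
```

Running it shows the COMMUNITY attribute leaving with the partial bit set (flags C0 become E0) while the unknown nontransitive type 200 is silently dropped, which is exactly the behaviour the two "optional" bullets above describe.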

BGP Attributes
BGP attributes include the following:
 AS path *
 Next-hop *
 Origin *
 Local preference
 MED
 Others

* Well-known mandatory attribute

AS Path Attribute
 A list of autonomous systems that a route has traversed:
 For example, on router B, the path to 192.168.1.0 is the AS
sequence (65500, 64520).
 The AS path attribute is well-known, mandatory.
Next-Hop Attribute
The IP address of the next AS to reach a given network:
 Router A advertises network 172.16.0.0 to router B in EBGP, with a
next hop of 10.10.10.3.
 Router B advertises 172.16.0.0 in IBGP to router C, keeping 10.10.10.3
as the next-hop address.
The next-hop attribute is well-known, mandatory.
Origin Attribute
 IGP (i)
 network command
 EGP (e)
 Redistributed from EGP
 Incomplete (?)
 Redistributed from IGP or static
The origin attribute informs all autonomous systems in the internetwork
how the prefixes were introduced into BGP.
The origin attribute is well-known, mandatory.
Example: Origin Attribute
RouterA# show ip bgp
BGP table version is 14, local router ID is 172.31.11.1
Status codes: s suppressed, d damped, h history, * valid, > best, i -
internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 10.1.0.0/24 0.0.0.0 0 32768 i
* i 10.1.0.2 0 100 0 i
*> 10.1.1.0/24 0.0.0.0 0 32768 i
*>i10.1.2.0/24 10.1.0.2 0 100 0 i
*> 10.97.97.0/24 172.31.1.3 0 64998 64997 i
* 172.31.11.4 0 64999 64997 i
* i 172.31.11.4 0 100 0 64999 64997 i
*> 10.254.0.0/24 172.31.1.3 0 0 64998 i
* 172.31.11.4 0 64999 64998 i
* i 172.31.1.3 0 100 0 64998 i
r> 172.31.1.0/24 172.31.1.3 0 0 64998 i
r 172.31.11.4 0 64999 64998 i
r i 172.31.1.3 0 100 0 64998 i
*> 172.31.2.0/24 172.31.1.3 0 0 64998 i
<output omitted>

Local Preference Attribute
Paths with the highest local preference value are preferred:
 Local preference is used to advertise to IBGP neighbors about how to leave their AS.
 The local preference is sent to IBGP neighbors only (that is, within the AS only).
 The local preference attribute is well-known and discretionary.
 Default value is 100.
MED Attribute
• The paths with the lowest MED (multi-exit discriminator, also called
the metric) value are the most desirable:
– MED is used to advertise to EBGP neighbors how to exit their AS to
reach networks owned by this AS.
• The MED attribute is optional and nontransitive.

Weight Attribute (Cisco Only)
Paths with the highest weight value are preferred.
• Weight is not sent to any BGP neighbors; it is local to this router only.
BGP Path Selection
 The BGP forwarding table usually has multiple paths
from which to choose for each network.
 BGP is not designed to perform load balancing:
 Paths are chosen because of policy.
 Paths are not chosen based on bandwidth.
 The BGP selection process eliminates any multiple paths
through attrition until a single best path is left.
 That best path is submitted to the routing table manager
process and evaluated against the methods of other
routing protocols for reaching that network (using
administrative distance).
 The route from the source with the lowest
administrative distance is installed in the routing table.
Route Selection Decision Process
Consider only (synchronized) routes with no AS loops and a
valid next hop, and then:
1. Prefer highest weight (local to router).
2. Prefer highest local preference (global within AS).
3. Prefer route originated by the local router (next hop = 0.0.0.0).
4. Prefer shortest AS path.
5. Prefer lowest origin code (IGP < EGP < incomplete).
6. Prefer lowest MED (exchanged between autonomous systems).
7. Prefer EBGP path over IBGP path.
8. Prefer the path through the closest IGP neighbor.
9. Prefer oldest route for EBGP paths.
10. Prefer the path with the lowest neighbor BGP router ID.
11. Prefer the path with the lowest neighbor IP address.

Using Route Maps to Manipulate Basic BGP Paths

BGP Is Designed to Implement Policy Routing

BGP is designed for manipulating routing paths.

Changing BGP Local Preference For All Routes
Local preference is used in these ways:
• Within an AS between IBGP speakers
• To determine the best path to exit the
AS to reach an outside network
• Set to 100 by default; higher values preferred
Router(config-router)#
bgp default local-preference value
• This command changes the default local preference value.
• All routes advertised to an IBGP neighbor have the local preference set
to the value specified.

Local Preference Case Study

What is the best path for router C to 65003, 65004, and 65005?

Router C BGP Table with Default Settings
RouterC# show ip bgp
BGP table version is 7, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
* i172.16.0.0 172.20.50.1 100 0 65005 65004 65003 i
*>i 192.168.28.1 100 0 65002 65003 i
*>i172.24.0.0 172.20.50.1 100 0 65005 i
* i 192.168.28.1 100 0 65002 65003 65004 65005 i
*>i172.30.0.0 172.20.50.1 100 0 65005 65004 i
* i 192.168.28.1 100 0 65002 65003 65004i

• By default, BGP selects the shortest AS path as the best (>) path.
• In AS 65001, the percentage of traffic going to 172.24.0.0 is 30%, 172.30.0.0 is 20%, and 172.16.0.0 is 10%.
• 50% of all traffic will go to the next hop of 172.20.50.1 (AS 65005), and 10% of all traffic will go to the next hop
of 192.168.28.1 (AS 65002).
• Make traffic to 172.30.0.0 select the next hop of 192.168.28.1 to achieve load sharing where both external
links get approximately 30% of the load.
Route Map for Router A
Router A configuration
router bgp 65001
neighbor 2.2.2.2 remote-as 65001
neighbor 3.3.3.3 remote-as 65001
neighbor 2.2.2.2 update-source loopback0
neighbor 3.3.3.3 update-source loopback0
neighbor 192.168.28.1 remote-as 65002
neighbor 192.168.28.1 route-map local_pref in
!
access-list 65 permit 172.30.0.0 0.0.255.255
!
route-map local_pref permit 10
match ip address 65
set local-preference 400
!
route-map local_pref permit 20
Router C BGP Table with Local Preference Learned
RouterC# show ip bgp
BGP table version is 7, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
* i172.16.0.0 172.20.50.1 100 0 65005 65004 65003 i
*>i 192.168.28.1 100 0 65002 65003 i
*>i172.24.0.0 172.20.50.1 100 0 65005 i
* i 192.168.28.1 100 0 65002 65003 65004 65005 i
* i172.30.0.0 172.20.50.1 100 0 65005 65004 i
*>i 192.168.28.1 400 0 65002 65003 65004i

• Best (>) paths for networks 172.16.0.0/16 and 172.24.0.0/16 have not changed.
• Best (>) path for network 172.30.0.0 has changed to a new next hop of 192.168.28.1 because the next
hop of 192.168.28.1 has a higher local preference, 400.
• In AS 65001, the percentage of traffic going to 172.24.0.0 is 30%, 172.30.0.0 is 20%, and 172.16.0.0 is
10%.
• 30% of all traffic will go to the next hop of 172.20.50.1 (AS 65005), and 30% of all traffic will go to
the next hop of 192.168.28.1 (AS 65002).
Changing BGP MED for All Routes
• MED is used when multiple paths exist between two autonomous
systems.
• A lower MED value is preferred.
• The default setting for Cisco is MED = 0.
• The metric is an optional, nontransitive attribute.
• Usually, MED is shared only between two autonomous
systems that have multiple EBGP connections with each other.

Router(config-router)#
default-metric number

• MED is considered the metric of BGP.
• All routes that are advertised to an EBGP neighbor are set to the value
specified using this command.

BGP Using Route Maps and the MED

Route Map for Router A
Router A’s Configuration:
router bgp 65001
neighbor 2.2.2.2 remote-as 65001
neighbor 3.3.3.3 remote-as 65001
neighbor 2.2.2.2 update-source loopback0
neighbor 3.3.3.3 update-source loopback0
neighbor 192.168.28.1 remote-as 65004
neighbor 192.168.28.1 route-map med_65004 out
!
access-list 66 permit 192.168.25.0 0.0.0.255
access-list 66 permit 192.168.26.0 0.0.0.255
!
route-map med_65004 permit 10
match ip address 66
set metric 100
!
route-map med_65004 permit 100
set metric 200
Route Map for Router B
Router B’s Configuration:
router bgp 65001
neighbor 1.1.1.1 remote-as 65001
neighbor 3.3.3.3 remote-as 65001
neighbor 1.1.1.1 update-source loopback0
neighbor 3.3.3.3 update-source loopback0
neighbor 172.20.50.1 remote-as 65004
neighbor 172.20.50.1 route-map med_65004 out
!
access-list 66 permit 192.168.24.0 0.0.0.255
!
route-map med_65004 permit 10
match ip address 66
set metric 100
!
route-map med_65004 permit 100
set metric 200
MED Learned by Router Z
RouterZ# show ip bgp
BGP table version is 7, local router ID is 122.30.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*>i192.168.24.0 172.20.50.2 100 100 0 65001 i
* i 192.168.28.2 200 100 0 65001 i
* i192.168.25.0 172.20.50.2 200 100 0 65001 i
*>i 192.168.28.2 100 100 0 65001 i
* i192.168.26.0 172.20.50.2 200 100 0 65001 i
*>i 192.168.28.2 100 100 0 65001 i

• Examine the networks that have been learned from AS 65001 on Router Z in AS 65004.
• For all networks: Weight is equal (0); local preference is equal (100); routes are not originated in
this AS; AS path is equal (65001); origin code is equal (i).
• 192.168.24.0 has a lower metric (MED) through 172.20.50.2 (100) than 192.168.28.2 (200).
• 192.168.25.0 has a lower metric (MED) through 192.168.28.2 (100) than 172.20.50.2 (200).
• 192.168.26.0 has a lower metric (MED) through 192.168.28.2 (100) than 172.20.50.2 (200).
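The route selection decision process listed earlier, applied to the three BGP tables in this chapter (Router C with default settings, Router C after the local preference route map, and Router Z with the MEDs learned from AS 65001). This is an added Python model written for this page, not Cisco code: it implements steps 1 to 8, 10 and 11 of the decision process, compares MED only among paths from the same neighbouring AS (the IOS default), and leaves out step 9 (oldest EBGP route) because the tables do not show arrival order. Router IDs are not shown in the tables either, so the constructed default 0.0.0.0 is used for them.

```python
"""Added example: the route selection decision process (steps 1-8, 10, 11)
applied to the BGP tables shown in the local preference and MED case studies.
Written for this page, not Cisco code. Step 9 (oldest EBGP route) needs
arrival order, which the tables do not show, so it is not modelled; router
IDs are not shown either, so the default 0.0.0.0 is used for them."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Callable, Dict, List, Optional

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}   # IGP < EGP < incomplete


@dataclass
class Path:
    next_hop: str
    as_path: List[int]
    origin: str = "i"
    weight: int = 0
    local_pref: int = 100
    med: int = 0
    ebgp: bool = False
    igp_metric: int = 0
    router_id: str = "0.0.0.0"
    neighbor_ip: str = "0.0.0.0"
    valid_next_hop: bool = True


def _keep_min(paths: List[Path], key: Callable[[Path], int]) -> List[Path]:
    best = min(key(p) for p in paths)
    return [p for p in paths if key(p) == best]


def bgp_best_path(paths: List[Path], local_as: int) -> Optional[Path]:
    """Eliminate candidates step by step until one path is left."""
    cands = [p for p in paths if p.valid_next_hop and local_as not in p.as_path]
    if not cands:
        return None
    steps = [
        lambda p: -p.weight,                                # 1. highest weight
        lambda p: -p.local_pref,                            # 2. highest local preference
        lambda p: 0 if p.next_hop == "0.0.0.0" else 1,      # 3. locally originated
        lambda p: len(p.as_path),                           # 4. shortest AS path
        lambda p: ORIGIN_RANK[p.origin],                    # 5. lowest origin code
    ]
    for key in steps:
        cands = _keep_min(cands, key)
        if len(cands) == 1:
            return cands[0]
    # 6. lowest MED, compared only among paths from the same neighboring AS
    #    (the IOS default; "bgp always-compare-med" would compare across ASes)
    by_neighbor_as: Dict[Optional[int], List[Path]] = {}
    for p in cands:
        by_neighbor_as.setdefault(p.as_path[0] if p.as_path else None, []).append(p)
    cands = [p for group in by_neighbor_as.values() for p in _keep_min(group, lambda p: p.med)]
    steps = [
        lambda p: 0 if p.ebgp else 1,                       # 7. EBGP over IBGP
        lambda p: p.igp_metric,                             # 8. closest IGP neighbor
        lambda p: int(IPv4Address(p.router_id)),            # 10. lowest neighbor router ID
        lambda p: int(IPv4Address(p.neighbor_ip)),          # 11. lowest neighbor IP address
    ]
    for key in steps:
        cands = _keep_min(cands, key)
        if len(cands) == 1:
            return cands[0]
    return cands[0]


def best_next_hops(table: Dict[str, List[Path]], local_as: int) -> Dict[str, str]:
    """Prefix -> next hop of the best (>) path, one per network."""
    return {prefix: bgp_best_path(paths, local_as).next_hop for prefix, paths in table.items()}


# Router C in AS 65001 with default settings (all paths IBGP, local pref 100).
ROUTER_C_DEFAULT = {
    "172.16.0.0": [Path("172.20.50.1", [65005, 65004, 65003]), Path("192.168.28.1", [65002, 65003])],
    "172.24.0.0": [Path("172.20.50.1", [65005]), Path("192.168.28.1", [65002, 65003, 65004, 65005])],
    "172.30.0.0": [Path("172.20.50.1", [65005, 65004]), Path("192.168.28.1", [65002, 65003, 65004])],
}
# Same table after router A's route map set local preference 400 on 172.30.0.0.
ROUTER_C_LOCAL_PREF = {
    **ROUTER_C_DEFAULT,
    "172.30.0.0": [Path("172.20.50.1", [65005, 65004]),
                   Path("192.168.28.1", [65002, 65003, 65004], local_pref=400)],
}
# Router Z in AS 65004: MED learned from AS 65001 over two links.
ROUTER_Z = {
    "192.168.24.0": [Path("172.20.50.2", [65001], med=100), Path("192.168.28.2", [65001], med=200)],
    "192.168.25.0": [Path("172.20.50.2", [65001], med=200), Path("192.168.28.2", [65001], med=100)],
    "192.168.26.0": [Path("172.20.50.2", [65001], med=200), Path("192.168.28.2", [65001], med=100)],
}

if __name__ == "__main__":
    print(best_next_hops(ROUTER_C_DEFAULT, 65001))
    print(best_next_hops(ROUTER_C_LOCAL_PREF, 65001))
    print(best_next_hops(ROUTER_Z, 65004))
```

The three printed dictionaries reproduce the `>` markers of the three `show ip bgp` outputs: step 4 (shortest AS path) decides everything in the default Router C table, step 2 (local preference 400) overrides it for 172.30.0.0, and step 6 (lowest MED) decides on Router Z because weight, local preference, AS path and origin are all equal there.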
BGP in an Enterprise

Introducing IPv6

Why Do We Need a Larger Address Space?
• Internet population
 Approximately 973 million users in November 2005
 Emerging population and geopolitical and address space
 Mobile users
 PDA, pen-tablet, notepad, and so on
 Approximately 20 million in 2004
 Mobile phones
 Already 1 billion mobile phones delivered by the industry
 Transportation
 1 billion automobiles forecast for 2008
 Internet access in planes – Example: Lufthansa
 Consumer devices
 Sony mandated that all its products be IPv6-enabled by 2005
 Billions of home and industrial appliances
IPv6 Advanced Features
Larger address space
 Global reachability and flexibility
 Aggregation
 Multihoming
 Autoconfiguration
 Plug-and-play
 End to end without NAT
 Renumbering
Simpler header
 Routing efficiency
 Performance and forwarding rate scalability
 No broadcasts
 No checksums
 Extension headers
 Flow labels
IPv6 Advanced Features (Cont.)
Mobility and security
 Mobile IP RFC-compliant
 IPsec mandatory (or native) for IPv6
Transition richness
 Dual stack
 6to4 tunnels
 Translation
Larger Address Space

IPv4
 32 bits or 4 bytes long
 ≈ 4,200,000,000 possible addressable nodes
IPv6
 128 bits or 16 bytes: four times the bits of IPv4
 ≈ 3.4 * 10^38 possible addressable nodes
 ≈ 340,282,366,920,938,463,374,607,432,768,211,456
 ≈ 5 * 10^28 addresses per person
Larger Address Space Enables
Address Aggregation

 Aggregation of prefixes announced in the global routing table
 Efficient and scalable routing
 Improved bandwidth and functionality for user traffic

Defining IPv6 Addressing

Simple and Efficient Header

A simpler and more efficient header means:
 64-bit aligned fields and fewer fields
 Hardware-based, efficient processing
 Improved routing efficiency and performance
 Faster forwarding rate with better scalability
IPv4 and IPv6 Header Comparison

IPv6 Extension Headers

A simpler and more efficient header means:
 IPv6 has extension headers.
 It handles the options more efficiently.
 It enables faster forwarding rate and end nodes processing.
IPv6 Address Representation
Format:
 x:x:x:x:x:x:x:x, where x is a 16-bit hexadecimal field
 Case-insensitive for hexadecimal A, B, C, D, E, and F
 Leading zeros in a field are optional:
 2031:0:130F:0:0:9C0:876A:130B
 Successive fields of 0 can be represented as ::, but only once per
address.
Examples:
 2031:0000:130F:0000:0000:09C0:876A:130B
 2031:0:130f::9c0:876a:130b
 2031::130f::9c0:876a:130b (incorrect)
 FF01:0:0:0:0:0:0:1 = FF01::1
 0:0:0:0:0:0:0:1 = ::1
 0:0:0:0:0:0:0:0 = ::
IPv6 Address Types
IPv6 uses:
 Unicast
Address is for a single interface.
 IPv6 has several types (for example, global and IPv4 mapped).
 Multicast
 One-to-many
 Enables more efficient use of the network
 Uses a larger address range
 Anycast
 One-to-nearest (allocated from unicast address space).
 Multiple devices share the same address.
 All anycast nodes should provide uniform service.
 Source devices send packets to anycast address.
 Routers decide on closest device to reach that destination.
 Suitable for load balancing and content delivery services.

IPv6 Global Unicast (and Anycast) Addresses

IPv6 has the same address format for global unicast and for anycast.
 Uses a global routing prefix—a structure that enables aggregation upward,
eventually to the ISP.
 A single interface may be assigned multiple addresses of any type (unicast,
anycast, multicast).
 Every IPv6-enabled interface must contain at least one loopback (::1/128)
and one link-local address.
 Optionally, every interface can have multiple unique local and global
addresses.
 Anycast address is a global unicast address assigned to a set of interfaces
(typically on different nodes).
 IPv6 anycast is used for a network multihomed to several ISPs that have
multiple connections to each other.

Prepared By:Waleed Adlan-CCIE41999 -


waleed_hashim@hotmail.com
IPv6 Unicast Addressing
 IPv6 addressing rules are covered by multiple RFCs.
 Architecture defined by RFC 4291.
 Unicast: One to one
 Global 2000::/3
 Unique Local FC00::/7
 Link local (FE80::/10)
 A single interface may be assigned multiple IPv6
addresses of any type: unicast, anycast, or multicast.

Implementing Dynamic IPv6 Addresses

Aggregatable Global Unicast Addresses
 Cisco uses the extended universal identifier (EUI)-64 format to do stateless autoconfiguration.
 This format expands the 48-bit MAC address to 64 bits by inserting “FFFE” into the middle 16 bits.
 To make sure that the chosen address is from a unique Ethernet MAC address, the universal/local (U/L) bit is set to 1 for global scope (0 for local scope).
Link-Local Address

 Link-local addresses have a scope limited to the link and are dynamically created on all IPv6 interfaces by using a specific link-local prefix FE80::/10 and a 64-bit interface identifier.
 Link-local addresses are used for automatic address configuration, neighbor discovery, and router discovery. Link-local addresses are also used by many routing protocols.
 Link-local addresses can serve as a way to connect devices on the same local network without needing global addresses.
 When communicating with a link-local address, you must specify the outgoing interface, because every interface has an address in FE80::/10.
EUI-64 to IPv6 Interface Identifier

A modified EUI-64 address is formed by inserting “FFFE” and “complementing” a bit identifying the uniqueness of the MAC address.
Multicasting

Examples of Permanent Multicast Addresses
Anycast

 An IPv6 anycast address is a global unicast address that is assigned to more than one interface.
Assigning IPv6 Global Unicast Addresses

Items to assign:
 IP Address
 IP subnet mask (prefix length)
 Default router IP address
 DNS IP address(es)

 IPv6 has four major options for IPv6 global unicast address assignment:
1. Stateful DHCP
2. Stateless autoconfig
3. Static configuration
4. Static configuration with EUI-64
Stateful DHCP

Exchange shown: DHCPv6 Solicit, DHCPv6 Reply, DHCPv6 Request between the host and the DHCPv6 server.

 Similar to DHCP for IPv4.
 Host sends a (multicast) packet searching for the DHCP server.
 DHCP server replies.
 DHCP client sends a message asking for a lease of an IP address, and the server replies, listing an IPv6 address, prefix length, default router, and DNS IP addresses.
 DHCPv4 and DHCPv6 actually differ in detail, but the basic process remains the same.
Stateless Autoconfiguration

 IP Address
 IP subnet mask (prefix length)
 Default router IP address
 DNS IP address(es)

 Stateless autoconfiguration uses:
1. IPv6 NDP (Neighbor Discovery Protocol) router solicitation and router advertisement messages to obtain this information.
2. Some math to derive the interface ID (host ID) portion of the IPv6 address, using a format called EUI-64.
3. Stateless DHCP to learn the DNS IPv6 addresses.
Neighbor Discovery Protocol
 It uses the following ICMPv6 messages:
 Router Advertisement (RA) messages are originated by routers to advertise their presence and link-specific parameters such as link prefixes, link MTU, and hop limits.
 Router Solicitation (RS) messages are originated by hosts to request that a router send an RA.
 Neighbor Solicitation (NS) messages are originated by nodes to request another node's link-layer address and also for functions such as duplicate address detection and neighbor unreachability detection.
 Neighbor Advertisement (NA) messages are sent in response to NS messages. If a node changes its link-layer address, it can send an unsolicited NA to advertise the new address.
1. Neighbor Discovery Protocol

RA (Router Advertisement): address, prefix, link MTU
RS (Router Solicitation): need RA from router

 Router Advertisement (RA) messages are originated by routers to advertise their presence and link-specific parameters such as link prefixes, link MTU, and hop limits.
 These messages are sent periodically, and also in response to Router Solicitation messages.
 Router Solicitation (RS) messages are originated by hosts to request that a router send an RA.
Calculating the Interface ID Using EUI-64

 You can look at an IPv6 address and quickly notice the FFFE late in the address, and then easily find the two halves of the corresponding interface’s MAC address.

MAC address: 0034:5678:9ABC
Interface ID: 0234:56FF:FE78:9ABC
Assigning IPv6 Global Unicast Addresses

Items to assign:
 IP Address
 IP subnet mask (prefix length)
 Default router IP address
 DNS IP address(es)
 IPv6 has four major options for IPv6 global unicast address assignment:
 Stateful DHCP
 Stateless autoconfig
 Static configuration (without EUI-64)
   May also use Stateless DHCP
 Static configuration with EUI-64
   May also use Stateless DHCP
Layer 2 Address Mapping and Duplicate Address Checking

NS (Neighbor Solicitation): request another node's link-layer address
NA (Neighbor Advertisement): sent in response to NS

 Like IPv4, IPv6 devices need to determine the data link layer address used by devices on the same link.
 IPv4 uses Address Resolution Protocol (ARP) on LANs.
 IPv6 uses NDP (Neighbor Discovery Protocol), carried in ICMPv6:
 Neighbor Solicitation (NS)
 Neighbor Advertisement (NA)
Neighbor Discovery (like IPv4 ARP)

Host: “I know your IPv6 address (2340:1111:AAAA:1:213:19FF:FE7B:5004); what is your MAC address?”

NS (Neighbor Solicitation)
Destination address: FF02::1:FF00:0/104 + 7B:5004 (the last 24 bits of the IPv6 address to which the message is being sent)

NA (Neighbor Advertisement)
Source address: 2340:1111:AAAA:1:213:19FF:FE7B:5004
Destination address: the asking host’s IPv6 address
MAC address: 0013:197B:5004

 Uses a special multicast destination address: the solicited-node multicast address.
 Destined for all hosts with the same last 24 bits as this destination IPv6 address.
 This is a sort of “broadcast” for any device with these 24 bits in their interface ID (at least I know these 24 bits of your MAC).
Duplicate Address Detection (DAD)

Host: “I need to make sure nobody else has this Global Unicast Address…”
My Global Address is 2340:1111:AAAA:1:213:19FF:FE7B:5004
“Tentative”: need to do Duplicate Address Detection

NS (Neighbor Solicitation)
- Target Address = 2340:1111:AAAA:1:213:19FF:FE7B:5004
- Destination: Solicited-Node Multicast Address = FF02::1:FF7B:5004

 The destination solicited-node multicast address is formed by prepending the prefix FF02:0:0:0:0:1:FF00::/104 to the last 24 bits of the target address (for example, FF02::1:FF0A:2D51).
 This is a sort of broadcast for any device with these 24 bits in their interface ID.
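The EUI-64 derivation from the "Calculating the Interface ID Using EUI-64" slide and the solicited-node multicast address used by Neighbor Discovery and DAD, as an added Python example (not from the course slides). The MAC and address values are the ones on the slides; only the standard library ipaddress module is used.

```python
import ipaddress
from typing import Optional

# Added example (not from the course slides).

# FF02::1:FF00:0/104, the solicited-node prefix named on the DAD slide.
SOLICITED_NODE_PREFIX = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def mac_to_modified_eui64(mac: str) -> int:
    """Return the 64-bit modified EUI-64 interface ID for a 48-bit MAC.

    Accepts 0034.5678.9ABC (Cisco), 00:34:56:78:9A:BC or 00-34-56-78-9A-BC.
    Steps from the slides: split the MAC into two 24-bit halves, insert
    FFFE between them, then complement the universal/local bit (bit 1 of
    the first octet).
    """
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets = bytes.fromhex(digits)
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02  # complement the U/L bit
    return int.from_bytes(eui, "big")


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix (e.g. 2340:1111:AAAA:1::/64) with the interface ID."""
    network = ipaddress.IPv6Network(prefix, strict=False)
    if network.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    return ipaddress.IPv6Address(int(network.network_address) | mac_to_modified_eui64(mac))


def mac_from_eui64_address(address: str) -> Optional[str]:
    """Reverse the process: if FFFE sits in the middle of the interface ID,
    recover the MAC. Returns None when the interface ID was not built this way."""
    low64 = int(ipaddress.IPv6Address(address)) & (2**64 - 1)
    iid = bytearray(low64.to_bytes(8, "big"))
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02  # undo the U/L bit complement
    return ":".join(f"{octet:02x}" for octet in iid[:3] + iid[5:])


def solicited_node_multicast(address: str) -> ipaddress.IPv6Address:
    """Solicited-node multicast address for a target: the FF02::1:FF00:0/104
    prefix followed by the low 24 bits of the target. This is the NS
    destination for both address resolution and DAD."""
    low24 = int(ipaddress.IPv6Address(address)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_PREFIX | low24)
```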
IPv6 Mobility

Using IPv6 with IPv4

IPv4-to-IPv6 Transition

Transition richness means:
– No fixed day to convert; no need to convert all at once.
– Different transition mechanisms are available:
• Smooth integration of IPv4 and IPv6.
• Use of dual stack or 6to4 tunnels.
– Different compatibility mechanisms:
• IPv4 and IPv6 nodes can communicate.
Cisco IOS Software Is IPv6-Ready: Cisco IOS Dual Stack

 If both IPv4 and IPv6 are configured on an interface, this interface is dual-stacked.
Cisco IOS Software Is IPv6-Ready: Overlay Tunnels

 Tunneling encapsulates the IPv6 packet in the IPv4 packet.
Tunneling Techniques
 Point to Point (Static)
(Can use an IGP over the tunnel; it is a fixed tunnel with a single source and destination)
1. Manual
2. GRE (Generic Routing Encapsulation)

 Point to Multipoint (Dynamic)
(Can only use static routes or BGP; the tunnel is dynamic from one point (source) to any destination, based on the destination IPv6 address)
1. Automatic 6to4 Tunnels
2. ISATAP (Intra-Site Automatic Tunnel Addressing Protocol)
“Isolated” Dual-Stack Host

Encapsulation can be done by edge routers between hosts or between a host and a router.
Example: Cisco IOS Manual Tunnel Configuration
Cisco IOS Software Is IPv6-Ready: 6to4 Tunneling

6to4
 Is an automatic tunnel method
 Gives a prefix to the attached IPv6 network
 Set the tunnel mode with the tunnel mode ipv6ip 6to4 command.
 Set the IPv6 address with the ipv6 address address/mask command.
 Set the source interface for the tunnel with the tunnel source command.
 Address for R1 is 2002:AC10:0C01:1::1/64:
AC10:0C01 = 172.16.12.1
AC = 172, 10 = 16, 0C = 12, 01 = 1
 The 1 after this address is just a more specific subnet, and the 1 at the end is the host address.
 Notice the two addresses are not in the same /64 subnet.
R1(config)# interface tunnel 0
R1(config-if)# tunnel mode ipv6ip 6to4
R1(config-if)# ipv6 address 2002:AC10:0C01:1::1/64
R1(config-if)# tunnel source serial0/0/0

 Set the tunnel mode with the tunnel mode ipv6ip 6to4 command.
 Set the IPv6 address with the ipv6 address address/mask command.
 Set the source interface for the tunnel with the tunnel source command.
 Address for R3 is 2002:AC10:1703:1::3/64:
AC10:1703 = 172.16.23.3
AC = 172, 10 = 16, 17 = 23, 03 = 3
 The 1 after this address is just a more specific subnet, and the 3 at the end is the host address.
R3(config)# interface tunnel 0
R3(config-if)# tunnel mode ipv6ip 6to4
R3(config-if)# ipv6 address 2002:AC10:1703:1::3/64
R3(config-if)# tunnel source serial0/0/1
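The 6to4 address arithmetic from the R1 and R3 slides as an added Python example (not from the course slides): it builds the 2002:WWXX:YYZZ::/48 prefix from an IPv4 tunnel source, adds the subnet and host parts the slides describe, and recovers the IPv4 tunnel endpoint that a 6to4 router derives from a destination IPv6 address. Only the standard library ipaddress module is used.

```python
import ipaddress

# Added example (not from the course slides).

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")


def six_to_four_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """2002:WWXX:YYZZ::/48, where WWXXYYZZ is the IPv4 tunnel source in hex
    (172.16.12.1 -> AC10:0C01, as on the R1 slide)."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def site_address(ipv4: str, subnet_id: int, host_id: int) -> ipaddress.IPv6Interface:
    """A /64 inside the site's 6to4 /48: a 16-bit subnet ID (the '1' after
    the embedded IPv4 address on the slides) followed by a 64-bit host part."""
    if not 0 <= subnet_id < 2**16 or not 0 <= host_id < 2**64:
        raise ValueError("subnet_id must fit 16 bits and host_id 64 bits")
    base = int(six_to_four_prefix(ipv4).network_address)
    return ipaddress.IPv6Interface((base | (subnet_id << 64) | host_id, 64))


def tunnel_endpoint(ipv6_destination: str) -> ipaddress.IPv4Address:
    """The IPv4 tunnel destination a 6to4 router derives from the destination
    IPv6 address: bits 16..47 of any address under 2002::/16. This is what
    makes the tunnel point-to-multipoint: no fixed destination is configured."""
    addr = ipaddress.IPv6Address(ipv6_destination.split("/")[0])
    if addr not in SIX_TO_FOUR:
        raise ValueError(f"{addr} is not a 6to4 address")
    return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)


def same_link(a: str, b: str) -> bool:
    """True when two interface addresses share a /64; the slide points out
    that R1's and R3's tunnel addresses do not."""
    return ipaddress.IPv6Interface(a).network == ipaddress.IPv6Interface(b).network
```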

Translation—NAT-PT

• NAT-Protocol Translation (NAT-PT) is a translation mechanism that sits between an IPv6 network and an IPv4 network.
• The job of the translator is to translate IPv6 packets into IPv4 packets and vice versa.
IPv6 Routing Protocols
- The existing routing protocols have been modified to carry the new IPv6 architecture, and their names have been slightly modified as follows:
• RIPng (RIP next generation)
• EIGRPv6
• OSPFv3 (as OSPFv2 was used with IPv4)
RIPng
- Like RIPv2, but now it uses UDP port 521
- Keeps track of the neighbor next hop with the link-local address, not the global address
- Advertisement of a network is now done with an interface command, not the network command, and this also enables the RIP process (so there is no need to configure it in router configuration mode)
- Router(config)#ipv6 unicast-routing
- Router(config-if)#ipv6 rip 1 enable
- The following is only needed if further configuration, such as redistribution, is required
- Router(config)#ipv6 router rip 1
EIGRPv6
- Like EIGRPv4, except that networks are advertised from the interface
- Also in EIGRPv6, we have to go to router configuration mode and turn on the protocol with the no shutdown command
- Router(config)#ipv6 router eigrp 1
- Router(config-rtr)#no shutdown
- Router(config-rtr)#router-id 1.1.1.1
- Router(config-if)#ipv6 eigrp 1
OSPFv3
- The router ID must still be assigned, as must the area ID and the link ID, which are still 32-bit values
- Adjacencies now use the link-local addresses
- Network advertisements are configured under interfaces
- Router(config)#ipv6 router ospf 1
- Router(config-rtr)#router-id 1.1.1.1
- Router(config-if)#ipv6 ospf 1 area 0
OSPFv3 Virtual Link
 It is the same concept as in IPv4: all areas should be directly connected to area 0; otherwise, we should use the virtual-link configuration:
ipv6 router ospf 1
area 1 virtual-link 1.1.1.1
IPv6 Routing Redistribution
 Redistribution from OSPFv3 to RIPng
ipv6 router rip 1
redistribute ospf 1 metric 3 include-connected

 Redistribution from RIPng to OSPFv3
ipv6 router ospf 1
redistribute rip 1 include-connected
IPv6 Routing Redistribution (2)
 Redistribution from OSPFv3 to EIGRPv6
ipv6 router eigrp 1
redistribute ospf 1 metric 1 1 1 1 1 include-connected

 Redistribution from EIGRPv6 to OSPFv3
ipv6 router ospf 1
redistribute eigrp 1 include-connected
IPv6 Routing Redistribution (3)
 Redistribution from RIPng to EIGRPv6
ipv6 router eigrp 1
redistribute rip 1 metric 1 1 1 1 1 include-connected

 Redistribution from EIGRPv6 to RIPng
ipv6 router rip 1
redistribute eigrp 1 include-connected
IPv6 Routing Redistribution (4)
 Redistributing a static route into an IGP
ipv6 route 2003::/64 2004::1
ipv6 router rip 1
redistribute static metric 2
!
ipv6 router ospf 1
redistribute static metric 2
!
ipv6 router eigrp 1
redistribute static metric 1 1 1 1 1
VPN

What is VPN?
 A Virtual Private Network is a type of private network that uses public telecommunication, such as the Internet, instead of leased lines to communicate.
 Became popular as more employees worked in remote locations.
Types of VPN
 The three types of VPN are named based upon the role
they play in business
 Remote access VPN
 Site-to-Site VPN
 Extranet VPN

VPN Types
 Remote access VPN: allows remote users such as telecommuters to securely access the corporate network wherever and whenever they need.
 Site-to-Site VPN (or intranet VPN): allows a company to connect its remote sites securely over a public medium like the Internet instead of an expensive dedicated connection.
VPN Types
 Extranet VPN: allows an organization’s suppliers, partners or customers to be connected to the corporate network in a limited way for business-to-business (B2B) communications.
VPN Examples
 GRE VPN
 IPSEC VPN
 DMVPN
 MPLS VPN

Generic Routing Encapsulation (GRE)

 GRE is an OSI Layer 3 tunneling protocol:
 Encapsulates a wide variety of protocol packet types inside IP tunnels
 Creates a virtual point-to-point link to Cisco routers at remote points over an IP internetwork
 Uses IP for transport
 Uses an additional header to support any other OSI Layer 3 protocol as payload (for example, IP, IPX, AppleTalk)
Generic Routing Encapsulation
 IPsec only encapsulates IP traffic
 This may be a problem for non-IP or multicast traffic that needs to
be sent across a secure tunnel
 GRE – a Cisco developed protocol – allows traffic other than IP to be
transported using a powerful but simple tunnel technique
 GRE supports any OSI Layer 3 protocol as payload, for which it
provides virtual point-to-point connectivity.
 GRE also allows the use of routing protocols across the tunnel
 However, GRE offers minimum security (basic plaintext
authentication using the tunnel key) to the payload, and so needs to
be used with IPsec if security is required

Generic Routing Encapsulation
 Some of the reasons for using GRE over IPsec:
 To pass multicast and broadcast traffic across the tunnel securely
 To pass non-IP traffic securely
 To provide resiliency
 To assist in saving memory and CPU cycles in the router, by reducing the number of SAs that need to be set up
Basic GRE Header - GRE Flags

 GRE is stateless (no flow control mechanisms).
 GRE offers no security (no confidentiality, data authentication, or integrity assurance).
 GRE uses 24-byte overhead by default (20-byte IP header and 4-byte GRE header).
Basic GRE Tunnel Configuration

Two conditions for the GRE tunnel to be up:
 The tunnel source must be able to reach the tunnel destination.
 The tunnel source and destination interfaces must be up/up.
!R1
interface Tunnel 0
 ip address 30.0.0.1 255.0.0.0
 tunnel source fa0/1
 tunnel destination 25.0.0.2
 tunnel mode gre ip
IPSEC VPN

Introducing IPSec
 IPSec Topology
 IPSec Framework
 Confidentiality
 Integrity
 Authentication
 Pre-Shared Key
 RSA Signature
 Secure Key Exchange

IPSec Framework
Confidentiality

Encryption algorithms by key length, least secure to most secure:
- 56 bits
- 56 bits (3 times)
- 128, 192 or 256 bits
- 160 bits
Integrity

Hash algorithms by key length, least secure to most secure:
- 128 bits
- 160 bits
Authentication
Secure Key Exchange

Diffie-Hellman DH7

Internet Key Exchange (IKE)
 Security Associations
 IKE Phases
 IKE Phase 1 (ISAKMP)
 IKE Phase 2 (IPSEC)

Security Associations

IPSec parameters are configured using IKE.
IKE Phases
Topology: Host A (10.0.1.3), R1, R2, Host B (10.0.2.3)

IKE Phase 1 Exchange
1. Negotiate IKE policy sets: R1 Policy 10 and R2 Policy 15, both DES, MD5, pre-share, DH1, lifetime
2. DH key exchange
3. Verify the peer identity

IKE Phase 2 Exchange
Negotiate IPsec policy
IKE Phase 1 – First Exchange
Topology: Host A (10.0.1.3), R1, R2, Host B (10.0.2.3). R1 and R2 negotiate IKE proposals.

IKE Policy Sets
R1 Policy 10: DES, MD5, pre-share, DH1, lifetime
R1 Policy 20: 3DES, SHA, pre-share, DH1, lifetime
R2 Policy 15: DES, MD5, pre-share, DH1, lifetime

Negotiates matching IKE policies to protect the IKE exchange.
IKE Phase 2
Topology: Host A (10.0.1.3), R1, R2, Host B (10.0.2.3). R1 and R2 negotiate IPsec security parameters.

 IKE negotiates matching IPsec policies.
 Upon completion, unidirectional IPsec Security Associations (SAs) are established for each protocol and algorithm combination.
Implementing Site-to-Site IPSec VPNs
 Configuring Site-to-Site IPSec VPNs
 Task 1 – Configure Compatible ACLs
 Task 2 – Configure IKE
 Task 3 – Configure the Transform Set
 Task 4 – Configure the Crypto ACLs
 Task 5 – Apply the Crypto Map
 Verify and Troubleshoot the IPSec Configuration

IPSec VPN Negotiation
Topology: Host A (10.0.1.3), R1, R2, Host B (10.0.2.3)

1. Host A sends interesting traffic to Host B.
2. R1 and R2 negotiate an IKE Phase 1 session (an IKE SA on each side).
3. R1 and R2 negotiate an IKE Phase 2 session (an IPsec SA on each side).
4. Information is exchanged via the IPsec tunnel.
5. The IPsec tunnel is terminated.
Task 1
Configure Compatible ACLs

Permitting Traffic

Topology: Site 1 10.0.1.0/24 (Host 10.0.1.3), R1 S0/0/0 172.30.1.2, Internet, R2 S0/0/0 172.30.2.2, Site 2 10.0.2.0/24 (Host 10.0.2.3). AH, ESP and IKE traffic between the peers must be permitted.

R1(config)# access-list 102 permit ahp host 172.30.2.2 host 172.30.1.2
R1(config)# access-list 102 permit esp host 172.30.2.2 host 172.30.1.2
R1(config)# access-list 102 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp
R1(config)#
R1(config)# interface Serial0/0/0
R1(config-if)# ip address 172.30.1.2 255.255.255.0
R1(config-if)# ip access-group 102 in
!
R1(config)# exit
R1#
R1# show access-lists
access-list 102 permit ahp host 172.30.2.2 host 172.30.1.2
access-list 102 permit esp host 172.30.2.2 host 172.30.1.2
access-list 102 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp
R1#
Task 2
Configure IKE

Overview
Topology: Site 1 10.0.1.0/24 (Host 10.0.1.3), R1, Internet, R2, Site 2 10.0.2.0/24 (Host 10.0.2.3); tunnel between R1 and R2.
Policy 110: DES, MD5, pre-share, 86400, DH1

router(config)#
crypto isakmp policy priority
Defines the parameters within the IKE policy
R1(config)# crypto isakmp policy 110
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# encryption des
R1(config-isakmp)# group 1
R1(config-isakmp)# hash md5
R1(config-isakmp)# lifetime 86400
Policy Negotiations
R1 attempts to establish a VPN tunnel with R2 and sends its IKE policy parameters.
Topology: Site 1 10.0.1.0/24 (Host 10.0.1.3), R1, Internet, R2, Site 2 10.0.2.0/24 (Host 10.0.2.3).
Policy 110: pre-share, 3DES, SHA, DH2, 43200
R2 must have an ISAKMP policy configured with the same parameters.

R1(config)# crypto isakmp policy 110
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# encryption 3des
R1(config-isakmp)# group 2
R1(config-isakmp)# hash sha
R1(config-isakmp)# lifetime 43200

R2(config)# crypto isakmp policy 100
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# encryption 3des
R2(config-isakmp)# group 2
R2(config-isakmp)# hash sha
R2(config-isakmp)# lifetime 43200
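Checking two peers' ISAKMP policies for a Phase 1 match, as an added Python example (not from the course slides): it parses the R1 and R2 policy blocks from the "First Exchange" slide, matches them the way the slides describe (encryption, hash, authentication and DH group must agree; the priority number sets the order of offers), and flags the settings the Confidentiality and Integrity slides place at the least secure end. Treating lifetime as negotiable with the shorter value winning is a simplification assumed here, and the mismatch config is constructed to reproduce the "atts are not acceptable" case from the debug slide.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example (not from the course slides). R1_CONFIG and R2_CONFIG re-type
# the policies on the "IKE Phase 1 - First Exchange" slide as sample input.
R1_CONFIG = """
crypto isakmp policy 10
 encryption des
 hash md5
 authentication pre-share
 group 1
crypto isakmp policy 20
 encryption 3des
 hash sha
 authentication pre-share
 group 1
"""

R2_CONFIG = """
crypto isakmp policy 15
 encryption des
 hash md5
 authentication pre-share
 group 1
"""

# Constructed mismatch: R2 offers only AES/SHA/DH2, so nothing R1 proposes
# is acceptable (the "atts are not acceptable" debug output).
R2_MISMATCH_CONFIG = """
crypto isakmp policy 100
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 43200
"""

# Config keyword -> dataclass field.
KEYWORDS = {"encryption": "encryption", "hash": "hash_alg", "authentication": "authentication"}


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int
    # Defaults match the "Default protection suite" in show crypto isakmp policy.
    encryption: str = "des"
    hash_alg: str = "sha"
    authentication: str = "rsa-sig"
    group: int = 1
    lifetime: int = 86400

    def attributes(self) -> Tuple[str, str, str, int]:
        """The four attributes that must be identical on both peers."""
        return (self.encryption, self.hash_alg, self.authentication, self.group)


def parse_isakmp_policies(config: str) -> List[IsakmpPolicy]:
    """Parse 'crypto isakmp policy N' blocks from running-config style text."""
    policies, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("crypto isakmp policy "):
            if current is not None:
                policies.append(IsakmpPolicy(**current))
            current = {"priority": int(line.split()[-1])}
        elif current is not None and line:
            key, _, value = line.partition(" ")
            if key in KEYWORDS:
                current[KEYWORDS[key]] = value  # e.g. "3des", "aes 256"
            elif key in ("group", "lifetime"):
                current[key] = int(value)
    if current is not None:
        policies.append(IsakmpPolicy(**current))
    return policies


def negotiate(initiator: List[IsakmpPolicy],
              responder: List[IsakmpPolicy]) -> Optional[Tuple[IsakmpPolicy, IsakmpPolicy, int]]:
    """Phase 1 proposal matching: the initiator offers its policies lowest
    priority number first; the responder accepts the first offer whose four
    attributes equal one of its own. Lifetime is treated as negotiable here,
    the shorter value winning (simplification). None means Main Mode fails."""
    for offer in sorted(initiator, key=lambda p: p.priority):
        for own in sorted(responder, key=lambda p: p.priority):
            if offer.attributes() == own.attributes():
                return offer, own, min(offer.lifetime, own.lifetime)
    return None


def weak_attributes(policy: IsakmpPolicy) -> List[str]:
    """Settings at the 'least secure' end of the slides' comparison bars."""
    findings = []
    if policy.encryption == "des":
        findings.append("DES (56-bit key)")
    if policy.hash_alg == "md5":
        findings.append("MD5")
    if policy.group == 1:
        findings.append("DH group 1 (768-bit)")
    return findings
```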

Crypto ISAKMP Key
router(config)#
crypto isakmp key keystring address peer-address
router(config)#
crypto isakmp key keystring hostname hostname

Parameters:
keystring: This parameter specifies the PSK. Use any combination of alphanumeric characters up to 128 bytes. This PSK must be identical on both peers.
peer-address: This parameter specifies the IP address of the remote peer.
hostname: This parameter specifies the hostname of the remote peer. This is the peer hostname concatenated with its domain name (for example, myhost.domain.com).

• The peer-address or peer-hostname can be used, but must be used consistently between peers.
• If the peer-hostname is used, then the crypto isakmp identity hostname command must also be configured.
Sample Configuration
Topology: Site 1 10.0.1.0/24 (Host 10.0.1.3), R1, Internet, R2, Site 2 10.0.2.0/24 (Host 10.0.2.3).

R1(config)# crypto isakmp policy 110
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# encryption 3des
R1(config-isakmp)# group 2
R1(config-isakmp)# hash sha
R1(config-isakmp)# lifetime 43200
R1(config-isakmp)# exit
R1(config)# crypto isakmp key cisco123 address 172.30.2.2
R1(config)#

R2(config)# crypto isakmp policy 110
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# encryption 3des
R2(config-isakmp)# group 2
R2(config-isakmp)# hash sha
R2(config-isakmp)# lifetime 43200
R2(config-isakmp)# exit
R2(config)# crypto isakmp key cisco123 address 172.30.1.2
R2(config)#

Note:
• The keystring cisco123 matches on both peers.
• The address identity method is specified.
• The ISAKMP policies are compatible.
• Default values do not have to be configured.
Task 3
Configure the Transform Set

Overview
router(config)#
crypto ipsec transform-set transform-set-name transform1 [transform2] [transform3]

crypto ipsec transform-set Parameters
transform-set-name: This parameter specifies the name of the transform set to create (or modify).
transform1, transform2, transform3: Type of transform set. You may specify up to four "transforms": one Authentication Header (AH), one Encapsulating Security Payload (ESP) encryption, one ESP authentication. These transforms define the IP Security (IPSec) security protocols and algorithms.

A transform set is a combination of IPsec transforms that enact a security policy for traffic.
Sample Configuration
Topology: Site 1 (Host A 10.0.1.3), R1 172.30.1.2, Internet, R2 172.30.2.2, Site 2 (Host B 10.0.2.3).

R1(config)# crypto isakmp key cisco123 address 172.30.2.2
R1(config)# crypto ipsec transform-set MYSET esp-aes 128
R1(cfg-crypto-trans)# exit
R1(config)#

R2(config)# crypto isakmp key cisco123 address 172.30.1.2
R2(config)# crypto ipsec transform-set OTHERSET esp-aes 128
R2(cfg-crypto-trans)# exit

Note:
• Peers must share the same transform set settings.
• Names are only locally significant.
Task 4
Configure the Crypto ACLs

Command Syntax
Topology: Site 1 10.0.1.0/24 (Host 10.0.1.3), R1 S0/0/0 172.30.1.2, Internet, R2 S0/0/0 172.30.2.2, Site 2 10.0.2.0/24 (Host 10.0.2.3).

router(config)#
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log]

access-list access-list-number Parameters
permit: This option causes all IP traffic that matches the specified conditions to be protected by cryptography, using the policy described by the corresponding crypto map entry.
deny: This option instructs the router to route traffic in plaintext.
protocol: This option specifies which traffic to protect by cryptography based on the protocol, such as TCP, UDP, or ICMP. If the protocol is IP, then all IP traffic that matches that permit statement is encrypted.
source and destination: If the ACL statement is a permit statement, these are the networks, subnets, or hosts between which traffic should be protected. If the ACL statement is a deny statement, then the traffic between the specified source and destination is sent in plaintext.
Symmetric Crypto ACLs
Topology: Site 1 10.0.1.0/24 (Host 10.0.1.3), R1 S0/0/0 172.30.1.2, Internet, R2 S0/0/0 172.30.2.2, Site 2 10.0.2.0/24 (Host 10.0.2.3).

Applied to R1 S0/0/0 outbound traffic:
R1(config)# access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
(when evaluating inbound traffic: source 10.0.2.0, destination 10.0.1.0)

Applied to R2 S0/0/0 outbound traffic:
R2(config)# access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
(when evaluating inbound traffic: source 10.0.1.0, destination 10.0.2.0)
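Checking that two peers' crypto ACLs mirror each other, as an added Python example (not from the course slides): it parses the R1 and R2 access-list lines from this slide, swaps source and destination to compute the entry the peer must hold, and reports entries without a mirror image. The mismatched R2 set is constructed for the example; port, log and other options are not parsed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added example (not from the course slides). R1_ACL and R2_ACL are the
# slide's lines; R2_BAD_ACL is a constructed set with an extra, unmirrored entry.
R1_ACL = "access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255"
R2_ACL = "access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255"
R2_BAD_ACL = """
access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 101 permit ip host 10.0.2.3 host 10.0.1.3
"""


@dataclass(frozen=True)
class CryptoAce:
    action: str
    protocol: str
    source: str
    source_wildcard: str
    destination: str
    destination_wildcard: str

    def mirrored(self) -> "CryptoAce":
        """The entry the peer must hold: source and destination swapped."""
        return CryptoAce(self.action, self.protocol,
                         self.destination, self.destination_wildcard,
                         self.source, self.source_wildcard)


def _address(tokens: List[str], pos: int) -> Tuple[str, str, int]:
    """Read one address spec ('any', 'host A', or 'A wildcard') and return
    the address, its wildcard, and the next token position."""
    if tokens[pos] == "any":
        return "0.0.0.0", "255.255.255.255", pos + 1
    if tokens[pos] == "host":
        return tokens[pos + 1], "0.0.0.0", pos + 2
    return tokens[pos], tokens[pos + 1], pos + 2


def parse_crypto_acl(text: str) -> List[CryptoAce]:
    """Parse 'access-list N {permit|deny} protocol src dst' lines, the subset
    used on these slides. Lines that are not access-list entries are skipped."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 5 or tokens[0] != "access-list":
            continue
        action, protocol = tokens[2], tokens[3]
        src, src_wc, pos = _address(tokens, 4)
        dst, dst_wc, _ = _address(tokens, pos)
        entries.append(CryptoAce(action, protocol, src, src_wc, dst, dst_wc))
    return entries


def asymmetric_entries(local: str, remote: str) -> Dict[str, List[CryptoAce]]:
    """Entries on either peer that have no mirror image on the other. Both
    lists empty means the crypto ACLs are symmetric; anything else is traffic
    one side will try to protect while the other side expects it in plaintext."""
    local_set = set(parse_crypto_acl(local))
    remote_set = set(parse_crypto_acl(remote))
    return {
        "local_only": sorted((e for e in local_set if e.mirrored() not in remote_set), key=str),
        "remote_only": sorted((e for e in remote_set if e.mirrored() not in local_set), key=str),
    }
```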

Task 5
Apply the Crypto Map

Overview
Topology: Site 1 (Host 10.0.1.3), R1, Internet, R2, Site 2 (Host 10.0.2.3); the crypto map is applied to the router interface or subinterface that carries the encrypted traffic.

Crypto maps define the following:
 ACL to be used
 Remote VPN peers
 Transform set to be used
 Key management method
 SA lifetimes
Sample Configuration
Topology: Site 1 10.0.1.0/24 (Host 10.0.1.3), R1, Internet, R2 S0/0/0 172.30.2.2 and R3 S0/0/0 172.30.3.2, Site 2 10.0.2.0/24 (Host 10.0.2.3).

R1(config)# crypto map MYMAP 10 ipsec-isakmp
R1(config-crypto-map)# match address 110
R1(config-crypto-map)# set peer 172.30.2.2 default
R1(config-crypto-map)# set peer 172.30.3.2
R1(config-crypto-map)# set transform-set mine

Multiple peers can be specified for redundancy.
Assign the Crypto Map Set
Topology: Site 1 10.0.1.0/24 (Host 10.0.1.3), R1 S0/0/0 172.30.1.2 (MYMAP applied), Internet, R2 S0/0/0 172.30.2.2, Site 2 10.0.2.0/24 (Host 10.0.2.3).

router(config-if)#
crypto map map-name

R1(config)# interface serial0/0/0
R1(config-if)# crypto map MYMAP

 Applies the crypto map to the outgoing interface
 Activates the IPsec policy
show crypto map
Topology: Site 1 10.0.1.0/24 (Host 10.0.1.3), R1 S0/0/0 172.30.1.2, Internet, R2 S0/0/0 172.30.2.2, Site 2 10.0.2.0/24 (Host 10.0.2.3).
router#
show crypto map
Displays the currently configured crypto maps
R1# show crypto map
Crypto Map "MYMAP" 10 ipsec-isakmp
Peer = 172.30.2.2
Extended IP access list 110
access-list 102 permit ip host 10.0.1.3 host 10.0.2.3
Current peer: 172.30.2.2
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={ MYSET, }
show crypto isakmp policy
Topology: Site 1 10.0.1.0/24 (Host 10.0.1.3), R1 S0/0/0 172.30.1.2, Internet, R2 S0/0/0 172.30.2.2, Site 2 10.0.2.0/24 (Host 10.0.2.3).
router#
show crypto isakmp policy

R1# show crypto isakmp policy
Protection suite of priority 110
encryption algorithm: 3DES - Data Encryption Standard (168 bit keys).
hash algorithm: Secure Hash Standard
authentication method: preshared
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
show crypto ipsec transform-set
[Figure: same Site 1 / Site 2 topology, R1 S0/0/0 172.30.1.2 and R2 S0/0/0 172.30.2.2]

show crypto ipsec transform-set
Displays the currently defined transform sets

R1# show crypto ipsec transform-set
Transform set AES_SHA: { esp-128-aes esp-sha-hmac }
will negotiate = { Tunnel, },
show crypto ipsec sa
[Figure: same Site 1 / Site 2 topology, R1 S0/0/0 172.30.1.2 and R2 S0/0/0 172.30.2.2]

R1# show crypto ipsec sa
Interface: Serial0/0/0
Crypto map tag: MYMAP, local addr. 172.30.1.2
local ident (addr/mask/prot/port): (172.30.1.2/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.30.2.2/255.255.255.255/0/0)
current_peer: 172.30.2.2
PERMIT, flags={origin_is_acl,}
#pkts encaps: 21, #pkts encrypt: 21, #pkts digest 0
#pkts decaps: 21, #pkts decrypt: 21, #pkts verify 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.30.1.2, remote crypto endpt.: 172.30.2.2
path mtu 1500, media mtu 1500
current outbound spi: 8AE1C9C
debug crypto isakmp
router#
debug crypto isakmp

1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0
1d00h: ISAKMP (0:1); no offers accepted!
1d00h: ISAKMP (0:1): SA not acceptable!
1d00h: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main Mode failed with peer at 172.30.2.2

• This is an example of the Main Mode error message.
• The failure of Main Mode suggests that the Phase I policy does not match on both sides.
• Verify that the Phase I policy is on both peers and ensure that all the attributes match.
DMVPN
 Dynamic Multipoint VPN (DMVPN) is a combination of GRE, NHRP, and IPsec
 NHRP allows the peers to have dynamic addresses (e.g. dial-up and DSL) with GRE/IPsec tunnels
 The backbone is a hub-and-spoke topology
 Allows direct spoke-to-spoke tunneling by automatically building a partial mesh
Multipoint GRE
 An mGRE interface definition includes an IP address, a tunnel source and a tunnel key
 mGRE interfaces do not have a tunnel destination

 interface Tunnel 0
  ip address 10.0.0.1 255.0.0.0
  tunnel source Fa0/0
  tunnel mode gre multipoint
  tunnel key 1
 The tunnel address is the IP address defined on the tunnel interface
 The Non-Broadcast Multiple Access (NBMA) address is the IP address used as the tunnel source (or destination)
 In the previous figure, the tunnel interface address for Router A is 10.1.1.1, and the NBMA address is 1.1.1.1
mGRE Talking to a Peer
 Because mGRE tunnels do not have a tunnel destination defined, they cannot be used alone
 NHRP tells mGRE where to send the packets
What is NHRP?
 NHRP is a Layer 2 resolution protocol and cache, like ARP or Reverse ARP (Frame Relay)
 It is used in DMVPN to map a tunnel IP address to an NBMA address
 Like ARP, NHRP can have static and dynamic entries
 NHRP has worked fully dynamically since Release 12.2(13)T
How mGRE Uses NHRP
 When a packet is routed, it is passed to the mGRE interface along with a next hop
 The next hop is the tunnel address of a remote peer
 mGRE looks up the next-hop address in the NHRP cache and retrieves the NBMA address of the remote peer
 mGRE encapsulates the packet into a GRE/IP payload
 The new packet destination is the NBMA address
 Multicast packets are only sent to specific remote peers identified in the NHRP configuration
NHRP Registration Process

Basic NHRP Configuration
 In order to configure an mGRE interface to use NHRP, the following command is necessary:

 ip nhrp network-id <id>

 where <id> is a unique number (the same on the hub and all spokes)
 <id> has nothing to do with the tunnel key
 The network ID defines an NHRP domain
 Several domains can co-exist on the same router
Initial NHRP Caches
 Initially, the hub has an empty cache
 The spoke has one static entry mapping the hub's tunnel address to the hub's NBMA address:

 ip nhrp map 10.0.0.1 172.17.0.1

 Multicast traffic must be sent to the hub:

 ip nhrp map multicast 172.17.0.1
The Spokes Must Register to the Hub
 In order for the spokes to register themselves to the hub, the hub must be declared as a Next Hop Server (NHS):

 ip nhrp nhs 10.0.0.1

 Spokes control the cache on the hub
Registration Process
 The spokes send registration requests to the hub
 The request contains the spoke's tunnel and NBMA addresses as well as the hold time and some flags
 The hub creates an entry in its NHRP cache
 The entry will be valid for the duration of the hold time defined in the registration
 The NHS returns a registration reply (acknowledgement)
Multicast Packets From the Hub
 The hub must also send multicast traffic to all the spokes that registered to it
 This must be done dynamically (possible since Release 12.2(13)T)
 This is not the default:

 ip nhrp map multicast dynamic
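The registration, hold-time and multicast behaviour described on the last few slides, modelled in Python as an added example (this is not code from the slides or from Cisco IOS): a hub NHRP cache fed by spoke registrations, which then serves both the mGRE next-hop lookup and the dynamic multicast list. The spoke NBMA addresses and the 600 s hold time are constructed sample values.

```python
"""Added example: a minimal model of the NHRP registration and resolution
steps used by DMVPN (not code from the original slides or from Cisco IOS).
All addresses and timers below are constructed sample values."""
from dataclasses import dataclass


@dataclass
class NhrpEntry:
    tunnel_addr: str    # next hop as seen by the routing table (tunnel address)
    nbma_addr: str      # transport address placed in the outer GRE/IP header
    expires_at: float   # absolute time derived from the registration hold time
    static: bool = False


class NhrpCache:
    """One NHRP domain (one 'ip nhrp network-id') on a single router."""

    def __init__(self, multicast_dynamic=False):
        self.entries = {}           # tunnel address -> NhrpEntry
        self.multicast = []         # NBMA addresses that receive multicast/hellos
        self.multicast_dynamic = multicast_dynamic   # 'ip nhrp map multicast dynamic'

    def map_static(self, tunnel_addr, nbma_addr):
        """Spoke: 'ip nhrp map <tunnel> <nbma>' (never expires)."""
        self.entries[tunnel_addr] = NhrpEntry(tunnel_addr, nbma_addr, float("inf"), True)

    def map_multicast(self, nbma_addr):
        """Spoke: 'ip nhrp map multicast <nbma>'."""
        if nbma_addr not in self.multicast:
            self.multicast.append(nbma_addr)

    def register(self, tunnel_addr, nbma_addr, hold_time, now):
        """Hub (NHS): process a registration request and return the reply.

        The entry is valid only for the hold time carried in the request; with
        multicast-dynamic enabled the spoke's NBMA address also joins the
        multicast list, which is what lets the hub send routing-protocol hellos."""
        self.entries[tunnel_addr] = NhrpEntry(tunnel_addr, nbma_addr, now + hold_time)
        if self.multicast_dynamic:
            self.map_multicast(nbma_addr)
        return {"type": "registration-reply", "tunnel": tunnel_addr,
                "nbma": nbma_addr, "hold_time": hold_time}

    def purge(self, now):
        """Drop entries whose hold time has elapsed (and their dynamic multicast mapping)."""
        for addr, entry in list(self.entries.items()):
            if now > entry.expires_at:
                del self.entries[addr]
                if self.multicast_dynamic and entry.nbma_addr in self.multicast:
                    self.multicast.remove(entry.nbma_addr)

    def resolve(self, next_hop, now):
        """mGRE lookup: tunnel next hop -> NBMA address, or None if unknown."""
        self.purge(now)
        entry = self.entries.get(next_hop)
        return entry.nbma_addr if entry else None

    def multicast_destinations(self, now):
        self.purge(now)
        return list(self.multicast)


def demo():
    """Reproduce the slides' hub/spoke exchange and return the observable results."""
    hub = NhrpCache(multicast_dynamic=True)      # hub: ip nhrp map multicast dynamic
    spoke = NhrpCache()
    spoke.map_static("10.0.0.1", "172.17.0.1")   # spoke: ip nhrp map 10.0.0.1 172.17.0.1
    spoke.map_multicast("172.17.0.1")            # spoke: ip nhrp map multicast 172.17.0.1

    # Spokes (ip nhrp nhs 10.0.0.1) register with a 600 s hold time at t=0.
    reply = hub.register("10.0.0.2", "198.51.100.2", hold_time=600, now=0)
    hub.register("10.0.0.3", "198.51.100.3", hold_time=600, now=0)

    return {
        "reply": reply,
        "spoke_to_hub": spoke.resolve("10.0.0.1", now=10),        # static entry
        "hub_to_spoke2": hub.resolve("10.0.0.2", now=10),         # learned by registration
        "hub_hello_targets": hub.multicast_destinations(now=10),
        "hub_to_spoke2_later": hub.resolve("10.0.0.2", now=700),  # hold time elapsed
        "hub_hello_targets_later": hub.multicast_destinations(now=700),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Once the hold time elapses without a fresh registration, the hub loses both the unicast mapping and the spoke's place in the multicast list, which is why a spoke that stops re-registering also stops receiving hellos.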
NHRP Functionality
Address mapping/resolution
 Static NHRP mapping
 Next Hop Client (NHC) registration with the Next Hop Server (NHS)

Packet forwarding
 Resolution of VPN to NBMA mapping
 Routing: IP destination → tunnel IP next hop
 NHRP: tunnel IP next hop → NBMA address
Routing Protocol
 The spoke needs to advertise its private network to the
hub
 Can use BGP, EIGRP, OSPF, RIP or ODR; however, this
presentation will focus on EIGRP
 Must consider several caveats

Spoke Hellos
 Spoke has all it needs to send hellos immediately:

 Tunnel is defined
 Static NHRP entry to hub is present
 NHRP entry is marked for multicast
 So the spoke never waits…

Hub Hellos
 With its basic tunnel definition, the hub cannot send anything (including hellos) to anyone
 It must wait for NHRP registrations to arrive
 As soon as the spokes have registered, the NHRP entry is marked "multicast" due to:

 ip nhrp map multicast dynamic

 The hub then sends hellos to all the registered spokes simultaneously
IPSec Protection
 GRE/NHRP can build a fully functional overlay network
 GRE is insecure; ideally, it must be protected
 The good old crypto map configuration is rather
cumbersome; DMVPN introduced tunnel protection
 Still need to define an IPsec security level

IPSec Security Policy
 A transform set must be defined:

 crypto ipsec transform-set ts esp-sha-hmac esp-3des
  mode transport

 An IPsec profile replaces the crypto map:

 crypto ipsec profile prof
  set transform-set ts

 The IPsec profile is like a crypto map without "set peer" and "match address"
Protecting the Tunnel
 The profile must be applied on the tunnel:

 tunnel protection ipsec profile prof

 Internally, Cisco IOS Software treats this as a dynamic crypto map and derives the local-address, set peer and match address parameters from the tunnel parameters and the NHRP cache
 This must be configured on both the hub and spoke tunnels
MPLS

Problems with Conventional IP
• Forwarding decision at each hop
• IP forwarding is destination based
• Longest prefix match of hierarchical addresses
• Search time becomes a bottleneck
• No traffic flow optimization
• Forwarding plane and control plane approach
• Transit routers carry the full routing table
Limitations of other Layer 2 Technologies
ATM
• End-to-end PVC
• Manageability when Network grows
• Overhead for IP Traffic
• SAR Limitation
Frame Relay
• Lower Bandwidth rates
• End-to-end PVC
• Good for Hub and Spoke
PVC = Permanent Virtual Circuit
SAR = Segmentation and Reassembly

WHY MPLS?
• Leverage existing ATM hardware
• Ultra-fast forwarding
• IP traffic engineering
  – Constraint-based routing
• Virtual Private Networks
  – Controllable tunneling mechanism
• Voice/Video on IP
  – Delay variation + QoS constraints
BEST OF BOTH WORLDS
[Figure: a spectrum from packet forwarding (IP) through hybrid switching (MPLS + IP) to circuit switching (ATM)]
• MPLS + IP form a middle ground that combines the best of IP and the best of circuit switching technologies.
• ATM and Frame Relay cannot easily come to the middle, so IP has!
What is MPLS?
• Multi Protocol Label Switching
• Assigns labels to IP packets
• The router makes the forwarding decision based on the label
• Advantages of both Layer 2 and Layer 3 technologies
How MPLS works
• MPLS routers affix labels to packets based on a criterion: the FEC
• Label information is exchanged among routers
• Paths are built using labels: Label Switched Paths
• Packets are forwarded along Label Switched Paths (LSPs) by Label Switch Routers (LSRs)
MPLS Terminology
• LDP: Label Distribution Protocol
• LSP: Label Switched Path
• FEC: Forwarding Equivalence Class
• LSR: Label Switching Router
• LER: Label Edge Router
MPLS Control and Data Planes
• Forwarding component
  Uses label information carried in a packet and label binding information maintained by a router to forward the packet
• Control component
  Responsible for establishment and maintenance of correct label binding information among routers
Route at Edge and Switch in Core
[Figure: an IP packet enters the ingress LER (IP forwarding), is carried as IP #L1, IP #L2, IP #L3 across the core (label switching), and leaves the egress LER as a plain IP packet (IP forwarding)]
Forwarding Equivalence Classes
[Figure: packets IP1 and IP2 enter the ingress LER, traverse the same LSP across the LSRs as IP1 #L1 / IP2 #L1, IP1 #L2 / IP2 #L2, IP1 #L3 / IP2 #L3, and leave the egress LER as IP1 and IP2]
Packets are destined for different address prefixes, but can be mapped to a common path

• FEC = "A subset of packets that are all treated the same way by a router"
• The concept of FECs provides for a great deal of flexibility and scalability
• In conventional routing, a packet is assigned to a FEC at each hop (i.e. L3 look-up); in MPLS it is only done once at the network ingress.
* LSP = Label Switched Path, LSR = Label Switching Router, LER = Label Edge Router
MPLS BUILT ON STANDARD IP
[Figure: three routers interconnecting networks 47.1, 47.2 and 47.3, each holding a destination-based forwarding table (Dest 47.1 → Out 1, Dest 47.2 → Out 2, Dest 47.3 → Out 3)]

• Destination based forwarding tables as built by OSPF, IS-IS, RIP, etc.
Conventional IP Forwarding
[Figure: the same three routers and forwarding tables; a packet for IP 47.1.1.1 is looked up at every hop (Dest 47.1 → Out 1) on its way from network 47.3 to network 47.1]
MPLS Label Distribution
[Figure: an LSR sends "Request: 47.1" to its downstream neighbour, which replies with "Mapping: 0.40"; the LSR tables now hold In Intf / In Label / Dest / Out Intf / Out Label rows such as 3 / 0.50 / 47.1 / 1 / 0.40 on the first LSR and 3 / 0.40 / 47.1 / 1 on the next, while the ingress LSR maps 47.1 to out interface 1 with out label 0.50]
MPLS Labels
 Labels are inserted between the Layer 2 (frame) header
and the Layer 3 (packet) header.
 There can be more than one label (label stack).
 The bottom-of-stack bit indicates if the label is the last
label in the label stack.
 The TTL field is used to prevent the indefinite looping
of packets.
 Experimental bits are usually used to carry the IP
precedence value.

MPLS Label Format
 MPLS uses a 32-bit label field that contains the
following information:
 20-bit label (a number)
 3-bit experimental field (usually used to carry IP
precedence value)
 1-bit bottom-of-stack indicator (indicates whether this is
the last label before the IP header)
 8-bit TTL (equal to the TTL in the IP header)

MPLS Label Stack
 The protocol identifier in a Layer 2 header specifies that the payload starts with a label (or labels) and is followed by an IP header.
 The bottom-of-stack bit indicates whether the next header is another label or a Layer 3 header.
 The receiving router uses the top label only.
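The 32-bit label format and the bottom-of-stack walk from the two slides above, as an added Python example (not code from the slides): it packs and unpacks a label stack entry bit by bit and shows that only the S bit tells a receiver where the Layer 3 header starts. The label values 18 and 24 and the leading IPv4 header bytes are constructed.

```python
"""Added example (not from the original slides): encode and decode the 32-bit
MPLS label stack entry described above, and walk a label stack using the
bottom-of-stack bit. Label values and the trailing IP header bytes are constructed."""
import struct


def encode_entry(label, exp=0, bos=False, ttl=64):
    """Pack label (20 bits), EXP (3 bits), S/BoS (1 bit) and TTL (8 bits), network order."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    if not 0 <= exp < 8 or not 0 <= ttl < 256:
        raise ValueError("exp must fit in 3 bits and ttl in 8 bits")
    word = (label << 12) | (exp << 9) | (int(bos) << 8) | ttl
    return struct.pack("!I", word)


def decode_entry(data):
    """Unpack one 4-byte stack entry into its fields."""
    if len(data) < 4:
        raise ValueError("truncated label stack entry")
    (word,) = struct.unpack("!I", data[:4])
    return {"label": word >> 12, "exp": (word >> 9) & 0x7,
            "bos": bool((word >> 8) & 0x1), "ttl": word & 0xFF}


def build_stack(labels, exp=0, ttl=64):
    """Impose a stack of labels; only the last entry carries the BoS bit."""
    if not labels:
        raise ValueError("a label stack needs at least one label")
    last = len(labels) - 1
    return b"".join(encode_entry(lbl, exp, i == last, ttl) for i, lbl in enumerate(labels))


def parse_stack(frame_payload):
    """Walk entries until BoS is set; return (entries, bytes after the stack).

    A receiving LSR only acts on the top entry, but the full walk shows how the
    BoS bit is the only thing that marks where the Layer 3 header begins."""
    entries, offset = [], 0
    while True:
        entry = decode_entry(frame_payload[offset:])
        entries.append(entry)
        offset += 4
        if entry["bos"]:
            return entries, frame_payload[offset:]
        if offset >= len(frame_payload):
            raise ValueError("label stack has no bottom-of-stack entry")


def demo():
    """Two-label stack (e.g. LDP label 18 on top of VPN label 24) in front of an IPv4 header."""
    ipv4_header_start = bytes.fromhex("4500")      # constructed: version 4, IHL 5, TOS 0
    payload = build_stack([18, 24], exp=5, ttl=64) + ipv4_header_start
    entries, rest = parse_stack(payload)
    return payload, entries, rest


if __name__ == "__main__":
    payload, entries, rest = demo()
    print(payload.hex(), entries, rest.hex())
```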
MPLS Forwarding
 An LSR can perform the following functions:
 Insert (impose) a label or a stack of labels on ingress
 Swap a label with a next-hop label or a stack of labels in the
core
 Remove (pop) a label on egress
 ATM LSRs can swap a label with only one label (VPI/VCI
fields change).

MPLS Forwarding: Frame Mode
• On ingress, a label is assigned and imposed by the IP routing process.
• LSRs in the core swap labels based on the contents of the label forwarding table.
• On egress, the label is removed and a routing lookup is used to forward the packet.
MPLS VPN

What are VPNs?
• VPN = Virtual Private Network
• VPNs are building blocks for modern network, security and service infrastructures
• VPNs can provide security and/or privacy
• VPNs create connectivity among distant sites and remote users
MPLS-VPN Terminology
• Provider Network (P-Network)
  • The backbone under control of a Service Provider
• Customer Network (C-Network)
  • Network under customer control
• CE router
  • Customer Edge router. Part of the C-network and interfaces to a PE router
MPLS-VPN Terminology
• Site
  • Set of (sub)networks part of the C-network and co-located
  • A site is connected to the VPN backbone through one or more PE/CE links
• PE router
  • Provider Edge router. Part of the P-Network and interfaces to CE routers
• P router
  • Provider (core) router, without knowledge of VPN
MPLS-VPN Terminology
• Border router
  • Provider Edge router interfacing to other provider networks
• Extended Community
  • BGP attribute used to identify a Route-origin, Route-target
• Site of Origin Identifier (SOO)
  • 64 bits identifying routers where the route has been originated
MPLS-VPN Terminology
• Route-Target
  • 64 bits identifying routers that should receive the route
• Route Distinguisher
  • Attribute of each route used to uniquely identify prefixes among VPNs (64 bits)
  • VRF based (not VPN based)
• VPN-IPv4 addresses
  • Address including the 64-bit Route Distinguisher and the 32-bit IP address
MPLS-VPN Terminology
• VRF
  • VPN Routing and Forwarding Instance
  • Routing table and FIB table
  • Populated by routing protocol contexts
• VPN-Aware network
  • A provider backbone where MPLS-VPN is deployed
MPLS VPN Connection Model
[Figure: P routers in the core, PE routers at the edge joined by iBGP sessions, and CE routers of VPN_A (10.2.0.0, 11.5.0.0, 11.6.0.0, 10.1.0.0) and VPN_B (10.2.0.0, 10.1.0.0, 10.3.0.0) attached to the PEs; note the overlapping prefixes between VPN_A and VPN_B]

• P routers (LSRs) are in the core of the MPLS cloud
• PE routers use MPLS with the core and plain IP with CE routers
• P and PE routers share a common IGP
• PE routers are MP-iBGP fully meshed
MPLS VPN Connection Model
[Figure: CE routers at Site-1 and Site-2 attached to a PE router; the PE-CE links run EBGP, OSPF, RIPv2 or static routing]

• PE and CE routers exchange routing information through:
  • EBGP, OSPF, RIPv2, static routing
• CE routers run standard routing software
MPLS VPN Connection Model
[Figure: CE routers at Site-1 and Site-2 attached to a PE router via EBGP, OSPF, RIPv2 or static routing; the PE also runs the VPN backbone IGP towards the core]

• The routes the PE receives from CE routers are installed in the appropriate VRF
• The routes the PE receives through the backbone IGP are installed in the global routing table
• By using separate VRFs, addresses do NOT need to be unique among VPNs
MPLS VPN Connection Model
• The global routing table is populated by IGP protocols.
• In PE routers it may contain the BGP Internet routes (standard BGP-4 routes)
• BGP-4 (IPv4) routes go into the global routing table
• MP-BGP (VPN-IPv4) routes go into VRFs
MPLS VPN Connection Model
[Figure: two PE routers and four P routers running the VPN backbone IGP, with an iBGP session between the two PEs]

• PE and P routers share a common IGP (IS-IS or OSPF)
• PEs establish MP-iBGP sessions between them
• PEs use MP-BGP to exchange routing information related to the connected sites and VPNs
MPLS VPN Connection Model
• VPN-IPv4 address
  • Route Distinguisher
    • 64 bits
    • Makes the IPv4 route globally unique
    • RD is configured in the PE for each VRF
    • RD may or may not be related to a site or a VPN
  • IPv4 address (32 bits)
• Extended Community attribute (64 bits)
  • Site of Origin (SOO): identifies the originating site
  • Route-target (RT): identifies the set of sites the route has to be advertised to
MPLS VPN Connection Model
 The Extended Community is used to:
 Identify one or more routers where the route has been originated (site)
   Site of Origin (SOO)
 Select the sites which should receive the route
   Route-Target
MPLS VPN Connection Model
[Figure: CE-1 at Site-1 sends a BGP or RIPv2 update for Net1 (next hop = CE-1) to PE-1; PE-1 sends a VPN-IPv4 update across the VPN backbone IGP to PE-2 with RD:Net1, next hop = PE-1, SOO = Site1, RT = Green, Label = (intCE1); PE-2 translates it back into the IPv4 address Net1, puts it into VRF green since RT = Green, and advertises it to CE-2 at Site-2]

• PE routers receive IPv4 updates (EBGP, RIPv2, static)
• PE routers translate them into VPN-IPv4:
  • Assign a SOO and RT based on configuration
  • Re-write the next-hop attribute
  • Assign a label based on VRF and/or interface
  • Send an MP-iBGP update to all PE neighbors
MPLS VPN Connection Model
[Figure: the same exchange; CE-1 sends a BGP, OSPF or RIPv2 update for Net1 (next hop = CE-1) to PE-1, PE-1 sends the VPN-IPv4 update (RD:Net1, next hop = PE-1, SOO = Site1, RT = Green, Label = (intCE1)) to PE-2, and PE-2 installs Net1 in VRF green and advertises it to CE-2]

• Receiving PEs translate to IPv4
• They insert the route into the VRF identified by the RT attribute (based on PE configuration)
• The label associated with the VPN-IPv4 address will be set on packets forwarded towards the destination
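The translation on both sides of the backbone, as an added Python model (not code from the slides or from any router): PE-1 turns a CE route into a VPN-IPv4 route (RD + prefix, next hop rewritten to itself, SOO/RT attached, VPN label assigned) and PE-2 installs it only into the VRFs whose import route-targets match. The RDs, RTs, loopback addresses, SOO strings and labels are constructed sample values, and the SOO check is a simplified loop-prevention rule assumed for the example.

```python
"""Added example (not from the original slides): how a PE turns a CE route into a
VPN-IPv4 route (RD + prefix, next hop rewritten, SOO/RT attached, VPN label
assigned) and how a receiving PE installs it into the VRFs whose import
route-targets match. RDs, RTs, addresses and labels are constructed sample values."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VpnV4Route:
    rd: str               # route distinguisher, e.g. "65000:1"; makes the prefix unique
    prefix: str           # IPv4 prefix as received from the CE
    next_hop: str         # rewritten to the advertising PE's loopback
    soo: str              # site-of-origin extended community
    rts: frozenset        # route-target extended communities
    label: int            # VPN label allocated by the advertising (egress) PE


@dataclass
class Vrf:
    name: str
    rd: str
    import_rts: set
    export_rts: set
    soo: str
    routes: dict = field(default_factory=dict)   # prefix -> (next_hop, vpn_label)


class PeRouter:
    def __init__(self, name, loopback):
        self.name, self.loopback = name, loopback
        self.vrfs = {}
        self._next_label = 16          # labels 0-15 are reserved, so start at 16
        self.label_table = {}          # vpn_label -> vrf name (used on the egress PE)

    def add_vrf(self, vrf):
        self.vrfs[vrf.name] = vrf

    def export_from_ce(self, vrf_name, prefix):
        """Translate an IPv4 route learned from a CE into a VPN-IPv4 MP-BGP update."""
        vrf = self.vrfs[vrf_name]
        label = self._next_label
        self._next_label += 1
        self.label_table[label] = vrf_name
        return VpnV4Route(rd=vrf.rd, prefix=prefix, next_hop=self.loopback,
                          soo=vrf.soo, rts=frozenset(vrf.export_rts), label=label)

    def receive_update(self, route):
        """Install the route into every VRF whose import RT matches; skip the site
        that originated it (simplified SOO loop prevention, an assumption of this
        example). Returns the names of the VRFs that accepted the route."""
        installed = []
        for vrf in self.vrfs.values():
            if not (vrf.import_rts & route.rts) or vrf.soo == route.soo:
                continue
            vrf.routes[route.prefix] = (route.next_hop, route.label)
            installed.append(vrf.name)
        return installed


def demo():
    """Two VPNs that both use 10.1.0.0/16: the RD keeps the routes distinct
    and the RT steers each one into the right VRF on the remote PE."""
    pe1, pe2 = PeRouter("PE-1", "192.0.2.1"), PeRouter("PE-2", "192.0.2.2")
    for pe, site in ((pe1, "Site1"), (pe2, "Site2")):
        pe.add_vrf(Vrf("VPN_A", "65000:1", {"65000:100"}, {"65000:100"}, soo=f"{site}-A"))
        pe.add_vrf(Vrf("VPN_B", "65000:2", {"65000:200"}, {"65000:200"}, soo=f"{site}-B"))

    updates = [pe1.export_from_ce("VPN_A", "10.1.0.0/16"),
               pe1.export_from_ce("VPN_B", "10.1.0.0/16")]   # overlapping customer space
    placement = {(u.rd, u.prefix): pe2.receive_update(u) for u in updates}
    return updates, placement, pe2.vrfs


if __name__ == "__main__":
    updates, placement, vrfs = demo()
    for u in updates:
        print(f"VPN-IPv4 {u.rd}:{u.prefix} nh={u.next_hop} RT={set(u.rts)} label={u.label}")
    for name, vrf in vrfs.items():
        print(name, vrf.routes)
```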
VPN Packet Forwarding Across an MPLS VPN Backbone

Question: How will the PE routers forward the VPN packets across the MPLS VPN backbone?
Answer #1: The PE routers will label the VPN packets with an LDP label for the egress PE router and forward the labeled packets across the MPLS backbone.
Results:
• The P routers perform the label switching, and the packet reaches the egress PE router.
• However, the egress PE router does not know which VRF to use for packet switching, so the packet is dropped.
• How about using a label stack?
VPN Packet Forwarding Across an MPLS VPN Backbone (Cont.)

Question: How will the PE routers forward the VPN packets across the MPLS VPN backbone?
Answer #2: The PE routers will label the VPN packets with a label stack, using the LDP label for the egress PE router as the top label, and the VPN label assigned by the egress PE router as the second label in the stack.
Result:
• The P routers perform label switching, and the packet reaches the egress PE router.
• The egress PE router performs a lookup on the VPN label and forwards the packet toward the CE router.
VPN Penultimate Hop Popping
• Penultimate hop popping on the LDP label can be performed on the last P router.
• The egress PE router performs label lookup only on the VPN label, resulting in faster and simpler label lookup.
• IP lookup is performed only once: in the ingress PE router.
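The two answers and the penultimate-hop pop, traced in Python as an added example (not code from the slides): P routers act on the top label only, the last P router pops the LDP label, and the egress PE either finds a VRF via the VPN label or has to drop the packet. Router names, the labels 18/21/24 and the VRF name are constructed.

```python
"""Added example (not from the original slides): forward a VPN packet across the
MPLS backbone with integer labels, comparing the single LDP label (answer #1)
with the two-label stack (answer #2) and showing penultimate hop popping.
Router names, labels and VRF names are constructed sample values."""

POP = "pop"   # action advertised as implicit-null: the penultimate hop removes the label


class Lsr:
    """Core P router: acts on the top label only, using its LFIB."""

    def __init__(self, name, lfib):
        self.name = name
        self.lfib = lfib              # in_label -> (out_label or POP, next_hop name)

    def forward(self, labels):
        if not labels:
            raise ValueError(f"{self.name}: unlabeled packet in the core")
        action, next_hop = self.lfib[labels[0]]
        remaining = labels[1:]
        new_stack = remaining if action == POP else [action] + remaining
        return new_stack, next_hop


class EgressPe:
    """Egress PE: maps the VPN label it allocated to a VRF and a CE-facing interface."""

    def __init__(self, name, vpn_label_table):
        self.name = name
        self.vpn_label_table = vpn_label_table   # vpn_label -> (vrf, ce_router)

    def forward(self, labels):
        if not labels:
            return None                          # no VPN label: VRF unknown, drop
        return self.vpn_label_table.get(labels[0])


def send_across_core(stack, core, egress):
    """Impose the stack at the ingress PE, let each core router act on the top
    label in turn, then hand the result to the egress PE. Returns the egress
    decision, the stack the egress PE saw, and a per-hop trace."""
    labels = list(stack)
    trace = [("PE-1", list(labels))]
    for router in core:
        labels, _next_hop = router.forward(labels)
        trace.append((router.name, list(labels)))
    return egress.forward(labels), labels, trace


def demo():
    # LDP labels towards PE-2's loopback: P-1 swaps 18 -> 21, P-2 (penultimate) pops.
    p1 = Lsr("P-1", {18: (21, "P-2")})
    p2 = Lsr("P-2", {21: (POP, "PE-2")})
    pe2 = EgressPe("PE-2", {24: ("VPN_A", "CE-2")})   # VPN label 24 learned via MP-BGP

    answer1 = send_across_core([18], [p1, p2], pe2)       # LDP label only
    answer2 = send_across_core([18, 24], [p1, p2], pe2)   # LDP label over VPN label
    return answer1, answer2


if __name__ == "__main__":
    for name, (decision, stack_at_egress, trace) in zip(("answer #1", "answer #2"), demo()):
        print(name, "egress sees", stack_at_egress, "->", decision or "DROPPED", trace)
```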
VPN Label Propagation

Question: How will the ingress PE router get the second label in the label stack from the egress PE router?

Answer: Labels are propagated in MP-BGP VPNv4 routing updates.
VPN Label Propagation (Cont.)

Step 1: A VPN label is assigned to every VPN route by the egress PE router.
Step 2: The VPN label is advertised to all other PE routers in an MP-BGP update.
Step 3: A label stack is built in the VRF table.
MPLS VPNs and Label Propagation
 The VPN label must be assigned by the BGP next hop.
 The BGP next hop should not be changed in the MP-IBGP update propagation.
 The PE router must be the BGP next hop.
 Use the next-hop-self command on the PE router.
 The label must be re-originated if the next hop is changed.
 A new label is assigned every time that the MP-BGP update crosses the AS boundary where the next hop is changed.
Areas of Router Security
 Physical Security
 Place router in a secured, locked room
 Install an uninterruptible power supply
 Operating System Security
 Use the latest stable version that meets network requirements
 Keep a copy of the O/S and configuration file as a backup
 Router Hardening
 Secure administrative control
 Disable unused ports and interfaces
 Disable unnecessary services

Securing Administrative Access
 Restrict device accessibility: limit the accessible ports, restrict the permitted communicators and restrict the permitted methods of access.
 Log and account for all access: record anyone who accesses a device.
 Authenticate access: ensure access is only granted to authenticated users, groups, and services.
 Authorize actions: restrict the actions and views permitted by any particular user, group, or service.
 Present legal notification: display a legal notice for interactive sessions.
 Ensure the confidentiality of data: protect locally stored sensitive data from viewing and copying.
Local Versus Remote Access
[Figure: local access shows an administrator connected directly to R1's console port; remote access shows an administration host and a logging host on a management LAN reaching R1 and R2 through the Internet and a firewall]

Local access: requires a direct connection to a console port using a computer running terminal emulation software.
Remote access: uses Telnet, SSH, HTTP or SNMP connections to the router from a computer on a management LAN.
Secure Administrative Access
 Passwords
 Access Port Passwords
 Password Security
 Creating Users

Access Port Passwords
Command to restrict access to privileged EXEC mode:
R1(config)# enable secret cisco

Commands to establish a login password on incoming Telnet sessions:
R1(config)# line vty 0 4
R1(config-line)# password cisco
R1(config-line)# login

Commands to establish a login password for dial-up modem connections:
R1(config)# line aux 0
R1(config-line)# password cisco
R1(config-line)# login

Commands to establish a login password on the console line:
R1(config)# line con 0
R1(config-line)# password cisco
R1(config-line)# login
Password Security
To increase the security of passwords, use additional configuration parameters:
 Minimum password lengths should be enforced
 Unattended connections should be disabled
 All passwords in the configuration file should be encrypted

R1(config)# service password-encryption
R1(config)# exit
R1# show running-config
line con 0
 exec-timeout 3 30
 password 7 094F471A1A0A
 login
line aux 0
 exec-timeout 3 30
 password 7 094F471A1A0A
 login
Creating Users
username name secret {[0] password | 5 encrypted-secret}

Parameter: Description
name: This parameter specifies the username.
0: (Optional) This option indicates that the plaintext password is to be hashed by the router using MD5.
password: This parameter is the plaintext password to be hashed using MD5.
5: This parameter indicates that the encrypted-secret password was hashed using MD5.
encrypted-secret: This parameter is the MD5 encrypted-secret password that is stored as the encrypted user password.
SSH version 1, 2

 Configuring Router
 SSH Commands
 Connecting to Router

Preliminary Steps
Complete the following prior to configuring routers for
the SSH protocol:
1. Ensure that the target routers are running a Cisco IOS Release
12.1(1)T image or later to support SSH.
2. Ensure that each of the target routers has a unique hostname.
3. Ensure that each of the target routers is using the correct domain
name of the network.
4. Ensure that the target routers are configured for local
authentication, or for authentication, authorization, and
accounting (AAA) services for username or password
authentication, or both. This is mandatory for a router-to-router
SSH connection.

Configuring the Router for SSH
1. Configure the IP domain name of the network
R1# conf t
R1(config)# ip domain-name span.com

2. Generate the one-way secret key
R1(config)# crypto key generate rsa general-keys modulus 1024
The name for the keys will be: R1.span.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

R1(config)#
*Dec 13 16:19:12.079: %SSH-5-ENABLED: SSH 1.99 has been enabled

3. Verify or create a local database entry
R1(config)# username Bob secret cisco

4. Enable VTY inbound SSH sessions
R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# transport input ssh
R1(config-line)# exit
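An added audit script (not part of the slides and not a Cisco tool) that checks a saved running-config against the Password Security and SSH prerequisites from the preceding slides: hostname and domain name present, users created with secret rather than password, service password-encryption on, an exec-timeout and a login method on every line, and the VTYs restricted to SSH with the local database. The sample configuration embedded at the bottom is constructed to be partly hardened.

```python
"""Added example (not from the original slides or Cisco IOS): audit a saved
running-config for the SSH prerequisites and password-security settings
covered above. The sample configuration at the bottom is constructed."""
import re


def parse_config(text):
    """Split an IOS config into (top-level line, [indented sub-lines]) sections."""
    sections, current = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            sections.append(current)
    return sections


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    sections = parse_config(text)
    top = [head for head, _ in sections]
    findings = []

    # SSH prerequisites from the "Preliminary Steps": unique hostname and domain name.
    hostname = next((h.split(None, 1)[1] for h in top if h.startswith("hostname ")), None)
    if hostname in (None, "Router"):
        findings.append("hostname missing or default (needed for RSA key naming)")
    if not any(h.startswith("ip domain-name ") for h in top):
        findings.append("ip domain-name missing (needed to generate RSA keys)")

    # Local database: every user should use 'secret' (MD5 hash), never 'password'.
    for head in top:
        m = re.match(r"username (\S+) password ", head)
        if m:
            findings.append(f"user {m.group(1)} uses 'password' instead of 'secret'")
    if not any(h.startswith("enable secret ") for h in top):
        findings.append("enable secret missing")
    if "service password-encryption" not in top:
        findings.append("service password-encryption not enabled")

    # Per-line checks: unattended sessions, login method, allowed transports.
    for head, body in sections:
        if not head.startswith("line "):
            continue
        if not any(b.startswith("exec-timeout ") for b in body):
            findings.append(f"{head}: no exec-timeout (unattended connections stay open)")
        has_login = any(b in ("login", "login local") or b.startswith("login authentication")
                        for b in body)
        if not has_login:
            findings.append(f"{head}: no login method configured")
        if head.startswith("line vty"):
            transports = [b for b in body if b.startswith("transport input ")]
            if not transports or transports[-1] != "transport input ssh":
                findings.append(f"{head}: transport input is not restricted to ssh")
            if "login local" not in body and not any(b.startswith("login authentication")
                                                      for b in body):
                findings.append(f"{head}: vty does not use the local database or AAA")
    return findings


# Constructed sample: a router partly through the procedure on the slide.
SAMPLE_CONFIG = """\
hostname R1
ip domain-name span.com
enable secret cisco
username Bob password cisco
!
line con 0
 password cisco
 login
line vty 0 4
 exec-timeout 3 30
 login local
 transport input ssh
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```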
Using Syslog
 Implementing Router Logging
 Syslog
 Configuring System Logging

Implementing Router Logging
Configure the router to send log messages to:
 Console: Console logging is used when modifying or
testing the router while it is connected to the console.
Messages sent to the console are not stored by the router
and, therefore, are not very valuable as security events.
 Terminal lines: Configure enabled EXEC sessions to receive
log messages on any terminal lines. Similar to console
logging, this type of logging is not stored by the router and,
therefore, is only valuable to the user on that line.

Implementing Router Logging
 Buffered logging: Store log messages in router memory.
Log messages are stored for a time, but events are cleared
whenever the router is rebooted.
 SNMP traps: Certain thresholds can be preconfigured.
Events can be processed by the router and forwarded as
SNMP traps to an external SNMP server. Requires the
configuration and maintenance of an SNMP system.
 Syslog: Configure routers to forward log messages to an
external syslog service. This service can reside on any
number of servers, including Microsoft Windows and
UNIX-based systems, or the Cisco Security MARS
appliance.

Syslog
 Syslog servers: known as log hosts, these systems accept and process log messages from syslog clients.
 Syslog clients: routers or other types of equipment that generate and forward log messages to syslog servers.
[Figure: R3 as the syslog client, with e0/0 10.2.1.1 towards the Internet, e0/1 10.2.2.1 towards the DMZ LAN 10.2.2.0/24 (public web server 10.2.2.3, mail server 10.2.2.4, administrator server 10.2.2.5) and e0/2 10.2.3.1 towards the protected LAN 10.2.3.0/24 (syslog server 10.2.3.2, user 10.2.3.3)]
Configuring System Logging
Turn logging on and off using the logging buffered, logging monitor, and logging commands.

R3(config)# logging 10.2.2.6                        1. Set the destination logging host
R3(config)# logging trap informational              2. Set the log severity (trap) level
R3(config)# logging source-interface loopback 0     3. Set the source interface
R3(config)# logging on                              4. Enable logging
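What the trap level in step 2 actually does, shown on the receiving side as an added Python example (not code from the slides or from any syslog product): it parses IOS-style %FACILITY-SEVERITY-MNEMONIC messages and keeps only those at or below the configured severity, so a debugging-level message is discarded under `logging trap informational`. The SSH and CRYPTO lines mirror messages quoted earlier in this section; the remaining sample lines are constructed.

```python
"""Added example (not from the original slides): parse Cisco IOS syslog messages
and apply the 'logging trap informational' threshold that a router uses when
deciding what to forward to the syslog server. Sample lines are constructed,
modelled on the formats shown earlier in this section."""
import re

SEVERITIES = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
              "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# %FACILITY-SEVERITY-MNEMONIC: text, optionally preceded by a timestamp or uptime
MSG_RE = re.compile(r"(?:(?P<ts>\S.*?): )?%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-"
                    r"(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)")


def parse_message(line):
    """Return the message fields as a dict, or None for lines that are not syslog."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    msg = m.groupdict()
    msg["severity"] = int(msg["severity"])
    return msg


def forwarded(lines, trap_level="informational"):
    """Return the parsed messages that pass 'logging trap <level>' (severity <= level)."""
    limit = SEVERITIES[trap_level]
    return [msg for msg in map(parse_message, lines) if msg and msg["severity"] <= limit]


# Constructed sample buffer; the SSH and CRYPTO lines mirror messages quoted on the slides.
SAMPLE_LOG = [
    "*Dec 13 16:19:12.079: %SSH-5-ENABLED: SSH 1.99 has been enabled",
    "1d00h: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main Mode failed with peer at 172.30.2.2",
    "*Dec 13 16:20:01.000: %SYS-5-CONFIG_I: Configured from console by Bob on vty0 (10.2.3.3)",
    "*Dec 13 16:20:05.000: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to down",
    "*Dec 13 16:20:06.000: %DEBUG-7-SAMPLE: constructed debugging-level line, not forwarded",
    "some unrelated console output",
]

if __name__ == "__main__":
    for msg in forwarded(SAMPLE_LOG):
        print(msg["severity"], msg["facility"], msg["mnemonic"], msg["text"])
```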
Using NTP
 Uses
 Timekeeping
 Features/Functions

Uses
 Clocks on hosts and network devices must be
maintained and synchronized to ensure that log
messages are synchronized with one another
 The date and time settings of the router can be set
using one of two methods:
 Manually edit the date and time
 Configure Network Time Protocol

Timekeeping
• Pulling the clock time from the Internet means that unauthenticated packets are allowed through the firewall.
• Many NTP servers on the Internet do not require any authentication of peers.
• Devices are given the IP address of NTP masters. In an NTP-configured network, one or more routers are designated as the master clock keeper (the NTP master) with the ntp master global configuration command.
• NTP clients either contact the master or listen for messages from the master to synchronize their clocks. To contact the server, use the ntp server ntp-server-address command.
• In a LAN environment, NTP can be configured to use IP broadcast messages instead, with the ntp broadcast client command. A broadcast client accepts time from whatever host broadcasts on the segment, so it should be combined with the authentication described next.
Features/Functions
• There are two security mechanisms available:
  - An ACL-based restriction scheme (ntp access-group), which limits which addresses may synchronize with or query the device
  - Keyed-hash (MD5) authentication of NTP packets, available in NTP version 3 or higher; the key itself is never sent, only a digest computed over the packet with it
• Implement NTP version 3 or higher. Use the following commands on both the NTP master and the NTP client:
  - ntp authenticate
  - ntp authentication-key key-number md5 value
  - ntp trusted-key key-number
• On the client, also specify which key to use toward the server: ntp server ntp-server-address key key-number. The key number and key string must match on both ends.
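Added example (Python, not from the course slides): a model of the NTPv3 keyed-MD5 authentication that ntp authenticate, ntp authentication-key and ntp trusted-key turn on. It builds the 48-byte NTP header, appends the 20-byte MAC (4-byte key id followed by MD5 over key || header, as in RFC 5905 Appendix A), and shows the receiving side accepting a genuine reply while rejecting an unauthenticated reply from a rogue server and a genuine reply whose transmit timestamp was altered in transit. The key table, key id 1, key string and timestamps are constructed for the example and do not come from the slides.

```python
import hashlib
import hmac
import struct

# RFC 5905 header is 48 bytes; an authenticated packet appends a 20-byte MAC:
# 4-byte key identifier + 16-byte MD5 digest over (key || header).
NTP_HEADER_LEN = 48
MAC_LEN = 20

# Hypothetical key table standing in for:
#   ntp authentication-key 1 md5 S3cr3tNtpK3y   /   ntp trusted-key 1
# Constructed for this example, not a real deployment key.
KEY_TABLE = {1: b"S3cr3tNtpK3y"}
TRUSTED_KEYS = {1}


def build_ntp_header(mode: int, transmit_ts: int, stratum: int = 0, version: int = 3) -> bytes:
    """Minimal NTPv3 header: mode 3 = client request, mode 4 = server reply."""
    li_vn_mode = (version << 3) | mode                  # leap indicator 0
    poll, precision = 6, -20
    root_delay = root_disp = ref_id = b"\x00" * 4
    ref_ts = orig_ts = recv_ts = 0
    return struct.pack("!BBbb4s4s4sQQQQ", li_vn_mode, stratum, poll, precision,
                       root_delay, root_disp, ref_id, ref_ts, orig_ts, recv_ts, transmit_ts)


def ntp_mac(key: bytes, header: bytes) -> bytes:
    """NTP authenticator: MD5 over the key string concatenated with the 48-byte header."""
    return hashlib.md5(key + header).digest()


def authenticate(header: bytes, key_id: int) -> bytes:
    """What a peer does once `ntp authenticate` is on: append keyid + MD5(key || header)."""
    return header + struct.pack("!I", key_id) + ntp_mac(KEY_TABLE[key_id], header)


def verify(packet: bytes) -> tuple:
    """Receiver-side check, returns (accepted, reason). Only MACs under a trusted key pass."""
    if len(packet) == NTP_HEADER_LEN:
        return False, "unauthenticated packet rejected"
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return False, "malformed MAC"
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in TRUSTED_KEYS or key_id not in KEY_TABLE:
        return False, f"key {key_id} is not a trusted key"
    if not hmac.compare_digest(ntp_mac(KEY_TABLE[key_id], header), mac[4:]):
        return False, "MAC mismatch: wrong key or packet altered in transit"
    return True, "authenticated"


def demo_exchange() -> dict:
    """Client request, genuine reply, rogue unauthenticated reply, and a tampered genuine reply."""
    request = authenticate(build_ntp_header(mode=3, transmit_ts=0x1234_5678_0000_0000), key_id=1)
    genuine = authenticate(build_ntp_header(mode=4, stratum=2, transmit_ts=0xE9A0_0000_0000_0000), key_id=1)
    rogue = build_ntp_header(mode=4, stratum=1, transmit_ts=0xF000_0000_0000_0000)   # no MAC at all
    # An on-path attacker rewrites the transmit timestamp (bytes 40-47) but cannot recompute the MAC.
    tampered = genuine[:40] + struct.pack("!Q", 0xF000_0000_0000_0000) + genuine[48:]
    return {
        "server_accepts_request": verify(request),
        "client_accepts_genuine": verify(genuine),
        "client_accepts_rogue": verify(rogue),
        "client_accepts_tampered": verify(tampered),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo_exchange().items():
        print(f"{name}: {ok} ({why})")
```

The model covers only the authenticator, not clock selection. Two practical consequences follow from it: an unauthenticated server, however accurate, is ignored once ntp authenticate is on, and the protection is exactly as strong as the secrecy of the key string, since MD5 over key || header can be brute-forced offline from one captured packet if the key is short.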
Authentication – Password-Only
Password-Only Method

R1(config)# line vty 0 4
R1(config-line)# password cisco
R1(config-line)# login

Login attempt from the Internet:
User Access Verification
Password: cisco
Password: cisco1
Password: cisco12
% Bad passwords

• Uses a login and password combination on access lines
• Easiest to implement, but the least secure method
• Vulnerable to brute-force attacks: one shared password, no lockout, and no username to tie an attempt to
• Provides no accountability
Authentication – Local Database
• Creates an individual user account/password on each device
• Provides accountability
• User accounts must be configured locally on each device
• Provides no fallback authentication method

R1(config)# username Admin secret Str0ng5rPa55w0rd
R1(config)# line vty 0 4
R1(config-line)# login local

Login attempt from the Internet (Local Database Method):
User Access Verification
Username: Admin
Password: cisco1
% Login invalid

Username: Admin
Password: cisco12
% Login invalid

Use the secret keyword rather than password when creating accounts: secret stores a one-way hash, whereas password with service password-encryption only applies the reversible type 7 encoding.
AAA Access Security
• Authentication: who are you?
• Authorization: which resources is the user allowed to access, and which operations is the user allowed to perform?
• Accounting: what did you spend it on? (what the user did, when, and for how long)
Local AAA Authentication
Commands
To authenticate administrator access (character mode access):
1. Add usernames and passwords to the local router database
2. Enable AAA globally
3. Configure AAA parameters on the router
4. Confirm and troubleshoot the AAA configuration

R1# conf t
R1(config)# username JR-ADMIN secret Str0ngPa55w0rd
R1(config)# username ADMIN secret Str0ng5rPa55w0rd
R1(config)# aaa new-model
R1(config)# aaa authentication login default local-case
R1(config)# aaa local authentication attempts max-fail 10

The order matters: aaa new-model applies the default login list to every line at once, including the console, so create the local users first and verify the new login from a second session before closing the one you configured from. aaa local authentication attempts max-fail 10 locks a local account after ten consecutive failures, which is what makes the local database resistant to the brute forcing the password-only method is exposed to.
AAA Authentication Command
Elements
router(config)#
aaa authentication login {default | list-name} method1 … [method4]

Element                Description
default                Uses the listed authentication methods that follow this keyword as the default list of methods when a user logs in
list-name              Character string used to name the list of authentication methods activated when a user logs in
passwd-expiry          Enables password aging on a local authentication list
method1 [method2 ...]  Identifies the list of methods that the authentication algorithm tries in the given sequence. You must enter at least one method; you may enter up to four methods.
Sample Configuration

R1# conf t
R1(config)# username JR-ADMIN secret Str0ngPa55w0rd
R1(config)# username ADMIN secret Str0ng5rPa55w0rd
R1(config)# aaa new-model
R1(config)# aaa authentication login default local-case enable
R1(config)# aaa authentication login TELNET-LOGIN local-case
R1(config)# line vty 0 4
R1(config-line)# login authentication TELNET-LOGIN

Lines that are not given a named list with login authentication use the default list. Here the vty lines use TELNET-LOGIN (case-sensitive local usernames only), while the console and any other line use default, which lists the enable password as a second method.
Troubleshooting
• The debug aaa Command
• Sample Output
The debug aaa Command
R1# debug aaa ?
accounting Accounting
administrative Administrative
api AAA api events
attr AAA Attr Manager
authentication Authentication
authorization Authorization
cache Cache activities
coa AAA CoA processing
db AAA DB Manager
dead-criteria AAA Dead-Criteria Info
id AAA Unique Id
ipc AAA IPC
mlist-ref-count Method list reference counts
mlist-state Information about AAA method list state change and
notification
per-user Per-user attributes
pod AAA POD processing
protocol AAA protocol processing
server-ref-count Server handle reference counts
sg-ref-count Server group handle reference counts
sg-server-selection Server Group Server Selection
subsys AAA Subsystem
testing Info. about AAA generated test packets
Sample Output
R1# debug aaa authentication
113123: Feb 4 10:11:19.305 CST: AAA/MEMORY: create_user (0x619C4940) user=''
ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1
113124: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): port='tty1' list=''
action=LOGIN service=LOGIN
113125: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): using "default" list
113126: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): Method=LOCAL
113127: Feb 4 10:11:19.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113128: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): continue_login
(user='(undef)')
113129: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113130: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113131: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETPASS
113132: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): continue_login
(user='diallocal')
113133: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = GETPASS
113134: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113135: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = PASS
Server-Based AAA
• Comparing Local versus Server-Based AAA
• Overview of TACACS+ and RADIUS
  - TACACS+ (Terminal Access Controller Access-Control System Plus)
  - RADIUS (Remote Authentication Dial-In User Service)
Local Versus Server-Based
Authentication
Local Authentication
1. The user establishes a connection with the router.
2. The router prompts the user for a username and password and authenticates the user against its local database.

Figure: remote user, perimeter router and Cisco Secure ACS for Windows Server, with steps 1 to 4 of the server-based flow marked.

Server-Based Authentication
1. The user establishes a connection with the router.
2. The router prompts the user for a username and password.
3. The router passes the username and password to the Cisco Secure ACS (server or engine).
4. The Cisco Secure ACS authenticates the user. The user is authorized to access the router (administrative access) or the network based on information found in the Cisco Secure ACS database.
Overview of TACACS+ and RADIUS
TACACS+ or RADIUS protocols are used to communicate between the clients (the perimeter router acting as network access server) and the AAA security servers (Cisco Secure ACS for Windows Server or Cisco Secure ACS Express in the figure).
• TACACS+: Cisco protocol over TCP port 49. The whole packet body is encrypted with the shared key, and authentication, authorization and accounting are separate exchanges, which is what allows per-command authorization for administrative access.
• RADIUS: open standard over UDP (ports 1812/1813, or 1645/1646 on older deployments). Only the User-Password attribute is obfuscated with the shared key; the rest of the packet is cleartext, and authentication and authorization are combined in one exchange.
Configuring Server-Based AAA
Authentication
1. Globally enable AAA to allow the use of all AAA elements (a prerequisite)
2. Specify the Cisco Secure ACS that will provide AAA services for the network access server
3. Configure the shared key that protects the exchange between the network access server and the Cisco Secure ACS (TACACS+ encrypts the packet body with it; RADIUS uses it only to hide the password attribute and to authenticate server responses)
4. Configure the AAA authentication method list
aaa authentication Command
R1(config)# aaa authentication type { default | list-name } method1 … [method4]

R1(config)# aaa authentication login default ?
  enable         Use enable password for authentication.
  group          Use Server-group
  krb5           Use Kerberos 5 authentication.
  krb5-telnet    Allow logins only if already authenticated via Kerberos V Telnet.
  line           Use line password for authentication.
  local          Use local username authentication.
  local-case     Use case-sensitive local username authentication.
  none           NO authentication.
  passwd-expiry  enable the login list to provide password aging support

R1(config)# aaa authentication login default group ?
  WORD     Server-group name
  radius   Use list of all Radius hosts.
  tacacs+  Use list of all Tacacs+ hosts.

R1(config)# aaa authentication login default group

The none method disables authentication entirely. If it is used at all, it belongs at the end of a list applied only to the console as a lockout safeguard, never on a list applied to vty lines.
Sample Configuration
• Multiple RADIUS servers can be identified by entering a radius-server host command for each.
• For TACACS+, the single-connection keyword on tacacs-server host keeps one TCP connection open for the life of the session instead of opening a new one per request.
• TACACS+ or RADIUS protocols are used to communicate between the clients and the AAA security servers.

Figure: R1 with a Cisco Secure ACS for Windows at 192.168.1.100 (RADIUS) and a Cisco Secure ACS Solution Engine at 192.168.1.101 (TACACS+).

R1(config)# aaa new-model
R1(config)# radius-server host 192.168.1.100
R1(config)# radius-server key RADIUS-Pa55w0rd
R1(config)# tacacs-server host 192.168.1.101 single-connection
R1(config)# tacacs-server key TACACS+Pa55w0rd
R1(config)# aaa authentication login default group tacacs+ group radius local-case

single-connection is an option of tacacs-server host, not of tacacs-server key, so it is attached to the host line. The method list is tried in order: TACACS+ first, RADIUS only if no TACACS+ server responds, and the local database only if neither server group is reachable. A rejected login at a reachable server is final and does not fall through to the next method; fallback happens on server error, not on authentication failure.
Router Management Through
HTTP/HTTPS
• Cisco routers can be managed through HTTP/HTTPS.
• To enable it on a Cisco router:
!R1
ip http server
ip http secure-server
ip http authentication local
username CCNP privilege 15 password cisco
• Also make sure there is network connectivity between the router and the PC.
• In practice keep only the HTTPS listener: no ip http server disables the cleartext HTTP service so credentials are never sent in the clear. Create the account with username CCNP privilege 15 secret ... rather than password so the configuration stores a one-way hash, and restrict which addresses may reach the web interface with ip http access-class.
Gathering Information with SNMP
• Simple Network Management Protocol (SNMP) and NetFlow are the two main technologies used to gather statistics from Cisco switches and routers.
• Each has a different focus.
• SNMP focuses primarily on collecting various statistics from network devices.
• Statistics can be viewed through the CLI or a graphical user interface (GUI).
• If you want to collect and analyze these statistics over time, however, you can take advantage of SNMP.
SNMP
• SNMP makes use of:
  - An SNMP Network Management Station (NMS)
  - One or more SNMP agents
• Agents are special processes running on the devices we would like to monitor and collect information about.
• By periodically querying (polling) the SNMP agent, the NMS collects ongoing information and statistics and stores them.

Figure: the NMS sends a poll to the agent; the agent returns the data.
SNMP Configuration
!R1
snmp-server community cisco ro
snmp-server enable traps          (optional)
snmp-server host 10.0.0.2 cisco   (optional)

The community string is the only credential in SNMPv1/v2c, and it travels in cleartext in every poll and trap, so cisco here is suitable for the lab only. At minimum bind the community to an ACL (snmp-server community string ro access-list) so only the NMS address can use it, keep ro unless write access is genuinely required, and prefer SNMPv3 with authentication and privacy where the NMS supports it.
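Added example (Python, not from the course slides): it hand-encodes an SNMPv1 GetRequest for sysDescr.0 in ASN.1 BER, the message an NMS sends when polling the community configured above, and then decodes it again the way a passive observer on the path would, to show that the version and community string are readable in the clear. The OID and the small list of well-known default community strings are the only inputs; the request is constructed here, not captured.

```python
# SNMPv1 GetRequest for sysDescr.0, encoded in ASN.1 BER, plus the "sniffer" side
# that recovers the community string from the bytes on the wire.
SYS_DESCR_OID = (1, 3, 6, 1, 2, 1, 1, 1, 0)
# Well-known default/example community strings (the course configuration uses "cisco").
WEAK_COMMUNITIES = {"public", "private", "cisco"}


def _tlv(tag: int, value: bytes) -> bytes:
    """BER TLV with definite length (short form under 128 bytes, long form above)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _integer(v: int) -> bytes:
    n = 1 if v == 0 else (v.bit_length() + 8) // 8       # minimal two's-complement length
    return _tlv(0x02, v.to_bytes(n, "big", signed=True))


def _oid(arcs) -> bytes:
    body = bytes([40 * arcs[0] + arcs[1]])               # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                                       # base-128 with continuation bit
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(chunk)
    return _tlv(0x06, body)


def build_get_request(community: str, oid=SYS_DESCR_OID, request_id: int = 1) -> bytes:
    """SNMPv1 message: SEQUENCE { version 0, community, GetRequest-PDU [A0] }."""
    varbind_list = _tlv(0x30, _tlv(0x30, _oid(oid) + _tlv(0x05, b"")))   # OID + NULL value
    pdu = _tlv(0xA0, _integer(request_id) + _integer(0) + _integer(0) + varbind_list)
    return _tlv(0x30, _integer(0) + _tlv(0x04, community.encode("ascii")) + pdu)


def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def sniff_community(packet: bytes):
    """What anyone on the path sees: the SNMP version and the community string, in the clear."""
    tag, message, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    tag, version, pos = _read_tlv(message, 0)
    if tag != 0x02:
        raise ValueError("missing version field")
    tag, community, _ = _read_tlv(message, pos)
    if tag != 0x04:
        raise ValueError("missing community field")
    return int.from_bytes(version, "big", signed=True), community.decode("ascii", "replace")


def audit_capture(packets):
    """Flag captured v1 (0) / v2c (1) messages whose community is a well-known default."""
    findings = []
    for pkt in packets:
        version, community = sniff_community(pkt)
        if version in (0, 1) and community in WEAK_COMMUNITIES:
            findings.append((version, community))
    return findings


if __name__ == "__main__":
    pkt = build_get_request("cisco")
    print(pkt.hex())
    print("on the wire:", sniff_community(pkt), "weak:", audit_capture([pkt]))
```

The same decoder works on real captures: SNMPv1 and v2c messages differ only in the version integer (0 or 1), and in both the community follows it unprotected, which is why the ACL on the community and the move to SNMPv3 are the controls that matter.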
Gathering Information with NetFlow
• NetFlow has a different focus and uses different underlying mechanisms.
• Among Catalyst switches it is currently supported only on the 4500 and 6500 series.
• A NetFlow-enabled device (router or Layer 3 switch) collects information about the IP traffic that is flowing through (transiting) the device.
• Classifies traffic by flow.
• A flow is identified as a collection of packets that share the same essential header fields:
  - source IP address
  - destination IP address
  - protocol number
  - Type of Service (ToS) field
  - port numbers (if applicable)
  - plus the ingress interface
• For each individual flow, the number of packets and bytes is tracked and accounted.
• This information is kept in a flow cache.
• Flows are expired from the cache when they terminate or time out.
• Examine the NetFlow cache:
  - CLI commands
  - Exported to a NetFlow collector, where it can be processed and graphed
• The collector receives the flow information and records it in a database.
• The database contains a full view of all the traffic that has transited the router, except for the payload.
NetFlow
• To export NetFlow information to a collector, you must first enable NetFlow accounting (collection) on the desired router interfaces with the ip flow ingress interface configuration command.
• Configure the version of the NetFlow protocol.
  - The most commonly used is NetFlow version 5.
  - The most current and flexible version is NetFlow version 9 (if your collector supports it).
NetFlow
ip flow ingress interface configuration command
• Fa0/0 and Fa0/1 interfaces are enabled to collect NetFlow information for ingress traffic.
• The definition of a flow is unidirectional, so if you want to account for both inbound and outbound traffic, the feature needs to be turned on for both interfaces.
• The command ip flow ingress replaces the old ip route-cache flow command.
NetFlow
• Configure the IP address and UDP port number of the collector.
  - There is no default port number for NetFlow
  - Must match on router and collector
• In the example the NetFlow information is exported to a collector with:
  - IP address 10.1.152.1 at UDP port 9996 (ip flow-export destination 10.1.152.1 9996)
  - Packet format version 5 (ip flow-export version 5)
  - Interface Loopback 0's IP address used as the source of the outgoing IP packets (ip flow-export source Loopback0)
NetFlow
• The collector is configured with, and verifies, the source IP address of the incoming packets.
• It is therefore important that the NetFlow packets are always sourced from the same router interface.
• Using a loopback interface as the source for NetFlow ensures that the packets are always sourced from the same address, regardless of the physical interface used to transmit them to the collector.
• Export is plain UDP: the records are neither authenticated nor encrypted, and a source-address check is no defence against spoofed datagrams, so the export path should stay inside the management network.
• After the router starts caching and accounting flow information locally in its memory, you can display the NetFlow cache content with the show ip cache flow command.
• It shows the active flows that are sending packets through the router.
• In contrast to SNMP, NetFlow uses a push-based model:
  - the router sends NetFlow data to the collector as flows expire from the flow cache
  - the collector simply listens for NetFlow traffic
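Added example (Python, not from the course slides): the receiving end of the export described above, a minimal NetFlow v5 collector parse. It serialises a constructed export packet in the 24-byte header plus 48-byte record layout that ip flow-export version 5 produces, decodes it again, keys each record on the seven fields the slides give as the flow definition, totals bytes per source, and flags a source whose single-packet SYN-only flows hit many ports on one host, which is what a port scan looks like in flow data. The addresses reuse the course topology; the traffic itself is invented for the example.

```python
import socket
import struct
from collections import defaultdict

# NetFlow v5 export packet: 24-byte header followed by up to 30 records of 48 bytes.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def build_v5_export(records, sys_uptime=3_600_000, unix_secs=1_700_000_000, seq=0) -> bytes:
    """Serialise flow records the way an exporter would (constructed test data, not a capture)."""
    header = V5_HEADER.pack(5, len(records), sys_uptime, unix_secs, 0, seq, 0, 0, 0)
    body = b""
    for r in records:
        body += V5_RECORD.pack(
            socket.inet_aton(r["src"]), socket.inet_aton(r["dst"]), socket.inet_aton("0.0.0.0"),
            r["input_if"], r.get("output_if", 0), r["packets"], r["bytes"],
            sys_uptime - 1000, sys_uptime, r["srcport"], r["dstport"],
            0, r.get("tcp_flags", 0), r["proto"], r.get("tos", 0), 0, 0, 24, 24, 0)
    return header + body


def parse_v5_export(data: bytes):
    """Decode header and records; the flow key is the set of fields the slides define a flow by."""
    if len(data) < V5_HEADER.size:
        raise ValueError("short packet")
    version, count, *_ = V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(data) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match packet length")
    flows = []
    for i in range(count):
        (src, dst, _nexthop, in_if, _out_if, pkts, octets, _first, _last,
         sport, dport, _pad, flags, proto, tos, *_rest) = V5_RECORD.unpack_from(
            data, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            # src, dst, protocol, ToS, ports, ingress interface: the seven-field flow key
            "key": (socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, tos, sport, dport, in_if),
            "packets": pkts, "bytes": octets, "tcp_flags": flags,
        })
    return flows


def bytes_by_source(flows):
    totals = defaultdict(int)
    for f in flows:
        totals[f["key"][0]] += f["bytes"]
    return dict(totals)


def suspected_scanners(flows, min_ports=6):
    """Sources with single-packet, SYN-only TCP flows to many distinct ports on one destination."""
    ports = defaultdict(set)
    for f in flows:
        src, dst, proto, _tos, _sport, dport, _in_if = f["key"]
        if proto == 6 and f["packets"] == 1 and f["tcp_flags"] == 0x02:
            ports[(src, dst)].add(dport)
    return sorted({src for (src, _dst), seen in ports.items() if len(seen) >= min_ports})


# Constructed sample: a protected-LAN user talking to the web and mail servers, and an
# external host probing the public web server. Interface 3 = e0/2, interface 1 = e0/0.
SAMPLE_RECORDS = (
    [{"src": "10.2.3.3", "dst": "10.2.2.3", "proto": 6, "srcport": 51000, "dstport": 80,
      "packets": 120, "bytes": 96_000, "tcp_flags": 0x1B, "input_if": 3},
     {"src": "10.2.3.3", "dst": "10.2.2.4", "proto": 6, "srcport": 51001, "dstport": 25,
      "packets": 30, "bytes": 4_200, "tcp_flags": 0x1B, "input_if": 3}]
    + [{"src": "198.51.100.7", "dst": "10.2.2.3", "proto": 6, "srcport": 40000 + p, "dstport": p,
        "packets": 1, "bytes": 60, "tcp_flags": 0x02, "input_if": 1}
       for p in (21, 22, 23, 25, 80, 443, 445, 3389)]
)
SAMPLE_EXPORT = build_v5_export(SAMPLE_RECORDS)

if __name__ == "__main__":
    flows = parse_v5_export(SAMPLE_EXPORT)
    print(len(flows), "flows;", bytes_by_source(flows), "; scanners:", suspected_scanners(flows))
```

Because a flow is unidirectional and keyed on the ingress interface, the scan shows up only if ip flow ingress is enabled on the interface the probes arrive on (e0/0 here); enabling it only on the inside interface would record the servers' replies and miss the probe itself.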
IP SLA
ip sla 1
 icmp-echo 54.1.1.254
 timeout 1000
 frequency 1
!
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
!
ip route 150.1.1.0 255.255.255.0 155.1.146.1 track 1

The track object is what ties the probe to the route: track 1 ip sla 1 reachability follows the result of operation 1, and the static route stays in the routing table only while track 1 is up. When the ICMP echo to 54.1.1.254 times out, the track goes down and the route is withdrawn; it is reinstalled when the probe succeeds again.

On the 54.1.1.254 router:
!
ip sla responder

The responder is only required for operations that target a responder port (udp-jitter, udp-echo, tcp-connect). An icmp-echo operation is answered by the IP stack of any reachable host and works without it.
