1. CCIE # 41999
2. CCNP
3. CCNA
[Figure: three autonomous systems, AS 1000, AS 2000 and AS 3000, joined by EGP; IGP runs inside each AS]
EGP: Exterior Gateway Protocols are used for routing between Autonomous Systems.
IGP: Interior Gateway Protocols are used for routing decisions within an Autonomous System.
Link state: OSPF
Hybrid: EIGRP
[Figure: OSPF Area 1 and Area 2 with routers B and C, and the Autonomous System Boundary Router (ASBR)]
Prepared By:Waleed Adlan-CCIE41999 -
waleed_hashim@hotmail.com
Basic OSPF Configuration
Router(config)# router ospf 1
• The number 1 in this example is a process-id that begins an OSPF process in the router.
• More than one process can be launched in a router, but this is rarely necessary.
• Usually the same process-id is used throughout the entire network, but this is not required.
• The process-id can actually be any value from 1 to "very large integer".
• The process-id cannot be ZERO.
• This is NOT the same as the AS number used in IGRP and EIGRP.
Configuring OSPF Areas
After identifying the OSPF process, you need to identify the interfaces that
you want to activate OSPF communications
Lab_A#config t
Lab_A(config)#router ospf 1
Lab_A(config-router)#network 10.0.0.0 0.255.255.255 area ?
<0-4294967295> OSPF area ID as a decimal value
A.B.C.D OSPF area ID in IP address format
Lab_A(config-router)#network 10.0.0.0 0.255.255.255 area 0
Every OSPF network must have an area 0 (the backbone area) to which
other areas connect
So in a multiple area network, there must be an area 0
The wildcard mask represents the set of hosts supported by the network
and is really just the inverse of the subnet mask.
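An added example (my own code, not from the slides) of the matching rule just described: each interface address is compared with the network statement under the wildcard mask, and only interfaces that match have OSPF enabled in the given area. The interface addresses and the host-specific statement below are constructed; the 10.0.0.0 0.255.255.255 area 0 statement is the one from the Lab_A example.

```python
import ipaddress


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask for a prefix length: the bitwise inverse of the subnet mask."""
    subnet_mask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return str(ipaddress.IPv4Address(subnet_mask ^ 0xFFFFFFFF))


def matches_network_statement(interface_ip: str, network: str, wildcard: str) -> bool:
    """True if interface_ip is covered by `network <network> <wildcard> area ...`.

    A 0 bit in the wildcard means the address bit must equal the network bit;
    a 1 bit means "don't care".
    """
    ip = int(ipaddress.IPv4Address(interface_ip))
    net = int(ipaddress.IPv4Address(network))
    wc = int(ipaddress.IPv4Address(wildcard))
    return (ip | wc) == (net | wc)


def ospf_enabled_interfaces(interfaces: dict, statements: list) -> dict:
    """Map each interface that matches a statement to the area it joins.

    interfaces: {name: ip}; statements: [(network, wildcard, area), ...].
    IOS evaluates the most specific statement first, so the list is kept in
    that order here and the first match wins.
    """
    enabled = {}
    for name, ip in interfaces.items():
        for network, wildcard, area in statements:
            if matches_network_statement(ip, network, wildcard):
                enabled[name] = area
                break
    return enabled


# Constructed sample: three interfaces and two network statements.
INTERFACES = {
    "Loopback0": "10.1.1.1",
    "FastEthernet0/0": "10.2.2.1",
    "Serial0/0/1": "192.168.1.102",
}
STATEMENTS = [
    ("10.1.1.1", "0.0.0.0", "1"),        # exactly one host address -> area 1 (constructed)
    ("10.0.0.0", "0.255.255.255", "0"),  # the Lab_A statement: the rest of 10/8 -> area 0
]


def lab_a_result() -> dict:
    """Which interfaces run OSPF, and in which area, for the sample above."""
    return ospf_enabled_interfaces(INTERFACES, STATEMENTS)


if __name__ == "__main__":
    print(wildcard_from_prefix(8), lab_a_result())
```

The serial interface is left out of OSPF because 192.168.1.102 does not match either statement.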
Router# show ip ospf
Router# show ip ospf neighbor [detail]
• EIGRP
– Hybrid
– DUAL
– Topology Database
– Rapid Convergence
– Reliable
Overview
Neighbor table
Topology table
Routing table
K1 – bandwidth
K2 – delay
K3 – load
K4 – reliability
K5 – MTU
Metric Calculation
The metrics used by EIGRP in making routing decisions are (the lower the metric, the better):
bandwidth
delay
load
reliability
MTU
Analogies:
Think of bandwidth as the width of the pipe
and
delay as the length of the pipe.
Router(config-router)#network network-number
Configure IP Address
sw1(config)#interface vlan 1
sw1(config-if)#ip address 10.0.0.1 255.0.0.0
sw1(config-if)#no shut
sw1(config-if)#exit
sw1(config)#ip default-gateway 10.0.0.254
VLANs
This limits the size of the broadcast domains and uses the router to
determine whether one VLAN can talk to another VLAN.
NOTE: This is the only way a switch can break up a broadcast domain!
VLAN Overview
• Segmentation
• Flexibility
• Security
Trunk links
Trunks can carry multiple VLANs: a single trunk link carries the traffic of several VLANs (VLAN 2 and VLAN 3 in the figure).
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 1002 1003
2 enet 100002 1500 - - - - - 0 0
51 enet 100051 1500 - - - - - 0 0
52 enet 100052 1500 - - - - - 0 0
…
sw#config t
sw(config)#int fastethernet 0/24
sw(config-if)#switchport trunk encapsulation dot1q
sw(config-if)#switchport mode trunk
[Figure: Frame Relay in the OSI model. Presentation, Session and Transport layers are unchanged; Network: IP/IPX/AppleTalk, etc.; Data Link: Frame Relay; Physical: EIA/TIA-232, EIA/TIA-449, V.35, X.21, EIA/TIA-530, with a CSU/DSU shown at the physical layer]
[Figure: HQ and Branch connected through a Frame Relay PVC; local access loops of 64 kbps and T1 are shown, with DLCI 400 on the HQ side and DLCI 500 on the Branch side]
HQ:
interface Serial1
ip address 10.16.0.1 255.255.255.0
encapsulation frame-relay
bandwidth 64
frame-relay lmi-type ansi
Branch:
interface Serial1
ip address 10.16.0.2 255.255.255.0
encapsulation frame-relay
bandwidth 64
Inverse ARP
• Enabled by default
• Does not appear in configuration output
Configuring a Static Frame Relay Map
[Figure: HQ (router p1r1, IP address 10.16.0.1/24, DLCI=110) and Branch (IP address 10.16.0.2/24, DLCI=100)]
interface Serial1
ip address 10.16.0.1 255.255.255.0
encapsulation frame-relay
bandwidth 64
frame-relay map ip 10.16.0.2 110 broadcast
LMI Statistics for interface Serial0 (Frame Relay DTE) LMI TYPE = CISCO
Invalid Unnumbered info 0 Invalid Prot Disc 0
Invalid dummy Call Ref 0 Invalid Msg Type 0
Invalid Status Message 0 Invalid Lock Shift 0
Invalid Information ID 0 Invalid Report IE Len 0
Invalid Report Request 0 Invalid Keep IE Len 0
Num Status Enq. Sent 113100 Num Status msgs Rcvd 113100
Num Update Status Rcvd 0 Num Status Timeouts 0
DLCI = 100, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0
Point-to-point subinterfaces:
interface Serial0
no ip address
encapsulation frame-relay
!
interface Serial0.2 point-to-point
ip address 10.17.0.1 255.255.255.0
bandwidth 64
frame-relay interface-dlci 110
!
interface Serial0.3 point-to-point
ip address 10.18.0.1 255.255.255.0
bandwidth 64
frame-relay interface-dlci 120
!
[Figure label: the remote end of Serial0.3 is 10.18.0.2]
Multipoint subinterface:
interface Serial2
no ip address
encapsulation frame-relay
!
interface Serial2.2 multipoint
ip address 10.17.0.1 255.255.255.0
bandwidth 64
frame-relay map ip 10.17.0.2 120 broadcast
frame-relay map ip 10.17.0.3 130 broadcast
frame-relay map ip 10.17.0.4 140 broadcast
[Figure label: RTR4 with s2.1=10.17.0.4/24]
• Delay is the sum of all the delays of the links along the paths:
Delay = [delay in tens of microseconds] x 256
• Bandwidth is the lowest bandwidth of the links along the paths:
Bandwidth = [10,000,000 / (bandwidth in kbps)] x 256
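The two formulas carried through in code, as an added example that is not part of the slides. It uses the default K values (K1=1, K3=1, K2=K4=K5=0, the weights printed by the show ip protocols output later in the deck) and integer arithmetic as IOS does. The sample path is constructed: its composition is an assumption, but it reproduces the metric 40514560 shown later for 172.17.0.0/16 behind a 64 kbps serial link.

```python
def eigrp_bandwidth_term(min_bandwidth_kbps: int) -> int:
    """[10,000,000 / (bandwidth in kbps)] x 256, with IOS's integer division."""
    return (10_000_000 // min_bandwidth_kbps) * 256


def eigrp_delay_term(total_delay_tens_usec: int) -> int:
    """[delay in tens of microseconds] x 256."""
    return total_delay_tens_usec * 256


def eigrp_metric(links: list) -> int:
    """Composite metric with the default K values (K1=1, K3=1, K2=K4=K5=0).

    links is a list of (bandwidth_kbps, delay_usec), one entry per hop.
    Bandwidth is the lowest value along the path; delay is the sum along it,
    converted to the tens-of-microseconds unit IOS uses.
    """
    min_bw = min(bw for bw, _ in links)
    total_delay_tens = sum(delay // 10 for _, delay in links)
    return eigrp_bandwidth_term(min_bw) + eigrp_delay_term(total_delay_tens)


def within_variance(candidate_metric: int, best_metric: int, variance: int) -> bool:
    """Metric test of the variance command: a route qualifies for unequal-cost
    load sharing when its metric is less than variance x the best metric.
    (EIGRP also requires the feasibility condition on the reported distance;
    that check is not modelled here.)"""
    return candidate_metric < variance * best_metric


# Constructed sample path (an assumption): a 64 kbps serial link with the IOS
# default serial delay of 20000 usec, followed by a FastEthernet segment
# (100000 kbps, 100 usec).  10,000,000 // 64 * 256 = 40,000,000 and
# (2000 + 10) * 256 = 514,560, which sums to the 40514560 seen in the deck.
SAMPLE_PATH = [(64, 20_000), (100_000, 100)]
T1_PATH = [(1544, 20_000)]  # a single T1 serial hop


def sample_metric() -> int:
    """Metric of SAMPLE_PATH: 40514560."""
    return eigrp_metric(SAMPLE_PATH)


if __name__ == "__main__":
    print(sample_metric(), eigrp_metric(T1_PATH))
```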
EIGRP Metrics Are Backward-Compatible with IGRP
Router(config-router)# network network-number [wildcard-mask]
<output omitted>
interface Serial0/0/1
bandwidth 64
ip address 192.168.1.102 255.255.255.224
<output omitted>
router eigrp 100
network 172.17.2.0 0.0.0.255
network 192.168.1.0
R1#show ip route
<output omitted>
Gateway of last resort is not set
D 172.17.0.0/16 [90/40514560] via 192.168.1.102, 00:06:55, Serial0/0/1
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
D 172.16.0.0/16 is a summary, 00:05:07, Null0
C 172.16.1.0/24 is directly connected, FastEthernet0/0
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.96/27 is directly connected, Serial0/0/1
D 192.168.1.0/24 is a summary, 00:05:07, Null0
Verifying EIGRP: show ip protocols
R1#show ip protocols
Routing Protocol is "eigrp 100"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Default networks flagged in outgoing updates
Default networks accepted from incoming updates
EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
EIGRP maximum hopcount 100
EIGRP maximum metric variance 1
Redistributing: eigrp 100
EIGRP NSF-aware route hold timer is 240s
<output omitted>
Maximum path: 4
Routing for Networks:
172.16.1.0/24
192.168.1.0
Routing Information Sources:
Gateway Distance Last Update
(this router) 90 00:09:38
Gateway Distance Last Update
192.168.1.102 90 00:09:40
Distance: internal 90 external 170
(config-if)# ip summary-address eigrp as-number address mask [admin-distance]
• Allows the router to include routes with a metric smaller than the
multiplier value times the minimum metric route to that destination
Point-to-point links
• Configure each virtual Circuit as point-to-point, specify bandwidth = 1/10 of link capacity
• Increase EIGRP utilization to 50% of actual VC capacity
EIGRP WAN Configuration: Hybrid Multipoint
Router(config-if)# ip authentication key-chain eigrp autonomous-system name-of-chain
Router(config-keychain-key)# send-lifetime start-time {infinite | end-time | duration seconds}
LAN links:
Neighbors form a full adjacency with the DR and BDR.
Routers maintain two-way state with the other routers
(DROTHERs).
Routing updates and topology information are passed
only between adjacent routers.
Once an adjacency is formed, LSDBs are synchronized
by exchanging LSAs.
LSAs are flooded reliably throughout the area (or
network).
OSPF Calculation
Routers find the best paths to destinations by applying
Dijkstra’s SPF algorithm to the link-state database as
follows:
Every router in an area has the identical
link-state database.
Each router in the area places itself into
the root of the tree that is built.
The best path is calculated with respect to the
lowest total cost of links to a specific destination.
Best routes are put into the forwarding database
(routing table).
SPF Calculation
Router(config-router)# network ip-address wildcard-mask area area-id
Router(config-if)# ip ospf process-id area area-id [secondaries none]
Router(config)#interface loopback 0
Router(config-if)#ip address 172.16.17.5 255.255.255.255
Router(config)#router ospf 1
Router(config-router)#router-id 172.16.1.1
Area 1
Number of interfaces in this area is 1
Area has no authentication
SPF algorithm last executed 00:00:54.636 ago
SPF algorithm executed 3 times
<output omitted>
Router# show ip route ospf [process-id]
Router# show ip ospf interface [type number]
• Displays the OSPF router ID, area ID, and adjacency information
Router C
interface Serial0/0/0
ip address 192.168.1.3 255.255.255.0
encapsulation frame-relay
ip ospf network point-to-multipoint
ip ospf priority 0
Single interface serial 0/0/0 has been logically separated into two subinterfaces: one point-to-point (S0/0/0.1) and one point-to-multipoint (S0/0/0.2).
Each subinterface requires a subnet.
OSPF defaults to point-to-point mode on point-to-point subinterfaces.
OSPF defaults to nonbroadcast mode on point-to-multipoint subinterfaces.
OSPF over NBMA Topology Summary
Columns: OSPF mode; NBMA topology; subnet address; hello timer; adjacency; RFC or Cisco.
Nonbroadcast (NBMA): full or partial mesh; same subnet; 30 sec; manual configuration, DR/BDR elected; RFC.
Point-to-multipoint nonbroadcast: partial-mesh or star; same subnet; 30 sec; manual configuration, no DR/BDR; Cisco.
Point-to-point: partial-mesh or star, using subinterfaces; different subnet for each subinterface; 10 sec; automatic, no DR/BDR; Cisco.
remoterouter#sh ip ospf
Routing Process "ospf 1000" with ID 10.2.2.2
Supports only single TOS(TOS0) routes
Supports opaque LSA
Supports Link-local Signaling (LLS)
Supports area transit capability
It is an area border router
<output omitted>
1 Router LSAs
2 Network LSAs
3 or 4 Summary LSAs
5 Autonomous system external LSAs
RouterA(config-if)# ip ospf cost interface-cost
• Sets the reference bandwidth to values other than 100 Mbps (legal values range from 1 to 4,294,967 in megabits per second).
RouterA(config-router)# area area-id default-cost cost
• This command defines the cost of a default route sent into the stub area.
• The default cost is 1.
• NSSA breaks stub area rules.
• ASBR (R1) is allowed in NSSA.
• ABR (R2) converts LSA type 7 to LSA type 5.
• Use this command instead of the area stub command to define the area as NSSA.
• The no-summary keyword creates an NSSA totally stubby area; this is a Cisco proprietary feature.
Router(config-if)# ip ospf authentication [message-digest | null]
Router(config-router)# area area-id authentication [message-digest]
<output omitted>
interface Serial0/0/1
ip address 192.168.1.102 255.255.255.224
ip ospf authentication
ip ospf authentication-key plainpas
<output omitted>
router ospf 10
log-adjacency-changes
network 10.2.2.2 0.0.0.0 area 0
network 192.168.1.0 0.0.0.255 area 0
R1#show ip route
<output omitted>
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
O 10.2.2.2/32 [110/782] via 192.168.1.102, 00:01:17, Serial0/0/1
C 10.1.1.0/24 is directly connected, Loopback0
192.168.1.0/27 is subnetted, 1 subnets
C 192.168.1.96 is directly connected, Serial0/0/1
R1#ping 10.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/29/32 ms
Router(config-if)# ip ospf authentication [message-digest | null]
Router(config-router)# area area-id authentication [message-digest]
<output omitted>
interface Serial0/0/1
ip address 192.168.1.102 255.255.255.224
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 secretpass
<output omitted>
router ospf 10
log-adjacency-changes
network 10.2.2.2 0.0.0.0 area 0
network 192.168.1.0 0.0.0.255 area 0
R1#show ip route
<output omitted>
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
O 10.2.2.2/32 [110/782] via 192.168.1.102, 00:00:37, Serial0/0/1
C 10.1.1.0/24 is directly connected, Loopback0
192.168.1.0/27 is subnetted, 1 subnets
C 192.168.1.96 is directly connected, Serial0/0/1
R1#ping 10.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
R2#
*Feb 17 18:50:43.046: OSPF: Rcv pkt from 192.168.1.101, Serial0/0/1 :
Mismatch Authentication type. Input packet specified type 1, we use type 0
R2#
*Feb 17 18:53:13.050: OSPF: Rcv pkt from 192.168.1.101, Serial0/0/1 :
Mismatch Authentication Key - Clear Text
R2#
*Feb 17 17:55:28.226: OSPF: Send with youngest Key 2
*Feb 17 17:55:28.286: OSPF: Rcv pkt from 192.168.1.101, Serial0/0/1 :
Mismatch Authentication Key - No message digest key 1 on interface
*Feb 17 17:55:38.226: OSPF: Send with youngest Key 2
<1-65535> Process ID
RtrA(config-router)# redistribute ospf 1 ?
• Routes matching either access list 23 or 29 are redistributed with an OSPF cost
of 500, external type 1.
• Routes permitted by access list 37 are not redistributed.
• All other routes are redistributed with an OSPF cost metric of 5000, external
type 2.
Router(config)# route-map redis-rip permit 10
Router(config-route-map)# match ip address 23 29
Router(config-route-map)# set metric 500
Router(config-route-map)# set metric-type type-1
Router(config)# access-list 23 permit 10.1.0.0 0.0.255.255
Router(config)# access-list 29 permit 172.16.1.0 0.0.0.255
Router(config)# access-list 37 permit 10.0.0.0 0.255.255.255
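As an added example (my own code, not the slide's configuration), a small model of how IOS walks this route-map when redistributing RIP into OSPF. The three ACLs and sequence 10 come from the listing above; the deny sequence for access-list 37 and the final catch-all permit with metric 5000 type-2, which the bullets describe but the listing does not show, are assumed here.

```python
import ipaddress


def wildcard_match(address: str, network: str, wildcard: str) -> bool:
    """ACL wildcard test: bits set in the wildcard are ignored, the rest must match."""
    ip, net, wc = (int(ipaddress.IPv4Address(x)) for x in (address, network, wildcard))
    return (ip | wc) == (net | wc)


# Standard ACLs from the slide as (network, wildcard) permit entries.
ACLS = {
    23: [("10.1.0.0", "0.0.255.255")],
    29: [("172.16.1.0", "0.0.0.255")],
    37: [("10.0.0.0", "0.255.255.255")],
}

# Route-map redis-rip.  Sequence 10 is the slide's; sequences 20 and 30 are
# assumed from the bullets (ACL 37 not redistributed, everything else 5000/type-2).
ROUTE_MAP = [
    # (sequence, action, ACLs of "match ip address" (any may match), set clauses)
    (10, "permit", [23, 29], {"metric": 500, "metric-type": "type-1"}),
    (20, "deny",   [37],     {}),
    (30, "permit", [],       {"metric": 5000, "metric-type": "type-2"}),  # no match clause = match all
]


def acl_permits(acl_number: int, prefix: str) -> bool:
    """A standard ACL used by match ip address is tested against the route's network."""
    return any(wildcard_match(prefix, net, wc) for net, wc in ACLS[acl_number])


def apply_route_map(prefix: str):
    """Walk the sequences in order; the first one whose match clause is satisfied
    decides.  Returns the set clauses for a permit, or None when the route is
    denied (explicitly, or by the implicit deny at the end of every route-map)."""
    for _seq, action, acls, settings in ROUTE_MAP:
        matched = not acls or any(acl_permits(a, prefix) for a in acls)
        if not matched:
            continue
        return dict(settings) if action == "permit" else None
    return None


def redistribute(prefixes: list) -> dict:
    """Outcome for each RIP prefix offered for redistribution into OSPF."""
    return {p: apply_route_map(p) for p in prefixes}


if __name__ == "__main__":
    # Constructed sample prefixes covering each branch of the policy.
    print(redistribute(["10.1.5.0", "172.16.1.0", "10.5.0.0", "192.168.10.0"]))
```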
Router(config-router)# distance eigrp internal-distance external-distance
• Used for EIGRP
Prefix-List Activation:
(config-router)#neighbor <ip-of-neighbor> prefix-list <name> <in/out>
Example 2
• Deny 172.16.0.0/24 from update containing 172.16.0.0/24,
172.16.0.0/20 & 172.16.0.0/16
(config)#ip prefix-list ccnp2 permit 172.16.0.0/16 le 20
(config)#ip prefix-list name deny 0.0.0.0/0 le 32
! To deny all routes !
[Figure: route-map evaluation flowchart. For an incoming packet, first ask whether there is a policy map. If so, test the match criteria of the statement: on a match, the result is "permit in the main line statement" or "deny in the main line statement" according to the statement's action; on no match, ask whether there are other statements and, if yes, continue with the next one]
Notification
When error is detected
BGP connection closed after message is sent
Router(config-router)# no neighbor {ip-address | peer-group-name} shutdown
• This command increases the default of one hop for EBGP peers.
• It allows routes to the EBGP loopback address (which will have a hop count greater than 1).
Router A advertises network 172.16.0.0 to router B in EBGP, with a next hop of 10.10.10.3. Router B advertises 172.16.0.0 in IBGP to router C, keeping 10.10.10.3 as the next-hop address.
BGP neighbor next-hop-self Command
Router(config-router)# neighbor {ip-address | peer-group-name} next-hop-self
Router(config-router)# neighbor ip-address peer-group peer-group-name
• The router looks for exactly 192.168.1.1/24 in the routing table, but
cannot find it, so it will not announce anything.
Router(config-router)# network 192.168.0.0 mask 255.255.0.0
9. RouterB(config-router)# no synchronization
• Displays networks that are not installed in the RIB and the reason that they were not installed
router# clear ip bgp [neighbor-address]
• This router stores all updates from this neighbor in case the inbound policy is changed.
• The command is memory-intensive.
Router# clear ip bgp {*|neighbor-address} soft in
A list of autonomous systems that a route has traversed: for example, on router B, the path to 192.168.1.0 is the AS sequence (65500, 64520).
The AS path attribute is well-known, mandatory.
Next-Hop Attribute
The IP address of the next AS to reach a given network: Router A advertises network 172.16.0.0 to router B in EBGP, with a next hop of 10.10.10.3. Router B advertises 172.16.0.0 in IBGP to router C, keeping 10.10.10.3 as the next-hop address.
The next-hop attribute is well-known, mandatory.
Origin Attribute
IGP (i): network command
EGP (e): redistributed from EGP
Incomplete (?): redistributed from IGP or static
The origin attribute informs all autonomous systems in the internetwork how the prefixes were introduced into BGP.
The origin attribute is well-known, mandatory.
Example: Origin Attribute
RouterA# show ip bgp
BGP table version is 14, local router ID is 172.31.11.1
Status codes: s suppressed, d damped, h history, * valid, > best, i -
internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 10.1.0.0/24 0.0.0.0 0 32768 i
* i 10.1.0.2 0 100 0 i
*> 10.1.1.0/24 0.0.0.0 0 32768 i
*>i10.1.2.0/24 10.1.0.2 0 100 0 i
*> 10.97.97.0/24 172.31.1.3 0 64998 64997 i
* 172.31.11.4 0 64999 64997 i
* i 172.31.11.4 0 100 0 64999 64997 i
*> 10.254.0.0/24 172.31.1.3 0 0 64998 i
* 172.31.11.4 0 64999 64998 i
* i 172.31.1.3 0 100 0 64998 i
r> 172.31.1.0/24 172.31.1.3 0 0 64998 i
r 172.31.11.4 0 64999 64998 i
r i 172.31.1.3 0 100 0 64998 i
*> 172.31.2.0/24 172.31.1.3 0 0 64998 i
<output omitted>
What is the best path for router C to 65003, 65004, and 65005?
• By default, BGP selects the shortest AS path as the best (>) path.
• In AS 65001, the percentage of traffic going to 172.24.0.0 is 30%, 172.30.0.0 is 20%, and 172.16.0.0 is 10%.
• 50% of all traffic will go to the next hop of 172.20.50.1 (AS 65005), and 10% of all traffic will go to the next hop
of 192.168.28.1 (AS 65002).
• Make traffic to 172.30.0.0 select the next hop of 192.168.28.1 to achieve load sharing where both external
links get approximately 30% of the load.
Route Map for Router A
Router A configuration
router bgp 65001
neighbor 2.2.2.2 remote-as 65001
neighbor 3.3.3.3 remote-as 65001
neighbor 2.2.2.2 update-source loopback0
neighbor 3.3.3.3 update-source loopback0
neighbor 192.168.28.1 remote-as 65002
neighbor 192.168.28.1 route-map local_pref in
!
access-list 65 permit 172.30.0.0 0.0.255.255
!
route-map local_pref permit 10
match ip address 65
set local-preference 400
!
route-map local_pref permit 20
Router C BGP Table with Local Preference Learned
RouterC# show ip bgp
BGP table version is 7, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
* i172.16.0.0 172.20.50.1 100 0 65005 65004 65003 i
*>i 192.168.28.1 100 0 65002 65003 i
*>i172.24.0.0 172.20.50.1 100 0 65005 i
* i 192.168.28.1 100 0 65002 65003 65004 65005 i
* i172.30.0.0 172.20.50.1 100 0 65005 65004 i
*>i 192.168.28.1 400 0 65002 65003 65004 i
• Best (>) paths for networks 172.16.0.0/16 and 172.24.0.0/16 have not changed.
• Best (>) path for network 172.30.0.0 has changed to a new next hop of 192.168.28.1 because the next
hop of 192.168.28.1 has a higher local preference, 400.
• In AS 65001, the percentage of traffic going to 172.24.0.0 is 30%, 172.30.0.0 is 20%, and 172.16.0.0 is
10%.
• 30% of all traffic will go to the next hop of 172.20.50.1 (AS 65005), and 30% of all traffic will go to
the next hop of 192.168.28.1 (AS 65002).
Changing BGP MED for All Routes
• MED is used when multiple paths exist between two autonomous
systems.
• A lower MED value is preferred.
• The default setting for Cisco is MED = 0.
• The metric is an optional, nontransitive attribute.
• Usually, MED is shared only between two autonomous
systems that have multiple EBGP connections with each other.
Router(config-router)# default-metric number
• Examine the networks that have been learned from AS 65001 on Router Z in AS 65004.
• For all networks: Weight is equal (0); local preference is equal (100); routes are not originated in
this AS; AS path is equal (65001); origin code is equal (i).
• 192.168.24.0 has a lower metric (MED) through 172.20.50.2 (100) than 192.168.28.2 (200).
• 192.168.25.0 has a lower metric (MED) through 192.168.28.2 (100) than 172.20.50.2 (200).
• 192.168.26.0 has a lower metric (MED) through 192.168.28.2 (100) than 172.20.50.2 (200).
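An added example (my own code, not from the deck) of the best-path steps these two slides rely on: weight, local preference, locally originated, AS path length, origin and MED, compared in that order. It rebuilds Router C's table from the slide above, with and without the local preference of 400 that Router A's route-map attaches to 172.30.0.0, and the Router Z comparison just described. The paths are constructed from the printed values; later tie-breakers (eBGP over iBGP, IGP cost, router ID) are omitted.

```python
from dataclasses import dataclass

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}   # IGP preferred over EGP over incomplete


@dataclass
class Path:
    next_hop: str
    as_path: tuple           # AS sequence as printed, e.g. (65005, 65004, 65003)
    weight: int = 0          # Cisco-local, higher is better
    local_pref: int = 100    # higher is better
    med: int = 0             # lower is better
    origin: str = "i"
    locally_originated: bool = False


def preference_key(p: Path) -> tuple:
    """Smaller tuple = better path; 'higher is better' attributes are negated."""
    return (-p.weight, -p.local_pref, 0 if p.locally_originated else 1,
            len(p.as_path), ORIGIN_RANK[p.origin], p.med)


def best_path(paths: list) -> Path:
    return min(paths, key=preference_key)   # first listed wins a full tie


def best_next_hops(table: dict) -> dict:
    """prefix -> next hop of the best (>) path."""
    return {prefix: best_path(paths).next_hop for prefix, paths in table.items()}


def router_c_table(local_pref_via_65002: int = 100) -> dict:
    """Router C's three prefixes.  Only 172.30.0.0 via 192.168.28.1 is matched by
    Router A's access-list 65, so only that path carries the new local preference."""
    via_65005 = "172.20.50.1"
    via_65002 = "192.168.28.1"
    return {
        "172.16.0.0/16": [Path(via_65005, (65005, 65004, 65003)),
                          Path(via_65002, (65002, 65003))],
        "172.24.0.0/16": [Path(via_65005, (65005,)),
                          Path(via_65002, (65002, 65003, 65004, 65005))],
        "172.30.0.0/16": [Path(via_65005, (65005, 65004)),
                          Path(via_65002, (65002, 65003, 65004),
                               local_pref=local_pref_via_65002)],
    }


# Router Z in AS 65004: same weight, local preference, AS path and origin, so
# MED decides (constructed from the values in the bullets above).
ROUTER_Z_TABLE = {
    "192.168.24.0/24": [Path("172.20.50.2", (65001,), med=100),
                        Path("192.168.28.2", (65001,), med=200)],
    "192.168.25.0/24": [Path("172.20.50.2", (65001,), med=200),
                        Path("192.168.28.2", (65001,), med=100)],
    "192.168.26.0/24": [Path("172.20.50.2", (65001,), med=200),
                        Path("192.168.28.2", (65001,), med=100)],
}


if __name__ == "__main__":
    print(best_next_hops(router_c_table()))
    print(best_next_hops(router_c_table(400)))
    print(best_next_hops(ROUTER_Z_TABLE))
```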
BGP in an Enterprise
IPv4
32 bits or 4 bytes long
≈ 4,200,000,000 possible addressable nodes
IPv6
128 bits or 16 bytes: four times the bits of IPv4
≈ 3.4 * 10^38 possible addressable nodes
= 340,282,366,920,938,463,374,607,432,768,211,456
≈ 5 * 10^28 addresses per person
Larger Address Space Enables
Address Aggregation
Examples:
2031:0000:130F:0000:0000:09C0:876A:130B
2031:0:130f::9c0:876a:130b
2031::130f::9c0:876a:130b—incorrect
FF01:0:0:0:0:0:0:1 FF01::1
0:0:0:0:0:0:0:1 ::1
0:0:0:0:0:0:0:0 ::
IPv6 Address Types
IPv6 uses:
Unicast
Address is for a single interface.
IPv6 has several types (for example, global and IPv4 mapped).
Multicast
One-to-many
Enables more efficient use of the network
Uses a larger address range
Anycast
One-to-nearest (allocated from unicast address space).
Multiple devices share the same address.
All anycast nodes should provide uniform service.
Source devices send packets to anycast address.
Routers decide on closest device to reach that destination.
Suitable for load balancing and content delivery services.
IPv6 has same address format for global unicast and for anycast.
Uses a global routing prefix—a structure that enables aggregation upward,
eventually to the ISP.
A single interface may be assigned multiple addresses of any type (unicast,
anycast, multicast).
Every IPv6-enabled interface must contain at least one loopback (::1/128)
and one link-local address.
Optionally, every interface can have multiple unique local and global
addresses.
Anycast address is a global unicast address assigned to a set of interfaces
(typically on different nodes).
IPv6 anycast is used for a network multihomed to several ISPs that have
multiple connections to each other.
Link-local addresses have a scope limited to the link and are dynamically
created on all IPv6 interfaces by using a specific link-local prefix FE80::/10
and a 64-bit interface identifier.
Link-local addresses are used for automatic address configuration,
neighbor discovery, and router discovery. Link-local addresses are also
used by many routing protocols.
Link-local addresses can serve as a way to connect devices on the same
local network without needing global addresses.
When communicating with a link-local address, you must specify the
outgoing interface because every interface is connected to FE80::/10.
EUI-64 to IPv6 Interface Identifier
IP Address
IP subnet mask (prefix length)
Default router IP address
DNS IP address(es)
Stateful DHCP (DHCPv6)
[Figure: DHCPv6 exchange between host and server: Solicit, Reply, Request]
Similar to DHCP for IPv4:
Host sends a (multicast) packet searching for the DHCP server.
DHCP server replies.
DHCP client sends a message asking for a lease of an IP address, and the server replies, listing an IPv6 address, prefix length, default router, and DNS IP addresses.
DHCPv4 and DHCPv6 actually differ in detail, but the basic process remains the same.
Stateless Autoconfiguration
IP Address
IP subnet mask (prefix length)
Default router IP address
DNS IP address(es)
request another node's link layer address and also for functions such
as duplicate address detection and neighbor unreachability detection.
RA (Router Advertisement)
- Address, prefix, link MTU
RS (Router Solicitation)
- Need RA from Router
EUI-64 example: MAC address 0034:5678:9ABC becomes the interface identifier 0234:56FF:FE78:9ABC.
IPv6 has four major options for IPv6 global unicast address
assignment.
Stateful DHCP
Stateless autoconfig
Static configuration (without EUI-64)
May also use Stateless DHCP
NS (Neighbor Solicitation)
- Request another node's link layer address
NA (Neighbor Advertisement)
- Sent in response to NS
Like IPv4, IPv6 devices need to determine the data link layer address used by
devices on the same link.
IPv4 uses Address Resolution Protocol (ARP) on LANs
NDP (Network Discovery Protocol), using ICMPv6
Neighbor Solicitation (NS)
Neighbor Advertisement (NA)
Neighbor Discovery (like IPv4 ARP)
[Figure: resolving the MAC address of a host whose IPv6 address is 2340:1111:AAAA:1:213:19FF:FE7B:5004/64. NS (Neighbor Solicitation): "I know your IPv6 address (2340:1111:AAAA:1:213:19FF:FE7B:5004), what is your MAC address?" Dest Add: FF02::1:FF:0/104 + 7B:5004, i.e. the solicited-node prefix followed by the last 24 bits of the IPv6 address to which the message is being sent. Source Add: 2340:1111:AAAA:1:213:19FF:FE7B:5004. NA (Neighbor Advertisement) reply: Dest Add: host's IPv6 address; MAC Add: 0013:197B:5004]
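An added example, not from the slides, that implements the address rules the IPv6 part of the deck states: the shorthand notation (leading zeros dropped, one "::" for a run of zero groups, and why 2031::130f::9c0:876a:130b is invalid), the EUI-64 interface identifier (0034:5678:9ABC to 0234:56FF:FE78:9ABC), the FE80::/10 link-local address built from it, and the solicited-node multicast destination of a Neighbor Solicitation. The address values are the ones printed on the slides.

```python
import ipaddress


def expand_ipv6(text: str) -> str:
    """Undo the shorthand: restore leading zeros and the zero groups behind '::'.

    '::' may appear only once; a second one makes the number of omitted
    groups ambiguous, which is why 2031::130f::9c0:876a:130b is incorrect.
    """
    if text.count("::") > 1:
        raise ValueError(f"{text}: '::' may appear only once")
    if "::" in text:
        head, tail = text.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError(f"{text}: '::' must stand for at least one zero group")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = text.split(":")
    if len(groups) != 8 or not all(1 <= len(g) <= 4 for g in groups):
        raise ValueError(f"{text}: expected eight groups of 1-4 hex digits")
    return ":".join(f"{int(g, 16):04x}" for g in groups)


def is_valid_ipv6(text: str) -> bool:
    try:
        expand_ipv6(text)
        return True
    except ValueError:
        return False


def compress_ipv6(text: str) -> str:
    """Canonical short form (lowercase, longest run of zero groups as '::')."""
    return ipaddress.IPv6Address(expand_ipv6(text)).compressed


def eui64_interface_id(mac: str) -> str:
    """Modified EUI-64: split the 48-bit MAC, insert FFFE in the middle and flip
    the universal/local bit (bit 7 of the first octet)."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"{mac}: expected a 48-bit MAC address")
    octets = bytearray.fromhex(digits)
    octets[0] ^= 0x02
    eui = (octets[:3] + b"\xff\xfe" + octets[3:]).hex().upper()
    return ":".join(eui[i:i + 4] for i in range(0, 16, 4))


def link_local_from_mac(mac: str) -> str:
    """Link-local address: the FE80::/10 prefix plus the 64-bit EUI-64 identifier."""
    return compress_ipv6("FE80::" + eui64_interface_id(mac))


def solicited_node_multicast(addr: str) -> str:
    """FF02::1:FF00:0/104 plus the last 24 bits of the target address, the
    destination a Neighbor Solicitation for that address is sent to."""
    low24 = int(ipaddress.IPv6Address(expand_ipv6(addr))) & 0xFFFFFF
    return str(ipaddress.IPv6Address((0xFF02 << 112) | (0x1FF << 24) | low24))


if __name__ == "__main__":
    print(compress_ipv6("2031:0000:130F:0000:0000:09C0:876A:130B"))
    print(is_valid_ipv6("2031::130f::9c0:876a:130b"))
    print(eui64_interface_id("0034:5678:9ABC"), link_local_from_mac("0034:5678:9ABC"))
    print(solicited_node_multicast("2340:1111:AAAA:1:213:19FF:FE7B:5004"))
```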
6to4
Is an automatic tunnel method
Gives a prefix to the attached IPv6 network
[Figure: algorithm key lengths. Encryption: 56 bits (DES); 56 bits, 3 times (3DES); 128, 192 or 256 bits (AES). Integrity: 128 bits (MD5); 160 bits (SHA). Key exchange: Diffie-Hellman, DH7 shown]
[Figure: Site 1 (host 10.0.1.3 behind R1, S0/0/0 172.30.1.2) and Site 2 (host 10.0.2.3 behind R2, S0/0/0 172.30.2.2) across the Internet. IKE policy sets: Policy 10 (DES, MD5, pre-share, DH1, lifetime), Policy 15 (DES, MD5, pre-share, DH1, lifetime), Policy 20 (3DES, SHA, pre-share, DH1, lifetime). Tunnel policy 110: DES, MD5, preshare, lifetime 86400, DH1]
router(config)# crypto isakmp policy priority
Defines the parameters within the IKE policy
R1(config)# crypto isakmp policy 110
R1(config–isakmp)# authentication pre-share
R1(config–isakmp)# encryption des
R1(config–isakmp)# group 1
R1(config–isakmp)# hash md5
R1(config–isakmp)# lifetime 86400
Policy Negotiations
R1 attempts to establish a VPN tunnel with R2 and sends its IKE policy parameters.
[Figure: Site 1 (10.0.1.0/24, host 10.0.1.3) behind R1 and Site 2 (10.0.2.0/24, host 10.0.2.3) behind R2 across the Internet; tunnel policy 110: preshare, 3DES, SHA, DH2, lifetime 43200]
R2 must have an ISAKMP policy configured with the same parameters.
R1(config)# crypto isakmp policy 110
R1(config–isakmp)# authentication pre-share
R1(config–isakmp)# encryption 3des
R1(config–isakmp)# group 2
R1(config–isakmp)# hash sha
R1(config–isakmp)# lifetime 43200
R2(config)# crypto isakmp policy 100
R2(config–isakmp)# authentication pre-share
R2(config–isakmp)# encryption 3des
R2(config–isakmp)# group 2
R2(config–isakmp)# hash sha
R2(config–isakmp)# lifetime 43200
Parameters of crypto isakmp key:
keystring: This parameter specifies the PSK. Use any combination of alphanumeric characters up to 128 bytes. This PSK must be identical on both peers.
peer-address: This parameter specifies the IP address of the remote peer.
hostname: This parameter specifies the hostname of the remote peer. This is the peer hostname concatenated with its domain name (for example, myhost.domain.com).
[Figure: Site 1 and Site 2 connected across the Internet]
R1(config)# crypto isakmp policy 110
R1(config–isakmp)# authentication pre-share
R1(config–isakmp)# encryption 3des
R1(config–isakmp)# group 2
R1(config–isakmp)# hash sha
R1(config–isakmp)# lifetime 43200
R1(config-isakmp)# exit
R1(config)# crypto isakmp key cisco123 address 172.30.2.2
R1(config)#
R2(config)# crypto isakmp policy 110
R2(config–isakmp)# authentication pre-share
R2(config–isakmp)# encryption 3des
R2(config–isakmp)# group 2
R2(config–isakmp)# hash sha
R2(config–isakmp)# lifetime 43200
R2(config-isakmp)# exit
R2(config)# crypto isakmp key cisco123 address 172.30.1.2
R2(config)#
Note:
• The keystring cisco123 matches.
• The address identity method is specified.
• The ISAKMP policies are compatible.
• Default values do not have to be configured.
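An added example (my own code, not from the slides) of the phase 1 policy matching the last two slides describe: the initiator offers its crypto isakmp policy entries lowest priority number first, and the responder accepts the first offer whose authentication, encryption, hash and DH group equal one of its own policies. Priority numbers do not have to match (110 against 100 on the Policy Negotiations slide); lifetime does not have to match either, the shorter value being used. The constructed mismatch case ends in the "atts are not acceptable / no offers accepted" state shown in the debug output later in the deck. IOS's built-in default policies are not modelled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int          # crypto isakmp policy <priority>; lower is tried first
    authentication: str    # pre-share, rsa-sig, ...
    encryption: str        # des, 3des, aes
    hash: str              # md5, sha
    group: int             # Diffie-Hellman group
    lifetime: int = 86400  # seconds, the IOS default


def attributes(p: IsakmpPolicy) -> tuple:
    """The four attributes that must be identical on both peers."""
    return (p.authentication, p.encryption, p.hash, p.group)


def negotiate(initiator: list, responder: list):
    """Return (initiator_policy, responder_policy, agreed_lifetime), or None when
    no offer is acceptable.  Both sides are walked in priority order."""
    for offer in sorted(initiator, key=lambda p: p.priority):
        for local in sorted(responder, key=lambda p: p.priority):
            if attributes(offer) == attributes(local):
                return offer, local, min(offer.lifetime, local.lifetime)
    return None


def negotiation_result(initiator: list, responder: list):
    """Compact form for checking: (initiator priority, responder priority, lifetime)."""
    result = negotiate(initiator, responder)
    if result is None:
        return None
    offer, local, lifetime = result
    return (offer.priority, local.priority, lifetime)


# The two configurations from the Policy Negotiations slide: different
# priorities, identical attributes.
R1_POLICIES = [IsakmpPolicy(110, "pre-share", "3des", "sha", 2, 43200)]
R2_POLICIES = [IsakmpPolicy(100, "pre-share", "3des", "sha", 2, 43200)]

# Constructed mismatch: a responder that only has the DES/MD5/DH1 policy 15 from
# the earlier policy-set figure, offered an initiator that requires 3DES/SHA/DH2.
R2_LEGACY = [IsakmpPolicy(15, "pre-share", "des", "md5", 1)]

# Initiator with two policies, as in the policy-set figure (10 and 20); only the
# second one matches R2_POLICIES, so it is the one selected.
R1_TWO_POLICIES = [IsakmpPolicy(10, "pre-share", "des", "md5", 1),
                   IsakmpPolicy(20, "pre-share", "3des", "sha", 2)]


if __name__ == "__main__":
    print(negotiation_result(R1_POLICIES, R2_POLICIES))     # (110, 100, 43200)
    print(negotiation_result(R1_POLICIES, R2_LEGACY))       # None: SA not acceptable
    print(negotiation_result(R1_TWO_POLICIES, R2_POLICIES))  # (20, 100, 43200)
```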
Task 3
Configure the Transform Set
Command parameters:
transform-set-name: This parameter specifies the name of the transform set to create (or modify).
transform1, transform2, transform3: Type of transform set. You may specify up to four "transforms": one Authentication Header (AH), one Encapsulating Security Payload (ESP) encryption, one ESP authentication. These transforms define the IP Security (IPSec) security protocols and algorithms.
Note:
• Peers must share the same transform set settings.
• Names are only locally significant.
R2(config)# crypto isakmp key cisco123 address 172.30.1.2
R2(config)# crypto ipsec transform-set OTHERSET esp-aes 128
R2(cfg-crypto-trans)# exit
router(config)# access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log]
protocol: This option specifies which traffic to protect by cryptography based on the protocol, such as TCP, UDP, or ICMP. If the protocol is IP, then all IP traffic that matches that permit statement is encrypted.
source and destination: If the ACL statement is a permit statement, these are the networks, subnets, or hosts between which traffic should be protected. If the ACL statement is a deny statement, then the traffic between the specified source and destination is sent in plaintext.
Symmetric Crypto ACLs
[Figure: Site 1 (10.0.1.0/24, host 10.0.1.3) behind R1 (S0/0/0 172.30.1.2) and Site 2 (10.0.2.0/24, host 10.0.2.3) behind R2 (S0/0/0 172.30.2.2) across the Internet; a third router R3 (S0/0/0 172.30.3.2) reached through S0/1; crypto map name MYMAP]
1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0
1d00h: ISAKMP (0:1); no offers accepted!
1d00h: ISAKMP (0:1): SA not acceptable!
1d00h: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main Mode failed with peer at 172.30.2.2
interface Tunnel 0
tunnel key 1
The tunnel address is the IP address defined on the tunnel interface.
The Non-Broadcast Multiple Access (NBMA) address is the IP address used as tunnel source (or destination).
In the previous figure, the tunnel interface for Router A is 10.1.1.1, and the NBMA address is 1.1.1.1.
Packet Forwarding
Tunnel is defined
Static NHRP entry to hub is present
NHRP entry is marked for multicast
So the spoke never waits…
[Figure: a spectrum from IP through MPLS + IP to ATM]
• MPLS + IP form a middle ground that combines the best of IP and the best of circuit switching technologies.
• ATM and Frame Relay cannot easily come to the middle so IP has !!
What is MPLS?
•Forwarding component
Uses label information carried in a packet and label
binding information maintained by a router to forward
the packet
•Control component
Responsible for establishment and maintenance of
correct label binding information among routers
[Figure: an LSP carrying two flows, IP1 and IP2; at successive hops the packets carry labels #L1, #L2 and #L3, and both flows follow the same path]
Packets are destined for different address prefixes, but can be mapped to a common path.
• FEC = "A subset of packets that are all treated the same way by a router"
• The concept of FECs provides for a great deal of flexibility and scalability
• In conventional routing, a packet is assigned to a FEC at each hop (i.e. an L3 lookup); in MPLS it is done only once, at the network ingress.
* LSP = Label Switched Path, LSR = Label Switching Router, LER = Label Edge Router
MPLS BUILT ON STANDARD IP
Figure: three LSRs, each with its ordinary IP routing table (Dest 47.1 -> Out 1, 47.2 -> Out 2, 47.3 -> Out 3) built by the IGP. An IP packet for 47.1.1.1 enters the network; a label request for prefix 47.1 is sent downstream along the existing IP route and a label mapping is returned upstream. The resulting label-table entry at one LSR reads: Intf In 3, Dest 47.1, Intf Out 1, Label Out 0.50; Mapping: 0.40. Labels are therefore bound to the same prefixes the IP routing table already holds.
• Border router: Provider Edge router interfacing to other provider networks
• Extended Community: BGP attribute used to identify a Route-origin (SOO) or a Route-target
• Site of Origin Identifier (SOO): 64 bits identifying the site from which the route was originated (used to stop a route being re-advertised back into its own site)
• Route-Target (RT): 64 bits identifying which VRFs, and therefore which PE routers, should import the route
• Route Distinguisher (RD): 64-bit value prepended to each route to uniquely identify prefixes among VPNs; it is VRF based (not VPN based)
• VPN-IPv4 address: the 64-bit Route Distinguisher followed by the 32-bit IPv4 address (96 bits in total)
Figure: iBGP (MP-BGP) session between the PE routers carrying VPN-IPv4 routes
Question: How will the PE routers forward the VPN packets across the
MPLS VPN backbone?
Answer #1: The PE routers will label the VPN packets with an LDP label for the
egress PE router and forward the labeled packets across the MPLS
backbone.
Results:
• The P routers perform the label switching, and the packet reaches the
egress PE router.
• However, the egress PE router does not know which VRF to use for packet
switching, so the packet is dropped.
• How about using a label stack?
VPN Packet Forwarding Across an
MPLS VPN Backbone (Cont.)
Question: How will the PE routers forward the VPN packets across the
MPLS VPN backbone?
Answer #2: The PE routers will label the VPN packets with a label stack, using the LDP
label for the egress PE router as the top label, and the VPN label assigned
by the egress PE router as the second label in the stack.
Result:
• The P routers perform label switching, and the packet reaches the egress PE router.
• The egress PE router performs a lookup on the VPN label and forwards the packet
toward the CE router.
VPN Penultimate Hop Popping
Question: How will the ingress PE router get the second label in the
label stack from the egress PE router?
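A PE configuration tying together the MPLS material above (label distribution by LDP in the core, the RD/RT terminology, and the two-label stack), added here as an example; it is not part of the original slides. The answer to the question just asked is that the egress PE advertises the VPN label together with the VPN-IPv4 prefix in the MP-BGP update, so the ingress PE learns it from the VPNv4 session below. AS number 65000, the CUST-A VRF, RD and RT values, all addresses, interface names and the LDP/BGP passwords are assumptions. LDP and BGP sessions are authenticated, since an unauthenticated LDP or BGP neighbour can inject labels or VPN routes into the core.

```cisco
! Added example (not from the slides). PE1 of AS 65000: LDP towards the core
! with neighbour authentication, one VRF (CUST-A) and the MP-BGP session that
! carries the VPN label. Names, addresses, AS numbers and keys are assumed.
!
! --- Control component: LDP binds labels to the IGP prefixes in the core ---
mpls label protocol ldp
mpls ldp router-id Loopback0 force
! refuse LDP sessions that are not MD5-authenticated
mpls ldp password required
! P router's LDP router-id (assumed) and its session password
mpls ldp neighbor 10.255.0.9 password LdpK3y
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
interface GigabitEthernet0/0
 description core link to P1
 ip address 10.0.1.1 255.255.255.252
 mpls ip
!
router ospf 1
 network 10.0.1.0 0.0.0.3 area 0
 network 10.255.0.1 0.0.0.0 area 0
!
! --- VRF: the RD makes the customer prefix unique as a VPN-IPv4 address,
!     the RTs (extended communities) decide which VRFs import it ---
vrf definition CUST-A
 rd 65000:10
 address-family ipv4
  route-target export 65000:10
  route-target import 65000:10
 exit-address-family
!
interface GigabitEthernet0/1
 description to CE-A
 vrf forwarding CUST-A
 ip address 192.168.1.1 255.255.255.252
!
! --- MP-BGP: VPNv4 session to PE2 (10.255.0.2); the VPN label travels with
!     the VPNv4 prefix, which is how the ingress PE obtains the second label ---
router bgp 65000
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 10.255.0.2 remote-as 65000
 neighbor 10.255.0.2 update-source Loopback0
 neighbor 10.255.0.2 password MpBgpK3y
 address-family vpnv4
  neighbor 10.255.0.2 activate
  neighbor 10.255.0.2 send-community extended
 exit-address-family
 ! PE-CE eBGP inside the VRF, authenticated as well
 address-family ipv4 vrf CUST-A
  neighbor 192.168.1.2 remote-as 65001
  neighbor 192.168.1.2 activate
  neighbor 192.168.1.2 password CeBgpK3y
  redistribute connected
 exit-address-family
```

show mpls ldp bindings lists the LDP labels bound to the core prefixes (the top label of the stack), show bgp vpnv4 unicast all labels shows the VPN labels received from and advertised to PE2 (the second label), and show mpls forwarding-table shows how the P-facing LFIB is built from both. show ip route vrf CUST-A confirms that the customer prefixes land in the right VRF.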
Figure: R1, a firewall and R2 connecting LAN 1 and LAN 3 across the Internet; the administrator is attached directly to the console port of R1.
Commands to establish a login password on the console line
Password Security
To increase the security of passwords, use additional configuration parameters:
• Minimum password lengths should be enforced
• Unattended connections should be disabled (idle sessions time out)
• All passwords in the configuration file should be encrypted, and user passwords should be stored as hashes rather than as reversible "encrypted" passwords
username name secret {0 password | 5 encrypted-secret}
Parameter          Description
name               Specifies the username.
0                  (Optional) Indicates that the plaintext password which follows is to be hashed by the router using MD5.
password           The plaintext password to be hashed using MD5.
5                  Indicates that the encrypted-secret which follows is already an MD5 hash.
encrypted-secret   The MD5 hash (a "type 5" secret) stored in the configuration as the user's password.
Note: a type 5 secret is a salted MD5 hash, not reversible encryption, so the router can only verify a password against it. The legacy type 7 "encryption" applied by service password-encryption is trivially reversible and protects only against reading the password off a screen.
SSH version 1, 2
Configuring Router SSH Commands / Connecting to Router
R1(config)#
*Dec 13 16:19:12.079: %SSH-5-ENABLED: SSH 1.99 has been enabled
R1(config)# username Bob secret cisco
R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# transport input ssh
R1(config-line)# exit
3. Verify or create a local database entry
4. Enable VTY inbound SSH sessions
"SSH 1.99" in the message means the server accepts both SSHv1 and SSHv2 clients; SSHv1 has known protocol weaknesses, so the server should be restricted to version 2 only.
Syslog
Figure: R3 is the syslog client (e0/0 10.2.1.1; e0/1 10.2.2.1 on the DMZ LAN 10.2.2.0/24; e0/2 10.2.3.1); the syslog server is 10.2.3.2.
4. Enable logging
Using NTP
Uses: timekeeping, so that log timestamps are consistent across devices
Features/Functions
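The logging and time configuration for R3 from the syslog figure, added here as an example (not from the slides). The syslog server 10.2.3.2 and the interface addresses are taken from the figure; the NTP server address 10.2.3.3, the NTP key and the severity levels are assumptions. NTP is authenticated because a router that accepts time from anyone can have its clock skewed, which breaks certificate validity checks and makes log timelines useless.

```cisco
! Added example (not from the slides): R3 sends its log to 10.2.3.2 and takes
! time from an authenticated NTP server. The NTP server address (10.2.3.3)
! and the key are assumptions.
!
! Millisecond time-stamps and sequence numbers make cross-device log
! correlation possible and reveal dropped messages.
service timestamps log datetime msec localtime show-timezone
service timestamps debug datetime msec localtime show-timezone
service sequence-numbers
clock timezone UTC 0
!
! Local buffer plus remote syslog; the console only sees critical messages.
logging buffered 65536 informational
logging console critical
logging trap informational
logging origin-id hostname
! e0/2 (10.2.3.1) faces the syslog server, so source the messages from it
logging source-interface Ethernet0/2
logging host 10.2.3.2
!
! NTP with MD5-authenticated server association
ntp authenticate
ntp authentication-key 1 md5 NtpK3ySecret
ntp trusted-key 1
ntp server 10.2.3.3 key 1 prefer
! only 10.2.3.3 may exchange time with this router; everything else is dropped
access-list 20 permit host 10.2.3.3
ntp access-group peer 20
```

show logging confirms that trap logging to 10.2.3.2 is enabled and shows the message counters; show ntp status should report "Clock is synchronized" and show ntp associations should mark the server with "*" and the authenticated flag. Syslog over UDP is itself unauthenticated and unencrypted, so the path from 10.2.3.1 to the server should be a trusted management network.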
Figure (AAA): a remote user on the Internet attempts to log in with Username: Admin, Password: cisco12 and is rejected ("% Login invalid").
Accounting: "What did you spend it on?"
Local AAA authentication:
R1# conf t
R1(config)# username JR-ADMIN secret Str0ngPa55w0rd
R1(config)# username ADMIN secret Str0ng5rPa55w0rd
R1(config)# aaa new-model
R1(config)# aaa authentication login default local-case enable
R1(config)# aaa authentication login TELNET-LOGIN local-case
R1(config)# line vty 0 4
R1(config-line)# login authentication TELNET-LOGIN
local-case makes the username check case sensitive. In a method list the next method is tried only when the previous one returns an error (for example an empty local database), not when the password is simply wrong, so the enable fallback in the default list does not open a second guessing path against existing users.
Server-Based Authentication
Figure: a remote user authenticates through R1 against a Cisco Secure ACS Solution Engine using TACACS+.
1. The user establishes a connection with the router.
2. The router prompts the user for a username and password.
3. The router passes the username and password to the Cisco Secure ACS (server or engine).
4. The Cisco Secure ACS authenticates the user. The user is authorized to access the router (administrative access) or the network based on information found in the Cisco Secure ACS database.
R1(config)# aaa authentication login default group tacacs+ group radius local-case
Methods are tried in order: the TACACS+ servers first, the RADIUS servers if no TACACS+ server answers, and the case-sensitive local database only if neither server group is reachable.
Router Management Through HTTP/HTTPS
Cisco routers can be managed through HTTP/HTTPS. To enable it on a Cisco router:
!R1
ip http server
ip http secure-server
ip http authentication local
username CCNP privilege 15 password cisco
Also make sure there is network connectivity between the router and the PC.
Note that ip http server accepts plaintext HTTP, so the credentials and the management session cross the network unprotected, and a privilege-15 user defined with password (rather than secret) is stored reversibly; in anything but a lab, enable HTTPS only and use secret.
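A management-plane baseline for R1 that combines the console, password, SSH, AAA and HTTP settings discussed in the preceding slides, added here as an example and not taken from the slides. The domain name, the management subnet in access list MGMT, the TACACS+/RADIUS server addresses and keys, and all secrets are assumptions; algorithm-type scrypt requires IOS 15.3(3)M or later (use secret alone on older releases, which stores a type 5 MD5 hash).

```cisco
! Added example (not from the slides): management-plane hardening of R1.
! Domain name, addresses, server keys and the MGMT access list are assumed.
hostname R1
ip domain-name example.lab
!
! --- Password policy ---
security passwords min-length 12
! type 7 obfuscation for anything that still has to be stored as a password
service password-encryption
! local users and enable secret stored as scrypt (type 9) hashes, not type 5
username ADMIN privilege 15 algorithm-type scrypt secret Str0ng5rPa55w0rd
username JR-ADMIN privilege 1 algorithm-type scrypt secret Str0ngPa55w0rd
enable algorithm-type scrypt secret En4bleS3cret
!
! --- Brute-force protection: 5 failures within 60 s blocks logins for 120 s;
!     only hosts in MGMT may still connect during the quiet period ---
ip access-list standard MGMT
 permit 10.0.0.0 0.0.0.255
login block-for 120 attempts 5 within 60
login quiet-mode access-class MGMT
login on-failure log
login on-success log
!
! --- AAA: TACACS+ first, RADIUS second, local only when both are unreachable ---
aaa new-model
tacacs server ACS1
 address ipv4 10.0.0.10
 key TacacsK3y
radius server RAD1
 address ipv4 10.0.0.11 auth-port 1812 acct-port 1813
 key RadiusK3y
aaa authentication login default group tacacs+ group radius local-case
aaa authentication login CONSOLE local-case
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! --- SSH: 2048-bit host key, version 2 only ("SSH 1.99" means v1 is accepted) ---
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! --- Lines: console uses the local database, VTYs accept SSH only from
!     management hosts, unattended sessions are disconnected ---
line console 0
 login authentication CONSOLE
 exec-timeout 5 0
 logging synchronous
line vty 0 4
 login authentication default
 access-class MGMT in
 exec-timeout 10 0
 transport input ssh
!
! --- Web management: HTTPS only, AAA authentication, restricted to MGMT hosts ---
no ip http server
ip http secure-server
ip http authentication aaa
access-list 10 permit 10.0.0.0 0.0.0.255
ip http access-class 10
```

show ip ssh should report "SSH Enabled - version 2.0" rather than 1.99, show login shows whether quiet mode is active and the failure counters, and show running-config should contain only "secret 9" hashes for users and the enable secret. The console list deliberately does not depend on the servers so that the router stays administrable if the AAA infrastructure is down.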
Simple Network Management Protocol (SNMP) and NetFlow are the two main technologies used to gather statistics from Cisco switches and routers. Each has a different focus.
SNMP's focus is primarily on the collection of various statistics from network devices.
Statistics can be viewed through the CLI or a Graphical User Interface (GUI). However, if you want to collect and analyze these statistics over time, you can take advantage of SNMP: a management station polls the device and the device returns the requested data.
SNMP Configuration
!R1
snmp-server community cisco ro
snmp-server enable traps                 (optional)
snmp-server host 10.0.0.2 cisco          (optional: send traps to the NMS at 10.0.0.2 using community cisco)
In SNMPv1/v2c the community string is the only credential and it travels in cleartext, so even a read-only community such as cisco discloses the device's full configuration state to anyone who can sniff or guess it. Restrict it with an access list, use a non-default string, or use SNMPv3 with authentication and privacy.
The collector is configured with, and verifies, the source IP address of the incoming NetFlow packets.
It is therefore important that the NetFlow packets are always sourced from the same router interface.
Using a loopback interface as the source interface for NetFlow ensures that the packets are always sourced from the same address, regardless of the physical interface used to transmit the NetFlow packets to the collector.
After the router starts caching and accounting flow information locally in its memory, you can display the NetFlow cache content with the show ip cache flow command.
It shows the active flows that are sending packets through the router.
In contrast to SNMP, NetFlow uses a "push"-based model.
Routers send NetFlow records to the collector as flows expire from the flow cache (inactive or active timeout, TCP FIN/RST, or a full cache), not in response to a poll.
The collector simply listens for NetFlow traffic.
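The SNMP and NetFlow configuration a practitioner would deploy instead of the community-string example above, added here as an example and not taken from the slides. The NMS address 10.0.0.2 comes from the SNMP slide; the NetFlow collector 10.2.3.2 and port 9996, the Loopback0 address, the interface names, the SNMPv3 user and its passwords are assumptions. It replaces the v2c community with an SNMPv3 authPriv user limited to the NMS, and sources NetFlow export from a loopback so the collector's source-address check always matches.

```cisco
! Added example (not from the slides): SNMPv3 authPriv read-only access
! restricted to the NMS, and NetFlow v9 export sourced from Loopback0.
! Collector/NMS addresses, interface names and credentials are assumed.
ip access-list standard NMS
 permit host 10.0.0.2
!
! --- SNMP: remove the cleartext v2c community and use a v3 user with SHA
!     authentication and AES-128 privacy, polled only from the NMS ---
no snmp-server community cisco
snmp-server view RO-VIEW iso included
snmp-server group NMS-RO v3 priv read RO-VIEW access NMS
snmp-server user nms-poller NMS-RO v3 auth sha AuthPassw0rd12 priv aes 128 PrivPassw0rd12 access NMS
snmp-server enable traps snmp authentication linkdown linkup coldstart
snmp-server enable traps config
snmp-server source-interface traps Loopback0
snmp-server host 10.0.0.2 version 3 priv nms-poller
!
! --- NetFlow: account flows entering the customer-facing interface and push
!     v9 records to the collector from a stable source address ---
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
interface GigabitEthernet0/1
 ip flow ingress
!
ip flow-export version 9
ip flow-export source Loopback0
ip flow-export destination 10.2.3.2 9996
! long-lived flows are exported every minute; idle flows after 15 seconds
ip flow-cache timeout active 1
ip flow-cache timeout inactive 15
```

show snmp user confirms the v3 user and its auth/priv algorithms (the passwords themselves are never shown), show ip flow export shows the export version, source address and destination, and show ip cache flow lists the active flows; the collector should now see every record arriving from 10.255.0.1 whichever physical interface carried it. NetFlow export is unauthenticated UDP, so the collector should sit on the management network rather than be reachable from the traffic it is measuring.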