Advanced Routing Reference Manual Ver. 0.9

Reference Manual ver. 1.
0 (2012-14)
Created by Paul Nadstoga (pnadstoga@gmali.com)
Contents
EIGRP
OSPF
CONTROLLING ROUTING UPDATES
BGP
BRANCH OFFICE
IPv6
APPENDIXES
1
27
81
117
150
167
203
EIGRP
EIGRP Basics
EIGRP Packets
EIGRP Stuck In Active
EIGRP Timers
EIGRP Metric
EIGRP Tables
EIGRP Over NBMA
EIGRP Configurations
EIGRP Verification and Tshooting
EIGRP BASICS
TYPE
ALGORITHM
INTERNAL AD
EXTERNAL AD
SUMMARY AD
STANDARD
PROTOCOLS
TRANSPORT
AUTHENTICATION
MULTICAST IP
Distance
Vector
DUAL
90
170
Cisco
IP
IPX
AppleTalk
RTP:IP:88
MD5
224.0.0.10
TIMERS
HELLO: 5 / 60
HOLD: 15 / 180
The following conditions have to be met for two routers to form a neighbor relationship:
Autonomous System values match

source IP address of a received HELLO is in the same subnet as the primary IP address configured on the receiving interface (subnet mask does not need to be identical)
K values match
authentication key IDs + key strings match (if authentication is configured)
ADVANCED ROUTING ver. 1.0 CREATED BY PAWEL PAUL N=DSTOGA (PNADSTOGA@GMAIL.COM) 2012-14
EIGRP PACKETS
PACKET
HELLO
OVERVIEW
COMMENTS
initially used to discover and verify neighbors

later used to maintain the relationship (keep-alive mechanism)
sent at interval specified by the HELLO timer
multicasted on 224.0.0.10
unreliable (delivery not acknowledged by the recipient)
used to exchange routing information

initially sent when forming a relationship and then only to affected routers
unicasted to a specific router
multicasted to a group of routers
reliable (delivery acknowledged by the recipient)
UPDATE
Contains:
QUERY
prefix / prefix length

metric components (bandwidth, delay, reliability, load)
non-metric components (MTU, hop count)
sent when a specific information is required from one / all of its neighbors
normally sent as multicast but can be retransmitted as unicast in certain cases
if all outstanding QUERIES are not replied within the ACTIVE timer, the neighbor that failed to
reply is removed from the neighbor table
Also used when a router loses its successor and cant find a feasible
successor for a route - in such case DUAL places the router in active
state and start sending multicasts in search for a successor.
used to respond to a QUERY

Always sent as unicast to specifically inform the originator it does

not need to go into active state because it an alternative route is
available.
REPLY
ACK
sent to acknowledge UPDATE, QUERY and REPLY

unicast HELLO packets and contain a nonzero ack. number
also known as graceful shutdown

send to notify the neighbors when a router is shutting down the EIGRP process or removes a
network statement that included the neighbors in the EIGRP process (e.g. no network 10.0.0.0)
GOODBYE
sent as multicast initially and when one ACK received from a

specific router the UPDATE is resent as an unicast
also sent when a topology change is detected - in such case
the router sends a multicast UPDATE to all its neighbors
UPDATE sent on an interface does not contain routes that
were learnt through the same interface because of the split
horizon rule
the default HELLO timer depends on the interface bandwidth

neighbors learn each others timers through the HELLO
packets and use that information to forge a relationship
more than one HELLO packets may be needed to convey all
routing information to a new neighbor
Sent as a HELLO packet with all K values set to 255.
EIGRP STUCK-IN-ACTIVE
a situation that may take place when the successor is lost and a FS does not exist
when the successor to a network is lost, QUERIES are sent to all the neighbors asking for an alternative route (note: the inactive link is not queried)
if REPLIES are not received, the route is put into an ACTIVE state
by default, the router will wait 180 sec. to receive replies to queries sent any adjacency that hasnt replied by then will be reset
EIGRP TIMERS
TIMER
OVERVIEW
COMMENTS
Works independently in each direction neighbors dont need to use the same
HELLO timer values
specifies the time interval at which the HELLO packets are retransmitted
To adjust:
HELLO
<Router(config-if)#ip hello-interval eigrp (AS) (5 | 60, 1-65535 sec.)>

To verify:
<Router#show ip eigrp interfaces detail>
specifies the time interval during which a router will consider a neighbor alive without receiving a HELLO from that neighbor
by default equals to 3 x HELLO timer
To adjust:
HOLD
<Router(config-if)#ip hold-timer eigrp (15 | 180, 1-65535 sec.)>

To verify:
ACTIVE

<Router#show ip eigrp neighbors>
specifies the time interval the router waits after sending a QUERY before declaring the route stuck in active (SIA) and
resetting the neighbor relationship
To adjust:
changing the HELLO timer does not

automatically adjust the HOLD timer
the HOLD timer is sent to the
neighbor in the HELLO packet i.e. a
router does not use locally
configured timer value be the value it
receives from the neighbor in the
HELLO packet
the IOS does not prevent the user
from setting the HOLD timer to a
value lesser than HELLO!
increasing the timer might be useful
when troubleshooting EIGRP
timers active-time disabled - disables
time limit for active states
<Router(config-router)#timers active-time (180, 1-65535 min.)>

<Router(config-router)#timers active-time disabled>
DEFAULT TIMER VALUES
BANDWITDH
EXAMPLE LINK
DEFAULT HELLO TIMER
DEFAULT HOLD TIMER
< 1.544 Mbps
Multipoint Frame Relay
60 sec.
180 sec.
> 1.544 Mbps
T1, Ethernet
5 sec.
15 sec.
ACTIVE
180 sec.
EIGRP METRIC
FULL (ALL K VALUES USED)
( +
+ )

+
DEFAULT (ONLY K1 + K3 USED AND ARE EQUAL TO 1)
( + )
bw = 107 / minimum bandwidth in kbps (if the result is not a whole number the value is rounded down)
delay = sum of delays of outgoing interfaces in secs / 10
256 = multiplier used for compatibility with IGRP (EIGRP uses 32 bit metric while IGRP uses 24)
METRIC COMPONENTS
COMPONENT
OVERVIEW
BANDWIDTH
COMMENTS
Default values for:
the bandwidth of the interface

static value
To modify:
ethernet: 100000 Kbit/sec

serial:
1544 Kbit/sec
<Router(config-if)#bandwidth (1-10000000 kbit.)>
DELAY
Default value for:
measure of time it takes for a packet to traverse a route

static value
To modify:
To view total delay for a route:
<Router(config-if)#delay (1-16777215 usec.)>
LOAD
RELIABILITY
a measure of probability that the link will fail i.e. how often the link has experienced errors
calculated on a 5 min. basis
MTU
not used anywhere in the metric calculation but sent for prefixes
K VALUES
show ip eigrp topology A.A.A.A/MM
amount of traffic utilizing the link

dynamic value (0-255)
calculated on a 5 min. basis
1/255 minimally loaded link

255/255 fully saturated link
1/255 least reliable link

255/255 fully reliable link
identical K values are one of the conditions for two

routers to become an EIGRP neighbor
TOS was never implemented so the value has to be
always set to 0
Defaults:
ethernet: 100 usec

serial:
20000 usec
K1=1, K2=0, K3=1, K4=0, K5=0
To modify:
<Router(config)# router eigrp (1-65535)>
<Router(config-router)#metric weights (tos 0-8) (k1 0-255) (k2 0-255) (k3 0-255) (k4 0-255) (k5 0-255)>
TSHOOT
show interface (interface)

show ip protocols
EXAMPLE: DEFAULT METRIC CALCULATION
From R3 to 172.30.0.0 /24 through s1/1
From R3 to 172.30.0.0 /24 through fa0/0
( + )
,,
,+
( (
) + (
)
( + )
,,
+,+
( (
) + (
)
(6476.6839 = 6476)
256 * (1 *
256 * (6476 + 2500)
256 * 8976
2297856
+1*
(2500)
(6476.6839 = 6476)
256 * (1 *
256 * (6476 + 2510)
256 * 8986
2300416
+ 1 * (2510)
*Not a Feasible Successor since AD equals (needs to be less) than Feasible Distance of the
current Successor (via s1/1 - 172.1.34.1)
EIGRP TABLES
TABLE
NEIGHBOR TABLE
To view the table content:
OVERVIEW
COMMENTS
list of directly connected routers running EIGRP with which adjacencies are formed
<R1#show ip eigrp neighbors>
H (handle) - an IOS internally used number to track a

neighbor by recording the order in which the neighbours
were learnt
Address - neighbors L3 address
Interface - local interface on which the neighbor can be
reached
Hold (hold time) - maximum time in seconds that the router
waits to hear from the neighbor before considering the link
down (any EIGRP packet received after the first HELLO from
that neighbor resets the timer)
Uptime - time that has elapsed since the neighbor was added
to the table
SRTT (smoothed round-trip time) - the average number of
milliseconds it takes for an EIGRP packet to be sent to this
neighbor and for the local router to receive an ACK for that
packet - this timer determines the RTO
RTO (retransmission timeout) - the number of milliseconds
that the router waits for an ACK before retransmitting a
reliable packet from the retransmission quote to the
neighbor. If an UPDATE, QUERY or REPLY packet is sent, a
copy of packet is queued. If the RTO expires before an ACK is
received, another copy of the queued packet is sent
Q Cnt (queue count) - number of packets waiting in the queue
to be sent out (if constantly higher than 0 a congestion
problem may exist)
Seq Num - sequence number of the last UPDATE, QUERY or
REPLY packet that was received from the neighbor (used to
detect out-of-order packets)
TOPOLOGY TABLE
list of all routers learnt from each EIGRP neighbor

<Router#show ip eigrp topology (active | all-links | detail-links)>
the table is updated when a directly connected router /

interface changes or a neighbor reports a route change
active - shows only active entries

all-links - shows all links in topology table
detail-links - more detailed version of the above
P(Passive) - correct state for a stable network (network is

available and installation can occur in the routing table
A(Active) - network is currently unavailable, and installation
cannot occur in the routing table (there are outstanding
queries for this network). A route will be put into Active state
when the current Successor is down and Feasible Successors
are not available
U(Update) - network is being updated (placed in an UPDATE
packet); also applies if the router is waiting for an ACK for this
UPDATE
Q(Query) - outstanding query packet for this network (also
applies if the router is waiting for an ACK for a QUERY)
R(Reply status) - router is generating a REPLY for this
network or is waiting for an ACK for the REPLY
S(Stuck-in-active status) - indicates EIGRP convergence
problem for the network with which it is associated
successor - next-hop router with lowest cost and loop free
path (successors end up in the routing table)
Feasible Successor - a backup router with loop-free path (to
become one a router has to meet the Feasible Condition)
Feasible Condition - AD of Feasible Successor must be less
than the FD of the current Successor
AD (Advertised Distance) - cost between the next-hop router
and the destination
FD (Feasible Distance) - cost from a local router to the
destination
10
ROUTING TABLE
list of all best routes from EIGRP topology table and other routing processes
the best route to a destination (successor) is chosen by comparing all FDs to that
destination and selecting the route with the lowest FD - which becomes the routers
metric shown in the table
[90/156160] - EIGRPs Administrative Distance (believability)

[90/156160] - the cost to reach the network (Feasible Distance)
<Router#show ip route eigrp>
11
EIGRP OVER NBMA

THINGS TO KEEP IN MIND:
by default multicasts and broadcasts are denied on NBMA networks which requires special consideration for protocols such as EIGRP that rely on multicasts to establish and maintain
neighbor relationships
in point-to-multipoint topologies, split horizon enabled on the hub may prevent updates from being propagated across all network
pseudo broadcast must be enabled on the frame-relay interface OR EIGRP neighbors need to be statically configured if the pseudo broadcast cannot be used or is not supported
EXAMPLE:
12
CONFIGURATIONS
CONFIGURE FR INTERFACES
--->
COMMENTS
R1(config)#interface s1/0
R1(config-if)#encapsulation frame-relay
R1(config-if)#ip address 172.16.124.1 255.255.255.0
R1(config-if)#no frame-relay inverse-arp
R1(config-if)#no arp frame-relay
R1(config-if)#bandwidth 128
R1(config-if)#ip bandwidth percent eigrp 1 40
By default EIGRP uses 50% of the bandwidth specified with the

bandwidth command on a frame relay enabled interface.
ip bandwidth-percent defines how much percentage of the

interface bandwidth can be utilized the EIGPR
(*has to be configured on a per (sub)interface basis)
(** for multipoint interfaces the router further divides the
bandwidth according to the number of neighbours out that
interface)
STATICALLY ADD FR MAPS
--->
R1(config-if)#frame-relay map ip 172.16.124.2 102 broadcast

broadcast (aka. pseudo broadcast) emulated broadcast acts as broadcast but the packets are sent as unicast
messages

To confirm:
Router#show frame-relay map
ENABLE EIGRP
--->
R1(config)#router eigrp 1
R1(config-router)#no auto-summary
R1(config-router)#network 10.0.0.0
13
SUMMARISE UPDATES
--->
R1(config)#ip summary-address eigrp 1 10.1.0.0 255.255.0.0
DISABLE SPLIT-HORIZON
--->
R1(config-if)#no ip split-horizon eigrp 1
At this stage routes from R2 are not being propagated to R3 and

vice versa because split horizon will prevent R1 to advertise the
10.2.0.0/16 network via the same interface it was received on.
Disabling split horizon will generate on the local end:
*Oct 18 21:20:12.041: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor
172.16.124.3 (Serial1/0) is resync: split horizon changed
*ENABLE EIGRP NON-BROADCAST MODE --->
R1(config-router)#neighbor 172.16.124.2 s1/0

May be used as first solution or when the Frame Relay cloud does
not support pseudo broadcast. Changes the EIGRP packets
propagation mechanism from multicast to unicast.

(*the exit interface still has to be advertised with the network

command)
(** the mechanism change will only affect the interface via which
the routers communicated the EIGRP neighbor)
(*** both ends have to use the same mode)
Changing the mode will generate the following on the local end:
*Oct 18 21:39:23.961: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor
172.16.124.2 (Serial1/0) is down: Static peer configured
14
EIGRP CONFIGURATIONS
ACTIVATION
STEP #
COMMANDS
<Router(config)#router eigrp (Autonomous System; 1-65535)>
START EIGRP PROCESS
AUTOMATIC
SUMMARIZATION
<Router#show ip eigrp topology>
Mainly used in external routes as a loop prevention mechanism

external routes are tagged with the RID and in case the advertising
router receives them back with its own RID they are dropped.
Unique for each AS.
1.
2.
3.
<Router#show ip protocols>
To add all networks:

<Router(config-router)#network 0.0.0.0 255.255.255.255>
To add individual networks:
<Router(config-router)#network (IP address)(wildcard)
OR
ADD NETWORKS
auto-summary when enabled, EIGRP automatically

summarize network updates to their classful boundaries
<Router(config-router)#no auto-summary>
To verify:
HARDCODE ROUTER ID
AS allows to start separate EIGRP processes on the same router

(the value has to be the same for all the routers within the same
processes).
<Router(config-router)#auto-summary>
<Router(config-router)#eigrp router-id (A.A.A.A)>
COMMENTS
<Router(config-router)#network (IP address)(mask)

OR
<Router(config-router)#network (IP address)
To manually add a neighbor:
use the configured value: eigrp router-id

use the highest IPv4 address on an UP|UP loopback
use the highest IPv4 address on an UP|UP non-loopback
auto-summary - enables automatic network summarization
on major network boundaries (enabled by default - it is
recommended to switch the command off and to do it before
adding networks - otherwise the EIGRP will have to reconverge disturbing the network operation)
network - specifies the range of addresses on which the
interfaces start sending / receiving HELLOs and advertise the
network the interface belongs to
network (IP address)(mask) - the mask will be converted into
and displayed as wildcard in the running configuration
network (IP address) - the IP address entered will be treated
as classful and the whole classful range will be included in the
EIGRP process
<Router(config-router)#neighbor A.A.A.A>
15
<Router(config-router)#passive-interface (default | (interface))>
To verify:
PASSIVE INTERFACES
passive-interface - no HELLOs are sent on the interface

(hence no relationship can be formed) but the network is still
advertised
passive-interface default - sets all interfaces as passive
A passive interface is still part of the EIGRP process and the

network advertised but no HELLOs are sent to that interface.
PROPAGATE DEFAULT
GATEWAY
<Router(config)#ip route 0.0.0.0 0.0.0.0 (IP address | exit interface)>
<Router(config-router)#network 0.0.0.0>
network 0.0.0.0 - can also be used to include any static route

in the updates
ip default-network - sets and redistributes given network as
default (has to be classful and has to be reachable by the
router)
16
TUNING
FEATURE
COMMANDS
COMMENTS
Globally:
<Router(config-router)#distance eigrp (internal (1-255)) (external (1-255))>
ADJUST AD
distance (AD 0-255) - returns Incomplete command

distance (AD 0-255) 0.0.0.0 255.255.255.255 - assigns AD = 0
ip bandwidth-percent - maximum bandwidth % EIGRP may

use on the interface
Per routes:
<Router(config-router)#distance (AD 1-255) (source A.A.A.A W.W.W.W) (*1-99 | 13001999 | ACL name)>
ADJUST K VALUES
TIMERS
<Router(config-router)#metric weights (tos; 0-8) (k1; 0-255) (k2; 0-255) (k3; 0-255) (k4;
0-255) (k5 0-255)>
<Router(config-if)#ip hello-interval eigrp (AS) (1-65535 sec)>

o
HELLO
To verify:
<Router(config-if)#ip hold-timer eigrp (1-65535 sec)>
HOLD
To verify:
<Router#show ip eigrp neighbors>
ACTIVE
BANDWIDTH LIMIT
<Router(config-router)#timers active-time (1-65535 min)>

<Router(config-router)#timers active-time disabled>
<Router(config-if)#ip bandwidth-percent eigrp (AS) (1-999999)>
<Router(config-if)#ip split-horizon eigrp>
SPLIT-HORIZON
To verify:
<Router#show ip eigrp interface detail>
17
Equal load balancing:
Load balancing is the ability to forward traffic over all its network
ports that are the same metric from the destination address.
<Router(config-router)#maximum-paths (1-32)>
When a packet is process-switched, equal load balancing occurs on

a per-packet basis. When packets are packet-switched, load
balancing occurs on a per-destination basis.
Unequal load balancing:

<Router(config-router)#variance (1-128)>
To verify:
LOAD BALANCING
maximum-paths - installs routes with a metric equal to the

minimum metric in the routing table (the default is 4; set to
1 to disable load balancing)
variance - a multiplier that is applied to a successors metric any path with a metric that fits within the range can be
unequal balanced over (default is 1 meaning only equal load
balancing is enabled)
The command affects which routes end up in the routing
table but does not affect the routes roles i.e. successor,
feasible successor etc.
<Router(config-router)#eigrp stub (connected) (static) (summary)>
<Router(config-router)#eigrp stub (receive-only)>

To verify local settings:
STUB ROUTING
<Router#show ip protocols
To verify neighbors settings:
<Router#show ip eigrp neighbors detail>
eigrp stub - configures the spoke router as a stub and

prevents the hub router from sending queries under any
condition (the stub sends a notification packet to all its
neighbours to report its status as a stub and all queries
issued by stubs are answered by the hubs on their behalf)
receive-only - prevents the stub from sending any type of
routes
connected - permits stub to send connected routes (if the
network command does not include a given network it needs
to be redistributed using the redistribute connected
command)
static - permits stub to send static routes (static routes must
be redistributed!)
summary - permits stub to send summary routes
The stub router still receives all routing updates from its
neighbours. Only the outgoing packets undergo control.
18
<Router(config-if)#ip summary-address eigrp (AS) A.A.A.A M.M.M.M>
MANUAL
SUMMARIZATION
the AS specifies that summarization will only be sent out to

neighbors in within that AS
while summarizing it has to be remembered that routes will
always prefer more specific routes
the summary route will use a metric equal to the lowest
metric of a subordinate route
advertising a summary will take down and bring up all
neighbor relationships established via that interface
summarization should be avoided if the priority is for the
routes to always take the shortest paths
The following will be generated on the local end:

*Oct 18 21:03:05.482: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1:
Neighbor 172.16.124.1 (Serial1/0) is resync: summary configured
The following will be generated on the far end:
*Oct 18 21:03:15.810: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1:
Neighbor 172.16.124.2 (Serial1/0) is resync: peer graceful-restart
19
AUTHENTICATION
STEP #
COMMANDS
COMMENTS
<Router(config)#key chain (key chain name)>

<Router(config-keychain)#key (key id; 0-2147483647)>
<Router(config-keychain-key)#key string (authentication string)>
*<Router(config-keychaing-key)#accept-lifetime (hh:mm:ss) (1-31) (month) (year) infinite |
duration (1-2147483646) | (hh:mm:ss) (1-31) (month) (year)
DEFINE KEYS
NOTE: the key numbers and key strings have to match on

both ends - otherwise authentication will fail!
*<Router(config-keychaing-key)#send-lifetime (hh:mm:ss) (1-31) (month) (year) infinite |

duration (1-2147483646) | (hh:mm:ss) (1-31) (month) (year)
To verify:
<Router#show key chain>
<Router#debug eigrp packet>
<Router(config)#interface (interface)>
<Router(config-if)#ip authentication mode eigrp (AS) md5>

<Router(config-if)#ip authentication key-chain eigrp (AS) (key chain name)>
To verify:
<Router#debug eigrp packet>
ACTIVATE
AUTHENTICATION
key chain - enters the sub-configuration mode for key chain

key - enters the sub-configuration mode for a given key
key string - defines the password for a given key (by default
the key is stored in plain form in the running configuration unless the service password-encryption is enabled)
accept-lifetime - specifies the period of time during which the

key is accepted; the key can be accepted always (infinite),
within a given time limit in sec. (duration) or during given
period (default start time and the earliest acceptable date is 1
Jan 1993)
send-lifetime - same as above but with regards to the time a
key can be used for encryption
ip authentication mode - enables md5 authentication for
EIGRP packets sent on that interface (entering this command
only on one side will tear the relationship down authentication mode changed)
ip authentication key-chain - specifies the keys to be used for
EIGRP packets encryption (entering this command only on
one side will NOT tear the relationship down)
The authentication feature does encrypts packets but rather

prevents the router from accepting non-authenticated EIGRP
packets and therefore from forming relationship with nonauthenticated routers.
Sending EIGRP messages: use the lowest key number among all
currently valid keys.
Receiving EIGRP messages: check the MD5 digest using ALL
currently valid keys.
20
REDISTRIBUTION
To set a default-metric (NOTE: this command does not affect the metric of directly connected networks)
<Router(config-router)#default-metric (bandwidth kb; 1-4294967295) (delay 10-microsec; 0-255) (reliability; 0-255) (load; 0-255) (MTU; 1-65535)>
ROUTING PROTOCOLS
PULL ROUTES FROM:
RIP
COMMANDS
COMMENTS
<Router(config)#router eigrp (AS)>
<Router(config-router)#redistribute rip (*metric (bandwidth) (delay) (reliability) ( load) (MTU) (*route-map

(route map name))>

<Router(config-router)#redistribute ospf (process ID 1-65535) (*match (external (1-2)) (*internal) (*nssaexternal) (*metric (bandwidth) (delay) (reliability) ( load) (MTU) (*route-map (route map name))>
Example:
OSPF
default-metric - overridden by the

redistribute metric command
metric - redistribute router with the specified
metric (by default it is set to infinite
(unreachable) for all redistributed protocols
except for EIGRP with different AS - in such
case the it takes the metric from the source
of the routing information)
match internal - redistribute the OSPF
internal routes
match external - redistribute OSPF external
Type 1/2 routes
match nssa-external - redistribute OSPF NSSA
external routes
route-map - applies a route map to
redistributed routes
EIGRP was designed to automatically redistribute

IGRP route from the same AS.
Good practice to make redistributed routes appear
as links e.g. 100Mb:
#default-metric 100000 10 255 1 1500
BGP
<Router(config-router)#redistribute bgp (AS #) (*metric (bandwidth) (delay) (reliability) (load) (MTU) (*routemap (route map name))>
21
DIRECTLY CONNECTED NETWORKS

COMMANDS
COMMENTS
<Router(config-router)#redistribute connected (*metric (bandwidth) (delay) (reliability) (load) (MTU) (*route-map (route map name))>
STATIC ROUTES
COMMANDS
COMMENTS
<Router(config-router)#redistribute static (*metric (bandwidth) (delay) (reliability) (load) (MTU) (*route-map (route map name))>
22
EIGRP VERIFICATION AND TSHOOTING
show ip eigrp neighbors

show ip eigrp topology (all-links)
show ip eigrp interface
show ip eigrp interface detail
show ip eigrp traffic
show ip route eigrp
show ip protocols
debug ip eigrp neighbors
debug ip eigrp packet
clear ip eigrp neighbors
COMMAND
VERIFIES / DISPLAYS
EXAMPLE
EIGRP neighbors for a given process

neighbors IP addresses
the local interface the neighbors are reachable through
HOLD timers
how long the adjacency have been active
detailed information about neighbors
show ip eigrp neighbors detail
23
EIGRP router-id
successors, feasible distances, feasible successors, advertised distances
networks states
interfaces participating in a given EIGRP process

number of peers on a given interfaces
does not display information about passive-interfaces
detailed information about interfaces enabled for EIGRP

does not include passive interfaces
show ip eigrp topology
show ip eigrp interfaces
show ip eigrp interface detail
24
Displays EIGRP traffic statistics
show ip route eigrp
Displays routing tables entry learnt via EIGRP
25
Displays IP routing protocol process parameters and statistics
show ip protocols
debug ip eigrp neighbors
Displays events associated with EIGRP neighbors
debug ip eigrp packet
Displays events associated with EIGRP packets
Purges EIGRP neighbor table
26
OSPF
OSPF Basics
OSPF Routers
OSPF Packets
OSPF Tables
OSPF Metric
OSPF Areas
OSPF Virtual Links
OSPF Timers
OSPF Routers ID
OSPF Link ID
OSPF DR / BDR
OSPF Adjacencies States
OSPF Networks
OSPF Over NMBA
OSPF Configurations
OSPF Verification and Tshooting
OSPF BASICS
TYPE
ALGORITHM
AD
Link State
Dijkstra
110
STANDARD
PROTOCOLS
TRANSPORT
IP
IP:89
RFC 2328
RFC 2740
AUTHENTICATION
plain text
MD5
DROHTERS
DR/BDR
224.0.0.5
224.0.0.6
TIMERS
10/40
30/120
The following conditions have to be met for two routers to form a neighbor relationship:
Area ID match on both ends

stub flag match (on/off)
route-IDs are unique
primary IP addresses of the routers must be on the same subnet
hello timer match on both ends
hold timer match on both ends
authentication modes and passwords match (if authentication is configured)
ADVANCED ROUTING ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14
28
OSPF ROUTERS
To view a router type:
show ip protocols
ROUTER
INTERNAL
BACKBONE
ABR
OVERVIEW
COMMENTS
routers that have all their interfaces in the same area and have identical LSDBs
routers that sit on the perimeter of the backbone area and have at least one interface connected to
Area 0
maintain OSPF routing information using the same algorithms and rules as the internal routers
Area Border Router

routers that have interfaces attached to multiple areas
maintain separate LSDBs for each area they are connected to
serve as exit points for the area (routing information destined to another area can get there only via
the ABR of the local area)
Autonomous System Border Router

routers that have at least one interface attached to an external internetwork (another AS) e.g. a
non-OSPF network
capable of importing non-OSPF network information to the OSPF network and vice-versa (route
redistribution)
ASBR
to identify itself as an ABR, the router sends Type 1 LSA

with a border bit (b bit) set
ABR containing a NSSA area will also become an ASBR
CISCO recommends no more than 2 areas per ABR (in
addition to Area 0)
to identify itself as an ASBR, the router sends Type 1
LSA with an external bit (e bit) set
any form of redistribution enabled on a router will mark
it as an ASBR (it doesnt even have to be working i.e.
redistributing RIP when its not activated)
29
OSPF PACKETS
all OSPF packet types are encapsulated directly into an IP payload

a protocol ID of 89 defines all OSPF packets
PACKET
OVERVIEW
COMMENTS
Sent to:
sent to discover neighbors and form adjacencies with them
DROTHER - 224.0.0.5
DR/BDR - 224.0.0.6
HELLO
DBD
LSR
Link-State Request
requests specific link-state records from a router
LSU
Link-State Update
sends specifically requested link-state records
all LSUs are acknowledged
LSAck
Link-State Acknowledgement
send to acknowledge the receipt of the other packets
LSA
Link-State Advertisement
11 types
all have 20-byte headers
the LSA includes a link ID field that identifies (by network number and mask) the object that this link
connects to
sequence number
each router link is defined as an LSA type
Database Description
contains LSA headers only and describes the content of the entire link-state database
each DBD has a sequence number which can be incremented only by the master (which in turn is
explicitly acknowledged by the slave)
Exchanged during EXTSTART + EXCHANGE adjacency

establishment phases.
Each LSA has their own age timer and waits 30 min before
requiring an update.
Sequence numbers if the seq. in the update is:
same as local ignore the update

higher than local accept and propagate
lower than local ignore the update, send back local
30
LSAs
advertised by every router in the area

flooded within its area only (does not cross ABR)
includes list of directly attached links
contains (O) intra-area routes

each link is identified by IP prefix assigned
to link and link type
advertised by the DR
generated for every transit broadcast and NBMA network within the area (intra-area)
flooded to all routers within the transit network area (does not cross ABR)
lists each of the attached routers that make up the transit network (including the DR itself +
subnet mask used on the link)
contains (O) intra-area routes

the link-state ID for a network LSA is the IP
address of the advertising DR interface
advertised by the ABR

used to flood network information outside the originating area (inter-area)
describes network number and subnet mask of the link
flooded throughout a single area only but are regenerated by ABRs to flood into other areas
contains (IA) intra-area routes

it is advised to perform manual
summarization at the ABR (by default Type
3 LSA is advertised into the backbone area
for every subnet defined in the originating
area)
TYPE 4: Summary LSA
advertised by the ABR (but only when ASBR exist within an area)
used to advertise an ASBR to all other routers in the AS (router ID and route to it)
flooded throughout a single area only but are regenerated by ABRs to flood into other areas
TYPE 5: External LSA
advertised by the originating ASBR

used to advertise networks from outside the OSPF AS
flooded to the entire AS
advertising router ID (ABSR) remains unchanged throughout the AS
contains (E1/E2) external routes

Type 4 LSA is needed to find the ASBR
TYPE 6: Group Summary
NOT SUPPORTED BY CISCO ROUTERS
TYPE 7: NSSA External Link LSA
originated by the ASBR within NSSAs

flooded only within the NSSA in which they originated
contains (E1/E2) external routes

converted into Type 5 LSA by the ABR when
leaving the area
TYPE 9, 10, 11: Opaque
TYPE 1: Router LSAs
TYPE 2: Network LSAs
TYPE 3: Summary LSA
DESIGNED FOR FUTURE USE
31
OSPF TABLES
TABLE
NEIGHBOUR TABLE
OVERVIEW
COMMENTS
also known as adjacency database

list of directly connected routers running OSPF with which adjacencies are
formed

<R1#show ip ospf neighbors ((type | number) (neighbor-id) detail))>
type - interface type (FastEthernet, Serial etc.)

number - interface number
neighbor-id - neighbors router ID
detail - displays all neighbors given in detail
Neighbor ID - neighbors router ID

Pri - priority of the neighbors interface on which adjacency is
formed
State - adjacency state
Dead Time - if the router doesnt receive a HELLO packet from the
neighbor before the timer expires, the adjacency is considered dead
Address - IP address of the neighbors interface on which adjacency
is formed
Interface - local interface on which adjacency is formed
32
TOPOLOGY TABLE

<R1#show ip ospf database>
typically referred to as LSDB (Link State Database)

contains all routers and their attached links in the area or network
all routers within an area have an identical LSDB
Link ID - name given to the entity on the links far end (see page 46)
ADV Router - advertising router ID
Age - the time that has passed since the last link update
Seq# - link-state sequence number (detects old/duplicate LSAs)
Checksum - fletcher checksum of the complete contents of the LSA
Link count - number of interfaces detected for router
33
ROUTING TABLE

<Router#show ip route ospf>
also known as forwarding database

contains list of best paths to destinations
[110/65] - OSPFs Administrative Distance (believability)

O - OSPF intra-area route (from within the area)
IA - OSPF inter-area route (from outside the area but from local AS)
N1 - OSPF NSSA external type 1 route
N2 - OSPF NSSA external type 2 route
E1 - OSPF external type 1 route (from outside of local AS)
E2 - OSPF external type 2 route (from outside of local AS)
For the same prefix/prefix length, OSPF always prefers routes in the
following order:
O
IA
E1
E2
34
OSPF METRIC

()
reference bandwidth (default) = 100 Mbps
COST
OSPF term for metric

routes metric is the sum of all costs along the path
the lower the metric the more preferred the route is
The COST is advertised in the LSAa that are advertised within an

OSPF area. When the COST is calculated to a destination then its
based on the exit interface of each router in the path to the
destination. Not consistent values along the path can lead to
asymmetric routing and the path one way may not be the same as
the return path.
To hardcode cost on an interface:

<Router(config-if)#ip ospf cost (1-65535)>
ip ospf cost - the command hardcodes the cost and overrides

the value that normally would be calculated using the
formula
defaults to 100Mbps
100Mbps = 100,000Kbps = 100,000,000bps
Cisco recommends keeping the value constant throughout the

entire OSPF AS to avoid sub-optimal routing decisions.
To modify:
<Router(config-router)#auto-cost reference (bandwidth in Mbps)>
To verify:
<Router#show ip ospf interface (interface)>
Interface Type
Bandwidth
COST
Loopback
8,000,000,000
Serial
56,000
1785
T1
1,544,000
64
Ethernet
10,000,000
10
Fast Ethernet
100,000,000
Gigabit Ethernet
1,000,000,000
REFERENCE BANDWIDTH
35
OSPF AREAS
an area is a logical collection of OSPF networks, routers, and links that share area ID
a router within a given area maintains a topological database only for the area to which it belongs
an router does not have detailed information about network topology beyond of the area it belongs to
OSPF uses 2-layer hierarchy: transit and regular (the underlying physical connectivity must map to the two-layer area structure with all non-backbone areas directly attaching to Area 0)
the purpose of dividing networks into sub-domains is to restrict the propagation of routes and reduce the amount of resources required by each router to maintain its link database
recommended maximum number of routers in an OSPF area: 50
AREA
BACKBONE (AREA 0)
OVERVIEW
COMMENTS
a standard area that has been designated to as the central point to which all areas connect
all traffic moving from one area to another area must traverse the backbone
all characteristics of the STANDARD area apply also to AREA 0
contains LSA Types: 1/2, 3 , 4, 5

contains route types: O, IA, E1/2
contains LSA Types: 1/2, 3

contains route types: O, IA
E1/2 external routes are not allowed
a default route (Type 3 LSA) is injected by the ABR (0.0.0.0/0 via ABR)
STANDARD
To create:
<Router(config-router)#area (area ID) stub>

STUBBY
for an area to become STUBBY, all routers belonging

to it must be configured to operate as such
area cannot be converted to STUBBY if it contains a
virtual link
STUB routers and non-STUB routers will not form

adjacencies!
36
TOTALLY STUBBY
contains LSA Type: 1/2 and 3 (LSA Type 3 is only used to advertise 0.0.0.0/0)
contains route types: O
E1/2 external routes are not allowed
a default route (via Type 3 LSA) is injected by the ABR (0.0.0.0/0 via ABR)
because LSA Type 4 and 5 are not permitted, STUBBY and TOTALLY STUBBY areas cannot
contain ASBR
only the ABR configuration needs to be modified to transform STUBBY to TOTALLY STUBBY area
To create (on ABR only):

<Router(config-router)#area (area ID) stub no-summary>
contains LSA Types: 1/2, 3, 7

contains route types: O, IA, N1/2
implements STUBBY or TOTALLY STUBBY functionality yet contains an ASBR
allows LSA Type 7 (originated by ASBR) to advertise N1/2 external routes
the ABR converts it into LSA Type 5 before flooding them to the rest of OSPF domain (if there
are multiple ABRs in an NSSA, the ABR with the highest router ID performs the translation)
LSA Type 3 will pass into and out of the area
ABR will not inject a default route into an NSSA unless explicitly configured to do so
To create NSSA (allows N1/2 external routes + allows IA inter-area routes):

NOT SO STUBBY
STUBBY and TOTALLY STUBBY areas can be used to

reduce the resource utilization of routers in portion of
the network not requiring full routing knowledge
area cannot be converted to TOTALLY STUBBY if it
contains a virtual link
<Router(config-router)#area (area ID) nssa)>

To create NSSA with stub functionality (allows N1/2 external routes + allows IA inter-area routes +
injects default route (Type 7 LSA with 0.0.0.0/0 via ABR):
<Router(config-router)#area (area ID) nssa default-information originate>
*default-information originate - ensures that ABR

injects a default route into a STUBBY NSSA (by default
it doesnt but does in TOTALLY STUBBY NSSA areas)
area cannot be converted to a NSSA if it contains a
virtual link
while all routers in the NSSA have to be configured as
such, additional functions (default-information, nosummary) need to be only configured on the ABR
To create NSSA with totally stub functionality (allows N1/2 external routes + injects default route
(Type 3 LSA with 0.0.0.0/0 via ABR):
<Router(config-router)#area (area ID) nssa no-summary>
37
EXAMPLES: OSPF AREAS

<R1(config)#router ospf 1>
<R1(config-router)#network 10.1.1.1 0.0.0.0 area 0>

<R2(config-router)#network 10.1.12.2 0.0.0.0 area 0
AREA 0 is the BACKBONE area

AREA 23 is a STANDARD area
R1 is a BACKBONE router
R2 is an ABR
R3 is an ASBR

<R3(config-router)#redistribute connected subnets>
(O) INTRA-AREA ROUTES
(IA) INTER-AREA ROUTES
(E1/2) EXTERNAL ROUTES
(N1/2) NSSA EXTERNAL ROUTES
DEFAULT ROUTE
Type LSAs ACCEPTED
R1
n/a
n/a
1/2, 3, 4, 5
R2: AREA 0
n/a
n/a
1/2, 3, 4, 5
R2: AREA 23
n/a
n/a
1/2, 3, 4, 5
R3
n/a
n/a
1/2, 3, 4, 5
38
SCENARIO 1: STUBBY AREA

<R1(config-router)#router ospf 1>

<R2(config-router)#area 23 stub>

<R3(config-router)#area 23 stub>
AREA 23 is a STUBBY area

E1/E2 external routes (Type 5 LSA) are not allowed
ABR (R2) injects default route: Type 3 LSA with 0.0.0.0/0 via ABR into AREA 23
(note: 172.20.200.1/24 redistributed by R3 is no longer advertised)
DEFAULT ROUTE
Type LSAs ACCEPTED
R1
n/a
n/a
1/2, 3, 4, 5
R2: AREA 0
n/a
n/a
1/2, 3, 4, 5
R2: AREA 23
n/a
n/a
1/2, 3
R3
n/a
0.0.0.0/0 via ABR
1/2, 3
39
SCENARIO 2: TOTALLY STUBBY AREA

R1(config-router)#router ospf 1>

<R2(config-router)#area 23 stub no-summary>
AREA 23 is a TOTALLY STUBBY area

E1/E2 routes (Type 5 LSA) are not accepted from ASBR (R3)
IA routes (Type 3 LSA) are not advertised by ABR (R2) into AREA 23
ABR injects default route: Type 3 LSA with 0.0.0.0/0 via ABR into AREA 23
DEFAULT ROUTE
Type LSAs ACCEPTED
R1
n/a
n/a
1/2, 3, 4, 5
R2: AREA 0
n/a
n/a
1/2, 3, 4, 5
R2: AREA 23
n/a
n/a
1/2, *3 (only for default)
R3
n/a
0.0.0.0/0 via ABR
1/2, *3 (only for default)
40
SCENARIO 3: NOT SO STUBBY AREA


<R2(config-router)#no area 23 stub no-summary>
<R2(config-router)#area 23 nssa>
AREA 23 is a NOT SO STUBBY area

N1/N2 routes (Type 7 LSA) are accepted from ABSR (R3)
IA routes (Type 3 LSA) are advertised by ABR (R2) to AREA 23
the ABR coverts Type 7 LSA into Type 5 LSA before flooding them to the rest of the OSPF
domain (if there are multiple ABRs in an NSSA, the ABR with highest router-id performs the
translation)

<R3(config-router)#no area 23 stub>
<R3(config-router)#area 23 nssa>
DEFAULT ROUTE
Type LSAs ACCEPTED
R1
n/a
1/2, 3, 4, 5
R2: AREA 0
n/a
1/2, 3, 4, 5
R2: AREA 23
n/a
1/2, 3, 7
R3
n/a
1/2, 3, 7
41
SCENARIO 4: NOT SO STUBBY AREA (STUB FUNCTIONALITY)


<R2(config-router)#area 23 nssa default-information originate>
AREA 23 is a NOT SO STUBBY area with STUB functionality

all characteristics of a NSSA plus:
o ABR (R2) injects default route: Type 7 LSA with 0.0.0.0/0 via ABR (R2)
DEFAULT ROUTE
Type LSAs ACCEPTED
R1
n/a
1/2, 3, 4, 5
R2: AREA 0
n/a
1/2, 3, 4, 5
R2: AREA 23
n/a
1/2, 3, 7
R3
0.0.0.0/0 via ABR
1/2, 3, 7
42
SCENARIO 5: NOT SO STUBBY AREA (TOTALLY STUB FUNCTIONALITY)


<R2(config-router)#area 23 nssa default-information originate no-summary>
AREA 23 is a NOT SO STUBBY area with TOTALLY STUB functionality

all characteristics of a NSSA plus:
o IA routes (Type 3 LSA) are not propagated by ABR (R2) into AREA 23
o ABR (R2) injects default route: Type 3 LSA with 0.0.0.0/0 via ABR
Type LSAs ACCEPTED
DEFAULT ROUTE
n/a
1/2, 3, 4, 5
R2: AREA 0
n/a
1/2, 3, 4, 5
R2: AREA 23
n/a
1/2,*3 (only for default),7
R3
0.0.0.0/0 via ABR
1/2,*3 (only for default),7
R1
43
OSPF VIRTUAL LINKS
used when an area cannot be directly connected to the backbone

act as a tunnel formed to join two areas across an intermediate area
both end routers must share a common area
at least one end must reside in Area 0
HELLOs are sent every 10 sec. by default
LSAs learnt through a virtual link have the DoNotAge (DNA) option set so that they do not age out (required to avoid excessive flooding over the virtual link)
cannot traverse stub areas
44
VIRTUAL LINKS CONFIGURATION

COMMANDS
COMMENTS
<Router(config-router)#area (transit area ID) virtual-link (router ID of the far end router) (*hello-interval (sec.)) (*dead-interval (sec.))>
To verify:
<Router#show ip ospf virtual-links>
both ends of a virtual links need to be

configured
hello-interval - specifies the time between
the HELLO packets that are sent on the
interface
dead-interval - specifies the time that must
pass without HELLO packets being seen
before the neighbor declares the router
down
EXAMPLE:
45
OSPF TIMERS
TIMER
OVERVIEW
COMMENTS
specifies the time interval at which the HELLO packets are retransmitted
Matching timer value is a condition of forming an

adjacency.
To adjust:
HELLO
<Router(config-if)#ip ospf hello-interval (1-65535 sec)>

To verify:
specifies the time interval during which a router will consider a neighbour alive without receiving a
HELLO from that neighbour
by default equals to 4 x HELLO timer
To adjust:
DEAD
Matching timer value is a condition of forming an

adjacency
ip ospf dead-interval minimal hello-multiplier sets the dead interval to 1 sec. with HELLOs sent at
the rate of multiplier per second
<Router(config-if)#ip ospf dead-interval (1-65535 sec)>

<Router(config-if)#ip ospf dead-interval minimal hello-multiplier (3-20)>
To verify:
46
OSPF ROUTER ID
routers name in the OSPF process

duplicate router-ids will prevent two routers from becoming neighbors!
determined in the following order:
1.
2.
3.
ID hardcoded using the <(config-router)#router-id A.A.A.A> command

highest IP of an UP|UP local loopback interface
highest IP of an UP|UP physical local physical interface (doesnt have to be OSPF enabled)
if the router-id cannot be determined (no IP addresses assigned to interfaces) the OSPF process will not start (router-id = 0.0.0.0) and the following error will be generated:
the ID doesnt change unless:

o
o
the router is rebooted

the OSPF process is cleared e.g. with #clear ip ospf process
flood war - an error message generated when a router in a different area has the same router ID as the one the message is displayed on and is advertising a network that the local router
isnt advertising
OSPF LINK ID
Link ID is a name given to the entity that is on the other end of the link
LINK TYPE
DESCRIPTION
LINK ID
Point-to-point
Neighbor Router ID
Link to transit network
Interface address of the DR
Link to stub area
IP network number
Virtual link
Neighbor Router ID
To view Link ID:
show ip ospf database
47
OSPF DR / BDR
on a Multipoint Broadcast networks routers form adjacencies with DR (Designated Routers) and BDR (Backup Designated Router)
a router that is neither DR nor BDR is called DROTHER
DROTHERs only form FULL adjacencies with DR and BDR
DROTHERS form 2-WAY adjacencies with themselves
adjacencies have synchronized LSDBs
BDR does not perform any DR functions when the DR is operating
BDR receives all information, but it is the DR that performs LSA forwarding and LSDB synchronization
a router can have interface belonging to different networks behaving as both DR and BDR
DROTHERS listen on 224.0.0.5
DR & BDR listen on 224.0.0.6
the DR/BDR improve network functionality by reducing routing update traffic
DR / BDR ELECTION PROCESS
COMMENTS
routers view the OSPF priority value of the other routers during HELLO exchange
the router with the highest priority becomes the DR
the router with the second highest priority becomes the BDR
router ID acts as a tie breaker
the only time DR/BDR change is when one of them is out of service
adding routers with higher priority than current BD/BDR does not preempt current selection
BDR uses the wait timer to determine whether the DR is out of service (if the DR is not confirmed to be forwarding LSAs
before the timer expires it is consider down)
should the DR fail the BDR becomes the new DR and new BDR is elected
priority range: 0 - 255 (if 0 the router never becomes

the DR/BDR)
default priority = 1
Sample output of show ip ospf neighbor detail:
To modify interface priority:

<Router(config-if)#ip ospf priority (0-255)>
To view interface priority:
To influence the DB/BDB election:
<Router#show ip ospf neighbor>

<Router#show ip ospf neighbor detail>
To view current DB/BDB:

<Router#show ip ospf neighbor>
<Router#show ip ospf neighbor detail>
boot up DR first followed by DBD and DROTHERS

shut and un-shut interface in the above order
use clear ip ospf process command
<-- displays states per neighbor

<-- displays states for the whole segment
48
OSPF ADJACENCIES STATES
when an adjacencies are formed the routers go through several state changes before they become fully adjacent
STATE
OVERVIEW
COMMENTS
HELLO packets have been sent but none have been received
DOWN
ATTEMPT
The router sends unicast HELLO packets every poll interval to the neighbor from which HELLO packets have
not been received within the DEAD interval
INIT
2-WAY
EXSTART
EXCHANGE
Events that can cause this state:
starting an OSPF process on a router

RouterDeadInterval he expiration
KillNbr
InactivityTimer
LLDown
This state is only valid for manually configured neighbors

in an NBMA environment.
the router has received HELLO packet from its neighbor, but the receiving routers ID was not included in
the incoming HELLO packet
one-way HELLO
When a router receives a HELLO from a neighbor, it

should be able to find own router-id in the content
which acknowledges that the packet came as a reply to
locally generated HELLO.
a bi-directional communication has been established between two routers (each router has seen the
other routers HELLO packet)
at this stage it is decided whether two routers should become neighbors (based on whether the required
conditions have been met)
on broadcast and non-broadcast multi-access networks DROTHERS form only 2-WAY relationship with
each other and FULL relationship with DR/BDR
At the end of this stage DR/BDR election occurs for

broadcast and non-broadcast multi-access networks.
routers and their DR/BDR establish a master/slave relationship and choose the initial sequence number
for adjacency formation
the router with the highest router ID becomes the master and starts the exchange (it also is the only
router that can increment the sequence number)
master/slave election takes place on a per-neighbor basis
routers exchange DBD (Database Description) packets in this state
each DBD packet has a sequence number which can be only incremented by master (slave explicitly
acknowledges it)
49
LOADING
FULL
the actual exchange of link-state information occurs

based on the information received in DBD routers send link-state request packets (which are provided in
LSUs)
routers are fully synchronized with each other (all the router and network LSAs are exchanged and the
routers databases are fully synced)
ready to run SPF (Shortest Path First) algorithm and individually figure out the best routes to networks
from their own perspective
Considered a normal state for an OSPF router (if routers

are stuck in other states it may indicate problems with
forming adjacencies - with the exception of 2-WAY state
which is a desired state between DROTHERS).
50
OSPF NETWORKS
NETWORK
OVERVIEW
COMMENTS
a multi-access broadcast network e.g. Ethernet

DB/DBD election for each segment
1 x mode of operation
MULTI-ACCESS BROADCAST
The DR/BDR concept is at the link level i.e. router can have different interface
belonging to different areas acting as DR, BDR or DROTHER
POINT-TO-POINT
NON-BROADCAST MULTIACCESS
a network that joins a single pair of routers e.g. PPP, HDLC

mode auto-detected by OSPF
OSPF packets are sent using multicast 224.0.0.5
no DB/DBD election
default timers: 10 HELLO / 40 DEAD
1 x mode of operation
a network that interconnects more than two routers but has no

broadcast capabilities e.g. FR, X.25
5 x modes of operation
LOOPBACK
VIRTUAL LINK
the default OSPF network type for a loopback interface, causing the
OSPF to advertise host routers instead of actual network masks
the LOOPBACK network type is a CISCO proprietary extension that is not
configurable but present on a loopback interface by default
may also be a sub-interface running FR or ATM

the IP source address of a packet is set to the address of the outgoing
interface
ip ospf network point-to-point - on an loopback interfaces ensures that

the whole subnet is advertised (the interface is treated as a stub host)
act as a tunnel formed to join two areas across an intermediate area
51
OSPF OVER NBMA
MODE
OVERVIEW
BROADCAST
COMMENTS
CISCO proprietary
HELLO / DEAD = 10/40 sec.
DR/BDR elected
single subnet
neighbors are automatically discovered
acts like a LAN environment
preferred topology: full mesh
Cisco proprietary in a sense that CISCO defined the style over

NBMA
works best with fully meshed topologies (implementing this
mode in hub and spoke + partial mesh topologies will result in
connectivity issues)
broadcast - enables pseudo broadcast (sends broadcast style
unicast packet)
CONFIGURATIONS:
Setting network type:
<Router(config-if)#ip ospf network broadcast>
Enabling pseudo broadcast over Frame Relay cloud:
<Router(config-if)#frame-relay map ip A.A.A.A (DLCI) broadcast>
52
NON-BROADCAST
In hub and spoke topology, DR must be manually hardcoded on the

hub so that the spokes can form full adjacencies with it
RFC compliant mode

DR/BDR elected
single subnet
neighbors are statically configured
acts like a LAN environment with broadcast disabled
preferred topology: full mesh
default OSPF mode for all NBMA networks
Also, the spokes should never become BDR because they have no full
connectivity with the rest of the networks
In full mesh its acceptable for the DR/BDR election to automatically
elect DR/BDR
CONFIGURATIONS:
<Router(config-if)#ip ospf network non-broadcast>
Adding neighbors:
<Router(config-router)#neighbor (A.A.A.A) (*priority (0-255)) (*cost (1-65535))>
POINT-TO-MULTIPOINT
BROADCAST
RFC compliant mode

DR/BDR not elected
single subnet
neighbors are automatically formed
treats the cloud like a series of point-to-point links
preferred topology: partial | star
neighbor A.A.A.A - manually hardcodes the OSPF neighbor

priority - hardcodes the priority of the neighbor (good practice to
configure priority value on both ends to avoid errors)
cost - hardcodes the cost to reach the neighbor
In hub and spoke topologies the neighbors only need to be hardcoded

on the hub (reason: it is the hub that initiates the HELLO exchange
process; the spokes only respond to it) - however it is still a good
practice to hardcode all neighbors
in this mode OSPF advertises host routes (not networks)

can be mixed with point-to-point mode on the far ends as long as
timers are adjusted
CONFIGURATIONS:
<Router(config-if)#ip ospf network point-to-multipoint>
53
POINT-TO-MULTIPOINT
NONBROADCAST
CISCO extension
DR/BDR not elected
single subnet
used when multi / broadcasts are not allowed on the virtual circuits
acts like point-to-multipoint mode with broadcast disabled

can be mixed with point-to-point mode on the far ends as
long as timers are adjusted
CONFIGURATIONS:
<Router(config-if)#ip ospf network point-to-multipoint non-broadcast>
POINT-TO-POINT
CISCO proprietary
DR/BDR not elected
one subnet for each point-to-point link
CONFIGURATIONS:
<Router(config-if)#ip ospf network point-to-point>
54
EXAMPLES: OSPF OVER NBMA CONFIGURATION

CONSIDERATIONS:
choosing appropriate OSPF mode over NBMA will depend on particular circumstances such as:
o
o
o
support for broadcasts / multicasts

topology used (fully meshed, partially meshed, hub-and-spoke (star))
IP addresses availability
DR/BDR have to have full connectivity with the rest of the nodes (unless the network is fully meshed this process cannot be automatic)
for automatic neighbor discovery use broadcast parameter with FR mapping
for static neighbor hardcoding use neighbor command under OSPR process sub-configuration mode
there is no one right way to configure OSPF over NBMA - technically each mode can be configured over every topology
the aim is to achieve fully network connectivity over the cloud as efficiently as possible - if a mode is working over a suboptimal topology then tuning is essential
55
SCENARIO 1: BROADCAST MODE

MAIN CHARACTERISTICS:
HELLO/DEAD = 10/40 sec.

DR/BDR elected
single subnet
neighbors are automatically discovered
broadcasts / multicasts are allowed over the cloud
56
CONFIGURATIONS
--->
COMMENTS
R1(config-if)#no shutdown
frame-relay inverse arp - maps a known L2 address (DLCI) to

an unknown L3 address (IP)
arp frame-relay - allows the router to answer to remote
routers ARP query
Since broadcast capabilities have to be enabled while statically

adding FR mapping automatic FR neighbor discovery should be
disabled.
--->

broadcast - enables pseudo broadcast (forwards broadcast

style unicast packets to the specified node)

R2(config-if)#frame-relay map ip 10.1.123.3 201
To confirm FR mappings:
57
HARDCODE OSPF PRIORITIES
--->
R1(config)#ip ospf priority 255
On fully meshed networks it is fine to let the routers automatically

elect the DR/BDR.
Because the network is not fully meshed, letting the DR/BDR be

automatically elected can lead to connectivity issues - the
DR/BDR/DROTHER assignment will take place on a link basis
(R1 <--> R2, R1 <--> R4) and not a segment basis.
Both DR/BDR rely on full connectivity with all the nodes on the
segment to work properly. Since only the hub (R1) meets this
requirement it has be hardcoded as DR. R1 and R4 only have direct
connection to R1 and not to each other. Therefore neither can
become BDR and none will be elected. Both routers need to be
hardcoded as DROTHERS.
R1(config-if)#ip ospf network broadcast
HARDCODE OSPF MODES

To confirm OSPF mode:
Router#show ip ospf interface
ENABLE OSPF
--->
R1(config)#router ospf 1
R1(config-router)#router-id 1.1.1.1
R1(config-router)#network 10.1.123.1 0.0.0.0 area 0
At this stage the adjacencies will be formed and OSPF will be

operational.
58
SCENARIO 2: NON-BROADCAST MODE


DR/BDR elected
single subnet
broadcasts / multicasts are not allowed over the cloud
59
CONFIGURATIONS
--->
COMMENTS

routers ARP query
Since broadcasts are not allowed over the FR cloud, building the FR
map should rely on static entries with the dynamic mapping
disabled.
--->

It is necessary to add maps in a way that both spokes can reach

other - otherwise the spoke wont be able to reach networks
advertised by the other spoke.
Since the topology is not fully meshed the route to remote spoke
should be mapped through the hub.
--->
DR/BDR election will occur during establishing adjacencies.

DR/BDR/DROTHER assignment will take place on a link basis
(R1 <--> R2, R1 <--> R4) and not a segment basis.
60
HARDCODE OSPF MODES
--->
R1(config-if)#ip ospf network non-broadcast

ENABLE OSPF
--->
At this stage the adjacencies will not form since OSPF is working in
non-broadcast mode and will not multicast HELLOs.
Neighbors need to be statically configured under the OSPF
process.
MANUALLY ADD OSPF NEIGHBORS
--->
R1(config-router)#neighbor 10.1.123.2 priority 0
Technically, the neighbors only need to be hardcoded on the hub it is the hub that initiates the HELLO exchange process; the spokes
only respond to it - however it is still a good practice to hardcode
all neighbors.
Same case with priority - its already configured on each router on
the FR interface but its a good practice to hardcode it again under
the neighbor statement.
No need for the spokes to become neighbors since all the traffic
has to go through the hub anyways.
The neighbor command causes the HELLOs to be unicasted instead
of multicasted.
61
SCENARIO 3: POINT-TO-MULTIPOINT BROADCAST


DR/BDR not elected
single subnet
62
CONFIGURATIONS
--->
COMMENTS

routers ARP query
Since broadcast capabilities have to be enabled while statically

adding FR mapping automatic FR neighbor discovery should be
disabled.
--->

HARDCODE OSPF MODES
--->
R1(config-if)#ip ospf network point-to-multipoint

63
ENABLE OSPF
--->
At this stage the adjacencies will be formed and OSPF will be

operational.
(*note: take notice of how host routes are advertised not the
whole networks)
64
SCENARIO 4: POINT-TO-MULTIPOINT NON-BROADCAST


DR/BDR not elected
single subnet
65
CONFIGURATIONS
--->
COMMENTS

routers ARP query
Since broadcasts are not allowed over the FR cloud, building the FR
map should rely on static entries with the dynamic mapping
disabled.
--->

It is necessary to add maps in a way that both spokes can reach

other - otherwise the spoke wont be able to reach networks
advertised by the other spoke.
Since the topology is not fully meshed the route to remote spoke
should be mapped through the hub.
--->
DR/BDR election will occur during establishing adjacencies.

DR/BDR/DROTHER assignment will take place on a link basis (R1
<--> R2, R1 <--> R4) and not a segment basis.
66

HARDCODE OSPF MODES
--->
R1(config-if)#ip ospf network point-to-multipoint non-broadcast

ENABLE OSPF
--->
At this stage the adjacencies will not form since OSPF is working in
non-broadcast mode and will not multicast HELLOs.
Neighbors need to be statically configured under the OSPF
process.
MANUALLY ADD OSPF NEIGHBORS
--->
Technically, the neighbors only need to be hardcoded on the hub it is the hub that initiates the HELLO exchange process; the spokes
only respond to it - however it is still a good practice to hardcode
all neighbors.
Same case with priority - its already configured on each router on
the FR interface but its a good practice to hardcode it again under
the neighbor statement.
No need for the spokes to become neighbors since all the traffic
has to go through the hub anyways.
The neighbor command causes the HELLOs to be unicasted instead
of multicasted.
67
SCENARIO 5: POINT-TO-POINT

DR/BDR not elected
one subnet for each point-to-point link
68
CONFIGURATIONS
--->
COMMENTS
R1(config-if)#interface s0/0.102 point-to-point
R1(config-if)#frame-relay interface-dlci 102
R1(config-if)#interface s1/0.103 point-to-point
R1(config-if)#ip add 10.1.1.5 255.255.255.252
R2(config-if)#interface s1/0.201

routers ARP query
Auto discovery can be left on - since there is only one node at each
end there is no risk of mapping to undesired / unknown networks.
When configuring FR sub-interfaces, the FR encapsulation and FR
parameters (LMI type etc.) only need to be configured on the main
interface.
Only the main interface needs to be turned on (no shutdown).
R4(config-if)#interface s1/0.301
ENABLE OSPF
--->
No need to hardcode OSPF mode on the interfaces - the point-topoint mode is default for point-to-point interfaces.
At this state the adjacencies will be formed and OSPF will be
operational.
69
OSPF CONFIGURATIONS
ACTIVATION
STEP #
START OSPF PROCESS
HARDCODE ROUTER ID
COMMANDS
COMMENTS
<Router(config)#router ospf (process ID; 1-65535)>
process ID - a locally significant number that

does not affect the OSPF operation
network - specifies what interfaces to add to

the OSPF process (added interface will send /
receive HELLO packets and advertise the
networks to which they belong)
<Router(config-router)#router-id A.A.A.A>
<Router(config-router)#network (A.A.A.A) (M.M.M.M | W.W.W.W) area (area ID; 0-4294967295)>
Alternatively:
<Router(config-if)#ip ospf (process ID) area (OSPF area)>
ADD INTERFACES TO OSPF

PROCESS
The wildcard mask is used for matching prefix only.

The prefix-length is not matched.
To add every interface:

<Router(config-router)#network 0.0.0.0 255.255.255.255 area (area ID)>
To manually add neighbor:
A network command with the most specific

wildcard is revised first.
If a statement ends with subnet mask it will be
converted into appropriate wildcard mask and
saved in the running config. in this format
<Router(config-router)#neighbor A.A.A.A>
To verify:
PASSIVE INTERFACES
passive-interface - no HELLOs are sent on the

interface (hence no relationship can be
formed) but the network is still advertised
passive-interface default - sets all interfaces
as passive
A passive interface is still part of the OSPF process

and the network advertised but no HELLOs are sent
to that interface.
HARDCODE AREA TYPE
<Router(config-router)#area (area ID) (stub (no-summary)) (nssa (default-information originate)

(no-summary))>
70
hello-interval - specifies the HELLO timer

dead-interval - specifies the time that must
pass without HELLO packets being seen
before the neighbor declares the router
down
<Router(config)#ip route 0.0.0.0 0.0.0.0 (exit interface)>
<Router(config-router)#default-information originate (*always) (*metric (0-16777214)) (*metrictype (1-2))
default-information originate - distributes a

default route if it exists in the routing table
always - always advertises a default route
even if it doesnt exist in the routing table
metric - propagate default route with
hardcoded OSPF metric
metric-type - type of OSPF metric
<Router(config-router)#area (transit area ID) virtual-link (router ID of the far end router) (*hellointerval (seconds)) (*dead-interval (seconds))>
VIRTUAL LINK
PROPAGATE DEFAULT
GATEWAY
71
TUNING
FEATURE
COMMANDS
COMMENTS
Globally:
ADJUST AD
<Router(config-router)#distance ospf (external (AD 1-255)) (inter-area (AD 1-255)) (intra-area (AD,
1-255))>
Per routes:
<Router(config-router)#distance (AD, 1-255) (source IP Address) (*1-99 | 1300-1999 | ACL name)>
ADJUST TIMERS
o
HELLO
<Router(config-if)#ip ospf hello-interval (1-65535 sec)>
To verify:
<Router(config-if)#ip ospf dead-interval (1-65535 sec)>

o
HOLD
ADJUST RETRANSMIT
INTERVAL
ADJUST REFERENCE
BANDWIDTH
<Router(config-if)#ip ospf dead-interval minimal hello-multiplier (3-20)>
<Router(config-if)#ip ospf retransmit-interval (1-65535 sec)>
ip ospf retransmit-interval controls the time

interval between advertisement retransmission if
the previous packet was not acknowledged
<Route(config-router)#auto-cost reference bandwidth (1-4294967)>

To verify:
ADJUST I-FACE COST
<Router(config-if)#ip ospf cost (1-65535)>
ADJUST I-FACE PRIORITY
<Router(config-if)#ip ospf priority (0-255)>
Default = 1
<Router(config-if)#ip ospf network (broadcast | non-broadcast | point-to-multipoint | point-tomultipoint non-broadcast | point-to-point>

HARDCODE NETWORK TYPE
To verify:
72
AUTHENTICATION
TYPE
COMMANDS
COMMENTS
<Router(config-if)#ip ospf authentication>
PLAIN TEXT
<Router(config-if)#ip ospf authentication-key (authentication key)>
For the entire area:

<Router(config-router)#area (area ID) authentication message-digest>
<Router(config-if)#ip ospf message-digest-key (1-255) md5 (authentication key)>
For an interface:
MD5
<Router(config-if)#ip ospf authentication message-digest>

<Router(config-if)#ip ospf message-digest-key (1-255) md5 (authentication key)>
authentication Type 1 (default = 0, disabled)

ip ospf authentication - enables plain text
authentication
ip ospf authentication-key - OSPF password
authentication Type 2
ip ospf authentication message-digest enables md5 authentication
ip ospf message-digest-key (1-255) md5 MD5 OSPF password
Routers must use the same key ID to authenticate

each other.
The router uses the most recently added key for
authenticating sent packages.
SUMMARIZATION
by default, the metric of the summary route is equal to the highest (worst) metric of the component subnet
TYPE
COMMANDS
COMMENTS
<Router(config-router)#area (area ID) range A.A.A.A M.M.M.M>
Configured on and performed by an ABR.

The ABR advertises only the summary route if at
least one subordinate subnets exists as an (IA)
inter-area route.
INTERNAL ROUTES
EXTERNAL ROUTES
Also creates a summary route pointing toward

Null0 for the same range - (behavior known as
sending unknown traffic to bit bucket - if the router
advertising the summary route receives a packet
destined for something covered by the summary
route but not in the routing table, it drops it)
<Router(config-router)#summary-address A.A.A.A M.M.M.M>
Configured on and performed by an ASBR.
73
REDISTRIBUTION
ROUTING PROTOCOLS
To set a default-metric (NOTE: this command does not affect the metric of directly connected networks):
<Router(config-router)#default-metric (1-16777214)>
PULL ROUTES FROM:
COMMANDS
COMMENTS
<Router(config)#router ospf (process ID)>
RIP
<Router(config-router)#redistribute rip (*metric (0-16777214)) (*metric-type (1-2)) (*nssa-only) (*route-map

(route map name)) (*subnets)>

<Router(config-router)#redistribute eigrp (AS 1-65535) (*metric (0-16777214)) (*metric-type (1-2)) (*nssaonly) (*route-map (route map name)) (*subnets)>
Example:
metric - redistribute router with the specified

metric (by default it is set to 20) (overridden
by a route-map if used)
metric-type - External Type 1 (increment the
seed metric by adding the internal cost) or
Type 2 (do not increment metric)
nssa-only - redistribute only NSSA external
routes
route-map - apply a route map for filtering of
subnets - prevents automatic summarization
of the redistributed routes
Defaults:
EIGRP
when redistributing BGP the metric = 1

when redistributing another OSPF process
take the source routes metric
when redistributing all other sources, use a
default metric = 20
creates a Type 5 LSA for each redistributed
route if not inside an NSSA area
route if inside an NSSA area
uses External Type 2 metric
redistribute only classful networks (ignores
subnets)
<Router(config)#router router (process ID)>
BGP
<Router(config-router)#redistribute bgp (AS #) (*metric (0-16777214)) (*metric-type (1-2)) (*nssa-only)

(*route-map (route map name)) (*subnets)>
74
DIRECTLY CONNECTED NETWORKS

COMMANDS
COMMENTS
<Router(config-router)#redistribute connected (*metric (0-16777214)) (*metric-type (1-2)) (*nssa-only) (*route-map (route map name)) (*subnets)>
STATIC ROUTES
COMMANDS
COMMENTS
<Router(config-router)#redistribute static (*metric (0-16777214)) (*metric-type (1-2)) (*nssa-only) (*route-map (route map name)) (*subnets)>
75
OSPF VERIFICATION AND TSHOOTING
show ip ospf neighbors

show ip ospf neighbors detail
show ip ospf interface
show ip ospf interface brief
show ip ospf
show ip ospf border-routers
show ip route ospf
show ip protocols
debug ip ospf adjacencies
clear ip ospf process
COMMAND
show ip ospf neighbor
VERIFIES
EXAMPLE
neighbor ID
neighbor priority
adjacency state
neighbor IP address
local interface through which the neighbor is accessible
detailed neighbor related information
show ip ospf neighbor detail
76
local interface(s) that participate in OSPF processes
local interface(s) that participate in OSPF processes

the areas the interface belongs to
interface IP address
interface COST
interface network type
the number of neighbors
show ip ospf interface (*interface)
show ip ospf interface brief
77
OSPF processes
router ID
OSPF areas
various LSAs in the OSPF database organized by area and type
show ip ospf
78
lists boundary routers information
network in the routing table learnt via OSPF processes
router ID
networks OSPF is routing for
reference bandwidth
administrative distance
show ip route ospf
show ip protocols
Information about virtual links created on the local router
show ip ospf virtual-link
79
Debugs OSPF adjacency events
debug ip ospf adj
clear ip ospf process
Restarts OSPF processes
80
RouterA
RouterB
RouterA initiates OSPF process:
RouterB initiates OSPF process:
RouterA(config)#router ospf 1
RouterA(config)#router ospf 1
1. THE ROUTERS DETERMINE THEIR OWN ROUTER-IDs

Determined in the following order:
1
ID configured with <Router(config-router)#router-id A.A.A.A>
Highest IP of a Loopback interface
Highest IP of an active interface (doesnt have to be OSPF enabled but has to be UP:UP)
routers name in the OSPF process
* the router-id doesnt change until:

the router is rebooted
the OSPF process is restarted <Router#clear ip opsf process>
2. ADD INTERFACES TO THE LINK STATE DATABASE

Use the network command:
Router(config)#router ospf 1
Router(config-router)#network A.A.A.A W.W.W.W
OR
Router(config-router)#network A.A.A.A M.M.M.M
3. THE ROUTERS SEND HELLO PACKETS ON OSPF

ENABLED INTERFACES
*** DOWN STATE ***
HELLO packet contains:

router ID
* HELLO/DEAD timers
* network mask
* area ID
known neighbors
interface priority
DB/DBD IP address
* authentication password
* these need to match on both routers in order
to successfully form an adjacency
the router sent a HELLO message

but havent received a reply yet
HELLOs are multicasted on 224.0.0.5
4. THE ROUTERS RECEIVE HELLO PACKET

*** INIT STATE ***
Read the HELLO packet:
Routers received a HELLO and sent
one back
Check if all the conditions required to form a

relationship are met. If so:
add the router-id of the router that originated
the HELLO packet to the neighbor list
If routers go from DOWN STATE

INIT
DOWN
it is most likely because some of the conditions
required to form a neighbour relationship are not
met
send a unicast HELLO packet back
5. BIDIRECTIONAL COMMUNICATION HAS BEEN ESTABLISHED

*** 2 WAY STATE ***
Routers have exchanged the HELLO
packets and are in bidirectional
communicatoin
Both routers check the HELLOs received
and check the neighbor field:
Already a neighbor:
Router finds itself in the
neighbor field?
YES
reset the DEAD timer

await another HELLO
NO
Is this a broadcast
network?
NO
Not a neighbor yet:

Go to Step 6
YES
Elect DR/BDR
DROTHERS remain in 2WAY
relationship
BD/BDR form FULL
relationship with itself and
with DROTHERS (Go to Step
6)
6. THE ROUTERS DETERMINE THE MASTER/SLAVE RELATIONSHIP

*** EXSTART STATE ***
Establish Master/Slave relationship on a per-neighbor basis:
MASTER/SLAVE comes down to

who sends its DBD first
The router with the higher priority becomes the MASTER

The other router becomes the SLAVE
router-id breaks the tie
7. THE ROUTERS EXCHANGE THE LINK-STATE SUMMARIES

*** EXCHANGE STATE ***
DBD = Database Descriptor
Include information about the
LSA entry header that appears
in the LSDB of the router
Headers include: link-state type,
advertising routers IP address,
links COST + sequence number
The MASTER sends the DBD first

The SLAVE acknowledges
The SLAVE sends its DBD
The MASTER acknowledges
8. THE ROUTERS EXCHANGE REQUIRED LINK-STATE INFO

*** LOADING STATE ***
Process of sending / receiving LSRs
The router receives the DBD and:

acknowledges the packet
compares received information with
the information it already has
if the DBD has a more up-to-date
link-state entry, the router sends an
LSR to the other router
the other router responds with the
complete information about the
requested entry in an LSU packet
the LSU is acknowledged
8. ESTABLISHING FULL ADJACENCIES

*** FULL STATE ***
Routers share the same road map of the whole
network
They are ready to run SPF algorithm and
individually figure out the best route to each
network from their own perspective
The adjacent routers are considered

fully synchronised all routers in the
area should have identical LSDBs
Controlling
Routing Updates
Administrative Distance
Passive Interfaces
Filtering Routing Updates
Redistribution
Policy Based Routing
IP SLA
ADMINISTRATIVE DISTANCE
PROTOCOL
COMMANDS
COMMENTS
To change AD for all routes coming from all sources (*does not work with EIGRP):
<Router(config-router)#distance (AD; 0-255)>
If the updates are coming from EIGRP and RIP, use the
advertising interfaces IP address.
To change AD for all routes coming from specific sources:
<Router(config-router)#distance (AD; 0-255) (source A.A.A.A W.W.W.W)>
To change AD for specific routes coming from all sources (*does not work with EIGRP):
<Router(config-router)#distance (AD; 0-255) 0.0.0.0 255.255.255.255 (standard ACL # |name)>
all
If the updates are coming from OSPF, use router-ID as the

source.
To change AD for specific routes coming from specific sources:
<Router(config-router)#distance (AD; 0-255) (source A.A.A.A W.W.W.W) (standard ACL # |name)>
Modifying AD affects routing decision only locally (the

adjusted AD values never leave the local router).
AD = 0 - reserved for directly connected routes

AD = 255 - routes will not be installed in the routing
table
source A.A.A.A W.W.W.W - IP address of the updates

source (i.e. given routing protocol neighbor)
distance (AD 0-255) - returns Incomplete command
for EIGRP
distance (AD 0-255) 0.0.0.0 255.255.255.255 - assigns
AD = 0 under EIGRP
EIGRP
<Router(config-router)#distance eigrp (internal distance; 1-255) (external distance; 1-255)>
OSPF
<Router(config-router)#distance ospf (external (AD; 1-255)) (inter-area (AD; 1-255)) (intra-area (AD; 1-255))
TSHOOT
*Will cause EIGRP adjacencies to be re-negotiated.
show ip protocols
82
PASSIVE INTERFACES
makes a router a silent host on the network

prevent routing updates from being propagated and/or received on these interfaces
PROTOCOL
COMMANDS
all
COMMENTS
To verify:
passive-interface - no HELLOs are sent on the

interface (hence no relationship can be
formed) but the network is still advertised
passive-interface default - sets all interfaces as
passive
83
FILTERING ROUTING UPDATES
controls can be applied to incoming / outgoing routing protocol updates
WITH DISTRIBUTE LISTS

STEP #
CREATE A STANDARD ACL
COMMANDS
COMMENTS
<Router(config)#ip access-list standard (1-99 | 1300-1999 | name)>

<Router(config-std-nacl)# (permit | deny) A.A.A.A W.W.W.W>
Apply to routing updates:

<Router(config-router)#distribute-list (ACL name | #) (in | out) (*interface)>
The command does not overwrite the distribute-list

commands that have been already issued.
(*BGP ONLY)
<Router(config-router)#neighbor A.A.A.A distribute-list (ACL name | #) (in | out)>
Example:
distribute-list - keyword that allows applying

an ACL / prefix-list to the updates
interface - affects update flow on that given

interface (if this parameter is omitted all
given routing process on all interfaces will be
affected by the distribute list)
Routes that were already installed before applying

a distribute list might remain in the routing table
until the table is flushed with or the routing
process is restarted.
ACTIVATE UNDER A ROUTING

PROCESS
clear ip route flushes the routing table
NOTE: the idea of filtering works different with

OSPF. One of the requirements of link-state
protocols is that the routers in the same area must
have the same, synchronized LSDB. Therefore,
filters cannot be applied outbound!
Also, when applied inbound the route is still
allowed to enter the LSDB but its movement to the
routing table is subject to the filter.
TSHOOT
show ip access-list (name | #)
84
WITH PREFIX-LISTS
STEP #
COMMANDS
COMMENTS
Basic syntax (checks all the bits starting with the most significant):
<Router(config)#ip prefix-list (list name | #) (*seq (1-4294967294)) permit | deny A.A.A.A/nn>
Description:
<Router(config)#ip prefix-list (list name | #) description (up to 80 characters)>
seq sequence number of an entry

permit 0.0.0.0/0 le 32 - logical permit any
To figure out the exact prefix it should be thought

of as summary address go as far as the bits are
matching and write down the mask e.g.
The exact prefix for the following:
To permit/deny prefixes greater or equal than the exact prefix:

<Router(config)#ip prefix-list (list name | #) permit | deny A.A.A.A/nn ge (1-32)
CREATE A PREFIX LIST
To permit/deny prefixes lesser or equal than the exact prefix:

<Router(config)#ip prefix-list (list name | #) permit | deny A.A.A.A/nn le (1-32)
To permit/deny a range of prefixes:
<Router(config)#ip prefix-list (list name | #) permit | deny A.A.A.A/nn ge (1-32) le (1-32)>
10.1.7.0/24
10.1.8.0/24
10.1.9.0/24
10.1.10.0/24
10.1.11.0/24
10.1.12.0/30
10.1.12.4/30
10.1.12.8/30
could be: 10.1.0.0/12
The length specified by ge should be longer than
the length of the initial prefix (it is impossible to
match anything smaller than the initial prefix)

PROCESS
TSHOOT

<Router(config-router)#distribute-list prefix (prefix list name) (in | out) (*interface)>
distribute-list - keyword that allows applying

an ACL / prefix-list to the updates
show ip prefix-list (*name)

show ip prefix-list (*name) detail>
show ip prefix-list summary
show ip prefix-list (name) A.A.A.A/nn
show ip prefix-list (name) seq (1-4294967294))
85
WITH ROUTE MAPS

STEP #
COMMANDS
<Router(config)#route-map (map name) (permit | deny) (10, 0-65535 sequence number)>
COMMENTS
permit | deny - logical DO | DONT
seq. number - clauses are numbered to

specify the order in which they should be
evaluated
CREATE A ROUTE MAP
ACL
<Router(config-route-map#match ip address (ACL # | name)>
PREFIX LIST
<Router(config-route-map)#match ip address prefix-list (prefix list name)>
match ip address both standard

and extended ACLs can be used
tag a tag follows the route
advertisement even through the
redistribution process
OUTGOING INTERFACE
<Router(config-route-map)#match interface (name | number)>
NEXT HOP IP ADDRESS
<Router(config-route-map)#match ip next-hop (ACL # | name)>
SOURCE IP ADDRESS
<Router(config-route-map)#match ip route-source (ACL # | name)>

MATCH ROUTES BASED ON/WITH
PACKET LENGTH
<Router(config-route-map)#match length (min.; 0-2147483647) (max.; 0-2147483647)>
TAG
<Router(config-route-map#match tag (tag value)>
METRIC
<Router(config-route-map#match metric (metric value)>
ROUTE-TYPE (OSPF)
<Router(config-route-map#match route-type (internal | external | type (1 | 2))>
LOCAL-PREFERENCE (BGP)
<Router(config-route-map#match local-preference (0-4294967295)>
86

PROCESS
Doesnt work with RIP!
<Router(config-router)#distribute-list route-map (route map name) (in | out) (*interface)>

(*BGP ONLY)
<Router(config-router)#neighbor A.A.A.A route-map (route map name) (in | out)>
TSHOOT
show route-map (*name | all)
87
ROUTE MAPS
allow for traffic control with greater flexibility than ACLs

can alter packets with the set command (e.g. next hop, QoS etc.)
named and build from clauses (default = 10)
each clause can either be permit or deny
if there are no matches the route map applies to everything
88
89
REDISTRIBUTION
ROUTING PROTOCOLS
always performed outbound

the router doing redistribution does not change its routing table
most redistribution designs call for a min. of two routers performing redistribution to avoid a single point of failure
default seed metrics:

PROTOCOL
ORIGIN
VALUE
RIP ver. 1
all
Infinity
Directly Connected
infinity
all
all
Infinity
another EIGRP process
same
BGP
all
20
all
equals to IGP metric
RIP ver. 2
EIGRP
OSPF
BGP
90
METRIC
let the default behavior set the metric value (see above)
set a default metric for all redistributed routes (*does not affect the metric of directly connected networks) using the default-metric command under the routing process
set metric for all routes redistributed from a given source using the metric parameter under the redistribute command
set metric for specific routes by referencing a route map under the redistribute command
PREVENTING DOMAIN LOOPS WHILE REDISTRIBUTING
assign purposefully high metrics to redistributed routes

manipulate Administrative Distance
use TAGs
91
REDISTRIBUTION INTO RIP

<Router(config-router)#default-metric (1-4294967295)> (*any metric above 15 will render the route unreachable)>
PULL ROUTES FROM:
EIGRP
COMMANDS
COMMENTS
<Router(config-router)#redistribute eigrp (AS; 1-65535) (*metric (0-16)) (*route-map (route map

name))>
metric of 16 and above will render the route

unreachable
<Router(config-router)#redistribute ospf (process ID;1-65535) (*match (external (1-2)) (*internal)

(*nssa-external) (*metric (0-16)) (route-map (route map name))>
Example:
OSPF
BGP
<Router(config-router)#redistribute bgp (AS) (*metric (0-16)) (*route-map (route map name))>
92
REDISTRIBUTION INTO EIGRP

<Router(config-router)#default-metric (bandwidth kb; 1-4294967295) (delay; 10-microsec 0-255) (reliability; 0-255) (load; 0-255) (MTU; 1-65535)>
PULL ROUTES FROM:
RIP
COMMANDS
COMMENTS
<Router(config-router)#redistribute rip (*metric (bandwidth) (delay) (reliability) (load) (MTU) (*route-map

(route map name))>

<Router(config-router)#redistribute ospf (process ID) (*match (external (1-2)) (*internal) (*nssa-external)
(*metric (bandwidth) (delay) (reliability) (load) (MTU) (*route-map (route map name))>
Example:
OSPF
default-metric overridden by the

redistribute metric command
metric redistribute router with the specified
metric (by default it is set to infinite
(unreachable) for all redistributed protocols
except for EIGRP with different AS in such
case the it takes the metric from the source
of the routing information)
match internal redistribute the OSPF
internal routes
match external - redistribute OSPF external
Type 1/2 routes
match nssa-external redistribute OSPF
NSSA external routes
route-map applies a route map to
EIGRP was designed to automatically redistribute

IGRP route from the same AS.
Good practice to make redistributed routes appear
as links e.g. 100Mb:
<Router(config-router)#default-metric 100000 10
255 1 1500>
BGP
<Router(config-router)#redistribute bgp (AS) (*metric (bandwidth kb) (delay) (reliability) (load) (MTU)
(*route-map (route map name))>
93
REDISTRIBUTION INTO OSPF

PULL ROUTES FROM:
COMMANDS
COMMENTS
RIP
<Router(config-router)#redistribute rip (*metric (0-16777214)) (*metric-type (1-2)) (*nssa-only) (*routemap (route map name)) (*subnets)>

<Router(config-router)#redistribute eigrp (AS) (*metric (0-16777214)) (*metric-type (1-2)) (*nssa-only)
Example:
metric redistribute router with the specified

metric (by default it is set to 20) (overridden
by a route-map if used)
metric-type External Type 1 (increment the
seed metric by adding the internal cost) or
Type 2 (do not increment metric)
nssa-only redistribute only NSSA external
routes
route-map applies a route map to
subnets redistributes classless networks
Default behavior:
EIGRP
<Router(config)#router router (process ID)>
BGP
<Router(config-router)#redistribute bgp (AS #) (*metric (0-16777214)) (*metric-type (1-2)) (*nssa-only)

when redistributing BGP the metric = 1

when redistributing another OSPF process
take the source routes metric
when redistributing all other sources, use a
default metric = 20
route if not inside an NSSA area
route if inside an NSSA area
uses External Type 2 metric
redistribute only classful networks (ignore
subnets)
94
REDISTRIBUTION INTO BGP

PULL ROUTES FROM:
COMMANDS
COMMENTS
<Router(config)#router ospf (AS #)>
RIP
<Router(config-router)#redistribute rip (*metric (0-4294967295)) (*route-map (route map name))>
EIGRP
<Router(config-router)#redistribute eigrp (AS #) (*metric (0-4294967295)) (*route-map (route map

name))>
<Router(config)#router router (AS #)>
OSPF

(*metric (0-4294967295)) (route-map (route map name))>
95
REDISTRIBUTION OF DIRECTLY CONNECTED NETWORKS & STATIC ROUTES

PROTOCOL
COMMANDS
COMMENTS
Directly connected networks:
<Router(config-router)#redistribute connected (*metric (0-16)) (*route-map (route map name))>

RIP
Static routes:
<Router(config-router)#redistribute static (AS) (*metric (0-16)) (*route-map (route map name))>
<Router(config-router)#redistribute connected (*metric (bandwidth) (delay) (reliability) (load) (MTU)) (route-map (route
map name))>
EIGRP
Static routes:
<Router(config-router)#redistribute static (*metric (bandwidth) (delay) (reliability) (load) (MTU) (route-map (route map
name))>
<Router(config-router)#redistribute connected (*metric (0-16777214)) (*metric-type (1-2)) (*nssa-only) (*route-map (route

map name)) (*subnets)>
OSPF
Static routes:
<Router(config-router)#redistribute static (*metric (0-16777214)) (*metric-type (1-2)) (*nssa-only) (*route-map (route map
name)) (*subnets)>
BGP
<Router(config-router)#redistribute connected (*metric (0-4294967295)) (*route-map (route map name))>

Static routes:
<Router(config-router)#redistribute static (*metric (0-4294967295)) (*route-map (route map name))>
96
FILTERING REDISTRIBUTED ROUTES

WITH DISTRIBUTE LISTS
STEP #
CREATE A STANDARD ACL
COMMANDS
COMMENTS
<Router(config)#ip access-list standard (1-99 | 1300-1999 | name)>

<Router(config-std-nacl)# (permit | deny) A.A.A.A W.W.W.W>
Apply to the redistribution process:
<Router(config-router)#distribute-list (ACL name | #) out (routing protocol routes are pulled from)>
Example:
NOTE: the idea of filtering works different with

OSPF. One of the requirements of link-state
protocols is that the routers in the same area must
have the same, synchronized LSDB. Therefore,
filters cannot be applied outbound!
Also, when applied inbound the route is still
allowed to enter the LSDB but its movement to the
routing table is subject to the filter.

PROCESS
TSHOOT
show ip access-list
97
WITH PREFIX-LISTS
STEP #
COMMANDS
COMMENTS
Basic syntax (checks all the bits starting with the most significant):
<Router(config)#ip prefix-list (list name | #) (*seq (1-4294967294)) permit | deny A.A.A.A/nn>
Description:
<Router(config)#ip prefix-list (list name | #) description (up to 80 characters)>
CREATE A PREFIX LIST
seq sequence number of an entry

permit 0.0.0.0/0 le 32 logical permit any
The length specified by ge should be longer than

the length of the initial prefix (it is impossible to
match anything smaller than the initial prefix)
To permit/deny prefixes greater or equal than the exact prefix:

<Router(config)#ip prefix-list (list name | #) permit | deny A.A.A.A/nn ge (1-32)
To permit/deny prefixes lesser or equal than the exact prefix:
<Router(config)#ip prefix-list (list name | #) permit | deny A.A.A.A/nn le (1-32)
To permit/deny a range of prefixes:
<Router(config)#ip prefix-list (list name | #) permit | deny A.A.A.A/nn ge (1-32) le (1-32)>

PROCESS
TSHOOT

<Router(config-router)#distribute-list prefix (prefix list name) out (routing protocols routes are
pulled from)>
show ip prefix-list (*name)>

show ip prefix-list (*name) detail
show ip prefix-list summary
show ip prefix-list (name) A.A.A.A/nn
show ip prefix-list (name) seq (1-4294967294))
98
WITH ROUTE MAPS

STEP #
COMMANDS
<Router(config)#route-map (map name) (permit | deny) (sequence number; 10,0-65535)>
CREATE A ROUTE MAP
ACL
PREFIX LIST
COMMENTS
permit | deny logical DO | DONT

seq. number clauses are numbered to
specify the order in which they should be
evaluated
match ip address both standard and

extended ACLs can be used
tag a tag follows the route advertisement
even through the redistribution process
OUTGOING INTERFACE
NEXT HOP IP ADDRESS
SOURCE IP ADDRESS

PACKET LENGTH
TAG
METRIC
ROUTE-TYPE (OSFP)
<Router(config-route-map#match route-type (internal | external | type (1 | 2)>
99
The first option does not work with RIP!
<Router(config-router)#distribute-list route-map (route map name) out (routing protocol

routes are pulled from)>
PROCESS
OR
<Router(config-router)#redistribute (source protocol) route-map (route map name)>
TSHOOT
100
MODYFYING THE ATTRIBUTES OF REDISTRIBUTED ROUTES

WITH ROUTE MAPS
STEP #
CREATE A ROUTE MAP
COMMANDS
COMMENTS
ACL
PREFIX LIST
match ip address both standard

and extended ACLs can be used
tag a tag follows the route
advertisement even through the
redistribution process
OUTGOING INTERFACE
NEXT HOP IP ADDRESS
SOURCE IP ADDRESS

PACKET LENGTH
TAG
METRIC
ROUTE-TYPE (OSFP)
101
SET ATTRIBUTES FOR:
Metric
<Router(config-route-map)#set metric (1-4294967295)>

o
all
Tag
<Router(config-route-map)#set tag (0-4294967295)>
EIGRP
Metric
<Router(config-route-map)#set metric (bandwidth kb 1-4294967295) (delay 10-microsec 0-255)

(reliability 0-255) (load 0-255) (MTU 1-65535)>
Tag
OSPF
Metric type
<Router(config-route-map)#set metric-type (1 | 2)>
Weight

o
BGP
Local Preference
<Router(config-router)#redistribute (source routing protocol) route-map (route map name)>
ACTIVATE
(*BGP ONLY)
<Router(config-router)#neighbor A.A.A.A route-map (route map name) (in | out)>
102
REDISTRIBUTION VERIFICATION AND TSHOOTING
show ip route A.A.A.A M.M.M.M

show ip protocols
show ip route eigrp
COMMAND
VERIFIES:
EXAMPLE
The process via which the route was learnt about
show ip route A.A.A.A M.M.M.M
redistributed routes are marked as external

metric values assigned when redistributing
the protocol that routes where redistributed from
external metric
103
The protocols that are being redistributed under a routing process.
show ip protocols
104
External EIGRP routes as marked as EX in the routing table.
show ip route eigrp
105
POLICY BASED ROUTING
a technique used to make routing decisions based on policies set by the network administrator
overrides the routers normal routing behavior
PBR CONFIGURATIONS
STEP #
CREATE A ROUTE MAP
COMMANDS
COMMENTS
ACL
Route maps are used to implement PBR.
PREFIX LIST
match ip address both standard and extended

ACLs can be used
tag a tag follows the route advertisement even
through the redistribution process
OUTGOING INTERFACE
NEXT HOP IP ADDRESS
MATCH ROUTES BASED

ON/WITH
SOURCE IP ADDRESS
PACKET LENGTH
<Router(config-route-map)#match length (min. ; 0-2147483647) (max. ; 0-2147483647)>
TAG
METRIC
ROUTE-TYPE (OSFP)
106
NEXT HOP
<R1(config-route-map)#set ip next-hop (next hop 1 A.A.A.A) (next hop 2 A.A.A.A) (next hop 3 )>
These commands cause the system to use policy

routing first and then use the routing table:
OUTPUT INTERFACE
set ip next-hop
set interface
<R1(config-route-map)#set interface (interface)>
Use PBR first and if the outgoing interface is down or

next-hop is unreachable, use normal forwarding logic.
DEFAULT NEXT HOP
<R1(config-route-map)#set ip default next-hop
SET
These commands cause the system to use routing table

first and then the policy route:
DEFAULT OUTPUT INTERFACE
<R1(config-route-map)#set default interface
set ip default next-hop

set default interface
Use normal forwarding logic (while ignoring any default

routes) and if failed, use the PBR.
When using any combination of these commands within
the same policy the commands are evaluated in the
above order.
To redistributed routes:
<Router(config-router)#redistribute (source routing protocol) route-map (route map name)>
APPLY
To an interface:
<Router(config-if)#ip policy route-map (route map name)>
To traffic generated by the local router:
<Router(config)#ip local policy route-map (route map name)>
TSHOOT

traceroute A.A.A.A source (interface | source A.A.A.AI)
107
PBR VERIFICATION AND TSHOOTING

show ip policy
debug ip policy
COMMAND
VERIFIES
EXAMPLE
Content of the route map.
show ip policy
Policies applied on a given interface.
debug ip policy (*# | name)
Debugs PBR events
108
EXAMPLE:
OBJECTIVES
ICMP packets of 512kb from Client 1 should be sent to ISP1

ICMP packets of 512kb from Client 2 should be sent to ISP2
TELNET and WWW traffic should be sent to ISP1
all other traffic should be sent to ISP2
CONFIGURATIONS
CREATE ACLs
--->
COMMENTS
<R1(config)#ip access-list extended 100>

<R1(config-ext-nacl)#permit icmp host 192.168.1.21 any>
<R1(config-ext-nacl)#exit>
<R1(config-ext-nacl)#permit icmp host 192.168.1.22 any>
<R1(config-ext-nacl)#permit tcp any any eq www>
<R1(config-ext-nacl)#permit tcp any any eq telnet>
CREATE ROUTE MAP
--->
<R1(config)#route-map POLICY permit 10

<R1(config-route-map)#match ip address 100>
<R1(config-route-map)#match length 512 512>
<R1(config-route-map)#set ip next-hop 200.1.1.2>
109
<R1(config)#route-map POLICY permit 20

<R1(config-route-map)#match length 512 512>
<R1(config)#route-map POLICY permit 30>
<R1(config)#route-map POLICY permit 40>
ACTIVATE ROUTE-MAP
--->
<R1(config)#interface fa0/0>
<R1(config-if)#ip policy route-map POLICY>
VERIFY
--->
<R1# show route-map POLICY>
110
IP SLA
Internet Protocol Service Level Agreement

technology that allows Cisco devices to automatically gather information about data traffic
IP SLA CONFIGURATIONS
COMPONENTS
PROBE
COMMANDS
COMMENTS
<Router(config)#ip sla (operation number;1-2147483647)>
<Router(config-ip-sla)#icmp-echo (destination IP | hostname) (*(source-interface (interface) |

(source-ip (ip address))>
<Router(config-ip-sla-echo)#frequency (1-604800 sec.)>
<Router(config-ip-sla-echo)#timeout (0-604800000 msec.)>
<Router(config-ip-sla-echo)#threshold (0-60000 msec.)>
To verify:
<Router#show ip sla configuration>
operation number - identification number of the IP SLA

operation
icmp-echo - configures source to non-responder type of
probe
*icmp-echo source-interface - specifies the source
interface of the ICMP probes
*icmp-echo source-ip - specifies the source IP address of
the ICMP probes (when a source IP / hostname is not
configured, IP SLA chooses the IP address nearest to the
probes destination)
frequency - sets the rate at which a specified IP SLAs
operation repeat (default = 60 sec.)
timeout - sets the amount of time IP SLA operation waits
for a response from its request packet (default = 5000
msec.)
threshold - sets the rising threshold that generates a
reaction event and stores history operation for an IP SLA
operation (e.g. sends SNMP trap) (default = 5000 msec.)
The three above values have to be configured so that:

frequency > timeout > threshold
SCHEDULE
<Router(config)#ip sla schedule (probe number 1-2147483647) (life (0-2147483647 sec.) |

forever)) start-time (hh:mm:ss | now | pending)>
To verify:
ip sla schedule - schedule for the probe defined

life - number of seconds the IP SLA operation actively
collects information (default = 3600 sec.)
start-time - time when the IP SLA operation starts (the
default parameter is pending meaning no information is
collected)
111
TRACKING
OBJECTS
<Router(config)#track (tracked object 1-500) ip sla (probe number 1-2147483647) reachability>
*<Router(config-track)#delay up (0-180 sec.) down (0-180 sec.)>
To verify:
reachability - tracks whether the route is reachable

*delay - specifies a period of time to delay
communicating state changes of a tracked object
up | down - time to delay the notification of an event
(regulate flapping of the tracking state)
<Router#show track>
112
IP SLA VERIFICATION AND TSHOOTING
show ip sla statistics

show ip sla configuration
debug ip sla trace (*1-2147483647)
COMMAND
show ip sla statistics
show ip sla configuration
debug ip sla trace (*1-2147483647)
VERIFIES
operation ID
type of operation
start time
latest return code: OK | FAIL
number of successes / failures
operation TTL
type of operation
target address / source interface
schedule
threshold
statistics
EXAMPLE
debugs ip sla processes
113
EXAMPLES:
SCENARIO 1: APPLY IP SLA TO A STATIC ROUTE
OBJECTIVES
all traffic leaving R1 should be sent to ISP1

should the path to ISP1 fail, the default route should point to ISP2
if the path to ISP1 comes back on line, it should become the primary again
CONFIGURATIONS
COMMENTS
CREATE PROBE
--->
<Router(config)#ip sla 10>

<Router(config-ip-sla)#icmp-echo 200.1.1.2 source-interface s1/0>
<Router(config-ip-sla-echo)#threshold 500>
<Router(config-ip-sla-echo)#timeout 1000>
<Router(config-ip-sla-echo)#frequency 3>
CREATE PROBE SCHEDULE
--->
<Router(config)#ip sla schedule 10 start-time now life forever>
CREATE TRACKING OBJECT
--->
<Router(config)#track 10 ip sla 10 reachability>
CREAT STATIC ROUTES
--->
<Router(config)#ip route 0.0.0.0 0.0.0.0 s1/0 200.1.1.2 3 track 10>

<Router(config)#ip route 0.0.0.0 0.0.0.0 s1/0 201.1.1.2 5>
VERIFY
--->
track - installs the route in the routing table

depending on the tracked object (in this case
number 10 is the number of the tracking object)
3 | 5 - Administrative Distance values; since both
routes point to the same destination the router
relies on the AD to decide which one install in the
routing table. As long as the primary route (AD 3)
is up the secondary route (AD 5) will not be used

<Router#show ip sla statistics>
114
SCENARIO 2: APPLY IP SLA TO A ROUTE MAP
OBJECTIVES
all traffic generated by the router itself should by default be directed to ISP1
should the path to ISP1 be unavailable the traffic should be directed to ISP2
CONFIGURATIONS
COMMENTS
CREATE PROBE
--->
<Router(config)#ip sla 10>

<Router(config-ip-sla)#icmp-echo 200.1.1.2 source-interface s1/0>
<Router(config-ip-sla-echo)#threshold 500>
<Router(config-ip-sla-echo)#timeout 1000>
<Router(config-ip-sla-echo)#frequency 3>
CREATE PROBE SCHEDULE
--->
<Router(config)#ip sla schedule 10 start-time now life forever>
CREATE TRACKING OBJECT
--->
<Router(config)#track 10 ip sla 10 reachability>
CREAT ACL
--->
<Router(config)#ip access-list extended 100>

<Router(config-ext-nacl)#permit ip any any>
CREATE ROUTE-MAP
--->
<Router(config)#route-map ROUTER-TRAFFIC permit 10>

<Router(config-route-map)#match ip address 100>
<Router(config-route-map)#set ip next-hop verify-availability 200.1.1.2 10 track 1>
<Router(config-route-map)#set ip next-hop 201.1.1.2>
<Router(config)#ip local policy route-map ROUTER-TRAFFIC>
ACTIVATE ROUTE-MAP
--->
verify-availability - next hop is subject to

availability (if the tracking object is down, PBR
ignores the set command)
10 - a sequence number inserted into the next-hop
list (1-65535)
ip local policy - enables policy routing
115
VERIFY
--->
<Router#show route-map ROUTER-TRAFFIC>
116
BGP
BGP Basics
BGP Rules
BGP Multihoming
BGP Implementation Flavours
BGP Session Establishment
BGP Packets
BGP Tables
BGP Attributes
BGP Best Path Selection Process
BGP Advanced Features
BGP Configurations
BGP Verification and Tshooting
BGP BASICS
TYPE
PEERING MECHANISM
Path Vector
Manual
AD
STANDARD
eBGP:20
iBGP: 200
Open
PROTOCOLS
TRANSPORT
IPv4
IPv6
TCP:179
AUTHENTICATION
TIMERS
MD5
plain text
Hello:60
USE BGP WHEN:
an AS allows packet to transit through it to reach other AS (e.g. ISP)

an AS has multiple connections to other AS
theres a need for routing policy implementation for traffic entering / leaving the AS
DO NOT USE BGP WHEN:
a single connection exists to the Internet or another AS

BGP routers lack memory or processor power to handle constant updates
16
24
Hold:180
32
Version
My Autonomous System
Hold Time
BGP Identifier
Length
Optional Parameters
Optional Parameters
118
BGP RULES
RULE 1: SYNCHRONIZATION RULE
Do not use, or advertise to an eBGP peer, routes learned by iBGP until a match has been learned from an IGP
disabled by default in >= IOS 12.2(8)T

ensures consistency of information throughout the AS
safe to have it off only if all routers in the transit path in the AS are running full-mesh iBGP
To enable/disable synchronization:
<Router(config-router)#(no) synchronization>
EXAMPLE:
*no matching IGP routes exist
SYNCHRONIZATION ON
routers A, C, D would not use or advertise the router to 172.16.0.0 until they receive
the matching router via an IGP
router E would not hear about 172.16.0.0
SYNCHRONIZATION OFF
RULE 2: UPDATES BETWEEN iBGP
Routes learned through iBGP are never propagated to other iBGP peers
each BGP peer is assumed to have a neighbor statement for all other iBGP speakers in the AS (full mesh BGP)
can be by-passed by using route reflectors or confederations
RULE 3: eBGP PEERING
routers A, C, D would use and advertise the route that they receive via iBGP
router E would hear about 172.16.0.0
eBGP peers must be directly connected
when building a packet to a eBGP peer, the IOS sets the TTL value in the IP header to 1 (as per BGP4 specification)
can be by-passed by using the ebgp-multiphop command
RULE 4: NEXT HOP PROCESSING
For eBGP peers: change next hop address on advertised routes

For iBGP peers: do not change next hop address on advertised routes
119
BGP MULTIHOMING
situation when an AS has more than one connection to the ISP

it increases reliability (redundancy) and performance (better path selection)
Single Homed (1 link per ISP, 1 ISP)
Dual Homed (2+ links per ISP, 1 ISP)
Single Multihomed (1 link per ISP, 2+ ISPs)
Dual Multihomed (2+links per ISP, 2+ ISPs)
BGP IMPLEMENTATION FLAVOURS
BGP can be implemented in an organization using the following styles:

FLAVOUR
OVERVIEW
DEFAULT ROUTE
COMMENTS
the ISP sends an AS only a default route

the AS sends all of its routes to the ISP which passes them on to other ASs
if multiple default routes are received the best one is chosen based on the IGP metric
the route that packet destined to an AS takes is decided outside the AS
LIMITATIONS:
path manipulation cannot be performed

bandwidth manipulation is extremely difficult
the ISP sends a default route and a partial table

path selection is more predicable than using a default route
DEFAULT ROUTE + SELECTED ROUTES
120
FULL ROUTES
all ISPs pass all routes to the AS

iBGP is run on all routers in the transit path in the AS
allows the internal routers of the AS to take the path through the best ISP for each route
configuration requires a lot of resources within the AS because it must process all of the
external routes
LIMITATIONS:
powerful routers required with big memory to handle a large amount of routes
121
BGP SESSION ESTABLISHMENT PHASES
neighbors are not dynamically discovered! --> they need to be manually configured on both ends
keepalives are sent every 60 sec.
the following phases are triggered by entering the neighbor statement under a BGP routing process on a router
debug ip bgp all (to view session setup)
PHASE
OVERVIEW
COMMENTS
Initial state of a BGP connection
IDLE
Possible reasons for being stuck in this state:
the BGP speaker is waiting for a BGP start event e.g. (re)establishment of a TCP connection
the state is also true when the BGP process is administratively down
the router is looking for the route to the IP address stated in the neighbor statement
the router can transition back to this state from any other BGP state in case of errors
The router is attempting to establish a TCP connection
ACTIVE
the router is waiting for the local IGP to learn about

the network through an advertisement from another
router
the router is looking for the route to IP address stated
in the neighbor statement
Possible reasons for being stuck in this state:
the router has found the IP address from the neighbor statement and sent an Open packet
the router hasnt received the Open Confirm packet
may cycle between Active and Idle
the neighbor does not have a return path to the route

that sent the packet
neighbor is peering with the wrong address
neighbor does not have a neighbor statement for this
router
AS number is incorrect
NOTE: it cannot be determined from this phase whether

the connection can complete or not!
CONNECT
the BGP process is waiting for the TCP connection to be completed

if successful, the state transitions to Open Sent
OPEN SENT
TCP connection has been established

Open message was sent containing parameters for the BGP session and waiting for a reply
OPEN CONFIRM
the router received agreement on parameters for establishing a session

waiting for a keepalive message (all parameters matched) or notification (parameters mismatch)
If there is no response to Open message within 5 sec., the

router goes into Active state.
peering has been established and routing can begin

peers can now exchange update messages
desired state for the BGP operation
If there is a response to Open message within 5 sec., the

router start evaluating its routing table for the paths to
send to the neighbor. Once theyre found the routers goes
into Established state and begins routing between the
neighbors.
ESTABLISHED
122
123
BGP PACKETS
PACKET
OPEN
o
VERSION
AS
OVERVIEW
sent after the TCP handshake is completed

used to start a BGP peering session
the highest common version of the protocol both routers can use
version 4 has been used since 1994
the AS number of the local router
verified by the peer if the value is not what

expected the BGP session is taken down
the maximum number of sec. that can elapse between the successive keepalives and update
messages from the sender
upon receiving of an Open message the router

calculates the value of the HOLD timer by using
whichever is smaller: locally configured value or
the value received in the Open message
the BGP router ID of the peer

determined in the following order:
HOLD TIME
ROUTER ID
OPTIONAL
COMMENTS
1.
2.
3.
ID hardcoded using the <(config-router)#bgp router-id A.A.A.A> command

highest IP of an UP|UP local loopback interface
highest IP of an UP|UP physical local interface (doesnt have to be BGP enabled)
Type | Length | Value

e.g. authentication
KEEPALIVE
exchanged between BGP peers to maintain an existing the relationship

consist only of a message header
UPDATE
contain BGP updates

each packet has information on a single path only (multiple paths require multiple packets)
all attributes in an Update message refer to that path only
WITHDRAWN
the list displays IP address prefixes for routes that are withdrawn from service (if any)
ATTRIBUTES
Type | Length | Value
L3 REACHABILITY
destinations reachable through the path
Are sent to both announce and withdraw routes

(announce they are not longer valid).
124
NOTIFICATION
sent when an error condition has been detected

the BGP connection is closed down immediately after the message is sent
can include an error code, error subcode and data related to the error
ERROR CODE
MESSAGE HEADER ERROR
OPEN MESSAGE ERROR
UPDATE MESSAGE ERROR
ERROR SUBCODE
1.
2.
3.
Connection Not Synchronized

Bad Message Length
Bad Message Type
1.
2.
3.
4.
5.
6.
Unsupported Version
Bad Peer AS
Bad BGP Identifier
Unsupported Optional Parameter
Authentication Failure
Unacceptable Hold Time
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
Malformed Attribute List

Unrecognized well-known attribute
Missing Well-Known Attribute
Attribute Flags Error
Attribute Length Error
Invalid Origin Attribute
AS routing loop
Invalid NEXT_HOP attribute
Optional Attribute Error
Invalid Network Field
HOLD TIME EXPIRED

FINITE STATE ERROR
NO SUBCODES
CEASE
125
BGP TABLES
TABLE
NEIGHBOUR TABLE

<Router#show ip bgp summary>
OVERVIEW
COMMENTS
lists all BGP neighbors
BGP router ID IP address that all other BGP peers

recognize as representing this router
Table version increase in increments when the
BGP table changes
Main routing table version last version of the
BGP database that was injected into the main
routing table
Neighbor IP address that is used in the neighbor
statement with which this router has a
relationship
V (Version) BGP version that this router is
running with the listed neighbor
AS autonomous system number of the listed
neighbor
MsgRcvd (Message Received) number of BGP
messages that have been received from that
neighbor
MsgSent (Message Sent) number of BGP
messages that have been sent to that neighbor
TblVer (Table Version) BGP table version
InQ number of BGP messages waiting to be
processed from this neighbor
OutQ number of BGP messages waiting to be
sent to this neighbor
Up/Down length of time that this neighbor has
been in the current BGP state
State BGP state (empty = established)
PfxRcd (Prefix Received) number of BGP
network entries received from the listed neighbors
126
BGP TABLE
lists all networks learned from each neighbor
<Router#show ip bgp>
s (suppressed) specified router are suppressed

(usually because routes have been aggregated and
only the summary route is being sent
d (damped) route is being dampened (penalized)
for going up and down too often (it is not
advertised until the penalty has expired)
h (history) route is unavailable and possibly
down (historic information about the route exists
but the best route does not)
* - indicates that the next hop is valid
> - best route (add to the routing table)
i (internal) - entry originated in iBGP (received
from an iBGP peer) (no letter means eBGP)
Next Hop - if 0.0.0.0 that means the local router
advertises these networks
r (RIB failure) the routing table rejects a route
learnt via BGP for any of the following reasons:
- a route with a better AD is already present in IGP

- memory failure
- the number of routers in VPN routing/forwarding
exceeds the route-limit configured under the VRF
instance
s (stale) symbol is used in nonstop forwardingaware router
127
ROUTING TABLE

<Router#show ip route bgp>
lists best paths to destination networks
eBGP AD - 20
iBGP AD - 200
128
BGP BEST PATH SELECTION

the BGP table usually has multiple paths from which to choose for each network
because BGP is not designed to perform load balancing, only single path is used for each network
paths are chosen based on policy
the path selection process eliminates any multiple paths until a single best path is left
the router from the source with the lowest AD is installed in the routing table
using default settings for path selection in BGP can cause uneven use of bandwidth!
Ignore routers with an inaccessible next-hop address (inaccessible = no entries for that destination in the routing table)
Prefer the path with the highest WEIGHT (local to router) (default = 32768 for directly connected; = 0 for all the other routes)
Prefer the path with the highest LOCAL_PREF (global within AS) (default = 100)
Prefer the path originated by the local router via the network command or redistribution (NEXT HOP = 0.0.0.0)
Prefer the path with the shortest AS_PATH
Prefer the path with the lowest ORIGIN TYPE (IGP > EGP > incomplete)
Prefer the path with the lowest MED (from other AS) (default = 0)
Prefer eBGP over iBGP
Prefer the path with the lowest IGP METRIC to the next-hop
Determine if multiple paths require installation in the routing table for BGP Multipath
10
When both paths are external, prefer the one that was received FIRST (the oldest one)
11
Prefer the route that comes from the BGP router with the lowest ROUTER ID
12
If the originator or router ID is the same for multiple paths, prefer the path with the minimum CLUSTER LIST LENGTH
13
Prefer the path that comes from the lowest NEIGHBOR ADDRESS
129
BGP ATTRIBUTES
CATEGORIES
BGP announces paths and the networks that are reachable at the end of the path
the paths are described by the use of attributes
CATEGORY
OVERVIEW
ATTRIBUTES
WELL KNOWN
MANDATORY
DISCRETIONARY
o
o
recognized by all compliant BGP implementations

mandatory presence in BGP update messages (if missing, an error will be generated)
AS PATH
ORIGIN (IGP, EGP, UNKNOWN)
NEXT HOP
o
o
recognized by all compliant BGP implementations

optional presence in BGP update messages
LOCAL PREFERENCE
ATOMIC AGGREGATE
o
o
may or not be recognized by all BGP implementations

routers that do not implement an optional transitive attribute pass it to other BGP
routers unmodified and mark the attribute as partial
AGGREGATOR
COMMUNITY
o
o
may or not be recognized by all BGP implementations

BGP routers that do not implement an optional non-transitive must delete the attribute
and must not pass it on to other BGP peers
MED
ORIGINATOR ID
CLUSTER LIST
CLUSTER ID
WEIGHT
OPTIONAL
TRANSITIVE
NON-TRANSITIVE
130
ATTRIBUTES
ATTRIBUTE
OVERVIEW
COMMENTS
WELL KNOWN MANDATORY
AS PATH
NEXT HOP
a list of AS the route has traversed to reach a destination

AS is prepended (added to the front of the list) when route crosses a boundary
without attribute manipulation this is the most common reason for path selection
indicates the next-hop IP address that is to be used to reach a destination

typically IP address of the outbound interface of the originating router (unless
update-source command is used)
eBGP neighbors change the next-hop to the IP address

of the outgoing interface
iBGP neighbors do not change the next-hop address
To change the next-hop attribute to local router on an iBGP peer:

<Router(config-router)#neighbor A.A.A.A next-hop-self>
the number of the AS that originated the route sits at

the end of the list
also used as a loop prevention mechanism (if a router
receives an update for a route and sees local AS in the
AS_PATH the update is rejected)
The next-hop must be reachable from the local router (the

route was learnt either via an IGP or a static route)
otherwise packets will be dropped.
If receiving router is on the same subnet as the sender, the
next-hop stays the same.
Defines the origin of the path information:
EGB (Exterior Gateway Protocol) was the name of the

protocol that was replaced with BGP.
IGB
It should never appear as the origin!

-
ORIGIN
EGP
-
(i) in the BGP table

router is interior to the originating AS
the route was advertised via BGP most likely by using the network command
(e) in the BGP table

the route has been learned via EGP
INCOMPLETE
-
(?) in the BGP table

the origin of the route is unknown
most likely redistributed into BGP
131
WELL KNOWN DISCRETIONARY
indicates to routers in the AS the preferred path to leave that AS

used within an AS between iBGP peers
influences outbound traffic out of an AS
used when two or more routers provide multiple exit points from an AS
default for iBGP peers = 100

default for eBGP peers = 0
higher is better
To modify :
LOCAL PREFERENCE
ATOMIC AGGREGATE
<Router(config-router)#bgp default local-preference (0-4294967295)>
informs a router (tags and notifies) that a route has been summarized
designates the IP address of the router that performed summarization (aggregated

routes)
used for route tagging
OPTIONAL TRANSITIVE
AGGREGATOR
COMMUNITY
Can be used to influence from who summary routes are

accepted.
132
OPTIONAL NON-TRANSITIVE
used to suggest another AS an entry point into local AS

eBGP peers propagate the MED within their AS
influences inbound traffic to an AS
with the use of MED, BGP is the only protocol that can influence how routes enter the AS
To modify:
<Router(config-router)#default-metric>
lower is better
default = 0
bgp always-compare-med - if not enabled, the MED
comparison is made only if the neighboring AS is the
same for all routes considered
bgp bestpath med missing-as-worst if MED
attribute is missing in the update its considered the
worst
Other parameters:
MED
<Router(config-router)#bgp always-compare-med>
<Router(config-router)#bgp bestpath med missing-as-worst>
CISCO proprietary
indicates to routers in the AS the preferred path to leave that AS
configured locally and not propagated to other routers
influences AS outbound traffic
used when a single router provides multiple exist from an AS
higher is better
default (paths originated by the router) = 32768
default (other paths) = 0
To modify:
WEIGHT
<Router(config-router)#neighbor A.A.A.A weight (0-65535)>
133
BGP ADVANCED FEATURES

BGP PEER GROUPS
neighboring routers with the same update policies can be grouped into peer groups
members of a peer group inherit all the configuration options of the peer group (routers can be configured to override selected options)
updates are generated only once per peer group and that update is replicated for each neighbor
peer group name is local to the router it is configured on and it is not passed on to other routers
a router can be a member of a single peer group only
EXAMPLE:
134
BGP ROUTE REFLECTORS
offers an alternative to the full mesh requirement of iBGP peering

similar to OSPFs DR/BDR feature
the Route Reflector acts a focal point for iBGP sessions
multiple BGP routers peer with a central point, the RR server, rather than peer with every other router in a full mesh (they become RR clients)
RR servers propagate routes inside the AS based on the following:
o
o
o
o
o
if a route is received from a non-client peer, it is reflected to clients only

if a route is received from a client peer, it is reflected to all non-client peers (with except of the originating router)
if a route is received from an eBGP peer, it is reflected to all client and non-client peers
only the best paths will be reflected
the RR server cant introduce any changes to the attributes of the routes reflected
BGP CONFEDERATIONS
allow to partition an AS into sub-AS and avoid having to fully mesh a iBGP network
each confederation has a fully meshed BGP topology between the routers forming the confederation
the behavior between the members of a confederation is more like a eBGP session
135
BGP AUTHENTICATION
uses MD5
password must be the same on both ends (if differs, the peering session wont be established)
the digest is made out of the key and the message
router generates and checks the MD5 digest of every segment sent on the TCP connection
the source of each routing update packet received is authenticated
EXAMPLE:
136
BGP CONFIGURATIONS
ACTIVATION
STEP #
COMMAND
<Router(config)#router bgp (AS; 1-4294967295>
COMMENTS
autonomous system identifies the AS to which the router

belongs
This value is compared to local AS value:
ENABLING BGP
- if same = iBGP neighbor

- if different = eBGP neighbor
Only one instance of BGP can be configured on a router.
<Router(config-router)#bgp router-id A.A.A.A>
ROUTER ID
To verify:
<Router#show ip bgp summary>
bgp router-id - routers identification in the BGP process
Once router ID is changed, the adjacency is automatically reset

*Nov 25 18:37:41.263: %BGP_SESSION-5-ADJCHANGE: neighbor
10.0.0.2 IPv4 Unicast topology base removed from session Router
ID changed.
<Router(config-router)#auto-summary>
1.
Influencing the network command (*only if mask is omitted):
<Router(config-router)#no auto-summary>
Add a classful network to the BGP table if:
NO AUTO-SUMMARY
- the exact classful route is in the routing table
AUTO-SUMMARY
- the exact classful route is in the routing table
AUTOMATIC
SUMMARIZATOIN
OR
- a subnet of that classful network exist in the routing table
2.
When redistributing networks into BGP:
AUTO-SUMMARY
- all routers are summarized to their classful boundaries
NO AUTO-SUMMARY
- all routers are presented in their original form

137
This feature is OFF by default starting from IOS > 12.2(8)T

<Router(config-router)#synchronization>
<Router(config-router)#no synchronization>
synchronization enforces the following rule:
Do not use or advertise to an eBGP peer a route learnt by iBGP

until a matching route has been learnt from an IGP.
SYNCHRONIZATION
Ensures consistency of information throughout the AS.

Safe to turn off when local AS is not transit or all transit routers run
BGP.
This feature is ON by default starting from IOS 12.2(8)T
<Router(config-router)#neighbor A.A.A.A remote-as (neighbors AS)>
neighbor A.A.A.A - activates a BGP session with this neighbor
The router must have an IP path to reach this neighbor before it

can set up a BGP relationship.
The command is used for both internal and external neighbors.
ADDING NEIGHBORS
The IP address is the destination address for all BGP packets going
to this neighboring router.
Internal neighbors dont need to be directly connected.
External neighbors do need to be directly connected.
NETWORK STATEMENT
<Router(config-router)#network A.A.A.A (*mask M.M.M.M)>
ADDING NETWORKS
REDISTRIBUTE CONNECTED
<Router(config-router)#redistribute connected (*route-map (route map name))>
Before BGP starts advertising a network it checks whether it can

reach that network.
To advertise a summary:
<Router(config)#ip route A.A.A.A M.M.M.M null0>
DEFAULT ROUTE
network tells router to look for a route in the routing table

that exactly matches the parameters in the network
command (prefix + prefix length), and if theres a match to
put identical prefix+prefix length combination in the BGP
table
mask if omitted a classful mask is assumed
The list of network commands must include all networks in the AS

that need to be advertised (including those that are not locally
connected).
<Router(config)#ip route 0.0.0.0 0.0.0.0 (A.A.A.A | exit interface)>

<Router(config)#router bgp (AS)>
<RouteR(config-router)#neighbor A.A.A.A default-originate>
138
TUNING
<Router(config-router)#neighbor A.A.A.A shutdown>
<Router(config-router)#no neighbor A.A.A.A shutdown>
Used for maintenance and policy changes to prevent route

flapping.
ADMINISTRATIVE
SHUTDOWN
TIMERS
SOURCE OF UPDATES
shutdown used to administratively bring a BGP neighbor to

an idle state
*Dec 7 20:38:03.031: %BGP_SESSION-5-ADJCHANGE: neighbor

10.1.48.1 IPv4 Unicast topology base removed from session
Admin. shutdown
<Router(config-router)#timers bgp (keepalive 0-65535) (holdtime 0-65535)>
timers bgp adjust the BGP timers
<Router(config-router)#neighbor A.A.A.A update-source (interface)>
update-source allows the BGP process to use the IP address

of a specified interface as the source IP address of all BGP
updates to that neighbor
When creating a BGP packet the neighbor statement defines the

destination IP address and the outbound interface defines the
source IP address. When a BGP packet is received the source IP
address is compared against the list of neighbor statements (if a
match is found a relationship is formed; otherwise the packet is
ignored). This behavior might result in peering issues when there
are multiple paths between BGP neighbors.
For iBGP neighbors a loopback address is recommended since its
always UP|UP.
For eBGP neighbors, since they need to be directly connected, a
loopback cant be used (a loopback of a neighbor is not considered
to be directly connected) unless the default TTL settings are
adjusted (ebgp-multihop).
139
<Router(config-router)#neighbor A.A.A.A ebgp-multihop (TTL 1-255)>
ebgp-multihop increases the default of 1 hop for eBGP

peers
Because internal routing information is not exchanged between

eBGP peers they have to be formed via directly connected
addresses.
However, when multiple paths to an eBGP exist (e.g. for
redundancy) peering must be done on loopback interfaces to make
the neighbor reachable via multiple paths.
*the loopbacks must be accessible by all the peers (e.g. static

routes can be used)
MULTHOPPING
<Router(config-router)#neighbor A.A.A.A next-hop-self>
next-hop-self - forces all updates for this neighbor to be

advertised with this router as the next hop
NEXT-HOP
MANIUPLATION
140
To create a peer group:

<Router(config-router)#neighbor (peer group name) peer-group>
PEER GROUPS
To create a configuration template for the peer group:

<Router(config-router)#neighbor (peer group name) (command)>
To assign a peer group to a neighbor:
Neighboring routers with the same update policies can be grouped

into peer groups. Members of a peer group inherit all the
configuration options of the peer group (routers can be configured
to override selected parameters). Updates are generated only once
per peer group. Generated update is replicated for each neighbor.
Peer group name is local to the router it is configured on and it is
not passed on any other router.
A router can be a member of a single peer group.
<Router(config-router)#neighbor (neighbor IP address) peer-group (peer group name)>

<Router(config-router)#neighbor A.A.A.A route-reflector-client>
ROUTE REFLECTORS
To verify:
route-reflector-client sets the local router as a route

reflector server in regards to the configured peer
<Router#show ip bgp neighbor>
*Nov 25 18:37:41.263: %BGP_SESSION-5-ADJCHANGE: neighbor

10.0.0.2 IPv4 Unicast topology base removed from session
<Router(config-router)#neighbor A.A.A.A remove-private-as>
remove-private-as removes private AS from the AS path

RANGE
0
1-64495
PRIVATE AS RANGE
AUTHENTICATION
Reserved
Assignable by IANA for public use
64496-65511
Reserved for use in documentation
65512-65534
Private use
65535
<Router(config-router)#neighbor (A.A.A.A | peer group name) password (key value up to

25 characters)>
PURPOSE
Reserved
password the first character cannot be a number (space

after the first character can cause authentication to fail
Configuring / changing the password will not tear down the

connection (the local router attempts to maintain the peering
session using the new password until the BGP hold-down timer
expires). If the password is not entered or changed on the remote
router before the timer expires, the session times out.
141
<Router(config-router)#aggregate-address A.A.A.A M.M.M.M (*summary-only)>
To send the aggregated route to specific peers only:

<Router(config)#access-list (#) permit A.A.A.A W.W.W.W><Router(config)#route-map
(route map) permit | deny (sequence number)>
ROUTE AGGREGATION
UPDATE
INFORMATION
STORAGE
aggregate-address sends a summary route

summary-only suppress the default behavior of sending the
summary AND the subnets (if enabled only summary is sent)
<Router(config-route-map)#match ip address (#)
NOTE: aggregation only applies to routes that exist in the BGP table
the aggregated route is only forwarded if at least one more
specific route of the aggregation exists!
<Router(config-router)#aggregate-address A.A.A.A M.M.M.M suppress-map (route

map)>
The summary works for all BGP peers unless suppress maps are
used.
<Router(config-router)#aggregate-address A.A.A.A M.M.M.M unsuppress-map (route

map)>
<Router(config-router)#neighbor (A.A.A.A) soft-reconfiguration inbound>
suppress-map matches whatever networks are permitted

by the ACL and suppresses them
unsuppress-map - matches whatever networks are
permitted by the ACL and un-suppresses them
soft-reconfiguration inbound makes the BGP to save all
updates that were learned from the neighbor specified
The router retains an unfiltered table of what that neighbor has

sent. When the inbound policy is changed, issuing the clear ip bgp
* command causes the unfiltered table generates new inbound
updates and the results are placed in the BGP table.
142
TUNIG THE ATTRIBUTES

ATTRIBUTE
AS-PATH
SYNTAX
COMMENTS
To change the AS-PATH value using a route map:
<Router(config)#ip as-path access-list (1-500) permit|deny (regular expression)>

<Router(config)#exit>
<Router(config)#router bgp (AS)>
<Router(config-router)#neighbor A.A.A.A filter-list (list number) (in|out)>
To verify:
ip as-path access lists based on AS path; allow for controlling

routing information based on BGP AS information
filter-list activates ip as-path under a BGP routing process
in | out inbound | outbound direction
Regular expression atoms:

. - matches any single character
^ - matches the beginning of a string
$ - matches the end of a string
<Router#show ip bgp regexp (regular expression)>

Example: Configure the local router to not propagate routes originated in AS100
<Router(config)#ip as-path access-list 1 deny ^100$>
<Router(config)#ip as-path access-list 1 permit .*>
<Router(config)#router bgp 500>
<Router(config-router)#neightbor 172.16.1.2 filter-list 1 out>
To set a default local-preference value:
<Router(config-router)#bgp default local-preference (0-4294967295)>

To change the local-preference value using a route map:
LOCAL PREFERENCE
bgp default local-preference changes the default value of

100 to that configured and applies it to all the BGP routes on
the local router; the value these routes is shared among iBGP
peers within the same AS
<Router(config)#route-map (name) permit (sequence #)>

<Router(config-route-map)#set local-preference (0-4294967295)>
<Router(config-route-map)#router bgp (AS)>
<Router(config-router)#neighbor A.A.A.A route-map (route map) (in | out)>
143
To set a default MED value:
To change the MED value using a route map:
MED
bgp always-compare-med - if not enabled, the MED

comparison is made only if the neighboring AS is the same for
all routes considered
bgp bestpath med missing-as-worst if MED attribute is
missing in the update its considered the worst
<Router(config)#route-map (name) permit (sequence #)>

<Router(config-route-map)#set metric (0-4294967295)>
*Optional:
<Router(config-router)#bgp always-compare-med>
<Router(config-router)#bgp bestpath med missing-as-worst>
To change the WEIGHT value using a route map:
WEIGHT
<Router(config)#route-map (name) permit | deny (sequence #)>

<Router(config-route-map)#set weight (0-65535)>
To change the WEIGHT value on a per neighbor basis:
<Router(config-router)#neighbor A.A.A.A weight (0-65535)>
144
REDISTRIBUTION
ROUTING PROTOCOLS
PULL ROUTES FROM:
RIP
EIGRP
COMMANDS
COMMENTS

< <Router(config-router)#redistribute rip (*metric (0-4294967295)) (*route-map (route map name))>
<Router(config-router)#redistribute eigrp (AS #) (*metric (0-4294967295)) (*route-map (route map name))>
<Router(config)#router router (AS #)>
OSPF

(*metric (0-4294967295)) (route-map (route map name))>
DIRECTLY CONNECTED NETWORKS & STATIC ROUTES

COMMANDS
COMMENTS

<Router(config-router)#redistribute connected (*metric (0-4294967295)) (*route-map (route map name)>
Static routes:
<Router(config-router)#redistribute static (*metric (0-4294967295)) (*route-map (route map name)>
145
BGP VERIFICATION AND TSHOOTING
show ip bgp
show ip bgp A.A.A.A M.M.M.M
show ip bgp summary
show ip bgp neighbors
show ip bgp rib-failure
debug ip bgp all
debug ip bgp updates
clear ip bgp *
clear ip bgp (neighbor address)
clear ip bgp * in
clear ip bgp * out
clear ip bgp * soft
COMMAND
show ip bgp
VERIFIES / ACTION
SCREENSHOT
entries in the BGP table

routes learnt via BGP
routes that will be installed in the routing table
metric value
local preference value
weight value
AS_PATH value
Detailed information on routes learned via BGP
show ip bgp A.A.A.A/mm
show ip bgp summary
router ID
local AS number
BGP table version
BGP neighbors
146
Detailed information about BGP neighbors:
show ip bgp rib-failure
connection established number of times a TCP and BGP connection

have been successfully established
connections dropped number of times a TCP and BGP connections
have been dropped
displays networks which BGP chosen as best but did not end up being
installed in the routing table
explains why networks werent installed
show ip bgp neighbors (neighbor)

received-routes
Displays BGP routes learned from a neighbor, before being processed by an inbound filter

routes
Display BGP routes learned from a neighbor, after being process by an inbound filter

advertised-routes
Display BGP routes sent to a neighbor, after applying the outbound filter
debug ip bgp all
Debugs all BGP associated events
debug ip bgp updates
Debugs events associated with BGP packets exchange
clear ip bgp *
clear ip bgp (neighbor address)
hard reset
completely resets all BGP adjacencies
closes and re-established TCP connections
entire BGP table is discarded
BGP session makes the transition from established to idle; everything must be re-learned
if the soft-reconfiguration inbound command is used, the stored unfiltered table generates new inbound updates and the results are placed
in the BGP table
hard resets only a single neighbor

less severe than the previous command
147
clear ip bgp * in
soft reset of the inbound updates

the TCP connection is not torn down
clear ip bgp * out
soft reset of the outbound updates

the TCP connection is not torn down
the router creates a new update and sends the entire table to all neighbors
recommended command when the outbound policy has been changed
clear ip bgp * soft
Performs soft reset of both inbound and outbound updates
148
APPENDIX A: AUTO-SUMMARY VS. NO AUTO-SUMMARY BEHAVIOR EXAMPLE
ROUTING TABLE
C
L
C
L
C
L
C
L
C
L
C
L
C
L
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

10.1.45.0/30 is directly connected, Serial1/3
10.1.45.1/32 is directly connected, Serial1/3
11.0.0.0/8 is directly connected, Loopback11
193.168.1.0/32 is subnetted, 1 subnets
193.168.1.1 is directly connected, Loopback193
NETWORK
STATEMENT
ENTRY IN BGP TABLE

COMMENTS
AUTO-SUMMARY
NO AUTO-SUMMARY
network 11.0.0.0
11.0.0.0/8
11.0.0.0/8
BGP assumes the default classful mask (/8)

entry for 11.0.0.0/8 exist in the routing table
route is installed in the BGP table
network 12.1.0.0
not installed
not installed

no entries in the routing table for 12.0.0.0/8
no routes are installed in the BGP table

no entries for classful network in the routing table
entries for subnet of the classful network exist
install classful network if the auto-summary
enabled
network 12.0.0.0
12.0.0.0/8
not installed
network 172.16.0.0
172.16.0.0/16
172.16.0.0/16
BGP assumes default classful mask (/16)

entry for 172.16.0.0/16 exist in the routing table
route is installed in the BGP table
network 173.1.1.0
not installed
not installed

no entries in the routing table for 173.1.0.0/16

install classful network if the auto-summary
enabled

install classful network if auto-summary enabled
network 173.1.0.0
network 192.168.1.0
173.1.0.0/16
192.168.1.0/24
not installed
not installed
149
Branch Office
NAT
IP Sec
GRE Tunneling
NAT
NAT ADDRESS CLASSIFICATION
INSIDE LOCAL
the actual address assigned to an inside host
INSIDE GLOBAL
an inside address seen from the outside
OUTSIDE LOCAL
an actual address assigned to an outside host
OUTSIDE GLOBAL
an outside address seen from the inside
151
NAT CONFIGURATIONS
DYNAMIC TRANSLATION
STEP #
COMMANDS
CREATE ACL TO MATCH

INSIDE LOCAL ADDRESSES
<Router(config)#ip access-list extended (# | name)>
CREATE NAT POOL OF

INSIDE GLOBAL
ADDRESSES
<Router(config)#ip nat pool (pool name) (start IP address) (end IP address) (netmask (M.M.M.M)) (prefix-length (1-32))>
COMBINE THE ABOVE

TOGETHER
<Router(config)#ip nat pool inside source (ACL) pool (pool name)>
COMMENTS
<Router(config-nacl-ext)#(permit | deny) ip (source) (destination)
<Router(config)#interface (interace)>
DEFINE BOUNDRY
INTERFACES
<Router(config-if)#ip nat (inside | outside)>

To verify:
<Router#show ip nat statistics>
STATIC TRANSLATION
STEP #
COMMANDS
CREATE STATIC RULE
<Router(config)#ip nat pool inside static (address to be translated) (address to be translated to)>
DEFINE BOUNDRY
INTERFACES
<Router(config)#interface (interace)>
COMMENTS
<Router(config-if)#ip nat (inside | outside)>
152
NAT VERIFICATION AND TSHOOTING
show ip nat translations

show ip nat statistics
clear ip nat translations *
COMMAND
show ip nat translations
VERIFIES
Inside global / local addresses translated to: outside local / global addresses
clear ip nat translations *
SCREENSHOT
inside / outside interfaces

inside translation source (interface / ACL)
Clears current NAT translations
153
EXAMPLE: NAT CONFIGURATION

<Router(config)#ip access-list extended NAT_ACL>
<Router(config-nacl-ext)#deny ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255>
<Router(config-nacl-ext)#permit ip 192.168.1.0 0.0.0.255 any>
<Router(config-nacl-ext)#exit>
<Router(config)#ip nat pool NAT_POOL 209.165.200.249 209.165.200.254 prefix-length 29>
<Router(config)#ip nat pool inside
<Router(config)#interface lo0>
<Router(config-if)#ip nat inside>
<Router(config-if)#interface s1/0>
<Router(config-if)#ip nat outside>
154
IPSec
IPSec CONFIGURATION
IKE PHASE 1
STEP #
ENABLE ISAKMP
COMMANDS
COMMENTS
<Router(config)#crypto isakmp enable>
The default state of isakmp will differ depending on the IOS

version.
<Router(config)#crypto isakmp policy (1-10000)>
Each policy configured on a router is assigned a priority

number, which is only locally significant (the lower the number
the higher the priority)
<Router(config-isakmp)#authentication (pre-share | rsa-encr | rsa-sig)>

<Router(config-isakmp)#encryption (3des | aes | des)>
<Router(config-isakmp)#hash (md5 | sha)>
<Router(config-isakmp)#group (1 | 2 | 5 | 14 | 15 | 16)>
<Router(config-isakmp)#lifetime (60 - 86400)>
To verify:
The peer initiating the negotiation sends all of its policies to the
remote peer, who compares them with the locally configured
until a match is found - the policies with higher priorities are
compared first (thats why the most secure policies should
have lower priorities)
For a match to be found, two policies have to use identical
following protocols:
<Router#show crypto isakmp policy>
CREATE ISAKMP POLICY
AUTHENTICATION
ENCRYPTION
HASH
DH LEVEL
If a match is found ISAKMP will use DH algorithm to exchange

keys and authenticate the peers
If a match is not found ISAKMP refuses negotiation.
lifetime - specifies after what time the IKE Phase 1 tunnel

is torn down and re-established (the value does not have
to be identical on both ends and if a non-default value is
used the lower the value on either sides is used)
155
<Router(config)#crypto isakmp identity (address | hostname)>
The router can ID itself when communicating with the remote

end using either its IP address or hostname (both ends need to
use the same form of authentication).
Hostname should only be used when the routers IP address is
a subject to frequent changes e.g. by the ISP.
CREATE ISKAMP LOCAL ID
If hostname is used a DNS server must be present to resolve

the hostname to its IP address.
IF LOCAL ID = HOSTNAME
The PKS has to be identical on both ends.
<Router(config)#crypto isakmp key (key up to 128 char) hostname (remote devices

hostname)>
IF LOCAL ID = IP ADDRESS
CREATE PSKs
<Router(config)#crypto isakmp key (key up to 128 char) address (remote devices IP

address)>
To verify:
<Router#show crypto isakmp key>
156
IKE PHASE 2
STEP #
COMMANDS
COMMENTS
<Router(config)#crypto ipsec transform set (name) (AH authentication) (ESP

authentication) (ESP encryption) (compression)>
*<Router(cfg-crypto-trans)#mode (transport | tunnel)>
Multiple sets can be configured and multiple sets can be

specified in a crypto map
To verify:
<Router#show crypto ipsec transform-set (sets name)>
transform set - groups together security protocols and

their protection methods and create security parameters
that protect traffic traveling through the IPSec tunnel
Each set is compared against each of the sets configured on the

peer - at least one needs to match
CREATE TRANSFORM SET
There are four groups of transforms (only one transform from

each category can be used):
o
o
o
o
<Router(config)#crypto ipsec security-association lifetime kilobytes (2560 - 4294967295)
mode transport - protection of L2 and below

mode tunnel - protection of L3 and below
lifetime kilobytes - sets the amount of data limit after

reaching which will cause the tunnel to be torn down and
renegotiated (default = 460800 kb)
lifetime seconds - sets the time period after which the
tunnel will be torn down and renegotiated (default =
3600 sec.)
idle-timer - disabled by default
permit - encrypt data

deny - send in plain text
<Router(config)#crypto ipsec security-association lifetime seconds (120 - 86400)>
*TUNE IPSec SA
PARAMETERS
<Router(config)#crypto ipsec security-association idle-time (60 - 86400)>
<Router(config)#ip access-list extended (ACL name | #)>

<Router(config-ext-nacl)#(permit | deny) ip (source) (destination)>
CREATE CRYPTO ACL
AU AUTHENTICATION (hashing)
ESP AUTHENTICATION (hashing)
ESP ENCRYPTION
COMPRESSION
The ACL criteria are applied in the forward direction to traffic

exiting the router, and in the backward direction to the traffic
entering the router (the outbound ACL source becomes the
inbound ACL destination).
157
CREATE CRYPTO MAP
<Router(config)#crypto map (map name) (sequence number) ipsec-isakmp>
Crypto map binds all the IPSec information together.
<Router(config-crypto-map)#match address (crypto ACL)>
Only one crypto map can exist on an interface.
<Router(config-crypto-map)#set peer (remote peers IP address)>
If no PKS are configured, the SA keys are shared from Phase 1

connection.
<Router(config-crypto-map)#set transform-set (transform sets name)>

*<Router(config-crypto-map)#set pfs (1 | 2 | 5 )>
ASSIGN CRYPTO MAP TO

AN INTERFACE
sequence number - used to prioritize multiple maps that may

exist on a router (the lower the number the higher the priority)
<Router(config-if)#crypto map (crypto map name)>
158
GRE TUNNELING
STEP #
COMMANDS
COMMENTS
<Router(config)#interface tunnel (0-2147483647)>
tunnel source - logical beginning of the tunnel (the IP

address of the local exit interface)
tunnel destination - logical end of the tunnel (the IP

address of the far end entry interface)
<Router(config-if)#ip address A.A.A.A M.M.M.M>
CONFIGURE TUNNEL
INTERFACE
<Router(config-if)#tunnel source A.A.A.A>

<Router(config-if)#tunnel destination A.A.A.A>
To verify:
<Router#show interfaces tunnel (#)>
<Router(config)#ip access-list extended (# | name)>
INCLUDE GRE TRAFFIC IN

THE IPSEC CRYPTO ACL
<Router(config-ext-nacl)#permit | deny gre (source) (destination)>
*ENABLE ROUTING
PROTOCOL OVER GRE
TUNNEL
<Router(config)#router eigrp 1>
The interesting traffic will be any traffic that passes through

the tunnel: from tunnel source to tunnel destination.
To make sure desired traffic goes through VPN, the traffic has
to be forwarded via the tunnel with the help of e.g. static
routes.
<Router(config-router)#network (IP address range to include GRE tunnel)>
GRE tunneling supports multicasts - thats why routing

protocols can be deployed.
159
IPSec VERIFICATION AND TSHOOTING
show crypto isakmp policy

show crypto ipsec transform-set
show crypto map
show crypto isakmp sa
show crypto ipsec sa
show crypto session detail
debug crypto isakmp
debug crypto ipsec
clear crypto isakmp (connection ID)
clear crypto sa
clear crypto sa peer
clear crypto sa map
clear crypto sa counters
COMMAND
VERIFIES
EXAMPLE
Displays all of the isakmp policies defined on the router:
policy number
encryption algorithm
hashing algorithm
authentication method
DH group
lifetime
Displays all of the transform sets defined on the router:
transform set name

encryption algorithm
hashing algorithm
160
Displays all of the crypto maps defined on the router:
show crypto map
maps name and sequence number

peer associated with the map
ACL defining interesting traffic associated with the map
transform set associated with the map
interface associated with the map
IKE Phase 1 Tunnel information:
source and destination

tunnels state (QM_IDLE desired)
tunnels status (ACTIVE desired)
MM = Main Mode
QM = Quick Mode
PHASE / STATE
DESCRIPTION
MM_NO_STATE
AG_NO_STATE
The tunnel has been initialized but nothing

has been negotiated yet.
MM_SA_SETUP
The peers have negotiated IKE Phase 1

policies.
MM_KEY_EXCH
DH has completed.
AG_INIT_EXCH
The peers have negotiated the Phase 1

policies and performed DH.
AG_AUTH
The Phase 1 authentication has completed.
QM_IDLE
The Phase 1 and/or Phase 2 sessions have

completed successfully.
161
IKE Phase 2 Tunnel information:
local and remote identity

packets encapsulated / encrypted / digested
packets decapsuated / decrypted / verified
162
Displays tunnels information and statistics
show crypto session detail
debug crypto isakmp
Debugs the process of creating IKE Phase 1 tunnel
debug crypto ipsec
Debugs the process of creating IKE Phase 2 tunnel
clear crypto isakmp (connection ID)
Clears active ISAKMP connections
clear crypto sa
Clears all data SA
clear crypto sa peer (IP Address |

hostname)
Clears data SA associated with specific peer.
clear crypto sa map
Clears all data SA associated with specific crypto map.
clear crypto sa counters
Clears the counters in the output of the show crypto ipsec sa
163
EXAMPLE: IPSec CONFIGURATION
Secure the traffic sent between 172.30.2.0 /24 and 192.168.1.0 /24
IKE PHASE 1: PLANNING

PEER
IP ADDRESS
LOCAL ID
HOME
REMOTE
98.174.249.99
67.40.69.33
IP ADDRESS
POLICY
NUMBER
AUTHENTICATION
ENCRYPTION
HASHING
DH LVL
LIFETIME
#10
#60
PRE SHARED KEY
AES 128
SHA 1
2
86,400
PRE SHARED KEY
NAME
ACCEPTED FROM
cbtkey
67.40.69.33
98.174.249.99
164
IKE PHASE 2: PLANNING

TRANSFORM SET
CBTVPN
NAME
AH HASHING
N/A
ESP HASHING
ESP-AES 123
ESP ENCRYPTION
COMPRESION
ESP-SHA-1-HMAC
N/A
CRYPTO ACL
NAME
INTERESTING TRAFFIC
S2S-VPN-TRAFFIC
S2S-VPN-TRAFFIC
172.30.2.0 /24 192.168.1.0 /24

CRYPTO MAP
S2S-VPN
S2S-VPN
SEQUENCE #
100
200
INTERFACE
s1/0
s1/1
NAME
165
IKE PHASE 1: CONFIGURATION

STEP #
1. ENABLE ISAKMP
COMMANDS
<Router(config)#crypto isakmp enable>
<Rotuer(config)#crypto isakmp policy 10>
<Router(config-isakmp)#authentication pre-share>
<Router(config-isakmp)#encryption aes 128 >
<Router(config-isakmp)#group 2>
2. CREATE ISAKMP POLICY
<Router(config-isakmp)#hash sha>
<Router(config-isakmp)#lifetime 86400>
VERIFY:
<Router#show crypto isakmp policy>
3. CREATE ISAKMP LOCAL IDENTITY
<Router(config)#crypto isakmp identity address>

<HOME(config)#crypto isakmp key cbtkey address 67.40.69.33>
<REMOTE(config)#crypto isakmp key cbtkey address 98.174.249.99>
4. CONFIGURE PRE-SHARED KEYS

VERIFY:
<Router#show crypto isakmp key>
166
IKE PHASE 2: CONFIGURATION

STEP#
5. CREATE TRANSFORM SET
COMMANDS
<Router(config)#crypto ipsec transform-set CBTVPN esp-aes 128 esp-sha-hmac>
<Router(config)#ip access-list extended S2S-VPN-TRAFFIC
6. CREATE CRYPTO ACL
<HOME(config-ext-nacl)#permit ip 172.30.2.0 0.0.0.255 192.168.1.0 0.0.0.255>

<REMOTE(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 172.30.2.0 0.0.0.255>
<Router(config)#crypto map S2S-VPN 100 ipsec-isakmp>
<Router(config-crypto-map)#match address S2S-VPN-TRAFFIC>
<HOME(config-crypto-map)#set peer 67.40.69.33>
7. SET UP IPSec CRYPTO-MAP
<REMOTE(config-crypto-map)#set peer 98.174.249.99>

<Router(config-crypto-map)#set transform-set CBTVPN)>
VERIFY:
<Router#show crypto map>
<HOME(config)#interface s1/0>
8. ASSIGN CRYPTO MAP TO AN

INTERFACE
<HOME(config-if)#crypto map S2S-VPN>

<REMOTE(config)#interface s1/1>
<REMOTE(config-if)#crypto map S2S-VPN>
167
VERIFICATION AND TSHOOTING

show crypto isakmp key
show crypto ipsec transport-set
show crypto map
debug crypto isakmp
debug crypto ipsec
168
IPv6
IPv6 Packet Header
IPv6 Address Format
IPv6 Special Use Ranges
IPv6 Address Assignment
IPv6 L2 Address Discovery
IPv6 Routing Protocols

IPv6 / IPv4 Coexistence
IPv6 Configurations
IPv6 Verification and Tshooting
IPv6 PACKET HEADER
COMPONENT
OVERVIEW
VERSION
version of the IP
always set to 6
TRAFFIC CLASS
DSCP value for QoS
FLOW LABEL
identifies unique flows (optional)
PAYLOAD LENGTH
length of the payload in bytes
NEXT HEADER
header or protocol which follows
HOP LIMIT
similar to IPv4 TTL
SOURCE ADDRESS
source IP address
DESTINATION ADDDRESS
destination IP address
COMMENTS
168
IPv6 ADDRESS FORMAT
128 bits
divided into 8 x blocks of 4 x HEX characters (each HEX = 4 x bits)
each block is separated by a colon (:)
the slash notation indicates the prefix-length (equivalent to IPv4 subnet mask)
2001:0050:0000:0000:0000:0BA4:1E2E:98AA/64
SHORTENING RULE 1: ELIMINATE GROUP OF CONSECUTIVE ZEROS (ONCE PER ADDRESS)
2001:0050:0000:0000:0000:0BA4:1E2E:98AA/64
2001:0050::0BA4:1E2E:98AA/64
SHORTENING RULE 2: DROP LEADING ZEROS
2001:0050::0BA4:1E2E:98AA/64
2001:50::BA4:1E2E:98AA/64
169
IPv6 ADDRESS TYPES

TYPE
OVERVIEW
COMMENTS
A packet is delivered to a single interface
UNICAST
64
2000::/3
o
Subnet ID
Interface ID
GLOBAL
prefix = 2000::/3
globally unique, routable addresses
equivalent of the IPv4 public addresses
can be automatically assigned to a node using stateless auto-configuration
10
54
FE80::/10
64
LINK-LOCAL
::
64
EUI-64 Interface ID
automatically generated when IPv6 is enabled on the interface

only reachable on the local segment - not routable
an infinite preferred and valid lifetime - never times out
equivalent of the IPv4 169.254.0.0/16 auto-configuration range
sample use:
o
o
o
neighbor discovery (replaces IPv4 ARP)

source address for RS and RA messages
next-hop address for IP routes
To hardcode the address:
To generate a link-local address from a MAC:
FE80::/64 + EUI-64
When created automatically, the link-local address begins

with FE80::/64 because after the prefix FE80::/10 the IPv6
device builds the next 54 bits as binary 0s.
When configuring the address statically, as long as it
conforms to FE80:::/10 prefix it will be considered valid.
How is EUI-64 Interface ID generated:
take first 24 bits from the MAC address

invert the 7th bit (0=1; 1=0)
insert FFFE
add the last 24 bits from the MAC
Example:
<Router(config-if)#ipv6 address FE80::AAAA:AAAA:AAAA:AAAA link-local>

o
o
o
MAC: ca00.0a30.0008
EUI-64: C800:AFF:FE30:8
link-local: FE80::C800:AFF:FE30:8
170
Since link-local address is based on the MAC address it will

be the same for all local IPv6 enabled interfaces - thats why
when pinging a link-local address the output interface
always (even if only a single interface is enabled) needs to
be specified.
8
FD00::/8
o
40
Global ID
16
64
Subnet ID
Replaces deprecated site-local addresses FEC0::/10.
Interface ID
UNIQUE- LOCAL
equivalent to IPv4 private addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
only routed within an organization
A packet is delivered to multiple interfaces

8
MULTICAST
FF
FLAGS
FF
4 4
F S
112
Group ID
indicates a multicast address

L3 prefix: FF
L2 prefix: 3333
bits 1-8
flags show if the multicast addresses is predefined (well-known) or not

if well-known all bits set to 0
bits 9-12
at the L2 an Ethernet frame is addressed to:
3333: +(last 32 bits of the L3 multicast address)
WELL-KNOWN MULTICAST ADDRESSES:

FF02::1
all IPv6 nodes on the link
FF02::2
all IPv6 routers on the link
FF02::5
all IPv6 OSPF routers on the link
FF02::6
all IPv6 OSPF DRs on the link
FF02::10
all IPv6 EIGRP routers on the link
FF02:1::2
all IPv6 DCHP relays on the link
171
SCOPE
indicates to which scope a multicast address belongs

bits 13-16
SCOPES:
1
interface-local
link-local
admin-local (can be customized)
org-local
global
specifies a multicast group

the group IP is appended to 3333 to form a L2 address for IPv6 mcast frames
bits 17-112
GROUP ID
GROUP IDs:
1
all nodes
all routers
OSPF routers
OSPF DR routers
RIP routers
A packet is delivered to the nearest of multiple interfaces
ANYCAST
172
IPv6 SPECIAL USE RANGES

RANGE
::/0
OVERVIEW
COMMENTS
Default Route
Unspecified Address
::/128
indicates the absence of an address

it must never be assigned to a node
example usage: Source Address any IPv6 packet sent by an initializing host before it has learned its
own IPv6 address
If a packet is sent with a source address of ::/128 the reply

will be addressed to FE01::2.
Loopback Address
::1/128
may be used by a node to send an IPv4 packet to itself

it must not be assigned to any physical interfaces
cannot be as a source address in IPv6 packets that are sent outside of a single node
a packet received on an interface with a destination address of loopback must be dropped
mainly used for testing purposes
Documentation Prefix
2001:DB8::/32
used for documentation addresses

used for documentation purposes e.g. user manuals, RFCs, etc.
addresses within this block should not appear on the Internet
6to4
To create a 6to4 Tunnel IPv6 address:

may be advertised when the site is running a 6to4 relay or offering a 6to4 transit service
2000::/16
prefix 2002:
convert IPv4 address of the source interface to hex in
IPv6 notation and append to the prefix
add subnet hex
add host hex
Example:
Tunnel source interface IPv4 address: 172.16.12.1
6to4 Tunnel IPv6 address: 2002:AC10:0C01:1::1/64
Link-local address is created by taking FE80::/96 prefix and
appending the 6to4 tunnels source interface IPv4 address in
hex.
173
IPv6 ADDRESS ASSIGNMENT

FEATURE
OVERVIEW
COMMENTS
works like DHCP for IPv4

allows the host to learn:
o prefix /prefix length
o interface ID
o DNS servers IPv6 address
STATEFUL DHCP
the IP address of the default router is resolved via NDP

the IPv6 DHCP server retains state information about each client (IP address
leased to the client and the length of time the lease is valid)
RELEVANT PREFIXES:
SLAAC
FF02::1:2 - used by IPv6 hosts to send packets to an unknown DHCP server
Stateless Address Auto-Configuration

allows the host to learn:
o prefix /prefix length, default router (via NDP)
o interface ID (via EUI-64)
o DNS servers IPv6 address (via Stateless DHCPv6)
To run SLAAC on an interface:

<Router(config-if)#ipv6 address autoconfig>
174
Neighbor Discovery Protocol

uses ICMPv6 messages: RS and RA
there must be at least one router configured for IPv6 (an IPv6 address assigned
and IPv6 routing enabled) on the link
Router Solicitation:
o
o
o
o
o
o
NDP
ICMPv6 Type 133

used to locate routers on the local-link
requests information about local-link prefix / prefix length
sent to all IPv6 routers on the local-link
sent with a source address of the outbound interface IPv6 address
sent with a source address of ::/128 (if no IPv6 addresses assigned)
the router that advertises prefix / prefix length via RA

messages will be considered the default router
NDP is responsible for:
address auto-configuration
neighbor discovery
MAC discovery
duplicate address detection
finding existing routers / DNS servers
Router Advertisement:
o
o
o
o
o
o
ICMPv6 Type 134

provides information about local-link prefix / prefix length
advertises itself as the default router
sent upon new IPv6 address assignment (and then periodically every
200 sec.)
sent as a reply to RS on FF02::1
sent with a source address of ::/128 when a part of SLAAC
RELEVANT PREFIXES:
EUI-64 Interface ID
FF02::2 - destination IPv6 address (all routers on the link) of the RS messages
FF02::1 - destination IPv6 address (all nodes on the link) of the RA messages
allows for automatic creation of a unique global unicast IP address based on the
local MAC address
How EUI-64 is created:
To generate on an interface:
<Router(config-if)#ipv6 address (X:X:X::/64) eui-64>
insert FFFE between two halves of MAC

invert the 7th bit (universal/local flag) 0=1; 1=0
175
STATELESS DHCP
stateless function of the IPv6 DHCP server supplies the IPv6 address of the DNS
server to the client
does not need to keep track of any state information
To configure DHCPv6 server for DNS:

<Router(config)#ipv6 dhcp pool (pool name)>
<Router(config-dhcpv6)#dns-server (IPv6 address)>
<Router(config-dhcpv6)#interface (interface)>
<Router(config-if)#ipv6 dhcp server (pool name)>
Configure the full IPv6 address:
STATIC IPv6 CONFIGURATION
<Router(config-if)#ipv6 address (X:X:X:X::X/0-128)>

Configure the 64-bit prefix and use EUI-64 calculation:
<Router(config-if)#ipv6 address (X:X:X::/64) eui-64>
176
IPv6 L2 ADDRESS DISCOVERY

FEATURE
OVERVIEW
NEIGHBOR DATABASE
COMMENTS
IPv6s equivalent to IPv4s CAM table

contains a list of all neighboring IPv6 addresses (in connected links) and their
corresponding MAC addresses
if a mapping is not found in the table the router uses NDP to update the database
To display the database:

<Router#show ipv6 neighbors>
NDP
Network Discovery Protocol

replaces IPv4 ARP
used to dynamically map hosts MAC addresses to their corresponding IPv6 addresses
utilizes ICMPv6 messages NS (Neighbor Solicitation) and NA (Neighbor Advertisement)
NDP States:
Neighbor Solicitation
ICMPv6 Type 135
sent to a host to request its MAC address
sent as a part of DAD upon an IPv6 address assignment to confirm its uniqueness
multi-casted on the destination hosts solicited node multicast address
Solicited node multicast address
RELEVANT PREFIXES:
o
NS MESSAGE
FF02::1:FF/104 - solicited node multicast address (destination of NS messages)
DELETED
INCOMING
REACHABLE
STALE
To create:
prefix FF02::1:FF
add last 6 HEX (digits) of the destination IPv6
address
Example:
Destination IPv6 address: 2002::AACC
Solicited node address: FF02::1:FF00:AACC
The router joins the multicast group for solicited node
address for every address assigned to an interface the
moment the interface is up
177
NA MESSAGE
DAD
IND
Neighbor Advertisement
ICMPv6 Type 136
sent in reply to an NS message (unicasted)
multicasted to every local IPv6 node every time a new IPv6 address is assigned and cleared
by DAD
includes local IPv6 | MAC mapping
Duplicate Address Detection
used to make sure there are no duplicate addresses on the link
performed every time a new IPv6 address is assigned to an interface OR when the
interface comes back up after being down for whatever reason
the interface sends an NS message destined to a solicited node multicast address for each
IPv6 address assigned on the router if a NA messages comes from other source than
local than it means theres a duplicate address on the link
NEW ADDRESS --> DAD: SEND NS

RECEIVED NA FROM ITSELF
DAD: ADDRESS IS UNIQUE
ASSIGN THE ADDRESS
DAD: MCAST NA ON FF02::1 WITH IPv6 | MAC
MAPPING
Inverse Neighbor Discovery

maps IPv6 addresses to their corresponding MAC addresses
uses ICMPv6 messages INS (Inverted Neighbor Solicitation) and INA (Inverted Neighbor
Advertisement)
178
EXAMPLE: IPv6 ADDRESS ASSIGNMENT / NDP
COMMANDS
<R1(config-if)#ipv6 address 2003::1/64>
ACTION TRIGGERED
RESULT
enables IPv6 on fa0/0

creates EUI-64
creates link-local address based on EUI-64
assigns 2003::1/64 as the fa0/0 Interface-ID
performs DAD on null0 for link-local address:
o sends NA for FE80::1 [src: :: | dst: ::1]
o address is unique
Multicast groups joined:
<R1(config)#ipv6 unicast-routing
FF02::1 (all link-local IPv6 nodes)
enables IPv6 routing
FF02::2
179
<R1(config-if)#no shutdown>
performs DAD on fa0/0 for link-local address:

o sends NS for FE80::C804:1FFF:FE14:8 [src: :: | dst: FF02::1:FF14:8]
o only the local router responses --> address is unique on the link
o sends NA [src: fa0/0 link-local | dst: FF02::1] to announce address
assignment (includes the IPv6|MAC mapping)
performs DAD on fa0/0 for unicast address:

o sends NS for 2003::1 [src: :: | dst: FF02::1:FF00:1]
o sends NA [src: fa0/0 unicast | dst: FF02::1] to announce address
assignment (includes the IPv6|MAC mapping)
starts periodically generating RA message:

o [src: fa0/0 link-local | dst: FF02::1]
o includes prefix / prefix length
<R1(config)#ipv6 dhpc pool POOL>

<R1(config-dhcpv6)#dns_server
2003::AAAA/64>
<R1(config-dhcpv6)#interface fa0/0>
<R1(config-if)#ipv6 dhcp server POOL>
<R2(config-if)#ipv6 address autoconfig>
FF02::1FF14:8 (solicited-node address for link-local address)

FF02::1:FF00:1 (solicited-node address for 2003::1)
R1 becomes a DHCPv6 server
FF02::1:2 (all DHCP Relay Agents and Servers)

FF05::1:3 (all DHCPv6 servers)
SLAAC enabled
enables IPv6 on fa0/0
creates EUI-64
creates link-local address based on EUI-64
performs DAD on null0 for link-local address:
o sends NA for FE80::1 [src: :: | dst: ::1]
o address is unique
FF02::1 (all link-local IPv6 nodes)
180
<R2(config-if)#ipv6 unicast-routing>
enables IPv6 routing
<R2(config-if)#no shut>
FF02::2 (all link-local IPv6 router)
performs DAD on fa0/0 for link-local address:

o sends NS for FE80::C801:16FF:FE14:8 [src: :: | dst: FF02::1:FF14:8]
o sends NA [src: :: | dst: FF02::1] to announce address assignment
(includes the IPv6|MAC mapping)
sends a RS on fa0/0 as per SLAAC:

o sends RS [src: fa0/0 link-local | dst: FF02::1]
o whats the prefix/prefix length used on the link?
o receives RA [src: R1 fa0/0 link-local | dst: FF02::2]
o prefix 2003::, length 64 bits
o selected new default router: R1 fa0/0 link-local
o installed default to FE80::C800:16FF:FE14:8
FE80::C801:16FF:FE14:8
autoconfigure interface ID
o use prefix / prefix length obtained from R1 RA message
o use EUI-64 to generate interface ID: 2003::C801:16FF:FE17:8
performs DAD on fa0/0 for unicast address:

o sends NS for 2003::C801:16FF:FE17:8 [src: :: | dst: FF02::1:FF17:8]
o sends NA [src: :: | dst: FF02::1] to announce address assignment
(includes the IPv6|MAC mapping)
FF02::1FF14:8 (solicited node address for 2003::C801:16FF:FE17:8)
181
IPv6 ROUTING PROTOCOLS

RIPng
RIP Next Generation

UDP 521
Administrative Distance 120
does not perform automatic summarization
supports Split Horizon
supports Poison Reverse
30 seconds periodic full updates
maximum hop count = 15
FF02::9 - multicast update destination (uses link-local address as the source)
Authentication - IPv6 AH/ESP
RIPng CONFIGURATIONS
STEP #
ENABLE IPv6 ROUTING
COMMANDS
COMMENTS
<Router(config)#ipv6 unicast-routing>
Disabled by default. Router will not start a RIPng process

if unicast routing is disabled.
<Router(config)#ipv6 router rip (process tag)>
Unlike IPv4 RIP, RIPng allows for running multiple

instances on a single router just like EIGRP and OSPF.
ENABLE RIPng GLOBALLY
Tags dont have to match between the routers for RIP to

be working.
<Router(config-if)#ipv6 rip (process tag) enable>
Enables RIPng on an interface and enables the process

globally on the router (if it hasnt been activated yet).
For this command to be accepted by the router IPv6
must first be enabled on that interface.
ENABLE RIPng ON INTERFACES
The command causes RIPng to:
start sending RIPng updates on that interface

start processing RIPng updates on that interface
advertise the connected, routable, routes on that
interface
182
RIPng VERIFICATION AND TSHOOTING
show ipv6 route

show ipv6 route rip
show ipv6 route prefix/length
show ipv6 protocols
show ipv6 rip next-hop
debug ipv6 rip
COMMAND
show ipv6 route
VERIFIES
SCREENSHOT
all routes known to a router
RIPng uses link-local address of the next hop router as the next hop
show ipv6 route rip
all RIPng learnt routes
details on the routes for a specific prefix
183
show ipv6 protocols
show ipv6 rip next-hops
debug ipv6 rip
interfaces on which RIPng is enabled
list of routing information sources
Debugs sent / received messages
184
EIGRPv6
EIGRP for IPv6

Layer 3 88
updates triggered and
FF02::10 - multicast update destination
neighbors do not need to be on the same subnet
multiple instances per interfaces
EIGRPv6 CONFIGURATIONS
STEP #
ENABLE IPv6 ROUTING
ENABLE EIGRPv6 GLOBALLY
ACTIVATE EIGRPv6 PROCESS
ASSIGN ROUTER-ID
COMMANDS
COMMENTS
Disabled by default. Router will not start an

EIGRPv6 process if unicast routing is disabled.
<Router(config)#ipv6 router eigrp (AS)>
Enables EIGRPv6 for a given process.

May need or not administrative activation.
<Router(config-rtr)#shutdown>
<Router(config-rtr)#no shutdown>
Shuts down / activates the EIGRPv6 process.
<Router(config-rtr)#eigrp router id A.A.A.A>
The EIGRPv6 process must have a router ID before

it works.
Default state depends on the IOS version.
If it cannot be picked up automatically (no IPv4

addresses on the router) it has to be manually
hardcoded.
185
EIGRPv6 relationships form between link-local addresses!

ENABLE EIGRPv6 ON INTERFACES
<Router(config-if)#ipv6 eigrp (AS; 1-65535)>
Enables EIGRPv6 on an interface (does not activate

it globally if it hasnt been enabled yet).
For this command to be accepted by the router
IPv6 must first be enabled on that interface.
The command causes EIGRPv6 to:
start transmitting / receiving HELLO packets

advertise the connected, routable, routes
186
EIGRPv6 VERIFICATION AND TSHOOTING
show ipv6 route

show ipv6 route eigrp
show ipv6 protocols
show ipv6 eigrp neighbors
show ipv6 eigrp interface detail
show ipv6 eigrp topology (*all-links)
debug ipv6 eigrp notifications
COMMAND
show ipv6 route
show ipv6 route eigrp
VERIFIES
SCREENSHOT
all routes known to a router
EIGRPv6 uses link-local address of the next hop router as the next
hop
all EIGRPv6 learnt routes
details on the routers for a specific prefix
187
interfaces on which EIGRPv6 is enabled

metric + weights
variance value
redistribution
max paths
Administrative Distance
show ipv6 protocols
List of routing information sources
show ipv6 eigrp neighbors
timers
show ipv6 eigrp interface detail
188
EIGRPv6 database
show ipv6 eigrp topology (*all-links)
debug ipv6 eigrp notifications
Debug sent / received updates
189
OSPFv3
OSPF ver. 3 for IPv6

Layer 3 89
FF02::5 - multicast all SPF routers
FF02::6 - multicast all DR routers
neighbors do not need to be on the same subnet
multiple instances per interfaces
OSPFv3 CONFIGURATIONS
ENABLE IPv6 ROUTING
ENABLE OSPFv3 GLOBALLY
Disabled by default. Router will not start an OSPFv3 process

if unicast routing is enabled.
<Router(config)#ipv6 router ospf (process ID 1-65535)>
Enables OSPFv3 for a given process.
<Router(config-rtr)#router id A.A.A.A>
The OSPFv3 process must have a router ID before its

operational.
If it cannot be picked up automatically (no IPv4 addresses
on the router) it has to be manually hardcoded.
ASSIGN ROUTER-ID
*Feb 23 19:49:09.875: %OSPFv3-4-NORTRID: OSPFv3

process 1 could not pick a router-id, please configure
manually
OSPFv3 relationships form between link-local addresses!
<Router(config-if)#ipv6 ospf (process ID)>
ENABLE OSPFv3 ON INTERFACES
Enables OSPFv3 on an interface and enables the process

globally on the router (if it hasnt been activated yet).
For this command to be accepted by the router IPv6 must
first be enabled on that interface.
OSPFv2 and v3 are not compatible with each other
although can run simultaneously to support parallel
domains.
The command causes OSPFv3 to:
start transmitting / receiving HELLOs

advertise the connected, routable, routes on that
interface
190
OSPFv3 VERIFICATION AND TSHOOTING
show ipv6 route

show ipv6 route ospf
show ipv6 ospf protocols
show ipv6 ospf neighbor
show ipv6 ospf interface
show ipv6 ospf interface brief
show ipv6 ospf database
COMMAND
show ipv6 route
VERIFIES
SCREENSHOT
All routes known to the router

OSPFv3 uses link-local address of the next hop router as the next hop
show ipv6 route ospf
all routes learnt via OSPFv3
Interfaces assigned to each of the areas
show ipv6 ospf protocols
show ipv6 ospf neighbor
neighbor ID
priority
state
Dead Time
Interface ID
Interface
191
Detailed information about OSPF interfaces
show ipv6 ospf interface (interface)
OSPFv3 interfaces:
show ipv6 ospf interface brief
show ipv6 ospf database
costs
state
area
number of neighbors
Displays summary of OSPFv3 database
192
IPv6/IPv4 COEXISTANCE
IPv4/IPv6 DUAL STACKING
the host or router use both IPv4 and IPv6 at the same time
nodes can then choose to communicate with IPv4 nodes using IPv4 stack and with IPv6 nodes using IPv6 stack
two implementation approaches:
o
o
NATIVE IPv6: configure IPv6 on most/all routers making all routers use dual stacking
IPv6 TUNNELS: some routers are configured for IPv6 and packets are tunneled over the IPv4 network
TUNNELING
the IPv6 packet is encapsulated inside an IPv4 packet and then routed over IPv4 network
allows for only partial migration between the two protocols
adds extra overhead in form of headers
types:
o point-to-point: two (and only two) devices sit at the end of the tunnel
o point-to-multipoint: allows a router (the point) to use a single user interface to send packets to multiple remote routers
NAT-PT
translates the entire header between IPv4 and IPv6

NAT-PT must be heavily involved in DNS flow - it must convert requests between DNSv4 and DNSv6 queries keep track of the bindings
193
STATIC POINT-TO-POINT TUNNELS
two flavors:
o manual tunnels
o GRE tunnels
MANUAL / GRE TUNNELS

MANUAL TUNNELS:
RFC 4213
acts like a virtual point-to-point link
supports IPv6 IGPs
ideal for more permanent tunnels
less overhead than GRE
GRE TUNNELS:
RFC 2784
same characteristics and advantages as manual tunnels
uses an extra stub header between IPv4 and IPv6 headers
can carry multiple passenger protocols
MANUAL / GRE TUNNELS CONFIGURATIONS

STEP #
CREATE A TUNNEL INTERFACE
HARDCODE TUNNEL TYPE
COMMANDS
COMMENTS

MANUAL:
GRE mode is the default on the tunnel interface.
<Router(config-if)#tunnel mode ipv6ip | gre ip>
If two routers tunnel modes dont match the tunnel

interface may stay UP | UP but the mismatched
encapsulation will prevent the routers from forwarding
IPv6 packets.
The tunnel interface only needs a L3 address for the

passenger protocol - does not need one for the transport
protocol.
ASSIGN TUNNELS IPv6

ADDRESS
A link-local and solicited node addresses are also

generated.
Link-local address is based on:
FE80::/96 + 32 bits of tunnel source IPv4 address
CONFIGURE TUNNEL SOURCE
<Router(config-if)#tunnel source (exit interface | IP address)>
The address / exit interface on the local router.
194
CONFIGURE TUNNEL
DESTINATION
<Router(config-if)#tunnel destination (destination IP address)>
ADD INTERFACE TO AN IGP

ROUTING PROCESS
<Router(config-if)#ipv6 (rip | eigrp | ospf) (process ID | AS#) (*area (area ID))>
TSHOOT
The address on the far end router.
show interfaces tunnel (interface)

show ipv6 interface brief
195
DYNAMIC MULTIPOINT TUNNELS
creates the possibility that new sites can join the tunnel without requiring additional configuration on the existing routers
do not support IGPs requiring the use of either static routes or multiprotocol BGP
the forwarding logic requires more work per packet as compared with point-to-point tunnels (more suited for less traffic)
the incomings packet IPv6 address implies which IPv4 address should be used for encapsulation for transport over the IPv4 network
dynamic multipoint tunnels come in two falvors:
o
o
6to4 Tunnels
IPv6 ISATAP Tunnels
196
6to4 TUNNELS (RFC3956)
transition mechanism that enable encapsulation of IPv6 packets into IPv4 packets for transport across an IPv4 network
allows for automatic IPv6-to-IPv4 address translation
treats the underlying IPv4 network as one big logical NBMA network
internal routing protocols cannot be used across the 6to4 tunnels! (because they rely on link-local addresses to form adjacencies and these are not supported across 6to4 tunnels)
6to4 tunnels do not allow IPv4-only hosts to communicate with IPv6-only hosts (they only allows IPv6 hosts to communicate with each other over an IPv4 network)
the tunnel configuration has to be applied on all edge routers on the cloud-facing interfaces
a single tunnel interface is needed per router
6to4 Tunnel addressing:
o
o
2002:/16 prefix
Global Unicast Address
6to4 TUNNEL CONFIGURATIONS

STEP #
CREATE A TUNNEL INTERFACE
COMMANDS
COMMENTS
Only a single tunnel interface is needed per router.
<Router(config-if)#tunnel mode ipv6ip 6to4>
Hardcodes the tunnel mode as a dynamic multipoint 6to4

tunnel.
Also, instructs the router to look into 2nd and 3rd octet of
the outgoing IPv6 packet IPv6 destination address and
figure out the IPv4 destination address to be put into the
new IPv4 header.
HARDCODE TUNNEL TYPE
To create a 6to4 Tunnel IPv6 address:
ASSIGN TUNNELS IPv6

ADDRESS
prefix 2002:
convert IPv4 address of the source interface to hex
in IPv6 notation and append to the prefix
fill the rest of the bits to make up a total of 128
Example:
Tunnel source interface IPv4 address: 172.16.12.1
6to4 Tunnel IPv6 address: 2002:AC10:0C01:1::1/64
Link-local address is created by taking FE80::/96 prefix and
appending the 6to4 tunnels source interface IPv4 address
(in HEX).
197

o
CONFIGURE TUNNEL
SOURCE
Tunnel destination does not need to be specified because

it is embedded in the outgoing IPv6 packet destination
address.
<Router(config)#ipv6 route 2002::/16 (6to4 tunnel interface)>
CONFIGURE STATIC ROUTES
TSHOOT
The cloud-facing local interface (a loopback can be used).
Static routes pointing to 2002::/16 network and individual

subnets behind it are needed on each routers that is part
of the tunnel.
show interfaces tunnel (interface)

198
IPv6 CONFIGURATIONS
COMPONENT
COMMANDS
COMMENTS
ipv6 unicast-routing - enable forwarding of

IPv6 unicast datagrams
If the command is not enabled the router acts like

an IPv6 host and will not forward IPv6 packets.
ENABLE IPv6 ROUTING
If removed after configuring a routing protocol all

configurations for that protocol will be deleted!
Causes the host to join FF02::1 multicast group.
ENABLE IPv6 CEF
ENABLING IPv6 ON AN INTERFACE
IPv6 ASSIGNMENT
<Router(config)#ipv6 cef>
<Router(config-if)#ipv6 enable>
ipv6 enable enables IPv6 on an interfaces

and generates a link-local address
no ipv6 address removes all configured

IPv6 addresses from the interface and also
disables IPv6
<Router(config-if)#no ipv6 address>

To verify:
o
STATIC IPv6 ADDRESS ASSIGNMENT
<Router#show ipv6 interface (interface)>
To reassign an IPv6 address the old one has to be

first removed with the no command - IPv6 allows
for multiple addresses to be assigned to an
interface.
Both IPv4 and IPv6 addresses can be assigned to
the same interface because theyre different
protocols and run independently.
AUTO IPv6 ADDRESS ASSIGNMENT
EUI-64 ADDRESS
IPv6 ADDRESS ASSIGNMENT VIA

DHCP
<Router(config-if)#ipv6 address autoconfig>
The router uses SLAAC to find address.
<Router(config-if)#ipv6 address (X:X:X:X::X/128) eui-64>
Static configuration for the first 64 bits the router

derives the last 64 bits with EUI-64.
<Router(config-if)#ipv6 address dhcp>
The router uses stateful DHCP to find address.
199
<Router(config-if)#ipv6 address (X:X:X:X::X) link-local>

o
CHANGING DEFAULT LINK-LOCAL

ADDRESS
DESIGNATING AN ANYCAST ADDRESS
MANUAL IPv6 TUNNEL
Link-local addresses take no subnet masks because

they are not routed. Because of that, when pinging
a link-local address an exit interface has to be
specified (full name has to be used).
<Router(config-if)# ipv6 address (X:X:X:X::X/128) anycast>

Creates a series of logical point-to-point links.
<Router(config-if)#tunnel mode ipv6ip>
Does not scale well since each p2p link has to be

configured separately.

<Router(config-if)#tunnel destination (exit interface | IP address)>
6to4 TUNNEL
<Router(config-if)#tunnel mode ipv6ip 6to4>

<Router(config-if)#ipv6 address
<Router(config-if)#tunnel source (exit interface ID | IPv6 address)>
IPV6 STATIC ROUTES
<Router(config)#ipv6 route (X:X:X:X::X/0-128) (exit interface ID | IPv6

address)>
When using next-hop IPv6 address it can be any

address configured on the next-hop router.
If link-local address is used, the exit interface
parameter is not optional - has to be supplied.
200
IPv6 VERIFICATION AND TSHOOTING
show ipv6 route

show ipv6 route (source)
show ipv6 interface (interface)
show ipv6 protocol
show ipv6 neighbor
debug ipv6 nd
debug ipv6 packet
COMMAND
VERIFIES
EXAMPLE
Displays IPv6 routing table content
show ipv6 route
show ipv6 route (source)
Displays IPv6 routing table content learned via specified source

Displays IPv6 interfaces configured locally
show ipv6 interface (interface)
201
Displays IPv6 interfaces configured locally (summary)
Displays IPv6 protocols configured on the router
show ipv6 protocol
show ipv6 neighbor
Displays neighboring IPv6 routers and their MAC address
debug ipv6 nd
Debugs events associated with IPv6 Neighbor Discovery
debug ipv6 packet
Debugs events associated with IPv6 packet flow
202
APPENDIXES
IPv4 Subnetting
RIP
EIGRP
OSPF
IS-IS
BGP
NAT
IPSec
IPv6
IPV4 SUBNETTING
packetlife.net
Subnets
Decimal to Binary
CIDR Subnet Mask
Addresses
Wildcard
Subnet Mask
Wildcard
/32 255.255.255.255
0.0.0.0
255 1111 1111
0 0000 0000
/31 255.255.255.254
0.0.0.1
254 1111 1110
1 0000 0001
/30 255.255.255.252
0.0.0.3
252 1111 1100
3 0000 0011
/29 255.255.255.248
0.0.0.7
248 1111 1000
7 0000 0111
/28 255.255.255.240
16
0.0.0.15
240 1111 0000
15 0000 1111
/27 255.255.255.224
32
0.0.0.31
224 1110 0000
31 0001 1111
/26 255.255.255.192
64
0.0.0.63
192 1100 0000
63 0011 1111
/25 255.255.255.128
128
0.0.0.127
128 1000 0000
127 0111 1111
/24 255.255.255.0
256
0.0.0.255
0 0000 0000
255 1111 1111
/23 255.255.254.0
512
0.0.1.255
/22 255.255.252.0
1,024
0.0.3.255
/21 255.255.248.0
2,048
0.0.7.255
/20 255.255.240.0
4,096
0.0.15.255
/19 255.255.224.0
8,192
0.0.31.255
/18 255.255.192.0
16,384
0.0.63.255
/17 255.255.128.0
32,768
0.0.127.255
/16 255.255.0.0
65,536
0.0.255.255
/15 255.254.0.0
131,072
0.1.255.255
/14 255.252.0.0
262,144
0.3.255.255
/13 255.248.0.0
524,288
0.7.255.255
/12 255.240.0.0
1,048,576
0.15.255.255
/11 255.224.0.0
2,097,152
0.31.255.255
/10 255.192.0.0
4,194,304
0.63.255.255
/9 255.128.0.0
8,388,608
0.127.255.255
A 0.0.0.0 127.255.255.255
/8 255.0.0.0
16,777,216
0.255.255.255
B 128.0.0.0 - 191.255.255.255
/7 254.0.0.0
33,554,432
1.255.255.255
C 192.0.0.0 - 223.255.255.255
/6 252.0.0.0
67,108,864
3.255.255.255
D 224.0.0.0 - 239.255.255.255
/5 248.0.0.0
134,217,728
7.255.255.255
E 240.0.0.0 - 255.255.255.255
/4 240.0.0.0
268,435,456
15.255.255.255
/3 224.0.0.0
536,870,912
31.255.255.255
RFC 1918 10.0.0.0 - 10.255.255.255
/2 192.0.0.0
1,073,741,824
63.255.255.255
Localhost 127.0.0.0 - 127.255.255.255
/1 128.0.0.0
2,147,483,648
127.255.255.255
RFC 1918 172.16.0.0 - 172.31.255.255
/0 0.0.0.0
4,294,967,296
255.255.255.255
RFC 1918 192.168.0.0 - 192.168.255.255
Subnet Proportion
/27
/28
/26
/29
/30
/30
/25
Classful Ranges
Reserved Ranges
Terminology
CIDR
Classless interdomain routing was developed to
provide more granularity than legacy classful
addressing; CIDR notation is expressed as /XX
by Jeremy Stretch
VLSM
Variable-length subnet masks are an arbitrary length
between 0 and 32 bits; CIDR relies on VLSMs to define
routes
v2.0
RIP
packetlife.net
RIP Implementations
Attributes
RIPv1
Original RIP implementation, limited to classful routing
(obsolete)
RIPv2
Introduced support for classless routing, authentication,
triggered updates, and multicast announcements (RFC 2453)
RIPng (RIP Next Generation)
Extends RIPv2 to support IPv6 routing (RFC 2080); functions
very similarly to RIPv2 and is subsequently as limited
Protocols Comparison
RIPv1
RIPng
IPv4
IPv6
Admin Distance 120
120
120
UDP Port 520
520
521
Classless No
Yes
Yes
224.0.0.9
FF02::9
Plain, MD5
None
Adv. Address Broadcast

Authentication None
RIPv2 Configuration
! Enable RIPv2 IPv4 routing
router rip
version 2
! Disable RIPv2 automatic summarization
no auto-summary
Algorithm Bellman-Ford
Admin Distance 120
Metric Hop count (max 15)
Standard RFCs 2080, 2453
Protocols IPv4, IPv6
Transport UDP
Authentication Plaintext, MD5
RIPv2
IP IPv4
Type Distance Vector
Multicast IP 224.0.0.9/FF02::9
Terminology
Split Horizon
A rule that states a router may not advertise a route
back to the neighbor from which it was learned
Route Poisoning
When a network becomes unreachable, an
update with an infinite metric is generated to
explicitly advertise the route as unreachable
Poison Reverse
A router advertises a network as unreachable
through the interface on which it was learned
Timer Defaults
Update 30 sec
Invalid 180 sec
! Designate RIPv2 interfaces by network

network network
Flush 240 sec

Hold-down 180 sec
RIPv2 Interface Configuration
! Identify unicast-only neighbors

neighbor IP-address
! Configure manual route summarization

ip summary-address rip network mask
! Originate a default route

default-information originate
! Enable MD5 authentication (RIPv2 only)

ip rip authentication mode md5
ip rip authentication key-chain key-chain
! Designate passive interfaces

passive-interface {interface | default}
! Modify timers
timers basic update invalid hold flush
RIPng Configuration
! Enable IPv6 routing
ipv6 unicast-routing
! Enable RIPng IPv6 routing
ipv6 router rip name
RIPng Interface Configuration

! Enable RIPng on the interface
ipv6 rip name enable
! Configure manual route summarization
ipv6 rip name summary-address prefix
Troubleshooting
show ip[v6] protocols
show ip[v6] rip database
! Toggle split-horizon and poison-reverse

[no] split-horizon
[no] poison-reverse
show ip[v6] route rip
! Modify timers
timers basic update invalid hold flush
debug ipv6 rip [interface]
by Jeremy Stretch
debug ip rip { database | events }
v1.1
EIGRP
packetlife.net
Protocol Header
Attributes
16
Version
24
Opcode
32
Type Distance Vector
Checksum
Algorithm DUAL
Flags
Internal AD 90
Sequence Number
External AD 170
Acknowledgment Number
Summary AD 5
Autonomous System Number

Type
Standard Cisco proprietary
Length
Protocols IP, IPX, Appletalk
Value
Transport IP/88
Metric Formula
256 * (K1 * bw +
K2 * bw
256 - load
Authentication MD5
+ K3 * delay) *
K5
rel + K4
bw = 107 / minimum path bandwidth in kbps

delay = interface delay in secs / 10
EIGRP Configuration
Protocol Configuration
! Enable EIGRP
router eigrp <ASN>
! Add networks to advertise
network <IP address> <wildcard mask>
Multicast IP 224.0.0.10
Hello Timers 5/60
Hold Timers 15/180
K Defaults
Packet Types
K1 1
1 Update
K2 0
3 Query
K3 1
4 Reply
K4 0
5 Hello
K5 0
8 Acknowledge
! Configure K values to manipulate metric formula

metric weights 0 <k1> <k2> <k3> <k4> <k5>
Terminology
Reported Distance
! Disable automatic route summarization

no auto-summary
The metric for a route advertised by a neighbor
! Designate passive interfaces

passive-interface (<interface> | default)
The distance advertised by a neighbor plus the cost

to get to that neighbor
! Enable stub routing

eigrp stub [receive-only | connected | static | summary]
! Statically identify neighoring routers
neighbor <IP address> <interface>
Interface Configuration
! Set maximum bandwidth EIGRP can consume

ip bandwidth-percent eigrp <AS> <percentage>
! Configure manual summarization of outbound routes
ip summary-address eigrp <AS> <IP address> <mask> [<AD>]
Feasible Distance
Stuck In Active (SIA)

The condition when a route becomes unreachable
and not all queries for it are answered; adjacencies
with unresponsive neighbors are reset
Passive Interface
An interface which does not participate in EIGRP but
whose network is advertised
Stub Router
A router which advertises only a subset of routes,
and is omitted from the route query process
Troubleshooting
! Enable MD5 authentication

ip authentication mode eigrp <AS> md5
ip authentication key-chain eigrp <AS> <key-chain>
show ip eigrp interfaces
! Configure hello and hold timers

ip hello-interval eigrp <AS> <seconds>
ip hold-time eigrp <AS> <seconds>
show ip eigrp topology

! Disable split horizon for EIGRP

no ip split-horizon eigrp <AS>
by Jeremy Stretch
debug ip eigrp [packet | neighbors]

v2.1
OSPF PART 1
packetlife.net
Protocol Header
8
Attributes
16
Version
24
Type
32
Type Link-State
Length
Algorithm Dijkstra
Router ID
Metric Cost (Bandwidth)
Area ID
Checksum
AD 110
Instance ID
Reserved
Standard RFC 2328, 2740
Data
Protocols IP
Link State Advertisements

Router Link (Type 1)
Lists neighboring routers and the cost to each; flooded within an area
Network Link (Type 2)
Generated by a DR; lists all routers on an adjacent segment; flooded
within an area
Transport IP/89
AllSPF Address 224.0.0.5
AllDR Address 224.0.0.6
Metric Formula
100,000 Kbps*
Network Summary (Type 3)

Generated by an ABR and advertised among areas
cost =
ASBR Summary (Type 4)

Injected by an ABR into the backbone to advertise the presence of an
ASBR within an area
* modifiable with
ospf auto-cost reference-bandwidth
External Link (Type 5)

Generated by an ASBR and flooded throughout the AS to advertise a
route external to OSPF
NSSA External Link (Type 7)
Generated by an ASBR in a not-so-stubby area; converted into a
type 5 LSA by the ABR when leaving the area
Router Types
Area Types
Internal Router
All interfaces reside within the
same area
Backbone Router
A router with an interface in
area 0 (the backbone)
Standard Area
Default OSPF area type
Stub Area
External link (type 5) LSAs are
replaced with a default route
Area Border Router (ABR)

Connects two or more areas
Totally Stubby Area

Type 3, 4, and 5 LSAs are
replaced with a default route
AS Boundary Router (ASBR)

Connects to additional routing
domains; typically located in
the backbone
Not So Stubby Area (NSSA)

A stub area containing an ASBR;
type 5 LSAs are converted to type
7 within the area
link speed
Adjacency States
1 Down
5 Exstart
2 Attempt
6 Exchange
3 Init
7 Loading
4 2-Way
8 Full
DR/BDR Election
The DR serves as a common point for

all adjacencies on a multiaccess
segment
The BDR also maintains adjacencies
with all routers in case the DR fails
Election does not occur on point-topoint or multipoint links
Default priority (0-255) is 1; highest
priority wins; 0 cannot be elected
DR preemption will not occur unless
the current DR is reset
External Route Types

E1 Cost to the advertising ASBR plus the external cost of the route
E2 (Default) Cost of the route as seen by the ASBR
Troubleshooting
Virtual Links
Tunnel formed to join two areas
across an intermediate
show ip [route | protocols]
Both end routers must share a

common area
show ip ospf interface
show ip ospf virtual-links
At least one end must reside in area 0
show ip ospf neighbor
debug ip ospf []
Cannot traverse stub areas
by Jeremy Stretch
v2.1
OSPF PART 2
packetlife.net
Network Types
Nonbroadcast
(NBMA)
DR/BDR Elected Yes

Neighbor Discovery No
Hello/Dead Timers 30/120
Defined By RFC 2328
Supported Topology Full Mesh
Multipoint
Broadcast
Multipoint
Nonbroadcast
Broadcast
Point-to-Point
No
No
Yes
No
Yes
No
Yes
Yes
30/120
30/120
10/40
10/40
RFC 2328
Cisco
Cisco
Cisco
Any
Any
Full Mesh
Point-to-Point
Configuration Example
WAN
Area 0
Area 9
172.16.0.0/18
Backbone
Totally Stubby Area
A
C
Area 1
Area 2
Stub Area
Standard Area
Router B
interface Ethernet0/0
description Area 0
ip address 192.168.0.2 255.255.255.0
ip ospf 100 area 0
!
description Area 2
ip address 192.168.2.1 255.255.255.0
ip ospf 100 area 2
! Optional MD5 authentication configured
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 FooBar
! Give B priority in DR election
ip ospf priority 100
!
description Area 1
ip address 192.168.1.1 255.255.255.0
ip ospf 100 area 1
!
interface Loopback0
ip address 10.0.34.2 255.255.255.0
!
router ospf 100
! Define area 1 as a stub area
area 1 stub
! Virtual link from area 0 to area 9
area 2 virtual-link 10.0.34.3
by Jeremy Stretch
Router A
interface Serial0/0
description WAN Link
ip address 172.16.34.2 255.255.255.252
!
interface FastEthernet0/0
description Area 0
ip address 192.168.0.1 255.255.255.0
!
interface Loopback0
! Used as router ID
ip address 10.0.34.1 255.255.255.0
!
router ospf 100
! Advertising the WAN cloud to OSPF
redistribute static subnets
network 192.168.0.0 0.0.0.255 area 0
!
! Static route to the WAN cloud
ip route 172.16.0.0 255.255.192.0 172.16.34.1
Router C
description Area 9
ip address 192.168.9.1 255.255.255.0
ip ospf 100 area 9
!
description Area 2
ip address 192.168.2.2 255.255.255.0
ip ospf 100 area 2
! Optional MD5 authentication configured
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 FooBar
! Give C second priority (BDR) in election
ip ospf priority 50
!
!
!
!
!
!
interface Loopback0
ip address 10.0.34.3 255.255.255.0
!
router ospf 100
! Define area 9 as a totally stubby area
area 9 stub no-summary
! Virtual link from area 9 to area 0
area 2 virtual-link 10.0.34.2
v2.1
IS-IS PART 1
packetlife.net
Protocol Header
4
Attributes
12
IRPD
Packet Length
Version/Protocol ID Extension
ID Length
PDU Type
16
Type Link-State
Algorithm Dijkstra
Metric Default (10)
Version
AD 115
Reserved
Maximum Area Addresses
Type
Length
Standard ISO 10589

Protocols IP, CLNS
Value ...
Transport Layer 2
NSAP Addressing
Interdomain Part
Routing Levels
Domain-Specific Part
Level 0 Used to locate end systems

NSAP
AFI
IDI
Condensed
Example
HODSP
Area
47
System ID
SEL
0000.0c00.1234
00
Level 1 Routing within an area

Level 2 Backbone between areas
0005.80ff.f800.0000
0001
Interdomain Part (IDP)

Portion of the address used in routing between autonomous
systems; assigned by ISO
Domain-Specific Part (DSP)
Portion of the address relevant only within the local AS
Authority and Format Identifier (AFI)
Identifies the authority which dictates the format of the address
Initial Domain Identifier (IDI)
An organization belonging to the AFI
Level 3 Inter-AS routing

Terminology
Type-Length-Value (TLV)
Variable-length modular datasets
Link State PDU (LSP)
Carry TLVs encompassing link state
information
Sequence Number Packet (SNP)
Used to request and advertise LSPs; can
be complete (CSNP) or partial (PSNP)
Hello Packet
Establishes and maintains neighbor
adjacencies
High Order DSP (HODSP)

The area within the AS
System ID
Unique router identifier; 48 bits for Cisco devices (often taken from
a MAC address)
NSAP Selector (SEL)
Identifies a network layer service; always 0x00 in a NET address
Network Types
Broadcast
DIS Elected Yes

Neighbor Discovery Yes
Hello/Dead Timers 10/30
Designated Intermediate System

A pseudonode responsible for emulating
point-to-point links across a multi-access
segment
Adjacency Requirements
Interface MTUs must match
Point-to-Point
Levels must match
No
Areas must match (if level 1)
Yes
System IDs must be unique
10/30
Authentication must succeed
Troubleshooting
DIS Election
show ip route
show isis spf-log
Highest-priority interface elected
show ip protocols
debug isis spf-events
Highest SNPA (MAC/DLCI) breaks tie
show [clns|isis] neighbor
debug isis adjacencies-packets
Highest system ID breaks SNPA tie
show [clns|isis] interface
debug isis spf-statistics
Default interface priority is 64
show isis database
debug isis update-packets
Current DIS may be preempted
by Jeremy Stretch
v2.0
IS-IS PART 2
packetlife.net
TLV Types
Name
Use
Name
Use
Name
Use
1 Area Addresses
Hello, LSP
6 IS Neighbors
Hello, L2 LSP
128 IP Internal Reach.
LSP
2 IS Neighbors
LSP
8 Padding
Hello
129 Protocols Supported
Hello, LSP
3 ES Neighbors
L1 LSP
9 LSP Entries
SNP
131 IDRPI
SNP, L2 LSP
5 Prefix Neighbors
L2 LSP
132 IP Interface Address
Hello, LSP
10 Authentication All
Area 1
Router A2
192.168.1.0/24
description Area 1
ip address 192.168.1.2 255.255.255.0
ip router isis
isis circuit-type level-1
!
router isis
net 49.0001.0000.0000.00a2.00
A3
A2
10
.0.
0
192.168.2.0/24
30
.4/
Area 2
.0
.0
10
.0
/3
0
A1
Area 3
192.168.3.0/24
B2
C2
B1
10.0.0.8/30
C1
B3
C3
Router B2
description Area 2
ip address 192.168.2.2 255.255.255.0
ip router isis
!
router isis
net 49.0002.0000.0000.00b2.00
Router A1
description Area 1
ip address 192.168.1.1 255.255.255.0
ip router isis
!
interface Serial1/0
no ip address
encapsulation frame-relay
!
interface Serial1/0.1 point-to-point
description To Area 2
ip address 10.0.0.1 255.255.255.252
ip router isis
isis circuit-type level-2-only
! MD5 authentication (keychain not shown)
isis authentication mode md5
isis authentication key-chain <keychain>
frame-relay interface-dlci 101
!
ip address 10.0.0.5 255.255.255.252
ip router isis
!
router isis
net 49.0001.0000.0000.00a1.00
by Jeremy Stretch
Router B1
description Area 2
ip address 192.168.2.1 255.255.255.0
ip router isis
!
interface Serial1/0
no ip address
encapsulation frame-relay
!
ip address 10.0.0.2 255.255.255.252
ip router isis
! MD5 authentication (keychain not shown)
isis authentication mode md5
isis authentication key-chain <keychain>
!
ip address 10.0.0.9 255.255.255.252
ip router isis
!
router isis
net 49.0002.0000.0000.00b1.00
v2.0
BGP PART 1
packetlife.net
Attributes
Name
About BGP
Description
Type Path Vector
Well-known Mandatory Must be supported and propagated

1 Origin
Origin type (IGP, EGP, or unknown)
2 AS Path
List of autonomous systems which the

advertisement has traversed
3 Next Hop
External peer in neighboring AS
Well-known Discretionary Must be supported; propagation optional

5 Local Preference
Metric for internal neighbors to reach

external destinations (default 100)
6 Atomic Aggregate
Includes ASes which have been dropped

due to route aggregation
Optional Transitive Marked as partial if unsupported by neighbor

7 Aggregator
ID and AS of summarizing router
8 Community
Route tag
Optional Nontransitive Deleted if unsupported by neighbor

4
Multiple Exit
Metric for external neighbors to reach the
Discriminator (MED) local AS (default 0)
9 Originator ID
The originator of a reflected route
10 Cluster List
List of cluster IDs
13 Cluster ID
Originating cluster
-- Weight
iBGP AD 200
Standard RFC 4271
Protocols IP
Transport TCP/179
Authentication MD5
Terminology
Autonomous System (AS)
A logical domain under the control of a
single entity
External BGP (eBGP)

BGP adjacencies which span autonomous
system boundaries
Internal BGP (iBGP)

BGP adjacencies formed within a single AS
Synchronization Requirement
A route must be known by an IGP before
it may be advertised to BGP peers
Packet Types
Cisco proprietary, not communicated to

peers (default 0)
Path Selection
Attribute
eBGP AD 20
Open
Update
Keepalive
Notification
Neighbor States
Description
Preference
1 Weight
Administrative preference
Highest
Active Attempting to connect
2 Local Preference
Communicated between peers

within an AS
Highest
Connect TCP session established
3 Self-originated
Prefer paths originated locally
True
4 AS Path
Minimize AS hops
Shortest
5 Origin
Prefer IGP-learned routes over

EGP, and EGP over unknown
IGP
6 MED
Used externally to enter an AS
Lowest
show ip bgp [summary]
7 External
Prefer eBGP routes over iBGP
eBGP
8 IGP Cost
Consider IGP metric
Lowest
show ip route [bgp]
9 eBGP Peering
Favor more stable routes
Oldest
clear ip bgp * [soft]
Tie breaker
Lowest
debug ip bgp []
10 Router ID
Idle Neighbor is not responding
Open Sent Open message sent

Open Confirm Response received
Established Adjacency established
Troubleshooting
Influencing Path Selection

Weight neighbor 172.16.0.1 weight 200
MED default-metric 400
Ignore
bgp bestpath as-path ignore
AS Path
by Jeremy Stretch
Local Preference bgp default local-preference 100

Route Map neighbor 172.16.0.1 route-map Foo
Ignore Cost
bgp bestpath cost-community ignore
Communities
v2.1-r1
BGP PART 2
packetlife.net
AS 65100
F2/0
A
S1/0
S1/1
172.16.0.0/30
172.16.0.4/30
AS 65200
S1/0
S1/0
F0/0
F0/0
10.0.0.0/30
B
F2/0
C
F2/0
OSPF
interface Serial1/0
description Backbone to B
ip address 172.16.0.1 255.255.255.252
!
interface Serial1/1
description Backbone to C
ip address 172.16.0.5 255.255.255.252
!
description LAN
ip address 192.168.1.1 255.255.255.0
!
router bgp 65100
no synchronization
network 172.16.0.0 mask 255.255.255.252
network 172.16.0.4 mask 255.255.255.252
network 192.168.1.0
neighbor South peer-group
neighbor South remote-as 65200
neighbor 172.16.0.2 peer-group South
neighbor 172.16.0.6 peer-group South
no auto-summary
Router A
Router B
description Backbone to C
ip address 10.0.0.1 255.255.255.252
!
interface Serial1/0
description Backbone to A
ip address 172.16.0.2 255.255.255.252
!
description LAN
ip address 192.168.2.1 255.255.255.0
!
router ospf 100
network 10.0.0.1 0.0.0.0 area 0
network 192.168.2.1 0.0.0.0 area 1
!
router bgp 65200
no synchronization
redistribute ospf 100 route-map LAN_Subnets
neighbor 10.0.0.2 remote-as 65200
no auto-summary
!
access-list 10 permit 192.168.0.0 0.0.255.255
!
route-map LAN_Subnets permit 10
match ip address 10
set metric 100
Router C
description Backbone to B
ip address 10.0.0.2 255.255.255.252
!
interface Serial1/0
description Backbone to A
ip address 172.16.0.6 255.255.255.252
!
description LAN
ip address 192.168.3.1 255.255.255.0
!
router ospf 100
network 10.0.0.2 0.0.0.0 area 0
network 192.168.3.1 0.0.0.0 area 2
!
router bgp 65200
no synchronization
redistribute ospf 100 route-map LAN_Subnets
no auto-summary
!
!
route-map LAN_Subnets permit 10
match ip address 10
set metric 100
Router A Routing Table
Router B Routing Table
C
C
C
B
B

172.16.0.4 is directly connected, S1/1
192.168.1.0/24 is directly connected, F2/0
192.168.2.0/24 [20/100] via 172.16.0.2
192.168.3.0/24 [20/100] via 172.16.0.2
by Jeremy Stretch
B
C
C
B
C
O

172.16.0.4 [20/0] via 172.16.0.1
10.0.0.0 is directly connected, F0/0
192.168.1.0/24 [20/0] via 172.16.0.1
192.168.2.0/24 is directly connected, F2/0
IA 192.168.3.0/24 [110/2] via 10.0.0.2, F0/0
v2.1-r1
NETWORK ADDRESS TRANSLATION

Example Topology
packetlife.net
Address Classification
Inside Local
An actual address assigned to

an inside host
An inside address seen from

the outside
An actual address assigned to
Outside Global
an outside host
Inside Global
FastEthernet0
10.0.0.1/16
NAT Inside
FastEthernet1
174.143.212.1/22
NAT Outside
Outside Local
An outside address seen from

the inside
NAT Boundary Configuration
Location
interface FastEthernet0
ip address 10.0.0.1 255.255.0.0
ip nat inside
!
interface FastEthernet1
ip address 174.143.212.1 255.255.252.0
ip nat outside
Perspective
Local
Global
Inside
Inside Local
Inside Global
Outside
Outside Local
Outside Global
Static Source Translation

! One line per static translation
ip nat inside source static 10.0.0.19 192.0.2.1
ip nat outside source static 174.143.212.133 10.0.0.47
ip nat outside source static 174.143.213.240 10.0.2.181
Dynamic Source Translation

! Create an access list to match inside local addresses
!
! Create NAT pool of inside global addresses
ip nat pool MyPool 192.0.2.1 192.0.2.254 prefix-length 24
!
! Combine them with a translation rule
ip nat inside source list 10 pool MyPool
!
! Dynamic translations can be combined with static entries
Terminology
NAT Pool
A pool of IP addresses to be used as inside
global or outside local addresses in translations
Port Address Translation (PAT)

An extension to NAT that translates information
at layer four and above, such as TCP and UDP
port numbers; dynamic PAT configurations
include the overload keyword
Extendable Translation
The extendable keyword must be appended
when multiple overlapping static translations are
configured
Special NAT Pool Types

Rotary Used for load balancing
Match- Preserves the host portion of
Host the address after translation
Port Address Translation (PAT)

! Static layer four port translations
ip nat inside source static tcp 10.0.0.3 8080 192.0.2.1 80
ip nat inside source static udp 10.0.0.14 53 192.0.2.2 53
ip nat outside source static tcp 174.143.212.4 23 10.0.0.8 23
!
! Dynamic port translation with a pool
ip nat inside source list 11 pool MyPool overload
!
! Dynamic translation with interface overloading
ip nat inside source list 11 interface FastEthernet1 overload
Troubleshooting
show ip nat translations [verbose]
clear ip nat translations
NAT Translations Tuning
ip nat translation tcp-timeout <seconds>
ip nat translation udp-timeout <seconds>
ip nat translation max-entries <number>
Inside Destination Translation

! Create a rotary NAT pool
ip nat pool LoadBalServers 10.0.99.200 10.0.99.203 prefix-length 24 type rotary
!
! Enable load balancing across inside hosts for incoming traffic
ip nat inside destination list 12 pool LoadBalServers
by Jeremy Stretch
v1.0
IPSEC
packetlife.net
Protocols
Encryption Algorithms
Internet Security Association and Key Management

Protocol (ISAKMP)
A framework for the negotiation and management of
security associations between peers (traverses UDP/500)
Internet Key Exchange (IKE)
Responsible for key agreement using asymmetric
cryptography
Encapsulating Security Payload (ESP)
Provides data encryption, data integrity, and peer
authentication; IP protocol 50
Authentication Header (AH)
Provides data integrity and peer authentication, but not data
encryption; IP protocol 51
L2
IP
TCP/UDP
Transport
Mode
L2
IP
ESP/AH
Tunnel
Mode
L2
New IP
ESP/AH
Strength
56
Weak
168
Medium
AES Symmetric
128/192/256
Strong
RSA Asymmetric
1024+
Strong
DES Symmetric
3DES Symmetric
Hashing Algorithms
Length (Bits)
MD5 128
Strength
Medium
SHA-1 160
Strong
IKE Phases
Phase 1.5 (optional)

Xauth can optionally be implemented to enforce
user authentication
TCP/UDP
IP
TCP/UDP
Transport Mode
The ESP or AH header is inserted behind the IP header; the
IP header can be authenticated but not encrypted
Tunnel Mode
A new IP header is created in place of the original; this
allows for encryption of the entire original packet
Configuration
crypto isakmp policy 10
encryption aes 256
hash sha
authentication pre-share
group 2
lifetime 3600
Key Length (Bits)
Phase 1
A bidirectional ISAKMP SA is established
between peers to provide a secure management
channel (IKE in main or aggressive mode)
IPsec Modes
Original
Packet
Type
ISAKMP Policy
Phase 2
Two unidirectional IPsec SAs are established for
data transfer using separate keys (IKE quick
mode)
Terminology
Data Integrity
Secure hashing (HMAC) is used to ensure data
has not been altered in transit
Data Confidentiality
Encryption is used to ensure data cannot be
intercepted by a third party
Data Origin Authentication
Authentication of the SA peer
ISAKMP Pre-Shared Key
crypto isakmp key 1 MySecretKey address 10.0.0.2

IPsec Transform Set
crypto ipsec transform-set MyTS esp-aes 256 esp-sha-hmac

mode tunnel
IPsec Profile
crypto ipsec profile MyProfile

set transform-set MyTS
Virtual Tunnel Interface
interface Tunnel0
ip address 172.16.0.1 255.255.255.252
tunnel source 10.0.0.1
tunnel destination 10.0.0.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile MyProfile
Anti-replay
Sequence numbers are used to detect and
discard duplicate packets
Hash Message Authentication Code (HMAC)
A hash of the data and secret key used to
provide message authenticity
Diffie-Hellman Exchange
A shared secret key is established over an
insecure path using public and private keys
Troubleshooting
debug crypto {isakmp | ipsec}
by Jeremy Stretch
v2.0
IPV6
packetlife.net
Protocol Header
8
Ver
16
Address Notation
24
Traffic Class
32
Flow Label
Payload Length
Next Header
Hop Limit
Eliminate leading zeros from all two-byte sets

Replace up to one string of consecutive zeros
with a double-colon (::)
Address Formats
Source Address
Global unicast
Global Prefix
Subnet
Interface ID
48
16
64
Destination Address
Link-local unicast
Version (4 bits) Always set to 6
Interface ID
Traffic Class (8 bits) A DSCP value for QoS
64
Multicast
Flags
Payload Length (16 bits) Length of the payload in bytes

Next Header (8 bits) Header or protocol which follows
Hop Limit (8 bits) Similar to IPv4's time to live field
Group ID
4 4
112
EUI-64 Formation
Source Address (128 bits) Source IP address

Destination Address (128 bits) Destination IP address
64
Scope
Flow Label (20 bits) Identifies unique flows (optional)
MAC
Address Types
EUI-64
Unicast One-to-one communication

Multicast One-to-many communication
Insert 0xfffe between the two halves of the MAC
Anycast An address configured in multiple locations
Flip the seventh bit (universal/local flag) to 1
Multicast Scopes
1 Interface-local
5 Site-local
2 Link-local
8 Org-local
4 Admin-local
E Global
Special-Use Ranges
Extension Headers
Hop-by-hop Options (0)
Carries additional information which must be examined by every
router in the path
Routing (43)
Provides source routing functionality
::/0
Default route
Fragment (44)
Included when a packet has been fragmented by its source
::/128
Unspecified
::1/128
Loopback
Encapsulating Security Payload (50)

Provides payload encryption (IPsec)
::/96
IPv4-compatible*
Authentication Header (51)

Provides packet authentication (IPsec)
::FFFF:0:0/96
IPv4-mapped
2001::/32
Teredo
Destination Options (60)

Carries additional information which pertains only to the recipient
2001:DB8::/32
Documentation
2002::/16
6to4
FC00::/7
Unique local
FE80::/10
Link-local unicast
FEC0::/10
Site-local unicast*
FF00::/8
Multicast
by Jeremy Stretch
Transition Mechanisms
Dual Stack
Transporting IPv4 and IPv6 across an infrastructure simultaneously
Tunneling
IPv6 traffic is encapsulated into IPv4 using IPv6-in-IP, UDP (Teredo),
or Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)
Translation
Stateless IP/ICMP Translation (SIIT) translates IP header fields, NAT
* Deprecated Protocol Translation (NAT-PT) maps between IPv6 and IPv4 addresses
v2.0

Advanced Routing Reference Manual Ver. 0.9

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Advanced Routing Reference Manual Ver. 0.9

Uploaded by

Copyright:

Available Formats

Reference Manual ver. 1.

Created by Paul Nadstoga (pnadstoga@gmali.com)

Autonomous System values match

initially used to discover and verify neighbors

used to exchange routing information

prefix / prefix length

used to respond to a QUERY

Always sent as unicast to specifically inform the originator it does

sent to acknowledge UPDATE, QUERY and REPLY

also known as graceful shutdown

sent as multicast initially and when one ACK received from a

the default HELLO timer depends on the interface bandwidth

Sent as a HELLO packet with all K values set to 255.

<Router(config-if)#ip hello-interval eigrp (AS) (5 | 60, 1-65535 sec.)>

<Router(config-if)#ip hold-timer eigrp (15 | 180, 1-65535 sec.)>

<Router#show ip eigrp interfaces detail>

changing the HELLO timer does not

<Router(config-router)#timers active-time (180, 1-65535 min.)>

DEFAULT HELLO TIMER

DEFAULT HOLD TIMER

< 1.544 Mbps

Multipoint Frame Relay

> 1.544 Mbps

DEFAULT (ONLY K1 + K3 USED AND ARE EQUAL TO 1)

the bandwidth of the interface

ethernet: 100000 Kbit/sec

<Router(config-if)#bandwidth (1-10000000 kbit.)>

Default value for:

measure of time it takes for a packet to traverse a route

To view total delay for a route:

<Router(config-if)#delay (1-16777215 usec.)>

show ip eigrp topology A.A.A.A/MM

amount of traffic utilizing the link

1/255 minimally loaded link

1/255 least reliable link

identical K values are one of the conditions for two

ethernet: 100 usec

K1=1, K2=0, K3=1, K4=0, K5=0

show interface (interface)

EXAMPLE: DEFAULT METRIC CALCULATION

From R3 to 172.30.0.0 /24 through s1/1

From R3 to 172.30.0.0 /24 through fa0/0

To view the table content:

<R1#show ip eigrp neighbors>

H (handle) - an IOS internally used number to track a

list of all routers learnt from each EIGRP neighbor

To view the table content:

the table is updated when a directly connected router /

active - shows only active entries

P(Passive) - correct state for a stable network (network is

To view the table content:

[90/156160] - EIGRPs Administrative Distance (believability)

<Router#show ip route eigrp>

EIGRP OVER NBMA

By default EIGRP uses 50% of the bandwidth specified with the

ip bandwidth-percent defines how much percentage of the

STATICALLY ADD FR MAPS

R1(config-if)#frame-relay map ip 172.16.124.2 102 broadcast

R2(config-if)#frame-relay map ip 172.16.124.1 201 broadcast

At this stage routes from R2 are not being propagated to R3 and

*ENABLE EIGRP NON-BROADCAST MODE --->

R1(config-router)#neighbor 172.16.124.2 s1/0

R2(config-router)#neighbor 172.16.124.1 s1/0

(*the exit interface still has to be advertised with the network

<Router(config-router)#redistribute rip (metric (bandwidth) (delay) (reliability) ( load) (MTU) (route-map