CCNP Bootcamp. Introduction


CCNP Bootcamp
Experts at Making You an Expert
Copyright INE, Inc. All rights reserved

CCNP Bootcamp Introduction

Instructor Introduction
- Brian McGahan, CCIE #8593
  - MCSE NT 4.0, CCNA, CCNP
  - CCIE Routing and Switching
  - CCIE Service Provider
  - CCIE Security
- bmcgahan@ine.com

Asking Questions
- Cisco NDA agreement
- Questions in class
  - Participation is key
- Offline questions
  - Blog
  - Online community
  - Web forum / mailing lists

Class Timing
- Start daily at 9am
- 10 minute break ~ every 50 minutes
- 1 hour lunch break at noon
- Class ends ~ 5pm

Class Objectives
- CCNP validates the ability to plan, implement, verify and troubleshoot local and wide-area enterprise networks and work collaboratively with specialists on advanced security, voice, wireless and video solutions.
- Class goal: not just to pass the test, but to understand the technologies!

CCNP Prerequisites
- Valid CCNA certification
- Basic knowledge of
  - OSI model
  - TCP/IP
  - Layer 2 technologies: Ethernet, Frame Relay, PPP, WiFi
  - Layer 3 technologies: IP routing, RIPv2, EIGRP, OSPF
  - Misc.: DHCP, DNS, ACLs, etc.

CCNP Exam Blueprint
- Exam topics
- Exam tutorial
  - Review the type of exam questions

Class Schedule
- SWITCH
  - Campus Network Design
  - VLANs
  - Trunking
  - VTP
  - Spanning-Tree Protocol
  - EtherChannel
  - Inter-VLAN Routing
  - First Hop Redundancy Protocols
  - Wireless
  - Layer 2 Security
  - Layer 2 VoIP

Class Schedule (cont.)
- ROUTE
  - IP Routing Overview
  - EIGRP
  - OSPF
  - Routing Features
  - BGP
  - IPv6 Routing
  - Redistribution
  - VPN/GRE

Class Schedule (cont.)
- TSHOOT
  - Troubleshooting Tools
  - LAN Troubleshooting
  - IGP Troubleshooting
  - BGP Troubleshooting
  - IPv6 Troubleshooting
  - IP Services & Security Troubleshooting

Recommended Readings
- General networking
  - TCP/IP Illustrated, Volume 1: The Protocols
  - Internetworking with TCP/IP Vol. 1: Principles, Protocols, and Architecture
  - Interconnections: Bridges, Routers, Switches, and Internetworking Protocols
- CCNP specific
  - Authorized self study
  - Exam certification guide
- Cisco in depth
  - Cisco LAN Switching
  - Routing TCP/IP Volumes I & II
  - Cisco documentation

CCNP Hardware
- Building a home lab
- Renting rack time
- Dynamips/PEMU/GNS3

General Q&A

Internetwork Expert's CCNP Bootcamp: Hierarchical Campus Network Design Overview

Hierarchical Campus Network Design Overview
- Per Cisco, a three-layer hierarchical model to design a modular topology using scalable building blocks that allow the network to meet evolving business needs.
- The modular design makes the network easy to scale, understand, and troubleshoot by promoting deterministic traffic patterns.
- The building blocks are
  - Access layer
  - Distribution layer
  - Core (backbone) layer

Campus Network Example
(diagram not recoverable from the transcription)

Why Building Blocks?
- Easy to replicate, redesign, and expand
  - No need to redesign the entire network when a block is added or removed
- Blocks can be added and removed without impacting the rest of the network
- Eases troubleshooting, fault isolation, and management

The Access Layer
- Point of entry for end nodes into the network, e.g. desktops, IP phones, printers, etc.
- Typically comprised of Layer 2 switches, but can also be Layer 3 switches
- Multiple connections to the Distribution Layer for redundancy
- Offers services such as
  - Broadcast domain segmentation (VLANs)
  - QoS (marking, policing, etc.)
  - Security (802.1X, port security, DAI, etc.)
  - Multicast traffic management (IGMP snooping)
  - Inline power

The Distribution Layer
- Aggregates access layer switches
- Typically comprised of Layer 3 switches
- Multiple connections upstream to the Core and downstream to the Access layer
- Offers services such as
  - Gateway redundancy (HSRP/VRRP/GLBP)
  - Bandwidth aggregation (EtherChannel/802.3ad)
  - Load balancing
  - Topology summarization

The Core Layer
- Backbone of the network
- Must be fast and reliable, as all other blocks depend on it
- Typically hardware accelerated Layer 3 switches
- Offers services such as
  - Wire speed forwarding
  - Fast convergence around a link or node failure
  - Efficient bandwidth utilization

Network Device Roles
- To understand how the layers interact, we must understand what role different devices play in the network
- Devices such as
  - Hubs/repeaters
  - Layer 2 bridges/switches
  - Layer 3 routers
  - Layer 3/Layer 4 switches

Hubs & Repeaters
- Work at layer 1 of the OSI model
- When a frame is received it is sent back out all ports, i.e. a multiport repeater
- Typically unintelligent and unmanaged
  - Does not inspect the frame at all before forwarding
  - Accepts no user-defined configuration
- Devices connected to a hub are in the same
  - Collision domain, i.e. Ethernet CSMA/CD half-duplex transmission
  - Broadcast domain

Layer 2 Bridges & Switches
- Work at layer 2 of the OSI model
- Can be managed or unmanaged
- For Ethernet, frames are forwarded based on the destination layer 2 MAC address
  - CAM table used for decisions
  - Other types of switches such as Frame Relay & ATM use similar logic
- Does not rewrite anything in the frame when forwarding
- Switches are hardware accelerated bridges
  - ASICs for specific forwarding jobs
- Devices connected to a bridge/switch are
  - In the same broadcast domain
  - Not in the same collision domain, i.e. full-duplex transmission

Layer 2 Broadcast Domains
- Defines which devices can communicate directly at layer 2
- When a broadcast frame (i.e. FFFF.FFFF.FFFF) is received, it is sent out all ports in the broadcast domain except the one it came in on
- Unmanaged bridges/switches
  - All ports in the same broadcast domain
- Managed switches
  - Use Virtual LANs (VLANs) to group ports into different broadcast domains
  - Frames within the same VLAN are layer 2 switched
  - Packets between VLANs must be layer 3 routed

Layer 2 Switching Design Problems
- Ethernet networks used to have scalability limitations based on the collision domain size
  - Half-duplex CSMA/CD
  - Physical network delay vs. collision detection window
- Layer 2 switches segment the collision domain on a per-port basis to solve this
- Layer 2 switches still have scalability issues based on the total hosts in the network and hosts per broadcast domain

CAM Table Limitations
- Switches use the MAC address (CAM) table to do destination based switching
- The CAM table cannot be summarized like IP routing
  - 50,000 hosts in the network means 50,000 MAC addresses per CAM per switch
  - Even access layer switches!
- When the CAM is full, the switch acts like a hub
  - Forwards all new frames like broadcasts
  - Used in flooding attacks such as macof
- Layer 3 routing segments the MAC flooding domain

Broadcast Domain Limitations
- Devices in the same VLAN, or everyone in a flat network, are directly addressable via FFFF.FFFF.FFFF
- The larger the broadcast domain, the more likelihood of a broadcast storm
  - So much broadcast traffic that the network is unusable
  - Can happen for legitimate or illegitimate reasons, e.g. ARP storm vs. Fraggle attack
- Limiting hosts per VLAN limits the broadcast domain size
  - Usually one VLAN per /24 IP subnet is a good rule
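The CAM table behaviour above, as an added Python model that is not part of the INE slides: a learning switch with a bounded table forwards known destinations out one port, floods unknown unicast and broadcast frames, and once the table is full can no longer learn new hosts, so frames to them are flooded like broadcasts. The per-port learned-MAC count is the quantity port security limits; the switch, port names, MAC addresses and traffic are all constructed for the example.

```python
"""Learning switch with a bounded CAM table (added example, not INE's code)."""
BROADCAST = "ffff.ffff.ffff"


class Switch:
    def __init__(self, ports, cam_capacity):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity
        self.cam = {}            # mac -> port the mac was last seen on
        self.flooded = 0         # frames flooded (unknown unicast or broadcast)

    def learn(self, mac, port):
        """Record mac on port; False when the table is full and mac is new."""
        if mac not in self.cam and len(self.cam) >= self.cam_capacity:
            return False
        self.cam[mac] = port
        return True

    def forward(self, src, dst, in_port):
        """Return the egress ports for a frame received on in_port."""
        self.learn(src, in_port)
        if dst != BROADCAST and dst in self.cam:
            out = self.cam[dst]
            return [] if out == in_port else [out]
        # unknown unicast or broadcast: hub-like flood out every other port
        self.flooded += 1
        return [p for p in self.ports if p != in_port]

    def macs_per_port(self):
        counts = {p: 0 for p in self.ports}
        for port in self.cam.values():
            counts[port] += 1
        return counts


def ports_over_limit(switch, maximum):
    """Ports presenting more MACs than an access port normally should; this
    is the count 'switchport port-security maximum' enforces in hardware."""
    return sorted(p for p, n in switch.macs_per_port().items() if n > maximum)


def demo():
    """Constructed traffic on a 3-port switch whose CAM holds only 4 entries."""
    sw = Switch(ports=["Fa0/1", "Fa0/2", "Fa0/3"], cam_capacity=4)
    sw.forward("0000.0000.0001", BROADCAST, "Fa0/1")            # host A: ARP broadcast
    sw.forward("0000.0000.0002", "0000.0000.0001", "Fa0/2")     # host B answers A
    before = sw.forward("0000.0000.0001", "0000.0000.0002", "Fa0/1")  # A->B: one port
    # ten distinct source MACs appear on Fa0/3 and exhaust the table
    for i in range(10):
        sw.forward("0000.0000.%04x" % (0x100 + i), "0000.0000.0002", "Fa0/3")
    # host C plugs into Fa0/1 but cannot be learned; frames to C now flood
    sw.forward("0000.0000.0009", "0000.0000.0002", "Fa0/1")
    after = sw.forward("0000.0000.0002", "0000.0000.0009", "Fa0/2")
    return before, after, ports_over_limit(sw, maximum=1)


if __name__ == "__main__":
    print(demo())   # (['Fa0/2'], ['Fa0/1', 'Fa0/3'], ['Fa0/3'])
```

Before the table fills, the A-to-B frame leaves only on Fa0/2; afterwards a frame to the unlearned host C leaves on every port but its ingress, which is the "acts like a hub" state the slide describes, and the port that presented ten source MACs is the one the per-port check reports.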

Layer 3 Routers
- Work at layer 3 of the OSI model
- Packets are forwarded based on the destination layer 3 address, e.g. IPv4 address, IPv6 address
  - Routing table used for decisions
- Rebuilds the layer 2 frame header at every hop, e.g. a packet routed between Ethernet and HDLC
- Normally does not modify the layer 3 packet header
  - Exceptions such as NAT
- All router links are in separate collision and broadcast domains
- Software based forwarding

Layer 3 Switches
- The same as Layer 3 routers, but the layer 2 packet rewrite is hardware accelerated with ASICs
- The rewrite process is called the switching path
  - Process switching: CPU interrupt based (slowest)
  - Fast switching: flow based rewrite cache
  - NetFlow switching: previously called Multi-Layer Switching (MLS)
  - Cisco Express Forwarding (CEF) switching: pre-built adjacency table (fastest)
- Layer 3 switching & MLS today is effectively hardware based CEF

Layer 3/Layer 4 Switches
- Layer 3 devices make decisions based only on the destination layer 3 address
  - In some cases where multiple equal-cost paths are available, some paths are underutilized, AKA CEF polarization
- Layer 4 switching adds TCP/UDP src/dst port information into the CEF input in order to vary the output
  - e.g. an HTTP flow vs. an FTP flow between the same 2 hosts can follow different forwarding paths
- Still hardware accelerated for performance, but adds more optimal resource utilization

Further Reading
- Cisco Validated Design program
  - Previously SRNDs
- Enterprise Campus 3.0 Architecture: Overview and Framework
- Campus Network for High Availability Design Guide
- High Availability Campus Recovery Analysis Design Guide

Internetwork Expert's CCNP Bootcamp: VLANs, Trunking, & VTP

VLANs Overview
- Virtual Local Area Network
- Hosts in the same VLAN share the same broadcast domain
- Switches create a separate CAM table per VLAN
- Traffic inside the VLAN is layer 2 switched
- Traffic to outside or between VLANs must be layer 3 routed
- Can span multiple physical switches
  - VLAN trunks, or simply trunks, carry traffic for multiple VLANs between switches on uplinks

VLAN Design Recommendations
- Previously, hosts in the same VLAN were grouped by role, not physical location, e.g. accounting, sales, etc.
- In newer designs, VLAN definitions should typically exist based on physical location, e.g. one VLAN per subnet per access switch
- The old 80/20 rule is really more of a 20/80 rule now

VLAN Numbering
- VLAN membership is defined by number
  - 12-bit field (0-4095)
  - 0 & 4095 reserved per the 802.1Q standard
- Normal VLANs
  - Default Ethernet VLAN
  - 1002/1004 default FDDI VLANs
  - 1003/1005 default Token Ring VLANs
- Extended VLANs
  - More on this later

Creating VLANs
- Cisco IOS based switches store VLAN information in flash in the VLAN database, vlan.dat
- VLANs can be added, deleted, and modified in two ways
  - Exec mode VLAN database mode
    - Being deprecated but still supported on some platforms
  - Global configuration

Creating VLANs in Database Mode
    SW1#vlan database
    % Warning: It is recommended to configure VLAN from config mode,
      as VLAN database mode is being deprecated. Please consult user
      documentation for configuring VTP/VLAN in config mode.

    SW1(vlan)#vlan 10 name ACCOUNTING
    VLAN 10 added:
        Name: ACCOUNTING
    SW1(vlan)#exit
    APPLY completed.
    Exiting....
    SW1#

Creating VLANs in Global Config
    SW1#config t
    Enter configuration commands, one per line.  End with CNTL/Z.
    SW1(config)#vlan 20
    SW1(config-vlan)#name SALES
    SW1(config-vlan)#
    SW1(config-vlan)#exit
    SW1(config)#vlan 30,40,50-55
    SW1(config-vlan)#end
    SW1#

VLAN Verification
    SW1#show vlan brief

    VLAN Name                             Status    Ports
         default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                    Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                    Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                    Fa0/13, Fa0/14, Fa0/15, Fa0/22
                                                    Fa0/23, Fa0/24, Gi0/1, Gi0/2
    10   ACCOUNTING                       active
    20   SALES                            active
    30   VLAN0030                         active
    40   VLAN0040                         active
    50   VLAN0050                         active
    51   VLAN0051                         active
    52   VLAN0052                         active
    53   VLAN0053                         active
    54   VLAN0054                         active
    55   VLAN0055                         active
    1002 fddi-default                     act/unsup
    1003 token-ring-default               act/unsup
    1004 fddinet-default                  act/unsup
    1005 trnet-default                    act/unsup

VLAN Membership
- Once VLANs are created, membership is assigned at the port level
- Layer 2 switchports generally fall into three categories
  - Access switchports: one VLAN per port
  - Trunk switchports: multiple VLANs per port
  - Dynamic switchports: automatically choose access or trunk

Access Ports Example
(diagram: R1 and R3 Fa0/0 connect to SW1 access ports in VLAN 10, Fa0/1 shown; the /24 IP addresses are not recoverable from the transcription)

Basic Access Port Configuration
    R1#
    interface FastEthernet0/0
     ip address

    R3#
    interface FastEthernet0/0
     ip address

    SW1#
    interface FastEthernet0/1
     switchport access vlan 10
     switchport mode access
    !
    interface FastEthernet0/3
     switchport access vlan 10
     switchport mode access

Access Port Verification
    SW1#show vlan brief

    VLAN Name                             Status    Ports
         default                          active    Fa0/2, Fa0/4, Fa0/5, Fa0/6
                                                    Fa0/7, Fa0/8, Fa0/9, Fa0/10
                                                    Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                    Fa0/15, Fa0/22, Fa0/23, Fa0/24
                                                    Gi0/1, Gi0/2
    10   ACCOUNTING                       active    Fa0/1, Fa0/3
    20   SALES                            active
    30   VLAN0030                         active
    40   VLAN0040                         active
    50   VLAN0050                         active
    51   VLAN0051                         active
    52   VLAN0052                         active
    53   VLAN0053                         active
    54   VLAN0054                         active
    55   VLAN0055                         active
    1002 fddi-default                     act/unsup
    1003 token-ring-default               act/unsup
    1004 fddinet-default                  act/unsup
    1005 trnet-default                    act/unsup

Access Port Verification (cont.)
    SW1#show interfaces Fa0/1 switchport
    Name: Fa0/1
    Switchport: Enabled
    Administrative Mode: static access
    Operational Mode: static access
    Administrative Trunking Encapsulation: negotiate
    Operational Trunking Encapsulation: native
    Negotiation of Trunking: Off
    Access Mode VLAN: 10 (ACCOUNTING)
    Trunking Native Mode VLAN: 1 (default)
    Administrative Native VLAN tagging: enabled
    Voice VLAN: none
    Administrative private-vlan host-association: none
    Administrative private-vlan mapping: none
    Administrative private-vlan trunk native VLAN: none
    Administrative private-vlan trunk Native VLAN tagging: enabled
    Administrative private-vlan trunk encapsulation: dot1q
    Administrative private-vlan trunk normal VLANs: none
    Administrative private-vlan trunk private VLANs: none
    Operational private-vlan: none
    Trunking VLANs Enabled: ALL
    Pruning VLANs Enabled:
    Capture Mode Disabled
    Capture VLANs Allowed: ALL

    Protected: false
    Unknown unicast blocked: disabled
    Unknown multicast blocked: disabled
    Appliance trust: none

VLAN Trunks
- Trunk links are used to transport traffic for multiple VLANs between devices
- Typically between two switches, but can also be
  - Switch to router
  - Switch to server
- Traffic sent over a trunk link receives a special trunking encapsulation
  - The normal Ethernet header does not have a field for the VLAN number
  - ISL or 802.1Q headers are added to include this information

Trunking Encapsulations
- Both ISL and 802.1Q accomplish the same goal of encoding the VLAN number in the frame header to separate traffic
- The key differences are
  - ISL
    - Cisco proprietary
    - 30-byte encapsulation for all frames
    - Does not modify the original frame
  - 802.1Q
    - IEEE standard
    - 4-byte tag, except for the native VLAN
    - Modifies the original frame
- See "Inter-Switch Link and IEEE 802.1Q Frame Format" for more info

ISL Trunking
- Inter-Switch Link
- Cisco proprietary
- 30-byte encapsulation overhead
  - 26-byte header
  - 4-byte trailer (FCS)
- Supports Ethernet, Token Ring, and FDDI
- Legacy now, but originally important
  - Being deprecated on many newer platforms

802.1Q Trunking
- AKA dot1q
- IEEE standard
- 4-byte tag overhead
  - Inserts a 4-byte tag between the src/dst MAC and len/ethertype fields
  - Rebuilds the trailer (FCS) since the frame is modified
- Native VLAN support
  - Sent as normal untagged Ethernet frames
- QinQ support
  - Multiple tags on a single frame
  - Used for layer 2 VPNs in Metro Ethernet
  - Similar logic to how MPLS VPNs work
- Generally more preferred because of interoperability

Trunking Example
(diagram: R1 and R3 connect to SW1 Fa0/1 and Fa0/3, R2 and R4 connect to SW2 Fa0/2 and Fa0/4, all in VLAN 10; SW1 Fa0/13 trunks to SW2 Fa0/13; the /24 IP addresses are not recoverable from the transcription)
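The 802.1Q tag layout described above, as an added Python example that is not code from the INE slides: frames are constructed in-line and decoded by reading the 4-byte tag inserted between the source MAC and the length/EtherType field (TPID 0x8100, then a 16-bit TCI of 3-bit priority, 1-bit DEI and 12-bit VLAN ID). Stacked tags (QinQ) are read outermost first, and an untagged frame is what native-VLAN traffic looks like on the wire, so its VLAN has to come from the port, not from the frame. The MAC addresses and the ARP payload are constructed sample data.

```python
"""Build and decode 802.1Q / QinQ tagged Ethernet frames (added example)."""
import struct

TPID_8021Q = 0x8100
TPID_8021AD = 0x88A8   # service tag used by 802.1ad QinQ (0x8100 is also seen)
TPIDS = (TPID_8021Q, TPID_8021AD)


def build_frame(dst, src, ethertype, payload, tags=()):
    """Constructed frame. MACs in 'aaaa.bbbb.cccc' form; tags is a sequence
    of (tpid, pcp, vid) tuples, outermost first."""
    frame = bytes.fromhex(dst.replace(".", "")) + bytes.fromhex(src.replace(".", ""))
    for tpid, pcp, vid in tags:
        tci = (pcp << 13) | (vid & 0x0FFF)          # DEI bit left clear
        frame += struct.pack("!HH", tpid, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return (tags, ethertype, payload_offset); tags is a list of (pcp, vid),
    outermost first, and empty for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    offset, tags = 12, []                           # tags start after dst+src MAC
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame truncated after VLAN tag")
        (field,) = struct.unpack_from("!H", frame, offset)
        if field not in TPIDS:
            return tags, field, offset + 2          # reached len/EtherType
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append((tci >> 13, tci & 0x0FFF))
        offset += 4                                 # each tag costs 4 bytes


def effective_vlan(frame, native_vlan):
    """VLAN a receiving trunk port assigns the frame to: the outer tag's VID,
    or the port's native VLAN when the frame is untagged or carries VID 0
    (priority-tagged)."""
    tags, _, _ = parse_tags(frame)
    if not tags or tags[0][1] == 0:
        return native_vlan
    return tags[0][1]


def tag_overhead(frame):
    """Bytes of trunking encapsulation present on the frame (4 per tag)."""
    return 4 * len(parse_tags(frame)[0])


# constructed sample frames: an ARP broadcast as sent by a host in VLAN 10
PAYLOAD = bytes(28)
UNTAGGED = build_frame("ffff.ffff.ffff", "0000.0000.0001", 0x0806, PAYLOAD)
TAGGED = build_frame("ffff.ffff.ffff", "0000.0000.0001", 0x0806, PAYLOAD,
                     tags=[(TPID_8021Q, 0, 10)])
QINQ = build_frame("ffff.ffff.ffff", "0000.0000.0001", 0x0806, PAYLOAD,
                   tags=[(TPID_8021AD, 0, 100), (TPID_8021Q, 5, 10)])

if __name__ == "__main__":
    for name, f in (("untagged", UNTAGGED), ("802.1Q", TAGGED), ("QinQ", QINQ)):
        print(name, parse_tags(f), "effective VLAN", effective_vlan(f, native_vlan=1))
```

The tagged frame is exactly 4 bytes longer than the untagged one and the QinQ frame 8 bytes longer, which is the per-tag overhead the slide quotes; the untagged frame decodes with no VLAN information at all, which is why native-VLAN traffic depends entirely on both ends of the trunk agreeing on the native VLAN number.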

ISL Trunking Configuration
    R1#
    interface FastEthernet0/0
     ip address

    R2#
    interface FastEthernet0/0
     ip address

    R3#
    interface FastEthernet0/0
     ip address

    R4#
    interface FastEthernet0/0
     ip address

    SW1#
    interface FastEthernet0/1
     switchport access vlan 10
     switchport mode access
    !
    interface FastEthernet0/3
     switchport access vlan 10
     switchport mode access
    !
    interface FastEthernet0/13
     switchport trunk encapsulation isl
     switchport mode trunk

    SW2#
    interface FastEthernet0/2
     switchport access vlan 10
     switchport mode access
    !
    interface FastEthernet0/4
     switchport access vlan 10
     switchport mode access
    !
    interface FastEthernet0/13
     switchport trunk encapsulation isl
     switchport mode trunk

ISL Trunking Verification
    SW1#show interface trunk

    Port        Mode         Encapsulation  Status        Native vlan
    Fa0/13      on           isl            trunking      1

    Port        Vlans allowed on trunk
    Fa0/

    Port        Vlans allowed and active in management domain
    Fa0/13      1,10

    Port        Vlans in spanning tree forwarding state and not pruned
    Fa0/13      1,10

    SW1#show interface Fa0/13 switchport
    Name: Fa0/13
    Switchport: Enabled
    Administrative Mode: trunk
    Operational Mode: trunk
    Administrative Trunking Encapsulation: isl
    Operational Trunking Encapsulation: isl
    Negotiation of Trunking: On
    Access Mode VLAN: 1 (default)
    Trunking Native Mode VLAN: 1 (default)
    Administrative Native VLAN tagging: enabled
    Voice VLAN: none
    Administrative private-vlan host-association: none
    Administrative private-vlan mapping: none
    Administrative private-vlan trunk native VLAN: none
    Administrative private-vlan trunk Native VLAN tagging: enabled
    Administrative private-vlan trunk encapsulation: dot1q
    Administrative private-vlan trunk normal VLANs: none
    Administrative private-vlan trunk private VLANs: none
    Operational private-vlan: none
    Trunking VLANs Enabled: ALL
    Pruning VLANs Enabled:
    Capture Mode Disabled
    Capture VLANs Allowed: ALL

    Protected: false
    Unknown unicast blocked: disabled
    Unknown multicast blocked: disabled
    Appliance trust: none

802.1Q Trunking Configuration
    R1#
    interface FastEthernet0/0
     ip address

    R2#
    interface FastEthernet0/0
     ip address

    R3#
    interface FastEthernet0/0
     ip address

    R4#
    interface FastEthernet0/0
     ip address

    SW1#
    interface FastEthernet0/1
     switchport access vlan 10
     switchport mode access
    !
    interface FastEthernet0/3
     switchport access vlan 10
     switchport mode access
    !
    interface FastEthernet0/13
     switchport trunk encapsulation dot1q
     switchport mode trunk

    SW2#
    interface FastEthernet0/2
     switchport access vlan 10
     switchport mode access
    !
    interface FastEthernet0/4
     switchport access vlan 10
     switchport mode access
    !
    interface FastEthernet0/13
     switchport trunk encapsulation dot1q
     switchport mode trunk

802.1Q Trunking Verification
    SW1#show interfaces trunk

    Port        Mode         Encapsulation  Status        Native vlan
    Fa0/13      on           802.1q         trunking      1

    Port        Vlans allowed on trunk
    Fa0/

    Port        Vlans allowed and active in management domain
    Fa0/13      1,10

    Port        Vlans in spanning tree forwarding state and not pruned
    Fa0/13      none

    SW1#show interfaces fa0/13 switchport
    Name: Fa0/13
    Switchport: Enabled
    Administrative Mode: trunk
    Operational Mode: trunk
    Administrative Trunking Encapsulation: dot1q
    Operational Trunking Encapsulation: dot1q
    Negotiation of Trunking: On
    Access Mode VLAN: 1 (default)
    Trunking Native Mode VLAN: 1 (default)
    Administrative Native VLAN tagging: enabled
    Voice VLAN: none
    Administrative private-vlan host-association: none
    Administrative private-vlan mapping: none
    Administrative private-vlan trunk native VLAN: none
    Administrative private-vlan trunk Native VLAN tagging: enabled
    Administrative private-vlan trunk encapsulation: dot1q
    Administrative private-vlan trunk normal VLANs: none
    Administrative private-vlan trunk private VLANs: none
    Operational private-vlan: none
    Trunking VLANs Enabled: ALL
    Pruning VLANs Enabled:
    Capture Mode Disabled
    Capture VLANs Allowed: ALL

    Protected: false
    Unknown unicast blocked: disabled
    Unknown multicast blocked: disabled
    Appliance trust: none

Dynamic Switchports
- Dynamic switchports automatically choose whether to run in access or trunking mode
- Runs the Dynamic Trunking Protocol (DTP) to negotiate, in order
  - ISL trunk
  - 802.1Q trunk
  - Access port
- Configured as switchport mode dynamic [auto | desirable]
- Disabled with switchport nonegotiate or switchport mode access

Dynamic Trunking Config & Verification
    SW1#
    interface FastEthernet0/13
     switchport mode dynamic desirable

    SW2#
    interface FastEthernet0/13
     switchport mode dynamic auto

    SW1#show interfaces trunk

    Port        Mode         Encapsulation  Status        Native vlan
    Fa0/13      desirable    n-isl          trunking      1

    Port        Vlans allowed on trunk
    Fa0/

    Port        Vlans allowed and active in management domain
    Fa0/13      1,10

    Port        Vlans in spanning tree forwarding state and not pruned
    Fa0/13      none

    SW2#show interfaces trunk

    Port        Mode         Encapsulation  Status        Native vlan
    Fa0/13      auto         n-isl          trunking      1

    Port        Vlans allowed on trunk
    Fa0/

    Port        Vlans allowed and active in management domain
    Fa0/13      1,10

    Port        Vlans in spanning tree forwarding state and not pruned
    Fa0/13      none

Dynamic Trunking Verification (cont.)
    SW1#show interfaces fa0/13 switchport
    Name: Fa0/13
    Switchport: Enabled
    Administrative Mode: dynamic desirable
    Operational Mode: trunk
    Administrative Trunking Encapsulation: negotiate
    Operational Trunking Encapsulation: isl
    Negotiation of Trunking: On
    Access Mode VLAN: 1 (default)
    Trunking Native Mode VLAN: 1 (default)
    Administrative Native VLAN tagging: enabled
    Voice VLAN: none
    Administrative private-vlan host-association: none
    Administrative private-vlan mapping: none
    Administrative private-vlan trunk native VLAN: none
    Administrative private-vlan trunk Native VLAN tagging: enabled
    Administrative private-vlan trunk encapsulation: dot1q
    Administrative private-vlan trunk normal VLANs: none
    Administrative private-vlan trunk private VLANs: none
    Operational private-vlan: none
    Trunking VLANs Enabled: ALL
    Pruning VLANs Enabled:
    Capture Mode Disabled
    Capture VLANs Allowed: ALL

    Protected: false
    Unknown unicast blocked: disabled
    Unknown multicast blocked: disabled
    Appliance trust: none

Dynamic Trunking Verification (cont.)
    SW2#show interfaces fa0/13 switchport
    Name: Fa0/13
    Switchport: Enabled
    Administrative Mode: dynamic auto
    Operational Mode: trunk
    Administrative Trunking Encapsulation: negotiate
    Operational Trunking Encapsulation: isl
    Negotiation of Trunking: On
    Access Mode VLAN: 1 (default)
    Trunking Native Mode VLAN: 1 (default)
    Administrative Native VLAN tagging: enabled
    Voice VLAN: none
    Administrative private-vlan host-association: none
    Administrative private-vlan mapping: none
    Administrative private-vlan trunk native VLAN: none
    Administrative private-vlan trunk Native VLAN tagging: enabled
    Administrative private-vlan trunk encapsulation: dot1q
    Administrative private-vlan trunk normal VLANs: none
    Administrative private-vlan trunk private VLANs: none
    Operational private-vlan: none
    Trunking VLANs Enabled: ALL
    Pruning VLANs Enabled:
    Capture Mode Disabled
    Capture VLANs Allowed: ALL

    Protected: false
    Unknown unicast blocked: disabled
    Unknown multicast blocked: disabled
    Appliance trust: none
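The DTP negotiation shown in the dynamic trunking slides, as an added Python model that is not code from the INE slides: it resolves each end's operational mode from the two configured modes (access, trunk, dynamic auto, dynamic desirable, with or without nonegotiate) and flags ports whose access/trunk state is decided by whatever the neighbour sends rather than by configuration, which is the condition that switchport nonegotiate or switchport mode access removes. The Port structure and the sample port names are assumptions of the example.

```python
"""Resolve a link's trunking state from the DTP settings on both ends (added example)."""
from collections import namedtuple

ACCESS, TRUNK = "access", "trunk"
AUTO, DESIRABLE = "dynamic auto", "dynamic desirable"

# nonegotiate=True models 'switchport nonegotiate': the port sends no DTP frames
Port = namedtuple("Port", "mode nonegotiate")


def dtp_requests(port):
    """Does this port send DTP frames asking the peer to form a trunk?"""
    return not port.nonegotiate and port.mode in (TRUNK, DESIRABLE)


def dtp_responds(port):
    """Does this port agree to trunk when the peer asks?"""
    return not port.nonegotiate and port.mode in (TRUNK, DESIRABLE, AUTO)


def operational_mode(local, remote):
    """Operational mode of `local` given its DTP neighbour `remote`."""
    if local.mode in (ACCESS, TRUNK):
        return local.mode                       # static, whatever the peer does
    if dtp_requests(remote):
        return TRUNK                            # peer asked; a dynamic port agrees
    if local.mode == DESIRABLE and dtp_responds(remote):
        return TRUNK                            # we asked and the peer agreed
    return ACCESS                               # nobody asked, or nobody answered


def link_state(a, b):
    """(mode of a, mode of b, 'ok' | 'mismatch'). A mismatch means one end
    trunks while the other treats the link as an access port."""
    ma, mb = operational_mode(a, b), operational_mode(b, a)
    return ma, mb, "ok" if ma == mb else "mismatch"


def negotiable_ports(ports):
    """Names of ports whose access/trunk state depends on what the peer sends."""
    return sorted(name for name, p in ports.items()
                  if p.mode in (AUTO, DESIRABLE) and not p.nonegotiate)


if __name__ == "__main__":
    # the slide's example: SW1 Fa0/13 dynamic desirable, SW2 Fa0/13 dynamic auto
    print(link_state(Port(DESIRABLE, False), Port(AUTO, False)))   # trunk, trunk, ok
    print(link_state(Port(AUTO, False), Port(AUTO, False)))        # access, access, ok
    print(link_state(Port(TRUNK, True), Port(AUTO, False)))        # trunk, access, mismatch
    print(negotiable_ports({"SW1 Fa0/13": Port(DESIRABLE, False),
                            "SW1 Fa0/1": Port(ACCESS, False)}))    # ['SW1 Fa0/13']
```

The desirable/auto pair reproduces the output above (both ends operationally trunk); two auto ports never trunk because neither asks; and a trunk port with nonegotiate facing an auto port is a mismatch, since the auto side never hears a DTP request. The audit function lists the ports that an auditor would want to pin to a static mode.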

Trunk Port VLAN Membership
- By default, trunk ports carry traffic for all VLANs
  - Called the trunk allowed list
- VLANs can be manually filtered off the trunk by removing them from the allowed list
- Used to reduce
  - Broadcast transmission
  - Unknown unicast/multicast transmission
  - Spanning-Tree overhead
    - More on this later

Allowed List Example
(diagram not recoverable from the transcription)

Allowed List Configuration
    SW1#
    interface FastEthernet0/13
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 10
     switchport mode trunk
    !
    interface FastEthernet0/16
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 20
     switchport mode trunk

    SW2#
    interface FastEthernet0/13
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 10
     switchport mode trunk

    SW3#
    interface FastEthernet0/13
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 20
     switchport mode trunk

Allowed List Verification
    SW1#show interfaces trunk

    Port        Mode         Encapsulation  Status        Native vlan
    Fa0/13      on           802.1q         trunking      1
    Fa0/16      on           802.1q         trunking      1

    Port        Vlans allowed on trunk
    Fa0/13      10
    Fa0/16      20

    Port        Vlans allowed and active in management domain
    Fa0/13      10
    Fa0/16      20

    Port        Vlans in spanning tree forwarding state and not pruned
    Fa0/13      10
    Fa0/16      20

VLAN Administration
- In order for devices to be in the same broadcast domain, VLAN numbers must be consistent and inter-switch links must run trunking
- As the layer 2 network size grows, managing VLAN numbers and trunk allowed lists involves large administrative overhead
- VTP solves this administration problem

VTP Overview
- VLAN Trunking Protocol
- Cisco proprietary
- Used to dynamically
  - Advertise addition, removal, and modification of VLAN properties (number, name, etc.)
  - Negotiate trunking allowed lists (VTP pruning)
- Does not affect actual VLAN assignments
  - Still manually needed with switchport access vlan [vlan]

How VTP Works
- VTP domain
  - To exchange information, switches must belong to the same domain
- VTP mode
  - Controls who can advertise new/modified information
  - Modes are server, client, and transparent
- VTP revision number
  - Sequence number to ensure consistent databases
  - A higher revision indicates a newer database

VTP Domains
- The VTP domain name controls which devices can exchange VTP advertisements
- The VTP domain does not define the broadcast domain
  - Hosts on switches in different VTP domains that share the same VLAN numbers are still in the same broadcast domain
- Configured as vtp domain [name]
  - Defaults to a null value
  - A switch inherits the VTP domain name of the first advertisement it hears

VTP Server Mode
- Default mode
- Allows addition, deletion, and modification of VLAN information
- Changes on the server overwrite the rest of the domain
- Configured as vtp mode server

VTP Client Mode
- Cannot add, remove, or modify VLAN information
- Listens for advertisements originated by a server, installs them, and passes them on
- Configured as vtp mode client

VTP Transparent Mode
- Keeps a separate VTP database from the rest of the domain
- Does not originate advertisements
- Transparently passes received advertisements through without installing them
- Needed for some applications like Private VLANs
- Configured as vtp mode transparent

VTP Security
- VTP is susceptible to attacks or misconfiguration where VLANs are deleted
  - Access ports in a VLAN that does not exist cannot forward traffic
- MD5 authentication protects against attack
  - vtp password [password]
  - Does not protect against misconfiguration
- VTP transparent mode recommendation
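The VTP behaviour the slides above describe (domain membership, revision numbers, the MD5 password and transparent mode), as an added Python model that is not code from the INE slides and is not the VTP wire format: the summary-advertisement MD5 is stood in for by a hypothetical HMAC-MD5 over the domain name, revision and VLAN list keyed with the VTP password. It shows that a switch installs a database only from its own domain, only when the digest verifies with its own password, and only when the revision is higher, so a switch with the right password but a stale, higher-revision database (the misconfiguration case) still overwrites the domain, while an advertisement built with a different password fails the digest check. The switch names, domain CISCO and password VTPPASS follow the VTP example; the scenario itself is constructed.

```python
"""Model of how a switch decides whether to install a VTP advertisement (added example)."""
import hashlib
import hmac


def vtp_digest(domain, password, revision, vlans):
    # hypothetical stand-in for the real summary-advertisement MD5 computation
    msg = "%s|%d|%s" % (domain, revision, ",".join(str(v) for v in sorted(vlans)))
    return hmac.new(password.encode(), msg.encode(), hashlib.md5).hexdigest()


class VtpSwitch:
    def __init__(self, name, mode, domain, password, revision=0, vlans=(1,)):
        self.name, self.mode = name, mode               # server | client | transparent
        self.domain, self.password = domain, password
        self.revision, self.vlans = revision, set(vlans)

    def advertise(self):
        return {"domain": self.domain, "revision": self.revision,
                "vlans": sorted(self.vlans),
                "digest": vtp_digest(self.domain, self.password, self.revision, self.vlans)}

    def receive(self, adv):
        """Return what this switch did with the advertisement."""
        if self.mode == "transparent":
            return "forwarded-not-installed"   # passed on, own database untouched
        if adv["domain"] != self.domain:
            return "ignored-domain"
        expected = vtp_digest(adv["domain"], self.password, adv["revision"], adv["vlans"])
        if not hmac.compare_digest(expected, adv["digest"]):
            return "ignored-digest"            # password mismatch: not authenticated
        if adv["revision"] <= self.revision:
            return "ignored-revision"          # advertised database is not newer
        self.revision, self.vlans = adv["revision"], set(adv["vlans"])
        return "installed"


def demo():
    """Constructed scenario: SW1 server, SW2 client, SW3 transparent."""
    sw1 = VtpSwitch("SW1", "server", "CISCO", "VTPPASS", revision=7, vlans=[1, 10, 20, 30])
    sw2 = VtpSwitch("SW2", "client", "CISCO", "VTPPASS")
    sw3 = VtpSwitch("SW3", "transparent", "CISCO", "VTPPASS", vlans=[1, 3, 33])
    results = [sw2.receive(sw1.advertise()), sw3.receive(sw1.advertise())]
    # right password, but a stale database carrying a higher revision (e.g. a
    # switch brought in from a lab): it is installed and VLANs 10,20,30 vanish
    stale = VtpSwitch("LAB", "server", "CISCO", "VTPPASS", revision=9, vlans=[1])
    results.append(sw2.receive(stale.advertise()))
    # a switch whose password does not match fails the digest check
    other = VtpSwitch("X", "server", "CISCO", "otherpass", revision=50, vlans=[1])
    results.append(sw2.receive(other.advertise()))
    return results, sw2.revision, sorted(sw2.vlans), sorted(sw3.vlans)


if __name__ == "__main__":
    print(demo())
```

The run shows why the slides pair the password with the transparent-mode recommendation: the password stops an unauthenticated advertisement, but the stale-switch case passes authentication and still deletes VLANs, and only the transparent switch keeps its own database through both.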

VTP Example
(diagram not recoverable from the transcription)

VTP Configuration
    SW1#
    vtp mode server
    vtp domain CISCO
    vtp password VTPPASS
    vlan 10,20,30,40,50-55

    SW2#
    vtp mode client
    vtp domain CISCO
    vtp password VTPPASS

    SW3#
    vtp mode client
    vtp domain CISCO
    vtp password VTPPASS

    SW4#
    vtp mode client
    vtp domain CISCO
    vtp password VTPPASS

VTP Verification
    SW1#show vtp status
    VTP Version                     : 2
    Configuration Revision          : 7
    Maximum VLANs supported locally : 1005
    Number of existing VLANs        : 15
    VTP Operating Mode              : Server
    VTP Domain Name                 : CISCO
    VTP Pruning Mode                : Disabled
    VTP V2 Mode                     : Disabled
    VTP Traps Generation            : Disabled
    MD5 digest                      : 0xB0 0x6D 0xC8 0xD8 0x1C 0x45 0xD8 0x60
    Configuration last modified by  at  :30:42
    Local updater ID is  (no valid interface found)

    SW2#show vtp status
    VTP Version                     : 2
    Configuration Revision          : 7
    Maximum VLANs supported locally : 1005
    Number of existing VLANs        : 15
    VTP Operating Mode              : Client
    VTP Domain Name                 : CISCO
    VTP Pruning Mode                : Disabled
    VTP V2 Mode                     : Disabled
    VTP Traps Generation            : Disabled
    MD5 digest                      : 0xB0 0x6D 0xC8 0xD8 0x1C 0x45 0xD8 0x60
    Configuration last modified by  at  :30:42

VTP Verification (cont.)
    SW3#show vtp status
    VTP Version                     : 2
    Configuration Revision          : 7
    Maximum VLANs supported locally : 1005
    Number of existing VLANs        : 15
    VTP Operating Mode              : Client
    VTP Domain Name                 : CISCO
    VTP Pruning Mode                : Disabled
    VTP V2 Mode                     : Disabled
    VTP Traps Generation            : Disabled
    MD5 digest                      : 0xB0 0x6D 0xC8 0xD8 0x1C 0x45 0xD8 0x60
    Configuration last modified by  at  :30:42

    SW4#show vtp status
    VTP Version                     : 2
    Configuration Revision          : 7
    Maximum VLANs supported locally : 1005
    Number of existing VLANs        : 15
    VTP Operating Mode              : Client
    VTP Domain Name                 : CISCO
    VTP Pruning Mode                : Disabled
    VTP V2 Mode                     : Disabled
    VTP Traps Generation            : Disabled
    MD5 digest                      : 0xB0 0x6D 0xC8 0xD8 0x1C 0x45 0xD8 0x60
    Configuration last modified by  at  :30:42

VTP Verification (cont.)
    SW1#show vlan brief

    VLAN Name                             Status    Ports
         default                          active    Fa0/2, Fa0/4, Fa0/5, Fa0/6
                                                    Fa0/7, Fa0/8, Fa0/9, Fa0/10
                                                    Fa0/11, Fa0/12, Fa0/14, Fa0/15
                                                    Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                    Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                    Gi0/1, Gi0/2
    10   VLAN0010                         active    Fa0/1, Fa0/3
    20   VLAN0020                         active
    30   VLAN0030                         active
    40   VLAN0040                         active
    50   VLAN0050                         active
    51   VLAN0051                         active
    52   VLAN0052                         active
    53   VLAN0053                         active
    54   VLAN0054                         active
    55   VLAN0055                         active
    1002 fddi-default                     act/unsup
    1003 token-ring-default               act/unsup
    1004 fddinet-default                  act/unsup
    1005 trnet-default                    act/unsup

VTP Verification (cont.)
    SW4#show vlan brief

    VLAN Name                             Status    Ports
         default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                    Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                    Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                    Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                    Fa0/17, Fa0/18, Fa0/20, Fa0/21
                                                    Fa0/22, Fa0/23, Fa0/24, Gi0/1
                                                    Gi0/2
    10   VLAN0010                         active
    20   VLAN0020                         active
    30   VLAN0030                         active
    40   VLAN0040                         active
    50   VLAN0050                         active
    51   VLAN0051                         active
    52   VLAN0052                         active
    53   VLAN0053                         active
    54   VLAN0054                         active
    55   VLAN0055                         active
    1002 fddi-default                     act/unsup
    1003 token-ring-default               act/unsup
    1004 fddinet-default                  act/unsup
    1005 trnet-default                    act/unsup

VTP Transparent Configuration
    SW1#
    vtp mode server
    vtp domain CISCO
    no vtp password
    vlan 10,20,30,40,50-55

    SW2#
    vtp mode client
    vtp domain CISCO
    no vtp password

    SW3#
    vtp mode transparent
    vtp domain CISCO
    no vtp password
    no vlan 10,20,30,40,50-55
    vlan 3,33,333,3333

    SW4#
    vtp mode client
    vtp domain CISCO
    no vtp password

VTP Transparent Verification
    SW1#show vtp status
    VTP Version                     : 2
    Configuration Revision          : 9
    Maximum VLANs supported locally : 1005
    Number of existing VLANs        : 15
    VTP Operating Mode              : Server
    VTP Domain Name                 : CISCO
    VTP Pruning Mode                : Disabled
    VTP V2 Mode                     : Disabled
    VTP Traps Generation            : Disabled
    MD5 digest                      : 0xD3 0x41 0xF1 0x21 0x12 0xF7 0x11 0xBF
    Configuration last modified by  at  :35:59
    Local updater ID is  (no valid interface found)

    SW2#show vtp status
    VTP Version                     : 2
    Configuration Revision          : 9
    Maximum VLANs supported locally : 1005
    Number of existing VLANs        : 15
    VTP Operating Mode              : Client
    VTP Domain Name                 : CISCO
    VTP Pruning Mode                : Disabled
    VTP V2 Mode                     : Disabled
    VTP Traps Generation            : Disabled
    MD5 digest                      : 0xD3 0x41 0xF1 0x21 0x12 0xF7 0x11 0xBF
    Configuration last modified by  at  :35:59

VTP Transparent Verification (cont.)
    SW3#show vtp status
    VTP Version                     : 2
    Configuration Revision          : 0
    Maximum VLANs supported locally : 1005
    Number of existing VLANs        : 8
    VTP Operating Mode              : Transparent
    VTP Domain Name                 : CISCO
    VTP Pruning Mode                : Disabled
    VTP V2 Mode                     : Disabled
    VTP Traps Generation            : Disabled
    MD5 digest                      : 0x15 0x07 0xC0 0x68 0xA7 0xCD 0xCC 0xD2
    Configuration last modified by  at  :30:42

    SW4#show vtp status
    VTP Version                     : 2
    Configuration Revision          : 9
    Maximum VLANs supported locally : 1005
    Number of existing VLANs        : 15
    VTP Operating Mode              : Client
    VTP Domain Name                 : CISCO
    VTP Pruning Mode                : Disabled
    VTP V2 Mode                     : Disabled
    VTP Traps Generation            : Disabled
    MD5 digest                      : 0xD3 0x41 0xF1 0x21 0x12 0xF7 0x11 0xBF
    Configuration last modified by  at  :35:59

VTP Transparent Verification (cont.)
    SW1#show vlan brief

    VLAN Name                             Status    Ports
         default                          active    Fa0/2, Fa0/4, Fa0/5, Fa0/6
                                                    Fa0/7, Fa0/8, Fa0/9, Fa0/10
                                                    Fa0/11, Fa0/12, Fa0/14, Fa0/15
                                                    Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                    Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                    Gi0/1, Gi0/2
    10   VLAN0010                         active    Fa0/1, Fa0/3
    20   VLAN0020                         active
    30   VLAN0030                         active
    40   VLAN0040                         active
    50   VLAN0050                         active
    51   VLAN0051                         active
    52   VLAN0052                         active
    53   VLAN0053                         active
    54   VLAN0054                         active
    55   VLAN0055                         active
    1002 fddi-default                     act/unsup
    1003 token-ring-default               act/unsup
    1004 fddinet-default                  act/unsup
    1005 trnet-default                    act/unsup

VTP Transparent Verification (cont.)
    SW3#show vlan brief

    VLAN Name                             Status    Ports
         default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                    Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                    Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                    Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                    Fa0/18, Fa0/20, Fa0/21, Fa0/22
                                                    Fa0/23, Fa0/24, Gi0/1, Gi0/2
    3    VLAN0003                         active
    33   VLAN0033                         active
    333  VLAN0333                         active
    1002 fddi-default                     act/unsup
    1003 token-ring-default               act/unsup
    1004 fddinet-default                  act/unsup
    1005 trnet-default                    act/unsup
    3333 VLAN3333                         active

VTP Pruning
- Broadcasts and unknown unicast/multicast frames are flooded everywhere in the broadcast domain
  - Includes trunk links
- Editing the allowed list limits this flooding, but with large administrative overhead
- VTP pruning automates this procedure
  - Switches advertise what VLANs they need
  - All other VLANs are pruned (removed) off the trunk link
- Does not work for transparent mode

VTP Pruning Example
(diagram: SW1 Fa0/13 trunks to SW2 Fa0/13, SW1 Fa0/16 trunks to SW3 Fa0/13, SW3 Fa0/19 trunks to SW4 Fa0/19; SW1 has hosts in VLANs 10, 20 and 30, SW2 in VLAN 10, SW3 in VLAN 20, SW4 in VLAN 30)

VTP Pruning Configuration
    SW1#
    vtp domain CISCO
    vtp mode server
    vtp pruning
    vlan 10,20,30
    !
    interface FastEthernet0/1
     switchport mode access
     switchport access vlan 10
    !
    interface FastEthernet0/3
     switchport mode access
     switchport access vlan 20
    !
    interface FastEthernet0/5
     switchport mode access
     switchport access vlan 30
    !
    interface FastEthernet0/13
     switchport trunk encapsulation dot1q
     switchport mode trunk
    !
    interface FastEthernet0/16
     switchport trunk encapsulation dot1q
     switchport mode trunk

    SW2#
    vtp domain CISCO
    vtp mode client
    !
    interface FastEthernet0/2
     switchport mode access
     switchport access vlan 10
    !
    interface FastEthernet0/13
     switchport trunk encapsulation dot1q
     switchport mode trunk

    SW3#
    vtp domain CISCO
    vtp mode client
    !
    interface FastEthernet0/3
     switchport mode access
     switchport access vlan 20
    !
    interface FastEthernet0/13
     switchport trunk encapsulation dot1q
     switchport mode trunk
    !
    interface FastEthernet0/19
     switchport trunk encapsulation dot1q
     switchport mode trunk

    SW4#
    vtp domain CISCO
    vtp mode client
    !
    interface FastEthernet0/4
     switchport mode access
     switchport access vlan 30
    !
    interface FastEthernet0/19
     switchport trunk encapsulation dot1q
     switchport mode trunk

44 VTP Pruning Verification (cont.)

    SW1#show vtp status
    VTP Version                     : 2
    Configuration Revision          : 12
    Maximum VLANs supported locally : 1005
    Number of existing VLANs        : 8
    VTP Operating Mode              : Server
    VTP Domain Name                 : CISCO
    VTP Pruning Mode                : Enabled
    VTP V2 Mode                     : Disabled
    VTP Traps Generation            : Disabled
    MD5 digest                      : 0xF6 0x11 0xDA 0x50 0x99 0x7B 0x17 0x0F
    Configuration last modified by at :45:40
    Local updater ID is (no valid interface found)

    SW2#show vtp status
    VTP Version                     : 2
    Configuration Revision          : 12
    Maximum VLANs supported locally : 1005
    Number of existing VLANs        : 8
    VTP Operating Mode              : Client
    VTP Domain Name                 : CISCO
    VTP Pruning Mode                : Enabled
    VTP V2 Mode                     : Disabled
    VTP Traps Generation            : Disabled
    MD5 digest                      : 0xF6 0x11 0xDA 0x50 0x99 0x7B 0x17 0x0F
    Configuration last modified by at :45:40

VTP Pruning Verification (cont.)

SW3 and SW4 print the same output as SW2 (Client mode, revision 12, 8 VLANs, pruning enabled, identical MD5 digest); only the hostname differs.

The matching configuration revision and MD5 digest on all four switches confirm they hold one and the same VLAN database. The flip side is that any switch (client or server) that joins with the same domain name and a higher revision number overwrites that database on every switch in the domain, so set a domain password (vtp password) and reset the revision on a switch before attaching it to a production domain.

45 VTP Pruning Verification (cont.)

    SW1#show interfaces trunk
    Port      Mode   Encapsulation  Status    Native vlan
    Fa0/13    on     802.1q         trunking  1
    Fa0/16    on     802.1q         trunking  1

    Port      Vlans allowed on trunk
    Fa0/13
    Fa0/16

    Port      Vlans allowed and active in management domain
    Fa0/13    1,10,20,30
    Fa0/16    1,10,20,30

    Port      Vlans in spanning tree forwarding state and not pruned
    Fa0/13    1,10
    Fa0/16    1,20,30

    SW2#show interfaces trunk
    Port      Mode   Encapsulation  Status    Native vlan
    Fa0/13    on     802.1q         trunking  1

    Port      Vlans allowed on trunk
    Fa0/13

    Port      Vlans allowed and active in management domain
    Fa0/13    1,10,20,30

    Port      Vlans in spanning tree forwarding state and not pruned
    Fa0/13    1,10,20,30

VTP Pruning Verification (cont.)

    SW3#show interfaces trunk
    Port      Mode   Encapsulation  Status    Native vlan
    Fa0/13    on     802.1q         trunking  1
    Fa0/19    on     802.1q         trunking  1

    Port      Vlans allowed on trunk
    Fa0/13
    Fa0/19

    Port      Vlans allowed and active in management domain
    Fa0/13    1,10,20,30
    Fa0/19    1,10,20,30

    Port      Vlans in spanning tree forwarding state and not pruned
    Fa0/13    1,10,20,30
    Fa0/19    1,30

    SW4#show interfaces trunk
    Port      Mode   Encapsulation  Status    Native vlan
    Fa0/19    on     802.1q         trunking  1

    Port      Vlans allowed on trunk
    Fa0/19

    Port      Vlans allowed and active in management domain
    Fa0/19    1,10,20,30

    Port      Vlans in spanning tree forwarding state and not pruned
    Fa0/19    1,10,20,30

(The "Vlans allowed on trunk" values were not captured in the original output.) Note the asymmetry: SW1 only sends VLAN 10 towards SW2 and VLANs 20 and 30 towards SW3, while the clients keep sending everything towards SW1, because SW1's side of each trunk needs all three VLANs.

46 VTP Pruning Verification (cont.)

    SW1#show interfaces Fa0/13 pruning
    Port      Vlans pruned for lack of request by neighbor
    Fa0/13    20,30

    Port      Vlan traffic requested of neighbor
    Fa0/13    1,10,20,30

    SW1#show interfaces Fa0/16 pruning
    Port      Vlans pruned for lack of request by neighbor
    Fa0/16    10

    Port      Vlan traffic requested of neighbor
    Fa0/16    1,10,20,30

    SW2#show interfaces Fa0/13 pruning
    Port      Vlans pruned for lack of request by neighbor
    Fa0/13    none

    Port      Vlan traffic requested of neighbor
    Fa0/13    1,10

VTP Pruning Verification (cont.)

    SW3#show interfaces Fa0/13 pruning
    Port      Vlans pruned for lack of request by neighbor
    Fa0/13    none

    Port      Vlan traffic requested of neighbor
    Fa0/13    1,20,30

    SW3#show interfaces Fa0/19 pruning
    Port      Vlans pruned for lack of request by neighbor
    Fa0/19    10,20

    Port      Vlan traffic requested of neighbor
    Fa0/19    1,10,20,30

    SW4#show interfaces Fa0/19 pruning
    Port      Vlans pruned for lack of request by neighbor
    Fa0/19    none

    Port      Vlan traffic requested of neighbor
    Fa0/19    1,30

Read the two tables together: what a switch "requests of neighbor" on a trunk is what it needs on its own side of that trunk, and what the neighbor prunes on the far end is exactly the active VLANs missing from that request (VLAN 1 is always requested).
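The pruning outputs above can be reproduced from the topology alone. The following is an added example (not code from the slides or from INE): it takes the access VLAN assignments and trunks from the VTP Pruning Example, and for every trunk port computes the VLANs the switch requests of its neighbor and the VLANs the neighbor therefore prunes, using the rule that a switch requests every VLAN that has members anywhere on its own side of the trunk plus the never-pruned VLANs. The active VLAN set (1, 10, 20, 30) is the one shown in the "allowed and active" lines.

```python
"""VTP pruning on the topology of the slides: for every trunk, which VLANs the
neighbour requests and which ones are therefore pruned. Added example, not
code from the slides. The topology and access VLAN assignments are the ones
shown in the VTP Pruning Example configuration."""

from collections import deque

# Access VLANs with member ports on each switch (from the slide configs).
ACCESS_VLANS = {"SW1": {10, 20, 30}, "SW2": {10}, "SW3": {20}, "SW4": {30}}
# Trunks as ((switch, port), (switch, port)); the domain is a loop-free tree.
TRUNKS = [
    (("SW1", "Fa0/13"), ("SW2", "Fa0/13")),
    (("SW1", "Fa0/16"), ("SW3", "Fa0/13")),
    (("SW3", "Fa0/19"), ("SW4", "Fa0/19")),
]
# VLAN 1 and 1002-1005 are never pruned; only VLANs 2-1001 are pruning-eligible.
NEVER_PRUNED = {1} | set(range(1002, 1006))


def side_of(switch, trunk):
    """Every switch reachable from `switch` without crossing `trunk`."""
    seen, todo = {switch}, deque([switch])
    while todo:
        cur = todo.popleft()
        for other in TRUNKS:
            if other == trunk:
                continue
            ends = {other[0][0], other[1][0]}
            if cur in ends:
                nxt = (ends - {cur}).pop()
                if nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
    return seen


def requested_of_neighbor(switch, trunk, active):
    """VLANs `switch` asks its neighbour across `trunk` to keep sending: the
    VLANs with members anywhere on its own side of the trunk, plus the ones
    that are never pruned, restricted to VLANs active in the domain."""
    needed = set().union(*(ACCESS_VLANS[s] for s in side_of(switch, trunk)))
    return (needed | NEVER_PRUNED) & set(active)


def pruning_report(active=(1, 10, 20, 30)):
    """Per (switch, port): what 'show interfaces <port> pruning' would list."""
    active = set(active)
    report = {}
    for trunk in TRUNKS:
        for (sw, port), (peer, _) in (trunk, trunk[::-1]):
            report[(sw, port)] = {
                "requested": requested_of_neighbor(sw, trunk, active),
                # pruned on this end = active VLANs the peer did not ask for
                "pruned": active - requested_of_neighbor(peer, trunk, active),
            }
    return report


if __name__ == "__main__":
    for (sw, port), r in sorted(pruning_report().items()):
        print(f"{sw} {port}: pruned {sorted(r['pruned']) or 'none'}, "
              f"requested of neighbor {sorted(r['requested'])}")
```

Running it prints the same six results as the verification slides (SW1 Fa0/13 prunes 20,30; SW1 Fa0/16 prunes 10; SW3 Fa0/19 prunes 10,20; the clients prune nothing). Because the computation depends only on where access ports exist, it also shows why pruning is not a security boundary: configuring one access port in VLAN 30 on SW2 would immediately un-prune VLAN 30 on SW1 Fa0/13.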

47 VLANs, Trunking, & VTP Q&A

48 Internetwork Expert's CCNP Bootcamp: Spanning-Tree Protocol (STP)

Switching Logic Review
- Layer 2 switches use the CAM table to switch traffic based on destination MAC address
- To populate the CAM table the following logic is used
  - A frame from X going to Y is received on port 1
  - Insert X into the CAM table via port 1
  - Flood the frame out all ports in the VLAN except port 1
  - A return frame from Y going to X is received on port 2
  - Insert Y into the CAM table via port 2
  - Subsequent traffic between X and Y does not require flooding

49 Switching Loop Problems
- When redundant paths exist in the layer 2 network, the CAM population logic breaks down and frames are switched out the wrong interfaces
- Looping frames, especially broadcasts, can quickly overwhelm all links with 100% utilization

Switching Loop Example
(The slide animates a single frame from HostA looping through SW1, SW2, SW3 and SW4; the recoverable steps are listed in order.)
- HostA sends a frame
- SW2 adds HostA via port 1 and floods the frame out ports 2 & 3
- SW3 and SW4 add HostA via the port the copy arrived on and flood it in turn; SW4 receives copies on port 2 followed by port 3 and floods both
- SW1 adds HostA and floods as well
- The flooded copies come back to each switch on other ports, so every switch overrides its entry for HostA each time (A via Fa0/1, then A via Fa0/2, then A via Fa0/3)
- SW1 now knows HostA via an incorrect port, and the process continues indefinitely: nothing in the CAM logic ever stops it

50 Spanning-Tree Protocol Overview
- STP solves the looping problem by blocking redundant paths
  - Blocked links cannot forward traffic or populate the CAM table
  - Same effect as removing or shutting down the link
- Since STP is dynamic, the layer 2 network can reconverge around network failures
- Standards based, per IEEE 802.1D

Switching Loop Prevention Example
(Same topology as the previous slide, with SW4's port 3 blocked by STP.)
- HostA sends a frame
- SW2 adds HostA via port 1 and floods the frame out ports 2 & 3
- SW3 adds HostA via port 1 and floods the frame out port 2
- SW4 receives the frame on port 2, adds HostA via port 2 and floods it out port 1
- SW4's port 3 is blocking, so the copy arriving there is discarded
- No looping occurs: each switch ends up with one stable CAM entry for HostA (SW1 and SW2 via Fa0/1, SW3 via Fa0/1, SW4 via Fa0/2), and HostB behind SW4 is reached over the remaining tree

51 How STP Loop Prevention Works
- All devices agree on a reference point in the network, called the root bridge
- Each device directly downstream of the root bridge then
  - Selects one upstream-facing port to forward traffic towards the root bridge, called the root port
  - Puts all other upstream-facing ports into blocking state, called blocking ports
  - Uses all downstream-facing ports as designated ports
- The next downstream device does the same, selecting one upstream-facing root port
- Repeat until the entire loop-free tree is built

How STP Works
- Exchange bridge and link attributes
- Elect one Root Bridge
- Elect one Root Port per non-root bridge
- Elect one Designated Port per segment

52 STP Advertisements
- Uses Bridge Protocol Data Units (BPDUs)
  - Sent as multicast frames between adjacent bridges (destination MAC 0180.C200.0000)
- Used to advertise bridge and link attributes
  - Root ID
  - Root Path Cost
  - Bridge ID
  - Port ID
  - Timers
- Two types of BPDUs
  - Configuration BPDUs
  - Topology Change Notification (TCN) BPDUs
- BPDUs carry no authentication: anything plugged into a port that processes BPDUs can take part in the election, which is why the edge-port protections (BPDU Guard, Root Guard) covered under "Other STP Features" matter

Root Bridge Election
- Based on the lowest Bridge ID (BID) in the network
- BID is an 8-byte field that contains
  - Bridge Priority (2 bytes), defaults to 32768
  - MAC Address (6 bytes)
- The newer standard (802.1t) splits the Bridge Priority field in two, a.k.a. the MAC address reduction feature
  - Bridge Priority: 4 high-order bits, in increments of 4096
  - System ID Extension: 12 low-order bits, carrying the VLAN number in PVST+ (which is why show spanning-tree prints priority 32769 for VLAN 1)
- The lowest BID in the network becomes everyone's Root ID (RID) in their BPDUs

53 Root Port Election
- The port closest to the Root Bridge; the root is always upstream
- Elected based on the lowest Root Path Cost, the cumulative cost of all links towards the root
  - Cost is based on inverse bandwidth, i.e. higher bandwidth, lower cost
  - Not linear: the 802.1D short costs are 100 for 10 Mbit/s, 19 for 100 Mbit/s and 4 for 1 Gbit/s
- If tied on cost
  - Choose the lowest upstream (sender) BID
  - Choose the lowest upstream (sender) Port ID

Designated Port Election
- Ports facing downstream, away from the Root Bridge; one per segment
- Like the Root Port, elected based on
  - Lowest Root Path Cost
  - Lowest BID
  - Lowest Port ID
- All other ports go into blocking mode
  - Receive BPDUs
  - Discard all other traffic
  - Cannot send traffic
- Blocking ports are the key to the loop-free topology

54 STP Path Selection Example

Topology (from the diagram and the outputs that follow): SW1 Fa0/13 - SW2 Fa0/13, SW1 Fa0/16 - SW3 Fa0/13, SW2 Fa0/19 - SW4 Fa0/19, SW3 Fa0/19 - SW4 Fa0/16. All links are FastEthernet (cost 19) and all bridges use the default priority.

STP Path Selection Verification (SW1)

    SW1#show spanning-tree vlan 1
    VLAN0001
      Spanning tree enabled protocol ieee
      Root ID    Priority    32769
                 Address     c.a380
                 Cost        38
                 Port        18 (FastEthernet0/16)
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

      Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
                 Address     c8.4e80
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
                 Aging Time  15

    Interface        Role Sts Cost      Prio.Nbr Type
    ---------------- ---- --- --------- -------- ----
    Fa0/13           Altn BLK 19        128.15   P2p
    Fa0/16           Root LRN 19        128.18   P2p

SW1 has two paths to the root at the same cost (19 + 19 = 38): via SW2 on Fa0/13 and via SW3 on Fa0/16. The tie is broken by the lower sender BID, and SW3 (000a.f4f3.e780) beats SW2 (0019.aa7e.ea00), so Fa0/16 becomes the root port and Fa0/13 is blocked as an alternate. Fa0/16 was still in the learning (LRN) state when the output was captured, and the aging time of 15 seconds shows the CAM aging reduced by the resulting topology change.

55 STP Path Selection Verification (SW2)

    SW2#show spanning-tree vlan 1
    VLAN0001
      Spanning tree enabled protocol ieee
      Root ID    Priority    32769
                 Address     c.a380
                 Cost        19
                 Port        21 (FastEthernet0/19)
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

      Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
                 Address     0019.aa7e.ea00
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
                 Aging Time  15

    Interface        Role Sts Cost      Prio.Nbr Type
    ---------------- ---- --- --------- -------- ----
    Fa0/13           Desg FWD 19        128.15   P2p
    Fa0/19           Root FWD 19        128.21   P2p

STP Path Selection Verification (SW3)

    SW3#show spanning-tree vlan 1
    VLAN0001
      Spanning tree enabled protocol ieee
      Root ID    Priority    32769
                 Address     c.a380
                 Cost        19
                 Port        19 (FastEthernet0/19)
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

      Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
                 Address     000a.f4f3.e780
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
                 Aging Time  15

    Interface        Role Sts Cost      Prio.Nbr Type
    ---------------- ---- --- --------- -------- ----
    Fa0/13           Desg FWD 19        128.13   P2p
    Fa0/19           Root FWD 19        128.19   P2p

SW2 and SW3 are both directly attached to the root (cost 19) and are designated on their links towards SW1, since their root path cost (19) beats SW1's (38).

56 STP Path Selection Verification (SW4)

    SW4#show spanning-tree vlan 1
    VLAN0001
      Spanning tree enabled protocol ieee
      Root ID    Priority    32769
                 Address     c.a380
                 This bridge is the root
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

      Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
                 Address     c.a380
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
                 Aging Time  15

    Interface        Role Sts Cost      Prio.Nbr Type
    ---------------- ---- --- --------- -------- ----
    Fa0/16           Desg FWD 19        128.16   P2p
    Fa0/19           Desg FWD 19        128.19   P2p

SW4 is the root purely because it has the lowest MAC address at the default priority; every port on the root is designated.

STP Verification Detail (SW1)

    SW1#show spanning-tree detail
     VLAN0001 is executing the ieee compatible Spanning Tree protocol
      Bridge Identifier has priority 32768, sysid 1, address c8.4e80
      Configured hello time 2, max age 20, forward delay 15
      Current root has priority 32769, address c.a380
      Root port is 18 (FastEthernet0/16), cost of root path is 38
      Topology change flag not set, detected flag not set
      Number of topology changes 1 last change occurred 00:03:34 ago
              from FastEthernet0/13
      Times:  hold 1, topology change 35, notification 2
              hello 2, max age 20, forward delay 15
      Timers: hello 0, topology change 0, notification 0, aging 300

     Port 15 (FastEthernet0/13) of VLAN0001 is blocking
       Port path cost 19, Port priority 128, Port Identifier 128.15.
       Designated root has priority 32769, address c.a380
       Designated bridge has priority 32769, address 0019.aa7e.ea00
       Designated port id is 128.15, designated path cost 19
       Timers: message age 2, forward delay 0, hold 0
       Number of transitions to forwarding state: 0
       Link type is point-to-point by default
       BPDU: sent 6, received 116

     Port 18 (FastEthernet0/16) of VLAN0001 is forwarding
       Port path cost 19, Port priority 128, Port Identifier 128.18.
       Designated root has priority 32769, address c.a380
       Designated bridge has priority 32769, address 000a.f4f3.e780
       Designated port id is 128.13, designated path cost 19
       Timers: message age 2, forward delay 0, hold 0
       Number of transitions to forwarding state: 1
       Link type is point-to-point by default
       BPDU: sent 2, received 111

The "Designated bridge" on each of SW1's ports is the neighbor (SW2 on Fa0/13, SW3 on Fa0/16), confirming that SW1 lost both designated-port elections; the BPDU counters show the same thing, SW1 mostly receives and rarely sends.

57 STP Verification Detail (SW2)

    SW2#show spanning-tree detail
     VLAN0001 is executing the ieee compatible Spanning Tree protocol
      Bridge Identifier has priority 32768, sysid 1, address 0019.aa7e.ea00
      Configured hello time 2, max age 20, forward delay 15
      Current root has priority 32769, address c.a380
      Root port is 21 (FastEthernet0/19), cost of root path is 19
      Topology change flag not set, detected flag not set
      Number of topology changes 2 last change occurred 00:03:19 ago
              from FastEthernet0/19
      Times:  hold 1, topology change 35, notification 2
              hello 2, max age 20, forward delay 15
      Timers: hello 0, topology change 0, notification 0, aging 300

     Port 15 (FastEthernet0/13) of VLAN0001 is forwarding
       Port path cost 19, Port priority 128, Port Identifier 128.15.
       Designated root has priority 32769, address c.a380
       Designated bridge has priority 32769, address 0019.aa7e.ea00
       Designated port id is 128.15, designated path cost 19
       Timers: message age 0, forward delay 0, hold 0
       Number of transitions to forwarding state: 1
       Link type is point-to-point by default
       BPDU: sent 117, received 6

     Port 21 (FastEthernet0/19) of VLAN0001 is forwarding
       Port path cost 19, Port priority 128, Port Identifier 128.21.
       Designated root has priority 32769, address c.a380
       Designated bridge has priority 32769, address c.a380
       Designated port id is 128.19, designated path cost 0
       Timers: message age 1, forward delay 0, hold 0
       Number of transitions to forwarding state: 1
       Link type is point-to-point by default
       BPDU: sent 3, received 118

STP Verification Detail (SW3)

    SW3#show spanning-tree detail
     VLAN0001 is executing the ieee compatible Spanning Tree protocol
      Bridge Identifier has priority 32768, sysid 1, address 000a.f4f3.e780
      Configured hello time 2, max age 20, forward delay 15
      Current root has priority 32769, address c.a380
      Root port is 19 (FastEthernet0/19), cost of root path is 19
      Topology change flag not set, detected flag not set
      Number of topology changes 3 last change occurred 00:03:12 ago
              from FastEthernet0/19
      Times:  hold 1, topology change 35, notification 2
              hello 2, max age 20, forward delay 15
      Timers: hello 0, topology change 0, notification 0, aging 300

     Port 13 (FastEthernet0/13) of VLAN0001 is forwarding
       Port path cost 19, Port priority 128, Port Identifier 128.13.
       Designated root has priority 32769, address c.a380
       Designated bridge has priority 32769, address 000a.f4f3.e780
       Designated port id is 128.13, designated path cost 19
       Timers: message age 0, forward delay 0, hold 0
       Number of transitions to forwarding state: 1
       Link type is point-to-point by default
       BPDU: sent 114, received 2

     Port 19 (FastEthernet0/19) of VLAN0001 is forwarding
       Port path cost 19, Port priority 128, Port Identifier 128.19.
       Designated root has priority 32769, address c.a380
       Designated bridge has priority 32769, address c.a380
       Designated port id is 128.16, designated path cost 0
       Timers: message age 1, forward delay 0, hold 0
       Number of transitions to forwarding state: 1
       Link type is point-to-point by default
       BPDU: sent 3, received 114

On the root ports of SW2 and SW3 the designated bridge is the root itself with a designated path cost of 0; on their Fa0/13 ports they are the designated bridge with path cost 19, which is what SW1 sees on the other end.

58 STP Verification Detail (SW4)

    SW4#show spanning-tree detail
     VLAN0001 is executing the ieee compatible Spanning Tree protocol
      Bridge Identifier has priority 32768, sysid 1, address c.a380
      Configured hello time 2, max age 20, forward delay 15
      We are the root of the spanning tree
      Topology change flag not set, detected flag not set
      Number of topology changes 1 last change occurred 00:03:47 ago
              from FastEthernet0/19
      Times:  hold 1, topology change 35, notification 2
              hello 2, max age 20, forward delay 15
      Timers: hello 1, topology change 0, notification 0, aging 300

     Port 16 (FastEthernet0/16) of VLAN0001 is forwarding
       Port path cost 19, Port priority 128, Port Identifier 128.16.
       Designated root has priority 32769, address c.a380
       Designated bridge has priority 32769, address c.a380
       Designated port id is 128.16, designated path cost 0
       Timers: message age 0, forward delay 0, hold 0
       Number of transitions to forwarding state: 1
       Link type is point-to-point by default
       BPDU: sent 122, received 3

     Port 19 (FastEthernet0/19) of VLAN0001 is forwarding
       Port path cost 19, Port priority 128, Port Identifier 128.19.
       Designated root has priority 32769, address c.a380
       Designated bridge has priority 32769, address c.a380
       Designated port id is 128.19, designated path cost 0
       Timers: message age 0, forward delay 0, hold 0
       Number of transitions to forwarding state: 1
       Link type is point-to-point by default
       BPDU: sent 116, received 3

STP Port States
- When a bridge boots up, the initial STP convergence time is determined by how long its ports take to transition through the port states
- STP port states are
  - Disabled: administratively down (e.g. shutdown)
  - Blocking: receiving BPDUs but not forwarding or learning
  - Listening: exchanging BPDUs with adjacent bridges, still not forwarding or learning
  - Learning: building the CAM table, still not forwarding
  - Forwarding: normal loop-free traffic forwarding
- The normal progression between states is either
  - Disabled > Listening > Learning > Forwarding
  - Blocking > Listening > Learning > Forwarding

59 STP Timers
- Timers that affect the transition between port states are
  - Hello timer: how often configuration BPDUs are sent; defaults to 2 seconds
  - MaxAge timer: how long a port keeps the last BPDU it received before declaring the upstream bridge gone and starting to reconverge; defaults to 20 seconds
  - Forward Delay: how long to wait in each of the listening and learning phases; defaults to 15 seconds
- With default timers a port coming out of blocking needs 20 + 15 + 15 = 50 seconds before it forwards

STP Reconvergence
- The second BPDU type, TCN, is used to quickly age out the CAM table after a port state change (e.g. Forwarding to Down, Blocking to Designated)
- The TCN is sent up towards the Root Bridge
  - The detecting switch sends the TCN out its Root Port
  - The upstream switch acknowledges with the TCAck flag in its next Configuration BPDU and sends its own TCN out its Root Port
  - The next upstream switch acknowledges and does the same
  - The process continues until the Root Bridge receives the TCN
- When the Root Bridge receives the TCN, it sets the Topology Change (TC) flag in the Configuration BPDUs it sends out all ports for MaxAge + Forward Delay (the "topology change 35" timer in the detail output)
- The result is that every bridge reduces its CAM aging time to Forward Delay: the default of 5 minutes is cut to 15 seconds, which is the "Aging Time 15" seen in the verification outputs
- Because any port that processes BPDUs can originate a TCN, an attacker on an unprotected access port can keep the whole VLAN in this fast-aging, heavy-flooding state; this is one of the reasons to enable BPDU Guard on edge ports

60 STP Q&A

61 Internetwork Expert's CCNP Bootcamp: Advanced Spanning-Tree Protocol (STP)

Cisco STP Enhancements
- Common Spanning-Tree (CST)
  - Originally defined in 802.1D
  - One STP instance for all VLANs
  - Does not allow complex layer 2 traffic engineering
- Per-VLAN Spanning-Tree (PVST)
  - Cisco proprietary extensions
  - One STP instance per VLAN
  - Layer 2 traffic engineering per VLAN
  - New features to reduce convergence time: PortFast, UplinkFast, etc.
- PVST+ interoperates with CST
  - Complex tunneling, outside our scope
  - See INE Blog's "PVST+ Explained" for details

62 PVST/PVST+ Path Selection
- One Root Bridge election per VLAN
  - Bridge priority per VLAN is configured as spanning-tree vlan [vlan] priority [priority] (multiples of 4096), or with spanning-tree vlan [vlan] root {primary | secondary}, which picks a priority low enough to win for you
- Separate Root Port & Designated Port elections per VLAN
  - Port cost per VLAN is configured under the interface as spanning-tree vlan [vlan] cost [cost]
  - Port priority per VLAN is configured under the interface as spanning-tree vlan [vlan] port-priority [priority]

Per-VLAN Path Selection Example

Same four-switch topology as before (SW1 Fa0/13 - SW2 Fa0/13, SW1 Fa0/16 - SW3 Fa0/13, SW2 Fa0/19 - SW4 Fa0/19, SW3 Fa0/19 - SW4 Fa0/16). SW2 is made the root for VLAN 10 and SW3 the root for VLAN 20.

63 Per-VLAN Path Selection Configuration

    SW2#
    spanning-tree vlan 10 priority 16384
    !
    interface FastEthernet0/19
     spanning-tree vlan 20 cost 5

    SW3#
    spanning-tree vlan 20 priority 16384
    !
    interface FastEthernet0/13
     spanning-tree vlan 10 cost 5

Per-VLAN Path Selection Verification

    SW2#show spanning-tree vlan 10
    VLAN0010
      Spanning tree enabled protocol ieee
      Root ID    Priority    16394
                 Address     0019.aa7e.ea00
                 This bridge is the root
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

      Bridge ID  Priority    16394  (priority 16384 sys-id-ext 10)
                 Address     0019.aa7e.ea00
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
                 Aging Time  15

    Interface        Role Sts Cost      Prio.Nbr Type
    ---------------- ---- --- --------- -------- ----
    Fa0/13           Desg FWD 19        128.15   P2p
    Fa0/19           Desg FWD 19        128.21   P2p

    SW3#show spanning-tree vlan 10
    VLAN0010
      Spanning tree enabled protocol ieee
      Root ID    Priority    16394
                 Address     0019.aa7e.ea00
                 Cost        24
                 Port        13 (FastEthernet0/13)
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

      Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
                 Address     000a.f4f3.e780
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
                 Aging Time  15

    Interface        Role Sts Cost      Prio.Nbr Type
    ---------------- ---- --- --------- -------- ----
    Fa0/13           Root FWD 5         128.13   P2p
    Fa0/19           Altn BLK 19        128.19   P2p

For VLAN 10, SW3 reaches the root (SW2) either via SW1 on Fa0/13 at 19 + 5 = 24, or via SW4 on Fa0/19 at 19 + 19 = 38. The lowered cost makes the SW1 path win, so Fa0/13 is the root port and Fa0/19 is blocked.

64 Per-VLAN Path Selection Verification (cont.)

    SW2#show spanning-tree vlan 20
    VLAN0020
      Spanning tree enabled protocol ieee
      Root ID    Priority    16404
                 Address     000a.f4f3.e780
                 Cost        24
                 Port        21 (FastEthernet0/19)
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

      Bridge ID  Priority    32788  (priority 32768 sys-id-ext 20)
                 Address     0019.aa7e.ea00
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
                 Aging Time  15

    Interface        Role Sts Cost      Prio.Nbr Type
    ---------------- ---- --- --------- -------- ----
    Fa0/13           Altn BLK 19        128.15   P2p
    Fa0/19           Root FWD 5         128.21   P2p

    SW3#show spanning-tree vlan 20
    VLAN0020
      Spanning tree enabled protocol ieee
      Root ID    Priority    16404
                 Address     000a.f4f3.e780
                 This bridge is the root
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

      Bridge ID  Priority    16404  (priority 16384 sys-id-ext 20)
                 Address     000a.f4f3.e780
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
                 Aging Time  15

    Interface        Role Sts Cost      Prio.Nbr Type
    ---------------- ---- --- --------- -------- ----
    Fa0/13           Desg FWD 19        128.13   P2p
    Fa0/19           Desg FWD 19        128.19   P2p

The mirror image for VLAN 20: SW2 reaches the root (SW3) via SW4 on Fa0/19 at 19 + 5 = 24 instead of via SW1 at 38, so VLAN 20 traffic takes the opposite path from VLAN 10 and both uplinks of each switch carry traffic.

Cisco's 802.1D Convergence Enhancements
- PortFast: end hosts need not be subject to Forward Delay
- UplinkFast: a direct Root Port failure should reconverge immediately if an Alternate Port is available
- BackboneFast: indirect failures should start recalculating immediately instead of waiting for MaxAge
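The root bridge, root port and designated port elections described under "Root Port Election" and "Designated Port Election", and the VLAN 1, VLAN 10 and VLAN 20 results shown in the verification outputs, can all be reproduced by iterating the 802.1D comparison rules. The following is an added example (not code from the slides or from INE) that does exactly that on the four-switch topology, with bridge IDs compared as (priority + system ID extension, MAC). The SW1 and SW4 MAC addresses are truncated in the slide output, so the two values used for them are assumed placeholders, chosen only so that SW4 keeps the lowest bridge ID and remains the root as it does on the slides; the SW2 and SW3 addresses and all port numbers are the ones printed by show spanning-tree.

```python
"""802.1D root bridge, root port and designated port election, run on the
four-switch topology of the slides (SW1-SW2, SW1-SW3, SW2-SW4, SW3-SW4).
Added example: this is not code from the slides or from INE."""

# Base bridge priority and MAC address per switch. The SW1 and SW4 MACs are
# truncated in the slide output ("c8.4e80", "c.a380"), so the two values
# below are ASSUMED placeholders, chosen only so that SW4 keeps the lowest
# bridge ID and remains the root, as it does on the slides.
BRIDGES = {
    "SW1": (32768, "00ff.ffc8.4e80"),   # assumed placeholder
    "SW2": (32768, "0019.aa7e.ea00"),   # from the slides
    "SW3": (32768, "000a.f4f3.e780"),   # from the slides
    "SW4": (32768, "0000.000c.a380"),   # assumed placeholder
}

# Links as ((switch, port, port number), (switch, port, port number)); the
# port numbers are the ones show spanning-tree prints (Port 15 = Fa0/13 ...).
LINKS = [
    (("SW1", "Fa0/13", 15), ("SW2", "Fa0/13", 15)),
    (("SW1", "Fa0/16", 18), ("SW3", "Fa0/13", 13)),
    (("SW2", "Fa0/19", 21), ("SW4", "Fa0/19", 19)),
    (("SW3", "Fa0/19", 19), ("SW4", "Fa0/16", 16)),
]
DEFAULT_COST = 19      # 802.1D short path cost of a 100 Mbit/s link
PORT_PRIORITY = 128    # default port priority


def elect(vlan=1, priorities=None, costs=None):
    """Return (per-bridge state, per-port role) for one VLAN instance.

    priorities: {switch: bridge priority}, like spanning-tree vlan X priority
    costs:      {(switch, port): cost},    like spanning-tree vlan X cost
    """
    priorities, costs = priorities or {}, costs or {}
    ports = {sw: {} for sw in BRIDGES}     # ports[sw][port] = (number, peer, peer port)
    for (a, pa, na), (b, pb, nb) in LINKS:
        ports[a][pa] = (na, b, pb)
        ports[b][pb] = (nb, a, pa)
    # Bridge ID = (priority + sys-id-ext, MAC); lower wins everywhere in STP.
    bid = {sw: (priorities.get(sw, prio) + vlan, int(mac.replace(".", ""), 16))
           for sw, (prio, mac) in BRIDGES.items()}

    def port_id(sw, port):
        return (PORT_PRIORITY, ports[sw][port][0])

    # Every bridge starts out believing it is the root (cost 0, no root port).
    state = {sw: {"root": bid[sw], "cost": 0, "root_port": None} for sw in BRIDGES}
    sent = {}
    for _ in range(len(BRIDGES) + 1):
        # Configuration BPDU each bridge transmits on each port:
        # (root BID, root path cost, sender BID, sender port ID)
        sent = {(sw, p): (state[sw]["root"], state[sw]["cost"], bid[sw], port_id(sw, p))
                for sw in ports for p in ports[sw]}
        changed = False
        for sw in BRIDGES:
            # Rank what arrives on each port the way 802.1D does: root BID, then
            # root path cost after adding the receiving port's cost, then sender
            # BID, sender port ID and finally the receiving port ID.
            rank = {}
            for p, (_, peer, pp) in ports[sw].items():
                root, cost, sender, sender_pid = sent[(peer, pp)]
                rank[p] = (root, cost + costs.get((sw, p), DEFAULT_COST),
                           sender, sender_pid, port_id(sw, p))
            best_port = min(rank, key=rank.get)
            best = rank[best_port]
            if best[0] < bid[sw]:          # someone advertises a better root than me
                new = {"root": best[0], "cost": best[1], "root_port": best_port}
            else:                          # I am the root
                new = {"root": bid[sw], "cost": 0, "root_port": None}
            changed = changed or new != state[sw]
            state[sw] = new
        if not changed:
            break                          # converged: a full round changed nothing

    # Port roles: the root port is fixed above; every other port is designated
    # if our own BPDU beats the neighbour's, otherwise it is blocked (alternate).
    roles = {}
    for sw in BRIDGES:
        for p, (_, peer, pp) in ports[sw].items():
            mine = (state[sw]["root"], state[sw]["cost"], bid[sw], port_id(sw, p))
            if p == state[sw]["root_port"]:
                roles[(sw, p)] = "Root"
            elif mine < sent[(peer, pp)]:
                roles[(sw, p)] = "Desg"
            else:
                roles[(sw, p)] = "Altn"
    return state, roles


if __name__ == "__main__":
    scenarios = [(1, None, None),
                 (10, {"SW2": 16384}, {("SW3", "Fa0/13"): 5}),
                 (20, {"SW3": 16384}, {("SW2", "Fa0/19"): 5})]
    for vlan, prio, cost in scenarios:
        st, roles = elect(vlan, prio, cost)
        root = next(sw for sw in st if st[sw]["root_port"] is None)
        print(f"VLAN {vlan}: root {root}")
        for (sw, p), role in sorted(roles.items()):
            print(f"  {sw} {p}: {role} (root path cost {st[sw]['cost']})")
```

For VLAN 1 the simulation picks SW1's Fa0/16 over Fa0/13 at equal cost 38 only because SW3's BID is lower than SW2's, exactly as the SW1 output shows; for VLAN 10 and VLAN 20 it reproduces the cost-24 root ports and the blocked alternates from the per-VLAN outputs. Lowering any bridge's priority in the priorities dict is also a faithful model of what a rogue switch sending BPDUs with a low priority does to the topology, which is the attack Root Guard exists to stop.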

65 RSTP: Rapid Spanning-Tree Protocol
- New standard per IEEE 802.1w
- Faster convergence than Cisco's 802.1D enhancements
- Builds the same tree as the regular spanning-tree algorithm (STA); the election rules do not change
- Simplifies port states
- Rapid convergence is based on the sync (proposal/agreement) process

RSTP Port States
- 802.1D uses Disabled, Blocking, Listening, Learning, Forwarding
- 802.1w simplifies this to
  - Discarding: dropping frames (merges the 802.1D disabled, blocking and listening states)
  - Learning: dropping frames but building the CAM table
  - Forwarding: normal forwarding

66 RSTP Port Roles
- Port roles are decoupled from port states
- Root Port & Designated Port: same as before
- Alternate Port
  - An alternate but less desirable path to the root
  - Allows the equivalent of UplinkFast, i.e. fast root path recovery
  - Operates in the discarding state
- Backup Port
  - A backup Designated Port on the same segment
  - Activates if the primary Designated Port fails
  - Operates in the discarding state

RSTP Edge Ports
- The equivalent of PVST+ PortFast-enabled ports
- Immediately transition to forwarding
- Still configured with the spanning-tree portfast command, for backwards compatibility
- Keep edge status as long as no BPDUs are received
- If a BPDU is received, the port loses edge status and generates a topology change

67 RSTP Link Types
- Non-edge ports fall into two types
  - Point-to-point: full-duplex ports
  - Shared: half-duplex ports
- Only point-to-point Designated Ports use the sync process for rapid convergence; shared ports fall back to timer-based convergence

RSTP Sync Process
- The goal is for a bridge to synchronize its root port with the rest of the topology
- When a bridge elects a root port it assumes all non-edge ports to be designated
  - All non-edge ports are discarding at this moment
- The bridge sends proposals out all designated ports
  - The proposal has the port role set to designated
  - The proposal contains the root bridge information (priority, cost, etc.)
- Downstream bridges review this information
  - If they do not have a better path to the root, they agree
  - If they do, they announce their own information instead

68 RSTP Sync Process (cont.)
- When a designated port receives an agreement, it is unblocked
- If the downstream bridge sends better root information, the local bridge changes its root port
- If the downstream bridge agrees to the upstream proposal, it
  - Elects a local root port
  - Blocks all non-edge designated ports
  - Starts the sync process on all of its designated ports
- Port blocking is essential in preventing transient loops
- The sync process ensures all bridges agree on the same root bridge

RSTP Fault Detection
- In 802.1D, configuration BPDUs originate only at the Root Bridge; all other bridges relay them
- In RSTP, each bridge generates its own BPDU every hello interval, 2 seconds by default
- If 3 hellos are missed from a neighbor, reconvergence begins
  - 6 seconds vs. the 20-second MaxAge of 802.1D

69 RSTP Fault Detection (cont.)
- MaxAge is used as a hop count
  - Every bridge sends BPDUs on its own
  - The age is incremented by every bridge
- MaxAge is also used on shared ports for legacy STP backwards compatibility
- Faults can be detected faster by means of physical layer (link down) signaling

RSTP Convergence
- RSTP needs to re-converge when the root port is lost
- If there is an Alternate port, it is selected in place of the old Root port
  - The new Root port is then synchronized with the downstream bridges
- If there are no Alternate ports and no better information
  - Declare itself as root
  - Synchronize this decision
  - Possibly adapt to better information learned during the sync

70 RSTP Convergence (cont.)
- Convergence time is non-deterministic and depends on the topology
  - Meshy topologies converge slowly
  - Large topologies converge slowly
  - Root bridge failures may cause slow convergence and temporary loops
- To ensure fast convergence
  - Keep the topology small (3-5 bridges)
  - Avoid excessive redundancy (e.g. use ring topologies, not full mesh)
  - Rely on physical layer failure detection, not on the Hello BPDUs

RSTP Topology Change
- Generated when a non-edge link becomes forwarding
- Originated by the switch that detected the event
- Uses the TC bit in the BPDU to signal the topology change
- Flooded by all switches out their other non-edge ports (the slide describes this as reverse path forwarding)
- Flushes MAC address tables
- Causes temporary excessive unicast traffic flooding, which is both a performance and a confidentiality problem: flooded unicast frames reach every port in the VLAN
- Use Edge Ports as much as possible, since edge port transitions do not generate topology changes

71 Multiple Spanning-Tree Protocol
- The IEEE (802.1s) response to PVST/PVST+
- Pioneered by Cisco as MISTP
- Supports multiple user-defined instances of spanning-tree
- Not as resource intensive as PVST/PVST+
- Automatically runs RSTP

Multiple Spanning-Tree Protocol (cont.)
- STP instances (MSTIs) are separate from VLANs
- VLANs are mapped to MSTIs manually
- Switches sharing the same region name, revision and VLAN-to-instance mappings form a region
- Different regions see each other as single virtual bridges
- See INE Blog's "Understanding MSTP" for more info

72 MST & RSTP Example

Same four-switch topology (SW1 Fa0/13 - SW2 Fa0/13, SW1 Fa0/16 - SW3 Fa0/13, SW2 Fa0/19 - SW4 Fa0/19, SW3 Fa0/19 - SW4 Fa0/16). SW2 is the root of instance 1 (VLANs 10, 20, 30) and SW3 the root of instance 2 (VLANs 40, 50, 60).

MST Configuration

    SW1#
    spanning-tree mst configuration
     name MST_REGION1
     revision 1
     instance 1 vlan 10, 20, 30
     instance 2 vlan 40, 50, 60
    !
    spanning-tree mode mst

    SW2#
    spanning-tree mst configuration
     name MST_REGION1
     revision 1
     instance 1 vlan 10, 20, 30
     instance 2 vlan 40, 50, 60
    !
    spanning-tree mode mst
    spanning-tree mst 1 priority 4096
    !
    interface FastEthernet0/19
     spanning-tree mst 2 cost

    SW3#
    spanning-tree mst configuration
     name MST_REGION1
     revision 1
     instance 1 vlan 10, 20, 30
     instance 2 vlan 40, 50, 60
    !
    spanning-tree mode mst
    spanning-tree mst 2 priority 4096
    !
    interface FastEthernet0/13
     spanning-tree mst 1 cost

    SW4#
    spanning-tree mst configuration
     name MST_REGION1
     revision 1
     instance 1 vlan 10, 20, 30
     instance 2 vlan 40, 50, 60
    !
    spanning-tree mode mst

(The per-instance cost values on SW2 Fa0/19 and SW3 Fa0/13 were not captured in the original.) The name, revision and instance mappings must match on all four switches, otherwise they form separate regions.

73 MST Verification

    SW2#show spanning-tree mst 1
    ##### MST1    vlans mapped:   10,20,30
    Bridge        address 0019.aa7e.ea00  priority      4097  (4096 sysid 1)
    Root          this switch for MST1

    Interface        Role Sts Cost      Prio.Nbr Type
    ---------------- ---- --- --------- -------- ----
    Fa0/13           Desg FWD           128.15   P2p
    Fa0/19           Desg FWD           128.21   P2p

    SW3#show spanning-tree mst 1
    ##### MST1    vlans mapped:   10,20,30
    Bridge        address 000a.f4f3.e780  priority      32769 (32768 sysid 1)
    Root          address 0019.aa7e.ea00  priority      4097  (4096 sysid 1)
                  port    Fa0/13          cost                rem hops 18

    Interface        Role Sts Cost      Prio.Nbr Type
    ---------------- ---- --- --------- -------- ----
    Fa0/13           Root FWD           128.13   P2p
    Fa0/19           Altn BLK           128.19   P2p

MST Verification (cont.)

    SW2#show spanning-tree mst 2
    ##### MST2    vlans mapped:   40,50,60
    Bridge        address 0019.aa7e.ea00  priority      32770 (32768 sysid 2)
    Root          address 000a.f4f3.e780  priority      4098  (4096 sysid 2)
                  port    Fa0/19          cost                rem hops 18

    Interface        Role Sts Cost      Prio.Nbr Type
    ---------------- ---- --- --------- -------- ----
    Fa0/13           Altn BLK           128.15   P2p
    Fa0/19           Root FWD           128.21   P2p

    SW3#show spanning-tree mst 2
    ##### MST2    vlans mapped:   40,50,60
    Bridge        address 000a.f4f3.e780  priority      4098  (4096 sysid 2)
    Root          this switch for MST2

    Interface        Role Sts Cost      Prio.Nbr Type
    ---------------- ---- --- --------- -------- ----
    Fa0/13           Desg FWD           128.13   P2p
    Fa0/19           Desg FWD           128.19   P2p

(The MST path costs were not captured in the original output.) In MST the system ID extension carries the instance number rather than the VLAN, hence priority 4097 for instance 1 and 4098 for instance 2; "rem hops 18" is the remaining hop count (20 by default) used in place of MaxAge inside the region.

74 Rapid PVST+
- Same as PVST+, but uses the RSTP enhancements for rapid convergence
- Every per-VLAN instance runs RSTP
- Configured as spanning-tree mode rapid-pvst

Other STP Features
- BPDU Filter
  - Interface level: filters BPDUs inbound and outbound, so the port neither sends nor processes BPDUs; this effectively disables STP on that port and should be used with great care
  - Global (spanning-tree portfast bpdufilter default): PortFast ports stop sending BPDUs, and if a BPDU is received the port reverts out of the PortFast state
- BPDU Guard: if a BPDU is received, shut the port down (err-disabled). Enable it on all PortFast/edge ports (spanning-tree portfast bpduguard default) so that an unauthorized switch on an access port can neither join the topology nor trigger topology changes
- Root Guard: if a superior BPDU is received, the port is placed in the root-inconsistent (blocking) state until the superior BPDUs stop; it does not err-disable the port. Applied on designated ports facing devices that must never become root (spanning-tree guard root)
- Loop Guard & UDLD: detect unidirectional links, which would otherwise let a blocking port stop hearing BPDUs and move to forwarding, creating a loop

75 Advanced STP Q&A

76 Internetwork Expert's CCNP Bootcamp: Inter-VLAN Routing

Layer 2 vs Layer 3 Review
- Layer 2 switches do not modify frames, i.e. transparent bridging
  - Implies hosts in a VLAN can only reach MACs directly in the CAM table, i.e. the local broadcast domain
- Layer 3 routers/switches perform a layer 2 rewrite of the packet
  - Remove the layer 2 header and rebuild it
  - Implies inter-VLAN traffic must be routed

77 Switch to Router w/ Multiple Links
- One solution for inter-VLAN routing is to use one physical link per VLAN between the layer 2 switch and the layer 3 router
- How it works
  - Frame leaves the switch on link 1 in VLAN 10
  - Router rewrites the frame to the destination MAC in VLAN 20 and sends it back on link 2
  - Switch uses the CAM table of VLAN 20 to reach the destination

Switch to Router w/ Multiple Links Example

(Figure: router R connected to SW1 by two links, Fa0/1 in VLAN 10 and Fa0/2 in VLAN 20; host A on SW1 Fa0/3 in VLAN 10 and host B on SW1 Fa0/4 in VLAN 20; each VLAN is its own /24 subnet. The addresses were not captured.)

78 Router-on-a-stick
- Multiple physical interfaces work, but do not scale because of port density and cost
- The alternate solution is to use one physical link between the layer 2 switch and the layer 3 router, running as an ISL/802.1Q trunk
- How it works
  - Frame leaves the switch on the trunk link with VLAN 10 encapsulation
  - Router rewrites the frame to the destination MAC in VLAN 20 and sends it back on the same trunk link with the new VLAN encapsulation
  - Switch uses the CAM table of VLAN 20 to reach the destination

Router-on-a-stick Example

(Figure not captured.)

79 Switched Virtual Interfaces (SVIs)
- A better solution is to combine the layer 2 switch and the layer 3 router in one device, i.e. a layer 3 switch
- Switch-to-router communication and the rewrite happen on the backplane/fabric, e.g. RSFC/MSFC
- Implemented as interface vlan [vlan] on the layer 3 switch
- Faster, more scalable, and easier to manage

SVIs Example

(Figure not captured.)

80 Native Layer 3 Routed Ports
- In addition to layer 2 switchports, most layer 3 switches can run ports in native layer 3 routed mode, i.e. no switchport
- Native layer 3 ports are treated just like an Ethernet port on a router
  - IP address assignment, ACLs, QoS, etc.
- Typically used in designs where the uplinks are routed
  - Access to distribution layer uplinks
  - Distribution layer to core layer uplinks
- Eliminates STP convergence time on those links
  - Convergence is now a function of the layer 3 routing protocol
- See "High Availability Campus Network Design: Routed Access Layer using EIGRP or OSPF" for more info

Native Layer 3 Routed Ports Example

(Figure: two layer 3 switches joined by a routed Fa0/13 link; host A in VLAN 10 on Fa0/3 and host B in VLAN 20 on Fa0/4, each VLAN and the routed link in its own /24 subnet. The addresses were not captured.)

81 Inter-VLAN Routing Q&A

82 Internetwork Expert's CCNP Bootcamp: EtherChannel

EtherChannel
- Used to aggregate the bandwidth of multiple links together
- Sometimes called NIC Teaming by other vendors
- Presents the bundled links to STP as one logical link
  - Technically redundant paths, but no loops
- Load balancing is per flow: a hash of frame fields (MAC addresses by default on many Catalyst platforms, IP addresses or ports on others, selectable with port-channel load-balance) pins each flow to one member link, so no single flow ever exceeds the bandwidth of one link
- More efficient bandwidth utilization than STP traffic engineering
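The per-flow hashing mentioned above decides how evenly a bundle is used, and the answer depends on the traffic pattern as much as on the policy. The following is an added example (not code from the slides or from INE) that models MAC-based EtherChannel load balancing: Catalyst switches XOR the low-order bits of the source and destination MAC (1 bit for 2 links, 2 bits for 4, 3 bits for 8) and pin each resulting bucket to one member link. Mapping eight buckets onto the link count by modulo is an assumed simplification; it reproduces the documented 1/2/3-bit behaviour for 2, 4 and 8 links and the uneven split for other link counts, but is not a guarantee about any particular platform. The sample MAC addresses are constructed.

```python
"""Model of MAC-based EtherChannel load balancing on Catalyst switches.
Added example, not code from the slides. Hardware hashes selected frame
fields into a small number of buckets and pins each bucket to one member
link, so a flow never spans links (no reordering), but the split is only as
even as the hash inputs. The XOR of low-order MAC bits is Cisco's documented
src-dst scheme; mapping BUCKETS onto the link count by modulo is an ASSUMED
simplification."""

BUCKETS = 8  # 3 hash bits, enough for the maximum of 8 member links


def mac_to_int(mac):
    return int(mac.replace(".", "").replace(":", "").replace("-", ""), 16)


def hash_bucket(policy, src, dst):
    """Bucket (0-7) chosen for a frame under a port-channel load-balance policy."""
    s, d = mac_to_int(src), mac_to_int(dst)
    if policy == "src-mac":
        return s & (BUCKETS - 1)
    if policy == "dst-mac":
        return d & (BUCKETS - 1)
    if policy == "src-dst-mac":
        return (s ^ d) & (BUCKETS - 1)
    raise ValueError(f"unknown load-balance policy {policy!r}")


def select_link(policy, src, dst, n_links):
    """Member link index a frame is sent on (assumed bucket-to-link mapping)."""
    if not 1 <= n_links <= BUCKETS:
        raise ValueError("an EtherChannel bundles 1 to 8 links")
    return hash_bucket(policy, src, dst) % n_links


def distribution(policy, flows, n_links):
    """Frames per member link for a list of (src MAC, dst MAC) flows."""
    counts = dict.fromkeys(range(n_links), 0)
    for src, dst in flows:
        counts[select_link(policy, src, dst, n_links)] += 1
    return counts


# Constructed sample: 16 clients behind the channel talking to one gateway MAC.
GATEWAY = "0200.0000.00fe"
CLIENTS = [f"0200.0000.00{i:02x}" for i in range(1, 17)]
UPSTREAM = [(c, GATEWAY) for c in CLIENTS]     # clients -> gateway
DOWNSTREAM = [(GATEWAY, c) for c in CLIENTS]   # gateway -> clients

if __name__ == "__main__":
    for policy in ("src-mac", "src-dst-mac"):
        for name, flows in (("upstream", UPSTREAM), ("downstream", DOWNSTREAM)):
            print(f"{policy:12} {name:10} 2 links {distribution(policy, flows, 2)}"
                  f"  3 links {distribution(policy, flows, 3)}")
```

Two things fall out of running it: with a source-MAC policy, every frame the gateway sends lands on the same member link (one source address, one bucket), so the return direction of a many-to-one pattern gets no load sharing at all, while src-dst-mac splits both directions; and a three-link bundle can never be balanced better than 3:3:2 across the eight buckets, whereas 2, 4 or 8 links divide evenly. Both are worth checking before expecting an EtherChannel to absorb a traffic spike.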

83 EtherChannel Terms
- Port-Channel / Channel-Group
  - The logical EtherChannel interface that represents the bonded links
- Member interfaces
  - The physical interfaces that belong to the group
  - Strict requirements about configuration compatibility between member interfaces, i.e. member port configs should be identical

Types of EtherChannels
- EtherChannel does not directly relate to the underlying type of member interface
- Can be used to aggregate
  - Access switchports
  - Trunk switchports
  - Routed ports
- Limitations on what and how many interfaces can be channeled together are per platform
  - E.g. StackWise vs. modular platforms
  - See the individual hardware release notes

84 EtherChannel Negotiation
- In order to ensure a loop-free topology, EtherChannel can be auto-negotiated two ways
  - Port Aggregation Protocol (PAgP): Cisco proprietary
  - Link Aggregation Control Protocol (LACP): IEEE 802.3ad
- In Cisco IOS, the negotiation protocol is determined by the channel mode
  - desirable & auto: PAgP
  - active & passive: LACP
  - on: neither
- Negotiation must be compatible, otherwise loops can occur
  - Channels form for desirable-desirable, desirable-auto, active-active, active-passive and on-on
  - auto-auto and passive-passive never form a channel, since neither side initiates
  - on bundles unconditionally and exchanges no negotiation frames, so on facing desirable or active bundles on one side only: STP then sees one logical port on one switch and two physical ports on the other, which is exactly the mismatch that produces a loop

EtherChannel Example

(Figure not captured; the configuration on the next slide shows SW1 bundling Fa0/13-14 towards SW2 with PAgP and Fa0/16-17 towards SW3 with LACP.)

85 EtherChannel Configuration

    SW1#
    interface FastEthernet0/13
     switchport trunk encapsulation dot1q
     switchport mode trunk
     channel-group 1 mode desirable
    !
    interface FastEthernet0/14
     switchport trunk encapsulation dot1q
     switchport mode trunk
     channel-group 1 mode desirable
    !
    interface FastEthernet0/16
     switchport trunk encapsulation isl
     switchport mode trunk
     channel-group 2 mode active
    !
    interface FastEthernet0/17
     switchport trunk encapsulation isl
     switchport mode trunk
     channel-group 2 mode active

    SW2#
    interface FastEthernet0/13
     switchport trunk encapsulation dot1q
     switchport mode trunk
     channel-group 1 mode auto
    !
    interface FastEthernet0/14
     switchport trunk encapsulation dot1q
     switchport mode trunk
     channel-group 1 mode auto

    SW3#
    interface FastEthernet0/13
     switchport trunk encapsulation isl
     switchport mode trunk
     channel-group 2 mode passive
    !
    interface FastEthernet0/14
     switchport trunk encapsulation isl
     switchport mode trunk
     channel-group 2 mode passive

EtherChannel Verification

    SW1#show etherchannel summary
    Flags:  D - down        P - in port-channel
            I - stand-alone s - suspended
            H - Hot-standby (LACP only)
            R - Layer3      S - Layer2
            U - in use      f - failed to allocate aggregator
            u - unsuitable for bundling
            w - waiting to be aggregated
            d - default port

    Number of channel-groups in use: 2
    Number of aggregators:           2

    Group  Port-channel  Protocol    Ports
    ------+-------------+-----------+-----------------------------------------------
    1      Po1(SU)         PAgP      Fa0/13(P)   Fa0/14(P)
    2      Po2(SU)         LACP      Fa0/16(P)   Fa0/17(P)

Both groups show SU (layer 2, in use) with every member flagged P (in port-channel); the protocol column confirms group 1 negotiated with PAgP (desirable/auto) and group 2 with LACP (active/passive).

86 EtherChannel Verification (cont.)

SW2#show etherchannel summary
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)         PAgP      Fa0/13(P)   Fa0/14(P)

EtherChannel Verification (cont.)

SW3#show etherchannel summary
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
2      Po2(SU)         LACP      Fa0/13(P)   Fa0/14(P)

87 EtherChannel Verification (cont.) SW1#show spanning-tree vlan 10 VLAN0010 Spanning tree enabled protocol ieee Root ID Priority 10 Address 0019.aa7e.ea00 Cost 12 Port 72 (Port-channel1) Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority (priority sys-id-ext 10) Address c8.4e80 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 15 Interface Role Sts Cost Prio.Nbr Type Po1 Root FWD P2p Po2 Desg FWD P2p EtherChannel Verification (cont.) SW2#show spanning-tree vlan 10 VLAN0010 Spanning tree enabled protocol ieee Root ID Priority 10 Address 0019.aa7e.ea00 This bridge is the root Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority 10 (priority 0 sys-id-ext 10) Address 0019.aa7e.ea00 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 15 Interface Role Sts Cost Prio.Nbr Type Fa0/19 Desg FWD P2p Po1 Desg FWD P2p

88 EtherChannel Verification (cont.) SW3#show spanning-tree vlan 10 VLAN0010 Spanning tree enabled protocol ieee Root ID Priority 10 Address 0019.aa7e.ea00 Cost 24 Port 65 (Port-channel2) Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority (priority sys-id-ext 10) Address 000a.f4f3.e780 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 15 Interface Role Sts Cost Prio.Nbr Type Fa0/19 Altn BLK P2p Po2 Root FWD P2p EtherChannel Q&A

89 Internetwork Expert s CCNP Bootcamp Gateway Redundancy Protocols & High Availability What is High Availability? Ability of the network to recover from faults in timely fashion Service availability time (e.g. 5 nines) Requires redundancy (nodes, links, etc.) Layered implementation Physical layer (SONET), L2 (STP), L3 (IGP) Redundancy should be planned based on target recovery time Excessive redundancy slows convergence

90 What is High Availability? (cont.) Hierarchical design separates network modules Recovery in one module does not affect other modules Different technologies could be used E.g. IGP recovery in core First Hop Redundancy in Access Layer Technologies need to be synchronized E.g. FHRP selected GW should be aligned with STP root What is Gateway Redundancy? End hosts typically do not route into the network, they default to their gateway If the gateway is down, connectivity is lost First Hop/Gateway Redundancy allows another device to take over for a host s default gateway if it goes down Transparent to the end host No need for dual gateways in DHCP

91 IP over Ethernet Review ARP is the glue When a HostA wants to communicate with HostB via IP If HostB is on my subnet Check the ARP cache for HostB s MAC If no MAC, ARP for HostB If HostB is not on my subnet Check the ARP cache for gateway s MAC If no MAC, ARP for gateway Network Failure and FHRPs

92 How Gateway Redundancy Works. Multiple routers are bundled in a group, and the group represents a virtual gateway. All routers know the virtual gateway IP, but only the active physical router answers ARP for it, using a virtual MAC address in the replies. Hosts are configured with a default gateway equal to the virtual IP. The routers exchange keepalive (hello) messages; when the active router goes down another one takes its place and starts forwarding for the same virtual MAC, so the hosts' ARP caches stay valid and nothing changes from their perspective.

Gateway Redundancy Protocols. Three protocols with the same major functionality, different enhancements and different behind-the-scenes communication: Hot Standby Router Protocol (HSRP), Virtual Router Redundancy Protocol (VRRP), Gateway Load Balancing Protocol (GLBP).

93 HSRP Overview. Hot Standby Router Protocol: Cisco proprietary. Hellos are sent as UDP port 1985 to multicast 224.0.0.2 (HSRPv1) or 224.0.0.102 (HSRPv2). Uses active/standby routers: the active router forwards traffic for the virtual MAC (0000.0c07.acXX for version 1, XX = group number) and answers ARP for the virtual IP; the standby watches the active router's hellos and takes over the MAC and IP if they stop. Configured with the standby interface-level command.

VRRP Overview. Virtual Router Redundancy Protocol: open standard per RFC 3768 (VRRPv2; VRRPv3 in RFC 5798 adds IPv6). Runs directly over IP as protocol 112 to multicast 224.0.0.18. Uses master/backup routers: the master forwards for the virtual MAC (0000.5e00.01XX), the backups check that the master is up and take over the MAC if it is not. Configured with the vrrp interface-level command.

94 GLBP Overview. Gateway Load Balancing Protocol: Cisco proprietary. Hellos are UDP port 3222 to multicast 224.0.0.102. Provides load balancing with one virtual IP address but multiple virtual MAC addresses (0007.b400.0101 for group 1, forwarder 1). The Active Virtual Gateway (AVG) answers ARP for the virtual IP and hands out the different virtual MACs to different hosts; each Active Virtual Forwarder (AVF) forwards for one particular virtual MAC. AVFs back each other up and have weights assigned that decide whether they may forward.

Advanced FHRP Features: multiple groups per interface; authentication; preemption; interface tracking and Enhanced Object Tracking; IP SLA integration. Note that FHRP hellos are unauthenticated by default, so any host on the VLAN can send hellos with a higher priority and take over as gateway for the whole segment; MD5 authentication is the minimum on user-facing VLANs.

95 Object Tracking. Lets the gateway priority change according to the state of a tracked object, so the active gateway is selected based on network conditions: a router whose uplink has failed should stop being the preferred gateway even though its LAN interface is still up. Tracked objects can be interface state (line protocol or IP routing), the presence of a route in the routing table, IP SLA operations, or Boolean and weighted lists that combine other objects. HSRP and VRRP decrement their priority; GLBP decrements the AVF weighting.

Object Tracking (cont.). Tracking object syntax: track <n> interface <if> {line-protocol | ip routing}; track <n> ip route <prefix> {reachability | metric threshold}; track <n> ip sla <op> {state | reachability}; track <n> list boolean {and | or}. The track ... ip sla form links object tracking to an IP SLA operation, which is how FHRPs usually track end-to-end connectivity rather than just interface state. A priority decrement only changes which router is active if the other router is configured to preempt.

96 Object Tracking (cont.). Linking an IP SLA operation to an FHRP: 1. create the SLA operation (ip sla <x>, then the probe, e.g. icmp-echo <target>); 2. schedule it (ip sla schedule <x> start-time now life forever); 3. create the track object (track <y> ip sla <x> reachability); 4. configure the FHRP to use the object, e.g. for HSRP standby <group> track <y> decrement <n>, together with standby <group> preempt so the decrement actually moves the active role.

FHRP Example (topology diagram: SW1 to SW4 and R1/R2, with VLAN 10 and VLAN 20 host subnets; switch interfaces Fa0/13, Fa0/16 and Fa0/19, router interfaces Fa0/0 to Fa0/2; addresses not recoverable from the slide).
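The election and tracking behaviour described above, worked through in Python as an added example; this is not code from the course deck or from Cisco, and the two-router group, the object name wan-uplink and the priorities are constructed. It shows the trap most often hit in practice: a tracking decrement on the active router changes nothing unless the standby is allowed to preempt.

```python
from dataclasses import dataclass, field


@dataclass
class Gateway:
    name: str
    ip: str                 # real interface address: the higher IP wins a priority tie
    priority: int = 100     # standby <group> priority <n>
    preempt: bool = False   # standby <group> preempt
    # tracked object name -> decrement applied while that object is down
    # (standby <group> track <obj> decrement <n>)
    tracks: dict = field(default_factory=dict)

    def effective_priority(self, object_up):
        """Configured priority minus the decrement of every tracked object that is down."""
        down = sum(dec for obj, dec in self.tracks.items() if not object_up.get(obj, True))
        return max(0, self.priority - down)


def _ip_key(ip):
    return tuple(int(octet) for octet in ip.split("."))


def elect_active(gateways, object_up, current_active=None):
    """HSRP-style election among the gateways that are currently alive.

    With no active router (or the active one gone), the highest effective priority
    wins and the highest real IP breaks ties. An existing active router keeps the
    role unless some other router has BOTH a higher effective priority AND preempt
    configured; this is why a tracking decrement on the active router changes nothing
    when the standby lacks 'standby preempt'."""
    best = max(gateways, key=lambda g: (g.effective_priority(object_up), _ip_key(g.ip)))
    current = next((g for g in gateways if g.name == current_active), None)
    if current is None:
        return best.name
    if (best is not current and best.preempt
            and best.effective_priority(object_up) > current.effective_priority(object_up)):
        return best.name
    return current.name


def run_scenario(standby_preempt):
    """Constructed two-router group: R1 (priority 110) tracks its WAN uplink with
    decrement 20, R2 (priority 100) is the standby. Returns who is active
    (a) initially, (b) after R1's uplink goes down, (c) after R1 dies outright."""
    r1 = Gateway("R1", "10.0.10.2", priority=110, preempt=True, tracks={"wan-uplink": 20})
    r2 = Gateway("R2", "10.0.10.3", priority=100, preempt=standby_preempt)
    group = [r1, r2]
    initial = elect_active(group, {"wan-uplink": True})
    after_uplink_loss = elect_active(group, {"wan-uplink": False}, current_active=initial)
    after_r1_failure = elect_active([r2], {"wan-uplink": False}, current_active=after_uplink_loss)
    return initial, after_uplink_loss, after_r1_failure


if __name__ == "__main__":
    print("standby preempts:   ", run_scenario(standby_preempt=True))    # ('R1', 'R2', 'R2')
    print("standby no preempt: ", run_scenario(standby_preempt=False))   # ('R1', 'R1', 'R2')
```

With preempt on R2 the uplink loss moves the active role immediately; without it R1 keeps forwarding into a dead uplink until it fails completely, which is exactly the outage tracking was meant to prevent.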

97 Non-Stop Forwarding. Higher-end platforms separate the control plane from the data plane: e.g. the Route Switch Processor (RSP) runs the routing protocol exchange while line cards or the distributed forwarding fabric do the actual forwarding. An RSP failure normally paralyzes data-plane forwarding too; redundant RSPs reduce that risk, but the switchover takes time.

Non-Stop Forwarding (cont.). Stateful Switchover (SSO) with redundant RSPs: when the active RSP fails the standby detects it and becomes active. Configuration and data-plane state are kept synchronized between the RSPs, but the routing control plane must be restarted on the new RSP. Forwarding continues using the existing data-plane information (the CEF table) while the new RSP initializes and re-establishes its IGP adjacencies; once the protocols have reconverged, CEF is updated from the new routing information.

98 Non-Stop Forwarding (cont.). Peers must not tear down their adjacency while the restarting RSP rebuilds its control plane; if they do, they withdraw every route learned through the restarting router and the traffic that NSF kept forwarding is blackholed. This requires protocol extensions that signal a restart rather than a failure: the restart (RS) bit in EIGRP hellos, link-local signaling (LLS) in OSPF for Cisco NSF (the IETF variant in RFC 3623 uses opaque grace LSAs), and the BGP graceful restart capability (RFC 4724). SSO is the redundancy mode of the chassis; NSF must additionally be enabled per routing protocol (the nsf keyword under the router process), and the neighbors must be NSF-aware for the restart to be graceful.

99 Internetwork Expert s CCNP Bootcamp Layer 2 Security Attack Mitigation Overview What are common types of attacks? Layer 2 attacks? Layer 3 attacks? Application attacks? How do we detect them? How do we stop them?

100 VLAN Hopping Attack. An attacking host attached to an access port sends 802.1Q or ISL tagged frames into the switched network in order to cross VLAN boundaries. Two variations. First, the host speaks Dynamic Trunking Protocol (DTP) and forms a trunk with the adjacent switch, after which it can tag frames for any VLAN. Second, double tagging: the host sends frames with two 802.1Q headers, the outer tag set to the trunk's native VLAN and the inner tag set to the victim's VLAN. The first switch accepts the frame in the native VLAN, strips the outer tag and, because native VLAN traffic leaves the trunk untagged, forwards the frame with the inner tag now exposed; the next switch reads that tag and delivers the frame into the victim VLAN. Double tagging only works when the attacker's access VLAN equals the native VLAN of the trunk, and it is one-directional (return traffic never comes back), so it is an injection or DoS vector rather than a full MiM.

VLAN Hopping Mitigation. Host-facing interfaces must never be dynamic: configure switchport mode access and switchport nonegotiate to stop DTP. Don't use VLAN 1 for users, ever. Put unused ports in an unused VLAN (not VLAN 1) and shut them down. Set the native VLAN of every trunk to an unused VLAN that no access port belongs to, or tag the native VLAN as well with vlan dot1q tag native. Prune trunks to the VLANs they actually need with switchport trunk allowed vlan.
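Added example, not part of the deck: a Python model of the double-tagging variation. It builds a double-tagged frame with the standard library's struct module and simulates how one access switch and its trunk treat it, so the condition under which the inner tag escapes is visible. The MAC addresses and VLAN numbers are constructed.

```python
import struct

TPID_8021Q = 0x8100


def mac(text):
    """'00:11:22:33:44:55' or '0011.2233.4455' -> 6 bytes."""
    return bytes.fromhex(text.replace(":", "").replace(".", ""))


def build_frame(dst, src, vids, payload=b"\x45" + b"\x00" * 19, ethertype=0x0800):
    """Ethernet frame with zero or more stacked 802.1Q tags, outermost first (PCP/DEI = 0)."""
    frame = mac(dst) + mac(src)
    for vid in vids:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return the VLAN IDs (outermost first) carried by a frame."""
    offset, vids = 12, []
    while struct.unpack_from("!H", frame, offset)[0] == TPID_8021Q:
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        vids.append(tci & 0x0FFF)
        offset += 4
    return vids


def access_to_trunk(frame, access_vlan, native_vlan, tag_native=False):
    """Model one switch: ingress on an access port, egress on an 802.1Q trunk.

    The access port accepts untagged frames and frames tagged with its own VLAN.
    The switch classifies by that first tag only; everything after it is payload.
    On the trunk, frames in the native VLAN leave untagged unless the global
    'vlan dot1q tag native' is configured (modelled by tag_native)."""
    vids = parse_tags(frame)
    if vids and vids[0] != access_vlan:
        return None                                    # tagged for a VLAN this port does not carry
    body = frame[16:] if vids else frame[12:]          # strip the one tag the switch understood
    if access_vlan == native_vlan and not tag_native:
        return frame[:12] + body                       # untagged on the trunk: inner tag is now first
    return frame[:12] + struct.pack("!HH", TPID_8021Q, access_vlan) + body


def vlan_seen_downstream(trunk_frame, native_vlan):
    """The next switch classifies a trunk frame by its first tag, or the native VLAN if none."""
    vids = parse_tags(trunk_frame)
    return vids[0] if vids else native_vlan


if __name__ == "__main__":
    attack = build_frame("ff:ff:ff:ff:ff:ff", "0011.2233.4455", [1, 20])   # outer = native 1, inner = victim 20
    print("native 1, untagged:", vlan_seen_downstream(access_to_trunk(attack, 1, 1), 1))            # 20: hop succeeds
    print("native 999:        ", vlan_seen_downstream(access_to_trunk(attack, 1, 999), 999))        # 1: stays put
    print("tag native:        ", vlan_seen_downstream(access_to_trunk(attack, 1, 1, True), 1))      # 1: stays put
```

The two mitigations from the slide (moving the native VLAN off every access VLAN, or tagging the native VLAN) both keep the attacker's frame in its own VLAN, because the trunk egress adds a tag in front of the inner one instead of exposing it.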

101 CAM Table Attacks. The switch's Content Addressable Memory (CAM) table maps the source MAC addresses learned on each interface to that interface, so frames to a known destination go out one port only. A frame to an unknown destination is flooded out every port in the VLAN except the one it arrived on. When the CAM table is full the switch can no longer learn new addresses, so legitimate hosts' frames are treated as unknown and flooded, and the VLAN effectively turns into a hub that the attacker can sniff. The attacker simply floods frames with random source MAC addresses until the table fills up.

Port Security: CAM Attack Mitigation. switchport port-security limits the number of source MAC addresses learned on a port (maximum), can pin specific addresses (mac-address, or sticky to learn and save them), and on violation either shuts the port down (shutdown, the default, placing it in err-disable), silently drops offending frames (protect) or drops and counts them (restrict); restrict and shutdown also generate a syslog message and SNMP trap for notification.

102 Man-in-the-Middle (MiM) Attack (diagram).

DHCP Starvation Attack. A DHCP server has a finite address scope. The attacker sends a flood of DHCP requests, each with a different spoofed source MAC address; the server leases one IP address per client until the pool is depleted, and legitimate hosts are starved of a lease. Starvation is often the first stage of the rogue DHCP server attack: once the real server has nothing left to offer, the attacker's server answers instead.

103 DHCP Starvation Mitigation: Port Security. Limit the number of source MAC addresses on a port, or pin the specific MAC address allowed on it; shut down the port or filter traffic when a violation occurs; generate a syslog message or SNMP trap for notification.

DHCP Starvation Variation. Port security counts the source MAC addresses in Ethernet headers, so the attacker can no longer generate requests from many MACs. But a DHCP server keys its leases on the client hardware address (chaddr) field inside the DHCP payload, not on the frame's source MAC. The attacker keeps the Ethernet source MAC constant and varies chaddr in every request; port security sees a single MAC address and the starvation result is the same.

104 DHCP Starvation Mitigation: DHCP Snooping. The switch listens to DHCP traffic between clients and the server, marks the server-facing port as trusted, and builds an IP-to-MAC binding per client interface from the leases it sees. On untrusted ports it drops client messages whose Ethernet source MAC differs from the chaddr field (ip dhcp snooping verify mac-address, enabled by default), which defeats the chaddr-only starvation variation, and it can rate-limit DHCP messages per port (ip dhcp snooping limit rate) so a request flood err-disables the attacker's port instead of exhausting the pool.

Rogue DHCP Server Attack. DHCP requests are Layer 2 broadcasts within the VLAN, and by default anyone can reply to a host's request. This enables a simple DoS or, worse, a MiM attack: the attacker answers the request offering itself as default gateway, sniffs all traffic and forwards it to the real gateway, transparently from the victim's perspective; or offers itself as DNS server and redirects victims to phishing sites.

105 Rogue DHCP Server Mitigation: DHCP Snooping. Only the port connected to the DHCP server, or the uplink leading toward it, is configured ip dhcp snooping trust; server messages (OFFER, ACK, NAK) arriving on any other port are dropped.

Rogue DHCP Server Mitigation (cont.). If the switches don't support snooping: DHCP servers listen on UDP port 67 and clients on UDP port 68, so a reply is sent from source port 67 to destination port 68. Filter frames with UDP source port 67 from every source except the legitimate DHCP server. Port ACLs work, but a VACL applied once per VLAN is more efficient than repeating the filter on every access port.

106 ARP Spoofing Attacks. ARP is normally a request/reply protocol: the requester broadcasts "who has this IP address?" and the owner replies "I have it, here is my MAC address". A gratuitous ARP is an unsolicited ARP whose legitimate use is to refresh neighbors' ARP caches, e.g. after a MAC change or an FHRP failover. The illegitimate use is to announce the attacker's MAC for someone else's IP, typically the default gateway, so victims' traffic flows through the attacker; this is the classic way to set up a MiM attack.

ARP Attack Mitigation: DHCP Snooping and Dynamic ARP Inspection. DHCP snooping builds the IP-to-MAC binding table; DAI (ip arp inspection vlan) intercepts ARP packets, requests and replies alike, on untrusted ports and checks the sender IP/MAC pair against that table, dropping any ARP whose binding does not match. Hosts with static addresses have no snooping entry and need an arp access-list applied with ip arp inspection filter; the ip arp inspection validate {src-mac | dst-mac | ip} options additionally check the Ethernet header against the ARP body.

107 MAC Spoofing Attack. The attacker simply modifies the source MAC and/or IP address of its traffic to look like someone else; from the victim's perspective it appears to be the legitimate host.

MAC Spoofing Mitigation: IP Source Guard. IPSG applies the binding-table check to all IP traffic rather than just ARP: on a port with ip verify source, packets whose source IP is not bound to that port in the DHCP snooping table (or in a static ip source binding) are dropped. By default only the source IP is checked; the ip verify source port-security form also checks the source MAC and requires port security on the interface.
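The three binding-table checks of the last few slides (DHCP snooping's chaddr verification from the starvation variation, Dynamic ARP Inspection, and IP Source Guard) as one added Python example. It is not Cisco code or code from the deck; the binding table, port names and MAC/IP values are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One row of the DHCP snooping binding table (show ip dhcp snooping binding)."""
    ip: str
    mac: str
    vlan: int
    port: str


# Constructed binding table and port roles; none of this comes from the deck.
BINDINGS = {
    Binding("10.0.10.11", "0011.2233.4455", 10, "Fa0/1"),
    Binding("10.0.10.12", "0011.2233.6677", 10, "Fa0/2"),
}
TRUSTED = {"Fa0/24"}                 # uplink toward the real DHCP server: ip dhcp snooping trust
DHCP_SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


def dhcp_snooping(port, eth_src, msg_type, chaddr):
    """DHCP snooping on an untrusted port: server messages are dropped, and a client
    message is dropped when its chaddr field differs from the frame's source MAC
    (ip dhcp snooping verify mac-address, enabled by default). This is what stops
    the starvation variant that rotates chaddr behind a fixed source MAC."""
    if port in TRUSTED:
        return "permit"
    if msg_type in DHCP_SERVER_MESSAGES:
        return "drop: DHCP server message on untrusted port"
    if eth_src != chaddr:
        return "drop: chaddr %s does not match frame source MAC %s" % (chaddr, eth_src)
    return "permit"


def dai(port, vlan, eth_src, sender_ip, sender_mac):
    """Dynamic ARP Inspection: the ARP sender IP/MAC pair must appear in the binding
    table for that VLAN (static hosts would need an arp access-list instead);
    'ip arp inspection validate src-mac' also ties the ARP body to the Ethernet header."""
    if port in TRUSTED:
        return "permit"
    if eth_src != sender_mac:
        return "drop: ARP sender MAC differs from frame source MAC"
    if not any(b.vlan == vlan and b.ip == sender_ip and b.mac == sender_mac for b in BINDINGS):
        return "drop: no binding for %s / %s in VLAN %d" % (sender_ip, sender_mac, vlan)
    return "permit"


def ip_source_guard(port, src_ip, src_mac, check_mac=False):
    """IP Source Guard: the source IP must be bound to this port. By default only
    the IP is checked; 'ip verify source port-security' also checks the MAC."""
    for b in BINDINGS:
        if b.port == port and b.ip == src_ip and (not check_mac or b.mac == src_mac):
            return "permit"
    return "drop: %s/%s is not bound to %s" % (src_ip, src_mac, port)


if __name__ == "__main__":
    # chaddr rotation: same frame source, different chaddr -> dropped
    print(dhcp_snooping("Fa0/3", "aaaa.aaaa.0001", "DISCOVER", "aaaa.aaaa.0002"))
    # host on Fa0/2 claims the gateway address 10.0.10.1 in a gratuitous ARP -> dropped
    print(dai("Fa0/2", 10, "0011.2233.6677", "10.0.10.1", "0011.2233.6677"))
    # host on Fa0/2 sources IP traffic from its neighbour's address -> dropped
    print(ip_source_guard("Fa0/2", "10.0.10.11", "0011.2233.6677"))
```

All three features depend on the same binding table, which is why DHCP snooping has to be enabled and populated first, and why a host that was already attached before snooping was turned on (no lease seen) is cut off until it renews or a static binding is added.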

108 MAC Spoofing Mitigation (cont.). If the switches don't support IP Source Guard, port security can at least pin specific source MAC addresses to the interface or limit how many are learned on it (switchport port-security mac-address / maximum), which stops an attacker from impersonating a host on a different port but not from spoofing the IP address behind its own MAC.

802.1X Authentication. Port-based network access control: the switch (authenticator) relays EAP between the client (supplicant) and a RADIUS server, and the port forwards only EAPOL until authentication succeeds. Credentials can be username/password or certificates depending on the EAP method. Stops illegitimate hosts from joining the network in the first place; note that an authenticated port can still be abused by a device chained behind a hub or phone, so port security, snooping and DAI remain relevant on 802.1X ports.

109 Private VLANs Allow for layer 2 isolation and access control between ports within the same VLAN Can span multiple switches Example: Device A, B, C and D are in VLAN 10 Device A should be allowed to communicate with device B, C, and D Device B and C should be allowed to communicate with device A and each other Device D should only be allowed to communicate with device A Private VLANs (cont.) Private VLANs use sub-vlans within the primary VLAN for the layer 2 isolation Community Isolated Sub VLANs contain port types Promiscuous Can talk to all ports in the VLAN Isolated Can talk only to promiscuous ports Community Can talk to other ports in the same community and to promiscuous ports
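A configuration audit for the mitigations in this Layer 2 security section, added here as a Python example; it is not code from the deck or a Cisco tool. The running-config excerpt it parses is constructed, and the checks encode the advice given on the preceding slides: access ports in access mode with DTP disabled and port security, no host ports in VLAN 1, trunks with a non-default native VLAN and a pruned VLAN list, DHCP snooping and DAI enabled globally.

```python
# Constructed running-config excerpt used as sample input (not from the deck).
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10,20
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport access vlan 1
 spanning-tree portfast
!
interface FastEthernet0/3
 shutdown
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust
!
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
 ip dhcp snooping trust
"""


def parse_interfaces(config):
    """Split an IOS running-config into global commands and {interface: [sub-commands]}."""
    global_cmds, interfaces, current = [], {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None                                # '!' or a global command ends the block
            if line.strip() and line.strip() != "!":
                global_cmds.append(line.strip())
    return global_cmds, interfaces


def _vlan_from(cmds, prefix, default):
    """VLAN number from e.g. 'switchport access vlan 10', or the IOS default if absent."""
    return next((int(c.split()[-1]) for c in cmds if c.startswith(prefix)), default)


def audit(config):
    """Return (scope, finding) tuples for every deviation from the hardening baseline."""
    global_cmds, interfaces = parse_interfaces(config)
    findings = []
    if "ip dhcp snooping" not in global_cmds:
        findings.append(("global", "DHCP snooping not enabled"))
    if not any(c.startswith("ip arp inspection vlan") for c in global_cmds):
        findings.append(("global", "Dynamic ARP Inspection not enabled on any VLAN"))
    for name, cmds in interfaces.items():
        if "shutdown" in cmds:
            continue                                      # administratively down: unused port done right
        if "switchport mode trunk" in cmds:
            if _vlan_from(cmds, "switchport trunk native vlan", 1) == 1:
                findings.append((name, "trunk native VLAN is 1 (double-tagging exposure)"))
            if not any(c.startswith("switchport trunk allowed vlan") for c in cmds):
                findings.append((name, "trunk carries all VLANs (no allowed-vlan pruning)"))
        else:
            if "switchport mode access" not in cmds:
                findings.append((name, "access port left in DTP dynamic mode"))
            if _vlan_from(cmds, "switchport access vlan", 1) == 1:
                findings.append((name, "host port in VLAN 1"))
            if not any(c.startswith("switchport port-security") for c in cmds):
                findings.append((name, "no port security (CAM flooding / DHCP starvation)"))
        if "switchport nonegotiate" not in cmds:
            findings.append((name, "DTP not disabled (switchport nonegotiate)"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONFIG):
        print("%-20s %s" % (scope, finding))
```

Run against the sample, FastEthernet0/1 and GigabitEthernet0/2 pass clean, the shut-down port is skipped, and the default-configured FastEthernet0/2 and GigabitEthernet0/1 account for every finding apart from the missing global DAI statement. Feeding it a real show running-config output works the same way, since only the leading-space convention of IOS sub-commands is relied on.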

110 Layer 2 Security Q&A

111 Internetwork Expert s CCNP Bootcamp Layer 2 Voice & Video Support Power Over Ethernet Required to centrally power small devices IP Phones Access Point Surveillance cameras PoE reduces Cabling requirements Centralized power management PoE compliant switches support power in Ethernet twisted pair Injectors could be used with other switches

112 Power Over Ethernet (cont.). Two incompatible detection methods: Cisco pre-standard (inline power with CDP-based power negotiation) and IEEE 802.3af (15.4 W per port; 802.3at, PoE+, raises this to 30 W). Newer devices support both, and the PoE requirement is detected automatically. Every switch has a PoE power budget, so plan power usage ahead. Configuration: interface-level power inline {auto | never | static}; exec-level show power inline.

Voice QoS Requirements. VoIP traffic has strict QoS requirements in terms of one-way delay, jitter and packet loss. Packet networks are statistically multiplexed, so oversubscription is possible, and even an over-engineered network has traffic bursts beyond capacity. A VoIP deployment therefore requires QoS mechanisms.

113 DiffServ QoS Review. Instead of dealing with individual traffic flows, DiffServ introduces traffic classes, e.g. voice versus data, which scales to a large number of nodes. Classification is performed at the edge of the network and packet marking preserves the classification decision. All devices must agree on a common marking scheme and implement a consistent QoS policy for each class.

DiffServ Classification. Can be based on an existing marking: Layer 2 (Ethernet CoS) or Layer 3 (IP Precedence and DSCP). Can be based on traffic characteristics: protocol and TCP/UDP port numbers, matched via access lists. Can be based on flow characteristics, e.g. traffic is metered and packets exceeding the contracted rate are re-classified as low priority.

114 DiffServ Marking. Marking stores the classification decision so the receiving device can interpret it. It can be encoded at different layers: Layer 2 CoS, Layer 3 IP DSCP or IP Precedence. To maintain consistency, markings at different layers should be kept in sync; CoS 5 with IP Precedence 0 is not illegal but makes little sense, because the CoS is lost as soon as the frame is routed.

DiffServ Per-Hop Behavior (PHB). The actual policy implementation, applied to traffic classes based on their marking. Three general types: Assured Forwarding (AF, RFC 2597: a bandwidth guarantee with drop precedence), Expedited Forwarding (EF, RFC 3246: low-latency priority treatment, DSCP 46, used for voice) and Default or Best Effort (DSCP 0, no guarantees of any kind). Implemented using Cisco's QoS tools (class maps, policy maps, queueing).

115 Trust Boundaries. Accepting an existing marking is called trusting. It is the simplest classification method and saves configuration time and switch resources, but it relies on some other device to classify correctly, e.g. an IP phone marking its own VoIP traffic. The trust boundary typically sits at the network edge. Once mls qos is enabled globally, untrusted ports rewrite incoming CoS and DSCP to the port default (zero), so an end host cannot mark its own traffic into the priority queue; trust only devices the network administrator controls (phones identified via CDP, not the PCs behind them).

Trust Boundary Examples (diagram).

116 Configuring Trust Boundaries. Trust state is configured per port with mls qos trust {cos | ip-precedence | dscp}. Conditional trust, mls qos trust device cisco-phone, only trusts the port while CDP reports a Cisco IP phone on it. For ports connected to IP phones, the trust extended to the PC behind the phone is set separately with switchport priority extend {cos <value> | trust}; the default is to have the phone overwrite the PC's CoS with 0.

Voice VLANs. Voice and data traffic should be separated because they have different transport requirements and different security requirements. The same VLAN could be used but is normally not recommended. The voice VLAN, also known as the auxiliary VLAN, is automatically signaled to the IP phone via CDP and is configured with switchport voice vlan.

117 Voice VLANs (cont.)

A single physical link can connect to a phone and a PC at the same time, so voice and data traffic must have some way of being differentiated. 802.1Q tagging is typically used for this separation: the phone tags its own traffic with the voice VLAN while the PC's traffic passes untagged in the access VLAN. The 802.1Q header also carries the CoS value; a regular Ethernet header has no CoS field.

Voice VLAN Variations

SW1#
interface FastEthernet0/1
 switchport access vlan 20
 switchport voice vlan 10
!
interface FastEthernet0/2
 switchport access vlan 20
 switchport voice vlan dot1p
!
interface FastEthernet0/3
 switchport access vlan 20
 switchport voice vlan untagged
!
interface FastEthernet0/4
 switchport access vlan 20
 switchport voice vlan none

Fa0/1: the phone tags voice into VLAN 10. Fa0/2: the phone tags voice with VLAN 0 (priority tag, CoS only). Fa0/3: the phone sends voice untagged in the access VLAN. Fa0/4: the switch gives the phone no voice VLAN instruction via CDP.

118 Layer 2 AutoQoS. Layer 2 AutoQoS simplifies QoS implementation for VoIP. It is effectively a macro that defines the trust boundary, the marking policy, the classification policy and the queueing policy. Configured at port level with auto qos voip {cisco-phone | cisco-softphone | trust}; the generated configuration can be inspected afterwards with show running-config.

Q&A

119 Internetwork Expert s CCNP Bootcamp Wireless LANs WLANs Overview WLANs replace Physical (layer 1) and Data Link (layer 2) transports with wireless Upper layer protocols like IP/TCP/UDP/etc. are not affected Similar in many ways to legacy Ethernet Uses MAC addresses for layer 2 addressing WLAN is a shared media Access Point (AP) acts like a hub/repeater Uses same RF for transmit and receive Implies communication is half-duplex Collisions can occur

120 Collision Detection. 802.3 (Ethernet) uses CSMA/CD: listen on the wire (carrier sense); if someone is transmitting, wait a backoff duration; else transmit while continuing to listen. If a jam signal is heard within the propagation delay of the segment, a collision occurred: wait a random backoff duration and retry. Otherwise the transmission was successful.

Collision Avoidance. In WLANs collisions can't be detected: a radio can't listen while it sends, so it never hears a jam signal, and the hidden terminal problem makes it worse (A is in range of B and C, but B and C are out of range of each other). Instead, 802.11 (WLAN) uses CSMA/CA, which tries to avoid collisions before they happen using the Distributed Coordination Function (DCF) with random backoff timers. A transmission is assumed successful only when an ACK is received; the AP is responsible for ACKing client data.

121 Distributed Coordination Function. DCF is the implementation of collision avoidance. Listen on the RF channel. If free, transmit and advertise the duration of the frame (how many microseconds the sender needs). Else, wait for the advertised duration to expire plus the DCF Interframe Space (DIFS), then listen again for a random backoff duration; if free, transmit and advertise duration; else wait for the duration to expire plus DIFS plus a new random backoff. Since the backoff is random, it is unlikely that two stations transmit at the same time.

DCF Example. HostA listens on RF and finds it free, and sends a packet with duration X followed by DIFS Y. HostB hears A sending and must wait X + Y + random backoff Z_B; HostC hears A sending and must wait X + Y + random backoff Z_C. If Z_B < Z_C, HostB sends next; if Z_C < Z_B, HostC sends next; if Z_B = Z_C, a collision will occur and both back off again.

122 WLAN SSIDs. Ethernet LANs define who can talk to whom by broadcast domain (VLAN). In a WLAN every station on a channel shares one collision and broadcast domain and can receive everyone's frames. WLANs are logically separated by the Service Set Identifier (SSID), and devices with mismatched SSIDs (generally) ignore each other's traffic. This does not affect the collision domain, and it is not a security boundary: any radio in range can capture frames for any SSID, hidden or not, and only encryption (WPA2) keeps them unreadable.

SSIDs and Modes. SSIDs fall into three categories and two modes depending on who participates in the WLAN. Independent Basic Service Set (IBSS): ad hoc mode, wireless clients without an Access Point. Basic Service Set (BSS): infrastructure mode, wireless clients associated with the same Access Point. Extended Service Set (ESS): infrastructure mode, wireless clients associated with multiple Access Points sharing the same SSID, which allows advanced applications such as transparent roaming.

123 Wireless Association In order to communicate with an AP, clients perform a negotiation process called association Association steps are Client sends probe request to find AP AP responds with probe response AP can also send unsolicited beacon Client starts association AP accepts/rejects association If successful, AP installs client s MAC WLAN Topologies Once association is complete, APs main job is to bridge traffic either Wired to wireless Wireless to wireless APs can performs different roles such as Bridges Accept traffic in LAN and forward it to client Used to translate between wired and wireless network Can be point-to-point (Workgroup Bridge) or point-to-multipoint Repeaters Accept RF signal and resend it Used to extend range of wireless network Mesh topologies Combination of both repeating and bridging Used for fault tolerance, load distribution, transparent roaming, etc.

124 WLAN Multipoint Bridging Topology (diagram: LAN and WLAN segments). Point-to-Point Bridging Topology (diagram).

125 WLAN Repeaters Topology (diagram). WLAN Mesh Topology (diagram: WLAN mesh connected to the LAN).

126 WLAN VLAN Support. Enterprise APs (e.g. Aironet) support multiple SSIDs per AP. SSIDs can be mapped to VLANs and trunked back to the LAN via 802.1Q. All SSIDs still share the same RF coll ision domain, but each SSID/VLAN pair is its own logical segment and its own wired broadcast domain, and the per-SSID encryption keys keep one SSID's traffic unreadable to stations on another. E.g. VLAN 10 = SSID guest with open access (unencrypted, so it must be firewalled from the inside), VLAN 20 = SSID private with WPA2.

WLAN VLAN Topology (diagram).

127 Cisco Unified Wireless Solution Standalone or autonomous APs are easy to install, but in large deployment difficult to manage Each AP requires manual config of parameters such as SSIDs, VLAN, Security, etc. CUWS adds scalability by separating the WLAN data plane and control plane into a split MAC design with two key components Lightweight Access Points (LWAPs) Wireless LAN Controllers (WLCs) Lightweight WLANs Split MAC means that LWAP and WLC share functionality that an autonomous AP performs on its own LWAP Actual RF transmission Controls real-time operations Beacons, probes, buffering, etc. WLC Controls management and non real-time operations SSIDs, VLANs, association, authentication, QoS, etc. LWAPs are now plug-and-play and require the WLC for operation

128 LWAP to WLC Communication. All client traffic an LWAP receives is first sent to the WLC, so the forwarding paradigm changes: even traffic between two hosts associated to the same AP goes via the controller. The traffic is tunneled with the Lightweight Access Point Protocol (LWAPP). The LWAPP tunnel can run in two modes. Layer 2: the LWAP encapsulates the frame inside Ethernet toward the WLC, which implies the LWAP and WLC must be in the same VLAN and subnet. Layer 3: the LWAP encapsulates inside UDP (LWAPP uses port 12222 for data and 12223 for control), so the WLC can be anywhere as long as it is reachable. Later WLC releases replaced LWAPP with CAPWAP (RFC 5415; UDP 5246 control, 5247 data), which keeps the same split-MAC model and protects the control channel with DTLS.

Layer 2 LWAPP Topology (diagram).

129 Layer 3 LWAPP Topology Wireless Q&A

130 Internetwork Expert s CCNP Bootcamp IP Routing Overview IP Routing Overview Three main steps Routing Find the outgoing interface Switching Move the packet between interfaces Encapsulation Build the layer 2 header i.e. layer 2 packet rewrite

131 The Routing Process Step 1: Find the longest match show ip route / / /24 Which route chosen? Step 2: Perform recursive lookup via via via » directly connected, FastEthernet0/0 Metric vs. Administrative Distance If there are multiple longest matches from the same protocol Metric used to decide between multiple routes from the same protocol different protocols Administrative distance used to decide between multiple routes from different protocols

132 Administrative Distance Reference

Route source          AD
Connected              0
Static                 1
EIGRP summary          5
External BGP          20
Internal EIGRP        90
IGRP*                100
OSPF                 110
IS-IS                115
RIP                  120
EGP*                 140
ODR                  160
External EIGRP       170
Internal BGP         200
Unknown/infinite     255 (never installed)
*Deprecated

The Switching Process. Move the packet between interfaces; this is where load balancing occurs. Switching paths: process switching, fast switching, CEF.

133 The Encapsulation Process Build the layer 2 header based on the outgoing media i.e. layer 2 packet rewrite Two different types of interfaces Point-to-point Only one possible destination No need for layer 2 addressing e.g. HDLC, PPP, etc. Multipoint More than one possible destination Requires layer 3 to layer 2 resolution e.g. Ethernet, Frame Relay, ATM, etc. Routing to a Next-Hop vs. Interface To next-hop e.g. ip route Recursive lookup required Resolve layer 2 address of To point-to-point interface e.g. ip route Serial0/0.1 No recursive lookup Layer 2 resolution not required To multipoint Interface e.g. ip route FastEthernet0/0 No recursive lookup Resolve layer 2 address for final destination Ethernet Proxy-ARP NBMA Mappings
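The three-step lookup of the last slides (longest match, recursive next-hop resolution, then the address that needs Layer 2 resolution on the egress interface), together with the AD-then-metric tie-break from the Metric vs. Administrative Distance slide, as an added Python example. The routing table it uses is constructed, and it models the generic behaviour the slides describe, not the code of any IOS release.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Administrative distances from the reference table above (lower is more trusted).
AD = {"connected": 0, "static": 1, "ebgp": 20, "eigrp": 90, "ospf": 110, "rip": 120, "ibgp": 200}


@dataclass(frozen=True)
class Route:
    prefix: str
    protocol: str
    metric: int = 0
    next_hop: Optional[str] = None      # None for connected and interface-only static routes
    interface: Optional[str] = None     # set once the route points at an egress interface


def build_rib(candidates):
    """Install one route per prefix: lowest AD wins; within that, lowest metric wins."""
    rib = {}
    for route in candidates:
        net = ipaddress.ip_network(route.prefix)
        best = rib.get(net)
        if best is None or (AD[route.protocol], route.metric) < (AD[best.protocol], best.metric):
            rib[net] = route
    return rib


def longest_match(rib, destination):
    addr = ipaddress.ip_address(destination)
    matches = [net for net in rib if addr in net]
    return rib[max(matches, key=lambda n: n.prefixlen)] if matches else None


def resolve(rib, destination, max_depth=8):
    """Routing step: longest match, then recurse on next hops until a route with an
    egress interface is reached. Also reports the address that needs Layer 2
    resolution on that interface: the last next hop in the chain, or the destination
    itself for a route pointing straight at a multipoint interface (the proxy-ARP case)."""
    chain, target = [], destination
    for _ in range(max_depth):
        route = longest_match(rib, target)
        if route is None:
            return None                                   # no route at any step: packet dropped
        chain.append(route)
        if route.interface is not None:
            arp_for = chain[-2].next_hop if len(chain) > 1 else (route.next_hop or destination)
            return {"route": chain[0], "egress": route.interface, "arp_for": arp_for, "depth": len(chain)}
        target = route.next_hop
    raise RuntimeError("recursive lookup did not terminate")


def installed_protocol(rib, prefix):
    return rib[ipaddress.ip_network(prefix)].protocol


# Constructed routing information (not from the deck).
CANDIDATES = [
    Route("10.0.0.0/24", "connected", interface="FastEthernet0/0"),
    Route("10.0.1.0/24", "connected", interface="Serial0/0.1"),
    Route("172.16.0.0/16", "ospf", metric=20, next_hop="10.0.0.2"),
    Route("172.16.0.0/16", "rip", metric=3, next_hop="10.0.1.2"),        # loses on AD, not on metric
    Route("172.16.1.0/24", "eigrp", metric=30720, next_hop="10.0.1.2"),  # longer prefix beats lower AD
    Route("192.168.1.0/24", "static", next_hop="172.16.0.1"),            # recursive static route
    Route("0.0.0.0/0", "static", interface="Serial0/0.1"),               # point-to-point, no next hop
]
RIB = build_rib(CANDIDATES)


if __name__ == "__main__":
    for dst in ("192.168.1.5", "172.16.1.9", "172.16.2.9", "8.8.8.8"):
        print(dst, resolve(RIB, dst))
```

192.168.1.5 takes three lookups (static via 172.16.0.1, OSPF via 10.0.0.2, connected on FastEthernet0/0) and the router ARPs for 10.0.0.2, not for 172.16.0.1; 172.16.1.9 prefers the EIGRP /24 even though OSPF's /16 has the better AD, because longest match is decided before AD is ever consulted.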

134 IP Routing Q&A

135 Internetwork Expert's CCNP Bootcamp: Enhanced Interior Gateway Routing Protocol (EIGRP)

What is EIGRP? Enhanced Interior Gateway Routing Protocol, the successor to Interior Gateway Routing Protocol (IGRP). Cisco proprietary at the time of this course (later published as informational RFC 7868). Often called a hybrid protocol because it combines distance vector behavior with link-state-like features (neighbor adjacencies, triggered partial updates); more precisely it is an advanced distance vector protocol. Classless: supports VLSM and summarization.

136 Why Use EIGRP? Guarantees a loop-free topology through the Diffusing Update Algorithm (DUAL). Fast convergence, the fastest of all IGPs in certain designs. Reliable and efficient updating: forms active neighbor adjacencies, guarantees packet delivery with the Reliable Transport Protocol (RTP, EIGRP's own, not the real-time transport protocol), and supports partial updates so not all neighbors need all routes.

Why Use EIGRP? (cont.) Multiple routed protocol support: IPv4, IPX and AppleTalk; legacy now, but originally important in non-converged networks. Granular metric: a composite metric derived from multiple factors. Unequal-cost load balancing: the only IGP that supports unequal-cost load sharing (variance), and only across feasible successors. Control plane security: supports MD5 authentication with key chains (named-mode EIGRP on newer IOS also supports HMAC-SHA-256). Without authentication any host on a segment running EIGRP can form an adjacency and inject routes, so authenticate, and use passive-interface on user-facing segments.

137 How EIGRP Works. Step 1: discover EIGRP neighbors. Step 2: exchange topology information. Step 3: choose the best path via DUAL. Step 4: neighbor and topology table maintenance.

Step 1: Discovering EIGRP Neighbors. EIGRP uses multicast HELLO packets to discover neighbors on EIGRP-enabled attached links, transported directly over IP as protocol 88 (EIGRP) to destination address 224.0.0.10. Hello packets carry the Autonomous System number, the hold time, authentication data and the metric weightings (K values). Neighbors found are inserted into the EIGRP neighbor table (show ip eigrp neighbors). Only neighbors that agree on these attributes (AS number, K values, authentication, and a common subnet) exchange updates and form an active adjacency.

138 Step 2: Exchanging Topology Information. Once neighbors are found, EIGRP UPDATE messages are used to exchange routes, sent as multicast to 224.0.0.10 or as unicast. RTP uses sequence numbers and acknowledgements (ACKs) to ensure delivery. Update messages describe the attributes of a route: prefix and length, next hop, bandwidth, delay, load, reliability, MTU, hop count and external attributes. All routes learned from all neighbors make up the EIGRP topology table (show ip eigrp topology).

Step 3: Choosing the Best Path. Once the topology is learned, DUAL runs to choose the loop-free best path to each destination. Unlike other protocols, EIGRP uses a composite metric: a K-value weighting of bandwidth, delay, load and reliability (MTU and hop count are carried but do not enter the metric). The path with the lowest composite metric is considered best and installed in the IP routing table. One or more backup routes can also be pre-calculated per destination. Only the best route is advertised to other EIGRP neighbors.

139 Step 4 - Neighbor and Topology Table Maintenance Unlike RIP or IGRP, active EIGRP neighbor adjacency reduces convergence time in event of network failure Adjacent neighbors hello packets contain hold time If no hello is received within hold time, neighbor declared unreachable When neighbor is lost Paths via that neighbor are removed from topology and routing table If backup routes exist, they become new best paths and are inserted in routing table In this case EIGRP can have sub-second convergence If no backup routes exist, DUAL must run again DUAL Reconvergence When best path is lost and no backup routes exist, route goes into active state and active timer starts Stable routes not in active state are considered passive EIGRP QUERY message is reliably sent to remaining neighbors asking if there is an alternate route QUERY is propagated to all neighbors within EIGRP query domain or flooding domain More on this later Neighbors respond with EIGRP REPLY packet indicating if alternate route is available If alternate route exists, DUAL recalculates new best path If no alternate route, prefix removed from topology table If active timer expires and no REPLY received, route is declared Stuck-In-Active (SIA) and removed from topology table

140 EIGRP Loop Prevention. EIGRP guarantees a loop-free topology through split horizon (don't advertise routes out the link they came in on) and the DUAL feasibility condition (if your advertised metric is lower than my best metric, you cannot be routing through me, so you are loop-free).

DUAL Terms in Detail. Successor: best path to a destination. Feasible Distance (FD): composite metric of the best path. Feasible Successor (FS): backup path to a destination. Advertised Distance (AD), also called Reported Distance (RD) in Cisco documentation to avoid confusion with administrative distance: the composite metric learned from the neighbor, i.e. the neighbor's own distance to the destination. Local Distance (LD): composite metric to reach the local neighbor. Feasibility Condition (FC): criteria for valid backup paths.

141 DUAL Path Selection in Detail. Once the adjacency is up and update messages are exchanged, path selection begins. Each update includes the metric the upstream router uses to reach the destination (AD). The local router knows its own metric to reach each upstream router (LD). The best path (successor) is chosen based on the lowest AD + LD.

DUAL Example (R1's view of prefix X, a VLAN attached to R5; values as far as they are recoverable from the slide)

Neighbor   LD   AD   LD+AD   Path
R2         10   11    21     R1-R2-R5-X   (successor, FD = 21)
R3         20   16    36     R1-R3-R5-X
R4         15   21    36     R1-R4-R5-X

Other distances shown on the slide: R2-R5-X = 11, R3-R5-X = 16, R4-R5-X = 21, R2-R3-R5-X = 26, R3-R2-R5-X = 21, R4-R3-R5-X = 26, R5-X = 1.

142 Feasibility Condition in Detail. Once the best path is chosen, the remaining paths are examined for backup routes. The Feasibility Condition (FC) finds loop-free backups with a simple test: if a neighbor's AD < my FD, that neighbor is closer to the destination than I am, so it cannot be routing through me and the path is a loop-free, viable backup. Paths that meet the FC are Feasible Successors (FS). Only feasible successors can be used for unequal-cost load balancing (variance).

Feasibility Condition Example (R1, prefix X). FD = 21 via the successor R2 (AD 11). Find routes with AD < 21: R3 advertises X at 16, so R3 is a feasible successor; R4 advertises X at 21, and 21 is not less than 21, so R4 is NOT a feasible successor, even though its total cost (36) equals R3's.

143 Composite Metric Calculation in Detail. Unlike other IGPs' hop count or bandwidth-based cost, the EIGRP metric is a composite value comprised of: the inverse of the lowest bandwidth along the path in kbps, scaled as 10^7 / bandwidth and multiplied by 256; the cumulative delay along the path in tens of microseconds (µs), multiplied by 256; the worst load along the path; the worst reliability along the path. The composite metric is computed as metric = [K1 * bandwidth + (K2 * bandwidth) / (256 - load) + K3 * delay]; if K5 != 0, metric = metric * [K5 / (reliability + K4)]. K values allow manual administrative weighting and must match for an adjacency to form. Default K values are K1 = 1, K2 = 0, K3 = 1, K4 = 0, K5 = 0, so the default composite is bandwidth + delay. Reliability and load are typically not used since they change constantly.

Composite Metric Calculation Example. All links FastEthernet: BW = 100,000 kbps, DLY = 100 µs per link, so the bandwidth term is 10^7 / 100,000 * 256 = 25,600 and every link adds 10 (tens of µs) * 256 = 2,560.

One link  (R5-X):                                    25600 + 10 * 256 = 28160
Two links (R2-R5-X, R3-R5-X, R4-R5-X):               25600 + 20 * 256 = 30720
Three links (R1-R2-R5-X, R1-R3-R5-X, R1-R4-R5-X,
             R2-R3-R5-X, R3-R2-R5-X, R3-R4-R5-X,
             R4-R3-R5-X):                            25600 + 30 * 256 = 33280

With equal links, only the delay term distinguishes the paths, which is why each extra hop adds exactly 2,560.
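The composite metric and the DUAL successor/feasible-successor selection from the last few slides, as an added Python example (not the deck's or Cisco's code). The DUAL input reuses R1's view from the example above (R2: LD 10 / AD 11, R3: LD 20 / AD 16, R4: LD 15 / AD 21); the T1 figures in the main block are constructed to show a non-trivial bandwidth term.

```python
def composite_metric(min_bw_kbps, total_delay_us, load=1, reliability=255, k=(1, 0, 1, 0, 0)):
    """EIGRP classic composite metric.

    bandwidth term: 10^7 / lowest bandwidth on the path in kbps (integer division, as IOS does)
    delay term:     cumulative delay in tens of microseconds
    Both are scaled by 256; K2/K4/K5 bring in load and reliability and are 0 by default,
    so the default metric is simply 256 * (bandwidth term + delay term)."""
    k1, k2, k3, k4, k5 = k
    bandwidth = 10_000_000 // min_bw_kbps
    delay = total_delay_us // 10
    metric = k1 * bandwidth + (k2 * bandwidth) // (256 - load) + k3 * delay
    if k5 != 0:
        metric = metric * k5 // (reliability + k4)
    return metric * 256


def dual(paths):
    """paths: {neighbor: (local_distance, advertised_distance)} for one prefix.

    Returns (successor, feasible distance, feasible successors). The successor is the
    lowest LD + AD; a feasible successor is any other neighbor whose AD is strictly
    below the FD, which is what guarantees it is not routing back through us."""
    totals = {n: ld + ad for n, (ld, ad) in paths.items()}
    successor = min(totals, key=totals.get)
    fd = totals[successor]
    feasible = sorted(n for n, (ld, ad) in paths.items() if n != successor and ad < fd)
    return successor, fd, feasible


if __name__ == "__main__":
    # FastEthernet example from the slide: one, two and three 100 us hops
    for hops in (1, 2, 3):
        print(hops, "hop(s):", composite_metric(100_000, 100 * hops))     # 28160, 30720, 33280
    # Constructed: a T1 (1544 kbps, 20000 us default delay) dominates via the bandwidth term
    print("T1:", composite_metric(1544, 20_000))                             # 2169856
    # R1's view of prefix X from the DUAL example above
    print(dual({"R2": (10, 11), "R3": (20, 16), "R4": (15, 21)}))           # ('R2', 21, ['R3'])
```

The strict inequality in dual() is the whole point of the feasibility condition: R4's AD of 21 equals the FD, so it is excluded even though its total cost is the same as R3's, exactly as the slide states.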

144 Implementing Basic EIGRP Initialize EIGRP process router eigrp [asn] Enable EIGRP on links network [address] [wildcard] Network statement does not control what is advertised, controls what interfaces run the protocol Verifying Basic EIGRP Verify EIGRP interfaces show ip eigrp interfaces Verify EIGRP neighbors show ip eigrp neighbors Verify EIGRP topology show ip eigrp topology Verify EIGRP routes in routing table show ip route [eigrp]

145 Implementing Basic EIGRP Example
[Topology diagram: R1 to R5 connected by FastEthernet0/0 subinterfaces (Fa0/0.1, Fa0/0.12, Fa0/0.2, Fa0/0.23, Fa0/0.34, Fa0/0.45, Fa0/0.25 and others) on VLANs 1, 12, 2, 4, 23, 34, 35, 25, 45 and 5, each a /24 subnet; addresses are not recoverable from the transcription]
Basic EIGRP Configuration
R1#show run | section router eigrp 1
router eigrp 1
 network
 no auto-summary
R2#show run | section router eigrp 1
router eigrp 1
 network
 no auto-summary
R3#show run | section router eigrp 1
router eigrp 1
 network
 network
 network
 no auto-summary
R4#show run | section router eigrp 1
router eigrp 1
 network
 network
 network
 no auto-summary
R5#show run | section router eigrp 1
router eigrp 1
 network
 no auto-summary

146 EIGRP Interface Verification R1#show ip eigrp interfaces IP-EIGRP interfaces for process 1 Xmit Queue Mean Pacing Time Multicast Pending Interface Peers Un/Reliable SRTT Un/Reliable Flow Timer Routes Fa0/ /0 0 0/1 0 0 Fa0/ /0 8 0/ Fa0/ /0 0 0/1 0 0 Fa0/ /0 0 0/1 0 0 R2#show ip eigrp interfaces IP-EIGRP interfaces for process 1 Xmit Queue Mean Pacing Time Multicast Pending Interface Peers Un/Reliable SRTT Un/Reliable Flow Timer Routes Fa0/ /0 0 0/1 0 0 Fa0/ /0 4 0/ Fa0/ /0 6 0/ Fa0/ /0 9 0/ R3#show ip eigrp interfaces IP-EIGRP interfaces for process 1 Xmit Queue Mean Pacing Time Multicast Pending Interface Peers Un/Reliable SRTT Un/Reliable Flow Timer Routes Fa0/ /0 6 0/ Fa0/ /0 1 0/ Fa0/ /0 8 0/ R4#show ip eigrp interfaces IP-EIGRP interfaces for process 1 Xmit Queue Mean Pacing Time Multicast Pending Interface Peers Un/Reliable SRTT Un/Reliable Flow Timer Routes Fa0/ /0 1 0/ Fa0/ /0 0 0/1 0 0 Fa0/ /0 4 0/ R5#show ip eigrp interfaces IP-EIGRP interfaces for process 1 Xmit Queue Mean Pacing Time Multicast Pending Interface Peers Un/Reliable SRTT Un/Reliable Flow Timer Routes Fa0/ /0 0 0/1 0 0 Fa0/ /0 13 0/ Fa0/ /0 15 0/ Fa0/ /0 7 0/ EIGRP Packet Level Debug R1#debug ip packet detail IP packet debugging is on (detailed) R1#config t Enter configuration commands, one per line. End with CNTL/Z. 
R1(config)#router eigrp 1 R1(config-router)#no auto-summary R1(config-router)#network R1(config-router)#end R1# IP: s= (local), d= (FastEthernet0/0.1), len 60, sending broad/multicast, proto=88 IP: s= (local), d= (FastEthernet0/0.12), len 60, sending broad/multicast, proto=88 IP: s= (FastEthernet0/0.12), d= , len 60, rcvd 2, proto=88 %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor (FastEthernet0/0.12) is up: new adjacency IP: tableid=0, s= (FastEthernet0/0.12), d= (FastEthernet0/0.12), routed via RIB IP: s= (FastEthernet0/0.12), d= (FastEthernet0/0.12), len 40, rcvd 3, proto=88 IP: s= (local), d= (FastEthernet0/0.12), len 60, sending broad/multicast, proto=88 IP: s= (local), d= (FastEthernet0/0.12), len 40, sending, proto=88 IP: s= (FastEthernet0/0.12), d= , len 77, rcvd 2, proto=88 IP: s= (FastEthernet0/0.12), d= , len 320, rcvd 2, proto=88 IP: s= (local), d= (FastEthernet0/0.12), len 77, sending R1(config-routbroad/multicast, proto=88 IP: s= (local), d= (FastEthernet0/0.12), len 68, sending broad/multicast, proto=88 IP: tableid=0, s= (FastEthernet0/0.12), d= (FastEthernet0/0.12), routed via RIB IP: s= (FastEthernet0/0.12), d= (FastEthernet0/0.12), len 320, rcvd 3, proto=88 <output omitted>

147 EIGRP Neighbor Adjacency Verification R1#show ip eigrp neighbors IP-EIGRP neighbors for process 1 H Address Interface Hold Uptime SRTT RTO Q Seq (sec) (ms) Cnt Num Fa0/ :03: R2#show ip eigrp neighbors IP-EIGRP neighbors for process 1 H Address Interface Hold Uptime SRTT RTO Q Seq (sec) (ms) Cnt Num Fa0/ :03: Fa0/ :27: Fa0/ :27: R3#show ip eigrp neighbors IP-EIGRP neighbors for process 1 H Address Interface Hold Uptime SRTT RTO Q Seq (sec) (ms) Cnt Num Fa0/ :27: Fa0/ :27: Fa0/ :27: R4#show ip eigrp neighbors IP-EIGRP neighbors for process 1 H Address Interface Hold Uptime SRTT RTO Q Seq (sec) (ms) Cnt Num Fa0/ :27: Fa0/ :27: R5#show ip eigrp neighbors IP-EIGRP neighbors for process 1 H Address Interface Hold Uptime SRTT RTO Q Seq (sec) (ms) Cnt Num Fa0/ :27: Fa0/ :27: Fa0/ :27: EIGRP Topology Verification R2#show ip eigrp topology IP-EIGRP Topology Table for AS(1)/ID( ) Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply, r - reply Status, s - sia Status P /24, 2 successors, FD is via (33280/30720), FastEthernet0/0.23 via (33280/30720), FastEthernet0/0.25 P /24, 1 successors, FD is via (30720/28160), FastEthernet0/0.23 P /24, 1 successors, FD is via Connected, FastEthernet0/0.12 P /24, 1 successors, FD is via Connected, FastEthernet0/0.2 P /24, 1 successors, FD is via (30720/28160), FastEthernet0/0.12 P /24, 1 successors, FD is via (30720/28160), FastEthernet0/0.25 P /24, 2 successors, FD is via (33280/30720), FastEthernet0/0.23 via (33280/30720), FastEthernet0/0.25 P /24, 1 successors, FD is via Connected, FastEthernet0/0.25 P /24, 1 successors, FD is via Connected, FastEthernet0/0.23 P /24, 1 successors, FD is via (30720/28160), FastEthernet0/0.25 P /24, 2 successors, FD is via (30720/28160), FastEthernet0/0.23 via (30720/28160), FastEthernet0/0.25 P /24, 1 successors, FD is via (30720/28160), FastEthernet0/0.23

148 EIGRP Topology Verification Detail R2#show ip eigrp topology IP-EIGRP (AS 1): Topology entry for /24 State is Passive, Query origin flag is 1, 1 Successor(s), FD is Routing Descriptor Blocks: (FastEthernet0/0.25), from , Send flag is 0x0 Composite metric is (30720/28160), Route is Internal Vector metric: Minimum bandwidth is Kbit Total delay is 200 microseconds Reliability is 255/255 Load is 1/255 Minimum MTU is 1500 Hop count is (FastEthernet0/0.23), from , Send flag is 0x0 Composite metric is (33280/30720), Route is Internal Vector metric: Minimum bandwidth is Kbit Total delay is 300 microseconds Reliability is 255/255 Load is 1/255 Minimum MTU is 1500 Hop count is 2 EIGRP Routing Table Verification R2#show ip route Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route Gateway of last resort is not set D D C C D D D C C D D D /24 is subnetted, 12 subnets [90/33280] via , 00:19:40, FastEthernet0/0.25 [90/33280] via , 00:19:40, FastEthernet0/ [90/30720] via , 00:19:42, FastEthernet0/ is directly connected, FastEthernet0/ is directly connected, FastEthernet0/ [90/30720] via , 00:07:41, FastEthernet0/ [90/30720] via , 01:30:23, FastEthernet0/ [90/33280] via , 00:19:41, FastEthernet0/0.25 [90/33280] via , 00:19:41, FastEthernet0/ is directly connected, FastEthernet0/ is directly connected, FastEthernet0/ [90/30720] via , 01:31:20, FastEthernet0/ [90/30720] via , 01:31:20, FastEthernet0/0.25 [90/30720] via , 01:31:20, FastEthernet0/ [90/30720] via , 01:31:20, FastEthernet0/0.23

149 EIGRP Routing Table Verification Detail
R2#show ip route
Routing entry for /24
  Known via "eigrp 1", distance 90, metric 30720, type internal
  Redistributing via eigrp 1
  Last update from on FastEthernet0/0.25, 01:30:53 ago
  Routing Descriptor Blocks:
  * , from , 01:30:53 ago, via FastEthernet0/0.25
      Route metric is 30720, traffic share count is 1
      Total delay is 200 microseconds, minimum bandwidth is Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 1
EIGRP Default Routing
EIGRP supports default routing in two ways:
  Candidate default network: ip default-network [network]
  Native advertisement of the /0 prefix
The default-information command in EIGRP does not behave the same as in other protocols.

150 IP Default-Network
Candidate default network is backwards compatible with IGRP; IGRP didn't support native /0 advertisement.
The default network must be:
  Dynamically learned through EIGRP
  Not directly connected
  A classful network
Limited application due to these restrictions.
IP Default-Network Example
R1#
interface Loopback0
 ip address
!
router eigrp 1
 network
R2#
ip default-network
R2#show ip route Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route Gateway of last resort is to network D* /8 [90/156160] via , 00:01:43, FastEthernet0/ /24 is subnetted, 10 subnets C is directly connected, FastEthernet0/0.12 C is directly connected, FastEthernet0/0.2 D [90/30720] via , 00:20:11, FastEthernet0/0.12 D [90/30720] via , 00:31:28, FastEthernet0/0.25 D [90/33280] via , 00:31:28, FastEthernet0/0.25 [90/33280] via , 00:31:28, FastEthernet0/0.23 C is directly connected, FastEthernet0/0.25 C is directly connected, FastEthernet0/0.23 D [90/30720] via , 00:31:29, FastEthernet0/0.25 D [90/30720] via , 00:31:29, FastEthernet0/0.25 [90/30720] via , 00:31:29, FastEthernet0/0.23 D [90/30720] via , 00:31:29, FastEthernet0/0.23

151 Native Default Advertisement
A native /0 network can be advertised via:
  A static default route to an interface plus a network statement under the EIGRP process
  Redistribution from static or another protocol
  Summarization
/0 Advertisement Examples
R1#
router eigrp 1
 network
!
ip route Null0
R2#show ip route Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route Gateway of last resort is to network /24 is subnetted, 10 subnets C is directly connected, FastEthernet0/0.12 C is directly connected, FastEthernet0/0.2 D [90/30720] via , 00:23:33, FastEthernet0/0.12 D [90/30720] via , 00:34:50, FastEthernet0/0.25 D [90/33280] via , 00:34:50, FastEthernet0/0.25 [90/33280] via , 00:34:50, FastEthernet0/0.23 C is directly connected, FastEthernet0/0.25 C is directly connected, FastEthernet0/0.23 D [90/30720] via , 00:34:51, FastEthernet0/0.25 D [90/30720] via , 00:34:51, FastEthernet0/0.25 [90/30720] via , 00:34:51, FastEthernet0/0.23 D [90/30720] via , 00:34:51, FastEthernet0/0.23 D* /0 [90/28160] via , 00:01:05, FastEthernet0/0.12

152 /0 Advertisement Examples (cont.) R1# router eigrp 1 redistribute static metric ! ip route Null0 R2#show ip route Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route Gateway of last resort is to network /24 is subnetted, 10 subnets C is directly connected, FastEthernet0/0.12 C is directly connected, FastEthernet0/0.2 D [90/30720] via , 00:24:53, FastEthernet0/0.12 D [90/30720] via , 00:36:10, FastEthernet0/0.25 D [90/33280] via , 00:36:10, FastEthernet0/0.25 [90/33280] via , 00:36:10, FastEthernet0/0.23 C is directly connected, FastEthernet0/0.25 C is directly connected, FastEthernet0/0.23 D [90/30720] via , 00:36:11, FastEthernet0/0.25 D [90/30720] via , 00:36:11, FastEthernet0/0.25 [90/30720] via , 00:36:11, FastEthernet0/0.23 D [90/30720] via , 00:36:11, FastEthernet0/0.23 D*EX /0 [170/53760] via , 00:00:27, FastEthernet0/ /0 Advertisement Examples (cont.) 
R1# interface FastEthernet0/0.12 ip summary-address eigrp R2#show ip route Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route Gateway of last resort is to network /24 is subnetted, 9 subnets C is directly connected, FastEthernet0/0.12 C is directly connected, FastEthernet0/0.2 D [90/30720] via , 00:38:16, FastEthernet0/0.25 D [90/33280] via , 00:38:16, FastEthernet0/0.25 [90/33280] via , 00:38:16, FastEthernet0/0.23 C is directly connected, FastEthernet0/0.25 C is directly connected, FastEthernet0/0.23 D [90/30720] via , 00:38:17, FastEthernet0/0.25 D [90/30720] via , 00:38:17, FastEthernet0/0.25 [90/30720] via , 00:38:17, FastEthernet0/0.23 D [90/30720] via , 00:38:17, FastEthernet0/0.23 D* /0 [90/30720] via , 00:00:26, FastEthernet0/0.12

153 EIGRP Summarization
EIGRP summarization (aggregation) serves two purposes:
  Minimize the routing information needed in the topology
  Limit the EIGRP query domain (more on this later)
Process level: auto-summary automatically summarizes to the classful boundary when passing major network boundaries; on by default
Interface level: ip summary-address eigrp [network] [mask] [AD] supports any bit boundary
  Automatically suppresses subnet advertisements
  Administrative Distance defaults to 5 to allow for floating summaries
EIGRP Auto-Summary Example
R1#
interface Loopback0
 ip address
!
interface Loopback1
 ip address
!
interface Loopback2
 ip address
!
interface Loopback3
 ip address
!
router eigrp 1
 network
 auto-summary
R2#show ip route Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route Gateway of last resort is not set D C C D D D C C D D D /8 [90/156160] via , 00:00:44, FastEthernet0/ /24 is subnetted, 10 subnets is directly connected, FastEthernet0/ is directly connected, FastEthernet0/ [90/30720] via , 00:02:25, FastEthernet0/ [90/30720] via , 00:49:15, FastEthernet0/ [90/33280] via , 00:49:15, FastEthernet0/0.25 [90/33280] via , 00:49:15, FastEthernet0/ is directly connected, FastEthernet0/ is directly connected, FastEthernet0/ [90/30720] via , 00:49:16, FastEthernet0/ [90/30720] via , 00:49:16, FastEthernet0/0.25 [90/30720] via , 00:49:16, FastEthernet0/ [90/30720] via , 00:49:16, FastEthernet0/0.23

154 EIGRP Manual Summarization Example
R1#
interface Loopback0
 ip address
!
interface Loopback1
 ip address
!
interface Loopback2
 ip address
!
interface Loopback3
 ip address
!
interface FastEthernet0/0.12
 ip summary-address eigrp
!
router eigrp 1
 network
 no auto-summary
R2#show ip route eigrp /14 is subnetted, 1 subnets D [90/156160] via , 00:05:01, FastEthernet0/ /24 is subnetted, 10 subnets D [90/30720] via , 00:09:57, FastEthernet0/0.12 D [90/30720] via , 00:56:46, FastEthernet0/0.25 D [90/33280] via , 00:56:46, FastEthernet0/0.25 [90/33280] via , 00:56:46, FastEthernet0/0.23 D [90/30720] via , 00:56:46, FastEthernet0/0.25 D [90/30720] via , 00:56:46, FastEthernet0/0.25 [90/30720] via , 00:56:46, FastEthernet0/0.23 D [90/30720] via , 00:56:46, FastEthernet0/0.23
EIGRP Load Balancing
EIGRP allows load distribution among unequal paths; this is not the same as other IGPs' load balancing among equal cost paths.
Controlled by the variance command: if feasible distance * variance > feasible successor metric, load balancing occurs.
Only feasible successors are candidates for load balancing.
The automatically calculated traffic share count causes links to be used in a ratio proportional to their composite metrics.

155 EIGRP Unequal Cost Load Balancing
[Topology diagram: links labelled BW = 100,000Kbps DLY = 100µs, BW = 100,000Kbps DLY = 50µs, BW = 100,000Kbps DLY = 100µs]
EIGRP Unequal Cost Load Balancing
R2#
router eigrp 1
 variance 2
R3#
interface FastEthernet0/0.35
 delay 5
R2#show ip eigrp topology
IP-EIGRP (AS 1): Topology entry for /24
  State is Passive, Query origin flag is 1, 1 Successor(s), FD is
  Routing Descriptor Blocks:
   (FastEthernet0/0.25), from , Send flag is 0x0
      Composite metric is (30720/28160), Route is Internal
      Vector metric:
        Minimum bandwidth is Kbit
        Total delay is 200 microseconds
        Reliability is 255/255
        Load is 1/255
        Minimum MTU is 1500
        Hop count is
   (FastEthernet0/0.23), from , Send flag is 0x0
      Composite metric is (32000/29440), Route is Internal
      Vector metric:
        Minimum bandwidth is Kbit
        Total delay is 250 microseconds
        Reliability is 255/255
        Load is 1/255
        Minimum MTU is 1500
        Hop count is 2

156 EIGRP Unequal Cost Load Balancing (cont.)
R2#show ip route
Routing entry for /24
  Known via "eigrp 1", distance 90, metric 30720, type internal
  Redistributing via eigrp 1
  Last update from on FastEthernet0/0.23, 00:03:39 ago
  Routing Descriptor Blocks:
  * , from , 00:03:39 ago, via FastEthernet0/0.25
      Route metric is 30720, traffic share count is 24
      Total delay is 200 microseconds, minimum bandwidth is Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops
    , from , 00:03:39 ago, via FastEthernet0/0.23
      Route metric is 32000, traffic share count is 23
      Total delay is 250 microseconds, minimum bandwidth is Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 2
EIGRP Link Utilization
EIGRP control plane traffic is allowed to use up to 50% of each interface's configured bandwidth value.
This can be adjusted with the interface level command ip bandwidth-percent eigrp [asn] [percent].
It can be an important design consideration when bandwidth is modified for routing policy or QoS, or where WAN link circuit speeds don't match underlying interface speeds (e.g. fractional T1).
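The composite metric, the feasibility condition and the variance check from the slides above, worked through in code. This is an added example, not code from the INE material or from Cisco; the router names and candidate tables are constructed from the slide topology, and the variance rule is applied exactly as the slide states it (FD * variance > feasible successor metric).

```python
"""EIGRP composite metric, feasibility condition and variance, worked in code.

Added example, not code from the INE slides or from Cisco. It reproduces the
metric values the slides show (28160 / 30720 / 33280 / 32000 / 29440) from the
documented formula with default K values; the candidate tables below are
constructed from the slide topology.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SCALE = 256


def composite_metric(min_bw_kbps: int, delay_tens_us: int, load: int = 1,
                     reliability: int = 255, k1: int = 1, k2: int = 0,
                     k3: int = 1, k4: int = 0, k5: int = 0) -> int:
    """Classic EIGRP composite metric.

    min_bw_kbps    lowest bandwidth along the path, in Kbps
    delay_tens_us  cumulative delay along the path, in tens of microseconds
    load           worst load along the path (1..255), unused while k2 = 0
    reliability    worst reliability along the path (1..255), unused while k5 = 0
    """
    bandwidth = (10 ** 7 // min_bw_kbps) * SCALE   # inverse lowest bandwidth, scaled
    delay = delay_tens_us * SCALE                  # cumulative delay, scaled
    metric = k1 * bandwidth + (k2 * bandwidth) // (256 - load) + k3 * delay
    if k5 != 0:                                    # reliability term only if k5 is set
        metric = metric * k5 // (reliability + k4)
    return metric


@dataclass(frozen=True)
class Vector:
    """Vector metric a neighbour advertises: lowest bandwidth (Kbps), delay (tens of us)."""
    min_bw_kbps: int
    delay_tens_us: int

    def across(self, link_bw_kbps: int, link_delay_tens_us: int) -> "Vector":
        """Vector metric after adding the local link towards that neighbour."""
        return Vector(min(self.min_bw_kbps, link_bw_kbps),
                      self.delay_tens_us + link_delay_tens_us)


# next hop -> (advertised vector, local link bandwidth Kbps, local link delay tens of us)
Candidates = Dict[str, Tuple[Vector, int, int]]


@dataclass
class DualResult:
    fd: int                                # feasible distance (best local metric)
    successors: List[str]                  # next hops whose metric equals FD
    feasible_successors: List[str]         # non-successors satisfying AD < FD
    used: List[str]                        # successors plus FS admitted by variance
    distances: Dict[str, Tuple[int, int]]  # next hop -> (local metric, AD)


def dual_select(candidates: Candidates, variance: int = 1) -> DualResult:
    """Apply the feasibility condition (AD < FD) and the variance check."""
    distances: Dict[str, Tuple[int, int]] = {}
    for next_hop, (advertised, link_bw, link_delay) in candidates.items():
        ad = composite_metric(advertised.min_bw_kbps, advertised.delay_tens_us)
        local = advertised.across(link_bw, link_delay)
        distances[next_hop] = (composite_metric(local.min_bw_kbps, local.delay_tens_us), ad)
    fd = min(metric for metric, _ in distances.values())
    successors = sorted(nh for nh, (metric, _) in distances.items() if metric == fd)
    # Feasibility condition: the neighbour's own distance must be below my FD.
    feasible = sorted(nh for nh, (metric, ad) in distances.items()
                      if metric != fd and ad < fd)
    # Unequal cost load balancing as the slide states it: FD * variance > FS metric.
    admitted = [nh for nh in feasible if fd * variance > distances[nh][0]]
    return DualResult(fd, successors, feasible, successors + admitted, distances)


# Slide topology: every link is FastEthernet, 100,000 Kbps, 100 us (= 10 tens of us).
FE = (100_000, 10)
R5_CONNECTED = Vector(100_000, 10)      # R5's connected route to network X

# R1 hears X from R2, R3 and R4; each of them is one FastEthernet hop from R5.
R1_CANDIDATES: Candidates = {
    "R2": (R5_CONNECTED.across(*FE), *FE),
    "R3": (R5_CONNECTED.across(*FE), *FE),
    "R4": (R5_CONNECTED.across(*FE), *FE),
}

# Variance slide: R3's Fa0/0.35 delay is set to 5 (tens of us), so R3 reaches X
# with 100 + 50 us of delay; R2 hears X from R5 directly and from R3.
R2_CANDIDATES: Candidates = {
    "R5": (R5_CONNECTED, *FE),
    "R3": (R5_CONNECTED.across(100_000, 5), *FE),
}


if __name__ == "__main__":
    print("R1:", dual_select(R1_CANDIDATES))
    print("R2, variance 1:", dual_select(R2_CANDIDATES).used)
    print("R2, variance 2:", dual_select(R2_CANDIDATES, variance=2).used)
```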

157 EIGRP Authentication
Routing control plane security is a must in today's networks to prevent DoS and other attacks.
EIGRP neighbor authentication protects against malicious route injection attacks or errors in configuration.
The configured Key ID and password are combined to generate an MD5 hash; if the MD5 hash does not match in Hello packets, adjacency cannot occur.
Multiple keys can be configured for manual or automated key rotation:
  key-chain
  accept & send lifetime
EIGRP Authentication Example
R1#
key chain EIGRP-KEY-CHAIN
 key 1
  key-string CISCO
!
interface FastEthernet0/0.12
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 EIGRP-KEY-CHAIN
R2#
key chain EIGRP-KEY-CHAIN
 key 1
  key-string CISCO
!
interface FastEthernet0/0.12
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 EIGRP-KEY-CHAIN
R1#show key chain
Key-chain EIGRP-KEY-CHAIN:
    key 1 -- text "CISCO"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]
R1#debug eigrp packet hello
EIGRP: Sending HELLO on FastEthernet0/0.12 AS 1, Flags 0x0, Seq 0/0 idbq 0/0 iidbq un/rely 0/0
EIGRP: received packet with MD5 authentication, key id = 1
EIGRP: Received HELLO on FastEthernet0/0.12 nbr AS 1, Flags 0x0, Seq 0/0 idbq 0/0 iidbq un/rely 0/0 peerq un/rely 0/0

158 EIGRP Authentication Troubleshooting
R1#config t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#key chain EIGRP-KEY-CHAIN
R1(config-keychain)#key 1
R1(config-keychain-key)#key-string WRONG_PASSWORD
%DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor (FastEthernet0/0.12) is down: Auth failure
R1(config-keychain-key)#do debug eigrp packet hello
EIGRP Packets debugging is on (HELLO)
R1(config-keychain-key)#
EIGRP: pkt key id = 1, authentication mismatch
<output omitted>
R1(config-keychain-key)#do undebug all
All possible debugging has been turned off
R1(config-keychain-key)#no key 1
R1(config)#key chain EIGRP-KEY-CHAIN
R1(config-keychain)#key 2
R1(config-keychain-key)#key-string WRONG_KEY_NUMBER
R1(config-keychain-key)#do debug eigrp packet hello
EIGRP Packets debugging is on (HELLO)
R1(config-keychain-key)#
EIGRP: Sending HELLO on FastEthernet0/0.12 AS 1, Flags 0x0, Seq 0/0 idbq 0/0 iidbq un/rely 0/0
EIGRP: pkt authentication key id = 1, key not defined or not live
EIGRP Scalability
EIGRP scalability is a combined function of:
  Device CPU & memory
  Protocol timers
  Number of prefixes in the topology
  Size of the query domain
Physical resources are fixed, but software optimization can reduce convergence time and increase availability through:
  Modifying hello/hold timers
  Ensuring Feasible Successors are available
  Topology reduction through summarization
  Query domain reduction through summarization & stub routing
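The key-chain logic behind the authentication slides and the two troubleshooting outcomes, modelled in Python as an added example (not INE's or Cisco's code). The digest is a simplified stand-in for the real EIGRP authentication TLV, and the key names, lifetimes and packet body are constructed.

```python
"""Key-chain based EIGRP neighbour authentication, modelled in Python.

Added example, not code from the INE slides or from Cisco IOS. The digest here
(md5 over key id, key string and packet body) stands in for the real EIGRP
authentication TLV; it exists only to show the three outcomes the slides
demonstrate: an accepted hello, "authentication mismatch" and "key not defined
or not live". Key names, lifetimes and the packet body are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ALWAYS = None   # open-ended lifetime bound, like "always valid" in show key chain


@dataclass
class Key:
    key_id: int
    key_string: bytes
    accept_start: int = 0                 # lifetimes in constructed epoch seconds
    accept_end: Optional[int] = ALWAYS
    send_start: int = 0
    send_end: Optional[int] = ALWAYS

    def accept_live(self, now: int) -> bool:
        return self.accept_start <= now and (self.accept_end is None or now <= self.accept_end)

    def send_live(self, now: int) -> bool:
        return self.send_start <= now and (self.send_end is None or now <= self.send_end)


class KeyChain:
    def __init__(self, name: str, *keys: Key):
        self.name = name
        self.keys: Dict[int, Key] = {k.key_id: k for k in keys}

    def send_key(self, now: int) -> Optional[Key]:
        """Lowest-numbered key whose send lifetime is live (assumed selection rule)."""
        live = [k for k in sorted(self.keys.values(), key=lambda k: k.key_id) if k.send_live(now)]
        return live[0] if live else None

    def accept_key(self, key_id: int, now: int) -> Optional[Key]:
        """The key a received packet names, if defined and its accept lifetime is live."""
        key = self.keys.get(key_id)
        return key if key is not None and key.accept_live(now) else None


def digest(key: Key, packet: bytes) -> bytes:
    # Simplified: real EIGRP pads the key string into the packet before hashing.
    return hashlib.md5(bytes([key.key_id]) + key.key_string + packet).digest()


def send_hello(chain: KeyChain, packet: bytes, now: int) -> Tuple[int, bytes]:
    key = chain.send_key(now)
    if key is None:
        raise RuntimeError("no live send key in chain " + chain.name)
    return key.key_id, digest(key, packet)


def receive_hello(chain: KeyChain, packet: bytes, key_id: int, received: bytes,
                  now: int) -> str:
    """'ok' or the reason the hello is dropped, mirroring the debug messages."""
    key = chain.accept_key(key_id, now)
    if key is None:
        return "key not defined or not live"
    if not hmac.compare_digest(digest(key, packet), received):
        return "authentication mismatch"
    return "ok"


def exchange(sender: KeyChain, receiver: KeyChain, now: int = 1_000) -> str:
    """One hello from sender to receiver; the packet body is a constructed placeholder."""
    packet = b"EIGRP-HELLO AS 1 K-values 1 0 1 0 0"
    key_id, mac = send_hello(sender, packet, now)
    return receive_hello(receiver, packet, key_id, mac, now)


# Slide configuration: both routers hold key 1 "CISCO", always valid.
R2_CHAIN = KeyChain("EIGRP-KEY-CHAIN", Key(1, b"CISCO"))
R1_GOOD = KeyChain("EIGRP-KEY-CHAIN", Key(1, b"CISCO"))
# The two troubleshooting cases from the slide.
R1_WRONG_PASSWORD = KeyChain("EIGRP-KEY-CHAIN", Key(1, b"WRONG_PASSWORD"))
R1_WRONG_KEY_NUMBER = KeyChain("EIGRP-KEY-CHAIN", Key(2, b"WRONG_KEY_NUMBER"))
# Planned rotation: key 1 stops being sent at t=2000 but is accepted until t=2500,
# so a peer that rotates a little later does not lose the adjacency.
ROTATING = KeyChain("EIGRP-KEY-CHAIN",
                    Key(1, b"CISCO", accept_end=2_500, send_end=2_000),
                    Key(2, b"CISCO2", accept_start=1_500, send_start=2_000))

if __name__ == "__main__":
    print(exchange(R1_GOOD, R2_CHAIN))
    print(exchange(R1_WRONG_PASSWORD, R2_CHAIN))
    print(exchange(R1_WRONG_KEY_NUMBER, R2_CHAIN))
    print(exchange(ROTATING, R2_CHAIN, now=2_200))   # key 2 is sent, R2 has no key 2
```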

159 EIGRP Query Domain and SIA
When an EIGRP route is lost and there are no Feasible Successors, the route goes into the active state and a QUERY message is sent to all neighbors.
The EIGRP state machine must wait for REPLY messages from all neighbors indicating either a new route or no route for the active prefix.
If a REPLY is not received before the active timer expires, the prefix is declared Stuck-in-Active (SIA), and EIGRP neighbors are reset and must be re-established.
The larger or more overloaded the network is, the more likely SIA events are to occur and to cause network downtime.
The occurrence of SIA events can be reduced by shrinking where QUERY messages must be sent (i.e. the query domain) through:
  EIGRP Summarization
  EIGRP Stub
EIGRP Summarization and Query Reduction
When a QUERY message is received from an EIGRP neighbor, a topology lookup occurs for an exact match of the prefix.
  I.e. if a QUERY is received for /24, the topology is checked for /24 exactly
If an exact match is found but no Feasible Successors exist, the local device re-generates the QUERY to all other neighbors.
  The process continues until a REPLY is sent or SIA occurs
If an exact match is not found, a REPLY is sent immediately and a new QUERY is not generated.
Based on this logic, summarization terminates the query domain for subnets of the summary.
  I.e. if a QUERY is received for /24, but I have only /16, send a REPLY and do not generate a QUERY

160 EIGRP Query/Reply Verification R1#debug eigrp packet query reply EIGRP Packets debugging is on (QUERY, REPLY) R2#debug eigrp packet query reply EIGRP Packets debugging is on (QUERY, REPLY) R1#config t Enter configuration commands, one per line. End with CNTL/Z. R1(config)#interface Loopback0 R1(config-if)#shutdown EIGRP: Enqueueing QUERY on FastEthernet0/0.12 iidbq un/rely 0/1 serno EIGRP: Enqueueing QUERY on FastEthernet0/0.12 nbr iidbq un/rely 0/0 peerq un/rely 0/0 serno EIGRP: Sending QUERY on FastEthernet0/0.12 AS 1, Flags 0x0, Seq 58/0 idbq 0/0 iidbq un/rely 0/0 serno EIGRP: Received REPLY on FastEthernet0/0.12 nbr AS 1, Flags 0x0, Seq 231/58 idbq 0/0 iidbq un/rely 0/0 peerq un/rely 0/0 R2# EIGRP: Received QUERY on FastEthernet0/0.12 nbr AS 1, Flags 0x0, Seq 58/0 idbq 0/0 iidbq un/rely 0/0 peerq un/rely 0/0 EIGRP: Enqueueing QUERY on FastEthernet0/0.25 iidbq un/rely 0/1 serno EIGRP: Enqueueing QUERY on FastEthernet0/0.23 iidbq un/rely 0/1 serno EIGRP: Enqueueing QUERY on FastEthernet0/0.12 iidbq un/rely 0/1 serno EIGRP: Enqueueing QUERY on FastEthernet0/0.25 nbr iidbq un/rely 0/0 peerq un/rely 0/0 serno EIGRP: Sending QUERY on FastEthernet0/0.25 AS 1, Flags 0x0, Seq 228/0 idbq 0/0 iidbq un/rely 0/0 serno EIGRP: Enqueueing QUERY on FastEthernet0/0.23 nbr iidbq un/rely 0/0 peerq un/rely 0/0 serno EIGRP: Sending QUERY on FastEthernet0/0.23 AS 1, Flags 0x0, Seq 229/0 idbq 0/0 iidbq un/rely 0/0 serno EIGRP: Enqueueing QUERY on FastEthernet0/0.12 nbr iidbq un/rely 0/0 peerq un/rely 0/0 serno EIGRP: Received REPLY on FastEthernet0/0.25 nbr AS 1, Flags 0x0, Seq 201/228 idbq 0/0 iidbq un/rely 0/0 peerq un/rely 0/0 EIGRP: Received REPLY on FastEthernet0/0.23 nbr AS 1, Flags 0x0, Seq 248/229 idbq 0/0 iidbq un/rely 0/0 peerq un/rely 0/0 EIGRP: Enqueueing REPLY on FastEthernet0/0.12 nbr iidbq un/rely 0/1 peerq un/rely 0/0 serno EIGRP: Sending REPLY on FastEthernet0/0.12 nbr AS 1, Flags 0x0, Seq 231/58 idbq 0/0 iidbq un/rely 0/0 peerq un/rely 0/1 serno EIGRP Query 
Reduction and Summarization R1# interface FastEthernet0/0.12 ip summary-address eigrp R1#debug eigrp packet query reply EIGRP Packets debugging is on (QUERY, REPLY) R2#debug eigrp packet query reply EIGRP Packets debugging is on (QUERY, REPLY) R1#config t Enter configuration commands, one per line. End with CNTL/Z. R1(config)#interface loopback0 R1(config-if)#shutdown R1(config-if)# EIGRP: Enqueueing QUERY on FastEthernet0/0.12 iidbq un/rely 0/1 serno EIGRP: Enqueueing QUERY on FastEthernet0/0.12 nbr iidbq un/rely 0/0 peerq un/rely 0/0 serno EIGRP: Sending QUERY on FastEthernet0/0.12 AS 1, Flags 0x0, Seq 53/0 idbq 0/0 iidbq un/rely 0/0 serno EIGRP: Received REPLY on FastEthernet0/0.12 nbr AS 1, Flags 0x0, Seq 216/53 idbq 0/0 iidbq un/rely 0/0 peerq un/rely 0/0 %LINK-5-CHANGED: Interface Loopback0, changed state to administratively down %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to down R2# EIGRP: Received QUERY on FastEthernet0/0.12 nbr AS 1, Flags 0x0, Seq 53/0 idbq 0/0 iidbq un/rely 0/0 peerq un/rely 0/0 EIGRP: Enqueueing REPLY on FastEthernet0/0.12 nbr iidbq un/rely 0/1 peerq un/rely 0/0 serno EIGRP: Sending REPLY on FastEthernet0/0.12 nbr AS 1, Flags 0x0, Seq 216/53 idbq 0/0 iidbq un/rely 0/0 peerq un/rely 0/1 serno

161 EIGRP Stub and Query Reduction
In certain physical topologies, the query domain extends to portions of the network that can never be used as alternate paths.
QUERY/REPLY messages sent into these portions waste network resources and increase convergence time.
[Hub-and-Spoke example diagram not recoverable from the transcription]
EIGRP Stub and Query Reduction (cont.)
EIGRP Stub is used to inform adjacent neighbors that QUERY messages should not be sent to them.
Useful whenever an EIGRP router is not used for transit for the rest of the network.
Routes received by a stub router are not advertised to other adjacent neighbors.
Process level: eigrp stub [connected] [leak-map] [receive-only] [redistributed] [static] [summary]
  Arguments control what prefixes can be advertised outbound
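A small simulation of the query logic from the Query Domain slides and the stub behaviour described just above, added here as an example (not INE's code). The topology, prefixes and hop-count style metrics are constructed; timers and the SIA state are not modelled.

```python
"""Query propagation with and without summarization and stub routers.

Added example, not code from the INE slides. It implements the query logic the
slides describe (exact-match topology lookup, immediate REPLY when there is no
exact match or a feasible successor remains, QUERY fan-out otherwise, and no
QUERY to stub neighbours) on a constructed tree topology with constructed
prefixes and hop-count style metrics. Timers and SIA are not modelled; a router
already Active for a prefix answers a second QUERY immediately.
"""
from typing import Dict, List, Set, Tuple


class Router:
    def __init__(self, name: str, stub: bool = False):
        self.name = name
        self.stub = stub
        self.neighbors: List["Router"] = []
        # prefix -> {via neighbour name: (advertised distance, feasible distance)}
        self.topology: Dict[str, Dict[str, Tuple[int, int]]] = {}
        self.active: Set[str] = set()

    def learn(self, prefix: str, via: str, ad: int, fd: int) -> "Router":
        self.topology.setdefault(prefix, {})[via] = (ad, fd)
        return self


def link(a: Router, b: Router) -> None:
    a.neighbors.append(b)
    b.neighbors.append(a)


def go_active(router: Router, prefix: str, exclude: Router, trace: List[str]) -> None:
    """Send QUERY for prefix to every neighbour except `exclude` and any stub peers."""
    router.active.add(prefix)
    for nbr in router.neighbors:
        if nbr is exclude or nbr.stub:
            continue
        trace.append(f"{router.name} -> {nbr.name} QUERY {prefix}")
        handle_query(nbr, prefix, router, trace)
    router.active.discard(prefix)


def handle_query(router: Router, prefix: str, sender: Router, trace: List[str]) -> None:
    entry = router.topology.get(prefix)
    if entry is None:
        # No exact match (e.g. only a covering summary): REPLY now, no new QUERY.
        trace.append(f"{router.name} -> {sender.name} REPLY {prefix} (no exact match)")
        return
    if prefix in router.active:
        trace.append(f"{router.name} -> {sender.name} REPLY {prefix} (already active)")
        return
    old_fd = min(fd for _, fd in entry.values())
    entry.pop(sender.name, None)        # the path through the querying neighbour is gone
    feasible = [via for via, (ad, _) in entry.items() if ad < old_fd]
    if feasible:
        trace.append(f"{router.name} -> {sender.name} REPLY {prefix} (FS {feasible[0]})")
        return
    go_active(router, prefix, sender, trace)
    trace.append(f"{router.name} -> {sender.name} REPLY {prefix}")


def lose_connected(router: Router, prefix: str, trace: List[str]) -> None:
    """The originating router loses a connected prefix (e.g. a loopback shut down)."""
    router.topology.pop(prefix, None)
    go_active(router, prefix, exclude=router, trace=trace)


def build(summary: bool = False, r4_stub: bool = False) -> Tuple[Router, List[str]]:
    """Tree R1-R2, R2-R3, R2-R5, R3-R4; R1 owns constructed prefix 10.1.1.0/24."""
    r1, r2, r3, r4, r5 = (Router(n) for n in ("R1", "R2", "R3", "R4", "R5"))
    r4.stub = r4_stub
    for a, b in ((r1, r2), (r2, r3), (r2, r5), (r3, r4)):
        link(a, b)
    r1.learn("10.1.1.0/24", "connected", 0, 1)
    # With summary=True R1 advertises only 10.1.0.0/16, so nobody else holds the /24.
    learned = "10.1.0.0/16" if summary else "10.1.1.0/24"
    for rtr, via, hops in ((r2, "R1", 1), (r3, "R2", 2), (r5, "R2", 2), (r4, "R3", 3)):
        rtr.learn(learned, via, hops, hops + 1)
    trace: List[str] = []
    lose_connected(r1, "10.1.1.0/24", trace)
    return r1, trace


def query_count(trace: List[str]) -> int:
    return sum(1 for line in trace if " QUERY " in line)


if __name__ == "__main__":
    for label, kwargs in (("no summary", {}), ("summary at R1", {"summary": True}),
                          ("R4 stub", {"r4_stub": True})):
        _, trace = build(**kwargs)
        print(f"{label}: {query_count(trace)} queries")
        print("\n".join("  " + line for line in trace))
```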

162 EIGRP Stub Example
[EIGRP Stub Router diagram not recoverable from the transcription]
EIGRP Stub Verification
R1#
router eigrp 1
 eigrp stub connected summary
R2#show ip eigrp neighbors detail Fa0/0.12
IP-EIGRP neighbors for process 1
H Address Interface Hold Uptime SRTT RTO Q Seq (sec) (ms) Cnt Num Fa0/ :00:
   Version 12.4/1.2, Retrans: 0, Retries: 0, Prefixes: 4
   Stub Peer Advertising ( CONNECTED SUMMARY ) Routes
   Suppressing queries
R1#debug eigrp packet terse
EIGRP Packets debugging is on (UPDATE, REQUEST, QUERY, REPLY, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
R2#config t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#interface Fa0/0.2
R2(config-subif)#shutdown
R1#
EIGRP: Received UPDATE on FastEthernet0/0.12 nbr AS 1, Flags 0x0, Seq 333/0 idbq 0/0 iidbq un/rely 0/0 peerq un/rely 0/0
EIGRP: Enqueueing ACK on FastEthernet0/0.12 nbr Ack seq 333 iidbq un/rely 0/0 peerq un/rely 1/0
EIGRP: Sending ACK on FastEthernet0/0.12 nbr AS 1, Flags 0x0, Seq 0/333 idbq 0/0 iidbq un/rely 0/0 peerq un/rely 1/0
EIGRP: Enqueueing QUERY on FastEthernet0/0.12 iidbq un/rely 0/1 serno
EIGRP: Enqueueing QUERY on FastEthernet0/0.12 nbr iidbq un/rely 0/0 peerq un/rely 0/0 serno
EIGRP: Sending QUERY on FastEthernet0/0.12 AS 1, Flags 0x0, Seq 80/0 idbq 0/0 iidbq un/rely 0/0 serno
EIGRP: Received ACK on FastEthernet0/0.12 nbr AS 1, Flags 0x0, Seq 0/80 idbq 0/0 iidbq un/rely 0/0 peerq un/rely 0/1
EIGRP: FastEthernet0/0.12 multicast flow blocking cleared
EIGRP: Received REPLY on FastEthernet0/0.12 nbr AS 1, Flags 0x0, Seq 336/80 idbq 0/0 iidbq un/rely 0/0 peerq un/rely 0/0
EIGRP: Enqueueing ACK on FastEthernet0/0.12 nbr Ack seq 336 iidbq un/rely 0/0 peerq un/rely 1/0
EIGRP: Sending ACK on FastEthernet0/0.12 nbr AS 1, Flags 0x0, Seq 0/336 idbq 0/0 iidbq un/rely 0/0 peerq un/rely 1/0

163 EIGRP Q&A

164 Internetwork Expert's CCNP Bootcamp
Open Shortest Path First (OSPF)
What Is OSPF?
Open Shortest Path First
  Open standards based Interior Gateway Routing Protocol (IGP)
  RFC 2328 OSPF Version 2
Link-State Protocol
  Uses the Dijkstra SPF Algorithm
Classless Protocol
  Supports VLSM and summarization

165 Why Use OSPF?
Guarantees loop-free topology
  All routers agree on the overall topology
  Uses the Dijkstra SPF Algorithm for calculation
Standards based
  Inter-operability between vendors
Large scalability
  Hierarchy through areas
  Topology summarization
Why Use OSPF? (cont.)
Fast convergence
  Actively tracks neighbor adjacencies
  Event driven incremental updates
Efficient updating
  Uses reliable multicast and unicast updates
  Non-OSPF devices do not need to process updates
Bandwidth based cost metric
  More flexible than static hop count

166 Why Use OSPF? (cont.)
Control plane security
  Supports clear-text and MD5 based authentication
Extensible
  Future application support through opaque LSAs, e.g. MPLS Traffic Engineering
Distance Vector Routing Review
RIPv1/v2 & IGRP
Uses a Bellman-Ford based algorithm
Routers only know what directly connected neighbors tell them ("routing by rumor")
Entire routing table periodically advertised on a hop-by-hop basis, which limits scalability
Loop prevention and convergence time limitations: split-horizon, poison reverse, holddown timers, etc.

167 Link State Routing Overview
OSPF & IS-IS
Uses a Dijkstra Shortest Path First (SPF) based algorithm, which guarantees loop-free calculation
Attributes of connected links (link-states) are advertised, not routes
Routers agree on the overall picture of the topology before making a decision
How Link State Routing Works
Form adjacency relationships with connected neighbors
Exchange link attributes in the form of Link State Advertisements (LSAs) / Link State Packets (LSPs) with neighbors
Store a copy of all LSAs in the Link State Database (LSDB) to form a graph of the network
Run the Dijkstra algorithm to find the shortest path to all links
Since all routers have the same LSDB, all SPF calculations are loop-free

168 How OSPF Works
Step 1: Discover OSPF neighbors & exchange topology information
Step 2: Choose best path via SPF
Step 3: Neighbor and topology table maintenance
Step 1 Neighbor & Topology Discovery
Like EIGRP, OSPF uses hello packets to discover neighbors on OSPF enabled attached links
  Transport via IP protocol 89 (OSPF)
  Sent as multicast to ... or ..., or unicast (more on this later)
Hello packets contain attributes that neighbors must agree on to form an adjacency
Once the adjacency is negotiated, the LSDB is exchanged

169 Negotiating OSPF Adjacencies
OSPF adjacency occ urs when connected neighbors use hello packets to agree on unique and common attributes
Not all OSPF neighbors actually form an adjacency
Most OSPF configuration problems happen at this stage
Unique attributes include:
  Local Router-ID
  Local interface IP address
Negotiating OSPF Adjacencies (cont.)
Common attributes include:
  Interface Area-ID
  Hello interval & dead interval
  Interface network address
  Interface MTU
  Network type
  Authentication
  Stub flags
  Other optional capabilities

170 OSPF Hello Packets
OSPF routers periodically send hello packets out OSPF enabled links every hello interval
Hello packet contains:
  Local Router-ID
  Local Area-ID
  Local interface subnet mask
  Local interface priority
  Hello interval
  Dead interval
  Authentication type & password
  DR/BDR addresses
  Options (e.g. stub flags, etc.)
  Router IDs of other neighbors on the link
OSPF Adjacency State Machine
The OSPF adjacency process uses 8 states to determine the progress of adjacency establishment
Down: no hellos have been received from the neighbor
Attempt: a unicast hello packet has been sent to the neighbor, but no hello has been received back
  Only used for manually configured NBMA neighbors (more on this later)
Init: I have received a hello packet from a neighbor, but they have not acknowledged a hello from me

171 OSPF Adjacency State Machine (cont.)
2-Way: I have received a hello packet from a neighbor and they have acknowledged a hello from me
  Indicated by my Router-ID in the neighbor's hello packet
ExStart: first step of the actual adjacency
  Master & slave relationship is formed, where the master has the higher Router-ID
  Master chooses the starting sequence number for the Database Descriptor (DBD) packets that are used for the actual LSA exchange
OSPF Adjacency State Machine (cont.)
Exchange: local link state database is sent through DBD packets
  DBD sequence number is used for reliable acknowledgement/retransmission
Loading: Link State Request packets are sent to ask for more information about a particular LSA
Full: neighbors are fully adjacent and databases are synchronized

172 OSPF Adjacency Example
(Diagram: message exchange between R1 and R2, with the neighbor state after each step)
- State = Down: no hellos sent or received yet
- R1: "Hello, I'm R1 with these attributes: Area-ID , Router-ID , etc."
- State = Init: R1's hello received by R2
- R2: "Hello R1, I'm R2 with these attributes: Area-ID , Router-ID , etc."
- State = 2-Way: R2 acknowledges R1's hello
- R1: "I'm the Master, let's use DBD Sequence Number X"
- R2: "No, my Router-ID is higher than yours, I'm the Master. Let's use DBD Seq Y"
- R1: "Okay, I'm Slave. Let's use DBD Seq Y"
- State = ExStart: DBD sequence number is negotiated
- R1: "Here's my Link State Database." R2: "Here's my Link State Database."
- State = Exchange: Database Descriptor packets are exchanged
- R1: "I'm still waiting for info on LSA A." R2: "Here's LSA A's information."
- State = Loading: Link State Request packets are sent to get more info
- "LSA information complete."
- State = Full: adjacency established and databases synchronized

Step 2 Choose Best Path via SPF
- Once databases are synchronized, path selection begins
- Each router's LSAs include a cost attribute for each described link
- Best path to that link is lowest end-to-end cost
- Cisco's implementation uses bandwidth based cost, but per RFC it is arbitrary
  - Default Cisco Cost = 100Mbps / Link Bandwidth
  - Reference bandwidth can be modified to accommodate higher speed links (e.g. GigabitEthernet)
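The hello attribute checks and the state progression from the two adjacency slides above, as an added example that is not part of the INE slides. Router-IDs, addresses and the MTU values are constructed sample values; the rule that an MTU mismatch stalls the neighbor in ExStart comes from the DBD exchange, not from the hello itself.

```python
"""Added example, not from the INE slides: hello attribute checking and the
neighbor state machine from the Negotiating OSPF Adjacencies slides.
Router-IDs and addresses below are constructed sample values."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class OspfIface:
    router_id: str            # unique attribute: one Router-ID per router
    address: str              # unique attribute: one address per router on the link
    area_id: int
    net_mask: str             # interface network address must agree
    hello: int
    dead: int
    net_type: str
    auth: str                 # authentication type (and key) must agree
    stub: bool                # stub flag in the hello Options field
    mtu: int                  # checked later, in the DBD exchange
    neighbors_seen: frozenset = frozenset()   # Router-IDs listed in the hello I send


# Common attributes both sides must announce identically in their hellos
COMMON = ("area_id", "net_mask", "hello", "dead", "net_type", "auth", "stub")
STATES = ["DOWN", "INIT", "2WAY", "EXSTART", "EXCHANGE", "LOADING", "FULL"]


def rid_key(rid):
    """Numeric ordering of dotted Router-IDs (higher Router-ID wins)."""
    return tuple(int(octet) for octet in rid.split("."))


def hello_mismatches(me, peer):
    """Names of hello attributes that stop `me` from accepting `peer`'s hello."""
    bad = [attr for attr in COMMON if getattr(me, attr) != getattr(peer, attr)]
    if me.router_id == peer.router_id:
        bad.append("router_id must be unique")
    if me.address == peer.address:
        bad.append("address must be unique")
    return bad


def walk_adjacency(me, peer):
    """States `me` reaches with `peer` (as listed by `show ip ospf neighbor`)
    and the Router-ID that ends up as DBD master."""
    if hello_mismatches(me, peer):
        return ["DOWN"], None            # hello discarded: neighbor never appears
    if me.router_id not in peer.neighbors_seen:
        return STATES[:2], None          # one-way hello: stuck in INIT
    master = max(me.router_id, peer.router_id, key=rid_key)   # higher Router-ID
    if me.mtu != peer.mtu:
        return STATES[:4], master        # DBD packets rejected: stuck in EXSTART
    return STATES, master                # Exchange, Loading, Full


def variant(iface, **changes):
    """Copy of an interface with some attributes changed (for what-if checks)."""
    return replace(iface, **changes)


# Constructed sample: R1 and R2 on a FastEthernet segment with default timers
R1 = OspfIface("1.1.1.1", "10.0.0.1", 0, "255.255.255.0", 10, 40,
               "BROADCAST", "none", False, 1500, frozenset({"2.2.2.2"}))
R2 = OspfIface("2.2.2.2", "10.0.0.2", 0, "255.255.255.0", 10, 40,
               "BROADCAST", "none", False, 1500, frozenset({"1.1.1.1"}))

if __name__ == "__main__":
    print(walk_adjacency(R1, R2))                          # full adjacency, R2 is master
    print(walk_adjacency(R1, variant(R2, dead=120)),
          hello_mismatches(R1, variant(R2, dead=120)))    # timer mismatch: stays DOWN
    print(walk_adjacency(R1, variant(R2, mtu=1400)))      # MTU mismatch: stuck in EXSTART
```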

173 Why SPF is Needed
- With distance vector routing, you only know your neighbor's best path
- With link-state routing, you know all paths, including your neighbor's unused paths
- Dijkstra's SPF algorithm ensures that all routers agree on the same routing path, even though they make independent decisions
- Result of SPF is called the Shortest Path Tree (SPT)

SPF Calculation Overview
- To find the SPT, SPF uses three internal data sets:
  - Link State Database: all paths discovered from all neighbors
  - Candidate Database: links possible to be in the Shortest Path Tree
  - Tree Database: actual SPT once calculation is complete

174 SPF Calculation Overview (cont.)
- Entries in the Candidate and Tree databases describe individual branches of the tree between two nodes
  - Denoted as (Router ID, Neighbor ID, Cost)
  - e.g. the branch between R1 and R2 with a cost of 10 is denoted as (R1,R2,10)
- R1's ultimate goal is to build a tree with entries (R1,Rn,Cost), where Rn is every node in the topology
  - i.e. calculate the shortest path from R1 to everywhere

SPF Calculation Logic
- Step 1: Start by setting the local router as the root of the SPT, with a cost of zero to itself
- Step 2: Find the links to all local neighbors and add them to the Candidate database
- Step 3: Take the lowest cost branch from the Candidate database and move it to the Tree database

175 SPF Calculation Logic (cont.)
- Step 4: For the branch just moved to the Tree database do the following
  - Find the remote node's links connecting to other neighbors
  - Move all these links to the Candidate database, with the exception of any links that go to a neighbor already in the Tree database
- Step 5: If the Candidate database is not empty, go to Step 3, otherwise SPF is complete and the Tree database contains the SPT

SPF Calculation in Detail
(Diagram: step-by-step SPF walkthrough on a five-router topology, with R1 as the root)
- Links in the Link State Database (each listed from both ends): R1-R2 cost 10, R1-R3 cost 20, R1-R4 cost 30, R2-R3 cost 5, R2-R5 cost 40, R3-R4 cost 10, R3-R5 cost 25, R4-R5 cost 10
- Walkthrough: SPF initializes R1 as root with cost 0 to itself; R1's neighbors (R1,R2,10), (R1,R3,20) and (R1,R4,30) are added to the Candidate list; the lowest cost candidate (R1,R2,10) is moved to the Tree; R2's links are checked, links to nodes already in the Tree are discarded, and a candidate with a lower cost than an existing entry replaces it; the process repeats with (R2,R3,5), (R3,R4,10) and (R4,R5,10) until the Candidate list is empty and SPF is complete
- Candidate entries seen during the calculation, with their cost to reach from R1: (R1,R2,10) 10, (R1,R3,20) 20, (R1,R4,30) 30, (R2,R3,5) 15, (R2,R5,40) 50, (R3,R4,10) 25, (R3,R5,25) 40, (R4,R5,10) 35
- Resulting Tree:
  Tree       Cost
  R1,R1,0    0
  R1,R2,10   10
  R2,R3,5    15
  R3,R4,10   25
  R4,R5,10   35
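Steps 1 to 5 of the SPF Calculation Logic run on the five-router topology of the SPF Calculation in Detail slide, together with the default Cisco cost formula from the Step 2 slide, as an added example that is not part of the INE slides. The link list is the slide's topology; the bandwidth values fed to the cost function are the usual T1 serial, FastEthernet and GigabitEthernet figures and are assumptions, not values from the slides.

```python
"""Added example, not from the INE slides: the SPF calculation (Steps 1-5)
on the slide's five-router topology, plus the Cisco default cost formula."""

# The slide's topology: each entry is one link with its OSPF cost
LINKS = [("R1", "R2", 10), ("R1", "R3", 20), ("R1", "R4", 30), ("R2", "R3", 5),
         ("R2", "R5", 40), ("R3", "R4", 10), ("R3", "R5", 25), ("R4", "R5", 10)]


def cisco_cost(bandwidth_kbps, reference_mbps=100):
    """Default Cisco cost = reference bandwidth / link bandwidth, truncated
    to an integer with a minimum of 1 (why GigabitEthernet needs a higher
    reference bandwidth to differ from FastEthernet)."""
    return max(1, (reference_mbps * 1000) // bandwidth_kbps)


def build_lsdb(links):
    """Link State Database: every router's links, recorded from both ends."""
    lsdb = {}
    for a, b, cost in links:
        lsdb.setdefault(a, []).append((b, cost))
        lsdb.setdefault(b, []).append((a, cost))
    return lsdb


def spf(lsdb, root):
    """Return the Tree database as (node, neighbor, link cost) branches in
    the order they were added, and the total cost from root to each node."""
    tree = [(root, root, 0)]                    # Step 1: root, cost 0 to itself
    tree_cost = {root: 0}
    candidates = {}                             # neighbor -> (parent, link cost, total)

    def add_candidates(node):                   # Steps 2 and 4
        for nbr, cost in lsdb[node]:
            if nbr in tree_cost:                # already in the Tree: discard
                continue
            total = tree_cost[node] + cost
            # keep only the lowest cost branch to each candidate node
            if nbr not in candidates or total < candidates[nbr][2]:
                candidates[nbr] = (node, cost, total)

    add_candidates(root)
    while candidates:                           # Step 5: until the Candidate list is empty
        nbr, (parent, cost, total) = min(candidates.items(), key=lambda kv: kv[1][2])
        del candidates[nbr]                     # Step 3: lowest cost branch moves to Tree
        tree.append((parent, nbr, cost))
        tree_cost[nbr] = total
        add_candidates(nbr)
    return tree, tree_cost


def routing_table(tree, tree_cost, root):
    """Destination -> (next hop from root, cost), read off the SPT branches."""
    parent = {child: p for p, child, _ in tree if child != root}
    table = {}
    for dst in parent:
        hop = dst
        while parent[hop] != root:              # walk back to the branch off the root
            hop = parent[hop]
        table[dst] = (hop, tree_cost[dst])
    return table


if __name__ == "__main__":
    tree, cost = spf(build_lsdb(LINKS), "R1")
    for branch in tree:                          # matches the slide's Tree column
        print(branch, cost[branch[1]])
    print(routing_table(tree, cost, "R1"))
    print("T1:", cisco_cost(1544), "FastEthernet:", cisco_cost(100000),
          "GigabitEthernet:", cisco_cost(1000000),
          "GigabitEthernet with 1000 Mbps reference:", cisco_cost(1000000, 1000))
```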

176 Step 3 Neighbor & Topology Maintenance
- Once adjacencies are established and the SPT is built, the OSPF state machine tracks neighbor and topology changes
- Hello packets are used to track neighbor changes
- LSA fields are used to track topology changes

Tracking Neighbor Changes
- Hello packets continue to be sent on each OSPF enabled link every hello interval
  - 10 or 30 seconds by default depending on interface type
- If a hello packet is not received from a neighbor within the dead interval, the neighbor is declared down
  - Defaults to 4 times the hello interval
  - Can be as low as 1 second for fast convergence

177 Tracking Topology Changes
- When a new LSA is received it is checked against the database for changes such as
  - Sequence number: used to track new vs. old LSAs
  - Age: used to keep information new and withdraw old information
    - Periodic flooding occurs after 30 minutes (paranoid update)
    - LSAs that reach maxage (60 minutes) are withdrawn
  - Checksum: used to avoid transmission & memory corruption

LSA Flooding
- When a change is detected a new LSA is generated and flooded (sent) out all links
  - OSPF does not use split horizon
- Not all LSA changes require SPF to recalculate
  - e.g. link up/down event vs. seq number change
- See the OSPF RFC section "The Flooding Procedure" for details

178 OSPF Media Dependencies
- Unlike EIGRP, OSPF behavior changes depending on what type of media it is configured on
  - e.g. Ethernet vs. Frame Relay vs. PPP
- OSPF defines different network types to deal with different media characteristics
- OSPF network types control
  - How updates are sent
  - Who forms adjacency
  - How next-hop is calculated

OSPF Network Types
- Broadcast
- Non-Broadcast
- Point-to-Point
- Point-to-Multipoint
- Point-to-Multipoint Non-Broadcast
- Loopback

179 OSPF Network Broadcast
- ip ospf network broadcast
- Default on multi-access broadcast media
  - Ethernet
  - Token Ring
  - FDDI
- Sends hellos and updates as multicast
  - (AllSPFRouters)
  - (AllDRouters)
- Performs Designated Router (DR) & Backup Designated Router (BDR) election

DR / BDR Overview
- Designated Router (DR)
  - Used on broadcast links to
    - Minimize adjacencies
    - Minimize LSA replication
- Backup Designated Router (BDR)
  - Used for redundancy of DR
- DROthers
  - All other routers on the link
  - Form full adjacency with DR & BDR
  - Stop at 2-Way adjacency with each other
- DR / BDR chosen through election process

180 Adjacency Without DR/BDR
(Diagram) Without DR/BDR, adjacency needs are n(n-1)/2

Adjacency With DR/BDR
(Diagram: one DR and one BDR on the segment) With DR/BDR, adjacency needs are n+(n-1)

181 LSA Replication with DR/BDR
- DROthers send LSUs to DR/BDR via multicast
- DR forwards LSUs to DROthers via multicast
- Prevents constant forwarding of unneeded LSAs on the segment
- BDR does not forward LSUs, only waits for DR to fail

LSA Replication Without DR/BDR
(Diagram) R3's single LSA advertisement is received 4 times on each router

182 LSA Replication With DR/BDR
(Diagram: one DR and one BDR on the segment) R3's LSA advertisement is minimized with use of DR/BDR

DR / BDR Election
- Election based on interface priority and Router-ID
- Priority
  - Higher is better
  - 0 = never
- Router-ID
  - Highest loopback / interface IP
  - Can be statically set
  - Higher is better
- No preemption, unlike IS-IS's DIS
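The election rules of the DR / BDR Election slide (priority first, then Router-ID, priority 0 never elected, no preemption) as an added example that is not part of the INE slides. The Router-IDs and priorities of the four sample routers are constructed values.

```python
"""Added example, not from the INE slides: DR/BDR election on one segment
following the slide's rules. Router-IDs and priorities are constructed."""


def rid_key(rid):
    """Numeric ordering of dotted Router-IDs (higher Router-ID wins ties)."""
    return tuple(int(octet) for octet in rid.split("."))


def rank(router):
    # Higher priority is better; equal priority is decided by higher Router-ID
    return (router["priority"], rid_key(router["rid"]))


def eligible(routers):
    return [r for r in routers if r["priority"] > 0]   # priority 0 = never DR/BDR


def elect(routers, dr=None, bdr=None):
    """Return (dr, bdr) Router-IDs for a segment. `dr` and `bdr` are the
    current role holders, if any: an existing DR is never preempted, and
    when the DR disappears the BDR is promoted and only a new BDR is elected."""
    alive = {r["rid"] for r in eligible(routers)}
    if dr not in alive:
        dr = bdr if bdr in alive else None      # BDR takes over from a failed DR
        bdr = None
    if dr is None:                              # fresh segment: best router becomes DR
        dr = max(eligible(routers), key=rank, default={"rid": None})["rid"]
    if bdr not in alive or bdr == dr:
        rest = [r for r in eligible(routers) if r["rid"] != dr]
        bdr = max(rest, key=rank, default={"rid": None})["rid"]
    return dr, bdr


# Constructed sample segment
R1 = {"rid": "1.1.1.1", "priority": 1}
R2 = {"rid": "2.2.2.2", "priority": 1}
R3 = {"rid": "3.3.3.3", "priority": 0}          # never becomes DR or BDR
R4 = {"rid": "4.4.4.4", "priority": 100}        # highest priority, but joins late


def scenario():
    """R1-R3 boot together, then R4 joins, then the DR fails."""
    boot = elect([R1, R2, R3])                  # R2 wins on Router-ID, R1 is BDR
    joined = elect([R1, R2, R3, R4], *boot)     # unchanged: no preemption by R4
    failed = elect([R1, R3, R4], *joined)       # R1 promoted to DR, R4 elected BDR
    return boot, joined, failed


if __name__ == "__main__":
    for step, roles in zip(("boot", "R4 joins", "DR fails"), scenario()):
        print(f"{step:>9}: DR={roles[0]} BDR={roles[1]}")
```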

183 OSPF Network Non-Broadcast
- ip ospf network non-broadcast
- Default on multipoint NBMA media
  - Frame Relay / ATM
- Sends hellos as unicast
  - Manually defined addresses with neighbor command
- Performs DR/BDR election
- Originally designed for legacy networks that didn't support broadcast transmission
  - i.e. X.25

OSPF Network Point-to-Point
- ip ospf network point-to-point
- Default on point-to-point media
  - HDLC / PPP
- Sends hellos as multicast
- No DR/BDR election
- Supports only two neighbors on the link

184 OSPF Network Point-to-Multipoint
- ip ospf network point-to-multipoint
- Treats network as a collection of point-to-point links
- Sends hellos as multicast
- No DR/BDR election
- Special next-hop processing
- Usually the best design option for partial mesh NBMA networks

OSPF Network Point-to-Multipoint Non-Broadcast
- ip ospf network point-to-multipoint non-broadcast
- Same as point-to-multipoint, but sends hellos as unicast
  - Manually defined addresses with neighbor command
- No DR/BDR election
- Special next-hop processing

185 OSPF Network Loopback
- Special case for Loopback and looped-back interfaces
- Advertises link as /32 stub host route
- ip ospf network point-to-point is used to disable this behavior

Implementing Basic OSPF
- Enable the OSPF process
  - router ospf [process-id]
  - Process-id is locally significant
  - Must be an up/up interface running IP to choose the Router-ID from
- Enable the interface process
  - Process level
    - network [address] [wildcard] area [area-id]
  - Interface level
    - ip ospf [process-id] area [area-id]

186 OSPF Network Statement
- Like EIGRP, enables OSPF on the interface
- Wildcard mask does not relate to subnet mask
- Most specific match wins
  - network area 0
  - network area 1
  - network area 2
  - network area 3
  - network area 4
- Source of common confusion; new versions support interface level enabling as an alternative

Verifying Basic OSPF
- Verify OSPF interfaces
  - show ip ospf interface
- Verify OSPF neighbors
  - show ip ospf neighbor
- Verify OSPF topology
  - show ip ospf database
- Verify OSPF routes in routing table
  - show ip route [ospf]
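How the network statement places interfaces into areas (wildcard match independent of the subnet mask, most specific statement wins), as an added example that is not part of the INE slides. The five statements and the interface addresses are constructed to mirror the slide's five-statement example, whose addresses are not shown.

```python
"""Added example, not from the INE slides: OSPF network statement matching.
The statements and interface addresses below are constructed sample values."""
import ipaddress


def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(ip, network, wildcard):
    """Wildcard bit 0 = the address bit must match, 1 = don't care.
    The wildcard is independent of the interface's subnet mask."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(ip) & care) == (to_int(network) & care)


def specificity(wildcard):
    """Number of address bits that must match; more bits = more specific."""
    return 32 - bin(to_int(wildcard)).count("1")


def area_for(ip, statements):
    """Area an interface with address `ip` lands in, or None if no statement
    covers it. `statements` is a list of (network, wildcard, area)."""
    hits = [s for s in statements if wildcard_match(ip, s[0], s[1])]
    if not hits:
        return None
    return max(hits, key=lambda s: specificity(s[1]))[2]   # most specific wins


def assign_areas(interfaces, statements):
    """Interface name -> area, the mapping `show ip ospf interface brief` would show."""
    return {name: area_for(ip, statements) for name, ip in interfaces.items()}


# Constructed configuration in the style of the slide's five statements
STATEMENTS = [
    ("0.0.0.0",  "255.255.255.255", 0),   # network 0.0.0.0 255.255.255.255 area 0
    ("10.0.0.0", "0.255.255.255",   1),   # network 10.0.0.0 0.255.255.255 area 1
    ("10.1.0.0", "0.0.255.255",     2),   # network 10.1.0.0 0.0.255.255 area 2
    ("10.1.1.0", "0.0.0.255",       3),   # network 10.1.1.0 0.0.0.255 area 3
    ("10.1.1.1", "0.0.0.0",         4),   # network 10.1.1.1 0.0.0.0 area 4
]
INTERFACES = {            # constructed interface addresses; masks do not matter here
    "Lo0": "10.1.1.1",
    "Fa0/0": "10.1.1.9",
    "Fa0/1": "10.1.2.1",
    "Se0/0": "10.2.0.1",
    "Fa1/0": "192.168.0.1",
}

if __name__ == "__main__":
    for name, area in assign_areas(INTERFACES, STATEMENTS).items():
        print(f"{name:6} {INTERFACES[name]:14} area {area}")
```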

187 OSPF Configuration Example
(Topology diagram)

Basic OSPF Configuration
R1#
router ospf 1
 network area 0
 network area 0
 network area 0

R2#
router ospf 1
 network area 0

R3#
router ospf 1
 network area 0

R4#
router ospf 1
 network area 0
 network area 0
 network area 0

R5#
router ospf 1
 network area 0
 neighbor
 neighbor

R6#
interface Loopback0
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip ospf 1 area 0
!
interface FastEthernet0/1
 ip ospf 1 area 0

188 Verifying OSPF Interfaces
R1#show ip ospf interface brief
Interface PID Area IP Address/Mask Cost State Nbrs F/C
Fa0/ /24 1 DROTH 2/2
Se0/ /24 64 P2P 1/1
Lo /24 1 LOOP 0/0

R2#show ip ospf interface brief
Interface PID Area IP Address/Mask Cost State Nbrs F/C
Lo /24 1 LOOP 0/0
Se0/ /24 64 BDR 1/1
Fa0/ /24 1 BDR 1/1

R3#show ip ospf interface brief
Interface PID Area IP Address/Mask Cost State Nbrs F/C
Lo /24 1 LOOP 0/0
Se1/ / P2P 1/1
Fa0/ /24 1 DR 1/1
R3#

R4#show ip ospf interface brief
Interface PID Area IP Address/Mask Cost State Nbrs F/C
Lo /24 1 LOOP 0/0
Se0/ /24 64 BDR 1/1
Fa0/ /24 1 BDR 2/2

R5#show ip ospf interface brief
Interface PID Area IP Address/Mask Cost State Nbrs F/C
Lo /24 1 LOOP 0/0
Se0/ /24 64 DR 2/2
Fa0/ /24 1 DR 0/0

R6#show ip ospf interface brief
Interface PID Area IP Address/Mask Cost State Nbrs F/C
Lo /24 1 LOOP 0/0
Fa0/ /24 1 DR 0/0
Fa0/ /24 1 DR 2/2

Verifying OSPF Broadcast Interface Detail
R1#show ip ospf interface Fa0/0
FastEthernet0/0 is up, line protocol is up
  Internet Address /24, Area 0
  Process ID 1, Router ID , Network Type BROADCAST, Cost: 1
  Transmit Delay is 1 sec, State DROTHER, Priority 1
  Designated Router (ID) , Interface address
  Backup Designated router (ID) , Interface address
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:05
  Supports Link-local Signaling (LLS)
  Index 3/3, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 2
  Last flood scan time is 4 msec, maximum is 8 msec
  Neighbor Count is 2, Adjacent neighbor count is 2
    Adjacent with neighbor (Backup Designated Router)
    Adjacent with neighbor (Designated Router)
  Suppress hello for 0 neighbor(s)

189 Verifying OSPF Point-to-Point Int Detail
R1#show ip ospf interface Serial0/1
Serial0/1 is up, line protocol is up
  Internet Address /24, Area 0
  Process ID 1, Router ID , Network Type POINT_TO_POINT, Cost: 64
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:02
  Supports Link-local Signaling (LLS)
  Index 2/2, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 4 msec, maximum is 4 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor
  Suppress hello for 0 neighbor(s)

Verifying OSPF Non-Broadcast Int Detail
R5#show ip ospf interface Serial0/0
Serial0/0 is up, line protocol is up
  Internet Address /24, Area 0
  Process ID 1, Router ID , Network Type NON_BROADCAST, Cost: 64
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) , Interface address
  Backup Designated router (ID) , Interface address
  Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
    oob-resync timeout 120
    Hello due in 00:00:24
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 2/2, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 6
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 2, Adjacent neighbor count is 2
    Adjacent with neighbor
    Adjacent with neighbor (Backup Designated Router)
  Suppress hello for 0 neighbor(s)

190 Verifying OSPF Loopback Int Detail
R1#show ip ospf interface Loopback0
Loopback0 is up, line protocol is up
  Internet Address /24, Area 0
  Process ID 1, Router ID , Network Type LOOPBACK, Cost: 1
  Loopback interface is treated as a stub Host

OSPF Packet Level Debug
R1#debug ip packet detail
IP packet debugging is on (detailed)
IP: s= (local), d= (FastEthernet0/0), len 84, sending broad/multicast, proto=89
IP: s= (FastEthernet0/0), d= , len 84, rcvd 0, proto=89
IP: s= (Serial0/1), d= , len 80, rcvd 0, proto=89
IP: s= (FastEthernet0/0), d= , len 84, rcvd 0, proto=89

191 Verifying OSPF Adjacency
R1#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
 FULL/BDR 00:00: FastEthernet0/
 FULL/DR 00:00: FastEthernet0/
 FULL/ - 00:00: Serial0/1

R2#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
 FULL/DR 00:01: Serial0/
 FULL/DR 00:00: FastEthernet0/0

R3#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
 FULL/ - 00:00: Serial1/
 FULL/BDR 00:00: FastEthernet0/0

R4#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
 FULL/DR 00:01: Serial0/
 FULL/DROTHER 00:00: FastEthernet0/
 FULL/DR 00:00: FastEthernet0/0

R5#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
 FULL/DROTHER 00:01: Serial0/
 FULL/BDR 00:01: Serial0/0

R6#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
 FULL/DROTHER 00:00: FastEthernet0/
 FULL/BDR 00:00: FastEthernet0/0

Verifying OSPF Database (R1)
R1#show ip ospf database
            OSPF Router with ID ( ) (Process ID 1)

                Router Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Link count
 x x003C
 x x002D
 x x0046DE
 x x00B98D
 x x0069DE
 x x0084B7 3

                Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
 x x00A
 x x0069DA
 x x0043A0

192 Verifying OSPF Database (R2)
R2#show ip ospf database
            OSPF Router with ID ( ) (Process ID 1)

                Router Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Link count
 x x003C
 x x002D
 x x0046DE
 x x00B98D
 x x0069DE
 x x0084B7 3

                Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
 x x00A
 x x0069DA
 x x0043A0

Verifying OSPF Database Detail
R1#show ip ospf database router
            OSPF Router with ID ( ) (Process ID 1)

                Router Link States (Area 0)

  LS age: 1167
  Options: (No TOS-capability, DC)
  LS Type: Router Links
  Link State ID:
  Advertising Router:
  LS Seq Number:
  Checksum: 0x2D24
  Length: 60
   Number of Links: 3

    Link connected to: a Stub Network
     (Link ID) Network/subnet number:
     (Link Data) Network Mask:
      Number of TOS metrics: 0
       TOS 0 Metrics: 1

    Link connected to: a Transit Network
     (Link ID) Designated Router address:
     (Link Data) Router Interface address:
      Number of TOS metrics: 0
       TOS 0 Metrics: 64

    Link connected to: a Transit Network
     (Link ID) Designated Router address:
     (Link Data) Router Interface address:
      Number of TOS metrics: 0
       TOS 0 Metrics: 1

193 Verifying OSPF Routing Table
R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     /8 is variably subnetted, 12 subnets, 2 masks
C       /24 is directly connected, Serial0/
C       /24 is directly connected, Loopback
O       /32 [110/2] via , 00:10:36, FastEthernet0/
O       /32 [110/66] via , 00:10:36, FastEthernet0/
O       /32 [110/2] via , 00:10:36, FastEthernet0/
O       /32 [110/65] via , 00:10:36, Serial0/
O       /32 [110/66] via , 00:10:36, FastEthernet0/0
                [110/66] via , 00:10:37, Serial0/
O       /24 [110/65] via , 00:10:37, Serial0/
O       /24 [110/2] via , 00:10:37, FastEthernet0/
O       /24 [110/66] via , 00:10:37, FastEthernet0/
C       /24 is directly connected, FastEthernet0/
O       /24 [110/65] via , 00:10:38, FastEthernet0/0

194 OSPF Areas Overview
- OSPF areas add hierarchy and scalability to the routing domain
- An area defines a flooding domain
  - All devices in the area agree on the topology
  - Changes inside the area require LSA flooding and full SPF
- Routing between areas hides topology details
  - Inter-area routing is similar to distance vector
  - Changes outside the area don't always require LSA flooding or SPF
  - Limits impact on router resources

OSPF Area Types
- Backbone area
  - Area 0 ( )
  - Used to summarize topology information between other areas
  - Traffic from one area to another must pass through area 0
  - Must be contiguous
- Non-transit areas
  - All other areas ( )
  - Must use connections to area 0 to reach other areas

195 OSPF Router Types
- Backbone routers
  - At least one link in area 0
- Internal routers
  - All links in one non-transit area
- Area Border Router (ABR)
  - At least one link in area 0 and one link in a non-transit area
  - Used to summarize information between area 0 and non-transit area
- Autonomous System Boundary Router (ASBR)
  - At least one link in the OSPF domain
  - At least one link outside the OSPF domain
    - EIGRP, IS-IS, BGP, etc.
  - Used to redistribute information to/from other routing domains and OSPF

OSPF Multi-Area Topology Example
(Topology diagram)

196 Area 0 Continuity
- All inter-area traffic must pass through area 0
- If a non-transit area loses connectivity to area 0, all inter-area connectivity is lost
- This state is called discontiguous areas or discontiguous area 0
- Repairs to these broken designs come in the form of virtual area 0 adjacencies called virtual links

OSPF Virtual Links
- Used to connect area 0 over a non-transit area
  - Virtual area 0 adjacency between two ABRs over a non-transit area
  - Provides continuity to the OSPF database calculation
- Non-transit area must have full routing information
  - Cannot be a stub area and should not have filtering
- Not a tunnel in the traditional sense
  - Traffic does not flow over the virtual link itself
- Configured under the routing process of the ABRs
  - area [transit area-id] virtual-link [remote abr router-id]

197 OSPF Virtual-Link Example
(Diagram: Area 1, Area 0, Area 2 and Area 3 with their ABRs. The Area 3 ABR loses connectivity to Area 0, so all inter-area routing to Area 3 is lost. A virtual-link adjacency between the two Area 2 ABRs restores connectivity to Area 3, giving a new traffic path from Area 1 to Area 3.)
(Diagram: ASBR between the EIGRP and OSPF domains)

OSPF LSA Types
- With different router types in the OSPF domain, different types of advertisements are required
  - e.g. DR, ABR, ASBR, etc.
- Different LSA formats are used to represent this information
  - Format is defined by type code
  - Type 1, type 2, etc.
- Which LSA types are sent and received depends on
  - Router's type
  - OSPF network type
  - Area type

198 OSPF LSA Types (cont.)
- LSA types are
  - Type 1: Router LSA
  - Type 2: Network LSA
  - Type 3: Network Summary LSA
  - Type 4: ASBR Summary LSA
  - Type 5: External LSA
  - Type 7: NSSA External LSA
- Other types exist outside our scope
  - Type 6: Multicast LSA
    - Not implemented by Cisco
  - Types 8, 9, 10: Opaque LSA
    - Used for extensibility

OSPF LSA Types (cont.)
- Routes that LSAs describe can be grouped together as
  - Intra-Area Routes (O)
    - LSA Types 1 & 2
  - Inter-Area Routes (O IA)
    - LSA Types 3 & 4
  - External Routes
    - E1/E2: LSA Type 5
    - N1/N2: LSA Type 7

199 OSPF LSA Types In Detail (cont.)
- Type 1: Router LSA
  - Generated by every router in the OSPF domain
  - Not flooded outside the area they originate in
  - Describes its directly connected links
    - What are my link costs
    - Who are my neighbors
  - Used to build the graph for intra-area SPF
  - show ip ospf database router [Link ID]

OSPF LSA Types In Detail (cont.)
- Type 2: Network LSA
  - Generated by DR on broadcast and non-broadcast network types
  - Not flooded outside the area they originate in
  - Describes who is adjacent with the DR
  - Used to reduce redundant information in the database
    - n*(n-1)/2 and flooding scalability issue
  - show ip ospf database network [Link ID]

200 OSPF LSA Types In Detail (cont.)
- Type 3: Network Summary LSA
  - Generated by ABR
  - Flooded from area 0 into non-transit area and vice-versa
  - Describes ABR's reachability to links in other areas
  - Includes cost, but hides ABR's actual path to destination
  - SPF not run to reach ABR advertised routes, instead logic is
    - ABR can reach link A via SPT in cost X
    - I can reach ABR via SPT in cost Y
    - I can reach link A via SPT in cost X + Y
  - This is why inter-area routing is considered distance vector
  - show ip ospf database summary [Link ID]

OSPF LSA Types In Detail (cont.)
- Type 4: ASBR Summary LSA
  - Generated by ABR
  - Flooded from area 0 into non-transit area and vice-versa
  - Describes ABR's reachability to ASBRs in other areas
  - Includes cost, but hides ABR's actual path to destination
  - SPF not run to reach inter-area ASBR, instead logic is
    - ABR can reach ASBR via SPT in cost X
    - I can reach ABR via SPT in cost Y
    - I can reach ASBR via SPT in cost X + Y
  - This is why inter-area external routing is also considered distance vector
  - show ip ospf database asbr-summary [Link ID]

201 OSPF LSA Types In Detail (cont.)
- Type 5: External LSA
  - Generated by ASBR
  - Flooded to all non-stub areas
  - Describes routes ASBR is redistributing
    - Metric
    - Metric Type
      - Type 1 = E1
      - Type 2 = E2 (default)
    - Forward Address
      - Who should I route towards to reach the link?
      - Usually the ASBR itself, but could be someone else in some designs
    - Route Tag
  - show ip ospf database external [Link ID]

OSPF External Type 1 vs Type 2
- External route type controls how the metric for an external link is calculated
- Type 1 (E1)
  - Take the cost the ASBR reports in plus the cost to the ASBR
- Type 2 (E2)
  - Take just the cost the ASBR reports in
  - If there is a tie, then take the cost to the ASBR as well
- Type 1 is usually used when there are multiple ASBRs redistributing the same routes into OSPF

202 OSPF External Route Calculation
- Performs like distance vector routing, similar to the inter-area calculation
- Intra-area externals
  - ASBR can reach link A in cost X
  - I can reach ASBR via SPT in cost Y
  - I can reach link A via SPT in cost X + Y
- Inter-area externals
  - ASBR can reach link A in cost X
  - ABR can reach ASBR via SPT in cost Y
  - I can reach ABR via SPT in cost Z
  - I can reach link A via SPT in cost X + Y + Z

OSPF LSA Types In Detail (cont.)
- Type 7: NSSA External LSA
  - Special type of external route generated by ASBR redistributing routes inside a Not-So-Stubby Area
  - More on this later
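The E1/E2 metric rules and the X + Y (+ Z) additive logic of the Type 3, Type 4 and external-route slides above, as an added example that is not part of the INE slides. The two sample ASBRs, their costs and the redistributed metric of 20 are constructed values; the rule that an E1 path is preferred over an E2 path for the same prefix regardless of metric comes from the OSPF RFC, not from the slides.

```python
"""Added example, not from the INE slides: inter-area and external route
metrics (Type 3/4 summaries, E1 vs E2 selection). Sample values are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ExternalPath:
    asbr: str
    reported: int     # X: metric the ASBR put in its Type 5 LSA
    mtype: int        # 1 = E1, 2 = E2 (default)
    to_asbr: int      # my cost to the ASBR: via SPT, or via an ABR (Y + Z)


def summary_metric(abr_reported, to_abr):
    """Type 3 logic: ABR reaches link A in cost X, I reach the ABR in cost Y."""
    return abr_reported + to_abr


def cost_to_asbr_via_abr(abr_to_asbr, to_abr):
    """Type 4 logic: the ABR's cost to the ASBR (Y) plus my cost to the ABR (Z)."""
    return abr_to_asbr + to_abr


def route_metric(path):
    """Metric shown in the routing table: E1 adds the path to the ASBR, E2 does not."""
    return path.reported + path.to_asbr if path.mtype == 1 else path.reported


def rank(path):
    # E1 beats E2 for the same prefix; an E2 tie falls back to the cost to the ASBR
    return (path.mtype, route_metric(path), path.to_asbr if path.mtype == 2 else 0)


def best_external(paths):
    """Pick the path installed for one prefix among several ASBRs' Type 5 LSAs."""
    return min(paths, key=rank)


# Constructed sample: the same prefix redistributed by two ASBRs with metric 20,
# one in my area (65 away over a serial link), one reached through an ABR
INTRA = ExternalPath("ASBR-A", 20, 2, 65)
INTER = ExternalPath("ASBR-B", 20, 2, cost_to_asbr_via_abr(abr_to_asbr=64, to_abr=2))

if __name__ == "__main__":
    print("E2 tie:", best_external([INTRA, INTER]).asbr, route_metric(INTRA))
    e1 = [ExternalPath(p.asbr, p.reported, 1, p.to_asbr) for p in (INTRA, INTER)]
    print("E1:", best_external(e1).asbr, [route_metric(p) for p in e1])
    print("E1 vs E2:", best_external([INTRA, e1[1]]).asbr)
    print("Type 3 summary:", summary_metric(abr_reported=64, to_abr=2))
```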

203 OSPF Inter-Area Routing Example
(Topology diagram)

Basic OSPF Configuration
R1#
router ospf 1
 network area 2
 network area 1
 network area 2

R2#
router ospf 1
 network area 1
 network area 1
 network area 0

R3#
router ospf 1
 network area 1
 network area 1
 network area 1

R4#
router ospf 1
 network area 2
 network area 2
 network area 0

R5#
router ospf 1
 network area 0
 network area 0
 neighbor
 neighbor
 redistribute connected subnets

R6#
router ospf 1
 network area 2
 network area 2
 network area 2

204 OSPF Interface Verification
R1#show ip ospf interface brief
Interface PID Area IP Address/Mask Cost State Nbrs F/C
Se0/ /24 64 P2P 1/1
Fa0/ /24 1 DR 2/2
Lo /24 1 LOOP 0/0

R2#show ip ospf interface brief
Interface PID Area IP Address/Mask Cost State Nbrs F/C
Se0/ /24 64 BDR 1/1
Fa0/ /24 1 DR 1/1
Lo /24 1 LOOP 0/0

R3#show ip ospf interface brief
Interface PID Area IP Address/Mask Cost State Nbrs F/C
Fa0/ /24 1 BDR 1/1
Se1/ / P2P 1/1
Lo /24 1 LOOP 0/0

R4#show ip ospf interface brief
Interface PID Area IP Address/Mask Cost State Nbrs F/C
Se0/ /24 64 BDR 1/1
Lo /24 1 LOOP 0/0
Fa0/ /24 1 BDR 2/2

R5#show ip ospf interface brief
Interface PID Area IP Address/Mask Cost State Nbrs F/C
Lo /24 1 LOOP 0/0
Se0/ /24 64 DR 2/2

R6#show ip ospf interface brief
Interface PID Area IP Address/Mask Cost State Nbrs F/C
Lo /24 1 LOOP 0/0
Fa0/ /24 1 DROTH 2/2
Fa0/ /24 1 DR 0/0

OSPF Neighbor Verification
R1#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
 FULL/ - 00:00: Serial0/
 FULL/BDR 00:00: FastEthernet0/
 FULL/DROTHER 00:00: FastEthernet0/0

R2#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
 FULL/DR 00:01: Serial0/
 FULL/BDR 00:00: FastEthernet0/0

R3#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
 FULL/DR 00:00: FastEthernet0/
 FULL/ - 00:00: Serial1/2

R4#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
 FULL/DR 00:01: Serial0/
 FULL/DR 00:00: FastEthernet0/
 FULL/DROTHER 00:00: FastEthernet0/0

R5#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
 FULL/DROTHER 00:01: Serial0/
 FULL/BDR 00:01: Serial0/0

R6#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
 FULL/DR 00:00: FastEthernet0/
 FULL/BDR 00:00: FastEthernet0/0

205 OSPF Database Verification (R1)
R1#show ip ospf database
            OSPF Router with ID ( ) (Process ID 1)

                Router Link States (Area 1)
Link ID ADV Router Age Seq# Checksum Link count
 x x00CD
 x x005B4B
 x x004ED4 4

                Net Link States (Area 1)
Link ID ADV Router Age Seq# Checksum
 x x00C025

                Summary Net Link States (Area 1)
Link ID ADV Router Age Seq# Checksum
 x x00FDDF
 x x00B
 x x009F
 x x00943F
 x x007C
 x x00BC
 x x006D7E

                Summary ASB Link States (Area 1)
Link ID ADV Router Age Seq# Checksum
 x x00894E

                Router Link States (Area 2)
Link ID ADV Router Age Seq# Checksum Link count
 x x00D7E
 x x
 x x001E21 3

                Net Link States (Area 2)
Link ID ADV Router Age Seq# Checksum
 x x

                Summary Net Link States (Area 2)
Link ID ADV Router Age Seq# Checksum
 x x00C
 x x00B91C
 x x00854D
 x x00FCC
 x x00F0D
 x x

                Summary ASB Link States (Area 2)
Link ID ADV Router Age Seq# Checksum
 x x006F64

                Type-5 AS External Link States
Link ID ADV Router Age Seq# Checksum Tag
 x x008DC0 0

OSPF Database Verification (R2)
R2#show ip ospf database
            OSPF Router with ID ( ) (Process ID 1)

                Router Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Link count
 x x
 x x003A
 x x00DBB5 2

                Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
 x x0041A1

                Summary Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
 x x0061B
 x x005CC
 x x0051C
 x x0018FC
 x x00F
 x x00946F
 x x
 x x00DFFF
 x x00206A

                Router Link States (Area 1)
Link ID ADV Router Age Seq# Checksum Link count
 x x00CD
 x x005B4B
 x x004ED4 4

                Net Link States (Area 1)
Link ID ADV Router Age Seq# Checksum
 x x00C025

                Summary Net Link States (Area 1)
Link ID ADV Router Age Seq# Checksum
 x x00FDDF
 x x00B
 x x009F
 x x00943F
 x x007C
 x x00BC
 x x006D7E

                Summary ASB Link States (Area 1)
Link ID ADV Router Age Seq# Checksum
 x x00894E

                Type-5 AS External Link States
Link ID ADV Router Age Seq# Checksum Tag
 x x008DC0 0

206 OSPF Database Verification (R3)
R3#show ip ospf database
            OSPF Router with ID ( ) (Process ID 1)

                Router Link States (Area 1)
Link ID ADV Router Age Seq# Checksum Link count
 x x00CD
 x x005B4B
 x x004ED4 4

                Net Link States (Area 1)
Link ID ADV Router Age Seq# Checksum
 x x00C025

                Summary Net Link States (Area 1)
Link ID ADV Router Age Seq# Checksum
 x x00FDDF
 x x00B
 x x009F
 x x00943F
 x x007C
 x x00BC
 x x006D7E

                Summary ASB Link States (Area 1)
Link ID ADV Router Age Seq# Checksum
 x x00894E

                Type-5 AS External Link States
Link ID ADV Router Age Seq# Checksum Tag
 x x008DC0 0

OSPF Database Verification (R4)
R4#show ip ospf database
            OSPF Router with ID ( ) (Process ID 1)

                Router Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Link count
 x x
 x x003A
 x x00DBB5 2

                Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
 x x0041A1

                Summary Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
 x x0061B
 x x005CC
 x x0051C
 x x0018FC
 x x00F
 x x00946F
 x x
 x x00DFFF
 x x00206A

                Router Link States (Area 2)
Link ID ADV Router Age Seq# Checksum Link count
 x x00D7E
 x x
 x x001E21 3

                Net Link States (Area 2)
Link ID ADV Router Age Seq# Checksum
 x x

                Summ
ary Net Link States (Area 2)
Link ID ADV Router Age Seq# Checksum
 x x00C
 x x00B91C
 x x00854D
 x x00FCC
 x x00F0D
 x x

                Summary ASB Link States (Area 2)
Link ID ADV Router Age Seq# Checksum
 x x006F64

                Type-5 AS External Link States
Link ID ADV Router Age Seq# Checksum Tag
 x x008DC0 0

207 OSPF Database Verification (R5)
R5#show ip ospf database
            OSPF Router with ID ( ) (Process ID 1)

                Router Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Link count
 x x
 x x003A
 x x00DBB5 2

                Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
 x x0041A1

                Summary Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
 x x0061B
 x x005CC
 x x0051C
 x x0018FC
 x x00F
 x x00946F
 x x
 x x00DFFF
 x x00206A

                Type-5 AS External Link States
Link ID ADV Router Age Seq# Checksum Tag
 x x008DC0 0

OSPF Database Verification (R6)
R6#show ip ospf database
            OSPF Router with ID ( ) (Process ID 1)

                Router Link States (Area 2)
Link ID ADV Router Age Seq# Checksum Link count
 x x00D7E
 x x
 x x001E21 3

                Net Link States (Area 2)
Link ID ADV Router Age Seq# Checksum
 x x

                Summary Net Link States (Area 2)
Link ID ADV Router Age Seq# Checksum
 x x00C
 x x00B91C
 x x00854D
 x x00FCC
 x x00F0D
 x x

                Summary ASB Link States (Area 2)
Link ID ADV Router Age Seq# Checksum
 x x006F64

                Type-5 AS External Link States
Link ID ADV Router Age Seq# Checksum Tag
 x x008DC0 0

208 OSPF Routing Table Verification (R1)
R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     /8 is variably subnetted, 12 subnets, 2 masks
C       /24 is directly connected, Serial0/
C       /24 is directly connected, Loopback
O       /32 [110/2] via , 00:22:34, FastEthernet0/
O IA    /32 [110/66] via , 00:22:34, FastEthernet0/
O       /32 [110/2] via , 00:22:34, FastEthernet0/
O       /32 [110/65] via , 00:22:34, Serial0/
O       /32 [110/66] via , 00:22:34, Serial0/
O       /24 [110/65] via , 00:22:35, Serial0/
O       /24 [110/2] via , 00:22:35, FastEthernet0/
O E2    /24 [110/20] via , 00:22:35, FastEthernet0/
C       /24 is directly connected, FastEthernet0/
O IA    /24 [110/65] via , 00:22:35, FastEthernet0/0

OSPF Routing Table Verification (R2)
R2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     /8 is variably subnetted, 12 subnets, 2 masks
O       /24 [110/782] via , 00:22:36, FastEthernet0/
C       /24 is directly connected, Loopback
O IA    /32 [110/66] via , 00:22:36, Serial0/
O       /32 [110/65] via , 00:22:36, Serial0/
O IA    /32 [110/65] via , 00:22:36, Serial0/
O       /32 [110/2] via , 00:22:36, FastEthernet0/
O IA    /32 [110/66] via , 00:22:36, Serial0/
C       /24 is directly connected, FastEthernet0/
O IA    /24 [110/66] via , 00:22:37, Serial0/
O E2    /24 [110/20] via , 00:22:37, Serial0/
O IA    /24 [110/65] via , 00:22:37, Serial0/
C       /24 is directly connected, Serial0/0

209 OSPF Routing Table Verification (R3)
R3#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     /8 is variably subnetted, 12 subnets, 2 masks
C       /24 is directly connected, Serial1/
C       /24 is directly connected, Loopback
O IA    /32 [110/67] via , 00:22:38, FastEthernet0/
O IA    /32 [110/66] via , 00:22:38, FastEthernet0/
O IA    /32 [110/66] via , 00:22:38, FastEthernet0/
O       /32 [110/2] via , 00:22:38, FastEthernet0/
O IA    /32 [110/67] via , 00:22:38, FastEthernet0/
C       /24 is directly connected, FastEthernet0/
O IA    /24 [110/67] via , 00:22:40, FastEthernet0/
O E2    /24 [110/20] via , 00:22:40, FastEthernet0/
O IA    /24 [110/66] via , 00:22:40, FastEthernet0/
O IA    /24 [110/65] via , 00:22:40, FastEthernet0/0

OSPF Routing Table Verification (R4)
R4#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     /8 is variably subnetted, 12 subnets, 2 masks
O IA    /24 [110/846] via , 00:22:41, Serial0/
O       /32 [110/2] via , 00:22:41, FastEthernet0/
O       /32 [110/65] via , 00:22:41, Serial0/
O IA    /32 [110/66] via , 00:22:41, Serial0/
O IA    /32 [110/65] via , 00:22:41, Serial0/
O       /32 [110/2] via , 00:22:41, FastEthernet0/
C       /24 is directly connected, Loopback
O IA    /24 [110/65] via , 00:22:41, Serial0/
O       /24 [110/2] via , 00:22:41, FastEthernet0/
O E2    /24 [110/20] via , 00:22:41, Serial0/
C       /24 is directly connected, FastEthernet0/
C       /24 is directly connected, Serial0/0

210 OSPF Routing Table Verification (R5)

R5#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     /8 is variably subnetted, 12 subnets, 2 masks
O IA    /24 [110/846] via , 00:22:44, Serial0/
O IA    /32 [110/66] via , 00:22:44, Serial0/
O IA    /32 [110/65] via , 00:22:44, Serial0/
O IA    /32 [110/66] via , 00:22:44, Serial0/
O IA    /32 [110/65] via , 00:22:44, Serial0/
O IA    /32 [110/66] via , 00:22:44, Serial0/
C       /24 is directly connected, Loopback
O IA    /24 [110/65] via , 00:22:44, Serial0/
O IA    /24 [110/66] via , 00:22:44, Serial0/
C       /24 is directly connected, FastEthernet0/
O IA    /24 [110/65] via , 00:22:44, Serial0/
C       /24 is directly connected, Serial0/0

OSPF Routing Table Verification (R6)

R6#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     /8 is variably subnetted, 12 subnets, 2 masks
O IA    /24 [110/847] via , 00:22:45, FastEthernet0/
O IA    /32 [110/66] via , 00:22:45, FastEthernet0/
O       /32 [110/2] via , 00:22:45, FastEthernet0/
O IA    /32 [110/67] via , 00:22:45, FastEthernet0/
O IA    /32 [110/66] via , 00:22:45, FastEthernet0/
O       /32 [110/2] via , 00:22:45, FastEthernet0/
C       /24 is directly connected, Loopback
O IA    /24 [110/66] via , 00:22:46, FastEthernet0/
C       /24 is directly connected, FastEthernet0/
O E2    /24 [110/20] via , 00:22:46, FastEthernet0/
C       /24 is directly connected, FastEthernet0/
O IA    /24 [110/65] via , 00:22:46, FastEthernet0/0
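The per-router routing tables above are what you read by eye when verifying OSPF; when there are many routers, a small parser lets you check the same things mechanically (route codes present, default route and its next hop, which more-specific prefixes sit under a Null0 summary). The following Python is an added example and not part of the bootcamp material; the sample table is constructed to mirror the output format shown on these slides (classic IOS `show ip route` lines) and every address in it is made up.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, modelled on the slide output format (addresses are made up).
SAMPLE_TABLE = """\
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

Gateway of last resort is 10.1.23.2 to network 0.0.0.0

     10.0.0.0/8 is variably subnetted, 8 subnets, 3 masks
C       10.1.23.0/24 is directly connected, FastEthernet0/0
O       10.1.3.3/32 [110/2] via 10.1.23.3, 00:05:05, FastEthernet0/0
O IA    10.1.5.5/32 [110/66] via 10.1.25.5, 00:05:05, Serial0/0
O       10.1.32.0/24 [110/2] via 10.1.23.3, 00:05:05, FastEthernet0/0
O       10.1.33.0/24 [110/2] via 10.1.23.3, 00:05:05, FastEthernet0/0
O       10.1.32.0/22 is a summary, 00:05:05, Null0
O E2    10.1.100.0/24 [110/20] via 10.1.25.5, 00:05:05, Serial0/0
O N2    10.1.104.0/24 [110/20] via 10.1.146.1, 00:00:34, FastEthernet0/0
O*IA    0.0.0.0/0 [110/2] via 10.1.23.2, 00:00:04, FastEthernet0/0
"""

# Route code (C, O, O IA, O E2, O N2, O*IA, D EX, ...) followed by prefix/len.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z*][A-Z0-9* ]{0,3}?)\s+"
    r"(?P<prefix>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s+(?P<rest>.*)$"
)
VIA_RE = re.compile(
    r"\[(?P<ad>\d+)/(?P<metric>\d+)\] via (?P<nh>\S+), (?P<age>\S+), (?P<intf>\S+)$"
)
CONN_RE = re.compile(r"is directly connected, (?P<intf>\S+)$")
SUMM_RE = re.compile(r"is a summary, (?P<age>\S+), (?P<intf>\S+)$")


@dataclass
class Route:
    code: str
    prefix: ipaddress.IPv4Network
    ad: Optional[int]
    metric: Optional[int]
    next_hop: Optional[str]
    interface: str
    age: Optional[str]


def parse_route_line(line: str) -> Optional[Route]:
    """Parse one route line; header, 'Codes:' and 'Gateway' lines return None."""
    m = ROUTE_RE.match(line)
    if not m:
        return None
    code = m.group("code").strip()
    prefix = ipaddress.ip_network(m.group("prefix"), strict=False)
    rest = m.group("rest")
    v = VIA_RE.search(rest)
    if v:
        return Route(code, prefix, int(v["ad"]), int(v["metric"]),
                     v["nh"], v["intf"], v["age"])
    c = CONN_RE.search(rest)
    if c:
        return Route(code, prefix, None, None, None, c["intf"], None)
    s = SUMM_RE.search(rest)
    if s:
        return Route(code, prefix, None, None, None, s["intf"], s["age"])
    return None


def parse_routing_table(text: str) -> list:
    return [r for r in (parse_route_line(l) for l in text.splitlines()) if r]


def count_by_code(routes) -> dict:
    """How many routes of each code (O, O IA, O E2, O N2, ...) the table holds."""
    counts = {}
    for r in routes:
        counts[r.code] = counts.get(r.code, 0) + 1
    return counts


def default_route(routes) -> Optional[Route]:
    """The 0.0.0.0/0 entry, if any (what a stub-area router relies on)."""
    for r in routes:
        if r.prefix.prefixlen == 0:
            return r
    return None


def summary_components(routes) -> dict:
    """For each Null0 discard route ('is a summary'), list the more-specific
    prefixes in the same table that it aggregates."""
    out = {}
    for s in routes:
        if s.interface != "Null0":
            continue
        out[str(s.prefix)] = sorted(
            str(r.prefix) for r in routes
            if r is not s and r.prefix.prefixlen > s.prefix.prefixlen
            and r.prefix.subnet_of(s.prefix))
    return out


if __name__ == "__main__":
    routes = parse_routing_table(SAMPLE_TABLE)
    print(count_by_code(routes))
    print(default_route(routes))
    print(summary_components(routes))
```

Feeding a stub-area router's table through `count_by_code` should show no `O E2` entries and one `O*IA` default; a totally stubby router's table should also lack `O IA`, which is a quicker check than reading each slide's output by hand.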

211 OSPF Type-1 LSA Verification Detail

R3#show ip ospf database router

            OSPF Router with ID ( ) (Process ID 1)

                Router Link States (Area 1)

  LS age: 142
  Options: (No TOS-capability, DC)
  LS Type: Router Links
  Link State ID:
  Advertising Router:
  LS Seq Number:
  Checksum: 0x4AD6
  Length: 72
  Number of Links: 4

    Link connected to: a Transit Network
     (Link ID) Designated Router address:
     (Link Data) Router Interface address:
      Number of TOS metrics: 0
       TOS 0 Metrics: 1

    Link connected to: another Router (point-to-point)
     (Link ID) Neighboring Router ID:
     (Link Data) Router Interface address:
      Number of TOS metrics: 0
       TOS 0 Metrics: 781

    Link connected to: a Stub Network
     (Link ID) Network/subnet number:
     (Link Data) Network Mask:
      Number of TOS metrics: 0
       TOS 0 Metrics: 781

    Link connected to: a Stub Network
     (Link ID) Network/subnet number:
     (Link Data) Network Mask:
      Number of TOS metrics: 0
       TOS 0 Metrics: 1

OSPF Type-2 LSA Verification Detail

R3#show ip ospf database network

            OSPF Router with ID ( ) (Process ID 1)

                Net Link States (Area 1)

  Routing Bit Set on this LSA
  LS age: 151
  Options: (No TOS-capability, DC)
  LS Type: Network Links
  Link State ID: (address of Designated Router)
  Advertising Router:
  LS Seq Number:
  Checksum: 0xBC27
  Length: 32
  Network Mask: /24
        Attached Router:
        Attached Router:

212 OSPF Type-3 LSA Verification Detail

R3#show ip ospf database summary

            OSPF Router with ID ( ) (Process ID 1)

                Summary Net Link States (Area 1)

  Routing Bit Set on this LSA
  LS age: 165
  Options: (No TOS-capability, DC, Upward)
  LS Type: Summary Links(Network)
  Link State ID: (summary Network Number)
  Advertising Router:
  LS Seq Number:
  Checksum: 0x6980
  Length: 28
  Network Mask: /24
        TOS: 0  Metric: 64

OSPF Type-4 LSA Verification Detail

R3#show ip ospf database asbr-summary

            OSPF Router with ID ( ) (Process ID 1)

                Summary ASB Link States (Area 1)

  Routing Bit Set on this LSA
  LS age: 671
  Options: (No TOS-capability, DC, Upward)
  LS Type: Summary Links(AS Boundary Router)
  Link State ID: (AS Boundary Router address)
  Advertising Router:
  LS Seq Number:
  Checksum: 0x874F
  Length: 28
  Network Mask: /0
        TOS: 0  Metric: 64

213 OSPF Type-5 LSA Verification Detail

R3#show ip ospf database external

            OSPF Router with ID ( ) (Process ID 1)

                Type-5 AS External Link States

  Routing Bit Set on this LSA
  LS age: 130
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: (External Network Number )
  Advertising Router:
  LS Seq Number:
  Checksum: 0x8BC1
  Length: 36
  Network Mask: /24
        Metric Type: 2 (Larger than any link state path)
        TOS: 0
        Metric: 20
        Forward Address:
        External Route Tag: 0

OSPF Routing Table Verification Detail

R3#show ip route
Routing entry for /32
  Known via "ospf 1", distance 110, metric 2, type intra area
  Last update from on FastEthernet0/0, 00:39:04 ago
  Routing Descriptor Blocks:
  * , from , 00:39:04 ago, via FastEthernet0/0
      Route metric is 2, traffic share count is 1

R3#show ip route
Routing entry for /24
  Known via "ospf 1", distance 110, metric 65, type inter area
  Last update from on FastEthernet0/0, 00:39:06 ago
  Routing Descriptor Blocks:
  * , from , 00:39:06 ago, via FastEthernet0/0
      Route metric is 65, traffic share count is 1

R3#show ip route
Routing entry for /24
  Known via "ospf 1", distance 110, metric 20, type extern 2, forward metric 65
  Last update from on FastEthernet0/0, 00:39:09 ago
  Routing Descriptor Blocks:
  * , from , 00:39:09 ago, via FastEthernet0/0
      Route metric is 20, traffic share count is 1

214 OSPF Virtual-Link Example

[Topology figure: /24 VLAN 6. Captions: "When R2's Link To Area 0 Goes Down, All Inter-Area Connectivity To Area 1 Is Lost." and "Virtual-Link Configured Between R1 and R4, Traffic Can Be Rerouted Via Area 2."]

OSPF Virtual-Link Configuration

R1#
router ospf 1
 area 2 virtual-link

R4#
router ospf 1
 area 2 virtual-link

R1#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
FULL/ OSPF_VL
FULL/ - 00:00: Serial0/
FULL/BDR 00:00: FastEthernet0/
FULL/DROTHER 00:00: FastEthernet0/0

R4#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
FULL/ OSPF_VL
FULL/DR 00:01: Serial0/
FULL/DR 00:00: FastEthernet0/
FULL/DROTHER 00:00: FastEthernet0/0

215 OSPF Virtual-Link Verification

R1#show ip ospf virtual-links
Virtual Link OSPF_VL0 to router is up
  Run as demand circuit
  DoNotAge LSA allowed.
  Transit area 2, via interface FastEthernet0/0, Cost of using 1
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:07
    Adjacency State FULL (Hello suppressed)
    Index 1/4, retransmission queue length 0, number of retransmission 0
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 0, maximum is 0
    Last retransmission scan time is 0 msec, maximum is 0 msec

R1#show ip ospf interface
OSPF_VL0 is up, line protocol is up
  Internet Address /24, Area 0
  Process ID 1, Router ID , Network Type VIRTUAL_LINK, Cost: 1
  Configured as demand circuit.
  Run as demand circuit.
  DoNotAge LSA allowed.
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:06
  Supports Link-local Signaling (LLS)
  Index 1/4, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor (Hello suppressed)
  Suppress hello for 1 neighbor(s)
<output omitted>

OSPF Virtual-Link Verification (cont.)

R3#show ip route
Routing entry for /32
  Known via "ospf 1", distance 110, metric 66, type inter area
  Last update from on FastEthernet0/0, 00:07:16 ago
  Routing Descriptor Blocks:
  * , from , 00:07:16 ago, via FastEthernet0/0
      Route metric is 66, traffic share count is 1

R3#traceroute
Type escape sequence to abort.
Tracing the route to
  msec 0 msec 4 msec
  msec * 28 msec

R2#config t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#interface Serial0/0
R2(config-if)#shutdown
R2(config-if)#
OSPF-5-ADJCHG: Process 1, Nbr on Serial0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
%LINK-5-CHANGED: Interface Serial0/0, changed state to administratively down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down

R3#show ip route
Routing entry for /32
  Known via "ospf 1", distance 110, metric 847, type inter area
  Last update from on Serial1/2, 00:00:03 ago
  Routing Descriptor Blocks:
  * , from , 00:00:03 ago, via Serial1/2
      Route metric is 847, traffic share count is 1

R3#traceroute
Type escape sequence to abort.
Tracing the route to
  msec 16 msec 16 msec
  msec 12 msec 12 msec
  msec * 40 msec

216 OSPF Scalability

- Less topology info & less routing info means lower resource utilization
- OSPF areas add scalability by hiding topology information, but they don't hide reachability information
- NLRI can be reduced in OSPF by implementing
  - Summarization
  - Stub areas

OSPF Summarization

- OSPF supports two types of summaries
  - Internal Summarization (Type-3 LSAs)
  - External Summarization (Type-5 & 7 LSAs)
- Unlike RIPv2, EIGRP, and BGP, OSPF summarization (aggregation) cannot be performed at arbitrary places in the topology
  - Internal summarization only on ABRs
  - External summarization only on ASBRs

217 OSPF Internal Summarization

- Configured only on ABRs
- Takes intra-area (O) routes and summarizes them into inter-area (O IA) routes as they move between areas
  - area [source area-id] range [network] [mask]
- Automatically generates a route to Null0 (the discard route drops traffic for destinations inside the summary that have no more-specific route, so the summary cannot cause a routing loop)

OSPF External Summarization

- Configured only on ASBRs
- Takes routes external to the OSPF domain and summarizes them as OSPF external routes (E1/E2/N1/N2) when redistributed
  - summary-address [network] [mask]
- Automatically generates routes to Null0
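Both commands above take a network and mask that you have to work out by hand from the component prefixes; the /16 + /16 = /15 arithmetic on a later slide is the same calculation. The following Python is an added example, not bootcamp material: it computes the shortest single prefix that covers a set of networks, renders it as the `area ... range` or `summary-address` line, and lists any address space the summary advertises that no component actually covers (the "holes" that the Null0 discard route absorbs). All prefixes in the test values are constructed (the slides' loopback numbering 32-35 and 104-111 is reused, with a made-up 10.1.x.0 base).

```python
import ipaddress
from typing import Iterable, List, Optional


def _nets(prefixes: Iterable[str]) -> List[ipaddress.IPv4Network]:
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]


def smallest_covering_summary(prefixes: Iterable[str]) -> ipaddress.IPv4Network:
    """Shortest single prefix that contains every input network.
    Starts from the first network and widens it one bit at a time
    (supernet) until all components are inside it."""
    nets = _nets(prefixes)
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return summary


def summary_holes(prefixes: Iterable[str],
                  summary: Optional[str] = None) -> List[ipaddress.IPv4Network]:
    """Address space inside the summary that no component prefix covers.
    Traffic to these destinations hits the Null0 discard route on the
    summarizing router instead of following the summary back and forth."""
    nets = _nets(prefixes)
    summ = (ipaddress.ip_network(summary, strict=False) if summary
            else smallest_covering_summary(prefixes))
    holes = [summ]
    for n in nets:
        remaining = []
        for h in holes:
            if h.subnet_of(n):
                continue                      # hole fully covered by a component
            elif n.subnet_of(h):
                remaining.extend(h.address_exclude(n))  # carve the component out
            else:
                remaining.append(h)
        holes = remaining
    return sorted(ipaddress.collapse_addresses(holes))


def plan_area_range(area_id: int, prefixes: Iterable[str]) -> str:
    """ABR internal summarization line (Type-3), IOS syntax from the slide."""
    s = smallest_covering_summary(prefixes)
    return f"area {area_id} range {s.network_address} {s.netmask}"


def plan_summary_address(prefixes: Iterable[str]) -> str:
    """ASBR external summarization line (Type-5/7), IOS syntax from the slide."""
    s = smallest_covering_summary(prefixes)
    return f"summary-address {s.network_address} {s.netmask}"


if __name__ == "__main__":
    # Constructed: four /24 loopbacks on R3 (Loopback32-35) summarized by the ABR.
    r3_loopbacks = [f"10.1.{n}.0/24" for n in range(32, 36)]
    print(plan_area_range(1, r3_loopbacks))
    print("holes:", summary_holes(r3_loopbacks))
    # Constructed: eight /24 loopbacks on R1 (Loopback104-111) summarized at the ASBR.
    r1_loopbacks = [f"10.1.{n}.0/24" for n in range(104, 112)]
    print(plan_summary_address(r1_loopbacks))
```

The holes check is the part worth keeping: a summary that is wider than its components is still valid OSPF, but every address in a hole becomes a black hole at the summarizing router, and that is exactly the space the automatic Null0 route is there to discard.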

218 OSPF Internal Summarization Example

[Topology figure: R1, R2, R3, R4, R5, R6 with loopbacks (Lo /24); Area 0, Area 1, Area 2; VLAN 6, VLAN 146, VLAN 23; interfaces Fa0/0, Fa0/1, S0/0]

OSPF Internal Summarization Configuration

R2#
router ospf 1
 area 1 range

R3#
interface Loopback32
 ip address
 ip ospf network point-to-point
!
interface Loopback33
 ip address
 ip ospf network point-to-point
!
interface Loopback34
 ip address
 ip ospf network point-to-point
!
interface Loopback35
 ip address
 ip ospf network point-to-point
!
router ospf 1
 network area 1
 network area 1
 network area 1
 network area 1

219 Internal Summarization Verification

R2#show ip route ospf
     /8 is variably subnetted, 16 subnets, 3 masks
O IA    /32 [110/66] via , 00:05:05, Serial0/0
O       /32 [110/65] via , 00:05:05, Serial0/0
O IA    /32 [110/65] via , 00:05:05, Serial0/0
O       /32 [110/2] via , 00:05:05, FastEthernet0/0
O IA    /32 [110/66] via , 00:05:05, Serial0/0
O       /24 [110/2] via , 00:05:05, FastEthernet0/0
O       /24 [110/2] via , 00:05:05, FastEthernet0/0
O       /24 [110/2] via , 00:05:05, FastEthernet0/0
O       /24 [110/2] via , 00:05:05, FastEthernet0/0
O       /22 is a summary, 00:05:05, Null0
O IA    /24 [110/66] via , 00:05:05, Serial0/0
O E     /24 [110/20] via , 00:05:05, Serial0/0
O IA    /24 [110/65] via , 00:05:05, Serial0/0

R5#show ip route ospf
     /8 is variably subnetted, 12 subnets, 3 masks
O IA    /32 [110/66] via , 00:07:48, Serial0/0
O IA    /32 [110/65] via , 00:07:48, Serial0/0
O IA    /32 [110/66] via , 00:07:48, Serial0/0
O IA    /32 [110/65] via , 00:07:48, Serial0/0
O IA    /32 [110/66] via , 00:07:48, Serial0/0
O IA    /24 [110/65] via , 00:07:48, Serial0/0
O IA    /22 [110/66] via , 00:05:10, Serial0/0
O IA    /24 [110/66] via , 00:07:48, Serial0/0
O IA    /24 [110/65] via , 00:07:48, Serial0/0

R6#show ip route ospf
     /8 is variably subnetted, 12 subnets, 3 masks
O IA    /32 [110/66] via , 00:09:58, FastEthernet0/0
O       /32 [110/2] via , 00:11:12, FastEthernet0/0
O IA    /32 [110/67] via , 00:09:48, FastEthernet0/0
O IA    /32 [110/66] via , 00:09:48, FastEthernet0/0
O       /32 [110/2] via , 00:11:12, FastEthernet0/0
O IA    /24 [110/66] via , 00:09:48, FastEthernet0/0
O IA    /22 [110/67] via , 00:07:16, FastEthernet0/0
O E     /24 [110/20] via , 00:07:15, FastEthernet0/0
O IA    /24 [110/65] via , 00:11:12, FastEthernet0/0

Internal Summarization Verification (cont.)

R5#show ip ospf database summary

            OSPF Router with ID ( ) (Process ID 1)

                Summary Net Link States (Area 0)

  Routing Bit Set on this LSA
  LS age: 466
  Options: (No TOS-capability, DC, Upward)
  LS Type: Summary Links(Network)
  Link State ID: (summary Network Number)
  Advertising Router:
  LS Seq Number:
  Checksum: 0x20E2
  Length: 28
  Network Mask: /22
        TOS: 0  Metric: 2

R6#show ip ospf database summary

            OSPF Router with ID ( ) (Process ID 1)

                Summary Net Link States (Area 2)

  Routing Bit Set on this LSA
  LS age: 467
  Options: (No TOS-capability, DC, Upward)
  LS Type: Summary Links(Network)
  Link State ID: (summary Network Number)
  Advertising Router:
  LS Seq Number:
  Checksum: 0x8637
  Length: 28
  Network Mask: /22
        TOS: 0  Metric: 66

220 OSPF External Summarization Example

[Topology figure: R1, R2, R3, R4, R5, R6 with loopbacks (Lo /24); Area 0, Area 1, Area 2; VLAN 6, VLAN 146, VLAN 23; interfaces Fa0/0, Fa0/1, S0/0]

OSPF External Summarization Configuration

R1#
interface Loopback104
 ip address
!
interface Loopback105
 ip address
!
interface Loopback106
 ip address
!
interface Loopback107
 ip address
!
interface Loopback108
 ip address
!
interface Loopback109
 ip address
!
interface Loopback110
 ip address
!
interface Loopback111
 ip address
!
router ospf 1
 summary-address
 redistribute connected subnets

221 External Summarization Verification

R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     /8 is variably subnetted, 21 subnets, 4 masks
C       /24 is directly connected, Loopback0
O       /32 [110/2] via , 00:12:37, FastEthernet0/0
O IA    /32 [110/66] via , 00:12:37, FastEthernet0/0
O       /32 [110/2] via , 00:12:37, FastEthernet0/0
O IA    /32 [110/67] via , 00:12:37, FastEthernet0/0
O IA    /32 [110/66] via , 00:12:37, FastEthernet0/0
O IA    /24 [110/66] via , 00:12:38, FastEthernet0/0
O IA    /22 [110/67] via , 00:12:38, FastEthernet0/0
O       /24 [110/2] via , 00:12:38, FastEthernet0/0
O E     /24 [110/20] via , 00:12:38, FastEthernet0/0
C       /24 is directly connected, Loopback107
C       /24 is directly connected, Loopback106
C       /24 is directly connected, Loopback105
C       /24 is directly connected, Loopback104
O       /21 is a summary, 00:04:25, Null0
C       /24 is directly connected, Loopback111
C       /24 is directly connected, Loopback110
C       /24 is directly connected, Loopback109
C       /24 is directly connected, Loopback108
C       /24 is directly connected, FastEthernet0/0
O IA    /24 [110/65] via , 00:12:38, FastEthernet0/0

External Summarization Verification (cont.)

R3#show ip route ospf
     /8 is variably subnetted, 16 subnets, 3 masks
O IA    /32 [110/67] via , 00:28:51, FastEthernet0/0
O IA    /32 [110/66] via , 00:28:51, FastEthernet0/0
O IA    /32 [110/66] via , 00:28:51, FastEthernet0/0
O       /32 [110/2] via , 00:28:51, FastEthernet0/0
O IA    /32 [110/67] via , 00:28:51, FastEthernet0/0
O IA    /24 [110/67] via , 00:28:51, FastEthernet0/0
O E     /24 [110/20] via , 00:11:28, FastEthernet0/0
O E     /21 [110/20] via , 00:07:20, FastEthernet0/0
O IA    /24 [110/66] via , 00:28:51, FastEthernet0/0
O IA    /24 [110/65] via , 00:28:51, FastEthernet0/0

R3#show ip ospf database external

            OSPF Router with ID ( ) (Process ID 1)

                Type-5 AS External Link States

  Routing Bit Set on this LSA
  LS age: 460
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: (External Network Number )
  Advertising Router:
  LS Seq Number:
  Checksum: 0x48DD
  Length: 36
  Network Mask: /21
        Metric Type: 2 (Larger than any link state path)
        TOS: 0
        Metric: 20
        Forward Address:
        External Route Tag: 0

222 OSPF Stub Areas

- Summarization saves resources by taking multiple longer-match prefixes and combining them into a smaller number of shorter matches
  - e.g. two routes /16 and /16 become one route /15
- Using the same logic, OSPF stub areas reduce NLRI by taking prefixes of the same LSA type and combining them into the shortest match possible, a default route

How OSPF Stub Areas Work

- Stub areas use the common transit point of the OSPF topology, the ABR, to stop LSAs from entering the area
  - Type-3, Type-4, and/or Type-5 filtered depending on stub type
- The reachability information removed is then replaced with a default route
  - Still allows reachability to removed routes (in most cases)

223 OSPF Stub Area Types

- Four stub area types control which routes (LSAs) can enter the area
  - Stub Area: stops external routes
  - Totally Stubby Area: stops inter-area and external routes
  - Not-So-Stubby Area (NSSA): stops external routes but allows local redistribution
  - Not-So-Totally-Stubby Area: stops inter-area and external routes but allows local redistribution
- All routers in the area must agree on the stub flag

OSPF Stub Areas

- Stub Area logic
  - I know how to get to my ABR
  - My ABR knows how to get to the ASBRs
  - The ASBRs know how to get to the external routes
  - If I default to the ABR, I don't need the specific external routes
- area [area-id] stub on all routers in the area
- Result
  - ABR removes LSAs 4 (ASBR) & 5 (External)
  - ABR originates default route

224 OSPF Stub Area Example

[Topology figure: /24 VLAN 6, Stub Area]

Stub Area Configuration & Verification

R2#
router ospf 1
 area 1 stub

R3#
router ospf 1
 area 1 stub

R2#show ip route ospf
     /8 is variably subnetted, 17 subnets, 4 masks
O IA    /32 [110/66] via , 00:00:04, Serial0/0
O       /32 [110/65] via , 00:00:19, Serial0/0
O IA    /32 [110/65] via , 00:00:04, Serial0/0
O       /32 [110/2] via , 00:00:04, FastEthernet0/0
O IA    /32 [110/66] via , 00:00:04, Serial0/0
O       /24 [110/2] via , 00:00:04, FastEthernet0/0
O       /24 [110/2] via , 00:00:04, FastEthernet0/0
O       /24 [110/2] via , 00:00:04, FastEthernet0/0
O       /24 [110/2] via , 00:00:04, FastEthernet0/0
O       /22 is a summary, 00:00:04, Null0
O IA    /24 [110/66] via , 00:00:04, Serial0/0
O E     /24 [110/20] via , 00:00:04, Serial0/0
O E     /21 [110/20] via , 00:00:04, Serial0/0
O IA    /24 [110/65] via , 00:00:04, Serial0/0

R3#show ip route ospf
     /8 is variably subnetted, 14 subnets, 2 masks
O IA    /32 [110/67] via , 00:00:04, FastEthernet0/0
O IA    /32 [110/66] via , 00:00:04, FastEthernet0/0
O IA    /32 [110/66] via , 00:00:04, FastEthernet0/0
O       /32 [110/2] via , 00:00:04, FastEthernet0/0
O IA    /32 [110/67] via , 00:00:04, FastEthernet0/0
O IA    /24 [110/67] via , 00:00:04, FastEthernet0/0
O IA    /24 [110/66] via , 00:00:04, FastEthernet0/0
O IA    /24 [110/65] via , 00:00:04, FastEthernet0/0
O*IA    /0 [110/2] via , 00:00:04, FastEthernet0/0

225 Stub Area Verification (cont.)

R2#show ip ospf database

            OSPF Router with ID ( ) (Process ID 1)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
x x x x003A x x

                Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
x x0041A1

                Summary Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
x x0061B x x005CC x x0053C x x0018FC x x00F x x x x0022E x x00DFFF x x00206A

                Summary ASB Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
x x004BCF

                Router Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum Link count
x x00CF x x x A 0x00E0C5 6

                Net Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum
x x00BB27

                Summary Net Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum
x x0035F x x001AC x x00D x x00BB1C x x00B x x00980C x x00D x x

                Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
x x008BC x x0046DE 0

Stub Area Verification (cont.)

R3#show ip ospf database

            OSPF Router with ID ( ) (Process ID 1)

                Router Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum Link count
x x00CF x x x A 0x00E0C5 6

                Net Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum
x x00BB27

                Summary Net Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum
x x0035F x x001AC x x00D x x00BB1C x x00B x x00980C x x00D x x008963

226 OSPF Totally Stubby Areas

- Totally Stubby Area logic
  - I know how to get to my ABR
  - My ABR knows how to get to other areas and to the ASBRs
  - The ASBRs know how to get to the external routes
  - If I default to the ABR, I don't need the specific inter-area or external routes
- area [area-id] stub on the internal routers in the area
- area [area-id] stub no-summary on the ABR(s) of the area
- Result
  - ABR removes LSAs 3 (Inter-Area), 4 (ASBR), & 5 (External)
  - ABR originates default route

OSPF Totally Stubby Area Example

[Topology figure: /24 VLAN 6, Totally Stubby Area]

227 Totally Stubby Area Config & Verification

R2#
router ospf 1
 area 1 stub no-summary

R3#
router ospf 1
 area 1 stub

R2#show ip route ospf
     /8 is variably subnetted, 17 subnets, 4 masks
O IA    /32 [110/66] via , 00:00:16, Serial0/0
O       /32 [110/65] via , 00:00:16, Serial0/0
O IA    /32 [110/65] via , 00:00:16, Serial0/0
O       /32 [110/2] via , 00:00:16, FastEthernet0/0
O IA    /32 [110/66] via , 00:00:16, Serial0/0
O       /24 [110/2] via , 00:00:16, FastEthernet0/0
O       /24 [110/2] via , 00:00:16, FastEthernet0/0
O       /24 [110/2] via , 00:00:16, FastEthernet0/0
O       /24 [110/2] via , 00:00:16, FastEthernet0/0
O       /22 is a summary, 00:00:16, Null0
O IA    /24 [110/66] via , 00:00:16, Serial0/0
O E     /24 [110/20] via , 00:00:16, Serial0/0
O E     /21 [110/20] via , 00:00:06, Serial0/0
O IA    /24 [110/65] via , 00:00:16, Serial0/0

R3#show ip route ospf
     /8 is variably subnetted, 7 subnets, 2 masks
O       /32 [110/2] via , 00:06:05, FastEthernet0/0
O*IA    /0 [110/2] via , 00:00:19, FastEthernet0/0

Totally Stubby Area Verification (cont.)

R2#show ip ospf database

            OSPF Router with ID ( ) (Process ID 1)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
x x x x003A x x

                Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
x x0041A1

                Summary Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
x x0061B x x005CC x x0053C x x0018FC x x00F x x x x0022E x x00DFFF x x00206A

                Router Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum Link count
x x00CF x x x A 0x00E0C5 6

                Net Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum
x x00BB27

                Summary Net Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum
x x0033FA

                Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
x x008BC x x0044DF 0

                Summary ASB Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
x x004BCF

228 Totally Stubby Area Verification (cont.)

R3#show ip ospf database

            OSPF Router with ID ( ) (Process ID 1)

                Router Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum Link count
x x00CF x x x A 0x00E0C5 6

                Net Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum
x x00BB27

                Summary Net Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum
x x0033FA

OSPF Not-So-Stubby Areas (NSSA)

- NSSA logic
  - Stub areas block external routes from coming from other areas
  - What if I want to redistribute directly into the stub area itself?
  - Filter like a stub area, but make an exception for local redistribution
  - This exception requires the new Type 7 LSA (NSSA External)
- area [area-id] nssa on all routers in the area
- Result
  - Redistributing router in NSSA generates Type 7 external instead of Type 5
  - ABR changes Type 7 into Type 5 as it is sent into area 0
  - ABR removes LSAs 4 (ASBR) & 5 (External) from coming into the area
  - ABR does not originate default route

229 Type 7 LSA In Detail

- Type 7 NSSA External LSA
  - Generated by ASBR inside NSSA
  - Flooded only within NSSA
  - Changed into Type 5 LSA as it leaves the area
- Describes routes ASBR is redistributing
  - Metric
  - Metric Type
    - Type 1 = N1
    - Type 2 = N2 (default)
  - Forward Address
    - Who should I route towards to reach the link?
    - Usually the ASBR itself, but could be someone else in some designs
  - Route Tag
- show ip ospf database nssa-external [Link ID]

Type 7 LSA Translation

- N1/N2 routes exist only inside the NSSA
- Changed on ABR to E1/E2 routes as they enter area 0
  - ABR called NSSA Translator
  - If multiple ABRs, hold an election
    - ABR with highest router-id becomes NSSA Translator
  - Traffic doesn't necessarily transit the translator
- See RFC 3101, The OSPF Not-So-Stubby Area (NSSA) Option, for details

230 OSPF NSSA Example

[Topology figure: R1, R2, R3, R4, R5, R6 with loopbacks (Lo /24); Area 0, Area 1, Area 2 (Not So Stubby Area); VLAN 6, VLAN 146, VLAN 23; interfaces Fa0/0, Fa0/1, S0/0]

OSPF NSSA Config & Verification

R1#
router ospf 1
 area 2 nssa
 redistribute connected subnets

R4#
router ospf 1
 area 2 nssa

R6#
router ospf 1
 area 2 nssa

R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     /8 is variably subnetted, 19 subnets, 3 masks
C       /24 is directly connected, Loopback0
O       /32 [110/2] via , 00:01:37, FastEthernet0/0
O IA    /32 [110/66] via , 00:01:37, FastEthernet0/0
O       /32 [110/2] via , 00:01:37, FastEthernet0/0
O IA    /32 [110/67] via , 00:01:37, FastEthernet0/0
O IA    /32 [110/66] via , 00:01:37, FastEthernet0/0
O IA    /24 [110/66] via , 00:01:38, FastEthernet0/0
O IA    /22 [110/67] via , 00:01:38, FastEthernet0/0
O       /24 [110/2] via , 00:01:38, FastEthernet0/0
C       /24 is directly connected, Loopback107
C       /24 is directly connected, Loopback106
C       /24 is directly connected, Loopback105
C       /24 is directly connected, Loopback104
C       /24 is directly connected, Loopback111
C       /24 is directly connected, Loopback110
C       /24 is directly connected, Loopback109
C       /24 is directly connected, Loopback108
C       /24 is directly connected, FastEthernet0/0
O IA    /24 [110/65] via , 00:01:38, FastEthernet0/0

231 OSPF NSSA Verification (cont.)

R4#show ip route ospf
     /8 is variably subnetted, 20 subnets, 3 masks
O       /32 [110/2] via , 00:00:34, FastEthernet0/0
O       /32 [110/65] via , 00:00:59, Serial0/0
O IA    /32 [110/66] via , 00:00:34, Serial0/0
O IA    /32 [110/65] via , 00:00:34, Serial0/0
O       /32 [110/2] via , 00:00:34, FastEthernet0/0
O IA    /24 [110/65] via , 00:00:34, Serial0/0
O IA    /22 [110/66] via , 00:00:34, Serial0/0
O       /24 [110/2] via , 00:00:34, FastEthernet0/0
O E     /24 [110/20] via , 00:00:34, Serial0/0
O N     /24 [110/20] via , 00:00:34, FastEthernet0/0
O N     /24 [110/20] via , 00:00:34, FastEthernet0/0
O N     /24 [110/20] via , 00:00:34, FastEthernet0/0
O N     /24 [110/20] via , 00:00:34, FastEthernet0/0
O N     /24 [110/20] via , 00:00:34, FastEthernet0/0
O N     /24 [110/20] via , 00:00:35, FastEthernet0/0
O N     /24 [110/20] via , 00:00:35, FastEthernet0/0
O N     /24 [110/20] via , 00:00:35, FastEthernet0/0

R6#show ip route ospf
     /8 is variably subnetted, 19 subnets, 3 masks
O IA    /32 [110/66] via , 00:00:50, FastEthernet0/0
O       /32 [110/2] via , 00:00:50, FastEthernet0/0
O IA    /32 [110/67] via , 00:00:50, FastEthernet0/0
O IA    /32 [110/66] via , 00:00:50, FastEthernet0/0
O       /32 [110/2] via , 00:00:50, FastEthernet0/0
O IA    /24 [110/66] via , 00:00:50, FastEthernet0/0
O IA    /22 [110/67] via , 00:00:50, FastEthernet0/0
O N     /24 [110/20] via , 00:00:50, FastEthernet0/0
O N     /24 [110/20] via , 00:00:50, FastEthernet0/0
O N     /24 [110/20] via , 00:00:50, FastEthernet0/0
O N     /24 [110/20] via , 00:00:50, FastEthernet0/0
O N     /24 [110/20] via , 00:00:50, FastEthernet0/0
O N     /24 [110/20] via , 00:00:50, FastEthernet0/0
O N     /24 [110/20] via , 00:00:51, FastEthernet0/0
O N     /24 [110/20] via , 00:00:51, FastEthernet0/0
O IA    /24 [110/65] via , 00:00:51, FastEthernet0/0

OSPF NSSA Verification (cont.)

R5#show ip route ospf
     /8 is variably subnetted, 20 subnets, 3 masks
O IA    /32 [110/66] via , 00:00:50, Serial0/0
O IA    /32 [110/65] via , 00:01:00, Serial0/0
O IA    /32 [110/66] via , 00:01:00, Serial0/0
O IA    /32 [110/65] via , 00:01:00, Serial0/0
O IA    /32 [110/66] via , 00:00:46, Serial0/0
O IA    /24 [110/65] via , 00:01:00, Serial0/0
O IA    /22 [110/66] via , 00:01:00, Serial0/0
O IA    /24 [110/66] via , 00:00:50, Serial0/0
O E     /24 [110/20] via , 00:00:40, Serial0/0
O E     /24 [110/20] via , 00:00:40, Serial0/0
O E     /24 [110/20] via , 00:00:40, Serial0/0
O E     /24 [110/20] via , 00:00:40, Serial0/0
O E     /24 [110/20] via , 00:00:40, Serial0/0
O E     /24 [110/20] via , 00:00:40, Serial0/0
O E     /24 [110/20] via , 00:00:41, Serial0/0
O E     /24 [110/20] via , 00:00:41, Serial0/0
O IA    /24 [110/65] via , 00:01:01, Serial0/0

232 OSPF NSSA Verification (cont.)

R1#show ip ospf database

            OSPF Router with ID ( ) (Process ID 1)

                Router Link States (Area 2)

Link ID         ADV Router      Age         Seq#       Checksum Link count
x x00BBF x x00F79C x x00B77B 3

                Net Link States (Area 2)

Link ID         ADV Router      Age         Seq#       Checksum
x x

                Summary Net Link States (Area 2)

Link ID         ADV Router      Age         Seq#       Checksum
x x x x005F x x0029A x x x x002E8A x x00F6E9

                Type-7 AS External Link States (Area 2)

Link ID         ADV Router      Age         Seq#       Checksum Tag
x x00669E x x005FA x x0054B x x0049BA x x003EC x x0033CE x x0028D x x001DE2 0

OSPF NSSA Verification (cont.)

R6#show ip ospf database

            OSPF Router with ID ( ) (Process ID 1)

                Router Link States (Area 2)

Link ID         ADV Router      Age         Seq#       Checksum Link count
x B 0x00A7FE x x00F79C x x00B77B 3

                Net Link States (Area 2)

Link ID         ADV Router      Age         Seq#       Checksum
x x

                Summary Net Link States (Area 2)

Link ID         ADV Router      Age         Seq#       Checksum
x x x x005F x x0029A x x x x002E8A x x00F6E9

                Type-7 AS External Link States (Area 2)

Link ID         ADV Router      Age         Seq#       Checksum Tag
x x00669E x x005FA x x0054B x x0049BA x x003EC x x0033CE x x0028D x x001DE2 0

233 OSPF NSSA Verification (cont.)

R4#show ip ospf database

            OSPF Router with ID ( ) (Process ID 1)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
x x x x003E7E x x

                Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
x x0041A1

                Summary Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
x x0055BE x x005CC x x0053C x x0018FC x x00F x x x x0022E x x00E1FE x x00206A

                Router Link States (Area 2)

Link ID         ADV Router      Age         Seq#       Checksum Link count
x B 0x00A7FE x x00F79C x x00B77B 3

                Summary Net Link States (Area 2)

Link ID         ADV Router      Age         Seq#       Checksum
x x x x005F x x0029A x x x x002E8A x x00F6E9

                Type-7 AS External Link States (Area 2)

Link ID         ADV Router      Age         Seq#       Checksum Tag
x x00669E x x005FA x x0054B x x0049BA x x003EC x x0033CE x x0028D x x001DE2 0

                Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
x x008BC x x00DB x x00D03B x x00C x x00BA4F x x00AF x x00A x x00996D x x008E77 0

                Net Link States (Area 2)

Link ID         ADV Router      Age         Seq#       Checksum
x x

OSPF NSSA Verification (cont.)

R5#show ip ospf database

            OSPF Router with ID ( ) (Process ID 1)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
x x x x003E7E x x

                Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
x x0041A1

                Summary Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
x x0055BE x x005CC x x0053C x x0018FC x x00F x x x x0022E x x00E1FE x x00206A

                Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
x x008BC x x00DB x x00D03B x x00C x x00BA4F x x00AF x x00A x x00996D x x008E77 0

234 OSPF NSSA Verification (cont.)

R4#show ip ospf database nssa-external

            OSPF Router with ID ( ) (Process ID 1)

                Type-7 AS External Link States (Area 2)

  Routing Bit Set on this LSA
  LS age: 118
  Options: (No TOS-capability, Type 7/5 translation, DC)
  LS Type: AS External Link
  Link State ID: (External Network Number )
  Advertising Router:
  LS Seq Number:
  Checksum: 0x669E
  Length: 36
  Network Mask: /24
        Metric Type: 2 (Larger than any link state path)
        TOS: 0
        Metric: 20
        Forward Address:
        External Route Tag: 0

R4#show ip ospf database external

            OSPF Router with ID ( ) (Process ID 1)

                Type-5 AS External Link States

  LS age: 116
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: (External Network Number )
  Advertising Router:
  LS Seq Number:
  Checksum: 0xDB31
  Length: 36
  Network Mask: /24
        Metric Type: 2 (Larger than any link state path)
        TOS: 0
        Metric: 20
        Forward Address:
        External Route Tag: 0

OSPF Not-So-Totally Stubby Areas

- Not-So-Totally Stubby Area logic
  - Totally Stubby areas block inter-area and external routes from coming from other areas
  - What if I want to redistribute directly into the totally stubby area itself?
  - Combine totally stubby and NSSA behaviors
- area [area-id] nssa on all routers in the area
- area [area-id] nssa no-summary on ABR(s) in the area
- Result
  - Redistributing router in NSSA generates Type 7 external instead of Type 5
  - ABR changes Type 7 into Type 5 as it is sent into area 0
  - ABR removes LSAs 3 (Inter-Area), 4 (ASBR), & 5 (External) from coming into the area
  - ABR originates default route
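The four stub variants (stub, totally stubby, NSSA, not-so-totally stubby) differ only in which LSA types the ABR refuses to flood into the area, whether it originates a default route, and whether local redistribution is allowed and how its Type 7 LSAs are translated. The following Python is an added example, not bootcamp material, that encodes those rules as stated on these slides and on the stub, totally stubby, NSSA and Type 7 translation slides before them: given the LSAs arriving from area 0 and any locally redistributed prefixes, it returns what an internal router's LSDB holds and the route codes it would show, and it elects the NSSA translator by highest router-id. The LSA set and router-ids are constructed; the dict shapes are this example's own, not an IOS data structure.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Per stub variant: LSA types the ABR blocks from entering the area, and
# whether the ABR originates a Type-3 default (0.0.0.0/0). "normal" is the
# baseline where nothing is blocked. Rules as stated on the slides (IOS behaviour).
STUB_RULES = {
    "normal":              (set(),       False),
    "stub":                ({4, 5},      True),
    "totally-stubby":      ({3, 4, 5},   True),
    "nssa":                ({4, 5},      False),  # plain NSSA gets no default
    "nssa-totally-stubby": ({3, 4, 5},   True),
}


def redistribution_allowed(area_type: str) -> bool:
    """Only normal areas (Type 5) and NSSA variants (Type 7) may hold an ASBR."""
    return area_type == "normal" or area_type.startswith("nssa")


def lsas_visible_in_area(area_type: str,
                         backbone_lsas: Iterable[dict],
                         local_externals: Iterable[Tuple[str, str]] = (),
                         abr_id: str = "0.0.0.0") -> List[dict]:
    """LSDB contents an internal router sees after the ABR applies the stub filter.

    backbone_lsas: Type 3/4/5 LSAs the ABR received from area 0.
    local_externals: (prefix, asbr_router_id) pairs redistributed inside the area.
    """
    blocked, originate_default = STUB_RULES[area_type]
    visible = [dict(l) for l in backbone_lsas if l["type"] not in blocked]
    local_externals = list(local_externals)
    if local_externals:
        if not redistribution_allowed(area_type):
            raise ValueError(f"redistribution is not permitted inside a {area_type} area")
        ext_type = 5 if area_type == "normal" else 7   # NSSA ASBR originates Type 7
        visible += [{"type": ext_type, "prefix": p, "adv": asbr, "metric_type": 2}
                    for p, asbr in local_externals]
    if originate_default:
        visible.append({"type": 3, "prefix": "0.0.0.0/0", "adv": abr_id, "default": True})
    return visible


def route_codes(lsas: Iterable[dict]) -> Dict[str, str]:
    """Map the LSAs a router holds to the codes 'show ip route' would print."""
    codes = {}
    for l in lsas:
        t = l["type"]
        if t == 4:
            continue            # ASBR summary yields no route of its own
        if t == 3:
            code = "O*IA" if l.get("default") else "O IA"
        elif t == 5:
            code = "O E1" if l.get("metric_type") == 1 else "O E2"
        elif t == 7:
            code = "O N1" if l.get("metric_type") == 1 else "O N2"
        else:
            code = "O"          # Type 1/2: intra-area
        codes[l["prefix"]] = code
    return codes


def elect_nssa_translator(abr_ids: Iterable[str]) -> str:
    """Highest router-id wins; compare numerically, not as strings."""
    return max(abr_ids, key=lambda rid: int(ipaddress.IPv4Address(rid)))


def translate_type7(area_lsas: Iterable[dict], abr_ids: Iterable[str]) -> List[dict]:
    """Type 7 -> Type 5 as the LSAs leave the NSSA, advertised by the translator."""
    translator = elect_nssa_translator(abr_ids)
    return [{"type": 5, "prefix": l["prefix"], "adv": translator,
             "metric_type": l.get("metric_type", 2)}
            for l in area_lsas if l["type"] == 7]


# Constructed sample LSAs arriving from area 0 (addresses made up).
BACKBONE = [
    {"type": 3, "prefix": "10.1.5.0/24",   "adv": "10.1.2.2"},
    {"type": 3, "prefix": "10.1.32.0/22",  "adv": "10.1.2.2"},   # ABR's area range
    {"type": 4, "prefix": "10.1.1.1/32",   "adv": "10.1.2.2"},   # ASBR summary
    {"type": 5, "prefix": "10.1.100.0/24", "adv": "10.1.1.1", "metric_type": 2},
]

if __name__ == "__main__":
    for kind in STUB_RULES:
        ext = [("10.1.104.0/24", "10.1.1.1")] if redistribution_allowed(kind) else []
        print(kind, route_codes(lsas_visible_in_area(kind, BACKBONE, ext, abr_id="10.1.4.4")))
```

Reading the slides' verification output against this model: the stub router shows `O IA` plus `O*IA` and no `O E2`; the totally stubby router shows only `O*IA` (and its own intra-area routes); the NSSA routers show `O N2` for the locally redistributed loopbacks and no default; and the area 0 routers see the same prefixes as `O E2`, advertised by whichever ABR won the translator election.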

235 OSPF Not-So-Totally Stubby Example
[Topology diagram: Area 2 (Not-So-Totally Stubby Area) and Area 0; routers R1 through R6; VLAN 6, VLAN 146, VLAN 23 and VLAN 25 links; interface addresses not recovered]
Not-So-Totally Stubby Config & Verification
R1#
router ospf 1
 area 2 nssa
 redistribute connected subnets
R4#
router ospf 1
 area 2 nssa no-summary
R6#
router ospf 1
 area 2 nssa
R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is to network
/8 is variably subnetted, 13 subnets, 2 masks
C /24 is directly connected, Loopback0
O /32 [110/2] via , 00:04:43, FastEthernet0/0
O /32 [110/2] via , 00:04:43, FastEthernet0/0
O /24 [110/2] via , 00:04:43, FastEthernet0/0
C /24 is directly connected, Loopback107
C /24 is directly connected, Loopback106
C /24 is directly connected, Loopback105
C /24 is directly connected, Loopback104
C /24 is directly connected, Loopback111
C /24 is directly connected, Loopback110
C /24 is directly connected, Loopback109
C /24 is directly connected, Loopback108
C /24 is directly connected, FastEthernet0/0
O*IA /0 [110/2] via , 00:00:10, FastEthernet0/0

236 Not-So-Totally Stubby Verification (cont.)
R6#show ip route ospf
/8 is variably subnetted, 13 subnets, 2 masks
O /32 [110/2] via , 00:04:41, FastEthernet0/0
O /32 [110/2] via , 00:04:41, FastEthernet0/0
O N /24 [110/20] via , 00:00:11, FastEthernet0/0
O N /24 [110/20] via , 00:00:11, FastEthernet0/0
O N /24 [110/20] via , 00:00:11, FastEthernet0/0
O N /24 [110/20] via , 00:00:11, FastEthernet0/0
O N /24 [110/20] via , 00:00:11, FastEthernet0/0
O N /24 [110/20] via , 00:00:11, FastEthernet0/0
O N /24 [110/20] via , 00:00:11, FastEthernet0/0
O N /24 [110/20] via , 00:00:11, FastEthernet0/0
O*IA /0 [110/2] via , 00:00:16, FastEthernet0/0
R4#show ip route ospf
/8 is variably subnetted, 20 subnets, 3 masks
O /32 [110/2] via , 00:00:20, FastEthernet0/0
O /32 [110/65] via , 00:00:20, Serial0/0
O IA /32 [110/66] via , 00:00:20, Serial0/0
O IA /32 [110/65] via , 00:00:20, Serial0/0
O /32 [110/2] via , 00:00:20, FastEthernet0/0
O IA /24 [110/65] via , 00:00:20, Serial0/0
O IA /22 [110/66] via , 00:00:20, Serial0/0
O /24 [110/2] via , 00:00:20, FastEthernet0/0
O E /24 [110/20] via , 00:00:20, Serial0/0
O N /24 [110/20] via , 00:00:20, FastEthernet0/0
O N /24 [110/20] via , 00:00:20, FastEthernet0/0
O N /24 [110/20] via , 00:00:20, FastEthernet0/0
O N /24 [110/20] via , 00:00:20, FastEthernet0/0
O N /24 [110/20] via , 00:00:20, FastEthernet0/0
O N /24 [110/20] via , 00:00:22, FastEthernet0/0
O N /24 [110/20] via , 00:00:22, FastEthernet0/0
O N /24 [110/20] via , 00:00:22, FastEthernet0/0
Not-So-Totally Stubby Verification (cont.)
R5#show ip route ospf
/8 is variably subnetted, 20 subnets, 3 masks
O IA /32 [110/66] via , 00:12:35, Serial0/0
O IA /32 [110/65] via , 00:12:45, Serial0/0
O IA /32 [110/66] via , 00:12:45, Serial0/0
O IA /32 [110/65] via , 00:12:45, Serial0/0
O IA /32 [110/66] via , 00:06:37, Serial0/0
O IA /24 [110/65] via , 00:12:45, Serial0/0
O IA /22 [110/66] via , 00:12:45, Serial0/0
O IA /24 [110/66] via , 00:12:35, Serial0/0
O E /24 [110/20] via , 00:06:32, Serial0/0
O E /24 [110/20] via , 00:06:32, Serial0/0
O E /24 [110/20] via , 00:06:32, Serial0/0
O E /24 [110/20] via , 00:06:32, Serial0/0
O E /24 [110/20] via , 00:06:32, Serial0/0
O E /24 [110/20] via , 00:06:32, Serial0/0
O E /24 [110/20] via , 00:06:33, Serial0/0
O E /24 [110/20] via , 00:06:33, Serial0/0
O IA /24 [110/65] via , 00:12:46, Serial0/0

237 Not-So-Totally Stubby Verification (cont.)
R1#show ip ospf database
OSPF Router with ID ( ) (Process ID 1)
Router Link States (Area 2)
Link ID ADV Router Age Seq# Checksum Link count
x B 0x00A7FE x x00F79C x x00B77B 3
Net Link States (Area 2)
Link ID ADV Router Age Seq# Checksum
x x
Summary Net Link States (Area 2)
Link ID ADV Router Age Seq# Checksum
x x00A280
Type-7 AS External Link States (Area 2)
Link ID ADV Router Age Seq# Checksum Tag
x x00669E x x005FA x x0054B x x0049BA x x003EC x x0033CE x x0028D x x001DE2 0
Not-So-Totally Stubby Verification (cont.)
R6#show ip ospf database
OSPF Router with ID ( ) (Process ID 1)
Router Link States (Area 2)
Link ID ADV Router Age Seq# Checksum Link count
x B 0x00A7FE x x00F79C x x00B77B 3
Net Link States (Area 2)
Link ID ADV Router Age Seq# Checksum
x x
Summary Net Link States (Area 2)
Link ID ADV Router Age Seq# Checksum
x x00A280
Type-7 AS External Link States (Area 2)
Link ID ADV Router Age Seq# Checksum Tag
x x00669E x x005FA x x0054B x x0049BA x x003EC x x0033CE x x0028D x x001DE2 0

238 Not-So-Totally Stubby Verification (cont.)
R4#show ip ospf database
OSPF Router with ID ( ) (Process ID 1)
Router Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Link count
x x x x003E7E x x
Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
x x0041A1
Summary Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
x x0055BE x x005CC x x0053C x x0018FC x x00F x x x x0022E x x00E1FE x x00206A
Router Link States (Area 2)
Link ID ADV Router Age Seq# Checksum Link count
x B 0x00A7FE x x00F79C x x00B77B 3
Net Link States (Area 2)
Link ID ADV Router Age Seq# Checksum
x x
Summary Net Link States (Area 2)
Link ID ADV Router Age Seq# Checksum
x x00A280
Type-7 AS External Link States (Area 2)
Link ID ADV Router Age Seq# Checksum Tag
x x00669E x x005FA x x0054B x x0049BA x x003EC x x0033CE x x0028D x x001DE2 0
Type-5 AS External Link States
Link ID ADV Router Age Seq# Checksum Tag
x x008BC x x00DB x x00D03B x x00C x x00BA4F x x00AF x x00A x x00996D x x008E77 0
Not-So-Totally Stubby Verification (cont.)
R5#show ip ospf database
OSPF Router with ID ( ) (Process ID 1)
Router Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Link count
x x x x003E7E x x
Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
x x0041A1
Summary Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
x x0055BE x x005CC x x0053C x x0018FC x x00F x x x x0022E x x00E1FE x x00206A
Type-5 AS External Link States
Link ID ADV Router Age Seq# Checksum Tag
x x008BC x x00DB x x00D03B x x00C x x00BA4F x x00AF x x00A x x00996D x x008E77 0

239 Controlling NSSA Redistribution
- What if I redistribute on the ABR of the NSSA itself?
  - ABR is now also an ASBR
  - Type 5 sent into area 0
  - Type 7 sent into NSSA
- Type 7 generation can be suppressed with
  - area [area-id] nssa no-redistribution [no-summary] on ABR/ASBR
OSPF Default Routing
- OSPF stub areas
  - ABR(s) automatically generate a default route into the stub area
  - NSSA exception
- Normal routers can generate a default route with
  - Redistribution
  - default-information originate [always] [route-map name]
    - If always keyword is omitted, default must exist in local routing table before being generated
    - Used in designs with multiple default exit points
    - Route-map used for condition checking, e.g. if link to ISP is down, do not originate default

240 OSPF Default Routing Example
R5#sh run | s router ospf
 default-information originate always metric 50
R2#show ip route ospf
/8 is variably subnetted, 24 subnets, 3 masks
O IA /32 [110/66] via , 00:16:26, Serial0/0
O /32 [110/65] via , 00:16:36, Serial0/0
O IA /32 [110/65] via , 00:16:36, Serial0/0
O /32 [110/2] via , 00:25:49, FastEthernet0/0
O IA /32 [110/66] via , 00:10:27, Serial0/0
O /24 [110/2] via , 00:25:49, FastEthernet0/0
O /24 [110/2] via , 00:25:49, FastEthernet0/0
O /24 [110/2] via , 00:25:49, FastEthernet0/0
O /24 [110/2] via , 00:25:49, FastEthernet0/0
O /22 is a summary, 00:25:49, Null0
O IA /24 [110/66] via , 00:16:26, Serial0/0
O E /24 [110/20] via , 00:10:22, Serial0/0
O E /24 [110/20] via , 00:10:22, Serial0/0
O E /24 [110/20] via , 00:10:22, Serial0/0
O E /24 [110/20] via , 00:10:24, Serial0/0
O E /24 [110/20] via , 00:10:24, Serial0/0
O E /24 [110/20] via , 00:10:24, Serial0/0
O E /24 [110/20] via , 00:10:24, Serial0/0
O E /24 [110/20] via , 00:10:24, Serial0/0
O E /24 [110/20] via , 00:10:24, Serial0/0
O IA /24 [110/65] via , 00:16:37, Serial0/0
O*E /0 [110/50] via , 00:00:04, Serial0/0
OSPF Authentication
- Like EIGRP, OSPF supports adjacency authentication to protect the control plane
- Every packet header includes authentication information, e.g. Hello, LSU, LSR
- Three types of authentication
  - Type 0 Null
  - Type 1 Simple Password
  - Type 2 Cryptographic (MD5)

241 Implementing OSPF Authentication
- OSPF authentication can be enabled on
  - All local links in the area
    - area [area-id] authentication [message-digest]
  - Per link basis
    - ip ospf authentication [null | message-digest]
- Password always configured on the link
  - ip ospf authentication-key [password]
  - ip ospf message-digest-key [key-id] md5 [password]
  - Key IDs must match for MD5 authentication
OSPF Simple Authentication Example
R2#
interface FastEthernet0/0
 ip ospf authentication-key CISCO
!
router ospf 1
 area 1 authentication
R3#
interface FastEthernet0/0
 ip ospf authentication
 ip ospf authentication-key CISCO
R3#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
FULL/BDR 00:00: FastEthernet0/0
R3#show ip ospf interface Fa0/0
FastEthernet0/0 is up, line protocol is up
Internet Address /24, Area 1
Process ID 1, Router ID , Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) , Interface address
Backup Designated router (ID) , Interface address
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:07
Supports Link-local Signaling (LLS)
Index 3/3, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 0, maximum is 8
Last flood scan time is 0 msec, maximum is 4 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor (Backup Designated Router)
Suppress hello for 0 neighbor(s)
Simple password authentication enabled

242 OSPF MD5 Authentication Example
R1#
interface FastEthernet0/0
 ip ospf message-digest-key 1 md5 CISCO
!
router ospf 1
 area 1 authentication message-digest
R4#
interface FastEthernet0/0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 CISCO
R6#
interface FastEthernet0/0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 CISCO
R6#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
FULL/DROTHER 00:00: FastEthernet0/
FULL/BDR 00:00: FastEthernet0/0
R6#show ip ospf interface Fa0/0
FastEthernet0/0 is up, line protocol is up
Internet Address /24, Area 2
Process ID 1, Router ID , Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) , Interface address
Backup Designated router (ID) , Interface address
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:09
Supports Link-local Signaling (LLS)
Index 3/3, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 0, maximum is 14
Last flood scan time is 0 msec, maximum is 4 msec
Neighbor Count is 2, Adjacent neighbor count is 2
Adjacent with neighbor
Adjacent with neighbor (Backup Designated Router)
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1
OSPF Tuning
- OSPF database calculation & lookup times are a function of hardware, e.g. faster CPU, more memory, faster lookups
- Resource needs can be lowered through
  - Areas for flooding domain segmentation
  - Summarization
  - Stub areas
- Further optimization through timers
  - Hello & dead timers: faster neighbor down detection
  - Pacing timers: how long do I wait between updates, retransmits, etc.
  - Throttling timers: how often do I generate LSAs, run SPF, etc.
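What the Type 2 (Cryptographic) authentication above actually puts on the wire, as an added example that is not part of the INE slides: the OSPFv2 header carries key ID, auth data length and a cryptographic sequence number, and the 16-byte MD5 digest of (packet + zero-padded key) is appended after the packet per RFC 2328 Appendix D. The receiver side mirrors the slide's "Key IDs must match" rule and rejects tampered digests and replayed (older) sequence numbers; the router ID, area and key values are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# OSPFv2 header: version, type, packet length, router ID, area ID, checksum, AuType
OSPF_HDR = struct.Struct("!BBHIIHH")
# Authentication field for AuType 2: reserved(2), key ID, auth data length, crypto sequence number
AUTH_FIELD = struct.Struct("!HBBI")
AUTYPE_MD5 = 2
DIGEST_LEN = 16


def padded_key(key: bytes) -> bytes:
    # The key is zero-padded (or truncated) to 16 bytes before being appended (RFC 2328 D.4.3)
    return key[:DIGEST_LEN].ljust(DIGEST_LEN, b"\x00")


def build_ospf_md5_packet(router_id, area_id, ptype, body, key_id, key, seq):
    """Sender side of 'ip ospf authentication message-digest'.
    The digest is appended after the packet and is NOT counted in the length field;
    the header checksum is zero when cryptographic authentication is used."""
    length = OSPF_HDR.size + AUTH_FIELD.size + len(body)
    header = OSPF_HDR.pack(2, ptype, length, router_id, area_id, 0, AUTYPE_MD5)
    auth = AUTH_FIELD.pack(0, key_id, DIGEST_LEN, seq)
    packet = header + auth + body
    digest = hashlib.md5(packet + padded_key(key)).digest()
    return packet + digest


class OspfMd5Verifier:
    """Receiver side: key lookup by key ID, digest check, crypto sequence replay check."""

    def __init__(self, keys):
        self.keys = keys      # key ID -> key bytes, as in 'ip ospf message-digest-key <id> md5 <key>'
        self.last_seq = {}    # (router ID, key ID) -> highest sequence number accepted so far

    def verify(self, packet):
        if len(packet) < OSPF_HDR.size + AUTH_FIELD.size + DIGEST_LEN:
            return False, "truncated"
        _ver, _ptype, length, rid, _aid, _csum, autype = OSPF_HDR.unpack_from(packet)
        if autype != AUTYPE_MD5:
            return False, "not cryptographic authentication"
        _, key_id, auth_len, seq = AUTH_FIELD.unpack_from(packet, OSPF_HDR.size)
        if auth_len != DIGEST_LEN or key_id not in self.keys:
            return False, "unknown key id"        # mismatched key IDs never form an adjacency
        if length + DIGEST_LEN != len(packet):
            return False, "length mismatch"
        signed, digest = packet[:length], packet[length:]
        expected = hashlib.md5(signed + padded_key(self.keys[key_id])).digest()
        if not hmac.compare_digest(expected, digest):
            return False, "bad digest"            # wrong key or modified packet
        if seq < self.last_seq.get((rid, key_id), 0):
            return False, "replay"                # older than the last accepted sequence number
        self.last_seq[(rid, key_id)] = seq
        return True, "ok"


if __name__ == "__main__":
    # Constructed values: router ID 10.0.0.6, area 2, a Hello (type 1) with a dummy body
    verifier = OspfMd5Verifier({1: b"CISCO"})
    pkt = build_ospf_md5_packet(0x0A000006, 2, 1, b"hello-body", 1, b"CISCO", 100)
    print(verifier.verify(pkt))                       # (True, 'ok')
    print(OspfMd5Verifier({2: b"CISCO"}).verify(pkt))  # (False, 'unknown key id')
```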

243 OSPF Q&A

244 Internetwork Expert's CCNP Bootcamp
Border Gateway Protocol (BGP)
What Is BGP?
- Border Gateway Protocol Version 4
- Standards based
  - RFC 4271 A Border Gateway Protocol 4 (BGP-4)
- Exterior Gateway Protocol (EGP)
  - Used for inter-domain routing between Autonomous Systems
- Path vector routing
  - Uses multiple attributes for routing decision
- Classless
  - Supports VLSM and summarization

245 Inter-AS Routing and ASNs
- Autonomous System (AS)
  - "a set of routers under a single technical administration, using an interior gateway protocol (IGP) and common metrics to determine how to route packets within the AS, and using an inter-AS routing protocol to determine how to route packets to other ASes." (RFC 4271)
- Like IP address space, Autonomous System Numbers (ASNs) are allocated by the Internet Assigned Numbers Authority (IANA)
- BGP ASNs originally 2-byte field
  - Values
- RFC 4893 defines 4-byte ASNs
  - notation
  - 0.[ ] denote original 2-byte ASNs
Why Use BGP?
- Scalability
  - IGPs can scale to thousands of routes
  - BGP can scale to hundreds of thousands of routes
  - Current Global (Internet) BGP table ~ 300,000 routes
- Stability
  - Internet routing table never converges
  - BGP stable enough to handle routing and decision making at the same time
- Enforce routing policy
  - IGP uses link cost for routing decision
    - Effective traffic engineering nearly impossible with IGP
  - BGP uses attributes of the route itself
    - Traffic engineering feasible and simple to implement

246 Who Needs BGP?
- Transit networks
  - SPs that sell access or transit bandwidth to customers
  - Need full routing table to make accurate decisions
  - Should not use default routing
- Multihomed networks
  - Enterprise networks with two or more connections to ISPs
  - Allows control of inbound and outbound routing policy
Example Transit Network

247 Example Multihomed Network
[Diagram: Customer 1 (AS 100) connected to both ISP 1 (AS 1000) and ISP 2 (AS 2000), which connect to the Internet]
When Not To Use BGP
- Single ISP connectivity
  - Default routing sufficient
- Limited memory and/or CPU resources
  - Global table needs ~ 1GB of memory just for storage
- If you don't own your IPv4 addresses
  - ISP advertises their address space on your behalf
  - Red tape involved with getting PI address space and BGP ASN

248 BGP Data Structure
- Like EIGRP/OSPF/IS-IS, BGP uses a three table data structure
  - Neighbor table: list of active adjacencies called peerings
  - BGP table: all prefixes learned from all peers
  - IP Routing table: the best routes from the BGP table actually used for routing
How BGP Works
- Establish BGP peerings to build neighbor table
- Exchange updates to build BGP table
- Choose BGP bestpaths to build routing table

249 Example Global BGP Neighbor Table
route-views.oregon-ix.net>show ip bgp summary
BGP router identifier , local AS number 6447
BGP table version is , main routing table version
network entries using bytes of memory
path entries using bytes of memory
/56881 BGP path/bestpath attribute entries using bytes of memory
BGP AS-PATH entries using bytes of memory
BGP community entries using bytes of memory
29 BGP extended community entries using 1406 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using total bytes of memory
Dampening enabled
history paths, dampened paths
BGP activity / prefixes, / paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
w4d w4d w2d never Active w3d w4d w4d w0d w4d d23h w2d :59: w3d never Active w4d w4d w1d w4d w1d w0d never Active :53: :02: w4d w3d
<output omitted>
Example Global BGP Table
route-views.oregon-ix.net>show ip bgp
BGP table version is , local router ID is
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> i * i * i * i * i * i * i * i * i * i * i * i * i * i * i * i * i * i * i * i * i * i * i * i *> i * i * i * i * i * i * i * i * i * i * i
<output omitted>

250 Example BGP Routing Table
route-views.oregon-ix.net>show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is to network
B /24 [20/0] via , 1d12h
B /24 [20/0] via , 4w4d
B /24 [20/0] via , 1w4d
B /24 [20/0] via , 2w5d
B /24 [20/0] via , 1d09h
B /24 [20/0] via , 2w0d
B /24 [20/0] via , 2w1d
B /24 [20/0] via , 2d18h
B /24 [20/0] via , 2w1d
B /24 [20/0] via , 1d09h
B /24 [20/0] via , 4w0d
B /24 [20/0] via , 2w4d
/24 is variably subnetted, 3 subnets, 2 masks
B /24 [20/0] via , 3w4d
B /27 [20/0] via , 2w3d
B /27 [20/0] via , 2w3d
B /24 [20/0] via , 2w5d
B /24 [20/0] via , 4w4d
B /24 [20/0] via , 4w4d
B /24 [20/0] via , 3w1d
B /24 [20/0] via , 2w5d
B /24 [20/0] via , 14:17:04
B /24 [20/3] via , 1w3d
B /24 [20/0] via , 2d12h
B /24 [20/0] via , 2w6d
B /24 [20/0] via , 4w3d
B /24 [20/0] via , 1d12h
B /24 [20/0] via , 4w1d
B /24 [20/0] via , 2w3d
B /24 [20/0] via , 7w0d
/16 is variably subnetted, 3 subnets, 3 masks
<output omitted>
Establishing BGP Peerings
- Like IGP, first step in BGP is to find neighbors to exchange information with
- Unlike IGP
  - BGP does not have its own transport: uses TCP port 179
  - BGP neighbors are not discovered: manually configured via neighbor statement
  - BGP neighbors do not have to be connected
    - IGP is always on a link-by-link basis
    - BGP is a logical peering over TCP
    - Implies that BGP always needs IGP underneath
  - BGP has different types of neighbors: External BGP vs. Internal BGP

251 BGP Packet Formats
- Peering establishment and maintenance uses four types of packets
  - OPEN
  - KEEPALIVE
  - UPDATE
  - NOTIFICATION
BGP OPEN Message
- Used to negotiate parameters for peering
- Includes
  - BGP version: should be 4
  - Local ASN
  - Local Router-ID
  - Hold time: negotiated to lowest requested value
  - Options, AKA capabilities

252 BGP KEEPALIVE Message
- Used for dead neighbor detection
- If hold time = 0, keepalives disabled
BGP UPDATE Message
- Used to advertise or withdraw a prefix
- Includes
  - Withdrawn routes: list of routes that should be discarded
  - NLRI: route being advertised
  - Path vector attributes: attributes of route being advertised, used for bestpath selection

253 BGP NOTIFICATION Message
- Used to convey error messages
- After notification sent, BGP session closed
- Examples
  - Unsupported Version Number
  - Unsupported Optional Parameter
  - Unacceptable Hold Time
  - Hold Timer Expired
BGP Peering State Machine
- BGP state machine tracks peering establishment
  - Idle: waiting to start 3-way handshake
  - Connect: waiting to complete 3-way handshake
  - Active: 3-way handshake failed, try again
  - Open sent: 3-way handshake complete, OPEN message sent
  - Open confirm: OPEN message received, parameters agreed upon
  - Established: peering complete

254 BGP Peering State Machine Debug
R1#debug ip bgp
BGP debugging is on for address family: IPv4 Unicast
R1#config t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#router bgp 1
R1(config-router)#neighbor remote-as 1
R1(config-router)#end
%SYS-5-CONFIG_I: Configured from console by console
R1#
BGP: went from Idle to Connect
BGP: rcv message type 1, length (excl. header) 26
BGP: rcv OPEN, version 4, holdtime 180 seconds
BGP: went from Connect to OpenSent
BGP: sending OPEN, version 4, my as: 1, holdtime 180 seconds
BGP: rcv OPEN w/ OPTION parameter len: 16
BGP: rcvd OPEN w/ optional parameter type 2 (Capability) len 6
BGP: OPEN has CAPABILITY code: 1, length 4
BGP: OPEN has MP_EXT CAP for afi/safi: 1/1
BGP: rcvd OPEN w/ optional parameter type 2 (Capability) len 2
BGP: OPEN has CAPABILITY code: 128, length 0
BGP: OPEN has ROUTE-REFRESH capability(old) for all address-families
BGP: rcvd OPEN w/ optional parameter type 2 (Capability) len 2
BGP: OPEN has CAPABILITY code: 2, length 0
BGP: OPEN has ROUTE-REFRESH capability(new) for all address-families
BGP: rcvd OPEN w/ remote AS 1
BGP: went from OpenSent to OpenConfirm
BGP: send message type 1, length (incl. header) 45
BGP: went from OpenConfirm to Established
%BGP-5-ADJCHANGE: neighbor Up
BGP Peering Types
- External BGP (EBGP) Peers: neighbors outside my Autonomous System
- Internal BGP (iBGP) Peers: neighbors inside my Autonomous System
- Update and path selection rules change depending on what type of peer a route is being sent to/received from
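The OPEN exchange the debug above traces, as an added example that is not from the INE slides: an RFC 4271 OPEN encoder and parser (each capability wrapped in its own type 2 optional parameter, as the debug shows), plus the checks a router performs in OpenSent before moving to OpenConfirm, including the hold time negotiation to the lowest requested value and the NOTIFICATION cases the earlier slide lists. The router ID and the AS 1 / 180 second values reproduce the debug; the capability bytes are constructed.

```python
import struct

MARKER = b"\xff" * 16        # 16-byte all-ones marker that starts every BGP message
HEADER_LEN = 19              # marker(16) + length(2) + type(1)
MSG_OPEN = 1
OPT_CAPABILITIES = 2         # optional parameter type 2 = Capabilities
CAP_MP_EXT, CAP_ROUTE_REFRESH, CAP_ROUTE_REFRESH_OLD = 1, 2, 128


def build_open(my_as, hold_time, router_id, capabilities):
    """Encode an OPEN. capabilities is a list of (code, value bytes); each one is wrapped
    in its own optional parameter, which is what the 'optional parameter type 2' lines show."""
    params = b""
    for code, value in capabilities:
        cap = struct.pack("!BB", code, len(value)) + value
        params += struct.pack("!BB", OPT_CAPABILITIES, len(cap)) + cap
    body = struct.pack("!BHHIB", 4, my_as, hold_time, router_id, len(params)) + params
    return MARKER + struct.pack("!HB", HEADER_LEN + len(body), MSG_OPEN) + body


def parse_open(msg):
    """Decode an OPEN into its fields and the flat list of (code, value) capabilities."""
    if msg[:16] != MARKER:
        raise ValueError("bad marker")
    length, mtype = struct.unpack_from("!HB", msg, 16)
    if mtype != MSG_OPEN or length != len(msg):
        raise ValueError("not a well-formed OPEN")
    version, asn, hold_time, router_id, opt_len = struct.unpack_from("!BHHIB", msg, HEADER_LEN)
    params = msg[HEADER_LEN + 10:HEADER_LEN + 10 + opt_len]
    caps = []
    off = 0
    while off < len(params):
        ptype, plen = params[off], params[off + 1]
        value = params[off + 2:off + 2 + plen]
        off += 2 + plen
        if ptype != OPT_CAPABILITIES:
            continue    # a real peer would answer 'Unsupported Optional Parameter' here
        coff = 0
        while coff < len(value):
            code, clen = value[coff], value[coff + 1]
            caps.append((code, value[coff + 2:coff + 2 + clen]))
            coff += 2 + clen
    return {"version": version, "as": asn, "hold_time": hold_time,
            "router_id": router_id, "opt_len": opt_len, "capabilities": caps}


def negotiate(local_hold_time, expected_as, peer_open):
    """Checks done on a received OPEN in OpenSent. Returns the NOTIFICATION reason that
    would close the session, or the negotiated hold and keepalive timers."""
    if peer_open["version"] != 4:
        return {"notification": "Unsupported Version Number"}
    if peer_open["as"] != expected_as:            # 'neighbor ... remote-as' must match
        return {"notification": "Bad Peer AS"}
    peer_hold = peer_open["hold_time"]
    if peer_hold in (1, 2):                        # RFC 4271: hold time is 0 or at least 3 seconds
        return {"notification": "Unacceptable Hold Time"}
    hold = min(local_hold_time, peer_hold)         # lowest requested value wins
    keepalive = 0 if hold == 0 else hold // 3      # hold time 0 disables keepalives
    return {"hold_time": hold, "keepalive": keepalive}


if __name__ == "__main__":
    # Constructed OPEN matching the debug: AS 1, hold time 180, MP_EXT afi/safi 1/1,
    # route-refresh old (128) and new (2); router ID 10.0.0.1 is an assumption
    caps = [(CAP_MP_EXT, b"\x00\x01\x00\x01"), (CAP_ROUTE_REFRESH_OLD, b""), (CAP_ROUTE_REFRESH, b"")]
    msg = build_open(1, 180, 0x0A000001, caps)
    print(len(msg), parse_open(msg)["opt_len"])          # 45 16, as in the debug lines
    print(negotiate(180, 1, parse_open(msg)))           # {'hold_time': 180, 'keepalive': 60}
```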

255 EBGP Peerings
- Peers in different ASes
- Usually directly connected neighbors, e.g. DS3 Frame Relay link to ISP
  - Can be multihop, but TTL defaults to 1
  - neighbor [address] ebgp-multihop [ttl]
- Uses AS-Path attribute for loop prevention
  - If I receive an update from an EBGP peer with my own ASN in the AS-Path, discard it
iBGP Peerings
- Peers in the same AS
- Many times not directly connected
  - Implies IGP needed to provide TCP transport
- Loop prevention via route suppression
  - Routes learned from an iBGP peer cannot be advertised on to another iBGP peer
  - Implies that all routers running BGP within the AS must peer with each other, i.e. iBGP full mesh
  - n*(n-1)/2 peerings

256 BGP Peering Redundancy
- BGP peering is based on TCP reachability to peer address
  - If peer address is unreachable, peering goes down
  - e.g. if IP address of Serial link is used for peering and Serial link is down, peer goes down
- Using Loopback addresses for peerings allows rerouting around link failures and adds redundancy
  - e.g. as long as any link is up, Loopback can be reached
  - Defined as update-source for TCP session
BGP Loopback Redundancy Example
[Diagram 1: R1 and R2 (AS 100, connected to ISP 1 AS 1000 and ISP 2 AS 2000) peer using their directly connected link; the link goes down and the BGP peering is lost]
[Diagram 2: R1 and R2 peer using their Loopback interfaces; the physical link goes down but the peering is rerouted]

257 Basic BGP Configuration
- Enable global BGP process
  - router bgp [ASN]
- Establish BGP peers
  - neighbor [address] remote-as [remote ASN]
Basic BGP Verification
- Verify BGP peerings: show ip bgp summary
- Verify BGP table: show ip bgp
- Verify BGP table detail: show ip bgp [network] [mask]
- Verify BGP routing table: show ip route [bgp]

258 BGP Configuration Topology
[Topology diagram: R1 and R2 in BGP AS 200 running OSPF Area 0; R3, R4, R5 and R6 in BGP AS 100 running EIGRP AS 100; VLAN 12, VLAN 35 and VLAN 46 links; interface addresses not recovered]
Basic BGP Peering Configuration
R1#
router bgp 200
 neighbor remote-as 200
 neighbor remote-as 100
R2#
router bgp 200
 neighbor remote-as 200
 neighbor remote-as 100
R3#
router bgp 100
 neighbor remote-as 100
 neighbor remote-as 100
 neighbor remote-as 100
 neighbor update-source Loopback0
 neighbor update-source Loopback0
 neighbor update-source Loopback0
 neighbor remote-as 200
R4#
router bgp 100
 neighbor remote-as 100
 neighbor remote-as 100
 neighbor remote-as 100
 neighbor update-source Loopback0
 neighbor update-source Loopback0
 neighbor update-source Loopback0
 neighbor remote-as 200
R5#
router bgp 100
 neighbor remote-as 100
 neighbor remote-as 100
 neighbor remote-as 100
 neighbor update-source Loopback0
 neighbor update-source Loopback0
 neighbor update-source Loopback0
R6#
router bgp 100
 neighbor remote-as 100
 neighbor remote-as 100
 neighbor remote-as 100
 neighbor update-source Loopback0
 neighbor update-source Loopback0
 neighbor update-source Loopback0

259 BGP Peering Verification
R1#show ip bgp summary
BGP router identifier , local AS number 200
BGP table version is 15, main routing table version 15
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
:26: :24:59 0
R2#show ip bgp summary
BGP router identifier , local AS number 200
BGP table version is 15, main routing table version 15
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
:26: :24:58 0
R3#show ip bgp summary
BGP router identifier , local AS number 100
BGP table version is 1, main routing table version 1
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
:24: :24: :24: :25:02 0
BGP Peering Verification (cont.)
R4#show ip bgp summary
BGP router identifier , local AS number 100
BGP table version is 1, main routing table version 1
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
:24: :25: :24: :25:01 0
R5#show ip bgp summary
BGP router identifier , local AS number 100
BGP table version is 34, main routing table version 34
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
:25: :25: :40:12 0
R6#show ip bgp summary
BGP router identifier , local AS number 100
BGP table version is 34, main routing table version 34
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
:25: :24: :40:13 0

260 iBGP Full Mesh Scalability
- n*(n-1)/2 doesn't scale
  - 10 routers, 45 peerings
  - 100 routers, 4950 peerings
  - 1000 routers, 499,500 peerings
- Can be fixed with two exceptions
  - Route Reflectors: same logic as DR/DIS
  - Confederation: split the AS into smaller Sub-ASes
iBGP Full Mesh Example
[Diagram: iBGP full mesh inside AS 100, connected to ISP 1 and ISP 2 (AS 2000); caption "Routers = 36 Peerings", router count not recovered]

261 BGP Route Reflectors
- Eliminates need for full mesh
  - Only need peering(s) to the RR(s)
- Like OSPF DR & IS-IS DIS, minimizes prefix replication
  - Send one update to the RR
  - RR sends the update to its clients
- Loop prevention through Cluster-ID
  - If I am a RR and I receive a route with my own Cluster-ID, discard it
Route Reflector Example
[Diagram: Route Reflector inside AS 100, which is connected to ISP 1 (AS 1000) and ISP 2 (AS 2000)]

262 BGP Confederation
- Reduces full mesh iBGP need by splitting AS into smaller Sub-ASes
  - Inside Sub-AS, full mesh or RR need remains
  - Between Sub-AS, acts like EBGP
- Devices outside the confederation do not know about the internal structure
  - Sub-AS numbers are stripped from advertisements to true EBGP peers
  - Typically uses ASNs in private range ( )
BGP Confederation Example
[Diagram: confederation example with a Route Reflector; labels not recovered]

263 BGP Peer Groups
- Typically many peers share the same update policy, e.g. a route reflector's clients
- BGP Peer Groups reduce configuration and processing overhead by applying a template to the peers
  - Peer group is assigned parameters such as remote-as, route-reflector-client, route-map
  - Neighbor is specified as a member of the group
- Peers in a group must be either all iBGP or all EBGP
BGP Peer Group Example
router bgp 1
 neighbor IBGP_PEER_GROUP peer-group
 neighbor IBGP_PEER_GROUP remote-as 1
 neighbor IBGP_PEER_GROUP update-source Loopback0
 neighbor IBGP_PEER_GROUP route-reflector-client
 neighbor IBGP_PEER_GROUP next-hop-self
 neighbor peer-group IBGP_PEER_GROUP
 neighbor peer-group IBGP_PEER_GROUP
 neighbor peer-group IBGP_PEER_GROUP
 neighbor peer-group IBGP_PEER_GROUP

264 BGP Authentication
- Like IGP authentication, BGP peer authentication protects the control plane against attacks and misconfigurations
  - Without authentication, BGP is susceptible to TCP RST attacks
  - Interesting read: "Slipping in the Window: TCP Reset attacks"
- Uses MD5 as defined in RFC 2385, Protection of BGP Sessions via the TCP MD5 Signature Option
- Simply configured as neighbor [address] password [password]
Misc. BGP Configuration
- Modify peering source address
  - neighbor [address] update-source [interface]
- Enabling BGP authentication
  - neighbor [address] password [password]
- Configuring BGP peer group
  - neighbor [Peer-Group-Name] peer-group
  - neighbor [Peer-Group-Name] [attributes]
  - neighbor [address] peer-group [Peer-Group-Name]
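What "neighbor ... password" turns on underneath, as an added example that is not from the INE slides: the RFC 2385 TCP MD5 Signature Option, computed over the IP pseudo-header, the fixed TCP header with the checksum zeroed (options excluded), the segment data and the shared key, and carried as TCP option kind 19. The receiver drops any segment on the session whose option is missing or does not verify, which is why an unsigned RST no longer tears the peering down. The addresses, ports, sequence numbers and key are constructed.

```python
import hashlib
import hmac
import socket
import struct

# Fixed 20-byte TCP header: sport, dport, seq, ack, data offset/reserved, flags, window, checksum, urgent
TCP_FIXED_HDR = struct.Struct("!HHIIBBHHH")
TCPOPT_NOP, TCPOPT_MD5SIG, TCPOPT_MD5SIG_LEN = 1, 19, 18
BGP_PORT = 179
FLAG_RST, FLAG_PSH, FLAG_ACK = 0x04, 0x08, 0x10


def tcp_md5_signature(src_ip, dst_ip, fixed_hdr, payload, key):
    """RFC 2385 section 2.0: MD5 over (1) pseudo-header, (2) fixed TCP header with checksum = 0,
    (3) segment data, (4) the key. TCP options are never part of the hash."""
    data_offset = (fixed_hdr[12] >> 4) * 4                 # header length including options
    segment_len = data_offset + len(payload)
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, segment_len)
    hdr = fixed_hdr[:16] + b"\x00\x00" + fixed_hdr[18:20]  # zero the checksum field
    return hashlib.md5(pseudo + hdr + payload + key).digest()


def build_signed_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, key):
    """Sender side: 20 bytes of options (NOP, NOP, MD5 option) so the data offset is 10 words."""
    data_offset_words = (TCP_FIXED_HDR.size + 20) // 4
    hdr = TCP_FIXED_HDR.pack(sport, dport, seq, ack, data_offset_words << 4, flags, 65535, 0, 0)
    sig = tcp_md5_signature(src_ip, dst_ip, hdr, payload, key)
    options = bytes([TCPOPT_NOP, TCPOPT_NOP, TCPOPT_MD5SIG, TCPOPT_MD5SIG_LEN]) + sig
    return hdr + options + payload


def build_unsigned_segment(sport, dport, seq, ack, flags, payload=b""):
    """A segment with no options at all, which is what a peer that does not know the key can send."""
    hdr = TCP_FIXED_HDR.pack(sport, dport, seq, ack, (TCP_FIXED_HDR.size // 4) << 4, flags, 65535, 0, 0)
    return hdr + payload


def find_md5_option(options):
    """Walk the TCP option list and return the 16-byte signature, or None if absent."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                      # end of option list
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            break                          # malformed option, stop parsing
        length = options[i + 1]
        if kind == TCPOPT_MD5SIG and length == TCPOPT_MD5SIG_LEN:
            return options[i + 2:i + length]
        i += length
    return None


def accept_segment(src_ip, dst_ip, segment, key):
    """Receiver with a password configured on the peering: True only if the segment carries a
    signature that verifies with the shared key; everything else (including a bare RST) is dropped."""
    fixed = segment[:TCP_FIXED_HDR.size]
    data_offset = (fixed[12] >> 4) * 4
    options, payload = segment[TCP_FIXED_HDR.size:data_offset], segment[data_offset:]
    sig = find_md5_option(options)
    if sig is None:
        return False
    return hmac.compare_digest(sig, tcp_md5_signature(src_ip, dst_ip, fixed, payload, key))


if __name__ == "__main__":
    # Constructed session 192.0.2.1:40000 -> 192.0.2.2:179 carrying a 19-byte BGP KEEPALIVE
    key = b"CISCO"
    keepalive = b"\xff" * 16 + b"\x00\x13\x04"
    seg = build_signed_segment("192.0.2.1", "192.0.2.2", 40000, BGP_PORT, 1000, 2000, FLAG_PSH | FLAG_ACK, keepalive, key)
    print(accept_segment("192.0.2.1", "192.0.2.2", seg, key))                                  # True
    rst = build_unsigned_segment(40000, BGP_PORT, 1000, 2000, FLAG_RST)
    print(accept_segment("192.0.2.1", "192.0.2.2", rst, key))                                  # False
```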

265 Misc. BGP Configuration (cont.)
- Enabling Route Reflection
  - neighbor [address] route-reflector-client
- Enabling Confederation
  - Enable global BGP process: router bgp [Sub-ASN]
  - Define global ASN: bgp confederation-id [ASN]
  - Define other Sub-ASes: bgp confederation peers [Sub-ASN 1] [Sub-ASN 2] ... [Sub-ASN n]
Building the BGP Table
- Once peerings are established, UPDATE messages are exchanged to advertise NLRI and build the BGP table
- Routes local to the AS can be originated either by a process level network [network] mask [mask] statement or by redistribution
- Unlike IGP, networks do not have to be directly connected to be advertised; they only have to be in the routing table
  - e.g. prefixes in the local routing table learned via OSPF can be advertised with the BGP network statement

266 Originating NLRI Configuration
R1#
router bgp 200
 network mask
 network mask
 network mask
R2#
router bgp 200
 network mask
 network mask
 network mask
R3#
router bgp 100
 network mask
 network mask
 network mask
 network mask
 network mask
 network mask
 network mask
R4#
router bgp 100
 network mask
 network mask
 network mask
 network mask
 network mask
 network mask
 network mask
BGP Table Verification
R1#show ip bgp
BGP table version is 28, local router ID is
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> / i *>i / i *> / i *>i / i * i *> / i * / i *>i i * i / i *> i *> / i * / i *>i i *> / i * i i

267 BGP Table Verification (cont.)
R2#show ip bgp
BGP table version is 30, local router ID is
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*>i / i *> / i * / i *>i i *> / i *>i / i * i *> / i *> / i * i i *>i / i * i *> / i * i / i *> i
BGP Table Verification (cont.)
R3#show ip bgp
BGP table version is 11, local router ID is
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
* i / i *> i * i / i *> i * i / i *> i * i / i *> i * i / i *> i * i / i *> i * i / i *> i * i / i *> i * i / i *> i * i / i *> i

268 BGP Table Verification (cont.)
R4#show ip bgp
BGP table version is 26, local router ID is
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> / i * i i * i / i *> i *> / i * i i *> / i * i i *> / i * i i *> / i * i i * i / i *> i *> / i * i i *> / i * i i *> / i * i i
BGP Table Verification (cont.)
R5#show ip bgp
BGP table version is 52, local router ID is
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*>i / i * i i * i / i *>i i r i / i r>i i r>i / i r>i / i r>i / i * i / i *>i i r i / i r>i i r>i / i r>i / i

269 BGP Table Verification (cont.)
R6#show ip bgp
BGP table version is 54, local router ID is
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*>i / i * i i * i / i *>i i r>i / i r>i / i r i i r>i / i r>i / i * i / i *>i i r>i / i r>i / i r i i r>i / i
BGP Table Verification Detail
R1#show ip bgp
BGP routing table entry for /24, version 25
Paths: (2 available, best #1, table Default-IP-Routing-Table)
  Advertised to update-groups:
  from ( )
    Origin IGP, metric 30720, localpref 100, valid, external, best
  (metric 20) from ( )
    Origin IGP, metric 30720, localpref 100, valid, internal

270 BGP NLRI Aggregation
- BGP aggregation, like IGP summarization, is used to reduce the resource requirements needed to process the BGP table
- Configured as aggregate-address [network] [mask] [summary-only | as-set | route-map ...]
- Can be applied at any point in the network
  - No hierarchy like OSPF/IS-IS
- Does not automatically stop subnet advertisements
  - summary-only argument
- Can be used for longest match routing traffic engineering
BGP Aggregation Configuration
R3#
router bgp 100
 aggregate-address summary-only
R1#show ip bgp
BGP table version is 31, local router ID is
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> / i *>i / i *> / i *>i / i * i / i *> i *>i / i * / i *>i i * i / i *> i *> / i * / i *>i i *> / i i i

271 BGP Path Vector Attributes

- UPDATE includes path vector attributes for a route
  - Next-hop
  - AS-Path
  - Origin
  - Local preference
  - Multi-Exit Discriminator (MED)
  - Atomic aggregate
  - Aggregator

BGP Attribute Types

- Attributes fall into different categories
  - Well-known vs. optional
    - Well-known must be implemented
    - Optional may or may not be implemented
  - Mandatory vs. discretionary
    - Mandatory must be present in the update
    - Discretionary may or may not be present
  - Transitive vs. non-transitive
    - Transitive passes between EBGP and iBGP neighbors
    - Non-transitive passes only between iBGP neighbors
- Valid combinations are
  - Well-known mandatory
  - Well-known discretionary
  - Optional transitive
  - Optional non-transitive

272 BGP Next-Hop

- Well-known mandatory attribute
- If the UPDATE comes from an EBGP peer
  - Next-hop is the IP address they use to peer with you, i.e. their update-source
- If the UPDATE comes from an iBGP peer
  - Next-hop is the IP address used to peer with the EBGP neighbor they learned it from, i.e. the next-hop is unmodified
  - Implies that iBGP neighbors must have an IGP route to the links between EBGP neighbors
- Behavior can be changed with neighbor [address] next-hop-self

BGP AS-Path

- Well-known mandatory attribute
- Defines which Autonomous Systems the route has passed through
- When sending an UPDATE to an EBGP neighbor, the local ASN is prepended to the route
- Example path
  - Originated in 2000
  - Passed through 1000
  - Learned from 100
- Shorter AS-Path length is preferred
  - e.g. a path of length 3 is preferred over a path of length 4

273 BGP Origin

- Well-known mandatory attribute
- Possible values
  - 0 IGP
  - 1 EGP
  - 2 Incomplete
- Defines how the prefix was advertised into BGP
  - IGP: interior to the AS
  - EGP: the actual protocol EGP (deprecated)
  - Incomplete: some other means, e.g. redistribution
- Lower origin code is preferred

BGP Local Preference

- Well-known discretionary attribute
- 4 byte field
  - Value of 0 to 4,294,967,295
- Only exchanged in iBGP updates
- Higher local preference is preferred

274 BGP Multi-Exit Discriminator

- AKA MED or simply "metric"
- Optional non-transitive attribute
- 4 byte field
  - Value of 0 to 4,294,967,295
- Used to choose (discriminate) between multiple exit points out of the AS
- Many exceptions to MED comparison
  - Rarely used in practice
- Lower MED is preferred

BGP Atomic Aggregate and Aggregator

- Atomic Aggregate
  - Well-known discretionary attribute
- Aggregator
  - Optional transitive attribute
- Both used when BGP prefixes are summarized (aggregated) together
  - Aggregate prefix has Atomic Aggregate = TRUE
  - Aggregator = BGP Router-ID of the router that performed the summarization

275 BGP Bestpath Selection

- Once updates are exchanged, path selection begins
- The bestpath selection algorithm compares path vector attributes and elects one route as best for each prefix
  - Denoted by > in the show ip bgp output
- Like RIPv2 & EIGRP, only the best route is sent to the routing table and to other peers

Bestpath Selection Example

[Diagram: three instances of prefix X (X1, X2, X3) are learned from EBGP neighbors. R1 and R2 run bestpath selection and advertise their best paths; on R2, X2 wins. All other routers run bestpath selection and X1 wins, with the exception of R2. The resulting traffic flow to X exits via R1.]

276 BGP Bestpath Selection Order

- Algorithm is not standardized; the Cisco IOS selection order is
  - Weight (highest)
    - Locally significant Cisco proprietary attribute
  - Local Preference (highest)
  - Locally originated routes
  - AS-Path (shortest)
  - Origin (lowest)
  - MED (lowest)
  - EBGP learned routes over iBGP learned routes
  - Smallest IGP metric to next-hop value
- Algorithm runs top down until a deciding match occurs
- Other tie-breaking checks occur if no bestpath
  - Oldest route, lowest Router-ID, lowest interface IP address, etc.
  - See "BGP Best Path Selection Algorithm" on cisco.com for details

Manipulating BGP Bestpath Selection

- Vector attributes can be manually modified to define different routing policy for different routes
  - E.g. control inbound/outbound traffic flow on a per-prefix basis
- Attributes typically modified are
  - Weight
  - Local-Preference
  - AS-Path
  - MED
- Inbound routing policy affects outbound traffic
  - Change weight or local-pref in to affect traffic out
- Outbound routing policy affects incoming traffic
  - Change AS-Path or MED to affect traffic in
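The selection order above, modelled in Python as an added example (not from the slides or from Cisco IOS): each step becomes one element of a sort key, so the comparison runs "top down until a deciding match" exactly as described. The three scenario functions mirror the weight, local-preference and AS-path manipulations shown later in this section; router names, prefixes and attribute values in them are constructed.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Lower origin code is preferred: IGP (0) < EGP (1) < incomplete (2)
ORIGIN_RANK = {"IGP": 0, "EGP": 1, "incomplete": 2}


@dataclass
class Path:
    """One candidate path for a prefix; defaults match a learned route in IOS
    (weight 0, localpref 100)."""
    next_hop: str
    as_path: List[int]
    origin: str = "IGP"
    local_pref: int = 100
    weight: int = 0
    med: int = 0
    external: bool = True          # True = learned from an EBGP peer
    igp_metric: int = 0            # IGP cost to reach next_hop
    locally_originated: bool = False
    age: int = 0                   # higher = received earlier (older path)
    router_id: str = "0.0.0.0"     # BGP router-ID of the advertising peer


STEPS = ["weight", "local_pref", "locally_originated", "as_path_length",
         "origin", "med", "ebgp_over_ibgp", "igp_metric", "oldest", "router_id"]


def sort_key(p: Path) -> Tuple:
    """Encode the Cisco order as a tuple; the smallest tuple is the bestpath.

    MED is compared unconditionally here. Real IOS compares it only between
    paths from the same neighbor AS unless bgp always-compare-med is set,
    one of the 'many exceptions' the MED slide mentions.
    """
    return (
        -p.weight,                          # 1. highest weight
        -p.local_pref,                      # 2. highest local preference
        0 if p.locally_originated else 1,   # 3. locally originated first
        len(p.as_path),                     # 4. shortest AS-path
        ORIGIN_RANK[p.origin],              # 5. lowest origin code
        p.med,                              # 6. lowest MED
        0 if p.external else 1,             # 7. EBGP over iBGP
        p.igp_metric,                       # 8. smallest IGP metric to next-hop
        -p.age,                             # 9. oldest path
        tuple(int(o) for o in p.router_id.split(".")),  # 10. lowest router-ID
    )


def bestpath(paths: List[Path]) -> Path:
    return min(paths, key=sort_key)


def deciding_step(paths: List[Path]) -> str:
    """Name the first step at which the candidates differ (the deciding match)."""
    keys = [sort_key(p) for p in paths]
    for i, name in enumerate(STEPS):
        if len({k[i] for k in keys}) > 1:
            return name
    return "tie"


def r2_weight_scenario(weight_from_r4: int = 0) -> Tuple[str, str]:
    """R2's two paths to R3's loopback (constructed values). The EBGP path from
    R4 carries a large MED inherited from EIGRP, the iBGP path via R1 has MED 0,
    so MED decides until a weight is applied inbound from R4."""
    via_r4 = Path("R4", [100], med=2_500_000, external=True,
                  weight=weight_from_r4, age=1, router_id="4.4.4.4")
    via_r1 = Path("R1", [100], med=0, external=False, igp_metric=20,
                  age=2, router_id="1.1.1.1")
    paths = [via_r4, via_r1]
    return bestpath(paths).next_hop, deciding_step(paths)


def r3_localpref_scenario(localpref_via_r4: int = 100) -> Tuple[str, str]:
    """R3's paths to R1's loopback after R4 sets local-preference inbound from
    R2. Local preference is carried in iBGP, so R4's policy moves R3's exit."""
    via_r2 = Path("R2", [200], external=True, age=2, router_id="2.2.2.2")
    via_r4 = Path("R4", [200], external=False, local_pref=localpref_via_r4,
                  igp_metric=30, age=1, router_id="4.4.4.4")
    paths = [via_r2, via_r4]
    return bestpath(paths).next_hop, deciding_step(paths)


def r4_aspath_scenario(prepend_count: int = 0) -> Tuple[str, str]:
    """R4's paths to R2's loopback when R2 prepends its own ASN toward R4."""
    via_r2 = Path("R2", [200] * (1 + prepend_count), external=True,
                  age=2, router_id="2.2.2.2")
    via_r3 = Path("R3", [200], external=False, igp_metric=30,
                  age=1, router_id="3.3.3.3")
    paths = [via_r2, via_r3]
    return bestpath(paths).next_hop, deciding_step(paths)
```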

277 Manipulating Weight Example

[Diagram: AS 100 (R1 and R2) connected to ISP 1 (AS 1000) and ISP 2 (AS 2000). Three instances of prefix X are learned from EBGP neighbors. With the default weight of 0, R1 and R2 run bestpath selection and advertise their best paths; X2 wins on R2 and traffic to X exits via R1 with the exception of R2. R2 then modifies the weight of X3, learned from its EBGP neighbor, to be higher than X2 (weight 100), so X3 wins on R2 and traffic to X exits via R2. Weight does not affect other neighbors, so X1 still wins elsewhere.]

Manipulating Local Preference Example

[Diagram: three instances of prefix X learned from EBGP neighbors. With the default local preference of 100, X1 wins and R1 advertises it. R2 modifies the local preference of X3 to 200, higher than the default on X1, runs bestpath selection and advertises X3 to all peers, including R1. Local preference affects all peers, so R1 runs bestpath selection, X3 wins, R1 withdraws X1 and traffic to X exits via R2.]

278 Manipulating AS-Path Example

[Diagram: R1 originates prefix X into BGP and advertises it outbound with the default AS-Path of 100; R2 prepends additional ASNs to the AS-Path before advertising X outbound. The entry with the shorter AS-Path, via AS 2000, is the preferred entry point to reach X.]

Manipulating MED Example

[Diagram: AS 100 (R1 and R2) dual-connected to ISP 1 (AS 1000). R1 originates prefix X into BGP; R1 and R2 set a MED for X and advertise X1 and X2 outbound, X2 carrying MED 200. X1, with the lower MED, is the preferred entry point for AS 1000 to reach X.]

279 Modifying BGP Next-Hop Configuration

R4#
router bgp 100
 neighbor next-hop-self
 neighbor next-hop-self
 neighbor next-hop-self

R5#show ip bgp
BGP table version is 58, local router ID is
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*>i / i * i i * i / i *>i i r i / i r>i i r>i / i r>i / i r>i / i * i / i *>i i r i / i r>i i r>i / i r>i / i

BGP Weight Configuration

R2#show ip bgp
BGP routing table entry for /24, version 28
Paths: (2 available, best #2, table Default-IP-Routing-Table)
  Advertised to update-groups:
  from ( )
    Origin IGP, metric , localpref 100, valid, external
  (metric 20) from ( )
    Origin IGP, metric 0, localpref 100, valid, internal, best

R2#config t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#ip prefix-list R3_LOOPBACK permit /24
R2(config)#route-map R4_INBOUND permit 10
R2(config-route-map)#match ip address prefix-list R3_LOOPBACK
R2(config-route-map)#set weight 100
R2(config-route-map)#route-map R4_INBOUND permit 100
R2(config-route-map)#router bgp 200
R2(config-router)#neighbor route-map R4_INBOUND in
R2(config-router)#end
R2#clear ip bgp * in

R2#show ip bgp
BGP routing table entry for /24, version 34
Paths: (2 available, best #1, table Default-IP-Routing-Table)
  Flag: 0x4940
  Advertised to update-groups:
  from ( )
    Origin IGP, metric , localpref 100, weight 100, valid, external, best
  (metric 20) from ( )
    Origin IGP, metric 0, localpref 100, valid, internal

280 BGP Local Preference Configuration

R3#show ip bgp
BGP routing table entry for /24, version 2
Paths: (2 available, best #2, table Default-IP-Routing-Table)
  Advertised to update-groups:
  (metric ) from ( )
    Origin IGP, metric 0, localpref 100, valid, internal
  from ( )
    Origin IGP, metric 0, localpref 100, valid, external, best

R4#show ip bgp
BGP routing table entry for /24, version 3
Paths: (2 available, best #1, table Default-IP-Routing-Table)
  Advertised to update-groups:
  from ( )
    Origin IGP, localpref 100, valid, external, best
  (metric ) from ( )
    Origin IGP, metric 0, localpref 100, valid, internal

R3#traceroute
Type escape sequence to abort.
Tracing the route to
  msec * 13 msec

R4#traceroute
Type escape sequence to abort.
Tracing the route to
  msec 28 msec 28 msec [AS 200] 28 msec * 28 msec

BGP Local Preference Configuration (cont.)

R4#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R4(config)#ip prefix-list R1_LOOPBACK permit /24
R4(config)#route-map R2_INBOUND permit 10
R4(config-route-map)#match ip address prefix-list R1_LOOPBACK
R4(config-route-map)#set local-pref
R4(config-route-map)#set local-preference 200
R4(config-route-map)#route-map R2_INBOUND permit 100
R4(config-route-map)#router bgp 100
R4(config-router)#neighbor route-map R2_INBOUND in
R4(config-router)#end
R4#clear ip bgp * in

R4#show ip bgp
BGP routing table entry for /24, version 28
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Flag: 0x800
  Advertised to update-groups:
  from ( )
    Origin IGP, localpref 200, valid, external, best

R4#traceroute
Type escape sequence to abort.
Tracing the route to
  msec 28 msec 28 msec [AS 200] 32 msec * 28 msec

281 BGP Local Preference Configuration (cont.)

R3#show ip bgp
BGP routing table entry for /24, version 15
Paths: (2 available, best #1, table Default-IP-Routing-Table)
  Flag: 0x940
  Advertised to update-groups:
  (metric ) from ( )
    Origin IGP, metric 0, localpref 200, valid, internal, best
  from ( )
    Origin IGP, metric 0, localpref 100, valid, external

R3#traceroute
Type escape sequence to abort.
Tracing the route to
  msec 4 msec 0 msec msec 4 msec 0 msec msec 4 msec 4 msec msec 20 msec 20 msec [AS 200] 20 msec * 20 msec

BGP AS-Path Configuration

R3#show ip bgp
BGP routing table entry for /24, version 11
Paths: (2 available, best #2, table Default-IP-Routing-Table)
  Advertised to update-groups:
  (metric ) from ( )
    Origin IGP, metric 0, localpref 100, valid, internal
  from ( )
    Origin IGP, localpref 100, valid, external, best

R4#show ip bgp
BGP routing table entry for /24, version 26
Paths: (2 available, best #2, table Default-IP-Routing-Table)
  Advertised to update-groups:
  (metric ) from ( )
    Origin IGP, metric 0, localpref 100, valid, internal
  from ( )
    Origin IGP, metric 0, localpref 100, valid, external, best

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#ip prefix-list R2_LOOPBACK permit /24
R2(config)#route-map R4_OUTBOUND permit 10
R2(config-route-map)#match ip address prefix-list R2_LOOPBACK
R2(config-route-map)#set as-path prepend
R2(config-route-map)#route-map R4_OUTBOUND permit 100
R2(config-route-map)#router bgp 200
R2(config-router)#neighbor route-map R4_OUTBOUND out
R2(config-router)#end
R2#clear ip bgp * out

282 BGP AS-Path Configuration (cont.)

R3#show ip bgp
BGP routing table entry for /24, version 11
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Advertised to update-groups:
  from ( )
    Origin IGP, localpref 100, valid, external, best

R4#show ip bgp
BGP routing table entry for /24, version 29
Paths: (2 available, best #1, table Default-IP-Routing-Table)
  Flag: 0x940
  Advertised to update-groups:
  (metric ) from ( )
    Origin IGP, metric 0, localpref 100, valid, internal, best
  from ( )
    Origin IGP, metric 0, localpref 100, valid, external

R4#traceroute
Type escape sequence to abort.
Tracing the route to
  msec 4 msec 0 msec msec 4 msec 0 msec msec 4 msec 4 msec msec 24 msec 28 msec [AS 200] 24 msec * 24 msec

BGP MED Configuration

R1#show ip bgp
BGP routing table entry for /24, version 27
Paths: (2 available, best #2, table Default-IP-Routing-Table)
  Advertised to update-groups:
  from ( )
    Origin IGP, metric , localpref 100, valid, external
  (metric 20) from ( )
    Origin IGP, metric , localpref 100, valid, internal, best

R2#show ip bgp
BGP routing table entry for /24, version 25
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Advertised to update-groups:
  from ( )
    Origin IGP, metric , localpref 100, valid, external, best

R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#ip prefix-list R6_LOOPBACK permit /24
R3(config)#route-map R1_OUTBOUND permit 10
R3(config-route-map)#matc ip address prefix-list R6_LOOPBACK
R3(config-route-map)#match ip address prefix-list R6_LOOPBACK
R3(config-route-map)#set metric 100
R3(config-route-map)#route-map R1_OUTBOUND permit 100
R3(config-route-map)#router bgp 100
R3(config-router)#neighbor route-map R1_OUTBOUND out
R3(config-router)#end
R3#clear ip bgp * out

283 BGP MED Configuration (cont.)

R1#show ip bgp
BGP routing table entry for /24, version 32
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Flag: 0x4940
  Advertised to update-groups:
  from ( )
    Origin IGP, metric 100, localpref 100, valid, external, best

R2#show ip bgp
BGP routing table entry for /24, version 35
Paths: (2 available, best #1, table Default-IP-Routing-Table)
  Flag: 0x4940
  Advertised to update-groups:
  (metric 20) from ( )
    Origin IGP, metric 100, localpref 100, valid, internal, best
  from ( )
    Origin IGP, metric , localpref 100, valid, external

BGP Q&A

284 Internetwork Expert's CCNP Bootcamp
Redistribution & Layer 3 Path Control

Route Redistribution Overview

- Process of exchanging reachability information between routing domains
  - e.g. OSPF to EIGRP redistribution
- Considerations
  - Metric conversion
  - Loss of loop prevention
  - Table instability
    - e.g. BGP to IGP redistribution

285 How Redistribution Works

- Route redistribution occurs from the routing table, not the routing database
  - i.e. only currently installed routes are candidates to be redistributed
- Most protocols also include connected interfaces running the routing process as candidates
  - e.g. implicit redistribute connected
  - IPv6 exceptions
- Redistribution must be explicit
  - e.g. EIGRP to OSPF then OSPF to RIP does not imply EIGRP to RIP

Redistribution into RIPv2

- Does not distinguish between internal vs. external routes
- No default metric for redistribution, must be manually specified
  - Global default-metric
  - Individual redistribute statements

286 Redistribution into EIGRP

- Does distinguish between internal vs. external routes
  - Internal (D): EIGRP AD 90
  - External (D EX): EIGRP AD 170
- EIGRP Router-ID tagged in external route
  - Automatic loop prevention
- No default metric for redistribution unless going EIGRP to EIGRP
  - Global default-metric
  - Individual redistribute statements

Redistribution into OSPF

- Does distinguish between internal vs. external routes
  - E1/E2/N1/N2
  - Same AD for all, but can be separately modified
- OSPF Router-ID tagged in external LSA
  - Automatic loop prevention
- Default metric of 20
- Default metric type of E2/N2

287 IGP Redistribution into BGP

- Redistributed routes get an origin code of incomplete
  - Denoted as ? in the BGP table
  - Implies redistributed routes are less preferred
- OSPF into BGP only matches internal routes by default
  - redistribute ospf 1 match internal external

BGP Redistribution into IGP

- Generally not recommended without strict filtering
  - Global routing table ~ 350,000 routes
- BGP into IGP only matches EBGP routes by default
  - bgp redistribute-internal
- Can result in routing/traffic loops or a BGP race condition

288 Redistribution & Traffic Engineering

- Traffic engineering (layer 3 path control) can be implemented in redistribution designs with multiple entry/exit points
- Seed metric can influence path selection
  - ASBR1 reports prefix X with cost 10
  - ASBR2 reports prefix X with cost 20
- Route-map, prefix-list, etc. filtering can influence path selection with longest match routing
  - ASBR1 reports aggregate X plus subnets X1 & X2
  - ASBR2 reports only aggregate X

Basic Redistribution Example

[Diagram: R1 through R5 connected over Fa0/0 subinterfaces on VLANs 1, 12, 13, 23, 24, 35 and 45, one /24 per VLAN; the labelled subinterfaces are Fa0/0.12, Fa0/0.13, Fa0/0.23, Fa0/0.24, Fa0/0.35 and Fa0/0.45.]

289 Problems with Redistribution

- Routing loops & traffic loops ("blackholes") generally occur for three reasons
  - Reconvergence after a topology change
  - Metric feedback
  - Administrative Distance feedback
- Temporary traffic loss during reconvergence is normal
- Metric or AD feedback is usually recurring, and happens because of improper design
  - E.g. redistribution from higher AD to lower AD and then fed back

Metric Route Feedback Example

[Diagram: R2 learns the prefix via RIP with metric 5 and redistributes it into OSPF; R3 redistributes the prefix from OSPF back into RIP with metric 1; R2 now learns the prefix via RIP with metric 1 and a loop occurs.]

290 AD Route Feedback Example

[Diagram: R2 learns the prefix via RIP with AD 120; R3 redistributes the prefix into OSPF; R2 learns the prefix via OSPF with AD 110, the RIP route is withdrawn and a loop occurs.]

Fixing Redistribution Problems

- Some redistribution problems can only be solved by changing the topology design or changing where redistribution occurs
- Others can be fixed with various IOS tools such as
  - Route-map filters
  - Distribute-list filters
  - Prefix-lists
  - Access-lists
  - Passive-interface filters
  - Route tags

291 Route-Map Filtering

- Condition based criteria for filtering & modifying redistribution
- Like ACLs, ends in an implicit deny
- Typically matches a prefix-list, but can match more
  - ACL
  - Route type
  - Route source
  - Route tag
  - Metric
- Can be used for route tagging & loop prevention

Distribute-List Filtering

- Used to filter routing advertisements
  - Received on an interface
  - Sent on an interface
  - Received from a neighbor
  - Sent to a neighbor
- Calls a prefix-list or access-list for the actual route matching
- Only supported for RIPv2/EIGRP/BGP
  - Breaks OSPF/IS-IS LSDB logic

292 Prefix-List Filtering

- Used to match a route based on both prefix and length
  - e.g. ip prefix-list LIST permit /24
- Can also match ranges of prefixes or lengths
  - e.g. ip prefix-list LIST permit 0.0.0.0/0 le 32
- Uses sequence numbers to allow editing
- Preferred for routing filters, not traffic filters
- Can be referenced from a distribute-list or route-map
  - distribute-list prefix-list LIST in FastEthernet0/0
  - match ip address prefix-list LIST

Access-List Filtering

- Normally used for traffic filtering, but can be used for routing filters
- Standard ACLs can only match on prefix, not length
  - /16 and /31 appear the same
  - Shortcoming as compared to a prefix-list
- Extended ACL applies differently based on protocol
  - In RIP & EIGRP can filter a route based on gateway
  - In BGP uses legacy prefix-list workaround syntax
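Prefix-list versus standard-ACL route matching, as an added Python model (not IOS code and not from the slides): it parses IOS-style prefix-list lines including seq/ge/le, applies first-match with the implicit deny, and shows why a standard ACL cannot tell a /16 from a /31. The list names and addresses (10.0.0.0/16, the RANGE list, access-list 1) are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PrefixListEntry:
    seq: int
    action: str                      # "permit" or "deny"
    network: ipaddress.IPv4Network
    ge: Optional[int]                # minimum prefix length, if given
    le: Optional[int]                # maximum prefix length, if given


def parse_prefix_list(lines: List[str]) -> List[PrefixListEntry]:
    """Parse 'ip prefix-list NAME [seq N] permit|deny A.B.C.D/L [ge X] [le Y]'.

    Unnumbered entries get the next multiple of 5, as IOS does; entries are
    evaluated in sequence order, which is what makes them editable in place.
    """
    entries, next_seq = [], 5
    for line in lines:
        tok = line.split()
        if tok[:2] != ["ip", "prefix-list"]:
            raise ValueError(f"not a prefix-list line: {line!r}")
        i, seq = 3, None
        if tok[i] == "seq":
            seq, i = int(tok[i + 1]), i + 2
        seq = next_seq if seq is None else seq
        next_seq = max(next_seq, seq) + 5
        action, net = tok[i], ipaddress.IPv4Network(tok[i + 1], strict=False)
        ge = le = None
        for key, val in zip(tok[i + 2::2], tok[i + 3::2]):
            if key == "ge":
                ge = int(val)
            elif key == "le":
                le = int(val)
        entries.append(PrefixListEntry(seq, action, net, ge, le))
    return sorted(entries, key=lambda e: e.seq)


def prefix_list_permits(entries: List[PrefixListEntry], route: str) -> bool:
    """First matching entry wins; no match is the implicit deny at the end.

    Without ge/le the length must equal the entry's own length. 'le' alone
    allows the entry's length up to le (so 0.0.0.0/0 le 32 means any route),
    'ge' alone allows ge..32, and both together give the range ge..le.
    """
    r = ipaddress.IPv4Network(route, strict=False)
    for e in entries:
        lo = e.ge if e.ge is not None else e.network.prefixlen
        hi = e.le if e.le is not None else (32 if e.ge is not None else e.network.prefixlen)
        if r.network_address in e.network and lo <= r.prefixlen <= hi:
            return e.action == "permit"
    return False


def standard_acl_permits(acl: List[str], route: str) -> bool:
    """'access-list N permit|deny A.B.C.D [WILDCARD]' used as a route filter.

    Only the network address is tested; the prefix length is invisible, so
    10.0.0.0/16 and 10.0.0.0/31 look identical (the slide's shortcoming).
    """
    n = int(ipaddress.IPv4Network(route, strict=False).network_address)
    for line in acl:
        tok = line.split()
        action, addr = tok[2], int(ipaddress.IPv4Address(tok[3]))
        wild = int(ipaddress.IPv4Address(tok[4])) if len(tok) > 4 else 0
        care = ~wild & 0xFFFFFFFF        # wildcard 1-bits are "don't care"
        if (addr & care) == (n & care):
            return action == "permit"
    return False


# Constructed filters standing in for the slide's LIST (its prefix is not shown).
LIST = parse_prefix_list(["ip prefix-list LIST permit 10.0.0.0/16"])
ANY = parse_prefix_list(["ip prefix-list ANY permit 0.0.0.0/0 le 32"])
RANGE = parse_prefix_list([
    "ip prefix-list RANGE seq 5 deny 10.0.0.0/8 ge 25",         # nothing longer than /24
    "ip prefix-list RANGE seq 10 permit 10.0.0.0/8 ge 24 le 24",  # only /24s inside 10/8
])
ACL_10 = ["access-list 1 permit 10.0.0.0 0.255.255.255"]
```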

293 Passive-Interface Filtering

- Used to disable sending of routing updates on an interface that has the process enabled
  - For RIPv2, receive but not send
  - For OSPF/EIGRP, breaks adjacency forming
- Can be per link or all links

Route Tag Filtering

- Administrative route tagging can be used to "color" routes based on their origination
  - Gives visibility to the redistribution source router or source protocol in the routing database
- Route tag can be used to prevent route feedback in certain designs
- Applied through a route-map
  - set tag 1234
  - match tag 1234

294 Policy Based Routing & Traffic Engineering

- Normal routing decision is based on longest match to the destination address
- Policy Based Routing (PBR) allows a routing decision based on
  - Source address
  - Incoming interface
  - Application
  - QoS markings
- Very flexible, but non-distributed platforms may have performance limitations

How PBR Works

- Route-map defines match and set criteria
  - Match incoming interface or ACL
  - Set ip next-hop, interface, default ip next-hop, or default-interface
- Route-map applies either to
  - Incoming traffic on an interface with ip policy
  - Locally generated traffic with ip local policy
- Order of operations is...
  - If set ip next-hop or interface
    - Check route-map first, then routing table
  - If set ip default next-hop or default interface
    - Check routing table first, then route-map

295 IP SLA & Traffic Engineering

- IP Service Level Agreement adds application level awareness to Enhanced Object Tracking
- Enhanced Objects can be called from features such as
  - FHRPs
  - Policy-Based Routing
  - Static Routing

Q&A

296 Internetwork Expert's CCNP Bootcamp
Internet Protocol Version 6 (IPv6)

Why IPv6?

- Main motivation for IPv6 is the lack of IPv4 address space
- IPv4 uses 32-bits
  - 2^32 = 4,294,967,296 max addresses
- IPv6 uses 128-bits
  - 2^128 = 34,028,236,692,938,463,463,374,607,431,770,000,000+

297 IPv4 vs. IPv6 Addressing Format

- IPv4
  - Dotted Decimal
  - Each place denotes 1 byte
- IPv6
  - Hexadecimal
  - XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX
  - Two characters = one byte

RFC 2373: IP Version 6 Addressing Architecture

2.4 Address Type Representation

The specific type of an IPv6 address is indicated by the leading bits in the address. The variable-length field comprising these leading bits is called the Format Prefix (FP). The initial allocation of these prefixes is as follows:

  Allocation                             Prefix (binary)   Fraction of Address Space
  Aggregatable Global Unicast Addresses  001               1/8
  Link-Local Unicast Addresses           1111 1110 10      1/1024
  Site-Local Unicast Addresses           1111 1110 11      1/1024
  Multicast Addresses                    1111 1111         1/256

298 IPv6 Address Space

- Four main address types
  - Global Unicast: 2000 to 3FFF (2000::/3)
  - Unique Local: FC00
    - Deprecates Site Local (FEC0)
  - Link Local: FE80
  - Multicast: FF

Modified EUI-64 Addressing

- IPv6 host addresses are generated from the interface MAC address
  - MAC address is 48-bits
  - IPv6 host address is 64-bits
- Extra 16 bits derived as follows:
  - Start with the MAC
  - Invert the 7th most significant bit
  - Insert FFFE in the middle, e.g. 1034:56FF:FE78:9012

299 Ethernet IPv6 Address Resolution

- ICMPv6 ND replaces ARP
- NBMA
  - Static resolution on multipoint interfaces
  - Inverse Neighbor Discovery not yet implemented

ICMPv6 Neighbor Discovery

- ICMPv6 ND replaces IPv4 ARP
  - NS: Neighbor Solicitation
    - Ask for information about a neighbor
  - NA: Neighbor Advertisement
    - Advertise yourself to other neighbors
  - RS: Router Solicitation
    - Ask for information about local routers
  - RA: Router Advertisement
    - Advertise yourself as an active router

300 ICMPv6 Neighbor Discovery

- Send a neighbor solicitation to the solicited node multicast address
  - FF02:0:0:0:0:1:FF00::/104 plus the 24 low-order bits of the address
  - If no reply, the address is unique
  - Duplicate Address Detection (DAD)
- Send an unsolicited neighbor advertisement to announce yourself
  - Sent to the all hosts multicast address FF02::1
  - Essentially the same as

IPv6 Routing Overview

- IPv6 unicast routing is off by default
  - ipv6 unicast-routing
- Dynamic routing through
  - RIPng
  - OSPFv3
  - EIGRPv6
  - IS-IS
  - BGP
- Dynamic information recurses to the remote link-local address
  - Layer 3 to layer 2 resolution on multipoint NBMA media
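The two derivations from the Modified EUI-64 slide and the Neighbor Discovery slide above, written out as an added Python example (not from the slides): the interface ID built from a MAC, the address formed with a /64 prefix, and the solicited-node multicast group a node targets for address resolution and DAD. The MAC 1034.5678.9012 and the prefixes used are constructed inputs.

```python
import ipaddress


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface ID (8 bytes) from a 48-bit MAC.

    Follows the slide: split the MAC in the middle, insert FFFE, then invert
    the 7th most significant bit (the universal/local bit).  Accepts
    10:34:56:78:90:12, 10-34-56-78-90-12 or Cisco-style 1034.5678.9012.
    """
    digits = "".join(c for c in mac.lower() if c not in ":-.")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    mac_bytes = bytes.fromhex(digits)
    iid = bytearray(mac_bytes[:3] + b"\xff\xfe" + mac_bytes[3:])
    iid[0] ^= 0x02                      # 7th MSB of the first byte is 0x02
    return bytes(iid)


def format_iid(iid: bytes) -> str:
    """Render 8 bytes as the four 16-bit groups IOS prints, e.g. 1234:56FF:FE78:9012."""
    return ":".join(iid[i:i + 2].hex().upper() for i in range(0, 8, 2))


def eui64_address(prefix: str, mac: str) -> str:
    """Combine a /64 prefix (FE80::/64 for link-local, or one learned from an
    RA) with the EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac)))


# FF02:0:0:0:0:1:FF00::/104, i.e. 13 fixed bytes; the last 3 come from the unicast address
SOLICITED_NODE_PREFIX = bytes.fromhex("ff02" + "0000" * 4 + "0001" + "ff")


def solicited_node_multicast(addr: str) -> str:
    """Solicited-node group: FF02::1:FF00:0/104 + low-order 24 bits of addr.

    A node joins this group for each of its addresses, so a Neighbor
    Solicitation (address resolution or DAD) reaches only the hosts whose
    addresses share those 24 bits rather than every host on the link.
    """
    low24 = ipaddress.IPv6Address(addr).packed[-3:]
    return str(ipaddress.IPv6Address(SOLICITED_NODE_PREFIX + low24))


def dad_target_group(prefix: str, mac: str) -> str:
    """Group a host sends its DAD Neighbor Solicitation to before it uses the
    EUI-64 address it is about to configure from this prefix and MAC."""
    return solicited_node_multicast(eui64_address(prefix, mac))
```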

301 IPv6 Static Routing

- Same static routing implications as IPv4
  - To next-hop: resolve the next-hop
  - To multipoint interface: resolve the final destination
  - To point-to-point interface: no resolution required

IPv6 Routing

- RIPng, OSPFv3, & EIGRPv6
  - Use separate processes
- BGP & IS-IS
  - Use the same process
  - Different address families

302 RIPng Overview

- Defined by the RIPng RFC
- Similar in operation to RIPv1 / RIPv2
  - UDP port 521
  - Multicast to FF02::9
- Configuration
  - Interface level: ipv6 rip [process] enable
  - Automatically enables the global process
- Split-horizon enabled globally
  - no split-horizon on multipoint NBMA

OSPFv3 Overview

- Defined by the OSPFv3 RFC
- Similar in operation to OSPFv2
- Router-id is an IPv4 address
  - Use the router-id command if no IPv4 is configured
- Configuration
  - Interface level: ipv6 ospf [process-id] area [area-id]
  - Automatically enables the global process

303 OSPFv3 Over NBMA

- Same network types as OSPFv2
  - Broadcast
    - DR/BDR election
  - Non-broadcast
    - DR/BDR election
    - Unicast updates to link-local address
  - Point-to-point
  - Point-to-multipoint
  - Point-to-multipoint non-broadcast
    - Unicast updates to link-local address

EIGRPv6 Overview

- Similar in operation to IPv4 EIGRP
  - IP protocol 88
  - Multicast to FF02::A
- Configuration
  - Interface level: ipv6 eigrp [ASN]
  - Process level: no shutdown

304 BGP for IPv6 Overview

- Same process for IPv4 and IPv6
  - Uses address-family configuration
- Normal BGP rules apply
  - Requires underlying IGP transport
  - iBGP loop prevention
    - Don't advertise iBGP learned routes to other iBGP neighbors
    - Exception through route-reflection / confederation
  - EBGP loop prevention
    - Don't accept routes with your own AS in the path
  - Same best-path selection process

Tunneling IPv6 over IPv4

- Static tunnels
  - GRE
    - Default tunnel mode
  - IPv6IP
    - Less overhead, no CLNS transport
- Automatic tunnels
  - 6to4
    - Embeds the IPv4 address into the IPv6 prefix to provide automatic tunnel endpoint determination
  - ISATAP
    - Automatic host to router and host to host tunneling

305 Automatic 6to4 Tunneling

- Derives the destination IPv4 router from the address embedded inside the IPv6 destination
  - 2002:border-router-IPv4-address::/48
- Single /48 subnetted amongst the site
- Only one tunnel needed for all destinations

IPv6 Examples

[Diagram: R1 through R6 with loopbacks Lo0 2001::1/128 through 2001::6/128; VLAN 5 (2001:0:0:5::/64), VLAN 6 (2001:0:0:6::/64), VLAN 23 (2001:0:0:23::/64) and VLAN 146 (2001:0:0:146::/64) on Fa0/0 and Fa0/1 interfaces; a 2001:0:0:13::0/127 serial link between R1 S0/1 and R3 S1/2; further serial links on R2, R4 and R5 (S0/0, S0/1).]
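The 2002:border-router-IPv4-address::/48 derivation and its inverse, the tunnel endpoint lookup, as an added Python example (not from the slides and not how IOS implements it). The border-router address 192.0.2.1 and the subnet IDs are constructed.

```python
import ipaddress


def sixto4_prefix(border_router_ipv4: str) -> ipaddress.IPv6Network:
    """The /48 a 6to4 site derives from its border router's public IPv4
    address: 2002 followed by the 32 address bits, exactly as the slide writes it."""
    v4 = ipaddress.IPv4Address(border_router_ipv4)
    if v4.is_multicast or v4.is_loopback or v4.is_unspecified:
        raise ValueError(f"{border_router_ipv4} cannot be a 6to4 tunnel endpoint")
    return ipaddress.IPv6Network((b"\x20\x02" + v4.packed + bytes(10), 48))


def sixto4_subnet(border_router_ipv4: str, subnet_id: int) -> ipaddress.IPv6Network:
    """One of the 65,536 /64s the site carves from its single /48 (bits 48-63),
    the 'single /48 subnetted amongst the site' of the slide."""
    if not 0 <= subnet_id < 2 ** 16:
        raise ValueError("subnet ID must fit in 16 bits")
    site = sixto4_prefix(border_router_ipv4)
    return ipaddress.IPv6Network((int(site.network_address) | (subnet_id << 64), 64))


def sixto4_tunnel_destination(ipv6_destination: str) -> ipaddress.IPv4Address:
    """Recover the remote border router's IPv4 address from bits 16-47 of the
    IPv6 destination; this is why one tunnel interface serves every 6to4 site."""
    dst = ipaddress.IPv6Address(ipv6_destination)
    if dst.packed[:2] != b"\x20\x02":
        raise ValueError(f"{ipv6_destination} is not a 2002::/16 (6to4) address")
    return ipaddress.IPv4Address(dst.packed[2:6])
```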

306 IPv6 Q&A

307 Internetwork Expert's CCNP Bootcamp
Troubleshooting Overview

What Is Troubleshooting?

- Per Wikipedia: "a form of problem solving most often applied to repair of failed products or processes. It is a logical, systematic search for the source of a problem so that it can be solved, and so the product or process can be made operational again."
- The key is that troubleshooting is logical and systematic
  - Fixing a problem by dumb luck does not constitute troubleshooting

308 Why Troubleshooting?

- Today's networks are more high-availability minded than ever, and downtime means loss of revenue in
  - Employee productivity
  - Customer SLA violations
  - Regulatory fines
  - Etc.
- One key way expert-level engineers set themselves apart from average engineers is troubleshooting methodology
  - The average engineer runs around like a chicken with its head cut off
  - The expert engineer keeps a cool head and follows a structured approach

Structured Troubleshooting Approach

- Defines a logical and systematic method of troubleshooting that can be applied to any case
  - E.g. troubleshooting VoIP call quality and OSPF neighbor adjacency involves different discrete steps, but the logical approach is the same
- Structured troubleshooting is closely analogous to the Scientific Method of conducting experiments

309 Scientific Method Workflow

[Diagram: Scientific Method workflow]

Structured Troubleshooting Workflow

[Diagram: Structured Troubleshooting workflow]

310 Defining The Problem

- Network problems are generally discovered in two ways
  - Reactive
    - e.g. users submit tickets to the help desk that web browsing is slow
  - Proactive
    - e.g. SNMP reports a linkdown event
- In either case, more investigation is needed to find the root cause

Gathering Information

- Apart from asking users for more information on tickets submitted, gathering information is in the form of
  - show commands
  - debug commands
    - Typically not used in the real world unless network-down emergency
  - Misc. testing tools
    - PING
    - Traceroute
    - Telnet
    - Etc.
- Ultimate goal is to isolate the issue as closely as possible by eliminating unrelated variables

311 How To Gather Information

- Structured troubleshooting involves isolating the operational network into functional layers
  - E.g. OSI Model or TCP/IP Model
- Where to actually start isolating is a personal preference
- Common approaches are
  - Top-Down
  - Bottom-Up
  - Divide and Conquer
- Key to remember is that layers have a cascading effect
  - E.g. if the physical layer (i.e. layer 1) is down, all layers above it are broken

Top Down Troubleshooting

- Most useful for application related issues
  - E.g. user can't send e-mail: start by checking their settings
- Potentially very time consuming if the problem resides in a lower layer
  - E.g. physical switchport is bad (layer 1)

312 Bottom Up Troubleshooting

- Verify each layer starting with physical and proceed to the next
  - Is the link UP/UP?
  - Are the layer 2 options correct?
  - IP properly configured?
  - IGP adjacency exists?
  - Etc.
- Like top-down, can be very time consuming depending on where the problem actually lies

Divide and Conquer

- Goal is to reduce search time by picking a layer to start at
- Based on results of testing, further verification goes either up or down the stack
- E.g. for troubleshooting an e-mail problem
  - Can I ping the mail server?
    - If yes, go up the stack
    - If no, go down the stack

313 Defining & Implementing The Fix

- Ideally up to this point the issue is sufficiently isolated to make an educated guess as to how the problem can be fixed
- Proper Change Control at this stage is key
  - Clearly define the proposed fix
  - Implement the proposed fix
  - Did it work?
    - If yes, proceed forwards
    - If no, roll back
- Changing too many variables at once can compound the problem even further

Observing The Results

- Depending on the nature of the problem, verification of the solution can be either straightforward or complicated
  - E.g. user said they couldn't e-mail, now they can: problem straightforward and solved
  - E.g. users experienced low VoIP quality, quality is now good, but only time will tell
- Within the scope of the TSHOOT exam, the final observation is your score

314 Reiteration

- If the problem was not solved, a further dilemma occurs
  - Did I misdiagnose the problem in the first place?
  - Are there significant variables that were overlooked?
  - Was my fix not appropriate?
- Before making further changes, more information should be gathered
  - Did the situation change since I implemented a fix?
    - If yes, for the better or worse?
    - If not, why not?

Documenting the Fix

- All good change control policies should require documentation for all fixes
- Documentation allows the development of a knowledge base for your particular network topology
  - KB can be referenced in the future to solve similar problems, or to trace your steps if the same problem is recurring

315 Q&A

316 Internetwork Expert's CCNP Bootcamp
Troubleshooting Tools

Tools for Gathering Information

- Before implementing a fix, information must be gathered about a problem to eliminate as many variables as possible
- IOS offers both proactive and reactive tools for gathering information
  - Proactive monitoring can inform you about problems that need more reactive research to isolate

317 Proactive Monitoring

- IOS supports both passive and event driven monitoring to observe the current network status
- Examples are
  - SNMP
  - RMON
  - Syslog
  - NetFlow
  - EEM

SNMP

- Simple Network Management Protocol
- Used to report conditions of a managed device to a management station (NMS)
- Two ways to collect data
  - Trapping
    - Managed device reports an event to the NMS
  - Polling
    - NMS asks the managed device to report a variable
- Management Information Base (MIB)
  - Variable used to report a network condition
- SNMPv2c vs. SNMPv3

318 SNMP Polling

- Define SNMP Community String
  - Password for the NMS to poll the device
- Two types of community strings
  - Read Only
    - Information gathering only
  - Read Write
    - Gather info and set values
- snmp-server community string [ro | rw] [acl]
  - access-list defines who can poll the device

SNMP Trapping: Step 1

- Define events to trap
  - All traps
    - snmp-server enable traps
  - Specific traps
    - snmp-server enable traps [notification-type]

319 SNMP Trapping: Step 2

- Define the NMS to trap to
  - All enabled traps
    - snmp-server host host-addr community-string
  - Subset of enabled traps
    - snmp-server host host-addr community-string [notification-type]

RMON

- Remote Monitoring
- Used to report a MIB value to an SNMP NMS or syslog server
- Two components
  - Alarm
    - Condition that triggers an event
      - CPU exceeds 90%
      - Free memory drops below 20Mb
  - Event
    - Message to send to NMS / syslog
      - "Help! My CPU is over 90%!"

320 RMON

- RMON alarm defines how the MIB is sampled
- Delta sampling
  - Difference between the MIB value at time index A compared to the MIB value at time index B
    - Packets sent out E0/0 each minute
    - CRC errors received every hour
  - Used for values that only increase
- Absolute sampling
  - Exact value of the MIB at time index A
    - CPU Utilization
    - Memory Utilization
  - Used for values that increase and decrease

321 RMON Example

- Configure RMON to track the five minute CPU average (lsystem.58.0)
  - If the utilization is over 90% generate the event "CPU Above 90%"
  - If the utilization is below 30% generate the event "CPU Below 30%"
  - Sample the MIB every 60 seconds
  - Trap the events to the SNMP NMS using the community string CISCO

Logging

- IOS can log messages to
  - Console
  - Monitor (VTY / AUX)
  - Buffer
  - Trap (syslog)
- show log to check the logging condition

322 Logging Severity

- Level or severity determines what log messages will be sent
  - Logging at severity 3 means 0, 1, 2, and 3

Rack1R1(config)#logging console ?
  <0-7>          Logging severity level
  alerts         Immediate action needed           (severity=1)
  critical       Critical conditions               (severity=2)
  debugging      Debugging messages                (severity=7)
  emergencies    System is unusable                (severity=0)
  errors         Error conditions                  (severity=3)
  guaranteed     Guarantee console messages
  informational  Informational messages            (severity=6)
  notifications  Normal but significant conditions (severity=5)
  warnings       Warning conditions                (severity=4)
  xml            Enable logging in XML
  <cr>

Syslog Logging

- logging [host] global command
- Syslog defaults to informational, severity 6
  - logging trap debugging to send all messages
- Logging facility controls the format of syslog messages
  - Used to ease parsing of logs from different devices on the syslog server

323 Logging Timestamps
Log timestamps can be formatted as
  Uptime: time since last reload
    service timestamps {debug | log} uptime
  Localtime: clock's time
    service timestamps {debug | log} datetime [msec] [localtime] [show-timezone] [year]
NTP considerations

NetFlow
Used to collect traffic statistics for inbound or outbound flows
Flow defined as an individual session between a source & destination plus protocol/port pairs/markings
Flow data is exported to a collection station for further analysis
  E.g. Cisco NetFlow Collector, NetQoS, Cacti, etc.
Configured with ip flow interface & global commands
Local verification by show ip cache flow

324 Embedded Event Manager
EEM allows custom event actions to be defined in IOS
  E.g. if CPU exceeds 90% send me an
Includes several built-in applets to simplify configuration
Supports Tool Command Language (TCL) shell for advanced programming
External repository hosted at Embedded Event Manager (EEM) Scripting Community

Reactive Monitoring
Once you are alerted of a problem, more research is generally needed
Examples are
  show commands
    E.g. show processes cpu history
    Uses pipe for redirect options
  debug commands
    E.g. debug ip ospf adj
  SPAN/RSPAN packet capture
    Requires outside analysis with offline tools, e.g. Wireshark/Ethereal

325 Q&A

326 Internetwork Expert's CCNP Bootcamp: LAN Troubleshooting

Ethernet Speed/Duplex Negotiation
Rarely a problem of mis-negotiation Cisco to Cisco switches, but can be a problem of mis-configuration
  Speed mismatch causes link to be up/down
  Duplex mismatch allows link up/up but typically results in lots of packet loss
CDP detects and logs this by default
Late collisions in show interface output typically mean a duplex mismatch

327 VTP Troubleshooting - Modes
VLANs failing to propagate in the topology can have a devastating effect on reachability, i.e. the cascading layers effect
Initially check the VTP modes and the domain
  Server creates and forwards VLANs
  Client receives VLAN information from the server(s)
  Transparent does not sync; it will forward VTP messages in the domain

VTP Troubleshooting - Domain Name
The VTP domain name is case-sensitive and must match on all switches in the domain
Use show vtp status in order to verify mode and name

328 VTP Troubleshooting - show vtp status
Rack26SW1#show vtp status
VTP Version                     : running VTP1 (VTP2 capable)
Configuration Revision          : 16
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 16
VTP Operating Mode              : Server
VTP Domain Name                 : BCTS
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xE7 0xF2 0xC0 0xF5 0xC3 0xC7 0xF3 0xE3
Configuration last modified by at :55:08
Local updater ID is on interface Lo0 (first layer3 interface found)

VTP Troubleshooting - vtp password
VTP authentication adds security but also complexity
Occasionally the password may match in show vtp password but the MD5 digests are different in show vtp status

329 VTP Troubleshooting - config rev
Device with highest configuration revision number has most updated copy of the database
When adding switches to the topology, errors in config rev. number can overwrite the network
Can be reset to 0 by
  Changing VTP domain
  Changing to VTP transparent

VTP Troubleshooting - Trunks
VTP messages flow over trunk links
If trunks are broken, VTP is broken (cascading layers again)
Use show interface trunk to confirm functional trunks in the topology

330 Access VLAN Troubleshooting
As a safeguard, use the switchport mode access command in conjunction with switchport access vlan vlan_id
  Avoids errors in DTP
Ensure the VLAN exists in the database with show vlan brief
You may need show cdp neighbors to verify interfaces that must participate in the VLAN

Access VLAN Troubleshooting - Topology
Logical topology diagrams provided might hide important Layer 2 aspects of the physical topology
  show cdp neighbor to verify physical topology
Misc. verification through
  show run interface
  show interface switchport
Are VLANs allowed over trunk ports?
  show interface trunk

331 show interface switchport
Rack26SW1#show interface fa0/15 switchport
Name: Fa0/15
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled:
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

Trunking Troubleshooting - DTP
Dynamic Trunking Protocol (DTP) might cause or prevent a trunk from forming
Verification of mode is best accomplished with show interface switchport

332 Trunking Troubleshooting - DTP Modes
ON: switchport mode trunk forces the interface to trunk, and sends DTP frames
OFF: switchport mode access forces the interface to access mode (non-trunk)
DESIRABLE: switchport mode dynamic desirable; willing to trunk and sends DTP frames
AUTO: switchport mode dynamic auto; willing to trunk but does not send DTP frames
NONEGOTIATE: switchport nonegotiate; used with the ON mode, stops DTP (no frames sent)

Trunking Troubleshooting - show int sw
Rack26SW1#show interface fa0/15 switchport
Name: Fa0/15
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On

333 Trunking Troubleshooting - DTP Quiz
In each case, trunk or no trunk?
  AUTO - AUTO
  AUTO - DESIRABLE
  ON - AUTO
  NONEGOTIATE - AUTO

Trunking Troubleshooting - Native VLAN
Untagged VLAN across 802.1Q trunk links
Must match at each end of link
Both CDP and DTP will detect a mismatch
Verify with show interface switchport or show interface trunk
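The DTP quiz, worked through as an added Python model (not INE course material and not IOS code): it encodes the rules from the DTP modes slide (which modes trunk unconditionally, which send DTP offers, which only answer them) and reports each side's operational mode, so that a one-sided trunk, the case `show interface switchport` is meant to catch, shows up as a mismatch rather than a plain "no trunk".

```python
"""Work through the DTP quiz: what each side's operational mode becomes.

Added example for the DTP mode slides; not INE course material and not IOS
code. It encodes the negotiation rules stated on the slides as a function.
"""
from typing import Tuple

# Administrative modes from 'switchport mode ...' plus 'switchport nonegotiate'.
STATIC_TRUNK = {"on", "nonegotiate"}     # trunks regardless of the peer
SENDS_DTP = {"on", "desirable"}          # actively offers to trunk
ANSWERS_DTP = SENDS_DTP | {"auto"}       # will agree when offered a trunk


def operational_mode(local: str, remote: str) -> str:
    """Operational mode of the LOCAL port given both administrative modes."""
    if local in STATIC_TRUNK:
        return "trunk"
    if local == "access":
        return "access"
    if local == "desirable":
        # desirable offers; it trunks with anyone that answers (on/desirable/auto).
        return "trunk" if remote in ANSWERS_DTP else "access"
    # auto never offers; it trunks only when the peer offers (on/desirable).
    # 'nonegotiate' sends no DTP at all, so an auto port facing it stays access.
    return "trunk" if remote in SENDS_DTP else "access"


def link_result(a: str, b: str) -> Tuple[str, str, str]:
    """Both sides' operational modes plus a verdict: trunk, no trunk, or mismatch.

    A mismatch (one side trunking, the other in access mode) is the dangerous
    case: the link is up on both ends while one side tags frames the other
    does not expect, so connectivity fails only for some VLANs.
    """
    oa, ob = operational_mode(a, b), operational_mode(b, a)
    if oa == ob == "trunk":
        verdict = "trunk"
    elif oa == ob == "access":
        verdict = "no trunk"
    else:
        verdict = "mismatch"
    return oa, ob, verdict


QUIZ = [("auto", "auto"), ("auto", "desirable"), ("on", "auto"), ("nonegotiate", "auto")]

if __name__ == "__main__":
    for a, b in QUIZ:
        oa, ob, verdict = link_result(a, b)
        print(f"{a:>12} <-> {b:<10}  {oa:>6} / {ob:<6}  -> {verdict}")
```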

334 Trunking Troubleshooting - show interface trunk
Rack26SW2#show int trunk
Port      Mode         Encapsulation  Status        Native vlan
Fa0/16    auto         802.1q         trunking      1
Fa0/17    auto         802.1q         trunking      1
Fa0/18    auto         802.1q         trunking      1
Fa0/19    auto         802.1q         trunking      1
Fa0/20    auto         802.1q         trunking      1
Fa0/21    auto         802.1q         trunking      1

Port      Vlans allowed on trunk
Fa0/
Fa0/
Fa0/
Fa0/
Fa0/
Fa0/

Port      Vlans allowed and active in management domain
Fa0/16    1-9,20,30,999
Fa0/17    1-9,20,30,999
Fa0/18    1-9,20,30,999
Fa0/19    1-9,20,30,999
Fa0/20    1-9,20,30,999

Trunking Troubleshooting - Encapsulation
Trunking protocol must match at each end of the link
ISL or 802.1Q can be negotiated between the devices with DTP
  E.g. n-isl indicates ISL was negotiated
show interface trunk for confirmation of protocol

335 EtherChannel Troubleshooting
Can be Layer 2 or Layer 3
Used for redundancy and load balancing
Problems with EtherChannel can appear as:
  Loss of connectivity due to loop
  High CPU utilization due to loop
  Interfaces in the Error Disabled state

EtherChannel Troubleshooting - Member Ports
Member ports in the EtherChannel should be checked for identical configuration
  Speed/Duplex
  Native VLAN
  Trunking State
  Allowed VLAN List
  etc.

336 EtherChannel Troubleshooting - Requirements
Other important guidelines:
  No interfaces of the bundle can be configured for SPAN
  In a Layer 3 EtherChannel the IP address must be assigned to the logical Port-Channel
  When channeling, physical interface changes affect only the physical interface, while Port-Channel interface changes affect the whole EtherChannel

EtherChannel Troubleshooting - LACP vs. PAgP
Negotiation protocols for EtherChannel formation
LACP is an open standard; PAgP is Cisco proprietary
Keywords are
  PAgP: desirable, auto
  LACP: active, passive
The keyword on ensures static configuration
Proper configuration is critical to avoid mismatches and issues caused by order of operations

337 EtherChannel Troubleshooting - Layer 2
SW2:
SW2(config)#interface range fastethernet 0/19-21
SW2(config-if-range)#shutdown
SW2(config-if-range)#switchport trunk encapsulation dot1q
SW2(config-if-range)#switchport mode trunk
SW2(config-if-range)#channel-group 1 mode desirable
Creating a port-channel interface Port-channel 1
SW2(config-if-range)#

SW4:
SW4(config)#interface range fastethernet 0/16-18
SW4(config-if-range)#switchport trunk encapsulation dot1q
SW4(config-if-range)#switchport mode trunk
SW4(config-if-range)#channel-group 1 mode desirable
Creating a port-channel interface Port-channel 1

SW2:
SW2(config-if-range)#no shutdown

EtherChannel Verifications
  show interface trunk
  show etherchannel summary
  show etherchannel port-channel

338 STP Troubleshooting
STP failure and the subsequent loop can impact the entire network!
Most real world problems result from failures with BPDU propagation

STP Troubleshooting - Unidirectional Links
Common problem for STP
Unidirectional link means
  Both sides of link are up
  Local device can send frames to remote
  Remote cannot send frames to local device
LoopGuard and Unidirectional Link Detection are both methods to prevent this problem

339 STP Troubleshooting - The STP Topology
A key to troubleshooting is often to diagram the STP topology
Check placement of the Root Bridge and blocking ports in the topology
Diagramming is done through use of the show spanning-tree command
In the real world many tools (CiscoWorks LMS) automate this diagramming

STP Troubleshooting - show spanning-tree
Rack27SW2#show spanning-tree vlan 1
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority
             Address     000f.9052.ab80
             Cost        19
             Port        18 (FastEthernet0/16)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    (priority sys-id-ext 1)
             Address     d580
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface   Role Sts Cost      Prio.Nbr Type
Fa0/13      Desg FWD                    P2p
Fa0/14      Desg FWD                    P2p
Fa0/15      Desg FWD                    P2p
Fa0/16      Root FWD                    P2p
Fa0/17      Altn BLK                    P2p
Fa0/18      Altn BLK                    P2p
Fa0/24      Desg FWD                    Shr
Po1         Altn BLK                    P2p

340 Internetwork Expert's CCNP Bootcamp: IPv4 IGP Troubleshooting

IPv4 Routing Workflow
IPv4 routing can be subdivided into three discrete steps
  Routing lookup
  Switching method
  Layer 2 encapsulation
Subdividing these functions gives us a layered approach to routing troubleshooting

341 IPv4 Routing Lookup
Three goals: find the
  Longest match(es)
  Outgoing interface(s)
  Next-hop(s)
Troubleshooting considerations
  Administrative Distance
  Metric
  Overlapping routes
  Policy routing can override this step

IPv4 Switching Method
Goal is to move packets between interfaces
Methods are
  Process
  Fast
  CEF
  Etc.
Load balancing occurs at this stage; not all hosts use the same routing path
  E.g. show ip cef exact-route
Troubleshooting considerations
  PING result !.!.!
  High CPU utilization

342 Layer 2 Encapsulation
Goal is to build the layer 2 frame header
Multipoint interfaces require layer 3 to layer 2 resolution
Point-to-point interfaces do not
Troubleshooting considerations
  Routing to interface vs. next-hop
  ARP, Proxy-ARP, & Inverse-ARP
  Subnet mismatches

Further Reading
  Troubleshooting Cisco Express Forwarding Routing Loops
  Troubleshooting Incomplete Adjacencies with CEF
  Troubleshooting High CPU Utilization in IP Input Process

343 EIGRP Workflow
EIGRP operation can be subdivided into four discrete steps
  Discover EIGRP Neighbors
  Exchange Topology Information
  Choose Best Path
  Neighbor and Topology Table Maintenance

Discovering EIGRP Neighbors
EIGRP neighbors discovered through multicast
  Implies bi-directional multicast transport of IP protocol 88 to is needed
  Possible NBMA pseudo-broadcast support issues
  Possible filtering issues
If neighbor statement configured, only unicast hellos are accepted
  If not agreed upon, adjacency cannot continue

344 Discovering EIGRP Neighbors (cont.)
Attributes that must match to proceed
  Common subnet
    Must be primary IP address, not secondary
  ASN
  Authentication
  K Values (metric weights)

Exchanging EIGRP Topology Info
Topology info exchanged through unicast, not multicast
  Implies bi-directional unicast transport of IP protocol 88 needed
  Multicast still required unless neighbor statement used
EIGRP only advertises what it installs in the routing table
Troubleshooting considerations
  Auto-summary
  Split-horizon
  Duplicate Router-IDs for external routes
  No seed metric for external routes
  Distribute-list filters

345 EIGRP Path Selection
Feasible distance must be finite to use and advertise a path
  show ip eigrp topology
Unequal cost load balancing only supported for Feasible Successors
  IF Advertised Distance < Feasible Distance, Feasible Successor = TRUE
Modifying bandwidth for path selection can starve EIGRP updates of bandwidth
  ip bandwidth-percent eigrp

Common EIGRP Verifications
  show ip route
  show ip eigrp neighbor
  show ip eigrp topology
  show ip eigrp topology all-links
  debug eigrp packet hello
  debug eigrp packet query reply
More info at Troubleshooting EIGRP
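The feasibility condition from the slide, applied to a constructed topology table as an added Python example (not INE course material and not IOS code): for one prefix it picks the successor, tests each remaining neighbor's advertised distance against the feasible distance, and shows why a path with the same total metric as a feasible successor can still be rejected. The variance rule (install a feasible successor when its metric is below FD times variance) is included as an assumption that goes slightly beyond the slide.

```python
"""EIGRP successor / feasible successor selection for one destination.

Added example for the EIGRP path selection slide; not INE course material
and not IOS code. The topology entries are constructed; metrics are plain
integers so the feasibility condition stays visible.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class TopologyEntry:
    neighbor: str
    reported_distance: int   # neighbor's own FD to the destination (advertised distance)
    link_cost: int           # cost from this router to that neighbor

    @property
    def total(self) -> int:
        """Our metric through this neighbor: its advertised distance plus the link."""
        return self.reported_distance + self.link_cost


def feasible_distance(entries: List[TopologyEntry]) -> Optional[int]:
    """Lowest total metric; None when no path exists (FD infinite, nothing advertised)."""
    return min((e.total for e in entries), default=None)


def classify(entries: List[TopologyEntry], variance: int = 1) -> Dict[str, object]:
    """Split entries into successor(s), feasible successors and the rest.

    Feasibility condition from the slide: a neighbor is a feasible successor
    when its advertised distance is strictly less than our feasible distance,
    which guarantees it is not routing back through us. 'variance' models
    unequal-cost load balancing (assumption: a feasible successor is installed
    when its total metric is less than FD * variance).
    """
    fd = feasible_distance(entries)
    result: Dict[str, object] = {
        "fd": fd, "successors": [], "feasible": [], "installed": [], "ignored": [],
    }
    if fd is None:
        return result
    for e in entries:
        if e.total == fd:
            result["successors"].append(e.neighbor)
            result["installed"].append(e.neighbor)
        elif e.reported_distance < fd:
            result["feasible"].append(e.neighbor)
            if e.total < fd * variance:
                result["installed"].append(e.neighbor)
        else:
            # Same or worse total metric AND advertised distance >= FD: the
            # neighbor may be reaching the prefix through us, so it is never
            # used as a backup without a DUAL query first.
            result["ignored"].append(e.neighbor)
    return result


# Constructed topology for one prefix as seen from R1 (three neighbors).
DEST = [
    TopologyEntry("R2", reported_distance=10, link_cost=10),  # total 20 -> successor
    TopologyEntry("R3", reported_distance=15, link_cost=15),  # total 30, AD 15 < 20 -> FS
    TopologyEntry("R4", reported_distance=25, link_cost=5),   # total 30, AD 25 >= 20 -> not FS
]

if __name__ == "__main__":
    for v in (1, 2):
        print(f"variance {v}: {classify(DEST, variance=v)}")
```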

346 Troubleshooting EIGRP Advertisement

OSPF Workflow
OSPF operation can be subdivided into four discrete steps
  Discover OSPF Neighbors
  Exchange Topology Information
  Choose Best Path
  Neighbor and Topology Table Maintenance

347 Discovering OSPF Neighbors
Requires IP protocol 89 multicast ( / ) or unicast transport depending on network type
  Possible NBMA pseudo-broadcast support issues
  Possible filtering issues

Discovering OSPF Neighbors (cont.)
Attributes that must be unique to proceed
  IP address
  Router-ID
Attributes that must match to proceed
  Subnet
  Area
  Compatible Network Types
  Timers
  MTU
  Stub Flags
  Authentication

348 Exchanging OSPF Topology Info
Intra-area routes flooded via LSA 1 & LSA 2
  Duplicate router-id issues
  DR/BDR on NBMA issues
Inter-area routes flooded via LSA 3 by ABR
  Discontiguous area 0 issue
External routes flooded via LSA 4, and 5 or 7
  Duplicate router-id issues
  NSSA connectivity issues
  Forward address issue on translated 7 to 5 LSA

Common OSPF Verifications
  show ip route
  show ip ospf neighbor
  show ip ospf database
  debug ip ospf adj
More info at Troubleshooting OSPF

349 Internetwork Expert's CCNP Bootcamp: BGP Troubleshooting

BGP Workflow
BGP operation can be subdivided into five discrete steps
  Establish BGP peerings
  Learn BGP table
  Choose Best Path
  Advertise Best Paths
  Routing using BGP

350 Establishing BGP Peerings
Requires TCP port 179 transport
Troubleshooting considerations
  IGP routing
  Default route & initiating peering
  Update source
  Client/server relationship & filtering
  TTL
    eBGP multihop
    TTL Security
  NAT & Next-Hop

Establishing BGP Peerings (cont.)
BGP peers must agree on attributes to establish peering
  Peer addresses
  Unique RID
  ASNs
    Hide Local-AS
  Authentication (TCP Option)
  Capabilities (address-families)

351 Learning the BGP Table
Troubleshooting considerations
  AS-Path looping
    Allow-AS in
    AS-Override (MPLS VPN)
  Inbound Filters
    Route-map, distribute-list, AS_PATH filter etc.
    ORF
  Max AS limit
  Enforce First AS
    Unlikely but possible

Choose BGP Best Path
  Valid Next Hop
  BGP Synchronization
  Router ID
  Matching BGP Attributes
    Weight, Local-Preference, AS_PATH, MED, etc.
  Improper Attribute Manipulation
  BGP Dampening
  Nexthop tracking

352 Advertising Best Paths
  Advertisement Interval Delays
  Outbound Filters
    Route-Map, Distribute-List, Prefix-List
  iBGP Split Horizon Rule
    Full Mesh
    Route Reflectors
    Confederations
  Synchronization

Routing using BGP
  Installing Best Paths
    Nexthop Recursion issues
    AD Collisions & Race Condition
    Backdoor Networks
    eBGP Default AD 20
  BGP Blackholes
    Redistribution
    iBGP Redistribution
    Tunneling

353 Common BGP Commands
  show ip bgp summary
  show ip bgp
  show ip bgp neighbor [advertised-routes]
  debug ip tcp transaction
  debug ip bgp events
  debug ip bgp updates

Further Reading
  Troubleshooting BGP
  Why Do BGP Neighbors Toggle Between Idle, Connect, and Active States?
  Troubleshooting When BGP Routes Are Not Advertised
  Troubleshooting Flapping BGP Routes (Recursive Routing Failure)

354 Internetwork Expert's CCNP Bootcamp: IPv6 Troubleshooting

IPv6 Issues Classification
  Layer 1/2 Problems: common to other protocols
  Layer 3 Issues
  Routing Protocol Issues
  IPv6 Tunneling Problems

355 Layer 3 Issues
  Misconfigurations (e.g. wrong address or prefix length)
  NBMA
    No Inverse-ARP for Frame Relay
    Manual mapping required
  Auto-Configuration
    RA not properly configured
  IPv6 not supported in transit
    E.g. no fallback bridging

Routing Protocols
  Configuration differs from IPv4
    Different redistribution
    Different advertisement
  Link-local addressing used by IGP packets
    Needs to be mapped on NBMA

356 Tunneling
  Different tunnel types
  Firewall filtering
  Tunnel misconfiguration
    6to4
    ISATAP
  Static routing over the tunnels
    Misconfigurations

357 Internetwork Expert's CCNP Bootcamp: IP Services Troubleshooting

DHCP Troubleshooting
  DHCP pool not matched
    Wrong address range, MAC address/client-ID
  DHCP parameters wrong
    Wrong default GW, wrong DNS servers
  DHCP attributes not inherited
    Subnets don't overlap
    debug ip dhcp server linkage
  Centralized DHCP
    Wrong helper address or unreachable giaddr
Debugging command: debug ip dhcp server {event | packet}


More information

Configuring Private VLANs

Configuring Private VLANs CHAPTER 15 This chapter describes how to configure private VLANs on the Cisco 7600 series routers. Note For complete syntax and usage information for the commands used in this chapter, refer to the Cisco

More information

Introduction to Switched Networks Routing And Switching

Introduction to Switched Networks Routing And Switching Introduction to Switched Networks Routing And Switching 1 Converged Networks Growing Complexity of Networks Our digital world is changing Information must be accessed from anywhere in the world Networks

More information

1 of :22

1 of :22 Feedback: Help us help you Please rate this document. Excellent Good Average Fair Poor This document solved my problem. Yes No Just Browsing Suggestions to improve this document. (512 character limit)

More information

CCNA 3 (v v6.0) Chapter 3 Exam Answers % Full

CCNA 3 (v v6.0) Chapter 3 Exam Answers % Full CCNA 3 (v5.0.3 + v6.0) Chapter 3 Exam Answers 2017 100% Full ccnav6.com /ccna-3-v5-0-3-v6-0-chapter-3-exam-answers-2017-100-full.html CCNA Exam Answers 2017 CCNA 3 (v5.0.3 + v6.0) Chapter 3 Exam Answers

More information

Exam Questions

Exam Questions Exam Questions 200-105 ICND2 Interconnecting Cisco Networking Devices Part 2 (ICND2 v3.0) https://www.2passeasy.com/dumps/200-105/ 1.At which layer of the OSI model is RSTP used to prevent loops? A. physical

More information

Configuring VLANs. Understanding VLANs CHAPTER

Configuring VLANs. Understanding VLANs CHAPTER CHAPTER 9 This chapter describes how to configure normal-range VLANs (VLAN IDs 1 to 1005) and extended-range VLANs (VLAN IDs 1006 to 4094). It includes information about VLAN membership modes, VLAN configuration

More information

CHAPTER 1 LAN Design

CHAPTER 1 LAN Design CHAPTER 1 LAN Design As a business grows, so does its networking requirements. To keep pace with a business s expansion and new emerging technologies, a network must be designed to scale. A network that

More information

Chapter 10: Review and Preparation for Troubleshooting Complex Enterprise Networks

Chapter 10: Review and Preparation for Troubleshooting Complex Enterprise Networks 0: Review and Preparation for Troubleshooting Complex Enterprise Networks CCNP TSHOOT: Maintaining and Troubleshooting IP Networks Chapter TSHOOT 1v6 0 1 0 Objectives Review key maintenance and troubleshooting

More information

: Building Cisco Multilayer Switched Networks

: Building Cisco Multilayer Switched Networks Exam : Cisco 642-812 Title : Building Cisco Multilayer Switched Networks Version : Demo Cheat-Test,help you pass any IT exam! Q: 1 Which three statements about the Multiple Spanning Tree (MST) protocol

More information

VLANs. CCNA Exploration Semester 3 Chapter Sep-13

VLANs. CCNA Exploration Semester 3 Chapter Sep-13 VLANs CCNA Exploration Semester 3 Chapter 3 1 Topics The role of VLANs in a network Trunking VLANs Configure VLANs on switches Troubleshoot common VLAN problems 2 Semester 3 LAN Design Basic Switch Concepts

More information

Configuring VLANs. Understanding VLANs CHAPTER

Configuring VLANs. Understanding VLANs CHAPTER CHAPTER 11 This chapter describes how to configure normal-range VLANs (VLAN IDs 1 to 1005) and extended-range VLANs (VLAN IDs 1006 to 4094) on your Catalyst 3550 switch. It includes information about VLAN

More information

Configuring Virtual Private LAN Services

Configuring Virtual Private LAN Services Virtual Private LAN Services (VPLS) enables enterprises to link together their Ethernet-based LANs from multiple sites via the infrastructure provided by their service provider. This module explains VPLS

More information

Cisco Exploration 3 Module 3 LAN Switching and Wireless Jim Johnston Class Notes September 9, 2008

Cisco Exploration 3 Module 3 LAN Switching and Wireless Jim Johnston Class Notes September 9, 2008 Cisco Exploration 3 Module 3 LAN Switching and Wireless Jim Johnston Class Notes September 9, 2008 VLAN is a logically separate IP subnetwork. This allows multiple networks to exist on a switch and provide

More information

Configuring Private VLANs

Configuring Private VLANs 36 CHAPTER This chapter describes private VLANs (PVLANs) on Catalyst 4500 series switches. It also provides restrictions, procedures, and configuration examples. This chapter includes the following major

More information

CCNA Cisco Certified Network Associate CCNA (v3.0)

CCNA Cisco Certified Network Associate CCNA (v3.0) 200-125 - CCNA Cisco Certified Network Associate CCNA (v3.0) 1.What is one benefit of PVST+? A. PVST+ supports Layer 3 load balancing without loops. B. PVST+ reduces the CPU cycles for all the switches

More information

CCNP SWITCH (22 Hours)

CCNP SWITCH (22 Hours) CCNP SWITCH 642-813 (22 Hours) Chapter-1 Enterprise Campus Network Design 1.1 IIN & SONA 1.2 Campus Network 1.3 Enterprise Model 1.4 Nonhierarchical Network Devices Layer-2 Switching, Layer-3 Routing Multilayer

More information

Configuring VLANs. Understanding VLANs CHAPTER

Configuring VLANs. Understanding VLANs CHAPTER CHAPTER 16 This chapter describes how to configure normal-range VLANs (VLAN IDs 1 to 1005) and extended-range VLANs (VLAN IDs 1006 to 4094) on your Catalyst 2950 or Catalyst 2955 switch. It includes information

More information

Configuring VLANs. Understanding VLANs CHAPTER

Configuring VLANs. Understanding VLANs CHAPTER 7 CHAPTER This chapter describes how to configure normal-range VLANs (VLAN IDs 1 to 1005) and extended-range VLANs (VLAN IDs 1006 to 4094) on the Cisco MWR 2941 router. It includes information about VLAN

More information

Configuring VTP. Understanding How VTP Works CHAPTER

Configuring VTP. Understanding How VTP Works CHAPTER CHAPTER 13 This chapter describes how to configure the VLAN Trunking Protocol (VTP) on the Cisco 7600 series routers. For complete syntax and usage information for the commands used in this chapter, refer

More information

Advanced Troubleshooting CCIE Routing & Switching v5.0

Advanced Troubleshooting CCIE Routing & Switching v5.0 Advanced Troubleshooting CCIE Routing & Switching v5.0 www.micronicstraining.com Narbik Kocharians CCSI, CCIE #12410 R&S, Security, SP Switching-I Questions & Answers CCIE R&S by Narbik Kocharians Advanced

More information

CHAPTER 1: VLANS. Routing & Switching

CHAPTER 1: VLANS. Routing & Switching CHAPTER 1: VLANS Routing & Switching CHAPTER 1 1.1 VLAN Segmentation 1.2 VLAN Implementation 1.3 VLAN Security and Design 1.4 Summary CHAPTER 1 : OBJECTIVES Explain the purpose of VLANs in a switched network.

More information

Top-Down Network Design

Top-Down Network Design Top-Down Network Design Chapter Five Designing a Network Topology Original slides copyright by Cisco Press & Priscilla Oppenheimer Network Topology Design Issues Hierarchy Redundancy Modularity Well-defined

More information

Cisco 4-Port and 8-Port Layer 2 Gigabit EtherSwitch Network Interface Module Configuration Guide for Cisco 4000 Series ISR

Cisco 4-Port and 8-Port Layer 2 Gigabit EtherSwitch Network Interface Module Configuration Guide for Cisco 4000 Series ISR Cisco 4-Port and 8-Port Layer 2 Gigabit EtherSwitch Network Interface Module Configuration Guide for Cisco 4000 Series First Published: 2015-04-06 Last Modified: 2017-12-21 Cisco 4-Port and 8-Port Layer

More information

Introduction to OSPF

Introduction to OSPF Campus Networking Introduction to OSPF Workshop Campus Layer-2 Networking Network Workshop Design These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0 Unported license

More information

Question No: 1 What is the maximum number of switches that can be stacked using Cisco StackWise?

Question No: 1 What is the maximum number of switches that can be stacked using Cisco StackWise? Volume: 283 Questions Question No: 1 What is the maximum number of switches that can be stacked using Cisco StackWise? A. 4 B. 5 C. 8 D. 9 E. 10 F. 13 Answer: D Question No: 2 A network engineer wants

More information

Catalyst 1900 Series and Catalyst 2820 Series Enterprise Edition Software Configuration Guide

Catalyst 1900 Series and Catalyst 2820 Series Enterprise Edition Software Configuration Guide INDEX A allowed list, VLAN 2-28 to 2-29 ATM 2-5 firmware upgrade B-5 to B-7 LANE trunk connections 1-4 module 2-9, 2-13, 2-23 networks 2-5 trunk 2-4, 2-14 B bridge groups 3-15 bridge number 2-10 Bridge

More information

Introducing Campus Networks

Introducing Campus Networks Cisco Enterprise Architecture Introducing Campus Networks 2003, Cisco Systems, Inc. All rights reserved. 2-1 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-2 Campus Data Center Combines switching

More information

Top-Down Network Design, Ch. 7: Selecting Switching and Routing Protocols. Top-Down Network Design. Selecting Switching and Routing Protocols

Top-Down Network Design, Ch. 7: Selecting Switching and Routing Protocols. Top-Down Network Design. Selecting Switching and Routing Protocols Top-Down Network Design Chapter Seven Selecting Switching and Routing Protocols Copyright 2010 Cisco Press & Priscilla Oppenheimer 1 Switching 2 Page 1 Objectives MAC address table Describe the features

More information

Exam Topics Cross Reference

Exam Topics Cross Reference Appendix R Exam Topics Cross Reference This appendix lists the exam topics associated with the ICND1 100-105 exam and the CCNA 200-125 exam. Cisco lists the exam topics on its website. Even though changes

More information

Configuring VLANs. Understanding VLANs CHAPTER

Configuring VLANs. Understanding VLANs CHAPTER CHAPTER 11 This chapter describes how to configure normal-range VLANs (VLAN IDs 1 to 1005) and extended-range VLANs (VLAN IDs 1006 to 4094) on the Cisco ME 3400 Ethernet Access switch. It includes information

More information

CCNP SWITCH 6.0 Student Lab Manual

CCNP SWITCH 6.0 Student Lab Manual CCNP SWITCH 6.0 Student Lab Manual This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document for non-commercial distribution and exclusive use by

More information

TEXTBOOK MAPPING CISCO COMPANION GUIDES

TEXTBOOK MAPPING CISCO COMPANION GUIDES TestOut Routing and Switching Pro - English 6.0.x TEXTBOOK MAPPING CISCO COMPANION GUIDES Modified 2018-08-20 Objective Mapping: Cisco 100-105 ICND1 Objective to LabSim Section # Exam Objective TestOut

More information

Lab 5: Inter-VLANs Routing

Lab 5: Inter-VLANs Routing Lab 5: Inter-VLANs Routing Network Topology:- Device Interface IP Address Subnet Mask Gateway/Clock Rate Fa 0/0.10 10.5.0.1 255.255.255.192 ----- R1 Fa 0/0.20 10.6.0.1 255.255.255.192 ----- Fa 0/0.30 10.10.0.1

More information

TestOut Routing and Switching Pro - English 6.0.x COURSE OUTLINE. Modified

TestOut Routing and Switching Pro - English 6.0.x COURSE OUTLINE. Modified TestOut Routing and Switching Pro - English 6.0.x COURSE OUTLINE Modified 2017-07-10 TestOut Routing and Switching Pro Outline- English 6.0.x Videos: 133 (15:42:34) Demonstrations: 78 (7:22:19) Simulations:

More information

PASS4TEST IT 인증시험덤프전문사이트

PASS4TEST IT 인증시험덤프전문사이트 PASS4TEST IT 인증시험덤프전문사이트 http://www.pass4test.net 일년동안무료업데이트 Exam : 640-802 Title : Cisco Certified Network Associate(CCNA) Vendors : Cisco Version : DEMO 1 / 10 Get Latest & Valid 640-802 Exam's Question

More information

"Charting the Course... Interconnecting Cisco Networking Devices Accelerated 3.0 (CCNAX) Course Summary

Charting the Course... Interconnecting Cisco Networking Devices Accelerated 3.0 (CCNAX) Course Summary Description Course Summary The Cisco CCNA curriculum includes a third course, Interconnecting Cisco Networking Devices: Accelerated (CCNAX), consisting of Interconnecting Cisco Networking Devices, Part

More information

CIS 83 Midterm Spring 2004 Answer Sheet Name Score Grade Question Answer Question Answer

CIS 83 Midterm Spring 2004 Answer Sheet Name Score Grade Question Answer Question Answer CIS 83 Midterm Spring 2004 Answer Sheet Name: Score: Grade: Question Answer Question Answer 1 A B C D E F 51 A B C D E F 2 A B C D E F 52 A B C D E F 3 A B C D E F 53 A B C D E F 4 A B C D E F 54 A B C

More information

Configuring Rapid PVST+

Configuring Rapid PVST+ This chapter contains the following sections: Information About Rapid PVST+, page 1, page 16 Verifying the Rapid PVST+ Configuration, page 24 Information About Rapid PVST+ The Rapid PVST+ protocol is the

More information

Table of Contents. isco Configuring 802.1q Trunking Between a Catalyst 3550 and Catalyst Switches Running Integrated Cisco IOS (Nativ

Table of Contents. isco Configuring 802.1q Trunking Between a Catalyst 3550 and Catalyst Switches Running Integrated Cisco IOS (Nativ king Between a Catalyst 3550 and Catalyst Switches Running isco Configuring 802.1q Trunking Between a Catalyst 3550 and Catalyst Switches Running Integrated Cisco IOS (Nativ Table of Contents Configuring

More information

Understanding and Configuring VTP

Understanding and Configuring VTP 27 CHAPTER This chapter describes the VLAN Trunking Protocol (VTP) on the Catalyst 4500 series switch. It also provides guidelines, procedures, and configuration examples. This chapter includes the following

More information

Exam : Cisco Title : Update : Demo. Composite Exam

Exam : Cisco Title : Update : Demo. Composite Exam Exam : Cisco 642-892 Title : Composite Exam Update : Demo 1. Refer to the exhibit. EIGRP is configured on all routers in the network. On the basis of the output provided, which statement is true? A. Because

More information

Configuring VLANs. Understanding VLANs CHAPTER

Configuring VLANs. Understanding VLANs CHAPTER CHAPTER 14 This chapter describes how to configure normal-range VLANs (VLAN IDs 1 to 1005) and extended-range VLANs (VLAN IDs 1006 to 4094). It includes information about VLAN modes and the VLAN Membership

More information

1. Which two statements are true about VLAN implementation? (Choose two.)

1. Which two statements are true about VLAN implementation? (Choose two.) CCNA 2 Chapter 3 v5.0 Exam Answers 2015 (100%) 1. Which two statements are true about VLAN implementation? (Choose two.) The size of the collision domain is reduced. The number of required switches in

More information

PT Activity 4.3.3: Configure VTP

PT Activity 4.3.3: Configure VTP Topology Diagram Learning Objectives Investigate the current configuration. Configure S1 as VTP server. Configure S2 and S3 as VTP clients. Configure VLANs on S1. Configure trunks on S1, S2, and S3. Verify

More information

Additional Scenarios A P P E N D I X

Additional Scenarios A P P E N D I X A P P E N D I X F Additional Scenarios Each chapter of this book focuses on a small set of related topics so that you can more easily digest the material. However, the CCNA exams require that you be able

More information

Configuring VLAN CHAPTER

Configuring VLAN CHAPTER CHAPTER 10 LMS collects data about devices so that you can configure and manage Virtual Local Area Network (VLAN) in your network. You must set up your LMS server properly to ensure that Data Collection

More information

Exam4Tests. Latest exam questions & answers help you to pass IT exam test easily

Exam4Tests.   Latest exam questions & answers help you to pass IT exam test easily Exam4Tests http://www.exam4tests.com Latest exam questions & answers help you to pass IT exam test easily Exam : 200-101 Title : Interconnecting Cisco Networking Devices Part 2 (ICND2) Vendor : Cisco Version

More information

CISCO EXAM QUESTIONS & ANSWERS

CISCO EXAM QUESTIONS & ANSWERS CISCO 200-101 EXAM QUESTIONS & ANSWERS Number: 200-101 Passing Score: 800 Time Limit: 120 min File Version: 32.2 http://www.gratisexam.com/ CISCO 200-101 EXAM QUESTIONS & ANSWERS Exam Name: Interconnecting

More information

Qus1:-What is cat stands for in networking?

Qus1:-What is cat stands for in networking? Qus1:-What is cat stands for in networking? Ans :- Cat stands for "CATEGORY". Which started from Cat1 (Category1) and now extend up to Cat7 (Category 7). Improved version/category of cable improve the

More information

Configuring VLANs. Finding Feature Information. Prerequisites for VLANs

Configuring VLANs. Finding Feature Information. Prerequisites for VLANs Finding Feature Information, page 1 Prerequisites for VLANs, page 1 Restrictions for VLANs, page 2 Information About VLANs, page 2 How to Configure VLANs, page 7 Monitoring VLANs, page 19 Where to Go Next,

More information

Building Cisco Multilayer Switched Networks (BCMSN)

Building Cisco Multilayer Switched Networks (BCMSN) Building Cisco Multilayer Switched Networks (BCMSN) Table of Contents Module 1 Defining VLANs Implementing Best Practices for VLAN Topologies Describing Issues in a Poorly Designed Network Grouping Business

More information

Behavior of Cisco Discovery Protocol between Routers and Switches

Behavior of Cisco Discovery Protocol between Routers and Switches Behavior of Cisco Discovery Protocol between Routers and Switches Document ID: 118736 Contributed by Meghana Tandon, Sumanth Srinath, and Vishnu Asok, Cisco TAC Engineers. May 06, 2015 Contents Introduction

More information

Interconnecting Cisco Networking Devices: Accelerated

Interconnecting Cisco Networking Devices: Accelerated Interconnecting Cisco Networking Devices: Accelerated CCNAX v3.0; 5 days, Instructor-led Course Description The Cisco CCNA curriculum includes a third course, Interconnecting Cisco Networking Devices:

More information