
IPexperts CCIE R&S Written

Video on Demand Series


Instructor: Piotr Kauny, CCIE #25665

IPexpert, Inc.

The Blueprint

Implement Layer 2 Technologies


Implement IPv4
Implement IPv6
Implement MPLS Layer 3 VPNs
Implement IP Multicast
Implement Network Security
Implement Network Services
Implement Quality of Service (QoS)
Troubleshoot a Network
Optimize the Network
Evaluate proposed changes to a Network

Rev. 1700
IPexperts CCIE R&S Written VoD Series


The Quiz

Each section ends with a Quiz (15 questions)

Final Quiz contains 50 questions

The answers should be separated by a space; always put them in alphabetical order. Watch out for white spaces:
a b, b e, c d - OK
b a, be, c d - WRONG


Thank You!


1.0 Implement Layer 2 Technologies


1.01 Implement Spanning Tree (STP)


STP
Spanning Tree Protocol (802.1d)

Used to ensure a loop-free topology in an L2 domain

Builds an active physical topology

Redundant paths are blocked


STP Example (diagram not reproduced in the text: switches S1, S2 and S3 with an ARP exchange)


Operations of STP

Bridge Protocol Data Units are simply STP packets

BPDUs are initially sent out of all enabled interfaces

Two types of BPDUs:
1. Hello BPDUs (used in STP operations)
2. TCN BPDUs (used in STP reconvergence)

STP Algorithm is a 3-step process:
1. Root Bridge Election
2. Root Port is chosen
3. Designated Ports are chosen


Operations of STP - Root Bridge

One Root per VLAN (PVST+)

Bridge ID = (Priority+SystemID).MAC
spanning-tree extend system-id cannot be disabled

Root Bridge ID is initially set to the Sender Bridge ID

Only lower Bridge-ID Hellos are forwarded (Superior BPDUs)

All Root Bridge ports are placed into the forwarding state


Operations of STP - Root Port

Lowest-cost path to the Root Bridge

Path cost = BPDU cost + the receiving interface's cost

There is only one Root Port per device


Operations of STP - Designated Ports

Only one switch is allowed to forward into a segment

A switch port advertising the lowest-cost Hello becomes a DP

Root Port can be considered an upstream port; Designated Port can be considered a downstream port

Both ports are bidirectional when forwarding traffic

All other inter-switch ports are blocked

Host ports are forwarding



Operations of STP - Tie breakers

Root Port and Designated Ports use the lowest path cost as the reference

What if costs are the same for multiple links?

Tie breakers:
1. Lowest Sender Bridge ID. If it is the same on multiple ports, those ports connect to the same switch
2. Lowest Sender Bridge Port ID (Priority.Port_Nr)
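The three-step algorithm and its tie-breakers, worked through in code as an added example (not code from the IPexpert slides): root election, then Root Port and Designated Port selection on a constructed four-switch topology whose parallel S2-S4 links force both tie-breakers to be used. Switch names, MACs, port numbers and costs are all constructed, and root path costs are computed with a shortest-path search rather than by exchanging BPDUs.

```python
import heapq
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True, order=True)
class BridgeId:
    """Bridge ID = (Priority + System ID).MAC; the numerically lowest wins."""
    priority: int  # 4-bit priority plus the 12-bit extended system ID (VLAN number)
    mac: str

@dataclass(frozen=True, order=True)
class PortId:
    """Port ID = Priority.Port_Nr (priority 128 by default); the second tie-breaker."""
    priority: int
    number: int

@dataclass(frozen=True)
class End:
    """One side of a link: the switch, its port and that interface's STP cost."""
    switch: str
    port: PortId
    cost: int

Link = Tuple[End, End]

def elect_root(bridges: Dict[str, BridgeId]) -> str:
    """Step 1: the switch with the lowest Bridge ID becomes the Root Bridge."""
    return min(bridges, key=bridges.get)

def root_path_costs(links: List[Link], root: str) -> Dict[str, int]:
    """Root path cost per switch = upstream cost + the receiving interface's cost."""
    dist, heap = {root: 0}, [(0, root)]
    while heap:
        d, sw = heapq.heappop(heap)
        if d > dist[sw]:
            continue
        for a, b in links:
            if sw not in (a.switch, b.switch):
                continue
            far = b if a.switch == sw else a
            if d + far.cost < dist.get(far.switch, float("inf")):
                dist[far.switch] = d + far.cost
                heapq.heappush(heap, (d + far.cost, far.switch))
    return dist

def assign_roles(bridges: Dict[str, BridgeId], links: List[Link]):
    """Steps 2 and 3: returns (root, root port per switch, role of every port)."""
    root = elect_root(bridges)
    dist = root_path_costs(links, root)
    root_ports: Dict[str, PortId] = {}
    for sw in bridges:
        if sw == root:
            continue  # the Root Bridge has no Root Port
        best = None
        for a, b in links:
            if sw not in (a.switch, b.switch):
                continue
            mine, far = (a, b) if a.switch == sw else (b, a)
            # Lowest root path cost, then lowest sender Bridge ID, then lowest
            # sender Port ID: exactly the order of the slides' tie-breakers.
            key = (dist[far.switch] + mine.cost, bridges[far.switch], far.port)
            if best is None or key < best[0]:
                best = (key, mine.port)
        root_ports[sw] = best[1]
    roles: Dict[Tuple[str, PortId], str] = {}
    for a, b in links:
        # Designated Port: the end advertising the lowest-cost Hello on the segment,
        # with the same tie-breakers applied to each sender's own Bridge/Port ID.
        adv = lambda e: (dist[e.switch], bridges[e.switch], e.port)
        dp, other = (a, b) if adv(a) < adv(b) else (b, a)
        roles[(dp.switch, dp.port)] = "DP"
        # The non-designated end is either that switch's Root Port or it is blocked.
        is_rp = root_ports.get(other.switch) == other.port
        roles[(other.switch, other.port)] = "RP" if is_rp else "BLK"
    return root, root_ports, roles

# Constructed topology: default priority 32768 + VLAN 10 for every switch, every
# link costs 19. S2 and S4 are joined by two parallel links, so S4 sees three
# equal-cost paths to the Root and must use the Bridge ID, then Port ID, tie-breakers.
BRIDGES = {
    "S1": BridgeId(32768 + 10, "0000.0000.0001"),
    "S2": BridgeId(32768 + 10, "0000.0000.0002"),
    "S3": BridgeId(32768 + 10, "0000.0000.0003"),
    "S4": BridgeId(32768 + 10, "0000.0000.0004"),
}
P = lambda n: PortId(128, n)  # default port priority 128
LINKS: List[Link] = [
    (End("S1", P(1), 19), End("S2", P(1), 19)),
    (End("S1", P(2), 19), End("S3", P(1), 19)),
    (End("S2", P(2), 19), End("S4", P(1), 19)),
    (End("S2", P(3), 19), End("S4", P(3), 19)),
    (End("S3", P(2), 19), End("S4", P(2), 19)),
]

if __name__ == "__main__":
    root, _, roles = assign_roles(BRIDGES, LINKS)
    print("Root bridge:", root)
    for (sw, port), role in sorted(roles.items()):
        print(f"{sw} Fa0/{port.number}: {role}")
```

S4 ends up with its Root Port on the link to S2 Fa0/2 (lower sender Bridge ID than S3, lower sender Port ID than S2 Fa0/3) and both other uplinks blocked.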


Example STP Topology (diagram not reproduced in the text)

STP Interface States

Ports don't transition immediately

There are five STP interface states:
1. Disabled - does not participate in STP
2. Blocking - does not forward traffic, only receives BPDUs
3. Listening - does not forward traffic, sends & receives BPDUs
4. Learning - does not forward traffic, sends & receives BPDUs, populates CAM
5. Forwarding - sends traffic, sends & receives BPDUs, populates CAM


STP Timers

STP Timers are set by the Root Bridge for the entire domain (sent in Hellos):

Hello timer says how often BPDUs are sent (2 seconds by default)

Forward Delay determines how long the Listening and Learning phases last (15 seconds by default)

MaxAge is effectively a hold-time for BPDUs (20 seconds by default): how long to keep ports in the blocking state when BPDUs are not received

Each switch port keeps a copy of the last Superior BPDU received

Stable STP Topology (diagram not reproduced in the text)

STP Reconvergence

There are two types of link failures:
1. Direct change (MaxAge is NOT involved)
2. Indirect change (MaxAge is involved)

Blocking Ports pretty much don't count

If the Root Port fails, the STP Algorithm starts again. Blocked ports are moved into the Listening state, BPDUs are sent, etc.

If a Designated Port fails, a TCN BPDU is generated (which always goes upstream, to the Root). The next upstream device acknowledges it (the TCA bit is set in the next forwarded Hello)

STP Reconvergence cont.

The TCN/TCA process starts over again. Another TCN BPDU is generated, now on this upstream switch, then the next upper device sends a TCA, and so on

When the TCN frame finally reaches the Root, the next several Hellos will have the Topology Change bit set (TC flag). The TC bit is kept set for MaxAge + Forward Delay

All switches that receive a BPDU with the TC flag set shorten their CAM table aging time from the default 300 seconds to the Forward Delay value (15 seconds by default)

Prevents CAM table corruption. Does not say what happened, only that something happened (like Lassie)

STP Reconvergence Example (diagram not reproduced in the text: S1 as Root, S2, S3 and S4 with PC1 and PC2; ports marked D, RP and B)


STP Reconvergence cont.

When a port goes into the forwarding state, a TCN BPDU will be generated, but only when the switch has at least one DP

Direct topology change takes 30 seconds by default (Listening + Learning)

Indirect change takes 50 seconds by default (MaxAge + Listening + Learning)


STP Configuration


Disable STP Instance
no spanning-tree vlan vlan_nr

Root Bridge
spanning-tree vlan vlan_nr root primary

Secondary (possible backup) Root Bridge
spanning-tree vlan vlan_nr root secondary


STP Configuration - Traffic Engineering

STP Cost
spanning-tree cost cost

Port Priority
spanning-tree port-priority priority


Configuration Verification
show spanning-tree [detail|root] - Displays STP information
show spanning-tree vlan - Displays STP information for a specified VLAN


STP Optimizations


Built-in to RSTP

In STP, depending on the Layer 2 domain size, convergence may take even more than a minute

PortFast

UplinkFast

BackboneFast



STP Optimizations - PortFast

Used on ports connected to end-devices

Listening and Learning states are bypassed

TCN BPDUs are NOT generated

Can also be enabled on trunks, for example on ports connected to the ASA or IPS



PortFast Configuration

Per-interface
spanning-tree portfast [trunk]

Globally on all non-trunking interfaces
spanning-tree portfast default


Configuration Verification
show spanning-tree interface portfast - Shows if PortFast is enabled on an interface
show spanning-tree summary - Displays the summary of port states of the STP section



STP Optimizations - UplinkFast

Should be used on access-layer switches with redundant uplinks

Accelerates election of a new Root Port

Listening and Learning phases are bypassed

Dummy multicast frames are generated that allow all switches to update their CAMs

Alternate Ports are non-Root Port interfaces where Root Hellos are received


UplinkFast example (diagram not reproduced in the text)


UplinkFast Configuration

Global Command
spanning-tree uplinkfast


Configuration Verification
show spanning-tree detail - Displays detailed information about STP
show spanning-tree summary - Displays the summary of port states of the STP section



STP Optimizations - BackboneFast

Inferior BPDU contains either a worse (higher) Bridge ID or, if Bridge IDs are the same, a higher Root Path Cost

Inferior BPDUs are generated in two conditions:
1. Root Port failed on the upstream switch
2. Designated switch's Root Path Cost increased

BackboneFast is used to optimize convergence for any indirect failures, taking the MaxAge time off the equation

Only triggered by the reception of an Inferior BPDU from a designated (upstream) switch

STP Optimizations - BackboneFast

When the first Hello goes missing and an Inferior BPDU has been received on a non-designated port, a Root Link Query Request is sent on all non-designated ports except the one the Inferior BPDU was received on

If the RLQ Response confirms the switch can still access the Root Bridge via a particular port, MaxAge is bypassed on the port that received the Inferior BPDU. This port will eventually go into blocking or forwarding, since the usual STP rules apply

If the RLQ Response comes back negative on a port, the BPDU is aged out on this port and it goes into the Listening state

In case all RLQ Responses suggest a different Root, STP runs from scratch

BackboneFast Example (diagram not reproduced in the text: S1 as Root, S2 and S3 exchanging an RLQ Request and RLQ Response; ports F0/1 (B), F0/2 (RP) and F0/3 (B), others marked D and RP)



BackboneFast Configuration

Global Command
spanning-tree backbonefast


Configuration Verification
show spanning-tree backbonefast - Displays STP BackboneFast status
show spanning-tree summary - Displays the summary of port states of the STP section



RSTP (802.1w)

Rapid convergence

PortFast, UplinkFast and BackboneFast are built-in

Can inter-operate with older switches (802.1d)

Point-to-point links are required for fast convergence. Link Type is learned from the duplex mode

RSTP differentiates between Port States and Port Roles


RSTP Port States

Only three Port States are available in RSTP:
1. Discarding (replaces Blocking)
2. Learning
3. Forwarding

No Listening and Disabled states

In 802.1d, Blocking could mean either the state OR the process: for example, data packets were also dropped in the Listening and Learning phases


RSTP Port Roles

Five Port Roles are available in RSTP:
1. Disabled (which was a state in 802.1d)
2. Root Port
3. Designated Port
4. Alternate Port
5. Backup Port

Disabled port does not participate in STP

Alternate Port is a non-Root port that receives Root BPDUs

Backup Port is a non-Root port that receives Root BPDUs from itself

RSTP Alternate Port (diagram not reproduced in the text)

RSTP Backup Port (diagram not reproduced in the text)

RSTP Convergence

Each switch generates BPDUs every 2 seconds

BPDUs serve as keepalives: if 3 are missed, a port transition occurs

RSTP Convergence is on a link-by-link basis

Proposal-Agreement mechanism

Proposals are sent down the DPs, Agreements are sent out of RPs

Only non-edge ports moving to the forwarding state cause the switch to generate a Topology Change

RSTP Convergence cont.

In RSTP, ports start as Designated Ports in the Discarding State (which corresponds to the 802.1d Listening state). This way only BPDUs can be exchanged between the switches

If a Superior BPDU is received on a port, a reconfiguration is triggered

If a received Proposal has been agreed, some ports are forced to synchronize

Only the following ports will be synchronized:
1. Ports in the Discarding State
2. Edge Ports

RSTP Convergence Example (diagram not reproduced in the text: S1 with the lowest Bridge ID, S2, S3 and S4 connected via F0/0, F0/1, F0/2 and F0/3)



RSTP Configuration

RSTP Mode
spanning-tree mode rapid-pvst

RSTP Link Type
spanning-tree link-type [point-to-point|shared]

The rest of the commands are the same as with 802.1d


Configuration Verification
show spanning-tree - Displays STP information



MSTP (802.1s)

Multiple Spanning Tree Protocol uses RSTP in its operations

Allows for mapping several VLANs into one STP Instance

Reduces CPU and memory burden

Networks usually don't need more than a few active physical topologies


MSTP Logic Example (diagram not reproduced in the text: S1, S2 and S3 joined by Link #1 and Link #2; MST #1 carries VLANs 1-400, MST #2 carries VLANs 401-800)


MSTP Region

Single MSTP Region is a collection of interconnected switches that have the same MST configuration

Hash of the VLANs-to-Instance mappings is sent to the neighbor along with the revision number and the name

Upon the reception, the neighboring device calculates its own hash (based on its local configuration), and if the digests match the devices are in the same MSTP Region

MSTP Configuration consists of three attributes:
1. Region Name
2. Revision Number
3. Mapped VLAN range

MSTP Region Example (diagram not reproduced in the text)


MSTP Configuration

Enable MSTP
spanning-tree mode mst

Enter MSTP Configuration Mode
spanning-tree mst configuration

Region, Revision Number & Mappings
name region_name
revision rev_nr
instance inst_nr vlan vlans

The rest of the commands are pretty much like with STP, just remember to use the mst keyword


Example MSTP Configuration


spanning-tree mst configuration
name REGION_1
revision 5
instance 1 vlan 10, 11, 12
instance 2 vlan 20, 21, 22
spanning-tree mst 0-1 root primary
spanning-tree mst 2 root secondary
interface FastEthernet 0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 10,11,12,20,21,22

Configuration Verification
show spanning-tree mst configuration - Displays the MSTP region configuration
show spanning-tree mst inst_id - Displays MSTP information for a specified region



Loop Guard

Protects against Layer 2 loops

Unidirectional Links may drop BPDUs

Normally, without Loop Guard, the port transitions to forwarding after MaxAge + 2x Forward Delay, potentially causing loops

With Loop Guard enabled, after MaxAge expires, the port is moved into the loop-inconsistent state. The loop is avoided

Once BPDUs start flowing again, the port falls back to the STP blocking state


Loop Guard Example (diagram not reproduced in the text: Root, S1, S2 and S3 with BPDU flows shown; ports marked D, RP and B, Loop Guard on S3)


Loop Guard Summary & Interoperability

Loop Guard Summary:
- Works on non-designated ports, not allowing them to become DPs
- After MaxAge expires the port moves into the loop-inconsistent state
- Ports are blocked on a per-VLAN basis
- Protects against software failures (e.g. BPDUs are not generated)

Loop Guard Interoperability with other features:
- Cannot be enabled on PortFast ports
- Mutually exclusive with Root Guard (Root Guard works on designated ports, preventing them from becoming non-designated)


Loop Guard Configuration

Per-interface
spanning-tree guard loop

Globally, on all Root and Alternate/Blocking ports
spanning-tree loopguard default


Configuration Verification
show spanning-tree detail - Displays detailed information about STP
show spanning-tree summary - Displays the summary of port states of the STP section



UDLD

Protects against Layer 2 loops when a unidirectional link has been detected (traffic can only flow one way)

Works along with L1 AutoNegotiation

AutoNegotiation takes care of Layer 1, whereas UDLD is responsible for Layer 2

Periodic Hellos are sent out of every UDLD-enabled interface

If the Hello is echoed back, the link is fully operational


UDLD Operations

UDLD works for both copper and fiber links

Two modes of operation are available:
1. Normal Mode (informational purposes)
2. Aggressive Mode (can put an interface into the err-disabled state)

UDLD overlaps with Loop Guard

UDLD is more flexible for unidirectional links

Only failed links are disabled


UDLD Summary

UDLD Summary :
- Detects unidirectional links
- Per-port granularity (LoopGuard offers per-VLAN
function)
- Enabled on all redundant links
- Can auto-recover using the errdisable feature
- Does NOT protect against STP failures caused by
problems in software



UDLD Configuration

Fiber Optic interfaces - Normal Mode
udld enable

Fiber Optic interfaces - Aggressive Mode
udld aggressive

Copper interfaces
udld port [aggressive]

Remember that both ends of the link must have UDLD enabled to make it work


Configuration Verification
show udld - Displays operational status of UDLD
show spanning-tree detail - Displays detailed information about STP
show spanning-tree summary - Displays the summary of port states of the STP section



BPDU Guard

Used to terminate the STP domain

Devices behind ports with BPDU Guard enabled are not able to influence the STP topology

Enabled globally, it works on all PortFast ports

Enabled on an interface, it works only on this port

When a BPDU is received, the interface is put into the errdisabled state



BPDU Guard Configuration

Globally, on all PortFast ports
spanning-tree portfast bpduguard default

Per-interface
spanning-tree bpduguard enable

Re-enabling a port
shut
no shut

Auto-Recovery
errdisable recovery cause bpduguard


Configuration Verification
show spanning-tree detail - Displays detailed information about STP
show spanning-tree summary - Displays the summary of port states of the STP section



Root Guard

Activates only when a Superior BPDU is received

Once a Superior BPDU is received, the interface is put into the Root-Inconsistent state (which corresponds to the STP Listening phase)

When Superior BPDUs cease to be received, the port moves back into the STP forwarding state

Root Guard should be enabled on the Designated Ports

Remember to activate this feature on all the devices where a rogue switch may connect


Root Guard Example (diagram not reproduced in the text: Root, S1, S2 and S3 with PC1 and PC2; ports marked D and RP, Root Guard on S3)


Root Guard Caveats

Root Guard caveats:
- When enabled, it applies to all the VLANs the interface belongs to
- It is not possible to enable Root Guard and Loop Guard on the same port
- Should not be enabled on interfaces that are used by the UplinkFast feature



Root Guard Configuration

Per-interface
spanning-tree guard root


Configuration Verification
show spanning-tree interface detail - Displays detailed information about STP



Storm Control

Also known as traffic suppression

Can be configured for three traffic types separately:
Unicast
Multicast
Broadcast

Counts the number of packets of a specified type received within a 1-second interval. Measurements are compared to the defined threshold

Traffic above the threshold will be dropped

Multicast threshold does not block L2 control traffic like BPDUs or CDP frames


Storm Control Configuration

Per-interface
storm-control {broadcast|multicast|unicast} level | bps | pps


Configuration Verification
show storm-control [interface] - Displays detailed storm-control suppression levels set on the interfaces



Unicast Flooding

L2 switches don't have routing tables; they use the CAM for traffic forwarding

If there is no entry in the CAM, the frame will be flooded out all ports except the one it was received on

Limited flooding is part of the normal switching process

Increased unicast flooding may suggest network abnormalities. Common reasons for flooding are:
1. Asymmetric Routing
2. STP Topology Changes
3. CAM table overflow

Asymmetric Routing Example (diagram not reproduced in the text: PC1 in VLAN 10 and PC2 in VLAN 20 behind R1 and R2, switches S1 and S2 joined by a trunk; ARP timeout = 4 hours, CAM timeout = 5 minutes, so ARP >> CAM)
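The asymmetric-routing case from the slide above, played out over time as an added example (not code from the IPexpert material): S1 learns PC2's MAC from PC2's ARP reply, but PC2's return traffic never crosses S1 in VLAN 20, so the CAM entry ages out after 300 s while R1's ARP entry lives for 4 hours and every later R1-to-PC2 frame is flooded. MAC, IP, timers and the traffic pattern are constructed; the second run shows the usual mitigation of aligning the ARP timeout with the CAM aging time.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

PC2_MAC = "0000.0000.00b2"   # constructed
PC2_IP = "10.20.20.2"        # constructed

@dataclass
class Cam:
    """Per-VLAN CAM table of S1: MAC -> (port, time last seen as a source)."""
    aging: int = 300
    entries: Dict[str, Tuple[str, int]] = field(default_factory=dict)

    def learn(self, mac: str, port: str, now: int) -> None:
        self.entries[mac] = (port, now)

    def lookup(self, mac: str, now: int):
        """Port for a destination MAC, or None when unknown or aged out."""
        if mac in self.entries:
            port, seen = self.entries[mac]
            if now - seen < self.aging:
                return port
            del self.entries[mac]   # aged out: the frame becomes unknown unicast
        return None

@dataclass
class Arp:
    """ARP cache of R1: IP -> (MAC, time learned)."""
    timeout: int = 14400        # 4 hours
    entries: Dict[str, Tuple[str, int]] = field(default_factory=dict)

    def resolve(self, ip: str, now: int):
        """Cached MAC, or None meaning R1 has to send a new ARP request."""
        if ip in self.entries:
            mac, learned = self.entries[ip]
            if now - learned < self.timeout:
                return mac
            del self.entries[ip]
        return None

def simulate(duration: int = 1200, interval: int = 10,
             cam_aging: int = 300, arp_timeout: int = 14400) -> Tuple[int, int, int]:
    """R1 sends one frame to PC2 every `interval` seconds.
    Returns (frames forwarded on a known port, frames flooded, ARP requests sent)."""
    cam, arp = Cam(cam_aging), Arp(arp_timeout)
    forwarded = flooded = arp_requests = 0
    for now in range(0, duration, interval):
        mac = arp.resolve(PC2_IP, now)
        if mac is None:
            # R1 broadcasts an ARP request; PC2's unicast reply crosses the trunk,
            # which is the only moment S1 sees PC2's MAC as a source in VLAN 20.
            arp_requests += 1
            arp.entries[PC2_IP] = (PC2_MAC, now)
            cam.learn(PC2_MAC, "trunk", now)
            mac = PC2_MAC
        if cam.lookup(mac, now) is None:
            flooded += 1     # unknown unicast: copied to every VLAN 20 port on S1
        else:
            forwarded += 1
        # PC2's replies go PC2 -> S2 -> R2, so nothing refreshes S1's entry for PC2
    return forwarded, flooded, arp_requests

if __name__ == "__main__":
    print("defaults (ARP 4h, CAM 5min):", simulate())
    print("ARP timeout aligned with CAM aging:", simulate(arp_timeout=240))
```

With the default timers the first 300 seconds are forwarded normally and every frame after that is flooded until the ARP entry expires; with an ARP timeout shorter than the CAM aging time R1 re-ARPs before the CAM entry can expire and nothing is flooded.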


Unicast Flooding Configuration

Per-interface
switchport block unicast

Commonly used with Port Protection feature


Configuration Verification
show interface switchport - Displays operational status of a switching port


1.02 Implement VLAN and VLAN Trunking Protocol (VTP)


VLANs

VLAN = Layer 2 network = Broadcast domain

Virtual LAN is just a subset of switch ports that are in the same broadcast domain

VLANs can span across many switches

Traffic does not leak between the VLANs by default

We have got two ways to enable inter-VLAN communication:
1. Bridge VLANs in Layer 2
2. Route between VLANs


VLAN Example - 1 subnet, 2 VLANs (diagram not reproduced in the text: hosts H1-H4 split between VLAN 10 and VLAN 20 but all addressed from 10.1.1.0/24, with their ARP exchanges shown)

VLAN Example - 1 VLAN, 2 subnets (diagram not reproduced in the text; labels as shown on the slide):
VLAN 10
H1 10.1.1.1/24
H2 10.2.2.2/24
GW1 10.1.1.10/24 - PRI, 10.2.2.10/24 - SEC
GW2 10.2.2.20/24 - PRI
Static Routes:
10.1.1.0/24 -> Connected
0.0.0.0/0 -> 10.1.1.10

Switching Logic

Separate CAM (Content Addressable Memory) for each VLAN. CAM is populated based on learned frames' source MACs (note that multicasts and broadcasts should never be learned)

If there is no CAM entry for a particular L2 destination, traffic will be flooded out of all ports except the one the frame was received on. Moreover, such flooding will occur for ALL broadcast and multicast frames (no CAM entries)



VLAN Configuration

Access Port
switchport mode access
switchport access vlan vlan_nr

VLAN database
vlan vlan_nr


Configuration Verification
show vlan [brief] - Displays parameters for all configured VLANs
show mac-address-table - Displays CAM table entries


VLAN Trunking Protocol (VTP)


Advertises VLAN information to other switches

Only the VLAN number and its name are advertised; port-to-VLAN assignments are NOT

VTP messages are only sent over the trunk links

There are three VTP Modes:
1. Server - generates & processes VTP Updates
2. Client - processes & forwards VTP Updates
3. Transparent - forwards VTP Updates but does not process them

VTP Operations

Summary Advertisements are sent every 5 minutes

They contain a VTP domain name and revision number

If the revision number in the update is higher, an Advertisement Request is sent to request the VLAN list

VTP Advertisement is sent when:
1. The switch has been reset
2. The VTP domain name has been changed
3. The device received a Summary Advertisement with a higher revision number


VTP Operations cont.

Summary Advertisements are also triggered whenever a VLAN is added, deleted or updated

In such case the Summary Advertisement is followed by several Subset Advertisement messages (that contain the VLAN information)

VTP messages can be processed only when the VTP domain name & password (if any) match. Otherwise the trunk may not even come up (if DTP is used)

VLAN configuration is stored in the vlan.dat file

To reset the revision number, change the VTP domain name to something else and then back to the original name
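The behaviour in the two VTP Operations slides above, modelled in code as an added example (not code from the IPexpert material): the domain name and password digest must match before a Summary Advertisement is processed, a Transparent switch only forwards, and a higher revision number triggers an Advertisement Request and then replaces the VLAN list, which is exactly why the revision reset trick matters before a switch is attached to a production domain. The digest is a plain MD5 of the password, a stand-in for VTP's real MD5 authentication, and the switch names are constructed; the domain name and password are the slides' own example values.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional

def vtp_digest(password: Optional[str]) -> Optional[str]:
    """Simplified stand-in for VTP's MD5-based authentication: a hash of the password."""
    return hashlib.md5(password.encode()).hexdigest() if password else None

@dataclass(frozen=True)
class SummaryAdvertisement:
    """Sent every 5 minutes and on every change: domain name, revision and digest."""
    domain: str
    revision: int
    digest: Optional[str]

@dataclass(frozen=True)
class SubsetAdvertisement:
    """Follows a Summary Advertisement; carries the VLAN list (number -> name only)."""
    domain: str
    revision: int
    digest: Optional[str]
    vlans: Dict[int, str]

@dataclass
class VtpSwitch:
    name: str
    mode: str                      # "server", "client" or "transparent"
    domain: str
    password: Optional[str] = None
    revision: int = 0
    vlans: Dict[int, str] = field(default_factory=lambda: {1: "default"})

    def _accepts(self, domain: str, digest: Optional[str]) -> bool:
        """Messages are processed only when the domain name and password match."""
        return domain == self.domain and digest == vtp_digest(self.password)

    def receive_summary(self, adv: SummaryAdvertisement) -> str:
        """Action on a Summary Advertisement: forward, ignore, request or in-sync."""
        if self.mode == "transparent":
            return "forward"       # sent on out of the other trunks, never processed
        if not self._accepts(adv.domain, adv.digest):
            return "ignore"
        if adv.revision > self.revision:
            return "request"       # Advertisement Request asking for the VLAN list
        return "in-sync"

    def receive_subset(self, adv: SubsetAdvertisement) -> bool:
        """Install the advertised VLAN list when it carries a higher revision.
        A Server accepts it exactly like a Client, so any switch that joins the
        domain with a higher revision number overwrites everyone's vlan.dat."""
        if self.mode == "transparent" or not self._accepts(adv.domain, adv.digest):
            return False
        if adv.revision <= self.revision:
            return False
        self.vlans = dict(adv.vlans)
        self.revision = adv.revision
        return True

    def subset_advertisement(self) -> SubsetAdvertisement:
        """The Subset Advertisement this switch would send for its current database."""
        return SubsetAdvertisement(self.domain, self.revision,
                                   vtp_digest(self.password), dict(self.vlans))

    def add_vlan(self, number: int, name: str) -> Optional[SubsetAdvertisement]:
        """Create a VLAN: a Client cannot, a Transparent switch changes only its
        local database, a Server bumps the revision and advertises the change."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: a VTP Client cannot create VLANs")
        self.vlans[number] = name
        if self.mode == "transparent":
            return None
        self.revision += 1
        return self.subset_advertisement()

    def set_domain(self, new_domain: str) -> None:
        """Changing the domain name resets the revision number to 0 (the slides' trick)."""
        self.domain = new_domain
        self.revision = 0
```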

VTP Pruning

Some VLANs may exist on only part of the switches

This may result in forwarding unnecessary traffic

VTP dynamically determines which switches have no ports assigned to a specific VLAN and are not in the transit path for it

VTP Pruning is enabled on a VTP Server for the entire domain

VLANs 1 and 1002-4094 are prune-ineligible


VTP Pruning Example (diagram not reproduced in the text: switches S1-S5; H1 and H2 in VLAN 10; a broadcast packet sent by H1)



VTP Configuration

VTP Mode
vtp mode client|server|transparent

VTP Domain Name
vtp domain domain_name

VTP Authentication (MD5)
vtp password password

VTP Pruning
vtp pruning


Example VTP Configuration


vtp domain IPexpert.com
vtp password cciers
vtp mode server


Configuration Verification
show vtp status - Displays general information about VTP
show interface pruning - Displays information about VTP Pruning on a particular interface


1.03 Implement trunk and trunk protocols, EtherChannel, and load-balance


Trunking

VLANs can span across multiple switches

Since traffic from many VLANs can be carried over a trunk, frames must be somehow identified

There are two trunking protocols that can be used for this:
ISL
802.1Q


ISL

Cisco proprietary

Encapsulates the entire frame with a new header that is 26 bytes long (and which contains a VLAN tag)

A new trailer allows the CRC to be recalculated

Source MAC in this new header is set to the sending switch port's MAC

Destination is a multicast address of the ISL group the receiver belongs to


802.1Q

Open Standard

Inserts a 4-byte tag into the frame (802.1Q tag)

First two bytes are set to 0x8100 (Type field)

Two remaining bytes contain:
- Priority field, used for QoS (3 bits)
- Flag, used for compatibility with Token Ring (1 bit)
- VLAN ID (12 bits)

Uses a concept of a Native VLAN that encompasses the following frames:
- Received on access VLAN equal to Native VLAN
- Untagged frames
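The tag layout above and the native-VLAN rule, as an added example (not code from the IPexpert slides): a builder that inserts the 4-byte tag after the source MAC and a parser that splits the TCI into its 3-bit priority, 1-bit flag and 12-bit VLAN ID and decides which VLAN a trunk port would switch the frame in. The MAC addresses and sample frames are constructed; the example also covers a VID of 0, which 802.1Q defines as a priority-only tag belonging to the native VLAN.

```python
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100  # "first two bytes are set to 0x8100"

@dataclass(frozen=True)
class Dot1qTag:
    priority: int   # 3 bits, used for QoS
    flag: int       # 1 bit (CFI, the Token Ring compatibility flag)
    vlan_id: int    # 12 bits

@dataclass(frozen=True)
class ParsedFrame:
    dst: bytes
    src: bytes
    tag: Optional[Dot1qTag]   # None for an untagged frame
    vlan: int                 # the VLAN the frame is switched in
    native: bool              # True when the native-VLAN rule applied
    ethertype: int            # the encapsulated (original) Type field
    payload: bytes

def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None, priority: int = 0, flag: int = 0) -> bytes:
    """Assemble an Ethernet frame; with vlan_id set, insert the 4-byte 802.1Q tag
    between the source MAC and the original Type field."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    header = dst + src
    if vlan_id is not None:
        if not (0 <= priority < 8 and flag in (0, 1) and 0 <= vlan_id < 4096):
            raise ValueError("tag field out of range")
        tci = (priority << 13) | (flag << 12) | vlan_id
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload

def parse_frame(frame: bytes, native_vlan: int) -> ParsedFrame:
    """Parse a frame as a trunk port would: a tag selects the VLAN; an untagged
    frame (or one tagged with the native VLAN ID) belongs to the native VLAN."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype, = struct.unpack("!H", frame[12:14])
    tag, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        tag = Dot1qTag(priority=tci >> 13, flag=(tci >> 12) & 1, vlan_id=tci & 0x0FFF)
        offset = 18
    # VID 0 carries only priority information and is treated like an untagged frame.
    untagged = tag is None or tag.vlan_id == 0
    native = untagged or tag.vlan_id == native_vlan
    vlan = native_vlan if untagged else tag.vlan_id
    return ParsedFrame(dst, src, tag, vlan, native, ethertype, frame[offset:])

# Constructed sample frames: H1 sends an IPv4 packet to H2 across a trunk.
H1 = bytes.fromhex("0000000000a1")
H2 = bytes.fromhex("0000000000b2")
IPV4 = 0x0800
PAYLOAD = b"\x45" + b"\x00" * 19
TAGGED_VLAN20 = build_frame(H2, H1, IPV4, PAYLOAD, vlan_id=20, priority=5)
UNTAGGED = build_frame(H2, H1, IPV4, PAYLOAD)

if __name__ == "__main__":
    for name, raw in (("tagged", TAGGED_VLAN20), ("untagged", UNTAGGED)):
        f = parse_frame(raw, native_vlan=1)
        print(f"{name}: tag={f.tag} vlan={f.vlan} native={f.native}")
```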

DTP

Trunk links can be either statically configured or negotiated

DTP is a Cisco proprietary point-to-point protocol that was designed for two things:
- Negotiation of a trunk
- Negotiation of trunking encapsulation

Negotiated trunks are always bi-directional

Manual configuration may result in inconsistencies

DTP will always try to negotiate ISL first

Routers DON'T support DTP


Switchport Mode Combinations (table not reproduced in the text)


Trunking Configuration

Switchport Mode
switchport mode [access|trunk|dynamic auto|dynamic desirable]

Manual Trunking Encapsulation
switchport trunk encapsulation [dot1q|isl]

Native VLAN
switchport trunk native vlan vlan_nr

Disable DTP
switchport trunk nonegotiate

Allowed VLANs
switchport trunk allowed vlan vlan1,vlan2

Example Trunking Configuration


int f0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk nonegotiate
switchport trunk native vlan 10


Configuration Verification
show int trunk - Displays interface trunk information
show int switchport - Displays operational status of a switching port
show dtp - Displays Dynamic Trunking Protocol information


Configuration Verification Example #1


Cat2#show interface trunk
Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       desirable    802.1q         trunking      1
Gi0/2       desirable    802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       1-4094
Gi0/2       1-4094

Port        Vlans allowed and active in management domain
Gi0/1       1-3,10
Gi0/2       1-3,10

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1-3,10
Gi0/2       1-3,10


Configuration Verification Example #2

Cat2#show interface f0/2 switchport
Name: Fa0/2
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false

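Added example (not from the slides): a small parser for the `show interface switchport` output shown above that flags ports still willing to negotiate a trunk through DTP, and trunks left on native VLAN 1. The interface blocks it runs over are constructed.

```python
"""Audit 'show interface switchport' output for ports that can still be talked into trunking.

Added example, not part of the original slides. Parses the field layout shown
on the slide (Name / Administrative Mode / Operational Mode / Negotiation of
Trunking / Trunking Native Mode VLAN). The sample output below is constructed.
"""
import re

# Constructed sample: four interface blocks in the format shown on the slide.
SAMPLE_OUTPUT = """\
Name: Fa0/2
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)

Name: Fa0/3
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 20 (VLAN0020)
Trunking Native Mode VLAN: 1 (default)

Name: Gi0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)

Name: Gi0/2
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 999 (VLAN0999)
"""

FIELD_RE = re.compile(r"^([^:]+):\s*(.*)$")


def parse_switchports(text):
    """Split the output into one dict per 'Name:' block (field name -> value)."""
    ports, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue  # lines without a colon (e.g. 'Capture Mode Disabled') are skipped
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Name":
            current = {"Name": value}
            ports.append(current)
        elif current is not None:
            current[key] = value
    return ports


def audit_port(port):
    """Return the findings for one port; an empty list means nothing to fix."""
    findings = []
    admin = port.get("Administrative Mode", "")
    negotiation = port.get("Negotiation of Trunking", "")
    native = port.get("Trunking Native Mode VLAN", "")
    if admin.startswith("dynamic"):
        # dynamic auto/desirable: the far end decides whether this becomes a trunk
        findings.append("DTP-negotiable mode: " + admin)
    if negotiation == "On":
        # 'switchport nonegotiate' (or static access mode) turns this Off
        findings.append("DTP frames still sent (negotiation On)")
    if admin == "trunk" and native.split(" ")[0] == "1":
        findings.append("trunk uses native VLAN 1")
    return findings


def audit(text):
    """Map interface name -> findings for every block in the output."""
    return {p["Name"]: audit_port(p) for p in parse_switchports(text)}
```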

EtherChannel

Allows grouping physical interfaces and treating them as a single logical link (called PortChannel)

Two main purposes of using this feature are :
- Increasing available bandwidth
- Providing redundancy

Member interfaces should have the same config :
- Access VLAN
- Trunking Mode
- Native VLAN
- Speed & Duplex
- Interface Type (L2/L3)

EtherChannel cont.

There are two types of EtherChannels : L2 and L3

STP will treat a PortChannel as a single link

EC can be created manually or negotiated

Manual method may be less secure (STP loops)

Automatic negotiation can detect certain kinds of misconfiguration

Two dynamic negotiation protocols are available :
1. Port Aggregation Protocol (PAgP)
2. Link Aggregation Control Protocol (LACP)

PAgP

Cisco proprietary

Operates in two modes :
- Desirable
- Auto

Desirable Mode actively negotiates an EC

Auto Mode negotiates an EC only when the far end initiates it

LACP

Open Standard

The switch with the lowest System Priority (Priority.MAC) decides which ports will actively participate in the EtherChannel

The switch selects active ports based on Port Priority values (Port_Priority.Port_number)

Up to 8 lowest Port Priority ports are elected as active, other links are placed in a standby state

Operates in two modes :
- Active (corresponds to PAgP's Desirable)
- Passive (corresponds to PAgP's Auto)

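Added example (not from the slides): a model of the LACP selection rules just described, where the switch with the lower System ID decides and orders its members by Port Priority and port number, with the active/passive pairing check in front of it. Switch and port identifiers are constructed.

```python
"""LACP active/standby member selection (added example, not from the slides).

Models the rules stated on the slide: the switch with the lower System ID
(System Priority, then MAC) decides; on that switch members are ordered by
(Port Priority, Port number) and the lowest eight become active, the rest
standby. Also checks the active/passive mode pairing. All identifiers
below are constructed.
"""
from dataclasses import dataclass, field


@dataclass(order=True)
class LacpPort:
    port_priority: int
    port_number: int
    name: str = field(compare=False)


@dataclass
class LacpSystem:
    system_priority: int
    mac: str
    ports: list


def system_id(system):
    """LACP System ID orders first by priority, then by MAC; lower wins."""
    return (system.system_priority, int(system.mac.replace(":", ""), 16))


def deciding_system(a, b):
    return a if system_id(a) < system_id(b) else b


def bundle_forms(mode_a, mode_b):
    """At least one side must be active; passive/passive never bundles."""
    return "active" in (mode_a, mode_b) and {mode_a, mode_b} <= {"active", "passive"}


def select_members(system, max_active=8):
    """Return (active, standby) member names in selection order."""
    ordered = sorted(system.ports)
    return ([p.name for p in ordered[:max_active]],
            [p.name for p in ordered[max_active:]])


def negotiate(a, mode_a, b, mode_b):
    """Full decision: who decides, and which of its ports go active."""
    if not bundle_forms(mode_a, mode_b):
        return None
    decider = deciding_system(a, b)
    active, standby = select_members(decider)
    return decider.mac, active, standby


# Constructed: SW_A keeps the default priority, SW_B has a lower (better) one,
# and SW_B offers ten candidate links, two of them with a raised port priority.
SW_A = LacpSystem(32768, "00:11:22:33:44:aa",
                  [LacpPort(32768, n, "Gi1/0/%d" % n) for n in range(1, 9)])
SW_B = LacpSystem(100, "00:11:22:33:44:bb",
                  [LacpPort(32768, n, "Gi1/0/%d" % n) for n in range(1, 9)]
                  + [LacpPort(100, 9, "Gi1/0/9"), LacpPort(100, 10, "Gi1/0/10")])
```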

EtherChannel Load-Balancing

There are 6 different modes of load-balancing in EC :
1. Source MAC
2. Destination MAC
3. Source-Destination MAC pair
4. Source IP address
5. Destination IP address
6. Source-Destination IP address pair

The default load-balancing method is Source MAC

EtherChannel Load Balancing Example

(diagram only: a MAC-based case with hosts H1-H4 attached to switches S1 and S2, and an IP-based case that adds routers R1 and R2 to the path)

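Added example (not from the slides): a model of how each load-balancing method picks a member link, run over the two cases of the diagram above; it shows why Source MAC balancing collapses onto one link once a router sits in front of the EtherChannel. The XOR-of-low-bits hash is an assumption (a simplified model), and all addresses are constructed.

```python
"""EtherChannel member-link selection per load-balancing method (added example, not from the slides).

Assumption (a simplified model of the usual description): the switch XORs the
low-order bits of the selected header fields and uses as many of those bits as
are needed to index the member links. MAC and IP addresses below are constructed;
the two topologies mirror the slide's MAC-based and IP-based cases.
"""
from dataclasses import dataclass


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


def _mac_low(mac):
    return int(mac.replace(":", "")[-2:], 16)


def _ip_low(ip):
    return int(ip.split(".")[-1])


METHODS = {
    "src-mac":     lambda f: [_mac_low(f.src_mac)],
    "dst-mac":     lambda f: [_mac_low(f.dst_mac)],
    "src-dst-mac": lambda f: [_mac_low(f.src_mac), _mac_low(f.dst_mac)],
    "src-ip":      lambda f: [_ip_low(f.src_ip)],
    "dst-ip":      lambda f: [_ip_low(f.dst_ip)],
    "src-dst-ip":  lambda f: [_ip_low(f.src_ip), _ip_low(f.dst_ip)],
}


def select_link(frame, method, links):
    """Index (0..links-1) of the member link the frame is hashed onto."""
    if links < 1 or links & (links - 1):
        raise ValueError("member count must be a power of two")
    h = 0
    for value in METHODS[method](frame):
        h ^= value
    return h & (links - 1)


def distribution(frames, method, links):
    """How many of the frames land on each member link."""
    counts = [0] * links
    for frame in frames:
        counts[select_link(frame, method, links)] += 1
    return counts


# Constructed MACs for the hosts and for router R1's LAN interface.
H1, H2, H3, H4 = ("00:00:5e:00:53:01", "00:00:5e:00:53:02",
                  "00:00:5e:00:53:03", "00:00:5e:00:53:04")
R1 = "00:00:5e:00:53:10"

# MAC-based case on the slide: H1/H2 reach H3/H4 across S1--S2 directly.
SAME_SEGMENT = [
    Frame(H1, H3, "10.0.0.1", "10.0.0.3"),
    Frame(H2, H4, "10.0.0.2", "10.0.0.4"),
    Frame(H1, H4, "10.0.0.1", "10.0.0.4"),
    Frame(H2, H3, "10.0.0.2", "10.0.0.3"),
]

# IP-based case on the slide: H1/H2 sit behind R1, so every frame S1 forwards
# carries R1's source MAC while the IP addresses still differ.
ROUTED = [
    Frame(R1, H3, "10.1.0.1", "10.2.0.3"),
    Frame(R1, H4, "10.1.0.2", "10.2.0.4"),
    Frame(R1, H4, "10.1.0.1", "10.2.0.4"),
    Frame(R1, H3, "10.1.0.2", "10.2.0.3"),
]
```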

EtherChannel Configuration

EtherChannel
channel-group nr mode [desirable|auto|active|passive|on]

LACP System ID Priority
lacp system-priority nr

LACP Port Priority
lacp port-priority nr

Load-Balancing
port-channel load-balance [src-mac|dst-mac|src-dst-mac|src-ip|dst-ip|src-dst-ip]

Example EtherChannel Configuration

interface f0/5
 shut
 switchport mode access
 channel-group 1 mode desirable
 no shut
int f0/7
 shut
 no switchport
 channel-group 2 mode on
 no shut

int port-channel 2
 ip add 10.1.1.1 255.255.255.0

Configuration Verification

show etherchannel [summary] - Displays one-line EtherChannel information for a channel

show etherchannel [load-balance] - Displays the EC Load-Balancing scheme

show lacp - Displays LACP information

1.04 Implement Ethernet Technologies

Ethernet, FastEthernet

Ethernet refers to the family of LAN products covered by the IEEE 802.3 standard

Original 802.3 Ethernet
- Runs at 10Mbps
- Collisions were expected
- CSMA/CD controls which device can transmit at a time

FastEthernet 802.3u
- Runs at 100Mbps
- 100BASE-TX is the most common standard

GigabitEthernet

GigabitEthernet
- 802.3z for optical cabling
- 802.3ab for copper
- Runs at 1000Mbps
- Cisco devices only support full-duplex (no CSMA/CD)

Flow Control (PAUSE frames) built-in

PAUSE frames are generated when the receiver's queue is filled

Must be negotiated

Speed and Duplex

Autonegotiation is enabled by default

It is used to automatically exchange information about speed and duplex settings

Both sides of a link should have auto-negotiation on, or both sides should have it off

To disable it, statically configure speed and duplex

Speed and Duplex Configuration

Speed
speed [10|100|1000|auto]

Duplex
duplex [half|full|auto]

Configuration Verification

show interface status - Displays status of the interfaces and their settings

show interfaces capabilities - Displays interface capabilities

PPPoE

Point to Point Protocol over Ethernet

Defines interaction between a host PC and a broadband medium, such as Digital Subscriber Line (DSL)

Allows authenticated sessions over a standard Ethernet line

Client-Server architecture

PPPoE Mechanics

PPPoE logic is similar to DHCP operations

Discovery Phase :
- PPPoE Active Discovery Initiation (PADI) packet is sent
- Server replies with PPPoE Active Discovery Offer (PADO)
- Client sends PPPoE Active Discovery Request (PADR)
- Server agrees, sending a PPPoE Active Discovery Session-confirmation message (PADS)

PPP packets are now exchanged inside the Ethernet frames, a standard PPP negotiation is performed

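Added example (not from the slides): the four-step discovery phase above as a client/server exchange, building and parsing the PPPoE discovery payloads in the RFC 2516 layout. The access concentrator is a minimal in-memory stand-in, and the service and AC names are constructed.

```python
"""PPPoE discovery phase (PADI / PADO / PADR / PADS) as a client and server exchange.

Added example, not from the slides. The frame layout follows RFC 2516: a
6-byte header (version/type 0x11, code, session ID, payload length) followed
by TLV tags; the code and tag numbers are the RFC's. Service and AC names are
constructed, and the access concentrator here is a minimal in-memory stand-in
for the DSL side.
"""
import struct

PADI, PADO, PADR, PADS = 0x09, 0x07, 0x19, 0x65
TAG_SERVICE_NAME, TAG_AC_NAME, TAG_HOST_UNIQ = 0x0101, 0x0102, 0x0103
VER_TYPE = 0x11  # version 1, type 1


def build(code, session_id, tags):
    """Serialize one discovery payload (what sits after the Ethernet header)."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", VER_TYPE, code, session_id, len(payload)) + payload


def parse(frame):
    """Return (code, session_id, [(tag, value), ...]); rejects malformed input."""
    if len(frame) < 6:
        raise ValueError("short PPPoE header")
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[:6])
    if ver_type != VER_TYPE:
        raise ValueError("not PPPoE version 1 / type 1")
    body = frame[6:6 + length]
    if len(body) != length:
        raise ValueError("payload length does not match header")
    tags, off = [], 0
    while off + 4 <= len(body):
        tag, tlen = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + tlen]
        if len(value) != tlen:
            raise ValueError("truncated tag")
        tags.append((tag, value))
        off += 4 + tlen
    return code, session_id, tags


class AccessConcentrator:
    """Server side: answers PADI with PADO and PADR with PADS, echoing Host-Uniq."""

    def __init__(self, ac_name, service=b""):
        self.ac_name, self.service, self.next_session = ac_name, service, 1

    def handle(self, frame):
        code, _, tags = parse(frame)
        echo = [(t, v) for t, v in tags if t == TAG_HOST_UNIQ]
        if code == PADI:
            return build(PADO, 0, [(TAG_SERVICE_NAME, self.service),
                                   (TAG_AC_NAME, self.ac_name)] + echo)
        if code == PADR:
            session_id, self.next_session = self.next_session, self.next_session + 1
            return build(PADS, session_id, [(TAG_SERVICE_NAME, self.service)] + echo)
        return None


def discover(ac, host_uniq=b"\x00\x2a"):
    """Client side: run the four-step discovery and return (session_id, ac_name)."""
    padi = build(PADI, 0, [(TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, host_uniq)])
    code, _, tags = parse(ac.handle(padi))
    offer = dict(tags)
    # A client only accepts offers that echo its own Host-Uniq; others are ignored.
    if code != PADO or offer.get(TAG_HOST_UNIQ) != host_uniq:
        raise ValueError("no matching PADO")
    padr = build(PADR, 0, [(TAG_SERVICE_NAME, offer[TAG_SERVICE_NAME]),
                           (TAG_HOST_UNIQ, host_uniq)])
    code, session_id, tags = parse(ac.handle(padr))
    if code != PADS or dict(tags).get(TAG_HOST_UNIQ) != host_uniq:
        raise ValueError("no matching PADS")
    return session_id, offer[TAG_AC_NAME]
```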

Typical PPPoE network

PPPoE Configuration

Dialer Interface
interface dialer nr

MTU & PPP Encapsulation
mtu value
encapsulation ppp

PPP IP CP Address Negotiation
ip address negotiated

Dialer Pool & Dialer Group
dialer pool nr
dialer-group nr

Cloning
pppoe-client dial-pool-number nr

Example PPPoE Configuration

interface dialer 1
 encapsulation ppp
 ip address negotiated
 dialer pool 1
 dialer-group 1
 mtu 1492
interface E1
 pppoe-client dial-pool-number 1

Configuration Verification

show pppoe session - Displays information about currently active PPPoE sessions

1.05 Implement Switched Port Analyzer (SPAN), Remote Switched Port Analyzer (RSPAN), and flow control

SPAN, RSPAN

SPAN is also known as port mirroring or port monitoring

This feature is used to copy all traffic transmitted/received on a specific port or VLAN to a single port on the same switch

Common applications are call recording and IDS/IPS

RSPAN does the same as SPAN, but the destination of an RSPAN session is on another switch than the one where the monitored traffic is being received on/transmitted from

A special VLAN, called the RSPAN VLAN, is used to carry monitored traffic between the switches (RSPAN only)

SPAN Example

(diagram only: PC on F0/2, Network Analyzer on F0/10)

RSPAN Example

(diagram only: switches S1, S2 and S3 linked by the RSPAN VLAN, with a PC and a Network Analyzer at the ends)

SPAN, RSPAN cont.

Both SPAN & RSPAN can work with transmitted and/or received traffic

Traffic that is received is copied before any other features, like ACLs or VACLs, are applied

Traffic that is transmitted is already modified (ACLs, QoS, policing, etc.)

SPAN & RSPAN Configuration

SPAN
monitor session session_nr source interface|vlan [both|rx|tx]
monitor session session_nr destination interface [ingress vlan]

RSPAN
monitor session session_nr source interface|vlan [both|rx|tx] [remote vlan]
monitor session session_nr destination interface [ingress vlan] [remote vlan]
vlan vlan_nr
 remote-span

VLAN Filtering
monitor session session_nr filter vlan vlans

Example SPAN Configurations

SPAN
monitor session 1 source interface f0/1
monitor session 1 destination interface f0/20

VLAN Filtering (trunk link)
monitor session 2 source interface f0/10
monitor session 2 destination interface f0/21
monitor session 2 filter vlan 100-200, 300

Example RSPAN Configuration

Switch 1
vlan 999
 remote-span
monitor session 12 source vlan 10 rx
monitor session 12 destination remote vlan 999

Switch 2
vlan 999
 remote-span
monitor session 12 source remote vlan 999
monitor session 12 destination interface f0/2

Configuration Verification

show monitor session session_nr - Displays information about the specified SPAN or RSPAN session

1.06 Implement Frame Relay

Frame Relay

L2 WAN technology

NBMA means more than two devices can be attached but there is no inherent broadcast capability

DTE - customer's end (Frame Relay router)

DCE - ISP's end (Frame Relay switch)

Permanent Virtual Circuit (PVC) is a pre-configured logical communication path between two DTEs

Data Link Connection Identifier (DLCI) is a connection identifier, usually locally significant. Global nomenclature can also be used, though

Frame Relay - LMI

Local Management Interface (LMI) messages are ONLY exchanged between the FR switch and its directly connected DTE device

LMI is mainly used to advertise the VC information to the router's main physical interface. LMI Status Enquiry packets act as keepalives

Three LMI Types are available :
1. Cisco
2. ANSI
3. Q-933A (ITU)

LMI Type must match between DCE and DTE, and routers by default autosense it. DLCIs 0 & 1023 are reserved for LMI messages

Frame Relay PVC status

LMI advertises a PVC status for each of the configured DLCIs

Three PVC status codes are reported :
1. Active - PVC is usable, data frames can be sent
2. Inactive - Problem with the remote end. No data frames will be sent
3. Deleted - Router has a DLCI, FR switch does not. Usually implies misconfiguration. No data frames are sent

The fourth code, Static, shows up if LMI has been disabled. Data frames will be sent

Frame Relay Full Mesh

Full Mesh = all the devices connected with each other. Before Frame Relay n(n-1)/2 connections were required, where n is the number of sites. With FR, only n interfaces are needed

Frame Relay Hub & Spoke

Hub & Spoke = every branch has a VC to the Hub only. The downside is that traffic between the sites must traverse the Hub

Frame Relay Problems

Split Horizon

Multicast issues

Other protocol-related problems

Solution may include subinterfaces

Point-to-point subinterface does not require L3 to L2 resolution

Multipoint subinterface supports more than two devices in the same L3 network. L3 to L2 resolution is required

Frame Relay - Controlling Speed

Forward Explicit Congestion Notification (FECN)

Backward Explicit Congestion Notification (BECN)

FECN informs the destination so it could e.g. inform upper layers about possible delay. The FECN bit can only be set by the FR switches

BECN is used to inform the source so it could slow down the sending rate (Adaptive Traffic Shaping must be enabled). The BECN bit can be set by FR switches or the receiving router

For unidirectional flows the FECN Adapt feature can be used : dummy frames with the BECN bit set will be generated by the FECN-receiving router

Frame Relay Discard Eligible bit

Discard Eligible bit (DE) is used to indicate low-priority data

Commonly used in oversubscription scenarios

Both routers & Frame Relay switches can set the DE bit

ISP may drop DE frames before any other traffic (e.g. when congestion occurs)

Frame Relay Configuration

Encapsulation
encapsulation frame-relay [cisco|ietf]
frame-relay map ip IP_addr DLCI_nr [cisco|ietf]

LMI
frame-relay lmi-type ansi|cisco|q933a

Point-to-Point subinterfaces
frame-relay interface-dlci DLCI_nr

Multipoint subinterfaces
frame-relay map ip IP_addr DLCI_nr [broadcast]

Inverse ARP
[no] frame-relay inverse-arp [IP_addr DLCI_nr]

Example Frame Relay Configuration

interface serial 0
 encapsulation frame-relay
interface serial 0.1 point-to-point
 ip address 10.1.1.1 255.255.255.252
 frame-relay interface-dlci 10
interface serial 0.2 multipoint
 ip address 10.2.2.2 255.255.255.0
 frame-relay map ip 10.2.2.2 20 broadcast
 frame-relay map ip 10.2.2.3 30

Configuration Verification

show frame-relay map - Displays current Frame Relay map entries and information about connections

show frame-relay pvc - Displays statistics about Frame Relay Permanent Virtual Circuits

debug frame-relay packet - Displays information about packets that have been sent over a Frame Relay interface

1.07 Implement High-Level Data Link Control (HDLC) and PPP

HDLC

Simple L2 protocol used on point-to-point links

HDLC Header fields :
- Flag - delimits start & end of each frame
- Address - is set to 3 in decimal
- Control - defines the frame type (Control or Data)
- FCS - used for error detection

Cisco's HDLC (proprietary) also contains a Type field which is used to support different L3 protocols

PPP

Very similar to HDLC

PPP uses two main components : Link Control Protocol (LCP) and Network Control Protocols, e.g. IP CP

PPP LCP

LCP is used for link management and negotiation

Main four LCP functions are as follows :
1. Looped Link Detection (magic number)
2. Link Quality Monitoring (LQM). Used to monitor the link's quality; if it drops below a configured percentage, the router will shut down the link
3. Authentication (clear-text PAP or MD5 CHAP)
4. Load Balancing (Multilink PPP). MLP balances the traffic by fragmenting each data link frame (L2 fragmentation) based on the number of parallel links or based on a configured delay

PPP Phases

There are five different PPP Phases :
1. Link Dead (e.g. when the link fails)
2. Link Establishment (Link Control Protocol - LCP)
3. Authentication (optional)
4. Network Layer Protocol (e.g. IP CP for IP)
5. Termination (closing down the connection)

PPP Configuration

Clocking
clock rate

Encapsulation
encapsulation ppp

PPP Authentication
ppp authentication pap|chap

LQM
ppp quality percentage

Multilink PPP (MLP)
interface multilink number
ppp multilink
ppp multilink group number

Example PPP Configuration #1

Router XXX
hostname XXX
username YYY password SAMEONE
int serial 0
 encapsulation ppp
 ppp authentication pap|chap

Router YYY
hostname YYY
username XXX password SAMEONE
int serial 0
 encapsulation ppp
 ppp authentication pap|chap

Example PPP Configuration #2

interface multilink 2
 ip address 10.1.1.1 255.255.255.252
 encapsulation ppp
 ppp multilink
int s0/1, int s0/2
 no ip address
 encapsulation ppp
 ppp multilink
 ppp multilink group 2

Configuration Verification

show interfaces - Displays statistics for all configured interfaces

show ppp multilink - Displays bundle information for Multilink PPP

debug ppp negotiation - Displays PPP packets during the negotiation

End of Section 1.0

2.0 Implement IPv4

2.01 Implement IP version 4 (IPv4) addressing, subnetting, and variable-length subnet masking (VLSM)

IPv4 Basics

An IPv4 address uniquely identifies a device on an IP network. It is a 32-bit structure divided into four octets, written in decimal form

An IP network is a distinguished group of networking devices

Network classes were developed to provide some structure to the way IP addresses are assigned

Each network class has a range of IP addresses, and a particular class can be determined from the four high-order bits

IPv4 Network Classes

There are five network classes :
1. Class A Range : 0.0.0.0/8 to 127.0.0.0/8
   Binary : 0nnnnnnn.hhhhhhhh.hhhhhhhh.hhhhhhhh
2. Class B Range : 128.0.0.0/16 to 191.255.0.0/16
   Binary : 10nnnnnn.nnnnnnnn.hhhhhhhh.hhhhhhhh
3. Class C Range : 192.0.0.0/24 to 223.255.255.0/24
   Binary : 110nnnnn.nnnnnnnn.nnnnnnnn.hhhhhhhh
4. Class D Range : 224.0.0.0 to 239.255.255.255
   Binary : 1110xxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx
5. Class E Range : 240.0.0.0 to 255.255.255.255
   Binary : 1111xxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx

IPv4 Network Masks

A network mask is used to determine which portion of the IP address identifies the network (or a subnet) and which portion identifies the node

Default (natural) masks :
- Class A 255.0.0.0 or /8
- Class B 255.255.0.0 or /16
- Class C 255.255.255.0 or /24

These masks cannot be changed, they are implicit

IPv4 Subnets & Subnetting

Subnetting allows you to create multiple logical networks that exist within a single Class A, B, or C network

A subnet mask (or a number after /) is used to determine the number of bits used for the subnet and host portions of the address, and it is a consecutive run of 1s in binary

The Subnet-Zero address is indistinguishable from the natural network address. Subnet-Zero has all of its subnet bits set to 0, and is turned on in recent IOS versions by default (ip subnet-zero)

Networking Math - Subnetting

192.168.1.0/25   - 11000000.10101000.00000001.00000000
192.168.1.128/25 - 11000000.10101000.00000001.10000000

Networking Math - Subnet Number

Networking Math - Finding a Subnet

10.2.3.19   - 00001010.00000010.00000011.00010011
/29         - 11111111.11111111.11111111.11111000
Logical AND - 00001010.00000010.00000011.00010000

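Added example (not from the slides): the subnetting arithmetic of the last three slides done as bit operations, carried a step further than the slide to the broadcast address, usable host range and a same-subnet check; the addresses are the slides' own.

```python
"""Subnet arithmetic as bitwise operations (added example, not from the slides).

Reproduces the slide's 10.2.3.19/29 logical-AND step and extends it to the
broadcast address, the usable host range and a same-subnet check. The
addresses used are the ones on the slides.
"""


def ip_to_int(ip):
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %s" % ip)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def prefix_to_mask(prefix):
    """/29 -> 0xFFFFFFF8: a run of `prefix` ones followed by zeros."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def to_binary(n):
    """Dotted binary, the notation the slides use."""
    return ".".join(format((n >> s) & 0xFF, "08b") for s in (24, 16, 8, 0))


def subnet_info(ip, prefix):
    mask = prefix_to_mask(prefix)
    net = ip_to_int(ip) & mask                 # the slide's Logical AND step
    bcast = net | (~mask & 0xFFFFFFFF)         # host bits all set to 1
    if prefix < 31:
        first, last, hosts = net + 1, bcast - 1, (1 << (32 - prefix)) - 2
    else:
        # /31 (point-to-point, RFC 3021) and /32 have no network/broadcast pair
        first, last, hosts = net, bcast, (2 if prefix == 31 else 1)
    return {
        "network": int_to_ip(net),
        "mask": int_to_ip(mask),
        "broadcast": int_to_ip(bcast),
        "first_host": int_to_ip(first),
        "last_host": int_to_ip(last),
        "usable_hosts": hosts,
        "network_binary": to_binary(net),
    }


def same_subnet(a, b, prefix):
    """True when both addresses AND to the same subnet number under the mask."""
    mask = prefix_to_mask(prefix)
    return ip_to_int(a) & mask == ip_to_int(b) & mask
```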

VLSM & CIDR

Variable Length Subnet Mask allows subnetting using an arbitrary subnet mask for different subnets

Classless Inter-Domain Routing (CIDR) is a more flexible way of allocating IP addresses because it allows for using VLSM. It depicts a more hierarchical Internet architecture, where each domain takes its IP addresses from a higher level. Introduces Summarization/Supernetting

2.02 Implement IPv4 tunneling and Generic Routing Encapsulation (GRE)

Tunneling

Tunneling is transmission of data intended for use only within a private, usually corporate, network through a public network like for example the Internet

Tunneling equals encapsulation

Tunneling requires three different protocols :
1. Carrier protocol - outer header protocol used to transport data
2. Encapsulating protocol - wraps the original data. For example GRE, L2TP
3. Passenger protocol - original data, e.g. IP or IPX

Subway analogy

GRE

GRE (Generic Routing Encapsulation) is a tunneling protocol

Commonly used to transport multicast packets

GRE cont.

GRE tunnels are connectionless & stateless

Line Protocol of the tunnel interface is not tracked by default

Keepalives can be used to solve this problem

GRE header with no options included is 4 bytes long, which totals 24 bytes of overhead (outer IP -> 20 bytes)

GRE key can be used to provide basic authentication and to uniquely identify multiple tunnels

GRE key adds another 4 bytes of overhead

GRE Configuration

Tunnel Interface
interface tunnel nr

Tunnel IP & Network
ip address ip_address mask

Outer IP Header's Source & Destination
tunnel source ip_address
tunnel destination ip_address

Keepalives
keepalive interval retries

Tunnel Mode
tunnel mode gre ip

Example GRE Configuration

interface tunnel 1
 ip address 172.16.1.1 255.255.255.0
 tunnel source f0/1
 tunnel destination 192.0.2.1
 keepalive 10

Configuration Verification

show interface tunnel - Displays tunnel interface information

2.03 Implement IPv4 RIP version 2 (RIPv2)

IP Routing

Routing is the process of forwarding packets from one interface to another (ingress and egress interface can be the same, though)

Routing Logic can be divided into five steps :
1. Route Lookup
2. Route Recursion
3. Packet Switching
4. Encapsulation
5. Serialization

IP Routing Step 1

Step 1 - Route Lookup :
- Destination-based
- Longest-match prefix is always chosen

If there are multiple longest-match prefixes received from different routing protocols, only the lowest Administrative Distance prefix is placed into the routing table

If there is more than one longest-match prefix received from the same routing protocol, only the lowest-metric prefix is put into the RIB

If metrics are the same, Load Balancing occurs (account for the maximum-paths command)

IP Routing Step 1 Example

The following routes are in the RIB :
a) 10.0.0.0/8, AD 90 (EIGRP)
b) 10.1.0.0/16, AD 90 (EIGRP)
c) 10.1.2.0/24, AD 90 (EIGRP)
d) 10.1.2.3/32, AD 110 (OSPF)
e) 0.0.0.0/0, AD 1 (STATIC)

If a packet is received destined to 10.1.2.3, which route will be chosen? The answer is : 10.1.2.3/32, AD 110, although it has the worst AD (the highest)

If we start receiving 10.1.2.3/32 from EIGRP as well, the OSPF route will be preempted

IP Routing Step 2

Step 2 - Route Recursion :
- Finding an outgoing interface for a particular prefix

If 10.1.2.3 has a Next-Hop 1.2.3.4, perform route lookup for 1.2.3.4

If 1.2.3.4 is reachable via 5.6.7.8, perform route lookup for 5.6.7.8, and so on and so forth until one of the prefixes is listed as directly connected

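Added example (not from the slides): Step 1 and Step 2 in code, using the five routes of the Step 1 example and the 1.2.3.4 -> 5.6.7.8 recursion chain of Step 2. The install rule (lowest AD, then lowest metric) is applied per prefix before the longest-match lookup; the metrics and the connected route are constructed.

```python
"""Longest-match route lookup with AD/metric tie-break and next-hop recursion.

Added example, not from the slides; it reproduces the Step 1 example
(10.1.2.3 matched by the OSPF /32 despite its higher AD) and the Step 2
recursion through next-hops until a connected route is reached.
Metrics and the connected route are constructed around the slides' figures.
"""
from collections import namedtuple

Route = namedtuple("Route", "prefix length ad metric next_hop interface")


def ip_to_int(ip):
    a, b, c, d = (int(o) for o in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def matches(route, dest):
    mask = (0xFFFFFFFF << (32 - route.length)) & 0xFFFFFFFF
    return ip_to_int(dest) & mask == ip_to_int(route.prefix) & mask


def install(candidates):
    """Per prefix keep the lowest AD, then the lowest metric; equal ones are ECMP."""
    rib = {}
    for r in candidates:
        key = (r.prefix, r.length)
        best = rib.get(key, [])
        if not best or (r.ad, r.metric) < (best[0].ad, best[0].metric):
            rib[key] = [r]
        elif (r.ad, r.metric) == (best[0].ad, best[0].metric):
            rib[key].append(r)
    return [r for group in rib.values() for r in group]


def lookup(rib, dest):
    """Step 1: the longest prefix wins regardless of AD; returns its ECMP entries."""
    hits = [r for r in rib if matches(r, dest)]
    if not hits:
        return []
    longest = max(r.length for r in hits)
    return [r for r in hits if r.length == longest]


def resolve(rib, dest, max_depth=16):
    """Step 2: recurse on next-hops until a route with an outgoing interface is found."""
    path = []
    for _ in range(max_depth):
        entries = lookup(rib, dest)
        if not entries:
            raise LookupError("no route to %s" % dest)
        r = entries[0]
        path.append(r)
        if r.interface:
            return r.interface, path
        dest = r.next_hop
    raise LookupError("recursion limit reached resolving %s" % dest)


# Constructed RIB: the slide's five routes plus what the recursion needs.
CANDIDATES = [
    Route("10.0.0.0", 8, 90, 3072, "1.2.3.4", None),    # EIGRP
    Route("10.1.0.0", 16, 90, 3072, "1.2.3.4", None),   # EIGRP
    Route("10.1.2.0", 24, 90, 3072, "1.2.3.4", None),   # EIGRP
    Route("10.1.2.3", 32, 110, 20, "1.2.3.4", None),    # OSPF
    Route("0.0.0.0", 0, 1, 0, "5.6.7.8", None),         # static default
    Route("1.2.3.0", 24, 1, 0, "5.6.7.8", None),        # static, reached via 5.6.7.8
    Route("5.6.7.0", 24, 0, 0, None, "Serial0/0"),      # directly connected
]
```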

IP Routing Steps 3, 4 and 5

Step 3 - Packet Switching :
- Move the packet to the outgoing interface found in Step #2

Step 4 - Encapsulation :
- Encapsulate the packet into the interface's underlying L2 header
- Layer 3 to Layer 2 resolution may be required for multiaccess interfaces such as Ethernet or Frame Relay multipoint
- Point-to-point interfaces don't require resolution

Step 5 - Serialization :
- Serialize the packet onto the physical link

RIP

RIP is an example of a Distance-Vector protocol, meaning that it periodically passes full copies of its routing table out of all protocol-enabled interfaces

The Distance means Metric whereas Vector refers to the Next-Hop

RIP version 1 :
- Classful
- Does not support VLSM
- No authentication
- Uses broadcasts

RIP cont.

RIP version 2 :
- Supports VLSM
- Authentication
- Packets sent as multicast to 224.0.0.9

Both RIP versions run over UDP port 520

Metric is limited to 15 hops. Unreachable networks are denoted with metric set to 16 hops

RIP updates are sent every 30 seconds by default

RIP Operations

Five discrete steps :
1. Initialization - Request packet
2. Request Received - Creating the update message
3. Response - Processing the update packet
4. Regular Routing Updates - Unsolicited Response message sent every 30 seconds
5. Triggered Routing Updates - Optional extension for WAN links. Suppresses periodic updates

RIP Timers

Routing Timer clocks the interval between periodic routing updates, set to 30 seconds by default

Invalid Timer is initialized to 180 seconds whenever a new route is established and is reset to the initial value whenever an update is heard for that route

Flush Timer determines how long a route is advertised with an unreachable metric. Set to 240 by default

Holddown Timer, Cisco proprietary, kicks in after a route is received with a higher metric. Provides additional time for convergence, set to 180 seconds by default

Split Horizon

Used to reduce the probability of creating routing loops

This feature, when sending routing updates out of a particular interface, does not allow including networks that were learned from updates received on that interface

Split Horizon is enabled on all ports except the Serial Frame Relay interface (physical)

RIP Configuration

Enabling RIP
network ip_address

The network command does three things :
1. Enables sending the protocol updates
2. Enables receiving the protocol updates
3. Advertises configured networks/subnetworks

RIP version
version 1|2

Passive Interface
passive-interface if_name

RIP Configuration cont.

Disabling Auto Summarization
no auto-summary

Interface-Level Summary
ip summary-address rip

Unicast Updates
neighbor ip_address
passive-interface if_name

Default Route
default-information originate

Split Horizon
[no] ip split-horizon

RIP Configuration cont.

RIP Timers
timers basic

Offset List
offset-list

Source Validation
no validate-update-source

Triggered Updates
ip rip triggered

Example RIP Configuration

int f0/0
 ip add 172.16.1.1 255.255.255.0
int serial 0/0
 ip add 172.16.100.1 255.255.255.0
 no ip split-horizon
 ip rip triggered

router rip
 version 2
 no auto-summary
 network 172.16.100.0
 timers basic 10 60 60 80

Configuration Verification

show ip rip database - Displays RIP databases and summary entries

show ip protocols - Displays parameters and state of ACTIVE routing processes

2.04 Implement IPv4 Open Shortest Path First (OSPF)

OSPF Link State Protocol

OSPF is a Link-State protocol that uses Shortest Path First (SPF), also known as Dijkstra's algorithm

All routers within an area have the same topology

Information about links is stored in a memory structure called the Link State Database (LSDB)

Each of the devices uses the information stored in the LSDB to calculate the best paths

OSPF Operations

High level overview of OSPF's operations :
1. Router ID is chosen
2. Hello Packets are exchanged
3. Neighbors vs Adjacencies - adjacency is determined by the type of routers exchanging Hellos and the type of network over which the Hellos are exchanged
4. Link State Advertisements (LSA) are flooded (exchanging topology information)
5. SPF is calculated (the calculating device places itself as the root)
6. Routing Table is populated

OSPF Router ID

Router ID is an OSPF device identifier and it should always be unique within a single OSPF domain

Router ID is chosen in the following way :
1. If the router-id command is configured, its value is used as the Router ID
2. If there is no router-id command configured, the highest loopback IP address is chosen
3. If there are no router-id command and no loopback interfaces configured, the router will pick the highest numeric IP address from all other up/up status interfaces

OSPF Messages

OSPF sends packets encapsulating them directly in IP, using IP protocol number 89

There are five types of OSPF messages :
1. Hello - discovers and maintains the relationship
2. Database Description - contains a summary of all LSA headers
3. Link State Request (LSR) - identifies one or more LSAs the router would like to receive
4. Link State Update (LSU) - contains the requested LSAs
5. Link State Acknowledgement - sent to confirm receipt of an LSU

OSPF Neighbors

Discovered neighbors are stored in a neighbor table

Every OSPF-enabled interface listens for packets destined to the multicast address 224.0.0.5 and also sends packets with that destination

The following parameters must match :
1. Area
2. Timers - Hello and Dead Intervals
3. Stub Flag
4. Network Types (based on DR/BDR election)
5. MTU
6. Authentication

OSPF Network Types & Adjacencies

OSPF Network Types affect the adjacency establishment process and required configuration

There are six OSPF Network Types :
1. Broadcast
2. Non-Broadcast
3. Point to Point
4. Point to Multipoint
5. Point to Multipoint Non-Broadcast
6. Loopback

OSPF Broadcast & Non-Broadcast

Broadcast & Non-Broadcast
Used on multiaccess networks
Adjacencies are ONLY formed with a DR & BDR
DROTHERs use 224.0.0.6 (broadcast type)
The DR sends Hellos to 224.0.0.5 (broadcast type)

DR Election Criteria :
1. Highest OSPF Priority
2. Highest OSPF Router ID

The DR/BDR election is NOT preemptive (set the OSPF Priority to 0 to exclude a particular device from the election)

The Non-broadcast network type (default on FR multiaccess interfaces) requires the neighbor command

OSPF Point-to-point

Point to Point
Hellos are sent as multicast to 224.0.0.5
Neighboring routers automatically become adjacent
NO DR/BDR Election
Faster Convergence

OSPF Remaining Network Types

Point to Multipoint & Point to Multipoint Non-Broadcast
Understand that there is no L2 connectivity between the Spokes
Routers advertise their IP addresses as host routes (/32) and the Next-Hop points to the Hub
The Non-Broadcast version uses unicast Hellos, which means that the neighbor command must be issued

Loopback
Used on loopbacks and looped-back interfaces
Interfaces are advertised as host routes (/32)

OSPF Network Types - Recap

Recap :
DR and BDR election is performed on broadcast and non-broadcast networks only
Unicast updates are sent on non-broadcast and point-to-multipoint non-broadcast networks
Next-hop modifications are only performed on point-to-multipoint and point-to-multipoint non-broadcast networks

OSPF Areas

An OSPF Area is a part of the network; this way each area contains less topology information
Devices consume less memory and it takes less time to calculate SPF
Area 0 is called the backbone. All other areas must be connected to this area so that inter-area routes can be exchanged
Topology changes within one area are not propagated to other areas: inter-area routes hide topology information
OSPF inter-area routing uses some of the Distance-Vector logic (advertised metric)

OSPF Router Types

An Area Border Router (ABR) has at least one interface connected to area 0 and is also connected to at least one other area
An Autonomous System Boundary Router (ASBR) is a device that injects prefixes external to the OSPF domain (e.g. when performing redistribution)

OSPF Link State Advertisements (LSAs)

An LSA is just a piece of topology information that routers use to build the LSDB
LSAs are reliable: they are acknowledged
The LSA sequence number and lifetime are used to determine the most current LSA
There are multiple Types of LSA

OSPF LSA Types

OSPF LSA Types :
LSA Type 1 (Router LSA) lists the Router ID and all interface IP addresses. Generated by each router for each area it belongs to. Flooded only within a particular area
LSA Type 2 (Network LSA) is created by the DR and it represents the subnet & Router IDs of all connected OSPF devices. LSA Type 2 is also known as a Pseudo-node and is flooded only within a particular area
LSA Type 3 (Summary LSA) is created by an ABR and it identifies networks reachable outside the area, including default routes external to the area but internal to the OSPF domain. This LSA contains the cost from the ABR to the destination network

OSPF LSA Types cont.

OSPF LSA Types :
LSA Type 4 (ASBR Summary) is created by an ABR. Advertises a host route used to reach an ASBR
LSA Type 5 (External LSA) is created by an ASBR for external routes injected into the OSPF domain (external to the domain). A default route external to the OSPF domain will also be described as LSA Type 5
LSA Type 7 (NSSA) is equivalent to an external LSA (Type 5), but inside the NSSA area. Created by an ASBR

OSPF LSAs Example (figure)

OSPF Area Types

OSPF Area Types :
Standard Area - accepts all LSAs
Stubby Area - prevents LSAs Type 4 & 5, they are replaced with a default route. Does not allow for redistribution
Totally Stubby Area - no LSAs Type 3, 4 & 5, they are replaced with a default route. Does not allow for redistribution
Not So Stubby Area - same as Stubby Area (no LSAs Type 4 & 5) but it allows for redistribution using LSA Type 7. A default route is NOT automatically generated
Not So Totally Stubby Area - same as Totally Stubby Area (only LSAs Type 1 & 2 are permitted) but it allows for redistribution using LSA Type 7. A default route is generated by default

OSPF Area Types Example (figure)

OSPF Cost

Each OSPF link (interface) has an assigned cost
By default, the interface cost is derived from the configured bandwidth (bandwidth command)
The formula for this is 100Mbps/bandwidth
If the bandwidth is higher than the 100Mbps reference, the cost is always the same (1)
To modify this behavior, change 100Mbps to any configured value using the auto-cost reference-bandwidth command
To define the cost manually use the ip ospf cost statement

OSPF Path Selection

OSPF Path Selection :
1. Longest-match prefix
2. Route Type
3. Metric (Cost)

OSPF Route Types :
1. Intra-Area routes (O)
2. Inter-Area routes (O IA). Area 0 routes will be preferred over routes through other areas
3. External Routes Type 1 (E1)
4. External Routes Type 2 (E2)
5. NSSA Routes Type 1 (N1)
6. NSSA Routes Type 2 (N2)

OSPF Route Types

Intra-Area routes (O) are paths to destinations within one of the router's attached areas
Inter-Area routes (O IA) are paths to destinations in another area but still within the OSPF domain
External routes (E1 or E2) are, generally speaking, routes that were redistributed into the OSPF domain from an outside Autonomous System, so they are considered to be external to the OSPF domain. Type 1 = external (redistributed) cost + cost to the ASBR. Type 2 = redistributed cost only
NSSA routes (N1 or N2) are very similar to External routes, with the only exception being that they reside inside an NSSA area

OSPF Path Calculations

SPF calculations in OSPF are performed for intra-area routes
The OSPF metric is the sum of the costs of the outgoing interfaces towards the destination
For Inter-Area and External routes the metric is the sum of the advertised cost and the cost to the ABR/ASBR device
If there are two prefixes with the same length, type and cost, load balancing will occur

OSPF Path Calculations cont.

For Type 2 routes (External or NSSA), the end-to-end metric calculation includes the forward metric
The forward metric describes the cost to the ASBR and is used when there is more than one E2 route with the same metric to a destination. For example :

R8#sh ip route 23.23.23.23
Routing entry for 23.23.23.0/24
  Known via "ospf 1", distance 110, metric 20, type extern 2, forward metric 66
  Last update from 58.0.0.5 on FastEthernet0/1, 01:41:14 ago
  Routing Descriptor Blocks:
  * 58.0.0.5, from 19.1.1.9, 01:41:14 ago, via ...

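The path selection, route type and forward metric rules from the last four slides, worked as an added example (not code from the IPexpert slides); the candidate prefixes, next-hops and costs are constructed, loosely modelled on the 23.23.23.0/24 output above.

```python
"""Added example, not from the IPexpert slides: OSPF path selection.

Ranks candidate routes the way the slides describe: longest-match
prefix first, then route type (O > O IA > E1 > E2 > N1 > N2), then
metric.  E1/N1 metric = redistributed cost + cost to the ASBR; E2/N2
metric is the redistributed cost only, with the forward metric (cost
to the ASBR) breaking ties.  Candidates that still tie are all kept,
which is the load-balancing case.  Prefixes and costs are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Preference order of route types, best first (slide "OSPF Path Selection").
ROUTE_TYPE_RANK = {"O": 0, "O IA": 1, "E1": 2, "E2": 3, "N1": 4, "N2": 5}


@dataclass(frozen=True)
class Candidate:
    prefix: str            # e.g. "23.23.23.0/24"
    route_type: str        # one of the ROUTE_TYPE_RANK keys
    cost: int              # O / O IA: path cost; external: redistributed (advertised) cost
    next_hop: str
    cost_to_asbr: int = 0  # forward metric; only meaningful for E1/E2/N1/N2


def rib_metric(c: Candidate) -> int:
    """Metric as shown by 'show ip route' for this candidate."""
    if c.route_type in ("E1", "N1"):
        return c.cost + c.cost_to_asbr   # Type 1: external cost + cost to the ASBR
    return c.cost                        # O, O IA, E2, N2: advertised cost only


def rank(c: Candidate) -> Tuple[int, int, int]:
    """Lower tuple wins: route type, metric, then forward metric (Type 2 only)."""
    forward = c.cost_to_asbr if c.route_type in ("E2", "N2") else 0
    return (ROUTE_TYPE_RANK[c.route_type], rib_metric(c), forward)


def best_paths(prefix: str, candidates: List[Candidate]) -> List[Candidate]:
    """All candidates for one prefix that tie for best; >1 result means load balancing."""
    same = [c for c in candidates if c.prefix == prefix]
    if not same:
        return []
    best = min(rank(c) for c in same)
    return [c for c in same if rank(c) == best]


def lookup(destination: str, candidates: List[Candidate]) -> List[Candidate]:
    """Step 1 (longest match) across prefixes, then steps 2 and 3 within that prefix."""
    dst = ip_address(destination)
    matching = {c.prefix for c in candidates if dst in ip_network(c.prefix)}
    if not matching:
        return []
    longest = max(matching, key=lambda p: ip_network(p).prefixlen)
    return best_paths(longest, candidates)


# Constructed candidates: two E2 paths that differ only in forward metric, an
# O IA path with a much higher cost, a covering /8, and two E1 paths that tie.
SAMPLE = [
    Candidate("23.23.23.0/24", "E2", 20, "58.0.0.5", cost_to_asbr=66),
    Candidate("23.23.23.0/24", "E2", 20, "58.0.0.9", cost_to_asbr=40),
    Candidate("23.23.23.0/24", "O IA", 300, "10.0.0.2"),
    Candidate("23.0.0.0/8", "O", 5, "10.0.0.3"),
    Candidate("10.1.1.0/24", "E1", 20, "10.0.0.4", cost_to_asbr=10),
    Candidate("10.1.1.0/24", "E1", 10, "10.0.0.5", cost_to_asbr=20),
]

if __name__ == "__main__":
    for dst in ("23.23.23.23", "23.5.5.5", "10.1.1.7"):
        print(dst, [(c.route_type, c.next_hop) for c in lookup(dst, SAMPLE)])
```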
OSPF Path Calculations Example (figure)

OSPF Virtual Links

Area 0 should be contiguous and all areas must connect to it

A Virtual Link is a logical connection to area 0 used to :
Link an area to the backbone through a non-backbone area
Connect the two parts of a partitioned backbone through a non-backbone area

Once a Virtual Link is created between an ABR and another OSPF device, those two devices are considered to be ABRs
The transit area between both ends of a Virtual Link CANNOT be a Stub Area

OSPF Graceful Restart

OSPF Graceful Restart is also known as Non-Stop Forwarding (NSF)
This feature allows the router to continue forwarding packets even while undergoing a failure

The two modes this feature may operate in are :
1. Restarting Mode - the OSPF router process is performing nonstop forwarding
2. Helper Mode - a neighboring router is restarting, and this router is helping in the nonstop forwarding recovery

Relies on CEF

OSPF Configuration

OSPF Process
router ospf proc_nr

Enable OSPF
network IP_address wildcard area area_nr
ip ospf proc_nr area area_nr [secondaries none]

Router ID
router-id router_id

Hello & Dead Intervals
ip ospf hello-interval value
ip ospf dead-interval value
ip ospf dead-interval minimal hello-multiplier multiplier

OSPF Configuration cont.

OSPF Network Types
ip ospf network broadcast | non-broadcast | point-to-point | point-to-multipoint [non-broadcast]

Area Types
area area_nr stub [no-summary]
area area_nr nssa [no-summary] [no-redistribution] [default-information-originate] [nssa-only]

Default Route
default-information originate [always]

Virtual Link
area area_nr virtual-link router_id

NSF
nsf cisco

Example OSPF Configuration

int s0/0
 ip address 192.0.2.1 255.255.255.0
 ip ospf hello-interval 15
 ip ospf dead-interval 60
int f0/1
 ip address 10.1.1.1 255.255.255.0
 ip ospf 1 area 1
 ip ospf cost 50
int loopback 0
 ip address 172.16.1.1 255.255.255.0
 ip ospf network point-to-point

Example OSPF Configuration cont.

router ospf 1
 router-id 1.1.1.1
 network 192.0.2.1 0.0.0.0 area 0
 network 172.16.1.1 0.0.0.0 area 0
 area 1 nssa default-information-originate

Configuration Verification

show ip ospf neighbors - Displays OSPF neighbor information on a per-interface basis
show ip ospf interface - Displays OSPF-related interface information
show ip ospf - Displays general information about OSPF routing processes
show ip ospf border-routers - Displays the internal OSPF RIB entries to the ABR and ASBR

Configuration Verification cont.

show ip ospf database - Displays lists of information related to the OSPF database
show ip ospf virtual-links - Displays virtual-link related information
show ip protocols - Displays parameters and state of ACTIVE routing processes

2.05 Implement IPv4 Enhanced Interior Gateway Routing Protocol (EIGRP)

EIGRP General Information

EIGRP is a Cisco proprietary, advanced hybrid routing protocol
Uses the Diffusing Update Algorithm (DUAL)
EIGRP packets use IP protocol 88 and are sent to the multicast address 224.0.0.10
Some packets (e.g. Updates) can be sent as unicasts as well

EIGRP Terminology

Feasible Distance (FD) is the lowest-cost metric to a particular prefix
Advertised Distance (AD), also called Reported Distance (RD), is the FD from the neighbor's perspective, reported in the Update message from that device
The Successor is the Next-Hop router with the lowest cost (FD) to a particular subnet
A Feasible Successor (FS) is a backup Next-Hop router which meets the Feasibility Condition
The Feasibility Condition is met when the RD/AD for a route is LOWER than the router's current FD for the prefix

EIGRP Feasibility Condition Example (figure)

EIGRP Operations

The three general steps that EIGRP follows are :
1. Neighbor Discovery - Hello messages are sent, and the following must match so the devices can become neighbors :
  Routers must be in the same primary subnet
  The AS number must be the same
  Devices must pass authentication (if enabled)
  The K-values must match
2. Topology Exchange - Full routing tables are exchanged initially and then only partial updates are sent
3. Routing Table Update - Based on the EIGRP Topology table

EIGRP Packet Types

There are five types of EIGRP packets :
1. Hello - Used to establish & maintain neighborship
2. ACK - Used to acknowledge Update, Query and Reply packets (Hellos and ACKs themselves are NOT acknowledged)
3. Update - Contains route updates. Can be sent as multicasts or unicasts
4. Query - Used during route computation if there is no FS for a route. Can be sent as multicasts or unicasts
5. Reply - Sent as a response to a Query. Reply packets are always unicasts

EIGRP packets are transported using Reliable Transport Protocol (RTP)

EIGRP Neighbor Relationship

Hello packets are sent as multicasts (although they can be configured for unicasts), sourced from the primary IP address on an interface
When a Hello is received for the first time and all the parameters match, an adjacency forms and an Update packet is sent back
The neighbor acknowledges the Update packet and sends back its own Update to the originator
If an ACK is not received, retransmission occurs

EIGRP Metric Calculations

EIGRP metric = AD + cost of the link to that neighbor

K-values are weights for the EIGRP metric components :
1. Bandwidth (lowest in the path)
2. Delay (cumulative, in tens of microseconds)
3. Load (worst along the path)
4. Reliability (worst along the path)
5. MTU

Only bandwidth and delay are used to calculate the metric by default (K-values are set to 1 for them and to 0 for the other metric components)
Never change the bandwidth to modify the metric: always use the delay

EIGRP Metric Calculations Example (figure)

EIGRP Load Balancing

By default only equal-cost Load Balancing is performed with EIGRP
A feature that is unique to EIGRP is that it also supports unequal-cost Load Balancing (the traffic share will be proportional to the ratio of metrics)
In order for a route to be considered for unequal-cost LB it must meet the Feasibility Condition (the AD of the route must be lower than the FD of the Successor)
To enable unequal-cost Load Balancing use the variance command
If FD*variance is greater than the total metric of an alternate route, this route can be put into the RIB

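The metric, Feasibility Condition and variance rules from the Terminology, Metric Calculations and Load Balancing slides, worked as an added example (not code from the IPexpert slides); it assumes the default K-values (K1 = K3 = 1) and the neighbor data is constructed.

```python
"""Added example, not from the IPexpert slides: EIGRP metric, Feasibility
Condition and variance.

The composite metric uses the default K-values (K1 = K3 = 1, the rest 0):
metric = 256 * (10^7 / lowest_bandwidth_kbps + cumulative_delay_usec / 10).
Each neighbor reports the lowest bandwidth and cumulative delay of its own
best path (its FD, which is our AD/RD); we fold in the link to that
neighbor to get the total metric.  The Feasibility Condition (AD < FD)
picks Feasible Successors, and FD * variance decides which of those also
enter the RIB for unequal-cost load balancing.  Neighbor data is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


def eigrp_metric(lowest_bandwidth_kbps: int, cumulative_delay_usec: int) -> int:
    """Classic EIGRP composite metric with default K-values."""
    bandwidth_term = 10_000_000 // lowest_bandwidth_kbps   # inverse of the slowest link
    delay_term = cumulative_delay_usec // 10               # delay in tens of microseconds
    return 256 * (bandwidth_term + delay_term)


@dataclass(frozen=True)
class NeighborPath:
    neighbor: str
    reported_min_bw_kbps: int    # lowest bandwidth on the neighbor's best path
    reported_delay_usec: int     # cumulative delay on the neighbor's best path
    link_bw_kbps: int            # our link to that neighbor
    link_delay_usec: int

    @property
    def advertised_distance(self) -> int:
        return eigrp_metric(self.reported_min_bw_kbps, self.reported_delay_usec)

    @property
    def total_metric(self) -> int:
        # Bandwidth is the lowest along the whole path, delay accumulates.
        return eigrp_metric(min(self.reported_min_bw_kbps, self.link_bw_kbps),
                            self.reported_delay_usec + self.link_delay_usec)


def dual_selection(paths: List[NeighborPath], variance: int = 1) -> Dict[str, object]:
    """Return FD, Successor(s), Feasible Successor(s) and the neighbors installed in the RIB."""
    fd = min(p.total_metric for p in paths)
    successors = [p for p in paths if p.total_metric == fd]
    # Feasibility Condition: a backup qualifies only if its AD is strictly lower than our FD.
    feasible = [p for p in paths if p not in successors and p.advertised_distance < fd]
    # variance: an FS enters the RIB when FD * variance is greater than its total metric.
    unequal = [p for p in feasible if fd * variance > p.total_metric]
    return {
        "fd": fd,
        "successors": [p.neighbor for p in successors],
        "feasible_successors": [p.neighbor for p in feasible],
        "rib": [p.neighbor for p in successors + unequal],
    }


# Constructed topology: three neighbors advertising the same prefix.
SAMPLE_PATHS = [
    # A: Successor.  AD 281600, total 284160 (= FD).
    NeighborPath("A", 10000, 1000, 100000, 100),
    # B: close in total metric (309760) but AD 307200 > FD, so it fails the FC.
    NeighborPath("B", 10000, 2000, 100000, 100),
    # C: slow T1 link (total 2182656) but AD 38400 < FD, so it is a Feasible Successor.
    NeighborPath("C", 100000, 500, 1544, 20000),
]

if __name__ == "__main__":
    for v in (1, 8):
        print(f"variance {v}:", dual_selection(SAMPLE_PATHS, variance=v))
```

Note that B is never installed however large the variance: the Feasibility Condition is checked first, and it is about the neighbor's advertised distance, not the total metric.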
EIGRP Query Process

EIGRP actively searches for a lost route
Queries are sent ONLY if there is no FS for a route
A route that has lost its Successor is put into the Active state (valid routes are Passive)
In general, a Query packet is sent to each EIGRP neighbor and if the neighboring router has a route for the queried destination it will send a Reply packet. Otherwise it will extend the Query
If a Reply packet is received, the topology table entry returns to the Passive state and Update packets are sent to the neighbors so the network can reconverge

EIGRP Query Process cont.

What happens when a router receiving the Query does not have an exact match in the topology table?

If the Query was NOT received from the Successor :
The router sends a Reply with the current Successor
If it does not have a Successor (e.g. the route is active) it replies with unreachable information

If the Query was received from the Successor :
The router looks for an FS and if it finds one it replies with this information
If no FS was found it goes active and starts querying all neighbors except the previous successor

EIGRP Query Process - Example (figures)

EIGRP Query Process cont.

If the topology is large, the Query process could take very long to complete (each Active router must wait for the Reply)
EIGRP has a built-in timer, called the Active timer, which limits the amount of time a router can stay Active
If the Active timer expires, a route is placed into the Stuck-In-Active state, which means that all the neighbors that did not answer are brought down
To change the Active timer value (3 minutes by default), use the timers active-time command
A better solution is to limit the scope of Queries

EIGRP Limiting Query Propagation

The Query stops if there is no EXACT match in the EIGRP Topology

There are three ways to affect the Query propagation :
1. Summarization
2. Route Filtering
3. Stub Routers

Query Propagation - Summarization (figure)

Query Propagation - Route Filtering

Filtered routes are not propagated
Queries will be extended/forwarded, but the device that has the route filtered replies saying that the prefix is unreachable

Query Propagation - Stub Routers

Stub routers signal the neighbors not to query them (Stub routers should not be in a transit path)

EIGRP Stub Routing

EIGRP Stubs can be used to limit the query boundary
Commonly implemented in Hub & Spoke scenarios

EIGRP Stub Routing cont.

Stub routers are configured using the eigrp stub command

There are a couple of different options available for this statement :
connected, which advertises only the EIGRP-enabled interfaces (covered by the network command)
summary, which advertises auto-summaries and/or manual EIGRP summaries
static, which advertises static routes that are redistributed (via the redistribute static command)
receive-only, which does not allow advertising any routes. This keyword cannot be combined with any other option

EIGRP Split Horizon

An additional mechanism implemented to prevent routing loops
Split Horizon with Poison Reverse advertises a route with an unreachable metric instead of not advertising it at all

Three additional applications for Split Horizon are :
1. Initial routing table exchange - Poison Reverse each prefix
2. Topology Change (when an outgoing interface for a route changes) - Poison Reverse the old route on all other interfaces
3. Queries - queries received from the Successor are not sent back to it

EIGRP Configuration

EIGRP Process & Interfaces
router eigrp AS_nr
network ip_address wildcard

Auto-Summarization
[no] auto-summary

Hello & Dead Intervals
ip hello-interval eigrp AS_nr value
ip hold-time eigrp AS_nr value

Unicast Hellos
neighbor ip_address if_name

Default Network
ip default-network ip_address

EIGRP Configuration cont.

Split Horizon
no ip split-horizon eigrp AS_nr

K-Values
metric weights tos k1 k2 k3 k4 k5

Traffic Engineering
delay value

Bandwidth Limitation
ip bandwidth-percent eigrp AS_nr value

Example EIGRP Configuration

router eigrp 10
 no auto-summary
 network 172.16.1.1 0.0.0.0
 network 192.0.2.1 0.0.0.0
 passive-interface f0/1
int f0/1
 ip address 172.16.1.1 255.255.255.0
 ip hold-time eigrp 10 20
int s0/0
 ip address 192.0.2.1 255.255.255.0
 bandwidth 1500
 no ip split-horizon eigrp 10
 ip bandwidth-percent eigrp 10 20

Configuration Verification

show ip eigrp neighbors - Displays neighbors discovered by EIGRP
show ip eigrp interface - Displays information about EIGRP-configured interfaces
show ip eigrp topology - Displays Successors and Feasible Successors only
show ip eigrp topology all-links - Displays ALL IP entries in the EIGRP topology table
show ip protocols - Displays parameters and state of ACTIVE routing processes

2.06 Implement IPv4 Border Gateway Protocol (BGP)

BGP General Information

BGP is used to exchange routing information between multiple Autonomous Systems. An Autonomous System is a set of devices under a single technical administration
BGP is a Path Vector protocol. A Path is a sequence of ASs used to reach a particular Network Layer Reachability Information (NLRI), or just a prefix
Each Path is described by several Path Attributes (PAs). An example Path Attribute is the AS_PATH, which is also used to guarantee that a particular Path is loop free
Generally speaking BGP is not designed to route the traffic: it only advertises a prefix and Next-Hop. IGP-learned information is used for traffic forwarding

BGP General Information Example (figure)

BGP Peerings

An Internal BGP (iBGP) session is created when two devices are in the same AS
External BGP (eBGP) is formed between different ASs

BGP Operations

BGP uses TCP port 179 in its operations
Open messages are sent to establish the neighborship
The session is maintained by periodic keepalives
Full Routing tables are exchanged using the Update messages (there is a separate Update message for each Path Attribute list-value combination)
Afterwards only incremental updates are sent
Networks are stored in the BGP Table and only the best route is passed to the RIB & other neighbors

BGP Next-Hop Processing

The Next-Hop is automatically changed when a BGP packet flows between external BGP speakers (it is set to the update-sending router's IP address)
In BGP, the Control Plane may differ from the Data Plane
BGP Peers don't have to be directly connected since TCP is used for transport

BGP Next-Hop Processing Example (figure)

BGP Next-Hop Processing cont.

There are three ways to resolve the Next-Hop problem :
1. IGP or static routing
2. Advertise the Next-Hop subnet via BGP (network command)
3. Modify the Next-Hop value
  The next-hop-self option of the BGP neighbor command
  A route-map with the set ip next-hop option

BGP Third-Party Next-Hop (figure)

BGP Synchronization

Legacy feature
Used in the past when BGP tables were redistributed into an IGP
Synchronization was used to ensure that before a prefix was advertised by BGP, the IGP already knew about it

BGP Synchronization Example (figure)

BGP Path Attributes

BGP attributes can be either well-known or optional

Well-known attributes must be understood by every BGP implementation; there are two types of them :
1. Mandatory - must be included in every BGP Update. Examples are AS_PATH, Next-Hop and Origin
2. Discretionary - not required in every BGP Update. An example is Local Preference

Optional attributes do not have to be understood by every implementation; there are two types of them :
1. Transitive - should be forwarded even if not understood. An example is BGP Community
2. Non-transitive - should be removed if not understood. An example is MED

BGP Path Attributes cont.

BGP Path Attributes :
AS_PATH - lists the ASes that a particular route has traversed. Affects inbound traffic
Next-Hop - an IP address used to reach a particular prefix
Origin - the origin of the information. The i sign means interior to the AS, whereas the ? sign means redistributed
MED - used to indicate a preferred path into the AS. Affects inbound traffic, you set it outbound
Local Preference - local to the AS, indicates which path is preferred to exit the AS. Affects outbound traffic, you set it inbound
Weight - similar to the Local Preference, but local to the device. Affects outbound traffic, you set it inbound

BGP Path Attributes cont.

BGP Communities are used to tag a group of prefixes that share a common characteristic

There are 3 predefined, well-known Communities :
1. No Export - limits a prefix to the local AS only
2. No Advertise - does not allow advertising a prefix to ANY peer
3. Local AS - limits a prefix to the Sub-AS only (BGP Confederations)

BGP Path Selection

To consider a prefix for best path selection, three criteria have to be met :
1. Prefixes cannot have the local AS number in the AS_PATH
2. The Next-Hop has to be reachable
3. If BGP Sync is on, a prefix has to be in the RIB

The BGP best path selection logic tries to find a winner at the earliest possible step

BGP Path Selection cont.

There are ten steps in the best path selection process :
1. Weight (the higher, the better)
2. Local Preference (the higher, the better)
3. Locally Injected Routes (network, redistribution, summary). Local routes have a NH of 0.0.0.0
4. AS_PATH (the shorter the length, the better)
5. Origin (prefer i routes over ?)
6. MED (lower value wins)
7. Neighbor Type (prefer eBGP over iBGP)
8. IGP metric to the Next-Hop (lower wins)
9. Oldest paths are preferred (more stable)
10. Router ID (lower value is preferred)

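The three eligibility checks and the ten ordered steps from the two Path Selection slides, worked as an added example (not code from the IPexpert slides); it compares MED across all remaining paths (as with bgp always-compare-med), and the AS numbers, router IDs and next-hops are constructed sample values.

```python
"""Added example, not from the IPexpert slides: BGP best path selection.

Applies the three eligibility checks and the ten ordered tie-breakers
from the slides to constructed candidate paths for one prefix and
reports which step decided, so the "winner at the earliest step"
behaviour is visible.  MED is compared across all remaining paths here,
i.e. as with bgp always-compare-med.  AS numbers, router IDs and
next-hops are constructed sample values.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}   # i (IGP) preferred over ? (incomplete)


@dataclass(frozen=True)
class BgpPath:
    name: str
    next_hop: str
    as_path: Tuple[int, ...]
    origin: str = "i"
    weight: int = 0
    local_pref: int = 100
    med: int = 0
    ebgp: bool = True               # False for iBGP-learned paths
    igp_metric: int = 0             # IGP cost to next_hop
    age: int = 0                    # seconds since received; older is more stable
    router_id: str = "0.0.0.0"      # advertising router's BGP Router ID
    locally_injected: bool = False  # network / redistribute / aggregate (next hop 0.0.0.0)
    next_hop_reachable: bool = True
    in_rib: bool = True             # only checked when synchronization is on


def eligible(p: BgpPath, local_as: int, sync: bool) -> bool:
    """The three preconditions: no local AS in AS_PATH, reachable next hop, sync rule."""
    if local_as in p.as_path:
        return False
    if not p.next_hop_reachable:
        return False
    if sync and not p.in_rib:
        return False
    return True


def _rid(p: BgpPath) -> Tuple[int, ...]:
    return tuple(int(o) for o in p.router_id.split("."))


# The ten steps in order; each key maps a path to a value where lower is better.
STEPS: List[Tuple[str, Callable[[BgpPath], object]]] = [
    ("weight", lambda p: -p.weight),
    ("local_pref", lambda p: -p.local_pref),
    ("locally_injected", lambda p: 0 if p.locally_injected else 1),
    ("as_path_length", lambda p: len(p.as_path)),
    ("origin", lambda p: ORIGIN_RANK[p.origin]),
    ("med", lambda p: p.med),
    ("neighbor_type", lambda p: 0 if p.ebgp else 1),
    ("igp_metric", lambda p: p.igp_metric),
    ("age", lambda p: -p.age),
    ("router_id", _rid),
]


def best_path(paths: List[BgpPath], local_as: int, sync: bool = False) -> Tuple[Optional[BgpPath], str]:
    """Return (winning path or None, name of the step that decided it)."""
    cands = [p for p in paths if eligible(p, local_as, sync)]
    if not cands:
        return None, "no eligible path"
    for step, key in STEPS:
        best = min(key(p) for p in cands)
        cands = [p for p in cands if key(p) == best]
        if len(cands) == 1:
            return cands[0], step
    return cands[0], "tie"   # identical on every step; cannot happen with unique router IDs


LOCAL_AS = 65000

# Constructed candidates for one prefix as seen by a router in AS 65000.
SAMPLE_PATHS = [
    BgpPath("P1", "192.0.2.1", (65001, 65010), router_id="10.0.0.1"),
    BgpPath("P2", "192.0.2.2", (65002,), med=50, router_id="10.0.0.2"),
    BgpPath("P3", "10.0.0.3", (65002,), local_pref=200, ebgp=False, router_id="10.0.0.3"),
    BgpPath("P4", "192.0.2.4", (65004, 65000, 65010), router_id="10.0.0.4"),  # contains our AS
    BgpPath("P5", "192.0.2.5", (65002,), med=10, age=30, router_id="10.0.0.5"),
]

if __name__ == "__main__":
    winner, step = best_path(SAMPLE_PATHS, LOCAL_AS)
    print(winner.name if winner else None, "decided by", step)   # P3 decided by local_pref
```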
BGP Split Horizon

Internal BGP peerings cannot use the AS_PATH mechanism to detect a loop (they are all in the same AS)
The BGP Split Horizon rule states that updates learned from iBGP peers will not be further propagated to other internal neighbors
This rule is also known as the Full Mesh iBGP requirement

BGP Split Horizon Example (figure)

BGP Route Reflectors

Route Reflectors are the first method of alleviating the Split Horizon rule (Full Mesh iBGP)
Route Reflector Servers are able to forward received routes to internal BGP neighbors
Route Reflector Clients are configured on the Server, whereas the remaining BGP devices are called Non-Clients
A Route Reflector and its clients form a Cluster

BGP Route Reflectors

There are three rules of Route Reflection :
1. If the route was learned from a Non-Client iBGP peer, it is reflected to Clients ONLY
2. If the route was learned from a Client, it is reflected to All Clients and Non-Clients except the originating client
3. If the route was learned from an eBGP peer, it is reflected to All Clients and Non-Clients

BGP Route Reflectors Example (figure)

BGP Route Reflectors cont.

Loop Detection for Route Reflection works based on two attributes: Originator ID and Cluster ID
The Originator ID contains the Router ID of the originator of the route in the local AS
The Cluster ID is used to detect a loop between Route Reflectors in different clusters

BGP Confederations

Used to reduce the need for Full Mesh iBGP
Confederations divide an Autonomous System into smaller ASes, called sub-Autonomous Systems
Peers inside the same sub-AS are called confederation iBGP peers
Routers in different sub-ASes are considered confederation eBGP peers
The Full Mesh iBGP requirement still applies within a sub-AS
The Next-Hop is NOT modified between confederation eBGP peers

BGP Confederations Example (figure)

BGP Configuration

Enable BGP
router bgp AS_nr

Configure Peerings
neighbor ip_address remote-as AS_nr

Update Source
neighbor ip_address update-source if_name

Synchronization
[no] synchronization

TTL Modifications
neighbor ip_address ebgp-multihop [ttl]
neighbor ip_address disable-connected-check

BGP Configuration cont.

Next-Hop Modifications
neighbor ip_address next-hop-self

Network Advertisement
network ip_address mask mask

Path Attributes : Weight
neighbor ip_address weight value
set weight value

Path Attributes : Local Preference
set local-preference value

Path Attributes : AS_PATH
set as-path prepend as1 as2 ...

Path Attributes : Origin
set origin code

Path Attributes : MED
set metric value

Path Attributes : Communities
set community value
neighbor ip_address send-community

Apply the Route-Map
neighbor ip_address route-map name [in|out]

BGP Configuration cont.

Always Compare MED
bgp always-compare-med

Missing MED
bgp bestpath med missing-as-worst

Route Reflection
neighbor ip_address route-reflector-client

Confederation Peers
bgp confederation peers as1 as2 ...

Real AS Number
bgp confederation identifier AS_nr

Soft Reconfiguration
neighbor ip_address soft-reconfiguration inbound
clear ip bgp {*|ip_address} soft [in|out]

Example BGP Configuration #1

router bgp 100
 neighbor 2.2.2.2 remote-as 200
 neighbor 2.2.2.2 update-source Loopback1
 neighbor 2.2.2.2 ebgp-multihop 2

router bgp 200
 neighbor 1.1.1.1 remote-as 100
 neighbor 1.1.1.1 update-source Loopback2
 neighbor 1.1.1.1 ebgp-multihop 2

Example BGP Configuration #2

Rev. 1700
IPexperts CCIE R&S Written VoD Series

133

IPexpert, Inc.

Example BGP Configuration #2


R2
router bgp 65100
 bgp confederation identifier 200
 bgp confederation peers 65200
 neighbor 3.3.3.3 remote-as 65200
 neighbor 3.3.3.3 update-source Loopback0
 neighbor 3.3.3.3 ebgp-multihop 2
 neighbor 1.1.1.1 remote-as 65100
 neighbor 1.1.1.1 update-source Loopback0

R2 sits in sub-AS 65100 of confederation 200: the session to 3.3.3.3 is a confederation-eBGP session to sub-AS 65200 (hence ebgp-multihop for loopback peering), the session to 1.1.1.1 is iBGP within 65100, and peers outside the confederation see only AS 200.

Configuration Verification
show ip bgp summary - Displays the status of BGP neighbors
show ip bgp - Displays the BGP table
show ip bgp community - Displays routes that belong to the specified BGP community
show ip bgp neighbors - Displays information about BGP and TCP connections to neighbors
show ip protocols - Displays parameters and state of ACTIVE routing protocols

2.07 Implement Policy Routing

Policy Routing

Standard routing process is destination-based
Policy-Based Routing (PBR) allows packets to be routed based on other fields, e.g. the source IP address
For the packets it matches, Policy Routing takes precedence over the routing table; the exception is the set ip default next-hop / set default interface form, which is used only when the routing table has no explicit (non-default) route for the destination
Route-maps are used for configuration
To affect locally generated traffic a feature called Local Policy-Based Routing is used

Policy Routing Route Maps

First-match logic, same as with ACLs (order of entries IS important)
Each route-map ends with an implicit deny entry that matches all the traffic not matched by previous entries (match any)
A route-map entry with no match statement also behaves as match any
Multiple match arguments on the same line correspond to logical OR
Multiple match statements within the same entry (separate lines) correspond to logical AND
For PBR, a packet that hits a deny entry or the implicit deny at the end is simply forwarded according to the normal routing table
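The route-map rules above, mod­elled in Python as an added example (this is not code from the IPexpert slides or from Cisco IOS): first match wins, several ACLs on one match line are ORed, separate match lines in one entry are ANDed, an entry without a match line matches everything, and the implicit trailing deny means "route normally". The ACLs, entries, hosts and next-hop addresses are constructed for illustration.

```python
# Added example, not part of the IPexpert slides: a small Python model of how
# IOS evaluates a route-map used for policy routing.  It demonstrates the
# rules from the slide above: first match wins (so sequence order matters),
# values on one 'match' line are ORed, separate 'match' lines in one entry
# are ANDed, an entry with no 'match' line matches everything, and a packet
# that reaches the implicit trailing deny is routed normally.
# The ACLs, route-map entries and packets below are constructed for illustration.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"     # "ip" matches any protocol, like 'permit ip ...'
    dport: int = 0
    length: int = 0       # total IP length in bytes, for 'match length'


# Constructed extended ACLs: name -> list of permit entries
# (protocol, source network, destination network, destination port or None).
ACLS = {
    "100": [("ip", "10.1.1.1/32", "0.0.0.0/0", None)],     # all IP from one PC
    "150": [("tcp", "10.1.1.2/32", "0.0.0.0/0", 20)],      # FTP-DATA from another PC
    "160": [("ip", "10.1.2.0/24", "0.0.0.0/0", None)],     # a whole user subnet
}


def acl_permits(acl_name: str, pkt: Packet) -> bool:
    """True if the named ACL permits the packet (all entries here are permits)."""
    for proto, src, dst, dport in ACLS[acl_name]:
        if proto != "ip" and proto != pkt.proto:
            continue
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(src):
            continue
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(dst):
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return True
    return False


@dataclass
class Entry:
    """One 'route-map NAME permit|deny SEQ' entry."""
    seq: int
    action: str                                           # "permit" or "deny"
    match_acls: List[str] = field(default_factory=list)   # 'match ip address A B ...' (ORed)
    match_length: Optional[Tuple[int, int]] = None        # 'match length MIN MAX' (ANDed)
    set_next_hop: Optional[str] = None                    # 'set ip next-hop X'

    def matches(self, pkt: Packet) -> bool:
        conditions = []
        if self.match_acls:                       # several ACLs on one line: logical OR
            conditions.append(any(acl_permits(a, pkt) for a in self.match_acls))
        if self.match_length is not None:         # a second match line: logical AND
            low, high = self.match_length
            conditions.append(low <= pkt.length <= high)
        return all(conditions)                    # no match lines at all -> 'match any'


def evaluate(route_map: List[Entry], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Walk the entries in sequence order; the first matching entry decides.
    Returns ('policy', next_hop) for a matching permit entry, or ('deny', None)
    for a matching deny entry or for the implicit deny at the end, which for
    PBR means 'forward by the normal routing table'."""
    for entry in sorted(route_map, key=lambda e: e.seq):
        if entry.matches(pkt):
            if entry.action == "permit":
                return ("policy", entry.set_next_hop)
            return ("deny", None)
    return ("deny", None)


# A constructed PBR route-map: ISP A for the first PC, ISP B for FTP-DATA or
# small packets from the user subnet, explicit deny (route normally) for the
# rest of that subnet.  Order matters: swapping 20 and 30 changes the outcome.
PBR = [
    Entry(10, "permit", match_acls=["100"], set_next_hop="192.0.2.2"),
    Entry(20, "permit", match_acls=["150", "160"], match_length=(0, 1000),
          set_next_hop="198.51.100.2"),
    Entry(30, "deny", match_acls=["160"]),
]

if __name__ == "__main__":
    for p in (Packet("10.1.1.1", "203.0.113.9"),
              Packet("10.1.2.5", "203.0.113.9", "ip", 0, 1500),
              Packet("10.1.2.5", "203.0.113.9", "ip", 0, 100)):
        print(p.src, p.length, "->", evaluate(PBR, p))
```

The 1500-byte packet from 10.1.2.5 shows the AND rule: ACL 160 matches in entry 20, but the length test fails, so evaluation falls through to the deny in entry 30 and the packet is routed normally.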

Policy Routing Configuration

Route-Map & Match Options
route-map name permit|deny [seq_nr]
 match ...
 set ...

Match Options
match ip address ACL_nr
match length min max

Set Options
set ip next-hop ip_address
set ip default next-hop ip_address
set interface if_name
set default interface if_name
set ip precedence value
set ip tos value

Policy Routing Configuration cont.

Reliable Policy-Based Routing
ip sla monitor ...
track nr ...
set ip next-hop verify-availability ip_address seq_nr track nr

Policy-Based Routing (applied to an interface, for transit traffic)
ip policy route-map name

Local Policy-Based Routing (global, for router-generated traffic)
ip local policy route-map name

Example Policy Routing Configuration


route-map TEST permit 10
 match ip address 120 121
 match length 120 120
 set interface Null0
route-map TEST permit 20
 match interface Serial0/0
 set ip precedence 5

Entry 10 matches packets permitted by ACL 120 OR ACL 121 AND exactly 120 bytes long, and discards them via Null0; entry 20 is only reached by packets that entry 10 did not match.

Case Study

All IP traffic from PC 10.1.1.1 should go to ISP A
Active Mode FTP from PC 10.1.1.2 should go to ISP B

Case Study - Solution


Match the appropriate traffic
access-list 100 permit ip host 10.1.1.1 any
access-list 150 permit tcp host 10.1.1.2 any eq 20

Create Route-Map & Apply the Policy
route-map PBR permit 10
 match ip address 100
 set ip next-hop 192.0.2.2
route-map PBR permit 20
 match ip address 150
 set interface Serial0/1
interface FastEthernet0/0
 ip policy route-map PBR

ACL 150 matches the client's packets toward TCP port 20 (FTP-DATA), i.e. the active-mode data connection. set interface is appropriate for a point-to-point link such as Serial0/1; on a multi-access interface use set ip next-hop instead.

Configuration Verification
show ip policy - Displays policy route-maps applied to interfaces
show ip local policy - Displays the local policy route-map
show route-map - Displays route-map information, including policy routing match counters
debug ip policy - Shows which packets are policy-based routed

2.08 Implement Performance Routing (PfR) and Cisco Optimized Edge Routing (OER)

PfR

Performance Routing (PfR) was previously known as Optimized Edge Routing (OER)
PfR was created to extend standard lowest-cost metric routing
PfR takes into account the following traffic characteristics :
Packet loss
Response time
Traffic load
Path availability

PfR Components

Main PfR components are :
1. Master Controller - processes information received from Border Routers and communicates a routing decision back to them
2. Border Routers - the actual PfR policy enforcement points

PfR Process

Five phases of Performance Routing are :
1. Profile Phase - traffic classes are discovered (flows experiencing some performance issues)
2. Measure Phase - traffic performance metrics are measured on Border Routers and then reported to the Master Controller
Active measurement is based on IP SLA
Passive measurement is based on NetFlow and interface counters
3. Apply Policy Phase - the collected performance metrics are compared against predefined thresholds. When a threshold is crossed, an Out-Of-Policy (OOP) event is generated
4. Control Phase - policy enforcement phase. Traffic paths will be optimized by manipulating routing (e.g. injecting a static or BGP route) or by using the Policy-Based Routing feature
5. Verify Phase - verification of the optimized traffic path. If a particular traffic class still remains OOP, OER goes through all the phases once again, trying to adjust the policy

PfR Configuration

PfR Configuration - Foundations

OER Master
oer master
 border ip_address key-chain kchain
  interface if_name internal|external

OER Border
oer border
 master ip_address key-chain kchain
 local if_name

PfR Configuration - Profile Phase

Automatic Learning
oer master
 learn
  delay
  throughput
  periodic-interval time_interval
  monitor-period time_interval
  prefixes number

Manual Traffic Classes
ip prefix-list name permit|deny ip_address/pref
oer-map map_name seq
 match ip address prefix-list name
oer master
 policy-rules map_name

PfR Configuration - Measure Phase

Active Monitoring
oer master
 mode monitor active
 active-probe echo|udp-conn|tcp-conn

PfR Configuration - Apply Policy Phase

The Policy
oer-map map_name seq
 match ip address prefix-list prefix-list-name
 set delay {relative percent|threshold maximum}
 set loss {relative average|threshold maximum}
oer master
 policy-rules map_name

Link Utilization
oer master
 border ip_address
  interface if_name internal|external
   max-xmit-utilization percentage value

PfR Configuration - Control Phase

Active Control Mode
oer master
 mode route control
oer-map map_name seq
 set mode route control

Static Route Injection
oer master
 mode route metric static tag tag_nr

BGP Local Preference
oer master
 mode route metric bgp local-pref local_pref

PfR Configuration - Verify Phase

NetFlow

Logging
oer master|border
 logging

Example PfR Configuration

Master Controller (10.3.3.3)
key chain KCHAIN
 key 1
  key-string ipexpert
ip prefix-list PREF permit 192.0.2.0/24
oer-map OER_MAP 10
 match ip address prefix-list PREF
 set mode monitor active

oer master
 policy-rules OER_MAP
 active-probe tcp-conn 192.0.2.1 target-port 23
 logging
 mode route control
 mode route metric static tag 2000
 delay threshold 300
 learn
  delay
  monitor-period 10
  periodic-interval 60
  prefixes 100
 border 10.1.1.1 key-chain KCHAIN
  interface FastEthernet0/0 internal
  interface Serial0/0 external
   max-xmit-utilization percentage 50
 border 10.2.2.2 key-chain KCHAIN
  interface FastEthernet0/0 internal
  interface Serial0/0 external
   max-xmit-utilization percentage 70

Border Routers (10.1.1.1 and 10.2.2.2)
key chain KCHAIN
 key 1
  key-string ipexpert
oer border
 master 10.3.3.3 key-chain KCHAIN
 local FastEthernet0/0

route-map RED_RMAP permit 10
 match tag 2000
router ospf 1
 redistribute static route-map RED_RMAP

The policy-rules statement must reference the oer-map by its exact name (OER_MAP), and the key chain has to match on master and borders. The route-map on the border redistributes into OSPF only the static routes that PfR injected with tag 2000, so other static routes are not leaked by the control phase.

Configuration Verification
show oer master - Displays information about the Master Controller
show oer border - Displays information about Border Routers and OER-controlled interfaces
show oer master prefix - Displays status of monitored prefixes
show oer master policy - Displays policy settings on the OER Master Controller
show oer border routes - Displays information about OER-controlled routes

2.09 Implement filtering, route redistribution, summarization, synchronization, attributes, and other advanced features

Summarization

Route summarization is a technique of grouping IP networks together to minimize route advertisements
Summarization saves CPU & memory resources and hides topology information; it also confines the effect of a flapping component route to the summarizing router
RIPv2 and EIGRP perform automatic summarization at classful network boundaries by default
Auto-summarization may cause problems when e.g. discontiguous subnets are used

Summarization Example (diagram not reproduced)

Summarization cont.

To disable auto-summarization use the no auto-summary command (works for RIP & EIGRP)
RIPv2 manual summarization can be configured using the ip summary-address rip statement
EIGRP can summarize networks to supernets, whereas RIP cannot (a RIP summary must stay within the classful network)
EIGRP can unsuppress component routes so that not only the summary is sent. This feature is known as Leak-Map
EIGRP summarization can be performed using the ip summary-address eigrp [leak-map] command

Summarization cont.

OSPF requires an identical copy of the link-state database on every router within an area, so summarization cannot take place inside an area
Summarization in OSPF can only take place on ABRs (inter-area routes) and ASBRs (external routes)
To configure inter-area summarization on ABRs use the area area_nr range ip_address mask [not-advertise] command
To configure external route summarization on ASBRs, use the summary-address ip_address mask [not-advertise] command

Summarization cont.

BGP auto-summarization to classful boundaries (auto-summary) applies only to connected, static, and redistributed routes
Two other methods to summarize in BGP are :
1. Create a static route to Null0 and advertise it via the network statement
2. Use the aggregate-address [summary-only] [suppress-map] command
The second option requires at least one more-specific subnet of the summary to exist in the BGP table
A catch-all route to Null0 is always created when summarizing in EIGRP, OSPF and BGP (but not in RIP); it prevents routing loops for destinations inside the summary that have no more-specific route

Route Filtering

Route Filtering is a technique used to prevent propagation of routing updates
Possible applications are redistribution, traffic engineering and network security

Prefix Lists

Prefix List specifies two things :
1. Prefix with its length, e.g. 10.1.1.0/24
2. Prefix length range, e.g. ge 25 le 32
Both these things are checked during the comparison
An example prefix list may look like this :
ip prefix-list FILTER permit 192.0.0.0/16 le 24
This prefix list matches 192.0.100.0/24 but not 192.0.100.0/25

Prefix Lists cont.

Match-ALL prefix list example :
ip prefix-list MATCH_ALL permit 0.0.0.0/0 le 32

Match all Class A prefixes :
ip prefix-list CLASS_A permit 0.0.0.0/1 ge 8 le 8
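Prefix-list matching as an added Python example (not code from the slides or from IOS): it implements the two checks described above, the prefix comparison on the first L bits and the ge/le length range, with IOS first-match and implicit-deny semantics, and runs the slide's FILTER, MATCH_ALL and CLASS_A lists against sample routes. The NO_BARE_SUMMARY list is constructed.

```python
# Added example, not code from the IPexpert slides: IOS prefix-list matching
# in Python, using the slide's own entries plus a constructed one.
# An entry 'permit|deny A/L [ge G] [le E]' matches a route P/l when the first
# L bits of P equal those of A and the route's length l lies in the allowed
# range: exactly L with no ge/le, G..32 with ge only, L..E with le only,
# G..E with both.  Like IOS, a prefix-list is evaluated top-down, the first
# matching entry decides, and an empty or exhausted list denies.
import ipaddress
from typing import List, Tuple

Entry = Tuple[str, ipaddress.IPv4Network, int, int]   # (action, prefix, min_len, max_len)


def parse_entry(text: str) -> Entry:
    """Parse the part of an 'ip prefix-list NAME ...' line after the name,
    e.g. 'permit 192.0.0.0/16 le 24' -> ('permit', 192.0.0.0/16, 16, 24)."""
    tokens = text.split()
    action = tokens[0]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    net = ipaddress.ip_network(tokens[1], strict=False)
    low = high = net.prefixlen                  # no ge/le: exact length only
    options = dict(zip(tokens[2::2], tokens[3::2]))
    if "ge" in options:
        low, high = int(options["ge"]), 32      # ge alone opens the range up to /32
    if "le" in options:
        high = int(options["le"])               # le caps the range
    if not net.prefixlen <= low <= high <= 32:  # IOS rejects ranges below the prefix length
        raise ValueError(f"invalid length range in {text!r}")
    return action, net, low, high


def entry_matches(entry: Entry, route: str) -> bool:
    """Prefix check (first L bits) AND length-range check."""
    _, net, low, high = entry
    r = ipaddress.ip_network(route, strict=False)
    return r.network_address in net and low <= r.prefixlen <= high


def prefix_list_permits(entries: List[Entry], route: str) -> bool:
    """First-match evaluation with the implicit deny at the end."""
    for entry in entries:
        if entry_matches(entry, route):
            return entry[0] == "permit"
    return False


# The slide's examples.
FILTER = [parse_entry("permit 192.0.0.0/16 le 24")]
MATCH_ALL = [parse_entry("permit 0.0.0.0/0 le 32")]
CLASS_A = [parse_entry("permit 0.0.0.0/1 ge 8 le 8")]

# Constructed: accept /24 and longer inside 10.0.0.0/8, but never the bare /8
# summary itself, nor anything between /9 and /23 (implicit deny).
NO_BARE_SUMMARY = [parse_entry("deny 10.0.0.0/8"), parse_entry("permit 10.0.0.0/8 ge 24")]

if __name__ == "__main__":
    for route in ("192.0.100.0/24", "192.0.100.0/25", "192.0.0.0/8"):
        print("FILTER", route, prefix_list_permits(FILTER, route))
```

Note that 192.0.0.0/8 fails FILTER even though its network address lies inside 192.0.0.0/16: the length range 16..24 is part of the match, which is the point of the slide's second check.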

Route Filtering - RIP

RIPv2 :
Passive interface (passive-interface). Updates are no longer sent out of the interface but are still received on it
Distribute-lists (distribute-list in|out). A standard ACL can only specify the routes which we want to filter. An extended ACL can also specify the source of the routing update
Offset lists (offset-list). Used to manipulate the metric
Administrative Distance (distance). Setting AD to 255 prevents a route from being placed in the RIB

Route Filtering - EIGRP

EIGRP :
Passive interface (passive-interface). In EIGRP it prevents forming an adjacency (no Hellos are sent)
Distribute-lists (distribute-list in|out). A standard ACL can only specify the routes which we want to filter. An extended ACL can also specify the source of the routing update. Route-maps can be used to match a route metric or a tag
Administrative Distance (distance). Setting AD to 255 prevents a route from being placed in the RIB

Route Filtering - OSPF

Distance Vector protocols advertise routes from the RIB, so filtering what enters the RIB also filters what is advertised
Route filtering has no effect on the topology database in link-state protocols; LSAs are flooded unchanged
OSPF :
Stub areas
LSA Type 3 filtering (area filter-list prefix [in|out])
Summarization (area range not-advertise)
Distribute-lists (distribute-list in). Work only inbound, preventing LSA information from being installed in the RIB; the LSA stays in the database and is still flooded to neighbors
Administrative Distance (distance). Does not affect the LSA in the database. The LSA originator (advertising router ID) is the "source" that the distance command matches on

Route Filtering - BGP

The neighbor command or route-maps can be used for route filtering in BGP
Regular Expression (regexp) meta-characters :
. matches any single character
[0-9] matches any single digit
[a-z] matches any single lower-case letter
[A-Z] matches any single upper-case letter
_ matches a delimiter: a space, comma, brace, parenthesis, or the beginning or end of the AS_PATH string
^ matches the beginning of a string
$ matches the end of a string

Route Filtering - BGP cont.

Occurrence modifiers (refer to the preceding character) :
? means zero or one time
* means zero or more times
+ means one or more times

Regexp examples :
a* - Any consecutive occurrence of the letter "a", including none. For example: (empty), a, aa, aaa
ab?a - Matches "aa" or "aba"
[0-9]+ - Matches one digit or more

Route Filtering - BGP cont.

BGP :
Prefix lists (neighbor prefix-list [in|out])
Distribute-lists (neighbor distribute-list in|out). An extended ACL can match the network mask: the source portion of the ACL defines the prefix, and the destination portion, along with the destination wildcard, determines the prefix length
Filter lists (neighbor filter-list [in|out]). To define an AS_PATH ACL use the ip as-path access-list statement
Route-maps (neighbor route-map [in|out]). User-defined community lists can be created using the ip community-list command

Route Filtering - Examples

Example ACLs for distribute-lists. ACL 102 matches only 30.0.0.0/22, whereas ACL 105 matches any 30.0.x.0/24 :
access-list 102 permit ip 30.0.0.0 0.0.0.0 255.255.252.0 0.0.0.0
access-list 105 permit ip 30.0.0.0 0.0.255.255 255.255.255.0 0.0.0.0
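How IOS interprets these two ACLs when they are used as distribute-lists, as an added Python example (not the slides' or Cisco's code): the source address/wildcard pair is compared with the route's network address and the destination pair with its subnet mask, which is why ACL 102 pins the prefix length to /22 while ACL 105 accepts any 30.0.x.0/24. The standard ACL 5 is constructed; the helper only understands plain address/wildcard pairs, not keywords such as host or any.

```python
# Added example, not from the IPexpert slides: how IOS interprets an ACL that
# is used as a distribute-list (RIP/EIGRP/OSPF 'distribute-list' and BGP
# 'neighbor ... distribute-list').  For a standard ACL only the route's network
# address is compared with the address/wildcard pair, so any mask passes; for
# an extended ACL the source part is compared with the network address and the
# destination part with the subnet mask.  Keyword forms such as 'host' or
# 'any' are not handled; write them out as address/wildcard pairs.
import ipaddress
from typing import List, Optional, Tuple

AddrWildcard = Tuple[int, int]
Ace = Tuple[str, AddrWildcard, Optional[AddrWildcard]]   # (action, prefix part, mask part)


def _v4(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def wildcard_match(value: int, pattern: int, wildcard: int) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    return (value | wildcard) == (pattern | wildcard)


def parse_ace(text: str) -> Ace:
    """Parse 'permit ip SRC SWC DST DWC' (extended) or 'permit SRC [SWC]' (standard)."""
    t = text.split()
    action = t[0]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    if t[1] == "ip":                            # extended: prefix from source, mask from destination
        return action, (_v4(t[2]), _v4(t[3])), (_v4(t[4]), _v4(t[5]))
    wildcard = _v4(t[2]) if len(t) > 2 else 0   # standard: prefix only, any mask
    return action, (_v4(t[1]), wildcard), None


def acl_permits_route(aces: List[Ace], route: str) -> bool:
    """Evaluate the ACL against a route 'A.B.C.D/len'; first match wins, implicit deny."""
    net = ipaddress.ip_network(route, strict=False)
    addr, mask = int(net.network_address), int(net.netmask)
    for action, (p_addr, p_wc), mask_part in aces:
        if not wildcard_match(addr, p_addr, p_wc):
            continue
        if mask_part is not None and not wildcard_match(mask, *mask_part):
            continue
        return action == "permit"
    return False


# The slide's two ACLs, written out in full.
ACL_102 = [parse_ace("permit ip 30.0.0.0 0.0.0.0 255.255.252.0 0.0.0.0")]
ACL_105 = [parse_ace("permit ip 30.0.0.0 0.0.255.255 255.255.255.0 0.0.0.0")]
# Constructed standard ACL: the same 30.0.0.0/16 block, any prefix length.
ACL_5 = [parse_ace("permit 30.0.0.0 0.0.255.255")]

if __name__ == "__main__":
    for route in ("30.0.0.0/22", "30.0.5.0/24", "30.0.0.0/24"):
        print(route, acl_permits_route(ACL_102, route), acl_permits_route(ACL_105, route),
              acl_permits_route(ACL_5, route))
```

The standard ACL is the one to avoid when the intent is to filter a specific summary: it lets 30.0.0.0/22, 30.0.0.0/24 and 30.0.0.0/16 through alike, because it never looks at the mask.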

Example AS_PATH regexps :
.* - Matches all AS_PATHs
^$ - Matches an empty AS_PATH, i.e. all NLRIs originated in the local AS
^123$ - Matches an AS_PATH consisting of exactly one AS, 123
^54 - Matches an AS_PATH which begins with 54, including 540 or 5400; use ^54_ to match AS 54 only
^1_4$ - Matches an AS_PATH originated in AS 4 with direct neighbor in AS 1
_50_ - Matches AS 50 anywhere in the AS_PATH
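The regexp examples above evaluated in Python, as an added example that is not code from the slides: the only IOS-specific metacharacter is _, which is translated into the delimiter alternation it stands for, and a small filter-list helper shows first-match / implicit-deny behaviour. The SAMPLE_TABLE rows and the NO_AS50 list are constructed.

```python
# Added example, not from the IPexpert slides: Cisco-style AS_PATH regular
# expressions evaluated in Python.  The one non-standard metacharacter is '_',
# which IOS defines as a delimiter (space, comma, brace, parenthesis, start or
# end of string); everything else maps onto the re module unchanged.  The
# filter list below is constructed; the AS paths are sample strings in the
# format 'show ip bgp' prints them (leftmost AS = most recent).
import re
from typing import List, Tuple

_DELIM = r"(?:^|$|[ ,{}()])"   # what '_' stands for in an IOS regexp


def cisco_to_python(regexp: str) -> str:
    """Translate an IOS AS_PATH regexp into a Python one."""
    return regexp.replace("_", _DELIM)


def as_path_matches(regexp: str, as_path: str) -> bool:
    """IOS matches anywhere in the string unless ^/$ anchor it; so does re.search."""
    return re.search(cisco_to_python(regexp), as_path) is not None


FilterList = List[Tuple[str, str]]   # ('permit'|'deny', regexp), like 'ip as-path access-list'


def filter_list_permits(acl: FilterList, as_path: str) -> bool:
    """First matching entry decides; an exhausted list is an implicit deny."""
    for action, regexp in acl:
        if as_path_matches(regexp, as_path):
            return action == "permit"
    return False


def apply_filter_list(acl: FilterList, table: List[Tuple[str, str]]) -> List[str]:
    """Return the prefixes whose AS_PATH the filter list permits."""
    return [prefix for prefix, path in table if filter_list_permits(acl, path)]


# Constructed sample of a BGP table: (prefix, AS_PATH as printed by 'show ip bgp').
SAMPLE_TABLE = [
    ("10.0.0.0/24", ""),            # locally originated
    ("10.1.0.0/24", "123"),
    ("10.2.0.0/24", "54 300"),
    ("10.3.0.0/24", "540 12"),      # the classic ^54 trap
    ("10.4.0.0/24", "1 4"),
    ("10.5.0.0/24", "200 50 7"),
    ("10.6.0.0/24", "500 7"),
]

# Constructed filter list: drop anything that transited AS 50, keep the rest.
NO_AS50 = [("deny", "_50_"), ("permit", ".*")]

if __name__ == "__main__":
    for regexp in (".*", "^$", "^123$", "^54", "^54_", "^1_4$", "_50_"):
        hits = [p for p, path in SAMPLE_TABLE if as_path_matches(regexp, path)]
        print(f"{regexp:8} -> {hits}")
    print("after NO_AS50:", apply_filter_list(NO_AS50, SAMPLE_TABLE))
```

Running it shows why the trailing _ matters: ^54 also matches "540 12", while ^54_ does not, and _50_ leaves "500 7" alone.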

Redistribution

Redistribution allows one or more routers to take routes learned via one routing protocol and advertise those routes via another routing protocol
To define the source routing protocol use the redistribute command. The router statement (routing protocol process) defines the receiving protocol
For example, to redistribute all OSPF routes (subnets included) into RIP with a hop count of 3, the following configuration is required :
router rip
 redistribute ospf 1 metric 3
The subnets keyword belongs to redistribution into OSPF, not into RIP; when redistributing into RIP a metric has to be supplied, either with the metric keyword as above or with default-metric

Redistribution cont.

Different routing protocols use different metrics. Only OSPF assigns a default metric (20, or 1 for routes from BGP) to redistributed routes if none was specified
Three ways to specify a metric :
1. The metric keyword on the redistribute command
2. The default-metric statement
3. A route-map with set metric
The logic of the redistribute command :
Redistribute all the routes from the RIB that were learned by the routing protocol I am redistributing from
Redistribute all connected interfaces that were designated by that protocol's network command

Route-Maps

Route-maps can be used with redistribution to limit the prefixes that will be redistributed
Some additional attributes can be set for the redistributed routes (e.g. a tag)
All the prefixes matched in a deny route-map statement will be filtered
Always remember that there is an implicit deny entry at the end

Redistribution Problems

If there are multiple points where redistribution is performed, problems such as suboptimal routing or routing loops may occur
Always remember that the information learned from one routing domain (X) should never be announced back into this domain (X)
To fix problems related to redistribution we can use :
Administrative Distance
Route Filtering
Another Redistribution

Redistribution Problems cont.

Administrative Distance can be configured so you can assign different AD values to different routes (distance)
For example, to change OSPF's AD for external routes use the distance ospf external statement
EIGRP raises AD to 170 for external routes by default
To set AD to 169 for routes 1.2.3.0/24 and 1.2.4.0/24 received from 10.1.1.1 we would use the following configuration :
access-list 2 permit host 1.2.3.0
access-list 2 permit host 1.2.4.0
router rip
 distance 169 10.1.1.1 0.0.0.0 2

Redistribution Problems cont.

Route Filtering can be used to limit the prefixes that will be redistributed. Things like distribute-lists or route tags can be used here
Another redistribution may help in certain scenarios
If a redistributed prefix is already known natively, consider increasing the metric of the redistributed copy so the native route is preferred

Case Study

Full reachability to R1's Loopback 0 network is required (topology diagram not reproduced)

Case Study - Solution

1. Increase OSPF distance of external routes to a value higher than 120 (RIP's AD) :
router ospf 1
 distance ospf external 130

2. Redistribute RIP into OSPF on R2 :
router ospf 1
 redistribute rip subnets

R5's EIGRP topology table shows the prefix with no successor :
R5(config)#do show ip eigrp topology
...
P 1.1.1.0/24, 0 successors, FD is Inaccessible
        via 10.1.45.4 (2560002816/2560000256), FastEthernet0/1

3. Tag the Loopback 0 prefix on R2 when redistributing RIP into EIGRP :
access-list 1 permit host 1.1.1.0
route-map RIP_EIGRP_TAG_RMAP permit 10
 match ip address 1
 set tag 120
route-map RIP_EIGRP_TAG_RMAP permit 20
router eigrp 1
 redistribute rip metric 1 1 1 1 1 route-map RIP_EIGRP_TAG_RMAP

And filter the tagged prefix on R5 when redistributing EIGRP into OSPF :
route-map FILTER_TAGGED_RMAP deny 10
 match tag 120
route-map FILTER_TAGGED_RMAP permit 20
router ospf 1
 redistribute eigrp 1 subnets route-map FILTER_TAGGED_RMAP

The empty permit 20 entries match everything else, so only the tagged prefix is affected by each route-map; without them the implicit deny would block all other redistributed routes.

Question 7 Topology (diagram not reproduced)

Question 15 Topology (diagram not reproduced)

End of Section 2.0

IPexperts CCIE R&S Written VoD Series
3.0 Implement IPv6

3.01 Implement IP version 6 (IPv6) addressing and different addressing types

IPv6 Basics

IPv6 addresses are 128 bits long and are represented in hexadecimal
If no abbreviation is used, an IPv6 address is composed of eight colon-separated fields, each containing 4 hexadecimal digits (16 bits). For example :
2001:0000:0000:0000:0DB8:0800:200C:417B
Since IPv6 addresses are long and somewhat cumbersome to work with, there are two methods of abbreviating them

IPv6 Basics cont.

The first method allows one or more consecutive all-zero 16-bit fields to be replaced with a double colon ::
2001:0000:0000:0000:0DB8:0800:0000:417B
==
2001::0DB8:0800:0000:417B
This method can be used only once in an address, to avoid ambiguity (RFC 5952 recommends applying it to the longest run of zero fields)
The second rule says that leading zeros (NOT trailing) within a 4-hex field can be omitted. This method can be used as many times as needed in an address
0098:0CAB:0000 == 98:CAB:0
Applying both rules, the example above becomes 2001::DB8:800:0:417B

IPv6 Address Types

A unicast address identifies a single interface on a single device. Three sorts of unicast addresses are covered here :
Aggregatable Global Address, Link-Local Address and IPv4-Compatible IPv6 Address
Aggregatable Global Address - Defined by a global routing prefix, subnet ID and interface ID. Current global addresses begin with 2 or 3 in hex, which corresponds to 2000::/3

IPv6 Interface ID

RFC 3513 states that for all unicast addresses, except those that start with binary value 000, Interface IDs are required to be 64 bits long and to be constructed in Modified EUI-64 format
The process of constructing an EUI-64 Interface ID consists of two steps :
1. The Ethernet MAC address is divided into two equal parts, 24 bits each, and the fixed hex value FFFE is inserted between them
2. The Universal/Local (U/L) bit, which is the seventh bit of the first octet of the MAC address (value 0x02), is inverted
For interface types other than Ethernet (e.g. Serial, ATM, Frame Relay), the first MAC from the pool of MAC addresses in the router is used

IPv6 EUI-64 Interface ID Example (diagram not reproduced)
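The two EUI-64 steps above carried out in Python, as an added example that is not code from the slides: it builds the 64-bit interface ID from a MAC address, combines it with a /64 prefix the way the ipv6 address ... eui-64 command does, derives the default link-local address, and reverses the mapping so that a MAC can be recovered from an EUI-64 based address seen in a log or packet capture. The MAC addresses and the 2001:db8:0:1::/64 prefix are constructed samples.

```python
# Added example, not from the IPexpert slides: modified EUI-64 interface IDs
# in Python, i.e. the two steps described above (split the MAC, insert FFFE,
# flip the U/L bit) plus the reverse mapping that lets you recover a MAC
# address from an EUI-64 based IPv6 address seen in a log or a capture.
# MAC addresses are accepted in 00:1a:..., 00-1a-... or 001a.2b3c.4d5e form.
import ipaddress
import re


def _mac_bytes(mac: str) -> bytearray:
    digits = re.sub(r"[:.\-]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return bytearray.fromhex(digits)


def eui64_interface_id(mac: str) -> str:
    """Return the 64-bit interface ID as four hextets, e.g. '021a:2bff:fe3c:4d5e'."""
    b = _mac_bytes(mac)
    iid = b[:3] + b"\xff\xfe" + b[3:]     # step 1: OUI | FFFE | device part
    iid[0] ^= 0x02                        # step 2: invert the U/L bit (bit 7 of octet 0)
    return ":".join(f"{iid[i]:02x}{iid[i + 1]:02x}" for i in range(0, 8, 2))


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 interface ID (what 'ipv6 address P/64 eui-64' does)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    iid = int(eui64_interface_id(mac).replace(":", ""), 16)
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def link_local(mac: str) -> ipaddress.IPv6Address:
    """The link-local address an interface derives by default: fe80::/64 + EUI-64 ID."""
    return eui64_address("fe80::/64", mac)


def mac_from_eui64(address: str) -> str:
    """Reverse the process; raises if the low 64 bits are not EUI-64 shaped."""
    iid = (int(ipaddress.IPv6Address(address)) & ((1 << 64) - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        raise ValueError("interface ID does not contain the FFFE marker")
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02                        # undo the U/L inversion
    return ":".join(f"{x:02x}" for x in mac)


if __name__ == "__main__":
    mac = "00:1A:2B:3C:4D:5E"
    print(eui64_interface_id(mac))
    print(eui64_address("2001:db8:0:1::/64", mac), link_local(mac))
    print(mac_from_eui64(str(eui64_address("2001:db8:0:1::/64", mac))))
```

Because the interface ID is derived from the burned-in MAC, it stays constant across every prefix the host uses, which is the tracking concern that privacy (random) interface IDs were introduced to address.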

IPv6 Address Types cont.

Link-Local Address - Used locally on a data link or multi-access interface. Required to be unique only within one L2 network; one is assigned to every IPv6-enabled interface. Link-local addresses always begin with FE80::/10
IPv4-Compatible IPv6 Address - Assigned to nodes that support both the IPv4 and the IPv6 protocol stack and used in automatic tunnels (deprecated by RFC 4291). The format of an IPv4-Compatible IPv6 Address is 0:0:0:0:0:0:A.B.C.D or ::A.B.C.D, where A.B.C.D is an IPv4 address
IPv6 multicasts are a separate group of IPv6 addresses (FF00::/8)
There is no broadcast address in IPv6; multicast takes over all the functions that a broadcast address would serve in the IPv4 world

IPv6 Multicast Address Structure (diagram not reproduced)

IPv6 Address Types cont.

IPv6 multicast address examples :
FF02::1 - All hosts (link-local scope)
FF02::2 - All routers
FF02::A - EIGRP
Anycast Address - A single unicast address assigned to more than one node. Packet delivery is determined by the routing protocol in use (the packet reaches the nearest node)
Unspecified Address - Composed of all zeros, which can be denoted as ::. Used in the source field by a host that does not yet know its own address

IPv6 Addressing Configuration

Enable IPv6 Unicast Routing
ipv6 unicast-routing

IPv6 Address
ipv6 address ipv6_addr/prefix-length [eui-64]
ipv6 address 2001:0DB8:0:1::1/64
ipv6 address 2001:0DB8:0:1::/64 eui-64

Link-Local Address
ipv6 address ipv6_addr link-local
ipv6 address fe80::1 link-local

Configuration Verification
show ipv6 interface [brief] - Displays the usability status of interfaces configured for IPv6 and their addresses

3.02 Implement IPv6 neighbor discovery

IPv6 Neighbor Discovery

Neighbor Discovery is a messaging protocol that performs a group of different functions. It uses ICMPv6 and the solicited-node multicast address in its operations
There is no ARP in IPv6
Neighbor Discovery functions can be divided into two groups :
1. Host to Router or Router to Host interaction
2. Host to Host interaction

IPv6 Neighbor Discovery cont.

The first group of IPv6 ND functions contains the following :
Router Discovery
Prefix Discovery
Parameter Discovery
Address Autoconfiguration
Redirect
And the second group's roles are :
Address Resolution
Duplicate Address Detection
Neighbor Unreachability Detection
Next-Hop Determination

ICMPv6 Message Types

Neighbor Discovery uses five ICMPv6 message types :
1. Router Advertisement (Type 134, Code 0). Periodically sent by ROUTERS with the destination address set to the all-hosts multicast address FF02::1 (or unicast, in reply to a Router Solicitation). Used to inform about three things :
IPv6 prefixes used on the link
MTU
Whether the router is a default gateway
2. Router Solicitation (Type 133, Code 0). Sent by HOSTS to immediately receive a Router Advertisement

ICMPv6 Message Types cont.

3. Neighbor Advertisement (Type 136, Code 0). Sent by all NODES (hosts and routers), in response to a Neighbor Solicitation or unsolicited, to inform other nodes on the network of their presence and link-layer addresses
4. Neighbor Solicitation (Type 135, Code 0). Sent by NODES to obtain the link-layer address of another node right away, without waiting for an unsolicited Neighbor Advertisement
5. Redirect (Type 137, Code 0). Same as in IPv4, used to inform a host of a better first hop to the destination. Sent by ROUTERS

IPv6 ND Functions

There are nine functions of IPv6 Neighbor Discovery :
1. Router Discovery. A host receiving Router Advertisements builds a list of default routers
2. Prefix Discovery. Allows hosts to learn which prefixes are on-link (directly connected)
3. Parameter Discovery. Includes the MTU and Hop Limit value that hosts should be using on that specific link
4. Stateless Address Autoconfiguration (SLAAC). IPv6 hosts can automatically configure themselves with an IPv6 address: the prefix learned from the Router Advertisement message becomes the network part, whereas the Interface ID is derived using the modified EUI-64 format (or generated randomly, on hosts that implement privacy extensions)

IPv6 ND Functions cont.

5. Redirect. Informs hosts of a better next-hop to a particular destination
6. Address Resolution. Replaces ARP. A Neighbor Solicitation, sent to the target's solicited-node multicast address, corresponds to an ARP Request, whereas the Neighbor Advertisement is sent as the reply
7. Duplicate Address Detection (DAD). Used to verify uniqueness of a newly assigned IPv6 address. A Neighbor Solicitation for the tentative address is sent from the unspecified source ::; if a Neighbor Advertisement is received, the address is already taken
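The addresses that Address Resolution and DAD actually put on the wire, as an added Python example (not code from the slides): the solicited-node multicast group ff02::1:ffXX:XXXX derived from the low 24 bits of the target, the Ethernet multicast MAC 33:33:... derived from the low 32 bits of that group, and a check showing that several addresses can share one group, so the target field of the Neighbor Solicitation (not the group) decides who answers. All addresses below are constructed samples.

```python
# Added example, not from the IPexpert slides: the addresses that Address
# Resolution and DAD use.  A Neighbor Solicitation for target T goes to the
# solicited-node multicast group ff02::1:ffXX:XXXX (XX:XXXX = low 24 bits of T)
# and, on Ethernet, to the MAC 33:33 followed by the low 32 bits of that IPv6
# group address.  Several addresses can map to one group, so the NS target
# field, not the group, identifies which node must answer; nodes_in_group()
# shows that.  Addresses below are constructed samples.
import ipaddress
from typing import List, Tuple

_SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def solicited_node(address: str) -> ipaddress.IPv6Address:
    """Solicited-node multicast group for a unicast (or tentative) address."""
    low24 = int(ipaddress.IPv6Address(address)) & 0xFFFFFF
    return ipaddress.IPv6Address(_SOLICITED_NODE_BASE | low24)


def multicast_mac(group: str) -> str:
    """Ethernet destination MAC for an IPv6 multicast group: 33:33 + low 32 bits."""
    g = ipaddress.IPv6Address(group)
    if not g.is_multicast:
        raise ValueError(f"{group} is not an IPv6 multicast address")
    low32 = (int(g) & 0xFFFFFFFF).to_bytes(4, "big")
    return "33:33:" + ":".join(f"{x:02x}" for x in low32)


def ns_destinations(target: str) -> Tuple[str, str]:
    """(IPv6 group, Ethernet MAC) a Neighbor Solicitation for 'target' is sent to.
    For DAD the same destination is used, with the unspecified address :: as source."""
    group = solicited_node(target)
    return str(group), multicast_mac(str(group))


def nodes_in_group(addresses: List[str], group: str) -> List[str]:
    """Which of these interface addresses listen on the given solicited-node group."""
    g = ipaddress.IPv6Address(group)
    return [a for a in addresses if solicited_node(a) == g]


if __name__ == "__main__":
    print(ns_destinations("2001:db8:0:1:21a:2bff:fe3c:4d5e"))
    print(nodes_in_group(["2001:db8:0:1:21a:2bff:fe3c:4d5e", "fe80::21a:2bff:fe3c:4d5e",
                          "2001:db8::abcd:3c:4d5e", "2001:db8::1"], "ff02::1:ff3c:4d5e"))
```

A host's global and link-local addresses built from the same EUI-64 share one solicited-node group, so a single multicast MAC filter entry covers both; an unrelated address that happens to end in the same 24 bits lands in the same group too, and must ignore solicitations whose target is not its own.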

IPv6 ND Functions cont.

8. Neighbor Unreachability Detection. Used to confirm a neighbor's reachability: either a probe (Neighbor Solicitation) is sent and a Neighbor Advertisement is awaited, or upper-layer protocol information is used, such as a TCP ACK
9. Next-Hop Determination. Used to determine the next-hop. If the destination is on-link, the next-hop address is the same as the packet's destination address. Otherwise, the sender selects a router from the Default Router List

IPv6 Neighbor Discovery Configuration

IPv6 ND Configuration

Router Advertisement Interval
ipv6 nd ra-interval value

Router Advertisement Lifetime
ipv6 nd ra-lifetime value

Enabling Router Advertisements (the no form removes the suppression)
no ipv6 nd ra suppress [all]

Static Neighbor Discovery Cache Entry
ipv6 neighbor ipv6_addr if_name hardware-addr

Configuration Verification
show ipv6 neighbors - Displays Neighbor Discovery cache information

3.03 Implement basic IPv6 functionality protocols

IPv6 Functionality Protocols - ICMPv6

ICMPv6 also provides error reporting and diagnostic functions
ICMPv6 Error Messages :
Type 1 - Destination Unreachable
Code 0 - No route to destination
Code 1 - Communication with destination administratively prohibited
Code 2 - Beyond scope of source address (unassigned in the original RFC 2463, defined in RFC 4443)
Code 3 - Address unreachable
Code 4 - Port unreachable
Type 2 - Packet Too Big (used by Path MTU Discovery; IPv6 routers never fragment in transit)

IPv6 Functionality Protocols - ICMPv6 cont.

ICMPv6 Error Messages :
Type 3 - Time Exceeded
Code 0 - Hop limit exceeded in transit
Code 1 - Fragment reassembly time exceeded
Type 4 - Parameter Problem
Code 0 - Erroneous header field encountered
Code 1 - Unrecognized Next Header type encountered
Code 2 - Unrecognized IPv6 option encountered

ICMPv6 Diagnostic (informational) Messages :
Type 128, Code 0 - Echo Request
Type 129, Code 0 - Echo Reply

IPv6 Functionality Protocols - DHCPv6

DHCPv6 provides Stateful Autoconfiguration
The concept is similar to IPv4, but the messages are different :
Solicit
Advertise
Request
Reply
Two additional facts about DHCPv6 are :
1. Clients send Solicit (and Request) messages to the well-known link-scoped multicast address FF02::1:2 (All_DHCP_Relay_Agents_and_Servers); the site-scoped FF05::1:3 (All_DHCP_Servers) is used by relay agents to reach servers. Advertise and Reply are unicast back to the client
2. DHCPv6 clients listen on UDP port 546, whereas servers and relay agents listen on UDP port 547

IPv6 Functionality Protocols - DNS, CDP

Both DNS and CDP perform the same function as in the IPv4 world
IPv6 DNS adds the AAAA (quad-A) record as the IPv6 counterpart of the IPv4 A record

IPv6 Functionality Protocols Configuration

Functionality Protocols Configuration

ICMPv6 Rate-Limiting
ipv6 icmp error-interval msec [bucketsize]

Configuration Verification
show cdp neighbors [detail] - Displays Cisco Discovery Protocol information, including the IPv6 addresses of neighbors

3.04 Implement tunneling techniques

IPv6 Tunneling Techniques

There are a couple of different tunneling techniques that can be used to provide communication between isolated islands of IPv6 networks across an IPv4 infrastructure :
GRE Tunnels
Manual Tunnels
Automatic 6to4 Tunnels
ISATAP Tunnels

IPv6 GRE Tunnels

GRE Tunnels are a point-to-point solution. The


passenger protocol is distinguished based on the
protocol field

Rev. 1700
IPexperts CCIE R&S Written VoD Series

35

IPexpert, Inc.

IPv6 GRE Tunnels cont.

Configuration (IPv4 transport between the loopbacks, IPv6 passenger):

R1
ipv6 unicast-routing
interface loopback0
 ip address 1.1.1.1 255...
interface tunnel 12
 ipv6 address 2001:12::1/64
 tunnel source loopback0
 tunnel destination 2.2.2.2
 tunnel mode gre ip
ipv6 route ::/0 tunnel 12

R2
ipv6 unicast-routing
interface loopback0
 ip address 2.2.2.2 255...
interface tunnel 12
 ipv6 address 2001:12::2/64
 tunnel source loopback0
 tunnel destination 1.1.1.1
 tunnel mode gre ip
ipv6 route ::/0 tunnel 12

tunnel mode gre ip is the default and may be omitted. The original slide showed tunnel mode gre ipv6, which selects GRE over an IPv6 transport and requires IPv6 tunnel source and destination addresses, so it would not work with the IPv4 loopbacks used here



IPv6 Manual Tunnels

Another point-to-point solution

Embeds the IPv6 packet directly in the payload of an IPv4 packet with protocol number 41 (no GRE header)

Configuration is very similar to GRE tunnels; the only exception is the tunnel mode, which is set with tunnel mode ipv6ip. The tunnel destination must still be configured statically on both ends


IPv6 Automatic 6to4 Tunnels

The IPv6 packet is prepended with an IPv4 header carrying protocol number 41, as in manual tunnels

This method offers a point-to-multipoint solution: one tunnel interface reaches every 6to4 site

Automatic 6to4 addresses always start with 2002 followed by the site's IPv4 address in hex. More specifically:
2002:IPv4_Address:Subnet_ID:Interface_ID

Routing in automatic tunneling is based on the IPv4 part of the original IPv6 destination address: the router extracts those 32 bits and uses them as the IPv4 tunnel destination for that packet. The source address is taken from the tunnel source command

The embedded IPv4 address must be public, and the IPv6 addresses assigned to hosts must come from the site's 2002:IPv4_Address::/48 range. Note that 6to4 was deprecated by RFC 7526 (2015); the public anycast relays it depended on are unreliable, so treat it as a legacy mechanism for site-to-site use between known endpoints
IPv6 Automatic 6to4 Tunnels cont.

Configuration for R1 (1.1.1.1 in hex is 0101:0101, hence the 2002:0101:0101::/48 site prefix):

ipv6 unicast-routing
interface f0/0
 ip address 1.1.1.1 255.255.255.0
interface tunnel 12
 ipv6 address 2002:0101:0101:0::1/64
 tunnel source f0/0
 tunnel mode ipv6ip 6to4
ipv6 route 2002::/16 tunnel 12

There is no tunnel destination: the static route sends all 2002::/16 traffic into the tunnel and the IPv4 destination is derived per packet


IPv6 ISATAP Tunnels

Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) packets are tunneled inside IPv4 packets using protocol number 41

ISATAP characteristics:
Tunnel interfaces can use a normal /64 prefix; there is no need for 2002 at the beginning
The Interface ID is derived using another modified EUI-64 format: the first 32 bits are always the same and equal to 0000:5efe
The remaining 32 bits are taken from the IPv4 address of the tunnel source
For example, if the tunnel source points to 1.1.1.1, the Interface ID will be equal to 0000:5efe:0101:0101
Because the IPv4 tunnel destination is recovered from the low 32 bits of the IPv6 next-hop address, ISATAP is point-to-multipoint (NBMA), and static routes name the ISATAP address of the far router as the next hop

IPv6 ISATAP Tunnels cont.

Example ISATAP configuration:

interface loopback 0
 ip address 1.1.1.1 255.255.255.0

interface tunnel 12
 ipv6 address 2001:1111::/64 eui-64
 tunnel source loopback0
 tunnel mode ipv6ip isatap
ipv6 route 2001:DB8::/64 2001:1111::0:5efe:0202:0202

-- The tunnel's actual IPv6 address will be 2001:1111::0:5efe:0101:0101; the static route's next hop is the ISATAP address of the peer whose tunnel source is 2.2.2.2
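Both the 6to4 and the ISATAP address formats above embed the IPv4 tunnel endpoint in the IPv6 address, and the router recovers it per packet. The following Python is an added example, not part of the original course: it builds and parses both forms and applies the check the 6to4 slide calls for (the embedded IPv4 address must be public) before a packet would be tunneled. Only the standard ipaddress module is used; the *_tunnel_destination helper names are this example's own.

```python
"""6to4 and ISATAP address derivation (added example, not course material).

Builds the 2002:IPv4::/48 6to4 prefix and the ::0:5efe:IPv4 ISATAP
interface identifier from an IPv4 address, and does the reverse lookup a
tunnel router performs per packet: recover the IPv4 tunnel destination
from the IPv6 destination (6to4) or next hop (ISATAP).
"""
import ipaddress

SIXTO4_NET = ipaddress.IPv6Network("2002::/16")
# ISATAP IID high half: 0000:5efe as IOS uses it, or 0200:5efe when the
# u/l bit is set for a globally unique IPv4 address (RFC 5214)
ISATAP_IID_PREFIXES = (0x00005EFE, 0x02005EFE)


def sixto4_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """2002:IPv4_Address::/48 for a site; the IPv4 address must be public."""
    v4 = ipaddress.IPv4Address(ipv4)
    if not v4.is_global:
        raise ValueError(f"6to4 requires a globally routable IPv4 address, got {v4}")
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(v4) << 80), 48))


def sixto4_address(ipv4: str, subnet_id: int, interface_id: int) -> ipaddress.IPv6Address:
    """2002:IPv4_Address:Subnet_ID:Interface_ID"""
    base = int(sixto4_prefix(ipv4).network_address)
    return ipaddress.IPv6Address(base | (subnet_id << 64) | interface_id)


def sixto4_tunnel_destination(dst6: str) -> ipaddress.IPv4Address:
    """Per-packet IPv4 tunnel destination: bits 16..47 of a 2002::/16 destination.
    Refuses private/reserved space, which a 6to4 router must never tunnel to."""
    dst = ipaddress.IPv6Address(dst6)
    if dst not in SIXTO4_NET:
        raise ValueError(f"{dst} is not a 6to4 address")
    v4 = ipaddress.IPv4Address((int(dst) >> 80) & 0xFFFFFFFF)
    if not v4.is_global:
        raise ValueError(f"embedded IPv4 address {v4} is not globally routable")
    return v4


def isatap_interface_id(ipv4: str) -> int:
    """Modified EUI-64 used by ISATAP: 0000:5efe followed by the IPv4 address."""
    return (0x5EFE << 32) | int(ipaddress.IPv4Address(ipv4))


def isatap_address(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """Address a tunnel interface gets from `ipv6 address <prefix>/64 eui-64`."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP interfaces use a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | isatap_interface_id(ipv4))


def isatap_tunnel_destination(next_hop6: str) -> ipaddress.IPv4Address:
    """IPv4 tunnel destination recovered from an ISATAP next hop's interface ID."""
    nh = int(ipaddress.IPv6Address(next_hop6))
    iid = nh & ((1 << 64) - 1)
    if (iid >> 32) not in ISATAP_IID_PREFIXES:
        raise ValueError(f"{next_hop6} does not carry an ISATAP interface ID")
    return ipaddress.IPv4Address(iid & 0xFFFFFFFF)


if __name__ == "__main__":
    print(sixto4_prefix("1.1.1.1"), sixto4_address("1.1.1.1", 0, 1))
    print(sixto4_tunnel_destination("2002:0202:0202::1"))
    print(isatap_address("2001:1111::/64", "1.1.1.1"))
    print(isatap_tunnel_destination("2001:1111::0:5efe:0202:0202"))
```

The is_global checks are the point for a security reviewer: an attacker who can send a 6to4 packet whose destination embeds 10.0.0.1 is asking the router to tunnel into its own private network, and the router should refuse rather than forward.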


Configuration Verification
show interfaces tunnel - Displays tunnel interface information


3.05 Implement OSPF version 3 (OSPFv3)

OSPFv3

OSPFv3 is very similar to IPv4 OSPF (OSPFv2)

The differences are as follows:

OSPFv3 devices communicate over links and not subnets

OSPFv3 packets are sourced from link-local addresses. This keeps the topology information independent of the addressing in use, and it means an off-link attacker cannot source a valid OSPFv3 packet. The only exception are Virtual Links, where global IPv6 addresses are used


OSPFv3 cont.

The differences are as follows:

Flooding scope is explicitly defined within the LSAs: two bits of the LS type select link-local, area or AS-wide flooding

The OSPFv3 Router ID will not be automatically derived if there is no IPv4 address configured on the device. Remember that you can always set it manually using the router-id command

OSPFv3 cont.

The differences are as follows:

Neighboring routers on a given link are always identified by their Router ID (OSPFv2 uses the interface IP address on broadcast and NBMA links)

Multiple OSPFv3 instances are allowed per link (an Instance ID in the packet header; neighbors with different Instance IDs ignore each other)


OSPFv3 cont.

The differences are as follows:

Two LSA types have been renamed:
1. LSA Type 3 -> Inter-Area Prefix LSA
2. LSA Type 4 -> Inter-Area Router LSA

Two new LSA types were defined:
1. Link LSA (Type 8). Local to the link only, used to exchange link-local addresses and prefixes
2. Intra-Area Prefix LSA (Type 9). Carries the prefixes of routers and transit networks (addresses no longer live in the Router and Network LSAs)

Protocol authentication is provided by IPsec (RFC 4552), not by OSPF itself: AH for authentication or ESP for authentication plus encryption, with a manually configured SPI and key that must match on every router on the link. On IOS this is ipv6 ospf authentication ipsec spi ... per interface (or area ... authentication ipsec ... per area); the OSPFv3 header has no authentication field of its own

OSPFv3 Configuration

General Syntax
ipv6 ospf ...

Enabling OSPFv3 (per interface)
ipv6 ospf process_nr area area_nr [instance inst_id]

Frame Relay Mappings
frame-relay map ipv6 ipv6_addr dlci [broadcast]

On Frame Relay the map must also cover the neighbor's link-local address, since OSPFv3 hellos are sourced from it


Example OSPFv3 Configuration

ipv6 unicast-routing

ipv6 router ospf 1
 router-id 192.0.2.1
interface loopback 0
 ipv6 address 2001::/64 eui-64
 ipv6 ospf 1 area 1
 ipv6 ospf network point-to-point
interface f0/0
 ipv6 address 2001:1::1/64
 ipv6 ospf 1 area 0

The point-to-point network type on the loopback makes OSPFv3 advertise the configured /64 instead of a /128 host route

Configuration Verification
show ipv6 ospf neighbor - Displays OSPFv3 neighbor information
show ipv6 ospf interface - Displays OSPFv3 interface-related information
show ipv6 ospf database - Displays the OSPFv3 database
show ipv6 ospf border-routers - Displays internal OSPF routing table entries to ABRs and ASBRs
show ipv6 protocols - Displays parameters and current state of the active IPv6 routing protocols

3.06 Implement EIGRP version 6 (EIGRPv6)

EIGRPv6

EIGRPv6 is very similar to EIGRP for IPv4. The one difference that is not a configuration matter is that EIGRPv6 uses the neighbor's link-local address as the next hop

Configuration differences are as follows:

No more network command; use the ipv6 eigrp AS_nr interface statement to enable EIGRP
The EIGRP process is shut down by default. To activate it, use the no shutdown command under ipv6 router eigrp
If there is no IPv4 address configured on the device, the Router ID has to be defined manually using the eigrp router-id command
Whenever the passive-interface statement is used, the interface it refers to automatically starts participating in EIGRP (its prefix is advertised, but no hellos are sent or accepted on it)

EIGRPv6 cont.

Configuration differences are as follows:

There is no concept of classful routing within IPv6. Since networks cannot be automatically summarized, there is no need for the no auto-summary command
Route filtering is supported by the distribute-list prefix-list command; route-maps cannot be used, however
Authentication is performed in the same way as in IPv4 EIGRP (MD5 key chains). The slide expected Cisco to move it to IPsec; what actually followed was HMAC-SHA-256 authentication in named-mode EIGRP, so the MD5 key chain remains the classic-mode option


Example EIGRPv6 Configuration

ipv6 unicast-routing

interface loopback 100
 ipv6 address 3001:1:1:1::1/64
ipv6 router eigrp 10
 router-id 192.0.2.1
 no shutdown
 passive-interface loopback 100
interface f0/0
 ipv6 address 2001:1::/64 eui-64
 ipv6 eigrp 10
 ipv6 summary-address eigrp 10 3001:1:1::/62

The original slide made loopback 0 passive while the address sat on loopback 100; the interface names are aligned here. Loopback 100 needs no ipv6 eigrp 10 of its own because passive-interface already places it in the process, and the /62 summary on f0/0 covers 3001:1:1:1::/64

Configuration Verification
show ipv6 eigrp neighbors - Displays EIGRPv6 neighbor information
show ipv6 eigrp interfaces - Displays EIGRPv6 interface-related information
show ipv6 eigrp topology - Displays the EIGRPv6 topology database
show ipv6 protocols - Displays parameters and current state of the active IPv6 routing protocols


3.07 Implement filtering and route redistribution

IPv6 Route Filtering

Distribute lists in OSPFv3 and EIGRPv6 support only prefix lists

Configuration-wise it is the distribute-list prefix-list command

One unsupported feature is Type 3 LSA filtering: there is no area filter-list command in OSPFv3 (as of the IOS release this course was written for)


IPv6 Route Redistribution

The main difference in redistribution between IPv6 and IPv4 is that the source protocol's locally connected networks will NOT be advertised by default (step #2 of the IPv4 redistribution rules)

To change this behavior use the include-connected keyword of the redistribute command

The rest is pretty much the same as in IPv4; even the Administrative Distances did not change


Case Study

Two-way redistribution between EIGRPv6 and OSPFv3 is going to be performed here

Case Study - Solution

Redistribute OSPFv3 -> EIGRPv6
ipv6 router eigrp 1
 redistribute ospf 1 metric 1 1 1 1 1

Verify:
R4#sh ipv6 route eigrp
IPv6 Routing Table - Default - 9 entries
-- Output Omitted --
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
EX  2222:1:1::1/128 [170/2560002816]
     via FE80::211:93FF:FE69:AB1, FastEthernet0/0
EX  2222:1:2::1/128 [170/2560002816]
     via FE80::211:93FF:FE69:AB1, FastEthernet0/0

Case Study - Solution

Add the locally connected subnet:
ipv6 router eigrp 1
 redistribute ospf 1 metric 1 1 1 1 1 include-connected

Verify:
R4#sh ipv6 route eigrp
IPv6 Routing Table - Default - 10 entries
-- Output Omitted --
EX  2222:1:1::1/128 [170/2560002816]
     via FE80::211:93FF:FE69:AB1, FastEthernet0/0
EX  2222:1:2::1/128 [170/2560002816]
     via FE80::211:93FF:FE69:AB1, FastEthernet0/0
EX  3001:1212::/64 [170/2560002816]
     via FE80::211:93FF:FE69:AB1, FastEthernet0/0

Case Study - Solution

Redistribute EIGRPv6 -> OSPFv3. Only the Loopback 1 network should be redistributed, tagged with 90:
ipv6 prefix-list L1_PREF seq 5 permit 2222:4:1::/64
route-map RED_RMAP permit 10
 match ipv6 address prefix-list L1_PREF
 set tag 90
ipv6 router ospf 1
 redistribute eigrp 1 route-map RED_RMAP

The route-map's implicit deny does the filtering: any EIGRPv6 prefix other than 2222:4:1::/64 is not redistributed


Case Study - Solution

Verify:
R1#sh ipv6 route ospf
IPv6 Routing Table - Default - 8 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, M - MIPv6, R - RIP, I1 - ISIS L1
       I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
       EX - EIGRP external
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
OE2  2222:4:1::/64 [110/20], tag 90
     via FE80::211:93FF:FE69:AB0, FastEthernet0/0
R1#


End of Section 3.0

4.0 Implement MPLS Layer 3 VPNs

4.01 Implement Multiprotocol Label Switching (MPLS)

MPLS Basics
MPLS is a high-performance switching WAN technology

It operates at OSI Layer 2.5 (between Layer 2 and Layer 3)
The Layer 3 header is analyzed only once, at the entrance of the MPLS network
Further forwarding decisions are made based on so-called MPLS labels
Any protocol can be carried by MPLS, either L2 like Ethernet or L3 like IPv4/IPv6
Because a core LSR trusts the label and never inspects the payload, MPLS should be enabled only on interfaces facing other trusted LSRs, never towards a customer


MPLS Header Structure

(figure not reproduced: each label stack entry is 32 bits, inserted between the Layer 2 and Layer 3 headers, and consists of a 20-bit Label, a 3-bit Traffic Class field (formerly EXP), a 1-bit Bottom-of-Stack flag and an 8-bit TTL)

MPLS Terminology
Customer Edge (CE) device is customer-managed equipment

Provider Edge (PE) device is managed by the ISP. Also known as Edge Label Switch Router (edge LSR)
Provider (P) device is also managed by the ISP; this box is internal to the provider's network. Also known as LSR

MPLS Control Plane Basics

Before data packets are switched across the MPLS network, the MPLS devices have to know which labels correspond to which IP prefixes on the neighboring devices
Each MPLS-enabled device generates a label for every IGP-learned prefix
Labels are then advertised to the neighboring devices so they know which labels correspond to which prefixes on the adjacent routers
This way, if devices R1 and R2 are directly connected and R2 generated label X for prefix Z, then when R1 sends a packet destined to Z through R2, it will use X as the label
Label Distribution Protocol (LDP)

LDP simply advertises labels for each IGP-learned prefix listed in the IP routing table

What it basically says is: if you want to send packets to this subnet through me, send them to me with the MPLS label listed in the update I sent you

Labels are assigned starting on the edge device closest to the destination prefix (downstream allocation), and each LSR along the path binds its own local label to the prefix


LDP Details
LDP is a session-based protocol that uses both UDP and TCP

UDP is used for neighbor discovery and adjacency forming. Multicast Hello packets are sent to 224.0.0.2 (all routers) on UDP port 646
The LDP ID of a neighbor is learned from the first received Hello packet
On each device, if the mpls ldp router-id command has not been issued, the highest IP address of all loopback interfaces is used as the LDP ID. If there are no loopbacks configured, the highest IP address of all other interfaces is used
LDP Details cont.

The LDP ID is used as the destination IP of the LDP TCP session by default; watch out for loopbacks that are not reachable through the IGP
To change this IP address use the mpls ldp transport-address command

The TCP session uses port 646 and is used to exchange the labels between the neighbors. Anything that can reach TCP 646 could try to open a session and advertise bindings, so protect it with the per-neighbor TCP MD5 option (mpls ldp neighbor ip_addr password ...) and keep mpls ip off untrusted interfaces
Label entries are stored in the Label Information Base (LIB)
There can be multiple entries for the same prefix if there is more than one LDP neighbor

LFIB
Only the best label is used in the traffic forwarding process
The decision about which label is considered best is made by the underlying IGP: the label learned from the LDP neighbor that is the IGP next hop wins

The next-hop address learned from the IGP is looked up in the LDP neighbor table to find the corresponding LDP (MPLS) Router ID
The LDP Router ID allows the router to find the label advertised by that device for that particular prefix
This best label is then stored in a separate structure called the Label Forwarding Information Base (LFIB)
Populating LFIB Example Topology

(topology figure not reproduced; in the lookups that follow, R2 reaches 10.1.1.0/24 through R4 at 172.16.24.4, and R4 and R8 are R2's LDP neighbors)

Populating LFIB cont.

Next-Hop lookup:
R2#sh ip route | in 10.1.1.0
O        10.1.1.0 [110/4] via 172.16.24.4, 00:17:02, GigabitEthernet0/1.24

MPLS Router ID lookup:
R2#sh mpls ldp neighbor
    Peer LDP Ident: 4.4.4.4:0; Local LDP Ident 2.2.2.2:0
        TCP connection: 4.4.4.4.12712 - 2.2.2.2.646
        State: Oper; Msgs sent/rcvd: 63/62; Downstream
        Up time: 00:40:09
        LDP discovery sources:
          GigabitEthernet0/1.24, Src IP addr: 172.16.24.4
        Addresses bound to peer LDP Ident:
          172.16.24.4     172.16.46.4     4.4.4.4

Populating LFIB cont.

LIB lookup:
R2#sh mpls ldp bindings 10.1.1.0 24
  lib entry: 10.1.1.0/24, rev 28
        local binding:  label: 24
        remote binding: lsr: 8.8.8.8:0, label: 25
        remote binding: lsr: 4.4.4.4:0, label: 25

LFIB lookup (only the binding from 4.4.4.4, the IGP next hop, is installed):
R2#sh mpls forwarding-table 10.1.1.0 24
Local  Outgoing    Prefix           Bytes Label  Outgoing   Next Hop
Label  Label       or Tunnel Id     Switched     interface
24     25          10.1.1.0/24      0            Gi0/1.24   172.16.24.4


LDP Troubleshooting Note

Directly connected interfaces always get a label bound to the subnet configured on them, NOT to the prefix the IGP advertises
For example, in OSPF a /24 loopback interface is advertised as a /32 by default. Upstream LSRs then hold a /32 route but receive a binding for the /24, no label matches the route, and the LSP ends one hop early
Breaking a Label Switched Path like this may result in traffic black-holing: when that loopback is the BGP next hop of VPNv4 routes, the VPN label arrives at a router that cannot interpret it. Use a /32 mask or ip ospf network point-to-point on the loopback so the advertised prefix matches the connected one


MPLS Forwarding Plane

The MPLS packet forwarding paradigm can be divided into three steps:
1. Assigning labels on the edge (Push operation)
2. MPLS packet switching (Swap operation)
3. Removing labels on the edge (Pop operation)

The Push operation is also known as Label Imposition
The Pop operation is also known as Label Disposition
When a packet is received with a label that does not exist in the LFIB, the packet is dropped
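An added example that is not part of the course: encoding the 32-bit label entry described under MPLS Header Structure and walking a packet through the Push, Swap and Pop steps with small LFIBs. Label 25 on R2 and local label 24 on R6 come from the page's show output; R4's swap entry (25 to 24) and the next-hop names are assumed for the walk. The reserved label 3 (implicit-null) is handled the way an LSR handles it, popping instead of swapping, which is the Penultimate Hop Popping behaviour discussed later under MPLS VPNs.

```python
"""MPLS label entry encoding and a Push/Swap/Pop walk along an LSP.

Added example, not course material. Label entry layout (RFC 3032):
20-bit Label | 3-bit TC | 1-bit S (bottom of stack) | 8-bit TTL.
Labels 25 (R2's outgoing label) and 24 (R6's local label) come from the
page's show output; R4's swap entry and the next-hop names are assumed.
"""
import struct

IMPLICIT_NULL = 3   # reserved label: the upstream LSR pops instead of swapping (PHP)


def encode_label(label: int, tc: int = 0, bottom: bool = True, ttl: int = 64) -> bytes:
    """One 32-bit label stack entry, network byte order."""
    if not (0 <= label < 1 << 20 and 0 <= tc < 8 and 0 <= ttl < 256):
        raise ValueError("label entry field out of range")
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bottom) << 8) | ttl)


def decode_label(entry: bytes) -> dict:
    (word,) = struct.unpack("!I", entry[:4])
    return {"label": word >> 12, "tc": (word >> 9) & 0x7,
            "bottom": bool((word >> 8) & 1), "ttl": word & 0xFF}


def parse_stack(packet: bytes):
    """Split a labeled packet into (list of entries, payload) using the S bit."""
    entries, offset = [], 0
    while True:
        entry = decode_label(packet[offset:offset + 4])
        entries.append(entry)
        offset += 4
        if entry["bottom"]:
            return entries, packet[offset:]


def build_stack(labels, payload: bytes, ttl: int = 64) -> bytes:
    """Impose labels top-first; only the last entry carries the S bit."""
    last = len(labels) - 1
    return b"".join(encode_label(lbl, bottom=(i == last), ttl=ttl)
                    for i, lbl in enumerate(labels)) + payload


# LFIB per LSR: incoming label -> (action, outgoing label, next hop).
# R2 is the ingress and uses its FIB (push); R4 swaps; R6 pops (label disposition).
LFIB = {
    "R4": {25: ("swap", 24, "R6")},   # assumed: R4 swaps R2's label for R6's local label
    "R6": {24: ("pop", None, "R7")},  # page: "24  No Label  10.1.1.0/24 ... Fa0/1 172.16.67.7"
}
FIB_R2 = {"10.1.1.0/24": (25, "R4")}  # page: nexthop 172.16.24.4 ... label 25


def lsr_forward(router: str, packet: bytes, lfib=LFIB):
    """Swap or pop the top label per the LFIB and decrement TTL.
    Returns (remaining label stack, outgoing packet, next hop) or None when dropped."""
    entries, payload = parse_stack(packet)
    top = entries[0]
    entry = lfib[router].get(top["label"])
    if entry is None:                 # unknown label: the LSR drops the packet
        return None
    action, out_label, next_hop = entry
    ttl = top["ttl"] - 1
    if ttl <= 0:
        return None
    inner = [e["label"] for e in entries[1:]]
    if action == "swap" and out_label != IMPLICIT_NULL:
        stack = [out_label] + inner
    else:                             # explicit pop, or swap to implicit-null (PHP)
        stack = inner
    packet_out = build_stack(stack, payload, ttl) if stack else payload
    return stack, packet_out, next_hop


def walk_lsp(ip_packet: bytes, prefix: str = "10.1.1.0/24", lfib=LFIB):
    """Push at R2, then follow the LSP; returns ([(router, stack after it)], final packet)."""
    label, next_hop = FIB_R2[prefix]
    packet = build_stack([label], ip_packet)          # label imposition at the ingress PE
    trace = [("R2", [label])]
    router = next_hop
    while router in lfib:
        result = lsr_forward(router, packet, lfib)
        if result is None:
            trace.append((router, None))
            return trace, None
        stack, packet, next_hop = result
        trace.append((router, stack))
        if not stack:                                 # plain IP leaves the MPLS domain
            break
        router = next_hop
    return trace, packet


if __name__ == "__main__":
    ip = bytes.fromhex("4500001400000000400100000a0101010a010102")  # constructed IPv4 header
    print(walk_lsp(ip))
```

The walk shows why the earlier note about enabling MPLS only on trusted interfaces matters: nothing in lsr_forward looks past the label, so whoever can inject a packet with label 25 towards R4 reaches 10.1.1.0/24 regardless of any IP access list on R2.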


CEF
Cisco Express Forwarding (CEF) is an advanced switching technology. It consists of two key components:
1. Forwarding Information Base (FIB)
2. Adjacency Table
The FIB contains all IP routes from the RIB, their next hops, outgoing interfaces and a reference to the Adjacency Table. This information is stored in a special memory structure that allows for optimized lookups

The Adjacency Table contains pre-built Layer 2 headers

CEF allows for very efficient, high-speed packet forwarding


MPLS Forwarding Plane cont.

CEF lookup on ingress Router 2:
R2#sh ip cef 10.1.1.0/24
10.1.1.0/24
  nexthop 172.16.24.4 GigabitEthernet0/1.24 label 25

CEF & LFIB lookup on egress Router 6:
R6(config)#do sh ip cef 10.1.1.0
10.1.1.0/24
  nexthop 172.16.67.7 FastEthernet0/1
R6#sh mpls forwarding-table 10.1.1.0 24
Local  Outgoing    Prefix           Bytes Label  Outgoing   Next Hop
Label  Label       or Tunnel Id     Switched     interface
24     No Label    10.1.1.0/24      1812         Fa0/1      172.16.67.7

MPLS Configuration

Enable CEF
ip cef

Enable MPLS Globally
mpls ip

Enable LDP
mpls label protocol ldp

Enable MPLS Per-Interface
mpls ip

Apply the per-interface mpls ip only on core-facing interfaces; a customer-facing interface with mpls ip accepts labeled packets and LDP hellos from the customer


Configuration Verification
show mpls ldp discovery - Displays status of LDP discovery
show mpls ldp neighbor - Displays status of an LDP session
show mpls ldp bindings - Displays the contents of the LIB
show mpls forwarding-table - Displays the contents of the LFIB
show ip cef - Displays CEF FIB entries


4.02 Implement Virtual Routing and Forwarding (VRF) and Multi-VRF Customer Edge (VRF-Lite)

VRF Basics
Virtual Routing and Forwarding (VRF) is simply a separate (virtual) routing table on a device
VRFs are used with MPLS VPNs
VRF-Lite, also known as Multi-VRF CE, is a feature that does not use MPLS at all


VRF-Lite
There are several methods that can be used to segment traffic at Layer 3:
Separate physical devices
Access lists
Route filtering
Policy routing
NAT
The aforementioned solutions do not scale well (cost, administrative burden) and, except for separate devices, they leave one shared routing table in which a single mistake exposes everything
VRF-Lite can be used to overcome those limitations


VRF-Lite cont.
Each VRF consists of:
A separate routing table
A separate CEF FIB and Adjacency Table
A set of interfaces using this particular virtual routing table only
Packets entering a VRF-assigned interface can only follow routes and exit through interfaces listed in that specific VRF
Multiple technologies can be used to extend VRFs between devices (e.g. Frame Relay DLCIs, 802.1Q VLANs, MPLS, IPsec tunnels), since VRFs are only locally significant
VRF configuration should be consistent end to end: an interface placed in the wrong VRF, or a static route pointing into the global table, is all it takes to leak traffic across the boundary

VRF-Lite Configuration

VRF Instance
ip vrf vrf_name

Assigning an Interface
ip vrf forwarding vrf_name

Remember that whenever a command is going to refer to a VRF, it must have the vrf keyword included somewhere in its syntax. Assigning an interface to a VRF also removes its IP address, so re-enter it afterwards


VRF-Aware Routing Configuration

Static Route
ip route vrf vrf_name IP_addr mask NH [global]
ip route vrf VRF_100 192.0.2.0 255.255.255.0 10.1.1.1

The global keyword resolves the next hop in the global routing table, which is a deliberate route leak; use it only where that is intended

RIP, EIGRP, BGP
address-family ipv4 vrf vrf_name

EIGRP
autonomous-system AS_NR
router eigrp 100
 address-family ipv4 vrf VRF_100
  autonomous-system 100

VRF-Aware Routing Configuration

BGP
neighbor IP_addr activate
router bgp 65000
 no synchronization
 no auto-summary
 address-family ipv4 vrf VRF_100
  neighbor 192.0.2.1 remote-as 65100
  neighbor 192.0.2.1 activate

OSPF
router ospf proc_nr vrf vrf_name
router ospf 1 vrf VRF1



Configuration Verification
show ip vrf [interfaces] - Displays VRF instances and interfaces
show ip route vrf [*] - Displays the routing table associated with a VRF
show ip ospf proc_nr - Displays VRF-aware OSPF configuration
show ip eigrp vrf - Displays VRF-aware EIGRP configuration
show ip protocols vrf - Displays routing protocol information associated with a VRF

Case Study

The goal is to achieve reachability between the sites, keeping the networks in their respective VRFs

Case Study - Solution

ip vrf VRF_CUSTOMERS
ip vrf VRF_INTERNAL
interface Loopback1
 ip vrf forwarding VRF_CUSTOMERS
 ip address 192.168.10.1 255.255.255.0
interface Loopback2
 ip vrf forwarding VRF_INTERNAL
 ip address 192.168.20.1 255.255.255.0
interface FastEthernet0/0
 ip vrf forwarding VRF_CUSTOMERS
 ip address 172.16.12.1 255.255.255.0

Case Study - Solution

interface FastEthernet0/1
 ip vrf forwarding VRF_INTERNAL
 ip address 172.16.120.1 255.255.255.0
router eigrp 100
 address-family ipv4 vrf VRF_INTERNAL
  network 172.16.120.1 0.0.0.0
  network 192.168.20.1 0.0.0.0
  no auto-summary
  autonomous-system 100
router ospf 1 vrf VRF_CUSTOMERS
 log-adjacency-changes
 network 172.16.12.1 0.0.0.0 area 0
 network 192.168.10.1 0.0.0.0 area 0

Case Study - Solution

R1(config)#do sh ip vrf int
Interface      IP-Address      VRF              Protocol
Lo1            192.168.10.1    VRF_CUSTOMERS    up
Fa0/0          172.16.12.1     VRF_CUSTOMERS    up
Lo2            192.168.20.1    VRF_INTERNAL     up
Fa0/1          172.16.120.1    VRF_INTERNAL     up
R2(config)#do sh ip vrf
Name              Default RD      Interfaces
VRF_CUSTOMERS     <not set>       Lo1
                                  Gi0/0
VRF_INTERNAL      <not set>       Lo2
                                  Gi0/1

Case Study - Solution

R2#sh ip route vrf VRF_CUSTOMERS ospf

Routing Table: VRF_CUSTOMERS
     192.168.10.0/32 is subnetted, 1 subnets
O       192.168.10.1 [110/2] via 172.16.12.1, 00:05:02, GigabitEthernet0/0
R2#sh ip route vrf VRF_INTERNAL eigrp
D    192.168.20.0/24 [90/156160] via 172.16.120.1, 00:00:35, GigabitEthernet0/1


Case Study - Solution

R2#ping vrf VRF_CUSTOMERS 192.168.10.1 so loop1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R2#ping vrf VRF_INTERNAL 192.168.20.1 so loop2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Case Study - Solution

R2#sh ip route vrf VRF_INTERNAL | be Gateway
Gateway of last resort is not set
C    192.168.120.0/24 is directly connected, Loopback2
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.120.0 is directly connected, GigabitEthernet0/1
D    192.168.20.0/24 [90/156160] via 172.16.120.1, 00:02:04, GigabitEthernet0/1

R2#ping vrf VRF_INTERNAL 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

The failed ping is the desired result: VRF_INTERNAL has no route to 192.168.10.1, which exists only in VRF_CUSTOMERS, so the two tables stay isolated on the same box

4.03 Implement Layer 3 Virtual Private Networks (VPNs) on Provider Edge (PE), Provider (P), and Customer Edge (CE) routers

MPLS VPNs

MPLS VPN is a feature that allows several sites of one customer to interconnect transparently through a service provider's network, effectively making those sites part of one private network

Customer routes are not advertised into the ISP's IGP, since they could overlap between customers

VRFs are used to keep the customer routes separated

BGP (actually MP-BGP) is used to carry the routing information between ingress and egress PE routers

"Private" here means route and forwarding separation, not confidentiality: packets cross the provider core unencrypted, so a customer that needs confidentiality from the provider still runs IPsec over the VPN


MPLS VPN Control Plane - PE-PE

MP-BGP (Multi-Protocol BGP) allows the existing prefixes to be re-defined by adding an additional field in front of them, making the prefixes unique

The address family used in MPLS VPNs is VPNv4 (AFI 1, SAFI 128); the field that makes each prefix unique is the Route Distinguisher (RD)

The Route Distinguisher is used to make each customer prefix unique. The RD is a 64-bit value prepended to an IPv4 prefix, which results in a 96-bit NLRI called a VPNv4 route. The typical RD format is ASN:NN, where NN is the VRF number:
65000:1:10.1.1.0/24
65000:2:10.1.1.0/24

MPLS VPN Control Plane - PE-PE

Route Distinguishers are configured per VRF

Customer routes are then redistributed into MP-BGP from their respective VRFs, populating the MP-BGP table with VPNv4 routes

Since the same customer may use different RDs for its different sites, Route Distinguishers cannot be used to determine which VPN a prefix belongs to. Route Distinguishers must still be unique among customers, though

Route Targets (RTs) are used to indicate which VPN a prefix belongs to

MPLS VPN Control Plane - PE-PE

A Route Target is a BGP extended community

The Export RT is used to mark a prefix when it is redistributed from a VRF into MP-BGP (before it is sent to an iBGP peer)

The Import RT is used when a route is received from an iBGP peer: only the prefixes carrying a VRF's Import RT are installed into that VRF

If more than one Export RT was configured for a prefix, it can then be imported by VRFs in more than one VPN (Overlapping VPNs)

Because the import filter is the only thing separating customers, a typo in a route-target import (or an RT reused across two customers) merges their routing tables; review RT assignments as carefully as firewall rules
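An added example, not from the course, showing the RD and RT mechanics in code: it encodes a Type 0 RD (ASN:NN) and an RT extended community in their wire formats, builds the 96-bit VPNv4 NLRI, and applies the import rule described above to a constructed VPNv4 table. The VRF names CUST1/CUST2 and their RTs 1:1 and 2:2 follow the case study later in this section; the shared-services route with two export RTs and the second CUST1 site with RD 65000:11 are assumptions made to show overlapping VPNs and why the RD does not identify the VPN.

```python
"""VPNv4 NLRI and Route-Target import, as seen on a PE (added example, not course material).

Wire formats follow RFC 4364 (Type 0 RD = 2-byte type, 2-byte ASN, 4-byte
number) and RFC 4360 (RT = extended community type 0x00, sub-type 0x02).
The import rule is the one the slides describe: a VPNv4 route enters a VRF
when any of its RTs matches one of the VRF's import RTs. The sample table
is constructed; the shared-services route and the second CUST1 site are
assumptions added to show overlapping VPNs.
"""
import ipaddress
import struct


def encode_rd(rd: str) -> bytes:
    """ASN:NN -> 8-byte Type 0 Route Distinguisher."""
    asn, nn = (int(part) for part in rd.split(":"))
    return struct.pack("!HHI", 0, asn, nn)


def decode_rd(raw: bytes) -> str:
    rd_type, asn, nn = struct.unpack("!HHI", raw[:8])
    if rd_type != 0:
        raise ValueError(f"unsupported RD type {rd_type}")
    return f"{asn}:{nn}"


def vpnv4_nlri(rd: str, prefix: str) -> bytes:
    """RD (64 bits) + IPv4 network bits: the 96-bit key that keeps
    65000:1:10.1.1.0/24 and 65000:2:10.1.1.0/24 apart in the BGP table."""
    net = ipaddress.IPv4Network(prefix)
    return encode_rd(rd) + net.network_address.packed


def encode_rt(rt: str) -> bytes:
    """ASN:NN -> 8-byte Route Target extended community (two-octet AS specific)."""
    asn, nn = (int(part) for part in rt.split(":"))
    return struct.pack("!BBHI", 0x00, 0x02, asn, nn)


def decode_rt(raw: bytes) -> str:
    etype, subtype, asn, nn = struct.unpack("!BBHI", raw[:8])
    if (etype, subtype) != (0x00, 0x02):
        raise ValueError("not a two-octet-AS Route Target")
    return f"{asn}:{nn}"


def import_into_vrfs(vpnv4_table, vrfs):
    """vpnv4_table: list of dicts with rd, prefix, rts (set of 'ASN:NN');
    vrfs: name -> set of import RTs. Returns name -> sorted imported prefixes."""
    imported = {name: [] for name in vrfs}
    for route in vpnv4_table:
        for name, import_rts in vrfs.items():
            if route["rts"] & import_rts:          # any matching RT admits the route
                imported[name].append(route["prefix"])
    return {name: sorted(prefixes) for name, prefixes in imported.items()}


# Constructed VPNv4 table as a receiving PE would hold it after MP-BGP updates.
SAMPLE_TABLE = [
    {"rd": "65000:1",  "prefix": "10.1.1.0/24",  "rts": {"1:1"}},         # CUST1 site A
    {"rd": "65000:11", "prefix": "10.2.2.0/24",  "rts": {"1:1"}},         # CUST1 site B, other RD (assumed)
    {"rd": "65000:2",  "prefix": "10.1.1.0/24",  "rts": {"2:2"}},         # CUST2, overlapping address space
    {"rd": "65000:3",  "prefix": "192.0.2.0/24", "rts": {"1:1", "2:2"}},  # shared services, two export RTs (assumed)
]
VRFS = {"CUST1": {"1:1"}, "CUST2": {"2:2"}}


def demo():
    """Run the import over the constructed table."""
    return import_into_vrfs(SAMPLE_TABLE, VRFS)


if __name__ == "__main__":
    print(vpnv4_nlri("65000:1", "10.1.1.0/24").hex(), vpnv4_nlri("65000:2", "10.1.1.0/24").hex())
    print(demo())
```

Two things to read off the result: the overlapping 10.1.1.0/24 prefixes never collide because their NLRIs differ in the RD, and the 65000:11 site lands in CUST1 purely on the strength of its RT, which is why an RT typo, not an RD typo, is what merges customers.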


MPLS VPN Forwarding Plane

Each MPLS VPN data packet carries TWO labels

The outer (transport) label is used to move the packet across the MPLS network

The transport label corresponds to the destination route's next-hop IP address, which was learned through the MP-BGP session, meaning the loopback of one of the PE devices

The inner (VPN) label is used by the egress PE to select the proper VRF

Penultimate Hop Popping (PHP) causes the second-to-last router to pop the outer label, so that the ultimate hop receives a packet that has only the VPN label on the stack. This behavior is triggered by the egress PE advertising an Implicit-Null label (value 3) for its own loopback

MPLS VPN Configuration - CE

Standard configuration, nothing MPLS-specific on the CE

OSPF example:
router ospf 1
 network 192.168.1.1 0.0.0.0 area 0
 network 172.16.12.1 0.0.0.0 area 0


MPLS VPN Configuration - PE-CE

VRFs
ip vrf vrf_name
 rd rd_value
 route-target import|export|both rt_value
interface if_name
 ip vrf forwarding vrf_name

ip vrf CUST-1
 rd 1:1
 route-target import 1:10
 route-target export 1:10

VRF-aware IGP example (OSPF):
router ospf 1 vrf CUST-1
 network 172.16.12.2 0.0.0.0 area 0


MPLS VPN Configuration - PE-PE

BGP
neighbor IP_addr remote-as as_nr
neighbor IP_addr update-source if_name

MP-BGP (VPNv4)
address-family vpnv4
 neighbor IP_addr activate
 neighbor IP_addr send-community extended

router bgp 65000
 neighbor 5.5.5.5 remote-as 65000
 neighbor 5.5.5.5 update-source loopback0
 address-family vpnv4
  neighbor 5.5.5.5 activate
  neighbor 5.5.5.5 send-community extended

Route Targets are extended communities, so send-community extended (or both) is what the VPNv4 session needs; IOS adds it automatically when a neighbor is activated under address-family vpnv4, which is why the original slide's plain send-community still worked

MPLS VPN Configuration - MPLS VPN

VRF -> MP-BGP
address-family ipv4 vrf vrf_name
 redistribute protocol
router bgp 65000
 address-family ipv4 vrf CUST-1
  redistribute ospf 1 vrf CUST-1

MP-BGP -> VRF
router protocol
 redistribute bgp AS_nr subnets
router ospf 1 vrf CUST-1
 redistribute bgp 65000 subnets

Configuration Verification
show mpls ldp bindings - Displays the contents of the LIB
show mpls forwarding-table - Displays the contents of the LFIB
show ip bgp summary - Displays the BGP session status
show bgp vpnv4 unicast vrf|all [labels] - Displays the MP-BGP VPNv4 information
show ip route vrf [*] - Displays the RIB for a particular VRF
show ip cef [vrf] - Displays CEF FIB entries

Case Study

Ensure connectivity between different sites of the same customer

Case Study - Solution

ip vrf CUST1
 rd 65000:1
 route-target export 1:1
 route-target import 1:1
ip vrf CUST2
 rd 65000:2
 route-target both 2:2
interface GigabitEthernet0/0.12
 ip vrf forwarding CUST2
 ip address 172.16.12.2 255.255.255.0
interface GigabitEthernet0/0.92
 ip vrf forwarding CUST1
 ip address 172.16.92.2 255.255.255.0

Case Study - Solution

router ospf 2 vrf CUST2
 log-adjacency-changes
 network 172.16.12.2 0.0.0.0 area 0
router eigrp 65000
 auto-summary
 address-family ipv4 vrf CUST1
  network 172.16.92.2 0.0.0.0
  no auto-summary
  autonomous-system 1


Case Study - Solution

R2#sh ip route ospf 2
Routing Table: CUST2
     10.0.0.0/24 is subnetted, 1 subnets
O       10.1.1.0 [110/2] via 172.16.12.1, 00:00:00, GigabitEthernet0/0.12

R2#sh ip route vrf CUST1 eigrp
     10.0.0.0/24 is subnetted, 1 subnets
D       10.2.2.0 [90/130816] via 172.16.92.9, 00:05:54, GigabitEthernet0/0.92


Case Study - Solution

router bgp 65000
 no auto-summary
 no synchronization
 neighbor 6.6.6.6 remote-as 65000
 neighbor 6.6.6.6 update-source Loopback0
 address-family vpnv4
  neighbor 6.6.6.6 activate
  neighbor 6.6.6.6 send-community both


Case Study - Solution

R2#sh ip bgp summary
BGP router identifier 2.2.2.2, local AS number 65000
BGP table version is 1, main routing table version 1
Neighbor   V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
6.6.6.6    4 65000       5       6        1    0    0 00:01:56        0

Redistribute IGP into MP-BGP:
address-family ipv4 vrf CUST2
 redistribute ospf 2 vrf CUST2
address-family ipv4 vrf CUST1
 redistribute eigrp 1 metric 100


Case Study - Solution

R2#sh bgp vpnv4 unicast all labels
   Network          Next Hop      In label/Out label
Route Distinguisher: 65000:1 (CUST1)
   10.2.2.0/24      172.16.92.9   22/nolabel
   172.16.92.0/24   0.0.0.0       21/nolabel(CUST1)
Route Distinguisher: 65000:2 (CUST2)
   10.1.1.0/24      172.16.12.1   20/nolabel
   172.16.12.0/24   0.0.0.0       19/nolabel(CUST2)


Case Study - Solution


R2#sh bgp vpnv4 unicast all
BGP table version is 18, local router ID is 2.2.2.2
...
   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 65000:1 (default for vrf CUST1)
*> 10.2.2.0/24      172.16.92.9            100         32768 ?
*>i10.3.3.0/24      6.6.6.6                200    100      0 ?
*>i172.16.68.0/24   6.6.6.6                  0    100      0 ?
*> 172.16.92.0/24   0.0.0.0                  0         32768 ?
Route Distinguisher: 65000:2 (default for vrf CUST2)
*> 10.1.1.0/24      172.16.12.1              2         32768 ?
*>i10.3.3.0/24      6.6.6.6                  2    100      0 ?
*> 172.16.12.0/24   0.0.0.0                  0         32768 ?
*>i172.16.67.0/24   6.6.6.6                  0    100      0 ?


Case Study - Solution


router ospf 2 vrf CUST2
 redistribute bgp 65000 subnets
router eigrp 65000
 address-family ipv4 vrf CUST1
  redistribute bgp 65000 metric 1 1 1 1 1


Case Study - Solution


R1#sh ip ro ospf
     172.16.0.0/24 is subnetted, 2 subnets
O IA    172.16.67.0 [110/2] via 172.16.12.2, 00:00:25, FastEthernet0/0
     10.0.0.0/24 is subnetted, 2 subnets
O IA    10.3.3.0 [110/3] via 172.16.12.2, 00:00:25, FastEthernet0/0

R9#sh ip ro eigrp
     172.16.0.0/24 is subnetted, 2 subnets
D       172.16.68.0 [90/30720] via 172.16.92.2, 00:00:16, FastEthernet0/0
     10.0.0.0/24 is subnetted, 2 subnets
D       10.3.3.0 [90/158720] via 172.16.92.2, 00:00:16, FastEthernet0/0


Case Study - Solution


R2 CEF lookup :
R2#sh ip cef vrf CUST2 10.3.3.8
10.3.3.0/24
  nexthop 172.16.24.4 GigabitEthernet0/1 label 18 20

Transport label lookup :
R2#sh ip ro vrf CUST2 | in 10.3.3.0
B       10.3.3.0 [200/2] via 6.6.6.6, 01:30:11
R2#sh mpls ldp binding 6.6.6.6 32
  lib entry: 6.6.6.6/32, rev 15
        local binding:  label: 18
        remote binding: lsr: 172.16.45.4:0, label: 18


Case Study - Solution


R4's verification outputs :
R4#
MPLS les: Fa0/0: rx: Len 122 Stack {18 0 254} {20 0 254} - ipv4 data
MPLS les: Fa0/1: tx: Len 122 Stack {18 0 253} {20 0 254} - ipv4 data

R4#sh mpls forwarding 6.6.6.6
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
18         18         6.6.6.6/32       41404         Fa0/1      172.16.45.5


Case Study - Solution


R5's verification outputs :
R5#sh mpls forwarding 6.6.6.6
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
18         Pop Label  6.6.6.6/32       19820         Fa0/1      172.16.56.6

R5#
MPLS les: Fa0/0: rx: Len 122 Stack {18 0 253} {20 0 254} - ipv4 data
MPLS les: Fa0/1: tx: Len 118 Stack {20 0 252} - ipv4 data


Case Study - Solution


R6's verification output :
R6#sh mpls forwarding labels 20
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
20         No Label   10.3.3.0/24[V]   6726          Fa0/0.67   172.16.67.7

Final ping from R1 :
R1#ping 10.3.3.7 rep 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.3.3.7, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 4/4/4 ms
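The per-hop outputs above can be replayed as a small label-stack model. The following Python is an added example, not part of the original case study: the LFIB entries (labels, interfaces, next hops) are copied from the show and debug output on these slides, while the TTL handling assumes the uniform model (TTL decremented once per hop and, on a pop, copied from the outer label into the next header).

```python
# Added example: replay of the label operations shown in the case study
# outputs. LFIB contents are copied from the slides; everything else
# (TTL handling, data layout) is a constructed model, not router code.
PUSH, SWAP, POP = "push", "swap", "pop"

# Per-router entries: key -> (action, outgoing labels, out interface, next hop).
# R2 (ingress PE) keys on (vrf, prefix); P and egress routers key on the top label.
LFIB = {
    "R2": {("CUST2", "10.3.3.0/24"): (PUSH, [18, 20], "GigabitEthernet0/1", "172.16.24.4")},
    "R4": {18: (SWAP, [18], "Fa0/1", "172.16.45.5")},      # transport label swap 18 -> 18
    "R5": {18: (POP, [], "Fa0/1", "172.16.56.6")},         # "Pop Label": penultimate hop
    "R6": {20: (POP, [], "Fa0/0.67", "172.16.67.7")},      # "No Label": VPN label removed
}
PATH = ["R2", "R4", "R5", "R6"]


def forward(router, stack, ip_ttl, vrf=None, prefix=None):
    """Apply one router's LFIB to a packet.

    stack: list of (label, ttl) with the top of stack first.
    Returns (new_stack, new_ip_ttl, out_interface, next_hop).
    Uniform TTL model (assumption): the TTL is decremented once per hop and,
    on a pop, the outer label's TTL is copied into the next header.
    """
    table = LFIB[router]
    if not stack:                           # unlabelled packet: VRF lookup on the PE
        action, labels, iface, nh = table[(vrf, prefix)]
        if action != PUSH:
            raise ValueError(f"{router}: expected a push for {vrf} {prefix}")
        ip_ttl -= 1                         # IP TTL decremented, then copied into
        return [(l, ip_ttl) for l in labels], ip_ttl, iface, nh   # both labels
    top, ttl = stack[0]
    action, labels, iface, nh = table[top]
    ttl -= 1
    if action == SWAP:
        new_stack = [(labels[0], ttl)] + stack[1:]
    elif action == POP:
        new_stack = stack[1:]
        if new_stack:                       # PHP: TTL propagates to the VPN label
            new_stack[0] = (new_stack[0][0], ttl)
        else:                               # egress PE: TTL goes back into the IP header
            ip_ttl = ttl
    else:
        raise ValueError(f"{router}: unexpected action {action} for label {top}")
    return new_stack, ip_ttl, iface, nh


def trace(ip_ttl=255):
    """Walk a CUST2 packet for 10.3.3.0/24 from R2 to R6.

    Returns {router: (transmitted stack, ip_ttl, out_interface, next_hop)};
    e.g. R4 transmits [(18, 253), (20, 254)], matching the debug line above.
    """
    stack, result = [], {}
    for router in PATH:
        stack, ip_ttl, iface, nh = forward(router, stack, ip_ttl, "CUST2", "10.3.3.0/24")
        result[router] = (list(stack), ip_ttl, iface, nh)
    return result


if __name__ == "__main__":
    for router, (stack, ttl, iface, nh) in trace().items():
        labels = " ".join(f"{{{l} {t}}}" for l, t in stack) or "(no labels)"
        print(f"{router}: tx {labels} via {iface} -> {nh}, IP TTL {ttl}")
```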


End of Section 4.0

IPexperts CCIE R&S Written VoD Series
5.0 Implement IP Multicast


5.00 IP Multicast Introduction


IP Multicast Introduction
How would you deliver a 1Mbps video stream to five PCs?
- Unicast transmission takes 5 x 1Mbps = 5Mbps
- Broadcasts are not forwarded by routers by default, and every device in the local network would have to process the frame
- Multicast would work best. Multicast is a UDP-based one-to-many transmission technology: multicast packets are forwarded only to the devices that joined a particular multicast group
- Multicast applications use a multicast IP address (class D) as the destination; a multicast address can never be a source

Multicast Groups
We have got two types of multicast groups :
1. Special Usage
2. Transient
Special Usage groups can be further subdivided into the following ranges :
Permanent ranges :
- 224.0.0.0/24 (TTL set to 1), e.g. OSPF 224.0.0.5/6
- 224.0.1.0/24 (can be forwarded), e.g. Auto-RP
Non-permanent ranges :
- 232.0.0.0/8 (Source-Specific Multicast)
- 233.0.0.0/8 (GLOP range)
- 239.0.0.0/8 (Private range)

Multicast L2 Address Calculation
- Whenever an IP multicast address is assigned to an application, a corresponding L2 multicast address is derived
- The NIC will then listen to two MACs instead of just the BIA
- Every Layer 2 multicast MAC starts with 01.00.5E and the 25th bit is set to 0
- Since only 23 bits are available in the multicast MAC, there will be 2^5 = 32 addresses that overlap (the initial class D marker 1110 does not count, it is always the same)
- The remaining part of the multicast MAC address is copied from the IP address (last 23 bits)

Multicast MAC Address Example
- Our IP address is 225.192.4.9, which can be written in binary as :
  11100001.11000000.00000100.00001001
  1110          - Class D marker
  next 5 bits   - Overlap (not copied)
  last 23 bits  - Part that is copied into the multicast MAC
- Multicast MAC : 0100.5e40.0409
- An overlapping IP could be for example 234.64.4.9 :
  11101010.01000000.00000100.00001001
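The calculation on this and the previous slide, as an added example in Python (not from the original course material): it derives the MAC from a class D address and enumerates the 32 groups that collide on the same MAC, which is why a host must still filter on the IP destination.

```python
# Added example: IPv4 multicast address -> Ethernet multicast MAC, and the
# 32 class D addresses that share one MAC. Not from the original slides.
import ipaddress

MCAST_OUI = 0x01005E000000     # 01:00:5e with bit 25 (the OUI's low bit) set to 0
LOW23 = 0x7FFFFF               # the 23 low-order bits that are copied from the IP


def multicast_mac(group: str) -> str:
    """Return the L2 multicast MAC (Cisco dotted notation) for a class D address.

    Only the last 23 bits of the IP address are copied; the 4-bit 1110 class D
    marker and the following 5 bits are dropped.
    """
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not a class D (multicast) address")
    mac = MCAST_OUI | (int(addr) & LOW23)
    h = f"{mac:012x}"
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def overlapping_groups(group: str) -> list[str]:
    """All 2^5 = 32 class D addresses that map to the same MAC as `group`."""
    low = int(ipaddress.IPv4Address(group)) & LOW23
    # 0xE0000000 is the 1110 marker; the 5 ignored bits sit at positions 23..27
    return [str(ipaddress.IPv4Address(0xE0000000 | (i << 23) | low)) for i in range(32)]


def shares_mac(a: str, b: str) -> bool:
    """True when two groups collide on the wire: a NIC listening for one
    also receives frames sent to the other and must filter at L3."""
    return multicast_mac(a) == multicast_mac(b)


if __name__ == "__main__":
    print("225.192.4.9 ->", multicast_mac("225.192.4.9"))
    print("groups sharing that MAC:", ", ".join(overlapping_groups("225.192.4.9")))
```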

IGMP
- Internet Group Management Protocol (IGMP) works between a router and a multicast client
- IGMP is used to inform local multicast routers that a host wants to receive multicast traffic for a specific group (or that it no longer wants to receive it)
- Routers send periodic Host Membership Query messages to see if there are any hosts interested in multicast traffic
- On multiaccess segments only one router is responsible for sending the Queries; this device is known as the IGMP Designated Querier (elected based on the lowest IP address)

IGMP cont.
- If there are multicast clients, they will respond with a Host Membership Report message, also known as an IGMP Join
- Host Membership Reports are sent to the destination IP address corresponding to the group a host wants to join
- IGMP Joins are also sent after joining a group (unsolicited Reports)
- An IGMP Leave is sent when a host leaves a group; the router will automatically respond with a group-specific query to see if there are other hosts interested in this group. This message is not available in IGMP version 1
- IGMPv3 is a component of Source-Specific Multicast; it adds the ability to choose a particular multicast source

LAN Multicast Optimizations
- Switches by default flood multicast packets out of all ports in a VLAN except the port the packet was received on
- Two popular methods of optimizing this behavior are :
  1. Cisco Group Management Protocol (CGMP)
  2. IGMP Snooping
- CGMP is Cisco-proprietary. It forces a router to communicate to the switch the multicast group it learned from IGMP so the switch can adjust its CAM table. This information includes two things :
  1. Destination L2 multicast group MAC
  2. Source IP address of the host


LAN Multicast Optimizations cont.
- IGMP Snooping works only with Layer 3 switches; it inspects all IGMP messages. Whenever an IGMP Join message for a new group is detected on a port, a new CAM entry is created for this multicast group and the port is added to that entry. A disadvantage is that all IGMP packets are process-switched
- Neither CGMP nor IGMP Snooping works for 224.0.0.0/24
- The reason for this is that routing protocols like OSPF or EIGRP don't generate IGMP packets
- Host Membership Query messages would not be answered and switch ports connected to routers would not be reported to CGMP or IGMP Snooping. This would result in traffic black-holing at L2

IGMP, CGMP and IGMP Snooping Configuration


IGMP & LAN Optimization Configuration

IGMP Version
ip igmp version 1|2|3

Emulating Multicast Clients
ip igmp join-group IP_address
ip igmp static-group IP_address

CGMP
ip cgmp

IGMP Snooping
ip igmp snooping
[no] ip igmp snooping vlan vlan_nr


Configuration Verification
show ip igmp groups     - Displays IGMP groups learned from multicast receivers
show ip igmp interface  - Displays IGMP-related information per-interface
show ip igmp snooping   - Displays IGMP Snooping configuration


5.01 Implement Protocol Independent Multicast (PIM) Sparse Mode


Multicast Distribution Trees
- Since multicast is a one-to-many technology, unicast forwarding logic cannot be used to forward multicast packets
- Distribution Trees are used instead
- Two types of multicast trees are :
  1. Source Trees
  2. Shared Trees
- A Source Tree is always rooted at the source of the multicast traffic
- A Shared Tree is always rooted at the so-called Rendezvous Point (RP)

Source Tree


Shared Tree


Reverse Path Forwarding (RPF)
- The RPF (Reverse Path Forwarding) mechanism is used to prevent forwarding loops in a multicast environment
- The source IP address of each received multicast packet is validated against the unicast routing table
- If the route corresponding to the source is reachable through an interface other than the one on which the packet was received, the packet is dropped
- If there are multiple paths to the source (load-balancing), the interface towards the highest next-hop IP address is considered to be the RPF interface
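The RPF decision described above, as an added Python example that is not part of the original course material. The routing table is constructed for illustration; it shows the longest-prefix lookup, the equal-cost tie-break on the highest next-hop IP, and the resulting accept/drop decision.

```python
# Added example: RPF check against a small unicast routing table (constructed
# data, not from the slides). Longest prefix wins; with equal-cost paths the
# interface towards the highest next-hop IP is the RPF interface, as stated above.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str        # e.g. "10.1.1.0/24"
    next_hop: str      # next-hop IP address
    interface: str     # interface the route points out of


# Constructed table: two equal-cost paths to 10.1.1.0/24, a covering /8, one /16
UNICAST_TABLE = [
    Route("10.1.1.0/24", "192.168.12.1", "Serial0/0"),
    Route("10.1.1.0/24", "192.168.13.1", "Serial0/1"),
    Route("10.0.0.0/8", "192.168.14.1", "Serial0/2"),
    Route("172.16.0.0/16", "192.168.15.1", "FastEthernet0/0"),
]


def rpf_interface(table, source):
    """Return the RPF interface for `source`, or None when there is no route."""
    src = ipaddress.IPv4Address(source)
    matches = [r for r in table if src in ipaddress.IPv4Network(r.prefix)]
    if not matches:
        return None
    longest = max(ipaddress.IPv4Network(r.prefix).prefixlen for r in matches)
    best = [r for r in matches if ipaddress.IPv4Network(r.prefix).prefixlen == longest]
    # equal-cost tie-break: the path via the highest next-hop IP address
    return max(best, key=lambda r: int(ipaddress.IPv4Address(r.next_hop))).interface


def rpf_check(table, source, ingress):
    """True when a multicast packet from `source` arriving on `ingress` passes RPF;
    a packet on any other interface (or with no route at all) is dropped."""
    iface = rpf_interface(table, source)
    return iface is not None and iface == ingress


if __name__ == "__main__":
    for src, iface in [("10.1.1.1", "Serial0/0"), ("10.1.1.1", "Serial0/1")]:
        verdict = "forward" if rpf_check(UNICAST_TABLE, src, iface) else "drop (RPF fail)"
        print(f"source {src} on {iface}: RPF iface {rpf_interface(UNICAST_TABLE, src)} -> {verdict}")
```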


RPF Example


Protocol Independent Multicast (PIM)
- Cisco devices use Protocol Independent Multicast (PIM) to construct the distribution trees
- There are two varieties of PIM :
  1. PIM Dense Mode (PIM-DM)
  2. PIM Sparse Mode (PIM-SM)
- PIM neighbors are discovered & maintained using PIM Hello packets
- PIM Hellos are sent to multicast address 224.0.0.13 using IP Protocol Number 103 every 30 seconds by default
- The default hold-time value is 90 seconds



PIM Dense Mode
- PIM Dense Mode uses Source Trees (also known as Shortest Path Trees or SPTs)
- Dense Mode logic is based on a push model : flood and prune
- Routers configured for PIM-DM flood multicast traffic out of all PIM-enabled interfaces (to all PIM DM neighbors)
- As a result, initially every PIM neighbor is considered to be on the Shortest Path Tree
- Pruning is then used to clean empty branches


PIM Dense Mode Example


PIM Dense Mode - Pruning
- Initially, every single network segment receives the multicast feed regardless of whether it needs it or not
- Prune messages are used to inform the upstream device that multicast traffic is not required (at the given time)
- A Prune message is sent in two situations :
  1. When a multicast packet is received on a non-RPF interface
  2. When a router has no directly connected hosts AND no downstream routers listening for a particular multicast group
- Pruned interfaces are put back into the forwarding state after a 3-minute timer expires

Pruning Example


Pruning Example cont.


Example Dense Mode Entry
(10.1.1.1, 225.1.1.1), 00:01:15/00:01:20, flags: CT
  Incoming interface: Serial0/1, RPF nbr 0.0.0.0
  Outgoing interface list:
    Serial0/0, Prune/Dense, 00:01:00/00:02:00


State Refresh & Graft Message
- The State Refresh feature is designed to stop the constant flood-and-prune behavior
- State Refresh keeps the pruned state in PIM dense mode from timing out by periodically forwarding a control message down the source-based distribution tree
- This feature also enables PIM DM routers to recognize topology changes (IGMP Join/Leave) before the 3-minute timer expires
- A Graft message is sent to rejoin a previously pruned branch to the delivery tree


Graft Message - Example


PIM - Two Details
- Cisco routers automatically create a (*,G) entry for each (S,G) entry (which is called a parent entry), just for design efficiency
- This entry is NOT used for traffic forwarding (the incoming interface will be shown as Null)
- Technically speaking, a Prune message is actually a Join/Prune message with the P flag set


PIM DM & SM Common Features
- Features common to PIM Dense & Sparse Mode that apply to multi-access interfaces are as follows :
  1. Prune Override
  2. PIM Assert
  3. PIM Designated Router (PIM DR)
- Prune Override : sent to override a Prune when other devices still want to receive the multicast feed
- PIM Assert : used to choose a single device that will be responsible for forwarding multicast traffic TO a segment. The election is based on :
  1. Lowest Administrative Distance
  2. Lowest Metric
  3. Highest IP address

PIM DM & SM Common Features cont.
- PIM Designated Router (PIM DR) : the device with the highest Priority value, or in a tie, with the highest IP address is elected as PIM DR. In Dense Mode, PIM DR was used only with IGMPv1. In Sparse Mode, PIM DR is responsible for two things :
  1. Registering active multicast sources
  2. Constructing the shared tree for a particular multicast group


PIM Sparse Mode
- PIM Sparse Mode is based on a pull model
- In Sparse Mode, traffic will not be forwarded to a device unless it explicitly asked for it
- PIM Join messages are sent towards the RP to build the shared distribution tree
- PIM-SM operations can be divided into two distinct phases :
  1. Source Phase
  2. Client Phase

PIM Sparse Mode Client Phase
- The shared tree is created using PIM Join messages
- A PIM Join is generated on the Last-Hop router (directly connected to the client) right after an IGMP Membership Report message is received. A (*,G) entry is created
- An upstream router receiving this message builds its own (*,G) entry and generates another PIM Join towards the RP. Finally the RP also creates its own (*,G)
- Remember that the PIM DR is responsible for generating the first PIM Join message on multiaccess segments

PIM-SM Client Phase Example


PIM Sparse Mode Source Phase
- A Shortest Path Tree is created from the RP to the multicast source
- The First-Hop router (directly connected to the source) sends a unicast PIM Register message to the RP (on multiaccess segments it would be the PIM DR)
- The Rendezvous Point creates an SPT to the multicast source using a PIM Join message
- The RP sends a PIM Register-Stop message to the source since traffic has just started flowing over the SPT it built (with the source)

PIM-SM Source Phase


PIM SM Source Phase cont.


Example Sparse Mode mroute entries

Shared Tree
(*, 225.1.1.1), 00:01:30/00:02:10, RP 192.168.1.1, flags: S
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Serial0/0, Forward/Sparse, 00:01:30/00:02:01

SPT
(10.1.1.1/32, 225.1.1.1), 00:01:30/00:02:01, flags: T
  Incoming interface: Serial0/1, RPF nbr 10.3.3.3
  Outgoing interface list: Null


SPT Switchover
- Each PIM-SM router can build the SPT between itself and the source of the multicast traffic
- This is used to reduce the latency and the load on the RP itself
- Before a PIM Join can be generated to build this tree, a router needs to learn the multicast source IP address
- By default, this happens after the first multicast data packet is received on the shared tree from the RP (but the SPT Switchover threshold is configurable)
- It is impossible to build the SPT initially, since the source of the multicast traffic is unknown

SPT Switchover Example


SPT Switchover Example cont.


PIM Sparse-Dense Mode
- PIM Sparse-Dense Mode uses Sparse Mode for groups that have an RP configured
- All other groups that have no RP information will be processed as Dense Mode traffic


Protocol Independent Multicast Configuration


PIM Configuration

Multicast Routing
ip multicast-routing

PIM Dense, Sparse and Sparse-Dense Modes
ip pim dense-mode
ip pim sparse-mode
ip pim sparse-dense-mode

Static Rendezvous Point
ip pim rp-address IP_address

SPT Threshold
ip pim spt-threshold value


Configuration Verification
show ip pim interface  - Displays information about the interfaces configured for PIM
show ip pim neighbor   - Displays information about discovered PIM neighbors
show ip mroute         - Displays the contents of the multicast routing table


5.02 Implement PIM Auto-Rendezvous Point (Auto-RP), unicast Rendezvous Point (RP), and BootStrap Router (BSR)


Rendezvous Point
- All PIM Sparse Mode devices need to know the RP address
- Rendezvous Point information can be provided in three ways :
  1. Statically (ip pim rp-address)
  2. Using Auto-RP (Cisco-proprietary)
  3. Using BSR (standards-based)
- The static method does not scale well


Auto-RP
- Auto-RP uses two types of devices : candidate RPs (cRPs) and a Mapping Agent
- A Candidate RP sends RP-Announce messages to the reserved multicast address 224.0.1.39 (UDP port 496) to propose itself as an RP for a particular group/range
- The Mapping Agent learns all cRP information (it listens to 224.0.1.39) and decides which device becomes the RP for a particular group/range (if there is more than one cRP for a group/range, the highest-IP device is elected)
- The Mapping Agent embeds this information inside an RP-Discovery message which is then sent to 224.0.1.40 over UDP port 496. All cRPs listen to 224.0.1.40 to receive this message

Auto-RP Example


Auto-RP Example cont.


Auto-RP Problem
- If Auto-RP uses multicast to learn the RP address, how are Auto-RP messages actually forwarded?
- Auto-RP uses PIM Sparse Mode, which means that there should be an RP configured for 224.0.1.39/40. We have three options to fix this problem :
  1. Static RP configuration for 224.0.1.39/40
  2. PIM Sparse-Dense Mode
  3. Auto-RP Listener feature
- Auto-RP Listener enables forwarding Auto-RP packets (only 224.0.1.39/40) as Dense Mode traffic, even if router interfaces are configured for Sparse Mode. Use the ip pim autorp listener command to configure this feature

BootStrap Router (BSR) Overview
- BSR is somewhat similar to Auto-RP since mapping information is first collected and then distributed to other routers
- Candidate RPs propose themselves as RPs to the BSR
- The BSR floods this mapping information, called Candidate RP-set or RP-set, to all of its PIM neighbors inside a BootStrap Message (BSM)
- The RP-set is sent to 224.0.0.13 (all PIM routers) hop-by-hop, and is further re-flooded out of all interfaces where PIM neighbors exist. There is no need for PIM since BSM packets are local to the underlying L2 network (TTL of 1)

BSR Example


BootStrap Router (BSR) cont.
- Candidate RPs learn the BSR's IP address from a BSM message
- cRP advertisements are sent as unicasts
- Initially, all the devices configured as candidate BSRs elect a single BSR router
- This election process is based on the higher priority value (advertised in every BSM message)
- In a tie, the highest IP address wins (source IP addresses of BSM messages are compared)


BootStrap Router (BSR) cont.
- Each BSR router uses a common algorithm to select the same RP address for a given multicast group
- When there are multiple cRPs available for the same set of groups, a hash mask parameter can be used for load-balancing
- Every cRP gets 2^(32 - hash_mask_length) consecutive multicast groups
- There will be only ONE RP active for a given group range


Auto-RP & BSR Configuration


Auto-RP & BSR Configuration

Auto-RP Mapping Agent
ip pim send-rp-discovery if_name

Auto-RP Candidate RP
ip pim send-rp-announce if_name [group-list]

BSR Candidate BSR
ip pim bsr-candidate if_name [hash-mask-length]

BSR Candidate RP
ip pim rp-candidate if_name [group-list]


Configuration Verification
show ip pim rp           - Displays cached active RPs with associated multicast groups
show ip pim rp mappings  - Displays all group-to-RP mappings the router is aware of
show ip pim bsr-router   - Displays information about a BSR
show ip pim rp-hash      - Displays the RP selected for a particular group (Auto-RP & BSR)


5.03 Implement Multicast Source Discovery Protocol (MSDP)
5.04 Implement interdomain multicast routing


MSDP
- Multicast Source Discovery Protocol (MSDP) is a mechanism used to connect multiple PIM-SM domains (each PIM domain has its own Rendezvous Point)
- A newly received PIM Register message (which is denoted with A in the show ip mroute output) triggers sending a so-called Source Active message to all MSDP peers
- A Source Active message contains the following :
  - Multicast source IP address
  - Destination group IP address
  - Rendezvous Point IP address
- The other-end RP can now join the multicast source


MSDP Example


Anycast RP
- Anycast RP is a feature that allows for redundancy and load-balancing between multiple RPs
- Anycast RP allows multiple devices to act as the RP for the same group
- Two or more RPs are configured with the same IP address, which is further advertised into the multicast domain AND the underlying IGP
- PIM Joins will be sent to the closest RP
- MSDP is used to keep information about multicast sources in sync (between the RPs)

MSDP Configuration


MSDP Configuration

MSDP Peering
ip msdp peer IP_address

SA Originator (Anycast RP)
ip msdp originator-id if_name


Configuration Verification
show ip msdp peer      - Displays detailed information about MSDP peers
show ip msdp summary   - Displays MSDP peer status in a more friendly format
show ip msdp sa-cache  - Displays the (S,G) states learned from MSDP peers


5.05 Implement multicast tools, features, and Source-Specific Multicast


Multicast Scoping
- Multicast Scoping limits forwarding of multicast packets
- Two methods can be used to implement this feature :
  1. TTL Scoping : a multicast packet will be dropped if its TTL value is less than or equal to the interface-configured threshold. For configuration, use the ip multicast ttl-threshold command
  2. Multicast Boundary : allows you to configure a boundary for specified multicast group ranges (applies to both data & control plane packets). For configuration, use the ip multicast boundary ACL command; an extended ACL can not only specify the group but also the source of the multicast traffic


Bidirectional PIM
- Only the Shared Tree is used in Bidirectional PIM
- The Shared Tree provides a single distribution tree for all of the active sources (traffic from different sources traverses the same distribution tree)
- In PIM Bidirectional, upstream traffic follows the same path as the downstream traffic
- Since PIM Registration & Source Trees are not used in Bidir PIM, a new mechanism must be used to transport the traffic from the multicast source to the RP
- This mechanism is called Designated Forwarder (DF)


Bidirectional PIM cont.
- The Designated Forwarder is chosen on each network segment based on the lowest-cost metric to the RP
- The Designated Forwarder responsibilities include :
  - Deciding what packets need to be forwarded upstream toward the Rendezvous Point
  - Generating PIM Join/Leave messages and forwarding them towards the RP
- Routers located on a sender-only branch will also create a (*,G) state, like with a downstream part, but the OIL list will be Null
- PIM Register messages and Source Trees are NOT used in Bidirectional PIM

Bidirectional PIM Example


Source-Specific Multicast (SSM)
- Source-Specific Multicast (SSM) allows multicast receivers to explicitly specify the source of the multicast traffic
- Only Source Trees are used in SSM. No more RPs, Shared Trees, Auto-RP, BSR and MSDP
- A PIM Join is sent directly towards the multicast source
- SSM uses the multicast range 232.0.0.0/8
- IGMPv3 is the core of SSM; it allows the clients to select the specific multicast sources (INCLUDE mode). EXCLUDE mode reports are ignored in SSM

SSM & Bidirectional PIM Configuration


SSM & Bidirectional PIM Configuration

SSM
ip pim ssm default|range access-list
ip igmp version 3

Bidirectional PIM
ip pim bidir-enable

Bidirectional PIM Auto-RP
Add the bidir keyword when configuring Auto-RP


Configuration Verification
show ip igmp groups [detail]  - Displays IGMP groups learned from multicast receivers
show ip igmp interface        - Displays IGMP-related information per-interface
show ip mroute [active]       - Displays the contents of the multicast routing table


5.06 Implement IPv6 multicast, PIM, and related multicast protocols, such as Multicast Listener Discovery (MLD)


IPv6 Multicast

IPv6 multicast address structure :


Multicast Listener Discovery (MLD)
- Multicast Listener Discovery replaces IGMP
- MLD is used by IPv6 routers to discover multicast listeners on directly attached links
- MLD version 1 corresponds to IGMPv2
- MLD version 2 corresponds to IGMPv3
- MLD message types are as follows :
  - Query
  - Report
  - Done (equivalent to IGMP Leave)

IPv6 PIM, Auto-RP, BSR
- IPv6 PIM is similar to IPv4 PIM
- Only Sparse Mode is supported
- Currently there is no Auto-RP in IPv6
- IPv6 BSR allows you to configure a list of Candidate RPs on the BSR
- This may be useful in Anycast RP and Bidirectional PIM scenarios


Embedded RP
- There is no MSDP in IPv6; the Embedded RP feature can be used instead
- Embedded RP allows the router to learn RP information from the multicast group destination address
- The RP must be statically configured and advertised into the IGP


Embedded RP Address
- For example, FF76:0140:2001:ABCD::5 results in the RP address 2001:ABCD::1/64.
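How a router extracts that RP from the group address, as an added Python example that is not part of the original course material. It follows the RFC 3956 layout (flags, RIID and prefix length carried in the group address) and also builds a group address from a given RP, so the example above can be checked in both directions.

```python
# Added example: parse and build RFC 3956 embedded-RP IPv6 group addresses.
# Not from the original slides; layout constants follow the RFC.
import ipaddress

MASK64 = (1 << 64) - 1


def embedded_rp(group: str):
    """Return (rp_address, prefix_length) embedded in an FF7x::/12 group.

    Layout of the 128-bit address (RFC 3956):
      bits 120-127: 0xFF     bits 116-119: flags (R, P and T must be set)
      bits 112-115: scope    bits 108-111: reserved    bits 104-107: RIID
      bits  96-103: plen     bits  32-95: network prefix   bits 0-31: group ID
    """
    g = ipaddress.IPv6Address(group)
    raw = int(g)
    if not g.is_multicast:
        raise ValueError(f"{group} is not an IPv6 multicast address")
    flags = (raw >> 116) & 0xF
    if flags & 0x7 != 0x7:               # R=0x4, P=0x2, T=0x1
        raise ValueError(f"{group} carries no embedded RP (flags=0x{flags:x})")
    riid = (raw >> 104) & 0xF
    plen = (raw >> 96) & 0xFF
    if riid == 0 or plen == 0 or plen > 64:
        raise ValueError(f"{group}: invalid RIID {riid} or prefix length {plen}")
    prefix = (raw >> 32) & MASK64
    prefix &= ((1 << plen) - 1) << (64 - plen)     # keep only plen bits
    rp = (prefix << 64) | riid                     # RP = prefix::RIID
    return str(ipaddress.IPv6Address(rp)), plen


def has_embedded_rp(group: str) -> bool:
    """True when `group` is a well-formed embedded-RP address."""
    try:
        embedded_rp(group)
        return True
    except ValueError:
        return False


def embedded_rp_group(rp: str, plen: int, scope: int, group_id: int) -> str:
    """Inverse: build the FF7x group that embeds `rp`.

    The RP's interface identifier must be 1..15, because only four bits
    (the RIID) of it fit into the group address.
    """
    r = int(ipaddress.IPv6Address(rp))
    riid = r & MASK64
    if not 1 <= riid <= 15 or not 1 <= plen <= 64 or not 0 <= group_id <= 0xFFFFFFFF:
        raise ValueError("RP interface ID must be 1..15, plen 1..64, group ID 32-bit")
    prefix = (r >> 64) & (((1 << plen) - 1) << (64 - plen))
    raw = ((0xFF << 120) | (0x7 << 116) | ((scope & 0xF) << 112)
           | (riid << 104) | (plen << 96) | (prefix << 32) | group_id)
    return str(ipaddress.IPv6Address(raw))


if __name__ == "__main__":
    rp, plen = embedded_rp("FF76:0140:2001:ABCD::5")
    print(f"FF76:0140:2001:ABCD::5 -> RP {rp}/{plen}")
    print("rebuilt group:", embedded_rp_group(rp, plen, scope=6, group_id=5))
```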


IPv6 SSM
- IPv6 SSM is exactly the same as in IPv4
- Multicast Listener Discovery version two is used to specify the source address
- The IPv6 multicast group range reserved for SSM is FF3x::/96


IPv6 Multicast Configuration


IPv6 Multicast Configuration

IPv6 Multicast Routing
ipv6 multicast-routing

IPv6 PIM
[no] ipv6 pim

MLD
ipv6 mld ...

Static Multicast Route
ipv6 route prefix if_name next_hop multicast
ipv6 route 2001:1::/64 FastEthernet0/0 FE80::200:60EA:FE10:AB29 multicast


Configuration Verification
show ipv6 pim interface   - Displays information about interfaces configured for PIM
show ipv6 pim neighbors   - Displays information about discovered PIM neighbors
show ipv6 pim range-list  - Displays information about IPv6 multicast range lists
show ipv6 pim bsr         - Displays BSR-related information

Configuration Verification
show ipv6 mld interface  - Displays MLD-related information about an interface
show ipv6 mld groups     - Displays connected multicast groups learned through MLD
show ipv6 mroute         - Displays the IPv6 PIM topology table


End of Section 5.0

IPexperts CCIE R&S Written VoD Series
6.0 Implement Network Security


6.01 Implement Access Lists


Access Lists
- Not only a traffic-filtering tool
- Processed in a top-down fashion, up to the first match (order of entries is important)
- Implicit deny ip any any at the end
- If you want to log, use an explicit entry with the log/log-input keyword
- The log-input option includes information about the ingress interface and source MAC address


Numbered vs Named Access Lists
- Configuration is a little bit different (access-list for numbered and ip access-list standard/extended for named)
- Named ACLs are easier to manage
- Additional matching options are available, for example TCP flags or TTL value


Standard vs Extended Access Lists
- Standard ACLs test only the source IP address, with two exceptions :
  1. An outbound VTY standard ACL specifies the destination address
  2. For route filtering, the networks are specified
- Extended ACLs test source & destination IPs; additional fields can also be specified (e.g. port number, ToS)
- IOS ACLs use wildcard masks
- 0 means check the bit, whilst 1 means ignore the bit


Wildcard Mask Examples

To match even addresses, set the last bit of the IP address to 0 and check only that bit of the last octet :
access-list 1 permit 192.168.1.0 0.0.0.254

To match odd addresses, set the last bit of the IP address to 1 :
access-list 1 permit 192.168.1.1 0.0.0.254

254 corresponds to 11111110 in binary, so every bit of the last octet except the lowest one is ignored while the first three octets are checked in full
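The wildcard logic and the top-down, first-match evaluation described on these slides, as an added example (this is not code from the original deck; the ACLs and addresses in it are constructed). It evaluates a standard ACL the way IOS does, reproduces the even/odd trick, and adds a small lint that finds entries shadowed by an earlier, broader entry, which is the classic ordering mistake:

```python
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base under an IOS wildcard mask.

    A 0 bit in the wildcard means "this bit must match", a 1 bit means
    "ignore this bit": the complement of the wildcard is the care-mask.
    """
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def wildcard_for_prefix(prefix_len: int) -> str:
    """Wildcard equivalent of a /prefix_len subnet mask (e.g. 24 -> 0.0.0.255)."""
    return str(ipaddress.IPv4Address((1 << (32 - prefix_len)) - 1))


def evaluate_standard_acl(acl, src: str):
    """Evaluate a standard ACL top-down; the first matching entry wins.

    acl is a list of (action, base, wildcard) tuples in configured order.
    Returns (action, entry_number); entry_number is None when the packet
    falls through to the implicit deny at the end.
    """
    for number, (action, base, wildcard) in enumerate(acl, start=1):
        if wildcard_match(src, base, wildcard):
            return action, number
    return "deny", None  # implicit deny ip any any


def shadowed_entries(acl):
    """Numbers of entries that can never match because an earlier entry
    already covers every address they cover (a crude ACL lint)."""
    result = []
    for i, (_, base_i, wc_i) in enumerate(acl, start=1):
        care_i = ~int(ipaddress.IPv4Address(wc_i)) & 0xFFFFFFFF
        for _, base_j, wc_j in acl[: i - 1]:
            care_j = ~int(ipaddress.IPv4Address(wc_j)) & 0xFFFFFFFF
            # Earlier entry j covers i when j cares about a subset of the
            # bits i cares about and agrees with i on all of those bits.
            subset = (care_j & ~care_i & 0xFFFFFFFF) == 0
            same = (int(ipaddress.IPv4Address(base_i)) & care_j) == \
                   (int(ipaddress.IPv4Address(base_j)) & care_j)
            if subset and same:
                result.append(i)
                break
    return result


# Constructed ACLs mirroring the slide (not from the original page).
EVEN_ADDRESSES = [("permit", "192.168.1.0", "0.0.0.254")]
ODD_ADDRESSES = [("permit", "192.168.1.1", "0.0.0.254")]

# Order matters: the host-specific deny must precede the broader permit.
ORDERED = [("deny", "10.1.1.1", "0.0.0.0"), ("permit", "10.1.1.0", "0.0.0.255")]
# The same two entries reversed: the deny is shadowed and never matches.
SHADOWED = [("permit", "10.1.1.0", "0.0.0.255"), ("deny", "10.1.1.1", "0.0.0.0")]
```

Run evaluate_standard_acl(SHADOWED, "10.1.1.1") and the host is permitted by entry 1, exactly what the router would do; shadowed_entries(SHADOWED) reports entry 2 as dead. The same care-mask arithmetic is what makes 0.0.0.254 select even addresses.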


Access List Configuration

Numbered Standard ACL
access-list 1-99 (expanded range 1300-1999)

Numbered Extended ACL
access-list 100-199 (expanded range 2000-2699)

Named ACL
ip access-list standard|extended name

Attaching an ACL to an interface
ip access-group number|name in|out

IPv6 ACL
ipv6 access-list name
ipv6 traffic-filter name in|out

Example Access List Configuration

Numbered & Named Standard ACL
access-list 2 permit host 10.1.1.1
ip access-list standard STANDARD_ACL
 10 permit host 10.1.1.1

Extended ACL (replies from the Telnet server 10.1.1.1 to ephemeral client ports)
access-list 123 permit tcp 10.1.1.1 0.0.0.0 eq 23 any gt 1023

Additional matching operators
ip access-list extended EXAMPLE_ACL
 10 permit tcp any host 10.1.1.1 match-all +syn -fin
 20 permit tcp any any eq 80 8080

Example IPv6 Access List Configuration

IPv6 Access List
ipv6 access-list EXAMPLE
 deny tcp any FEC0:0:0::/64 eq 23
int f0/1
 ipv6 traffic-filter EXAMPLE in

An IPv6 ACL ends with implicit permit icmp any any nd-na and permit icmp any any nd-ns entries ahead of the implicit deny ipv6 any any, so Neighbor Discovery keeps working; an explicit deny ipv6 any any at the end overrides them and breaks ND unless it is permitted explicitly above


Configuration Verification

show access-list      - Displays the contents of all current access lists
show ip access-list   - Displays the contents of all current IP access lists
show ipv6 access-list - Displays the contents of all current IPv6 access lists


6.02 Implement Zone Based Firewall
Zone Based Firewall

Security model operates on security zones
Policy is applied to zone-pairs
Zone-pairs are unidirectional : Inside to Outside is a different zone-pair from Outside to Inside


Zone Based Firewall Zone Pairs (diagram)

Zone Based Firewall

Each interface belongs to only one security zone
For traffic to flow among all the interfaces in a router, all the interfaces must be a member of one security zone or another
By default all traffic between zone-assigned interfaces is dropped (unless these interfaces are in the same zone)
Traffic between a zone member and an interface that belongs to no zone is dropped as well
Flexible policies can be created, with per-flow granularity
The self zone covers only traffic going from/to the router itself (all of it is allowed by default)

Zone Based Firewall Zones (diagram)

Zone Based Firewall L7 Policies

Used for application-level inspection :
1. HTTP
2. IMAP
3. Instant Messenger
4. Peer to Peer
5. SMTP
6. SUN RPC


Zone Based Firewall Configuration #1

Classify traffic
class-map type inspect

class-map type inspect match-any ZFW_TEST_CLASS
 match protocol http
 match protocol tcp

Create policy
policy-map type inspect

Four available ZFW policy actions are :
1. Inspect - stateful packet inspection (return traffic is admitted automatically)
2. Pass    - allow packets one-way, statelessly (the reverse direction needs its own pass)
3. Drop    - drop the packets
4. Police  - rate-limit the traffic (used together with inspect)

Zone Based Firewall Configuration #2

Example policy-map configuration :
policy-map type inspect ZFW_IN_OUT_POL
 class type inspect TCP_CLASS
  inspect
  police ...
 class type inspect ICMP
  pass log

Create zones
zone security

zone security INSIDE
zone security OUTSIDE


Zone Based Firewall Configuration #3

Assign the interfaces to the appropriate zones
interface F0/0
 zone-member security zone_name

interface F0/0
 zone-member security INSIDE

Create zone pairs
zone-pair security zpair_name source src_zone destination dst_zone
 service-policy type inspect policy_name

zone-pair security IN_OUT source INSIDE destination OUTSIDE
 service-policy type inspect ZFW_IN_OUT_POL


Configuration Verification

show policy-map type inspect                    - Displays ZFW policy-map configuration
show zone security                              - Displays information about created security zones
show zone-pair security                         - Displays information about zone-pairs and policies
show policy-map type inspect zone-pair sessions - Displays the sessions currently inspected per zone-pair


Case Study

Host on the inside (10.1.1.1) should be able to access any device on the outside using SSH and HTTP
Any external device should be able to ping all inside networks, but the inspect action cannot be used

Case Study - Solution

Traffic classification
access-list 100 permit tcp host 10.1.1.1 any eq 22
access-list 100 permit tcp host 10.1.1.1 any eq 80
access-list 150 permit icmp any any echo
access-list 151 permit icmp any any echo-reply

class-map type inspect ZFW_INOUT_HOST1_CLASS
 match access-group 100
class-map type inspect ZFW_INOUT_ICMP_CLASS
 match access-group 151
class-map type inspect ZFW_OUTIN_ICMP_CLASS
 match access-group 150

Because pass is stateless, the echo (OUTSIDE to INSIDE) and the echo-reply (INSIDE to OUTSIDE) each need their own class and zone-pair

Case Study - Solution

Policy creation
policy-map type inspect ZFW_INOUT_POL
 class type inspect ZFW_INOUT_HOST1_CLASS
  inspect
 class type inspect ZFW_INOUT_ICMP_CLASS
  pass
policy-map type inspect ZFW_OUTIN_POL
 class type inspect ZFW_OUTIN_ICMP_CLASS
  pass


Case Study - Solution

Zones & interface assignments
zone security INSIDE
zone security OUTSIDE
int f0/1
 zone-member security INSIDE
int s0/0
 zone-member security OUTSIDE


Case Study - Solution

Creating zone pairs and associating the policy
zone-pair security INOUT source INSIDE destination OUTSIDE
 service-policy type inspect ZFW_INOUT_POL
zone-pair security OUTIN source OUTSIDE destination INSIDE
 service-policy type inspect ZFW_OUTIN_POL


6.03 Implement Unicast Reverse Path Forwarding (uRPF)

uRPF

Verifies the source address of received packets against the forwarding table (requires CEF)
Two modes of operation : Strict and Loose
In Strict Mode the packet must be received on the interface the router itself would use to reach the source (best path in the RIB/FIB)
In Loose Mode it is enough if a route to the packet's source exists anywhere in the routing table
In both modes a source that matches only the default route fails the check unless the allow-default keyword is configured
One caveat with uRPF is a Null0 route : if the lookup for the source resolves to Null0, the received packet is dropped (this is what source-based remote-triggered black holing relies on)
Strict Mode breaks under asymmetric routing, so it is normally used only at single-homed customer edges
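The strict/loose distinction, the allow-default behaviour and the Null0 caveat from this slide, as an added example (not code from the original deck). The routing table, interface names and addresses are constructed; the function emulates what ip verify unicast source reachable-via rx|any [allow-default] decides for one packet:

```python
import ipaddress

# Constructed routing table (not from the original page): (prefix, egress interface).
# The Null0 entry is a black-hole route, as used for remote-triggered black holing.
RIB = [
    ("10.1.0.0/16", "Gi0/1"),
    ("10.1.5.0/24", "Gi0/2"),
    ("192.0.2.0/24", "Null0"),
    ("0.0.0.0/0", "Gi0/3"),
]


def lookup(rib, address: str):
    """Longest-prefix match; returns (network, interface) or None."""
    ip = ipaddress.IPv4Address(address)
    best = None
    for prefix, iface in rib:
        net = ipaddress.IPv4Network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(rib, src: str, ingress: str, mode: str = "strict",
               allow_default: bool = False):
    """Emulate ip verify unicast source reachable-via rx|any [allow-default].

    Returns (accept, reason). Strict mode ('rx') requires the best path back
    to the source to leave through the ingress interface; loose mode ('any')
    only requires that some route to the source exists.
    """
    hit = lookup(rib, src)
    if hit is None:
        return False, "no route to source"
    net, iface = hit
    if net.prefixlen == 0 and not allow_default:
        return False, "source matched only the default route (allow-default not set)"
    if iface == "Null0":
        # The caveat from the slide: a source routed to Null0 fails in both modes.
        return False, "source is routed to Null0"
    if mode == "strict" and iface != ingress:
        return False, f"strict: best path to source is via {iface}, packet arrived on {ingress}"
    return True, f"{mode}: source reachable via {iface}"
```

With this table a packet from 10.1.5.7 arriving on Gi0/1 passes loose mode but fails strict mode, because the best route to 10.1.5.0/24 points at Gi0/2; that is the asymmetric-routing case that makes strict mode unsuitable on most core links.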

uRPF Configuration

Ensure that CEF is enabled
ip cef

Loose Mode (interface)
ip verify unicast source reachable-via any

Strict Mode (interface)
ip verify unicast source reachable-via rx

Additional configuration options :
allow-default   - a source matching only the default route passes the check
allow-self-ping - lets the router ping its own interface address through that interface
ACL_nr          - packets that fail the check are consulted against this ACL; permitted ones are still forwarded (and can be logged), denied ones are dropped


Example uRPF Configuration

access-list 2 permit host 192.168.1.1
interface Serial0/0
 ip address 192.0.2.2 255.255.255.0
 ip verify unicast source reachable-via any 2

Here packets sourced from 192.168.1.1 are forwarded even when the loose check fails, because ACL 2 permits them


Configuration Verification

show ip interface if | include verify - Shows if uRPF is enabled on this interface
show cef interface if                 - Displays CEF information for a specified interface (including the uRPF drop counter)
show ip traffic | include RPF         - Shows the global count of unicast RPF drops


6.04 Implement IP Source Guard

IP Source Guard

Anti-spoofing solution for L2 switch ports
Source binding entries are transformed into a port ACL on the untrusted port
Source bindings are either manual (static) or learned from DHCP Snooping
Until a binding exists for the port, only DHCP traffic is allowed through it, so a statically addressed host needs a manual binding
Filtering based on MAC addresses can also be configured, which affects IP and non-IP traffic


IP Source Guard Configuration

Turn on DHCP Snooping
ip dhcp snooping vlan vlan_nr
ip dhcp snooping

IP address filtering (interface)
ip verify source

IP & MAC address filtering (IP and non-IP traffic)
ip dhcp snooping information option
switchport port-security
ip verify source port-security

Manual bindings
ip source binding mac_address vlan vlan_nr ip_address interface if


Example IP Source Guard Configuration

ip dhcp snooping vlan 10
ip dhcp snooping vlan 20
ip dhcp snooping
int f0/1
 switchport access vlan 10
 ip verify source
int f0/2
 switchport access vlan 20
 ip verify source


Configuration Verification

show ip verify source [interface] - Displays IP Source Guard configuration and the active per-port filters
show ip source binding            - Shows dynamic AND static bindings in the DHCP Snooping database
show ip dhcp snooping binding     - Shows ONLY dynamic bindings (DHCP Snooping bindings)

6.05 Implement Authentication, Authorization and Accounting (AAA)

AAA

Security framework
Authentication - who you are
Usually RADIUS and TACACS+ protocols are used
RADIUS uses UDP port 1812 for authentication & authorization and UDP port 1813 for accounting (the legacy ports 1645/1646 are still the defaults of the IOS radius-server host command)
TACACS+ uses TCP port 49
RADIUS obscures only the password (the User-Password attribute), TACACS+ encrypts the entire body of the packet
RADIUS combines authentication and authorization in a single exchange


AAA cont.

TACACS+ separates the three AAA functions
TACACS+ can be used for per-command authorization (RADIUS cannot)
Authorization - what you can do
Accounting - what you did
Router/Switch acts as a Network Access Server (NAS)
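The difference between "RADIUS encrypts the password" and "TACACS+ encrypts the entire body" is easiest to see in code. This is an added example, not from the original deck: it implements the User-Password hiding of RFC 2865 section 5.2 and the body obfuscation of RFC 8907 section 4.5 with nothing but MD5, on constructed values (the shared secret, authenticator and session id are made up; a real authenticator is random per request):

```python
import hashlib
import struct


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: hide the User-Password attribute.

    The password is NUL-padded to a multiple of 16 bytes and XORed block by
    block with MD5(secret + Request Authenticator) for the first block and
    MD5(secret + previous ciphertext block) for the following ones. Nothing
    else in the RADIUS packet (User-Name, NAS-IP-Address, ...) is protected.
    """
    if len(authenticator) != 16:
        raise ValueError("the Request Authenticator is 16 bytes")
    padded_len = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(padded_len, b"\x00")
    out = bytearray()
    prev = authenticator
    for i in range(0, padded_len, 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c
    return bytes(out)


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password (what the server does)."""
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def tacacs_plus_crypt(body: bytes, key: bytes, session_id: int,
                      version: int = 0xC0, seq_no: int = 1) -> bytes:
    """RFC 8907 section 4.5: encrypt or decrypt a TACACS+ packet body.

    The keystream is MD5(session_id + key + version + seq_no), then
    MD5(session_id + key + version + seq_no + previous MD5) and so on,
    truncated to the body length. Everything after the 12-byte header
    (user names, passwords, commands, privilege levels) is XORed with it.
    XOR is its own inverse, so the same call decrypts.
    """
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad = b""
    prev = b""
    while len(pad) < len(body):
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return bytes(x ^ y for x, y in zip(body, pad))


# Constructed sample values (not captured traffic).
SECRET = b"ipexpert"
AUTHENTICATOR = bytes(range(16))
SESSION_ID = 0x1234ABCD
TACACS_BODY = b"\x01\x00\x00\x00\x05\x00\x00\x00admin" + b"s3cret-pw"  # simplified authen START body


def demo():
    """Round-trip a password through both schemes; returns the four artefacts."""
    hidden = radius_hide_password(b"s3cret-pw", SECRET, AUTHENTICATOR)
    revealed = radius_reveal_password(hidden, SECRET, AUTHENTICATOR)
    enc = tacacs_plus_crypt(TACACS_BODY, SECRET, SESSION_ID)
    dec = tacacs_plus_crypt(enc, SECRET, SESSION_ID)
    return hidden, revealed, enc, dec
```

Both schemes are keystream XORs keyed by MD5 of a shared secret, so neither is strong by modern standards: an attacker who captures the exchange can mount an offline dictionary attack on the secret. The practical lesson is that RADIUS leaves user names and attributes in clear text while TACACS+ hides the whole body, and that both should run over a management network or a tunnel rather than across untrusted links.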


AAA Configuration

Enable the AAA framework
aaa new-model

Authentication method list
aaa authentication login name auth_methods
aaa authentication login default auth_methods

Authentication methods (tried in order; the next method is used only if the previous one does not answer, not if it rejects the user) :
line
local
enable
group radius|tacacs+
none

AAA Servers
radius-server host, tacacs-server host

Once aaa new-model is entered the default list applies to every line, so keep a console session open while testing

AAA Configuration cont.

Authorization method lists
aaa authorization exec
aaa authorization commands level

Authorization methods :
if-authenticated
line
local
group radius|tacacs+
none

aaa authorization exec default group radius if-authenticated

Accounting method lists
aaa accounting exec
aaa accounting commands level


AAA Configuration cont.

Applying an authentication list (line mode)
login authentication list_name

Applying an authorization list
authorization exec|commands level list_name

Applying an accounting list
accounting exec|commands level list_name


Example AAA Configuration

aaa new-model
aaa authentication login AUTH group tacacs+ local
aaa authorization exec AUTHOR group tacacs+
aaa accounting exec ACC start-stop group tacacs+
tacacs-server host 10.1.1.1 key ipexpert
username ipexpert password ipexpert
line con 0
 login authentication AUTH
 authorization exec AUTHOR
 accounting exec ACC

The local user is only the fallback for when the TACACS+ server is unreachable; username ... secret would store it hashed instead of reversibly encrypted

Configuration Verification

show aaa servers         - Displays statistics for the configured RADIUS and TACACS+ servers
show radius server-group - Displays properties for the RADIUS server group
show tacacs              - Displays statistics for a TACACS+ server
test aaa group tacacs+ user password legacy - Tests an authentication against the server group without logging out of the current session


6.06 Implement Control Plane Policing (CoPP)

CoPP - Control Plane

IP packets are all carried in a single pipe
Transit packets are destined to something else than the device itself
Control Plane is a logical distinction used to describe the components that build up the other traffic planes
Control Plane packets can be divided into two groups :
1. Packets destined to the device itself, e.g. BGP, RIP
2. Layer 2 and Layer 3 non-IP packets, e.g. ARP, CDP


CoPP - Policing

Used to protect the Control Plane (the route processor CPU)
Other traffic is also subject to this feature, e.g. management and exception packets
Exception packets require CPU handling; examples are IPv4 packets with header options, expiring TTL, ICMP unreachables, packets requiring fragmentation
Usually applied to ingress traffic, although certain platforms support egress traffic too

CoPP Configuration

MQC
class-map
policy-map

Policy actions available
police [rate]
drop

Enabling CoPP
control-plane
 service-policy input|output policy_name


Example CoPP Configuration

Routing Protocols
access-list 100 permit ospf any host 224.0.0.5
access-list 100 permit ospf any host 224.0.0.6

Management traffic (the deny keeps SSH from 10.1.1.1 out of this class, so the management station is not subject to its policer)
access-list 101 deny tcp host 10.1.1.1 any eq 22
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq 23

Normal traffic
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any unreachable
access-list 102 permit pim any any

Example CoPP Configuration cont.

Undesirable traffic
access-list 103 permit ip any any fragments
access-list 103 permit udp any any eq 1434

Classification
class-map match-all ROUTING_CLASS
 match access-group 100
class-map match-all MGMT_CLASS
 match access-group 101
class-map match-all NORMAL_CLASS
 match access-group 102
class-map match-all BAD_CLASS
 match access-group 103

Example CoPP Configuration cont.

Policy & Enabling CoPP
policy-map COPP_POL
 class ROUTING_CLASS
  police 1000000 50000 50000 conform-action transmit exceed-action transmit
 class MGMT_CLASS
  police 100000 5000 5000 conform-action transmit exceed-action drop
 class NORMAL_CLASS
  police rate 1000 pps burst 100 packets
 class BAD_CLASS
  drop

control-plane
 service-policy input COPP_POL

Routing traffic is policed with exceed-action transmit only to collect statistics; dropping it would break adjacencies. Classes are evaluated in order and the first match wins, so watch for broad classes placed above narrower ones

Configuration Verification

show policy-map               - Displays the contents of existing policy-maps
show policy-map control-plane - Displays the configuration and statistics (conformed/exceeded counters) for a traffic class or all traffic classes in the policy maps attached to the control-plane
show control-plane features   - Displays configured control-plane features


6.07 Implement Cisco IOS Firewall

CBAC

Cisco IOS Firewall = CBAC (Context-Based Access Control)
Stateful monitoring
Connection Table
Firewall ACL Bypass (FAB) - only if no connection entry is found is the ACL examined


CBAC Connection Table (diagram)

CBAC features

Generic TCP & UDP inspection
Application-level inspection
Special protocol handling, e.g. FTP (the data channel is opened dynamically)
Alerts notify about protocol violations or potential attacks
Audit-trails are used for basic traffic accounting
Alerts & Audit-trails appear as SYSLOG messages


CBAC Configuration

Create and apply an ACL, usually inbound on the outside interface
access-list ACL_nr permit|deny ...
ip access-group ACL_nr in|out

Enable CBAC for particular protocols
ip inspect name inspect_name protocol [options]

Apply CBAC (interface)
ip inspect inspect_name in|out


CBAC Configuration - Tuning

General Tuning
ip inspect tcp synwait-time
ip inspect tcp idle-time
ip inspect udp idle-time
ip inspect dns-timeout

Anti-DoS configuration (half-open session thresholds)
ip inspect max-incomplete high|low
ip inspect one-minute high|low
ip inspect tcp max-incomplete host


Example CBAC Configuration

ip access-list extended OUTSIDE_IN
 10 permit tcp any host 192.0.2.1 eq 80
 100 deny ip any any log
ip inspect name CBAC tcp alert on audit-trail on
ip inspect name CBAC http
ip inspect name CBAC icmp router-traffic

int F0/1
 ip access-group OUTSIDE_IN in
 ip inspect CBAC out

F0/1 is the outside interface : sessions leaving through it are inspected and their return traffic is admitted ahead of the inbound ACL, which on its own only lets HTTP to 192.0.2.1 in


Configuration Verification

show ip inspect config     - Displays the complete CBAC inspection configuration
show ip inspect interfaces - Displays the CBAC-related interface configuration
show ip inspect sessions   - Displays existing sessions tracked and inspected by CBAC


6.08 Implement Cisco IOS Intrusion Prevention System (IPS)

Cisco IOS IPS

Sophisticated, signature-based security tool
A signature is a distinctive characteristic that identifies something
Inline detection sensor
Single packets and entire sessions are scanned
Cisco IOS IPS available actions are as follows :
1. Send an alarm
2. Drop the packet
3. Reset the connection
4. Deny the source or the connection

Cisco IOS IPS Configuration

Install Cisco's public key, used to verify the digital signature on the signature package (copy & paste the realm-cisco.pub key)
crypto key pubkey-chain rsa

Create a directory for IPS files
mkdir flash:/dir_name

Create an IPS rule
ip ips name rule_name

Specify the location for the signatures
ip ips config location path


Cisco IOS IPS Configuration cont.

Retire/Enable signatures
ip ips signature-category
 category cat_name
  retired true|false

Apply the IPS rule to an interface
ip ips rule_name in|out

Compile and load the signatures
copy flash:/file_name.pkg idconf


Example Cisco IOS IPS Configuration

mkdir flash:/IPS_DIR
ip ips name IPS
ip ips config location flash:/IPS_DIR
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
int g0/1
 ip ips IPS in
copy flash:IOS-S258-CLI-kd.pkg idconf

Retiring everything first and then un-retiring the basic category keeps the compiled signature set small enough for the router's memory

Configuration Verification

show ip ips [config|signature] - Displays the IPS information
show ip ips category           - Displays the IPS categories


6.09 Implement Secure Shell (SSH)

SSH

Remote management protocol (encrypted, unlike Telnet)
Replaces Berkeley r-tools (rsh, rlogin, rcp)
Version 2 is more secure; SSHv1 has known protocol weaknesses and should be disabled
IOS boxes support both SSH server and client
Used for Execution Shell (EXEC) access (IOS can also run an SCP server on top of it)


SSH Mechanics

SSH Server has one or two public keys :
1. Host key (permanent)
2. Server key (only used in SSHv1, regenerated hourly)

Public key(s) are sent to the client
Client caches the host key and compares it on later connections (a changed key is a warning sign)
In SSHv1 the client generates a random session key, encrypts it with the server's public keys and sends it back; the server decrypts it and both sides start using it for the data
SSHv2 instead derives the session keys with a Diffie-Hellman exchange that the server signs with its host key, and uses separate keys for each direction


SSH Configuration

Define hostname and domain-name (both are needed to name the RSA key)
hostname host_name
ip domain-name domain_name

Generate the RSA key pair (use a modulus of at least 2048 bits)
crypto key generate rsa [modulus modulus_size]

Configure the authentication database (e.g. local) and optionally restrict remote management traffic to SSH
username ...
line vty 0 4
 login local
 transport input ssh

Configure SSH version (optional, but version 2 should be enforced)
ip ssh version 1|2
IPexpert, Inc.

Example SSH Configuration

hostname Europe
ip domain-name ipexpert.com
crypto key generate rsa modulus 2048
username ipexpert secret ipexpert
line vty 0 4
 login local
 transport input ssh
ip ssh version 2


Configuration Verification

show ip ssh                  - Displays the version and configuration data for SSH
show ssh                     - Displays the status of SSH server connections
show crypto key mypubkey rsa - Displays the generated RSA key(s)


6.10 Implement 802.1x

802.1x

Port-level authentication mechanism
Used along with RADIUS
Unauthenticated port permits only three things :
1. EAPoL frames
2. CDP
3. STP

Extensible Authentication Protocol carries arbitrary authentication information (the switch relays it to the RADIUS server without understanding the method)


802.1x components

Three primary 802.1x components/roles :

Supplicant (client) is an end device supporting 802.1x, for example a workstation or laptop
Authenticator is the policy enforcer, for example a Catalyst switch or a wireless access point
Authentication server is a database supporting RADIUS, for example Cisco ACS


802.1x mechanics (diagram)

802.1x Configuration

Enable AAA framework
aaa new-model

Define a 802.1x method list
aaa authentication dot1x default group radius

Enable 802.1x globally
dot1x system-auth-control

Define the RADIUS Server
radius-server host server_IP key key_string

Specify which ports 802.1x should be running on (interface)
dot1x port-control auto | force-authorized | force-unauthorized

Example 802.1x Configuration

aaa new-model
aaa authentication dot1x default group radius
radius-server host 10.1.1.1 key ipexpert
dot1x system-auth-control
interface FastEthernet0/1
 switchport access vlan 2
 switchport mode access
 dot1x port-control auto


Configuration Verification

show dot1x [interface if] [details] - Displays 802.1x statistics and status


6.11 Implement NAT

NAT

Alleviates the problem of IPv4 address exhaustion
Modifies IP address and/or port number
Confusing terminology :
Local addresses are the ones that appear on the inside network
Global addresses are the ones that appear on the outside network

NAT local/global (diagram)

NAT flavors & order of operations

Static NAT  - one-to-one mapping. A fixed translation slot is pre-created, allowing traffic to be initiated from the post-NAT side
Dynamic NAT - each host gets a unique address from a defined pool, for the session's duration
PAT         - form of Dynamic NAT, however only a single IP address is used, in conjunction with source port numbers (overload)

For packets flowing outside->inside, NAT happens first, then routing. For inside->outside, routing takes place first, then the NAT translation

NAT Configuration

General syntax for NAT
ip nat inside|outside source|destination ...

NAT Pool (Dynamic NAT)
ip nat pool pool_name

Define the traffic which should be translated
access-list
route-map

Mark internal and external interfaces
ip nat inside
ip nat outside


Example Static NAT Configuration #1

ip nat inside source static 10.1.1.1 172.16.1.1
int f0/0
 ip nat inside
int f0/1
 ip nat outside


Example Static NAT Configuration #1

Europe#show ip nat translations
Pro  Inside global   Inside local   Outside local   Outside global
icmp 172.16.1.1:15   10.1.1.1:15    192.0.2.1:15    192.0.2.1:15
---  172.16.1.1      10.1.1.1       ---             ---


Example Static NAT Configuration #2

ip nat outside source static 192.0.2.1 172.16.1.1
int f0/0
 ip nat inside
int f0/1
 ip nat outside


Example Static NAT Configuration #2

Europe#show ip nat translations
Pro  Inside global   Inside local   Outside local   Outside global
---  ---             ---            172.16.1.1      192.0.2.1
icmp 10.1.1.1:37     10.1.1.1:37    172.16.1.1:37   192.0.2.1:37


Example Dynamic NAT Configuration

access-list 1 permit 10.1.1.0 0.0.0.255
ip nat pool NAT_POOL 172.16.1.1 172.16.1.254 netmask 255.255.255.0
ip nat inside source list 1 pool NAT_POOL
int f0/0
 ip nat inside
int f0/1
 ip nat outside


Example PAT Configuration

access-list 1 permit 10.1.1.0 0.0.0.255
ip nat inside source list 1 interface f0/1 overload
int f0/0
 ip nat inside
int f0/1
 ip nat outside


Example NAT Load-Balancing Config

access-list 10 permit host 192.0.2.1
ip nat pool REAL_HOSTS_POOL 10.1.1.1 10.1.1.10 prefix-length 28 type rotary
ip nat inside destination list 10 pool REAL_HOSTS_POOL

int serial0
 ip nat outside
int f0/1
 ip nat inside

New TCP sessions to the virtual address 192.0.2.1 are handed to the real hosts 10.1.1.1-10 in round-robin fashion


Configuration Verification

show ip nat translations - Displays active NAT translations
show ip nat statistics   - Displays NAT statistics


6.12 Implement Routing Protocol Authentication

Routing Protocol Authentication

Two authentication methods are available : clear text and MD5
With clear text the password itself travels in every packet, so anyone who can capture it can join the routing domain
With MD5 a keyed hash of the packet (the packet followed by the shared key) is computed and embedded inside it; the key itself never appears on the wire
Receiving router generates its own hash with the same key and compares the two
If they are the same, the routing update is assumed to be trusted
Protects against packet tampering and against rogue routers injecting routes
Key chains (accept-lifetime / send-lifetime) allow the key to be rolled over without an outage
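The keyed-digest scheme described above, as an added example (not code from the original deck). It follows the OSPF cryptographic authentication layout of RFC 2328 Appendix D.4.3 in simplified form: an authentication field carrying key id, digest length and a sequence number is appended to the payload, the MD5 digest is computed over packet plus zero-padded key, and the receiver recomputes it and rejects tampered, wrongly keyed or replayed packets. Packet contents, key and neighbor names are constructed:

```python
import hashlib
import hmac
import struct


def _pad_key(key: bytes) -> bytes:
    """OSPF pads the secret key with zeros to 16 bytes (RFC 2328 D.4.3)."""
    if len(key) > 16:
        raise ValueError("OSPF MD5 keys are at most 16 bytes")
    return key.ljust(16, b"\x00")


def sign_packet(payload: bytes, key_id: int, seq: int, key: bytes) -> bytes:
    """Build payload || auth field || digest.

    The auth field carries the key id, the digest length (16) and a
    cryptographic sequence number; the digest is MD5 over the packet
    (payload plus that field) followed by the padded key. Only the
    digest travels, never the key.
    """
    auth_field = struct.pack("!BBI", key_id, 16, seq)
    packet = payload + auth_field
    digest = hashlib.md5(packet + _pad_key(key)).digest()
    return packet + digest


def verify_packet(message: bytes, keys: dict, last_seq: dict, neighbor: str):
    """Verify a received message against a key chain.

    keys maps key id -> key bytes; last_seq tracks the highest sequence
    number accepted per neighbor (OSPF requires non-decreasing sequence
    numbers to stop replay). Returns (ok, reason) and updates last_seq.
    """
    if len(message) < 6 + 16:
        return False, "truncated"
    packet, digest = message[:-16], message[-16:]
    key_id, length, seq = struct.unpack("!BBI", packet[-6:])
    if length != 16 or key_id not in keys:
        return False, f"unknown key id {key_id}"
    expected = hashlib.md5(packet + _pad_key(keys[key_id])).digest()
    if not hmac.compare_digest(expected, digest):
        return False, "bad digest (wrong key or packet modified)"
    if seq < last_seq.get(neighbor, 0):
        return False, f"replay: seq {seq} < {last_seq[neighbor]}"
    last_seq[neighbor] = seq
    return True, "authenticated"
```

The key id in the trailer is what lets a key chain carry two keys at once during a rollover: the receiver picks the key by id rather than trying every key. RIP (RFC 2082) and EIGRP use the same append-the-key construction; BGP's TCP MD5 option hashes the TCP segment instead, but the shared-secret idea is identical.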

Routing Protocol Authentication Configuration

RIP Authentication Configuration

Define the authentication method (interface)
ip rip authentication mode text|md5

Text password
ip rip authentication password

For MD5 first create a key-chain
key chain kchain
 key key_nr
  key-string key_string
  accept-lifetime
  send-lifetime

Enable MD5 authentication (interface)
ip rip authentication key-chain kchain

EIGRP Authentication Configuration

Only MD5 is supported with EIGRP (interface)
ip authentication mode eigrp AS md5

Create a key-chain
key chain kchain
 key key_nr
  key-string key_string
  accept-lifetime
  send-lifetime

Enable MD5 authentication (interface)
ip authentication key-chain eigrp AS kchain


OSPF Authentication Configuration

OSPF supports three types of authentication :
1. Type 0 - Null authentication
2. Type 1 - Clear text
3. Type 2 - MD5

Enabling OSPF authentication per-interface
ip ospf authentication [message-digest]

Enabling OSPF authentication per-area & for a virtual link
area area_nr authentication [message-digest]
area area_nr virtual-link router_id authentication [message-digest]

Configure authentication key (interface)
ip ospf authentication-key key                (clear text)
ip ospf message-digest-key key_id md5 key     (MD5)

The authentication type must match on both ends of a link, and with MD5 the key id as well

BGP Authentication Configuration

Essentially one command
neighbor neighbor_IP_address password password

The MD5 hash is placed into TCP header option 19 (the TCP MD5 Signature Option of RFC 2385) and covers the TCP pseudo-header, the TCP header and the payload, so it also protects the session against spoofed RST segments


Example EIGRP Auth. Configuration

Example EIGRP authentication
key chain KCHAIN
 key 1
  key-string ipexpert
interface F0/1
 ip authentication mode eigrp 10 md5
 ip authentication key-chain eigrp 10 KCHAIN


Configuration Verification

debug ip rip             - Displays information on RIP routing transactions (including authentication failures)
show ip eigrp int detail - Displays information about EIGRP-configured interfaces (including authentication mode and key chain)
show key-chain           - Displays authentication key information
show ip ospf interface   - Displays information about OSPF-configured interfaces (including the authentication type)
show ip bgp neighbors    - Displays information about BGP and the underlying TCP connection (including whether the MD5 option is in use)

6.13 Implement Device Access Control

Device Access Control

Line password (password)
Enable clear-text password (enable password)
Password encryption (service password-encryption) - type 7, reversible, protects only against shoulder surfing
Enable MD5 password (enable secret) - hashed; takes precedence over enable password when both exist
Local database + users (username secret)
VTY lines can use a VTY ACL (access-class nr in|out)
Restricting connections (transport input/output)
Idle timeout (exec-timeout) and login throttling (login block-for) complete the picture

Device Access Control Configuration

Device Access Control Examples

Example #1 (only 10.1.1.0/24 may open sessions to the VTY lines)
access-list 13 permit 10.1.1.0 0.0.0.255
line vty 0 4
 access-class 13 in

Example #2 (restricts the outbound sessions started from the VTY lines)
access-list 101 permit tcp any host 10.1.1.1 eq 22
line vty 0 4
 access-class 101 out

Example #3
line vty 1
 transport input ssh

Configuration Verification

show line - Displays parameters of a terminal line


6.14 Implement Security Features

Security Features - Port Security

Used to prevent certain attacks such as CAM table overflow or MAC address spoofing

Two applications of this feature :
1. Identify MACs and bind them to only a specific port
2. Limit the number of MACs on a port

Three ways to identify MACs :
1. Static
2. Dynamic
3. Sticky


Security Features - Port Security

A security violation occurs when :
1. Maximum number of MACs has been reached and a new device tries to access the port
2. One of the learned/configured MACs is seen on another secured interface in the same VLAN

If a violation occurs, three actions are available :
1. Shut down the port, i.e. err-disable it (default action; recovery needs shutdown / no shutdown or errdisable recovery cause psecure-violation)
2. Silently discard the frame (Protect Mode)
3. Discard the frame, generate a Syslog message or an SNMP trap, increase the violation counter (Restrict Mode)
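The learning, violation and action rules from the two slides above, as an added example (not code from the original deck). It models a few secured access ports, both violation triggers (maximum reached, and a MAC secured elsewhere in the same VLAN) and the three violation modes; port names, VLANs and MAC addresses are constructed:

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    vlan: int
    maximum: int = 1
    violation: str = "shutdown"                     # shutdown | restrict | protect
    secure_macs: set = field(default_factory=set)   # static + learned (dynamic/sticky)
    err_disabled: bool = False
    violation_count: int = 0
    log: list = field(default_factory=list)


class Switch:
    """Minimal model of port security on a set of access ports (constructed)."""

    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}

    def _violation(self, port: SecurePort, mac: str, why: str):
        if port.violation == "protect":
            # Protect: drop, no counter, no syslog - the quiet mode.
            return False, f"{port.name}: frame from {mac} dropped silently ({why})"
        port.violation_count += 1
        port.log.append(f"%PORT_SECURITY: {port.name} violation by {mac}: {why}")
        if port.violation == "restrict":
            return False, f"{port.name}: frame from {mac} dropped, counter={port.violation_count}"
        # Shutdown (default): the whole port goes err-disabled.
        port.err_disabled = True
        return False, f"{port.name}: err-disabled"

    def receive(self, port_name: str, mac: str):
        """Process a frame from mac arriving on port_name. Returns (forwarded, message)."""
        port = self.ports[port_name]
        if port.err_disabled:
            return False, f"{port.name}: port is err-disabled"
        if mac in port.secure_macs:
            return True, f"{port.name}: known secure MAC"
        # A MAC already secured on another port of the same VLAN is a violation here.
        for other in self.ports.values():
            if other is not port and other.vlan == port.vlan and mac in other.secure_macs:
                return self._violation(port, mac, f"MAC is secured on {other.name}")
        if len(port.secure_macs) >= port.maximum:
            return self._violation(port, mac, "maximum MAC count reached")
        port.secure_macs.add(mac)      # dynamic/sticky learning
        return True, f"{port.name}: learned {mac}"
```

Note the asymmetry the slides point out: in shutdown mode one stray frame takes the legitimate host down with it, while restrict keeps the port up and gives you a counter and a syslog line to alert on, which is why restrict is the usual choice on user ports with a CAM-overflow tool in the threat model.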


Port Security Configuration

Works only on access or trunk ports (not on ports still negotiating with DTP)
switchport mode access
switchport mode trunk

Enable Port Security
switchport port-security

Define maximum number of MACs (one by default)
switchport port-security maximum nr

Define a violation mode
switchport port-security violation protect | restrict | shutdown

Learn addresses dynamically but keep them in the running configuration (sticky)
switchport port-security mac-address sticky


Example Port Security Configuration

interface FastEthernet0/1
 description Printer
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address 0022.1ab1.7013


Configuration Verification

show port-security [interface if] - Displays Port Security configuration and entries
show port-security address        - Displays the secure MAC address table


Configuration Verification Example


Switch#show port-security int gigabitethernet0/1
Port Security : Enabled
Port status : SecureUp
Violation mode : Shutdown
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Aging time : 0 mins
Aging type : Absolute
SecureStatic address aging : Disabled
Security Violation count : 0


Security Features: DHCP Snooping

Used to inspect & filter DHCP packets

Trusted ports should only connect to legitimate DHCP Servers or uplink ports toward them

Untrusted ports are the remaining ones

Trusted ports allow every DHCP packet

Untrusted ports will block DHCP server-related messages such as DHCP OFFER, DHCP ACK or DHCP NAK


DHCP Snooping Message Validation

DHCP packets validation on the untrusted interfaces :
1. Server-related messages (DHCP OFFER, DHCP ACK and DHCP NAK) are dropped
2. DHCP messages with a non-zero relay agent address or Option 82 are dropped
3. DHCP RELEASE/DECLINE messages are verified so a host cannot release/decline addresses leased to other hosts
4. In the DHCP DISCOVER messages the Client Hardware Identifier field must match the source MAC address of the frame (optional)


DHCP Snooping Database

Built based on DHCP assignments from trusted ports

Each database entry consists of :
1. Assigned IP address
2. MAC address
3. Lease time
4. Untrusted interface number
5. VLAN this interface belongs to

Snooping bindings are created only for the untrusted ports

DHCP Snooping is used as a base component for other security features like IP Source Guard or DAI

DHCP Snooping Configuration

Enable it globally
ip dhcp snooping

Enable it for a particular VLAN(s)
ip dhcp snooping vlan VLAN_nr

Configure at least one trusted port
ip dhcp snooping trust

Optionally, rate-limit the DHCP packets
ip dhcp snooping limit rate rate


Example DHCP Snooping Configuration

ip dhcp snooping
ip dhcp snooping vlan 120
int f0/1
ip dhcp snooping trust


Configuration Verification
show ip dhcp snooping - Displays DHCP Snooping configuration
show ip dhcp snooping binding [interface] - Displays DHCP Snooping binding database


Security Features: DAI

Dynamic ARP Inspection is used to validate ARP packets in the network (ingress packets only)

Used to protect from Man-in-the-Middle and ARP Spoofing attacks

Mainly works based on the DHCP Snooping database, but manual bindings can also be configured

Only the ARP packets reflecting one of the bindings will be allowed

Some ports should be configured as DAI-trusted, which generally speaking disables the DAI feature on them
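The four untrusted-port checks from the DHCP Snooping slides, the binding database they build, and the DAI lookup that consumes it can be exercised end to end with the following Python model. It is an added example for this page, not IOS code and not from the original course material. Message fields are reduced to the ones the checks need; the port names, VLAN 120 and every MAC/IP value in it are constructed.

```python
from dataclasses import dataclass

SERVER_MSGS = {"OFFER", "ACK", "NAK"}        # only legitimate when they arrive on trusted ports


@dataclass
class DhcpMsg:
    kind: str                 # DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE, DECLINE
    src_mac: str              # source MAC of the Ethernet frame
    chaddr: str               # client hardware address field inside the DHCP payload
    giaddr: str = "0.0.0.0"   # relay agent address
    option82: bool = False
    ciaddr: str = "0.0.0.0"   # address a client releases/declines
    yiaddr: str = "0.0.0.0"   # address the server assigns (in ACK)
    lease: int = 0


@dataclass
class ArpMsg:
    sender_ip: str
    sender_mac: str


class SnoopingSwitch:
    def __init__(self, dhcp_trusted, arp_trusted=(), match_chaddr=True):
        self.dhcp_trusted = set(dhcp_trusted)      # ip dhcp snooping trust
        self.arp_trusted = set(arp_trusted)        # ip arp inspection trust
        self.match_chaddr = match_chaddr           # optional DISCOVER check (rule 4)
        self.bindings = {}   # (vlan, ip) -> {"mac", "port", "lease"}: the snooping database
        self.pending = {}    # (vlan, chaddr) -> untrusted port that sent DISCOVER/REQUEST

    def dhcp_ingress(self, port, vlan, m):
        """Return 'forward' or 'drop' for a DHCP message received on port/vlan."""
        if port in self.dhcp_trusted:
            # Every DHCP packet is allowed; an ACK for a client behind an untrusted
            # port creates the binding (IP, MAC, lease, port, VLAN).
            if m.kind == "ACK":
                client_port = self.pending.pop((vlan, m.chaddr), None)
                if client_port is not None:
                    self.bindings[(vlan, m.yiaddr)] = {"mac": m.chaddr, "port": client_port,
                                                       "lease": m.lease}
            return "forward"
        if m.kind in SERVER_MSGS:                      # rule 1: rogue server messages
            return "drop"
        if m.giaddr != "0.0.0.0" or m.option82:        # rule 2: relay fields from a client
            return "drop"
        if m.kind in ("RELEASE", "DECLINE"):           # rule 3: only the lease owner, same port
            b = self.bindings.get((vlan, m.ciaddr))
            if b is None or b["mac"] != m.chaddr or b["port"] != port:
                return "drop"
            if m.kind == "RELEASE":
                del self.bindings[(vlan, m.ciaddr)]
            return "forward"
        if m.kind == "DISCOVER" and self.match_chaddr and m.chaddr != m.src_mac:   # rule 4
            return "drop"
        self.pending[(vlan, m.chaddr)] = port
        return "forward"

    def arp_ingress(self, port, vlan, a):
        """DAI: an ingress ARP packet on an untrusted port must match a binding."""
        if port in self.arp_trusted:
            return "forward"
        b = self.bindings.get((vlan, a.sender_ip))
        return "forward" if b is not None and b["mac"] == a.sender_mac else "drop"
```

The uplink (`Gi0/24` in the test) is both DHCP-snooping trusted and DAI trusted; the access ports are untrusted. A host that never completed a DHCP exchange has no binding, so its ARP packets, and any ARP claiming an address bound to another host, are dropped by `arp_ingress()`.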


Dynamic ARP Inspection Configuration

Per Layer 2 domain configuration
ip arp inspection vlan VLAN_nr

Optionally, configure a trusted port
ip arp inspection trust

Remember that DHCP Snooping is a pre-requisite unless manual bindings have been configured (e.g. in a non-DHCP environment)

Manual bindings
arp access-list ARP_ACL_name
permit|deny ip host IP_addr mac host MAC_addr

ip arp inspection filter ARP_ACL_name vlan vlan



Example DAI Configuration

int f0/1
ip arp inspection trust
ip arp inspection vlan 120


Configuration Verification
show ip arp inspection [interfaces|vlan] Displays
configuration
and state of
DAI


End of Section 6.0

7.0 Implement Network Services


7.01 Implement Hot Standby Routing Protocol (HSRP)
7.03 Implement Virtual Router Redundancy Protocol (VRRP)


HSRP & VRRP


Both are examples of First Hop Redundancy Protocols (FHRP) which allow working with Redundant Gateways
Virtual IP Address (VIP) is configured as a gateway
Only one physical device is active within a group
Active/Standby (HSRP)
Master/Backup (VRRP)
Higher priority device becomes the primary unit
If priorities are the same, higher IP address wins



HSRP/VRRP


HSRP
Cisco proprietary

HSRP Hello packets are sent to multicast address 224.0.0.2 over UDP port 1985
Virtual MAC in form of 0000.0C07.ACxy, where xy is the HSRP group number in hex
For example, HSRP group #1 uses 0000.0C07.AC01
Active/Standby
Preemption disabled by default

VRRP
Industry Standard

VRRP packets are sent to multicast address 224.0.0.18 using the IP protocol number 112
Virtual MAC in form of 0000.5e00.01xy, where xy is the VRRP group number in hex
For example, VRRP group #10 uses 0000.5e00.010A
Master/Backup
Preemption enabled by default

HSRP & VRRP Common Features

Preemption
Object Tracking
MD5 Authentication
No inherent Load-Balancing functionality
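The virtual MAC formats, the priority/IP election rule and the preemption difference between the two protocols are easy to get wrong from memory, so here they are as Python functions. This is an added example for this page, not code from the slides or from any Cisco implementation. The `takeover()` helper models only the preempt flag; hold timers and tracking decrements are left out, and the router addresses in the test are the ones from the HSRP configuration example later in this section.

```python
import ipaddress

DEFAULT_PRIORITY = 100      # HSRP and VRRP both default to priority 100


def hsrp_vmac(group):
    """HSRP virtual MAC 0000.0c07.acXY, XY = group number in hex (groups 0-255)."""
    if not 0 <= group <= 255:
        raise ValueError("HSRP group must be 0-255")
    return f"0000.0c07.ac{group:02x}"


def vrrp_vmac(vrid):
    """VRRP virtual MAC 0000.5e00.01XY, XY = VRID in hex (VRIDs 1-255)."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRRP VRID must be 1-255")
    return f"0000.5e00.01{vrid:02x}"


def elect(routers, default_priority=DEFAULT_PRIORITY):
    """Pick the Active (HSRP) / Master (VRRP) router from (ip, priority) pairs.
    A priority of None means 'not configured'.  Highest priority wins; ties are
    broken by the highest IP address."""
    def rank(router):
        ip, prio = router
        return (default_priority if prio is None else prio, int(ipaddress.ip_address(ip)))
    return max(routers, key=rank)[0]


def takeover(current_active, routers, preempt):
    """Who is active once every router in 'routers' is up?  Without preemption
    (HSRP default) a better router that comes up later leaves the current active
    alone; with preemption (VRRP default, or 'standby N preempt') it takes over.
    A failed active router (not in 'routers') is always replaced."""
    best = elect(routers)
    if current_active is None or current_active not in dict(routers):
        return best
    return best if preempt else current_active
```

Group 1 in the configuration example gives R1 (10.1.1.1) the default priority and R2 (10.1.1.2) priority 95, so R1 wins; group 2 is the mirror image. With equal priorities the higher address, 10.1.1.2, wins.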


HSRP/VRRP Configuration

HSRP VIP
standby group_nr ip

HSRP Priority
standby group_nr priority

HSRP Tracking
standby group_nr track track_obj|interface_name [decrement]

HSRP Preemption
standby group_nr preempt

VRRP
vrrp

Example HSRP Configuration

Router 1 :
interface Ethernet0
ip address 10.1.1.1 255.255.255.0
standby 1 ip 10.1.1.100
standby 1 track Serial0
standby 1 preempt
standby 2 ip 10.1.1.200
standby 2 track Serial0
standby 2 preempt
standby 2 priority 95


Example HSRP Configuration cont.

Router 2 :
interface Ethernet0
ip address 10.1.1.2 255.255.255.0
standby 1 ip 10.1.1.100
standby 1 track Serial0
standby 1 preempt
standby 1 priority 95
standby 2 ip 10.1.1.200
standby 2 track Serial0
standby 2 preempt


Configuration Verification
show standby [brief] - Displays HSRP information
show vrrp [brief] - Displays VRRP information


7.02 Implement Gateway Load Balancing Protocol


GLBP

Another FHRP

Similar function to HSRP/VRRP

Provides true load-balancing

GLBP Hellos are sent every 3 seconds

Packets are sent to 224.0.0.102 over UDP port 3222


GLBP Active Virtual Gateway

One AVG per GLBP Group

AVG is chosen based on Priority value (the higher the better). In case of ties higher IP address wins

All other devices act as Backup Virtual Gateways

Assigns Virtual MAC addresses to the group members

Each group member (gateway or AVF) is responsible for forwarding packets destined to the assigned Virtual MAC

AVG can become a gateway (AVF) as well



GLBP Active Virtual Forwarder

Responsible for actual traffic forwarding

All AVFs backup each other

If an AVF fails, a device with the highest weight takes over

This new Primary device starts forwarding traffic for two Virtual MACs

Backup Virtual Forwarder cannot become Active before a delay timer expires, by default 30 seconds (glbp forwarder preempt delay minimum)

GLBP Load Balancing

Load Balancing is actually accomplished by an AVG

Based on Virtual MAC assignments

Three Load Balancing methods are available :
1. Round Robin - VMACs are assigned sequentially
2. Weighted - VMACs are assigned proportionally to the configured weights
3. Host-dependent - Guarantees a host the same VMAC as long as the number of GLBP members is the same
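The following Python model shows how an AVG hands out virtual MACs under the three load-balancing methods, and how a tracking decrement that pushes an AVF below its weighting threshold removes it from the rotation. It is an added example for this page, not code from the slides or from IOS. The virtual MAC layout `0007.b400.XXYY` (group, then forwarder number) matches the `show glbp` output later in this section; the member names, weights and the hash used for host-dependent assignment are assumptions of this model.

```python
import hashlib
from collections import Counter
from functools import reduce
from math import gcd


def glbp_vmac(group, forwarder):
    """GLBP virtual MAC 0007.b4XX.XXYY: XXXX = group number, YY = forwarder number (hex)."""
    if not (0 <= group <= 1023 and 1 <= forwarder <= 4):
        raise ValueError("group 0-1023, forwarder 1-4")
    raw = f"0007b4{group:04x}{forwarder:02x}"
    return ".".join(raw[i:i + 4] for i in range(0, 12, 4))


class AVG:
    """The Active Virtual Gateway answers ARP for the VIP with one of the AVFs' virtual MACs."""

    def __init__(self, group, members):
        # members: dict name -> weight.  Forwarder numbers follow join order.
        self.group = group
        self.weight = dict(members)
        self.lower = {n: 1 for n in members}          # default 'glbp weighting' lower threshold
        self.vmacs = {n: glbp_vmac(group, i + 1) for i, n in enumerate(members)}
        self._rr = self._w = 0

    def active_forwarders(self):
        """AVFs whose weight is at or above their lower threshold."""
        return [n for n in self.weight if self.weight[n] >= self.lower[n]]

    def track_down(self, name, decrement):
        """A tracked object went down: 'glbp N weighting track obj decrement D'."""
        self.weight[name] -= decrement

    def arp_reply(self, client_mac, method):
        """Return the VMAC the AVG places in the ARP reply for this client."""
        act = self.active_forwarders()
        if method == "round-robin":
            name = act[self._rr % len(act)]
            self._rr += 1
        elif method == "weighted":
            # Each AVF appears weight/gcd times per cycle, so replies are proportional.
            g = reduce(gcd, (self.weight[n] for n in act))
            schedule = [n for n in act for _ in range(self.weight[n] // g)]
            name = schedule[self._w % len(schedule)]
            self._w += 1
        elif method == "host-dependent":
            # Same host -> same VMAC as long as the set of forwarders is unchanged.
            # The hash is an assumption of this model, not IOS's actual function.
            h = int(hashlib.sha256(client_mac.encode()).hexdigest(), 16)
            name = act[h % len(act)]
        else:
            raise ValueError(method)
        return self.vmacs[name]


def distribution(avg, method, n_clients=300):
    """Constructed sample: n_clients distinct hosts ARP for the VIP; count replies per VMAC."""
    return Counter(avg.arp_reply(f"00aa.bbbb.{i:04x}", method) for i in range(n_clients))
```

With R1 at weight 50 and R2 at weight 100, the weighted method answers one ARP in three with R1's VMAC; after `track_down("R1", 50)` R1's weight is 0, below the threshold of 1, and only R2's VMAC is handed out, which is the behaviour the `weighting 50` / `decrement 50` configuration example on the next slides produces.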



GLBP Configuration

Virtual IP Address
glbp group_nr ip

Priority and Preemption
glbp group_nr priority
glbp group_nr preempt

Load-Balancing Method
glbp group_nr load-balancing

Weighting and Tracking
glbp group_nr weighting [lower] [higher]
glbp group_nr weighting track obj_nr

Track Object
track obj_nr interface line-protocol|ip routing

Example GLBP Configuration


track 1 interface S0/1 line-protocol
int f0/0
glbp 1 ip 10.1.1.254
glbp 1 priority 110
glbp 1 preempt
glbp 1 load-balancing weighted
glbp 1 weighting 50
glbp 1 weighting track 1 decrement 50


Configuration Verification
show glbp [brief] - Displays GLBP information


Configuration Verification Example


R2#sh glbp
Ethernet0/0 - Group 1
State is Standby
7 state changes, last state change 00:00:59
Virtual IP address is 10.1.1.254
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.528 secs
Redirect time 600 sec, forwarder time-out 14400 sec
Preemption enabled
Active is 10.1.1.1, priority 110 (expires in 9.560 sec)
Standby is local
Priority 100 (default)
Weighting 10 (configured 10), thresholds: lower 1, upper 10
Load balancing: weighted
Group members:
aabb.cc00.0100 (10.1.1.2) local
aabb.cc00.0200 (10.1.1.1)

Configuration Verification Example cont.


There are 2 forwarders (1 active)
Forwarder 1
State is Active
1 state change, last state change 00:59:30
MAC address is 0007.b400.0101 (default)
Owner ID is aabb.cc00.0100
Preemption enabled, min delay 30 sec
Active is local, weighting 10
Forwarder 2
State is Listen
4 state changes, last state change 00:01:09
MAC address is 0007.b400.0102 (learnt)
Owner ID is aabb.cc00.0200
Time to live: 14399.532 sec (maximum 14400 sec)
Preemption enabled, min delay 30 sec
Active is 10.1.1.1 (primary), weighting 50 (expires in 9.532 sec)

7.04 Implement Network Time Protocol (NTP)


NTP

Responsible for time synchronization

Time source (authoritative NTP server) is usually a radio/atomic clock (and it resides in Stratum 1)

NTP transactions are made over a polling interval, which ranges from 64 to 1024 seconds

Stratum defines how far away the authoritative NTP source is

Lowest-stratum devices are preferred

NTP packets are sent over the UDP port 123



NTP Associations

Association is a session between two NTP devices

Three types of NTP association are available :
1. Client-Server - client requests, server replies
2. Symmetric Active/Passive - provides mutual synchronization. Also called NTP peers
3. Broadcast/Multicast - simplifies deployments


NTP Authentication

Should be always configured for security reasons

Authenticates the time source, not the client

NTP Servers or Peers should be authenticated

NTP uses MD5 Authentication


NTP Configuration

NTP Server
ntp master stratum

NTP Client
ntp server IP_address [key key_nr]
ntp peer IP_address [key key_nr]

Source Interface
ntp source if_name

Authentication
ntp authentication-key key_nr md5 password
ntp trusted-key key_nr
ntp authenticate


Example NTP Configuration #1

NTP Server

ntp master 2
ntp source loopback 1
ntp authentication-key 1 md5 ipexpert

NTP Client

ntp authentication-key 1 md5 ipexpert
ntp trusted-key 1
ntp authenticate
ntp server 10.1.1.1 key 1
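What `ntp authenticate` with an MD5 key actually checks is shown below: the server appends a key id and MD5(key || packet) to its 48-byte reply, and the client accepts the reply only if the key id is one of its trusted keys and the digest recomputes. This is an added Python example for this page, not code from the slides or from IOS; it builds a minimal NTPv4 header itself and uses the key `ipexpert` from the configuration above. The point of the slide, that the source is authenticated rather than the client, is visible in the test: the client never signs anything, it only verifies.

```python
import hashlib
import hmac
import struct
import time

NTP_EPOCH_OFFSET = 2208988800        # seconds between 1900-01-01 and 1970-01-01


def build_ntp_packet(mode, stratum=2, tx_time=None):
    """Minimal 48-byte NTPv4 header: LI=0, VN=4, mode 3 = client, 4 = server."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode
    tx_time = time.time() if tx_time is None else tx_time
    secs = int(tx_time) + NTP_EPOCH_OFFSET
    frac = int((tx_time - int(tx_time)) * (1 << 32))
    header = struct.pack("!BBbb", li_vn_mode, stratum, 6, -20)     # poll 2^6, precision 2^-20
    header += struct.pack("!II4s", 0, 0, b"LOCL")                   # root delay, root disp, ref id
    header += b"\x00" * 24                                          # reference, originate, receive ts
    header += struct.pack("!II", secs, frac)                        # transmit timestamp
    return header


def sign(packet, key_id, key):
    """Append the MAC: 4-byte key id + MD5(key || packet), the NTP symmetric-key scheme."""
    digest = hashlib.md5(key + packet).digest()
    return packet + struct.pack("!I", key_id) + digest


def verify(auth_packet, trusted_keys):
    """Client side: accept only if the key id is trusted and the digest matches.
    trusted_keys maps key id -> key bytes (ntp authentication-key + ntp trusted-key)."""
    if len(auth_packet) != 48 + 4 + 16:
        return False                         # unauthenticated or malformed packet
    packet = auth_packet[:48]
    key_id = struct.unpack("!I", auth_packet[48:52])[0]
    digest = auth_packet[52:]
    key = trusted_keys.get(key_id)
    if key is None:
        return False                         # key id not in the trusted list
    expected = hashlib.md5(key + packet).digest()
    return hmac.compare_digest(expected, digest)
```

A reply signed with a different key, with an unknown key id, or with any header byte altered in transit fails `verify()`, which is exactly the protection the slide describes: a time source that does not hold the shared key cannot be accepted.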


Example NTP Configuration #2

Symmetric Active Mode

R1

ntp master
ntp peer 10.1.1.2

R2

ntp peer 10.1.1.1


Configuration Verification
show ntp status - Displays status of NTP
show ntp associations - Displays status of NTP associations


7.05 Implement DHCP


DHCP

Based on older BOOTP protocol

Client-Server architecture

Not only IP addresses can be assigned

Other configuration parameters include, but are not limited to, DNS Server and the default gateway


DHCP Structure

Major networks form a root

Subnetworks form branches

Manual bindings form leaves

Parameters that are not configured are inherited

The DHCP pool is selected based on the IP subnet assigned to an interface


DHCP Operations
DHCP Operations :
1. (C) DHCP Discover
2. (S) DHCP Offer
3. (C) DHCP Request
4. (S) DHCP ACK or DHCP NAK

Client -> Server messages are sent over UDP port 67

Server -> Client messages are sent over UDP port 68


DHCP remaining messages

(S) DHCP NAK - refuses the requested parameters

(C) DHCP DECLINE - IP address is already used

(C) DHCP RELEASE - returns the assigned IP address

(C) DHCP INFORM - request for local parameters


DHCP Relay Agent

DHCP Relay Agent forwards DHCP packets between DHCP Clients and a DHCP Server

Forwarded packet is a unicast

Used when clients are located off the server's network

Special GIADDR field is used to choose the pool

To configure use the ip helper-address command
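The pool tree from the DHCP Structure slide (major network as root, subnet as branch, inherited parameters) and the GIADDR-based pool choice from this slide can be modelled together in a few lines of Python. This is an added example for this page, not code from the slides or from the IOS DHCP server. `example_server()` re-creates the pools from the configuration example on the following slides; the client identifiers and the 10.1.5.1 interface address used in the test are constructed.

```python
import ipaddress


class DhcpPool:
    def __init__(self, name, network, **params):
        self.name = name
        self.network = ipaddress.ip_network(network)
        self.params = params            # default_router, dns_server, domain_name, lease_hours ...


class DhcpServer:
    def __init__(self, excluded=()):
        # ip dhcp excluded-address low [high]: never hand these out
        self.excluded = set()
        for low, high in excluded:
            a, b = int(ipaddress.ip_address(low)), int(ipaddress.ip_address(high))
            self.excluded.update(ipaddress.ip_address(x) for x in range(a, b + 1))
        self.pools = []
        self.bindings = {}              # ip -> client identifier

    def add_pool(self, pool):
        self.pools.append(pool)

    def select_pool(self, giaddr="0.0.0.0", interface_ip=None):
        """Relayed request: GIADDR picks the pool; a directly connected client is matched
        against the subnet of the receiving interface.  The most specific network wins."""
        key = ipaddress.ip_address(interface_ip if giaddr == "0.0.0.0" else giaddr)
        matches = [p for p in self.pools if key in p.network]
        return max(matches, key=lambda p: p.network.prefixlen, default=None)

    def effective_params(self, pool):
        """Root (major network) -> branch (subnet) -> pool: unset parameters are inherited,
        and a more specific pool overrides its parents."""
        chain = sorted((p for p in self.pools if p.network.supernet_of(pool.network)),
                       key=lambda p: p.network.prefixlen)
        merged = {}
        for p in chain:
            merged.update(p.params)
        return merged

    def allocate(self, pool, client_id):
        """Hand out the lowest host address that is neither excluded nor already bound."""
        for host in pool.network.hosts():
            if host not in self.excluded and host not in self.bindings:
                self.bindings[host] = client_id
                return str(host)
        return None


def example_server():
    """The pools from the configuration example on the next slide, built as objects."""
    srv = DhcpServer(excluded=[("10.1.1.1", "10.1.1.1"), ("10.1.1.50", "10.1.1.51")])
    srv.add_pool(DhcpPool("ENTIRE_POOL", "10.1.0.0/16", domain_name="ipexpert.com"))
    srv.add_pool(DhcpPool("VLAN1_POOL", "10.1.1.0/24", default_router="10.1.1.1",
                          dns_server=["10.1.1.50", "10.1.1.51"], lease_hours=12))
    return srv
```

A request relayed with GIADDR 10.1.1.1 lands in VLAN1_POOL and still receives `domain-name ipexpert.com` from ENTIRE_POOL; a request arriving on an interface in 10.1.5.0/24 only matches the /16 root and therefore gets no default router.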


DHCP Configuration

Define a DHCP Pool
ip dhcp pool

Specify the address range
network network

Default Gateway, Domain-Name, DNS Server
default-router IP_addr
domain-name
dns-server IP_addr1 IP_addr2

DHCP Lease
lease days hours minutes

Excluded addresses (global command)
ip dhcp excluded-address IP_addr1 IP_addr2


Example DHCP Configuration


ip dhcp excluded-address 10.1.1.1
ip dhcp excluded-address 10.1.1.50 10.1.1.51
ip dhcp pool ENTIRE_POOL
network 10.1.0.0 /16
domain-name ipexpert.com
ip dhcp pool VLAN1_POOL
network 10.1.1.0 /24
default-router 10.1.1.1
dns-server 10.1.1.50 10.1.1.51
lease 0 12

Example DHCP Configuration #2

Windows manual binding

ip dhcp pool WINDOWS_POOL
network 10.1.1.0/24
host 10.1.1.1 255.255.255.0
client-identifier 0100.1234.5678.12

Linux manual binding

ip dhcp pool LINUX_POOL
network 10.1.1.0/24
host 10.1.1.1 255.255.255.0
hardware-address 0012.3456.7812


Configuration Verification
show ip dhcp pool - Displays the information about DHCP address pools
show ip dhcp database - Displays DHCP Server database location
show ip dhcp binding - Displays DHCP Server address bindings


7.06 Implement Web Cache Communication Protocol (WCCP)


WCCP

Used for communication with Content Engines

Frequently accessed content can be retrieved locally

Reduces bandwidth utilization on WAN links

Fully transparent to the users


WCCP Redirection


WCCP versions

There are two WCCP versions 1 and 2

In WCCP version 1 only one router can redirect the traffic

Only HTTP traffic is supported (TCP 80)

In WCCP version 2 multiple routers can be configured

Provides redirection of packets other than HTTP, for example FTP, Real Audio, HTTP on non-default port

Multicast and MD5 authentication are supported as well



WCCP Configuration

Select an interface and configure redirection
interface if_name
ip wccp web-cache redirect in|out

Exclude some traffic from being redirected
access-list nr
ip wccp web-cache redirect-list nr

Exclude ALL traffic
ip wccp redirect exclude in

WCCP Version 2
ip wccp version 2
ip wccp web-cache group-address IP_addr [redirect-list ACL_nr] [group-list ACL_nr]
ip wccp web-cache group-listen



Example WCCP Configuration

ip wccp web-cache redirect in


Example WCCP Configuration

ip wccp web-cache redirect out


Example WCCP Configuration

ip wccp web-cache redirect out

ip wccp redirect exclude in


Example WCCP Configuration #1


int f0/0
ip wccp web-cache redirect in
access-list 101 deny ip 10.1.1.0 0.0.0.255 any
access-list 101 permit ip any any
ip wccp web-cache redirect-list 101


Example WCCP Configuration #2


ip wccp version 2
access-list 1 permit host 10.1.1.1
access-list 2 permit 192.168.0.0 0.0.0.255
ip wccp web-cache group-address 224.0.2.100 redirect-list 2 group-list 1

int f0/0
ip wccp web-cache redirect in
ip wccp web-cache group-listen


Configuration Verification
show ip wccp - Displays the WCCP configuration and statistics


End of Section 7.0

8.0 Implement Quality of Service (QoS)


8.01 Implement Modular QoS CLI (MQC)
8.04 Implement Generic Traffic Shaping


Introduction to QoS
Quality of Service (QoS) is a technique used to provide better service to selected network traffic
Network traffic can be characterized by three parameters :
1. Delay (latency) - how long does it take for a packet to get to a particular destination
2. Jitter - delay variation
3. Packet loss - the amount of dropped packets


MQC Framework
MQC (Modular QoS CLI) is a framework used to configure QoS
Replaces most of the legacy QoS commands
Using Modular Quality of Service CLI is a three-step process :
1. Classifying the traffic (class-map)
2. Defining a QoS tool/action (policy-map)
3. Enabling QoS (service-policy)


Classification & Marking


Classification allows to identify a specific traffic flow

Marking is a way to mark identified packet flows to easily differentiate between them
Classification without marking is said to be on a per-hop basis (resource intensive)
Packets that are marked can be further easily classified end-to-end (based on the marking)
Traffic can be classified using access-list, ToS value, input interface, MAC address, QoS group, NBAR and a couple of different methods

NBAR
NBAR (Network-Based Application Recognition) classifies packets based on their payload, up to the application layer
An example may be classifying HTTP traffic based on URL or MIME Type
NBAR can be also used to discover the protocols that are running in the network


Marking Methods
Marking can be performed in Layer 2 or Layer 3
Layer 3 marking is end-to-end
Layer 2 fields used for marking include Frame Relay DE bit, CoS (trunks only) and EXP (MPLS)
The only Layer 3 field used for marking is Type of Service (ToS)
Type of Service can be logically divided into IP Precedence and DSCP


IP Precedence


Differentiated Services Code Point


Per-Hop Behaviors (PHBs)


PHB is a suggested DSCP value (or set of DSCP values) that corresponds to recommended QoS behavior :
1. Default - used for Best Effort traffic. Three most significant DSCP bits are set to 0
2. Class Selector - provides backward compatibility with IP Precedence. Three least significant DSCP bits are set to 0
3. Assured Forwarding (AF) - defines four classes, each with three drop probability levels inside. The format for this PHB is AFxy where x is the class/queue number and y is the drop probability. To convert AFxy to decimal DSCP value use the 8x + 2y formula
4. Expedited Forwarding (EF) - describes low-latency, low-loss and assured bandwidth service (such as Voice). EF is always DSCP 46
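The bit rules on this slide (8x + 2y for AF, three low bits zero for Class Selector, EF = 46) plus the layout of the ToS byte are implemented below as a small Python helper set, added for this page and not taken from the slides or from IOS. It goes slightly beyond the slide by also splitting a raw ToS byte as seen in a packet capture into DSCP, IP Precedence and ECN.

```python
def af_to_dscp(x, y):
    """AFxy -> DSCP using the 8x + 2y rule (class 1-4, drop precedence 1-3)."""
    if not (1 <= x <= 4 and 1 <= y <= 3):
        raise ValueError("AF class must be 1-4, drop precedence 1-3")
    return 8 * x + 2 * y


def dscp_to_af(dscp):
    """Inverse of af_to_dscp: 'AFxy' for the twelve AF code points, else None."""
    for x in range(1, 5):
        for y in range(1, 4):
            if af_to_dscp(x, y) == dscp:
                return f"AF{x}{y}"
    return None


def phb_name(dscp):
    """Map a 6-bit DSCP to the PHB it belongs to."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    if dscp == 46:
        return "EF"
    if dscp == 0:
        return "Default"
    if dscp & 0b000111 == 0:          # three least significant bits zero -> Class Selector
        return f"CS{dscp >> 3}"
    return dscp_to_af(dscp) or "other"


def precedence_of(dscp):
    """IP Precedence is the three most significant bits of the DSCP."""
    return dscp >> 3


def tos_byte(dscp, ecn=0):
    """DSCP occupies the upper six bits of the ToS byte, ECN the lower two."""
    return (dscp << 2) | (ecn & 0b11)


def parse_tos(tos):
    """Split a ToS byte (e.g. 0xB8 from a capture) into (dscp, precedence, ecn)."""
    dscp = tos >> 2
    return dscp, precedence_of(dscp), tos & 0b11
```

The marking example on a later slide uses `set dscp 34`; `phb_name(34)` returns `AF41`, and `tos_byte(46)` gives 0xB8, the byte a capture shows for EF-marked voice packets.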

Classification & Marking Configuration

Classification
class-map match-any|match-all class_name
match access-group
match fr-dlci
match source-address-mac
match destination-address-mac
match cos
match dscp
match precedence
match any

NBAR
match protocol protocol_name
match protocol kazaa
match protocol http url *video*
match protocol http host ipexpert*

Classification & Marking Configuration

Marking
policy-map policy_name
set cos
set dscp
set precedence
set fr-de
set qos-group

Apply the QoS Policy
interface if_name
service-policy input|output policy_name


Example Marking Configuration


access-list 100 permit tcp any any eq 22
class-map SSH_CLASS
match access-group 100
class-map VOICE_CLASS
match protocol rtp audio
policy-map MARKING_POL
class SSH_CLASS
set dscp 34
class VOICE_CLASS
set dscp ef
class class-default
set precedence 0
int f0/0
service-policy input MARKING_POL

Configuration Verification
show class-map - Displays all class-maps and their matching criteria
show policy-map - Displays all configured policy-maps
show policy-map interface - Displays traffic statistics of all classes configured on the specified interface


Congestion Management (Queuing)


Queuing
Queuing identifies how traffic from multiple streams is sent out of an interface that is currently experiencing congestion
No congestion means that no queuing is required
Congestion management on IOS Routers works only outbound, configuration is applied to the physical interface
There are two types of queues :
Software Queue - controlled by QoS. For example CBWFQ or LLQ
Hardware Queue - not manageable (you can change its length, though). Always FIFO. Also known as TxRing

CBWFQ
Class-Based Weighted Fair Queuing (CBWFQ) is used to configure minimum bandwidth for a class
During congestion, a particular class receives at least Class-Configured_BW/Interface_BW share
Interface bandwidth is derived from the well-known interface-level bandwidth command
Class-Configured_BW is what you configure under a class (using the same bandwidth statement)
Upper bandwidth for a class is NOT limited: if some queues need less bandwidth during the congestion, the remaining part is proportionally allocated to other classes

CBWFQ cont.
Bandwidth reservation is limited to 75% of the interface bandwidth by default (max-reserved-bandwidth)
There are three ways to allocate bandwidth in CBWFQ :
1. bandwidth - absolute value, in kbps
2. bandwidth percent - allocates percentage of the interface-level bandwidth (bandwidth)
3. bandwidth remaining percent - reserves percentage of the bandwidth that is left (after the priority, bandwidth, bandwidth percent commands)
The first two options cannot be mixed within the same policy-map

CBWFQ Example
We assume interface-level bandwidth configured to 200Kbps
CBWFQ calculations are as follows :
Option #1 - bandwidth 100 reserves 100Kbps
Option #2 - bandwidth percent 60 reserves 60%*200Kbps = 120Kbps
Now if another class is added and configured with bandwidth remaining percent 40, it will receive the following allocation :
For #1 - 40%*(75%*200-100)Kbps = 20Kbps
For #2 - 40%*(75%*200-120)Kbps = 12Kbps
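The arithmetic on this slide generalises to any mix of `priority`, `bandwidth`, `bandwidth percent` and `bandwidth remaining percent` classes; the Python function below carries it out, including the 75% max-reserved-bandwidth cap and the rule that absolute and percent forms cannot share a policy-map. It is an added example for this page, not IOS code and not part of the slides; the figures in the test are the slide's two options plus the CBWFQ/LLQ configuration example that follows a few slides later.

```python
def cbwfq_allocation(interface_kbps, classes, max_reserved_pct=75):
    """classes: list of (name, kind, value) with kind in {'priority', 'bandwidth',
    'percent', 'remaining'}, mirroring priority / bandwidth / bandwidth percent /
    bandwidth remaining percent.  Returns name -> guaranteed kbps during congestion."""
    kinds = {kind for _, kind, _ in classes}
    if {"bandwidth", "percent"} <= kinds:
        raise ValueError("bandwidth and bandwidth percent cannot be mixed in one policy-map")
    reservable = interface_kbps * max_reserved_pct / 100      # max-reserved-bandwidth
    alloc, fixed = {}, 0.0
    for name, kind, value in classes:
        if kind in ("priority", "bandwidth"):
            alloc[name] = float(value)                        # absolute kbps
        elif kind == "percent":
            alloc[name] = interface_kbps * value / 100        # share of interface bandwidth
        else:
            continue                                          # 'remaining' handled below
        fixed += alloc[name]
    if fixed > reservable:
        raise ValueError(f"{fixed} kbps requested, only {reservable} kbps reservable")
    leftover = reservable - fixed
    if sum(v for _, k, v in classes if k == "remaining") > 100:
        raise ValueError("bandwidth remaining percent adds up to more than 100")
    for name, kind, value in classes:
        if kind == "remaining":
            alloc[name] = leftover * value / 100              # share of what is left
    return alloc
```

For the later example (`priority 64`, `bandwidth remaining percent 50` and `10` on a 200 kbps interface) the reservable 150 kbps minus the 64 kbps priority queue leaves 86 kbps, of which WEB_CLASS gets 43 kbps and BE_CLASS 8.6 kbps.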


LLQ
Low Latency Queuing (LLQ) is essentially CBWFQ extended by the priority queue
LLQ class will be always serviced before any other class, up to its configured bandwidth (LLQ queue is policed)
Perfect queuing mechanism for Voice & Video packets
Bandwidth for LLQ class is reserved using the priority command
Multiple classes can be configured as LLQ, but there will be only one single priority queue that exists
Class-default is the catch-all queue that runs WFQ

MDRR
Modified Deficit Round Robin (MDRR) uses seven normal queues and one priority queue (PQ)
MDRR keeps track of extra bytes sent for each queue and adjusts how many bytes can be sent in subsequent rounds
There are two modes of MDRR priority queue :
1. Strict Priority - PQ is always emptied first
2. Alternate Priority - PQ will be served between normal queues. For example, if 0 is the PQ, queues will be served as follows : 0, 1, 0, 2, 0, 3 ...
Each MDRR queue uses two variables: Quantum Value (number of bytes that can be sent per round) and Deficit Counter (number of extra bytes that were sent)
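Since the MDRR example diagrams did not survive extraction, here is a Python simulation of the scheduler that reproduces the two points of the slide: the deficit counter may go negative when the last packet of a visit is larger than what is left, and the extra bytes are charged against the next round; and in alternate mode the PQ is visited (with its own quantum) between every pair of normal queues instead of being drained first. This is an added example for this page, not code from the slides or from a Cisco platform; the queue contents in `demo()` are constructed.

```python
from collections import deque


class MDRR:
    """Modified Deficit Round Robin with one priority queue (PQ) in strict or alternate mode."""

    def __init__(self, quanta, pq=0, mode="strict"):
        # quanta: queue id -> Quantum Value (bytes that may be sent per round)
        self.queues = {q: deque() for q in quanta}
        self.quantum = dict(quanta)
        self.deficit = {q: 0 for q in quanta}          # Deficit Counter per queue
        self.pq, self.mode = pq, mode

    def enqueue(self, q, size):
        self.queues[q].append(size)

    def _serve(self, q, out):
        """One visit: add the quantum, send while the counter is positive.  The last
        packet may overdraw the counter (the 'modified' part); the overdraft is
        charged against the next round.  An idle queue has its counter reset."""
        if not self.queues[q]:
            self.deficit[q] = 0
            return
        self.deficit[q] += self.quantum[q]
        while self.queues[q] and self.deficit[q] > 0:
            size = self.queues[q].popleft()
            self.deficit[q] -= size
            out.append((q, size))

    def round(self):
        """Serve every queue once; return the (queue, size) dequeue order of this round."""
        out = []
        normal = [q for q in self.queues if q != self.pq]
        if self.mode == "strict":
            while self.queues[self.pq]:                 # PQ is always emptied first
                out.append((self.pq, self.queues[self.pq].popleft()))
            for q in normal:
                self._serve(q, out)
        elif self.mode == "alternate":                  # 0, 1, 0, 2, 0, 3 ...
            for q in normal:
                self._serve(self.pq, out)
                self._serve(q, out)
        else:
            raise ValueError(self.mode)
        return out


def sent_from(out, q):
    """Sizes dequeued from queue q in one round's output."""
    return [size for qq, size in out if qq == q]


def demo(mode):
    """Constructed load: PQ 0 and normal queues 1 and 2, each with a 1500-byte quantum."""
    s = MDRR({0: 1500, 1: 1500, 2: 1500}, pq=0, mode=mode)
    for size in [1000] * 5:
        s.enqueue(0, size)
    for size in [1000, 1000, 1000]:
        s.enqueue(1, size)
    for size in [500, 500]:
        s.enqueue(2, size)
    return s
```

In the first alternate-mode round queue 1 sends two 1000-byte packets against a 1500-byte quantum and ends the round with a deficit of -500, so in the next round it may send only one packet; the PQ, served twice per round with its quantum, sends three of its five packets instead of all five as in strict mode.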

MDRR Example (diagram)

Queuing Configuration

CBWFQ & LLQ
class-map match-any|match-all class_name
match ...
policy-map policy_name
class class_name
bandwidth value
bandwidth percent percentage
bandwidth remaining percent percentage
priority bw-kbps | percent percentage
interface if_name
service-policy output policy_name

Hardware Queue Length
tx-ring-limit length

Example CBWFQ & LLQ Configuration


policy-map QOS_POL
class VOICE_CLASS
priority 64                          // LLQ queue
class WEB_CLASS
bandwidth remaining percent 50       // CBWFQ queue
class BE_CLASS
bandwidth remaining percent 10       // CBWFQ queue
int f0/0
bandwidth 200
service-policy output QOS_POL


Configuration Verification
show class-map - Displays class-maps and their matching criteria
show policy-map - Displays all configured policy-maps
show policy-map interface - Displays traffic statistics of all classes configured on the specified interface
show queueing interface - Displays queuing statistics of an interface

Policing
Policing is a traffic regulation mechanism. It allows marking or dropping the packets that don't conform to a configured rate
There are three types of Policing :
Single Rate, Two-Color
Single Rate, Three-Color
Two Rate, Three-Color

Both Shaping and Policing are based on the Token Bucket metaphor


Token Bucket (General)


Classic Token Bucket consists of three components :
Burst Committed (Bc)
CIR
Time Interval (Tc)
Tc = Bc / CIR
Each token represents a fixed amount of bits/bytes that can be sent
If there are not enough tokens in the bucket, the packet will be queued (shaping) or marked/dropped (policing)


Token Bucket (Policing)


Burst Committed is token bucket size in bytes
CIR is an average rate at which we want to send the packets
Time Interval is just an averaging interval (how many bytes can be sent during this Tc time)
Token Arrival Rate = CIR(bps)*(T1-T0)/8


Single Rate, Two-Color Policing


Single token arrival rate (Single Rate)
Two actions available are either conform or exceed (Two-Color)
Conform typically means transmit
Exceed action usually corresponds to drop (although marking is also available)



Single Rate, Two-Color Policer Example


An example : CIR = 64Kbps (8KBps), Bc = 1KB

We start with the full bucket (1KB), a 400B packet arrives
Packet conforms, 600B remains
A 700B packet arrives 1 millisecond later
Token Refresh : 1/1000 [s] * 8000 [Bps] = 8 tokens
Since 608 < 700, the exceed action is taken
Bc regulates burstiness of traffic

Single Rate, Three-Color Policing


Single token arrival rate (Single Rate)
Two buckets are used
The second bucket is Be (Excess Burst) in size
One additional action available is Violate



Two Rate, Three-Color Policing


Two buckets, two separate token arrival rates (Two Rate) - CIR and PIR (Peak Information Rate)
Buckets are emptied backwards :
1. First - PIR bucket is checked; if there are not enough tokens the violate action is taken
2. Second (if there are tokens in the PIR bucket) - CIR bucket is checked; if there are not enough tokens in the CIR bucket the exceed action is taken AND tokens are removed from the PIR bucket
3. Third (if there are tokens in the CIR bucket) - the conform action is taken AND tokens are removed from both PIR and CIR buckets

In short, first the violate action is checked, then exceed and finally conform

Two Rate, Three-Color Policing

The main advantage of Two Rate, Three-Color policer is that it allows for sustained bursts of traffic
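Both the single-rate two-colour worked example (CIR 64 Kbps, Bc 1 KB, 400 B then 700 B one millisecond apart) and the PIR-first check order of the two-rate three-colour policer can be run through the same token-bucket class below. It is an added Python example for this page, not code from the slides or from IOS: tokens are bytes, refill follows the slide's Token Arrival Rate = CIR*(T1-T0)/8, and the two-rate parameters in the test (PIR 128 Kbps, Be 2 KB) are constructed.

```python
class Policer:
    """Token-bucket policer.  cir/pir are bits per second, bc/be are bytes (tokens).
    With pir=None this is a single-rate two-colour policer (conform/exceed);
    with pir set it is the two-rate three-colour policer from the slides."""

    def __init__(self, cir_bps, bc_bytes, pir_bps=None, be_bytes=None, t0=0.0):
        self.cir, self.bc = cir_bps, bc_bytes
        self.pir, self.be = pir_bps, be_bytes
        self.c_tokens = float(bc_bytes)                   # CIR bucket starts full
        self.p_tokens = float(be_bytes) if pir_bps else 0.0
        self.last = t0

    def _refill(self, now):
        """Token Arrival Rate = CIR(bps) * (T1 - T0) / 8 bytes, capped at the bucket size."""
        elapsed = now - self.last
        self.last = now
        self.c_tokens = min(self.bc, self.c_tokens + self.cir * elapsed / 8)
        if self.pir is not None:
            self.p_tokens = min(self.be, self.p_tokens + self.pir * elapsed / 8)

    def packet(self, size_bytes, now):
        """Return the colour for a packet of size_bytes arriving at time now (seconds)."""
        self._refill(now)
        if self.pir is not None:
            if size_bytes > self.p_tokens:                # 1. PIR bucket checked first
                return "violate"
            if size_bytes > self.c_tokens:                # 2. not enough CIR tokens
                self.p_tokens -= size_bytes               #    exceed, charge PIR only
                return "exceed"
            self.p_tokens -= size_bytes                   # 3. conform, charge both buckets
            self.c_tokens -= size_bytes
            return "conform"
        if size_bytes > self.c_tokens:                    # single rate, two colours
            return "exceed"
        self.c_tokens -= size_bytes
        return "conform"


def slide_example():
    """The worked example from the Single Rate, Two-Color slide, step by step."""
    p = Policer(cir_bps=64000, bc_bytes=1000)
    first = p.packet(400, now=0.0)          # full bucket: conforms, 600 tokens remain
    second = p.packet(700, now=0.001)       # 8 tokens refilled: 608 < 700 -> exceed
    return first, second, p.c_tokens
```

The exceed branch of the two-rate policer deliberately leaves the CIR bucket untouched while still charging the PIR bucket, which is what lets a burst above CIR but below PIR continue for as long as the Be tokens last.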

CAR
Committed Access Rate (CAR) is another method of rate-limiting traffic
CAR relies on Single Rate, Two-Color token bucket (Bc in size), but it works differently than standard policing
CAR Be is unrelated to Shaping/Policing Be
Extended Burst capability in CAR is based on so-called Compounded Debt parameter
Cisco recommended values for CAR are as follows :
Bc = (CIR*1.5)/8 (assuming CIR is in bps)
Be = 2*Bc

Policing Configuration

Policing Single Rate
police bps [Bc] [Be] conform-action action exceed-action action [violate-action action]

Policing Dual Rate
police cir cir [bc conform-burst] [pir pir] [be peak-burst] [conform-action action [exceed-action action [violate-action action]]]

Apply the Policy
service-policy input|output policy_name

CAR
rate-limit {input | output} access-group ACL_nr bps burst-normal burst-max conform-action action exceed-action action

Example CAR Configuration

access-list 100 permit icmp any any

int f0/1
rate-limit input access-group 100 8000 1500 3000 conform-action set-prec-transmit 0 exceed-action drop


Configuration Verification
show class-map - Displays class-maps and their matching criteria
show policy-map - Displays all configured policy-maps
show policy-map interface - Displays traffic statistics of all classes configured on the specified interface
show interface x rate-limit - Displays information about CAR for a specified interface


Shaping
Traffic shaping is used to control the speed of the outgoing traffic
The shaper does not mark/drop excess traffic; it buffers it
Four main characteristics of shaping are :
1. Shaping queue
2. Size of the Token Bucket is Bc + Be
3. Bc tokens are refilled every Tc (Bc = CIR * Tc)
4. One token corresponds to one bit


Token Bucket (Shaping)


Shaping Example


Shaping Configuration


Generic Traffic Shaping Configuration

GTS (no ACL)
traffic-shape rate bps [burst-size [excess-burst-size]]

GTS (ACL)
traffic-shape group ACL_nr bps [burst-size [excess-burst-size]]

Adaptive Shaping
traffic-shape adaptive bps

Example
access-list 120 permit tcp any any eq 80

int f0/0
traffic-shape group 120 64000 640 640

FRTS Configuration

FRTS
interface if_name
encapsulation frame-relay
frame-relay traffic-shaping

Map Class
map-class frame-relay map_name
map-class frame-relay PVC120_CLASS
frame-relay cir 256000
frame-relay bc 2560
frame-relay be 0
service-policy output LLQ_POL


FRTS Configuration cont.

Map Class -> DLCI
frame-relay interface-dlci DLCI_nr
class map_name

Map Class -> Interface
int if_name
frame-relay class map_name

Adaptive Shaping
map-class frame-relay map_name
frame-relay cir bps
frame-relay adaptive-shaping [becn|foresight]
frame-relay mincir bps


Class-Based Shaping Configuration

MQC Shaping
policy-map policy_name
class class_name
shape average bps [bc] [be]

MQC Adaptive Shaping
policy-map policy_name
class class_name
shape average bps [bc] [be]
shape adaptive minCIR

Hierarchical Shaping -> two policy-maps


Example Shaping Configuration

policy-map LLQ_POL
class VOICE_CLASS
priority 32
policy-map SHAPE_QUEUE_POL
class class-default
shape average 128000 1280
service-policy LLQ_POL

int s0/1.2
service-policy output SHAPE_QUEUE_POL


Example Shaping Configuration #2

policy-map INT_SOFTWARE_POL
class HTTP_CLASS
bandwidth

int s0/1
service-policy output INT_SOFTWARE_POL


Configuration Verification
show traffic-shape - Displays current traffic-shaping configuration
show frame-relay pvc - Displays Frame Relay PVC statistics
show policy-map interface - Displays traffic statistics of all classes configured on the specified interface


Congestion Avoidance


Congestion Avoidance & RED

Congestion Avoidance mechanisms manage the tail of a queue
If no congestion avoidance mechanism is enabled, tail drop is performed
Tail drop may result in TCP Global Synchronization
Congestion Avoidance doesn't work for UDP flows
Random Early Discard (RED) drops random packets when the minimum defined queue threshold has been exceeded


WRED
RED is not supported on IOS
WRED allows the degree of randomness to be influenced by setting drop thresholds selectively, based on IP Precedence or DSCP
Every time a new packet arrives, the Average Queue Depth (AQD) is compared against two thresholds, min and max :
1. If AQD < min threshold, queue the packet
2. If min < AQD < max, use Packet Drop Probability
3. If AQD > max, drop the packet
Packet Drop Probability = 1/Max_Prob_Denominator
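The three-way threshold comparison, as an added Python model (not code from the IPexpert deck or from IOS). The per-precedence profile is the one the deck's show output uses (min 20..35, max 40, denominator 10); the average queue depth uses the exponential weighting the output calls Exp-weight-constant 9 (1/512). One assumption goes beyond the slide: between min and max the drop probability ramps linearly from 0 up to 1/denominator at the max threshold, which is the IOS behaviour; the slide quotes only the ceiling value.

```python
"""WRED drop-decision model, added example (not IOS code).

Profile per IP Precedence: (min-threshold, max-threshold,
mark-prob-denominator), values taken from the deck's
"show queueing random-detect" output.
"""

WRED_PROFILE = {
    0: (20, 40, 10), 1: (22, 40, 10), 2: (24, 40, 10), 3: (26, 40, 10),
    4: (28, 40, 10), 5: (31, 40, 10), 6: (33, 40, 10), 7: (35, 40, 10),
}


def average_queue_depth(old_avg, current_depth, exp_weight_constant=9):
    """IOS-style exponential weighting: weight = 1 / 2**n (n=9 -> 1/512)."""
    w = 1.0 / (2 ** exp_weight_constant)
    return old_avg * (1 - w) + current_depth * w


def drop_probability(avg_depth, precedence, profile=WRED_PROFILE):
    """0 below min, 1 above max, linear ramp to 1/denominator in between (assumption)."""
    mn, mx, denom = profile[precedence]
    if avg_depth < mn:
        return 0.0
    if avg_depth > mx:
        return 1.0
    return (avg_depth - mn) / (mx - mn) / denom


def wred_action(avg_depth, precedence, rand, profile=WRED_PROFILE):
    """Decide one packet's fate; `rand` is a uniform [0,1) draw passed in so the
    decision is reproducible (a real implementation would call random.random())."""
    p = drop_probability(avg_depth, precedence, profile)
    if p == 0.0:
        return "queue"
    if p == 1.0:
        return "tail-drop"      # above max: counted in the "Tail drop" column
    return "random-drop" if rand < p else "queue"


def wred_stream(samples, exp_weight_constant=9, profile=WRED_PROFILE):
    """Feed (current_depth, precedence, rand) samples through the averaged
    queue depth and return the per-packet actions."""
    avg, actions = 0.0, []
    for depth, prec, rand in samples:
        avg = average_queue_depth(avg, depth, exp_weight_constant)
        actions.append(wred_action(avg, prec, rand, profile))
    return actions


if __name__ == "__main__":
    # Constructed samples: a short queue never reaches precedence 0's min of 20.
    print(wred_stream([(10, 0, 0.5), (10, 0, 0.5)]))  # ['queue', 'queue']
    print(drop_probability(30, 0))                    # 0.05 (halfway between 20 and 40)
```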

WRED Example Output


Current random-detect configuration:
Serial1/0
Queueing strategy:random early detection (WRED)
Exp-weight-constant:9 (1/512)
Mean queue depth:40
Class  Random drop  Tail drop  Minimum threshold  Maximum threshold  Mark probability
0      1401         9066       20                 40                 1/10
1      0            0          22                 40                 1/10
2      0            0          24                 40                 1/10
3      0            0          26                 40                 1/10
4      0            0          28                 40                 1/10
5      0            0          31                 40                 1/10
6      0            0          33                 40                 1/10
7      0            0          35                 40                 1/10



WRED Configuration

WRED
random-detect [dscp-based]

WRED Profile
random-detect precedence|dscp value min_threshold max_threshold mark_prob_denominator

WRED Exponential Weighting
random-detect exponential-weighting-constant val


Configuration Verification
show queue - Displays contents of packets inside a particular queue
show queueing [random-detect] - Displays status of Weighted RED



Compression
Compression increases available bandwidth
Two types of compression are :
1. Payload Compression - useful for longer packets
2. Header Compression - useful for small packets
The two most prevalent compression algorithms are called Stacker and Predictor
Compression is generally used on slow-speed links


Compression Configuration

Payload Compression
compress stac|predictor
int s0/1
compress stac

Frame Relay Payload Compression
frame-relay payload-compression packet-by-packet | frf9 stac | data-stream stac
frame-relay map ip IP DLCI [payload-compress]


Compression Configuration

Header Compression
ip tcp|rtp header-compression [passive]

Frame Relay Header Compression
frame-relay map ip ip DLCI tcp header-compression

MQC Header Compression
compression header ip [tcp|rtp]
policy-map QOS_POL
class VOICE_CLASS
compression header ip rtp


Configuration Verification
show compress - Displays compression statistics
show ip tcp|rtp header-compression - Displays TCP/RTP header compression statistics
show policy-map interface - Displays traffic statistics of all classes configured on the specified interface

8.02 Implement Layer 2 QoS: Weighted Round Robin (WRR), Shaped Round Robin (SRR), and policies

Layer 2 QoS Ingress Queuing

Cisco switches can perform not only outbound, but also inbound queuing
Catalyst 3560 switches have two ingress queues per port
These queues are located after a packet is classified, policed and marked
By default the second ingress queue is the Priority Queue


Ingress Queuing Mechanism

Packets are mapped to the queue based on two tables :
CoS-to-Queue-ID
DSCP-to-Queue-ID
Which table is used depends on the port's Trust State
Available Trust States are :
1. DSCP (mls qos trust dscp)
2. IP Precedence (mls qos trust ip-precedence)
3. CoS (mls qos trust cos)
4. Untrusted (CoS/DSCP is set to 0). To assign a specified CoS to each packet use the mls qos cos command

Ingress Queuing Mapping Example

In this example we assume that the port's Trust State is set to CoS
To display the CoS-to-Queue-ID mappings, use the show mls qos maps cos-input-q command :
Cos-inputq-threshold map:
   cos:  0   1   2   3   4   5   6   7
------------------------------------
  queue-threshold: 1-1 1-1 1-1 1-1 1-1 2-1 1-1 1-1


Ingress Queueing SRR

The Shaped Round Robin (SRR) algorithm working in shared mode is used to service ingress queues
SRR logic is as follows :
1. Service the Priority Queue (which is max 40%)
2. Service all the remaining packets according to their weights (relative share)
3. If there is no Priority Queue configured, proceed according to point #2


Ingress Queueing SRR Example

We assume :
Internal ring BW : 20Gbps
Priority Queue (#2) : 20% = 20%*20Gbps = 4Gbps
SRR weights : 40 for queue #1 and 10 for queue #2

Relative share :
Queue #1 : 40/(10+40) = 0.8
Queue #2 : 10/(10+40) = 0.2
Overall Reservation :
Queue #1 : (20-4)*0.8Gbps = 12.8Gbps
Queue #2 : 4Gbps + (20-4)*0.2Gbps = 7.2Gbps
If there was no PQ :
Queue #1 : 20*0.8Gbps = 16Gbps
Queue #2 : 20*0.2Gbps = 4Gbps

Egress Queueing
Outbound queues are located after the internal ring
There are four egress queues
The Priority Queue is supported but it will always be queue #1
Egress queues may work in Shared or Shaped Mode


Egress Queueing Shaped Mode

Each Shaped queue is guaranteed a percentage of bandwidth and is rate-limited to that amount (always)
The allocated bandwidth is inversely proportional to the configured weight

Example Shaped Mode configuration :

int f0/1
speed 100
srr-queue bandwidth shape 10 20 2 0

Overall Result :
Queue #1 : 1/10*100Mbps = 10Mbps
Queue #2 : 1/20*100Mbps = 5Mbps
Queue #3 : 1/2 *100Mbps = 50Mbps
Queue #4 : Shared Mode

Egress Queueing Shared Mode

Shared Mode queues share the bandwidth that remained after the Shaped queues
Bandwidth is divided according to relative shares. Unused bandwidth is shared between the queues

Example Shared Mode configuration :

int f0/1
speed 100
srr-queue bandwidth shape 10 10 0 0
srr-queue bandwidth share 0 20 30 50

In this example queues #1 and #2 operate in Shaped Mode (non-zero shape value)

Egress Queuing Shared Mode Example

Relative Share :
Queue #3 : 30/(30+50) = 3/8
Queue #4 : 50/(30+50) = 5/8
Overall Reservation :
Queue #1 : 1/10*100Mbps = 10Mbps
Queue #2 : 1/10*100Mbps = 10Mbps
Queue #3 : 3/8*(100-10-10)Mbps = 30Mbps
Queue #4 : 5/8*(100-10-10)Mbps = 50Mbps
If there was no traffic in Queue #3, Queue #4 would get 80Mbps (and vice versa)

If the Priority Queue is enabled, the Shaped & Shared weight for queue #1 is ignored. The PQ is always serviced first
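The SRR arithmetic from the ingress example (ring bandwidth, PQ percentage, two weights) and from the egress shaped/shared examples (inverse shape weights, relative share of the remainder) in one added Python block; it is not code from the IPexpert deck or from the switch. One assumption is labelled in the code: with priority-queue out enabled, queue #1 is simply left out of the bandwidth arithmetic, since the slide only says its weights are ignored and it is serviced first.

```python
"""SRR bandwidth allocation on a Catalyst 3560-style port, added example.

ingress_srr(): shared-mode SRR with an optional priority queue (PQ)
egress_srr():  shaped queues (bw = link / weight) plus shared queues
               splitting whatever the shaped queues left over
Bandwidth units are whatever you pass in (Gbps for the ring, Mbps for a port).
"""


def ingress_srr(ring_bw, weights, pq_queue=None, pq_percent=0):
    """weights = (w1, w2) from `mls qos srr-queue input bandwidth w1 w2`.
    The PQ first takes pq_percent of the ring; the rest is split by relative
    share, and the PQ's queue receives both amounts. Returns {queue: bw}."""
    pq_bw = ring_bw * pq_percent / 100 if pq_queue else 0.0
    total_weight = sum(weights)
    alloc = {}
    for queue, weight in enumerate(weights, start=1):
        alloc[queue] = (ring_bw - pq_bw) * weight / total_weight
    if pq_queue:
        alloc[pq_queue] += pq_bw
    return alloc


def egress_srr(link_bw, shape, share, priority_queue=False):
    """shape/share = the four weights of `srr-queue bandwidth shape|share`.
    A non-zero shape weight puts a queue in shaped mode: bw = link_bw / weight.
    Queues with shape 0 share the remaining bandwidth by their share weights.
    Assumption: with `priority-queue out`, queue 1 is excluded from the
    arithmetic entirely and reported as "PQ"."""
    alloc = {}
    remaining = float(link_bw)
    shared_weight = 0
    for queue in range(1, 5):
        if priority_queue and queue == 1:
            alloc[queue] = "PQ"
            continue
        if shape[queue - 1] > 0:
            alloc[queue] = link_bw / shape[queue - 1]
            remaining -= alloc[queue]
        else:
            shared_weight += share[queue - 1]
    for queue in range(1, 5):
        if queue not in alloc:       # shared-mode queue
            alloc[queue] = remaining * share[queue - 1] / shared_weight
    return alloc


if __name__ == "__main__":
    # Ingress example from the deck: 20 Gbps ring, PQ = queue 2 at 20%, weights 40/10.
    print(ingress_srr(20, (40, 10), pq_queue=2, pq_percent=20))  # {1: 12.8, 2: 7.2}
    # Egress examples from the deck on a 100 Mbps port.
    print(egress_srr(100, (10, 20, 2, 0), (25, 25, 25, 25)))     # 10, 5, 50, 35
    print(egress_srr(100, (10, 10, 0, 0), (0, 20, 30, 50)))      # 10, 10, 30, 50
```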


Layer 2 Congestion Avoidance

Catalyst 3560 switches use Weighted Tail Drop (WTD)
Three thresholds are created for each of the 6 queues :
1. Threshold #1 (configurable)
2. Threshold #2 (configurable)
3. Threshold #3 (not configurable, equal to 100%)
Each of the thresholds has CoS/DSCP values assigned; only packets matching a particular CoS/DSCP value will be subject to that threshold
Example :
Threshold #1 = 50%, CoS 0 through 4
Threshold #2 = 80%, CoS 6
Whether to trust CoS/DSCP depends on the Port Trust State


Layer 2 QoS Configuration

Enable QoS
mls qos

Ingress Queueing
mls qos srr-queue input bandwidth w1 w2
mls qos srr-queue input priority-queue nr bandwidth value
mls qos srr-queue input cos-map q_nr <values>
mls qos srr-queue input dscp-map q_nr <values>

Egress Queuing
srr-queue bandwidth shape w1 w2 w3 w4
srr-queue bandwidth share w1 w2 w3 w4
priority-queue out
srr-queue bandwidth limit

Layer 2 QoS Configuration

WTD Threshold Mapping
mls qos srr-queue input {dscp-map|cos-map} queue q_nr threshold thresh_id <values>
mls qos srr-queue output {dscp-map|cos-map} queue q_nr threshold thresh_id <values>

WTD Threshold Values
mls qos srr-queue input threshold q_nr v1 v2
mls qos queue-set output qset_id threshold q_nr v1 v2
int if_name
queue-set qset_id


Example Layer 2 QoS Configuration

mls qos srr-queue input priority-queue 1 bandwidth 20
mls qos srr-queue input bandwidth 10 40
mls qos srr-queue input cos-map queue 1 4
mls qos srr-queue input threshold 2 60 80


Configuration Verification
show mls qos - Displays global QoS configuration information
show mls qos input-queue - Displays QoS settings for the ingress queues
show mls qos queue-set - Displays QoS settings for the egress queues
show mls qos maps - Displays QoS mapping information


8.03 Implement Link Fragmentation and Interleaving (LFI) for Frame Relay

LFI

Large packets take a long time to serialize on low-bandwidth WAN links; this may affect small Voice packets that are delay- and jitter-sensitive


LFI cont.

To overcome this problem the Link Fragmentation and Interleaving feature (FRF.12) can be used
LFI mechanics can be divided into two phases :
1. Fragmentation - packets that take longer than 10 milliseconds to serialize are fragmented
2. Interleaving - small, non-fragmented packets are inserted between the fragments


LFI Example

The High Priority Interleaving queue (non-fragmented packets) is always serviced first



LFI Configuration

LFI with FRTS
map-class frame-relay map_name
frame-relay fragment fragment_size

MQC-Compatible LFI
frame-relay fragment end-to-end


Configuration Verification
show frame-relay fragment - Displays information about Frame-Relay fragmentation


8.05 Implement Resource Reservation Protocol (RSVP)

Resource Reservation Protocol

RSVP reservations are end-to-end
RSVP is unidirectional; if a bidirectional reservation is required, both endpoints must request it
RSVP uses three types of messages :
PATH Message
RESV Message
ERROR Message


Resource Reservation Protocol

The RSVP Path message contains information describing the flow, bandwidth and QoS needed for the traffic



RSVP Configuration

RSVP
ip rsvp bandwidth total_bw single_flow_bw


Configuration Verification
show ip rsvp interface - Displays RSVP-related interface information
show ip rsvp reservation - Displays RSVP receiver information


8.06 Implement Cisco AutoQoS

AutoQoS, AutoQoS VoIP

AutoQoS is just a macro
There are two kinds of AutoQoS: VoIP and Enterprise
AutoQoS VoIP (IOS switches) is enabled using the auto qos voip command. Three options are available :
1. cisco-phone - trusts DSCP values 24, 26 and 46
2. cisco-softphone - same as above but for softphones
3. trust - trust CoS for an L2 port and DSCP for an L3 port
AutoQoS VoIP (IOS Routers) is enabled using the auto qos voip [trust] command

AutoQoS Enterprise

AutoQoS Enterprise is only available on IOS Routers
AutoQoS Enterprise works in two phases :
1. Auto-Discovery phase - uses NBAR to detect applications running on the network
2. Installation phase - generates templates based on the information collected in Phase I. Finally the policy is installed on the interface
AutoQoS-generated configurations can be manually modified



AutoQoS Configuration

AutoQoS VoIP IOS Switches
auto qos voip cisco-phone|cisco-softphone|trust

AutoQoS VoIP IOS Routers
auto qos voip [trust]

AutoQoS Enterprise
auto discovery qos [trust]
auto qos


Configuration Verification
show auto qos - Displays the interface AutoQoS commands
show auto discovery qos - Displays types and amounts of traffic detected by NBAR
show policy-map interface - Displays traffic statistics of all classes configured on the specified interface


End of Section 8.0

IPexperts CCIE R&S Written VoD Series
9.0 Troubleshoot a Network

9.01 Troubleshoot complex Layer 2 network issues

Troubleshooting Introduction
Troubleshooting means diagnosing a problem and resolving it
Common approaches to troubleshooting include :
Top-Down
Bottom-Up
Divide & Conquer
The main troubleshooting tool available on Cisco IOS is the variety of show and debug commands
As general advice, always try to approach a problem in a structured way, without skipping anything (there is no 99% in troubleshooting)

Troubleshooting Auto-Negotiation
Both sides should have Auto-Negotiation enabled or both sides should be configured manually
Any other combination may cause Auto-Negotiation to fail
Verify how the speed & duplex settings were actually derived :
- show interfaces status
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/1                        connected    1          a-full  a-100 10/100BaseTX


Verifying Basic Interface Settings

R1# show interfaces eth 0
Ethernet0 is up, line protocol is up
Hardware is Lance, address is 0010.7b36.1be8 (bia 0010.7b36.1be8)

Possible causes for down/down are as follows :
Cable is not connected
Cable is faulty
Cable is connected to the wrong port on the far end
Possible causes for up/down are as follows :
Speed mismatch
Encapsulation mismatch
Disabled keepalives
No clocking set on DCE

Verifying Basic Interface Settings

5 minute input rate 1000 bits/sec, 2 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
2058015 packets input, 233768993 bytes, 1 no buffer
Received 1880947 broadcasts, 0 runts, 0 giants, 1 throttles
3 input errors, 0 CRC, 0 frame, 0 overrun, 3 ignored
0 input packets with dribble condition detected
298036 packets output, 32280269 bytes, 0 underruns
0 output errors, 10 collisions, 0 interface resets
0 babbles, 0 late collision, 143 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out

Verifying Basic Interface Settings

FCS, alignment, runt & collision counters are normal for half-duplex if the errors/packets ratio is below 2%
FCS, alignment and runt counters should be minimal for full-duplex (and no collisions)
Duplex mismatch results in poor performance, intermittent connectivity and packet drops
Jan 20 13:26:45 %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet1/2(not half duplex), with TBA04251336 3/2 (half duplex)
Other possible causes of errors in full-duplex are bad cables, NIC problems and other hardware issues

Verifying Interface Counters

Collisions (normal on half-duplex links) :
Duplex mismatch
Late Collisions (detected after the 512th bit) :
Duplex mismatch
Too long Ethernet cable or segment
Cyclic Redundancy Check (CRC) :
Collisions
Physical Layer issue
Giants (frames greater than 1518B) :
Bad NIC
Runts (frames shorter than 64B) :
Bad NIC/cable/port
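The rules of thumb from the last three slides (2% errors/packets ratio on half-duplex, no collisions on full-duplex, and the per-counter causes above), applied to the deck's own show interfaces excerpt by an added Python snippet; this is not code from the IPexpert deck. The excerpt is embedded as a string, and the duplex setting is passed in because it comes from show interfaces status, not from the counter block.

```python
"""Triage of `show interfaces` counters, added example.

parse_counters() pulls the counters out of the text with regular expressions;
analyze() applies the deck's rules and returns a list of findings (empty means
the counters look normal for the stated duplex).
"""
import re

# The deck's own show interfaces excerpt, embedded here as sample input.
SAMPLE_SHOW_INTERFACES = """\
  5 minute input rate 1000 bits/sec, 2 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     2058015 packets input, 233768993 bytes, 1 no buffer
     Received 1880947 broadcasts, 0 runts, 0 giants, 1 throttles
     3 input errors, 0 CRC, 0 frame, 0 overrun, 3 ignored
     0 input packets with dribble condition detected
     298036 packets output, 32280269 bytes, 0 underruns
     0 output errors, 10 collisions, 0 interface resets
     0 babbles, 0 late collision, 143 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
"""

COUNTERS = {
    "packets_input":   r"(\d+) packets input",
    "packets_output":  r"(\d+) packets output",
    "input_errors":    r"(\d+) input errors",
    "crc":             r"(\d+) CRC",             # FCS errors
    "frame":           r"(\d+) frame",           # alignment errors
    "runts":           r"(\d+) runts",
    "giants":          r"(\d+) giants",
    "collisions":      r"(\d+) collisions\b",
    "late_collisions": r"(\d+) late collisions?",
}


def parse_counters(text):
    """Return {counter_name: int}; a counter missing from the text counts as 0."""
    found = {}
    for name, pattern in COUNTERS.items():
        m = re.search(pattern, text)
        found[name] = int(m.group(1)) if m else 0
    return found


def analyze(c, duplex):
    """duplex is 'half' or 'full' (from show interfaces status)."""
    findings = []
    total = c["packets_input"] + c["packets_output"]
    l1_errors = c["crc"] + c["frame"] + c["runts"] + c["collisions"]
    ratio = l1_errors / total if total else 0.0
    if duplex == "half":
        # FCS/alignment/runts/collisions are normal below 2% of packets.
        if ratio >= 0.02:
            findings.append(f"half-duplex error ratio {ratio:.2%} >= 2%: check cabling and duplex")
    else:
        if c["collisions"]:
            findings.append("collisions on a full-duplex port: duplex mismatch")
        if c["crc"] or c["frame"]:
            findings.append("FCS/alignment errors on full-duplex: bad cable, NIC or other hardware")
        if c["runts"]:
            findings.append("runts (<64B): bad NIC, cable or port")
    if c["late_collisions"]:
        findings.append("late collisions: duplex mismatch or Ethernet cable/segment too long")
    if c["giants"]:
        findings.append("giants (>1518B): bad NIC")
    return findings


if __name__ == "__main__":
    counters = parse_counters(SAMPLE_SHOW_INTERFACES)
    print(analyze(counters, "half"))   # [] : 10 collisions in 2.3M packets is normal
    print(analyze(counters, "full"))   # collisions on full-duplex -> duplex mismatch
```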

Troubleshooting VLANs & Trunking

If Native VLANs are different on both ends, CDP (if enabled) should complain about it (use show logging if logging to a buffer) :
*Jan 14 03:21:00: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/10 (1), with CAT1 FastEthernet0/13 (10)

For troubleshooting DTP always verify administrative & operational modes :
- show interface if_name switchport


Troubleshooting VTP
VTP information is always forwarded on trunk links using
VLAN 1
VTP Parameters that have to match are :
VTP domain name
VTP password
VTP version
Since VTP domain name is sent inside a DTP packet,
DTP will never negotiate a trunk between two different
VTP domains
Not only a VTP Server with higher revision number can
erase the entire VLAN configuration within a VTP domain,
but also a VTP Client

Troubleshooting EtherChannel
The following parameters must match in order to form an EtherChannel :
Speed & duplex
STP values
VLAN, Native VLAN
Trunking mode
Interface Type
When using manual configuration, don't wait too long with configuring the other side
Make sure that the Load-Balancing method chosen fits the current topology

Troubleshooting STP
STP loops are formed when a port that should block starts
forwarding traffic
Unidirectional links are often a culprit
Duplex mismatch can resemble a unidirectional link
scenario
Never use PortFast on interfaces connected to :
Switches
Hubs
Bridging routers


Troubleshooting STP cont.

Disable redundant ports one by one. Generally always start with examining the blocking ports
Check if BPDUs are received (include Root Ports) :
- show spanning-tree detail
- debug spanning-tree bpdu
CAT1# show spanning-tree detail
Port 1 (GigabitEthernet0/1) of VLAN0001 is blocking
Port path cost 2019, Port priority 128, Port Identifier 128.24.
-- Omitted --
Number of transitions to forwarding state: 1
Link type is point-to-point by default
BPDU: sent 2, received 72364

Troubleshooting STP cont.

If problems are intermittent, debug and log to the buffer :
- debug spanning-tree events
Look for Port & CPU utilization :
- show interfaces
- show processes cpu
R1# show interfaces
GigabitEthernet0/1 is up, line protocol is up
Hardware is Gigabit Ethernet, address is 0009.43a7.ab85 (bia 0009.43a7.ab85)
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
reliability 255/255, txload 120/255, rxload 210/255


Troubleshooting & Verification

debug spanning-tree events - Displays spanning-tree topology event debug messages
debug spanning-tree bpdu - Displays sent and received Bridge Protocol Data Units
show processes cpu - Displays detailed CPU utilization statistics


9.02 Troubleshoot complex Layer 3 network issues

Layer 3 Troubleshooting Introduction

In many cases the problems we may run into are not directly related to Layer 3. Examples :
Mismatched MTU
Inappropriate L2 config
Network security features
Hardware problems
IPv6 problems are pretty much the same
When troubleshooting IPv6 remember to use ipv6 instead of ip in the command syntax


Troubleshooting RIP
Lack of routes installed in the RIB may generally be caused by three things :
1. Router receives an update but does not install it
2. Route sender is not even advertising a route
3. Routing update got lost somewhere in the path between the sender and receiver
Start by verifying the device's configuration :
- show run router rip, show ip protocols
- debug ip rip
RIP: ignored v2 packet from 10.1.1.1 (not enabled on FastEthernet0/0)
RIP: ignored v2 packet from 10.1.1.1 (invalid authentication)

Troubleshooting RIP cont.

A few other potential RIP problems :
Source-Validity check
Distribute-lists
Incompatible RIP versions
Offset-lists
Split Horizon
Passive-interface
RIP: ignored v2 update from bad source 10.1.2.1 on FastEthernet0/0
RIP: ignored v2 packet from 10.1.1.1 (illegal version)


Troubleshooting RIP cont.

A RIP passive interface only receives updates
R1# show ip protocols
Routing Protocol is "rip"
--Output Omitted--
Routing for Networks:
10.0.0.0
Passive Interface(s) FastEthernet0/0


Troubleshooting EIGRP
Unidirectional links may prevent a neighborship from
being established
Common causes :
Layer 2 problems
Hardware issues
Filtering
Troubleshoot adjacencies :
- show ip eigrp neighbors


Troubleshooting EIGRP cont.

H   Address         Interface   Hold Uptime   SRTT   RTO  Q  Seq
                                (sec)         (ms)       Cnt Num
1   10.1.1.2        Et0/0         11 00:00:20    0  5000  5  0

Output params :
H - order in which the neighbors were learned
SRTT - how long it takes for an ACK to come back (0 means an ACK was never received)
RTO - how long to wait for an ACK before retransmitting
Q Cnt - number of unicast packets queued

Troubleshooting EIGRP cont.

EIGRP sources packets from its primary IP subnet
02:19:31.142: IP-EIGRP: Neighbor 10.1.1.1 not on common subnet for Serial0/0

K-values must match :
- debug ip eigrp packet
The Stuck In Active (SIA) timer is 3 minutes by default. Watch for the DUAL-3-SIA error console message
Troubleshoot SIA :
- show ip eigrp topology active
- eigrp log-neighbor-changes

Troubleshooting EIGRP cont.

R1# show ip eigrp topology active
IP-EIGRP Topology Table for process 1
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply, r - Reply status
A 10.1.2.0 255.255.255.0, 1 successors, FD is 2213055 1 replies, active 0:00:55, query-origin: Multiple Origins
via 10.1.1.2 (Infinity/Infinity), r, Serial0, serno 1232
via 10.1.4.2 (Infinity/Infinity), Serial1, serno 1227


Troubleshooting EIGRP cont.

The inaccessible keyword in the output of show ip eigrp topology usually indicates that a prefix has been overridden by a lower-AD route received from another routing protocol
This usually happens for EIGRP external routes, since their AD is 170 by default
The EIGRP Router-ID is used on external routes to prevent routing loops
Updates received with the device's own EIGRP Router-ID will be dropped


Troubleshooting OSPF
Basic OSPF verification :
- show ip ospf neighbor
- show ip ospf interface [brief]
More advanced troubleshooting :
- debug ip ospf adjacency
- debug condition interface
OSPF adjacency events debugging is on
OSPF: Rcv hello from 10.1.10.1 area 0 from FastEthernet0/0 10.1.1.1
OSPF: Mismatched hello parameters from 10.1.1.1
Dead R 40 C 40, Hello R 10 C 10 Mask R 255.255.255.0 C 255.255.255.128

Troubleshooting OSPF cont.

Generally always look for a FULL adjacency, but remember that devices on broadcast media will become adjacent only with the DR & BDR
Before an adjacency is formed, OSPF goes through several states
Problem : Lack of any state
No Hellos have been received at all
Hello packet failed basic sanity checks
Solution :
Check L1/L2
Ping 224.0.0.5
Use show ip ospf interface & debug ip ospf adjacency

Troubleshooting OSPF cont.

Problem : DOWN state
Usually refers to unicast neighbors (neighbor)
No Hellos received during the last Dead Interval
Solution :
Verify neighbor configuration
Follow the steps listed for the previous problem
Problem : INIT state
Hello has been received but no local Router-ID is seen
Solution :
Look for unidirectional communication
Verify Layer 2 & filtering

Troubleshooting OSPF cont.

Problem : TWO-WAY state
All neighbors stuck in TWO-WAY
Solution :
Check if at least one device is configured with an OSPF Priority higher than 0
Problem : EXSTART/EXCHANGE state
MTU mismatch
Solution :
Look for broken unicast connectivity (DBD packets are sent as unicast)
Avoid using ip ospf mtu-ignore

Troubleshooting OSPF cont.

Problem : LOADING state
Corrupted LSAs, uncommon
Solution :
Contact TAC


Troubleshooting BGP
For direct peering, if Layer 1 and Layer 2 are configured correctly, verify the neighbors :
- show ip bgp summary
BGP table version is 1, main routing table version 1

Neighbor   V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.1.1.2   4   400       0       0        0    0    0 never    Active

Another useful troubleshooting tool :
- debug ip bgp
BGP: 10.1.1.2 open active, local address 1.1.1.1
BGP: 10.1.1.2 open failed: Connection refused by remote host

Troubleshooting BGP cont.

You can also verify TCP, which could confirm a BGP misconfiguration :
- debug ip tcp transactions
TCB00135978 created
TCB00135978 setting property 0 16ABEA
TCB00135978 bound to 1.1.1.1.13009
TCP: sending SYN, seq 3897223151, ack 0
TCP0: Connection to 10.1.1.2:179, advertising MSS 1460
TCP0: state was CLOSED -> SYNSENT [13009 -> 10.1.1.2(179)]
TCP0: state was SYNSENT -> CLOSED [13009 -> 10.1.1.2(179)]
TCP0: bad seg from 10.1.1.2 -- closing connection: seq 0 ack 3897223152 rcvnxt 0 rcvwnd 0
TCP0: connection closed - remote sent RST

Troubleshooting BGP cont.

For non-direct peerings don't hesitate to check the following things :
EBGP multihop
IP reachability to the neighbor (a default route will NOT work)
BGP: 2.2.2.2 Active open failed - no route to peer, open active delayed 13312ms (35000ms max, 60% jitter)

Also, as for direct peerings, verify the BGP configuration :
Correct neighbor statement
The update-source command


Troubleshooting BGP cont.

A manually configured Cluster-ID (the same one on both reflectors) in redundant topologies may cause problems :
- debug ip bgp update
Jan 10 17:12:31: BGP(0): 1.1.1.1 rcv UPDATE w/ attr: nexthop 10.1.2.1, origin i, localpref 100, metric 0, originator 2.2.2.2, clusterlist 0.0.0.101, path, community, extended community
Jan 10 17:12:31: BGP(0): 1.1.1.1 rcv UPDATE about 172.16.0.0/24 DENIED due to: reflected from the same cluster

The remaining problems we may run into are usually introduced by protocol-related features (e.g. Split Horizon, BGP Sync Rule)


Troubleshooting Redistribution
Verify which routes have been added to/removed from the RIB and what the reason for it was :
- debug ip routing
*Jan 11 13:21:24.181: RT: closer admin distance for 10.1.1.0, flushing 1 routes
*Jan 11 13:21:24.185: RT: NET-RED 10.1.1.0/24
*Jan 11 13:21:24.185: RT: add 10.1.1.0/24 via 1.1.1.1, bgp metric [20/20]
*Jan 11 13:21:24.191: RT: NET-RED 10.1.1.1/24


Troubleshooting Redistribution cont.


Another useful command, which displays routing table change statistics :
- show ip route profile
Change/   Fwd-path  Prefix  Nexthop  Pathcount  Prefix
interval  change    add     Change   Change     refresh
-----------------------------------------------------------
0         14        14      17       17         17
1         0         0       0        0          0
2         1         1       0        0          0
3         2         2       0        0          0


Troubleshooting & Verification

debug ip rip - Displays information on RIP transactions
debug ip eigrp packet - Displays information about EIGRP protocol packets
debug ip ospf adjacency - Displays information on adjacency events related to OSPF
debug condition interface - Limits debug output to a single interface


Troubleshooting & Verification cont.

debug ip bgp - Displays information related to the processing of BGP
debug ip tcp transactions - Displays information on significant TCP transactions
debug ip routing - Displays information on routing table and route cache updates
show ip route profile - Displays routing table change statistics


9.03 Troubleshoot a network in response to application problems

Troubleshooting Application Problems

Network performance problems are often related to Layer 1/2 issues (bad NICs, duplex mismatch)

Troubleshooting issues from the QoS standpoint should be approached in a structured way :
1. Verify the traffic classes :
- show class-map
2. Make sure that the QoS policy is applied :
- show policy-map interface brief
- show mls qos
3. Verify the actual policy :
- show policy-map interface

Troubleshooting Application Problems


R1# show class-map
Class Map SSH_CLASS
Match access-group 103
Class Map HTTP_CLASS
Match protocol http
Class Map F00_CLASS
Match input-interface FastEthernet0/0
R1# show policy-map interface brief
Service-policy input: QOS_POL
interface F0/0
interface F0/1
Switch> show mls qos
QoS is enabled
QoS ip packet dscp rewrite is enabled

Troubleshooting Application Problems


Serial0/0
Service-policy output: QOS_POL
Class-map: VOICE_CLASS (match-all)
1231 packets, 78784 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name VOICE
Queueing
Strict Priority
Output Queue: Conversation 264
Bandwidth 512 (kbps) Burst 12800 (Bytes)
(pkts matched/bytes matched) 1231/78784
(total drops/bytes drops) 0/0
Class-map: HTTP_CLASS (match-all)
9390 packets, 5501312 bytes
5 minute offered rate 74000 bps, drop rate 0 bps
Match: protocol http
Queueing
Output Queue: Conversation 265
Bandwidth 128 (kbps)Max Threshold 64 (packets)
(pkts matched/bytes matched) 3012/1746960
(depth/total drops/no-buffer drops) 5/0/0

Troubleshooting Application Problems

R1# show policy-map interface serial0/0
Serial0/0
Service-policy output: QOS_POL
Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
Traffic Shaping
  Target  Byte   Sustain   Excess    Interval  Increment  Adapt
  Rate    Limit  bits/int  bits/int  (ms)      (bytes)    Active
  320000  2000   8000      8000      25        1000       -

  Queue  Packets  Bytes   Packets  Bytes    Shaping
  Depth                   Delayed  Delayed  Active
  6      1200     654120  248      135185   yes

If Voice/Video is used, consider tuning Tc to 10ms



Troubleshooting Application Problems

In Layer 2, start with verifying the mapping tables

Don't forget to check the queuing configuration as well :
1. Ingress :
- show mls qos input-queue
2. Egress :
- show mls qos interface if_name queueing

Switch> show mls qos input-queue
Queue     :       1       2
----------------------------------------------
buffers   :      90      10
bandwidth :       4       4
priority  :       0      10
threshold1:     100     100
threshold2:     100     100

Troubleshooting Application Problems

Switch> show mls qos interface gig0/2 queueing
GigabitEthernet0/2
Egress Priority Queue :enabled
Shaped queue weights (absolute) : 25 0 0 0
Shared queue weights : 25 25 25 25
The port bandwidth limit : 100 (Operational Bandwidth:100.0)
The port is mapped to qset : 1

The IP SLA feature can be used to :
1. Narrow down the problem
2. Verify the effectiveness of configuration amendments

Gather IP SLA statistics :
- show ip sla statistics

Troubleshooting & Verification

show mls qos - Displays global QoS configuration information
show policy-map interface brief - Displays information about only the active policy maps attached to an interface
show ip sla statistics - Displays the current operational status and statistics of all Cisco IOS IP SLA operations

9.04 Troubleshoot network services

Troubleshooting FHRPs

Most HSRP issues are related to the network itself

One of the most commonly seen problems is the duplicate address message :

Jan 15 21:40:09: %STANDBY-3-DUPADDR: Duplicate address 10.1.1.100 on Vlan5, sourced by 0000.0c07.ac01

A few things that might cause this problem :
STP problems
Etherchannel misconfiguration
Physical layer problems

Standard Layer 1/2 procedures should be followed



Troubleshooting FHRPs cont.

If Port-Security is also configured, use BIA addresses.
Troubleshoot with :
- show interfaces status
- show port-security

Other useful commands :
- show standby/vrrp/glbp brief
- debug standby

R2# show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Prio P State    Active    Standby   Virtual IP
Et0/0       1    100    Standby  10.1.1.1  local     10.1.1.100

HSRP debugging is on
Vlan5 Hello out 10.1.1.1 Active pri 100 ip 10.1.1.100
Vlan5 Hello in 10.1.1.2 Standby pri 100 ip 10.1.1.100

Troubleshooting NTP

It may take a long time for NTP to synchronize

If the problem persists, look for :
ACL blocking UDP port 123
High CPU utilization
NTP server reporting stratum of 15

Useful troubleshooting commands :
- show ntp status
- show ntp associations
- debug ntp authentication


Troubleshooting NTP cont.

Router> show ntp status
Clock is synchronized, stratum 4, reference is 10.1.1.2
nominal freq is 250.0000 Hz, actual freq is 249.9990 Hz, precision is 2**19
reference time is AFE2525E.70597B34 (13:12:17.438 PDT Sun Jan16 5 2011)
clock offset is 7.33 msec, root delay is 133.36 msec
root dispersion is 126.28 msec, peer dispersion is 5.98 msec
Router> show ntp associations detail
10.1.1.2 configured, our_master, sane, valid, stratum 4
ref ID 192.168.1.111, time AFE252DC.1F2B3000 (13:12:19.121 PDT Sun Jan16 5 2011)
our mode client, peer mode server, our poll intvl 128, peer poll intvl 128
root delay 125.50 msec, root disp 115.80, reach 377, sync dist 186.157
delay 7.86 msec, offset 11.176 msec, dispersion 3.62
precision 2**6, version 2

Router# debug ntp authentication
Jan 16 13:14:49.763: Authentication failed

Troubleshooting DHCP

Common issues :
DHCP Pool is exhausted
DHCP Server cannot reach the Relay Agent
Option 82 is enabled and causes trouble
uRPF drops packets with src IP 0.0.0.0 & dst IP 255.255.255.255
DHCP is turned off (no service dhcp)

DHCP Client troubleshooting :
- debug dhcp packet

DHCP Server troubleshooting :
- debug ip dhcp server

Troubleshooting WCCP

Start with the very basic config

Make sure that ip wccp web-cache redirect out is applied on the appropriate interface (towards the real servers)

Verify :
- show ip wccp

R1# show ip wccp
Global WCCP information:
Router information:
Router Identifier:           10.1.1.1
Protocol Version:            2.0
Service Identifier: web-cache
Number of Cache Engines:     1
Number of routers:           1
Total Packets Redirected:    20

Troubleshooting WCCP cont.

Troubleshoot :
- debug ip wccp events
- debug ip wccp packets

R1#
WCCP-EVNT:S00: Built new router view: 0 routers, 0 usable web caches, change # 00000001
WCCP-PKT:S00: Sending I_See_You packet to 10.1.1.2 w/ rcv_id 00000001
WCCP-EVNT:S00: Redirect_Assignment packet from 10.1.1.2 fails source check
WCCP-5-SERVICEFOUND: Service web-cache acquired on Web Cache 10.1.1.2
WCCP-PKT:S00: Received valid Here_I_Am packet from 10.1.1.2 w/rcv_id 00000001
WCCP-EVNT:S00: Built new router view: 1 routers, 1 usable web caches, change # 00000002

Troubleshooting & Verification

debug standby - Displays HSRP state changes
debug ntp authentication - Displays debugging information on NTP authentication
debug dhcp packet - Displays debugging information about DHCP Client activities


Troubleshooting & Verification cont.

debug ip dhcp server - Displays information related to DHCP Server functions
debug ip wccp events - Displays information about significant WCCP events
debug ip wccp packets - Displays information about every WCCP packet received or sent by the router


9.05 Troubleshoot network security

Troubleshooting CBAC

Common issues :
Inspection is not enabled for a protocol
Inspection is enabled on the wrong interface
Inspection is enabled in the wrong direction
Router-generated traffic is not inspected

Verify :
- show ip inspect session detail


Troubleshooting CBAC cont.

Sample output from show ip inspect session detail :

Established Sessions
Session 817298C4 (10.1.1.2:11005)=>(20.1.1.1:23) tcp SIS_OPEN
Created 00:00:06, Last heard 00:00:03
Bytes sent (initiator:responder) [391:123911]
In SID 20.1.1.1[23:23]=>10.1.1.2[11005:11005] on ACL 100 (108 matches)
Half-open Sessions
Session 81729A34 (10.1.1.2:11006)=>(20.1.1.1:80) http SIS_OPENING
Created 00:00:03, Last heard 00:00:01
Bytes sent (initiator:responder) [0:0]

Don't forget to check the ACL


Troubleshooting AAA

Common issues :
AAA server is not configured/misconfigured
Key mismatch (NAS <-> AAA)
Connectivity problems (NAS <-> AAA)
Misconfigured AAA database

Troubleshoot AAA :
- debug aaa authentication
- debug aaa authorization
- debug aaa accounting


Troubleshooting AAA cont.

*Jan 19 17:11:18.132: AAA/BIND(0000000E): Bind i/f
*Jan 19 17:11:18.132: AAA/AUTHEN/LOGIN (0000000E): Pick method list VTY
*Jan 19 17:11:19.327: AAA: parse name=tty66 idb type=-1 tty=-1
*Jan 19 17:11:19.327: AAA: name=tty66 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=66 channel=0
*Jan 19 17:11:19.327: AAA/MEMORY: create_user (0x83C938B4) user=ipexpert ruser=NULL ds0=0 port=tty66 rem_addr=10.1.1.1 authen_type=ASCII service=ENABLE priv=15 initial_task_id=0, vrf= (id=0)
*Jan 19 17:11:19.327: AAA/AUTHEN/START (4286245615): port=tty66 list=action=LOGIN service=ENABLE
-- Output omitted
*Jan 19 17:11:21.103: AAA/AUTHEN(4286245615): Status=PASS


Troubleshooting AAA cont.

Troubleshoot RADIUS/TACACS+ :
- debug radius
- debug tacacs

00:37:10: RADIUS(00000015): Send Access-Request to 10.1.1.100:1645 id 1645/21, len 159
00:37:10: RADIUS:  authenticator 2D 03 E5 A6 A5 30 1A 32 - F2 C5 EE E2 AC 5E 5D 22
00:37:10: RADIUS:  User-Name           [1]   11  "ipexpert"
00:37:10: RADIUS:  User-Password       [2]   18  *
00:37:10: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
00:37:10: RADIUS: Received from id 1645/21 10.1.1.100:1645, Access-Accept, len 313
00:37:10: RADIUS:  authenticator E6 6E 1D 64 5A 15 FD AE - C9 60 C0 68 F5 10 E9 B7
00:37:10: RADIUS:  Cisco AVpair        [1]   13  "priv-lvl=15"
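Added example (not from the deck; RFC 2865 mechanics with constructed values) showing what lies behind the "authenticator" and masked User-Password lines in the debug above, and why a NAS/AAA key mismatch fails: the NAS recomputes the Response Authenticator with its own shared secret before trusting an Access-Accept. The secrets and Request Authenticator below are constructed; only the username, Service-Type and the AVpair mirror the debug.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, SERVICE_TYPE, VENDOR_SPECIFIC = 1, 2, 6, 26
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to a multiple of 16 and XOR each block with
    MD5(secret || previous block); the first 'previous block' is the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Server-side inverse; the chain value is the received (hidden) block."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")


def attr(kind, value):
    """Type-Length-Value attribute; Length counts the two header bytes."""
    return struct.pack("!BB", kind, len(value) + 2) + value


def cisco_avpair(text):
    """Vendor-Specific (26) carrying Cisco (9) AVpair (1), e.g. "priv-lvl=15" as in the debug."""
    inner = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def attributes(packet):
    """Yield (type, value) pairs from a RADIUS packet; reject malformed lengths."""
    pos = 20
    while pos < len(packet):
        kind, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield kind, packet[pos + 2:pos + length]
        pos += length


def build_request(ident, request_auth, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def build_response(code, ident, request_auth, attrs, secret):
    """RFC 2865 3: ResponseAuth = MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    body = b"".join(attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + hashlib.md5(head + request_auth + body + secret).digest() + body


def verify_response(packet, request_auth, secret):
    """What the NAS must do before trusting an Access-Accept: recompute the Response
    Authenticator with its own secret and compare in constant time.  A key mismatch
    between NAS and server shows up here as a failed check."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def exchange(secret_nas, secret_server, ident=21):
    """One Access-Request/response round trip with the attributes seen in the debug above.
    Returns (nas_accepts_response, response_code)."""
    request_auth = os.urandom(16)
    req = build_request(ident, request_auth, [
        attr(USER_NAME, b"ipexpert"),
        attr(USER_PASSWORD, hide_password(b"cciers", secret_nas, request_auth)),
        attr(SERVICE_TYPE, struct.pack("!I", 5)),        # Service-Type 5 = Outbound
    ])
    # Server side: unhide the password with *its* secret and decide.
    seen = reveal_password(dict(attributes(req))[USER_PASSWORD], secret_server, request_auth)
    granted = seen == b"cciers"
    code = ACCESS_ACCEPT if granted else ACCESS_REJECT
    resp = build_response(code, ident, request_auth,
                          [cisco_avpair("priv-lvl=15")] if granted else [], secret_server)
    return verify_response(resp, request_auth, secret_nas), code


if __name__ == "__main__":
    print("matching secrets:", exchange(b"s3cret", b"s3cret"))
    print("mismatched secrets:", exchange(b"s3cret", b"other"))
```

The 16-byte hidden password plus its 2-byte header is the "User-Password [2] 18" length in the debug, and the 11-character AVpair gives the inner length 13.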


Troubleshooting & Verification

debug aaa authentication - Displays debug information on AAA authentication
debug aaa authorization - Displays debug information on AAA authorization
debug aaa accounting - Displays debug information on accountable events
debug radius - Enables debugging for RADIUS configuration
debug tacacs - Displays information associated with TACACS+

End of Section 9.0

10.0 Optimize the Network

10.01 Implement Syslog and local logging

Syslog and local logging

Logging is the process of recording and storing events

Severity Levels control which messages are logged :
0 Emergencies
1 Alerts
2 Critical
3 Errors
4 Warnings
5 Notifications
6 Informational
7 Debugging


Syslog and local logging

Logging Destinations
1. Console (logging console)
2. Internal Buffer (logging buffered)
3. VTY lines (logging monitor + terminal monitor)
4. SNMP Server (snmp-server enable traps syslog + logging history)
5. Syslog Server (logging trap)

Syslog uses UDP port 514

Syslog Configuration

Turning Logging on
[no] logging on

Time Stamps
service timestamps log

Logging facility
logging facility

Logging Synchronous
logging synchronous


Example Syslog Configuration


logging buffered 4096 debugging
logging console errors
line console 0
logging synchronous
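Added example, not part of the original deck: a small Python decoder for the PRI field of syslog datagrams (PRI = facility * 8 + severity) that applies the same threshold rule as the configuration above, where logging console errors keeps severities 0..3 and logging buffered 4096 debugging keeps everything. The sample messages are constructed.

```python
import re

# Severity keywords as numbered on the slide (0 = most severe).
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]

# Syslog facility codes 0..23; IOS sends local7 (23) unless 'logging facility' changes it.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(datagram):
    """Split a BSD syslog datagram into (facility, severity, message).

    PRI = facility * 8 + severity, so the severity is the low 3 bits and
    the facility the remaining bits.  Raises ValueError on a malformed PRI.
    """
    m = _PRI_RE.match(datagram)
    if not m:
        raise ValueError("missing <PRI> prefix")
    pri = int(m.group(1))
    if pri > 191:                       # 23 * 8 + 7 is the largest legal value
        raise ValueError("PRI out of range: %d" % pri)
    return pri >> 3, pri & 0x7, m.group(2)


def severity_level(level):
    """Accept the keyword used after 'logging <dest>' (e.g. 'errors') or its number."""
    if isinstance(level, int):
        if not 0 <= level <= 7:
            raise ValueError("severity must be 0..7")
        return level
    return SEVERITIES.index(level.lower())


def logged_at(level, datagrams):
    """Return the messages a destination configured with <level> would record.

    This is the rule behind 'logging console errors' or 'logging trap <level>':
    a message passes when its severity number is <= the configured level.
    """
    threshold = severity_level(level)
    kept = []
    for d in datagrams:
        facility, severity, msg = decode_pri(d)
        if severity <= threshold:
            kept.append((FACILITIES[facility], SEVERITIES[severity], msg))
    return kept


# Constructed sample datagrams in the form an IOS device sends to a syslog server.
SAMPLE = [
    "<187>12: *Jan 16 13:14:49.763: %LINK-3-UPDOWN: Interface Vlan5, changed state to down",
    "<189>13: *Jan 16 13:14:50.001: %SYS-5-CONFIG_I: Configured from console by vty0",
    "<190>14: *Jan 16 13:14:51.120: %HSRP-6-STATECHANGE: Vlan5 Grp 1 state Standby -> Active",
    "<191>15: *Jan 16 13:14:52.003: NTP: authentication failed",
    "<184>16: *Jan 16 13:14:53.500: %SYS-0-CONSTRUCTED: constructed emergency message",
]

if __name__ == "__main__":
    # 'logging console errors' keeps severities 0..3; 'logging buffered ... debugging' keeps all.
    for dest, level in (("console", "errors"), ("buffered", "debugging")):
        kept = logged_at(level, SAMPLE)
        print("%s (%s): %d of %d messages" % (dest, level, len(kept), len(SAMPLE)))
        for fac, sev, msg in kept:
            print("  %s.%s %s" % (fac, sev, msg))
```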


Configuration Verification
show logging - Displays the logging configuration and the contents of the logging buffer

10.02 Implement IP Service Level Agreement (SLA)

IP SLA

Formerly known as RTR

Performs active monitoring by generating and analyzing traffic to measure performance

Statistics include jitter, delay, packet loss

IP SLA Responder
a) Allows for unidirectional measurements
b) Improves accuracy: uses two timestamps, allowing the probe processing time to be excluded

IP SLA Responder works only for TCP & UDP probes



IP SLA Responder

[Figure: IP SLA Responder timestamps T0 and T1 (30 ms)]

IP SLA Configuration

IP SLA Configuration mode


ip sla nr

Scheduling an SLA instance


ip sla schedule

IP SLA Responder
ip sla responder


Example IP SLA Configuration


ip sla 1
icmp-echo 10.1.1.1
timeout 1000
frequency 1
ip sla schedule 1 life forever start-time now


Example IP SLA Responder Configuration

Source of the SLA probes

ip sla 2
udp-echo dest-ipaddr 10.1.1.2 1234
frequency 3
ip sla schedule 2 life 43200 start-time now

SLA target device

ip sla responder


Configuration Verification
show ip sla configuration - Displays configuration for all IP SLA operations
show ip sla responder - Displays information about the IP SLA Responder
show ip sla statistics - Displays current operational status and statistics of IP SLA


10.03 Implement NetFlow


NetFlow

Cisco IOS statistics-gathering tool

Flows are identified by source & destination IP addresses, source & destination port numbers, protocol and Type of Service

Different NetFlow versions (e.g. 5, 7, 8, 9) are available

Cached flows can further be sent to a collecting device (NetFlow export)

Aggregation Cache available in version 8

Flow Sampling
NetFlow Configuration

Enabling NetFlow
ip flow ingress/egress

Flow Exporter
ip flow-export

Capturing additional fields
ip flow-capture

Flow Aggregation
ip flow-aggregation


Example NetFlow Configuration

General NetFlow configuration example :

int f0/1
ip flow ingress
ip flow-export version 5
ip flow-export destination 10.1.1.1 9000
ip flow-capture icmp

Flow Aggregation example :

ip flow-aggregation cache destination-prefix
cache entries 2048
export destination 10.1.1.1 25665
enabled
int f0/0
ip flow egress
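Added example (not from the deck) of what the collector at 10.1.1.1:9000 receives from the configuration above: a parser for the NetFlow v5 export datagram, the flow key from the NetFlow slide, and a roll-up that models the destination-prefix aggregation cache. The flow records and the v5 encoder are constructed test data standing in for a router; the field layout follows the published v5 format.

```python
import ipaddress
import struct
from collections import defaultdict

# NetFlow v5 export datagram: 24-byte header followed by up to 30 fixed 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def parse_v5(datagram):
    """Parse one v5 export datagram (as sent by 'ip flow-export version 5') into
    (header dict, list of flow dicts).  Rejects other versions and bad lengths."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, uptime, secs, nsecs, seq,
     eng_type, eng_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("not NetFlow v5 (version %d)" % version)
    if count > 30 or len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count %d does not match datagram length" % count)
    header = {
        "count": count, "sys_uptime_ms": uptime, "unix_secs": secs,
        "flow_sequence": seq, "engine": (eng_type, eng_id),
        # top 2 bits: sampling mode (0 = none), low 14 bits: 1-in-N packet interval
        "sampling_mode": sampling >> 14, "sampling_interval": sampling & 0x3FFF,
    }
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": str(ipaddress.IPv4Address(f[0])), "dst": str(ipaddress.IPv4Address(f[1])),
            "nexthop": str(ipaddress.IPv4Address(f[2])), "in_if": f[3], "out_if": f[4],
            "packets": f[5], "octets": f[6], "first_ms": f[7], "last_ms": f[8],
            "sport": f[9], "dport": f[10], "tcp_flags": f[12], "proto": f[13],
            "tos": f[14], "src_as": f[15], "dst_as": f[16],
            "src_mask": f[17], "dst_mask": f[18],
        })
    return header, flows


def flow_key(flow):
    """The fields that identify a flow on the slide (src/dst IP, src/dst port, protocol,
    ToS) plus the input interface, which the IOS main cache also keys on."""
    return (flow["src"], flow["dst"], flow["sport"], flow["dport"],
            flow["proto"], flow["tos"], flow["in_if"])


def aggregate_destination_prefix(flows):
    """Model of the 'destination-prefix' aggregation cache: flows are rolled up by
    (destination prefix/mask, destination AS, output interface)."""
    agg = defaultdict(lambda: {"flows": 0, "packets": 0, "octets": 0})
    for f in flows:
        prefix = ipaddress.IPv4Network((f["dst"], f["dst_mask"]), strict=False)
        entry = agg[(str(prefix), f["dst_as"], f["out_if"])]
        entry["flows"] += 1
        entry["packets"] += f["packets"]
        entry["octets"] += f["octets"]
    return dict(agg)


def build_v5(records, sampling_interval=0, seq=0):
    """Encode flow dicts as a v5 datagram (constructed test data standing in for a router)."""
    body = b"".join(V5_RECORD.pack(
        ipaddress.IPv4Address(r["src"]).packed, ipaddress.IPv4Address(r["dst"]).packed,
        ipaddress.IPv4Address(r["nexthop"]).packed, r["in_if"], r["out_if"],
        r["packets"], r["octets"], r["first_ms"], r["last_ms"], r["sport"], r["dport"],
        0, r["tcp_flags"], r["proto"], r["tos"], r["src_as"], r["dst_as"],
        r["src_mask"], r["dst_mask"], 0) for r in records)
    sampling = (0x4000 | sampling_interval) if sampling_interval else 0
    header = V5_HEADER.pack(5, len(records), 123456, 1294500000, 0, seq, 0, 0, sampling)
    return header + body


# Constructed sample: two web flows to one /24 and one ICMP echo (type 8 carried in dport) to a host.
SAMPLE_FLOWS = [
    dict(src="10.1.1.10", dst="172.16.0.5", nexthop="10.1.2.1", in_if=1, out_if=2,
         packets=120, octets=96000, first_ms=1000, last_ms=4000, sport=51000, dport=80,
         tcp_flags=0x1b, proto=6, tos=0, src_as=0, dst_as=65001, src_mask=24, dst_mask=24),
    dict(src="10.1.1.11", dst="172.16.0.9", nexthop="10.1.2.1", in_if=1, out_if=2,
         packets=30, octets=4500, first_ms=1500, last_ms=2500, sport=51001, dport=443,
         tcp_flags=0x1b, proto=6, tos=0, src_as=0, dst_as=65001, src_mask=24, dst_mask=24),
    dict(src="10.1.1.10", dst="192.168.1.1", nexthop="10.1.3.1", in_if=1, out_if=3,
         packets=5, octets=420, first_ms=2000, last_ms=2100, sport=0, dport=0x0800,
         tcp_flags=0, proto=1, tos=0, src_as=0, dst_as=65002, src_mask=24, dst_mask=32),
]
SAMPLE_DATAGRAM = build_v5(SAMPLE_FLOWS, sampling_interval=100)

if __name__ == "__main__":
    hdr, flows = parse_v5(SAMPLE_DATAGRAM)
    print("records:", hdr["count"], "sampling 1-in-%d" % hdr["sampling_interval"])
    for key, stats in aggregate_destination_prefix(flows).items():
        print(key, stats)
```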

Configuration Verification
show ip flow interface - Displays the NetFlow config for an interface
show ip cache flow - Displays the summary of NetFlow statistics and flows
show ip cache verbose flow - Displays the detailed summary of NetFlow statistics and flows
show ip cache flow aggregation - Displays the Aggregation Cache information and number of flows

10.04 Implement SPAN, RSPAN, and Router IP Traffic Export (RITE)

SPAN, RSPAN, RITE

RITE is a feature similar to SPAN/RSPAN, but available on Cisco IOS routers

Useful for Traffic Analyzers and monitoring devices, such as IDS/IPS

Allows exporting traffic going over WAN interfaces

RITE Configuration

Start with creating a profile
ip traffic-export profile

Within a profile, define the monitoring station (the device which is collecting the exported traffic)
interface
mac-address

By default all incoming traffic is exported; you can change this behavior using two methods :
bidirectional
incoming/outgoing access-list

Apply the profile to an interface (interface level)
ip traffic-export apply

Example RITE Configuration

General RITE configuration example :

ip traffic-export profile RITE_PROF
interface FastEthernet 0/0
mac-address 1234.1234.5678
bidirectional
int F0/1
ip traffic-export apply RITE_PROF


Configuration Verification
show ip traffic-export - Displays information related to exported IP traffic


10.05 Implement Simple Network Management Protocol (SNMP)

SNMP

Application-Layer management protocol used for monitoring and administration

SNMP Framework
1. Network Management Station (NMS)
2. SNMP Agent
3. Management Information Base (MIB)

SNMP Operations
1. Polling (GET, SET)
2. Notifications (TRAPS, INFORMS)


SNMP Polling

SNMP Polling is the process of sending periodic queries to the network devices. It uses two different SNMP messages, GET and SET, sent over UDP port 161

Three types of SNMP GET operation :
1. GET, which retrieves the exact object instance from the SNMP Agent
2. GETNext, which retrieves the object following the specified one
3. GETBulk, which retrieves a large amount of object data

SNMP SET writes a value to an object

SNMP Notifications

SNMP Notifications are unsolicited notifications sent to the NMS. There are two types of Notifications, TRAPS and INFORMS
1. TRAPS are unreliable, no ACKs are sent back
2. INFORMS are ACKed

SNMP Notifications (TRAPS and INFORMS) are sent over UDP port 162 (SNMP Polling GET/SET messages use UDP port 161)


SNMP Versions

SNMP Versions :

1. SNMPv1 - full Internet standard. Community-based authentication
2. SNMPv2c - introduces the GETBulk operation. Authentication based on community-strings, same as with version 1
3. SNMPv3 - lots of security enhancements. Message Integrity (HMAC MD5/SHA), Encryption (originally DES). Authentication based on usernames


SNMP Security Model

The SNMPv3 Security Model defines three different Security Levels :
1. noAuthNoPriv - no encryption; authentication based on usernames
2. authNoPriv - no encryption; authentication based on HMAC MD5/SHA
3. authPriv - DES for encryption; authentication based on HMAC MD5/SHA

3DES & AES are now supported
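Added example, not from the deck: how SNMPv3 turns a user's password into the per-agent key behind authNoPriv/authPriv (RFC 3414 password-to-key and key localization with the snmpEngineID) and how the HMAC-96 message integrity check works. The RFC's own test vector ("maplesyrup", engine ID 00..02) is used so the printed keys can be compared with RFC 3414 Appendix A; the message bytes are constructed.

```python
import hashlib
import hmac

# Security levels listed on the slide, in increasing strength.
SECURITY_LEVELS = ("noAuthNoPriv", "authNoPriv", "authPriv")
_HASH = {"md5": hashlib.md5, "sha": hashlib.sha1}


def password_to_ku(password, algo="md5"):
    """RFC 3414 A.2: Ku = H(password repeated to exactly 1,048,576 bytes)."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    h = _HASH[algo]()
    reps, rem = divmod(1048576, len(pw))
    h.update(pw * reps + pw[:rem])
    return h.digest()


def localize(ku, engine_id, algo="md5"):
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku).  The agent only ever holds Kul,
    which differs per engine ID, so a key read from one device does not open another."""
    return _HASH[algo](ku + engine_id + ku).digest()


def auth_params(kul, wire_msg, algo="md5"):
    """HMAC-96: msgAuthenticationParameters is the first 12 bytes of HMAC(Kul, wholeMsg),
    computed with those 12 bytes zeroed in the message (the caller passes it that way)."""
    return hmac.new(kul, wire_msg, _HASH[algo]).digest()[:12]


def verify(kul, wire_msg, received, algo="md5"):
    """Receiver-side check of msgAuthenticationParameters (constant-time compare)."""
    return hmac.compare_digest(auth_params(kul, wire_msg, algo), received)


if __name__ == "__main__":
    # RFC 3414 A.3 sample: password "maplesyrup", engine ID 00 00 00 00 00 00 00 00 00 00 00 02.
    engine = bytes.fromhex("000000000000000000000002")
    for algo in ("md5", "sha"):
        ku = password_to_ku("maplesyrup", algo)
        print(algo, "Ku ", ku.hex())
        print(algo, "Kul", localize(ku, engine, algo).hex())
    # Constructed message: the same Kul verifies it, a key localized for another engine does not.
    msg = b"\x30\x2a" + b"\x00" * 40          # constructed stand-in for a BER-encoded SNMPv3 message
    kul_a = localize(password_to_ku("maplesyrup"), engine)
    kul_b = localize(password_to_ku("maplesyrup"), bytes.fromhex("000000000000000000000003"))
    tag = auth_params(kul_a, msg)
    print("same engine:", verify(kul_a, msg, tag), "other engine:", verify(kul_b, msg, tag))
```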

SNMP Configuration

The main command


snmp-server

SNMP Polling
snmp-server community [ro|rw]

SNMP Notifications
snmp-server enable traps
snmp-server host [traps|informs]


Example SNMP Configuration

SNMP Polling

snmp-server community ipexpert rw

SNMP Notifications

snmp-server enable traps bgp
snmp-server host 10.1.1.1 inform version 2c ipexpert


Configuration Verification
show snmp - Displays the status of SNMP communications
show snmp host - Displays information about the NMS and SNMP Notifications
show snmp community - Displays SNMP Communities


10.06 Implement Cisco IOS Embedded Event Manager

EEM

Flexible framework for monitoring system events

Event -> Action mechanism

EEM Components :
1. Event Detector (monitored component)
2. EEM Policy (defines actions)
3. Event Manager Server (an interface between Event Detector and EEM Policy)


EEM Event Detectors

CLI - monitors CLI-typed commands based on regular expressions
Syslog - allows screening syslog messages for configured regular expressions, just like the CLI ED
Interface Counter - monitors interface counters and reacts when a threshold is crossed
SNMP - allows monitoring the values of different SNMP MIB objects
None - the None Event Detector publishes an event when the event manager run command is executed


EEM Event Policies

Executing a CLI command
Generating a Syslog Message
Generating an SNMP Trap
Setting or modifying a named Counter

EEM Configuration

Two types of EEM policies :
- Applet (the one we are going to examine)
- Script

Create an applet
event manager applet

Inside an applet define an Event Detector
event

And specify a policy
action


EEM Configuration

Remember that policies can also refer to the so-called Environment Variables

These variables are built-in and have a pre-defined meaning. You refer to them using a $ sign

Example Environment Variables :
_cli_msg - the fully expanded message that triggered the CLI event
_cli_msg_count - the number of times that a message match occurred before the event was published
_syslog_msg - the Syslog message that triggered the event

Example EEM Configuration

Example applet #1

event manager applet EEM_SHRUN_APP
event cli pattern "show run.*" sync yes
action 1.0 syslog msg "$_cli_msg Cmd Executed"
set 2.0 _exit_status 1

Example applet #2

event manager applet EEM_IFDOWN_APP
event syslog pattern "Interface Loop.*, changed .*administratively down"
action 1.0 cli command "sh ssh"


Configuration Verification
show event manager - Displays information about EEM Event Detectors
debug event manager - Displays the debugging output of the EEM process
show event manager policy registered - Displays already registered EEM policies


10.07 Implement Remote Monitoring (RMON)

RMON

An additional MIB module

Alarms are generated after a particular threshold is reached

Two methods of measuring MIB variables :
1. Absolute Sampling - reads the current value
2. Delta Sampling - measures the change in value


RMON Groups
1. Statistics - contains interface statistics measured by the probe
2. History - stores periodic statistical samples
3. Alarm - takes statistical samples from variables. If the configured threshold is crossed, an event is generated
4. Host - contains information about each discovered host
5. HostTopN - contains sorted host statistics
6. Matrix - holds statistics for conversations between two hosts
7. Filter - used to create filters to match only specific packets
8. Capture - allows capturing packets based on previously created filters
9. Event - triggered by alarms
RMON Configuration

Create an event
rmon event nr [log|trap community]

Create an alarm
rmon alarm nr var interval [delta|absolute] rising-threshold falling-threshold


Example RMON Configuration

rmon alarm 1 ifEntry.20.1 7 delta rising-threshold 15 5 falling-threshold 0
rmon event 5 log description Counter increased by 15
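Added example (not part of the deck) that models the alarm above in Python: delta sampling of ifEntry.20.1 every 7 seconds, rising-threshold 15 firing event 5, falling-threshold 0 re-arming it. The counter readings are constructed; the one-shot/hysteresis behaviour follows the RMON MIB definition of rising and falling events.

```python
class RmonAlarm:
    """Model of an 'rmon alarm' entry: samples a MIB variable every <interval> seconds,
    compares it (absolute) or its change (delta) with the thresholds, and fires events
    with RFC 2819 hysteresis: after a rising event no further rising event is generated
    until the value has come back down to the falling threshold, and vice versa."""

    def __init__(self, interval, sample_type, rising, falling,
                 rising_event=None, falling_event=None, startup="risingOrFalling"):
        if sample_type not in ("absolute", "delta"):
            raise ValueError("sample type must be absolute or delta")
        if falling > rising:
            raise ValueError("falling threshold must not exceed rising threshold")
        self.interval, self.sample_type = interval, sample_type
        self.rising, self.falling = rising, falling
        self.events = {"rising": rising_event, "falling": falling_event}
        self.startup = startup
        self.prev_raw = None        # last raw counter value (delta mode)
        self.last_event = None      # "rising", "falling" or None (startup state)

    def sample(self, raw):
        """Feed one sampled value; return ("rising"|"falling", event_nr) or None."""
        if self.sample_type == "delta":
            if self.prev_raw is None:           # a delta needs two raw samples
                self.prev_raw = raw
                return None
            value, self.prev_raw = raw - self.prev_raw, raw
        else:
            value = raw
        if value >= self.rising and self._armed("rising"):
            return self._fire("rising")
        if value <= self.falling and self._armed("falling"):
            return self._fire("falling")
        return None

    def _armed(self, kind):
        if self.last_event is None:             # first comparison: alarmStartupAlarm decides
            return self.startup in (kind, "risingOrFalling")
        return self.last_event != kind          # afterwards only the opposite direction is armed

    def _fire(self, kind):
        self.last_event = kind
        return kind, self.events[kind]


def run_alarm(alarm, samples):
    """Apply a series of samples; return [(sample_index, kind, event_nr), ...]."""
    fired = []
    for i, raw in enumerate(samples):
        hit = alarm.sample(raw)
        if hit:
            fired.append((i, hit[0], hit[1]))
    return fired


# The slide's entry: rmon alarm 1 ifEntry.20.1 7 delta rising-threshold 15 5 falling-threshold 0
SLIDE_ALARM = dict(interval=7, sample_type="delta", rising=15, falling=0, rising_event=5)

# Constructed ifOutErrors readings taken every 7 seconds.
SAMPLE_COUNTER = [100, 110, 130, 140, 140, 160]

if __name__ == "__main__":
    for idx, kind, ev in run_alarm(RmonAlarm(**SLIDE_ALARM), SAMPLE_COUNTER):
        print("sample %d: %s threshold crossed, event %s" % (idx, kind, ev))
```

Note that the rising event fires again only after a zero delta has crossed the falling threshold; a counter that keeps climbing fires event 5 once.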


Configuration Verification
show rmon alarm - Displays the contents of the router's RMON alarm table
show rmon event - Displays the contents of the router's RMON event table


10.08 Implement FTP


FTP

Cisco IOS does NOT support an FTP server

FTP Client is supported (file transfer, core dumps)

The following FTP characteristics are available :
1. Passive-mode FTP (ip ftp passive)
2. User name (ip ftp username)
3. Password (ip ftp password)
4. Source Interface (ip ftp source-interface)


FTP Modes

FTP always uses TCP port 21 for the control channel. The data port varies and depends on the FTP Mode

Active Mode :
FTP client specifies its port using a PORT command
FTP server initiates the data connection from TCP port 20 to the port specified inside the PORT command

Passive Mode :
FTP Client sends a PASV command
Server responds with an ephemeral port number and the FTP client initiates the data connection
TCP Port 20 is not used
FTP Configuration

For File Transfer configure at least a username and password
ip ftp username
ip ftp password

To initiate the transfer use the copy command with the ftp keyword

For Core Dumps specify FTP as the transfer protocol and add the server's location
exception protocol ftp
exception dump IP_addr


Example FTP Client Configuration

ip ftp username ipexpert
ip ftp password cciers
ip ftp passive
ip ftp source-interface l0

exception protocol ftp
exception dump 192.168.1.1


Configuration Verification
show exception - Displays current Exception configuration
debug ip tcp transactions - Displays information on significant TCP transactions


10.09 Implement TFTP
10.10 Implement TFTP Server on router

TFTP

Cisco IOS can act as a TFTP Server and Client

TFTP Server functionality is typically used for system image and configuration file transfers

Although the TFTP protocol itself does not support any security mechanisms, Cisco IOS provides a basic form of limiting the scope of users accessing a file using an Access Control List

TFTP works over UDP port 69. The actual data transfer, however, uses an ephemeral port


TFTP Mechanics

Client sends a Read Request (RRQ) or Write Request (WRQ) packet to the server

An ephemeral port for data is opened on the server side

The server responds with an ACK (for WRQ) or the first data packet (for RRQ)

Data is sent in fixed-length blocks of 512B. Each block must be ACKed before the next one is sent

A data packet shorter than 512B signals termination of the connection
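Added example, not from the deck, that plays both sides of the exchange described above in memory: RRQ to UDP 69, the server answering from an ephemeral port (TID), 512-byte DATA blocks each acknowledged before the next, a short final block ending the transfer, and an allow-list standing in for the ACL on tftp-server. File contents and addresses are constructed.

```python
import struct

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK = 512          # fixed data block size; a shorter block ends the transfer
TFTP_PORT = 69       # requests go here; the data exchange moves to ephemeral ports (TIDs)


def encode_request(opcode, filename, mode="octet"):
    return struct.pack("!H", opcode) + filename.encode() + b"\0" + mode.encode() + b"\0"


def encode_data(block, payload):
    return struct.pack("!HH", DATA, block) + payload


def encode_ack(block):
    return struct.pack("!HH", ACK, block)


def encode_error(code, message):
    return struct.pack("!HH", ERROR, code) + message.encode() + b"\0"


def decode(pkt):
    """Return a tuple starting with the opcode; raise ValueError on malformed input."""
    if len(pkt) < 4:
        raise ValueError("short TFTP packet")
    op, = struct.unpack("!H", pkt[:2])
    if op in (RRQ, WRQ):
        fields = pkt[2:].split(b"\0")
        if len(fields) < 3:
            raise ValueError("malformed request")
        return op, fields[0].decode(), fields[1].decode().lower()
    arg, = struct.unpack("!H", pkt[2:4])
    if op == DATA:
        return op, arg, pkt[4:]
    if op == ACK:
        return op, arg
    if op == ERROR:
        return op, arg, pkt[4:].split(b"\0")[0].decode()
    raise ValueError("unknown opcode %d" % op)


class TftpServer:
    """Read-only model of the router's TFTP server (WRQ handling is symmetric).
    'permitted' plays the role of the ACL given to 'tftp-server ... <acl_nr>'."""

    def __init__(self, files, permitted):
        self.files, self.permitted = files, set(permitted)
        self.next_tid = 49152
        self.transfers = {}                 # (client, server_tid) -> {"data", "block"}

    def receive(self, client, dst_port, pkt):
        """Deliver one datagram from client=(ip, port); return (src_port, reply) or None."""
        decoded = decode(pkt)
        if dst_port == TFTP_PORT:
            if decoded[0] != RRQ:
                return TFTP_PORT, encode_error(4, "Illegal TFTP operation")
            _, name, _mode = decoded
            if client[0] not in self.permitted:
                return TFTP_PORT, encode_error(2, "Access violation")
            if name not in self.files:
                return TFTP_PORT, encode_error(1, "File not found")
            tid, self.next_tid = self.next_tid, self.next_tid + 1   # ephemeral port
            self.transfers[(client, tid)] = {"data": self.files[name], "block": 1}
            return tid, self._data(client, tid)
        state = self.transfers.get((client, dst_port))
        if state is None:
            return dst_port, encode_error(5, "Unknown transfer ID")
        if decoded[0] != ACK or decoded[1] != state["block"]:
            return dst_port, self._data(client, dst_port)          # retransmit current block
        if len(self._chunk(state)) < BLOCK:                         # short block was ACKed: done
            del self.transfers[(client, dst_port)]
            return None
        state["block"] += 1
        return dst_port, self._data(client, dst_port)

    def _chunk(self, state):
        start = (state["block"] - 1) * BLOCK
        return state["data"][start:start + BLOCK]

    def _data(self, client, tid):
        state = self.transfers[(client, tid)]
        return encode_data(state["block"], self._chunk(state))


def tftp_read(server, client, filename):
    """Drive a complete RRQ transfer against the model server; return (data, transcript)."""
    transcript, data, server_tid = [], b"", None
    reply = server.receive(client, TFTP_PORT, encode_request(RRQ, filename))
    while reply is not None:
        src_port, pkt = reply
        decoded = decode(pkt)
        if decoded[0] == ERROR:
            raise IOError("TFTP error %d: %s" % (decoded[1], decoded[2]))
        server_tid = server_tid or src_port     # lock onto the server's ephemeral port
        _, block, payload = decoded
        data += payload
        transcript.append(("DATA", block, len(payload)))
        transcript.append(("ACK", block))
        reply = server.receive(client, server_tid, encode_ack(block))
    return data, transcript


# Constructed 1200-byte "image": expect blocks of 512, 512 and a final short block of 176.
SAMPLE_FILES = {"image2": bytes(range(256)) * 4 + b"\x00" * 176}

if __name__ == "__main__":
    srv = TftpServer(SAMPLE_FILES, permitted=["10.1.1.1"])
    content, log = tftp_read(srv, ("10.1.1.1", 13009), "image2")
    print(len(content), "bytes in", len(log) // 2, "blocks")
    for entry in log:
        print(entry)
```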

TFTP Configuration

The TFTP Server is essentially one command
tftp-server [alias] [acl_nr]

For the TFTP Client use the copy command with the tftp keyword

A connection source interface can also be configured
ip tftp source-interface


Example TFTP Configuration

TFTP Server (192.0.2.1)

access-list 20 permit host 10.1.1.1
tftp-server flash:c1841-advsecurityk9-mz.124-8.bin alias image2 20

TFTP Client

int loopback 1
ip add 10.1.1.1 255.255.255.0
ip tftp source-interface loopback 1
copy tftp://192.0.2.1/image2 flash


Configuration Verification
debug tftp

- Displays TFTP debugging information


10.11 Implement Secure Copy Protocol (SCP)

SCP

Secure method of transferring files (encryption and authentication)

Relies on the SSH protocol, runs on TCP port 22

AAA Authentication and authorization must be configured

Has since been superseded by SFTP

SCP Configuration

AAA and SSH are prerequisites

SSH
hostname
ip domain-name
crypto key generate rsa

AAA authentication and authorization
aaa new-model
aaa authentication login
aaa authorization exec

Enable SCP Server
ip scp server enable

For the SCP Client use the copy command with the scp keyword

Example SCP Configuration

SCP Server (192.0.2.1)

    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local
    username ipexpert privilege 15 password cciers
    hostname Europe
    ip domain-name ipexpert.com
    crypto key generate rsa
    ip scp server enable

SCP Client

    copy scp://ipexpert@192.0.2.1/file1 flash:/file1

Two things a production configuration would change: username ... password stores the password reversibly (type 7 at best), so use the secret keyword instead so only a hash is kept; and give crypto key generate rsa an explicit modulus of at least 2048 bits rather than accepting the default.



Configuration Verification

    debug ip scp    - Displays information for troubleshooting SCP authentication


10.12 Implement HTTP and HTTPS

HTTP

Application-layer protocol used for browsing web pages

Client-server architecture, request-response model

HTTP/1.0 opens a separate TCP session for each request (unless both sides agree on Connection: keep-alive)

HTTP/1.1 keeps one TCP session open for multiple requests by default, called a persistent connection; either side ends it with Connection: close. This is what is widely deployed now


HTTP Operations

Nine HTTP methods are defined (the eight of RFC 2616 plus PATCH)

The two most common ones are HTTP GET and HTTP POST

HTTP GET is used to request a specific resource; it should not change server state, and its parameters travel in the URL, where they end up in browser history and proxy logs

HTTP POST is used to submit data to the server (e.g. from an HTML form); the data is carried in the request body

HTTP uses TCP port 80 by default
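The request format and the persistent-connection rules of the two preceding slides, as an added example that is not part of the original course material: a small HTTP/1.x request parser that extracts method, target, version, headers and a Content-Length delimited body, rejects anything it does not understand, and decides whether the TCP session stays open under HTTP/1.0 versus HTTP/1.1 semantics. The three requests at the bottom are constructed samples, and the 1 MiB body limit is an assumption for the example.

```python
"""Minimal HTTP/1.x request parser: GET vs POST, and whether the TCP
connection persists after the request (HTTP/1.0 vs HTTP/1.1 rules).
Added example; sample requests below are constructed, not captured."""
from dataclasses import dataclass, field

# RFC 2616 methods plus PATCH (RFC 5789); anything else is rejected outright.
KNOWN_METHODS = {"OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE",
                 "TRACE", "CONNECT", "PATCH"}
MAX_BODY = 1 << 20  # assumed limit for this example: refuse bodies over 1 MiB


@dataclass
class Request:
    method: str
    target: str
    version: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def parse_request(raw: bytes) -> Request:
    """Parse request line, headers and a Content-Length delimited body.
    Raises ValueError on anything malformed instead of guessing."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.split(b"\r\n")
    parts = lines[0].decode("ascii", "strict").split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, version = parts
    if method not in KNOWN_METHODS:
        raise ValueError("unknown method %r" % method)
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        raise ValueError("unsupported version %r" % version)
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.decode("ascii", "strict").partition(":")
        if not colon or not name.strip():
            raise ValueError("malformed header line")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    try:
        length = int(headers.get("content-length", "0"))
    except ValueError:
        raise ValueError("non-numeric Content-Length")
    if length < 0 or length > MAX_BODY:
        raise ValueError("unacceptable Content-Length %d" % length)
    if len(rest) < length:
        raise ValueError("body truncated")
    return Request(method, target, version, headers, rest[:length])


def keep_alive(req: Request) -> bool:
    """HTTP/1.0: a new TCP session per request unless Connection: keep-alive.
    HTTP/1.1: the connection is persistent unless Connection: close."""
    conn = req.headers.get("connection", "").lower()
    if req.version == "HTTP/1.0":
        return conn == "keep-alive"
    return conn != "close"


def is_acceptable(raw: bytes) -> bool:
    """True if the request parses cleanly, False on any parse error."""
    try:
        parse_request(raw)
        return True
    except ValueError:
        return False


# Constructed sample requests (not captured traffic).
GET_10 = b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
POST_11 = (b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\n"
           b"Content-Length: 27\r\n\r\n"
           b"user=ipexpert&password=ccie")
GET_11_CLOSE = b"GET /logout HTTP/1.1\r\nHost: www.example.com\r\nConnection: close\r\n\r\n"

if __name__ == "__main__":
    for raw in (GET_10, POST_11, GET_11_CLOSE):
        r = parse_request(raw)
        print(r.method, r.target, r.version, "body=%r" % r.body,
              "keep-alive=%s" % keep_alive(r))
```

The parser deliberately fails closed: an unknown method, a non-numeric or oversized Content-Length, or a body shorter than declared all raise rather than being silently accepted, which is the behaviour you want in front of anything that will later trust the parsed fields.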


HTTPS

HyperText Transfer Protocol Secure

HTTP + SSL/TLS

Normally only the server authenticates itself (one-way authentication with its certificate); the client is authenticated at the application layer, e.g. by logging in. This is sufficient for most deployments, but only if the client actually validates the certificate chain and host name. TLS also supports mutual authentication with client certificates

HTTPS URLs begin with https:// as opposed to http://

HTTPS uses TCP port 443 by default


HTTP Configuration

Enable the HTTP server:
    ip http server

HTTP authentication:
    ip http authentication [local|aaa]

Restrict remote management access:
    ip http access-class

A user should have privilege level 15 assigned (AAA authorization)

For lower levels use http://server_IP/level/priv_lvl/exec

The plain HTTP server sends the management credentials and every command in clear text; on a production device leave it disabled and use the HTTPS server with an access-class instead


HTTPS Configuration

Disable the HTTP server (not required, but recommended so management traffic cannot fall back to clear text):
    no ip http server

Enable the HTTPS server (a self-signed certificate is generated if no trustpoint is configured):
    ip http secure-server

Change the default port (optional):
    ip http secure-port

Specify the cipher suites (optional):
    ip http secure-ciphersuite


Example HTTP & HTTPS Configuration

HTTP Server

    username ipexpert privilege 15 password ipexpert
    access-list 2 permit host 10.1.1.1
    ip http server
    ip http port 8080
    ip http access-class 2
    ip http authentication local

HTTPS Server

    ip http secure-server
    ip http secure-port 8443

Configuration Verification

    show ip http server [status]       - Displays details about the current configuration of the HTTP server
    show ip http server secure status  - Displays the status of the HTTPS server configuration


10.13 Implement Telnet


Telnet

Telnet is a terminal emulation protocol

Can be used for remote management, providing CLI access to the remote host

Client-server architecture

Some of the Telnet options supported by the Cisco implementation are:
    - Remote Echo
    - Terminal Type
    - Terminal Speed
    - Remote Flow Control

Telnet uses TCP port 23

Everything, including the login password, crosses the network in clear text; on production devices prefer SSH and keep Telnet only where SSH is unavailable
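The option negotiation behind the list above, as an added example that is not part of the original slides: a client-side routine that separates Telnet IAC command sequences from terminal data and answers DO/WILL for a whitelist of options (the four the slide names plus Suppress Go Ahead), refusing everything else with WONT/DONT. The option numbers are the IANA assignments; the server byte streams used are constructed, and the stateless reply logic is a simplification noted in the docstring.

```python
"""Telnet option negotiation (RFC 854): split IAC commands from terminal data,
accept whitelisted options, refuse the rest. Added example; the server byte
streams below are constructed rather than captured."""
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
OPT_ECHO, OPT_SGA, OPT_TTYPE, OPT_TSPEED, OPT_LFLOW = 1, 3, 24, 32, 33

# Options this client is willing to negotiate; any other option is refused.
SUPPORTED = {OPT_ECHO, OPT_SGA, OPT_TTYPE, OPT_TSPEED, OPT_LFLOW}


def negotiate(stream: bytes):
    """Return (terminal_data, reply) for a chunk received from the server.
      DO x    -> WILL x if x is supported, else WONT x
      WILL x  -> DO x if x is supported, else DONT x
      DONT x  -> WONT x   (a request to disable must always be honoured)
      WONT x  -> DONT x
      IAC IAC -> a literal 0xFF data byte
      IAC SB ... IAC SE -> subnegotiation, dropped by this example
    A production client keeps per-option state (RFC 1143) so that a refusal
    is never answered with another request, which could loop forever."""
    data = bytearray()
    reply = bytearray()
    i, n = 0, len(stream)
    while i < n:
        b = stream[i]
        if b != IAC:
            data.append(b)
            i += 1
            continue
        if i + 1 >= n:
            raise ValueError("truncated IAC sequence")
        cmd = stream[i + 1]
        if cmd == IAC:
            data.append(IAC)
            i += 2
        elif cmd in (DO, DONT, WILL, WONT):
            if i + 2 >= n:
                raise ValueError("truncated option negotiation")
            opt = stream[i + 2]
            if cmd == DO:
                reply += bytes([IAC, WILL if opt in SUPPORTED else WONT, opt])
            elif cmd == WILL:
                reply += bytes([IAC, DO if opt in SUPPORTED else DONT, opt])
            elif cmd == DONT:
                reply += bytes([IAC, WONT, opt])
            else:
                reply += bytes([IAC, DONT, opt])
            i += 3
        elif cmd == SB:
            end = stream.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                raise ValueError("unterminated subnegotiation")
            i = end + 2
        else:
            i += 2  # NOP, GA, AYT and friends carry no option byte
    return bytes(data), bytes(reply)


# Constructed server stream: DO TERMINAL-TYPE, WILL ECHO, DO NEW-ENVIRON (39,
# not in our whitelist), then a prompt containing an escaped 0xFF byte.
SERVER_HELLO = (bytes([IAC, DO, OPT_TTYPE, IAC, WILL, OPT_ECHO, IAC, DO, 39])
                + b"login: " + bytes([IAC, IAC]))

if __name__ == "__main__":
    shown, answer = negotiate(SERVER_HELLO)
    print("to terminal:", shown)
    print("to server:  ", answer.hex(" "))
```

Refusing unknown options by default matters on a security-sensitive client: NEW-ENVIRON, for instance, lets a server ask for environment variables, and a client that accepted every DO would leak whatever it was asked for.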


Telnet Configuration

Enabling password-based Telnet access (line-mode subcommands):
    password
    login

Username-based authentication with a local database:
    login local

Username-based authentication with AAA enabled:
    login authentication

To additionally listen on the non-standard ports 3000+n, 5000+n and 7000+n, where n is the rotary group number:
    rotary

Telnet client settings:
    ip telnet

Example Telnet Configuration

Password-based Telnet authentication

    line vty 0 4
     password ipexpert
     login

Username-based Telnet authentication with local database

    username ipexpert password cciers
    line vty 0 4
     login local


Configuration Verification

    show users        - Displays information about the active lines and user location
    show terminal     - Displays the settings of the current terminal line
    show tcp [brief]  - Displays the status of TCP connections


End of Section 10.0

IPexperts CCIE R&S Written Video on Demand Series: Addendum

Exam Overview

The exam is 2 hours long and consists of multiple-choice questions and simulations (approx. 100 in total)

No reference materials are allowed (not even the Cisco documentation)

The Blueprint:
    Cisco Certifications: www.cisco.com/go/certifications
    www.cisco.com/go/ccie

A Cisco Connection Online (CCO) account is required


Exam Overview cont.

Two changes were announced in February 2009:
    - Going back to any of the previous questions is not allowed
    - The overall exam score is reported on a scale of 300-1000

Possible exam question formats:
    - Multiple-choice single answer
    - Multiple-choice multiple answer
    - Drag-and-drop
    - Fill-in-the-blank
    - Testlet
    - Simlet
    - Simulations


Exam Policy

At least 5 calendar days must elapse between written exam attempts

Exams are not refundable

The lab exam must be attempted within 18 months of passing the written exam

The entire exam content is Cisco's intellectual property

You must accept the terms and conditions of the Cisco Certification and Confidentiality Agreement during registration and prior to testing


Reference Books

CCIE Routing & Switching Exam Certification Guide, 4th edition by Wendell Odom, Rus Healy, Denise Donohue

Routing TCP/IP by Jeff Doyle and Jennifer Carroll

CCNP BCMSN Official Exam Certification Guide, 4th edition by David Hucaby

Cisco LAN Switching by Kennedy Clark, Kevin Hamilton

Deploying IPv6 Networks by Ciprian Popoviciu, Eric Levy-Abegnoli, Patrick Grossetete

Reference Books cont.

Developing IP Multicast Networks, Vol. I by Beau Williamson

MPLS Fundamentals by Luc De Ghein

Network Security Technologies and Solutions by Yusuf Bhaiji

Cisco QOS Exam Certification Guide (IP Telephony Self-Study), 2nd Edition by Wendell Odom and Michael Cavanaugh

Preparation Timeline

Everyone is different

Set yourself a rough date and try to stick to it

Be prepared for sacrifices

Study in a consistent fashion: when you learn actively you tend to forget less

Repeat the material often (spaced repetition)


Strategy

If you have already seen the product, assess your knowledge: do the quizzes. If you have not started yet, take notes while going through the videos and try to understand the technology first

Incorporate books and the documentation (especially in areas where you are weak). Do the quizzes and review the material

When the question wording is vague, try to eliminate the answers you know are bad

Use the whiteboard (topologies, calculations)



Good Luck!
