
In the latest Cisco Packet Tracer (7.2.1) some CLI commands do not exist.


Route 300-101
1. EIGRP
1.1. Introduction:

1.1.1. Basic Information:


- Cisco proprietary IGP (interior gateway protocol)
- Distance-vector routing protocol, sometimes called a hybrid routing protocol (no global view of the topology)
- Routing inside an autonomous system (AS)
- Uses RTP (Reliable Transport Protocol)
- AD = 90 (administrative distance)
- Supports VLSM
- Multicast address 224.0.0.10 (for neighbors)
- Able to compute a backup path (a second path for every best path)
- Load balancing, including unequal-cost load balancing
- Sends an update only when something changes, and only for the route that changed
- Fast convergence, and less demanding on resources (RAM and CPU)

1.1.2. Messages:

Hello: used to detect neighbors; sent every 5 sec by default. After three hellos (15 sec) without response, the neighbor is considered down. The hello message is sent to multicast address 224.0.0.10.

R1 (config) # interface serial 0/0/0
R1 (config-if) # ip hello-interval eigrp 90 50
R1 (config-if) # ip hold-time eigrp 90 150

Update: update messages are also sent to the multicast address; to a new neighbor they are sent as unicast.

Query: message used to look for a route to a specific network.

Reply: the response to a query.

ACK: acknowledgment of update, query and reply messages (not of hello).

1.1.3. Metric:

K1: bandwidth
K2 & K4: reliability
K3: delay
K5: load (charge)
These K parameters take the value 0 or 1.

$BW' = \dfrac{10^7}{BW}$

$\text{Metric} = [\text{Lowest } BW' + \text{all link delay}]$

1.1.4. Terminology:

Feasible Distance FD: the total distance to reach a destination.

Advertised Distance AD or RD (reported distance): the distance announced by the neighbor.

FD = RD (or AD) + metric

Successor: the next hop of the best route.

Feasible successor FS: the backup next hop (if the successor goes down, the feasible successor becomes the successor).

1.1.5. Tables:

Neighbors table: R1 # show ip eigrp neighbors

Topology table: R1 # show ip eigrp topology

P 10.2.0.0/22, 1 successor, FD is 409600
via 172.16.1.2 (FD1 409600 / AD1 128256), fa0/0
via 172.16.1.3 (FD2 435200 / AD2 17496), fa0/1

AD2 < FD, so the path via 172.16.1.3 is a feasible successor FS.

P = passive, which means the router can forward to this network (A = active means it cannot, and a query message is ready to be sent).

Routing table: R1 # show ip route

EIGRP's symbol in the routing table is D; AD is 90 for internal routes.

1.2. Basic Configuration

Set network:

R1 (config) # router eigrp 90 (90 is an example autonomous system number AS)
R1 (config-router) # no auto-summary
R1 (config-router) # network (network address + wildcard mask, or without it)
R1 (config-router) # network 10.1.1.0 0.0.0.255
or
R1 (config-router) # network 10.1.1.1 0.0.0.0 (the interface IP address)
R1 (config-router) # redistribute static (if there is a static or default route)

Auto-summary:

R1 (config) # interface f0/0
R1 (config-if) # ip summary-address eigrp 90 10.1.0.0 255.255.252.0
(/22 is the summary of several /24 network addresses)

Passive interface:

R1 (config) # router eigrp 90
R1 (config-router) # passive-interface default (interfaces facing the access layer)
R1 (config-router) # no passive-interface f0/0 (interface that participates in the EIGRP process)

Load balancing:

R1 (config) # router eigrp 90
R1 (config-router) # variance 2
(the value 2 is used when interface f0/0 has twice the capacity of interface f0/1)
R1 (config-router) # traffic-share balanced

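As an added example (not from these notes), the composite metric of 1.1.3, the feasibility condition behind the topology table of 1.1.5, and the variance rule above, worked in Python. The K-value roles follow the classic Cisco formula (K1 bandwidth, K2 load, K3 delay, K4/K5 reliability); the topology entries are constructed from the numbers shown in 1.1.5.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Default K values of the classic formula: K1 = K3 = 1, K2 = K4 = K5 = 0.
DEFAULT_K = (1, 0, 1, 0, 0)


def eigrp_metric(min_bw_kbps: int, total_delay_us: int, load: int = 1,
                 reliability: int = 255, k: Tuple[int, ...] = DEFAULT_K) -> int:
    """Classic 32-bit EIGRP composite metric.

    BW' = 10^7 / (lowest bandwidth on the path, in kbps)
    DLY = sum of the interface delays on the path, in tens of microseconds
    metric = 256 * (K1*BW' + K2*BW'/(256-load) + K3*DLY) [* K5/(reliability+K4) if K5 != 0]
    """
    k1, k2, k3, k4, k5 = k
    bw = 10**7 // min_bw_kbps
    dly = total_delay_us // 10
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * dly
    if k5 != 0:
        metric = metric * k5 // (reliability + k4)
    return metric * 256


@dataclass
class TopologyEntry:
    """One 'via' line of 'show ip eigrp topology' for a single prefix."""
    next_hop: str
    fd: int          # feasible distance: our total metric through this next hop
    rd: int          # reported (advertised) distance: the neighbor's own metric
    interface: str


def successor_and_feasible(entries: List[TopologyEntry]):
    """Return (successor, [feasible successors]).

    The successor is the entry with the lowest FD. Another entry is a feasible
    successor only if its RD is strictly lower than the successor's FD (the
    feasibility condition), which guarantees the backup path is loop-free.
    """
    successor = min(entries, key=lambda e: e.fd)
    feasible = [e for e in entries if e is not successor and e.rd < successor.fd]
    return successor, feasible


def unequal_cost_paths(entries: List[TopologyEntry], variance: int) -> List[TopologyEntry]:
    """Paths installed with 'variance N': the successor plus every feasible
    successor whose FD is at most N times the successor's FD."""
    successor, feasible = successor_and_feasible(entries)
    return [successor] + [e for e in feasible if e.fd <= variance * successor.fd]


# Constructed topology table, using the numbers shown in section 1.1.5.
TOPOLOGY_10_2_0_0 = [
    TopologyEntry("172.16.1.2", fd=409600, rd=128256, interface="fa0/0"),
    TopologyEntry("172.16.1.3", fd=435200, rd=17496, interface="fa0/1"),
]

if __name__ == "__main__":
    print("FastEthernet, one hop:", eigrp_metric(100000, 100))    # 28160
    print("T1 serial, one hop:", eigrp_metric(1544, 20000))       # 2169856
    succ, fs = successor_and_feasible(TOPOLOGY_10_2_0_0)
    print("successor:", succ.next_hop, "feasible successors:", [e.next_hop for e in fs])
    print("variance 2 paths:", [e.next_hop for e in unequal_cost_paths(TOPOLOGY_10_2_0_0, 2)])
```

With variance 1 only the successor is installed; with variance 2 the path via 172.16.1.3 (435200 <= 2 x 409600) is added, but a path whose RD fails the feasibility condition is never used, whatever the variance.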
1.3. Frame Relay (Hub and Spoke)

Configuration of the interface & sub-interface

R1 (config) # interface s0/0/0
R1 (config-if) # no ip address
R1 (config-if) # encapsulation frame-relay ietf
R1 (config-if) # frame-relay lmi-type ansi

R1 (config) # interface s0/0/0.1 multipoint
R1 (config-subif) # ip address 172.16.1.1 255.255.255.0
R1 (config-subif) # frame-relay map ip 172.16.1.2 102 broadcast
R1 (config-subif) # frame-relay interface-dlci 102
R1 (config-subif) # frame-relay map ip 172.16.1.3 103 broadcast
R1 (config-subif) # frame-relay interface-dlci 103
R1 (config-subif) # no ip split-horizon eigrp 90
R1 (config-subif) # ip bandwidth-percent eigrp 90 80

- broadcast: needed because Frame Relay is an NBMA network (non-broadcast multi-access)
- Split horizon: this function stops an update from being sent back toward its source (it must be disabled here)
- EIGRP by default uses only 50% of the bandwidth (with 2 spoke routers, 50% / 2 = 25% each); in case of bandwidth problems, force it to 80% (80% / 2 = 40% each)

R2 (config) # interface s0/0/0
R2 (config-if) # ip address 172.16.1.2 255.255.255.0
R2 (config-if) # encapsulation frame-relay ietf
R2 (config-if) # frame-relay lmi-type ansi
R2 (config-if) # frame-relay interface-dlci 201
R2 (config-if) # frame-relay map ip 172.16.1.1 201 broadcast
R2 (config-if) # frame-relay map ip 172.16.1.3 201 broadcast

Summarization

R1 (config) # interface serial 0/0/0.1
R1 (config-subif) # ip summary-address eigrp 90 10.1.0.0 255.255.252.0

1.4. Authentication (Security)

To stop unauthorized routers from participating in the EIGRP process.

Configuration of the key validity periods

R1 (config) # key chain eigrp_keys
R1 (config-keychain) # key 1
R1 (config-keychain-key) # key-string cisco (cisco is the password)
R1 (config-keychain-key) # accept-lifetime 00:00:00 1 jan 2018 00:00:00 1 jan 2019
R1 (config-keychain-key) # send-lifetime 00:00:00 1 jan 2018 00:00:00 1 jan 2019
R1 (config-keychain) # key 2
R1 (config-keychain-key) # key-string labCisco (labCisco is the password)
R1 (config-keychain-key) # accept-lifetime 00:00:00 30 dec 2018 infinite
R1 (config-keychain-key) # send-lifetime 00:00:00 30 dec 2018 infinite

Configuration

R1 (config) # interface s0/0/0.1
R1 (config-subif) # ip authentication mode eigrp 90 md5
R1 (config-subif) # ip authentication key-chain eigrp 90 eigrp_keys
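Added example, not part of the notes: how the two-key chain above behaves over time (which key signs outgoing packets, which keys are accepted on incoming ones), assuming the IOS rule that the lowest-numbered key with a valid send-lifetime is used to send. The chain is constructed from the lifetimes above; comparing the key-string stands in for the MD5 digest check.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

INFINITE = datetime.max   # stands for the IOS keyword "infinite"


@dataclass
class Key:
    """One 'key N' entry of a key chain with its key-string and lifetimes."""
    number: int
    key_string: str
    accept_start: datetime
    accept_end: datetime
    send_start: datetime
    send_end: datetime


def send_key(chain: List[Key], now: datetime) -> Optional[Key]:
    """Key used to sign outgoing packets: the lowest-numbered key whose
    send-lifetime covers 'now' (assumed IOS behaviour: lowest valid key id)."""
    valid = [k for k in chain if k.send_start <= now < k.send_end]
    return min(valid, key=lambda k: k.number) if valid else None


def accept_keys(chain: List[Key], now: datetime) -> List[Key]:
    """Keys whose accept-lifetime covers 'now'; a received packet must carry
    the id of one of these and a digest computed with its key-string."""
    return [k for k in chain if k.accept_start <= now < k.accept_end]


def authenticates(chain: List[Key], now: datetime, key_id: int, key_string: str) -> bool:
    """Would a packet signed with (key_id, key_string) be accepted at 'now'?
    Matching the key-string here models recomputing and comparing the MD5 digest."""
    return any(k.number == key_id and k.key_string == key_string
               for k in accept_keys(chain, now))


# Constructed from the chain 'eigrp_keys' above: key 1 valid through 2018,
# key 2 from 30 Dec 2018 with no end. The two-day overlap is the rollover window.
EIGRP_KEYS = [
    Key(1, "cisco", datetime(2018, 1, 1), datetime(2019, 1, 1),
        datetime(2018, 1, 1), datetime(2019, 1, 1)),
    Key(2, "labCisco", datetime(2018, 12, 30), INFINITE,
        datetime(2018, 12, 30), INFINITE),
]

if __name__ == "__main__":
    for when in (datetime(2018, 6, 1), datetime(2018, 12, 31), datetime(2019, 2, 1)):
        sk = send_key(EIGRP_KEYS, when)
        print(when.date(), "send key:", sk.number if sk else None,
              "accept keys:", [k.number for k in accept_keys(EIGRP_KEYS, when)])
```

Every decision is made against the router's own clock, so the overlap only protects the adjacency if both routers keep correct time (NTP); a peer whose clock is still in 2018 on 2 January keeps sending key 1, which is then rejected.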

1.5. Stuck in Active (SIA)

Summarization

R1 (config) # interface serial 0/0/0
R1 (config-if) # ip summary-address eigrp 90 10.1.0.0 255.255.252.0

Router stub

Advertises only the networks that are directly connected.

R1 (config) # router eigrp 90
R1 (config-router) # eigrp stub ? connected, summary, leak-map, static, receive-only, redistributed, <cr>

By default, <cr> uses connected & summary.


1.6. EIGRP Route Filtering

Allows an engineer to filter which routes are advertised in EIGRP updates, for these reasons:

- Branch offices only need to communicate with HQ, not with each other
- Smaller routing tables
- Security

By ACL

R1 (config) # access-list 1 deny 172.16.1.0 0.0.0.255 (the route to block)
R1 (config) # access-list 1 permit any
R1 (config) # router eigrp 90
R1 (config-router) # distribute-list 1 out Serial0/0/0.1 (toward the router that should not receive the update)
R1 # show access-list

By Prefix-list

R1 (config) # ip prefix-list NAME_LIST deny 172.16.1.0/24 ge 24 le 24
R1 (config) # router eigrp 90
R1 (config-router) # distribute-list prefix NAME_LIST out Serial0/0/0.1
R1 # show ip prefix-list

By Route-map

R1 (config) # access-list 1 permit 172.16.1.0 0.0.0.255 (the route to block)
R1 (config) # route-map NAME_LIST deny 10
R1 (config-route-map) # match ip address 1
R1 (config) # route-map NAME_LIST permit 20 <cr>
R1 (config) # router eigrp 90
R1 (config-router) # distribute-list route-map NAME_LIST out Serial0/0/0.1
R1 # show route-map

2. OSPF
2.1. Introduction
2.1.1. Basic Information
- Good for large networks.
- Open standard IGP (interior gateway protocol).
- Routing inside an autonomous system (AS).
- Link-state routing protocol (global view of the topology).
- Fast convergence.
- Does not use a lot of bandwidth, but greedy in RAM and CPU.
- Supports VLSM.
- Not easy to implement.
- Separates the network into zones (areas) to lighten the load on routers (all zones must be connected to zone zero); Cisco recommends 50 routers per area.
- Multicast address 224.0.0.5 (for neighbors).
- Uses the Dijkstra algorithm to compute the best path.
- A router connected to two zones (areas) is called an ABR, area border router (able to summarize routes, distribute routes, and block link information from leaving the zone). An ASBR, autonomous system border router, is a router that also runs another routing protocol.
- Addressing must be hierarchical (for summarization between zones).
- AD = 110 (administrative distance).
- Equal-cost load balancing.
- $\text{metric (cost)} = \dfrac{10^8}{BW}$

2.1.2. Messages:

Hello: used to detect neighbors; sent every 10 sec by default. After four hellos (40 sec) without response, the neighbor is considered down. The hello message is sent to multicast address 224.0.0.5.

R1 (config) # interface f0/0
R1 (config-if) # ip ospf hello-interval 10
R1 (config-if) # ip ospf dead-interval 40

DBD (database description): summary of all the links the router knows. When a link is missing, the router asks for it with an LSR.

LSR (link state request): asks for more information about a link (answered with an LSA).

LSA (link state advertisement): the response to an LSR; an update containing information about a link.

LSU (link state update): carries one or more LSAs.

LSAck: acknowledgment for DBD, LSR, LSA and LSU (not for hello).

2.1.3. OSPF process:

- 1# determination of the router ID

Automatically, the router takes the highest IP address of a loopback interface; otherwise, the highest address of a physical interface.

Or manually, e.g.

R1 (config) # router ospf 1
R1 (config-router) # router-id + ip address (e.g. # router-id 1.1.1.1)
R1 # clear ip ospf process

For any change to the OSPF configuration to take effect, the OSPF process must be restarted (Cisco command above).

- 2# add interfaces to the OSPF process

Defines which interfaces send hello packets and on which interfaces the OSPF process operates.

- 3# sending of hello messages

For neighboring and creation of the relationship (*hello and dead timers, *network mask, *area ID...).

- 4# reception of hello messages

The starred fields (*) in step #3 must match for neighboring; if they do not match, the router ignores the hello message.

- 5# reply to hello

Already a neighbor: a REPLY is sent, this neighbor's dead timer is reset to 0, end of the process.

Not a neighbor yet: start of a new relationship -> move to step #6.

- 6# determination of Master and Slave

The router with the highest priority becomes the master DR (designated router); if equal, the highest router-id wins. After becoming master, a DBD message is sent to the others (topology); the BDR (backup designated router), the slave, does the same.

- 7# asking for more details about the topology

LSR and LSU are sent, with an LSAck between each LSR and LSU message.

- 8# synchronization of neighbors

After the master and slave have synchronized their databases, all information known by the master is known by the slave too.

Now the Dijkstra algorithm can run.

2.1.4. State of neighbors:

- Down: we have not received a Hello from the neighbor yet, but we are trying to reach it.
- Init: we received a Hello from the neighbor, but our router is not listed in its Neighbors field.
- 2-Way: the relationship is created (our router is listed in the Neighbors field). DR / BDR election if necessary.
- Exchange: exchange of DBD (Database Description).
- Loading: exchange of LSU (Link State Update).
- Full: databases synchronized (with the DR/BDR).

2.2. OSPF in multi-access network

In a multi-access network, OSPF can cause a big problem: the link gets overloaded with messages.

A DR (Designated Router) and a BDR (Backup Designated Router) are therefore recommended.

When a router wants to send an update, it sends it to the DR and BDR at 224.0.0.6.

The DR then replies to the other routers in multicast at 224.0.0.5.

Relationship with the DR / BDR: FULL

Relationship with DROthers: 2-Way


2.3. Basic configuration of OSPF
2.3.1. Configuration

R1 (config) # router ospf 1
R1 (config-router) # router-id 1.1.1.1
R1 (config-router) # network 172.16.1.0 0.0.0.255 area 0
R1 (config-router) # network 172.16.2.0 0.0.0.255 area 0
R1 # show ip ospf neighbor
R1 # show ip ospf database
R1 # show ip route
O IA 10.20.3.1 [110/66] via 172.16.1.2, 00:03:00, FastEthernet0/0

IA: means the route comes from another area ("inter area")

O: means learned via OSPF

To force R1 to become DR, configure the following:

R1 (config) # interface f0/0
R1 (config-if) # ip ospf priority 200

To prevent R1 from ever becoming DR or BDR, or even participating in the DR/BDR election, set the priority to zero:

R1 (config) # interface f0/0
R1 (config-if) # ip ospf priority 0

2.3.2. Hello & dead interval

In a point-to-point network, hello every 10 sec

In an NBMA network, hello every 30 sec (e.g. Frame Relay, MPLS)

Dead interval = 4 hellos

R1 (config) # interface f0/0
R1 (config-if) # ip ospf hello-interval 5
R1 (config-if) # ip ospf dead-interval 20

2.3.3. Summarization

Only on an ABR router: area 20 is the loopback address or LAN network in this example.

R2 (config) # router ospf 1
R2 (config-router) # area 20 range 10.20.0.0 255.255.252.0

Summarization only on an ASBR router:

R1 (config) # router ospf 1
R1 (config-router) # summary-address 192.168.0.0 255.255.252.0

2.4. Route redistribution

R1 (config) # router ospf 1
R1 (config-router) # redistribute static subnets metric 200 metric-type 2

Subnets: the router will redistribute classful and classless networks.
Metric 200: the route will have a metric of 200.
Metric-type 2: the metric does not change (grow) as the route is distributed between the routers.

R1 # show ip route
O E2 192.168.0.0/24 [110/20] via 172.16.1.1, 00:00:10, FastEthernet0/0

2.5. OSPF Metric
$\text{Cost} = \dfrac{10^8}{BW}$ (BW in kbyts)

This configuration must be the same on all routers.

R1 (config) # router ospf 1
R1 (config-router) # auto-cost reference-bandwidth 1000

The cost must be configured on each interface: R1 interface S0/0/0 and R2 interface S0/0/0.

R1 (config) # interface s0/0/0
R1 (config-if) # ip ospf cost 200
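Added example (not from these notes): the interface cost under the default and the raised reference bandwidth, and the Dijkstra SPF run that OSPF performs on the resulting costs, over a constructed three-router topology. It shows why 'auto-cost reference-bandwidth 1000' must be set on every router: with the default, FastEthernet and GigabitEthernet both cost 1, and the chosen path changes.

```python
import heapq
from typing import Dict, List, Tuple


def ospf_cost(bw_bps: int, reference_bw_mbps: int = 100) -> int:
    """Interface cost = reference bandwidth / interface bandwidth, rounded down,
    never below 1. The default reference of 100 Mbps gives the 10^8 / BW of the
    notes; 'auto-cost reference-bandwidth 1000' raises the numerator to 10^9."""
    return max(1, (reference_bw_mbps * 1_000_000) // bw_bps)


Link = Tuple[str, str, int]   # (router A, router B, cost), constructed data


def shortest_paths(links: List[Link], source: str) -> Dict[str, Tuple[int, List[str]]]:
    """Dijkstra SPF, the computation OSPF runs over its link-state database.
    Returns {router: (total cost, path from source)}. Links are treated as
    symmetric here; on a real network each side sets its own 'ip ospf cost'."""
    adjacency: Dict[str, List[Tuple[str, int]]] = {}
    for a, b, cost in links:
        adjacency.setdefault(a, []).append((b, cost))
        adjacency.setdefault(b, []).append((a, cost))
    best: Dict[str, Tuple[int, List[str]]] = {source: (0, [source])}
    heap: List[Tuple[int, str]] = [(0, source)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best[node][0]:
            continue                      # stale heap entry, a cheaper path was found
        for neighbor, link_cost in adjacency.get(node, []):
            candidate = cost + link_cost
            if neighbor not in best or candidate < best[neighbor][0]:
                best[neighbor] = (candidate, best[node][1] + [neighbor])
                heapq.heappush(heap, (candidate, neighbor))
    return best


GIGABIT = 1_000_000_000
FAST_ETHERNET = 100_000_000


def triangle(reference_bw_mbps: int) -> List[Link]:
    """Constructed topology: R1-R2 and R2-R3 are GigabitEthernet, R1-R3 is a
    direct FastEthernet link. Costs derive from the given reference bandwidth."""
    gig = ospf_cost(GIGABIT, reference_bw_mbps)
    fast = ospf_cost(FAST_ETHERNET, reference_bw_mbps)
    return [("R1", "R2", gig), ("R2", "R3", gig), ("R1", "R3", fast)]


def path_r1_to_r3(reference_bw_mbps: int) -> Tuple[int, List[str]]:
    """Best path R1 -> R3 under the given reference bandwidth."""
    return shortest_paths(triangle(reference_bw_mbps), "R1")["R3"]


if __name__ == "__main__":
    for ref in (100, 1000):
        cost, path = path_r1_to_r3(ref)
        print(f"reference {ref} Mbps: R1->R3 cost {cost} via {' > '.join(path)}")
```

With the default reference the slow direct link wins (cost 1 against 2); with 1000 Mbps the two Gigabit hops (cost 2) beat the FastEthernet link (cost 10). A router left on the default would compute a different SPF tree from its neighbors, which is why the setting must match everywhere.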

2.6. Different type of zone

Reminder

An ABR does not forward LSA messages (only type 3), but it does distribute the routes.

- Usefulness of zones: keep updates local to the zone, reduce the size of the topology to be known
- All zones must be connected to zone 0
- Addressing must be hierarchical (for summarization between zones)
- ABR: links several zones (other zones)
- ASBR: injects routes from other routing protocols (a router that runs another routing protocol)

Different types of LSA messages

- Type 1 and 2: allow the routers of a zone to know each other and to build a topological map of the zone.
- Type 3: summary route sent to another area by the ABR (Area Border Router).
- Type 4: makes the ASBR known.
- Type 5: allows the ASBR to distribute external routes in an area.

Different types of zones

- Backbone area: zone 0; all zones must be connected to this area.
- Standard area: the default area; LSA types 1 and 2 never leave the zone. LSA types 3, 4 and 5 can be exchanged between standard areas.
- Stubby area: LSA types 4 and 5 do not enter the zone (external routes are replaced by a default route).

O IA 0.0.0.0 [110/65] via 10.40.1.2, 00:03:00, FastEthernet0/0

- Totally stubby area: blocks LSA types 3, 4 and 5 from coming in (external routes and the routes of other zones are replaced by a default route).
- Not So Stubby area: an NSSA is a zone that contains an ASBR; LSA types 4 and 5 are replaced by LSA type 7 inside the zone, and converted back to types 4 and 5 on the way out.
- Totally Stubby Not So Stubby area: same as NSSA, but in a totally stubby area.
Standard Area Configuration: default, no command needed

Stubby Area Configuration
Router (config-router) # area 10 stub

Totally Stubby Area Configuration
Router (config-router) # area 10 stub no-summary

Not So Stubby Area NSSA Configuration
Router (config-router) # area 10 nssa
Router (config-router) # area 10 nssa default-information-originate
Router (config-router) # area 10 nssa no-summary

Configuration of the types of zones

We configure R1 as an ASBR:

R1 (config) # ip route 172.16.0.0 255.255.255.0 Null0
R1 (config) # ip route 172.16.1.0 255.255.255.0 Null0
R1 (config) # ip route 172.16.2.0 255.255.255.0 Null0
R1 (config) # ip route 172.16.3.0 255.255.255.0 Null0
R1 (config) # router ospf 1
R1 (config-router) # router-id 1.1.1.1
R1 (config-router) # network 10.0.12.0 0.0.0.255 area 0
R1 (config-router) # network 10.0.13.0 0.0.0.255 area 0
R1 (config-router) # redistribute static metric 200 metric-type 1 subnets

R2 (config) # router ospf 1
R2 (config-router) # router-id 2.2.2.2
R2 (config-router) # network 10.0.12.0 0.0.0.255 area 0
R2 (config-router) # network 10.0.23.0 0.0.0.255 area 0
R2 (config-router) # network 10.40.1.0 0.0.0.255 area 40
R2 (config-router) # network 10.50.1.0 0.0.0.255 area 50

R3 (config) # router ospf 1
R3 (config-router) # router-id 3.3.3.3
R3 (config-router) # network 10.0.13.0 0.0.0.255 area 0
R3 (config-router) # network 10.0.23.0 0.0.0.255 area 0
R3 (config-router) # network 10.60.1.0 0.0.0.255 area 60

R4 (config) # router ospf 1
R4 (config-router) # router-id 4.4.4.4
R4 (config-router) # network 10.40.1.0 0.0.0.255 area 40

R5 (config) # router ospf 1
R5 (config-router) # router-id 5.5.5.5
R5 (config-router) # network 10.50.1.0 0.0.0.255 area 50

R6 (config) # router ospf 1
R6 (config-router) # router-id 6.6.6.6
R6 (config-router) # network 10.60.1.0 0.0.0.255 area 60
R6 (config-router) # network 10.70.1.0 0.0.0.255 area 70

R7 (config) # router ospf 1
R7 (config-router) # router-id 7.7.7.7
R7 (config-router) # network 10.70.1.0 0.0.0.255 area 70

After the basic configuration of the interfaces, the OSPF process and redistribution, create the virtual link like this:

R3 (config) # router ospf 1
R3 (config-router) # area 60 virtual-link 6.6.6.6
R6 (config) # router ospf 1
R6 (config-router) # area 60 virtual-link 3.3.3.3

The virtual link is used to connect area 70 (which is not physically connected to area 0) to area 0 across area 60.

Stubby Area configuration:

R2 (config) # router ospf 1
R2 (config-router) # area 40 stub
R4 (config) # router ospf 1
R4 (config-router) # area 40 stub
O*IA 0.0.0.0/0 [110/65] via 10.40.1.2, 00:08:32, Serial0/0/0

Now we can see that the external routes are replaced by a default route.

Totally Stubby Area configuration:

R2 (config) # router ospf 1
R2 (config-router) # area 50 stub no-summary
R5 (config) # router ospf 1
R5 (config-router) # area 50 stub

Not So Stubby Area NSSA

R4 (config) # ip route 172.18.0.0 255.255.255.0 Null0
R4 (config) # ip route 172.18.1.0 255.255.255.0 Null0
R4 (config) # ip route 172.18.2.0 255.255.255.0 Null0
R4 (config) # ip route 172.18.3.0 255.255.255.0 Null0

We must redistribute them:

R4 (config) # router ospf 1
R4 (config-router) # redistribute static subnets metric 200 metric-type 1
R4 (config) # router ospf 1
R4 (config-router) # area 40 nssa no-summary
R2 (config) # router ospf 1
R2 (config-router) # area 40 nssa

Indeed, R4 does not have the redistributed routes (i.e. 172.16.0.0/22). We keep the advantages of stub mode while allowing the redistribution of routes from inside the area.

R4 will therefore be unable to reach the 172.16.0.0/22 networks. In NSSA mode, R2 does not announce a default route, so we must configure:

R2 (config) # router ospf 1
R2 (config-router) # area 40 nssa default-information-originate

On R4:

O*N2 0.0.0.0/0 [110/1] via 10.40.1.2, 00:08:32, Serial0/0/0

Totally Stubby Not So Stubby area

Here we keep the advantages of totally stubby mode (no LSA types 3, 4 and 5), but we keep the ability to redistribute routes. Only one command changes:

R2 (config) # router ospf 1
R2 (config-router) # area 40 nssa no-summary

2.7. OSPF over frame relay NBMA

We know that multicast messages cannot pass, so OSPF cannot establish a neighbor relationship and therefore will not work. To overcome this problem, OSPF can operate in 5 different modes.

2.7.1. Types of Frame Relay topology

NBMA (Non-Broadcast Multi-Access)

NBMA is the default mode of OSPF over Frame Relay; a DR and BDR election is necessary (because it is multi-access), and neighbors are configured manually, because an NBMA network does not let multicast messages through (hello is sent in multicast).

R1 (config-if) # frame-relay map ip 172.16.1.2 201 broadcast

Point-to-Multipoint Broadcast

Works like NBMA but is more advanced, and is used to solve the multicast problem. It makes the link behave like point-to-point.

This avoids the DR/BDR election (automatic neighbor detection). It is used for partial-mesh or star (hub-and-spoke) topologies (standard).

Point-to-Multipoint Non-broadcast

Cisco proprietary; works like Point-to-Multipoint, with manual neighbor configuration.

Broadcast

Cisco proprietary. Works like a LAN. Used for full-mesh topologies.

Point-to-Point

Cisco proprietary; requires one sub-interface per neighbor.



2.7.2. Configuration

Area 0: Frame Relay Config

R1 (config) # interface Serial 0/0/0
R1 (config-if) # description to FR1
R1 (config-if) # ip address 172.16.0.1 255.255.255.0
R1 (config-if) # encapsulation frame-relay
R1 (config-if) # frame-relay map ip 172.16.0.2 102 broadcast
R1 (config-if) # frame-relay map ip 172.16.0.3 103 broadcast
R1 (config-if) # frame-relay lmi-type ansi

R2 (config) # interface Serial 0/0/0
R2 (config-if) # description to FR1
R2 (config-if) # ip address 172.16.0.2 255.255.255.0
R2 (config-if) # encapsulation frame-relay
R2 (config-if) # frame-relay map ip 172.16.0.1 201 broadcast
R2 (config-if) # frame-relay map ip 172.16.0.3 201 broadcast
R2 (config-if) # frame-relay lmi-type ansi

R3 (config) # interface Serial 0/0/0
R3 (config-if) # description to FR1
R3 (config-if) # ip address 172.16.0.3 255.255.255.0
R3 (config-if) # encapsulation frame-relay
R3 (config-if) # frame-relay map ip 172.16.0.1 301 broadcast
R3 (config-if) # frame-relay map ip 172.16.0.2 301 broadcast
R3 (config-if) # frame-relay lmi-type ansi

Area 10: Frame Relay Config


R1 (config) # interface serial 0/0/1
R1 (config-if) # encapsulation frame-relay
R1 (config-if) # ip address 172.16.10.1 255.255.255.0
R1 (config-if) # frame-relay map ip 172.16.10.4 104 broadcast
R1 (config-if) # frame-relay map ip 172.16.10.5 105 broadcast
R1 (config-if) # frame-relay lmi-type ansi

R4 (config) # interface serial 0/0/0
R4 (config-if) # encapsulation frame-relay
R4 (config-if) # ip address 172.16.10.4 255.255.255.0
R4 (config-if) # frame-relay map ip 172.16.10.1 401 broadcast
R4 (config-if) # frame-relay map ip 172.16.10.5 401 broadcast
R4 (config-if) # frame-relay lmi-type ansi

R5 (config) # interface serial 0/0/0
R5 (config-if) # encapsulation frame-relay
R5 (config-if) # ip address 172.16.10.5 255.255.255.0
R5 (config-if) # frame-relay map ip 172.16.10.1 501 broadcast
R5 (config-if) # frame-relay map ip 172.16.10.4 501 broadcast
R5 (config-if) # frame-relay lmi-type ansi

Area 20: Frame Relay Config

R2 (config) # interface serial 0/0/1
R2 (config-if) # encapsulation frame-relay

R6 (config) # interface Serial 0/0/0
R6 (config-if) # encapsulation frame-relay
R6 (config) # interface Serial 0/0/0.1 point-to-point
R6 (config-subif) # description to FR3
R6 (config-subif) # ip address 172.16.20.6 255.255.255.0
R6 (config-subif) # frame-relay interface-dlci 602

Area 30: Frame Relay Config


R3 (config) # interface Serial 0/0/1
R3 (config-if) # no ip address
R3 (config-if) # encapsulation frame-relay
R3 (config-if) # frame-relay lmi-type ansi
R3 (config) # interface Serial 0/0/1.1 multipoint
R3 (config-subif) # ip address 172.16.30.3 255.255.255.0
R3 (config-subif) # frame-relay map ip 172.16.30.7 307 broadcast
R3 (config-subif) # frame-relay map ip 172.16.30.8 308 broadcast

R7 (config) # interface Serial 0/0/0
R7 (config-if) # encapsulation frame-relay
R7 (config-if) # frame-relay lmi-type ansi
R7 (config) # interface Serial0/0/0.1 multipoint
R7 (config-subif) # description to FR4
R7 (config-subif) # ip address 172.16.30.7 255.255.255.0
R7 (config-subif) # frame-relay map ip 172.16.30.3 703 broadcast
R7 (config-subif) # frame-relay map ip 172.16.30.8 708 broadcast

R8 (config) # interface Serial 0/0/0
R8 (config-if) # encapsulation frame-relay
R8 (config-if) # frame-relay lmi-type ansi
R8 (config) # interface Serial 0/0/0.1 multipoint
R8 (config-subif) # description to FR4
R8 (config-subif) # ip address 172.16.30.8 255.255.255.0
R8 (config-subif) # frame-relay map ip 172.16.30.3 803 broadcast
R8 (config-subif) # frame-relay map ip 172.16.30.7 807 broadcast

OSPF area 0 (NBMA): OSPF Config

R1 (config) # router ospf 1
R1 (config-router) # network 172.16.0.0 0.0.0.255 area 0
R1 (config-router) # neighbor 172.16.0.2
R1 (config-router) # neighbor 172.16.0.3

R2 (config) # router ospf 1
R2 (config-router) # network 172.16.0.0 0.0.0.255 area 0
R2 (config-router) # neighbor 172.16.0.1
R2 (config) # interface Serial 0/0/0
R2 (config-if) # ip ospf priority 0

R3 (config) # router ospf 1
R3 (config-router) # network 172.16.0.0 0.0.0.255 area 0
R3 (config-router) # neighbor 172.16.0.1
R3 (config) # interface Serial 0/0/0
R3 (config-if) # ip ospf priority 0

OSPF area 10 (Point to Multipoint): OSPF Config

R1 (config) # router ospf 1
R1 (config-router) # network 172.16.10.0 0.0.0.255 area 10
R1 (config-router) # area 10 range 10.10.0.0 255.255.252.0
R1 (config) # interface serial 0/0/1
R1 (config-if) # ip ospf network point-to-multipoint

R4 (config) # router ospf 1
R4 (config-router) # router-id 4.4.4.4
R4 (config-router) # network 172.16.10.0 0.0.0.255 area 10
R4 (config) # interface serial 0/0/0
R4 (config-if) # ip ospf network point-to-multipoint

R5 (config) # router ospf 1
R5 (config-router) # router-id 5.5.5.5
R5 (config-router) # network 172.16.10.0 0.0.0.255 area 10
R5 (config) # interface serial 0/0/0
R5 (config-if) # ip ospf network point-to-multipoint

OSPF area 10 (Non-broadcast): OSPF Config

R1 (config) # interface serial 0/0/1
R1 (config-if) # frame-relay map ip 172.16.10.4 104
R1 (config-if) # frame-relay map ip 172.16.10.5 105
R1 (config-if) # ip ospf network point-to-multipoint non-broadcast
R1 (config) # router ospf 1
R1 (config-router) # neighbor 172.16.10.4
R1 (config-router) # neighbor 172.16.10.5

R4 (config) # interface serial 0/0/0
R4 (config-if) # frame-relay map ip 172.16.10.1 401
R4 (config-if) # frame-relay map ip 172.16.10.5 401
R4 (config-if) # ip ospf network point-to-multipoint non-broadcast

R5 (config) # interface serial 0/0/0
R5 (config-if) # frame-relay map ip 172.16.10.1 501
R5 (config-if) # frame-relay map ip 172.16.10.4 501
R5 (config-if) # ip ospf network point-to-multipoint non-broadcast

OSPF area 20 (Point-to-point): OSPF Config

R2 (config) # router ospf 1
R2 (config-router) # network 172.16.20.2 0.0.0.0 area 20
R2 (config-router) # area 20 range 10.20.0.0 255.255.252.0

R6 (config) # router ospf 1
R6 (config-router) # router-id 6.6.6.6
R6 (config-router) # network 172.16.20.0 0.0.0.255 area 20
R6 (config-router) # network 10.20.0.0 0.0.3.255 area 20

OSPF area 30 (Broadcast): OSPF Config

R3 (config) # router ospf 1
R3 (config-router) # network 172.16.30.3 0.0.0.0 area 30
R3 (config-router) # area 30 range 10.30.0.0 255.255.252.0

R7 (config) # router ospf 1
R7 (config-router) # router-id 7.7.7.7
R7 (config-router) # network 172.16.30.7 0.0.0.0 area 30
R7 (config-router) # network 10.30.0.0 0.0.3.255 area 30
R7 (config) # interface serial 0/0/0.1
R7 (config-subif) # ip ospf network broadcast

R8 (config) # router ospf 1
R8 (config-router) # router-id 8.8.8.8
R8 (config-router) # network 172.16.30.0 0.0.0.255 area 30
R8 (config) # interface serial 0/0/0.1
R8 (config-subif) # ip ospf network broadcast

2.8. Default information originate

If your network runs multiple routing protocols, mastering redistribution is essential. The goal is for routes to propagate across the entire network, even if it uses several routing protocols.

Unfortunately, route redistribution brings several problems:

- Problem 1: loss of the metric
- Problem 2: loss of the administrative distance
- Problem 3: redistribution loops

Solutions:
- Distribute list: the principle is very simple, use an ACL to choose the routes to redistribute.
- Prefix list: the prefix list is similar to the distribute list, except that it does not use an ACL. In addition, it can filter according to the subnet mask.
- Route map: the route map is the most complex solution, but also the most complete. Many things are possible; among them we can:
  - redistribute or not, depending on the destination of the route
  - choose the metric to announce
  - tag routes to avoid loops

2.8.1. Static route redistribution

If R1 is an ASBR and has a default route to the Internet, and we want to propagate this route to all areas:

R1 (config) # ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
R1 (config) # router ospf 1
R1 (config-router) # default-information originate

If R1 is an ASBR and does not have a default route to the Internet:

R1 (config) # router ospf 1
R1 (config-router) # default-information originate always

Static route

R1 (config) # router ospf 1
R1 (config-router) # redistribute static subnets

2.9. OSPF Authentication

2.9.1. Easy authentication

R1 (config) # interface s0/0/0
R1 (config-if) # ip ospf authentication
R1 (config-if) # ip ospf authentication-key cisco

R2 (config) # interface s0/0/0
R2 (config-if) # ip ospf authentication
R2 (config-if) # ip ospf authentication-key cisco

2.9.2. Message digest authentication md5

The password is cisco

R1 (config) # interface s0/0/0
R1 (config-if) # ip ospf authentication message-digest
R1 (config-if) # ip ospf message-digest-key 1 md5 cisco

R3 (config) # interface s0/0/0
R3 (config-if) # ip ospf authentication message-digest
R3 (config-if) # ip ospf message-digest-key 1 md5 cisco

3. MPLS VPN & GRE Tunnel / DMVPN
3.1. MPLS

An extension of Frame Relay.

3.2. VPN (Virtual Private Network)

Secure, but multicast traffic cannot pass.

3.3. GRE Tunnel (Generic Routing Encapsulation)

Multicast passes, but it is not secure.

R1 (config) # interface tunnel 0
R1 (config-if) # ip address 192.168.1.1 255.255.255.0
R1 (config-if) # tunnel source (interface, or public IP address of the local physical interface)
R1 (config-if) # tunnel destination (public IP address of the remote physical interface)

R2 (config) # interface tunnel 0
R2 (config-if) # ip address 192.168.1.2 255.255.255.0
R2 (config-if) # tunnel source (interface, or public IP address of the local physical interface)
R2 (config-if) # tunnel destination (public IP address of the remote physical interface)

3.4. DMVPN (Dynamic Multi-point VPN)

The security of a VPN with the multicast support of a GRE tunnel.

NHRP (Next Hop Resolution Protocol): used for full-mesh DMVPN.

R1 is the HUB (NHS)

R1 (config) # interface tunnel 0
R1 (config-if) # ip address 192.168.0.1 255.255.255.0
R1 (config-if) # tunnel source (interface, or public IP address of the local physical interface)
R1 (config-if) # tunnel mode gre multipoint

For security (the tunnel key and the NHRP authentication string only identify the DMVPN cloud; they travel in clear text and do not encrypt the traffic)

R1 (config-if) # tunnel key 1111
R1 (config-if) # ip nhrp network-id 1
R1 (config-if) # ip nhrp authentication PASSWORD
R1 (config-if) # ip nhrp map multicast dynamic
R1 (config-if) # ip redirects
R1 (config-if) # ip mtu 1400
R1 (config-if) # ip tcp adjust-mss 1366

MTU: Maximum Transmission Unit; MSS: Maximum Segment Size.

R2 is a spoke (branch)

R2 (config) # interface tunnel 0
R2 (config-if) # ip address 192.168.0.2 255.255.255.0
R2 (config-if) # tunnel source (interface, or public IP address of the local physical interface)
R2 (config-if) # tunnel mode gre multipoint
R2 (config-if) # tunnel key 1111
R2 (config-if) # ip nhrp network-id 1
R2 (config-if) # ip nhrp authentication PASSWORD
R2 (config-if) # ip nhrp map multicast dynamic
R2 (config-if) # ip nhrp nhs 192.168.0.1 (IP address of the hub's tunnel interface)
R2 (config-if) # ip nhrp map 192.168.0.1 51.1.1.1 (public IP address of the hub's physical interface)
R2 (config-if) # ip nhrp map multicast 51.1.1.1
R2 (config-if) # ip mtu 1400
R2 (config-if) # ip tcp adjust-mss 1366

4. Route redistribution
We will start by redistributing OSPF routes in EIGRP configuration should be done on R2 and R3.

OSPF to EIGRP

R2 (config) # router eigrp 1


R2 (config-router) # redistribute ospf 1 metric 100 100 100 100 100

R3 (config) # router eigrp 1


R3 (config-router) # redistribute ospf 1 metric 100 100 100 100 100

EIGRP to OSPF

R2 (config) # router ospf 1


R2 (config-router) # redistribute eigrp 1 metric 50 metric-type 2 subnets

R3 (config) # router ospf 1


R3 (config-router) # redistribute eigrp 1 metric 50 metric-type 2 subnets

The subnets keyword makes the routes be redistributed without being summarized (classful).
metric-type defines whether the metric must grow after redistribution.
metric-type 1 means that the metric increases after redistribution (every time a router advertises that route).
metric-type 2 means that the metric remains the same after redistribution (all routers receiving this route will
see a metric of 50).

Let's end with the redistribution between RIP and EIGRP

R5 (config) # router eigrp 1
R5 (config-router) # redistribute rip metric 100 100 100 100 100
R5 (config) # router rip
R5 (config-router) # redistribute eigrp 1 metric 5

4.1.1. Redistribution list

The distribute list is based on an ACL to decide whether or not to redistribute a route.

R2 (config) # access-list 1 permit 172.16.30.0 0.0.0.255
R2 (config) # access-list 1 permit 172.16.31.0 0.0.0.255
R2 (config) # access-list 1 permit 172.16.32.0 0.0.0.255
R2 (config) # access-list 1 permit 10.0.12.0 0.0.0.255
R2 (config) # access-list 1 permit 10.0.13.0 0.0.0.255

An implicit deny all is automatically placed at the end.

R2 (config) # router eigrp 1
R2 (config-router) # distribute-list 1 out

The same configuration on R3 router must be established.

4.1.2. Prefix list

The Prefix List looks a little like the distribute list. Its operation is relatively simple.

R2 (config) # ip prefix-list PL_EIGRP-To-OSPF seq 10 permit 172.16.20.0/21 ge 24 le 26

First, give the Prefix List a name: PL_EIGRP-To-OSPF.

Then we choose a sequence number, 10. This allows you to create multiple entries in a Prefix List. They will be
browsed from the lowest sequence number to the highest (a bit like an ACL).

Then we choose Permit or Deny.

We then choose the subnet concerned.
The last 2 options are optional (ge: greater or equal, >=; le: less or equal, <=).

"ge 24 le 32" means that the mask of the redistributed route must be at least 24 and at most 32.

For example:
172.16.20.0/24 -> OK
172.16.20.0/26 -> OK
172.16.20.0/23 -> No

Here is the configuration to apply to R2 and R3; the second entry refuses all the rest:

R2 (config) # ip prefix-list PL_EIGRP-To-OSPF seq 10 permit 172.16.20.0/21 ge 24 le 26
R2 (config) # ip prefix-list PL_EIGRP-To-OSPF seq 20 deny 0.0.0.0/0 le 32
R2 (config) # router ospf 1
R2 (config-router) # distribute-list prefix PL_EIGRP-To-OSPF out

4.1.3. Basic route map

Route Maps are a more advanced solution than the distribute list or the Prefix List.
Each entry of a Route Map has a sequence number. Entries are browsed from the lowest to the highest sequence number
until a match is found.
There is an implicit Deny ALL at the end of the Route Map.

R2 (config) # route-map Name SeqNumber
R2 (config-route-map) # match Condition
R2 (config-route-map) # set Option

We will make a Route Map to control the EIGRP redistribution into OSPF and another one for OSPF into EIGRP. We
have created entry number 10 in the Route Map EIGRP-TO-OSPF:

R2 (config) # ip prefix-list PL_EIGRP-To-OSPF seq 10 permit 172.16.20.0/21 ge 24 le 26
R2 (config) # ip prefix-list PL_EIGRP-To-OSPF seq 20 deny 0.0.0.0/0 le 32
R2 (config) # route-map EIGRP-TO-OSPF 10
R2 (config-route-map) # match ip address prefix-list PL_EIGRP-To-OSPF

Entry number 10 will apply to the routes leading to the networks captured by the PL_EIGRP-To-OSPF Prefix List.
The routes concerned by entry 10 of the Route Map will be redistributed with a metric of 50:

R2 (config-route-map) # set metric 50

Once redistributed, the metric of these routes will not increase:

R2 (config-route-map) # set metric-type type-2

With this second entry, we allow the redistribution of all other routes, with a metric of 100 and type 2:

R2 (config) # route-map EIGRP-TO-OSPF 20
R2 (config-route-map) # set metric 100
R2 (config-route-map) # set metric-type type-2
R2 (config) # router ospf 1
R2 (config-router) # redistribute eigrp 1 subnets route-map EIGRP-TO-OSPF

Now, create a Route Map for OSPF to EIGRP:

R2 (config) # route-map OSPF-TO-EIGRP permit 10
R2 (config-route-map) # match ip address 1
R2 (config-route-map) # set metric 50 50 50 50 50
R2 (config) # route-map OSPF-TO-EIGRP permit 20
R2 (config-route-map) # set metric 100 100 100 100 100

4.1.4. Route map – tag route (loop prevention when redistribution)

In the previous article, we saw that it is possible to create a routing loop by doing redistribution. Route tags will
prevent this.

Here are the conditions to create a routing loop:

- A mutual redistribution: here R2 and R3 both redistribute, which allows the routes to be redistributed back.
- A router (here R5) has two possible routes: a good one (towards R6) and a bad one (the re-redistributed route).
- The re-redistributed route has a lower AD than the good route.

The Route Tag will allow routers not to redistribute already redistributed routes.

R2 (config) # route-map EIGRP-TO-OSPF 10
R2 (config-route-map) # set tag 10
R2 (config) # route-map EIGRP-TO-OSPF 20
R2 (config-route-map) # set tag 20
R2 (config) # route-map OSPF-TO-EIGRP 10
R2 (config-route-map) # set tag 30
R2 (config) # route-map OSPF-TO-EIGRP 20
R2 (config-route-map) # set tag 40

All redistributed routes are now tagged. All that remains is to prevent EIGRP-TO-OSPF from redistributing the routes
tagged by OSPF-TO-EIGRP (and vice versa).

R2 (config) # route-map EIGRP-TO-OSPF deny 5
R2 (config-route-map) # match tag 30 40
R2 (config) # route-map OSPF-TO-EIGRP deny 5
R2 (config-route-map) # match tag 10 20
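The prefix-list matching (ge/le) of 4.1.2 and the tag-based loop prevention above, as an added Python model that is not part of the original notes: it reproduces the sequence-number evaluation, the implicit deny, and the two route maps so the policy can be checked offline. Modeling ACL 1 as a prefix list and leaving out the EIGRP composite metric values are simplifications of mine.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of IOS prefix lists and route maps (not IOS code): entries are
# evaluated from the lowest sequence number, the first match wins, and an implicit
# deny sits at the end of both structures.

@dataclass
class PrefixEntry:
    seq: int
    action: str                 # "permit" or "deny"
    prefix: str                 # e.g. "172.16.20.0/21"
    ge: Optional[int] = None    # minimum mask length of the route
    le: Optional[int] = None    # maximum mask length of the route

def prefix_entry_matches(e: PrefixEntry, net: ipaddress.IPv4Network) -> bool:
    base = ipaddress.ip_network(e.prefix, strict=False)
    # Without ge/le the route mask must equal the entry mask; "ge" alone raises the
    # upper bound to /32, "le" alone keeps the entry mask as the lower bound.
    lo = e.ge if e.ge is not None else base.prefixlen
    hi = e.le if e.le is not None else (32 if e.ge is not None else base.prefixlen)
    if not (lo <= net.prefixlen <= hi) or net.prefixlen < base.prefixlen:
        return False
    # The first base.prefixlen bits of the route must equal the entry prefix.
    return net.supernet(new_prefix=base.prefixlen) == base

def prefix_list_permits(entries, route: str) -> bool:
    net = ipaddress.ip_network(route, strict=False)
    for e in sorted(entries, key=lambda x: x.seq):
        if prefix_entry_matches(e, net):
            return e.action == "permit"
    return False                # implicit deny

@dataclass
class Route:
    prefix: str
    metric: Optional[int] = None
    metric_type: Optional[str] = None
    tag: int = 0

@dataclass
class MapEntry:
    seq: int
    action: str                 # "permit" or "deny"
    match_prefix_list: Optional[list] = None
    match_tags: tuple = ()
    set_metric: Optional[int] = None
    set_metric_type: Optional[str] = None
    set_tag: Optional[int] = None

def apply_route_map(entries, route: Route) -> Optional[Route]:
    """Return the route as it would be redistributed, or None if it is filtered."""
    for e in sorted(entries, key=lambda x: x.seq):
        if e.match_prefix_list is not None and not prefix_list_permits(e.match_prefix_list, route.prefix):
            continue
        if e.match_tags and route.tag not in e.match_tags:
            continue
        if e.action == "deny":
            return None
        out = Route(route.prefix, route.metric, route.metric_type, route.tag)
        if e.set_metric is not None:
            out.metric = e.set_metric
        if e.set_metric_type is not None:
            out.metric_type = e.set_metric_type
        if e.set_tag is not None:
            out.tag = e.set_tag
        return out
    return None                 # implicit deny at the end of the route map

# Policy from the notes: PL_EIGRP-To-OSPF, then the two route maps with their tags.
PL_EIGRP_TO_OSPF = [PrefixEntry(10, "permit", "172.16.20.0/21", ge=24, le=26),
                    PrefixEntry(20, "deny", "0.0.0.0/0", le=32)]
# ACL 1 of the notes approximated as a prefix list (a standard ACL only checks the
# network address, which "le 32" reproduces closely enough here).
ACL_1 = [PrefixEntry(s, "permit", p, le=32) for s, p in
         enumerate(["172.16.30.0/24", "172.16.31.0/24", "172.16.32.0/24",
                    "10.0.12.0/24", "10.0.13.0/24"], start=10)]
EIGRP_TO_OSPF = [
    MapEntry(5, "deny", match_tags=(30, 40)),
    MapEntry(10, "permit", match_prefix_list=PL_EIGRP_TO_OSPF,
             set_metric=50, set_metric_type="type-2", set_tag=10),
    MapEntry(20, "permit", set_metric=100, set_metric_type="type-2", set_tag=20),
]
OSPF_TO_EIGRP = [               # EIGRP composite metric values left out for brevity
    MapEntry(5, "deny", match_tags=(10, 20)),
    MapEntry(10, "permit", match_prefix_list=ACL_1, set_tag=30),
    MapEntry(20, "permit", set_tag=40),
]

def redistribution_round_trip(prefix: str):
    """EIGRP route -> OSPF (tagged), then the same route offered back to EIGRP."""
    into_ospf = apply_route_map(EIGRP_TO_OSPF, Route(prefix))
    back_to_eigrp = apply_route_map(OSPF_TO_EIGRP, into_ospf) if into_ospf else None
    return into_ospf, back_to_eigrp

if __name__ == "__main__":
    for p in ("172.16.20.0/24", "172.16.20.0/26", "172.16.20.0/23"):
        print(p, "permitted" if prefix_list_permits(PL_EIGRP_TO_OSPF, p) else "denied")
    print(redistribution_round_trip("172.16.20.0/24"))   # second element is None: loop blocked
```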

4.1.5. Modification of AD
AD 90 to 105

R2 (config) # router eigrp 1
R2 (config-router) # distance eigrp 90 105

5. BGP
5.1. Introduction

The routing protocol used on the Internet is BGP, which runs between ASes (Autonomous Systems).

An AS is a set of networks under the same authority. For example, a corporate network is an AS. BGP allows
connecting this AS to the Internet, and thus to other ASes.

BGP is a path-vector protocol. It is a derivative of the distance-vector type.

BGP uses TCP on port 179. Therefore, TCP is responsible for sending the Ack.

Convergence on a BGP network is very slow. Imagine what would happen on the Internet with a fast convergence:
the slightest change would be immediately replicated around the world! In addition, routing updates are sent only when
there is a change, and only what has changed is sent (when necessary).

5.2. Neighboring

Manual configuration: in BGP it is necessary to give the address of the neighbor in order to establish the connection.

Idle -> Connect -> Active -> OpenSent -> OpenConfirm -> Established

5.3. BGP Messages


- Open: starts the neighbor relationship. It contains the BGP version, router ID, IP of the
interface, AS number, hold-down timer (180 sec) ...
- Keepalive: maintains the BGP relationship; sent when necessary.
- Update: adds or deletes routes; when a new route is added it is advertised with its AS path.
- Notification: informs the neighbor when there is an incident.

5.4. BGP Table:


- Neighbor table:

R1 # show ip bgp summary

It contains the list of connected neighbors.

Neighbor: ID of the neighbor (IP of the neighbor's interface connected with BGP).
V: BGP version.
AS: Autonomous System number of the neighbor.
MsgRcvd: number of messages received (Update, Keepalive).
MsgSent: number of messages sent.
TblVer: last version of the routing table sent (compared with the local version).
InQ: number of messages queued coming from the neighbor.
OutQ: number of messages queued to be sent to the neighbor.
Up/Down: for how long the relation has been up.
State/PfxRcd: number of prefixes received from the neighbor.
- BGP Table:

It contains all the received routes.

*: the star means the route is valid.
>: means the best path for this destination (when only one route exists, there is no choice).
Network: destination network.
Next Hop: next hop to reach the destination.
Metric: one of the attributes constituting the total metric.
LocPrf: one of the attributes constituting the total metric.
Weight: one of the attributes constituting the total metric.
Path: the ASes that will have to be crossed (1 AS = 200).

- Routing table:

Best path is put in routing table logically.

5.5. Multi-homing:

The principle of multi-homing is to be connected to multiple ISPs for high availability and load balancing of in/out
packets.

- 1st case: default route:

We have two ISPs and every ISP gives us a default route. However, we cannot favor one ISP or the other
depending on the destination network: either load balancing, or keep one as a backup.

We can also influence the choice of the ISP for incoming packets.

This solution consumes very few resources.

- 2nd case: partial update:

Here, the ISPs send us a partial update of their routing table; we have the possibility to choose the destination
route.

- 3rd case: total update:

In this case, all ISPs send us their entire routing tables; we can choose the best path for outgoing packets. This solution
consumes many resources, especially a lot of RAM.

5.6. Configuration

eBGP (Same thing with E2 and ISP_2)

E1 (config) # router bgp 100
E1 (config-router) # neighbor 10.1.1.2 remote-as 1
E1 (config-router) # neighbor 10.1.1.6 remote-as 1
E1 (config-router) # network 128.107.1.0 mask 255.255.255.0
E1 (config-router) # network 128.107.2.0 mask 255.255.255.0

ISP_1 (config) # router bgp 1
ISP_1 (config-router) # neighbor 10.1.1.1 remote-as 100
ISP_1 (config-router) # neighbor 10.1.1.5 remote-as 100
ISP_1 (config-router) # network 180.0.0.0 mask 255.255.0.0

iBGP

It is also possible to set up iBGP relations (within the same AS). For an iBGP relationship, it is advisable to use a
Loopback IP as the neighbor's IP.

E1 (config) # router bgp 100
E1 (config-router) # neighbor 128.107.2.1 remote-as 100
E1 (config-router) # neighbor 128.107.2.1 next-hop-self
E1 (config-router) # neighbor 128.107.1.2 next-hop-self

E2 (config) # router bgp 100
E2 (config-router) # neighbor 128.107.1.1 remote-as 100
E2 (config-router) # neighbor 128.107.1.1 next-hop-self
E2 (config-router) # neighbor 128.107.2.2 next-hop-self

EX (config) # router bgp 100
EX (config-router) # neighbor 128.107.1.1 remote-as 100
EX (config-router) # neighbor 128.107.2.1 remote-as 100

5.7. BGP metric attribute

AS-path, weight, local preference, metric (MED).

Weight takes precedence over AS-path.

# AS-Path

R4 (config) # access-list 1 permit 200.5.5.0 0.0.0.255
R4 (config) # route-map net200.5.5 permit 10
R4 (config-route-map) # match ip address 1
R4 (config-route-map) # set as-path prepend 40 50 60 70 80 90
R4 (config) # route-map net200.5.5 permit 20
R4 (config) # router bgp 2000
R4 (config-router) # neighbor 20.1.1.2 route-map net200.5.5 out
R4 # clear ip bgp *

# Weight

- Highest weight is better
- Used in eBGP
- Default weight for any route = 0

R5 (config) # router bgp 3000
R5 (config-router) # neighbor 60.1.1.2 weight 50
R5 # clear ip bgp *

# Local preference

R3 (config) # router bgp 1000
R3 (config-router) # bgp default local-preference 200
R3 # clear ip bgp *

# MED Multi Exit Discriminator


6. Path Control
How to influence routing on a network?

Some networks have redundant links. It can be useful to choose how the routers will exploit these links: load
distribution, reaction in case of breakdown, better performances, etc.

6.1. Theory

6.2. Policy Based Routing

Policy Based Routing is about influencing the routing of data. We can force the router to send traffic to ISP_1 or
ISP_2. Subsequently, we will implement a system of fault tolerance.

Assume that ISP 1 (R4) is the fastest and most reliable. ISP 2 is slower and less reliable.

R3 (config) # ip access-list extended CLIENTS
R3 (config-ext-nacl) # permit ip 172.16.10.0 0.0.0.255 any
R3 (config-ext-nacl) # permit ip 172.16.1.0 0.0.0.255 any
R3 (config) # route-map ISP_1 permit 10
R3 (config-route-map) # match ip address CLIENTS
R3 (config-route-map) # set ip next-hop 34.0.0.4

Here is how to redirect all traffic from the clients (employees) to ISP_1; same thing with the servers:

R3 (config) # ip access-list extended SERVERS
R3 (config-ext-nacl) # permit ip 172.16.20.0 0.0.0.255 any
R3 (config-ext-nacl) # permit ip 172.16.2.0 0.0.0.255 any
R3 (config) # route-map ISP_2 permit 20
R3 (config-route-map) # match ip address SERVERS
R3 (config-route-map) # set ip next-hop 35.0.0.5

Next, we send the non-captured traffic to ISP_2:

R3 (config) # route-map ISP_2 permit 30
R3 (config-route-map) # set ip next-hop 35.0.0.5

Now we add a rule for LAN-to-LAN traffic (matched before the other entries and with no set, so it is routed normally):

R3 (config) # ip access-list extended LanToLan
R3 (config-ext-nacl) # permit ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
R3 (config) # route-map ISP_1 permit 2
R3 (config-route-map) # match ip address LanToLan

Finally, we must apply the rules on the interfaces:

R3 (config) # interface serial 0/0/0
R3 (config-if) # ip policy route-map ISP_1
R3 (config) # interface serial 0/0/1
R3 (config-if) # ip policy route-map ISP_2

Or

R3 (config) # interface serial 0/0/0
R3 (config-if) # ip policy route-map control

6.3. SLA: Service Level Agreement and proactive test technique

If ISP_1 is down, what happens to the Internet access?

The best thing we can do is to use ISP_2 if ISP_1 goes down. So a proactive test is required.

How does it work?
It tests the connectivity to the first ISP with a ping, and switches to the second ISP if the first one is down. The
switching is automatic.

R3 (config) # ip sla monitor 5
R3 (config-sla-monitor) # type echo protocol ipIcmpEcho 34.0.0.4
R3 (config-sla-monitor-echo) # timeout 1000
R3 (config-sla-monitor-echo) # frequency 3

frequency 3: means 3 seconds (how often a request is sent; default: 60).

R3 (config) # ip sla monitor schedule 5 start-time now life forever

start-time now life forever: the test starts now and never stops.

R3 (config) # track 1 rtr 5 reachability

rtr: response time reporter (a track object to analyze the SLA; it must be referenced in the route map below).

Before:

R3 (config) # route-map ISP_2 permit 20
R3 (config-route-map) # match ip address SERVERS
R3 (config-route-map) # set ip next-hop 34.0.0.4

Now:

R3 (config) # route-map ISP_2 permit 20
R3 (config-route-map) # no set ip next-hop 34.0.0.4
R3 (config-route-map) # set ip next-hop verify-availability 34.0.0.4 10 track 1
R3 (config-route-map) # set ip next-hop 35.0.0.5

10: the weight of the path; the higher the weight, the more the path is favored.

6.4. Offset List

The goal is to add an offset to the metric of a route (offset: a fixed amount added to the metric), in order to
modify the metric of a path.

In our lab above, R7 has two paths to reach 172.17.10.0/24 (R7-R9 at 100 Mb/s or R7-R8-R9 at 1 Gb/s). In
this case the path with the fewest hops is favored, so R7-R9 is the best path because it is the shortest path (RIP
counts hops, not bandwidth).

Now we put a higher metric on the other path, R7-R8-R9.


R7 (config) # access-list 1 permit 172.17.10.0 0.0.0.255
R7 (config) # router rip
R7 (config-router) # offset-list 1 in 2 serial 0/1/1

1: identifier of the ACL selecting the routes to which the offset applies.
in: chooses whether the offset is applied to received (in) or announced (out) routes.
2: offset to apply.
serial 0/1/1: interface on which the offset list is applied.

7. Network Virtualization
7.1. VRF: Virtual Routing and Forwarding

Create virtual routers A & B:

edge (config) # ip vrf A
edge (config) # ip vrf B
edge # show ip vrf

For virtual router A, we select the interfaces that will be connected to virtual router A:

edge (config) # interface serial 0/1/0
edge (config-if) # ip vrf forwarding A
edge (config-if) # ip address 10.0.0.2 255.255.255.0
edge (config) # interface serial 0/1/1
edge (config-if) # ip vrf forwarding A
edge (config-if) # ip address 20.0.0.2 255.255.255.0
edge # show ip vrf A
edge # show ip vrf

For virtual router B, we select the interfaces that will be connected to virtual router B:

edge (config) # interface serial 0/2/0
edge (config-if) # ip vrf forwarding B
edge (config-if) # ip address 30.0.0.2 255.255.255.0
edge (config) # interface serial 0/2/2
edge (config-if) # ip vrf forwarding B
edge (config-if) # ip address 40.0.0.2 255.255.255.0

After that, we set the routing protocol (EIGRP 100) for vrf A; same thing for vrf B:

edge (config) # router eigrp 100
edge (config-router) # address-family ipv4 vrf A
edge (config-router-af) # no auto-summary
edge (config-router-af) # network 0.0.0.0
edge (config-router-af) # autonomous-system 100

7.2. EVN Easy Virtual Network

NB: For this lab you must have a 7200 series router with IOS Software release 15.3(3)M.

A VRF is one virtual router; EVN goes further and carries several VRFs over one trunk.
First, we create two (02) VRFs on R1 (R1.a, R1.b), R0 (R0.a, R0.b) and R2 (R2.a, R2.b).
After that, you must link router A, R1.a, R0.a, R2.a and A_DC with the VRF technique (yellow routers).
Same thing for router B, R1.b, R0.b, R2.b, B_DC (sky-blue routers).

- VRF creation A & B on R1, R0 and R2

R1 (config) # vrf definition A
R1 (config-vrf) # vnet tag 10
R1 (config-vrf) # address-family ipv4
R1 (config-vrf-af) #

R1 (config) # vrf definition B
R1 (config-vrf) # vnet tag 20
R1 (config-vrf) # address-family ipv4
R1 (config-vrf-af) #

- Trunk configuration on R1, R0 and R2 (the link between R0, R1 and R2)

R1 (config) # interface gigabitethernet 0/0/0
R1 (config-if) # vnet trunk

- Interface VRF setting on R1 and R2

R1 (config) # interface gigabitethernet 0/1/0
R1 (config-if) # description to A
R1 (config-if) # vrf forwarding A
R1 (config-if) # ip address 10.0.0.2 255.255.255.0

R1 (config) # interface gigabitethernet 0/1/1
R1 (config-if) # description to B
R1 (config-if) # vrf forwarding B
R1 (config-if) # ip address 30.0.0.2 255.255.255.0

- Routing protocol EIGRP 100 on R1, R0 and R2

R1 (config) # router eigrp 100
R1 (config-router) # address-family ipv4 unicast vrf A autonomous-system 100
R1 (config-router-af) # no auto-summary
R1 (config-router-af) # network 0.0.0.0
R1 (config-router) # address-family ipv4 unicast vrf B autonomous-system 100
R1 (config-router-af) # no auto-summary
R1 (config-router-af) # network 0.0.0.0

8. IPv6
- Successor of IPv4
- It is coded on 128 bits, 8 groups of 16 bits (as opposed to IPv4's 32 bits)
- Advantages:
  - End of NAT: no more private IPs (each machine will have its own IP)
  - IPsec supported natively
  - Mobile IP: a machine can keep its IP when it moves
  - A simpler header
  - Auto-configured addresses
  - Disappearance of broadcast
  - Disappearance of ARP (replaced by Neighbor Discovery), and more ...

8.1. IPv6 structure

It is coded on 128 bits, 8 groups of 16 bits, e.g. 2001:0048:0000:0000:1D00:1111:0B48:1111

Hexadecimal (not decimal).

It is a long and complicated address. How to shorten it?

- The first thing to do is to delete the consecutive "0" groups (replaced by "::", only once):
2001:0048:0000:0000:1D00:1111:0B48:1111 -> 2001:0048::1D00:1111:0B48:1111
- Then, you must delete all the "0" at the beginning of each group:
2001:0048::1D00:1111:0B48:1111 -> 2001:48::1D00:1111:B48:1111
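The two shortening rules above, implemented as an added Python example (not from the original notes): the longest run of zero groups is replaced by "::" (leftmost run on a tie, and never a single group, per RFC 5952), and the result is checked against the standard library.

```python
import ipaddress

def strip_leading_zeros(groups):
    """Drop the leading zeros of every 16-bit group ("0048" -> "48", "0000" -> "0")."""
    return [g.lstrip("0") or "0" for g in groups]

def longest_zero_run(groups):
    """Start index and length of the longest run of all-zero groups (the leftmost run wins a tie)."""
    best_start, best_len, start = -1, 0, None
    for i, g in enumerate(groups + ["end"]):          # sentinel closes a trailing run
        if g == "0":
            if start is None:
                start = i
        else:
            if start is not None and i - start > best_len:
                best_start, best_len = start, i - start
            start = None
    return best_start, best_len

def compress_ipv6(full: str) -> str:
    """Apply both shortening rules to an address written with its 8 groups."""
    groups = full.split(":")
    if len(groups) != 8:
        raise ValueError("expected the full 8-group form")
    groups = strip_leading_zeros(groups)             # leading zeros first, so zero groups become "0"
    start, length = longest_zero_run(groups)
    # "::" may appear only once, so only the longest run is replaced; RFC 5952 also
    # forbids shortening a single zero group this way.
    if length < 2:
        return ":".join(groups)
    return ":".join(groups[:start]) + "::" + ":".join(groups[start + length:])

def expand_ipv6(addr: str) -> str:
    """The reverse operation, via the standard library, to check a compressed address."""
    return ipaddress.IPv6Address(addr).exploded.upper()

def same_address(full: str) -> bool:
    """True when the hand-compressed form equals the standard-library form."""
    return compress_ipv6(full).upper() == ipaddress.IPv6Address(full).compressed.upper()

if __name__ == "__main__":
    example = "2001:0048:0000:0000:1D00:1111:0B48:1111"     # the address from the notes
    print(compress_ipv6(example), same_address(example))
```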

8.2. Type of Communication

IPv4       IPv6
Unicast    Unicast: one to one
Multicast  Multicast: one to many
Broadcast  Anycast: one to nearest

Anycast works like multicast: a unique IP address that represents many interfaces.
- FFx2::/16: cannot be routed (like 224.0.0.0/24), useful for routing updates
- FF02::5: OSPF
- FF02::9: RIP
- FF02::A: EIGRP

8.3. Type of Address

8.3.1. Link-local address

This type of address is valid only for interfaces connected on the same link (that is, without going through a router),
e.g. PPP or Ethernet. It is therefore not possible to route a packet with this type of address. This IP must of course
be unique. In general, it is auto-configured (a combination of the prefix and the MAC address).

The prefix of such an IP is: FE80::/64 (FE80:0000:0000:0000) to FEBF::/64

8.3.2. Site-local address

This type of address is no longer used; it was more or less a private IPv6. However, as we said, IPv6 has removed the
notion of private/public. So in the end, this type of address is no longer of real interest.

Prefix is: FEC0::/64 to FECF::/64


8.3.3. Global Address

This is the type of address that interests us the most. It is routable on the internet and divided into several parts:

- The first 48 bits correspond to the global prefix. It is assigned to you by your ISP.
- The next 16 bits correspond to the Subnet ID, which allows you to create subnets.
- The last 64 bits represent the interface ID.

It is therefore simple for an interface to configure this IP automatically. For this, it retrieves the global prefix and
the Subnet ID, then adds the interface ID (calculated from the MAC address).

Prefix is: 2000 to 3FFF
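The address layout and the MAC-derived interface ID described above (and in 8.3.1 for link-local), as an added Python example that is not part of the original notes. The MAC 0090.2129.7201 is my assumption, chosen because it yields the link-local address shown in the show ipv6 interface output of 8.5.1.

```python
import ipaddress

def split_global_unicast(addr: str):
    """Split a global unicast address into global prefix (48 bits), Subnet ID (16 bits)
    and interface ID (64 bits), returned as integers."""
    n = int(ipaddress.IPv6Address(addr))
    global_prefix = n >> 80                       # first 48 bits, assigned by the ISP
    subnet_id = (n >> 64) & 0xFFFF                # next 16 bits, chosen by the site
    interface_id = n & ((1 << 64) - 1)            # last 64 bits, identifies the host
    return global_prefix, subnet_id, interface_id

def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64: split the 48-bit MAC in two, insert FF:FE in the middle and
    flip the universal/local bit (bit 7 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace(".", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("a MAC address is 48 bits")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")

def autoconf_address(prefix: str, mac: str) -> str:
    """A /64 prefix plus the EUI-64 interface ID, as link-local and SLAAC autoconfiguration do."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("autoconfiguration needs a /64 prefix")
    host = int(net.network_address) | eui64_interface_id(mac)
    return str(ipaddress.IPv6Address(host)).upper()

def mac_from_eui64_address(addr: str) -> str:
    """Reverse operation: recover the MAC from an EUI-64 derived address, in the
    Cisco dotted form (useful when reading link-local addresses in a neighbor table)."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = bytearray(iid.to_bytes(8, "big"))
    if b[3:5] != b"\xff\xfe":
        raise ValueError("interface ID is not EUI-64 derived")
    b[0] ^= 0x02
    h = (b[:3] + b[5:]).hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"

if __name__ == "__main__":
    mac = "0090.2129.7201"                         # assumed MAC (constructed for this example)
    print(autoconf_address("FE80::/64", mac))      # FE80::290:21FF:FE29:7201
    print(autoconf_address("2001:12::/64", mac))
    print(split_global_unicast("2001:12::1"))
```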

8.4. Transition to IPv6

8.4.1. The Dual-stack

The most widely used and the best technique. The router can send traffic in IPv4 or IPv6 depending on the
source/destination. Machines use IPv6 to communicate when they can; otherwise, they use IPv4.

Therefore, the router works with IPv4 and IPv6 on the same interface (2 addresses on the same interface).

8.4.2. Tunneling

It is used if you are forced to go through an IPv4 network to connect IPv6 networks (or vice versa).
- We talk about "6to4" when IPv6 packets go through a tunnel across an IPv4 network.
- We speak of "4to6" when IPv4 packets pass through a tunnel across an IPv6 network.

8.4.3. NAT-PT (NAT Protocol Translation)

This solution is not to be used if one of the other two previous solutions is possible.

The purpose of NAT-PT is to connect an IPv6 network directly to an IPv4 network (or vice versa). The router is
responsible for changing the source IPs and destinations of the packets.

8.5. Configuration

Network example.

8.5.1. Interface configuration

Now, we must configure 2 kinds of address on each interface, link-local and global:
- Global for standard communication.
- Link-local for neighbor discovery, routing protocols and others.

We start with the global address of R1 this way:

R1 (config) # interface GigabitEthernet 0/0
R1 (config-if) # ipv6 address 2001:12::1/64
R1 (config-if) # no shutdown
R1 # show ipv6 interface gigabitEthernet 0/0
GigabitEthernet0/0 is up, line protocol is down
IPv6 is tentative, link-local address is FE80::290:21FF:FE29:7201 [TEN]
No Virtual link-local address(es):
Global unicast address(es):
2001:12::1, subnet is 2001:12::/64 [TEN]

We can notice that the link-local address is auto-configured (derived from the MAC address). It can also be set manually:

R2 (config-if) # no shutdown
R2 (config-if) # ipv6 address FE80::2 link-local

R1 (config) # ipv6 unicast-routing
R1 (config) # interface gigabitEthernet 0/0
R1 (config-if) # ipv6 nd prefix 2001:12::/64

R2 (config) # interface gigabitEthernet 0/0
R2 (config-if) # ipv6 address autoconfig

R2 (config) # interface serial 0/0
R2 (config-if) # no shutdown
R2 (config-if) # do debug ipv6 nd
ICMP Neighbor Discovery events debugging is on

- Ping
R1 # ping 2001:12::2

- Static route
R1 (config) # ipv6 unicast-routing
R2 (config) # ipv6 unicast-routing

R2 (config) # ipv6 route 2001:36::/64 serial 0/0
R2 (config) # ipv6 route 2001:45::/64 2001:24::4
R2 (config) # ipv6 route 2001:34::/64 serial 0/1

- RIPng config

RIPng must be enabled directly on the interfaces.
The updates are sent in multicast to FF02::9 over UDP (port 521).

R1 (config) # interface gigabitEthernet 0/0
R1 (config-if) # ipv6 rip IPV6LAB enable

R2 (config) # interface gigabitEthernet 0/0
R2 (config-if) # ipv6 rip IPV6LAB enable
R2 (config) # interface serial 0/0/0
R2 (config-if) # ipv6 rip IPV6LAB enable
R2 (config) # interface serial 0/0/1
R2 (config-if) # ipv6 rip IPV6LAB enable
R2 (config) # ipv6 router rip IPV6LAB
R2 (config-rtr) # redistribute static

- OSPFv3 config

R5 (config) # ipv6 router ospf 1
R5 (config-rtr) # router-id 5.5.5.5
R5 (config) # interface gigabitEthernet 0/0
R5 (config-if) # ipv6 ospf 1 area 0

R4 (config) # ipv6 router ospf 1
R4 (config-rtr) # router-id 4.4.4.4
R4 (config-rtr) # redistribute static
R4 (config-rtr) # passive-interface serial 0/0/0
R4 (config-rtr) # passive-interface serial 0/0/1
R4 (config) # interface gigabitEthernet 0/0
R4 (config-if) # ipv6 ospf 1 area 0
R4 (config) # interface serial 0/0/0
R4 (config-if) # ipv6 ospf 1 area 0
R4 (config) # interface serial 0/0/1
R4 (config-if) # ipv6 ospf 1 area 0

- EIGRP IPv6 config

R3 (config) # ipv6 router eigrp 1
R3 (config-rtr) # eigrp router-id 3.3.3.3
(the router ID is necessary when no IPv4 address is configured)
R3 (config-rtr) # passive-interface serial 1/0
R3 (config-rtr) # passive-interface serial 1/1
R3 (config-rtr) # redistribute static
R3 (config) # interface serial 1/0
R3 (config-if) # ipv6 eigrp 1
R3 (config) # interface serial 1/1
R3 (config-if) # ipv6 eigrp 1
R3 (config) # interface gigabitEthernet 0/0
R3 (config-if) # ipv6 eigrp 1

R6 (config) # ipv6 router eigrp 1
R6 (config-rtr) # eigrp router-id 6.6.6.6
R6 (config) # interface fastEthernet 0/0
R6 (config-if) # ipv6 eigrp 1

Switch 300-115
1. Cisco Enterprise Composite Network Model
The Cisco Enterprise Composite Network Model is the model to follow when we need to build a network; it allows
splitting the network into layers for an easier management platform.

1.1. Overview

This model is divided into 3 layers:

Enterprise campus.
Edge distribution.
Service provider edge.

- Enterprise campus:
This is the most interesting part of this switching journey, and it is divided into 4 parts: access layer, distribution layer,
core layer, server farms. In the access and distribution layers we find a separation of functionalities; for example, every
building has a specific VLAN.

# Access:
- The access layer is the entry point of the network; it allows users to access the network.
- The switch is a layer 2 switch. The inter-VLAN routing will occur in the distribution and core layers.
- In the access layer, we find these functionalities: Fast and Gigabit Ethernet, VLAN, link aggregation and
spanning tree, PoE, port security, QoS.

# Distribution:
- The switch is a layer 3 switch, for routing inter-VLAN traffic in the building (to pass from one VLAN to another,
even if the destination is in the same switch).
- The second role is to relay to the core layer.
- Functionalities: routing, Gigabit Ethernet and 10 Gigabit Ethernet, high availability, link aggregation, spanning
tree, ACL, QoS.

# Core:
- We find layer 3 switches or routers. It is used for routing between branches, server farm, enterprise edge,
etc.
- Functionalities: routing, Gigabit Ethernet and 10 Gigabit Ethernet, high availability, link aggregation, spanning
tree.
# Server farm:
It is like a datacenter.

- Hierarchical model:
We can find 03 (three) layers: core, distribution and access. Advantages:

Scalability - It is very easy to change the hierarchical model (add or delete).
Performance - The flows are well optimized (congestion on a link will not disturb the entire network).
Redundancy - The hierarchical model facilitates redundancy (in this way, the loss of a link will not cause
any interruption of service).
Others - Summary addressing (lightens the routing table); implementation and security (if security is well
implemented at the Access and Distribution layers, the Core layer should have a very small role in security, which
makes it more efficient).

- Enterprise Edge:
This part is intended to connect the Enterprise Campus part to the WAN.

WAN - WAN links to other company sites. These can be leased lines, Frame Relay links, etc.; nowadays VPN.
E-commerce - When we have an e-commerce web site on a local server. A firewall is necessary to filter
the flow.
Internet - Provides Internet access to users. A firewall is necessary between the Internet and our LAN. It allows
creating a DMZ and some services: FTP, webmail, etc.
Remote access - VPN site-to-site.

- Service provider edge:
We find the WAN and Internet in most cases. Redundancy may exist.

1.2. Layer 3 Switch:

For configuring router-on-a-stick (inter-VLAN routing), please follow the configuration:

Creation of three (03) VLANs on the switch:

Switch (config) # vlan 10,20,30

Configuration of router-on-a-stick (inter-VLAN routing) on the router, tagging the VLAN number on each sub-interface
(the encapsulation must be set before the IP address):

Router (config) # interface gigabitEthernet 0/0.10
Router (config-subif) # encapsulation dot1q 10
Router (config-subif) # ip address 10.10.10.1 255.255.255.0
Router (config) # interface gigabitEthernet 0/0.20
Router (config-subif) # encapsulation dot1q 20
Router (config-subif) # ip address 10.10.20.1 255.255.255.0
Router (config) # interface gigabitEthernet 0/0.30
Router (config-subif) # encapsulation dot1q 30
Router (config-subif) # ip address 10.10.30.1 255.255.255.0
Router (config) # interface gigabitEthernet 0/0
Router (config-if) # no shutdown

The equivalent configuration of router-on-a-stick on a layer 3 switch:

Switch (config) # vlan 10,20,30
Switch (config) # interface range fastEthernet 0/1-2
Switch (config-if-range) # switchport mode access
Switch (config-if-range) # switchport access vlan 10
Switch (config) # interface range fastEthernet 0/3-4
Switch (config-if-range) # switchport mode access
Switch (config-if-range) # switchport access vlan 20
Switch (config) # interface range fastEthernet 0/5-6
Switch (config-if-range) # switchport mode access
Switch (config-if-range) # switchport access vlan 30

Switch (config) # interface vlan 10
Switch (config-if) # ip address 10.10.10.1 255.255.255.0
Switch (config) # interface vlan 20
Switch (config-if) # ip address 10.10.20.1 255.255.255.0
Switch (config) # interface vlan 30
Switch (config-if) # ip address 10.10.30.1 255.255.255.0

Switch (config) # ip routing

The command ip routing activates IP routing on the switch.
The layer 3 switch uses a FIB (Forwarding Information Base); forwarding on a layer 3 switch is faster than on a router.

To configure a routed link:

Switch (config) # interface fastEthernet 0/10
Switch (config-if) # no switchport
Switch (config-if) # ip address 192.168.1.10 255.255.255.0
Switch (config-if) # description to-server

- Creation of VLANs on the layer 3 switch and the other access switches:

S1 (config) # vlan 10,20
SW (config) # vlan 10,20,30
SW (config) # ip routing

- Configuration of trunk ports between all access switches and the layer 3 switch:

S1 (config) # interface fastEthernet 0/1
S1 (config-if) # switchport mode trunk
SW (config) # interface fastEthernet 0/1
SW (config-if) # switchport trunk encapsulation dot1q
SW (config-if) # switchport mode trunk

- Assign an IP address to each VLAN interface (SVI) (same thing with VLAN 20 and 30):

SW (config) # interface vlan 10
SW (config-if) # ip address 30.10.10.1 255.255.255.0

- Configuration of the routed link between the layer 3 switch and the router:

SW (config) # interface gigabitEthernet 0/1
SW (config-if) # no switchport
SW (config-if) # ip address 90.1.1.1 255.255.255.0

R1 (config) # interface gigabitEthernet 0/1
R1 (config-if) # ip address 90.1.1.2 255.255.255.0
R1 (config) # interface gigabitEthernet 0/0
R1 (config-if) # ip address 41.5.5.5 255.255.255.0

R2 (config) # interface gigabitEthernet 0/1
R2 (config-if) # ip address 60.1.1.1 255.255.255.0
R2 (config) # interface gigabitEthernet 0/0
R2 (config-if) # ip address 41.5.5.6 255.255.255.0

- Default route and routing protocol between the layer 3 switch and R1:

R1 (config) # ip route 0.0.0.0 0.0.0.0 g0/0
R1 (config) # router eigrp 100
R1 (config-router) # no auto-summary
R1 (config-router) # network 30.0.0.0
R1 (config-router) # network 90.1.1.0
R1 (config-router) # redistribute static

SW (config) # ip route 0.0.0.0 0.0.0.0 90.1.1.2
SW (config) # router eigrp 100
SW (config-router) # no auto-summary
SW (config-router) # network 41.5.5.0
SW (config-router) # network 90.1.1.0

- Access list (used by NAT overload) so the LAN can reach the server:

R1 (config) # access-list 1 permit 30.0.0.0 0.255.255.255
R1 (config) # access-list 1 permit 90.1.1.0 0.0.0.255
R1 (config) # ip nat inside source list 1 interface GigabitEthernet0/0 overload
R1 (config) # interface gigabitEthernet 0/1
R1 (config-if) # ip nat inside
R1 (config) # interface gigabitEthernet 0/0
R1 (config-if) # ip nat outside

1.3. Campus LAN Design:


2. VLAN
2.1. Theory:

A VLAN is a sub-network (subnet).

Routing between VLANs goes through a router or a layer 3 switch.

- Advantages of VLAN:
Grouping users logically allows greater flexibility.
The physical location of the machine then no longer matters.
Reduced costs.
Segmentation.

2.2. How VLANs work

 Types of VLAN:
VLAN per port
VLAN per MAC address
VLAN per IP address

# Access port:
In a real case, a PC connects to the switch with an address in 192.168.1.0/24; according to our addressing plan this is
VLAN 10.
First, create the VLAN and name it, then assign the VLAN to the port:

S1 (config) # vlan 10
S1 (config-vlan) # name 1st_floor
S1 (config) # interface FastEthernet0/1
S1 (config-if) # switchport access vlan 10
S1 (config-if) # switchport mode access

To see all VLANs, their status and the ports assigned to them:

S1 # show vlan brief

# Trunk port:
A port connecting two switches is called a trunk port; configuration below (between the L2 and the L3 switch):

S1 (config) # interface FastEthernet0/1
S1 (config-if) # description to-SW
S1 (config-if) # switchport mode trunk

SW (config) # interface gigabitEthernet 1/0/1
SW (config-if) # description to-S1
SW (config-if) # switchport trunk encapsulation dot1q
SW (config-if) # switchport mode trunk

Configuration between two L2 switches:

S1 (config) # interface FastEthernet0/1
S1 (config-if) # description to-S2
S1 (config-if) # switchport mode trunk

S2 (config) # interface FastEthernet0/1
S2 (config-if) # description to-S1
S2 (config-if) # switchport mode trunk

S1 # show interface trunk (displays the trunk interfaces)

S1 is an access switch; SW is a distribution switch (Layer 3 switch).

A trunk port passes all the VLANs created, whereas an access port allows only one VLAN.
If PC0 sends a packet to PC2 (in the same VLAN but not on the same switch), S1 tags the frame on the trunk port before
sending it.
There are two (02) tagging protocols: dot1q and ISL.

ISL, Inter-Switch Link (Cisco proprietary):
The Ethernet frame is encapsulated in a new frame containing the VLAN identifier (in the header, 15 bits).

dot1q (open standard) (in the tag, 4 bits):
TPID: identifies the inserted tag protocol (for 802.1Q: 0x8100).
Priority: gives the priority of the frame (0 to 7).
CFI: ensures compatibility between Token Ring and Ethernet (value 0 for Ethernet).
VID: the VLAN identifier carried in the tag.

# Native VLAN:
On a trunk link, the native VLAN is the VLAN into which untagged frames received on the trunk are placed.
- The frames of the native VLAN are sent without a tag on the trunk interface (by default the native VLAN is VLAN 1).
- Best practice: the native VLAN should not be used anywhere else. For example, if we choose VLAN 666 to be
the native VLAN, it should never be used anywhere else. In this way, a hacker who sends untagged frames
on a trunk cannot reach any subnet.
- Also, the native VLAN must be configured on each trunk port (the same value at both ends).

SW (config) # interface gigabitEthernet 1/0/1
SW (config-if) # switchport trunk native vlan 666
S1 (config) # interface gigabitEthernet 0/1
S1 (config-if) # switchport trunk native vlan 666
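
As an added example (not code from these notes), the dot1q tag fields and the native VLAN rule can be checked in Python: the parser reads TPID, priority, CFI and VID from a constructed frame, and classify_on_trunk shows where a trunk configured with native VLAN 666 and an allowed list of 10 and 20 puts an untagged frame (it is dropped, which is the point of the best practice). All MAC addresses and frames are constructed.

```python
"""802.1Q tag parsing and trunk-side VLAN classification.

Added example, not from the original notes. Frames are constructed by hand;
TPID 0x8100, the 3-bit priority, 1-bit CFI and 12-bit VID follow section 2.2.
"""
from __future__ import annotations
import struct

TPID_8021Q = 0x8100  # TPID of an 802.1Q tag (from the notes)


def mac_bytes(mac: str) -> bytes:
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vid: int | None = None, priority: int = 0, cfi: int = 0) -> bytes:
    """Build an Ethernet frame, inserting a 4-byte 802.1Q tag when vid is given."""
    header = mac_bytes(dst) + mac_bytes(src)
    if vid is None:
        return header + struct.pack("!H", ethertype) + payload
    tci = (priority & 0x7) << 13 | (cfi & 0x1) << 12 | (vid & 0x0FFF)
    return header + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Return addresses, tag fields (if tagged) and the payload EtherType."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"), "tagged": False}
    if ethertype != TPID_8021Q:
        info["ethertype"] = ethertype
        return info
    if len(frame) < 18:
        raise ValueError("802.1Q TPID present but the tag is truncated")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    info.update(tagged=True, tpid=ethertype, priority=tci >> 13,
                cfi=(tci >> 12) & 0x1, vid=tci & 0x0FFF, ethertype=inner_type)
    return info


def classify_on_trunk(frame: bytes, native_vlan: int, allowed: set[int]) -> tuple[str, int | None]:
    """Which VLAN a trunk port places the frame in, following the notes:
    untagged (or VID 0) frames land in the native VLAN, tagged frames in their
    VID, and anything outside the allowed list is dropped. A frame explicitly
    tagged with the native VLAN is reported separately so it can be logged."""
    info = parse_frame(frame)
    vid = info["vid"] if info["tagged"] else 0
    if vid == 0:
        verdict, vid = "native", native_vlan
    elif vid == native_vlan:
        verdict = "native-tagged"
    else:
        verdict = "forward"
    if vid not in allowed:
        return "drop", None
    return verdict, vid


if __name__ == "__main__":
    # Constructed samples: a broadcast ARP tagged VLAN 10 and an untagged IPv4 frame.
    tagged = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0806, b"\x00" * 28, vid=10, priority=5)
    untagged = build_frame("00:11:22:33:44:66", "00:11:22:33:44:55", 0x0800, b"\x00" * 46)
    print(parse_frame(tagged))
    # Trunk configured as in the notes: native VLAN 666, only VLANs 10 and 20 allowed.
    for f in (tagged, untagged):
        print(classify_on_trunk(f, native_vlan=666, allowed={10, 20}))
```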

 Function mode:

S1/S2               Access   Trunk   Dynamic auto   Dynamic desirable
Access              Access   /       Access         Access
Trunk               /        Trunk   Trunk          Trunk
Dynamic auto        Access   Trunk   Access         Trunk
Dynamic desirable   Access   Trunk   Trunk          Trunk

- "Dynamic Auto" and "Dynamic Desirable" modes aim to negotiate a trunk (by default, the port is in
dynamic auto mode).
- DTP (Dynamic Trunking Protocol) is used to negotiate; configuration below (one of the four modes):

S1 (config) # interface gigabitEthernet 0/1
S1 (config-if) # switchport mode access
S1 (config-if) # switchport mode trunk
S1 (config-if) # switchport mode dynamic auto
S1 (config-if) # switchport mode dynamic desirable

S1 # show interface g0/1 switchport
# Administrative mode: trunk (what is configured)
# Operational Mode: trunk (how it works)

It is possible to disable DTP negotiation with the command below (for security reasons, so that the port never
negotiates a trunk with whatever is plugged into it):

S1 (config) # interface gigabitEthernet 0/1
S1 (config-if) # switchport mode trunk
S1 (config-if) # switchport nonegotiate

VLANs 1002 to 1005 are stored in the file vlan.dat:

SW # dir flash:

S1 (config) # interface gigabitEthernet 0/1
S1 (config-if) # switchport mode trunk
S1 (config-if) # switchport trunk native vlan 666
S1 (config-if) # switchport trunk allowed vlan add 10
S1 (config-if) # switchport trunk allowed vlan add 20

 Inter-VLAN routing:

R1 (config) # interface gigabitEthernet 0/1
R1 (config-if) # no shutdown
R1 (config) # interface gigabitEthernet 0/1.10
R1 (config-subif) # encapsulation dot1q 10
R1 (config-subif) # ip address 192.168.10.1 255.255.255.0
R1 (config) # interface gigabitEthernet 0/1.20
R1 (config-subif) # encapsulation dot1q 20
R1 (config-subif) # ip address 192.168.20.1 255.255.255.0

S1 (config) # interface gigabitEthernet 0/1
S1 (config-if) # switchport mode trunk
S1 (config-if) # switchport trunk allowed vlan none
S1 (config-if) # switchport trunk allowed vlan add 10
S1 (config-if) # switchport trunk allowed vlan add 20
S1 (config-if) # switchport trunk native vlan 666

2.3. VLAN Trunking Protocol

VTP (VLAN Trunking Protocol, Cisco proprietary) propagates the VLANs across the network: any modification
(adding or deleting a VLAN) is automatically applied on the other switches of the network.
The real asset of VTP is to propagate the VLAN configuration through the network (it reduces the likelihood of
inconsistencies).

VTP propagates the following operations: creating a VLAN, editing a VLAN (renaming), and deleting a VLAN.

NB: trunk and access ports are still configured manually.

 Server, Client and Transparent modes:

# Server mode: where you can add, edit or delete VLANs; the configuration is stored in vlan.dat, after which the VTP server
sends a VLAN update to the other switches.

# Client mode: this switch is not able to edit, add or delete a VLAN, and it does not keep the configuration in the file vlan.dat.

# Transparent mode: does not participate in the VTP process; VLANs must be configured manually. (The revision number is
zero, and if it was greater than zero before, it is reset to zero.)

 Revision number and domain name:

# The revision number corresponds to the version of the VLAN database. When a change happens, the revision number increases
(zero at the beginning).

# The domain name must be the same on all switches in order to exchange updates; the same goes for the password.
 Update process:

- The updates are sent automatically when changes happen; also, the updates are sent every 300 sec
(summary advertisement). The revision number and the domain name are included in this update.
- If the switch has a revision number greater than or equal to the one of the update received, it does not
take the update into account; the same if the domain is not the same.
- The updates pass only through trunk ports.
- Only VLANs 1 to 1005 are announced.

 VTP Pruning:

VTP pruning prevents broadcasts from propagating to switches that do not have an access port in the VLAN concerned
by the broadcast (pruning is Cisco proprietary).

 Disadvantage:

- If you accidentally delete a VLAN on the VTP server, it is deleted on all the switches of the domain.
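
Added example (not the notes' code): a small Python model of the VTP rules above (modes, domain and password, revision number, update process) that also reproduces the disadvantage: a switch inserted with a higher revision number in the same domain replaces the VLAN database of the server and its clients. The switch names, domain ccnpswitch and password cisco follow the configuration below; the password comparison is simplified (real VTP hashes it into the advertisement's MD5 digest).

```python
"""VTP update handling as described in section 2.3 (modes, revision number,
update process, disadvantage). Added example, not from the original notes;
the VTP password is compared directly here, while real VTP hashes it into the
advertisement's MD5 digest."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class SummaryAdvert:
    domain: str
    password: str
    revision: int
    vlans: dict[int, str]     # VLAN id -> name


@dataclass
class VtpSwitch:
    name: str
    mode: str                 # "server", "client" or "transparent"
    domain: str
    password: str = ""
    revision: int = 0
    vlans: dict[int, str] = field(default_factory=lambda: {1: "default"})

    def set_mode(self, mode: str) -> None:
        self.mode = mode
        if mode == "transparent":
            self.revision = 0   # transparent mode resets the revision number

    def add_vlan(self, vid: int, vname: str) -> SummaryAdvert | None:
        """Servers and transparent switches may edit; only servers bump the revision."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: client mode cannot add or delete VLANs")
        self.vlans[vid] = vname
        return self._after_change()

    def delete_vlan(self, vid: int) -> SummaryAdvert | None:
        if self.mode == "client":
            raise PermissionError(f"{self.name}: client mode cannot add or delete VLANs")
        self.vlans.pop(vid, None)
        return self._after_change()

    def _after_change(self) -> SummaryAdvert | None:
        if self.mode != "server":
            return None         # transparent: local change only, nothing advertised
        self.revision += 1
        return self.advertise()

    def advertise(self) -> SummaryAdvert:
        return SummaryAdvert(self.domain, self.password, self.revision, dict(self.vlans))

    def receive(self, adv: SummaryAdvert) -> str:
        """Apply the rules of the update process; returns what was done."""
        if self.mode == "transparent":
            return "forwarded"                      # relayed on trunks, not applied
        if adv.domain != self.domain or adv.password != self.password:
            return "ignored: domain or password mismatch"
        if adv.revision <= self.revision:
            return "ignored: revision not higher"
        self.vlans = dict(adv.vlans)                # the whole database is replaced
        self.revision = adv.revision
        return "applied"


def propagate(adv: SummaryAdvert, switches: list[VtpSwitch]) -> dict[str, str]:
    """Deliver one summary advertisement to every switch (all reachable over trunks)."""
    return {sw.name: sw.receive(adv) for sw in switches}
```

A reused switch whose vlan.dat still holds a higher revision (for example `VtpSwitch("OLD", "server", "ccnpswitch", "cisco", revision=50)`) gets "applied" on MS and S1 and wipes VLANs 10 and 20; setting it to transparent mode first resets its revision to 0.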

 Configuration:

MS (config) # vtp domain ccnpswitch
MS (config) # vtp password cisco
MS (config) # vtp version 2
MS (config) # vtp mode server
MS (config) # vtp pruning
MS (config) # vlan 10
MS (config-vlan) # name engineer
MS (config) # vlan 20
MS (config-vlan) # name finance

S1 (config) # vtp domain ccnpswitch
S1 (config) # vtp password cisco
S1 (config) # vtp version 2
S1 (config) # vtp mode client

S2 (config) # vtp mode transparent

MS # show vtp status (password…)

Deleting the VTP configuration:

S1 # delete flash:vlan.dat

3. Spanning Tree Protocol

Spanning tree 802.1D is a Layer 2 protocol used to prevent loops in the network, and to benefit from a redundant topology
without the risk of creating a loop. Redundancy is used to provide high availability of services. However, a loop may occur
by error or because of the redundant topology (image below, 3.1. situations).

3.1. Situations:

 Broadcast storm:
We call a broadcast storm the fact that broadcast messages turn around in circles without stopping.

 Frame duplication:
On some redundant topologies, the frames can be duplicated.

 Instability of CAM tables:
The CAM (Content Addressable Memory) table is the table in which the switch keeps a correspondence of the
type "MAC address A -> behind port 1".

3.2. How it works:

Spanning tree disables the links that can create a loop. It takes care of reactivating them if necessary (in case of
failure of another link).

Spanning tree can also load-balance over the redundant links (VLAN-based distribution).

3.3. BPDU & Root Bridge:

The switches send BPDU (Bridge Protocol Data Unit) messages to detect loops; the BPDU messages allow
discovering the topology and electing the root bridge (the root bridge is somehow the leader of the spanning tree
topology). Once the root bridge is elected, every switch tries to find the best path to reach the root bridge. In addition,
redundant paths are disabled.

The switches look for the port with the lowest metric to the root bridge, then they disable the other ports.

# Root bridge election:
The BPDU message contains the BID (bridge ID), which is composed of: the priority (32768 by default) + the MAC address.
The switch that has the lowest BID wins the election. If the priorities are equal (the same priority on all switches), the
lowest MAC address wins.

# BPDU messages: BPDUs are sent in multicast to the address 01:80:C2:00:00:00
BPDU config: used to calculate the spanning tree. It contains the ID of the switch which sends the message, the ID of the
port and the cost of the link.
BPDU change notification (TCN, topology change notification): sent by a switch when the topology changes.
BPDU Ack: used to respond to a BPDU TCN.
3.4. Types of ports:

In spanning tree, a port can have three (3) roles:

# root port: the port which gives the best path to the root bridge.
# designated port: one and only one designated port per link.
# blocking: port blocked by spanning tree (never a root port or a
designated port).

S3 is the root bridge: all its ports are designated.

The port from S1 to S3 is the root port.

The port from S1 to S4 (on S1) is blocked.

3.5. Find the best path:

So that the switches find the best way to the root bridge, the criteria are based on the cost of each link. Spanning tree
defines a cost depending on the type of link.

After that, the switches add up the cost of each link to reach the root bridge in order to select the best path (the root port).

However, why is the port of S1 to S4 blocked, and not the port from S4 to S1?

Because the BID of S1 is higher than the BID of S4. So S1's port is blocked, and the port of S4 is designated.

Link bandwidth        STP cost   RSTP cost
4 Mbps                250        5000000
10 Mbps               100        2000000
16 Mbps               62         1250000
100 Mbps (fast-eth)   19         200000
1 Gbps (giga-eth)     4          20000
10 Gbps               2          2000
100 Gbps              1          200
1 Tbps                1          20
10 Tbps               1          2

3.6. STP process:

Election of root bridge:
* From the BID in the BPDU message, the lowest BID is the root bridge (BID = priority + MAC address).
* It is possible to select the root bridge by modifying the priority of the switch.

Select the best path (root port):
* The switches add the costs of the links to the root bridge. Other links, which would cause a loop, are blocked.
* A port can take 3 roles: root, designated and blocked.

Select designated port:
* All ports of the root bridge are designated ports.
* Lowest priority or lowest MAC address will be designated port.

3.7. PVST Per-VLAN Spanning Tree:

It works like a spanning tree per VLAN, which means all links are used, but not for the same VLAN.

Finally, the traffic is shared between the links.

The BID in PVST = priority + VLAN ID + MAC address.
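
Added example, not part of the notes: a Python simulation of the STP process of sections 3.3 to 3.7 on a constructed three-switch topology, using the STP cost column of section 3.5 and the (priority + VLAN ID + MAC) BID of PVST. It reproduces why S1's port to S4 is blocked while S4's port is designated; the S1 and S3 MACs reuse the addresses shown in the notes' show spanning-tree output, the S4 MAC and the links are constructed.

```python
"""STP process of sections 3.3 to 3.7 on a constructed topology: elect the
root bridge from the BID, compute root path cost and root port per switch,
and pick the designated port on every link. Added example, not from the notes."""
from __future__ import annotations
from dataclasses import dataclass
import heapq

# STP column of the cost table in section 3.5, keyed by link bandwidth in Mbps.
STP_COST = {4: 250, 10: 100, 16: 62, 100: 19, 1000: 4, 10000: 2, 100000: 1}


@dataclass
class Switch:
    name: str
    mac: str              # Cisco notation, e.g. 0001.9757.A70E
    priority: int = 32768


@dataclass
class Link:
    a: str
    a_port: str
    b: str
    b_port: str
    mbps: int


def bridge_id(priority: int, mac: str, vlan: int = 0) -> tuple[int, int]:
    """BID = priority (+ VLAN id in PVST) followed by the MAC; the tuple compares
    the way BIDs do: lower priority first, then lower MAC."""
    return (priority + vlan, int(mac.replace(".", "").replace(":", ""), 16))


def run_stp(switches: list[Switch], links: list[Link], vlan: int = 0):
    """Return (root name, root path cost per switch, root port per switch,
    role per (switch, port)). Roles are 'root', 'designated' or 'blocked'."""
    bids = {s.name: bridge_id(s.priority, s.mac, vlan) for s in switches}
    root = min(bids, key=bids.get)                      # lowest BID wins
    adj = {s.name: [] for s in switches}
    for l in links:
        adj[l.a].append((l.b, STP_COST[l.mbps], l.a_port, l.b_port))
        adj[l.b].append((l.a, STP_COST[l.mbps], l.b_port, l.a_port))
    # Best BPDU seen by each switch: (root path cost, sender BID, sender port).
    best = {root: (0, bids[root], "")}
    root_port = {}
    heap = [(0, bids[root], "", root)]
    while heap:
        cost, _, _, u = heapq.heappop(heap)
        if cost > best[u][0]:
            continue
        for v, link_cost, u_port, v_port in adj[u]:
            cand = (cost + link_cost, bids[u], u_port)  # cost added on the receiving side
            if v not in best or cand < best[v]:
                best[v] = cand
                root_port[v] = v_port
                heapq.heappush(heap, (cand[0], bids[u], u_port, v))
    roles = {}
    for l in links:
        # The end with the lower (root path cost, BID) is designated; the other
        # end is either that switch's root port or blocked.
        ends = sorted([(best[l.a][0], bids[l.a], l.a, l.a_port),
                       (best[l.b][0], bids[l.b], l.b, l.b_port)])
        (_, _, des, des_port), (_, _, oth, oth_port) = ends
        roles[(des, des_port)] = "designated"
        roles[(oth, oth_port)] = "root" if root_port.get(oth) == oth_port else "blocked"
    return root, {n: best[n][0] for n in best}, root_port, roles


# Constructed topology: S3 has the lowest MAC and becomes root; S1 and S4 tie on
# cost toward the root, and S1, with the higher BID, blocks its port to S4.
SWITCHES = [Switch("S1", "000B.BEA0.C3D8"), Switch("S3", "0001.9757.A70E"),
            Switch("S4", "0005.0000.0001")]
LINKS = [Link("S3", "fa0/1", "S1", "fa0/1", 100), Link("S3", "fa0/2", "S4", "fa0/1", 100),
         Link("S1", "fa0/2", "S4", "fa0/2", 100)]
```

`run_stp(SWITCHES, LINKS)` returns S3 as root, cost 19 for S1 and S4, fa0/1 as both root ports, and ("S1", "fa0/2") blocked against ("S4", "fa0/2") designated; lowering S1's priority to 24576 (spanning-tree vlan 1 priority) makes S1 the root instead.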

3.8. Port states in spanning tree:

A spanning tree port can be in four (04) states:

Listening: sends and receives BPDUs (duration 15 sec).
Learning: filling the MAC table (duration 15 sec).
Forwarding: the port is able to transport the traffic.
Blocking: the port is blocked (duration to leave this state: 20 sec).

# At first, the port is in listening state; it sends and receives BPDU config messages (used for finding the root
bridge and choosing the role of the port).

# The port then goes into learning state, learning and filling the MAC address table.

# If everything is okay (30 sec), the port is in forwarding state or in blocking state (blocked port role).

To leave the blocking state you must wait 20 sec. Spanning tree is therefore slow.

3.9. Other types of STP

Name                   STP            PVST           PVST+          Rapid-PVST+    RSTP           MSTP
Standard               IEEE 802.1D    Cisco          Cisco          Cisco          IEEE 802.1w    IEEE 802.1s
Algorithm              Spanning tree  Spanning tree  Spanning tree  Rapid ST       Rapid ST       Rapid ST
Instance               1              Per-VLAN       Per-VLAN       Per-VLAN       1              Per-VLAN
Trunking               -              ISL            ISL/802.1Q     ISL/802.1Q     -              ISL/802.1Q
Convergence            slow           slow           slow           fast           fast           fast
Resource consumption   low            low            high           high           average        high

4. Configuration:
4.1. Default configuration:

Spanning tree is enabled by default (information displayed for VLAN 1):

S2 # show running-config
spanning-tree mode pvst

S2 (config) # spanning-tree mode ? (mst, pvst or rapid-pvst)
S2 (config) # spanning-tree vlan 1 priority <number>
S2 (config) # spanning-tree vlan 1 root ? (primary or secondary)
S2 (config) # spanning-tree vlan 1,10,20 root ? (primary or secondary)

The root bridge in the topology (low priority and low MAC address):

S2 # show spanning-tree
VLAN0001
Root ID
This bridge is the root
Bridge ID
Address 0001.9757.A70E
---------------------------------------------
interface role sts cost prio.nbr type
---------------------------------------------
fa0/1 desg FWD 19 128.1 p2p
fa0/2 desg FWD 19 128.1 p2p

4.2. Port states:

S1 # show spanning-tree
VLAN0001
Root ID
Address 0001.9757.A70E
Bridge ID
Address 000B.BEA0.C3D8
---------------------------------------------
interface role sts cost prio.nbr type
---------------------------------------------
fa0/1 root FWD 19 128.1 p2p
fa0/2 altn BLK 19 128.1 p2p

The port fa0/2 of switch S1 is blocked because the BID of this port is higher than that of switch S4's fa0/2.

4.3. STP Timers and costs:

4.4. Portfast:

Portfast is configured on access ports (ports connected to a PC, hub, server…); it is used to skip the spanning tree states on
these ports. The result: no BPDU message diffusion and no spanning tree state transitions. Never use it on a trunk port.

s1 (config) # interface fastEthernet 0/3
s1 (config-if) # spanning-tree portfast

4.5. Rapid-PVST

Rapid-PVST is Cisco proprietary; RSTP is faster than STP. The timers have been reduced or removed. BPDUs are sent every hello
time (2 s by default).

# Port states:

Learning: filling the MAC table (the time is short).
Forwarding: the port is able to transport the traffic.
Discarding: the port is blocked.

# Port roles:

Root port: port offering the best path to the root bridge.
Designated port: one and only one designated port per link.
Alternate port: port blocked by spanning tree, but which can very quickly go into forwarding in case of failure of the primary
link.
Edge port: not connected to a switch (Portfast equivalent).

To make spanning tree faster than before, you must implement Rapid-PVST.

S1 (config) # spanning-tree mode ?
mst multiple spanning-tree mode
pvst per-vlan spanning-tree mode
rapid-pvst per-vlan rapid spanning-tree mode

Rapid-PVST works like PVST but is faster. As a check: if you shut down an interface, the blocked interface (fa0/2)
goes into forwarding state.

Rapid-PVST, RSTP and MST are compatible.

4.6. MSTP Multiple Spanning Tree:

S1 (config) # spanning-tree mode mst
S1 (config) # spanning-tree mst configuration
S1 (config-mst) # name resgion1
S1 (config-mst) # revision 10
S1 (config-mst) # instance 1 vlan 10,20,100
S1 (config-mst) # instance 2 vlan 30,40,200
S1 (config) # spanning-tree mst 1 root primary

MSTP is the open standard counterpart of PVST, but it uses the rapid spanning tree algorithm. The
configuration of MSTP requires the creation of instances, each instance containing multiple VLANs. A switch is then the root
bridge for an instance, and thus potentially for multiple VLANs.

The last command forces the switch to be the root bridge (for instance 1).

4.7. Multiple Instance Spanning-tree

In the previous topology, VLAN 10 and VLAN 20 are created on all switches.
Access ports for VLAN 10: s1 interface fa0/3 and s2 interface fa0/3.
Access ports for VLAN 20: s1 interface fa0/4 and s2 interface fa0/4.
The trunk ports between the switches are configured. Also, Rapid-PVST is configured on all switches.

Now, set s2 as primary root for VLAN 10 and s3 as primary root for VLAN 20; the configuration looks like:

S2 (config) # spanning-tree mode rapid-pvst
S2 (config) # spanning-tree vlan 10 root primary

S3 (config) # spanning-tree mode rapid-pvst
S3 (config) # spanning-tree vlan 20 root primary

Check now with the command show spanning-tree => s2 is the root bridge in VLAN 10; s3 is the root bridge in VLAN
20.

4.8. Other functionalities of Spanning-tree

4.8.1. BPDU guard: by activating BPDU guard on a port, the port disables itself (err-disabled state) if it receives
a BPDU. This is a feature to enable on ports facing PCs (access ports).

S2 (config) # interface fastEthernet 0/3
S2 (config-if) # spanning-tree bpduguard enable

4.8.2. BPDU filter: the BPDU filter is used to disable the sending of BPDUs on this port (access port). On the
other hand, if a BPDU is received on this same port, the port becomes again part of the spanning tree
process (Portfast is also disabled).

S2 (config) # interface fastEthernet 0/3
S2 (config-if) # spanning-tree bpdufilter enable

4.8.3. Backbone-fast and uplink-fast: Backbone-fast and Uplink-fast are two features (created by Cisco) that
improve the spanning tree convergence time. Configuring these features is unnecessary in Rapid-
PVST, RSTP, and MSTP because they are already built in.

By activating Uplink-fast, the convergence will be faster in case of failure. If the switch S3 fails, S1 will
automatically activate its port Fa0/2 because it has kept in mind that it is an alternative path to the
root bridge. The convergence is faster because it is not necessary to go through the
listening and learning phases. This feature is to be activated on the access level switches.
At the distribution and core levels, it can sometimes lead to loops. To improve security, the switch
priority is increased when Uplink-fast is activated, as is the cost of the ports.

Conversely, Backbone-fast can detect remote faults (distant failures), that is, failures that occur on
remote switches and cause us to no longer reach the root bridge. Upon
detection of such a failure, the switch directly passes the port concerned into listening mode, and does
not wait for the expiration of the Max Age timer (time after which the port goes to listening if we no
longer receive the root bridge's BPDUs).

S2 (config) # spanning-tree uplinkfast
S2 (config) # spanning-tree backbonefast

4.9. Storm Control:

In this case, only 20% of the bandwidth of the link can be used to transmit broadcasts. If the threshold is exceeded,
all broadcast traffic is blocked until the transmission rate drops below 20%. It is possible to do the same for
multicast and unicast. To disable the port in case of excess (err-disabled state with the shutdown action):

S2 (config) # interface fastEthernet 0/3
S2 (config-if) # storm-control broadcast level 20
S2 (config-if) # storm-control action shutdown

In this case, broadcast traffic is blocked if it exceeds 20%, and is only allowed again once it falls below 15%
(the rising threshold comes first in the command, then the falling threshold):

S2 (config) # interface fastEthernet 0/3
S2 (config-if) # storm-control broadcast level 20 15
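
Added example, not from the notes: a Python simulation of the rising and falling thresholds (level 20 versus level 20 15) and of the shutdown action, run over constructed per-interval broadcast-load samples; it shows the interval at 18% that stays blocked under the second configuration but not under the first.

```python
"""Storm-control thresholds from section 4.9, simulated per measurement interval.
Added example, not from the original notes; the broadcast percentages used with
it are constructed samples."""


def storm_control(samples, rising, falling=None, action="filter"):
    """Return one decision per interval ('forward', 'blocked' or 'err-disabled').

    samples: % of link bandwidth carried by broadcast in each interval.
    rising:  suppression starts once traffic exceeds it (level 20 -> 20).
    falling: suppression ends once traffic drops below it; defaults to rising
             (level 20 15 -> rising 20, falling 15).
    action:  'filter' drops the excess; 'shutdown' err-disables the port, which
             stays down until re-enabled (manually or by errdisable recovery).
    """
    if falling is None:
        falling = rising
    if falling > rising:
        raise ValueError("falling threshold must not exceed rising threshold")
    suppressed = False
    decisions = []
    for pct in samples:
        if not suppressed and pct > rising:
            if action == "shutdown":
                decisions.extend(["err-disabled"] * (len(samples) - len(decisions)))
                return decisions
            suppressed = True
        elif suppressed and pct < falling:
            suppressed = False
        decisions.append("blocked" if suppressed else "forward")
    return decisions


if __name__ == "__main__":
    samples = [5, 25, 18, 12, 30]   # constructed broadcast load per interval, in %
    print(storm_control(samples, 20))         # storm-control broadcast level 20
    print(storm_control(samples, 20, 15))     # storm-control broadcast level 20 15
    print(storm_control(samples, 20, action="shutdown"))
```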

More commands:

# Delete the startup configuration:
Router # erase startup-config

# Hostname:
Router (config) # hostname R1

# Create domain name:
Router (config) # ip domain-name cisco

# Create a password for privileged access (secret is better than password because it is stored encrypted (hashed) in the configuration file):
Router (config) # enable secret PASSword
Router (config) # enable password PASSword

# For encryption:
Router (config) # service password-encryption

# Username and password creation (remote access):
Router (config) # username admin secret PASSword

# Disabling DNS lookup avoids blocking the CLI when you enter a wrong command in Enable mode.
Router (config) # no ip domain-lookup

# The MOTD banner is displayed at each connection to the equipment (SSH, Telnet, Console).
The login banner is displayed when an identifier is requested.
Router (config) # banner motd !banner MOTD!
Router (config) # banner login !banner LOGIN!

# Console Access:
Router (config) # line console 0
Router (config-line) # password PASSword
Router (config-line) # login
Router (config-line) # logging synchronous

# Telnet and SSH access:
Router (config) # line vty 0 15
Router (config-line) # password PASSword
Router (config-line) # login
Router (config-line) # logging synchronous
Router (config-line) # transport input ssh, telnet, all…
Router (config) # crypto key generate rsa
How many bits in the modulus [512]: 1024
Router (config) # ip ssh version 2
