3/10/12 Guide to Cisco Router Configuration

1/25 .opennet.ru/soft/cisco-configuration.html
Guide to Cisco Router Configuration

Contents
Preface And Scope
Description of Cisco Router Products
Cisco Interface Cards
Preparing for Configuration
Configuring the Router
I. Set a Hostname
II. Establishing Enable Password Protection
III. Optionally Enable UDP and TCP network services
IV. Configure Console and Network Access
V. Configure Serial and Ethernet Interfaces
VI. Configuring the CIP card and the virtual interfaces
VII. Add IP Routes and Set a Default Route
VIII. Configure Frame Relay
IX. Configure Asynchronous Transfer Mode (ATM)
Configuring Access Lists and Network Security
Configuring Routing Protocols
I. Configuring RIP
II. Configuring IGRP
III. Configuring Enhanced IGRP
IV. Configuring OSPF
V. Configuring BGP
VI. Exchanging Routes Between Protocols
Preface and Scope

This document is intended to instruct in the basics of Cisco router configuration and maintenance. It is by no
means complete or authoritative. This document purposely omits many topics and assumes a foreknowledge of
others. It is assumed that the reader has a preexisting knowledge of Internet protocols and an understanding of
TCP/IP networking. Prior experience with Cisco router products will make this document easier to understand
but is not required.

The commands and procedures detailed in this writing are consistent with Cisco's Internetwork Operating
System (IOS) versions 11.0, 11.1, and 11.2. Cisco endeavors to maintain backwards compatibility in their
software; however, there is no guarantee of such. Hence, the commands and procedures outlined herein should
only be used as a guide when working with later releases of IOS. References within this writing to IOS
documentation refer to the manual set for IOS version 11.0.
Description of Cisco Router Products

There are several varieties of Cisco routers. The relevant router models are the 2500, 4000, 7000, and 7500
series. Physically, each is as follows:

The 2501 (which is about the only router out of the 2500 series we use) has a console port and an aux port in
the form of RJ45 type connectors. There is one 10 megabit Ethernet AUI type connector, and two high density 60
pin serial connectors. The serial connectors are used for the WAN connections.

The 4000 is the next step up in Cisco's product line. It has a console port and an aux port in the form of two
DB25 connectors. There are slots for various interfaces; however, they are not presented in a card/slot format.
Rather, each card adds interfaces to those already in existence, so it becomes possible to have, for example,
interfaces Serial0 through Serial11 by using three cards.

One of the more recent generations of backbone routers is Cisco's 7000 series router. This router is quite large.
It has room for a primary and redundant power supply. In the backplane, there are 7 slots that are used as
follows. All the way on the right-hand side is a slot labeled for the Route Processor (which holds two DB25
connectors for console and aux). It utilizes a Motorola 68040 for its processor and has internal slots for two
flash modules and 4 30-pin SIMMs. There is also a bank of pins for various jumpers. These control certain default
settings that are read when the router is powered up. Factory default is almost ALWAYS correct and these
jumpers should NOT be moved. To the left of this card is the Switch Processor. This card handles "fast
switching" in this model router. "Fast switching" will be explained later in this document. Finally, there are slots
labeled 0 through 4. These are for interface cards.

There is also an upgraded processor card for the 7000 as well. The primary difference is that the processor is MIPS
based and the flash slots have been made external to accommodate a single removable PCMCIA flash module.

Finally, there is the 7500 series. This is Cisco's latest router model. The processor is MIPS based and the backplane
has been greatly enhanced. The 7505, which is our most common router, has a single power supply, a slot for
the Route/Switch Processor with two PCMCIA slots for flash cards (route and switch processing are on one card
here instead of 2 because of changes made in the way that fast switching is done), and interface slots labeled 0
through 3. The on board memory is 4 72-pin SIMM slots using parity RAM. The 7507 adds a redundant power
supply and an additional interface slot, and room for a redundant processor card. The 7513 adds a blower for
additional cooling and contains a route processor, switch processor, and can hold up to 11 interface cards in
addition to the processors.

Cisco Interface Cards

There are several cards for use with the Cisco 4000, 7000, 7200, and 7500 series routers. The 2500 series are
fixed configurations. This section only describes the cards used with 7000 and 7500 series routers.

The first is the Fast Serial Interface Processor (FSIP) card. The FSIP is available with 4 or 8 serial ports. These
are used for synchronous data connections such as T1s which are used in Wide Area Networks (WANs).

Ethernet Interface Processor (EIP) cards contain 2, 4 or 6 AUI type connectors for 10 megabit Ethernet and are
used for connecting the router to the low speed Local Area Network (LAN).

Fast Ethernet Interface Processor (FEIP) cards contain two RJ45 type modular connectors used for 100BaseT
connections.

ATM Interface Processor (AIP) cards are used for Asynchronous Transfer Mode (ATM) connections. There
are a couple of varieties of ATM cards. Most commonly used is a DS3 interface which has two BNC type
coaxial connectors (one for transmit and one for receive). This interface operates at 45 Mbps. In our Phoenix
POP, we have installed a SONET interface card which makes use of a fiber optic connection to a LightStream
100 (which is an ATM switch, essentially). This connection operates at OC3c speeds (155 Mbps).

Fiber Distributed Data Interface (FDDI) Interface Processors (FIP) are used for FDDI ring connections. These
cards have two fiber optic connectors and may be connected by one or the other, or both connectors may be
utilized to create a fiber ring for redundancy. This interface operates at 100 Mbps.

High Speed Serial Interface (HSSI) Interface Processors (HIP) are used for DS3 level connections. These cards
have a single connector for one T3.

Channelized T3 Interface Processors (CT3IP, referred to in this document as the CIP card) are used to connect a
muxed T3 into a router. This card has two BNC connectors for the transmit and receive of the T3. It also has 3
DB9 connectors for T1 output and one DB9 for output to a test set. Using this card, it is possible to configure 28
full or fractional T1 circuits in one slot within the router. This is a significant advantage over the use of external
CSUs and multiple FSIP cards, which occupy valuable rack and bus space, respectively. Built using the second
generation Versatile Interface Processor design (VIP2), this card also supports distributed switching and can
actually handle the same conventional load while using less of the router's primary processor. The outputs can be
used to feed T1s to external devices or for connecting to a MIP card for channelized T1 processing.

Packet Over SONET Interface Processors (POSIP) are used to provide point-to-point connectivity between
locations at the OC3 level. This interface operates at 155 Mbps, full duplex. It has one optical connection to
receive an OC3 circuit.

Preparing for Configuration

There are several steps involved in commissioning a new router. The first is to determine physical configuration.
Although any interface card may be placed in any slot, thought should go into how cards are arranged. For
example, if you intend to have a large group of routers with more or less identical types and quantities of cards, it
is easier to place the cards in a "standard" order. This way, there is no searching to find what card is in which
slot; it is simply assumed that a given card will be in a given slot. This leaves less to remember and can cut critical
time off diagnosing network problems.

Initial configuration is done from the console. There are a few caveats which will be explained later. The console
should be connected via a straight through RS232 interface using either a standard RS232 cable or one of the
appropriate adaptors provided with the 2501 (Note: the adaptors for the 2500 series routers are proprietary to
Cisco and do NOT contain standard pin-outs.) The connection operates at 9600 baud, 8 data bits, 1 stop bit
and no parity. Boot the router and wait for the "press return to get started" prompt. When the router boots for
the first time after being shipped from the manufacturer, you may enter the "setup" dialogue. In general, you don't
want to use setup to initialize your router. You may exit out of this when prompted, or you can type Ctrl-^
(Ctrl-Shift-6), which is the Cisco escape character, to break out of it.

You should end up at a "Router>" prompt. This is an unprivileged access mode known as "User EXEC Mode".
There are several levels of access that can be configured within the router. This mode is privilege level 1. (You
may use the "show privilege" command to find out what your current privilege level is.)

To enter a higher privilege mode, use "enable". The default privilege level is 15. If a password has been set, you
will be prompted to enter it at this time. If no password has yet been set, you will not be prompted for a
password, and instead immediately gain privileged access. Your prompt will now become "Router#".

At that point, you may prepare to enter configuration commands by typing "configure terminal". Your prompt will
change to "Router(config)#". To exit the configuration, type "exit" or Ctrl-Z. Once you are done, you need to store
your configuration changes in non-volatile memory. Type "write" (or the equivalent "copy running-config
startup-config") from the privileged EXEC prompt (Router#). It will take a few moments to build the
configuration file and store it in memory.

As mentioned above, there are a few things to watch for when configuring Cisco routers. Once logged into a
router via a network connection, you cannot "enable" from the network connection if no enable password has
been set. One of the most important things to remember is that ALL changes are IMMEDIATE. If you attempt
to restart an interface by shutting it down and then turning it back up, and it is the interface you are coming in
over, you will never be able to turn the interface back up unless you come in via an alternate path (such as
logging in on the console or by dialing up to a POP) or power cycle the router (which discards the shutdown, as
long as it was not written to non-volatile memory). Likewise, when configuring a packet filter, it is a good idea to
remove the filter from the associated interface while updating it if at all feasible. This saves you from filtering
yourself out of the router and possibly causing significant interruption of services for others. Also, for any given
command, with only a few exceptions, placing a "no" in front of the command has the effect of "undoing" that
operation.

Configuring the Router

The Cisco Internetwork Operating System (IOS) is extremely flexible and powerful. Hence, there are many
subtleties to configuring certain services and many things that the router can do that you will never use. For the
full description of the options that can be used with each of these commands, refer to the router configuration
guide and command reference. These documents are available in printed form and via the World Wide Web at
http://www.cisco.com/univercd/data/doc/software.htm. (Hint: This is a good bookmark to place in Netscape.)
From there, you may select the appropriate version of IOS to find the section you are looking for.

Cisco interfaces are named according to interface type and interface number. The 7000, 7200, and 7500 series
routers also add a slot number. All interfaces and slots are indexed at zero. The first Ethernet port on a model
2501 router would be identified as Ethernet0. The fourth serial port on a 7000 with a serial card in slot 2 would
be Serial2/3.

* For the remainder of this section, it is assumed that the reader has entered the terminal configuration mode
within the router via "configure terminal" from the privileged EXEC prompt.

I. Set a Hostname
The first order of business in configuring a router is to choose a hostname for the router. This name is not
used by the router itself and is entirely for human consumption. The hostname you set replaces "Router" in
the prompt and can be useful in distinguishing which router you are connected to when telnetting among
several routers. This line also appears within the first 20 lines of the configuration file and can be used to
distinguish saved configurations of one router from another. The form of this command is

    hostname <name>

II. Establishing Enable Password Protection

Before connecting the router to your network it is also a good idea to set the enable password. This
password is used to gain privileged access to the router, so it should not be an obvious password. The
format of this command is as follows:

    enable password <password>

This password may contain any alphanumeric characters, up to 80 including spaces, but MUST NOT
START with a number or a space. The password is stored in an unencrypted (plain text) format in the
configuration file. Obviously, it is desirable to have the password encrypted before it is saved. To do this,
use:

    service password-encryption

This will cause all passwords in the system to be encrypted before being stored in a saved configuration,
using Cisco's proprietary algorithm (they appear as "password 7" in the configuration). Be aware that this is
a reversible encoding, not a one-way hash: it stops a password being read off a screen or a printout, but
anyone who obtains the configuration file can recover the clear text with freely available tools. For the
privileged password, prefer

    enable secret <password>

which stores an MD5 hash (shown as "secret 5") and takes precedence over "enable password" when
both are set.

NOTE: The router provides no way to display a stored password in clear text. If the enable password or
secret is lost, the only recourse is the password recovery procedure, which requires physical access to the
console.
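As an added illustration (not part of the original guide), the following Python script implements the type-7 encoding that "service password-encryption" applies, decodes it again, and pulls every such password out of a saved configuration. The key string and algorithm are those of the Cisco type-7 scheme; the configuration fragment fed to it is constructed for this example, and the "cisco" string is the widely published type-7 form of that word.

```python
# Added example, not from the original guide: the "encryption" that
# "service password-encryption" applies to enable and line passwords is
# the reversible Cisco type-7 encoding. The stored string is two decimal
# digits (an offset into a fixed key) followed by one hex byte per
# password character, each XORed with the key byte at offset+position.
# Anyone holding the configuration file can undo it, which is why the
# privileged password belongs in "enable secret" (a one-way MD5 hash).
import re
from typing import List, Tuple

XLAT_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Recover the clear text from a 'password 7 <string>' value."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type-7 string is 2 offset digits + hex pairs")
    offset = int(encoded[:2], 10)
    if offset > 15:
        raise ValueError("offset must be 0-15")
    body = bytes.fromhex(encoded[2:])
    clear = bytes(b ^ XLAT_KEY[(offset + i) % len(XLAT_KEY)]
                  for i, b in enumerate(body))
    return clear.decode("ascii")


def type7_encode(password: str, offset: int = 0) -> str:
    """Produce what IOS would store for this password and offset."""
    if not 0 <= offset <= 15:
        raise ValueError("offset must be 0-15")
    body = bytes(b ^ XLAT_KEY[(offset + i) % len(XLAT_KEY)]
                 for i, b in enumerate(password.encode("ascii")))
    return f"{offset:02d}{body.hex().upper()}"


# Matches both "enable password 7 ..." and a line-mode " password 7 ...".
PASSWORD_7 = re.compile(r"^\s*(?:enable )?password 7 ([0-9A-Fa-f]+)\s*$")


def harvest(config_text: str) -> List[Tuple[str, str]]:
    """Decode every type-7 password found in a saved configuration."""
    found = []
    for line in config_text.splitlines():
        m = PASSWORD_7.match(line)
        if m:
            found.append((line.strip(), type7_decode(m.group(1))))
    return found


if __name__ == "__main__":
    # Constructed configuration fragment. The first string is the widely
    # published type-7 form of "cisco"; the vty entry uses this guide's
    # example password encoded with offset 3.
    sample = "\n".join([
        "service password-encryption",
        "enable password 7 0822455D0A16",
        "line vty 0 4",
        " password 7 " + type7_encode("steamboat", 3),
        " login",
    ])
    for line, clear in harvest(sample):
        print(f"{line:<40} -> {clear}")
```

Run it against a copy of any router configuration that uses "enable password" under "service password-encryption" and the privileged password comes straight back; an "enable secret 5 $1$..." line is deliberately not matched, because that one is a hash and cannot be reversed this way.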
III. Optionally Enable UDP and TCP network services

Cisco routers support standard network services for TCP and UDP such as echo, discard, daytime, and
so forth. These services are enabled with the commands

    service tcp-small-servers
    service udp-small-servers

It should be noted that these package all standard network services in one bundle. Without creating
access lists, it is not possible to disallow any of the services these create. None of them is needed for the
router to do its job, and echo and chargen in particular can be abused to generate reflected traffic, so unless
there is a specific reason to turn them on they should be left (or set) off with "no service tcp-small-servers"
and "no service udp-small-servers".

Cisco also supports a finger daemon to give information about who is connected to a given router. This
service is enabled by default. Since it tells an outsider who is logged in, it is best disabled as follows:

    no service finger

IV. Configure Console and Network Access

Initially, the only device set up for access is the console. When placed in the field, it is more convenient to
program and maintain the routers through a telnet connection than it is to dial up into each router to
configure or monitor the system. In order to do this, virtual ttys (vtys) must be configured. Generally, 5
vtys should be configured; however, the router will support up to 100. Each should be given a timeout to
avoid all vtys being in use. If all vtys are in use, further connection attempts will result in a "connection
refused". It is probably a good idea to force the user to enter a password before he can log in to the router
through a vty as well. An example of this configuration is shown below.

    line vty 0 4
    exec-timeout 30 0
    login
    password steamboat

This creates 5 vtys numbered 0 through 4. Each vty has a timeout of 30 minutes and 0 seconds. These
vtys require a password for login. This password is "steamboat". Note: If password-encryption is enabled,
this password is encrypted before being stored in the router's configuration. The minimum number of vtys
that may be enabled is 5. Since a vty password travels over the network in clear text with telnet, it is also
worth limiting which source addresses may reach the vtys at all, using "access-class <list> in" under "line
vty" once an access list has been defined (access lists are covered below).

Usually you do not want to require a password for console access but you would like to specify a timeout.
(Anyone with physical access to the console port then has user EXEC access, so this is only acceptable
where the router itself is physically secured.)

    line console 0
    exec-timeout 15 0

For a full description of how each vty may be configured, refer to chapter 4 of the router configuration
guide.

V. Configure Serial and Ethernet Interfaces

By far, the easiest interfaces to configure are Ethernet interfaces. To bring up an Ethernet interface, all that
is necessary is to assign it an IP address, associate a netmask with that address, and turn up the interface.
For example, to bring online the Ethernet interface on a 2501 and assign it the IP address 150.151.152.1
with a class C netmask (255.255.255.0), the following commands would be used:

    interface Ethernet0
    ip address 150.151.152.1 255.255.255.0
    no shutdown

and that's it. It should be noted that this has the side effect of placing a route for 150.151.152.0 in the
2501's routing tables since this is a network that is directly "Connected" via Ethernet0. As a result, you can
immediately connect to any system on that network from the router. Routing and types of routes will be
discussed later in this document.

Configuring serial interfaces for point to point connections is not too different.

    interface Serial0/3
    ip address 203.142.253.33 255.255.255.252
    encapsulation ppp
    mtu 1500
    no shutdown

This gives Serial0/3 the address 203.142.253.33 and makes it part of a subnet of 2 IP addresses (plus
broadcast/network number) of 203.142.253.32-35. Again, a connected route is placed in the routing
tables. These routes can be useful when configuring BGP or OSPF or some other routing protocol as
discussed later. IP subnetting, as used in the above example, is not covered within the scope of this
document.

The preceding example also assigned a link encapsulation of PPP to the interface and gives it an MTU of
1500 bytes, which is the default if no MTU is specified. This is correct for most instances, but when
connecting to another Cisco, it will be slightly more efficient to make use of Cisco's HDLC protocol. This
is the default encapsulation for all serial interfaces. To make use of this, either omit the encapsulation or
specify "encapsulation hdlc" to replace a previous setting.

There is a third encapsulation for serial interfaces, Frame Relay, which will be discussed in its own section
later on.

VI. Configuring the CIP card and the virtual interfaces

The CIP card appears to the router as a controller instead of a standard interface. T1 channels may be
defined, modified, or deleted without any external configuration to the card. CSU loops may be initiated
and released from within software, and test patterns run to these loops from the router. The advantages
of full management are well known to anyone who has spent any time at all performing work as a network
operations technician. The ability to quickly determine CSU states, attempt quick fixes, and obtain a full
diagnostic of the problem is invaluable when reporting an outage to a carrier. The more information that
can be provided to them during the initial problem report, the more the diagnostic and repair processes
are sped up.

The T3 controller, since it is built on VIP2 technology, introduces a third level to the card designation.
Instead of simply slot/port, it now introduces a port adaptor number. Since there is only one CT3IP per
card, the port and port adaptor numbers will always be zero. An interface in slot 2 will be identified as
2/0/0. T1 channels are designated by a colon and a channel number after the interface identifier
(numbering 1 through 28 to coincide with Bellcore designations). In the previous example, the 17th T1
channel would be 2/0/0:17.

The first step in configuring this interface is the configuration of the T3. Settings required are T3 framing,
clock source, and cable distance (which is used in determining the LBO to use). The default cable length is
224 feet. This should be acceptable for most applications. The framing types available are cbit and m23. It
is possible to configure the router to auto-detect framing, but in many instances auto detection can lead to
future problems, so it is best to use this only when you are uncertain of the framing being used. Once the
framing has been identified, it can then be set statically in the router's configuration.

For most muxed T3s, the framing type will be m23. cbit is used, for example, in a clear channel T3 into an
ATM network.

    controller t3 0/0/0
    framing m23
    clock source line
    cablelength 224

Once the T3 has been configured, T1 channels may be assigned. The T1 channels need to be configured
for the number of slots on the T1 in use, the framing and encoding being used, the speed of the underlying
DS0s (56K or 64K), and the clock source for the T1.
    controller t3 0/0/0
    t1 1 timeslots 1-24 speed 64
    t1 1 clock source line
    t1 1 framing esf
    t1 1 linecode b8zs

T1 default parameters are clock source line, ESF framing, B8ZS line code, and 64K DS0s. If this is the
desired configuration, the only command necessary is "t1 1 timeslots 1-24".

The first three channels on the T3 may also be output to the connectors on the outside of the card. This is
accomplished by configuring that T1 as external.

    controller t3 0/0/0
    t1 external 1

After the T1 is configured, the router creates a virtual serial interface. This interface does not appear until
the T1 has been created and is identified in the same manner described above. For example, to reference
the serial interface for the first T1, it would be identified as Serial0/0/0:1. This interface may be configured
as any other serial interface.

Loopbacks and tests are initiated from the interface level. The T3 may also be looped back from the
controller configuration. It is important to note that the T1s may NOT be looped from the controller
configuration.

    interface Serial0/0/0:1
    loopback network

The loop is removed by specifying "no loopback network" in the interface configuration.

VII. Add IP Routes and Set a Default Route

Obviously, the internet is not centered around one router. Usually, to get to another system requires
passing through at least one other router (probably several). It is also possible that more than one network
will end up on a single interface. The general form of Cisco's route command is

    ip route <network> <mask> <interface/next-hop> [distance]

The optional trailing number is the administrative distance, not a routing protocol metric: it ranks this
static route against routes to the same network learned from other sources (a static route defaults to 1,
which beats anything learned dynamically). Raising it, for example to 250, turns the static route into a
"floating" backup that is only installed when the dynamic route disappears. In general, you can omit it and
accept the default. The metric used when a static route is advertised into RIP or another protocol is set
within that protocol's configuration, as discussed later.

A default route is simply a route for network 0.0.0.0 with mask 0.0.0.0 ("ip route 0.0.0.0 0.0.0.0
<next-hop>"); the router uses it for any destination not matched by a more specific entry.

Examples:

Add a route for 202.123.100.0 (class C) through 204.203.12.1.

    ip route 202.123.100.0 255.255.255.0 204.203.12.1

Add 122.250.0.0 (class B) to Ethernet0.

    ip route 122.250.0.0 255.255.0.0 Ethernet0
Classless Inter-Domain Routing

With the recent explosion of the internet, dividing addresses into class A, B, C, and D networks is no longer
adequate. Cisco's IOS supports the concept of Classless Inter-Domain Routing, or CIDR entries (often
pronounced "cider"), to allow a given subset of any class of network to be routed at a given destination.
For example, the following entry routes 8 class Cs at the specified router.

    ip route 221.243.240.0 255.255.248.0 128.230.3.1

Note that the only change from the above examples is the different mask. This command uses subnet style
netmasks to aggregate the 8 class C networks 221.243.240.0 through 221.243.247.0 and lists
128.230.3.1 as the next-hop router. Normally, 8 routes would be needed to accomplish what this one
entry has done. The block must be aligned on its own size: a /21 (mask 255.255.248.0) can only begin on a
multiple of 8 in the third octet, so 221.243.242.0 with this mask is not a valid aggregate, and the router would
actually install a route for 221.243.240.0. The goal of CIDR routing is to simplify routing tables and reduce
the size of the internet routing tables, preventing complete collapse when older backbone routers (at
providers such as Sprint, ANS, and Alternet) reach a point where they simply do not have enough memory to
hold the full internet routing tables and cannot operate. Such outages cause major disruption of internet
services worldwide.

One practice often used is subnetting a class C network into blocks of 64 or 32 IP addresses for
customers who don't require the full 254 addresses, in order to avoid wasting large blocks of numbers.
Traditional subnetting allowed you to split a class C into blocks of 4, 8, 16, 32, 64, and 128, but ONLY
one size. Cisco's IOS supports variable length subnetting, however. This allows a class C to be segmented
such that it is possible to have some portions 4 addresses in length, some 32, etc. This permits more
efficient use of addresses by eliminating the need to send 32 addresses to a customer who only intends to
use 6.

One caveat of subnet routing is that the IOS does not normally permit you to use the all-zeros subnet of a
classful network (ie, you can't assign an interface an address in the 8-address subnet 203.102.123.0
255.255.255.248, since its subnet number coincides with the network number of the class C and the router
wants to treat it as the class C itself). This can cause confusion when looking at routing tables. In order to
get around this, Cisco has provided a command to override this behavior:

    ip subnet-zero

Once that has been entered, it will very happily take the subnet-zero address.
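The following Python script is an added example (not part of the original guide) that works through the arithmetic of the two sections above: it aggregates the eight class Cs into one CIDR route, refuses the misaligned 221.243.242.0 / 255.255.248.0 pair that the router would silently re-interpret, and carves one class C into variable-length subnets. The addresses are the guide's own examples or constructed here, and the script uses only Python's standard ipaddress module.

```python
# Added example, not from the original guide: the arithmetic behind CIDR
# aggregation, route alignment and variable-length subnetting, using only
# the standard library's ipaddress module.
import ipaddress
from typing import List

Net = ipaddress.IPv4Network


def aggregate(prefixes: List[str]) -> List[Net]:
    """Collapse prefixes into the fewest covering routes.

    Eight consecutive class Cs starting on a multiple of 8 collapse to
    one /21; a run that is not aligned on its own size cannot be one
    route and comes back as several."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets))


def static_route(network: str, mask: str, next_hop: str) -> str:
    """Build an 'ip route' line, refusing a network/mask pair whose host
    bits are not all zero, since the router would actually install a
    route for a different (aligned) network than the one written."""
    net = ipaddress.ip_network(f"{network}/{mask}", strict=False)
    if str(net.network_address) != network:
        raise ValueError(
            f"{network} {mask} is not on a /{net.prefixlen} boundary; "
            f"the route would be for {net.network_address}")
    return f"ip route {net.network_address} {net.netmask} {next_hop}"


def vlsm_carve(block: str, sizes: List[int]) -> List[Net]:
    """Carve a block into subnets of differing sizes (addresses per
    subnet, powers of two >= 4), allocating largest first so that every
    piece lands on a boundary aligned to its own size."""
    free = [ipaddress.ip_network(block)]
    allocated = []
    for size in sorted(sizes, reverse=True):
        if size < 4 or size & (size - 1):
            raise ValueError(f"{size} is not a power of two >= 4")
        prefix = 32 - (size.bit_length() - 1)
        free.sort(key=lambda n: n.network_address)
        for i, chunk in enumerate(free):
            if chunk.prefixlen <= prefix:
                pieces = list(chunk.subnets(new_prefix=prefix))
                allocated.append(pieces[0])
                free = free[:i] + pieces[1:] + free[i + 1:]
                break
        else:
            raise ValueError(f"no room left for a /{prefix}")
    return allocated


if __name__ == "__main__":
    # The guide's aggregate, written on an aligned boundary.
    print(aggregate([f"221.243.{n}.0/24" for n in range(240, 248)]))
    print(static_route("221.243.240.0", "255.255.248.0", "128.230.3.1"))
    try:
        static_route("221.243.242.0", "255.255.248.0", "128.230.3.1")
    except ValueError as err:
        print("rejected:", err)
    # One class C split for customers needing 60, 30, 6, 2 and 2 hosts.
    for net in vlsm_carve("203.102.123.0/24", [64, 32, 8, 4, 4]):
        print(net, "usable hosts:", net.num_addresses - 2)
```

The first piece handed out by vlsm_carve is 203.102.123.0/26, which is exactly the subnet-zero case discussed above: on a router without "ip subnet-zero" that block would have to be skipped or the command added first.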
VIII. Configure Frame Relay

Configuring Frame Relay is a little more complicated than configuring point to point networks and
therefore involves a few more steps. First is to configure the interface as a Frame Relay link. At the same
time, you need to specify the type of Frame Relay packets carried by this network. Currently, Cisco only
supports IETF and Cisco's own Frame Relay packet types. Since not very many vendors use the Cisco
format, we always specify IETF. The format of this command is as follows.

    interface Serial0/0
    ip address 1.2.3.4 255.255.255.224
    encapsulation frame-relay ietf

Having the wrong LMI type specified can interfere with the operation of the Frame Relay circuit. Cisco
supports LMI types ansi (Annex D), cisco (default), and q933a (Annex A). Most vendors' switches are
capable of auto detecting which LMI type you are using, but not all. Generally, it's safe to leave the default
LMI type set. Should you need to change it, the command is

    frame-relay lmi-type ansi

to specify the ANSI packet format.

Using LMI, the router can obtain information from the switch and other routers with PVCs to this circuit
to build its own DLCI list, or map as it's sometimes called. However, it should be noted that Cisco has
problems talking to some vendors' equipment (most notably Livingston Enterprises). This can result in the
router sensing an active PVC (based on what it's getting from the switch) but not being able to tell what the
address of the router on the other end is. For the sake of robustness, it is generally better to manually
configure the DLCI list. This can make it more difficult to configure the router or make changes in the
Frame Relay network, but can save considerable headaches when initially configuring a circuit or coping with
service disruptions within the Frame Relay network.

The DLCI number assigned to each PVC is provided by the telco and is entered into the router along with
the networking protocol operating over this PVC as well as additional optional information about this
PVC. For example, a remote router transmitting IP with an address of 10.2.3.4 and connected to DLCI 19
would be entered into the "map" as shown below.

    frame-relay map ip 10.2.3.4 19 broadcast ietf

Again, the packet type needs to be specified for this particular PVC and again, we have selected IETF.
The "broadcast" keyword instructs the router to forward broadcast packets over this PVC. This can assist
with broadcast routing protocols, for example. One line is needed for each DLCI configured. You can
check to see the status of the PVC you just set up by entering the command "show frame-relay map" from
the EXEC prompt.

IX. Configure Asynchronous Transfer Mode (ATM)

The structure of ATM draws heavily from X.25 and Frame Relay but is designed to operate at much higher
speeds. Unlike Frame Relay, however, there is a card for the 7000 and 7500 series routers designed
specially to interface with the ATM network. It is also possible to configure ATM over a serial interface
(either FSIP or HSSI) or (on a 4000) an NPM (network processor module), with an external ATM DSU. For
more information on this configuration, refer to chapter 7 of the configuration guide.

Configuring the ATM interface begins with assigning the interface an IP address (as demonstrated earlier
in this document). Like Frame Relay, ATM requires that each host on the network be a part of the same
subnet. The next step is configuring PVCs. There are two parts to doing this. The first is creating the PVC
"map" on the interface. The second is mapping a protocol address to each PVC created. PVCs are
created by assigning a Virtual Circuit Descriptor (VCD) to a given Virtual Path Identifier (VPI) and a
Virtual Channel Identifier (VCI). The VCI for a given link, as with Frame Relay DLCIs, is assigned by the
carrier. The general form of the command to create a PVC on a given interface is

    atm pvc <vcd> <vpi> <vci> <aal-encapsulation> [[<midlow> <midhigh>]
        [<peak> <average> <burst> [oam <seconds>]]]
The VCD is specific to the router and is used by the router to match VPI/VCI pairs, and can be different
from the numbers used to identify the VPI and VCI. It is also necessary to specify an encapsulation for the
ATM packets over this VCI. This is the ATM Adaptation Layer (AAL). The peak and average values
are used to specify the bandwidth at which this PVC will be permitted to connect. When these values are
omitted, the highest possible connection rate is assumed.

Next, it is necessary to map a protocol to each PVC created on an interface. This is accomplished by
creating a map list. Each entry in this list has the form "<protocol> <address> atm-vc <vcd> [broadcast]"
where protocol is IPX, IP, or AppleTalk, for example. The address is the address of the remote
router with respect to the protocol being transmitted over the virtual connection. Note that the map entry
refers to the PVC by its VCD (the first number given to "atm pvc"), not by its VCI.

Once the map is created, it needs to be associated with a given ATM interface using the interface
command "map-group <map name>".

An example configuration might look as follows.

    interface ATM1/0
    ip address 1.2.3.4 255.255.255.224
    ipx network 121
    atm pvc 32 0 3 aal5snap
    atm pvc 33 0 4 aal5snap
    map-group atm-map-1

    map-list atm-map-1
    ip 1.2.3.5 atm-vc 32 broadcast
    ipx 121.0000.0c7e.a45.546 atm-vc 33

There are two principal AAL encapsulations appropriate for use with data. The first, as already shown, is
aal5snap. This encapsulation allows multiple protocols to be routed over a virtual circuit. The second
encapsulation is AAL5MUX. This encapsulation dedicates a single protocol to a virtual circuit. It has
slightly less overhead than AAL5SNAP and can be useful when the network you are attached to has been
configured with a per packet usage charge.

The current default for Cisco's IOS is AAL5SNAP. However, earlier versions of the operating software
specified AAL5NLPID as the default. NLPID is also a multi protocol encapsulation somewhat similar to
SNAP which is often used when running ATM over a serial interface (such as HSSI) where an external
ATM DSU is necessary. This encapsulation is prevalent at exchange points such as Ameritech's NAP
(AADS).

Configuring Access Lists and Network Security

Once the router's interfaces are configured, a moment should be taken to determine if any of these interfaces
connect to "secure" networks. These networks can be those that connect corporate workstations with the rest of
your network or perhaps the rest of the internet. They could also be networks which house servers that provide
specific services to the internet community but which you would like to protect as much as possible. A good
example of such a server is a WWW server or SMTP gateway. The general public needs to be able to view
your web page and send you mail but they do not need to be able to connect interactively to those servers.
Other uses for access control could be in protecting parts of your corporate intranet from other parts of your
company. For example, if you have a Research and Development department, it is unlikely that you'll be giving
your sales staff access to details on top secret projects. Likewise, you don't want your Research and Development
department making some clever modifications to your accounting servers.

The traditional way of protecting such servers is with access lists. Access lists filter Internet traffic and determine
if a packet is permitted to pass into or out of the network. Ideas about how access lists should be designed,
where they should be placed, and how physical networks should be structured to allow proper filtering without
overloading network links and the routers they connect vary considerably. Some corporations choose to invest
in commercial "firewall" products while others implement minimal access controls, if any. Still others will invest
in the hardware necessary to service access lists at two levels (one router that blocks access to itself and the
interior router, and a second, the interior router, that blocks access to itself, is only accessible from inside or
even only from its console, and provides primary access list control. This router generally does nothing else
besides filtering packets and sending them to its default router or a local host.)

Which method you choose depends on your needed level of security, your budget, and the particular application
for which the protection is needed. The decisions that lead to the various scenarios are beyond the scope of this
document, however. This section intends to focus solely on access list design and implementation for the general
case.

Cisco has created two different classes of access lists within its routers. The first, the standard access list, filters
only on source address. If numbered access lists are being used (IOS 11.1 and earlier did not support named
access lists), then these lists would be numbered from 1 to 99. The second type of access list, the extended
access list, is numbered from 100 to 199 and is capable of filtering based on source address, destination address,
protocol, protocol port number, and a myriad of other features not necessarily applicable to general IP traffic.
Entries in a list are tested in the order written, the first match decides, and a packet matching no entry is
dropped by the implicit "deny" at the end of every list.
Once an access list is created, it must be tied to an interIace in order to be used. The interIace conIiguration
considers a Iilter list to be an "access group". The access group can be applied either inbound or outbound with
respect to the interIace. For example:
interface Serial0
 ip access-group 101 in
 ip access-group 10 out
This group of commands specifies that traffic coming into Serial0 must be processed through extended access list number 101 and that outbound traffic must pass through standard access list 10 before leaving the interface.
Standard access lists are configured by specifying a list number, whether a match on this entry will result in traffic being permitted or denied, and the host or network which is being filtered and the mask associated with it (if it is a network or subnet).
access-list 10 permit 234.5.6.12
access-list 10 deny 5.10.10.32 0.0.0.31
access-list 10 permit 5.10.0.0 0.0.255.255
access-list 10 permit 123.234.0.0 0.0.0.255
The above example creates access list 10 and configures 4 entries. The first line permits all traffic with a source IP address of 234.5.6.12. Note that when a host IP address is listed, no mask needs to be associated with it. The second line denies all traffic from the subnet 5.10.10.32/27. One thing to observe about access lists is that
instead of netmasks, they use what Cisco calls "wildcard masks." These masks function very similarly to netmasks with one important difference. Network masks operate from left to right. Wildcard masks operate from right to left. Therefore, when looking at the above configuration line, what the wildcard mask is matching is the 32 addresses that begin at 5.10.10.32. (Since the mask value zero still matches one address, a block of 32 addresses is covered by a mask of 31 rather than 32.)
The remaining two lines permit traffic from 5.10.0.0/16 and 123.234.0.0/24 respectively. At first glance, a newcomer to access lists might think that the only thing being denied by this list is the subnet in the second line and that the permit lines are unnecessary. Access lists, though, are designed to be selectively permissive, not to selectively deny traffic. As a result, an implicit deny exists at the end of this access list. (More properly, anything that does not explicitly match an entry in the access list is dropped.)
There are a couple of other important things to consider when creating access lists. First, order is extremely important. Since access lists function through "short circuit" processing (bail out when a match is found), those entries that are most likely to match traffic should be listed first. IP access list processing is very processor intensive. By listing frequent matches first, processor utilization is kept to a minimum. Note also lines 2 and 3 of the above example. They state, collectively, that all traffic from 5.10.0.0/16 is to be permitted EXCEPT for those hosts in 5.10.10.32/27. If line 2 (the deny statement) were listed AFTER line 3, then the denial would have no effect. The traffic would be permitted as a result of line 3 and those hosts you intended to block would be allowed access. When you create access lists, you should review them very carefully to be certain that no mis-ordering has occurred.
The second thing to watch for when creating access lists is the fact that changes to a cisco router take effect immediately upon entry. Most access lists are not the stagnant, unchanging creatures we would like them to be. From time to time, they will require modification. Modifying an access list means deleting the existing list and recreating it with the appropriate changes. When an interface is configured to reference an access list that does not exist, the traffic will, by default, be permitted through. However, when you create that access list, the implicit denial at the end can result in your configuration session being filtered out. As a matter of policy, it is good practice to remove the reference to the access list from the interface before modifying the access list (via "no ip access-group 123" or whatever access list you intend to reference).
Building extended access lists is somewhat more complicated and requires a few more steps. Since extended access lists filter based on both the source and destination IP address, two parts to each entry are needed. The following is a brief example of an extended access list for IP.
access-list 101 permit tcp any any established
access-list 101 permit tcp any host 204.34.5.25 eq 80
access-list 101 permit ip 203.45.34.0 0.0.0.255 204.34.5.0 0.0.0.255
access-list 101 permit tcp 203.44.32.0 0.0.0.31 204.34.5.0 0.0.0.255 eq telnet
access-list 101 permit tcp any host 204.34.5.10 eq smtp
This access list allows all TCP connections with the established flag, allows any user to get to the host 204.34.5.25, tcp port 80 (which is the http port), allows all IP protocols from 203.45.34.0/24 to reach any host within the 204.34.5.0 class C, allows all hosts within 203.44.32.0/27 to telnet into any host on 204.34.5.0, and allows all hosts to connect to the smtp port on host 204.34.5.10.
A few notes about this access list. The first line is important. It allows all packets which have the TCP established flag set. This means two things. First, all outbound connections will be able to have the return traffic
pass back through the access list. This is important. Since outbound tcp connections come from random ports above 1024, it is not possible to filter explicitly for outbound connections. The established field takes care of that. Second, an inbound TCP connection only needs to have the first packet pass beyond this point in the access list. Once the connection has been opened, the remaining traffic will have the established flag set and will not have to again pass through the entire access list.
The second line also demonstrates that when a single host is used as a source or destination, the address and wildcard mask pair can be replaced with the word "host" followed by the address. It also gives an example of filtering based on a destination port. The third line matches all IP protocols (TCP, UDP, ICMP, etc.: everything that gets encapsulated in an IP packet). The source and destination network number and wildcard mask pairs function the same as in standard access lists. The fourth line shows that, for well known services, the port number can be replaced with the name of the service.
There is one last important thing to consider when creating access lists. Many services depend on other services in order to function. For example, you can't just permit telnet connections without permitting DNS packets to get through as well. You often won't be able to telnet out unless telnet ident requests can come back into your network. If you wish to synchronize the clocks on your computer systems to other systems, you likely need to permit NTP packets (both TCP and UDP) to pass through. For this reason, careful consideration is needed when creating access lists. It is all too easy to overlook one or two key services when creating lists. As network administrators gain experience with access controls, these omissions become more rare, but they still occur with annoying frequency. Access lists should be tested thoroughly once they are in place, both to be certain that necessary traffic is permitted through the list and to be certain that unwanted traffic is not.
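The wildcard-mask, first-match and implicit-deny behaviour described for both standard and extended lists, exercised in Python (an added example, not code from the guide): the parser reads the two lists shown above, and the packets, the mis-ordered list 11 and the helper names (parse_acl, evaluate, pkt) are my own constructions.

```python
"""Evaluator for Cisco-style numbered IP access lists: wildcard masks, first-match processing, implicit deny."""
import ipaddress

SERVICE_PORTS = {"telnet": 23, "smtp": 25, "www": 80}   # service names used on the page
ANY = ("0.0.0.0", "255.255.255.255")                    # 'any': every bit is don't-care

def wildcard_match(addr, base, wildcard):
    """A 1 bit in a wildcard mask is 'don't care': 5.10.10.32 0.0.0.31 covers .32 to .63."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

def _parse_addr(tok):
    """Consume 'any', 'host A.B.C.D', 'A.B.C.D WILDCARD' or a bare host address."""
    if tok[0] == "any":
        return ANY, tok[1:]
    if tok[0] == "host":
        return (tok[1], "0.0.0.0"), tok[2:]
    if len(tok) > 1 and tok[1][0].isdigit():
        return (tok[0], tok[1]), tok[2:]
    return (tok[0], "0.0.0.0"), tok[1:]

def parse_acl(config_text):
    """Parse 'access-list N permit|deny ...' lines into {N: [entries]}, order preserved."""
    acls = {}
    for line in config_text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        number, rest = int(tok[1]), tok[3:]
        e = {"action": tok[2], "proto": "ip", "dst": ANY, "dport": None, "established": False}
        if number > 99:                  # extended list: protocol, source, destination
            e["proto"], rest = rest[0], rest[1:]
            e["src"], rest = _parse_addr(rest)
            e["dst"], rest = _parse_addr(rest)
        else:                            # standard list: source only
            e["src"], rest = _parse_addr(rest)
        while rest:                      # optional 'eq PORT' and 'established'
            opt = rest.pop(0)
            if opt == "eq":
                port = rest.pop(0)
                e["dport"] = SERVICE_PORTS.get(port) or int(port)
            elif opt == "established":
                e["established"] = True
        acls.setdefault(number, []).append(e)
    return acls

def evaluate(entries, pkt):
    """First match wins; returns (action, entry index), index None for the implicit deny."""
    for i, e in enumerate(entries):
        if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
            continue
        if not (wildcard_match(pkt["src"], *e["src"]) and wildcard_match(pkt["dst"], *e["dst"])):
            continue
        if e["dport"] is not None and pkt["dport"] != e["dport"]:
            continue
        # 'established' only tests the ACK/RST bits: a stateless check, not connection tracking.
        if e["established"] and not pkt["ack"]:
            continue
        return e["action"], i
    return "deny", None                  # nothing matched: implicit deny

# Lists 10 and 101 from the text, plus a constructed list 11: list 10 with the deny mis-ordered.
PAGE_ACLS = """\
access-list 10 permit 234.5.6.12
access-list 10 deny 5.10.10.32 0.0.0.31
access-list 10 permit 5.10.0.0 0.0.255.255
access-list 10 permit 123.234.0.0 0.0.0.255
access-list 11 permit 5.10.0.0 0.0.255.255
access-list 11 deny 5.10.10.32 0.0.0.31
access-list 101 permit tcp any any established
access-list 101 permit tcp any host 204.34.5.25 eq 80
access-list 101 permit ip 203.45.34.0 0.0.0.255 204.34.5.0 0.0.0.255
access-list 101 permit tcp 203.44.32.0 0.0.0.31 204.34.5.0 0.0.0.255 eq telnet
access-list 101 permit tcp any host 204.34.5.10 eq smtp
"""

def pkt(src, dst="9.9.9.9", proto="udp", dport=None, ack=False):
    return {"src": src, "dst": dst, "proto": proto, "dport": dport, "ack": ack}

def check_standard():
    acl = parse_acl(PAGE_ACLS)
    return {
        "last_of_the_27": evaluate(acl[10], pkt("5.10.10.63")),     # ('deny', 1)
        "first_past_the_27": evaluate(acl[10], pkt("5.10.10.64")),  # ('permit', 2): the /16 entry
        "no_entry": evaluate(acl[10], pkt("8.8.8.8")),              # ('deny', None)
        "misordered": evaluate(acl[11], pkt("5.10.10.40")),         # ('permit', 0): deny never reached
    }

def check_extended():
    acl = parse_acl(PAGE_ACLS)[101]
    return {
        "return_traffic": evaluate(acl, pkt("8.8.8.8", "204.34.5.77", "tcp", 40000, ack=True)),  # ('permit', 0)
        "telnet_from_27": evaluate(acl, pkt("203.44.32.9", "204.34.5.1", "tcp", 23)),            # ('permit', 3)
        "telnet_from_outside": evaluate(acl, pkt("203.44.32.40", "204.34.5.1", "tcp", 23)),      # ('deny', None)
        "dns_reply": evaluate(acl, pkt("8.8.8.8", "204.34.5.1", "udp", 53001)),                  # ('deny', None): the overlooked service
    }
```

The "misordered" and "dns_reply" results are the two failure modes the text warns about: a deny placed after a broader permit never fires, and a dependent service nobody listed is silently dropped by the implicit deny.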
Configuring Routing Protocols
Routing protocols serve one function: to let nearby routers know how to get to them and the networks they serve. There are two basic types of routing protocols: distance vector protocols and link state protocols.
The simplest protocols are perhaps those that classify as Distance Vector protocols. They base their routing decisions on the number of intermediate routers along a given path. This has the advantage of taking very few resources but has the disadvantage of not considering the bandwidth or the load of the available link. They also suffer limitations when long distances are present. The path may be valid but because of the high metric, the routers decide that the remote host or network is unreachable. In addition, these types of protocols usually broadcast their entire routing tables at preset intervals. This can take quite a bit of time and consume considerable bandwidth. Protocols that fall under this classification are RIP, IGRP, and BGP.
Link State protocols function by maintaining a database of advertisements they have received from other routers, called the link state database. This means that each router is wholly responsible for determining the best path to a given location from its point of view and already has an idea of an alternate path, if any, should the first path become unavailable.
I. Configuring RIP
The Routing Information Protocol (RIP) is perhaps the simplest of routing protocols. It functions by broadcasting its entire routing table to all participating networks once every 60 seconds for IP or once
every 90 seconds for IPX. When a route is heard from a remote router, the metric is increased by one. This number cannot exceed 15. A metric of 16 describes an unreachable network.
The simplicity of this protocol means that there is very little that the router must do each update. This allows the processor to perform other tasks. At the same time, there is no database being maintained. It's all contained in the routing tables. This simplicity, however, requires increased bandwidth as the entire routing table must be sent across the network. In a large network, this can take considerable time. In addition, it is not uncommon for networks to be more than 15 hops apart. This means that end nodes will not be able to contact each other because the metrics surpass the "unreachable" point.
Configuration is a 3 step procedure. First, create a RIP process and determine if any other routing process (such as IGRP or OSPF) is to redistribute its routes into this one. Second, specify which networks will receive RIP broadcasts. Third, configure any non-broadcast neighbors.
A sample configuration might look like
router rip
 redistribute igrp 1000
 network 2.3.4.0
 network 4.5.3.0
 neighbor 4.5.5.2
 neighbor 4.5.5.3
II. Configuring IGRP
The Interior Gateway Routing Protocol (IGRP) is a dynamic distance-vector routing protocol designed by Cisco Systems in the mid-1980s. The advantages of IGRP over RIP include the maximum diameter of the network. Networks over 15 hops are unreachable in a RIP controlled network. IGRP allows up to 100 hops by default and can be set to accept paths as far away as 255 hops.
IGRP uses a combination of user-configurable metrics including internetwork delay, bandwidth, reliability, and load. Unlike RIP, IGRP routes are shared in proportion to their cost to provide equal or unequal cost load balancing with up to 4 paths to a given destination. Equal or unequal cost can be specified with a variance factor. The variance determines how unequal paths can be when performing load balancing. A variance of 1 (the default) specifies load balancing only when all paths are of an equal cost. This behavior can be overridden with the "traffic-share" command. To permit only the path with the lowest cost to be used, specify "traffic-share min". "traffic-share balanced" is the default.
Basic IGRP configuration is very similar to that of RIP. An IGRP routing process must be created on the router and given a list of participating networks. IGRP also accepts an optional Autonomous System number. When running IGRP over a non-broadcast network, systems which will accept updates can be entered individually with the "neighbor" command, as in RIP. An interface included in the range of addresses specified with a network statement that should not participate in IGRP (for example, an interface managed through some other protocol such as OSPF) can be designated passive with the "passive-interface" statement.
Example configuration:
router igrp 1000
 variance 3
 network 203.4.22.0
 network 204.103.24.0
 neighbor 204.103.24.5
 neighbor 204.103.24.6
 neighbor 204.103.24.7
 passive-interface Ethernet4/1
 passive-interface Fddi3/0
III. Configuring Enhanced IGRP
Enhanced IGRP is a redesign by Cisco of IGRP. It is intended to overcome some of the limitations that became apparent when IGRP was put into heavy use. Principally, improvements concentrated on the convergence time. Towards that end, a new convergence algorithm, DUAL (Diffusing Update Algorithm), was introduced. Among the benefits gained by the new algorithm is a guarantee of loop-free routing tables where EIGRP is the controlling protocol. EIGRP also introduces partial updates. This allows fewer routing messages to be exchanged between routers which, in turn, consume less bandwidth, leaving the data path free for user data. Partial updates also allow the receiving router to spend less time recalculating routing tables since routes not included in the update do not have to be recalculated.
Two key features of EIGRP are support for variable-length subnet masks and arbitrary route summarization. This allows for the removal of "classful" routes in favor of CIDR routes, reducing the size of the routing table as a whole and allowing for easier maintenance of routing tables. EIGRP is also capable of automatically summarizing routes into common routes when possible. This feature can be disabled by specifying "no auto-summary" in the EIGRP configuration. Additional summarization can be performed within the router configuration on a per interface basis by placing "ip summary-address eigrp" statements in the interface configuration commands to advertise a specific aggregate as belonging to a given autonomous system as shown below.
interface Ethernet0
 ip summary-address eigrp 1234 201.200.8.0 255.255.224.0
The result of this command is that advertisements of networks within the 201.200.8.0 block are reduced to a single advertisement of the aggregate block. So rather than sending routes for 32 class C networks, as RIP would do, a single advertisement encompassing all 32 networks can be made instead.
Another addition to EIGRP is support for the exchange of hello messages. When an EIGRP process is started, the router will send out hello packets on all participating interfaces using multicast packets when appropriate. Once the router determines which other routers are participating in EIGRP, the process of exchanging updates can begin. This allows routers to quickly determine when new routers are added to the network or when existing routers become unreachable.
Basic configuration of EIGRP does not differ significantly from that of IGRP except that the router configuration command requires an EIGRP process ID instead of the optional autonomous system number.
Like IGRP, EIGRP supports unequal cost load balancing. But because of EIGRP's rapid convergence, enabling this feature is not only desirable from a traffic standpoint; when enabled, the other paths are
already in use, so failover time in the event of a failure is minimal. To ease the transition from IGRP to EIGRP, routes are automatically redistributed between the two protocols.
IV. Configuring OSPF
The Open Shortest Path First (OSPF) Protocol was designed by the IETF as an IGP expressly for use with TCP/IP networks belonging to a single Autonomous System. It is designed as a link state protocol and is scalable to all but the most complex networks.
OSPF operates by forming adjacencies between routers and creating a topological database containing information about the state of all the links in the OSPF network. This information includes weights placed on various interfaces based on the bandwidth of the link and the type of interface, or placed there manually by the network administrator. The cost of an internal path is determined by calculating the sum of the cost of traversing each link in the database. The path with the lowest cost (shortest path) is chosen as the best route. If there are multiple paths with equal cost, OSPF will load balance across up to 4 of these paths.
This database is updated whenever an adjacency is formed or dropped. Because a complete picture of the network is maintained by every router, when an adjacency drops and the corresponding link is no longer available, a new path can quickly be chosen from information the router already has. However, because it must hold a complete copy of the topological database, the memory requirements are quite substantial.
On large networks, the number of links in the database can grow to immense proportions. In these cases, a single link change can have a significant impact on every router in the system. A link that is intermittently available and unavailable can lead to high processor use for all routers, diminishing the performance of the network. OSPF provides a method of segmenting the network into several areas. These areas act as described above and are connected to a "backbone" area (area 0). The area boundary routers, rather than propagating every link state advertisement (LSA) into the backbone, only propagate "summary" advertisements describing the area they are linked to. This summary advertisement describes the entire area database in a single message, thus reducing the computational overhead and memory usage. Dividing the network into areas also reduces the impact of a single router or interface changing states on the rest of the network: only the attached area must recalculate the paths through that router or interface.
Use of stub areas and route summarization between areas can also help to reduce the number of entries in the topological database and reduce the memory and CPU requirements for recalculating paths when changes occur in the network even further. Stub areas do not receive external LSAs (those injected into OSPF via redistribution from another protocol, such as RIP) and do not have to maintain any link state records except those within the stub area.
Routers configured with OSPF discover other OSPF routers by multicasting or unicasting hello packets to all SPF routers (multicast address 224.0.0.5). These hello packets are used to form and maintain adjacencies between routers.
Adjacencies are formed automatically across point to point links. On multiaccess networks such as ethernet, a "Designated Router" (DR) is elected. This router forms adjacencies with all other routers on the multi-access network and is responsible for synchronizing the topological database. In addition, a backup designated router (BDR) is also selected. In the event of a failure which disconnects the DR from the
network, the BDR takes over and a new BDR is elected. This reduces traffic across the network since each router does not have to form an adjacency with every other router. This also reduces the CPU usage on all other routers connected to this network when a router becomes unavailable. Which routers are DR and BDR can be determined with either "show ip ospf neighbors" or "show ip ospf interface <interface>".
OSPF is enabled by creating an OSPF routing process and specifying a process ID. Which networks OSPF operates over is controlled by "network" statements (as in RIP or IGRP). At the same time, these networks are assigned an area number. Neighbors can be hinted at by using the "neighbor" statement. Note that a neighbor does not necessarily form an adjacency. The exec command "show ip ospf neighbor" can be used to determine which routers are viewed as neighbors and the state of the link (whether they are simple neighbors, adjacent neighbors, BDR, or DR). A simple OSPF configuration is shown below.
interface Ethernet0/0
 ip address 1.1.1.1 255.255.255.0
interface Serial1/2
 ip address 1.1.2.1 255.255.255.0
interface Fddi2/0
 ip address 1.1.3.1 255.255.255.0
router ospf 1234
 network 1.1.1.0 0.0.0.255 area 1
 network 1.1.2.0 0.0.0.255 area 2
 network 1.1.3.0 0.0.0.255 area 0
This sequence of commands configures OSPF on the three interfaces listed, assigning Ethernet0/0 to area 1, Serial1/2 to area 2, and Fddi2/0 to the backbone area (area 0). Note that the network statements require a wildcard mask and not a network mask.
OSPF also supports variable length subnetting and route summarization, though it must be configured manually. Summarization takes place between areas and into the OSPF backbone area. Configuration of summary networks is done at area border routers with the "area <area ID> range <network> <network mask>" command. Using route summarization can greatly decrease the size of the topological database and reduce the amount of recalculation that needs to be done when a route becomes inaccessible or other topological changes occur. The backbone area should not be summarized. If all other areas are summarized properly, all the backbone area will contain is summary routes.
Similarly, summarization can be done when another protocol is redistributed into OSPF with a "summary-address <network> <network mask>" command.
V. Configuring BGP
The Border Gateway Protocol (BGP) is another in the family of distance vector protocols. However, unlike most routing protocols, BGP views its paths in terms of Autonomous Systems (ASs). An AS is loosely defined as a collection of routers under common administration. For example, Primenet is one AS, MCI is another, AT&T a third, and so on. Each of these ASs has its own AS number, which is used in the BGP exchange. Primenet's AS number (ASN) is 3549, MCI's is 3561, and so forth.
BGP functions by setting up peering sessions with neighboring routers. An important advantage of BGP over other protocols is the use of TCP to transmit update messages and maintain peering sessions.
Because of this, these sessions are not intended directly to be a measure of the link integrity, but more to provide an idea of the health of the neighboring router. If the router becomes unreachable or stops responding, the peering session will drop and the routes received over that link will be deleted from the BGP tables and other routers subsequently informed.
This loss of connectivity can be caused by the router going down due to a failure or loss of power, a problem with the link the session is transmitting over, or simply congestion which causes BGP information packets to be dropped. With the explosion of the internet over the last several years, routers which experience repeated BGP or EGP neighbor state changes have become more problematic. This is usually caused by the router rebooting multiple times or by an intermittent link. Most recently, a cause of such problems has been routers simply being overwhelmed by update messages and being unable to maintain peering sessions as a result. The term coined to describe this repeated advertisement and deletion of routes is "route flap" or a router "flapping". The result is that neighboring routers (and quite probably routers two or three links downstream) are overwhelmed with these messages and spend all their time recalculating paths. The effect of this is that those routers' services are degraded until stability returns. It can even cause those routers to begin to "flap" as well as the number of updates goes beyond what that router is capable of processing, creating a cascade failure. A great deal of research and development is being done by many companies at a feverish rate to produce routers capable of handling these updates, and many service providers have instituted policies designed to reduce the size of the routing tables to reduce flap or to protect themselves from flap by "dampening" routes that flap repeatedly in a given interval.
A BGP route contains only a few pieces of information. The first is the network that the route describes. Second, the AS path necessary to get to that destination. Third, the origin of the route (External BGP or EBGP, Internal BGP or IBGP, another Interior Gateway Protocol or IGP, or incomplete). Fourth, the router ID of the advertising router, and finally, the BGP next hop address.
BGP provides a simple, yet effective loop detection method. Simply, the AS path of the learned route is checked against the router's own AS number. If this number appears anywhere in the path, the route is unusable and is discarded.
There are also a few weights and metrics associated with a BGP route which are used to aid in the path selection process. The first is literally known as a "weight" and is used only by the router which sets it. This weight is not propagated to other routers. The second is a "local preference" value. This is propagated to all routers belonging to a single AS. The last value available is a "metric" or "Multi Exit Discriminator" (MED). MEDs are advertised to EBGP neighbors and are used to hint at the best path into an AS. The MED is reset when the route is readvertised to a third AS.
The BGP path selection process is straightforward.
1. If the next hop is inaccessible, do not consider it.
2. Consider larger BGP administrative weights first.
3. If the routes have the same weight, consider the route with higher local preference.
4. If the routes have the same local preference, prefer the route that the local router originated.
5. If no route was originated, prefer the shorter autonomous system path.
6. If all paths are of the same autonomous system path length, prefer the lowest origin code (IGP < EGP < INCOMPLETE).
7. If origin codes are the same and all the paths are from the same autonomous system, prefer the path with the lowest Multi Exit Discriminator (MED) metric. A missing metric is treated as zero.
8. If the MEDs are the same, prefer external paths over internal paths.
9. If IGP synchronization is disabled and only internal paths remain, prefer the path through the closest neighbor.
10. Prefer the route with the lowest IP address value for the BGP router ID.
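The selection order above, applied to constructed candidate routes in Python (an added example, not code from the guide): the loop check from the preceding paragraph and the next-hop test run first, then each step in turn until one decides. The attribute names (weight, local_pref, med, external, igp_metric, router_id), the helper names and the sample routes are my own.

```python
"""BGP best-path selection in the order the guide lists, over constructed candidate routes."""
import ipaddress

ORIGIN_RANK = {"IGP": 0, "EGP": 1, "INCOMPLETE": 2}   # lower origin code is preferred
LOCAL_AS = 3549                                       # the ASN the guide's examples use

def usable(route, local_as):
    """Loop check and step 1: a path carrying our own ASN or an inaccessible next hop is never considered."""
    return route["next_hop_reachable"] and local_as not in route["as_path"]

def _steps(a, b, synchronization):
    """Yield (winner, reason) for each step in turn, or None where that step is a tie."""
    def pick(a_better, b_better, reason):
        return ((a if a_better else b), reason) if a_better != b_better else None
    yield pick(a["weight"] > b["weight"], b["weight"] > a["weight"], "weight")
    yield pick(a["local_pref"] > b["local_pref"], b["local_pref"] > a["local_pref"], "local preference")
    yield pick(a["originated"], b["originated"], "locally originated")
    la, lb = len(a["as_path"]), len(b["as_path"])
    yield pick(la < lb, lb < la, "AS path length")
    oa, ob = ORIGIN_RANK[a["origin"]], ORIGIN_RANK[b["origin"]]
    yield pick(oa < ob, ob < oa, "origin code")
    if a["as_path"][:1] == b["as_path"][:1]:           # MED compared only between paths from the same AS
        ma, mb = a["med"] or 0, b["med"] or 0           # a missing MED is treated as zero
        yield pick(ma < mb, mb < ma, "MED")
    yield pick(a["external"], b["external"], "eBGP over iBGP")
    if not synchronization and not (a["external"] or b["external"]):
        yield pick(a["igp_metric"] < b["igp_metric"], b["igp_metric"] < a["igp_metric"], "closest neighbor")
    ra, rb = (int(ipaddress.IPv4Address(r["router_id"])) for r in (a, b))
    yield pick(ra < rb, rb < ra, "lowest router ID")

def select(routes, local_as, synchronization=True):
    """Return (best route, the step that decided it) among the usable candidates."""
    candidates = [r for r in routes if usable(r, local_as)]
    if not candidates:
        return None, "no usable path"
    best, why = candidates[0], "only candidate"
    for other in candidates[1:]:
        decision = next((d for d in _steps(best, other, synchronization) if d), None)
        if decision:                                    # a tie on every step keeps the incumbent
            best, why = decision
    return best, why

def route(name, **attrs):
    """A constructed candidate carrying the attributes the text describes; eBGP-learned by default."""
    r = dict(name=name, next_hop_reachable=True, weight=0, local_pref=100, originated=False,
             as_path=[], origin="IGP", med=None, external=True, igp_metric=0, router_id="0.0.0.1")
    r.update(attrs)
    return r

SAMPLE = [
    route("via-1111", as_path=[1111, 5555], router_id="9.9.9.9"),
    route("via-2222", as_path=[2222, 5555], router_id="2.3.4.5", med=50),
    route("via-2222-b", as_path=[2222, 5555], router_id="2.3.4.6"),       # same neighbouring AS, no MED
    route("looped", as_path=[2222, 3549, 5555], router_id="2.3.4.7"),     # carries our own ASN: discarded
    route("dead-nexthop", as_path=[5555], next_hop_reachable=False),      # shortest path, but unusable
]

def decide(**overrides):
    """Select over SAMPLE after per-route attribute overrides, e.g. a configured neighbor weight."""
    adjusted = [dict(r, **overrides.get(r["name"], {})) for r in SAMPLE]
    best, why = select(adjusted, LOCAL_AS)
    return best["name"], why
```

With no overrides the path through AS 1111 loses on router ID and the two paths through AS 2222 are decided by MED; giving via-1111 a weight of 300, as the weight configuration later in this section does, settles the choice at step 2 before anything else is compared.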
BGP configuration begins by creating a BGP process and listing the router's local ASN. Next, neighbors are listed with their ASNs. A router with the same ASN is identified as an iBGP peer and those with differing ASNs are eBGP peers. The following configuration establishes a BGP process with ASN 3549 and creates an iBGP session with router 1.2.3.4 and an eBGP session to router 2.3.4.5 with AS number 380.
router bgp 3549
 neighbor 1.2.3.4 remote-as 3549
 neighbor 2.3.4.5 remote-as 380
Advertisements of reachable networks can be controlled by redistributing another protocol into BGP or by manually configuring these networks as in the following example.
 network 1.0.0.0
The class A network 1.0.0.0 is placed in the iBGP routing tables and becomes eligible for advertisement to eBGP peers with an origin code of "IGP". In general, this is the preferred method of advertising BGP networks, as redistribution of other protocols into BGP results in the loss of information about those networks learned by the IGP, and mutual redistribution can lead to routing loops.
In the normal case, BGP must synchronize with an IGP. This means that a route learned from an eBGP peer will not be readvertised to another eBGP peer until the IGP has propagated this route to all routers in the local autonomous system. This has the effect of making certain that the route is not used before all routers know about it, which would result in data loss, and serves to stabilize the network somewhat. However, this can slow convergence when routes change and increase the size of the IGP tables. To disable synchronization, use the BGP "no synchronization" command. If redistribution is not used, synchronization must be disabled for BGP to function.
Beginning with BGP version 4, BGP supports CIDR and route summarization. Summarization is enabled by default and can be disabled using the "no summarization" command. Routes are summarized by creating aggregate addresses. This has the effect of advertising a single supernet for multiple related routes when possible in addition to the individual routes. Using the "summary-only" option, these more specific routes can be suppressed.
router A:
router bgp 3549
 neighbor 1.2.3.5 remote-as 3549
 network 1.2.0.0 mask 255.255.0.0
 network 1.3.0.0 mask 255.255.0.0
 network 1.1.8.0 mask 255.255.248.0
router B:
router bgp 3549
 aggregate-address 1.0.0.0 255.0.0.0 summary-only
 neighbor 1.2.3.4 remote-as 3549
 neighbor 2.3.4.5 remote-as 1111
In the preceding example, router A is configured with one iBGP peer and begins advertising 3 subnets of the 1.0.0.0 class A. Router B configures one iBGP neighbor and one eBGP neighbor and summarizes routes learned from router A into a single advertisement which is sent to the eBGP peer.
Often, the closest path to a site may not be the best path, either because of bandwidth limitations or performance problems. The most direct way to prefer one neighbor's routes over another is to simply filter the advertisements to remove the unwanted routes. This can be done based on network prefix or AS path.
router bgp 3549
 neighbor 1.2.3.4 remote-as 1111
 neighbor 1.2.3.4 distribute-list 1 in
 neighbor 2.3.4.5 remote-as 2222
 neighbor 2.3.4.5 filter-list 7 in
access-list 1 deny 10.0.0.0 0.255.255.255
access-list 1 permit any
ip as-path access-list 7 deny _5555$
ip as-path access-list 7 permit .*
The preceding example prevents neighbor 1.2.3.4 from advertising that it can reach the network 10.0.0.0/8 and prevents neighbor 2.3.4.5 from advertising that it can reach any path where ASN 5555 is the last ASN in the path. The as-path regular expressions are documented in the cisco documentation set and follow general regular expression rules. Note that access lists and route maps (as illustrated below) can be applied to either inbound or outbound advertisements.
Filtering advertisements is an easy way to determine how you want your network to route but it has one big drawback: if the primary route is down, the destination simply becomes unreachable. The filter prevents the secondary route from ever appearing in the first place. BGP provides two alternative ways of influencing the path selection process: weights and local preference values.
router bgp 3549
 neighbor 1.2.3.4 remote-as 1111
 neighbor 1.2.3.4 weight 300
 neighbor 2.3.4.5 remote-as 2222
Configuring weights for all of a neighbor's routes requires no more than an additional statement in the BGP
configuration, specifying the weight that should be assigned to these routes. If two neighbors advertise that
they can reach the same network, the path with the higher weight will be selected.
It should be noted that the configured weight is only used by the router that sets it. If you want every
router in your AS to prefer the same path, you can use a "route map" to set a local preference value. This
value will be propagated to every iBGP peer that receives this route. Routes with no local preference set
receive a local preference of 100. Higher local preferences are selected first.
router bgp 3549
 neighbor 1.2.3.4 remote-as 1111
 neighbor 1.2.3.4 route-map set-neigh in
route-map set-neigh permit 10
 set local-preference 200
Route maps allow complex filtering to be performed based on multiple conditions. There can be multiple
statements underneath a route-map to alter a variety of attributes. The routes altered can also be limited
by further filtering the advertisements by using an access-list (prefix or AS path) to "match" a subset of the
routes being processed. It is also possible to apply multiple policies to the same neighbor. These policies
are ordered sequentially according to the number listed after the "permit" or "deny" statement. The
following example illustrates some of these capabilities.
router bgp 3549
 neighbor 1.2.3.4 remote-as 1111
 neighbor 1.2.3.4 route-map local-policy in
 neighbor 1.2.3.4 distribute-list 25 in
route-map local-policy permit 10
 match as-path 1
 set weight 300
route-map local-policy permit 20
 match ip address 20
 set local-preference 125
route-map local-policy permit 30
 set as-path prepend 1111
ip as-path access-list 1 deny _350_
ip as-path access-list 1 permit .*
access-list 20 permit 120.10.0.0 0.0.255.255
access-list 20 deny any
This example also demonstrates that it is possible to alter the AS path oI a given route. By prepending the
appropriate AS number, it is possible to increase the path length oI a BGP route, making it Iurther away.
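The following Python, added here and not from the original guide, models the first three steps of the Cisco best-path decision (highest weight, then highest local preference, then shortest AS_PATH) and runs the weight, local-preference and prepend settings from the preceding examples against two constructed candidate paths for one prefix. The neighbor addresses match the examples; the AS paths are made up.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class BgpPath:
    """One candidate path for a prefix, carrying the attributes this page's
    policies change. weight is local to the router that sets it (default 0);
    local_pref defaults to 100 when no policy sets it."""
    neighbor: str
    as_path: tuple
    weight: int = 0
    local_pref: int = 100

def prepend(path: BgpPath, asn: int, count: int = 1) -> BgpPath:
    """'set as-path prepend <asn>': the path looks longer and so farther away."""
    return BgpPath(path.neighbor, (asn,) * count + path.as_path, path.weight, path.local_pref)

def best_path(candidates):
    """The first decisive steps of the Cisco best-path algorithm: highest weight,
    then highest local preference, then shortest AS_PATH. Later tie-breakers
    (origin, MED, eBGP over iBGP, router ID) are left out of this model."""
    return max(candidates, key=lambda p: (p.weight, p.local_pref, -len(p.as_path)))

# Constructed sample: one prefix heard from the two neighbours used in the examples.
via_1111 = BgpPath("1.2.3.4", (1111, 350, 9))  # three ASNs long
via_2222 = BgpPath("2.3.4.5", (2222, 9))       # two ASNs long

def chosen_by_default() -> str:
    """No policy at all: equal weight and local-pref, so the shorter path wins."""
    return best_path([via_1111, via_2222]).neighbor

def chosen_with_weight() -> str:
    """'neighbor 1.2.3.4 weight 300': beats the shorter path, on this router only."""
    heavy = BgpPath(via_1111.neighbor, via_1111.as_path, weight=300)
    return best_path([heavy, via_2222]).neighbor

def chosen_with_local_pref() -> str:
    """'set local-preference 200' on routes from 1.2.3.4: beats the default 100 and,
    unlike weight, is carried to every iBGP peer that receives the route."""
    preferred = BgpPath(via_1111.neighbor, via_1111.as_path, local_pref=200)
    return best_path([preferred, via_2222]).neighbor

def chosen_after_prepend() -> str:
    """Prepending 2222 twice to the 2222 path makes it four ASNs long, so 1111 wins."""
    return best_path([via_1111, prepend(via_2222, 2222, 2)]).neighbor
```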
One problem with running iBGP is the requirement of BGP for a "full mesh" within the AS (every router
must establish a peering session with every other router). Clearly, this is not possible in all settings and can
create problems when a great many peering sessions must be maintained on a single router. There are
ways to reduce the mesh needed to propagate iBGP routes and simplify the structure of the autonomous
system. The first of these is route reflectors.
Normally, when a route is received from one iBGP speaker, it is not readvertised to another. Route
reflectors provide a way to permit this. Each client's routes are reflected to every other iBGP
router that the server peers with. The clients are configured as normal iBGP speakers. The server simply
designates clients as such.
router bgp 3549
 neighbor 1.2.3.4 remote-as 3549
 neighbor 1.2.3.4 route-reflector-client
 neighbor 1.2.3.5 remote-as 3549
 neighbor 1.2.3.5 route-reflector-client
With such a configuration, peering between 1.2.3.4 and 1.2.3.5 is not necessary since the route reflector
reflects the routes received from each neighbor to the other neighbor.
Another method of reducing the iBGP mesh is to create a confederation, effectively splitting the single AS
into several smaller autonomous systems. These "mini-ASs" must each be fully meshed internally but require only one
connection between themselves and other mini-ASs. Confederations allow the smaller ASs to exchange
routes between themselves as if they were using iBGP (local preference values, MEDs, etc. are all
preserved). To the rest of the world, the confederation appears as a single AS.
router bgp 65501
 bgp confederation identifier 3549
 bgp confederation peers 65502 65503
 neighbor 1.2.3.4 remote-as 65501
 neighbor 1.2.3.5 remote-as 65501
 neighbor 2.3.4.5 remote-as 65502
 neighbor 2.3.4.6 remote-as 65503
 neighbor 2.3.4.6 weight 300
 neighbor 5.5.5.5 remote-as 1050
 neighbor 5.5.5.5 route-map set-preference in
The local router is identified within the confederation as AS 65501 and to non-confederation peers as
ASN 3549. AS 65502 and 65503 are also members of this confederation. iBGP connections are
configured between this router and the routers at 1.2.3.4 and 1.2.3.5. Peering sessions are
established between this router and the confederation members 65502 and 65503. There is also an eBGP
session established with router 5.5.5.5, whose remote ASN is 1050. That peer will see this router as
AS 3549 and will not be aware of 65501, 65502, or 65503. This router sets the local preference for routes from AS
1050 and passes it to every iBGP peer and the rest of the confederation.
VI. Exchanging Routes Between Protocols
It is entirely possible (and often necessary) to exchange routes learned by one protocol into another. An
example of such a case would be where a network cannot be managed by a single protocol due to
software or hardware limitations. Such limitations might be due to a lack of adequate memory in the router
or a router that does not support the desired protocol. It might also be the case that functionality provided
by one protocol is not sufficient in a particular area of the network and another protocol must be left to
manage that section. In order for the rest of the network to know the routes to those other sections and
vice versa, the protocols must exchange routing information.
Assume that a collection of routers only speak RIP but that these routes need to make their way into
EIGRP and the EIGRP routes need to be injected into RIP. Redistribution would occur at the boundary
router and would look similar to the example that follows.
router eigrp 10
 redistribute rip
router rip
 redistribute eigrp 10
! Both processes still need a seed metric for the routes they import (RIP a hop
! count, EIGRP its composite metric); without one the imported routes are not
! usable. The "metric" and "default-metric" examples below supply it.
The routes that one protocol learns are now visible to the other. But assume for a moment that the
network running RIP only needs to default out to the network running EIGRP. In this case, the RIP
network does not need to see the EIGRP routes and the redistribution is only necessary into EIGRP. This
saves memory on the RIP routers, network bandwidth, calculation time, etc. and generally makes things run
cleaner. It also eliminates one problem with the configuration shown above. Once the routes from the RIP
process are distributed into the EIGRP process, they become EIGRP routes and are eligible to be
distributed BACK into the RIP process. This can create routing loops and destroy the connectivity of the
network. When using such mutual redistribution, careful filtering is required to avoid such pitfalls. This
filtering is set by using a route-map along with the redistribution statement.
In this example, the RIP network needs to learn the EIGRP routes and send its routes back. The RIP
network manages routes Ior 10.2.3.0/24 and 10.2.4.0/24. The EIGRP network routes the rest oI the
10.0.0.0/8 network.
router eigrp 10
 redistribute rip route-map rip-in
router rip
 redistribute eigrp 10 route-map eigrp-in
route-map rip-in permit 10
 match ip address 20
route-map eigrp-in permit 10
 match ip address 21
access-list 20 permit 10.2.3.0 0.0.0.255
access-list 20 permit 10.2.4.0 0.0.0.255
access-list 21 deny 10.2.3.0 0.0.0.255
access-list 21 deny 10.2.4.0 0.0.0.255
! every access-list ends with an implicit deny; without the next line list 21
! would match no EIGRP route and nothing would reach the RIP process
access-list 21 permit any
This eIIectively limits the routes seen by the two processes. This is not the only method oI Iiltering,
however. Assuming the same access lists, the Iollowing two conIigurations would also work.
router rip
 redistribute eigrp 10 metric 2
 distribute-list 21 out eigrp 10
router eigrp 10
 redistribute rip
 distribute-list 20 out rip
 default-metric 1000 100 250 100 200
Or
router rip
 redistribute eigrp 10
 distribute-list 21 out eigrp 10
router eigrp 10
 redistribute rip
 distribute-list 20 out rip
! "distribute-list <list> out <protocol>" filters the routes redistributed from
! that protocol; a plain "in" or "out" would instead filter the process's own
! updates. The imported routes still need a metric, as in the first variant.
These two examples accomplish the same end result as the route-map example above. In addition, two
other features are demonstrated. The first is the setting of a metric on the inbound routes. The second is a
default metric used when the metric cannot properly be calculated or when information is missing (as in the
redistribution). This information is specific to the protocol and the command reference guide should be
used to determine which values to use.
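Added example, not from the original guide: the Python below evaluates standard access-lists with Cisco wildcard masks the way the redistribution route-maps above use them, and shows which routes cross into each process, including what the implicit deny at the end of access-list 21 does and how a trailing "permit any" changes it. The two route tables are constructed samples.

```python
import ipaddress

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard masks: a 1 bit means 'don't care', a 0 bit must match."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w) == 0

def standard_acl(entries, network: str) -> bool:
    """Evaluate a numbered standard access-list, given as ordered
    (action, address, wildcard) entries, against a route's network address.
    First match wins; a route matching no entry hits the implicit deny."""
    for action, base, wildcard in entries:
        if wildcard_match(network, base, wildcard):
            return action == "permit"
    return False

def redistribute(routes, acl):
    """'redistribute <proto> route-map X' with X = 'permit 10 / match ip address <acl>':
    only routes the access-list permits cross into the other process."""
    return [r for r in routes if standard_acl(acl, r.split("/")[0])]

ACL_20 = [("permit", "10.2.3.0", "0.0.0.255"), ("permit", "10.2.4.0", "0.0.0.255")]
# List 21 with only its two deny entries, and the same list closed with "permit any".
ACL_21_DENY_ONLY = [("deny", "10.2.3.0", "0.0.0.255"), ("deny", "10.2.4.0", "0.0.0.255")]
ACL_21_WITH_PERMIT_ANY = ACL_21_DENY_ONLY + [("permit", "0.0.0.0", "255.255.255.255")]

# Constructed route tables. RIP carries a prefix it should not own (10.2.5.0/24);
# EIGRP has already learned 10.2.3.0/24 through the redistribution from RIP.
RIP_ROUTES = ["10.2.3.0/24", "10.2.4.0/24", "10.2.5.0/24"]
EIGRP_ROUTES = ["10.1.0.0/16", "10.3.0.0/16", "10.2.3.0/24"]

def into_eigrp():
    """Routes RIP hands to EIGRP through route-map rip-in / access-list 20."""
    return redistribute(RIP_ROUTES, ACL_20)

def into_rip(acl=ACL_21_WITH_PERMIT_ANY):
    """Routes EIGRP hands to RIP through route-map eigrp-in / access-list 21.
    With the deny-only list nothing passes; with permit any, everything except
    RIP's own two networks passes, which is what stops the redistribution loop."""
    return redistribute(EIGRP_ROUTES, acl)
```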
Mail suggestions, corrections, and comments to eb@globalcenter.net