CCIE R&S Advanced.


1 CCIE R&S Advanced

2 Agenda
Day 1 Session 1 CCIE Program Overview
Day 1 Session 2 CCIE Foundation Overview
Day 1 Session 3 Catalyst
Day 1 Session 4 Frame Relay
Day 1 Session 5 IPv6
Day 2 Session 6 RIPv2
Day 2 Session 7 EIGRP
Day 3 Session 8 OSPF
Day 3 Session 9 BGP
Day 4 Session 10 Multicast
Day 4 Session 11 QoS
Day 4 Session 12 Others

3 Housekeeping
Restrooms
Kitchen - soft drinks and snacks available
Cellphones - PLEASE put them on vibrate or turn them off. If you need to take/make a call, please exit the classroom.
Smoking - outside in front of the building

4 CCIE R&S Program Overview
SESSION 1 CCIE R&S Program Overview

5 CCIE R&S Program Overview
CCNA/CCNP Certification (Optional)
CCIE Written Exam
CCBOOTCAMP's R&S Foundation Course
Develop a Study Plan and Timeline to Prepare for the LAB
Review the CCIE Blueprint
Purchase and download recommended reading from Cisco Press and the CCO web site
Purchase LAB workbooks
Purchase and set up a Home Lab
Reserve online rack rentals
Save money or work out a deal with your employer to budget for multiple lab attempts
Schedule a Lab Date commensurate with the Timeline
Study, practice, practice some more, and then study
CCIE Advanced Bootcamp
CCIE Mock LAB Bootcamp

6 CCIE LAB Overview
An 8-hour, hands-on, 100-point lab exam. Candidates must score 80 or above to pass.
Students build a network to supplied specifications on a provided Cisco equipment rack.
Lab questions can be completed in any order, although some questions depend on the completion of previous parts of the exam.
Physical cabling is done. Some of the basic functionality is preconfigured.
Some of the equipment, such as the Backbone routers, cannot be configured by you.

7 Cisco R&S Equipment List
3725 series routers - IOS 12.4 mainline, Advanced Enterprise Services
3825 series routers - IOS 12.4 mainline, Advanced Enterprise Services
Catalyst 3550 series switches running IOS version 12.2, IP Services
Catalyst 3560 series switches running IOS version Advanced IP Services

8 Pre-lab Checklist
Remove the variables, increase your chances, and get your body physically and mentally ready!
Get to the testing city/location at least one day prior to your exam. If your time zone is plus/minus more than six hours different from the time zone of the Cisco office where you are taking your exam, plan on getting there at least two days prior to the exam.
Drive over to the facility where your lab exam will be held. Make sure you know how long it will take you to get to the testing location. Look for a good place to eat breakfast near the facility.
Eat a healthy dinner consisting of protein and complex carbohydrates. Stay away from greasy, fatty, and sugary foods. Also, if you want to eat meat, try to eat chicken or fish (avoid red meat, as it takes your body longer to digest).
Get a good night's rest. Do not stay up the entire night trying to cram or study last-minute materials. Do NOT take any type of sleep aid that could still be in your system the following day.
Wake up at least ninety minutes before your exam start time. Get showered, dressed, and go out for breakfast. At breakfast, eat only healthy foods. No greasy, fatty, or sugary items should be consumed. Eat fruits, vegetables, oatmeal, etc.
Arrive at the facility at least fifteen minutes prior to your exam.

9 CCIE R&S Blueprint
Bridging and Switching
Frame Relay
Catalyst configuration: VLANs, VTP, STP, MSTP, RSTP, Trunks, EtherChannel, management, features, advanced configuration, Layer 3
IP IGP Routing
OSPF
EIGRP
RIPv2
IPv6: Addressing, RIPng, OSPFv3
GRE
ODR
Filtering, redistribution, summarization and other advanced features
BGP
iBGP
eBGP
Filtering, redistribution, summarization, synchronization, attributes and other advanced features

10 CCIE (R&S) Blueprint Cont.
These topics would be covered in the Advanced Boot camp:
QoS
Quality of service solutions
Classification
Congestion management, congestion avoidance
Policing and shaping
Signaling
Link efficiency mechanisms
Modular QoS command line
Security
AAA
Security server protocols
Traffic filtering and firewalls
Access lists
Routing protocol security, Catalyst security
CBAC
Other security features
IP and IOS Features
IP addressing
DHCP
HSRP
IP services
IOS user interfaces
System management
NAT
NTP
SNMP
RMON
Accounting
IP Multicast
PIM, bi-directional PIM
MSDP
Multicast tools, source specific multicast
DVMRP
Anycast

11 CCIE Advanced Bootcamp Overview
SESSION 2 CCIE Advanced Bootcamp Overview

12 Advanced Class Hours - Instructor
Monday 9:00 AM till your head hurts
Tuesday 9:00 AM till your head hurts
Wednesday 9:00 AM till your head hurts
Thursday :00 AM till your head is spinning
Friday 9:00 AM till 3-ish [Mock Lab]
Lunch Break at 1:00 PM to 2:00 PM (60 minutes)

13 CCBOOTCAMP R&S Rack Layout

14 SESSION 3 Switching

15 First Things First (Ping Script)
tclsh
foreach address { } {ping $address}

16 On a switch

17 Things You Should Already Know (not covered)
Interface Commands
VTP
Spanning Tree
SPAN
Storm Control
Protected Ports
802.1X authentication
Trunking
MAC Address expiration
Templates

18 Topics Covered
EtherChannel and Load Balancing
MST spanning tree
Rapid Spanning Tree
Advanced Switch Security
Switch QoS

19 EtherChannel
PAgP can automatically group interfaces with the same speed, duplex, mode, native VLAN, VLAN range, and trunking status and type.
The EtherChannel group looks like a single switch port to Spanning Tree.
PAgP modes: auto, desirable, on
The first port in the channel that comes up provides its MAC address to the EtherChannel.

20 Link Aggregation Control Protocol
LACP is defined in IEEE 802.3ad and enables Cisco switches to manage Ethernet channels between switches.
Similarly configured ports are grouped based on hardware, administrative, and port parameter constraints such as the same speed, duplex mode, native VLAN, VLAN range, and trunking status and type.
A port in the active mode can form an EtherChannel with another port that is in the active or passive mode.
A port in the passive mode cannot form an EtherChannel with another port that is also in the passive mode, because neither port starts LACP negotiation.
Can have 8 active and 8 standby ports per EtherChannel (16).
Note: with the on mode configured manually, both ends of the EtherChannel must have the same configuration. If the group is misconfigured, packet loss or spanning-tree loops can occur.

21 Load Balancing and Forwarding
Reduces part of the binary pattern formed from the addresses in the frame to a numerical value that selects one of the links in the channel. EtherChannel load balancing can use MAC addresses or IP addresses, source or destination addresses, or both source and destination addresses.

22 Source/destination MAC load balancing
The PCs use different ports on sw1.
The router will use different ports to reply to the PCs.

23 Switch Security
MAC Flood Attacks
Port Security
ARP Inspection
MAC ACLs
VACLs
Private VLANs

24 Rapid Spanning Tree Protocol (RSTP)

25 RSTP Port Roles

26 RSTP Port States
RSTP provides rapid convergence of the spanning tree.
Reconfiguration of the spanning tree can occur in less than 1 second (in contrast to 50 seconds with 802.1D).
Only non-edge ports moving to the forwarding state cause a topology change.

27 Rapid PVST

28 802.1s (Multiple Spanning Tree)
MST (IEEE 802.1s) combines the best aspects of both PVST+ and 802.1Q. When you enable MST you enable 802.1w (RSTP).
The idea is that several VLANs can be mapped to a reduced number of spanning tree instances, because most networks do not need more than a few logical topologies. There is no need to run 1000 instances.
If you map half of the 1000 VLANs to a different spanning tree instance, as shown in this diagram, these statements are true:
The desired load balancing scheme can still be achieved, because half of the VLANs follow one separate instance.
The CPU is spared because only two instances are computed.

29 MST Configuration

30 MAC Flood Attacks Affect Transparent Switches
Switches learn and populate the CAM table based on source MAC addresses.
If too many MAC addresses are sent, the table fills and the switch enters fail-open mode: it forwards every frame out every port.
This allows attackers to sniff other clients' unicast traffic.

31 Preventing MAC Flooding with Port Security

32 Port Security - Aging
Static - enables the timer for static entries
Time - <1-1440> aging time in minutes
Type - absolute: absolute aging (default); inactivity: aging based on inactivity time period

33 Mac-address Can manually input the actual Mac address
Also can store dynamically learned Mac addresses with Sticky

34 Maximum The total amount of Mac addresses allowed on a port

35 Violations
The action to take if port security is violated:
protect—When the number of port secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred (no syslog/SNMP).
restrict—When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.
shutdown—The interface is error-disabled when a violation occurs, and the port LED turns off. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.

36 Apply Port Security and Verify
If more than 3 mac-addresses are learned any additional sources will cause the port to be shutdown (error disabled).
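The following Python model is an added illustration, not part of the slides and not Cisco's code. It replays one constructed frame sequence (a port with maximum 3, then a fourth source MAC, then a known host again) through each of the three violation modes so the differences in forwarding, the violation counter, notification and err-disable from the two slides above can be compared directly. All MAC addresses and the event text are constructed.

```python
"""Simplified model of Catalyst port-security violation handling.

Added example, not the slides' or Cisco's code. It models one access port
with `switchport port-security maximum N` and
`switchport port-security violation {protect|restrict|shutdown}`;
the MAC addresses and event strings are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    maximum: int = 1                    # port-security maximum
    violation: str = "shutdown"         # protect | restrict | shutdown
    secure_macs: set = field(default_factory=set)   # static, sticky or dynamic
    errdisabled: bool = False
    violation_count: int = 0
    events: list = field(default_factory=list)      # syslog / SNMP-trap events

    def receive(self, src_mac: str) -> str:
        """Handle one ingress frame; return 'forward', 'drop' or 'errdisable'."""
        src_mac = src_mac.lower()
        if self.errdisabled:
            return "errdisable"          # stays down until errdisable recovery
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)   # learn it (dynamic or sticky)
            return "forward"
        # Secure-MAC table is full and this source is unknown: a violation.
        if self.violation == "protect":
            return "drop"                # silent: no counter, no syslog, no trap
        self.violation_count += 1
        self.events.append(f"violation by {src_mac} (syslog + SNMP trap)")
        if self.violation == "restrict":
            return "drop"                # known hosts keep forwarding
        self.errdisabled = True          # shutdown: the whole port goes err-disabled
        return "errdisable"


def run_scenario(mode: str, maximum: int = 3) -> dict:
    """Replay one constructed frame sequence through a port in `mode`."""
    port = SecurePort(maximum=maximum, violation=mode)
    frames = ["00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03",
              "00:11:22:33:44:04",   # fourth distinct source: violation
              "00:11:22:33:44:01"]   # a previously learned host again
    return {"results": [port.receive(m) for m in frames],
            "violations": port.violation_count,
            "errdisabled": port.errdisabled,
            "notified": bool(port.events)}


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        print(mode, run_scenario(mode))
```

The model makes the operational trade-off visible: protect keeps the legitimate hosts up but gives the operator no signal, restrict does the same while logging and counting, and shutdown takes the whole port (and its legitimate hosts) down until it is recovered.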

37 HSRP and Port Security
HSRP has a virtual MAC address that counts towards the maximum allowed on a port configured for port security.
Options:
switchport port-security maximum 2 (can still cause a violation for a short period of time)
Static MAC address entry for the HSRP virtual MAC address (best choice)
use-bia command on the router's interface: standby use-bia scope interface

38 ARP Spoofing Gratuitous ARP
Detect IP conflicts. When a machine receives an ARP request containing a source IP that matches its own, then it knows there is an IP conflict. They assist in the updating of other machines' ARP tables. They inform switches of the MAC address of the machine on a given switch port, so that the switch knows that it should transmit packets sent to that MAC address on that switch port. Every time an IP interface or link goes up, the driver for that interface will typically send a gratuitous ARP to preload the ARP tables of all other local hosts.

39 ARP DoS
Overloads a switch port with ARP traffic.
The switch can handle an untrusted host connecting to as many as 15 new hosts per second; the rate is checked every 1 second.
If the limit is exceeded, the port changes to error-disabled.

40 IP ARP Inspection
This feature helps prevent malicious attacks on the switch by not relaying invalid ARP requests and responses to other ports in the same VLAN.
How does it work?
DHCP Snooping (recommended in production)
Static ARP access-list (use for lab situations)

41 ARP inspection Cont. Option to change defaults per port

42 IP Source Guard
By watching which IP addresses are assigned by DHCP, a switch can create dynamic ACLs to block all traffic except traffic from DHCP-assigned IP addresses.
Benefits:
Prevents a hacker from spoofing their IP address to launch an anonymous attack.
Prevents users from ignoring DHCP and manually configuring a static IP address.

43 IP Source Guard Configuration

44 DHCP Snooping
Create a DHCP database on flash or TFTP
Enable DHCP Snooping
"The option-82 information contains the switch MAC address (the remote ID suboption) and the port identifier, vlan-mod-port, from which the packet is received (circuit ID suboption). The switch forwards the DHCP request that includes the option-82 field to the DHCP server."
ip dhcp snooping database flash:file01.txt
ip dhcp snooping
ip dhcp snooping information option

45 Show IP DHCP Snooping Bindings
Switch> show ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
01:02:03:04:05: dhcp-snooping 20 GigabitEthernet0/1
00:D0:B7:1B:35:DE dhcp-snooping 20 GigabitEthernet0/2
Total number of bindings: 2
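The binding table above is what both Dynamic ARP Inspection and IP Source Guard consult, and the ARP rate limit from slide 39 protects the inspection engine itself. The Python below is an added example, not the slides' or Cisco's code: it parses a constructed `show ip dhcp snooping binding` listing (the IP addresses, leases and the second MAC are made up), then applies simplified versions of the three checks. Real DAI and IP Source Guard have more options (ARP ACLs, trusted ports, IP-only versus IP+MAC filtering); only the core binding lookup is modelled.

```python
"""DHCP-snooping binding table driving DAI, IP Source Guard and ARP rate limiting.

Added illustration, not from the slides or Cisco IOS. Sample output and all
addresses are constructed; the checks are simplified models of the features.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the layout of `show ip dhcp snooping binding`.
SAMPLE_BINDINGS = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  ------------------
00:D0:B7:1B:35:DE   10.20.0.11       85912       dhcp-snooping  20    GigabitEthernet0/2
00:1A:2B:3C:4D:5E   10.20.0.12       86400       dhcp-snooping  20    GigabitEthernet0/3
Total number of bindings: 2
"""

BINDING_RE = re.compile(
    r"^([0-9A-Fa-f:]{17})\s+(\d{1,3}(?:\.\d{1,3}){3})\s+\d+\s+\S+\s+(\d+)\s+(\S+)")


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str


def parse_bindings(text: str) -> list:
    """One Binding per data row; header, separator and total lines are skipped."""
    bindings = []
    for line in text.splitlines():
        m = BINDING_RE.match(line.strip())
        if m:
            bindings.append(Binding(m.group(1).lower(), m.group(2),
                                    int(m.group(3)), m.group(4)))
    return bindings


def dai_valid(bindings, vlan, sender_ip, sender_mac, trusted=False) -> bool:
    """Dynamic ARP Inspection (simplified): on an untrusted port an ARP packet is
    relayed only if its sender IP/MAC pair is a binding in that VLAN."""
    if trusted:
        return True
    return any(b.vlan == vlan and b.ip == sender_ip and b.mac == sender_mac.lower()
               for b in bindings)


def ipsg_valid(bindings, interface, vlan, src_ip, src_mac, trusted=False) -> bool:
    """IP Source Guard (simplified, IP+MAC filtering): an IP frame on an untrusted
    port is forwarded only from the IP/MAC the binding ties to that port and VLAN."""
    if trusted:
        return True
    return any(b.interface == interface and b.vlan == vlan
               and b.ip == src_ip and b.mac == src_mac.lower() for b in bindings)


class ArpRateLimiter:
    """Per-port ARP rate limit: more than `limit` ARP packets within one
    one-second window on an untrusted port err-disables the port (slides: 15 pps)."""

    def __init__(self, limit=15):
        self.limit = limit
        self.counts = defaultdict(int)      # (interface, whole second) -> packets
        self.errdisabled = set()

    def arp_packet(self, interface, timestamp) -> bool:
        """Record one ARP packet; return False once the port is err-disabled."""
        if interface in self.errdisabled:
            return False
        key = (interface, int(timestamp))
        self.counts[key] += 1
        if self.counts[key] > self.limit:
            self.errdisabled.add(interface)
            return False
        return True
```

The two lookups differ on purpose: DAI matches sender IP/MAC within the VLAN, which is enough to reject a host answering ARP for the gateway's address, while IP Source Guard also pins the pair to the ingress port, which is what stops a statically configured address that never went through DHCP.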

46 MAC Address Access-list
You can configure a MAC address ACL using either of the following: the 48-bit MAC address access-list, or the extended version of the 48-bit MAC address access-list.
To filter using the MAC address access-list, first you would define your access-list. Say that you wanted to allow only a host with a given MAC address to access the Ethernet0/0 interface. You would define the access-list like this:
Router(config)# access-list 700 permit
You can use these same methods to filter by "vendor code". All companies who create Ethernet devices are designated a block of MAC addresses, and all of these blocks begin with a specific string. This prefix for each vendor is known as the "vendor code".

47 Protocol Type-Code Access-Lists (ACL)
Used for non-IP traffic
Inbound only

48 MAC ACLs Cont.

49 Vlan ACLs (VACLs)

50 Private VLANs
The private-VLAN feature addresses two problems that service providers face when using VLANs:
Scalability: the switch supports up to 1005 active VLANs. If a service provider assigns one VLAN per customer, this limits the number of customers the service provider can support.
To enable IP routing, each VLAN is assigned a subnet address space or a block of addresses, which can result in wasting the unused IP addresses and cause IP address management problems.

51 Primary to Secondary VLAN
There are two types of secondary VLANs:
Isolated VLANs—Ports within an isolated VLAN cannot communicate with each other at the Layer 2 level.
Community VLANs—Ports within a community VLAN can communicate with each other but cannot communicate with ports in other communities at the Layer 2 level.

52 Private VLAN Access Ports
Private VLANs provide Layer 2 isolation between ports within the same private VLAN. Private-VLAN ports are access ports that are one of these types:
Promiscuous—A promiscuous port belongs to the primary VLAN and can communicate with all interfaces, including the community and isolated host ports that belong to the secondary VLANs associated with the primary VLAN. (Default Gateway)
Isolated—An isolated port is a host port that belongs to an isolated secondary VLAN. It has complete Layer 2 separation from other ports within the same private VLAN, except for the promiscuous ports.
Community—A community port is a host port that belongs to a community secondary VLAN. Community ports communicate with other ports in the same community VLAN and with promiscuous ports.
Note: trunk ports carry traffic from regular VLANs and also from primary, isolated, and community VLANs.

53 Issues with VTP V3 and Private VLANs
Private VLANs need VTPv3.
If configuring on a 3550 or 3560, set VTP to transparent.

54 Private VLAN Compatibility
Do not configure private-VLAN ports on interfaces configured for these other features:
– dynamic-access port VLAN membership
– Dynamic Trunking Protocol (DTP)
– Port Aggregation Protocol (PAgP)
– Link Aggregation Control Protocol (LACP)
– Multicast VLAN Registration (MVR)
– voice VLAN
– Web Cache Communication Protocol (WCCP)

55 Private VLAN configuration

56 Show private Vlans

57 Promiscuous Port / Default Gateway
Primary Secondary

58 Applying a Community to interfaces

59 3560 QoS Considerations
Uses shaped round robin (SRR)
Q1 can be configured as a priority queue
Queues can operate in shaped or shared modes
Each interface can be assigned to one of two queue-sets
4 queues egress, 2 queues ingress
Congestion avoidance algorithm is Weighted Tail Drop (WTD)
Note: the 3550 only has egress queues, and queue 4 is the priority queue by default

60 Weighted Tail Drop
Queue size is 1000 frames.
Three drop percentages are configured: 40 percent (400 frames), 60 percent (600 frames), and 100 percent (1000 frames).
Up to 400 frames can be queued at the 40-percent threshold, up to 600 frames at the 60-percent threshold, and up to 1000 frames at the 100-percent threshold.
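The following Python model is an added example, not the slides' or Cisco's code. It implements the slide's numbers (a 1000-frame queue with thresholds at 40, 60 and 100 percent) and offers a constructed, evenly mixed traffic load with no dequeuing, so it shows which traffic class WTD sacrifices first as the queue fills and how much of each class survives at full congestion.

```python
"""Weighted Tail Drop (WTD) on one queue, as an added model.

Not the slides' or Cisco's code: it reproduces the slide's figures (queue of
1000 frames, thresholds at 40 %, 60 % and 100 %). The traffic mix is constructed.
"""


class WtdQueue:
    """One queue whose frames are mapped to threshold 1, 2 or 3 by their CoS/DSCP."""

    def __init__(self, size=1000, thresholds=(40, 60, 100)):
        self.size = size
        # Threshold id -> queue depth at which frames of that class start to be dropped.
        self.limits = {i + 1: size * pct // 100 for i, pct in enumerate(thresholds)}
        self.depth = 0
        self.accepted = {i + 1: 0 for i in range(len(thresholds))}
        self.dropped = {i + 1: 0 for i in range(len(thresholds))}

    def enqueue(self, threshold_id: int) -> bool:
        """Tail-drop the frame if the queue already holds its class's limit."""
        if self.depth >= self.limits[threshold_id]:
            self.dropped[threshold_id] += 1
            return False
        self.depth += 1
        self.accepted[threshold_id] += 1
        return True

    def dequeue(self, n=1) -> None:
        """Scheduler side: draining frames frees room for every class again."""
        self.depth = max(0, self.depth - n)


def fill_under_congestion(total_frames=2000) -> dict:
    """Offer frames round-robin over thresholds 1, 2, 3 with no dequeue at all."""
    q = WtdQueue()
    for i in range(total_frames):
        q.enqueue(i % 3 + 1)
    return {"depth": q.depth, "accepted": dict(q.accepted), "dropped": dict(q.dropped)}


if __name__ == "__main__":
    print(fill_under_congestion())
```

With nothing leaving the queue, the class mapped to the 40 percent threshold stops being admitted at 400 frames, the 60 percent class at 600, and only the class on the 100 percent threshold keeps filling the queue to 1000; that ordering is the whole point of mapping low-priority DSCP values to the lowest threshold.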

61 SRR Shaping and Sharing
Both the ingress and egress queues are serviced by Shaped Round Robin (SRR) SRR controls the rate at which packets are sent. On the ingress queues, SRR sends packets to the internal ring. On the egress queues, SRR sends packets to the egress port.

62 Input Queue
(Figure: bandwidth weight for queue 1 and queue 2, and DSCP values mapped by queue id)

63 Output Queue
(Figure: per queue-set id and queue id, the drop threshold, reserved threshold, maximum threshold and buffer percentage for queues 1 to 4)

64 SRR applied

65 Frame Relay
Interfaces
Inverse ARP
Mesh
Hub and spoke
Point-to-point
Combination issues
Advanced Frame Relay and PPP

66 Frame-Relay Interface Configuration

67 Inverse ARP

68 Static Mappings

69 Sub Interfaces

70 Point-to-Multipoint Sub interface

71 Point-to-point Sub Interface

72 Mesh Topology

73 Full Mesh Frame Relay Requirements: Physical Interface with Inverse ARP
NO frame-relay maps required
NO inverse-arp allowed
A PVC/FR map configured between each pair of routers
Total PVCs = k(k-1)/2, where k = number of routers
3 routers need 6 DLCIs
All routers are on the same subnet
All routers are using the physical interface
Can support broadcast or NBMA

74 Full Mesh Frame Relay Point-to-Multipoint Sub
In a Frame Relay mesh multipoint configuration the following must be true before two routers can communicate:
The destination IP address must be in the routing table.
There must be a frame-relay map for the destination IP address.
The destination IP address can be any IP address, including yours (you need a map statement to ping your own interface).

75 Hub and Spoke Topology

76 Frame Relay Hub and Spoke
Requirements
With physical interfaces and inverse-arp:
No map statements needed on spokes
Map statements needed on hub to all spokes
With physical interfaces and no inverse-arp:
Map statements needed on hub to each spoke and one map from the spoke to hub
Enable broadcasts over the NBMA if required for routing protocol or multicast
All routers are on a common subnet

77 Example Configuration from the HUB router
On r1lab:
int S0/0/0
ip address
encapsulation frame
frame-relay map ip broadcast
frame-relay map ip broadcast
frame-relay map ip broadcast
no frame-relay inverse-arp
no shut
To prevent inverse-arp, wait until all routers have been configured for FR before un-shutting the interfaces.

78 Frame Relay Hub and Spoke Point-to-Multipoint
Inverse ARP not recommended; should be disabled
Need FR map statements configured on the sub-interface to each hub
Need FR map statements from each spoke to the hub
Enable broadcasts over the NBMA if required for routing protocol or multicast
All routers are on a common subnet
Still need a map statement to ping your own interface

79 Frame Relay Point-to-Point
Requirements
Uses sub-interfaces
A separate L3 subnet for each pair of routers
Works the same with or without Inverse ARP
Note: if the routers are configured in a point-to-point manner they will NOT generate inverse-arp requests; however, if they receive a request, they will respond. Useful for combinations of one end on a p2p sub-interface and the other on the physical interface.

80 Troubleshoot Frame Relay
show interface
show controllers serial
show frame-relay lmi
show frame-relay pvc
show frame-relay map
debug frame-relay lmi

81 PPP 2-way authentication (PAP and Chap)

82 Debug PPP authentication

83 PAP/CHAP configuration

84 FREEK (Frame Relay End-to-End Keepalives)
There are four modes that determine the type of keepalive traffic each device sends and responds to:
In bidirectional mode, the device will send keepalive requests to the other end of the VC and will respond to keepalive requests from the other end of the VC.
In request mode, the device will send keepalive requests to the other end of the VC.
In reply mode, the device will respond to keepalive requests from the other end of the VC.
In passive-reply mode, the device will respond to keepalive requests from the other end of the VC, but will not track errors or successes.

85 Configuring FREEK For example, could require 3 in a row

86 Objectives
IPv6 Addressing
IPv6 Address Scopes
Enabling IPv6
RIPng
EIGRP for IPv6
OSPFv3
OSPFv3 over NBMA
IPv6 over IPv4

87 Things not covered
IPv6 Neighbor Discovery
Duplicate Address Detection
Solicited Node
Stateless Auto-configuration
DHCPv6
DNSv6

88 Larger Address Space
IPv4: 32 bits or 4 bytes long; 4,200,000,000 possible addressable nodes
IPv6: 128 bits or 16 bytes, four times the bits of IPv4; 3.4 * 10^36 possible addressable nodes (340,282,366,920,938,463,374,607,432,768,211,456, about 340 undecillion); roughly 5 * 10^28 addresses

89 IPv6 Addressing
IPv6 addresses are 128 bits long.
Consecutive zeroes can be eliminated (::): 2001:0:0:A1::1E2A/64
2001:0:0:A1 is the network portion
The interface portion is 0:0:0:1E2A or ::1E2A

90 IPV6 Address Scopes Link-local Scope Unique-local Scope Global Scope

91 Link-local
(Figure: 128 bits = FE80::/10 prefix, 10 bits, followed by the 64-bit Interface ID)
Identifies all hosts within a single Layer 2 domain
Unicast addresses within this scope are called link-local addresses
They are assigned by default when IPv6 is enabled on an interface
Network address is always FE80::/10
Host portion derived from the MAC address (Modified EUI-64)
Can be manually added too: R3(config-if)#ipv6 address FE80::3 link-local
Independent of the global addressing scheme
Cannot be routed

92 IPv6 Address Configuration (Cont.)
LAN: 3ffe:b00:c18:1::/64 on Ethernet0
ipv6 unicast-routing
interface Ethernet0
ipv6 address 3ffe:b00:c18:1::/64 eui-64
MAC address: e
router# show ipv6 interface Ethernet0
Ethernet0 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::160:3EFF:FE47:1530
Global unicast address(es):
3FFE:B00:C18:1:160:3EFF:FE47:1530, subnet is 3FFE:B00:C18:1::/64
Joined group address(es):
FF02::1:FF47:1530
FF02::1
FF02::2
MTU is 1500 bytes
The IPv6 address can be completely specified, or the host identifier (rightmost 64 bits) can be computed from the EUI-64 identifier of the interface. In the example, the IPv6 address of the interface is configured using the EUI-64 format.
The configuration of the IPv6 address on an interface automatically configures the link-local address for that interface. Also, the interface automatically joins the required multicast groups for that link:
Solicited node multicast address FF02::1:FF47:1530
All hosts on the link multicast address FF02::1
All routers on the link multicast address FF02::2
The solicited node multicast address is used in the duplicate address detection algorithm and neighbor discovery. A solicited node multicast address is joined for each IPv6 unicast address configured on the link.

93 Unique-local
(Figure: 128 bits = FEC0::/10 prefix, 10 bits, a 16-bit Subnet ID, and the 64-bit Interface ID)
Previously referred to as site local
Identifies all devices within an administrative domain containing multiple distinct links
Unicast addresses within this scope are called unique-local addresses
Have a scope limited to the site
Network address is always FEC0::/10
16 bits in the network address identify the subnet
Host portion derived from the MAC address (Modified EUI-64)

94 Global Unicast Addresses
(Figure: Provider / Site / Interface; Global Routing Prefix, usually given as a /48, Subnet ID, and 64-bit Interface ID)
Global unicast addresses are:
Addresses for generic use of IPv6
Identify all devices reachable across the Internet
Unicast addresses within this scope are called global unicast addresses
Have to be globally unique and routable
Addresses reserved for global scope: 2000::/3
Can have a variable subnet portion
Last 64 bits are for the interface identifier
The Global Unicast Addresses correspond to the principal use of IPv6 addresses for generic IPv6 traffic and consume the most important part of the address space. The structure of a global unicast address is as follows: a global routing prefix, typically assigned to a site; a subnet ID used to identify links within a site; and a 64-bit interface ID to identify the interface of the node.
Note that the 64-bit interface ID is defined for global unicast addresses other than those that start with binary 000. The unicast addresses that start with binary 000 are the special purpose addresses that will be discussed later in this lesson.
An example of global addresses can be found in RFC2374, "An Aggregatable Global Unicast Address Format". The structure proposed in this document enables strict aggregation of routing prefixes in order to limit the number of routing table entries in the global routing table. We will see in a later module that IANA allocates IPv6 global unicast address space from the range of addresses that start with binary value 001 (2000::/3).

95 Unspecified and Loopback Addresses
Unspecified address: 0:0:0:0:0:0:0:0
Used as a placeholder when no address is available (initial DHCP request, DAD)
Loopback address: 0:0:0:0:0:0:0:1
Same as in IPv4; identifies self
The unspecified address is only used on the network for special purposes. It is a placeholder when no address is available. For example, the unspecified address is used when a host requests an address from a DHCP server or when the duplicate address detection packet is sent. The unspecified address is "0:0:0:0:0:0:0:0" or simply "::".
The loopback address identifies the local interface in the IP stack. It is the same as the loopback address in IPv4. The address is "0:0:0:0:0:0:0:1" or simply "::1".

96 IPv4-Mapped Addresses
(Figure: 80 bits of zeros, 16 bits of FFFF, 32-bit IPv4 address)
0:0:0:0:0:FFFF:<IPv4> = ::FFFF:<IPv4> = ::FFFF:C0A8:1E01
IPv4-mapped addresses are IPv6 addresses that represent an IPv4 address. On a dual-stack node (a node that supports both IPv6 and IPv4), an IPv6 application sending traffic to a destination represented by an IPv4-mapped IPv6 address will send IPv4 packets to that destination. In most cases, the IPv4-mapped addresses are used inside the dual-stack node API. RFC2765 "Stateless IP/ICMP Translation Algorithm (SIIT)" specifies a transition mechanism where IPv4-mapped addresses are used in IPv6 packets.
IPv4-mapped addresses: used to represent the addresses of IPv4 nodes as IPv6 addresses

97 IPv4-Compatible Addresses
(Figure: 80 bits of zeros, 16 bits of 0000, 32-bit IPv4 address)
0:0:0:0:0:0:<IPv4> = ::<IPv4> = ::C0A8:1E01
IPv4-compatible addresses are IPv6 addresses with 96 zeros at the left. The rightmost 32 bits are the embedded IPv4 address; the 32 bits of the IPv4 address are the rightmost 32 bits of the IPv6 address. In text form, one can use the decimal version of the IPv4 address as an easy way to write the address, but in reality it is still the binary 32 bits.
IPv4-compatible addresses are used to create automatic tunneling. When an IPv6 node wants to send an IPv6 packet to another IPv6 node and the network between them is IPv4, the sender can use the IPv4-compatible address. This will automatically create an IPv6 over IPv4 tunnel to the destination, using the IPv4 address of the destination inside the destination IPv6 address. The sending and receiving nodes must be dual-stacked (support both IPv6 and IPv4).
This way of doing tunnels looks easy but has scalability problems. Its use is deprecated in favour of more robust transition and integration mechanisms.
IPv4-compatible addresses: refer to an IPv4/IPv6 node that supports automatic tunneling

98 Enabling IPv6
ipv6 unicast-routing (global config mode)
ipv6 address 2001:200:1:1::1/64 (interface mode)
Link-local addresses are generated by default, or use manual configuration

99 RIPng
Neighbors need not be on the same global subnet, since they are on the same link-local subnet; hence a router has to advertise its own prefix for the link out that interface.
In addition to the frame-relay map ipv6 ... broadcast to the global address, you also need a map to the link-local address.
RIP messages are sent to the all-RIP-routers link-local multicast address FF02::9/128.
RIPng uses the authentication headers present in IPv6 for authentication purposes.

100 RIPng Configuration
ipv6 rip abc enable (interface mode)
show ipv6 protocol
show ipv6 rip
show ipv6 rip database

101 OSPFv3
Basic mechanisms such as flooding, DR election, areas and SPF calculations remain the same.
Additionally, link LSAs announce link-local addresses and a list of IPv6 prefixes to associate with the link.
Intra-area prefix LSAs carry all IPv6 prefixes to all OSPFv3 routers within an area (correspond to router and network LSAs in IPv4).
Inter-area prefix LSA 0x2003 replaces the summary or type 3 LSA.
Inter-area router LSA 0x2004 replaces the type 4 LSA.
OSPFv3 runs on a link basis rather than on a subnet basis as in OSPFv2.
Authentication removed from OSPF; relies on IPv6 authentication.

102 LSA Type Review
LSA / Function Code / LSA type
Router-LSA / 1 / 0x2001
Network-LSA / 2 / 0x2002
Inter-Area-Prefix-LSA / 3 / 0x2003
Inter-Area-Router-LSA / 4 / 0x2004
AS-External-LSA / 5 / 0x4005
Group-membership-LSA / 6 / 0x2006
Type-7-LSA / 7 / 0x2007
Link-LSA / 8 / 0x0008
Intra-Area-Prefix-LSA / 9 / 0x2009

103 OSPFv3 Configuration
ipv6 ospf 100 area 0 (interface mode)
In the case of an IPv6-only router, configure a 32-bit router-id under ipv6 router ospf 100
Summaries can be configured under ipv6 router ospf 100 using the command area 1 range 2001::/48
show ipv6 ospf
show ipv6 ospf neighbor

104 OSPFv3 over NBMA
OSPFv3 over NBMA is very similar to OSPF over NBMA.
The hub interface priority has to be increased to make it the DR.
The spokes should be configured with a priority of 0 so that they never participate in the DR election.

105 OSPFv3 over NBMA
Moreover, neighbors have to be specified.
The address for the neighbor has to be the link-local address.
Neighbors have to be specified only on the hub, not on the spokes.
Frame-relay maps have to be configured pointing to the neighbor's link-local address on both hub and spokes, as well as the global addresses (if configured).
sh ipv6 int s0/1/0 displays the link-local address.

106 OSPFv3 over NBMA Hub
interface Serial0/1/0
ipv6 ospf priority 100
ipv6 ospf neighbor FE80::20A:B8FF:FE6B:A478
ipv6 ospf neighbor FE80::20A:B8FF:FE2C:7DC8
ipv6 ospf 10 area 0
frame-relay map ipv6 FE80::20A:B8FF:FE6B:A
frame-relay map ipv6 FE80::20A:B8FF:FE2C:7DC8 105

107 OSPFv3 over NBMA Spoke
interface Serial0/1/0
ipv6 ospf priority 0
ipv6 ospf 10 area 0
frame-relay map ipv6 FE80::217:95FF:FE27:B
frame-relay map ipv6 FE80::20A:B8FF:FE2C:7DC8 601

108 IPv6 over IPv4
IPv6 can be tunneled over IPv4.
The tunnel mode is GRE by default and can be changed to ipv6ip.
The tunnel itself needs an IPv6 address.
The tunnel source and destination will be IPv4 addresses.
A routing protocol can be enabled on the tunnel interface.
interface Tunnel0
no ip address
ipv6 address 2002:100:24:1::2/64
ipv6 ospf 100 area 0
tunnel source
tunnel destination

109 ISATAP
ISATAP is an IETF transition mechanism that allows IPv6 networks to connect over IPv4 networks. Even though it is still a draft and has not yet been standardized, it is a better solution than the 6to4 tunnel mechanism.
ISATAP works like 6to4 tunnels, with one major difference: it uses a special IPv6 address on the edge routers. This special IPv6 address is formed as follows: the network portion can be any IPv6 prefix; the host portion starts with "0000.5EFE", and the rest of the host portion is the tunnel's source IPv4 address translated into hex. This translation is performed automatically.
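The address forms covered on the IPv6 slides (zero compression and the /64 network/interface split on slide 89, the modified EUI-64 link-local and solicited-node group on slides 91 and 92, and the IPv4-mapped, IPv4-compatible and ISATAP forms on slides 96, 97 and 109) can all be computed with the Python standard library. The block below is an added example, not the slides' or Cisco's code; the MAC address, prefixes and IPv4 addresses it uses are constructed, and the classifier goes slightly beyond the slides by recognising all three IPv4-embedded forms in one function.

```python
"""IPv6 address forms from the IPv6 slides, computed with the standard library.

Added example, not the slides' or Cisco's code. Sample MAC, prefixes and IPv4
addresses are constructed.
"""
import ipaddress


def _mac_bytes(mac: str) -> bytes:
    """Accept 00:0a:b8:6b:a4:78, 00-0a-b8-6b-a4-78 or Cisco's 000a.b86b.a478."""
    digits = "".join(c for c in mac if c.isalnum())
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return bytes.fromhex(digits)


def modified_eui64(mac: str) -> bytes:
    """Insert FF:FE between OUI and device part, then flip the U/L bit (0x02)."""
    m = _mac_bytes(mac)
    iid = bytearray(m[:3] + b"\xff\xfe" + m[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def link_local(mac: str) -> ipaddress.IPv6Address:
    """FE80::/10 (written as FE80::/64) + modified EUI-64 interface ID."""
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + modified_eui64(mac))


def eui64_global(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """What `ipv6 address <prefix>/64 eui-64` yields for this MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("eui-64 needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + modified_eui64(mac))


def solicited_node(addr) -> ipaddress.IPv6Address:
    """FF02::1:FFxx:xxxx built from the low 24 bits of a unicast address."""
    low24 = ipaddress.IPv6Address(addr).packed[13:]
    return ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + low24)


def split_64(addr_with_len: str) -> tuple:
    """Network portion and interface portion of a /64, both zero-compressed."""
    iface = ipaddress.IPv6Interface(addr_with_len)
    iid = int(iface.ip) & ((1 << 64) - 1)
    return str(iface.network.network_address), str(ipaddress.IPv6Address(iid))


def ipv4_mapped(v4: str) -> ipaddress.IPv6Address:
    """::FFFF:a.b.c.d, an IPv4 node's address in IPv6 form."""
    return ipaddress.IPv6Address((0xFFFF << 32) | int(ipaddress.IPv4Address(v4)))


def ipv4_compatible(v4: str) -> ipaddress.IPv6Address:
    """::a.b.c.d, 96 zero bits then the IPv4 address (deprecated auto-tunnel form)."""
    return ipaddress.IPv6Address(int(ipaddress.IPv4Address(v4)))


def isatap_address(prefix: str, tunnel_src_v4: str) -> ipaddress.IPv6Address:
    """<prefix>::0:5EFE:a.b.c.d, interface ID 0000:5EFE + the tunnel's IPv4 source."""
    net = ipaddress.IPv6Network(prefix)
    iid = (0x00005EFE << 32) | int(ipaddress.IPv4Address(tunnel_src_v4))
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def embedded_ipv4(addr) -> tuple:
    """Classify an address as ipv4-mapped / ipv4-compatible / isatap / other
    and return the embedded IPv4 address when there is one."""
    n = int(ipaddress.IPv6Address(addr))
    v4 = ipaddress.IPv4Address(n & 0xFFFFFFFF)
    if n >> 32 == 0xFFFF:
        return "ipv4-mapped", v4
    if n >> 32 == 0 and n > 1:                      # exclude :: and ::1
        return "ipv4-compatible", v4
    if (n >> 32) & 0xFDFFFFFF == 0x00005EFE:        # 0000:5EFE or 0200:5EFE (U bit)
        return "isatap", v4
    return "other", None


if __name__ == "__main__":
    mac = "00:0A:B8:6B:A4:78"                        # constructed MAC
    print(link_local(mac), solicited_node(link_local(mac)))
    print(eui64_global("3ffe:b00:c18:1::/64", mac))
    print(split_64("2001:0:0:A1::1E2A/64"))
    print(isatap_address("2001:db8:1::/64", "10.1.1.1"))
```

Running it shows that the link-local address produced from the constructed MAC is the same form as the neighbor addresses on the OSPFv3 NBMA slides, and that the solicited-node group differs from the unicast address only in its last 24 bits, which is why one group serves every address with the same low bits.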

110 ISATAP cont.

111 End of Day 1 Lecture

112 SESSION 6 RIPv2

113 RIPv2 Outline
Updates
Optimize
Filtering
Summary
Authentication
Default Routes
Advanced

114 Classless Routing (RIPv2)
The version 2 extensions provide the following enhancements to RIP:
Subnet masking information is now included in routing updates, allowing RIP to handle VLSM addressing
A next-hop address is carried with each route entry
External route tags can be used
Multicast routing updates
Support for MD5 authentication

115 Split Horizon
Never advertise a network on the interface from which it was learned

116 Poison Reverse
Once you learn of a route through an interface, advertise it as unreachable back through the same interface

117 Timers
- Update: rate (time in seconds, default 30) at which routing updates are sent
- Invalid: interval of time (in seconds, default 180) after which a route is declared invalid
- Hold (holddown): interval (in seconds, default 180) during which routing information regarding better paths is suppressed
- Flush: amount of time (in seconds, default 240) that must pass before a route is removed from the routing table

118 Optimize

119 Obscure Topics
- Offset list: increases the value of routing metrics
 r1lab(config)# access-list 1 permit
 r1lab(config)# router rip
 r1lab(config-router)# offset-list 1 in 3
- Source IP address validation: by default the source IP address of incoming RIP routing updates is validated; this can be disabled for "off network" routes
 r1lab(config-router)# no validate-update-source
 Note: for unnumbered IP interfaces (interfaces configured as ip unnumbered), no checking is performed.
- Interpacket delay: slows down the sending of routing update packets; typically useful to slow down high-speed routers when communicating with low-speed routers
 r1lab(config-router)# output-delay <8-50 milliseconds>
- Hops

120 Filtering
- Allow only odd routes from R1 to the other routers
[figure: binary worked example of the network, mask and first host, highlighting the third octet; the values did not survive the transcript]
- On the third octet, with an inverse mask: odd values always include a binary 1 in the least significant bit; even values never have it
- In the ACL you must match on this binary value
- The 254 in the wildcard mask tells the ACL not to care about anything in that octet except the least significant bit
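Added example (not from the slides) of the odd/even wildcard trick: a Cisco-style wildcard matcher and a standard-ACL evaluator are run over constructed 172.16.x.0 networks with the 0.0.254.255 mask, to show exactly which third octets a distribute list built this way lets through. The network values, ACL entries and function names are assumptions.

```python
import ipaddress


def wildcard_matches(address: str, wildcard: str, candidate: str) -> bool:
    """Cisco wildcard-mask comparison: a wildcard bit of 0 means "must match",
    a bit of 1 means "don't care" (the inverse of a subnet mask)."""
    a = int(ipaddress.IPv4Address(address))
    w = int(ipaddress.IPv4Address(wildcard))
    c = int(ipaddress.IPv4Address(candidate))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (c & care)


def apply_standard_acl(acl, networks):
    """Evaluate a standard ACL, given as (action, address, wildcard) entries, over
    network addresses the way a RIP distribute-list would: the first matching entry
    wins, and anything matching no entry hits the implicit deny at the end."""
    permitted = []
    for net in networks:
        for action, address, wildcard in acl:
            if wildcard_matches(address, wildcard, net):
                if action == "permit":
                    permitted.append(net)
                break
    return permitted


def octet_bits(value: int) -> str:
    """Binary form of one octet, to see which bits a wildcard leaves as don't-care."""
    return format(value, "08b")


# Constructed example prefixes under 172.16.0.0/16 (not values from the slide).
# The third octet is odd when its least significant bit is 1; wildcard 0.0.254.255
# keeps only that bit (plus the first two octets) significant, so the permit entry
# with third octet 1 admits every odd third octet and the one with 0 every even one.
ODD_THIRD_OCTET_ACL = [("permit", "172.16.1.0", "0.0.254.255")]
EVEN_THIRD_OCTET_ACL = [("permit", "172.16.0.0", "0.0.254.255")]

SAMPLE_NETWORKS = ["172.16.1.0", "172.16.2.0", "172.16.3.0",
                   "172.16.4.0", "172.16.255.0", "10.1.1.0"]

if __name__ == "__main__":
    print("254 =", octet_bits(254))  # 11111110: only the last bit is compared
    print(apply_standard_acl(ODD_THIRD_OCTET_ACL, SAMPLE_NETWORKS))
    print(apply_standard_acl(EVEN_THIRD_OCTET_ACL, SAMPLE_NETWORKS))
```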

121 Distribute List

122 RIP V2 Summarization
- Applied to an interface:
 r1lab(config-if)# ip summary-address rip
- Split horizon must be disabled on the interface
- Auto summary can only summarize to the classful boundary; summary-address allows for classless summarization
- Does not insert a Null0 entry into the routing table

123 RIP V2 Features
Authentication:
 r1lab(config)# interface s0
 r1lab(config-if)# ip rip authentication key-chain cisco
 r1lab(config-if)# ip rip authentication mode <md5,text>
 r1lab(config)# key chain cisco
 r1lab(config-keychain)# key 1
 r1lab(config-keychain-key)# key-string cisco
Classless:
- Classful route summarization (auto-summary) is enabled by default; disable it:
 r1lab(config)# router rip
 r1lab(config-router)# no auto-summary

124 IP RIP Triggered
When you enable triggered extensions to RIP, routing updates are transmitted on the WAN only if one of the following events occurs:
- The router receives a specific request for a routing update, which causes the full database to be sent
- Information from another interface modifies the routing database, which causes only the latest changes to be sent
- The interface comes up or goes down, which causes a partial database to be sent
- The router is powered on for the first time, which causes the full database to be sent to ensure that at least one update is sent

125 Default routes in RIP
- redistribute static <ip route null0 permanent>
- default-information originate <ip default-network >

126 Example of default information

127 Advanced Workaround with RIP / RSPAN
- RIPv2 on F1/0
- R4 must receive RIP routes from BB2 but is not permitted to redistribute from OSPF
- SPAN or RSPAN is used, together with no validate-update-source

128 Redistribution

129 Advertising Routes between routing protocols
- Longest Match
- Administrative Distance
- Redistribution
- Route Maps
- Distribute Lists
- Prefix Lists

130 Longest Match
>show ip route
D 172.33.1.0/25 via 192.168.1.1   (preferred: longest match)
R /24 via
O /23 via

131 Administrative Distance

132 Allow Redistribute on R1
Maintain R routes on R1 even after redistribution

133 Example Configuration with AD

134 Route Maps
- Route filtering
- Metric control
- Used extensively in BGP
- Used for setting IP Precedence
- Policy routing (not part of redistribution)
- Can use match and set:
 route-map lab permit 10
  match ip address 1 3   (several values on one match line create an OR statement)
  match ip prefix-list lab
- Multiple match lines are considered an AND

135 Distribute Lists
- Used with access-lists to filter incoming or outgoing updates
- Be as specific as possible when applying the distribute list
- RIP & EIGRP: distribute-list 1 in ethernet 0 (a route map can also be used); distribute-list 1 out ethernet 0
- OSPF: only allows inbound: distribute-list 1 in ethernet 0
- IS-IS does not use distribute lists
- BGP: applied to the neighbor: neighbor distribute-list 1 in

136 Prefix Lists
Prefix lists are a more sophisticated form of route-advertisement filtering provided by Cisco. They filter on IP address just as distribute lists do, but they are easier to read and require fewer commands to configure. The other advantage over a distribute list is that it is easier to add, remove and organize the statements in the manner you choose. For example:
 prefix-list xx seq 10 permit /22
 prefix-list xx seq 20 permit /21
 prefix-list xx seq 30 permit /24

137 Redistribution Problems
- When redistributing OSPF into BGP, by default BGP only accepts internal routes, not external type 1 or type 2
- Watch for administrative distance problems
- Beware of the metric used by RIP
- Redistributing into RIP requires a metric or default-metric, or the metric will be set to 16
- Redistributing into EIGRP requires a metric or default-metric, or the metric will be set to infinity
- Always filter routes when doing redistribution

138 Advanced RIP
- One static route allowed
- Receive the RIP routes

139 SESSION 7 EIGRP

140 EIGRP Outline
- Overview
- Updates
- Authentication
- Default Routes
- Summarization
- Metrics

141 EIGRP
- EIGRP is a Cisco proprietary routing protocol loosely based on their original IGRP
- EIGRP is an advanced distance-vector routing protocol, with optimizations to minimize both the routing instability incurred after topology changes and the use of bandwidth and processing power in the router
- EIGRP and IGRP are compatible with each other
- EIGRP uses the Diffusing Update Algorithm (DUAL), which guarantees loop-free operation; in particular, DUAL avoids the "count to infinity" behavior common in distance-vector routing protocols
- The maximum hop count of EIGRP-advertised routes (i.e. destination networks) has a default value; it can be changed in the routing process with <metric maximum-hops >
- EIGRP is considered an advanced distance-vector or hybrid routing protocol
- Classless (VLSM)

142 EIGRP Updates
- Hellos are sent between neighbors and must include: AS #, subnet, authentication, K-values
- Neighbor table
- Topology table (determines the successor (primary) and the feasible successor)
- DUAL algorithm (loop free)
- Routing table (the successor is installed from the topology table)
Note: updates are sent to the EIGRP multicast address, and EIGRP uses IP protocol number 88

143 Successor versus Feasible Successor
- Reported Distance (RD) is the distance from your neighbor (the next hop) to the destination
- Feasible Distance (FD) is the distance from the current router all the way to the destination; this includes all other routers between your router and the destination
[figure: FD and RD measured along the path R ... R3 to the destination]
- To qualify as a feasible successor, a next-hop router must have an RD less than the FD of the current successor route
- EIGRP metric = lowest bandwidth + all delays x 256

144 EIGRP Authentication
- Similar to RIP V2 authentication
- Only MD5 authentication supported
 r1lab(config)# interface s0
 r1lab(config-if)# ip authentication mode eigrp 222 md5
 r1lab(config-if)# ip authentication key-chain eigrp 222 cisco
 r1lab(config)# key chain cisco
 r1lab(config-keychain)# key 1
 r1lab(config-keychain-key)# key-string ccie

145 Default Routes in EIGRP
- <ip summary-address eigrp >
- <ip default-network >
- <redistribute> with <ip route null 0>
- <redistribute static> or <network >

146 EIGRP Summarization
- Auto summary is on by default – disable it
- Summarization is done on the interface:
 r1lab(config-if)# ip summary-address eigrp
- There is no way to get rid of the Null0 entry; it is added to avoid loops
- Default AD is 5, but a higher AD can be used for a floating summary
- You can bump the AD to 255 to remove the Null0 route, but then the summary could cause a loop if you do not properly filter

147 EIGRP Leak Map On the remote router

148 Virtual Template in PPP with Leak Map
- Problem: a leak map cannot be used with subinterfaces
- Must use PPP and a virtual template

149 EIGRP Stub Areas
- Affects what the router will advertise
- Reduces processing on the router
- Controls what networks are advertised
- Four options: receive-only, summary, connected, and static
 router eigrp 1
 eigrp stub summary leak-map leaky

150 Problems with EIGRP Stub
- All routers in the EIGRP AS need the stub command, or neighbors could end up stuck in active (SIA) because of the missing stub flag in the hello packets
- Workaround: use the stub configuration on all routers that need to be a stub in a single AS; use a separate AS for all other EIGRP routers and redistribute between the EIGRP AS processes on the hub router

151 Tuning EIGRP
Optional EIGRP commands:
- ip hello-interval eigrp – use this interface command to change the hello timer
- ip hold-time eigrp – use this command to change the EIGRP hold time for routes received by this interface
- metric weights – allows you to set the weights of the EIGRP metric
- distance – used to change the administrative distance of routes received from a neighbor
- delay – specifies the delay of an interface in tens of microseconds
- bandwidth – specifies the bandwidth of an interface in kilobits per second
- passive-interface – prevents the sending of EIGRP hellos on the link
- offset-list – used to increase the value of the routing metrics

152 Miscellaneous Topics
- Offset list:
 r1lab(config)# access-list 1 permit
 r1lab(config)# router eigrp 222
 r1lab(config-router)# offset-list 1 in 10000
- Adjust the percentage of bandwidth used for routing updates (50% is the default):
 r1lab(config-if)# ip bandwidth-percent eigrp
- It is very important to summarize and use stubs in large EIGRP networks; otherwise the query traffic to find successor routes could easily take 50% of the bandwidth. If we throttle the percentage too much, the convergence times will be affected
- Delay

153 Equal Cost Load Balancing
Change with the maximum-paths command in EIGRP process

154 EIGRP Unequal-Cost Load Balancing
- EIGRP offers unequal-cost load balancing through the variance command
- Variance allows the router to include routes with a metric smaller than the multiplier times the minimum metric route to that destination; the multiplier is the number specified by the variance command

155 Traffic-Share
Determines how traffic is load balanced. Two options:
- balanced (balances across paths)
- min across-interfaces (traffic still uses the lowest metric path)
 router eigrp 1
 variance 2
 traffic-share balanced   (actively uses the lower speed link to load balance with the higher speed links)
Note: min only adds the extra paths to the routing table for fallback; it does not load balance over them.
Under the interface you can configure per-packet or per-destination load balancing: ip load-sharing per-packet or ip load-sharing per-destination

156 Variance Example
Router E chooses router C to get to network Z because FD = 20. With a variance of 2, router E also chooses router B to get to network Z, because its metric ( = 30) < [2 * 20 (FD) = 40]. Router D is not used to get to network Z (45 > 40). To use D we need a variance of 3, because 3 x 20 = 60 and 60 > 45.
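Added example, not from the slides, covering the successor/feasible-successor rule on slide 143 and the variance example on this slide: it computes the classic EIGRP metric with default K values, checks the feasibility condition (RD < successor FD), and selects the paths a given variance admits. The reported distances assigned to C, B and D are assumed values that reproduce the slide's totals of 20, 30 and 45.

```python
from dataclasses import dataclass
from typing import List

# Classic EIGRP metric with default K values (K1 = K3 = 1, K2 = K4 = K5 = 0):
#   metric = (10^7 / minimum bandwidth in kbps + sum of delays in tens of usec) * 256
# This is the standard formula behind the slide's shorthand
# "lowest bandwidth + all delays x 256".
SCALE = 256


def eigrp_metric(min_bandwidth_kbps: int, total_delay_usec: int) -> int:
    bw_term = 10_000_000 // min_bandwidth_kbps
    delay_term = total_delay_usec // 10   # IOS counts delay in tens of microseconds
    return (bw_term + delay_term) * SCALE


@dataclass
class Path:
    next_hop: str
    reported_distance: int   # RD: the neighbor's own metric to the destination
    link_metric: int         # metric of the link from this router to that neighbor

    @property
    def feasible_distance(self) -> int:
        # FD: this router's total metric to the destination through this neighbor
        return self.reported_distance + self.link_metric


def successor(paths: List[Path]) -> Path:
    return min(paths, key=lambda p: p.feasible_distance)


def feasible_successors(paths: List[Path]) -> List[Path]:
    """Feasibility condition: a neighbor's RD must be strictly less than the
    successor's FD; that is what guarantees the backup path is loop-free."""
    best = successor(paths)
    backups = [p for p in paths
               if p is not best and p.reported_distance < best.feasible_distance]
    return sorted(backups, key=lambda p: p.feasible_distance)


def variance_paths(paths: List[Path], variance: int) -> List[str]:
    """Unequal-cost load balancing: the successor plus every feasible successor whose
    FD is less than variance * successor FD. Only feasible successors are eligible,
    so a path that fails the feasibility condition is never used however large the
    variance."""
    best = successor(paths)
    limit = variance * best.feasible_distance
    chosen = [best] + [p for p in feasible_successors(paths)
                       if p.feasible_distance < limit]
    return [p.next_hop for p in chosen]


# Constructed topology reproducing the slide's example: router E reaches network Z
# via C (FD 20), via B (30) and via D (45). The RDs are assumed values.
ROUTER_E_PATHS = [
    Path("C", reported_distance=10, link_metric=10),
    Path("B", reported_distance=10, link_metric=20),
    Path("D", reported_distance=10, link_metric=35),
]

if __name__ == "__main__":
    print(eigrp_metric(1544, 20000))          # T1 defaults: 2169856
    print(variance_paths(ROUTER_E_PATHS, 1))  # ['C']
    print(variance_paths(ROUTER_E_PATHS, 2))  # ['C', 'B']: 30 < 40, 45 is not
    print(variance_paths(ROUTER_E_PATHS, 3))  # ['C', 'B', 'D']: both below 60
```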

157 End Day 2 Lecture

158 Session 8 OSPF

159 OSPF Outline
- OSPF Network Types
- RID
- LSA
- Adjacencies
- Area types
- New Features
- Authentication
- Summaries
- Filtering

160 Physical Frame Relay Interface
Network Types
- The easiest configuration is to configure all OSPF frame relay interfaces for point-to-multipoint
- If the lab prohibits you from changing the network type, you can try the neighbor command
Physical Frame Relay Interface | OSPF Network Type
Physical | Non-Broadcast
Multipoint Sub | Non-Broadcast
Point-to-Point Sub | Point-to-Point

161 OSPF Over NBMA Topology Summary

162 Hello and Dead Timers
- In order to form a neighbor adjacency, hello and dead timers must match
- Timers differ based on the network type configuration:
 broadcast: hello time 10 seconds, dead time 40 seconds
 point-to-point: hello time 30 seconds, dead time 120 seconds
 non-broadcast: hello time 30 seconds, dead time 120 seconds
- Timers can be manually adjusted through the "ip ospf hello-interval" and "ip ospf dead-interval" interface commands

163 Hello and Dead Timers
- Physical interface: Non-Broadcast, hello 30, dead 120
- Subinterface P2P: Point-to-Point, hello 10, dead 40
- Subinterface point-to-multipoint
- Physical interface changed with ip ospf network broadcast: Broadcast
- P2P subinterface changed to NBMA: Non-Broadcast

164 Miscellaneous OSPF - Timers
Basic timers:
- Hello interval:
 interface serial 1/0
 ip ospf hello-interval 20 – automatically changes the dead interval to 80 (dead = hello x 4)
- Dead interval:
 ip ospf dead-interval 50 – does NOT change the hello interval
- Unless – see next slide

165 OSPF Timers – Fast Hellos
- Added in 12.2T15
- Enables faster convergence
- Sets the dead timer to 1 second; the hello timer is derived from the hello-multiplier
- Example – set hello to 250 ms:
 ip ospf dead-interval minimal hello-multiplier 4

166 Router ID
- Identifies an OSPF neighbor
- Dotted decimal, 32 bits
- Highest possible router ID
- Statically set the router ID (preferred); note: they may reboot the routers before they grade
 router ospf 1
 router-id
- Otherwise uses the highest IP address of all configured loopbacks
- If no loopback is present, it uses the highest interface IP address
- Used for virtual-link commands
- Highest router ID wins the DR election; priority can offset the election

167 Link State Announcement (LSA) Types
- 1 - Router LSA: each OSPF router generates a single Type 1 LSA to describe the status and cost (metric) of all links on the router. This LSA is flooded to each router within the OSPF area only.
- 2 - Network LSA: the designated router on a broadcast segment (e.g. Ethernet) lists which routers are joined together by the segment.
- 3 - Network Summary LSA: an Area Border Router (ABR) takes information it has learned on one of its attached areas and summarizes it before sending it out to other areas.
- 4 - ASBR Summary LSA: Type 5 External LSAs are flooded to all areas, and the detailed next-hop information may not be available in those other areas. The ABR floods the information for the router (i.e. the Autonomous System Border Router) where the Type 5 originated.
- 5 - AS External LSA: these LSAs contain information imported into OSPF from other routing processes. They are flooded to all areas (except stub areas).
- 6 - Group Membership LSA: defined for Multicast extensions to OSPF (MOSPF).
- 7 - NSSA External LSA: a Not-so-stubby area (NSSA) does not receive external LSAs from Area Border Routers, but is allowed to send external routing information for redistribution. It uses Type 7 LSAs to tell the ABRs about these external routes, which the Area Border Router then translates to Type 5 external LSAs and floods as normal to the rest of the OSPF network.

168 LSA Table
To DR router: 224.0.0.6; to area network: 224.0.0.5
Scope | LSA | Adv Router | R/Table Display | Database
Intra | 1 (Router) | All in area | O | sh ip ospf database router
Intra | 2 (Network) | DR only | N/A | sh ip ospf database network
Inter | 3 (Summary) | ABR | IA | sh ip ospf database summary
Inter | 4 (Announce ASBRs) | | | sh ip ospf database asbr-summary
External | 5 (Type 1 or Type 2) | ASBR | E2 (default) or E1 | sh ip ospf database external
 | 6 (MOSPF) | Cisco can generate a syslog error | |
External | 7 (in NSSA) | ASBR | N1 or N2 | sh ip ospf database nssa-external

169 Problems preventing Neighbor Adjacency
- Mismatched hello timers
- Subnet information
- Authentication
- Area ID doesn't match
- Area stub flag not set
- Duplicate RID

170 Neighbor States
- Down
- Init (clear or start a new OSPF process)
- 2-Way (elect DR/BDR)
- Exstart (master/slave): the master sends database descriptor packets (containing link-state advertisement (LSA) headers only); the higher IP is master
- Exchange (exchange LSDB); use ip ospf mtu-ignore to avoid MTU problems
- Loading: LSR (request) and LSU (updates)
- Full (database synchronized and all routes have been exchanged)

171 Electing the DR and BDR
- Hello packets are exchanged via IP multicast
- The router with the highest OSPF priority is selected as the DR
- The OSPF router ID is used as the tie breaker; if no RID, then the highest loopback IP; if no loopback, then the highest interface IP
- The DR election is non-preemptive

172 Setting Priority for DR Election
Router(config-if)# ip ospf priority number
- This interface configuration command assigns the OSPF priority to an interface; different interfaces on a router may be assigned different values
- The default priority is 1; the range is from 0 to 255
- 0 means the router is a DROTHER; it can't be the DR or BDR
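Added example (not from the slides) implementing the router-ID selection order from slide 166 and a simplified, non-preemptive DR/BDR election with the priority and router-ID tie-breaks from this and the previous slide. The router IDs and priorities are constructed values, and the election is simplified: it does not model the two-phase BDR-then-DR procedure of RFC 2328.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple


def _ip_value(address: str) -> int:
    """Dotted-decimal addresses compare numerically, not as strings."""
    return int(ipaddress.IPv4Address(address))


def ospf_router_id(static_rid: Optional[str], loopbacks: List[str],
                   interfaces: List[str]) -> str:
    """Router ID selection order: a configured router-id wins; otherwise the highest
    loopback address; otherwise the highest interface address."""
    if static_rid:
        return static_rid
    if loopbacks:
        return max(loopbacks, key=_ip_value)
    if interfaces:
        return max(interfaces, key=_ip_value)
    raise ValueError("no IPv4 address available for the router ID")


def elect_dr_bdr(priorities: Dict[str, int],
                 current_dr: Optional[str] = None) -> Tuple[Optional[str], Optional[str]]:
    """Simplified DR/BDR election on one segment.

    priorities maps router ID -> ip ospf priority. Priority 0 routers are DROTHER and
    never eligible. The highest priority wins and the highest router ID breaks ties.
    The election is non-preemptive: an existing DR that is still present keeps the
    role even if a better candidate has since appeared on the segment.
    """
    eligible = [rid for rid, prio in priorities.items() if prio > 0]
    if not eligible:
        return None, None
    ranked = sorted(eligible, key=lambda rid: (priorities[rid], _ip_value(rid)),
                    reverse=True)
    dr = current_dr if current_dr in eligible else ranked[0]
    others = [rid for rid in ranked if rid != dr]
    bdr = others[0] if others else None
    return dr, bdr


# Constructed segment: router IDs and priorities are example values.
SEGMENT = {"1.1.1.1": 1, "2.2.2.2": 1, "3.3.3.3": 0, "4.4.4.4": 100}

if __name__ == "__main__":
    print(ospf_router_id(None, ["10.1.1.1", "172.16.1.1"], ["192.168.1.1"]))  # 172.16.1.1
    print(elect_dr_bdr(SEGMENT))                        # ('4.4.4.4', '2.2.2.2')
    print(elect_dr_bdr(SEGMENT, current_dr="1.1.1.1"))  # ('1.1.1.1', '4.4.4.4')
```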

173 Area Type
- All routers in an OSPF area must have the same area type set, or no neighbor will be formed
- Totally Stubby and Totally NSSA have the 'no-summary' keyword added ONLY on the ABR
- NSSA does not inject a default route automatically; configure the ABR for the default to be sent: area 2 nssa default-information-originate
Area Type | ABR | LSA | Area Routers
Stub | stub | 2,3,4 | 1
Totally Stubby | stub no-summary | 2, |
NSSA | nssa default-information-originate | 2, ,4 1,7 | nssa
Totally NSSA | nssa no-summary | | nssa

174 Types of OSPF Routers

175 OSPF Authentication
- Uses either clear text or MD5
- Can do either area authentication or link authentication
- If area 0 has authentication, any virtual links must have the same authentication configured
- Watch for extra spaces in your passwords

176 Area Authentication
Clear Text:
 r1lab(config)# router ospf 1
 r1lab(config-router)# area 0 authentication
 r1lab(config)# int serial 0
 r1lab(config-if)# ip ospf authentication-key cisco
MD5:
 r1lab(config-router)# area 0 authentication message-digest
 r1lab(config)# int s0
 r1lab(config-if)# ip ospf message-digest-key 1 md5 cisco

177 Link Authentication
Clear Text:
 r1lab(config)# int s0
 r1lab(config-if)# ip ospf authentication
 r1lab(config-if)# ip ospf authentication-key cisco
MD5:
 r1lab(config-if)# ip ospf authentication message-digest
 r1lab(config-if)# ip ospf message-digest-key 1 md5 cisco

178 Virtual Links
- Avoid in the real world
- Used to connect an area to the backbone through another area – an extension of area 0
- Configuration uses the router-id
- If authentication is configured on area 0, it must also be configured on the virtual link and on the far-side router
- Needed in two cases: a discontiguous area 0; a router touching two areas but not area 0
- Use Area Border Routers as the endpoints

179 Virtual Link Authentication
Clear Text:
 r1lab(config)# router ospf 1
 r1lab(config-router)# area 1 virtual-link authentication-key cisco
MD5:
 r1lab(config-router)# area 1 virtual-link message-digest-key 1 md5 cisco
- Remember that the far side of the virtual link must know what type of authentication area 0 is using
- A VL cannot traverse a stub area
- If you are required to traverse a VL to area 0, you must negate capability transit

180 Connecting a Non-Backbone Area Through a Stub Area
- Generic Routing Encapsulation (GRE) allows you to connect a discontiguous area to the backbone through a stub area
- GRE will cause extra packet overhead due to the tunnel header information

181 OSPF New Features Max LSA (Internal)

182 OSPF New Features Cont. Maximum Prefixes (Networks)

183 OSPF New Features Cont. Prevent OSPF router from being transit
Max Metric uses – (16 bits)

184 OSPF Summarization
Two ways to summarize:
- area range: used to summarize between OSPF areas; always done on an ABR
 area 2 range
- summary-address: used to summarize external routes redistributed into OSPF; always done on an ASBR
 summary-address
- Both will inject a Null0 route into the routing table. If you MUST get rid of the Null0 route:
 no discard-route internal – used with area range
 no discard-route external – used with summary-address

185 Configuring Route Summarization
router(config-router)# area area-id range address mask
- Consolidates inter-area (IA) routes on an ABR
router(config-router)# summary-address address mask [not-advertise] [tag tag]
- Consolidates external routes, usually on an ASBR

186 Filtering in OSPF
A distribute list works only inbound and cannot stop LSAs

187 Break Area 0
R1 and R2 have full knowledge of Area 0 routes, and R3 and R4 have no knowledge (or on R2 OSPF)

188 Prevent type 7 to 5 routes from Area 0

189 SESSION 8 BGP

190 BGP Outline
- Operation
- State
- Attributes
- Order/Preference
- Aggregation
- Security
- Peer Groups
- Dampening

191 iBGP Full Mesh Requirement
- All BGP speakers within an AS must be connected together in a full mesh
- n BGP speakers within an AS require n*(n-1)/2 unique iBGP sessions to connect the BGP routers
- If not meshed, routes must be redistributed into and synchronized with the IGP
- Route reflectors and confederations may be used to avoid the full-mesh requirement or redistribution

192 BGP Route Reflector
- Scales well, unlike full mesh
- Optional: peer groups could be used to save configuration on the route reflector
 r1lab(config-router)# neighbor update-source loopback 0
 r1lab(config-router)# neighbor next-hop-self
 r1lab(config-router)# neighbor distribute-list 1 out
 r1lab(config-router)# neighbor route-reflector-client

 r1lab(config-router)# neighbor update-source loopback 0
 r1lab(config-router)# neighbor next-hop-self
 r1lab(config-router)# neighbor distribute-list 1 out
 r1lab(config-router)# neighbor route-reflector-client

193 Route Reflector

194 BGP Confederations
- Splits one AS into many smaller private ASs
- Private AS numbers are – 65535
- Connections between the private ASs are treated as special eBGP connections
- External ASs only participate in the public AS; they are not aware of the private ASs inside

195 Confederation
[figure: confederation with sub-ASs AS 6502 and AS 6503]

196 Manual Confederation
- Uses a private AS for iBGP and the public AS for eBGP
- Need to remove the private AS information

197 Basic BGP Configuration
- Neighbors must be configured on both sides
- Neighbors must be directly connected or have a specific IGP route (a default route will not work) to the neighbor
- Neighbors in the same AS are iBGP; iBGP will go 255 hops by default to find a neighbor
- Neighbors in different ASs are eBGP; eBGP will only go 1 hop to find a neighbor: neighbor ebgp-multihop <1-255> (needs an IGP)
- If you use a loopback to neighbor, don't forget to change the update source: BGP expects the directly connected interface to be the update source unless you specify neighbor update-source loopback 0
- Advertised networks must have an exact match in the routing table in order for BGP to advertise the route

198 State
- Idle
- Connect
- Active (resets the retry timer and kicks back to Idle)
- Open sent (version must be 4)
- Open confirm
- Established

199 Neighbors

200 Synchronization Example
[figure: AS 45, AS 40 and AS 50 with routers A to F connected by eBGP and iBGP sessions]
An IGP running only on routers B and C will not appear in D's IP routing table

201 Synchronization Problem
- An eBGP learned route cannot be installed in the routing table of iBGP connected routers until the route has already been learned by the IGP connecting these routers
- It is almost always recommended to disable synchronization; otherwise you need to redistribute the eBGP routes directly into the IGP
 r1lab(config)# router bgp 10
 r1lab(config-router)# no synchronization

202 Next Hop
- The IGP should carry a route to the next hops
- Recursive route lookup
- Decouples BGP from the actual physical topology
- If an IGP router does not have a route to the eBGP next hop, next-hop-self can be used on the iBGP/eBGP neighbor to provide connectivity

203 Next Hop Example
[figure: routers A, B, D and F connected by eBGP and iBGP sessions; B's network /24]
- B does not advertise network 20.2.2.0 to A
- A will not install the network in its routing table, since A does not know how to reach the next hop

204 Next-Hop-Self Problem
- An eBGP learned route cannot be installed in the IP routing table of iBGP connected routers unless the route's next-hop address is reachable
 r1lab(config)# router bgp 10
 r1lab(config-router)# neighbor next-hop-self
- eBGP neighbors always advertise themselves as the "next hop" for any routes sent; iBGP neighbors retain the original advertiser's address as the next hop
- The issue with next-hop information is whether or not that next hop (the eBGP neighbor address) is reachable by any iBGP neighbor

205 Transit AS
- If an AS has 2 or more connections to the Internet, by default some traffic not destined for your AS may pass through your routers
- Two ways to stop this: AS-path access-lists; communities (explained later)

206 BGP Characteristics
Distance-vector protocol with enhancements:
- Reliable updates
- Triggered updates only
- Rich metrics (called path attributes)
- Designed to scale to huge internetworks

207 BGP Path Attributes
- BGP metrics are called path attributes
- BGP attributes are categorized as well-known and optional
- Well-known attributes must be recognized by all compliant implementations
- Optional attributes are only recognized by some implementations (could be private) and are not expected to be recognized by everyone

208 Well-Known BGP Attributes
- Well-known attributes are divided into mandatory and discretionary
- Well-known mandatory attributes must be present in all update messages
- Well-known discretionary attributes are optional; they may be present in update messages
- All well-known attributes are propagated to other neighbors

209 WELL-KNOWN, MANDATORY
- AS-path: a list of the Autonomous System (AS) numbers that a route passes through to reach the destination. As the update passes through an AS, the AS number is inserted at the beginning of the list, so the AS-path attribute holds a reverse-order list of the ASs passed through to get to the destination.
- Next-hop: the next-hop address that is used to reach the destination.
- Origin: indicates how BGP learned a particular route. There are three possible types: IGP (route is internal to the AS), EGP (learned via EBGP), or Incomplete (origin unknown or learned in a different way).

210 WELL-KNOWN, DISCRETIONARY
- Local Preference: defines the preferred exit point from the local AS for a specific route.
- Atomic Aggregate: set when a router advertises an aggregate that causes path attribute information to be lost.

211 Optional BGP Attributes
Optional BGP attributes are transitive or non-transitive.
- Optional transitive attributes:
 Aggregator: specifies the router ID and AS of the router that originated an aggregate prefix; used in conjunction with the atomic aggregate attribute
 Community: used to group routes that share common properties so that policies can be applied at the group level
- Optional non-transitive attributes:
 Multi-exit-discriminator (MED): indicates the preferred path into an AS to external neighbors when multiple paths exist
- Recognized optional attributes are propagated to other neighbors based on their meaning (not constrained by the transitive bit)

212 Priority of Attributes
1. If the path specifies a next hop that is inaccessible, drop the update.
2. Prefer the path with the largest weight.
3. If the weights are the same, prefer the path with the largest local preference.
4. If the local preferences are the same, prefer the path that was originated by BGP running on this router.
5. If no route was originated, prefer the route that has the shortest AS_path.
6. If all paths have the same AS_path length, prefer the path with the lowest origin type (where IGP is lower than EGP, and EGP is lower than incomplete).
7. If the origin codes are the same, prefer the path with the lowest MED attribute.
8. If the paths have the same MED, prefer the external path over the internal path.
9. If the paths are still the same, prefer the path through the closest IGP neighbor.
10. Prefer the path with the lowest IP address, as specified by the BGP router ID.
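Added example, not from the slides, that runs the ten-step decision process above over constructed candidate paths and reports which step decided the winner. The next hops, router IDs and AS numbers are example values, and the MED comparison is simplified (see the comment in the code).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}  # lower is preferred


@dataclass
class BgpPath:
    next_hop: str
    router_id: str                   # BGP router ID of the advertising peer
    next_hop_reachable: bool = True
    weight: int = 0                  # Cisco-local attribute, never propagated
    local_pref: int = 100            # default local preference
    locally_originated: bool = False
    as_path: Tuple[int, ...] = ()
    origin: str = "igp"
    med: int = 0                     # default MED
    external: bool = True            # learned from an eBGP peer
    igp_cost: int = 0                # IGP metric to reach the next hop


# Steps 2-10 as sort keys where the smallest value is preferred; step 1
# (next-hop reachability) is applied as a filter before these run.
# Simplification: real IOS compares MED only among paths from the same
# neighbouring AS unless bgp always-compare-med is configured.
DECISION_STEPS = [
    ("weight", lambda p: -p.weight),
    ("local preference", lambda p: -p.local_pref),
    ("locally originated", lambda p: 0 if p.locally_originated else 1),
    ("AS_PATH length", lambda p: len(p.as_path)),
    ("origin", lambda p: ORIGIN_RANK[p.origin]),
    ("MED", lambda p: p.med),
    ("eBGP over iBGP", lambda p: 0 if p.external else 1),
    ("IGP cost to next hop", lambda p: p.igp_cost),
    ("lowest router ID", lambda p: int(ipaddress.IPv4Address(p.router_id))),
]


def best_path(paths: List[BgpPath]) -> Tuple[Optional[BgpPath], str]:
    """Return the winning path and the name of the step that decided it."""
    candidates = [p for p in paths if p.next_hop_reachable]   # step 1
    if not candidates:
        return None, "no path with a reachable next hop"
    for name, key in DECISION_STEPS:
        best = min(key(p) for p in candidates)
        candidates = [p for p in candidates if key(p) == best]
        if len(candidates) == 1:
            return candidates[0], name
    return candidates[0], "lowest router ID"


# Constructed sample paths to one prefix (addresses and AS numbers are example values).
SAMPLE_PATHS = [
    BgpPath("192.0.2.1", "192.0.2.1", weight=500, next_hop_reachable=False),  # dropped at step 1
    BgpPath("198.51.100.1", "198.51.100.1", local_pref=100, as_path=(65001,)),
    BgpPath("203.0.113.1", "203.0.113.1", local_pref=200, as_path=(65002, 65003)),
    BgpPath("203.0.113.2", "203.0.113.2", local_pref=200, as_path=(65004,),
            origin="incomplete"),
]

if __name__ == "__main__":
    winner, reason = best_path(SAMPLE_PATHS)
    # Highest local preference beats the shorter AS path of 198.51.100.1, and the
    # shorter AS path then beats the better origin of 203.0.113.1.
    print(winner.next_hop, "chosen by", reason)  # 203.0.113.2 chosen by AS_PATH length
```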

213 Weight
The weight attribute is a Cisco-defined attribute used for the path selection process. The weight is configured locally on a router and is not propagated to any other routers.

214 Origin
The origin attribute indicates how BGP learned about a particular route. It can have one of three possible values:
- IGP: the route is interior to the originating AS. This value is set when the network router configuration command is used to inject the route into BGP. [0] i
- EGP: the route is learned via the Exterior Border Gateway Protocol (EGP). [1] e
- Incomplete: the origin of the route is unknown or learned in some other way. An origin of incomplete occurs when a route is redistributed into BGP. [?]

215 AS-Path
- The AS-path attribute is empty when a local route is inserted in the BGP table
- The sender's AS number is prepended to the AS-path attribute when the routing update crosses an AS boundary
- The receiver of BGP routing information can use the AS-path to determine through which ASs the information has passed
- An AS that receives routing information with its own AS number in the AS-path silently ignores the information
- Prepending to the AS-path can be used as a metric:
 route-map prepend permit 10
  match ip address 1
  set as-path prepend

216 Next-Hop Attribute
- The next-hop attribute indicates the next-hop IP address used for packet forwarding
- Usually set to the IP address of the sending BGP router

217 Multi-Exit Discriminator Attribute
- The multi-exit discriminator (MED) or metric attribute is used as a suggestion to an external AS regarding the preferred route into the AS that is advertising the metric
- Only works from a directly connected AS; it is not transitive
- Default MED is 0

218 Local Preference The local preference attribute is used to prefer an exit point from the local autonomous system (AS). Unlike the weight attribute, the local preference attribute is propagated throughout the local AS. If there are multiple exit points from the AS, the local preference attribute is used to select the exit point for a specific route. Default Local Preference 100

219 Atomic aggregate
The Atomic aggregate attribute serves as an indication to the receiver that it can't "deaggregate" the prefix, because some of the granularity associated with the AS paths may have been lost when the aggregate was created, and deaggregation could result in the introduction of loops. Border Gateway Protocol (BGP) allows the aggregation of specific routes into one route with the aggregate-address address mask [as-set] [summary-only] [suppress-map map-name] [advertise-map map-name] [attribute-map map-name] command. When you issue the aggregate-address command without any arguments, there is no inheritance of the individual route attributes (such as AS_PATH or community).

220 Aggregator AGGREGATOR is an optional transitive attribute of length 6. The attribute contains the last AS number that formed the aggregate route (encoded as 2 octets), followed by the IP address of the BGP speaker that formed the aggregate route (encoded as 4 octets). This SHOULD be the same address as the one used for the BGP Identifier of the speaker. Created from enabling AS-Set

221 Communities
- RFC1997, RFC1998
- Optional attribute
- Range: 0 to 4,294,901,760
- Method to group destinations into communities and apply routing decisions (accept, prefer, redistribute, etc.) using route-maps
- Route maps are used to set the community attribute
- Predefined community attributes:
 no-export: do not advertise this route to EBGP peers
 no-advertise: do not advertise this route to any peer
 internet: advertise this route to the Internet community; all routers in the network belong to it
 local-AS: use in confederation scenarios to prevent sending packets outside the local autonomous system (AS)
- Communities are AS specific and are stripped when transiting an AS

222 Originator-ID
Originator-ID is an optional, nontransitive BGP attribute. It is a 4-byte attribute created by a route reflector. The attribute carries the router ID of the originator of the route in the local autonomous system. Therefore, if a misconfiguration causes routing information to come back to the originator, the information is ignored.

223 Cluster List Cluster-list is an optional, nontransitive BGP attribute. It is a sequence of cluster IDs that the route has passed. When a route reflector reflects a route from its clients to nonclient peers, and vice versa, it appends the local cluster ID to the cluster-list. If the cluster-list is empty, it creates a new one. Using this attribute, a route reflector can identify if routing information is looped back to the same cluster due to misconfiguration. If the local cluster ID is found in the cluster-list, the advertisement is ignored.

224 BGP Path Attribute Summary
Well-known mandatory - recognized by everyone, always present: AS-Path, Next-Hop, Origin
Well-known discretionary - recognized by everyone, optional: Local Preference, Atomic Aggregate
Optional transitive - might not be recognized; propagated if not: Community, Aggregator
Optional non-transitive - might not be recognized; dropped if not: Multi-Exit Discriminator (MED)

225 Announcing Networks in BGP
Only administratively defined networks are announced in BGP
Manually configure networks to be announced: network <address> mask <mask>
Use redistribution from an IGP
Use aggregation to announce summary prefixes

226 Manually Announce Classless Prefix in BGP
router(config-router)# network ip-prefix-address mask subnet-mask
Configures a classless prefix to be advertised into BGP
The prefix must exactly match an entry in the IP forwarding table
Hint: use a static route to null 0 to create a matching prefix in the IP forwarding table

227 Redistributing Routes from IGP
Easier than listing networks in the BGP process in large networks
Redistributed routes carry the origin attribute "incomplete"
Always filter redistributed routes to prevent route leaking

228 Aggregating BGP Networks
Summarization is called aggregation in BGP
Aggregation creates summary routes (called aggregates) from networks already in the BGP table
Individual networks can be announced or suppressed

229 Configuring Aggregation
router(config)# router bgp as-number
router(config-router)# aggregate-address address-prefix mask
Specifies the aggregation range in the BGP routing process
The aggregate will be announced if there is at least one network in the specified range in the BGP table
Individual networks will still be announced in outgoing BGP updates

230 Configuring Aggregation
router(config)# router bgp as-number
router(config-router)# aggregate-address address-prefix mask summary-only
Configures aggregation of BGP routes
Advertises only the aggregate and not the individual networks
Benefits: smaller BGP routing tables; more stable internetworks (less route flapping)
Drawbacks: problems with multi-homed customers

231 Configuring Aggregation with other options
Summary plus AS path (the as-set keyword): the aggregate carries the AS numbers of the component routes, which prevents loops in the summary

232 Aggregate cont. Other options that can be enabled are:
Attribute maps set the attributes of the aggregate route, since by default the attributes of the original routes are used when they are summarized
Advertise maps let the aggregate inherit the attributes of the specific networks identified in the advertise map; note that the attribute map overrides the advertise map
Suppress maps override the summary-only keyword and suppress only the routes matched by the suppress map
Unsuppress maps selectively unsuppress networks that were suppressed by a suppress map

233 Configuring BGP Communities
BGP communities are configured in the following steps:
Configure route tagging with BGP communities
Configure BGP community propagation
Define BGP community access-lists (community-lists) to match BGP communities
Configure route-maps that match on community-lists and filter routes or set other BGP attributes
Apply the route-maps to incoming or outgoing updates

234 Community Setting Through Route-Map
router(config)# route-map name
router(config-route-map)# match condition
router(config-route-map)# set community value [value ...] [additive]
Route tagging with communities is always done with a route-map
Any number of communities can be specified
Communities specified with the set keyword overwrite existing communities unless you specify the additive option

235 Attaching Communities to a Route
router(config-router)# neighbor ip-address route-map map in | out
Applies a route-map to inbound or outbound BGP updates
The route-map can set BGP communities or other BGP attributes
router(config-router)# redistribute protocol route-map map
Applies a route-map to redistributed routes

236 Configure Community Propagation
router(config-router)# neighbor ip-address send-community
By default, communities are stripped from outgoing BGP updates
Community propagation to BGP neighbors has to be configured manually
BGP peer groups are ideal for configuring BGP community propagation toward a large number of neighbors

237 Related Commands
set community none - removes all community attributes
set comm-list delete - removes specific communities:
ip community-list 1 permit 200:100
route-map REM_COM permit 10
set comm-list 1 delete
set community additive - appends to the existing communities:
set community 450 additive
ip community-list 1 permit 200:10 - matches any route that has 200:10 as one of its communities
ip community-list permit 200:10 100:10 - matches any route that has either or both communities
ip community-list permit 200:10 100:10 exact-match - matches only those routes that carry exactly these communities (both, and no others)

238 AS Path Filtering Several scenarios require BGP route filtering based on the AS-path:
Announce only local routes to the ISP - the AS-path needs to be empty
Select routes based on a specific AS number in the AS-path
Accept routes for a specific AS only from some BGP neighbors
AS-path filters use regular expressions

239 Regular Expressions Ranges and Wildcard Characters
A range of characters matches any single character in the range; examples: [1234] or [1-4]
A dot (.) matches any single character

240 Regular Expressions Matching Delimiters
^ matches beginning of string $ matches end of string _ matches any delimiter (beginning, end, whitespace, tab, comma)

241 Regular Expressions Repeating Operators
* matches zero or more instances
? matches zero or one instance
+ matches one or more instances

242 Sample Regular Expressions
_100_ - going through AS 100
^100$ - directly connected to AS 100
_100$ - originated in AS 100
^100_.* - networks behind AS 100
^[0-9]+$ - AS paths one AS long
^$ - networks originated in the local AS
.* - matches everything

243 Regular Expression Examples
Routes originated from a directly connected AS (5): ^5$
Routes that passed through AS 6: _6_
Routes that originated in AS 7: _7$
Routes that originated in an odd AS: [1,3,5,7,9]$
Routes that originated in AS 3, or in an AS directly attached to AS 3: ^3_[0-9]*$
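The expressions from the two slides above, applied to constructed AS paths in an added Python example (not from the presentation). Cisco's "_" delimiter has no direct Python equivalent, so the example expands it into the group of delimiters the slide on matching delimiters lists; note how _100_ does not match an AS path through AS 1000.

```python
import re

# Cisco AS-path regexes use "_" as a delimiter atom (start, end, space, comma,
# braces, parentheses); Python's re has no such atom, so it is expanded here.
CISCO_DELIM = r"(?:^|$|[ ,{}()])"

def cisco_to_python(regex: str) -> str:
    """Translate a Cisco-style AS-path regex into an equivalent Python regex."""
    return regex.replace("_", CISCO_DELIM)

def as_path_matches(regex: str, as_path: str) -> bool:
    """True if the Cisco-style regex matches the AS_PATH string.
    as_path is written as 'show ip bgp' prints it, e.g. '5 6 7';
    the empty string is a route originated in the local AS."""
    return re.search(cisco_to_python(regex), as_path) is not None

def filter_as_paths(regex: str, as_paths):
    """Return the subset of as_paths that an
    'ip as-path access-list N permit regex' would accept."""
    return [p for p in as_paths if as_path_matches(regex, p)]

# Constructed sample AS_PATHs (not taken from the slides).
SAMPLE_PATHS = ["", "5", "5 6 7", "3 12", "3", "100 6", "1000 7", "5 100"]

# Expressions from the slides, with the meaning the slides give each one.
EXPRESSIONS = [
    ("^$", "originated in the local AS"),
    ("^5$", "directly connected AS 5"),
    ("_6_", "passed through AS 6"),
    ("_7$", "originated in AS 7"),
    ("_100_", "going through AS 100 (AS 1000 must not match)"),
    ("^3_[0-9]*$", "AS 3 or an AS directly attached to AS 3"),
]

if __name__ == "__main__":
    for rx, meaning in EXPRESSIONS:
        print(f"{rx:12} {meaning:45} -> {filter_as_paths(rx, SAMPLE_PATHS)}")
```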

244 Configuring BGP AS-path Filters
router(config)# ip as-path access-list number permit|deny regexp
Configures an AS-path access list
router(config-router)# neighbor ip-address filter-list as-path-filter in|out
Configures an inbound or outbound AS-path filter for the specified BGP neighbor

245 Conditional Route Injection
Used to inject a more specific route into BGP based on the existence of an aggregate route, or to originate a default route based on the existence of a certain route

246 BGP Authentication Authentication is MD5
Configured on a per-neighbor basis:
r1lab(config)# router bgp 10
r1lab(config-router)# neighbor remote-as 10
r1lab(config-router)# neighbor password CISCO
r2(config)# router bgp 10
r2(config-router)# neighbor remote-as 10
r2(config-router)# neighbor password CISCO

247 BGP Route Flap Dampening Goals
Minimize the amount of BGP update processing in the Internet
Do not suppress routes that occasionally flap
Suppress routes that are likely to flap in the future, based on the history of their behavior
Flap = removal (withdrawal) of a route
Suppress = do not use a route after it reappears

248 Route Flap Dampening Implementation
Every time an eBGP route flaps it gets 1000 penalty points (iBGP routes are not dampened)
The penalty placed on a route decays using an exponential decay algorithm
When the penalty exceeds the "suppress limit", the route is dampened (no longer used or propagated to other neighbors)
A dampened route is propagated again when the penalty drops below the "reuse limit"

249 Route Flap Dampening Implementation
The flap history is forgotten when the penalty drops below half of the "reuse limit"
A route is never dampened for longer than the "max-suppress" time
An unreachable route with flap history is put in "history state": it stays in the BGP table, but only to maintain the flap history
The penalty is applied to the individual path in the BGP table, not to the IP prefix

250 Configuring BGP Route Flap Dampening
router(config-router)# bgp dampening [half-time [reuse-limit suppress-limit max-suppress]] [route-map route-map]
Configures BGP route flap dampening
Parameter meanings:
half-time - exponential decay half-time (the time in which the penalty is halved)
suppress-limit - penalty value at which the route starts to be dampened
reuse-limit - penalty value at which the dampened route is reused
max-suppress - maximum suppression time
route-map - dampening parameters are specified with a route-map

251 Default BGP Dampening Parameter Values
The following default dampening parameter values are used if you don't specify them:
half-time 15 minutes
per-flap penalty 1,000 (non-configurable)
suppress limit 2,000
reuse limit 750
max-suppress-time 60 minutes
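The dampening rules of slides 248 and 249 carried through with the default values above, as an added Python simulation (not code from the presentation): a per-path penalty decays with the 15-minute half-time, and the suppress, reuse, half-of-reuse and max-suppress rules decide whether the path is suppressed, merely remembered, or clean. The penalty ceiling that IOS derives from max-suppress is not modelled; that simplification is an assumption.

```python
# Default IOS dampening values from the slide above (times in minutes).
HALF_TIME = 15.0        # the penalty halves every 15 minutes
FLAP_PENALTY = 1000     # added per flap, not configurable
SUPPRESS_LIMIT = 2000
REUSE_LIMIT = 750
MAX_SUPPRESS = 60.0

def decayed(penalty, elapsed_min, half_time=HALF_TIME):
    """Exponential decay: penalty * 2^(-elapsed / half_time)."""
    return penalty * 2.0 ** (-elapsed_min / half_time)

class DampenedPath:
    """Flap state for one BGP path (dampening is per path, not per prefix)."""
    def __init__(self):
        self.penalty, self.suppressed = 0.0, False
        self.last_update, self.suppressed_at = 0.0, None

    def _advance(self, now):
        """Decay the penalty to time 'now', then apply the reuse and forget rules."""
        self.penalty = decayed(self.penalty, now - self.last_update)
        self.last_update = now
        if self.suppressed and (self.penalty < REUSE_LIMIT
                                or now - self.suppressed_at >= MAX_SUPPRESS):
            self.suppressed, self.suppressed_at = False, None   # route is reused
        if self.penalty < REUSE_LIMIT / 2:
            self.penalty = 0.0                                  # history forgotten

    def flap(self, now):
        """The route is withdrawn (flaps) at time 'now' (minutes)."""
        self._advance(now)
        self.penalty += FLAP_PENALTY
        if not self.suppressed and self.penalty >= SUPPRESS_LIMIT:
            self.suppressed, self.suppressed_at = True, now

    def state(self, now):
        """'suppressed', 'history' (usable but remembered) or 'clean'."""
        self._advance(now)
        if self.suppressed:
            return "suppressed"
        return "history" if self.penalty > 0 else "clean"

def simulate(flap_times, probe_time):
    """Replay flaps (minutes) and report (state, rounded penalty) at probe_time."""
    path = DampenedPath()
    for t in flap_times:
        path.flap(t)
    return path.state(probe_time), round(path.penalty)

if __name__ == "__main__":
    # Constructed scenario: three flaps one minute apart, then watch the decay.
    for probe in (2, 17, 40, 60):
        print(f"t={probe:2d} min: {simulate([0, 1, 2], probe)}")
```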

252 Limiting the Number of Routes Received from a Neighbor
Problem definition:
A misconfigured BGP neighbor can send a huge number of prefixes that exhaust the router's memory or overload the CPU (several Internet-wide incidents have already occurred)
All other filtering mechanisms only specify what we are willing to accept, not how much
A new tool is needed to establish a hard limit on the number of prefixes received from a neighbor

253 Maximum-Prefix Command
router(config-router)# neighbor ip-address maximum-prefix maximum [threshold] [warning-only]
Controls how many prefixes can be received from a neighbor
The optional threshold parameter specifies the percentage at which a warning message is logged (default is 75%)
The optional warning-only keyword specifies the action on exceeding the maximum number (the default is to drop the neighborship)

254 End of Day 3 Lecture

255 SESSION 9 Multicast

256 Multicast Outline
Addressing
RPF
Dense/Sparse mode
Source/shared trees
Static RP
Auto-RP
BSR
Stub
M-B-M
MSDP / Anycast RP

257 Multicast Address Range

258 Mapping a MAC Address

259 Reverse Path Forwarding

260 RPF Calculation

261 RPF with two paths

262 Multicast Distribution Trees
Dense mode uses source-rooted trees and a push model, which is very chatty

263 Shared Distribution Tree
Sparse mode uses a shared tree and a pull model

264 Characteristics of Distribution Trees

265 Multicast Tree Creation

266 Multicast Distribution Tree Example

267 Different types of PIM

268 PIM Sparse Mode

269 How does the network know about the RP?

270 Static RPs

271 Auto-RP
Intended for PIMv1
Candidate RPs (C-RP)
Mapping Agent (collects C-RP announcements and sends RP discovery messages on )
The RPs announce on 
It is recommended to locate the C-RP and the Mapping Agent on the same router
Uses dense mode to find the RP as a fallback

272 Auto RP

273 Auto RP Cont.

274 Auto-RP configured

275 BSR Election

276 BSR Overview PIM join messages that might inadvertently cross the border

277 BSR Highest Priority

278 Cont.

279 BSR Cont.

280 Configuring BSR Hash Mask Priority RP priority

281 Anycast – RP Overview

282 MSDP

283 Anycast RP RP

284 Anycast RP Cont.

285 Multicast-Broadcast-Multicast

286 IGMP Stub

287 SESSION 10 QoS

288 QoS Outline
Modular QoS CLI (MQC)
LLQ
Police/CAR
WRED, CBWRED
Marking
Shaping, FRTS
Fragmenting
NBAR

289 MQC Class-maps
class-map lab (match-all is the default; match-any is the alternative)
match statements classify traffic on: input interface f0/0, destination MAC address, source MAC address, fr-de, fr-dlci, cos, dscp, ip precedence, any, access-group, packet length (min or max), or protocol
match protocol uses NBAR (additional protocols are added by downloading PDLMs); NBAR requires CEF, and ip nbar protocol-discovery can be run on an interface to see which protocols are present

290 Policy-Map and DSCP
class lab
set cos | set dscp | set ip precedence
DSCP provides 64 different values ("colors") to mark traffic
mls qos map dscp-mutation lab 31 to 41 (switch DSCP mutation map: rewrites DSCP 31 to 41)

291 CBWFQ
interface f0/0
max-reserved-bandwidth 100 (75% is the default)
policy-map voice
class CONTROL
bandwidth 1000
class VOICE
priority 10000
A policy-map can use kbps or percent, but not both
Up to 255 classes in total
Applying a strict priority queue to CBWFQ is referred to as LLQ

292 Police/CAR
Used on edge routers to classify and/or rate-limit traffic
Can be applied to all traffic or to a subset of the traffic selected by an access list
Configured on an interface:
rate-limit {input | output} bps normal-burst max-burst conform-action action exceed-action action
rate-limit {input | output} access-group index bps normal-burst max-burst conform-action action exceed-action action
bps = bits per second; normal-burst = normal burst in bytes; max-burst = maximum burst in bytes

293 CBWFQ Architecture Insertion policy

294 Applying RED You can change to DSCP-based WRED with random-detect dscp-based

295 Configuring WRED on an interface
Parameters: minimum threshold (number of packets), maximum threshold (number of packets), mark probability denominator
When the average queue size is above the minimum threshold, RED starts dropping packets. The packet drop rate increases linearly as the average queue size increases, until the average queue size reaches the maximum threshold. The mark probability denominator is the denominator of the fraction of packets dropped when the average queue size is at the maximum threshold. For example, with a denominator of 100, one out of every 100 packets is dropped when the average queue size is at the maximum threshold.
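The RED drop curve described above as an added Python model (example code, not from the presentation). The per-DSCP profiles and the burst of queue depths are constructed; the running average uses the IOS formula with an exponential weighting constant of 9, which the slide does not mention and is an assumption here.

```python
import random

# Constructed per-DSCP WRED profiles: (min_th, max_th, mark_prob_denominator).
# Lower-priority classes get a lower minimum threshold, so they are dropped first.
PROFILES = {
    "AF11": (20, 40, 10),
    "AF13": (10, 40, 10),
    "EF":   (36, 40, 100),
}

def drop_probability(avg_queue, profile):
    """RED drop probability for one packet at the given average queue depth.
    Below min_th nothing is dropped; between min_th and max_th the probability
    rises linearly to 1/denominator at max_th; above max_th every packet drops."""
    min_th, max_th, denom = profile
    if avg_queue < min_th:
        return 0.0
    if avg_queue > max_th:
        return 1.0
    return (1.0 / denom) * (avg_queue - min_th) / (max_th - min_th)

def update_average(prev_avg, current_depth, weight_exponent=9):
    """IOS running average: avg = old * (1 - 2^-n) + current * 2^-n (default n = 9)."""
    w = 2.0 ** -weight_exponent
    return prev_avg * (1 - w) + current_depth * w

def run_burst(depths, dscp, seed=1):
    """Feed instantaneous queue depths (one per arriving packet) through the
    average and the drop decision; returns (packets_dropped, final_average)."""
    rng = random.Random(seed)          # seeded so the run is reproducible
    avg, dropped = 0.0, 0
    for depth in depths:
        avg = update_average(avg, depth)
        if rng.random() < drop_probability(avg, PROFILES[dscp]):
            dropped += 1
    return dropped, avg

# Constructed burst: the queue holds 30 packets for 3000 consecutive arrivals.
BURST = [30] * 3000

if __name__ == "__main__":
    for dscp in PROFILES:
        print(dscp, run_burst(BURST, dscp))
```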

296 Shaping

297 Shape Peak
Allows the router to burst up to the peak rate (e.g. 64k); peak rate = CIR (1 + Be/Bc)
Router(config-pmap-c)# shape {average | peak} cir [bc] [be]
Shape adaptive reacts to frames with the BECN field set to 1: each BECN received slows the rate by 25%; once 16 Tc intervals have passed with no BECNs, the rate increases by 1/16 every Tc
fecn-adapt can also be used so that the remote router reflects received FECNs back with the BECN field set

298 Frame Relay Traffic Shaping
Tc (committed time interval) = 125 ms by default
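The peak-rate formula and the adaptive-shaping rules from slide 297 worked through in an added Python example (not the presentation's own material). Two details the slide leaves open are assumptions here: the 25% cut is taken from the current rate and floors at mincir, and the 1/16 step is 1/16 of the CIR.

```python
def shaping_params(cir_bps, bc_bits, be_bits=0):
    """Tc = Bc / CIR (seconds) and the peak rate CIR * (1 + Be/Bc) used by 'shape peak'."""
    tc_seconds = bc_bits / cir_bps
    peak_bps = cir_bps * (1 + be_bits / bc_bits)
    return tc_seconds, peak_bps

def adaptive_rates(cir_bps, mincir_bps, becn_per_tc):
    """Shaped rate after each Tc interval under 'shape adaptive'.
    becn_per_tc lists, per interval, whether a BECN was received.
    Assumption: a BECN cuts the current rate by 25% but never below mincir;
    after 16 consecutive BECN-free intervals each further clean interval
    adds CIR/16 (assumed step), never exceeding CIR."""
    rate, clean_intervals, history = float(cir_bps), 0, []
    for becn in becn_per_tc:
        if becn:
            rate = max(mincir_bps, rate * 0.75)
            clean_intervals = 0
        else:
            clean_intervals += 1
            if clean_intervals > 16:
                rate = min(cir_bps, rate + cir_bps / 16)
        history.append(rate)
    return history

if __name__ == "__main__":
    # Constructed values: a 32 kbps CIR allowed to peak to 64 kbps, as on the slide.
    tc, peak = shaping_params(32000, 4000, 4000)
    print(f"Tc = {tc * 1000:.0f} ms, peak = {peak:.0f} bps")
    # Three congested intervals, then the link is clean for 30 intervals.
    print(adaptive_rates(64000, 32000, [True] * 3 + [False] * 30))
```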

299 Network Based Application Recognition (NBAR)

300 NBAR Application Support

301 Packet Description Language Module

302 NBAR Protocol Discovery

303 SESSION 11 Others

304 NTP

305 Optimizing HSRP

306 Gateway Load Balancing Protocol (GLBP)

307 GLBP Operations

308 GLBP Cont.

309 Virtual Router Redundancy Protocol (VRRP)

310 VRRP Operational Status

311 VRRP Configuration

312 NAT

313 NAT with Access List—Multiple Address Pools

314 NAT with Extended Access List Configuration
ip nat pool trusted_pool prefix-length 24
ip nat pool untrusted_pool prefix-length 24
!
ip nat inside source list 102 pool trusted_pool
ip nat inside source list 103 pool untrusted_pool
!
interface ethernet 0
 ip address
 ip nat inside
!
interface serial 0
 ip address
 ip nat outside
!
access-list 102 permit ip
access-list 102 permit ip
access-list 103 permit ip any

315 Benefits of Route Maps with NAT

316 Route Map Configuration

317 Verifying NAT

318 Session 10 Security

319 Session 10 Outline
Unicast Reverse Path Forwarding (uRPF)
Context Based Access Control (CBAC)

320 CBAC Configuration

321 Enable Audit Trails and Alerts

322 Enable TCP Syn and Fin times

323 TCP UDP and DNS Idle Times

324 Port to Application Mapping

325 Port Mapping Configuration

326 Global Half Open Connection Limits

327 Configuring Inspection Rules

328 Apply Inspection Rule to an Interface

329 Unicast Reverse Path Forwarding (uRPF)
Unicast Reverse Path Forwarding (uRPF) is a feature originally created to implement "Network Ingress Filtering: Defeating Denial of Service Attacks Which Employ IP Source Address Spoofing" (RFC 2827 / BCP 38)

330 Configuring uRPF When uRPF is enabled, packets whose source address fails the reverse-path check (spoofed sources) are dropped at the first uRPF-enabled device. To enable uRPF, use the following commands.
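The reverse-path check itself, as an added Python model (not code from the presentation): a longest-match lookup on the packet's source address decides whether the packet is forwarded, in both the strict mode (ip verify unicast source reachable-via rx) and the loose mode (reachable-via any), with the allow-default keyword modelled as a flag. The FIB and the packets are constructed for the example.

```python
import ipaddress

# Constructed FIB for the example: prefix -> outgoing interface.
FIB = {
    "10.1.0.0/16": "Gi0/0",     # customer LAN behind Gi0/0
    "10.1.5.0/24": "Gi0/1",     # a more specific subnet reachable via Gi0/1
    "192.0.2.0/24": "Gi0/2",
    "0.0.0.0/0": "Se0/0",       # default route toward the upstream
}

def longest_match(address, fib):
    """Longest-prefix lookup; returns (network, interface) or None."""
    ip = ipaddress.ip_address(address)
    best = None
    for prefix, ifname in fib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best

def urpf_passes(src, ingress_if, fib, mode="strict", allow_default=False):
    """Reverse-path check on the packet's source address.
    strict: the best route back to the source must leave via the ingress
            interface (ip verify unicast source reachable-via rx);
    loose:  any route to the source suffices (reachable-via any).
    A default route only counts when allow_default is set (allow-default)."""
    match = longest_match(src, fib)
    if match is None:
        return False
    net, out_if = match
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True
    return out_if == ingress_if

def check_packets(packets, fib, mode="strict", allow_default=False):
    """Apply the check to (source, ingress interface) pairs; returns verdicts."""
    return [(src, ifc, "pass" if urpf_passes(src, ifc, fib, mode, allow_default)
             else "drop") for src, ifc in packets]

# Constructed packets, all arriving on the customer-facing Gi0/0.
PACKETS = [
    ("10.1.2.3", "Gi0/0"),     # legitimate: 10.1.0.0/16 points back out Gi0/0
    ("10.1.5.9", "Gi0/0"),     # 10.1.5.0/24 is via Gi0/1: strict drops it
    ("192.0.2.1", "Gi0/0"),    # routed via Gi0/2: strict drops, loose accepts
    ("203.0.113.7", "Gi0/0"),  # only the default matches: needs allow_default
]

if __name__ == "__main__":
    for mode, allow in (("strict", False), ("loose", False), ("loose", True)):
        print(mode, allow, check_packets(PACKETS, FIB, mode, allow))
```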

331 IP Source Guard By watching which IP addresses are assigned by DHCP, a switch can create dynamic ACLs that block all traffic except traffic from DHCP-assigned IP addresses. Benefits: prevents a hacker from spoofing their IP address to launch an anonymous attack; prevents users from ignoring DHCP and manually configuring a static IP address.

332 IP Source Guard Configuration

