1. CCIE R&S Advanced

2. Agenda Day 1 Session 1 CCIE Program Overview Day 1 Session 2
CCIE Foundation Overview
Day 1 Session 3
Catalyst
Day 1 Session 4
Frame Relay
Day 1 Session 5
IPv6
Day 2 Session 6
Ripv2
Day 2 Session 7
Eigrp
Day 3 Session 8
OSPF
Day 3 Session 9
BGP
Day 4 Session 10
Multicast
Day 4 Session 11
QoS
Day 4 Session 12
Others

3. Housekeeping Restrooms Kitchen - Softdrinks and snacks available
Cellphones - PLEASE put them on vibrate or turn them off. If you need to take/make a call, please exit the classroom.
Smoking - out side in front of building

4. CCIE R&S Program Overview
SESSION 1
CCIE R&S Program Overview 4 4 4

5. CCIE R&S Program Overview
CCNA/CCNP Certification (Optional)
CCIE Written Exam
CCBOOTCAMP’s R&S Foundation Course
Develop a Study Plan and Timeline to Prepare for LAB
Review CCIE Blueprint
Purchase and Download recommended reading from Cisco Press and CCO web site
Purchase LAB workbooks
Purchase and Setup Home Lab
Reserve Online Rack rentals
Save money or work out a deal with your employer to budget for multiple lab attempts
Schedule a Lab Date commensurate with the Timeline
Study, Practice, Practice some more, and then study
CCIE Advanced Bootcamp
CCIE Mock LAB Bootcamp

6. CCIE LAB Overview
A 8-hour, hands-on, 100-point lab exam. Candidates must score 80 or above to pass.
Students builds a network to supplied specifications on a provided Cisco equipment rack.
Lab questions can be completed in any order, although some questions depends on the completion of previous part of the exam.
Physical cabling is done.
Some of the basic functionality is preconfigured.
Some of the equipment you can not configure such as the Backbone routers. 6

7. Cisco R&S Equipment List
3725 series routers - IOS 12.4 mainline – Advanced Enterprise Services
3825 series routers - IOS 12.4 mainline – Advanced Enterprise Services
Catalyst 3550 series switches running IOS version 12.2 – IP Services
Catalyst 3560 Series switches running IOS version Advanced IP Services

8. Pre-lab Checklist
Remove the Variables, increase your chances, and get your body physically and mentally ready!
Get to the testing city/location at least one day prior to your exam. If your time zone is plus/minus more than six hours different than the time zone of the Cisco office you are taking your exam, plan on getting there at least two days prior to the exam.
Drive over to the facility where your lab exam will be held. Make sure you know how long it will take you to get to the testing location.
Look for a good place to eat breakfast near the facility.
Eat a healthy dinner consisting of protein and complex carbohydrates. Stay away from greasy, fatty, and sugary foods. Also, if you want to eat meat, try and eat chicken or fish (avoid red meat as it takes your body longer to digest).
Get a good night’s rest. Do not stay up the entire night trying to cram or study last minute materials. Do NOT take any type of sleep aid that could still be in your system the following day.
Wake up at least ninety minutes before your exam start time. Get showered, dressed, and go out for breakfast.
At breakfast, eat only healthy foods. No greasy, fatty, or sugary items should be consumed. Eat fruits, vegetables, oatmeal, etc.
Arrive at the facility at least fifteen minutes prior to your exam.

9. CCIE R&S Blueprint Bridging and Switching IP IGP Routing
Frame relay
Catalyst configuration: VLANs, VTP, STP, MSTP, RSTP, Trunk, Etherchannel, management, features, advanced configuration, Layer 3
IP IGP Routing
OSPF
EIGRP
RIPv2
IPv6: Addressing, RIPng, OSPFv3
GRE
ODR
Filtering, redistribution, summarization and other advanced features
BGP
iBGP
eBGP
Filtering, redistribution, summarization, synchronization, attributes and other advanced features

10. CCIE (R&S) Blueprint Cont.
These topics would be covered in the Advanced Boot camp
QoS
Quality of service solutions
Classification
Congestion management, congestion avoidance
Policing and shaping
Signaling
Link efficiency mechanisms
Modular QoS command line
Security
AAA
Security server protocols
Traffic filtering and firewalls
Access lists
Routing protocols security, catalyst security
CBAC
Other security features
IP and IOS Features
IP addressing
DHCP
HSRP
IP services
IOS user interfaces
System management
NAT
NTP
SNMP
RMON
Accounting
IP Multicast
PIM, bi-directional PIM
MSDP
Multicast tools, source specific multicast
DVMRP
Anycast

11. CCIE Advanced Bootcamp Overview
SESSION 2
CCIE Advanced Bootcamp Overview 11 11 11

12. Advanced Class Hours - Instructor
Monday 9:00 AM till your head hurts
Tuesday 9:00 AM till your head hurts
Wednesday 9:00 AM till your head hurts
Thursday :00 AM till your head is spinning
Friday 9:00 AM till 3-ish [Mock Lab]
Lunch Break at 1:00 PM to 2:00 PM (60 minutes)

13. CCBOOTCAMP R&S Rack Layout

14. SESSION 3 Switching 14 14

15. First Things First (Ping Script)
tclsh
foreach address {
} {ping $address}

16. On a switch

17. Things You should already know (not covered)
Interface Commands
VTP
Spanning Tree
SPAN
Strom Control
Protected Ports
802.1X authentication
Trunking
MAC Address expiration
Templates

18. Topics Covered Ether-channel and Load Balancing MST spanning tree
Rapid Spanning Tree
Advanced Switch Security
Switch QoS

19. Ether channel
PAgP can automatically groups interfaces with the same speed, duplex, mode, native VLAN, VLAN range, and trunking status and type.
The Ether Channel group looks like a single switch port to Spanning tree.
PAgP modes: auto, desirable, on
The first port in the channel that comes up provides its MAC address to the EtherChannel

20. Link Aggregation Control Protocol
LACP is defined in IEEE 802.3ad and enables Cisco switches to manage Ethernet channels between switches
Similarly configured ports are grouped based on hardware, administrative, and port parameter constraints such as same speed, duplex mode, native VLAN, VLAN range, and trunking status and type
A port in the active mode can form an EtherChannel with another port that is in the active or passive mode.
A port in the passive mode cannot form an EtherChannel with another port that is also in the passive mode because neither port starts LACP negotiation.
Can have 8 active and 8 standby ports per ether channel. (16)
*Note on mode configured manually on both ends of the EtherChannel must have the same configuration. If the group is misconfigured, packet loss or spanning-tree loops can occur.

21. Load Balancing and Forwarding
Reduces part of the binary pattern formed from the addresses in the frame to a numerical value that selects one of the links in the channel.
EtherChannel load balancing can use MAC addresses or IP addresses, source or destination addresses, or both source and destination addresses.

22. Source/destination MAC load balancing
The PCs uses different ports on sw1
The router will use different ports to reply to the PCs

23. Switch Security MAC Flood Attacks Port Security ARP Inspection
MAC ACLs
VACLs
Private VLANs

24. Rapid Spanning Tree Protocol (RSTP)

25. RSTP Port Roles

26. RSTP Port States RSTP provides rapid convergence of the spanning tree.
Reconfiguration of the spanning tree can occur in less than 1 second (in contrast to 50 seconds with the 802.1D
Only non-edge ports moving to the forwarding state cause a topology change.

27. Rapid PVST

28. 802.1s (Multiple Spanning Tree)
MSTs (IEEE 802.1s) combine the best aspects from both the PVST+ and the 802.1q.
When you enable MST you enable 802.w (RSTP)
The idea is that several VLANs can be mapped to a reduced number of spanning tree instances because most networks do not need more than a few logical topologies.
There is no need to run 1000 instances. If you map half of the 1000 VLANs to a different spanning tree instance, as shown in this diagram, these statements are true:
The desired load balancing scheme can still be achieved, because half of the VLANs follow one separate instance.
The CPU is spared because only two instances are computed.

29. MST Configuration

30. MAC Flood Attacks Affects Transparent Switches
Switches Learn and populate the CAM table based on Source MAC addresses
If to many MAC addresses are sent – open fail mode
The switch forwards out every frame on every port
This allows hackers to sniff other clients uni-cast information.

31. Preventing MAC Flooding with Port Security

32. Port Security - Aging Static- enables timer to static entries
Time - <1-1440> Aging time in minutes
Type –
absolute Absolute aging (default)
inactivity Aging based on inactivity time period

33. Mac-address Can manually input the actual Mac address
Also can store dynamically learned Mac addresses with Sticky

34. Maximum
The total amount of Mac addresses allowed on a port

35. Violations The action to take if port security is violated
protect—When the number of port secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred. (no syslogs/snmp)
restrict—When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.
shutdown—The interface is error disabled when a violation occurs, and the port LED turns off. An SNMP trap is sent, a syslog message is logged, and the violation counter increments

36. Apply Port Security and Verify
If more than 3 mac-addresses are learned any additional sources will cause the port to be shutdown (error disabled).

37. HSRP and Port Security
HSRP has a virtual mac-address that counts towards the maximum allowed on a port configured for port security.
Options:
Switchport port-security maximum 2 (still can cause violation for a short period of time
Static Mac-address entry for HSRP virtual mac-address
(Best choice) Use-bia command on the router’s interface
standby use-bia scope interface

38. ARP Spoofing Gratuitous ARP
Detect IP conflicts. When a machine receives an ARP request containing a source IP that matches its own, then it knows there is an IP conflict.
They assist in the updating of other machines' ARP tables.
They inform switches of the MAC address of the machine on a given switch port, so that the switch knows that it should transmit packets sent to that MAC address on that switch port.
Every time an IP interface or link goes up, the driver for that interface will typically send a gratuitous ARP to preload the ARP tables of all other local hosts.

39. ARP DoS Overloads a switch port with ARP traffic
Switch can handle untrusted host connecting to as many as 15 new hosts per second. checks every 1 second
Exceed limit than port changes to error disabled

40. IP ARP Inspection
This feature helps prevent malicious attacks on the switch by not relaying invalid ARP requests and responses to other ports in the same VLAN
How does it work?
DHCP Snooping (Recommended in production)
Static ARP Access-list (Use for Lab situation)

41. ARP inspection Cont.
Option to change defaults per port

42. IP Source Guard
By watching which IP addresses are assigned by DHCP, a switch can create dynamic ACL's to block all traffic except traffic from DHCP-assigned IP addresses.
Benefits:
Prevents a hacker from spoofing their IP address to launch an anonymous attack.
Prevents users from ignoring DHCP and manually configuring a static IP address.

43. IP Source Guard Configuration

44. DHCP Snooping Create a DHCP database on flash or TFTP
Enable DHCP Snooping
"The option-82 information contains the switch MAC address (the remote ID suboption) and the port identifier, vlan-mod-port, from which the packet is received (circuit ID suboption). The switch forwards the DHCP request that includes the option-82 field to the DHCP server. "
ip dhcp snooping database flash:file01.txt"
ip dhcp snooping
ip dhcp snooping information option

45. Show IP DHCP Snooping Bindings
Switch> show ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
01:02:03:04:05: dhcp-snooping 20 GigabitEthernet0/1
00:D0:B7:1B:35:DE dhcp-snooping 20 GigabitEthernet0/2
Total number of bindings: 2

46. Mac-address Access-list
You can configure a MAC address ACL using either of the following:
Access-list bit MAC address access-list
or the extended version of the 48-bit MAC address access-list is
To filter using the MAC address access-list, first you would define your access-list. Say that you wanted to allow only a host with the MAC address of to access-list Ethernet0/0 interface. You would define the access-list like this:
Router(config)# access-list 700 permit
You can use these same methods to filter by “vendor code”. All companies who create Ethernet devices are designated a block of MAC addresses and all of these blocks begin with a specific string. This prefix for each vendor is known as the “vendor code”.

47. Protocol Type-Code Access-Lists (ACL)
Used for non IP traffic
Inbound only

48. MAC ACLs Cont.

49. Vlan ACLs (VACLs)

50. Private VLANs
The private-VLAN feature addresses two problems that service providers face when using VLANs:
Scalability: The switch supports up to 1005 active VLANs. If a service provider assigns one VLAN per customer, this limits the numbers of customers the service provider can support.
To enable IP routing, each VLAN is assigned a subnet address space or a block of addresses, which can result in wasting the unused IP addresses, and cause IP address management problems.

51. Primary to Secondary VLAN
There are two types of secondary VLANs:
Isolated VLANs—Ports within an isolated VLAN cannot communicate with each other at the Layer 2 level.
Community VLANs—Ports within a community VLAN can communicate with each other but cannot communicate with ports in other communities at the Layer 2 level.

52. Private Vlan Access Ports
Private VLANs provide Layer 2 isolation between ports within the same private VLAN. Private-VLAN ports are access ports that are one of these types:
Promiscuous—A promiscuous port belongs to the primary VLAN and can communicate with all interfaces, including the community and isolated host ports that belong to the secondary VLANs associated with the primary VLAN. (Default Gateway)
Isolated—An isolated port is a host port that belongs to an isolated secondary VLAN. It has complete Layer 2 separation from other ports within the same private VLAN, except for the promiscuous ports.
Community—A community port is a host port that belongs to a community secondary VLAN. Community ports communicate with other ports in the same community VLAN and with promiscuous ports.
* Note Trunk ports carry traffic from regular VLANs and also from primary, isolated, and community VLANs.

53. Issues with VTP V3 and Private VLANs
Private VLANs need VTPv3
If configuring in a 3550 or 3560 set VTP to transparent

54. Private Vlan Compatibility
Do not configure private-VLAN ports on interfaces configured for these other features:
– dynamic-access port VLAN membership
– Dynamic Trunking Protocol (DTP)
– Port Aggregation Protocol (PAgP)
– Link Aggregation Control Protocol (LACP)
– Multicast VLAN Registration (MVR)
– voice VLAN
– Web Cache Communication Protocol (WCCP)

55. Private VLAN configuration

56. Show private Vlans

57. Promiscuous Port / Default Gateway
Primary
Secondary

58. Applying a Community to interfaces

59. 3560 QOS Considerations Uses shaped round robin (SRR)
Q1 can be configured as a priority queue
Queues can operate in shaped or sharing modes
Each Interface can be assigned to one of two queue-sets
4 queues Egress
2 queues Inbound
Congestion avoidance algorithm is Weighted Tail Drop (WTD)
*Note 3550 only has egress queues and queue 4 = priority queue by default

60. Weighted Tail Drop Queue size is 1000 frames.
Three drop percentages are configured: 40 percent (400 frames), 60 percent (600 frames), and 100 percent (1000 frames).
400 frames can be queued at the 40-percent threshold, up to 600 frames at the 60-percent threshold, and up to 1000 frames at the 100-percent threshold.

61. SRR Shaping and Sharing
Both the ingress and egress queues are serviced by Shaped Round Robin (SRR)
SRR controls the rate at which packets are sent.
On the ingress queues, SRR sends packets to the internal ring.
On the egress queues, SRR sends packets to the egress port.

62. Input Queue Bandwidth weight queue 1 and queue 2cv DSCP values
Queue Id

63. Output Queue drop threshold Reserved threshold Maximum threshold
queue-set id
queue id
buffer
Percentage
Queue 3
buffer
Percentage
Queue 1
buffer
Percentage
Queue 2
buffer
Percentage
Queue 4

64. SRR applied

65. Frame Relay Interfaces Inverse ARP Mesh Hub and spoke Point-to-point
Combination
Issues
Advanced Frame-relay and PPP

66. Frame-Relay Interface Configuration

67. Inverse ARP

68. Static Mappings

69. Sub Interfaces

70. Point-to-Multipoint Sub interface

71. Point-to-point Sub Interface

72. Mesh Topology 72 28

73. Full Mesh Frame-relay Requirements Phys Interface With Inverse ARP
NO frame relay maps required
NO inverse-arp allowed
A PVC/FR Map configured between each router
Total PVCs = k(k-1)/2 where k=router
3 routers need 6 DLCIs
All routers are on the same subnet
All routers are using the physical interface
Can support Broadcast or NBMA 73

74. Full Mesh Frame-relay Point-to-Multipoint Sub
In a frame-relay mesh multipoint configuration the following must be true before two routers can communicate;
The destination IP address must be in the routing table
There must be a frame-relay map for the destination IP address. The destination IP address can be any IP address including yours. (need a map statement to ping your own interface)

75. Hub and Spoke Topology

76. Frame Relay Hub and Spoke
Requirements
With Physical Interfaces and inverse-arp
No map statements needed on spokes
Map statements needed on hub to all spokes
With Physical Interfaces and No inverse-arp
Map statements needed on hub to each spoke and one map from the spoke to hub
Enable broadcasts over the NBMA if required for routing protocol or multicast
All routers are on a common subnet

77. Example Configuration from the HUB router
On r1lablab
Int S0/0/0
Ip address
Encapsulation frame
Frame-relay map ip broadcast
Frame-relay map ip broadcast
Frame-relay map ip broadcast
No frame-relay inverse-arp
No shut
To prevent inverse-arp
wait until all routers
have been configured
for FR
before un
shutting
the interfaces

78. Frame Relay Hub and Spoke Point-to-Multipoint
Inverse ARP not recommended should be disabled
Need FR map statements configured on sub interface to each hub.
Need FR map statements from each spoke to the hub.
Enable broadcasts over the NBMA if required for routing protocol or multicast
All routers are on a common subnet
Still need a map statement to ping your own interface)

79. Frame Relay Point-to-Point
Requirements
Uses sub interfaces
A separate L3 subnet for each pair of routers
Works the same with or without Inverse ARP
Note if the routers are configured in a point-to-point manner they will NOT generate inverse-arp requests; however, if they receive a request, they will respond. Useful for combinations of one end p2p sub and the other physical 79 28

80. Troubleshoot Frame Relay
Show interface
Show controllers serial
Show frame-relay lmi
Show frame-relay pvc
Show frame-relay map
Debug frame-relay lmi

81. PPP 2-way authentication (PAP and Chap)

82. Debug PPP authentication

83. PAP/CHAP configuration

84. FREEK (Frame relay end to end keepalives
There are four modes determine the type of keepalive traffic each device sends and responds to:
In bidirectional mode, the device will send keepalive requests to the other end of the VC and will respond to keepalive requests from the other end of the VC.
In request mode, the device will send keepalive requests to the other end of the VC.
In reply mode, the device will respond to keepalive requests from the other end of the VC.
In passive-reply mode, the device will respond to keepalive requests from the other end of the VC, but will not track errors or successes.

85. Configuring FREEK
For example, could require
3 in a row

86. Objectives IPv6 Addressing IPv6 Address Scopes Enabling IPv6 RIPng
EIGRP for IPv6
OSPFv3
OSPFv3 over NBMA
IPv6 over IPv4

87. Things not covered IPv6 Neighbor Discovery Duplicate Address Detection
Solicited Node
Stateless Auto-configuration
DHCPv6
DNSv6

88. Larger Address Space IPv4 IPv6 32 bits or 4 bytes long
4,200,000,000 possible addressable nodes
IPv6
128 bits or 16 bytes: four times the bits of IPv4
3.4 * 1036 possible addressable nodes
340,282,366,920,938,463,374,607,432,768,211,456
5 * 1028 address
~ =
undecillion
~ =
~ =
~ =

89. IPV6 Addressing IPV6 addresses are 128 bits long
Consecutive zeroes can be eliminated (::)
2001:0:0:A1::1E2A/64
2001:0:0:A1 is the network portion
Interface portion is 0:0:0:1E2A or ::1E2A

90. IPV6 Address Scopes
Link-local Scope
Unique-local Scope
Global Scope

91. Link-local 128 bits Interface ID 64 bits 10 bits
Interface ID
64 bits
FE80::/10
10 bits
Identifies all hosts within a single layer 2 domain
Unicast addresses within this scope are called link-local addresses
They are assigned by default when ipv6 is enabled on an interface
Network address is always FE80::/10
Host portion derived from MAC address (Modified EUI-64)
Can be manually added too R3(config-if)#ipv6 address FE80::3 link-local
Independent of the global addressing scheme
Cannot be routed

92. IPv6 Address Configuration (Cont.)
LAN: 3ffe:b00:c18:1::/64
Ethernet0
ipv6 unicast-routing
interface Ethernet0
ipv6 address 3ffe:b00:c18:1::/64 eui-64
MAC address: e
router# show ipv6 interface Ethernet0
Ethernet0 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::160:3EFF:FE47:1530
Global unicast address(es):
3FFE:B00:C18:1:160:3EFF:FE47:1530, subnet is 3FFE:B00:C18:1::/64
Joined group address(es):
FF02::1:FF47:1530
FF02::1
FF02::2
MTU is 1500 bytes
The IPv6 address can be completely specified or the host identifier (rightmost 64 bits) can be computed from the EUI-64 identifier of the interface. In the example, the IPv6 address of the interface is configured using the EUI-64 format.
The configuration of the IPv6 address on an interface automatically configures the link-local address for that interface. Also, the interface automatically joins the required multicast groups for that link:
Solicited node multicast address FF02::1:FF47:1530
All hosts on the link multicast addresses FF02::1
All routers on the link multicast addresses FF02::2
The solicited node multicast address is used in the duplicate address detection algorithm and neighbor discovery.
A solicited node multicast address is joined for each IPv6 unicast address configured on the link.

93. Unique-local 128 bits Interface ID Subnet ID 16 bits 10 bits
Interface ID
Subnet ID
FEC0::/10
16 bits
10 bits
Previously referred to as site local
Identifies all devices within an administrative domain containing multiple distinct links
Unicast addresses within this scope are called unicast-local addresses
Have a scope limited to the site
Network address is always FEC0::/10
16 bits in the network address identify the subnet
Host portion derived from MAC address (Modified EUI-64)

94. Global Unicast Addresses
Provider
Site
Interface
64 bits
Usually given a /48
Global Routing Prefix
Subnet ID
Interface ID
Global unicast addresses are:
Addresses for generic use of IPv6
Identifies all devices reachable across the Internet
Unicast addresses within this scope are called global unicast addresses
Have to be globally unique and routable
Addresses reserved for global scope 2000 /3
Can have a variable subnet portion
Last 64 bits for the interface identifier
The Global Unicast Addresses correspond to the principal use of IPv6 addresses for the generic IPv6 traffic and consume the most important part of the address space.
The structure of a global unicast address is as follow:
A global routing prefix, typically assigned to a site,
A subnet ID used to identify links within a site,
64-bit interface ID to identify the interface of the node.
Note that the 64-bit interface ID defined for global unicast addresses other than those that start with binary 000. The unicast addresses that start with binary 000 are the special purpose addresses that will be discussed later in this lesson.
An example of global addresses can be found in RFC2374, "An Aggregatable Global Unicast Address Format". The structure proposed in this document enables strict aggregation of routing prefixes in order to limit the number of routing table entries in the global routing table.
We will see in a later module that IANA allocates IPv6 global unicast address space from the range of addresses that start with binary value 001 (2000::/3).

95. Unspecified and Loopback Addresses
Unspecified address:
0:0:0:0:0:0:0:0
Used as a placeholder when no address is available (initial DHCP request, DAD)
Loopback address:
0:0:0:0:0:0:0:1
Same as in IPv4
Identifies self
The unspecified address is only used on the network for special purposes. It is a placeholder when no address is available. For example, the unspecified address is used when a host requests an address to a DHCP server or when the duplicate address detection packet is sent. The unspecified address is "0:0:0:0:0:0:0:0" or simply "::".
The loopback address identifies the local interface in the IP stack. It is the same as the loopback address in IPv4. The address is "0:0:0:0:0:0:0:1" or simply "::1".

96. IPv4-Mapped Addresses IPv4-mapped addresses: 80 bits 16 bits 32 bits
FFFF
IPv4 Address
0:0:0:0:0:FFFF:
= ::FFFF:
= ::FFFF:C0A8:1E01
IPv4 mapped addresses are IPv6 addresses that represent an IPv4 address. On a dual-stack node (a node that supports both IPv6 and IPv4), an IPv6 application sending traffic to a destination represented by an IPv4-mapped IPv6 address will send IPv4 packets to that destination.
In most cases, the IPv6 mapped addresses are used inside the dual-stack node API. RFC2765 " Stateless IP/ICMP Translation Algorithm (SIIT)" specifies a transition mechanism where IPv4 mapped addresses are used in IPv6 packets.
IPv4-mapped addresses:
Used to represent the addresses of IPv4 nodes as IPv6 addresses

97. IPv4-Compatible Addresses
80 bits
16 bits
32 bits
0000
IPv4 Address
0:0:0:0:0:0:
= ::
= ::C0A8:1E01
IPv4 compatible addresses are IPv6 addresses with 96 zeros at the left. The rightmost 32 bits are the IPv4 address embedded; the 32 bits of the IPv4 address is the rightmost 32 bits of the IPv6 address. In text form, one can use the decimal version of the IPv4 address as an easy way to write the address, but in reality, it is still the binary 32 bits.
IPv4 compatible addresses are used to create automatic tunneling. When an IPv6 node wants to send an IPv6 packet to another IPv6 node and the network between them is IPv4, the sender can use the IPv4 compatible address. This will automatically create an IPv6 over an IPv4 tunnel to the destination, using the IPv4 address of the destination inside the destination IPv6 address. The sending and receiving nodes must be dual-stacked (support both IPv6 and IPv4)
This way of doing tunnels looks easy but has scalability problems. Its use is deprecated in favour of more robust transition and integration mechanisms.
IPv4-compatible addresses:
Refer to an IPv4/IPv6 node that supports automatic tunneling

98. Enabling IPV6 ipv6 unicast-routing (global config mode)
ipv6 address 2001:200:1:1::1/64 (interface mode)
Link-local addresses are generated by default or use manual configuration

99. RIPng
Neighbors need not be on the same global subnet since they are on the same link-local subnet
Hence router has to advertise its own prefix for the link out that interface
In addition to the frame-relay map ipv6 broadcast to the Global Address you also need a map to the link local address.
RIP messages are sent to the all RIP routers link-local multicast address FF02::9/128
RIPng uses the authentication headers present in IPv6 for authentication purposes

100. RIPng Configuration ipv6 rip abc enable (interface mode)
show ipv6 protocol
show ipv6 rip
show ipv6 rip database

101. OSPFv3
Basic mechanisms such as flooding, DR election, areas and spf calculations remain the same
Additionally link lsa’s announce link-local addresses and a list of ipv6 prefixes to associate with the link
Intra-area prefix lsa’s carry all ipv6 prefixes to all ospfv3 routers within an area (correspond to router and network lsa’s in ipv4)
Inter-area prefix lsa 0x2003 replaces summary or type 3 lsa’s
Inter-area router lsa 0x2004 replaces type 4 lsa
ospfv3 runs on a link basis rather than on a subnet basis as in ospfv2
Authentication removed from ospf, relies on ipv6 authentication

102. LSA Type Review LSA Function Code LSA type Router-LSA 1 0x2001
Network-LSA 2
0x2002
Inter-Area-Prefix-LSA 3
0x2003
Inter-Area-Router-LSA 4
0x2004
AS-External-LSA
0x4005 5
Group-membership-LSA 6
0x2006
RFc A4.2.1
Type-7-LSA 7
0x2007 8
Link-LSA
0x0008
Intra-Area-Prefix-LSA 9
0x2009

103. OSPFv3 Configuration ipv6 ospf 100 area 0 (interface mode)
In case of an ipv6 only router configure a 32 bit router id under ipv6 router ospf 100
Summary can be configured under ipv6 router ospf 100 using the command area 1 range 2001::/48
show ipv6 ospf
show ipv6 ospf neighbor

104. OSPFv3 over NBMA
OSPFv3 over NBMA is very much similar to OSPF over NBMA
The hub interface priority has to be increased to make it the DR
The spokes should be configured with a priority of 0 so that they never participate in the DR elections

105. OSPFv3 over NBMA Moreover neighbors have to be specified
The address for the neighbor has to be the link local addresses
Neighbors have to be specified only on the hub not on the spokes
frame-relay maps have to be configured pointing to the neighbor’s link local address on both hub and spokes as well as the global addresses (if configured)
sh ipv6 int s0/1/0 displays the link-local address

106. OSPFv3 over NBMA Hub interface Serial0/1/0 ipv6 ospf priority 100
ipv6 ospf neighbor FE80::20A:B8FF:FE6B:A478
ipv6 ospf neighbor FE80::20A:B8FF:FE2C:7DC8
ipv6 ospf 10 area 0
frame-relay map ipv6 FE80::20A:B8FF:FE6B:A
frame-relay map ipv6 FE80::20A:B8FF:FE2C:7DC8 105

107. OSPFv3 over NBMA Spoke interface Serial0/1/0 ipv6 ospf priority 0
ipv6 ospf 10 area 0
frame-relay map ipv6 FE80::217:95FF:FE27:B
frame-relay map ipv6 FE80::20A:B8FF:FE2C:7DC8 601

108. IPv6 over IPv4 IPv6 can be tunneled under ipv4
Tunnel mode by default is gre can to be changed to ipv6ip
The tunnel itself needs an ipv6 address
The tunnel source and destination will be ipv4 addresses
Routing protocol can be enabled on the tunnel
interface Tunnel0
no ip address
ipv6 address 2002:100:24:1::2/64
ipv6 ospf 100 area 0
tunnel source
tunnel destination

109. ISATAP
ISATAP is an IETF transition mechanism that allows IPv6 networks to connect over IPv4 networks, even though this is a draft and it has not yet standardized, it is a better solution than 6to4 tunnel mechanism.
ISATAP works like 6to4 tunnels, with one major difference, it is a special IPv6 address that it uses on the edge routers; this special IPv6 address is formed as follows:
The network portion can be any IPv6 address.
The host portion of the IPv6 address starts with “0000.5EFE” and then the rest of the host portion is the translated IPv4 address of the tunnel’s source IPv4 address.
This translation is performed automatically.

110. ISATAP cont.

111. End of Day 1 Lecture
111
111
111

112. SESSION 6 RIPv2
112
112
112

113. RIPv2 Outline Updates Optimize Filtering Summary Authentication
Default Routes
Advanced

114. Classless Routing (RIPv2)
The version 2 extensions provide the following enhancements to RIP:
SUBNET MASKING INFORMATION IS NOW INCLUDED IN ROUTING UPDATES ALLOWING RIP TO HANDLE VLSM ADDRESSING
A NEXT-HOP ADDRESS IS CARRIED WITH EACH ROUTE ENTRY
EXTERNAL ROUTE TAGS CAN BE USED MULTICAST ROUTING UPDATES
SUPPORT FOR MD5 AUTHENTICATION

115. Split Horizon Never advertise an network on the
interface from which it was learned

116. Poison Reverse
Once you learn of a route through an interface, than advertise it as unreachable back through the same interface

117. Timers
Update - rate (time in seconds [30] between updates) at which routing updates are sent
Invalid - interval of time (in [180] seconds) after which a route is declared invalid
Hold - interval (in [180] seconds) during which routing information regarding better paths is suppressed
Flush - amount of time (in [240] seconds) that must pass before a route is removed from the routing table

118. Optimize

119. Obscure Topics Offset List – increases the value of routing metrics
r1lab(config)# access-list 1 permit
r1lab(config)# router rip
r1lab(config-router)# offset-list 1 in 3
Source IP address validation – Default validates the source IP address of incoming RIP routing updates - can be disabled for “off network” routes
r1lab(config-router)# no validate-update-source
* Note For unnumbered IP interfaces (interfaces configured as ip unnumbered), no checking is performed.
Interpacket delay – slows down sending routing update packets; typically useful to slow down high speed routers when communicating with low speed routers
r1lab(config-router)# output-delay <8-50 milliseconds>
Hops

120. Filtering On the third octet Inverse Mask Odds always
Allow only odd routes from from R1 to other routers
Network
My network =0
My mask = 1
Mask
Network
First host
On the third octet
Inverse Mask
Odds always
include a binary 1
Evens never have a binary 1
In ACL Must Match on this
Binary value
The 254 translates to which tells the acl to not care
about anything in that octet except the least significant bit.

121. Distribute List

122. RIP V2 Summarization Applied to an interface
r1lab(config-if)# ip summary-address rip
Split horizon must be disabled on the interface
Auto summary can only summarize to the classful boundary, the summary-address allows for classless summarization
Does not insert a NULL0 entry into the routing table

123. RIP V2 Features Authentication Classless
r1lab(config)# interface s0
r1lab(config-if)# ip rip authentication key-chain cisco
r1lab(config-if)# ip rip authentication mode <md5,text>
r1lab(config)# key chain cisco
r1lab(config-keychain)# key 1
r1lab(config-keychain-key)# key-string cisco
Classless
Route summarization (enabled by default)
r1lab(config)# router rip
r1lab(config-router)# no auto-summary

124. IP RIP Triggered
When you enable triggered extensions to RIP, routing updates are transmitted on the WAN only if one of the following events occurs:
The router receives a specific request for a routing update, which causes the full database to be sent.
Information from another interface modifies the routing database, which causes only the latest changes to be sent.
The interface comes up or goes down, which causes a partial database to be sent.
The router is powered on for the first time to ensure that at least one update is sent, which causes the full database to be sent

125. Default routes in RIP
Redistribute static <ip route null0 permanent>
Default information originate
<ip default network >

126. Example of default information

127. Advanced Workaround with RIP / RSPAN
RIPv2 F1/0
R4 must receive RIP routes from BB2 but not permitted to redistribute from OSPF
SPAN or RSPAN used and no validate update source

128. Redistribution
128
128
128

129. Advertising Routes between routing protocol
Longest Match
Administrative Distance
Redistribution
Route Maps
Distribute Lists
Prefix Lists

130. Longest Match >show ip route D 172.33.1.0/25 via 192.168.1.1
R /24 via
O /23 via
Preferred

131. Administrative Distance

132. Allow Redistribute on R1
Maintain R routes on R1 even after redistribution

133. Example Configuration with AD

134. Route Maps Route filtering Metric control Used extensively in BGP
Used for setting IP Precedence
Policy routing (not part of redistribution)
Can use match and sets
->rout-map lab permit 10
>match ip access-list 1 , 3 (values separated with , creates an or statement)
>match ip prefix-list lab
Multiple match lines
are considered an and

135. Distribute Lists
Used with access-lists to filter incoming or outgoing updates
Be as specific as possible when applying the distribute list
RIP & EIGRP
distribute-list 1 in ethernet 0 (also can use a route map)
distribute-list 1 out ethernet 0
OSPF – only allows inbound
distribute-list 1 in ethernet 0
IS-IS does not use distribute lists
BGP – applied to the neighbor
neighbor distribute-list 1 in

136. Prefix Lists
Prefix lists are more sophisticated forms that Cisco provides for filtering route advertisements. They filter on IP address just as distribute-lists do, however they are easier to read, and require fewer commands to configure. The other advantage to a distribute list is that it is easier to add, remove and organize the statements in the manner you chose.
For example:
prefix-list xx seq 10 permit /22
prefix-list xx seq 20 permit /21
prefix-list xx seq 30 permit /24

137. Redistribution Problems
When redistributing OSPF in to BGP, by default, BGP only accepts internal routes not external type 1 or type 2
Watch for administrative distance problems
Beware of the metric used by RIP
Redistributing in to RIP requires a metric or default-metric or it will get set to 16
Redistributing in to EIGRP requires a metric or default-metric or it will get set to infinity
Always filter routes when doing redistribution

138. Advanced RIP
One static route allowed
Receive the rip routes

139. SESSION 7 EIGRP
139
139
139

140. EIGRP Outline Overview Updates Authentication Default Routes
Summarization
Metrics

141. EIGRP
Eigrp is a Cisco proprietary routing protocol loosely based on their original IGRP
EIGRP is an advanced distance-vector routing protocol, with optimizations to minimize both the routing instability incurred after topology changes, as well as the use of bandwidth and processing power in the router.
EIGRP and IGRP are compatible with each other.
Eigrp uses the Diffusing Update Algorithm (DUAL), which guarantees loop-free operation.
In particular, DUAL avoids the "count to infinity" behavior common in distance-vector routing protocols.
The maximum hop count of EIGRP-advertised routes (i.e. destination networks) is is the default but in the routing process <metric maximum-hops >
EIGRP is considered an Advanced Distance or Hybrid routing protocol
Classless (VLSM)

142. EIGRP Updates Send Hellos between neighbors which must include
AS #
Subnet
Authentication
K- Values
Neighbor Table
Topology Table (Determine successor (Primary) and Feasible Successor
Dual Algorithm (Loop Free)
Routing Table (Move successor from primary
*Note updates sent on and EIGRP uses IP protocol number 88

143. Successor versus Feasible Successor
Reported Distance (RD) is from your neighbor( next hop ) to the destination.
Feasible Distance (FD) is from the current router, all the way to the destination, this would include all other routers in between your router and the destination. FD RD Destination. R R R3
To qualify as a feasible successor, a next-hop router must have an RD less than the FD of the current successor route
Eigrp metric = lowest bandwidth + all delays x 256

144. Similar to RIP V2 Authentication Only MD5 Authentication supported
EIGRP Authentication
Similar to RIP V2 Authentication
Only MD5 Authentication supported
r1lab(config)# interface s0
r1lab(config-if)# ip authentication mode eigrp 222 md5
r1lab(config-if)# ip authentication key-chain eigrp 222 cisco
r1lab(config)# key chain cisco
r1lab(config-keychain)# key 1
r1lab(config-keychain-key)# key-string ccie

145. Default Routes in EIGRP
<ip summary address eigrp >
<ip default network
<redistribute ip route null 0>
<redistribute static or network

146. EIGRP Summarization Auto summary is on by default – disable
Summarization is done on the interface
r1lab(config-if)# ip summary-address eigrp
No way to get rid of the NULL0 entry, it is added to avoid loops
Default AD is 5 but higher
can be used for floating summary
You can bump the AD to 255 to remove the null0 but
Then the Summary could cause a loop if you do not properly filter

147. EIGRP Leak Map
On the remote router

148. Virtual Template in PPP with Leak Map
Problem- Can not use Leak Map with Sub Interfaces
Must use PPP and Virtual Template

149. EIGRP Stub Areas Affects what the router will advertise
Reduces processing on the router
Controls what networks are advertised
Four options: receive-only, summary, connected, and static
Router eigrp 1
Eigrp stub summary leak-map leaky

150. Problems with EIGRP Stub
All routers in EIGRP AS need the stub command or neighbors could become stuck inactive situation because of no stub flag in hello packets
Work around use Stub configuration on all routers that need to be a stub on a single AS
Use a separate AS for all other EIGRP routers and redistribute between the EIGRP AS processes on the Hub router

151. Tuning EIGRP OPTIONAL EIGRP COMMANDS :
ip hello-interval eigrp –use this interface command to change the hello timer
ip hold-time eigrp – use this command to change the EIGRP hold time for routes received by this interface
metric weights - allows you to set the weight of the EIGRP metric
distance – used to change the administrative distance of routes received from a neighbor
delay – specifies the delay of an interface in tens of microseconds
bandwidth –specifies the bandwidth of an interface in kilobits per second
passive-interface - prevents the sending of EIGRP hellos on the link
Offset-list - used to increase the value of the routing metrics

152. Miscellaneous Topics Offset List
r1lab(config)# access-list 1 permit
r1lab(config)# router eigrp 222
r1lab(config-router)# offset-list 1 in 10000
Adjust the Percentage of Bandwidth used for routing updates - 50% is default
r1lab(config-if)# ip bandwidth-percent eigrp
Very important to summarize and use stubs in a large EIGRP networks, otherwise the query traffic to find successor routes could easily take 50% of the bandwidth. If we throttle the percentage too much the convergence times will be effected
Delay

153. Equal Cost Load Balancing
Change with the maximum-paths command in EIGRP
process

154. EIGRP Unequal-Cost Load Balancing
EIGRP offers unequal-cost Load balancing
– variance command
Variance allows the router to include routes with a metric smaller than multiplier times the minimum metric route to that destination
– Multiplier is the number specified by the variance
command

155. Traffic-Share Determines how traffic is load balanced. Two options:
Balanced (balances across paths)
Min across-interfaces (traffic still uses lowest metric path)
Router eigrp 1
Variance 2
Traffic-share balanced (actively uses the lower speed link to load balance with higher speed links)
* Note Min – only add to the routing table for fall back but does not load balance
Under the interface you can configure per packet or per flow load balancing
Ip load-balancing per-packet or per-destination

156. Variance Example
Router E chooses router C to get to network Z because FD = 20.
With a variance of 2, router E chooses router B to get to network Z ( = 30) < [2 * 20(FD) = 40].
Router D is not used to get to network Z (45 > 40).
To use D we need a variance of 3 because 3x20=60 and 60 is > 45

157. End Day 2 Lecture
157
157
157

158. Session 8 OSPF
158
158
158

159. OSPF Outline OSPF Network Types RID LSA Adjacencies Area types
New Features
Authentication
Summaries
Filtering

160. Physical Frame Relay Interface
Network Types
The easiest configuration is to configure all OSPF frame relay interfaces for point-to-multipoint
If the lab prohibits you from changing the network type you can try the neighbor command
Physical Frame Relay Interface
OSPF Network Type
Physical
Non-Broadcast
Multipoint Sub
Point-to-Point Sub
Point-to-Point

161. OSPF Over NBMA Topology Summary

162. Hello and Dead Timers
In order to form neighbor adjacency, hello and dead timers must match
Timer differ based on network type configuration
broadcast–Hello time (10 seconds), dead time (40 seconds)
point-to-point–Hello time (30 seconds), dead time(120 seconds)
non-broadcast– Hello Time (30 seconds), dead time (120 seconds)
Timers can be manually adjusted through the “ip ospf hello-interval” and “ip ospf dead-interval” interface commands

163. Hello and Dead Timers Physical Interface Non- Broadcast
Hello 30 Dead 120
Sub Interface P2P
Point-to-Point
Hello 10 Dead 40
Sub Interface Point to multipoint
Physical changed to
Ip ospf Broadcast
Broadcast
P2P sub interface changed to NBMA
Non-Broadcast

164. Miscellaneous OSPF - Timers
Basic Timers
Hello-interval
interface serial 1/0
ip ospf hello-interval 20 – automatically changes the dead-interval to 80, dead = hello x 4
Dead-interval
ip ospf dead-interval 50 – does NOT change the hello-interval
Unless - See next slide

165. OSPF Timers – Fast Hellos
Added in 12.2T15
Enables faster convergence
Sets Dead timer to 1 second, hello timer based on hello-multiplier.
Example – set hello to 250ms
ip ospf dead-interval minimal hello-multiplier 4

166. Router ID Identifies an OSPF neighbor Dotted Decimal 32 bits
highest possible router ID
Statically set the Router ID (Prefered) *note they may reboot the routers before they grade
router ospf 1
router-id
Uses highest IP address of all configured loopbacks
If no loopback is present it uses the highest IP address
Used for virtual-link commands
Highest Router ID wins DR election – Priority can offset election

167. Link State Announcement (LSA) Types
1 - Router LSA - Each OSPF router generates a single Type 1 LSA to describe the status and cost (metric) of all links on the router. This LSA is flooded to each router with-in the OSPF area only.
2 - Network LSA - the designated router on a broadcast segment (e.g. Ethernet) lists which routers are joined together by the segment
3 - Network summary LSA - an Area Border Router (ABR) takes information it has learned on one of its attached areas and summarizes it before sending it out on other areas
4 - ASBR Summary LSA - Type 5 External LSAs are flooded to all areas and the detailed next-hop information may not be available in those other areas. The ABR floods the information for the router (i.e. the Autonomous System Border Router) where the type 5 originated.
5 - AS External LSA - these LSAs contain information imported into OSPF from other routing processes. They are flooded to all areas (except stub areas).
6 - Group Membership LSA - this was defined for Multicast extensions to OSPF (MOSPF),
7 - NSSA External LSA - Not-so-stubby-area (NSSA) do not receive external LSAs from Area Border Routers, but are allowed to send external routing information for redistribution. They use type 7 LSAs to tell the ABRs about these external routes, which the Area Border Router then translates to type 5 external LSAs and floods as normal to the rest of the OSPF network.

168. LSA Table To DR Router 224.0.0.6 To Area Network 224.0.0.5
Intra/Internal
LSA
Adv Router
R/Table
Display Database
Intra
1 (Router)
All in Area O
<sh ip ospf database router
2 (Network)
DR only
N/A
<sh ip ospf database network
Inter
3 (Summary)
ABR IA
<sh ip ospf database summary
4 (Announce
ASBRs)
<sh ip ospf database ASBR summary
External
5 (Type 1 or Type 2)
ASBR
E2 (default) or E1
<sh ip ospf database external
6 (MOSPF)
Cisco can generate a syslog error 7
ASBR (In NSSA)
N1 or N2
<sh ip ospf nssa-external
To DR Router
To Area Network

169. Problem preventing Neighbor Adjacency
Mismatched hello
Subnet information
Authentication
Area ID doesn’t match
Area Stub flag not set
Duplicate RID

170. Neighbor States Down State Init (Clear or start new OSPF process)
2way (Elect DR / BDR)
Exstart (Master/ Slave)
Master sends data descriptor packets (Contain link-state advertisement (LSA) headers only)
Higher IP is Master
Exchange
Use ip ospf mtu ignore to avoid MTU problems (Exchange LSDB)
Loading
LSR (Request) -----
---LSU (Updates)
Full (Database synchronized and all Routes have been exchanged)

171. Electing the DR and BDR Hello packets are exchanged via IP multicast.
The router with the highest OSPF priority is selected as the DR.
Use the OSPF router ID as the tie breaker.
If no RID, than use highest Loopback IP
If no Loopback than use highest interface IP
The DR election is nonpreemptive.

172. Setting Priority for DR Election
Router(config-if)#
ip ospf priority number
This interface configuration command assigns the OSPF priority to an interface.
Different interfaces on a router may be assigned different values.
The default priority is 1. The range is from 0 to 255.
0 means the router is a DROTHER; it can’t be the DR or BDR.

173. Area Type
All routers in an OSPF area must have the same area type set or no neighbor will be formed
Totally Stubby and Totally NSSA have the ‘no-summary’ command added to ONLY the ABR
NSSA does not inject a default route automatically. Must configure for the default to be sent on the ABR:
area 2 nssa default-information-originate
Area Type
ABR
LSA
Area Routers
Stub
stub
2,3,4 1
Totally
Stubby
Stub no-summary 2,
NSSA
Nssa default-information-originate
2, ,4
1,7
nssa
nssa no-summary

174. Types of OSPF Routers

175. OSPF Authentication Uses either Clear Text or MD5
Can do either Area Authentication or Link Authentication
If area 0 has authentication, any virtual links must have the same authentication configured
Watch for extra spaces on your passwords

176. Area Authentication Clear Text MD5 r1lab(config)# router ospf 1
r1lab(config-router)# area 0 authentication
r1lab(config)# int serial 0
r1lab(config-if)# ip ospf authentication-key cisco
MD5
r1lab(config-router)# area 0 authentication message-digest
r1lab(config)# int s0
r1lab(config-if)# ip ospf message-digest-key 1 md5 cisco

177. Link Authentication Clear Text MD5 r1lab(config-if)# int s0
r1lab(config-if)# ip ospf authentication
r1lab(config-if)# ip ospf authentication-key cisco
MD5
r1lab(config-if)# ip ospf authentication message-digest
r1lab(config-if)# ip ospf message-digest-key 1 md5 cisco

178. Virtual Links Avoid in real word
Used to connect an area to the backbone through another area – extension of area 0
Configuration uses router-id
If authentication is configured on area 0 it must also be configured on the virtual link and the far side router.
Needed in two cases
Discontiguous area 0
Router touching two areas, but not area 0.
Use Area Border routers as endpoints

179. Virtual Link Authentication
Clear Text
r1lab(config)# router ospf 1
r1lab(config-router)# area 1 virtual-link authentication-key cisco
MD5
r1lab(config-router)# area 1 virtual-link message-digest-key 1 md5 cisco
Remember that the far side of the virtual link must know what type of authentication area 0 is using
VL cannot traverse over a stub area
If you are required to traverse a VL to area 0 you must negate capability transit.

180. Connecting a Non-Backbone Area Through a Stub Area
Generic Routing Encapsulation (GRE) allows you to connect a discontiguous area to the backbone through a stub area
GRE will cause extra packet overhead due to tunnel header information

181. OSPF New Features
Max LSA (Internal)

182. OSPF New Features Cont.
Maximum Prefixes (Networks)

183. OSPF New Features Cont. Prevent OSPF router from being transit
Max Metric uses – (16 bits)

184. OSPF Summarization Two ways to summarize
Area range used to summarize between OSPF areas. Always done on an ABR
area 2 range
Summary-address used to summarize external routes redistributed into OSPF. Always done on an ASBR
summary-address
Will inject a NULL0 route into the routing table. MUST get rid of the NULL0
no discard-route internal – used with area range
no discard-route external – used with summary-address

185. Configuring Route Summarization
router (config-router)#
area area-id range address mask
Consolidates inter-area (IA) routes on an ABR
router (config-router)#
Summary-address address mask (not-advertise) (tag tag)
Consolidates external routes, usually on an ASBR

186. Filtering in OSPF
Distribute list only inbound and can not stop LSAs

187. Break Area 0
R1 and R1 have full knowledge of Area 0 routes and R3 and R4 have no knowledge.
Or on R2 OSPF

188. Prevent type 7 to 5 routes from Area 0

189. SESSION 8
BGP
189
189
189

190. BGP Outline Operation State Attributes Order/Preference Aggregation
Security
Peer Groups
Dampening

191. iBGP Full Mesh Requirement
All BGP speakers within an AS must be connected together in a Full Mesh. For n BGP speakers within an AS that requires to maintain n*(n-1)/2 unique iBGP sessions to connect the eBGP routers
If not meshed, routes must be redistributed into and syncronized with IGP.
Route Reflectors and Confederations may be used to avoid the full mesh requirement or redistribution

192. BGP Route Reflector Scales well unlike full mesh
Optional Peer groups could be used to save configuration on the route reflector
r1lab(config-router)# neighbor update-source loopback 0
r1lab(config-router)# neighbor next-hop-self
r1lab(config-router)# neighbor distribute-list 1 out
r1lab(config-router)# neighbor route-reflector-client
r1lab(config-router)# neighbor update-source loopback 0
r1lab(config-router)# neighbor next-hop-self
r1lab(config-router)# neighbor distribute-list 1 out
r1lab(config-router)# neighbor route-reflector-client

193. Route Reflector

194. BGP Confederations Splits one AS into many smaller Private AS’s
Private AS numbers are – 65535
Connections between the Private AS’s are treated as special eBGP connections
External AS’s only participate in the Public AS – they are not aware of the Private AS’s inside

195. Confederation
AS 6502
AS 6503
6503
6502

196. Manual Confederation Uses private AS for IBGP and Public AS for EBGP
Need to remove the private AS information

197. Basic BGP Configuration
Neighbors must be configured on both sides
Neighbors must be directly connected or have a specific IGP route (default route will not work) to the neighbor.
Neighbors in the same AS are iBGP
iBGP will go 255 hops by default to find a neighbor
Neighbors in different AS’s are eBGP
eBGP will only go 1 hop to find a neighbor
neighbor eBGP-multihop <1-255> (need IGP)
If you use loopback to neighbor don’t forget to change the update source
BGP expects the directly connected interface to be the update source unless you specify
neighbor update-source loopback 0
Advertised networks must have an exact match in the routing table in order for BGP to advertise the route

198. State Idle Connect Open send – version must be 4 Open confirm
Active – resets the retry timer kickbacks to idle
Open send – version must be 4
Open confirm
Established

199. Neighbors

200. Synchronization Example
AS 45
AS 40
eBGP E C D
iBGP
AS 50 F B A
eBGP
An IGP running only on Routers B and C
will not appear in D’s IP Routing Table

201. Synchronization Problem
An eBGP learned route cannot be installed in the routing table of iBGP connected routers until the route has already been learned by the IGP connecting these routers
It is almost always recommended to disable synchronization or need to redistribute eBGP routes directly in the IGP
r1lab(config)# router bgp 10
r1lab(config-router)# no synchronization

202. Next Hop IGP should carry route to next hops Recursive route look-up
Decouples BGP from actual physical topology
If an IGP router does not have a direct route to the Next Hop EBGP than Next hop self can be used on the IBGP/Ebgp neighbor to provide connect

203. Next Hop Example B Does Not Advertise Network 20.2.2.0 to A
eBGP D A
iBGP F
eBGP B
/ 24
B Does Not Advertise Network to A
A Will Not Install Network in its Routing Table since
A does not know how to reach the next hop ( )

204. Next-Hop-Self Problem
An eBGP learned route cannot be installed in the IP routing table of iBGP connected routers unless the route’s next-hop address is reachable
r1lab(config)# router bgp 10
r1lab(config-router)# neighbor next-hop-self
eBGP neighbors always advertise themselves as the "next hop" for any routes sent.
iBGP neighbors retain the original advertiser's address as the next hop.
The issue with next-hop information is whether or not that next hop ( the eBGP neighbor address ) is reachable to any iBGP neighbor.

205. Transit AS
If an AS has 2 or more connections to the Internet, by default some traffic not destined for your AS may pass through your routers
Two ways to stop this
AS-Path access-lists
Communities
Explained later

206. BGP Characteristics Distance-vector protocol with enhancements:
Reliable updates
Triggered updates only
Rich metrics (called path attributes)
Designed to scale to huge internetworks

207. BGP Path Attributes BGP metrics are called path attributes
BGP attributes are categorized as well-known and optional
Well-known attributes must be recognized by all compliant implementations
Optional attributes are only recognized by some implementations (could be private), expected not to be recognized by everyone

208. Well-Known BGP Attributes
Well-known attributes are divided into mandatory and discretionary
Well-known mandatory attributes must be present in all update messages
Well-known discretionary attributes are optional - they could be present in update messages
All well-known attributes are propagated to other neighbors

209. WELL-KNOWN, MANDATORY
AS-path: A list of the Autonomous Systems (AS) numbers that a route passes through to reach the destination. As the update passes through an AS the AS number is inserted at the beginning of the list. The AS-path attribute has a reverse-order list of AS passed through to get to the destination.
Next-hop: The next-hop address that is used to reach the destination.
Origin: Indicates how BGP learned a particular route. There are three possible types -- IGP (route is internal to the AS), EGP (learned via EBGP), or Incomplete (origin unknown or learned in a different way).

210. WELL-KNOWN, DISCRETIONARY
Local Preference: Defines the preferred exit point from the local AS for a specific route.
Atomic Aggregate: Set if a router advertises an aggregate causes path attribute information to be lost.

211. Optional BGP Attributes
Optional BGP attributes are transitive or non-transitive
Optional transitive attributes
Aggregator: Specifies the router ID and AS of the router that originated an aggregate prefix. Used in conjunction with the atomic aggregate attribute.
Community: Used to group routes that share common properties so that policies can be applied at the group level.
Optional non-transitive attributes
Multi-exit-discriminator (MED): Indicates the preferred path into an AS to external neighbors when multiple paths exist.
Recognized optional attributes are propagated to other neighbors based on their meaning (not constrained by transitive bit)

212. Priority of Attributes
If the path specifies a next hop that is inaccessible, drop the update.
Prefer the path with the largest weight.
If the weights are the same, prefer the path with the largest local preference.
If the local preferences are the same, prefer the path that was originated by BGP running on this router.
If no route was originated, prefer the route that has the shortest AS_path.
If all paths have the same AS_path length, prefer the path with the lowest origin type (where IGP is lower than EGP, and EGP is lower than incomplete).
If the origin codes are the same, prefer the path with the lowest MED attribute.
If the paths have the same MED, prefer the external path over the internal path.
If the paths are still the same, prefer the path through the closest IGP neighbor.
Prefer the path with the lowest IP address, as specified by the BGP router ID.

213. Weight
The weight attribute is a Cisco-defined attribute used for the path selection process. The weight is configued locally to a router and is not propagated to any other routers.

214. Origin
The origin attribute indicates how BGP learned about a particular route. The origin attribute can have one of three possible values:
IGP—The route is interior to the originating AS. This value is set when the network router configuration command is used to inject the route into BGP. [0] i
EGP—The route is learned via the Exterior Border Gateway Protocol (EGP). [1] e
Incomplete—The origin of the route is unknown or learned in some other way. An origin of incomplete occurs when a route is redistributed into BGP. [?]

215. AS-Path
The AS-path attribute is empty when a local route is inserted in the BGP table
The sender’s AS number is prepended to the AS-path attribute when the routing update crosses AS boundary
The receiver of BGP routing information can use the AS-path to determine through which AS the information has passed
An AS that receives routing information with its own AS number in the AS-path silently ignores the information
Prepend as-path can be used as a metric
<routemap prepend permit 10
<match ip address 1
<set as-path prepend

216. Next-Hop Attribute
Next-hop attribute indicates the next-hop IP address used for packet forwarding
Usually set to the IP address of the sending BGP router

217. Multi-Exit Discriminator Attribute
The multi-exit discriminator (MED) or metric attribute is used as a suggestion to an external AS regarding the preferred route into the AS that is advertising the metric.
Only works from directly connected AS. It is not transitive
Default MED 0

218. Local Preference
The local preference attribute is used to prefer an exit point from the local autonomous system (AS). Unlike the weight attribute, the local preference attribute is propagated throughout the local AS. If there are multiple exit points from the AS, the local preference attribute is used to select the exit point for a specific route.
Default Local Preference 100

219. Atomic aggregate
The Atomic aggregate serves as an indication to the receiver that it can't "deaggregate" the prefix per some of the granularity associated with the AS paths may have been lost when the aggregate was created, and deaggregation could result in the introduction of loops.
Border Gateway Protocol (BGP) allows the aggregation of specific routes into one route with use of the aggregate-address address mask [as-set] [summary-only] [suppress-map map-name] [advertise-map map-name] [attribute-map map-name] command. When you issue the aggregate-address command without any arguments, there is no inheritance of the individual route attributes (such as AS_PATH or community)

220. Aggregator
AGGREGATOR is an optional transitive attribute of length 6. The attribute contains the last AS number that formed the aggregate route (encoded as 2 octets), followed by the IP address of the BGP speaker that formed the aggregate route (encoded as 4 octets). This SHOULD be the same address as the one used for the BGP Identifier of the speaker.
Created from enabling AS-Set

221. Communities RFC1997, RFC1998 Optional attribute
Range: 0 to 4,294,901,760
Method to group destinations into communities and apply routing decisions (accept, prefer, redistribute, etc.) using route-maps
Route maps are used to set the community attribute. Predefined community attributes are listed here:
no-export—Do not advertise this route to EBGP peers.
no-advertise—Do not advertise this route to any peer.
internet—Advertise this route to the Internet community; all routers in the network belong to it.
local-AS — Use in confederation scenarios to prevent sending packets outside the local autonomous system (AS).
Commuties are AS specific and are stripped when transit through an AS

222. Originator-ID
Originator-ID is an optional, nontransitive BGP attribute. This is a 4-byte attributed created by a route reflector. The attribute carries the router ID of the originator of the route in the local autonomous system. Therefore, if a misconfiguration causes routing information to come back to the originator, the information is ignored.

223. Cluster List
Cluster-list is an optional, nontransitive BGP attribute. It is a sequence of cluster IDs that the route has passed. When a route reflector reflects a route from its clients to nonclient peers, and vice versa, it appends the local cluster ID to the cluster-list. If the cluster-list is empty, it creates a new one. Using this attribute, a route reflector can identify if routing information is looped back to the same cluster due to misconfiguration. If the local cluster ID is found in the cluster-list, the advertisement is ignored.

224. BGP Path Attribute Summary
Well-known mandatory attributes
Recognized by everone, always present
AS-Path, Next-Hop, Origin
Well-known discretionary
Recognized by everone, optional
Local Preference, Atomic Aggregate
Optional transitive
Might not be recognized, propagated if not
BGP Community, Aggregator
Optional non-transitive
Might not be recognized, dropped if not
Multi-exit-discriminator

225. Announcing Networks in BGP
Only administratively defined networks are announced in BGP
Manually configure networks to be announced <network mask>
Use redistribution from IGP
Use aggregation to announce summary prefixes

226. Manually Announce Classless Prefix in BGP
router(config-router)#
network ip-prefix-address mask subnet-mask
Configures a classless prefix to be advertised into BGP
The prefix must exactly match an entry in the IP forwarding table
Hint: use a static route to null 0 to create a matching prefix in the IP forwarding table

227. Redistributing Routes from IGP
Easier than listing networks in BGP process in large networks
Redistributed routes carry origin-attribute ‘incomplete’
Always filter redistributed routes to prevent route leaking

228. Aggregating BGP Networks
Summarization is called aggregation in BGP
Aggregation creates summary routes (called aggregates) from networks already in BGP table
Individual networks could be announced or suppressed

229. Configuring Aggregation
router(config)#
router bgp as-number
aggregate-address address-prefix mask
Specify aggregation range in BGP routing process
The aggregate will be announced if there is at least one network in the specified range in the BGP table
Individual networks will still be announced in outgoing BGP updates

230. Configuring Aggregation
router(config)#
router bgp as-number
aggregate-address address-prefix mask summary-only
Configure aggregation of BGP routes
Advertise only the aggregate and not the individual networks
Benefits:
Smaller BGP routing tables
More stable internetworks (less route flapping)
Drawbacks:
Problems with multi-homed customers

231. Configuring Aggregation with other options
Summary plus AS path
Prevents loops in the summary

232. Aggregate cont. Other options that can be enabled are:
Attribute maps are used to configure the attributes of the aggregate route since the attributes of the original routes are used by default when summarized
Advertise maps allow the aggregate to inherit the attributes from the specific networks identified in the advertise map. It is important to note the attribute map overrides the advertise map
Suppress maps this command overrides the summary only keyword and suppresses on the routes configured in the suppress map.
Un-suppress maps selectively un-suppresses networks suppressed in a suppress-map

233. Configuring BGP Communities
BGP communities are configured in the following steps:
Configure route tagging with BGP communities
Configure BGP community propagation
Define BGP community access-lists (community-lists) to match BGP communities
Configure route-maps that match on community-lists and filter routes or set other BGP attributes
Apply route-maps to incoming or outgoing updates

234. Community Setting Through Route-Map
route-map name
match condition
set community value [ value … ] [additive]
router(config)#
Route tagging with communities is always done with a route-map
Any number of communities can be specified
Communities specified in the set keyword overwrites existing communities unless you specify the additive option

235. Attaching Communities to a Route
neighbor ip-address route-map map in | out
router(config-router)#
Applies a route-map to inbound or outbound BGP updates
The route-map can set BGP communities or other BGP attributes
redistribute protocol route-map map
router(config-router)#
Applies a route-map to redistributed routes

236. Configure Community Propagation
neighbor ip-address send-community
router(config-router)#
By default, communities are stripped in outgoing BGP updates
Community propagation to BGP neighbors has to be manually configured
BGP peer groups are ideal for configuring BGP community propagation toward a large number of neighbors

237. Related Commands Set community none – Removes all community attributes
Set comm-list delete – Removes specific communities
ip community-list 1 permit 200:100
route map REM_COM permit 10
set comm-list 1 delete
Set community additive – Appends to existing communities
set community 450 additive
ip community-list 1 permit 200:10 – Matches any route that has 200:10 as one of its communities
ip community-list permit 200:10 100:10 - Matches any route that has either or both communities
ip community-list permit 200:10 100:10 exact-match – Matches only those routes that are members of both communities

238. AS Path Filtering
Several scenarios require BGP route filtering based on AS-path
Announce only local routes to the ISP - AS-path needs to be empty
Select routes based on a specific AS-number in the AS-path
Accept routes for specific AS only from some BGP neighbors
AS-path filters use regular expressions

239. Regular Expressions Ranges and Wildcard Characters
A range of characters matches any single character in the range examples:[1234] or [1-4]
dot (.) matches any single character

240. Regular Expressions Matching Delimiters
^ matches beginning of string
$ matches end of string
_ matches any delimiter (beginning, end, whitespace, tab, comma)

241. Regular Expressions Repeating Operators
matches zero or more instances
? matches zero or one instances
+ matches one or more instances

242. Sample Regular Expressions
_100_
^100$
_100$
^100_.*
^ [0-9]+$ ^$ .*
Going through AS 100
Directly connected to AS 100
Originated in AS 100
networks behind AS 100
AS paths one AS long
networks originated in local AS
matches everything

243. Regular Expression Examples
Routes originated from a directly connected AS ( 5 ).
^5$
Routes that passed through AS 6.
_6_
Routes that originated in AS 7.
_7$
Routes that originated in an odd AS.
[1,3,5,7,9]$
Routes that originated in AS 3, or in an AS directly attached to AS 3.
^3_[0-9]*$

244. Configuring BGP AS-path Filters
router(config)#
ip as-path access-list number permit|deny regexp
Configures AS-path access list
router(config-router)#
neighbor ip-address filter-list as-path-filter in|out
Configures inbound or outbound AS-path filter for specified BGP neighbor

245. Conditional Route Injection
Used to inject more specific into BGP based on existence of aggregated route or originate default route based on certain route existence

246. BGP Authentication Authentication is MD5
Configured on a per neighbor basis
r1lab(config)# router bgp 10
r1lab(config-router)# neighbor remote-as 10
r1lab(config-router)# neighbor password CISCO
r2(config)# router bgp 10
r1lab(config-router)# neighbor remote-as 10
r2(config-router)# neighbor password CISCO

247. BGP Route Flap Dampening Goals
Minimize the amount of BGP update processing in the Internet
Do not suppress routes that occasionally flap
Suppress routes that are likely to flap in the future based on the history of their behavior
Flap = removal of route Suppress= do not use a route after it reappears

248. Route Flap Dampening Implementation
Every time an eBGP route flaps it gets 1000 penalty points (iBGP routes are not dampened)
The penalty placed on a route is decayed using the exponential decay algorithm
When the penalty exceeds “suppress limit”, the route is dampened (no longer used or propagated to other neighbors)
A dampened route is propagated when the penalty drops below “reuse limit”

249. Route Flap Dampening Implementation
Flap history is forgotten when the penalty drops below half of “reuse limit”
The route is never dampened for more than “max-suppress” time
An unreachable route with flap history is put in “history state” - it stays in the BGP table but only to maintain the flap history
A penalty is applied on the individual path in the BGP table, not on the IP prefix

250. Configuring BGP Route Flap Dampening
bgp dampening [half-time [reuse-limit suppress-limit max-suppress]] [route-map route-map]
router(config-router)#
Configures BGP route flap dampening
Parameter meaning:
Half-time Exponential decay half-time (time in which the penalty is halved)
Suppress-limit Penalty value where the route is starting to be dampened
Reuse-limit Penalty value where the dampened route is reused
Max-suppress Maximum suppression time
Route-map Dampening parameters are specified with a route-map

251. Default BGP Dampening Parameter Values
The following default dampening parameter values are used if you don’t specify them:
half-time 15 minutes
per-flap penalty 1,000 (non-configurable)
suppress limit 2,000
reuse limit 750
max-suppress-time 60 minutes

252. Limiting the Number of Routes Received from a Neighbor
Problem definition:
A misconfigured BGP neighbor can send a huge number of prefixes that exhaust router’s memory or overload the CPU (several Internet-wide incidents have already occurred)
All other filtering mechanisms only specify what we’re willing to accept but not how much
A new tool is needed to establish a hard limit on the number of prefixes received from a neighbor

253. Maximum-Prefix Command
router(config-router)#
neighbor ip-address maximum-prefix maximum [threshold] [warning-only]
Controls how many prefixes can be received from a neighbor
Optional threshold parameter specifies the percentage where a warning message is logged (default is 75%)
Optional warning-only keyword specifies the action on exceeding the maximum number (default is to drop neighborship)

254. End of Day 3 Lecture
254
254
254

255. SESSION 9
Multicast
255
255
255

256. Multicast Outline Address RFP Dense/Sparse Source/shared Static RP
Auto-RP
BSR
Stub
M-B-M
MSDP /Anycast

257. Multicast Address Range

258. Mapping a MAC Address

259. Reverse Path Forwarding

260. RPF Calculation

261. RPF with two paths

262. Multicast Distribution Trees
Dense Mode uses Source
Push Technology that is
very chatty

263. Shared Distribution Tree
Sparse uses Shared
Pull Mode

264. Characteristics of Distribution Trees

265. Multicast Tree Creation

266. Multicast Distribution Tree Example

267. Different types of PIM

268. PIM Sparse Mode

269. How does the network know about the RP?

270. Static RPs

271. Auto RP Uses Intended for PIMv1 C_RP Candidates
Mapping Agent (Collects announcements and sends RP discovery messages on )
The RPs announce on
Recommended to locate Can_RP and Mapping Agent on same router
Uses dense mode to find the RP as a fallback

272. Auto RP

273. Auto RP Cont.

274. Auto-RP configured

275. BSR Election

276. BSR Overview
PIM join messages that might inadvertently cross the border

277. BSR Highest Priority

278. Cont.

279. BSR Cont.

280. Configuring BSR
Hash Mask
Priority
RP priority

281. Anycast – RP Overview

282. MSDP

283. Anycast RP RP

284. Anycast RP Cont.

285. Multicast-Broadcast-Multicast

286. IGMP Stub

287. SESSION 10
QoS
287
287
287

288. QoS Outline Modular QoS CLI (MQC) LLQ Police/CAR WRED, CBWRED Marking
Shaping, FRTS
Fragmenting
NBAR

289. MQC Class-maps <class-map lab (match all is the default)
Match any
<match = Classify ?
Input interface f0/0
Destination Mac address
Source Mac address
Fr-de, fr-dlci
Cos, dscp, IP-prec
Any
Access-group
Protocol=NBAR (download PDLMs)
CEF requires
Can run <ip protocol NBAR protocol discovery
Packet length min or max

290. Policy-Map and DSCP Class Lab
<set cos,dscp,ip-prec
DSCP has 64 different colors to mark traffic
<mls qos map dscp-map lab 31 to 41

291. CBWFQ <Int f0/0 Policy-map can use Kbps or Percent but not both
<max reserve bandwidth 100 (75% is default)
Policy-map can use Kbps or Percent but not both
<policy-map voice
<class CONTROL
<bandwidth 1000
<class VOICE
<priority 10000
Can have 255 classes total
When applying a strict priority queue
To a CBWFQ it is referred to as a LLQ

292. Police/CAR Use on edge routers to classify and/ or rate limit traffic
Can be applied to all traffic or a subset of the traffic selected by an access list
Configured on an interface
rate- limit {input| output} bps normal- burst max- burst conform- action action exceed- action action
rate- limit {input| output} access- group index bps normal- burst max- burst conform- action action exceed- action action
Maximum burst bytes
Bits per second
Normal burst bytes

293. CBWFQ Architecture Insertion policy

294. Applying RED
You can change to DSCP based
random-detect dscp-based

295. Configuring WRED on an interface
mark probability
denominator
minimum threshold
(number of packets)
maximum threshold
(number of packets)
When the average queue size is above the minimum threshold, RED starts dropping packets.
The rate of packet drop increases linearly as the average queue size increases, until the average queue size reaches the maximum threshold.
The mark probability denominator is the fraction of packets dropped when the average queue size is at the maximum threshold. For example, one out of every 100 packets is dropped when the average queue size is at the maximum threshold.

296. Shaping
Shape

297. Shape Peak Allow the router to peak to 64k Peak rate = CIR(1+BE/BC)
Router(config-pmap-c)# shape {average | peak} cir [bc] [be]
Shape adaptive – BECN field set to 1
25% slow down is BECN received if 16 TCs received with no BECNs increase 1/16 every TC
Can also use Fecn-adapt to send ahead to your other router to set BECN field.

298. Frame Relay Traffic Shaping
Time Committed (TC) = 125micro

299. Network Based Application Recognition (NBAR)

300. NBAR Application Support

301. Packet Description Language Module

302. NBAR Protocol Discovery

303. SESSION 11
Others
303
303
303

304. NTP

305. Optimizing HSRP

306. Gateway Load Balancing Protocol (GLBP)

307. GLBP Operations

308. GLBP Cont.

309. Virtual Router Redundancy Protocol (VRRP)

310. VRRP Operational Status

311. VRRP Configuration

312. NAT

313. NAT with Access List—Multiple Address Pools

314. NAT with Extended Access List Configuration
ip nat pool trusted_pool prefix-length 24
ip nat pool untrusted_pool prefix-length 24 !
ip nat inside source list 102 pool trusted_pool
ip nat inside source list 103 pool untrusted_pool
interface ethernet 0
ip address
ip nat inside
interface serial 0
ip address
ip nat outside
access-list 102 permit ip
access-list 102 permit ip
access-list 103 permit ip any

315. Benefits of Route Maps with NAT

316. Route Map Configuration

317. Verifying NAT

318. Session 10
Security
318
318
318

319. Session 10 Outline Unicast Reverse Path Forwarding (uRPF)
Context Based Access Control (CBAC)

320. CBAC Configuration

321. Enable Audit Trails and Alerts

322. Enable TCP Syn and Fin times

323. TCP UDP and DNS Idle Times

324. Port to Application Mapping

325. Port Mapping Configuration

326. Global Half Open Connection Limits

327. Configuring Inspection Rules

328. Apply Inspection Rule to an Interface

329. Unicast Reverse Path Forwarding (uRPF)
Unicast Reverse Path Forwarding (uRPF) is a feature originally created to implement Network Ingress Filtering: Defeating Denial of Service Attacks Which Employ IP Source Address Spoofing

330. Configuring uRPF
By enabling Unicast Reverse Path Forwarding (uRPF), all spoofed packets will be dropped at the first device. To enable uRPF, use the following commands.

331. IP Source Guard
By watching which IP addresses are assigned by DHCP, a switch can create dynamic ACL's to block all traffic except traffic from DHCP-assigned IP addresses.
Benefits:
Prevents a hacker from spoofing their IP address to launch an anonymous attack.
Prevents users from ignoring DHCP and manually configuring a static IP address.

332. IP Source Guard Configuration