The CCIE Book… While I was studying for the CCIE back in 2000 - 2001, I maintained this Word document for my study notes. Good luck in your CCIE journey and enjoy!
Jeff Kesemeyer
THE CCIE Book

Copyright © 2003 by Bradshaw Labs Inc. All Rights Reserved

TABLE OF CONTENTS

1. Physical and Data Link Layers .... 9
   1.1 Router Management .... 9
   1.2 Aliases .... 10
   1.3 Logging .... 11
   1.4 IOS Feature Sets .... 11
   1.5 Basic Interface Configuration .... 12
   1.6 Cisco Discovery Protocol (CDP) .... 13
   1.7 Domain Name System (DNS) .... 14
   1.8 Network Time Protocol (NTP) .... 14
       1.8.1 Association Modes .... 14
   1.9 HTTP .... 16
   1.10 SNMP .... 16
   1.11 Aggregate T1's AT .... 17
   1.12 Level One Troubleshooting .... 18
   1.13 Router as Packet Analyzer .... 20

2. Frame-Relay .... 22
   2.1 Connectivity Scenarios .... 24
   2.2 Configuring Frame-Relay .... 26
   2.3 Troubleshooting Frame Relay .... 27

3. ISDN .... 29
   3.1 Setup .... 33
   3.2 Legacy DDR .... 34
   3.3 Dialer Profiles .... 36
   3.4 PPP .... 38
       3.4.1 Snapshot Routing .... 39
       3.4.2 Dial Backup .... 41
       3.4.3 OSPF DDR Methods .... 41
       Dialer Watch .... 42
       3.4.4 Callback .... 43
       3.4.5 Floating Static Routes .... 44
       3.4.6 Other ISDN Commands .... 45
   3.5 ISDN Troubleshooting Strategy (Master This Checklist) .... 45
       3.5.1 Problem Isolation .... 47
       3.5.2 ISDN Debug Example .... 48

4. ATM .... 49
   4.1 ATM Configurations .... 51
       4.1.1 Multiprotocol Encapsulation (2684) .... 52
       4.1.2 Classical IP (CLIP) - (RFC 2225 / 1577) .... 54
       4.1.3 Other Configurations .... 56
       4.1.4 Configurations Summary .... 57
   4.2 QoS .... 58
       4.2.1 PVC Traffic Management .... 58
       4.2.2 SVC Traffic Management .... 58
   4.3 Routing with ATM .... 58
   4.4 ATM Show Commands .... 59
   4.5 ATM Debug Commands .... 61
   4.6 Troubleshooting ATM .... 62

5. LAN Switching .... 63
   5.1 Switch Management .... 64
   5.2 Port Parameters .... 66
   5.3 VLANs .... 67
   5.4 Trunking .... 71
   5.5 Inter-VLAN Routing .... 73
   5.6 Token-Ring (3900) Configuration .... 74
       5.6.1 Token-Ring VLANs .... 75
   5.7 Troubleshooting Switches .... 77

6. IP Management .... 80
   6.1 Planning a Network .... 80
   6.2 Overview .... 80
   6.3 Hot Standby Router Protocol (HSRP) .... 84
   6.4 Dynamic Host Configuration Protocol (DHCP) .... 85

7. Routing .... 87
   7.1 Administrative Distances .... 89
   7.2 Default and Static Routes .... 90
       7.2.1 RIP .... 90
       7.2.2 IGRP .... 91
       7.2.3 EIGRP .... 91
       7.2.4 OSPF / IS-IS .... 92
       7.2.5 BGP .... 93
       7.2.6 IPX .... 93
   7.3 Default Route Summaries .... 94
   7.4 Authentication .... 94
   7.5 Routing Tables .... 95
   7.6 Troubleshooting Routing Table .... 96
   7.7 Debugging IP Packet Forwarding .... 97

8. RIP (R) 120 .... 98
   8.1 RIP v1 .... 99
   8.2 RIP v2 .... 100

9. IGRP (I) 100 .... 102

10. EIGRP (D 90) (EX 170) .... 105
   10.1 How EIGRP Works .... 105
   10.2 DUAL .... 110
   10.3 Authentication .... 112
   10.4 Summarization .... 112
   10.5 EIGRP and the WAN .... 113
   10.6 New to EIGRP with Release 12.0 .... 115
   10.7 Configuring EIGRP .... 115

11. OSPF (O) 110 .... 118
   11.1 OSPF Basics .... 118
   11.2 OSPF Routing .... 121
   11.3 Network Types .... 123
   11.4 Areas .... 125
   11.5 OSPF Area Authentication .... 127
   11.6 OSPF Route Summarization .... 128
       11.6.1 Inter-Area Summarization .... 128
       11.6.2 External Summarization .... 129
   11.7 OSPF Design Techniques .... 129
   11.8 OSPF Configuration Overview .... 129
   11.9 OSPF Configuration .... 130
   11.10 OSPF Commands .... 130
   11.11 Troubleshooting OSPF .... 131

12. IS-IS (I) 115 .... 135
   12.1 IS-IS Routing .... 135
   12.2 Authentication .... 139
   12.3 IS-IS Configuration .... 139
   12.4 Troubleshooting IS-IS .... 140

13. BGP (B) 20 / 200 .... 141
   13.1 BGP Path Selection Process .... 142
   13.2 BGP Best Path Algorithm for IOS .... 143
   13.3 BGP Decision Algorithm .... 144
   13.4 BGP Routing .... 148
       13.4.1 Selecting a BGP Path .... 148
       13.4.2 Other Routing Information .... 148
       13.4.3 IBGP Routing .... 149
       13.4.4 EBGP Routing .... 153
       13.4.5 Advertising Routes .... 154
       13.4.6 Route Cache Invalidation .... 155
       13.4.7 Aggregate Address .... 155
   13.5 Controlling the Flow of BGP Updates .... 157
   13.6 Load Balancing Traffic .... 158
   13.7 BGP Filtering .... 159
   13.8 Internet Connectivity Options .... 162
   13.9 Multiprotocol BGP .... 164
   13.10 Basic BGP Configuration .... 164
   13.11 BGP Commands .... 165
   13.12 BGP Troubleshooting .... 166

14. IPX and NLSP .... 169
   14.1 IPX EIGRP .... 170
   14.2 IPX and WANs .... 171
   14.3 IPX and DDR .... 172
   14.4 NLSP .... 173
   14.5 Tunneling .... 175
   14.6 IPX Commands .... 177
   14.7 IPX Troubleshooting .... 177

15. Route Filtering .... 179
   15.1 Route Filters .... 179
   15.2 Prefix-Lists .... 179
   15.3 Distribute-Lists .... 181
   15.4 Route-Maps .... 182

16. Route Redistribution .... 186
   16.1 General Redistribution .... 186
   16.2 Redistribution Problems .... 187
   16.3 Static Redistribution .... 188
   16.4 RIP Redistribution .... 189
   16.5 IGRP Redistribution .... 189
   16.6 EIGRP Redistribution .... 189
   16.7 OSPF Redistribution .... 191
   16.8 IS-IS Redistribution .... 193
   16.9 BGP Redistribution .... 193
   16.10 IPX Redistribution .... 195
   16.11 FLSM and VLSM .... 195
   16.12 Mutual Redistribution .... 197
   16.13 Redistribution Summaries .... 199
   16.14 Troubleshooting Redistribution .... 200

17. Bridging .... 203
   17.1 STP .... 203
       17.1.1 Bridged Parameters .... 203
   17.2 Transparent Bridging .... 204
   17.3 Concurrent Routing and Bridging .... 205
   17.4 Integrated Routing and Bridging (IRB) .... 206
   17.5 Source Route Bridging .... 207
   17.6 RSRB .... 208
   17.7 SRT .... 209
   17.8 SR/TLB .... 210

18. DLSw+ .... 213
       18.1.1 Encapsulations .... 214
       18.1.2 DLSw and Ethernet .... 215
       18.1.3 Configuring DLSw+ .... 215
       18.1.4 DLSw+ DDR Configurations .... 218
       18.1.5 DLSw Load Balancing Configurations .... 219
       18.1.6 DLSw (Commands) .... 221
   18.2 Bridging Troubleshooting .... 221

19. Access-Lists .... 224
   19.1 IP Access-Lists .... 224
       19.1.1 ICMP Messages .... 225
       19.1.2 ACL and Routing Protocols .... 226
       19.1.3 Configuring IP Access-Lists .... 226
   19.2 IPX Access-Lists .... 230
       19.2.1 The Basics .... 230
       19.2.2 IPX Network Filtering .... 231
       19.2.3 SAP Filtering .... 232
       19.2.4 Troubleshooting IPX .... 233
   19.3
MAC A CCESS -LISTS..............................................................................................................................................................................233 19.3.1. LSAPs (200) ...................................................................................................................................................................................... 233 19.3.2. SNA..................................................................................................................................................................................................... 234 19.3.3. NetBIOS ............................................................................................................................................................................................. 234 19.3.4. Bit-Swapping..................................................................................................................................................................................... 235 19.3.5. DLSw+ ............................................................................................................................................................................................... 236 19.3.6. Bridging (MAC) Filters (700)........................................................................................................................................................ 237 19.4. ACCESS-EXPRESSIONS...................................................................................................................................................................238 20.
QUEUING..................................................................................................................................................................................................... 240
20.1. WFQ ........................................................................................................................................................................................................240 20.1.1. CB-WFQ ............................................................................................................................................................................................ 240 20.1.2. Low-Latency Queueing (LLQ) ....................................................................................................................................................... 241 20.1.3. Distributed WFQ (DWFQ) ............................................................................................................................................................. 241 20.2. W EIGHTED RANDOM EARLY DETECTION...........................................................................................................................................242 20.3. PRIORITY QUEUING................................................................................................................................................................................242 20.4. CUSTOM QUEUING.................................................................................................................................................................................243 20.5. COMMITTED A CCESS RATE (CAR) .....................................................................................................................................................243 20.6. TROUBLESHOOTING QUEUEING ...........................................................................................................................................................244 21.
TRAFFIC SHAPING................................................................................................................................................................................. 245 Page 5 of 296 Copyright © 2003 by Bradshaw Labs Inc. All Rights Reserved
THE CCIE Book 21.1. POLICY ROUTING....................................................................................................................................................................................245 21.2. RTP PRIORITY........................................................................................................................................................................................246 21.3. GENERIC TRAFFIC-SHAPING (GTS).....................................................................................................................................................247 21.4. FRAME-RELAY QUEUING......................................................................................................................................................................247 21.4.1. Frame-Relay DLCI-Prioritization................................................................................................................................................. 247 21.4.2. Frame-Relay Broadcast Queue ..................................................................................................................................................... 247 21.4.3. Frame-Relay Traffic-Shaping (FRTS).......................................................................................................................................... 248 21.5. IP PRECEDENCE ......................................................................................................................................................................................249 21.6. RSVP .......................................................................................................................................................................................................250 21.7. RANDOM EARLY DETECTION (RED) ..................................................................................................................................................251 21.8. 
DATA COMPRESSION ..............................................................................................................................................................................251 21.9. MPLS AND TAG SWITCHING................................................................................................................................................................251 22.
MULTICASTING....................................................................................................................................................................................... 252
22.1. INTERNET GROUP M ANAGEMENT PROTOCOL (IGMP).....................................................................................................................252 22.2. CISCO GROUP MANAGEMENT PROTOCOL (CGMP)..........................................................................................................................253 22.2.1. Stopping Multicasts from Broadcasting on a Switch................................................................................................................. 253 22.3. DISTANCE VECTOR MULTICAST ROUTING PROTOCOL (DVMRP) .................................................................................................254 22.4. PROTOCOL INDEPENDENT M ULTICAST (PIM) ...................................................................................................................................256 22.4.1. Dense Mode....................................................................................................................................................................................... 259 22.4.2. Sparse-Mode ..................................................................................................................................................................................... 260 22.5. M ULTIPROTOCOL BGP (MBGP)..........................................................................................................................................................263 22.6. M ULTICAST SOURCE DISCOVERY PROTOCOL (MSDP)....................................................................................................................263 22.7. TROUBLESHOOTING COMMANDS.........................................................................................................................................................265 22.8. 
INTERNET MULTICAST A DDRESSES.....................................................................................................................................................265 22.9. QUICK CONFIGURATION GUIDES.........................................................................................................................................................266 23.
SECURITY ................................................................................................................................................................................................... 268
23.1. TACACS.................................................................................................................................................................................................268 23.2. NETWORK ADDRESS TRANSLATION (NAT).......................................................................................................................................268 23.2.1. Basic NAT Configuration................................................................................................................................................................ 269 23.2.2. Port Address Translation (Overload)........................................................................................................................................... 269 23.2.3. TCP Load Sharing ........................................................................................................................................................................... 270 23.2.4. Dynamic NAT.................................................................................................................................................................................... 270 23.2.5. Nat on a Stick .................................................................................................................................................................................... 270 23.2.6. NAT Timers ....................................................................................................................................................................................... 271 23.3. A UTHENTICATION, A UTHORIZATION, AND A CCOUNTING................................................................................................................273 23.4. IPSEC .......................................................................................................................................................................................................274 23.4.1. 
Configuring IPSec............................................................................................................................................................................ 276 23.4.2. Quick Notes....................................................................................................................................................................................... 277 23.4.3. Basic IPSec over Tunnel (Works).................................................................................................................................................. 278 23.4.4. GRE Tunnel....................................................................................................................................................................................... 279 23.4.5. IP and IPX over Frame-Relay ....................................................................................................................................................... 280 23.4.6. Troubleshooting IKE and IPSec.................................................................................................................................................... 281 24.
VOICE............................................................................................................................................................................................................ 282
24.1. VO IP.........................................................................................................................................................................................................282 24.1.1. VoIP Example ................................................................................................................................................................................... 282 24.1.2. Configuring Dial Peers................................................................................................................................................................... 283 24.1.3. .................................................................................................................................................................................................................. 283 24.1.4. General Configuration Information.............................................................................................................................................. 283 24.1.5. Configuring VoIP............................................................................................................................................................................. 283 24.1.6. More Configuration Commands.................................................................................................................................................... 284 24.2. 
QOS ..........................................................................................................................................................................................................286 CONGESTION A VOIDANCE ......................................................................................................................................................................................286 CONGESTION M ANAGEMENT..................................................................................................................................................................................286 Page 6 of 296 Copyright © 2003 by Bradshaw Labs Inc. All Rights Reserved
THE CCIE Book IP PRECEDENCE ........................................................................................................................................................................................................288 RSVP .........................................................................................................................................................................................................................289 LINK FRAGMENTATION / INTERLEAVING (LFI) ...................................................................................................................................................290 Frame-Relay ....................................................................................................................................................................................................... 290 TRAFFIC SHAPING AND POLICING..........................................................................................................................................................................290 Frame-Relay Traffic Shaping.......................................................................................................................................................................... 290 Generic Traffic Shaping................................................................................................................................................................................... 291 HEADER COMPRESSION...........................................................................................................................................................................................291 TROUBLESHOOTING QUEUING ...............................................................................................................................................................................292 24.2.1. 
Show commands............................................................................................................................................................................... 292 24.2.2. Debug commands............................................................................................................................................................................. 292 24.2.3. Troubleshooting and Verifiying VoIP Connectivity................................................................................................................... 292 24.2.4. Voice Troubleshooting Methodology............................................................................................................................................ 292
Page 7 of 296 Copyright © 2003 by Bradshaw Labs Inc. All Rights Reserved
THE CCIE Book
Introduction to the CCIE Book

Color Legend:
  Blue text         IOS commands
  Pink text         Reference material
  Red text          Traps within a technology
  Highlighted text  Tips that could be traps
(Reference material and traps are highlighted throughout.)

Test Sections: System Setup, ISDN, Frame-Relay, ATM, LAN Switching, IP Management, IGP Routing, BGP, IPX and NLSP, Route Filtering, Redistribution, Bridging, DLSW+, Access-Lists, Traffic Management, Multicasting, Security, VoIP
1. Physical and Data Link Layers

Configure a terminal server
You will have a serial and Ethernet connection to the comm server. Make sure you know which cables you need to connect to the comm server over RS-232.
Config Register Values
  0x2100 – ROM monitor
  0x2101 – Boot from ROM
  0x2102 – Boot from flash, run NVRAM configuration (default)
  0x2142 – Boot from flash, run NO NVRAM configuration (password recovery mode)
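The four values above are bit fields, and the security-relevant bit is bit 6 (0x0040), which makes the router boot without loading its startup-config: that is what password recovery relies on, and it is also why a router left at 0x2142 comes up unconfigured and unauthenticated on every reload. The decoder below is an added example (not from the notes and not Cisco code); the bit meanings are the standard ones for the 2500/2600/3600/7200-class register, and `audit_register` is a hypothetical helper that turns the register from `show version` into the warnings an engineer would want to see.

```python
"""Decode a Cisco IOS 16-bit configuration register (added example, not Cisco code)."""

IGNORE_NVRAM = 0x0040              # bit 6: boot without loading startup-config
BREAK_DISABLED = 0x0100            # bit 8: console Break key ignored once IOS is up
BOOT_ROM_ON_NETBOOT_FAIL = 0x2000  # bit 13: fall back to ROM software if netboot fails
CONSOLE_BAUD = {0x0000: 9600, 0x0800: 4800, 0x1000: 1200, 0x1800: 2400}  # bits 11-12


def decode_config_register(value):
    """Return a dict describing what a register value makes the router do at boot."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("configuration register is a 16-bit value")
    boot_field = value & 0x000F
    if boot_field == 0x0:
        boot = "stay in ROM monitor (rommon)"
    elif boot_field == 0x1:
        boot = "boot the helper image in ROM"
    else:
        boot = "boot from flash (boot system commands, else first image in flash)"
    ignore_nvram = bool(value & IGNORE_NVRAM)
    return {
        "register": f"0x{value:04X}",
        "boot": boot,
        "ignore_nvram": ignore_nvram,
        "break_disabled": bool(value & BREAK_DISABLED),
        "console_baud": CONSOLE_BAUD[value & 0x1800],
        # password recovery = boot IOS normally but skip the startup-config
        "password_recovery_mode": ignore_nvram and boot_field >= 0x2,
    }


def password_recovery_register(current):
    """Register to set from rommon (confreg) so the next boot skips startup-config."""
    return current | IGNORE_NVRAM


def restore_register(current):
    """Register to set back once the passwords are changed. Forgetting this is the
    classic mistake: the router keeps ignoring NVRAM on every reload."""
    return (current & ~IGNORE_NVRAM) & 0xFFFF


def audit_register(value):
    """Warnings a practitioner wants from the register shown by 'show version'."""
    info = decode_config_register(value)
    warnings = []
    if info["ignore_nvram"]:
        warnings.append("startup-config is ignored on boot; restore a 0x2102-style register")
    if not info["break_disabled"]:
        warnings.append("Break is honoured while IOS runs: console access can halt the router into rommon")
    if value & 0x000F == 0x0:
        warnings.append("router will stop in rommon on reload (no IOS boot)")
    return warnings


if __name__ == "__main__":
    for reg in (0x2100, 0x2101, 0x2102, 0x2142):
        print(decode_config_register(reg), audit_register(reg))
```

Run it against the register reported by `show version` after any password-recovery exercise; the only acceptable steady state is `ignore_nvram` False with Break disabled.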
1.1. ROUTER MANAGEMENT
Configuring a router as a TFTP server: tftp-server flash:<image>
Loading the IOS onto a router with no IOS: copy tftp flash
Bypassing the startup configuration on a router: config-register 0x2142
Check out the router / physical layer: sho buff, sho int, sho control, sho memory, sho proc

Setup a Terminal Server
  hostname comm_server
  no ip domain-lo
  enable pass cisco
  int loopback 0
   ip address 1.1.1.1 255.255.255.0
  ip host r1 2001 1.1.1.1
  line 1 16
   transport input all
   no exec
  line vty 0 4
   login
   pass cisco
  line con 0
   login
   pass cisco
   log synch
   exec-timeout 0 0
  ip tcp synwait-time 5

Useful exec commands on the comm server: clear line 3 (free a stuck async line), show sessions, disconnect 5, show line.
Use Ctrl+Shift+6 then x to escape from a router session back to the comm server.
This is a lab configuration: telnet plus an `enable password` in cleartext is fine on an isolated rack, but a production console server should use `enable secret` and restrict who can reach the lines.
1.2. ALIASES
  no ip domain-lo
  ! 4
  alias exec ct conf t
  alias exec sr sh run
  alias exec sri sh run int
  alias exec u undeb all
  ! 6
  alias exec sfm sh frame map
  alias exec sfr sh frame route
  alias exec sfp sh fram pvc
  alias exec sis sh isdn stat
  alias exec sam sh atm map
  alias exec sap sh atm pvc
  ! 4
  alias configure rr router rip
  alias configure ro router ospf
  alias configure re router eigrp
  alias configure rb router bgp
  ! 6
  alias exec siib sh ip int brie
  alias exec sir sh ip rout
  alias exec sie sh ip eigrp
  alias exec sio sh ip ospf
  alias exec sib sh ip bgp
  alias exec sip sh ip protocols
  ! 3
  alias exec sipxr sh ipx route
  alias exec sxr sh ipx route
  alias exec sxs sh ipx server
  ! 3
  alias exec cir cle ip rou
  alias exec cib cle ip bgp
  alias exec cxr clea ipx route
  ! Pings
  alias exec r1s1 ping 180.1.1.1
  !
  line con 0
   logg synch
   exec-time 0 0
  !
  line vty 0 4
  ip tcp synwait-time 5

Run sh ver to check the config register and IOS version.

  alias exec s1 sho run | begin
  alias exec s2 sho run | include
These parse the config quickly: "s1 router bgp" shows the config from `router bgp <AS#>` onward, and "s2 dlsw" shows every line in the config that contains dlsw. Thought it was neat and wanted to pass it along.
Basic Switch Setup
  show module          ! check modules installed, document cards and slots
  show port status
  show mac mod/port
  show port mod/port
  conf t
  int sc0
  set ip address       ! management interface sc0
1.3. LOGGING
  logging buffered 16000
  no logging console                    Don't send logs to the router console
  logging buffered 16384                16 KB history buffer on the router
  logging trap debugging                Catch debugging-level traps (i.e. everything)
  logging facility local7               Syslog facility on the syslog server
  logging 169.223.32.1                  IP address of your first syslog server
  logging 169.223.45.8                  IP address of your second syslog server
  logging source-interface Loopback0    Fixes the source address so the collector knows the messages come from a known source

Eight severity levels (0 to 7): emergencies, alerts, critical, errors, warnings, notifications, informational, debugging
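What the collector receives from the configuration above is a line per message carrying the syslog <PRI> (facility * 8 + severity, so local7/notifications is <189>) and the IOS `%FACILITY-SEVERITY-MNEMONIC:` prefix, filtered by the `logging trap` threshold. The parser below is an added example, not part of the original notes or of any Cisco tool: it decodes that format, checks that the severity in the message agrees with the PRI on the wire, applies the trap threshold, and pulls out the events a SOC normally watches for. The sample log lines are constructed, and the watchlist is my own choice.

```python
"""Parse IOS syslog lines and triage them by severity (added example, not Cisco code)."""
import re

SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

# Optional syslog PRI, optional sequence number, optional IOS timestamp
# (with '*'/'.' unsynchronised markers and an optional zone), then the
# %FACILITY-SEVERITY-MNEMONIC: text body that every IOS message carries.
IOS_MSG = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?:\d+: )?"
    r"(?:[*.]?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d(?:\.\d+)?(?: [A-Za-z]+)?): )?"
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+): (?P<text>.*)$"
)

# Constructed sample lines in the format a router with 'logging facility local7'
# and sequence numbers sends; the last line is deliberate junk.
SAMPLE_LOG = [
    "<189>5: *Mar  1 00:02:11.103: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.5)",
    "<188>6: *Mar  1 00:02:40.551: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] "
    "[Source: 192.0.2.77] [localport: 23] [Reason: Login Authentication Failed]",
    "<189>7: *Mar  1 00:03:02.020: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down",
    "<189>8: *Mar  1 00:05:30.812: %SYS-5-RELOAD: Reload requested by admin on vty0 (10.1.1.5). Reload Reason: Reload Command.",
    "Mar  1 00:06:00 CST: %LINK-3-UPDOWN: Interface Serial0/1, changed state to up",
    "ping 10.1.1.1",
]

# (facility, mnemonic) pairs worth an alert; my selection, not a Cisco list.
WATCHLIST = {
    ("SYS", "CONFIG_I"): "configuration changed",
    ("SYS", "RELOAD"): "reload requested",
    ("SEC_LOGIN", "LOGIN_FAILED"): "login failure",
}


def parse_ios_syslog(line):
    """Return a dict for one IOS message, or None if the line is not one."""
    m = IOS_MSG.match(line.strip())
    if not m:
        return None
    sev = int(m["sev"])
    rec = {
        "timestamp": m["ts"],
        "facility": m["fac"],
        "severity": sev,
        "severity_name": SEVERITY_NAMES[sev],
        "mnemonic": m["mnem"],
        "text": m["text"],
        "pri_consistent": None,   # unknown when the PRI was stripped by the collector
    }
    if m["pri"] is not None:
        pri = int(m["pri"])
        rec["syslog_facility"] = pri // 8          # 23 = local7
        rec["pri_consistent"] = (pri % 8 == sev)   # wire severity must match the message
    return rec


def forwarded_at(rec, trap_level):
    """True if 'logging trap <trap_level>' would send this message to the server."""
    return rec["severity"] <= SEVERITY_NAMES.index(trap_level)


def triage(lines, trap_level="debugging"):
    """Alerts (label, severity name, text) for watchlisted messages that pass the trap level."""
    alerts = []
    for line in lines:
        rec = parse_ios_syslog(line)
        if rec is None or not forwarded_at(rec, trap_level):
            continue
        label = WATCHLIST.get((rec["facility"], rec["mnemonic"]))
        if label:
            alerts.append((label, rec["severity_name"], rec["text"]))
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

Note the effect of the trap level: with `logging trap warnings` only the login failure (severity 4) reaches the collector, and the configuration change and reload (severity 5) are lost, which is why the notes set `logging trap debugging`.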
1.4. IOS FEATURE SETS
  i  IP
  d  Desktop
  j  Enterprise
  k  Kitchen Sink
  o  FireWall
  p  Service Provider
  r  IBM base option (SRB, STUN, DLSW)
  s  Source Route
  u  IP with VLAN RIP (Network Layer 3 Switching, rsrb, srb, srt, sr/tlb)

A 2 after the letter signifies a subset of that set.

IOS Execution Area
The last few characters determine where the IOS will run:
  m  RAM
  f  flash
  r  ROM
  l  relocated at run time
  z  image is zip compressed
  x  image is mzip compressed
  w  image is stac compressed
Router Hardware
NVRAM, Flash, memory & CPU, file system, config register. File transfers (TFTP operations), password recovery, copy tftp flash.
  service compress-config
  service timestamps log datetime localtime
Process Switching
  Uses the CPU for every packet; required for debugging.
  To enable: no ip route-cache, no ip mroute-cache

Fast Switching
  Default for all protocols except IP

Silicon Switching / Autonomous Switching
  On the 7000: fast switching uses the RP, silicon switching uses the SSP, and autonomous switching also runs on the SSP (or the older SP).

Optimum Switching
  Similar to fast switching but faster
  Default for TCP/IP; disabled for debugging
  Requires an RSP (7500 series)

Distributed Switching
  Handled by the interface processors
  Requires a VIP
  Same as CiscoFusion or MLS

NetFlow Switching
  Enables you to collect statistics

Switching Features that Affect Performance
  Queuing: FIFO; Priority – assigned priority; Custom – percent of bandwidth; WFQ – low/high bandwidth requirements; RED – ToS prioritizing
  Compression
  Encryption
  Filtering – access-lists
  Accounting
1.5. BASIC INTERFACE CONFIGURATION
Editing keys:
  CTL+A   Move to beginning of line
  CTL+E   Move to end of line
  CTL+F   Move forward one character
  CTL+B   Move backward one character
  CTL+N   Most recent command recall
  CTL+R   Repaint the line
  CTL+D   Delete the character at the cursor
  CTL+K   Delete right of the cursor
  CTL+U   Delete left of the cursor
  CTL+W   Delete the word to the left
  ESC+D   Delete the word to the right
  ESC+B   Move backward one word
  ESC+F   Move forward one word
Terminal history size, terminal no editing, terminal editing. Configuration register settings.

Parsing
  show configuration | ?
    begin    Begin with the line that matches
    exclude  Exclude lines that match
    include  Include lines that match

  show running-config | begin router bgp
  router bgp 200
   no synchronization
   neighbor 4.1.2.1 remote-as 300
   neighbor 4.1.2.1 description Link to Excalabur
   neighbor 4.1.2.1 send-community
   neighbor 4.1.2.1 version 4
   neighbor 4.1.2.1 soft-reconfiguration inbound
   neighbor 4.1.2.1 route-map Community1 out
   maximum-paths 2
Loopbacks
  BGP update-source
  Router ID for OSPF and BGP
  IP unnumbered interfaces

IP Unnumbered Interfaces
IP addresses do not need to be used on static WAN links to customers. IP unnumbered saves a /30 of address space and one entry in the IGP routing table, a significant saving for a large number of customers. IP unnumbered makes use of the loopback interface on the ISP's backbone router, the same loopback interface used for iBGP etc. An example:
  interface Serial 5/0
   description 128K HDLC link to San Jose R5-0
   bandwidth 128
   ip unnumbered loopback 0
  !
  ip route 215.34.10.0 255.255.252.0 Serial 5/0
1.6. CISCO DISCOVERY PROTOCOL (CDP)
*Excellent tool for displaying neighbor and interface status on routers.
Works only at the data link layer, using SNAP frames.
Sent to the multicast MAC address 01-00-0C-CC-CC-CC.
Holdtime (TTL) is 180 seconds.
Use cdp timer to change the update interval; the default is 60 seconds.
CDP advertises platform, IOS version and IP addresses in cleartext to anyone on the segment, so disable it (no cdp enable) on interfaces facing untrusted networks.

On Routers
  sh cdp neighbors
  sh cdp neighbors detail
  cdp enable, cdp timer, and cdp run affect IP and DDR

On Switches
  set cdp enable all            ! enable CDP on all ports
  set cdp disable all           ! disable CDP on all ports
  set cdp enable mod/port       ! enable CDP on a particular port
  set cdp disable mod/port      ! disable CDP on a particular port
  sh cdp port

CDP Troubleshooting
  cdp run – enable CDP globally
  no cdp run – disable CDP globally
  no cdp enable – disable CDP per interface
1.7. DOMAIN NAME SYSTEM (DNS)
  ip domain lookup
  ip name-server 131.108.111.1 131.108.111.2
  ip domain-name cisco.com
1.8. NETWORK TIME PROTOCOL (NTP)
NTP can take up to thirty minutes to converge. Whenever you configure authentication that depends on the date, or any ACLs that use a time range, make sure you use an NTP server, or authentication can fail because of clock differences.

  clock set hh:mm:ss day month year     Used to set the router clock
  clock timezone CST -6
  clock summer-time CDT recurring
  ntp master 3                          Use on the server
  ntp update-calendar
  ntp source e0
  ntp peer 1.1.1.1 version 1            Use on the client (symmetric peer)
    -or-
  ntp server 11.1.1.1 version 1         Use on the client (client/server)
  ntp broadcastdelay 2000

Verification:
  sh calendar
  clock set
  sh clock
  sh ntp associations detail
  sh ntp status
1.8.1. Association Modes
The association of two routers can operate in one of several modes: server, client, peer, and broadcast/multicast. The modes are further classified as active and passive:
Active modes: the host continues to send NTP messages regardless of the reachability or stratum of its peer. Client, Peer, Broadcast/Multicast.
Passive modes: the host sends NTP messages only as long as its peer is reachable and operating at a stratum level less than or equal to the host. Server, Peer.
Server Mode
By operating in server mode, a host (usually a LAN time server) announces its willingness to synchronise, but not to be synchronised by, a peer. This type of association is ordinarily created upon arrival of a client request message and exists only in order to reply to that request, after which the association is dissolved. Server mode is a passive mode.

Client Mode
By operating in client mode, the host (usually a LAN workstation) announces its willingness to be synchronised by, but not to synchronise, the peer. A host operating in client mode sends periodic messages regardless of the reachability or stratum of its peer. Client mode is an active mode.

Peer Mode
By operating in peer mode (also called "symmetric" mode), a host announces its willingness to synchronise and be synchronised by other peers. Peers can be configured as active (symmetric-active) or passive (symmetric-passive).

Broadcast/Multicast Mode
By operating in broadcast or multicast mode, the host (usually a LAN time server operating on a high-speed broadcast medium) announces its willingness to synchronise all of the peers, but not to be synchronised by any of them. Broadcast mode requires a broadcast server on the same subnet, while multicast mode requires support for IP multicast on the client machine, as well as connectivity via the MBONE to a multicast server. Broadcast and multicast modes are active modes. An error condition results when both peers operate in the same mode, except for the case of symmetric-active mode.
NTP Source Interface
NTP is the means of keeping the clocks on all the routers on the network synchronised to within a few milliseconds. If the loopback interface is used as the source interface between NTP speakers, it makes filtering and authentication somewhat easier to maintain. Most ISPs only wish to permit their customers to synchronise with their time servers and not everyone else in the world. A configuration example:
  clock timezone SST 8
  !
  access-list 5 permit 192.36.143.150
  access-list 5 permit 169.223.50.14
  !
  ntp authentication-key 1234 md5 104D000A0618 7
  ntp authenticate
  ntp trusted-key 1234
  ntp source Loopback0
  ntp access-group peer 5
  ntp update-calendar
  ntp peer 192.36.143.150
  ntp peer 169.223.50.14
The access-group and the key do different jobs: the ACL is only a source-address check, while authentication is what stops an unlisted or spoofed peer from pushing a false time onto the router.
Authentication
Add to all routers:
ntp authentication-key 1 md5 cisco
ntp authenticate
ntp trusted-key 1
ntp server 1.1.1.1 key 1    ! client / server association

Page 15 of 296 Copyright © 2003 by Bradshaw Labs Inc. All Rights Reserved
1.9. HTTP
no ip http server                 ! Disables the HTTP service
ip http server
ip http port 8765
!
line vty 0 4
ip http access-class 1
!
debug ip http url
debug ip http tokens
debug ip http transactions

ip http server
ip http port 8765                 ! use a non-standard port
ip http authentication aaa        ! use the AAA authentication method which has been configured
ip http access-class 1            ! access-list to protect the HTTP port
access-list 1 permit 10.1.1.1
1.10. SNMP
snmp-server community

Configuration
Router:
snmp-server community public ro
snmp-server community private rw
Switch:
set snmp community read-only public
set snmp community read-write private

SNMP in read-only mode
If SNMP is used in a read-only scenario, ensure that it is set up with appropriate access controls. The following is an example:
access-list 98 permit 215.17.34.1
access-list 98 permit 215.17.1.1
access-list 98 deny any
!
snmp-server community 5nmc02m RO 98
snmp-server trap-source Loopback0
snmp-server trap-authentication
snmp-server enable traps config
snmp-server enable traps envmon
snmp-server enable traps bgp
snmp-server enable traps frame-relay
snmp-server contact Barry Raveendran Greene [[email protected]]
snmp-server location Core Router #1 in City Y
snmp-server host 215.17.34.1 5nmc02m
snmp-server host 215.17.1.1 5nmc02m
snmp-server tftp-server-list 98
!
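As an added example (not from the original notes), a small Python audit that reads an IOS configuration and flags the gaps the NTP and SNMP sections above warn about: unauthenticated or unkeyed NTP associations, a missing ntp access-group, default or read-write SNMP communities, communities without an access-list, and an HTTP server left on without access-class or authentication. The two configurations it checks are constructed for the example; the key string, community string and addresses are placeholders.

```python
import re

# Two constructed IOS configuration fragments (not from the notes). The weak one
# mirrors the default "public ro / private rw" communities and an unfiltered
# HTTP server; the hardened one follows the NTP/SNMP pattern of the examples
# above, with a documentation-range time server and a placeholder key string.
WEAK_CONFIG = """
ntp server 192.0.2.1
snmp-server community public ro
snmp-server community private rw
ip http server
"""

HARDENED_CONFIG = """
access-list 5 permit 192.0.2.1
access-list 98 permit 192.0.2.50
access-list 98 deny any
ntp authentication-key 1234 md5 PLACEHOLDER-KEY
ntp authenticate
ntp trusted-key 1234
ntp source Loopback0
ntp access-group peer 5
ntp server 192.0.2.1 key 1234
snmp-server community r0-c0mmun1ty RO 98
snmp-server host 192.0.2.50 r0-c0mmun1ty
no ip http server
"""


def _ids(pattern, lines):
    """Set of the first regex group from every line that matches pattern."""
    return {m.group(1) for m in map(re.compile(pattern).match, lines) if m}


def _acl_defined(name, lines):
    """True if a numbered or named access-list with this name/number is configured."""
    pat = re.compile(rf"(?:ip )?access-list (?:standard |extended )?{re.escape(name)}\b")
    return any(pat.match(ln) for ln in lines)


def audit_ios_config(config):
    """Return a list of findings for the NTP, SNMP and HTTP settings of an IOS config."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []

    # NTP: with authentication enabled only packets signed with a trusted key are
    # accepted, and an access-group decides who may peer, be served or query.
    assocs = [ln for ln in lines if re.match(r"ntp (server|peer) \S+", ln)]
    if assocs:
        trusted = _ids(r"ntp trusted-key (\d+)", lines)
        defined = _ids(r"ntp authentication-key (\d+) md5 ", lines)
        if "ntp authenticate" not in lines:
            findings.append("NTP: 'ntp authenticate' missing; time from unauthenticated sources is accepted")
        for key in sorted(trusted - defined):
            findings.append(f"NTP: trusted-key {key} has no 'ntp authentication-key {key} md5 ...'")
        for ln in assocs:
            m = re.search(r" key (\d+)", ln)
            if not m:
                findings.append(f"NTP: association not keyed: '{ln}'")
            elif m.group(1) not in trusted:
                findings.append(f"NTP: key {m.group(1)} in '{ln}' is not a trusted key")
        if not any(re.match(r"ntp access-group (peer|serve|serve-only|query-only) ", ln) for ln in lines):
            findings.append("NTP: no 'ntp access-group'; any host may query or synchronise with this router")

    # SNMP: v1/v2c community strings travel in clear text, so they must not be the
    # defaults, should be read-only, and need an access-list naming the managers.
    for ln in lines:
        m = re.match(r"snmp-server community (\S+)(?: view \S+)? (ro|rw)(?: (\S+))?$", ln, re.I)
        if not m:
            continue
        name, mode, acl = m.group(1), m.group(2).lower(), m.group(3)
        if name.lower() in ("public", "private"):
            findings.append(f"SNMP: default community string '{name}'")
        if mode == "rw":
            findings.append(f"SNMP: read-write community '{name}'; use RO unless writes are required")
        if acl is None:
            findings.append(f"SNMP: community '{name}' has no access-list restricting managers")
        elif not _acl_defined(acl, lines):
            findings.append(f"SNMP: community '{name}' references undefined access-list {acl}")

    # HTTP: if the server stays on it needs an access-class and a real auth method.
    if "ip http server" in lines:
        if not any(ln.startswith("ip http access-class ") for ln in lines):
            findings.append("HTTP: 'ip http server' enabled without 'ip http access-class'")
        if not any(ln.startswith("ip http authentication ") for ln in lines):
            findings.append("HTTP: 'ip http server' enabled without 'ip http authentication'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_ios_config(cfg) or ["no findings"])
```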
1.11. AGGREGATE T1’S AT
If you want to aggregate the bandwidth of two serial T1s at layer 2, try this. It saves IP space, prevents layer 3 route reconvergence when a link flaps, and provides better redundancy/throughput overall.
R1
interface Multilink1
 ip address 10.252.3.1 255.255.255.252
 ppp multilink
 multilink-group 1
!
interface Serial0/0
 description T1 to Router2
 no ip address
 encapsulation ppp
 no fair-queue
 ppp multilink
 multilink-group 1
!
interface Serial0/1
 description T1 to Router2
 no ip address
 encapsulation ppp
 no fair-queue
 ppp multilink
 multilink-group 1

R2
interface Multilink1
 ip address 10.252.3.2 255.255.255.252
 ppp multilink
 multilink-group 1
!
interface Serial0/0
 description T1 to Router1
 no ip address
 encapsulation ppp
 no fair-queue
 ppp multilink
 multilink-group 1
!
interface Serial0/1
 description T1 to Router1
 no ip address
 encapsulation ppp
 no fair-queue
 ppp multilink
 multilink-group 1
1.12. LEVEL ONE TROUBLESHOOTING
Are the interfaces in an "Up/Up" state?
show ip interface brief
show atm interface status
show ports (CAT 5000)
show mac (CAT 5000)
show modules (CAT 5000)
General interface troubleshooting: show controllers
Which end of the connection is the DTE and which end is the DCE? show cdp neighbor

Show Buffers
Displays data link errors: hits, misses, buffer sizes

Show Interfaces
show line – shows connectivity status
show sessions – displays connectivity
No clock rate set on DCE serial interface
Encapsulation type mismatch
LMI mismatch
Keepalive timer mismatch
Up / down status – protocol, physical
Bandwidth – used for IGRP metrics
Load – 255/255 = 100% utilization
Reliability – 255/255 = 100% reliable
Last input – dead interface?
Output – dead interface?
No buffers – main memory problems
Received broadcasts – should be less than 20% of total input
Runts
Giants
CRC – noise on links
Collisions – 0.1% or less of output packets
Show Interface – Ethernet
CRC errors – noise
Collisions – should be less than 0.1%
Runts – should not have any
Late collisions – check diameter of network, bad network design
Ethernet lines can be in an up/down state when no cable is connected, since they need a transceiver. Turn off keepalives and Ethernet interfaces can be in an up/up state.
show controllers e
debug ethernet-interface

Show Interface – Fast-Ethernet
Half / full duplex
Trunking, VLAN

Show Interface – Token-Ring
Token ring is reset – hardware error occurred
Interface resets – lobe cable failure
Transitions – ring up / down
Incorrect ring-speed
debug token events
show controllers token-ring
debug token ring
show lnm status
Show Interface – Serial
Bandwidth – is it the actual bandwidth?
Packets input – error-free packets
Ignored – burst noise
Carrier transitions – line up / down, modem or line problems
Interface resets – modem not supplying a clock signal, or cable problem
The DCE side must supply the clock rate.
show controllers – displays DCE / DTE configuration, cable status
clock rate – sets the clock rate

Show Interface – FDDI
Bypass switch installed, check NAUN. Bypass switches do not repeat signals like a transceiver does; this causes signal degradation.
ECM: SMT entity for coordination management. This indicates the router state: out, in (normal), trace, leave, path_test, insert, check, deinsert.
Neighbor states:
A – DAS neighbor attached to primary ring
S – SAS neighbor
B – DAS neighbor, secondary ring
M – concentrator
Unk – unknown
Status states (line status):
LSU – line state unknown
QLS – quiet
NLS – noise
ALS – active
MLS – master
OVUF – overflow / underflow (buffer)
ILS – idle
HLS – halt

Router Interface Status
TRA – stuck beacon condition
Physical states – join, vfy, act
Neighbor – A or S, B or M
CMT signal bits – should be ILS or ALS
ECM – should be IN
CFM – should be Thru
RMT – should be ring-op
Show Interface – ATM
encap AAL5 (PVC or SVC)
max vc – compare
current vc – compare

Show Controllers Token-Ring
Ring number mismatch
Output line errors – CRC errors
Indicator burst error – noise / crosstalk
Receive congested error – traffic problems
Line, burst, and receive congestion errors are the most common on TR networks.
Isolating errors – line, internal, burst, ARI/FCI, abort
Non-isolating errors – lost frame, copy, receive congestion, token, frame

Show Memory
Check the size of the largest free block.

Show Processes
Run the command one minute apart; the processes whose counters incremented are the CPU-load ones.

Debug Commands
service timestamps log datetime localtime – adds timestamps to log and debug output
debug broadcast
terminal monitor – to copy debug output to the terminal
sho proc cpu
Troubleshooting
Router1#show line aux 0
   Tty Typ     Tx/Rx      A Modem  Roty AccO AccI  Uses  Noise  Overruns
A    1 AUX  38400/38400  - inout                      0      0       0/0

Line 1, Location: "", Type: ""
Length: 24 lines, Width: 80 columns
Baud rate (TX/RX) is 38400/38400, no parity, 2 stopbits, 8 databits
Status: Ready, Active, Async Interface Active
1.13. ROUTER AS PACKET ANALYZER
rmon ?
  native        Monitor the interface in native mode
  promiscuous   Monitor the interface in promiscuous mode

If you want to see certain packets that are going through the router, do a "debug ip packet dump". I would advise using an access list with it to only see the packets you are looking for. Also turn off route caching on the interfaces.
r1# deb ip packet 100 dump
IP packet debugging is on (dump) for access list 100
*Mar 11 07:16:07: IP: s=172.16.10.15 (local), d=63.15.14.16 (Ethernet0), len 42, sending
00E03380:                            4500002A              E..*
00E03390: 00A80000 FF06DAA6 AC10829B 3FC37210  .(....Z&,...?Cr.
00E033A0: 07D9F2E6 E0031F86 463B1C49 50181038  .Yrf`...F;.IP..8
00E033B0: F0210000 72230A20 00002020 20507269  p!..r#. ..   Pri
00E033C0: 6E74206D 6F726520 64656275 67        nt more debug
*Mar 11 07:16:07: IP: s=63.15.14.16 (Ethernet0), d=172.16.130.155 (Ethernet0), len 40, rcvd 3
00E12BC0:                   0050 54800958 00D0BBCC  .PT..X.P;L
00E12BD0: 9C200800 45000028 37614000 7106F1EF  . ..E..(7a@.q.qo
00E12BE0: 3FC37210 AC10829B F2E607D9 463B1C49  ?Cr.,...rf.YF;.I
00E12BF0: E0031F86 501040A2 31E50000 00000000  `...P.@"1e......
00E12C00: 000043                               ..C
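As an added example (not from the original notes), a small Python decoder for the hex rows that debug ip packet dump prints: it joins the rows of each packet into bytes, skips an Ethernet header when the dump of a received frame starts with one, decodes the IPv4 header and the TCP/UDP ports, verifies the IP header checksum, and cross-checks the addresses against the IP: s=/d= line IOS printed. The dump text it runs on is constructed for the example (documentation-range addresses, made-up ports and memory offsets), not the output above.

```python
import re
import struct
from ipaddress import IPv4Address

# Constructed sample of "debug ip packet <acl> dump" output (not the dump from the
# notes): addresses come from the documentation prefixes 192.0.2.0/24 and
# 198.51.100.0/24, memory offsets and ports are made up, checksums are valid.
SAMPLE_DUMP = """\
IP packet debugging is on (dump) for access list 100
*Mar  1 00:00:01: IP: s=192.0.2.10 (local), d=198.51.100.20 (Ethernet0), len 40, sending
00E03380:                            45000028              E..(
00E03390: 00010000 40068E7D C000020A C6336414  ....@..}@...F3d.
00E033A0: 04D20050 00000001 00000000 50022000  .R.P........P. .
00E033B0: 00000000                             ....
*Mar  1 00:00:01: IP: s=198.51.100.20 (Ethernet0), d=192.0.2.10 (Ethernet0), len 40, rcvd 3
00E12BC0:                   0050 54800958 00D0BBCC  .PT..X.P;L
00E12BD0: 9C200800 45000028 00020000 3F068F7C  . ..E..(....?..|
00E12BE0: C6336414 C000020A 005004D2 00000000  F3d.@....P.R....
00E12BF0: 00000002 50122000 00000000           ....P. .....
"""

_ROW = re.compile(r"^[0-9A-Fa-f]{8}:\s*(.*)$")      # "00E03390: <hex words> <ascii>"
_HEX = re.compile(r"^[0-9A-Fa-f]+$")
_ADDR = re.compile(r"\b([sd])=(\d+\.\d+\.\d+\.\d+)")  # s=/d= in the IP: debug line


def split_packets(dump):
    """Group the dump into (debug line, raw bytes) pairs, one per packet."""
    packets = []
    for line in dump.splitlines():
        text = line.strip()
        if text.startswith("*") and " IP: " in text:
            packets.append((text, bytearray()))
            continue
        m = _ROW.match(text)
        if not m or not packets:
            continue
        for tok in m.group(1).split():
            # Hex words are 2..8 hex digits; the first other token is the ASCII column.
            if len(tok) % 2 or len(tok) > 8 or not _HEX.match(tok):
                break
            packets[-1][1].extend(bytes.fromhex(tok))
    return [(h, bytes(b)) for h, b in packets]


def ip_header_checksum(header):
    """RFC 791 checksum of an IPv4 header, computed with its checksum field zeroed."""
    hdr = bytearray(header)
    hdr[10:12] = b"\x00\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def decode(raw):
    """Decode the IPv4 header (and L4 ports/flags) from one dumped packet."""
    # A received frame is dumped from its Ethernet header; 0x0800 at bytes 12-13 marks it.
    off = 14 if len(raw) >= 14 and raw[12:14] == b"\x08\x00" else 0
    ip = raw[off:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("dump does not start with an IPv4 header")
    ihl = (ip[0] & 0x0F) * 4
    total_len, ident, frag, ttl, proto, cksum = struct.unpack("!HHHBBH", ip[2:12])
    info = {
        "linklayer": "ethernet" if off else "none",
        "total_len": total_len, "captured": len(ip),
        "ttl": ttl, "proto": proto, "df": bool(frag & 0x4000),
        "src": str(IPv4Address(ip[12:16])), "dst": str(IPv4Address(ip[16:20])),
        "checksum_ok": ip_header_checksum(ip[:ihl]) == cksum,
    }
    if proto in (6, 17) and len(ip) >= ihl + 4:
        info["sport"], info["dport"] = struct.unpack("!HH", ip[ihl:ihl + 4])
    if proto == 6 and len(ip) >= ihl + 14:
        info["tcp_flags"] = ip[ihl + 13]
    return info


def debug_line_matches(line, info):
    """True when the s=/d= addresses IOS printed agree with the decoded header."""
    printed = dict(_ADDR.findall(line))
    return printed.get("s") == info["src"] and printed.get("d") == info["dst"]


def analyse(dump):
    """Decode every packet in a dump; each result carries the consistency checks."""
    results = []
    for line, raw in split_packets(dump):
        info = decode(raw)
        info["line_matches"] = debug_line_matches(line, info)
        results.append(info)
    return results


if __name__ == "__main__":
    for r in analyse(SAMPLE_DUMP):
        print(r)
```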
2. FRAME-RELAY
You can ping your own FR interface if you map its IP to its DLCI.
Whenever you use map commands, automatically disable inverse-arp: no frame-relay inverse-arp
If you ping a connection and get an “encap failed” message, check your PVCs.
When disabling split horizon you must use distribute-lists to prevent routing loops.
Whenever the connection types are different you will have OSPF network type mismatches.
If you change a L3 address, do clear frame-relay inarp on all remote connections.
LMI uses DLCIs 0 and 1023. User ranges can be between 16 and 1007.
0 - 15, 1008 - 1023 – Reserved
1019 - 1026 – Multicast
1023 – LMI
0 – ANSI / ITU
Packet switched networks are not the best at telling a DTE when there's a problem in the cloud. ATM and FR interfaces may stay up/up even if the remote is down.
A point-to-point subinterface can only accommodate a single DLCI at any given time. Point-to-point sub-interfaces are treated by the IOS like a physical point-to-point interface and do not need either inverse-arp or frame-relay map statements. Multipoint DLCIs rely on map statements for proper operation.
The broadcast parameter is required for protocols such as OSPF.
If the router is reloaded, inverse-arp will be disabled for any DLCI that is used with a frame-relay map statement. As a rule, when configuring frame-relay map statements make note of the protocol and the DLCI specified; if there are any inverse mappings for that same protocol referencing the same DLCI, replace the inverse-arp entries with frame-relay map statements.
Without the frame-relay interface-dlci command, all DLCIs are assigned to the physical interface.
Split horizon only blocks routing updates in a hub and spoke topology. A Cisco IOS remedy to this split horizon problem is to disable split horizon on the hub router in a frame-relay network; this can be performed in interface configuration mode.
Split horizon is disabled on frame-relay physical IP interfaces; split horizon is enabled on frame-relay point-to-point and multipoint IP sub-interfaces.
When using only physical interfaces in a hub and spoke topology you need to add a frame-relay map statement on the spoke routers to assure spoke-to-spoke reachability; nothing needs to be done to the hub router.
If using point-to-point sub-interfaces, each sub-interface must be configured as a separate subnet.

Inverse-ARP
Inverse ARP will resolve a remote network layer address with a local DLCI even if the remote IP address does not belong to the local subnet. If you run into this, shut down the interface, execute the "clear frame map" command and then bring the interface back up.
Inverse ARP only works with directly connected sites.
A DLCI that was discovered by inverse-arp should not be referenced by a map statement.
FR and ISDN Similarities
Frame Relay        ISDN                  
encap frame        isdn switch-type      Both start with the encapsulation / switch type on the interface
check dlci         check switch          Check L2 devices for activity
sh fram pvc        sh isdn status        Check for L2 connectivity

LMI
LMI uses DLCI 0 or 1023.
LMI is autosensed starting with IOS 11.2.
myseq and yourseq should be incrementing by one.
If LMI is not working you will see DLCIs dropping, and myseq or yourseq will not be incrementing.
If you change the network layer address, run the command clear frame-relay inarp on all remote connections.
Configure Frame-Relay Switch
hostname frameswitch-r6
enable password cisco
no ip domain-lookup
frame-relay switching
!
interface s1
 clock rate 64000
 encapsulation frame-relay
 frame-relay intf-type dce
 frame-relay route 102 interface s2 201
 frame-relay route 103 interface s3 301
!
interface s2
 clock rate 64000
 encapsulation frame-relay
 frame-relay intf-type dce
 frame-relay route 201 interface s1 102
!
interface s3
 clock rate 64000
 encapsulation frame-relay
 frame-relay intf-type dce
 frame-relay route 301 interface s1 103
Verify with show frame-relay route (aliases sfm, sfp, sfr).
2.1. CONNECTIVITY SCENARIOS
Scenario 1
Hub: Physical (I) inverse-arp
Spoke: Physical (M) maps
Problem and solution: No spoke-to-spoke connectivity. Add map for spoke-to-spoke; add map to all routers (inverse-arp/map problems); use distribute-list to fix SH problems; OSPF NBMA; SH: enable on spokes.

Scenario 2
Hub: PtM (D) interface-dlci
Spoke: PtP (D) interface-dlci
Problem and solution: “possibly down” networks; disable split horizon on hub. OSPF network type; DV problems.

Scenario 3
Hub: Physical (D) inverse-arp
Spoke: PtP (D) interface-dlci
Problem and solution: SH problems; sir will display “possibly down” routes; disable SH.

Scenario 4
Hub: PtM (D) interface-dlci, multiple DLCIs; map or inverse-arp can be used
Spoke: Physical (M) maps
Problem and solution: OSPF network mismatch.

Scenario 5
Hub: PtP; no inverse-arp; use interface-dlci; can use map statements
Spoke: PtP
Problem and solution: Separate subnets.

Legend: (I) Inverse-ARP statement, (D) Interface-dlci statement, (M) FR map statement
General Guideline
PtM: Needs map (DLCI preferred) or inverse-arp to associate neighbors. Split horizon is disabled on physical interfaces.
PtP: Does not use map statements; uses interface-dlci. Enable SH on PtP and PtM spokes.
2.2. CONFIGURING FRAME-RELAY
1 – Enable frame-relay on both sides
int ser 0
 encap frame-relay
 bandwidth 64
 no shutdown
2 – Verify the interface is communicating to the switch
show frame-relay pvc – PVC STATUS must be ACTIVE
show frame-relay arp – inverse-arp maps DLCIs
Inverse-arp will also get the L3 addresses; if these are wrong or changed after encapsulating frame-relay, use the clear frame-relay inarp command to clear FR’s arp.

Basic FR Configuration
R1
int s0
 encap frame-relay
int s0.1 multipoint
 frame-relay interface-dlci 102
int s0.2 point-to-point
 frame-relay interface-dlci 103
R2
int s0
 encap frame-relay
 frame-relay interface-dlci 102
R3
int s0
 encap frame-relay
 frame-relay interface-dlci 103

FR Commands
clear frame-relay inarp
frame-relay de-group 3 200 / frame-relay de-list 3 protocol ip gt 512

Frame-Relay Discard Eligibility
Sets the DE bit on the outgoing DLCI (200 in this case):
frame-relay de-list 3 protocol ip gt 512
frame-relay de-group 3 200
Use extended ping to test and sfp to display DE packets.
2.3. TROUBLESHOOTING FRAME RELAY
FRF.8 requires IETF encapsulation; this is used when going from ATM to ATM and using frame-relay.
clear frame-relay inarp – used to clear bad map statements out of the map cache. If inverse-arp screws up the map cache this will correct it.

LMI Issues
LMI types – cisco, ansi, ccitt
sh int s0 – with LMI problems the line protocol will be down, and LMI sent will increment but LMI received will not.
show frame lmi
debug frame lmi
show frame-relay pvc
These display the stability of your Frame connections: Num Status … Sent/Recv’d should be equal; Num Status Timeouts should be 0. Use debug frame lmi to determine the problem. DTE status should be up; myseq should be incrementing by one; yourseq should be incrementing by one. Always check both sides of the connection. A PVC status of deleted means that this PVC is no longer being reported by LMI.

Other Issues
show int type
show frame-relay pvc – displays the status of all PVCs (DLCIs); all should be active. If not, check the interface configurations of the inactive PVCs and the DTE device configuration.
show frame-relay map
sho frame-relay traffic
sho frame-relay route
show frame-relay svc maplist
debug frame-relay events – DLCI problems, input problems, 25 pps or less
debug serial interface – HDLC keepalives, displays timing problems
debug ip packet
debug frame-relay packet
“encaps failed - no map entry line 7 (IP)” – check PVC status with show frame-relay pvc; no PVC connectivity.
“IP: s=172.16.1.1 (local), d=172.6.1.2 (Serial0), len 100, Sending.” repeating with no reply – frame map missing at the other side.
debug ip icmp
Is the router properly communicating to the frame-relay switch? Does show frame pvc display the DLCIs as active?
Are your packets leaving the router? debug frame packet; show frame pvc (packets in / packets out)
Are your frame relay map statements correct? (show frame map)
Favorite Frame-Relay troubleshooting tool in a lab environment: debug frame packet
Problem Isolation
Problem area                 Fix
Local physical link          Fix cabling
Configuration for PVCs       Check encap, LMI, speed
Layer 2 -> 3 maps            Check address configuration
Remote site OK               Contact remote site

Symptom                     Problem                                                        Action
Link is down                no keepalives, bad encryption, DLCI inactive, LMI mismatch,    sho int, sh frame pvc, sh int serial, sf lmi
                            bad encap
Can’t ping remote router    DLCI inactive, bad access-list, no map, no broadcast in map    sh frame map, sh access-list, sfm
Can’t ping end-to-end       split-horizon, access-list for protocol, no gateway on         sfm
                            workstation
3. ISDN
The broadcast parameter allows broadcast traffic to be forwarded, and broadcasts will reset the idle timer. Just as with frame-relay map statements, the dialer-map broadcast parameter is required for proper OSPF operation over a DDR link. Note that when the broadcast parameter is added the DDR link can stay up indefinitely due to constant broadcast traffic; to remedy this situation granular dialer-lists must be configured.
A physical interface can be associated with multiple dialer pools. A logical dialer interface can be associated with only one dialer pool.
In order to configure PPP CHAP authentication with dialer profiles, enter the ppp authentication chap statement at both the physical interface and the logical dialer interface.
The dialer remote-name statement is critical for the called party: it must match the calling party's host name or the name specified in the calling party's ppp chap hostname statement.
Backup for a DLCI for IP, but IPX has to flow all the time: has to be a profile.
Backup a serial interface with the least number of commands: legacy, HDLC, and a dial string.

Interface Types
TE2 –r– TA/TE1 –s– NT2 –t– NT1 –u– LE
BRIs have SPIDs, PRIs do not.
Snapshot Routing: the client defines the quiet period.
Use ppp quality for DDR based on the quality of the line.

Call Setup Messages
SETUP, CALL_PROC, CONNECT, CONNECT_ACK

Teardown Messages
DISCONNEC, RELEASE,

ISDN and OSPF
Add the broadcast parameter to dialer maps.

Routing over DDR
Floating statics with dynamic routing protocol
OSPF demand circuit
distribute-list
snapshot routing (RIP, IGRP, IPX RIP)
BGP – long keepalive timer + default idle timer
no peer neighbor-route
DLSw – turn off keepalive or use dynamic with inactivity
Bridge (over tunnel) – turn off spanning tree
EIGRP – filter the hellos (224.0.0.10):
access-list 101 deny eigrp any any
access-list 101 deny ip any 224.0.0.10 0.0.0.0
suppress-statechange-updates – prevents routing traffic on the line when the line was initiated by interesting traffic. Need the dialer parameter as well, since this is what allows a call for routing traffic.
Basic Configuration Needs
Info you need to configure is:
BRI – DN, SPID, signaling protocol
PRI – timeslot 24 is for the D channel; controller, framing, linecode, pri-group
Basic ISDN (3 statements)
Add authentication (3 statements)
Add dialer-list complexity (3 interface / 1 global statements)
Four step configuration:
Define interesting traffic – dialer-list
Map destination – dialer map
Define interface – dialer-group
Options – dialer idle-timeout, dialer fast-idle, dialer load-threshold

Basic Configuration
This is the basic configuration for an ISDN connection. Notice three ISDN, dialer, and PPP statements are required.
R1
username r2 password 0 sanfran
isdn switch-type basic-ni
interface BRI0
 ip address 199.10.10.1 255.255.255.0
 isdn switch-type basic-ni
 isdn spid1 0835866101 8358661
 isdn spid2 0835866301 8358663
 dialer idle-timeout 90                                  ! Interesting traffic timeout
 dialer map ip 199.10.10.2 name r2 broadcast 8358662    ! Map command, or dial string 8358662
 ! Need a static map with just a dial string to send traffic
 ! Dial strings and maps are to dial out only
 ! These are not needed if the router is to receive calls only
 dialer-group 1                                          ! Assign dialer list 1 to int
 encapsulation ppp
 ppp authentication chap
 ppp multilink                                           ! Negotiate MLPPP
dialer-list 1 protocol ip permit                         ! Define interesting traffic

R2
username r1 password 0 sanfran
isdn switch-type basic-ni
interface BRI0
 ip address 199.10.10.2 255.255.255.0
 isdn switch-type basic-ni
 isdn spid1 0835866201 8358662
 isdn spid2 0835866401 8358664
 dialer idle-timeout 90
 dialer map ip 199.10.10.1 name r1 broadcast 8358661
 dialer-group 1
 encapsulation ppp
 ppp authentication chap
 ppp multilink
dialer-list 1 protocol ip permit                         ! Needed for dialer-group 1

General L2 Connectivity
R1
isdn switch-type basic-ni
int bri 0
 isdn switch-type basic-ni
 isdn spid1 0835866201 8358662
 isdn spid2 0835866401 8358664
R5
isdn switch-type basic-ni
int bri 0
 isdn switch-type basic-ni
 isdn spid1 0835866101 8358661
 isdn spid2 0835866301 8358663

Configuration
(3) Basic ISDN commands (switch-type / SPIDs)
(3) Add authentication
(3+1) Add dialer-list complexity (3 interface and 1 global statements)
Four step configuration:
Define interesting traffic – dialer-list
Define interface – dialer-group
Map destination – dialer map
Options – idle-timeout, fast-idle, load-threshold

Example: see the R1 basic configuration above.

Call Messages
SETUP, CALL_PROC, CONNECT, CONNECT_ACK
DISCONNECT, RELEASE,

BRI Configuration
Configure the ISDN switch type, for all configurations:
int bri 0
 isdn switch-type basic-ni1
 no shutdown
Verify that the router is communicating with the switch:
show isdn status
debug isdn q921
Layer 1 should be ACTIVE
Layer 2 state = MULTI_FRAME_ESTABLISHED
3.1. SETUP
Some of the mandatory decisions that must be made are:
A.) What type of encapsulation am I going to use on my interface? HDLC, PPP
B.) What kind of traffic will be able to generate outbound calls? Dialer-lists
C.) What kind of traffic do I want to prevent from making outbound calls? ACL
D.) Will I always be dialing the same location or multiple remote locations? Dialer map, dialer strings (up to three) are great for hub – spoke connectivity or for a backup router. Need dialer maps when calling two different locations (on hub). Dialer strings can be used on spokes. Dialer maps can set the speed and host name of the call and determine if broadcast traffic should be sent; broadcast traffic is optional. “All IP addresses that are put in the dialer maps must be in the routing table; if not, you must put them in the routing table with statics.”
E.) If I'm dialing multiple remote locations can I use the same parameters for all of them, such as authentication type, IP subnets, layer 3 protocols allowed during the call, etc.? CHAP never sends passwords across the link; PAP sends the password in clear text. Changing hostnames: CHAP – ppp chap hostname x; PAP – ppp pap sent-username x password y
F.) After all the data transmission is done how long do I want to wait before the call is disconnected? Never rely on the remote routers to disconnect your calls in a timely manner. If you're worried about ISDN charges make sure you take control by configuring your router with the appropriate disconnect timer.
G.) Am I going to allow dynamic routing protocols to use the ISDN link or just static routes? Dynamic routing without keepalives:
H.) If I use both B-channels on the call (either inbound or outbound) do I want to use the PPP Multilink feature to fragment large packets into smaller ones? When do you want the second link to come up? dialer load-threshold x [outbound | inbound | either], where “x” is a value between 1 and 255. The number range of 1 to 255 correlates to the current bandwidth usage or load of the call, with 255 being equated to an existing load of 100%. So as an example, if I wanted to configure my ISDN DDR interface such that when the first B-channel reached a load of 50% it would automatically bring up the next available B-channel, I would configure the command “dialer load-threshold 128”, because 128 is approximately 50% of the maximum value of 255. If I didn't want additional B-channels to be added unless the first B-channel was 100% utilized I would modify the command to “dialer load-threshold 255”. ppp multilink – breaks packets into smaller packets for optimized delivery over two links.
I.) Do I want to implement PPP callback?
J.) IP addressing scheme.
1.) Do you want to place a static IP address on your ISDN interface? No
2.) Do you want to have your ISDN interface unnumbered to some other physical or logical interface on the router? ip unnumbered lo0, ip unnumbered dialer1
3.) Do you want to obtain your IP address for the ISDN interface dynamically during each call via IPCP? Obtain an IP address from an IPCP pool on a remote router. This is most often used in hub and spoke situations where a pool of addresses resides on the hub router and is used to dynamically assign an IP address via IPCP to individual PCs that dial in with an ISDN terminal adapter. This can also work when you have spoke routers that dial in via PPP.
Hub router:
Single IP address: peer default ip address x.x.x.x
Multiple IP addresses: ip local pool CCIELAB x.x.x.x y.y.y.y / peer default ip address pool CCIELAB
Spoke routers: ip address negotiated
3.2. LEGACY DDR
Uses the physical interface versus dialer profiles.
Relies on dialer map statements.

ISDN Call Process
Interesting packets dictate DDR call
Route to destination is determined
Dialer information is looked up
Traffic is transmitted
Call is terminated

IPX Dialer-lists
This will stop RIPs and SAPs from triggering DDR:
access-list 901 deny any any all any rip
access-list 901 deny any any all any sap
access-list 901 deny any any all any 457
access-list 901 permit any
dialer-list 1 protocol ipx list 901

Minimum ISDN / DDR Configuration with PPP
isdn switch-type basic-ni1
username sanjose password cisco
int bri0
 isdn switch-type basic-ni1
 isdn spid1 0836866101 8358661
 isdn spid2 0835866301 8358663
 ip address 172.16.1.1 255.255.255.0
 dialer map ip 172.16.1.2 name r2 broadcast 1113344
 dialer-group 1
 encapsulation ppp
 ppp authentication chap
 ppp multilink
dialer-list 1 protocol ip permit

Bridging
int bri0
 dialer map bridge name r2 speed 56 8837676
 bridge-group 1
bridge 1 protocol ieee
access-list 201 permit 0x0000 0xFFFF
dialer-list 1 list 201
The ACL permits all bridged protocols.

Other Commands
dialer in-band – if you do not have native ISDN BRI and are using sync or async interfaces

Legacy DDR Optional Commands
dialer load-threshold load [outbound | inbound | either] – load = 1-255 (255 being 100%); establishes the amount of traffic on the link before a second link is enabled
dialer idle-timeout 120 – establishes the idle time before disconnect
dialer fast-idle

Verifying Legacy DDR Operation
ping or telnet – triggers a link
show dialer – displays current status of link
show isdn active – when using ISDN, displays call status while call is in progress
show isdn status – displays the status of an ISDN connection
show ip route – displays all routes, including static routes

Troubleshooting Legacy DDR
The dialer-map broadcast command will keep the DDR interface up indefinitely.
OSPF requires the use of the broadcast command.
3.3. DIALER PROFILES
Allows the configuration of physical interfaces to be separated from the logical configuration required for a call.
Uses dialer pool and dialer pool-member.
Does not use dialer map statements.
Bind dialer pools to physical interfaces.
Put ISDN and PPP encapsulation commands on the physical interface.
Put IP, PPP and dialer commands on the dialer interface.

Dialer Profiles Configurations
Physical interface: encapsulation, authentication, dialer pool-member, SPIDs
Logical interface: IP address, dial string, dialer pool, dialer-group, dialer remote-name, dialer parameters
Configuring a dialer interface:
1 – Configure dialer interface: int dialer sanjose
2 – Associate dialer pool with logical interface: dialer pool 1
3 – Apply dialer-group statement to define interesting traffic: dialer-group 1
4 – Provide dialer string to call: dialer string 9851234
Optional: configure a MAP-CLASS. Map class configuration provides basic dialer commands to specific dialer interfaces.
To go from a legacy DDR to a dialer profile, remove from the interface all logical commands (dialer and L3 addressing):
Dialer map statements
Dialer-group statements
Network layer addresses
Verify DDR operation: ping or telnet, show dialer, show isdn active, show ip route, clear dialer interface

Dialer profiles
R1
username r2 password 0 sanfran
isdn switch-type basic-ni
interface BRI0
 isdn switch-type basic-ni
 isdn spid1 0835866101 8358661
 isdn spid2 0835866301 8358663
 dialer pool-member 1
 encap ppp
 ppp authentication chap
int dialer 0
 ip address 199.10.10.1 255.255.255.0
 encapsulation ppp
 dialer idle-timeout 90
 dialer remote-name r2
 dialer string 8358662
 dialer load-threshold 1
 dialer pool 1
 dialer-group 1
 ppp authentication chap
dialer-list 1 protocol ip permit

R2
username r1 password 0 sanfran
isdn switch-type basic-ni
interface BRI0
 ip address 199.10.10.2 255.255.255.0
 isdn switch-type basic-ni
 isdn spid1 0835866201 8358662
 isdn spid2 0835866401 8358664
 dialer idle-timeout 90
 dialer map ip 199.10.10.1 name r1 broadcast 8358661
 dialer-group 1
 encapsulation ppp
 ppp authentication chap
dialer-list 1 protocol ip permit

Dialer Profile with Multiple Locations
R1
hostname r1
username r2 password cisco
isdn switch-type basic-ni1
int bri0
 no ip address
 encap ppp
 ppp authentication chap
 dialer pool-member 1
int dialer0
 ip address 172.16.1.2 255.255.255.0
 encap ppp
 ppp authentication chap
 ppp chap hostname backup
 dialer remote-name r2
 dialer string 2448989
 dialer pool 1
 dialer-group 1
 no cdp enable
int dialer1
 ip address 172.16.2.3 255.255.255.0
 encap ppp
 ppp authentication chap
 ppp chap hostname sanjose
 dialer remote-name policy
 dialer string 2448989
 dialer pool 1
 dialer-group 1
 no cdp enable
dialer-list 1 protocol ip permit

R2
hostname r2
username r1 password 0 cisco
username backup password 0 cisco
username sanjose password 0 cisco
isdn switch-type basic-ni1
int bri0
 no ip address
 encap ppp
 ppp authentication chap
 dialer pool-member 1
int dialer0
 ip address 172.16.1.1 255.255.255.0
 encap ppp
 ppp authentication chap
 dialer remote-name backup
 dialer pool 1
 dialer-group 1
int dialer1
 ip address 172.16.2.1 255.255.255.0
 encap ppp
 ppp authentication chap
 dialer remote-name sanjose
 dialer pool 1
 dialer-group 1
dialer-list 1 protocol ip permit

Dialer Options
dialer wait-for-carrier-time 40    ! timer to dial
dialer in-band                     ! enable DDR on dialer int / async
dialer hold-queue                  ! prevents packets from being dropped during call setup
3.4. PPP Stop PPP from creating /32 hosts by using no peer neighbor-route username headquaters password cisco int s 0 int dialer 1 encap ppp ppp authentication chap en cdp enable Check LCP and NCP status with the command show interface bri0 1 Ø
Other Commands
 ppp chap hostname r1    Used to specify a different hostname
Debugging PPP

PPP authentication problem:
 "interface BRI0:1, changed state to up
  interface BRI0:1, changed state to down
  interface BRI0:1, changed state to up
  interface BRI0:1, changed state to down"

The PPP authentication process goes through three phases: CHALLENGE, RESPONSE, SUCCESS. debug ppp negotiation will show you all three.
PPP Multilink

Does not work with snapshot routing.

PPP multilink requires:
 - ppp authentication chap
 - SPIDs
 - A second dialer map or string
 - the ppp multilink command
 - dialer load-threshold to bring up the second channel

Multilink PPP - Interfaces are grouped into a bundle to increase the available bandwidth for the connection.
 int dialer 1
  ppp multilink
  dialer-group 1
  dialer load-threshold load    Specify the load threshold that the interface should reach before enabling one or more additional links.
 dialer-list 1 protocol ip list 110
 access-list 110 permit tcp any any eq www
 access-list 110 permit tcp any any eq 53

Verify Multilink PPP operation:
 show dialer           Displays information about existing bundles
 debug ppp multilink   Displays event information

PPP Troubleshooting
 show dialer
 debug ppp negotiation
 debug ppp authentication
 sho int bri
3.4.1. Snapshot Routing

Snapshot routing does not work with MLPPP; use the sho ppp multilink command to verify.
Minimum active period is five minutes. Minimum quiet period is eight minutes.
The client determines the quiet period. The server makes the call and determines the active period.
Snapshot Routing - allows dynamic distance vector routing protocols to run over DDR. Reduces overhead and routing updates.

Snapshot routing for DV protocols, side one:
 int bri 0
  snapshot server 5
  snapshot client 5 43200 dialer

Snapshot Routing for DV's (Except EIGRP)
Does not support MLPPP.
 dialer map snapshot 60 2002
 snapshot client 5 1200 suppress-statechange-updates dialer
 snapshot server 5 dialer
Snapshot Configuration Needs
 - Specify an ISDN interface
 - Configure the client and server routers
 - Define a dialer map

Configuring the Client Router
 Dialer map snapshot:   dialer map snapshot 60 2002
 Snapshot client:       snapshot client 5 1200 suppress-statechange-updates dialer
                        (5 = active-time, 1200 = quiet-time)

Configuring the Server Router
 Active period interval: snapshot server 5 dialer

Verifying Snapshot Routing
 show snapshot
 clear snapshot
 debug snapshot
 debug dialer events
Snapshot configuration with dialer profile

R1
 username r2 password 0 sanfran
 isdn switch-type basic-ni
 interface BRI0
  isdn switch-type basic-ni
  isdn spid1 0835866101 8358661
  isdn spid2 0835866301 8358663
  encap ppp
  ppp authentication chap
  no ppp multilink
  dialer idle-timeout 90
  dialer-group 1
  (dialer map ip 199.10.10.1 name r1 broadcast 8358661)   (This line disappeared when snapshot was entered)
  dialer map snapshot 1 name r2 broad 8358662
  snapshot client 5 8 dialer
 dialer-list 1 protocol ip permit

R2
 username r1 password 0 sanfran
 isdn switch-type basic-ni
 interface BRI0
  isdn switch-type basic-ni
  isdn spid1 0835866201 8358662
  isdn spid2 0835866401 8358664
  ip address 199.10.10.2 255.255.255.0
  dialer idle-timeout 90
  dialer map ip 199.10.10.1 name r1 broadcast 8358661
  dialer-group 1
  encapsulation ppp
  ppp authentication chap
  snapshot server 5 dialer
 dialer-list 1 protocol ip permit

Troubleshooting Snapshot
 sh snapshot
 cle snapshot
 deb snapshot
 clear snapshot quiet-time bri 0   (make bri active, must be entered on the client)
3.4.2. Dial Backup

Sets an interface to standby mode so that when a primary interface goes down, this line will come up. The line can also be activated on a load threshold.
You can use dial backup to back up an individual frame-relay DLCI by placing the DLCI under a point-to-point subinterface. If the DLCI becomes inactive the point-to-point sub-interface's line protocol goes down and the designated backup interface will become active.

Configuring Dial Backup for Primary Links
Select the primary interface and go into interface configuration mode. Indicate the backup interface to use in case of primary link failure or if a load threshold is exceeded.
 backup interface bri0
 backup delay {enable-delay | never} {disable-delay | never}
The backup interface command will put the int bri0 interface into a not physically connected (standby) state.

Configuring Dial Backup for Excessive Traffic Load
 backup interface bri0
 backup load {enable-threshold | never} {disable-load | never}
NOTE: A floating static will work better than a dial backup.

Backup Configuration
Interface Serial 0 is the interface that will be going down. Int bri0 will become a standby interface; you can use a dialer profile and then the dialer is in standby.
 int s0
  backup delay 5 20
  backup interface bri0
3.4.3. OSPF DDR Methods

Demand Circuit
 ip ospf demand-circuit    Stops OSPF's hellos (224.0.0.5). This interface command stops hellos from keeping DDR links up.
 debug ip ospf packet
 debug dialer packet
 show ip ospf database
OSPF's hellos (224.0.0.5) will keep a DDR link up (active). Use the ip ospf demand-circuit command to limit the hellos. This changes the age to DNA, and the dead interval to '-'. Doing a 'show ip ospf int bri0' will show that the interface is configured as a demand circuit and that the hellos are suppressed.
Useful if the backup link and failure point are in different parts of the network. Configure on one side of the link only. Don't change the network type of the backup link. Make sure the question allows the link to come up for topology changes. Watch for routing loops.
The demand circuit does not suppress LSAs. It only suppresses the hellos and the link aging (in turn suppressing the periodic LSA refresh). With the demand circuit, the router will dial immediately to establish neighbors and update its link database and then go quiet until an LSA occurs. Keep this in mind when redistributing other routing protocols as they will generate LSAs in your OSPF area. Type 5 externals will go over the link as well as the LSA refreshes every thirty minutes.
*When you have redistribution going on, you may have to filter those specific networks, such as your connected network (and possibly /32's associated with the dialer interfaces), so that they don't cause the link to go up and down. The first step is determining which specific LSAs are changing in the database causing the link to go up and down, and then filter as needed.

NSSA Area
 area 1 nssa no-summary
Then only a default to the ABR would be injected into the area, again protecting it from changes in other areas while maintaining the ASBR redistribution capabilities. If you defined the area in question as an nssa no-summary this would only allow type 7 LSAs into the area from the external protocol domain. The type 7's would be converted into type 5 LSAs on the ABR as they are injected into the backbone. This configuration would allow the redistribution of the external routing protocol into OSPF, prevent the advertisement of inter-area and intra-area routes by the OSPF ABR into the NSSA, and inject a default into the NSSA area from the ABR. This would minimize link flapping while allowing the redistribution of the external protocol through the NSSA area into the backbone.
Dialer Watch
Allows a backup link to support multiple primary links. Keeps the backup interface down until the monitored routes are no longer reachable.
*Requires IGRP/EIGRP or OSPF and only supports IP.
Three methods to implement: DDR, Floating Statics, and Dialer load-threshold. May not be expressly forbidden in the lab, but requirements may prevent using this option.

Floating Static
Usually dialer0 is passive and OSPF packets are not interesting, because we rely on static routes at both ends and a demand circuit is not necessary.
These are added to a working config:
 int bri0
  dialer watch-group 2
  dialer watch-disable 60
 dialer watch-list 2 ip 10.1.1.0 255.255.255.0
 dialer-list 1 protocol ip permit

Example #2:
 interface bri0
  ip address 7.1.1.2 255.255.255.0
  encapsulation ppp
  dialer idle-timeout 5
  dialer map ip 3.1.1.0 name pioneer 60079 broadcast
  dialer map ip 7.1.1.3 name pioneer 60079 broadcast
  dialer-group 1
  dialer watch-group 1
  ppp authentication chap
 router eigrp 190
  network 7.0.0.0
  network 172.21.0.0
 access-list 100 deny eigrp any any
 access-list 100 permit ip any any
 ! Watch IP networks 3.1.1.0, 4.1.1.0, and 5.1.1.0
 dialer watch-list 1 ip 3.1.1.0 255.255.255.0
 dialer watch-list 1 ip 4.1.1.0 255.255.255.0
 dialer watch-list 1 ip 5.1.1.0 255.255.255.0
 dialer-list 1 protocol ip list 100

DDR Example
 host r1
 int bri0
  ip addr 1.1.1.1 255.255.255.0
  encap ppp
  dialer map ip 1.1.1.2 name r2 broadcast 1113344
  dialer-group 1
  dialer watch-group 2
  dialer watch-disable 60   (Sets a 60 second delay before the backup line is dropped after the primary comes back up)
  isdn switch-type basic-ni1
  isdn spid1 902111222200 1112222
  isdn spid2 902111222301 1112301
  ppp auth chap
 dialer-list 1 protocol ip permit
 dialer watch-list 2 ip 10.1.1.0 255.255.255.0
3.4.4. Callback

If the return call fails (because the line is not answered or the line is busy), no retry occurs. If the callback server has no interface available when attempting the return call, it does not retry.
How do you verify callback?

Callback Server R5
 username jeff pass 0 cisco
 int bri 0
  ip address 10.1.1.7 255.255.255.0
  encapsulation ppp
  dialer callback-secure
  dialer map ip 10.1.1.8 name r6 class dial1 8358662
  dialer-group 1
  ppp callback accept
  ppp authentication chap
 !
 map-class dialer dial1
  dialer callback-server username
 dialer-list 1 protocol ip permit

Callback Client R6
 username jeff pass 0 cisco
 int bri 0
  ip address 10.1.1.8 255.255.255.0
  encapsulation ppp
  dialer map ip 10.1.1.7 name r5 8358661
  dialer-group 1
  ppp callback request
  ppp authentication chap
3.4.5. Floating Static Routes

Use only if the test explicitly says to do so. Make sure the dynamic route exists when the floating route is not active.

R1
 username r2 password 0 sanfran
 isdn switch-type basic-ni
 interface BRI0
  ip address 199.10.10.1 255.255.255.0
  isdn switch-type basic-ni
  isdn spid1 0835866101 8358661
  isdn spid2 0835866301 8358663
  dialer idle-timeout 90
  dialer map ip 199.10.10.2 name r2 broadcast 8358662
  dialer-group 1
  encapsulation ppp
  ppp authentication chap
  ppp multilink
  ip ospf demand-circuit    (With OSPF running as the dynamic protocol, use this to stop hellos from leaving the line open)
 dialer-list 1 protocol ip permit
 ip route 0.0.0.0 0.0.0.0 199.10.10.2 121

R2
 username r1 password 0 sanfran
 isdn switch-type basic-ni
 interface BRI0
  ip address 199.10.10.2 255.255.255.0
  isdn switch-type basic-ni
  isdn spid1 0835866201 8358662
  isdn spid2 0835866401 8358664
  dialer idle-timeout 90
  dialer map ip 199.10.10.1 name r1 broadcast 8358661
  dialer-group 1
  encapsulation ppp
  ppp authentication chap
  ppp multilink
 dialer-list 1 protocol ip permit
 ip route 0.0.0.0 0.0.0.0 199.10.10.1 121
3.4.6. Other ISDN Commands
 ppp quality
 suppress-state-change-updates

Authentication:
 - chap
 - ppp chap hostname router5    if you are not using the router name, router5 replaces the local host name
 - If using a dialer interface, ppp authentication chap must be on the physical interface ALSO!!

Dialer Interfaces
 Don't use ppp multilink unless told to!! Seems to be some issue with OSPF Demand Circuit and PPP Multilink.
3.5. ISDN TROUBLESHOOTING STRATEGY (MASTER THIS CHECKLIST)

Usually attributed to one of three problems; check each in turn. Use show isdn status to determine if you need to start with ISDN or dialer.

ISDN
 1 - Router communicating to switch?
     debug isdn q921    This will display 10 second keepalives from the switch. These will be from tei=64 and tei=65, one for each BRI channel.
 2 - Router placing the call?
     debug isdn q931
     show isdn status

Dialer
 3 - Is the traffic to initiate the call defined as interesting?
     show run, examine dialer-list
 4 - Is the interface recognizing the interesting traffic?
     debug ip packet       shows the packet going to the interface
     debug dialer packet   shows if the packet is interesting
     debug dialer events   shows other important DDR messages

PPP
 5 - Is PPP negotiation working properly?
     debug ppp negotiation, show int bri0:1
 6 - Is PPP authentication working properly?
     debug ppp authentication

Show Commands
 sh int bri 0
 sh controllers bri       activation status = 1

Debug Commands
 deb bri
 deb isdn q921            Layer 1 - B-channel, enabled when call access procedures; LAPD, sapi=63 encapsulations, sapi=64
 deb isdn q931            sapi=0. Displays call setup, maintenance, and termination.
                          Calling Party: SETUP, CALL_PROC, CONNECT, CONNECT_ACK
                          Called Party:  SETUP, CONNECT, CONNECT_ACK
 deb ppp authentication   chap, pap
 debug isdn events
Layer 2 is between TE and LT; this is where most errors are found.
NOTE: Always troubleshoot both sides of the line.
3.5.1. Problem Isolation

(sr = show run, sis = show isdn status, sir = show ip route)

Symptom                             Problem                                      Action
Router does not dial                interface down                               sh int
                                    bad dialer map                               sr
                                    no dialer-group                              sr
                                    bad dialer-list                              sr
                                    bad access-lists                             sr
                                    no pri-group (7XXX)                          sr
Dial does not go (BRI)              speed mismatch                               sr (speed 56 in dialer-map)
                                    bad dialer map                               sr
                                    bad dialer-group                             sr
                                    number in use                                deb isdn ev / deb isdn q931
                                    bad spids                                    sr, sis
                                    bad nt1                                      bri0 -> nt1 on 2500's
Dial does not go (PRI)              check bri0 info
                                    bad framing                                  sh controllers t1
No communication to remote router   bad chap                                     deb ppp chap
                                    ppp encap not configured                     sr, encap ppp
                                    no route to remote                           sir
Line disconnects, too slow or fast  Bad hold queue
                                    Bad dialer idle-timeout or dialer fast-idle
Second B channel not coming up      Bad dialer load-threshold                    sr; set at 200/255 (80%); use 1/255 when you want it up all the time
Slow performance                    hold queue too small                         sh int bri; hold-queue; increment by 25% until no drops
3.5.2. ISDN Debug Example

Here is a ping and then the line goes down; you can see the line getting activated, PPP CHAP coming up, multilinking and then pinging again...
 deb ppp auth, deb isdn events, deb isdn q931

r1#ping
Target IP address: 10.10.1.2
Sending 1000, 100-byte ICMP Echos to 10.10.1.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.
00:14:52: ISDN BR0: TX -> INFORMATION pd = 8 callref = (null) SPID Information i = '0835866101'
00:14:52: ISDN BR0: RX SETUP pd = 8 callref = 0x02
00:14:52: Bearer Capability i = 0x8890
00:14:52: Channel ID i = 0x83
00:14:52: Keypad Facility i = '8358662'
00:14:52: ISDN BR0: Received EndPoint ID
00:14:52: ISDN BR0: RX INFORMATION pd = 8 callref = (null) SPID Information i = '0835866301'
00:14:53: ISDN BR0: RX CONNECT_ACK pd = 8 callref = 0x02
00:14:53: ISDN BR0: RX Setup a Connection
Subnetting

IP subnetting uses a logical AND:
   172.16.64.15
 & 255.255.0.0  -> 172.16.0.0
 & 255.255.0.0  -> 172.16.0.0
On the same subnet, right or wrong?
Host & subnet bits: 2^N - 2 = usable subnets / hosts for N bits
VLSM
Supported by RIP v2, EIGRP, OSPF.
Subnetting - start with the lowest subnet mask possible and work your way down.
[Diagram: hierarchy of prefix lengths, core /20, distribution /22, access /24, /26 and /30]

Summarization
 Dist -> Core:   Summarize (hide access to core). Provide route from nearest dist. router.
 Dist -> Access: Hide core to access.
 Route-maps, dist-lists, default networks.
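As an added example (not code from the CCIE Book), the logical AND from the Subnetting notes, the 2^N-2 usable-host rule and a small VLSM allocator that hands out the largest blocks first, the order the notes recommend; the 192.168.1.0/24 block and the host counts in the demo are constructed.

```python
# Added example, not from the CCIE Book: subnetting with a logical AND, the
# 2^N-2 usable-host rule and a VLSM allocator that serves the largest requests
# first (the notes' "start with the lowest mask and work your way down").
from ipaddress import IPv4Address, IPv4Network


def network_address(host, mask):
    """Bitwise AND of a host address and its mask (both dotted quads)."""
    return str(IPv4Address(int(IPv4Address(host)) & int(IPv4Address(mask))))


def same_subnet(host_a, host_b, mask):
    """Two hosts share a subnet when the AND with the mask gives the same result."""
    return network_address(host_a, mask) == network_address(host_b, mask)


def usable_hosts(prefix_len):
    """2^N - 2 usable addresses for N host bits (network and broadcast removed)."""
    host_bits = 32 - prefix_len
    return (2 ** host_bits) - 2 if host_bits >= 2 else 0


def prefix_for_hosts(hosts):
    """Longest prefix (smallest subnet) whose 2^N-2 still covers the request."""
    for prefix in range(30, -1, -1):
        if usable_hosts(prefix) >= hosts:
            return prefix
    raise ValueError("request of %d hosts cannot be satisfied" % hosts)


def allocate_vlsm(block, host_counts):
    """Carve block into one subnet per requested host count.

    Largest requests are served first so that the small subnets fill the gaps
    left behind the big ones. Returns a list of (requested_hosts, CIDR) pairs
    in the order served and raises ValueError when the block runs out.
    """
    free = [IPv4Network(block)]
    result = []
    for hosts in sorted(host_counts, reverse=True):
        prefix = prefix_for_hosts(hosts)
        # Prefer the smallest free block that still fits, to limit fragmentation.
        free.sort(key=lambda n: n.prefixlen, reverse=True)
        chosen = None
        for candidate in free:
            if candidate.prefixlen <= prefix:
                chosen = candidate
                break
        if chosen is None:
            raise ValueError("no free block left for %d hosts" % hosts)
        free.remove(chosen)
        # Split the block in half until it is exactly the size needed; the
        # second half of every split goes back to the free list.
        while chosen.prefixlen < prefix:
            first, second = chosen.subnets(prefixlen_diff=1)
            free.append(second)
            chosen = first
        result.append((hosts, str(chosen)))
    return result


if __name__ == "__main__":
    # The notes' worked AND: 172.16.64.15 with 255.255.0.0.
    print(network_address("172.16.64.15", "255.255.0.0"))
    # Constructed request: one /24 split for 100 hosts, 50 hosts and two point-to-point links.
    for hosts, cidr in allocate_vlsm("192.168.1.0/24", [2, 50, 100, 2]):
        plen = int(cidr.split("/")[1])
        print("%3d hosts -> %s (%d usable)" % (hosts, cidr, usable_hosts(plen)))
```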
Summarization and Protocols
 RIP, IGRP, EIGRP, BGP   Automatically summarize at classful boundaries.
 EIGRP - disable auto summarization with the no auto-summary command
 EIGRP - Use ip summary-address eigrp to summarize at other boundaries
 OSPF does not summarize automatically. Use area range and summary-address to summarize.
Benefits of summarizing: reduce routing table size to save bandwidth with fewer updates, and less router memory used. Limits the scope of failure of network instability.
CIDR - Supported by RIP v2, OSPF, and BGP
Trace Command
The following are the characters that can appear in trace output:
 nn/msec   For each node, the round-trip time in milliseconds for the specified number of probes.
 *         The probe timed out
 ?         Unknown packet type
 Q         Source quench
 P         Protocol unreachable
 N         Network unreachable
 U         Port unreachable
 H         Host unreachable

Extended Ping
To test MTU use extended ping with the DF bit set. TTL = 64 by default.
Options Field: Loose / strict source routing. Allows you to specify route hops to the destination. Loose means take these hops as needed and strict means take only these hops. Hence, with strict you must list all routers while with loose you can list only a few.

IP ADDRESSING Troubleshooting
 show ip interface brief
 What are all of the IP addresses of the interfaces of my directly connected neighbors?   show cdp neighbor detail
 Can you ping your own interface?
6.3. HOT STANDBY ROUTER PROTOCOL (HSRP)

Cisco feature. For token-ring use the use-bia command.
Uses multicast UDP packets for hellos, sent out every 3 seconds. Hold time is 10 seconds; if 3 hellos are missed the standby goes active. You can use multiple groups for HSRP.
The virtual MAC address is: Vendor code - HSRP code - group number, e.g. group 47: 0000.0c - 07.ac - 2f (group in hex).
HSRP messages are UDP port 1985 and are addressed to 224.0.0.2 with TTL = 1.
The highest priority is the active router; default is 100.
standby ip - The configuration for at least one of the routers in the Hot Standby group must specify the IP address of the virtual router; specifying the IP address of the virtual router is optional for other routers in the same Hot Standby group.
standby timers - Used to change the hello timer; make sure all routers in the same group use the same timers.

HSRP States
 Initial   boot up
 Learn     wait for active router
 Listen    knows virtual IP of active router
 Speak     send hellos
 Standby   candidate for active / standby router
Only one standby router per HSRP group.

Make HSRP check the active interface versus route cache for active router: standby track

HSRP Configuration
 standby 5 ip 172.16.1.1
 standby 5 priority 200
 standby 5 preempt
 standby timers 5 15
 standby 5 track int s0 200
HSRP Configuration
Router 1 (Active Router)
 standby 12 ip 172.30.16.3
 standby 12 priority 180    (default 100)
 standby 12 preempt
 standby 12 timers 3 10     Timers
 show standby brief
 debug standby
Router 2 (Standby Router)
 standby 12 ip 172.30.16.3
 standby track ethernet 1 100    Make HSRP check the active interface versus route cache for active router

 standby ip         Enables HSRP and establishes the IP address of the virtual router
 standby preempt    Allows the router to become the active router when its priority is higher than all other HSRP-configured routers in this hot-standby group.
 standby priority   Priority status is used in choosing the active router

Troubleshooting
 show ip route
 show interface
 show running-config
 show standby

Troubleshooting Commands
 sh standby
 deb standby
 deb standby errors
 deb standby events
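As an added example (not code from the CCIE Book), the virtual MAC derivation from the notes above and a small model of the HSRP election under priority, interface tracking and preempt; the router names, physical addresses 172.30.16.1/.2 and interface states are constructed around the group 12 configuration shown, and the highest-IP tie-break is standard HSRP behaviour not stated in the notes.

```python
# Added example, not from the CCIE Book: HSRP virtual MAC for a group number
# and an election model for priority, interface tracking and preempt.
# Router names, physical addresses and interface states are constructed.
from ipaddress import IPv4Address

HSRP_VENDOR_CODE = "0000.0c"   # Cisco vendor code, as in the notes
HSRP_CODE = "07.ac"            # well-known HSRP code


def hsrp_virtual_mac(group):
    """Vendor code + HSRP code + group in hex; group 47 -> 0000.0c07.ac2f."""
    if not 0 <= group <= 255:
        raise ValueError("HSRP group must be 0-255")
    return "%s%s%02x" % (HSRP_VENDOR_CODE, HSRP_CODE, group)


def effective_priority(router, interfaces_up):
    """Configured priority minus the decrement of each tracked interface that is down."""
    priority = router["priority"]
    for iface, decrement in router.get("track", {}).items():
        if iface not in interfaces_up:
            priority -= decrement
    return max(priority, 0)


def elect_active(routers, interfaces_up, current_active=None):
    """Return the name of the router that should be active.

    Highest effective priority wins and the highest IP address breaks a tie
    (standard HSRP behaviour). A router that is already active keeps the role
    unless a better candidate has preempt configured, as the notes describe.
    """
    def rank(r):
        return (effective_priority(r, interfaces_up), int(IPv4Address(r["ip"])))

    best = max(routers, key=rank)
    current = next((r for r in routers if r["name"] == current_active), None)
    if current is None:
        return best["name"]          # no active router (or it failed): fresh election
    if best["name"] != current["name"] and best["preempt"] and rank(best) > rank(current):
        return best["name"]          # preempt takes the role from the current active
    return current["name"]


# Constructed from the notes' group 12 configuration: router 1 has priority 180
# and preempt, router 2 keeps the default 100 and tracks ethernet1 (decrement 100).
ROUTER1 = {"name": "router1", "ip": "172.30.16.1", "priority": 180, "preempt": True, "track": {}}
ROUTER2 = {"name": "router2", "ip": "172.30.16.2", "priority": 100, "preempt": False,
           "track": {"ethernet1": 100}}


def failover_sequence():
    """Both up -> router1 fails -> router1 returns and preempts."""
    steps = [elect_active([ROUTER1, ROUTER2], {"ethernet1"})]
    steps.append(elect_active([ROUTER2], {"ethernet1"}, current_active=steps[-1]))
    steps.append(elect_active([ROUTER1, ROUTER2], {"ethernet1"}, current_active=steps[-1]))
    return steps


if __name__ == "__main__":
    print(hsrp_virtual_mac(47), hsrp_virtual_mac(12))
    print(" -> ".join(failover_sequence()))
```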
6.4. DYNAMIC HOST CONFIGURATION PROTOCOL (DHCP)

New feature in 12.0(1)T.
Basic Example:
 ip dhcp pool networkers
  network 10.1.1.0 255.255.255.0
  default-router 10.1.1.254
  lease 0 0 15

DHCP Commands
 show ip dhcp binding
 show ip dhcp conflict
 show ip dhcp server
 clear ip dhcp binding
 clear ip dhcp conflict

Example
With this config, the router will assign 10.2.X.Y/16 and 10.4.X.Y/16 addresses to the clients. As you can see I also have the default gateway, DNS, and the two WINS servers on my network and the lease set to 3 days.
 ip dhcp excluded-address 10.1.0.0 10.1.1.255
 ip dhcp excluded-address 10.1.3.0 10.1.3.255
 ip dhcp excluded-address 10.1.5.0 10.1.255.255
 !
 ip dhcp pool Chancery
  network 10.1.0.0 255.255.0.0
  default-router 10.1.1.1
  dns-server 206.80.192.1 204.147.80.5
  netbios-node-type h-node
  netbios-name-server 10.1.1.13 10.1.1.11
  lease 3
 !
 interface FastEthernet0/0
  ip address 10.1.1.1 255.255.0.0
  no ip directed-broadcast
  no ip route-cache
  no ip mroute-cache
  duplex auto
  speed auto

Example #1
 !
 ! Start DHCP Server
 service dhcp
 !
 ! Store DHCP lease database on tftp server
 ip dhcp database tftp://tftp.cisco.com/dhcp.db
 !
 ! Create DHCP address pool for the 10.0.0.0/28 network
 ip dhcp pool subnet-10
  lease 3 0 0                        ! lease time of 3 days 0 hours 0 minutes
  network 10.0.0.0 255.255.255.240   ! Defines address pool with addresses 10.0.0.1 - 10.0.0.14
  dns-server 171.68.10.70 171.68.10.140
  domain-name cisco.com
  netbios-name-server 171.68.235.228 171.68.235.229
  netbios-node-type h-node
  option 150 ip 172.16.24.12         ! Defines custom option with IP address
  default-router 10.0.0.1
 !
 ! Create static mapping for the 10.0.0.5 address - i.e. BootP
 ip dhcp pool manual
  host 10.0.0.5
  client-identifier 010a.1211.2e3c.4a
 !
 ! Exclude 10.0.0.1 - 10.0.0.5 from DHCP pool
 ip dhcp excluded-address 10.0.0.1 10.0.0.5
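As an added example (not code from the CCIE Book), a small parser for the ip dhcp pool and excluded-address lines used in the examples above; it works out which addresses each pool can actually hand out, the lease in seconds (lease D [H [M]]), and whether the default-router was protected by an excluded-address. The config it parses is constructed from the Basic Example and Example #1; the one-day default lease is the IOS default.

```python
# Added example, not from the CCIE Book: parse IOS-style DHCP configuration and
# report assignable addresses, lease length and whether the gateway is excluded.
from ipaddress import IPv4Address, IPv4Network

# Constructed from the notes' Basic Example and Example #1 (only the lines the
# parser understands are kept).
SAMPLE_CONFIG = """\
ip dhcp excluded-address 10.0.0.1 10.0.0.5
!
ip dhcp pool subnet-10
 lease 3 0 0
 network 10.0.0.0 255.255.255.240
 default-router 10.0.0.1
!
ip dhcp pool networkers
 network 10.1.1.0 255.255.255.0
 default-router 10.1.1.254
 lease 0 0 15
"""

DEFAULT_LEASE = 24 * 3600   # IOS default lease of one day


def lease_seconds(fields):
    """'lease D [H [M]]' -> seconds; 'lease infinite' -> None."""
    if fields == ["infinite"]:
        return None
    days, hours, minutes = ([int(f) for f in fields] + [0, 0])[:3]
    return ((days * 24 + hours) * 60 + minutes) * 60


def parse_dhcp(config):
    """Return (excluded ranges, pools) from the configuration text."""
    excluded = []   # (first, last) IPv4Address pairs, inclusive
    pools = {}
    current = None
    for raw in config.splitlines():
        f = raw.strip().split()
        if not f or f[0] == "!":
            continue
        if f[:3] == ["ip", "dhcp", "excluded-address"]:
            first = IPv4Address(f[3])
            last = IPv4Address(f[4]) if len(f) > 4 else first   # single address form
            excluded.append((first, last))
            current = None
        elif f[:3] == ["ip", "dhcp", "pool"]:
            current = pools.setdefault(
                f[3], {"network": None, "default_router": None, "lease": DEFAULT_LEASE})
        elif current is not None and f[0] == "network":
            current["network"] = IPv4Network("%s/%s" % (f[1], f[2]), strict=False)
        elif current is not None and f[0] == "default-router":
            current["default_router"] = IPv4Address(f[1])
        elif current is not None and f[0] == "lease":
            current["lease"] = lease_seconds(f[1:])
    return excluded, pools


def is_excluded(addr, excluded):
    return any(low <= addr <= high for low, high in excluded)


def assignable(pool, excluded):
    """Hosts of the pool's network (no network/broadcast) minus excluded ranges."""
    return [a for a in pool["network"].hosts() if not is_excluded(a, excluded)]


def gateway_excluded(pool, excluded):
    """True when the pool's default-router is protected by an excluded-address."""
    gw = pool["default_router"]
    return gw is not None and is_excluded(gw, excluded)


if __name__ == "__main__":
    excl, pools = parse_dhcp(SAMPLE_CONFIG)
    for name, pool in pools.items():
        addrs = assignable(pool, excl)
        print("%s: %d addresses (%s - %s), lease %s s, gateway excluded: %s" % (
            name, len(addrs), addrs[0], addrs[-1], pool["lease"], gateway_excluded(pool, excl)))
```

The networkers pool reports gateway excluded: False, which is the point to check in the Basic Example, since 10.1.1.254 is inside the pool and could be leased to a client.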
7. Routing Protocol Specifics

Protocol  Type  Protocol Used         DDR             Advertises              Metric                                Converge Method / Misc.
RIP v1    dv    UDP 520               Snapshot        Broadcast, 30           Hops (16 Max)
RIP v2    dv    UDP 520               Snapshot        224.0.0.9, 30           Hops (16 Max)
IGRP      dv    UDP 9                 Snapshot        Broadcast, 90           Composite (BW / DLY), 255 Hops
EIGRP     dv    224.0.0.10            Deny Hellos     Hellos 5, 224.0.0.10    Composite (BW / DLY * 256), 224 Hops
OSPF      ls    224.0.0.5, 224.0.0.6  Demand circuit  Hello, LSA's            Cost                                  SPF, Manual summarization; Areas, 2 Tier
IS-IS     ls                                          LSP's                   Cost (All 10)                         SPF
BGP4      dv    TCP 179                               Long Keepalives         AS Paths                              Keepalives
IPX RIP   dv                                          Broadcast (60)          Ticks
NLSP      ls

Converge Method / Misc. / Problems cells for the distance-vector rows (extraction order; row alignment lost): Classful, Split-horizon; Partition Internetwork; 180 (6x); Split-horizon; None; 270 (3x); Classful, Dual, Split-horizon; AS; 25 (3x); Dual, Split-horizon; AS; 180 (6x)

Protocol  Load Balancing                     Authentication   Summary
Static    Equal AD                           None             Yes
RIP v1    None                               None             auto
RIP v2    None                               MD5 / Simple     auto
IGRP      Equal, Unequal (up to 6)           None             Stop, auto (Auto-summary)
EIGRP     Equal, Unequal (up to 6)           MD5              Stop, auto (Auto-summary)
OSPF      Equal only                         MD5 / Simple     No problem, on ABR or ASBR
ISIS      Equal cost only                    Clear text only  No problem, Level 2 only, CLNS routing
BGP4      MED, AS_PATH same, up to 6 paths
IPX RIP                                                       auto
NLSP                                                          auto

Remaining cells of the IGP Synch., Manual summarization and Discontinuous Networks columns (extraction order; row alignment lost): None; AS; Level 3 Tier, Level 3 is EGRP; Yes; None; None; none
How would you speed up RIP/EIGRP/OSPF/IGRP/BGP convergence? Change timers, use summaries, minimize routing tables. You can create unicast updates by making the interface passive and using the neighbor command to specify who to send updates to.

RIP / IGRP / EIGRP
With fast switching enabled load balancing occurs on a per-destination basis, otherwise it is per packet. IGRP, EIGRP, OSPF and RIP can use up to four equal-cost paths.

Path Determination
Longest prefix (address), then AD (which protocol / outside the IGP), then metric (inside the IGP).

Classful Routing
0/0 in a classful protocol is a route to all destinations except connected networks; use the ip classless command to change this behavior. A route is first matched with the address class, then the subnet; if there is no match the packet is dropped. RIP v1 and IGRP will not send a routing update between two routers on the same subnet if the subnet masks are different. Use passive-interface when more interfaces are enabled by the classful network statement than what you want.

Classless Routing
0/0 in a classless protocol is considered a route to all destinations. A route is checked for the longest match (bit-by-bit) rather than classful boundaries.

Passive Interfaces
The passive-interface command prevents all routing updates for a given routing protocol from being sent into a network, but does not prevent the specified interface from receiving updates.

Common Routing Protocol Configuration Options
These commands are common to all routing protocols:
 default-metric
 distance
 distribute-list
 maximum-paths
 network
 passive-interface
 redistribute
 timers
7.1. ADMINISTRATIVE DISTANCES

When two routing protocols are enabled the path with the lowest AD will be used. Use the distance command only to prevent or stop routing loops.

 AD    Source
 0     Connected
 1     Static
 5     EIGRP Summary
 20    EBGP
 90    EIGRP (I)
 100   IGRP
 110   OSPF
 115   IS-IS
 120   RIP
 170   EIGRP (E)
 200   IBGP
 255   Unknown
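As an added example (not code from the CCIE Book), the path determination order from the notes, longest prefix first, then lowest AD, then lowest metric, together with the classful versus classless handling of the default route described under Classful Routing; the AD values are the table above, while the candidate routes, metrics and next-hop interface names are constructed.

```python
# Added example, not from the CCIE Book: route selection in the notes' order
# (longest prefix, then lowest AD, then lowest metric) and the classful vs
# classless treatment of 0/0. Candidate routes and next hops are constructed.
from ipaddress import IPv4Address, IPv4Network

# Administrative distances from the table above.
ADMIN_DISTANCE = {
    "connected": 0, "static": 1, "eigrp summary": 5, "ebgp": 20, "eigrp": 90,
    "igrp": 100, "ospf": 110, "is-is": 115, "rip": 120, "eigrp external": 170,
    "ibgp": 200, "unknown": 255,
}


class Route:
    def __init__(self, prefix, source, metric, next_hop):
        self.network = IPv4Network(prefix)
        self.source = source
        self.ad = ADMIN_DISTANCE[source]
        self.metric = metric
        self.next_hop = next_hop


def build_table(candidates):
    """Install at most one route per prefix: lowest AD wins, then lowest metric.
    AD 255 means the route is never installed."""
    table = {}
    for r in candidates:
        if r.ad == 255:
            continue
        cur = table.get(r.network)
        if cur is None or (r.ad, r.metric) < (cur.ad, cur.metric):
            table[r.network] = r
    return table


def classful_network(addr):
    """The class A/B/C major network an address belongs to."""
    first_octet = int(addr) >> 24
    plen = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return IPv4Network("%s/%d" % (addr, plen), strict=False)


def lookup(table, destination, classless=True):
    """Longest-prefix match. Without ip classless, a destination inside a major
    network the router has subnets of is dropped (None) rather than sent to 0/0."""
    dst = IPv4Address(destination)
    matches = [r for r in table.values() if dst in r.network]
    specific = [r for r in matches if r.network.prefixlen > 0]
    if specific:
        return max(specific, key=lambda r: r.network.prefixlen)
    default = [r for r in matches if r.network.prefixlen == 0]
    if not default:
        return None
    if not classless:
        major = classful_network(dst)
        if any(r.network.prefixlen > 0 and r.network.subnet_of(major) for r in table.values()):
            return None
    return default[0]


def installed_source(table, prefix):
    """Which protocol's route was installed for a prefix."""
    return table[IPv4Network(prefix)].source


# Constructed candidates: the same /24 learned from RIP and OSPF, a less
# specific static /16 with a better AD, and a static default route.
CANDIDATES = [
    Route("10.1.1.0/24", "rip", 2, "Serial0"),
    Route("10.1.1.0/24", "ospf", 20, "Serial1"),
    Route("10.1.0.0/16", "static", 0, "Serial2"),
    Route("0.0.0.0/0", "static", 0, "Ethernet0"),
]

if __name__ == "__main__":
    table = build_table(CANDIDATES)
    for dst in ("10.1.1.5", "10.1.7.9", "10.2.0.1", "192.168.9.1"):
        for classless in (True, False):
            r = lookup(table, dst, classless)
            print(dst, "classless" if classless else "classful ",
                  "dropped" if r is None else "%s via %s (%s)" % (r.network, r.next_hop, r.source))
```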
7.2. DEFAULT AND STATIC ROUTES

Point static routes to an interface only on point-to-point interfaces; proxy ARP will have problems with multiaccess networks if hosts are on the segment. When you enter an address instead of the interface the route is not automatically redistributed into routing protocols, the admin distance is 1 instead of 0, and it requires one recursive lookup for the route.
An ip default route can point to the next-hop gateway, network number, or a router interface. If pointing to an interface the route will never go away unless the interface is unavailable. Frame-relay and ATM interfaces do not go down automatically when they lose communications.

Path Determination for Statics (All /xx examples are for a class C address)
 Host route        /32
 Subnet            /30
 Summary           /26
 Major Net         /24
 CIDR / Supernet   /20
 Default route     0/0

Interesting Ideas
If you were going to create a loopback interface, you could give it a classful address and mask outside of the classful network in question and make it your default network...
Create a loopback whose IP address and mask is a summary of the networks you're trying to propagate, then redistribute connected.

DV Protocols
 0.0.0.0 0.0.0.0   The default route will automatically be advertised if ip default-network is included.

7.2.1. RIP
RIP automatically redistributes a default route. When the static default route 0.0.0.0 0.0.0.0 is configured on a RIP speaking router, RIP automatically redistributes the 0.0.0.0 entry into the RIP domain. Another method of advertising a default route with RIP is to use the default-information originate statement under the router rip configuration mode. By entering this statement the 0.0.0.0 route will be advertised into the RIP domain even if there is no 0.0.0.0 route on the router that is the source of the default route.
A default route allows a RIP speaking router to forward to all classful network prefixes that are not listed in a given router's routing table. However, a default route does not automatically allow a RIP speaking router to forward to all subnets that are not listed in a given router's routing table.
 router rip
  network 138.5.0.0
  default-information originate route-map rip_def_to_interfaces
 !
 route-map rip_def_to_interfaces permit 10
  set interface Serial0/3

7.2.2. IGRP
IGRP does not advertise the 0.0.0.0 network to downstream IGRP neighbors. ip default-network will only insert the route correctly if the address is on a classful boundary... otherwise it will enter a static route into the routing table (NOT good). The default network will appear as an exterior network in debugging events, and will be a * = "candidate default" in the routing table.
Configuring Defaults
 ip default-network 192.168.1.17    This command creates a static route if the route is not classful

7.2.3. EIGRP
EIGRP redistributes the default network, but a static default route must be redistributed into EIGRP. EIGRP does not use ip default-network. You need to redistribute OSPF into EIGRP or set up a static default route and redistribute it.
Propagation Control of Default Routes
 default-information in        Erases the * from all routes not matching the ACL
 default-information out       Erases the * from routes advertised to neighbors
 no default-information in     Do not accept *
 no default-information out    Do not send *
Use default routes with route filters; this way you gain the route and remove the redundant routes.
 router eigrp 200
  network 0.0.0.0
 ip route 0.0.0.0 0.0.0.0 Serial2
Configuring Defaults
 router eigrp 100
  redistribute static metric 64 20000 255 1 1500
 ip route 0.0.0.0 0.0.0.0 192.168.1.17
Send default network 0/0 into the EIGRP domain by using "ip summary-address eigrp 0.0.0.0 0.0.0.0" on the interface connected towards the EIGRP side.
THE CCIE Book 7.2.4. OSPF/ ISIS A router can advertise a default route with default information-originate. This will work only if the router has a default route already. If not use the keyword always. But the router needs to have a stable path to the destination or a black hole will exist. The following configuration example illustrates how a route map is referenced by the default-information router configuration command. This is called conditional default origination. OSPF will originate the default route (network 0.0.0.0) with a Type 2 metric of 5 if 140.222.0.0 is in the routing table. Extended access-lists cannot be used in a route map for conditional default origination. Ø
OSPF Example #1 router ospf default-information originate route-map DEFAULT ! route-map DEFAULT match ip address 5 ! access-list 5 permit 0.0.0.0 Example #2 router ospf 109 default-information originate route-map ospf-default ! route-map ospf-default permit match ip address 1 set metric 5 set metric-type type-2 ! access-list 1 140.222.0.0 0.0.255.255
Ø
ISIS router isis default-information originate route-map adv-default ! route-map adv-default permit 10 match ip addr 10 ! access-list 10 permit 192.168.200.192 0.0.0.3 This allows 192.168.200.192 to be advertised as a default only if it is in the isis database. You have to have ISIS on the link Example #2 router isis 100 default-information originate route-map DEFAULT ! route-map DEFAULT match ip address 5 match ip next-hop 2 ! access-list 5 permit 0.0.0.0 Page 92 of 296 Copyright © 2003 by Bradshaw Labs Inc. All Rights Reserved
THE CCIE Book 7.2.5. BGP Default 0.0.0.0 route into bgp 1) 0.0.0.0 in routing table 2) network 0.0.0.0 under routing process The only difference between advertising a static and a default route, is that when you redistribute a static, BGP sets the origin attribute of updates to incomplete. To advertise default routes within BGP Method 1a Send a default route to a neighbor router bgp 200 nei 1.1.1.1 default-originate ip route 0.0.0.0 0.0.0.0 2.2.2.2 Method 1b Send a default route to a neighbor router bgp 200 nei 1.1.1.1 default-originate always Method 2 router bgp 200 netw 0.0.0.0 ip route 0.0.0.0 0.0.0.0 2.2.2.2 Method 3 router bgp 200 netw 0.0.0.0 ip route 0.0.0.0 0.0.0.0 2.2.2.2 40 ip route 0.0.0.0 0.0.0.0 3.3.3.3 60 Method 4 int lo 0 ip add 172.33.16.0 255.255.255.0 router bgp 200 network 172.33.16.0 nei 1.1.1.1 default-originate route-map default-route route-map default-route permit 10 match ip address 1 access-list 1 permit 172.33.16.0 Sending a BGP default route to a IGP Make sure the IGP does not have a default point to BGP. A route map is used to inject BGP's default route only, otherwise a few to many routes may get injected into the IGP. RIP Set the default-metric under RIP, BGP route is automatically injected into RIP. IGRP The ip default-network needs to be set for the redistribution to be successful. This will be set to the BGP address (192.168.2.0) Set the default-metric in IGRP.
7.2.6. IPX
IPX Default Routes
IPX's default route is FFFF.FFFE or -2.
ipx routing
ipx internal-network ACE
ipx route default ACE.0000.0000.0002
To reduce RIP updates and only send the default route out use:
ipx advertise-default-route-only 300
7.3. DEFAULT ROUTE SUMMARIES
RIP        default-information originate; ip default-gateway
IGRP       ip default-network
EIGRP      redistribute OSPF into EIGRP. Use ip summary-address eigrp 100 0.0.0.0 0.0.0.0 on the interface connected towards the EIGRP side.
OSPF/ISIS  default-information originate
BGP        neighbor default-originate route-map
router bgp 200
 nei 1.1.1.1 default-originate route-map DEFAULT
route-map DEFAULT
 match ip address 1
access-list 1 permit 172.33.16.0
7.4. AUTHENTICATION
              OSPF  RIPv2  BGP  EIGRP  ISIS
Supports MD5  Yes   Yes    Yes  Yes    Yes

OSPF
interface ethernet1
 ip address 10.1.1.1 255.255.255.0
 ip ospf message-digest-key 100 md5 cisco
!
router ospf 1
 network 10.1.1.0 0.0.0.255 area 0
 area 0 authentication message-digest

ISIS
interface ethernet0
 ip address 10.1.1.1 255.255.255.0
 ip router isis
 isis password cisco level-2

BGP
router bgp 200
 no synchronization
 neighbor 4.1.2.1 remote-as 300
 neighbor 4.1.2.1 description Link to Excalabur
 neighbor 4.1.2.1 send-community
 neighbor 4.1.2.1 version 4
 neighbor 4.1.2.1 soft-reconfiguration inbound
 neighbor 4.1.2.1 route-map Community1 out
 neighbor 4.1.2.1 password cisco
7.5. ROUTING TABLES
Distance-Vector
 Single table - routing
 Full routing table advertisements
 Loop-avoidance techniques: split-horizon, poison-reverse, count-to-infinity
 Timers – update, holddown, flush
 Routing tables stay "forever young" if the network is stable.
 show ip protocols   Used to view the routing timers

Link-State Protocols
 Three tables – routing, neighbor, topology
 Executes the SPF algorithm (SPA) for path determination
 Results are posted to the main routing table
 Partial advertisement updates – LSAs
 Know backup routes since they have a full topology in memory
 Routing tables should be old to be stable.
 A benefit of LS protocols is that they don't have a hop count.
On-Demand Routing (ODR) (160)
 Supports VLSM
 Metric is hop count, so all routes usually have a metric of 1
 Uses CDP; CDP uses SNAP frames
 Hub to stub ODR: default route to hub
 router odr
Maintaining Routing Tables
RIP, IGRP   Hold-down state and mark "possibly down"
EIGRP       Feasible successor
OSPF
Cisco Routing Table
Seven columns:
 Source of routing information
 Destination address
 Administrative distance
 Metric
 Next hop / source of routing information
 Age of entry (dynamic routing protocols only)
 Local interface to switch the packet
Example:
I* 140.10.0.0 [100/183071] via 172.16.3.2, 00:00:26, Serial1
Redundancy
 Floating statics
 DDR
 Adjust metrics
 AD
 Dialer watch
 Backup interface
7.6. TROUBLESHOOTING ROUTING TABLE
 All connected routes listed?
 Is the default route set?
 Is the destination in the routing table?
 Are the routing metrics correct?
 Are the routes aging?
 Any "possibly down" networks?

Troubleshooting Commands
show ip route connected
show ip route
show ip route 172.16.1.0
clear ip route *                                    Resets the entire routing table
show ip route 172.16.0 255.0.0.0 longer-prefixes    Used to filter routing table displays
debug ip packet                                     Be careful with this command
debug ip icmp
debug ip routing
debug ip rip
debug ip igrp events
debug ip igrp transactions
debug ip ospf adj
debug ip eigrp
7.7. DEBUGGING IP PACKET FORWARDING
Are IP packets leaving the router in the desired manner?
 Ping (standard ping / extended ping)
 debug ip packet
Is the packet leaving the router through the correct interface?
 If debug ip packet displays "unroutable" messages, check the routing table: show ip route
 If debug ip packet displays "encap failed" messages, check the processes that support forwarding of IP packets out of that particular interface:
  If the "encap failed" message appears on a multiaccess interface, such as Ethernet or Token Ring, enable debug arp to make sure the ARP process is working properly.
  If it appears on a non-broadcast multiaccess interface, such as Frame Relay or ATM, enable debug frame packet or debug atm packet to make sure the packet has a mapping to the destination address.
  If it appears on a switched connection, such as an ISDN/DDR link, enable debug isdn q931 to make sure the call is being set up properly; debug dialer packet to make sure the traffic is being defined as interesting; or debug ppp authentication to make sure PPP authentication is occurring properly.
 If debug ip packet displays only "sending" messages, all IP forwarding processes are operating properly on this router. Check all intermediate routers or the return path of the routing traffic.
Are IP routing updates sending the correct prefixes out the correct interfaces? Are you receiving the correct routing updates on the correct interfaces?
 debug ip rip
 debug ip igrp transactions
 debug ip igrp events
 debug ip eigrp
 Traceroute (standard traceroute / extended traceroute)
8. RIP (R) 120
Enable and assign locally connected IP addresses to each routing process with the network command.
Transport is UDP 520.
Uses hop count: 1 = connected / 16 = unreachable. RIP metric = hops, maximum 15.
Each RIP update can carry up to 25 routes (destinations).
Multiple connections will enable equal-cost load balancing.
Boundary routers will automatically summarize.
Know about the split-horizon problems: how do you work around them?
All subnets must be classful and contiguous. ip classless and default routes can be used for discontiguous RIP networks.
In a RIP domain, all subnets must be contiguous. The contiguous subnet requirement can be overcome by using a combination of default routes and the ip classless command. By enabling ip classless, you override the contiguous subnet rule and allow the router to look for the longest match beyond the listed subnets. If a subnet is not listed on a router with ip classless enabled, it will eventually match the 0.0.0.0 entry (the default route).
The most useful debugging tool for RIP routing is debug ip rip.
RIP v1 and IGRP will advertise routes having a different subnet mask than the interface if the route is in a different major network. RIP will assume a classful mask.
RIP will advertise host routes.

RIP
ip rip send version 1
ip rip receive version 1

Authentication
ip rip send version 2
ip rip receive version 2
ip rip authentication mode md5
ip rip authentication key-chain cisco
Global:
key chain cisco
 key 1
  key-string cisco
Timers
 Update    30
 Invalid   180
 Holddown  180
 Flush     270
If you adjust the timers on one router in a RIP domain, adjust the timers on all routers to the exact same settings.
Basic RIP Configuration
router rip
 network 172.16.0.0

RIP's Default Route
ip route 0.0.0.0 0.0.0.0

Tuning RIP
 offset-list   Used to adjust the metric manually; changes the hop count.
 distance      Used to adjust the administrative distance
 timers        Used to adjust the timers; make sure all routers' timers are the same
 version       Used to enable RIP v2
Passive-Interface
Use passive interfaces to stop advertisements.
Unicast updates: you can use the passive-interface command to block routing traffic and then add the neighbor command to allow routing to specific routers. For example, block on the serial interface for three routers but add a neighbor statement for r2 to allow it to get updates.
Commands to Know
 *flash-update-threshold
 *input-queue
 output-delay
 *validate-update-source   Disables the validation of the source IP address of incoming RIP routing updates. Needed when 2 IGPs are running.
Troubleshooting RIP
Are the distance-vector timers the same? Check the timers.
show router rip
debug ip rip
debug ip routing
clear ip route *
show ip protocols
8.1. RIP V1
Timers
 Invalid timer: 180 seconds (6x updates). These are marked possibly down in the route table until garbage collection.
 Garbage collection: 240 seconds (invalid + 60 seconds)
 Holddown: 180 seconds (6x updates)
 Random timer: 1-5 seconds, used for triggered updates
Configuring RIPv1
router rip
 network 10.0.0.0
 passive-interface e0
 neighbor 192.168.1.12
deb ip rip
deb ip rip events
Discontinuous Subnets for RIPv1
r1 - - - r2 - - - r3
10.10.0.0 is on r1, 10.20.0.0 is on r3; r1 and r3 are border routers; r2 will only get 50% of the packets correct.
Solution:
1 - Configure subnets 10.10.0.0 and 10.20.0.0 on r2. This stops r1 and r3 from being border routers. Use a secondary IP address to resolve this.
2 - Use default routes to 10.10.0.0 on both routers.
3 - Configure a secondary address on the primary interface.
Proper Path Determination
r1 - - - - (backup link to r3) 10.3.0.0
 |                                  |
r2 - - - - - - - - - - - - - - - - r3
r1-r2-r3 is the preferred path, but RIP uses hops so r1-r3 is used. Change the metric on the backup link.
Change incoming on r1 and r3:
router rip
 network 10.0.0.0
 offset-list 1 in serial 0
access-list 1 permit 10.3.0.0 0.0.0.0
Change outgoing on r1 and r3:
router rip
 network 10.0.0.0
 offset-list 2 out serial 0
access-list 2 permit 10.3.0.0 0.0.0.0
Other Offset-List Options
 If no interface is specified, all in/out interfaces will be modified.
 If ACL 0 is used, all in/out updates will be modified.
Limitations of RIP
No support for: discontiguous networks, VLSM, CIDR (RIPv1 is classful).
8.2. RIP V2
 Carries subnet mask – VLSM
 Has authentication
 Next-hop with each route entry
 External route tags – used to send AS numbers or other info
 Uses multicast updates – 224.0.0.9
* Underlined items are the fields that are new in the RIP packet.

RIP Compatibility Modes
 Rip-1       = only transmit v1 messages
 Rip-2-only  = multicast only v2 messages
 Both        = broadcast v2 messages
If you want to block RIP, use passive-interface or block port 520 on the interface.
Authentication
 When enabled, only 24 routes per route update
 AFI is set to all ones – 0xFFFF
 Simple password is auth-type 2
 MD5 is auth-type 3
key chain valk
 key 1
  key-string 99valk
int eth 0
 ip rip authentication key-chain valk
 ip rip authentication mode md5   (omit for clear-text authentication)
router rip
 version 2
Configuring RIPv2
router rip
 version 2 | version 1
 network 10.0.0.0
int e0
 ip rip receive version 1
int s0
 ip rip send version 1 2
If a version 2 router receives a route, it cannot send that route out the same interface to a version 1 router (split horizon). The version 2 router must either turn off split horizon or enable sending v1 updates.
Discontinuous Subnets for RIPv2
Turn off auto-summary at the boundary routers with the no auto-summary command.
Authentication (this is identical to the EIGRP authentication configuration)
int e0
 ip rip authentication key-chain CCIE
 ip rip authentication mode md5

RIPv1 versus RIPv2
 RIPv1       RIPv2
 Classful    Classless / VLSM
             Authentication (simple / MD5)
             no auto-summary
             Uses multicast updates
             Snapshot routing
             External route tags

9. IGRP (I) 100
 All subnets must be classful and contiguous.
 Each update carries 104 entries.
 Does not support authentication.
 Summarizes at boundaries.
 Uses IP protocol 9.
 Uses ASs.
IGRP has three route types:
 Internal   Local subnets
 System     Summarized by boundary router
 Exterior   Default network
For discontiguous networks the RIPv1 solution should work.
Metric
IGRP = bandwidth + delay. Bandwidth is the smallest of all bandwidths on outbound ports in a given path. Delay is the sum of all delays of outbound ports in the path.
Components: delay, bandwidth, reliability, load, hop count.
Delay is in units of 10 ms. Delay = 167 seconds; delay can only go to 167.8 seconds. Anything over 167 is unreachable.
BW = 10^7 / BW (or 10 Gb / BW). The default for serial interfaces is a T1, so anything else must be changed.
Delay is DLY/10; a 50 ms delay would be 5 in IGRP.
Max hops = 100 by default, up to 255: metric maximum-hops
Timers
Jitter is up to 20% (18 seconds).
 Update    90
 Invalid   270 (3x update)
 Holddown  280 (3x + 10). Disable with the no metric holddown command; OK to do in loop-free topologies.
 Flush     630 (7x). Has to be at least the sum of the update and holddown timers.
IGRP has a sleeptime timer – used to delay an update after a triggered update was received.
All timers in an AS must be the same.
Speed up IGRP convergence by reducing the holddown and flush timers, as long as you know you do not have any routing loops.
Bandwidth
IGRP bandwidth (bits) = (10^10 / BW (bps)) div 1
Min BW = 1200 bps: max IGRP bandwidth = (10^10 / 1200) div 1 = 8 333 333
Max BW = 10 Gbps: min IGRP bandwidth = 10 / 10 = 1
 Loopback   BW = 10 000 000 000 bps;  IGRP bandwidth = 1
 Satellite  BW = 500 000 000 bps;     IGRP bandwidth = 20
 Ethernet   BW = 10 000 000 bps;      IGRP bandwidth = 1000
 Serial     BW = 2 000 000 bps;       IGRP bandwidth = 5000
 Serial     BW = 512 000 bps;         IGRP bandwidth = 19531
 Serial     BW = 64 000 bps;          IGRP bandwidth = 156250
 Serial     BW = 9 600 bps;           IGRP bandwidth = 1041666
Unequal Load Sharing
IGRP will load balance over up to 6 equal-cost paths. The IGRP maximum-paths default is 4.
*IGRP supports unequal load sharing with the variance command.
Three rules must be met for a route to load-share:
1 - The maximum-paths limit must not be exceeded.
2 - The next hop must be metrically closer to the destination.
3 - The metric of the lowest-cost route, when multiplied by the variance, must be greater than the metric of the route to be added.
Summarizing a VLSM Address
To summarize a 24-bit address:
1. A static route to null0
   ip route 172.16.6.0 255.255.255.0 null0
   redistribute static subnets
or
2. redistribute connected subnets
   summary-address 172.16.6.0 255.255.255.0
or
3. Add a /24 secondary address on the interface
   redistribute connected subnets
Configuring IGRP
router igrp 10
 network 10.0.0.0
 offset-list                                    (uses delay, not hops)
 metric weights tos k1 k2 k3 k4 k5
 timers basic update invalid hold flush [sleeptime]
 traffic-share [balanced | min]                 Specifies equal or unequal-cost load balancing
 validate-update-source
Tuning IGRP
 distance   Used to adjust the administrative distance
 variance   Used for unequal-cost load balancing
 timers     Used to adjust the timers; make sure all routers' timers are the same
Commands to Know
 default
 **default-information
 **default-metric
 **distance
 ***distribute-list
 *input-queue
 *maximum-paths
 *metric
 **neighbor
 **network
 *offset-list              This is delay in IGRP
 *passive-interface
 ***redistribute
 *timers
 *traffic-share            Specifies whether equal or non-equal paths should be used.
 *validate-update-source
 *variance
Troubleshooting IGRP
Are the distance-vector timers the same?
show ip route 172.16.0.0
show ip protocol
debug ip igrp events
debug ip igrp transactions
debug ip routing
10. EIGRP (D 90) (EX 170)
 Classless
 Updates are periodic and partial
 Uses IP protocol number 88
 EIGRP uses no more than 50% of bandwidth: ip bandwidth-percent eigrp 50
 EIGRP handles losing neighbors and routes by setting the delay to -1, infinity.
One key concept: EIGRP updates routes like DV protocols and converges like link-state protocols.
10.1. HOW EIGRP WORKS
For scalability use:
 IP addressing scheme
 Hierarchy - core, distribution, access
 Summarization at boundaries and interfaces whenever possible
 Bandwidth issues – use dialer profiles and set bandwidth / # dialins
EIGRP does not have timers since it uses feasible distances.
EIGRP routing tables get old when stable.
EIGRP has four components:
 Protocol-dependent modules
 RTP
 Neighbor discovery / recovery
 Diffusing Update Algorithm (DUAL)
EIGRP has three types of routes, just like IGRP:
 Internal   Learned by EIGRP                       90
 External   Redistributed                          170
 System     Auto-summary or explicit summary       5
Route Process
 Route Selection Process
   ^
 Topology Database (Internal) (External)
   ^
 Neighbor Table / DUAL
   ^
 Transport Mechanisms (Hello) (RTP)

EIGRP Packet Types
 Hellos           unreliable
 ACKs             unreliable
 Updates          reliable
 Queries/Replies  reliable

              Unicast                      Multicast
 Unreliable   Ack                          Hello
 Reliable     Reply, SAP response          Update, Query(?)
 Other protocols (IPX): IPX SAP Query (unicast?), IPX SAP Flash Update (multicast)
Unicasts are sent instead of multicasts when sending over FR, and when retransmitting a packet to a neighbor (update) that did not acknowledge the packet in the multicast timeout interval. Use sie int detail to see the unicast packets sent; the "mcast exceptions" are the unicasts.
Hellos
When you change the hello or hold time, change it on both neighbors.
Hellos are for:
 Discovering new neighbors
 Verifying neighbor confirmation / adjacency
 Monitoring neighbor reachability and detecting loss
Hellos are sent every 5 seconds; on NBMA (T1 and slower) they are sent every 60 seconds. This longer hello also applies to ATM SVCs and ISDN PRIs.
ip hello-interval eigrp   Is used to change the time
Hellos use a reliable multicast to 224.0.0.10 and each neighbor responds with a unicast ack.
Hellos are sent from the primary address; if the secondary address is in EIGRP, the neighbor must know about the primary address for it to work.
Hellos use two timers to detect neighbors:
 Hello interval – how often hellos are sent (5 seconds)
 Hold timer – how long to wait for a hello (3x hello interval)
If a neighbor does not respond to an update, a unicast is sent; after 16 of these are sent the neighbor is declared dead. The time to wait before a multicast is sent is the multicast flow timer. The time between unicasts is the retransmission timeout (RTO). Both the RTO and the multicast flow timer are calculated from the smooth round-trip time (SRTT). RTO cannot be smaller than 200 msec or larger than 5 seconds.
sie neighbor   To display SRTT
To find the hello interval: deb eigrp packet hello (on the neighbor). When you see two hello packets, subtract the timestamps. The easier method is show ip eigrp nei and watch the hold timer jump; the default is 15 seconds, divide by three for the hello timer.
Metric
EIGRP uses bandwidth and delay for the metric; if you must change the metric, change the delay. The metric is two-part: composite and vector.
sie top 10.0.0.1 255.0.0.0   Displays both metrics.
The vector part is all parts – load, reliability, MTU, bw, delay. The composite is the result.
Setting all metrics to 0 will create routing loops. If you turn off split-horizon, loops can be generated as well.
The bw and dly must be the same throughout the AS and VLANs.
Metric = [ 10,000,000 / BW + ((delay on first connection + delay on second connection) / 10) ] * 256
The only difference between an IGRP metric and an EIGRP metric is that the EIGRP metric is represented by a value that is larger than the IGRP metric by a factor of 256.
 IGRP  =  BW        +  DLY       =  IGRP metric
       =  19531     +  4600      =  24131
       =  10^7/512  +  46000/10
The BW is the minimum BW along the path to the destination. The DLY is the sum of all the delays along the path to the destination.
 Media              Bandwidth   BW / IGRP   Delay     Delay / IGRP
 ATM / FE / FDDI    100,000     100         100       10
 HSSI               45,045      222         20,000    2,000
 TR                 16,000      625         630       63
 Ethernet           10,000      1,000       1,000     100
 Loopback           8,000,000   -           5,000     500
 T1                 1,544       6,476       20,000    2,000
 DS0                64          156,250     20,000    2,000
 Dialer / 56K       56          178,571     20,000    -
 Tunnel             9           1,111,111   500,000   50,000
 Low Speed Serial   115         -           20,000    2,000
 BRI                64          -           20,000    -
Holddown Timer
A router needs to receive another hello before the hold time expires. The hold timer is 3x the hello interval. If another hello is not received the neighbor is considered unreachable. The hold timer is changed with ip hold-time eigrp.
To find the hold time: sh ip eigrp neighbor. Do this repeatedly until you see the hold timer jump to its highest value. This is the hold-time of the router. The value jumps when the router receives a hello packet, resetting the hold time.
Once EIGRP routing is enabled, three tables are created:
 Topology Database – advertised metric, feasible distance. Stores all routes learned in the topology table.
 Neighbor Table
 Routing Table
Topology Table
How information is entered into the topology table:
 Update packets
 Reply packets
 Redistributed routes (ex)
 Network command in the EIGRP process
Deleted from the topology table:
 Subnet unreachable – physical failure
 Update, query, or reply with infinite delay
 Redistribution fails (ex removed)
 Neighbor found dead
Topology Table Rules
 Routes learned locally take precedence over neighbor routes regardless of distance. Even if the local route is down it will block the neighbor route.
 A static route will block successors and make the FD infinite if the destinations are the same.
Monitoring Topology Table
 sie top sum              Summary of all topology tables
 sie top sum              Summary of AS topology table
 sie top                  Routes in topology table
 sie top all-links        Summary of all routes in topology table
 sie top                  Shows all the details of a route, such as route-type and vector/composite metrics
 sie top active           Displays routes for which DUAL is active
 sie top pending          Displays unconverged routes
 sie top zero-successors  Displays routes with successors that are down
With sie top sum, check the number of routes. If the number of routes is much greater than the routes in your routing table, your network is too highly meshed or split-horizon is off at the wrong place. Use sie top all-links to verify this condition.
The next-serial field counts the number of changes to the topology table. By monitoring this you can tell how stable your network is.
Compare sie top and sie top all-links to see which routes are not FS due to the FC.
sie top for external routes will also display:
 The originating router
 AS number of BGP or EIGRP
 External protocol
 External metric
 Administrative tag
Neighbor Table (Adjacency Table)
 deb eigrp neighbor                           Debug neighbor events
 router eigrp / eigrp log-neighbor-changes    Logs adjacency establishments and losses
 ipx router eigrp / log-neighbor-changes      Logs adjacency establishments and losses
When using logs, use service timestamps to record the times. logging buffered enables logging to the internal buffer.
Adjacency Resets
Why?
 Hold time expires
 16 packets sent with no reply
 Interface down / line down
 Network removed from the EIGRP process
How to manually reset
 cle ip eigrp neighbor   Clears a single IP address
 cle ip eigrp neighbor   Clears neighbors on an interface
 cle ip eigrp neighbor   Clears all neighbors
IOS Resets
When a configuration change affects the topology table:
 Change interface – bw, dly, mtu
 Split-horizon change
 Summarization
 Network address change
 Passive-interface added or removed
 Distribute-list modified
 Metric changed
 Maximum-hops changed
Tips for adjacency resets
Any changes to EIGRP should be done during maintenance periods. Otherwise the network will go down for 5-60 seconds until the adjacencies re-establish. A network meltdown is possible if the network is not designed properly. All changes to core routers should be done in batches to prevent repetitive adjacency resets, which could lead to a meltdown. Any adjacency reset will last as long as 2x the hello interval: 10-14 seconds on Ethernet or 120-179 seconds on frame-relay links.
Monitoring Neighbors
 sie neighbor          Summary of all neighbors
 sie neighbor          Summary of AS neighbors
 sie neighbor          Summary of interface neighbors
 sie neighbor detail   Detail of all neighbors on the AS
 sie neighbor detail   Detail of all neighbors on the interface
 sio nei detail        Whether this router is a potential bottleneck: routers not responding to queries. This will display who is the slowest during convergence. Look for long active times and a high number of routes.
TERMS
 DUAL – is run when a neighbor is found or lost
 Adjacency – link between neighbors
 Feasible distance (FD) – metric to destination
 Feasible condition (FC) – is met if the neighbor's FD is lower than the router's FD
 Feasible successor (FS) – if the FC is met the neighbor is an FS. All FSs are recorded in the topology table.
 Successor (S) – the route that is put in the routing table, the lowest FD.
The FS will become the S if:
 A new route is learned
 The cost of the successor increases
 The cost of the FS decreases to below the S's route
Finding an FS is done by DUAL.
The DUAL finite state machine defines the rules:
 First a local computation is done
 If an FS exists, it is the S
 If the new FD is lower, the FD is updated
When DUAL is running, routes go into an active state. When a route is in an active state the router cannot:
 Change the S
 Change the distance for the route
 Change the route's FD
10.2. DUAL
DUAL Rules
1 – Whenever a router chooses a new S, it informs all its neighbors about the new distance.
2 – Every time a router selects a new S, it sends a poison-reverse to its S.
3 – A poison update is sent to all neighbors on the interface through which the S is reachable unless split-horizon is off; then it sends the poison update only to the S.
DUAL Computation
1 - Mark the route active and start the active timer (3 minutes to converge).
2 - Start the local computation. If an FS exists, set it to S and send an update. If no FS exists, go to 3.
3 - Send queries to all neighbors.
3b - Each neighbor starts a local computation. If the neighbor has an FS, it sends a reply. If the neighbor does not have an FS, it starts DUAL; if it has other routers attached it sends a query to them and they start step 3 as well. Once all the other routers reply to this neighbor, it replies back to the original router. This time can create SIA events.
4 - The lost route's FD is set to infinity so any replies meet the FC. If the replies are not received within 3 minutes the route is SIA. The neighbors who did not reply will be removed from the neighbor table. (Receive replies)
5 - For every reply received a metric is calculated. An S is not chosen until all replies are received.
6 - Whether a new S is found or not, the route table is updated, an update packet is sent, and all routers are now converged.
When a route is declared unreachable another route is searched for. If a route is found in the topology table / route table (up to six are kept) it is activated and DUAL is not performed. When a route is lost but an FS exists, the change is immediate by local computation. This may not be the case for its neighbors, however. Proper network design will take this into consideration.
Monitoring DUAL
 timers active-time 3         Used to change the active time
 timers active-time disable   Disable the SIA check
 sio nei detail               Whether this router is a potential bottleneck: routers not responding to queries. This will display who is the slowest during convergence. Look for long active times and a high number of routes.
Building a Route Table
All S's, up to six, are put into the routing table. IGRP and EIGRP are the only routing protocols that support unequal-cost load balancing.
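The DUAL local computation and feasibility condition from the TERMS and DUAL Computation sections, together with the three unequal-cost load-sharing rules from the IGRP variance section, as an added Python example (not from the book); the topology table entries for one destination are constructed.

```python
# Added example (not from the book): DUAL local computation over a constructed
# topology table for one destination, plus the IGRP/EIGRP variance rules.
from dataclasses import dataclass
from typing import List, Optional, Tuple

INFINITY = 2**32 - 1   # "delay of -1 / infinity" used for an unreachable route


@dataclass(frozen=True)
class Entry:
    neighbor: str
    reported_distance: int   # the neighbor's own FD to the destination (advertised metric)
    link_cost: int           # metric of the link from this router to that neighbor

    @property
    def distance(self) -> int:
        return self.reported_distance + self.link_cost


def feasible_distance(entries: List[Entry]) -> int:
    """FD = lowest total distance to the destination (infinity if nothing is known)."""
    return min((e.distance for e in entries), default=INFINITY)


def successors(entries: List[Entry]) -> List[Entry]:
    """The successor(s): every entry whose distance equals the FD."""
    fd = feasible_distance(entries)
    return [e for e in entries if e.distance == fd]


def feasible_successors(entries: List[Entry]) -> List[Entry]:
    """Feasibility condition: a neighbor whose reported distance is lower than our
    FD cannot be routing through us, so it is loop-free and usable at once."""
    fd = feasible_distance(entries)
    return [e for e in entries if e.reported_distance < fd and e.distance != fd]


def local_computation(entries: List[Entry], fd: int,
                      lost_neighbor: str) -> Tuple[str, Optional[Entry], int]:
    """A neighbor is lost: drop its entry and promote an FS without going active
    if one exists. Returns (state, new_successor, new_fd)."""
    remaining = [e for e in entries if e.neighbor != lost_neighbor]
    candidates = [e for e in remaining if e.reported_distance < fd]
    if not candidates:
        # No FS: the route goes active, queries are sent and the FD is set to
        # infinity so that any reply meets the FC (DUAL Computation step 4).
        return "active", None, INFINITY
    best = min(candidates, key=lambda e: e.distance)
    # While passive the FD is only ever lowered ("new FD lower, FD is updated").
    return "passive", best, min(fd, best.distance)


def load_sharing_routes(entries: List[Entry], variance: int,
                        maximum_paths: int = 4) -> List[Entry]:
    """Routes installed with unequal-cost load sharing:
    1) no more than maximum-paths, 2) the next hop is metrically closer
    (reported distance < FD), 3) route metric <= variance * lowest metric
    (equal-cost paths, including the successor itself, always qualify)."""
    fd = feasible_distance(entries)
    ok = [e for e in entries
          if e.reported_distance < fd and e.distance <= variance * fd]
    return sorted(ok, key=lambda e: e.distance)[:maximum_paths]


# Constructed topology table for one destination as seen from this router.
TOPOLOGY = [
    Entry("r2", 100, 50),   # distance 150 -> successor, FD = 150
    Entry("r3", 120, 60),   # distance 180, RD 120 < 150 -> feasible successor
    Entry("r4", 200, 10),   # distance 210, RD 200 >= 150 -> not feasible (may loop)
]

if __name__ == "__main__":
    print("FD:", feasible_distance(TOPOLOGY))
    print("S :", [e.neighbor for e in successors(TOPOLOGY)])
    print("FS:", [e.neighbor for e in feasible_successors(TOPOLOGY)])
    print("lose r2:", local_computation(TOPOLOGY, 150, "r2"))
    print("variance 2:", [e.neighbor for e in load_sharing_routes(TOPOLOGY, 2)])
```

Note that r4 has a lower link cost than r3 yet is never installed: its reported distance is not below the FD, which is exactly the check that keeps the path loop-free.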
Distance
To change the distance:
Default
router eigrp
 distance eigrp
Change routes from neighbors
router eigrp
 distance eigrp
Use an ACL to change the distance
router eigrp
 distance eigrp
router rip
 distance 130                       ~ says set all RIP routes to distance 130
 distance 100 10.21.1.2 0.0.0.0 2   ~ says when you receive routes for networks specified in access-list 2 from neighbor 10.21.1.2, set the administrative distance to 100.
For a redistributed route:
 distance 90 172.50.50.0 0.0.0.255
-or-
router eigrp 1
 distance 90 0.0.0.0 0.0.0.255 2
access-list 2 permit 172.50.50.0 0.0.0.255
This changes the distance to make it look internal and therefore preferred over most other routing protocols.
The distance command sets new defaults for internal and external routes. This can be used to prefer one EIGRP process over another. If you want to ignore some neighbor routes use the 255 distance.
EIGRP SIA
This means a bad network design. Check the EIGRP bandwidth against the actual bandwidth of the links.
To fix SIA, change the active timer to 300 seconds (5 minutes):
router eigrp 1
 timers active-time 300
Use sh ip eigrp top active to find the SIA routes, or the undocumented sie sia events.
EIGRP bandwidth
EIGRP bandwidth (bits) = 256 * ((10^10 / BW (bps)) div 1)
Min BW = 1200 bps: max EIGRP bandwidth = 256 * ((10^10 / 1200) div 1) = 256 * (8333333.33 div 1) = 256 * 8333333 = 2,133,333,248
Max BW = 25.6 Gbps: min EIGRP bandwidth = 25.6 / 25.6 = 1
 Loopback   BW = 10 000 000 000 bps;  EIGRP bandwidth = 256
 Satellite  BW = 500 000 000 bps;     EIGRP bandwidth = 5 120
 Ethernet   BW = 10 000 000 bps;      EIGRP bandwidth = 256 000
 Serial     BW = 2 000 000 bps;       EIGRP bandwidth = 1 280 000
 Serial     BW = 512 000 bps;         EIGRP bandwidth = 4 999 936
 Serial     BW = 64 000 bps;          EIGRP bandwidth = 40 000 000
 Serial     BW = 9 600 bps;           EIGRP bandwidth = 266 666 496
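The bandwidth and delay components from the IGRP Bandwidth section, the Metric section and the EIGRP bandwidth table above, as an added Python example (not from the book); the two-hop path is constructed so that it reproduces the 512 kbps / 46,000 delay worked example, and the split of that delay between the two hops is an assumption.

```python
# Added example (not from the book): IGRP / EIGRP bandwidth and delay components
# and the composite metric using the formulas in these notes, with the default
# K values (K1 = K3 = 1), so reliability, load and MTU do not contribute.
from typing import Iterable, List, Tuple

Hop = Tuple[int, int]   # (bandwidth in kbps, delay in microseconds)


def igrp_bandwidth_kbps(bw_kbps: int) -> int:
    """IGRP bandwidth component from a bandwidth in kbps: 10^7 / BW, truncated."""
    if bw_kbps <= 0:
        raise ValueError("bandwidth must be positive")
    return 10_000_000 // bw_kbps


def igrp_bandwidth_bps(bw_bps: int) -> int:
    """The same component from a bandwidth in bps: (10^10 / BW) div 1."""
    if bw_bps <= 0:
        raise ValueError("bandwidth must be positive")
    return 10_000_000_000 // bw_bps


def eigrp_bandwidth_bps(bw_bps: int) -> int:
    """EIGRP scales the IGRP bandwidth component by 256."""
    return 256 * igrp_bandwidth_bps(bw_bps)


def igrp_delay(delays_us: Iterable[int]) -> int:
    """IGRP delay component: sum of the outbound delays on the path, in 10-us units."""
    return sum(delays_us) // 10


def igrp_metric(path: List[Hop]) -> int:
    """Composite IGRP metric: the smallest bandwidth on the path plus the sum of
    all delays along it (bandwidth is a min, delay is a sum)."""
    bandwidths = [bw for bw, _ in path]
    delays = [delay for _, delay in path]
    return igrp_bandwidth_kbps(min(bandwidths)) + igrp_delay(delays)


def eigrp_metric(path: List[Hop]) -> int:
    """EIGRP metric = IGRP metric * 256, the only difference noted above."""
    return 256 * igrp_metric(path)


def metric_after_delay_change(path: List[Hop], hop_index: int, new_delay_us: int) -> int:
    """EIGRP metric after changing one hop's delay: the tuning knob recommended
    in the Metric section, because delay always adds into the metric whereas a
    bandwidth change only matters if it becomes the new minimum."""
    changed = list(path)
    bw, _ = changed[hop_index]
    changed[hop_index] = (bw, new_delay_us)
    return eigrp_metric(changed)


if __name__ == "__main__":
    # Constructed path: min BW 512 kbps, total delay 46,000 us (assumed split
    # 20,000 + 26,000 us), matching the worked IGRP example above.
    path = [(512, 20_000), (1544, 26_000)]
    print("IGRP metric :", igrp_metric(path))    # 19531 + 4600 = 24131
    print("EIGRP metric:", eigrp_metric(path))   # 24131 * 256 = 6177536
    for bps in (10_000_000_000, 512_000, 9_600):
        print(bps, "bps ->", igrp_bandwidth_bps(bps), eigrp_bandwidth_bps(bps))
```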
10.3. AUTHENTICATION
Supports MD5 authentication; MD5 is the only authentication supported. Why should Cisco support simple password when EIGRP will be on all Cisco routers?
To configure authentication:
 Define the key chain
 Define the keys
 Enable on the interface, specifying the key chain
 Configure key management (optional)
key chain CCIE
 key 1
  key-string cisco
int s0
 ip authentication key-chain eigrp 15 CCIE
 ip authentication mode eigrp 15 md5
Key Management
 accept-lifetime / send-lifetime
Securing EIGRP
Make all interfaces not using EIGRP passive. Enable MD5 on all EIGRP processes and interfaces. Change passwords often.
router eigrp 100
ip authentication key-chain e<br>igrp 100 CCIE
ip authentication mode eigrp 100 md5
key chain CCIE
 key 1
  key-string cisco
Key Management Strategies
 Each subnet is a different key
 Each hierarchy level has a different key (core, distribution, access)
If you use key management with accept/send lifetimes then you should use an NTP server as well. Overlap the times by 30 minutes to ensure no time problems.
Troubleshooting MD5
 deb ip eigrp packets verbose
 sh key chain
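A checker for the key-management advice above (and the identical RIPv2 key-chain configuration earlier), as an added Python example that is not from the book: it parses a key chain and verifies that consecutive keys overlap by at least 30 minutes, so that clock skew between routers never leaves a window in which no key is accepted. The key-chain text is constructed, and lifetimes are assumed to be written in the IOS form "hh:mm:ss Mon D YYYY" followed by either an end time in the same form or the word infinite.

```python
# Added example (not from the book): verify the 30-minute accept/send overlap
# between consecutive keys of an IOS key chain. Constructed sample config below.
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

OVERLAP = timedelta(minutes=30)
TIME_FMT = "%H:%M:%S %b %d %Y"     # assumed lifetime timestamp layout

SAMPLE_KEY_CHAIN = """\
key chain CCIE
 key 1
  key-string cisco
  accept-lifetime 00:00:00 Jan 1 2003 00:30:00 Feb 1 2003
  send-lifetime 00:00:00 Jan 1 2003 00:00:00 Feb 1 2003
 key 2
  key-string cisco2
  accept-lifetime 23:30:00 Jan 31 2003 infinite
  send-lifetime 00:00:00 Feb 1 2003 infinite
"""

Lifetime = Tuple[datetime, Optional[datetime]]   # (start, end); end None = infinite
FOREVER: Lifetime = (datetime.min, None)         # IOS default when no lifetime is set


def parse_lifetime(text: str) -> Lifetime:
    """'00:00:00 Jan 1 2003 00:30:00 Feb 1 2003' or '... infinite' -> (start, end)."""
    parts = text.split()
    start = datetime.strptime(" ".join(parts[:4]), TIME_FMT)
    if parts[4] == "infinite":
        return start, None
    return start, datetime.strptime(" ".join(parts[4:8]), TIME_FMT)


def parse_key_chain(config: str) -> Dict[int, Dict[str, Lifetime]]:
    """Return {key-id: {"accept": (start, end), "send": (start, end)}}."""
    keys: Dict[int, Dict[str, Lifetime]] = {}
    current: Optional[int] = None
    for line in config.splitlines():
        m = re.match(r"\s*key (\d+)\s*$", line)
        if m:
            current = int(m.group(1))
            keys[current] = {"accept": FOREVER, "send": FOREVER}
            continue
        m = re.match(r"\s*(accept|send)-lifetime (.+?)\s*$", line)
        if m and current is not None:
            keys[current][m.group(1)] = parse_lifetime(m.group(2))
    return keys


def check_overlap(keys: Dict[int, Dict[str, Lifetime]],
                  overlap: timedelta = OVERLAP) -> List[str]:
    """For each pair of consecutive keys (ordered by send start): the next key must
    be accepted at least `overlap` before the previous key stops being sent, and
    the previous key must still be accepted at least `overlap` after the next key
    starts being sent. Returns a list of problems (empty means the chain is fine)."""
    problems: List[str] = []
    ordered = sorted(keys.items(), key=lambda kv: kv[1]["send"][0])
    for (kid_a, a), (kid_b, b) in zip(ordered, ordered[1:]):
        send_end_a = a["send"][1]
        if send_end_a is None:
            problems.append(f"key {kid_a}: send-lifetime is infinite but key {kid_b} follows it")
            continue
        if b["accept"][0] > send_end_a - overlap:
            problems.append(f"key {kid_b}: accept-lifetime starts less than {overlap} "
                            f"before key {kid_a} stops being sent")
        accept_end_a = a["accept"][1]
        if accept_end_a is not None and accept_end_a < b["send"][0] + overlap:
            problems.append(f"key {kid_a}: accept-lifetime ends less than {overlap} "
                            f"after key {kid_b} starts being sent")
    return problems


if __name__ == "__main__":
    print(check_overlap(parse_key_chain(SAMPLE_KEY_CHAIN)) or "key chain OK")
```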
10.4. SUMMARIZATION
In 12.0.5T the summary-address command has an AD parameter.
Summarization is achieved by reducing the address mask length. Address aggregation summarizes further by going past the class boundary; this is also known as supernetting. CIDR is the process of supernetting class C addresses into one CIDR block.
*EIGRP does not summarize external routes unless there is an internal route in the topology database.
*The summary route will have an AD of 5, points to null0, and has the metric of the subnets it covers. Only the summary will be seen by the neighbors, with a distance of 90.
You can summarize multiple networks received from a neighbor by adding the network summary to the route process, by creating an interface summary.
Query boundaries are not stopped at summarizing routers but one hop beyond the summary point.
When configuring summarization make sure that the manual and the automatic (classful) summaries do not overlap.
When summarizing try to make the lowest-cost router the most stable. If it flaps, so will the summary.
Apply ip summary-address eigrp on the interface on which you want to advertise the summary route.
Per-interface summary:
 ip summary-address eigrp 15 172.16.15.0 255.255.255.0
EIGRP automatically summarizes like RIPv2 does, at the boundaries and to the class. To stop automatic summarization (just like RIPv2):
router eigrp 100
 no auto-summary
Summary statements do two things:
 Create a route to null0
 Filter summary routes in the table
A summary can only be created if EIGRP has an internal route in the table.
Uses a Null0 interface for summarization; the default is classful. Changing or removing auto-summarization affects this Null0 interface.
10.5. EIGRP AND THE WAN
When enabling EIGRP on BRI or serial interfaces always configure the bandwidth, since it is needed for proper metrics.
EIGRP and NBMA (Non-Broadcast Multi-Access)
*Split-horizon is disabled on all DV NBMA networks. NBMA = FR, ATM
int s 0
 no ip split-horizon eigrp 10
 ip hello-interval eigrp 10 30
 ip hold-time eigrp 10 90
 ip bandwidth-percent eigrp 10 25
EIGRP and FR or ATM
If you have several sites connecting to a central site, turn on frame-relay broadcast-queue at the central site.
L2 – L3 Mapping
Add broadcast to the end of the map statement; it is needed for hellos and adjacency.
Most WAN problems are L2/L3 problems and not routing problems.
PtP = IPXWAN
PtM = Split-horizon problems
Most WAN problems are output queue overloads; to resolve:
Extend the output queue
Use subinterfaces
Use frame-relay broadcast queues
FR PtM
Disable split-horizon. *This will make routes appear as "possibly down" on that router.
Add a default network or route summarization.
Disabling split-horizon increases the topology table on remote routers and the traffic generated by EIGRP.
FR & EIGRP Helpful Hints
Pacing: check BW = CIR
Reduce hellos to speed convergence where needed
Broadcast-queue to avoid output drops
ATM & EIGRP
Need the broadcast option in the map statement
EIGRP does not like CLIP: only the ARP servers will form adjacencies, meaning all traffic will go through the ARP server.
EIGRP Pacing
Pacing is to ensure that the EIGRP bandwidth used does not exceed the total bandwidth available at the central site.
Remote router = 64 kbps link, 16 kbps CIR
Central router = 256 kbps
EIGRP BW Remote  = 32 kbps
EIGRP BW Central = 128 kbps
VC on Remote     = 8 kbps (1/2 CIR)
VC on Central    = 128 kbps (1/2 BW)
With 10 remote routers (VC = 8*10 = 80 kbps): does the remote VC total exceed the VC on central? If no, you're OK; if yes, adjust the bandwidth on the interface or how much bandwidth EIGRP uses.
Note: If CIR=0 use ½ of the overall BW.
Dial Solutions
Dial Backup Design
Who will be the initiating router?
Where should the ISDN backup be terminated?
Should the link be unnumbered or subnetted?
Dial-In & EIGRP
Use no peer neighbor-route / no ip peer host-route to stop a dial-up host route (/32) from getting entered into the EIGRP process or topology table.
Dial-Out & EIGRP
To route to the remote: static, dynamic protocol.
When the frame-relay primary comes back up and the ISDN link goes down, the routes need to converge fast. If it waits for EIGRP to time out (270 seconds) a black hole will exist during this time. To solve use:
Quick hellos and change the hold time
A routing protocol with a different AD
Higher distance / AD over ISDN
Load Sharing
All commands are under the EIGRP process:
variance                       Configure unequal-cost load-sharing
*traffic-share balanced        Configure proportional load balancing on unequal-cost routes
traffic-share min              Use only min-cost routes
maximum-paths                  Maximum number of routes
Interface commands:
no ip route-cache              Per-packet balancing
ip route-cache cef
ip load-sharing per-destination    CEF per destination
ip route-cache cef
ip load-sharing per-packet         CEF per packet
Variance Rules
1 – The router's own distance from the topology table is less than FD*V.
2 – The path toward the destination goes through a feasible successor (FS).
3 – Always verify both directions.
4 – If more than one router is on the LAN and you must load balance outgoing traffic, use HSRP. You can use another layer of routers to distribute traffic.
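Rules 1 and 2 above, worked through on a small topology table as an added Python example (not from the book): it shows why a cheaper path can still be left out when the neighbor's reported distance is not below the FD, and how raising variance changes what gets installed. The router names and metrics are constructed.

```python
from dataclasses import dataclass

# Constructed example, not from the notes: applies the feasibility condition and the
# variance multiplier to one destination's topology-table entries to show which
# paths EIGRP installs and why a lower-cost path can still be rejected.


@dataclass
class Path:
    neighbor: str
    reported_distance: int   # RD: the neighbor's own metric to the destination
    cost_via_neighbor: int   # this router's total metric through that neighbor


def select_paths(paths, variance=1, maximum_paths=4):
    """Return (FD, installed paths) for one destination.

    Rule 1 (feasibility): a neighbor is a feasible successor only if its RD is
            strictly less than our FD; this is the loop-prevention check.
    Rule 2 (variance): a feasible path is installed if its cost is at most
            FD * variance. With variance 1 only equal-cost paths qualify.
    """
    if not paths:
        return None, []
    fd = min(p.cost_via_neighbor for p in paths)        # successor's metric
    feasible = [p for p in paths if p.reported_distance < fd]
    installed = sorted((p for p in feasible if p.cost_via_neighbor <= fd * variance),
                       key=lambda p: p.cost_via_neighbor)
    return fd, installed[:maximum_paths]


def explain(paths, variance=1):
    """One line per path saying whether it was installed and which rule decided it."""
    fd, installed = select_paths(paths, variance)
    chosen = {p.neighbor for p in installed}
    lines = []
    for p in paths:
        if p.neighbor in chosen:
            lines.append(f"{p.neighbor}: installed (RD {p.reported_distance} < FD {fd}, "
                         f"cost {p.cost_via_neighbor} <= {fd}*{variance})")
        elif p.reported_distance >= fd:
            lines.append(f"{p.neighbor}: not a feasible successor (RD {p.reported_distance} >= FD {fd}); "
                         f"raising variance will never install it")
        else:
            lines.append(f"{p.neighbor}: feasible but cost {p.cost_via_neighbor} > {fd}*{variance}; "
                         f"raise variance to use it")
    return lines


# Constructed topology-table entries for one destination.
TOPOLOGY = [
    Path("R2", reported_distance=10, cost_via_neighbor=20),   # successor, FD = 20
    Path("R3", reported_distance=15, cost_via_neighbor=35),   # feasible successor
    Path("R4", reported_distance=25, cost_via_neighbor=30),   # cheaper than R3 but RD >= FD
]

if __name__ == "__main__":
    for v in (1, 2):
        print(f"variance {v}:")
        for line in explain(TOPOLOGY, v):
            print("  " + line)
```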
10.6. NEW TO EIGRP WITH RELEASE 12.0
12.0.4T has a mask option on the network command; otherwise you have to use passive-interface to stop EIGRP from advertising on an interface.
router eigrp 100
 network 172.16.30.0 0.0.0.255       Wildcard mask instead of passive interfaces
 eigrp stub receive-only             Allows stub routers
int serial 0
 no eigrp neighbor auto-discovery    Neighbor control
10.7. CONFIGURING EIGRP
Configure EIGRP as IGRP with an 'E':
router eigrp 10
 network 10.0.0.0
ipx router eigrp 100
 network all
 no redistribute rip             Stops IPX RIP routes going into IPX EIGRP
 distribute-list out rip         Filter RIP into EIGRP
ipx router rip
 no router rip 100
 no redistribute eigrp 100       Stops IPX EIGRP routes going into IPX RIP
 distribute-list out eigrp       Filter EIGRP into RIP
Process-ID can be between 1 and 65535.
EIGRP Troubleshooting
Neighbors established?                   sie ne
Topology database OK?                    sie top
Feasible distances OK?                   sir
Feasible distance entries in the topology database must be greater than the direct metric.
Optimal paths in the routing table?      deb ip eigrp, sie top, sir
When a router is not in the topology table, check:
Interface address and mask
EIGRP process ID
Network statements
sie neighbor
If SRTT is 0, the packets are not making the round trip. If the Q count is more than 0, then packets are queued to send.
If an ACL blocks traffic make sure routing traffic is permitted:
access-list 150 permit eigrp 192.168.1.1 0.0.0.0 any
sie top               Displays the routes it's using
sie top all-links     Displays all routes it has learned
SIA
show log
sie top
If a reply is active for more than 180 seconds SIA happens.
deb eigrp packet                         Shows all activity
deb eigrp packet query reply update      Used to observe DUAL only
deb eigrp traffic
debug eigrp packet hello                 Used to see the hello, AS number, etc. from the neighbor
show ip route eigrp                      Displays route table
show ip eigrp neighbor                   Displays all neighbors
show ip eigrp topology                   Displays all topology table entries; displays the neighbor's distance, which must always be less
show ip eigrp topology x.x.x.x           Provides detailed info
show ip eigrp traffic                    Displays packet count
show ip protocols                        Displays active protocol sessions
show ip eigrp events                     Displays all EIGRP events
show ip route x.x.x.x
show ip eigrp interface
show ip protocol
**eigrp log-neighbor-changes             Used to find SIA sources
clear ip eigrp neighbor                  Reinitializes EIGRP neighbor processes
debug ip eigrp                           Displays routing table advertisements
Verifying EIGRP for IPX Operation
show ipx route                           Displays the contents of the IPX routing table
show ipx eigrp neighbors                 Displays the neighbors discovered by IPX EIGRP
show ipx eigrp topology                  Displays the IPX EIGRP topology
11. OSPF (O) 110
11.1. OSPF BASICS
The network statement in OSPF is used as a tool for indicating which interfaces will participate in the OSPF process. Using a range of addresses simply allows you to specify more than one interface with a single network statement.
Maxage is 60 minutes; an LSA is then obsolete.
SPF is used to compute the routes in an area, but distance-vector is used for interarea routes.
How often is SPF run? 5 seconds?
OSPF routers exchange hellos, discover adjacencies, and become neighbors. When an OSPF router boots up it floods the area with packets to find the DR. Once a DR is found the router builds its LSDB from the DR. Once the LSDB is built it runs the SPF algorithm and builds its routing table from the lowest-cost paths.
OSPF will load balance over multiple equal-cost links automatically.
Once the routing table is built, LSA updates are exchanged every 30 minutes.
Each router has a RID; the router maintains this RID until the router is rebooted. Changing the IP address or removing it does not change the RID.
Use sio (show ip ospf):
Type 5   AS external                Not sent to Stub, Totally-Stub and NSSA areas          sio data external
Type 7   External routes to NSSAs   Internal areas and NSSAs; ASBR in NSSA -> ABR          sio data nssa-external
Type 3   Network summary            ABR; flooded to internal areas
Timers
Used to change the SPF calculation time.
timers spf 5 45
The run time default is five seconds and should not be changed. How long to wait between consecutive runs is 45 seconds in this example.
11.2. OSPF ROUTING
Secondary Address Rules
1 – OSPF will advertise the secondary only if the primary is in the OSPF domain.
2 – Secondary networks are stubs.
Destination Types
Network    Network
Router     ABR, ASBR
sh ip ospf border-routers
Route Types (All are AD 110)
O        Internal
O IA     ABR (inter-area)
O N1     NSSA external, redistributed + internal metric
O N2     NSSA external, redistributed, no metric increase through the area
O E1     Redistributed + internal metric
O E2     Redistributed, no metric increase through the area
Router Types
Internal    All interfaces belong to the same area
ABR         Connects to the backbone and another area
Backbone    Connects to area 0 / backbone
ASBR        Connects to an area and an external protocol (RIP, EIGRP, BGP). This router does redistribution.
Path Determination
Intra – Inter – E1 – E2
If multiple paths exist with the same type and cost, OSPF will load balance over four paths. maximum-paths
To choose an inter-area (IA) route to a destination network over an intra-area route (O), change the AD of the IA.
OSPF route preference behavior:
Intra Area (O)
Inter Area (IA)
External Type 1 (E1)    Includes the cost of traversing the OSPF domain.
External Type 2 (E2)    Routes that have a cost which consists of the external cost only.
Loopbacks
PtM and loopbacks will generate host routes (/32) in the routing table.
Three ways to get a loopback interface into OSPF with a real subnet mask:
1. "ip ospf network point-to-point" on the loopback
2. putting the loopback in certain areas so you can summarize them using "area range"
3. redistribute connected with a restrictive list.
Demand-Circuit
Hellos will keep a DDR link up; use ip ospf demand-circuit.
Make sure ip ospf demand-circuit is only on one side.
Make SURE there are no LSA 5 entries for OSPF routes: do a 'show ip ospf database' and look!!!
debug ip ospf lsa-generation
With demand-circuit the LSA is flagged DNA (do not age), so no hellos will be sent.
Put demand circuits in stub or NSSA areas to minimize the LSA 5 changes.
Do not implement on broadcast-based networks because the link would remain up.
To prevent an ISDN call setup causing an update to be made to the IP route table use no peer neighbor-route.
To stop OSPF from creating /32 routes use a loopback with the PtP network type. A PtP loopback cannot be a DR.
int lo 0
 ip add 172.16.22.1 255.255.255.0
 ip ospf network point-to-point
router ospf 1
 network 172.16.22.1 0.0.0.0 area 10
11.3. NETWORK TYPES
OSPF problems usually can be attributed to a network type (network-type mismatch or hello-interval mismatch).
Network Types
1  PtP            Destination is 224.0.0.5
2  Broadcast      DR/BDR, 224.0.0.5 and 224.0.0.6
3  NBMA           ATM/FR, DR/BDR, packets are unicast
4  PtM            224.0.0.5 multicast
5  Virtual Links  Packets are unicast
Multiaccess networks use a DR to reduce flooding. Everyone sends their LSAs to the DR; the DR forwards updates to everyone.
Non-Broadcast (Default on FR serial interfaces)
All connections are physical
Define neighbors between spokes
Same subnet
PtP, PtM
DR/BDR (Hub must be DR)
Hello (30), Dead / Wait (120)
OSPF packets are unicast.
Point-to-Point (Default for non-FR serial interfaces)
Worst way to configure (should not be used)
No DR
Each point-to-point is a separate subnet
Hello (10), Dead / Wait (40)
Stub areas
Point-to-Multipoint (Best Method)
No DR
Same subnet
No neighbors needed
Map statements from hub
Hello (30), Dead / Wait (120)
A point-to-multipoint network will generate a specific host route for all neighbors on the NBMA network. PtM networks are a special configuration of NBMA networks in which the networks are treated as a collection of PtP links. Routers do not elect a DR and BDR and OSPF packets are multicast.
Broadcast (LAN Interfaces)
DR/BDR
No neighbors needed
Same subnet
Hello (10), Dead / Wait (40)
Troubleshooting
If different combinations of interfaces are being used (physical, point-to-point subinterface and multipoint subinterface), is there a network-type mismatch? Solutions:
1 – hub is DR
2 – use subinterfaces, PtP
3 – use PtM
11.4. AREAS
Area ID is 32 bits, so 0.0.0.0 and 0 are identical.
Areas with two ABRs: traffic will leave by the closest ABR, which is usually not the best route. Change the default route to a summary; then the traffic will leave by the router closest to the destination and not the closest ABR. Having two ABRs in one area can result in asymmetric routing.
Areas must be contiguous.
Area 0 is for interarea transit traffic. All areas must have a connection to Area 0.
Regular Areas
All LSA types permitted
Stub Areas (No LSA 5's, EX)
To see the network under a stub area instead of the /32, change the network type to PtP. Loopback interfaces are considered stub networks and advertised as host routes (/32). Adding the interface command ip ospf network point-to-point can alter this default behavior.
Loopbacks are advertised as /32, so they are stub networks; you should use 255.255.255.255 as a loopback mask.
Loopbacks show as /32 because they are loopbacks. To get them as /24:
1) Don't put it in the area; redistribute connected; create a restrictive route-map
2) Newer IOS: lo0> ip ospf net p-to-p
3) Put it in a non-zero area and summarize
Stub Restrictions:
1 – All routers in the area must be stub
2 – No virtual-links allowed
3 – No ASBR in the area
4 – Only one ABR can define the exit; if two exist, change the cost on one.
area default-cost    Specifies what ABR to use to exit an area if more than one exists.
When you configure a stub, a default network is entered in place of the external routes and all external routes are removed. This is why the stub must only have one exit.
router ospf 100
 area 22 stub
Totally Stubby Area (No LSA Type 3, 4, 5; IA, EX)
Only one type 3 route should be here and that is the default route. Enter this on the ABR only:
router ospf 100
 area 22 stub no-summary
Must be entered on every router in the stub area
Does not receive summary and external routes (LSA 4 and 5's)
Must have default routes in and out
On ALL ABRs:
area area-id stub no-summary
default-information originate (so a default route is generated)
NSSA
router ospf 100
 area 22 nssa
Must be entered on every router in the NSSA
Does not receive summaries (LSA 4 or 5's) but receives LSA 7's
Must have default routes in and out
Allows an ASBR into a stub area. Blocks LSA 5's but allows LSA 7's, which are converted to LSA 5's at the ABR and sent on. Type 7's are blocked at the ABR.
When an ABR is also an ASBR and is in an NSSA, the ASBR routes will automatically get redistributed into the ABR. Use the no-redistribution keyword on the area nssa command to turn this off.
There is a single case in which using the quad-zero mask is problematic:
network 10.20.1.1 0.0.0.0 area 0
If an NSSA ABR is configured with a 0.0.0.0 mask on the Area 0 side AND there is another router in the NSSA with a higher RID than the ABR, then that ABR will fail to perform the type 7 to type 5 LSA conversion. So don't configure an NSSA ABR's connection to area 0 with a 0.0.0.0 mask, or make sure all NSSA ABRs have the highest RID of the area. By default, only the router with the highest RID will perform type 7 to type 5 LSA conversions for NSSAs. You can fix this by not using a quad-zero mask when you include the ABR interface that connects to Area 0.
NSSA no-summary
Totally stubby not-so-stubby area: NSSA with no LSA 3's or 4's
Network Down Detection
Token-ring / Ethernet    Uses the hello timeout
Serial                   Uses the keepalive timeout, or immediate if LMI / carrier is lost
Virtual Links
Virtual links can only be configured on ABRs; they are unnumbered PtP links. Used to maintain the area rules.
router ospf 1
 area 30 virtual-link 172.16.100.1
show ip ospf virtual-link
deb ip ospf adj
Configured between two ABRs
Used to stop area 0 partitions
11.5. OSPF AREA AUTHENTICATION
When you enable area 0 authentication, turn it on for virtual links as well.
All routers in the same area must have authentication on. Do sio nei after enabling authentication.
The authentication password must be the same on all routers. With MD5 the key identifier must be the same.
Authentication (2 steps)
1 – Configure on the interface:
ip ospf message-digest-key 1 md5 cisco
2 – Enable authentication under the process:
area 0 authentication message-digest
For virtual-link authentication:
area 0 virtual-link 1.1.1.2 authentication-key cisco
area 0 virtual-link 1.1.1.2 message-digest-key 5 md5 cisco
Authentication Types
Type 0 – No authentication
Type 1 – Clear-text authentication
Type 2 – MD5 authentication
Authentication
OSPF supports simple password and MD5.
Simple password:
int e0
 ip ospf authentication-key cisco
router ospf 10
 area 0 authentication
MD5:
int e0
 ip ospf message-digest-key 5 md5 cisco
router ospf 10
 area 0 authentication message-digest
11.6. OSPF ROUTE SUMMARIZATION
All OSPF summarization is done manually; this is why discontiguous networks are not a problem for OSPF. Summarization occurs at ABRs and ASBRs, for internal and external routes. OSPF does not do any auto-summarization.
11.6.1. Inter-Area Summarization
Between ABRs, from one area into another area:
area 15 range 10.10.0.0 255.255.0.0
Area summarization must be on every active connection between the sub-area and the backbone; watch virtual circuits.
Scenario:
      area 0               area 1                 area 2
R1------------------R2--------------------R3----------------------R4
R2 is the ABR for area 1 and is summarizing networks in area 1 with the area range command. The summary route can be observed in R1's routing table. R2 has a number of interfaces connected to other routers in area 1 but they are left out of the diagram. When I configure a virtual link between R2 and R3, I can observe all the networks in area 1 in the routing table of R1 along with the summary route. Configure the "area 1 range" command on R3 as well as R2 (since with the virtual link, R3 is an ABR that touches areas 0, 1 & 2).
11.6.2. External Summarization
summary-address is only effective on ASBRs with redistribution, since you need external routes to summarize.
On the ASBR – external routes into the area:
summary-address 10.10.0.0 255.255.0.0
summary-address only summarizes routes redistributed into and out of OSPF (LSA 5s).
summary-address only summarizes into area 0 !!! (generates a Null0 route)
When you use the summary-address command with the not-advertise keyword you put the external routes into the OSPF process, but do not put them in the routing table.
To debug, check your LSA 5 routes in the database with: sh ip ospf data external
11.7. OSPF DESIGN TECHNIQUES
Three-tier backbone
No more than 6 hops from source to destination (diameter)
30-50 routers per area
IP must be contiguous in area 0
All areas connect to area 0
No more than two areas per ABR
No more than 60 neighbors per router; check the DR
The DR should not be the DR for more than one LAN
Backbone Area
Create redundancy – prevent partitioning by the loss of a single interface
Ensure it is contiguous
Reduce routes as much as possible
IP Address and Route Summarization
Each area needs to be able to be split if necessary.
Determine what OSPF type each router should be.
11.8. OSPF CONFIGURATION OVERVIEW
Step One
Enable the OSPF routing process and define the networks.
Step Two
Use show ip ospf interface to validate your configuration. If you see "OSPF is not enabled on this interface" go to Step One.
Step Three
Check neighbor relationships with the command show ip ospf neighbor. Is the number of adjacencies and neighbors correct? All neighbors must be in FULL state, except DROTHER routers which will be in 2-WAY state. The dead time must be less than the hello time.
Step Four
Check the link-state database with show ip ospf database. Is there an LSA for every router? Are the proper number of links shown (2 for P-T-P interfaces)? Are the LSAs aging properly and their sequence numbers incrementing?
Step Five
Check the routing table with show ip route and verify every column.
11.9. OSPF CONFIGURATION
int loopback 0
 ip address 172.16.99.1        Sets the router ID of the router. Document the RID for every OSPF router.
router ospf 1
 network 172.16.20.0 0.0.0.255 area 20
 network 192.168.0.0 0.0.255.255 area 0
 network 10.0.0.0 0.255.255.255 area 10
 area 10 stub
 network 128.100.0.0 0.0.255.255 area 128
 area 128 stub no-summary
 network 192.168.16.0 0.0.0.255 area 128
 area 128 nssa
!
int e 0
 ip ospf priority 255
 ip ospf cost 0
Once you have enabled OSPF's routing process check to verify that it is up: sho ip ospf int eth 0
Other OSPF Commands
ip ospf hello-interval
ip ospf dead-interval
ip ospf transmit-delay          Seconds that LSAs exiting the interface will be aged. Default is 1.
ip ospf retransmit-interval     Seconds to wait before retransmitting packets not acknowledged.
timers spf
no ospf auto-cost determination
ospf log-adj-changes
neighbor
ip ospf name-lookup
11.10. OSPF COMMANDS
***area
**auto-cost                ospf auto-cost reference-bandwidth    Used to change the reference bandwidth for OSPF; default is 100.
*default-information
*default-metric
*distance
*distribute-list
*ignore                    Sends syslog messages when the router receives LSA Type 6 (MOSPF) packets
*log-adjacency-changes     Sends a syslog message when the state of an OSPF
*maximum-paths
**neighbor
***network
*no
*passive-interface
***redistribute
*router-id
***summary-address
*timers                    timers spf 5 45
*traffic-share
area
**area 1 authentication
*default-cost
*nssa
***range
*stub
***virtual-link
default-information originate ?
 always
 metric
 metric-type
 route-map
default-metric
network
(Interface Commands) ip ospf ?
***authentication-key
**cost
*database-filter
*dead-interval
***demand-circuit
*hello-interval
**message-digest-key
***network
***priority
*retransmit-interval
*transmit-delay
show ip ospf ?
***?
border-routers
database
flood-list
***interface
***neighbor
request-list
retransmission-list
summary-address
***virtual-links
| (Output Modifier)
11.11. TROUBLESHOOTING OSPF
Is OSPF enabled on each interface that is supposed to be participating in the OSPF process?    show ip ospf interface e0
Are OSPF neighbor relationships correctly formed?    show ip ospf neighbor
Are OSPF adjacencies being formed properly?    shut / no shut; debug ip ospf adj
show ip protocol                 Verifies OSPF is configured
show ip route                    Displays all the routes learned by the router
show ip ospf                     Displays OSPF timers
show ip ospf border-routers      Lists the ABRs in the autonomous system
show ip ospf database            Displays a one-line summary of every LSA known to the router. At least one Type 1 must be in there. Stub networks are not in here.
You can view specific LSAs by being more specific: asbr, database-summary, external, network, nssa, router, summary
show ip ospf database router 172.16.1
show ip ospf interface           Displays area ID, adjacency information, and network type
show ip ospf neighbor detail     Displays information about DR/BDR and neighbors
show ip ospf process-id          Displays statistics about each area to which the router is connected
show ip ospf virtual-link        Displays the status of the virtual link
Neighbor Problems
debug ip ospf adj           Used to watch the adjacency formation process. Great for virtual-link troubleshooting.
show ip ospf neighbor       What state are the routers in? Must be in 2-Way state.
States
Down [NBMA: Attempt] Init 2-Way ExStart Exchange Loading Full
Area Partition
To fix an area partition, do not use a summary address so both sides see all routes.
Debugging OSPF
02:50:19: OSPF: rcv. v:2 t:1 l:48 rid:10.34.1.1 aid:0.0.0.0 chk:6E09 aut:0 auk: from Serial0.1
v      = version
t      = packet type: 1 Hello, 2 DDP, 3 LS Request, 4 LS Update, 5 LS Ack
l      = packet length in bytes
rid    = Router ID
aid    = Area ID
chk    = Checksum
aut    = Authentication: 0 No authentication, 1 Simple password, 2 MD5
auk    = Authentication key
keyid  = MD5 key ID
seq    = sequence number
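The legend above is enough to decode these lines mechanically. The following is an added Python example (not from the book) that parses "OSPF: rcv." debug l
ines into their fields and flags packets that arrived without MD5 authentication or with an area ID other than the one expected on that link. The first sample line is the one from the notes; the MD5 lines are constructed from the legend's field names, and the audit's expectations are assumptions.

```python
import re

# Constructed example, not from the notes: parses the "OSPF: rcv." debug line whose
# fields are listed above and audits received packets for missing MD5
# authentication or an unexpected area ID.

PACKET_TYPES = {1: "Hello", 2: "DDP", 3: "LS Request", 4: "LS Update", 5: "LS Ack"}
AUTH_TYPES = {0: "none", 1: "simple password", 2: "MD5"}

RCV_RE = re.compile(
    r"OSPF: rcv\. v:(?P<v>\d+) t:(?P<t>\d+) l:(?P<l>\d+) rid:(?P<rid>[\d.]+) "
    r"aid:(?P<aid>[\d.]+) chk:(?P<chk>[0-9A-Fa-f]+) aut:(?P<aut>\d+)"
    r"(?: auk:(?P<auk>\S*))?(?: keyid:(?P<keyid>\d+))?(?: seq:(?P<seq>\S+))?"
    r" from (?P<intf>\S+)")


def parse_rcv(line):
    """Return the decoded fields of one debug line, or None if it is not an rcv. line."""
    m = RCV_RE.search(line)
    if not m:
        return None
    f = m.groupdict()
    return {
        "version": int(f["v"]),
        "type": PACKET_TYPES.get(int(f["t"]), f"unknown({f['t']})"),
        "length": int(f["l"]),
        "rid": f["rid"],
        "area": f["aid"],
        "checksum": f["chk"],
        "auth": AUTH_TYPES.get(int(f["aut"]), f"unknown({f['aut']})"),
        "keyid": int(f["keyid"]) if f["keyid"] else None,
        "interface": f["intf"],
    }


def audit(lines, expected_area, required_auth="MD5"):
    """One finding per received packet that lacks the required authentication or is for the wrong area."""
    findings = []
    for line in lines:
        p = parse_rcv(line)
        if p is None:
            continue
        who = f"{p['interface']}: {p['type']} from rid {p['rid']}"
        if p["auth"] != required_auth:
            findings.append(f"{who} uses {p['auth']} authentication, expected {required_auth}")
        if p["area"] != expected_area:
            findings.append(f"{who} carries area {p['area']}, expected {expected_area}")
    return findings


# Constructed sample: the line from the notes plus made-up MD5 lines whose
# keyid/seq field names follow the legend above; the last line is not an rcv. line.
SAMPLE = [
    "02:50:19: OSPF: rcv. v:2 t:1 l:48 rid:10.34.1.1 aid:0.0.0.0 chk:6E09 aut:0 auk: from Serial0.1",
    "02:50:21: OSPF: rcv. v:2 t:1 l:48 rid:10.34.1.2 aid:0.0.0.0 chk:0 aut:2 keyid:5 seq:0x3A7 from Ethernet0",
    "02:50:23: OSPF: rcv. v:2 t:2 l:32 rid:10.34.1.3 aid:0.0.0.1 chk:0 aut:2 keyid:5 seq:0x3A8 from Ethernet0",
    "02:50:24: OSPF: send v:2 t:1 l:48 from Ethernet0",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, expected_area="0.0.0.0"):
        print(finding)
```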
12. IS-IS (i) 115
clns routing
router isis
 net 49.0001.7777.7777.7777.00
 is-type 1, 2 or both       1's are local routers; 2's tie areas together (backbone)
router isis
 area-password angel
You will have to configure ISIS over FR with some type of interface. With IP only, configure the area address; it ensures that two areas don't get merged: if level 1 addresses don't match they don't communicate.
12.1. IS-IS ROUTING
ISIS level configuration defaults to L1/L2 type routers.
On serial interfaces configure the IP address as unnumbered.
Three types of packets: hello, LSP, SNP.
Distribution should be a level 2 router.
Level 2 routes will not go into Level 1 routers.
Single area = make all level 2 routers or all level 1 routers in the same area.
With ISIS a router can only be in one area.
ISIS reports the holding time in hello messages; with critical routers you may change this holding time for faster convergence.
ISIS has two network types, broadcast and point-to-point. The broadcast type works between frame-relay physical-to-physical or multipoint interfaces. You do need to put in a frame-relay map clns broadcast statement if there is not a CLNS dynamic map. The PtP connection works between frame-relay PtP subinterfaces or other PtP circuits.
ISIS on NBMA
Every interface has to be a PtP
Must be a separate subnet, PVC, DLCI, etc.
On serial interfaces configure the IP address as unnumbered
A router can only be in one area
If the types are mixed there is no command similar to the OSPF network command. This is the case in the Doyle example. In this case use a tunnel. A tunnel works in the other cases also but is unnecessary.
Similar to OSPF: LSDB, uses SPF, hellos, 2-level areas, summarization, classless, uses a DR for broadcast networks, authentication.
ISIS uses a Link State PDU (LSP) versus OSPF's LSA.
The refresh rate is 900 seconds (15 minutes).
For frame-relay NBMA you have three choices: physical interfaces with frame-relay map clns broadcast, point-to-point subinterfaces, or a GRE/IP tunnel. Using GRE tunnels through NBMA for IS-IS is a good technique. With physical interfaces you may need a full-mesh map. You need to have both frame-relay map ip x.x.x.x x.x.x broadcast statements AND frame-relay map clns xxx broadcast statements. This is just like
ISIS Router Types
OSPF                             ISIS
ABR                              Level 1 / 2 (maintains two databases; does not advertise L2 routes into L1)
Internal / totally stubby area   Level 1
Backbone                         Level 2
NSAP
AFI          Area    System ID         Selector Byte
47 ICD       AAAA    SSSS.SSSS.SSSS    00
49 Private
The RID is an NSAP address or NET.
AFI.area.unique-system-id.00
49.0000.<router number>.00
router 1:
router isis
 net 49.0000.1111.1111.1111.00
Format AA.BBBB.CCCC.CCCC.CCCC.00. These are hex numbers. AA is the AFI identifier. There are certain "registered" numbers apparently, but none of the sources above specify. Doyle likes 47. Slattery likes 49. BBBB is the area ID. The C's represent the system ID and must be unique in an ISIS domain.
An ISIS router can have up to three area addresses; each router has a system ID and an area ID. This is defined by the Network Entity Title (NET).
The area ID is used by level 2 routers.
The system ID is used by level 1 routers.
The system ID of all nodes must be 6 octets (1111.2222.3333).
The first address should be 47 and the last two digits (selector bits) must be 00. If not, the address is an NSAP address and not a NET.
The ISIS network layer is divided into two sublayers, the Subnetwork Independent Sublayer and the Subnetwork Dependent Sublayer. The SIS provides services to the transport layer and the SDS provides services to the data link layer.
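The NET rules above (dotted hex, 6-octet system ID, selector 00, unique system IDs, matching area addresses for L1 neighbors) as an added Python example, not from the book: it parses a NET into its parts and works out which adjacency levels two routers can form from their NETs and is-types. The NETs and is-type strings used in the sample are constructed.

```python
import re

# Constructed example, not from the notes: splits an IS-IS NET into its parts,
# applies the rules above (6-octet system ID, selector 00, unique system IDs,
# matching area addresses for L1) and reports which adjacency levels two
# routers can form from their NETs and is-types.

NET_RE = re.compile(
    r"^(?P<afi>[0-9a-f]{2})"                                  # AFI (47 or 49 here)
    r"(?P<area>(?:\.[0-9a-f]{4})+)"                           # one or more 2-octet area groups
    r"\.(?P<sysid>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"     # system ID, exactly 6 octets
    r"\.(?P<sel>[0-9a-f]{2})$", re.I)                         # selector byte


def parse_net(net):
    """Decode AFI.area.system-id.selector; raise ValueError for anything that is not a NET."""
    m = NET_RE.match(net.strip())
    if not m:
        raise ValueError(f"{net!r}: expected AFI.area.system-id(6 octets).selector in dotted hex")
    f = m.groupdict()
    if f["sel"] != "00":
        raise ValueError(f"{net!r}: selector {f['sel']} makes this an NSAP, not a NET")
    return {
        "afi": f["afi"].lower(),
        "area_address": (f["afi"] + f["area"]).lower(),   # AFI plus area ID, used by L2
        "system_id": f["sysid"].lower(),                   # used by L1 inside the area
        "selector": f["sel"],
    }


def is_valid_net(net):
    """True when parse_net accepts the string."""
    try:
        parse_net(net)
        return True
    except ValueError:
        return False


# Which levels each is-type participates in.
LEVELS = {"level-1": {"L1"}, "level-2-only": {"L2"}, "level-1-2": {"L1", "L2"}}


def adjacency_levels(net_a, type_a, net_b, type_b):
    """Set of adjacency levels two directly connected routers can form (empty set = none)."""
    a, b = parse_net(net_a), parse_net(net_b)
    if a["system_id"] == b["system_id"]:
        raise ValueError(f"duplicate system ID {a['system_id']}: must be unique in the domain")
    common = LEVELS[type_a] & LEVELS[type_b]
    if a["area_address"] != b["area_address"]:
        common = common - {"L1"}   # L1 adjacencies need matching area addresses
    return common


if __name__ == "__main__":
    print(parse_net("49.0001.7777.7777.7777.00"))
    print(adjacency_levels("49.0001.1111.1111.1111.00", "level-1-2",
                           "49.0002.2222.2222.2222.00", "level-1-2"))
```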
Hellos
LAN Hellos contain priority and LAN ID fields.
WAN Hellos
How long are LAN versus WAN hellos sent? Same?
Hellos are sent every 3.33 seconds once a pseudonode is elected.
Pseudonode (DR)
Like OSPF's DR, ISIS defines a pseudonode or designated intermediate system (DIS); all routers on the multi-access network form an adjacency with the DIS. All routers in the area establish adjacencies with all routers, not just the DIS. Each router sends multicasts to all neighbors.
The highest-priority router becomes the DIS. Priority range is 0-127, default is 64; 0 = cannot be DIS. Serial interfaces are set to 0.
The router with the highest priority is the DIS; if all are the same, the highest system ID / MAC wins.
Priorities are interface based, not global: isis priority
If a new router with a higher priority or higher system ID joins the LAN it will become the DIS immediately.
Metric
Default is 10 on all interfaces, so this is just a hop count. Range is 0 – 63, with 1023 being the highest possible. isis metric
Path Determination
Internal L1 / L2 routes
External L2 routes
Subnetwork Dependent Sublayer
Exchanges hellos to discover neighbors
Establishes adjacencies
Maintenance of the adjacencies
Two network types: broadcast, PtP
Neighbors and adjacencies
Hellos are sent every 10 seconds. Can be changed per interface with isis hello-interval.
L1 – L1, L1 – L1/2 form adjacencies
L2 – L2, L2 – L1/2 form adjacencies
ISIS holdtime is 3x hello; change with isis hello-multiplier.
sh clns is-neighbor     Displays neighbor table
Adjacency States
Init    initializing
Up      adjacent
The neighbor table has: system ID, interface, state, type, priority, circuit ID, format.
Circuit ID – if the interface is on a broadcast network it is concatenated with the system ID of the network DR and the pseudonode ID; this is known as the LAN ID.
Format will always be Phase V; the other is DECnet Phase IV.
Subnetwork Independent Sublayer
Routing functions – has four processes:
Receive       Receives PDUs
Update        Constructs L1, L2 databases
Decision      Runs SPF and finds the optimal path
Forwarding    Sends PDUs
LSP contains: remaining lifetime, sequence number, checksum.
Remaining lifetime is 1200 seconds (20 minutes): max-lsp-lifetime
ISIS refresh interval is 15 minutes minus 25% jitter: lsp-refresh-interval
When the remaining lifetime (maxage) is 0 the route will stay in the LSDB for 60 seconds; this is known as ZeroAgeLifetime.
If an LSP is received with a bad checksum the remaining lifetime will be set to 0 and it is reflooded. This allows slow or over-utilized routers to purge routes of other routers. To stop this use the ignore-lsp-errors command under the routing process, so that a bad link cannot purge all routes.
If the sequence number gets to the max 0xFFFFFFFF the ISIS process shuts down for at least 21 minutes (Remaining Lifetime + ZeroAgeLifetime) to allow the old LSPs to age out of all the databases.
Sequence Number PDU (SNP) – two types:
Partial SNP (PSNP) – Used on PtP to acknowledge LSPs – unicast. The interval to send a PSNP is the minimum LSPTransmissionInterval and is 5 seconds. Use isis retransmit-interval to change it.
Complete SNP (CSNP) – Used on broadcast networks, sent every 10 seconds – multicast by the DR.
If the router has a memory overload it will set a bit called Overload (OL). This means the database is incomplete, and not all routes are in the LSDB. Other routers no longer use this router as a transit router until the OL is cleared. Use the command set-overload-bit to manually set the OL bit. To set an IS router as an ES (end-system) only router, set the overload bit.
sh isis database     Displays a summary of the LSDB; a * next to the LSPID indicates that those are from this router.
ISIS Decision Process
Uses SPF to construct the routing table.

Load Balancing
Up to six equal-cost paths can be put into the routing table. The closest L2 or L1/L2 router will be the exit to an area.
- sh isis database: displays the system id and the ATT bit
- sh ip route: displays the default route to other areas
ISIS uses CLNS routing, so if you want to see the IP address of a system id use the which-route command.

ISIS PDUs
  PDU type          Hello                  Link State   Sequence Number
  Name              hello's                LSP's        SNP's
  Levels            L1 / L2 / PtP          L1 / L2      L1 / L2 / PSNP / CSNP
  Send in seconds   1 / 3.33 after DIS                  CSNP - 10

Page 138 of 296 Copyright © 2003 by Bradshaw Labs Inc. All Rights Reserved
ISIS has no secondary IP address problems: since CLNP is used for routing, interfaces with different subnets can be adjacent. IP will not work but the adjacency is there; this is referred to as being "half-broke".
Spf-flooding
Use max-lsp-lifetime and lsp-refresh-interval on large networks to reduce SPF recalculations. spf-interval can also be used to change how often SPF runs. By default it runs every 5 seconds.
Summarization
Summarization only happens on Level 2 routers: summary-address
12.2. AUTHENTICATION
Authentication is clear text only. Three levels of authentication:
- Between neighbors on connected interfaces: isis password (Level 1 is the default)
- Area wide (all area routers): area-password
- Domain wide, L2 (all L2 routers): domain-password
12.3. ISIS CONFIGURATION
  clns routing
  router isis ccie
   net 49.0001.6666.6666.6666.00
   is-type level-2-only
  int e0
   ip router isis ccie
   ip addr 172.168.12.1 255.255.255
  sh isis data detail

Four steps to configure ISIS:
1 – Enable ISIS routing with router isis
2 – Configure the NET
3 – Determine all interfaces that should be advertised. Configure ip router isis on all interfaces whose IP address ISIS should advertise.
4 – Enable ISIS on all router interfaces

Changing router type – the default is an L1/L2 router:
  router isis
   is-type

For routers with no default route to another area, there are two ways to fix it:
1 – Enable CLNS routing on the interface:
  int e0
   clns router isis
2 – Map a default static route to null0 in the other area and use the default-information originate command to propagate it.
12.4. TROUBLESHOOTING ISIS
Check NSAPs
Check neighbor areas – someone may be in the wrong area
Check hello timers
NET address is incorrect
Access-lists

Commands
  sh clns is-neighbors
  sh clns proto – displays the level type and other great info
  deb isis adj-packets
  deb isis update-packets
  deb isis snp-packets

LSDB troubleshooting
  sh isis spf-log
  sh isis database
  deb isis spf-triggers
  deb isis spf-events
  deb isis spf statistics
13. BGP (B) 20 / 200
Transport is TCP 179
BGP is a path vector protocol
BGP is classless
Never redistribute BGP into an IGP
When changes are made to an ESTABLISHED peer, you must reset the BGP session
Configure BGP in the core; all core routers are peers
Filter all IGP info by changing any multiple IGP routes to BGP routes
If you want to change the RID, create a loopback with a higher IP address and then clear the BGP connections with clear ip bgp. You can also use bgp router-id to set the BGP RID.
Controlling the Maximum Prefixes Allowed
To limit the number of prefixes a router is allowed to accept from a neighbor:
  neighbor maximum-prefix 300 75 warning-only
By default BGP closes the connection if the maximum prefix count is exceeded; use the warning-only option to send a message to the log instead. A message is generated when the neighbor exceeds 75% of the limit by default; use the following command to change it to 90%:
  neighbor maximum-prefix 300 90 warning-only
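The maximum-prefix behaviour just described (a threshold message, then either a closed session or a warning-only log entry), modelled in Python as an added example; this is not the book's or IOS's code. The prefixes fed into the session below are constructed.

```python
"""Model of neighbor maximum-prefix enforcement (added example, not IOS code).

Assumptions: the threshold message fires once when the accepted count reaches
threshold% of the maximum; exceeding the maximum closes the session and drops
the neighbor's prefixes unless warning-only is set. Prefixes are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class PrefixLimit:
    maximum: int                 # neighbor maximum-prefix <maximum>
    threshold_pct: int = 75      # <threshold>, default 75 percent
    warning_only: bool = False   # warning-only keeps the session up


@dataclass
class Session:
    limit: PrefixLimit
    established: bool = True
    accepted: Set[str] = field(default_factory=set)
    log: List[str] = field(default_factory=list)
    warned: bool = False

    def receive(self, prefix: str) -> bool:
        """Accept one prefix from the neighbor; returns True while the session is up."""
        if not self.established:
            return False
        self.accepted.add(prefix)
        count = len(self.accepted)
        lim = self.limit
        # threshold message, logged once, when count reaches threshold% of maximum
        if not self.warned and count * 100 >= lim.maximum * lim.threshold_pct:
            self.log.append(f"threshold: {count} prefixes, {lim.threshold_pct}% of {lim.maximum}")
            self.warned = True
        if count > lim.maximum:
            if lim.warning_only:
                self.log.append(f"exceeded: {count} > {lim.maximum} (warning-only, session kept)")
            else:
                self.log.append(f"exceeded: {count} > {lim.maximum}, closing session")
                self.established = False
                self.accepted.clear()        # everything learned from this neighbor is gone
        return self.established


def feed(session: Session, prefixes: List[str]) -> int:
    """Feed prefixes until the session drops; returns the number still accepted."""
    for p in prefixes:
        if not session.receive(p):
            break
    return len(session.accepted)
```

With a limit of 4 and the default 75% threshold the message appears at the third prefix and the fifth prefix tears the session down; with warning-only the session survives and only the log grows.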
Types of AS
An AS can be a stub, transit, or multihomed.
- Multihomed transit – more than one exit, one or two providers
- Multihomed non-transit – more than one exit, single provider; BGP recommended
- Single-homed non-transit – stub AS
Transit traffic is any traffic whose origin and destination are in another AS. Multihoming is for redundancy and increased routing efficiency, not load sharing.
Keepalives and Hold Times
Keepalives count from 0 up to the holdtime; the connection is reset if no keepalive or update is received before the holdtime expires. Keepalives are 60 seconds or 1/3 of the holdtime. Keepalives on serial SNA connections should be set to 3 seconds. Minimum holdtime is 3 seconds. The holdtime is negotiated between neighbors; the lowest one wins. The holdtime must be 0 for no keepalives (this keeps the connection up) or at least 3 seconds; the default is 180 seconds.
Change the holdtime per neighbor with: neighbor timers
Change it per router with: bgp timers
*States
Idle – when BGP is enabled. ConnectRetry is 60 seconds and doubles on each attempt.
Connect – opens the transport protocol (TCP/179) and has connected. Goes to: OpenSent on success, Active on failure.
Active – starts peer connectivity; test by pinging the neighbor. Goes to: OpenSent on success, Connect? on failure.
OpenSent – waits for a message; if the message received is a Notification go to Idle, if a KeepAlive go to OpenConfirm. Hold timer is negotiated. Compares ASes.
OpenConfirm – waits for a message; if the message received is a Notification go to Idle, if a KeepAlive go to Established. Hold timer is restarted.
Established – working and receiving keepalives.
Note: going from Connect to Active means the TCP connection has a problem.
Messages
  Message        Contains
  Open           BGP version, AS, Hold Time, BGP Identifier/IP Address
  Update         NLRI, Path Attributes, Withdrawn / Unreachable routes
  Keepalive
  Notification   Sent whenever an error has occurred and the connection is closed.
NLRI is network layer reachability information; it contains the network and prefix.
When the transport port closes the state goes to Active; on any other problem the state goes to Idle. If notification messages are being sent there is an error. If a router goes from ACTIVE to IDLE there is a problem; many NOTIFICATION messages also indicate an error.

Authentication
BGP supports MD5 authentication with:
  neighbor 10.2.2.1 password cisco
13.1. BGP PATH SELECTION PROCESS
1. Ignore paths marked as "not synchronized" in the output of show ip bgp x.x.x.x. If bgp synchronization is enabled – which is the current default in IOS – there must be a match for the prefix in the IP routing table in order for an internal (i.e. iBGP) path to be considered a valid path. Most ISPs will want to disable synchronization using the no synchronization bgp subcommand.
2. Ignore paths for which the NEXT_HOP is inaccessible. This is why it is important to have an IGP route to the NEXT_HOP associated with the path.
3. Ignore paths from an EBGP neighbor if the local AS appears in the AS path. Such paths are denied upon ingress into the router and not even installed in the BGP RIB. The same applies to any path denied by routing policy implemented via access, prefix, as-path, or community lists, unless "inbound soft reconfiguration" is configured for the neighbor.
4. If bgp bestpath enforce-first-as is enabled and the UPDATE does not contain the AS of the neighbor as the first AS number in the AS_SEQUENCE, send a NOTIFICATION and close the session.
5. Ignore paths marked as (received-only) in the output of show ip bgp x.x.x.x. This path has been rejected by policy, but has been stored by the router because soft-reconfiguration inbound has been configured for the neighbor sending the path.
6. Ignore paths with a next-hop metric marked as inaccessible.
13.2. BGP BEST PATH ALGORITHM FOR IOS
1. Prefer the path with the largest weight. Note that weight is a Cisco-specific parameter, local to the router on which it is configured.
2. Prefer the path with the largest LOCAL_PREF.
3. Prefer the path which was locally originated via a network or aggregate bgp subcommand, or through redistribution from an IGP.
4. Prefer locally sourced network/redistributed paths over locally generated aggregates.
5. Prefer the path with the shortest AS path.
   a) This step is skipped if bgp bestpath as-path ignore is configured.
   b) An AS_SET counts as one AS, no matter how many ASes are in the set. The AS_CONFED_SEQUENCE is not included in the AS path length.
6. Prefer the path with the lowest origin type: IGP is lower than EGP, and EGP is lower than INCOMPLETE.
7. Prefer the path with the lowest MED.
   a) This comparison is only done if the first (i.e. neighbouring) AS is the same in the two paths; any confederation sub-ASes are ignored. In other words, MEDs are compared only if the first AS in the AS_SEQUENCE is the same – any preceding AS_CONFED_SEQUENCE is ignored.
   b) If bgp always-compare-med is enabled, MEDs are compared for all paths. This knob needs to be enabled over the entire AS, otherwise routing loops could occur.
   c) If bgp bestpath med confed is enabled, MEDs are compared for all paths that consist only of AS_CONFED_SEQUENCE (i.e. paths originated within the local confederation).
   d) Paths received with no MED are assigned a MED of 0, unless bgp bestpath missing-as-worst is enabled, in which case they are effectively considered to have (although not actually assigned) a MED of 4,294,967,295. Any route received from a neighbor with a MED of 4,294,967,295 will have the MED changed to 4,294,967,294 before insertion into the bgp table.
   e) BGP Deterministic MED (see later) can also influence this step.
8. Prefer external (eBGP) over internal (iBGP) paths. Note that paths containing AS_CONFED_SEQUENCE are local to the confederation and therefore treated as internal paths. There is no distinction between Confederation External and Confederation Internal.
9. Prefer the path with the lowest IGP metric to the BGP next hop.
10. If maximum-paths N is enabled, and there are multiple external/confederation-external paths from the same neighboring AS/sub-AS, then insert up to N most recently received paths in the IP routing table. This allows eBGP multipath load sharing. The maximum value of N is currently 6; the default value, with the knob disabled, is 1. The oldest received path is marked as the best path in the output of show ip bgp x.x.x.x, and the equivalent of next-hop-self is performed before forwarding this best path on to internal peers.
11. Prefer the path which was received first (i.e. the oldest one).
   a) This step minimizes route flap, since a newer path will not displace an older one, even if it would otherwise be selected on account of the additional decision criteria below. It makes more sense to only apply the additional decision steps below to iBGP paths, in order to ensure a consistent bestpath decision within the network, and thereby avoid loops.
   b) This step is skipped if bgp bestpath compare-routerid is enabled.
   c) This step is skipped if the ROUTER_ID is the same, since the routes were received from the same router.
   d) This step is skipped if there is no current best path. An example of losing the current bestpath occurs when the neighbor offering the path goes down.
12. Prefer the route coming from the BGP router with the lowest router ID. The router ID is the highest IP address on the router, with preference given to loopback interfaces, if one or more is configured. It can also be set manually via bgp router-id x.x.x.x. Note that if a path contains Route Reflector attributes, the originator ID is substituted for the router ID in the path selection process.
13. If the originator/router ID is the same, prefer the path with the minimum cluster-id length – this will only be present in BGP route-reflector environments, and allows clients to peer with RRs/clients in other clusters. In this scenario the client must be aware of the Route Reflector specific BGP attributes.
14. Prefer the path coming from the lowest neighbor address. This is the IP address used in the bgp neighbor configuration, and corresponds to the address the remote peer uses in the TCP connection with the local router.
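The selection process and best-path order above, written out in Python as a chain of elimination steps so that each tie-break and knob (as-path ignore, always-compare-med, missing-as-worst, compare-routerid) can be exercised against constructed paths. This is an added example, not the book's or Cisco's code. It assumes a constructed Path record carrying only the attributes the steps consult, compares MEDs within groups of paths from the same neighbouring AS (the deterministic-MED behaviour the notes mention), folds steps 3 and 4 into one rank, and leaves multipath (step 10) out.

```python
"""IOS best-path order as elimination steps (added example, not Cisco code).

Assumptions: Path is a constructed record; MED is compared per neighbouring
AS; steps 3 and 4 are one rank; multipath (step 10) is not modelled.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

ORIGIN_RANK = {"IGP": 0, "EGP": 1, "INCOMPLETE": 2}
LOCAL_RANK = {"network": 0, "redistribute": 0, "aggregate": 1, None: 2}
MAX_MED = 4_294_967_295


@dataclass
class Path:
    neighbor: str                          # peer address used in the TCP session
    router_id: str
    as_path: List[Tuple[str, List[int]]] = field(default_factory=list)  # ("SEQ"|"SET"|"CONFED_SEQ"|"CONFED_SET", [asn, ...])
    weight: int = 0
    local_pref: int = 100
    local_source: Optional[str] = None     # "network", "redistribute", "aggregate" or None
    origin: str = "IGP"
    med: Optional[int] = None              # None = attribute absent
    ebgp: bool = False                     # confederation-external counts as internal
    igp_metric: int = 0
    received_order: int = 0                # lower = received earlier
    originator_id: Optional[str] = None    # present on route-reflected paths
    cluster_list_len: int = 0
    synchronized: bool = True
    next_hop_reachable: bool = True
    received_only: bool = False


@dataclass
class Knobs:
    as_path_ignore: bool = False       # bgp bestpath as-path ignore
    always_compare_med: bool = False   # bgp always-compare-med
    missing_as_worst: bool = False     # bgp bestpath med missing-as-worst
    compare_routerid: bool = False     # bgp bestpath compare-routerid


def ip_key(addr: str) -> Tuple[int, ...]:
    return tuple(int(o) for o in addr.split("."))


def as_path_length(p: Path) -> int:
    # an AS_SET counts as one AS; confederation segments are not counted at all
    return sum(1 if k == "SET" else len(a) for k, a in p.as_path if k in ("SEQ", "SET"))


def neighboring_as(p: Path) -> Optional[int]:
    # first AS of the AS_SEQUENCE, skipping any leading AS_CONFED_* segments
    for k, a in p.as_path:
        if k == "SEQ" and a:
            return a[0]
    return None


def effective_med(p: Path, kn: Knobs) -> int:
    if p.med is None:
        return MAX_MED if kn.missing_as_worst else 0
    return min(p.med, MAX_MED - 1)     # 4,294,967,295 is stored as 4,294,967,294


def keep(cands: List[Path], key: Callable[[Path], object], lowest: bool = True) -> List[Path]:
    """Keep only the candidates whose key is the lowest (or highest) value."""
    best = (min if lowest else max)(key(c) for c in cands)
    return [c for c in cands if key(c) == best]


def med_step(cands: List[Path], kn: Knobs) -> List[Path]:
    if kn.always_compare_med:
        return keep(cands, lambda p: effective_med(p, kn))
    out: List[Path] = []
    for asn in {neighboring_as(p) for p in cands}:          # compare only within one neighbouring AS
        out += keep([p for p in cands if neighboring_as(p) == asn], lambda p: effective_med(p, kn))
    return out


def best_path(paths: List[Path], kn: Optional[Knobs] = None) -> Tuple[Optional[Path], str]:
    """Return (best path, name of the step that decided it)."""
    kn = kn or Knobs()
    cands = [p for p in paths if p.synchronized and p.next_hop_reachable and not p.received_only]
    if not cands:
        return None, "no valid path"
    steps = [
        ("weight", lambda c: keep(c, lambda p: p.weight, lowest=False)),
        ("local_pref", lambda c: keep(c, lambda p: p.local_pref, lowest=False)),
        ("locally originated", lambda c: keep(c, lambda p: LOCAL_RANK[p.local_source])),
        ("as_path length", lambda c: c if kn.as_path_ignore else keep(c, as_path_length)),
        ("origin", lambda c: keep(c, lambda p: ORIGIN_RANK[p.origin])),
        ("med", lambda c: med_step(c, kn)),
        ("ebgp over ibgp", lambda c: keep(c, lambda p: 0 if p.ebgp else 1)),
        ("igp metric", lambda c: keep(c, lambda p: p.igp_metric)),
        ("oldest", lambda c: c if kn.compare_routerid or len({p.router_id for p in c}) == 1 else keep(c, lambda p: p.received_order)),
        ("router id", lambda c: keep(c, lambda p: ip_key(p.originator_id or p.router_id))),
        ("cluster list", lambda c: keep(c, lambda p: p.cluster_list_len)),
        ("neighbor address", lambda c: keep(c, lambda p: ip_key(p.neighbor))),
    ]
    for name, step in steps:
        cands = step(cands)
        if len(cands) == 1:
            return cands[0], name
    return cands[0], "tie"
```

The returned step name is the useful part when studying: two eBGP paths from different neighbouring ASes with different MEDs fall through the MED step untouched and are decided by age, while the same two paths under always-compare-med are decided by MED.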
13.3. BGP DECISION ALGORITHM – HWPOATMENI
- Hop
- Weight – prefer largest, default is 32768
- Preference – prefer largest, default 100
- Originated on local router
- AS Path
- Type or Origin – I E ?
- MED – prefer lowest, default = 0
- External over Internal – EBGP, Confed EBGP, IBGP
- Neighbor – lowest IGP metric
- ID – lowest Router ID

Well-known mandatory attributes: Origin, AS_Path, Next_Hop
Well-known discretionary: Local-Preference (non-transitive), Atomic-Aggregate
Optional transitive: Aggregator, Community
Optional non-transitive: MED, Originator ID, Cluster-List, MP_REACH_NLRI, MP_UNREACH_NLRI
Next-Hop Attribute
  IBGP       EBGP         MultiAccess Media
  Neighbor   Originator   Interface
The next-hop attribute is not changed in IBGP. On LANs the next hop is set to the actual router rather than the advertising router. NBMA Frame Relay acts like a LAN: the next_hop address of a route on multiaccess media is not changed, so the next hop is set to the actual router as on multiaccess media, but the route to the next hop will fail. By using the next-hop-self option the next hop becomes the hub and it will work.

DMZ Zones
Use next-hop-self to limit the EBGP routes in IBGP.

Next-Hop-Self
If a router is IBGP and needs to route to an EBGP destination, the router must know the route. On the border of the AS set next-hop-self for external routes.
Weight Attribute
Internal metric of a route for a specific router. Similar to local preference but specific only to the current router. Used to specify the exit point or destination on a local router. Default is 32768 for locally originated paths and 0 for routes learned from other routers. Higher is better, so lower it on the worst paths. The weight attribute is a special Cisco attribute used in path selection when there is more than one route to the destination. It is local to the router on which it is assigned and is NOT propagated in routing updates (higher = more preferred).
There are three ways to set the weight:
Access-list
  nei 1.1.1.1 remote-as 100
  nei 1.1.1.1 filter-list 5 weight 2000
  ip as-path access-list 5 permit ^100$
Route-map
  nei 1.1.1.1 remote-as 100
  nei 1.1.1.1 route-map setweight in
  ip as-path access-list 5 permit ^100$
  route-map setweight permit 10
   match as-path 5
   set weight 2000
  route-map setweight permit 20
Weight command
  nei 1.1.1.1 remote-as 100
  nei 1.1.1.1 weight 300
Local Preference Attribute
Internal metric of a route, used for updates between IBGP routers. Local preference is NOT sent to EBGP peers. Used to set the exit point of an IBGP AS. Higher is better; default 100. The local preference attribute indicates the preferred path when there are multiple paths (higher = better). Unlike the weight attribute, the local preference IS carried with route updates and exchanged with routers in the same AS.
There are two ways to set the local preference:
BGP default local preference
  bgp default local-preference 202
Route-map to set local preference
  router bgp 300
   neighbor 172.16.24.15 remote-as 100
   neighbor 172.16.24.15 route-map LOCPREF out
  !
  route-map LOCPREF permit 10
   match as-path 5
   set local-preference 100
  route-map LOCPREF permit 20
  !
  ip as-path access-list 5 permit 10
Locally Originated Attribute
Prefer the path that was originated by BGP on the current router via the network command, through redistribution, or as an aggregate, in that order.

AS_PATH Attribute
Shortest AS_PATH is preferred. Within the originating IBGP AS it does not get set, AS_PATH = ^$. Only during EBGP exchanges is the AS number prepended to it.
AS_SEQUENCE – the list of AS numbers in order.
AS_SET – the list of AS numbers, unordered.
AS_CONFED_SEQUENCE
AS_CONFED_SET
To have a router ignore the AS_PATH length when selecting routes use the command bgp bestpath as-path ignore.
AS-Path prepending: (500,300,100) changes to (500,300,300,100)

Origin Type Attribute
The origin attribute is "i" when injected with the network command in router configuration mode, "e" when learned through EGP, and "?" (incomplete) when a route is redistributed into BGP.
  IGP         IBGP           = i
  EGP         EBGP           = e
  Incomplete  Redistributed  = ?
MED Attribute
The MED is BGP's metric: the external metric of a route. Used to change the traffic coming into the AS. Multi-Exit-Discriminator, default = 0, lower is better. It goes into the AS but does not get passed around inside the AS; it is possible to have an inter-AS routing loop with this attribute. The MED is passed to sub-ASes in confederations. *MEDs are only compared with other MEDs from the same AS. The MED that comes into an AS does not leave it: MED is exchanged between ASes but is not forwarded out of the receiving AS. Can be used to specify the entrance and exit point for other ASes.

BGP always-compare-med
Used to compare MEDs from different ASes. You must add this to all routers in the same AS.

BGP bestpath as-path ignore
Ignores the AS_PATH for best path selection. This makes the MED more valuable than the AS_PATH.

BGP bestpath med confed
Selects the best path based on the MED only for routes that have an AS confederation sequence in their AS_PATH.

BGP bestpath med missing-as-worst
The MED is 0 if none is assigned. This command treats a path without a MED as having a MED of 4,294,967,294.

BGP deterministic-med
When selecting the best path using bgp always-compare-med, this command allows the best path selection to sort the paths based on neighbor AS and MED.
The MED attribute is a hint to EBGP peers about the preferred path into an AS when there are multiple (lower = better). Unlike local preference, the MED is exchanged between ASes, but a MED that comes into an AS does not leave the AS. Can be set based on:
- the destination AS, with match as-path
- the IP address, with match ip address
Two ways to set it:
Set using route maps
  router bgp 300
   neighbor 172.16.24.15 remote-as 100
   neighbor 172.16.24.15 route-map SETMED out
  !
  route-map SETMED permit 10
   match ip address 1
   set metric 25
  route-map SETMED permit 20
  !
  access-list 1 permit 172.16.0.0 0.0.255.255
Set with default-metric
  router bgp 1
   redistribute static
   default-metric 50
External over Internal
EBGP over Confed EBGP over IBGP

Neighbor, Closest
Closest IBGP neighbor: lowest IGP metric to the next BGP hop.

Equal Paths
If routes are still equal at this point and maximum-paths is more than 1, install the equal-cost paths in the route table.

ID, Router
Lowest IP address as specified by the RID. If the route comes from a RR use the originator attribute.

Neighbor Address
Lowest IP address of the neighbor.

Atomic_aggregate Attribute
Used to deal with overlapping address summaries. Gets set when loss of information has occurred.

Aggregator Attribute
Contains who generated the aggregate.
13.4. BGP ROUTING

Controlling the Routing
IBGP: path out changed by local preference, path in by MED
EBGP: path changed by AS_PATH

13.4.1. Selecting a BGP Path
You can do a show ip bgp to see all the routes that BGP knows about. From this list BGP will or will not select routes to be entered into the route table. Here is a list of reasons that BGP may not inject a route into the routing table:
1 – Not synchronized
2 – Next-hop is inaccessible
3 – Local AS appears in the AS_Path
4 – bgp enforce-first-as is enabled and the update does not contain the AS of the neighbor as the first AS number in the AS_SEQUENCE, so the session is closed
5 – Received-only – these paths have been rejected due to a policy, but have been stored on the router because soft-reconfiguration inbound has been configured for the neighbor sending the path
13.4.2. Other Routing Information
For non-BGP routers in an AS to reach outside networks:
- Inject the BGP routes into their IGP
- Use a default route on the non-BGP routers pointing to their exit points

Injecting Routes into BGP
Static – network command – origin = i; EBGP = e
Dynamic – redistribution – origin = ?
Dynamic routes must be filtered so only the correct routes get injected. Only internal routes should be injected. OSPF external routes are blocked automatically. EIGRP has the external set to type 2. RIP / IGRP routes must be tagged to differentiate between internal and external; a route-map permitting ^$ should work. For all network commands an exact match must be in the routing table.
Unstable Routes
Use route dampening or aggregate the addresses. If you aggregate at the customer site the provider will not see the fluctuations.

Update-Source
Used to specify a loopback as the neighbor interface. Great for IBGP stability; not usually used for EBGP except when parallel (load balancing) paths are used.

Auto-Summary
BGP automatically summarizes at the classful boundary. Use no auto-summary to not summarize. Only summarize within an AS when the AS contains the entire network range being summarized.

Neighbor Commands
  neighbor 10.1.1.1 default-originate
Used just like OSPF's default-information originate always: a default will be sent to the neighbor even if one does not exist on this router.
  neighbor 10.1.1.1 distribute-list 1 out
  !
  access-list 1 permit 0.0.0.0
  access-list 1 deny any
Add this to the router along with the default-originate command so no other routes are advertised to the neighbor.
  neighbor 10.1.1.1 next-hop-self
  neighbor 10.1.1.1 update-source loopback 0
Adding this between two IBGP routers makes the IGP find the best path rather than BGP, which may be slow at converging.
  neighbor 10.1.1.1 ebgp-multihop 2
Used by EBGP to use loopback interfaces as sources. EBGP neighbors must be directly connected; loopbacks are not, so you specify the ebgp-multihop option to tell EBGP to look further than the one-hop TTL. This changes the TTL of EBGP packets.
13.4.3. IBGP Routing
By default, iBGP routes are not redistributed into IGPs. To ensure a loop-free inter-domain topology, BGP does not accept updates that originated from its own AS. Within an AS, BGP peers do not need to be directly connected. ALL BGP speakers within an AS MUST establish a peer relationship unless you use route reflectors or confederations. Use route reflecting within confederations. Use peer-groups with route reflectors.
When an EBGP route gets to a BGP router and the IGP does not have a path to the last device, the next-hop-self attribute can be used to put the BGP route in the IGP routing table.
All IBGP speakers must be fully meshed; these are BGP-speaking routers only. Administrative distance is 200; the AS numbers must be the same. IBGP does not advertise IBGP-learned routes; to change this rule use the neighbor command, the next-hop-self command, or a route reflector. IBGP neighbors do not have to be directly connected, as long as there is an IGP route to the neighbor.

Synchronization
The BGP synchronization rule states that if an AS provides transit service to another AS, BGP should not advertise a route until all of the routers within the AS have learned the route via an IGP. If an AS is a transit AS, all routers must be fully meshed before synchronization is disabled. If all routers run BGP with no redistribution, turn off synchronization. When you disable synchronization on an active BGP router, reset all the BGP connections with clear ip bgp *. You cannot be synchronized with the IGP and use a route reflector at the same time.
Route Reflectors
*When enabling, turn off synchronization.
Always configure the cluster id on a BGP route reflector. If you don't and later need to, you will have to remove all neighbors, add the cluster id, and then put the neighbors back.
Route reflectors are for internal ASes ONLY. Route reflectors make good route servers. RR clients should not be peers to other IBGP speakers, but can be peers to EBGP routers.
Originator ID – created by the route reflector; it is the RID of the route's originator within the local AS. Optional non-transitive.
Cluster-ID – each cluster in an AS must have a unique cluster id. If there is a single cluster the ID is the RID of the route reflector. If there is more than one cluster, each RR must be configured with a cluster id. Optional non-transitive.
Cluster List – tracks the cluster ids like AS_Path tracks AS numbers.
*Route reflectors must follow the physical layout; if a client is between route reflecting areas it will create a routing loop: RRa – RRb client – RRa client – RRb

Route Reflector Redundancy
(Old Method)
1 – Put two RRs in the same cluster
2 – All clients need an IBGP session to both reflectors
3 – The RRs should be IBGP peers to each other
A cluster ID must be set.
(New Method)
- One RR per cluster
- Have any redundant clients connect to both
- Create a third cluster to cluster the RRs
This creates a two-tier level.

Route Reflector configuration
  router bgp 10
   neighbor 192.168.10.10 remote-as 10
   neighbor 192.168.10.10 route-reflector-client
   neighbor 192.168.20.10 remote-as 10
   neighbor 192.168.20.10 route-reflector-client
   no bgp client-to-client reflection
  Update from                 Send to
  Nonclient IBGP peer         To all IBGP clients
  Client peer / EBGP peer     To all clients and IBGP peers
Remember that reflected updates only go to IBGP routers and not to EBGP routers; neighbor peerings still exist for EBGP routers.

Prevention of Routing Loops with RRs
Originator ID is used to stop routing loops: a router checks this attribute and, if it is its own ID, ignores the update.
Cluster List – when more than one RR is in the same cluster, a cluster id must be set so the other RR ignores the updates from the second RR.
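The reflection table and the two loop checks above (ORIGINATOR_ID and CLUSTER_LIST), modelled in Python as an added example; this is not the book's or Cisco's code. The peer addresses, router IDs and prefix are constructed, and the `client_to_client` flag stands in for the `bgp client-to-client reflection` knob shown in the configuration above.

```python
"""Route-reflector forwarding rules and loop prevention (added example).

Assumptions: peers are tagged client / nonclient / ebgp; the RR sets
ORIGINATOR_ID to the router ID of the IBGP peer the route came from (its own
ID for EBGP-learned routes) and prepends its cluster id to CLUSTER_LIST.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Peer:
    kind: str            # "client", "nonclient" (ordinary IBGP peer) or "ebgp"
    router_id: str


@dataclass
class Update:
    prefix: str
    originator_id: Optional[str] = None
    cluster_list: List[str] = field(default_factory=list)


@dataclass
class RouteReflector:
    router_id: str
    cluster_id: str
    peers: Dict[str, Peer]           # peer address -> Peer
    client_to_client: bool = True    # bgp client-to-client reflection

    def accept(self, upd: Update) -> bool:
        """Loop prevention on receipt."""
        if upd.originator_id == self.router_id:
            return False             # our own route coming back to us
        if self.cluster_id in upd.cluster_list:
            return False             # already passed through this cluster
        return True

    def reflect(self, upd: Update, from_addr: str) -> Dict[str, Update]:
        """Return {peer address: update} for every peer that receives this update."""
        if not self.accept(upd):
            return {}
        src = self.peers[from_addr]
        if src.kind == "nonclient":
            ibgp_kinds = {"client"}                                # nonclient -> clients only
        elif src.kind == "client":
            ibgp_kinds = {"nonclient"} | ({"client"} if self.client_to_client else set())
        else:
            ibgp_kinds = {"client", "nonclient"}                   # EBGP -> all IBGP peers
        originator = upd.originator_id or (self.router_id if src.kind == "ebgp" else src.router_id)
        reflected = Update(upd.prefix, originator, [self.cluster_id] + upd.cluster_list)
        out: Dict[str, Update] = {}
        for addr, peer in self.peers.items():
            if addr == from_addr:
                continue                                           # never back to the sender
            if peer.kind in ibgp_kinds:
                out[addr] = reflected
            elif peer.kind == "ebgp":
                out[addr] = Update(upd.prefix)   # normal EBGP advertisement; RR attributes are not sent
        return out
```

Feeding the RR an update whose cluster list already carries its own cluster id returns an empty dictionary, which is the behaviour the cluster-id rule above relies on when two reflectors share a cluster.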
BGP Peer Groups
Use confederations and peer groups to change policies. A peer group is a group of BGP neighbors sharing the same update policies. Create the peer group, assign policies, then add BGP neighbors to the peer group. Peer group members can override incoming policies locally. Use peer groups to reduce update traffic. Do not configure a peer group within a route reflector cluster.
The remote-as command is used on the neighbor PEERGROUP command for IBGP and on the neighbor x.x.x.x command for EBGP, because for EBGP a different AS must be specified for each neighbor.
If EBGP neighbors are in a peer group there are two rules:
- The hub router cannot be a transit router
- All EBGP members should be part of the same subnet

Configuration
This is a group within a local AS.
  router bgp 300
   nei internalmap peer-group
   nei internalmap remote-as 300
   nei internalmap route-map internal out
   nei internalmap filter-list 1 out
   nei internalmap filter-list 2 in
   nei 5.5.5.2 peer-group internalmap
   nei 6.6.6.2 peer-group internalmap
   nei 3.3.3.2 filter-list 3 in
The route-map internal and filter-lists 1 and 2 are applied to all peer-group members. Filter-list 3 is applied to that neighbor only and can only be applied on incoming updates.
This is an EBGP peer-group:
  router bgp 200
   nei externalmap peer-group
   nei externalmap route-map SETMED
   nei externalmap filter-list 1 out
   nei externalmap filter-list 2 out
   nei 2.2.2.2 remote-as 100
   nei 2.2.2.2 peer-group externalmap
   nei 3.3.3.3 remote-as 300
   nei 3.3.3.3 peer-group externalmap
   nei 3.3.3.3 filter-list 3 in
Confederations
A confederation is an AS that has been subdivided into a group of sub-ASes. A confederation ID is used to inform external peers of the real AS. Used to reduce the IBGP mesh. Also used when you want different routing policies in IBGP.
Two new AS-Path types must exist:
- AS_CONFED_SEQUENCE – the confederation AS sequence
- AS_CONFED_SET – the confederation AS set
Can you block paths based on these attributes?
Next-hop, local-pref, and MED can be advertised to sub-AS EBGP peers, but they are still inside the same AS. The command bgp confed peers is needed to make a sub-AS EBGP peer appear as IBGP.
*Sub-ASes do not change the EBGP AS_Path.
Use confederations to have more than one policy per AS.
Private ASes: 64512 – 65535 (RFC 2270)
Recommended confederation design is to use a centralized sub-AS, like OSPF's area 0.
R1
  router bgp 65000
   bgp confed id 100
   bgp confed peers 65001 65002 65003
   nei 2.2.2.2 remote-as 65001
   nei 2.2.2.2 remote-as 65002
   nei 2.2.2.2 remote-as 65003
   nei 3.3.3.3 remote-as 300
R2
  router bgp 65001
   bgp confed id 100
   bgp confed peers 65000 65002 65003
   nei 1.1.1.1 remote-as 65000
   nei 3.3.3.3 remote-as 300
The confederation ID is the true AS that these routers belong to.

Remove Private AS
Use neighbor 10.1.1.2 remove-private-as to stop BGP from sending private ASes (64512-65535) to the Internet.
13.4.4. EBGP Routing
For routers that run EBGP, neighbors are usually directly connected. BGP uses only one path to an EBGP neighbor. BGP specifies that the next hop of EBGP-learned routes remains unchanged into and through IBGP. EBGP neighbors must be directly connected or EBGP_MULTIHOP must be used. EBGP multihop sends updates to peers up to 255 hops away. When EBGP injects a route into IBGP it does not change the next-hop address. Routes traffic between different ASes. Administrative distance is 20; the AS numbers are different. As soon as a BGP route leaves an AS the AD goes from 200 to 20.

Multihop BGP Configuration
  router bgp 100
   neighbor 15.1.1.2 remote-as 200
   neighbor 15.1.1.2 ebgp-multihop 2
Community Attribute
Used to group destinations and apply routing decisions. Not restricted to one AS or network and has no physical boundaries. A route can have more than one community attribute. Common community attributes are set in the form 200:1, where 200 is the AS and 1 is the value assigned by the provider. Set with neighbor send-community. Communities from 0x00000000 to 0x0000FFFF and 0xFFFF0000 to 0xFFFFFFFF are reserved. These are defined in RFC 1998.
  NO_EXPORT      Do not advertise this route to EBGP peers.                                          0xFFFFFF01
  NO_ADVERTISE   Do not advertise to any peer.                                                       0xFFFFFF02
  INTERNET       Advertise this route to all routers.
  LOCAL-AS       Do not advertise this route to any eBGP peer, including confederation eBGP peers.
The community attribute provides a way of grouping destinations to which routing decisions can be applied. To send the attribute you must use the neighbor send-community router config command.
Use the command sib community no-export to see what routes have been tagged.
Set with route-maps
  nei 1.1.1.1 route-map set-comm-noexp
  route-map set-comm-noexp permit 10
   match ip add 1
   set community no-export
  route-map set-comm-noexp permit 20
   match as-path 1
   set community 200 additive
The additive option adds the community to the current communities instead of replacing them.
To send the community attribute you must specify it in the neighbor command:
  nei 1.1.1.1 send-community
Set Community Method
  router bgp 1
   neighbor 192.168.1.2 send-community
   neighbor 192.168.1.2 route-map SET_COMMUNITY out
  access-list 15 deny 155.1.1.0 0.0.0.255
  access-list 15 permit any
  route-map SET_COMMUNITY permit 10
   match ip address 15
   set community no-export
  route-map SET_COMMUNITY permit 20
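The AS:value encoding, the well-known values listed above and the export decision each one implies, together with the replace-versus-additive behaviour of set community, worked in Python as an added example; this is not the book's or Cisco's code. The LOCAL-AS value 0xFFFFFF03 does not appear on the page and is assumed here as the standard well-known value; the communities in the test are constructed.

```python
"""BGP community encoding and export rules (added example, not Cisco code).

Assumptions: LOCAL_AS = 0xFFFFFF03 (standard value, not given on the page);
peer kinds are "ibgp", "confed-ebgp" (sub-AS peer) and "ebgp" (outside AS).
"""
from typing import Iterable, List, Set

NO_EXPORT = 0xFFFFFF01      # not advertised to EBGP peers outside the confederation
NO_ADVERTISE = 0xFFFFFF02   # not advertised to any peer
LOCAL_AS = 0xFFFFFF03       # not advertised to any EBGP peer, confederation peers included (assumed)
NAMES = {NO_EXPORT: "no-export", NO_ADVERTISE: "no-advertise", LOCAL_AS: "local-as"}


def parse_community(text: str) -> int:
    """'200:1' -> (200 << 16) | 1; well-known names and 0x... hex are accepted too."""
    for value, name in NAMES.items():
        if text == name:
            return value
    if text.lower().startswith("0x"):
        return int(text, 16)
    asn, val = text.split(":")
    asn_i, val_i = int(asn), int(val)
    if not (0 <= asn_i <= 0xFFFF and 0 <= val_i <= 0xFFFF):
        raise ValueError(f"community out of range: {text}")
    return (asn_i << 16) | val_i


def format_community(value: int) -> str:
    """Inverse of parse_community: well-known name or AS:value."""
    return NAMES.get(value, f"{value >> 16}:{value & 0xFFFF}")


def set_community(current: Set[int], new: Iterable[str], additive: bool) -> Set[int]:
    """route-map 'set community ... [additive]': replace unless additive is given."""
    parsed = {parse_community(c) for c in new}
    return (current | parsed) if additive else parsed


def may_advertise(communities: Set[int], peer_kind: str) -> bool:
    """Apply the well-known community semantics for one outbound peer."""
    if NO_ADVERTISE in communities:
        return False
    if peer_kind == "ebgp" and (NO_EXPORT in communities or LOCAL_AS in communities):
        return False
    if peer_kind == "confed-ebgp" and LOCAL_AS in communities:
        return False
    return True


def export_list(communities: Set[int]) -> List[str]:
    """Which peer kinds still receive a route carrying these communities."""
    return [k for k in ("ibgp", "confed-ebgp", "ebgp") if may_advertise(communities, k)]
```

The difference between NO_EXPORT and LOCAL-AS is visible in `export_list`: the former still reaches confederation EBGP peers, the latter stops at the sub-AS boundary.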
13.4.5. Advertising Routes
Before a BGP route is advertised it must be in the IP routing table and BGP must be aware of it via the network command or redistribution. These are originating routes, and their AS Path changes as they are advertised outside of their IBGP AS. BGP does not accept updates that originated from its own AS, but will forward them to other ASes.
*The AS can advertise the IGP metric to another AS by using the set metric-type internal command as part of a route map toward the neighbor. This causes BGP routes to carry the internal IGP metric as the BGP MED.

Network Command
Origin is set to IBGP / EBGP.
  router bgp 200
   network 172.16.20.0

*Conditional Advertising
Use on ISDN or backup links.
Advertise-map
  router bgp 100
   nei 10.1.1.1 advertise-map toadvertise non-exist-map ifnotexist
  route-map ifnotexist permit 10
   match ip addr 1
  route-map ifnotexist deny 20
  route-map toadvertise permit 10
   match ip addr 10
The routes matched by toadvertise are advertised only while no route matches ifnotexist (map if not exist).
13.4.6. Route Cache Invalidation
In order to implement a new policy or to reinitialize a peering, the established BGP connections must be reset. There are four ways to do this.

Reset the router
Manually triggers readvertisement.

Reset the entire TCP session
clear ip bgp *

Soft Reconfiguration
Outbound does not use additional memory; it resets the Adj-RIB-Out:
clear ip bgp * soft out
Soft reconfiguration is not recommended for inbound changes. Inbound requires that all received entries are stored in cache; eventually the router will run out of memory and reload.
neighbor 1.1.1.1 soft-reconfiguration inbound
clear ip bgp * soft in

Route Refresh
If supported, this is the best way. Check sh ip bgp neighbors 1.1.1.1 for "route refresh: advertised and received".
clear ip bgp 1.1.1.1 soft in
This tells the neighbor to do a clear ip bgp 1.1.1.2 soft out.
13.4.7. Aggregate Address
Aggregate IPs and use no-export to not advertise the specific routes. The BGP router aggregating a route becomes the originator of the new route.
What is the difference between summarization, aggregation, and CIDR?
Summarization: Takes routes to advertise and summarizes them in the BGP routing table. Only one route is in the BGP routing table. You can use the summary and then use the community attribute to stop other neighbors from seeing the less specific routes.
Aggregation: Takes routes already in the BGP routing table and advertises all of them or just the aggregate. Whenever you aggregate, make sure there is a static to null0 for the aggregate, otherwise loops can form. When you can't aggregate all the routes you need, aggregate what you can and add the specific routes you need to complete your routing.
CIDR: A network with a prefix shorter than the natural mask. This can also be referred to as a supernet.
Summary-Only
network 172.16.10.0
aggregate-address 172.16.0.0 255.255.0.0 summary-only
Without summary-only, the aggregate route is advertised along with the more specific routes. Using the summary-only option limits the advertising to only the aggregated route and any route that was injected with the network command.
Suppress-Map / Unsuppress-Map
Use the suppress-map command with aggregation. To suppress routes you need to use the suppress-map option with a route-map:
network 160.10.40.0
aggregate-address 160.0.0.0 255.0.0.0 suppress-map CHECK
!
route-map CHECK permit 10
 match ip address 1
!
access-list 1 deny 160.10.0.0 0.255.255.255
access-list 1 permit any
You can use ip prefix-lists for suppress-maps as well:
network 160.10.40.0
aggregate-address 160.0.0.0 255.0.0.0 suppress-map CHECK
!
route-map CHECK permit 10
 match ip address prefix-list CHECK
!
ip prefix-list CHECK permit 160.10.0.0/16 ge 16 (?)
There is also an unsuppress-map command. This allows you to summarize and then unsuppress the routes you wish to advertise.
Attribute-Map
To set attributes as the aggregate is propagated, use the attribute-map command:
route-map setorigin permit 10
 set origin
!
aggregate-address 160.0.0.0 255.0.0.0 attribute-map setorigin

Using a Static Route to Aggregate
(First Method)
router bgp 200
 redistribute static
!
ip route 160.0.0.0 255.0.0.0 null0
This method sets the orig<br>in as incomplete since it is a redistribution.
(Second Method)
router bgp 200
 network 160.0.0.0 mask 255.0.0.0
!
ip route 160.0.0.0 255.0.0.0 null0

Advertise-Map
aggregate-address 192.168.192.0 255.255.248.0 summary-only advertise-map ALLOW
!
access-list 1 deny 192.168.197.0
access-list 1 permit any
!
route-map ALLOW permit 10
 match ip address 1
Allows you to control the attributes that create the aggregate. If you leave out certain routes, those routes' attributes will not be sent to the neighbor.
Other neighbor commands:
neighbor 10.1.1.1 password 7 cisco
neighbor 10.1.1.1 advertisement-interval
neighbor 10.1.1.1 version 3

AS-SET
When you aggregate you lose the specific AS_PATHs that are aggregated. The AS_SET contains all the aggregated ASs and can be used to prevent routing loops. When aggregating addresses that belong to EBGP peers, use the as-set keyword.
aggregate-address 160.0.0.0 255.0.0.0 as-set
The as-set keyword causes the aggregate to include all of the ASs in the set.
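Added example, not from the original notes or from Cisco: a small Python model of what aggregate-address does to the set of routes a router advertises, covering summary-only, a suppress-map style list of suppressed specifics, the AS_SET built from the contributing paths, and the null0 static check the text insists on. The BGP table, prefixes and AS numbers are constructed for the example; the model generates no aggregate when nothing inside it exists, as IOS does.

```python
import ipaddress

# Constructed BGP table: prefix -> AS_PATH (nearest AS first, originating AS last;
# an empty tuple is a locally originated route). Not from a real router.
BGP_TABLE = {
    "160.10.40.0/24": (200,),
    "160.20.0.0/16": (300, 400),
    "170.1.0.0/16": (500,),
}


def aggregate_routes(bgp_table, aggregate, summary_only=False, as_set=False, suppress=()):
    """Model what aggregate-address does to the routes a router advertises.

    Returns (advertised, as_set_members). `advertised` maps each prefix that is
    still sent to its AS_PATH; the aggregate itself carries an empty path, or a
    single AS_SET element (a frozenset of ASes) when as_set is requested.
    summary_only suppresses every specific inside the aggregate; `suppress`
    lists the specifics a suppress-map would hide when summary_only is off.
    No aggregate is generated unless at least one contributing route exists.
    """
    agg = ipaddress.ip_network(aggregate)
    contributing = {p: path for p, path in bgp_table.items()
                    if ipaddress.ip_network(p).subnet_of(agg)}
    if not contributing:
        return dict(bgp_table), set()
    members = {asn for path in contributing.values() for asn in path}
    if summary_only:
        suppressed = set(contributing)
    else:
        suppressed = {p for p in suppress if p in contributing}
    advertised = {p: path for p, path in bgp_table.items() if p not in suppressed}
    advertised[aggregate] = (frozenset(members),) if as_set and members else ()
    return advertised, members


def has_null_route(static_routes, aggregate):
    """True if a static route for the aggregate points to Null0 (loop protection)."""
    return static_routes.get(aggregate, "").lower() == "null0"


if __name__ == "__main__":
    adv, members = aggregate_routes(BGP_TABLE, "160.0.0.0/8", summary_only=True, as_set=True)
    for prefix, path in adv.items():
        print(prefix, path)
    print("AS_SET members:", sorted(members))
    print("null0 static present:", has_null_route({"160.0.0.0/8": "Null0"}, "160.0.0.0/8"))
```

Run it and the 160.x specifics disappear behind 160.0.0.0/8 while 170.1.0.0/16 is untouched; drop as_set and the aggregate's path is empty, which is exactly the information loss the AS-SET paragraph warns about.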
13.5. CONTROLLING THE FLOW OF BGP UPDATES
Whenever you want to change the flow of incoming traffic you will normally change the outgoing traffic. The way traffic comes into an area is determined by the routing it receives. This is the basis of asymmetric routing as well.

Administrative Distance
20    EBGP
200   IBGP

*Backdoor Option
You can change this by using the backdoor (Cisco) option. Specifying an EBGP route as a backdoor raises its AD to 200, so IGP routes will be preferred over the EBGP route.
router bgp 200
 network 160.10.0.0 backdoor
This option is used with confederations.
*Route Dampening
Dampening is not applied to routes learned by IBGP.
Penalty            Number assigned when a route flaps.
Half lifetime      Time required to reduce the penalty by half.
Suppress limit     Penalty value at which a route is suppressed.
Reuse limit        Penalty value at which the route is used again.
Suppressed route   A route that is not advertised.
History entry      Stores flap information when the route is down. This is cleared when the penalty is half of the reuse limit.

router bgp 100
 bgp dampening
Defaults and ranges:
Penalty              1000
Suppress-value       2000   stop advertising limit (dampen) (1-20000)
Half-life-time       15     minutes (1-45)
Reuse limit          750    low point before the route is used again (1-20000)
Max suppress-limit   4      x times the number of half-lives (1-255)
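Added example, not part of the original notes: a Python replay of the dampening arithmetic using the default values above (1000 per flap, suppress at 2000, 15-minute half-life, reuse at 750, maximum suppression of 4 half-lives). The penalty decays exponentially, halving every half-life, so the time from suppression to reuse is half_life x log2(penalty / reuse), capped at the maximum suppress time. The flap timings are constructed; the threshold comparisons (suppress when the penalty exceeds the limit) are the assumption made here.

```python
import math

# Default bgp dampening values from the page: penalty added per flap, suppress
# limit, half-life in minutes, reuse limit, and max suppress time expressed as
# a multiple of the half-life (4 x 15 = 60 minutes).
PENALTY_PER_FLAP = 1000
SUPPRESS_LIMIT = 2000
HALF_LIFE_MIN = 15
REUSE_LIMIT = 750
MAX_SUPPRESS_HALF_LIVES = 4


def decayed_penalty(penalty, minutes, half_life=HALF_LIFE_MIN):
    """Penalty left after `minutes` of decay; it halves once per half-life."""
    return penalty * 2 ** (-minutes / half_life)


def minutes_until(penalty, target, half_life=HALF_LIFE_MIN):
    """Minutes of decay needed for `penalty` to fall to `target` (0 if already there)."""
    if penalty <= target:
        return 0.0
    return half_life * math.log2(penalty / target)


def simulate_flaps(flap_minutes, penalty_per_flap=PENALTY_PER_FLAP,
                   suppress=SUPPRESS_LIMIT, half_life=HALF_LIFE_MIN,
                   reuse=REUSE_LIMIT, max_half_lives=MAX_SUPPRESS_HALF_LIVES):
    """Replay a list of flap times (minutes, ascending) through the dampening rules.

    For each flap, return the accumulated penalty after decay, whether the
    route is now suppressed (penalty above the suppress limit), and the minute
    at which it would be reused if it stopped flapping: when the penalty has
    decayed below the reuse limit, but never later than the max suppress time.
    """
    max_suppress = max_half_lives * half_life
    penalty, last_t, records = 0.0, 0.0, []
    for t in flap_minutes:
        penalty = decayed_penalty(penalty, t - last_t, half_life) + penalty_per_flap
        last_t = t
        suppressed = penalty > suppress
        reuse_at = None
        if suppressed:
            reuse_at = round(t + min(minutes_until(penalty, reuse, half_life), max_suppress), 1)
        records.append({"minute": t, "penalty": round(penalty),
                        "suppressed": suppressed, "reuse_at": reuse_at})
    return records


if __name__ == "__main__":
    # Constructed scenario: three flaps in quick succession, then one 30 minutes later.
    for rec in simulate_flaps([0, 1, 2, 32]):
        print(rec)
```

Three immediate flaps reach 3000, which is two halvings above 750, so the route sits suppressed for 30 minutes; a burst of many flaps hits the 60-minute ceiling instead of decaying for over an hour.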
13.6. LOAD BALANCING TRAFFIC
When multipath is enabled the External versus Internal path, highest Router ID, and Closest neighbor metrics are not used. If the MED and AS_PATH are the same, both routes are installed into the routing table. By using ebgp-multihop and associating it with a loopback you can load balance BGP over two parallel communication lines. BGP can load balance across up to six equal paths. Use the maximum-paths command to change this. IBGP can only use one path.

*Automatically Load Balancing
Method 1: Two communication lines going to two routers.
router bgp 100
 maximum-paths 2   (up to 6 can be used)
 nei 1.1.1.1 filter-list 1 out
 nei 2.2.2.2 filter-list 1 out
ip as-path access-list 1 permit ^$
Don't forget about those routing loops.
Single Router: Use the ebgp-multihop and update-source commands and it will be automatic.
Method 2: Two communication lines going to the same router. Create a loopback and use update-source with ebgp-multihop.
Load Share – Outbound
No routes received: use default routes.
Full routing: choose the best path.
Partial routes: only accept ^$ routes from the ISP.

Load Sharing on Inbound with AS-PATH
router bgp 100
 nei remote-as 200
 nei route-map add-to-200 out
 nei remote-as 300
 nei route-map add-to-300 out
route-map add-to-200 permit 10
 match ip address 5
 set as-path prepend 100 100
route-map add-to-300 permit 10
 match ip address 10
 set as-path prepend 100 100
access-list 5 permit 192.168.1.0 0.0.0.255
access-list 10 permit 192.168.2.0 0.0.0.255
Load Sharing on Inbound with MED
router bgp 100
 nei remote-as 200
 nei route-map set-med out
 nei remote-as 200
 nei route-map set-med out
route-map set-med permit 10
 set metric-type internal

Load Sharing without Transit Area
router bgp 100
 nei remote-as 200
 nei filter-list 1 out
ip as-path access-list 1 permit ^$
13.7. BGP FILTERING
Filter Expressions
Example networks and the AS_PATH each carries (nearest AS first, originating AS last):
Network   AS_PATH
NetA      300
NetB      400 300
NetC      100 200
NetD      100
NetE      (empty)

Regular expressions
Character      Symbol    Special Meaning
Period         .         Matches any single character, including white space.
Asterisk       *         Matches zero or more sequences of the pattern.
Plus sign      +         Matches one or more sequences of the pattern.
Question mark  ?         Matches zero or one occurrence of the pattern.
Caret          ^         Begins with.
Dollar sign    $         Ends with.
Underscore     _         Matches a comma (,), left brace ({), right brace (}), left parenthesis, right parenthesis, the beginning of the input string, the end of the input string, or a space.
Brackets       [range]   Designates a range of single-character patterns.
Hyphen         -         Separates the end points of a range.
Parentheses    ()        Repeat string, i.e. (ab)+ matches ab or abab or ababab...
Ctrl-V         ^v        Allows you to insert a ? in an expression.

Examples of Expressions
Routes to be Advertised from RTA to the NAP                Expression   Path Info        Outcome
Local routes only                                          ^$           empty            NetE
All routes                                                 .*           all paths        NetA, NetB, NetC, NetD, NetE
Routes that originated from directly connected customers   ^300$        300              NetA
                                                           ^100$        100              NetD
Connected customer routes and their customers' routes      ^300_        300              NetA
                                                           ^100_        100 200, 100     NetC, NetD
Routes that originated in AS200                            _200$        100 200          NetC
Routes that passed via AS100                               _100_        100 200, 100     NetC, NetD
Coming from AS100                                          ^100.*       100 200, 100     NetC, NetD
Use sh ip bgp regexp to test your statements.
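Added example, not from the original notes: a Python script that applies the IOS as-path expressions from the table to the example network list above, the same check sh ip bgp regexp performs on a router. The only IOS-specific piece is the underscore, translated here into the Python alternation that matches a separator or either end of the string, exactly as the table defines it; the network names and AS_PATH values are the constructed ones from the table.

```python
import re

# Constructed example table from the page: network -> AS_PATH (nearest AS
# first, originating AS last; an empty path is a locally originated route).
AS_PATHS = {
    "NetA": "300",
    "NetB": "400 300",
    "NetC": "100 200",
    "NetD": "100",
    "NetE": "",
}


def ios_regex_to_python(expr):
    """Translate an IOS as-path regular expression into Python re syntax.

    IOS expressions are ordinary regular expressions except for the underscore,
    which matches a comma, brace, parenthesis, space, or the beginning or end
    of the string. Everything else (. * + ? ^ $ [] () \\) passes through as-is.
    """
    # Only unescaped underscores are translated; "\_" stays a literal underscore.
    return re.sub(r"(?<!\\)_", r"(?:^|$|[ ,{}()])", expr)


def as_path_matches(expr, as_path):
    """True if the IOS expression matches the AS_PATH string."""
    return re.search(ios_regex_to_python(expr), as_path) is not None


def filter_networks(expr, table=AS_PATHS):
    """Networks whose AS_PATH matches, i.e. what an as-path filter-list built
    from `expr` would permit."""
    return [net for net, path in table.items() if as_path_matches(expr, path)]


if __name__ == "__main__":
    for expr in ("^$", ".*", "^300$", "^100$", "^300_", "^100_", "_200$", "_100_", "^100.*"):
        print(f"{expr:8} -> {', '.join(filter_networks(expr)) or '(none)'}")
```

Note that ^300_ matches only NetA: NetB's path 400 300 originated in AS 300 but arrived via AS 400, so a "customer and its customers" filter keyed on the first AS has to name the first AS actually seen, not the originator.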
Filtering on AS Confederations
ip as-path access-list 1 permit _\(65005\)$

Use a Distribute-List
neighbor 2.2.2.2 distribute-list 1 out
access-list 1 deny 160.0.0.0 0.0.255.255
access-list 1 permit any
To restrict supernetted subnets use an extended access-list:
access-list 101 permit ip 160.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255

AS_Path Filtering
Specify an access list applied to incoming or outgoing AS_PATHs.
neighbor 2.2.2.2 filter-list 1 out
ip as-path access-list 1 deny ^200$
Blocks any route originating from AS 200.

Filtering BGP Using AS-Path Access Lists
router bgp 200
 no synchronization
 bgp dampening
 neighbor 172.16.65.10 remote-as 100
 neighbor 172.16.65.10 filter-list 10 in
 neighbor 172.16.65.10 filter-list 1 out
 neighbor 172.16.65.10 remote-as 300
 neighbor 172.16.65.10 filter-list 1 out
!
ip as-path access-list 1 permit ^200$
ip as-path access-list 10 permit .*
.* permits any.

Manipulating BGP Attributes
router bgp 10
 nei 1.1.1.0 remote-as 10
 nei 2.2.2.0 route-map as-200-in in
ip as-path access-list 1 permit _300$
route-map as-200-in permit 10
 match as-path 1
 set local-preference 200
route-map as-200-in permit 20

Stop a Transit Area
Use an as-path filter on both border routers so they only advertise their own AS.
Route-Map Filtering
Can be used on incoming and outgoing BGP updates. Cannot be used to filter incoming updates based on IP address.
Allow AS 200 originated routes, deny any from AS 400. Set weight on 200 to 20 and everything else to 10.
neighbor route-map SETRULE
route-map SETRULE permit 10
 match as-path 1
 set weight 20
route-map SETRULE permit 20
 match as-path 2
route-map SETRULE permit 30
 set weight 10
ip as-path access-list 1 permit ^200$
ip as-path access-list 2 deny _400_
Prepending paths to influence the path to a destination:
nei 1.1.1.1 route-map setpath out
route-map setpath permit 10
 set as-path prepend 300 300

Community Filtering
Community Values:
NO_EXPORT      Do not advertise this route to EBGP peers.
NO_ADVERTISE   Do not advertise to any peer.
INTERNET       Advertise this route to all routers belonging to it.
LOCAL-AS       Used by Confederations.

Community-Filtering
Set the routes going out to 2.2.2.2 to not be forwarded further: no-export.
neighbor 2.2.2.2 send-community
neighbor 2.2.2.2 route-map setcommunity out
route-map setcommunity permit 10
 match ip address 1
 set community no-export
route-map setcommunity permit 20
access-list 1 permit 0.0.0.0 255.255.255.255

Community-List
Another long way to do it.
R1
nei 2.2.2.2 send-community
nei 2.2.2.2 route-map setcommunity out
route-map setcommunity permit 10
 match ip address 2
 set community 100 200 additive
route-map setcommunity permit 20
access-list 2 permit 0.0.0.0 255.255.255.255
R2
nei 3.3.3.3 route-map check-comm in
route-map check-comm permit 10
 match community 1
 set weight 10   (or do nothing)
route-map check-comm permit 20
 match community 2
ip community-list 1 permit 100
ip community-list 2 permit internet
This disallows one match (ACL 1) and allows everyone else.
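Added example, not part of the original notes: a Python model of route-map evaluation (clauses tried in sequence order, the first clause whose matches all succeed decides, implicit deny when none match) with match as-path, match community and match ip address, and set weight and set community with and without additive. The list numbers and clause contents mirror the SETRULE and setcommunity / check-comm examples above; the route prefixes and paths are constructed. It also shows a check worth making on the SETRULE map as written: a permit clause that matches an as-path list containing only a deny entry matches nothing, so AS 400 routes fall through to clause 30 and get weight 10 instead of being dropped. The second map uses an explicit deny clause, which does drop them.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Route:
    prefix: str
    as_path: str                           # nearest AS first, e.g. "300 400"
    communities: set = field(default_factory=set)
    weight: int = 0
    local_pref: int = 100


def ios_regex(expr):
    """IOS as-path regex to Python: '_' matches a separator or a string edge."""
    return re.sub(r"(?<!\\)_", r"(?:^|$|[ ,{}()])", expr)


# Constructed lists mirroring the page's examples; numbers and contents are assumptions.
AS_PATH_LISTS = {1: [("permit", "^200$")], 2: [("deny", "_400_")], 3: [("permit", "_400_")]}
COMMUNITY_LISTS = {1: [("permit", {"100"})], 2: [("permit", "internet")]}
ACLS = {2: [("permit", "any")]}


def list_permits(entries, test):
    """First entry whose test succeeds decides; an exhausted list is an implicit deny."""
    for action, value in entries:
        if test(value):
            return action == "permit"
    return False


MATCHERS = {
    "as-path": lambda n, r: list_permits(AS_PATH_LISTS[n], lambda e: re.search(ios_regex(e), r.as_path)),
    "community": lambda n, r: list_permits(COMMUNITY_LISTS[n], lambda c: c == "internet" or c <= r.communities),
    "ip address": lambda n, r: list_permits(ACLS[n], lambda p: p == "any" or p == r.prefix),
}


def set_community(arg, r):
    values, additive = arg
    r.communities = (r.communities | values) if additive else set(values)


SETTERS = {
    "weight": lambda v, r: setattr(r, "weight", v),
    "local-preference": lambda v, r: setattr(r, "local_pref", v),
    "community": set_community,
}


def apply_route_map(clauses, route):
    """Clauses are (permit|deny, {match: list-number}, {set: value}) in sequence
    order. The first clause whose matches all succeed decides: deny drops the
    route (returns None), permit applies its sets. No match is an implicit deny."""
    for action, matches, sets in clauses:
        if all(MATCHERS[m](n, route) for m, n in matches.items()):
            if action == "deny":
                return None
            for s, v in sets.items():
                SETTERS[s](v, route)
            return route
    return None


# route-map SETRULE as written on the page: clause 20 matches as-path list 2,
# which holds only a deny entry and therefore permits nothing.
SETRULE_AS_WRITTEN = [
    ("permit", {"as-path": 1}, {"weight": 20}),
    ("permit", {"as-path": 2}, {}),
    ("permit", {}, {"weight": 10}),
]
# The same policy with an explicit deny clause, so AS 400 routes really are dropped.
SETRULE_DENY_400 = [
    ("permit", {"as-path": 1}, {"weight": 20}),
    ("deny", {"as-path": 3}, {}),
    ("permit", {}, {"weight": 10}),
]
# R1's outbound setcommunity (additive) and R2's inbound check-comm from the page.
SETCOMMUNITY = [("permit", {"ip address": 2}, {"community": ({"100", "200"}, True)}),
                ("permit", {}, {})]
CHECK_COMM = [("permit", {"community": 1}, {"weight": 10}),
              ("permit", {"community": 2}, {})]


def demo():
    r200 = apply_route_map(SETRULE_AS_WRITTEN, Route("10.1.0.0/16", "200"))
    r400_written = apply_route_map(SETRULE_AS_WRITTEN, Route("10.2.0.0/16", "300 400"))
    r400_fixed = apply_route_map(SETRULE_DENY_400, Route("10.2.0.0/16", "300 400"))
    tagged = apply_route_map(SETCOMMUNITY, Route("10.3.0.0/16", "", {"no-export"}))
    checked = apply_route_map(CHECK_COMM, tagged)
    return r200, r400_written, r400_fixed, checked


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The additive case keeps the no-export the route already carried; without additive the set replaces it, which is how a downstream policy silently loses a tag that was meant to stop export.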
13.8. INTERNET CONNECTIVITY OPTIONS
Use MED to determine the entrance points.
Use LP to determine the exit points.
Set ACLs to determine what traffic goes where.
Use AS-PATH for all area manipulation.
Use sets for IP address manipulation.
Set default routes when possible and block ISP BGP updates when not needed.

Types of Internet Connections

Single-Homing
Customer has only one connection to the ISP. Configure a default route / default network to the ISP and statics at the ISP.

Multihoming to a Single Provider

Default Only, One Primary, and One Backup Link
Outbound traffic with floating statics or backup interfaces. Inbound traffic can be set by sending a metric (MED) to the routers, with the preferred link having the lower metric. Also, block all BGP updates from coming into your area when possible.

Default, Primary, and Backup, Plus Partial Routing
Partial routing is accepting the local ISP routes only. When the customer accepts partial routes, they can then decide which way each partial route should exit. This can be done by setting the local-preference with either AS_PATH, prefix path, or both. Using the AS-PATH, the LP gets set on all prefixes.

Multihoming to Different Providers
This type of configuration will be based on the policies between the ISPs and what AS paths you can modify.

Two Customers with the Same Provider with Backup Link
Here two customers use each other for the backup link versus two lines to the same provider. You set the Local Preference to the primary as 300, unless it has the neighbor's AS, then set it to 200, and the last resort to 100.

Two Customers with Different Providers
Use the community or as-path attribute to determine the routing.
Describe when to use BGP to connect to an ISP
When you connect to 2 different ISPs, it is frequently necessary to use BGP. Redundancy, load sharing, and lower tariffs at particular times of the day or night are some reasons why you would use 2 different ISPs. Also if you have different routing policy requirements than the ISP.
When a link becomes overloaded, the first thing you need to determine is whether the inbound or the outbound traffic is overloading it.

Describe methods to connect to an ISP
If you do not need BGP in your network, use static routes (from the ISP) and default routes (into the ISP) to connect to the ISP. If you use BGP in your network from your ISP, use access-lists or a firewall for security on your network.

When not to use BGP
You want a different routing policy than the ISP.
You have multiple redundant links to the ISP.
Internet with Static Routes
Internet –s0– r1 –s1/s0– r2
R1
router bgp 200
 aggregate-address 192.168.0.0 255.255.248.0
ip route 192.168.0.0 255.255.248.0 serial0
R2
router rip
 passive-interface s0
 netw 192.168.2.0
 netw 192.168.4.0
ip route 0.0.0.0 0.0.0.0 serial0
Use RIP for all local routers and use the default route to get to the internet. The internet-attached router uses BGP for internet connectivity and RIP for all local routing.

Internet – Single Exit
Internet – r1 – r2
R1
router bgp 200
 nei 192.168.100.1 remote-as 200
R2
router rip
 netw 192.168.1.0
 netw 192.168.3.0
router bgp 300
 netw 192.168.1.0
 netw 192.168.2.0
 nei 192.168.100.1 remote-as 200
ip route 0.0.0.0 0.0.0.0 192.168.100.2 (r1)

Sending a BGP default route to an IGP
Make sure the IGP does not have a default pointing to BGP. A route map is used to inject BGP's default route only; otherwise too many routes may get injected into the IGP.
RIP: Set the default-metric under RIP; the BGP route is automatically injected into RIP.
IGRP: The ip default-network needs to be set for the redistribution to be successful. This will be set to the BGP address (192.168.2.0). Set the default-metric in IGRP.

Non-Transit Methods
Filter EBGP updates (out) to allow only ^$.
Set the no-export community.
Use a distribute list to allow only your networks.
Filter _all_ incoming updates so you don't receive anything external in your AS.
Turn on synchronization without redistributing EBGP routes into the IGP.
Create an unreachable next-hop between the IBGP peers in AS100.
Only permit routes originated from your AS100 to be advertised out to other ASs by using the filter-list.
Assign the community Local-AS to all incoming NLRIs and use neighbor send-community to distribute the community information.
In order not to become a transit AS you should only allow your subnets to be advertised, using a route map.
13.9. MULTIPROTOCOL BGP
RFC 2283
MP_Reachable NLRI: Advertises a feasible route to a peer. Permits a router to advertise NLRI. Allows a given router to report some or all of the Subnetwork Points of Attachment (SNPAs).
MP_Unreachable NLRI: Used to withdraw a route from service.
Multicast BGP uses two sets of routes: one for unicast and one for multicast. Multicast routes are used with PIM and RPF.
13.10. BASIC BGP CONFIGURATION
router bgp 100
 network 19.0.0.0
 neighbor 15.1.1.2 remote-as 200

BGP Configuration
router bgp 109
 no synchronization
 redistribute ospf 1 route-map routes-to-core
 nei x.x.x.x remote-as 109
 no auto-summary
route-map routes-to-core permit 10
 set metric-type internal
!
Better method, since the BGP routes are statics:
router bgp 109
 no synchronization
 nei x.x.x.x remote-as 109
 redistribute static route-map route-to-core
 no auto-summary
router ospf 1
 area 0 range y.y.y.y t.t.t.t
 area 0 range x.x.x.x t.t.t.t
ip route y.y.y.y y.y.y.y null0
ip route x.x.x.x x.x.x.x null0
route-map route-to-core permit 10
 set metric 20
13.11. BGP COMMANDS

Other Commands
 automatic-tag
 ***aggregate-address
 *auto-summary
 *bgp
 comm-list
 *dampening
 default
 *default-information
 *default-metric
 *distance
 ***distribute-list
 exit
 help
 *maximum-paths
 ***neighbor
 **network
 no
 ***redistribute
 *summary-address
 *synchronization
 *table-map
 *timers
 *traffic-share
neighbor 1.1.1.1 ?
 **advertise-map
 *advertisement-interval
 **default-originate   Used to send a default route to a neighbor. Like a stub area.
 description
 ***distribute-list
 **ebgp-multihop
 **filter-list
 *maximum-prefix
 ***next-hop-self
 *password
 *peer-group
 *prefix-list
 ***remote-as
 *remove-private-AS
 ***route-map
 ***route-reflector-client
 **send-community
 *shutdown
 *soft-reconfiguration
 *timers
 **unsuppress-map
 **update-source
 *version
 **weight
sho ip bgp ?
 a.b.c.d
 cidr-only
 community
 community-list
 dampened-paths
 filter-list
 flap-statistics
 inconsistent-as
 **neighbors
 paths
 peer-group
 regexp
 summary
13.12. BGP TROUBLESHOOTING
If the table version is incrementing there is a route flapping.
sho ip bgp                        Displays the BGP route table
sho ip bgp paths                  Displays all BGP paths
sho ip bgp summary                Displays the status of all BGP connections
sho ip bgp neighbors              Displays the status of all BGP connections
sho ip bgp filter-list            Displays all routes that conform to a specified filter list
clear ip bgp *                    To make sure all policies are working properly
sho ip bgp community no-export    Displays routes that have been tagged
Is your BGP neighbor relationship formed? sh ip bgp summary
Are your BGP networks being advertised? Are the networks to be advertised in the BGP speaker's IGP table? sho ip route
Can your IBGP speakers ping the advertised next-hop address? If not, consider using next-hop-self.
Is your BGP table being formed properly? clear ip bgp *, debug ip bgp events, debug ip bgp updates
Should synchronization be turned off? show ip bgp, show ip route

Verifying BGP
clear ip bgp {* | address}   Used to reestablish the TCP session; use after all changes
show ip bgp                  Displays the BGP routing table
show ip bgp paths            Displays the topology table
show ip bgp summary          Displays information about the TCP sessions

Common Issues With BGP
Next-hop reachable?
Route in the IP routing table?
Disable synchronization?
Route reflector needed?
Redistributing dynamic protocols – routes flapping?
Watch out for policies that never converge, policies that converge but won't converge again if a link goes down, and policies that only converge based on the order of messages.
A route cannot exit and re-enter a confederation or its own AS.

Troubleshooting Neighbors
Need a valid TCP connection – pingable? Check states; check sh ip bgp neighbors – is the TCP connection there?
Does ebgp-multihop need to be on?
Different AS – are the neighbor remote ASs correct?
Turn on bgp log-neighbor-changes.
CIDR to Dotted Decimal Notation Chart
Prefix   Subnet mask       Wildcard mask
/1       128.0.0.0         127.255.255.255
/2       192.0.0.0         63.255.255.255
/3       224.0.0.0         31.255.255.255
/4       240.0.0.0         15.255.255.255
/5       248.0.0.0         7.255.255.255
/6       252.0.0.0         3.255.255.255
/7       254.0.0.0         1.255.255.255
/8       255.0.0.0         0.255.255.255
/9       255.128.0.0       0.127.255.255
/10      255.192.0.0       0.63.255.255
/11      255.224.0.0       0.31.255.255
/12      255.240.0.0       0.15.255.255
/13      255.248.0.0       0.7.255.255
/14      255.252.0.0       0.3.255.255
/15      255.254.0.0       0.1.255.255
/16      255.255.0.0       0.0.255.255
/17      255.255.128.0     0.0.127.255
/18      255.255.192.0     0.0.63.255
/19      255.255.224.0     0.0.31.255
/20      255.255.240.0     0.0.15.255
/21      255.255.248.0     0.0.7.255
/22      255.255.252.0     0.0.3.255
/23      255.255.254.0     0.0.1.255
/24      255.255.255.0     0.0.0.255
/25      255.255.255.128   0.0.0.127
/26      255.255.255.192   0.0.0.63
/27      255.255.255.224   0.0.0.31
/28      255.255.255.240   0.0.0.15
/29      255.255.255.248   0.0.0.7
/30      255.255.255.252   0.0.0.3
/31      255.255.255.254   0.0.0.1
/32      255.255.255.255   0.0.0.0
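Added example, not from the original notes: a Python script that generates the chart above from the prefix length rather than looking it up, and validates masks in the other direction. The useful part for config review is the contiguity check: a wildcard such as 0.0.0.5 has a hole in its bit pattern, is not the complement of any subnet mask, and is rejected instead of being quietly accepted into an access-list or network statement.

```python
import ipaddress


def masks_for_prefix(length):
    """Subnet mask and wildcard (inverse) mask for an IPv4 prefix length 0-32."""
    net = ipaddress.ip_network(f"0.0.0.0/{length}")
    return str(net.netmask), str(net.hostmask)


def prefix_for_mask(mask):
    """Prefix length for a dotted subnet mask or wildcard mask. Masks whose bits
    are not contiguous (e.g. 0.0.0.5) raise ValueError rather than mapping
    silently to some prefix length."""
    return ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen


def is_contiguous_wildcard(wildcard):
    """A wildcard mask is valid only if its 1 bits form a single run at the low end."""
    bits = int(ipaddress.IPv4Address(wildcard))
    return (bits + 1) & bits == 0


def cidr_chart():
    """Rows of (prefix, subnet mask, wildcard mask) for /1 through /32, as in the chart."""
    return [(f"/{n}", *masks_for_prefix(n)) for n in range(1, 33)]


if __name__ == "__main__":
    for row in cidr_chart():
        print("{:<4} {:<16} {}".format(*row))
    for candidate in ("0.0.0.7", "0.0.0.5"):
        print(candidate, "contiguous" if is_contiguous_wildcard(candidate) else "NOT a valid wildcard")
```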
14. IPX and NLSP
IPX RIP is enabled by default when IPX routing is enabled.
IPX default-route is enabled as network 2.
MTU is between 30 and 65535.
IPX does not support multicasts.
AD for IPX statics: dynamic over floating statics.
Multiple routes – lower tick is better; if the tick is the same use EIGR
Every 60 seconds all routes are broadcast.
Bit 0 in the first octet of the MAC address is the multicast/broadcast indicator. 5555.5555.5555 would have been flagged as multicast/broadcast.
Using the command "ipx routing 1.1.1" only assigns the node address of 1.1.1 to non-MAC interfaces (i.e. Serial). I would guess that if you wanted all node addresses on the router to be 1.1.1, you would change the MAC address on each LAN interface to 1.1.1...
When you enable NLSP or EIGRP on a LAN interface, disable RIP there:
EIGRP            NLSP
router rip       int e0
net 1.1.1.1      ipx nlsp rip off
                 ipx nlsp sap off
IPX Addressing
Use three-digit addresses for LANs, four-digit addresses for WANs, and five-digit addresses for loopbacks. For the LAN addresses use 100 for router one, 200 for router two, etc. If there are two routers on a segment use both router numbers. For example, if routers R1 and R5 are on the same segment, use 105 as the IPX network address. Use the same scheme for WAN segments. For example, the IPX network number for the serial connection between R1 and R5 would be 1005. In this example I assumed that R1 was on the left and R5 was on the right. We try to do all our numbering schemes from left to right and from top to bottom. When using ipx routing, for router 1 use "ipx routing 1.1.1".
Another example: when numbering your IPX links, I use the router numbers also. So if the IPX link is between router 2 and 5 it's IPX network 25. It makes it very easy to see which network is which in the routing table and to troubleshoot it.
Metric
IPX RIP has two metrics (link delay and hop count).
Delay is 6 on WAN and 1 on LAN.
Lower delay is preferred over lower hops.
You can change the metric/tick/delay with ipx delay.

Frame Types
Frame type      Encapsulation
802.3           novell-ether (default)
802.2 / 802.5   sap
Eth_II          arpa
ALL SNAPS       snap

Tuning IPX
ipx update-time   Raise on serial.

Static SAPs
Static SAPs will not get advertised on the network they are defined on.
ipx sap 107 mailserver 160.2222.2222.2222 8104 1
ipx sap 4 fileserver 160.3333.3333.3333 451 1
ipx sap 7 ptrserver 160.4444.4444.4444 452 1

GNS
Increases the time period for GNS replies. Useful on ISDN links.
ipx gns-response-delay 1000
14.1. IPX EIGRP
Periodic updates: only changes, and every 120 minutes.
Two-way redistribution with RIP.
Can disable split horizon.
Enable EIGRP at the core and IPX RIP at the LAN.
Never mix EIGRP and IPXWAN.
Remember once you enable EIGRP/NLSP you still have to turn IPX RIP off for the networks concerned.
The metric for EIGRP is better than IPX RIP's hop metric.
Disable RIP on WAN links or where no Novell hosts or servers are located.

*Rules:
1 – EIGRP routes are preferred over RIP, unless RIP has a lower hop count.
2 – The router redistributes only the routes that are used to forward the data.
SAPs
EIGRP keeps a backup SAP table per neighbor.
EIGRP makes sure the SAP updates are correct.
Use the command sh ipx eigrp neighbors server to display the neighbor SAP table.
EIGRP broadcasts SAPs on LANs, but suppresses them on WANs; only updates are sent.
IPX Hellos use the broadcast address .ffff.ffff.ffff.
Three differences between EIGRP IP and EIGRP IPX:
Automatic redistribution.
Metric integration – most IPX metrics are identical.
Naming and directory services – SAPs.

Incremental SAPs
To change EIGRP SAP behavior:
Stop periodic SAPs on a LAN with no IPX servers or hosts:
int e0
 ipx sap-incremental eigrp
Start periodic SAPs on a WAN with no EIGRP routers:
int s0
 no ipx sap-incremental eigrp
Suppress SAPs on a WAN but don't use EIGRP routing; use RIP:
int e0
 ipx sap-incremental eigrp rsup-only
To take advantage of Enhanced IGRP's incremental SAP update mechanism while using the RIP routing protocol instead of the Enhanced IGRP routing protocol, specify the rsup-only keyword. SAP updates are then sent only when changes occur, and only changes are sent. Use this feature only when you want to use RIP routing; Cisco IOS software disables the exchange of route information via Enhanced IGRP for that interface.
no ipx sap-incremental split-horizon   in the event of SAP propagation through an NBMA network.

Configurations
ipx router eigrp 100
 redistribute rip
ipx router eigrp 100
 distribute-list out 1 rip
ipx router rip
 distribute-list out 1 eigrp 100
14.2. IPX AND WANS
How do you stop IPX RIP and SAPs from keeping a GRE tunnel up?

IPXWAN
Accurately measures the delay of serial links.
The links negotiate the tick count.
Has no effect on SAPs on serial.
Requires no IPX addressing on WAN links.
Requires PPP encapsulation, not HDLC.
Will define the tick and not use the default of six.
No IPX addressing on the interface for IPXWAN.
6 ticks per WAN, 1 tick per LAN. IPXWAN is better than ticks; more accurate.
IPXWAN Configuration
Three requirements:
Assign an IPX internal number to the router:   ipx internal-network 111
No IPX network address on the interface:       no ipx network
Enable IPXWAN on both ends:                    ipx ipxwan 0 unnumbered r1   (default with ipx ipxwan)

IPXWAN Configuration
R1
ipx internal-network 1111
interface Serial0.2 point-to-point
 ipx ipxwan 1111 51 r1
 ipx nlsp enable
ipx router eigrp 20
 redistribute nlsp
 network 800
ipx router nlsp
 area-address 0 0
 redistribute eigrp 20
R5
ipx internal-network 5555
interface Serial0.1 point-to-point
 ipx ipxwan 5555 51 r5
 ipx nlsp enable
ipx router nlsp
 area-address 0 0

IPX and Frame-Relay
frame-relay map ipx 124.00ed.1edf.9821 102 broadcast

IPX over NBMA
*Need full mesh. Uses Inverse ARP.
Hub / Spoke: use FR map statements on the spoke, Inverse ARP at the hub.
IPX/RIP – same split horizon problems; split horizon cannot be disabled.
EIGRP – disable split horizon at the hub.
14.3. IPX AND DDR
To limit traffic use static IPX routes, SAPs or snapshot routing. Other possibilities are SPX spoofing, watchdog spoofing and SPX timeouts.
You must configure static SAPs for all resources that need to traverse the link. Since SAPs are blocked, no resources will be available.

IPX spoofing
IPX spoofing – spoofing allows the router to respond while the DDR interface is idle.
Configuring IPX Spoofing
Turn off route caching:                     no ipx route-cache
Enable SPX spoofing of the idle DDR link:   ipx spx-spoof
Enable IPX watchdog spoofing:               ipx watchdog-spoof
Set the SPX idle time:                      ipx spx-idle-time

Floating Static
ipx route default 14.0001.0001.0001 floating-static

Type 20 Propagation
int s0
 ipx type20-propagation

IPX DDR and Traffic Monitoring
username r5 password 0 cisco
ipx routing 1.1.1
ipx router rip
 no network 12
ipx router eigrp 12
 network 151
isdn switch-type basic-ni
interface BRI0
 encapsulation ppp
 dialer idle-timeout 90
 dialer map ip 151.1.1.5 name r5 broadcast 8358662
 dialer map ipx 151.0005.0005.0005 name r5 broadcast 8358661
 dialer-group 1
 ipx network 151
 ! 2 SPX and 2 IPX commands for DDR
 no ipx route-cache
 ipx watchdog-spoof
 ipx spx-spoof
 ipx spx-idle-time 90
 isdn switch-type basic-ni
 isdn spid1 0835866101 8358661
 isdn spid2 0835866301 8358663
 no cdp enable
 ppp authentication chap
 ppp multilink
access-list 900 deny any any all any rip
access-list 900 deny any any all any sap
access-list 900 deny any any all any 457
access-list 900 permit any
dialer-list 1 protocol ipx list 900
14.4. NLSP
It can be configured on point-to-point FR interfaces. NLSP does not work on point-to-multipoint, physical FR interfaces, or loopbacks. NLSP needs a non-multipoint LAN interface.
You cannot filter SAPs in NLSP.
Disable RIP and SAP after enabling NLSP.
Default behavior of NLSP is:
ipx router nlsp
 redistribute rip         [invisible]
 redistribute connected   [invisible]
Turn RIP and SAP off by using:
int e0
 ipx nlsp rip off
 ipx nlsp sap off
When enabling NLSP it might shut down the OSPF process.
When you configure the area address you are specifying which areas the routes will pass along. Set up three areas that share info from the second, with the same area address in 1 and 3.
Supports up to 127 hops.
After a DR has been a DR for 1 minute its priority is increased by 20. To make sure only powerful routers become DRs, increase their priority to be 21 more than any other router's. If you want the priority to be 85 for a router, better make it 65, and in one minute it will be 85.
Metric / Cost
Cost for NLSP can be between 0 and 63.
r1# show ipx route
Codes: C - Connected primary network,    c - Connected secondary network
       S - Static, F - Floating static, L - Local (internal), W - IPXWAN
       R - RIP, E - EIGRP, N - NLSP, X - External, s - seconds, u - uses

9 Total IPX routes. Up to 1 parallel paths and 16 hops allowed.

No default route known.

L        D35 is the internal network
C       E001 (SAP),            Et0
C      D35E2 (NOVELL-ETHER),   Et2
R        D34 [02/01] via       E001.0000.0c02.8cf9,   52s, Et0
N        D36 [20][02/01] via  D35E2.0000.0c02.8cfc,  594s, Et2
NX       D40 [20][03/02][02/01] via  D35E2.0000.0c02.8cfc,  594s, Et2
R      D34E1 [01/01] via       E001.0000.0c02.8cf9,   53s, Et0
NX     D40E1 [20][02/02][01/01] via  D35E2.0000.0c02.8cfc,  594s, Et2
N     D36E02 [20][01/01] via  D35E2.0000.0c02.8cfc,  594s, Et2

[20]     Cost of the route (NLSP only). For interior NLSP routes (marked "N"), this is the cost to the destination network. For exterior NLSP routes (marked "NX") this is the equivalent NLSP cost to the edge of the NLSP area.
[03/02]  Ticks/hops to the destination network. For RIP routes, this is the cumulative ticks and hops to the destination network. For NLSP routes, this is the equivalent ticks/hops computed from the NLSP cost to the destination network. For NLSP exterior routes, this is the equivalent ticks/hops computed by adding the RIP ticks/hops advertised at the edge of the NLSP area to the equivalent ticks/hops computed from the NLSP cost to the edge of the area.
[02/01]  Ticks/hops external to the NLSP cloud. These numbers are the tick and hop values advertised by RIP at the point where it entered the NLSP cloud.
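Added example, not part of the original notes: a Python parser for the show ipx route format explained above (it separates the optional NLSP cost, the ticks/hops pair, and the second pair that only NX routes carry), plus the IPX RIP selection rule from the Metric paragraph earlier in this chapter: lowest tick count wins and hop count only breaks ties. The output fed to it is constructed to match the sample above, not a capture from a router.

```python
import re

# Constructed 'show ipx route' output, shaped like the page's example (not a
# capture from a real router).
SAMPLE_OUTPUT = """\
L        D35 is the internal network
C       E001 (SAP),            Et0
C      D35E2 (NOVELL-ETHER),   Et2
R        D34 [02/01] via       E001.0000.0c02.8cf9,   52s, Et0
N        D36 [20][02/01] via  D35E2.0000.0c02.8cfc,  594s, Et2
NX       D40 [20][03/02][02/01] via  D35E2.0000.0c02.8cfc,  594s, Et2
R      D34E1 [01/01] via       E001.0000.0c02.8cf9,   53s, Et0
NX     D40E1 [20][02/02][01/01] via  D35E2.0000.0c02.8cfc,  594s, Et2
N     D36E02 [20][01/01] via  D35E2.0000.0c02.8cfc,  594s, Et2
"""

ROUTE_LINE = re.compile(
    r"^(?P<code>[A-Z]+)\s+(?P<net>[0-9A-Fa-f]+)\s+"
    r"(?:\[(?P<cost>\d+)\])?"                    # NLSP cost, N and NX routes only
    r"\[(?P<ticks>\d+)/(?P<hops>\d+)\]"           # ticks/hops to the destination
    r"(?:\[(?P<xticks>\d+)/(?P<xhops>\d+)\])?"    # ticks/hops outside the NLSP cloud, NX only
    r"\s+via\s+(?P<via>[0-9A-Fa-f.]+),\s+(?P<age>\d+)s,\s+(?P<intf>\S+)$"
)
INT_FIELDS = ("cost", "ticks", "hops", "xticks", "xhops", "age")


def parse_ipx_routes(text):
    """Return one dict per learned route (R, E, N, NX lines); connected and
    local lines carry no metric and are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line.strip())
        if not m:
            continue
        route = m.groupdict()
        for k in INT_FIELDS:
            route[k] = int(route[k]) if route[k] is not None else None
        routes.append(route)
    return routes


def best_route(candidates):
    """IPX RIP selection: the lowest tick count wins; hop count breaks a tie."""
    return min(candidates, key=lambda r: (r["ticks"], r["hops"]))


if __name__ == "__main__":
    for r in parse_ipx_routes(SAMPLE_OUTPUT):
        print(r)
```

Parsing the bracketed fields by position rather than by counting brackets is what keeps the R, N and NX layouts apart: an R line has one pair, an N line has cost plus one pair, and an NX line has cost plus two pairs.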
Area-Address
NLSP supports a hierarchical addressing scheme. Each routing area is identified by two 32-bit quantities: a network address and a mask. This pair of numbers is called an area address. Expressed in hexadecimal, an example of an area address follows:
• 01234500 - This number is the network address for this routing area. Every network number within that area starts with the identification code 012345.
• FFFFFF00 - This number is the mask that identifies how much of the network address refers to the area itself and how much refers to individual networks within the area. In the example area address above, the first 24 bits (012345) identify the routing area. The remaining 8 bits are used to identify individual network numbers within the routing area (for example, 012345AB, 012345C1, 01234511).
Figure 40-2 highlights the above addressing concepts with three different networks in a single area.
Load-Balancing
Aggregation
Question: Is there a way of getting NLSP aggregated routes to appear as RIP routes further down a chain of routers? If I am running NLSP in the core and aggregate some routes, when I go to the edge running RIP or EIGRP the aggregated routes do not appear but the non-aggregated ones do.
Answer: RIP and EIGRP do not understand summary routes, so you must use a default route to get back to a router that has a more explicit route to your destination.
NLSP Configuration
1 - Enable NLSP
2 - Area summarization
3 - Define the internal network
4 - Enable at the interface
5 - Disable RIP/SAPs on the interfaces
  ipx routing
  ipx internal-network 111
  ipx router nlsp
   area-address 0 0
  no ipx router rip
  no ipx router sap
  ipx internal-network cab
  int s 0
   ipx network 40
   ipx ipxwan 2 23
   ipx nlsp enable
  int e 0
   ipx nlsp enable
   ipx network FAB
14.5. TUNNELING
Create a single IPX network across Frame Relay / ISDN / Token Ring. Put a static SAP into both. Use a tunnel to split / share the IPX network. IRB bridging?
Tunneling
Passenger - the protocol to be encapsulated
Carrier   - GRE
Transport - IP
When or why would you need to encapsulate IPX? Hop limit, discontiguous networks, separate policies.
Be careful of routing decisions when using a tunnel. The change in hop count will affect distance-vector protocols.
IP over IP Tunneling
Watch out for recursive routing loops. When a recursive routing loop happens the router shuts the tunnel down for 1-2 minutes and issues a warning message before the tunnel goes back into the recursive loop.
Avoiding Loops
- Use separate protocol domains if possible.
- Use different routing protocols.
- Assign the metric for the routing protocol to equal the physical path.
- Keep the two IP ranges separate.
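An added check, not from the book, that models the recursive-routing condition described above: the tunnel destination must be reached over a physical interface, and the tunnel recurses as soon as the longest-prefix match for that destination points out the tunnel itself. The interface names, prefixes and the destination 10.10.1.1 are constructed for the example.

```python
"""Recursive-routing check for a GRE/IP tunnel (added example, not from the book).

A tunnel is recursively routed when the route used to reach its own
destination exits via the tunnel. The two constructed tables below show the
"keep the two IP ranges separate" advice: the second table lets the routing
protocol running inside the tunnel advertise a more specific prefix that
covers the tunnel destination, and the longest match then recurses.
"""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]   # (prefix, outgoing interface)


def parse_table(text: str) -> List[Route]:
    """Parse constructed 'prefix interface' lines into a routing table."""
    table: List[Route] = []
    for line in text.strip().splitlines():
        prefix, iface = line.split()
        table.append((ipaddress.IPv4Network(prefix), iface))
    return table


def lookup(table: List[Route], destination: str) -> Optional[Route]:
    """Longest-prefix match, the way the forwarding lookup picks a route."""
    addr = ipaddress.IPv4Address(destination)
    best: Optional[Route] = None
    for prefix, iface in table:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def tunnel_is_recursive(table: List[Route], tunnel: str, destination: str) -> bool:
    """True when the route to the tunnel destination exits via the tunnel itself."""
    route = lookup(table, destination)
    return route is not None and route[1] == tunnel


# Constructed tables. Tunnel0 is sourced on Serial0 with destination
# 10.10.1.1, reached through the 10.10.0.0/16 route over the serial link.
SEPARATE_RANGES = parse_table("""
10.10.0.0/16   Serial0
172.16.0.0/16  Tunnel0
""")

# Same topology, but 10.10.1.0/24 has been learned through the tunnel, so it
# now wins the longest match for 10.10.1.1 and the tunnel chases itself.
OVERLAPPING_RANGES = parse_table("""
10.10.0.0/16   Serial0
10.10.1.0/24   Tunnel0
172.16.0.0/16  Tunnel0
""")

TUNNEL_DESTINATION = "10.10.1.1"

if __name__ == "__main__":
    for name, table in (("separate", SEPARATE_RANGES), ("overlapping", OVERLAPPING_RANGES)):
        route = lookup(table, TUNNEL_DESTINATION)
        state = "RECURSIVE" if tunnel_is_recursive(table, "Tunnel0", TUNNEL_DESTINATION) else "ok"
        print(f"{name:12s} {TUNNEL_DESTINATION} via {route[0]} {route[1]} -> {state}")
```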
FR Switch and Tunneling
R1
  frame switch
  int s0
   encap frame
   frame route 167 tu0 43
   frame intf dce
  int s1
   ip add 17.16.100.1 255.255.255.0
  int tu0
   tunnel source serial
   tunnel destination 172.16.13.2
R2
  frame switch
  int s0
   encap frame
   frame route 93 tu0 43
   frame intf dce
  int s1
   ip add 17.16.13.1 255.255.255.0
  int tu0
   tunnel source serial
   tunnel destination 172.16.100.2
IP Tunneling
Default mode is GRE. You must configure a destination and a source.
  int s 0
   ip address 131.108.13.1 255.255.255.0
  int tunnel 0
   tunnel source s 0
   (or) tunnel source 131.108.13.1
   tunnel destination 131.108.13.2
IPX Tunneling
Use NLSP or EIGRP and disable IPX RIP.
  int s 0
   ipx network 131
  int tunnel 0
   ipx network 2130
   tunnel source s 0
   (or) tunnel source 131      (what port?)
   tunnel destination 2130     (what destination IP?)
GRE Tunneling (pg 718 Caslow II)
  crypto key generate dss r1
  crypto key exchange dss passive          (r1)
  crypto key exchange dss 10.10.1.1 r3     (r3)
  crypto cisco algor des
  sh crypto key mypubkey dss
14.6. IPX COMMANDS
  debug ipx packet
  sh ipx int
  sh ipx int brie
  sh ipx cache
  sipxr
  sipxs
  sh ipx traffic
14.7. IPX TROUBLESHOOTING
Every problem with IPX will be server-centric: everything is about server connectivity.
  sh ipx servers
  sh ipx int
  sh ipx traffic
  sh access-list
  sh ipx eigrp top
  sh ipx int
  sh ipx nlsp database
  sh ipx route
  sh ipx servers
  sh ipx traffic
  deb ipx ipxwan
  deb ipx packet            (needs no ipx route-cache on the interface to see the packets)
  deb ipx routing activity
  deb ipx routing events
  deb ipx sap activity
  deb ipx sap events
Is the IPX process running on a specific router?
  show protocols
  show ipx interface brief
  show cdp neighbor brief
Is IPX traffic exiting a specific router properly?
  ping ipx
  debug ipx packet
Are you sending and receiving the correct IPX routing updates on the correct interfaces?
  debug ipx routing activity
Are your IPX routing tables converging properly?
  clear ipx route *
  show ipx route
Are your SAP tables converging properly?
  clear ipx route *
  show ipx servers
If using IPX EIGRP, are EIGRP neighbor relationships being formed properly?
  sh ipx eigrp nei
Are the contents of the EIGRP topology database correct and complete?
  sh ipx eigrp top
Are EIGRP metric calculations reflecting the correct cost of the shortest path?
  sipxr
If tunneling IPX traffic, is the tunnel operating properly?
  show tunnel / debug tunnel
Remember: IPX tunneling relies on IP connectivity between the tunnel endpoints. To make sure one tunnel endpoint is reachable from the other, ping the tunnel endpoints. If the pings are successful and the tunnel still does not work, check for access-lists on all intermediate routers. Access-lists could be blocking the tunnel traffic.
15. Route Filtering
When you filter routes in OSPF, the filter is only applied on the current router. Since LSAs still flow downstream, all other routers will see these routes as well.
15.1. ROUTE FILTERS
Route filters can be used to identify query boundaries; they can be applied in/out, globally, per interface, and during redistribution. They are used for mutual redistribution.
Distance-vector protocols use the routing table to advertise routes. Link-state protocols use the link-state database to advertise routes. A route filter will influence the routing table where it is configured, but not on its neighbors. So the best place to use route filters is at the redistribution points.
  distribute-list out serial 0
Cannot be used on link-state protocols since no routes are going out interfaces (the link-state database is flooded instead). distribute-list out with a routing process, at the redistribution point, is the only way to use the out keyword with them.
Configuring IP Filters
  distribute-list in                       Applies to all updates from neighbors
  distribute-list in [interface-name]      Applies to all updates from the interface
  distribute-list out                      Applies to all updates sent
  distribute-list out [interface-name]     Applies to all updates sent out the interface
  distribute-list out [routing-process]    Applies to all updates received through the routing process, before the topology table
Global and interface distribute-lists are combined. Interface distribute-lists do not override globals, contrary to what the Cisco docs say. Outbound route filters always take effect one hop beyond the route filter. Inbound route filters take effect at the router.
Configuring IPX RIP Filters
  ipx input-network-filter
  ipx output-network-filter
Configuring IPX SAP Filters
  ipx input-sap-filter
  ipx output-sap-filter
EIGRP IPX SAP Filters
  distribute-sap-list in                      SAPs received
  distribute-sap-list in [interface-name]     SAPs received on the interface
  distribute-sap-list out                     SAP updates out
  distribute-sap-list out [interface-name]    SAPs out the interface
  distribute-sap-list out [routing-process]   SAPs out from IPX SAP, NLSP
15.2. PREFIX-LISTS
A prefix list allows you to match by subnet mask and destination network. If le or ge is not on the end of the line, the entry is an exact match.
Example #1:
  ip prefix-list 1 deny 192.168.10.0/24
Matches only 192.168.10.0 255.255.255.0 itself, not the subnets within it.
Example #2:
  ip prefix-list 1 deny 192.168.10.0/24 ge 25
Matches the subnets within 192.168.10.0/24 (/25 and longer).
The sequence number starts at 5 and is incremented by 5 automatically. The best practice is to permit only what you want to see.
*You can use prefix-lists to block BGP paths, NLRI, tuples.
  neighbor 172.16.1.1 prefix-list 1 out
  ip prefix-list 1 seq 5 deny 192.168.10.0/24
  ip prefix-list 1 seq 10 permit 0.0.0.0/0 le 32
-or-
  neighbor 172.16.1.1 route-map DO_NOT_SEND out
  ip prefix-list 1 seq 5 deny 192.168.10.0/24
  ip prefix-list 1 seq 10 permit 0.0.0.0/0 le 32
  route-map DO_NOT_SEND permit 10
   match ip address prefix-list 1
Prefix-List Syntax
  ip prefix-list [name] permit | deny [prefix/len]              Add a line to the end
  no ip prefix-list [name] seq [number]                         Delete a specific line
  ip prefix-list [name] seq [number] permit | deny [prefix/len] Insert a line at that number
  ip prefix-list [name] description [text]                      Add a description
Conditions
  Match the prefix exactly                                                    ip prefix-list [name] permit | deny [prefix]/[len]
  Match IP addresses with subnets shorter than or equal to the prefix length  ip prefix-list [name] permit | deny [prefix]/[len] le [len]
  Match IP addresses with subnets longer than or equal to the prefix length   ip prefix-list [name] permit | deny [prefix]/[len] ge [len]
  Match IP addresses between the min and max prefix lengths                   ip prefix-list [name] permit | deny [prefix]/[len] ge [min] le [max]
Prefix lists are supported from 11.3 and in all versions that support BGP. They are not officially documented even in 12.0.
To enable prefix lists:
  distribute-list prefix [name] in
  distribute-list prefix [name] in [interface-name]
  distribute-list prefix [name] out
  distribute-list prefix [name] out [interface-name]
  distribute-list prefix [name] out [routing-process]
Prefix Examples:
You can use a prefix list to block /32s:
  ip prefix-list seq 5 deny 0.0.0.0/0
Permit the exact prefix 192.168.0.0/16:
  ip prefix-list CCIE permit 192.168.0.0/16
Deny a default route:
  ip prefix-list CCIE deny 0.0.0.0/0
Permit all:
  ip prefix-list CCIE permit 0.0.0.0/0 le 32
Deny all:
  ip prefix-list CCIE deny 0.0.0.0/0 le 32
Deny /19 and longer in all IP addresses (the Internet-based one):
  ip prefix-list CCIE deny 0.0.0.0/0 ge 19
In 192.168.0.0/24 deny /25 and longer:
  ip prefix-list CCIE deny 192.168.0.0/24 ge 25
Permit all addresses from /8 to /24:
  ip prefix-list CCIE permit 0.0.0.0/0 ge 8 le 24
Redistribution Example
  router rip
   redist eigrp 100 route-map kill-loops
  ip prefix-list loop-list seq 10 deny 1.1.1.0/24
  ip prefix-list loop-list seq 20 permit 0.0.0.0/0 le 32
  route-map kill-loops permit 10
   match ip address prefix-list loop-list
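An added Python model of the prefix-list rules given in this section (sequence order, first match wins, implicit deny at the end, and ge/le semantics), not code from the book. It replays Example #1, Example #2 and the CCIE /19 filter against candidate prefixes to show why the entry without ge/le is an exact match; the candidate prefixes are constructed.

```python
"""Cisco-style IP prefix-list evaluation (added example, not from the book).

Entries are evaluated in sequence order, the first match decides permit or
deny, an unmatched prefix is implicitly denied, and an entry without ge/le
matches only the exact prefix length. IOS requires len < ge <= le <= 32.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One configuration line, e.g. "ip prefix-list CCIE seq 10 deny 0.0.0.0/0 ge 19".
ENTRY_RE = re.compile(
    r"^ip prefix-list (?P<name>\S+)(?: seq (?P<seq>\d+))? "
    r"(?P<action>permit|deny) (?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)"
    r"(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?$"
)


@dataclass
class Entry:
    seq: int
    action: str
    network: ipaddress.IPv4Network
    ge: Optional[int]
    le: Optional[int]

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        # The route's first len bits must equal the entry's network bits;
        # a route shorter than the entry can never match.
        if not route.subnet_of(self.network):
            return False
        plen = self.network.prefixlen
        if self.ge is None and self.le is None:
            return route.prefixlen == plen          # exact match only
        low = self.ge if self.ge is not None else plen
        high = self.le if self.le is not None else 32
        return low <= route.prefixlen <= high


class PrefixList:
    def __init__(self, name: str) -> None:
        self.name = name
        self.entries: List[Entry] = []

    def add(self, line: str) -> Entry:
        m = ENTRY_RE.match(line.strip())
        if not m or m["name"] != self.name:
            raise ValueError(f"not an entry of prefix-list {self.name}: {line!r}")
        network = ipaddress.IPv4Network(m["prefix"], strict=False)
        ge = int(m["ge"]) if m["ge"] else None
        le = int(m["le"]) if m["le"] else None
        if ge is not None or le is not None:
            low = ge if ge is not None else network.prefixlen + 1
            high = le if le is not None else 32
            if not network.prefixlen < low <= high <= 32:
                raise ValueError(f"invalid range, need len < ge <= le <= 32: {line!r}")
        if m["seq"] is not None:
            seq = int(m["seq"])
        else:
            # Unnumbered lines get 5, 10, 15, ... after the highest existing seq.
            top = max((e.seq for e in self.entries), default=0)
            seq = (top // 5 + 1) * 5
        entry = Entry(seq, m["action"], network, ge, le)
        self.entries.append(entry)
        return entry

    def evaluate(self, prefix: str) -> Tuple[str, Optional[int]]:
        """Return (action, matching seq); (deny, None) is the implicit deny."""
        route = ipaddress.IPv4Network(prefix, strict=False)
        for entry in sorted(self.entries, key=lambda e: e.seq):
            if entry.matches(route):
                return entry.action, entry.seq
        return "deny", None


def build(config: str, name: str) -> PrefixList:
    """Collect the lines of one named prefix-list out of a configuration snippet."""
    plist = PrefixList(name)
    for line in config.splitlines():
        if line.strip().startswith(f"ip prefix-list {name} "):
            plist.add(line)
    return plist


# Example #1 and Example #2 from the notes, each followed by a permit-all line.
EXACT = build("""
ip prefix-list 1 seq 5 deny 192.168.10.0/24
ip prefix-list 1 seq 10 permit 0.0.0.0/0 le 32
""", "1")
RANGE = build("""
ip prefix-list 2 seq 5 deny 192.168.10.0/24 ge 25
ip prefix-list 2 seq 10 permit 0.0.0.0/0 le 32
""", "2")
# The /19-and-longer filter, with auto-numbered lines and no permit-all.
CCIE = build("""
ip prefix-list CCIE deny 0.0.0.0/0 ge 19
ip prefix-list CCIE permit 0.0.0.0/0 ge 8 le 24
""", "CCIE")

if __name__ == "__main__":
    for plist, route in ((EXACT, "192.168.10.0/24"), (EXACT, "192.168.10.128/25"),
                         (RANGE, "192.168.10.0/24"), (RANGE, "192.168.10.128/25"),
                         (CCIE, "10.0.0.0/8"), (CCIE, "172.16.32.0/20"), (CCIE, "0.0.0.0/0")):
        print(f"prefix-list {plist.name}: {route:18s} -> {plist.evaluate(route)}")
```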
15.3. DISTRIBUTE-LISTS
Identify the network addresses you want to filter and create an access list. Determine if you want to filter them on an incoming or outgoing interface.
Assign the access list to filter outgoing routing updates:
  distribute-list access-list-number out [interface-name]
Assign the access list to filter incoming routing updates:
  distribute-list access-list-number in [interface-name]
distribute-list in stops routes from getting into the routing table, not LSAs.
Distribute-list in What is going into the routing process. Dist-list in can only be applied to interfaces.
Distribute-list out
What is being advertised out of the process.
1 - Create the access-list
2 - Create the distribute-list statement
Standard, prefix, and expanded-range (1300-1999) standard access-lists can be used for distribute-lists. IOS 12.x may change this?
IGRP Route Filtering
  router igrp 10
   network 140.10.0.0
   redist rip
   default-metric 1 1 1 1 1
   distr-list 1 in
  access-list 1 deny 170.10.0.0 0.0.255.255
  access-list 1 permit any
EIGRP IPX Filtering
  ipx router eigrp 100
   network 9e
   network 6c
   network 4a
   distribute-list 800 out s0
  access-list 800 permit 6c
EIGRP IP Filtering
  router eigrp 1
   network 172.16.0.0
   network 192.168.5.0
   distribute-list 7 out s0
  access-list 7 permit 172.16.0.0 0.0.255.255
RIP
  access-list 1 deny 10.2.2.0 0.0.0.255
  access-list 1 deny 172.16.0.0 0.0.255.255
  access-list 1 permit any
  router rip
   distribute-list 1 in e0
This blocks the routing entries from entering the routing table.
RIP
  router ospf 10
   redistr rip
  !
  router rip
   redist ospf 10 metric 1
   dist-list 10 out ospf 10
Stops the routing loop by not allowing the OSPF routes to be sent back out.
OSPF
On the ASBR use a dist-list in to stop routes from being put into the routing table; the LSAs are still sent.
  router ospf 1
   redistr eigrp 1 subnets
   distribute-list 10 in
  access-list 10 deny 10.1.1.1 0.0.0.255
  access-list 10 permit 10.2.2.0 0.0.0.255
15.4. ROUTE-MAPS
*Only one route map is allowed per neighbor on BGP.
*End all route-maps with a permit statement or you will block routes.
Route maps can be assigned based on protocol and path. They allow routing based on IP header fields: source address, interface, protocol layer, packet length, and application type.
To configure:
  Global command:     ip local policy route-map [name]
  Interface command:  ip policy route-map [name]
The SET clause is evaluated in this order:
  next-hop interface
  next-hop IP address
  next-hop default interface
  next-hop default IP address
Match Commands
  match as-path
  match community
  match clns
  match interface
  match ip address
  match ip next-hop
  match ip route-source
  match length
  match metric
  match route-type
  match tag
Set Commands
  set automatic-tag
  set interface
  set default interface
  set ip default next-hop
  set ip next-hop
  set ip precedence
  set ip tos
  set level
  set metric-type
  set next-hop default interfaces
  set next-hop default IP address
  set tag
BGP Set Commands
  set as-path
  set comm-list
  set community-list
  set dampening
  set local-preference
  set metric
  set nlri
  set origin
  set ip next-hop
  set weight
Route Map Basic Configuration
  int e0
   ip address 172.16.23.1 255.255.255.0
   ip policy route-map CCIE      ! disables fast-switching
  !
  route-map CCIE permit 10
   match ip address 1
   set interface serial 0
  !
  access-list 1 permit 172.16.134.0 0.0.0.255
  !
  ip route-cache policy          ! to re-enable fast-switching
  sh ip policy
  debug ip policy
Even ACL Only
  access-list 34 permit 192.168.1.0 0.0.254.0
  route-map hide-odd deny 10
   match ip address 34
  route-map hide-odd permit 20
Odd Only
  access-list 34 permit 192.168.0.0 0.0.254.0
  access-list 35 permit 192.168.6.0 0.0.0.0
  route-map hide-odd deny 10
   match ip address 34
  route-map hide-odd permit 20
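An added Python replay of the two filters above, not code from the book: it applies IOS wildcard-mask matching (a 1 bit means "don't care") and the deny/permit clause order of the route-map to a constructed set of 192.168.x.0 routes, showing which third octets the 0.0.254.0 wildcard selects and that access-list 35, which no match clause references, has no effect. The second route-map is named hide-even here to keep the two filters apart.

```python
"""Wildcard ACL and route-map evaluation (added example, not from the book).

Models standard access-list matching with IOS wildcard masks and the
first-matching-clause logic of a route-map, then runs the even/odd filters
from the notes over constructed routes.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(address: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: only bits that are 0 in the wildcard must be equal."""
    care = 0xFFFFFFFF ^ _to_int(wildcard)
    return (_to_int(address) & care) == (_to_int(base) & care)


class StandardAcl:
    def __init__(self) -> None:
        self.rules: List[Tuple[str, str, str]] = []     # (action, base, wildcard)

    def permits(self, address: str) -> bool:
        for action, base, wildcard in self.rules:        # first match wins
            if wildcard_match(address, base, wildcard):
                return action == "permit"
        return False                                     # implicit deny


class RouteMap:
    def __init__(self) -> None:
        # (sequence, action, number of the ACL in the match clause, or None)
        self.clauses: List[Tuple[int, str, Optional[str]]] = []

    def allows(self, address: str, acls: Dict[str, StandardAcl]) -> bool:
        for _, action, acl in sorted(self.clauses, key=lambda c: c[0]):
            # A clause with no match statement matches every route.
            if acl is None or acls[acl].permits(address):
                return action == "permit"
        return False                    # no clause matched: the route is dropped


def parse(config: str) -> Tuple[Dict[str, StandardAcl], Dict[str, RouteMap]]:
    """Read access-list, route-map and match ip address lines of a snippet."""
    acls: Dict[str, StandardAcl] = {}
    maps: Dict[str, RouteMap] = {}
    current: Optional[RouteMap] = None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "access-list":
            number, action, base = words[1], words[2], words[3]
            if base == "any":
                base, wildcard = "0.0.0.0", "255.255.255.255"
            else:
                wildcard = words[4] if len(words) > 4 else "0.0.0.0"   # host entry
            acls.setdefault(number, StandardAcl()).rules.append((action, base, wildcard))
        elif words[0] == "route-map":
            name, action, seq = words[1], words[2], int(words[3])
            current = maps.setdefault(name, RouteMap())
            current.clauses.append((seq, action, None))
        elif words[:3] == ["match", "ip", "address"] and current is not None:
            seq, action, _ = current.clauses[-1]
            current.clauses[-1] = (seq, action, words[3])
    return acls, maps


def filtered_routes(config: str, map_name: str, routes: List[str]) -> List[str]:
    """Return the routes that survive the named route-map."""
    acls, maps = parse(config)
    return [route for route in routes if maps[map_name].allows(route, acls)]


# The two filters from the notes (constructed copies of the configuration).
EVEN_ONLY = """
access-list 34 permit 192.168.1.0 0.0.254.0
route-map hide-odd deny 10
 match ip address 34
route-map hide-odd permit 20
"""
ODD_ONLY = """
access-list 34 permit 192.168.0.0 0.0.254.0
access-list 35 permit 192.168.6.0 0.0.0.0
route-map hide-even deny 10
 match ip address 34
route-map hide-even permit 20
"""
# Constructed candidate routes: 192.168.0.0 .. 192.168.7.0 plus one outsider.
ROUTES = [f"192.168.{n}.0" for n in range(8)] + ["10.0.1.0"]

if __name__ == "__main__":
    print("even only:", filtered_routes(EVEN_ONLY, "hide-odd", ROUTES))
    print("odd only: ", filtered_routes(ODD_ONLY, "hide-even", ROUTES))
```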
Internet
  route-map adv-default permit 10
   match ip address 10
  access-list 10 permit 192.168.200.192 0.0.0.3
  router isis
   default-information originate route-map adv-default
This allows 192.168.200.192 to be advertised as a default only if it is in the IS-IS database. You have to have IS-IS on the link.
Route-Map with Default Map
  access-list 10 permit 10.1.1.1 0.0.0.255
  route-map adv-default permit 10
   match ip address 10
  router ospf 1
   default-information originate route-map adv-default
16. Route Redistribution
Redistribute into... (rows are the source protocol, columns the protocol redistributed into)
  Protocol  RIP    RIP v2  IGRP   EIGRP  OSPF   BGP    IPX RIP  NLSP   ISIS
  RIP       XXX    Works   Works  Works  Works  Works  N/A      N/A    ???
  RIPv2     V-F    XXX     V-F    Works  Works  Works  N/A      N/A    Works
  IGRP      Works  Works   XXX    Works  Works  Works  N/A      N/A    ???
  EIGRP     V-F    Works   V-F    XXX    Works  Works  Auto     ???
  OSPF      V-F    Works   V-F    Works  XXX    Works  N/A      N/A    Works
  BGP       Why?   Why?    Why?   Why?   Why?   XXX    N/A      N/A    Why?
  IPX RIP   N/A    N/A     N/A    Auto   N/A    N/A    XXX      Auto   N/A
  NLSP      N/A    N/A     N/A    Works  N/A    N/A    Auto     XXX    N/A
  ISIS      ???    Works   ???    Works  Works  Works  N/A      N/A    XXX
16.1. GENERAL REDISTRIBUTION
*If a question states "put x route in the routing table but do not make it appear as external", they do not want you to use redistribution to get that route into the table.
When redistributing into a classless protocol: set the metric.
When redistributing into a classful protocol (RIP, IGRP): summarize to a classful boundary or to the Fixed Length Subnet Mask (FLSM) being used by the classful protocol.
When redistributing two-way: create a distribute-list out that only allows the correct routes to be advertised, or use route maps to set the metrics.
Redistribution Design
ACCESS level: stub areas pointing up; usually one-way redistribution.
Example 1 - Single Border Router, One-Way Redistribution
  Default routes are used.
  Redistribute into the upper routing domain (metrics not important).
  The upstream router will have a summary of the access layer.
Example 2 - Multiple Border Routers, One-Way Redistribution
  Default routes are used.
  Redistribute into the upper routing domain (metrics are important).
Example 3 - Multiple Border Routers, Two-Way Redistribution
  Distribute-list needed for metric and route selection.
  Possible routing loops can form.
Redistribution Methods
1 - Default routes in the stub area; redistribute into the larger areas (1-way)
2 - Default routes; redistribute with metrics (1-way)
3 - Redistribute with distribute-lists to avoid routing loops (2-way)
16.2. REDISTRIBUTION PROBLEMS
  Prot.   Metrics                                     AD      Class / Summarization         Redistribution Options
  RIPv1   hops                                        120     classful/FLSM
  RIPv2   hops                                        120
  IGRP    bw/dly/rel/load/mtu (10000/100/255/1/1500)  100     classful/FLSM
  EIGRP   bw/dly                                      90/170  ip summary-address eigrp 1    internal, external
  OSPF    cost                                        110     ABR - area range              subnets, metric-type (1|2);
                                                              ASBR - summary-address        external: metric-type 2, internal: metric-type 1
  ISIS    metric                                      115     summary-address level-1       level-1, level-1-2, level-2; metric-type [int/ext]; internal, external
  BGP     path                                        20/200                                internal, external
  IPX     delay/ticks
  NLSP    cost/throughput                                                                   internal, external
Router Redistribution Basic Steps
1 - Enable the routing protocols on the border routers
2 - Specify what networks to advertise
3 - Determine how you want to redistribute (one or two way)
4 - Determine the metric for routes redistributed into RIP, IGRP, and EIGRP
5 - Apply the subnets parameter for subnets redistributed into OSPF
6 - Apply distribute-lists (optional)
7 - Apply route-maps (optional)
8 - Address VLSM/FLSM issues if they exist
Administrative Distance
With two-way redistribution make sure the administrative distances don't form a routing loop. When redistributing two IGP protocols (RIP and OSPF) create a distribute-list so the routes are redistributed only once, through either IGP. EIGRP uses the D (internal) and D EX (external) administrative distances.
Passive-Interface Use passive interfaces to stop advertisements
Path Selection Problems Use administrative distance or default metric
Assigning Metrics
Three ways:
1 - Default metric         Assigns the same metric to all routes.
2 - Redistributed metric   Uses the same metric for the redistributed protocol.
3 - Route maps             Assigned based on protocol and path.
Determine the core or backbone routing protocol (usually EIGRP or OSPF). Determine which routing protocol is the edge or short-term protocol.
*Use default-metric bandwidth delay reliability loading mtu for IGRP and EIGRP:
  Bandwidth    10000 for Ethernet
  Delay        100
  Reliability  255
  Loading      1
  MTU          1500
Use default-metric number for OSPF, RIP, EGP, and BGP redistribution.
Resolve path selection problems that result from a redistributed network with administrative distance or the default metric.
Summarization EIGRP, OSPF, and ISIS can summarize redistributed routes.
Examples: QUIZ
  Into        Command
  IGRP        redistribute ospf 1 metric 10000 100 255 1 1500
  OSPF        redistribute igrp 1 metric 30 metric-type 1 subnets
  RIP         redistribute igrp 1 metric 5
  RIP         redistribute isis level-1-2 metric 5
  ISIS        redistribute rip metric 5 metric-type external level-2
  Connected   redistribute connected metric [metric], or default-metric
Metric Requirements for Redistributing into DV Protocols
You must supply a metric when redistributing into distance-vector protocols, unless the routes are static or connected.
Three ways:
  Default metric         Assigns the same metric to all redistributed routes.
                         IGRP   1000 100 255 1 1500
                         EIGRP  1000 100 255 1 1500
                         RIP    5
  Redistributed metric   Uses the same metric for the protocol.
  Route maps             Assigned based on protocol and path.
Any routes redistributed without a metric will be set to unreachable. Use route-maps to define metrics based on paths. Assign metrics to OSPF, RIP, and BGP with the default-metric command. OSPF automatically assigns a metric of 20 to any redistributed route.
16.3. STATIC REDISTRIBUTION
                   Connected      Static Routes with Next-Hop Address
  AD               0              1
  Uses             interfaces     addresses
  Redistribution   automatic      manual
No metric is required for connected and static redistribution.
  redistribute static
  redistribute connected     Redistributes all interfaces; use a distribute-list to be selective.
16.4. RIP REDISTRIBUTION
All redistribution must be on a classful boundary. Otherwise refer to the VLSM to FLSM section.
*Redistribute connected does not work with RIP.
RIP automatically redistributes a 0/0 route.
IGRP / EIGRP
  router rip
   redist igrp 200 metric 5
   redist eigrp 200 metric 5
   netw 192.168.3.0
(or use default-metric 5 under router rip instead of the per-command metric)
OSPF
  router rip
   redist ospf 200 metric 3
   netw 192.168.3.0
16.5. IGRP REDISTRIBUTION All redistribution must be on a classful boundary, in this case it is identical to EIGRP. Otherwise refer to the VLSM to FLSM section.
16.6. EIGRP REDISTRIBUTION
Routes coming in will be EX (external) type routes. Split horizon will stop routing loops when redistributing between routing processes. This may also stop some routes from getting redistributed.
EIGRP automatically redistributes with IPX RIP, and with IGRP if the AS numbers are the same.
Always set the metric when redistributing, either with the metric option of the redistribute command or with the default-metric command.
Ways to block routing loops: (Slattery)
Dist-list
  access-list 10 deny 1.0.0.0 0.0.0.255
  access-list 10 permit any
  router rip
   redist eigrp 100
   dist-list 10 out serial 0
Route-Maps
  access-list 10 deny 10.1.1.0 0.0.0.255
  access-list 10 permit any
  route-map kill-loops permit 10
   match ip address 10
  router rip
   redist eigrp 100 route-map kill-loops
-or-
  route-map kill-loops deny 10
   match route-type external
  route-map kill-loops permit 20
  ! this will stop all externals, not just the RIP ones
Prefix-List
  ip prefix-list loop-list seq 10 deny 1.1.1.0/24
  ip prefix-list loop-list seq 20 permit 0.0.0.0/0 le 32
  route-map kill-loops permit 10
   match ip address prefix-list loop-list
  router rip
   redist eigrp 100 route-map kill-loops
  ! Prefix list allows you to match by subnet mask
  ! and destination network (prefix)
Distance
  access-list 10 permit 172.16.20.0 0.0.0.255
  router eigrp 100
   distance 255 172.16.21.1 0.0.0.0 10
Admin Tags
  router eigrp 1
   redist rip route-map setflag
  router rip
   redist eigrp 1 route-map denyflag
  route-map setflag permit 10
   set tag 1
  route-map denyflag deny 10
   match tag 1
  route-map denyflag permit 20
Connected Networks and Statics
R1
  router eigrp 200
   redist connected        (same as netw 1.1.6.0)
   redist static
   netw 1.1.6.0
  ip default-network 1.1.6.0
  !
  ip route 1.1.3.0 255.255.255.0 1.1.6.0
Static Redistribution and Filtering a Static Route
  router eigrp 1
   network 192.31.7.0
   default-metric 10000 100 255 1 1500
   redistribute static
   distribute-list 3 out static
  access-list 3 permit 131.108.0.0
  !
  ip route 131.108.0.0 255.255.0.0 192.31.7.18
  ip route 201.222.5.0 255.255.255.0 192.31.7.10    ! denied by access-list 3
RIP
RIP into EIGRP
  router eigrp 200
   redist rip metric 10000 100 255 1 1500
   netw 192.168.6.0
IGRP and EIGRP (Same AS)
R1
  router eigrp 200
   netw 1.1.1.0
  router igrp 200
   netw 1.1.6.0
R2
  router igrp 200
   netw 1.1.2.0
IGRP with a different AS
If the AS numbers of IGRP and EIGRP are different you must redistribute between them, using the metric option of the redistribute command or the default-metric command.
IGRP and EIGRP (Different AS)
R1
  router eigrp 200
   redist igrp 300
   netw 1.1.1.0
   netw 1.1.4.0
   default-metric 125 1000 255 1 1500
  router igrp 300
   redist eigrp 200
   netw 1.1.6.0
   default-metric 125 1000 255 1 1500
R2
  router igrp 300
   netw 1.1.3.0
   netw 1.1.6.0
R3
  router eigrp 200
   netw 1.1.2.0
   netw 1.1.4.0
OSPF to EIGRP
  router eigrp 150
   network 150.50.0.0
   redistribute ospf 128
   default-metric 56 1000 255 1 1500
16.7. OSPF REDISTRIBUTION
With area summarization, the router doing the summarizing does not use the summary.
Bug in IOS 12.0(5): if OSPF is configured using a "network x.x.x.x 0.0.0.0 area x" command (explicitly identifying an interface), then the connected interface information may not be properly redistributed into other protocols (configured to "redistribute ospf xxx ..."). Workaround: use a general mask instead ("network x.x.x.0 0.0.0.255 area x", for example).
If the routes are not classful use the subnets option on redistribution.
Routes coming in will be E2 (external type 2, the default) type 5 LSA routes.
OSPF assigns a metric of 20 to all routes if a metric is not assigned, except BGP, which is assigned 1.
  redistribute ospf 109 match internal external 1 external 2
This is the default for OSPF: both internal and external routes are redistributed.
  redistribute connected subnets
For OSPF the subnets parameter is needed for all subnetted routes.
  debug trace                     Used to display the type 5 LSAs getting redistributed
  clear ip ospf redistribution    Manually initiate a redistribution
Metric types: Type 1 routes include the cost of traversing the OSPF domain. Type 2 routes have a cost which consists of the external cost only. By default, redistributed routes have external metric-type 2.
Redistribution is always done on an ASBR; if the router is not an ASBR before, it will be afterwards.
Static
  router ospf 10
   redistribute static metric 50 metric-type 1 subnets
   redistribute connected metric 50 metric-type 1 subnets
RIP
NSSA - Good for redistribution of RIP; RIP will be external.
The rule for an OSPF network to be redistributed into RIP seems to be:
1. If the network is owned by OSPF only, RIP will summarize it into the major net and pass it to the next RIP router.
2. If the network is owned by both OSPF and a local interface, RIP will not summarize the route, and there are two situations:
   a. If the route is a major net route (unsubnetted), RIP will leave it untouched (not summarize it) and pass it to the next RIP router.
   b. If the route is a subnetted route, RIP will leave it untouched, and when this route tries to go deeper into the RIP process it is rejected, because RIP only passes major networks.
  router ospf 10
   redistribute rip subnets metric-type 1 metric 12
  router ospf 200
   redist rip metric 100
   netw 192.168.6.0 0.0.0.255 area 6
IGRP / EIGRP
  router ospf 10
   redistribute igrp metric-type 1 metric 12
   redistribute eigrp subnets metric-type 1 metric 12
ISIS
  router isis
   summary-address 172.16.0.0 255.255.0.0
   redistribute ospf 200 metric 20
   net 48.0001.0000.0000.0001.00
Filtering
On the ASBR use distribute-list out to filter routes into other protocols. distribute-list in stops routes from being inserted into the routing table, but it does not stop the LSAs from being sent.
Summarization and Redistribution (On ASBR)
  router ospf 100
   summary-address 190.10.32.0 255.255.224.0
   redistribute eigrp 90 metric 200 subnets
This makes the EIGRP routes from 190.0.0.0 that fall under the summary get summarized into a single external route.
16.8. IS-IS REDISTRIBUTION
IS-IS defaults to redistributing routes as internal level-2 routes. To get level-1 routes redistributed you must specify them.
  router ospf 200
   log-adjacency-changes
   summary-address 182.18.0.0 255.255.0.0
   redistribute isis metric 300 metric-type 1 subnets
   network 172.16.253.4 0.0.0.3 area 0
   network 172.16.254.0 0.0.0.255 area 0
   distribute-list 4 out
16.9. BGP REDISTRIBUTION
**By default OSPF external routes are not redistributed into BGP. If you want the routes showing as E1 or E2 in your OSPF domain to also be redistributed into BGP, configure the redistribute command with the match external 1 external 2 sub-options.
If you redistribute IGPs into BGP, watch for null0 interfaces. Make sure only the route you need is redistributed.
You should never redistribute BGP into an IGP on an Internet router. For the enterprise it would be OK.
Redistributing a static route is the best way to advertise a supernet because it stops the route from flapping.
With IGP and BGP redistribution, check the route tables. If the IGP route is the chosen route you can change that with:
  router bgp 109
   distance bgp 20 20 20
**If trying to use no synchronization and redistributing from BGP to OSPF, the RID of BGP and OSPF must match! This will NOT occur if you are using route reflectors because the reflector changes the RID!
*IBGP routes cannot be redistributed into an IGP in the same AS.
The only way to inject routes into BGP from IGPs is with the redistribute command.
*Origin is set to Incomplete on redistributed routes.
**BGP can be used to send default routes to IGP protocols.
Static
  router bgp 200
   redist static
  ip route 10.1.1.0 255.255.255.0 null0
Supernetting
IGRP
Redistribute the BGP route so that the network named in the ip default-network command is set in IGRP. (192.168.2.0 0.0.0.255)
  router igrp 100
   default-metric 1000 100 250 100 1500
   redistr bgp 3 route-map DEFAULT
  ip default-network 192.168.6.0
  route-map DEFAULT
   match ip address 5
  access-list 5 permit 192.168.6.0
EIGRP
Origin is set to Incomplete.
  router bgp 200
   nei 1.1.1.1 remote-as 100
   nei 1.1.1.1 dist-list 1 in
   redist eigrp 10
  access-list 1 permit 172.16.0.0 0.0.255.255
EIGRP
You must use redistribution to inject a BGP default into EIGRP. Set the metric and add a route map as needed.
  router eigrp 100
   redistr bgp route-map DEFAULT
   default-metric 1000 100 250 100 1500
  route-map DEFAULT
   match ip address 5
  access-list 5 permit 0.0.0.0
OSPF / ISIS
OSPF does not inject external OSPF routes into BGP unless it is specifically instructed to do so with the following command:
  router bgp 3
   redist ospf 3 match external 1 external 2
Normally you would not do this. You should use the nei dist-list xx out command to redistribute into any IGP; this lets you limit the networks going into the IGP.
  router ospf 1
   redist bgp 200
   dist-list 1 in
  access-list 1 permit 172.16.0.0 0.0.255.255
16.10. IPX REDISTRIBUTION
*Automatic IPX mutual redistribution:
  IPX EIGRP to IPX RIP
  IPX RIP to NLSP
  IPX RIP and static routes
Manual redistribution:
  IPX EIGRP - NLSP
IPX EIGRP and IPX RIP Redistribution
Redistribution between IPX RIP and IPX EIGRP is automatic; use the no redistribute command to stop it.
  ipx router eigrp 100
   no redistribute rip
NLSP and IPX EIGRP Redistribution
  ipx router eigrp 20
   redistribute nlsp
  !
  ipx router nlsp
   redistribute eigrp 20
16.11. FLSM AND VLSM
You will most definitely be asked to do some kind of redistribution between an FLSM protocol and a VLSM protocol, and you will be told you cannot use a static route, a default route, or a default network.
RIP will redistribute the 0.0.0.0 default network; use the default-information originate command.
IGRP does not distribute the 0.0.0.0 network; use the ip default-network command. The network must be classful, in the routing table, and not on the FLSM router. ip classless must be configured on the FLSM router.
RIPv2 Method
Create RIP routes with a /25 mask and redistribute them into OSPF with no subnets keyword. Change to RIPv2 and see what happens. How does changing RIP to RIPv2 make the routes appear / disappear? Change RIP to version 2, which supports /28 networks.
Static Method - RIP / IGRP
OSPF ASBR: Create a static route to null0 on the ASBR and redistribute static into IGRP.
Second OSPF Process Method - OSPF to RIP / IGRP
Use a second OSPF process and redistribute your main process into the second one, then use the summary-address command and redistribute the second process into IGRP.
Route-Map Method
OSPF ASBR
  router ospf 10
   redistribute rip metric 10 subnets
  router rip
   redistribute ospf 10 metric 2 route-map add-all
  route-map add-all permit 10
   match ip address 1
  access-list 1 permit 203.45.2.1 0.0.0.255
Ø
Loopback Method OSPF – RIP / IGRP OSPF ASBR OSPF /28 -> RIP /24 -> IGRP /24 Create a loopback on a router in the ospf domain other than the ASBR using the same subnet but with a /24 mask and then advertised that into ospf and all was well on the IGRP router. You may be able to use the subnet-zero option to create the loopback.
Ø
Summarize Method #1 OSPF ABR Summarize route if the area in not connected to the same area as the ASBR. If you use the area range command to summarize an area that is directly connected to the ASBR, the summarized route will not get "injected" into the RIP/IGRP domain. OSPF ASBR Summarize the network area 0 range on a router other than the ASBR, then the ASBR would have the summary in the routing table to redistribute. For either of these summarization methods to work you must get the summary to the ASBR. The only way to do this is to have the ASBR be in another area.
Ø
Summarize Method #2 To avoid the problems on a ASBR where the route must be external to summarize, you can redistributing connected into OSPF, the connected route appears as external, which is then subject to the summary-address command. Redistribute connected using a route map with an access list to match only that route into OSPF (This makes the route EX external) and use a summary address to make it a /24 then redistribute OSPF to RIP. An external routes will be injected router ospf 10 redistribute connected route-map onlyloops subnets summary-address 173.16.24.1 0.0.0.3 summary-address 192.168.12.1 0.0.0.3 route-map onlyloops match interface loop0 loop1 Page 196 of 296 Copyright © 2003 by Bradshaw Labs Inc. All Rights Reserved
THE CCIE Book int lo0 ip add 173.16.24.1 255.255.255.252 int lo1 ip add 192.168.12.1 255.255.255.252
16.12. MUTUAL REDISTRIBUTION
This is when the same routing protocol is redistributed into two identical processes on different routers. The AD can form a routing loop. Route-tagging is great for mutual redistribution except for RIPv1 and IGRP. Although route-maps do work, distribute-lists are more flexible.
To solve this problem use:
  passive-interfaces
  split-horizon
  distribute-list 1 out ospf 10

RIP and OSPF (Dist-List)
    router ospf 10
     redistribute rip metric 10 subnets
    router rip
     redistribute ospf 10 metric 2
     distribute-list 1 out ospf 10

RIP and OSPF (Route-Map)
Example #1
    router ospf 1
     redistribute rip subnets metric 100 route-map r2o
    router rip
     version 2
     redistribute ospf 1 metric 2 route-map o2r
    route-map r2o deny 10
     match tag 110
    route-map r2o permit 20
     set tag 120
    route-map o2r deny 10
     match tag 120
    route-map o2r permit 20
     set tag 110
Example #2
    route-map tagging deny 10
     match tag 100
    route-map tagging permit 20
     set tag 100
    router ospf 1
     redistribute rip subnets metric 100 route-map tagging
    router rip
     version 2
     redistribute ospf 1 metric 2 route-map tagging
The logic is that we can separate the routes in the OSPF domain as internal (no tag) and external (tag 100). Because a tag on OSPF routes will not influence the routes in RIPv2, and vice versa, you can set both tags to 100. Harder to understand, though.
Any show commands to observe tags? sho ip ospf database; the last section has the tagging. If you do debug ip rip database (v2) it shows the tags of routes coming in and out. IGRP doesn't understand tagging. EIGRP does, and I think there is also some show ip eigrp database-like command.
IGRP and OSPF
    router igrp 100
     passive-interface serial 0
     distribute-list 1 out ospf 10
    ! deny the IGRP route that was redistributed into OSPF from coming back
    access-list 1 deny 10.10.0.0
    access-list 1 permit any
The distribute-list needs to be applied to all routers that could advertise the OSPF network back to the originating router.

IGRP -> OSPF
R1
    router ospf 200
     netw 1.1.6.0 0.0.0.255 area 6
     netw 1.1.1.0 0.0.0.255 area 0
     netw 1.1.4.0 0.0.0.255 area 4
R2
    router ospf 200
     netw 1.1.2.0 0.0.0.255 area 4
     netw 1.1.4.0 0.0.0.255 area 4
R3
    router ospf 200
     redist igrp 200 metric 1 metric-type 1
     netw 1.1.6.0 0.0.0.255 area 6
    router igrp 200
     redist ospf 200 metric 125 1000 255 1 1500
     ! IGRP network statements are classful (the original read 1.1.1.3.0)
     netw 1.0.0.0
     passive-interface serial 0
     dist-list 1 out ospf 200
    access-list 1 permit 1.1.1.0 0.0.0.255
    access-list 1 permit 1.1.2.0 0.0.0.255

Two-Way Redistribution
Method 1: OSPF – EIGRP
    router eigrp 10
     redistribute ospf 1 match internal
    router ospf 1
     redistribute eigrp 10 route-map Internal-Only
    route-map Internal-Only permit 10
     match route-type internal
Method 2: OSPF – EIGRP
    router eigrp 10
     redistribute ospf 1 route-map OSPF1
    router ospf 1
     redistribute eigrp 10 route-map EIGRP10
    route-map OSPF1 deny 10
     match tag 10
    route-map OSPF1 permit 20
     set tag 1
    route-map EIGRP10 deny 10
     match tag 1
    route-map EIGRP10 permit 20
     ! must be tag 10 so that OSPF1's deny clause catches it on the way back
     set tag 10
Two-Way with RIP
RIP does not support internal / external tags. Use route filters / tags.

RIP and IGRP
    router rip
     redist igrp 200 route-map igrp-to-rip
     netw 192.168.3.0
    router igrp 200
     redist rip metric 10000 100 255 1 1500
     netw 192.168.6.0
    route-map igrp-to-rip permit 10
     match ip address 1
     set metric 1
    route-map igrp-to-rip permit 20
     match ip address 2
     set metric 2
    route-map igrp-to-rip permit 30
     match ip address 3
     set metric 3
    access-list 1 permit 192.168.6.0 0.0.0.255
    access-list 2 permit 192.168.1.0 0.0.0.255
    access-list 2 permit 192.168.4.0 0.0.0.255
    access-list 3 permit 192.168.2.0 0.0.0.255

IGRP / OSPF Mutual
    access-list 1 permit 172.161.1.0
    access-list 1 permit 172.16.2.0
    access-list 1 permit 10.1.1.0
    access-list 2 permit 172.16.20.0
    access-list 2 permit 172.16.30.0
    access-list 2 permit 10.20.30.0
    router ospf 100
     redistribute igrp 100 subnets
     distribute-list 1 out igrp 100
    router igrp 100
     redistribute ospf 100 metric 10000 1000 255 1 1500
     distribute-list 2 out ospf 100
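How IOS evaluates the igrp-to-rip route-map above, and the r2o tag filter from 16.12, can be modelled offline. This is an added example, not from the book: the class and function names are mine, the routes fed in are constructed, and the semantics follow IOS (wildcard bit 1 = don't care, first matching ACL entry decides, an ACL deny only means "this clause does not match", and a route matching no clause is dropped by the implicit deny).

```python
"""Offline model of IOS standard ACL + route-map evaluation during redistribution.

Added example, not from the book: it applies the igrp-to-rip route-map and
access-lists shown above, and the r2o/o2r tag logic from 16.12, to constructed
routes. Semantics follow IOS: a wildcard bit of 1 means "don't care", the first
matching ACL entry decides, a deny in the ACL just means "this clause does not
match", and a route that matches no clause is dropped by the implicit deny.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple


def ip_to_int(addr: str) -> int:
    return int(IPv4Address(addr))


@dataclass
class AclEntry:
    action: str                 # "permit" or "deny"
    address: str
    wildcard: str = "0.0.0.0"   # IOS default: match the network number exactly

    def matches(self, prefix: str) -> bool:
        care = ~ip_to_int(self.wildcard) & 0xFFFFFFFF   # bits we must compare
        return (ip_to_int(prefix) & care) == (ip_to_int(self.address) & care)


def acl_permits(acl: List[AclEntry], prefix: str) -> bool:
    """First matching entry decides; no match is an implicit deny."""
    for entry in acl:
        if entry.matches(prefix):
            return entry.action == "permit"
    return False


@dataclass
class RouteMapSeq:
    action: str                      # "permit" or "deny"
    match_acl: Optional[int] = None  # match ip address N
    match_tag: Optional[int] = None  # match tag N
    set_metric: Optional[int] = None
    set_tag: Optional[int] = None


def seq_matches(seq: RouteMapSeq, acls, prefix: str, tag: int) -> bool:
    # Different match types in one clause are ANDed, as in IOS.
    if seq.match_acl is not None and not acl_permits(acls[seq.match_acl], prefix):
        return False
    if seq.match_tag is not None and tag != seq.match_tag:
        return False
    return True


def apply_route_map(seqs, acls, prefix, metric, tag=0) -> Optional[Tuple[int, int]]:
    """Return (metric, tag) for the redistributed route, or None if filtered."""
    for seq in seqs:
        if not seq_matches(seq, acls, prefix, tag):
            continue
        if seq.action == "deny":
            return None
        if seq.set_metric is not None:
            metric = seq.set_metric
        if seq.set_tag is not None:
            tag = seq.set_tag
        return metric, tag
    return None   # fell off the end of the route-map: implicit deny


# The igrp-to-rip route-map and its access-lists, as configured in the text.
ACLS: Dict[int, List[AclEntry]] = {
    1: [AclEntry("permit", "192.168.6.0", "0.0.0.255")],
    2: [AclEntry("permit", "192.168.1.0", "0.0.0.255"),
        AclEntry("permit", "192.168.4.0", "0.0.0.255")],
    3: [AclEntry("permit", "192.168.2.0", "0.0.0.255")],
}
IGRP_TO_RIP = [
    RouteMapSeq("permit", match_acl=1, set_metric=1),
    RouteMapSeq("permit", match_acl=2, set_metric=2),
    RouteMapSeq("permit", match_acl=3, set_metric=3),
]
# The r2o route-map from 16.12: drop routes that OSPF already sent into RIP.
R2O = [RouteMapSeq("deny", match_tag=110), RouteMapSeq("permit", set_tag=120)]


def redistribute(routes: Dict[str, int], seqs=IGRP_TO_RIP, acls=ACLS) -> Dict[str, int]:
    """routes: {prefix: source metric}. Returns {prefix: metric} for survivors."""
    out = {}
    for prefix, metric in routes.items():
        result = apply_route_map(seqs, acls, prefix, metric)
        if result is not None:
            out[prefix] = result[0]
    return out


if __name__ == "__main__":
    sample = {"192.168.6.0": 8576, "192.168.4.0": 8576,   # constructed IGRP routes
              "192.168.2.0": 10476, "192.168.9.0": 8576}
    print(redistribute(sample))        # 192.168.9.0 matches no clause and is dropped
    # A subnet mask written where IOS expects a wildcard matches far too much:
    print(AclEntry("permit", "203.45.2.1", "255.255.255.0").matches("10.0.0.1"))
```

The last line shows why a subnet mask typed where IOS expects a wildcard is a filtering mistake: with wildcard 255.255.255.0 only the last octet is compared, so the entry permits any network ending in .1.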
16.13. REDISTRIBUTION SUMMARIES

Into RIP
    router rip
     default-metric 5
     redist igrp 200 metric 5
     redist eigrp 200 metric 5
     redist ospf 1 metric 5

Into IGRP / EIGRP
Sources: Default-Metric, Connected, Static, RIP, IGRP (same AS), IGRP (different AS), OSPF, IPX RIP, NLSP, BGP, EIGRP, OSPF Internal, OSPF External.
    router igrp 200
     netw 1.1.1.0
     netw 1.1.6.0
     default-metric 10000 100 255 1 1500
     redist connected metric 10000 100 255 1 1500
     redist static metric 10000 100 255 1 1500
     redist rip metric 10000 100 255 1 1500
     ! IGRP in the same AS is automatic; a different AS needs a metric
     redist igrp 100 metric 10000 100 255 1 1500
     redistribute ospf 128 metric 56 1000 255 1 1500
    router eigrp 200
     redist eigrp 10
     redist ospf 3
     redist ospf 3 match external 1 external 2
    NLSP (IPX EIGRP): redistribute nlsp ? metric 56 1000 255 1 1500

Into OSPF
Sources: Static, Connected, RIP, IGRP / EIGRP.
     redistribute static metric 50 metric-type 1 subnets
     redistribute connected metric 50 metric-type 1 subnets
     redistribute rip subnets metric-type 1 metric 12
     redistribute eigrp <as-number> subnets metric-type 1 metric 12

Into IPX EIGRP
  From IPX RIP (automatic):
    ipx router eigrp 100
     dist-list 800 in
  From NLSP:
    ipx router eigrp 20
     redistribute nlsp

Into NLSP
  From EIGRP:
    ipx router nlsp
     redistribute eigrp 20

VLSM to FLSM Solutions
  RIPv2
  Use a static route
  Use a second OSPF process
  Use a route-map
  Use a loopback
  Use a regular summarization (ABR, ASBR)
  Use a reverse summarization (ASBR)
16.14. TROUBLESHOOTING REDISTRIBUTION
Enable the appropriate routing protocol debugging tools to verify the routes are getting passed through the redistribution process. Is there an FLSM/VLSM conflict in the route redistribution process?
    sh ip protocols
    sh ip access-list 1
    clear ip ospf redistribution
    deb ip rip
    deb ip igrp transactions
This router will only advertise the route when it is up.
17. Bridging
BPDUs are multicast to the well-known address 01-80-C2-00-00-00. When enabling bridging, check to see what protocols are being routed and bridged. The bridge tables are not flushed when the root bridge goes down; the entries have to age out. All L3 protocols in use are bridged by default. If you see "bridge 1 route ip" being generated then all L3 will be routed (12.x update).

17.1. STP
Bridges make certain assumptions: a source can only appear in one location, and a station that is receiving will also be transmitting.

17.1.1. Bridge Parameters
Bridge Priority – lower wins for root, 0 to 65535. A router Ethernet port is 100 by default; a switch port is 32768 by default.
Port Priority – used to select forwarding or blocking modes.
Hello Time – time between BPDUs.
Max Age – max time for a bridge to hold the configuration messages.
Forward Delay – amount of time in the listening and learning states; the delay between listening and when the port is allowed to forward data.
All bridged routers set their max age, hello time, and forward delay based on the root bridge's settings. If another router becomes the root, the timers may change.

Path Cost
Path cost is the cost of the path to the root: a larger cost on lower-bandwidth links. Path cost is used to set the blocking / forwarding state, and is the total cost to the root bridge.
Use path cost to determine the path:
  Force a bridge interface to be in forwarding mode
  Force a bridge interface to be in blocking mode

The Four Phases of the STP Process
  Election of the root bridge
  Calculate the shortest path to the root bridge
  Block the highest-cost paths
  Maintain and recalculate the spanning tree per VLAN

STP State Flows
  Power-on switch: Blocking -> Listening -> Learning -> Forwarding
  Disabled / Blocking
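The first three phases above (root election, shortest path to the root, blocking the rest) worked through on a constructed topology, as an added example that is not from the book. Bridge names, MACs and link costs are made up; the priorities are the defaults the text gives (100 for a router bridge-group, 32768 for a switch), which is exactly why the router ends up as root and a switch-to-switch link gets blocked.

```python
"""Root-bridge election, root path cost and port states for a small bridged topology.

Added example, not from the book: it walks the first three STP phases listed
above on a constructed topology. Bridge IDs compare as (priority, MAC), lower
wins; root path cost is the sum of link costs toward the root; on every link
the end with the lower root path cost (then lower bridge ID) is designated, and
a port that is neither designated nor a root port blocks. Priorities use the
defaults given in the text: 100 for a router bridge-group, 32768 for a switch.
"""
import heapq
from typing import Dict, List, Tuple

Bridges = Dict[str, Tuple[int, str]]          # name -> (priority, MAC)
Links = List[Tuple[str, str, int]]            # (bridge A, bridge B, path cost)


def bridge_id(priority: int, mac: str) -> Tuple[int, str]:
    return (priority, mac.lower())


def elect_root(bridges: Bridges) -> str:
    """Phase 1: the lowest (priority, MAC) pair wins."""
    return min(bridges, key=lambda b: bridge_id(*bridges[b]))


def root_path_costs(root: str, bridges: Bridges, links: Links) -> Dict[str, Tuple[int, str]]:
    """Phase 2: Dijkstra from the root; returns {bridge: (cost, next hop toward root)}."""
    adj: Dict[str, List[Tuple[str, int]]] = {}
    for a, b, cost in links:
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    best = {root: (0, root)}
    heap = [(0, root)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best[node][0]:
            continue
        for nbr, c in adj.get(node, []):
            if nbr == root:
                continue
            # Equal cost: prefer the neighbour with the lower bridge ID.
            cand = (cost + c, bridge_id(*bridges[node]))
            if nbr not in best or cand < (best[nbr][0], bridge_id(*bridges[best[nbr][1]])):
                best[nbr] = (cost + c, node)
                heapq.heappush(heap, (cost + c, nbr))
    return best


def port_states(bridges: Bridges, links: Links) -> Tuple[str, Dict[Tuple[str, str], str]]:
    """Phase 3: returns (root, {(bridge, neighbour): 'forwarding' | 'blocking'})."""
    root = elect_root(bridges)
    rpc = root_path_costs(root, bridges, links)
    states = {}
    for a, b, _ in links:
        rank = lambda x: (rpc[x][0], bridge_id(*bridges[x]))
        designated = a if rank(a) <= rank(b) else b
        for end, other in ((a, b), (b, a)):
            is_root_port = end != root and rpc[end][1] == other
            states[(end, other)] = "forwarding" if end == designated or is_root_port else "blocking"
    return root, states


# Constructed topology: two switches at the default 32768 and a router bridge-group
# at the default 100, all with made-up MACs.
BRIDGES: Bridges = {"S1": (32768, "0000.0c00.0001"),
                    "S2": (32768, "0000.0c00.0002"),
                    "R1": (100, "0000.0c00.0003")}
LINKS: Links = [("S1", "S2", 19), ("S1", "R1", 100), ("S2", "R1", 100)]

if __name__ == "__main__":
    root, states = port_states(BRIDGES, LINKS)
    print("root:", root)                     # the router wins on its lower default priority
    for port, state in sorted(states.items()):
        print(port, state)                   # the switch-to-switch link ends up blocked
```

Re-running with S1 at priority 0 (as the text suggests for the intended root) moves the root to S1 and the blocked port onto the router side instead.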
17.2. TRANSPARENT BRIDGING
Do not let STP block router interfaces on switches. Use bridge-group 1 path-cost 1000 to determine what path to take or what ports to block.

Configuring Transparent Bridging
    int e0
     bridge-group 1
    bridge 1 priority 100      (0-65535, sets the root bridge; 0 = highest)
    bridge 1 protocol ieee
    sh spanning-tree

Frame-Relay hub/spoke topology
R1 (hub with point-to-multipoint)
    int s0.1 multipoint
     frame-relay map bridge 102 broadcast
     frame-relay map bridge 103 broadcast
     bridge-group 1
    bridge 1 protocol ieee
    bridge 1 priority 0        (should be used on hubs to set them as root)
R2 & R3 (spokes)
    int s0.1
     bridge-group 1
    bridge 1 protocol ieee

Bridging over ISDN Example
    hostname ROUTER1
    !
    username ROUTER2 password same
    isdn switch-type basic-5ess
    !
    interface Ethernet0
     ip address 172.16.55.33 255.255.255.240
    !
    interface Serial0
     ip address 172.16.54.1 255.255.255.0
    !
    interface BRI0
     description ISDN TO ROUTER2
     encapsulation ppp
     dialer map bridge name ROUTER2 speed 56 5773756
     dialer-group 1
     bridge-group 1
     isdn spid1 0177104130 7710413
     ppp authentication chap
    !
    bridge 1 protocol ieee
    ! Permit all bridged packets
    access-list 201 permit 0x0000 0xFFFF
    !
    dialer-list 1 LIST 201
DDR link
R1
    int bri 0
     dialer map bridge name r2 broadcast 8358661
     bridge-group 1
    dialer-list 1 protocol bridge permit
    bridge 1 protocol ieee
R2
    int bri 0
     dialer map bridge name r1 broadcast
     bridge-group 1
    dialer-list 1 protocol bridge permit
    bridge 1 protocol ieee
With ACL
    int bri 0
     dialer map bridge name r2 broadcast
     dialer-group 1
    dialer-list 1 protocol bridge list 200
    access-list 200 deny 0xF0F0 0xF0F0
    access-list 200 permit 0x0000 0xFFFF

Configuring Transparent Bridging over a Frame-Relay full-mesh topology
Use frame-relay map bridge xx broadcast.

Bridge Parameters
  Forward-time
  Hello-time
  Max-age
  Aging-time

17.3. CONCURRENT ROUTING AND BRIDGING
Cisco feature: bridge and route an L3 protocol on the same router.
  Bridge L3 -> Bridge L3
  Route L3 -> Route L3
Use it to conserve multiple logical network addresses.

Configuring Concurrent Bridging and Routing over Ethernet
    bridge 1 protocol ieee
    int e0
     bridge-group 1
    bridge crb
Configuring CRB over a Frame-Relay full-mesh topology

Configuring CRB over a Frame-Relay hub and spoke topology

17.4. INTEGRATED ROUTING AND BRIDGING (IRB)
  Bridge L3 -> Route L3
  Route L3 -> Bridge L3
Packets received on a bridged interface can be routed to another interface. Packets received on a routed interface can be bridged to a bridged interface. Use it to conserve a single logical network address. Optimize the network by bridging local traffic but routing to other places. Bridge between VLANs.
IRB uses a BVI interface for all routing commands. A packet is routed to the BVI interface, gets forwarded by the bridging engine, then gets forwarded out the bridge-group specified. Bridging to routing is the reverse. No routed protocols are assigned to the bridged interface and no bridged attributes are configured on the BVI interface. A BVI acts like a normal routed interface that does not support bridging. The BVI represents the bridge-group to the routed interfaces; when you enable routing on the BVI, packets sourced for that route will be sent to the bridge-group corresponding to the BVI.

Configuring IRB over Ethernet
    ipx network r1.r1.r1
    int e0
     bridge-group 1
    bridge 1 protocol ieee
    ! the BVI number must match the bridge-group number
    int bvi 1
     ipx network 300
    bridge irb
    bridge 1 route ip
    bridge 1 route ipx
    no bridge 1 bridge ip
    sh int bvi 1                displays what is bridged and routed
Other Commands
    bridge x route protocol
    bridge x bridge protocol

Configuring IRB over a Frame-Relay full-mesh topology

Configuring IRB over a Frame-Relay hub and spoke topology

Cisco Feature
    bridge irb
    bridge 1 protocol ieee
    bridge 1 route ip
    no bridge 1 bridge ip
    bridge 1 priority 0
    ! BVI number matches bridge-group 1
    int bvi 1
     ip address 171.16.30.2 255.255.255.0

Configure Integrated Routing and Bridging (IRB)
  Enable IRB:  bridge irb
  Configure the BVI (bridge-group virtual interface):  interface bvi bridge-group
  Enable the BVI to accept routed packets:  bridge bridge-group route protocol
  Enable routing on the BVI for the desired protocols:
    interface bvi 1
     ip address ip-address mask
17.5. SOURCE ROUTE BRIDGING
If a RIF is in the packet, the multicast bit of the source address will be set; this is the magic bit. A RIF packet will have either a specifically routed, all-paths explorer, or spanning-tree explorer type. If a RIF is not present it is a transparent packet.

Using explorer packets
  Specific route or local ring explorer – sent by a route
  All-routes explorer – sent to all paths
  Spanning explorer (enabled with source-bridge spanning) – sent to all spanning-tree paths
The IBM version only supports 8 rings and 7 bridges; the 802.1q version supports 14 rings and 13 bridges.
Used for token-ring to token-ring connections. A virtual ring turns the router into a multiport bridge; this allows all token-ring interfaces to act as if they are on the same ring.
    multiring all
Enables RIF caching and allows routed protocols to be bridged.

Source-Route Bridging - SRB
RII is the first bit of the frame's source address; 1 = RIF present.
    interface Tok0
     source-bridge 10 1 20      ; local ring, bridge number, destination ring
    interface Tok1
     source-bridge 20 1 10

SRB Options
    source-bridge route-cache                 fast switching
    source-bridge route-cache cbus            autonomous switching
    source-bridge route-cache sse             silicon switch engine
    source-bridge proxy-explorer
    source-bridge explorer-dup-ARE-filter     stops duplicate explorers
    source-bridge explorerq-depth 100         sets max queue to 100
    source-bridge explorer-maxrate 1000000    max byte rate of explorers per ring per second

SRB Configurations
    source-bridge
    source-bridge transparent

Configuring a two port SRB
    source-bridge 129 1 130
    source-bridge spanning
    multiring all

Configuring a multi-port SRB with a virtual-ring statement
    source-bridge ring-group 1000
    int t0
     source-bridge active 1 10 1000
     source-bridge spanning 1
     multiring all
    int t1
     source-bridge active 2 10 1000
     source-bridge spanning 1
     multiring all
    bridge 1 protocol ibm
17.6. RSRB
SRB over a WAN: FST, TCP or direct encapsulation. Direct FR encapsulation; LLC2 over an IP cloud. Uses SR/TLB for Ethernet support. RIFs are end-to-end.

Frame-Relay Configuration
    source-bridge ring-group 200
    source-bridge remote-peer 200 frame-relay interface serial0 203
    int s0
     mtu 3000
     encap frame-relay
     clock rate 56000
     frame-relay lmi-type ansi
     frame-relay map rsrb 30
    int tok0
     multiring all
     source-bridge active 102 1 200
     source-bridge spanning

TCP Transport
    source-bridge ring-group 5
    source-bridge remote-peer 5 tcp 131.1.2.1
    int tok0
     source-bridge active 102 1 5
     source-bridge spanning

Local Acknowledgement
    source-bridge ring-group 5
    source-bridge remote-peer 5 tcp 131.1.2.1 local-ack
    int tok0
     source-bridge active 102 1 5
     source-bridge spanning
     multiring all

Commands
    sh controllers token
    sh int
    sh local-ack

17.7. SRT
Lets Token Ring devices communicate with transparent bridges. Source-route transparent bridging (SRT) handles transparent bridging and source-route bridging traffic, each handled appropriately. To configure SRT, enable transparent and SRB bridging on the interfaces used for SRT bridging. Traffic without RIF information is transparently bridged, and traffic with RIF information is source-route brid
ged. Supports both source-route bridging and transparent bridging on the same interface. SRT bridges use the routing information indicator (RII) bit to distinguish between frames employing SRB and frames employing transparent bridging. If RII is set, a RIF is present and SRB is used. If there is a mix of SRT and TB bridges, the source routes must use whatever SRT bridges are available, and this may not be the most optimal path.
Source Route Transparent Bridging - SRT: either transparent or SRB depending on the existence of an RII. Configure SRB and TB.

SRT Configuration
    int tok 0
     source-bridge 401 5 400
     source-bridge spanning
     bridge-group 1
    bridge 1 protocol ieee
    int t0
     source-bridge 1 1 2
    int e0
     bridge-group 1
    bridge 1 protocol ieee

17.8. SR/TLB
When you have token-ring and Ethernet on the same router, DLSw+ cannot translate between the different MAC addressing formats of these interfaces, so you have to use SR/TLB. When a packet from the Ethernet side crosses the router, the router checks the RIF cache; if it does not have a RIF entry it forwards the packet as a spanning-tree explorer. If it does have a RIF cache entry the packet is sent as a unicast.
Token-Ring (SR) to Ethernet Translation (TLB). The bridge must:
  Change MTU (1500 – 4476)
  Add / remove RIF
  Perform bit ordering / swapping
  Change frame formats

Three Tasks for SR/TLB Configuration
  Configure SRB (make ring numbers 10 – 99)
  Configure TB (make bridge-groups 1 – 9)
  Configure a virtual ring (make numbers in the thousands, 1000 – 9999)
  Create a pseudo ring (make numbers in the hundreds, 100 – 999)
    source-bridge transparent ring-group pseudo-ring bridge-number tb-group
    source-bridge transparent 1000 100 10 1
  The parameter numbers are then easy to remember.

SR/TLB Configuration
    source-bridge ring-group 450
    source-bridge transparent 450 451 5 1
    int tok 0
     source-bridge 401 5 400
     source-bridge spanning
    int eth 0
     bridge-group 1
    bridge 1 protocol ieee
18. DLSw+
Lab info: know mac-exclusive, ACLs, icanreach with SAPs, MACs, etc. / icannotreach, the commands and how to use them extensively. Use sh dlsw capabilities to see the LSAPs supported. Use debug dlsw to see the LSAPs in action.
DLSw must establish peers, exchange capabilities, and establish a circuit before any end-to-end communication can take place. RFC 1795 defines the SSP messages; DLSw uses SSP for all operations. Requires full mesh.
DLSw has proxy explorer, NetBIOS name caching, SDLC to LLC2 conversion, SR/TLB, and local acks built in, so they do not need to be configured.

DLSW Operations
  Establish connections (TCP ports: read 2065, write 2067)
  Exchange capabilities: version, vendor ID, initial window, list of unsupported SAPs, reachable MACs, NetBIOS names, number of TCP connections supported (static resources can be configured). Cisco also exchanges group number, border peer, cost, Cisco version, and priority.
  Peers are ready
  Set up SNA / NetBIOS LLC2 circuits (end stations):
    SNA: send TEST and XID frames, DSAP/SSAP 0x04
    NetBIOS: Name Query / Name Recognized, SAP 0xF0

Establish Circuit
  Canureach      to destination
  Icanreach      to source
  Reach_ack      to destination
  XID frame      both directions
  Contact        to destination
  Contacted      to source
  Info frame     both directions

DLSW States
  CONNECT, DISCONNECT, CAP_EXG, WAIT_RD, WAN_BUSY

DLSW Reachability States
  FOUND, NOT FOUND, SEARCHING, UNCONFIRMED, VERIFY, FRESH, STALE
Why do you get these?
DLSW versus RSRB
  RIF termination
  DLSw has Ethernet support; RSRB requires SR/TLB
  DLSw has backup peers and load balances
  DLSw eliminates the SRB 7-hop limit
  DLSw handles broadcasts better for reduced traffic; local ack
When migrating from RSRB to DLSw remove the following functions from the config:
  Proxy explorers
  NetBIOS name caching
  SDLC - LLC2 conversions
  SR/TLB

18.1.1. Encapsulations
When you use local-ack, SNA sessions are not lost when the routing protocol converges. If you use RIP / IGRP you need local ack. EIGRP converges fast enough, so local ack is not an issue. OSPF needs the hello-interval set to 6 seconds and the dead-interval set to 18. If you set the dead time to 16, hello will equal 4 seconds.

Direct encapsulation
  No local ack
  Supports HDLC and Frame Relay
  Fast switched
  End systems must be on token-ring
  On point-to-point links use direct encapsulation
  Direct, fast switched:
    dlsw remote-peer 0 interface serial 0
  Direct on FR:
    dlsw remote-peer 0 frame-relay interface serial 0 33 passthru
    int s1
     frame-relay map dlsw 33

FST
  No local ack
  End systems must be on token-ring
  No load balancing
  Fast switched
    dlsw remote-peer 0 fst 10.2.3.2
  Not supported: local ack, load balancing
  You cannot filter by SAPs with FST; all traffic is LLC2 traffic, so SAP or MAC filtering is not possible.

TCP
  Keepalives and acknowledgements are kept off the WAN.
  Has the most overhead; header bytes are 20 TCP / 20 IP / 16 DLSw.
  Port 2065, process switched.
    dlsw remote-peer 0 tcp 10.2.3.2
  TCP with RIF passthru (used by FEPs):
    dlsw remote-peer 0 tcp 10.2.3.2 rif-passthru 100
  Not supported with RIF passthru: border, pod, dynamic, and backup peers.

LLC2 over Frame-Relay
  LLC2 is only supported over FR
  Supports local ack, RIF passthru
  Keepalives and acknowledgements are kept off the WAN
  No backup peers
  With point-to-point interfaces use frame-relay interface-dlci 201 versus frame-relay map llc2 60.
DLSW over frame - don't forget frame-relay map dlsw <dlci> broadcast
    dlsw remote-peer 0 llc 10.2.3.2
  - or -
    dlsw remote-peer 0 frame-relay interface serial 0 33
    int s1
     frame-relay map llc2 33
  For a point-to-point connection:
    dlsw remote-peer 0 frame-relay interface serial 0 33
    int s0.1 point-to-point
     frame-relay interface-dlci 33
18.1.2. DLSW and Ethernet

Configure DLSw+ between one Ethernet and one Token-Ring LAN
    source-bridge ring-group 31
    dlsw local-peer peer-id 10.2.25.1
    dlsw remote-peer 0 tcp 10.2.5.2
    dlsw bridge-group 5
    int eth0
     bridge-group 5
    int tok0
     ! target ring is the virtual ring-group defined above
     source-bridge active 25 1 31
     source-bridge spanning
    bridge 5 protocol ieee

Configure DLSw+ between two Ethernets
    dlsw local-peer peer-id 10.2.25.1
    dlsw remote-peer 1 tcp 10.2.5.2
    dlsw bgroup-list 1 bgroups 5
    dlsw bridge-group 5
    int ethernet 0
     bridge-group 5
    bridge 5 protocol ieee

18.1.3. Configuring DLSw+

Preconfiguration Checklist
  What is the edge network?
    Ethernet: TB
    Token Ring: SRB with virtual ring, SRT
    SDLC: DLSw with virtual MAC addressing
    Ethernet / Token Ring: TB, SRB, SR/TLB
  Select IP addresses
  Any ACLs?
  What MAC address should be exchanged during CAP-EXG?

Configuration Types
  Conf   manual
  Prom   promiscuous
  Pod    peer-on-demand

Adjust LLC2 timers

Limiting explorer traffic
    dlsw remote-peer 1 tcp 172.16.1.1
    dlsw port-list 1 token-ring 0
  The port list determines where the remote explorers are flooded to.
    dlsw remote-peer 1 tcp 172.16.1.1
    dlsw ring-list 1 rings 34
    int tok 0
     source-bridge 34 1 73
  The ring list determines where the remote explorers are flooded to.

Direct Encapsulation over FR
(Local Peer)
    source-bridge ring-group 100
    dlsw local-peer peer-id 10.2.25.1 promiscuous
    dlsw remote-peer 100 frame-relay interface serial0 203 pass-thru
    dlsw remote-peer 0 interface serial 0 10.2.5.2
    !
    int s0
     mtu 3000
     encap frame-relay
     clock rate 56000
     frame-relay lmi-type ansi
     frame-relay map llc2 30
    int tok0
     source-bridge active 102 1 100
(Remote Peer)
    ! this is a direct encapsulation
    dlsw remote-peer 1 frame-relay interface serial 0.1 204 lf 1500
    int s0.1 multipoint
     frame-relay map llc2 302 broadcast     (not used on point-to-point interfaces)
     frame-relay interface-dlci 302        (used on point-to-point interfaces)

Configure DLSw+ between two token-ring LANs with TCP
    source-bridge ring-group 10
    dlsw local-peer peer-id 10.2.25.1
    dlsw remote-peer 0 tcp 10.2.5.2
    int lo0
     ! the loopback carries the local peer-id
     ip addr 10.2.25.1 255.255.255.0
    int tok0
     source-bridge active 25 1 10
     source-bridge spanning
Configure DLSw+ between two token-ring LANs with FST
Same as above but change this line:
    dlsw remote-peer 0 fst 10.2.5.2

Configure a DLSw+ local-peer with the promiscuous parameter
    source-bridge ring-group 10
    dlsw local-peer peer-id 10.2.25.1 promiscuous
    dlsw remote-peer 0 tcp 10.2.5.2
    int lo0
     ! the loopback carries the local peer-id
     ip addr 10.2.25.1 255.255.255.0
    int tok0
     source-bridge active 25 1 10
     source-bridge spanning

DLSW and Redundancy
R3
    dlsw local-peer peer-id 150.16.16.2 cost 3 promiscuous
R4
    dlsw local-peer peer-id 160.10.10.4 cost 4 promiscuous
R5
    dlsw timer explorer-wait-time 5
Use a cost to determine the path; the lowest cost is best. Use explorer-wait-time so the router waits for both explorers to determine the path and not just the first packet that arrives.

Testing DLSW
Method 1: What about using two edge routers running IPX, and core routers routing only IP?
    RA-----------RB------RC--------------RD
       ethernet      ser       ethernet
On RA and RD only, turn on IPX routing; on the RA and RD Ethernets, set ipx network ABBA encapsulation sap; make RB and RC two DLSw peers and link the Ethernets to DLSw; from RA, ping IPX ABBA, and vice versa.
Method 2: Remember that DLSw is just a way of connecting bridged domains through an Internet Protocol (IP) cloud; the traffic doesn't have to be Systems Network Architecture (SNA). Here is one example: create a loopback interface on two remote token-ring routers. Under the loopback assign the same Internetwork Packet Exchange (IPX) network. The multiring ipx command allows the router to generate a Routing Information Field (RIF) on behalf of routed traffic. So now you have simulated a bridged domain separated by DLSw. You should be able to ping the IPX address of either remote router.
18.1.4. DLSw+ DDR Configurations

DLSW over ISDN with DDR
If you are asked to configure only DLSw over ISDN, then I would do an IP extended access list permitting TCP ports 2065 (read), 2067 (write), 1981, 1982, and 1983. Here are the two recommended commands for SNA DDR:
    dlsw remote-peer tcp dynamic keepalive 0 timeout
    dlsw netbios-keepalive-filter
The key points in the first command: set keepalives to zero so they don't keep the link up, and set timeout appropriately to bring the link down after connections are terminated. Alternatively, you can use dynamic with no-llc or inactivity instead of timeout to do the same thing (more or less). Of course, if you are using the promiscuous keyword on your local-peer statement, you'll need to use the prom-peer-defaults command to set keepalive, timeout, etc. The second command filters NetBIOS session-alive packets that are periodically sent across the link. The only other issue is the routing protocol, which can keep the link up also. If you use a distance-vector protocol, you can use snapshot routing. If OSPF, use demand-circuit.

SNA DDR and Backup Peers
Backup peers can only use FST or TCP encapsulations. FST and direct encapsulation can be fast switched; TCP is process switched. DDR can be used if a permanent connection is not needed and only seldom communication is needed between multiple sites. The keepalive shuts down the RIF keepalives across the connection. There is still a DLSw peer keepalive, and the timeout shuts that down.
    dlsw remote-peer 0 tcp 10.2.3.2 backup-peer 10.2.3.3 dynamic keepalive 0 timeout 120
  - or -
    dlsw remote-peer 0 tcp 10.2.3.2 backup-peer 10.2.3.3 dynamic keepalive 0 no-llc 10
    dlsw netbios-keepalive-filter
    int bri0
     dialer map llc2 name r3 broadcast 8358661
    dialer-list 1 protocol llc2 permit

Controlling Peer Selections
    dlsw timer explorer-wait-time <seconds>

Backup Peers
Backup peers can only use FST or TCP.
    dlsw remote-peer 0 tcp 10.2.3.2 backup-peer 10.2.3.4 linger 0     (sessions terminate on their own)
    dlsw remote-peer 0 tcp 10.2.3.2 backup-peer 10.2.3.4 linger 30    (sessions terminate in 30 minutes)
    dlsw remote-peer 0 tcp 10.2.3.2 backup-peer 10.2.3.4              (sessions terminate immediately when the primary is back up)
Configuring Cost
    dlsw local-peer peer-id 10.2.3.2 cost 40
    dlsw remote-peer 0 tcp 10.2.3.1 cost 40
    sh dlsw capabilities
When viewing cost, remember that you are viewing the advertised costs. Only sh run will show you the local costs.

18.1.5. DLSW Load Balancing Configurations

Fault Tolerant Mode
Without load balancing, by default DLSw selects the first path it finds. This may be:
  A peer which responded first
  A peer with least cost
  A port over which a response arrived first

Load-Balancing Mode
    dlsw duplicate-path-bias load-balance
  New in 12.0(3)T:
    dlsw load-balance round-robin
    dlsw load-balance circuit-weight 40
Use dlsw mac-addr or dlsw netbios-name to configure a static reachability cache entry. Explorer firewalls allow only a single explorer for a particular destination MAC address to be sent across WAN links. TCP header compression, priority and custom queuing can be used to help TCP encapsulations.

Parallel Link Recommendations
  Use FST when possible
  Use TCP when local ack or prioritization is required
  Maximize fast switching

Border Peers / Border Groups
Border peers allow partial-mesh configurations.
Border:
    dlsw local-peer peer-id 1.1.1.1 group 40 border promiscuous
    source-bridge ring-group 1
Peers:
    dlsw local-peer peer-id 2.2.2.2 group 40 promiscuous
    dlsw remote-peer 0 tcp 1.1.1.1
    source-bridge ring-group 1
    source-bridge spanning

Configure DLSw+ in a hub/spoke topology with border groups and peer groups
Configure two groups, each with a border router. All local peers connect to the local border router. The two border routers connect to each other. Configuration is:
THE CCIE Book Define the group on the dlsw local-peer peer-id statement for all routers Add the border statement on the border routers Add the pod command on the non-borders r1 – r2 r1 is a hub, r2,r3 are spokes - r3 Add these to all routers source-bridge ring group 200 dlsw remote-peer 0 tcp x.x.x.x int tok 0 source-bridge xx 1 200 source-bridge spanning r1 dlsw local-peer peer-id 10.2.25.1 promiscuous group 70 border r2 dlsw local-peer peer-id 10.2.25.1 promiscuous group 70 dlsw peer-on-demmand-defaults tcp r3 dlsw local-peer peer-id 10.2.25.1 promiscuous group 69 dlsw peer-on-demmand-defaults tcp Ø
Peer Groups
An addition to border groups is to have a secondary group called clusters or peer groups. This allows border routers to limit the broadcasts to other routers. Borders just send one broadcast per cluster. Local routers are grouped by adding a cluster to their local-peer command.
On client:
dlsw local-peer peer-id 10.1.1.1 group 25 promiscuous
On border:
dlsw local-peer peer-id 10.1.1.1 group 25 border promiscuous
Border routers connect to each other in the normal manner.
Dynamic Peers
dlsw remote-peer 0 tcp 10.2.3.2 dynamic inactivity 20 dest-mac 4000.3454.0000
bitswap-layer3-addresses
This command is needed for IP ARPs to cross the bridge. If you're doing SRT or SR/TLB with IP traffic, you need it. Even with SR/TLB, IP needs to know the MAC of the destination host; the bridge just adds the RII and RIF to the layer 2 header when it does. ARP packets carry the MAC address in the payload of the packet, and this command goes into the payload to bitswap the MAC there.
int token0
bridge-group 1
!
int ethernet0
bridge-group 1
!
bridge 1 protocol ieee
bridge 1 bitswap-layer3-addresses
I've found that a good approach to this is to use the receiving station's ARP cache, i.e. if you try to ping across an SRT or SR/TLB bridge and an ARP entry appears in the target in the wrong format, you need to bitswap. Really easy if you're pinging router to router across a bridge; just do sh ip arp on the receiving router and compare with the MAC address of your source.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fibm_r1/br1fpt1/br1ftb.htm#1056224
This command "bitswaps" (to and from noncanonical format) the hardware addresses that are embedded in layer 3 of ARP and RARP frames.
As well as for transparent bridging bitswapping, I believe this is used for DHCP responses, as the MAC address is contained in the layer 3 payload and therefore not bitswapped by the layer 2 bridging process.
18.1.6. DLSW (Commands)
sh dlsw peers
sh dlsw capabilities
sh dlsw capabilities ip-addr
sh dlsw circuits
sh dlsw fastcache
sh dlsw reachability
cle dlsw circuit
cle dlsw reachability
cle dlsw statistics
dlsw disable
18.2. BRIDGING TROUBLESHOOTING
TRANSPARENT BRIDGING
Are all bridge-group members listing the same root bridge?
show span
sho bridge
Is your spanning tree being formed properly? What ports in the bridge-group (if any) are in a blocking state?
debug span events
show spantree
debug arp
CRB AND IRB
Are the proper protocols being bridged over the correct interface?
Are the proper protocols being routed over the correct interface?
show interface crb
show interface irb
show interface bvi
sho int bvi0
sho int s0 irb
SOURCE-ROUTE BRIDGING
show source
sho rif
DLSW+
Troubleshoot both sides of the DLSw+ connection. Can you ping your DLSw+ peer? When debugging DLSw you will have to debug the peers-to-peers and the peers-to-endstations.
dlsw disable
show dlsw peer
show dlsw reachability
debug dlsw peer
debug dlsw reachability
debug dlsw core
show span
show source
show dlsw capabilities
show dlsw circuits
show dlsw peers
show dlsw reachability
DLSW Debug Prompts
CSM – Circuit Setup Message – between peers
CLSI – Common Layer Services Interface (ind – local, rsp – remote) – end-to-peer
19. Access-Lists
Standard ACL’s are applied to source IP addresses.
Extended ACL’s are applied to source and destination, or source and network mask.
*Incoming ACL’s block routing protocols.
Place extended ACL’s by source – where the traffic is being denied.
What type of management is needed? ACL’s, Queue-lists, Dist-lists, Route-maps
Overhead Traffic Types / Solutions
Route updates: Dist-lists, Route-Maps
DHCP traffic: Queue-List
DNS traffic: Queue-List
IPX/SAP, GNS traffic: ACL’s, EIGRP, NLSP
LLC-2 S-Frames: DLSW
STP BPDU’s: Queue List
Voice traffic: Queue List
AS_PATH updates: AS_PATH ACL
Six Rules of ACL’s
General to specific criteria
Know the protocols
Config global then interface
In / Out
One ACL per interface, per protocol, per direction
ACL entries are added top to bottom
19.1. IP ACCESS-LISTS
Default mask is 0.0.0.0. Default direction is outbound. Inbound lists are better for routing; outbound lists block routing updates. Apply ACL’s closest to the traffic that will be denied. Only one ACL can be applied per interface, protocol, and direction.
Ethernet Type Fields
IP 800
ARP 806
Reverse ARP 8035
IPX / SPX 8137
Standard ACL’s filter on source. Usually based on outbound traffic. Outbound ACL’s block routing protocols.
Extended ACL’s filter on source IP address, destination IP address, ports, protocols. Usually based on inbound traffic.
Dynamic ACL
This will require a login to access www.
username jeff pass cisco
username paul autocommand access-enable host
int e0
ip addr 172.16.20.1 255.255.255.0
int s0
ip addr 10.200.57.20 255.255.255.0
ip access-group 100 in
router rip
netw 10.0.0.0
netw 172.16.0.0
access-list 100 permit udp any any eq rip
access-list 100 permit tcp any host 10.200.57.20 eq telnet
access-list 100 permit tcp any any gt 1023 established
access-list 100 dynamic firewall timeout 60 permit tcp any host 172.16.20.20 eq www
line vty 0 4
login local
L3 Protocol ID’s
ICMP 1
TCP 6
UDP 17
Layer 4 Ports - TCP / UDP Ports
Ports 1 – 1023 have been reserved, RFC 1700.
UDP: Time 37, TACACS 49, DNS 53, BootP 67/68, TFTP 69, NTP 123, NetBIOS 137/138, SNMP 161, RIP 520
TCP: FTP 20/21, Telnet 23, SMTP 25, BGP 179
DNS uses TCP 53 for zone transfers and UDP 53 for queries.
IP helper-address
Automatically forwards these eight protocols:
37, Time
49, TACACS
53, DNS
67, BootP - Server
68, BootP - Client
69, TFTP
137, NetBIOS - Name service
138, NetBIOS - Datagram service
19.1.1. ICMP Messages
Destination Unreachable
Network Unreachable – failure in routing or addressing
Host Unreachable – delivery failure, usually a wrong subnet mask
Protocol Unreachable – destination not supporting the upper layer protocol
Port Unreachable – TCP socket or port not available
ICMP echo-request is from a ping
ICMP redirects are sent if a better route is found
ICMP time-exceeded message is sent by a router if the TTL expires
Ping Results
! Success
. Complete route but no reply
U Destination Unreachable – no route
N Network Unreachable – there was a route but routing failed
P Protocol Unreachable – receiving host does not support this protocol
Q Source Quench – receiving host does not have the buffer space to receive the packet
M Could not fragment
A Administratively Unreachable – path is blocked by an ACL
? Unknown packet type
19.1.2. ACL and Routing Protocols
When denying outbound traffic make sure you allow for routing protocols.
access-list 100 permit udp any any eq rip
access-list 100 permit igrp any any
access-list 100 permit eigrp any any
access-list 100 permit ospf any any
Access control lists can filter routing updates:
RIP: UDP port 520, 255.255.255.255
RIPv2: UDP port 520, 224.0.0.9 (default) or 255.255.255.255
IGRP: IP protocol field 9, 255.255.255.255
EIGRP: IP protocol field 88, 224.0.0.10
OSPF: IP protocol field 89, 224.0.0.5 (AllOSPFRouters), 224.0.0.6 (DRRouters)
BGP: TCP port 179, neighbor address
19.1.3. Configuring IP Access-Lists
Group Study Minimum Knowledge List
access-list 199 permit ospf any any log
access-list 199 permit eigrp any any log
access-list 199 permit pim any any log
access-list 193 permit igrp any any
VoIP Call Setup
access-list 199 permit udp any any range 16383 20000
access-list 199 permit tcp any eq 1720 any
access-list 199 permit tcp any any eq 1720
access-list 199 permit tcp any any range 11000 11999
VoIP for FRTS
access-list 104 permit udp host 17.27.2.13 host 17.28.1.14 range 16383 20000
access-list 104 permit tcp host 17.27.2.13 eq 1720 host 17.28.1.14
access-list 104 permit tcp host 17.27.2.13 host 17.28.1.14 range 11000 11999
IPSec for FRTS
access-list 104 permit esp host 17.27.2.13 host 17.28.1.14
access-list 104 permit udp host 17.27.2.13 eq isakmp host 17.28.1.14
IPSec
access-list 192 permit esp any any
access-list 192 permit ahp any any
access-list 199 permit gre any any
Ping
access-list 199 permit icmp any any echo-reply
access-list 199 permit icmp any any echo
DLSW
access-list 199 permit tcp any eq 2065 any log
access-list 199 permit tcp any gt 11000 any eq 2065 log
access-list 199 permit tcp any gt 11000 any eq bgp log
access-list 199 permit tcp any eq bgp any gt 11000 log
access-list 199 permit udp any any eq ntp log
access-list 199 permit tcp any any eq pim-auto-rp log
access-list 199 permit esp host 172.16.18.18 host 172.16.18.17 log
access-list 199 permit tcp host 172.16.18.18 host 172.16.18.17 eq 50 log
access-list 199 permit tcp host 172.16.18.18 host 172.16.18.17 eq 51 log
access-list 199 permit udp host 172.16.18.18 host 172.16.18.17 eq isakmp log
Deny Traceroute
Cisco / Linux traceroute targets UDP ports starting at 33434 in the outbound direction. The returns are ICMP 'port-unreachable' messages.
access-l 100 deny udp any any range 33434 34199
inter s 0
ip access-group 100 out
MS Windows traceroute uses ICMP echo requests.
access-l 100 deny icmp any any echo
inter s 0
ip access-group 100 out
Windows Filesharing and NetBIOS Filter
access-list 150 deny udp any any eq netbios-ns
access-list 150 deny udp any any eq netbios-dgm
access-list 150 deny tcp any any eq 139
BGP over ISDN
access-list 109 deny tcp any any eq bgp
access-list 109 permit ip any any
BootP
BootP requires ip helper-address; if you're using it for DHCP, then use no ip forward-protocol bootp to stop BootP from being forwarded.
-or-
access-list 101 deny udp any any eq 67
access-list 101 deny udp any any eq 68
access-list 101 permit ip any any
Pings
Pings require both ICMP type echo and echo-reply. If you want to deny pings:
access-list 100 deny icmp any any echo
access-list 100 deny icmp any any echo-reply
access-list 100 permit ip any any
Allow BGP
access-list 100 permit tcp any eq 179 any
access-list 100 permit tcp any any eq 179
-or-
access-list 100 permit tcp any eq 179 any gt 1023
access-list 100 permit tcp any any eq 179
FTP
Permit FTP sessions if established from a local subnet, with an inbound access-list on that local interface.
access-list 102 permit tcp host 10.10.10.1 gt 1023 19.10.1.0 0.0.0.255 eq ftp
Even Networks Only
access-list 3 deny 192.168.1.0 0.0.0.1
access-list 3 permit any
Odd Networks Only
access-list 3 deny 192.168.1.0 0.0.0.254
access-list 3 permit any
Trivial File Transfer Protocol (TFTP)
access-list 101 permit udp 1.1.1.0 0.0.0.255 host 2.2.2.2 eq 69
TFTP and nothing else
access-list 101 permit udp 172.10.1.0 0.0.0.255 any eq tftp
access-list 101 permit udp any any gt 1023
access-list 101 deny udp any any eq tftp
access-list 101 permit ip any any
Internet Control Message Protocol (ICMP)
access-list 101 permit icmp 1.1.1.0 0.0.0.255 host 2.2.2.2 echo
access-list 101 permit icmp host 1.1.1.1 host 2.2.2.2 echo-reply
Network Time Server
access-list 101 permit udp host 1.1.1.1 host 2.2.2.2 eq ntp
Deny FTP
access-list 101 deny tcp 172.30.11.0 0.0.0.255 172.30.12.0 0.0.0.255 eq 21
access-list 101 deny tcp 172.30.11.0 0.0.0.255 172.30.12.0 0.0.0.255 eq 20
access-list 101 permit ip 172.30.11.0 0.0.0.255 any
!
int e 0
ip access-group 101 out
Deny Telnet
access-list 101 deny tcp 172.30.11.0 0.0.0.255 host 2.2.2.2 eq 23
access-list 101 permit ip any any
!
int e 0
ip access-group 101 out
Allow Internet Access Out Only
access-list 101 permit tcp any host 128.88.12.45 eq 80
access-list 101 permit tcp any any gt 1023 established
!
int e 0
ip access-group 101 out
Allow Internet Mail
access-list 101 permit tcp any 128.88.0.0 0.0.255.255 established
access-list 101 permit tcp any host 128.88.12.45 eq smtp
!
int e 0
ip access-group 101 in
Avoid Denial-of-Service Attacks
access-list 101 permit tcp any 128.88.0.0 0.0.255.255 established
ip tcp intercept list 105
access-list 105 deny tcp any host 128.88.12.45
int s 0
ip access-group 105 in
Limit virtual terminal access.
access-list 12 permit 192.89.55.0 0.0.0.255
line vty 0 4
access-class 12 in
Verifying Access-Lists
show access-list (Displays access lists from all protocols)
show ip access-list [access-list-number] (Displays a specific IP access list)
clear access-list counters [access-list-number] (Clears packet counts)
show line (Displays line configuration)
Null Interface
ip route address mask null 0
Configure IP extended access-lists with the ESTABLISHED parameter
access-list 101 permit tcp any any eq 25 established
IP Extended Access-List Summaries (100-199)
BGP: bgp & gt 11000-11199
VoIP Call Setup: 1720 both ways, UDP 16383–20000, TCP 11000-11999
IPSec: esp(50), ahp(51), udp eq isakmp(500), gre
Ping: icmp echo and icmp echo-reply
DLSW: tcp eq 2065, tcp eq 2067, 1981-1983, gt 11000-11199
Traceroute: udp gt 33434 - 34199
IP helper-address: 37 Time, 49 TACACS, 53 DNS, 67/68 BootP, 69 TFTP, 137/138 NetBIOS
TFTP: udp tftp, udp gt 1023 established
DoS acl->websrvr: tcp established, ip tcp intercept list 105
FTP: 20, 21, tcp gt 1023
More Filtering Techniques
Does anyone recall how to block outbound traffic generated by the router itself?
Use a route map, match to an access list, and route to int null.
-or-
Policy routing with ip local policy route-map xxxxx
-or-
An access-list cannot be used at all for locally generated traffic, but local policy can.
- Take your access-list that you normally would apply to an interface.
- Rewrite it the other way round (permit what you want to deny).
- Then configure:
!
ip local policy route-map ciao
!
route-map ciao permit 10
match ip address
set interface null 0
!
- What you permit with the ACL is what you route to null 0.
Configure IP access-lists to permit or deny a range of addresses
Rule 1: Finite number of masks – major bit boundaries 0,1,3,7,15,31,63,127,255; only one octet needed.
Rule 2: Slightly off a major boundary:
Do lower boundary
Do upper boundary
Do specific lower boundary
Do specific upper boundary
(Five statements usually does all)
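The two rules above done mechanically, as an added example that is not part of the notes: a greedy decomposition of an arbitrary address range into aligned `address wildcard` pairs, plus a first-match evaluator with the implicit deny, so a candidate list can be checked against sample sources before it is typed in. The ranges and the list evaluated are constructed for illustration.

```python
"""Wildcard-mask ACL helper (added example, not from the CCIE notes).

range_to_wildcards(): which `address wildcard` pairs cover a range.  A block
of 2**k addresses must start on a multiple of 2**k, and the greedy choice of
the largest aligned block that still fits gives the minimal decomposition.
evaluate_standard_acl(): first matching line wins, implicit deny at the end.
"""
from ipaddress import IPv4Address


def ip_to_int(addr: str) -> int:
    return int(IPv4Address(addr))


def int_to_ip(value: int) -> str:
    return str(IPv4Address(value))


def range_to_wildcards(first: str, last: str) -> list:
    """Return [(address, wildcard), ...] covering first..last inclusive."""
    lo, hi = ip_to_int(first), ip_to_int(last)
    if lo > hi:
        raise ValueError("range start must not exceed range end")
    out = []
    while lo <= hi:
        size = 1
        # grow the block while it stays aligned and inside the range
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        out.append((int_to_ip(lo), int_to_ip(size - 1)))
        lo += size
    return out


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ ip_to_int(wildcard)
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)


def evaluate_standard_acl(entries, src: str) -> str:
    """entries: [(action, base, wildcard)], base 'any' = 0.0.0.0 255.255.255.255.

    Returns 'permit' or 'deny' for the source address src.
    """
    for action, base, wildcard in entries:
        if base == "any":
            base, wildcard = "0.0.0.0", "255.255.255.255"
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"  # the implicit deny at the end of every IOS ACL


if __name__ == "__main__":
    # constructed range: 10.1.1.5 - 10.1.1.30 is "slightly off" both boundaries
    for base, wc in range_to_wildcards("10.1.1.5", "10.1.1.30"):
        print(f"access-list 10 permit {base} {wc}")
    # the notes' odd-hosts-only list: deny every even last octet, permit the rest
    odd_only = [("deny", "192.168.1.0", "0.0.0.254"), ("permit", "any", None)]
    for host in ("192.168.1.4", "192.168.1.5"):
        print(host, evaluate_standard_acl(odd_only, host))
```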
Helper Address
ip helper-address {address}
ip forward-protocol {udp [port] | nd | sdns} forwards specific protocols
IP Named Access-lists
ACL – Lock and Key
Allows a user onto the network once they have been authenticated through the router.
username jeffk password 0 cisco
!
int eth0
ip access-group 120 in
access-list 120 permit tcp host 1.1.1.1 host 1.1.1.2 eq telnet
access-list 120 permit udp any any eq rip
access-list 120 dynamic jefflist permit tcp host 1.1.1.1 any eq 23
!
line vty 0 4
login local
autocommand access-enable
19.2. IPX ACCESS-LISTS
19.2.1. The Basics
When 0 is used as the protocol number, only the socket number is used for the filtering. Use the ipx output-sap-delay 55 command to limit the number of SAP packets traversing the WAN link. This will eventually be the default on Cisco routers.
ACL Ranges
Standard: filter on source and destination
Extended: filter on socket, network, node
800 IPX
900 Ext IPX
1000 SAP
Route Summary (NLSP ?)
Allow IPX
access-list 200 permit 0xE0E0 0x0000
Block IPX
access-list 200 deny 0xE0E0 0x0000
access-list 200 permit 0x0000 0xFFFF
L3 - IPX Protocol Numbers
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/np2_r/2ripx.htm#xtocid271971
-1 Any
1 IPX/RIP
2 IPX Ping
3 Error Packet
4 SAP
5 SPX
17 NCP
20 NetBIOS
24 Remote bridge server (router)
L4 - IPX Sockets
0 All
2 cping
451 NCP
452 SAP
453 RIP
455 NetBIOS
456 Diagnostic
457 Serialization
4000-7FFF Dynamic sockets used by workstations for interaction with file servers and other network servers
9001 NLSP
85BE EIGRP
9004 IPXWAN
9086 IPX PING, Novell standard ping packet
SAP Numbers - Type of service desired
3 GNS
4 File Server
5 Job Server
7 Print Server
21 NAS SNA Gateway
2E Dynamic SAP
47 Advertising Print Server
4B Btrieve VAP 5.0
4C SQL VAP
107 Rconsole
26B Time Synchronization
278 NetWare Directory Server
In NW4.1 do not filter 4, 26B, 278.
19.2.2. IPX Network Filtering
IPX RIP Filtering (interface command)
Use the ipx input-network-filter and ipx output-network-filter commands to control which networks are added to the router’s routing table. The ipx output-network-filter command applies to IPX RIP only.
Filtering RIP traffic
access-list 877 permit 93
!
int s 0
ipx network 90
ipx output-network-filter 877
Blocking Networks
int e0
ipx access-group 900 in
ipx output-network-filter 900
ipx input-network-filter 900
access-list 900 deny -1 800.0000.0000.0000 FF.FFFF.FFFF.FFFF   (Network.Node) (Network-mask.Node-mask)
access-list 900 permit -1
IPX EIGRP Filtering
A distribute-list must be used since EIGRP uses hellos and not the routing table. Use the distribute-list out command to control advertising of EIGRP routes.
ipx router eigrp 100
distribute-list 800 in
19.2.3. SAP Filtering
IPX RIP SAP Filters (0 = All Services)
Interface commands:
ipx router-sap-filter {access-list | name}   SAP
ipx input-sap-filter {access-list | name}   SAP
ipx output-sap-filter {access-list | name}   SAP
ipx output-gns-filter {access-list | name}   GNS
ipx gns-reply-disable   GNS
The ipx output-gns-filter command is used with the access-list command to control which servers are included in GNS responses. The ipx sap-interval command is used to configure less frequent SAP updates.
IPX RIP SAP Filtering
Instead of denying traffic, try permitting traffic instead.
Filtering Print Servers
access-list 1000 deny -1 0 pserver
access-list 1000 permit -1
!
int s 0
ipx network 10
ipx output-sap-filter 1000
Filter PServer - It WORKS!!!
access-list 1001 deny -1 7 PServer
access-list 1001 permit -1
int s0
ipx output-sap-filter 1001
Filtering File Servers
access-list 1001 deny 2e.0000.0000.0001 4
access-list 1001 permit -1
!
int s 0
ipx network 1
ipx output-sap-filter 1001
EIGRP IPX - SAP Filtering (under ipx router eigrp)
distribute-sap-list {access-list} in
distribute-sap-list {access-list} out
19.2.4. Troubleshooting IPX
show ipx interface   Displays the status of the IPX interfaces
show ipx route   Lists the entries of the IPX routing table
show ipx servers   Lists the servers discovered through SAP advertisements
show ipx traffic   Shows IPX packet information
19.3. MAC ACCESS-LISTS
Practice all ACL’s with every bridge type.
200 LSAP – filter on LLC address
700 MAC – filter on source or destination (only one)
1100 NetBIOS name – filter on source and/or destination; applied to a bridge-group with input-pattern-list
What do you want to filter?
200 SAP’s – filter SRB on TR, TB on Ethernet, and SAP’s on DLSW peers.
700 MAC addresses
NetBIOS names?
Combination or others? = Access-expressions
19.3.1. LSAPs (200)
http://www.cisco.com/warp/public/111/12.html
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3920/3920ug4/codes.htm#xtocid189133
MAC Access-Lists
00 Null / ALL
E0 IPX
42 STP
04,05,08,0C,0D SNA
F0 NetBIOS
Bit-Swapping: 18,24,3c,5a,7e,bd
SAPS Defined
Address (Hex) – Assignment
00 Null LSAP
04,05,08,0C,0D SNA
04 IBM SNA Path Control (individual)
05 IBM SNA Path Control (group)
06 IP
42 Spanning Tree Protocol (STP) BPDU
98 ARP
AA SNAP
E0 IPX
F0 NetBIOS Commands
F1 NetBIOS Responses
F4 IBM LAN Management (individual)
F5 IBM LAN Management (group)
F8 IBM Remote Program Load (RPL)
FE OSI
FF Global SAP
The addresses are paired for src/dest, such as F0F0 for NetBIOS.
Applying LSAP Filters
TR: source-bridge input-lsap-list
DLSW: remote-peer lsap-output-list
ETH: bridge-group input-lsap-list (802.3)
ETH: bridge-group input-type-list
19.3.2. SNA
For permitting SNA:
access-list 200 permit 0x0000 0x0D0D
-or-
access-list 200 permit 0x0000 0x0000
access-list 200 permit 0x0808 0x0001
access-list 200 permit 0x0c0c 0x0001
access-list 200 permit 0x0404 0x0001
Deny SNA
access-list 200 deny 0x0000 0x0D0D
Filtering SNA in DLSW
dlsw local-peer peer-id 10.1.1.1
dlsw remote-peer 0 tcp 10.2.2.2 lsap-output-list 200
access-list 200 permit 0x0000 0x0D0D
Filtering SNA in Transparent Bridging
bridge 1 protocol ieee
int eth0
bridge-group 1
bridge-group 1 input-type-list 200
bridge-group 1 output-type-list 200
access-list 200 permit 0x0D0D 0x0000
19.3.3. NetBIOS
Apply the NetBIOS name filter to the DLSw+ remote-peer statement.
Apply the NetBIOS name filter to the Token-Ring interface.
NetBIOS filters only block connection-setup packets, so previous connections will still exist.
netbios access-list host name {permit | deny} pattern
You can use DOS wild cards.
For permitting NetBIOS:
dlsw remote-peer 0 tcp 10.1.1.1 lsap-output-list 200
access-list 200 permit 0xF0F0 0x0101
For blocking NetBIOS:
dlsw remote-peer 0 tcp 10.1.1.1 lsap-input-list 200
access-list 200 deny 0xF0F0 0x0101
access-list 200 permit 0x0000 0xFFFF
19.3.4. Bit-Swapping
802.3 / 802.4: uses the least significant bit first – canonical form
802.5: uses the most significant bit first – non-canonical form
The MAC is bit-swapped as it passes between Token-Ring and Ethernet bridges (SRT, SR/TLB). The problem with these two formats is that if the bits are flipped then the address may appear to be a multicast, or another destination. For SRB it may send the frame somewhere else or mess up the functional addresses. For TB it may refuse to forward the packet.
Note: MAC addresses on Ethernets are "bit swapped" when compared with MAC addresses on Token Ring and FDDI. For example, address 0110.2222.3333 on Ethernet is 8008.4444.CCCC on Token Ring and FDDI. Access lists always use the canonical Ethernet representation. When using different media and building access lists to filter on MAC addresses, keep this point in mind. Note that when a bridged packet traverses a serial link, it has an Ethernet-style address.
>>> If you are using an access-list to specify a mac output list on a DLSW statement, you will always use non-canonical format. If the access-list will be used to filter on a token-ring interface it will be non-canonical. If the access-list will be used to filter on an ethernet interface it will be canonical.
Bit-Switching
All addresses are in non-canonical form (10), the token-ring form.
Ethernet - Traffic that originates on Ethernet is picked up from the local Ethernet bridge group and transported across the DLSw network. DLSw always transfers data in noncanonical format. DLSw will automatically make the correct MAC address conversion depending on the destination media. When DLSw+ receives a MAC address from an Ethernet-attached device, it assumes it is canonical and converts it to noncanonical for transport to the remote peer. At the remote peer, the address is either passed unchanged to Token Ring-attached end systems or converted back to canonical if the destination media is Ethernet. Note that when an SNA resource resides on Ethernet, if you configure a destination SNA address in that device, you must use canonical format. For example, Ethernet-attached 3174s must specify the MAC address of the FEP in canonical format. If the Token Ring or noncanonical format of the MAC address of the FEP is 4000.3745.0001, the canonical format is 0200.ECA2.0080. Another example: 0800.5CED.1E4C is 1000.3AB7.7832 on Ethernet.
DLSW and Ethernet
Token-ring: non-canonical
DLSW: non-canonical
Ethernet: canonical
DLSW converts Ethernet MACs to non-canonical form, so if you need to specify a MAC make sure the format is correct where you specify it.
Canonical to Non-Canonical Forms
Here is a good way to do the conversion; just learn this sequence: 18,24,3c,5a,7e,bd
1---8
4---2
3---C
5---A
7---E
B---D
Remember that you always need to specify non-canonical in DLSW configurations.
Conversion on a per OCTET basis
Hold your hands in front of you palms down. Tuck your thumbs in, and now represent the bits in your octet by either tucking in a finger (0) or leaving it sticking out (1). Now, cross your hands over AND turn your hands palm up (WITHOUT adjusting your finger positions). You have now got your converted octet (either non-canonical to canonical or vice-versa). Crossing the hands swaps the two nibbles of the octet; turning them palm up reverses the bit order within each nibble.
Canonical MAC: 00D0.5924.80A4
After swapping nibbles: 000d.9542.084a
0 0 0 D . 9 5 4 2 . 0 8 4 A
0000 0000 0000 1101 . 1001 0101 0100 0010 . 0000 1000 0100 1010
After reversing the bits within each nibble:
0000 0000 0000 1011 . 1001 1010 0010 0100 . 0000 0001 0010 0101
Non-Canonical MAC: 000B.9A24.0125
Hex: digits 1 – 9 are normal; A B C D E F stand for 10 – 15.
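The hand method above in code, as an added example that is not part of the notes: the two steps (swap the nibbles of each octet, then reverse the bits within each nibble) are implemented separately so each intermediate value can be checked against the worked conversion, and a one-step full bit reversal is kept as a cross-check. The MAC addresses used are the ones quoted in this section.

```python
"""MAC bit-swapping, canonical (Ethernet) <-> non-canonical (Token Ring / DLSw).

Added example, not from the CCIE notes.  Reversing the bit order of each
octet is its own inverse, so one routine converts in both directions.
"""

# Nibble reversal table: the "18,24,3c,5a,7e,bd" pairs from the notes
# (0, 6, 9 and F are their own mirror image).
NIBBLE_REVERSE = {0x0: 0x0, 0x1: 0x8, 0x2: 0x4, 0x3: 0xC, 0x4: 0x2, 0x5: 0xA,
                  0x6: 0x6, 0x7: 0xE, 0x8: 0x1, 0x9: 0x9, 0xA: 0x5, 0xB: 0xD,
                  0xC: 0x3, 0xD: 0xB, 0xE: 0x7, 0xF: 0xF}


def parse_mac(mac: str) -> bytes:
    """Accept Cisco (0110.2222.3333) or colon/dash (01:10:22:22:33:33) notation."""
    digits = "".join(ch for ch in mac if ch not in ".:-")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def format_cisco(raw: bytes) -> str:
    """Render as dotted hex, upper case, the way IOS show commands print it."""
    hexstr = raw.hex().upper()
    return ".".join(hexstr[i:i + 4] for i in range(0, 12, 4))


def swap_nibbles(raw: bytes) -> bytes:
    """Step 1 of the hand method, 'cross your hands': 0xD0 -> 0x0D."""
    return bytes(((b & 0x0F) << 4) | (b >> 4) for b in raw)


def reverse_nibble_bits(raw: bytes) -> bytes:
    """Step 2, 'turn palms up': reverse the 4 bits inside each nibble."""
    return bytes((NIBBLE_REVERSE[b >> 4] << 4) | NIBBLE_REVERSE[b & 0x0F]
                 for b in raw)


def bitswap(mac: str) -> str:
    """Canonical <-> non-canonical form via the two hand-method steps."""
    return format_cisco(reverse_nibble_bits(swap_nibbles(parse_mac(mac))))


def bitswap_direct(mac: str) -> str:
    """Same result by reversing all 8 bits of each octet at once; used as a
    cross-check that the two-step method really is a full bit reversal."""
    raw = parse_mac(mac)
    return format_cisco(bytes(int(f"{b:08b}"[::-1], 2) for b in raw))


if __name__ == "__main__":
    # the addresses quoted in the notes, each with its expected counterpart
    for m in ("0110.2222.3333", "4000.3745.0001", "0800.5CED.1E4C", "00D0.5924.80A4"):
        print(f"{m} -> {bitswap(m)}")
```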
19.3.5. DLSw+
DLSW TCP ports 2065, 1981, 1982 and 1983; FST Port 91.
Stop router ONE from sending explorer packets to router TWO looking for MAC address 4444.4444.4444?
dlsw icanreach mac-address 4444.4444.4444 m 
ask FFFF.FFFF.FFFF
dlsw icanreach netbios-name SALES*
If you use dlsw icanreach mac-exclusive without defining a MAC address in an icanreach, then all traffic will be filtered.
"The dlsw icanreach command also supports the mac-exclusive and netbios-exclusive keywords, which indicate that the resources advertised by this peer are the only resources the peer can reach. By specifying mac-exclusive or netbios-exclusive, you can indicate that the list of specified MAC addresses or NetBIOS names are the only ones reachable from a given router."
For DLSW put it on the remote-peer with lsap-output-list.
On Ethernet use: input-lsap-list (802.3), input-type-list (incoming by type code – Eth_II)
NetBIOS on DLSW
dlsw remote-peer 0 tcp 172.16.24.2 host-netbios-out mylist
dlsw remote-peer 0 tcp 172.16.24.2 bytes-netbios-out mylist
netbios access-list host mylist permit MAR*
sh dlsw circuit displays the SAP addresses.
19.3.6. Bridging (MAC) Filters (700)
NetBIOS functional address is C000.0000.0080
SRB
Use 8000.0000.0000 for the TR source address mask on traffic that requires an exact match and needs to be SRB.
Type Code Access Lists
int tok 0
source-bridge input-type-list 201
int eth0
bridge-group 1 input-type-list 201
access-list 201 deny 0x0806 0x0000
access-list 201 permit 0x0000 0xFFFF
Filter by DSAP/LSAP addresses
source-bridge input-lsap-list
source-bridge output-lsap-list
Filter by Vendor Code
MAC Access Filtering
int tok 0
source-bridge input-address-list 702
int eth0
bridge-group 1 input-address-list 701
access-list 701 permit 0110.2222.3333
access-list 702 permit 0110.1234.6554
LSAP Filter (200)
int tok 0
source-bridge input-lsap-list 200
source-bridge output-lsap-list 200
Commands
sh controller token
sh int token
sh int
sh source
show span
19.4. ACCESS-EXPRESSIONS
Access-expressions are applied to interfaces only !!! Access-expressions can be applied to ethernet interfaces – a great way to block NetBIOS stuff when transparent bridging.
Key Expressions
! NOT
& AND
| OR
~ Logical not, such as !(lsap 201)
Keywords
lsap (2xx)
type (2xx)
smac (7xx)
dmac (7xx)
netbios-host (netbios access-list name)
netbios-bytes (netbios access-list name)
Access Filters
int tok0
access-expression in (lsap(201) | lsap(202) & dmac(701))
access-list 201 permit 0xf0f0 0x0001 (NetBIOS) (host blocking)
access-list 202 permit 0x0404 0x0001 (SNA command / response)
access-list 202 permit 0x0004 0x0001 (SNA explorers with NULL DSAP)
access-list 701 permit 0110.2222.3333 (FEP MAC address)
access-list 200 deny 0xF0F0 0x0101 (host & client bit blocked)
Deny MAC address 0020.1234.XXXX and permit anything else.
dlsw icannotreach 0020.1234.0000 ffff.ffff.0000
-or-
dlsw local-peer peer-id 192.168.12.1
dlsw remote-peer 0 tcp 192.168.4.5 dmac-output-list 701
!
access-list 701 deny 0020.1234.0000 0000.0000.ffff
access-list 701 permit 0000.0000.0000 ffff.ffff.ffff
Ethernet Filtering
NetBIOS filters only seem to be allowed on token ring interfaces, other than on the dlsw remote-peer command. But that command only keeps connections from being formed by blocking the name query it seems, and the entries still make it into the reachability table. Is there a way to filter NetBIOS so I don't even get the NetBIOS names in the reachability info?
netbios access-list host TEST deny CCIES2B
netbios access-list host TEST permit CCIES
int e0
access-expression in netbios-host(TEST)
Troubleshooting ACCESS-LISTS
Remember the implicit deny.
Remember that access-lists have direction.
sh access-lists
show access-expressions
debug access-expressions
clear access-list counters
deb ip packet
20. QUEUING
With custom and priority queuing there are three types of classification: interface, protocol, and default.
Percent of bandwidth that needs to be queued = Custom Queuing
Three main types:
Weighted-Fair-Queuing – breaks up traffic and sends user traffic ahead of FTP traffic. Enabled by default on T1’s and lower.
Priority Queuing – prioritizes by protocol.
Custom Queuing – bandwidth allocation; great for SNA. Queue 0 is a system queue for keepalives.
20.1. WFQ
12000’s do not support WFQ. The default or legacy WFQ is flow-based (FB-WFQ). This was the original and is referred to as just WFQ. Packets are classified into flows by:
ToS bits in the IP header
IP protocol type
Source IP address
Source TCP or UDP socket
Destination IP address
Destination TCP or UDP socket
By default WFQ classifies the traffic streams into 256 different traffic flows. WFQ is enabled by default on all E1’s and lower. WFQ’s use on a 7500 should be limited to only the lower speed interfaces. WFQ assigns a sequence number to each packet and uses it to determine the queue order. This sequence number is based on the weights, which are assigned using the following formula:
W = 4096 / (IP Precedence + 1)
The sequence number is based on the following formula:
Last Sequence Number + (W * packet size) = sequence number
Example of the first packet, precedence 0 (W = 4096), 500 bytes: 0 + (4096 * 500) = 2048000
So WFQ is based on ToS (IP Precedence) and packet size.
fair-queue congestive-discard-threshold: queue depth (default is 64 packets per queue)
dyn-queues: number of queues, default is 256
reservable-queues: number reservable (RSVP)
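A small model of the sequencing described above, added here as an example and not Cisco's implementation: it uses the notes' constants (W = 4096 / (precedence + 1), sequence = last + W * size) and one simplifying assumption of my own for "last": the tail of the packet's own flow if that flow is already queued, otherwise the sequence number of the packet most recently sent. Flows are keyed on the six fields the notes list; the sample traffic is constructed.

```python
"""Flow-based WFQ sequence numbers (added model, not Cisco's code)."""
import heapq
from dataclasses import dataclass
from itertools import count


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    precedence: int   # 0..7, from the IP ToS byte
    size: int         # bytes

    def flow_key(self):
        # the six classification fields from the notes
        return (self.precedence, self.proto, self.src, self.sport,
                self.dst, self.dport)


def weight(precedence: int) -> float:
    return 4096 / (precedence + 1)


class WFQ:
    def __init__(self):
        self._heap = []          # (sequence, arrival counter, packet)
        self._flow_tail = {}     # flow key -> seq of its last queued packet
        self._sent_seq = 0.0     # seq of the packet last dequeued
        self._order = count()    # tie-breaker so packets are never compared

    def enqueue(self, pkt: Packet) -> float:
        """Assign the sequence number and queue the packet; returns the seq."""
        key = pkt.flow_key()
        last = self._flow_tail.get(key, self._sent_seq)   # simplifying assumption
        seq = last + weight(pkt.precedence) * pkt.size
        self._flow_tail[key] = seq
        heapq.heappush(self._heap, (seq, next(self._order), pkt))
        return seq

    def dequeue(self) -> Packet:
        """Send the packet with the lowest sequence number."""
        seq, _, pkt = heapq.heappop(self._heap)
        self._sent_seq = seq
        key = pkt.flow_key()
        if self._flow_tail.get(key) == seq:   # that flow is now empty
            del self._flow_tail[key]
        return pkt


def transmit_order(packets):
    """Enqueue everything at once and return the packets in send order."""
    q = WFQ()
    for p in packets:
        q.enqueue(p)
    return [q.dequeue() for _ in packets]


# constructed sample traffic: a bulk transfer of large precedence-0 packets
# competing with small precedence-5 (voice-like) packets and one telnet packet
FTP = [Packet("10.1.1.2", "10.2.2.2", "tcp", 20, 40001, 0, 1500) for _ in range(3)]
VOICE = [Packet("10.1.1.3", "10.2.2.3", "udp", 16384, 16384, 5, 200) for _ in range(3)]
TELNET = [Packet("10.1.1.4", "10.2.2.4", "tcp", 40002, 23, 0, 60)]

if __name__ == "__main__":
    for p in transmit_order(FTP + VOICE + TELNET):
        print(f"prec={p.precedence} size={p.size:5d} {p.proto}/{p.dport}")
```

The small packets and the higher precedence both lower the sequence number, so the voice and telnet packets leave ahead of the 1500-byte FTP packets that were queued first.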
20.1.1. CB-WFQ
No delay guarantee. Allows you to classify traffic into 64 classes based on protocol, ACL’s, and the input interface. Each class is then given a percent of the bandwidth. Any packets that overflow a class get dropped. Side note: WRED can manage these drops within each class. A default class can be configured, but if no default class is configured the packets not classified are given best-effort treatment. If you create a voice class with 32 kbps and no traffic is going over it, the 32 kbps will be divided among all other assigned classes until there is traffic.
There are three modules to configure: class-map, policy-map, service-policy.
class-map voice
match access-group 101
policy-map policy1
class voice
bandwidth 32   ! kbps
queue-limit 20
class class-default
bandwidth 64   ! kbps
random-detect
int serial 0
service-policy output policy1
access-list 101 permit ip any any precedence critical
show policy: displays the configuration of all classes in the policy.
show policy int: displays whether CB-WFQ is working on an interface.
20.1.2. Low-Latency Queueing (LLQ)
Combines strict-priority queuing with CB-WFQ. Bandwidth guarantee – allows voice to go first and everything else second. “PQ + CB-WFQ”
policy-map policy1
class voice
priority 100
class class-default
bandwidth 64   ! kbps
random-detect
LLQ Rules
You cannot oversubscribe the bandwidth.
The priority command polices by class.
Use bandwidth to guarantee a minimum.
Use priority for voice.
Use bandwidth for data.
20.1.3. Distributed WFQ (DWFQ)
Implemented on VIPs of 7500's when dCEF is enabled. Does not scale to interfaces higher than E1's.
Classifies packets in four ways:
Flow-based
  Based on:
    ToS bits in IP header
    IP protocol type
    Source IP address
    Source TCP / UDP socket
    Destination IP address
    Destination TCP / UDP socket
  Traffic is classified into 512 flows with each flow getting a percent of the available bandwidth.
  Use the fair-queue command to enable it on an interface. dCEF must already be enabled.
ToS based
  Also known as CB-DWFQ. Classifies packets based on the lower two bits of the precedence field in the IP header, so four queues are available. The weight of each queue determines the amount of bandwidth the traffic placed in this queue receives if the outbound link is fully congested.
  Use the command fair-queue tos to enable ToS DWFQ.
  Classes 3,2,1,0 get weights 40,30,20,10. The total cannot exceed 100.
QoS group-based
  QoS groups are created by local policies and applied through committed access rate (CAR), and can be propagated through BGP policy propagation.
Troubleshooting DWFQ
  show int fair
20.2. WEIGHTED RANDOM EARLY DETECTION
The idea behind RED is for packets to be randomly dropped before a queue is full, rather than waiting until it's actually full. This allows the traffic to deal with the queuing during transmission rather than when the queues are full and everyone backs off and tries again.
RED defines a min threshold, a max threshold and an average queue depth (avg). Packets are dropped based on probability and the following rules:
  If avg < min, no packet is dropped
  If min < avg < max, packets are dropped with increasing probability as avg increases
  If avg > max, all packets are dropped
WRED drops packets based on the IP precedence bits in the header.
Use the command random-detect to enable RED.
sh int random
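The three regions above as a drop decision, written as an added example for these notes (not Cisco code). Two details go beyond the text and are assumptions: the rise between the thresholds is linear up to a ceiling of 1/denominator (the way IOS random-detect expresses its mark probability), and the average is an exponentially weighted moving average of the instantaneous depth (IOS's default exponential-weighting-constant is 9). WRED keeps one profile per IP precedence, modelled here as a dictionary keyed by precedence, so the same average depth drops precedence-0 traffic before precedence-5 traffic.

```python
"""RED / WRED drop decision (added example, not from the notes)."""

from dataclasses import dataclass


@dataclass(frozen=True)
class RedProfile:
    min_threshold: int               # packets
    max_threshold: int               # packets
    mark_prob_denominator: int = 10  # ceiling drop probability = 1/denominator

    def __post_init__(self):
        if not 0 <= self.min_threshold < self.max_threshold:
            raise ValueError("need 0 <= min < max")
        if self.mark_prob_denominator < 1:
            raise ValueError("denominator must be >= 1")


def drop_probability(profile: RedProfile, avg_depth: float) -> float:
    """Probability of dropping the next packet for a given average depth."""
    if avg_depth < profile.min_threshold:
        return 0.0
    if avg_depth > profile.max_threshold:
        return 1.0
    span = profile.max_threshold - profile.min_threshold
    fraction = (avg_depth - profile.min_threshold) / span   # 0.0 .. 1.0 across the ramp
    return fraction / profile.mark_prob_denominator


def ewma_average(prev_avg: float, current_depth: int, weight_exponent: int = 9) -> float:
    """Average queue depth update: avg += (depth - avg) / 2**n."""
    return prev_avg + (current_depth - prev_avg) / (2 ** weight_exponent)


def wred_should_drop(profiles: dict, precedence: int, avg_depth: float, rnd: float) -> bool:
    """True when the packet is to be dropped.

    rnd is a uniform sample in [0, 1) passed in by the caller so the decision
    is reproducible; a live implementation would draw it from random.random().
    """
    return rnd < drop_probability(profiles[precedence], avg_depth)


def build_wred_profiles() -> dict:
    """Constructed WRED profile set: higher precedence gets a higher minimum
    threshold, so at the same average depth it is dropped less often."""
    return {prec: RedProfile(20 + 2 * prec, 40, 10) for prec in range(8)}


if __name__ == "__main__":
    profiles = build_wred_profiles()
    avg = 0.0
    for depth in [0, 10, 25, 35, 45, 45, 45]:       # constructed instantaneous depths
        avg = ewma_average(avg, depth)
    for prec in (0, 3, 5):
        print(f"prec {prec}: avg={avg:.2f} p_drop={drop_probability(profiles[prec], 30.0):.3f}")
```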
20.3. PRIORITY QUEUING
Four queues: High, Medium, Low, Normal
Defaults (queue-limit): 20 40 60 80

Configuration Tasks
  Create list
  Assign default queue
  Assign list to interface

Priority Configuration
priority-list 1 protocol ip high tcp 23
priority-list 1 protocol ip high list 1
priority-list 1 interface ethernet 0 medium
priority-list 1 default low
priority-list 1 queue-limit 15 20 20 30
!
access-list 1 permit 131.34.0.0 0.0.255.255
!
int s 0
 priority-group 1
20.4. CUSTOM QUEUING
16 custom queues.
Default byte-count is 1500 bytes.
Frame size differences will affect the byte-count and bandwidth percent. Configure the custom queuing byte-count parameter to assure a percentage of bandwidth for a given queue.

Custom Queueing Configuration
queue-list 1 interface e0 1
queue-list 1 protocol ip 2 tcp 20
queue-list 1 protocol ipx 3
queue-list 1 default 3
queue-list 1 queue 1 byte-count 4500
queue-list 1 queue 1 limit 20
!
int s 0
 custom-queue-list 1

Custom Queueing Based on Bandwidth
Allocate 25% for DLSW, 25% for Telnet, 25% for IPX, 25% for default:
queue-list 1 protocol dlsw 1
queue-list 1 protocol ip 2 tcp 23
queue-list 1 protocol ipx 3 list 900
queue-list 1 queue 4 byte-count 1500
queue-list 1 default 4
access-list 900 permit ncp any 451 any 451
int s 0
 custom-queue-list 1
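Why frame size changes the share, worked as an added example (not from the notes and not Cisco code). Custom queueing serves its queues round-robin and lets each one transmit until at least byte-count bytes have gone out in that pass; the frame that crosses the threshold is sent whole, not fragmented (this rule is an assumption about IOS behaviour taken from the queueing documentation, not from these notes). The block below applies that rule to constructed queues of fixed-size frames and reports the effective share each queue gets, so the "25% each" configuration above can be checked against the frame sizes actually carried.

```python
"""Custom queueing byte-count versus frame size (added example, not from the notes)."""


def bytes_sent_per_pass(byte_count: int, frame_size: int) -> int:
    """Bytes one queue actually sends in a single round-robin pass.

    Whole frames are dequeued until the running total reaches byte_count;
    the frame that crosses the line is still sent in full.
    """
    if byte_count <= 0 or frame_size <= 0:
        raise ValueError("byte_count and frame_size must be positive")
    frames = -(-byte_count // frame_size)   # ceiling division
    return frames * frame_size


def effective_shares(queues: dict) -> dict:
    """Percentage of link bandwidth each queue gets when all are congested.

    queues maps a queue name to (configured byte_count, typical frame size).
    """
    sent = {name: bytes_sent_per_pass(bc, fs) for name, (bc, fs) in queues.items()}
    total = sum(sent.values())
    return {name: round(100.0 * b / total, 1) for name, b in sent.items()}


if __name__ == "__main__":
    # the four-queue example above, first with uniform 1500-byte frames ...
    uniform = {"dlsw": (1500, 1500), "telnet": (1500, 1500),
               "ipx": (1500, 1500), "default": (1500, 1500)}
    print(effective_shares(uniform))
    # ... then with constructed realistic sizes: telnet sends tiny frames,
    # the default queue carries 1000-byte frames, and the ratio drifts
    mixed = {"dlsw": (1500, 1500), "telnet": (1500, 64),
             "ipx": (1500, 576), "default": (1500, 1000)}
    print(effective_shares(mixed))
```

A queue carrying 1000-byte frames with the default 1500-byte count sends two frames (2000 bytes) per pass, so against a queue of 1500-byte frames it takes about 57% of the link rather than 50%.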
20.5. COMMITTED ACCESS RATE (CAR)
http://www.cisco.com/warp/public/732/Tech/car/index.html
Configuring Committed Access Rate
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/qos_c/qcpart1/qccar.htm

20.6. TROUBLESHOOTING QUEUEING
sh queue
sh queueing
sh int serial 0   Displays the packets that have traveled through the interface.
debug custom
debug priority
21. TRAFFIC SHAPING
21.1. POLICY ROUTING
Is always applied to the incoming interface. Only affects the router it is configured on. Can use extended ACLs. Used to control access by destination, protocol type, packet size, application, source address, and can be used to load balance across lines.

To configure
  Global command: ip local policy route-map
  Interface command: ip policy route-map
  Policy mapping disables fast-switching; use ip route-cache policy to re-enable it.

Policy Routing Examples
Packets not matched use the routing table.
Multiple 'set' clauses are evaluated in this order:
  Next-hop interface            Used if the interface is up
  Next-hop IP address           Used if the address is in the routing table
  Next-hop default interface    Routing table is used 1st; if there is no route, use this interface
  Next-hop default IP address   Routing table is used 1st; if there is no route, use this address

Packet Length Example
int ethernet0
 ip address 172.16.1.4 255.255.255.0
 ip policy route-map test
!
route-map test permit 10
 match length 3 100
 set ip next-hop 172.16.5.1

Source Address Example
int ethernet0
 ip address 172.16.1.4 255.255.255.0
 ip policy route-map test
!
access-list 101 permit ip host 172.16.1.1 any
!
route-map test permit 10
 match ip address 101
 set interface serial 0
-or-
route-map test permit 10
 match ip address 101
 set ip next-hop 172.16.5.1
! This allows routers to do recursive lookups

Application / Protocol Type Example
int ethernet0
 ip address 172.16.1.4 255.255.255.0
 ip policy route-map ReRun
!
access-list 105 permit tcp 172.16.1.0 0.0.0.255 eq ftp any
access-list 105 permit tcp 172.16.1.0 0.0.0.255 eq ftp-data any
access-list 106 permit tcp 172.16.1.0 0.0.0.255 eq telnet any
!
route-map ReRun permit 10
 match ip address 105
 set ip next-hop 172.16.2.1
!
route-map ReRun permit 20
 match ip address 106
 set ip next-hop 172.16.3.1

Load Balancing Example
r1
int ethernet0
 ip address 172.16.1.4 255.255.255.0
 ip address 172.16.1.5 255.255.255.0 secondary
r2
int eth0
 ip add 172.16.1.3 255.255.255.0
 ip policy route-map load
!
access-list 1 permit 172.16.1.4
access-list 2 permit 172.16.1.5
!
route-map load permit 10
 match ip address 1
 set default interface s0
!
route-map load permit 20
 match ip address 2
 set default interface s1

Troubleshooting Policy Routing
show ip policy
show route-map
show access-list
show ip local policy
debug ip policy
21.2. RTP PRIORITY
UDP port ranges:
  16,384 – 32,767   voice
  32,768 – 49,151   whiteboard
  49,152 – 65,535   video
21.3. GENERIC TRAFFIC-SHAPING (GTS)
Use on ethernet, point-to-point, or frame-relay. Used to shape all traffic leaving an interface. Use traffic-shape group to configure traffic shaping for outbound traffic on an interface for the specified access list.
  traffic-shape rate
  traffic-shape group
Example:
int s0.1
 traffic-shape rate 32000 8000
int s0.2
 traffic-shape rate 32000 8000
There are three major differences between GTS and CAR:
1- CAR is able to limit the traffic for input and output, while GTS limits only output.
2- They work differently. CAR discards packets in order to limit the rate, while traffic shaping adds some delay between the packets in order to reduce the rate/flow.
3- CAR only measures the IP traffic, while GTS is able to measure the "entire" traffic through an interface (including L2 headers).
My conclusion is that GTS causes many fewer retransmissions and makes the traffic look much smoother than CAR (because CAR works by discarding packets - i.e. TCP slow start, etc). If you have 2 routers and 2 PCs, it's easy to confirm that (that's what I did). What I read somewhere is that Cisco created CAR in order to allow ISPs to control/restrict the bandwidth that they receive/send to other ISPs on a NAP.
21.4. FRAME-RELAY QUEUING
21.4.1. Frame-Relay DLCI-Prioritization
interface Serial0
 no ip address
 encapsulation frame-relay
 priority-group 1
!
interface Serial0.1 point-to-point
 ip address 4.0.1.1 255.255.255.0
 frame-relay priority-dlci-group 1 140 180 190 200
 frame-relay interface-dlci 140
!
access-list 102 permit icmp any any
priority-list 1 protocol ip high list 102
priority-list 1 protocol ip medium tcp telnet
priority-list 1 protocol ip normal tcp ftp
priority-list 1 protocol ip low

21.4.2. Frame-Relay Broadcast Queue
frame-relay broadcast-queue size byte-rate packet-rate
21.4.3. Frame-Relay Traffic-Shaping (FRTS)
Regulates the traffic.
To change the queue depth on FIFO, enable custom or priority queueing and assign all traffic to one queue.

FRTS Formula
  Tc = Bc/CIR   (Tc = interval, Bc = committed burst)

When to use FRTS
  T1 at central site and 56 kbps at branch
  Multipoint connections
  Congestion occurs
  Multiple protocols on the same FR VC

Terms
  Access rate   Max rate at a fixed period of time (line or port speed).
  CIR           Committed information rate, the average rate of data.
  Bc            Committed burst size, the max amount sent over a fixed period (Tc), a multiple of CIR. This should be 1/8 of CIR.
  Be            Excess burst size, max burst in excess of Bc. Usually 0 when port speed is set.
  MinCIR        Minimum CIR, the true CIR that is guaranteed. Default is 50% of CIR.
  Tc            Time interval (Tc = Bc/CIR).

Three Steps To FRTS
1 - Enable FRTS under the main interface
int s0
 frame-relay traffic-shaping
2 - Create a map-class
map-class frame-relay ccie
 frame-relay cir 32000
 frame-relay mincir 16000
 frame-relay bc 4000
 frame-relay be 32000
 frame-relay adaptive-shaping becn   Enables BECN feedback to throttle the output rate on the SVC for the map class.
3 - Apply to an interface or DLCI
frame-relay interface-dlci 102
 class ccie
int s0.1
 frame-relay class ccie

Map Class Parameters
Traffic Parameters
  frame-relay custom-queue-list
  frame-relay priority-group
  frame-relay adaptive-shaping
  frame-relay traffic-rate
  frame-relay cir bps
  frame-relay mincir bps
  frame-relay bc bits
  frame-relay be bits
  frame-relay idle-timer

Apply Map Class to an interface or VC
  frame-relay class class

FRTS on serial Example:
Port Speed: 64000 kbps
CIR: 32000 kbps
MinCIR: 16000 kbps
Bc: 4000 kbps
Be: 32000 kbps
int s0
 ip addr 1.1.1.1 255.255.255.0
 encap frame
 frame-relay traffic-shaping
 frame-relay class ccie
map-class frame-relay ccie
 frame-relay adaptive-shaping becn
 frame-relay cir 32000
 frame-relay mincir 16000
 frame-relay bc 4000
 frame-relay be 32000

FRTS on DLCI
int s0
 ip addr 1.1.1.1 255.255.255.0
 encap frame
 frame-relay traffic-shaping
 frame-relay interface-dlci 102
  class ccie
map-class frame-relay ccie
 frame-relay adaptive-shaping becn
 frame-relay cir 56000
 frame-relay mincir 32000
 frame-relay bc 8000
 frame-relay be 16000

Troubleshooting FRTS
  sh traffic-shape statistics
  sh traffic-shape queue
  sfp
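The Tc = Bc/CIR formula and the Bc/Be terms above, worked through for the two map-classes shown (CIR 32000 / Bc 4000 / Be 32000 and CIR 56000 / Bc 8000 / Be 16000). This is an added example for these notes, not Cisco code: it computes Tc and then simulates how a shaper spends its credit, sending up to Bc bits every Tc and carrying unused credit forward, capped at Be, so a burst after an idle period may briefly exceed Bc. The credit model is an assumption that follows the Bc/Be definitions above; units are bits and bits per second, as the frame-relay cir/bc/be commands take.

```python
"""FRTS parameters and shaping intervals (added example, not from the notes)."""

from dataclasses import dataclass


@dataclass(frozen=True)
class MapClass:
    cir: int          # committed information rate, bits per second
    bc: int           # committed burst per Tc, bits
    be: int = 0       # excess burst, bits
    mincir: int = 0   # floor the rate may be throttled to on BECN (not used by the simulation)


def tc_seconds(mc: MapClass) -> float:
    """Tc = Bc / CIR."""
    if mc.cir <= 0 or mc.bc <= 0:
        raise ValueError("CIR and Bc must be positive")
    return mc.bc / mc.cir


def recommended_bc(cir: int) -> int:
    """The notes' rule of thumb: Bc = CIR/8, which makes Tc 125 ms."""
    return cir // 8


def simulate_intervals(mc: MapClass, demand_bits) -> list:
    """Bits actually sent in each Tc interval for a list of per-interval demands."""
    sent = []
    excess_credit = 0
    for want in demand_bits:
        allowance = mc.bc + excess_credit
        tx = min(want, allowance)
        sent.append(tx)
        excess_credit = min(mc.be, allowance - tx)   # unused credit carries over, capped at Be
    return sent


def average_rate_bps(mc: MapClass, sent_bits) -> float:
    """Average rate over the simulated intervals."""
    return sum(sent_bits) / (len(sent_bits) * tc_seconds(mc))


if __name__ == "__main__":
    serial_class = MapClass(cir=32000, bc=4000, be=32000, mincir=16000)
    dlci_class = MapClass(cir=56000, bc=8000, be=16000, mincir=32000)
    for mc in (serial_class, dlci_class):
        print(f"CIR {mc.cir} Bc {mc.bc} -> Tc {tc_seconds(mc) * 1000:.1f} ms")
    # eight idle intervals, then a burst: the Be credit lets 36000 bits go in one Tc,
    # after which the VC is back to Bc per interval
    print(simulate_intervals(serial_class, [0] * 8 + [40000, 40000]))
    steady = simulate_intervals(serial_class, [10000] * 4)
    print("sustained rate:", average_rate_bps(serial_class, steady), "bps")
```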
21.5. IP PRECEDENCE
Three ways to set:
  Policy-based routing
  QoS Policy via BGP (supported only on 7xxx routers)
  Committed Access Rate (CAR)

IP Precedence Values (RFC 791)
  Number   Name
  0        routine
  1        priority
  2        immediate
  3        flash
  4        flash-override
  5        critical
  6        internetwork control
  7        network control

Configuring
interface ethernet 1
 ip policy route-map Texas
!
route-map Texas permit 10
 match ip address 1
 set ip precedence priority
 set ip next-hop 3.3.3.3
!
route-map Texas permit 20
 match ip address 2
 set ip precedence critical
 set ip next-hop 3.3.3.5
access-list 1 permit 1.1.1.1
access-list 2 permit 2.2.2.2

QoS
  set ip precedence
  set ip tos
ToS Bits
  Bits   Number (0-15)   Keyword
  0000   0               normal
  0001   1               min-monetary-cost
  0010   2               max-reliability
  0100   4               max-throughput
  1000   8               min-delay
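The two tables above combined into one octet, as an added example for these notes (not Cisco code). The RFC 791 ToS octet holds the 3-bit precedence in its top three bits and the four ToS flags in the next four, with the lowest bit unused, so set ip precedence and set ip tos write disjoint parts of the same byte. The block encodes a (precedence, ToS) pair and decodes an octet back to the names, which is handy when checking a capture against a route-map's set clauses.

```python
"""IP precedence and ToS octet encoding (added example, not from the notes)."""

PRECEDENCE_NAMES = [
    "routine", "priority", "immediate", "flash",
    "flash-override", "critical", "internetwork control", "network control",
]

# 'set ip tos' keyword -> 4-bit ToS field value, from the table above
TOS_KEYWORDS = {
    "normal": 0,
    "min-monetary-cost": 1,
    "max-reliability": 2,
    "max-throughput": 4,
    "min-delay": 8,
}


def encode_tos_octet(precedence, tos) -> int:
    """Build the ToS octet from a precedence (0-7 or name) and a ToS value
    (0-15 or keyword). Precedence occupies bits 7..5, the ToS flags bits 4..1."""
    if isinstance(precedence, str):
        precedence = PRECEDENCE_NAMES.index(precedence)
    if isinstance(tos, str):
        tos = TOS_KEYWORDS[tos]
    if not 0 <= precedence <= 7 or not 0 <= tos <= 15:
        raise ValueError("precedence must be 0..7, tos 0..15")
    return (precedence << 5) | (tos << 1)


def decode_tos_octet(octet: int):
    """Return (precedence name, [ToS keywords that are set]) for a ToS octet."""
    if not 0 <= octet <= 255:
        raise ValueError("octet must be 0..255")
    precedence = octet >> 5
    tos = (octet >> 1) & 0xF
    flags = [name for name, bit in TOS_KEYWORDS.items() if bit and tos & bit]
    return PRECEDENCE_NAMES[precedence], flags


if __name__ == "__main__":
    # the route-map Texas above sets 'priority' and 'critical' with no ToS flags
    for name in ("priority", "critical"):
        octet = encode_tos_octet(name, "normal")
        print(f"{name:9s} -> 0x{octet:02X} {octet:08b} -> {decode_tos_octet(octet)}")
    print(decode_tos_octet(encode_tos_octet("critical", "min-delay")))
```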
21.6. RSVP
RSVP supports three traffic types:
  Best-effort - traditional IP traffic.
  Rate-sensitive - gives up time for a guaranteed rate, e.g. video applications. The RSVP service that supports this is called guaranteed bit-rate service.
  Delay-sensitive - variable rate, but timeliness of delivery matters, e.g. MPEG. The RSVP services that support this are controlled-delay (non real-time) and predictive service (real-time service).

RSVP
int s0
 ip rsvp bandwidth 100 32
 fair-queue
dial-peer voice 12 voip
 req-qos controlled-load
Max bandwidth 100 kbps, max per request 32 kbps.
Use for slow links, highly utilized links, or links with less than 2 Mb where you need the best voice quality.
Check Out: www.mentortech.com/learn/welcher/papers/rsvp.html
21.7. RANDOM EARLY DETECTION (RED)
Uses IP precedence bits.

21.8. DATA COMPRESSION
LAPB, PPP, HDLC
  compress predictor   memory intensive
  compress stac        CPU intensive
  compress mppc        CPU intensive
Frame-Relay
  frame-relay payload-compression
IP
  ip tcp header-compression
21.9. MPLS AND TAG SWITCHING
MPLS Terminology
  Label Switch Router (LSR)   Switch or router that switches labeled packets based on switching tables.
  Label   The tag or label for a packet or cell. In a packet the tag is usually between the L2 and L3 headers; in a cell it is in the VPI / VCI header.
  Edge LSR   L3 switch or router that is responsible for initially processing the L3 info to create the label.
  Label Switch Path (LSP)   Path defined by labels.
  Label Switch Circuit (LSC)   ATM path for labels.
  Label Distribution Protocol (LDP)   Protocol for creating labels in the core and edge devices. Works with interior routing protocols - EIGRP, IGRP, OSPF, RIP, IS-IS.
MPLS Process
  1 - LDP creates a switching table based on the IRP and devices.
  2 - Edge LSR - creates the label; labels have local significance only.
  3 - Next hop / LSR - replaces the label, forwards toward the destination.
  4 - Next hop / Edge LSR - removes the label, forwards to the destination.
With MPLS, CLIP and NHRP are no longer needed for dynamic routing over ATM.
22. Multicasting
[Figure: Host - Rtr - Rtr - Switch - Rtr topology; protocols shown: IGMP, CGMP, PIM]
Note: Recall that the least significant bit of the most significant octet of an Ethernet or FDDI MAC address is the "group bit." If the bit is set (1), the MAC address is a multicast (or broadcast). If the bit is not set (0), the MAC address is a unicast. The MAC address 0900.3333.4444 has the group bit set, and is therefore a multicast MAC (09 hex = 00001001; the last bit, the group bit, is set).
If you have two lines, a 56K and a T1, and enable multicasting on the 56K it will not work. You need to use a static mroute or DVMRP; PIM will not work.
IP multicast rule - a router can have only one incoming interface for any entry in its multicast routing table.
If the first octet of the MAC address is odd, it is a multicast address.
With token-ring, multicast addresses are not supported since they are functional addresses. Only 31 functional addresses are available.
22.1. INTERNET GROUP MANAGEMENT PROTOCOL (IGMP)
You can limit the IGMP broadcasts three ways: configure static CAM entries, IGMP snooping, CGMP.
Allows routers to forward multicasts.
Allows IP hosts to join multicast groups.
Two message structures - query and report.
All messages are addressed to 224.0.0.1, TTL=1.
Used by hosts to signal to routers that they want to join / leave multicast groups.
IGMP messages are sent with the TTL set to one so routers never forward them.
Routers send IGMP queries to hosts every 60 seconds and use 224.0.0.1.
If a workstation "surfs" training videos and is receiving the fourth video, the other three multicast streams are still being sent for up to three minutes. This is the leave latency; IGMP version 2 corrects this problem. The router will send two queries for a membership report. Each query will time out in one second.
If there are version 1 and 2 IGMP routers on the same subnet, configure all routers as version 1.

Configuration
ip multicast-routing
int e0
 ip igmp join-group 224.10.1.2

Commands
  sh ip igmp groups
  sh ip igmp int
  deb ip igmp
22.2. CISCO GROUP MANAGEMENT PROTOCOL (CGMP)
Allows switches to use IGMP, so the switch can then make L2 forwarding decisions.
When enabling CGMP on a switch, Cisco recommends you also enable port fast on any port that has hosts.
By default, CGMP is disabled, and no multicast routers are configured.

Broadcast / Multicast Suppression
Broadcast suppression is off by default. The set port broadcast command allows you to set up the broadcast suppression threshold value. You enable broadcast/multicast suppression by setting the threshold to a value greater than 0 percent. A threshold value of 100 percent means that no limit is placed on broadcast traffic. A threshold value of 0 percent means that broadcast/multicast suppression is disabled. By default, broadcast/multicast suppression is disabled.
Broadcast Suppression - Bandwidth Based
  Bandwidth based is hardware suppression. Bandwidth-based broadcast/multicast suppression applies to all ports on a module.
  set port broadcast 3/2-3 20%
  show port broadcast 3
  show test 3
Broadcast Suppression - Packet Based
  Packet based is software suppression. Applies only to the port set; in this example 500 pps is the limit.
  set port broadcast 4/1 500
  Hardware based suppression takes precedence over software suppression. To disable the hardware suppression set the threshold to 100%.
  Use sh port broadcast 4/1 to display whether packets were dropped.
Prevents switched ports on a LAN from being disrupted by a broadcast storm on one of the ports.
Hardware suppression is supported on the Catalyst 5000's. Software suppression is supported on all ethernet modules.

CGMP Filtering
CGMP filtering requires a network connection from the Catalyst 5000 series switch to a router running CGMP.

22.2.1. Stopping Multicasts from Broadcasting on a Switch

Manually Setting a Switch for Multicasting
Ports 2/3, 2/4, and 2/19 want multicasts from 239.0.5.10. The router is on port 1/1. The IP 239.0.5.10 has the multicast MAC 0100.5E00.050A.
set cam permanent 01-00-5E-00-05-0A 2/3-4,2/19
or
set cam static 01-00-5E-00-05-0A 2/3-4,2/19
set multicast router 1/1
To set a multicast group:
set multicast group 01-00-5E-00-05-0A 2/3-4 10
show multicast group cgmp 10
show multicast group count 10
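The group-bit note at the start of the chapter and the 239.0.5.10 to 0100.5E00.050A mapping above, implemented as an added example for these notes (not Cisco code). An IP multicast group maps to 01-00-5E followed by the low 23 bits of the group address; because five bits of the group address are discarded, 32 groups share each MAC, and groups_sharing_mac() lists them, which is the thing to check before relying on a static CAM entry like the one above to select a single stream.

```python
"""IP multicast group to MAC mapping and the group bit (added example, not from the notes)."""

import ipaddress
import re


def parse_mac(text: str) -> bytes:
    """Accept 0100.5e00.050a, 01-00-5E-00-05-0A or 01:00:5e:00:05:0a."""
    digits = re.sub(r"[^0-9a-fA-F]", "", text)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(digits)


def is_group_mac(mac: bytes) -> bool:
    """Group (I/G) bit: LSB of the first octet set means multicast or broadcast."""
    return bool(mac[0] & 0x01)


def multicast_mac_for(group: str) -> bytes:
    """01-00-5E + low 23 bits of the IPv4 multicast group address."""
    ip = ipaddress.IPv4Address(group)
    if not ip.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    low23 = int(ip) & 0x7FFFFF
    return bytes([0x01, 0x00, 0x5E]) + low23.to_bytes(3, "big")


def cisco_format(mac: bytes) -> str:
    """IOS style: 0100.5e00.050a"""
    h = mac.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def catos_format(mac: bytes) -> str:
    """CatOS 'set cam' style: 01-00-5E-00-05-0A"""
    return "-".join(f"{b:02X}" for b in mac)


def groups_sharing_mac(group: str) -> list:
    """All 32 IPv4 groups in 224/4 that map to the same MAC as `group`."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (k << 23) | low23)) for k in range(32)]


if __name__ == "__main__":
    mac = multicast_mac_for("239.0.5.10")
    print(cisco_format(mac), catos_format(mac), "group bit:", is_group_mac(mac))
    print("shares a MAC with:", ", ".join(groups_sharing_mac("239.0.5.10")[:4]), "...")
    for text in ("0900.3333.4444", "0000.0c12.3456"):
        print(text, "multicast" if is_group_mac(parse_mac(text)) else "unicast")
```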
Enabling IGMP Snooping
set igmp enable
sh igmp statistics 10
IGMP snooping is available in Catalyst 5000 series software Release 4.1 and later with a Supervisor Engine III with the NetFlow Feature Card (NFFC). This requires that every IP packet gets examined and slows down the performance of the switch. When IGMP snooping is enabled the switch will automatically learn where the multicast router is connected and you do not have to manually configure it.

Enabling CGMP
Before you enable CGMP on a Catalyst 5000 series switch, you must disable IGMP snooping, if it is enabled, by entering the set igmp disable command. If you try to enable CGMP without first disabling IGMP snooping, an error message will be generated. When CGMP is enabled, it automatically identifies the ports to which the CGMP-capable router is attached. The set multicast router command allows you to statically configure multicast router ports.
set igmp disable
set cgmp enable             Enables CGMP on the switch
set multicast router 1/1    Statically defines the multicast router for CGMP. This should not have to be entered.

Verifying CGMP
show multicast router
show multicast group cgmp 5
show cgmp statistics
show multicast router cgmp 5

Enabling CGMP Leave Processing
set cgmp leave enable
show cgmp statistics

Enabling CGMP on Routers
Used on routers to notify switches when a host joins / leaves a group. Requires at least one router to work.
Router Configuration:
ip multicast-routing
int e0
 ip cgmp
22.3. DISTANCE VECTOR MULTICAST ROUTING PROTOCOL (DVMRP)
Cisco routers cannot run DVMRP; they can however be PIM-DVMRP gateways. If PIM multicasting is configured and a Cisco router hears a DVMRP probe message, the router will mark that segment as having a DVMRP neighbor.
RFC 1075
Based on hop count.
Uses a reverse-path flooding technique. DVMRP floods the network for multicast requests; the routers that do not want the particular multicast group send a prune message back. DVMRP periodically refloods the network to check for new hosts.
This is the basis of the Internet's MBONE.
Sends periodic route updates every 60 seconds.
Has a 32 hop limit.
Poison reverse is used to signal that the router is downstream.
Works with all manufacturers' routers.
Uses neighbor discovery via 224.0.0.4, "all DVMRP routers". Neighbors form adjacencies.
DVMRP uses the RPF check. If the RPF check constantly removes routes from the mroute table then the network is not converging.

DVMRP Tunnels
Cisco routers can convert DVMRP to PIM traffic and act as a DVMRP router when using a tunnel.

Multi-Access Networks and DVMRP
Cisco routers cannot prune DVMRP networks on multi-access networks. This allows Cisco routers to still send multicast traffic on networks without hosts. To make pruning available for ethernet or other multi-access networks you must configure a tunnel to each DVMRP router. A tunnel makes the connection on ethernet point-to-point so prunes work. If multicast sources are available on the DVMRP network you must configure static mroutes to them or the RPF check will fail.
interface tunnel 0
 ip unnumbered ethernet0
 ip pim sparse-dense-mode
 tunnel source ethernet0
 tunnel destination 192.168.1.11
 tunnel mode dvmrp
int ethernet0
 ip address 172.16.2.1 255.255.255.0
int ethernet1
 ip address 192.168.10.1 255.255.255.0
 ip pim sparse-dense-mode
router ospf 1
 network 172.16.2.1 0.0.0.0 area 0
 passive-interface tunnel 0

Sending hosts to the DVMRP Network
By default directly connected multicast hosts will be advertised to the DVMRP network. If you have a multicast host of 130.1.1.1 behind the DVMRP connected router and you want to advertise it to the DVMRP network use:
int tun0
 ip dvmrp metric 1 list 3
access-list 3 permit 130.1.1.0 0.0.0.255

Sending hosts throughout a PIM Network
Add ip dvmrp unicast-routing to all routers between the two networks.

Blocking DVMRP Routers
int ethernet 0
 ip address 172.16.10.1 255.255.255.0
 ip dvmrp accept-filter 0 neighbor-list 10
access-list 10 deny any
This will block all DVMRP probe messages and not allow the router to enter DVMRP interoperability mode.

Summarizing DVMRP Routes
ip dvmrp summary-address 172.16.0.0 255.255.0.0
This command causes the router to summarize any DVMRP route that falls within this range.

Disabling DVMRP Automatic Summarization
no ip dvmrp auto-summary

Controlling DVMRP Advertisements
ip dvmrp metric 1 list 10
ip dvmrp metric 0 dvmrp
ip dvmrp metric 2 ospf 120
access-list 10 permit 172.16.0.0 0.0.255.255
access-list 10 permit 192.168.0.0 0.0.255.255
The first command enables a Cisco router to advertise these routes from its routing table as DVMRP routes with a metric of 2. The second command specifies that any routes learned by DVMRP should not be advertised, hence the 0 metric. This command can stop a router from becoming a transit router. The third command allows only routes from OSPF process 120 to be advertised.

Other DVMRP Commands
  ip dvmrp output-report-delay
  ip dvmrp default-information {originate | only}
  ip dvmrp accept-filter           Used to block DVMRP route reports.
  ip dvmrp distance
  ip dvmrp metric-offset [in | out]
  ip dvmrp route-limit             Limits the number of DVMRP routes sent over an interface. The default is 7000; this command is enabled when multicasting is enabled on the router.
  ip dvmrp routehog-notification   Sends a syslog message if more than 10,000 routes have been received on an interface. This is enabled by default when multicasting is enabled.
  ip dvmrp unicast-routing         Used to make the network congruent.
22.4. PROTOCOL INDEPENDENT MULTICAST (PIM)
PIM is Cisco specific.
All IP multicast MAC addresses begin with 01-00-5E. Some common Ethernet multicasts are:
  NetBIOS        0300.0000.0001
  Bridge Group   0180.c200.0000 (for BPDUs - IEEE)
  IP Multicast   0100.5exx.xxxx
RP filtering, group filtering, load-balancing over equal cost paths.
There is no prune delay on ptp interfaces.
PIM uses the routing table.
PIM version 1 uses IP protocol number 2 and IP address 224.0.0.2.
PIM version 2 uses IP protocol number 102 and IP address 224.0.0.13.
Multicast General Rules
1. Whenever it is necessary to create an (S,G) entry and a corresponding parent (*,G) does not exist, a new (*,G) entry is automatically created first.
2. The RPF interface is computed as the interface with the lowest cost path (based on administrative distance / metric) to the IP address of the source (or, in the case of a sparse mode (*,G) entry, the RP). If multiple interfaces have the same cost, the interface with the highest IP address is chosen as the tie breaker.
3. When a new (S,G) entry is created, its outgoing interface list (OIL) is initially populated with a copy of the outgoing interface list from its parent (*,G) entry.
4. The incoming interface (RPF interface) of a multicast forwarding entry must never appear in its outgoing interface list.
5. The RPF interface (that is, the incoming interface) of every multicast state entry is recalculated every 5 seconds and the outgoing interface list is adjusted appropriately based on General Rule 4 (to prevent the incoming interface from appearing in the outgoing interface list).
6. Additions or deletions to the outgoing interface list of a (*,G) entry are replicated (within the constraints of General Rule 4) to all associated (S,G) entries for the group.

PIM Dense Mode Rules
1. The outgoing interface list of a dense mode (*,G) entry reflects the interfaces where (1) other PIM-DM neighbors exist or (2) directly connected members of the group exist.
2. Outgoing interfaces in dense mode (S,G) entries are not removed as a result of Prunes. Instead they are marked as Prune/Dense and left in the outgoing interface list. When a new PIM neighbor is added to the list of PIM neighbors on an interface, the interface is reset to Forward/Dense state in all PIM-DM (S,G) outgoing interface lists.

PIM Sparse Mode Rules
1. A sparse mode (*,G) entry is created as a result of an Explicit Join operation.
2. The incoming interface of a sparse mode (*,G) entry always points up the shared tree toward the RP.
3. A sparse mode (S,G) entry is created under the following conditions:
   Receipt of an (S,G) Join/Prune message
   On a last-hop router when it switches to the SPT
   Unexpected arrival of (S,G) traffic when no (*,G) state exists
   At the RP when a Register message is received (this is identical to Rule 1)
4. An interface is added to the outgoing interface list of a sparse mode (*,G) or (S,G) entry in either of the following conditions:
   When an appropriate (*,G) or (S,G) Join is received via this interface
   When a directly connected member of the group exists on the interface
5. An interface is removed from the outgoing interface list of a sparse mode (*,G) or (S,G) entry in either of the following situations:
   When an appropriate (*,G) or (S,G) Prune (that is not overridden) is received via this interface (and where there is no directly connected member)
   When the interface's expiration timer counts down to zero
   (Notice this rule never allows a Prune state to exist in a sparse mode OIL)
6. The expiration timer of an interface is reset to 3 minutes as a result of either of the following conditions:
   An appropriate (*,G) or (S,G) Join is received via this interface
   An IGMP Membership Report is received from a directly connected member on this interface
7. Routers will send an (S,G) RP-bit Prune up the shared tree when the RPF neighbor for this (S,G) entry is different from the RPF neighbor of the (*,G) entry.
8. The RPF interface (that is, the incoming interface) of a sparse mode (S,G) entry is calculated by using the IP address of the source except when the RP-bit is set, in which case the IP address of the RP is used.

Proxy-Join Timer Rules
1. The Proxy-Join timer for an (S,G) entry is (re)started under the following conditions:
   A nonatomic (*,G) Join is received on the incoming interface of the (S,G) entry from other than the RPF neighbor toward the source S.
   In the RP, when an (S,G) entry is created as a result of the receipt of a Register message and the (*,G) entry has a non-null OIL.
2. Proxy-Join timers are not stopped by any direct event. Instead, they are simply allowed to time out if not restarted by the receipt of a nonatomic (*,G) Join.
3. While the Proxy-Join timer is running on an (S,G) entry, the router will perform the following steps:
   Send periodic (S,G) Joins toward source S
   Suppress sending (S,G) Prunes toward source S
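The General Rules above as state bookkeeping, written as an added example for these notes (not Cisco code). The small table applies Rules 1, 3, 4 and 6: creating an (S,G) first creates the parent (*,G) if it is missing, the new (S,G) starts with a copy of the parent's OIL, the RPF (incoming) interface never stays in an OIL, and later changes to the (*,G) OIL are replicated to every (S,G) of the group. Rule 5's periodic RPF recalculation is exposed as recalc_rpf(); RPF interfaces are supplied by the caller so the block needs no routing table. Group and interface names are constructed.

```python
"""Mroute state bookkeeping for the General Rules (added example, not from the notes)."""


class MrouteTable:
    def __init__(self):
        self.star_g = {}   # group -> {"oil": set of interface names}
        self.s_g = {}      # (source, group) -> {"rpf": iface, "oil": set}

    def ensure_star_g(self, group):
        """Rule 1: the parent (*,G) exists before any (S,G) for the group."""
        return self.star_g.setdefault(group, {"oil": set()})

    def create_sg(self, source, group, rpf_iface):
        parent = self.ensure_star_g(group)
        oil = set(parent["oil"])          # Rule 3: copy the parent's OIL
        oil.discard(rpf_iface)            # Rule 4: never the incoming interface
        entry = {"rpf": rpf_iface, "oil": oil}
        self.s_g[(source, group)] = entry
        return entry

    def add_oif(self, group, iface):
        """Add to the (*,G) OIL and replicate to its (S,G) children (Rule 6, within Rule 4)."""
        self.ensure_star_g(group)["oil"].add(iface)
        for (_, g), entry in self.s_g.items():
            if g == group and iface != entry["rpf"]:
                entry["oil"].add(iface)

    def remove_oif(self, group, iface):
        """Remove from the (*,G) OIL and from its (S,G) children (Rule 6)."""
        self.ensure_star_g(group)["oil"].discard(iface)
        for (_, g), entry in self.s_g.items():
            if g == group:
                entry["oil"].discard(iface)

    def recalc_rpf(self, source, group, new_rpf):
        """Rule 5: the RPF interface changed, so re-apply Rule 4 to the OIL.
        The old RPF interface re-enters the OIL only if the parent forwards on it."""
        entry = self.s_g[(source, group)]
        old_rpf, entry["rpf"] = entry["rpf"], new_rpf
        entry["oil"].discard(new_rpf)
        if old_rpf in self.star_g[group]["oil"]:
            entry["oil"].add(old_rpf)
        return entry

    def forwarding_interfaces(self, source, group):
        """Interfaces a packet from source to group is copied out of (sorted)."""
        return sorted(self.s_g[(source, group)]["oil"])


if __name__ == "__main__":
    t = MrouteTable()
    t.add_oif("239.1.1.1", "Ethernet1")       # receivers on Ethernet1 and Serial0
    t.add_oif("239.1.1.1", "Serial0")
    t.create_sg("10.1.1.1", "239.1.1.1", "Serial0")   # source is reached via Serial0
    print("(S,G) OIL:", t.forwarding_interfaces("10.1.1.1", "239.1.1.1"))
    t.add_oif("239.1.1.1", "Ethernet2")       # a new join on the (*,G) propagates
    print("(S,G) OIL:", t.forwarding_interfaces("10.1.1.1", "239.1.1.1"))
```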
PIM State Flags
  D - Dense mode
  C - Connected, a receiver is directly connected
  L - Local, router is a member of this group (PIM-RP discovery / 224.0.1.40 / PIM-SM)
  P - Pruned, indicates that the router has been pruned
  T - SPT-bit, indicates that the router is an active member of the SPT, on all (S,G)
  J - Joined SPT, on all (*,G)'s
  S - Sparse Mode
SM Specific Flags
  X - Proxy Join timer flag
  F - Register bit, indicates that the software is registering for a multicast source.
  R - RP bit, indicates that the (S,G) entry is pointing toward the RP. This is typically a prune state along the shared tree for a particular source.
RPF Check
When a multicast packet arrives on an interface, the RPF process checks to ensure that this incoming interface is the outgoing interface used by unicast routing to reach the source of the multicast packet. This RPF check process prevents loops.

Static Mroutes
When using a GRE tunnel for multicasting through multiple routers that don't support multicasting, you need a static mroute to join to the tunnel.
It's important to understand that static mroutes aren't like regular static routes: they don't alter the path multicast traffic takes, they only modify the RPF interface (the interface you expect it to come in on).
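The RPF check and the static-mroute distinction above, modelled as an added example for these notes (not Cisco code). A packet passes only if it arrived on the interface unicast routing would use to reach its source, and a static mroute changes that expected interface without touching where traffic is forwarded. One assumption beyond the text: static mroutes are consulted before the unicast table for the RPF lookup, which is how IOS treats ip mroute entries. The routes and interface names are constructed.

```python
"""RPF check with a static mroute (added example, not from the notes)."""

import ipaddress


class RpfChecker:
    def __init__(self):
        self.unicast = []         # (network, interface) from the unicast routing table
        self.static_mroutes = []  # (network, interface) from 'ip mroute'

    def add_route(self, prefix: str, iface: str):
        self.unicast.append((ipaddress.ip_network(prefix), iface))

    def add_static_mroute(self, prefix: str, iface: str):
        self.static_mroutes.append((ipaddress.ip_network(prefix), iface))

    @staticmethod
    def _longest_match(table, addr):
        best = None
        for net, iface in table:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return None if best is None else best[1]

    def unicast_interface(self, source: str):
        """Interface unicast routing uses toward the source (None if no route)."""
        return self._longest_match(self.unicast, ipaddress.ip_address(source))

    def rpf_interface(self, source: str):
        """Expected incoming interface: static mroute first, then the unicast table."""
        addr = ipaddress.ip_address(source)
        return self._longest_match(self.static_mroutes, addr) or self.unicast_interface(source)

    def rpf_check(self, source: str, incoming_iface: str) -> bool:
        """True when the packet may be forwarded; False is an RPF failure (packet dropped)."""
        expected = self.rpf_interface(source)
        return expected is not None and expected == incoming_iface


if __name__ == "__main__":
    r = RpfChecker()
    r.add_route("0.0.0.0/0", "Serial0")
    r.add_route("10.1.1.0/24", "Ethernet0")
    # multicast from 192.168.5.0/24 is carried over a GRE tunnel through
    # non-multicast routers, so the expected incoming interface is the tunnel
    r.add_static_mroute("192.168.5.0/24", "Tunnel0")
    for src, iface in [("10.1.1.5", "Ethernet0"), ("10.1.1.5", "Serial0"),
                       ("192.168.5.9", "Tunnel0"), ("192.168.5.9", "Serial0")]:
        print(f"{src} in on {iface}: unicast via {r.unicast_interface(src)}, "
              f"RPF via {r.rpf_interface(src)} -> {'forward' if r.rpf_check(src, iface) else 'RPF fail'}")
```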
Load-balancing over equal cost paths
Scenario: Two routers, each with e0, s0 and s1, connected by both serial interfaces. Set up a GRE tunnel between them and add PIM to e0 on both sides. The source of the tunnel is the local e0; the destination is the other router's e0. The traffic will be automatically split between the two serial links.

Stub Multicast Networks
R1
ip multicast-routing
int s0
 ip pim neighbor-filter 1
access-list 1 deny host 10.1.1.2
R2
ip multicast-routing
int eth0
 ip pim sparse-mode
 ip igmp helper-address 10.1.1.1
int s0
 ip pim sparse-dense-mode

Three Different Modes of Operation
  Dense-mode             all routers forward
  Sparse-mode *1         no router forwards
  Sparse-dense mode *2   either mode
*1 Needs a rendezvous point configured
*2 Can use Auto-RP
# ip pim dense-mode
# ip pim sparse-mode
# ip pim sparse-dense-mode
# ip pim send-rp-announce
22.4.1. Dense Mode
(*,G) is the parent; its interface list indicates neighbors. (S,G) is a child; its outgoing interface list comes from the parent.
PIM-DM does not support NBMA networks.
The RPF interface is calculated with the lowest administrative distance / metric to the IP address of the source.
There is no RP for Dense-Mode.
PIM-DM uses a 3-minute flood-prune cycle.
PIM-DM uses a 30 second broadcast to 224.0.0.13 for hellos. For PIM version 1 the address is 224.0.0.2 for hellos and it uses IGMP.
PIM-DM uses a DR; the highest IP address is assigned.
PIM-DM sends prunes:
  If traffic arrives on a non-RPF ptp interface
  Leaf router and no receivers
  Non-leaf on ptp that has a pruned neighbor
  Non-leaf on LAN with no receivers
(Overall, if the router has no receivers it will prune.)
PIM-DM only knows about subnets that have receivers on them and not hosts.

PIM-DM Configuration
R1
ip multicast-routing
int e0
 ip address 172.16.1.1 255.255.255.0
 ip pim sparse-dense-mode   (Best way to implement)
R2
ip multicast-routing
int e0
 ip address 172.16.1.2 255.255.255.0
 ip pim sparse-dense-mode   (Best way to implement)
22.4.2. Sparse-Mode
PIM-SM uses an explicit join.
PIM-SM uses a rendezvous point.
PIM-SM routers send join / prune messages every 60 seconds; otherwise a 3-minute timeout would prune them.
PIM-SM uses shared trees and SPTs; when an SPT switchover takes place the shared-tree path gets pruned.
PIM-SM can use the Auto-RP feature to aid in network management.
Keeps a list of hosts / members in the routing table.
When routers join a multicast group they join the RPT tree and not the RP.
Unlike PIM-DM, PIM-SM removes the routing table entries when it receives a prune message. You will never see a prune / sparse entry in the mroute table with PIM-SM.
NBMA Networks
ip pim nbma-mode is only useful for PIM sparse-mode. If you're using PIM sparse mode in a hub-and-spoke partial mesh, you can use the command ip pim nbma-mode on the hub router. If your Frame Relay is a full mesh, you don't need the ip pim nbma-mode command. The ip pim nbma-mode command makes PIM treat the network as a collection of point-to-point links. Dialer interfaces can also use this command.
Auto-RP and NBMA Networks
For Auto-RP to work with NBMA networks you must configure ip pim nbma-mode and place the mapping agents on the inside network of the hub. If the mapping agent must be behind one of the spokes, that spoke has to be fully meshed with the other routers.
Bootstrap Router (BSR)
BSR works on all manufacturers' routers. It is the PIM version 2 method to automatically define an RP. A BSR is elected the same way a root bridge is elected for spanning tree. A higher bsr-priority will change which router is the BSR. BSR messages are flooded every 60 seconds and candidate RPs (C-RPs) send their advertisements by unicast to the BSR.
BSR messages contain all the C-RPs (known as the RP-set) and the routers use a hash algorithm to select the RP. Since all routers know about all C-RPs, failover is fast. If two C-RPs are configured the multicast workload is divided between them, unlike Auto-RP where one would only be a failover. The workload is divided by the hash algorithm when the RPs are selected. BSR messages use 224.0.0.13 and are sent with a TTL of one; routers that receive them re-multicast them out their interfaces. This is the hop-by-hop flooding of BSR messages.
Auto-RP
When configuring an RP candidate make sure the TTL parameter is sufficient to reach all the mapping agents. Also make sure the scope for the mapping agents is sufficient to reach all the routers; otherwise a router would operate in dense mode. Mapping agents join the Cisco-RP-Announce (224.0.1.39) group to find the RP candidates. Once the mapping agents know the RPs they advertise this information by multicasting Cisco-RP-Discovery messages (224.0.1.40). Multiple mapping agents can be configured for redundancy. A good practice is to configure two RPs and have each one also be a mapping agent. All Cisco routers learn about the active Group-to-RP mapping by automatically joining the Cisco-RP-Discovery (224.0.1.40) multicast group. If there are two routers set for Auto-RP, the highest IP address will become the RP. If no RP exists the routers go into dense mode.
PIM-SM with RP
R1
ip multicast-routing
int s0
 ip pim sparse-mode
int s1
 ip pim sparse-mode

R2
ip multicast-routing
ip pim rp-address r1
int s0
 ip pim sparse-mode
PIM-SM with Auto-RP
R1
ip multicast-routing
ip pim send-rp-announce serial 2 scope 10    ! Used to configure the RP candidate.
ip pim send-rp-discovery scope 10            ! Used to configure the mapping agent.
int s0
 ip pim sparse-mode

R2
ip multicast-routing
int s0
 ip pim sparse-mode
PIM-SM with Auto-RP and Group-List
R1
ip multicast-routing
ip pim send-rp-announce serial 0 scope 10 group-list 10
ip pim send-rp-discovery scope 10
int s0
 ip pim sparse-mode
access-list 10 permit 239.254.0.0 0.0.255.255
access-list 10 permit 224.0.0.0 7.255.255.255
Permits this router to be the RP for:
239.254.0.0 - 239.255.255.255
224.0.0.0 - 231.255.255.255
PIM-SM with Auto-RP and Mapping Filter
R1
ip multicast-routing
ip pim send-rp-announce serial 0 scope 10
ip pim send-rp-discovery scope 10
ip pim rp-announce-filter rp-list 10 group-list 20
int s0
 ip pim sparse-mode
access-list 10 permit host 172.16.5.1
access-list 10 permit host 172.16.6.1
access-list 20 deny 239.0.0.0 0.255.255.255
access-list 20 permit 224.0.0.0 15.255.255.255
This allows only RP announcements from hosts 172.16.5.1 and 172.16.6.1, and only for multicast groups 224 - 238.
Last-Ditch RP
ip pim rp-address 172.16.5.1 10
access-list 10 deny 224.0.1.39
access-list 10 deny 224.0.1.40
access-list 10 permit any
This defines a static RP; if this RP fails, all multicast traffic will stop and not revert to dense mode.
PIM Sparse and Dense Mode
R1
ip multicast-routing
ip pim send-rp-announce serial 0 scope 10 group-list 10
ip pim send-rp-discovery scope 10
int s0
 ip pim sparse-dense-mode
access-list 10 permit 224.1.1.0 0.0.0.255
Permits this router to be the RP for:
224.1.1.0 - 224.1.1.255
If all the routers are configured like this, 224.1.1.0 would operate in sparse mode since an RP is available, and all the other multicast groups would operate in dense mode.
BSR and Group-List
R1
ip multicast-routing
ip pim border
This command stops the flow of BSR messages into another PIM domain.
ip pim rp-candidate serial 0 group-list 10    ! Specifies the C-RP
ip pim bsr-candidate serial 0 30 50 interval 30
Specifies the BSR candidate; 30 is the hash mask length and 50 is the priority. A mask of 30 (0xFFFFFFFC) would make 4 groups per RP: 239.0.0.0 - 239.0.0.3 would be assigned to r1 and the next 4 to r2, until all the addresses are divided. The interval parameter is the RP failover timer; a BSR will fail over when 90 seconds (3x the interval) have gone by.
int s0
 ip pim sparse-mode
access-list 10 permit 239.254.0.0 0.0.255.255
access-list 10 permit 224.0.0.0 7.255.255.255
Permits this router to be the RP for:
239.254.0.0 - 239.255.255.255
224.0.0.0 - 231.255.255.255
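The hash-mask behaviour described above can be checked with the RP hash function from RFC 2362 / RFC 4601 section 4.7.2. The following Python is an added example, not part of the original book; the candidate RP addresses 172.16.5.1 and 172.16.6.1 are reused from the filter configuration earlier in this chapter as constructed inputs. It shows that every group in a 4-address block (hash mask length 30) hashes to the same RP, and that which RP takes which block is decided by the hash value, so the split between RPs can be inspected before relying on it.

```python
import ipaddress


def _ip(a):
    return int(ipaddress.ip_address(a))


def bsr_hash_value(group, hash_mask_len, rp):
    """RFC 2362 / RFC 4601 section 4.7.2 RP hash:
    Value(G,M,C) = (1103515245 * ((1103515245 * (G & M) + 12345) XOR C) + 12345) mod 2^31
    where G is the group, M the hash mask and C the candidate RP address."""
    mask = (0xFFFFFFFF << (32 - hash_mask_len)) & 0xFFFFFFFF
    inner = (1103515245 * (_ip(group) & mask) + 12345) & 0xFFFFFFFF
    return (1103515245 * (inner ^ _ip(rp)) + 12345) % (1 << 31)


def select_rp(group, hash_mask_len, candidate_rps):
    """The C-RP with the highest hash value wins; ties go to the highest RP address."""
    return max(candidate_rps,
               key=lambda rp: (bsr_hash_value(group, hash_mask_len, rp), _ip(rp)))


def group_blocks(first_group, hash_mask_len, count, candidate_rps):
    """Map `count` consecutive blocks of 2^(32-mask) groups, starting at the block
    containing first_group, to their RP. Returns a list of (first, last, rp)."""
    size = 1 << (32 - hash_mask_len)
    start = _ip(first_group) & ((0xFFFFFFFF << (32 - hash_mask_len)) & 0xFFFFFFFF)
    blocks = []
    for i in range(count):
        lo = start + i * size
        first = str(ipaddress.ip_address(lo))
        last = str(ipaddress.ip_address(lo + size - 1))
        blocks.append((first, last, select_rp(first, hash_mask_len, candidate_rps)))
    return blocks


def rp_distribution(first_group, hash_mask_len, count, candidate_rps):
    """How many blocks each C-RP ends up serving."""
    counts = {rp: 0 for rp in candidate_rps}
    for _, _, rp in group_blocks(first_group, hash_mask_len, count, candidate_rps):
        counts[rp] += 1
    return counts


# Constructed candidate RPs (addresses borrowed from the filter example above).
CANDIDATE_RPS = ["172.16.5.1", "172.16.6.1"]

if __name__ == "__main__":
    for first, last, rp in group_blocks("239.0.0.0", 30, 8, CANDIDATE_RPS):
        print(f"{first} - {last} -> RP {rp}")
    print(rp_distribution("239.0.0.0", 30, 64, CANDIDATE_RPS))
```

The output of show ip pim rp-hash on a router should agree with select_rp for the same group, mask length and RP-set; a disagreement usually means the routers do not all hold the same RP-set.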
Filtering RP routers
ip pim accept-rp 172.16.1.1 group-list 10
ip pim accept-rp 172.16.5.1 group-list 10
access-list 10 permit 224.1.1.0 0.0.0.255
This allows routers 172.16.1.1 and 172.16.5.1 to become the RP for all 224.1.1.0 traffic. This makes only 224.1.1.0 traffic operate in sparse mode; everything else will be in dense mode.

ip pim accept-rp auto-rp
This filter makes sure the RP comes from the Auto-RP Group-to-RP mapping and cannot be used for groups 224.0.1.39 or 224.0.1.40.

ip pim accept-rp 0.0.0.0 group-list 10
access-list 10 permit 224.1.1.0 0.0.0.255
This allows any router to be the RP for 224.1.1.0, so only this multicast address will operate in sparse mode; all other multicast groups will operate in dense mode.
22.5. MULTIPROTOCOL BGP (MBGP)
Configuring MBGP
router bgp 100
 no bgp default ipv4-unicast
 neighbor 192.168.1.2 remote-as 200
 neighbor 192.168.1.2 activate
 address-family ipv4 multicast
  neighbor 192.168.1.2 activate
 exit-address-family
sh ip bgp ipv4 unicast
sh ip bgp ipv4 multicast
22.6. MULTICAST SOURCE DISCOVERY PROTOCOL (MSDP)
MSDP is spoken between the RPs of different ASs; this allows each RP to discover sources known by other RPs. It uses TCP port 692 for its peering connections. MSDP shares the source information with its peers by sending Source Active (SA) messages. These messages contain the address of the source, the group address, and the IP address of the originating RP.
By default Cisco routers do not cache SAs; you can enable caching with:
ip msdp cache-sa-state
To enable a Cisco router to send SA requests use the command:
ip msdp sa-request
Mesh Groups
You can use MSDP to create a mesh group; this allows all the routers to share the RP responsibilities, and RP failover is only a matter of unicast routing protocol convergence.
r1
int loopback 0
 ip address 10.100.1.1 255.255.255.0
int loopback 1
 ip address 10.100.254.1 255.255.255.0
 ip pim sparse-dense-mode
!
router ospf 1
 network 0.0.0.0 255.255.255.255 area 0
 router-id 10.100.1.1
!
router bgp 6500
 bgp router-id 10.100.1.1
 neighbor CCIE peer-group
 neighbor CCIE remote-as 6500
 neighbor CCIE update-source loopback 0
 neighbor 10.100.1.2 peer-group CCIE
 !
 address-family ipv4 multicast
  neighbor 10.100.1.2 activate
 exit-address-family
!
ip pim rp-address 10.100.1.1
ip pim send-rp-discovery loopback1 scope 20
ip msdp peer 10.100.1.2 connect-source loopback 0
ip msdp description 10.100.1.2 to r2
ip msdp mesh-group CCIE 10.100.1.2
ip msdp cache-sa-state
ip msdp originate-id loopback0

r2
int loopback 0
 ip address 10.100.1.2 255.255.255.0
int loopback 1
 ip address 10.100.254.1 255.255.255.0
 ip pim sparse-dense-mode
!
router ospf 1
 network 0.0.0.0 255.255.255.255 area 0
 router-id 10.100.1.2
!
router bgp 6500
 bgp router-id 10.100.1.2
 neighbor CCIE peer-group
 neighbor CCIE remote-as 6500
 neighbor CCIE update-source loopback 0
 neighbor 10.100.1.1 peer-group CCIE
 !
 address-family ipv4 multicast
  neighbor 10.100.1.1 activate
 exit-address-family
!
ip pim rp-address 10.100.1.2
ip pim send-rp-discovery loopback1 scope 20
ip msdp peer 10.100.1.1 connect-source loopback 0
ip msdp description 10.100.1.1 to r1
ip msdp mesh-group CCIE 10.100.1.1
ip msdp cache-sa-state
ip msdp originate-id loopback0
Configuring MSDP
ip msdp peer 192.168.1.1 connect-source loopback 0
sh ip msdp peer
22.7. TROUBLESHOOTING COMMANDS
sh ip igmp groups
sh ip mcache
sh ip mroute
sh ip mroute sum
sh ip mroute count
sh ip mroute active
sh ip pim neighbor
sh ip pim int
sh ip pim rp
sh ip pim rp mapping in-use
sh ip pim rp-hash
sh ip pim bsr-router
sh ip rpf
sh ip route
mrinfo
mtrace
mstat
deb ip pim
deb ip igmp
22.8. INTERNET MULTICAST ADDRESSES
239.0.0.0 to 239.255.255.255 are reserved, like private addresses.
224.0.0.0 to 224.255.255.255 are reserved for special purposes.
224.0.0.0    Base Address (Reserved)               [RFC1112,JBP]
224.0.0.1    All Systems on this Subnet            [RFC1112,JBP]
224.0.0.2    All Routers on this Subnet            [JBP]
224.0.0.3    Unassigned                            [JBP]
224.0.0.4    DVMRP Routers                         [RFC1075,JBP]
224.0.0.5    OSPF IGP OSPF IGP All Routers         [RFC2328,JXM1]
224.0.0.6    OSPF IGP OSPF IGP Designated Routers  [RFC2328,JXM1]
224.0.0.7    ST Routers                            [RFC1190,KS14]
224.0.0.8    ST Hosts                              [RFC1190,KS14]
224.0.0.9    RIP2 Routers                          [RFC1723,GSM11]
224.0.0.10   IGRP Routers                          [Farinacci]
224.0.0.11   Mobile-Agents                         [Bill Simpson]
224.0.0.12   DHCP Server / Relay Agent             [RFC1884]
224.0.0.13   All PIM Routers                       [Farinacci]
224.0.0.14   RSVP-ENCAPSULATION                    [Braden]
224.0.0.15   all-cbt-routers                       [Ballardie]
224.0.0.16   designated-sbm                        [Baker]
224.0.0.17   all-sbms                              [Baker]
224.0.0.22   IGMP                                  [Deering]
224.0.0.23   GLOBECAST-ID                          [Scannell]
224.0.0.25   router-to-switch                      [Wu]
224.0.1.1    NTP Network Time Protocol             [RFC1119,DLM1]
224.0.1.9    MTP Multicast Transport Protocol      [SXA]
224.0.1.21   DVMRP on MOSPF                        [John Moy]
224.0.1.33   RSVP-encap-1                          [Braden]
224.0.1.34   RSVP-encap-2                          [Braden]
224.0.1.39   cisco-rp-announce                     [Farinacci]
224.0.1.40   cisco-rp-discovery                    [Farinacci]
22.9. QUICK CONFIGURATION GUIDES
Router - sparse mode
1. Global> ip multicast-routing
2. Global> ip pim rp-address 192.168.1.1 1    // on every router
3. Interface> ip pim sparse-mode    ; on every interface
4. Interface> ip igmp join-group 224.x.x.x    (optional, router will respond) (have pim also!!!)
5. Interface> ip cgmp    ; for those hooked to Catalysts
Router - sparse mode auto RP
1. Global> ip multicast-routing
2. Global> ip pim send-rp-announce scope
   Global> ip pim send-rp-discovery scope
3. Interface> ip pim sparse-mode    ; on every interface
4. Interface> ip igmp join-group 224.x.x.x    (optional, router will respond)
5. Interface> ip cgmp    ; for those hooked to Catalysts
Router - sparse-dense mode auto RP
1. Global> ip multicast-routing
2. Global> ip pim send-rp-announce scope
   Global> ip pim send-rp-discovery scope
3. Interface> ip pim sparse-dense-mode    on every interface except joined (sparse)!
4. Interface> ip igmp join-group 224.x.x.x    (optional, router will respond, make sparse mode)
5. Interface> ip cgmp    ; for those hooked to Catalysts
Router - dense mode
1. Global> ip multicast-routing
2. Interface> ip pim dense-mode    ; on every interface
3. Interface> ip igmp join-group 224.x.x.x    (optional, router will respond)
4. Interface> ip cgmp    ; for those hooked to Catalysts
NBMA network
Configure PIM sparse mode.
Interface (all logical)> ip pim nbma-mode
Switch
set cgmp enable
set multicast router    to manually set the port the multicast router is on
show multicast router
show multicast group
23. Security
Configure Terminal Access Controller Access Control System (TACACS)
Lock and Key
username cisco password cisco    - different than the one used to actually telnet to the router
username cisco autocommand access-enable timeout 5
access-list 100 dynamic testname permit ip any any
access-list 100 permit tcp any [router-ip] eq telnet log    - allow authentication
23.1. TACACS
tacacs-server last-resort succeed
-or-
tacacs-server last-resort password
line vty 0 4
 login tacacs
23.2. NETWORK ADDRESS TRANSLATION (NAT)
Inside Local Address – internal network, private, illegal addresses
Inside Global Address – registered inside address, registered addresses
Outside Local Address – outside registered address translated locally
Outside Global Address – outside registered address
When does the routing decision occur?
Outbound packets --- routing done first, then NAT
Inbound packets --- NAT first, then route
IG addresses are mapped to IL addresses, and OL are mapped to OG addresses. Global-to-local addresses are mapped for both inside and outside. Addresses can be statically or dynamically mapped. Static mappings are one-to-one, a local to a global. Dynamic mappings can be many-to-one or one-to-many.
When an entry is first put into the NAT table a translation timer is started; the default is 24 hours / 86,400 seconds. Change the time with the ip nat translation timeout command. It is important to make sure the translation timer is small enough, or the NAT pool large enough, so that the dynamic address pool never runs out.
FTP, Web and Mail servers must use static NAT assignments.
If IPSec is used with NAT, NAT must be on the secure / unencrypted side.
Cisco's trace command uses ICMP packets and MS Windows uses UDP packets.
SMTP     TCP 25
Syslog   UDP 514
TFTP     UDP 69
FTP      TCP 20,21
HTTP     TCP 80
"inside destination" (TCP load sharing) - ICMP and UDP are not recognized by access lists. Use a route-map to get a 'fully extended' translation entry.
23.2.1. Basic NAT Configuration
Steps
1 – Define the NAT pool (addresses to use)
ip nat pool CCIE 192.108.1.1 192.108.1.254 netmask 255.255.255.0
2 – Define the NAT inside addresses (addresses to convert)
ip nat inside source list 1 pool CCIE
3 – Define which interfaces are participating in the NAT process (implement on the interface)
int e0
 ip nat inside
int s0
 ip nat outside
Basic Configuration
ip nat pool CCIE 192.108.1.1 192.108.1.254 netmask 255.255.255.0
ip nat inside source list 1 pool CCIE
int e0
 ip nat inside
int s0
 ip nat outside
access-list 1 permit 10.99.34.0 0.0.0.255
23.2.2. Port Address Translation (Overload)
Configuration for (PAT) Overloading Inside Addresses
ip nat pool CCIELAB 137.20.20.1 137.20.20.1 netmask 255.255.255.0
ip nat inside source list 1 pool CCIELAB overload
int s0
 ip add 10.10.1.2
 ip nat out side
interface Ethernet0
 ip add 137.20.20.1
 ip nat inside
access-list 1 permit 10.10.0.0 0.0.255.255
Configuration for Overlapping Addresses
ip nat pool CCIELAB 137.20.20.1 137.20.20.1 netmask 255.255.255.0
ip nat inside source list 1 pool CCIELAB overload
ip nat outside source static 10.1.1.1 2.2.2.2
or
ip nat pool outside-local 2.2.2.1 2.2.2.4 netmask 255.255.255.0
ip nat outside source list 2 pool outside-local
int s0
 ip add 10.10.1.2
 ip nat outside
interface Ethernet0
 ip add 137.20.20.1
 ip nat inside
access-list 1 permit 10.10.0.0 0.0.255.255
23.2.3. TCP Load Sharing
Configuration for TCP Load Sharing 1
ip nat pool CCIELAB 137.20.20.41 137.20.20.42 prefix-length 24 type rotary
ip nat inside destination list 1 pool CCIELAB
!
int s0
 ip add 10.10.1.2
 ip nat outside
int e0
 ip add 137.20.20.1
 ip nat inside
access-list 1 permit 137.20.20.11 0.0.255.255    (Global Load Sharing Address)
How this works:
Match IP address 137.20.20.11
Replace with 137.20.20.41 and 137.20.20.42 on a round-robin basis (rotary)
Configuration for TCP Load Sharing 2
R2
ip nat pool shared-hosts 172.16.3.3 172.16.3.4 prefix-length 24 type rotary
ip nat inside destination list 1 pool shared-hosts
int e0
 ip nat inside
int s0
 ip nat outside
router rip
 netw 172.16.0.0
access-list 1 permit 172.16.3.4
23.2.4. Dynamic NAT
Dynamic NAT
ip nat inside source static 192.1.1.1 10.140.1.2
ip nat pool natlab 10.117.1.1 10.117.1.254 netmask 255.255.255.0
ip nat inside source list 10 pool natlab
access-list 10 permit 192.1.1.1
int lo0
 ip addr 192.1.1.1 255.255.255.0
 ip nat inside
int serial 0
 ip nat outside
ip route 10.117.1.0 255.255.255.0 10.140.1.2
23.2.5. NAT on a Stick
interface Loopback1
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
 ip policy route-map nat
!
interface Ethernet0
 ip address 172.16.2.1 255.255.255.0 secondary
 ip address 75.102.181.33 255.255.255.0
 ip nat outside
!
ip nat inside source list 1 interface Ethernet0 overload
ip route 0.0.0.0 0.0.0.0 Loopback1
!
access-list 1 permit 172.16.0.0 0.0.255.255
route-map nat permit 10
 set ip next-hop 75.102.181.1
!
23.2.6. NAT Timers
Dynamic translations will time out after 24 hours, excluding overloading. To change:
ip nat translation timeout           Change dynamic translations
ip nat translation udp-timeout       Change UDP, default is 300
ip nat translation dns-timeout       Change DNS, default is 60
ip nat translation tcp-timeout       Change TCP, default is 24 hours
ip nat translation finrst-timeout    Change finish and reset, default is 60
Lab Example: Configure NAT on vlan 2. Host addresses are 1.1.1.1 to 1.1.1.253. Use the valid 14-host network on r5's E0 as valid addresses (into the rest of the network). Make sure that the other routers see the 170.100.42.x route but not the 1.1.1.0 network.
ip nat pool InsideIP 170.100.42.242 170.100.42.254 prefix-length 28
ip nat inside source list 1 pool InsideIP
access-list 1 permit 1.1.1.0 0.0.0.255 log
int e0
 ip address 170.100.42.241 255.255.255.240
 ip address 1.1.1.254 255.255.255.0 secondary
 ip nat inside
int s0.0.1
 ip nat outside
int s0.0.2
 ip nat outside
router igrp 100
 network 170.100.0.0
Examples

NAT Summaries
Network Address Translation (NAT)
Port Address Translation (Overload)
ip nat inside source list 1 pool CCIELAB overload
ip nat pool CCIELAB 137.20.20.1 137.20.20.1 netmask 255.255.255.0
TCP Load Sharing
ip nat inside destination list 1 pool CCIELAB
ip nat pool CCIELAB 137.20.20.41 137.20.20.42 prefix-length 24 type rotary
Dynamic NAT
ip nat inside source static 192.1.1.1 10.140.1.2
ip nat inside source list 10 pool natlab
ip nat pool natlab 10.117.1.1 10.117.1.254 netmask 255.255.255.0
NAT on a Stick
ip nat inside source list 1 interface Ethernet0 overload
interface Loopback1
 ip nat inside
 ip policy route-map nat
interface Ethernet0
 ip address 172.16.2.1 255.255.255.0 secondary
 ip nat outside
ip route 0.0.0.0 0.0.0.0 Loopback1
route-map nat permit 10
 set ip next-hop 75.102.181.1
Troubleshooting NAT
show ip nat statistics
show ip nat translation
debug ip nat
debug ip nat detailed    Displays what L4 protocols are being translated
clear ip nat statistics
clear ip nat translations
23.3. AUTHENTICATION, AUTHORIZATION, AND ACCOUNTING
aaa new-model
aaa authentication login default local
aaa authentication ppp default radius
aaa authentication ppp isdn tacacs+ local
!
username RtrB password 0 cisco
!
int bri0
 encap ppp
 ppp auth chap isdn
!
tacacs-server host 2.2.2.2
tacacs-server key tacaskey
radius-server host 2.2.2.2 auth-port 1645 acct-port 1646
radius-server key radiuskey
Configuration
aaa new-model
aaa authentication local-override
aaa authentication login default tacacs+
aaa authentication login backdoor enable
aaa authentication ppp default tacacs+
aaa authorization exec tacacs+
aaa authorization network tacacs+
aaa accounting exec start-stop tacacs+
aaa accounting network start-stop tacacs+
!
username student password cisco
!
line console 0
 login authentication backdoor
tacacs-server host 2.2.2.2
tacacs-server key tacaskey
23.4. IPSEC
Transport mode – payload encrypted, header left alone.
Tunnel mode – payload/header encrypted and become the payload of a new IP packet.
RFC 1825, 1826, 1827
Encryption Interface to Interface
isakmp:
crypto isakmp policy 20
 authentication pre-share
 lifetime 50000
crypto isakmp key 1234567890 address 192.168.0.77
ipsec:
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map toRemoteSite 10 ipsec-isakmp
 set peer 192.168.0.77
 set transform-set myset
 match address 101
access-list 101 permit ip any any    ; from the sender's standpoint
Encryption Tunnel to Tunnel - Note crypto on both the tunnel and E0!!
crypto isakmp policy 20
 authentication pre-share
 lifetime 10000
crypto isakmp key 1234567890 address 192.168.1.3
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map toRemoteSite 10 ipsec-isakmp
 set peer 192.168.1.3
 set transform-set myset
 match address 101
interface Tunnel0
 ip address 1.1.1.4 255.255.255.0
 tunnel source Ethernet0
 tunnel destination 192.168.1.3
 crypto map toRemoteSite
interface Ethernet0
 ip address 192.168.1.4 255.255.255.0
 crypto map toRemoteSite
access-list 101 permit gre 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
GRE Tunneling
GRE will let you encapsulate IPX or AppleTalk protocols through it. IPSec will do IP only. IPSec tunnels do not support multicasts or broadcasts. You can carry multicast traffic over a GRE tunnel, allowing you to run routing protocols, use multicast, etc. Remember that when using GRE tunnels, you apply the crypto map to both the tunnel interface and the serial/outbound interface in order for the encryption to occur.
Crypto - Policy, Key, Transform, Map, Apply (PKTMA)
With IPSec you define what traffic should be protected between two IPSec peers by configuring access lists and applying these access lists to interfaces by way of crypto map sets. Therefore, traffic may be selected based on source and destination address, and optionally Layer 4 protocol and port.
Uses two security services:
AH for authentication – no encryption, only authentication.
ESP for payload encryption – encrypts the payload or the entire packet. ESP can also provide authentication.
ESP = OUT Encrypt / Authentication IN
IPSec has two modes:
Transport Mode – end stations provide security, so they must run IPSec. The IP payload is encrypted.
Tunnel Mode – the network provides security; IPSec runs on routers. The entire packet is encrypted.
Security Associations (SA) define what, who and how to protect the data. An SA is unidirectional, so 4 SAs are needed for one connection. The Security Policy Database (SPD) contains all the SAs.
Define the traffic to be secured with ACLs.
IPSec uses IKE for security. IKE provides authentication, creates the IPSec key, and negotiates the SA. The hash algorithm has two options: SHA-1 and MD5. The authentication method has three options: RSA signatures, RSA encrypted nonces, and pre-shared keys (pre-share, RSA-Sig, RSA-Encr). RSA-Sig needs a certificate authority.
IKE uses UDP port 500
IPSec AH = IP protocol 51
IPSec ESP = IP protocol 50
IPSec is layer 3
If you are using SSL, then you may be concerned with TCP/UDP ports 448.
IPSec works with the following serial encapsulations: High-Level Data-Link Control (HDLC), Point-to-Point Protocol (PPP), and Frame Relay.
IPSec also works with the GRE and IP in IP Layer 3, L2F, L2TP, DLSw+, and SRB tunneling protocols; however, multipoint tunnels are not supported. Other Layer 3 tunneling protocols may not be supported for use with IPSec.
Encryptions
Diffie-Hellman
A public-key cryptography protocol which allows two parties to establish a shared secret over an insecure communications channel. Diffie-Hellman is used within IKE to establish session keys. 768-bit and 1024-bit Diffie-Hellman groups are supported.
DES
The Data Encryption Standard (DES) is used to encrypt packet data. Cisco IOS implements the mandatory 56-bit DES-CBC with Explicit IV. Cipher Block Chaining (CBC) requires an initialization vector (IV) to start encryption. The IV is explicitly given in the IPSec packet. For backwards compatibility, Cisco IOS IPSec also implements the RFC 1829 version of ESP DES-CBC.
MD5 (HMAC variant)
Message Digest 5 is a hash algorithm. HMAC is a keyed hash variant used to authenticate data.
SHA (HMAC variant)
Secure Hash Algorithm is a hash algorithm. HMAC is a keyed hash variant used to authenticate data.
RSA Signatures and RSA encrypted nonces
RSA is the public key cryptographic system developed by Ron Rivest, Adi Shamir, and Leonard Adleman. RSA signatures provide non-repudiation while RSA encrypted nonces provide repudiation.
X.509v3 certificates
Used with the IKE protocol when authentication requires public keys. This certificate support allows the protected network to scale by providing the equivalent of a digital ID card to each device. When two devices wish to communicate, they exchange digital certificates to prove their identity (thus removing the need to manually exchange public keys with each peer or to manually specify a shared key at each peer).
Define the Transform Set
ah-md5-hmac    ah-sha-hmac    ah-rfc1828
esp-des        esp-3des       esp-rfc1829
esp-md5-hmac   esp-sha-hmac   esp-null
crypto ipsec transform-set transform-set-name transform1 transform2
23.4.1. Configuring IPSec
Define Interesting Traffic
Ensure IPSec is not being blocked over the path: UDP port 500, IP protocols 50 and 51.
access-list 111 permit udp host 201.1.1.1 host 202.2.2.1 eq 500
access-list 111 permit esp host 201.1.1.1 host 202.2.2.1
access-list 111 permit ahp host 201.1.1.1 host 202.2.2.1
access-list 111 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
Define crypto ACL – What traffic do you want to encrypt?
access-list 120 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 121 permit ip 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255
One ACL per SA.
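An added Python example (not from the original book) that parses constructed IPv4 packets and decides whether they are the IKE (UDP 500), ESP (IP protocol 50) or AH (IP protocol 51) traffic that the path access list above must let through between the two peers. The peer addresses are those of access-list 111; the SPI and sequence values, the helper names and the sample packets are made up for the example. It is the check to run when a tunnel will not come up and a firewall between the peers is suspected.

```python
import struct

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 6, 17, 50, 51
IKE_PORT = 500


def ip_bytes(a):
    return bytes(int(o) for o in a.split("."))


def ip_str(b):
    return ".".join(str(o) for o in b)


def build_ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (no options, checksum left zero) in front of payload.
    Used only to construct sample packets for this example."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ip_bytes(src), ip_bytes(dst))
    return hdr + payload


def classify(pkt):
    """Parse the IPv4 header and the first bytes of the IPsec/IKE headers."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    body = pkt[(ver_ihl & 0x0F) * 4:]
    info = {"src": ip_str(src), "dst": ip_str(dst), "proto": proto, "kind": "other"}
    if proto == IPPROTO_ESP and len(body) >= 8:
        info["spi"], info["seq"] = struct.unpack("!II", body[:8])   # ESP: SPI, sequence
        info["kind"] = "ESP"
    elif proto == IPPROTO_AH and len(body) >= 12:
        next_hdr, _, _, spi, seq = struct.unpack("!BBHII", body[:12])  # AH: next, len, rsvd, SPI, seq
        info.update(kind="AH", spi=spi, seq=seq, next_header=next_hdr)
    elif proto == IPPROTO_UDP and len(body) >= 8:
        sport, dport = struct.unpack("!HH", body[:4])
        info.update(sport=sport, dport=dport,
                    kind="IKE" if IKE_PORT in (sport, dport) else "UDP")
    return info


def path_acl_permits(pkt, peer_a, peer_b):
    """Mirror of the 'ensure IPSec is not blocked' list: between the two peers,
    only IKE (UDP/500), ESP (50) and AH (51) are allowed through."""
    info = classify(pkt)
    return {info["src"], info["dst"]} == {peer_a, peer_b} and info["kind"] in ("IKE", "ESP", "AH")


# Constructed sample packets between the peers of access-list 111.
PEER_A, PEER_B = "201.1.1.1", "202.2.2.1"
IKE_PKT = build_ipv4(IPPROTO_UDP, PEER_A, PEER_B,
                     struct.pack("!HHHH", 500, 500, 12, 0) + b"\x00" * 4)
ESP_PKT = build_ipv4(IPPROTO_ESP, PEER_A, PEER_B,
                     struct.pack("!II", 0x1000, 1) + b"\xaa" * 8)
AH_PKT = build_ipv4(IPPROTO_AH, PEER_B, PEER_A,
                    struct.pack("!BBHII", IPPROTO_TCP, 4, 0, 0x2000, 7) + b"\x00" * 12)
TCP_PKT = build_ipv4(IPPROTO_TCP, PEER_A, PEER_B,
                     struct.pack("!HH", 40000, 80) + b"\x00" * 16)
STRAY_ESP = build_ipv4(IPPROTO_ESP, "198.51.100.9", PEER_B,
                       struct.pack("!II", 0x1000, 1) + b"\xaa" * 8)

if __name__ == "__main__":
    for name, pkt in (("IKE", IKE_PKT), ("ESP", ESP_PKT), ("AH", AH_PKT),
                      ("TCP", TCP_PKT), ("stray ESP", STRAY_ESP)):
        print(name, classify(pkt), "permitted:", path_acl_permits(pkt, PEER_A, PEER_B))
```

The same classifier applied to a capture from the outside interface shows at a glance which of the three protocols is missing from one direction; ESP and AH carry no port numbers, so a device that only understands TCP/UDP ports will drop them silently.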
Phase I Setup – IKE SA
Configure IKE Policy – Authentication method (CA, RSA)
crypto isakmp policy 1
 hash md5                    ! Default hash is sha, which is more secure
 authentication pre-share
If peers can accept the following policy, then use it.
crypto isakmp policy 2
 authentication pre-share    ! Other options are rsa-encr and rsa-sig (default); RSA encryption and signature are for use with a CA
 group 2                     ! Defines the modulus for Diffie-Hellman: group 1 = 768 bits (default), group 2 = 1024 bits
 lifetime 360                ! Lifetime is in seconds (default is one day – 86400)
Configure IKE Key – defines the pre-shared authentication key of the peers
crypto isakmp key itsnotverysecret address 201.1.1.1
Phase II Setup – IPSec SA
Define Transform Set – hashing, encryption, mode
crypto ipsec transform-set mydessha esp-des esp-sha-hmac
crypto ipsec transform-set myothermd5 esp-des esp-md5-hmac
The default mode is tunnel; add mode transport to the transform set for transport mode.
Define Crypto Map – match peers to SAs and ACLs
Use the simple map for sha to one peer and md5 for another peer.
crypto map SimpleMap 10 ipsec-isakmp
 set peer 201.1.1.1
 set transform-set mydessha
 match address 120
crypto map ComplexMap 20 ipsec-isakmp
 set peer 204.4.4.1
 set transform-set myothermd5
 match address 121
Data Transfer
Apply Crypto to Interface
interface serial 0
 crypto map SimpleMap
interface serial 1
 crypto map ComplexMap
IPSec Terminates
23.4.2. Quick Notes
Traffic
Permit ACL (500,50,51)
Define ACL
ACL 120 permit any any
Phase I (ISA)
ISA Policy
crypto isakmp policy 1
 hash md5
 auth pre-share
 lifetime 360
ISA Key
crypto isa key mykey address
Phase II (IPSec)
IPSec Transform
crypto ipsec transform-set JK esp-des esp-md5-hmac
Map
crypto map jkmap 10 ipsec-isakmp
 set peer 10.1.1.10
 set transform-set JK
 match address 120
Transfer
Apply Map
int s0
 crypto map jkmap
23.4.3. Basic IPSec over Tunnel (Works)
R3
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key mykey address 5.5.5.5
!
crypto ipsec transform-set r3 esp-des esp-sha-hmac
!
crypto map gre local-address Loopback0
!
crypto map gre 10 ipsec-isakmp
 set peer 5.5.5.5
 set transform-set r3
 match address 101
interface Loopback0
 ip address 3.3.3.3 255.255.255.0
 no ip directed-broadcast
interface Tunnel1
 ip address 10.10.10.3 255.255.255.0
 no ip directed-broadcast
 tunnel source 1.1.1.3
 tunnel destination 1.1.1.5
 tunnel mode ipip
 crypto map gre
interface Serial0/1
 ip address 1.1.1.3 255.255.255.0
 no ip directed-broadcast
 encapsulation ppp
 clockrate 2000000
 crypto map gre
router rip
 network 10.0.0.0
ip route 0.0.0.0 0.0.0.0 1.1.1.5
access-list 106 permit gre host 10.254.253.2 host 10.254.254.1
access-list 106 permit gre host 10.254.254.1 host 10.254.253.2

R5
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key mykey address 3.3.3.3
crypto ipsec transform-set r5 esp-des esp-sha-hmac
crypto map gre local-address Loopback0
crypto map gre 10 ipsec-isakmp
 set peer 3.3.3.3
 set transform-set r5
 match address 101
interface Loopback0
 ip address 5.5.5.5 255.255.255.0
 no ip directed-broadcast
interface Loopback2
 ip address 20.20.20.1 255.255.255.0
 no ip directed-broadcast
interface Tunnel1
 ip address 10.10.10.5 255.255.255.0
 no ip directed-broadcast
 tunnel source 1.1.1.5
 tunnel destination 1.1.1.3
 tunnel mode ipip
 crypto map gre
interface Serial0/1
 ip address 1.1.1.5 255.255.255.0
 no ip directed-broadcast
 encapsulation ppp
 crypto map gre
router rip
 passive-interface Serial0/1
 passive-interface Tunnel1
 network 10.0.0.0
 network 20.0.0.0
 neighbor 10.10.10.3
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.1.3
access-list 106 permit gre host 10.254.253.1 host 10.254.254.2
access-list 106 permit gre host 10.254.254.2 host 10.254.253.1
23.4.4. GRE Tunnel
Makes IPSec more stable: configure two GRE tunnels (primary and backup) and use a routing protocol to provide the backup, rather than IPSec / IKE SA keepalives.
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco123 address 172.18.45.1
crypto ipsec transform-set one esp-des esp-md5-hmac
 mode transport
crypto map gre 10 ipsec-isakmp
 set peer 172.18.45.1
 set transform-set one
 match address gre1
interface Tunnel0
 ip address 10.4.1.1 255.255.255.0
 tunnel source 172.18.31.1
 tunnel destination 172.18.45.1
 crypto map gre
interface Ethernet0
 ip address 10.2.1.1 255.255.255.0
interface Serial0
 ip address 172.18.31.1 255.255.255.0
 crypto map gre
ip route 172.18.0.0 255.255.0.0 serial0
router eigrp 100
 network 10.0.0.0
ip access-list extended gre1
 permit gre host 172.18.31.1 host 172.18.45.1
23.4.5. IP and IPX over Frame-Relay
For those of you who are interested, the following final configs encrypt both IP and IPX through a GRE tunnel that spans a frame-relay WAN.

Router1:
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key tunnel address 10.1.1.4 255.0.0.0
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
!
crypto map crypmap 15 ipsec-isakmp
 set peer 10.1.1.4
 set transform-set cisco
 match address 100
!
interface Tunnel4
 no ip address
 ipx network 1441
 tunnel source Serial0
 tunnel destination 10.1.1.4
 crypto map crypmap
!
interface Ethernet0
 mac-address 0001.0001.0001
 ip address 1.1.1.1 255.0.0.0
 no ip mroute-cache
 no keepalive
 ipx network 11
!
interface Serial0
 ip address 10.1.1.1 255.0.0.0
 encapsulation frame-relay
 no ip mroute-cache
 frame-relay lmi-type ansi
 crypto map crypmap
!
ip route 4.4.4.4 255.255.255.255 10.1.1.4
access-list 100 permit ip host 10.1.1.1 host 10.1.1.4

Router2:
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key tunnel address 10.1.1.1 255.0.0.0
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
!
crypto map crypmap 15 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set cisco
 match address 100
!
interface Tunnel1
 no ip address
 ipx network 1441
 tunnel source Serial0
 tunnel destination 10.1.1.1
 crypto map crypmap
!
interface Ethernet0
 mac-address 0004.0004.0004
 ip address 4.4.4.4 255.0.0.0
 no ip mroute-cache
 no keepalive
 ipx network 44
 no cdp enable
!
interface Serial0
 ip address 10.1.1.4 255.0.0.0
 encapsulation frame-relay
 no ip mroute-cache
 no fair-queue
 frame-relay lmi-type ansi
 crypto map crypmap
!
ip route 1.1.1.1 255.255.255.255 10.1.1.1
access-list 100 permit ip host 10.1.1.4 host 10.1.1.1
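The crypto-map pairs in 23.4.3 to 23.4.5 all depend on a handful of settings agreeing on both ends. The following consistency check is an added example, not code from the book or from Cisco: it models only the settings that must match (peers, key binding, transform set, that the referenced ACL exists, and mirror-image crypto ACLs) and reports every mismatch. The sample data is transcribed from the R3 / R5 configuration in 23.4.3; run against it, the check reports that both crypto maps do a match address 101 while only access-list 106 is defined, and that the two ACLs are not mirror images of each other. The corrected_pair function is a constructed fix of those two points.

```python
"""Pre-flight consistency check for a pair of site-to-site IPSec crypto maps.

Added example, not from the book. It models only the settings that must agree
on both ends of a tunnel and reports every mismatch, so that obvious config
errors are caught before anyone has to read debug crypto output.
"""
from dataclasses import dataclass, replace
from typing import List, Set, Tuple

AclEntry = Tuple[str, str, str]  # (protocol, source host, destination host)


@dataclass
class CryptoSide:
    name: str
    local_addr: str             # address the router sources ISAKMP/IPSec from
    peer: str                   # "set peer" in the crypto map
    psk: str                    # pre-shared key
    key_addr: str               # "crypto isakmp key <psk> address <key_addr>"
    transform: Tuple[str, ...]  # transform-set contents
    match_acl: int              # "match address <n>"
    defined_acls: Set[int]      # access-list numbers that actually exist
    acl: List[AclEntry]         # entries of the crypto ACL that match_acl names


def mirror(acl: List[AclEntry]) -> List[AclEntry]:
    """Swap source and destination: the shape the far side's ACL must have."""
    return [(proto, dst, src) for proto, src, dst in acl]


def check_pair(a: CryptoSide, b: CryptoSide) -> List[str]:
    """Return a human-readable finding for every mismatch between two ends."""
    findings: List[str] = []
    for side in (a, b):
        if side.match_acl not in side.defined_acls:
            findings.append(
                f"{side.name}: crypto map matches ACL {side.match_acl}, but only "
                f"ACL(s) {sorted(side.defined_acls)} are defined")
    if a.peer != b.local_addr or b.peer != a.local_addr:
        findings.append("set peer does not match the other side's local address")
    if a.key_addr != b.local_addr or b.key_addr != a.local_addr:
        findings.append("ISAKMP key is bound to an address the peer does not use")
    if a.psk != b.psk:
        findings.append("pre-shared keys differ")
    if set(a.transform) != set(b.transform):
        findings.append(f"transform sets differ: {a.transform} vs {b.transform}")
    if sorted(a.acl) != sorted(mirror(b.acl)):
        findings.append("crypto ACLs are not mirror images of each other")
    return findings


# Transcribed from the R3 / R5 configuration in 23.4.3 above.
R3 = CryptoSide("R3", "3.3.3.3", "5.5.5.5", "mykey", "5.5.5.5",
                ("esp-des", "esp-sha-hmac"), 101, {106},
                [("gre", "10.254.253.2", "10.254.254.1"),
                 ("gre", "10.254.254.1", "10.254.253.2")])
R5 = CryptoSide("R5", "5.5.5.5", "3.3.3.3", "mykey", "3.3.3.3",
                ("esp-des", "esp-sha-hmac"), 101, {106},
                [("gre", "10.254.253.1", "10.254.254.2"),
                 ("gre", "10.254.254.2", "10.254.253.1")])


def corrected_pair() -> Tuple[CryptoSide, CryptoSide]:
    """The same two routers with match address pointing at ACL 106 and
    R5's ACL rewritten as the mirror of R3's (a constructed fix)."""
    r3 = replace(R3, match_acl=106)
    r5 = replace(R5, match_acl=106, acl=mirror(R3.acl))
    return r3, r5


if __name__ == "__main__":
    for finding in check_pair(R3, R5):
        print("MISMATCH:", finding)
    print("after correction:", check_pair(*corrected_pair()) or "clean")
```

The same check applies to the Router1 / Router2 pair in 23.4.5 by filling in a CryptoSide for each; there the crypto ACL is `permit ip host A host B` on one side and `permit ip host B host A` on the other, which is exactly the mirror relationship the check enforces.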
23.4.6. Troubleshooting IKE and IPSec
show crypto isakmp policy
show crypto isakmp sa
show crypto map [interface interface | tag map-name]
show crypto dynamic-map
show crypto ipsec transform-set
show crypto ipsec sa [map map-name | address | identity] [detail]
show crypto ipsec security-association lifetime

debug crypto ipsec   Displays the IPSec negotiations of phase 2.
debug crypto isa   Displays the phase 1 negotiations.
debug crypto engine   Displays the traffic that is encrypted.

show crypto engine connections active
This shows each SA, with counters for each packet that is encrypted or decrypted, and is very easy to read.

Make sure that on the dial access routers you have:
no logging console
service timestamps debug datetime msec
service timestamps log datetime msec
modem-call-record terse

Conditional Debugging allows debug output to be turned on and off based on username, calling number / called number, or interface:
debug condition {username | called | caller}
debug condition interface

Debugs affected by the condition:
debug aaa {accounting | authorization | authentication}
debug dialer {events | packets}
debug isdn {q921 | q931}
debug modem {oob | trace}
debug ppp {all | auth | chap | error | negotiation | multilink | packet}

Displaying active user information:
show caller username jeff
24. Voice
Read - Integrating Voice and Data Networks
You can use the undocumented command csim start to have a VoIP connection dial.

24.1. VOIP
Voice (the RTP media stream) uses UDP ports; VoIP call control uses TCP ports.
TCP 1720 is H.225.
UDP 16383-32767 is RTP voice packets (RFC 1889).
The UDP port for VoIP is 16384 to 16384+4N, where N is the number of voice calls that the router can support. The full range of UDP ports is 16384 to 32768.
TCP 11000-11999 is H.245.

VoIP Call Control Protocols
H.323 = TCP 1719-1720, 11000-11999
Skinny = TCP 2000-2200
ICCP = TCP 8001-8002
CTI (TAPI/JTAPI) = TCP 2748
MGCP = UDP 2427, TCP 2428
SIP – RFC 2543

Codecs convert analog voice signals to digital; they work the same way a modem does. The default codec is G.729. Voice is 64,000 bps.
FXS (Foreign Exchange Station) is used for phones. FXO (Foreign Exchange Office) is used for PBXs. E&M (Ear and Mouth) signaling is used for trunk interfaces for PBXs.
24.1.1. VoIP Example

r2
Locate and configure the FXS voice port:
show voice port
Set up the POTS and VoIP dial peers:
dial-peer voice 1 pots
 destination-pattern 7771234   (local number)
 port 1/0/0
dial-peer voice 2 voip
 destination-pattern 2221234
 session target ipv4:1.1.1.2

r7
Locate and configure the FXS voice port:
show voice port
Set up the POTS and VoIP dial peers:
dial-peer voice 1 pots
 destination-pattern 2221234   (local number)
 port 1/0/0
dial-peer voice 2 voip
 destination-pattern 7771234
 session target ipv4:1.1.1.1

Test your connection:
show dial-peer voice
24.1.2. Configuring Dial Peers
dial-peer voice tag {pots | voip | voatm | vofr}   Specifies the method of voice encapsulation.
destination-pattern string   The string can be a prefix, dial string, or the full telephone number.
prefix   Used to specify a prefix for a dial peer. Compare number expansion, e.g. num-exp 5..... 1904641 = 58161.
24.1.3.
24.1.4. General Configuration Information
FXS Ports
ring frequency {25 | 50}   (FXS ports only) Select the ring frequency (in Hertz) appropriate to the equipment attached to this voice port.
signal {loop-start | ground-start}   Select the appropriate signal type for this interface.
cptone country   Select the appropriate voice call progress tone for this interface.

Optional
num-exp   Used to specify an extension. Wildcards may be used to extend a 4-digit number to a full telephone number, e.g. num-exp 5..... 1904641 = 58161.
connection plar string   (Optional) Specify the private line auto ringdown (PLAR) connection, if this voice port is used for a PLAR connection. The string value is the destination telephone number.
music-threshold number   (Optional) Specify the threshold (in decibels) for on-hold music. Valid entries are from -70 to -30.
description string   (Optional) Attach descriptive text about this voice port connection.
comfort-noise   (Optional) Specify that background noise will be generated.
forward-digits {num-digit | all | extra}   Used to specify which digits to forward for voice calls; POTS peers only.
Note: In the destination-pattern each '.' stands for one digit.

Adjusting Voice Quality
input gain   Gain to be inserted at the receiver side.
output attenuation   Amount of loss inserted at the transmitter side.
24.1.5. Configuring VoIP

JK Quick Method (DP/DS)
On POTS peers configure destination-pattern and port.
On VoIP peers configure destination-pattern and session target.

VoIP Example
RtrA
dial-peer voice 1 pots
 destination-pattern 1111
 port 1/0/0
dial-peer voice 2 voip
 destination-pattern 2222
 session target ipv4:1.1.1.2

RtrB
dial-peer voice 1 pots
 destination-pattern 2222
 port 1/0/0
dial-peer voice 2 voip
 destination-pattern 1111
 session target ipv4:1.1.1.1
24.1.6. More Configuration Commands

Voice Port Subcommands
cptone   Sets the call progress tone; this covers all tone settings. Default is cptone us.
description   Allows you to include a description for the voice port.
shutdown   Used to activate / deactivate the port; a shutdown / no shutdown is needed for changes to take effect.
signal {loop-start | ground-start}   Specifies the type of signaling for the voice port. Loop-start is the default and allows only one side to hang up. Ground-start allows both sides of the connection to place a call and to hang up.
ring number   Specifies the maximum number of rings to be detected before answering a call over an FXO voice port. Default is 1, values are 1 to 10.
dial-type {pulse | dtmf}   Sets the dial type for out-dialing to pulse or tone, on FXO ports only.
Most of these commands will affect both ports.

Voice Activity Detection (VAD)

Timeouts Values
Pg 552-565, Integrating Voice and Data Networks

Timing Values

Compression
Configured per dial-peer on the 3600:
codec g711alaw   G.711 A-law, 64 kbps
codec g711ulaw   G.711 u-law, 64 kbps
codec g729r8   G.729, 8 kbps (default)
The codec on both dial peers must match.

Direct Inward Dial (POTS peers)
To enable the Direct Inward Dial (DID) call treatment for the incoming called number, use the direct-inward-dial dial-peer configuration command. Use the no form of this command to disable this feature.
direct-inward-dial
no direct-inward-dial
Number Expansion
You will complete the following objectives: configure the number expansion feature on routers 3640-A and 3640; test your configuration; change the configuration to create an echo.

RouterA
num-exp 5678 6555678
show num-exp   To display expansions

RouterB
num-exp
voice-port 3/0/0
 input gain 12   Changes the volume for the call

Preference
Use the preference command to indicate the default dial peer to use for a connection if two IP addresses are listed for the same number. The default is 0, and the lowest value is always preferred.
dial-peer voice 1 voip
 destination-pattern 3002
 session target ipv4:10.1.1.2
 preference 0   (won't show in the config as it is the default)
!
dial-peer voice 2 voip
 destination-pattern 3002
 session target ipv4:11.1.1.2
 preference 1
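The dial-peer rules scattered through 24.1.2 to 24.1.6 (num-exp rewriting the dialed digits, '.' in a destination-pattern standing for one digit, the most specific pattern winning, and preference breaking ties) fit together as one selection procedure. The following model is an added example, not code from the book or from Cisco IOS. It handles only the '.' wildcard, matches patterns as prefixes of the dialed number, and fills the '.' positions of a num-exp replacement from the digits captured by its pattern, left to right; these are simplifications of the real IOS behaviour. The dial peers with tags 1 to 4 and the num-exp 5678 6555678 entry are taken from the examples in this chapter; the peers with tags 5 and 6 and the wildcard num-exp entry are constructed.

```python
"""Dial-peer selection: number expansion, destination-pattern matching, preference.

Added example, not code from the book or from Cisco IOS. It models the rules
the notes describe: num-exp rewrites the dialed digits first, '.' in a
destination-pattern stands for one digit, the most specific pattern wins, and
preference (lower is better, 0 is the default) breaks ties. Only the '.'
wildcard is handled, and wildcard digits captured by a num-exp pattern fill
the '.' positions of its replacement left to right (a simplification).
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass
class DialPeer:
    tag: int
    kind: str         # "pots" or "voip"
    pattern: str      # destination-pattern; '.' matches any single digit
    target: str       # "port 1/0/0" for POTS, "ipv4:a.b.c.d" for VoIP
    preference: int = 0


def _digits_match(pattern: str, digits: str) -> bool:
    return len(pattern) == len(digits) and all(
        p == "." or p == d for p, d in zip(pattern, digits))


def expand(dialed: str, num_exp: Sequence[Tuple[str, str]]) -> str:
    """Apply the first matching num-exp entry; return the dialed string
    unchanged when none matches."""
    for ext_pattern, replacement in num_exp:
        if _digits_match(ext_pattern, dialed):
            captured = [d for p, d in zip(ext_pattern, dialed) if p == "."]
            if replacement.count(".") > len(captured):
                raise ValueError(f"num-exp {ext_pattern} {replacement}: "
                                 "replacement has more wildcards than pattern")
            wild = iter(captured)
            return "".join(next(wild) if c == "." else c for c in replacement)
    return dialed


def matched_length(pattern: str, number: str) -> Optional[int]:
    """Length of the match when the pattern matches the number as a prefix."""
    if len(pattern) <= len(number) and _digits_match(pattern, number[:len(pattern)]):
        return len(pattern)
    return None


def select_peers(dialed: str, peers: Sequence[DialPeer],
                 num_exp: Sequence[Tuple[str, str]] = ()) -> List[DialPeer]:
    """Candidate dial peers in the order the router would try them."""
    number = expand(dialed, num_exp)
    ranked = []
    for peer in peers:
        n = matched_length(peer.pattern, number)
        if n is None:
            continue
        explicit = sum(1 for c in peer.pattern if c != ".")
        # most explicit digits first, then longest match, then preference, then tag
        ranked.append(((-explicit, -n, peer.preference, peer.tag), peer))
    ranked.sort(key=lambda item: item[0])
    return [peer for _, peer in ranked]


# Tags 1-4 come from the examples in this chapter; tags 5 and 6 are constructed
# wildcard peers that show longest-match behaviour.
PEERS = [
    DialPeer(1, "pots", "7771234", "port 1/0/0"),
    DialPeer(2, "voip", "2221234", "ipv4:1.1.1.2"),
    DialPeer(3, "voip", "3002", "ipv4:10.1.1.2", preference=0),
    DialPeer(4, "voip", "3002", "ipv4:11.1.1.2", preference=1),
    DialPeer(5, "voip", "555....", "ipv4:1.1.1.3"),     # constructed
    DialPeer(6, "voip", "55513..", "ipv4:1.1.1.4"),     # constructed
]
# "num-exp 5678 6555678" is from the Number Expansion example; the wildcard
# entry is constructed.
NUM_EXP = [("5678", "6555678"), ("2...", "5551...")]


def route(dialed: str) -> List[int]:
    """Tags of the peers that would be tried for a dialed number, in order."""
    return [p.tag for p in select_peers(dialed, PEERS, NUM_EXP)]


if __name__ == "__main__":
    for number in ("3002", "7771234", "2345", "5678", "9999"):
        print(number, "->", expand(number, NUM_EXP), "->", route(number))
```

Dialing 3002 returns both 3002 peers with the preference-0 peer first, which is the hunt order the Preference section describes; dialing 2345 is expanded to 5551345 and the more explicit pattern 55513.. is tried before 555.....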
RSVP
int s0
 ip rsvp bandwidth 100 32
 fair-queue
dial-peer voice 12 voip
 req-qos controlled-load
Maximum bandwidth 100 kbps, maximum per request 32 kbps. Use on slow links, highly utilized links, or links with less than 2 Mb where you need the best voice quality.

RTP Header Compression
int s0
 ip rtp header-compression
 ip rtp compression-connections 16
Saves bandwidth on slow links; use on links slower than 2 Mb.
Interpreting Call Progress Tones
Dial tone   The device is ready to receive digits.
Busy   The call could not be completed because the remote phone at the other end was off hook. (This is the "regular busy signal.")
Fast-busy   The call could not be completed because there is an error in the path or a path to the remote side could not be found. The presence of this tone could possibly indicate that all trunks are busy or that there is a routing problem.
Ringback   The ringback signal indicates the remote end is ringing.
Reorder   The reorder signal indicates that the call cannot be placed, because of incorrect digits or an unavailable circuit.
24.2. QOS
Integrating Voice and Data Networks, Chapter 15 - pg 487, Practice QOS techniques.
Use CB-WFQ with IP RTP Priority or LLQ to prioritize VoIP packets.
CONGESTION AVOIDANCE
RED or WRED
RED or WRED should be run on your core routers. WRED drops packets with a precedence of 5 or less. Set VoIP packets to an IP precedence of 5.
Enabling WRED:
int s0
 random-detect
 random-detect exponential-weighting-constant 10
show queueing random-detect
Tuning WRED:
 random-detect precedence 5 100 101 65526
 random-detect precedence rsvp 100 101 65526
RED info – RFC 2309, www.aciri.org/floyd/red.html
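To see what the random-detect precedence thresholds above actually do to VoIP packets, the following model of the WRED drop decision is an added example, not code from the book or from Cisco IOS. It keeps the exponentially weighted average queue depth (weighting constant n gives the new sample weight 2^-n), extracts the precedence from the ToS byte as the IP PRECEDENCE section describes, and applies the per-precedence minimum threshold, maximum threshold and mark-probability denominator: no drops below the minimum, tail drop at or above the maximum, and a probability rising linearly to 1/denominator in between. The precedence-5 profile (100 101 65526) is the one tuned above; the precedence-0 profile (20 40 10) is the one used in the CB-WFQ WRED class policy later in this section; the traffic in run_sample is constructed.

```python
"""WRED drop decision per IP precedence, with the exponential average.

Added example, not code from the book or from Cisco IOS. It models the WRED
behaviour the random-detect commands configure: the router tracks an
exponentially weighted average queue depth (weighting constant n means the
new sample gets weight 2^-n), and each precedence has its own minimum
threshold, maximum threshold and mark-probability denominator.  Below the
minimum nothing is dropped; at or above the maximum everything is dropped;
in between the drop probability rises linearly to 1/denominator.
"""
import random
from typing import Dict, Tuple

Profile = Tuple[int, int, int]  # (min threshold, max threshold, mark prob denominator)


def ip_precedence(tos: int) -> int:
    """IP precedence is the three high-order bits of the ToS byte."""
    return (tos >> 5) & 0x7


class Wred:
    def __init__(self, weighting_constant: int, profiles: Dict[int, Profile]):
        self.n = weighting_constant
        self.profiles = profiles
        self.avg = 0.0  # exponentially weighted average queue depth

    def update_average(self, queue_depth: int) -> float:
        """avg_new = avg_old + (depth - avg_old) * 2^-n"""
        self.avg += (queue_depth - self.avg) / (2 ** self.n)
        return self.avg

    def drop_probability(self, precedence: int) -> float:
        lo, hi, denom = self.profiles[precedence]
        if self.avg < lo:
            return 0.0
        if self.avg >= hi:
            return 1.0
        return (self.avg - lo) / (hi - lo) / denom

    def accept(self, tos: int, queue_depth: int, rng: random.Random) -> bool:
        """Decide one arriving packet; returns True if it is enqueued."""
        self.update_average(queue_depth)
        return rng.random() >= self.drop_probability(ip_precedence(tos))


# Precedence 5 tuned as in this section (100 101 65526) so WRED practically
# never random-drops voice; precedence 0 uses the CB-WFQ example values (20 40 10).
PROFILES: Dict[int, Profile] = {0: (20, 40, 10), 5: (100, 101, 65526)}


def run_sample(packets: int = 4000, queue_depth: int = 35,
               seed: int = 1) -> Dict[int, Dict[str, int]]:
    """Feed alternating precedence-0 and precedence-5 packets (constructed
    traffic) into a queue held at a constant depth; count drops per precedence."""
    wred = Wred(10, PROFILES)
    rng = random.Random(seed)
    counts = {0: {"accepted": 0, "dropped": 0}, 5: {"accepted": 0, "dropped": 0}}
    for i in range(packets):
        prec = 5 if i % 2 else 0
        tos = prec << 5  # ToS byte with only the precedence bits set
        key = "accepted" if wred.accept(tos, queue_depth, rng) else "dropped"
        counts[prec][key] += 1
    return counts


if __name__ == "__main__":
    print(run_sample())
```

With the queue held at a depth of 35 the average creeps past the precedence-0 minimum of 20 and some precedence-0 packets are dropped, while precedence-5 packets are never touched because the average stays far below 100; only a queue that actually reaches 101 would tail-drop voice.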
CONGESTION MANAGEMENT

FIFO Queuing (no fair-queue)
On E1s or lower, disabling fair-queue enables FIFO.

Priority Queueing
Used on E1s or lower. Used when you have multiple high-priority types of traffic, such as SNA and VoIP. Four types of traffic (high, medium, normal, and low). If you have multiple VCs and want to apply separate priority groups to each VC, assign the priority queue to a map class, then apply the map class to the VC.
Example:
map-class frame-relay VOIP-FIRST
 frame-relay priority-group 1
int s0
 frame-relay interface-dlci 103
  class VOIP-FIRST
You can also send VoIP to one DLCI and all the other traffic to another DLCI.
Example:
int s0
 ip add 1.1.1.1 255.255.255.0
 frame-relay interface-dlci 102
 frame-relay interface-dlci 112
 frame-relay map ip 1.1.1.2 102 broadcast
 frame-relay priority-dlci-group 102 112 112 112
Although this looks like priority queuing, it really just redirects the high queue to 102 and the other queues to 112. Traffic is not really prioritized, only redirected.

Custom Queueing
Used on E1s or lower. Do not use on VoIP traffic: the jitter created by the queuing process will interrupt the traffic and cause delays that are too large. You can also use custom queuing on VCs, as with priority queuing.

WFQ
If you use WFQ with VoIP then you must also configure IP RTP Priority to ensure adequate performance for VoIP packets.

IP RTP Priority
The best for E1s and lower. Also known as Priority-Queuing Weighted-Fair-Queuing (PQ-WFQ). Implemented as ip rtp reserve in early IOS versions. As of 12.0(5)T it uses:
ip rtp priority 16384 100 120
16384 is the first UDP port number, 100 is the number of UDP ports to prioritize, and 120 is the maximum amount of bandwidth in kbps allowed for the priority queue. Only even ports receive priority. RTCP control packets and TCP call setup messages do not receive, or need, prioritizing. Use debug priority to monitor IP RTP Priority.

Class-Based WFQ (CB-WFQ)
Three main steps to implement CB-WFQ:
1 - Sort traffic into classes. Create class maps:
class-map VOICE
 match access-group 101
class-map WebSurfers
 match access-group 102
class-map ServerBackups
 match access-group 103
2 - Apply policies to classes. Assign 128 kbps for VoIP, 64 kbps for off-net, 256 kbps for backups. The following policy options are configurable for each class:
Minimum bandwidth during periods of congestion
FIFO queue depth for the defined class
Tail-drop or WRED behavior during congestion
Congestion thresholds and drop probabilities for WRED classes
Priority treatment for the class as a whole, which is called LLQ
FIFO or WFQ behavior for the default class
Number of WFQ conversations for the default class
Basic Class Policy
policy-map RemoteOffices
 class ServerBackups
  bandwidth 256
  queue-limit 64   (FIFO queue with the default depth of 64 packets)
WRED Class Policy
policy-map RemoteOffices
 class WebSurfers
  bandwidth 256
  random-detect
  random-detect exponential-weighting-constant 10
  random-detect precedence 0 20 40 10
Priority Class Policy (also known as PQ-CBWFQ or LLQ)
policy-map RemoteOffices
 class VOICE
  priority 256   (VoIP should be priority)
  queue-limit 32
Default Class Policy
policy-map RemoteOffices
 class class-default   (the default class must be called class-default)
  fair-queue 512
  queue-limit 64
3 - Assign a service policy to an interface. Create three loopbacks and use each loopback address in the ACL for its class; point the dial peers to different loopbacks based on call type.
Applying the service policy:
int s0
 service-policy output RemoteOffices
show policy-map RemoteOffices
show policy interface serial 0
IP PRECEDENCE
Used mostly for high-bandwidth and WRED networks. The goal is to minimize or eliminate WRED dropping VoIP packets. IP Precedence is the three high-order bits of the TOS field in the IP header.

IP Precedence   Priority
0   Routine
1   Priority
2   Immediate
3   Flash
4   Flash-override
5   Critical
6   Internet
7   Network

IP precedence values 6 and 7 are assigned to routing protocols, control messages, and essential network traffic. For user data, including VoIP, 5 is the highest that can be assigned. The default for all data is 0.
There are three ways to set the IP precedence value:
Route maps
route-map SetPrecedence permit 10
 match ip address 101
 set ip precedence critical
int s0
 ip policy route-map SetPrecedence
 ip route-cache policy
Dial peers
dial-peer voice 1 voip
 ip precedence 5
RSVP
int s0
 ip rsvp precedence conform 5
 ip rsvp precedence exceed 0
Be careful when using this technique: VoIP traffic could get changed to 0 and then dropped, even if the dial-peer precedence is set.
RSVP
This is only needed if your network has other vendors' equipment on it, or some VoIP traffic does not originate on a network that you can manage.
Example:
dial-peer voice 108 voip
 destination-pattern +14085551234
 req-qos controlled-load
 session target ipv4:10.0.0.8
In this example, every time a connection is made through VoIP dial peer 108, an RSVP reservation request is made between the local router, all intermediate routers in the path, and the final destination router.
int s0
 ip rsvp bandwidth 240 24
This allocates 24 kbps per flow, and up to 240 kbps for all flows. A G.729 VoIP call uses 8 kbps, plus 16 kbps for IP overhead (only 3 kbps is needed if header compression is used). Therefore, this configuration supports 10 calls. RSVP does not consider header compression when configuring bandwidth needs; if you configure the flow or total flow kbps assuming header compression, it will not work.
Use the neighbor command to specify which hosts are allowed to make RSVP reservations. NetMeeting clients, IP phones, or H.323 terminals could make reservations if you do not restrict it to voice routers only.
Example:
int s0
 ip rsvp neighbor 199
access-list 199 permit ip host 172.10.10.1 any
You can also limit by UDP ports, using the 16384 – 32768 VoIP ports. (Lab: limit the RSVP hosts that can initiate a reservation by using an extended ACL.)
Monitoring RSVP:
show ip rsvp ?
LINK FRAGMENTATION / INTERLEAVING (LFI)
Used to reduce the serialization delay associated with large packets in mid-transmission. This functions at layer two, so each layer two technology has its own way to implement LFI.
Frame-Relay
Three methods for frame-relay:
Cisco Proprietary   Used with VoFR on 3810s.
FRF.11 Annex C   Used with VoFR.
FRF.12 end-to-end   Used on PVCs with VoIP traffic, or interfaces that have subinterfaces with data and VoIP traffic. Not supported on 2500 routers.
FRF.12 Example:
int serial 0.0
 frame-relay traffic-shaping
 frame-relay interface-dlci 102
  class TrafficShape
map-class frame-relay TrafficShape
 frame-relay fragment 320   (FRF.12 fragments must be larger than VoIP packets)
 frame-relay fair-queue 64 256 0
TRAFFIC SHAPING AND POLICING
Traffic shaping places the traffic into queues for manageability. Traffic policing discards traffic that is in excess, causing retransmissions, and should not be used with VoIP. CAR is a type of traffic policing. If any part of the VC is being used for voice or real-time traffic, then you must not exceed the CIR for the VC. If you want to allow data traffic to burst above the CIR, then you must put the data traffic in a separate VC.
Frame-Relay Traffic Shaping
When the CIR is equal to the port speed, you do not have to configure FRTS, except for VoFR.
Three steps to configure FRTS:
1 – Create a frame-relay map class and define the traffic-shaping parameters.
map-class frame-relay TrafficShape
 frame-relay fair-queue
 no frame-relay adaptive-shaping
 frame-relay mincir out 128000
 frame-relay cir out 128000
 frame-relay be out 0
 frame-relay bc out 1280
 frame-relay fragment 160
2 – Assign the frame-relay map class to a VC, interface, or subinterface.
int s0.1 point-to-point
 frame-relay interface-dlci 102
  class TrafficShape
3 – Enable FRTS on the interface that contains the VC.
int s0
 frame-relay traffic-shaping

Rules for FRTS for VoIP
1 - Set mincir and cir to the contracted CIR. If fragmentation is used, set mincir and cir a little lower than the actual CIR.
2 - Disable adaptive-shaping.
3 - Set Be to zero.
4 - Set Bc to one percent of CIR.
5 – Enable fragmentation and interleaving, and set the fragment size to Bc. Remember Bc is set in bits and the fragment parameter is set in bytes.
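The five FRTS rules above turn a contracted CIR into a map-class, and the TrafficShape example (CIR 128000, Bc 1280, fragment 160) is one instance of them. The following derivation is an added example, not code from the book or from Cisco: it applies the rules, renders the resulting map-class, and adds the two checks a practitioner wants, namely that the fragment is larger than a voice packet (the FRF.12 requirement stated earlier) and the serialization delay one fragment adds at the access rate. The 60-byte G.729 packet size (20 bytes of payload plus 40 bytes of IP/UDP/RTP headers) is an assumption, not a figure from the book.

```python
"""Derive FRTS map-class parameters for VoIP from the contracted CIR.

Added example, not code from the book or from Cisco IOS. Applies the five
rules: mincir = cir = CIR, adaptive shaping off, Be = 0, Bc = 1% of CIR (bits),
fragment = Bc converted from bits to bytes.
"""
from typing import Dict

G729_PACKET_BYTES = 60  # assumption: 20 ms G.729 sample + IP/UDP/RTP headers


def frts_params(cir_bps: int, cir_margin_bps: int = 0) -> Dict[str, int]:
    """Map-class values for a VC whose contracted CIR is cir_bps.

    cir_margin_bps lets you set mincir/cir "a little lower" than the actual
    CIR when fragmentation is in use (rule 1)."""
    if cir_bps <= 0 or cir_margin_bps < 0 or cir_margin_bps >= cir_bps:
        raise ValueError("CIR must be positive and margin smaller than CIR")
    cir = cir_bps - cir_margin_bps
    bc = cir_bps // 100          # rule 4: Bc is 1% of CIR, in bits
    return {
        "mincir": cir,           # rule 1
        "cir": cir,              # rule 1
        "be": 0,                 # rule 3
        "bc": bc,                # rule 4
        "fragment": bc // 8,     # rule 5: fragment size in bytes
    }


def render_map_class(name: str, p: Dict[str, int]) -> str:
    """Render the parameters in IOS map-class form (rule 2 disables adaptive shaping)."""
    return "\n".join([
        f"map-class frame-relay {name}",
        " frame-relay fair-queue",
        " no frame-relay adaptive-shaping",
        f" frame-relay mincir out {p['mincir']}",
        f" frame-relay cir out {p['cir']}",
        f" frame-relay be out {p['be']}",
        f" frame-relay bc out {p['bc']}",
        f" frame-relay fragment {p['fragment']}",
    ])


def fragment_fits_voice(fragment_bytes: int,
                        voice_packet_bytes: int = G729_PACKET_BYTES) -> bool:
    """FRF.12 fragments must be larger than the VoIP packets they interleave with."""
    return fragment_bytes > voice_packet_bytes


def serialization_delay_ms(frame_bytes: int, rate_bps: int) -> float:
    """Time to clock one frame of frame_bytes onto a link running at rate_bps."""
    return frame_bytes * 8 * 1000 / rate_bps


if __name__ == "__main__":
    params = frts_params(128000)
    print(render_map_class("TrafficShape", params))
    print("fragment larger than a voice packet:", fragment_fits_voice(params["fragment"]))
    print("fragment serialization delay at 128 kbps: %.1f ms"
          % serialization_delay_ms(params["fragment"], 128000))
```

For the 128 kbps example the derived values reproduce the map-class on the page, a 160-byte fragment clears the assumed 60-byte voice packet, and each fragment takes 10 ms to serialize at 128 kbps, which is the delay bound the fragment size buys you.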
Generic Traffic Shaping
int s0
 traffic-shape rate 128000 1280 0 512
HEADER COMPRESSION
Always use RTP header compression with VoIP.
TCP header compression
int serial 0
 ip tcp header-compression
 ip tcp compression-connections 96
RTP header compression
int serial 0/0
 ip rtp header-compression
 ip rtp compression-connections 96
TROUBLESHOOTING QUEUING
Use show interface s0 to display the queuing method per interface. No dropped packets means there is no congestion. Use show queueing to display the queuing information.
24.2.1. Show commands
show num-exp   Displays all the telephone number expansions configured for this router. This is the only new command here.
show interface
show voice port   Display configuration and voice interface card-specific information about a specific voice port.
show voice call   Show the call status for all voice ports on the Cisco MC3810.
show voice dsp   Show the current status of all DSP voice channels.
show dial-peer voice   Display the configuration for all VoIP and POTS dial peers configured for the router.
show call active voice   Display the contents of the active call table.
show call history   Display the call history table.
show dialplan number   Determine whether or not you have a dial plan / dial peer match.
24.2.2. Debug commands
debug vpm signal   Collect debug information only for signaling events.
debug voice all
debug voice cpx
debug voice eecm
debug voice protocol
debug voice signaling
debug voip ccapi inout   Shows how a call flows through the system.
undebug all   Stop all debugging.
debug voip ccapi error   Traces the error logs in the call control API, showing error events or unexpected behavior in system software.
debug vpm spi   Verify that the output string the router dials is correct.
debug cch323 rtp   Check RTP packet transport.
debug cch323 h225   Check the call setup.
24.2.3. Troubleshooting and Verifying VoIP Connectivity
show call active voice   Verify connectivity during a call.
debug voip ccapi inout
debug voip
show dialplan   Use on both the local and remote routers; verify that the data is configured correctly.
show num-exp (if number expansion is configured)   Check that the partial number on the local router maps to the correct full E.164 telephone number on the remote router.
24.2.4. Voice Troubleshooting Methodology
Test the Call; Listen to the Signal
When a problem is encountered in completing a VoIP call, first listen to the audible signals produced along the path of the call. Ask the following questions:
1 - Is there a dial tone?
If there is no dial tone, check the following hardware connections: the telephone, the cables connecting to the phone, and the power to the router. (See the sidebar "Hardware Troubleshooting Tips" for details.) If there is a dial tone present, go on to Step 2.
2 - Can you place a call successfully?
If no, do the following: check the dial plan to make sure the number you are trying to call is correctly mapped and is included in the dial plan; listen to make sure the next type of signal expected is heard; check the network connections. If you can dial and hear a ringback, go on to Step 3.
3 - Can the called party successfully receive the call?
If no, check the connections and configuration of the remote router, including its dial plan. If yes, proceed to Step 4.
4 - How is the quality of service (QoS) for the call?
If the call is completed but the quality is poor, do the following: check the bandwidth, echo, and delay settings; try a different coder/decoder (CODEC); check the appropriate QoS. If the call is complete and the quality is good, go on to Step 5.
5 - Is the problem with the call intermittent?
If yes, check for interface resets, look for port lockups, and check the supervisory signals (such as the disconnect signal, ACKs, answer supervision signaling). See "Signaling" for complete details. If no, no fault is found.
Common Problems
No Dial Tone   Means you have not proceeded past the first call leg.
Slow busy signal   The voice port of the remote router (3640-b) is shut down. Use debug voip ccapi inout.
Misconfigured Dial Peer   Originator hears a brief silence, then a fast-busy signal. (The actual cause of the problem: the dial-peer statement on 3640-a is misconfigured; it is set to 5556666 instead of 5551234.) Use debug voip ccapi inout.
Misconfigured Session Target   The call originator hears silence followed by a fast-busy signal. (The actual cause of the problem: the session target for 3640-a is misconfigured; it is set to 10.10.10.10 instead of 1.1.1.2.)
Symptoms / Troubleshooting Tips / Command to Use

No Dial Tone
Tips: Are all cables connected? Is a cable bad? Is a phone bad? Is the cable connected to the FXS port? (An FXO port does not provide dial tone.) Is the attached router configured for loopstart or groundstart? (Groundstart does not provide a dial tone.) Check the router at the phone that has no dial tone.
Commands: show voice port port, where port is the voice port number (valid entries are either 0 or 1); check for configuration information, including loopstart or groundstart. debug vpm signal collects debug information about signaling events, such as detection of a ring, a call connection, or a disconnect.

Silence (dead air) followed by Fast Busy
Tips: Is the destination IP address reachable using ping? (The fast-busy signal means the number dialed is unreachable.) Is the dial-peer statement correct?
Commands: ping ip-address to confirm IP connectivity. show dial-peer voice to verify that the operational status of the dial peer is up. Make sure that both VoIP peers have been configured with the same CODEC value, if you are using CODECs.

Fast Busy
Tips: Is the destination IP address reachable? Is the dial-peer statement correct?
Commands: ping ip-address; show dial-peer voice.

Phone doesn't ring (no Ringback)
Tips: Visually check the router. Do you see the green LED on the router on the correct voice port? Are all cables connected?
Commands: show voice port; debug vpm signal; show dial-peer voice.

Busy
Tips: Is the remote phone off-hook? (In this case, wait and try again.)
Commands: show voice port; debug vpm signal; show dial-peer voice.
APPENDIX A.
POPULAR PORTS
For access-lists:
BGP uses TCP port 179
RIPv1 uses UDP port 520
OSPF uses protocol 89 and dest. address 224.0.0.5
EIGRP uses protocol 88
IGRP uses protocol 9
DLSw uses TCP 2065 and 2067; if prioritization is used - TCP 1981, 1982, 1983
ESP (IPSec) uses protocol 50
AH (IPSec) uses protocol 51
GRE uses protocol 47
ISAKMP uses UDP port 500
IGMP (2)
PIM (103)
ICMP (1)
NTP UDP 123
TACACS (47, 65)
DHCP (bootp) (67 and 68)
Microsoft NetBIOS UDP (137, 138, 139)
H323, H225 1719, 1720
http://www.iana.org/assignments/port-numbers
http://www.isi.edu/in-notes/iana/assignments/protocol-numbers
APPENDIX B.
REFERENCE MATERIAL