Advanced Boot Camp Day 1 to 4

Advanced Boot camp Day 1 to Day 4 Technology Labs. CCIE Routing and Switching Boot Camp Day 1 to 4 Lab, Page 1 of 136. ©2008 Network Learning, Inc. All Rights reserved. Unauthorized duplication is a violation of Federal Law.


8/12/2019 Advanced Boot Camp Day 1 to 4

http://slidepdf.com/reader/full/advanced-boot-camp-day-1-to-4 1/136


Day 1

Switching

In order to properly configure switches for the CCIE Lab examination the subsequent topics and configurations must be understood. At the time of writing this Technology workbook 3550s and 3560s were co-resident in the R&S Lab. However by the time of reading this document you may have 4 x 3560s in your lab. Thus 3560s are used in the following section labs and for explanatory purposes.

MAC Address expiration

All modern Cisco switching platforms store and forward Ethernet frames and need to build a Content Addressable Memory (CAM) table to understand which source Mac addresses are connected to which ports. If a switch does not have a CAM table entry for a destination Mac address it must forward the frame out every port. Needless to say, forwarding unicast, multicast and broadcast to every switch port could cause security as well as bandwidth issues. In volume II we discuss the security issues in great detail but for now we will use the Mac address expiration to limit the chances of forwarding traffic out every port. Some devices can not or will not send gratuitous ARPs on regular intervals; therefore there is a chance their dynamically learned Mac-addresses may be removed from the CAM table. Instead of allowing the switch to forward traffic destined to this device out every switch port, the Mac address aging timer can be increased from the default (300 seconds) to a greater value.

Switch(config)# mac address-table aging-time 4000 (increases timer to a little over an hour)

0  This value disables aging. Static address entries are never aged or removed from the table.

10-1000000  Aging time in seconds. The range is 10 to 1000000 seconds.

vlan vlan-id  (Optional) Specify the VLAN ID to which to apply the aging time. The range is 1 to 4094.

STATIC Mac addresses

Unfortunately there are some devices that can never send gratuitous ARPs to the switch. For these devices we can statically configure their MAC Addresses to avoid flooding.

Switch(config)# mac address-table static 1234.1234.1234 vlan 4 interface gigabitethernet0/2


switch(config)# int fa0/1
switch(config-if)# switchport mode access
switch(config-if)# switchport access vlan 100

Trunks

With trunks we can then transport the VLANs we have created over a single uplink. Trunks are said to carry multiple colors or tags. With 802.1Q trunks all vlans are tagged except for the Native Vlan. By default the Native Vlan is VLAN 1 but this can be changed. However, use the same native vlan on both ends of the trunk. Optionally VLANs can be removed (pruned) completely from a trunk if they are not required to traverse the switch.

Basic Configuration:

switch(config)# int fa0/1
switch(config-if)# switchport trunk encapsulation dot1q
switch(config-if)# switchport trunk native vlan &&&
switch(config-if)# switchport mode trunk
switch(config-if)# switchport trunk native vlan 100

Static VLAN Blocking:

switch(config-if)# switchport trunk allowed vlan add 2,3,4
switch(config-if)# switchport trunk allowed vlan remove '*)

As mentioned earlier, normally a native VLAN is not tagged for traversing a trunk. This allows the native VLAN to function as a static access VLAN. If for some reason the Trunk (on auto or desirable) were not working then the native VLAN would still pass traffic. Contrary to this behavior, service providers can tag their customer's native VLAN so that it can be tunneled over a provider's leased Ethernet service.

If we needed to tag native VLAN traffic into a provider's connection we would configure the following on the customer edge switch:

Switch# configure terminal
Switch(config)# vlan dot1q tag native
Switch(config)# end

VTP

Cisco provides the VLAN Trunking Protocol (VTP) to automate the configuration of VLANs. If you recall from the previous VLAN section, in order to add a VLAN to a switch we needed to add the VLAN to the switch's VLAN database. This exercise could be daunting if we had 100 switches in a large office building. Instead of configuring each switch to support several VLANs, with VTP you only have to create the VLANs on a switch configured as a server and allow the other switches to dynamically learn the VLANs over their trunks. Best practice is to run these other switches in a read only client mode. If more than one switch is configured as a server then the switch with the highest revision number would control the VLAN database. Transparent mode is a third option that is used to allow VTP information to pass through a switch, but that specific switch will ignore the VTP and refer to its own manually assigned VLANs.

It is important to remember that all switches by default are VTP servers. The VTP server is where you would create, remove or modify VLANs. If for some reason you remove a switch from a lab or spares environment that was configured as a server and then introduce the switch into the production network, even if for only a few minutes before you reconfigure it as a client, if it has a higher revision number it will take control of the VTP database.

This VTP server sends advertisements across the VTP domain every 5 minutes or whenever a change is made in the VLAN database. The advertisement contains all the different VLAN names, VLAN numbers, what switches have ports in what VLANs and a revision number. Whenever a switch receives an update with a larger revision number than the last one it applied, it applies that revision.

VTP switches can operate in three different modes:

• Server: the default, where all VLAN adds, changes and removals are allowed

• Client: where no changes can be made, only new revisions can be received from the VTP server switches.

• Transparent: where local VLAN information can be changed but that information is not sent out to other switches. Transparent switches also do not apply VTP advertisements from other switches but they do forward those advertisements on.
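The revision rule and the three modes can be checked with a small model. The Python below is an added example, not part of the original workbook: the class names, revision numbers and the lab switch are constructed, the domain and password are the ones used in this lab's answers, and authentication is reduced to a plain domain/password match.

```python
from dataclasses import dataclass, field


@dataclass
class Advertisement:
    domain: str
    password: str
    revision: int
    vlans: dict          # vlan id -> vlan name


@dataclass
class Switch:
    name: str
    mode: str            # "server", "client" or "transparent"
    domain: str
    password: str
    revision: int = 0
    vlans: dict = field(default_factory=dict)

    def advertise(self):
        # In this model only a server originates the VLAN database.
        if self.mode != "server":
            raise ValueError(f"{self.name} is not a VTP server")
        return Advertisement(self.domain, self.password,
                             self.revision, dict(self.vlans))

    def receive(self, adv):
        """Apply the rules from the text and report what happened."""
        if self.mode == "transparent":
            return "forwarded"            # passed on, never applied locally
        if (adv.domain, adv.password) != (self.domain, self.password):
            return "rejected"             # wrong domain or password
        if adv.revision > self.revision:
            self.vlans = dict(adv.vlans)  # whole database is replaced
            self.revision = adv.revision
            return "applied"
        return "ignored"                  # same or older revision


def build_production():
    """Constructed production network: one server, one client, one transparent."""
    vlans = {2: "Vlan2_rspan", 3: "Vlan3_trunked", 4: "Vlan4_trunked"}
    return [
        Switch("Sw1", "server", "turnkey", "cisco", 12, dict(vlans)),
        Switch("Sw2", "client", "turnkey", "cisco", 12, dict(vlans)),
        Switch("Sw3", "transparent", "turnkey", "cisco", 0,
               {9: "Vlan9_sw3tosw4"}),
    ]


def introduce(lab_switch, production):
    """Send the lab switch's advertisement to every production switch."""
    adv = lab_switch.advertise()
    return {sw.name: sw.receive(adv) for sw in production}


if __name__ == "__main__":
    for lab_password in ("cisco", ""):
        prod = build_production()
        lab = Switch("lab", "server", "turnkey", lab_password, 47,
                     {99: "lab_only"})
        print(f"lab password {lab_password!r}:", introduce(lab, prod))
        for sw in prod:
            print("  ", sw.name, "rev", sw.revision, sorted(sw.vlans))
```

With the matching password the lab switch's higher revision replaces the VLAN database on the server and the client, while the transparent switch keeps its local VLANs; with a password that does not match, both advertisements are rejected.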

VTP pruning is the process of not sending unnecessary broadcast traffic for VLANs to switches that do not have any ports assigned to those VLANs. Pruning saves bandwidth because broadcasts don't have to be sent to switches that don't need them. To configure VTP you use the vtp global configuration mode command. With this command you can specify the following:

• VTP domain: the name of the VTP domain. All switches communicating with VTP in the same domain must have the same VTP domain name.

• VTP mode: either server, client or transparent

• VTP password: a password to control who can and cannot receive VTP information

• VTP pruning: VTP pruning is either turned on or off

• VTP version: Be aware that most switches do not support V3


*Note the VTP password is highly recommended to avoid switches from accidentally becoming a VTP server.

Ether-channel

Ether-channel allows a Cisco switch to bond together up to 8 Ethernet ports into a single channel. An Ether-channel uses a single port for spanning-tree purposes. If a link in the channel were to fail then Ethernet frames would simply be forwarded across another port in the channel without relearning the spanning-tree topology. In addition to failover and redundancy, ether-channels can be configured to provide load balancing across each port in the channel.

Ether-channels send traffic load across the links in a channel by converting the frame from binary to a new numeric value from source or destination Mac-address or IP address. The selected mode, whether it is IP or Mac-address, is applied to all Ether-channels configured on the switch.

If you configured load balancing based on source Mac-addresses then different devices, based on their source Mac-address, would be distributed across each port per device. For example the first device's source Mac-address would be forwarded on the first port of the Ether-channel while the second device would be forwarded out the second port of the Ether-channel.

While source Mac-address load balancing works well for equally distributing traffic across Ether-channel ports because there are multiple PC devices (sources) going to various destinations, destination Mac-address load balancing works well with multiple servers or gateways that are accessed by PCs. In other words traffic destined to each server would use a separate port in the Ether-channel.

If there is a mixture of end PC devices and servers then source-and-destination Mac-address forwarding is the best method for load balancing. Of course Mac-address based load balancing is intended for layer 2 Ether-channels. If we were configuring load balancing for layer 3 Ether-channels we would simply use source IP, destination IP or source/destination load balancing depending on the same scenarios as the Mac-address load balancing.
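The effect of the load-balancing method on link usage can be seen by counting flows per channel member. This Python sketch is an added example, not from the original workbook: the MAC addresses are constructed, and the hash (low-order three bits of the selected address, or of the XOR of both, mapped onto the links) is a simplifying assumption, since the exact hash is platform specific.

```python
from collections import Counter

BUCKETS = 8  # assumption: hash on the low-order 3 bits (8-port maximum)

# Constructed sample addresses.
GATEWAY = "0000.0c00.02fe"
PCS = [f"0000.0c00.01{n:02x}" for n in range(1, 9)]           # eight PCs
SERVERS = [f"0000.0c00.03{n:02x}" for n in range(0x10, 0x14)]  # four servers


def mac_to_int(mac):
    """Convert a Cisco-style dotted MAC (0000.0c00.0101) to an integer."""
    return int(mac.replace(".", ""), 16)


def select_link(src_mac, dst_mac, method, links):
    """Return the index of the channel member that carries the frame."""
    src, dst = mac_to_int(src_mac), mac_to_int(dst_mac)
    if method == "src-mac":
        key = src
    elif method == "dst-mac":
        key = dst
    elif method == "src-dst-mac":
        key = src ^ dst
    else:
        raise ValueError(f"unknown method: {method}")
    return (key % BUCKETS) % links


def distribution(flows, method, links):
    """Count how many (src, dst) flows land on each link of the channel."""
    counts = Counter(select_link(s, d, method, links) for s, d in flows)
    return [counts.get(i, 0) for i in range(links)]


def report(links=4):
    """Compare all three methods for the two scenarios in the text."""
    pcs_to_gateway = [(pc, GATEWAY) for pc in PCS]
    gateway_to_servers = [(GATEWAY, srv) for srv in SERVERS]
    result = {}
    for method in ("src-mac", "dst-mac", "src-dst-mac"):
        result[method] = {
            "pcs_to_gateway": distribution(pcs_to_gateway, method, links),
            "gateway_to_servers": distribution(gateway_to_servers, method, links),
        }
    return result


if __name__ == "__main__":
    for method, scenarios in report().items():
        for name, per_link in scenarios.items():
            print(f"{method:12s} {name:20s} flows per link: {per_link}")
```

Many sources talking to one gateway pile onto a single link under dst-mac, one source talking to many servers does the same under src-mac, and src-dst-mac spreads both cases.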

Port Aggregation Protocol

Port Aggregation Protocol (PAgP) is a Cisco proprietary method of automatically creating Ether-channel links. PAgP packets are sent between Ethernet ports in order to negotiate the forming of Ethernet-channels. PAgP can not work properly on the following configurations:

• Dynamic VLANs.

• Different speeds or port duplex.

The PAgP modes are explained below.

1. on: PAgP will not run. The channel is forced to come up.


2. off: PAgP will not run. The channel is forced to remain down.

3. auto: PAgP is running passively. The formation of a channel is desired; however it is not initiated.

4. desirable: PAgP is running actively. The formation of a channel is desired and initiated.

Link Aggregate Control Protocol (LACP)

LACP is a standards based (IEEE 802.3ad) method for configuring Ether-channels. LACP supports four modes of operation:

• On: Manual, without any LACP negotiation

• Off: The link aggregation will not be formed.

• Passive: The switch does not initiate the channel but does understand inbound LACP packets. The peer (in active state) initiates negotiation (when it sends out an LACP packet) which we receive and answer, eventually to form the aggregation channel with the peer.

• Active: The link aggregate will be formed if the other end runs in LACP active or passive mode. This is similar to the desirable mode of PAgP.

As mentioned previously both LACP and PAgP are used to dynamically provision Ethernet ports as Ether-channels. If the Ether-channel is manually provisioned by using the mode "on" key word then neither LACP nor PAgP is used. In any case load balancing using source Mac-address, destination Mac-address, source/destination Mac-address or source, destination, source/destination IP addressing can be used with all methods.

The following global configuration example displays the load balancing choices available to Ether-channels:


The following is an example of a PAgP Layer 2 Ether-channel configuration:

Layer 2

switch(config)# interface range fastEthernet0/5 - 8
switch(config-if-range)# switchport mode access
switch(config-if-range)# switchport access vlan 100
switch(config-if-range)# channel-group 1 mode desirable

The following is an example of a LACP Layer 3 Ether-channel configuration:

Layer 3

switch(config)# int port-channel 1
switch(config-if)# no switchport
switch(config-if)# ip add 10.1.1.1 255.255.255.0
switch(config)# interface range fastEthernet 0/2 - 4
switch(config-if-range)# no switchport
switch(config-if-range)# channel-group 1 mode active

Spanning Tree

By default the Cisco switch uses 802.1d Per VLAN spanning tree for each configured VLAN. This flavor of Spanning tree is notoriously slow. Typically 802.1d takes 50 seconds for ports to complete the 5 states (Disabled, Blocking, Listening, Learning and Forwarding) and to build the tree to the root bridge. Because of this slowness port fast is used to disable listening and learning states for ports with end stations connected and uplink fast is used for ports connected between switches. Even with these improvements 802.1w Rapid Spanning Tree (RSTP) is the configuration of choice for new deployments.

RSTP only has three port states (Discarding, Learning and Forwarding) and is able to converge within a few seconds. RSTP also has included two new port roles (Alternate port and Backup Port).

Now take a step back and allow us to drill down into 802.1d so we can further analyze the improvements of 802.1w.

In all versions of Spanning Tree we need a root bridge for each VLAN. The following example provides the available options for setting the Root:

switch(config)# spanning-tree vlan 2 root primary (macro)

or

switch(config)# spanning-tree vlan 2 priority 4096

The bridge with the lower priority is preferred to become the ROOT.

The switch that is designated as ROOT only has designated ports to other connected switches. The other switches (non-root) have root ports to the connections that are closest to the ROOT switch as well as designated ports connected to other switches with a longer path back to the ROOT. Because of a loop free topology when using spanning tree, path costs and port priorities are used to determine which switch and port needs to be blocked. For every VLAN one port in a redundant path must be blocked.

Spanning tree calculates the longest path from ROOT and determines the switch to be blocked. This behavior can be overridden by manipulating the path costs and additionally changing port priorities to manipulate which port (linear) on the longest path is chosen to be blocked. You will notice in this example the layer 2 path with a longer path cost of 30 is chosen as the segment to block. By manually configuring a higher port priority on SW3 the port on SW4 will be blocked.

Spanning Tree Diagram

RSTP must also designate a ROOT as well as calculating path costs and port priorities. However instead of optionally enabling uplink fast to reduce the time to failover to redundant uplinks, 802.1w has added Alternative and Backup ports. In the next example an additional path was added between SW3 and SW4. This new uplink can forward frames and if for some reason it were to fail, the alternative and backup port which are blocking would then immediately start forwarding frames. This behavior is very similar to uplink fast in 802.1d.


RSTP Diagram

SPAN/RSPAN

The Switch Port Analyzer (SPAN) is used to monitor traffic from VLANs and/or Ethernet ports on a switch. A very common application for this configuration is to connect a passive intrusion detection system (IDS) or packet sniffing application. Ethereal is packet sniffing software that can be downloaded from: http://www.ethereal.com/download.html. In addition to capturing traffic from a connected switch, RSPAN can be used to capture traffic from a remote switch connected to the destination (sniffing) port with a dot1q trunk.

The following example displays how to configure a remote span session:

Switch 1

switch1(config-vlan)# vlan
switch1(config-vlan)# name remote-span
switch1(config-vlan)# remote-span
switch1(config)# monitor session 1 source interface Fa0/1 both
switch1(config)# monitor session 1 destination remote vlan

Switch 2

switch2(config)# monitor session 1 source vlan rx
switch2(config)# monitor session 1 destination interface fastEthernet 0/12


Controlling Telnet Access

Telnet is controlled from the VTY lines. The following configuration does not require a password to access the device with privilege 15 access rights but limits access to the VTY line to only the protocol Telnet from only the 1.1.1.1 IP address.

line vty 0 4
 access-class 1 in
 exec-timeout 20 0
 privilege level 15
 no login
 transport input telnet
access-list 1 permit 1.1.1.1

To hide addresses while trying to establish a Telnet session from the router or switch use the service hide-telnet-address global command.

To avoid the router from sending information to an idle telnet session use the service telnet-zeroidle command. Data transfer is resumed if the logged in VTY user enters the resume command for the idle session.

Normally telnet only sends one character at a time. The service nagle command can improve performance by sending multiple characters in each telnet packet.
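The VTY block above leaves the source ACL as the only control on a privilege 15 session, which is worth checking for when reviewing saved configurations. The Python below is an added example, not part of the original workbook: it audits `line vty` blocks in configuration text, using the page's block as one input and a constructed comparison block (`login local`, `transport input ssh`) as the other; the finding names are illustrative.

```python
import re

# The VTY configuration from this page, re-typed as sample input.
PAGE_CONFIG = """\
line vty 0 4
 access-class 1 in
 exec-timeout 20 0
 privilege level 15
 no login
 transport input telnet
access-list 1 permit 1.1.1.1
"""

# Constructed comparison input (not from the page): same ACL, but local
# authentication and SSH-only transport.
HARDENED_CONFIG = """\
line vty 0 4
 access-class 1 in
 exec-timeout 20 0
 login local
 transport input ssh
access-list 1 permit 1.1.1.1
"""


def parse_config(config):
    """Return (vty_blocks, acl_ids); a block is (range_text, [subcommands])."""
    blocks, acl_ids, current = [], set(), None
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text == "!":
            continue
        if raw[0].isspace():            # indented: subcommand of the open block
            if current is not None:
                current[1].append(text)
            continue
        current = None                  # any top-level command closes the block
        vty = re.match(r"line vty (\d+(?: \d+)?)$", text)
        acl = re.match(r"access-list (\d+) (?:permit|deny)\b", text)
        if vty:
            current = (vty.group(1), [])
            blocks.append(current)
        elif acl:
            acl_ids.add(acl.group(1))
    return blocks, acl_ids


def audit_vty(config):
    """Return a sorted list of (vty_range, finding) for risky VTY settings."""
    blocks, acl_ids = parse_config(config)
    findings = []
    for vty_range, cmds in blocks:
        no_auth = "no login" in cmds
        if no_auth:
            findings.append((vty_range, "no-authentication"))
        # Default EXEC privilege level is 1 when none is configured.
        level = next((int(c.split()[-1]) for c in cmds
                      if c.startswith("privilege level ")), 1)
        if no_auth and level == 15:
            findings.append((vty_range, "privilege-15-without-login"))
        transports = next((c.split()[2:] for c in cmds
                           if c.startswith("transport input ")), [])
        if "telnet" in transports or "all" in transports:
            findings.append((vty_range, "cleartext-telnet-allowed"))
        acl = next((c.split()[1] for c in cmds
                    if re.match(r"access-class \S+ in$", c)), None)
        if acl is None:
            findings.append((vty_range, "no-source-acl"))
        elif acl not in acl_ids:
            findings.append((vty_range, "source-acl-undefined"))
        if "exec-timeout 0 0" in cmds:
            findings.append((vty_range, "idle-timeout-disabled"))
    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("page", PAGE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_vty(cfg))
```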

Storm Control

This technique is used to prevent switch ports being overloaded by broadcast, multicast or unicast traffic on a per port basis. Storm control creates a threshold so excessive traffic is dropped until traffic drops below the threshold. The thresholds are set as a percentage of the interface. For example if the traffic is set to 100 it is always permitted and if it were set to 0.0 then that type of traffic is never permitted. The following example illustrates how different thresholds are set for unicast, broadcast and multicast traffic.

switch(config-if)# storm-control broadcast level 2
switch(config-if)# storm-control unicast level 2
switch(config-if)# storm-control multicast level 20

Blocking

Blocking prevents unicast or multicast from being flooded into the port when enabled. The default behavior of a switch is to forward the packets with unknown destination MAC addresses to all its ports. This might not always be desirable, especially in terms of security. If you configure a port block feature then, depending on what type of traffic you specified, unicast or multicast packets are not forwarded from one port to another.

switch(config-if-range)# switchport block ?
  multicast  Block unknown multicast addresses
  unicast    Block unknown unicast addresses


Protected Ports

Private VLANs will be discussed in Volume II. One thing to note about Private VLANs is that they can not co-exist with VTP version 2 or lower. A workaround for this limitation is to configure a switch in Transparent VTP mode. If for some reason the switch must be a VTP server then protected ports can be used in a limited manner to provide a subset of the same isolation.

A protected port feature is used in those environments where no traffic can be forwarded between two ports on the same switch. This way one neighbor connected to one port does not see the traffic that is generated by another neighbor connected to the second port. The blocking of traffic (unicast, broadcast or multicast) only works when both ports are protected. When a protected port is communicating with an unprotected port the traffic is forwarded in the usual manner. Once the ports are protected, traffic between them can only be forwarded by a Layer 3 device.

Sw2(config-if-range)# int range f0/10 - 11
Sw2(config-if-range)# switchport protected

802.1X authentication

IEEE 802.1x is simply a standard for passing EAP over a wired or wireless LAN.

EAP (Extensible Authentication Protocol) traffic is used to authenticate wireless devices using supplicants but also functions over wired media. The 802.1X authentication using EAP allows for switch level port authentication.

In order to authenticate the actual devices and/or users to an external database the switch is required to use radius. Radius is the only authentication method supported as of now. The switch works as a proxy between the client and the radius authentication server. The switch encapsulates and de-encapsulates the EAP frames from the client into radius packets.

Prior to authentication the switch ports start in the unauthorized state. This state disallows ingress and egress traffic except 802.1x packets. When a client gets authenticated the port transitions to the authorized state. If the client doesn't support 802.1x the port stays in the unauthorized state and no traffic is allowed on the switch.

The following states are supported by Cisco switches:

• Force-authorized: It bypasses the authentication state and all traffic is allowed.

• Force-Unauthorized: The port remains in unauthorized state regardless of the client's attempts to get authenticated.

• Auto: Enables 802.1x authentication; the switch identifies the client by the MAC address.

This example shows how to enable AAA and 802.1X on Fast Ethernet port 0/1:

switch(config)# aaa new-model
switch(config)# aaa authentication dot1x default group radius local
switch(config)# dot1x system-auth-control
switch(config)# interface fastethernet 0/1
switch(config-if)# dot1x port-control auto
switch(config-if)# end
switch# configure terminal
switch(config)# ip radius source-interface Vlan
switch(config)# radius-server host 10.1.1.1
switch(config)# radius-server key cisco
switch(config)# end

Macros

Macros can be used to group common switch configurations together. Macros along with the interface-range command help to reduce the amount of effort needed to deploy switches.

Here is a useful Macro to be used in the switches for a ping script.

Sw1(config)#macro name P*+
Enter macro commands one per line. End with the character '@'.
do ping 142.22.12.1
do ping 142.22.13.1
do ping 144.21.1.1
do ping 1!.1.2".2
do ping 142.22.12.2
@
Sw1(config)#
Sw1(config)#macro global apply P*+


Switching LAB

Scenario

This is the first Lab in a series of Labs that will build on themselves.

There is no need for initial configurations because this first lab will construct the Layer 2 topology to be used for all other labs in Volume I of this technology workbook. Please save your configurations after each lab to avoid any rework when progressing to other labs.

The point of this Lab is to build a new infrastructure for Turn-Key Inc. This company has hired you to interconnect (4) branch locations and (2) data centers. In addition to the internal WAN there are two separate connections, one each to two different ISPs. Turn-key has decided to connect all internal sites with both frame relay and leased Ethernet. Many Layer 2 issues will be encountered in Branch (1), which is a large campus site with many PC users. As the integrator, Turn-key is depending on you to translate their tasks (requirements) into a fully functional system. Each Lab will include several tasks that build towards a completed project.

The Turn-key network should be fully functional and tested after completion of all labs. The majority of the Tasks will draw from the Technology section of this workbook and lectures. However some questions marked with "Bonus" may not have been covered in the lecture and are meant to test your search skills on the Cisco web site.

Please refer to: http://www.cisco.com/univercd/home/home.htm. As the labs progress, less and less support information is provided in the introduction section of the lab.

Topology

As previously mentioned LAB 1 will build the Layer 2 infrastructure. At Branch 1 we will have a mixed L2 and L3 environment. This is due to some devices needing to span VLANs across the campus. In the IDF (Access Layer) some VLANs will be routed and others Trunked to the CORE.

In addition to the campus network at Branch (1) we will also build a VLAN between several of the routers to imitate a Leased Ethernet service.

This Topology is supported in CCBOOTCAMP's rack rentals but should also work in other Rack Rental sites or a home lab with (4) 3560 switches and (8) routers. The next page provides the physical Ethernet topology. As you progress to Lab 2 and others the topology will include Frame-relay and logical IP addressing and Routing information.


Physical Diagram


Switch Tasks

Task 1 (Basic VLAN): Configure SW1 such that it provides the database for the VLANs in the following table. All other switches should learn the VLANs from SW1. Use a control mechanism to prevent new switches from accidentally controlling the VLAN database when added into the network. Also add the appropriate hostnames and interface descriptions to all devices based on the diagram.

VLAN   VLAN Name
2      Vlan2_rspan
3      Vlan3_trunked
4      Vlan4_trunked
5      Vlan5_sw1tosw2
6      Vlan6_sw1tor1
7      Vlan7_sw2tor1
8      Vlan8_sw1tosw3
9      Vlan9_sw3tosw4
10     Vlan10_Leased
11     Vlan11_sw2tosw4

Task 2 (Load Balance and Trunks): Vlan 3 and 4 should be trunked on a pair (2) of ports between every switch. Ensure that this pair of ports is manually configured, not dynamic. Both VLAN 3 and 4 have several clients in the IDF that connect to the CORE for a single default gateway. Configure load balancing that would best distribute traffic across all layer 2 ports for Vlan 3 and 4. Vlans 3 and 4 are allowed on every Trunk, however Turn-key would like to limit unneeded broadcast on the Trunks as well as only allowing Vlan 3, 4 and the interconnect VLAN on each trunk. The interconnect VLAN should have a SVI on the switch and be configured to not be tagged on the trunk. For example VLAN 9 is the interconnect VLAN between sw3 and sw4.

Task 3 (Spanning Tree): Configure spanning tree such that Sw1 is the root for Vlan 3,8 and Sw2 is the root for Vlan 4,11. Bonus: Ensure no other switch besides Sw1 or Sw2 will ever be able to become root for these VLANs (3, 4, 8 and 11).

Manipulate STP so that ports F0/21, 22 (Po1) on sw3 are blocked for Vlan 3 and 4. In order to reduce failover times convert the STP configuration from 802.1d to 802.1w PVST.

Task 4 (Mac Addresses): Turn-key Inc. desires to prevent unnecessary unicast traffic from being flooded out switch ports. Configure the switch to best prevent flooding based on the following table.

Mac Address      Switch     Vlan   Issue
1111.1111.1111   3 f0/11    3      Gratuitous ARP every 30 min
1112.1112.1112   4 f0/11    3      Never sends Gratuitous ARP
1234.1234.1234   All        4      Detected as rogue device and desire to not forward it.

For a server connected to Sw2 f0/16 we want to make sure no unknown unicast frames are ever flooded into this port.


Task 5 (Monitoring): Turn-key would like to connect a packet sniffer to F0/15 on sw3 to analyze the VLAN10 traffic on R2. Configure a session to allow for these connections.

Task 6 (IP Addresses): Configure IP addresses based on the following table:
*Note virtual IP addresses will be used later.

VLAN   VLAN Name         Device       IP
2      Vlan2_rspan
3      Vlan3_trunked     Sw1          10.3.3.1/24
                         Sw2          10.3.3.2/24
                         virtual      10.3.3.254/24
4      Vlan4_trunked     Sw1          10.4.4.1/24
                         Sw2          10.4.4.2/24
                         virtual      10.4.4.254/24
5      Vlan5_sw1tosw2    Sw1          10.5.5.1/30
                         Sw2          10.5.5.2/30
6      Vlan6_sw1tor1     Sw1          10.6.6.1/30
                         R1           10.6.6.2/30
7      Vlan7_sw2tor1     Sw2          10.7.7.1/30
                         R1           10.7.7.2/30
8      Vlan8_sw1tosw3    Sw1          10.8.8.1/30
                         Sw3          10.8.8.2/30
9      Vlan9_sw3tosw4    Sw3          10.9.9.1/30
                         Sw4          10.9.9.2/30
10     Vlan10_Leased     Sw1          192.168.10.1/24
                         R2           192.168.10.2/24
                         R3           192.168.10.3/24
                         R4           192.168.10.4/24
                         R5           192.168.10.5/24
                         R6           192.168.10.6/24
                         R9 AKA BB1   192.168.10.9/24
11     Vlan11_sw2tosw4   Sw2          10.11.11.2/30
                         Sw4          10.11.11.1/30

Task 7 (802.1X): Ensure sw3 F0/15 is authenticated with 802.1x. There is no Radius available so create a local user/pass user/cisco and make it the fallback. For configuration purposes point your switch to the radius server at 192.168.2.101. If you are using CCBOOTCAMP rack rental there is a Radius server connected to SW1 F0/24.

Task 8 (Telnet): On the devices at the Branch location restrict telnet access to only devices from 10.0.0.0. Bonus: only allow telnet access from 8am to 5pm Monday through Friday and log it. Configure the VTY lines such that only telnet and SSH are supported. On R1 configure telnet so that multiple characters are transmitted in each telnet packet. If allowed from the 10.0.0.0 network, users should have level 15 privileges without needing to log in.


Switch Answers (Don't peek)

Try to complete these labs with minimal looking at the answers. The completed answers will be provided on a thumb drive.

Task 1 (Basic VLAN): The VTP and Vlan information was supposed to be configured on SW1:

Sw1(config)#vtp domain turnkey
Sw1(config)#vtp mode server
Sw1(config)#vtp password cisco
Sw1(config)#vlan 2
Sw1(config-vlan)#name vlan2_rspan
(same for other Vlans)

The other switches 2-4 were supposed to be VTP clients.

On the other switches:

Swx(config)#vtp mode client
Swx(config)#vtp domain turnkey
Swx(config)#vtp password cisco

In order to prevent accidental Vlan changes we set the VTP password to Cisco.

The names and interface description should be based from the Table.

For example:

interface vlan5
 description vlan5_sw1tosw2
 ip address 10.5.5.2 255.255.255.252

To test your configuration issue the following commands:

Sw1#sh vtp status
VTP Version : 2
Configuration Revision : 1
Maximum VLANs supported locally : 1005
Number of existing VLANs : 23
VTP Operating Mode : Server
VTP Domain Name : turnkey
VTP Pruning Mode : Enabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x3 0x1 0x78 0x83 0x24 0x7 0xF4 0xB1
Configuration last modified by 0.0.0.0 at 3-1-93 02:03:42
Local updater ID is 10.5.5.1 on interface Vl5 (lowest numbered VLAN interface f

Sw1#vlan data
Sw1#vlan database
Sw1(vlan)#sh current
  VLAN ISL Id: 1
    Name: default
    Media Type: Ethernet
    VLAN 802.10 Id: 100001
    State: Operational
    MTU: 1500
    Backup CRF Mode: Disabled
    Remote SPAN VLAN: No

  VLAN ISL Id: 2
    Name: vlan2_rspan
    Media Type: Ethernet
    VLAN 802.10 Id: 100002
    State: Operational
    MTU: 1500
    Backup CRF Mode: Disabled
    Remote SPAN VLAN: No

  VLAN ISL Id: 3
    Name: vlan3_trunked
    Media Type: Ethernet
    VLAN 802.10 Id: 100003
    State: Operational
    MTU: 1500
    Backup CRF Mode: Disabled
    Remote SPAN VLAN: No

  VLAN ISL Id: 4
    Name: vlan4_trunked
    Media Type: Ethernet
    VLAN 802.10 Id: 100004
    State: Operational
    MTU: 1500
    Backup CRF Mode: Disabled
    Remote SPAN VLAN: No

  VLAN ISL Id: 5
    Name: vlan5_sw1tosw3
    Media Type: Ethernet
    VLAN 802.10 Id: 100005
    State: Operational
    MTU: 1500
    Backup CRF Mode: Disabled
    Remote SPAN VLAN: No

  VLAN ISL Id: 6
    Name: vlan6_sw1tor1
    Media Type: Ethernet
    VLAN 802.10 Id: 100006
    State: Operational
    MTU: 1500
    Backup CRF Mode: Disabled
    Remote SPAN VLAN: No

  VLAN ISL Id: 7
    Name: vlan7_sw2tor1
    Media Type: Ethernet
    VLAN 802.10 Id: 100007
    State: Operational
    MTU: 1500
    Backup CRF Mode: Disabled
    Remote SPAN VLAN: No

  VLAN ISL Id: 8
    Name: vlan8_sw1tosw3
    Media Type: Ethernet
    VLAN 802.10 Id: 100008
    State: Operational
    MTU: 1500
    Backup CRF Mode: Disabled
    Remote SPAN VLAN: No

  VLAN ISL Id: 9
    Name: vlan9_sw3tosw4
    Media Type: Ethernet
    VLAN 802.10 Id: 100009
    State: Operational
    MTU: 1500
    Backup CRF Mode: Disabled
    Remote SPAN VLAN: No

  VLAN ISL Id: 10
    Name: vlan10_Leased
    Media Type: Ethernet
    VLAN 802.10 Id: 100010
    State: Operational
    MTU: 1500
    Backup CRF Mode: Disabled
    Remote SPAN VLAN: No

  VLAN ISL Id: 11
    Name: vlan11_sw2tosw4
    Media Type: Ethernet
    VLAN 802.10 Id: 100011
    State: Operational
    MTU: 1500
    Backup CRF Mode: Disabled
    Remote SPAN VLAN: No

Task 2 (Load Balance and Trunks): In this task we were supposed to configure manual Ether-channels and trunks from the redundant inter-switch connections as specified on the following lab diagram.


Sw1:

port-channel load-balance src-dst-mac

interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 5
 switchport trunk allowed vlan 2-5
 switchport mode trunk
interface Port-channel2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 8
 switchport trunk allowed vlan 2-4,8
 switchport mode trunk
interface FastEthernet0/19
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 5
 switchport trunk allowed vlan 2-5
 switchport mode trunk
 channel-group 1 mode on
interface FastEthernet0/20
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 5
 switchport trunk allowed vlan 2-5
 switchport mode trunk
 channel-group 1 mode on
interface FastEthernet0/21
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 8
 switchport trunk allowed vlan 2-4,8
 switchport mode trunk
 channel-group 2 mode on
interface FastEthernet0/22
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 8
 switchport trunk allowed vlan 2-4,8
 switchport mode trunk
 channel-group 2 mode on

interface Vlan1
 no ip address
 shutdown
interface Vlan3
 description vlan3_trunked
 ip address 10.3.3.1 255.255.255.0
interface Vlan4
 description vlan4_trunked
 ip address 10.4.4.1 255.255.255.0
interface Vlan5
 description vlan5_sw1tosw2
 ip address 10.5.5.1 255.255.255.252
interface Vlan8
 description vlan8_sw1tosw3
 ip address 10.8.8.1 255.255.255.252


For the load balancing we needed source Mac-address LB closest to the PC devices so that each device would be load balanced based on source Mac addresses to equally use each port in the Ether-channel.

On Sw3 and Sw4:

port-channel load-balance src-mac

The other two switches Sw1 and Sw2 need src-dst-mac because they will be the default gateways for these devices.

Task 3 (Spanning Tree): The following configurations were needed on the following devices in order to set the ROOT and Blocked ports per Task 3 specifications:

Sw1:
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1,3,8 priority 0

Sw2:
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 4,11 priority 0

Sw3:
spanning-tree mode rapid-pvst
spanning-tree extend system-id

interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 9
 switchport trunk allowed vlan 2-4,9
 switchport mode trunk
 spanning-tree vlan 3 cost 200000000
interface Port-channel2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 8
 switchport trunk allowed vlan 2-4,8
 switchport mode trunk

Sw4:
spanning-tree mode rapid-pvst
spanning-tree extend system-id

interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 9
 switchport trunk allowed vlan 2-4,9
 switchport mode trunk
interface Port-channel2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 11
 switchport trunk allowed vlan 2-4,11
 switchport mode trunk

To configure the bonus, root guard was needed on Sw3:


interface FastEthernet0/19
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 9
 switchport trunk allowed vlan 2-4,9
 switchport mode trunk
 channel-group 1 mode on
 spanning-tree guard root
interface FastEthernet0/20
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 9
 switchport trunk allowed vlan 2-4,9
 switchport mode trunk
 channel-group 1 mode on
 spanning-tree guard root

Task 4 (Mac Addresses): In the first part of this task we are changing the Mac aging timer to be in synch with how often the server sends gratuitous ARPs.

Sw3:
mac-address-table aging-time 1800 vlan 3

In the next section we must configure a static Mac-address for a device that is unable to send gratuitous ARPs.

Sw4:
mac-address-table static 1112.1112.1112 vlan 3 interface FastEthernet0/11

The next requirement was to block a Mac-address from all switches:

mac-address-table static 1234.1234.1234 vlan 4 drop

The last requirement was to make sure that unicast traffic going to mac-address destinations not known in the CAM table was not flooded into Sw2 port f0/16:

interface FastEthernet0/16
 switchport block unicast

Task 5 (Monitoring): The following configuration would set up a monitoring session on sw3 to sniff traffic to/from R2 vlan 10:

Sw3
monitor session 1 destination interface Fa0/15
monitor session 1 source remote vlan 2

Sw1
monitor session 1 source interface Fa0/2
monitor session 1 destination remote vlan 2


Task 6 (IP Addresses): Configure IP addresses per specifications.

Task 7 (802.1x):

Sw3:
username user password 0 cisco
aaa new-model
aaa authentication dot1x default group radius local
dot1x system-auth-control
int f0/24
 switchport access vlan 3
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto

radius-server host 192.168.2.101 auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server key cisco

Task 8 (Telnet): The first part of the Task asks us to restrict telnet or SSH access to 10.0.0.0 and give those administrators privilege level 15 when they log into the devices. In order to configure the bonus this access must be restricted to Mon-Friday between 9am and 5pm.

The following configuration on each device would satisfy the above requirements:

ip access-list extended telnet
 permit ip 10.0.0.0 0.255.255.255 any log time-range weekdays

time-range weekdays
 periodic weekdays 8:00 to 17:00

line vty 0 4
 access-class telnet in
 privilege level 15
 transport input telnet ssh
line vty 5 15
 access-class telnet in
 privilege level 15
 transport input telnet ssh

On R1 configure telnet so that multiple characters are transmitted in each telnet packet.

R1:
service nagle


Day 1

Frame Relay

Basic Facts

• Frame Relay is a Layer 2 protocol.

• Serial interfaces use DB-60 connectors.

• Connection-oriented to transport data between a DTE device and a Frame Relay switch.

• Simple error checking is provided by appending a Frame Check Sequence (FCS) to each frame (similar to a CRC).

• No error correction (error checking but no correction; that's left to the host).

• Frame Relay uses HDLC, PPP or ISDN/LAPD encapsulations.

• Maximum speed of Frame is 45 Mbps.

Data Link Connection Identifier (DLCI)

DLCIs are assigned by the Frame Relay circuit provider and have local significance only. They provide an identifier for the connection between the router at your site and the big Frame Relay switch at the provider. There is often confusion about this, so to make it clear: the DLCI is used only between your site and the provider's point-of-presence; it has no significance beyond that.

DLCI states are:

• Deleted: No LMI signal is being received from switch or no service is available from switch.

• Active: Lines are up; connections are active. Routers are exchanging data.

• Inactive: Frame relay switch to local connection is working. The remote router's connection to the frame switch is not working.

Local Management Interface (LMI)

LMI provides the control protocol for PVC setup and management. There are three types available: Cisco, ANSI and q.933a (default is Cisco). The service provider will specify the LMI in use. LMIs control data keepalives and verify the dataflow. The LMI type must be identical between the local device (router) and the local Frame Relay switch; it does not have to be identical for the end devices.

Encapsulation

The encapsulation choices are Cisco and IETF, with Cisco being the default. This designation can be made through DLCI. The encapsulation type must be identical at both end devices. If Cisco devices are used across the entire network, Cisco encapsulation will likely be the encapsulation type; however, since the Cisco encapsulation type is proprietary, if another manufacturer's devices are used at the Frame Relay endpoints then IETF encapsulation type will be required. Remember, encapsulation can be set per interface or per destination.


Split Horizon and Frame Relay Interfaces

Split horizon dictates that if a router has received a route advertisement from another router it will not re-advertise it back out the interface on which it was learned. The default condition for Frame Relay interfaces is:

• Physical interfaces: split-horizon is disabled by default

• Multipoint sub interfaces: split-horizon is enabled by default

• Point-to-point sub interfaces: split-horizon is enabled by default

Inverse-ARP

Inverse ARP, when enabled, is used to automatically map frame-relay DLCIs which are configured in the frame-relay switch to IP addresses configured on the remote routers. You may be requested to disable frame-relay inverse ARP on your physical or point-to-multipoint sub interface; if so, you can use frame-relay map statements after you disable the inverse-ARP. Secondly, it is best practice to make these changes while the interfaces are shut to avoid rebooting the router later.

Inverse-ARP is not recommended for frame-relay hub-and-spoke topologies because it could take inverse-ARP up to 60 seconds to converge from a site failure. In a MESH topology this shortcoming is not as impacting because every site has an alternate DLCI to every site, but in hub-and-spoke the spokes must always communicate via the hub.

Mesh

A full mesh requires DLCIs to interconnect PVCs between each router. Total PVCs = k(k-1)/2, where k is the number of routers. Each router would be configured on a common IP subnet.

With inverse-ARP turned on at the Physical circuit or sub-interface point-to-multipoint level, no MAP entry is required. However, with inverse-ARP turned off the MAP entries are required. In fact a MAP entry to one of the DLCIs for a router's own interface IP is required for a router to even ping itself.

In addition to the destination IP address being in the routing table, there must be a frame-relay map for the destination IP address. The destination IP address can be any IP address, including yours (you need a map statement to ping your own interface).

For the Multipoint sub interface option each MAP statement adds a /32 connected interface. And finally, whenever MAP statements are required, the optional broadcast keyword must be added to the end of the statement if required for routing protocols or other multicast functionality to work over the frame relay.

Hub and spoke

Again with Hub-and-spoke the Routers are configured on a common IP subnet and we have some differences in configuration depending on whether inverse-ARP is enabled.

A hub-and-spoke with inverse-ARP needs to have MAP statements on the hub to avoid issues with extra DLCIs configured on the frame relay switch. In other words, these frame relay switches in rack rentals typically have DLCIs pre-configured between each device (Mesh) and you would need to override this configuration, otherwise you would have a MESH. The same issue with needing MAPs exists with the spokes too. If this hub-and-spoke configuration were provisioned on a carrier's network the spokes would not need to have MAP entries because the provider would only configure the needed DLCI back to the Hub site.

With Inverse-ARP off, which is the recommended configuration, all routers will have MAP statements from Hub to all spokes and from spokes to hub. Depending on the neighbor requirements of the routing protocol we may find ourselves later adding map statements between spokes or needing to enable the broadcast keyword.

Point-to-point

In this configuration each P2P sub-interface frame relay connection is on a unique subnet and we must use the frame relay interface-dlci instead of the MAP statement. It doesn't matter if inverse-ARP is enabled because P2P will connect to whatever is on the other side of the PVC, similar to PPP. However, P2P frame relay will listen and respond to inverse-ARP because it is possible to have a Physical interface on one end with inverse-ARP enabled and a P2P sub-interface on the other end.

Combination

Any combination of P2P or Multipoint (Partial MESH) can be configured with multiple subnets and proper Mapping of DLCIs.

Note: Frame Relay traffic shaping and other QoS related issues will be discussed in Volume II.


Frame Relay LAB

Scenario

Turn-Key Inc. has purchased frame relay service from a provider. You must configure each router to connect to the proper DLCI and interface as outlined in the following Lab 2 tasks and from the following diagram that displays the DLCI numbers that correspond to CCBOOTCAMP's R&S rack rentals. If you are using home equipment or another Rack rental you can simply use different interfaces and DLCIs, but try to model this topology as closely as possible. Turn-key is using a combination of Leased Ethernet and Frame Relay to interconnect all of their sites.


Frame Relay DLCI, PVC and IP addressing


Frame Tasks

Task 1 (Mesh): Configure a mesh between R1, R2 and R3. Configure Physical or Multipoint Sub interfaces based from the above diagram. The diagram contains the subnets for each frame-relay connection. Simply use the router's ID for the host octet, with the exception of BB1 which is (.9). Inverse ARP is allowed for this MESH only on R1, so configure the frame-relay mappings to be dynamic only on R1 but do not allow DLCIs that are not part of this MESH connection to be active on R1. Also add descriptions to the interfaces.

Task 2 (Hub and Spoke): Configure a hub and spoke between R3, R5 and R6. R3 is on a sub interface and R5 and 6 are on physical interfaces. No inverse-ARP is allowed at all between these routers. Configure the IP addresses from the above diagram using the router ID as the host octet. Also add descriptions to the interfaces.

Task 3 (Point-to-Points): Configure P2P frame relay connections between the various routers as per the above diagram. Configure the IP addresses from the above diagram using the router ID as the host octet. Also add descriptions to the interfaces.

Task 4 (PPP): Configure a PPP connection between R7 and R8. We did not include the basic configuration explanation for this in the technology section, so you are tasked with using the univerCD at http://www.cisco.com/univercd/home/home.htm and searching the 12.4 configuration or command references for PPP examples. (Bonus): configure 2 way authentications between these two routers but allow R7 to send the username ISP1 instead of R7. Also add descriptions to the interfaces.


Frame Answers

Task 1 (Mesh): Remember to keep your interfaces shut until you have configured all of your frame relay on each interface or sub interface. Sometimes clear frame-relay inarp helps, but usually you will have to either reboot or default interface to fix frame relay issues. These simple problems can cost you time in the real Lab. Make sure to test each connection with ping as you no shut the interfaces.

R1:
interface Serial0/0/0
 description MESH_to_R2_R3
 ip address 172.16.1.1 255.255.255.0
 encapsulation frame-relay
 no frame-relay inverse-arp IP 104
 no frame-relay inverse-arp IP 105
 no frame-relay inverse-arp IP 106
 no frame-relay inverse-arp IP 107
 no frame-relay inverse-arp IP 108
 no frame-relay inverse-arp IP 109
 no frame-relay inverse-arp IP 110
 frame-relay lmi-type ansi

R2:
interface Serial0/0/0
 no ip address
 encapsulation frame-relay

interface Serial0/0/0.1 multipoint
 description MESH_to_R1_R3
 ip address 172.16.1.2 255.255.255.0
 frame-relay map ip 172.16.1.3 203 broadcast
 frame-relay map ip 172.16.1.1 201 broadcast
 no frame-relay inverse-arp

R3:
interface Serial0/0/0
 no ip address
 encapsulation frame-relay
 frame-relay lmi-type ansi
interface Serial0/0/0.1 multipoint
 description MESH_to_R1_R2
 ip address 172.16.1.3 255.255.255.0
 frame-relay map ip 172.16.1.1 301 broadcast
 frame-relay map ip 172.16.1.2 302 broadcast
 no frame-relay inverse-arp

R1#sh frame-relay map
Serial0/0/0 (up): ip 172.16.1.3 dlci 103(0x67,0x1870), dynamic,
              broadcast,
              CISCO, status defined, active
Serial0/0/0 (up): ip 172.16.1.2 dlci 102(0x66,0x1860), dynamic,
              broadcast,
              CISCO, status defined, active

R1#ping 172.16.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echoes to 172.16.1.2, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/60 ms
R1#ping 172.16.1.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echoes to 172.16.1.3, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/57/60 ms
R1#

Task 2 (Hub and Spoke): This one simply needs the proper MAP statements.

R3:
interface Serial0/0/0.2 multipoint
 description Hub-and-spoke-R5-R6
 ip address 172.16.3.3 255.255.255.0
 frame-relay map ip 172.16.3.5 305 broadcast
 frame-relay map ip 172.16.3.6 306 broadcast
 frame-relay map ip 172.16.3.3 305
 no frame-relay inverse-arp

R5:
interface Serial0/0/0
 description Hub-and-spoke-to-R3-R6
 ip address 172.16.3.5 255.255.255.0
 encapsulation frame-relay
 frame-relay map ip 172.16.3.3 503 broadcast
 frame-relay map ip 172.16.3.5 503
 frame-relay map ip 172.16.3.6 503 broadcast
 no frame-relay inverse-arp
 frame-relay lmi-type ansi

R6:
interface Serial0/0/0
 description Hub-and-spoke-to-R3-R5
 ip address 172.16.3.6 255.255.255.0
 encapsulation frame-relay
 frame-relay map ip 172.16.3.3 603 broadcast
 frame-relay map ip 172.16.3.5 603 broadcast
 (This is configured to assist in the RIP section later)
 frame-relay map ip 172.16.3.6 603
 no frame-relay inverse-arp
 frame-relay lmi-type ansi

Task 3 (Point-to-Points):

BB1:
interface Serial0/0/0.1 point-to-point
 description P2P-to-R2
 ip address 172.16.2.9 255.255.255.0
 frame-relay interface-dlci 902

R7:
interface Serial0/0/0.1 point-to-point
 description P2P-to-R2
 ip address 172.16.5.7 255.255.255.0
 frame-relay interface-dlci 702

R8:
interface Serial0/0/0.1 point-to-point
 description P2P-to-R3
 ip address 172.16.6.8 255.255.255.0
 frame-relay interface-dlci 803

Configure the opposite on R2 or R3 to connect to the P2P FR connections.

Task 4 (PPP): Configure a PPP connection and then enable Chap authentication with Username user password cisco.

R7:
username R8 password 0 cisco

interface Serial0/0/1
 description PPP-to-R8
 ip address 172.16.4.7 255.255.255.0
 encapsulation ppp
 clock rate 2000000
 ppp authentication chap
 ppp chap hostname user
 ppp chap password 0 cisco

R8:
username user password 0 cisco

interface Serial0/0/1
 description PPP-to-R7
 ip address 172.16.4.8 255.255.255.0
 encapsulation ppp
 ppp authentication chap


Day 1

RIPv2

There are two versions of RIP, versions 1 and 2, both of which are Distance Vector routing protocols. RIPv1 (version 1) is classful and must use Fixed Length Subnet Masks (FLSM); RIPv2 adds additional features such as classless routing, variable subnet masks (VLSM) and authentication. Both versions use hop count as their only metric and are limited to 15 hops. A hop is simply a single pass through a router. By default RIP routers send their entire routing table out every interface in 30 second increments.

Both versions of RIP operate on UDP port 520. However, RIPv1 uses a broadcast and RIPv2 uses a multicast, 224.0.0.9. A metric of 1 signifies a directly connected network by the advertising router and 16 an unreachable network. The timers for update, invalid, hold-down and flush can be manually configured. For the purposes of this workbook and for Lab preparation we will focus on RIPv2.

Updates

RIPv2 is able to send a mask in the updates that are sent out every 30 seconds, so we can use VLSM. If needed the update time can be changed.

For example:
R8(config-router)#timers basic 20

Changes the updates from 30 to 20 second update intervals. Keep in mind you will need to change it on the other connected neighbors.

We can go a step farther and set the invalid, hold down and flush timers:

R8(config-router)#timers basic 20 40 60 120

Also, Tags can be used in RIPv2 for redistribution.

It is possible to still send or receive RIPv1 updates when configured for RIPv2 from the interface level:

R8(config-if)#ip rip send version 1
R8(config-if)#ip rip receive version 1

The update timer can be set for just one connected neighbor at the interface level:

R8(config-if)#ip rip advertise 20

And lastly, a RIPv2 router can broadcast instead of multicast from an interface using the following command:

R8(config-if)#ip rip v2-broadcast

Neighbors

Connected neighbors simply need RIPv2 enabled globally and a connected network entry and they are ready to exchange updates. Secondly, no auto summary needs to be configured if classless summaries are required.

router rip
 network 172.16.0.0
 no auto-summary

If it is desired to not send updates to interfaces without connected neighbors then the passive interface command can be used. There are two different approaches to using this configuration. The first is to use "passive-interface default" and then specify which interfaces will allow the updates:

router rip
 passive-interface default
 no passive-interface FastEthernet0/0

The second choice is to just apply a passive-interface command to the specific interfaces on which you desire to disable the updates:

router rip
 passive-interface f0/0

There are times when broadcast updates or multicast are permitted or limited because of the frame-relay map statements. In these cases the passive interface commands can be used to suppress the broadcast/multicast, in combination with the neighbor command to send a unicast update to the neighbor's IP address:

router rip
 neighbor 172.16.6.3

And lastly, it is possible to send updates to a neighbor that is not physically connected. Two scenarios come to mind: neighbors over PPP with non-connected and different subnets, or a RSPAN session. The former is an advanced topic so we will leave it for Volume II, but the latter is something we can configure with our current bag of tricks. In order to receive RIPv2 updates over a RSPAN session we need to configure:

router rip
 no validate-update-source

This command makes it so the RIP router doesn't care who is sending the update. It turns off the check that the source address of an incoming update is on the same subnet as the receiving interface, so RIP authentication becomes the remaining control over whose updates are accepted.


Loop Protection

The split horizon rule reduces the incidence of routing loops. Split horizon prevents two-node loops between neighbors (tight loops) by not advertising the routes on the same interface from which they were learned. Split horizon also eliminates unnecessary updates.

Split horizon with the addition of poison reverse allows the routing protocol to advertise all routes out an interface, but those learned from earlier updates coming into that interface are marked with infinite distance metrics. Poison reverse guards against loops spanning multiple RIP routers.

Unfortunately there are some issues with Split Horizon in a Hub and Spoke Network. In a hub and spoke network, routes from remote frame relay sites will not be sent to other remote locations because of the split horizon enabled by default on the sub interfaces. It is possible to disable split horizon, but then we lose the loop protection. Disabling Split Horizon will ensure full connectivity between all locations in a hub and spoke topology using RIPv2. Split horizon can be turned off on a sub-interface on the hub without impacting the other sub-interfaces. If split horizon is enabled, neither auto-summary nor interface summary addresses (those configured with the ip summary-address rip command) are advertised. If summary addresses or a hub router are required, then disable split horizon and use filtering or discard routes (null) for preventing loops.
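Added example (not from the original workbook): a small Python simulation of the hub-and-spoke behaviour described above, using the lab's R3 hub and R5/R6 spokes. The LAN prefixes behind the spokes and the synchronous update rounds are assumptions made for illustration.

```python
INFINITY = 16  # RIP metric meaning "unreachable"

# Constructed topology modelled on the lab's hub and spoke: R3 is the hub on a
# multipoint sub-interface, R5 and R6 are spokes with a PVC to the hub only.
# Each key is (router, interface); the value lists who hears an update sent
# out of that interface.
LINKS = {
    ("R3", "Serial0/0/0.2"): [("R5", "Serial0/0/0"), ("R6", "Serial0/0/0")],
    ("R5", "Serial0/0/0"): [("R3", "Serial0/0/0.2")],
    ("R6", "Serial0/0/0"): [("R3", "Serial0/0/0.2")],
}
# Constructed LAN prefixes behind each spoke (assumptions, not from the page).
CONNECTED = {"R3": [], "R5": ["10.55.0.0/24"], "R6": ["10.66.0.0/24"]}


def converge(split_horizon_disabled=frozenset(), rounds=4):
    """Run synchronous RIP update rounds and return every routing table.

    Tables map prefix -> (metric, interface the route was learned on).
    split_horizon_disabled holds the (router, interface) pairs on which
    split horizon has been turned off.
    """
    tables = {r: {p: (0, None) for p in nets} for r, nets in CONNECTED.items()}
    for _ in range(rounds):
        updates = []
        for (router, iface), peers in LINKS.items():
            horizon = (router, iface) not in split_horizon_disabled
            for prefix, (metric, learned_on) in tables[router].items():
                if horizon and learned_on == iface:
                    continue  # never advertise a route back out where it came in
                for peer, peer_iface in peers:
                    updates.append(
                        (peer, peer_iface, prefix, min(metric + 1, INFINITY)))
        # Apply all updates after every router has built its advertisements.
        for peer, peer_iface, prefix, metric in updates:
            known = tables[peer].get(prefix, (INFINITY, None))[0]
            if metric < known:
                tables[peer][prefix] = (metric, peer_iface)
    return tables


def reachable(tables, router, prefix):
    """True when the router holds a route to the prefix below metric 16."""
    return tables[router].get(prefix, (INFINITY, None))[0] < INFINITY


if __name__ == "__main__":
    cases = (
        ("split horizon on everywhere", frozenset()),
        ("split horizon off on hub R3 Serial0/0/0.2",
         frozenset({("R3", "Serial0/0/0.2")})),
    )
    for label, disabled in cases:
        tables = converge(disabled)
        print(label)
        for router in ("R5", "R6"):
            print(" ", router, sorted(tables[router].items()))
```

With split horizon left on, the hub learns both spoke LANs but never re-advertises them out the sub-interface they arrived on, so the spokes stay unaware of each other.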

Filtering

RIP can filter routes by using a distribute list. A distribute list is used to filter the contents of inbound or outbound routing protocol updates. Standard IP access lists are used to define a list against which the contents of the routing updates are matched. Remember that the access list is applied to the contents of the update, not to the source or destination of the routing update packets themselves.

The distribute-list command is entered at the global or router configuration levels and there is an option to apply the list to specific interfaces. For any given routing protocol it is possible to define one interface-specific distribute-list per interface and one protocol-specific distribute-list for each process/autonomous-system pair. Here is an example:

access-list 1 permit 10.0.0.0 0.255.255.255
access-list 2 permit 172.16.3.0 0.0.0.255
router rip
 distribute-list 1 in ethernet 0
 distribute-list 2 out

Because distribute-list can use an access-list, we can have some very complex filtering using binary. The following example filters only the odd prefixes using an access-list based prefix list:

Allow only odd routes from 1.1.0.0 from R1 to other routers.

Network 1.1.1.0 0.0.254.255

My network = 0


My mask = 1

Binary Octet  128  64  32  16   8   4   2   1
1.1.1.0         0   0   0   0   0   0   0   1
1.1.3.0         0   0   0   0   0   0   1   1
1.1.5.0         0   0   0   0   0   1   0   1

Mask        11111111.11111111.11111110.00000000
Network     00000001.00000001.00000001.00000000
First host  00000001.00000001.00000001.00000000
2nd host    00000001.00000001.00000011.00000000

The 254 in the inverse mask translates to 11111110, which tells the ACL to not care about anything in that octet except the least significant bit. In this case that position is 1 in the third octet. Only odd numbers have a 1 in that bit placement. Thus we have a match for every odd network.
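The wildcard test described above can be checked offline before a filter is applied to a live routing process. The following Python sketch is an added example, not part of the original workbook: it evaluates the page's entry (base 1.1.1.0, wildcard 0.0.254.255) against a constructed list of advertised networks, and generalizes to an even-network counterpart and a first-match deny entry, both of which are assumptions made for illustration.

```python
import ipaddress


def to_int(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def care_bits(wildcard):
    """Show, in dotted binary, which bits the ACL entry actually compares.
    A 0 in the wildcard means 'must match', so the care mask is its inverse."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return ".".join(f"{(care >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def entry_matches(network, base, wildcard):
    """Standard-ACL comparison: bits set in the wildcard are ignored,
    every other bit of the advertised network must equal the base."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(network) & care) == (to_int(base) & care)


def distribute_list(acl, advertised):
    """Return the networks that survive the filter.
    Entries are evaluated top-down, the first match decides, and anything
    that matches no entry falls through to the implicit deny."""
    permitted = []
    for network in advertised:
        for action, base, wildcard in acl:
            if entry_matches(network, base, wildcard):
                if action == "permit":
                    permitted.append(network)
                break
    return permitted


# The entry from the page: only the low bit of the third octet is compared.
ODD_ACL = [("permit", "1.1.1.0", "0.0.254.255")]

# Assumption: the even counterpart uses a base whose third-octet low bit is 0.
EVEN_ACL = [("permit", "1.1.0.0", "0.0.254.255")]

# Assumption: a more specific deny placed first removes one odd network.
ODD_EXCEPT_5_ACL = [
    ("deny", "1.1.5.0", "0.0.0.255"),
    ("permit", "1.1.1.0", "0.0.254.255"),
]

# Constructed update contents (not taken from the lab topology).
UPDATE = [
    "1.1.1.0", "1.1.2.0", "1.1.3.0", "1.1.3.128", "1.1.4.0",
    "1.1.5.0", "1.1.255.0", "1.2.1.0", "2.1.1.0",
]

if __name__ == "__main__":
    print("compared bits:", care_bits("0.0.254.255"))
    print("odd filter   :", distribute_list(ODD_ACL, UPDATE))
    print("even filter  :", distribute_list(EVEN_ACL, UPDATE))
    print("odd except 5 :", distribute_list(ODD_EXCEPT_5_ACL, UPDATE))
```

Note that 1.1.3.128 is permitted as well: the wildcard ignores the whole fourth octet, so a standard ACL cannot tell subnets of an odd network apart.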

Summary

In RIPv2 summaries are applied to an interface. You can still use auto summary, but it will only summarize to the classful boundary; the summary-address allows for classless summarization.

r1lab(config-if)# ip summary-address rip 10.20.0.0 255.255.255.0

In order for summaries to work, split horizon must be disabled on the interface. However, the interface summary does not insert a NULL0 entry into the routing table, so beware of routing loops.

Authentication

RIPv2 uses a key chain on the interface to protect updates with clear text or MD5.

r1lab(config)# interface s0
r1lab(config-if)# ip rip authentication key-chain cisco
r1lab(config-if)# ip rip authentication mode {md5 | text}
r1lab(config)# key chain cisco
r1lab(config-keychain)# key 1
r1lab(config-keychain-key)# key-string cisco

Default Routes

Default routes can be advertised in RIPv2 in the following ways:

• Redistribute static [ip route 0.0.0.0 0.0.0.0 null0 permanent]

• Default information originate

• [ip default network 1.0.0.0]


RIPv2 LAB

Scenario

So far we have set up the basic campus network at Turn-Key Inc's branch office as well as the leased Ethernet and Frame Relay WAN connections between the sites. Normally, in a project similar in scope, we would not configure any of the network management or security features until after we have tested the network stability and performance. In most network deployments it is also a good idea to enable an easy-to-configure routing protocol so we can test the infrastructure. In this scenario we will use basic RIP and a few tweaks to test connectivity. Afterwards we can enable more complex features and optimize the routing with other protocols.

RIP Tasks

Task 1 (Basic RIPv2): Configure every router with RIPv2, including the ISP routers R7 and R8. Put the existing connected networks into RIPv2 on each router. Use a single network statement to configure this. After all routers are configured for RIPv2, make any necessary adjustments for sites having difficulties exchanging updates. Now that basic RIPv2 is configured, from R1 ping every IP address configured so far to validate and troubleshoot any connectivity issues. (Hint) Create a TCL script to make the ping testing easier moving forward. It is OK if R1 cannot ping its own S0/0/0 interface (172.16.1.1).

Task 2 (Route Optimization): Turn-key would like us to prove that we can utilize the Leased Ethernet to reach the Branch campus from the ISP and vice versa before they allow us to move forward with implementing other routing protocols. Test trace routes to the Branch site IP addresses to ensure traffic flows in/out of Vlan10 (192.168.10.0).

Task 3 (Authentication): The connections to/from the ISP are not trusted by Turn-key and the customer desires some security for the routing protocols between R2-R7 and R3-R8. Use the most secure method with cisco as the password.

Task 4 (Hub-and-Spoke): Turn-key would like to not have broadcast or multicast from the routing protocols on this WAN segment between R3-R5-R6.

Task 5 (Filtering): Only allow even networks to be learned in RIP from R7 to R2 and only allow odd networks to be learned from R8 to R3. Because R7 and R8 have a PPP connection between each other, you may need some additional filtering to prevent the routes from passing through the other router. Configure the following loopback and IP addresses on R7 and R8:

R7:
Int lo0
Ip address 130.0.1.1 255.255.255.0
Ip address 130.0.2.1 255.255.255.0 secondary
Ip address 130.0.3.1 255.255.255.0 secondary
Ip address 130.0.4.1 255.255.255.0 secondary
Ip address 130.0.5.1 255.255.255.0 secondary
Ip address 130.0.6.1 255.255.255.0 secondary


R8:
Int lo0
Ip address 131.0.1.1 255.255.255.0
Ip address 131.0.2.1 255.255.255.0 secondary
Ip address 131.0.3.1 255.255.255.0 secondary
Ip address 131.0.4.1 255.255.255.0 secondary
Ip address 131.0.5.1 255.255.255.0 secondary
Ip address 131.0.6.1 255.255.255.0 secondary

(Bonus) On the same connections to/from R7/R2 and R8/R3, configure RIP so that updates are sent only when route changes occur and not every 30 seconds.


RIP Answers

Task 1 (Basic RIPv2): To use the least amount of network statements on every router, configure:

router rip
 version 2
 network 0.0.0.0
 no auto-summary

On the switches we would configure 10.0.0.0 because SVI interfaces (Vlan) do not configure under 0.0.0.0:

router rip
 version 2
 network 10.0.0.0
 no auto-summary

SW1 also needs 192.168.10.0 for neighbors on the Leased Ethernet Vlan 10.

To make sure updates are learned from both R5 and R6, disable split horizon on R3 s0/0/0.2.

R3:
interface Serial0/0/0.2 multipoint
 description Hub-and-spoke-5-6
 ip address 172.16.3.3 255.255.255.0
 no ip split-horizon
 frame-relay map ip 172.16.3.3 305
 frame-relay map ip 172.16.3.5 305 broadcast
 frame-relay map ip 172.16.3.6 306 broadcast
 no frame-relay inverse-arp

To test all the IP address connectivity from R1, use the following TCL script:

tclsh
foreach address {
10.3.3.1
10.3.3.2
10.4.4.1
10.4.4.2
10.5.5.1
10.5.5.2
10.6.6.1
10.6.6.2
10.7.7.1
10.7.7.2
10.8.8.1
10.8.8.2
10.9.9.1
10.9.9.2
192.168.10.1
192.168.10.2
192.168.10.3
192.168.10.5
192.168.10.6
192.168.10.9
172.16.1.2
172.16.1.3
172.16.2.2
172.16.2.5
172.16.3.3
172.16.3.5
172.16.3.6
172.16.5.2
172.16.5.7
172.16.6.3
172.16.6.8
} {ping $address}

Task 2 (Route Optimization):

On R1, R2, R3, R5 and R6 an offset list can be used to manipulate the RIP routing.

R1:
router rip
 version 2
 offset-list rip in 3 Serial0/0/0
 network 0.0.0.0
 no auto-summary

ip access-list standard rip
 permit 192.168.10.0
 permit 172.16.0.0 0.0.255.255

Show ip route

8atewa* of last resort is not set

12.1>9.1!.!B24 I12!B1J ia 1!.>.>.1A !!0!!01A :astEthernet!B!  1"2.1>.!.!B1> is aria5l* s5nettedA 9 s5netsA 2 mass 1"2.1>.4.9B32 I12!B3J ia 1!.>.>.1A !!0!!01A :astEthernet!B! 1"2.1>.4.!B24 I12!B3J ia 1!.>.>.1A !!0!!01A :astEthernet!B! 1"2.1>..!B24 I12!B2J ia 1!.>.>.1A !!0!!01A :astEthernet!B! 1"2.1>.>.!B24 I12!B2J ia 1!.>.>.1A !!0!!01A :astEthernet!B! 1"2.1>.1.!B24 is directl* connectedA Serial!B!B! 1"2.1>.2.!B24 I12!B2J ia 1!.>.>.1A !!0!!01"A :astEthernet!B! 1"2.1>.4."B32 I12!B3J ia 1!.>.>.1A !!0!!01"A :astEthernet!B! 1"2.1>.3.!B24 I12!B2J ia 1!.>.>.1A !!0!!01"A :astEthernet!B!  1!.!.!.!B9 is aria5l* s5nettedA 9 s5netsA 2 mass

R2:
router rip
 version 2
 offset-list rip in 2 Serial0/0/0.1
 network 0.0.0.0
 no auto-summary

ip access-list standard rip
 permit 10.0.0.0 0.255.255.255
 permit 192.168.10.0


Show ip route

  1!.!.!.!B9 is aria5l* s5nettedA 9 s5netsA 2 mass 1!.11.11.!B3! I12!B2J ia 12.1>9.1!.1A !!0!!0!A :astEthernet!B! 1!...!B3! I12!B2J ia 12.1>9.1!.1A !!0!!0!A :astEthernet!B! 1!.9.9.!B3! I12!B1J ia 12.1>9.1!.1A !!0!!0!A :astEthernet!B! 1!.".".!B3! I12!B2J ia 12.1>9.1!.1A !!0!!0!A :astEthernet!B!

1!.>.>.!B3! I12!B1J ia 12.1>9.1!.1A !!0!!0!A :astEthernet!B! 1!...!B3! I12!B1J ia 12.1>9.1!.1A !!0!!0!A :astEthernet!B! 1!.4.4.!B24 I12!B1J ia 12.1>9.1!.1A !!0!!0!A :astEthernet!B! 1!.3.3.!B24 I12!B1J ia 12.1>9.1!.1A !!0!!0!A :astEthernet!B!

R3:
router rip
 version 2
 offset-list rip in 2 Serial0/0/0.1
 network 0.0.0.0
 no auto-summary

ip access-list standard rip
 permit 10.0.0.0 0.255.255.255
 permit 192.168.10.0

1!.11.11.!B3! I12!B2J ia 12.1>9.1!.1A !!0!!02!A :astEthernet!B! 1!...!B3! I12!B2J ia 12.1>9.1!.1A !!0!!02!A :astEthernet!B! 1!.9.9.!B3! I12!B1J ia 12.1>9.1!.1A !!0!!02!A :astEthernet!B! 1!.".".!B3! I12!B2J ia 12.1>9.1!.1A !!0!!02!A :astEthernet!B! 1!.>.>.!B3! I12!B1J ia 12.1>9.1!.1A !!0!!02!A :astEthernet!B! 1!...!B3! I12!B1J ia 12.1>9.1!.1A !!0!!02!A :astEthernet!B! 1!.4.4.!B24 I12!B1J ia 12.1>9.1!.1A !!0!!02!A :astEthernet!B! 1!.3.3.!B24 I12!B1J ia 12.1>9.1!.1A !!0!!02!A :astEthernet!B!

On R7 and R8 run a TCL script with Trace route:

tclsh
foreach address {
10.3.3.1
10.3.3.2
10.4.4.1
10.4.4.2
10.5.5.1
10.5.5.2
10.6.6.1
10.6.6.2
10.7.7.1
10.7.7.2
10.8.8.1
10.8.8.2
10.9.9.1
10.9.9.2
} {trace $address}

Type escape sequence to abort.
Tracing the route to 10.3.3.1

  1 172.16.5.2 28 msec 28 msec 28 msec
  2 192.168.10.1 28 msec 28 msec *
Type escape sequence to abort.
Tracing the route to 10.3.3.2

  1 172.16.5.2 28 msec 28 msec 28 msec
  2 192.168.10.1 28 msec 28 msec 28 msec
  3 10.3.3.2 28 msec 28 msec *


KLl 2 10230!3.>10 1!.4.4.!B24 ia !.!.!.! in 2 hopsKLl 2 10230!3.>10 1!...!B3! ia !.!.!.! in 2 hopsKLl 2 10230!3.>10 1!.>.>.!B3! ia !.!.!.! in 2 hopsKLl 2 10230!3.>10 1!.".".!B3! ia !.!.!.! in 3 hopsKLl 2 10230!3.>10 1!.9.9.!B3! ia !.!.!.! in 2 hopsKLl 2 10230!3.>10 1!...!B3! ia !.!.!.! in 3 hopsKLl 2 10230!3.>10 1!.11.11.!B3! ia !.!.!.! in 3 hopsKLl 2 10230!3.>10 13!.!.2.!B24 ia !.!.!.! in 3 hops

KLl 2 10230!3.>10 13!.!.4.!B24 ia !.!.!.! in 3 hopsKLl 2 10230!3.>10 13!.!.>.!B24 ia !.!.!.! in 3 hopsKLl 2 10230!3.>10 131.!.1.!B24 ia !.!.!.! in 2 hopsKLl 2 10230!3.>10 131.!.3.!B24 ia !.!.!.! in 2 hopsKLl 2 10230!3.>10 131.!..!B24 ia !.!.!.! in 2 hopsKLl 2 10230!3.>10 1"2.1>.1.!B24 ia !.!.!.! in 1 hopsKLl 2 10230!3.>10 1"2.1>.2.!B24 ia !.!.!.! in 2 hopsKLl 2 10230!3.>10 1"2.1>.3.!B24 ia !.!.!.! in 1 hopsKLl 2 10230!3.>10 1"2.1>..!B24 ia !.!.!.! in 2 hopsKLl 2 10230!3.>10 1"2.1>.>.!B24 ia !.!.!.! in 1 hopsKLl 2 10230!3.>10 12.1>9.1!.!B24 ia !.!.!.! in 1 hopsKLl 2 10230!>.1430 </0 receied 2 pdate from 1"2.1>.3. on Serial!B!B!KLl 2 10230!>.1430 1!.3.3.!B24 ia !.!.!.! in 2 hopsKLl 2 10230!>.1430 1!.4.4.!B24 ia !.!.!.! in 2 hopsKLl 2 10230!>.1430 1!...!B3! ia !.!.!.! in 2 hopsKLl 2 10230!>.1430 1!.>.>.!B3! ia !.!.!.! in 2 hopsKLl 2 10230!>.1430 1!.".".!B3! ia !.!.!.! in 3 hops

KLl 2 10230!>.1430 1!.9.9.!B3! ia !.!.!.! in 2 hopsKLl 2 10230!>.1430 1!...!B3! ia !.!.!.! in 3 hopsKLl 2 10230!>.1430 1!.11.11.!B3! ia !.!.!.! in 3 hopsKLl 2 10230!>.1430 13!.!.2.!B24 ia 1"2.1>.3.3 in 4 hopsKLl 2 10230!>.1430 13!.!.4.!B24 ia 1"2.1>.3.3 in 4 hopsKLl 2 10230!>.1430 13!.!.>.!B24 ia 1"2.1>.3.3 in 4 hopsKLl 2 10230!>.1430 131.!.1.!B24 ia 1"2.1>.3.3 in 3 hopsKLl 2 10230!>.14"0 131.!.3.!B24 ia 1"2.1>.3.3 in 3 hopsKLl 2 10230!>.14"0 131.!..!B24 ia 1"2.1>.3.3 in 3 hopsKLl 2 10230!>.14"0 1"2.1>.1.!B24 ia 1"2.1>.3.3 in 2 hopsKLl 2 10230!>.14"0 1"2.1>.2.!B24 ia !.!.!.! in 2 hopsKLl 2 10230!>.14"0 1"2.1>.3.!B24 ia !.!.!.! in 1 hopsKLl 2 10230!>.14"0 1"2.1>..!B24 ia !.!.!.! in 2 hopsKLl 2 10230!>.14"0 1"2.1>.>.!B24 ia 1"2.1>.3.3 in 2 hopsKLl 2 10230!>.14"0 12.1>9.1!.!B24 ia !.!.!.! in 1 hops

Task 5 (Filtering): A distribute-list is needed to filter these routes. Remember RIP waits for the FLUSH time to remove routes. Give it a few minutes and then look at the routing tables.

R2:
router rip
 version 2
 offset-list rip in 2 Serial0/0/0.1
 network 0.0.0.0
 distribute-list ripin in Serial0/0/0.3
 no auto-summary

ip access-list standard ripin
 permit 130.0.0.0 0.0.254.255
 permit 131.0.1.0 0.0.254.255

  I12!B1J ia 1"2.1>.1.3A !!0!!0!3A Serial!B!B!.1  13!.!.!.!B24 is s5nettedA 3 s5nets 13!.!.2.! I12!B1J ia 1"2.1>.."A !!0!!01!A Serial!B!B!.3 13!.!.>.! I12!B1J ia 1"2.1>.."A !!0!!012A Serial!B!B!.3 13!.!.4.! I12!B1J ia 1"2.1>.."A !!0!!012A Serial!B!B!.3 131.!.3.! I12!B2J ia 12.1>9.1!.3A !!0!!014A :astEthernet!B!  I12!B2J ia 1"2.1>.1.3A !!0!!0!A Serial!B!B!.1 131.!.1.! I12!B2J ia 12.1>9.1!.3A !!0!!01>A :astEthernet!B!


  I12!B2J ia 1"2.1>.1.3A !!0!!0!>A Serial!B!B!.1 131.!..! I12!B2J ia 12.1>9.1!.3A !!0!!01>A :astEthernet!B!  I12!B2J ia 1"2.1>.1.3A !!0!!0!>A Serial!B!B!.1

R3:
router rip
 version 2
 offset-list rip in 2 Serial0/0/0.1
 network 0.0.0.0
 distribute-list ripin in Serial0/0/0.3
 no auto-summary

ip access-list standard ripin
 permit 130.0.0.0 0.0.254.255
 permit 131.0.1.0 0.0.254.255

  13!.!.!.!B24 is s5nettedA 3 s5nets 13!.!.2.! I12!B2J ia 12.1>9.1!.2A !!0!!01A :astEthernet!B!  I12!B2J ia 1"2.1>.>.9A !!0!!0!1A Serial!B!B!.3  I12!B2J ia 1"2.1>.1.2A !!0!!0!A Serial!B!B!.1 13!.!.>.! I12!B2J ia 12.1>9.1!.2A !!0!!02!A :astEthernet!B!  I12!B2J ia 1"2.1>.>.9A !!0!!0!3A Serial!B!B!.3  I12!B2J ia 1"2.1>.1.2A !!0!!01!A Serial!B!B!.1 13!.!.4.! I12!B2J ia 12.1>9.1!.2A !!0!!02!A :astEthernet!B!

  I12!B2J ia 1"2.1>.>.9A !!0!!0!3A Serial!B!B!.3  I12!B2J ia 1"2.1>.1.2A !!0!!01!A Serial!B!B!.1  131.!.!.!B24 is s5nettedA 3 s5nets 131.!.3.! I12!B1J ia 1"2.1>.>.9A !!0!!0!4A Serial!B!B!.3 131.!.1.! I12!B1J ia 1"2.1>.>.9A !!0!!0!4A Serial!B!B!.3 131.!..! I12!B1J ia 1"2.1>.>.9A !!0!!0!4A Serial!B!B!.3

Bonus: Configure on the interfaces of R2, R3, R7 and R8: (config-subif)# ip rip triggered, to only send updates when changes occur.

Day 1

EIGRP

Overview

EIGRP is a Cisco proprietary protocol that combines the attributes of a Link State and a Distance Vector routing protocol. It is considered a 'hybrid' routing protocol. EIGRP was released as an enhancement to Cisco's other proprietary routing protocol, IGRP. EIGRP supports automatic route summarization, VLSM addressing, multicast updates, non-periodic updates, unequal-cost load balancing and independent support for IPX and AppleTalk.

EIGRP added many features to overcome the limitations of IGRP:

• The Diffusing Update Algorithm (DUAL)

• Loop-free networks

• Incremental updates instead of periodic (only send changes as they occur)

• Knowledge about neighbors as opposed to the entire network

• Independent support for IP, IPX and AppleTalk

• Classless routing

• Efficient summarization of networks

• Efficient use of link bandwidth for routing updates


• Authentication

• EIGRP uses the same metrics as IGRP

Updates

EIGRP sends hello packets every 5 seconds on high bandwidth links like PPP and HDLC leased lines, Ethernet, TR, FDDI, Frame Relay point-to-point and ATM. It sends hellos every 60 seconds on low bandwidth multipoint links like FR multipoint and ATM multipoint links.

• EIGRP reliable packets are: Update, Query and Reply.

• EIGRP unreliable packets are: Hello and Ack.

Updates are always transmitted reliably. Updates convey reachability of destinations. On discovery of a new neighbor, update packets are sent so the neighbor can build its topology table. These update packets are unicast. In other cases, such as a link cost change, updates are multicast.

Both queries and replies are transmitted reliably. When destinations go into active state, queries and replies are sent. Queries are always multicast unless they are sent in response to a received query. In this case a reply is unicast back to the successor that originated the query. Replies are always sent in response to queries to indicate to the originator that it does not need to go into active state because it has feasible successors. Replies are unicast to the originator of the query.

Authentication

Authentication in EIGRP is very similar to RIP V2 authentication, except that EIGRP only supports MD5 authentication. EIGRP uses key chains and interface commands to configure authentication.

r1lab(config)# interface s0
r1lab(config-if)# ip authentication mode eigrp 222 md5
r1lab(config-if)# ip authentication key-chain eigrp 222 cisco
r1lab(config)# key chain cisco
r1lab(config-keychain)# key 1
r1lab(config-keychain-key)# key-string ccie

Default Routes

Default routes can be configured in EIGRP in three different ways:

• [ip summary address eigrp 100 0.0.0.0 0.0.0.0]

• [ip default network]

• [redistribute ip route 0.0.0.0 0.0.0.0 null 0]

   - [redistribute static or network 0.0.0.0]

The ip default network must be a classful network that is used as the candidate default network in EIGRP. This method is a legacy left over from IGRP.

Summarization

In EIGRP auto summary is on by default and it is used to summarize to classful boundaries. No auto-summary allows the router to summarize to bit boundaries. This type of summarization is configured on the interface and split horizon must be disabled for it to work. As you can see in the following example, an AD of 5 is assigned to summaries:

  r1lab(config-if)# ip summary-address eigrp 222 10.2.0.0 255.255.255.0 5

Also, there is no way to get rid of the NULL0 entry in EIGRP; it is added to avoid loops. You can set the AD to 255 and it will remove the summary from the originating router's route table and will still send the summary to another router. Care must be taken to filter the summary from returning by implementing a route map etc., since split horizon is disabled and there would be no Null 0 protection.

Metrics

DUAL selects primary and backup routes using the composite metric and guarantees that the selected routes are loop free. The primary routes are then moved to a routing table. The rest (up to 6) are stored in the topology table as feasible successors.

EIGRP uses the same composite metric as IGRP to determine the best path. The default criteria used are:

• Bandwidth: The smallest bandwidth cost between source and destination

• Delay: Cumulative interface delay along the path

• Reliability: Worst reliability between source and destination depending on keepalives

• Load: Utilization on a link between source and destination measured in bits per second on its worst link

• MTU: The smallest Maximum Transmission Unit

The default for EIGRP is to use only bandwidth and delay when calculating the metric. EIGRP uses the following scaled values to determine the total metric to the network:

EIGRP Metric = 256*((K1*Bw) + (K2*Bw)/(256-Load) + (K3*Delay))*(K5/(Reliability + K4))

The default values for K are:

K1 = 1
K2 = 0
K3 = 1
K4 = 0
K5 = 0

For the default you can simplify the formula as: Metric = Bandwidth + Delay

After two routers become neighbors, each will send routing updates (and other packets) to the other using a reliable multicast scheme.

For example, assume that router 1 has a series of packets, such as a routing table update, which must be transmitted to routers 2, 3 and 4. Router 1 will send the first packet to the EIGRP multicast address 224.0.0.10 and then will wait for acknowledgment from each of its neighbors on its Ethernet interface (in this case routers 2, 3 and 4).

Assume that routers 2 and 4 answer the multicast packet but router 3 does not. Router 1 will wait until the multicast flow timer expires on the Ethernet interface, then send out a special packet, a sequence TLV, telling router 3 not to listen to any further multicast packets from router 1. Router 1 will then continue transmitting the remainder of the update packets as multicast to all other routers on the network. The sequence TLV indicates an out-of-sequence multicast packet.


Those routers not listed in the packet enter Conditional Receive (CR) mode and continue listening to multicast. While there are some routers in this mode, the Conditional Receive bit will be set in multicast packets. In this case router 1 will send out a sequence TLV with router 3 listed, so routers 2 and 4 will continue listening to further multicast updates. If a router receives an update packet with the init flag set, it clearly implies that this packet is the first after a new neighbor relationship has been established. If we clear the IP EIGRP neighbor relationship, it will automatically cause the EIGRP neighbor relationship to be restarted.

Init Flag

There is an 8-bit flag value in the EIGRP header. The rightmost bit is init. When init is set to 0x00000001, the enclosed route entries are treated as the first in a new neighbor relationship.

Note that route entries are carried in update packets, not hello packets. This debug output displays the Init Sequence increasing only with the update packet:

Router# debug eigrp packet
EIGRP: Sending HELLO on Ethernet0/1
  AS 666, Flags 0x0, Seq 0, Ack 0
EIGRP: Sending HELLO on Ethernet0/1
  AS 666, Flags 0x0, Seq 0, Ack 0
EIGRP: Sending HELLO on Ethernet0/1
  AS 666, Flags 0x0, Seq 0, Ack 0
EIGRP: Received UPDATE on Ethernet0/1 from 10.23.23.23
  AS 666, Flags 0x1, Seq 1, Ack 0
EIGRP: Sending HELLO/ACK on Ethernet0/1 to 10.23.23.23
  AS 666, Flags 0x0, Seq 0, Ack 1
EIGRP: Sending HELLO/ACK on Ethernet0/1 to 10.23.23.23
  AS 666, Flags 0x0, Seq 0, Ack 1
EIGRP: Received UPDATE on Ethernet0/1 from 10.23.23.23
  AS 666, Flags 0x0, Seq 2, Ack 0

• Successor: A route selected as the primary route to reach a destination network specified by the Feasibility Condition. Successors are entries kept in the routing table.

• Feasible Successor: A backup route to a specified network. Multiple feasible successors for a destination network can be retained in a topology table. Thus when a route goes down, the entire routing table does not have to be recomputed.

Feasibility Condition

When the receiving router has a Feasible Distance (FD) to a specified network and when it receives an update from a neighbor with a lower advertised or Reported Distance (RD) to that network, the Feasible Condition is met. The neighbor then becomes a Feasible Successor (FS) for that route because it is one hop closer to the destination network. In a meshed network environment there can be a number of Feasible Successors.


The RD for a neighbor to reach a specified network must always be less than the FD for the local router to reach the network. In this way EIGRP avoids routing loops. This is the reason why routes that have an RD larger than the FD are not entered into the Topology table.
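The metric formula from the Metrics section and the Feasibility Condition above can be worked through together. The following Python sketch is an added example, not part of the original workbook: it computes the composite metric with the default K values and then picks the successor and feasible successors among three neighbors. The scaling of bandwidth (10^7 divided by the slowest link in kbps) and delay (tens of microseconds) is the classic EIGRP convention and is not stated on this page; the three paths are constructed sample data.

```python
K_DEFAULT = (1, 0, 1, 0, 0)  # K1..K5 defaults listed on the page


def composite_metric(min_bw_kbps, total_delay_usec, load=1, reliability=255,
                     k=K_DEFAULT):
    """Classic EIGRP composite metric using integer arithmetic.
    Assumption (not on the page): Bw = 10^7 / slowest link in kbps and
    Delay = cumulative delay in tens of microseconds."""
    k1, k2, k3, k4, k5 = k
    bw = 10**7 // min_bw_kbps
    delay = total_delay_usec // 10
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay
    # The reliability factor is only applied when K5 is non-zero;
    # with the default K5 = 0 the formula reduces to Bandwidth + Delay.
    if k5 != 0:
        metric = metric * k5 // (reliability + k4)
    return 256 * metric


def dual_select(paths):
    """Apply the Feasibility Condition to every neighbor.
    RD = the neighbor's own metric to the destination.
    Distance via a neighbor = metric of the whole path including our link.
    FD = the lowest such distance; a backup qualifies only if RD < FD."""
    table = {}
    for name, p in paths.items():
        rd = composite_metric(p["nbr_bw"], p["nbr_delay"])
        total = composite_metric(min(p["nbr_bw"], p["link_bw"]),
                                 p["nbr_delay"] + p["link_delay"])
        table[name] = {"rd": rd, "distance": total}
    successor = min(table, key=lambda n: table[n]["distance"])
    fd = table[successor]["distance"]
    others = [n for n in table if n != successor]
    return {
        "table": table,
        "successor": successor,
        "fd": fd,
        "feasible_successors": sorted(n for n in others if table[n]["rd"] < fd),
        "rejected": sorted(n for n in others if table[n]["rd"] >= fd),
    }


# Constructed sample: bandwidth in kbps, delay in microseconds.
# nbr_* describe the neighbor's path to the destination,
# link_* describe our own link to that neighbor.
PATHS = {
    "A": {"nbr_bw": 100000, "nbr_delay": 100, "link_bw": 100000, "link_delay": 100},
    "B": {"nbr_bw": 100000, "nbr_delay": 100, "link_bw": 1544, "link_delay": 20000},
    "C": {"nbr_bw": 1544, "nbr_delay": 20100, "link_bw": 100000, "link_delay": 100},
}

if __name__ == "__main__":
    result = dual_select(PATHS)
    for name, row in sorted(result["table"].items()):
        print(name, "RD", row["rd"], "distance", row["distance"])
    print("successor:", result["successor"], "FD:", result["fd"])
    print("feasible successors:", result["feasible_successors"])
    print("not in topology table as backups:", result["rejected"])
```

Neighbor C is rejected even though its path may be loop free in practice: its RD is not below the FD, so DUAL cannot prove it without sending queries.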

Load Balancing

Routes with a metric equal to the minimum metric will be installed in the routing table (equal cost load balancing). Up to six entries in the routing table for the same destination can be stored, but the default is four.

The number of entries is configured with the maximum-paths command.

Unequal cost load balancing will be discussed in Volume II.

Networks and Filtering

Networks are configured from the routing process just like RIPv2. Passive interface and network commands also work.

As for filtering, offset lists and distribute lists work too.

EIGRP Stub

A STUB sets a flag bit in the hello packets and affects what the router will advertise. Typically it is used to send a reduced routing table, so it reduces processing on the router and controls what networks are advertised.

Four options exist for what a stub router can send: receive-only, summary, connected and static.

EIGRP LAB

Scenario

Disable RIP and configure EIGRP as per the following diagram.


Topology

EIGRP Tasks

Task 1 (Basic EIGRP): Configure EIGRP on all routers and switches. Only use a single network statement on the routers. The switches can be configured as you wish.

R7 and R8 will be configured as a stub with only summaries of 172.16.0.0/16, 192.168.10.0/24 and 10.0.0.0/8 being learned from Turnkey, but do not use the stub command under the EIGRP routing process to accomplish this.

Task 2 (Summaries): Make sure the Branch site only advertises a 10.0.0.0/8 outbound. R1 can also advertise a longer mask for its loopback. Configure extra filters to make sure Sw1 is always preferred for the 10.0.0.0 networks. Only Sw1 can have a null 0 route in this Lab.


Task 3 (Defaults): R2 and R3 should send a default route into EIGRP to reach the ISP routers; make sure the ISP routers (R7/R8) do not use this default route.

Task 4 (Routing Table): Verify the routing tables in your equipment and make adjustments until they look the same as Task 4.

208atewa* of last resort is 1"2.1>.." to networ !.!.!.!

12.1>9.1!.!B24 is directl* connectedA :astEthernet!B!  1"2.1>.!.!B1> is aria5l* s5nettedA 9 s5netsA 2 mass7 1"2.1>.4.9B32 I!B291>9>J ia 1"2.1>.."A !!012043A Serial!B!B!.37 1"2.1>.4.!B24 I!B291>9>J ia 1"2.1>.."A !!012043A Serial!B!B!.3 1"2.1>..!B24 is directl* connectedA Serial!B!B!.37 1"2.1>.>.!B24 I!B21"!112J ia 12.1>9.1!.3A !!012042A :astEthernet!B! 1"2.1>.1.!B24 is directl* connectedA Serial!B!B!.1 1"2.1>.2.!B24 is directl* connectedA Serial!B!B!.27 1"2.1>.4."B32  I!B291"!112J ia 12.1>9.1!.3A !!012044A :astEthernet!B!7 1"2.1>.3.!B24 I!B21"!112J ia 12.1>9.1!.>A !!012044A :astEthernet!B!  I!B21"!112J ia 12.1>9.1!.A !!012044A :astEthernet!B!

  I!B21"!112J ia 12.1>9.1!.3A !!012044A :astEthernet!B!  13!.!.!.!B24 is s5nettedA > s5nets7 13!.!.2.! I!B22"9>J ia 1"2.1>.."A !!01204>A Serial!B!B!.37 13!.!.3.! I!B22"9>J ia 1"2.1>.."A !!01204>A Serial!B!B!.37 13!.!.1.! I!B22"9>J ia 1"2.1>.."A !!01204>A Serial!B!B!.37 13!.!.>.! I!B22"9>J ia 1"2.1>.."A !!01204>A Serial!B!B!.37 13!.!.4.! I!B22"9>J ia 1"2.1>.."A !!01204>A Serial!B!B!.37 13!.!..! I!B22"9>J ia 1"2.1>.."A !!01204>A Serial!B!B!.3  1!.!.!.!B9 is aria5l* s5nettedA 4 s5netsA 2 mass7 1!.13.13.!B24 I!B139>J ia 12.1>9.1!.3A !!01302A :astEthernet!B! 1!.12.12.!B24 is directl* connectedA $oop5ac17 1!.1!.1!.!B24 I!B21"49>!3J ia 1"2.1>.1.1A !!01204>A Serial!B!B!.17 1!.!.!.!B9 I!B2>112J ia 12.1>9.1!.1A !!01204A :astEthernet!B!  131.!.!.!B24 is s5nettedA > s5nets7 131.!.3.! I!B229112J ia 12.1>9.1!.3A !!01204A :astEthernet!B!7 131.!.2.! I!B229112J ia 12.1>9.1!.3A !!01204A :astEthernet!B!7 131.!.1.! I!B229112J ia 12.1>9.1!.3A !!01204>A :astEthernet!B!

7 131.!.>.! I!B229112J ia 12.1>9.1!.3A !!01204>A :astEthernet!B!7 131.!..! I!B229112J ia 12.1>9.1!.3A !!01204>A :astEthernet!B!7 131.!.4.! I!B229112J ia 12.1>9.1!.3A !!01204>A :astEthernet!B!  2!9.1.1.!B32 is s5nettedA 2 s5nets7 2!9.1.1.1 I!B22"9>J ia 1"2.1>.."A !!01204"A Serial!B!B!.37 2!9.1.1.2 I!B229112J ia 12.1>9.1!.3A !!01204>A :astEthernet!B!SK !.!.!.!B! I1B!J ia 1"2.1>.."

308atewa* of last resort is 1"2.1>.>.9 to networ !.!.!.!

12.1>9.1!.!B24 is directl* connectedA :astEthernet!B!  1"2.1>.!.!B1> is aria5l* s5nettedA 9 s5netsA 2 mass7 1"2.1>.4.9B32  I!B291"!112J ia 12.1>9.1!.2A !!014031A :astEthernet!B!7 1"2.1>.4.!B24 I!B291>9>J ia 1"2.1>.>.9A !!014031A Serial!B!B!.3

7 1"2.1>..!B24 I!B21"!112J ia 12.1>9.1!.2A !!014031A :astEthernet!B! 1"2.1>.>.!B24 is directl* connectedA Serial!B!B!.3 1"2.1>.1.!B24 is directl* connectedA Serial!B!B!.17 1"2.1>.2.!B24 I!B21"!112J ia 12.1>9.1!.A !!014032A :astEthernet!B!7 1"2.1>.4."B32 I!B291>9>J ia 1"2.1>.>.9A !!014031A Serial!B!B!.3 1"2.1>.3.!B24 is directl* connectedA Serial!B!B!.2  13!.!.!.!B24 is s5nettedA > s5nets7 13!.!.2.! I!B229112J ia 12.1>9.1!.2A !!014032A :astEthernet!B!7 13!.!.3.! I!B229112J ia 12.1>9.1!.2A !!014033A :astEthernet!B!7 13!.!.1.! I!B229112J ia 12.1>9.1!.2A !!014033A :astEthernet!B!7 13!.!.>.! I!B229112J ia 12.1>9.1!.2A !!014033A :astEthernet!B!7 13!.!.4.! I!B229112J ia 12.1>9.1!.2A !!014033A :astEthernet!B!


7 13!.!..! I!B229112J ia 12.1>9.1!.2A !!014033A :astEthernet!B!  1!.!.!.!B9 is aria5l* s5nettedA 4 s5netsA 2 mass 1!.13.13.!B24 is directl* connectedA $oop5ac17 1!.12.12.!B24 I!B139>J ia 12.1>9.1!.2A !!01403A :astEthernet!B!7 1!.1!.1!.!B24 I!B21"49>!3J ia 1"2.1>.1.1A !!014034A Serial!B!B!.17 1!.!.!.!B9 I!B2>112J ia 12.1>9.1!.1A !!014033A :astEthernet!B!  131.!.!.!B24 is s5nettedA > s5nets7 131.!.3.! I!B22"9>J ia 1"2.1>.>.9A !!014032A Serial!B!B!.3

7 131.!.2.! I!B22"9>J ia 1"2.1>.>.9A !!014032A Serial!B!B!.37 131.!.1.! I!B22"9>J ia 1"2.1>.>.9A !!014032A Serial!B!B!.37 131.!.>.! I!B22"9>J ia 1"2.1>.>.9A !!014034A Serial!B!B!.37 131.!..! I!B22"9>J ia 1"2.1>.>.9A !!014034A Serial!B!B!.37 131.!.4.! I!B22"9>J ia 1"2.1>.>.9A !!014034A Serial!B!B!.3  2!9.1.1.!B32 is s5nettedA 2 s5nets7 2!9.1.1.1 I!B229112J ia 12.1>9.1!.2A !!014034A :astEthernet!B!7 2!9.1.1.2 I!B22"9>J ia 1"2.1>.>.9A !!014034A Serial!B!B!.3SK !.!.!.!B! I1B!J ia 1"2.1>.>.9

"08atewa* of last resort is not set

7 12.1>9.1!.!B24 I!B21"!112J ia 1"2.1>..2A !10!"0!4A Serial!B!B!.1  1"2.1>.!.!B1> is aria5l* s5nettedA 4 s5netsA 3 mass 1"2.1>.4.9B32 is directl* connectedA Serial!B!B1 1"2.1>.4.!B24 is directl* connectedA Serial!B!B1 1"2.1>..!B24 is directl* connectedA Serial!B!B!.17 1"2.1>.!.!B1> I!B2>919>J ia 1"2.1>..2A !10!"0!3A Serial!B!B!.1  13!.!.!.!B24 is s5nettedA > s5nets 13!.!.2.! is directl* connectedA $oop5ac! 13!.!.3.! is directl* connectedA $oop5ac! 13!.!.1.! is directl* connectedA $oop5ac! 13!.!.>.! is directl* connectedA $oop5ac! 13!.!.4.! is directl* connectedA $oop5ac! 13!.!..! is directl* connectedA $oop5ac!7 1!.!.!.!B9 I!B21"!3>9J ia 1"2.1>..2A !!01>0!>A Serial!B!B!.1  2!9.1.1.!B32 is s5nettedA 1 s5nets 2!9.1.1.1 is directl* connectedA $oop5ac2

908atewa* of last resort is not set

7 12.1>9.1!.!B24 I!B21"!112J ia 1"2.1>.>.3A !10!9033A Serial!B!B!.1  1"2.1>.!.!B1> is aria5l* s5nettedA 4 s5netsA 3 mass 1"2.1>.4.!B24 is directl* connectedA Serial!B!B1 1"2.1>.>.!B24 is directl* connectedA Serial!B!B!.17 1"2.1>.!.!B1> I!B2>919>J ia 1"2.1>.>.3A !10!9033A Serial!B!B!.1 1"2.1>.4."B32 is directl* connectedA Serial!B!B17 1!.!.!.!B9 I!B21"!3>9J ia 1"2.1>.>.3A !!01"033A Serial!B!B!.1  131.!.!.!B24 is s5nettedA > s5nets 131.!.3.! is directl* connectedA $oop5ac! 131.!.2.! is directl* connectedA $oop5ac! 131.!.1.! is directl* connectedA $oop5ac! 131.!.>.! is directl* connectedA $oop5ac! 131.!..! is directl* connectedA $oop5ac! 131.!.4.! is directl* connectedA $oop5ac!  2!9.1.1.!B32 is s5nettedA 1 s5nets 2!9.1.1.2 is directl* connectedA $oop5ac2

Task (Testing): Ping test connectivity to every IP address from Sw3.

EIGRP Answers

Task 1 (Basic EIGRP): Configure EIGRP on all routers and switches. Only use a single network statement on the routers. The switches can be configured as you wish.

Only an example of a router and a switch is shown because the remainder are redundant:

R1:
router eigrp 100
 network 0.0.0.0
 no auto-summary

Sw1:
router eigrp 100
 network 10.0.0.0
 network 192.168.10.0
 no auto-summary

R7 and R8 will be configured as a stub, with only summaries of 172.16.0.0/16, 192.168.10.0/24 and 10.0.0.0/8 being learned from Turn-key, but do not use the stub command under the eigrp routing process to accomplish this. To make the ISP routers appear to be a stub we will only send summaries from R2 and R3. The 10.0.0.0/8 was already summarized by Sw1 and R1, so we just need to summarize 172.16.0.0 and filter it between R7 and R8.

R2:
router eigrp 100
 redistribute static metric 1 1 1 1 1
 offset-list zero in 2147483647 Serial0/0/0.1
 offset-list zero in 2147483647 Serial0/0/0.2
 network 0.0.0.0
 no auto-summary   (This allows us to use VLSM)
interface Serial0/0/0.3 point-to-point
 ip address 172.16.5.2 255.255.255.0
 ip rip triggered
 ip rip authentication mode md5
 ip rip authentication key-chain cisco
 ip summary-address eigrp 100 172.16.0.0 255.255.0.0 255   (We are setting the AD to 255 to remove the Null0)
 ip ospf 1 area 6
 frame-relay interface-dlci 207

R3:
router eigrp 100
 redistribute static metric 1 1 1 1 1
 offset-list zero in 2147483647 Serial0/0/0.1
 offset-list zero in 2147483647 Serial0/0/0.2
 network 0.0.0.0
 no auto-summary
interface Serial0/0/0.3 point-to-point
 description P2P-to-6
 ip address 172.16.6.3 255.255.255.0
 ip rip triggered
 ip rip authentication mode md5
 ip rip authentication key-chain cisco
 ip summary-address eigrp 100 172.16.0.0 255.255.0.0 255
 ip ospf 1 area
 frame-relay interface-dlci 308

R7:
router eigrp 100
 network 0.0.0.0
 distribute-list prefix null out   (Prevent the summaries from going back to Turnkey)
 distribute-list prefix default in
 no auto-summary
interface Serial0/0/1
 description PPP-to-8
 ip address 172.16.4.7 255.255.255.0
 encapsulation ppp
 ip summary-address eigrp 100 172.16.0.0 255.255.0.0 255   (Only send a summary between R7 & R8 and no Null0)
 delay 1000000
 clock rate 2000000
 ppp authentication chap
 ppp chap hostname user
 ppp chap password 0 cisco
ip prefix-list null seq 5 deny 10.0.0.0/8
ip prefix-list null seq 10 deny 172.16.0.0/16
ip prefix-list null seq 15 deny 192.168.10.0/24
ip prefix-list null seq 20 permit 0.0.0.0/0 le 32   (allow the left over networks)

R8: Same configuration as R7, basically.
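How the "null" prefix-list on R7 treats outbound updates, as an added example that is not part of the original workbook: a small Python evaluator for IOS prefix-list matching (exact length unless ge/le is given, first match wins, implicit deny at the end). The four entries are the ones shown in the R7 answer; the sample routes and the "le 32" variant are constructed for illustration.

```python
import ipaddress

# The "null" prefix-list from the R7 answer: (seq, action, prefix, ge, le).
PREFIX_LIST_NULL = [
    (5, "deny", "10.0.0.0/8", None, None),
    (10, "deny", "172.16.0.0/16", None, None),
    (15, "deny", "192.168.10.0/24", None, None),
    (20, "permit", "0.0.0.0/0", None, 32),
]

# Constructed variant (not from the page): every deny entry gets "le 32",
# so the deny also covers all more-specific routes inside the block.
PREFIX_LIST_STRICT = [
    (seq, action, prefix, ge, 32 if action == "deny" else le)
    for seq, action, prefix, ge, le in PREFIX_LIST_NULL
]

# Constructed sample of routes that R7 might be about to advertise.
SAMPLE_ROUTES = [
    "10.0.0.0/8",
    "10.10.10.0/24",
    "172.16.0.0/16",
    "172.16.4.0/24",
    "192.168.10.0/24",
    "130.0.1.0/24",
    "208.1.1.1/32",
]


def entry_matches(route, prefix, ge=None, le=None):
    """Return True if a route matches one prefix-list entry (IOS rules)."""
    route = ipaddress.ip_network(route)
    prefix = ipaddress.ip_network(prefix)
    # The route must fall inside the entry's prefix (leading bits equal).
    if not route.subnet_of(prefix):
        return False
    # Without ge/le the mask length must be exactly the entry's length.
    if ge is None and le is None:
        return route.prefixlen == prefix.prefixlen
    low = prefix.prefixlen if ge is None else ge
    high = 32 if le is None else le
    return low <= route.prefixlen <= high


def evaluate(prefix_list, route):
    """Return (action, seq) of the first matching entry, lowest seq first."""
    for seq, action, prefix, ge, le in sorted(prefix_list, key=lambda e: e[0]):
        if entry_matches(route, prefix, ge, le):
            return action, seq
    return "deny", None  # implicit deny when nothing matches


def filter_updates(prefix_list, routes):
    """Routes that survive 'distribute-list prefix <name> out'."""
    return [r for r in routes if evaluate(prefix_list, r)[0] == "permit"]


if __name__ == "__main__":
    for name, plist in (("null", PREFIX_LIST_NULL), ("strict", PREFIX_LIST_STRICT)):
        print(f"prefix-list {name}:")
        for route in SAMPLE_ROUTES:
            action, seq = evaluate(plist, route)
            print(f"  {route:<18} {action:<6} (seq {seq})")
```

The exact-length deny entries stop only the three summaries themselves; a more specific route such as 10.10.10.0/24 still falls through to seq 20 and is advertised, which is worth checking whenever a prefix-list is meant to keep an entire address block from leaking.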

Task 2 (Summaries): Make sure the Branch site only advertises a 10.0.0.0/8 outbound. R1 can also advertise a longer mask for its loopback (10.10.10.0/24).

Sw1:
interface Vlan10
 description Vlan10_Leased
 ip address 192.168.10.1 255.255.255.0
 ip summary-address eigrp 100 10.0.0.0 255.0.0.0 5   (This summary adds a Null0 for loop protection)
router eigrp 100
 network 10.0.0.0
 network 192.168.10.0
 no auto-summary

R1:
router eigrp 100
 network 0.0.0.0
 no auto-summary
interface Serial0/0/0
 description ESC_to_2_3
 ip address 172.16.1.1 255.255.255.0
 encapsulation frame-relay
 ip summary-address eigrp 100 10.0.0.0 255.0.0.0 255 leak-map leaky   (A leak map allows a more specific mask 10.10.10.0/24, and AD of 255 removes the Null0)
 ip ospf 1 area 0
 no frame-relay inverse-arp IP 104
 no frame-relay inverse-arp IP 105
 no frame-relay inverse-arp IP 106
 no frame-relay inverse-arp IP 107
 no frame-relay inverse-arp IP 108
 no frame-relay inverse-arp IP 109
 no frame-relay inverse-arp IP 110
 frame-relay lmi-type ansi


Task (Testing): Ping test connectivity to every IP address from Sw3.

On a switch we need to use a macro:

Step 1: Sw4(config)#macro name PING
Enter macro commands one per line. End with the character '@'.
do ping 10.3.3.1
do ping 10.3.3.2
do ping 10.4.4.1
do ping 10.4.4.2
do ping 10.5.5.1
do ping 10.5.5.2
do ping 10.6.6.1
do ping 10.6.6.2
do ping 10.7.7.1
do ping 10.7.7.2
do ping 10.8.8.1
do ping 10.8.8.2
do ping 10.9.9.1
do ping 10.9.9.2
do ping 192.168.10.1
do ping 192.168.10.2
do ping 192.168.10.3
do ping 192.168.10.5
do ping 192.168.10.6
do ping 192.168.10.9
do ping 172.16.1.2
do ping 172.16.1.3
do ping 172.16.2.2
do ping 172.16.2.
do ping 172.16.3.3
do ping 172.16.3.5
do ping 172.16.3.6
do ping 172.16.5.2
do ping 172.16.5.7
do ping 172.16.6.3
do ping 172.16.6.8
do ping 10.10.10.1
do ping 10.12.12.1
do ping 10.13.13.1
do ping 208.1.1.1
do ping 208.1.1.2
@

Step 2: Sw4(config)#macro global apply PING


• Active: The router is doing what it does, route.

• Standby: Waiting, waiting, waiting.

• Speaking and listening: The router is sending and receiving hello messages.

• Listening: The router is receiving hello messages.

The following example configures an SVI interface to have a virtual IP address of 10.2.2.1, which would be used as a default gateway for end-devices. This router's priority is 120, and if it has the highest priority then, after a failure, the virtual IP should become active after a delay of 300 seconds. The default hello timers have been set to 5 seconds, with 15 seconds causing a standby switch over.

configure terminal
interface vlan 2
standby ip 10.2.2.1
standby priority 120 preempt delay 300
standby 1 timers 5 15

Virtual Router Redundancy Protocol (VRRP)

Virtual Router Redundancy Protocol (VRRP) is a non-proprietary (VENDOR NEUTRAL) redundancy protocol designed to increase the availability of the default gateway servicing hosts on the same subnet. This increased reliability is achieved by advertising a "virtual router" (an abstract representation of master and backup routers acting as a group) as a default gateway to the host(s) instead of one physical router. Two or more physical routers are then configured to stand for the virtual router, with only one doing the actual routing at any given time. If the current physical router that is routing the data on behalf of the virtual router fails, an arrangement is made for another physical router to automatically replace it.

The physical router that is currently forwarding data on behalf of the virtual router is called the master router. Physical routers standing by to take over from the master router in case something goes wrong are called backup routers. VRRP can be used over Ethernet, MPLS and token ring networks. Implementations for IPv6 are in development, but not yet available. The VRRP protocol is more widely implemented than its competitors. Vendors like Extreme Networks, Dell, Nokia, Nortel Networks, Cisco Systems, Inc, Allied Telesis, Juniper Networks, Huawei, Foundry Networks, Radware, and 3Com Corporation all offer routers and Layer 3 switches that can use the VRRP protocol. VRRP implementations for Linux and BSD are also available. VRRP is not a routing protocol, as it does not advertise IP routes or affect the routing table in any way.

The following is an example of a router with an IP address of 10.2.2.2 and using a virtual IP of 10.2.2.1 as a gateway for end-devices.

interface vlan 2
ip address 10.2.2.2
vrrp 1 ip 10.2.2.1
vrrp 1 priority 10
vrrp 1 timers advertise 4


Gateway Load Balancing Protocol (GLBP)

Gateway Load Balancing Protocol (GLBP) is a Cisco proprietary protocol that attempts to overcome the limitations of existing redundant router protocols by adding basic load balancing functionality. In addition to being able to set priorities on different gateway routers, GLBP also allows a weighting parameter to be set. Based on this weighting (compared to others in the same virtual router group), ARP requests will be answered with MAC addresses pointing to different routers. Thus load balancing is not based on traffic load, but rather on the number of hosts that will use each gateway router.

The Active Virtual Gateway (AVG) maintains a table of the Virtual Gateway IP address to mac-address mapping of the Active Virtual Forwarders (AVF). When the end hosts ARP, the AVG decides which router AVF's mac-address to respond to the ARP with. In other words, devices will be equally divided between multiple routers with unique mac-addresses but sharing a common virtual IP address. This way DHCP can hand out a single gateway address while the AVG provides the load balancing mechanism.

The following shows a basic GLBP example:

Router 1

trac * interface Serial+* line-protocol up dela$ *

!

interface FastEthernet1/0

ip address 10.1.1.1 255.255.255.0

duplex full

glbp 1 ip 10.1.1.10

glp & weighting &** lower 1/

glp & weighting trac *

glp & forwarder preempt dela$ minimum *

Router 2

trac * interface Serial+* line-protocol up dela$ *

!

interface FastEthernet1/0

ip address 10.1.1.2 255.255.255.0

duplex full

glbp 1 ip 10.1.1.10

glp & priorit$ 1/

glp & weighting &** lower 1/

glp & weighting trac *

glp & forwarder preempt dela$ minimum *

*Note: at the time of writing this workbook the 3560s do not support the GLBP feature.


HSRP Lab

HSRP Tasks

Task 1 (HSRP): Configure redundancy such that Sw1 is the gateway for devices on Vlan 3 and Sw2 is the gateway for devices on Vlan 4. If there is a failover and recovery, make the routers wait 1 minute prior to reverting back to the primary. Both routers must track their connection to R1.


HSRP Answers

Task 1 (HSRP): The answer is to make Sw1 the active router for Vlan 3 and Sw2 the active router for Vlan 4. Both routers need the track command to monitor the status to R1.

Sw1:
interface Vlan3
 description Vlan3_trunked
 ip address 10.3.3.1 255.255.255.0
 standby ip 10.3.3.24
 standby priority 255
 standby preempt delay minimum 60
 standby name Vlan3
 standby track FastEthernet0/1
interface Vlan4
 description Vlan4_trunked
 ip address 10.4.4.1 255.255.255.0
 standby 1 ip 10.4.4.24
 standby 1 name Vlan4


Sw2:
interface Vlan4
 standby 1 ip 10.4.4.24
 standby 1 priority 255
 standby 1 preempt delay minimum 60
 standby 1 name Vlan4
 standby 1 track FastEthernet0/1
interface Vlan3
 standby ip 10.3.3.24
 standby name Vlan3


Day 2

OSPF

OSPF is a Link State routing protocol that uses Dijkstra's shortest path first (SPF) algorithm. OSPF is an open standard (following RFC 1253) and is often used in multi-vendor environments. Several of OSPF's advantages include fast convergence, classless routing, VLSM support, authentication support, support for much larger inter-networks, the use of areas to minimize routing protocol traffic, and a hierarchical design.

Other OSPF Features

• Equal cost load balancing

• Multicast routing updates

• Route tagging for tagging of external routing information

• Classless behavior, which allows the use of discontiguous networks

OSPF Network Types

• Intra-area: Traffic passed between routers within a single area.

• Inter-area: Traffic passed between routers in different areas.

• External: Traffic passed between an OSPF router and a router in another autonomous system.

 - Type 2 Externals use a cost defined at redistribution (default)

 - Type 1 Externals calculate the actual cost with OSPF

Networks can be added to OSPF in three different methods:

1. Network command: network 1.1.1.0 0.0.0.255 area 0

2. Redistribute connected

3. Under the interface: ip ospf 1 area 2

RID

The OSPF router ID (RID) identifies an OSPF neighbor. It consists of a dotted decimal 32-bit identifier but does not have to be a routable IP address.

The value 223.255.255.255 is the highest possible router ID. Statically setting the Router ID is preferred to allowing the router to choose the ID. If a RID is not configured, then the router will do the following after an OSPF process is first started, cleared or the router is rebooted:

• Uses the highest IP address of all configured loopbacks
• If no loopback is present, it uses the highest IP address of an interface

If interfaces are added later, the router could choose a different RID after a reboot. Since the RID is used for virtual-link commands, DR election, and must be the same as a BGP RID when synchronization is enabled, it is recommended to manually control the RID.


the branch office need not know about all the routes to every other office; instead it could use a default route to the central office and get to other places from there. Hence the memory requirements of the leaf node routers is reduced, and so is the size of the OSPF database. To define an area as a stub area, use the OSPF router configuration command area <area id> stub

Totally Stub Areas: These areas do not allow routes other than intra-area and the default routes to be propagated within the area. The ABR injects a default route into the area, and all the routers belonging to this area use the default route to send any traffic outside the area. To define a totally stub area, use the OSPF router configuration command area <area id> stub no-summary on the ABR.

NSSA: This type of area allows the flexibility of importing a few external routes into the area while still trying to retain the stub characteristic. Assume that one of the routers in the stub area is connected to an external AS running a different routing protocol; it now becomes the ASBR, and hence the area can no more be called a stub area. However, if the area is configured as a NSSA, then the ASBR generates a NSSA external link-state advertisement (LSA) (Type-7), which can be flooded throughout the NSSA area. These Type-7 LSAs are converted into Type-5 LSAs at the NSSA ABR and flooded throughout the OSPF domain. External network LSAs (type 5) redistributed from other routing protocols into OSPF are not permitted to flood into a stub area. To define a NSSA, use the OSPF router configuration command area <area id> nssa

If you desire to allow a 0.0.0.0 into the NSSA area in addition to the Type 3/4 summaries, then configure area <area id> nssa default-information-originate

Totally NSSA: This area still can send the Type 7 LSAs to the ABR but only receives a 0.0.0.0 default route from the ABR. To configure a Totally NSSA, configure area <area id> nssa no-summary

Summaries

There are two methods for summarizing networks on OSPF:

 - Area range: used to summarize between OSPF areas. Always done on an ABR
   • area 2 range 20"&&0&0 2&2&2&0

 - Summary-address: used to summarize external routes redistributed into OSPF. Always done on an ASBR
   • summary-address 20"&&0&0 2&2&2&0

Summaries will inject a NULL0 route into the routing table. If you are required to remove the NULL0, the following commands can be entered for the OSPF process.

• no discard-route internal - used with area range
• no discard-route external - used with summary-address

OSPF Metrics

Every routing protocol has a metric used to prefer one route over the other. For OSPF the metric that is used is cost. With OSPF, the cost is a number that is inversely proportional to the bandwidth of the link. In other words, the higher the cost, the LESS the link is preferred. The lower the cost, the MORE the link is preferred. By default OSPF load balances on up to four equal cost paths. The formula that OSPF uses to calculate the cost of a link is:

Cost = 100000000 / bandwidth of the link

Or


For example, to set the hello to 250ms:

ip ospf dead-interval minimal hello-multiplier 4

Virtual Links

Virtual links are used to connect a discontiguous OSPF area 0 together without using a GRE tunnel. VLs should be avoided in the real world. For lab purposes they are used to connect an area to the backbone through another area, extension of area 0.

In order to configure a VL, use the router-id, so be careful of what number is being used as the ID. If authentication is configured on area 0, it must also be configured on the virtual link and the far side router. OSPF authentication will be covered in Volume II.

The following is an example of configuring one side of a virtual link.

r1lab(config)# router ospf 1

r1lab(config-router)# area 1 virtual-link 2.2.2.2

It is important to note that a VL cannot traverse over a stub area, and if you are required to traverse a VL instead of another connected router with area 0 connectivity, you must negate capability transit on the other router.


OSPF LAB

Scenario

Now that we have successfully configured and tested EIGRP for Turn-key Inc. we can move on to OSPF. Turn-key would like us to keep EIGRP configured but disabled on the routers in case we need to roll back. Their desire is for us to enable the same networks in OSPF and for those networks to be seen as OSPF routes in the routing tables. Turn-key believes in hierarchical designs, so we must build a hierarchy into the OSPF design. The OSPF must support the Leased Ethernet and Frame Relay networks concurrently and act as a back up if either were to fail. Again, Turn-key's desire is to use the Leased Ethernet to reach the Branch Office from the Data Centers.

The following diagram includes the design for the OSPF topology and Area types:

OSPF Topology


OSPF Tasks

Task 1 (Basic OSPF): Add the following loopbacks:

R1: Lo1 IP address 10.10.10.1 255.255.255.0
R2: Lo1 IP address 10.12.12.1 255.255.255.0
R3: Lo1 IP address 10.13.13.2 255.255.255.0

Add the loopbacks and existing networks into OSPF (for the loopbacks use any areas of your choice), but you can not use redistribute connected or network commands from within the OSPF process. Create RIDs that are not currently being routed and use network commands to add networks for the switches at the branch site.

On R7 add the even addresses and on R8 add the odd. This time you must use redistribute connected for the loopback IPs, but make sure the PPP network is not added. You can use network commands for the S0/0/0.1. Configure Areas based on the above diagram.

Task 2 (Default Route): Add a new loopback to R7 (208.1.1.1/32) and R8 (208.1.2.2/32) and make sure these networks are not redistributed into OSPF from connected. Configure R7 and R8 to be available as default routes using per router costs to reach them in OSPF from R3 and R2. Make sure your routers can ping 208.1.1.1/32 and 208.1.2.2/32 and there is no specific routing table entry for either. Redistribute RIP and OSPF at R8 and only allow 208.1.1.1 and 208.1.2.2 to be exchanged between RIP and OSPF.

Task 3 (Redundancy): Ensure that if there were any failures to AREA 0 the rest of the OSPF topology would be operational. The configuration of GRE tunnels is not an acceptable workaround.

Task 4 (Summaries): Summarize the 10.0.0.0 networks in the branch site to the smallest bit boundaries and advertise them to the other sites not at the branch office. Do not allow any null routes in the routing tables or /32 advertised to any neighbors. Leave the three new loopbacks with a /24 subnet in the routing tables; do not try to summarize them with the branch site.

Task 5 (NBMA): Make sure OSPF is NBMA on the Hub and Spoke and that the hello timer is 250 msec for those interfaces. The hello timer command can not be used to accomplish this.

Task 6 (Testing): Ping test connectivity from R1 to every network.


OSPF Answers

Task 1 (Basic OSPF):

Deactivating RIPv2 on all routers except R7 and R8

router rip
 version 2
 network 10.0.0.0
 distance 255
 no auto-summary

Sw1:
interface Vlan8
 description vlan8_sw1tosw3
 ip address 10.8.8.1 255.255.255.252
 ip ospf priority 2 (Needed to force DR election)
 ip ospf mtu-ignore (MTU mismatch)

router ospf 1
 router-id 1.1.1.10 (Manually set the RIDs to avoid problems later)
 log-adjacency-changes
 no discard-route internal
 area 0 range 10.0.0.0 255.0.0.0
 area 2 virtual-link 1.1.1.1
 area 4 virtual-link 1.1.1.20
 area 4 virtual-link 1.1.1.40
 network 10.3.3.1 0.0.0.0 area 4
 network 10.4.4.1 0.0.0.0 area 4
 network 10.5.5.1 0.0.0.0 area 4
 network 10.6.6.1 0.0.0.0 area 2
 network 10.7.7.1 0.0.0.0 area 1
 network 10.8.8.1 0.0.0.0 area 4
 network 192.168.10.1 0.0.0.0 area 0

Sw2:
router ospf 1
 router-id 1.1.1.20
 log-adjacency-changes
 no discard-route internal
 area 1 virtual-link 1.1.1.1
 area 4 range 10.0.0.0 255.0.0.0
 area 4 virtual-link 1.1.1.10
 area 4 virtual-link 1.1.1.30
 area 4 virtual-link 1.1.1.40
 network 10.3.3.2 0.0.0.0 area 4
 network 10.4.4.2 0.0.0.0 area 4
 network 10.5.5.2 0.0.0.0 area 4
 network 10.7.7.1 0.0.0.0 area 1
 network 10.11.11.1 0.0.0.0 area 4

Sw3:
interface Vlan9
 description vlan9_sw3tosw4
 ip address 10.9.9.1 255.255.255.252
 ip ospf mtu-ignore (mismatched MTU)

router ospf 1
 router-id 1.1.1.30
 log-adjacency-changes
 area 4 virtual-link 1.1.1.20
 network 10.8.8.2 0.0.0.0 area 4
 network 10.9.9.1 0.0.0.0 area 4


Sw4:
interface Vlan9
 description vlan9_sw3tosw4
 ip address 10.9.9.2 255.255.255.252
 ip ospf mtu-ignore

router ospf 1
 router-id 1.1.1.40
 log-adjacency-changes
 area 4 range 10.0.0.0 255.0.0.0
 area 4 virtual-link 1.1.1.20
 area 4 virtual-link 1.1.1.10
 network 10.0.0.0 0.255.255.255 area 4

R1:
interface Loopback1
 ip address 10.10.10.1 255.255.255.0
 ip ospf network point-to-point (removes /32)
 ip ospf 1 area 2 (Alternative to using the network command)

interface FastEthernet0/0
 description vlan6_sw1tor1
 ip address 10.6.6.2 255.255.255.252
 ip ospf 1 area 2
 duplex auto
 speed auto

interface FastEthernet0/1
 description vlan7_sw2tor1
 ip address 10.7.7.2 255.255.255.252
 ip ospf 1 area 1
 duplex auto
 speed auto

interface Serial0/0/0
 description MESH_to_R2_R3
 ip address 172.16.1.1 255.255.255.0
 encapsulation frame-relay
 ip ospf 1 area 0
 no frame-relay inverse-arp IP 104
 no frame-relay inverse-arp IP 105
 no frame-relay inverse-arp IP 106
 no frame-relay inverse-arp IP 107
 no frame-relay inverse-arp IP 108
 no frame-relay inverse-arp IP 109
 no frame-relay inverse-arp IP 110
 frame-relay lmi-type ansi

router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes
 area 0 range 10.0.0.0 255.0.0.0
 area 1 virtual-link 1.1.1.20
 area 2 virtual-link 1.1.1.10

R2:
interface Loopback1
 ip address 10.12.12.1 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 6

interface FastEthernet0/0
 description vlan10_Leased
 ip address 192.168.10.2 255.255.255.0
 ip ospf 1 area 0


 duplex auto
 speed auto

interface Serial0/0/0.1 multipoint
 description MESH_to_R1_R3
 ip address 172.16.1.2 255.255.255.0
 ip ospf 1 area 0
 frame-relay map ip 172.16.1.3 203 broadcast (Mesh PVCs to R3 and R1)
 frame-relay map ip 172.16.1.1 201 broadcast
 no frame-relay inverse-arp

interface Serial0/0/0.2 point-to-point
 description P2P-to-BB1
 ip address 172.16.2.2 255.255.255.0
 ip ospf 1 area 7
 frame-relay interface-dlci 20

interface Serial0/0/0.3 point-to-point
 ip address 172.16.5.2 255.255.255.0
 ip rip triggered
 ip rip authentication mode md5
 ip rip authentication key-chain cisco
 ip ospf 1 area 6
 frame-relay interface-dlci 207

router ospf 1
 router-id 1.1.1.2
 log-adjacency-changes
 area 6 nssa no-summary
 redistribute static metric-type 1 subnets
 default-information originate metric-type 1
 distribute-list prefix area0 in

R3:
interface Loopback1
 ip address 10.13.13.1 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 3

interface FastEthernet0/0
 description vlan10_Leased
 ip address 192.168.10.3 255.255.255.0
 ip ospf 1 area 0
 duplex auto
 speed auto

interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto

interface Serial0/0/0
 no ip address
 encapsulation frame-relay
 frame-relay lmi-type ansi

interface Serial0/0/0.1 multipoint
 description MESH_to_R1_R2
 ip address 172.16.1.3 255.255.255.0
 ip ospf 1 area 0
 frame-relay map ip 172.16.1.1 301 broadcast
 frame-relay map ip 172.16.1.2 302 broadcast
 no frame-relay inverse-arp

interface Serial0/0/0.2 multipoint
 description Hub-and-spoke-R5-R6
 ip address 172.16.3.3 255.255.255.0
 no ip split-horizon
 ip ospf dead-interval minimal hello-multiplier 4


 ip ospf 1 area 3
 frame-relay map ip 172.16.3.3 305
 frame-relay map ip 172.16.3.5 305 broadcast
 frame-relay map ip 172.16.3.6 306 broadcast
 no frame-relay inverse-arp

interface Serial0/0/0.3 point-to-point
 description P2P-to-R6
 ip address 172.16.6.3 255.255.255.0
 ip rip triggered
 ip rip authentication mode md5
 ip rip authentication key-chain cisco
 ip ospf 1 area
 frame-relay interface-dlci 308

router ospf 1
 router-id 1.1.1.3
 log-adjacency-changes
 area 0 range 10.0.0.0 255.0.0.0
 area 3 stub
 area nssa
 redistribute static metric-type 1 subnets
 neighbor 172.16.3.5
 neighbor 172.16.3.6
 default-information originate metric-type 1
 distribute-list prefix area0 in

R5:
interface FastEthernet0/0
 description vlan10_Leased
 ip address 192.168.10.5 255.255.255.0
 ip ospf 1 area 0
 duplex auto
 speed auto

interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto

interface Serial0/0/0
 description Hub-and-spoke-to-R3-R6
 ip address 172.16.3.5 255.255.255.0
 encapsulation frame-relay
 ip ospf dead-interval minimal hello-multiplier 4
 ip ospf 1 area 3
 frame-relay map ip 172.16.3.3 503 broadcast
 frame-relay map ip 172.16.3.5 503 broadcast
 frame-relay map ip 172.16.3.6 503 broadcast
 no frame-relay inverse-arp
 frame-relay lmi-type ansi

interface Serial0/0/1
 no ip address
 clock rate 2000000

router ospf 1
 router-id 1.1.1.5
 log-adjacency-changes
 area 3 stub
 neighbor 172.16.3.3 priority 100
 distribute-list prefix area0 in

R8:
interface Loopback0
 ip address 131.0.2.1 255.255.255.0 secondary
 ip address 131.0.3.1 255.255.255.0 secondary


 ip address 131.0.4.1 255.255.255.0 secondary
 ip address 131.0.5.1 255.255.255.0 secondary
 ip address 131.0.6.1 255.255.255.0 secondary
 ip address 131.0.1.1 255.255.255.0
 ip rip advertise 20

interface Loopback2
 ip address 208.1.1.2 255.255.255.255
 ip rip advertise 20

interface Serial0/0/0.1 point-to-point
 description P2P-to-R3
 ip address 172.16.6.8 255.255.255.0
 ip rip triggered
 ip rip advertise 20
 ip rip authentication mode md5
 ip rip authentication key-chain cisco
 frame-relay interface-dlci 803

interface Serial0/0/1
 description PPP-to-R7
 ip address 172.16.4.8 255.255.255.0
 ip rip advertise 20
 encapsulation ppp
 ppp authentication chap

router ospf 1
 router-id 1.1.1.8
 log-adjacency-changes
 area nssa
 redistribute connected metric-type 1 subnets route-map ospf
 redistribute rip subnets route-map redist
 network 172.16.6.8 0.0.0.0 area

router rip
 version 2
 timers basic 20 40 0 120
 redistribute ospf 1 metric 1 route-map ospf2rip
 passive-interface default
 no passive-interface Serial0/0/1
 network 172.16.0.0
 network 0.0.0.0
 neighbor 172.16.6.3
 no auto-summary

To view the basic OSPF configurations for R7, R6, and BB1 refer to answers provided in the thumb drive

Task 2 (Default Route): Add a new loopback to R7 (208.1.1.1/32) and R8 (208.1.1.2/32) and make sure these networks are not redistributed into OSPF.

R7:
interface Loopback2
 ip address 208.1.1.1 255.255.255.255

router ospf 1
 redistribute connected metric-type 1 subnets route-map ospf

ip access-list standard ospfevens (This access-list does not permit 208.1.1.1)
 permit 130.0.0.0 0.0.254.255

route-map ospf permit 10
 match ip address ospfevens

R8: same configuration on R8 except:

ip access-list standard ospfodd (This access-list does not permit 208.1.1.2)
 permit 131.0.1.0 0.0.254.255

Configure R7 and R8 to be available as default routes using per router costs to reach them in OSPF from R3 and R2. Make sure your routers can ping 208.1.1.1/32 and 208.1.1.2/32 and there is no specific routing table entry for either.

R2:
 redistribute static metric-type 1 subnets (Redistributes the static route into OSPF as E1)
 default-information originate metric-type 1 (Sends the 0.0.0.0 to the other OSPF routers with a 1)

ip route 0.0.0.0 0.0.0.0 172.16.5.7 (The gateway of last resort is R7)

R3:
router ospf 1
 redistribute static metric-type 1 subnets
 default-information originate metric-type 1

ip route 0.0.0.0 0.0.0.0 172.16.6.8

Task 3 (Redundancy): Since AREA 0 has several points of failure in this topology it is important to configure virtual links on routers that could potentially become Areas separated from Area 0. The best way to determine where to place the virtual links is to draw out the failure scenarios from the OSPF topology. The following VLs were configured for this lab:

SW1
router ospf 1
 router-id 1.1.1.10
 area 2 virtual-link 1.1.1.1 (to R1)
 area 4 virtual-link 1.1.1.20 (to Sw2)
 area 4 virtual-link 1.1.1.40 (to Sw4)

SW2
 router-id 1.1.1.20
 area 1 virtual-link 1.1.1.1 (to R1)
 area 4 virtual-link 1.1.1.10 (to Sw1)
 area 4 virtual-link 1.1.1.30 (to Sw3)
 area 4 virtual-link 1.1.1.40 (to Sw4)

SW4
 area 4 virtual-link 1.1.1.20 (to Sw2)
 area 4 virtual-link 1.1.1.10 (to Sw1)

R1
 area 1 virtual-link 1.1.1.20 (to Sw2)
 area 2 virtual-link 1.1.1.10 (to Sw1)

Sw3
 area 4 virtual-link 1.1.1.20 (to sw2)


Task 4 (Summaries): Summarize the 10.0.0.0 networks in the branch site to the smallest bit boundaries and do not allow any null routes in the routing tables or /32 advertised to any neighbors. Leave the three new loopbacks with a /24

Area range is used to summarize the 10.0.0.0 networks from the switches. The following sites were configured with the area range commands and no discard-route internal to remove the null0 entry from the routing table:

Sw4:
router ospf 1
 no discard-route internal
 area 4 range 10.0.0.0 255.0.0.0

Sw2:
router ospf 1
 no discard-route internal
 area 4 range 10.0.0.0 255.0.0.0

Sw1:
router ospf 1
 no discard-route internal
 area 0 range 10.0.0.0 255.0.0.0

On all of the routers external to the branch site a distribute list in was needed to filter out the more specific (longer mask) prefixes.

R2, R3, R5, R6 and BB1

router ospf 1
 distribute-list prefix area0 in

ip prefix-list area0 seq 1 permit 10.0.0.0/8
ip prefix-list area0 seq 2 permit 0.0.0.0/32
ip prefix-list area0 seq 3 permit 172.16.0.0/16 le 32
ip prefix-list area0 seq 4 permit 130.0.2.0/24
ip prefix-list area0 seq 5 permit 130.0.4.0/24
ip prefix-list area0 seq 6 permit 130.0.6.0/24
ip prefix-list area0 seq 7 permit 130.0.8.0/24
ip prefix-list area0 seq 8 permit 131.0.1.0/24
ip prefix-list area0 seq 9 permit 131.0.3.0/24
ip prefix-list area0 seq 10 permit 131.0.5.0/24
ip prefix-list area0 seq 11 permit 131.0.7.0/24
ip prefix-list area0 seq 12 permit 10.10.10.0/24
ip prefix-list area0 seq 13 permit 10.11.11.0/24
ip prefix-list area0 seq 14 permit 10.12.12.0/24
ip prefix-list area0 seq 15 permit 10.13.13.0/24

Show IP route on R2:

Gateway of last resort is 172.16.5.7 to network 0.0.0.0

 192.168.10.0/24 is directly connected, FastEthernet0/0
 172.16.0.0/24 is subnetted, subnets
 172.16.5.0 is directly connected, Serial0/0/0.3


CCBOOTCAMP RS Advanced Labs

Day :

BGP

BGP version 4 is a path vector routing protocol used to exchange routing information between autonomous systems and can be considered the routing protocol of the Internet. BGP is used to exchange routing information for the Internet and is the protocol used between Internet service providers (ISPs). BGP carries information as a sequence of AS numbers, which indicate the autonomous systems that must be used to get to a destination network. BGP is defined in RFCs 1163, 1267 and 1771. BGP is considered an Exterior Gateway Protocol (EGP) (not to be confused with the obsolete routing protocol also called "EGP"). BGP is designed to prevent loops from forming between systems.

There are both internal and external BGP (IBGP and EBGP) configurations. Organizational networks such as universities and corporations usually employ an Interior Gateway Protocol (IGP) such as RIP or OSPF for the exchange of routing information within their networks. These networks connect to ISPs, and ISPs use BGP to exchange customer and ISP routes. When BGP is used between autonomous systems (AS) the protocol is referred to as External BGP (EBGP). If a service provider is using BGP to exchange routes within an AS then the protocol is referred to as Interior BGP (IBGP).

BGP neighbors are defined in the configuration, not by their physical location in the network. Even if two routers are physically connected they are not necessarily neighbors unless they form a TCP connection, which is configured by the network engineer.

BGP's effective use of classless inter-domain routing (CIDR) has been a major factor in slowing the explosive growth of the Internet routing table. CIDR doesn't rely on classes of IP networks such as Class A, B and C. In CIDR a prefix and a mask such as 197.32.0.0/14 represent a network. This would normally be considered an illegal Class C network but CIDR handles it just fine. A network is called a super-net when the prefix boundary contains fewer bits than the network's natural mask.

Operation

Synchronization/Full Mesh

In order to avoid routing loops inside an AS, BGP doesn't advertise to internal BGP (IBGP) peers routes that are learned via other IBGP peers. Therefore one must maintain full IBGP mesh within an AS or utilize other techniques such as route reflectors. BGP routing information must be in sync with the Interior Gateway Protocol (IGP) such as OSPF before advertising transit routes to other ASs. This behavior can be turned off using the Cisco IOS command no sync. However this isn't recommended unless all the routers in your BGP AS are running BGP and are fully meshed or the AS in question isn't a transit AS. The careless use of the no sync command could cause non-BGP routers within an autonomous system to receive traffic for destinations that they don't have a route for. With synchronization enabled BGP waits until the IGP has propagated routing information across the autonomous system before advertising transit routes to other ASs. By default synchronization is enabled on all BGP routers.

Things to watch out for when synchronization is turned on:

• OSPF and BGP must have the same RID

• The mask lengths must be the same for IGP and BGP

• BGP only redistributes OSPF internals by default

Next-Hop-Self Command

In a non-meshed environment such as confederations or route reflectors, where you know that a path exists from the current router to a specific address, the BGP router command neighbor {ip-address | peer-group-name} next-hop-self can be used to disable next-hop processing. This will cause the current router to advertise itself as the next hop for the specified neighbor, simplifying the network. Other BGP neighbors will then forward packets for that destination to the current router. This would not be useful in a fully meshed environment since it will result in unnecessary extra hops where there may be a more direct path.

Private AS numbers

AS numbers from 64512-65535 are private AS numbers. These numbers are very similar in fashion to the RFC 1918 IP addresses of 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. These AS numbers aren't used anywhere in the Core BGP route tables. They are used to keep the AS number requirement down. Smaller BGP users will often use Private AS numbers and then have them translated to public AS numbers by routers upstream toward the core of the Internet. Many of the larger ISPs may have multiple public AS numbers. Smaller ISPs will usually only have one public AS number.

There is a manual method of confederations that must strip the private AS information in order to prevent those Autonomous systems from leaking into the Internet.

neighbor 1.1.1.1 remove-private-as

State

Neighbors in BGP must go through the following states in order to form an adjacency:

• Idle

• Connect

o Active resets the retry timer, kicks back to idle

• Open send, version must be 4

• Open confirm

• Established

If there are issues the routers may cycle from Active back to Connect. Some of the issues that prevent BGP routers from becoming neighbors are:

• Incorrect IP address

• Incorrect AS number

• No route to source address

• TTL too low

Attributes

BGP metrics are called path attributes and are categorized into well-known and optional. Well-known attributes must be recognized by all compliant implementations and vendors, whereas optional attributes are only recognized by some implementations (could be private, expected not to be recognized by everyone).

Well-known attributes are divided into mandatory and discretionary. The well-known mandatory attributes must be present in all update messages. The following attributes must be in every BGP update:

• AS-path: A list of the Autonomous Systems (AS) numbers that a route passes through to reach the destination. As the update passes through an AS the AS number is inserted at the beginning of the list. The AS-path attribute has a reverse-order list of AS passed through to get to the destination.

• Next-hop: The next-hop address that is used to reach the destination.

• Origin: Indicates how BGP learned a particular route. There are three possible types -- IGP (route is internal to the AS), EGP (learned via EBGP) or Incomplete (origin unknown or learned in a different way).

Well-known discretionary attributes are optional - they could be present in update messages or not. All well-known attributes are propagated to other BGP neighbors. However optional BGP attributes are transitive or non-transitive:

• Optional transitive attributes

o Aggregator: Specifies the router ID and AS of the router that originated an aggregate prefix. Used in conjunction with the atomic aggregate attribute.

o Community: Used to group routes that share common properties so that policies can be applied at the group level.

• Optional non-transitive attributes

o Multi-exit-discriminator (MED): Indicates the preferred path into an AS to external neighbors when multiple paths exist.

• Recognized optional attributes are propagated to other neighbors based on their meaning (not constrained by transitive bit)

Configuring Attributes

Weight

The weight attribute is a Cisco-defined attribute used for the path selection process. The weight is configured locally to a router and is not propagated to any other routers.

neighbor 1.1.1.1 weight 100

The higher the number the more preferred.

Origin

The origin attribute indicates how BGP learned about a particular route. The origin attribute can have one of three possible values:

• IGP - The route is interior to the originating AS. This value is set when the network router configuration command is used to inject the route into BGP. [0] i

• EGP - The route is learned via the Exterior Border Gateway Protocol (EGP). [1] e

• Incomplete - The origin of the route is unknown or learned in some other way. An origin of incomplete occurs when a route is redistributed into BGP. [?]

You can issue the sh ip bgp command to view the origin.

AS-Path

The AS-path attribute is empty when a local route is first inserted in the BGP table. The sender's AS number is prepended to the AS-path attribute when the routing update crosses the AS boundary. A BGP receiver of BGP routing information can use the AS-path to determine through which AS the information has passed. Therefore an AS that receives routing information with its own AS number in the AS-path silently ignores the information.

Prepend as-path can be used as a metric to make a path appear less optimal.

route-map prepend permit 10
 match ip address 1
 set as-path prepend 100 100 100

Next Hop

The Next-hop attribute indicates the next-hop IP address used for packet forwarding and is usually set to the IP address of the sending BGP router.

Multi-exit discriminator (MED)

The multi-exit discriminator (MED) or metric attribute is used as a suggestion to an external AS regarding the preferred route into the AS that is advertising the metric.

The MED only works from a directly connected AS. It is not transitive, so it has to be configured on every AS in the path. The default MED is 0, which is more preferable if another router within the AS does not enable a MED value. The lower the value the more preferred. A route map is sent with the neighbor command:

neighbor 1.1.1.1 route-map med out

route-map med permit 10
 set metric 200

Local Preference

The local preference attribute is used to prefer an exit point from the local autonomous system (AS). Unlike the weight attribute, the local preference attribute is propagated throughout the local AS. If there are multiple exit points from the AS, the local preference attribute is used to select the exit point for a specific route. The default Local Preference is 100. The higher the value, the more preferred.

route-map local permit 10
 set local-preference 200

Communities

The community attribute has multiple options and will be explained in detail in Volume II.

AS Path Filtering

Several scenarios require BGP route filtering based on AS-path. AS paths are filtered using an AS-path access filter and regular expressions.

The following are examples of regular expressions that are used in AS-path filters:

_100_ Going through AS 100

^100$ Directly connected to AS 100

_100$ Originated in AS 100

^100_.* networks behind AS 100

^[0-9]+$ AS paths one AS long

^$ networks originated in local AS

.* matches everything

ip as-path access-list permit .*

neighbor 1.1.1.1 filter-list out
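The AS-path expressions listed above can be checked offline before they go into a filter-list. The following is an added example, not part of the original workbook: it translates the IOS "_" delimiter into a Python regex and evaluates an as-path access-list with its implicit deny. The sample AS paths, the PRIVATE_AS expression (built for the 64512-65535 private range described earlier) and the NO_PRIVATE_AS list are constructed for illustration.

```python
import re

# IOS treats "_" in an AS-path regex as any delimiter: start of string,
# end of string, space, comma, brace or parenthesis.
DELIM = r"(?:^|$|[ ,{}()])"

# The seven expressions listed in the text.
PAGE_PATTERNS = ["_100_", "^100$", "_100$", "^100_.*", "^[0-9]+$", "^$", ".*"]

# Constructed sample AS paths; "" is a locally originated route.
SAMPLE_PATHS = ["", "100", "100 200", "200 100", "300 100 200",
                "1001 200", "65001"]

# Constructed expression (not from the text): any AS number in the
# private range 64512-65535.
PRIVATE_AS = (r"_(6451[2-9]|645[2-9][0-9]|64[6-9][0-9]{2}|65[0-4][0-9]{2}"
              r"|655[0-2][0-9]|6553[0-5])_")

# Constructed as-path access-list: drop any path that carries a private
# AS number, permit everything else.
NO_PRIVATE_AS = [("deny", PRIVATE_AS), ("permit", ".*")]


def to_python(pattern):
    """Translate an IOS AS-path regex into a compiled Python regex."""
    return re.compile(pattern.replace("_", DELIM))


def matches(pattern, as_path):
    """True when the space-separated AS path matches the IOS expression."""
    return to_python(pattern).search(as_path) is not None


def matching_paths(pattern, paths=SAMPLE_PATHS):
    """Return the sample paths that an expression selects."""
    return [p for p in paths if matches(pattern, p)]


def acl_permits(entries, as_path):
    """Evaluate an ordered access-list: first match wins, implicit deny."""
    for action, pattern in entries:
        if matches(pattern, as_path):
            return action == "permit"
    return False


if __name__ == "__main__":
    for pat in PAGE_PATTERNS:
        print(f"{pat:10} -> {matching_paths(pat)}")
    for path in ["200 300", "200 64512 300", "165535 200"]:
        print(f"{path!r:18} permitted: {acl_permits(NO_PRIVATE_AS, path)}")
```

Note that "1001 200" is not selected by _100_, because the delimiter must appear on both sides of the AS number.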

Order of Preference

1. If the path specifies a next hop that is inaccessible, drop the update.
2. Prefer the path with the largest weight.
3. If the weights are the same, prefer the path with the largest local preference.
4. If the local preferences are the same, prefer the path that was originated by BGP running on this router.
5. If no route was originated, prefer the route that has the shortest AS_path.
6. If all paths have the same AS_path length, prefer the path with the lowest origin type (where IGP is lower than EGP, and EGP is lower than incomplete).
7. If the origin codes are the same, prefer the path with the lowest MED attribute.
8. If the paths have the same MED, prefer the external path over the internal path.
9. If the paths are still the same, prefer the path through the closest IGP neighbor.
10. Prefer the path with the lowest IP address, as specified by the BGP router ID.
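The ten steps above can be run as a tie-break chain. The following Python code is an added example, not part of the workbook: it applies the steps in the listed order and reports which step made the decision, then uses it on the MED lab case, where a prepend is needed so that AS-path length (step 5) ties and MED (step 7) can decide. The class, field and function names are hypothetical, and MED is compared between all paths exactly as the list states (IOS by default compares MED only between paths from the same neighboring AS).

```python
from dataclasses import dataclass
from ipaddress import ip_address

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}


@dataclass
class Path:
    name: str
    as_path: list
    next_hop_reachable: bool = True
    weight: int = 0
    local_pref: int = 100
    locally_originated: bool = False
    origin: str = "igp"
    med: int = 0
    external: bool = True
    igp_metric: int = 0
    router_id: str = "0.0.0.0"


# (step number from the list above, key function); the lowest key wins,
# so "largest is preferred" attributes are negated.
STEPS = [
    (2, lambda p: -p.weight),
    (3, lambda p: -p.local_pref),
    (4, lambda p: 0 if p.locally_originated else 1),
    (5, lambda p: len(p.as_path)),
    (6, lambda p: ORIGIN_RANK[p.origin]),
    (7, lambda p: p.med),
    (8, lambda p: 0 if p.external else 1),
    (9, lambda p: p.igp_metric),
    (10, lambda p: int(ip_address(p.router_id))),
]


def best_path(paths):
    """Return (winning path, number of the step that decided)."""
    # Step 1: a path whose next hop is inaccessible is dropped.
    candidates = [p for p in paths if p.next_hop_reachable]
    if not candidates:
        return None, 1
    if len(candidates) == 1:
        return candidates[0], 1
    for step, key in STEPS:
        best = min(key(p) for p in candidates)
        candidates = [p for p in candidates if key(p) == best]
        if len(candidates) == 1:
            return candidates[0], step
    return candidates[0], 10


def med_lab_paths(prepend):
    """Constructed sample: two paths to 209.0.0.0/9 as seen inside AS 3.

    R7 (AS 1) originates the prefix and advertises it with MED 200;
    R8 (AS 2) re-advertises it with MED 10. With prepend=True, R7 adds
    its own AS once, as the MED lab answer does.
    """
    via_r7 = Path("via R7", as_path=[1, 1] if prepend else [1],
                  med=200, external=True, router_id="1.1.1.7")
    via_r8 = Path("via R8", as_path=[2, 1],
                  med=10, external=False, router_id="1.1.1.8")
    return [via_r7, via_r8]


if __name__ == "__main__":
    for prepend in (False, True):
        winner, step = best_path(med_lab_paths(prepend))
        print(f"prepend={prepend}: {winner.name} wins at step {step}")
```

Without the prepend the shorter AS path through R7 wins at step 5 and the MED values are never compared.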

Aggregation

Specify the aggregation range in the BGP routing process that you would like to summarize. The aggregate will be announced if there is at least one network in the specified range in the BGP table. Individual networks will still be announced in outgoing BGP updates, so another option must be enabled to suppress the longer masks.

router bgp 1
 aggregate-address 172.16.0.0 255.255.0.0

If you want to remove the longer masks, add the summary-only keyword.

router bgp 1
 aggregate-address 172.16.0.0 255.255.0.0 summary-only

If you would like to protect against loops, add as-set to prevent your own AS from returning.

router bgp 1
 aggregate-address 172.16.0.0 255.255.0.0 as-set summary-only

Other options that can be enabled are:

• Attribute maps are used to configure the attributes of the aggregate route, since the attributes of the original routes are used by default when summarized.

• Advertise maps allow the aggregate to inherit the attributes from the specific networks identified in the advertise map. It is important to note that the attribute map overrides the advertise map.

• Suppress maps: this command overrides the summary-only keyword and suppresses only the routes configured in the suppress map.

• Un-suppress maps selectively un-suppress networks suppressed in a suppress-map.

• Inject maps are used to inject more specific routes into BGP based on the existence of an aggregated route, or to originate a default route based on the existence of a certain route.


BGP LAB

Scenario

Turn-key and the two ISP providers have agreed to peer with BGP and to exchange routes.

Turn-key has decided to use EIGRP as the IGP and will connect to the ISP with a new OSPF process between the eBGP peers.

AS Topology (diagram)


BGP Tasks

Task 1 (Basic BGP): Configure R7 to be in AS 1 and R8 in AS 2. Configure a static route on R2 and R7 to each other's Lo3 address. Also configure Lo4 but do not add static routes for the networks. Disable EIGRP 100 with distance and passive-interface default commands on R7 and R8 only.

R2:
Lo3
 ip address 150.1.1.2/24
Lo4
 ip address 150.2.2.1/24
 ip address 151.2.2.1/24 secondary
 ip address 152.2.2.1/24 secondary

R7:
Lo3
 ip address 150.2.3.7/24
Lo4
 ip address 209.0.0.1/17
 ip address 220.0.0.1/17 secondary

Configure static routes between R3 and R8 for Lo3 and add the Lo0 networks without static routes.

R3:
Lo3
 ip address 150.3.3.2/24
Lo4
 ip address 14.3.3.1/24
 ip address 151.3.3.1/24 secondary
 ip address 152.3.3.1/24 secondary

R8:
Lo3
 ip address 150.8.8.8/24
Lo4
 ip address 190.0.0.1/17
 ip address 160.0.0.1/17 secondary

Use the new Lo3 interface on each of these (4) routers to peer BGP as defined in the above AS topology diagram. R7 and R8 can use their PPP interface to peer. Within AS 3, peer all routers as shown in the diagram, and note that the bgp confederation identifier cannot be used on any of the routers. Give each router the same router-id that was used previously for OSPF. If there is an existing loopback on the router, use that as the update source; if not, use the Vlan10 interface when possible. On the connections within AS 65001, make sure you consolidate your commands to reduce the size of the BGP command line configuration.

Task 2 (Networks): Advertise the new loopbacks from R7 and R8 in BGP. Make sure Sw4 can ping them. Advertise the new IP addresses in the new loopbacks of R2 and R3 as well as 192[email protected]0.0 and a summary of the 10.0.0.0 network. Make sure your BGP table in R7 looks like the following:

Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop        Metric LocPrf Weight Path
*  10.0.0.0         150.1.1.2            0             0 3 i
*                   172.16.4.8                         0 2 3 i
*  14.3.3.0/24      150.1.1.2                          0 3 i
*                   172.16.4.8                         0 2 3 i
*  150.2.2.0/24     150.1.1.2            0             0 3 i
*                   172.16.4.8                         0 2 3 i
*  151.2.2.0/24     150.1.1.2            0             0 3 i
*                   172.16.4.8                         0 2 3 i
*  151.3.3.0/24     150.1.1.2                          0 3 i
*                   172.16.4.8                         0 2 3 i
*  152.2.2.0/24     150.1.1.2            0             0 3 i
*                   172.16.4.8                         0 2 3 i
*  152.3.3.0/24     150.1.1.2                          0 3 i
*                   172.16.4.8                         0 2 3 i
*  160.0.0.0/9      150.1.1.2                          0 3 2 i
*                   172.16.4.8           0             0 2 i
*  172.16.0.0       150.1.1.2            0             0 3 i
*                   172.16.4.8                         0 2 3 i
*  190.0.0.0/9      150.1.1.2                          0 3 2 i
*                   172.16.4.8           0             0 2 i
*  209.0.0.0/9      0.0.0.0              0         32768 i
*  220.0.0.0/9      0.0.0.0              0         32768 i

Task 3 (MEDs): Configure MEDs such that AS 3 will prefer R8 to reach 209.0.0.1 and 220.0.0.1, and R7 will be a better path to 190.0.0.1 and 160.0.0.1. Make sure you configure R2 and R3 to prevent AS 65001 from being advertised to R7 or R8. Ping the routes from Sw4 and ensure you can still reach them.

Task 4 (As-filtering): Configure AS 3 so that it cannot be a transit AS between AS 1 and AS 2.


BGP Answers

Task 1 (Basic BGP): Configure R7 to be in AS 1 and R8 in AS 2. Configure a static route on R2 and R7 to each other's Lo3 address. Also configure Lo4 but do not add static routes for the networks. Disable EIGRP 100 on R7 and R8 only. Use the new Lo3 interface on each of these (4) routers to peer BGP as defined in the above AS topology diagram. R7 and R8 can use their PPP interface to peer.

R7:
router bgp 1
 no synchronization
 bgp router-id 1.1.1.7
 bgp log-neighbor-changes
 ! This will peer R7 and R2
 neighbor 150.1.1.2 remote-as 3
 ! This allows the TCP TTL to exceed 1 hop
 neighbor 150.1.1.2 ebgp-multihop 3
 ! This allows R7 to originate BGP TCP 179 connections from the Lo3
 neighbor 150.1.1.2 update-source Loopback3
 neighbor 172.16.4.8 remote-as 2
 no auto-summary
! The static route is used to reach the R2 loopback
ip route 150.1.1.2 255.255.255.255 172.16.5.2

R2:
router bgp 3
 no synchronization
 bgp router-id 1.1.1.2
 bgp log-neighbor-changes
 neighbor 10.13.13.1 remote-as 3
 neighbor 10.13.13.1 update-source Loopback1
 neighbor 150.2.3.7 remote-as 1
 neighbor 150.2.3.7 ebgp-multihop 3
 neighbor 150.2.3.7 update-source Loopback3
 neighbor 192.168.10.1 remote-as 65001
 neighbor 192.168.10.1 ebgp-multihop 2
 neighbor 192.168.10.1 update-source Loopback1
 neighbor 192.168.10.9 remote-as 3
 neighbor 192.168.10.9 update-source Loopback1
 no auto-summary

ip route 150.2.3.7 255.255.255.255 172.16.5.7

R8:
router bgp 2
 no synchronization
 bgp router-id 1.1.1.8
 bgp log-neighbor-changes
 neighbor 150.3.3.2 remote-as 3
 neighbor 150.3.3.2 ebgp-multihop 3
 neighbor 150.3.3.2 update-source Loopback3
 neighbor 172.16.4.7 remote-as 1
 no auto-summary
ip route 150.3.3.2 255.255.255.255 172.16.6.3

R3:
router bgp 3
 no synchronization
 bgp router-id 1.1.1.3
 bgp log-neighbor-changes
 neighbor 10.10.10.1 remote-as 65001
 neighbor 10.10.10.1 ebgp-multihop 3
 neighbor 10.10.10.1 update-source Loopback1
 neighbor 10.12.12.1 remote-as 3
 neighbor 10.12.12.1 update-source Loopback1
 neighbor 150.8.8.8 remote-as 2
 neighbor 150.8.8.8 ebgp-multihop 3
 neighbor 150.8.8.8 update-source Loopback3
 neighbor 192.168.10.5 remote-as 3
 neighbor 192.168.10.5 update-source Loopback1
 neighbor 192.168.10.5 route-reflector-client
 neighbor 192.168.10.6 remote-as 3
 neighbor 192.168.10.6 update-source Loopback1
 neighbor 192.168.10.6 route-reflector-client
 no auto-summary

ip route 150.8.8.8 255.255.255.255 172.16.6.8

Within AS 3, peer all routers as shown in the diagram, and note that the bgp confederation identifier cannot be used on any of the routers. Give each router the same router-id that was used previously for OSPF. If there is an existing loopback on the router, use that as the update source; if not, use the Vlan10 interface when possible. On the connections within AS 65001, make sure you consolidate your commands to reduce the size of the BGP command line configuration.

AS 3

R2:
router bgp 3
 no synchronization
 bgp router-id 1.1.1.2
 bgp log-neighbor-changes
 ! This peers the route reflectors R2 and R3
 neighbor 10.13.13.1 remote-as 3
 neighbor 10.13.13.1 update-source Loopback1
 neighbor 150.2.3.7 remote-as 1
 neighbor 150.2.3.7 ebgp-multihop 3
 neighbor 150.2.3.7 update-source Loopback3
 ! This connects an eBGP manual confederation to Sw1
 neighbor 192.168.10.1 remote-as 65001
 neighbor 192.168.10.1 ebgp-multihop 2
 neighbor 192.168.10.1 update-source Loopback1
 neighbor 192.168.10.9 remote-as 3
 neighbor 192.168.10.9 update-source Loopback1
 ! Configures BB1 as a route reflector client
 neighbor 192.168.10.9 route-reflector-client
 no auto-summary

BB1:
router bgp 3
 no synchronization
 bgp log-neighbor-changes
 neighbor 10.12.12.1 remote-as 3
 neighbor 10.12.12.1 update-source FastEthernet0/0
 no auto-summary

R3:
router bgp 3
 no synchronization
 bgp router-id 1.1.1.3
 bgp log-neighbor-changes
 neighbor 10.10.10.1 remote-as 65001
 neighbor 10.10.10.1 ebgp-multihop 3
 neighbor 10.10.10.1 update-source Loopback1
 neighbor 10.12.12.1 remote-as 3
 neighbor 10.12.12.1 update-source Loopback1
 neighbor 150.8.8.8 remote-as 2
 neighbor 150.8.8.8 ebgp-multihop 3
 neighbor 150.8.8.8 update-source Loopback3
 neighbor 192.168.10.5 remote-as 3
 neighbor 192.168.10.5 update-source Loopback1
 neighbor 192.168.10.5 route-reflector-client
 neighbor 192.168.10.6 remote-as 3
 neighbor 192.168.10.6 update-source Loopback1
 neighbor 192.168.10.6 route-reflector-client
 no auto-summary

R5:
router bgp 3
 no synchronization
 bgp router-id 1.1.1.5
 bgp log-neighbor-changes
 neighbor 10.13.13.1 remote-as 3
 neighbor 10.13.13.1 update-source FastEthernet0/0
 no auto-summary

R6:
router bgp 3
 no synchronization
 bgp router-id 1.1.1.6
 bgp log-neighbor-changes
 neighbor 10.13.13.1 remote-as 3
 neighbor 10.13.13.1 update-source FastEthernet0/0
 no auto-summary

On the connections within AS 65001, make sure you consolidate your commands to reduce the size of the BGP command line configuration.

AS 65001

SN10roter 5gp >!!1

 no s*nchroniation 5gp roter+id 1.1.1.1! 5gp log+neigh5or+changes neig(bor Branc( peergroup ,Peer +roup comman0s are use0 to group simi!ar B+P comman0s toget(er for neig(bors-

 neigh5or ;ranch remote+as >!!1 neigh5or ;ranch pdate+sorce lan1! neigh5or ;ranch rote+reflector+client ,(e ot(er s'itc(es S'23an0 4 'i!! become route ref!ector c!ients-

 neigh5or 1!...2 peer+grop ;ranch neigh5or 1!.9.9.2 peer+grop ;ranch neigh5or 1!...2 peer+grop ;ranch neigh5or 1!.1!.1!.1 remote+as >!!1 neigh5or 1!.1!.1!.1 e5gp+mltihop 2 neigh5or 1!.1!.1!.1 pdate+sorce lan1! neigh5or 1!.12.12.1 remote+as 3 neigh5or 1!.12.12.1 e5gp+mltihop 2 neigh5or 1!.12.12.1 pdate+sorce lan1! no ato+smmar*

10roter 5gp >!!1 no s*nchroniation 5gp roter+id 1.1.1.1 5gp log+neigh5or+changes neigh5or ;ranch peer+grop neigh5or ;ranch remote+as >!!1 neigh5or ;ranch pdate+sorce $oop5ac! neigh5or ;ranch rote+reflector+client neigh5or 1!...2 peer+grop ;ranch neigh5or 1!.9.9.2 peer+grop ;ranch


 neigh5or 1!...2 peer+grop ;ranch neigh5or 1!.13.13.1 remote+as 3 neigh5or 1!.13.13.1 e5gp+mltihop 3 neigh5or 1!.13.13.1 pdate+sorce $oop5ac! neigh5or 12.1>9.1!.1 remote+as >!!1 neigh5or 12.1>9.1!.1 pdate+sorce $oop5ac! no ato+smmar*

Sw20roter 5gp >!!1 no s*nchroniation 5gp roter+id 1.1.1.2! 5gp log+neigh5or+changes neigh5or 1!.1!.1!.1 remote+as >!!1 neigh5or 1!.1!.1!.1 pdate+sorce lan neigh5or 12.1>9.1!.1 remote+as >!!1 neigh5or 12.1>9.1!.1 pdate+sorce lan no ato+smmar*

Sw30roter 5gp >!!1 no s*nchroniation 5gp roter+id 1.1.1.3! 5gp log+neigh5or+changes

 neigh5or 1!.1!.1!.1 remote+as >!!1 neigh5or 1!.1!.1!.1 pdate+sorce lan9 neigh5or 12.1>9.1!.1 remote+as >!!1 neigh5or 12.1>9.1!.1 pdate+sorce lan9 no ato+smmar*

Sw40roter 5gp >!!1 no s*nchroniation 5gp roter+id 1.1.1.4! 5gp log+neigh5or+changes neigh5or 1!.1!.1!.1 remote+as >!!1 neigh5or 1!.1!.1!.1 pdate+sorce lan neigh5or 12.1>9.1!.1 remote+as >!!1 neigh5or 12.1>9.1!.1 pdate+sorce lan no ato+smmar*

Task 2 (Networks): Advertise the new loopbacks from R7 and R8 in BGP. Make sure Sw4 can ping them. Advertise the new IP addresses in the new loopbacks of R2 and R3 as well as 192[email protected]0.0 and a summary of the 10.0.0.0 network. Make sure your BGP table in R7 looks like the following:

R7:
router bgp 1
 no synchronization
 bgp router-id 1.1.1.7
 bgp log-neighbor-changes
 ! This configuration advertises these networks into BGP
 network 209.0.0.0 mask 255.128.0.0
 network 220.0.0.0 mask 255.128.0.0
 neighbor 150.1.1.2 remote-as 3
 neighbor 150.1.1.2 ebgp-multihop 3
 neighbor 150.1.1.2 update-source Loopback3
 neighbor 172.16.4.8 remote-as 2
 no auto-summary

R2:
router bgp 3
 no synchronization
 bgp router-id 1.1.1.2
 bgp log-neighbor-changes
 network 10.12.12.0 mask 255.255.255.0
 network 150.2.2.0 mask 255.255.255.0
 network 151.2.2.0 mask 255.255.255.0
 network 152.2.2.0 mask 255.255.255.0
 network 172.16.5.0 mask 255.255.255.0
 ! This command configures a summary only for the 10/8 network
 aggregate-address 10.0.0.0 255.0.0.0 summary-only
 aggregate-address 172.16.0.0 255.255.0.0 summary-only
 neighbor 10.13.13.1 remote-as 3
 neighbor 10.13.13.1 update-source Loopback1
 neighbor 150.2.3.7 remote-as 1
 neighbor 150.2.3.7 ebgp-multihop 3
 neighbor 150.2.3.7 update-source Loopback3
 neighbor 192.168.10.1 remote-as 65001
 neighbor 192.168.10.1 ebgp-multihop 2
 neighbor 192.168.10.1 update-source Loopback1
 neighbor 192.168.10.9 remote-as 3
 neighbor 192.168.10.9 update-source Loopback1
 neighbor 192.168.10.9 route-reflector-client
 no auto-summary

R8:
router bgp 2
 no synchronization
 bgp router-id 1.1.1.8
 bgp log-neighbor-changes
 network 160.0.0.0 mask 255.128.0.0
 network 190.0.0.0 mask 255.128.0.0
 neighbor 150.3.3.2 remote-as 3
 neighbor 150.3.3.2 ebgp-multihop 3
 neighbor 150.3.3.2 update-source Loopback3
 neighbor 172.16.4.7 remote-as 1
 no auto-summary

R3:
router bgp 3
 no synchronization
 bgp router-id 1.1.1.3
 bgp log-neighbor-changes
 network 10.13.13.0 mask 255.255.255.0
 network 14.3.3.0 mask 255.255.255.0
 network 151.3.3.0 mask 255.255.255.0
 network 152.3.3.0 mask 255.255.255.0
 network 172.16.6.0 mask 255.255.255.0
 aggregate-address 10.0.0.0 255.0.0.0 summary-only
 aggregate-address 172.16.0.0 255.255.0.0 summary-only
 neighbor 10.10.10.1 remote-as 65001
 neighbor 10.10.10.1 ebgp-multihop 3
 neighbor 10.10.10.1 update-source Loopback1
 neighbor 10.12.12.1 remote-as 3
 neighbor 10.12.12.1 update-source Loopback1
 neighbor 150.8.8.8 remote-as 2
 neighbor 150.8.8.8 ebgp-multihop 3
 neighbor 150.8.8.8 update-source Loopback3
 neighbor 192.168.10.5 remote-as 3
 neighbor 192.168.10.5 update-source Loopback1
 neighbor 192.168.10.5 route-reflector-client
 neighbor 192.168.10.6 remote-as 3
 neighbor 192.168.10.6 update-source Loopback1
 neighbor 192.168.10.6 route-reflector-client
 no auto-summary

Sw40SN4#ping 2!.!.!.1

*pe escape se?ence to a5ort.Sending A 1!!+5*te </ Echos to 2!.!.!.1A timeot is 2 seconds0


Sccess rate is 1!! percent (B)A rond+trip minBagBma- D !B"B msSN4#SN4#ping 22!.!.!.1

*pe escape se?ence to a5ort.Sending A 1!!+5*te </ Echos to 22!.!.!.1A timeot is 2 seconds0Sccess rate is 1!! percent (B)A rond+trip minBagBma- D 9B9B ms

SN4#SN4#ping 1>!.!.!.1

*pe escape se?ence to a5ort.Sending A 1!!+5*te </ Echos to 1>!.!.!.1A timeot is 2 seconds0Sccess rate is 1!! percent (B)A rond+trip minBagBma- D 1B>!B" msSN4#SN4#ping 1!.!.!.1

*pe escape se?ence to a5ort.Sending A 1!!+5*te </ Echos to 1!.!.!.1A timeot is 2 seconds0Sccess rate is 1!! percent (B)A rond+trip minBagBma- D !B"B msSN4#

Task 3 (MEDs): Configure MEDs such that AS 3 will prefer R8 to reach 209.0.0.1 and 220.0.0.1, and R7 will be a better path to 190.0.0.1 and 160.0.0.1. Make sure you configure R2 and R3 to prevent AS 65001 from being advertised to R7 or R8. Ping the routes from Sw4 and ensure you can still reach them.

R7:
router bgp 1
 no synchronization
 bgp router-id 1.1.1.7
 bgp log-neighbor-changes
 network 172.16.4.0 mask 255.255.255.0
 network 209.0.0.0 mask 255.128.0.0
 network 220.0.0.0 mask 255.128.0.0
 neighbor 150.1.1.2 remote-as 3
 neighbor 150.1.1.2 ebgp-multihop 3
 neighbor 150.1.1.2 update-source Loopback3
 ! This allows us to use a route map to set the MED value
 neighbor 150.1.1.2 route-map med out
 neighbor 172.16.4.8 remote-as 2
 no auto-summary

route-map med permit 10
 match ip address prefix-list med
 ! Setting a lower metric for these networks will make them more preferred over R7
 set metric 10

route-map med permit 20
 match ip address prefix-list med2
 set metric 200
 ! In BGP the AS-Path attribute is more preferred than MED, so we need to give
 ! the AS path an equal value so that MED will be used as a tie breaker
 set as-path prepend 1

ip prefix-list med seq 5 permit 160.0.0.0/9
ip prefix-list med seq 10 permit 190.0.0.0/9
ip prefix-list med2 seq 5 permit 209.0.0.0/9
ip prefix-list med2 seq 10 permit 220.0.0.0/9

R8:
router bgp 2
 no synchronization
 bgp router-id 1.1.1.8
 bgp log-neighbor-changes
 network 160.0.0.0 mask 255.128.0.0
 network 172.16.4.0 mask 255.255.255.0
 network 190.0.0.0 mask 255.128.0.0
 neighbor 150.3.3.2 remote-as 3
 neighbor 150.3.3.2 ebgp-multihop 3
 neighbor 150.3.3.2 update-source Loopback3
 neighbor 150.3.3.2 route-map med out
 neighbor 172.16.4.7 remote-as 1
 no auto-summary

route-map med permit 10
 match ip address prefix-list med
 set metric 10
route-map med permit 20
 match ip address prefix-list med2
 set metric 200
 set as-path prepend 2

ip prefix-list med seq 5 permit 209.0.0.0/9
ip prefix-list med seq 10 permit 220.0.0.0/9
ip prefix-list med2 seq 5 permit 160.0.0.0/9
ip prefix-list med2 seq 10 permit 190.0.0.0/9

Task 4 (As-filtering): Configure AS 3 so that it cannot be a transit AS between AS 1 and AS 2.

To accomplish this task you must use an AS-path ACL to enable a filter list.


Day :

Multicast

Refer to slides from lecture or UniverCD for assistance.

Multicast Tasks

Task 1 (Multicast): Configure multicast support for R2, R3 and R1. Configure multicast routing such that it can automatically find the RPs in a failure. You cannot use sparse-dense or dense mode for this task. Also make sure R1 is configured with the highest priority for any elections.

Task 2 (IGMP): On R1, configure it to join group 224.2.2.2. After doing this, R2 and R3 should be able to ping this group.

Task 3 (IGMP): On Sw4 we are having a problem with multicast on Vlan 4. For testing purposes, configure SW4 so that multicast is flooded to every switch port.


Multicast Answers

Task 1 (Multicast): Configure multicast support for R2, R3 and R1. Configure multicast routing such that it can automatically find the RPs in a failure. You cannot use sparse-dense or dense mode for this task. Also make sure R1 is configured with the highest priority for any elections.

R1
hostname R1
! This turns on multicast globally
ip multicast-routing
! This forces R1 to be the BSR by using the highest priority
ip pim bsr-candidate Serial0/0/0 30 255
! This forces R1 to be the RP for 224.2.2.2 by using the highest priority
ip pim rp-candidate Serial0/0/0 priority 255

interface FastEthernet0/0
 description Vlan6_sw1tor1
 ip address 10.6.6.2 255.255.255.252
 ! This enables PIM routing and control traffic
 ip pim sparse-mode
 ! This allows Router 1 to join 224.2.2.2
 ip igmp join-group 224.2.2.2
 ip ospf 1 area 2
 duplex auto
 speed auto

interface Serial0/0/0
 description MESH_to_R2_R3
 ip address 172.16.1.1 255.255.255.0
 ! This enables PIM routing
 ip pim sparse-mode

R2
ip multicast-routing
ip pim bsr-candidate Serial0/0/0.1 30 100
ip pim rp-candidate Serial0/0/0.1 priority 100

interface Serial0/0/0.1 multipoint
 description MESH_to_R1_R3
 ip address 172.16.1.2 255.255.255.0
 ip pim sparse-mode

R3

interface Serial0/0/0.1 multipoint
 description MESH_to_R1_R3
 ip address 172.16.1.2 255.255.255.0
 ip pim sparse-mode

3#sh ip pim 5sr+roter /<2 ;ootstrap information  ;S address0 1"2.1>.1.1 (R)  =ptime0 !!0!304A ;S /riorit*0 2A Cash mas length0 3!


  E-pires0 !!0!101his s*stem is a candidate ;S   andidate ;S address0 1"2.1>.1.3A priorit*0 1!!A hash mas length0 3!  andidate /0 1"2.1>.1.3(Serial!B!B!.1)  Coldtime 1! seconds  %dertisement interal >! seconds  &e-t adertisement in !!0!!01>  andidate / priorit* 0 1!!

R3#ping 224.2.2.2

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 224.2.2.2, timeout is 2 seconds:

Reply to request 0 from 172.16.1.1, 72 ms
R3#

Task 2 (IGMP): On R1, configure it to join group 224.2.2.2 and only this group. After doing this, R2 and R3 should be able to ping this group.

Sw1
interface FastEthernet0/0
 description Vlan6_sw1tor1
 ip address 10.6.6.2 255.255.255.252
 ip igmp join-group 224.2.2.2
 ip ospf 1 area 2
 duplex auto
 speed auto

Task 3 (IGMP): On Sw4 we are having a problem with multicast on Vlan 4. For testing purposes, configure SW4 so that multicast is flooded to every switch port.

SW4(config)#no ip igmp snooping vlan 4


Day :

QoS

QoS Tasks

Task 1 (Switch QoS): Enable automatic QoS features on SW1 such that an IP phone can be connected to any of the ports except for the trunk ports or ports connected between switches or the routers. Also, if a PC were to be connected, it should not allow it to send QoS information. On Sw2, configure f0/4 so that it will only ever send traffic at a maximum of 50 megs.

Task 2 (MLPP): On R1 and R2, first use MQC to match all voice traffic with a DSCP of 46 and set a priority of 512k. Second, match signaling information with a CS3 and set the bandwidth to 64k. Set best-effort traffic to fair queue. Configure MLPP to provide fragmentation and interleaving with a delay of 10 and 1460000 as the CIR.

Task 3 (Congestion Avoidance): Configure congestion avoidance on R5 F0/0. For DSCP AF11, set the min threshold to 10, and when the queue reaches the max threshold of 100 packets, set the drop probability to drop 1 out of 10 packets.


mls qos queue-set output 2 threshold 2 118 118 100 235
mls qos queue-set output 2 threshold 3 41 68 100 272
mls qos queue-set output 2 threshold 4 42 72 100 242
mls qos queue-set output 1 buffers 10 10 26 54
mls qos queue-set output 2 buffers 16 6 17 61
mls qos

interface FastEthernet0/4
 ! This command will limit traffic to 50% of the actual port bandwidth
 srr-queue bandwidth limit 50


Task 2 (MLPP): Between BB2 and R2 on the frame, first use MQC to match all voice traffic with a DSCP of 46 and set a priority of 512k. Second, match signaling information with a CS3 and set the bandwidth to 64k. Set best-effort traffic to fair queue. Configure MLPP to provide fragmentation and interleaving with a delay of 10 and 1460000 as the CIR.

! Match traffic marked with the requested DSCP
class-map match-all Signal
 match ip dscp cs3
class-map match-all VOICE
 match ip dscp ef
!
!
! This sets LLQ for Voice and CBWFQ for Signalling
policy-map BB2toR2
 class VOICE
  priority 512
 class Signal
  bandwidth 64
 class class-default
  ! Set best-effort queue to fair queue, not FIFO
  fair-queue

interface Serial0/0/0
 frame-relay traffic-shaping
!
!
interface Serial0/0/0.2 point-to-point
 description P2P-to-BB2
 ! Sets DLCI to Virtual Template
 frame-relay interface-dlci 209 ppp Virtual-Template1
  class BB2toR2
!
interface Virtual-Template1
 description P2P-to-R2
 bandwidth 1546
 ip address 172.16.2.2 255.255.255.0
 ip ospf 1 area 7
 delay 100000
 ! MLPPP
 ppp multilink
 ! Set delay to 10
 ppp multilink fragment delay 10
 ! Interleave voice into larger data packets
 ppp multilink interleave
 service-policy output BB2toR2
!
! FRTS
map-class frame-relay BB2toR2
 frame-relay cir 1460000
 frame-relay bc 14600
 frame-relay be 0
 frame-relay mincir 1460000
!


Task 3 (Congestion Avoidance): Configure congestion avoidance on R5 F0/0. For DSCP AF11, set the min threshold to 10, and when the queue reaches the max threshold of 100 packets, set the drop probability to drop 1 out of 10 packets.

interface FastEthernet0/0
 description Vlan10_Leased
 ip address 192[email protected]0.5 255.255.255.0
 ip ospf 1 area 0
 duplex auto
 speed auto
 ipv6 address 2000:1:1:1234::5/64
 ipv6 address FE80::5 link-local
 ipv6 ospf 1 area 0
 random-detect dscp-based
 ! AF11 = 10 decimal; min 10, max 100; drop 1 out of 10 packets
 random-detect dscp 10 10 100 10


Day :

Security

Security Tasks

Task 1 (DHCP security): Configure a DHCP server on SW2. Create a scope for network 20.20.20.0/24 with a default gateway of 20.20.20.254, which will be configured on Sw2. Configure Sw2 for DHCP snooping and to examine the DHCP leases coming from Sw2 to R2. Create Vlan 20 on the VTP server and configure a vlan 20 to f0/2 interface on SW2 such that R2 learns its IP address from Sw2. Configure DHCP snooping on Sw2 and save the bindings to flash:. Reset the IP on Sw2 and ensure DHCP snooping is tracking the DHCP lease.

Task 2 (Prevent Spoofing): On Sw2, enable security features that can use the DHCP bindings to prevent spoofing IP addresses already bound to f0/2. On R2 and R3, prevent IP spoofing from the ISP connections.

Task 3 (DoS): Configure R3 and R2 to protect against TCP DoS. Use 100 for low and 500 for high threshold of half-open connections.

On R2 and R3

ip tcp intercept max-incomplete low 100
ip tcp intercept max-incomplete high 500

Security Answers

Task 1 (DHCP security): Configure a DHCP server on SW2. Create a scope for network 20.20.20.0/24 with a default gateway of 20.20.20.254, which will be configured on Sw2. Configure Sw2 for DHCP snooping and to examine the DHCP leases coming from Sw2 to R2. Create Vlan 20 on the VTP server and configure a vlan 20 to f0/2 interface on SW2 such that R2 learns its IP address from Sw2. Configure DHCP snooping on Sw2 and save the bindings to flash:. Reset the IP on Sw2 and ensure DHCP snooping is tracking the DHCP lease.

Sw2

ip dhcp excluded-address 20.20.20.254
!
ip dhcp pool sw2
   network 20.20.20.0 255.255.255.0
   default-router 20.20.20.254

interface Vlan20
 ip address 20.20.20.254 255.255.255.0


R1

R1(config)#ntp master ---------- NTP is required for DHCP snooping

Sw2
ntp server 192[email protected]0.1 ----------- NTP is required for DHCP snooping

ip dhcp snooping vlan 20
ip dhcp snooping database flash:file01.txt ------- Stores the DHCP lease info
ip dhcp snooping -------- Enables DHCP Snooping

Sw2(config)#int f0/2
SW2(config-if)#ip dhcp snooping trust

SW2#sh ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:15:2B:AD:62:D1   20.20.20.1       86333       dhcp-snooping  20    FastEthernet0/2
Total number of bindings: 1

Task 2 (Prevent Spoofing): On Sw2 enable security features that can use the DHCP bindings to prevent spoofing IP addresses already bound to f0/2. On R2 and R3 prevent IP spoofing from the ISP connections.

Sw2
interface FastEthernet0/2
 switchport access vlan 20
 switchport mode access
 ip verify source port-security -------- Enables IP source guard

SW2#sh ip verify source interface f0/2
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Fa0/2      ip-mac       active       20.20.20.1       permit-all         20

R2

R2(config)#int s0/0/0.3
R2(config-subif)#ip verify unicast reverse-path

R3(config)#int s0/0/0.3
R3(config-subif)#ip verify unicast reverse-path
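Added example (not from the workbook): a Python model of how the DHCP snooping binding table feeds the IP source guard filter on Sw2's f0/2, using the two show outputs above as constructed sample input. The function names are hypothetical, and reading `permit-all` in the Mac-address column as "MAC not checked" is an assumption of the model.

```python
import re
from typing import NamedTuple

# Constructed from the two show outputs on this page (Sw2, port FastEthernet0/2).
SNOOPING_BINDING = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  ---------------
00:15:2B:AD:62:D1   20.20.20.1       86333       dhcp-snooping  20    FastEthernet0/2
Total number of bindings: 1
"""
VERIFY_SOURCE = """\
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Fa0/2      ip-mac       active       20.20.20.1       permit-all         20
"""

BINDING_ROW = re.compile(
    r"^((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+(\d+(?:\.\d+){3})"
    r"\s+\d+\s+\S+\s+(\d+)\s+(\S+)$")
POLICY_ROW = re.compile(r"^(\S+)\s+(ip-mac|ip)\s+(\S+)\s+\S+\s+(\S+)\s+\d+$")


class Binding(NamedTuple):
    mac: str
    ip: str
    vlan: int
    port: str


def short_port(name):
    """Map 'FastEthernet0/2' and 'Fa0/2' to the same key."""
    return re.sub(r"^(?:FastEthernet|Fa)", "Fa", name.strip())


def parse_bindings(text):
    """Extract (mac, ip, vlan, port) rows from `show ip dhcp snooping binding`."""
    rows = []
    for line in text.splitlines():
        m = BINDING_ROW.match(line.strip())
        if m:
            rows.append(Binding(m.group(1).lower(), m.group(2),
                                int(m.group(3)), short_port(m.group(4))))
    return rows


def parse_policy(text):
    """Return {port: (filter_type, mac_column)} for active source-guard filters."""
    policy = {}
    for line in text.splitlines():
        m = POLICY_ROW.match(line.strip())
        if m and m.group(3) == "active":
            policy[short_port(m.group(1))] = (m.group(2), m.group(4).lower())
    return policy


def check_frame(bindings, policy, port, vlan, src_ip, src_mac):
    """Decide whether a frame passes the modelled filter; returns (ok, reason)."""
    port = short_port(port)
    if port not in policy:
        return True, "no source guard on port"
    ftype, mac_col = policy[port]
    hits = [b for b in bindings
            if b.port == port and b.vlan == vlan and b.ip == src_ip]
    if not hits:
        return False, "source IP not bound to this port/VLAN"
    # Assumption of this model: 'permit-all' in the Mac-address column means
    # the MAC is not being checked, so only the IP half of ip-mac is enforced.
    if ftype == "ip-mac" and mac_col != "permit-all":
        if src_mac.lower() not in {b.mac for b in hits}:
            return False, "source MAC does not match binding"
    return True, "matches binding"


def weak_mac_filters(policy):
    """Ports set to ip-mac filtering whose MAC column still reads permit-all."""
    return sorted(p for p, (ftype, mac) in policy.items()
                  if ftype == "ip-mac" and mac == "permit-all")
```

Under that assumption, `weak_mac_filters` flags Fa0/2: the filter type is ip-mac, but a frame carrying the bound IP with a different source MAC would still pass.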


Task 3 (DoS): Configure R3 and R2 to protect against TCP DoS. Use 100 for low and 500 for high threshold of half-open connections.

On R2 and R3

ip tcp intercept max-incomplete low 100
ip tcp intercept max-incomplete high 500


Day 4

IPv6

The Internet Engineering Task Force (IETF) has developed a suite of protocols and standards known as IP version 6 (IPv6). This new version, previously called IP-The Next Generation (IPng), incorporates the concepts of many methods for updating the IPv4 protocol.

IPv6 Addressing

IPv6 addresses are 128 bits long and are configured in hexadecimal. Consecutive zeroes can be eliminated (::). In the following example 2001:0:0:A1::1E2A/64 is the full IPv6 address, where 2001:0:0:A1 is the network portion and the interface (host) portion is 0:0:0:1E2A or ::1E2A.

IPv6 Address Scopes

IPv6 has the following three scopes:

• Link-local Scope

• Unique-local Scope

• Global Scope

Link Local

• Identifies all hosts within a single layer 2 domain

• Unicast addresses within this scope are called link-local addresses

• They are assigned by default when ipv6 is enabled on an interface

• Network address is always FE80::/10

• Host portion derived from MAC address (Modified EUI-64)

• Can be manually added too: R3(config-if)#ipv6 address FE80::3 link-local

• Independent of the global addressing scheme

• Cannot be routed

Unique-local Scope

• Previously referred to as site local

• Identifies all devices within an administrative domain containing multiple distinct links

• Unicast addresses within this scope are called unique-local addresses

• Have a scope limited to the site

• Network address is always FEC0::/10

• 16 bits in the network address identify the subnet

• Host portion derived from MAC address (Modified EUI-64)

Global

• Addresses for generic use of IPv6

• Identifies all devices reachable across the Internet

• Unicast addresses within this scope are called global unicast addresses

• Have to be globally unique and routable

• Addresses reserved for global scope 2000::/3


• Can have a variable subnet portion

• Last 64 bits for the interface identifier

• IANA assigns /48

Enabling IPv6

On a router in global configuration mode configure:

ipv6 unicast-routing

In interface mode:

ipv6 address 2001:200:1:1::1/64

Link-local addresses are generated by default, or use manual configuration to change them.

  ipv6 address FE80::3 link-local

In order for a switch to understand IPv6 addresses configure:

In Global configuration

sdm prefer dual-ipv4-and-ipv6 default

Next you must reboot the switch for the changes to take place.

After a reboot the following global configuration can be entered

  ipv6 unicast-routing

RIPng

In RIPng neighbors need not be on the same global subnet since they are on the same link-local subnet. Hence the router has to advertise its own prefix for the link on the actual interface. In addition to the frame-relay map ipv6 broadcast to the Global IPv6 Addresses you also need a map to the link local address. RIP messages are sent to the all RIP routers link-local multicast address FF02::9/128. And lastly RIPng uses the authentication headers present in the IPv6 header for authentication purposes and does not provide MD5 authentication.

To configure RIPng in interface mode:

ipv6 rip <string> enable

To verify the configuration:

show ipv6 protocol
show ipv6 rip
show ipv6 rip database

Note - Redistribution between separate RIPng processes is configured under the routing process.


OSPFv3

In comparison with OSPFv2, Version 3 has the same basic mechanisms: flooding, DR election, areas and SPF calculations remain the same. In contrast, link LSAs announce link-local addresses and a list of ipv6 prefixes to associate with the link. Intra-area prefix LSAs carry all ipv6 prefixes to all ospfv3 routers within an area (they correspond to router and network LSAs in ipv4). Inter-area prefix LSA 0x2003 replaces summary or type 3 LSAs and Inter-area router LSA 0x2004 replaces type 4 LSA. OSPFv3 runs on a link basis rather than on a subnet basis as in ospfv2. Authentication is also removed from OSPFv3, which relies on ipv6 for authentication.

OSPFv3 is configured on the interfaces:

• ipv6 ospf 100 area 0

To verify the configuration:

• show ipv6 ospf

• show ipv6 ospf neighbor

OSPFv3 still uses a 32 bit router id that must be configured under ipv6 router ospf 100

Summaries can be configured under ipv6 router ospf 100 using the command area 1 range 2001::/48

The LSAs in OSPFv3:

Router-LSA              0x2001
Network-LSA             0x2002
Inter-Area-Prefix-LSA   0x2003
Inter-Area-Router-LSA   0x2004
AS-External-LSA         0x2005
Group-membership-LSA    0x2006
Type-7-LSA              0x2007
Link-LSA                0x2008
Intra-Area-Prefix-LSA   0x2009

OSPFv3 over NBMA

OSPFv3 over NBMA is very much similar to OSPFv2 over NBMA. The hub interface priority has to be increased manually to make it the DR. The spokes should be configured with a priority of 0 so that they never participate in the DR elections. Moreover neighbors have to be specified manually on the interface. The address for the neighbor has to be the link local address. The neighbors have to be specified only on the hub, not on the spokes.

Frame-relay maps have to be configured pointing to the neighbor's link local address on both hub and spokes as well as the global addresses (if configured).


sh ipv6 int s0/1/0 displays the link-local address

The following example displays configuring OSPFv3 on a hub interface:

interface Serial0/1/0
 ipv6 ospf priority 100
 ipv6 ospf neighbor FE80::20A:B8FF:FE6B:A478
 ipv6 ospf neighbor FE80::20A:B8FF:FE2C:7DC8
 ipv6 ospf 10 area 0
 frame-relay map ipv6 FE80::20A:B8FF:FE6B:A478 106
 frame-relay map ipv6 FE80::20A:B8FF:FE2C:7DC8 105

IPv6 over IPv4

IPv6 can be tunneled under ipv4. The 6to4 tunnel mode by default is gre and can be changed to ipv6ip. The tunnel itself needs an ipv6 address configured manually. The tunnel source and destination will be ipv4 addresses. Afterwards an IPv6 capable routing protocol can be enabled over the tunnel.

The following example tunnels IPv6 over IPv4:

interface Tunnel0
 no ip address
 ipv6 address 2002:100:24:1::2/64
 ipv6 ospf 100 area 0
 tunnel source 10.86.72.17
 tunnel destination 10.86.72.18

In the above example we are using GRE as the default encapsulation; however we could also opt for ipv6ip with the "tunnel mode ipv6ip" command.

IPv6 Neighbor Discovery

• Neighbor Discovery determines the link-layer address of a neighbor on the same link and helps both keep track of and find neighbor routers. Neighbor discovery is achieved with the ICMP protocol using multicast addresses. This is also known as the solicited node address. A solicited-node address is a Multicast address with a link-local scope which is formed by a prefix and the right-most 24 bits of the unicast or anycast address. The following diagram illustrates how a neighbor is discovered in IPv6.
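Added example (not part of the workbook): the Modified EUI-64 derivation from the Link Local section and the solicited-node address described above, worked through in Python. The MAC address 00:1b:54:64:b0:08 is constructed, chosen so that the result matches the FF02::1:FF64:B008 group in the sample `sh ipv6 int` output on this page; all function names are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict


def parse_mac(mac):
    """Accept 00:1b:54:64:b0:08, 00-1B-54-64-B0-08 or Cisco 001b.5464.b008."""
    digits = re.sub(r"[.:\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def eui64_interface_id(mac):
    """Modified EUI-64: insert FF:FE in the middle and flip the U/L bit."""
    raw = parse_mac(mac)
    eui = bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]
    return int.from_bytes(eui, "big")


def link_local_from_mac(mac):
    """FE80::/64 plus the Modified EUI-64 interface identifier."""
    return ipaddress.IPv6Address((0xFE80 << 112) | eui64_interface_id(mac))


def solicited_node(addr):
    """FF02::1:FF00:0/104 plus the right-most 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | low24)


def multicast_mac(group):
    """Ethernet destination for an IPv6 multicast group: 33:33 + low 32 bits."""
    low32 = int(ipaddress.IPv6Address(group)) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{b:02x}" for b in low32.to_bytes(4, "big"))


def shared_groups(addresses):
    """Solicited-node groups that more than one of the given addresses map to.

    Only 24 bits survive the mapping, so short manually assigned addresses
    such as FE80::3 and 2001:1:1:1234::3 land in the same group.
    """
    groups = defaultdict(list)
    for a in addresses:
        ip = ipaddress.IPv6Address(a)
        groups[solicited_node(ip)].append(ip)
    return {g: members for g, members in groups.items() if len(members) > 1}
```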

[Figure: Neighbor Discovery]

Afterwards routers send periodic Router Advertisements (RA) to the all-nodes multicast address. At reboot time the devices send Router Solicitations to promptly receive Router Advertisements. There is also a notion of a redirect which is used by a router to signal the reroute of a packet to a better router.

Duplicate Address Detection

Duplicate Address Detection (DAD) uses Neighbor Solicitation to verify the existence of an address to be configured to avoid conflicts.

Stateless Auto-configuration

This time end devices or routers are configured to send router solicitations at boot up to request RAs for configuring their interfaces. An IPv6 router configured to respond will send the following information in the Router advertisements:

•  Default router

•  IPv6 network prefix

•  Lifetime of advertisement

The IPv6 router would configure an interface with the following parameters:

ipv6 nd prefix <prefix> | default
  [ [<valid-lifetime> <preferred-lifetime>] | [at <valid-date> <preferred-date>]
  [off-link] [no-autoconfig] ]


IPv6 LAB

Scenario

Turn-key is doing business with a partner that would like to connect with them over IPv6 in the future. Turn-key has registered IPv6 address space and would like you to configure IPv6 as outlined in the following diagram to pilot this capability over their existing IPv4 infrastructure.

IPv6 Topology


IPv6 Tasks

Task 1 (Enable IPv6): Enable IPv6 on each device identified in the above diagram.

Configure IPv6 addresses based on the following Table:

Interface        Device   IPv6
Vlan3_trunked    Sw1      2000:2:2:1234::2/64
Vlan3_trunked    Sw2      2000:2:2:1234::4/64
Vlan10_Leased    Sw1      2000:1:1:1234::1/64
F0/0             R3       2000:1:1:1234::3/64
S0/0/0.2         R3       2001:1:1:1234::3/64
F0/0             R5       2000:1:1:1234::5/64
S0/0/0           R5       2001:1:1:1234::5/64
F0/0             R6       2000:1:1:1234::6/64
S0/0/0           R6       2001:1:1:1234::6/64

Configure the following loopback addresses:

• R3 - Lo = 2000:3:3:3::3/64

• R5 - Lo = 2000:5:5:5::5/64

• R6 - Lo = 2000:6:6:6::6/64

Task 2 (Link Local): Do a "sh ipv6 int" on each of the configured addresses and manually modify the link local address to make it easier to look at.

For example on R3:

R3#sh ipv6 int
FastEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is .E"0332#:3E..3.E,(3600"
  Description: Vlan10_Leased
  Global unicast address(es):
    2000:1:1:1:1234::1, subnet is 2000:1:1:1::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:1
    FF02::1:FF64:B008
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND advertised reachable time is 0 milliseconds
  ND advertised retransmit interval is 0 milliseconds
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  Hosts use stateless autoconfig for addresses.


We could shorten the address to FE80::3 by issuing the following interface command:

R3(config-if)#ipv6 address FE80::3 link-local

Task 3 (RIPng): Enable RIPng for networks on Sw1 and Sw2

Task 4 (OSPFv3): Enable OSPFv3 area 0 between Sw1, R3, R5 and R6. For redundancy OSPF should run over the Leased Ethernet and Frame Relay.

Task 5 (Redistribution): Redistribute OSPFv3 and RIPng on Sw1 and ping test from Sw2 to ensure all IPv6 networks are reachable.


IPv6 Answers

Task 1 (Enable IPv6): Enable IPv6 on each device identified in the above diagram.

In order to allow the Catalyst 3560 switches to support IPv6 addresses we need to change the SDM template to dual. Since we have configured so many L2 options in the previous Lab we will leave the switch tuned for desktop.

Sw1:
Sw1(config)#sdm ?
  prefer  Config TCAM and Forwarding TCAM sizes. Warning: need to reset switch
          for configuration to take effect.

Sw1(config)#sdm prefer ?
  access              Access bias
  default             Default bias
  dual-ipv4-and-ipv6  Support both IPv4 and IPv6
  routing             Unicast bias
  vlan                VLAN bias

Sw1(config)#sdm prefer dual
Sw1(config)#sdm prefer dual-ipv4-and-ipv6 ?
  default  Default bias
  routing  Unicast bias
  vlan     VLAN bias

Sw1(config)#sdm prefer dual-ipv4-and-ipv6 ro
Sw1(config)#sdm prefer dual-ipv4-and-ipv6 routing
Changes to the running SDM preferences have been stored, but cannot take effect
until the next reload.
Use 'show sdm prefer' to see what SDM preference is currently active.
Sw1(config)#do sh sdm prefer
 The current template is "desktop default" template.
 The selected template optimizes the resources in
 the switch to support this level of features for
 8 routed interfaces and 1024 VLANs.

  number of unicast mac addresses:                  6K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    8K
    number of directly-connected IPv4 hosts:        6K
    number of indirect IPv4 routes:                 2K
  number of IPv4 policy based routing aces:         0
  number of IPv4/MAC qos aces:                      12
  number of IPv4/MAC security aces:                 1K

 On next reload, template will be "desktop IPv4 and IPv6 routing" template.

Sw1(config)#
Sw1(config)#sdm prefer dual-ipv4-and-ipv6 default
Changes to the running SDM preferences have been stored, but cannot take effect
until the next reload.
Use 'show sdm prefer' to see what SDM preference is currently active.
Sw1(config)#do sh sdm prefer
 The current template is "desktop default" template.
 The selected template optimizes the resources in
 the switch to support this level of features for
 8 routed interfaces and 1024 VLANs.

  number of unicast mac addresses:                  6K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    8K


Sw3:

SW3(config)#sdm prefer dual-ipv4-and-ipv6 default
Changes to the running SDM preferences have been stored, but cannot take effect
until the next reload.
Use 'show sdm prefer' to see what SDM preference is currently active.
Use 'show sdm prefer' to see what SDM preference is currently active.

SW3(config)#do reload

SW3#sh sdm prefer
 The current template is "desktop IPv4 and IPv6 default" template.
 The selected template optimizes the resources in
 the switch to support this level of features for
 8 routed interfaces and 1024 VLANs.

  number of unicast mac addresses:                  2K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    3K
    number of directly-connected IPv4 hosts:        2K
    number of indirect IPv4 routes:                 1K
  number of IPv6 multicast groups:                  112
  number of directly-connected IPv6 addresses:      2K
  number of indirect IPv6 unicast routes:           1K
  number of IPv4 policy based routing aces:         0
  number of IPv4/MAC qos aces:                      12
  number of IPv4/MAC security aces:                 1K
  number of IPv6 policy based routing aces:         0
  number of IPv6 qos aces:                          10
  number of IPv6 security aces:                     10

Sw4:

SW4(config)#sdm prefer dual-ipv4-and-ipv6 default
Changes to the running SDM preferences have been stored, but cannot take effect
until the next reload.
Use 'show sdm prefer' to see what SDM preference is currently active.
Use 'show sdm prefer' to see what SDM preference is currently active.

SW4(config)#do reload

SW4#sh sdm prefer
 The current template is "desktop default" template.
 The selected template optimizes the resources in
 the switch to support this level of features for
 8 routed interfaces and 1024 VLANs.

  number of unicast mac addresses:                  6K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    8K
    number of directly-connected IPv4 hosts:        6K
    number of indirect IPv4 routes:                 2K
  number of IPv4 policy based routing aces:         0
  number of IPv4/MAC qos aces:                      12
  number of IPv4/MAC security aces:                 1K

 On next reload, template will be "desktop IPv4 and IPv6 default" template.

R3:

R3(config)#ipv6 unicast-routing

R5:

R5(config)#ipv6 unicast-routing

R6:

R6(config)#ipv6 unicast-routing

Note: after the switches reboot they need the ipv6 unicast-routing command as well.

Configure IPv6 addresses based on the above Table and Task 2 Link local addresses:

R3:

interface Loopback
 no ip address
 ipv6 address 2000:3:3:3::3/64 (This is the Global IPv6 address)
 ipv6 address FE80::3 link-local (This is a modified Link Local address that is not routable so it can be duplicated)

interface Serial0/0/0.2 multipoint
 description Hub-and-spoke-R5-R6
 ip address 172.16.3.3 255.255.255.0
 no ip split-horizon
 ip ospf dead-interval minimal hello-multiplier 4
 ip ospf 1 area 3
 ipv6 address 2001:1:1234::3/64
 ipv6 address FE80::3 link-local
 frame-relay map ip 172.16.3.3 305
 frame-relay map ip 172.16.3.5 305 broadcast
 frame-relay map ip 172.16.3.6 306 broadcast
 no frame-relay inverse-arp

interface FastEthernet0/0
 description Vlan10_Leased
 ip address 192.168.10.3 255.255.255.0
 ip ospf 1 area 0
 delay 1
 duplex auto
 speed auto
 ipv6 address 2000:1:1:1234::1/64
 ipv6 address FE80::3 link-local

R3#sh ipv6 int brief
FastEthernet0/0            [up/up]
    FE80::3
    2000:1:1:1234::1
FastEthernet0/1            [administratively down/down]
Serial0/0/0                [up/up]
Serial0/0/0.1              [up/up]
Serial0/0/0.2              [up/up]
    FE80::3
    2001:1:1:1234::3
Serial0/0/0.3              [up/up]
Serial0/0/1                [administratively down/down]
Serial0/1/0                [administratively down/down]
Serial0/1/1                [administratively down/down]
Loopback1                  [up/up]
Loopback3                  [up/up]
Loopback4                  [up/up]
Loopback                   [up/up]
    FE80::3
    2000:3:3:3::3


 frame-relay map ip 172.16.3.5 603 broadcast
 frame-relay map ip 172.16.3.6 603 broadcast
 no frame-relay inverse-arp
 frame-relay lmi-type ansi

R6#sh ipv6 int brief
FastEthernet0/0            [up/up]
    FE80::6
    2000:1:1:1::6
FastEthernet0/1            [administratively down/down]
Serial0/0/0                [up/up]
    FE80::6
    2001:1:1:1::6
Serial0/0/1                [administratively down/down]
Loopback                   [up/up]
    FE80::6
    2000:6:6:6::6

For interfaces that are connected, you should be able to ping the link-local addresses:

R6#ping ipv6 fe80::3
Output Interface: fastethernet0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FE80::3, timeout is 2 seconds:
Packet sent with a source address of FE80::6

Sw1:

interface Vlan3
 description Vlan3_trunked
 ip address 10.3.3.1 255.255.255.0
 ipv6 address 2000:2:2:1234::1/64
 ipv6 address FE80::1 link-local
 standby ip 10.3.3.24
 standby priority 2
 standby preempt delay minimum 60
 standby name Vlan3
 standby track FastEthernet0/1

interface Vlan10
 description Vlan10_Leased
 ip address 192.168.10.1 255.255.255.0
 ip summary-address eigrp 100 10.0.0.0 255.0.0.0
 ipv6 address 2000:1:1:1234::1/64
 ipv6 address FE80::1 link-local

Sw1#sh ipv6 int brief
Vlan1                      [administratively down/down]
    unassigned
Vlan3                      [up/up]
    FE80::1
    2000:2:2:1234::1
Vlan4                      [up/up]
    unassigned
Vlan5                      [up/up]
    unassigned
Vlan6                      [up/up]
    unassigned
Vlan8                      [up/up]
    unassigned
Vlan10                     [up/up]
    FE80::1
    2000:1:1:1234::1

Sw2:


interface Vlan3
 description Vlan3_trunked
 ip address 10.3.3.2 255.255.255.0
 ipv6 address 2000:2:2:1234::2/64
 ipv6 address FE80::2 link-local
 standby ip 10.3.3.24
 standby name Vlan3

Vlan1                      [administratively down/down]
    unassigned
Vlan3                      [up/up]
    FE80::2
    2000:2:2:2:1234::2
Vlan4                      [up/up]
    Unassigned

Task 3 (RIPng): Enable RIPng for networks on Sw1 and Sw2

Sw1:

interface Vlan3
 description Vlan3_trunked
 ip address 10.3.3.1 255.255.255.0
 ipv6 address 2000:2:2:1234::1/64
 ipv6 address FE80::1 link-local
 ipv6 rip cisco enable (This enables RIP for this interface)
 standby ip 10.3.3.24
 standby priority 2
 standby preempt delay minimum 60
 standby name Vlan3
 standby track FastEthernet0/1

interface Vlan10
 description Vlan10_Leased
 ip address 192.168.10.1 255.255.255.0
 ip summary-address eigrp 100 10.0.0.0 255.0.0.0
 ipv6 address 2000:1:1:1234::1/64
 ipv6 address FE80::1 link-local
 ipv6 rip cisco enable

Sw1#sh ipv6 rip
RIP process "cisco", port 521, multicast-group FF02::9, pid 234
     Administrative distance is 120. Maximum paths is 16
     Updates every 30 seconds, expire after 180
     Holddown lasts 0 seconds, garbage collect after 120
     Split horizon is on; poison reverse is off
     Default routes are not generated
     Periodic updates 3, trigger updates 1
  Interfaces:
    Loopback
    Vlan10
    Vlan3
  Redistribution:
    None

Sw1#sh ipv6 route
IPv6 Routing Table - 5 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
C   2000:1:1:1234::/64 [0/0]
     via ::, Vlan10


C   2000:2:2:2::/64 [0/0]
     via ::, Vlan3
L   2000:2:2:2:1234::1/128 [0/0]
     via ::, Vlan3
L   FE80::/10 [0/0]
     via ::, Null0
L   FF00::/8 [0/0]
     via ::, Null0

Sw2:

interface Vlan3
 description Vlan3_trunked
 ip address 10.3.3.2 255.255.255.0
 ipv6 address 2000:2:2:1234::2/64
 ipv6 address FE80::2 link-local
 ipv6 rip cisco enable
 standby ip 10.3.3.24
 standby name Vlan3

SW2#sh ipv6 rip
RIP process "cisco", port 521, multicast-group FF02::9, pid 234
     Administrative distance is 120. Maximum paths is 16
     Updates every 30 seconds, expire after 180
     Holddown lasts 0 seconds, garbage collect after 120
     Split horizon is on; poison reverse is off
     Default routes are not generated
     Periodic updates 11, trigger updates 1
  Interfaces:
    Vlan3
  Redistribution:
    None

SW2#sh ipv6 route
IPv6 Routing Table - 5 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
R   2000:1:1:1234::/64 [120/2]
     via FE80::1, Vlan3
C   2000:2:2::/64 [0/0]
     via ::, Vlan3
L   2000:2:2:1234::2/128 [0/0]
     via ::, Vlan3
L   FE80::/10 [0/0]
     via ::, Null0
L   FF00::/8 [0/0]
     via ::, Null0

SW2#sh ipv6 route
IPv6 Routing Table - 5 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
R   2000:1:1:1234::/64 [120/2] (This is a RIP network learned)
     via FE80::1, Vlan3
C   2000:2:2::/64 [0/0]
     via ::, Vlan3
L   2000:2:2:1234::2/128 [0/0]
     via ::, Vlan3
L   FE80::/10 [0/0]
     via ::, Null0
L   FF00::/8 [0/0]
     via ::, Null0


SW2#ping 2000:1:1:1234::1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2000:1:1:1234::1, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms
SW2#

Task 4 (OSPFv3): Enable OSPFv3 area 0 between Sw1, R3, R5 and R6. For redundancy OSPF should run over the Leased Ethernet and Frame Relay.

SW1:

interface Vlan10
 description Vlan10_Leased
 ip address 192.168.10.1 255.255.255.0
 ip summary-address eigrp 100 10.0.0.0 255.0.0.0
 ipv6 address 2000:1:1:1234::1/64
 ipv6 address FE80::1 link-local
 ipv6 rip cisco enable
 ipv6 ospf 1 area 0 (This enables an OSPF process in IPV6)

Sw1#sh ipv6 ospf database

  6S/:3 oter with <7 (12.1>9.1!.1) (/rocess <7 1)

  oter $in States (%rea !)

%7 oter %ge Se?# :ragment <7 $in cont ;its1!.3.3.2 292 !-9!!!!!1 ! 2 &one12.1>9.1!.1 29! !-9!!!!!!" ! 1 &one12.1>9.1!. 29" !-9!!!!!!% ! 2 &one12.1>9.1!.> 29 !-9!!!!!! ! 2 &one

  &et $in States (%rea !)

%7 oter %ge Se?# $in <7 tr cont1!.3.3.2 4>1 !-9!!!!!!4 21 312.1>9.1!.1 29" !-9!!!!!!3 2!"9 4

  $in (*pe+9) $in States (%rea !)

%7 oter %ge Se?# $in <7 <nterface1!.3.3.2 3! !-9!!!!!!2 4 l1!12.1>9.1!.1 >22 !-9!!!!!!2 2!"9 l1!12.1>9.1!. 2 !-9!!!!!!1 4 l1!12.1>9.1!.> 13"2 !-9!!!!!!1 4 l1!

  <ntra %rea /refi- $in States (%rea !)

%7 oter %ge Se?# $in <7 ef+lst*pe ef+$S<71!.3.3.2 494 !-9!!!!!!3 ! !-2!!1 !1!.3.3.2 4" !-9!!!!!!3 1!21 !-2!!2 2112.1>9.1!.1 3"3 !-9!!!!!!2 3!"9 !-2!!2 2!"912.1>9.1!. 21 !-9!!!!!! ! !-2!!1 !Sw1#

Sw1#sh ipv6 ospf neighbor

 &eigh5or <7 /ri State 7ead ime <nterface <7 <nterface12.1>9.1!. 1 :=$$B76CE !!0!!03 4 lan1!12.1>9.1!.> 1 :=$$B76CE !!0!!03 4 lan1!


1!.3.3.2 1 :=$$B;7 !!0!!033 4 lan1!Sw1#

Sw1#sh ipv6 route
IPv6 Routing Table - 9 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
C   2000:1:1:1234::/64 [0/0]
     via ::, Vlan10
L   2000:1:1:1234::1/128 [0/0]
     via ::, Vlan10
C   2000:2:2:1234::/64 [0/0]
     via ::, Vlan3
L   2000:2:2:1234::1/128 [0/0]
     via ::, Vlan3
O   2000:3:3:3::3/128 [110/1]
     via FE80::3, Vlan10
O   2000:5:5:5::5/128 [110/1]
     via FE80::5, Vlan10
O   2001:1:1:1234::/64 [110/6]
     via FE80::6, Vlan10
     via FE80::3, Vlan10
     via FE80::5, Vlan10
L   FE80::/10 [0/0]
     via ::, Null0
L   FF00::/8 [0/0]
     via ::, Null0

Sw1#ping 2000:3:3:3::3 (Pinging some of the remote Loopbacks)

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2000:3:3:3::3, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms
Sw1#ping 2000:5:5:5::5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2000:5:5:5::5, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/8 ms
Sw1#

R3:
interface Loopback
 no ip address
 ipv6 address 2000:3:3:3::3/64
 ipv6 address FE80::3 link-local
 ipv6 ospf 1 area 0 (Enables this interface in OSPFv3 for IPv6)

interface FastEthernet0/0
 description Vlan10_Leased
 ip address 192.168.10.3 255.255.255.0
 ip ospf 1 area 0
 delay 1
 duplex auto
 speed auto
 ipv6 address 2000:1:1:1234::3/64
 ipv6 address FE80::3 link-local
 ipv6 ospf 1 area 0

interface Serial0/0/0.2 multipoint
 description Hub-and-spoke-R5-R6
 ip address 172.16.3.3 255.255.255.0
 no ip split-horizon
 ip ospf dead-interval minimal hello-multiplier 4
 ip ospf 1 area 3


     via ::, Loopback
L   2000:3:3:3::3/128 [0/0]
     via ::, Loopback
O   2000:5:5:5::5/128 [110/1]
     via FE80::5, FastEthernet0/0
C   2001:1:1:1234::/64 [0/0]
     via ::, Serial0/0/0.2
L   2001:1:1:1234::3/128 [0/0]
     via ::, Serial0/0/0.2
L   FE80::/10 [0/0]
     via ::, Null0
L   FF00::/8 [0/0]
     via ::, Null0

R3#ping 2000:5:5:5::5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2000:5:5:5::5, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/4 ms
R3#ping 2000:6:6:6::6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2000:6:6:6::6, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/4 ms
R3#

R5:
interface Loopback
 no ip address
 ipv6 address 2000:5:5:5::5/64
 ipv6 address FE80::5 link-local
 ipv6 ospf 1 area 0
interface FastEthernet0/0
 description Vlan10_Leased
 ip address 192.168.10.5 255.255.255.0
 ip ospf 1 area 0
 duplex auto
 speed auto
 ipv6 address 2000:1:1:1234::5/64
 ipv6 address FE80::5 link-local
 ipv6 ospf 1 area 0

interface Serial0/0/0
 description Hub-and-spoke-to-R3-R6
 ip address 172.16.3.5 255.255.255.0
 encapsulation frame-relay
 ip ospf dead-interval minimal hello-multiplier 4
 ip ospf 1 area 3
 ipv6 address 2001:1:1:1234::5/64
 ipv6 address FE80::5 link-local
 ipv6 ospf neighbor FE80::3 priority 255 (Normally we do not need neighbors on the spokes but since we are connecting over Ethernet too it helps stabilize the frame neighbor relationship)
 ipv6 ospf 1 area 0
 frame-relay map ipv6 FE80::3 503 broadcast
 frame-relay map ip 172.16.3.3 503 broadcast
 frame-relay map ip 172.16.3.5 503 broadcast
 frame-relay map ip 172.16.3.6 503 broadcast
 frame-relay map ipv6 2001:1:1:1234::3 503 broadcast
 no frame-relay inverse-arp
 frame-relay lmi-type ansi

R6:

interface Loopback
 no ip address
 ipv6 address 2000:6:6:6::6/64


 ipv6 address FE80::6 link-local
 ipv6 ospf 1 area 0
interface FastEthernet0/0
 description lan10,Leased
 ip address 192.168.10.6 255.255.255.0
 ip ospf 1 area 0
 duplex auto
 speed auto
 ipv6 address 2000:1:1:1234::6/64
 ipv6 address FE80::6 link-local
 ipv6 ospf 1 area 0
interface Serial0/0/0
 description Hub-and-spoke-to-3-5
 ip address 172.16.3.6 255.255.255.0
 encapsulation frame-relay
 ip ospf dead-interval minimal hello-multiplier 4
 ip ospf 1 area 3
 ipv6 address 2001:1:1:1234::6/64
 ipv6 address FE80::6 link-local
 ipv6 ospf 1 area 0
 frame-relay map ipv6 FE80::3 603 broadcast
 frame-relay map ip 172.16.3.3 603 broadcast
 frame-relay map ip 172.16.3.5 603 broadcast
 frame-relay map ip 172.16.3.6 603 broadcast
 frame-relay map ipv6 2001:1:1:1234::3 603 broadcast
 no frame-relay inverse-arp
 frame-relay lmi-type ansi

Task (Redistribution): Redistribute OSPFv3 and RIPng on Sw1 and ping test from Sw2 to ensure all IPv6 networks are reachable.

Sw1:

ipv6 router ospf 1
 ! Redistribution is done from the IPv6 routing process.
 log-adjacency-changes
 redistribute rip cisco metric-type 1
ipv6 router rip cisco
 redistribute ospf 1 metric 2

Sw2:

Sw2#sh ipv6 route
IPv6 Routing Table - 9 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
R   2000:1:1:1234::/64 [120/2]
     via FE80::1, Vlan3
C   2000:2:2:1234::/64 [0/0]
     via ::, Vlan3
L   2000:2:2:1234::2/128 [0/0]
     via ::, Vlan3
R   2000:3:3:3::3/128 [120/3]
     via FE80::1, Vlan3
R   2000:5:5:5::5/128 [120/3]
     via FE80::1, Vlan3
R   2000:6:6:6::6/128 [120/3]
     via FE80::1, Vlan3
R   2001:1:1:1234::/64 [120/3]


     via FE80::1, Vlan3
L   FE80::/10 [0/0]
     via ::, Null0
L   FF00::/8 [0/0]
     via ::, Null0


Day 4

IP Features and Services

IP Tasks

Task 1 (Distributed Director):

There will be a Distributed Director server in the future on R6. Configure R6 for this future implementation on F0/0 to The Director will need to accept the HTTP connections appearing to be the requested web server. The Director determines the host name requested by the client based on the IP address on which the HTTP request arrives.

Task 2 (Web Cache service):

There will be a web-cache service in the future. Configure it so that R6 web users will be redirected to a web-cache server at 192[email protected]0.100


IP Answers

Task 1 (Distributed Director):

There will be a Distributed Director server in the future on R6. Configure R6 for this future implementation on F0/0 to The Director will need to accept the HTTP connections appearing to be the requested web server. The Director determines the host name requested by the client based on the IP address on which the HTTP request arrives.

ip director access-group 1                   ! The IP users are redirected to this IP
ip director access-list 1 permit V^:::.V     ! The interesting traffic being redirected
ip director access-list 1 deny ANY
ip director enable                           ! Enable Director
access-list 1 permit 192[email protected]0.6
access-list 1 deny any

Task 2 (Web Cache service):

There will be a web-cache service in the future. Configure it so that R6 web users will be redirected to a web-cache server at 192[email protected]0.100

R6(config)#ip wccp web-cache
R6(config)#int f0/0
R6(config-if)#ip wccp web-cache redirect out
R6(config-if)#