CCNA Review: Configuration Review o EIGRP … for Cisco 642-902 ROUTE, based on 2010 Official Cert...


Transcript of CCNA Review: Configuration Review o EIGRP … for Cisco 642-902 ROUTE, based on 2010 Official Cert...

Page 1: CCNA Review: Configuration Review o EIGRP … for Cisco 642-902 ROUTE, based on 2010 Official Cert Guide. Chapter 2: EIGRP Overview and Neighbor Relationships CCNA Review: Configuration

Notes for Cisco 642-902 ROUTE, based on 2010 Official Cert Guide.

Chapter 2: EIGRP Overview and Neighbor Relationships

CCNA Review:

Configuration Review
o EIGRP ASNs must match for neighborship
o EIGRP enabled only on matched “network” command interfaces
o Neighbor discovery attempt by multicast 224.0.0.10 Hello
o Advertises connected subnet to neighbors
o No wildcard mask in network command = classful
o All interfaces matching network command are EIGRP enabled
o Address range example, “network 10.1.0.0 0.0.31.255” = all IPs 10.1.0.0 - 10.1.31.255

Verification Review
o 1st confirm which interfaces are EIGRP enabled on each router
    - show ip eigrp interfaces (omits passive)
o Verify neighborships
    - show ip protocols (lists routing processes + neighbors)
o Verify EIGRP topology table: at least one entry for each subnet
    - show ip eigrp neighbors (lists known valid neighbors + interfaces)
    - show ip eigrp topology (lists successor / FS)
o Verify routes
    - show ip route (displays routing table)

Internals Review
o EIGRP process of adding routes to the routing table:
    - Neighbor discovery via Hello packets
    - Topology exchange: full update on neighborship, then partial based on topology changes
    - Choosing routes by each router calculating the lowest-metric route to each subnet
o EIGRP topology exchange:
    - Sent via RTP (Reliable Transport Protocol) via multicast 224.0.0.10


o Calculating the Best Routes:
    - EIGRP topology includes subnet + mask + EIGRP composite metric
    - EIGRP uses only bandwidth and delay by default, but can use interface load + reliability (not recommended by Cisco)
    - Default metric = ( (10^7/least-bandwidth) + cumulative delay ) * 256
    - least-bandwidth = slowest link in the route
    - configurable via bandwidth and delay interface commands
o EIGRP Features:
    - Transport: IP Protocol 88 (not TCP or UDP)
    - Hold Timer: determines when neighbor has failed
    - MD5 authentication only
    - Route Tags allow EIGRP to tag routes for redistribution
    - Supports manual and automatic route summarization
    - Supports IP, IPX, AppleTalk, and IPv6

EIGRP Neighborships:

Establish neighborships, exchange topology, calculate best route

Manipulating EIGRP Hello and Hold Timers:
o Default Hold Time: LAN=15s, T1+FrameRelay=60s
o Timers can be changed per sub/interface and per EIGRP process
o Configuring Hello/Hold Timers:
    - Timers do not have to match between routers (but it’s a good idea)
    - Hello/Hold does not have to be 1:3 (but it’s a good idea)
    - interface command ip hello-interval eigrp ASN x (x=seconds) tells router to send Hellos every x seconds
    - interface command ip hold-time eigrp ASN x (x=seconds) tells neighbors to use x-second hold time with regard to the sending router


o Verifying the Hello/Hold Timers:
    - show ip eigrp interfaces detail int displays Hello timer
    - use show ip eigrp neighbors command repeatedly to guess at the Hold timer setting. Use show running-config (if available) for definite answer

Preventing Unwanted Neighbors Using Passive Interfaces:
o Purpose: to advertise the subnet without creating EIGRP neighborship
o use passive-interface EIGRP subcommand

    router eigrp 1
     passive-interface fa0/1
     network x.x.x.x

    router eigrp 1
     passive-interface default
     no passive-interface f0/1
     network x.x.x.x

o still use the EIGRP network subcommand
o Alternative option: don’t use EIGRP and redistribute the subnet (not preferred)
o show ip eigrp interfaces hides passive, show ip protocols lists them
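An added example, not part of the original notes: a small Python audit that applies the network/wildcard matching and passive-interface rules above to a running-config and reports which EIGRP-enabled interfaces would form neighborships without MD5 authentication (the ip authentication commands covered in the next section of these notes). The sample config, the key-chain name CORE and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample (not from the page); interface names are unabbreviated on purpose.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 CORE
!
interface FastEthernet0/1
 ip address 10.1.20.1 255.255.255.0
!
interface Serial0/0/0
 ip address 10.1.30.1 255.255.255.252
!
interface Serial0/0/1
 ip address 10.1.40.1 255.255.255.252
!
router eigrp 1
 passive-interface FastEthernet0/1
 network 10.1.0.0 0.0.31.255
"""


def classful_wildcard(net):
    """Wildcard implied when a network command has no wildcard mask (classful)."""
    first_octet = int(net) >> 24
    host_bits = 24 if first_octet < 128 else 16 if first_octet < 192 else 8
    return ipaddress.IPv4Address((1 << host_bits) - 1)


def network_matches(ip, net, wildcard):
    """True when ip equals net in every bit the wildcard leaves as 0 (must match)."""
    care = ~int(wildcard) & 0xFFFFFFFF
    return int(ip) & care == int(net) & care


def parse_config(text):
    """Collect the interface and 'router eigrp' lines the audit needs."""
    interfaces, processes, section = {}, {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0] == "!":
            continue
        if not raw[0].isspace():  # an unindented line opens a new section
            if words[0] == "interface" and len(words) == 2:
                section = interfaces.setdefault(
                    words[1], {"ip": None, "md5": set(), "chain": set()})
            elif words[:2] == ["router", "eigrp"] and len(words) == 3:
                section = processes.setdefault(words[2], {
                    "networks": [], "passive_default": False,
                    "passive": set(), "active": set()})
            else:
                section = None
        elif section is None:
            continue
        elif "ip" in section:  # interface subcommands (secondary addresses are skipped)
            if words[:2] == ["ip", "address"] and len(words) == 4:
                section["ip"] = ipaddress.IPv4Address(words[2])
            elif words[:4] == ["ip", "authentication", "mode", "eigrp"] and words[5:] == ["md5"]:
                section["md5"].add(words[4])
            elif words[:4] == ["ip", "authentication", "key-chain", "eigrp"] and len(words) == 6:
                section["chain"].add(words[4])
        elif words[0] == "network" and len(words) in (2, 3):  # router eigrp subcommands
            net = ipaddress.IPv4Address(words[1])
            wildcard = ipaddress.IPv4Address(words[2]) if len(words) == 3 else classful_wildcard(net)
            section["networks"].append((net, wildcard))
        elif words == ["passive-interface", "default"]:
            section["passive_default"] = True
        elif words[0] == "passive-interface" and len(words) == 2:
            section["passive"].add(words[1])
        elif words[:2] == ["no", "passive-interface"] and len(words) == 3:
            section["active"].add(words[2])
    return interfaces, processes


def audit(text):
    """Return {(asn, interface): status} for every interface a network command matches."""
    interfaces, processes = parse_config(text)
    report = {}
    for asn, proc in processes.items():
        for name, intf in interfaces.items():
            if intf["ip"] is None or not any(
                    network_matches(intf["ip"], n, w) for n, w in proc["networks"]):
                continue  # no network command matches: EIGRP is not enabled here
            passive = name in proc["passive"] or (proc["passive_default"] and name not in proc["active"])
            if passive:
                status = "passive"        # subnet advertised, no Hellos, no neighbors
            elif asn in intf["md5"] and asn in intf["chain"]:
                status = "authenticated"  # both interface commands from the checklist present
            else:
                status = "open"           # Hellos sent and any neighbor on the subnet accepted
            report[(asn, name)] = status
    return report


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Serial0/0/1 is absent from the report because 10.1.40.1 falls outside 10.1.0.0 - 10.1.31.255; Serial0/0/0 is the finding, matched by the network command but neither passive nor authenticated.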

Controlling Neighborships Using EIGRP Authentication
o When configured with MD5 authentication, if the PSK doesn’t match, the router discards the EIGRP packet
o EIGRP Authentication Configuration Checklist:
    - Create a key chain with key chain name global command (name does not have to match between routers)
    - Enter key number command (does not have to match between routers)
    - Define key value with key-string value command (strings MUST match between routers)
    - Optionally define key lifetime
        accept-lifetime 09:00:00 Aug 07 2012 09:00:00 Aug 30 2012
        send-lifetime 09:00:00 Aug 07 2012 09:00:00 Aug 30 2012
    - Enable EIGRP MD5 authentication on an interface: ip authentication mode eigrp ASN md5
    - Refer to correct keychain: ip authentication key-chain eigrp ASN name-of-chain
o Key Chain Time-Based Logic Rules:
    - Sending EIGRP messages: use lowest-numbered key among all currently valid keys
    - Receiving EIGRP messages: check MD5 digest using all currently valid keys
    - When using time-based keys, router clocks should be synchronized with NTP
    - show key chain and debug eigrp packet to troubleshoot neighborship authentication
    - “invalid authentication” = wrong string
    - “missing authentication” = no MD5
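An added example (not from the original notes) that models the two time-based key rules as stated above and shows why clock skew during a hard key rollover makes both routers discard each other's packets, while overlapping accept-lifetimes tolerate it. The key strings, the two-minute skew and the digest stand-in (plain keyed MD5, not the EIGRP packet format) are assumptions; both routers use the same key chain.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Key:
    number: int
    string: bytes
    accept: tuple  # (start, end) of accept-lifetime
    send: tuple    # (start, end) of send-lifetime


def in_window(window, now):
    start, end = window
    return start <= now <= end


def digest(key, packet):
    # Stand-in keyed MD5 for illustration only; not the EIGRP wire format.
    return hashlib.md5(packet + key.string).digest()


def sign(chain, packet, now):
    """Sending rule: lowest-numbered key whose send-lifetime is valid right now."""
    usable = [k for k in chain if in_window(k.send, now)]
    if not usable:
        return None, None  # no valid send key: nothing to authenticate with
    key = min(usable, key=lambda k: k.number)
    return key.number, digest(key, packet)


def accepts(chain, packet, tag, now):
    """Receiving rule: check the digest against every key whose accept-lifetime is valid."""
    if tag is None:
        return False
    return any(in_window(k.accept, now) and hmac.compare_digest(digest(k, packet), tag)
               for k in chain)


def exchange(chain, clock_a, clock_b, packet=b"hello"):
    """Routers A and B share one key chain but read different clocks.

    Returns (B accepts A's packet, A accepts B's packet).
    """
    _, tag_a = sign(chain, packet, clock_a)
    _, tag_b = sign(chain, packet, clock_b)
    return accepts(chain, packet, tag_a, clock_b), accepts(chain, packet, tag_b, clock_a)


# Constructed rollover built around the lifetime values shown in the notes.
T0 = datetime(2012, 8, 7, 9, 0, 0)
T1 = datetime(2012, 8, 30, 9, 0, 0)
T2 = datetime(2012, 9, 30, 9, 0, 0)
DAY = timedelta(days=1)

# Hard cutover: key 1 stops and key 2 starts at the same instant.
HARD = [Key(1, b"old-secret", (T0, T1), (T0, T1)),
        Key(2, b"new-secret", (T1, T2), (T1, T2))]
# Overlap: same send-lifetimes, accept-lifetimes widened by a day on each side.
OVERLAP = [Key(1, b"old-secret", (T0, T1 + DAY), (T0, T1)),
           Key(2, b"new-secret", (T1 - DAY, T2), (T1, T2))]

A_NOW = T1 + timedelta(seconds=30)   # router A's clock is correct
B_NOW = A_NOW - timedelta(minutes=2)  # router B runs two minutes slow

if __name__ == "__main__":
    print("hard cutover, skewed :", exchange(HARD, A_NOW, B_NOW))
    print("overlap, skewed      :", exchange(OVERLAP, A_NOW, B_NOW))
    print("hard cutover, synced :", exchange(HARD, A_NOW, A_NOW))
```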


Controlling Neighborships with Static Configuration
o Configuring Static Neighbors:
    - Must be configured on both routers
    - EIGRP router subcommand: neighbor remote-ip local-outgoing-interface
    - Routers must be on same subnet
    - Verify with show ip eigrp neighbors detail command
o Caveat: Static neighbors remove multicast and use unicast instead, so all neighbors on the subnet must be statically configured; no dynamic multicast discovery

Configuration Settings That Could Prevent Neighbor Relationships
o Requirements:
    - Routers must be able to send/receive IP packets
    - Interface primary IP must be in same subnet
    - Must not be passive on connected interface
    - Must use same EIGRP ASN
    - Must pass neighbor authentication (if configured)
    - K-values must match
o Configuring EIGRP Metric Components (K-values):
    - metric weights EIGRP command
o EIGRP Router ID:
    - eigrp router-id a.b.c.d
    - highest IPv4 address on up/up loopback interface
    - highest IPv4 address on up/up non-loopback interface
    - Only needs to be unique for injecting external routes into EIGRP

Neighborship over WANs: Frame Relay / Layer 2
o PVC must exist between two routers
o Needs “pseudo-broadcast” on subinterface - frame-relay map ip IP DLCI broadcast

Neighborship over WANs: MPLS VPN / Layer 3
o CE router establishes neighborship with PE router

Neighborship over WANs: Metro Ethernet / Layer 2
o Works like a VLAN, all routers become neighbors

Chapter 3: EIGRP Topology, Routes and Convergence

Building the EIGRP Topology Table:

Seeding the EIGRP Topology Table
o EIGRP needs local data to start with
o Source: interfaces enabled with EIGRP network command
o Source: connected subnets referenced with EIGRP neighbor command
o Source: prefixes learned through routing protocol redistribution
o Once the sources are added to the topology table, EIGRP advertises it to neighbors


The Content of EIGRP Update Message
o EIGRP protocol messages: Hello, Update, Query, Reply, ACK
o Update message contains Prefix, Prefix Length, Metric components (bandwidth, delay, reliability, load), Non-metric components (MTU, hop count)
o Neighbor Update Stages:
    - First (originating) router uses Update message to transfer subnet information to a connected neighbor
    - Second router (connected neighbor) receives the update and changes the information before adding it to its own topology table:
        - The interface which the Update was received on becomes the outgoing interface to the route in the topology table
        - The delay of the interface is added to the existing delay
        - The lowest bandwidth in the path is updated in the topology table
        - The highest load, lowest reliability and lowest MTU are added
        - The hop count is incremented by 1
        - The router sends the new information in an Update to its neighbors

The EIGRP Update Process
o Full topology exchange when neighbor first comes up
o No periodic re-flooding of topology information, only updates when necessary
o Only partial updates containing routes that have changed are transmitted
o When a neighbor fails, then recovers, the full topology update is transmitted
o Split Horizon is in effect by default on most interfaces
o When sending Updates via multicast, a unicast ACK is expected in return

WAN Issues for EIGRP Topology Exchange
o Split Horizon Default on Frame Relay Multipoint Subinterfaces
    - EIGRP routers must be Layer 2 adjacent to form neighborships
    - Turn off EIGRP split horizon (enabled by default) with interface subcommand no ip split-horizon eigrp ASN
    - To display split horizon state of interface, view config or debug ip eigrp to see when prefixes are not advertised out an interface due to split horizon


o EIGRP WAN Bandwidth Control
    - Only up to 50% of a link’s bandwidth (set by bandwidth command) is used for EIGRP update messages by default
    - Change default with ip bandwidth-percent eigrp ASN 00 (00 = percent) interface subcommand
    - Must be set individually on physical interface and particular subinterfaces
    - Bandwidth recommendations:
        - Set p2p links to the speed of the CIR of the single PVC subinterface
        - Set p2mp links to the speed of the total CIR of all VCs on subinterface
        - For multipoint subinterfaces, IOS divides subinterface bandwidth by total of all PVCs, then determines EIGRP bandwidth from there

Building the IP Routing Table:

Calculating the Metrics: Feasible Distance and Reported Distance
o Feasible Distance = calculated route from the local router’s perspective
o Reported Distance (aka Advanced Distance) = calculated route from the perspective of the router that reported the route (used when converging to new routes)
o The route with the lowest feasible distance among all possible routes is added to the routing table

EIGRP Metric Tuning
o Configuring Bandwidth and Delay
    - bandwidth values are Kb/s, delay values are 10s of µs
    - Default Bandwidth / Delay:
        - Serial: 1544 / 2000
        - GigE: 1,000,000 / 10
        - FastE: 100,000 / 100
        - Ethernet: 10,000 / 1000
o Choosing Bandwidth Settings on WAN Subinterfaces
    - When changing to influence routes, prefer changing delay because bandwidth is used for other things like QoS
o Metric Weights (K-Values)
    - configure with metric weights 0 k1 k2 k3 k4 k5 EIGRP command, k1-k5 range 0-255, default k1=1, k2=0, k3=1, k4=0, k5=0
    - Cisco recommends against changing k2, k4 and k5, which include interface load and reliability whose values change over time and cause new EIGRP topology updates which may cause routers to keep changing routes and cause route flapping
    - As of IOS 12.3(2)T when a router is purposefully breaking the neighborship (such as reload, clear ip eigrp neighbors, etc), the router sends one final Hello containing K-values set to 255 to purposefully break the neighborship so that the neighbors don’t have to wait for the holddown timeout (goodbye message / graceful shutdown)


o Offset Lists
    - Let you add an integer value to the FD/RD of specific routes
        - 1: Match specific route with IP ACL permit
            o ex: access-list 11 permit 10.11.1.0 (regardless of prefix length)
            o ex: access-list 111 permit ip host 10.11.1.0 host 255.255.255.0 (matches prefix exactly)
        - 2: Match direction of Update message (sent/out or received/in)
        - 3: Match interface of Update message
        - 4: Set the integer metric added to the route
    - Format for EIGRP subcommand: offset-list {ACL # or name} {in or out} offset interface
        - ex: offset-list 11 in 3 s0/0/0.1 references ACL 11 incoming, adds 3 to the FD/RD metric on subinterface s0/0/0.1

Optimizing EIGRP Convergence:

Fast Convergence to Feasible Successors
o Successor and Feasible Successor Concepts
    - When multiple routes exist to a subnet, the smallest calculated FD is used and entered as the successor route, with the next hop router being the successor
    - Feasible successors (backup routes) are calculated by testing the feasibility condition
    - RD must be less than FD -- if larger, a loop can occur
o Verification of Feasible Successors
    - show ip eigrp topology command only lists successor and FS routes
    - show ip eigrp topology all-links command lists all possible routes
    - Because RD must be less than FD (and can’t be equal), routes with identical metrics must be altered with offset-list, for example

Converging By Going Active
o Process of finding new routes when a route fails and no FS exists:
    - 1: Change state of route from passive to active
    - 2: Send EIGRP query messages to all neighbors except for failed to find a loop-free route
    - 3: If the neighbor reports a passive route, it is loop-free
    - 4: If the neighbor is also active, it does not send an EIGRP Reply until it has a loop-free route
    - 5: After a router receives a Reply for a loop-free route, it can send its own Reply messages
    - 6: When a Reply for all Query messages is received, the router can safely use the best of the available loop-free routes
o The Impact of Stub Routers on Query Scope
    - EIGRP stub routers do not advertise EIGRP-learned subnets to other EIGRP routers
    - Non-stub EIGRP routers note which routers are EIGRP stub routers, and do not send EIGRP Query messages to the stub routers


    - eigrp stub x (x below):
        - connected - advertise connected routes matched with network
        - summary - advertise auto- or static- summary routes
        - static - advertise static routes if redistribute static command is issued
        - redistributed - advertise redistributed routes, if configured
        - receive-only - do not advertise any routes (negates all other options)
        - connected & summary are the defaults
o The Impact of Summary Routes on Query Scope
    - When a router receives a Query for a specific route, but only has a summary route to the specific route, the router sends a Reply and does not Query its neighbors
o Stuck in Active
    - EIGRP waits a default of 3 minutes for a Reply to a Query
    - adjustable via timers active-time x (x=minutes) EIGRP subcommand
    - If EIGRP does not receive a timely reply, the route is Stuck In Active
    - Starting with IOS 12.2, at the timer half-point, a SIA-Query is sent. If the neighbor replies, the router waits, otherwise the neighborship fails

Unequal Metric Route Load Sharing
o Provides instant convergence
o Requires two commands:
    - maximum-paths x = total number of routes to the same subnet
    - variance x (x = 1 - 128) Router takes FD*x, any matching routes less than that value can be used for load balancing (and are considered equal), up to the maximum-paths amount
o Uses only FS routes
o Use show ip protocols to verify
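An added worked example, not part of the original notes, that carries the default metric formula, the feasibility condition (RD < FD) and the variance rule through one constructed topology. The three neighbors R2, R3, R4 and their bandwidth (Kb/s) and delay (tens of µs) values are assumptions chosen so that one path is a feasible successor and one is not.

```python
def metric(min_bw_kbps, delay_tens_us):
    """Default composite metric from the notes:
    ((10^7 / least-bandwidth) + cumulative delay) * 256, using integer division."""
    return (10**7 // min_bw_kbps + delay_tens_us) * 256


def candidate_paths(reports):
    """reports: (neighbor, link_bw, link_delay, reported_min_bw, reported_delay) tuples.

    The local router lowers the path bandwidth to its own link if that is slower
    and adds its own interface delay, as described for Update processing.
    """
    paths = []
    for via, link_bw, link_delay, nbr_bw, nbr_delay in reports:
        paths.append({
            "via": via,
            "rd": metric(nbr_bw, nbr_delay),  # distance as the neighbor computed it
            "metric": metric(min(link_bw, nbr_bw), link_delay + nbr_delay),
        })
    return sorted(paths, key=lambda p: p["metric"])


def classify(paths):
    """Return (FD, successor, [feasible successors]) for one subnet."""
    fd = paths[0]["metric"]
    feasible = [p["via"] for p in paths[1:] if p["rd"] < fd]  # feasibility condition
    return fd, paths[0]["via"], feasible


def installed_routes(paths, variance, maximum_paths):
    """Next hops placed in the routing table for the given variance and maximum-paths."""
    fd, successor, feasible = classify(paths)
    chosen = [successor]
    for p in paths[1:]:
        equal_cost = p["metric"] == fd
        within_variance = p["metric"] < fd * variance
        if p["via"] in feasible and (equal_cost or within_variance):
            chosen.append(p["via"])
    return chosen[:maximum_paths]


# Constructed reports for one subnet as seen by the local router.
REPORTS = [
    ("R2", 100_000, 10, 100_000, 20),   # fast link, fast path
    ("R3", 10_000, 100, 100_000, 10),   # slow local link, but R3 itself is close
    ("R4", 100_000, 10, 1_544, 2_100),  # fast local link, T1 further along the path
]
PATHS = candidate_paths(REPORTS)

if __name__ == "__main__":
    for p in PATHS:
        print(p)
    print(classify(PATHS))
    print(installed_routes(PATHS, variance=9, maximum_paths=4))
```

R4 is never installed, even with variance 128, because its RD is not below the FD; that is the "uses only FS routes" rule in action.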


Chapter 4: EIGRP Route Summarization and Filtering

Route Filtering:

Filtering By Referencing ACLs
o 1: create standard ACL denying the desired routes
    - access-list 1 deny 10.10.10.0 0.0.0.255
    - access-list 1 permit any
o 2: reference ACL with distribute-list in router config mode
    - distribute-list {ACL} {direction} {optional interface}
    - distribute-list 1 out s0/0/0.1

Filtering By Referencing IP Prefix Lists
o IP Prefix List Concepts
    - permit or deny indicates whether or not a route is matched
    - ip prefix-list list-name [seq value] {deny | permit prefix/length} [ge value] [le value]
    - ge value is >=
    - le value is <= up to 32
    - no ge/le value = exact route match
    - both ge/le value = range
    - only ge = ge through 32
    - only le = prefix through le
o Using IP Prefix Lists to Filter EIGRP Routes
    - distribute-list prefix list-name direction optional-interface
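An added example, not part of the original notes, that implements the ge/le matching rules listed above and evaluates routes against a prefix list in sequence order. It shows the filtering pitfall that an entry without ge/le matches only the exact prefix length, so a more-specific route slips past a deny. The list name EIGRP-OUT and the routes are constructed; the implicit deny at the end of a prefix list and the step-of-5 automatic sequence numbering are standard IOS behaviour that the notes do not spell out.

```python
import ipaddress


def parse_prefix_list(lines):
    """Parse 'ip prefix-list NAME [seq N] {permit|deny} prefix/len [ge X] [le Y]' lines."""
    entries, last_seq = [], 0
    for line in lines:
        words = line.split()
        if words[:2] != ["ip", "prefix-list"] or len(words) < 5:
            raise ValueError(f"not a prefix-list entry: {line!r}")
        rest = words[3:]                       # words[2] is the list name
        if rest[0] == "seq":
            seq, rest = int(rest[1]), rest[2:]
        else:
            seq = last_seq + 5                 # IOS numbers unsequenced entries in steps of 5
        last_seq = seq
        action, prefix = rest[0], ipaddress.ip_network(rest[1])
        opts = dict(zip(rest[2::2], map(int, rest[3::2])))  # e.g. {"ge": 30}
        ge, le = opts.get("ge"), opts.get("le")
        if ge is None and le is None:
            low = high = prefix.prefixlen      # no ge/le: exact length only
        else:
            low = prefix.prefixlen if ge is None else ge   # only le: prefix through le
            high = 32 if le is None else le                # only ge: ge through 32
        if action not in ("permit", "deny") or not prefix.prefixlen <= low <= high <= 32:
            raise ValueError(f"bad entry: {line!r}")
        entries.append((seq, action, prefix, low, high))
    return sorted(entries, key=lambda e: e[0])


def evaluate(entries, route):
    """Return (action, seq) of the first matching entry; ('deny', None) is the implicit deny."""
    net = ipaddress.ip_network(route)
    for seq, action, prefix, low, high in entries:
        # The route's length must fall in [low, high] and its leading bits must equal the prefix.
        if low <= net.prefixlen <= high and net.subnet_of(prefix):
            return action, seq
    return "deny", None


def advertised(entries, routes):
    """Routes that survive 'distribute-list prefix ... out' with this list."""
    return [r for r in routes if evaluate(entries, r)[0] == "permit"]


# Constructed prefix list and candidate routes.
EIGRP_OUT = parse_prefix_list([
    "ip prefix-list EIGRP-OUT seq 5 deny 10.10.10.0/24",        # exact /24 only
    "ip prefix-list EIGRP-OUT seq 10 deny 10.11.0.0/16 ge 30",  # /30../32 inside 10.11/16
    "ip prefix-list EIGRP-OUT seq 15 permit 0.0.0.0/0 le 32",   # everything else
])
ROUTES = ["10.10.10.0/24", "10.10.10.128/25", "10.11.1.0/30", "10.11.1.0/24", "0.0.0.0/0"]

if __name__ == "__main__":
    for r in ROUTES:
        print(r, evaluate(EIGRP_OUT, r))
```

10.10.10.128/25 is permitted by sequence 15 even though it sits inside the denied 10.10.10.0/24; blocking the more-specifics as well needs an le on the deny entry.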

Filtering By Using Route Maps
o Route Map Concepts
    - Route Maps stop processing the route as soon as it is matched, even if there are more route map commands following
    - Route Maps can reference ACLs and prefix lists, but if they deny a route, the route map determines the statement to be non-matching and processes the next route map statement
    - The route-map command has an implicit deny all at the end. To permit all, use a permit action with no match
o Using Route Maps to Filter EIGRP Routes
    - distribute-list route-map name direction optional-interface
    - route-map name {deny | permit} optional-seq
    - match ip address {prefix-list name | ACL}

Route Summarization:

Route Summarization Design
o Calculating Summary Routes
    - Subnet math, invert mask to find range
    - Take care that the subnet is valid. For example, 10.10.16.0/19 is not a subnet, but in the range of 10.10.0.0 - 10.10.31.255


o Choosing Where to Summarize Routes
    - EIGRP supports summarization on any router (unlike OSPF)
    - Summarize where keeping the routing tables smaller will help to keep the internetwork more efficient (generally closer to the sources)
o Influencing the Choice of Best Route for Summary Routes
    - Properly setting interface bandwidths aids in proper metrics for summary routes (for example, two PVCs to the same router with different CIRs)
o Suboptimal Forwarding with Summarization
    - EIGRP does not report a summary route as failed unless all subordinate routes have failed
    - Due to this type of failure, a packet’s path may be longer than if summarization was not used
o Route Summarization Benefits and Trade-Offs
    - Benefits:
        - Smaller routing tables
        - Reduces Query scope as EIGRP stops at the router containing the summary route
        - EIGRP summarization at any point in the internetwork
        - Summary metric is best of summarized subnets
    - Tradeoffs:
        - Can cause suboptimal routing
        - Packets destined for an unreachable subnet are forwarded to the summarizing router before being discarded

Configuring EIGRP Route Summarization
o Interface subcommand: ip summary-address eigrp ASN subnet mask {optional administrative distance - default 5}
o Upon configuration, the router re-forms EIGRP neighborships on the interface
o The advertising router adds the summary route to its own routing table with the outgoing interface null0

Auto-Summary
o Auto-summary does not support discontiguous networks
o Disable with EIGRP command no auto-summary
o Has no effect on routers that connect to a single classful network

Default Routes:

Default Routing to the Internet Router
o Internet-facing router advertises a default route to the rest of the EIGRP internetwork
o Each EIGRP router creates its own default route to the next hop router

Default Routing Configuration With EIGRP
o Advertising Static Default Routes With EIGRP
    - Create a static route with ip route 0.0.0.0 0.0.0.0 interface
    - Inject the route into EIGRP with network 0.0.0.0 or redistribution


o Configuring a Default Network
    - Determine a subnet that can be used for the default route and use the EIGRP network command to enter it
    - Use global command ip default-network subnet - MUST be classful
    - Most often a classful loopback network is created on the default router for the purpose of acting as the default gateway for the internetwork - all routers forward packets to the gateway. The gateway then forwards the packets to the next destination (i.e. Internet)
    - The default gateway itself does not recognize its own ip default-network as the default gateway for the network

Chapter 5: OSPF Review and Neighbor Relationships

OSPF Review:

OSPF Link State Concepts
o Neighbor discovery is similar to EIGRP
o Each router stores its own Link State Database, which includes:
    - Existence of each router via Router ID
    - Each router interface, IP, subnet and mask
    - List of routers reachable by each router on each interface
o Each router independently runs SPF to calculate routes

OSPF Configuration Review
o Process IDs do not have to match between routers for neighborship
o Enabled only on interfaces matched by network command - OSPF neighbor discovery attempted via multicast Hello
o IOS lists the entered network commands in the config file in order of most specific
o The first network command in the config that matches an interface determines which area the OSPF router belongs
o OSPF Router ID Config:
    - 1: Use the router ID defined in router-id x.x.x.x OSPF subcommand
    - 2: Use the highest IP of any up/up loopback interface (does not require OSPF to be enabled on the interface)
    - 3: Use the highest IP of any up/up non-loopback interface (does not require OSPF to be enabled on the interface)

OSPF Verification Review
o Confirm which interfaces have OSPF enabled on each router
    - show ip ospf interface brief (omits passive interfaces)
    - show ip protocols (list contents of network commands + passive interfaces)
o Determine if intended OSPF neighborships are up and working
    - show ip ospf neighbor lists known neighbors and state. Does not list failed neighborships due to mismatched settings
o Examine topology table to confirm that non-ABRs have topology for only the single area for which they belong
    - show ip ospf database lists LSAs for all connected areas


o Verify all intended routes are known
    - show ip route

OSPF Feature Summary
o Transport: uses IP protocol 89 (not TCP or UDP)
o Metric: Based on cumulative cost of all outgoing interfaces in a route, but can be set explicitly
o Update Multicast address: 224.0.0.5 = all SPF routers, 224.0.0.6 = all DRs
o Supports MD5 and clear text authentication
o Route tags allow OSPF to tag routes for redistribution
o Next-hop field: supports advertisement of routes with a different next-hop router than the advertising router
o Manual route summarization allows summarization at ABRs only

OSPF Neighbors and Adjacencies on LANs:

Enabling OSPF Neighbor Discovery on LANs
o OSPF attempts multicast Hello neighbor discovery when an interface has been enabled via OSPF network or interface ip ospf area as long as the interface is not passive via OSPF passive-interface
o Hello is sent to 224.0.0.5 and has many parameters including:
    - OSPF Router ID
    - Stub area flag
    - Hello / Dead Interval
    - Subnet Mask
    - List of reachable neighbors on the interface
    - Area ID
    - Router priority
    - DR / BDR IPs
    - Authentication digest
o Like EIGRP, with OSPF passive-interface, routes are still advertised, but neighborship is not attempted
o ip ospf process-id area area-id enables OSPF directly on the interface (instead of using a network command)

Settings That Must Match for OSPF Neighborship
o Optimizing Convergence Using Hello and Dead Timers
    - Default Hello 10 / Dead 40
    - Dead timer is automatically set to 4x the Hello timer, unless manually specified
    - ip ospf hello-interval x (x=seconds)
    - ip ospf dead-interval x
    - ip ospf dead-interval minimal hello-multiplier multiplier sets dead-interval to one second, and hello to fraction of multiplier
    - Upon changing values, the neighborships fail after the dead timers count down


o Using a Unique OSPF Router-ID
    - OSPF prevents neighborships with duplicate IDs -- must be unique domain-wide
    - OSPF will not start without a RID
    - If duplicate IDs are used, different routers will form neighborships differently depending on when the routers are powered on
o Using the Same IP MTU
    - From a design standpoint, the MTU on all Layer-2 adjacent devices should match
    - ip mtu value interface command
    - Routers won’t exchange topology with mismatched MTUs
o OSPF Authentication
    - Authentication Type 0: ip ospf authentication null
    - Authentication Type 1: clear text
        - ip ospf authentication
        - ip ospf authentication-key key-value
    - Authentication Type 2: md5
        - ip ospf authentication message-digest
        - ip ospf message-digest-key key-number md5 key-value (max 16 chars)
    - Keys must be configured per interface
    - Can be configured area-wide with area num authentication [message-digest] - individual interface setting overrides
    - debug ip ospf adj shows when authentication mismatch occurs
    - No key lifetimes like with EIGRP, but multiple keys can be configured

OSPF Neighbors and Adjacencies on WANs:

OSPF Network Types
o Set per interface/subinterface
o ip ospf network type [type=broadcast, non-broadcast, point-to-multipoint, point-to-point]

OSPF Neighborship Over Point-to-Point Links
o No special commands need to be issued

Neighborship on MPLS VPN
o OSPF neighborship is formed with the PE router, not CE routers on the other side of the cloud

Neighborship on Metro Ethernet
o Neighborship forms between individual routers


Chapter 6: OSPF Topology, Routes, and Convergence

LSAs and the OSPF Link State Database:

LSA Type 1: Router LSA
o Each router creates a Type 1 LSA to represent itself
o Lists RID and all interface IPs for the single area
o ABRs create a separate Type 1 LSA for each connected area
o Each router in an area has a copy of every router’s Type 1 LSA
o Interfaces with no elected DR list the interface’s subnet number & mask and OSPF cost (these are OSPF stub networks)
o Interfaces with an elected DR list the IP of the DR and a note that the link attaches to a transit network (LSA Type 2)
o Interfaces with reachable neighbors but no DR list the neighbor’s RID
o Link State Identifier (LSID) = RID
o Recommended to set the RID to a stable predictable value via either loopback interface or OSPF router-id value command

LSA Type 2: Network LSA
o Background on DRs
    - The LSDB requires links exist only between a pair of nodes
    - OSPF uses a DR to create and flood Type 2 LSAs for a subnet
    - DRs aid in the process of LSDB exchange over a subnet
    - DR / BDR Election Process (based on Hello messages):
        - Choose router with highest priority (default 1, max 255, set with ip ospf priority value int command, 0=ineligible for DR or BDR)
        - If tied on priority use router with highest RID
        - Choose BDR based on next-highest priority / RID
        - If a DR / BDR exist, no re-election takes place, even if a better priority / RID appears
        - If the DR fails, the BDR becomes the DR. A new election takes place to determine the new BDR.
        - If the BDR fails, a new BDR is elected while the DR remains unchanged
        - If the DR fails, then comes back online, it does not become the DR again automatically
o Type 2 Network LSA Concepts
    - OSPF Type 2 LSAs are used on multiaccess networks where more than two routers are connected to the same subnet
    - Each router’s Type 1 LSA lists a connection to the Type 2 LSA, called a pseudonode or transit network
    - The Type 2 LSA lists a reference back to each Type 1 router LSA in the subnet
    - The DR creates the Type 2 LSA for the subnet and assigns an LSID of the DR’s int IP of the subnet, and lists the DR’s RID as the advertising router
    - With a database of Type 1 and Type 2 LSAs, the SPF process can model the topology within a single area


o Type 2 LSA Show Commands
    - show ip ospf database displays a separate line for each LSA
    - show ip ospf database router IP displays the details of a router’s LSAs, including reference to Type 2 Transit Network link
    - show ip ospf database network DR-IP displays the details of the Type 2 LSA

LSA Type 3: Summary LSA
o ABRs do not forward Type 1 & 2 LSAs between areas
o ABRs generate a Type 3 Summary LSA for each connected area (subnet), and advertise to each area the Type 3 Summary LSA
o Type 3 LSAs contain an LSID of the subnet, the advertising ABR’s RID, and the subnet mask

Limiting the Number of LSAs
o The number of LSAs a Cisco router can learn is not limited by default
o max-lsa value OSPF subcommand limits the number of LSAs
o When the max value has been reached, the router issues a log message, then ignores new LSAs for a period of time. The process then repeats. Eventually, the router dumps its LSDB and starts over

Summary of Internal LSA Types
o Type 1, 2, and 3 LSAs are all internal to the OSPF domain. Type 4, 5 and 7 are used with external routes redistributed into OSPF
o Type 1 LSA: Router > represents individual router > show ip ospf database router > LSID = RID > created by each router
o Type 2 LSA: Network > represents the subnet in which the DR exists > show ip ospf database network > LSID = IP of DR > created by DR
o Type 3 LSA: Summary > represents a subnet in another area > show ip ospf database summary > LSID = subnet number > created by an ABR

The Database Exchange Process:

OSPF Message and Neighbor State Reference
o OSPF Message Types and Functions
    - 1: Hello: Used to discover neighbors, supply info to confirm two routers should be allowed to become neighbors, bring a neighborship to a 2-way state, monitor a neighbor’s responsiveness
    - 2: Database Description (DD or DBD): Exchange brief versions of each LSA typically on initial topology exchange so the router knows a list of the neighbor’s known LSAs
    - 3: Link-State Request (LSR): A packet that lists the LSIDs of LSAs the sender of the LSR would like the receiver of the LSR to supply during DB exchange
    - 4: Link-State Update (LSU): A packet that contains fully detailed LSAs, typically sent in response to an LSR
    - 5: Link-State Ack (LSAck): Confirms receipt of LSU message


o OSPF Neighbor States
    - Down: no Hellos have been received from the neighbor for more than the dead interval
    - Attempt: Used when the neighbor is defined with the neighbor command, after sending a Hello but before receiving a Hello from the neighbor
    - Init: A permanent state for when potential neighbors’ Hello parameters do not match. A Hello has been received but did not contain the local router’s RID or has parameters that do not pass the neighborship check
    - 2Way: A Hello has been received from the neighbor with the router’s RID and all verification checks have passed
    - ExStart: Currently negotiating the DD sequence numbers and master/slave logic for DD packets
    - Exchange: Finished negotiating DD process particulars and is currently exchanging DD packets
    - Loading: All DD packets have been exchanged and routers are exchanging full LSAs via LSR, LSU and LSAck packets
    - Full: Neighbors are fully adjacent and believe all LSDBs in the area are identical. Routing table calculations can begin

Exchange Without a Designated Router

When two routers on a link reach 2Way, they decide whether or not to exchange their LSDB entries. Without a DR, LSDBs are always exchanged
    Step 1: Discover LSAs known to the neighbor but not myself
    Step 2: Discover LSAs known to both, but neighbor is more current
    Step 3: Ask neighbor for LSAs identified in Step 1 and Step 2


o Discovering a Description of the Neighbor’s LSDB
    1: Multicast DD packets to 224.0.0.5
    2: When sending first DD change to ExStart state until the router with the highest RID becomes the Master in a M/S relationship
    3: After electing a Master, change to Exchange state
    4: Multicast DD packets to each other until both have the same shared view of the LSIDs known to both routers in that area
    - DD messages do not contain full LSAs, only headers which include LSIDs of the LSA, and the LSA sequence number. LSA seq #s begin at 0x80000001 and increment every time the state changes.
    - The Master controls the flow process with the slave responding to the Master.
o Exchanging the LSAs
    - After determining a shared set of LSIDs, routers change to Loading state and transfer full LSAs that they do not themselves have
    1: Transition neighbor state to Loading
    2: For missing LSAs, send a LSR with the LSID of the requested LSA
    3: Respond to an LSR with an LSU listing one or more LSAs in each message
    4: Acknowledge receipt with LSAck (explicit ack) or by sending the same LSA that was received back to the other router in an LSU message (implicit ack)
    5: Transition to Full when all LSAs have been sent, received and ack’d

Exchange With a Designated Router
o Non-DR performs message exchange via multicast 224.0.0.6
o DR performs message exchange via 224.0.0.5
o Messages sent to 224.0.0.6 are processed by DR and BDR only
o The DR acts as a pseudonode to give each router the appearance of only communicating with one other router (fake 2-node link)
o DROthers = IOS term for non-DR non-BDR
o DROthers do not directly exchange with each other and remain in 2Way state
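The comparison in Steps 1 to 3 of the exchange without a DR, together with the LSR step of the Loading phase, as an added example that is not from these notes or the cert guide: given the LSA headers a neighbor listed in its DD packets, work out which LSAs belong in the LSR. The header fields follow the standard OSPF LSA header; the RIDs and sequence numbers are constructed, and freshness is judged on sequence number only (the checksum and age tie-breakers are left out).

```python
from dataclasses import dataclass

INITIAL_SEQ = 0x80000001  # first LS sequence number, as stated in the notes


def signed32(seq: int) -> int:
    """LS sequence numbers are signed 32-bit values, so 0x80000001 is the
    lowest usable number and 0x7FFFFFFF the highest."""
    return seq - (1 << 32) if seq & 0x80000000 else seq


@dataclass(frozen=True)
class LsaHeader:
    ls_type: int     # 1 = Router, 2 = Network, 3 = Summary
    lsid: str        # Link-State ID
    adv_router: str  # RID of the router that created the LSA
    seq: int         # LS sequence number

    @property
    def key(self):
        # An LSA is identified by type + LSID + advertising router
        return (self.ls_type, self.lsid, self.adv_router)


def build_lsr(local_lsdb, neighbor_dd):
    """Return (key, reason) for every LSA to request from the neighbor.

    Step 1: LSAs the neighbor knows and we do not      -> "missing"
    Step 2: LSAs both know, neighbor's copy is newer   -> "newer"
    Step 3: the returned list is the content of the LSR
    """
    local = {hdr.key: hdr for hdr in local_lsdb}
    requests = []
    for hdr in neighbor_dd:
        mine = local.get(hdr.key)
        if mine is None:
            requests.append((hdr.key, "missing"))
        elif signed32(hdr.seq) > signed32(mine.seq):
            requests.append((hdr.key, "newer"))
        # equal or older copies are not requested, which is also what
        # stops an LSA from looping during flooding
    return requests


# Constructed sample data: our LSDB and the headers from the neighbor's DDs
LOCAL_LSDB = [
    LsaHeader(1, "1.1.1.1", "1.1.1.1", 0x80000003),
    LsaHeader(1, "2.2.2.2", "2.2.2.2", 0x80000002),
    LsaHeader(2, "10.1.1.2", "2.2.2.2", INITIAL_SEQ),
    LsaHeader(1, "4.4.4.4", "4.4.4.4", 0x80000004),
]
NEIGHBOR_DD = [
    LsaHeader(1, "1.1.1.1", "1.1.1.1", 0x80000003),  # same copy
    LsaHeader(1, "2.2.2.2", "2.2.2.2", 0x80000005),  # neighbor is newer
    LsaHeader(2, "10.1.1.2", "2.2.2.2", INITIAL_SEQ),  # same copy
    LsaHeader(1, "4.4.4.4", "4.4.4.4", 0x80000002),  # neighbor is older
    LsaHeader(3, "10.3.0.0", "3.3.3.3", INITIAL_SEQ),  # unknown to us
]

if __name__ == "__main__":
    print("We request:", build_lsr(LOCAL_LSDB, NEIGHBOR_DD))
    print("Neighbor requests:", build_lsr(NEIGHBOR_DD, LOCAL_LSDB))
```

Running the same function in the other direction gives the neighbor's LSR, so both sides end Loading with identical headers for every LSA.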


Flooding Throughout the Area
o By requesting only unknown or newer LSAs, routers prevent an LSA from looping

Periodic Flooding
o Each LSA is reflooded every 30 minutes based on the individual LSA age
o When an LSA is reflooded, the seq # is incremented
o When a router removes an LSA from its LSDB, it sets the MaxAge to 3600 seconds (60m) and floods the LSA. Other routers see the MaxAge of 3600 and remove the LSA from their respective LSDBs

Choosing the Best OSPF Routes:

o Choice of best route:
    - Analyze the LSDB to find all routes to a subnet
    - Add OSPF cost for all outgoing interfaces to the route
    - Choose the route with the lowest cost
o View OSPF cost with show ip ospf interface

OSPF Metric Calculation for Internal OSPF Routes
o Calculating the Cost of Intra-Area Routes
    - Router Analyzes the LSDB:
        1: Finds all subnets in the area based on stub interfaces listed in Type 1 and Type 2 LSAs
        2: Runs SPF to find all possible paths from itself to each subnet
        3: Calculates OSPF interface costs for all outgoing interfaces in each route, and chooses the route with the lowest total cost
    - default maximum-paths setting = 4. OSPF performs equal-cost load-balancing, but does not support unequal cost LB
o Calculating the Cost of Inter-Area Routes
    1: Calculate the lowest cost to the ABR
    2: Add the cost reported by the ABR (Type 3 LSA) to the subnet
    - show ip route ospf and show ip ospf database summary IP display cost to routes
    - show ip route IP mask explicitly lists OSPF route type (ie inter area)
    - show ip route ospf shows code O IA for OSPF Inter Area
    - Inter area routes are those learned through Type 3 LSAs
o Special Rules Concerning Intra-Area and Inter-Area Routes on ABRs
    - Issue occurs when more than one ABR connects to the same two areas
    - Under OSPF, when choosing a route, intra-area is always better than inter-area, regardless of metric
    - If an ABR learns a Type 3 LSA inside a non-backbone area, the ABR ignores that LSA when calculating its own routes

Metric and SPF Calculations
o Changes to Type 3 LSAs do not require SPF recalculation because Type 3 LSAs do not describe the topology like Type 1 and Type 2


Metric Tuning
o Changing the Reference Bandwidth
    - Default reference bandwidth 100 Mbps
    - Recommended reference bandwidth be the same on all OSPF routers in the domain (the setting is local to each router)
    - OSPF interface cost = reference bandwidth / interface bandwidth (OSPF rounds down in the case of a fraction)
    - Change default reference bandwidth with auto-cost reference-bandwidth value (in Mbps) OSPF router subcommand
    - Useful if the OSPF domain has interfaces faster than 100 Mbps
    - Example: default 100 means FaE OSPF cost = 1, and GigE = 1. Setting of 1000 means FaE = 10, and GigE = 1.
o Setting Bandwidth
    - OSPF cost can be indirectly set with the bandwidth int command.
    - Serial links default to 1544 and Ethernet defaults to the link speed
o Configuring Cost Directly
    - ip ospf cost value interface subcommand
o Verifying OSPF Cost Settings
    - show ip ospf interface brief
    - show ip ospf interface int
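The cost rules above (interface cost from the reference bandwidth, intra-area cost as the sum of outgoing interface costs along the SPF path, inter-area cost as cost to the ABR plus the Type 3 cost) worked through as an added example that is not from these notes or the cert guide. The three-router topology, the router names and the Type 3 costs are constructed; bandwidths are in kbps, as with the bandwidth command.

```python
import heapq


def interface_cost(if_bw_kbps, ref_bw_mbps=100):
    """reference bandwidth / interface bandwidth, rounded down, never below 1."""
    return max(1, (ref_bw_mbps * 1000) // if_bw_kbps)


def spf(links, root, ref_bw_mbps=100):
    """Dijkstra over outgoing-interface costs; returns {router: lowest cost}."""
    dist = {root: 0}
    heap = [(0, root)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > dist.get(node, float("inf")):
            continue  # stale heap entry
        for neighbor, bw in links.get(node, {}).items():
            new_cost = cost + interface_cost(bw, ref_bw_mbps)
            if new_cost < dist.get(neighbor, float("inf")):
                dist[neighbor] = new_cost
                heapq.heappush(heap, (new_cost, neighbor))
    return dist


def intra_area_cost(links, stubs, root, subnet, ref_bw_mbps=100):
    """Cost to the router that owns the stub subnet, plus that router's
    outgoing interface onto the subnet."""
    router, bw = stubs[subnet]
    return spf(links, root, ref_bw_mbps)[router] + interface_cost(bw, ref_bw_mbps)


def inter_area_cost(links, type3, root, subnet, ref_bw_mbps=100):
    """Lowest (cost to ABR + cost the ABR reports in its Type 3 LSA)."""
    dist = spf(links, root, ref_bw_mbps)
    return min((dist[abr] + cost, abr)
               for abr, cost in type3[subnet].items() if abr in dist)


# Constructed topology: {router: {neighbor: outgoing interface bandwidth in kbps}}
LINKS = {
    "R1": {"R2": 100_000, "R3": 1_544},      # FastEthernet to R2, serial to R3
    "R2": {"R1": 100_000, "R3": 1_000_000},  # GigE between R2 and R3
    "R3": {"R1": 1_544, "R2": 1_000_000},
}
STUBS = {"10.1.3.0/24": ("R3", 100_000)}          # stub subnet on R3's FaE
TYPE3 = {"10.2.0.0/16": {"R2": 50, "R3": 30}}     # costs advertised by two ABRs

if __name__ == "__main__":
    for ref in (100, 1000):
        print(ref, spf(LINKS, "R1", ref),
              intra_area_cost(LINKS, STUBS, "R1", "10.1.3.0/24", ref))
    print(inter_area_cost(LINKS, TYPE3, "R1", "10.2.0.0/16"))
```

With the default reference bandwidth the GigE and FastEthernet hops both cost 1; raising it to 1000 separates them, and the path through R2 stays preferred over the serial link either way.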

Chapter 7: OSPF Route Summarization, Filtering and Default Routing

Route Filtering:

o OSPF routers do not advertise routes: only LSAs
o Because all OSPF routers in an area must have the same LSDB, LSAs in an area cannot be filtered
o Type 1 & 2 LSAs cannot be filtered, only Type 3 and Type 5

Type 3 LSA Filtering
o Use router ospf subcommand: area area filter-list prefix name {in | out}
o In and Out are relative to the area listed in the command. For example, area 0 filter-list prefix a0in in would filter based on Type 3 LSAs entering Area 0.
o Prefix-list matches subnets, with deny = filtered
o OSPF performs filtering by not flooding matched Type 3 LSAs into an area


Filtering OSPF Routes Added to the Routing Table
o Type 3 LSA filtering affects an entire area, not individual routers
o By using distribute-list prefix name in OSPF router subcommand, you can alter the OSPF logic: LSDB > SPF > distribute-list in > IP routing table
o Command must refer to numbered or named ACL, prefix list, or route map.
o Routes matched with deny are filtered
o The command can optionally include an interface

Route Summarization:

o Summarization can only occur on ABRs and ASBRs because the LSDB must be the same for all routers in an area

Manual Summarization at ABRs
o area area range subnet mask [cost cost] command replaces individual Type 3 LSAs with a single summarized Type 3 LSA
o The default metric is the best of the subordinate subnets
o If no subordinate subnets exist, the summary Type 3 LSA is not advertised
o additional option not-advertise to filter the summary Type 3 LSA

Manual Summarization at ASBRs
o An ASBR is a router that redistributes routes from an external source
o ASBRs create Type 5 LSAs, which are external summary LSAs
o Uses OSPF router subcommand summary-address ip mask [not-advertise] which works similarly to ABR’s area range command, except it creates Type 5 LSA summaries instead of Type 3


Default Routes and Stub Areas:

o ABR alternative: area 0 range 0.0.0.0 0.0.0.0
o ASBR alternative: summary-address 0.0.0.0 0.0.0.0

Domain-wide Defaults Using the default-information originate Command
o default-information originate [always] [metric value] [metric-type value] [route-map name]
o With default parameters, an External Type 2 Route via Type 5 LSA with a metric of 1 is injected into the routing table, but only if the router itself has a default route
o always advertises the default route even if the router doesn’t have one in its table
o metric-type determines External Type 1 or External Type 2

Stubby Areas
o Introducing Stubby Areas
    - In a stub area, ABRs create a default route using Type 3 LSAs with subnet and mask 0.0.0.0
    - ABRs do not flood Type 5 LSAs into a stub area
    - ABRs may not flood other Type 3 LSAs into a stub area
    - The default route has a default metric of 1
    - Routers inside stub areas cannot redistribute external routes into the area
    - All routers in the stub area must be configured to be stubby
    - Four Types: Stubby, Not-So-Stubby, Totally-Stubby, Totally-Not-So-Stubby
    - For all types, the ABR filters Type 5 LSAs
    - For Totally areas, the ABR filters Type 3 LSAs also
    - For non-Totally areas, Type 3 LSAs work as normal
    - Both types of “Totally” areas are Cisco-proprietary
o Configuring and Verifying Stubby Areas
    - Stubby: area area stub on each router
    - Set the metric of the default route: area area default-metric value on an ABR. Default is 1 and can differ on each ABR
    - show ip ospf confirms if the router thinks it’s a stub
    - show ip ospf database database-summary displays stats about the numbers and types of LSAs in the area, confirming whether or not the area is a stub
o Configuring and Verifying Totally Stubby Areas
    - Totally Stubby: area area stub no-summary on the ABRs, configure all other routers as area area stub
o The Not-So-Stubby Area (NSSA)
    - NSSAs act like regular stub areas, except Type 7 external LSAs can be injected into the area from an ASBR
    - Use area nssa command instead of area stub
    - Use area area nssa no-summary to create a Totally NSSA


Chapter 8: OSPF Virtual Links and Frame Relay Operations

Virtual Links:

Understanding OSPF Virtual Link Concepts
o OSPF requires that area 0 be contiguous
o The virtual link acts as a point-to-point connection residing in area 0
o Each router configures the other’s RID and the area through which the virtual link passes
o The routers pass messages between each other encapsulated in unicast IP packets
o The routers mark the Do Not Age (DNA) bit in the LSAs so they do not reflood the LSAs every 30 minutes to reduce traffic on the virtual link
o The virtual link receives an OSPF cost just like a regular link

Configuring OSPF Virtual Links With No Authentication
o Configured with area transit-area virtual-link remote-RID command
o The transit area must not be stubby
o The authentication normally configured on an interface, as well as Hello and Dead timers, must be configured with this command
o The cost is as if it were a point-to-point link using the transit area’s LSDB

Verifying the OSPF Virtual Link
o show ip ospf virtual-links displays info about the link
o show ip ospf neighbor displays adjacency state and virtual link interface

Configuring Virtual Link Authentication
o Type 0 (none): area transit-area virtual-link remote-RID authentication null
o Type 1 (clear): area transit-area virtual-link remote-RID authentication authentication-key value
o Type 2 (md5): area transit-area virtual-link remote-RID authentication message-digest message-digest-key key-num md5 key-value

OSPF Over Multipoint Frame Relay:

IP Subnetting Design Over Frame Relay
o Sample Configuration Using Physical Interfaces
    - Default Cisco IOS Frame Relay Inverse ARP allows DLCI/IP mappings to happen dynamically
    - Full mesh of PVCs required for full connectivity
o Sample Configuration Using Multipoint Subinterfaces
    - With multipoint subinterfaces, require either frame-relay interface-dlci or frame-relay map commands


OSPF Challenges When Using Multipoint
o Neighbor Discovery or Static Neighbor Definition
    - OSPF network type is a per-interface setting
    - Frame Relay networks require multicasts and broadcasts to be sent over each PVC because FR networks are unable to replicate bc/mc packets
    - Neighbor discovery is possible when the network type allows for discovery using Hellos and Inverse ARP
    - If the network allows neighbor discovery and you use frame-relay map, be sure to use broadcast keyword
    - If the network does not allow neighbor discovery, configure neighbors statically
o To Use a Designated Router, Or Not
    - PVCs must exist between the DR/BDR and every other router in the subnet
    - Alternatively, configure the OSPF network type to not require a DR/BDR
o Mapping Issues With a Partial Mesh
    - For any routers without a direct PVC, statically configure an IP to DLCI mapping to the other router’s next-hop IP and a DLCI that connects to a router that has PVCs to each of the two routers

Configuring and Verifying OSPF Operations on Frame Relay

OSPF Network Types:
    - ip ospf network broadcast - uses DR/BDR, discovers neighbors dynamically, default Hello 10s, Cisco proprietary
    - ip ospf network nonbroadcast - uses DR/BDR, default Hello 30s
    - ip ospf network point-to-multipoint - discovers neighbors dynamically, default Hello 30s, Cisco proprietary
    - ip ospf network point-to-multipoint nonbroadcast - default Hello 30s

o Using Network Type Nonbroadcast (NBMA)
    - Routers elect DR/BDR and do not multicast Hellos for discovery.
    - neighbor next-hop-IP [cost value] [priority value]
    - DR must be able to directly communicate (PVC) with all other routers
    - higher-priority (up to 255) = better choice for DR/BDR. 0 = ineligible
    - Router will learn of routes not directly connected with a PVC from OSPF, but cannot ping them until the int/sub-int command frame-relay map ip IP DLCI broadcast is used
o Using Network Type Point-to-Multipoint
    - No DR/BDR election, dynamically discover neighbors
    - Router will learn of routes not directly connected with a PVC from OSPF, but cannot ping them until the int/sub-int command frame-relay map ip IP DLCI broadcast is used


o Using Network Type Point-to-Multipoint Nonbroadcast
    - Works similar to point-to-multipoint, but does not discover neighbors through broadcast - no DR/BDR
    - Router will learn of routes not directly connected with a PVC from OSPF, but cannot ping them until the int/sub-int command frame-relay map ip IP DLCI broadcast is used
    - OSPF neighbor command required

Chapter 9: Basic IGP Redistribution

Route Redistribution Basics:

The Need For Route Redistribution
o Different IGPs, different IGP AS’s, mergers, etc

Redistribution Concepts and Processes
o Requires at least one router to:
    - Use at least 1 working interface with each routing domain
    - A working routing protocol configuration for each routing domain
    - Additional redistribution configuration for each routing protocol
o The redistribution process does not attempt to convert metrics (topology table) between routing protocols - it only uses the information in the IP routing table
o redistribute includes passive interfaces on a routing protocol

Redistribution into EIGRP:

EIGRP redistribute Command Reference
o redistribute protocol [process-id | as-number] [metric bw delay reliability load mtu] [match {internal | nssa-external | external 1 | external 2}] [tag value] [route-map name]
o protocol = rip, ospf, eigrp, is-is, bgp, connected, static
o metric = assign values to the redistributed routes
o match = filters OSPF route types
o tag = for route maps
o route-map = for filtering, setting metrics and tagging

Configuring EIGRP Redistribution with Default Metric Components
o When redistributing EIGRP into EIGRP, the metrics from the source AS are redistributed with the routes. All other protocols must use one of these EIGRP subcommands:
    - default-metric affects all redistributed routes
    - metric parameters on redistribute command affect only that route
    - route-map lets you choose individual routes and overrides the previous two commands


Verifying EIGRP Redistribution
o show ip eigrp topology displays “via Redistributed”

Redistribution into OSPF:

OSPF redistribute Command Reference
o redistribute protocol [process-id | as-number] [metric value] [metric-type value] [match {internal | nssa-external | external 1 | external 2}] [tag value] [route-map map-tag] [subnets]
o protocol = rip, ospf, eigrp, is-is, bgp, connected, static
o metric-type = 1 (E1) or 2 (E2)
o match = filters OSPF route types when filtering from another OSPF process
o tag = for route maps
o route-map = for filtering, setting metrics and tagging
o subnets = redistribute subnets of classful networks. Without this, only classful networks are redistributed (unique to OSPF redistribute command)

Configuring OSPF Redistribution with Minimal Parameters
o Defaults:
    - default metric of 1 when coming from BGP
    - source route’s metric when coming from another OSPF
    - default metric of 20 from all others
    - Type 5 outside NSSA, Type 7 inside NSSA
    - Use External Type 2
    - Redistribute only classful networks

Setting OSPF Metrics on Redistributed Routes
o Works like EIGRP

LSAs and Metrics for External Type 2 Routes

Upon redistribution, the router becomes an ASBR and the Type 5 LSA includes:
    - LSID = subnet number
    - Subnet Mask
    - RID of the ASBR injecting the routes
    - Metric as set by the ASBR
    - External Metric Type: 1 or 2

ABRs flood the Type 5 LSA received from the ASBR into non-stubby areas

o Determining the Next-Hop for Type 2 External Routes-Intra-area
    - Routers choose the lowest-cost route to the ASBR that advertised the route
    - When a tie exists:
        1: find the ASBRs listed in the Type 5 LSA
        2: calculate the lowest cost to reach the ASBRs
        3: Use the outgoing interface and next hop based on the best route to reach the ASBR
    - Use the value of the metric used in the Type 5 LSA


o Determining the Next-Hop for Type 2 External Routes-Interarea
    - Calculate the cost to reach the ABR, then add the ABR’s cost to reach the ASBR
    - The ABR creates a Type 4 LSA for this purpose
    - When an ABR receives a Type 5 from an ASBR, it creates a Type 4 and floods it into its attached (non-area-0) areas
    - show ip ospf database asbr-summary
    - show ip ospf border-routers

Redistributing Into OSPF as E1 Routes
o E1 routes add the internal cost of reaching the ASBR to the external cost defined on the redistributing ASBR.
o Cost = best intra-area cost to reach the ABR + Type 4 cost + Type 5 cost
o redistribute metric-type 1 command

A Brief Comparison of E1 and E2 Routes
o E1 = internal cost + external cost
o E2 = only external cost (unless a tie breaker is needed)
o Useful mostly when multiple ASBRs advertise the same subnet
o When the prefix/length is the same, OSPF prefers E1

External Routes in NSSA Areas
o The ASBR in the NSSA injects a Type 7 LSA which remains in the NSSA
o The ABRs convert the Type 7 LSA into a Type 5 LSA for all the other areas

Chapter 10: Advanced IGP Redistribution

Redistribution With Route Maps and Distribute Lists:

o A Route Map can do the following:
    - Identify the subset of routes to filter or change based on the route’s prefix/length and others
    - Make filtering choices about which routes are redistributed and which are not
    - Set the metric to different values based on information matchable in the route map
    - Set the external type for individual routes
    - Set a route tag that can be matched at different redistribution points

Overview of Using route-map With Redistribution
o Routes are identified by the match command
    - match interface int [..int ..int etc] > looks at outgoing interface of routes
    - match ip address [ACL | prefix-list] > examines route destination prefix/length
    - match ip next-hop ACL
    - match ip route-source ACL > matches advertising router’s IP
    - match metric value [+- deviation] > matches route’s metric (or range)
    - match route-type [internal | external [type-1 | type-2] | level-1 | level-2]
    - match tag value [..value ...value etc] > matches the route tag, which requires that another router has set the tag


o Route maps referenced by redistribute commands always attempt to filter routes unless the route is matched by a permit clause, in which case the route is redistributed
o If a route is not filtered by the route-map, it can have values changed via route-map set:
    - set metric value (for RIP, OSPF, IS-IS)
    - set metric bw delay reliability load mtu (for EIGRP)
    - set metric-type [type-1 | type-2] (for OSPF)
    - set tag value

Filtering Redistributed Routes with Route Maps
o Configuring Route Filtering With Redistribution
    - define ACL or prefix-list
    - define route-map
    - implement with redistribute command
o Verifying Redistribution Filtering Operations
    - Redistribution involves taking entries from the IP routing table and adding them to a routing protocol’s topology table. Examining the protocol’s topology table verifies the correct entries
    - show ip route subnet
    - show access-list and show ip prefix-list detail displays incremented counters when redistributed routes are matched
    - show ip eigrp topology and show ip ospf database

Setting Metrics When Redistributing
o Configuring the Metric Settings
    - Include set metric in route-map clauses
    - redistribute protocol id route-map set-metric
o Verifying the Metric Settings
    - View topology / database table to view implemented metrics

Setting the External Route Type
o IOS automatically sets the redistributed route to Type 2 unless changed with route-map subcommand set metric-type type-1

Redistribution Filtering With the distribute-list Command
o Use distribute-list to match all routes in an ACL or prefix-list with no need for route-map options (such as tagging, metric, etc)
o Command must use the out direction
o distribute-list [ACL-name/number | prefix name] out protocol process/ASN

Issues With Multiple Redistribution Points:

Preventing Routing Domain Loops With Higher Metrics
o By setting a higher metric on the redistributed routes, when a route goes from one domain to another and back into the original domain, it will have a less desirable metric than the domain’s internal route


Preventing Routing Domain Loops With Administrative Distance
o AD is considered before metric
o redistribution is based on the IP routing table, so a router that has two potential routes for a subnet will add the route with the lower AD into the IP routing table, so the redistribution process never sees the alternate route to begin with
o Setting AD per Route Source for Internal and External Routes
    - routing protocol subcommand:
        RIP: distance AD
        EIGRP: distance eigrp internal-AD external-AD
        OSPF: distance ospf external AD intra-area AD inter-area AD

Domain Loop Problems With More Than Two Routing Domains
o Using Per-Route Administrative Distance Settings
    - routing protocol subcommand: distance AD ip-adv-router wc-mask [acl-name-or-number]
o Preventing Domain Loops by Filtering on Subnet While Redistributing
    - Apply route-map filter


o Preventing Domain Loops by Filtering on route-tag Using Distribute Lists
    - With route-map you can assign a tag to routes as they are redistributed into one domain, and then prevent them from being re-redistributed back into the originating domain by filtering via route-tag
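The tag-based loop prevention described above, modelled as an added example that is not from these notes or the cert guide: a small route-map evaluator (first matching clause wins, no match means the route is filtered) applied at two redistribution points between an EIGRP and an OSPF domain. The tag values 11 and 22, the prefixes and the clause model are constructed for illustration; only match tag and set tag are modelled.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str
    tag: int = 0  # 0 = untagged


@dataclass(frozen=True)
class Clause:
    action: str                      # "permit" or "deny"
    match_tag: Optional[int] = None  # None = no match command, matches all
    set_tag: Optional[int] = None    # only applied by a permit clause


def apply_route_map(clauses, route):
    """Return the (possibly re-tagged) route, or None if it is filtered."""
    for clause in clauses:
        if clause.match_tag is not None and clause.match_tag != route.tag:
            continue  # clause does not match, try the next one
        if clause.action == "deny":
            return None
        if clause.set_tag is not None:
            return replace(route, tag=clause.set_tag)
        return route
    return None  # fell off the end: not matched by any permit clause


def redistribute(source_routes, clauses):
    """Routes from the source domain that make it into the target domain."""
    results = (apply_route_map(clauses, r) for r in source_routes)
    return [r for r in results if r is not None]


# Tag 11 = "came from OSPF", tag 22 = "came from EIGRP" (constructed values).
# Each map first denies routes that originated in the target domain, then
# permits and tags everything else.
OSPF_TO_EIGRP = [Clause("deny", match_tag=22), Clause("permit", set_tag=11)]
EIGRP_TO_OSPF = [Clause("deny", match_tag=11), Clause("permit", set_tag=22)]
NO_FILTER = [Clause("permit")]  # redistribution with no tag filtering


def round_trip(prefix, back_map):
    """Redistribute an EIGRP-native prefix into OSPF on one router, then
    attempt OSPF -> EIGRP on a second router using back_map."""
    into_ospf = redistribute([Route(prefix)], EIGRP_TO_OSPF)
    back_into_eigrp = redistribute(into_ospf, back_map)
    return into_ospf, back_into_eigrp


if __name__ == "__main__":
    print("tag filter:", round_trip("172.16.1.0/24", OSPF_TO_EIGRP))
    print("no filter: ", round_trip("172.16.1.0/24", NO_FILTER))
```

With the tag filter the second list is empty, so the EIGRP prefix never re-enters EIGRP; with the unfiltered map it does, which is the domain loop.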

Chapter 11: Policy-Based Routing and IP Service Level Agreement

Policy-Based Routing:


Matching the Packet and Setting the Route
o match ip address or match length min max (in bytes)
o set ip next-hop IP [...IP ...IP etc] > IP must be in a connected subnet
o set ip default next-hop IP [...IP ...IP etc] > same except first attempt is based on routing table
o set interface int-type int-number [..int-type int-number] > uses the first interface in the list that is up
o set default interface int-type int-number [..int-type int-number] > same except first attempt is based on routing table
o Enable PBR with int command ip policy route-map name

PBR Configuration Example
o int command: ip policy route-map name
o route-map name permit
    match ip address ACL
    set ip next-hop IP
o access-list name/# permit ip host Source-IP Destination-subnet wc-mask
o show ip policy displays active policies and their interfaces
o Use traceroute as a method to verify operation

How the default Keyword Impacts PBR Logic Ordering
o Without default, IOS applies the PBR logic first, then normal routing second if the PBR logic fails
o With default, IOS applies normal routing logic first (with the exception of ignoring default routes), then PBR logic

Additional PBR Functions
o Applying PBR to Locally Created Packets
    - ip local policy route-map name global command applies PBR logic to packets generated by the router itself
o Setting IP Precedence
    - Configure PBR as normal but add a set command to mark the IPP or ToS field
    - set ip precedence value
    - set ip tos value
o PBR With IP SLA
    - PBR can choose routes based on network health, ie IP SLA

IP Service-Level Agreement:

Understanding IP SLA Concepts
o IP SLA uses “operations” which are configurable packets to be sent at configurable times. Data is collected on the details of the response packets


Configuring and Verifying IP SLA
o 1: create the IP SLA operation with global command ip sla sla-ops-number (integer operation number)
o 2: Define operation type and parameters with SLA subcommand. Example: icmp-echo parameters
o 3: Optionally define a non-default frequency of the operation with SLA subcommand frequency seconds
o 4: Schedule the SLA with global command ip sla schedule sla-ops-number [time settings] - Example: ip sla schedule 1 start-time now life forever
o Verify with show ip sla configuration and show ip sla statistics

Tracking SLA Operations to Influence Routing
o Configuring a Static Route to Track an IP SLA Operation
    1: global command track object-number ip sla sla-ops-number [state | reachability]
    2: optionally configure delay to regulate flapping with track subcommand delay [down seconds | up seconds]
    3: configure the static route with global command ip route destination mask [interface | next-hop] track object-number
    - Use show track command to view details
o Configuring PBR to Track an IP SLA
    - route-map subcommand: set ip next-hop verify-availability IP track object-number


Chapter 12: Internet Connectivity and BGP

Introduction to BGP:

BGP Basics
o BGP forms neighbor relationships before sending routing information
o Neighbors are explicitly configured (not discovered) and are not necessarily on the same subnet
o Uses TCP port 179 to exchange information
o Advertises prefix/length known as Network Layer Reachability Information (NLRI)
o Advertises Path Attributes (PA) instead of metrics
o Emphasis on scalability, and may not always choose the most efficient route
o Uses Path Vector logic which is similar to distance vector logic

BGP ASNs and the AS_SEQ Path Attribute
o AS_Path Path Attribute (PA) has many subcomponents, including AS_Seq
o AS_Seq lists the AS’s that a route passes through
o When a BGP router advertises a path, it adds its own ASN to the AS_Seq PA
o When a BGP router receives a route advertisement that already contains its own ASN in the AS_Seq, the update is ignored to prevent routing loops

Internal and External BGP
o iBGP is used when two BGP neighbors (peers) are in the same ASN, eBGP in different ASNs
o Routers do not update the AS_Path when advertising via iBGP


Public and Private ASNs
o ASNs 0, 65535 reserved
o 1 - 64495 = public
o 64496 - 65511 = Reserved for use in documentation
o 65512 - 65534 = private use

Outbound Routing Toward the Internet:

Comparing BGP and Default Routing for Enterprises
o BGP is most useful when more than one connection to an ISP exists and when you want to influence the paths each route takes

Single Homed
o Static default route most common
o 1: The ISP router uses BGP to advertise a default route to the enterprise
o 2: The enterprise’s IGP must advertise a default route
o 3: BGP must be configured on the enterprise router and advertise the enterprise’s public prefix
o A discard route is helpful, for instance with a 10.0.0.0/8 network, any unassigned addresses will attempt connection through the Internet before being discarded -- to remedy, create a static route on the Internet-facing router of 10.0.0.0/8 to null0, but do not advertise that route into the rest of the enterprise

Dual Homed
o Preferring One Path Over Another For All Destinations
    - BGP can be used but is not required in this case (default routes can be used instead)
    - Distinguish between the two routes with metrics and administrative distance
o Choosing One Path Over Another With BGP
    - Multiple routers must run BGP to prevent routing loops when also using default routes with BGP
o Partial and Full BGP Updates
    - Default route only: the ISP only advertises a default route through BGP
    - Full updates: the ISP advertises the entire BGP table
    - Partial updates: the ISP advertises a default route as well as specific routes in the BGP table

Single Multihomed
o Single link per ISP with connections to 2 or more ISPs
o Most rules with dual-homed connections apply

Dual Multihomed
o Most often BGP is used to determine best path per route

Chapter 13: External BGP

External BGP For Enterprises:

eBGP Neighbor Configuration
    - Router must configure router bgp ASN global command
    - The IP address of each neighbor and their ASN: neighbor IP remote-as ASN BGP subcommand
o Requirements For Forming eBGP Neighborships
    - The local router’s router bgp ASN must match the ASN the neighbor references in its neighbor remote-as ASN command
    - The BGP router IDs of the two routers must not be the same
    - MD5 authentication must pass if configured: neighbor neighbor-IP password key
    - Each router must share a TCP connection
    - BGP RID chosen like EIGRP, OSPF: bgp router-id RID, highest loopback address, highest other up/up interface
o Issues When Redundancy Exists Between eBGP Neighbors
    - If the TCP interface fails, the neighborship fails
    - Option 1: configure two neighbor commands on each router, one for each interface
    - Option 2 (Preferred): Use loopbacks for TCP connection endpoints - as long as the two neighbors have a working route to each other’s loopback interface, the TCP connection won’t fail if one of the links goes down
    - Configuration:
        1: Configure an IP on a loopback on each router
        2: Use the loopback IP as the source on neighbor remote-IP update-source local-loopback-int
        3: Configure BGP neighbor on each router to refer to the other router’s loopback IP
        4: Make sure each router has IP routes so they can forward to each other’s loopback
        5: Configure eBGP multihop with neighbor remote-IP ebgp-multihop TTL command
    - If using an IGP instead of a static route, make sure the routers become IGP neighbors over all redundant links

o eBGP Multihop Concepts
    - TTL must be 2 or higher to prevent the packet from being discarded when reaching the router’s internal logic -- when the packet goes from the physical interface to the loopback, the TTL on the packet is decremented by 1. IOS sets the BGP packet TTL to 1 by default, so with default settings the packet is discarded when it reaches the remote loopback
o Configuring eBGP Redundancy and Authentication
    1: loopback address
    2: static routes to remote loopback
    3: BGP neighbor commands about remote neighbor

BGP Internals and Verifying eBGP Neighbors

BGP Neighbor States:
    - Idle: either administratively down or awaiting next retry attempt
    - Connect: waiting for the TCP connection to complete
    - Active: TCP connection is complete but no BGP messages have been sent yet
    - Opensent: TCP complete, BGP Open message sent, but not yet received back from BGP peer
    - Openconfirm: Open has been sent and received, waiting for BGP Keepalive (confirming neighbor parameters matched) or BGP Notification (to learn that there is a mismatch in parameters)
    - Established: neighbor parameters match and the neighborship is fully established and can now exchange Update messages
o Verifying eBGP Neighbor Status
    - show ip bgp summary and show ip bgp neighbors [neighbor-ID]
    - show tcp brief displays connections with socket/port numbers
o Administratively Controlling Neighbor Status
    - [no] neighbor IP shutdown

o BGP Message Summary
    - Open: used to establish neighborship and exchange basic parameters like ASN and MD5
    - Keepalive: maintains neighborship, BGP goes down if keepalive is not received within Hold time period
    - Update: exchanges PAs and the associated prefix/length (NLRI) that use those attributes
    - Notification: signals BGP error and typically results in neighborship reset

Verifying the BGP Table:

The BGP Update Message
o All learned routes are placed into the BGP table, then the best routes are placed into the IP routing table
o The Update message is used to announce and withdraw routes

Examining the BGP Table
o show ip bgp
o The AS_Path attribute lists the newest added part of the path on the left, and the oldest on the right
o show ip route can confirm more BGP route details

Viewing Subsets of the BGP Table
o show ip bgp 0.0.0.0 0.0.0.0 - list possible default routes
o show ip bgp prefix [mask] - list possible routes per prefix
o show ip bgp neighbors ip received-routes - lists routes learned from single neighbor before inbound filtering
o show ip bgp neighbors ip routes - lists routes from a single neighbor that passed inbound filtering
o show ip bgp neighbors ip advertised-routes - lists routes after applying outbound filters
o show ip bgp summary - lists the number of prefixes learned per neighbor

Injecting Routes into BGP for Advertisement to the ISPs:

Injecting Routes Using the network Command
o BGP has no concept of being enabled or disabled on individual interfaces, unlike EIGRP and OSPF
o The BGP network command compares the parameters with the contents of the IP routing table - it looks for a prefix that exactly matches the parameters of the network command from the IP routing table and places matches into the BGP table
o Use a discard route on the Internet-facing router when the router only knows a subset of the total prefix that needs to be advertised
o Without a subnet mask, the BGP network command assumes a classful network

The Effect of auto-summary on the BGP network Command
o BGP defaults to no auto-summary as of IOS 12.3 mainline
o If auto-summary is configured, a route is added for the classful network if any subset of the routes for the classful network are in the IP routing table

Injecting Routes Using Redistribution
o Goals: inject only public IP range, not private - and advertise one route for public address range, not individual subnets
o Use BGP redistribute command when the router knows all the routes via IGP, otherwise, when only a subset of the routes are known:
o Option 1: Use IGP route summarization to create a route for the entire prefix
o Option 2: Use a discard route on the Internet-facing router
o Option 3: Use BGP route summarization to make BGP advertise only the entire prefix and not sub-routes
o BGP aggregate-address subnet mask summary-only command

Chapter 14: Internal BGP and Route Filtering

Internal BGP Between Internet-Connected Routers:

Establishing the Need For iBGP With Two Internet-Connected Routers
o iBGP is used between two Internet-facing routers to determine which one, if any, has a better BGP path
o Useful when one eBGP router has a full update and the other eBGP router only has a partial update -- using iBGP the routers can communicate with each other to find the best BGP path

Configuring iBGP
o Configuration is similar to eBGP, but with the same internal ASN being used for the neighbor remote-as subcommand
o ebgp-multihop is not needed because IOS does not use a TTL of 1 for iBGP
o 1: configure an IP loopback interface on each router
o 2: configure the loopback as the BGP source neighbor... update-source loopback-int
o 3: configure bgp neighbor command on each router to refer to the other router’s loopback IP: neighbor neighbor-loopback-ip remote-as ASN
o 4: configure each router with IP routes to the loopback interfaces

Verifying iBGP
o show ip bgp neighbors lists “internal link” to show iBGP

Examining iBGP BGP Table Entries
o iBGP peers do not add ASNs to the AS_Path PA
o BGP Rules: only advertise the best route in a BGP Update
o BGP Rules: do not advertise iBGP-learned routes to iBGP peers (similar to Split Horizon)

Understanding Next-Hop Reachability Issues With iBGP
    - The advertising IP of the eBGP neighbor (as set with neighbor... remote-as) does not change when an iBGP peer advertises the route to another iBGP peer

o Ensuring Routes Exist to the Next-Hop Address
    - BGP can communicate as long as there is a route to the IP whether via static routes or IGP routing protocol between the enterprise and the ISP
o Use neighbor neighbor-IP next-hop-self to Change the Next-Hop Address

Avoiding Routing Loops When Forwarding Toward the Internet:

Using an iBGP Mesh
o Create a direct iBGP neighborship between all pertinent routers

IGP Redistribution and BGP Synchronization
o no synchronization is the default
o Synchronization rule: do not consider an iBGP-learned route best unless the exact prefix was also learned via IGP and is in the IP routing table

Route Filtering and Clearing BGP Peers:

BGP Filtering Overview
o In addition to filtering with prefix/length like IGP, BGP can use PAs
o Filtering must be done per BGP neighbor
o neighbor distribute-list ACL
o neighbor prefix-list
o neighbor filter-list (ip as-path access-list)
o neighbor route-map

Inbound and Outbound BGP Filtering on Prefix/Length
o BGP filtering helps prevent an AS from becoming a transit AS
o show ip bgp neighbor neighbor-id advertised-routes displays post-filter routes to the listed neighbor

Clearing BGP Neighbors
o Neighbors must be cleared before new filters take effect
o hard reset = bringing down TCP connection, flushing table, re-forming neighborship
o soft reset = local router resends Updates based on then-current information
o Hard resets: clear ip bgp * or clear ip bgp neighbor-id
o Soft resets: clear ip bgp neighbor-id [in | out] or clear ip bgp neighbor-id soft for both directions. clear ip bgp * soft to soft clear all neighbors in both directions
o show ip bgp neighbor IP lists Route Refresh capabilities. If the neighbor is incapable, the neighbor neighbor-id soft-reconfiguration inbound BGP configuration must be used

Displaying the Results of BGP Filtering
o show ip bgp neighbor neighbor-id received-routes (requires neighbor soft-reconfiguration inbound) to see pre-filter updates
o show ip bgp neighbor neighbor-id advertised-routes for post-filter
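
Added example (not from the cert guide): a small audit that reads a running-config fragment and reports, per eBGP neighbor, a missing neighbor password, missing inbound or outbound filtering, and an ebgp-multihop TTL above what loopback peering needs. The sample config, the finding labels and the TTL threshold of 2 are assumptions made for this illustration.

```python
# Constructed running-config fragment; ASNs and addresses are documentation values.
SAMPLE_CONFIG = """\
router bgp 64512
 neighbor 192.0.2.1 remote-as 64500
 neighbor 192.0.2.1 password EXAMPLE-KEY
 neighbor 192.0.2.1 prefix-list ONLY-OURS out
 neighbor 198.51.100.1 remote-as 64501
 neighbor 198.51.100.1 ebgp-multihop 255
 neighbor 198.51.100.1 route-map SET-LP in
 neighbor 10.0.0.2 remote-as 64512
 neighbor 10.0.0.2 update-source Loopback0
"""

# The four per-neighbor filtering hooks listed in the notes above.
FILTER_CMDS = {"distribute-list", "prefix-list", "filter-list", "route-map"}


def parse_bgp(config):
    """Return (local ASN, {neighbor IP: settings}) from 'router bgp' lines."""
    local_asn, neighbors = None, {}
    for line in config.splitlines():
        words = line.split()
        if words[:2] == ["router", "bgp"] and len(words) == 3:
            local_asn = int(words[2])          # plain (asplain) ASNs assumed
        elif len(words) >= 3 and words[0] == "neighbor":
            n = neighbors.setdefault(words[1], {
                "remote_as": None, "password": False,
                "policy": set(), "multihop": None})
            cmd, args = words[2], words[3:]
            if cmd == "remote-as" and args:
                n["remote_as"] = int(args[0])
            elif cmd == "password":
                n["password"] = True
            elif cmd in FILTER_CMDS and args and args[-1] in ("in", "out"):
                n["policy"].add(args[-1])      # direction a policy is applied in
            elif cmd == "ebgp-multihop":
                # IOS uses a TTL of 255 when no value is given
                n["multihop"] = int(args[0]) if args else 255
    return local_asn, neighbors


def audit(config, max_multihop=2):
    """List (neighbor, finding) for eBGP peers only; iBGP peers are skipped."""
    local_asn, neighbors = parse_bgp(config)
    findings = []
    for ip, n in sorted(neighbors.items()):
        if n["remote_as"] is None or n["remote_as"] == local_asn:
            continue
        if not n["password"]:
            findings.append((ip, "no-md5-password"))
        if "out" not in n["policy"]:
            # nothing stops routes learned from one ISP being sent to this one
            findings.append((ip, "no-outbound-filter"))
        if "in" not in n["policy"]:
            findings.append((ip, "no-inbound-filter"))
        if n["multihop"] is not None and n["multihop"] > max_multihop:
            findings.append((ip, "multihop-ttl-%d" % n["multihop"]))
    return findings


if __name__ == "__main__":
    for neighbor, finding in audit(SAMPLE_CONFIG):
        print(neighbor, finding)
```

A route-map applied inbound counts as a policy hook here even though it may only set attributes; checking what it actually permits still needs show ip bgp neighbor neighbor-id received-routes and advertised-routes.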

Chapter 15: BGP Path Control

BGP Path Attributes and Best Path Algorithm:

BGP Path Attributes that affect the BGP Best Path Algorithm
o Next_Hop: lists the next-hop IP address to reach a prefix
o Weight, outbound: 16-bit value set by a router when receiving Updates which influences that one router’s route for a prefix. Not advertised to BGP peers, Cisco proprietary
o Local_Pref, outbound: 32-bit value set and communicated throughout a single AS for the purpose of influencing the choice of best route for all routers in the AS
o AS_Path, outbound & inbound: The number of ASNs in the AS_Path PA
o Origin, outbound: value implying the route was injected into BGP, I (IGP), E (EGP) or ? for incomplete information
o MED, inbound: set and advertised by routers in one AS, impacting the BGP decision of routers on the other AS. Smaller is better

Overview of the BGP Best Path Algorithm
o BGP decision process mnemonic: N WLLA OMNI
o 0: Next hop: reachable?
o 1: Weight: bigger is better (default 0)
o 2: Local_Pref: bigger (default 100)
o 3: Locally-injected routes: better than iBGP/eBGP-learned
o 4: AS_Path length: smaller
o 5: Origin: Prefer I over E, E over ?
o 6: MED: smaller (default 0)
o 7: Neighbor type: prefer eBGP over iBGP
o 8: IGP metric to next hop: smaller
o 9: Oldest (longest-known) eBGP route
o 10: Lowest neighbor BGP RID
o 11: Lowest neighbor IP address
o When more than one route for a path exists, BGP runs each route through the algorithm and chooses the best one, since BGP can only have one route to each destination in its table
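
Added example (not from the cert guide): the N WLLA OMNI steps above written as an ordered tie-breaker that also reports which step decided. The Path fields, the sample paths and the scenario names are constructed for this illustration, using documentation ASNs and addresses.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}   # step 5: prefer I over E, E over ?


@dataclass(frozen=True)
class Path:
    """One candidate route for a prefix; defaults follow the notes above."""
    name: str
    as_path: tuple = ()
    next_hop_reachable: bool = True
    weight: int = 0               # 0 for learned, 32768 for locally injected
    local_pref: int = 100
    locally_injected: bool = False
    origin: str = "i"
    med: int = 0
    ebgp: bool = True
    igp_metric: int = 0
    age_seconds: int = 0
    neighbor_rid: str = "0.0.0.0"
    neighbor_ip: str = "0.0.0.0"


# Steps 1-11 as (label, key). The lowest key wins, so "bigger is better"
# attributes are negated.
STEPS = [
    ("1 Weight", lambda p: -p.weight),
    ("2 Local_Pref", lambda p: -p.local_pref),
    ("3 Locally injected", lambda p: 0 if p.locally_injected else 1),
    ("4 AS_Path length", lambda p: len(p.as_path)),
    ("5 Origin", lambda p: ORIGIN_RANK[p.origin]),
    # Simplification: IOS by default compares MED only between paths from the
    # same neighboring AS; this follows the list above and always compares it.
    ("6 MED", lambda p: p.med),
    ("7 Neighbor type", lambda p: 0 if p.ebgp else 1),
    ("8 IGP metric to next hop", lambda p: p.igp_metric),
    ("9 Oldest eBGP route", lambda p: -p.age_seconds if p.ebgp else 0),
    ("10 Lowest neighbor RID", lambda p: int(IPv4Address(p.neighbor_rid))),
    ("11 Lowest neighbor IP", lambda p: int(IPv4Address(p.neighbor_ip))),
]


def best_path(paths):
    """Return (winning Path or None, label of the step that decided)."""
    candidates = [p for p in paths if p.next_hop_reachable]      # step 0
    if not candidates:
        return None, "0 Next hop"
    if len(candidates) == 1:
        return candidates[0], "0 Next hop" if len(paths) > 1 else "only path"
    for label, key in STEPS:
        best = min(key(p) for p in candidates)
        candidates = [p for p in candidates if key(p) == best]
        if len(candidates) == 1:
            return candidates[0], label
    return candidates[0], "tie"


# Constructed sample: two ISPs advertise the same prefix.
ISP1 = Path("via-ISP1", as_path=(64500, 64510),
            neighbor_rid="192.0.2.1", neighbor_ip="192.0.2.1")
ISP2 = Path("via-ISP2", as_path=(64501, 64502, 64510),
            neighbor_rid="198.51.100.1", neighbor_ip="198.51.100.1")


def scenarios():
    """Run constructed cases; returns {case: (winner name, deciding step)}."""
    cases = {
        "defaults": [ISP1, ISP2],
        "local_pref raised on ISP2": [ISP1, replace(ISP2, local_pref=200)],
        "ISP1 path prepended": [
            replace(ISP1, as_path=(64500, 64500, 64500, 64510)), ISP2],
        "ISP1 weighted but unreachable": [
            replace(ISP1, weight=500, next_hop_reachable=False), ISP2],
        "equal down to RID": [ISP1, replace(ISP2, as_path=(64501, 64510))],
    }
    results = {}
    for case, paths in cases.items():
        winner, step = best_path(paths)
        results[case] = (winner.name, step)
    return results


if __name__ == "__main__":
    for case, outcome in scenarios().items():
        print(case, "->", outcome)
```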

Perspectives on the Core 8 Best Path Steps
o Best options for influencing path decision:
    1: Weight
    2: Local_Pref
    4: AS_Path length
    6: MED (metric)

Memorization Tips for BGP Best Path
o WLLA for outbound routes
o OMNI for inbound (M)

Influencing an Enterprise’s Outbound Routes:

Influencing BGP Weight
    - Is not transmitted on Updates, only affects a single Cisco router.
    - Identifies a single router’s best route
    - Set on inbound route Updates
    - 0 - 65535, bigger is better. 0 for learned, 32768 for locally-injected
o Setting the BGP Administrative Weight Using a Route Map
    - neighbor IP route-map name in applies the route map to all BGP updates received from the neighbor. Route map matches first permit, then first deny, then implicit deny to filter routes
    - set weight value route-map subcommand
o Setting Weight Using the neighbor weight Command
    - BGP subcommand neighbor IP weight value sets weight of all inbound updates from the neighbor

Setting the Local Preference
    - Local_Pref is a PA that identifies the best exit point in an AS to reach a prefix
    - Is flooded throughout the iBGP ASN, but not advertised to eBGP peers
    - Values 0 - 4,294,967,295 (higher is better, default 100)
    - Change default value with bgp default local-preference value
    - Routes learned via eBGP have no default Local_Pref, routes learned via iBGP have default Local_Pref 100
o Setting the BGP Local_Pref Using a Route Map
    - neighbor IP route-map name in > set local-preference value
    - Automatically distributed to iBGP peers

IP Routes Based on BGP Best Paths
    - After BGP decides a route is best, it gives it to the IOS Routing Table Manager
    - RTM processes (among others) via AD
    - show ip bgp rib-failures displays BGP-learned routes that don’t end up in the IP routing table due to RTM selecting a better route
o BGP and the maximum-paths Command
    - BGP allows multiple routes to be considered for a tie based on IGP metric (step 8) via maximum-paths but still only one best BGP route ends up in the IP routing table

Increasing the Length of the AS_Path Prepend
o Route-map set as-path prepend ASN [ASN ASN ASN etc]
o Use ASNs already in the path (needed for loop avoidance)
o Can be used to influence inbound and outbound routes

Influencing an Enterprise’s Inbound Routes with MED:

MED Concepts
o Used to tell the ISP which path into the enterprise is best on multi-homed connections
o Advertised by one AS into another and propagated inside that AS, but not sent to other ASes
o 32-bit range, default 0
o Referred to in IOS as metric, not med

MED Configuration
o neighbor IP route-map name out > set metric value

Chapter 16: IPv6 Addressing

Global Unicast Addressing, Routing and Subnetting:

Global Route Aggregation for Efficient Routing
o By assigning static ranges of IPs by RIRs to each region, and a static range to an ISP, etc, the global routing table is kept smaller

Conventions For Representing IPv6 Addresses
o 128-bit, 32 hex chars, eight groups of four digits
o Omit leading 0’s
o Replace consecutive groups of 0’s with :: only once

Conventions For Writing IPv6 Prefixes
o IPv6 is completely classless
o When prefix is not a multiple of 16, the zeroes must be displayed. Example:
    - 1234:5678:90AB:CDEF::/64
    - 1234:5678:90AB:CD00::/56

Global Unicast Prefix Assignment Example
o Global Unicast addresses start with 2 or 3
o RIR assigns site prefix to ISP, etc.
o ISP assigns global routing prefix or site prefix to company

Subnetting Global Unicast IPv6 Addresses Inside an Enterprise
o Works like IPv4 - if a /48 site prefix is assigned, you could use a 16-bit subnet field and a 64-bit host field

Prefix Terminology
o Registry Prefix assigned by IANA to a RIR
o ISP Prefix assigned by a RIR to an ISP
o Site Prefix or Global Routing Prefix assigned by ISP or Registry
o Subnet Prefix assigned by enterprise engineer

Assigning IPv6 Global Unicast Addresses:

Stateful DHCP for IPv6
o Similar to DHCP for IPv4
o IPv6 multicast addresses are FF00::/8
o FF02::1:2 = unknown DHCP server with the routers working to forward to the appropriate DHCP server

Stateless Autoconfiguration
o Learning the Prefix/Length and Default Router with NDP Router Advertisements
    - Router Solicitation and Router Advertisement packets (ICMPv6)
    - Multicast message for routers willing to act as default gateway and all known IPv6 prefixes on the link
    - FF02::2 = all IPv6 routers on the link
    - FF02::1 = all IPv6 hosts on the link
o Calculating the Interface ID Using EUI-64
    - FFFE inserted into the middle, 7th host bit flipped
o Finding the DNS IP Addresses Using Stateless DHCP
    - The DHCP server knows the IPv6 address of DNS servers, but does not keep track of the clients

Static IPv6 Address Configuration
o Either the entire 128-bit address can be configured or the 64-bit prefix with the EUI-64 address automatically configured
o DNS, gateway, etc automatically detected with NDP

Survey of IPv6 Addressing:

Overview of IPv6 Addressing
o Unicast, Multicast, Anycast

Unicast IPv6 Addresses
o Unique Local IPv6 Addresses
    - Same as IPv4 private addresses
    - FD00::/8 + 40-bit pseudo-random global-id, 16-bit subnet

o Link Local Unicast Addresses
    - Packet should not leave local subnet, router does not forward packet
    - FE80::/10 (FE8, FE9, FEA, FEB)
o IPv6 Unicast Address Summary
    - ::/128 = unknown address
    - ::1/128 = loopback

Multicast and Other Special IPv6 Addresses
o FF02::/16 = link local
o FF05::/16 = site local
o FF02::5 ::6 = OSPF
o FF02::9 = RIPng
o FF02::A = EIGRP

Layer 2 Addressing Mapping and Duplicate Address Detection
o Neighbor Discovery Protocol for Layer 2 Mapping
    - Similar to IPv4 ARP: multicast Neighbor Solicitation (NS) ICMP message is sent
    - Neighbor Advertisement (NA) ICMP unicast message is sent back with MAC address
    - NS destination is solicited node multicast address, which on a link represents all hosts with the same last 24 bits of IPv6 address
    - FF02::1:FF:0/104
o Duplicate Address Detection
    - Host sends NS message to solicited node multicast based on its own IPv6 address. If it receives a reply from a host, the address is duplicated
o Inverse Neighbor Discovery
    - Works similar to Inverse ARP for Frame-Relay -- starts with known Layer 2 address and discovers Layer 3 address

Configuring IPv6 Addresses on Cisco Routers:

o ipv6 unicast-routing = global command enables ipv6 routing
o ipv6 address dhcp = stateful DHCP
o ipv6 unnumbered int = uses same IPv6 address as referenced interface
o ipv6 enable = enables IPv6 on an interface, but only gives link-local address
o ipv6 address address link-local = overrides automatically-created link-local address -- the address must conform to FE80::/10
o ipv6 address address/length anycast = designates the unicast address to be anycast

Configuring Static IPv6 Addresses on Routers
o ipv6 address address/length [eui-64]
o When IOS needs a MAC address for an interface, and the interface doesn’t have a built-in MAC address, the router uses the MAC of the lowest-numbered LAN interface (ie fa0/0)

Multicast Groups Joined by IPv6 Router Interfaces
o show ipv6 interface int displays multicast groups the interface has joined

Connected Routes and Neighbors
o show ipv6 route displays Local routes for unicast addresses that have more than link-local scope

The IPv6 Neighbor Table
o show ipv6 neighbors
o debug ipv6 nd

Stateless Autoconfiguration
o ipv6 address autoconfig

Chapter 17: IPv6 Routing Protocols and Redistribution

RIP Next Generation (RIPng):

RIPng Theory and Comparisons to RIP-2
o Uses UDP port 521 instead of 520
o Uses IPsec AH/ESP for authentication
o no auto-summarization
o RIPng does not advertise link-local or routes with /128
o Uses link-local as next hop -- set link-local address on interface to something recognizable to aid in troubleshooting and verification (ie FE80::1111, FE80::2222 etc)

Configuring RIPng
o IOS allows multiple RIPng processes
o ipv6 router rip name - name must be unique on router, but does not need to match other routers
o Configure IPv6 address on interface
o Enable RIPng on the interface: ipv6 rip name enable

Verifying RIPng
o show ipv6 route rip
o show ipv6 protocols
o show ipv6 rip [next-hops]

EIGRP for IPv6:

EIGRP for IPv4 and IPv6 - Theory and Comparisons
o Uses neighbor’s link-local address as next hop
o Uses IPv6 built-in IPsec AH/ESP for authentication
o no auto-summarization
o Does not require IPv6 hops to be in same subnet for neighborship
o Does not advertise link-local and local

Configuring EIGRP for IPv6
o ipv6 router eigrp AS [1 - 65535]
o Enable IPv6 on interface
o ipv6 eigrp AS
o no shutdown

o If no RID has been configured (due to lack of IPv4), eigrp router-id RID
    - use configured RID
    - use highest IPv4 address on up/up loopback
    - use highest IPv4 address on up/up nonloopback

Verifying EIGRP for IPv6
o Same as IPv4, just use ipv6 instead of ip

OSPF Version 3:

Comparing OSPFv2 and OSPFv3
o Uses IPv6 built-in AH/ESP
o Does not require neighbors on same subnet
o Supports multiple instances of OSPFv3 on an interface
o Neighbor’s link-local IP is the next hop
o Does not advertise link-local or local

Configuring OSPFv3
o IOS does not support network for OSPFv3
o ipv6 router ospf PID
o Enable IPv6 on interface
o ipv6 ospf PID area area
o Same RID concept as EIGRPv6
o shutdown and no shutdown can be used, but unlike EIGRPv6, it is enabled by default

Verifying OSPFv3
o Same as for IPv4, just use ipv6 instead

IPv6 IGP Redistribution:

o IPv6 redistribution takes routes learned from an IGP, but by default does not use connected routes (unless using redistribute... include-connected)
o OSPFv3 does not require subnets on redistribute
o redistribute ignores local /128

Redistributing Without Route Maps
o ipv6 router protocol AS/PID/name
o redistribute protocol AS/PID/name [include-connected] [metric]

Redistributing With Route Maps
o redistribute protocol AS/PID/name route-map name [include-connected]
o route-map command match ipv6 address...

Static IPv6 Routes:

    - Works like IPv4, just using ipv6 route instead
    - Must include outgoing interface

Chapter 18: IPv4 and IPv6 Coexistence

IPv4 and IPv6 Migration and Coexistence Concepts:

Tunneling
o Point-to-Point IPv6 Tunnels
    - Virtual Tunnel interface is created on router (similar to loopback)
    - Virtual tunnel interface is treated similar to serial interface (point to point)
o Point-to-Multipoint IPv6 Tunnels
    - Similar to NBMA frame relay
    - 1: R1 receives an IPv6 packet from its LAN int and decides it needs to be forwarded out the multipoint tunnel
    - 2: R1 analyzes the destination IPv6 address to derive the tunnel endpoint’s IPv4 address
    - 3: R1 builds an IPv4 packet header with its own address as the source and the destination endpoint’s IPv4 address as the destination
    - 4: R1 puts the original IPv6 packet inside the new IPv4 packet
    - Automatic 6to4 Tunnel or ISATAP - destination IPv4 address is embedded in destination IPv6 address
o Summary of IPv6 Tunneling Methods
    - Manually Configured: Static: point-to-point: acts like virtual point-to-point link which supports IPv6 IGPs - useful for permanent tunnels with less overhead than GRE
    - GRE: Static: point-to-point: supports other Layer 3 protocols over the same tunnel
    - 6to4: Dynamic: multipoint: needs less configuration than other types for adding a new site. Supports global unicasts with extra configuration - uses 2nd and 3rd quartets to store IPv4 addresses
    - ISATAP: Dynamic: multipoint: supports global unicasts for all prefixes - uses 7th and 8th quartets to store IPv4 addresses

NAT Protocol Translation
o NAT-PT runs on the router and translates IPv4 to IPv6 and vice versa
o Involves DNSv4 and DNSv6

Static Point-to-Point IPv6 Tunnels:

Manually-Configured Tunnels
o Link-local address based on FE80::/96 + 32-bits from tunnel source address
o Configuring and Verifying a Manually Configured Tunnel (prepare tunnel)
    1: Ensure each router can forward between source and destination IPs. Loopback interfaces are recommended (interface loopback number)
    2: interface tunnel number
    3: tunnel source [int | IP] - must be local to the router
    4: tunnel destination IP - must match tunnel source on other router
    5: define tunnel type with tunnel mode ipv6ip - default MTU 1480
o Configuring and Verifying the Manually Configured Tunnel (enable IPv6)
    1: enable ipv6 unicast-routing
    2: configure IPv6 address(es) and routing protocol(s) on tunnel interface
    - Tunnel does not need IPv4 address
    - show ipv6 int brief
    - show ipv6 int tunnel0 (etc)

GRE Tunnels
o tunnel mode gre ip - default MTU 1476
o no tunnel mode ipv6ip (the default for a new tunnel is GRE)
o Tunnel interfaces remain up/up but won’t pass traffic if the encapsulations don’t match
o Link-local address based on IPv6 EUI-64 using lowest numbered LAN interface’s MAC

Dynamic Multipoint IPv6 Tunnels:

o Dynamic Multipoint tunnels do not support IGPs -- requires static routes or multiprotocol BGP

Automatic 6to4 Tunnels
o Using the Automatic 6to4 Prefix for All Devices
    - Address Format: 2002:AABB:CCDD:Subnet::/64 - AABB:CCDD = IPv4 (in hex) of site IP (usually loopback int)
    - When a packet arrives at the router, the destination IPv6 begins with 2002 so the router knows to forward it out the tunnel interface
    - When the router sees the 6to4 tunnel type, IOS encapsulates and sends the IPv6 packet to the destination IPv4 address found in quartets 2 and 3

o Configuring the Automatic 6to4 Tunnel
    1: configure IPv4 loopback
    2: create tunnel interface tunnel #
    3: Define source IPv4 - tunnel source [int | IP]
    4: Do not define destination
    5: tunnel mode ipv6ip 6to4
    6: Enable IPv6 on the tunnel
    7: enable IPv6 routing
    8: Define a static route: ipv6 route 2002::/16 tunnel #
o Using Global Unicasts with Automatic Tunnels
    - Static routes must be added for every router’s global unicast endpoint
    - ipv6 route remote-global-IPv6 tunnel# remote-private-IPv6 (ie 2002::/16)

IPv6 ISATAP Tunnels
o Comparing ISATAP and Automatic 6to4 Concepts
    - ISATAP uses global unicast prefixes for user subnets
    - ISATAP tunnel interfaces use IPv6 addresses that embed the destination IPv4 in the IPv6 address
    - The routers need static routes for the destination end-user prefixes - the route must list a next-hop IPv6 address which embeds the tunnel destination IPv4
    - ISATAP tunnel IPv6 addresses embed the IPv4 in the last two quartets
    - ISATAP does not use reserved IPv6 addresses - only global unicast
    - ISATAP tunnels typically have a single prefix to which all tunnel interfaces connect, so all routers have a connected IPv6 route to that same subnet
    - ISATAP tunnels can automatically derive the tunnel interface ID using modified EUI-64 rules (0000:5EFE) - IPv4 in quartets 7&8
o Configuring ISATAP IPv6 Tunnels
    1: IPv4 loopback
    2: create tunnel
    3: define tunnel source with loopback
    4: do not define destination
    5: tunnel mode ipv6ip isatap
    6: configure IPv6 prefix with EUI-64: ipv6 address prefix/length eui-64
    7: ipv6 unicast-routing
    8: for each destination router, create static ipv6 route - such as ipv6 route 2000:0:1:3::/64 2000:0:1:9:0:5EFE:A09:903
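
Added example (not from the cert guide): the three address derivations these notes describe, EUI-64 interface IDs from Chapter 16 and the 6to4 and ISATAP formats above, plus the reverse step of recovering the embedded IPv4 tunnel endpoint from an IPv6 address, which is how the next hop in step 8 maps back to 10.9.9.3. Function names and the sample MAC and prefixes are constructed for this illustration.

```python
from ipaddress import IPv4Address, IPv6Address, IPv6Network

ISATAP_MARK = 0x00005EFE          # quartets 5-6 of an ISATAP address (0000:5EFE)


def eui64_interface_id(mac):
    """48-bit MAC -> 64-bit interface ID: insert FFFE, flip the 7th bit."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 48 bits")
    flipped = bytes([raw[0] ^ 0x02])               # 7th bit of the first byte
    return int.from_bytes(flipped + raw[1:3] + b"\xff\xfe" + raw[3:], "big")


def eui64_address(prefix, mac):
    """What 'ipv6 address prefix/64 eui-64' yields for a given MAC."""
    net = IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 needs a /64 prefix")
    return IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def sixto4_subnet(ipv4, subnet_id):
    """2002:AABB:CCDD:Subnet::/64, where AABB:CCDD is the site IPv4 in hex."""
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet ID is one 16-bit quartet")
    value = (0x2002 << 112) | (int(IPv4Address(ipv4)) << 80) | (subnet_id << 64)
    return IPv6Network((value, 64))


def isatap_address(prefix, ipv4):
    """Global unicast /64 prefix + 0000:5EFE + IPv4 in quartets 7 and 8."""
    net = IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP interface ID needs a /64 prefix")
    iid = (ISATAP_MARK << 32) | int(IPv4Address(ipv4))
    return IPv6Address(int(net.network_address) | iid)


def tunnel_endpoint(ipv6):
    """Return (tunnel type, embedded IPv4) or None if nothing is embedded."""
    value = int(IPv6Address(ipv6))
    if value >> 112 == 0x2002:                     # 6to4: quartets 2 and 3
        return "6to4", IPv4Address((value >> 80) & 0xFFFFFFFF)
    if (value >> 32) & 0xFFFFFFFF == ISATAP_MARK:  # ISATAP: quartets 7 and 8
        return "isatap", IPv4Address(value & 0xFFFFFFFF)
    return None


if __name__ == "__main__":
    print(eui64_address("2001:db8:0:1::/64", "0011.2233.4455"))
    print(sixto4_subnet("10.9.9.1", 1))
    print(isatap_address("2000:0:1:9::/64", "10.9.9.3"))
    print(tunnel_endpoint("2000:0:1:9:0:5EFE:A09:903"))
```

Running tunnel_endpoint over IPv6 addresses seen in flow records or ACL logs shows which IPv4 hosts are acting as 6to4 or ISATAP endpoints.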

Chapter 19: Routing Over Branch Internet Connections

Branch Office Broadband Internet Access:

Routing in Medium and Large Branches
o Routing Using Floating Static Routes
    - Alter static routes to have an AD higher than 1
    - By making the static route have a higher AD than an IGP, the IGP route is preferred over the static unless the IGP route fails
o Dynamic Routing over the GRE Tunnel
    - IPsec does not forward multicasts - GRE converts multicasts to unicast

Branch Router Configuration For Broadband Access:

Configuring DHCP Server
o ip dhcp pool name
o network subnet mask
o default-router IP
o ip dhcp excluded-address IP-of-Router
o dns-server IP1 IP2

VPN Configuration:

Configuring an IPsec VPN
o crypto isakmp policy 1
o encryption 3des
o authentication pre-share
o group 2
o crypto isakmp key password address destination-IP
o crypto ipsec transform-set some-name esp-3des esp-sha-hmac
o crypto map branchmap 10 ipsec-isakmp
o set transform-set some-name
o set peer destination-IP
o match address ACL
o access-list ACL permit IP local-subnet wildcard destination-subnet wildcard
o access-list ACL permit gre any any
o interface int
o crypto map branchmap
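
Added example (not from the cert guide): a check that flags the parameters in the IPsec commands above that are now considered weak, 3DES and Diffie-Hellman group 2, and passes a config using AES-256, SHA-256 and group 14. Both sample configs are constructed, and the lists of weak values are this example's assumed policy, not something the notes state.

```python
# Constructed sample: the page's branch VPN commands with placeholder values.
PAGE_STYLE_CONFIG = """\
crypto isakmp policy 1
 encryption 3des
 authentication pre-share
 group 2
crypto isakmp key EXAMPLE-KEY address 203.0.113.1
crypto ipsec transform-set some-name esp-3des esp-sha-hmac
crypto map branchmap 10 ipsec-isakmp
 set transform-set some-name
 set peer 203.0.113.1
 match address 101
"""

# Constructed sample: the same policy with stronger parameters.
HARDENED_CONFIG = """\
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto ipsec transform-set some-name esp-aes 256 esp-sha256-hmac
"""

# Assumed policy for this example.
WEAK_CIPHERS = {"des", "3des"}
WEAK_DH_GROUPS = {"1", "2", "5"}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-null",
                   "esp-md5-hmac", "ah-md5-hmac"}


def audit_ipsec(config):
    """Return (where, issue) pairs for weak ISAKMP and IPsec parameters."""
    findings = []
    policy = None                      # ISAKMP policy currently being read
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if not raw[0].isspace():       # a top-level command ends the sub-mode
            policy = None
        if words[:3] == ["crypto", "isakmp", "policy"] and len(words) == 4:
            policy = "isakmp policy " + words[3]
        elif policy and words[0] == "encryption" and len(words) > 1:
            if words[1] in WEAK_CIPHERS:
                findings.append((policy, "weak cipher " + words[1]))
        elif policy and words[0] == "group" and len(words) > 1:
            if words[1] in WEAK_DH_GROUPS:
                findings.append((policy, "weak DH group " + words[1]))
        elif words[:3] == ["crypto", "ipsec", "transform-set"] and len(words) > 4:
            where = "transform-set " + words[3]
            for transform in words[4:]:
                if transform in WEAK_TRANSFORMS:
                    findings.append((where, "weak transform " + transform))
    return findings


if __name__ == "__main__":
    for where, issue in audit_ipsec(PAGE_STYLE_CONFIG):
        print(where, "-", issue)
    print("hardened findings:", audit_ipsec(HARDENED_CONFIG))
```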

Configuring GRE Tunnels
o tunnel mode not needed because IOS defaults to IPv4 for transport