Date post: 03-Apr-2018
Uploaded by: leon-dobrzinsky
7/28/2019 Notes to Ccie
NOTES TO CCIE
1. ETHERNET SWITCHING
show interface fa0/0 switchport - VLAN and trunking parameters of the port
DTP modes
dynamic auto - listens for DTP but does not initiate trunking; two dynamic auto ports end up as access ports
dynamic desirable - actively negotiates and tries to reach the trunk state
Tip: if DTP is disabled (switchport nonegotiate) and one side is configured as trunk while the other is access, the mismatch is not detected; frames from several VLANs are dumped into one VLAN on the far side, STP's per-VLAN view no longer matches the real topology and an L2 loop is possible.
Security tip: hard-code host-facing ports with switchport mode access and switchport nonegotiate, so a device plugged in there cannot negotiate a trunk and reach other VLANs.
Trunking modes
switchport trunk encapsulation isl | dot1q
ISL - Cisco proprietary; encapsulates the whole frame, native VLAN included, with a 26-byte header and a 4-byte trailer (30 bytes total)
Dot1Q - inserts a 4-byte tag; the native VLAN is sent untagged by default. The global command vlan dot1q tag native makes the native VLAN tagged as well. Less overhead (tag vs encapsulation).
Caveat: an untagged native VLAN is what makes double-tagging VLAN hopping possible; tagging the native VLAN (or using an otherwise unused VLAN as native) removes it.
VLANs
1-1001 normal range
1002-1005 default (Token Ring / FDDI), cannot be deleted
1006-4094 extended range (VTP v1/v2 do not propagate them; the switch must be in transparent mode to create them, VTPv3 propagates them)
VTP configuration
show vtp status - mode, configuration revision number, MD5 digest
Default is server mode with a null domain name; a switch with a null domain automatically inherits the VTP domain from the first summary advertisement it receives on a trunk.
Configuration Revision - tracks the history of the VLAN configuration. A database with a higher revision number replaces the lower one everywhere in the domain. VTP sends an update each time the VLAN configuration changes (even a client propagates a database with a higher revision number and overwrites every other switch's database).
MD5 - even without a password configured, show vtp status shows an MD5 digest; it is computed over the advertised VLAN database together with the domain name and password (empty if none) and changes with every revision.
Caveat: a switch joining with the same domain name and a higher revision number (for example one coming back from a lab) wipes the domain's VLANs. Set a VTP password or run switches in transparent mode, and reset the revision number of a reused switch (change its domain name) before connecting it.
VTP Pruning
Prevents unnecessary flooding of broadcasts, multicasts and unknown unicasts across trunk links toward switches that have no access ports in the specific VLAN
Enabled on the server (vtp pruning) and propagated to clients; transparent switches do not participate
Pruning-eligible VLANs per trunk: switchport trunk pruning vlan remove {list} (VLAN 1, 1002-1005 and the extended range are never pruned)
Each switch tells its neighbors on trunk links which VLANs it needs, i.e. which VLANs it has local ports in or is on the transit path for
Trunking with non-VTP devices - trouble with pruning: since the non-VTP device never sends join requests, the switch assumes all VLANs are needed toward it. Possible solution: allow only the interesting VLANs on that trunk (switchport trunk allowed vlan)
Trouble with pruning and transparent devices - a transparent switch forwards VTP advertisements, including the pruning join messages, to the next switch unaltered, so the neighbors see pruning state that describes a switch further away and pruning ends up wrong
Router on a Stick
Untagged frames (native VLAN) are processed on the main physical interface unless a subinterface is configured with encapsulation dot1q {vlan} native
Tagged frames go to the subinterface whose encapsulation dot1q {vlan} matches the tag
EtherChannel
(config-if)# channel-protocol pagp | lacp
PAgP - Cisco proprietary (auto, desirable)
LACP - open standard 802.3ad / 802.1AX (active, passive). Two passive ends, or two auto ends, never form a bundle.
show etherchannel summary - status, members
Global: port-channel load-balance {src-mac | dst-mac | src-dst-mac | src-ip | dst-ip | src-dst-ip | ...}
Load balancing is per flow, not per packet: the switch hashes the selected header fields (MAC, IP or L4 port, depending on the method) and the low-order bits of the hash pick the member link, so one conversation always uses one link and you cannot judge the distribution by watching MAC addresses. Choosing the method is choosing which combination of fields feeds the hash.
Advantage of using a negotiation protocol - if one side's link fails or is misconfigured the other side is notified and removes the port from the bundle, avoiding the loop that a static (mode on) bundle would create.
Example of a member suspended due to misconfiguration (show etherchannel summary):
1 Po1(SU) Fa0/0(P) Fa0/1(s)      SU = Layer 2, in use; P = bundled; s = suspended
Layer 3 EtherChannel - port channel with routed port members
Tip - order of operations matters: each member port must first be configured with no switchport and only then with channel-group X mode ...; the IP address goes on the port-channel interface
Layer 2 Tunneling (802.1Q tunneling, Q-in-Q)
switchport mode dot1q-tunnel
switchport access vlan {S-VLAN} sets the service-provider (outer) VLAN
Adds a metro tag - the customer VLAN tags (C-VLANs) travel inside the provider VLAN (S-VLAN), so customer and provider VLAN spaces are separated
MTU issue - Ethernet has no fragmentation and the extra tag adds 4 bytes, so the minimum recommended MTU is 1504: system mtu 1504
Control protocols (CDP, VTP, STP) are not forwarded through the tunnel by default. Solution: Layer 2 protocol tunneling
l2protocol-tunnel cdp | vtp | stp
l2protocol-tunnel point-to-point pagp | lacp | udld - EtherChannel negotiation across the L2 protocol tunnel
Spanning-Tree Protocol
Basic operation
A root bridge is elected, then each non-root switch picks a root port (its best path upstream to the root); on every segment one designated port is elected and the remaining ports block.
Choosing a root - lowest Bridge ID
Bridge ID = priority (0-61440, in increments of 4096) + system ID extension (VLAN number, 12 bits) + MAC address
spanning-tree vlan {x} priority {y}
Default mode PVST+: a separate instance per VLAN, each with its own root
Designated ports are chosen by the lowest cost to the root (after the root port has been chosen, of course)
Root and designated port selection tie-breakers, in order:
-root path cost
-sender (neighbor) BID
-sender port ID (only with multiple links to the same neighbor)
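The election rules above as a small Python model (an added example, not part of the original notes and not Cisco code): bridge ID composition, root election and the root port tie-breakers. Switch names, MAC addresses, costs and VLAN 10 are constructed.

```python
# Added example, not Cisco code: 802.1D / PVST+ root bridge election and
# root port selection as described in the notes. Topology values are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int   # 0-61440 in increments of 4096 (default 32768)
    vlan: int       # system ID extension: PVST+ runs one instance per VLAN
    mac: str        # switch base MAC, e.g. "0011.2233.4455"

    def bridge_id(self) -> int:
        """64-bit Bridge ID: 4-bit priority + 12-bit system ID extension + 48-bit MAC.
        Cisco shows the upper 16 bits as priority + VLAN (e.g. 32769 for VLAN 1)."""
        if self.priority % 4096 or not 0 <= self.priority <= 61440:
            raise ValueError("priority must be 0-61440 in increments of 4096")
        if not 1 <= self.vlan <= 4094:
            raise ValueError("VLAN out of range")
        mac_int = int(self.mac.replace(".", "").replace(":", ""), 16)
        return ((self.priority + self.vlan) << 48) | mac_int


def elect_root(bridges):
    """Lowest Bridge ID wins: priority first, then (same VLAN) the lowest MAC."""
    return min(bridges, key=lambda b: b.bridge_id())


def select_root_port(candidates):
    """candidates: (root_path_cost, sender_bridge_id, sender_port_id, local_port)
    for every BPDU received from the root's direction. Tie-breakers in order:
    lowest cost, lowest sender BID, lowest sender port ID (parallel links)."""
    return min(candidates, key=lambda c: (c[0], c[1], c[2]))[3]


def format_bid(bid: int) -> str:
    """Render like show spanning-tree: '4106 (4096 sys-id-ext 10) 0011.0000.00ff'."""
    prio_ext = bid >> 48
    mac = f"{bid & ((1 << 48) - 1):012x}"
    return (f"{prio_ext} ({prio_ext & 0xF000} sys-id-ext {prio_ext & 0x0FFF}) "
            f"{mac[0:4]}.{mac[4:8]}.{mac[8:12]}")


# Constructed VLAN 10 topology. SW3 has the lowest MAC; SW2 has been given a
# lower priority with "spanning-tree vlan 10 priority 4096".
SW1 = Bridge("SW1", 32768, 10, "0011.0000.0001")
SW2 = Bridge("SW2", 4096, 10, "0011.0000.00ff")
SW3 = Bridge("SW3", 32768, 10, "0000.0000.0001")

# BPDUs seen on SW1's ports: two parallel FastEthernet links to SW2 (cost 19 each)
# and one link via SW3 with a higher cumulative cost.
CANDIDATES = [
    (19, SW2.bridge_id(), 0x8001, "Fa0/1"),
    (19, SW2.bridge_id(), 0x8002, "Fa0/2"),
    (38, SW3.bridge_id(), 0x8001, "Fa0/3"),
]

if __name__ == "__main__":
    print("root:", elect_root([SW1, SW2, SW3]).name)                      # SW2
    print("root if priorities were equal:", elect_root([SW1, SW3]).name)  # SW3 (lowest MAC)
    print("SW2 BID:", format_bid(SW2.bridge_id()))
    print("SW1 root port:", select_root_port(CANDIDATES))                 # Fa0/1
```

With all priorities at the default, the switch with the lowest MAC wins, so a network that never sets priorities is taken over by any device that sends a lower bridge ID. Set the priority deliberately on the intended root and secondary root, and pair it with root guard on ports where a root must never appear.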
Timers - Hello 2 sec default, Forward Delay (listening, learning) 15 sec default, Max Age (aging of BPDU information) 20 sec default. Set on the root: in legacy 802.1D only the root originates configuration BPDUs, the other bridges relay them on their designated ports with the root's timer values.
A topology change is signalled with TCN BPDUs toward the root; the root then sets the TC flag in its BPDUs and every bridge shortens its CAM (MAC table) aging time to Forward Delay (15 sec) for that VLAN, so stale entries are flushed quickly.
PortFast - lets a port go straight to forwarding without listening/learning. A PortFast port does not generate a topology change when it changes state (so a PC rebooting does not flush MAC tables domain-wide).
spanning-tree portfast default - enables PortFast on all access (non-trunking) interfaces; for a trunk port use the interface command spanning-tree portfast trunk.
UplinkFast
(config)# spanning-tree uplinkfast
Switches immediately to an alternate (blocked) uplink when the directly connected root port fails. Meant for access switches: it raises the bridge priority to 49152 and adds 3000 to port costs, so the switch is unlikely to become root or to hold designated ports.
BackboneFast
With this feature enabled, when the switch receives an inferior BPDU (the upstream designated bridge has lost its path to the root) it sends Root Link Query (RLQ) requests on its other root-facing ports to check whether the root is still reachable; if it is, the switch expires Max Age immediately instead of waiting 20 seconds. BackboneFast only reacts to inferior BPDUs from the current designated bridge on that segment, so a new switch that does not yet know the root joining the topology does not trigger it.
BPDU filter - ignores BPDUs on edge ports. Per interface, spanning-tree bpdufilter enable drops incoming and stops outgoing BPDUs, which effectively disables STP on that port (loop risk if a switch is ever connected there). Configured globally together with PortFast, spanning-tree portfast bpdufilter default, it only stops sending BPDUs on PortFast ports; if a BPDU is received the port loses its edge status and behaves as a normal STP port.
BPDU guard - puts the port into err-disabled state if a BPDU is received on an edge port. Interface: spanning-tree bpduguard enable; global for PortFast ports: spanning-tree portfast bpduguard default. If err-disable recovery is off you have to shut / no shut the port manually. Enable automatic recovery with errdisable recovery cause bpduguard and set the timer with errdisable recovery interval {sec}. Preferred over BPDU filter on host ports, since it blocks a rogue switch instead of hiding it.
Loop Guard - spanning-tree loopguard default (global) / spanning-tree guard loop (interface): if BPDUs stop arriving on a root or alternate port, the port goes loop-inconsistent instead of transitioning to forwarding. Protects against a failure of just one direction of a link, like UDLD but using BPDUs.
Root Guard - spanning-tree guard root: when a superior BPDU is received on the interface, the STP instance for that VLAN on the port goes root-inconsistent (blocking) until the superior BPDUs stop. Use it on ports toward switches that must never become root.
Multiple Spanning-Tree Protocol
spanning-tree mst configuration - mapping of instances to VLANs (name, revision, instance {x} vlan {list})
spanning-tree mode mst - enables MST
Automatically uses the RSTP two-way handshake: proposal and agreement BPDUs instead of waiting for timers
RSTP
Avoids the listening/learning wait by using a proposal/agreement handshake on point-to-point links. Link types:
-point-to-point: full duplex, not an edge port
-shared: half duplex / connected to a hub (falls back to timer-based convergence)
-edge: connected to end devices, enabled by PortFast
Port roles:
-Root
-Designated
-Alternate: like UplinkFast, a backup path to the root
-Backup: backup to a designated port on the same shared segment
Port states:
-Discarding
-Learning
-Forwarding
MSTP with multiple regions
Same region means the same configuration name, the same revision number and the same VLAN-to-instance mappings (all three are carried, the mapping as a digest, in the BPDU and compared).
Inter-region operation: from the outside a region looks like a single virtual bridge; its internal topology is hidden.
CST - common spanning tree (inter-region, one instance spanning all regions and any non-MST switches)
IST - internal spanning tree (intra-region)
IST = MST instance 0: the special instance to which all VLANs belong by default; it is the one that sends BPDUs at the region boundary and represents the region in the CST.
When MST interoperates with PVST+/RSTP switches (PVST simulation), the CST root should be inside the MST region; if a non-MST switch is root for some VLANs but not for all of them, the boundary port goes PVST-inconsistent and blocks.
Flex Links
switchport backup interface {int} - one interface backs up another; STP is disabled on the pair
switchport backup interface {int} mmu primary vlan {x} - MAC address-table move update: when the backup takes over, the switch announces that its MAC addresses moved so upstream switches relearn them immediately
2. FRAME RELAY
NBMA - non-broadcast multi-access
Multipoint vs point-to-point: multipoint requires address resolution (for Frame Relay, resolving the destination IP to the local DLCI)
DLCI - link-local L2 address
LMI - Local Management Interface, communicates with the Frame Relay switch and queries information about the circuits. PVC status: active, inactive, deleted (DLCI unknown to the switch), static (LMI disabled)
Address resolution - dynamic (Inverse ARP) or static (frame-relay map)
show frame-relay map: equivalent to show arp
Inverse ARP is automatically enabled whenever the configured L3 protocol supports it (IPv4 does, IPv6 and CLNS do not). Inverse ARP does not check whether the learned L3 address is on the same subnet.
Static mapping: frame-relay map ip {address} {DLCI} [broadcast]; once configured it disables Inverse ARP for that {circuit, protocol} pair
Autoconfig - a router with no configuration on the interface automatically attempts to obtain an address, and in order to do so it learns the encapsulation.
Tip: this matters because during loading the router can create Inverse ARP mappings to 0.0.0.0, which later cause L3 problems. In that case save your configuration and reload.
show frame-relay pvc - circuit status
When broadcast is enabled on a circuit and L3 hands down a broadcast or multicast packet, it is sent as a pseudo-broadcast (replicated onto every circuit marked broadcast). The broadcast keyword on a mapping does not refer to that mapping alone; it applies to the whole {circuit, protocol} pair.
Point-to-point subinterfaces do not perform Inverse ARP and do not allow static mappings, because every packet is sent out the single circuit assigned to the subinterface.
Frame Relay Switch
Globally enable frame-relay switching. Per interface: encapsulation frame-relay and frame-relay intf-type dce.
Then there are two ways of configuring the cross-connect:
- Legacy, per interface: frame-relay route {in-dlci} interface {int} {out-dlci}
- Current, global: connect {name} {interface-1} {DLCI-1} {interface-2} {DLCI-2}
Back-to-back Frame Relay
Directly connected routers, no switch, no LMI (no keepalive on both sides)
End-to-end keepalives
map-class frame-relay {name}
 frame-relay end-to-end keepalive mode request | reply | passive-reply | bidirectional
Applied on the interface with frame-relay class {name} or on a circuit with the class {name} command under frame-relay interface-dlci
3. PPP
LCP - Link Control Protocol: negotiates the link itself (authentication, MRU, multilink, etc.)
NCP - each higher-layer protocol has its own Network Control Protocol (IPCP for IP)
IPCP negotiation learns the address of the neighbor and installs it in the routing table as a /32 host route (in addition to the normal connected route)
PAP
One-way process; the password crosses the link in clear text, so use CHAP wherever possible
ppp authentication pap - the authenticator requests credentials
ppp pap sent-username {user} password {pass} - the peer responds with its credentials
CHAP
Three-way challenge/response: the authenticator sends a random challenge and the peer answers with MD5(id, secret, challenge). The secret itself never crosses the link, which is why both sides must hold the identical password.
ppp authentication chap
username {other router's hostname} password {shared password}
PPP over other protocols
interface virtual-template {n}
frame-relay interface-dlci {DLCI} ppp virtual-template {n}
PPP multilink - bundles several links into one logical interface (ppp multilink on the members and on the multilink/dialer interface)
PPPoE
Server side:
interface virtual-template {n}
bba-group pppoe {name}
 virtual-template {n}
interface fa0/0
 pppoe enable group {name}
Client side:
interface dialer {n}
 encapsulation ppp
 ip address negotiated (or a static address)
 dialer pool {x}
 dialer-group {y} | dialer persistent
interface fa0/0
 pppoe-client dial-pool-number {x}
ip mtu 1492 on the dialer - PPPoE adds 8 bytes (6 PPPoE + 2 PPP) inside the 1500-byte Ethernet payload and Ethernet cannot fragment, so the IP MTU must be lowered (ip tcp adjust-mss 1452 helps TCP sessions that ignore path MTU)
Transparent bridging
bridge 1 protocol ieee
interface fa0/0
 bridge-group 1
no ip routing
show bridge 1 group
IRB (integrated routing and bridging)
bridge irb
bridge 1 route ip
bridge 1 bridge ip
interface BVI1
 ip address X.X.X.X (from the bridge domain's subnet)
Fallback Bridging
Feature on Catalyst switches that bridges legacy (non-IP) protocols between VLANs while IP and IPv6 are routed
bridge 1 protocol vlan-bridge
interface vlan 1
 bridge-group 1
4. PROTOCOL INDEPENDENT ROUTING
Process switching - routing table lookup for every packet
Fast switching - caches an entry after the first packet of a flow has been process-switched
CEF - builds the FIB and adjacency table automatically from the routing table and ARP table, before any traffic arrives
show ip cef exact-route {source} {destination} - shows which path the packet will take (useful with load sharing)
Static route to a multipoint interface (Ethernet) without a next hop - the router ARPs for every final destination and depends on proxy ARP on the neighbor; prefer specifying the next-hop address
ip default-gateway: only used when ip routing is turned off
ip default-network: marks a classful network that is not directly connected as the default candidate and propagates the flag in routing advertisements
ODR (On-Demand Routing)
Uses CDP to carry routing information. On the hub configure router odr; on the spokes only make sure CDP is enabled. The hub advertises itself as default gateway and learns the connected networks of the spokes. No routing protocol may be running on the spokes.
Backup Interface
Configured on the primary interface; the backup's line protocol comes up only when the primary goes down
backup interface {int}
backup delay {enable} {disable}
Enhanced Object Tracking
ip sla monitor 1
 type {operation, e.g. echo protocol ipIcmpEcho x.x.x.x}
 frequency {sec}
ip sla monitor schedule 1 start-time now life forever
track 1 rtr 1 reachability (or: track 1 interface {int} line-protocol, etc.)
Many options exist for both the ip sla probe (ICMP echo, TCP connect, UDP jitter, etc.) and the tracked object (reachability, state, thresholds, track lists)
Policy Routing
interface: ip policy route-map {name}
Locally generated traffic: ip local policy route-map {name}
set ip next-hop verify-availability 10.0.0.138 10 track 6 - the next hop is used only while track object 6 is up
GRE
IP protocol 47
Default mode: tunnel mode gre ip
Recursive routing failure - the route to the tunnel destination is learned through the tunnel itself (for example when a routing protocol running over the tunnel advertises the destination's subnet), so the tunnel flaps. Keep the tunnel endpoints reachable only via the underlay (static route or filtering).
Keepalive - tracks reachability to the destination (the router sends encapsulated keepalives and expects them back), so the tunnel's line protocol reflects real connectivity. For reliability a secondary interface can be configured as backup interface for the tunnel: it comes up when the tunnel goes down, meaning reachability was lost even though the physical interface is still up.
5. RIP
UDP port 520
RIP version 1 - classful, broadcast
RIP version 2 - classless, multicast 224.0.0.9
Version 1 - if it receives a subnetted prefix it assumes the mask of the interface on which the prefix was received (same major network), otherwise the classful mask
To change the version per link, configure on the interface ip rip send version {1|2} and ip rip receive version {1|2}
Split horizon: enabled by default on all interfaces except the main (physical) interface of Frame Relay and other multipoint NBMA interfaces
Timers
Default:
Update 30
Invalid 180
Hold Down 180
Flush 240
Sleep - delays the regular update for this time after a triggered update is sent
Global: timers basic {update} {invalid} {holddown} {flush} [sleep]; per interface: ip rip advertise {sec}
flash-update-threshold {sec} - suppresses the flash (triggered) update if a regular update is due within this time
output-delay {ms} - delays the time between packets of the same update (helps slow receivers)
neighbor x.x.x.x - enables unicast updates to that neighbor
passive-interface - suppresses only the multicast/broadcast updates (unicast updates to configured neighbors are still sent and incoming updates are still processed)
Metric
Hop count, 15 maximum (16 = unreachable)
The metric is incremented by one hop in the outbound update
offset-list {0 | acl} in | out {hops to add} [interface]
Authentication
interface e0/0
 ip rip authentication mode text | md5
 ip rip authentication key-chain {key-chain}
Text mode sends the key in clear text and only prevents accidental peering; use md5 (keyed MD5 per RFC 2082) so a host on the segment cannot inject routes. The key-chain name need not match on both sides, but the key number and key string must.
Summarization
interface
 ip summary-address rip {address} {mask}
Cannot advertise supernets (only summarizes up to the classful boundary)
Filtering
Useful because you can filter based on prefix lists
When you filter with an extended access list, the source field matches the source of the update (the neighbor), not the next hop, and the destination field matches the prefix. You can also filter on the update source with prefix lists: distribute-list prefix {prefix-matching} gateway {neighbor-matching}
Default Route
default-information originate [route-map {name}]
Advertises 0.0.0.0/0. With a route-map we can set the interface and match addresses, in which case the default is only advertised if the specified addresses are in the routing table.
Triggered updates
interface e0/0
 ip rip triggered
Disables the periodic updates on that (point-to-point serial) interface and sends only triggered updates
validate-update-source - checks that an update comes from a valid source (same subnet as the receiving interface); on by default. No check is performed on unnumbered interfaces.
6. EIGRP
-IP protocol 88
-224.0.0.10 multicast for establishing adjacencies
-RTP (Reliable Transport Protocol, its own transport)
-uses unicast for much of normal operation (updates and queries to a specific neighbor, acks, replies) and multicast for hellos and for updates/queries to all neighbors
-the AS number is fundamental to establishing adjacencies (it is not merely local); K values must match too
-queue count should be 0 between neighbors (show ip eigrp neighbors)
-debug eigrp packets
-feasible successors: neighbors whose advertised distance (AD) is lower than my feasible distance (FD)
-show ip eigrp topology - shows successors and feasible successors
Auto-Summary
Creates a route to Null0 for the classful summary (disable with no auto-summary, the default in newer IOS)
Packet types
Mixed multicast and unicast
Hello - multicast to 224.0.0.10; changed to unicast with the neighbor command. Not reliable (does not wait for an ACK)
Ack - always unicast; basically a hello with no data and a non-zero acknowledgment number
Update - unicast when advertising the topology to a new neighbor, multicast for regular updates. Uses RTP
Query - multicast when looking for a route, unicast when retransmitted to a neighbor that did not acknowledge. Uses RTP
Reply - unicast reply to a query, with the route or with unreachable. Uses RTP
Timers
Hello - interval for sending hellos. Default 5 sec on most links, 60 sec on low-speed (T1 or slower) NBMA multipoint links. Configured under the interface: ip hello-interval eigrp {as} {sec}
Hold time - sent in the hello to tell the neighbor how long to wait before declaring me unreachable. Default 15 sec on fast links and 180 sec on slow NBMA links (3 x hello). Configured under the interface: ip hold-time eigrp {as} {sec}
Authentication
-classic mode supports only MD5 (named mode adds HMAC-SHA-256 with authentication mode hmac-sha-256)
-key number and key string must match on both sides
interface
 ip authentication mode eigrp {as} md5
 ip authentication key-chain eigrp {as} {key-chain}
Time-based keys:
on the key chain use send-lifetime and accept-lifetime (overlap the accept-lifetime of consecutive keys so clock skew does not break the adjacency)
Metric
Bandwidth term: 256 * 10^7 / lowest bandwidth (kbps) on the path
Delay term: 256 * total delay / 10 (delay in microseconds, summed along the path; IOS counts it in tens of microseconds)
Load, Reliability, MTU - carried but not used with the default K values (K1 = K3 = 1, K2 = K4 = K5 = 0)
AD (advertised / reported distance) - the metric as calculated by the next-hop neighbor. If a neighbor's AD is lower than my FD, that neighbor is a feasible successor
Best practice is to modify delay for traffic engineering, since it is cumulative along the path (bandwidth only matters on the slowest link and also affects QoS and other protocols)
Unequal load sharing
Only considers feasible successors (variance cannot make a non-feasible path usable)
router eigrp {as}
 variance X
 traffic-share balanced (on by default; traffic-share min across-interfaces installs the extra paths without sending traffic over them)
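The metric formula, the feasibility condition and the variance rule from the paragraphs above, worked through in Python (an added example, not part of the original notes and not Cisco code). The four-neighbor topology and the interface delays are constructed; the default IOS interface delays used are Ethernet 1000 us, FastEthernet 100 us, GigabitEthernet 10 us and T1 serial 20000 us.

```python
# Added example, not Cisco code: classic EIGRP composite metric with the
# default K values, the feasibility condition and variance. Topology is constructed.

def eigrp_metric(min_bw_kbps: int, total_delay_usec: int) -> int:
    """Default K1=K3=1 (others 0):
    metric = 256 * (10^7 / min_bandwidth_kbps + total_delay_usec / 10)
    Bandwidth is the slowest link on the path; delay is summed along it and
    counted in tens of microseconds, with integer truncation as in IOS."""
    return 256 * (10_000_000 // min_bw_kbps + total_delay_usec // 10)


def evaluate(paths: dict, variance: int = 1) -> dict:
    """paths: {neighbor: (nbr_min_bw, nbr_total_delay, link_bw, link_delay)}
    The neighbor advertises its own min bandwidth / total delay (the vector
    EIGRP actually carries); we add the link to that neighbor to get our FD.
    Returns AD/FD per neighbor, successors, feasible successors and the paths
    used for load sharing at the given variance."""
    table = {}
    for nbr, (nbr_bw, nbr_delay, link_bw, link_delay) in paths.items():
        ad = eigrp_metric(nbr_bw, nbr_delay)            # advertised (reported) distance
        fd = eigrp_metric(min(nbr_bw, link_bw), nbr_delay + link_delay)
        table[nbr] = (ad, fd)
    best_fd = min(fd for _, fd in table.values())
    successors = sorted(n for n, (ad, fd) in table.items() if fd == best_fd)
    # Feasibility condition: AD must be STRICTLY lower than the current FD.
    # AD == FD is not enough; that is the classic "why is it not a feasible successor" case.
    feasible = sorted(n for n, (ad, fd) in table.items() if fd != best_fd and ad < best_fd)
    # Variance only ever promotes feasible successors: FD <= variance * best FD.
    load_share = sorted(n for n in successors + feasible if table[n][1] <= variance * best_fd)
    return {"table": table, "successors": successors,
            "feasible_successors": feasible, "load_share": load_share}


# Constructed: one destination reachable via four neighbors; the link to every
# neighbor is FastEthernet (100000 kbps, 100 usec).
PATHS = {
    "R2": (100_000, 100, 100_000, 100),   # one FE hop behind R2
    "R3": (1_544, 20_000, 100_000, 100),  # T1 on R3's side: huge AD, never feasible
    "R4": (100_000, 110, 100_000, 100),   # Gig + FE behind R4: AD 28416 < our FD 30720
    "R5": (100_000, 200, 100_000, 100),   # two FE hops: AD 30720 == our FD, NOT feasible
}

if __name__ == "__main__":
    for v in (1, 2):
        r = evaluate(PATHS, variance=v)
        print(f"variance {v}: successors={r['successors']} "
              f"feasible={r['feasible_successors']} load_share={r['load_share']}")
```

R5 is the case that confuses people: its AD equals our FD, so it is not a feasible successor and no variance value will ever install it; only R4 can be added, and only once variance 2 makes its FD of 30976 fall under 2 x 30720.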
Eigrp summary and leak-maps
Summarization not only reduces routing table size but also reduces the number of queries: routers do not send queries for subnets they never had in their routing tables, so a summary bounds the query scope. Besides, it can be used for traffic manipulation with leak maps, because you can advertise both a summary and selected longer matches to specific neighbors (ip summary-address eigrp {as} {address} {mask} leak-map {name}).
Stub Routers
router eigrp 100
 eigrp stub
A stub does not receive any query messages and does not advertise routes learned from neighbors to other neighbors. The default option is eigrp stub connected summary: only connected and summary routes are advertised. So although we do not pass on routes from neighbors, we can summarize and pass on prefixes of our own.
eigrp stub leak-map {name} - advertises selected learned routes despite the stub setting
Default distribution
The command default-information controls only the acceptance of default routes in EIGRP (default-information in | out with an ACL), not their generation.
To actually distribute a default route we have to have such a route in the routing table, and then distribute it with either the network command (a static default pointing at an exit interface is treated like a connected route and advertised when network 0.0.0.0 covers it), redistribute static, or ip default-network (flags any classful network as the default)
Filtering
distribute-list {standard | extended ACL} | prefix {name} | route-map {name} in | out [interface] - an extended ACL matches the source (neighbor) as well as the prefix; a route-map can also match tags or metric
Router-id: essentially a mechanism for preventing loops with redistributed (external) routes: the originating router-id is carried in the external route, so a router never reinstalls an external route it originally redistributed itself
router eigrp {as}
 eigrp router-id {x.x.x.x}
Important review!
router eigrp {as}
 eigrp router-id {x.x.x.x}
 metric maximum-hops {n}
 distance eigrp {internal} {external}
 eigrp log-neighbor-changes
 eigrp log-neighbor-warnings {seconds}
 timers active-time {minutes | disabled} - how long a route may stay active before it is declared stuck-in-active
OSPF
-Link state
-Dijkstra SPF
-only works as a true link-state protocol for the intra-area topology; between areas it behaves like distance vector (summary LSAs carry a cost, not a topology)
-the most specific matching network statement determines which area an interface is in
-IP protocol 89
-hellos multicast to 224.0.0.5 (AllSPFRouters) / 224.0.0.6 (AllDRouters), or unicast on NBMA network types
Parameters that must match to form an adjacency:
-area ID
-hello and dead intervals
-interface MTU (a mismatch stalls the Exchange state unless ip ospf mtu-ignore)
-subnet and mask (on broadcast/NBMA types)
-authentication type and key
-stub/NSSA area flags (options field)
Parameters that must be unique:
-router ID
-IP address of the interface on the segment
Network type is not checked in the hello, but a DR / no-DR mismatch breaks the database (see below)
OSPF ADJACENCY
Down
Attempt - NBMA only: hellos are sent to a statically configured neighbor that has not answered yet
Init - a hello has been received but it does not yet list our router-id, meaning the neighbor has not acknowledged our hello
2-Way - bidirectional communication (we see each other's IDs in the hellos); DR/BDR election happens here
ExStart - negotiating master/slave and the initial DBD sequence number
Exchange - exchanging database descriptors (DBD)
Loading - requesting the missing LSAs (LSR/LSU)
Full
Basic LSAs (intra-area)
Router LSA (type 1)
How a link is advertised depends on the network type. Loopback interfaces are advertised as stub links with a /32 address. Point-to-point interfaces are advertised as a stub link if there is no neighbor and as a point-to-point link (plus a stub for the subnet) if there is one. On broadcast networks the link is advertised as transit and carries the address of the DR.
LSA type 1 - router LSA, one per router per area
LSA type 2 - network LSA, advertised by the DR for each transit segment, listing the attached routers
Network Types
Network Broadcast
-elects DR and BDR
-all routers form full adjacencies with the DR and BDR; the other adjacencies stay in 2-Way
-routers send their LSUs to the DRs on 224.0.0.6 and the DR floods to 224.0.0.5
-the DR is chosen by priority and then router-id, but there is no preemption, so what ultimately matters is which router started its OSPF process first. Best practice is to configure priority 0 on the routers we do not want to be DR or BDR:
interface fa0/0
 ip ospf priority 0
Network Non-Broadcast
Behaves like broadcast, but neighbors must be defined statically (neighbor x.x.x.x under router ospf). For this to work there must be a full-mesh L2; otherwise we run into DR election issues, and even if we make the hub the DR, since the DR does not change the next hop, spokes still cannot reach networks behind other spokes.
Point-to-Multipoint
Neighbors are discovered dynamically and each adjacency is treated as a separate P2P link (host routes are installed for the neighbors). No DR/BDR is elected. The right choice for hub-and-spoke NBMA.
Point-to-Point
Similar to point-to-multipoint, but supports only two neighbors on the link. Network types are compatible with each other if their DR election behavior is the same (broadcast with non-broadcast, point-to-point with point-to-multipoint); care must then be taken that the timers match, since the defaults differ.
Important: if the network types disagree on DR / no-DR, the adjacency still forms, but the databases will not be truly synchronized (the router LSAs differ in their view of the segment, transit vs point-to-point), and therefore no routes will be installed across that link.
Point-to-Multipoint Non-Broadcast
Same as point-to-multipoint, but neighbors must be statically defined. Useful in order to define a per-neighbor cost:
router ospf {x}
 neighbor y.y.y.y cost {cost}
Loopback Network
Always advertised as /32 regardless of the subnet mask on the loopback itself (unless ip ospf network point-to-point is configured on it)
Path Selection
-cost is 100,000,000 / bandwidth (bps) in Cisco's implementation, i.e. a reference bandwidth of 100 Mbps; every link of 100 Mbps or faster gets cost 1, so raise the reference on all routers in the domain
router ospf {x}
 auto-cost reference-bandwidth {Mbps}
Route preference: O > O IA > O E1 / O N1 > O E2 / O N2 (intra-area beats inter-area, and type 1 externals beat type 2 externals regardless of cost; per RFC 3101, an E route is preferred over an N route of the same type when the costs tie)
O IA: when a router receives an inter-area route, it adds the cost advertised in the type 3 summary LSA to the cost it calculates through SPF to the ABR, and that is the cost to the destination
O E2: the cost consists only of the metric advertised by the ASBR, which by default is 20. If there is a tie, the tie-breaker is the forward metric, the cost from the router to the ASBR. If the ASBR is in another area, the ABR generates a type 4 (ASBR summary) LSA describing how to reach it.
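The cost calculation and the preference rules of this section (type first, then cost, forward metric as the E2 tie-breaker) in Python, as an added example that is not part of the original notes and not Cisco code. The candidate routes for the prefix are constructed.

```python
# Added example, not Cisco code: OSPF interface cost from the reference bandwidth
# and the route preference rules above. Routes are constructed.

def ospf_cost(interface_bw_kbps: int, reference_bw_mbps: int = 100) -> int:
    """IOS: cost = reference bandwidth / interface bandwidth, truncated, clamped to 1..65535.
    With the default 100 Mbps reference, FastEthernet and every faster link all cost 1,
    which is why auto-cost reference-bandwidth should be raised on all routers."""
    cost = (reference_bw_mbps * 1000) // interface_bw_kbps
    return max(1, min(cost, 65535))


# Lower rank is preferred. E and N routes of the same type share a rank.
TYPE_RANK = {"O": 0, "O IA": 1, "O E1": 2, "O N1": 2, "O E2": 3, "O N2": 3}


def route_key(route: dict) -> tuple:
    """route: {"type", "internal_cost" (SPF cost to the destination, ABR or ASBR),
    "advertised" (summary or external metric, 0 for intra-area)}.
    O / O IA:  type, then SPF cost + summary cost.
    E1 / N1:   type, then internal cost to the ASBR + advertised metric.
    E2 / N2:   type, then advertised metric only; the internal cost (forward metric) breaks ties."""
    rank = TYPE_RANK[route["type"]]
    internal, advertised = route["internal_cost"], route.get("advertised", 0)
    if rank == 3:
        return (rank, advertised, internal)
    return (rank, internal + advertised, 0)


def best_ospf_route(routes):
    return min(routes, key=route_key)


# Constructed candidates for one prefix, 172.16.0.0/24, on one router.
VIA_ASBR1 = {"name": "E2 via ASBR1", "type": "O E2", "internal_cost": 64, "advertised": 20}
VIA_ASBR2 = {"name": "E2 via ASBR2", "type": "O E2", "internal_cost": 1, "advertised": 20}
VIA_ASBR3 = {"name": "E1 via ASBR3", "type": "O E1", "internal_cost": 1000, "advertised": 20}
INTER_AREA = {"name": "O IA via ABR", "type": "O IA", "internal_cost": 10, "advertised": 5000}

if __name__ == "__main__":
    print("FE cost, ref 100 Mbps:", ospf_cost(100_000))            # 1
    print("Gig cost, ref 100 Mbps:", ospf_cost(1_000_000))         # 1 (clamped)
    print("Gig cost, ref 10 Gbps:", ospf_cost(1_000_000, 10_000))  # 10
    print(best_ospf_route([VIA_ASBR1, VIA_ASBR2])["name"])         # E2 tie: lower forward metric
    print(best_ospf_route([VIA_ASBR1, VIA_ASBR2, VIA_ASBR3])["name"])  # E1 beats E2 despite cost 1020
    print(best_ospf_route([VIA_ASBR3, INTER_AREA])["name"])        # O IA beats any external
```

The last two calls make the point of the preference list: an E1 route with a total cost of 1020 still beats an E2 route with cost 20, and an inter-area route with cost 5010 beats both.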
Timers
Default 10 sec hello, 40 sec dead - broadcast and point-to-point
Default 30 sec hello, 120 sec dead - the other (NBMA) network types
interface fastethernet 0/0
 ip ospf hello-interval {sec}
 ip ospf dead-interval {sec}
OR
 ip ospf dead-interval minimal hello-multiplier {y} - dead interval of 1 sec with y hellos per second
Reducing the timers too far raises CPU load and can make adjacencies flap. The better option for fast failure detection is BFD (bfd interval ... on the interface plus ip ospf bfd).
OSPF Authentication
Can be enabled at the area level (area {x} authentication [message-digest]) or at the link level (ip ospf authentication [message-digest] on the interface). However, the password or key itself is always configured under the interface:
interface fa0/0
 ip ospf authentication-key {password} - type 1, clear text in every packet
 ip ospf message-digest-key {key-id} md5 {password} - type 2, keyed MD5 with a cryptographic sequence number
Use message-digest: type 1 exposes the password to anyone on the segment. Several message-digest keys can be configured at once for key rollover; the router sends a copy of each packet with every configured key until the old key is removed everywhere.
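What ip ospf message-digest-key actually puts on the wire, and how the receiver checks it, as an added example that is not part of the original notes and not Cisco code. It follows the type 2 (cryptographic) authentication of RFC 2328 Appendix D: the key, padded to 16 bytes, is appended to the packet, MD5 is taken over the result, and the digest trails the packet; the same keyed-MD5 idea is used by the RIPv2 (RFC 2082) and classic EIGRP authentication described earlier. The hello body, router ID and key are constructed.

```python
# Added example, not Cisco code: OSPFv2 type 2 authentication per RFC 2328
# Appendix D, with the receiver-side digest and sequence number checks.
import hashlib
import hmac
import struct

KEY_ID = 1
KEY = b"ccie-lab-key"   # constructed; IOS: ip ospf message-digest-key 1 md5 ccie-lab-key


def ospf_header(pkt_type, body_len, router_id, area_id, key_id, seq):
    """24-byte OSPFv2 header. Checksum is 0 with cryptographic authentication,
    AuType is 2 and the 8-byte authentication field holds
    0x0000 | Key ID | Auth Data Len (16) | cryptographic sequence number."""
    return struct.pack("!BBH4s4sHHHBBI",
                       2, pkt_type, 24 + body_len, router_id, area_id,
                       0, 2, 0, key_id, 16, seq)


def md5_digest(packet, key):
    """RFC 2328 D.4.3: MD5 over the packet followed by the key padded (or cut) to 16 bytes.
    The digest is appended after the packet and is not counted in the OSPF length field."""
    return hashlib.md5(packet + key.ljust(16, b"\x00")[:16]).digest()


def build_authenticated(pkt_type, body, router_id, area_id, key_id, key, seq):
    packet = ospf_header(pkt_type, len(body), router_id, area_id, key_id, seq) + body
    return packet + md5_digest(packet, key)


def verify(frame, keys, last_seq):
    """Receiver check. keys: {key_id: key}; last_seq: highest cryptographic sequence
    number already accepted from this neighbor (-1 if none).
    Returns (accepted, reason, seq). Sequence numbers may repeat but must never go
    backwards; that is all the replay protection the scheme offers."""
    if len(frame) < 24 + 16:
        return False, "too short", None
    version, _ptype, length = struct.unpack("!BBH", frame[:4])
    autype, _zero, key_id, auth_len, seq = struct.unpack("!HHBBI", frame[14:24])
    if version != 2 or autype != 2 or auth_len != 16:
        return False, "not md5-authenticated", None
    if length + 16 != len(frame):
        return False, "length mismatch", None
    key = keys.get(key_id)
    if key is None:
        return False, "unknown key id", None
    if not hmac.compare_digest(md5_digest(frame[:length], key), frame[length:]):
        return False, "bad digest", None
    if seq < last_seq:
        return False, "replayed (old sequence number)", None
    return True, "ok", seq


# Constructed hello: mask /24, hello 10, options E-bit, priority 1, dead 40, no DR/BDR.
ROUTER_ID = bytes([10, 0, 0, 1])
AREA_0 = bytes(4)
HELLO_BODY = struct.pack("!4sHBBI4s4s", bytes([255, 255, 255, 0]), 10, 0x02, 1, 40, bytes(4), bytes(4))
FRAME = build_authenticated(1, HELLO_BODY, ROUTER_ID, AREA_0, KEY_ID, KEY, seq=100)


def tampered_frame():
    """Same frame with one bit flipped in the router dead interval (body bytes 8..11)."""
    f = bytearray(FRAME)
    f[24 + 11] ^= 0x01
    return bytes(f)


if __name__ == "__main__":
    print(verify(FRAME, {KEY_ID: KEY}, -1))              # (True, 'ok', 100)
    print(verify(FRAME, {KEY_ID: b"wrong"}, -1))         # bad digest
    print(verify(tampered_frame(), {KEY_ID: KEY}, -1))   # bad digest
    print(verify(FRAME, {KEY_ID: KEY}, 101))             # replayed
```

Two things worth noticing: the digest is a keyed hash, not an HMAC, and the only replay protection is the monotonic sequence number, so a captured packet can be replayed until the neighbor's sequence number moves past it. Rotate keys with the key rollover described above, and where the IOS release supports it prefer the HMAC-SHA algorithms of RFC 5709.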
OSPF Summarization
Only possible at points where it does not influence SPF: the ABR (type 3) and the ASBR (type 5/7)
-ABR: area {area} range {address} {mask}
-ASBR: summary-address {address} {mask}
Both generate a discard route to Null0 for the summary; it can be disabled with no discard-route {external | internal}
The cost of a summarized route is by default the lowest cost among the component subnets. To change to the RFC 2328 behavior, in which it is the highest component metric, issue no compatible rfc1583 (on all routers, since the setting must be uniform in the domain).
Stub Areas
The stub flag must match for adjacencies to form
Stub area - removes type 4 and type 5 LSAs and instead advertises a default route in a type 3 LSA: area {x} stub on every router in the area
Totally stubby area - also removes type 3 LSAs and replaces them with the default: area {x} stub no-summary; only the ABR needs the no-summary keyword
NSSA - external routes are carried in type 7 LSAs. Does not generate a default route automatically, only if you issue area {x} nssa default-information-originate on the ABR. An NSSA will not accept external routes that did not originate from an ASBR in its own area. When a type 7 LSA reaches the ABR it is translated to a type 5 LSA. NOTE: the type 7 carries the address of the originating ASBR as forwarding address, and it is preserved in the translation (unlike a normal type 5, whose forwarding address is 0.0.0.0, meaning route toward the advertising ASBR).
Totally NSSA - same as NSSA but also filters the type 3 summaries: area {x} nssa no-summary
Filtering
-area {x} filter-list prefix {name} in | out
 Area is the area the filter is applied at; in filters type 3 LSAs entering area x, out filters type 3 LSAs leaving area x (toward area 0 and the other areas)
interface e1/0
 ip ospf database-filter all out - LSAs are not flooded out this interface
OR
router ospf {x}
 neighbor {x.x.x.x} database-filter all out - per neighbor; the interface must be point-to-point or point-to-multipoint
If we need to suppress the forwarding address in translated type 5 LSAs, so that traffic goes to the translating ABR instead: area {x} nssa translate type7 suppress-fa
Miscellaneous
router ospf {x}
 ignore lsa mospf - suppresses the syslog message for received type 6 (MOSPF) LSAs
 timers pacing retransmission {msec} - spacing of consecutive LSAs in the retransmission queue
interface fa0/0
 ip ospf retransmit-interval {sec} - time the process waits on this interface before retransmitting an LSA that was not acknowledged
summary-address x.x.x.x y.y.y.y not-advertise - a different way of filtering a prefix (only on an ASBR, type 5)
area {x} range x.x.x.x y.y.y.y not-advertise - same as above for inter-area (type 3) routes on the ABR
max-lsa {number} [threshold-percentage] [warning-only] - limits the number of non-self-generated LSAs accepted
redistribute maximum-prefix {number} [threshold] [warning-only] - both this and max-lsa can either only warn or stop accepting/redistributing once the maximum is reached, with a percentage threshold for an early warning. Both are worth setting as a guard against a misconfigured or malicious neighbor flooding the database.
REDISTRIBUTION
-redistribution takes routes from the routing table, not from the underlying protocol databases. The redistribute command takes the routes learned from the named protocol plus the connected subnets of the interfaces that participate in that protocol
-when an explicit redistribute connected is configured, those interface subnets are no longer advertised through redistribute {protocol}; they come in as connected routes instead
-RIP and EIGRP advertise only what is in the routing table, while OSPF and BGP advertise from their respective databases
Redistribution into RIP
-does not differentiate between external and internal routes
-has no default metric, so it must be specified: redistribute {protocol} metric {hops} or default-metric {hops}
Redistributing into EIGRP
-external routes AD 170 / internal 90
-uses the originating router-id for additional loop prevention
-no default metric unless the redistribution is from another EIGRP/IGRP process; otherwise set default-metric {bw} {delay} {reliability} {load} {mtu} or metric on the redistribute command
Redistributing into OSPF
-same AD (110) for external and internal routes by default, but it can be changed (distance ospf external {x} inter-area {y} intra-area {z})
-preference O > O IA > E1 / N1 > E2 / N2
-defaults to metric 20 (1 when redistributing from BGP) and metric-type 2 (E2)
-must use the subnets keyword so that not only classful networks are redistributed
-O E2: the metric stays as advertised by the ASBR (the internal cost is not added). The internal cost is considered only as a tie-breaker
-O E1: preferred over E2; the cost is the sum of the internal cost to the ASBR and the metric advertised by the ASBR
Redistributing into BGP
-redistributed routes get origin code incomplete (?), so they can be recognized
-does not redistribute external OSPF routes by default (use redistribute ospf {x} match internal external 1 external 2)
-when redistributing BGP into an IGP, by default only eBGP routes are redistributed (bgp redistribute-internal allows iBGP routes, with loop risk)
Preventing Loops
-two general kinds of loops: metric loops within the same protocol and AD loops among different protocols
-with distance vector protocols, since the information is distributed from the routing table, we can run into the case where a router receives an update but does not redistribute it because it was not installed in the routing table. For EIGRP we will see the FD as inaccessible/unreachable
Metric issue 1:
In RIP, which has no difference between internal and external routes, you can get a redistributed route back through another redistribution point with a better metric. The best solution is tagging routes (set tag in the redistribution route-map) and denying routes carrying your tag at the other redistribution points so they do not get redistributed again
AD issue:
When a route is received over a looped path with a lower AD, the higher-AD route is withdrawn; the lower-AD route then disappears as well (it depended on the redistributed one), so the higher-AD route is reinstalled, and so on (route flapping).
ip route profile - measures routing table stability (show ip route profile)
distance {AD} {source address} {wildcard} [ACL] - raises or lowers the AD of routes from specific neighbors or prefixes, used to break the AD loop
BGP
-the difference between policy and metric: a metric is derived from the topology and the path, while BGP attributes are assigned to a destination (prefix) by policy
-if both speakers start their TCP connections simultaneously, the connection initiated by the router with the higher router-id is kept (the higher-id router ends up as the TCP client)
EBGP
-neighbor {x.x.x.x} ebgp-multihop {ttl} - raises the TTL of outgoing BGP packets beyond the default of 1 so the peer may be several hops away; no check is made on the TTL of received packets
-neighbor {x.x.x.x} ttl-security hops {y} - GTSM (RFC 5082): packets are sent with TTL 255 and a received packet is discarded unless its TTL is >= 255 - y, so a spoofed packet from further away than y hops never reaches the BGP process. Mutually exclusive with ebgp-multihop and preferred over it
-neighbor {x.x.x.x} disable-connected-check - removes the directly-connected requirement for a single-hop eBGP session sourced from loopbacks, without raising the TTL
-NEXT_HOP is set to my update-source address toward that neighbor
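The difference between ttl-security and ebgp-multihop in what the receiving router accepts, as an added example that is not part of the original notes and not Cisco code. Peer addresses, the neighbor table and the packets are constructed; the check models the receive side of RFC 5082 (GTSM) and the plain TTL handling of ebgp-multihop.

```python
# Added example, not Cisco code: receive-side TTL checks for BGP peers configured
# with ttl-security (GTSM, RFC 5082) versus ebgp-multihop. Everything is constructed.
import ipaddress
import struct

# Constructed neighbor table mirroring the three ways of configuring a peer above.
NEIGHBORS = {
    "192.0.2.2":    {"mode": "ttl-security", "hops": 1},   # directly connected eBGP peer
    "198.51.100.9": {"mode": "ebgp-multihop", "hops": 3},  # loopback peering, 2 routers in between
    "10.0.0.7":     {"mode": "ibgp"},
}
BGP_PORT = 179


def build_ipv4_tcp(src, dst, ttl, dport=BGP_PORT):
    """Minimal IPv4 header (checksum left 0) plus the first 4 bytes of a TCP header:
    enough for the fields the check reads. Constructed test input."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + struct.pack("!HH", 49152, dport)


def arriving_ttl(initial_ttl, transit_routers):
    """Every router between sender and receiver decrements TTL by one;
    a directly connected peer has zero routers in between."""
    return initial_ttl - transit_routers


def bgp_accept(frame, neighbors=NEIGHBORS):
    """Decide whether the receiving router's BGP process should see this packet."""
    ttl, proto = frame[8], frame[9]
    src = str(ipaddress.IPv4Address(frame[12:16]))
    dport = struct.unpack("!H", frame[22:24])[0]
    if proto != 6 or dport != BGP_PORT:
        return False, "not BGP"
    peer = neighbors.get(src)
    if peer is None:
        return False, "not a configured neighbor"
    if peer["mode"] == "ttl-security":
        # GTSM: both ends send TTL 255; accept only TTL >= 255 - hops.
        # A forged packet from further away has been decremented too often to qualify.
        floor = 255 - peer["hops"]
        return ttl >= floor, f"ttl {ttl}, required >= {floor}"
    if peer["mode"] == "ebgp-multihop":
        # Legacy: the sender sets its outgoing TTL to the configured value; the receiver
        # only needs the packet to arrive, so any host that can spoof the peer address passes.
        return ttl >= 1, "ebgp-multihop: no TTL check"
    return ttl >= 1, "ibgp: TTL 255 sent, no check"


# Genuine packets: the directly connected peer sends TTL 255 (GTSM), the
# multihop peer sends TTL 3 (its ebgp-multihop value) across two transit routers.
GENUINE_DIRECT = build_ipv4_tcp("192.0.2.2", "192.0.2.1", arriving_ttl(255, 0))
GENUINE_MULTIHOP = build_ipv4_tcp("198.51.100.9", "198.51.100.1", arriving_ttl(3, 2))
# Spoofed packets from an attacker five routers away using each peer's source address
# and the maximum TTL it can set.
SPOOFED_DIRECT = build_ipv4_tcp("192.0.2.2", "192.0.2.1", arriving_ttl(255, 5))
SPOOFED_MULTIHOP = build_ipv4_tcp("198.51.100.9", "198.51.100.1", arriving_ttl(255, 5))

if __name__ == "__main__":
    for name, f in [("genuine direct", GENUINE_DIRECT), ("spoofed direct", SPOOFED_DIRECT),
                    ("genuine multihop", GENUINE_MULTIHOP), ("spoofed multihop", SPOOFED_MULTIHOP)]:
        print(f"{name:18s} -> {bgp_accept(f)}")
```

The spoofed packet toward the ttl-security peer arrives with TTL 250 and is dropped before BGP ever parses it; the same attacker reaches the ebgp-multihop session without difficulty, which is why GTSM is the option to use wherever both ends support it.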
IBGP
-TTL default 255
-does not advertise iBGP-learned routes to other iBGP neighbors (full mesh, route reflectors or confederations are required)
-does not modify NEXT_HOP by default
PEERING
-uses as update source the address of whatever outgoing interface the routing table picks (unless neighbor x.x.x.x update-source is configured); the peer must see the session arrive from the address it has configured
-timer negotiation settles on the lower of the two hold times
-Idle
-Connect
-Active
-OpenSent
-OpenConfirm
-Established
4-BYTE AS
-asdot format 0.0 to 65535.65535 (bgp asnotation dot); plain decimal is asplain
-speakers that do not support 4-byte AS numbers see such an AS as AS_TRANS, 23456
Peering rules
-local-as can be set per neighbor: neighbor {x.x.x.x} remote-as {RAS} followed by neighbor {x.x.x.x} local-as {LAS} [no-prepend] [replace-as] [dual-as]
-dual-as lets the neighbor peer with either the real AS or the local-as
-peer-group {name}
-neighbor x.x.x.x peer-group {name}
-show ip bgp {x.x.x.x} - shows also routes whose next hop is inaccessible (not installed)
-neighbor x.x.x.x | peer-group next-hop-self - changes the next hop to the update-source address toward that neighbor
-the next hop can also be set with a route-map to a third-party address
Route Reflector
-centralizes iBGP route distribution so a full mesh is not needed
-loop prevention through CLUSTER_LIST (cluster-id) and ORIGINATOR_ID
-routes from non-client peers are advertised only to eBGP peers and clients; routes from clients and from eBGP peers go to everyone
-best practice for RRs is applying a peer group to the client routers, so the RR does not need to run update generation multiple times
-show ip bgp regexp ^$ - locally originated routes (empty AS path)
-if we have multiple RRs in the same cluster, set the cluster-id manually to the same value on all of them to prevent update loops (they would not loop in the data plane, just the updates)
router bgp {x}
 bgp cluster-id {id}
-one issue with multiple RRs is that they may not agree on the best path if left to the defaults (different IGP metrics or router-ids)
BGP confederation
bgp confederation identifier {as} - the true (public) AS
bgp confederation peers {as ...} - the other sub-ASes that belong to the same confederation
-NEXT_HOP, MED and LOCAL_PREF are preserved when advertised to a confederation eBGP peer (in that respect it behaves like iBGP)
-TTL is set to 1 by default, just like true eBGP, so confederation peers that are not directly connected need ebgp-multihop
bgp bestpath med confed - include MED in intra-confederation path selection
local-as vs no-export: with community no-export, routes are still advertised to confederation peers and only withheld from true eBGP peers. With the local-as community they are not advertised to confederation eBGP peers either
Route Advertisement
-MED is inherited from the IGP metric (both with the network statement and with redistribute)
-network statement routes are installed with origin IGP (i)
-for a network statement to take effect there must be an exact match (prefix and mask) in the routing table
-redistributed routes are installed with origin incomplete (?)
-MED is non-transitive, so it is not propagated beyond the first eBGP neighbor
Aggregation
-aggregate-address x.x.x.x y.y.y.y [summary-only | suppress-map {name}] - suppressed component routes get status code s
-neighbor x.x.x.x unsuppress-map {name} - similar to a leak-map in EIGRP, re-advertises suppressed components to one neighbor
-attribute-map (aggregate-address) / route-map (network): at the end of the network or aggregate-address command, changes the attributes of the prefix locally
-advertise-map - controls which component routes, and therefore which ASes, are included when as-set is configured
-bgp inject-map {xxx} exist-map {yyy} - generates longer prefixes from an aggregate (conditional route injection)
Best Path
-Weight (highest), Local Preference (highest), locally originated, shortest AS-Path, Origin (i < e < ?), lowest MED (compared only between paths from the same neighbor AS unless bgp always-compare-med), eBGP over iBGP, lowest IGP metric to the next hop, then oldest eBGP path, lowest router-id, shortest cluster list, lowest neighbor address
-if all of the above are equal, BGP looks at maximum-paths to decide whether to install multiple routes
-even if multiple routes are installed only one is chosen as best (based on the tie-breakers) and advertised to neighbors
-outbound traffic is easy to influence through weight and local preference; inbound traffic is harder, because MED is not transitive and AS-path prepending gives you little control over what other ASes do
-A partial solution for inbound traffic engineering is an agreement with the ISP to set policy
through communities. That way I can influence the local preference the ISP assigns to my prefixes
through a community that I signal
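The best-path list above reads as prose; the following is an added example (not part of the original notes) that applies those tie-breakers in order to a set of constructed paths. The attribute names, the Path class and the sample routes are assumptions for illustration; the MED rule shows why MED is only compared between paths from the same neighboring AS unless always-compare-med is configured.

```python
"""Added example (not part of the original notes): a BGP best-path comparison
that applies the tie-breakers in the order listed above. The Path fields and
the sample routes below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import List, Optional

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}  # IGP < EGP < Incomplete (lower wins)


@dataclass
class Path:
    prefix: str
    weight: int = 0
    local_pref: int = 100
    locally_originated: bool = False
    as_path: List[int] = field(default_factory=list)
    origin: str = "i"
    med: int = 0
    ebgp: bool = True
    igp_metric: int = 0          # IGP cost to the BGP next hop
    router_id: str = "0.0.0.0"   # advertising router's BGP router-id
    age: int = 0                 # seconds since learned (larger = older)


def neighbor_as(p: Path) -> Optional[int]:
    return p.as_path[0] if p.as_path else None


def ip_key(addr: str) -> int:
    return int.from_bytes(bytes(int(o) for o in addr.split(".")), "big")


def better(a: Path, b: Path, always_compare_med: bool = False) -> Path:
    """Return the preferred of two paths (the first decisive step wins)."""
    if a.weight != b.weight:
        return a if a.weight > b.weight else b
    if a.local_pref != b.local_pref:
        return a if a.local_pref > b.local_pref else b
    if a.locally_originated != b.locally_originated:
        return a if a.locally_originated else b
    if len(a.as_path) != len(b.as_path):
        return a if len(a.as_path) < len(b.as_path) else b
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:
        return a if ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin] else b
    # MED is only compared between paths from the same neighboring AS unless
    # 'bgp always-compare-med' is configured.
    if (always_compare_med or neighbor_as(a) == neighbor_as(b)) and a.med != b.med:
        return a if a.med < b.med else b
    if a.ebgp != b.ebgp:
        return a if a.ebgp else b
    if a.igp_metric != b.igp_metric:
        return a if a.igp_metric < b.igp_metric else b
    # Remaining tie-breakers: oldest path (eBGP only), then lowest router-id.
    if a.ebgp and b.ebgp and a.age != b.age:
        return a if a.age > b.age else b
    return a if ip_key(a.router_id) <= ip_key(b.router_id) else b


def best_path(paths: List[Path], always_compare_med: bool = False) -> Path:
    best = paths[0]
    for p in paths[1:]:
        best = better(best, p, always_compare_med)
    return best


# Constructed sample paths for one prefix as seen on a border router.
SAMPLE = [
    Path("10.0.0.0/8", as_path=[65001, 65100], med=50, router_id="1.1.1.1"),
    Path("10.0.0.0/8", as_path=[65001, 65200], med=10, router_id="2.2.2.2"),
    Path("10.0.0.0/8", as_path=[65002, 65200, 65300], router_id="3.3.3.3"),
    Path("10.0.0.0/8", ebgp=False, local_pref=200, as_path=[65003], router_id="4.4.4.4"),
]

if __name__ == "__main__":
    print("best:", best_path(SAMPLE).router_id)          # 4.4.4.4 (local-pref 200)
    print("eBGP only:", best_path(SAMPLE[:3]).router_id)  # 2.2.2.2 (lower MED, same AS)
```

Drop the iBGP path with local-pref 200 and the decision falls through to MED, which is only decisive between the two paths from AS 65001; the third path loses on AS-path length before MED is reached.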
-ip bgp-community new-format- displays communities as AA:NN
-well known communities: no-export, no-advertise and local-as (like no-export but also blocks
confederation eBGP peers)
-a community can be set in a route-map, but it must be matched through a community-list
-neighbor x.x.x.x send-community must be specified for community values to be advertised
Filtering
-extended access-lists can be configured to match a prefix as well (the source field matches the prefix
and the destination field matches the mask)
-Order of filtering:
-Inbound: filter-list, route-map, distribute-list
-Outbound: distribute-list, ORF, filter-list, route-map
MPLS
-4 byte shim header (20-bit label, 3 EXP bits, 1 bottom-of-stack bit, 8-bit TTL)
-LFIB: CEF table + labels
-ingress PE adds the label (label push / imposition)
-label operations: push (add label), swap (forward with a new label), pop (remove label)
-LDP neighbor discovery on UDP 646 to 224.0.0.2
-LDP session on TCP 646 between routers, sourced from the LDP router-id (which must be reachable)
-penultimate hop popping (PHP): instead of the egress PE having to do an MPLS lookup on incoming packets,
the penultimate hop in the LSP pops the label and forwards the packet to the PE unlabeled
-If we set next-hop-self but DO NOT use the loopback as the BGP next hop, the transport label is popped a
hop too early: the adjacent P is also connected to that /30 and advertises implicit-null for it, so it
receives the packet carrying only the VPN label and drops it
L3 VPNs
-VPNv4 route: 64-bit RD + IPv4 prefix
-VPN label: from BGP VPNv4
-transport label: label towards the other PE (the BGP next hop)
-RIP and EIGRP are both configured with a global process plus per-VRF address families
-On EIGRP the autonomous-system must be configured under the address family as well, since it can be
different per address family
-no bgp default route-target filter: do not discard VPNv4 prefixes for which there is no matching RT
(used on VPNv4 route reflectors)
-OSPF is configured per process (no address families, each process is assigned to a VRF)
-routes redistributed from MP-BGP into the VRF OSPF process appear as inter-area (O IA) routes. This is
why, if we need them preferred over intra-area routes learned across a backdoor link, we need a sham-link
-the loopbacks used as sham-link endpoints must NOT be advertised into OSPF (they are carried by MP-BGP)
IPV6
-unspecified- ::/128
-loopback- ::1/128
-multicast- FF00::/8
-link-local- FE80::/10
-unique local (private)- FC00::/7. FD00::/8 (L bit set): the 40-bit Global ID is generated locally
(pseudo-randomly). FC00::/8 (L bit clear): reserved, intended for centrally assigned Global IDs
-Globally routable: 2000::/3. The first 48 bits are the organization's prefix, the next 16 bits are the
SLA (site level aggregation) / subnet ID for your own purposes
-Neighbor Discovery is built on ICMPv6 and completely replaces ARP on broadcast networks
-EUI-64 interface ID: 64 bits derived from the 48-bit MAC: the 7th bit (U/L bit) of the MAC is inverted
and 0xFFFE is inserted in the middle
-Neighbor Solicitation and Neighbor Advertisement are like ARP; Router Solicitation and Router
Advertisement are only for gateways
-no equivalent on IOS to Inverse ARP for IPv6, therefore static maps are always needed on multipoint FR
-no proxy ND (all resolutions are static)
-sdm prefer dual-ipv4-and-ipv6 is necessary on most switches to support ipv6 unicast-routing
-a link-local address can be the same on multiple interfaces, therefore a route to a link-local next hop
has to specify the exit interface
-local routes- routes to the interface's own address with /128
-next-hop on dynamic protocols is always the link-local address
EIGRPv6
-protocol 88, multicast FF02::A
-process needs to be enabled per interface but also with no shutdown at the global level
-router-id is a 32-bit value in IPv4 format (must be set manually if the router has no IPv4 address)
OSPFv3
-protocol 89, FF02::5 & FF02::6
-32-bit router-id in IPv4 format
-authentication uses IPv6 methods (the built-in IPsec AH/ESP, RFC 4552)
-Type 8 LSA: Link LSA, link-local addresses and prefixes on the link
-Type 9 LSA: Intra-Area Prefix LSA
-ipv6 ospf authentication ipsec spi {x} md5|sha1 {hex key}
MP-BGP IPv6
-transport (neighborship) can be either IPv4 or IPv6 and is unrelated to the NLRI advertised, which is
defined under the ipv6 address family
-next-hop must belong to the same address space (IPv4/IPv6) as the NLRI to be reachable
IPV6 transitions
-GRE
-IPv6IP manual tunnel (IP protocol 41)
-Teredo tunnels (over UDP)- not really implemented on routers but on end hosts
-6to4: IPv6 addresses are assigned from 2002:{IPv4 address in hex}::/48
-ISATAP
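Two of the derivations above (EUI-64 and the 6to4 prefix) are easy to get wrong by hand. The following is an added example, not from the original notes, that computes both with only the Python standard library; the MAC address, the /64 prefix and the IPv4 endpoint are constructed values.

```python
"""Added example (not from the original notes): EUI-64 interface-ID derivation
and 6to4 prefix/endpoint computation, using only the standard library. The MAC
and IPv4 addresses used in the tests are constructed."""
import ipaddress


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64: split the MAC, insert FF:FE, flip the U/L bit (bit 7 of byte 0)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02          # universal/local bit inversion
    return bytes(iid)


def eui64_address(prefix: str, mac: str) -> str:
    """Combine a /64 prefix with the EUI-64 interface identifier."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing requires a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def six_to_four_prefix(ipv4: str) -> str:
    """6to4 (RFC 3056): 2002:WWXX:YYZZ::/48, the IPv4 address in hex after 2002.
    RFC 3056 expects a globally routable unicast endpoint; only the obvious
    non-candidates are rejected here."""
    v4 = ipaddress.IPv4Address(ipv4)
    if v4.is_multicast or v4.is_loopback or v4.is_unspecified:
        raise ValueError("6to4 requires a unicast IPv4 endpoint")
    return str(ipaddress.IPv6Network(((0x2002 << 112) | (int(v4) << 80), 48)))


def six_to_four_endpoint(ipv6: str) -> str:
    """Recover the IPv4 tunnel endpoint embedded in bits 16-47 of a 6to4 address."""
    a = int(ipaddress.IPv6Address(ipv6))
    if a >> 112 != 0x2002:
        raise ValueError("not a 2002::/16 address")
    return str(ipaddress.IPv4Address((a >> 80) & 0xFFFFFFFF))
```

Because the interface ID is derived from the MAC, an EUI-64 address leaks the hardware address of the host; that is the reason privacy extensions exist, and it is also why 6to4 decapsulators can be reached by anyone who can compute the embedded IPv4 endpoint.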
MULTICAST
-IGMP: host to router
-PIM/MSDP: router to router
IGMP
-IGMP default version is 2
-IGMP version 1 & 2 only allow {*,G} joins, while IGMP version 3 allows {S,G}
-ip igmp static-group: statically joins a group on the interface (the router forwards the traffic but
does not process it itself, unlike ip igmp join-group)
PIM
-protocol independent (does not advertise topology, relies on the IGP-calculated topology for loop
prevention)
-PIM version 2 by default
-version 1 sent queries embedded in IGMP, version 2 uses 224.0.0.13, IP protocol 103
-dense mode: considered implicit join (flood, then prune)
-sparse mode: considered explicit join
-sparse-dense mode: sparse for groups with an RP, dense for the others
-MSDP: signaling between RPs
-RPF check: checks that the multicast packet was received on the interface the unicast routing table
would use to forward traffic back towards the source
-in the multicast routing table {S,G} is preferred over {*,G}
PIM DM
-finds neighbors on 224.0.0.13
-automatically enables IGMP
-Assert message: used when there are multiple multicast routers on the same segment. The winner for the
segment has the lowest administrative distance, then the lowest unicast metric to the source (highest IP
address as the final tiebreaker)
-Graft message: used for unpruning an interface which was previously announced as pruned
PIM SM
-register messages make the RP aware of the senders
-join messages signal the receivers
-after packets start being forwarded, the shared tree (RPT, via the RP) is switched to the shortest-path
tree (SPT) towards the source
-RPF failures can be dealt with using static mroutes, or with MP-BGP
-static mroutes are not chosen on longest match but on ordered match (newer versions appear to fix this)
-RPF is also done on PIM register messages (by the RP)
-show ip mroute count
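The RPF check and the ordered-match caveat above are shown together in this added example (not from the original notes): a constructed unicast table and two static mroutes, with the same source looked up both ways so the difference in RPF interface is visible. Table contents and interface names are assumptions.

```python
"""Added example (not part of the original notes): an RPF check against a
constructed unicast table, contrasting the ordered static mroute lookup noted
above with a longest-match lookup."""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, str]   # (prefix, interface)

# Constructed unicast routing table.
UNICAST: List[Route] = [
    ("0.0.0.0/0", "Gi0/0"),
    ("10.1.0.0/16", "Gi0/1"),
    ("10.1.5.0/24", "Gi0/2"),
]

# Constructed static mroutes, in the order they were configured.
STATIC_MROUTES: List[Route] = [
    ("10.1.0.0/16", "Tunnel0"),
    ("10.1.5.0/24", "Gi0/2"),
]


def longest_match(table: List[Route], addr: str) -> Optional[str]:
    ip = ipaddress.IPv4Address(addr)
    best = None
    for prefix, iface in table:
        net = ipaddress.IPv4Network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None


def ordered_match(table: List[Route], addr: str) -> Optional[str]:
    """First configured entry covering the source wins (the behaviour noted above)."""
    ip = ipaddress.IPv4Address(addr)
    for prefix, iface in table:
        if ip in ipaddress.IPv4Network(prefix):
            return iface
    return None


def rpf_interface(source: str, ordered_static: bool = True) -> Optional[str]:
    """Static mroutes are consulted before the unicast table (default distance 0)."""
    lookup = ordered_match if ordered_static else longest_match
    return lookup(STATIC_MROUTES, source) or longest_match(UNICAST, source)


def rpf_check(source: str, ingress: str, ordered_static: bool = True) -> bool:
    """True when the packet arrived on the interface RPF expects for this source."""
    return rpf_interface(source, ordered_static) == ingress
```

With ordered matching the /16 mroute shadows the more specific /24, so traffic from 10.1.5.7 arriving on Gi0/2 fails RPF even though a longest-match lookup would accept it; order the static mroutes most-specific first on platforms that behave this way.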
Auto RP
-candidate RPs announce on 224.0.1.39; the mapping agent listens there and sends the RP-to-group mappings
to 224.0.1.40. ip pim autorp listener floods those two groups in dense mode
-a GRE tunnel can be used to avoid split-horizon issues or to send multicast over networks without
multicast routing
-ip pim spt-threshold infinity: do not switch to the SPT
BSR
-RP candidates (ip pim rp-candidate) unicast to the bootstrap router (ip pim bsr-candidate, similar to the
mapping agent), which floods the RP set hop by hop on 224.0.0.13
Bi-Directional PIM
-only allows shared trees (does not switch to the SPT, and only installs {*,G})
-ip pim bidir-enable
-ip pim rp-address x.x.x.x bidir
SSM
-no {*,G}, therefore no need for an RP
-ip pim ssm default: uses the range reserved for source specific multicast (232.0.0.0/8)
-has to be configured with IGMP version 3
MSDP
-used to communicate between RPs
-can be used to provide anycast RP
-anycast is simply based on the same address configured on several RPs; traffic reaches the closest one
over the shortest IGP path
-ip msdp peer x.x.x.x connect-source {interface}
-show ip msdp sa-cache: see entries learned from an MSDP peer
IPv6
-MLD replaces IGMP and is built into ICMPv6
-FFXY::/8, X=flags, Y=scope
-FF02 is link-local scope, FF05 is site-local, FF0E is global
-those scopes are defined in the RFC but not enforced automatically on IOS (filtering is up to you)
-PIM behaves similarly to IPv4 PIM but supports only sparse mode
-by default, when you enable ipv6 multicast-routing it is enabled on all IPv6 interfaces; to disable it on
an interface use no ipv6 pim
-MLD version 1 is equivalent to IGMP version 2, MLD version 2 is equivalent to IGMP version 3
-RP can be configured either statically or with BSR (no Auto-RP support)
-embedded RP: the group address begins with FF7Y and embeds the RP address
-instead of ip mroute: ipv6 route {prefix} {next-hop} multicast
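The flag/scope layout and the embedded-RP format are stated above but not shown; this added example (not from the original notes) decodes both from an address, following RFC 3956 for the RP extraction, and includes the scope-boundary test the notes say IOS leaves to you. The sample group addresses are constructed.

```python
"""Added example (not from the original notes): decode the flags and scope of
an IPv6 multicast address and, for FF7Y groups, extract the embedded RP per
RFC 3956. Sample addresses are constructed."""
import ipaddress
from typing import Dict

SCOPE_NAMES: Dict[int, str] = {
    0x1: "interface-local", 0x2: "link-local", 0x3: "realm-local",
    0x4: "admin-local", 0x5: "site-local", 0x8: "organization-local", 0xE: "global",
}


def embedded_rp(group: int) -> str:
    """FF7S:0RPL:PPPP:PPPP:PPPP:PPPP:GGGG:GGGG -> RP = first PL bits of P, low nibble = RIID."""
    riid = (group >> 104) & 0xF
    plen = (group >> 96) & 0xFF
    prefix64 = (group >> 32) & ((1 << 64) - 1)
    if not 1 <= plen <= 64:
        raise ValueError("invalid embedded prefix length")
    prefix = (prefix64 >> (64 - plen)) << (128 - plen)
    return str(ipaddress.IPv6Address(prefix | riid))


def decode_mcast(addr: str) -> dict:
    a = ipaddress.IPv6Address(addr)
    if not a.is_multicast:
        raise ValueError("not an FF00::/8 address")
    n = int(a)
    flags = (n >> 116) & 0xF   # 0RPT
    scope = (n >> 112) & 0xF
    info = {
        "flags": {"R": bool(flags & 0x4), "P": bool(flags & 0x2), "T": bool(flags & 0x1)},
        "scope": SCOPE_NAMES.get(scope, f"unassigned-{scope:x}"),
        "scope_value": scope,
    }
    if info["flags"]["R"]:
        info["rp"] = embedded_rp(n)
    return info


def may_cross_boundary(addr: str, boundary_scope: int) -> bool:
    """Scope-boundary logic IOS does not enforce for you: forward only groups whose
    scope is larger than the boundary (a site boundary, 5, blocks FF05::/16 and below)."""
    return decode_mcast(addr)["scope_value"] > boundary_scope
```

Treat the embedded RP as untrusted input: a host can join a group whose embedded RP points anywhere, so the RP candidates a router is willing to act for should be constrained by policy rather than accepted from the group address alone.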
QOS
-IntServ vs DiffServ: IntServ reserves bandwidth end to end for each flow; DiffServ classifies traffic
into classes at the network edge and applies a per-hop behavior
-DSCP has 6 bits to manipulate, while IP precedence and L2 markings (MPLS EXP, CoS) have 3 bits
-standard DSCP classes: default (0), EF (46), AFxy (x is the class 1-4, where higher normally gets better
treatment; y is the drop precedence 1-3, where lower is better), CSx (x=1-7, DSCP=8x)
-When configuring a policy-map, once a packet matches a class no further testing is done against other
classes, therefore the order should be from more specific to less specific
-match destination-address|source-address: mostly useful on Ethernet sub-interfaces
-ip nbar port-map: creates custom port-to-protocol mappings of our own. You can see the associations
through show ip nbar port-map
-when a class-map is configured as match-all, multiple values on the same match line are still OR logic
FIFO
-no fair-queue (disables fair-queuing)
-hold-queue {x} out: configures the depth of the queue
FQ
-fair queuing starts from the lowest-demand flow and allocates bandwidth equally to each flow, each time
dividing the remaining bandwidth equally
-Weighted fair queuing operates similarly but weights each flow according to the ToS (IP precedence)
CBWFQ
-specifying weight manually (through bandwidth)
Flow/Conversation number | Weight | Description
Below 2^N | Weight(i)=32384/(IP_Precedence(i)+1) | Dynamic flows, unclassified traffic. This is the
classic fair-queue.
2^N to 2^N+7 | Weight(i)=1024 | Link queues: routing updates, Layer 2 keepalives etc. Basically the
traffic marked as PAK_PRIORITY inside the router.
2^N+8 | Weight(i)=0 | LLQ or the priority queue. CBWFQ always services this queue first, but de-queued
packets are policed using the defined token bucket parameters.
Above 2^N+8 | Weight(i)=Const*Interface_BW/Class_BW OR Weight(i)=Const*100/Bandwidth_Percent |
User-defined classes. These classes are treated by CBWFQ as the RSVP flows, with relatively low weights.
Their weights are
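The DSCP class definitions above and the weight formulas in the CBWFQ table are pure arithmetic, so this added example (not from the original notes) turns both into functions: AF/CS encoding and decoding, the 3-bit view a CoS/EXP device gets, and the WFQ/CBWFQ weights with the resulting bandwidth shares. The constant in the CBWFQ formula is left as a parameter because the notes do not give its value.

```python
"""Added example (not from the original notes): DSCP/AF/CS arithmetic from the
class definitions above and the WFQ / CBWFQ weight formulas from the table.
All numbers follow the definitions in the text; no live router is involved."""
from typing import List

EF = 46


def af_dscp(cls: int, drop: int) -> int:
    """AFxy -> DSCP = 8*x + 2*y (x = class 1-4, y = drop precedence 1-3)."""
    if not (1 <= cls <= 4 and 1 <= drop <= 3):
        raise ValueError("AF class 1-4, drop precedence 1-3")
    return 8 * cls + 2 * drop


def cs_dscp(prec: int) -> int:
    """CSx -> DSCP = 8*x (backwards compatible with IP precedence)."""
    if not 0 <= prec <= 7:
        raise ValueError("precedence 0-7")
    return prec << 3


def dscp_name(dscp: int) -> str:
    """Map a 6-bit DSCP value back to its standard class name."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is 6 bits")
    if dscp == 0:
        return "default"
    if dscp == EF:
        return "EF"
    cls, rem = divmod(dscp, 8)
    if rem == 0:
        return f"CS{cls}"
    if 1 <= cls <= 4 and rem in (2, 4, 6):
        return f"AF{cls}{rem // 2}"
    return f"dscp{dscp}"


def ip_precedence(dscp: int) -> int:
    """The 3 high-order bits: all a CoS/EXP/precedence-only device can see."""
    return dscp >> 3


def tos_byte(dscp: int, ecn: int = 0) -> int:
    """DSCP occupies the top 6 bits of the ToS byte, ECN the low 2."""
    return (dscp << 2) | (ecn & 0x3)


def wfq_weight(precedence: int) -> int:
    """Classic WFQ: weight = 32384 / (IP precedence + 1); lower weight = more bandwidth."""
    return 32384 // (precedence + 1)


def wfq_shares(precedences: List[int]) -> List[float]:
    """Bandwidth share of each concurrent flow is proportional to 1/weight."""
    inv = [1.0 / wfq_weight(p) for p in precedences]
    total = sum(inv)
    return [x / total for x in inv]


def cbwfq_weight(interface_bw_kbps: int, class_bw_kbps: int, const: int = 1) -> float:
    """User-defined class row of the table: Const*Interface_BW/Class_BW."""
    return const * interface_bw_kbps / class_bw_kbps
```

One consequence worth checking with `wfq_shares`: with only two active flows at precedence 0 and 5, the precedence-5 flow receives about 6/7 of the bandwidth, which is why untrusted hosts must not be allowed to set their own markings at the edge.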
LLQ
-the priority class is always served first; the policer is engaged only during congestion
-equivalent to weight 0
-in general, if you have multiple classes configured with priority they share the same queue but can be
policed differently
WRED
-designed for congestion avoidance with TCP. With tail drop, the issue that arises is multiple
retransmissions and global synchronization
-assigns a drop probability so that higher precedence traffic is dropped less
-parameters: minimum threshold, maximum threshold, mark probability denominator
-higher precedence traffic has a higher minimum threshold
-can also be configured to look at DSCP (random-detect dscp-based)
SHAPING
-delays traffic to smooth it
-Bc/Tc=CIR (CIR is measured per second, while Tc is in ms, so Bc = CIR * Tc/1000)
-Be accumulates over idle periods
POLICING
-colors (conform, exceed, violate)
-single rate (two or three color) or two rate (three color)
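The shaping interval arithmetic and the three-color policer above are shown in this added example, which is not from the original notes: a Bc/Tc calculation plus a two-rate three-color marker in the style of RFC 2698 (the model behind IOS police cir ... pir ...). Rates, bucket sizes and the packet burst are constructed values.

```python
"""Added example (not from the original notes): shaping interval arithmetic
(Bc = CIR * Tc) and a two-rate three-color policer in the style of RFC 2698.
Rates and packet sizes are constructed."""
from typing import List, Tuple


def shaper_params(cir_bps: int, tc_ms: int) -> dict:
    """Bc (bits per interval) = CIR * Tc; the shaper sends Bc bits per Tc, then idles."""
    bc_bits = cir_bps * tc_ms // 1000
    return {"Bc_bits": bc_bits, "Tc_ms": tc_ms, "intervals_per_sec": 1000 // tc_ms}


class TwoRateThreeColor:
    """Two token buckets: C (CIR, size Bc) and P (PIR, size Be), both in bytes."""

    def __init__(self, cir_bps: int, bc_bytes: int, pir_bps: int, be_bytes: int):
        self.cir, self.pir = cir_bps, pir_bps
        self.bc, self.be = bc_bytes, be_bytes
        self.tc, self.tp = bc_bytes, be_bytes  # buckets start full
        self.last = 0.0

    def color(self, size_bytes: int, now: float) -> str:
        elapsed = max(0.0, now - self.last)
        self.last = now
        # Refill both buckets for the elapsed time, capped at their sizes.
        self.tc = min(self.bc, self.tc + elapsed * self.cir / 8)
        self.tp = min(self.be, self.tp + elapsed * self.pir / 8)
        if size_bytes > self.tp:
            return "violate"          # above PIR: typically drop
        self.tp -= size_bytes
        if size_bytes > self.tc:
            return "exceed"           # within PIR but above CIR: typically re-mark
        self.tc -= size_bytes
        return "conform"


def classify(policer: TwoRateThreeColor, packets: List[Tuple[float, int]]) -> List[str]:
    """packets: (timestamp_seconds, size_bytes) in arrival order."""
    return [policer.color(size, ts) for ts, size in packets]


# Constructed burst against CIR 8 kbps (1000 B/s, Bc 1500 B), PIR 16 kbps (2000 B/s, Be 3000 B).
SAMPLE_BURST = [(0.0, 1000), (0.0, 1000), (0.0, 1500), (1.0, 1500)]

if __name__ == "__main__":
    print(shaper_params(64000, 125))
    print(classify(TwoRateThreeColor(8000, 1500, 16000, 3000), SAMPLE_BURST))
```

The burst shows the three colors in sequence: the first packet drains most of the CIR bucket, the second still fits the PIR bucket (exceed), the third fits neither (violate), and after a one-second pause both buckets have refilled so a full-size packet conforms again.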
Frame relay Shaping
Legacy:
-frame-relay traffic-shaping
-map-class
MQC:
-no frame-relay traffic-shaping command
-map-class is configured, but only to insert on it the service-policy
RSVP
-PATH messages from the source (Tspec, Rspec)
-RESV messages from the destination back to the source
-ip rsvp bandwidth (at the interface level)
-used for MPLS-TE (outside the scope of R&S)
-assigns a weight of its own to the reserved queue
-ip rsvp sender-host: configures the router to send PATH messages
CATALYST QOS
-enabled with mls qos
-by default, once mls qos is enabled, markings made by previous devices are rewritten (reset to 0 unless
the port is trusted). The rewrite can be disabled with no mls qos rewrite ip dscp
-trust boundaries can be established with mls qos trust cos|dscp|ip-precedence
-mls qos map (dscp-cos, cos-dscp, dscp-mutation)
-mls qos aggregate-policer
-priority-queue out: similar to priority in MQC but without a policer
-srr-queue bandwidth shape|share
SECURITY
-an IP access-list applied on an interface does not affect locally generated traffic
-established matches TCP packets with the ACK or RST bit set, i.e. responses to a session already
initiated (anyone can set those bits, so this is a flag check, not stateful filtering)
-log: logs matching traffic; causes the matching packets to be process-switched
-time based ACL:
time-range {leon}
periodic|absolute {times}
access-list {xx} {arguments} time-range {name of time range}
-lock and key- allows access after authentication
-ip access-list resequence {name} {start} {increment}
-access-list {x} dynamic {name of entry} [timeout {min}] {arguments}
-the user must authenticate on the vty and run access-enable to activate the dynamic entry
Line vty 0 4
Autocommand access-enable host timeout {x}
Reflexive ACL
-on the outbound ACL: permit {statements} reflect {name}
-on the inbound ACL: evaluate {name}
-reflexive ACLs do not classify locally generated traffic (like all ACLs), so to permit incoming traffic
that is a response to router-originated traffic you must create a manual entry
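The ACL semantics in this section (wildcard masks, first match with implicit deny, established, and reflect/evaluate) are modelled in the following added example, which is not from the original notes. The Packet and Entry classes, the addresses and the ACL contents are constructed; the last two results in `scenario()` show why established is weaker than a reflexive entry.

```python
"""Added example (not from the original notes): an IOS-style extended ACL
evaluator with wildcard masks, first-match/implicit-deny semantics, the
'established' keyword and reflexive entries created by 'reflect' and consulted
by 'evaluate'. Addresses, ports and ACLs are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard mask: 0 bits must match, 1 bits are don't-care (inverse of a netmask)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp", "icmp"
    sport: int = 0
    dport: int = 0
    flags: Set[str] = field(default_factory=set)


@dataclass
class Entry:
    action: str                 # "permit" | "deny"
    proto: str                  # "ip" matches any protocol
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dport: Optional[int] = None
    established: bool = False   # TCP with ACK or RST set; a flag check, not state
    reflect: Optional[str] = None
    evaluate: Optional[str] = None


REFLEXIVE: Dict[str, List[Entry]] = {}   # temporary entries keyed by reflect name


def matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (wildcard_match(p.src, e.src, e.src_wc) and wildcard_match(p.dst, e.dst, e.dst_wc)):
        return False
    if e.dport is not None and e.dport != p.dport:
        return False
    if e.established and not (p.proto == "tcp" and p.flags & {"ACK", "RST"}):
        return False
    return True


def evaluate_acl(acl: List[Entry], p: Packet) -> str:
    """Top-down, first match wins, implicit deny at the end."""
    for e in acl:
        if e.evaluate is not None:
            if any(matches(r, p) for r in REFLEXIVE.get(e.evaluate, [])):
                return "permit"
            continue                       # no reflexive hit: keep going
        if matches(e, p):
            if e.action == "permit" and e.reflect:
                # Mirror the flow: swap src/dst; the reply must target the original sport.
                REFLEXIVE.setdefault(e.reflect, []).append(
                    Entry("permit", p.proto, p.dst, "0.0.0.0", p.src, "0.0.0.0", p.sport))
            return e.action
    return "deny"


def scenario() -> Dict[str, str]:
    """Outbound from 10.0.0.0/24 is reflected; inbound allows 443 to one host plus reflected replies."""
    REFLEXIVE.clear()
    outbound = [Entry("permit", "tcp", "10.0.0.0", "0.0.0.255", reflect="RTRAFFIC"),
                Entry("permit", "ip")]
    inbound = [Entry("permit", "tcp", dst="10.0.0.10", dst_wc="0.0.0.0", dport=443),
               Entry("permit", "ip", evaluate="RTRAFFIC")]
    established_only = [Entry("permit", "tcp", established=True)]
    res = {}
    res["client_out"] = evaluate_acl(outbound, Packet("10.0.0.5", "198.51.100.7", "tcp", 51000, 80, {"SYN"}))
    res["reply_in"] = evaluate_acl(inbound, Packet("198.51.100.7", "10.0.0.5", "tcp", 80, 51000, {"ACK"}))
    res["unsolicited_in"] = evaluate_acl(inbound, Packet("198.51.100.7", "10.0.0.5", "tcp", 40000, 22, {"SYN"}))
    res["web_in"] = evaluate_acl(inbound, Packet("203.0.113.9", "10.0.0.10", "tcp", 40001, 443, {"SYN"}))
    res["syn_vs_established"] = evaluate_acl(established_only, Packet("203.0.113.9", "10.0.0.5", "tcp", 1, 22, {"SYN"}))
    # 'established' trusts the flag: a crafted ACK-only probe passes it.
    res["ack_probe_vs_established"] = evaluate_acl(established_only, Packet("203.0.113.9", "10.0.0.5", "tcp", 1, 22, {"ACK"}))
    return res
```

The reflexive entry is built from the real outbound flow, so only a reply to that exact address and port pair gets in; the established entry lets through any packet with ACK set, which is exactly what an ACK scan sends.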
TCP Intercept
-ip tcp intercept list {acl}
-ip tcp intercept mode watch|intercept (default intercept)
-intercept mode proxies the TCP handshake; watch mode only monitors connections and sends a RST for
half-open ones that do not complete within the watch timeout
-ip port-map: changes port-to-protocol associations (PAM, used by CBAC)
CBAC
-ip inspect name {name} {protocol}
-interface fa 0/0
Ip inspect {name} in|out
-ip access-group {ACL} in
ZBF
-parameter-map type inspect: used to configure general inspection settings
-class-map type inspect
-policy-map type inspect
-zone-pair security {name} source {zone} destination {zone}
Service-policy type inspect {policy}
-interface fa 0/0
Zone-member security {zone}
AAA
-aaa new-model
-aaa authentication login|enable default group radius|group tacacs+ local|line|none (methods are tried in
order; the next one is used only if the previous server is unreachable, not if it rejects the user)
-radius-server host {x.x.x.x} | tacacs-server host {x.x.x.x}
-radius-server key {key}
Port-security
-can be configured on both access and trunk links but not on dynamic (DTP) links
-static or sticky secure MAC addresses in the CAM table
-switchport port-security
-if you use protect mode on trunk links, learning is disabled for all VLANs once the limit is reached
-a static mac-address-table entry disables dynamic learning for that address
-storm-control- level is a percentage of interface speed. There is a caveat with the multicast limit:
when it is reached all traffic is suppressed
-aaa authentication dot1x default group radius: authenticates a port based on credentials requested from
the connected host (EAP) and relayed to a RADIUS server
-dot1x system-auth-control
-on the interface: dot1x port-control auto
PACL
Port ACL (L3 or L2), can only be applied inbound
MAC ACLs applied as a PACL do not affect IP traffic
RACL
Applied on routed ports/ SVIs
VACL
Applied on a VLAN, applies to all traffic (bridged and routed, no direction)
-vlan access-map {name} {seq}
Match ip address|mac address {acl}
Action forward|drop
-vlan filter {name of vlan map} vlan-list {x}
SNMP
-UDP ports 161 (agent) / 162 (trap receiver)
-SNMP polling is the NMS querying the devices, while an SNMP trap or inform is the device sending
unsolicited updates (informs are acknowledged, traps are not)
-snmp-server community {string} ro|rw [acl] (v1/v2c community strings travel in cleartext; restrict them
with an ACL)
-snmp-server enable traps
-snmp-server host {X.X.X.X} traps|informs {community}
RMON
-monitors MIB variables
-based on a delta (change) or absolute value of a variable
-rmon alarm {x} {mib} {sample interval} delta|absolute rising-threshold {x} {event} falling-threshold {y}
{event}
-rmon event {y} log description {text}
DHCP snooping
-ip dhcp snooping (plus ip dhcp snooping vlan {x})
-ip dhcp snooping trust {on the interface towards the DHCP server}
-ip arp inspection vlan {x}: DAI validates ARP packets against the snooping binding table
-ip arp inspection filter {arp acl} vlan {y}: for hosts with static addresses
Interface fa 0/0
Ip verify source (IP Source Guard, also uses the binding table)
-no ip dhcp snooping information-option: do not insert option 82
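What DAI and IP Source Guard actually check against the snooping binding table is modelled in this added example (not from the original notes): a constructed binding table, one trusted uplink, an ARP ACL for a static host, and the verdicts for a legitimate ARP, a gateway-spoofing ARP and a frame from the trusted port. The table contents, port names and decision order without the static keyword are assumptions for illustration.

```python
"""Added example (not from the original notes): the validation DAI and IP Source
Guard perform against a DHCP snooping binding table, modelled in plain Python.
The binding table, trusted port, ARP ACL and ARP frames are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed snooping binding table: (vlan, mac) -> (ip, port). IOS builds this
# from DHCP exchanges seen on untrusted ports.
BINDINGS: Dict[Tuple[int, str], Tuple[str, str]] = {
    (10, "0011.2233.4455"): ("10.10.0.5", "Fa0/1"),
    (10, "0011.2233.4466"): ("10.10.0.6", "Fa0/2"),
}
TRUSTED_PORTS = {"Gi0/1"}          # 'ip arp inspection trust' / 'ip dhcp snooping trust'
INSPECTED_VLANS = {10}             # 'ip arp inspection vlan 10'
# ARP ACL for a static host ('ip arp inspection filter'): (ip, mac, action).
ARP_ACL: List[Tuple[str, str, str]] = [("10.10.0.1", "aaaa.bbbb.cccc", "permit")]


@dataclass
class ArpFrame:
    vlan: int
    ingress: str
    eth_src: str        # Ethernet source MAC
    sender_mac: str     # ARP sender hardware address
    sender_ip: str      # ARP sender protocol address


def dai_verdict(f: ArpFrame, validate_src_mac: bool = False) -> str:
    """Return 'forward' or 'drop: <reason>' following the DAI decision order."""
    if f.vlan not in INSPECTED_VLANS or f.ingress in TRUSTED_PORTS:
        return "forward"                              # not inspected
    if validate_src_mac and f.eth_src.lower() != f.sender_mac.lower():
        return "drop: ethernet source MAC differs from ARP sender MAC"
    # ARP ACL is checked first; without the 'static' keyword, packets it does
    # not match fall through to the binding table.
    for ip, mac, action in ARP_ACL:
        if ip == f.sender_ip and mac.lower() == f.sender_mac.lower():
            return "forward" if action == "permit" else "drop: denied by ARP ACL"
    bound = BINDINGS.get((f.vlan, f.sender_mac.lower()))
    if bound is None:
        return "drop: no snooping binding for sender MAC"
    if bound[0] != f.sender_ip:
        return "drop: sender IP does not match binding"
    return "forward"


def ipsg_verdict(vlan: int, port: str, src_ip: str, src_mac: Optional[str] = None) -> str:
    """'ip verify source [port-security]': the source IP (and MAC) must be bound to this port."""
    for (b_vlan, b_mac), (b_ip, b_port) in BINDINGS.items():
        if b_vlan == vlan and b_port == port and b_ip == src_ip:
            if src_mac is None or src_mac.lower() == b_mac:
                return "forward"
    return "drop: no binding for this source on the port"
```

The spoofed gateway ARP is dropped not because the switch knows the gateway's address but because the attacker's MAC has no binding; hosts with static addresses therefore need either an ARP ACL entry or a static binding, and the uplink to the real gateway must be trusted or its ARPs are dropped too.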
Protected ports
-switchport protected: forbids communication with other protected ports in the same VLAN (only within
one switch)
Private vlan
-promiscuous, community, isolated
-vtp mode must be transparent (VTP v1/v2 do not carry private VLANs)
-vlan x
Private-vlan primary
Private-vlan association x,y,z
-vlan y
Private-vlan community|isolated
-interface fa 0/0
Switchport mode private-vlan host|promiscuous
Switchport private-vlan mapping {primary} {secondary}
OR
Switchport private-vlan host-association {primary} {secondary}
HSRP
-224.0.0.2, UDP port 1985
-not preemptive by default
-virtual MAC 0000.0c07.acXX (XX = group id)- can be changed with standby use-bia or standby mac-address
VRRP
-is preemptive by default
-virtual MAC 0000.5E00.01XX
-IP protocol 112
-224.0.0.18
GLBP
-enables load-sharing between several forwarders (AVFs) assigned by the AVG
-not preemptive by default
-glbp load-balancing round-robin|weighted|host-dependent
-224.0.0.102
-UDP 3222
NAT
DHCP
-UDP ports 67 (server), 68 (client)
-dhcp option 82 (relay agent information option)
-a manual binding (ip dhcp pool with host and client-identifier) is keyed on the client-id
DNS
-client enabled by default (disabled with no ip domain-lookup)
-ip name-server- if not configured, requests are broadcast
-ip dns server
-ip host {name} {ip}
NETFLOW
-ip flow ingress|egress
-ip flow-export {destination}
WCCP
Ip wccp web-cache
Int fa 0/1
Ip wccp web-cache redirect in|out
-the router learns the content engines dynamically once WCCP is enabled globally
NTP
-stratum is the distance from the reference clock (1 = directly attached to a reference source; higher
is further away)
-ntp master {stratum}
-the clock can be stepped immediately or slewed towards the correct time
-for the time to be synchronized immediately you should first set the clock manually and then configure
NTP
-ntp authentication-key {x} md5 {yyyy}
-ntp trusted-key {x}
-ntp authenticate
-ntp server {x.x.x.x} key {x}
Syslog
-severity levels 0-7 in decreasing order of criticality (0 emergencies ... 7 debugging)
-logging {host}- sends to a remote syslog server (UDP 514 by default)
-service timestamps log datetime
-Banners:
motd- first banner shown when connecting
login banner- shown before the login prompt
exec banner- shown after login
EEM
-applet
-event, action