Notes to Ccie

Date post: 03-Apr-2018
Upload: leon-dobrzinsky
  • 7/28/2019 Notes to Ccie


NOTES TO CCIE

1. ETHERNET SWITCHING

show interface fa 0/0 switchport - VLAN and trunking parameters

DTP modes -
Dynamic auto - negotiates but does not initiate trunking; defaults to access
Dynamic desirable - negotiates and actively tries to reach the trunk state

Tip: If DTP is disabled and there is a misconfiguration, the STP calculation can fail and produce an L2 loop.

Trunking modes
switchport trunk encapsulation
ISL - Encapsulates the native VLAN. Full header and trailer (30 bytes)
Dot1Q - Does not tag the native VLAN. Can be configured to tag the native VLAN with the global command vlan dot1q tag native. Less overhead (tag vs encapsulation) (4 bytes)

VLANs
1-1001 standard
1002-1005 default (Token Ring)
1006-4094 extended

VTP configuration
show vtp status - mode, revision number, MD5 hash
Default server mode, domain name null. Automatically inherits the VTP domain from neighboring switches on trunking interfaces.
Configuration revision - Tracks the history of the VLAN configuration. A higher-numbered configuration replaces all previous ones. VTP sends updates each time there is a change in the VLAN configuration (even a client device will send updates to all devices, replacing their databases, if its revision number is higher).
MD5 - Even without configuring a password there is a default MD5 hash based on the configuration revision number.


VTP Pruning
Prevents unnecessary flooding of broadcasts over trunk links to switches that have no access ports in the specific VLAN.
Enabled only in server and client VTP mode (not transparent).
Pruning-eligible VLANs - switchport trunk pruning vlan remove
Each switch sends a request to neighboring switches on trunk links asking which VLANs they are on the transit path for.
Trunking with non-VTP devices - Trouble with pruning: since the non-VTP device does not send a request for anything, the switch assumes all VLANs are active towards it. Possible solution - allow only the interesting VLANs on the trunk.
Trouble with pruning and transparent devices - Transparent mode switches forward VTP pruning updates to the next switch unaltered, therefore causing misconfiguration of pruning.

Router on a Stick
Native VLAN goes to the main interface unless tagged
Tagged VLANs go to the matching subinterfaces

EtherChannel
(config-if)# channel-protocol
PAgP - Cisco proprietary (auto, desirable)
LACP - open standard (active, passive)
show etherchannel summary - status, members
Global config: port-channel load-balance
Load balancing can't be seen from MAC addresses since it's an L1 issue. You can choose different methods of load balancing, in which you basically choose which address fields are hashed into the value that selects one member link or another.
Advantage of using negotiation protocols - the other side of the link gets notified if the link fails, therefore avoiding a loop.


Example of a member suspended due to misconfig:
1 Po1(SU) Fa0/0(P) Fa0/1(s)

Layer 3 EtherChannel - port channel with routed-port members
Tip - Order of operations is important! First the ports must be configured as no switchport, and only then channel-group X

Layer 2 Tunneling
switchport mode dot1q-tunnel
switchport access vlan sets the S-VLAN
Adds a metro tag - there is a separation between customer and provider VLANs
MTU issue - end-to-end Ethernet does not support fragmentation; 4 bytes are added, therefore the minimum recommended MTU is 1504: system mtu 1504
Does not forward control protocols by default (CDP, etc.). A solution is tunneling those protocols:
l2protocol-tunnel cdp | vtp | stp
l2protocol-tunnel point-to-point lacp | pagp | udld - EtherChannel over the L2 protocol tunnel

Spanning-Tree Protocol
Basic operation -
A root bridge gets chosen, then a root port on each switch for the upstream path to the root, and designated / blocking ports on the downstream path.

Choosing a root - lowest bridge ID
PRIORITY =
- priority (0-61440, in increments of 4096)
+
- system ID extension (VLAN number)
- MAC address
spanning-tree vlan {vlan} priority {priority}
Default mode PVST+: runs a different instance for each VLAN, each with its own root
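The root election rule above, as an added example that is not part of the original notes: it encodes the PVST+ bridge ID (priority + system ID extension, then MAC), enforces the 4096 granularity, and elects the root per VLAN. Switch names, priorities and MAC addresses are constructed sample values.

```python
from typing import List, NamedTuple


class Bridge(NamedTuple):
    name: str
    priority: int  # configured spanning-tree vlan priority, 0-61440 in steps of 4096
    mac: str       # base MAC of the switch (constructed sample values below)


def is_valid_priority(priority: int) -> bool:
    """IOS only accepts a multiple of 4096 between 0 and 61440."""
    return 0 <= priority <= 61440 and priority % 4096 == 0


def bridge_id(bridge: Bridge, vlan: int) -> int:
    """64-bit PVST+ bridge ID: 16-bit (priority + sys-id-ext) followed by the 48-bit MAC.

    The 4-bit priority nibble and the 12-bit system ID extension (the VLAN number)
    share one 16-bit field, which is why 'show spanning-tree' prints e.g.
    'Priority 32778 (priority 32768 sys-id-ext 10)'.
    """
    if not is_valid_priority(bridge.priority):
        raise ValueError(f"{bridge.name}: priority {bridge.priority} is not a multiple of 4096")
    if not 1 <= vlan <= 4094:
        raise ValueError(f"vlan {vlan} out of range")
    mac = int(bridge.mac.replace(":", "").replace(".", ""), 16)
    return ((bridge.priority + vlan) << 48) | mac


def displayed_priority(bridge: Bridge, vlan: int) -> int:
    """The combined priority value as shown by 'show spanning-tree vlan <n>'."""
    return bridge_id(bridge, vlan) >> 48


def elect_root(bridges: List[Bridge], vlan: int) -> Bridge:
    """Lowest bridge ID wins: priority first, then the MAC address breaks ties."""
    return min(bridges, key=lambda b: bridge_id(b, vlan))


def superior_to(bridges: List[Bridge], intended_root: Bridge, vlan: int) -> List[str]:
    """Names of bridges whose BPDUs would displace the intended root for this VLAN.

    A non-empty result is the situation root guard on downstream-facing ports is
    meant to contain: the intended root's priority is simply not low enough.
    """
    root = bridge_id(intended_root, vlan)
    return [b.name for b in bridges if bridge_id(b, vlan) < root]


# Constructed sample topology (not from the notes).
CORE = Bridge("CORE", 24576, "0000.0c00.0001")
DIST = Bridge("DIST", 28672, "0000.0c00.0002")
ACC1 = Bridge("ACC1", 32768, "0000.0c00.0003")
ACC2 = Bridge("ACC2", 32768, "0000.0c00.0004")
SWITCHES = [CORE, DIST, ACC1, ACC2]

if __name__ == "__main__":
    for vlan in (1, 10):
        root = elect_root(SWITCHES, vlan)
        print(f"VLAN {vlan}: root {root.name}, priority {displayed_priority(root, vlan)}")
    # With a default-priority switch as the intended root, CORE and DIST would both take over.
    print("superior to ACC1:", superior_to(SWITCHES, ACC1, 10))
```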

Designated ports are chosen based on the lower cost to the root (after the root port has been chosen, of course)
Root and designated port selection:
- cost
- neighbor BID
- PID (only if there are multiple links to the same neighbor)
Timers - Hello (root) - 2 sec default; Forward Delay (listening, learning) - 15 sec default; MaxAge (aging of the root) - 20 sec default. Set on the root (only the root sends BPDUs in a converged network in legacy STP).
Topology change is advertised by bridges by setting the CAM aging time to MaxAge, therefore causing bridges to flush their CAM tables.

PortFast - Enables a port to come up without transitioning through listening / learning. When a port is configured as PortFast the bridge does not generate a topology change if the port changes state.
spanning-tree portfast default - enables PortFast on all interfaces (except trunks; to enable it on a trunk you must specifically configure portfast trunk).

UplinkFast
(config)# spanning-tree uplinkfast
Switches to an alternate port in the event of a directly connected root port failure.
Sets a high root priority (49152) and a high port cost (3000) so that ports do not become designated.

BackboneFast
With this feature enabled, once the switch receives an inferior BPDU (higher cost, meaning there was a root port failure further upstream) it sends an RLQ request looking for an alternate path and resets MaxAge to 0. BackboneFast only activates if the inferior BPDUs come from the designated bridge, so there is no issue if a new switch that does not know the root joins the topology.

BPDU filter - Disregard BPDUs on edge ports: spanning-tree bpdufilter enable. When configured globally together with PortFast (spanning-tree portfast bpdufilter default) it only filters outgoing BPDUs, and the port will automatically go from edge to P2P when it receives BPDUs.


BPDU guard - Puts the port in an inconsistent (errdisabled) state if a BPDU is received on an edge port. Interface: spanning-tree bpduguard enable. If the errdisable recovery timer is disabled, you have to manually shut the port and bring it up again. You can change this with the command errdisable recovery cause bpduguard and set the timer with errdisable recovery interval.

Loop Guard - spanning-tree loopguard default / spanning-tree guard loop - protects against cases of failure of just one side of the link, just like UDLD but using BPDUs.

Root Guard - Sets the STP instance to disabled on an interface when it receives a superior BPDU on that interface. spanning-tree guard root

Multiple Spanning-Tree Protocol
spanning-tree mst configuration - mapping instances and VLANs
spanning-tree mode mst - setting MST
Automatically uses RSTP two-way BPDUs in which there is a proposal and a response.

RSTP
Avoids the listening process by using a proposal and response format. Link types:
- point-to-point: full duplex, no edge ports
- shared: half duplex / connected to a hub
- edge: connected to end devices, enabled by PortFast
Port roles:
- root
- designated
- alternate - like UplinkFast (backup to the root port)
- backup - backup to the designated port on the same segment
Port states:
- discarding
- learning
- forwarding

MSTP with multiple regions


Same region means the same VLAN-to-instance mappings, the same revision number and the same region number.
Inter-region operations behave like a hidden cloud that collapses to a virtual bridge with respect to other regions.
CST - common spanning tree (inter-region)
IST - intra-region
IST - MST instance 0. Special instance to which all VLANs belong by default and which is the one that sends BPDUs and represents the region.
The CST root (common spanning tree root among regions) must always be in an MST region and not in a PVST or RSTP region that does not run MST.

Flex Links
switchport backup interface
switchport backup interface {interface} mmu primary vlan - allows the MAC table to move to the backup interface and be advertised

2. FRAME RELAY

NBMA - no native broadcast
Multipoint vs point-to-point: multipoint requires address resolution (in the case of Frame Relay, resolving the destination IP to a local DLCI)
DLCI - link-local L2 address
LMI - Local Management Interface, communicates with the Frame Relay switch and queries information about the circuit. Circuit states: active, inactive, deleted (wrong DLCI), static (LMI disabled)
Address resolution - dynamic (Inverse ARP) or static (frame-relay map)
show frame-relay map: equivalent to show arp
Inverse ARP is automatically enabled whenever the configured L3 protocol supports it (IPv4 does, IPv6 and CLNS do not). Inverse ARP does not check whether the L3 address is on the same subnet.
Static mapping - frame-relay map ip {ip} {DLCI}; when configured it disables all Inverse ARP for the (circuit, protocol) pair


Auto config - the router automatically attempts to get an address, and in order to do so it will learn the encapsulation (only when it does not have a config).
TIP: this is significant because while loading, the router can create Inverse ARP mappings to 0.0.0.0 destinations which can later cause problems at L3. In this case, you should save your config and reload.

show frame-relay pvc - circuit status

When broadcast is enabled on a circuit and a packet handed down from L3 is broadcast or multicast, it is sent as pseudo-broadcast. The broadcast keyword on the mapping does not refer to the mapping itself; it refers to the whole (circuit, protocol) pair.

Point-to-point subinterfaces do not perform Inverse ARP and do not allow static mappings, because every packet will be sent out the same circuit.

Frame Relay switch -
Globally enable frame-relay switching. Per interface define encapsulation frame-relay and frame-relay intf-type dce.
Then there are 2 ways of configuring the CC:
- Legacy - per interface: frame-relay route {in-dlci} interface {int} {out-dlci}
- Current - global: connect {name} {interface-1} {DLCI-1} {interface-2} {DLCI-2}

Back-to-back Frame Relay -
Directly connected, no switching, no LMI

End-to-end keepalives
map-class frame-relay {name}
 frame-relay end-to-end keepalive mode reply | request | passive-reply | bidirectional
Can be applied on an interface with frame-relay class or on a circuit with the class command

3. PPP

LCP - Link Control Protocol
Each higher-layer protocol has its own control protocol
IP negotiation learns the address of the neighbor and installs it in the routing table as a /32 prefix (besides the normal connected route)

PAP


One-way process
ppp authentication pap - request for credentials
ppp pap sent-username {user} password {pass} - response providing credentials

CHAP
Because the passwords are hashed, they have to match on both sides
ppp authentication chap
username {other router} password {shared password}

PPP over other protocols
interface virtual-template
frame-relay interface-dlci {DLCI} ppp Virtual-Template {number}

PPP multilink -

PPPoE
Server side -
interface virtual-template
bba-group pppoe
 virtual-template
interface fa 0/0
 pppoe enable group

Client side -
interface dialer
 encapsulation ppp
 ip address
 dialer pool
 dialer-group | dialer persistent
interface fa 0/0


 pppoe-client dial-pool-number
ip mtu 1500 - make Ethernet support fragmentation

Transparent bridging
bridge 1 protocol ieee
interface fa 0/0
 bridge-group 1
no ip routing
show bridge 1 group

IRB
bridge 1 irb
bridge 1 route ip
bridge 1 bridge ip
interface BVI 1
 ip address X.X.X.X (from the bridge domain)

Fallback bridging
Feature on Catalyst switches that bridges legacy protocols while routing IP and IPv6
bridge 1 protocol vlan-bridge
interface vlan 1
 bridge-group 1

4. PROTOCOL INDEPENDENT ROUTING

Process switching - lookup for every packet
Fast switching - caches entries once it has forwarded a packet


CEF - builds its table automatically from the routing table
show ip cef exact-route {source} {destination} - shows which path the packet will take
Static route to an interface on a multipoint interface - attempts to resolve the final destination (through ARP, for example)
ip default-gateway: only with ip routing turned off
ip default-network: classful network not directly connected, tagged as default in routing advertisements

ODR
Uses CDP to advertise routing. On the hub you configure router odr; on the spokes you only have to ensure CDP is on. The hub advertises itself as default gateway and learns the networks connected to the spokes. No routing protocols can be running on the spokes.

Backup interface -
Configured on the primary interface; the backup's line protocol goes up only when the primary goes down
backup interface {interface}

Enhanced tracking
ip sla monitor 1
 type {action}
 frequency
ip sla monitor schedule 1 start-time
track 1 rtr 1 / line-protocol / etc.
Many options for both IP SLA (ICMP echo, TCP connect, etc.) and for track objects

Policy routing
ip policy
Local traffic - ip local policy
set ip next-hop verify-availability 10.0.0.138 track 6

GRE
IP protocol 47


Default tunnel mode gre ip
Recursive routing failure - when a route for the tunnel destination is received through the loopback
Keepalive - tracks reachability to the destination (pings the destination from the source), can be used to track connectivity. An option for reliable routing is configuring the secondary interface as backup to the tunnel; it then comes up when the tunnel goes down, which means reachability went down (even if the physical interface is up).

5. RIP

UDP port 520
RIP version 1 - classful, broadcast
RIP version 2 - classless, multicast 224.0.0.9
Version 1 - if it receives a subnetted prefix it assumes the mask is that of the interface on which the prefix is received, or the classful summary
To change the version per link, configure on the interface: ip rip send|receive version
Split horizon: enabled by default on all interfaces except the main interface of Frame Relay

Timers
Default -
Update 30
Invalid 180
Hold-down 180
Flush 240
Sleep - delays the regular update for this time after receiving a triggered update
Global (router rip): timers basic; interface: ip rip advertise
flash-update-threshold - suppresses the flash update if the regular update is due in this time or less
output-delay - delays the time between packets in the same update
neighbor x.x.x.x - enables unicast updates
passive-interface - suppresses only multicast/broadcast updates


Metric
Hop count - 15 maximum
The metric is incremented by a hop on the outbound update
offset-list 0|acl out|in {number of hops to add} {interface}

Authentication
interface e0/0
 ip rip authentication mode text|md5
 ip rip authentication key-chain {key-chain}

Summarization
Interface:
 ip summary-address rip
Cannot advertise supernets (only summarizes up to the classful boundary)

Filtering
Useful because it can filter based on prefix lists
When you filter based on extended access lists, the source address is the one that appears as the source, not the next hop. You can also filter on the source with prefix lists by using distribute-list {prefix matching} gateway {neighbor matching}

Default route
default-information originate {route-map}
Advertises 0.0.0.0/0 - by specifying a route map we can set the interface and match addresses, in which case it will only advertise the default if the specified addresses are in the routing table.

Triggered updates -
interface e0/0
 ip rip triggered
Disables regular updates and sends only triggered updates on that particular interface


validate-update-source - checks that the update comes from a valid source (same subnet as the interface). By default no check is performed on unnumbered interfaces.

6. EIGRP

- IP protocol 88
- 224.0.0.10 multicast for establishing adjacencies
- RTP (own transport protocol)
- uses unicast in normal operation of the protocol (except for updates)
- AS number fundamental to establishing adjacencies (not merely local)
- queue count should be 0 between neighbors (show ip eigrp neighbors)
- debug eigrp packets
- feasible successors - successors with a lower AD than my FD
- show ip eigrp topology - shows successors and feasible successors

Auto-summary
Creates a null route for the summary

Packet types
Mixed multicast and unicast
Hello - multicast to 224.0.0.10. Can be changed with the neighbor command. Not reliable (does not wait for an ACK)
Ack - always unicast, basically a hello packet with no data and a non-zero ack number
Update - unicast when advertising the topology to a new neighbor, multicast for regular updates. Uses RTP
Query - multicast when looking for a route, unicast when replying that there is no route. Uses RTP
Reply - unicast reply to a query with the route

Timers
Hello - interval for sending hellos. Default 5 for fast links, 60 for slow. Configured under the interface: ip eigrp hello-time / ip hello-interval eigrp


Hold time - sent in the hello; tells the neighbor how long to wait before declaring me unreachable. Default 15 for fast and 180 for slow. Configured under the interface: ip eigrp hold-time / ip hold-time eigrp

Authentication
- supports only MD5
- key number must match
interface
 ip authentication mode eigrp {as} md5
 ip authentication key-chain eigrp {as} {key-chain}
Time-based:
On the key chain use send-lifetime and accept-lifetime
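An added example, not from the notes, of what send-lifetime and accept-lifetime must look like for a key rollover to survive clock skew between peers. It assumes the sender uses the lowest-numbered key whose send-lifetime is currently valid; the chains and times are constructed.

```python
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional


class Key(NamedTuple):
    key_id: int
    accept_start: datetime
    accept_end: datetime
    send_start: datetime
    send_end: datetime


def key_to_send(chain: List[Key], now: datetime) -> Optional[Key]:
    """Assumption: the lowest-numbered key whose send-lifetime covers 'now' is used."""
    valid = [k for k in chain if k.send_start <= now < k.send_end]
    return min(valid, key=lambda k: k.key_id) if valid else None


def would_accept(chain: List[Key], key_id: int, now: datetime) -> bool:
    """The receiver looks up the key number carried in the packet and checks
    that its accept-lifetime covers the receiver's own clock."""
    return any(k.key_id == key_id and k.accept_start <= now < k.accept_end for k in chain)


def rollover_gaps(sender: List[Key], receiver: List[Key], start: datetime,
                  end: datetime, step: timedelta, receiver_skew: timedelta) -> List[datetime]:
    """Walk the window and report each sender-clock instant at which the packet
    would be rejected: no valid send key, or the chosen key number outside the
    receiver's accept-lifetime once the receiver's clock offset is applied."""
    gaps = []
    t = start
    while t < end:
        k = key_to_send(sender, t)
        if k is None or not would_accept(receiver, k.key_id, t + receiver_skew):
            gaps.append(t)
        t += step
    return gaps


def hhmm(hour: int, minute: int = 0) -> datetime:
    return datetime(2018, 4, 3, hour, minute)


FAR = datetime(2038, 1, 1)

# Constructed chains (not from the notes). Key 1 stops being sent at 12:00, key 2 starts.
# GOOD: key 1 stays accepted 30 min past the switch and key 2 is accepted 30 min before
# it, so a peer whose clock is off in either direction still authenticates.
GOOD_CHAIN = [
    Key(1, datetime.min, hhmm(12, 30), datetime.min, hhmm(12)),
    Key(2, hhmm(11, 30), FAR, hhmm(12), FAR),
]
# BAD: accept-lifetime equals send-lifetime on both keys; the peers must switch at
# exactly the same instant, which any clock skew breaks.
BAD_CHAIN = [
    Key(1, datetime.min, hhmm(12), datetime.min, hhmm(12)),
    Key(2, hhmm(12), FAR, hhmm(12), FAR),
]


def check(receiver_chain: List[Key], skew_minutes: int = 0) -> List[datetime]:
    """Sender uses GOOD_CHAIN; the receiver's clock runs skew_minutes ahead."""
    return rollover_gaps(GOOD_CHAIN, receiver_chain, hhmm(11), hhmm(13),
                         timedelta(minutes=5), timedelta(minutes=skew_minutes))


if __name__ == "__main__":
    for skew in (0, 5, -5):
        print(f"skew {skew:+d} min: good chain gaps {check(GOOD_CHAIN, skew)}, "
              f"bad chain gaps {[t.strftime('%H:%M') for t in check(BAD_CHAIN, skew)]}")
```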

Metric
Bandwidth - 10^7 * 256 / lowest link bandwidth
Delay - 256 * total delay
Load
Reliability
MTU
AD - the metric as calculated by the next-hop neighbor. If it is better than my FD, the neighbor will be a feasible successor
Best practice is modifying delay for traffic engineering purposes, since it is cumulative

Unequal load sharing
Only considers feasible successors
router eigrp
 variance X
 traffic-share balanced (on by default)
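The metric and feasibility rules above, worked as an added example that is not part of the original notes: the composite metric with default K values, the feasible-successor test (reported distance strictly below the FD) and what variance actually installs. Neighbor names, bandwidths and delays are constructed sample values.

```python
from typing import List, NamedTuple


class Path(NamedTuple):
    via: str                  # next-hop neighbor
    min_bw_kbps: int          # lowest bandwidth along the path, kbps (the "lowest link")
    total_delay_tens_us: int  # sum of interface delays along the path, in tens of microseconds
    reported_distance: int    # the neighbor's own metric to the destination (AD / RD)


def eigrp_metric(min_bw_kbps: int, total_delay_tens_us: int) -> int:
    """Classic composite metric with default K values (K1=K3=1, K2=K4=K5=0):
    256 * (10^7 / lowest bandwidth) + 256 * total delay, using integer division as IOS does."""
    if min_bw_kbps <= 0 or total_delay_tens_us < 0:
        raise ValueError("bandwidth must be positive and delay non-negative")
    return (10_000_000 // min_bw_kbps) * 256 + total_delay_tens_us * 256


def path_metric(p: Path) -> int:
    return eigrp_metric(p.min_bw_kbps, p.total_delay_tens_us)


def successor(paths: List[Path]) -> Path:
    """Lowest computed metric; that metric becomes the feasible distance (FD)."""
    return min(paths, key=path_metric)


def feasible_successors(paths: List[Path]) -> List[Path]:
    """Feasibility condition: the neighbor's reported distance must be strictly
    lower than the FD. Equal is not enough; the strict check is what guarantees
    the neighbor is not downstream of us and so cannot form a loop."""
    best = successor(paths)
    fd = path_metric(best)
    return [p for p in paths if p != best and p.reported_distance < fd]


def load_sharing_paths(paths: List[Path], variance: int) -> List[str]:
    """Paths installed with 'variance N': the successor plus every feasible
    successor whose own metric is <= N * FD. A path that fails the feasibility
    condition is never used, however large the variance."""
    best = successor(paths)
    fd = path_metric(best)
    chosen = [best] + [p for p in feasible_successors(paths) if path_metric(p) <= variance * fd]
    return [p.via for p in chosen]


# Constructed sample: three neighbors advertising the same destination (not from the notes).
PATHS = [
    # two FastEthernet hops: 100 Mbps, delay 100 us + 100 us; R2's own metric is one hop
    Path(via="R2", min_bw_kbps=100_000, total_delay_tens_us=20, reported_distance=28_160),
    # bottleneck 10 Mbps Ethernet (1000 us) then FastEthernet (100 us); R3 is one FastE hop from it
    Path(via="R3", min_bw_kbps=10_000, total_delay_tens_us=110, reported_distance=28_160),
    # R4 reports a distance equal to our FD: fails the strict '<' check
    Path(via="R4", min_bw_kbps=100_000, total_delay_tens_us=30, reported_distance=30_720),
]

if __name__ == "__main__":
    best = successor(PATHS)
    print("successor", best.via, "FD", path_metric(best))
    print("feasible successors", [p.via for p in feasible_successors(PATHS)])
    for v in (1, 2, 10):
        print(f"variance {v}: {load_sharing_paths(PATHS, v)}")
```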

EIGRP summary and leak maps


Summarization helps not only in reducing routing table size but also in reducing the number of queries - routers don't send queries for subnets they never had in their routing tables. Besides, it can be used for traffic manipulation with leak maps, because you can advertise both a summary and longer matches to specific neighbors.

Stub routers
router eigrp 100
 eigrp stub
Does not receive any query messages, and does not advertise any routes from neighbors to other neighbors by default. The default option is stub connected summary - only those routes are advertised to neighbors. Therefore, though we don't pass on routes from neighbors, we can summarize and pass on those prefixes.
eigrp stub leak-map

Default distribution
The command default-information controls only the accepting of default routes in EIGRP, not the distribution.
In order to actually distribute default information we have to obtain such a network, and then distribute it with either the network command (for the 0.0.0.0 net) or ip default-network (for any network).

Filtering
distribute-list {standard|extended ACL} | prefix-list {name} | route-map {name} in - an extended ACL matches the source (neighbor); a route map can also match tags or metric

Router ID: essentially a mechanism for preventing loops in redistributed routes, so that redistributed routes never go again through the same router
router eigrp xxxx
 eigrp router-id

Important review!!!!


router eigrp xxx
 eigrp router-id
 metric maximum-hops
 distance eigrp {internal} {external}
 log-neighbor-changes
 log-neighbor-warnings {minutes}
 timers active-time {minutes} | disabled

OSPF
- link state
- Dijkstra
- only works as link state for the intra-area topology
- the most specific match for the network statement determines which area the interface is in
- transport: IP protocol 89
- hello multicast to 224.0.0.5/224.0.0.6 or unicast

Parameters for forming an adjacency:
Common
- interface area ID
- intervals
- interface MTU
- interface network address
- network type
- authentication
- stub flags
Unique
- router ID
- IP address of the interface

OSPF ADJACENCY
Down
Init - a hello has been received but it did not yet contain our router ID, meaning the neighbor has not acknowledged that it received our hello
2-Way - bidirectional communication is present (we see each other's IDs in our hellos)
ExStart - negotiating the adjacency and checking for matching parameters
Exchange - exchanging databases
Loading
Full

Basic LSAs (intra-area)
Router LSA
The advertisement of its links depends on the network type of the link. For loopback interfaces, the link is stub with a /32 address advertised. For P2P interfaces, if there are no neighbors it is a stub; if there are neighbors it is point-to-point. For broadcast networks, it is advertised as transit and it contains the address of the DR.
LSA type 1 - router LSA
LSA type 2 - network LSA, advertised by the DR

Network types
Network broadcast
- elects DR and BDR
- DR and BDR form full adjacencies with all routers. Other adjacencies remain 2-WAY.
- routers send their LSUs to the DRs on 224.0.0.6 and the DRs flood to 224.0.0.5
- the DR is chosen by priority and router ID, but there is no preemption, meaning ultimately what matters most is the start time of the OSPF process. Best practice is configuring priority 0 on those routers we don't want to be DR or BDR.
interface fa 0/0
 ip ospf priority 0

Network non-broadcast
Behaves just like broadcast, but neighbors must be defined statically. We must remember that in order for this to work properly there must be a full-mesh L2; otherwise we run into issues with DR election, and even if we make the hub the DR, since the DR doesn't change the next hop, we still won't have connectivity between the networks behind the spokes.

Point-to-multipoint
Neighbors are discovered dynamically and each adjacency is treated separately as a P2P link. No DR/BDR is elected.

Point-to-point
Similar to multipoint, but supports only two neighbors on the link. Network types are compatible between them if the DR election process is the same. However, care must be taken that the other parameters match as well.
Important: if the network types don't agree on DR/no DR, adjacencies will form; however, the databases will not be truly synchronized (the LSAs will differ in their view of the network), and therefore no routes will be installed.

Point-to-multipoint non-broadcast
Same as multipoint; however, neighbors must be statically defined. It is useful in order to define a per-neighbor cost.
router ospf XXXX
 neighbor y.y.y.y cost {cost}

Loopback network
Always advertised as /32 independently of the subnet mask on the loopback itself

Path selection
- cost is 100,000,000 / BW in Cisco's implementation
- the reference bandwidth can be changed:
router ospf xxx
 auto-cost reference-bandwidth
O > O(IA) > O(E1) > O(E2) > O(N1) > O(N2)


O(IA): when a router receives an IA route, it adds the cost advertised in the summary to the cost it calculates through SPF to the ABR, and that is the cost to the destination.
O(E2): the cost is comprised basically only of the metric advertised by the ASBR, which by default is 20. If there is a tie, the tie-breaker is the forward metric, which is the cost from the router to the ASBR. If the ASBR is in another area, there will be type 4 LSAs from the ABR describing it.

Timers
Default 10 for hello, 40 for dead - broadcast and point-to-point
Default 30 for hello, 120 for dead - other network types
interface fastethernet 0/0
 ip ospf hello-interval
 ip ospf dead-interval
OR
 ip ospf dead-interval {minimal hello-multiplier {y} | xxx}
Minimizing timers past a certain point can raise CPU usage and cause flapping of adjacencies. The best option would probably be to implement BFD.

OSPF authentication
Can be configured at the area level or at the link level. However, the password or key itself is always configured under the link.
interface fa
 ip ospf message-digest-key X md5 {password}

OSPF summarization
Generated only at points where it does not influence SPF
- ABR: area {area} range {address} {mask}
- ASBR: summary-address {address} {mask}
Generates a summary route to Null0; can be disabled with no discard-route {external|internal}
The cost of a summarized route is by default the cost of the lowest of the subnets. To change the behavior to that of RFC 2328, where it should be the highest metric, you must issue no compatible rfc1583


Stub areas
The stub flag must match for adjacencies to form
Stub area - removes LSA 5 and LSA 4 and advertises instead a default within an LSA 3: area {x} stub
Totally stubby area - also removes type 3 LSAs and replaces them with a default: area {x} stub no-summary - only needs to be configured on the ABR
NSSA - generates type 7 LSAs. Does not generate a default route automatically - only if you issue area {x} nssa default-information-originate. NSSA areas won't accept external routes that did not come from an ASBR in their own area. Once a type 7 LSA gets to the ABR, it is translated to a type 5 LSA. NOTICE: this LSA contains the original address of the ASBR, and it is preserved when translated (unlike a normal type 5 in which the LSA says 0.0.0.0)
Totally not-so-stubby area - same as NSSA but filters summaries as well

Filtering
- area {x} filter-list prefix {xxxx} in|out
Area is the area it applies to, and out/in is the direction: out towards area 0 or in from area 0
interface e 1/0
 ip ospf database-filter all out
OR
router ospf {x}
 neighbor {x.x.x.x} database-filter all out - the network must be configured as point-to-point or point-to-multipoint
If we need to suppress the forwarding address and set it to the type 7 to type 5 translator, we define:
area {x} nssa translate type7 suppress-fa

Miscellaneous
router ospf XXX
 ignore lsa mospf - ignore syslog for LSA type 6
 timers pacing retransmission {sec} - time in the queue between consecutive updates (including retransmitted ones)


interface fa 0/0
 ip ospf retransmit-interval - time the process waits on this interface before retransmitting an LSA that wasn't acknowledged
summary-address x.x.x.x y.y.y.y not-advertise - a different way of filtering a prefix (only on an ASBR)
area 0 range x.x.x.x y.y.y.y not-advertise - same as above for IA routes on an ABR
max-lsa -
redistribute maximum-prefix - both this and max-lsa have options for either issuing a warning or ignoring routes after the maximum prefix number: {warning-only} {percentage-threshold}

REDISTRIBUTION
- route redistribution occurs from the routing table, not the underlying databases. The redistribute command takes the routes learned from a particular protocol + the subnets of the interfaces included in that protocol
- when a manual redistribute connected is issued, the interfaces don't get advertised anymore by redistribute {protocol}
- RIP and EIGRP forward information from the routing table only in their advertisements, while in OSPF and BGP the advertisements come from their respective databases

Redistribution into RIP
- does not differentiate between external and internal routes
- does not have a default metric, therefore it must be specified on the command redistribute {protocol} metric or with default-metric

Redistributing into EIGRP
- external routes AD 170 / internal 90
- uses the router ID for additional loop prevention
- no default metric unless redistribution is from another EIGRP/IGRP process


Redistributing into OSPF
- same AD for external/internal by default, but it can be changed
- O > O(IA) > E1 > E2 > N1 > N2
- defaults to metric 20 and metric type E2
- must use the subnets keyword so that not only the classful network is advertised
- O(E2) - the metric remains as advertised by the ASBR (the internal cost is not added). Only if there is a tie is the internal cost considered
- O(E1) - preferred over E2; the cost is the sum of the internal cost to the ASBR and the metric advertised by the ASBR.

Redistributing into BGP
- uses the origin code to recognize redistributed routes
- does not redistribute external OSPF routes by default
- when redistributing BGP into an IGP, by default only eBGP is redistributed

Preventing loops
- two general kinds of loops: metric loops within the same protocol, and AD loops among different protocols
- with distance vector protocols, since the information is distributed from the routing table, we can run into the case where a router receives an update but does not redistribute it because it was not installed in the routing table. For EIGRP we will see FD unreachable
Metric issue 1:
In RIP, which does not differentiate between internal and external routes, you can get a redistributed route back through another redistribution point with a better metric. The best solution is tagging routes so that they don't get redistributed again.
AD issue:
When a route is received on a looped path with a lower AD, the higher-AD route is withdrawn, then the other one as well, which makes the higher-AD route reinstall, and so on.
ip route profile - measures routing table stability
distance {x} {source} {ACL}


BGP
- the difference between policy and metric mainly lies in that while a metric is based on the topology and the path, attributes are assigned to a destination
- if both speakers begin their TCP process simultaneously, the higher ID becomes CLIENT

EBGP
- neighbor {x.x.x.x} ebgp-multihop - increases the TTL beyond the default (1)
- neighbor {x.x.x.x} ttl-security hops {y} - increases the TTL but also implements security (packets are discarded if the TTL is incorrect)
- neighbor {x.x.x.x} disable-connected-check - disables the connectivity requirement for EBGP without increasing the TTL
- the next hop is set to my update-source for that particular neighbor
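An added example (not from the notes) contrasting the two commands above: ebgp-multihop only raises the TTL that is sent, while ttl-security hops N rejects any packet whose TTL on arrival is below 255 - N, so a distant source cannot reach the session whatever TTL it sets. The packet samples are constructed.

```python
from typing import Dict, List, NamedTuple

MAX_TTL = 255


class BgpPacket(NamedTuple):
    peer: str
    routers_between: int  # routers the packet crossed before reaching us (constructed)
    sent_ttl: int         # TTL the source put on the packet


def received_ttl(pkt: BgpPacket) -> int:
    """Every router on the path decrements the TTL by one; a packet whose TTL
    would reach 0 in transit is dropped there and never arrives."""
    return max(pkt.sent_ttl - pkt.routers_between, 0)


def accept_ebgp_multihop(pkt: BgpPacket) -> bool:
    """'neighbor x ebgp-multihop N' only raises the TTL we send. On receipt the
    session accepts anything that arrived, so the peer's distance is not enforced."""
    return received_ttl(pkt) >= 1


def accept_ttl_security(pkt: BgpPacket, hops: int) -> bool:
    """'neighbor x ttl-security hops N': peers send TTL 255 and a packet is
    accepted only if it arrives with TTL >= 255 - N. A source more than N routers
    away cannot satisfy that, because it cannot send a TTL above 255."""
    if not 1 <= hops <= 254:
        raise ValueError("hops must be 1-254")
    return received_ttl(pkt) >= MAX_TTL - hops


def classify(packets: List[BgpPacket], hops: int) -> Dict[str, bool]:
    """Per-peer verdict under ttl-security hops N."""
    return {p.peer: accept_ttl_security(p, hops) for p in packets}


# Constructed sample packets (not from the notes).
PACKETS = [
    BgpPacket("direct-peer", routers_between=0, sent_ttl=255),
    BgpPacket("peer-3-routers-away", routers_between=3, sent_ttl=255),
    BgpPacket("far-host-max-ttl", routers_between=6, sent_ttl=255),
    BgpPacket("far-host-low-ttl", routers_between=6, sent_ttl=10),
]

if __name__ == "__main__":
    for hops in (1, 3):
        print(f"ttl-security hops {hops}:", classify(PACKETS, hops))
    print("ebgp-multihop accepts:", [p.peer for p in PACKETS if accept_ebgp_multihop(p)])
```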

    IBGP

    -TTL default 255

    -does not advertise IBGP routes to IBGP neighbors

    -does not modify NEXT_HOP by default

    PEERING

    -uses the update source of whatever outgoing interface the routing table assigns (unless configured)

    -negotiation settles on lower timers

    -IDLE

    -CONNECT

    -ACTIVE

    -OpenSent

    -OpenConfirm

    -Established

    4-BYTE AS

    -Format 0.0-65535.65535


    -versions that do not support 4-byte AS numbers see a 4-byte AS as 23456

    IBGP rules

    -local-as can be set for a specific neighbor: neighbor {x.x.x.x} local-as {AS} [dual-as]

    -dual-as makes the router accept the session with both its global AS and the local one

    -peer-group {name}

    -neighbor x.x.x.x peer-group {name}

    -show ip bgp {x.x.x.x}- shows also routes that are inaccessible

    -neighbor x.x.x.x|peer-group next-hop-self - changes next-hop to whatever update-source is used towards that neighbor

    -next-hop can also be set with route-map to a third party
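Added example for the EBGP and IBGP notes above; this is not configuration from the original notes. Constructed values: local AS 65001, a directly connected EBGP neighbor 192.0.2.2 in AS 65002, IBGP peers reachable at loopbacks 10.255.0.2 and 10.255.0.3, and placeholder MD5 keys.

```cisco
! Added example, not from the original notes. Constructed values: local AS 65001,
! EBGP neighbor 192.0.2.2 in AS 65002 (directly connected), IBGP peers reachable
! at loopbacks 10.255.0.2 and 10.255.0.3, and placeholder MD5 keys.
router bgp 65001
 bgp log-neighbor-changes
 !
 ! EBGP, directly connected. ttl-security (GTSM) is used instead of
 ! ebgp-multihop: the router only accepts packets whose TTL is at least
 ! 255 - hops, so a session attempt from anywhere further away is discarded
 ! before the TCP stack sees it. The two commands cannot be combined.
 neighbor 192.0.2.2 remote-as 65002
 neighbor 192.0.2.2 ttl-security hops 1
 neighbor 192.0.2.2 password EBGP-KEY-PLACEHOLDER
 !
 ! IBGP peers share one peer-group, so the outbound policy is evaluated once
 ! and sent to both. The session is sourced from Loopback0, and next-hop-self
 ! rewrites NEXT_HOP of EBGP-learned prefixes to that same update-source, so the
 ! IBGP peers do not need a route to the external 192.0.2.0/30 link.
 neighbor IBGP_PEERS peer-group
 neighbor IBGP_PEERS remote-as 65001
 neighbor IBGP_PEERS update-source Loopback0
 neighbor IBGP_PEERS next-hop-self
 neighbor IBGP_PEERS password IBGP-KEY-PLACEHOLDER
 neighbor 10.255.0.2 peer-group IBGP_PEERS
 neighbor 10.255.0.3 peer-group IBGP_PEERS
```

show ip bgp neighbors 192.0.2.2 shows the minimum incoming TTL the session now requires, and show ip bgp neighbors 10.255.0.2 shows the update source and next-hop-self flags inherited from the peer-group.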

    Route Reflector

    -centralized

    -loop prevention through cluster-id and originator-id

    -non-client peer are advertised only to ebgp peers and clients

    -best practice for RRs is applying a peer group to client routers, so that the RR does not need to run path selection multiple times

    -show ip bgp regexp $-locally originated

    -If we have multiple RRs in the same cluster, we should manually set the cluster-id to be the same to prevent loops (they aren't going to loop in the data plane, just the updates)

    router bgp x

    bgp cluster-id {id}

    -One of the issues that may arise when configuring multiple RRs is that they may not agree on best-path selection if left to chance

    BGP confederation

    Confederation identifier- True AS

    Confederation peers - remote ASes that belong to the same confederation

    -Next hop is not changed when advertised to a confederation ebgp peer


    -TTL is set to 1 by default, just like true EBGP

    bgp bestpath med confed - include MED in intra-confederation path selection

    local-as vs no-export - If we set community no-export, routes will still be advertised to confederation peers and only withheld from true EBGP peers. With the local-as community, they won't be advertised to confederation EBGP peers either

    Router Advertisement

    -metric is inherited from the IGP metric (both when configured with a network statement and with redistribute)

    -network statement is installed as origin I

    -for network statement to be installed, there must be exact match on routing table

    -redistribute is installed as Incomplete (?)

    -metric is non transitive, so will not be forwarded beyond 1 ebgp neighbor

    Aggregation

    -aggregate-address x.x.x.x y.y.y.y summary-only | suppress-map {name} - suppressed routes get status code s

    -neighbor x.x.x.x unsuppress-map {name} - similar to leak-map in EIGRP

    -attribute-map | route-map - at the end of the aggregate or network command, changes the attributes of the prefix locally

    -advertise-map - used to control which ASes are passed on when as-set is configured

    -bgp inject-map {xxx} exist-map {yyy} - generates longer prefixes from an aggregate

    Best-Path

    -Weight, Local Preference, Locally originated, As-Path, Origin, Metric, Ebgp vs Ibgp, IGP Metric

    -If all of the above are equal, BGP looks at the maximum-paths configured to decide whether to install multiple routes.

    -Even if multiple routes are installed only one will be chosen as best (based on tie breakers) and advertised to neighbors

    -Outbound traffic is easy to influence through weight and Local Preference; however, inbound traffic is harder to influence because metric is not transitive and with AS-Path prepending you also have little control.


    -A partial solution to inbound traffic engineering is provided by agreements about setting policy through communities. That way, I can influence the local preference that an ISP assigns to my prefixes through a community that I signal

    -ip bgp-community new-format - sets display to AA:NN

    -well-known communities: no-export, no-advertise and local-as (like no-export but also includes confederation EBGP peers)

    -a community can be set in a route-map, but it must be matched from inside a community-list

    -send-community must be specified for community values to be advertised
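Added example of the community-signalled local preference described above; this is not configuration from the original notes. Constructed values: customer AS 65001 announces 203.0.113.0/24 to ISP AS 65002 over 192.0.2.0/30, and the agreed signal is that community 65002:80 means "set local preference 80 on this prefix".

```cisco
! Added example, not from the original notes. Constructed values: customer
! AS 65001, ISP AS 65002, link 192.0.2.0/30, signalled community 65002:80.
!
! --- Customer router (AS 65001) ---
ip bgp-community new-format
ip prefix-list BACKUP_PREFIX seq 5 permit 203.0.113.0/24
!
route-map TO_ISP permit 10
 match ip address prefix-list BACKUP_PREFIX
 set community 65002:80
route-map TO_ISP permit 20
 ! everything else leaves untagged
!
router bgp 65001
 neighbor 192.0.2.2 remote-as 65002
 neighbor 192.0.2.2 route-map TO_ISP out
 ! without send-community the attribute is stripped before the update is sent
 neighbor 192.0.2.2 send-community
!
! --- ISP router (AS 65002) ---
ip bgp-community new-format
! a route-map cannot match a community value directly: it matches a community-list
ip community-list standard CUST_LP80 permit 65002:80
!
route-map FROM_CUST permit 10
 match community CUST_LP80
 set local-preference 80
route-map FROM_CUST permit 20
 ! default: local preference stays at 100
!
router bgp 65002
 neighbor 192.0.2.1 remote-as 65001
 neighbor 192.0.2.1 route-map FROM_CUST in
```

On the ISP router, show ip bgp 203.0.113.0 should list the community 65002:80 on the prefix and a LocPrf of 80 instead of the default 100.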

    Filtering

    -extended access-lists can be configured to match a prefix as well (in this case the source matches the prefix and the destination matches the mask)

    -Order of filtering:

    -Inbound : filter-list, Route-map, distribute-list

    -Outbound: distribute-list, ORF, filter-list, route-map

    MPLS

    -4 byte header

    -LFIB: CEF table + labels

    -PE adds labels (label push)

    -label operations : push (add label), swap (forward towards new label), pop (remove tag)

    -neighbor discovery on UDP 646 to 224.0.0.2

    -neighbor adjacency on TCP 646 between routers, sourced with router-id

    -penultimate hop popping: instead of the PE having to do an MPLS lookup for incoming packets, the penultimate hop in the LSP pops the MPLS label and forwards the packet to the PE untagged

    -If we set next-hop-self and DO NOT set the loopback (LB) as next-hop in BGP, we are going to remove the label a step too early, which will result in traffic being dropped

    L3 VPNs


    -vpnv4 route: prefix+ RD

    -vpn label: from BGP VPNV4

    -transport label: label to the other PE

    -RIP and EIGRP are both established with global process and address families

    -On EIGRP the autonomous-system must be configured under the address family as well, since it can be different for the various address families

    -no bgp default route-target filter : do not discard vpnv4 prefixes if you don't have a corresponding RT - used on vpnv4 route reflectors

    -ospf is configured per process (no address families, each process is assigned to a VRF)

    -redistributed routes come in as IA routes. This is why, if we need to prefer them over other O routes, we need sham links

    -loopbacks for sham-links should NOT get advertised into OSPF

    IPV6

    -unspecified: ::/128

    -loopback: ::1/128

    -multicast: FF00::/8

    -link-local: FE80::/10

    -private: FC00::/7. FC00::/8 - 40-bit Global ID is assigned automatically by the router. FD00::/8 - assigned by a central registrar

    -Globally routable: 2000::/3. The first 48 bits are organizationally unique, the next 16 bits are the SLA (site level aggregation) for your purposes

    -Neighbor Discovery is built on ICMP and completely replaces ARP for broadcast networks

    -EUI-64 format: 64-bit, derived from the MAC: the 7th bit is inverted and the padding 0xFF 0xFE is inserted in the middle

    -Neighbor Solicitation and Neighbor Advertisement are like ARP; Router Solicitation and Router Advertisement are only for gateways

    -no equivalent on IOS to InARP, therefore static maps are always needed on multipoint FR

    -no proxy ND (all resolutions are static)


    -sdm prefer dual-ipv4-and-ipv6 necessary on most switches to support ipv6 unicast-routing

    -link-local address can be the same on multiple interfaces, therefore a route to a link-local address has to specify the exit interface

    -local routes - routes to a specific interface address with /128

    -next-hop on dynamic protocols is always the link-local address

    EIGRPv6

    -protocol 88 multicast FF02::A

    -process needs to be enabled per interface but also with no shutdown on global level

    -router-id is an ipv4 address

    OSPFv3

    -protocol 89 FF02::5 & FF02::6

    -ipv4 router-id

    -authentication uses ipv6 methods (including the ipsec that is in-built)

    -Type 8 Lsa: for link-local addresses

    -Type 9: Intra-Area prefix LSA

    -ipv6 ospf authentication ipsec spi {x} sha1/md5 {hex}

    MP-BGP IPv6

    -transport (neighborships) can be either ipv4 or ipv6, and that is unrelated to the NLRI advertisements, which are defined under the ipv6 address family

    -next-hop must be set to be from same address space (ipv4/ipv6) to be reachable

    IPV6 transitions

    -GRE

    -IPV6IP(protocol 41)

    -TEREDO tunnels (over UDP)-not implemented really on routers but on end hosts

    -6to4 : ipv6 addresses are assigned on a 2002:{ipv4 address in hex}::/48

    -ISATAP


    MULTICAST

    -IGMP host to router

    -PIM/MSDP

    IGMP

    -IGMP default version is 2

    -IGMP version 1 & 2 only allow {*,G} join, while IGMP version 3 allows {S, G}

    -ip igmp static-group : statically assigns a group

    PIM

    -protocol independent (does not advertise topology, relies on the IGP-calculated topology for loop prevention)

    -pim version 2 by default

    -version 1 sent queries embedded in IGMP, version 2 uses 224.0.0.13 protocol 103

    -dense mode: considered implicit join

    -sparse mode : considered explicit join

    -sparse-dense mode : sparse for groups with an RP, dense for others

    -MSDP: signaling between RPs

    -RPF check: checks to see if the multicast packet was received on the same interface as the outgoing interface for unicast forwarding to the source

    -in Multicast Routing Table {S,G} is preferred over {*,G}

    PIM DM

    -finds neighbors on 224.0.0.13

    -automatically enables IGMP

    -Assert message: used when there are multiple mcast routers on the same segment. The winner for the segment will be based on the lowest unicast metric to the source

    -Graft message: used for unpruning an interface which was previously announced as pruned

    PIM SM


    -register messages make the RP aware of the senders

    -join messages advertise the receivers

    -after packets start being forwarded, the shared tree (RPT) is switched to the SPT

    -RPF failures can be dealt with using static mroutes, or from MP-BGP

    -static mroutes are not chosen on longest match, but on ordered match. (Newer versions appear to fix this)

    -RPF is done also on PIM register messages (by the RP)

    -show ip mroute count

    Auto RP

    -mapping agent on 224.0.1.39 and listeners on 224.0.1.40; ip pim autorp listener (for those two groups, uses DM)

    -GRE tunnel can be used to avoid split-horizon issues or to send multicast over non-multicast-routing networks

    -ip pim spt-threshold infinity: do not switch to SPT

    BSR

    -RP candidate, bootstrap router (similar to mapping agent)

    Bi-Directional PIM

    -only allows shared trees (does not switch to SPT, and only installs {*,G})

    -ip pim bidir enable

    -ip pim rp-address x.x.x.x bidir

    SSM

    -no {*,G}, therefore no need for an RP

    -ip pim ssm default: uses the range reserved for source specific multicast

    -has to be configured with igmp version 3

    MSDP

    -used to communicate between RPs


    -can be used to provide for anycast

    -anycast is simply based on the same address being configured on several RPs; traffic is forwarded to the closest one on the shortest path according to the IGP

    -ip msdp peer x.x.x.x connect-source y

    -show ip msdp sa-cache: see entries learned from an msdp peer

    IPv6

    -MLD replaces IGMP, and is in-built on ICMPv6

    -FFXY::/8, x-flags, y-scope

    -FF02 are link-local scope, FF05 are site local, FF0E global

    -those values are defined on RFC but not enforced automatically on IOS (filtering is up to you)

    -PIM behaves similarly to ipv4 PIM but supports only sparse mode

    -by default when you enable ipv6 multicast-routing it is enabled on all ipv6 interfaces; to disable it on an interface you use no ipv6 pim

    -MLD version 1 is equivalent to IGMP version 2, version 2 is equivalent to IGMP version 3

    -RP can be configured either statically or with BSR (no auto-rp supported)

    -embedded rp : begins with FF7Y and embeds rp

    -instead of ip mroute: ipv6 route {prefix} {next-hop} multicast

    QOS

    -IntServ vs DiffServ: IntServ reserves bandwidth end to end for each flow, DiffServ classifies traffic into classes defined at the network edges

    -DSCP has 6 bits to manipulate, while IP precedence and L2 markings (MPLS EXP, CoS) have 3 bits

    -DSCP standard classes: default (0), EF (46), AF (AFxy) (x is 1-4, where higher is better; y is 1-3 drop precedence, where lower is better), CSx (x=1-7)

    -When configuring a policy-map, once a packet matches a class no further testing is done against other classes, therefore the order should be from more specific to less specific

    -match destination-address|source-address: mostly useful on ethernet sub-interfaces


    -ip nbar port-map: can create custom port mappings of our own for protocols. You can see associations through show ip nbar port-map

    -when configured as match-all, if matching is on same line it is still OR logic

    FIFO

    -disable fair-queuing

    -hold-queue out: configure depth of the queue

    FQ

    -fair queue starts from the lowest flow and allocates bandwidth equally to each flow, each time dividing the remaining difference equally

    -Weighted fair queuing operates similarly but weights each flow according to TOS

    CBWFQ

    -specifying weight manually (through bandwidth)

    Flow/Conversation Numbers - Weight - Description:

    -Below 2^N: Weight(i)=32384/(IP_Precedence(i)+1). Dynamic flows, unclassified traffic. This is the classic fair-queue.

    -2^N to 2^N+7: Weight(i)=1024. Link queues: routing updates, Layer 2 keepalives etc. Basically it is the traffic marked as PAK_PRIORITY inside the router.

    -2^N+8: Weight(i)=0. LLQ or the priority queue. CBWFQ always services this queue first, but de-queued packets are policed using the defined token bucket parameters.

    -Above 2^N+8: Weight(i)=Const*Interface_BW/Class_BW OR Weight(i)=Const*100/Bandwidth_Percent. User-defined classes. Those classes are treated by CBWFQ as the RSVP flows, with relatively low weights. Their weights are


    LLQ

    -priority class is always served best, policer is engaged only during congestion

    -equivalent to weight 0

    -in general, if you have multiple classes configured with priority they will share the same queue but can be policed differently

    WRED

    -designed for congestion avoidance in TCP. With tail drop, the issue that can arise is multiple retransmissions and global synchronization

    -assigns drop probability to prioritize high precedence traffic

    -parameters: minimum threshold, maximum threshold, mark probability

    -higher precedence traffic has higher minimum threshold

    -can also be configured to look at DSCP

    SHAPING

    -delays traffic to smoothen it

    -Bc/Tc=CIR (CIR measures time in sec, while Tc is in ms)

    -Be accumulates over idle periods

    POLICING

    -colors (conform, exceed, violate)

    -Two rate

    Frame relay Shaping

    Legacy:

    -frame-relay traffic-shaping

    -map-class

    MQC:

    -no frame-relay traffic-shaping command

    -map-class is configured, but only to insert on it the service-policy


    RSVP

    -path messages from source (Tspec, Rspec)

    -RESV messages from destination to source

    -ip rsvp bandwidth(on interface level)

    -used for MPLS -TE (outside scope of R&S)

    -assigns weight of its own to reserved queue

    -ip rsvp sender-host - configures the router to send PATH messages

    CATALYST QOS

    -enabled with mls qos

    -by default, when mls qos is enabled, markings made by previous devices are erased. The feature can be disabled with no mls qos rewrite ip dscp

    -trust boundaries can be established by mls qos trust cos|dscp|ip-precedence

    -mls qos map (dscp-cos, cos-dscp, dscp-mutation)

    -mls qos aggregate-policer

    -priority-queue out: similar to priority in MQC but without policer

    -srr-queue bandwidth shape

    SECURITY

    -an ip access-list applied on an interface does not affect locally generated traffic

    -established flag matches packets that are a response to a session already initiated

    -log: created in order to log traffic, causes packets to be process-switched

    -time based ACL:

    time-range {name}

    periodic|absolute

    access-list {xx} {arguments} time-range {name of time range}

    -lock and key- allows access with authentication


    -ip access-list resequence

    -access-list {x} dynamic {name of entry} {arguments}

    -must run the access-enable command to activate

    line vty

    autocommand access-enable host timeout {x}

    Reflexive ACL

    -on outbound ACL permit {statements} reflect {name}

    -on inbound ACL evaluate {name}

    -reflexive ACLs do not classify locally generated traffic (like all ACLs), so to permit incoming traffic that is a response to local traffic you must create a manual entry

    TCP Intercept

    -ip tcp intercept

    -ip tcp intercept mode watch|intercept (default intercept)

    -intercept proxies connections, watch only monitors them and sends RST for half-open

    -ip port-map: changes port-protocol associations

    CBAC

    -ip inspect name {name}

    -interface fa 0/0

    ip inspect {name} out|in

    -ip access-group {ACL} in

    ZBF

    -parameter-map type inspect | inspect protocol is used to configure general settings

    -class-map type inspect

    -policy-map type inspect

    -zone-pair

    service-policy type inspect

    -interface fa 0/0

    zone-member security {zone}
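Added example of the ZBF building blocks listed above, in the order they reference each other; this is not configuration from the original notes. Constructed values: Fa0/0 is the INSIDE zone, Fa0/1 the OUTSIDE zone, and the policy lets inside hosts initiate TCP/UDP/ICMP while nothing may be initiated inbound.

```cisco
! Added example, not from the original notes. Constructed values: Fa0/0 INSIDE,
! Fa0/1 OUTSIDE; inside may initiate TCP/UDP/ICMP, nothing initiated inbound.
!
! General inspection settings, referenced by name from the policy-map.
parameter-map type inspect PM_SETTINGS
 tcp idle-time 1800
 udp idle-time 60
!
! class-map type inspect: which traffic this policy covers
class-map type inspect match-any CM_OUTBOUND
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! policy-map type inspect: inspect = stateful, return traffic is allowed
! automatically; everything else crossing this pair is dropped and logged.
policy-map type inspect PM_INSIDE_TO_OUTSIDE
 class type inspect CM_OUTBOUND
  inspect PM_SETTINGS
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
!
! zone-pair: direction matters. No OUTSIDE->INSIDE pair exists, so that
! direction is denied by default (only the self zone is open by default).
zone-pair security ZP_INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM_INSIDE_TO_OUTSIDE
!
interface FastEthernet0/0
 zone-member security INSIDE
interface FastEthernet0/1
 zone-member security OUTSIDE
```

show policy-map type inspect zone-pair sessions lists the stateful sessions the inspect action created.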

    AAA

    -aaa new-model

    -aaa authentication login|enable default group {radius|tacacs+} {local|line|none}

    -radius-server host | tacacs-server host {x.x.x.x}

    -radius-server key

    Port-security

    -can be configured on both access and trunk links but not on dynamic DTP links

    -static, sticky CAM table

    -switchport port-security

    -if you use protected mode on trunk links, learning is going to be disabled for all vlans when the limit is reached

    -static mac-address-table configuration disables dynamic learning

    -storm-control - level is a percentage of interface speed. There is a caveat with the multicast limit: when it is reached all traffic is suppressed

    -aaa authentication dot1x: authenticates a port based on credentials requested from the connected host and passed to a radius/tacacs server

    -dot1x system-auth-control

    -on interface: dot1x port-control auto

    PACL

    Port ACL L3/L2, can only be applied inbound

    Mac ACL on PACL do not affect IP traffic

    RACL


    Applied on routed ports/ SVIs

    VACL

    Applied on vlan, applies to all traffic

    -vlan access-map {name}

    match

    action

    -vlan filter {name of vlan map} vlan-list {x}

    SNMP

    -udp ports 161/162

    -SNMP polling is the NMS querying the devices, while an SNMP trap or inform is the device sending unsolicited updates

    -snmp-server community

    -snmp-server enable traps

    -snmp-server host {X.X.X.X} {traps}

    RMON

    -monitors MIBs

    -based on a delta (change) of a variable

    -rmon alarm {x} {mib} {time-sample} delta|absolute rising-threshold {x} {event number}

    -rmon event {y} log description

    DHCP snooping

    -ip dhcp snooping

    -ip dhcp snooping trust {interface}

    -ip arp inspection vlan {x}

    -ip arp inspection filter {xxxx} vlan {y}

    interface fa 0/0

    ip verify source

    -no ip dhcp snooping information-option
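Added example putting the three features above together (DHCP snooping feeds the binding table that DAI and IP Source Guard check against); this is not configuration from the original notes. Constructed values: VLAN 10 is the user VLAN, Fa0/24 is the uplink towards the DHCP server, Fa0/1-23 are access ports, and 10.0.10.50 / 0011.2233.4455 is a statically addressed printer on Fa0/23.

```cisco
! Added example, not from the original notes. Constructed values: user VLAN 10,
! Fa0/24 uplink to the DHCP server, Fa0/1-23 access ports, and a static printer
! 10.0.10.50 / 0011.2233.4455 on Fa0/23.
!
! 1. DHCP snooping: builds the binding table (MAC, IP, VLAN, port) from DHCP
!    exchanges; server replies are accepted only on trusted ports.
ip dhcp snooping
ip dhcp snooping vlan 10
! do not insert option 82, or an upstream relay may discard our requests
no ip dhcp snooping information-option
!
! 2. Dynamic ARP Inspection: ARP on untrusted ports must match the snooping
!    binding table; statically addressed hosts are covered by an ARP ACL.
ip arp inspection vlan 10
arp access-list STATIC_HOSTS
 permit ip host 10.0.10.50 mac host 0011.2233.4455
ip arp inspection filter STATIC_HOSTS vlan 10
!
! The same static host needs a manual binding for IP Source Guard.
ip source binding 0011.2233.4455 vlan 10 10.0.10.50 interface FastEthernet0/23
!
interface FastEthernet0/24
 description uplink to DHCP server / distribution
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! 3. IP Source Guard on the access ports: IP packets are forwarded only if
!    the source IP matches a binding; port-security adds the source MAC check.
interface range FastEthernet0/1 - 23
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
 switchport port-security
 ip verify source port-security
```

show ip dhcp snooping binding shows the learned and static bindings, and show ip arp inspection vlan 10 shows the per-VLAN DAI state and drop counters.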

    Protected ports

    -switchport protected: forbids communication with other protected ports on the same vlan (only within one switch)

    Private vlan

    -promiscuous, community, isolated

    -vtp mode must be transparent

    -vlan x

    private-vlan primary

    private-vlan association x,y,z

    -vlan y

    private-vlan community|isolated

    -interface fa 0/0

    switchport mode private-vlan host|promiscuous

    switchport private-vlan mapping {primary} {secondary}

    OR

    switchport private-vlan host-association {primary} {secondary}
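Added example of the private VLAN configuration outlined above; this is not configuration from the original notes. Constructed values: primary VLAN 100, isolated VLAN 101 (servers that must not talk to each other), community VLAN 102 (a cluster whose members may talk), and Fa0/24 connecting the gateway.

```cisco
! Added example, not from the original notes. Constructed values: primary 100,
! isolated 101, community 102, gateway on Fa0/24.
vtp mode transparent
!
vlan 100
 private-vlan primary
 private-vlan association 101,102
vlan 101
 private-vlan isolated
vlan 102
 private-vlan community
!
! Host ports: each belongs to the primary and exactly one secondary VLAN.
interface FastEthernet0/1
 description isolated server A (reaches only promiscuous ports)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
interface FastEthernet0/2
 description isolated server B (cannot reach server A despite the same VLAN)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
interface FastEthernet0/3
 description community member (reaches other community and promiscuous ports)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Promiscuous port: the gateway, mapped to every secondary VLAN.
interface FastEthernet0/24
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
```

show vlan private-vlan shows the primary/secondary associations and which ports are bound to each.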

    HSRP

    224.0.0.2 port UDP 1985

    -default non preempt

    -virtual mac 0000.0c07.acXX(group id)-can be changed with standby use-bia

    VRRP

    -is preemptive by default


    -0000.5E00.01XX

    -ip protocol 112

    -224.0.0.18

    GLBP

    -enables load-sharing

    -not preemptive by default

    -glbp load-balancing {weight}

    -224.0.0.102

    -UDP 3222

    NAT

    DHCP

    -UDP ports 67, 68

    -dhcp option 82 (information option)

    -ip dhcp host uses client-id

    DNS

    -client enabled by default (disabled with no ip domain-lookup)

    -ip name-server - if not configured the router will broadcast requests

    -ip dns server

    -ip host {name} {ip}


    NETFLOW

    -ip flow ingress|egress

    -ip flow-export {destination}

    WCCP


    ip wccp web-cache

    interface fa 0/1

    ip wccp web-cache redirect in|out

    -the router will learn dynamically the content engines once WCCP is enabled globally

    NTP

    -stratum refers to reliability (1 is most reliable)

    -ntp master {stratum}

    -clock can be immediately synchronized or slewed towards the correct time

    -in order for the time to be immediately synchronized you should first configure the time and then configure NTP

    -ntp authentication-key {x} md5 {yyyy}

    -ntp trusted-key {x}

    -ntp authenticate

    -ntp server {x.x.x.x} key 1

    Syslog

    -debugging levels 0-7 in decreasing order of criticality

    -logging host {ip} - sends to a remote syslog server

    -service timestamps

    -Banners:

    motd - first banner when connecting

    login banner

    enable banner

    EEM

    -applet


    -event, action


