Table of Contents - Noodlez.org Courses... · OSPF backbone also distributes routing information...

Date post: 26-May-2020
Page 1: Table of Contents - Noodlez.org Courses... · OSPF backbone also distributes routing information between OSPF areas. The OSPF backbone has all the properties of a normal OSPF area.

Table of Contents

Chapter 1  Open Shortest Path First (OSPF) Multi-Area Operations ... 1
Chapter 2  Enhanced Interior Gateway Routing Protocol (EIGRP) ... 57
Chapter 3  Border Gateway Protocol (BGP) ... 127
Chapter 4  Default Routing ... 175
Chapter 5  Dynamic MultiPoint Virtual Private Networks (DMVPNs) ... 201
Appendix   Configuration Examples ... 289


Open Shortest Path First (OSPF) Multi-Area Operations



OSPF Hierarchical Routing

Figure: an autonomous system divided into Area 0 (the backbone) with Area 1 and Area 2 attached to it.

• Consists of areas within an autonomous system
• Minimizes routing update traffic

Area – An area is a grouping of contiguous OSPF networks and hosts. OSPF areas are logical subdivisions of an OSPF autonomous system. The topology of each area is invisible to entities in other areas, and each area maintains its own topological database.

Autonomous System – OSPF autonomous systems are the largest entity within an OSPF internetwork. They consist of a collection of networks that are under a common administration and share a common routing strategy. An autonomous system, sometimes called a domain, is logically subdivided into multiple areas.

The hierarchical topology of OSPF has several important benefits. Routing update traffic can be reduced through route summarization between the outlying areas and the backbone, so the topological databases and SPF trees remain manageable and more efficient. Within each autonomous system, a central area must be defined as area 0. All other areas connect to this central, or backbone, area. Area 0 is also called the transit area because all other areas communicate through it. The OSPF backbone also distributes routing information between OSPF areas. The OSPF backbone has all the properties of a normal OSPF area: backbone routers maintain OSPF routing information using the same procedures and algorithms as internal routers. If proper route summarization and other techniques (such as the creation of stub areas) are implemented, the backbone topology is invisible to routers in other areas, while the topologies of individual areas are invisible to backbone routers.


The Link-State Database

• Each router within an area has the exact same database (convergence)
• The database contains the information needed to construct the entire network topology

Each router maintains link-state records including information about each of its interfaces and reachable neighbors. Through flooding, each router distributes its state to all other routers in the area (AS-external information is flooded through the whole autonomous system). As a result, each router possesses an identical database describing the area. All routers run the SPF algorithm in parallel: using the link-state database, each router constructs a tree of the shortest paths with itself as the root. Every destination within the area is contained within the SPF tree. OSPF routers in the same area therefore hold the same link-state database and run the same SPF algorithm, differing only in which router is the root of the tree. The records in this database are used by the SPF algorithm to determine the network topology and to compute the shortest path to each destination. The characteristics of the link-state database are as follows:

• All routers belonging to the same area have identical databases.
• Calculating routes by using SPF is performed separately for each area.
• LSA flooding is contained within the area that experienced the change.
• The link-state database can be composed of five different types of LSAs.
• A router has a separate database for each area to which it belongs.
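As an added illustration (example code written for this edit, not part of the course), the following Python model shows what the paragraph describes: one area-wide link-state database, and every router running SPF (Dijkstra) on that same database with itself as the root, so that the resulting trees differ per router while the database does not. Router names, links and costs are constructed; the one-sided link from R4 to R5 stands in for a neighbor whose own LSA has not arrived, which SPF must ignore.

```python
import heapq
from typing import Dict, List, Optional, Tuple

# Constructed link-state database for one area. Each entry plays the role of
# a router LSA: the links the router advertises, as (neighbor, cost) pairs.
# Costs belong to the advertising router's outgoing interface, so they need
# not be symmetric. R4 advertises a link to R5, but R5 has no LSA of its own
# (for example, the adjacency never reached Full), so that link is one-sided.
LSDB: Dict[str, List[Tuple[str, int]]] = {
    "R1": [("R2", 10), ("R3", 64)],
    "R2": [("R1", 10), ("R3", 10), ("R4", 64)],
    "R3": [("R1", 64), ("R2", 10), ("R4", 10)],
    "R4": [("R2", 64), ("R3", 10), ("R5", 1)],
}


def spf(lsdb: Dict[str, List[Tuple[str, int]]],
        root: str) -> Dict[str, Tuple[int, Optional[str]]]:
    """Dijkstra over the area database with `root` as the tree root.

    Returns {router: (total_cost, next_hop)}, where next_hop is the first
    router on the path from `root`: the part a routing table needs.
    """
    dist: Dict[str, int] = {root: 0}
    next_hop: Dict[str, Optional[str]] = {root: None}
    heap: List[Tuple[int, str]] = [(0, root)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > dist[node]:
            continue  # a cheaper path to `node` was already settled
        first = next_hop[node]
        for nbr, link_cost in lsdb.get(node, []):
            # Two-way check: a link enters the tree only if the neighbour's
            # own LSA lists a link back to `node`; otherwise it is ignored.
            if not any(back == node for back, _ in lsdb.get(nbr, [])):
                continue
            new_cost = cost + link_cost
            if new_cost < dist.get(nbr, float("inf")):
                dist[nbr] = new_cost
                next_hop[nbr] = nbr if first is None else first
                heapq.heappush(heap, (new_cost, nbr))
    return {r: (dist[r], next_hop[r]) for r in dist}


def all_trees(lsdb):
    """Every router runs SPF on the same database; each gets its own tree."""
    return {router: spf(lsdb, router) for router in lsdb}


def converged(lsdb) -> bool:
    """True if every router's tree reaches every router that has an LSA."""
    return all(set(tree) == set(lsdb) for tree in all_trees(lsdb).values())


if __name__ == "__main__":
    for router, tree in all_trees(LSDB).items():
        print(router, tree)
```

From R1 the tree reaches R4 at cost 30 via R2; from R4 it reaches R1 at cost 30 via R3. R5 appears in nobody's tree, because the database never received R5's side of the link.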


Link State Advertisement (LSA)

Figure: a router whose interface e0/0 goes down originates an LSA ("e0/0 is down") and sends it out s0/0 to its neighbor; LSA = routing update. While the neighbor is being established the LSA databases are exchanged; afterwards only changes are sent.

• The current LSA DB is exchanged between routers during neighbor establishment
• Only changes to the DB are exchanged thereafter

Link State Advertisement (LSA): the unit of routing information that OSPF floods. An LSA identifies the originating router and the link or network it describes, carries the routing information for it, and is advertised to all OSPF routers in the area (or, for external LSAs, throughout the autonomous system). A link is any type of directly connected network on an OSPF router. The state is the condition of the link, whether it is up or down. An advertisement is the method OSPF uses to provide information to other routers. Link State Advertisements are used to advertise changes in the condition of a specific link to other routers.

LSAs are the building blocks of the OSPF database. Individually they act as database records; in combination, they describe the entire OSPF topology. OSPF is a link-state protocol that uses a least-cost algorithm to calculate the best path for each network destination. Once an OSPF-speaking router forms an adjacency with a neighbor, it generates a link-state update and floods this packet into the network. Each update packet contains one or more LSAs, which contain the information the local router is injecting into the network. Each specific LSA type encodes particular data from the viewpoint of the local router.

During initial neighbor discovery and establishment, OSPF routers exchange databases. From this point on only changes to the database are exchanged between neighbors. Individual LSAs are periodically resent by the originating router, though. This is referred to as an LSA refresh and by default happens every 30 minutes. The maximum age for an LSA is 60 minutes, meaning that if an LSA has not been updated or refreshed within a 60-minute period, it is deleted from the database.


Types of Link-State Updates

Routing Table Codes
O  - OSPF derived intra-area (Type 1 Router LSA)
O  - OSPF derived intra-area (Type 2 Network LSA)
IA - Inter-area (Type 3 & 4 Summary LSA)
E1 - Type 1 external route (Type 5 AS External Link)
E2 - Type 2 external route (Type 5 AS External Link)

Figure: LSA types by origin. Within Area 1, every router originates a Router (1) LSA and the DR originates the Network (2) LSA; the ABR between Area 1 and Area 0 originates Summary (3) and Summary (4) LSAs; the ASBR connected to the external AS originates External (5) LSAs.

Several factors determine the type of LSA generated by a router: the type of router (internal, ABR, ASBR) generating the LSA, its location in the topology, the location within the topology of the network information contained in the LSA, and so on. The following are the definitions for each LSA type:

Type 1 (Router): Generated by each router for each area to which it belongs. They describe the states of the router's directly connected links to the area. These are only flooded within a particular area.

Type 2 (Network): Generated by designated routers (DR). They describe the set of routers attached to a particular broadcast network. This type of LSA is flooded only in the area that contains the network.

Type 3 & 4 (Summary): Generated by ABRs. They describe inter-area routes. They are flooded throughout the advertisement's associated area. Type 3 describes routes to networks and is also used for aggregating routes. Type 4 describes routes to ASBRs.


Type 5 (External): Originated by ASBRs as a result of the route redistribution process. They describe routes to destinations external to the AS. Flooded throughout an AS except for stub areas.


Processing LSAs

Figure: flowchart of how a router handles an LSA received in a Link State Update (LSU), reconstructed as text:

1. The LSA arrives in an LSU. Is there an entry for it in the link-state database?
   No: (A) add the LSA to the database, flood the LSA, send an LSAck to the neighbor, and run SPF to calculate a new routing table. End.
   Yes: go on to step 2.
2. Is the sequence number the same as that of the database copy?
   Yes: ignore the LSA (this instance is already in the database) and send an LSAck to the neighbor. End.
   No: go on to step 3.
3. Is the sequence number newer than that of the database copy?
   Yes: go to A (add to database, flood, acknowledge, run SPF).
   No: the database copy is newer; send an LSU with the newer information back to the source. End.

LSAs are handled in a very efficient manner between the source router (attached to the link) and the nearest neighboring router. The incoming LSA is checked against existing entries in the topological database. Each database entry has a sequence number (also called a version number), and only the largest number (indicating the most recent record) is kept. If the entries are identical, then there is no need to forward the LSA to other routers. If the incoming LSA is different from the topological database, then the database is updated and the LSA is forwarded through the network until all databases are synchronized. Associating sequence numbers with LSAs contributes to the efficiency of link-state routing technology.
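Added example (not from the course): a Python model of the decision the flowchart makes for each received LSA, together with the LSA refresh (30 minutes) and maximum age (60 minutes) timers described earlier in this chapter. Sequence numbers are compared as signed 32-bit values, which is why 0x80000001 is the smallest and 0x7FFFFFFF the largest. The LSA fields, neighbor names and action labels are constructed; the real protocol also compares checksum and age when sequence numbers tie, which this model leaves out.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

INITIAL_SEQ = 0x80000001   # first instance of any LSA (RFC 2328)
MAX_SEQ = 0x7FFFFFFF       # last usable value; 0x80000000 is never used
LS_REFRESH_TIME = 1800     # seconds: the originator re-floods at this age
MAX_AGE = 3600             # seconds: the instance is removed at this age


def seq_to_signed(seq: int) -> int:
    """Sequence numbers are signed 32-bit, so 0x80000001 is the smallest."""
    seq &= 0xFFFFFFFF
    return seq - (1 << 32) if seq & 0x80000000 else seq


def seq_is_newer(candidate: int, current: int) -> bool:
    return seq_to_signed(candidate) > seq_to_signed(current)


@dataclass
class LSA:
    ls_type: int
    link_state_id: str
    adv_router: str
    seq: int
    age: int = 0      # LS age in seconds
    body: str = ""    # link records; opaque for this model

    @property
    def key(self) -> Tuple[int, str, str]:
        # type + Link State ID + advertising router identify one LSA;
        # the sequence number identifies an instance of it
        return (self.ls_type, self.link_state_id, self.adv_router)


class AreaDatabase:
    """One area's link-state database, handling received LSAs as the
    flowchart does; `receive` returns the actions taken, in order."""

    def __init__(self):
        self.entries: Dict[Tuple[int, str, str], LSA] = {}
        self.spf_runs = 0

    def receive(self, lsa: LSA, neighbor: str) -> List[str]:
        current = self.entries.get(lsa.key)
        if current is None or seq_is_newer(lsa.seq, current.seq):
            # not in the database, or a newer instance: install it, flood
            # it on, acknowledge it, and recompute the routing table
            self.entries[lsa.key] = lsa
            self.spf_runs += 1
            return ["install", "flood", f"ack:{neighbor}", "spf"]
        if lsa.seq == current.seq:
            # the same instance we already hold: acknowledge, do not re-flood
            return [f"ack:{neighbor}", "ignore"]
        # our copy is newer than the sender's: send it back in an LSU
        return [f"lsu-to:{neighbor}:{current.seq:#010x}"]

    def tick(self, seconds: int) -> List[Tuple[int, str, str]]:
        """Advance LS age; return the keys of instances that reached MaxAge."""
        flushed = []
        for key, lsa in list(self.entries.items()):
            lsa.age += seconds
            if lsa.age >= MAX_AGE:
                flushed.append(key)
                del self.entries[key]
        return flushed

    def due_for_refresh(self, router_id: str) -> List[LSA]:
        """Self-originated LSAs this router should refresh now."""
        return [lsa for lsa in self.entries.values()
                if lsa.adv_router == router_id and lsa.age >= LS_REFRESH_TIME]

    def refresh(self, lsa: LSA) -> LSA:
        """Originator's periodic refresh: a new instance with seq + 1, age 0.
        Incrementing past MAX_SEQ is not allowed; the originator must first
        flush the LSA (prematurely age it) and restart at INITIAL_SEQ."""
        if lsa.seq == MAX_SEQ:
            raise ValueError("sequence space exhausted; flush before reuse")
        new = LSA(lsa.ls_type, lsa.link_state_id, lsa.adv_router,
                  (lsa.seq + 1) & 0xFFFFFFFF, 0, lsa.body)
        self.entries[new.key] = new
        return new
```

Receiving the same instance twice costs an acknowledgement but no flood and no SPF run; receiving an older instance sends the newer database copy back to the neighbor, which is how a router that has been out of touch is brought up to date.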


External LSA – Types E1 & E2

Figure: a router running BGP and OSPF redistributes BGP into OSPF and, as an ASBR, originates an External LSA into the OSPF domain.

router ospf 100
 redistribute bgp 1 subnets
 network 148.43.0.0 0.0.255.255 area 0

148.43.0.0/16 is variably subnetted ...
O     148.43.200.64/28 ... Serial0/0
O E2  148.43.200.248/29 ... Serial0/0

• Type 5 LSAs (External) are derived from information being redistributed into OSPF from another routing information source
• Type 5 LSAs are listed in the routing table as O E1 or O E2 routes

Type 5 External LSAs are created from routing information being redistributed from another routing information source into OSPF. Routing information sources are identified by the codes listed in the routing table: connected, static, or a routing protocol. Redistribution is configured on the router as shown above; in this example, routing information learned via BGP is redistributed into OSPF. Once redistribution is configured, the OSPF router becomes an ASBR. The redistributed information is stored in the database as one or more type 5 LSAs and is sent to neighboring routers as type 5. Because every prefix accepted from the external source becomes a type 5 LSA flooded through every non-stub area, the redistribute statement should be filtered (a route-map or distribute-list selecting only the prefixes that are meant to be carried) so that a BGP peer or a misconfigured static route cannot inject arbitrary prefixes into the entire OSPF domain.


OSPF External Routes

• OSPF has two types of external routes: E1 & E2

• E2 routes use only the external cost (initial cost assigned to it during the redistribution process). Internal cost is not added as the LSA travels across the OSPF topology

• E1 routes take into account the external and internal cost.

• By default, when routes are redistributed into OSPF they are E2.

• The default metric for external routes (E1 or E2) is 20, except for BGP routes, which have a default metric of 1

OSPF has two types of external routes: E1 & E2. The difference between the two is how the metric (cost) is calculated. An E2 route only utilizes the default or seed metric applied during the redistribution process. As this external route moves through the OSPF topology, the internal cost is not applied. Regardless of where the route is located within the topology, it will only have the seed metric applied. An E1 route on the other hand utilizes both the seed metric (external) and the internal cost. As the route moves through the OSPF topology, the cost is calculated and applied. By default, routes redistributed into OSPF are E2. Both types have a default metric of 20 unless the source is BGP in which case the default metric is 1. As a general rule, if there is only one ASBR, then redistribute the routes as E2. If there are multiple ASBRs, then redistribute them as E1.
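Added example (written for this edit, not from the course), working the E1/E2 rules through in Python: the seed metrics, the cost at each router along a path leading away from the ASBR, and which ASBR a router picks when two of them advertise the same prefix. The ASBR names and costs are constructed. The E2 tie-break on internal cost to the ASBR is RFC 2328 behaviour, not something the slide states.

```python
from typing import List, Optional, Tuple

SEED_METRIC_DEFAULT = 20   # IOS default for routes redistributed into OSPF
SEED_METRIC_BGP = 1        # IOS default when the source protocol is BGP


def seed_metric(source: str, configured: Optional[int] = None) -> int:
    """Cost attached to an external route at the ASBR (the 'seed' metric)."""
    if configured is not None:
        return configured
    return SEED_METRIC_BGP if source.lower() == "bgp" else SEED_METRIC_DEFAULT


def external_cost(metric_type: int, seed: int, internal_cost: int) -> int:
    """Cost of an external route as seen by a router whose internal cost to
    the ASBR is `internal_cost`. E2 ignores the internal cost; E1 adds it."""
    if metric_type == 2:
        return seed
    if metric_type == 1:
        return seed + internal_cost
    raise ValueError(f"unknown metric type {metric_type}")


def cost_along_path(metric_type: int, seed: int,
                    hop_costs: List[int]) -> List[int]:
    """Cost of the route at each router on a path leading away from the
    ASBR; hop_costs[i] is the interface cost router i uses to reach the
    previous router. Shows E2 staying flat while E1 accumulates."""
    costs, internal = [], 0
    for hop in hop_costs:
        internal += hop
        costs.append(external_cost(metric_type, seed, internal))
    return costs


def best_external(candidates: List[Tuple[str, int, int]],
                  metric_type: int) -> Tuple[str, int]:
    """Choose the ASBR a router uses for one prefix advertised by several.

    candidates: (asbr, seed metric at that ASBR, internal cost to that ASBR).
    Returns (asbr, cost as it would appear in the routing table).
    """
    if metric_type == 1:
        key = lambda c: (c[1] + c[2], c[0])
    else:
        # E2: the advertised metric decides; only on a tie does the cheaper
        # internal path to the ASBR win (RFC 2328, section 16.4). Otherwise
        # an E2 route prefers a far-away ASBR with a lower seed metric.
        key = lambda c: (c[1], c[2], c[0])
    asbr, seed, internal = min(candidates, key=key)
    return asbr, external_cost(metric_type, seed, internal)


if __name__ == "__main__":
    path = [1, 64, 10]   # constructed interface costs away from the ASBR
    print("E2 along path:", cost_along_path(2, 20, path))
    print("E1 along path:", cost_along_path(1, 20, path))
    two = [("ASBR-A", 20, 100), ("ASBR-B", 30, 10)]
    print("E2 picks:", best_external(two, 2), " E1 picks:", best_external(two, 1))
```

With two ASBRs, the E2 choice goes to ASBR-A (seed 20) even though it is 100 away, while E1 goes to ASBR-B (30 + 10 = 40 beats 20 + 100), which is the reason behind the rule of thumb to use E1 when there are multiple ASBRs.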


Show IP OSPF Database

OSPF Router with ID (148.43.200.2) (Process ID 100)

Router Link States (Area 1)
Link ID          ADV Router       Age   Seq#        Checksum  Link count
148.43.200.2     148.43.200.2     573   0x80000003  0x004DA7  6
148.43.200.3     148.43.200.3     572   0x80000003  0x000AB5  2
148.43.200.8     148.43.200.8     573   0x80000003  0x001BA3  2

Summary Net Link States (Area 1)
Link ID          ADV Router       Age   Seq#        Checksum
148.43.200.112   148.43.200.8     562   0x80000001  0x00E917
148.43.200.128   148.43.200.3     572   0x80000001  0x00E451
148.43.200.144   148.43.200.8     562   0x80000001  0x00A3BD

Summary ASB Link States (Area 1)
Link ID          ADV Router       Age   Seq#        Checksum
148.43.200.7     148.43.200.3     572   0x80000001  0x00637D
148.43.200.7     148.43.200.8     564   0x80000001  0x004596

Type-5 AS External Link States
Link ID          ADV Router       Age   Seq#        Checksum  Tag
148.17.0.0       148.43.200.7     591   0x80000001  0x005516  0
148.18.0.0       148.43.200.7     591   0x80000001  0x004921  0

The show ip ospf database command is used to view the OSPF link-state (topology) database. Each LSA gets an entry in this database, organized by area and by the type of LSA. The listing contains six columns:

1) Link ID – either the router ID (LSA types 1 & 4), the destination network number (LSA types 3 & 5), or the IP address of the DR's interface (LSA type 2).
2) ADV Router – router ID of the advertising router.
3) Age – age of the LSA in seconds.
4) Seq# – sequence number used to determine whether LSA updates are newer, older, or duplicates. Sequence numbers are 32-bit fields expressed as 8 hexadecimal characters. The left-most bit of the 32 begins in a 'set' state, giving the hex value 0x80000000. The first sequence number for a particular LSA is 0x80000001, then 0x80000002, etc.
5) Checksum – used for error detection.
6) Link count – number of interfaces or links in an area; only shown for Router Link States. OSPF adds a "stub link" for each point-to-point interface.


Note: The show ip ospf database command does not show all the information contained within the database. There is no single show command that shows all the information in the database. There are several extensions to the show ip ospf database command; by using each of these extensions individually, it is possible to view the different parts that make up the database.


Show IP OSPF Database Router -- Displays Type 1 LSAs

Routing Bit Set on this LSA
LS age: 1385
Options: (No TOS-capability, DC)
LS Type: Router Links
Link State ID: 148.43.200.8
Advertising Router: 148.43.200.8
LS Seq Number: 8000000F
Checksum: 0xF1C9
Length: 84
Area Border Router
Number of Links: 4

LS Age – age in seconds of the LSA
LS Type – type of LSA (router, summary, external)
Link State ID – the originating router's router ID
Advertising Router – advertising router's router ID
LS Seq Number – link state sequence number; used for tracking LSAs
Checksum – checksum of the LSA packet
Length – number of bytes in the LSA
Area Border Router – lists the type of router (the example shows an ABR)
Number of Links – number of active links on the router within a particular area; OSPF builds an additional stub link for each point-to-point link, identifying the subnet on which the point-to-point link resides


Link connected to: a Transit Network
 (Link ID) Designated Router address: 148.43.200.193
 (Link Data) Router Interface address: 148.43.200.195
 Number of TOS metrics: 0
 TOS 0 Metrics: 1

Link connected to: a Stub Network
 (Link ID) Network/subnet number: 148.43.200.48
 (Link Data) Network Mask: 255.255.255.240
 Number of TOS metrics: 0
 TOS 0 Metrics: 1

Link connected to: another Router (point-to-point)
 (Link ID) Neighboring Router ID: 148.43.200.7
 (Link Data) Router Interface address: 148.43.200.17
 Number of TOS metrics: 0
 TOS 0 Metrics: 64

Link connected to: a Stub Network
 (Link ID) Network/subnet number: 148.43.200.16
 (Link Data) Network Mask: 255.255.255.252
 Number of TOS metrics: 0
 TOS 0 Metrics: 64

Show IP OSPF Database Router (continued)

'Link connected to' field: there are four possible types of links identified by router LSAs:

1. Point-to-Point: this link interconnects two routers, such as a serial link.
   Link ID – neighbor router's router ID
   Link Data – address of the local router's interface directly connected to the neighbor
2. Transit Network: a multi-access network (such as FastEthernet).
   Link ID – designated router address
   Link Data – address of the local router's interface on that network
3. Stub Network: a network that is a dead-end link with one router attached.
   Link ID – network IP address of the subnet
   Link Data – the subnet mask of the network
4. Virtual Link: identifies a virtual link configured between two routers.
   Link ID – neighbor router's router ID
   Link Data – address of the local router's interface utilized for the virtual link


Also listed with each of the above type links is the metric or cost associated with that network (interface). When using IP Unnumbered, point-to-point link entries do not list the local router’s interface IP address. It uses the SNMP MIB II Index value associated with that interface. OSPF does not add a stub network entry for point-to-point unnumbered links.
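Added example (not course material): a Python parser for the router-LSA display above, which also checks the stub-link rule the text states for numbered point-to-point links. The sample input is the course's own show output, re-typed one field per line; the function and field names are this example's own.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed input: the course's "show ip ospf database router" sample,
# re-typed one field per line as IOS prints it.
SAMPLE = """\
Routing Bit Set on this LSA
LS age: 1385
Options: (No TOS-capability, DC)
LS Type: Router Links
Link State ID: 148.43.200.8
Advertising Router: 148.43.200.8
LS Seq Number: 8000000F
Checksum: 0xF1C9
Length: 84
Area Border Router
Number of Links: 4

  Link connected to: a Transit Network
   (Link ID) Designated Router address: 148.43.200.193
   (Link Data) Router Interface address: 148.43.200.195
    Number of TOS metrics: 0
     TOS 0 Metrics: 1

  Link connected to: a Stub Network
   (Link ID) Network/subnet number: 148.43.200.48
   (Link Data) Network Mask: 255.255.255.240
    Number of TOS metrics: 0
     TOS 0 Metrics: 1

  Link connected to: another Router (point-to-point)
   (Link ID) Neighboring Router ID: 148.43.200.7
   (Link Data) Router Interface address: 148.43.200.17
    Number of TOS metrics: 0
     TOS 0 Metrics: 64

  Link connected to: a Stub Network
   (Link ID) Network/subnet number: 148.43.200.16
   (Link Data) Network Mask: 255.255.255.252
    Number of TOS metrics: 0
     TOS 0 Metrics: 64
"""

# The four link types a router LSA can carry, keyed by the IOS wording.
LINK_TYPES = {
    "another Router (point-to-point)": "p2p",
    "a Transit Network": "transit",
    "a Stub Network": "stub",
    "a Virtual Link": "virtual",
}


def parse_router_lsa(text: str) -> Dict:
    """Parse one router LSA as printed by IOS into header fields plus a
    list of links, each with type, Link ID, Link Data and metric."""
    lsa: Dict = {"flags": [], "links": []}
    link = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Link connected to:"):
            kind = line.split(":", 1)[1].strip()
            link = {"type": LINK_TYPES.get(kind, kind)}
            lsa["links"].append(link)
        elif line.startswith("(Link ID)"):
            link["link_id"] = line.rsplit(":", 1)[1].strip()
        elif line.startswith("(Link Data)"):
            link["link_data"] = line.rsplit(":", 1)[1].strip()
        elif line.startswith("TOS 0 Metrics:"):
            link["metric"] = int(line.rsplit(":", 1)[1])
        elif line in ("Area Border Router", "AS Boundary Router"):
            lsa["flags"].append(line)
        elif link is None and ":" in line:
            key, _, value = line.partition(":")   # header "Field: value"
            lsa[key.strip()] = value.strip()
    # normalise the header fields a check is likely to use
    lsa["age"] = int(lsa.pop("LS age"))
    lsa["seq"] = int(lsa.pop("LS Seq Number"), 16)
    lsa["num_links"] = int(lsa.pop("Number of Links"))
    return lsa


def p2p_stub_pairs(lsa: Dict) -> List[Tuple[str, str]]:
    """For each numbered point-to-point link, find the stub link that
    carries its subnet (IOS adds one per numbered point-to-point interface).
    Returns (neighbor router ID, stub network) pairs."""
    stubs = [ipaddress.ip_network(f"{l['link_id']}/{l['link_data']}", strict=False)
             for l in lsa["links"] if l["type"] == "stub"]
    pairs = []
    for link in lsa["links"]:
        if link["type"] != "p2p":
            continue
        local = ipaddress.ip_address(link["link_data"])
        pairs.extend((link["link_id"], str(net)) for net in stubs if local in net)
    return pairs
```

On the sample the parser finds four links, matching "Number of Links: 4", and pairs the point-to-point link to 148.43.200.7 with the stub entry 148.43.200.16/30 that carries the local interface address 148.43.200.17. A point-to-point link with no matching stub would indicate an unnumbered interface, as the text above explains.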


Show IP OSPF Database Summary -- Displays Type 3 LSAs

Routing Bit Set on this LSA

LS age: 1653

Options: (No TOS-capability, DC, Upward)

LS Type: Summary Links(Network)

Link State ID: 148.43.200.64 (summary Network Number)

Advertising Router: 148.43.200.3

LS Seq Number: 8000000F

Checksum: 0xC8DF

Length: 28

Network Mask: /28

TOS: 0 Metric: 65

A type 3 LSA is also referred to as a Summary LSA and is generated by an ABR. Summary LSAs advertise networks residing in a specific area to all other areas within the OSPF domain – inter-area networks. Route summarization is not automatic in OSPF and must be manually configured on the ABR; an ABR originates summary LSAs for inter-area routes whether or not those routes have been summarized. Below are the definitions of the fields in a summary LSA:

LS Age – age in seconds of the LSA
LS Type – type of LSA (router, summary, external)
Link State ID – advertised network (subnet)
Advertising Router – advertising router's router ID; this is the ABR, not necessarily the owner of the network
LS Seq Number – link state sequence number; used for tracking LSAs
Checksum – checksum of the LSA packet
Length – number of bytes in the LSA
Network Mask – subnet mask of the advertised network (subnet)
Metric – metric or cost associated with this network from the advertising router's perspective


Show IP OSPF Database External -- Displays Type 5 LSAs

Routing Bit Set on this LSA
LS age: 426
Options: (No TOS-capability, DC)
LS Type: AS External Link
Link State ID: 148.17.0.0 (External Network Number)
Advertising Router: 148.43.200.7
LS Seq Number: 80000002
Checksum: 0x5317
Length: 36
Network Mask: /24
Metric Type: 2 (Larger than any link state path)
TOS: 0
Metric: 20
Forward Address: 0.0.0.0
External Route Tag: 0

LS age – age in seconds of the LSA
LS Type – LSA type
Link State ID – IP address of the external network
Advertising Router – router ID of the ASBR advertising this external route
LS Seq Number – link state sequence number; used for tracking LSAs
Checksum – checksum of the LSA packet
Length – length in bytes of the LSA
Network Mask – network/subnet mask of the network in the Link State ID
Metric Type – identifies the route as OSPF external type 1 or 2
Metric – metric or cost associated with this network


Forward Address – data traffic for the advertised destination will be forwarded to this address. If the forwarding address is 0.0.0.0, data traffic is forwarded to the originator of the advertisement (the ASBR).
External Route Tag – a 32-bit field attached to each external route. It is not used by the OSPF protocol itself but can be used in conjunction with route maps to manipulate an OSPF external route.

The following two labs are the same except that one uses unnumbered links and the other numbered links. Both labs can be done (time permitting). Regardless, the numbered lab configuration should be saved for use later in this chapter. (Classes using the network simulator do not save.)


Figure: OSPF Point to Point Unnumbered Network, seven routers (1 to 7) in Areas 0, 1 and 2. LAN segments on f0/0: 148.43.200.49/28, 148.43.200.65/28, 148.43.200.81/28, 148.43.200.97/28, 148.43.200.113/28, 148.43.200.129/28 and 148.43.200.161/28. The serial links (s0/0/0, s0/0/1, s0/2/0, s0/2/1) are unnumbered. Single loopbacks 148.43.200.2/32, 148.43.200.5/32 and 148.43.200.7/32 on the internal routers; two loopbacks on each ABR: 148.43.200.1/32 and 148.43.200.8/32, 148.43.200.4/32 and 148.43.200.10/32, 148.43.200.6/32 and 148.43.200.11/32, 148.43.200.3/32 and 148.43.200.9/32.

Install the network above. Use the "show int xx", "show ip int brief", "show run", & "show ip route" commands to assist in troubleshooting. Once all networks are in everyone's routing table, the installation is complete. Note that the serial interfaces are to be configured as unnumbered. Two loopback addresses have been assigned to each ABR: an unnumbered serial interface borrows the address of the loopback it references, and that borrowed address is what places the interface in an area, so serials in different areas have to reference different loopback addresses.


Figure: OSPF Point to Point Unnumbered Network, 8-router and simulator configuration (routers 1 to 8) in Areas 0, 1 and 2. LAN segments on f0/0: 148.43.200.49/28, 148.43.200.65/28, 148.43.200.81/28, 148.43.200.97/28, 148.43.200.113/28, 148.43.200.129/28, 148.43.200.145/28 and 148.43.200.161/28. The serial links are unnumbered. Single loopbacks 148.43.200.2/32, 148.43.200.5/32, 148.43.200.6/32 and 148.43.200.8/32; two loopbacks on each ABR: 148.43.200.1/32 and 148.43.200.9/32, 148.43.200.4/32 and 148.43.200.11/32, 148.43.200.7/32 and 148.43.200.12/32, 148.43.200.3/32 and 148.43.200.10/32.

Eight router and network simulator alternate configuration: The topology above should be used instead of the topology on the previous page if the class is using eight routers, or is using the network simulator.


Figure: OSPF Point to Point Numbered Network, seven routers (1 to 7) in Areas 0, 1 and 2. LAN segments on f0/0: 148.43.200.49/28, 148.43.200.65/28, 148.43.200.81/28, 148.43.200.97/28, 148.43.200.113/28, 148.43.200.129/28 and 148.43.200.145/28. Numbered serial links on the /30 subnets 148.43.200.176/30, .180/30, .184/30, .188/30, .192/30, .196/30, .204/30 and .208/30 (host addresses .177/.178, .181/.182, .185/.186, .189/.190, .193/.194, .197/.198, .205/.206 and .209/.210). One loopback per router, 148.43.200.1/32 through 148.43.200.7/32.

Install the network above. Use the “show int xx”, “show ip int brief”, “show run”, & “show ip route” commands to assist in troubleshooting. Once all networks are in everyone’s routing table, the installation is complete. Classes using actual routers should save this configuration for use later.


Figure: OSPF Point to Point Numbered Network, 8-router and simulator configuration (routers 1 to 8) in Areas 0, 1 and 2. LAN segments on f0/0: 148.43.200.49/28, 148.43.200.65/28, 148.43.200.81/28, 148.43.200.97/28, 148.43.200.113/28, 148.43.200.129/28, 148.43.200.145/28 and 148.43.200.161/28. Numbered serial links on the /30 subnets 148.43.200.176/30, .180/30, .184/30, .188/30, .192/30, .196/30, .200/30, .204/30 and .208/30 (host addresses .177/.178, .181/.182, .185/.186, .189/.190, .193/.194, .197/.198, .201/.202, .205/.206 and .209/.210). One loopback per router, 148.43.200.1/32 through 148.43.200.8/32.

Eight router and network simulator alternate configuration: The topology above should be used instead of the topology on the previous page if the class is using eight routers, or is using the network simulator. Classes using actual routers should save this configuration for use later.


Figure: OSPF Point to Point Numbered Network, seven-router variant without a backbone: the serial links and LANs of the previous numbered topology (same addresses and interfaces) are placed in Area 1 rather than Area 0, and routers 2 and 5 are joined by an additional f0/1 link, 148.43.200.212/30 (.213 and .214), placed in Area 2.

As time permits, install the network above, or modify the previous topology. Do not save it! Do not overwrite your previously saved numbered topology. Use the "show int xx", "show ip int brief", "show run", & "show ip route" commands to assist in troubleshooting. Once all networks are in everyone's routing table (see next paragraph), the installation is complete. Note that in this lab area 2 is not connected to area 0. Once the network is built, verify that all routers except 2 & 5 do not have network 148.43.200.212 in their routing tables: a router only acts as an ABR, and only originates summary LSAs between its areas, when it has an interface in area 0, so without a backbone the area 2 prefix is never advertised into area 1. Once this is complete, define area 0 on one of the serial links connected to router 2 or 5. Network 148.43.200.212 should now be in everyone's routing table.


Figure: OSPF Point to Point Numbered Network, 8-router and simulator configuration without a backbone: the serial links and LANs of the previous 8-router numbered topology (same addresses and interfaces) are all placed in Area 1, and routers 2 and 6 are joined by an additional f0/1 link, 148.43.200.212/30 (.213 and .214), placed in Area 2.

As time permits, install the network above, or modify the previous topology. Do not save it! Do not overwrite your previously saved numbered topology. Use the "show int xx", "show ip int brief", "show run", & "show ip route" commands to assist in troubleshooting. Once all networks are in everyone's routing table (see next paragraph), the installation is complete. Note that in this lab area 2 is not connected to area 0. Once the network is built, verify that all routers except 2 & 6 do not have network 148.43.200.212 in their routing tables: a router only acts as an ABR, and only originates summary LSAs between its areas, when it has an interface in area 0, so without a backbone the area 2 prefix is never advertised into area 1. Once this is complete, define area 0 on one of the serial links connected to router 2 or 6. Network 148.43.200.212 should now be in everyone's routing table. Simulator classes: each student will initially configure routers 2 and 6 only; all other routers will already be configured. When it is time to configure an area 0, configure it on the interfaces that link routers 2 and 3. Note: using the OSPF interface-area configuration (ip ospf area) on the interface overrides any network statement.


Route Summarization

• Minimizes number of routing table & database entries

• Localizes impact of a topology change – flooded only in originating area

• Directly affects the amount of bandwidth, CPU, & memory resources consumed by OSPF process

[Figure: Area 0 Backbone with ABRs; Areas 1, 2 and 3 summarize toward the backbone.]

Summarizing is the consolidation of multiple routes into one single advertisement. Proper summarization requires contiguous addressing. Route summarization directly affects the amount of bandwidth, CPU, and memory resources consumed by the OSPF process. With summarization, if a network link fails, the topology change will not be propagated into the backbone (and other areas by way of the backbone). As such, flooding outside the area will not occur, so routers outside of the area with the topology change will not have to run the SPF algorithm (also called the Dijkstra algorithm after the computer scientist who invented it). Running the SPF algorithm is a CPU-intensive activity. There are two types of summarization:

1. Inter-area route summarization - Inter-area route summarization is done on ABRs and applies to routes from within the autonomous system. It does not apply to external routes injected into OSPF via redistribution. In order to take advantage of summarization, network numbers in areas should be assigned in a contiguous way so as to be able to consolidate these addresses into one range. The next graphic illustrates inter-area summarization.


2. External route summarization - External route summarization is specific to external routes that are injected into OSPF via redistribution. Here again, it is important to ensure that external address ranges that are being summarized are contiguous. Summarizing overlapping ranges from two different routers could cause packets to be sent to the wrong destination.


• Inter-area (IA) summary link carries summarized mask

• One entry can represent several subnets

• Summarization should take place towards the backbone (area 0)

• Manual summarization only in OSPF

Route Summarization at ABR

[Figure: Area 1 (routers A and B) - ABR - Area 0 (router C); summarization takes place at the ABR.]

Routing table for B:

  O 131.108.8.0 255.255.252.0
  O 131.108.12.0 255.255.252.0
  O 131.108.16.0 255.255.252.0
  O 131.108.20.0 255.255.252.0
  O 131.108.24.0 255.255.252.0
  O 131.108.28.0 255.255.252.0

LSAs sent to Router C:

  IA 131.108.8.0 255.255.248.0
  IA 131.108.16.0 255.255.240.0

Route summarization minimizes the number of entries in the routing table and database in the receiving routers. Summarization is done on ABRs and applies to routes within the autonomous system. Although summarization could be configured between any two areas, it is better to summarize in the direction of the backbone. This way, the backbone receives all the aggregate addresses and in turn injects them, already summarized, into other areas. In order to take advantage of summarization, network numbers in areas should be assigned in a contiguous way to be able to group these addresses into one range. Summary routes are advertised with a mask. The mask specifies the range of addresses to be summarized into one route. Because the mask 255.255.240.0 does not use the low-order four bits of the third octet, neither subnet 131.108.8.0 nor 131.108.12.0 can be summarized using this mask, because it creates an invalid zero subnet. Even so, route summarization can represent the remaining four subnets with one advertisement.


How do you know what network and mask to use? One method of determining which network summary to use is to convert the subnets to binary and identify which network bits the subnets have in common (in the example below, the first 20 bits are common to all four addresses). Compare to a suggested summary 131.108.16.0 /20:

  131.108.16.0 = 10000011 . 01101100 . 00010000 . 00000000
  131.108.20.0 = 10000011 . 01101100 . 00010100 . 00000000
  131.108.24.0 = 10000011 . 01101100 . 00011000 . 00000000
  131.108.28.0 = 10000011 . 01101100 . 00011100 . 00000000


Summarization Cost

• Cost associated with the summarized route is taken from the highest cost subnet being summarized.

[Figure: ABR between Area 1 and Area 0. Area 1 component routes: 148.43.200.0/25, cost 391; 148.43.200.128/26, cost 195; 148.43.200.192/26, cost 97. ABR configuration: router ospf 100 / area 1 range 148.43.200.0/24. Advertised into Area 0: 148.43.200.0/24, cost 391.]

OSPF RFC 1583 called for calculating the metric for summary routes based on the minimum metric of the component paths available. OSPF RFC 2178 (now obsoleted by RFC 2328) changed the specified method for calculating metrics for summary routes so that the component of the summary with the maximum (or largest) cost determines the cost of the summary. Prior to IOS 12.0, Cisco was compliant with the then-current RFC 1583. As of IOS 12.0, Cisco changed the behavior of OSPF to be compliant with the new standard, RFC 2328. This situation created the possibility of sub-optimal routing if all of the ABRs in an area were not upgraded to the new code at the same time. In order to address this potential problem, a command has been added to the OSPF configuration of Cisco IOS that allows you to selectively disable compatibility with RFC 2328. The new configuration command is under router ospf, and has the following syntax:

  [no] compatible rfc1583


Summary Route to Interface Null0

When the ABR enters a summarization command, a summarized route to null0 appears in the ABR’s own routing table. The summary route also appears as an Inter-Area route in the backbone router’s routing table.

[Figure: ABR between Area 1 (148.43.200.0/25 via S0/0/0, 148.43.200.128/26 via S0/0/1, 148.43.200.192/26 via S0/2/0) and Area 0 (S0/2/1), configured with router ospf 100 / area 1 range 148.43.200.0/24. The ABR routing table contains a summary route using the Null0 exit interface:]

  O 148.43.200.0/25 S0/0/0
  O 148.43.200.128/26 S0/0/1
  O 148.43.200.192/26 S0/2/0
  O 148.43.200.0/24 Null0

The backbone router's routing table shows the summary as an inter-area route:

  O IA 148.43.200.0/24 S0/0/0

When summarization is configured in OSPF, a summary route pointing to the Null0 interface is created in the summarizing router's routing table. The summary route also appears in the receiving router's routing table as an inter-area route. The subnets of the summary route are no longer present in that router's topology database or routing table. If the null0 entry were not present, and the backbone router above were to advertise a default route to Area 1, there is a possibility that a routing loop could be created, as illustrated on the next page.


Preventing Routing Loops

[Figure: the same ABR between Area 1 and Area 0, now with an external default route advertised from Area 0. The ABR routing table contains the summary route to Null0 and the default:]

  O 148.43.200.0/25 S0/0/0
  O 148.43.200.128/26 S0/0/1
  O 148.43.200.192/26 S0/2/0
  O 148.43.200.0/24 Null0
  O E2 0.0.0.0/0 S0/2/1

Network .192/26 goes down. Traffic still comes in to addresses in that range. What happens? Traffic continues toward the 148.43.200.192/26 network. Why? What would happen if the summarized route to null0 were not in the ABR routing table?

The longest match rule dictates that traffic coming into the ABR from Area 0 for one of the summarized subnets will be passed to the subnet (a /26, for example, is a longer match, or mask, than the summary /24). If one of the subnets being summarized were to go down, the network entry for that route would disappear from the ABR's routing table. In that case, the Null0 path is used to kill traffic that may arrive for that subnet. In this example, the backbone routers have no record of the /26 subnet, only the summary /24, so they will continue to forward traffic in the .192/26 range toward the ABR. The ABR, having no routing table entry for the .192/26 network because it is down, will send traffic for that destination to the interface associated with the /24 routing table entry: Null0. A null interface is a 'virtual bit-bucket', and is sometimes called a discard route. If a default route is also present, advertised from the backbone area, and the routing table entry to Null0 were not present, any traffic arriving at the ABR for network .192/26 would be returned to Area 0. It would then be sent back to the ABR, based on the 148.43.200.0/24 entry in the backbone router's routing table. The ABR would once again send the traffic back to Area 0, based on the default route, and so on. The null interface entry in the ABR's routing table protects the topology from the disastrous consequences of the routing loop.
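As an added illustration (not part of the course material), the following Python script simulates the longest-match forwarding just described for a packet addressed into 148.43.200.192/26, with the subnet up, with the subnet down and the Null0 summary present, and with the subnet down and the Null0 summary missing. The ABR entries follow the slide; the backbone router's table, the interface names and the link between the two routers are constructed for this example.

```python
import ipaddress

# Constructed example tables modelled on the slide: an ABR summarizing
# 148.43.200.0/24 toward Area 0 and learning a default route back from it.
# Interface names and the backbone router's table are assumptions.
ABR_ROUTES = {
    "148.43.200.0/25": "S0/0/0",
    "148.43.200.128/26": "S0/0/1",
    "148.43.200.192/26": "S0/2/0",
    "148.43.200.0/24": "Null0",     # discard route installed by 'area 1 range'
    "0.0.0.0/0": "S0/2/1",          # external default learned from Area 0
}
BACKBONE_ROUTES = {
    "148.43.200.0/24": "S0/0/0",    # summary learned from the ABR, points back at it
    "0.0.0.0/0": "S0/1/0",          # assumed: the backbone's own exit toward the external AS
}
# Which interface leads to which router; any interface not listed delivers off-box.
LINKS = {("ABR", "S0/2/1"): "BACKBONE", ("BACKBONE", "S0/0/0"): "ABR"}


def longest_match(table, dst):
    """Return (prefix, exit interface) of the most specific route covering dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return (None, None) if best is None else (str(best[0]), best[1])


def build_tables(subnet_up=True, discard_route=True):
    """Per-router tables for one scenario: optionally withdraw .192/26 and/or the Null0 summary."""
    abr = dict(ABR_ROUTES)
    if not subnet_up:
        abr.pop("148.43.200.192/26")   # the /26 went down, so its route disappears
    if not discard_route:
        abr.pop("148.43.200.0/24")     # what the table looks like without the discard route
    return {"ABR": abr, "BACKBONE": dict(BACKBONE_ROUTES)}


def trace(dst, tables, start="BACKBONE", max_hops=8):
    """Forward one packet hop by hop starting at `start`; return (outcome, path).

    outcome is 'delivered', 'discarded' (sent to Null0), 'no route' or 'loop'
    (still bouncing between routers after max_hops lookups)."""
    node, path = start, []
    for _ in range(max_hops):
        prefix, iface = longest_match(tables[node], dst)
        if prefix is None:
            return "no route", path
        path.append((node, prefix, iface))
        if iface == "Null0":
            return "discarded", path
        nxt = LINKS.get((node, iface))
        if nxt is None:
            return "delivered", path
        node = nxt
    return "loop", path


if __name__ == "__main__":
    dst = "148.43.200.200"  # an address inside the .192/26 subnet
    scenarios = [
        ("subnet up", build_tables()),
        ("subnet down, Null0 present", build_tables(subnet_up=False)),
        ("subnet down, Null0 missing", build_tables(subnet_up=False, discard_route=False)),
    ]
    for label, tables in scenarios:
        outcome, path = trace(dst, tables)
        hops = " -> ".join(f"{n}:{p}->{i}" for n, p, i in path)
        print(f"{label}: {outcome}  ({hops})")
```

The third scenario only terminates because the simulation caps the number of lookups; on real routers the packet would circulate between the ABR and the backbone router until its TTL expired.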


Configure Route Summarization

Router(config-router)#summary-address 150.150.8.0 255.255.252.0

summary-address address mask [not-advertise] [tag tag]

• Consolidates external routes at the ASBR

Router(config-router)#area 2 range 148.43.200.0 255.255.255.0 cost 60

area area-id range address mask [advertise | not-advertise] [cost cost]

• Consolidates IA (inter-area) routes on an ABR

The above commands are applied as part of the OSPF configuration. Area-id is the area containing the networks to be summarized. The address & mask portions of the command define the summarized range. The optional cost cost extension specifies a cost for the summary advertisement. (The cost value can be from 0 to 16777215.) The optional advertise | not-advertise extensions let you suppress the summary route. If not-advertise is specified, neither the summary route nor the subnets in the range are advertised. The tag extension lets you match a route map value for controlling redistribution at the ASBR. Any single subnet to be advertised by OSPF that fits within the summarized range causes the summarized address to be advertised and the subnet advertisement to be suppressed.

Be aware that when using this command, it is possible to advertise networks as part of the summarization that your router does not have in its routing table. Example: You control these three networks:

  150.150.0.0 /24
  150.150.1.0 /24
  150.150.3.0 /24

You configure:

  Router(config-router)#area 2 range 150.150.0.0 255.255.252.0


This /22 summary covers IPs from 150.150.0.0 to 150.150.3.255, so it does indeed cover your entire range of addresses, but it also claims ownership of the 150.150.2.0 /24, which does not belong to you. You may shortly start receiving that network's packets, though. When any of the three /24s you own try to advertise, the entire /22 is advertised instead. As you can see, care must be taken to plan a good summarization statement.
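The following Python script is an added worked example (not part of the course materials) covering three points from the preceding pages: it carries out the convert-to-binary, find-the-common-bits method from the "Route Summarization at ABR" notes, it computes the summary cost with the RFC 2328 rule (maximum component cost; RFC 1583 compatibility uses the minimum), and it flags the over-claim problem just described, namely any address space inside the summary that none of your subnets cover. The function names and the report layout are this example's own; the addresses and costs are the ones used on the slides.

```python
import ipaddress


def summarize(subnets):
    """Smallest single prefix covering every subnet (the common-leading-bits method)."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    base = nets[0].network_address
    # Start at the longest mask any component uses and shorten it one bit at a
    # time until the candidate block contains every component.
    for plen in range(min(n.prefixlen for n in nets), 0, -1):
        candidate = ipaddress.ip_network(f"{base}/{plen}", strict=False)
        if all(n.subnet_of(candidate) for n in nets):
            return candidate
    return ipaddress.ip_network("0.0.0.0/0")


def unowned_space(summary, subnets):
    """Address blocks inside the summary that none of the given subnets cover.

    These are the ranges the 'area range' would claim on your behalf even though
    you do not route them."""
    remaining = [summary]
    for owned in ipaddress.collapse_addresses(ipaddress.ip_network(s) for s in subnets):
        nxt = []
        for block in remaining:
            if owned.subnet_of(block):
                nxt.extend(block.address_exclude(owned))   # carve the owned part out
            elif not block.subnet_of(owned):
                nxt.append(block)                           # disjoint: still unowned
        remaining = nxt
    return sorted(remaining)


def summary_cost(component_costs, rfc1583_compatible=False):
    """Cost advertised for the summary: max of the components (RFC 2328), min under RFC 1583."""
    return min(component_costs) if rfc1583_compatible else max(component_costs)


def plan_summary(subnets, costs=None):
    """Report what an 'area range' for these subnets would advertise and what it over-claims."""
    summary = summarize(subnets)
    report = {
        "summary": str(summary),
        "mask": str(summary.netmask),
        "over_claimed": [str(n) for n in unowned_space(summary, subnets)],
    }
    if costs:
        report["cost"] = summary_cost(costs)
    return report


if __name__ == "__main__":
    # Slide example: four contiguous /22s collapse cleanly into one /20.
    print(plan_summary(["131.108.16.0/22", "131.108.20.0/22",
                        "131.108.24.0/22", "131.108.28.0/22"]))
    # Adding 131.108.8.0/22 and 12.0/22 forces a /19 that claims 131.108.0.0/21 as well.
    print(plan_summary(["131.108.8.0/22", "131.108.12.0/22", "131.108.16.0/22",
                        "131.108.20.0/22", "131.108.24.0/22", "131.108.28.0/22"]))
    # The /22 over-claim example: 150.150.2.0/24 is advertised although it is not yours.
    print(plan_summary(["150.150.0.0/24", "150.150.1.0/24", "150.150.3.0/24"]))
    # Summarization cost example: the /24 is advertised with the highest component cost.
    print(plan_summary(["148.43.200.0/25", "148.43.200.128/26", "148.43.200.192/26"],
                       costs=[391, 195, 97]))
```

An empty over_claimed list means the range can be summarized without attracting traffic for anyone else's addresses; a non-empty one is the case the text warns about and usually means the address plan, not the command, needs adjusting.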


1) Configure routers for a multi-area OSPF network or TFTP config files if available.

2) Routers 2 & 5 add eight sequential loopback interfaces with IP addresses for each.

- Loopback 10 - 17
- configure each interface with the command "ip ospf network point-to-point"
- Router 2 use IP 150.150.0.1, 150.150.1.1, 150.150.2.1, 150.150.3.1, 150.150.4.1, 150.150.5.1, 150.150.6.1, & 150.150.7.1; use a mask of 255.255.255.0 on all.
- Router 5 use IP 150.150.8.1, 150.150.9.1, 150.150.10.1, 150.150.11.1, 150.150.12.1, 150.150.13.1, 150.150.14.1, 150.150.15.1; use a mask of 255.255.255.0 on all.
- add network statement of 150.150.0.0 0.0.255.255 area 1 or 2 under OSPF.

3) All routers do sho ip route; loopback addresses from routers 2 & 5 should be in routing table. Also examine the OSPF database for the 150.150.0.0 networks.

4) Routers 1,3,4, & 6 are ABRs. Summarize loopback addresses there.

5) Router 7 do sho ip route; shows two summarized routes, one from each ABR.

6) On Router 7, change the OSPF cost on a serial interface. router(config-if)#ip ospf cost 500

7) Router 7 should only show one summarized route now.

Route Summarization PE

OSPF treats a loopback interface as a host. Regardless of the mask assigned to the interface, OSPF will advertise it as a /32. By configuring the interface with the command “ip ospf network point-to-point”, OSPF will advertise the assigned mask. Prior to actually configuring the OSPF route summarization, the proper address & mask values to be used within the command must be calculated. Note that routers performing summarization do not actually see the effects of it. Which router(s) see the full effects of the summarization taking place within the OSPF topology? Simulator classes: Step 1 is already completed. Each student will perform steps 2 through 7.


Types of Areas

[Figure: Types of Areas. Backbone Area 0 - interconnects areas; accepts all LSAs. Stub Area - does not accept external LSAs. Totally Stubby Area - does not accept external or summary LSAs. NSSA Area - does not accept external LSAs but allows them to use the area as a transit system to get to the backbone (Type 7 LSAs from the external AS leave the NSSA as Type 5 LSAs).]

Area 0 is always a normal area. It must be able to accept all LSA types. Other types of areas become more and more restrictive about types of LSAs allowed.

Area restrictions:

  Normal - None; accepts all types of LSAs.

  Stub Area - No Type 5 AS-External LSAs allowed; they are suppressed at the ABR, and a default route substituted.

  Totally Stubby Area - No Type 3, 4 or 5 LSAs allowed; they are suppressed at the ABR, and a default route substituted.

  NSSA - Type 5 AS-External LSAs generated by the area's own ASBR allowed; they traverse the area as Type 7s, and convert to Type 5s at the ABR for propagation into the Backbone. Any Type 5s arriving from other areas are suppressed at the ABR, and a default route substituted.

  NSSA Totally Stubby Area - Any Type 3, 4 or 5s arriving from other areas are suppressed at the ABR, and a default route substituted. Type 5 AS-External LSAs generated by the area's own ASBR allowed; they traverse the area as Type 7s, and convert to Type 5s at the ABR for propagation into the Backbone.

Totally Stubby and NSSA Totally Stubby areas are Cisco proprietary variations on the RFC-supported Stub Area and NSSA.


Stub Areas

• Blocks external routes, reduces database

• Consolidate external links - 0.0.0.0

[Figure: Stub Area 2 receives only the default route 0.0.0.0 from Area 0; external routes learned from an external AS (via BGP) remain in Area 0 (routers R1 through R4).]

OSPF allows certain areas to be configured as stub areas. Configuring a stub area reduces the size of the topological database inside an area and as a result reduces the memory requirements of routers inside that area. External networks, such as those redistributed from other protocols into OSPF, are not allowed to be flooded into a stub area. Routing from these areas to the outside world is based on a default route (0.0.0.0). This allows routers within the stub area to reduce the size of their routing table because a single default route replaces the many external routes. If your network has no external routes, there is no need to configure a stub area.


• Ideally a single exit point in/out of area; if multiple exit points, sub-optimal paths may be selected

• An ASBR cannot be internal to stub

• Area 0 cannot be a stub

• Transit area for virtual links disallowed

Stub Area Restrictions

[Figure: Single Exit Point. Stub Area 2 with one exit point (R4) receiving 0.0.0.0; an ASBR attached to an external AS cannot be inside the stub (marked X at R3 in the diagram).]

An area could be qualified as a stub when there is a single exit point from that area or if routing to outside of the area does not have to take an optimal path. The latter description is just an indication that a stub area with multiple exit points will have one or more ABRs injecting a default route into that area. Routing to the outside world could take a sub-optimal path in reaching the destination by going out of the area via an exit point that is farther from the destination than other exit points. Other stub area restrictions are that a stub area cannot be used as a transit area for virtual links. In addition, an ASBR cannot be internal to a stub area. These restrictions are made because a stub area is mainly configured not to carry external routes, and any of the situations described cause external links to be injected in that area. The backbone, of course, cannot be configured as a stub.

Any type of area other than a normal area is setting some type of restriction on the type of LSAs it will accept, in order to minimize the database size. A normal area sets no restrictions, and Area 0 is always a normal area. Therefore, we can see again the importance of route summarization toward the backbone. It is the only way to reduce the database size for Area 0. All other areas may be able to configure as stubs or an even more restrictive type of area, allowing us to reduce the database size for the outlying areas.


Stub Area Multi-Exit Points

• Routers internal to stub area only know of internal cost

• External cost values are hidden

• Sub-optimal paths external to the stub area may be selected because of this limited knowledge of the overall topology

[Figure: Area 2 Stub with internal router A and two ABRs, B and C, each advertising 0.0.0.0 into the area; the link speeds shown on the external links are 256k, 512k, 64k and T1.]

In the above example, area 2 has been configured as a stub area. It has two ABR routers each advertising a default network into the area. The default routes have an initial metric of 1. As the default networks move through the area to router A, they will pick up the internal cost associated with the path they take. Any cost external to the area associated with these default routes is not factored in. It is “invisible” to router A. Router A makes routing decisions based solely on the cost internal to the area. With this said, to reach an external network, router A would see the path to router C as preferable. However, based on the bandwidth values shown on the external links to the cloud, it can be easily seen that this is not the overall preferable path. When configuring a stub area, it is preferable to have a single exit point (ABR). If multiple exit points do exist, keep in mind that all external route metrics (cost) are hidden from routers internal to the stub area.


Configuring Stub Areas

Router(config-router)#

area area-id stub

• Creates a stub network

Router(config-router)#

area area-id default-cost cost

• Specifies cost for default route sent into stub area

Each router within the area, including the ABR, must enter the stub area command. If a router configures an area as a stub and another router configures the same area not as a stub, then these two routers will not form a neighbor relationship (stub area flag in hello packet). The “area area-id default-cost cost” command is used to apply a seed metric (cost) to the default route prior to it entering the stub area. It is entered only on the ABR. If no default cost is applied, then the default routes advertised by the ABR into the stub area will have an initial metric of 1.


Stub Area Configuration Example

[Figure: R3 (E0 192.168.14.1 in Area 0, S0 192.168.15.1) connects over a serial link to R4 (S0 192.168.15.2) in Stub Area 2; an external AS sits beyond Area 0.]

R3#

  interface Ethernet 0
   ip address 192.168.14.1 255.255.255.0
  interface Serial 0
   ip address 192.168.15.1 255.255.255.252

  router ospf 100
   network 192.168.14.0 0.0.0.255 area 0
   network 192.168.15.0 0.0.0.255 area 2
   area 2 stub

R4#

  interface Serial 0
   ip address 192.168.15.2 255.255.255.252

  router ospf 15
   network 192.168.15.0 0.0.0.255 area 2
   area 2 stub

In this example, area 2 is defined as the stub area. No external routes from the external autonomous system will be forwarded into the stub. The last line in each configuration, area 2 stub, defines the stub area. The area stub default-cost has not been configured on R3, so this router will advertise 0.0.0.0 (the default route) with a default cost metric of 1. Each router in the stub must be configured with the area stub command. The only routes that will appear in R4’s routing table are intra-area routes (designated with an O in the routing table), the default route, and inter-area routes (both designated with an IA in the routing table; the default route will also be denoted with an asterisk). Notice that both R3 and R4 are configured with the area stub command. The area stub command determines whether the routers in the stub exchange hello messages and become neighbors. This command must be included in all routers in the stub if they are to exchange routing information.


Stub Area PE

1) Configure routers for a multi-area OSPF network or TFTP config files if available.

2) Router 7 install the following:

- Loopback 17 – 21 with ip address 148.17.0.1, 148.18.0.1, 148.19.0.1, 148.20.0.1, & 148.21.0.1. Use the mask of 255.255.0.0

- configure each interface with the command "ip ospf network point-to-point"

- Under OSPF enter the command “redistribute connected subnets”.

3) Everyone telnet to router 2 or 5 and examine the routing table; note “E” routes. Also examine the OSPF database for type 5 LSAs.

4) Routers 1, 2, 3, 4, 5, & 6 configure for stub area.

5) Routers 2 & 5 should have default route(s) in place of the original external routes. The OSPF database should now have a default summary LSA(s) and no type 5.

6) Note the cost assigned to the default route. ABRs configure the "area area-id default-cost cost" to set an initial cost for the default route.

The configuration of loopback interfaces on router 7 is just for generating networks for use within the stub area lab. These loopback networks, once configured, will be redistributed into OSPF, which will create external routes within the OSPF domain. By configuring areas 1 and 2 as stub, these external routes will be blocked by the ABRs and replaced with a default route generated by the ABRs. OSPF treats a loopback interface as a host. Regardless of the mask assigned to the interface, OSPF will advertise it as a /32. By configuring the interface with the command “ip ospf network point-to-point”, OSPF will advertise the assigned mask. Once the stub areas have been configured and are working properly, ping from routers 2 and 5 to the external networks configured on router 7 to show that the default route is providing the necessary network connectivity. Simulator classes: Step 1 is already completed. Each student will perform steps 2 through 6.


Totally Stub Areas

• Blocks external and summary routes

• Knows only intra-area and default routes

[Figure: Totally stubby Area 2 receives only 0.0.0.0 from its ABR; Area 0 carries the summary and external routes; Area 3 and an external AS attach to the backbone (routers R1 through R5).]

A totally stubby area is a stub area that blocks external routes and summary routes (inter-area routes) from being propagated into the area. This way, intra-area routes and the default of 0.0.0.0 are the only routes known to the stub area. ABRs inject the default summary link of 0.0.0.0 into the totally stubby area. Each router picks the closest ABR as a gateway to everything outside the area. The totally stubby area is a Cisco-specific feature.


Configure Totally Stubby Areas

Router(config-router)#

area area-id stub no-summary

• Creates a totally stub network

• Only performed on ABR

Router(config-router)#

area area-id default-cost cost

• Specifies cost for default route sent into stub area

All routers within the area must enter the stub command. In addition to this command, the ABRs must enter the no-summary keyword to define a totally stubby area. If a router configures an area as a stub and another router configures the same area not as a stub, then these two routers will not form a neighbor relationship (stub area flag in hello packet). The “area area-id default-cost cost” command is used to apply a seed metric (cost) to the default route prior to it entering the stub area. It is entered only on the ABR. If no default cost is applied, then the default routes advertised by the ABR into the stub area will have an initial metric of 1.


Totally Stubby Configuration Example

R4#

  router ospf 15
   network 192.168.15.0 0.0.0.255 area 2
   area 2 stub

R3#

  router ospf 100
   network 192.168.14.0 0.0.0.255 area 0
   network 192.168.15.0 0.0.0.255 area 2
   area 2 stub no-summary

[Figure: R3 (E0 192.168.14.1 in Area 0, S0 192.168.15.1) connects over a serial link to R4 (S0 192.168.15.2) in Totally Stubby Area 2; an external AS sits beyond Area 0.]

In this example, the keyword no-summary has been added to the area stub command on R3. This keyword causes summary routes (inter-area) to also be blocked from the stub. Each router in the stub picks the closest ABR as a gateway to everything outside the area. The only routes that will appear in R4’s routing table are intra-area routes (designated with an O in the routing table) and the default route. No inter-area routes (designated with an IA in the routing table) will be included. It is only necessary to configure the no-summary keyword on the stub border routers. This is because the area is already configured as a stub.


Totally Stub Area PE

1) Configure routers for a multi-area OSPF network or TFTP config files if available.

2) Everyone telnet to router 2 or 5 and examine the routing table; note “IA” routes. Also examine the OSPF database.

3) Routers 2 & 5 configure for stub area.

4) Routers 1,3,4,& 6 configure for totally stub area.

5) Router 2 & 5 should have default route(s) in place of the original “IA” routes.

6) Note the cost assigned to the default route. ABRs configure the "area area-id default-cost cost" to set an initial cost for the default route.

The above lab configures areas 1 and 2 as totally stub areas thereby blocking all external and inter-area (IA) routes at the ABRs and replacing them with a default route. Once the totally stub areas have been configured and are working properly, ping between routers 2 and 5 to show that the default route is providing the necessary network connectivity. Simulator classes: Step 1 is already completed. Each student will perform steps 2 through 6.


Virtual Links (1)

• All areas must be physically interconnected to area 0.

• Virtual links provide path to backbone if physical connection is not available.

• Avoid configuring virtual links if possible, for temporary fixes only.

[Figure: Area 3, which has no physical connection to Area 0 (Backbone), reaches it through a virtual link across a transit area; Areas 1 and 2 are also shown.]

OSPF has certain restrictions when multiple areas are configured. One area must be defined as area 0. Area 0 is also called the backbone because all communication must go through it. All areas should be physically connected to area 0. This is because all other areas inject routing information into area 0, which in turn disseminates that information to other areas. In special cases where a new area is added after the OSPF network has been designed and configured, it is not always possible to provide that new area with direct physical access to the backbone. In these cases, a virtual link can be defined to provide the needed connectivity to the backbone. The virtual link provides the disconnected area a logical path to the backbone. The virtual link must be established between two routers that share a common area, and one of these routers must be physically connected to the backbone.


Virtual Links (2)

• Link discontiguous backbone

 – Merged networks

 – Redundancy

[Figure: Two separate Area 0 segments joined through a virtual link across a transit area; Areas 1, 2 and 3 are attached.]


Configuring Virtual Links

• Creates a virtual link

Router(config-router)#

area area-id virtual-link router-id

remoterouter#show ip ospf interface Ethernet 0
Ethernet0 is up, line protocol is up
  Internet Address 10.64.0.2/24, Area 0
  Process ID 1, Router ID 10.64.0.2, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 10.64.0.2, Interface address 10.64.0.2
  Backup Designated router (ID) 10.64.0.1, Interface address 10.64.0.1

Within the command to configure a virtual link, two pieces of information are required: area-id and router-id. The area-id is the area being used as the transit area. The router-id is the OSPF router ID of one of the two border routers involved in the virtual link; each router enters the other router's router ID in the command. One border router interconnects the non-0 area to the transit area and the other interconnects the transit area to area 0. You may be required to telnet to the distant border router to obtain its router ID (for example, from show ip ospf interface, as above).


Virtual Link Configuration Example

[Diagram: R2 (Router ID 10.7.20.123) connects Area 3 to Area 1; R1 (Router ID 10.3.10.5) connects Area 1 to Area 0]

R2:
router ospf 63
 network 10.3.0.0 0.0.0.255 area 1
 network 10.7.20.0 0.0.0.255 area 3
 area 1 virtual-link 10.3.10.5

R1:
router ospf 100
 network 10.2.3.0 0.0.0.255 area 1
 network 10.3.10.0 0.0.0.255 area 0
 area 1 virtual-link 10.7.20.123

In this example, area 3 does not have a direct physical connection to the backbone (area 0). All inter-area traffic still must transit the backbone, however. To provide connectivity to the backbone, a virtual link must be configured between R2 and R1. Area 1 will be the transit area and R1 will be the entry point into area 0. R2 will have a logical connection to the backbone through the transit area. Both sides of the virtual link must be configured.

• R2: area 1 virtual-link 10.3.10.5: with this command, area 1 is defined to be the transit area and R2 identifies R1 as the target router on the other side of the virtual link.

• R1: area 1 virtual-link 10.7.20.123: with this command, area 1 is defined to be the transit area and R1 identifies R2 as the target router on the other side of the virtual link.
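The consistency rules just described (a common transit area on both routers, each end naming the other's router ID, and one end attached to area 0) can be checked before a change is pushed. The following is an added Python example, not part of the course material; it parses the R1 and R2 snippets above and takes the router IDs from the diagram, since the configs themselves carry no router-id line.

```python
import re

# Sample IOS snippets, copied from the configuration example above.
# Router IDs come from the diagram, so they are passed in explicitly.
R2_CONFIG = """
router ospf 63
 network 10.3.0.0 0.0.0.255 area 1
 network 10.7.20.0 0.0.0.255 area 3
 area 1 virtual-link 10.3.10.5
"""
R1_CONFIG = """
router ospf 100
 network 10.2.3.0 0.0.0.255 area 1
 network 10.3.10.0 0.0.0.255 area 0
 area 1 virtual-link 10.7.20.123
"""

NETWORK_RE = re.compile(r"^\s*network\s+\S+\s+\S+\s+area\s+(\S+)\s*$", re.M)
VLINK_RE = re.compile(r"^\s*area\s+(\S+)\s+virtual-link\s+(\S+)\s*$", re.M)
BACKBONE = {"0", "0.0.0.0"}   # IOS accepts both spellings of area 0


def parse_ospf(config):
    """Return (set of areas that have interfaces, list of (transit_area, peer_rid))."""
    areas = set(NETWORK_RE.findall(config))
    vlinks = VLINK_RE.findall(config)
    return areas, vlinks


def check_virtual_link(name_a, rid_a, cfg_a, name_b, rid_b, cfg_b):
    """Return a list of problems for one virtual-link pair; empty means consistent."""
    problems = []
    areas_a, vl_a = parse_ospf(cfg_a)
    areas_b, vl_b = parse_ospf(cfg_b)
    if len(vl_a) != 1 or len(vl_b) != 1:
        problems.append("each router must carry exactly one virtual-link statement for this pair")
        return problems
    (transit_a, peer_a), (transit_b, peer_b) = vl_a[0], vl_b[0]

    # Both ends must name the same transit area.
    if transit_a != transit_b:
        problems.append(f"transit area mismatch: {name_a} uses {transit_a}, {name_b} uses {transit_b}")

    # The transit area must be a common area, i.e. each router has an interface in it.
    for name, areas, transit in ((name_a, areas_a, transit_a), (name_b, areas_b, transit_b)):
        if transit not in areas:
            problems.append(f"{name} has no network statement in transit area {transit}")

    # Each router must point at the other router's router ID.
    if peer_a != rid_b:
        problems.append(f"{name_a} points at {peer_a}, but {name_b} router ID is {rid_b}")
    if peer_b != rid_a:
        problems.append(f"{name_b} points at {peer_b}, but {name_a} router ID is {rid_a}")

    # One of the two must be physically connected to the backbone.
    if not (areas_a | areas_b) & BACKBONE:
        problems.append("neither router has an interface in area 0 (backbone)")
    return problems


if __name__ == "__main__":
    result = check_virtual_link("R2", "10.7.20.123", R2_CONFIG, "R1", "10.3.10.5", R1_CONFIG)
    print("\n".join(result) if result else "virtual link R2<->R1 is consistent")
```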


OSPF Virtual Link Network (1)

[Network diagram: routers 1 through 7 in Areas 0, 1 and 2, addressed out of 148.43.200.0 255.255.255.0, with 255.255.255.240 LAN subnets on f0/0 and /30 links on s0/0, s0/1 and f0/1]

Install the above network. Once installed, perform the PE on the next page.


OSPF Virtual Link Network (2)

[Network diagram: 8-router and simulator configuration; routers 1 through 8 in Areas 0, 1 and 2, addressed out of 148.43.200.0 255.255.255.0, with 255.255.255.240 LAN subnets on f0/0 and /30 links on s0/0, s0/1 and f0/1]


Virtual Link PE

1. Configure routers as per diagram or TFTP config files if available.

2. Install Ethernet link between routers 2 & 5.

3. Review all router routing tables; areas 1 & 0 should not see routes in area 2 and vice versa.

4. Configure a virtual link between routers 1 & 5.

5. All routers should have connectivity to the entire network.

The objective of this lab is to provide virtual connectivity for area 2 to area 0 using area 1 as the transit area. Once complete, ping from area 2 to area 0 to ensure there is total network connectivity. Simulator classes: Steps 1 and 2 are already completed. Each student will perform steps 3 through 5.


Multi-Area OSPF Review

Questions


1. What are the two primary elements of OSPF hierarchy?
 a. stub & NSSA
 b. total stub & virtual link
 c. area & autonomous system
 d. area & backbone

2. What is the primary purpose of dividing an OSPF topology into areas?
 a. to make it more manageable
 b. to establish ABRs
 c. to eliminate type 3 LSAs
 d. to reduce the size of the topology database

3. Routers within the same area have identical link state databases.
 a. true
 b. false

4. A router receives an LSA and already has a matching record in its database, but the sequence number on the received LSA is less (older) than what is currently in the database. What does the router do?
 a. replaces the current LSA in the database and floods the LSA
 b. nothing
 c. sends an LSA with newer info to the source
 d. recalculates the database using SPF

5. Where do external OSPF routes originate?
 a. ASBR
 b. when OSPF is redistributed into another protocol
 c. from BGP
 d. another autonomous system

6. What is the sequence number used for on an LSA?
 a. error checking
 b. to determine if the LSA is already in the database
 c. to determine if the LSA is newer or older than what is in the database
 d. all of the above
 e. b & c

7. How is a summary LSA identified in the routing table?
 a. O
 b. IA
 c. E1
 d. ES

8. What is the difference between an E1 and E2 routing update?
 a. were received through different interfaces
 b. E1 is BGP, E2 is EGP
 c. E1 is internal and external cost; E2 is external cost only
 d. E1 is external cost only; E2 is external and internal cost


9. What is a type one LSA (router)?
 a. generated by OSPF routers and flooded within the area
 b. describes all directly connected networks on an OSPF router
 c. can contain information about multiple networks
 d. all the above

10. What are the two types of route summarization?
 a. extensive and passive
 b. inter-area and intra-area
 c. external and inter-area
 d. intra-area and external

11. Why do we use route summarization?
 a. easier to map network
 b. minimizes ospf database entries
 c. provides default route to stub areas
 d. keeps number of areas in network to a minimum

12. Which of the following are types of OSPF areas?
 a. stub, internal, external, & NSSA
 b. stub, totally stub, NSSA, & external
 c. stub, backbone, NSSA, & totally stub
 d. inter-area, intra-area, stub, & totally stub

13. Stub areas _________
 a. can only be area 0
 b. do not receive external routes
 c. have only one router
 d. broadcasts a default route

14. Totally stub areas __________
 a. receive only external routes
 b. do not receive external routes
 c. do not receive external and summary routes
 d. have only one router

15. Virtual links serve two purposes:
 a. link an area that does not have physical connection to area 0 & patch the backbone in case of discontinuity
 b. provide an option when there are not enough physical interfaces & provide more throughput on serial interfaces
 c. keep hardware costs to a minimum & keep cpu utilization below a prescribed level
 d. allow Ethernet interfaces to emulate serial interfaces & serial interfaces to emulate fiber interfaces


16. In Open Shortest Path First, what does open refer to?
 a. the database size is unlimited
 b. it is a non-proprietary protocol
 c. the entire protocol has not been defined yet
 d. the bid to purchase it is still open

17. What does ABR stand for?
 a. autonomous border router
 b. area backup router
 c. another bad route
 d. area border router

18. What does ASBR stand for?
 a. auxiliary source backup router
 b. autonomous system boundary router
 c. automatic sensing baseband repeater
 d. asynchronous segment bandwidth reducer

19. In Open Shortest Path First, what does shortest path first refer to?
 a. the router will always choose the least number of hops
 b. the router will always choose the shortest physical distance
 c. an algorithm run on the topology database
 d. an algorithm run on the adjacencies database

20. Which of the following will OSPF utilize first as the router ID?
 a. highest active IP address on a physical interface
 b. lowest active IP address on a physical interface
 c. loopback address
 d. MAC of serial 1

21. What is the purpose of designing and installing summary routes, stub areas, and totally stub areas?
 a. minimizes the size of the physical topology
 b. reduces router latency
 c. reduces the size of the topology database
 d. decreases the configuration size
 e. both b & c
 f. both a & d

22. What must be taken into consideration when a stub area has multiple exit points?
 a. it is possible for routes to be dropped
 b. it is possible for sub-optimal routes to be selected
 c. external cost of routes is not known to internal routers
 d. it is only possible to use one
 e. both a & d
 f. both b & c

Enhanced Interior Gateway Routing Protocol (EIGRP)

Characteristics of EIGRP

• Cisco Proprietary

• Triggered routing updates and automatic neighbor discovery
 – Utilizes multicast for updates and hello packets

• Advanced Distance Vector
 – Uses “Reliable Transport Protocol” to send routing updates
 – Eliminates the need for periodic full updates

• Maintains a route topology database
 – Stores all routes received from neighbors

• DUAL – Diffusing Update Algorithm (loop free routing)
 – Has backup route readily available (feasible successor)
 – Actively queries neighbors if backup not available

• Simple configuration: classless, but programs like classful

• Manual route summarization at any point in the topology

• Load balancing available across unequal metric routes

EIGRP is a Cisco proprietary routing protocol that seeks to combine the advantages of link-state and distance vector routing protocols. As a 'hybrid' protocol, EIGRP includes the following features: Neighbor discovery and maintenance are dynamic, through the use of the Hello Protocol. Routing updates are exchanged between neighbors upon changes to the network topology, as opposed to periodic updates regardless of changes. EIGRP uses multicast addressing as opposed to broadcast (like RIP or IGRP) for the hello protocol and routing updates. EIGRP is labeled an Advanced Distance Vector routing protocol. When exchanging information with neighbors it uses the Reliable Transport Protocol (RTP). This guarantees delivery of information such as updates. It maintains a topology database similar to link state protocols, which allows it to make routing decisions without waiting on information from neighboring routers. This also dramatically speeds up the convergence time required for the routers within the EIGRP topology, compared to the older distance vector protocols. EIGRP uses the Diffusing Update Algorithm (DUAL) to recalculate preferred route information within the topology database if network reachability issues occur. Within the topology database, backup routes are stored which can be automatically installed in the routing table upon failure of the primary route path. If there is not a backup available, EIGRP actively queries its neighbors for routing information. A diffusing computation ensures that the previous route information is erased from all parts of the topology. EIGRP configuration is simple in that it programs like a classful protocol (classful network statements) but has all the advantages of a classless protocol. Since it is a distance vector protocol, route filtering is also easy to configure. Route summarization can be installed on any router and/or interface within the EIGRP topology. This is a very powerful tool and simplifies EIGRP topology design and implementation, since there is no concept of border routers. EIGRP has the option to load balance across unequal metric paths. This load balancing is proportional to the metric of each link. Other routing protocols have to see equal metrics on routes before load balancing. This causes some links to not be utilized at all while others may become saturated with traffic.


EIGRP Comparison

Metric
  Distance Vector (RIP / IGRP): Hop Count / Bandwidth, Delay by Default
  Advanced Distance Vector (EIGRP): DUAL Algorithm based on Bandwidth and Delay of Link
  Link State (OSPF): Dijkstra Algorithm based on Bandwidth of Link

Classful / Classless
  RIP / IGRP: Classful
  EIGRP: Classless
  OSPF: Classless

Route Propagation
  RIP / IGRP: Broadcast full table every 30 Seconds
  EIGRP: Multicast partial updates only when path or metric changes and only to affected neighbors
  OSPF: Multicast partial updates only when path or metric changes, to all routers in same Area

Neighbor States
  RIP / IGRP: Any Router within same network directly connected and running like Routing Protocol
  EIGRP: Uses “Hello protocol” to dynamically learn of Neighbors resulting in faster convergence
  OSPF: Uses “Hello protocol” to dynamically learn of Neighbors resulting in faster convergence

Backup Routes
  RIP / IGRP: No, must wait for next broadcast of routing table
  EIGRP: Yes, through topology database. Feasible successor requires no neighbor queries
  OSPF: Yes, through topology database.

Summarization
  RIP / IGRP: Automatic at network boundaries; no manual summarization available
  EIGRP: Automatic at network boundaries; manual summarization available on all interfaces
  OSPF: Manual only on ABRs; recommended towards the “Backbone Area”

You can better understand the technology used in EIGRP by comparing it with other protocols well known to the internetworking industry. Routing protocols have two major approaches:

“Routing by Rumor” Also known as distance-vector. This method is used by protocols, such as IGRP, RIP, and BGP, where each router knows only what its neighbor tells it.

“Routing by Propaganda” Also known as link-state. This method is used by protocols such as OSPF, or IS-IS, where all the routers in a region of the network share a common understanding of the region’s topology.

EIGRP is most similar to a distance vector protocol, using only information it receives from its directly connected neighbors for routing decisions; but unlike a pure distance vector protocol, where only the best route is stored, EIGRP stores all routes received. Knowledge of more than one route enables the ability to switch quickly to an alternate should the current route become unavailable. Additionally, EIGRP takes an active role and queries its neighbors when a destination becomes unreachable if an alternate path is not available. Traditional distance vector protocols passively wait for a reported route.


EIGRP Databases

[Diagram of the three EIGRP databases and what feeds them:
 Neighbor Table / Database – Lists Neighbors; built from Hello Packets
 Topology Database – Lists All Routes (Feasible Successor); built from Updates From Neighbors
 Routing Table – Lists Best Routes; Calculated by Router using info from Topology Database (DUAL)]

The neighbor database tracks and maintains all EIGRP router neighbors: the next-hop routers and the interface that reaches them. These directly connected neighbors are identified through the use of hello packets. Once the neighbor relationship is established, the hello packets continue at set intervals to maintain the relationship. The hello packets, when used for this purpose, are sometimes referred to as keepalives. The neighbor database also tracks and averages the amount of time it takes for neighbors to respond to reliable packets. This averaged time is then used to determine the retransmission timeout (RTO). The topology database stores all EIGRP updates received from neighboring routers. Only routes being used for packet forwarding (successor routes) are advertised by those neighbors. The DUAL algorithm is applied to the topology database. The preferred routes from the topology database are then offered to the routing table as candidates. Two criteria are utilized by the routing table in the selection of entries into the table: administrative distance and metrics. The local router can also select backup routes (referred to as feasible successors) to routing table network entries. These feasible successors are also stored within the topology database.


EIGRP Packets

Hello: Used to establish / maintain neighbor relationships

Update: Used to send routing updates

Query: Used to ask neighbors for routing information

Reply: Response to query

ACK: Used to acknowledge a reliable packet

EIGRP supports the following five generic packet types:

Hello: Hello packets are used for neighbor discovery and maintenance. They are sent as multicasts and carry a zero acknowledgment number.

Update: An update is sent to provide information on the routes that a particular router has converged. These are sent as multicasts when a new route is discovered, or when convergence has completed (and the route is passive). They are also sent as unicast when neighbors start up in order to synchronize the topology tables (since updates are not sent periodically as in IGRP).

Queries: When a router is performing route computation, and it does not have a feasible successor, it will send a query packet to its neighbors asking if they have a feasible successor for the destination. Queries are always multicast.

Replies: A reply packet is sent in response to a query packet. Replies are unicast to the originator of the query.

ACK: The ACK is used for acknowledging the other types of packets described above. ACKs are hello packets that are sent as unicasts and contain a nonzero acknowledgment number. Update, query, and reply packets are all sent reliably and require acknowledgement.


Neighbor Discovery Process

• EIGRP uses Hello protocol (multicast, 224.0.0.10) on every interface whose address falls within the network statement range.

• Two routers become neighbors when they exchange hello packets- must agree on autonomous system number and K-values.

• Once neighbor discovery is complete, hellos continue as keepalives.

• Hellos are sent once every 5 seconds on LANs, point-to-point WANs, and high speed (>T-1) multi-point WANs.

• Hellos are sent once every 60 seconds on multi-point low speed WANs (<T-1).

• Neighbor is declared dead if no EIGRP packets are received within hold interval (default three times the hello interval).

When EIGRP is enabled and an interface is found to be within its network range, the router sends periodic multicast hello packets out that interface. When another router running EIGRP within the same autonomous system receives a hello packet, it establishes a neighbor relationship between the two by responding with an update containing its complete routing information. This update packet will have the “Init” bit set, which indicates the initialization process. In response to the update, the first router sends an update with all its route information. Once acknowledged, the neighbors are considered adjacent. The hello mechanism not only dynamically discovers neighbors; it also discovers the loss of neighbors. After neighbor establishment, the hello packet is used as a “keepalive”. If a hello packet is not heard before the expiration of the hold time, then a topology change is detected. The neighbor adjacency is deleted, and all topology table entries learned from that neighbor are removed. This enables the routers to quickly re-converge if an alternate, feasible successor does not exist. The rate at which hello packets are sent is called the hello interval and can be adjusted per interface with the “ip eigrp hello-interval” command. The amount of time a router will consider a neighbor up without receiving a hello or any EIGRP packet is called the hold time, and can be adjusted per interface with the “ip eigrp hold-time” command.


Step by Step Neighboring

[Diagram: exchange between Router A and Router B]
 A → B: Hello – “I am Router A, is anyone here?”
 B → A: Update, Init Bit Set – “I am Router B, here are all my routes”
 A → B: ACK – “Thanks!!!”
 A → B: Update – “Here are all my routes”
 B → A: ACK – “Thanks!!!”
 Both Topology Databases populated: Neighbors have Converged

Neighboring and route discovery occur at the same time in EIGRP. Router A comes up on a link and sends out a hello. Router B (or any router on the link receiving the hello) replies with an update containing all the routes it has in its routing table, with the exception of any it may have learned previously on that interface (remember split horizon: “Don’t tell me what I told you!!”). This update will establish a neighbor relationship between the two routers. The update packet includes all information about the routes that the neighbor is using for packet forwarding, and the metric the neighbor is reporting for each route. Additionally, this update packet will have the Init bit set, which indicates this is the initialization process. Router A replies to the neighbor with an ACK packet, acknowledging receipt of its update. Router A then installs all received routes from the update packet into its topology database, and sends an update including all of its successor routes to Router B. Router B installs the routes in its topology database and acknowledges the update. Each router will then run the DUAL algorithm with this new information received to determine which primary and backup routes it should store in the topology table.

router#sho ip eigrp neighbor
IP-EIGRP neighbors for process 1
H   Address          Interface   Hold  Uptime    SRTT   RTO   Q    Seq
                                 (sec)           (ms)         Cnt  Num
1   148.43.200.105   S0/1        13    01:06:31  12     200   0    11
0   148.43.200.245   S0/0        12    01:59:01  16     200   0    22

Show IP EIGRP Neighbor

Process 1: Process numbers match the configured autonomous system number.

H: Indicates the order in which the neighbors were learned.

Address: Neighbor IP address assigned to the directly connected interface of the neighbor.

Interface: Interface on which hello packets are received from that neighbor.

Hold: Hold-time count for that neighbor. If the hold-time expires, the neighbor is declared dead and the relationship is reset.

Uptime: Total time the neighbor relationship has been established.

SRTT: Smooth round trip time, the average time from when a packet is transmitted to the neighbor until an ACK is received back from that neighbor. A 0 value indicates that no acknowledgements are being received, and would probably be associated with a very high RTO value.

RTO: Retransmission timeout, the amount of time the router will wait before retransmitting an unacknowledged reliable packet to a neighbor. RTO is calculated based on SRTT.

Q Cnt: Number of reliable EIGRP packets (update, query, reply) waiting in queue to be sent to that neighbor. Any number other than 0 indicates a problem.

Seq Num: Sequence number of the last query, reply, or update packet. Sequence numbers are used on reliable packets for tracking purposes to ensure delivery.


EIGRP Reliable Packets

• EIGRP uses the Reliable Transport Protocol (RTP)

• Updates, Queries, and Replies require explicit acknowledgement.

• Updates & Queries initially use multicast to all neighbors

- transport window size is one, follow-on packets cease until response (ACK)

- responding neighbors continue to get packets via multicast, no waiting

- if any neighbor fails to respond, packet is retransmitted unicast

- unicast packets will be retransmitted if not acknowledged (RTO reached)

- the neighbor relationship will be reset when retry limit (16) is reached.

RTP is tasked with ensuring that ongoing communication is maintained between neighboring routers. As such, a retransmission list is maintained for each neighbor. This list indicates packets (which require acknowledgement) to which responses have not yet been received. Initially, reliable packets are sent via multicast. If an acknowledgment is not received, the packet is resent via unicast to the non-responsive neighbor. Since the transport window is set to 1, follow-on reliable packets will not be sent until an acknowledgement is received for the original packet. The original packet will be resent via unicast 15 additional times (for a total of 16). If there is no acknowledgement after the 16th attempt, then the neighbor relationship is reset. EIGRP tracks the amount of time it takes a neighbor to reply to each reliable packet. These times are then averaged to compute the smooth round trip time (SRTT). The SRTT is then utilized to compute the retransmission timeout (RTO). The RTO is the amount of time the router will wait for an acknowledgement before resending the original reliable packet. EIGRP reliability ensures delivery of critical route information to neighboring routers. This information is required to ensure a loop-free topology at all times.


Updates / Acknowledgements

[Diagram, four panels of an update from A to B:
 1. Multicast Update / No Ack: update sent to 224.0.0.10; “no ack from B???”
 2. Unicast Update / No Ack: update resent to 148.43.200.9; “no ack from B???”
 3. Unicast Update 15 times / No Ack: update resent to 148.43.200.9; “no ack from B???”
 4. Reset Neighbor Connection]

An update is sent from router A to router B via multicast addressing. No acknowledgment (ACK) is received by A from B. The amount of time A will wait for the reply is called the retransmission timeout (RTO). The RTO is calculated separately for each neighbor, based on the SRTT. Once the RTO has expired, router A will retransmit the update to B but this time using Unicast addressing. Router A will attempt Unicast contact 15 times (for a total of 16 attempts) if necessary. If a response is not received by the expiration of the RTO after the 16th attempt, the neighbor relationship is reset.
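The retransmission behaviour described above (one multicast attempt, unicast retries after each RTO, a 16-attempt limit, then a neighbor reset, with a per-neighbor window of one) as an added Python simulation, not part of the course. The neighbor names, the attempt on which each acknowledges, and the 200 ms RTO are constructed inputs.

```python
MAX_ATTEMPTS = 16   # one multicast attempt plus 15 unicast retransmissions


def deliver_reliable(neighbors, acks_after, rto_ms=200):
    """Simulate one reliable EIGRP packet (update/query/reply) to a set of neighbors.

    neighbors  - list of neighbor identifiers
    acks_after - dict neighbor -> attempt number on which it finally ACKs
                 (1 = the initial multicast); a missing neighbor never ACKs
    rto_ms     - retransmission timeout, in reality derived per neighbor from SRTT

    Returns dict neighbor -> {"acked", "attempts", "mode", "waited_ms", "reset"}.
    """
    # Retransmission list: every neighbor owes an ACK until it answers.
    pending = {n: {"acked": False, "attempts": 0, "mode": None,
                   "waited_ms": 0, "reset": False} for n in neighbors}

    # Attempt 1 is a single multicast to 224.0.0.10 that every neighbor hears.
    for n in neighbors:
        st = pending[n]
        st["attempts"], st["mode"] = 1, "multicast"
        if acks_after.get(n) == 1:
            st["acked"] = True

    # Neighbors that answered are done (their window is open again); the rest
    # are chased with unicast copies, one per expired RTO, up to the limit.
    for n in neighbors:
        st = pending[n]
        while not st["acked"] and st["attempts"] < MAX_ATTEMPTS:
            st["waited_ms"] += rto_ms
            st["attempts"] += 1
            st["mode"] = "unicast"
            if acks_after.get(n) == st["attempts"]:
                st["acked"] = True
        if not st["acked"]:
            st["waited_ms"] += rto_ms   # RTO after the 16th attempt also expires
            st["reset"] = True          # neighbor relationship is torn down
    return pending


def window_open(pending, neighbor):
    """Window size is one: a follow-on reliable packet to this neighbor may
    only be sent once the outstanding one has been acknowledged."""
    return pending[neighbor]["acked"]


if __name__ == "__main__":
    result = deliver_reliable(["B", "C", "D"], {"B": 1, "C": 5})
    for name, st in result.items():
        print(name, st, "window open" if window_open(result, name) else "blocked")
```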


Administrative Distance Defaults

Connected Interface 0

Static Route 1

RIP 120

IGRP 100

EIGRP 90

OSPF 110

External BGP 20

Administrative distance is a value assigned to a route, usually categorized by protocol, which indicates to the IOS the degree of trust that should be given. This allows the IOS to choose a route between two protocols in the event they have both learned of a route to the same destination. This should not be confused with a metric, which is used to choose between routes learned by the same protocol. Administrative distance is a rating of the trustworthiness of a routing information source, such as an individual router or a group of routers. Distance is an integer from 0 to 255. In general, the higher the value, the lower the trust rating. A distance of 255 means the routing information source cannot be trusted at all and should be ignored. Specifying distance values enables the router to discriminate between sources of routing information. The router always picks the route whose routing protocol has the lowest distance.


EIGRP Metrics

[Diagram: Routing Update from router A to router B carrying the Vector Metrics]
 Bandwidth 256 kbs
 Delay 250000 ms
 Load 147/255
 Reliability 253/255
 MTU 1500
 Hop Count 3

Composite Metric Calculation

[K1xBW + ((K2xBW)/(256-load)) + K3xDelay]x[K5/(reliability + K4)]

Composite Metric = 6410000

• EIGRP calculates/utilizes two different metrics: Vector & Composite.
• Vector consists of six elements and is advertised to neighbor routers.
• Composite is calculated using the vector elements and is not shared.
• Composite metric is used to determine the preferred route.

EIGRP utilizes two types of metrics: Vector and Composite. Vector metrics consist of six different components.

1. Bandwidth 2. Delay 3. Load 4. Reliability 5. MTU 6. Hop Count

The vector metric components are used to compute the composite metric. Vector metric components are exchanged between EIGRP neighbors. Under normal conditions, the only two components that actually affect the composite metric are bandwidth and delay. Load, reliability, and MTU are components left over from IGRP. Since IGRP sent periodic updates at set intervals, these components had value (load and reliability are averaged over time). Since EIGRP sends triggered updates when the network changes, load and reliability values are not accurate. Therefore, it is recommended that they not be used in figuring the composite metric. EIGRP has a maximum allowed hop count of 255. If a route to a destination network exceeds this, it is deemed unreachable.


Hop count is not used as a variable unless there is a tie in the composite metric between two routes or all of the other components are “turned off” for the composite metric computation. The composite metric value is derived by placing the vector metric values in a mathematical formula. The composite metric value is used by the router to determine the preferred routes. The lower the value, the more preferred. Composite metric is not shared with neighbor routers.


router2#sho ip eigrp topo 148.18.0.0/17
IP-EIGRP (AS 1): Topology entry for 148.18.0.0/17
  State is Passive, Query origin flag is 1, 1 Successor(s), FD is 2169856
  Routing Descriptor Blocks:
  148.18.1.2 (Serial0/0), from 148.18.1.2, Send flag is 0x0
      Composite metric is (2169856/256), Route is Internal
      Vector metric:
        Minimum bandwidth is 1544 Kbit
        Total delay is 20000 microseconds
        Reliability is 0/255
        Load is 1/255
        Minimum MTU is 1500
        Hop count is 1

Displaying Vector Metrics

To display the composite and vector metrics associated with a destination network, use the “show ip eigrp topology” command and specify the destination network. Example above: sho ip eigrp topo 148.18.0.0/17


Composite Metric Calculation

[K1xBW + ((K2xBW)/(256-load)) + K3xDelay]x[K5/(reliability + K4)]

• K-values are numbers used in the conversion from vector to composite metric. By changing a K-value, preference or weight can be given to a certain vector metric.

• Default K-values: K1=1, K2=0, K3=1, K4=0, K5=0

With the default K-values the formula reduces to:

K1xBW + K3xDelay = BW* + Delay**

*BW = 10^7 / minimum BW along path in kbs, X 256

**Delay = sum of all delays in the path, in tens of microseconds, X 256

Note: If K5 = 0, the formula reduces to: [K1xBW + ((K2xBW)/(256-load)) + K3xDelay]

The above formula is used for computing the composite metric. The vector metric component values are placed in the designated areas of the formula. K-values are numbers used for the conversion of vector metric values to the composite metric. By changing a K-value, preference or weighting can be given to certain vector metrics. By default, only K1 and K3 have a value associated: 1. This in turn means the only two vector metric values that are considered important are bandwidth and delay. All of the other vector metric values have a K-value of 0, which has the effect of “zeroing out” their value in the formula. The bandwidth value used in the composite metric formula is not actually the bandwidth value associated with the interface. It is a number derived from the formula 10^7 divided by the minimum interface bandwidth value along the route in kilobits per second. This value is then multiplied by 256. Delay is the sum of all the delays, in tens of microseconds, assigned to each interface in the path to the destination network, multiplied by 256. The bandwidth and delay metrics are applied on an outgoing basis.


Show IP Protocol

• displays K value settings

nc3#show ip protocol
Routing Protocol is "eigrp 1"
  Outgoing update filter list for all interfaces is
  Incoming update filter list for all interfaces is
  Default networks flagged in outgoing updates
  Default networks accepted from incoming updates
  EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
  EIGRP maximum hop count 100
  EIGRP maximum metric variance 1
  Redistributing: eigrp 1
  Automatic network summarization is in effect
  Routing for Networks:
    148.33.0.0
  Routing Information Sources:
    Gateway         Distance      Last Update
    148.33.0.34           90      00:04:34
    148.33.0.30           90      00:04:35
  Distance: internal 90 external 170



Focus on Bandwidth and Delay

[ (10^7 / Minimum Bandwidth) + Sum of all Delays ] x 256

[Slide illustration: a path of three links, BW 1544 kbps / Delay 20000, BW 115 kbps / Delay 20000 (the T-1 link, labelled 115 kbs), and BW 10000 kbps / Delay 1000.]

[ (10^7 / 115) + 4100 ] x 256 = 23310469

Note: Bandwidth of 115 kbps is expressed in formula as 115.

Delay is in tens of microseconds. “Show interface” shows microseconds and must be divided by 10 for use in the formula.

When placing the values in the formula, ensure the bandwidth is expressed in kbs; 115 kbps would be entered as 115. The delay value shown by the “sho interface” command is in microseconds. This must be converted to tens of microseconds by dividing it by 10 before it is used to calculate the metric. In the above example, 115 kbs is the lowest bandwidth in the path, so it is used for the bandwidth value in the formula: 10^7 is divided by 115. The delay values listed in the path are divided by ten and added together for a composite value. These two values are then added together and multiplied by 256. This value is the composite metric.
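The composite metric calculation above as an added worked example (not the course's own code): it applies the K-value formula with the default K-values to a path modelled as hops of interface bandwidth in kbps and delay in microseconds, the units "show interface" reports. The Hop type and function names are this example's own, and it assumes 10^7/bandwidth is truncated to an integer, which is what makes the 1544 kbps / 20000 microsecond entry from the "show ip eigrp topology" display come out to exactly 2169856 (the slide's 23310469 keeps the fraction; truncated, that path gives 23310336).

```python
from dataclasses import dataclass
from typing import Sequence, Tuple

BW_REFERENCE = 10**7          # the 10^7 constant in the bandwidth term
SCALE = 256                   # both terms are multiplied by 256
DEFAULT_K = (1, 0, 1, 0, 0)   # K1..K5 as shown by "show ip protocol"


@dataclass(frozen=True)
class Hop:
    """One outgoing interface on the path (example type, not an IOS structure)."""
    bandwidth_kbps: int   # interface bandwidth as entered with the "bandwidth" command
    delay_usec: int       # interface delay in microseconds, as "show interface" prints it


def scaled_bandwidth(min_bandwidth_kbps: int) -> int:
    """BW term: (10^7 / minimum bandwidth along the path) x 256.

    Assumption: the quotient is truncated to an integer before scaling; only that
    reproduces the 2169856 metric the course shows for a 1544 kbps / 20000 usec path.
    """
    if min_bandwidth_kbps <= 0:
        raise ValueError("bandwidth must be a positive number of kbps")
    return (BW_REFERENCE // min_bandwidth_kbps) * SCALE


def scaled_delay(total_delay_usec: int) -> int:
    """Delay term: (sum of delays in tens of microseconds) x 256."""
    return (total_delay_usec // 10) * SCALE


def composite_metric(path: Sequence[Hop],
                     k: Tuple[int, int, int, int, int] = DEFAULT_K,
                     load: int = 1,
                     reliability: int = 255) -> int:
    """[K1*BW + (K2*BW)/(256-load) + K3*Delay] * [K5/(reliability+K4)].

    load and reliability are the n/255 vector components; with the default
    K-values (K2 = K5 = 0) they drop out, as the course recommends.
    """
    if not path:
        raise ValueError("a path needs at least one hop")
    if not (0 <= load <= 255 and 0 <= reliability <= 255):
        raise ValueError("load and reliability are expressed as n/255")
    k1, k2, k3, k4, k5 = k
    bw = scaled_bandwidth(min(h.bandwidth_kbps for h in path))
    delay = scaled_delay(sum(h.delay_usec for h in path))
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay
    if k5 != 0:
        # the reliability factor is applied only when K5 is non-zero
        if reliability + k4 == 0:
            raise ValueError("reliability + K4 must not be zero when K5 is set")
        metric = (metric * k5) // (reliability + k4)
    return metric


def metric_from_vector(min_bandwidth_kbps: int, total_delay_usec: int) -> int:
    """Same computation from the vector metric as "show ip eigrp topology" prints it
    (minimum bandwidth and total delay), with the default K-values."""
    return composite_metric([Hop(min_bandwidth_kbps, total_delay_usec)])


if __name__ == "__main__":
    # T1 serial, 1544 kbps / 20000 usec: 2169856, matching the show output
    print(metric_from_vector(1544, 20000))
    # the "Focus on Bandwidth and Delay" path: 1544/20000, 115/20000, 10000/1000
    print(composite_metric([Hop(1544, 20000), Hop(115, 20000), Hop(10000, 1000)]))
    # T1 serial plus the FastEthernet defaults (100000 kbps / 100 usec): the 2172416
    # feasible distance shown for the .208 network in the topology table
    print(composite_metric([Hop(1544, 20000), Hop(100000, 100)]))
```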


Interface Default Values

Interface Type                    Bandwidth (kbps)   Delay (Microseconds)
Ethernet                          10000              1000
Fast Ethernet                     100000             100
Tunnel                            9                  500000
Serial Interface                  1544               20000
Low Speed Serial Int Below T-1    115                20000
ISDN BRI                          64                 20000
ISDN PRI                          64                 20000
Dialer interface                  56                 20000
Channelized T1 or E1              N * 64             20000
Async interface                   TTY line speed     100000
Loopback                          8000000            5000

The default values of bandwidth and delay are usually correct for LAN interfaces but tend to be incorrect for WAN interfaces. Bandwidth and sometimes delay must be specified for each WAN interface using the “bandwidth” or “delay” commands. The tunnel interface default bandwidth of 9 kb/s is particularly inaccurate for our uses. We tend to use tunneling primarily in the JNN mesh topology, with fastethernet interfaces, so the bandwidth must be specified as 100,000. Since that figure is in kilobits, that sets the tunnel interface at 100 Mb/s for metric computation. The bandwidth and delay specified on an interface affect only the metric calculation and have no impact on the actual speed or time in the transfer of packets.


DUAL Algorithm

• Diffusing Update Algorithm (DUAL)

• Tracks all routes advertised by all neighbors

• Selects loop-free path using a successor and feasible successors
  - If successor is lost: Use a feasible successor
  - If no feasible successor: Query all neighbors and recompute new successor

• Once new Successor is selected, update all neighbors of new topology

• All neighbors now must decide if new topology affects their “Best Path”election

The DUAL algorithm rules the decision process for all route computations. It tracks all routes advertised by all neighbors. The metric information, known as a distance, is used by DUAL to select efficient loop-free paths. The lowest-cost route is calculated by adding the cost between the next-hop router and the destination (reported distance) to the cost between the local router and the next-hop router (as determined by the local router's outgoing interface BW and delay configuration.) The total is referred to as the feasible distance. A successor is a neighboring router used for packet forwarding that has a least-cost path to a destination that is guaranteed not to be part of a routing loop. Multiple successors can exist, if they have the same feasible distance and use different next-hop routers. All successors are added to the routing table. The next-hop router(s) for the backup path is referred to as the FS (feasible successor). In order to qualify as a feasible successor, a next-hop router must have a RD (reported distance) less than the FD (feasible distance) of the current successor route. If the successor’s route is no longer valid and a suitable feasible successor exists, this feasible successor replaces an invalid successor in the routing table without a recomputation. More than one feasible successor can be kept at one time. When there are no feasible successors but there are neighbors advertising the destination, neighbor queries and a recalculation must occur. This process will determine a new successor, if a loop-free route still exists. The amount of time it takes to recalculate the route affects the convergence time.


DUAL-EIGRP Definitions

REPORTED DISTANCE – The metric to reach a destination network as advertised or reported by a router to each of its neighbors. Also called Advertised Distance (AD).

SUCCESSOR – A neighbor router used for packet forwarding to a destination network that has the lowest metric path, and is guaranteed loop-free.

FEASIBLE DISTANCE – The metric to a destination network through the successor. The FD is a combination of the successor’s RD and the metric of the local router’s interface used to reach the successor.

FEASIBLE SUCCESSOR – A neighbor router used as a back-up to the successor and is guaranteed loop-free. In order to become an FS, the router’s RD must be less than the FD of the Successor. Requires no recomputation of the topology table upon failure of the successor.

The reported or advertised distance is the metric advertised by each router to a destination network. The router that is determining the best path (performing the DUAL operation) does not add its own interface metrics to compute the reported distance. It is simply the metric for a destination as advertised by the neighbor. The feasible distance is the lowest metric route from the router performing the DUAL operation to the destination network. The router uses the reported distance and the metric on the interface receiving the advertisement to calculate the feasible distance. A successor is the next-hop router (neighbor) for traffic from the current router to a destination. A successor is chosen because it has the lowest feasible distance to a destination. There can be multiple successors. If so, the multiple routes would have the same feasible distance and load balancing would take place. A neighbor router that is not selected as the successor can qualify as a feasible successor if it meets the feasibility condition. The condition is met if the neighbor’s reported distance to a destination is lower than the successor’s feasible distance to that same destination. A feasible successor is simply a backup route within the topology database. There can be multiple feasible successors. When feasible successors are present and the successor’s route is lost, the process for determining a replacement path is very simple: the feasible successor is immediately chosen without a DUAL process taking place. The concepts of the feasibility condition and feasible successors are central to loop avoidance.


Successor & Feasible Successor

[Figure: destination network 148.43.200.128 /28 sits behind router X, which advertises it with RD 5 / FD 5. The X-A, X-B and X-C links cost 5, 5 and 15, so routers A, B and C have RD 5 / FD 10, RD 5 / FD 10 and RD 5 / FD 20. Router Z’s links to A, B and C cost 5, 10 and 5. As seen from Router Z: ROUTER A RD 10, FD 15 (S); ROUTER B RD 10, FD 20 (FS); ROUTER C RD 20, FD 25.]

• All RD & FD values are based on network 148.43.200.128 being the destination.
• The successor and feasible successor selections are based on router Z’s network perspective.

Router Z has determined that the lowest feasible distance (FD) to network 148.43.200.128/28 is 15. Based on this information, router A is elected as the successor. Candidates for a feasible successor are routers B and C. Router C is not eligible as its reported distance is higher than the feasible distance of the successor. Router B however has a reported distance of 10, which is lower than the feasible distance of 15, so it is chosen as a feasible successor. To understand the process shown on the slide, begin at Router X. That router advertises vector metrics for destination network 148.43.200.128 28 to Routers A, B, and C. The vector metrics are represented on the slide as just '5,' for simplicity. Routers A, B, and C use the advertised vector metric 5 as the RD (reported by Router X) to reach network .128. They combine that RD with the locally determined metric for the link between them and Router X ...5, 5, and 15 for A, B, and C, respectively...and determine a feasible distance (FD) to network .128. For Router A, for instance, the RD of 5 is added to the distance of 5 (as determined by A's interface configuration) for a total FD of 10. This would be the composite metric at A. Router Z would in turn receive vector metric advertisements from A, B, and C. Taking that RD and combining, it with the metric of the interface on Z gives Z its FD for each path.


• Path from router Z to router A (successor) goes down.
• Router B automatically becomes the successor – no DUAL calculation performed.
• Router Z then determines whether there is a new feasible successor available.

[Figure: the same topology as the previous slide (network 148.43.200.128 /28 behind router X; link costs 5, 5 and 15 from X to A, B and C, and 5, 10 and 5 from Z to A, B and C) with the Z-A path failed. As seen from Router Z: ROUTER A RD 10, FD 15 (path down); ROUTER B RD 10, FD 20 (S); ROUTER C RD 20, FD 25.]

Reacting to Outage

The path between routers Z and A fails. Router B immediately becomes the successor. Z then begins the process to determine if there is a feasible successor available. Since router C’s RD is equal to router B’s FD, C is not eligible to become an FS. The feasible successor’s RD must be less than the successor’s FD to the destination.


Query Process

• Router A is the successor for Z to network 148.43.200.128; no feasible successor.
• The link from router Z to A goes down.
• Router Z sends queries to neighbors asking for route info for 148.43.200.128.

[Figure: network 148.43.200.128 /28 behind router X (RD 5 / FD 5). Link costs from X to A, B and C are 5, 10 and 15, giving A, B and C RD 5 / FD 10, RD 5 / FD 15 and RD 5 / FD 20. Router Z’s links to A, B and C cost 5, 10 and 10. As seen from Router Z: ROUTER A RD 10, FD 15 (S); ROUTER B RD 15, FD 25; ROUTER C RD 20, FD 30. After the Z-A link fails, router Z sends a query to B and to C.]

Router A is the successor for router Z to forward packets to network 148.43.200.128/28. There is no FS because no other router meets the feasibility condition. The path between routers Z and A fails. Router Z must send queries to each of its remaining neighbors requesting route information for network 148.43.200.128/28.


• Routers B & C reply to the query.
• Router B is selected as the successor.
• Router C is selected as the feasible successor.

[Figure: the same topology as the previous slide. As seen from Router Z after the replies: ROUTER A RD 10, FD 15 (path down); ROUTER B RD 15, FD 25 (S, response to query); ROUTER C RD 20, FD 30 (FS).]

Query Reply

Routers B and C respond to router Z with route information to the requested network. Based on the RD sent by each, router B is selected as the successor because it has the lower FD. Router C is then selected as an FS because its RD is lower than the successor’s FD.


Configuring EIGRP

router(config)#router eigrp autonomous system number

router(config-router)#network network-number [wildcard-mask]

• enables EIGRP and defines the autonomous system number.

• selects directly connected networks/interfaces that will participate in the EIGRP process.

• the network number can either be classful or can be used in conjunction with a wildcard mask to specify individual networks/interfaces.

Example: router(config)#router eigrp 22
         router(config-router)#network 148.43.200.0 0.0.0.255

      or router(config-router)#network 148.43.0.0

Use the “router eigrp as number” command to enable EIGRP routing and define an autonomous system number. This does not actually have to be an assigned or valid AS number, even though it could be. Each router within the EIGRP topology must use the same number, though, in order to form neighbor relationships. The network statement defines the interfaces or directly connected networks over which EIGRP will operate. Once a network statement is configured, EIGRP compares the network assigned to each interface to the range defined in the network statement. If the network assigned to an interface is within the range in the network statement, EIGRP will operate through that interface and will advertise the network assigned to the interface. If it is not within the range, EIGRP will not operate on that interface. EIGRP network statements can be classful or can be used in conjunction with a wildcard mask. The wildcard mask allows the administrator to specify individual interfaces for EIGRP operation or, in some cases, to keep EIGRP from operating on a specific interface.

NOTE: Auto-summary is enabled by default in EIGRP. Turn it off by typing no auto-sum or just no auto at the config-router prompt.


Passive Interface

• Prevents routing protocol packets from being generated on the interface.

• If there is no EIGRP speaking device connected to the interface, there is no need to transmit EIGRP information from the interface.

• Still allows the announcement of the network to the rest of the EIGRP community.

Router(config-router)#passive-interface interface

When a network statement is installed under EIGRP, two things take place. EIGRP announces that it has the specified network to all neighbors, and EIGRP begins sending EIGRP packets, such as hellos and routing updates, out the matching interface. There are cases where you need to announce the network but the network itself consists of non-EIGRP speaking devices, such as a LAN with purely host computers. In this case, there is no need to send EIGRP packets out this interface, as none of the host computers need or understand EIGRP information. The passive-interface command allows the network to be announced but stops the transmitting of EIGRP packets out the interface.


EIGRP 7-Router Network

[Figure: seven routers numbered 1 to 7, each with a loopback address 148.43.200.N /32 (N = 1 to 7). FastEthernet (f0/0, f0/1) LAN segments: 148.43.200.128 /28, .144 /28, .80 /28, .64 /28, .160 /28, .192 /28, .208 /28, .224 /28, .184 /29, .248 /29. Serial (s0/0 to s0/3) point-to-point links, each a /30: 148.43.200.96 (.97/.98), .100 (.101/.102), .104 (.105/.106), .108 (.109/.110), .176 (.177/.178), .180 (.181/.182), .240 (.241/.242), .244 (.245/.246).]

Install the network shown above. This topology is only for classes working with 7 routers.


EIGRP 8-Router Network

[Figure: eight routers numbered 1 to 8, each with a loopback address 148.43.200.N /32 (N = 1 to 8). FastEthernet (f0/0, f0/1) LAN segments: 148.43.200.128 /28, .144 /28, .80 /28, .64 /28, .160 /28, .192 /28, .208 /28, .224 /29, .248 /29. Serial (s0/0 to s0/3) point-to-point links, each a /30: 148.43.200.96 (.97/.98), .100 (.101/.102), .104 (.105/.106), .108 (.109/.110), .176 (.177/.178), .180 (.181/.182), .240 (.241/.242), .244 (.245/.246), .232 (.233/.234).]

This diagram should be used by the classes with eight routers, and by the classes using the network simulator.


router7#sho ip ro
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     148.43.0.0/16 is variably subnetted, 26 subnets, 4 masks
C       148.43.200.7/32 is directly connected, Loopback0
D       148.43.200.244/30 [90/2681856] via 148.43.200.106, 00:03:56, Serial0/2
D       148.43.200.240/30 [90/2425856] via 148.43.200.110, 00:03:56, Serial0/3
D       148.43.200.248/29 [90/2428416] via 148.43.200.110, 00:03:56, Serial0/3
D       148.43.200.224/28 [90/2428416] via 148.43.200.110, 00:03:56, Serial0/3
D       148.43.200.208/28 [90/2172416] via 148.43.200.106, 00:03:56, Serial0/2
D       148.43.200.192/28 [90/2172416] via 148.43.200.110, 00:03:56, Serial0/3
D       148.43.200.180/30 [90/2681856] via 148.43.200.98, 00:03:56, Serial0/0
D       148.43.200.176/30 [90/2681856] via 148.43.200.102, 00:03:56, Serial0/1
D       148.43.200.184/29 [90/2684416] via 148.43.200.102, 00:03:56, Serial0/1
                          [90/2684416] via 148.43.200.98, 00:03:56, Serial0/0
D       148.43.200.160/28 [90/2684416] via 148.43.200.102, 00:03:57, Serial0/1
                          [90/2684416] via 148.43.200.98, 00:03:57, Serial0/0
D       148.43.200.144/28 [90/2172416] via 148.43.200.102, 00:03:57, Serial0/1
D       148.43.200.128/28 [90/2172416] via 148.43.200.98, 00:03:57, Serial0/0

Show IP Route

Slide callouts mark the entries for the .248 network, the .208 network and the .184 network.

NOTE: The show command displays on pages 26 – 29 are not based on the network just installed on the previous page. They are used to explain the different information provided by each command.

The D in the left hand column indicates the route was learned by EIGRP and originated internal to this autonomous system. An EX would indicate that the route was installed by EIGRP but it originated outside the AS and was redistributed into the EIGRP protocol. This is a flag to allow EIGRP to differentiate between internally and externally learned routes. Internal EIGRP routes have a distance of 90 and external routes have a distance of 170. Whenever two equal-cost paths are learned by EIGRP, both will be installed in the routing table and automatic load balancing will take place across the two. Take note of the network entries above marked in red: “.248”, “.208”, & “.184”. On the next slides, we will examine these in the topology database.


router7#sho ip eigrp topo
IP-EIGRP Topology Table for AS(1)/ID(148.43.200.7)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 148.43.200.248/29, 1 successors, FD is 2428416
        via 148.43.200.110 (2428416/1916416), Serial0/3
        via 148.43.200.106 (2684416/2172416), Serial0/2

Show IP EIGRP Topology (1)

Reading the .248 entry field by field:

  148.43.200.248/29      destination network
  1 successors           number of successors for this network
  FD is 2428416          the feasible distance (metric) of successor
  via 148.43.200.110     address of successor (next hop)
  (2428416/1916416)      feasible distance/reported distance of this entry
  Serial0/3              exit interface to reach this next hop
  via 148.43.200.106     address of feasible successor
  (2684416/2172416)      feasible distance/reported distance of this entry
  Serial0/2              exit interface to reach this next hop

• only lists successors & FS
• possible to have multiple successors

The “show ip eigrp topology” command lists all EIGRP-known destination networks and the successors and feasible successors for each. Other next-hop routers for the listed destination networks may be known to EIGRP, but they are not shown by this command. The table above gives a brief explanation of each field of a destination network entry. The entry lists the number of successors and the feasible distance of the successor(s), followed by the next-hop addresses of the successor(s) and feasible successor(s) with the FD and RD for each. It is possible to have multiple successors and feasible successors. At a minimum, there will always be at least one successor for an entry; it is possible to have no feasible successors. Several codes are listed at the top of the display. These codes are applied to each entry depending on its status:

Passive  This network is available and installation can occur in the routing table. Passive is the correct state for a stable network.
Active   Network is currently unavailable; there are outstanding queries for this network.
Update   Network is being updated or waiting for an acknowledgment for an update sent.


Query    There is an outstanding query for this network (other than Active state) or waiting for acknowledgment on a reply sent to a query.
Reply    Router is generating a reply pertaining to this network or waiting for an acknowledgement on a previously sent reply.
SIA      Stuck in Active; a query was generated for this network and a reply was not received within a three-minute period.


Show IP EIGRP Topology (2)

router7#sho ip eigrp topo
IP-EIGRP Topology Table for AS(1)/ID(148.43.200.7)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 148.43.200.248/29, 1 successors, FD is 2428416
        via 148.43.200.110 (2428416/1916416), Serial0/3
        via 148.43.200.106 (2684416/2172416), Serial0/2
P 148.43.200.224/28, 1 successors, FD is 2428416
        via 148.43.200.110 (2428416/1916416), Serial0/3
        via 148.43.200.106 (2684416/2172416), Serial0/2
P 148.43.200.208/28, 1 successors, FD is 2172416
        via 148.43.200.106 (2172416/28160), Serial0/2
P 148.43.200.192/28, 1 successors, FD is 2172416
        via 148.43.200.110 (2172416/28160), Serial0/3
P 148.43.200.180/30, 1 successors, FD is 2681856
        via 148.43.200.98 (2681856/2169856), Serial0/0
P 148.43.200.176/30, 1 successors, FD is 2681856
        via 148.43.200.102 (2681856/2169856), Serial0/1
P 148.43.200.184/29, 2 successors, FD is 2684416
        via 148.43.200.98 (2684416/2172416), Serial0/0
        via 148.43.200.102 (2684416/2172416), Serial0/1
P 148.43.200.160/28, 2 successors, FD is 2684416
        via 148.43.200.98 (2684416/2172416), Serial0/0
        via 148.43.200.102 (2684416/2172416), Serial0/1

Slide callouts mark the entries for the .184 network, the .248 network and the .208 network.

The sho ip eigrp topology command displays only successors and feasible successors. It is possible to have other network information within the topology database that has not been designated a successor or feasible successor. Now examine the networks noted on the previous page in the routing table: “.248”, “.208”, & “.184”.

.248: Listed as having one successor but has two next hop addresses through which it can be reached (via). The first, .110, is the successor and the second, .106, is the feasible successor. When this show command displays “1 successors” for a network entry, the first “via” entry is the successor and any follow-on entries are feasible successors. This can be verified by comparing the feasible distance of the “.110” entry (2428416) with the reported distance of the “.106” entry (2172416). Since the RD of “.106” is lower than the FD of the successor, “.106” is a feasible successor.

.208: Listed as having one successor. One next hop address is listed for this destination network. This is the successor and there are no feasible successors. If there is a route failure through this successor, there is no backup route and the .208 net will be removed from the routing table.


.184: Listed as having two successors followed by two next hop address entries. These are both successors, each having the same FD. There are no feasible successors. Both of these next hop addresses will be entered in the routing table for this destination network and load balancing will take place between the two.


Show IP EIGRP Topology All-Links

router7#sho ip eigrp topo all
IP-EIGRP Topology Table for AS(1)/ID(148.43.200.7)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 148.43.200.248/29, 1 successors, FD is 2428416, serno 15
        via 148.43.200.110 (2428416/1916416), Serial0/3
        via 148.43.200.106 (2684416/2172416), Serial0/2
P 148.43.200.224/28, 1 successors, FD is 2428416, serno 14
        via 148.43.200.110 (2428416/1916416), Serial0/3
        via 148.43.200.106 (2684416/2172416), Serial0/2
P 148.43.200.208/28, 1 successors, FD is 2172416, serno 26
        via 148.43.200.106 (2172416/28160), Serial0/2
        via 148.43.200.110 (2940416/2428416), Serial0/3
P 148.43.200.192/28, 1 successors, FD is 2172416, serno 20
        via 148.43.200.110 (2172416/28160), Serial0/3
P 148.43.200.180/30, 1 successors, FD is 2681856, serno 30
        via 148.43.200.98 (2681856/2169856), Serial0/0
        via 148.43.200.102 (3193856/2681856), Serial0/1
P 148.43.200.176/30, 1 successors, FD is 2681856, serno 8
        via 148.43.200.102 (2681856/2169856), Serial0/1
        via 148.43.200.98 (3193856/2681856), Serial0/0
P 148.43.200.184/29, 2 successors, FD is 2684416, serno 36
        via 148.43.200.98 (2684416/2172416), Serial0/0
        via 148.43.200.102 (2684416/2172416), Serial0/1


The “show ip eigrp topology all-links” command displays all network routes known by EIGRP, regardless of whether an entry is a successor, a feasible successor, or a route advertised by a neighbor that did not meet the feasibility condition. For a route to be a feasible successor, its reported distance must be less than the feasible distance.

For network entries .248 and .184 the display above is the same as the display for the “show ip eigrp topology” command. The .248 network still has only one successor and one feasible successor listed, and the .184 network has only its two successors listed. However, network entry .208 now shows two next hop addresses. The entry indicates it has one successor, which is the .106 next hop address, and then lists a next hop of .110. By comparing the RD of .110 (2428416) with the FD of .106 (2172416), it can be seen that .110 does not meet the feasibility condition and therefore cannot be a feasible successor. Even though the router knows about the route to network .208 through the next hop address .110, it will not use it as a backup upon failure of the successor .106. Instead it will go through the process of querying its neighbors for route information to this network in order to determine a new path.
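The successor / feasible-successor reading described above, as an added example that is not part of the course material or IOS: a small Python parser over the three all-links entries quoted above (re-typed here as constructed input), which applies the feasibility condition to each next hop and flags which networks would force a query if their successor were lost. Function names are mine.

```python
import re

# Constructed input: the three "show ip eigrp topology all-links" entries
# discussed above, re-typed from the course slide (not a live capture).
TOPOLOGY_ALL_LINKS = """\
P 148.43.200.248/29, 1 successors, FD is 2428416, serno 15
        via 148.43.200.110 (2428416/1916416), Serial0/3
        via 148.43.200.106 (2684416/2172416), Serial0/2
P 148.43.200.208/28, 1 successors, FD is 2172416, serno 26
        via 148.43.200.106 (2172416/28160), Serial0/2
        via 148.43.200.110 (2940416/2428416), Serial0/3
P 148.43.200.184/29, 2 successors, FD is 2684416, serno 36
        via 148.43.200.98 (2684416/2172416), Serial0/0
        via 148.43.200.102 (2684416/2172416), Serial0/1
"""

ENTRY_RE = re.compile(r"^P (\S+), \d+ successors, FD is (\d+)")
VIA_RE = re.compile(r"^\s+via (\S+) \((\d+)/(\d+)\), (\S+)")


def parse_topology(text):
    """Return {prefix: {"fd": int, "via": [(next_hop, metric, rd, iface), ...]}}."""
    table, current = {}, None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = {"fd": int(m.group(2)), "via": []}
            table[m.group(1)] = current
            continue
        m = VIA_RE.match(line)
        if m and current is not None:
            nh, metric, rd, iface = m.groups()
            current["via"].append((nh, int(metric), int(rd), iface))
    return table


def classify(entry):
    """Label every next hop of one topology entry.

    successor          - metric through this neighbour equals the FD
    feasible successor - reported distance strictly below the FD
    not feasible       - RD >= FD: known, but never used as a backup
    """
    fd, labels = entry["fd"], {}
    for nh, metric, rd, _ in entry["via"]:
        if metric == fd:
            labels[nh] = "successor"
        elif rd < fd:
            labels[nh] = "feasible successor"
        else:
            labels[nh] = "not feasible"
    return labels


def query_needed_on_successor_loss(entry):
    """True when losing the (single) successor leaves no backup at all.

    Two equal-cost successors or a feasible successor both avoid the query;
    only a lone successor with nothing feasible behind it forces DUAL to query.
    """
    roles = list(classify(entry).values())
    return roles.count("successor") == 1 and "feasible successor" not in roles


if __name__ == "__main__":
    for prefix, entry in parse_topology(TOPOLOGY_ALL_LINKS).items():
        print(prefix, classify(entry),
              "query on loss:", query_needed_on_successor_loss(entry))
```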


Feasible Successor Importance

When a feasible successor exists and the successor is lost, the feasible successor is installed as the new successor (no query). A simple update packet is sent informing all neighbors of the new “best route”.

Without a feasible successor, when the successor is lost, EIGRP must query all its neighbors, receive replies from each, and then run the DUAL process to select the new successor and any feasible successors. This process causes all routers involved to use processor and memory resources that could otherwise be used for packet forwarding.

Designing Feasible Successors

• The goal of good network design should be to have feasible successors built in for each successor. This may not be obtainable in all situations but there should be as many feasible successors as possible.

• The reported distance of a neighbor must be lower than the feasible distance of the successor for it to become a feasible successor.

• The feasible successor is based on metrics. By default, only bandwidth and delay on interfaces are used to calculate the metric.

• Manipulating the metrics may allow the designation of a feasible successor.

- Note: only the minimum bandwidth in the route is used in the metric calculation; the sum of all the delays is used. Therefore, changing the bandwidth on an interface within the route may or may not affect the overall metric.


Manipulating the Metric (1)

• Default bandwidth values are usually correct for LAN interfaces.

• Default bandwidth tends to be incorrect for the WAN interfaces.

• Bandwidth and sometimes delay must be specified for WAN interfaces.

To set interface bandwidth:
Router7(config-if)# bandwidth <bw-in-kbps>

To set interface delay:
Router7(config-if)# delay <delay-in-tens-of-microseconds>

By manipulating the bandwidth and/or the delay, you can design feasible successors into the EIGRP topology. Once the EIGRP network is operational, the EIGRP show commands help determine where feasible successors currently exist and what must be done to create feasible successors for networks that do not have them. The bandwidth command value is in kilobits per second (kbps): to enter a value of 256 kbps, the command is simply “bandwidth 256”. The delay command value is in tens of microseconds: to enter a value of 10,000 microseconds, the command is “delay 1000”. A “show int XX” command for this interface would, however, display the delay value as 10,000.


[Diagram: a route crossing three interfaces with BW 1544 kbps / Delay 20000, BW 115 kbps / Delay 20000 and BW 10000 kbps / Delay 1000; the first is the T-1 link and the second the 115 kbps link.]

Manipulating the Metric (2)

• Changing the above T-1 link bandwidth setting from 1544 kbps to 512 kbps has no effect on the overall link metric value (115 kbps is still the minimum on the route).

• Changing the delay on any interface in the path will affect the overall metric.

Be aware! When an EIGRP router calculates the composite metric, it only uses the minimum bandwidth within the route to a destination network. It is very possible to change the bandwidth value on a router interface without affecting the composite metric. For example, changing the above T-1 link bandwidth setting from 1544 to 512 would have no effect on the overall link metric, because 115 is still the minimum bandwidth on the route. Choosing a value lower than the minimum bandwidth in the route, or changing the bandwidth on the interface that already is the minimum, is the only way manipulating the bandwidth will have any effect on the composite metric. Delay, on the other hand, is cumulative across the route to the destination network: changing the delay on any interface within the route will have a direct effect on the composite metric.
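The bandwidth/delay behaviour stated above, worked through as an added example that is not the course's own code: the default-K EIGRP composite metric, 256 x (10^7 / minimum bandwidth in kbps + sum of delays in tens of microseconds), applied to the three-interface path on the slide. The interface values are the slide's; the helper names are assumptions of this example.

```python
# EIGRP composite metric with default K values (K1 = K3 = 1, K2 = K4 = K5 = 0):
#   metric = 256 * (10^7 / min_bandwidth_kbps + sum_of_delays_in_tens_of_us)
# The bandwidth term is truncated to an integer before scaling, as IOS does.
BW_REFERENCE_KBPS = 10_000_000
SCALE = 256


def composite_metric(hops):
    """hops: list of (bandwidth_kbps, delay_us) for each interface on the route.

    Only the minimum bandwidth along the route counts; delay is cumulative.
    Delay is given in microseconds (as "show interface" displays it) and
    converted to the tens-of-microseconds unit the "delay" command uses.
    """
    min_bw = min(bw for bw, _ in hops)
    delay_tens = sum(delay_us // 10 for _, delay_us in hops)
    return SCALE * (BW_REFERENCE_KBPS // min_bw + delay_tens)


# The path drawn on the slide: T-1 (1544 kbps, 20000 us), the 115 kbps link
# (20000 us) and a 10000 kbps link (1000 us).
SLIDE_PATH = [(1544, 20000), (115, 20000), (10000, 1000)]


def with_hop(path, index, bandwidth_kbps=None, delay_us=None):
    """Copy of path with one interface's bandwidth and/or delay changed."""
    bw, delay = path[index]
    new = list(path)
    new[index] = (bandwidth_kbps if bandwidth_kbps is not None else bw,
                  delay_us if delay_us is not None else delay)
    return new


def t1_bandwidth_change_has_effect(new_bw_kbps):
    """Does re-setting the T-1 bandwidth change the composite metric?

    512 kbps: no, because 115 kbps is still the minimum on the route.
    100 kbps: yes, because the T-1 now becomes the minimum.
    """
    before = composite_metric(SLIDE_PATH)
    after = composite_metric(with_hop(SLIDE_PATH, 0, bandwidth_kbps=new_bw_kbps))
    return before != after


def t1_delay_change_has_effect(new_delay_us):
    """A delay change on any interface in the route shows up in the metric."""
    before = composite_metric(SLIDE_PATH)
    after = composite_metric(with_hop(SLIDE_PATH, 0, delay_us=new_delay_us))
    return before != after


if __name__ == "__main__":
    print("slide path metric:", composite_metric(SLIDE_PATH))
    print("T-1 1544 -> 512 kbps changes metric?", t1_bandwidth_change_has_effect(512))
    print("T-1 1544 -> 100 kbps changes metric?", t1_bandwidth_change_has_effect(100))
    print("T-1 delay 20000 -> 10000 us changes metric?", t1_delay_change_has_effect(10000))
```

Single-hop calls reproduce numbers seen elsewhere in this chapter: a T-1 serial hop with the default 20000 us delay gives 2169856, and the 56K and 64K links of the load-balancing slides give 46226176 and 40512000.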


Feasible Successor Lab

Using the network built during the previous lab, find all feasible successors.

7-router topology:

Assign bandwidth on interfaces as shown on the diagram (both ends of each link).
Router 7 should now see a FS to routers 2 and 5.
Routers 2 and 5 should see a FS to 7 and all routers on the other side of 7.
Router 1 should now see a FS to 3 and 3 should see a FS to 1.
Router 4 should now see a FS to 6 and 6 should see a FS to 4.

8-router topology:

Assign bandwidth on interfaces as shown on the diagram (both ends of each link).
Router 8 should now see a FS to router 2.
Router 2 should see a FS to 8, 7, 6, 5, 4 and 3.
Router 1 should now see a FS to 3 and 3 should see a FS to 1.
Router 4 should now see a FS to 6 and 6 should see a FS to 4.
Router 5 should now see a FS to 7 and 7 should see a FS to 5.

1. Apply the bandwidth values shown on the correct diagram on the opposite page to the appropriate interfaces. Once completed, run a “show run” command to ensure the changes are correct. If they are, perform a “clear ip route *” command. This flushes the routing table and forces the bandwidth changes to be used in recalculating the routing table. Then run the “show ip eigrp topo” command to verify that feasible successors have been installed in the topology database.

2. From the hub router (7 or 8), perform a “show ip route”. The route to 148.43.200.2 is via 148.43.200.102 (router 3). Perform a “show ip eigrp topo”. Note to address 148.43.200.3 there is also a feasible successor, 148.43.200.98 (router 1). Annotate the FD & RD for the feasible successor.

3. The goal is, by changing the metrics, to make router 1 the successor for router 7 to IP address 148.43.200.2. On the hub router (7 or 8), change the bandwidth on interface s0/0 from 240 to 300. Perform a “show ip route”. Was there any change in the successor? Perform a “show ip eigrp topo”. Was there any change to the FD & RD for the feasible successor?

4. Change the delay on interface s0/0 from 2000 to 1000 (tens of microseconds). Perform a “show ip route”. Was there a change to the successor? Perform a “show ip eigrp topo”. Was there a change to the feasible successor?

5. Reset bandwidth and delay on the hub router to original values.


7-Router Bandwidth Changes

[Diagram: the 7-router lab topology with router loopbacks 148.43.200.1 through .7 /32; LAN subnets 148.43.200.64, .80, .128, .144, .160, .192, .208 and .224 /28 and 148.43.200.184 and .248 /29; serial link addresses .97/.98, .101/.102, .105/.106, .109/.110, .177/.178, .181/.182, .241/.242 and .245/.246; and the bandwidth values to apply to each serial link, 240, 254 and 236 kbps, marked on both ends of each link.]

8-Router Bandwidth Changes

[Diagram: the 8-router lab topology with router loopbacks 148.43.200.1 through .8 /32; LAN subnets 148.43.200.64, .80, .128, .144, .160, .192 and .208 /28 and 148.43.200.224 and .248 /29; serial link addresses .97/.98, .101/.102, .105/.106, .109/.110, .177/.178, .181/.182, .233/.234, .241/.242 and .245/.246; and the bandwidth values to apply to each serial link, 240, 254 and 236 kbps, marked on both ends of each link.]


Load Balancing

• Automatically occurs across equal cost (metric) paths.
• Shows both paths in routing table.
• One packet on route A, one packet on route B, etc.

sho ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     148.43.0.0/16 is variably subnetted, 15 subnets, 2 masks
D       148.43.200.5/32 [90/2297856] via 148.43.200.245, 01:57:03, Serial0
D       148.43.200.4/32 [90/46226176] via 148.43.200.105, 01:04:34, Serial0
                        [90/46226176] via 148.43.200.105, 01:04:34, Serial1
D       148.43.200.3/32 [90/2809856] via 148.43.200.105, 01:04:31, Serial1
D       148.43.200.2/32 [90/3321856] via 148.43.200.105, 01:04:34, Serial1

[Diagram: two parallel 56K links (metric 46226176 each) between routers A and B.]

Load balancing is a concept that allows a router to take advantage of multiple best paths to a given destination. If a router receives and installs multiple paths with the same administrative distance and metric to a destination, load balancing can occur. Equal cost paths can usually be found by using the show ip route command. As shown in the example above, two equal cost paths have been installed and load balancing will take place.


Load Balancing Unequal Costs

• EIGRP supports load balancing across unequal cost paths.
• Up to 6 paths can share the traffic load. Default is 4.
• One packet on route A, one packet on route B, etc.
• The variance command is used to specify the allowed difference between two paths.
• Variance is based on Feasible Distance.
• A variance of 2 applied to a Feasible Distance of 40512000 would allow load sharing across any route with a metric less than 81024000 (2 x 40512000).
• Variance uses a ratio of the metrics – example: 56k to 64k or 7 to 8.
• 7 packets would be sent out the 56k link for every 8 packets sent out the 64k link.

[Diagram: a 64K link (metric 40512000) and a 56K link (metric 46226176) between routers A and B.]

EIGRP supports unequal metric route load balancing. The “variance” command is used to accomplish this. The value expressed in the variance command is a multiplier applied to the feasible distance of the successor. This makes all feasible successors candidates for load balancing if their feasible distance is less than the multiplied feasible distance of the successor. The distribution of packets across unequal cost paths is a ratio of the metrics; for example, using a 56k link and a 64k link gives a 7/8 ratio, meaning that for every 7 packets sent out the 56k link, 8 packets are sent out the 64k link. Variance can be specified as any value from 1 through 128; however, it is recommended that you use no more than a variance of 2, as the processor cycles needed to calculate the ratio on such unequal metric paths would not be worth the actual benefit of load sharing. The variance command simply multiplies the feasible distance of the successor by the factor specified. All feasible successors with a feasible distance less than the “altered” feasible distance will then load balance. Backup routes may now also have a reported distance less than the “altered” feasible distance, but they will not be candidates for load balancing, as they were not originally feasible successors. Only successors and feasible successors may load balance.
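The variance rule above, as an added example that is not the course's or IOS code: the successor and feasible-successor test is applied first, then the multiplied FD ceiling, so a path that fails the feasibility condition is excluded no matter how large the variance. Metrics for the 64K and 56K links are the slide's; the reported distances and the third "backup" path are constructed for the example.

```python
from fractions import Fraction

# Constructed paths from router A to the destination on the slide.  Each path
# is (name, metric_via_this_neighbour, reported_distance).  The two link
# metrics are the slide's; RDs and the "backup" path are made up.
SLIDE_PATHS = [
    ("64K", 40512000, 28160),         # successor: its metric is the FD
    ("56K", 46226176, 28160),         # feasible successor: RD 28160 < FD
    ("backup", 60000000, 41000000),   # RD >= FD: not a feasible successor
]


def feasible_distance(paths):
    """FD is the best (lowest) metric among the known paths."""
    return min(metric for _, metric, _ in paths)


def variance_candidates(paths, variance):
    """Paths EIGRP may install for load sharing under "variance <variance>".

    Successors are always installed.  Any other path qualifies only if
    (a) it is a feasible successor (RD < FD) and (b) its metric is below
    variance * FD.  Condition (a) is why "backup" stays out even once the
    variance lifts the ceiling above its metric.
    """
    fd = feasible_distance(paths)
    ceiling = variance * fd
    chosen = []
    for name, metric, rd in paths:
        if metric == fd or (rd < fd and metric < ceiling):
            chosen.append(name)
    return chosen


def traffic_shares(paths, chosen):
    """Approximate packet split: inversely proportional to each path's metric.

    For the 64K/56K pair this is the 8:7 ratio quoted on the slide.
    """
    weights = {name: Fraction(1, metric)
               for name, metric, _ in paths if name in chosen}
    total = sum(weights.values())
    return {name: w / total for name, w in weights.items()}


if __name__ == "__main__":
    for v in (1, 2, 3):
        chosen = variance_candidates(SLIDE_PATHS, v)
        shares = traffic_shares(SLIDE_PATHS, chosen)
        print(f"variance {v}: {chosen}",
              {n: f"{float(s):.3f}" for n, s in shares.items()})
```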


Configuring Variance

Router7> en

Router7# config t

Router7 (config)# router eigrp 1

Router7 (config-router)# variance 2

• It is recommended that no more than a variance of 2 be used; however, a value of 1 to 128 is allowed.

Variance Lab

1. All routers perform a “show ip route” noting which links are currently load balancing (only equal cost paths).

2. All routers perform a “show ip eigrp topo” and note feasible successors.

3. All routers configure a variance of 2.

4. Perform a “clear ip route *”.

5. Perform another “show ip route” and note which links are now load sharing - only to Feasible Successors.

6. Remove the variance command.


Route Summarization

– EIGRP uses two methods of route summarization
  • Automatic (auto-summary)
  • Manual (no auto-summary)

– Automatic gives EIGRP same classful behavior as RIP or IGRP

• At major network boundaries the subnets will be summarized back to the Classful network mask when announced across the boundary.

– Manual enables support for discontinuous networks and allows summarization on any interface regardless of network.

EIGRP features two methods of route summarization: automatic and manual. Automatic summarization is the same type used by classful routing protocols: when routing updates are advertised across a network that belongs to a different classful network than the update itself, the update is automatically summarized to the classful network. In today’s classless network topologies this feature is seldom used and can cause serious routing problems, so it is generally turned off with the “no auto-summary” command in the EIGRP configuration. Manual route summarization is designed and configured by a network administrator. In EIGRP, manual summarization can be installed at any point in the network, on any EIGRP router. Unlike OSPF, EIGRP does not impose a hierarchical topology that groups routers into areas with designated border routers (in OSPF, summarization can only take place on those border routers). EIGRP allows the network administrator to employ summarization as required without drastic network redesign. This is a very important feature in networks that physically change on a regular basis, such as those in tactical military communications.


Automatic Route Summarization

[Diagram: routers A, B and C in a row. A and B are linked by 10.3.0.4 /30 (A is .5, B is .6); B and C by 11.3.0.4 /30 (B is .5, C is .6). Router A has LANs 10.1.0.0 /16 and 10.2.0.0 /16; router C has LAN 12.2.0.0 /16.]

Router A routing table
     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C       10.2.0.0/16 is directly connected, FastEthernet0/1
C       10.1.0.0/16 is directly connected, FastEthernet0/0
C       10.3.0.4/30 is directly connected, Serial0/1
D    11.0.0.0/8 [90/2681856] via 10.3.0.6, 00:05:35, Serial0/1
D    12.0.0.0/8 [90/2684416] via 10.3.0.6, 00:03:19, Serial0/1

Router B routing table
     10.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
D       10.2.0.0/16 [90/540160] via 10.3.0.5, 00:04:54, Serial0/1
D       10.0.0.0/8 is a summary, 00:04:54, Null0
D       10.1.0.0/16 [90/540160] via 10.3.0.5, 00:04:54, Serial0/1
C       10.3.0.4/30 is directly connected, Serial0/1
     11.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
D       11.0.0.0/8 is a summary, 00:04:55, Null0
C       11.3.0.4/30 is directly connected, Serial0/0
D    12.0.0.0/8 [90/540160] via 11.3.0.6, 00:02:38, Serial0/0

Router C routing table
D    10.0.0.0/8 [90/2681856] via 11.3.0.5, 00:00:14, Serial0/1
     11.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
D       11.0.0.0/8 is a summary, 00:00:14, Null0
C       11.3.0.4/30 is directly connected, Serial0/1
     12.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
D       12.0.0.0/8 is a summary, 00:00:14, Null0
C       12.2.0.0/16 is directly connected, FastEthernet0/0

With automatic route summarization enabled (the default) in EIGRP, when an update is advertised across a subnet that is within a different classful network from the update, the update is automatically summarized to the classful network. Router A installs a network statement for 10.0.0.0. All directly connected subnets on router A that fall within the 10.0.0.0 /8 range are announced individually to router B, because B is also a member of the 10.0.0.0 /8 network. Router B installs them individually and announces them to C as a summary route, because C is not a member of the 10.0.0.0 /8 network. B also installs the summary route locally and points it to null 0. Pointing 10.0.0.0 /8 to null 0 may lead you to believe B is unable to route traffic to the 10.0.0.0 /8 networks. Remember that in the routing table “more specific routes win”, and B has individual entries for each 10.0.0.0 /8 sub-network because it is a member. Router C advertises the subnet 12.2.0.0/16 to router B, but because they are interconnected by a subnet from the 11.0.0.0 network, C auto-summarizes the advertisement to the classful network 12.0.0.0. Router C now believes that the whole 10.0.0.0 network resides through router B, and from A’s and B’s perspective the 12.0.0.0 network resides through C. In a large routed network this could lead to packets being routed toward destinations where subnets do not actually exist, and those packets being discarded.


Manual Route Summarization

Routing Table for A
D 131.108.8.0  255.255.252.0
D 131.108.12.0 255.255.252.0
D 131.108.16.0 255.255.252.0
D 131.108.20.0 255.255.252.0
D 131.108.24.0 255.255.252.0
D 131.108.28.0 255.255.252.0

[Diagram: summarization per interface. Router A advertises D 131.108.16.0 255.255.240.0 on one interface and D 131.108.8.0 255.255.248.0 on another; router B is its neighbor.]

As well as announcing a summary route to the neighbor, an identical copy pointing to null 0 is installed locally which prevents routing loops.

Summarization must be carefully planned. Proper summarization actually begins before the router is even deployed. It begins with allocation of IP addresses in contiguous blocks within the network topology. If this is not done, then summarization on the router becomes very difficult if not impossible. Contrary to the link state routing protocols such as OSPF or IS-IS, EIGRP enables the network designer to create a deep summarization hierarchy that reflects the designed network hierarchy. Therefore, you are not limited to a star-shaped network consisting of a backbone plus other regions, or required to summarize only on the region borders as you are in OSPF. You can configure per-interface IP address summarization with as many summarization ranges as you wish, as long as the ranges do not overlap. For each summary range configured over any interface belonging to an EIGRP process, the EIGRP process creates a summary route for the summarization range as soon as at least one more specific route falling within the summary range appears in the EIGRP topology table. This summary route points to null zero and has a lower metric than all the more specific routes covered by the summary route. It is also inserted into the main IP routing table with an administrative distance of 5. This results in the suppression of more specific routes when updates are sent over the interface where the summarization range is configured.


Another important factor to remember when summarizing is that there only has to be one subnet within the summarized range for the summarized address to be advertised. It is very possible to advertise subnets within this summarized range, which are not reachable by the router.


Creating Summary Routes

This command will cause all route announcements that fall within the <network> <mask> specified to be summarized before being sent out interface s0/0.

Router7> en
Router7# config t
Router7 (config)# int s0/0
Router7 (config-if)# ip summary-address eigrp <as-number> <network> <mask>

Summarization Lab

All routers do “sho ip route” and count the number of routing entries.

All routers apply summarization as follows:
router 1 - s0/0 can use 148.43.200.128 /26
router 2 - s0/0 and s0/1 can use 148.43.200.160 /27
router 3 - s0/0 can use 148.43.200.128 /26
router 4 - s0/0 can use 148.43.200.192 /26
router 5 - (7-router topology) s0/0 and s0/1 can use 148.43.200.224 /27
         - (8-router and simulator topology) s0/0 can use 148.43.200.224 /27
router 6 - (7-router topology) s0/1 can use 148.43.200.192 /26
         - (8-router and simulator topology) s0/1 can use 148.43.200.224 /27
router 7 - (7-router topology) All serials use 148.43.200.64 /27 and 148.43.200.96 /28
         - (8-router and simulator topology) s0/1 can use 148.43.200.192 /26
router 8 - All serials use 148.43.200.64 /27 and 148.43.200.96 /28

All routers now do “sho ip route” and count number of routing entries.


EIGRP Summarization Problem

[Diagram: hub router 7 (LAN 148.43.200.64 /28 on e1/0) with serial links to router 1 (s0/0, addresses .97/.98) and router 3 (s0/2, addresses .101/.102); routers 1, 2 and 3 are chained over serial links with addresses .181/.182 and .177/.178. Router 1's f0/0 LAN is 148.43.200.128 /28 (host .129); 148.43.200.80 /28 is also shown at router 1.]

Router7#ping 148.43.200.129
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 148.43.200.129, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/24/28 ms
Router7#trace 148.43.200.129
Tracing the route to 148.43.200.129

  1 148.43.200.102 4 msec 4 msec 8 msec
  2 148.43.200.177 12 msec 8 msec 8 msec
  3 148.43.200.181 8 msec * 8 msec

Routing table (hub router 7):
     148.43.0.0/16 is variably subnetted, 17 subnets, 5 masks
C       148.43.200.100/30 is directly connected, Serial0/1
D       148.43.200.96/28 is a summary, 00:01:10, Null0
D       148.43.200.6/32 [90/10718720] via 148.43.200.106, 00:01:10, Serial0/3
D       148.43.200.5/32 [90/11818496] via 148.43.200.106, 00:01:10, Serial0/3
D       148.43.200.4/32 [90/11306496] via 148.43.200.110, 00:01:10, Serial0/1
D       148.43.200.3/32 [90/10718720] via 148.43.200.102, 00:01:10, Serial0/2
D       148.43.200.2/32 [90/11818496] via 148.43.200.102, 00:01:10, Serial0/2
D       148.43.200.1/32 [90/11306496] via 148.43.200.98, 00:01:10, Serial0/0
D       148.43.200.192/26
           [90/10593280] via 148.43.200.106, 00:01:10, Serial0/3
D       148.43.200.128/26
           [90/10593280] via 148.43.200.102, 00:01:10, Serial0/2

The above diagram shows the routing table from the hub router. It has the route 148.43.200.128/26 via interface serial 0/2 installed in its table; s0/2 is directly connected to router 3. Router 1 and router 3 both advertise the summary route 148.43.200.128/26 to the hub router, but because router 3 advertises a lower metric than router 1, only the advertisement from 3 is installed in the table. This does not seem to be a problem, since router 3 has connectivity to all of the summarized subnets. This is proven by conducting a ping and trace route to the address 148.43.200.129, which resides on a subnet directly connected to router 1. The trace shows that the path to .129 runs from the hub router through 3, then 2, and on to 1.


Summarization Hides Subnets

[Diagram: the same topology as on the previous page (hub router 7 linked to routers 1 and 3; routers 1, 2 and 3 chained; router 1's LAN 148.43.200.128 /28 with host .129).]

Routing table (hub router 7):
     148.43.0.0/16 is variably subnetted, 17 subnets, 5 masks
C       148.43.200.100/30 is directly connected, Serial0/1
D       148.43.200.96/28 is a summary, 00:01:10, Null0
D       148.43.200.6/32 [90/10718720] via 148.43.200.106, 00:01:10, Serial0/3
D       148.43.200.5/32 [90/11818496] via 148.43.200.106, 00:01:10, Serial0/3
D       148.43.200.4/32 [90/11306496] via 148.43.200.110, 00:01:10, Serial0/1
D       148.43.200.3/32 [90/10718720] via 148.43.200.102, 00:01:10, Serial0/2
D       148.43.200.2/32 [90/11818496] via 148.43.200.102, 00:01:10, Serial0/2
D       148.43.200.1/32 [90/11306496] via 148.43.200.98, 00:01:10, Serial0/0
D       148.43.200.192/26
           [90/10593280] via 148.43.200.106, 00:01:10, Serial0/3
D       148.43.200.128/26
           [90/10593280] via 148.43.200.102, 00:01:10, Serial0/2

Router7#ping 148.43.200.129
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 148.43.200.129, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
Router7#trace 148.43.200.129
Tracing the route to 148.43.200.129

  1 148.43.200.102 8 msec 4 msec 4 msec
  2 148.43.200.102 !H * !H

Problems can occur, though, when there are network disruptions within the “summarized area”. In the above example, the network connection between routers 1 and 2 fails. Since there are still subnets being advertised by router 3 via interface s0/0 that fall within the summarized network configured on interface s0/0, router 3 continues to advertise the summarized network towards the hub router, even though it can no longer reach all the subnets originally covered by this summarization. Using the ping and trace tools again, the address 148.43.200.129 is unreachable even though there is a network path to this subnet from the hub router. EIGRP does not offer this path to the routing table as a candidate because the route through 3 still has a lower metric. As long as a single subnet within a summarized range is being advertised via an interface that has this summarization configured, the router advertises the summarized network. This can leave certain subnets within the summarized range unreachable in some situations even though an operational network path to them exists. Careful planning must be used when designing and implementing route summarization in an EIGRP topology. The benefits that route summarization provides can sometimes be outweighed by network reachability issues.
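The hidden-subnet failure mode above, as an added example that is not the course's or IOS code: a per-interface summary is built from router 3's topology table, the summary keeps being sent while any component route remains, and the hub therefore keeps a route that router 3 can no longer honour. Prefixes follow the lab diagram; the metrics, the dictionary layout and the assumption that the summary carries the best component metric are this example's.

```python
import ipaddress

# Constructed view of router 3's EIGRP topology table in the lab topology:
# more-specific routes inside 148.43.200.128/26 plus one route outside it.
# Prefixes follow the lab diagram; the metrics are made up for the example.
ROUTER3_TOPOLOGY = {
    "148.43.200.128/28": 2172416,   # router 1's LAN, learned via router 2
    "148.43.200.144/28": 28160,     # router 3's own LAN
    "148.43.200.160/28": 2172416,   # router 2's LAN
    "148.43.200.3/32": 128256,      # router 3's loopback (outside the range)
}
SUMMARY_AD = 5  # administrative distance of the local Null0 summary (per the text)


def advertised_routes(topology, summaries):
    """What this router advertises out an interface carrying the summaries.

    Components inside a summary range are suppressed and replaced by the
    summary, which is emitted as soon as at least one component exists.
    A matching Null0 route is installed locally.  Returns
    (advertised {prefix: metric}, null0 {prefix: admin_distance}).
    Assumption of this example: the summary carries the best component metric.
    """
    ranges = [ipaddress.ip_network(s) for s in summaries]
    advertised, null0 = {}, {}
    for prefix, metric in topology.items():
        net = ipaddress.ip_network(prefix)
        covering = [r for r in ranges if net != r and net.subnet_of(r)]
        if not covering:
            advertised[prefix] = metric
            continue
        summary = str(covering[0])
        advertised[summary] = min(metric, advertised.get(summary, metric))
        null0[summary] = SUMMARY_AD
    return advertised, null0


def covered_by(destination, routes):
    """Does any route prefix contain the destination host address?"""
    addr = ipaddress.ip_address(destination)
    return any(addr in ipaddress.ip_network(p) for p in routes)


def blackholed(destination, router3_topology, summaries):
    """True when the hub is told the summary but router 3 lacks the specific route.

    That is the "U" / "!H" result on the slide: the hub forwards to router 3,
    whose own Null0 summary route then discards the packet.
    """
    advertised, _ = advertised_routes(router3_topology, summaries)
    hub_believes = covered_by(destination, advertised)
    router3_has_specific = covered_by(destination, router3_topology)
    return hub_believes and not router3_has_specific


if __name__ == "__main__":
    summaries = ["148.43.200.128/26"]
    print("healthy:", blackholed("148.43.200.129", ROUTER3_TOPOLOGY, summaries))
    after_failure = dict(ROUTER3_TOPOLOGY)
    del after_failure["148.43.200.128/28"]    # link between routers 1 and 2 fails
    print("after failure:", blackholed("148.43.200.129", after_failure, summaries))
```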


Query Response Process (1)

• No entry in topology database for route in question, reply with unreachable.

• If querying router is the successor for route in question and feasible successor exists, the queried router replies with this information.

• If querying router is the successor for route in question and feasible successor does not exist, the queried router queries its neighbors.

• If the query was received from a neighbor that is not the successor for this destination, then the queried router replies with its successor information.

[Diagram: router A sends a query to router B; B's answer depends on which of the four cases above applies.]

When the route to a destination network through a successor fails and no feasible successor is available, the EIGRP router issues a query to all of its neighbors asking for route information for the network in question. Depending on the relationship between the querying router, the queried neighbor and the network in question, there are four possible actions the queried router can take (listed above). Each is covered in the next four slides.


Query Response Process (2)

• No entry in topology database for route in question, reply with unreachable.

[Diagram: A sends “query for network X” to B; B's topology database has no entry for network X; B replies “unreachable”.]

In the example above, router A loses connectivity to network X through its successor. There is no feasible successor available. It sends a query to router B asking for route information to network X. Router B checks its topology database and finds it has no entry for network X. It then sends a reply to router A stating that network X is unreachable. Network unreachable is an acceptable response to a query.


• If querying router is the successor for route in question and feasible successor exists, the queried router replieswith this information.

Query Response Process (3)

Figure: router A sends a query for network X to router B; B's topology database lists successor A and feasible successor C for network X, so B replies with its route to X (via C).

In the example above, router A loses connectivity to network X through its successor. There is no feasible successor available. It sends a query to router B asking for route information to network X. Router B checks its topology database and finds that router A is the successor and that router C is the feasible successor. Router B then sends a reply to router A stating that its successor to network X is router C.


• If querying router is the successor for route in question and feasible successor does not exist, the queried router queries its neighbors.

Query Response Process (4)

Figure: router A sends a query for network X to router B; B's topology database lists successor A and no feasible successor for network X, so B sends its own query for network X to router C.

In the example above, router A loses connectivity to network X through its successor. There is no feasible successor available. It sends a query to router B asking for route information to network X. Router B checks its topology database and finds that router A is the successor and there is no feasible successor. Router B then queries its neighbors for route information to network X.


• If the query was received from a neighbor that is not the successor for this destination, then the queried router replies with its successor information.

Query Response Process (5)

Figure: router A sends a query for network X to router B; B's topology database lists successor C for network X, so B replies that its successor to X is C.

In the example above, router A loses connectivity to network X through its successor. There is no feasible successor available. It sends a query to router B asking for route information to network X. Router B checks its topology database and finds that router C is the successor for network X. Router B then sends a reply to router A stating that its successor to network X is router C.


Stuck in Active (SIA)

Figure: large delay. Router A queries B; B has no answer locally, so it must query its neighbors (C, then D), and so on down the chain, each query waiting on the next.

• SIA occurs when queries are not answered in a timely manner.

• Can cause severe network disruptions.

When the successor for a destination network is lost and there is no feasible successor, an EIGRP router sends a query to all of its neighbors requesting route information for the network in question. It can take so long for a query to be answered that the router that issued the query gives up and clears its connection to the router that is not answering, effectively restarting the neighbor session. This is known as the stuck in active (SIA) state. SIA routes occur when it takes too long for a query to reach the end of the network and for a reply to travel back. In the graphic above, the neighbor relationship between routers A and B could be reset simply because neighbor B could not respond to A until it received a response from C. This is undesirable, as traffic between A and D could otherwise flow with no problems. An SIA problem usually involves only one route; routers A and B could be routing for hundreds of other networks with no problems. However, when the neighbor connection is reset, routing for all networks via routers A and B is temporarily disrupted. If SIA problems occur routinely within an EIGRP topology, the network can appear to be congested, and SIA problems are often misdiagnosed as other problems such as insufficient bandwidth or router latency.


The wait time for the answer to a query is three minutes. If any neighbor has not replied to a query within this time, the neighbor connection is reset. It is important to remember that a router must receive replies from all queried neighbors for the query process to be completed. Therefore, if a router queries four neighbors and receives prompt replies from three, the router will continue to wait on the fourth neighbor to reply before making a routing decision on the queried network. It will wait the three-minute period at which time it will reset the neighbor connection.
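The four query-response cases and the "wait for every reply, then reset the silent neighbor" rule above, as an added toy model that is not course code: router and network names, the topology-table data model and the scenario in run_sia_scenario are assumptions of this example; only the case logic and the three-minute (180-second) timer come from the slides.

```python
"""Toy model of the EIGRP query-response cases and the stuck-in-active timer.

Added illustration, not code from the course: the four reply cases, the
'wait for every reply' rule and the 180-second timer follow the slides; the
data model, router and network names are assumptions of this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

ACTIVE_TIMER_SECONDS = 180  # the slide's three-minute wait for replies


@dataclass
class TopologyEntry:
    """Successor and feasible successors a router holds for one prefix."""
    successor: str
    feasible_successors: List[str] = field(default_factory=list)


@dataclass
class Router:
    name: str
    neighbors: List[str]
    topology: Dict[str, TopologyEntry] = field(default_factory=dict)

    def handle_query(self, querier: str, prefix: str) -> Tuple[str, object]:
        """Answer a query for `prefix` received from neighbor `querier`:
        ("reply", "unreachable"), ("reply", <next hop>) or
        ("query", [neighbors to ask]) according to the four slide cases."""
        # Exact-prefix lookup: a router holding only a summary for this range
        # has no entry for the specific subnet and replies immediately.
        entry = self.topology.get(prefix)
        if entry is None:
            return ("reply", "unreachable")                     # case 1
        if entry.successor == querier:
            if entry.feasible_successors:
                return ("reply", entry.feasible_successors[0])  # case 2
            # Case 3: the querier was our only path, so we go active too and
            # query every neighbor except the one that asked.
            return ("query", [n for n in self.neighbors if n != querier])
        return ("reply", entry.successor)                       # case 4


@dataclass
class ActiveRoute:
    """Bookkeeping for a prefix the router has gone active on."""
    prefix: str
    outstanding: Set[str]   # queried neighbors that have not replied yet
    started_at: float

    def record_reply(self, neighbor: str) -> None:
        self.outstanding.discard(neighbor)

    def state(self, now: float) -> str:
        """'passive' once all replies are in, 'stuck-in-active' when the
        timer expires with replies still missing, otherwise 'active'."""
        if not self.outstanding:
            return "passive"
        if now - self.started_at >= ACTIVE_TIMER_SECONDS:
            return "stuck-in-active"
        return "active"

    def neighbors_to_reset(self, now: float) -> Set[str]:
        """Adjacencies torn down when the route goes SIA: the silent ones."""
        if self.state(now) != "stuck-in-active":
            return set()
        return set(self.outstanding)


def run_four_cases() -> Dict[str, Tuple[str, object]]:
    """Router A queries router B for network X under each slide scenario."""
    b = Router("B", neighbors=["A", "C"])
    results = {}
    results["no_entry"] = b.handle_query("A", "X")        # slide (2)
    b.topology["X"] = TopologyEntry("A", ["C"])
    results["fs_exists"] = b.handle_query("A", "X")       # slide (3)
    b.topology["X"] = TopologyEntry("A")
    results["no_fs"] = b.handle_query("A", "X")           # slide (4)
    b.topology["X"] = TopologyEntry("C")
    results["not_successor"] = b.handle_query("A", "X")   # slide (5)
    return results


def run_sia_scenario() -> Tuple[str, str, Set[str]]:
    """A queries four neighbors; three reply promptly, one never does."""
    active = ActiveRoute("X", {"B", "C", "D", "E"}, started_at=0.0)
    for prompt in ("B", "C", "D"):
        active.record_reply(prompt)
    early = active.state(now=10.0)                  # still waiting on E
    late = active.state(now=ACTIVE_TIMER_SECONDS)   # timer expired
    return early, late, active.neighbors_to_reset(now=ACTIVE_TIMER_SECONDS)


if __name__ == "__main__":
    for case, outcome in run_four_cases().items():
        print(f"{case:14s} -> {outcome}")
    print("SIA scenario:", run_sia_scenario())
```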


Limiting the Query Range

1. Route Summarization
   - keeps individual subnets from being advertised.
   - if there is not an exact match in the topology database, the query is answered immediately as “network unreachable”.
   - relies on the neighbor router to perform summarization.

2. Route Filtering
   - can provide the same benefits as route summarization.
   - does not rely on the neighbor router to implement.

3. EIGRP Stub Option
   - routers designated as stubs are not sent queries by neighboring routers.

Limiting the query range of an EIGRP topology is an effective way to control SIA route problems. Three techniques that can be implemented to limit the range are route summarization, route filtering, and the EIGRP stub option. In actuality, these techniques do not limit queries once a router has sent them; they limit the need for the router to send a query in the first place, by limiting how much of the network topology EIGRP knows about. There is a fine line between letting EIGRP know so much about the network topology that it causes SIA problems and letting it know too little to route packets effectively.


Summarization Prevents Query

Figure: routers A, B, C, D and Z, with summarization configured at the two points between router Z and the other routers.

• Network failure on router Z is localized by the use of summarization and is not sent to routers A, B, C, & D; query process not started.

Route summarization segments the EIGRP topology by combining multiple subnets from a region within the topology into larger consolidated networks. This “hides” the individual subnets from other routers and instead tells them about one large network. Any packet destined within this large range is simply routed to the summarizing router, which then forwards it on to the appropriate subnet. This limits the query range because when a single subnet within the summarized network fails, the failure is hidden from the routers receiving the summarized information: they do not know about it and do not have to go through the query process to find a new route to it. When using route summarization to limit the query range, routers must rely on their neighboring routers to implement it. In other words, the routers performing the summarization do not see the effects or get the benefits of it themselves. In situations where an administrator is not in charge of all the routers within the EIGRP topology, he must rely on another entity to perform the summarization. Since this summarization may not provide any direct benefits to them, they may or may not be willing to comply.


Route Filtering Prevents Query

Figure: routers A, B, C, D and Z, with route filtering configured at the two points between router Z and the other routers.

• Network failure on router Z is localized by the use of route filtering and is not received by routers C & D nor forwarded to routers A & B.

• Query process not started.

Route filtering is another technique that can be used to limit the query range. If implemented correctly, it can provide the same results as summarization. However, unlike summarization, the routers performing the filtering can see the results immediately. Through the use of distribution lists and route maps, a network administrator can control what routing information is received and propagated by a router. Route filtering can be used to “hide” individual subnets from routers but other techniques must then be implemented to describe to them a consolidation of these subnets. Techniques such as static routes and default routing can be used for this function.


Using the Stub Option

Figure: router B is connected to routers A, E and F, each designated as a stub, and to routers C and D. When router Z fails, B sends queries only to C and D.

• Network failure on router Z occurs. Router B only queries neighbors C & D. No queries are sent to routers A, E, or F because they are designated as stubs.

The EIGRP stub option, when configured on a router, causes that router to send a flag to its neighbor routers, essentially telling them not to query it. This technique works very well in hub-and-spoke topologies, or wherever a router has only a single network connection to another router. If a router has only a single connection to one EIGRP neighbor, it must route through that neighbor to reach any other subnet within the topology. Why then would the neighbor router query this “single threaded” router for information, when that router relies on the querying router for all of its information? Defining a router as a stub keeps neighboring routers from querying it.


EIGRP Stub Command

router(config)#router eigrp <autonomous-system-number>

router(config-router)#eigrp stub

Extensions to command: [receive-only | connected | static | summary]

• receive-only – prevents the router from sharing any of its routes with EIGRP neighbors

• connected – permits the router to send connected routes via EIGRP

• static – permits the router to send static routes via EIGRP

• summary – permits the router to send EIGRP summary routes

Use the “eigrp stub” command to define a router as a stub within the EIGRP topology. The command is entered under the EIGRP routing process. There are four extensions to the command: receive-only, connected, static, and summary. Receive-only restricts the router from sharing any of its routes with any other router in the network; if it is configured, the other three options cannot be used. Connected permits the sharing of connected routes with EIGRP neighbors; if the connected routes are not covered by a network statement, it is necessary to redistribute them into EIGRP. Connected is enabled by default. Static permits the router to share static routes with EIGRP neighbors; these routes must be redistributed into the EIGRP protocol. Summary permits the router to share EIGRP summary routes with neighboring routers. This option is enabled by default.

EIGRP Review Questions

1. EIGRP is a ___________ protocol.
   a. link state
   b. distance vector
   c. enhanced
   d. hybrid

2. EIGRP is Cisco proprietary.
   a. true
   b. false

3. What are triggered updates?
   a. updates sent at set times regardless of network changes
   b. updates that are sent based on criteria within a route map
   c. updates sent in response to network changes
   d. there is no such thing as a triggered update

4. The hello protocol is used for:
   a. neighbor discovery only
   b. neighbor discovery and maintenance
   c. neighbor AS verification
   d. routing table maintenance

5. What are the 5 types of EIGRP packets?
   a. hello, update, query, ACK, resend
   b. hello, Unicast, query, ACK, reply
   c. hello, update, quest, ACK, reply
   d. hello, update, query, ACK, reply

6. These types of EIGRP packets require acknowledgment.
   a. update, query, reply
   b. ACK, hello, query
   c. hello, update, multicast
   d. multicast, Unicast, broadcast

7. What is the next step if a neighbor does not respond to a packet that requires acknowledgment?
   a. resend the packet as multicast
   b. break the neighbor connection
   c. resend the packet unicast
   d. resend the packet broadcast

8. How many times will a router resend a packet unicast prior to breaking the neighbor connection?
   a. 2
   b. 14
   c. 15
   d. 16

9. When hello packets are used for link integrity purposes, they are referred to as ___________.
   a. ACK
   b. reply
   c. keepalives
   d. query

10. The destination address for hello packets is:
   a. neighbor’s address
   b. 224.0.0.1
   c. 224.0.0.10
   d. 255.255.255.255

11. What are the hello & hold times for EIGRP on a LAN segment?
   a. 10/40 seconds
   b. 5/15 seconds
   c. 10/20 seconds
   d. 15/45 seconds

12. For two EIGRP routers to become neighbors they must agree on ________.
   a. K-values and AS number
   b. hello interval and area ID
   c. router ID and dead interval
   d. delay and bandwidth

13. In the “show ip eigrp nei” command, SRTT is what?
   a. refers to the average time for a neighbor to send an acknowledgement.
   b. the amount of time a router will wait for a reply.
   c. amount of time it takes for a host to reply to an echo request.
   d. neighbor router ID.

14. Composite metrics are advertised to neighbor routers.
   a. true
   b. false

15. Vector metrics consist of ______ components.
   a. 5
   b. 4
   c. 3
   d. 6

16. A route has a minimum BW of 256k & a total delay of 45000. What is the composite metric?
   a. 111520000
   b. 11152000
   c. 1115200
   d. 1152

17. The successor is ________.
   a. neighbor with the highest reported distance
   b. neighbor with highest router ID
   c. neighbor selected for packet forwarding to a destination network
   d. neighbor that passed the feasibility condition

18. To become a feasible successor, a router must _________.
   a. have a reported distance less than the successor’s feasible distance
   b. have a feasible distance lower than the successor’s reported distance
   c. have an SRTT less than the successor’s RTO
   d. have a metric less than the successor’s to the destination network

19. What is the reason for the feasibility condition?
   a. minimize the topology database
   b. minimize router latency
   c. ensure loop free routing
   d. both a & b

20. DUAL stands for __________.
   a. 2
   b. diffusing update algorithm
   c. database UNIX algorithm
   d. diffusing underlying algorithm

21. If the path to the successor fails, the router will use any matching route in the topology database.
   a. yes, this speeds up convergence
   b. yes, all routes are stored in the database
   c. no, only feasible successors
   d. no, a query must be sent first

22. EIGRP can be configured like a classful or classless protocol.
   a. true
   b. false

23. The “show ip eigrp topology” command shows all entries in the database.
   a. true
   b. false

24. Changing the bandwidth at any point in a route will change the metric.
   a. true
   b. false

25. Manipulating the metric can be used as a tool to build feasible successors into a topology.
   a. true
   b. false

26. The command to change the delay on an interface is _________.
   a. router(config)#delay xxxxx
   b. router(config-router)#delay xxxxx
   c. router(config-if)#delay xxxxx
   d. router(config-line)#delay xxxxx

27. In EIGRP, load balancing occurs automatically on unequal paths.
   a. true
   b. false

28. The variance command does which of the following?
   a. causes all known routes to be candidates for load balancing
   b. multiplies the feasible distance of the successor by the value used in the command
   c. varies the metric of the feasible successor
   d. causes EIGRP to alternate the interface route updates are sent

29. What are the two types of route summarization used in EIGRP?
   a. internal and external
   b. auto and manual
   c. composite and vector
   d. single and multiple

30. Route summarization is configured at what location on the router?
   a. within the EIGRP routing protocol
   b. from the global configuration mode
   c. on the interface
   d. none of the above

31. When summarizing, it is possible to advertise subnets that the router has no knowledge about.
   a. true
   b. false

32. What is SIA – stuck in active?
   a. a reply has not been received from a hello
   b. the time to wait for the reply on a query has been exceeded
   c. a Unicast packet has been sent 16 times
   d. this is a normal operational state

33. What can be implemented to limit the query range?
   a. variance, summarization, filtering
   b. filtering, feasible successor, filtering
   c. summarization, filtering, variance
   d. filtering, summarization, stub option

34. You are experiencing SIA problems with routes not under your control. What can you implement immediately to correct the problem?
   a. stub option
   b. filtering
   c. summarization
   d. variance

35. What does configuring an EIGRP router as a stub do?
   a. keeps external routing information from being forwarded to it
   b. can only be used on single homed routers
   c. keeps queries from being sent to it
   d. summarizes all routing information

36. A router receives a query and finds no entry for the route in its database. What does it do next?
   a. queries its neighbors
   b. runs the feasibility condition
   c. replies with unreachable
   d. route goes SIA

Border Gateway Protocol (BGP)

BGP 4 Autonomous System

Figure: the Internet as a collection of interconnected autonomous systems (AS-7, AS-36, AS-43, AS-51, AS-66, AS-82, AS-86).

• An autonomous system is a collection of networks under a single administrative control which share a common routing strategy.

• The collection of autonomous systems interconnected using BGP forms the backbone of the internet.

The Internet is formed by the interconnection of many privately owned and autonomous networks, each one run by an independent organization. These organizations often have different policies for routing packets within their own networks and for exchanging packets with other organizations. This fundamental factor of ownership and management control leads to the internal-external distinction. Routing must still take place within an autonomous network, because there will usually be many alternative pathways that packets can travel. Nowadays, this routing is usually done using link-state protocols such as OSPF. An autonomous system is one network or set of networks under a single administrative control. An autonomous system might be the set of all computer networks owned by a company, or a college. Companies and organizations might own more than one autonomous system, but the idea is that each autonomous system is managed independently with respect to BGP. An autonomous system is often referred to as an “AS”. A good example is UUNet, who use one autonomous system as their European network, and a separate autonomous system for their domestic networks in the Americas.


If you draw a network map of autonomous systems, three distinct types can be identified:

1. A Stub AS is only connected to one other AS. For routing purposes, it could be regarded as a simple extension of the other AS. In fact, most networks with a single Internet connection don't have a unique AS number assigned, and their network addresses are treated as part of the parent AS.

2. A Transit AS has connections to more than one other AS and allows itself to be used as a conduit for traffic (transit traffic) between other autonomous systems. Most large Internet Service Providers are transit autonomous systems. Military autonomous systems do not allow transit traffic.

3. A Multihomed AS has connections to more than one other AS, but does not allow transit traffic to pass, though its interior hosts may route traffic through multiple autonomous systems. This is the typical configuration for a large corporate network with multiple redundant Internet connections, which does not wish to pass traffic for others.


Autonomous System Numbers

AS #    Provider
701     UUnet (U.S. domestic) (AS 701-705)
1239    Sprint
3356    Level 3 Communications
7018    AT&T WorldNet
209     Qwest
3561    Cable and Wireless
3549    Global Crossing
2914    Verio
702     UUnet (International)

The American Registry for Internet Numbers (ARIN) defines Autonomous System Numbers as: "Autonomous System Numbers (ASNs) are globally unique numbers that are used to identify autonomous systems and which enable an AS to exchange exterior routing information between neighboring Autonomous systems. An AS is a connected group of IP networks that adhere to a single and clearly defined routing policy." To identify each autonomous system, a globally unique number is assigned to each one from a centralized authority (ARIN) so that there are no duplicate numbers. Globally Unique means exactly that – “within the entire Internet all around the globe, the AS number should be unique”. The AS number will be from 1 to 64511, and the next highest unused number is what is generally assigned. These numbers are referred to as AS numbers. The American Registry for Internet Numbers (ARIN) is the authority responsible for tracking and assigning these numbers as well as managing IP address allocations and assignments. ARIN charges a fee to organizations wishing to obtain an AS number to cover the administrative costs associated with managing AS number registrations and assignments. To receive an AS number from ARIN, you must be able to prove you are dual homed to the Internet, which means that you have more than one Internet provider with which you plan to run BGP.


You must also have a unique routing policy that differs from your BGP peers. Some companies have difficulty getting an AS number. If it is not necessary to connect to the Internet, or you are part of a special type of BGP configuration, you can use any of the AS numbers 64512 through 65535. However, these numbers should NOT be seen on the global Internet. One example of when you might use private AS numbers is in BGP confederations. The confederation AS number should not be seen on the global Internet. In 2009, about 48,000 of the possible 65,535 16-bit AS numbers had been assigned, with around 33,000 of them advertised on the global grid. This compares to about 5,000 assigned and fewer than 600 active on the web in 1996. In coming years, the pool of available AS numbers can expand dramatically, as 32-bit numbers are grouped in with the existing 16-bit numbers. Rather than a possible range of 0 to 65535, the top end of the range will end at 4294967295. This new global policy was scheduled to take effect in Jan. 2010, and has been pushed back to 2011. The extended range of numbers has been available for assignment since 2007.

BGP learns and exchanges path information regarding the route to a given destination network by keeping lists of AS numbers and associating them with destination networks. This is why AS numbers should be unique. BGP makes certain that an AS number does not appear in a path more than once, thereby preventing routing loops.
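The AS-path loop rule just stated, as an added toy model that is not course code: an UPDATE is passed around a constructed ring of three autonomous systems, each prepending its own number when it advertises and dropping any path that already carries its number. The AS numbers and ring are made up; the private range 64512-65535 is the one given above, and the private-ASN stripping is a simplified stand-in for a router's remove-private-AS feature, not a model of any vendor's exact behaviour.

```python
"""Toy AS_PATH processing for the loop-prevention rule stated above.

Added example, not course code: an UPDATE is passed around a constructed
ring of autonomous systems; each AS prepends its own number when advertising
and drops any path that already contains its number. AS numbers and the
topology are made up; the private range 64512-65535 is the one the text gives.
"""
from typing import List, Optional, Tuple

PRIVATE_ASN_RANGE = range(64512, 65536)   # private 16-bit AS numbers (slide)


def is_private_asn(asn: int) -> bool:
    """True for the 64512-65535 block that should not be seen on the Internet."""
    return asn in PRIVATE_ASN_RANGE


def accept_update(local_as: int, as_path: List[int]) -> Optional[List[int]]:
    """Inbound eBGP check: if our own AS is already in AS_PATH the route has
    looped back to us, so the UPDATE is discarded (None). Otherwise keep it."""
    if local_as in as_path:
        return None
    return list(as_path)


def advertise(local_as: int, as_path: List[int], to_internet: bool = False) -> List[int]:
    """Outbound eBGP: prepend our AS so downstream peers can run the same
    check. Toward the global Internet, first strip private AS numbers, a
    simplified stand-in for a router's remove-private-AS feature."""
    path = [a for a in as_path if not is_private_asn(a)] if to_internet else list(as_path)
    return [local_as] + path


def walk_ring(ring: List[int]) -> List[Tuple[int, str, List[int]]]:
    """Originate a route at ring[0] and hand the UPDATE to each AS in turn.

    Returns one (receiver_as, decision, as_path_received) entry per hop. If
    the ring closes on its originator, that final hop must be rejected.
    """
    log: List[Tuple[int, str, List[int]]] = []
    as_path = [ring[0]]              # the originator's AS is the entire path
    for receiver in ring[1:]:
        accepted = accept_update(receiver, as_path)
        if accepted is None:
            log.append((receiver, "rejected-loop", list(as_path)))
            break
        log.append((receiver, "accepted", accepted))
        as_path = advertise(receiver, accepted)   # prepend before forwarding
    return log


if __name__ == "__main__":
    # Constructed ring: AS 1 -> AS 2 -> AS 3 -> back to AS 1.
    for hop in walk_ring([1, 2, 3, 1]):
        print(hop)
    # Constructed customer path carrying private AS numbers, as sent by AS 200.
    print(advertise(200, [64512, 64513, 100], to_internet=True))
```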


Interconnecting Autonomous Systems

Figure: BGP running between AS-1 and AS-2.

• BGP is designed to interconnect two different autonomous systems.

• If a group of routers share a common AS, use an IGP.

A routing protocol used to connect autonomous systems is referred to as an exterior gateway protocol (EGP). The Border Gateway Protocol (BGP) is an EGP used to make policy based routing decisions between autonomous systems. BGP version 4 (BGP-4) is the latest version of BGP and is defined in RFC 1771. The Exterior Gateway Protocol (EGP) and BGP versions 1 through 3 do not support CIDR and are not used across the public Internet. The main goal of BGP is to provide an inter-domain routing system that guarantees the loop-free exchange of routing information between autonomous systems. Routers exchange information about paths to destination networks. When two autonomous systems interconnect, it is important that the routing information exchanged between them can be controlled. BGP gives the network administrator the capability to implement policies to control and/or manipulate the routing taking place between the two autonomous systems. BGP is not designed to operate as an interior gateway protocol (IGP), internal to an autonomous system.


Interior vs Exterior Routing

Interior Routing

• Works within an Autonomous System.

• Selects routes based on metrics or cost.
  - hop count, bandwidth, delay, reliability, load

Exterior Routing

• Normally works between Autonomous Systems.

• Selects routes based on policy, not metrics.

An interior routing protocol or IGP (interior gateway protocol) routes within an autonomous system (AS). An IGP determines the best path within a network topology utilizing variables such as bandwidth, delay, or hop count. RIP uses hop count; the path with the fewest number of layer three devices to reach the destination network is the preferred path. OSPF utilizes bandwidth and EIGRP utilizes bandwidth and delay assigned to an interface. All interior routing protocols use outbound metrics or costs to decide where to send packets. An exterior routing protocol or EGP (exterior gateway protocol) routes between autonomous systems. BGP is an example of an EGP. BGP does not use the same type of variables as IGPs to determine the best path. BGP is a policy based routing protocol that allows an administrator of an AS to control traffic based on a multitude of route attributes. It gives the flexibility to establish rules to fit the routing needs of the AS. Traffic entering, exiting, or even transiting an AS can have policies established to manipulate the flow. This can allow all available bandwidth to be utilized effectively.


External Routing History

• 1982 – Exterior Gateway Protocol (EGP)

• 1989 – BGP version 1

• 1990 & 91 – BGP versions 2 & 3

• 1995 – BGP version 4 (supports CIDR)

Routing in the early Internet was done using a small number of centralized core routers that maintained complete information about network reachability on the Internet. They exchanged information using the historical interior routing protocol, the Gateway-to-Gateway Protocol (GGP). Around the periphery of this core were located other non-core routers, sometimes standalone and sometimes collected into groups. These exchanged network reachability information with the core routers using the first TCP/IP exterior routing protocol: the Exterior Gateway Protocol (EGP). Like its interior routing counterpart GGP, EGP was developed by Internet pioneers Bolt, Beranek, and Newman (BBN) in the early 1980s. It was first formally described in an Internet standard in RFC 827, Exterior Gateway Protocol (EGP), published in October 1982. This draft document was superseded in April 1984 by RFC 904, Exterior Gateway Protocol Formal Specification. Like GGP, EGP is now considered obsolete, having been replaced by the Border Gateway Protocol (BGP). However, also like GGP, it is an important part of the history of TCP/IP routing. When the Internet grew and moved to the autonomous system (AS) architecture, EGP was still able to function as the exterior routing protocol for the Internet. However, as the number of autonomous systems in an internetwork grows, the importance of communication between them grows as well. EGP was functional but had several weaknesses that became more problematic as the Internet grew in size.

It was necessary to define a new exterior routing protocol that would provide enhanced capabilities for use on the growing Internet. In June 1989, the first version of this new routing protocol was formalized, with the publishing of RFC 1105, A Border Gateway Protocol (BGP). This initial version of the BGP standard defined most of the concepts behind the protocol, as well as key fundamentals such as messaging, message formats, and how devices operate in general terms. It established BGP as the Internet's exterior routing protocol of the future. Due to the importance of a protocol that spans the Internet, work continued on BGP for many years after the initial standard was published. The developers of BGP had to correct problems with the initial protocol, refine BGP's operation, improve efficiency, and add features. It was also necessary to make adjustments to allow BGP to keep pace with other changes in the TCP/IP protocol suite, such as the invention of classless addressing and routing. As you might imagine, changing the version of a protocol like BGP is not an easy undertaking. Any modification of the protocol would require the coordination of many different organizations. The larger the Internet grows, the more difficult this would be. As a result, despite frequent version changes in the early 1990s, BGP-4 remains today the current version of the standard, and is the one that is widely used. Any newer version of BGP is backwards compatible with earlier versions. In fact, BGP peers exchange BGP version information to determine the highest revision that they both support. If one neighbor supports a higher, newer version, it will operate with the lower version instead, in order to match the other neighbor's capability.


When & When Not to use BGP

BGP is appropriate when at least one of the following exists:

• An AS has multiple connections to other autonomous systems.

• The flow of routing traffic entering or leaving an AS must be manipulated.

• An AS allows packets to transit through it to reach another AS.

• The effects and drawbacks of BGP are well understood.

BGP should not be used if one of the following exists:

• A single connection to the Internet or to another AS.

• Routing policy and route selection are not a concern for the AS.

• Lack of memory/processor power on the BGP routers to handle constant updates.

• Limited understanding of route filtering and the BGP path selection process.

• Low bandwidth between autonomous systems.

BGP was designed to allow Internet Service Providers (ISPs) to communicate and exchange packets. These ISPs have multiple connections to one another at both public and private peering points. Since the major ISPs have multiple connections to one another, a routing protocol had to be developed to manipulate how and under what conditions a meeting point could be used to exchange packets. BGP is a policy-based routing protocol used to implement this peering agreement between two or more autonomous systems. BGP, if not properly controlled and filtered, has the potential to allow an outside AS to affect your routing decisions. If only one entry/exit point exists in an AS, a default route should be considered. BGP is used to select a pathway to leave your AS or to recommend to an outside AS the preferred entry point. With only one point of entry/exit, using BGP would not accomplish anything except to use router CPU and memory resources. The only policy that can be changed is how a packet enters or leaves an AS. Once a packet enters another AS, that AS's policy will take over and decide how to route the packet.


BGP Features

• Open, non-proprietary.

• Supports VLSM.

• Supports route summarization & CIDR.

• Reliable update – utilizes TCP (179).

• Incremental, triggered updates.

• Robust metrics – path vectors/attributes.

• Designed to scale to very large internetworks.

BGP is an open, non-proprietary protocol in the public domain. It is not owned by any one entity and can be used by any vendor. BGP supports variable length subnet masking to allow for the efficient allocation of IP addresses.

BGP allows for route summarization and CIDR. This is extremely important when dealing with large networks, to keep the routing tables at a manageable level and to reduce router latency when routing decisions are being made. It is also extremely important that it supports the implementation of CIDR. Currently there are hundreds of thousands of routes in the routing table of Internet core routers. Without CIDR, this number would exceed 2,000,000.

BGP utilizes TCP (port 179) as its reliable transport mechanism. This ensures the reliable delivery of update packets so that all routers are converged with the same routing information. Unlike IGPs with built-in transport protocols, which have a window size of one, BGP's utilization of TCP allows for a dynamic window which can transmit up to 65,576 bytes before it stops and waits for acknowledgement. This is necessary for BGP, which can be responsible for the updating of thousands of routes at any one time. BGP sends updates only during network changes. This allows BGP traffic to be minimized and network bandwidth to be fully utilized for routing user traffic.


BGP is a policy-based routing protocol. Policies or rules can be implemented based on a variety of routing attributes to manipulate traffic flow patterns. This allows a network administrator to implement policies to fit the needs of the autonomous system in question. BGP is designed to scale to very large internetworks, with a robust system of metrics. BGP tracks and utilizes as a routing attribute the autonomous systems in the path to reach a destination network. Each update sent by BGP specifies the complete pathway to the destination network as a series of autonomous system path segments, e.g. AS1 to AS5 to AS3. This ensures a loop-free route, because a BGP router will not accept a route which includes its own AS in its path, or another AS appearing more than once in the path.


BGP Packets

• Open – starts a BGP session between neighbors.

• Keepalive – maintains neighbor connectivity.

• Update – routing update.

• Notification – notifies neighbor of error, connection closed.

The open message opens a BGP communications session between neighbors. It is the first message sent by each side after a transport-protocol connection is established. The receiving neighbor confirms an open message by replying with a keepalive message. The open message must be confirmed before updates, notifications, and keepalives can be exchanged between neighbors. Open messages contain the following information:

- Version Number
- AS Number
- Holdtime
- Router ID
- Optional Parameters

The keepalive message notifies BGP peers that a device is active. Keepalives are sent often enough to keep the sessions from expiring. The default for BGP is a keepalive interval of 60 seconds and a hold time of 180 seconds.

An update message is used to provide routing updates to other BGP systems, allowing routers to build a consistent view of the network topology. Updates are sent using TCP to ensure reliable delivery. An update message can advertise a route, withdraw a route, and advertise all associated attributes. An update contains information about one path only; multiple paths require multiple updates. A single update may, however, contain information about numerous networks reachable through that path.

The notification message is sent when an error condition is detected. Notifications are used to close an active session and to inform any connected routers of why the session is being closed.


BGP Databases

• Neighbor Table – lists all BGP neighbors.

• BGP Topology Table – lists all networks learned from neighbors.

• IP Routing Table – lists preferred paths to destination networks.

BGP establishes and/or maintains three different databases: the neighbor table, the topology table, and the routing table. Unlike IGPs, BGP does not have automatic neighbor discovery. Each neighbor must be configured by IP address and AS number. BGP establishes a TCP connection with each neighbor and maintains the relationship by periodically sending keepalive packets. After the neighbor relationship is established, the routers exchange the BGP routes in their routing tables. These routes are then placed into the router's BGP topology database. All BGP information learned from a router's neighbors is placed into the BGP topology database. The best routes are then selected from the topology database using the BGP selection process. These routes are then offered to the routing table as candidates. The routing table selects the best routes from all candidate routes offered from all routing information sources. Utilizing the administrative distance and then the metrics, the preferred candidates are selected for installation into the routing table.


7-Router BGP Network Lab

[Figure: lab topology. Routers 1 through 7 sit in AS 1 through AS 7 respectively. Each router has a FastEthernet f0/0 LAN on a 148.43.200.x/28 subnet (addresses .49, .65, .81, .97, .113, .129 and .145) and serial links s0/0/0 and s0/0/1 on /30 point-to-point subnets addressed .5/.6, .9/.10, .13/.14, .17/.18, .21/.22 and .25/.26.]

Install the above directly connected network. The network is complete when the IP routing table shows the directly connected networks. Do not configure a routing protocol.


8-Router / Simulator BGP Network

[Figure: lab topology. Routers 1 through 8 sit in AS 1 through AS 8 respectively. Each router has a FastEthernet f0/0 LAN on a 148.43.200.x/28 subnet (addresses .49, .65, .81, .97, .113, .129, .145 and .161) and serial links s0/0/0 and s0/0/1 on /30 point-to-point subnets addressed .1/.2, .5/.6, .9/.10, .13/.14, .17/.18, .21/.22 and .25/.26.]

Install the above directly connected network. The network is complete when the IP routing table shows the directly connected networks. Do not configure a routing protocol. Simulator classes will configure only their own station.


BGP Commands

Enable BGP at the global configuration prompt:

Router(config)# router bgp autonomous-system

autonomous-system – identifies the local autonomous system

The router bgp command enables the BGP routing protocol. The syntax of basic BGP configuration commands is similar to the syntax for configuring internal routing protocols. However, there are significant differences in the way that an external protocol functions. Use the router bgp command to activate the BGP protocol and identify the local autonomous system. Only one instance of BGP can be enabled on a router; it can only route for one autonomous system.


External vs. Internal BGP Neighbors

• External BGP Neighbor – a router whose administrative and policy control is outside of your AS.

• Internal BGP Neighbor – a router that falls under the administrative control of a single AS and is assumed to follow a consistent policy with other BGP speakers of that AS.

[Figure: AS-1, AS-2 and AS-3 connected in a row. The BGP sessions between autonomous systems are labelled external neighbors, the sessions between routers within one AS are labelled internal neighbors, and one router is labelled a non-BGP router.]

BGP supports two types of exchanges of routing information: exchanges between different autonomous systems and exchanges within a single AS.

• When used between autonomous systems, BGP is called external BGP (EBGP) and BGP sessions perform inter-AS routing. The administrative distance of external BGP is 20.

• When used within an AS, BGP is called internal BGP (IBGP) and BGP sessions perform intra-AS routing. The administrative distance of internal BGP is 200.

A BGP system shares network reachability information with adjacent BGP systems, which are referred to as neighbors or peers. BGP systems are arranged into groups. In an external BGP group, the peers in the group, called external peers, are in different autonomous systems and normally share a subnet. In an external group, the next hop is computed with respect to the interface that is shared between the external peer and the local router. An interior gateway protocol (IGP) is not exchanged with an external BGP neighbor. The address your router points to must therefore be reachable without using a routing protocol. This can be accomplished either by pointing at an address that is reachable on a directly connected network or by using a static route to that IP address. Generally, the neighbor address that is used is a directly connected address of the other router.


In an internal BGP group, all peers in the group—called internal peers—are in the same AS. Internal peers can be anywhere in the local AS and do not have to be directly connected to each other. Internal groups use routes from an IGP to resolve forwarding addresses. The internal BGP peers would typically be the AS edge routers, each receiving different BGP updates from their external peers. The internal BGP peering is set up so that these edge routers can share the external routes they learn. They propagate these external routes among all other internal routers running internal BGP, computing the next hop by taking the BGP next hop received with the route and resolving it using information from one of the interior gateway protocols. The address that BGP points at for an internal BGP neighbor must also be reachable. This can be by a directly connected network or static routes, but it also can be reachable by the internal routing protocol. Since other routers in an AS can usually be reached by multiple paths, a loopback address is generally used.

iBGP? Maybe not a good idea. Beware of messages from the dark and murky address space.

Although internal BGP (iBGP) exists, and BGP neighbor relationships can be established internal to the AS, BGP should not be used to establish internal routing tables. Protocols explicitly designed for internal routing (OSPF, EIGRP) should be used. Issues with iBGP include:

-- Verbosity. BGP sends many messages, eating up bandwidth.

-- Vulnerability to a variety of attacks because of security holes. 'Backdoor peers' may be established, which can advertise the entire Internet to your routers, completely exhausting memory resources. There have also been studies showing that spam and more sinister cyber-attacks have originated from what is called the 'dark and murky address space.' These are network address blocks not normally seen in global routing tables, which can announce themselves to BGP routers, be advertised within your AS, and serve as a source of attacks before 'withdrawing' from the protocol mesh.

-- Routing oscillation, leading to a high level of 'update churn.' Conflicting preferred-route information distributed within your AS by iBGP peers can cause this damaging confusion of the routing tables, and a resulting traffic disruption.

-- BGP is something of a resource hog. It is often recommended that your BGP edge router should not even provide local LAN connectivity for users, because the router CPU resources need to be reserved for BGP processing. This is not a protocol you would want to build an internal topology around.
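The two risks named above (a backdoor peer flooding the table until memory is exhausted, and announcements from address blocks that do not belong in a global routing table) and the AS-path loop rule from the BGP Features page are the checks a border router applies to every inbound update. The following is an added illustration in Python, not IOS code and not part of the course material: it models the AS_PATH loop test, a first-pass bogon filter built on Python's ipaddress special-purpose registry, and a per-neighbor prefix limit in the spirit of the IOS neighbor maximum-prefix command. The updates, the AS 1 neighbor address and the limit of three prefixes are constructed from the lab diagram for the demonstration.

```python
from __future__ import annotations

import ipaddress


def as_path_is_loop_free(local_as: int, as_path: list[int]) -> bool:
    """Reject a path that already contains our own AS, or in which an AS
    reappears after a different AS. Consecutive repeats (AS-path prepending,
    e.g. 1 1 1 4) are allowed; that is a policy tool, not a loop."""
    if local_as in as_path:
        return False
    seen = set()
    previous = None
    for asn in as_path:
        if asn != previous and asn in seen:
            return False
        seen.add(asn)
        previous = asn
    return True


def prefix_is_routable(prefix: str, max_prefixlen: int = 24) -> bool:
    """Drop the default route, over-specific prefixes and address space that is
    not globally routable (RFC 1918, multicast, reserved). Unallocated space
    needs a registry-based bogon list on top of this; the ipaddress
    special-purpose checks are only a first filter."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.prefixlen == 0 or net.prefixlen > max_prefixlen:
        return False
    return net.is_global and not net.is_multicast


class NeighborSession:
    """What one neighbor has been allowed to install. The prefix limit mirrors
    the intent of IOS 'neighbor <ip> maximum-prefix <n>': once a peer exceeds
    it, the session is torn down and its routes withdrawn instead of letting
    the peer exhaust router memory."""

    def __init__(self, local_as: int, neighbor: str, max_prefixes: int,
                 max_prefixlen: int = 24) -> None:
        self.local_as = local_as
        self.neighbor = neighbor
        self.max_prefixes = max_prefixes
        self.max_prefixlen = max_prefixlen
        self.accepted: dict[str, list[int]] = {}
        self.rejected: list[tuple[str, str]] = []
        self.shut_down = False

    def receive(self, prefix: str, as_path: list[int]) -> tuple[bool, str]:
        """Apply the checks in order and return (accepted, reason)."""
        if self.shut_down:
            return self._reject(prefix, "session down: maximum-prefix exceeded")
        if not as_path_is_loop_free(self.local_as, as_path):
            return self._reject(prefix, "AS_PATH loop")
        if not prefix_is_routable(prefix, self.max_prefixlen):
            return self._reject(prefix, "bogon or over-specific prefix")
        self.accepted[prefix] = as_path
        if len(self.accepted) > self.max_prefixes:
            self.shut_down = True
            self.accepted.clear()  # everything learned from this peer is withdrawn
            return self._reject(prefix, "maximum-prefix exceeded, session reset")
        return True, "accepted"

    def _reject(self, prefix: str, reason: str) -> tuple[bool, str]:
        self.rejected.append((prefix, reason))
        return False, reason


def demo() -> NeighborSession:
    """Router 7 (AS 7) taking constructed updates from its AS 1 neighbor.
    The lab uses /28 LANs, so the over-specific limit is relaxed to /28."""
    session = NeighborSession(local_as=7, neighbor="148.43.200.9",
                              max_prefixes=3, max_prefixlen=28)
    updates = [
        ("148.43.200.64/28", [1, 2]),         # normal
        ("148.43.200.80/28", [1, 2, 3]),      # normal
        ("148.43.200.96/28", [1, 7, 4]),      # our own AS in the path: loop
        ("10.0.0.0/8", [1, 2]),               # RFC 1918 space: bogon
        ("0.0.0.0/0", [1]),                   # a default route from a peer
        ("148.43.200.112/28", [1, 1, 4]),     # prepended by AS 1, legitimate
        ("148.43.200.128/28", [1, 4, 1, 5]),  # AS 1 reappears after AS 4: loop
        ("148.43.200.160/28", [1, 4]),        # fourth accepted prefix: over the limit
        ("148.43.200.176/28", [1]),           # arrives after the session was reset
    ]
    for prefix, path in updates:
        session.receive(prefix, path)
    return session
```

Running demo() leaves the session shut down with an empty accepted table and six rejections, two of them for AS_PATH loops. The loop test deliberately tolerates consecutive repeats, because prepending is a routine outbound policy and a real implementation only refuses a path that already carries its own AS.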


Identify Your Neighbors

[Figure: two routers, one in AS 1 and one in AS 2, joined by a serial link whose interface addresses are 148.43.200.17 and 148.43.200.18; the BGP session runs between those two addresses.]

EBGP neighbors expect to be directly connected. The neighbor address is the IP address of the interface used for the BGP connection. Using the appropriate network diagram, identify the neighbor IPs for your router.


BGP Commands - Neighbors

Router(config-router)# neighbor ip-address remote-as autonomous-system

• Activates a BGP session on an interface.

• Used for both external and internal neighbors.

• The ip-address is the IP address of the neighboring router's interface to which you are directly connected.

• The autonomous-system is the AS number of the neighbor router.

Two BGP-speaking routers trying to become neighbors will first bring up the TCP connection between one another and then send open messages in order to exchange values such as the AS number, the BGP version, the BGP router ID, the keepalive hold time, etc. After these values are confirmed and accepted, the neighbor connection will be established. Any state other than established is an indication that the two routers did not become neighbors, and hence BGP updates will not be exchanged. Two BGP routers become neighbors or peers once they establish a TCP connection between one another. The TCP connection is needed for the two peer routers to exchange reliable updates. The neighbor command used to establish the TCP connection is as follows:

neighbor ip-address remote-as number

-- The ip-address is the directly connected next-hop address for EBGP, and for IBGP any IP address on the other router that is reachable by any means (connected, static, or IGP).

-- The remote-as number is the AS number where the neighbor is located. This number must be the same as the one used by the neighbor to enable BGP: external neighbor, different AS; internal neighbor, same AS.


In an IGP, neighbor discovery is automatic and is initiated by entering the network statement. The network statement starts the IGP process on an interface. In BGP, neighbor discovery must be manually configured. The neighbor statement starts the BGP process on an interface.


Show IP BGP Summary

    router7#sho ip bgp sum
    BGP router identifier 148.43.200.7, local AS number 7
    BGP table version is 14, main routing table version 14
    7 network entries using 819 bytes of memory
    7 path entries using 336 bytes of memory
    8/7 BGP path/bestpath attribute entries using 928 bytes of memory
    6 BGP AS-PATH entries using 144 bytes of memory
    0 BGP route-map cache entries using 0 bytes of memory
    0 BGP filter-list cache entries using 0 bytes of memory
    BGP using 2227 total bytes of memory
    BGP activity 7/0 prefixes, 7/0 paths, scan interval 60 secs

    Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    148.43.200.9    4     1      58      58       14    0    0 00:48:02        3
    148.43.200.1    4     4      14      14       14    0    0 00:03:16        3

The show ip bgp summary command shows the status of BGP neighbors.

BGP table version – Internal version number of the BGP database.

Main routing table version – Last version of the BGP database that was injected into the main routing table.

Neighbor – IP address of a neighbor.

V – BGP version number spoken to that neighbor.

AS – That neighbor's autonomous system number.

MsgRcvd – BGP messages received from that neighbor.

MsgSent – BGP messages sent to that neighbor.

TblVer – Last version of the BGP database sent to the neighbor.

InQ – Number of messages from that neighbor waiting to be processed.

OutQ – Number of messages waiting to be sent to that neighbor.

Up/Down – The length of time that the BGP session has been in state Established, or the current state if it is not established.

State – Current state of the BGP session (see State/PfxRcd below).


State/PfxRcd

Idle = The router is looking in the routing table to find a match for the address specified in the neighbor statement.

Active = The router is establishing a TCP connection with the neighbor.

Open = The router is exchanging BGP open messages with the neighbor.

Number = The neighbor relationship is established. The number in the column indicates the actual number of networks advertised by the neighbor.

Once the neighbor statement is entered, the router searches for a match for the address specified in the neighbor statement. This allows the router to begin the BGP neighbor establishment on the interface associated with that address. If the state stays in the idle mode, then a common cause is the address specified in the neighbor statement is incorrect. Once a match is found for the address specified in the neighbor statement, the router begins opening a TCP connection to the neighbor (three-way handshake). This is the active mode. Once the TCP connection is established, the router begins sending open messages to the neighbor. If no response is received from the neighbor within 5 seconds, then the router returns to the active state. This process will continue until the neighbor responds. A common cause for the router to be stuck in the open state is an incorrect AS number in the neighbor statement. Once each neighbor has confirmed the open messages, the neighbor relationship is established. At this time, there should be a number in the state/pfxrcd column, which indicates the number of networks being advertised by the neighbor. The number could very well be zero, though. This still indicates the neighbor relationship is established, but no networks are being advertised.
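The state column is the first thing to read when a peering is not coming up, and the paragraph above gives the usual cause for each state. As an added example, not part of the course and not IOS code, the Python below parses the neighbor lines of a show ip bgp summary display and reports, for each neighbor that is not exchanging routes, the cause the course associates with that state. SAMPLE is constructed after the router7 output shown earlier, with three extra neighbors (148.43.200.13, .21 and .25) invented to show an Active session, an Idle session and an established session that has received no prefixes.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample, modelled on the router7 'sho ip bgp sum' output above.
SAMPLE = """\
BGP router identifier 148.43.200.7, local AS number 7
BGP table version is 14, main routing table version 14
7 network entries using 819 bytes of memory

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
148.43.200.9    4     1      58      58       14    0    0 00:48:02        3
148.43.200.1    4     4      14      14       14    0    0 00:03:16        3
148.43.200.13   4     4       0       0        1    0    0 never    Active
148.43.200.21   4     5       2       2        1    0    0 never      Idle
148.43.200.25   4     6      10      10       14    0    0 00:01:40        0
"""

# Neighbor line: address, seven numeric columns, Up/Down, then State/PfxRcd.
LINE_RE = re.compile(
    r"^(?P<addr>\d+(?:\.\d+){3})\s+(?P<ver>\d+)\s+(?P<asn>\d+)\s+(?P<rcvd>\d+)\s+"
    r"(?P<sent>\d+)\s+(?P<tblver>\d+)\s+(?P<inq>\d+)\s+(?P<outq>\d+)\s+"
    r"(?P<updown>\S+)\s+(?P<state>\S+)\s*$"
)


@dataclass
class Neighbor:
    address: str
    version: int
    remote_as: int
    up_down: str
    state: str  # a count of prefixes when Established, otherwise the FSM state

    @property
    def established(self) -> bool:
        return self.state.isdigit()

    @property
    def prefixes_received(self) -> int | None:
        return int(self.state) if self.established else None


def parse_summary(text: str) -> list[Neighbor]:
    """Extract one Neighbor per matching line; header and memory lines are skipped."""
    neighbors = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            neighbors.append(Neighbor(match["addr"], int(match["ver"]),
                                      int(match["asn"]), match["updown"],
                                      match["state"]))
    return neighbors


def session_findings(neighbors: list[Neighbor]) -> list[tuple[str, str]]:
    """One finding per neighbor that needs attention, naming the likely cause
    the course gives for that state."""
    findings = []
    for n in neighbors:
        if n.state == "Idle":
            findings.append((n.address, "Idle: check the address in the neighbor statement"))
        elif n.state == "Active":
            findings.append((n.address, "Active: TCP connection to the neighbor is not completing"))
        elif not n.established:
            findings.append((n.address, f"{n.state}: stuck exchanging open messages, check the remote-as"))
        elif n.prefixes_received == 0:
            findings.append((n.address, "Established but no prefixes received"))
    return findings
```

The parser keys on the address at the start of the line, so the header and memory-usage lines are ignored without special handling. An established neighbor reporting 0 is not an error in itself, as the paragraph above notes, which is why it is listed separately from the non-established states.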


BGP Commands - Network

Router(config-router)# network network-number mask network-mask

• Allows BGP to advertise a route if it is in the routing table.

  - The network command must include all networks you want to advertise, not just those locally connected.

  - For the route designated in the network command to be advertised, there must be an exact match in the routing table.

• This command differs from the network command in IGPs in that it does not activate the protocol on an interface.

The network-number is the network address of a network you wish to advertise. It does not have to be a network directly connected to your router, but must be listed in the routing table. The network mask is the associated mask of that network.

The network command controls what networks the router advertises. This is a different concept from the network commands used to configure IGPs. With this command we are not trying to run BGP on a certain interface (this is done by neighbor statements); rather, we are trying to indicate to BGP what networks it should advertise to its neighbors. The mask portion is used because BGP4 supports subnetting/VLSM and supernetting (CIDR). A maximum of 200 entries of the network command are accepted. For the network command to advertise a network there must be an exact match (address & mask) in the routing table. The source of this entry (connected, static, IGP, etc.) does not matter, just that there is a match. Because the BGP network command will advertise a route learned from a source other than BGP, this can be considered a form of redistribution.


Show IP BGP

    router7#sho ip bgp
    BGP table version is 14, local router ID is 148.43.200.7
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete

       Network           Next Hop        Metric LocPrf Weight Path
    *> 148.43.200.48/28  148.43.200.9         0             0 1 i
    *> 148.43.200.64/28  148.43.200.9                       0 1 2 i
    *> 148.43.200.80/28  148.43.200.9                       0 1 2 3 i
    *> 148.43.200.96/28  148.43.200.14        0             0 4 i
    *> 148.43.200.112/28 148.43.200.14                      0 4 5 i
    *> 148.43.200.128/28 148.43.200.14                      0 4 5 6 i
    *> 148.43.200.144/28 0.0.0.0              0         32768 i

The show ip bgp command displays the BGP topology database. All routing information learned from BGP neighbors is stored here.

BGP table version – Internal version number of the table. This number is incremented whenever the table is updated.

local router ID – Router ID for the BGP process.

Status codes – Status of the table entry. The status is displayed at the beginning of each line in the table. It can be one of the following values:

  s – The table entry is suppressed (usually due to route summarization).

  * – The table entry is valid.

  > – The table entry is the best entry to use for that network.

  i – The table entry was learned via an internal BGP session.

Origin codes – Indicates the origin of the entry. The origin code is placed at the end of each line in the table. It can be one of the following values:

  i – Entry originated from an IGP and was advertised with a network router configuration command.

  e – Entry originated from EGP.

  ? – Origin of the path is not clear. Usually, this is a route that is redistributed into BGP from an IGP.

Network – IP address of a network entity.

Next Hop – IP address of the next system that is used when forwarding a packet to the destination network. An entry of 0.0.0.0 indicates that the router is the owner of that network.

Metric – Also called the multi-exit discriminator (MED). If shown, this is the value of the inter-autonomous-system metric. The MED is an indication to external neighbors about the preferred path into an AS. This field is frequently not used. The default is 0; lower metric values are preferred.

LocPrf – Local preference is an attribute provided to internal neighbors about the preferred path to exit the AS. The default value is 100. Higher values are preferred. Only used with iBGP.

Weight – Weight is an attribute used internally by the router for path selection. It is not exchanged with other routers in the network. Networks originated by the router are weighted 32768. The possible range is 0 to 65535. A higher weight is preferred. This is a Cisco-only feature.

Path – Autonomous system paths to the destination network. There can be one entry in this field for each autonomous system in the path. Reference the origin codes above.

Setting a Metric (MED) is a way to influence external neighbors' choice of a path into your AS. Setting a Local Preference can influence internal neighbors' choice of a path out of the AS. Setting a path's Weight lets the local router define the best path among multiple candidates from multiple external neighbors. For a detailed explanation of the complicated BGP Best Path Selection Algorithm, do a web search for that term; an explanation is currently Document ID 13753 on Cisco's web site.
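To make the interplay of these attributes concrete, here is an added example in Python (not Cisco's code and not part of the course) that chooses among several candidate paths for one prefix using the columns of the show ip bgp display in the order Weight, LocPrf, AS path length, Origin, MED. It models only those first steps of the algorithm the text points to; later tie-breakers (eBGP over iBGP, IGP cost to the next hop, router ID) are not modelled, so an exact tie keeps the first candidate. The next hops and AS paths are taken from the router7 table above, while the LocPrf and MED values, and the second link to AS 1 at 148.43.200.5, are constructed for the scenarios.

```python
from __future__ import annotations

from dataclasses import dataclass

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}  # IGP preferred over EGP over incomplete


@dataclass
class Candidate:
    next_hop: str
    as_path: tuple[int, ...]
    origin: str = "i"
    med: int = 0            # Metric column; lower preferred
    local_pref: int = 100   # LocPrf column; higher preferred
    weight: int = 0         # Weight column; higher preferred, 32768 for local routes


def prefer(a: Candidate, b: Candidate) -> tuple[Candidate, str]:
    """Return the preferred candidate and the step that decided between them."""
    if a.weight != b.weight:
        return (a if a.weight > b.weight else b), "weight"
    if a.local_pref != b.local_pref:
        return (a if a.local_pref > b.local_pref else b), "local preference"
    if len(a.as_path) != len(b.as_path):
        return (a if len(a.as_path) < len(b.as_path) else b), "AS path length"
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:
        return (a if ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin] else b), "origin"
    # MED is only compared between paths that arrive from the same neighboring AS.
    if a.as_path[:1] == b.as_path[:1] and a.med != b.med:
        return (a if a.med < b.med else b), "MED"
    return a, "tie (first candidate kept; later tie-breakers not modelled)"


def best_path(candidates: list[Candidate]) -> tuple[Candidate, list[str]]:
    """Fold prefer() over the candidates, recording why each loser lost."""
    best = candidates[0]
    trace = []
    for candidate in candidates[1:]:
        best, reason = prefer(best, candidate)
        trace.append(reason)
    return best, trace


def demo() -> dict[str, str]:
    """Router 7's choice for 148.43.200.80/28 under four constructed scenarios;
    returns the winning next hop for each."""
    via_as1 = Candidate("148.43.200.9", (1, 2, 3))
    via_as4 = Candidate("148.43.200.14", (4, 5, 6, 3))
    results = {}
    # 1. Defaults everywhere: the shorter AS path through AS 1 wins.
    results["default"] = best_path([via_as4, via_as1])[0].next_hop
    # 2. An inbound policy sets LocPrf 200 on the AS 4 side: it wins despite the longer path.
    results["local_pref"] = best_path(
        [via_as1, Candidate("148.43.200.14", (4, 5, 6, 3), local_pref=200)])[0].next_hop
    # 3. Two links to the same AS 1 neighbor, each carrying a MED: the lower MED wins.
    results["med"] = best_path(
        [Candidate("148.43.200.9", (1, 2, 3), med=50),
         Candidate("148.43.200.5", (1, 2, 3), med=10)])[0].next_hop
    # 4. A locally originated route (weight 32768) beats anything learned.
    results["weight"] = best_path(
        [via_as1, Candidate("0.0.0.0", (), weight=32768)])[0].next_hop
    return results
```

The MED guard is the point practitioners most often miss: with default settings the metric only breaks ties between paths from the same neighboring AS, which is why the column is usually blank in the lab output.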


Clear IP BGP * or {address}

• This command should be performed after a configuration change to BGP.

• This forces the change to take effect immediately.

• Will interrupt the TCP connection.

• Use * to reset all connections.

• Use {address} to reset an individual connection, where {address} is the neighbor IP of the connection to reset.

• Discretion must be used when performing this command; all BGP routing information will be lost and may not reconverge for several minutes.

When configuration changes are made to BGP, these will not necessarily take effect immediately. Configuration changes do not force an update message to be sent. Therefore, to implement these changes, the BGP connection must be reset. There are two options for doing this: reset all connections or reset an individual neighbor connection.

• To reset all neighbor connections, utilize the "*" in conjunction with the clear command.

• To reset a single neighbor connection, utilize the neighbor's IP address with the clear command.

Special care must be given when using this command. It will interrupt the routing of traffic that uses BGP-derived routing information. Prior to utilizing this command, coordination may have to be made with users to ensure an untimely service interruption is not incurred. In addition, for routers that are operating with multiple BGP neighbors, resetting all neighbor connections at the same time will cause all neighbor relationships to be re-established at the same time and all BGP routing information to be exchanged simultaneously. If large amounts of routing information are received from multiple neighbors at the same time, this could overwhelm the router, extending the service interruption.


BGP Summarization Options

• Network command with no mask & auto-summary enabled.

  - advertises the classful network if at least one subnet is present in the routing table; auto-summary is off by default.

• Static route pointing to Null0, plus a network command.

  - the static route forces the summarized network into the routing table, allowing it to be advertised by the network command.

• Aggregate-address command.

  - advertises a summary route if a subnet of it exists in the BGP database.

  - the summary-only extension suppresses subnets from being advertised.

  - the as-set extension causes all AS path info from the subnets to be included in the summary.

There are three options when summarizing with BGP.

1. The network command can be utilized with no mask. This causes a classful network to be advertised when there is at least one subnet from the classful network in the routing table. This is referred to as automatic summarization (as in RIP & EIGRP). To disable this auto-summarization feature, utilize the command no auto-summary. Since classful networks are rarely used in today's routing, auto-summarization is no longer part of the default behavior of BGP since IOS version 12.2(8)T.

2. The network command advertises the specified route and mask configured in the command if there is an exact match in the routing table. An easy way to advertise a summarized network is to force an entry into the routing table and then advertise this with the BGP network command. To force an entry into the routing table, configure a static route pointing to the null0 interface. It must be noted, though, that any more specific routes within the summarized static route are not automatically suppressed and may still be advertised. Also, the summarized route advertised by BGP shows it originating from this AS. If any of the subnets being summarized originated from another AS, this information is not carried forward.


3. The BGP aggregate-address command summarizes and advertises the configured address and mask if at least one subnet of the summarized address exists in the BGP topology database. The summary-only extension to the command suppresses any subnets within the summarized address from being advertised. The as-set extension causes all AS path information from each summarized subnet to be included in the advertised summarized network. This assists in avoiding routing loops. Configuring a summarized route without the as-set extension is referred to as 'atomic aggregation.' The atomic-aggregate attribute is included in any such aggregate advertisement to let the neighbor router know that the advertised route is aggregated. Using the as-set extension includes the aggregator attribute in the advertisement, which identifies the AS and IP address (the router ID for Cisco IOS) of the router that originated the route.

As stated earlier, for the summarized address to be advertised, there must be at least one subnet of this summarized address in the BGP database. It may be necessary to configure network commands for these subnets to install them in the BGP database. Technically, there only has to be one subnet of the summarized address in the BGP database, but if for any reason this route is removed from the database, then the summarized address will no longer be advertised. If required, it is good practice to ensure that multiple (if not all) of the summarized subnets are installed in the database.


BGP Summarization Commands

• Network Command and Static Route:

router(config)# ip route ip address mask null0

- configures static route pointed at null0; address & mask are summarized network

router(config-router)# network address mask mask

- configures BGP to advertise summarized static route

• BGP Aggregate Address Command:

router(config-router)# aggregate-address ip address mask [summary-only] [as-set]

- configures BGP to advertise a summarized network
- summary-only suppresses subnets of summarized network from being advertised
- as-set causes AS path info from subnets to be included in summarized advertisement

To install a summarized static route, from the global configuration mode, use the "ip route address mask interface" command. The address and mask are the summarized network to advertise. The interface used is null0. The idea is that the routing table will have subnets or routes with a more exact (longer) match installed, so the summarized route pointing to null0 will never be utilized. If for any reason it is, the packet is dropped. Once the static route is configured, the entry is forced into the routing table. At this point, configure a network statement in BGP that matches the static route installed. This summarized network will then be advertised by BGP to its neighbors.

Use the aggregate-address command to advertise a summarized route in BGP. The command is configured as part of BGP. The IP address and mask define the summarized network to be advertised. For this to be advertised, though, there must be at least one subnet of this network in the BGP database. If there are no subnet entries in the BGP database for this summarized network, a network statement for the subnets will have to be configured. With no extensions to the command, the subnets will be advertised, as well as the summarized network. Adding the summary-only extension to the command suppresses any subnets of the summarized network from being advertised. Using the "show ip bgp" command, the suppressed subnets can be viewed. Adding the as-set extension will cause the AS path information from any summarized subnets to be included in the advertised summarized route.


BGP Summarization Lab (1)

1. Use the previously configured network topology.

2. Each router install a static route to null0 using the following networks:

- router 1 148.11.0.0 255.255.252.0
- router 2 148.12.0.0 255.255.252.0
- router 3 148.13.0.0 255.255.252.0
- router 4 148.14.0.0 255.255.252.0
- router 5 148.15.0.0 255.255.252.0
- router 6 148.16.0.0 255.255.252.0
- router 7 148.17.0.0 255.255.252.0
- router 8 148.18.0.0 255.255.252.0

3. Configure a network command in BGP to match the static route.

4. Verify that the static route is being advertised to your neighbor(s).

5. Remove static route and network statement.

Use the directly connected network configured earlier in the chapter. Configure BGP neighbor relationships between each of the routers. Install the static routes listed above pointing to null0. Once this route is in the routing table, advertise it with a network statement in BGP. Take note that no subnets of this summarized route actually exist. This summarized route was just "made up". When summarizing, it is important to ensure that all parts of the summarized address are actually reachable.


BGP Summarization Lab (2)

1. Each router install the following loopback interfaces:

- router 1 loopback 0 – 7 using networks 148.11.0.1 - 148.11.7.1 each with a mask of 255.255.255.0
- router 2 loopback 0 – 7 using networks 148.12.0.1 - 148.12.7.1 each /24
- router 3 loopback 0 – 7 using networks 148.13.0.1 - 148.13.7.1 each /24
- router 4 loopback 0 – 7 using networks 148.14.0.1 - 148.14.7.1 each /24
- router 5 loopback 0 – 7 using networks 148.15.0.1 - 148.15.7.1 each /24
- router 6 loopback 0 – 7 using networks 148.16.0.1 - 148.16.7.1 each /24
- router 7 loopback 0 – 7 using networks 148.17.0.1 - 148.17.7.1 each /24
- router 8 loopback 0 – 7 using networks 148.18.0.1 - 148.18.7.1 each /24

2. Configure a network command in BGP for each loopback network. Verify advertisement.

3. Configure aggregate-address command in BGP to summarize all loopback networks. Verify summarized address along with subnets are being advertised.

4. Add the summary-only extension. Verify subnets are being suppressed.

Each router is installing several loopback interface networks. This is simply to generate networks for the purpose of route summarization. This is a classroom-training tool only. Students using the network simulator will perform Router 3's configuration. Once the loopback networks are installed, advertise these to your neighbors using network commands in BGP. Classes using the network simulator must console into the neighbor router to confirm that the networks appear in the routing table. Once complete, use the aggregate-address command to advertise a summarized network to your neighbors. Note that all of the subnets are still being advertised. Classes using the network simulator must console into the neighbor router to confirm that the networks appear in the routing table. Add the summary-only extension to the aggregate-address command. Note that the subnets are now not being advertised and are listed as suppressed in the local BGP database. Classes using the network simulator must console into the neighbor router to confirm that only the summary network appears in the routing table.


BGP Summarization Lab (3)

1. Router 3 remove the aggregate route command.

2. All other routers verify that each of the loopback networks from router 3 are being advertised. Also verify that the AS path information is attached.

3. Router 1 install an aggregate address configuration with the summary-only extension for router 3’s loopback networks.

4. Routers 4, 5, 6, 7 and 8 verify the aggregate route is being received. Verify the AS path information. It should show the aggregate route originating from AS 1.

5. Router 1 remove the aggregate route command from BGP and then add the command back with both the summary-only and as-set extensions.

6. Routers 4, 5, 6, 7 and 8 should now show the AS path for the aggregate route originating from AS 3.

Students using the network simulator will perform the operations of Routers 1, 3, and 8. Router 3 removes its summarization. This allows the loopback networks to be advertised individually. Router 1 summarizes the loopback networks being advertised by router 3 and uses the summary-only extension. Routers 4, 5, 6, 7 and 8 will see the summarized route with the subnets being suppressed. The AS path shows the summarized route as originating from AS 1. Router 1 removes the aggregate route configuration and then adds it back with the summary-only and the as-set extensions. Routers 4, 5, 6, 7, and 8 should now show the summary route originating from AS 3.
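The behavior described under BGP Summarization Commands and exercised in Lab (3) can be modeled without routers. This is an added example, not course material or IOS code: it assumes router 1 (AS 1) learned router 3's eight loopback /24s directly from AS 3, summarizes them as 148.13.0.0/21, and uses an assumed router ID of 148.11.0.1; the neighbor-side loop check shows why as-set matters when an aggregate could be advertised back toward the AS that owns the space.

```python
"""Model of 'aggregate-address ... [summary-only] [as-set]' and of the AS-path
loop check a neighbor applies. Added example, not code from the course."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Optional, Tuple

Network = ipaddress.IPv4Network


@dataclass(frozen=True)
class AsPath:
    sequence: Tuple[int, ...] = ()         # AS_SEQUENCE, leftmost = most recently traversed AS
    as_set: FrozenSet[int] = frozenset()   # AS_SET, unordered ASes folded in by an aggregate

    def prepend(self, asn: int) -> "AsPath":
        return AsPath((asn,) + self.sequence, self.as_set)

    def contains(self, asn: int) -> bool:
        return asn in self.sequence or asn in self.as_set

    def origin_ases(self) -> FrozenSet[int]:
        """The AS(es) a neighbor would see as originating the route."""
        return self.as_set if self.as_set else frozenset(self.sequence[-1:])

    def __str__(self) -> str:
        text = " ".join(str(a) for a in self.sequence)
        if self.as_set:
            text += " {" + ",".join(str(a) for a in sorted(self.as_set)) + "}"
        return text.strip()


@dataclass(frozen=True)
class BgpRoute:
    prefix: Network
    as_path: AsPath                                # path as held in the local BGP table
    atomic_aggregate: bool = False                 # set when aggregated without as-set
    aggregator: Optional[Tuple[int, str]] = None   # (AS, router ID) when aggregated with as-set
    suppressed: bool = False                       # kept locally, not advertised (summary-only)


def aggregate_address(table: List[BgpRoute], summary: str, local_as: int, router_id: str,
                      summary_only: bool = False, as_set: bool = False) -> List[BgpRoute]:
    """Apply the aggregate-address command to a local BGP table and return the new table."""
    net = Network(summary)
    parts = [r for r in table if r.prefix != net and r.prefix.subnet_of(net)]
    if not parts:
        return list(table)   # no component subnet in the BGP database: no aggregate is generated
    if as_set:
        # carry every AS that appears in any component path forward as an AS_SET
        ases = frozenset(a for r in parts for a in (*r.as_path.sequence, *r.as_path.as_set))
        summary_route = BgpRoute(net, AsPath(as_set=ases), aggregator=(local_as, router_id))
    else:
        # atomic aggregation: component AS information is discarded, attribute flags the loss
        summary_route = BgpRoute(net, AsPath(), atomic_aggregate=True)
    result = []
    for r in table:
        if summary_only and r in parts:
            r = replace(r, suppressed=True)
        result.append(r)
    result.append(summary_route)
    return result


def advertise(table: List[BgpRoute], local_as: int) -> Dict[Network, BgpRoute]:
    """What an eBGP neighbor receives: suppressed routes are withheld, local AS is prepended."""
    return {r.prefix: replace(r, as_path=r.as_path.prepend(local_as))
            for r in table if not r.suppressed}


def accept(route: BgpRoute, local_as: int) -> bool:
    """BGP loop check: an update whose AS path already contains the local AS is rejected."""
    return not route.as_path.contains(local_as)


# Constructed Lab (3) scenario: router 1 (AS 1) holds router 3's loopback /24s,
# learned directly from AS 3 (assumed), and summarizes them as 148.13.0.0/21.
LOOPBACKS = [Network(f"148.13.{i}.0/24") for i in range(8)]
ROUTER1_TABLE = [BgpRoute(p, AsPath(sequence=(3,))) for p in LOOPBACKS]
ROUTER1_ID = "148.11.0.1"   # assumed router ID for router 1


def lab3(summary_only: bool, as_set: bool) -> Dict[Network, BgpRoute]:
    """Routes that routers 4..8 receive from router 1 for a given aggregate-address form."""
    table = aggregate_address(ROUTER1_TABLE, "148.13.0.0/21", 1, ROUTER1_ID,
                              summary_only=summary_only, as_set=as_set)
    return advertise(table, 1)


if __name__ == "__main__":
    for so, aset in ((False, False), (True, False), (True, True)):
        print(f"summary-only={so} as-set={aset}")
        for prefix, route in lab3(so, aset).items():
            print(f"  {prefix}  path: {route.as_path}  origin: {set(route.as_path.origin_ases())}"
                  f"  accepted by AS 3: {accept(route, 3)}")
```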


Route Redistribution

• Even though edge routers of autonomous systems establish a BGP connection, the routes learned are not automatically shared with the routers internal to the AS. Some form of route redistribution must be performed.

• Redistribution exports route information from one source (like BGP) into a routing protocol that otherwise would not have learned the route info. Sources could be:

- another routing protocol
- static
- connected

• It is possible for a router to operate with multiple routing protocols enabled. By default, different routing protocols do not exchange routing information.

• When routing information from one protocol is redistributed into another, all associated attributes are lost. This can lead to routing loops, so as a general rule, other options should be considered before redistribution is implemented and then it must be very carefully planned.


Redistribution Configuration

[Diagram: routers 1, 4 and 7; an EIGRP domain and an OSPF domain; BGP to External AS3 (WWW); static route to 0.0.0.0]

router ospf 100
 redistribute bgp 7 subnets
 redistribute eigrp 7 subnets
 default-information originate

router eigrp 7
 redistribute bgp 7 metric 256 1000 0 1 1
 redistribute ospf 100 metric 256 1000 0 1 1
 redistribute static

Redistributed routes appear in the routing table as:
- D EX routes in EIGRP, or
- O E2 routes in OSPF

When redistributing another protocol into OSPF, be sure to include the keyword "subnets". This will ensure that sub-networks within EIGRP or BGP are redistributed into OSPF. If it is not used, then only classful networks will be redistributed into OSPF.

OSPF has two types of external routes: E1 and E2. The difference between the two is how the metric (cost) is calculated. An E2 route only utilizes the default or seed metric applied during the redistribution process. As this external route moves through the OSPF topology, the internal cost is not added. Regardless of where the route is located within the topology, it will only have the seed metric applied. An E1 route, on the other hand, utilizes both the seed metric (external) and the internal cost. As the route moves through the OSPF topology, the internal cost is calculated and added. By default, routes redistributed into OSPF are E2. Both types have a default metric of 20 unless the source is BGP, in which case the default metric is 1. As a general rule, if there is only one ASBR, then redistribute the routes as E2. If there are multiple ASBRs, then redistribute them as E1.


Redistributing into EIGRP: Unlike OSPF, which automatically sets a default metric for redistributed routes, EIGRP does not. An initial or seed metric must be supplied. If it is not, no routes will be redistributed. The numbers listed in the command (256 1000 0 1 1) correlate to the following:

- 256: Bandwidth in kbps
- 1000: Delay in tens of microseconds
- 0: Reliability (0 – 255), where 255 is 100% reliable
- 1: Load (1 – 255), where 255 is 100% loaded
- 1: MTU of the path

The routes redistributed into EIGRP will appear in the routing table with a D EX designation (external routes learned from EIGRP). These external routes will have an administrative distance of 170, rather than the default EIGRP internal distance of 90.


BGP Lab

[Diagram: AS 1 - 148.43.200.0/24 and AS 2 - 148.43.201.0/24. Routers 1 through 8 are linked by serial interfaces s0/0/0 and s0/0/1; each router has a LAN on f0/0 (f0/1 on two of the routers), with LAN prefix lengths /25, /28, /26, /27, /27, /28, /26 and /25.]

Install the network above. The connection between the BGP routers can be through serial interfaces, if available, or by crossover from ethernet interface to ethernet interface, as shown above. Allocate and assign IP addresses within each AS. Enable OSPF in AS 1 and EIGRP in AS 2. Establish a BGP connection between the two autonomous systems and perform route summarization. Advertise the summarized BGP route within each AS via the IGP. Ensure all subnets within both autonomous systems are reachable from the distant AS. Simulator classes: IPs are already allocated. Stations 1 through 4 will configure routers 1 and 2, and the host computer IP for router 1 using Local Area Connection 4. All other routers are already configured. Stations 5 through 8 will configure routers 5 and 8, and the host computer IP for router 8 using Local Area Connection 4. All other routers are already configured. LAN fastethernet interfaces are f1/0 on the simulators.


BGP Review Questions


1. BGP is commonly used as an ____________ routing protocol.
   a. Interior
   b. Internal
   c. Exterior
   d. a and b

2. A network based on one authority for management is called ________________.
   a. Known system
   b. An autonomous system
   c. Small system
   d. Singular system

3. What agency controls the distribution of AS numbers?
   a. IETF
   b. ARIN
   c. AFN
   d. Microsoft

4. Two routers that have a direct BGP connection are called ______________________.
   a. Neighbors
   b. TCP
   c. Groups
   d. Packets

5. BGP uses what Transport protocol to ensure reliability?
   a. TCP
   b. UDP
   c. CDP
   d. LDP

6. Which of the following is a BGP message type?
   a. Open
   b. Update
   c. Notification
   d. Keepalive
   e. All of the above

7. Of the four BGP messages, which is used to provide routing updates?
   a. Keepalive
   b. Open
   c. Notification
   d. Update

8. When does BGP send all BGP routes to its neighbors?
   a. During an update
   b. After the 5th keepalive
   c. Immediately after the OPEN message
   d. After destination notification


9. What command is used to enable BGP on your router?
   a. Router bgp xxx
   b. Route bgp xxx
   c. Config Router bgp xxx
   d. ip Router bgp xxx

10. Neighbor statements are used to enable BGP on an interface.
   a. true
   b. false

11. Internal BGP neighbors have ______________.
   a. the same AS number
   b. a high metric
   c. must be directly connected
   d. different AS numbers

12. An Autonomous system that allows packets to transit through it to reach another AS is considered what?
   a. A Transit Dynamic System
   b. A Transit Autonomous System
   c. A Transit Testing Center
   d. A Transit Encapsulation

13. BGP is an open protocol.
   a. True
   b. False

14. BGP supports redistribution.
   a. True
   b. False

15. BGP does not support route summarization.
   a. True
   b. False

16. Clear IP BGP * is used to do what?
   a. Reset all protocol connections
   b. Starts the BGP process during OSPF synchronization
   c. Stops the BGP process during OSPF synchronization
   d. Reset all BGP neighbor connections on that router

17. Sho IP BGP displays the IP routing table.
   a. True
   b. False

18. Sho IP route displays the BGP routing table.
   a. True
   b. False


19. To display the status of all BGP connections, which command would you use?
   a. Show IP Router
   b. Sho IP BGP Sum
   c. Show BGP Sum
   d. Sho Router

20. In order to reset only one TCP connection between BGP Neighbors, what command must be used?
   a. Clear IP BGP xxx.xxx.xxx.xxx (x = the IP Address of your router)
   b. Clear IP BGP xxx.xxx.xxx.xxx (x = the Loopback Address of your neighbor)
   c. Clear IP BGP xxx.xxx.xxx.xxx (x = the OSPF Address of your router)
   d. Clear IP BGP xxx.xxx.xxx.xxx (x = the IP address of the neighbor)

21. What is the primary RFC for BGP?
   a. RFC 1221
   b. RFC 1331
   c. RFC 1661
   d. RFC 1771

22. When performing a "show IP BGP" command, an "i" status code before the network entry would indicate what?
   a. An internal OSPF neighbor has told us about this network
   b. An internal BGP neighbor has told us about this network
   c. An interior BGP network has told us about this network
   d. An interior OSPF network has told us about this network

23. If the next hop address is shown as 0.0.0.0 when performing a sho IP BGP command, what does this signify?
   a. The neighbor router is the absolute owner of the network listed
   b. This router cannot find the network listed beside the 0.0.0.0
   c. This router is the absolute owner of the network listed beside the 0.0.0.0
   d. The neighbor router cannot find the network listed beside the 0.0.0.0

24. Local Preference is used to determine the best pathway to leave the AS to reach an outside network in the case that you have more than one exit point.
   a. True
   b. False

25. The BGP Multi-Exit Discriminator (MED) is used to inform the distant AS of the recommended entrance points to your Autonomous System.
   a. True
   b. False


26. External BGP has an administrative distance of ______.
   a. 2
   b. 20
   c. 200
   d. 2000

27. Internal BGP has an administrative distance of ______.
   a. 2
   b. 20
   c. 200
   d. 2000

28. BGP will not accept updates that have originated from its own AS.
   a. True
   b. False

29. BGP uses what TCP port for establishing its connections?
   a. 179
   b. 121
   c. 800
   d. 140

30. What does BGP use for its router ID?
   a. Your Subnet Mask
   b. Highest IP on an Active Interface
   c. Your Autonomous System Number
   d. Your BGP Neighbors IP Address
   e. All of the above

31. What protocol did BGP replace?
   a. AGP
   b. OGP
   c. EGP
   d. SGP

32. BGP is a CISCO product.
   a. True
   b. False

33. By default, how often does BGP send updates?
   a. Every 30 seconds
   b. Every 60 seconds
   c. Whenever you change your password
   d. Whenever network changes occur

34. BGP stands for ________________.
   a. Baseline Group Process
   b. Baseline Gateway Process
   c. Border Group Protocol
   d. Border Gateway Protocol


35. Which of the following is not an appropriate situation to use BGP?
   a. When the autonomous system is a transit autonomous system
   b. When there are multiple exit points
   c. When there is a single exit point
   d. When the network engineer understands BGP

36. When there is a single exit point into/out of an autonomous system, what is the preferred method?
   a. BGP
   b. OSPF
   c. Static route
   d. IBGP

37. What command is used to advertise a network with BGP?
   a. ip route
   b. neighbor
   c. network
   d. default

38. You want to establish a BGP connection with directly connected interface 1.1.1.1 in AS 69. Your address is 2.2.2.2 in AS 101. What command should you use for this?
   a. network 1.1.1.1 remote-as 69
   b. network 2.2.2.2 remote-as 101
   c. neighbor 1.1.1.1 mask 69
   d. neighbor 1.1.1.1 remote-as 69

39. Autonomous System numbers are __________.
   a. arbitrary
   b. assigned
   c. classless
   d. between 1 and 6,535

40. EBGP neighbors expect to be ___________.
   a. happy
   b. directly connected
   c. interconnected by an IGP
   d. classless

41. IGPs use ______ to route traffic while BGP uses ______.
   a. distance, neighbor
   b. metric, policy
   c. cost, metric
   d. policy, cost

42. BGP supports CIDR.
   a. true
   b. false


43. What are three types of BGP route summarization?
   a. internal, external, & inter-area
   b. automatic, static route/network command, & aggregate address command
   c. automatic, intra-AS, & inter-AS
   d. automatic, static route/neighbor command, & aggregate address command

44. What does the summary-only extension to the aggregate address command do in BGP?
   a. suppresses as path information
   b. suppresses subnets of the summarized route
   c. will only accept summary routes
   d. supports CIDR

45. Which is true about the static route/network command summarization technique?
   a. the static route must be redistributed into BGP
   b. the static route distance must be set
   c. subnets of the summarized static route are not suppressed
   d. BGP must be redistributed into the static route

46. What is the range for private AS numbers?
   a. 6452 through 6535
   b. 64512 through 65535
   c. 65412 through 65355
   d. anything above the assigned range


Default Routing


What is a Default Route?

[Diagram: a router with interfaces s0, s1 and s2 toward networks 148.17.1.0/24, 148.17.2.0/24 and 148.17.3.0/24, s3 toward the Internet, and e0 receiving a packet with destination address 148.20.0.43]

Gateway of last resort is 148.18.16.255 to network 0.0.0.0

148.17.0.0/16 is variably subnetted, 23 subnets, 4 masks
D 148.17.1.0/24 Serial0
D 148.17.2.0/24 Serial1
D 148.17.3.0/24 Serial2
D*EX 0.0.0.0/0 Serial3

• Default route in routing table listed as 0.0.0.0/0 (matches all IPs)
• Always used as a last resort – longest match rule.

Simply stated, a default route is one that is used when no other matching routing table entry is found. It appears in the routing table as a route to network 0.0.0.0, and you know it is set when the output of sho ip route contains an entry similar to the following at the top of the routing table:

Gateway of last resort is 192.168.4.1 to network 0.0.0.0

Any packet whose destination address is not matched by a more specific routing table entry (one with a longer mask) will take the path to the gateway of last resort. The gateway of last resort is a router that has more complete routing information and can forward the packet to its destination. If there is no default route and the packet's destination address is not found in the routing table, then the packet is dropped and an ICMP Destination or Network Unreachable is returned to the source IP address.

The term gateway originated in the early 1980s, when the world of networking equipment consisted of bridges and gateways. Bridges connect media that use the same (or nearly the same) data-link protocols, such as Ethernet to Ethernet. Gateway is the older term for a router and originated because it was the gateway through which one was able to send packets to a network that used different media and incompatible data-link protocols. In the late 1980s, the term router was coined to reflect the function of routing packets to the proper destination.


Today, the term gateway refers to a networking component that converts a higher-level protocol into a different higher-level protocol. An example of this is a mail gateway that converts the OSI X.400 mail protocol into the Internet’s RFC822 protocol format. The older use of the term exists in a variety of places, including older RFCs, networking texts, and software. A review of RFC1009 clearly defines the terms router and gateway.


Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 148.18.16.255 to network 0.0.0.0

148.18.0.0/16 is variably subnetted, 51 subnets, 6 masks
D 148.18.120.252/30 [90/1787392] via 148.18.16.255, 03:46:01, Serial2/0
D 148.18.20.132/30 [90/11023872] via 148.18.57.255, 03:46:05, Serial3/0
S 148.18.110.244/30 [1/0] via 148.18.110.250

(portions deleted)

D*EX 0.0.0.0/0 [170/2767360] via 148.18.16.255, 03:45:34, Serial2/0

• Default route listed as "gateway of last resort" in routing table
• Possible for router to learn of multiple default routes
• Same rules apply as for other routes – distance & metrics
• Gateway of last resort does not have to be 0.0.0.0

Default Routing

Routers use routing tables to compute the next hop for a packet. Routing tables can take many forms, but here is a simple model that can explain most Internet routing. Each entry in a routing table has at least two fields - IP Address Prefix and Next Hop. The Next Hop is the IP address of another host or router that is directly reachable via an Ethernet, serial link, or some other physical connection. The IP Address Prefix specifies a set of destinations for which the routing entry is valid. In order to be in this set, the beginning of the destination IP address must match the IP Address Prefix, which can have from 0 to 32 significant bits. For example, an IP Address Prefix of 128.8.0.0/16 would match any IP Destination Address of the form 128.8.X.X. If no routing table entries match a packet's Destination Address, the packet is discarded as undeliverable (possibly with an ICMP notification to the sender). If multiple routing table entries match, the longest match is preferred. The longest match is the entry with the most 1 bits in its subnet mask. To avoid needing routing entries for every possible Internet destination, most hosts and routers use a default route (some routing tables contain nothing but a single default route). A default route has a Routing Address/Mask pair of 0.0.0.0/0.0.0.0. In other words, it matches every IP address, but since there are no 1 bits in its subnet mask, any other match would be selected by the longest match rule.


The default route will only be used if there are no other matches in the routing table, thus its name. Default routes are quite common, and are put to best use on networks with only a single link connecting to the global Internet. On such a network, routing tables will have entries for local nets and subnets, as well as a single default route leading to the outbound link. However, remember that all Next Hops must be directly reachable, so the default routes will not necessarily point to the same IP address. In addition, some networks (large Internet service providers, mostly) use defaultless routing tables that must be able to match every IP address in the global network.


Why use a Default Route?

• Provides a route for unknown destination networks.

• Packets for unknown destinations are not just “dropped”.

• Decreases the amount of information required to be carried in routing table.

• Decreases router latency due to lengthy route lookup.

• Limits the propagation of route updates.

• If implemented correctly, can dramatically increase the overall performance of a router and a routed network.

Users want access to all parts of the network (Internet) at all times. If a packet is received from a user device with a destination address that does not have a matching network in the routing table, the packet is simply dumped. By having a default route/gateway of last resort installed in the routing table, there will always be a match for any packet received. When a router is connected to the Internet (SIPR/NIPR), a default route can be very useful. Without a default route, the router would have to have a route for every destination on the Internet. This could very easily amount to hundreds of thousands of entries. With a default route, a router needs to know only about the destinations internal to its autonomous system. The default route will forward packets destined for external addresses to the Internet service provider. Topology changes can be a big problem in very large routed networks. As the network increases in size, topology changes occur more frequently resulting in an increasing number of updates being propagated through the topology. Each update that is received by the router must be processed, which utilizes CPU cycles and memory. As this increases, the demands on the router also increase. This can cause latency issues to arise in the routing of user information. Very frequently, this problem is blamed on lack of bandwidth. Installing a default route effectively hides these changes from the topology using the default route.


Implementing a Default Route

Creating the Default Route
-- Static Route
-- IP Default Network Command

Propagating into an IGP
-- OSPF
-- EIGRP

There are different techniques for implementing a default route. The static route and IP default network command place a default route and gateway of last resort in the router in which these commands are configured. To share the default route with other routers in the topology, it must be propagated via an IGP. That is, it must be learned by the IGP, then advertised to all the routers running that IGP in the topology. The techniques for propagating the default route in the OSPF and EIGRP IGPs are discussed in this chapter. There is no one best way to configure a default route and then pass it throughout the topology. It is best to understand the different techniques and then utilize the one that best fits your needs.


Static Default Route

Router(config)# ip route network mask [address | interface] [distance] [permanent]

network     Destination network for the static route.
mask        Prefix mask for the destination network.
address     IP address of the next hop that can be used to reach that network.
interface   Interface number on the router to exit to reach the destination network.
distance    (Optional) Administrative distance for the static route.
permanent   (Optional) Specifies that the route will not be removed.

Above is the command to configure a static route – ip route.

˚ The network is the destination network.

˚ The mask is the subnet mask for this destination network.

˚ The address is the IP address of the next hop to reach this network.

˚ The interface is the interface on the router to exit to reach this network.

˚ The distance is used to set the administrative distance of this static route.

˚ The permanent keyword keeps the static route in the routing table regardless of whether the next hop address is reachable or the exit interface is up.


Static Default Route Options

Diagram: the router's exit interface s0/0 connects to a directly connected next-hop router at 148.43.200.10.

• ip route 0.0.0.0 0.0.0.0 s0/0 (points to exit interface), or
• ip route 0.0.0.0 0.0.0.0 148.43.200.10 (next hop address – connected)
• Either method will install a default route into the routing table.

Configuring a static default route is done the same as any other static route, except that the network and mask are all 0s (this covers the range of all IPs). The route can be pointed to an exit interface or to the next hop address of a directly connected neighbor router. By pointing the static default route to an exit interface, as shown below, you gain the advantage of needing only one route look-up.

D*EX 0.0.0.0/0 [170/2767360] via 148.18.16.255, 03:45:34, Serial 2/0

When no match for a packet is found in the routing table other than the default route, the packet can be immediately forwarded out Serial 2/0 (in this example). If the directly connected next hop address is used instead, a second route look-up occurs each time the default route is selected for packet forwarding (example: D*EX 0.0.0.0/0 [170/2767360] via 148.18.16.255). With this configuration, a route look-up to determine which exit interface to use to reach 148.18.16.255 has to occur. With either technique, it is possible that no route to the actual Internet destinations exists and that the default route is simply a layer two connection. In the picture above, if the router in the cloud has no routing table entry for the packet's destination address and no default route configured, the packets could still be dropped. This can be misleading, because the routers in the internal topology believe there is a default destination when in actuality there is not.


Another Default Route Option

Diagram: the edge router learns 148.43.200.0/24 from an upstream BGP neighbor.

• ip route 0.0.0.0 0.0.0.0 148.43.200.0 (next hop address – via protocol)
• The next hop address is learned via a routing protocol (BGP) and placed into the routing table. The static route is then pointed to that network.

A default static route can also be set up by pointing the route to a destination network being advertised from a neighbor router via a routing protocol. This can be a more realistic routing scenario. If for any reason there are actual routing problems within the ISP networks, the network the static route is being pointed to would stop being advertised. This would lead to the route being removed from the routing table. Once this happens, the static default route would also be removed from the routing table. If the static default route is being advertised to neighbors within the topology, once it is removed from the edge router's table, it is no longer shared with the internal neighbors. Within DOD networks, when a unit receives service from the DISN or GIG, it is a common practice for the DISN router to advertise a default network via BGP. The organization requesting service then uses that network as the target for the installation of a default route.


IP Default-Network Command

ip default-network network

• Used to designate a classful network as a default route.

• Classful network must be installed in the routing table.

• When used in conjunction with EIGRP, the network must be learned via EIGRP and is then propagated via EIGRP as the gateway of last resort.

Router(config)#

The ip default-network command is classful. It is used to designate a classful network to be used as a default network. The classful network must be in the routing table for it to be considered as a gateway of last resort. Multiple default networks can be configured. All those configured that are in the routing table are tagged as candidate default routes. The router goes through the normal process (distance/metric) to determine the selection of the gateway of last resort. If a tagged default network is not chosen as the gateway of last resort, it is then used as a backup. When a classful network is learned by a router via EIGRP and this network number is used in the ip default-network command, the network is then advertised to its EIGRP neighbors as a default network automatically. The network is propagated throughout the EIGRP topology as a default route.


IP Default-Network Command

Diagram: the router learns the classful network 148.43.0.0/16 via BGP.

• ip default-network 148.43.0.0
• The command designates the classful network as a default route, and it is set as the gateway of last resort. It points to the next hop address associated with the network in the routing table.

In the above scenario, a router learns of a classful network via BGP. It is installed in the routing table. Utilizing the command “ip default-network 148.43.0.0” causes the network to be designated as a default route candidate. It will be installed as the gateway of last resort pointing to the next hop associated with the network in the routing table.


Propagating a Default Route via an IGP

EIGRP – two methods to distribute in EIGRP

1. IP default-network command – the network specified in the command must be learned by EIGRP for it to be shared with neighbors as a default route.

2. Static default route – redistribute static into EIGRP.

OSPF – default-information originate command

- if the gateway of last resort is set, causes a default route to be redistributed into OSPF.

Once an edge router has a default route installed, the next step is to propagate this information to its neighbors. The most effective way to do this is to propagate it via an existing IGP. Two of the more common IGPs are OSPF and EIGRP. There are two methods for propagating a default route in EIGRP. The first is to have a classful network that was learned via EIGRP and then reference this network in the “ip default-network” command. The network is then propagated through the EIGRP domain as a default route. The second method is to install a default static route and then redistribute static into EIGRP. If there are multiple static routes within the routing table, they will also be redistributed, so consideration must be given as to whether these should be filtered from the redistribution process. The method for distributing a default route within OSPF is to utilize the “default-information originate” command, configured as part of the OSPF process. If a gateway of last resort is set on the router, the command causes a default route to be redistributed into the OSPF process, which is then propagated throughout the OSPF domain.


Propagating via an IGP - EIGRP

Diagram: the classful network 148.43.0.0/16 is advertised to router 1 via EIGRP, and router 1 then advertises 148.43.0.0/16 on to each of its EIGRP neighbors.

• Classful network is advertised to router 1 via EIGRP.
• Router 1 configures the “ip default-network 148.43.0.0” command.
• Router 1 advertises 148.43.0.0 as the default network to its neighbors.
• Neighbors install 148.43.0.0 as the gateway of last resort.

In the above example, network 148.43.0.0 is advertised to router 1 via EIGRP. Router 1 enters the configuration “ip default-network 148.43.0.0”. This tags the route as a default route candidate, and it is entered in router 1's routing table as the gateway of last resort. The network is then advertised to the EIGRP neighbors as a default route candidate and is entered into their routing tables as the gateway of last resort. The “ip default-network” command is classful; therefore, it can only be used if there is a classful network in the routing table to reference.


Redistribute Static

router(config)# router eigrp autonomous system number

router(config-router)# redistribute static

- enables EIGRP and defines the autonomous system number

- redistributes the default static route into the EIGRP routing process

- default route is then shared with EIGRP neighbors

- command will redistribute all static routes in the routing table, not just the default route

Once a static default route is in the edge router’s routing table, configuring the command redistribute static under the EIGRP routing process shares the default route with the edge router’s EIGRP neighbors. The default route is then passed from EIGRP neighbor to neighbor across the topology until all routers have learned it. As it is advertised from neighbor to neighbor, EIGRP calculates the metric as it would for any other route. If there are multiple paths within the topology to the edge router, the preferred path is installed in the routing table. The redistribute static command causes all static routes installed in the routing table to be shared with EIGRP neighbors. If the desired result is to have only the default route shared and not other static routes, route filtering must be configured.


Propagating via an IGP – EIGRP

Diagram: 148.43.0.0/16 is advertised to router 1 via BGP; router 1 then advertises 0.0.0.0/0 to each of its EIGRP neighbors.

• Network 148.43.0.0 is advertised to router 1 via BGP.
• Router 1 installs a default static route to 148.43.0.0.
• Router 1 redistributes static into EIGRP.
• The default route is propagated to neighbors via EIGRP.

In the above example, network 148.43.0.0 is advertised to router 1 via BGP. It is installed into the routing table with BGP as the source. Router 1 installs a default static route pointing to network 148.43.0.0. The static route is installed in the routing table and is selected as the gateway of last resort. Router 1 then redistributes static into EIGRP. The default route is then advertised to the EIGRP neighbors. Note that during this operation, the default static route does not have to be pointed to a classful network. It can be pointed to an exit interface, connected IP address, or any other route within the routing table.
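An added configuration example for router 1 in the scenario above (not the course's own configuration), which also shows the route filtering the Redistribute Static page says must be configured so that only the default route is shared. The static default points at the BGP-learned network 148.43.0.0 as described; the EIGRP autonomous system number 1, the internal network 148.18.1.0/24, the second static route, and the prefix-list and route-map names are assumptions.

```cisco
! Router 1 (edge router) - added example, assumed values marked below
!
! Default static route pointed at the classful network learned via BGP.
! If 148.43.0.0/16 disappears from the routing table, this static route
! is withdrawn too, and EIGRP neighbors stop receiving the default.
ip route 0.0.0.0 0.0.0.0 148.43.0.0
!
! Constructed second static route (e.g. a black-hole for unused space).
! Without filtering, "redistribute static" would leak it into EIGRP.
ip route 10.99.0.0 255.255.0.0 Null0
!
! Permit only the default route; anything else is dropped by the
! implicit deny at the end of the route-map.
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
route-map STATIC-TO-EIGRP permit 10
 match ip address prefix-list DEFAULT-ONLY
!
router eigrp 1
 network 148.18.1.0 0.0.0.255
 redistribute static route-map STATIC-TO-EIGRP
!
! Verification on router 1 and on an internal EIGRP neighbor:
!   show ip route 0.0.0.0   - gateway of last resort should be set
!   show ip route static    - 10.99.0.0/16 present only on router 1
!   show ip protocols       - lists the redistribution and its route-map
```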


Propagating via an IGP – OSPF

Diagram: 148.43.0.0/16 is advertised to router 1 via BGP; router 1 then advertises 0.0.0.0/0 to each of its OSPF neighbors.

• Network 148.43.0.0 is advertised to router 1 via BGP.
• Router 1 installs a default static route to 148.43.0.0 or uses the IP default-network command.
• Router 1 uses the default-information originate command within OSPF.
• The default route is propagated to neighbors via OSPF.

Network 148.43.0.0 is advertised to router 1 via BGP. Router 1 then configures a default static route pointing to this network. The static route is then installed in the routing table and selected as the gateway of last resort. Router 1 configures OSPF with the “default-information originate” command. This redistributes a default route into OSPF. This default route is then advertised to the OSPF neighbors. Note that during this operation, the default static route does not have to be pointed to a classful network. It can be pointed to an exit interface, connected IP address, or any other route within the routing table. If there is a gateway of last resort set, then a default route is redistributed into OSPF.


Propagating Default Route in OSPF

default-information originate [always] [metric metric-value] [metric-type type-value] [route-map map-name]

• default-information originate When a gateway of last resort is present in the router, causes a default route to be redistributed into OSPF.

• always (Optional) Always advertises the default route regardless of whether the software has a default route.

• metric (Optional) Metric used for generating the default route. The default metric value is 10.

• metric-type (Optional) External link type: Type 1 or 2 external route.

• route-map (Optional) References the designated route map.

Router(config)#

˚ The “default-information originate” command is configured as part of OSPF. It redistributes a default route into OSPF if the gateway of last resort is set on the router.

˚ The always extension configures a default route to be redistributed regardless of whether the gateway of last resort is set or not.

˚ The metric extension allows a seed metric to be set on the redistributed default route.

˚ The metric-type extension allows the redistributed route to be set as a type 1 or type 2 external OSPF route. The default is type 2.

˚ The route-map extension tells the redistribution process of the default route to reference a route map. The guidelines established within the route map are then applied to the redistribution process.
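An added example (not the course's own configuration) of the default-information originate options above, as they would be applied on the OSPF edge router from the previous page. The OSPF process id 1, area 0, the internal network 148.18.1.0/24, and the prefix-list and route-map names are assumptions; the use of the route-map to make origination conditional on the upstream prefix being present is a common practice, but verify it on your IOS release.

```cisco
! Router 1 (edge router) - added example, assumed values marked below
!
! Static default pointed at the BGP-learned classful network.
ip route 0.0.0.0 0.0.0.0 148.43.0.0
!
! Assumed: only originate the default while the upstream prefix that
! the static route depends on is actually in the routing table.
ip prefix-list UPSTREAM seq 5 permit 148.43.0.0/16
!
route-map DEFAULT-IF-UPSTREAM permit 10
 match ip address prefix-list UPSTREAM
!
router ospf 1
 network 148.18.1.0 0.0.0.255 area 0
 ! metric 20      - seed metric instead of the default of 10
 ! metric-type 1  - internal cost is added hop by hop, so internal
 !                  routers prefer the nearest edge router; type 2
 !                  (the default) keeps the metric fixed at the seed
 ! route-map      - origination tied to the UPSTREAM prefix above
 default-information originate metric 20 metric-type 1 route-map DEFAULT-IF-UPSTREAM
!
! Verification on an internal OSPF router:
!   show ip route 0.0.0.0        - O E1 0.0.0.0/0 with gateway of last resort set
!   show ip ospf database external 0.0.0.0
!                                - type-5 LSA for 0.0.0.0/0 from router 1
```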


Default Routing 7-Router Lab 1

Diagram (topology labels recovered from the figure): AS-1 (148.18.1.0/24) and AS-4 (148.24.1.0/24) each connect through an edge router to AS-7, which carries 7.7.7.0/24; routers 1 through 7 are linked over serial (s0/0, s0/1) and FastEthernet (f0/0) interfaces using /26 and /27 subnets.

Simulator classes will skip this exercise.

Allocate IP addresses within each AS. Utilize IPs from within each block for connections to router 7. Install BGP between routers 1 & 7 and 4 & 7. Routers 1 & 4 perform route summarization to router 7. Advertise the network 140.50.0.0 from router 7 to routers 1 and 4. This will be utilized by routers 1 & 4 as the default network. Configure EIGRP in AS-1 and AS-4. Edge routers install a static default route to the classful network. Redistribute static into EIGRP. Routers 1 – 6 should have their gateway of last resort set. Conduct a ping test from router 3 to router 6. In AS-1 and 4, turn off EIGRP and configure OSPF. Edge routers configure OSPF with the default-information originate command. Routers 1 – 6 should have their gateway of last resort set. Conduct a ping test from router 3 to router 6.


Default Routing 8-Router Lab 1

Diagram (topology labels recovered from the figure): AS-1 (148.18.1.0/24) and AS-4 (148.24.1.0/24) each connect through an edge router to AS-7, which carries 7.7.7.0/24; routers 1 through 8 are linked over serial (s0/0, s0/1) and FastEthernet (f0/0) interfaces using /26 and /27 subnets.

Simulator classes will skip this exercise.

Allocate IP addresses within each AS. Utilize IPs from within each block for connections to router 8. Install BGP between routers 1 & 8 and 4 & 8. Routers 1 & 4 perform route summarization to router 8. Advertise the network 140.50.0.0 from router 8 to routers 1 and 4. This will be utilized by routers 1 & 4 as the default network. Configure EIGRP in AS-1 and AS-4. Edge routers install a default static route to the classful network. Redistribute static into EIGRP. Routers 1 – 7 should have their gateway of last resort set. Conduct a ping test from router 3 to router 7. In AS-1 and 4, turn off EIGRP and configure OSPF. Edge routers configure OSPF with the default-information originate command. Routers 1 – 7 should have their gateway of last resort set. Conduct a ping test from router 3 to router 7.


Default Routing 7-Router Lab 2

Diagram (topology labels recovered from the figure): AS-1 (148.16.1.0/24) and AS-4 (148.26.1.0/24) each have an edge router peering with AS-7, which carries 7.7.7.0/24; routers 1 through 7 are linked over serial (s0/0 through s0/3) and FastEthernet (f0/0) interfaces using /26 and /27 subnets.

Configure BGP between the edge routers as shown above. Advertise the network 140.50.0.0 from router 7 to other BGP routers. Operate each AS with EIGRP and then OSPF. Install default routing within each AS with each protocol. Conduct a ping test from router 2 to router 5. With two edge routers present, there will be multiple default route candidates. Note how each internal router (2 & 5) reacts to the multiple default routes. Make changes to the network – link down, manipulate metrics, etc. - to see how the routers react from a default network standpoint.


Default Routing 8-Router Lab 2

Diagram (topology labels recovered from the figure): AS-1 (148.16.1.0/24) and AS-4 (148.26.1.0/24) each have an edge router peering with AS-8, which carries 7.7.7.0/24; routers 1 through 8 are linked over serial (s0/0 through s0/3) and FastEthernet (f0/0) interfaces using /26, /27 and /28 subnets.

Simulator classes will perform this exercise.

Equipment classes, allocate IPs. Simulator classes will use the IP addressing scheme shown on their screens.

Simulator class students: each student will configure routers 1, 4, and 8. All other routers are already configured. Routers 1, 2, and 3 will use OSPF as the internal protocol. Routers 4, 5, 6 and 7 will use EIGRP as the internal protocol. All stations configure the host computer for router 1 on Local Area Connection 4. Everyone: Configure BGP between the edge routers as shown above. Advertise the network 140.50.0.0 from router 8 to other BGP routers. Operate each AS with EIGRP and then OSPF. Install default routing within each AS with each protocol. Conduct a ping test from router 2 to router 6. With two edge routers present, there will be multiple default route candidates. Note how each internal router (2 & 6) reacts to the multiple default route candidates. Make changes to the network – link down, manipulate metrics, etc. - to see how the routers react from a default network standpoint.


Default Routing Review Questions


1. Which of the following best describes a default route?
a. A backup for internal routes
b. A routing table entry that matches all destination IPs
c. A route that points to core Internet routers
d. A backup route for use if the routing protocol fails

2. What is the difference between a default route and a gateway of last resort?
a. Nothing, they are the same
b. Multiple default routes can be candidates for the gateway
c. Multiple gateways can be candidates for default routes
d. Gateways of last resort are Internet core routers and default routes are part of this

3. What are the options for pointing a static route?
a. interface and next hop
b. distance and metric
c. ip default-network and default-information originate
d. always and metric-type

4. Which of the following is a benefit of default routing?
a. ease of configuration
b. limits the spread of routing updates
c. increases the amount of bandwidth
d. decreases the reliance on ICMP

5. Which of the following is a benefit of default routing?
a. requires no routing protocol configuration
b. limits the spread of SNMP
c. reduces the size of the routing table
d. eliminates the need for routing updates

6. The “ip default-network” command is considered classful.
a. true
b. false

7. A router receives a classful network advertisement via BGP. This router is also operating with EIGRP. The router installs the “ip default-network” command with this classful network number. This default network will be shared with its EIGRP neighbors.
a. true
b. false

8. The “default-information originate” command within OSPF does what?
a. installs a gateway of last resort into the routing table
b. configures that router to become an ASBR
c. sets up a default static route
d. redistributes a default route into the OSPF process


9. It is possible to set the metric of the default route redistributed into OSPF.
a. true
b. false

10. Which of the following can occur if default routing is not implemented?
a. increased router performance
b. decreased routing table size
c. additional router configuration
d. router latency

11. Within OSPF, the default route must be pointed at a classful network.
a. false
b. true

12. The “ip default-network” command redistributes a default route into EIGRP.
a. true
b. false

Dynamic Multi-Point Virtual Private Networks (DMVPN)

JNN Network – Satellite Backbone

Diagram (labels recovered from the figure): Hub Node (Div/Corps) with connections to DISN/GIG and DISN/GIG (cable) and to STEP; JNN (BCT) reached over Ku FDMA; BN CPNs (Battalion level units) reached over Ku TDMA.

The JNN network utilizes a Ku Band commercial satellite network for the backbone interconnectivity of its systems. Both Time Division Multiple Access (TDMA) and Frequency Division Multiple Access (FDMA) are utilized. The JNN network architecture is composed of three primary elements: 1) the Unit Hub Node (UHN), 2) the Joint Network Node (JNN), and 3) the Battalion Command Post Node (Bn CPN). These systems provide communications support to the various elements within an Army Division. The UHN is located at the Division and/or the Corps element. It provides connectivity to the Defense Information Systems Network (DISN) and the Global Information Grid (GIG). The UHN uses both FDMA and TDMA satellite links. The JNN is located at the Brigade Combat Team (BCT) element. It serves as a distribution point for the various systems within the BCT and provides direct network services for the Brigade headquarters elements. The JNN can utilize both TDMA and FDMA satellite connectivity; it has a single FDMA link, which usually connects to the UHN. The Bn CPN provides direct network access to users within a Battalion element. It uses only TDMA satellite connectivity. It has permanent links to the UHN and/or JNN and can establish on-demand connections to other CPNs within the BCT.


Why Satellite?

• Allows for beyond line of sight (BLOS) extension.

• Accessible from virtually anywhere on the battlefield.

• No need for extensive “link” planning for installation of ground systems at a new location.

• Scales well for maneuver units.

• Current ground equipment readily transportable.

The use of satellite communications by the JNN network allows for the installation and operation of a very flexible intra-network backbone for its users. Tactical line of sight (LOS) radio systems are normally limited to a maximum range of approximately 40 miles, which limits the area of a battlefield that maneuver units can cover. With satellite, two systems can establish a radio link as long as they are within the earth “footprint” of the satellite coverage. This coverage can be rather large, allowing systems to be hundreds of miles apart. LOS radio link installation requires extensive planning and engineering, utilizing complex computer programs to produce a path “profile”, and it is not always possible to establish an LOS radio link between two locations. Whenever LOS radio systems are moved to a new location, this link planning must be conducted again prior to the installation of the new radio link. Satellite, on the other hand, requires only initial link planning for the installation of radio links. Once this is done, systems can move almost anywhere within the footprint and reestablish the radio link. In addition, there are virtually no limits to establishing a satellite link as long as there is a clear line of sight path between the earth system and the satellite. With the flexibility noted above, satellite based systems serve well in meeting the needs of Army combat units. As changes occur on the battlefield and units are required to move, satellite based systems provide them the ability to rapidly terminate and reestablish communications in a minimal amount of time.


The current satellite systems utilized with the JNN systems are mounted on a tactical two wheeled trailer pulled by a HMMWV. This makes the system readily transportable for tactical maneuver units.


FDMA

• Users transmit on one carrier frequency and receive on another.
• 2 carriers per full duplex link (point to point).
• Scales poorly – inefficient use of space segment.
• Does not support ad hoc networking.
• Dedicated bandwidth, not shared.
• No delay for link connection.

TDMA

• Users share carrier(s) for both transmit and receive.
• Additional carriers can be defined to support network growth.
• Scales well – efficient use of valuable space resource.
• Supports ad hoc networking well.
• Bandwidth is a shared resource, not dedicated.
• Slight delay in establishing link connection.

Space Segment Usage/Efficiency

* Space segment efficiency directly related to type of modulation/encoding used.

Provided by BCBL(G)

Frequency Division Multiple Access: FDMA is a traditional technique whereby earth stations transmit simultaneously on different pre-assigned frequencies into a common satellite transponder. Each FDMA carrier is allotted a certain amount of bandwidth. This carrier is constantly transmitted to the satellite, processed by it, and retransmitted back to earth regardless of user traffic. Only the system assigned a given transmit frequency can use the allocated bandwidth. Time Division Multiple Access: TDMA is a digital transmission technology that allows a number of users to access a single radio frequency (RF) carrier without interference by allocating unique time slots to each user within each carrier. The type utilized within JNTC-S is referred to as Multi-Frequency TDMA Demand Assigned Multiple Access. This allows for dynamic allocation of time slots based on user requirements and allows multiple carriers on the satellite within the TDMA network, forming a “bandwidth pool” for the users.


FDMA/TDMA Satellite Payload Users Present

• Above depicts two users communicating via a satellite link – TDMA or FDMA.
• Spectrum analyzer display depicts the radio carrier used between the two systems.
• The carrier has a center frequency plus a certain amount of bandwidth.
• Amount of bandwidth is dependent upon the data rate transfer.

The above diagram displays two ground based satellite systems with a radio link established between the two through a satellite. This could be an FDMA or TDMA link. There are two users communicating through this link with laptop computers. Depicted between the two systems is a display from a spectrum analyzer. The “hump” on the screen is a representation of the radio carrier being received by one of the satellite systems. The carrier has a center frequency and a certain amount of bandwidth being utilized on each side of this center frequency. The amount of bandwidth is determined by the data rate being transmitted by the earth systems.


FDMA Satellite Payload – No Users Present

• Above depicts two systems with no user data being transferred.
• Satellite resource utilization remains unchanged on an FDMA link.
• Carrier can only be utilized by systems with the pre-assigned frequency & bandwidth.
• User activity or inactivity has no effect on satellite resource utilization.

The diagram now shows no user traffic being transmitted through the satellite radio link. From a satellite resource utilization standpoint, there would be no change on an FDMA link (as depicted by the spectrum analyzer display). FDMA systems have pre-assigned frequencies and pre-assigned bandwidth allocation; only the systems allocated these resources can utilize them. User activity or inactivity has no effect on satellite resource utilization.


TDMA Satellite Payload – No Users Present

• Above depicts two systems with no user data being transferred.
• No satellite resources are utilized on a TDMA link.
• Once user data transfer is complete, bandwidth is returned to a pool for use by other systems.
• Bandwidth is allocated on demand – based on user requirements.
• User activity or inactivity has a direct effect on satellite resource utilization.

The diagram still shows no user traffic being transmitted through the satellite radio link. From a satellite resource utilization standpoint, there would be a change on a TDMA link (as depicted by the spectrum analyzer display). Resources on a TDMA satellite network are allocated based on user requirements. When users communicating through a TDMA satellite link have information to transfer, resources (a carrier with a center frequency and bandwidth) are allocated to support the requirement. Once the transfer of this information is complete, the resources are returned to a pool for use by other systems as needed.


Virtual Private Network (VPN)

• Internet Engineering Task Force (IETF): A VPN is "An emulation of a private Wide Area Network (WAN) using shared or public IP facilities, such as the Internet or private IP backbones."

• In simpler terms, a VPN is an extension of a private intranet across a public network (the Internet) that ensures secure and cost-effective connectivity between the two communicating ends.

[Diagram: Headquarters, Home Office and Branch Office connected to one another by a VPN across the Internet.]

A virtual private network (VPN) is a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network. A virtual private network can be contrasted with an expensive system of owned or leased lines that can only be used by one organization. The goal of a VPN is to provide the organization with the same capabilities, but at a much lower cost. VPNs establish a secure network over insecure or public networks. VPNs can take many different forms and be implemented in various ways. VPNs achieve their security by encrypting the traffic that they transport, preventing eavesdropping or interception. In simplest terms, a VPN is fundamentally a secure tunnel established between two or more endpoints. A VPN can be constructed with or without the knowledge of the network provider, and can span multiple network providers.


Tunneling

[Diagram: original IP packet = IP Hdr | TCP Hdr | Data; the same packet encapsulated with a tunnel protocol = New IP Hdr | Tunnel Hdr | Orig IP Hdr | TCP Hdr | Data | Tunnel Trailer.]

• VPNs are established with the help of private logical tunnels. Tunneling is the encapsulation of one protocol within another.

• Tunnels enable the two ends to exchange data in a manner that resembles point-to-point communications.

• From a routing protocol standpoint, the two routers depicted above would act as directly connected neighbors through the tunnel even though there may be several other routers physically between them.

VPNs are established with the help of private logical "tunnels." These tunnels enable the two ends to exchange data in a manner that resembles point-to-point communication. Tunneling technology lies at the core of VPNs. In addition, elaborate security measures and mechanisms can be used to ensure safe passage of sensitive data across an unsecured medium. Tunneling is the technique of encapsulating a data packet in a tunneling protocol, such as IP Security (IPSec), Point-to-Point Tunneling Protocol (PPTP), or Layer 2 Tunneling Protocol (L2TP), and then packaging the tunneled packet into an IP packet. The resultant packet is then routed to the destination network using the outer IP information. Because the original data packet can be of any type, tunneling can support multi-protocol traffic, including IP, ISDN, FR, and ATM.


Tunnel Protocols

• Point-to-Point Tunneling Protocol (PPTP)

• Layer 2 Tunneling Protocol (L2TP)

• Internet Security Protocol (IPSec)*

• Generic Routing Encapsulation (GRE)

• Multi-point Generic Routing Encapsulation (mGRE)*

*utilized within the JNN network architecture

˚ Point-to-Point Tunneling Protocol (PPTP) - Developed by Microsoft, 3COM, and Ascend Communications, PPTP was proposed as an alternative to IPSec. However, IPSec still remains the favorite tunneling protocol. PPTP operates at layer 2 (Data Link layer) of the OSI model and is used for secure transmission of Windows-based traffic.

˚ Layer 2 Tunneling Protocol (L2TP) - Developed by Cisco Systems, L2TP was also intended to replace IPSec as the de facto tunneling protocol. However, IPSec still continues to be the dominant protocol for secure communication over the Internet. L2TP is a combination of Layer 2 Forwarding (L2F) and PPTP and is used to encapsulate Point-to-Point Protocol (PPP) frames to be sent over X.25, FR, and ATM networks.

˚ IP Security (IPSec) - Developed by IETF, IPSec is an open standard that ensures transmission security and user authentication over public networks. Unlike other encryption techniques, IPSec operates at the Network layer of the seven-layer Open System Interconnect (OSI) model. Therefore, it can be implemented independently of the applications running over the network. As a result, the network can be secured without the need to implement and coordinate security for each individual application.


˚ Generic Routing Encapsulation (GRE) - A tunneling protocol developed by Cisco that can encapsulate a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to Cisco routers at remote points over an IP inter-network. GRE allows routing updates to be sent over links that do not support broadcast and/or multicast.

˚ Multi-Point Generic Routing Encapsulation (mGRE) - mGRE allows a single GRE tunnel interface to support multiple tunnels (GRE is strictly point to point). This greatly simplifies the tunnel configuration and, when used in conjunction with NHRP, tunnels can be established dynamically.


GRE Tunnel

[Diagram: Router 1 (s0/0 1.1.1.1/30, LAN 12.12.12.0/24 with host .2) and Router 2 (s0/0 2.2.2.1/30, LAN 11.11.11.0/24 with host .2) connected through the Internet. The original packet (IP Hdr s 12.12.12.2 d 11.11.11.2 | UDP | Payload) is carried unchanged inside a GRE header and a tunnel IP header with s 1.1.1.1 d 2.2.2.1; router 2 strips the tunnel header and GRE header before delivery.]

• Routers 1 & 2 have a GRE tunnel established.
- host 12.12.12.2 sends a packet to host 11.11.11.2
- router 1 encapsulates the packet with the IPs assigned to the serial interfaces.
- router 2 de-encapsulates and delivers the original packet.

• Packet is routed through the internet based on the tunnel IP header.

Generic Routing Encapsulation (GRE) is a Cisco proprietary (but published) standard for encapsulating routing protocols. It can encapsulate a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to Cisco routers at remote points over an IP inter-network. By connecting multi-protocol sub-networks in a single-protocol backbone environment, IP tunneling that uses GRE allows network expansion across a single-protocol backbone environment. GRE, as specified in [RFC2784], is an IETF standard defining a multi-protocol encapsulation format that is suitable to tunnel any network layer protocol over any network layer protocol. Because GRE can encapsulate differing protocols, it has been widely used to transport traffic between locations using a shared protocol but joined by a WAN connection using a different layer 3 protocol (two locations using IPX, for instance, which need to communicate through an IP backbone). GRE may also be used to provide VPN services for networks configured with potentially overlapping private address space. A GRE header allows the identification of the type of the protocol that is being carried over the GRE tunnel, thus allowing IP networks to serve as a bearer service onto which a virtual multi-protocol network can be designed and implemented. GRE can be used to transport multicast routing protocol traffic across unicast IPSec tunnels.
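The encapsulation Router 1 performs and the checks Router 2 makes before delivering the inner packet, as an added Python example (not material from the course or Cisco code): it builds the RFC 2784 basic GRE header and a new outer IPv4 header around the diagram's 12.12.12.2 to 11.11.11.2 packet, then strips them again. The UDP datagram, TTL and identification values are constructed sample data, and the function names are this example's own.

```python
import struct
import ipaddress

IPPROTO_GRE = 47          # protocol number in the outer IP header that announces GRE
GRE_PROTO_IPV4 = 0x0800   # GRE protocol type for an encapsulated IPv4 packet (RFC 2784)


def ip_checksum(data: bytes) -> int:
    """One's-complement checksum over an IP header; verifies to 0 on a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal 20-byte IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def gre_encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Router 1: prepend a GRE header and a new outer IP header addressed to the far end."""
    # Basic RFC 2784 header: C bit clear, reserved0 = 0, version = 0, then the protocol type.
    gre_hdr = struct.pack("!HH", 0x0000, GRE_PROTO_IPV4)
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_GRE, gre_hdr + inner_packet)


def outer_addresses(packet: bytes) -> tuple:
    """(src, dst) of the outermost header: the only addresses transit routers look at."""
    return (str(ipaddress.IPv4Address(packet[12:16])), str(ipaddress.IPv4Address(packet[16:20])))


def gre_decapsulate(outer_packet: bytes, expected_dst: str) -> bytes:
    """Router 2: validate the outer IP and GRE headers, then return the original packet."""
    version, ihl = outer_packet[0] >> 4, (outer_packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(outer_packet) < ihl + 4:
        raise ValueError("not a well-formed IPv4 packet")
    outer = outer_packet[:ihl]
    if ip_checksum(outer) != 0:
        raise ValueError("bad outer IP header checksum")
    if outer[9] != IPPROTO_GRE:
        raise ValueError("outer protocol %d is not GRE" % outer[9])
    if outer_addresses(outer)[1] != expected_dst:
        raise ValueError("tunnel packet is not addressed to this tunnel endpoint")
    flags_ver, ptype = struct.unpack("!HH", outer_packet[ihl:ihl + 4])
    if flags_ver & 0x0007:
        raise ValueError("unsupported GRE version")
    gre_len = 8 if flags_ver & 0x8000 else 4   # C bit set: checksum + reserved1 present
    if ptype != GRE_PROTO_IPV4:
        raise ValueError("unexpected GRE protocol type 0x%04x" % ptype)
    return outer_packet[ihl + gre_len:]


def lab_exchange() -> dict:
    """Constructed sample: host 12.12.12.2 sends a UDP datagram to host 11.11.11.2."""
    udp = struct.pack("!HHHH", 40000, 53, 8 + 5, 0) + b"hello"   # UDP header + payload, no checksum
    original = build_ipv4("12.12.12.2", "11.11.11.2", 17, udp)   # 17 = UDP
    tunneled = gre_encapsulate(original, "1.1.1.1", "2.2.2.1")   # Router 1
    delivered = gre_decapsulate(tunneled, "2.2.2.1")             # Router 2
    return {"original": original, "tunneled": tunneled, "delivered": delivered,
            "routed_on": outer_addresses(tunneled), "overhead": len(tunneled) - len(original)}


if __name__ == "__main__":
    result = lab_exchange()
    print("outer header:", result["routed_on"], "overhead:", result["overhead"], "bytes",
          "intact:", result["delivered"] == result["original"])
```

The 24 bytes of overhead (20-byte outer IP header plus 4-byte GRE header) are why the tunnel MTU discussed later in the DMVPN section has to be set below the physical MTU.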


interface Tunnel0 - creates a tunnel interface
ip address 10.10.10.1 255.255.255.252 - assigns IP address & mask to the tunnel
tunnel source Serial0/0 - specifies which physical interface the tunnel will utilize
tunnel destination 148.43.200.9 - specifies the physical address associated with the distant end of the tunnel

GRE Tunnel Configuration

• GRE tunnels are point-to-point networks.

• GRE is the default tunnel encapsulation on a Cisco router.

• The physical IPs are used for encapsulating & routing the packet.

The configuration commands above will establish a simple static GRE tunnel on a router. Once configured, the router treats the virtual tunnel interface the same as a physical interface.
- interface tunnel0: creates the tunnel interface; the tunnel can be designated with any unique number. (NOTE: the three following commands are applied to the tunnel interface.)
- ip address: assigns an IP address and mask to the tunnel interface.
- tunnel source: specifies which physical interface on the router the tunnel interface will utilize to establish a connection to the distant end tunnel interface.
- tunnel destination: specifies the address of the physical interface the distant end tunnel interface is utilizing as its tunnel source.
GRE IP is the default tunnel encapsulation on a Cisco router and therefore does not have to be configured.


GRE Tunnel Lab 1

interface Tunnel0
ip address 10.10.10.1 255.255.255.252
tunnel source Serial0/0
tunnel destination 148.43.200.9

interface Tunnel0
ip address 10.10.10.2 255.255.255.252
tunnel source Serial0/0
tunnel destination 148.43.200.10

[Diagram: two routers directly connected via s0/0 (148.43.200.9/30 and 148.43.200.10/30), one configuration above per router, each with an Ethernet LAN behind it (12.12.12.0/24 and 11.11.11.0/24).]

• Install the network as shown above.

• Enable EIGRP; configure network statements for the tunnel and Ethernet interface networks only.

• Once complete, ping from host computer to host computer.

In this lab, establish a point-to-point router network. Then configure tunnel interfaces on each router using the configuration examples above. Once the tunnel interfaces are installed, configure EIGRP with network statements for the tunnel interfaces and the Ethernet segments. Perform a ping test from a host on one Ethernet segment to a host on the other. Examine the routing table of each router. What is the next hop address of the networks learned via EIGRP? The above diagram has a tunnel being established between two directly connected routers. It is possible to establish a tunnel between two routers with multiple routers in between. The two tunnel interfaces would act as if they are directly connected. The same routing protocol cannot be used on both the tunnel interface and the physical interface acting as the tunnel source.


GRE Tunnel Lab 2

[Diagram: routers 1 through 8 share one broadcast multi-access segment, each attached via f0/0 with addresses .193/28 through .200/28 (router 1 at .193, the others at .194 through .200); behind each router is its own LAN, 11.11.11.0/24 through 18.18.18.0/24.]

If time permits, install the above network within the classroom. The above is a broadcast multi-access network. The goal is to establish tunnels between all the systems. The following is a configuration example for router 1. Based on this example, as a group come up with an addressing & configuration scheme for each router within the tunneled network:

˚ Tunnel0 10.10.10.1/30, dest 148.43.200.194
˚ Tunnel1 10.10.10.5/30, dest 148.43.200.195
˚ Tunnel2 10.10.10.9/30, dest 148.43.200.196
˚ Tunnel3 10.10.10.13/30, dest 148.43.200.197
˚ Tunnel4 10.10.10.17/30, dest 148.43.200.198
˚ Tunnel5 10.10.10.21/30, dest 148.43.200.199
˚ Tunnel6 10.10.10.25/30, dest 148.43.200.200

How many /30 subnets would need to be created in this topology? By having all of these tunnels permanently in place, what effect would this have on the TDMA satellite network? If a router was added or removed from the topology, what would have to take place within the configurations? The statically configured point-to-point nature of these GRE tunnels, each needing dedicated satellite bandwidth, makes them a poor choice for our networks.


DMVPN

[Diagram: Bn CPN systems connected through a commercial TDMA satellite network to the JNN.]

• DMVPN technology is used within the JNN network architecture.

• Static VPNs are configured by Bn CPN systems to the Hub/JNNs.

• VPN connections between CPN systems are dynamically established, as needed, utilizing DMVPN technology.

• TDMA satellite bandwidth is a shared resource; DMVPNs allow this to be utilized more efficiently.

The JNN network uses satellite links as the backbone to interconnect its IP-based systems. There are two types of satellite networks within the JNN architecture: Time Division Multiple Access (TDMA) and Frequency Division Multiple Access (FDMA). For the past several years, legacy tactical communications systems have utilized FDMA satellite networks. FDMA satellite ground stations are assigned an uplink frequency, a downlink frequency, and a certain amount of bandwidth. These resources can then only be used by that system even if there is actually no user communications going through this link. TDMA, on the other hand, pools satellite bandwidth for use by ground systems on an as-needed (on-demand) basis. It is somewhat similar to a radio Ethernet network. For IP-based systems to effectively utilize this TDMA network, dynamic multi-point virtual private networks (DMVPN) are established. IP Security (IPSec) is used to encrypt and authenticate the DMVPN traffic. DMVPNs need two protocols we have not yet configured: multi-point generic routing encapsulation (mGRE) and next hop resolution protocol (NHRP). A DMVPN network is based on a hub/spoke topology. One system acts as the hub and all the others are spokes. Each spoke configures a permanent virtual connection to the hub. When a spoke system has traffic for another spoke, it is first routed through the hub. Using NHRP, the hub provides the appropriate information so that a temporary link can be made between the two spoke systems. Since these satellite links are established as needed, and are 'torn down' after use, the DMVPN TDMA mesh efficiently uses the satellite resources.


What is a DMVPN?

• DMVPNs allow the dynamic establishment of multiple GRE tunnels through a single tunnel interface.
- based on a hub/spoke network design
- tunnels can be established dynamically (as needed)
- more efficiently utilizes network resources
- minimizes router configuration size
- allows routers to be added or removed from the topology without reconfiguring present routers

• Two protocols are utilized within DMVPNs.
- Multi-point GRE (mGRE)
- Next Hop Resolution Protocol (NHRP)

The idea behind DMVPNs is that tunnels between certain routers will be established only when needed. This has many benefits. The design is based on a hub/spoke topology with all spoke systems having a permanently configured tunnel to the hub system. Then, as required, the spoke systems dynamically establish tunnels between each other with information provided by the hub. This establishing of tunnels as needed and then terminating them once packet transfer is complete is very efficient in that network resources are only utilized when needed. Permanent VPNs (tunnels) utilize network resources even when there is no user traffic being transferred through the tunnel. When utilizing static tunnels with GRE, a separate tunnel interface and subnet must be configured between the hub and each spoke. Depending on the number of routers involved, the size of the configuration and the number of IPs required can become quite extensive. DMVPNs, by contrast, have a simple configuration and the size of the configuration remains the same regardless of the number of routers participating. As the network topology changes (adding or removing routers), the configurations of the existing routers do not have to be modified. This makes the scaling of a DMVPN network very flexible. Static tunnels, by contrast, would require configuration changes to all routers within the network topology.


To fully establish DMVPNs then, three protocols are used: Multi-point GRE (mGRE), Next Hop Resolution Protocol (NHRP), and a dynamic routing protocol (OSPF or EIGRP).


Multi-Point Generic Routing Encapsulation

• mGRE — allows a single GRE tunnel interface to support multiple tunnels.

• GRE tunnel configuration consists of:
- ip address & mask
- tunnel source
- tunnel destination
- optional tunnel key

• mGRE tunnel configuration consists of:
- ip address & mask
- tunnel source
- tunnel key

• With mGRE, the tunnel destination is not defined.

• mGRE relies on NHRP to supply the tunnel destination information which it then utilizes to dynamically establish the tunnel.

Tunneling protocols such as IPSec can only support IP unicast traffic. Routing protocols such as OSPF and EIGRP exchange routing information via multicast; therefore, tunneling protocols such as IPSec cannot support dynamic routing. GRE was created to support multi-protocol traffic (IPX & AppleTalk) and in addition supports all types of IP traffic (unicast, broadcast, & multicast). GRE, however, only supports point-to-point tunneling in which the source and destination addresses are specified. For each additional tunnel, a separate tunnel interface must be configured with the source and destination specified. mGRE, on the other hand, allows the establishment of multiple tunnels via a single tunnel interface. It is in a sense a broadcast multi-access tunnel interface. Within the mGRE configuration, only the source addressing information is supplied. The destination address is learned dynamically, relying on another protocol such as NHRP.


Next Hop Resolution Protocol (NHRP)

• Client/server protocol: hub is server & spokes are clients.

• Each client registers with server: tunnel address and associated tunnel source interface address (physical).

• Server maintains an NHRP database of these registrations.

• Clients request next hop information (tunnel to physical address resolution) from server to establish dynamic tunnel to another spoke.

Next Hop Resolution Protocol (NHRP) is a client/server protocol that provides the capability for the spoke routers to dynamically learn the exterior physical interface address of other spoke routers within the DMVPN topology. Spoke routers are considered the clients and the hub router is the Next Hop Server (NHS). NHRP was originally used by Non-Broadcast Multi-Access (NBMA) networks in a multiprotocol network layer environment. A source station (host or router) connected to an NBMA subnetwork used NHRP to learn the "NBMA next hop" address associated with a destination network. NHRP has been incorporated into the DMVPN Broadcast Multi-Access environment as a means to discover the destination physical address needed to perform the extra tunnel encapsulation. When a host within the JNN system creates an IP packet and sends it to the local router, a route look-up takes place as usual. The router looks for the appropriate exit interface that reaches the destination network. Within our TDMA / DMVPN topology, the exit interface will be listed as the local tunnel interface. Furthermore, the next hop address (the 'via' address in the routing table entry) will be the tunnel interface IP address of the distant station. An NHRP Resolution Request is therefore generated toward the NHS. This request is to discover what physical interface address (tunnel source interface) at the distant station matches the distant tunnel interface address.


(Remember, the destination tunnel source address was defined in GRE configurations, but not in mGRE.) The NHS has this information as a result of each client router's NHRP registration with the next hop server.


NHRP (1)

• Hub is the NHRP server, spokes are clients.
• Clients register to server with address mapping information.
• Server replies to clients once registration is complete.

[Diagram: server (hub) with tunnel 10.10.10.1/28 and f0/1 148.43.200.1/29; client 1 with tunnel 10.10.10.2/28 and f0/1 148.43.200.10/29; client 2 with tunnel 10.10.10.3/28 and f0/1 148.43.200.20/29; all connected over TDMA. Client 1 sends NHRP Registration 10.10.10.2 148.43.200.10 and client 2 sends NHRP Registration 10.10.10.3 148.43.200.20; the server answers each with a Registration Reply and its NHRP Database now holds 10.10.10.2 148.43.200.10 and 10.10.10.3 148.43.200.20.]

The registration request is sent from the client (spoke) to the server (hub) in order to identify or register its NHRP information. The destination protocol address field is set to the server's IP address, or to the address of the client in the event the client is not specifically configured with next hop server information. If the address field is set with the server's address or with a client's address that is within the same subnet as the server, then the server places the client NHRP information in its NHRP database. The server then sends a registration reply to the client informing it that it is now registered with this server. If the destination protocol address field is not set with the server's address and the client IP is not within the same subnet as the server, then the server forwards the registration to another next hop server.


NHRP (2)

• Client 1 has packets destined for a network belonging to client 2.
• Client 1 sends request to server for resolution of the next hop tunnel address to physical address of client 2.

[Diagram: same topology as NHRP (1) (server tunnel 10.10.10.1/28, f0/1 148.43.200.1/29; client 1 tunnel 10.10.10.2/28, f0/1 148.43.200.10/29; client 2 tunnel 10.10.10.3/28, f0/1 148.43.200.20/29; connected over TDMA). Client 1 sends an NHRP Resolution Request for 10.10.10.3 to the server, whose NHRP Database holds 10.10.10.2 148.43.200.10 and 10.10.10.3 148.43.200.20.]

A resolution request is sent from a client to the server in order to identify the address for the next hop end point in the network. If the requested endpoint is registered with the server that has received the request, then it formulates a reply based on information contained in its database. Otherwise, the request must be forwarded to a next hop server that has a listing for that endpoint. Within the JNN DMVPN network, the request contains the destination router’s tunnel address, and is requesting the destination's associated physical address.


NHRP (3)

• Server replies with the tunnel to physical address resolution.
• Client 1 enters this into its NHRP database.

[Diagram: same topology as NHRP (1). The server sends an NHRP Resolution Reply 10.10.10.3 148.43.200.20 to client 1. The server's NHRP Database still lists 10.10.10.2 148.43.200.10 and 10.10.10.3 148.43.200.20; client 1's NHRP Database now holds 10.10.10.3 148.43.200.20.]

A resolution reply is sent from the server to the requesting client. The reply provides a mapping of the requested destination tunnel address to the destination physical address. This information is then entered into the client's NHRP database. This type of reply is termed an authoritative reply. The server that supports the subnet in question generates the reply. In the case where a resolution request was forwarded by an NHRP server to another server, it is possible for a server to receive a resolution reply. Once it has received the reply, it forwards it to the originating client. It also caches this reply for later use. When the same request is received again, it can use this cached information to reply instead of forwarding the request to the server that actually supports that subnet. This type of reply is termed non-authoritative.


NHRP (4)

• Client 1 utilizes received NHRP info to establish a dynamic tunnel to client 2.
• Tunnel will be terminated after a predetermined amount of time.

[Diagram: same topology as NHRP (1). Client 1 (NHRP Database: 10.10.10.3 148.43.200.20) now sends its packets (IP Hdr | UDP | Payload inside a GRE header and a tunnel IP header with s 148.43.200.10 d 148.43.200.20) directly to client 2 over the TDMA network through a dynamic tunnel; the server's NHRP Database still lists 10.10.10.2 148.43.200.10 and 10.10.10.3 148.43.200.20.]

Once the client (spoke) has received the reply from the server and has entered it into its NHRP database, it now has the required information to establish a dynamic tunnel to the other spoke. When configuring mGRE tunnels, the information supplied is the IP address & mask of the tunnel and the source physical interface to be utilized by the tunnel. In addition to packets utilizing the tunnel actually exiting the configured physical interface, the tunneled packet also uses the IP address assigned to the physical interface as its source address. NHRP is dynamically supplying the destination physical address. The tunnel will be terminated after a predetermined amount of time. By default, the tunnel will stay active for 120 minutes. This value can be changed within the tunnel configuration.
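The registration, resolution and tunnel-expiry exchange of NHRP (1) through (4) above, as an added Python model (not the course's material and not Cisco's implementation). The hub, client and physical addresses are the diagrams' values; the 7200-second holdtime is the 120-minute default quoted above; the second next hop server and the forwarding between servers are assumptions added to show an authoritative reply next to a cached (non-authoritative) one.

```python
import ipaddress
from dataclasses import dataclass

DEFAULT_HOLDTIME = 7200   # seconds: the 120-minute default lifetime of a dynamic tunnel


@dataclass
class Reply:
    tunnel_addr: str        # protocol (tunnel) address that was registered or requested
    nbma_addr: str          # physical tunnel-source address it maps to
    authoritative: bool     # True when answered by the server holding the registration


class NextHopServer:
    """Hub router acting as Next Hop Server for one tunnel subnet."""

    def __init__(self, tunnel_addr, tunnel_net, upstream=None):
        self.tunnel_addr = tunnel_addr
        self.tunnel_net = ipaddress.ip_network(tunnel_net)
        self.upstream = upstream   # assumed second NHS that non-local requests are forwarded to
        self.db = {}               # NHRP database: tunnel address -> NBMA (physical) address
        self.cache = {}            # mappings learned from replies forwarded by the upstream NHS

    def registration(self, client_tunnel, client_nbma, dest_addr):
        """Registration request; dest_addr is the packet's destination protocol address."""
        if dest_addr == self.tunnel_addr or ipaddress.ip_address(dest_addr) in self.tunnel_net:
            self.db[client_tunnel] = client_nbma
            return Reply(client_tunnel, client_nbma, True)        # registration reply
        if self.upstream is not None:                              # not ours: forward it
            return self.upstream.registration(client_tunnel, client_nbma, dest_addr)
        return None

    def resolution(self, requested_tunnel):
        """Resolution request: which physical address sits behind this tunnel address?"""
        if requested_tunnel in self.db:
            return Reply(requested_tunnel, self.db[requested_tunnel], True)
        if requested_tunnel in self.cache:                         # answered from cache
            return Reply(requested_tunnel, self.cache[requested_tunnel], False)
        if self.upstream is not None:
            reply = self.upstream.resolution(requested_tunnel)
            if reply is not None:
                self.cache[requested_tunnel] = reply.nbma_addr     # remember for next time
            return reply                                           # forwarded to the client
        return None


class Spoke:
    """Spoke router: NHRP client behind an mGRE tunnel interface."""

    def __init__(self, tunnel_addr, nbma_addr, nhs, holdtime=DEFAULT_HOLDTIME):
        self.tunnel_addr, self.nbma_addr, self.nhs = tunnel_addr, nbma_addr, nhs
        self.holdtime = holdtime
        self.cache = {}   # tunnel address -> (NBMA address, expiry time)

    def register(self):
        """NHRP (1): tell the configured NHS our tunnel-to-physical mapping."""
        return self.nhs.registration(self.tunnel_addr, self.nbma_addr, self.nhs.tunnel_addr)

    def next_hop(self, dest_tunnel, now):
        """NHRP (2)-(4): NBMA address for dest_tunnel plus how it was obtained."""
        entry = self.cache.get(dest_tunnel)
        if entry is not None and now < entry[1]:
            return entry[0], "cached"             # dynamic tunnel still up
        if entry is not None:
            del self.cache[dest_tunnel]           # holdtime expired: tunnel torn down
        reply = self.nhs.resolution(dest_tunnel)
        if reply is None:
            return None, "unresolved"
        self.cache[dest_tunnel] = (reply.nbma_addr, now + self.holdtime)
        return reply.nbma_addr, "resolved"

    def outer_header(self, dest_tunnel, now):
        """(src, dst) the spoke-to-spoke GRE packet is sent with, or None."""
        nbma, _ = self.next_hop(dest_tunnel, now)
        return (self.nbma_addr, nbma) if nbma else None


def build_lab():
    """Constructed topology with the addresses from the NHRP (1)-(4) diagrams."""
    hub = NextHopServer("10.10.10.1", "10.10.10.0/28")
    client1 = Spoke("10.10.10.2", "148.43.200.10", hub)
    client2 = Spoke("10.10.10.3", "148.43.200.20", hub)
    for spoke in (client1, client2):
        spoke.register()
    return hub, client1, client2


if __name__ == "__main__":
    hub, c1, c2 = build_lab()
    print("NHRP database:", hub.db)
    print("client 1 -> 10.10.10.3:", c1.next_hop("10.10.10.3", now=0))
    print("outer header:", c1.outer_header("10.10.10.3", now=60))
```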


DMVPN and Routing Protocols

• For DMVPN to work properly, a routing protocol must be enabled on the tunnel interface.

• Spokes must advertise their supported networks to the hub & the hub must propagate these to all the other spokes.

• Advertisements received by a spoke router must have the subnet's originating router listed as the next hop.

• The same routing protocol cannot be enabled on the tunnel & physical interfaces or recursive routing may occur.

For DMVPNs to work properly, a routing protocol must be utilized within the tunnel network so that the spokes can advertise their supported subnets to the hub. The hub then propagates these so that each spoke has knowledge of the subnets within the DMVPN topology. This is a key piece in the establishment of DMVPNs and can be easily overlooked. It is very common for a routing protocol to also be in operation on the physical network in addition to the tunnel network. It is very important that different routing protocols be utilized inside and outside of the tunnel to prevent recursive routing (routing loops). Recursive routing simply means that the routing table has found that the best path to the tunnel destination is through the tunnel. This means that the router cannot send the tunnel protocol’s TCP packets to the destination device because it thinks that they have to be encapsulated in the tunnel protocol again. This is a loop of sorts and the tunnel will be in a constant state of being torn down and rebuilt (up/down status). The other problem that can occur when using the same routing protocol inside and outside the tunnel is that packets can possibly be routed external to the tunnel. This can cause numerous problems and somewhat defeats the purpose of establishing the tunnel. In addition, if IPSec is being applied to the tunnel, any packets that should be going through the tunnel but are routed externally will not have IPSec applied.
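Both failure modes described above, recursive routing and traffic bypassing the tunnel, can be read straight off a routing table; this added Python check (not from the course or Cisco) does the longest-prefix lookup for the tunnel destination and for the networks that should be reached through the tunnel. The two tables are constructed from Lab 1's addresses; the recursive one assumes the multi-router variant of the lab, where the near router has a static route toward the physical path and the far router's serial subnet is learned through the tunnel.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str
    interface: str         # exit interface
    source: str            # "C" connected, "S" static, "D" EIGRP, "O" OSPF
    distance: int          # administrative distance


class RoutingTable:
    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(r.prefix), r) for r in routes]

    def lookup(self, addr):
        """Longest prefix match; equal-length prefixes decided by administrative distance."""
        addr = ipaddress.ip_address(addr)
        best = None
        for net, route in self.routes:
            if addr in net:
                key = (net.prefixlen, -route.distance)
                if best is None or key > best[0]:
                    best = (key, route)
        return best[1] if best else None


def audit_tunnel(table, tunnel_iface, tunnel_dest, tunnel_prefixes):
    """Report recursion and bypass; tunnel_prefixes are networks expected only via the tunnel."""
    findings = []
    via = table.lookup(tunnel_dest)
    if via is None:
        findings.append(f"no route to tunnel destination {tunnel_dest}")
    elif via.interface == tunnel_iface:
        findings.append(f"recursive: {tunnel_dest} is reached via {tunnel_iface} itself "
                        f"({via.source} {via.prefix}); the tunnel will flap up/down")
    for prefix in tunnel_prefixes:
        route = table.lookup(ipaddress.ip_network(prefix).network_address)
        if route is not None and route.interface != tunnel_iface:
            findings.append(f"bypass: {prefix} exits {route.interface} instead of {tunnel_iface}; "
                            "IPSec applied to the tunnel would not cover it")
    return findings


# Constructed table for Lab 1's first router (tunnel destination 148.43.200.9 on Serial0/0),
# with EIGRP running on the tunnel and Ethernet interfaces only.
GOOD_TABLE = RoutingTable([
    Route("148.43.200.8/30", "Serial0/0", "C", 0),
    Route("10.10.10.0/30", "Tunnel0", "C", 0),
    Route("12.12.12.0/24", "FastEthernet0/0", "C", 0),
    Route("11.11.11.0/24", "Tunnel0", "D", 90),       # far LAN learned through the tunnel
])

# Constructed table with the same routing protocol on the tunnel and the physical path: the far
# router's serial subnet arrives through the tunnel as a more specific prefix than the static
# route toward the physical path, so the tunnel destination is now "best reached" via the tunnel.
RECURSIVE_TABLE = RoutingTable([
    Route("148.43.200.0/24", "Serial0/0", "S", 1),
    Route("148.43.200.8/30", "Tunnel0", "D", 90),
    Route("10.10.10.0/30", "Tunnel0", "C", 0),
    Route("12.12.12.0/24", "FastEthernet0/0", "C", 0),
    Route("11.11.11.0/24", "Serial0/0", "D", 90),      # far LAN leaked outside the tunnel
])

if __name__ == "__main__":
    for name, table in (("good", GOOD_TABLE), ("recursive", RECURSIVE_TABLE)):
        print(name, audit_tunnel(table, "Tunnel0", "148.43.200.9", ["11.11.11.0/24"]))
```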


OSPF & EIGRP

• Certain configuration steps must be applied to the tunnel interface when utilizing OSPF and EIGRP.

• OSPF
- configure OSPF network type to broadcast (ip ospf network broadcast).
- configure OSPF priority so hub is always DR (ip ospf priority).
- ensure the IP MTU is set the same on all tunnel interfaces (ip mtu).

• EIGRP
- split horizon must be disabled on the hub (no ip split-horizon eigrp).
- by default, EIGRP routers list themselves as the next hop for all advertised routes; this must be disabled (no ip next-hop-self eigrp).
- configure tunnel interface bandwidth so that EIGRP related traffic can be properly maintained.
- consideration should also be given to configuring the spoke routers as EIGRP stub routers.

Depending on the routing protocol selected, there are certain configuration steps that must be taken for it to work properly within a DMVPN environment.

OSPF:

- OSPF considers a tunnel interface point to point and will not allow it to support multiple connections. The tunnel interface must be set to broadcast within OSPF.

- Once the interface is set to broadcast, OSPF treats it as part of a broadcast multi-access network. The hub router must always be the designated router. A good practice would be to set the priority of all the spokes to "0".

- Ensure that the ip mtu settings on all tunnel interfaces within the DMVPN topology are the same. Two OSPF routers cannot form a neighbor relationship if this setting is different.

EIGRP:

- Split horizon must be disabled on the hub tunnel interface (split horizon is enabled by default with EIGRP). Since the hub is using a single interface to form connections with several spoke routers, EIGRP has to be able to send routing updates received from one spoke to all other spokes. With split horizon enabled, this is not possible.


- By default, when an EIGRP router advertises a network, it lists itself as the next hop even if the network does not originate on that router. For DMVPNs to function properly, this must be disabled on the hub router. Networks advertised from spokes to the hub and then to other spokes must list the originating spoke as the next hop.

- The default bandwidth for a tunnel interface is 9 kbs. EIGRP will only utilize at a maximum half the interface bandwidth – 4.5 kbs. This is too low for EIGRP to be properly maintained between neighboring routers. Set the bandwidth to a higher value such as 1000.

- Consideration should be given to configuring the EIGRP routers as stub. By definition, the spokes should only have connections to one router, the hub. Therefore, there is no value added by allowing the hub to query the spokes.


OSPF & DMVPN – Broadcast Network

• By default, OSPF treats a tunnel interface as a point-to-point network.
• All tunnel interfaces on routers within a DMVPN net are on the same subnet.
• OSPF must operate as if it is enabled on a broadcast multi-access network.
• Tunnel interface must be set to broadcast for proper operation of the DMVPN.

Figure: hub and two spokes connected across the TDMA cloud. Hub: tunnel 10.10.10.1/28 - broadcast, f0/1 148.43.200.1/29. Spoke 1: tunnel 10.10.10.2/28 - broadcast, f0/1 148.43.200.10/29. Spoke 2: tunnel 10.10.10.3/28 - broadcast, f0/1 148.43.200.20/29.

OSPF considers a tunnel interface as a point-to-point network and will not allow it to support multiple OSPF neighbor connections. For DMVPNs to function properly, the tunnel interface must be set to OSPF broadcast. All tunnel interfaces belonging to routers within the same DMVPN network are configured as part of the same subnet. Configuring the tunnel interface to broadcast will cause all of these routers to function as part of the same OSPF broadcast multi-access network.


OSPF & DMVPN - Hub is DR

• Spoke routers have permanent connectivity only to the hub router.
• Spoke routers will only form an OSPF neighbor relationship with the hub.
• The hub must be elected as the OSPF designated router (DR).
• Set all spoke routers' OSPF priority to 0.

Figure: hub and two spokes connected across the TDMA cloud. Hub (DR): tunnel 10.10.10.1/28 - priority 1, f0/1 148.43.200.1/29. Spoke 1 (DROther): tunnel 10.10.10.2/28 - priority 0, f0/1 148.43.200.10/29. Spoke 2 (DROther): tunnel 10.10.10.3/28 - priority 0, f0/1 148.43.200.20/29.

Once the DMVPN topology has been configured to function as an OSPF broadcast multi-access network, the OSPF priority must be configured for the designated router (DR) election. The goal is to have the hub (NHRP server) always be the DR and the spokes (NHRP clients) never be the DR. To accomplish this, all spokes should have their OSPF priority configured as “0”. If there are going to be multiple hubs (servers) within a single DMVPN topology, the priority should be set according to which of these should be the DR and which should be the backup designated router (BDR).


OSPF & DMVPN - IP MTU

• Within the JNN network, several tunnels along with IPSec are configured.
• These functions add additional bytes to the packet.
• To limit fragmentation, the IP MTU setting of the tunnel interfaces is reduced.
• For two routers to form an OSPF neighbor relationship, the interfaces providing connectivity for this must have the same IP MTU setting.

Figure: hub and two spokes connected across the TDMA cloud. Hub: tunnel 10.10.10.1/28 - ip mtu 1420, f0/1 148.43.200.1/29. Spoke 1: tunnel 10.10.10.2/28 - ip mtu 1420, f0/1 148.43.200.10/29. Spoke 2: tunnel 10.10.10.3/28 - ip mtu 1420, f0/1 148.43.200.20/29.

Within the JNN TDMA topology, several tunnels are created and IPSec is applied to these tunnels at various points. Tunnel creation and the application of IPSec add overhead to the original IP packet, increasing its size in bytes. Ethernet based networks have a default maximum transmission unit (MTU) of 1500 bytes. Once the packet exceeds this size, packet fragmentation occurs. This can have detrimental effects on the processing of packets and can interfere with the operation of IPSec. To prevent the fragmentation of packets on the interface, the IP MTU size is adjusted on the tunnel interface. The actual setting can be calculated based on the additional overhead added by the above noted processes. For two routers to form an OSPF neighbor relationship, the interfaces being utilized by the routers must have the same MTU setting.
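The paragraph above says the tunnel IP MTU can be calculated from the mGRE and IPSec overhead but does not carry the calculation through. The following is an added worked example (not part of the course material): it adds up the standard header sizes for an outer IPv4 header, GRE with a tunnel key, and ESP with CBC padding and a truncated HMAC, then finds the largest tunnel ip mtu whose encapsulated packet still fits the physical MTU, and the matching TCP MSS. The cipher, hash, IPSec mode (transport or tunnel) and the 1500-byte physical MTU are assumptions passed as parameters, not values taken from the course configurations.

```python
"""Worked example (added here, not the course's own material): estimate the
bytes that mGRE plus IPsec ESP add to a packet on a DMVPN tunnel, derive a
tunnel 'ip mtu' that keeps the encrypted packet within the physical MTU, and
give the matching TCP MSS. Header sizes are the standard ones; the cipher,
hash, IPsec mode and physical MTU are assumptions passed as parameters."""

OUTER_IP_HDR = 20   # IPv4 header without options
GRE_HDR = 4         # basic GRE header
GRE_KEY_FIELD = 4   # added when 'tunnel key' is configured
ESP_HDR = 8         # SPI + sequence number
ESP_TRAILER = 2     # pad length + next header (inside the encrypted area)
TCP_IP_HDRS = 40    # IPv4 + TCP headers without options, for the MSS

# (IV length, cipher block size) in bytes for CBC-mode ciphers
CIPHERS = {"des": (8, 8), "3des": (8, 8), "aes": (16, 16)}
# truncated HMAC ICV lengths (96 bits) as used by ESP-SHA-HMAC / ESP-MD5-HMAC
ICVS = {"sha1": 12, "md5": 12, "none": 0}


def encapsulated_size(inner_len, cipher="aes", auth="sha1",
                      ipsec_mode="transport", gre_key=True):
    """Size on the wire of an inner IP packet of inner_len bytes after GRE
    and ESP are applied. IPsec transport mode protects the GRE packet
    directly; tunnel mode wraps a second IP header inside ESP."""
    iv, block = CIPHERS[cipher]
    gre = GRE_HDR + (GRE_KEY_FIELD if gre_key else 0)
    inner_ip = OUTER_IP_HDR if ipsec_mode == "tunnel" else 0
    # everything ESP encrypts: [inner IP] + GRE + original packet + trailer
    enc = inner_ip + gre + inner_len + ESP_TRAILER
    pad = (-enc) % block  # CBC padding up to the next block boundary
    return OUTER_IP_HDR + ESP_HDR + iv + enc + pad + ICVS[auth]


def safe_ip_mtu(physical_mtu=1500, **kw):
    """Largest tunnel 'ip mtu' whose encapsulated size never exceeds the
    physical interface MTU, so the encrypted packet is never fragmented."""
    for mtu in range(physical_mtu, 0, -1):
        if encapsulated_size(mtu, **kw) <= physical_mtu:
            return mtu
    raise ValueError("physical MTU too small for any payload")


def tcp_mss_for(ip_mtu):
    """Value for 'ip tcp adjust-mss' so a full TCP segment fits in ip_mtu."""
    return ip_mtu - TCP_IP_HDRS


def overhead_bytes(**kw):
    """Worst-case bytes added to one packet (the largest-padding case)."""
    _, block = CIPHERS[kw.get("cipher", "aes")]
    return max(encapsulated_size(n, **kw) - n for n in range(1, block + 1))


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        mtu = safe_ip_mtu(1500, ipsec_mode=mode)
        print(f"{mode:9s} AES/SHA1 over mGRE: ip mtu {mtu}, "
              f"ip tcp adjust-mss {tcp_mss_for(mtu)}, "
              f"worst-case overhead {overhead_bytes(ipsec_mode=mode)} bytes")
```

With the defaults (AES-CBC, HMAC-SHA1-96, keyed mGRE, 1500-byte Ethernet) the function returns 1430 for IPSec transport mode and 1410 for tunnel mode; an ip mtu of 1400 therefore fits under either bound, which is the kind of margin a practitioner wants when the exact transform set is not known. Any change to the cipher, the ICV length or the use of a tunnel key changes the result, so rerun it rather than reuse a number.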


EIGRP & DMVPN – Split Horizon

• By default, EIGRP has split horizon enabled - an update cannot be sent out the interface on which it was received.
• The hub must advertise each update received from a spoke to all other spokes.
• The hub has only a single interface connected to the DMVPN topology.
• Split horizon must be disabled on this interface.

Figure: hub and two spokes connected across the TDMA cloud. Hub: tunnel 10.10.10.1/28 - no ip split-horizon eigrp, f0/1 148.43.200.1/29. Spoke 1: tunnel 10.10.10.2/28, f0/1 148.43.200.10/29, LAN f0/0 148.43.200.128/27. Spoke 2: tunnel 10.10.10.3/28, f0/1 148.43.200.20/29. The EIGRP update for 148.43.200.128/27 sent by spoke 1 to the hub is re-advertised by the hub to spoke 2 (split horizon disabled).

EIGRP is a distance vector protocol and therefore employs the split horizon route loop prevention technique. Split horizon does not allow the advertisement of an update through an interface if that update was received on that interface. For DMVPNs to work properly, all spokes must advertise their directly connected subnets to the hub, and then the hub must advertise these to all the other spokes. Since the hub has only one interface connected to the DMVPN topology, split horizon must be disabled within the EIGRP process on the hub router.


EIGRP & DMVPN – Next Hop Self

• By default, when an EIGRP router sends an update, it lists itself as the next hop.
• For DMVPN operation, the originating router must be listed as the next hop.
• The next hop self function must be disabled on the hub router.

Figure: hub and two spokes connected across the TDMA cloud. Hub: tunnel 10.10.10.1/28 - no ip next-hop-self eigrp, f0/1 148.43.200.1/29. Spoke 1: tunnel 10.10.10.2/28, f0/1 148.43.200.10/29, LAN f0/0 148.43.200.128/27. Spoke 2: tunnel 10.10.10.3/28, f0/1 148.43.200.20/29. Spoke 1 sends the EIGRP update for 148.43.200.128/27 via 10.10.10.2 to the hub; with next hop self disabled, the hub forwards it to spoke 2 still via 10.10.10.2, and spoke 2's routing table shows:

D 148.43.200.128/27 via 10.10.10.2

By default, when an EIGRP router sends an update to a neighbor, it lists itself as the next hop even when on a multi-access network (all routers on the same subnet) and it is not the originating router of the update (subnet not directly connected). For the proper operation of DMVPNs, a spoke router’s routing table must list all subnets within the DMVPN topology with the originating router as the next hop. For this to happen, the EIGRP next hop self function must be disabled on the hub router.


EIGRP & DMVPN Interface Bandwidth

• By default, EIGRP will only send its routing related traffic at 50% of the interface bandwidth - a tunnel interface has a default bandwidth of 9 kbps.
• This means that EIGRP would limit its traffic to a rate of 4.5 kbps.
• Set the tunnel bandwidth to match the actual speed of the physical interface.
• This allows the EIGRP process to be properly maintained.

Figure: hub and two spokes connected across the TDMA cloud, EIGRP traffic flowing between the hub and each spoke. Hub: tunnel 10.10.10.1/28 - bandwidth 100,000, f0/1 148.43.200.1/29. Spoke 1: tunnel 10.10.10.2/28 - bandwidth 100,000, f0/1 148.43.200.10/29. Spoke 2: tunnel 10.10.10.3/28 - bandwidth 100,000, f0/1 148.43.200.20/29.

By default, EIGRP will only utilize a maximum of 50% of the configured bandwidth on an interface to send EIGRP related information. A tunnel interface by default has its bandwidth set to 9 kbps. This means that EIGRP will only send its routing related traffic at a maximum rate of 4.5 kbps. In most situations, this rate is not sufficient for an EIGRP topology to converge properly. This could lead to routing loops and packets being dropped because of inaccurate routing information. It is recommended to configure the bandwidth of the tunnel interface to match the physical interface configured as the tunnel source. Within the JNN network, the tunnel interface commonly uses a Fast Ethernet interface as the tunnel source. Therefore, the tunnel bandwidth should be configured as 100,000.


EIGRP & DMVPN Set Spokes to Stub

• All EIGRP route information received by a spoke is from the hub.
• There is no reason for the hub to send a query to a spoke.
• Consideration should be given to configuring the spokes as a stub.

Figure: hub and two spokes connected across the TDMA cloud. Hub: tunnel 10.10.10.1/28, f0/1 148.43.200.1/29, marked "do not query" toward each spoke. Spoke 1: tunnel 10.10.10.2/28, f0/1 148.43.200.10/29. Spoke 2: tunnel 10.10.10.3/28, f0/1 148.43.200.20/29. Spokes configured with eigrp stub.

Within the DMVPN topology, permanent VPNs are established between the hub and each spoke. EIGRP neighbor relationships only exist between the hub and each spoke. No routing information is exchanged between spoke routers even when a dynamic VPN is established between two spokes. All EIGRP related information received by a spoke router is always from the hub. Therefore, there is no valid reason for the hub to ever query a spoke router for EIGRP route information. Consideration should be given to configuring spoke routers as EIGRP stubs.
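The OSPF and EIGRP requirements laid out across the preceding slides (broadcast network type, hub as DR with spoke priority 0, identical ip mtu on every tunnel, split horizon and next-hop-self disabled on the hub, a real tunnel bandwidth, stub spokes) are the things that go wrong most often when a DMVPN mesh fails to form. The following is an added example (not a tool from the course) that audits IOS running-config text for those settings. The router names, the AS number 100, Tunnel100 and the four configurations below are constructed for the example; only the 10.10.10.0/28 tunnel subnet and 148.43.200.1 hub address echo the slides.

```python
"""Added example (not the course's own tool): audit DMVPN tunnel interfaces
in IOS config text for the OSPF/EIGRP settings the notes require.
Sample configs are constructed; 'Tunnel100' and AS 100 are made up."""
import re

HUB_OSPF = """\
interface Tunnel100
 bandwidth 100000
 ip address 10.10.10.1 255.255.255.240
 ip mtu 1400
 ip ospf network broadcast
 ip ospf priority 5
 tunnel mode gre multipoint
"""
SPOKE_OSPF = """\
interface Tunnel100
 ip address 10.10.10.2 255.255.255.240
 ip mtu 1420
 ip nhrp map 10.10.10.1 148.43.200.1
 ip ospf network broadcast
 tunnel mode gre multipoint
"""
HUB_EIGRP = """\
interface Tunnel100
 bandwidth 100000
 ip address 10.10.10.1 255.255.255.240
 ip mtu 1400
 no ip next-hop-self eigrp 100
 tunnel mode gre multipoint
"""
SPOKE_EIGRP = """\
interface Tunnel100
 ip address 10.10.10.2 255.255.255.240
 ip mtu 1400
 tunnel mode gre multipoint
!
router eigrp 100
 network 10.10.10.0 0.0.0.15
"""


def parse_sections(config):
    """{stanza header: [sub-commands]} for 'interface'/'router' stanzas."""
    sections, cur = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            cur = None                      # '!' or blank ends a stanza
        elif raw.startswith(" ") and cur is not None:
            sections[cur].append(raw.strip())
        elif not raw.startswith(" "):
            cur = raw.strip()
            sections[cur] = []
    return sections


def first_int(body, pattern, default):
    """Integer argument of the first sub-command matching pattern, else default."""
    for line in body:
        if m := re.fullmatch(pattern, line):
            return int(m.group(1))
    return default


def audit_device(name, role, config, protocol):
    """Findings for one router; role is 'hub' or 'spoke', protocol 'ospf'/'eigrp'."""
    out, sections = [], parse_sections(config)
    tunnels = {h: b for h, b in sections.items() if h.lower().startswith("interface tunnel")}
    if not tunnels:
        return [f"{name}: no tunnel interface configured"]
    for tun, body in tunnels.items():
        def has(pat):
            return any(re.fullmatch(pat, line) for line in body)
        if not has(r"tunnel mode gre multipoint"):
            out.append(f"{name} {tun}: not mGRE (tunnel mode gre multipoint missing)")
        if not has(r"ip mtu \d+"):
            out.append(f"{name} {tun}: ip mtu not set; encapsulated packets will fragment")
        if protocol == "ospf":
            if not has(r"ip ospf network broadcast"):
                out.append(f"{name} {tun}: OSPF network type is not broadcast")
            prio = first_int(body, r"ip ospf priority (\d+)", 1)   # IOS default is 1
            if role == "spoke" and prio != 0:
                out.append(f"{name} {tun}: spoke OSPF priority is {prio}, must be 0")
            if role == "hub" and prio == 0:
                out.append(f"{name} {tun}: hub OSPF priority 0, cannot become DR")
        else:
            for pat, what in ((r"no ip split-horizon eigrp \d+", "split horizon"),
                              (r"no ip next-hop-self eigrp \d+", "next-hop-self")):
                if role == "hub" and not has(pat):
                    out.append(f"{name} {tun}: {what} still enabled on hub")
            bw = first_int(body, r"bandwidth (\d+)", 9)              # tunnel default 9 kbps
            if bw <= 9:
                out.append(f"{name} {tun}: bandwidth {bw} kbps leaves EIGRP only {bw / 2} kbps")
    if protocol == "eigrp" and role == "spoke":
        eigrp = [b for h, b in sections.items() if h.startswith("router eigrp")]
        if not any(line.startswith("eigrp stub") for b in eigrp for line in b):
            out.append(f"{name}: spoke is not configured as EIGRP stub")
    return out


def audit_dmvpn(devices, protocol):
    """devices: {name: (role, config)}; adds the cross-device ip mtu check."""
    out, mtus = [], {}
    for name, (role, cfg) in devices.items():
        out += audit_device(name, role, cfg, protocol)
        for tun, body in parse_sections(cfg).items():
            if tun.lower().startswith("interface tunnel"):
                mtus[f"{name} {tun}"] = first_int(body, r"ip mtu (\d+)", 1500)
    if len(set(mtus.values())) > 1:
        out.append(f"ip mtu mismatch across tunnels: {mtus}")
    return out
```

Running audit_dmvpn over the OSPF pair reports the spoke's default priority of 1 and the 1400/1420 ip mtu mismatch; over the EIGRP pair it reports split horizon still enabled on the hub, the 9 kbps default tunnel bandwidth on the spoke, and the missing eigrp stub. The checks are string matches on the running config, so they catch omissions before a neighbor relationship is attempted rather than after it fails.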


Hub Tunnel Configuration

interface Tunnel4444
 description Tunnel to BCT1 TDMA Mesh
 bandwidth 2048
 ip address 144.44.4.1 255.255.255.128
 no ip redirects
 ip mtu 1400
 ip pim nbma-mode
 ip pim sparse-mode
 ip nhrp authentication 4444
 ip nhrp map multicast dynamic
 ip nhrp network-id 4444
 ip nhrp holdtime 600
 ip tcp adjust-mss 1201
 ip ospf network broadcast
 ip ospf cost 1050
 ip ospf priority 5
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 4444

interface tunnel4444: Enters interface configuration mode and specifies a unique tunnel number.

ip address: Assigns an IP address & mask to the tunnel interface.

no ip redirects: Disallows ICMP redirects, which would let a ping or trace be sent back out the same interface on which it was received.

ip mtu: Sets the maximum transmission unit size on the tunnel interface. If an IP packet exceeds the MTU set for the interface, the Cisco IOS software will fragment it. All devices on a physical medium must have the same protocol MTU in order to operate. Within the DMVPN network, the MTU size for the tunnel interface is set to a smaller size than what is utilized for the physical interface (such as 1500 for Ethernet). This ensures that once the packet is encapsulated with mGRE and IPSec it will not exceed the physical MTU size and be fragmented after the additional headers & encryption have been applied.

ip pim nbma-mode and ip pim sparse-mode: Protocol Independent Multicast (PIM) is required in the JNN DMVPN networks to allow various applications to function. [Examples: Global Broadcast System, multipoint conferencing, message distribution between Command Post of the Future (CPOF) locations]. Implementing sparse mode and nbma mode in PIM allows this multicast traffic to be sent only to the stations requesting it, and lets PIM maintain a valid 'picture' of the multicast network even though layer 2 connectivity is not constant in the TDMA mesh.

ip nhrp authentication: Configures the authentication string for an interface using the Next Hop Resolution Protocol (NHRP). All routers configured with NHRP within one logical NBMA network must share the same authentication string.

ip nhrp map multicast dynamic: Configures NBMA addresses for use as destinations for broadcast or multicast packets to be sent over a tunnel network. When multiple NBMA addresses are configured, the system replicates the broadcast packet for each address. When utilized with the keyword dynamic, multicast & broadcast packets are sent to all entries within the NHRP database. This is configured on the Next Hop Server (the hub and possibly a JNN) so that router neighbor relationships can be established with all spoke systems dynamically.

ip nhrp network-id: Enables the Next Hop Resolution Protocol (NHRP) on an interface. All NHRP stations within one logical NBMA network must be configured with the same network identifier.

ip nhrp holdtime: Changes the number of seconds that NHRP NBMA addresses are advertised as valid in authoritative NHRP responses. The command affects authoritative responses only. The advertised holding time is the length of time the Cisco IOS software tells other routers to keep information that it is providing in authoritative NHRP responses. The cached IP-to-NBMA address mapping entries are discarded after the holding time expires. The NHRP cache can contain static and dynamic entries. The static entries never expire. Dynamic entries expire regardless of whether they are authoritative or non-authoritative.

ip tcp adjust-mss: The TCP MSS Adjustment feature enables the configuration of the maximum segment size (MSS) for transient TCP packets that pass through the router. This value is negotiated during the set-up phase of the TCP connection. In the DMVPN network, the Ethernet maximum transmission unit (MTU) is adjusted to 1400 or some other value lower than the normal 1500 bytes, and if the effective MTU on the hosts (PCs) is not changed, the router in between the host and the server can terminate the TCP sessions. The ip tcp adjust-mss command specifies the MSS value on the intermediate router to avoid session termination or packet fragmentation.

ip ospf network broadcast: Configures the OSPF network type to a type other than the default for a given medium. By default, the router sees a tunnel interface as part of a point-to-point network. Using the command with the keyword broadcast causes OSPF to operate in broadcast multi-access mode.

ip ospf cost: Sets a metric figure that OSPF will use for shortest path calculation. This overrides use of the bandwidth figure in the SPF algorithm.

ip ospf priority: Sets the OSPF router priority, which helps determine the designated router for a BMA network. When two routers attached to a network both attempt to become the designated router, the one with the higher router priority takes precedence. If there is a tie, the router with the higher router ID takes precedence. A router with a router priority set to zero is ineligible to become the designated router or backup designated router. In the DMVPN topology, the hub router should always be the designated router and the spokes should never be the DR.

tunnel source: Designates the router physical interface to be utilized as the source for this tunnel. Any traffic originating from the tunnel will be sent through the tunnel source interface. In addition, the IP address assigned to the tunnel source will be utilized as the source address of the tunneled packets.

tunnel mode gre multipoint: Sets the tunnel encapsulation mode to GRE multipoint.

tunnel key: Enables an ID key for a tunnel interface. This command currently applies to GRE only. Tunnel ID keys can be used as a form of weak security to prevent improper configuration or injection of packets from a foreign source. When GRE is used, the ID key is carried in each packet. It is not recommended to be used for security purposes. All routers wishing to establish DMVPNs must have the same key.

tunnel protection ipsec profile: Associates a tunnel interface with an IP Security (IPSec) profile. Use the command to specify that IPSec encryption will be performed after the GRE header has been added to the tunnel packet. The tunnel protection command can be used with multipoint GRE (mGRE) and point-to-point GRE (p-pGRE) tunnels. With p-pGRE tunnels, the tunnel destination address will be used as the IPSec peer address. With mGRE tunnels, multiple IPSec peers are possible; the corresponding NHRP mapping NBMA destination addresses will be used as the IPSec peer addresses. If you wish to configure two Dynamic Multipoint VPN (DMVPN) mGRE and IPSec tunnels on the same router, you must issue the shared keyword.

Note: There are also two commands, which apply specifically to the EIGRP routing protocol, that are not shown on the above slides. These only have to be configured on the hub router.

no ip next-hop-self eigrp: Instructs EIGRP to use the received next hop rather than itself when advertising updates received from neighbors. EIGRP routers by default always list themselves as the next hop for any network advertised even if it is not directly connected. DMVPNs cannot be established between spoke routers if this is not configured on the hub.

no ip split-horizon eigrp: Split horizon says that a route cannot be advertised out an interface on which it was received. Hub routers only have one interface connected to the topology and through it make multiple neighbor routing connections. The hub must be able to propagate routing information received from one neighbor to all of its other neighbors. Split horizon therefore must be disabled.


JNN Tunnel Configuration

interface Tunnel4444
 bandwidth 2048
 ip address 144.44.4.2 255.255.255.128
 no ip redirects
 ip mtu 1400
 ip pim nbma-mode
 ip pim sparse-mode
 ip nhrp authentication 4444
 ip nhrp map multicast dynamic
 ip nhrp map 144.44.4.1 22.20.22.1
 ip nhrp map multicast 22.20.22.1
 ip nhrp network-id 4444
 ip nhrp holdtime 600
 ip nhrp nhs 144.44.4.1
 ip tcp adjust-mss 1201
 ip ospf network broadcast
 ip ospf cost 1050
 ip ospf priority 3
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 4444

Note: commands that are the same for the hub and spoke will not have the explanation duplicated here.

ip nhrp map: Statically configures the tunnel IP to a physical IP of a distant end router. This forces a static entry into the NHRP database. This is configured on the spoke and maps the IPs of the hub router.

ip nhrp map multicast xxx.xxx.xxx.xxx: Configures NBMA addresses for use as destinations for broadcast or multicast packets to be sent over a tunnel network. The spokes use this command to identify (map) the NBMA (physical) address for the hub system and any other next hop servers. The spokes will only form a router neighbor relationship with the DR (usually the hub node) and any JNN configured to be the BDR.

ip nhrp nhs: Identifies the virtual IP (tunnel) address of any NHRP next hop server. This address was previously mapped to a physical interface address in the “ip nhrp map” command.


CPN Tunnel Configuration

interface Tunnel4444
 bandwidth 2048
 ip address 144.44.4.3 255.255.255.128
 no ip redirects
 ip mtu 1400
 ip pim nbma-mode
 ip pim sparse-mode
 ip nhrp authentication 4444
 ip nhrp map 144.44.4.1 22.20.22.1
 ip nhrp map multicast 22.20.22.1
 ip nhrp map 144.44.4.2 22.20.22.2
 ip nhrp map multicast 22.20.22.2
 ip nhrp network-id 4444
 ip nhrp holdtime 600
 ip nhrp nhs 144.44.4.1
 ip nhrp nhs 144.44.4.2
 ip ospf network broadcast
 ip ospf cost 1050
 ip ospf priority 0
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 4444

Notice that this CP Node has two Next Hop Servers identified and statically mapped into its own NHRP database. The ip nhrp map 144.44.4.1 22.20.22.1 configuration line maps the hub's tunnel and physical interfaces into the CP node's NHRP database as a static entry. The ip nhrp map 144.44.4.2 22.20.22.2 configuration line maps the JNN's tunnel and physical interfaces into the CP node's NHRP database as a static entry. The ip nhrp nhs 144.44.4.1 and ip nhrp nhs 144.44.4.2 configuration lines identify the hub and JNN as next hop servers. The ip nhrp map multicast 22.20.22.1 and ip nhrp map multicast 22.20.22.2 configuration lines identify the hub and JNN physical interfaces which will send and receive multicast routing protocol updates to and from the CP node.


DMVPN Lab

Figure: lab topology. All routers' F0/0 interfaces connect to the TDMA cloud; routers are numbered 1 through 8 in the diagram. Per-router addressing:

UHN_66030_ST2R (Hub): LO0 22.230.0.226/32, F0/0 172.20.254.1/30, TUN 6000 172.21.254.1/25, TUN 6605 172.21.78.1/25, TUN 6607 172.21.79.1/25, F1/0 22.230.3.254/24, OSPF Priority 5

JNN_66000_ST2R: LO0 22.230.6.226/32, F0/0 172.20.254.5/30, TUN 6000 172.21.254.2/25, F1/0 22.230.4.254/24, OSPF Priority 0

JNN_66050_ST2R: LO0 22.230.32.226/32, F0/0 172.20.78.9/30, TUN 6605 172.21.78.2/25, F1/0 22.230.34.62/27, OSPF Priority 3

JNN_66070_ST2R: LO0 22.230.64.226/32, F0/0 172.20.79.9/30, TUN 6607 172.21.79.2/25, F1/0 22.230.66.62/27, OSPF Priority 3

BCP_66052_ST2R: LO0 22.230.40.226/32, F0/0 172.20.78.17/30, TUN 6605 172.21.78.3/25, F1/0 22.230.40.62/27, OSPF Priority 0

BCP_66053_ST2R: LO0 22.230.42.226/32, F0/0 172.20.78.25/30, TUN 6605 172.21.78.4/25, F1/0 22.230.44.62/27, OSPF Priority 0

BCP_66072_ST2R: LO0 22.230.72.226/32, F0/0 172.20.79.17/30, TUN 6607 172.21.79.3/25, F1/0 22.230.72.62/27, OSPF Priority 0

BCP_66073_ST2R: LO0 22.230.74.226/32, F0/0 172.20.79.25/30, TUN 6607 172.21.79.4/25, F1/0 22.230.76.62/27, OSPF Priority 0

Address blocks: DMAIN – OSPF Area 0 22.230.0.0/19; BCT 1 22.230.32.0/19; BCT 2 22.230.64.0/19.

Install the above network as shown. Students using real hardware routers will configure f0/1 rather than f1/0. Configure the hub and spoke routers using the configuration information from the previous pages. Simulator class students will configure Router 8 and their own station's router. If you are Router 8, also configure Router 7. Enable either OSPF or EIGRP to operate on the tunnel interface and the interface supporting host computers. Do not configure a routing protocol for the physical interfaces connected to the TDMA cloud. Configure a static route that will reach all physical interface addresses out f0/0. Once complete, test for network connectivity using ping and trace between the user subnets. Use the “show ip nhrp nhs” command to confirm whether your spoke router is registered with the server. Use the “show ip nhrp” command to view the tunnels in place.


show ip nhrp nhs

This command allows an NHS client to see if it is registered with the next hop server (NHS).

Although the spoke's 'show ip nhrp' command displays the static entry for the hub/NHS, it is not a real-time indication of a successful registration with the server. At a spoke router, to check whether registration has occurred, perform the 'show ip nhrp nhs' command. If an R is listed next to the tunnel NHS address, then the server is responding to next hop resolution requests, showing that registration has taken place. The spoke router shown above has successfully registered.

Troubleshooting the DMVPN mesh: make sure layer 1 and 2 are up, then:

1. Have all spokes registered? Have any spokes registered? Registration problems are most likely tunnel interface configuration problems at one or more spokes, or at the hub.

2. Once the spokes are registered, sho ip ospf neighbor or sho ip eigrp neighbor. Lack of neighboring is most likely a routing protocol network statement issue. Also, make sure the network statement does not include the f0/0 interface.

3. Sho ip route to ensure that all LAN networks are in the routing table.


show ip nhrp (at the hub)

UHN_66030_ST2R#sh ip nhrp
172.21.254.2/32 via 172.21.254.2, Tunnel6000 created 00:05:46, expire 00:09:58
  Type: dynamic, Flags: unique nat registered used
  NBMA address: 172.20.254.5
172.21.78.2/32 via 172.21.78.2, Tunnel6605 created 00:05:36, expire 00:09:08
  Type: dynamic, Flags: unique nat registered
  NBMA address: 172.20.78.9
172.21.78.3/32 via 172.21.78.3, Tunnel6605 created 00:05:15, expire 00:08:39
  Type: dynamic, Flags: unique nat registered
  NBMA address: 172.20.78.17
172.21.78.4/32 via 172.21.78.4, Tunnel6605 created 00:05:41, expire 00:08:57
  Type: dynamic, Flags: unique nat registered
  NBMA address: 172.20.78.25
172.21.79.2/32 via 172.21.79.2, Tunnel6607 created 00:05:51, expire 00:09:50
  Type: dynamic, Flags: unique nat registered used
  NBMA address: 172.20.79.9

The “show ip nhrp” command displays the contents of the NHRP database or cache. When using it on the hub router, it shows each spoke that has registered dynamically via NHRP with the hub. Contained within each entry will be the tunnel IP address, the physical address (called an NBMA address here), how long ago the tunnel was created, how long the tunnel has to live, and how the tunnel was created -- as a static entry (manually configured at the hub) or as a dynamic entry (learned via a registration request or a next-hop resolution request). The flags that may be shown include:

unique -- no other NHRP registration request may overwrite this registration. Used when NBMA (physical) interface IP addresses are configured statically.

nat -- indicates that the client router's IOS supports setting up dynamic tunnels to other clients, which may be behind a NAT router. Does not mean NAT is being used.

registered -- the entry is the result of an NHRP registration request, and must be refreshed by another registration request.

used -- the mapping entry has been used to allow data transfer within the last minute, and more than two minutes remain before it expires.

authoritative -- the entry was learned directly from the next hop server at which the client is registered.


show ip nhrp (at a spoke)

BCP_66072_ST2R#sh ip nhrp
172.21.79.1/32 via 172.21.79.1, Tunnel6607 created 00:05:54, never expire
  Type: static, Flags: nat used
  NBMA address: 172.20.254.1
172.21.79.2/32 via 172.21.79.2, Tunnel6607 created 00:05:54, never expire
  Type: static, Flags: nat used
  NBMA address: 172.20.79.9
172.21.78.4/32 via 172.21.78.4, Tunnel6607 created 00:05:54, expire 00:08:39
  Type: dynamic, Flags: nat used
  NBMA address: 172.20.78.25

When using the command on the spoke router, at a minimum it will show a static NHRP entry to the hub router and may show entries for any other next hop server in the topology. These entries in the database are a result of the tunnel interface configuration command “ip nhrp map xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy”, where x=the server's tunnel interface address, and y=the server's physical interface address. Example: ip nhrp map 144.44.4.2 22.20.22.2 This is the configuration entry that creates the PVC (permanent virtual circuit) to the next hop server. In addition, any dynamic (rather than static) tunnels established with other spoke routers will be displayed. The entry for 172.21.78.4/32 above is an example. Note the expire time and type.
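The two "show ip nhrp" listings above (hub and spoke) are the primary evidence when checking whether a mesh has formed; reading them by eye across many spokes does not scale. The following is an added example (not a tool from the course) that parses that output into records and answers the questions the notes pose: which spokes have registered with the hub, which entries are the static next hop server mappings, which dynamic entries are spoke-to-spoke tunnels, and which entries are close to expiring. The embedded sample text is the hub and spoke output shown on these pages; the expected-spoke list passed to missing_registrations is a constructed input.

```python
"""Added example, not from the course: parse 'show ip nhrp' output into
records and report registration state. Sample output is the hub and spoke
listings shown on these pages; any spoke list passed in is a constructed input."""
import re

HUB_OUTPUT = """\
UHN_66030_ST2R#sh ip nhrp
172.21.254.2/32 via 172.21.254.2, Tunnel6000 created 00:05:46, expire 00:09:58
  Type: dynamic, Flags: unique nat registered used
  NBMA address: 172.20.254.5
172.21.78.2/32 via 172.21.78.2, Tunnel6605 created 00:05:36, expire 00:09:08
  Type: dynamic, Flags: unique nat registered
  NBMA address: 172.20.78.9
172.21.78.3/32 via 172.21.78.3, Tunnel6605 created 00:05:15, expire 00:08:39
  Type: dynamic, Flags: unique nat registered
  NBMA address: 172.20.78.17
172.21.78.4/32 via 172.21.78.4, Tunnel6605 created 00:05:41, expire 00:08:57
  Type: dynamic, Flags: unique nat registered
  NBMA address: 172.20.78.25
172.21.79.2/32 via 172.21.79.2, Tunnel6607 created 00:05:51, expire 00:09:50
  Type: dynamic, Flags: unique nat registered used
  NBMA address: 172.20.79.9
"""
SPOKE_OUTPUT = """\
BCP_66072_ST2R#sh ip nhrp
172.21.79.1/32 via 172.21.79.1, Tunnel6607 created 00:05:54, never expire
  Type: static, Flags: nat used
  NBMA address: 172.20.254.1
172.21.79.2/32 via 172.21.79.2, Tunnel6607 created 00:05:54, never expire
  Type: static, Flags: nat used
  NBMA address: 172.20.79.9
172.21.78.4/32 via 172.21.78.4, Tunnel6607 created 00:05:54, expire 00:08:39
  Type: dynamic, Flags: nat used
  NBMA address: 172.20.78.25
"""

# One entry spans three lines: header, Type/Flags line, NBMA address line.
HEADER_RE = re.compile(r"^(?P<prefix>[\d.]+/\d+) via (?P<via>[\d.]+), (?P<tunnel>\S+) "
                       r"created (?P<created>[\d:]+), (?P<expire>.+)$")
TYPE_RE = re.compile(r"^Type: (?P<type>\w+), Flags:\s*(?P<flags>.*)$")
NBMA_RE = re.compile(r"^NBMA address: (?P<nbma>[\d.]+)$")


def hms_to_seconds(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_show_ip_nhrp(text):
    """List of dicts with prefix, via, tunnel, created, expire (seconds or
    None for 'never expire'), type, flags (set) and nbma."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER_RE.match(line):
            cur = m.groupdict()
            exp = cur.pop("expire")
            cur["expire"] = hms_to_seconds(exp.split()[1]) if exp.startswith("expire ") else None
            cur["flags"] = set()
            entries.append(cur)
        elif cur is not None and (m := TYPE_RE.match(line)):
            cur["type"] = m["type"]
            cur["flags"] = set(m["flags"].split())
        elif cur is not None and (m := NBMA_RE.match(line)):
            cur["nbma"] = m["nbma"]
    return entries


def registered_spokes(entries):
    """Hub view: tunnel address -> NBMA address for entries created by an
    NHRP registration request."""
    return {e["via"]: e["nbma"] for e in entries
            if e["type"] == "dynamic" and "registered" in e["flags"]}


def next_hop_servers(entries):
    """Spoke view: the static 'ip nhrp map' entries, i.e. the configured NHSs."""
    return {e["via"]: e["nbma"] for e in entries if e["type"] == "static"}


def spoke_to_spoke_tunnels(entries):
    """Dynamic entries learned by resolution rather than registration."""
    return [e["via"] for e in entries
            if e["type"] == "dynamic" and "registered" not in e["flags"]]


def expiring_within(entries, seconds):
    """Entries whose remaining holdtime is at or below the threshold."""
    return [e["via"] for e in entries if e["expire"] is not None and e["expire"] <= seconds]


def missing_registrations(entries, expected_spokes):
    """Hub-side check: expected spoke tunnel addresses with no registration."""
    return sorted(set(expected_spokes) - set(registered_spokes(entries)))
```

On the hub listing the parser finds five registered spokes and, with a 540-second threshold, flags the two entries under nine minutes remaining; on the spoke listing it separates the two static NHS mappings from the one dynamic spoke-to-spoke entry, which carries no "registered" flag. Feeding missing_registrations the list of spokes that should exist turns the hub's cache into a simple inventory check.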


IP Security (IPSec)

• Security Architecture for IP
- open standard defined in RFC 2401
- consists of a suite of security services & protocols
- operates at layer 3 of OSI model
- provides security for layer 3 and above (4 – 7)

• Three Major Components of IPSec
- Modes: Transport & Tunnel
- Protocols: AH & ESP
- Internet Key Exchange (IKE)

The security architecture for IP (IPSec) is a suite of security services for traffic at the IP layer. It is an open standard, defined in RFC 2401 and several following RFCs. IPSec was developed by the IETF as part of IPv6 and can be implemented in IPv4. IPSec is a framework of open standards that operates at Layer 3 of the OSI model, which means that it can protect communications from the network layer (IP) and up. IPSec protocols can supply access control, authentication, data integrity, and confidentiality for each IP packet between two participating network nodes. IPSec can be used between two hosts (including clients), a gateway and a host, or two gateways. IPSec establishes a secure tunnel between endpoints, and provides authentication and encryption services to protect transported data. IPSec provides two security protocols used for transferring data: Encapsulating Security Payload (ESP) and Authentication Header (AH). AH provides connectionless integrity, data origin authentication, and anti-replay service for the IP packet. AH does not encrypt the data, but any modification of the data would be detected. ESP provides confidentiality through the encryption of the payload. Access control is provided through the use and management of keys to control participation in traffic flows.


IKE is a key management protocol used in IPSec to create an authenticated, secure communication channel between two entities and then negotiate the security associations for IPSec. IKE offers several advantages over manually defined keys (manual keying):

- Eliminates manual configuration of keys
- Allows you to specify a lifetime for IPSec SA
- Allows encryption keys to change during IPSec sessions
- Supports the use of public key-based authentication and CAs
- Allows dynamic authentication of peers


IPSec Architecture

Figure: IPSec architecture. Modes: Transport Mode, Tunnel Mode. Protocols: AH Protocol, ESP Protocol. Authentication Algorithm (MD5, SHA-1). Encryption Algorithm (DES, 3DES, AES). Key Management (IKE).

Within the IPSec architecture, there are two modes of operation: transport and tunnel. In transport mode, the original IP header is left in place and the IPSec process is applied to the remaining portions of the packet. In tunnel mode, a new IP header is added to the original packet (including the original header). The IPSec process is then applied to the entire original packet. IPSec has two protocols: Authentication Header (AH) and Encapsulating Security Payload (ESP). AH provides for authentication and anti-replay services but does not encrypt the packet payload. ESP encrypts the packet payload and offers authentication and anti-replay services. There are certain algorithms that are associated with each protocol. AH can only utilize the authentication algorithms such as MD5 & SHA-1. ESP utilizes the same authentication algorithms and in addition utilizes a different set of algorithms (DES, 3DES, AES) for the purpose of encrypting the payload. Internet Key Exchange (IKE) is utilized for the purpose of automatically authenticating IPSec peers, negotiating key exchange & security associations, & establishing keys for encryption algorithms.


AH & ESP

• Authentication Header (AH)
  - IP Protocol 51, RFC 2402
  - provides authentication and anti-replay services
  - does not encrypt IP packet payload

• Encapsulating Security Payload (ESP)
  - IP Protocol 50, RFC 2406
  - provides authentication, optional anti-replay services, & packet payload encryption
  - can be used as stand alone or in conjunction with AH

AH (RFC 2402) provides packet authentication and anti-replay services. AH can be deployed in either transport or tunnel mode. In transport mode, the AH is inserted after the IP header and before an upper-layer protocol (such as TCP, UDP, or ICMP), or before any other previously inserted IPSec headers. The AH (IP protocol 51) ensures:

Data Integrity – Calculates a hash of the entire IP packet, including the original IP header (not including variable fields such as the TTL), the data part of the packet, and the AH (excluding the field that will contain the calculated hash value) [either a Message Authentication Code (MAC) or a digital signature]. MD5 or SHA-1 uses an extra value, known only to the participating parties, to calculate the hash. The receiver performs the same calculation and compares it to the sender's result: if they match, the packet is declared authentic.

Data Origin Authentication – The AH provides source IP authentication. Since the source IP is included in the authenticated data, its integrity is guaranteed.

Replay Protection – The AH uses an IPSec sequence number to protect against replay attacks.


ESP (RFC2406) provides data encryption, data authentication, and optional anti-replay services. ESP can be used on its own or with AH packet authentication. ESP encapsulates the data and can be deployed in either transport or tunnel mode. In transport mode, ESP is placed after the IP header (and any options that it contains), and before the upper layer protocol. This makes ESP and AH compatible with non-IPSec-compliant routers. Tunnel mode ESP may be employed in either hosts or security gateways. In tunnel mode, ESP protects the entire inner IP packet, including the entire inner IP header. The position of ESP in tunnel mode relative to the outer IP header is the same as for ESP in transport mode. ESP (IP protocol 50) features:

• Pads a packet to prevent traffic analysis, and encrypts the result with ciphers such as DES, 3DES, AES, or Blowfish.

• Optional authentication using the same algorithms as the AH protocol. Header information is not included in the authenticated data, which allows ESP-protected packets to pass through NAT. Authentication data is calculated after encryption.

• Optional antireplay features.

ESP can perform most of AH's functions. ESP works on encapsulation principles: all data is encrypted and then placed between a header and a trailer. This differentiates it from AH, where only a header is created.
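The difference in what AH and ESP authenticate is easiest to see by computing the two integrity check values (ICVs) yourself. The following is an added example, not code from the course notes or from Cisco: it builds a minimal IPv4 header, computes an AH-style ICV with the mutable fields (ToS, flags/fragment offset, TTL, checksum) zeroed as RFC 2402 requires, and an ESP-style ICV that covers only the ESP header and body. The key, addresses and payload are constructed for the demonstration; the payload stands in for the TCP header and data and, for ESP, for the already-encrypted body and trailer.

```python
# Added example (not from the course notes): which bytes the AH and ESP ICVs
# cover, and what that means when a router decrements the TTL or a NAT
# rewrites the source address. Key, addresses and payload are constructed.
import hmac
import hashlib
import struct
import ipaddress

IPPROTO_ESP = 50
IPPROTO_AH = 51


def ipv4_header(src, dst, proto, payload_len, ttl=64, tos=0, ident=0x1234):
    """Minimal 20-byte IPv4 header; the checksum is left at zero for brevity."""
    return struct.pack("!BBHHHBBH4s4s",
                       (4 << 4) | 5, tos, 20 + payload_len, ident, 0,
                       ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def zero_mutable_fields(ip_hdr):
    """RFC 2402: fields that legitimately change in transit (ToS, flags and
    fragment offset, TTL, header checksum) are zeroed before AH hashes the
    header. Source and destination addresses are kept, so AH covers them."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # ToS
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)


def hmac_sha1_96(key, data):
    """HMAC-SHA-1 truncated to 96 bits, as used by ah-sha-hmac / esp-sha-hmac."""
    return hmac.new(key, data, hashlib.sha1).digest()[:12]


def ah_icv(key, ip_hdr, next_header, spi, seq, payload):
    """AH transport mode: ICV over the immutable IP header fields, the AH
    header with its ICV field zeroed, and everything after the AH."""
    ah_hdr = struct.pack("!BBHII", next_header, 4, 0, spi, seq)  # 24-byte AH -> payload len 4
    return hmac_sha1_96(key, zero_mutable_fields(ip_hdr) + ah_hdr + b"\x00" * 12 + payload)


def esp_icv(key, ip_hdr, spi, seq, encrypted_body):
    """ESP: ICV over the ESP header plus the (already encrypted) body and
    trailer. ip_hdr is accepted only to make the contrast explicit: the outer
    IP header is deliberately not part of the authenticated data."""
    del ip_hdr
    return hmac_sha1_96(key, struct.pack("!II", spi, seq) + encrypted_body)


def demo_icv_coverage():
    """Returns (ah_survives_ttl_change, ah_survives_nat, esp_survives_nat)."""
    key = b"constructed-demo-key"
    payload = b"TCP header + application data (constructed)"
    plen = 24 + len(payload)
    sent = ipv4_header("10.0.0.1", "10.0.0.2", IPPROTO_AH, plen, ttl=64)
    icv = ah_icv(key, sent, 6, 0x100, 1, payload)

    # A router on the path decrements the TTL: AH still verifies (TTL is mutable).
    hop = ipv4_header("10.0.0.1", "10.0.0.2", IPPROTO_AH, plen, ttl=63)
    ah_ttl_ok = hmac.compare_digest(ah_icv(key, hop, 6, 0x100, 1, payload), icv)

    # A NAT rewrites the source address: AH fails, because the source IP is covered.
    natted = ipv4_header("203.0.113.5", "10.0.0.2", IPPROTO_AH, plen, ttl=63)
    ah_nat_ok = hmac.compare_digest(ah_icv(key, natted, 6, 0x100, 1, payload), icv)

    # The same rewrite leaves an ESP ICV intact: the IP header is never hashed.
    body = b"\x00" * 16 + payload   # constructed stand-in for IV + ciphertext + ESP trailer
    esp_sent = ipv4_header("10.0.0.1", "10.0.0.2", IPPROTO_ESP, 8 + len(body))
    esp_ref = esp_icv(key, esp_sent, 0x200, 1, body)
    esp_natted = ipv4_header("203.0.113.5", "10.0.0.2", IPPROTO_ESP, 8 + len(body), ttl=63)
    esp_nat_ok = hmac.compare_digest(esp_icv(key, esp_natted, 0x200, 1, body), esp_ref)
    return ah_ttl_ok, ah_nat_ok, esp_nat_ok


if __name__ == "__main__":
    print(demo_icv_coverage())  # (True, False, True)
```

The three results are the practical summary: AH tolerates TTL changes but not address translation, while ESP's ICV is indifferent to the outer header. Note that a port-translating NAT still cannot track raw ESP (it has no ports), which is why NAT traversal wraps ESP in UDP; that mechanism is outside the scope of these notes.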


AH & ESP Modes

• Transport
  - authenticates/encrypts only data payload
  - original IP header remains intact

• Tunnel
  - authenticates/encrypts entire IP packet
  - adds new IP header

(Slide diagram: packet layouts; the bracketed portion is encrypted.)

original packet: IP Hdr | TCP Hdr | Data

ESP transport:   IP Hdr | ESP Hdr | [TCP Hdr | Data | ESP Trailer] | ESP Auth

ESP tunnel:      New IP Hdr | ESP Hdr | [Orig IP Hdr | TCP Hdr | Data | ESP Trailer] | ESP Auth

IPSec has a transport mode and a tunnel mode. Transport mode only affects the data payload and does not modify the original IP header. In transport mode, the AH or ESP header is inserted after the IP header, but before any upper-layer protocol headers. Tunnel mode encapsulates the entire original packet as the data portion of a new packet with its own IP header. (AH and/or ESP headers are created in both modes.) Transport mode is used when both the receiver and the sender are endpoints of the communication (for example, two hosts communicating directly with each other). Tunnel mode is more convenient for site-to-site VPNs because it allows tunneling of traffic through the channel established between two gateways. Transport mode places an AH or ESP header right after the original IP header and before the upper-layer data (TCP header and application data). If ESP is applied to the packet, only this upper-layer data is encrypted. If optional ESP authentication is used, only the upper-layer data, not the IP header, is authenticated. If AH is applied to the packet, both the original IP header and the upper-layer data are authenticated.


Tunnel mode, the most common mode of operation, allows the establishment of an encrypted and authenticated IP tunnel between two sites. The original packet is encrypted and/or authenticated and encapsulated as the data payload of a new IP packet. The new IP header is added to it with the destination address of the receiving gateway. The ESP and/or AH header is inserted between this new header and the data portion. The receiving gateway performs decryption and authentication of the packet, extracts the original IP packet (including the original source/destination IPs), and forwards it to the destination network.


Authentication & Encryption Algorithms

• HMAC-MD5 – authentication

• HMAC-SHA-1 – authentication

• DH – key exchange

• DES – payload encryption

• 3DES – payload encryption

• AES – payload encryption

Message Digest 5 (MD5) is a hash algorithm used to authenticate packet data. Cisco routers use the MD5 hashed message authentication code (HMAC) variant, which provides an additional level of hashing. A hash is a one-way function that takes an input message of arbitrary length and produces a fixed-length output. IKE, AH, and ESP use MD5 for authentication.

Secure Hash Algorithm-1 (SHA-1) is a hash algorithm used to authenticate packet data. Cisco routers use the SHA-1 HMAC variant, which provides an additional level of hashing. IKE, AH, and ESP use SHA-1 for authentication.

Diffie-Hellman (DH) is a public-key cryptography protocol. It allows two parties to establish a shared secret key used by encryption algorithms (DES or MD5, for example) over an insecure communications channel. DH is used within IKE to establish session keys. 768-bit, 1024-bit, and 1536-bit DH groups (numbered 1, 2, and 5 respectively) are supported in the Cisco routers.

Data Encryption Standard (DES) uses a 56-bit key, ensuring high-performance encryption. DES is used to encrypt and decrypt packet data. DES turns clear text into cipher text with an encryption algorithm. The decryption algorithm on the remote end restores clear text from cipher text. Shared secret keys enable the encryption and decryption.


Triple DES (3DES) is also a supported encryption protocol for use in IPSec on Cisco products. The 3DES algorithm is a variant of the 56-bit DES. 3DES operates similarly to DES in that data is broken into 64-bit blocks. 3DES then processes each block three times, each time with an independent 56-bit key. 3DES effectively doubles encryption strength over 56-bit DES.

Advanced Encryption Standard (AES) is the successor to DES. AES (Rijndael) is a successor to 3DES that supports variable key lengths of 128, 192, and 256 bits. Like 3DES, it is a symmetric block cipher. It can be used to replace 3DES or DES in an IPSec transform set. AES characteristics include:

• Private key symmetric block cipher (similar to DES).
• Stronger and faster than 3DES.
• Life expectancy of at least 20 to 30 years.
• Key sizes of 128, 192, and 256 bits.
• Royalty free, non-proprietary, and unpatented.


Transform Set

• Defines an acceptable combination of security protocols and algorithms.

• A transform represents an IPSec protocol plus its associated algorithm.

• Up to three transforms can be specified per transform set.
  - ESP encryption algorithm
  - AH authentication algorithm
  - ESP authentication algorithm

A transform set is a combination of individual IPSec transforms designed to enact a specific security policy for traffic. Transform sets combine the following IPSec factors:

• Mechanism for payload authentication — AH transform
• Mechanism for payload encryption — ESP transform
• IPSec mode — transport versus tunnel

Transform sets equal a combination of an AH transform, an ESP transform, and the IPSec mode (either tunnel or transport mode). Associated with each protocol is an encryption and/or authentication algorithm. A transform set is an acceptable combination of security protocols, algorithms and other settings to apply to IP Security protected traffic. During the IPSec security association negotiation, the peers agree to use a particular transform set when protecting a particular data flow.


Transforms within Transform Sets

Transform type                                 Transform       Description

AH Transform (Pick up to one)                  ah-md5-hmac     AH with the MD5 (HMAC variant) authentication algorithm
                                               ah-sha-hmac     AH with the SHA (HMAC variant) authentication algorithm

ESP Encryption Transform (Pick up to one)      esp-des         ESP with the 56-bit DES encryption algorithm
                                               esp-3des        ESP with the 168-bit DES encryption algorithm (Triple DES)
                                               esp-null        Null encryption algorithm
                                               esp-aes         AES with the 128, 192, or 256-bit encryption algorithm
                                               esp-seal        SEAL with the 160-bit encryption algorithm

ESP Authentication Transform (Pick up to one)  esp-md5-hmac    ESP with the MD5 (HMAC variant) authentication algorithm
                                               esp-sha-hmac    ESP with the SHA (HMAC variant) authentication algorithm

A transform set specifies one or two IPSec security protocols (Encapsulating Security Payload, Authentication Header, or both) and specifies which algorithms to use with the selected security protocol. To define a transform set, you specify one to three "transforms"—each transform represents an IPSec security protocol (ESP or AH) plus the algorithm you want to use. When the particular transform set is used during negotiations for IPSec security associations, the entire transform set (the combination of protocols, algorithms, and other settings) must match a transform set at the remote peer. In a transform set you can specify the AH protocol, the ESP protocol, or both. If you specify the ESP protocol in a transform set, you can specify just an ESP encryption transform or both an ESP encryption transform and an ESP authentication transform. The mode (tunnel or transport) is also configured as part of the transform set, but it is not associated with each individual transform: the selected mode applies to all the transforms within the set. The table above lists the acceptable transform combination selections for the AH and ESP protocols on a Cisco router.


IKE & ISAKMP

• Internet Security Association & Key Management Protocol (ISAKMP)
  - describes protocol independent authenticated key exchange methods
  - when implemented with Oakley & SKEME key exchange protocols, the result is IKE
  - RFC 2408

• Internet Key Exchange (IKE)
  - key management protocol utilized within IPSec
  - authenticates IPSec peers, negotiates key exchange & SA, & establishes keys for encryption algorithms
  - RFC 2409

ISAKMP (RFC 2408) describes authenticated key exchange methods. It is a generic protocol and is not tied to IPSec or any other key-using protocol. It can be implemented directly over IP or over any transport layer protocol. When partially combined with the Oakley (RFC 2412) and Secure Key Exchange Mechanism (SKEME) key exchange protocols, the result is IKE (RFC 2409). Although not strictly correct, the terms IKE and ISAKMP are often used interchangeably, even in Cisco IOS, where IKE is configured with the isakmp command. IKE is a key management protocol used in IPSec to create an authenticated, secure communication channel between two entities and then negotiate the SAs for IPSec. IKE offers several advantages over manually defined keys (manual keying):

• Eliminates manual configuration of keys
• Allows you to specify a lifetime for IPSec SA
• Allows encryption keys to change during IPSec sessions
• Supports the use of public key-based authentication and CAs
• Allows dynamic authentication of peers


IKE Authentication Methods

• Preshared Keys
  - key value entered into each peer manually, used to authenticate the peer.

• RSA Signatures
  - utilizes a digital certificate authenticated by an RSA signature.

• RSA Encryption
  - utilizes RSA encryption to encrypt a nonce value (random number generated by the peer) and other values.

Preshared Keys: the same preshared key is configured on each IPSec peer. IKE peers authenticate each other by computing and sending a keyed hash of data that includes the preshared key. If the receiving peer is able to create the same hash independently using its own preshared key, it knows that both peers must share the same secret, thus authenticating the other peer. Preshared keys are easier to configure than manually configuring IPSec policy values on each IPSec peer. However, preshared keys do not scale well, because each IPSec peer must be configured with the preshared key of every other peer with which it will establish a session.

RSA Signatures: utilize a digital signature, where each device digitally signs a set of data and sends it to the other party. RSA signatures use a CA to generate a unique identity digital certificate that is assigned to each peer for authentication. The identity digital certificate is similar in function to the preshared key, but provides much stronger security. RSA is a public-key cryptosystem used by IPSec for authentication in IKE phase 1. RSA was developed in 1977 by Ronald Rivest, Adi Shamir, and Leonard Adleman. The initiator and the responder of an IKE session using RSA signatures send their own ID value (IDi, IDr), their identity digital certificate, and an RSA signature value computed over a variety of IKE values, all encrypted by the negotiated IKE encryption method (DES or 3DES).
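The preshared-key authentication described above can be simulated end to end. The following is an added example, not code from the course notes or from Cisco IOS: it follows the RFC 2409 formulas for the preshared-key case (SKEYID = prf(PSK, Ni | Nr), HASH_I and HASH_R over the DH public values, cookies, SA payload and identity, and the SKEYID_d/a/e derivation), with HMAC-SHA-1 as the prf. The Diffie-Hellman modulus is a small demonstration prime, not one of the IKE groups 1, 2 or 5, and the cookies, nonces, SA payload and identities are constructed. Each simulated peer uses only its own configured key, so a mismatched key on one side fails both hash checks and yields different phase 1 keying material.

```python
# Added example (not from the course notes): IKE phase 1 pre-shared-key
# authentication per RFC 2409, simulated for both peers. The DH modulus is a
# demo-only prime (not an IKE group); all other inputs are constructed.
import hmac
import hashlib
import secrets

P = 2**127 - 1      # Mersenne prime used only for demonstration; IKE groups use 768/1024/1536-bit MODP primes
G = 2
PLEN = (P.bit_length() + 7) // 8


def prf(key, data):
    """The negotiated prf when the hash is SHA-1: HMAC-SHA-1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_public(x):
    return pow(G, x, P).to_bytes(PLEN, "big")


def dh_shared(x, peer_pub):
    return pow(int.from_bytes(peer_pub, "big"), x, P).to_bytes(PLEN, "big")


def skeyid_psk(psk, ni, nr):
    """RFC 2409 5.4: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, ni + nr)


def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai, idi):
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai + idi)


def hash_r(skeyid, gxi, gxr, cky_i, cky_r, sai, idr):
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai + idr)


def derive_keys(skeyid, gxy, cky_i, cky_r):
    """RFC 2409 section 5: SKEYID_d (seeds the phase 2 IPSec keys), SKEYID_a
    (authenticates later ISAKMP messages) and SKEYID_e (encrypts them)."""
    d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    a = prf(skeyid, d + gxy + cky_i + cky_r + b"\x01")
    e = prf(skeyid, a + gxy + cky_i + cky_r + b"\x02")
    return d, a, e


def phase1_psk(psk_initiator, psk_responder, xi=None, xr=None):
    """Simulate both peers; each side uses only ITS OWN configured key.
    Returns (responder_accepts_initiator, initiator_accepts_responder, same_skeyid_e)."""
    xi = xi or secrets.randbelow(P - 2) + 1
    xr = xr or secrets.randbelow(P - 2) + 1
    cky_i, cky_r = b"\x11" * 8, b"\x22" * 8          # constructed ISAKMP cookies
    ni, nr = b"\xaa" * 16, b"\xbb" * 16              # constructed nonces
    sai = b"SA-payload:3des,sha,psk,group2"          # constructed stand-in for SAi_b
    idi, idr = b"10.0.0.1", b"10.0.0.2"              # constructed identities
    gxi, gxr = dh_public(xi), dh_public(xr)

    # Initiator computes its SKEYID and HASH_I; responder does the same with HASH_R.
    skeyid_i = skeyid_psk(psk_initiator, ni, nr)
    sent_hash_i = hash_i(skeyid_i, gxi, gxr, cky_i, cky_r, sai, idi)
    skeyid_r = skeyid_psk(psk_responder, ni, nr)
    sent_hash_r = hash_r(skeyid_r, gxi, gxr, cky_i, cky_r, sai, idr)

    # Each side recomputes the other's hash from its own key and compares in constant time.
    r_accepts = hmac.compare_digest(hash_i(skeyid_r, gxi, gxr, cky_i, cky_r, sai, idi), sent_hash_i)
    i_accepts = hmac.compare_digest(hash_r(skeyid_i, gxi, gxr, cky_i, cky_r, sai, idr), sent_hash_r)

    # Phase 1 keying material that phase 2 (quick mode) will build on.
    e_i = derive_keys(skeyid_i, dh_shared(xi, gxr), cky_i, cky_r)[2]
    e_r = derive_keys(skeyid_r, dh_shared(xr, gxi), cky_i, cky_r)[2]
    return r_accepts, i_accepts, e_i == e_r


if __name__ == "__main__":
    print(phase1_psk(b"shared-secret", b"shared-secret"))  # (True, True, True)
    print(phase1_psk(b"shared-secret", b"typo"))           # (False, False, False)
```

Two points follow directly from the code: the hashes bind the DH public values and the SA proposal to the shared key, so a peer with the wrong key cannot produce a valid HASH_I even though it can see every message; and the same SKEYID feeds SKEYID_d, which is why the notes say phase 1 key material is reused in phase 2.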


RSA Encryption: utilizes the RSA encryption public key cryptography standard. The method requires that each party generate a pseudorandom number (a nonce) and encrypt it with the other party's RSA public key. Authentication occurs when each party decrypts the other party's nonce with its local private key (and other publicly and privately available information) and then uses the decrypted nonce to compute a keyed hash. This system provides for deniable transactions: either side of the exchange can plausibly deny that it took part in the exchange. Cisco IOS software is the only Cisco product that uses RSA encrypted nonces for IKE authentication. RSA encrypted nonces use the RSA public key algorithm.


IKE Negotiations – Two Phases

• Phase 1
  - Algorithms & hashes to secure IKE sessions are negotiated (policy sets).
  - DH is used to generate required IKE key.
  - Peer device identity is verified.
  - Purpose of Phase 1 is to establish a secure communications channel for phase two.

• Phase 2
  - Negotiates IPSec session security parameters (transform sets).
  - Establishes IPSec security associations (SAs).
  - Periodically renegotiates IPSec SAs to ensure security.
  - Purpose of Phase 2 is to negotiate the security parameters for the actual IPSec session.

IKE negotiates in two phases, both of which use UDP port 500.

1. Phase 1 - Peers negotiate and set up a secure, authenticated, bi-directional ISAKMP SA to handle Phase 2 negotiations. One such SA between a pair of peers can handle negotiations for multiple IPSec SAs. The peers agree on the encryption algorithm, hash algorithm, authentication method, and DH group used to exchange keys and information. Peers mutually authenticate, agree on encryption and authentication algorithms to protect subsequent IKE traffic, exchange keys via DH, and lastly establish an IKE SA. IKE SAs are bi-directional; each IKE connection between peers has only one IKE SA associated with it.

2. Phase 2 - Peers negotiate IPSec (ESP and/or AH) as required. IPSec SAs are unidirectional (a different key is used in each direction) and are always negotiated in pairs to handle two-way traffic. There may be more than one pair defined between two peers. They agree on the IPSec protocol, hash algorithm, and encryption algorithm. Multiple SAs will result from Phase 2 negotiations. An SA is created for the inbound and outbound of each protocol used.


IKE Phase 1 has two modes: main mode and aggressive mode. Main mode uses three exchanges between peers; each exchange consists of two messages, a request, and a reply for a total of six packets exchanged. IKE Phase 2 negotiates one or more IPSec SAs to be used for the IPSec tunnel between these peers. It uses key material from IKE Phase 1 to derive IPSec keys. The initiating peer identifies what traffic it wants to protect and what encryption/authentication algorithms it supports. The receiving peer then agrees on a single protection set for this traffic and establishes keys needed for this protection set. While having different phases adds some overhead, there are advantages to this approach:

• Trust between peers is established in IKE Phase 1 and IKE Phase 2.
• Key material established in the first phase can be used in the second phase.
• Renegotiations of the first phase can be assisted by the second-phase data.


IKE Security Associations (SA)

• Agreement between two systems in establishing an IKE session.
  - IKE Phase 1

• IKE SA consists of the following:
  - authentication method used
  - encryption and hash algorithm
  - DH group utilized
  - shared secret key values for the encryption algorithms
  - SA lifetime (kbs or seconds)

• A single IKE SA is established to handle secure communications both ways between the two peers.

There are two types of security associations utilized in configuring IPSec, just as there are two stages in establishing IPSec. IKE SAs describe the security parameters between two IKE devices, the first stage in establishing IPSec. IPSec SAs pertain to the actual IPSec tunnel, the second stage. At the IKE level, a single IKE SA is established to handle secure communications both ways between the two peers. Do not confuse IPSec SAs with IKE SAs. IKE SAs create the tunnel used by IPSec SAs. There is only one IKE SA between two devices, but there can be multiple IPSec SAs for the same IKE SA. At the end of the first phase, each host has an IKE SA, which specifies all parameters for this IKE tunnel: the authentication method, the encryption and hashing algorithm, the DH group used, the lifetime for this IKE SA, and the key values.


IPSec Security Associations (SA)

• Agreement between two systems participating in an IPSec session.
  - IKE Phase 2

• IPSec SA consists of the following:
  - destination IP address
  - security parameter index (SPI)
  - IPSec transform set
  - key used in algorithm
  - IPSec mode
  - SA lifetime (kbs or seconds)
  - Anti-replay sequence counters

• IPSec SAs are stored in the Security Association Database (SAD).

• IPSec SAs are unidirectional – four per IPSec session, two at each peer, one transmit, one receive.

IPSec SAs define how two or more IPSec peers will use security protocols (AH or ESP) to communicate securely on behalf of a particular flow. SAs contain the shared secret keys used to protect data in a particular flow, as well as their lifetimes. SAs are unidirectional connections and are unique per security protocol (AH or ESP). This means that if both AH and ESP services are required, two or more SAs have to be created. In a two-way communication, each party has at least two IPSec SAs: the sender and receiver each have one outgoing SA and one incoming SA. SAs can be created manually or with IKE. If created manually, the SAs are established as soon as they are created and do not expire. With IKE, SAs are established when needed and expire after a certain amount of time, or after a certain volume of traffic. The default lifetimes are 3600 seconds (one hour) and 4,608,000 kilobytes, and are periodically renegotiated. Each SA can be uniquely identified by three parameters:

1. SPI – Pseudo-arbitrary 32-bit value assigned to a SA at creation.
2. IP Destination Address – The destination endpoint of the SA.
3. Security Protocol Identifier – AH or ESP in transport or tunnel mode.
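The three identifying parameters, the anti-replay sequence counters listed in the IPSec SA slide, and the two lifetimes come together in the receiver's inbound processing. The following is an added example, not code from the course notes or from any IPSec implementation: it keeps an inbound Security Association Database keyed by (SPI, destination, protocol), gives each SA a 64-entry sliding replay window, and checks the time and kilobyte lifetimes against the defaults the notes quote (3600 seconds and 4,608,000 kilobytes). The replay check runs before the integrity check, but the window is only advanced after the ICV verifies, so a forged sequence number cannot push genuine packets out of the window. SPIs, keys, addresses and packets are constructed; the ICV is a truncated HMAC-SHA-1 over SPI, sequence number and payload, standing in for the real ESP/AH coverage.

```python
# Added example (not from the course notes): inbound SAD lookup by the
# (SPI, destination, protocol) triple, per-SA anti-replay window and
# lifetime checks. All SPIs, keys, addresses and packets are constructed.
import hmac
import hashlib
from dataclasses import dataclass, field


class ReplayWindow:
    """Sliding window over received sequence numbers (RFC 2401 Appendix C style).
    Bit i of `bitmap` set means sequence number (top - i) was already accepted."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0

    def check(self, seq):
        """Pre-authentication check; returns None if acceptable, else a reason."""
        if seq == 0:
            return "sequence number 0 is never valid"
        if seq > self.top:
            return None
        diff = self.top - seq
        if diff >= self.size:
            return "older than the replay window"
        if (self.bitmap >> diff) & 1:
            return "replayed sequence number"
        return None

    def update(self, seq):
        """Called only after the ICV verified, so forgeries never advance the window."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


@dataclass
class InboundSA:
    spi: int
    dst: str
    proto: int                          # 50 = ESP, 51 = AH
    auth_key: bytes
    lifetime_seconds: int = 3600        # default quoted in the notes
    lifetime_kbytes: int = 4_608_000    # default quoted in the notes
    created_at: float = 0.0
    bytes_seen: int = 0
    window: ReplayWindow = field(default_factory=ReplayWindow)

    def expired(self, now):
        return (now - self.created_at >= self.lifetime_seconds
                or self.bytes_seen // 1024 >= self.lifetime_kbytes)


def icv(key, spi, seq, payload):
    """Truncated HMAC-SHA-1 stand-in for the ESP/AH integrity check value."""
    data = spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:12]


def process_inbound(sad, pkt, now):
    """pkt: dict(spi, dst, proto, seq, payload, icv). Returns 'accept' or 'drop: <reason>'."""
    sa = sad.get((pkt["spi"], pkt["dst"], pkt["proto"]))
    if sa is None:
        return "drop: no SA for (SPI, destination, protocol)"
    if sa.expired(now):
        return "drop: SA lifetime expired"
    reason = sa.window.check(pkt["seq"])
    if reason:
        return "drop: " + reason
    if not hmac.compare_digest(icv(sa.auth_key, pkt["spi"], pkt["seq"], pkt["payload"]), pkt["icv"]):
        return "drop: integrity check failed"
    sa.window.update(pkt["seq"])        # only now, after authentication
    sa.bytes_seen += len(pkt["payload"])
    return "accept"


def demo_inbound():
    key = b"constructed-key"
    sad = {(0x1001, "10.0.0.2", 50): InboundSA(0x1001, "10.0.0.2", 50, key, created_at=0.0)}

    def pkt(seq, payload=b"data", spi=0x1001, key=key):
        return dict(spi=spi, dst="10.0.0.2", proto=50, seq=seq, payload=payload,
                    icv=icv(key, spi, seq, payload))

    return [
        process_inbound(sad, pkt(1), 10),
        process_inbound(sad, pkt(2), 10),
        process_inbound(sad, pkt(2), 10),                     # replay of 2
        process_inbound(sad, pkt(70), 10),                    # window top jumps to 70
        process_inbound(sad, pkt(7), 10),                     # 63 behind: still inside the window
        process_inbound(sad, pkt(6), 10),                     # 64 behind: too old
        process_inbound(sad, pkt(71, key=b"wrong"), 10),      # forged ICV
        process_inbound(sad, pkt(71), 10),                    # genuine 71: forgery did not consume it
        process_inbound(sad, dict(pkt(72), spi=0x2002), 10),  # unknown SPI
        process_inbound(sad, pkt(73), 4000),                  # past the 3600 s lifetime
    ]
```

The forged-ICV case is the one worth remembering: because `update` is deferred until after authentication, an attacker who sends a high sequence number with a bad ICV cannot make the receiver discard the legitimate packet carrying that same number later.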

Each peer maintains a Security Association Database (SAD) of active SAs for each direction (inbound and outbound) on each of its interfaces. SAs from these databases decide which encryption and authentication parameters are applied to packets. SAs may be fixed for the time of traffic flow (manual IPSec). When a key management protocol is used, they are renegotiated many times during the connection flow. For each SA, the SAD entry contains the following data:


Five Steps of IPSec

1. Determine Interesting Traffic
   - ACL determines which traffic is to be encrypted.

2. IKE Phase 1
   - sets up secure communications channel between peers.

3. IKE Phase 2
   - establishes SAs between IPSec peers.

4. Data Transfer
   - data with IPSec protocol(s) applied is transferred between peers.

5. IPSec Tunnel Termination
   - IPSec SAs terminate through deletion or by timing out.

Step 1—Determine Interesting Traffic
Cisco routers use access lists to define the traffic to secure. The access lists are then incorporated in a crypto policy, which causes traffic associated with permit statements to be encrypted, while traffic associated with deny statements is sent unencrypted.

Step 2—IKE Phase One
IKE Phase One’s main purpose is to authenticate the IPSec peers and to set up a secure channel between the peers.

Step 3—IKE Phase Two
IKE Phase Two occurs after IKE has established the secure tunnel in Phase One. It then performs the following:

• Negotiates a shared IPSec policy
• Establishes IPSec SAs
• Derives shared secret keys used for the IPSec security algorithms

Step 4—IPSec Data Transfer
Information is exchanged via the IPSec session based on the method for defining interesting traffic. Packets are encrypted and decrypted at the IPSec peers using any encryption specified in the IPSec SA.


Step 5—Session Termination
The IPSec session can be terminated because the traffic ended and the IPSec SA was deleted, or the SA can time out based on either SA lifetime setting.


Step 1 – Interesting Traffic

access-list 1 permit 148.43.200.36
access-list 1 permit 148.43.200.43

IPSec profile applied to interface

• Access list determines interesting traffic.
• Packets that are a match to the list are encrypted then sent.
• Packets that are not a match are sent in the clear.
• JNN network does not utilize access lists for this purpose; all traffic is considered interesting & is encrypted.

Determining what type of traffic is deemed interesting is part of formulating a security policy for use of a VPN. The policy is then implemented in the configuration interface for each particular IPSec peer. For example, in Cisco routers and PIX Firewalls, access lists are used to determine the traffic to encrypt. The access lists are assigned to a crypto policy such that permit statements indicate that the selected traffic must be encrypted, and deny statements can be used to indicate that the selected traffic must be sent unencrypted. When interesting traffic is generated or transits the IPSec client, the client initiates the next step in the process, negotiating an IKE phase one exchange. Within the JNN network, when IPSec is utilized, all traffic is deemed “interesting” and therefore encrypted. An access list is not referenced (nor configured) for the purposes of IPSec. All traffic exiting the IPSec tunnel interface is encrypted and all traffic entering the interface is decrypted.


Step 2 – IKE Phase 1

(Slide diagram, three stages: negotiate policy set (IKE SA); DH key exchange; peer identity verified.)

• Step one - the two peers negotiate the parameters for the IKE SA.

• Step two consists of the two peers developing a key for use in the IPSec authentication and/or encryption algorithms.

• The identity of the peer is authenticated.

The basic purpose of IKE phase one is to:

• Authenticate and protect the identities of the IPSec peers
• Negotiate a matching IKE SA policy between peers to protect the IKE exchange
• Perform an authenticated Diffie-Hellman exchange to establish matching shared secret keys
• Set up a secure tunnel to negotiate IKE phase two parameters

IKE phase one occurs in two modes:

1. Main mode
2. Aggressive mode

Main mode has three two-way exchanges between the initiator and receiver.

1. First exchange—The algorithms and hashes used to secure the IKE communications are agreed upon in matching IKE SAs in each peer.

2. Second exchange—This exchange uses a Diffie-Hellman exchange to generate shared secret keying material, from which the shared secret keys are derived, and passes nonces, which are random numbers sent to the other party, signed, and returned to prove identity.

3. Third exchange—This exchange verifies the other side's identity. The identity value is the IPSec peer's IP address in encrypted form.


The main outcome of main mode is matching IKE SAs between peers to provide a protected pipe for subsequent protected ISAKMP exchanges between the IKE peers. The IKE SA specifies values for the IKE exchange: authentication method, encryption & hash algorithms, and the DH group used, the lifetime of the IKE SA and the shared secret key values for the encryption algorithms.

In the aggressive mode, fewer exchanges are done and with fewer packets. In the first exchange, almost everything is squeezed into the proposed IKE SA values, the Diffie-Hellman public key, a nonce that the other party signs, and an identity packet. The receiver sends everything back that is needed to complete the exchange. The only thing left is for the initiator to confirm the exchange. The weakness of using this mode is that both sides have exchanged information before there is a secure channel. However, aggressive mode is faster than main mode.


Step 3 – IKE Phase 2

(Slide diagram: negotiate transform sets. Transform set 10: ESP, AES, MD5, tunnel, lifetime. Transform set 20: ESP, AES, MD5, tunnel, lifetime.)

• Phase 2 establishes a secure IPSec session between peers.

• Peers must have matching transform sets to establish a session.

• Only transform sets are compared, not individual protocols/algorithms.

• Transform sets are the basis for building the security association (SA).

The purpose of IKE phase two is to negotiate IPSec SAs to set up the IPSec tunnel. IKE phase two performs the following functions:

• Negotiates IPSec SA parameters protected by an existing IKE SA
• Establishes IPSec security associations
• Periodically renegotiates IPSec SAs to ensure security
• Optionally performs an additional Diffie-Hellman exchange

IKE phase 2 has one mode, called quick mode. Quick mode occurs after IKE has established the secure tunnel in phase one. It negotiates a shared IPSec policy, derives shared secret keying material used for the IPSec security algorithms, and establishes IPSec SAs. Quick mode exchanges nonces that provide replay protection. The nonces are used to generate new shared secret key material and prevent replay attacks from generating bogus SAs. Quick mode is also used to renegotiate a new IPSec SA when the IPSec SA lifetime expires. Base quick mode is used to refresh the keying material used to create the shared secret key, based on the keying material derived from the Diffie-Hellman exchange in phase one.
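Both the transform table in the Transform Set section and the phase 2 slide above make the same point: a transform set is validated and matched as a unit. The following is an added example, not code from the course notes or from Cisco IOS: it checks a proposed set against the table's rules (one to three transforms, at most one per category, ESP authentication only alongside an ESP encryption transform, tunnel or transport mode for the whole set) and then matches whole sets between peers, so a local set that shares the cipher but not the hash with a remote proposal is correctly rejected. Transform names are the ones in the table; set names and the peer proposals are constructed.

```python
# Added example (not from the course notes): validating a transform set against
# the transform table and matching whole sets between peers. Set names and
# proposals are constructed; transform names come from the table.
AH_AUTH = {"ah-md5-hmac", "ah-sha-hmac"}
ESP_ENC = {"esp-des", "esp-3des", "esp-null", "esp-aes", "esp-seal"}
ESP_AUTH = {"esp-md5-hmac", "esp-sha-hmac"}
MODES = ("tunnel", "transport")


def validate_transform_set(transforms, mode="tunnel"):
    """Returns a list of problems; an empty list means the set is acceptable."""
    ts = list(transforms)
    problems = []
    if not 1 <= len(ts) <= 3:
        problems.append("a transform set holds one to three transforms")
    unknown = sorted(set(ts) - (AH_AUTH | ESP_ENC | ESP_AUTH))
    if unknown:
        problems.append("unknown transform(s): " + ", ".join(unknown))
    for label, group in (("AH", AH_AUTH), ("ESP encryption", ESP_ENC), ("ESP authentication", ESP_AUTH)):
        if sum(t in group for t in ts) > 1:
            problems.append("pick up to one %s transform" % label)
    if any(t in ESP_AUTH for t in ts) and not any(t in ESP_ENC for t in ts):
        problems.append("an ESP authentication transform requires an ESP encryption transform")
    if mode not in MODES:
        problems.append("mode must be tunnel or transport")
    return problems


def weaknesses(transforms):
    """Advisory notes a reviewer would raise, based on the table's own descriptions."""
    notes = []
    if "esp-null" in transforms:
        notes.append("esp-null: payload is authenticated but sent unencrypted")
    if "esp-des" in transforms:
        notes.append("esp-des: 56-bit DES key")
    return notes


def as_unit(transforms, mode):
    """The comparable form of a set: the transforms as an unordered unit plus the mode."""
    return (frozenset(transforms), mode)


def negotiate(local_sets, remote_proposals):
    """local_sets: [(name, transforms, mode)] in configured priority order.
    remote_proposals: [(transforms, mode)] offered by the peer.
    The first local set equal to a remote proposal AS A WHOLE wins; sharing
    only the cipher or only the hash is not a match."""
    offered = {as_unit(t, m) for t, m in remote_proposals}
    for name, transforms, mode in local_sets:
        if validate_transform_set(transforms, mode):
            continue                       # never propose an invalid set
        if as_unit(transforms, mode) in offered:
            return name
    return None


def demo_negotiation():
    local = [
        ("ts10", ["esp-aes", "esp-sha-hmac"], "tunnel"),
        ("ts20", ["esp-3des", "esp-md5-hmac"], "tunnel"),
    ]
    # Peer offers AES with MD5 (not SHA) and 3DES with MD5: only ts20 matches as a whole.
    peer_tunnel = [(["esp-aes", "esp-md5-hmac"], "tunnel"), (["esp-md5-hmac", "esp-3des"], "tunnel")]
    # Same transforms but transport mode: the mode is part of the set, so nothing matches.
    peer_transport = [(["esp-3des", "esp-md5-hmac"], "transport")]
    return negotiate(local, peer_tunnel), negotiate(local, peer_transport)


if __name__ == "__main__":
    print(demo_negotiation())            # ('ts20', None)
    print(validate_transform_set(["esp-sha-hmac"]))
```

When phase 2 fails in practice, the mismatch is usually exactly this kind of partial overlap (same cipher, different hash, or same transforms, different mode), which is why comparing the sets side by side on both peers is the first troubleshooting step.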


Step 4 – Data Transfer

IPSec Session

• Once IKE phase 2 is complete, SAs are established between peers.

• Security services designated within the SAs are applied to traffic between the peers.

After IKE phase two is complete and quick mode has established IPSec SAs, information is exchanged between the two peers via the IPSec tunnel. Packets are authenticated and/or encrypted/decrypted using the protocols, algorithms, and modes specified in the IPSec SA.


Step 5 – Tunnel Termination

IPSec Session

• Two reasons for IPSec session termination:

  - the SA is deleted

  - the SA lifetime expires

• Once lifetime expires, SAs are renegotiated utilizing IKE phase 2.

IPSec SAs terminate through deletion or by timing out. Once an SA is terminated, the IPSec session between the two peers is terminated. An SA can time out when a specified number of seconds have elapsed or when a specified number of bytes have passed through the tunnel. When the SAs terminate, the keys are also discarded. When subsequent IPSec SAs are needed for a flow, IKE performs a new phase two and, if necessary, a new phase one negotiation. A successful negotiation results in new SAs and new keys. New SAs can be established before the existing SAs expire so that a given flow can continue uninterrupted.


IPSec Flow Chart (figure): Does the traffic match the ACL for encryption? no: send traffic out the interface. yes: Is there an IPSec SA for this traffic? yes: encrypt and forward. no: Is there an IKE SA? yes: negotiate IPSec SA. no: authenticate peer and negotiate IKE SA; bad authentication: traffic not encrypted; good authentication and IKE SA: negotiate IPSec SA, IPSec SA established, encrypt and forward.

The router determines that traffic must exit an interface to reach a destination network. An IPSec configuration has been applied to that interface. An access list is applied to the outbound traffic. If the traffic is denied by the access list, then the traffic is forwarded without being encrypted. If the traffic is found to match a permit statement in the access list, then the router checks to see if there is an IPSec SA in place to the next hop router for this traffic. If there is, the traffic is encrypted as per the SA and forwarded. If there is no IPSec SA in place for this traffic, then the router checks to see if there is an IKE SA in place. If there is, then the router negotiates an IPSec SA with the destination peer. Once complete, the traffic is encrypted and forwarded. If there is no IKE SA in place, the router attempts to negotiate an IKE SA with the destination peer. If this is accomplished, the two peers then negotiate an IPSec SA, and once complete the traffic is encrypted and forwarded. If an IKE SA cannot be negotiated, then the traffic is not encrypted and is discarded.
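The decision flow above, together with the time-or-volume SA expiry from Step 5, as an added Python model (not code from the course book). The ACL networks, the flow key, the CryptoState structure and the ike_auth_ok flag are constructed for this illustration; the SA lifetimes used are the IOS defaults (3600 seconds, 4,608,000 KB).

```python
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class AclEntry:
    """One line of the crypto ACL (networks are constructed sample values)."""
    action: str   # "permit" (interesting traffic) or "deny"
    src: str      # source network in CIDR notation
    dst: str      # destination network in CIDR notation


@dataclass
class IpsecSa:
    """One IPSec SA carrying the two lifetime limits the text describes."""
    peer: str
    lifetime_sec: int
    lifetime_kb: int
    age_sec: int = 0
    kb_used: int = 0

    def expired(self) -> bool:
        # The SA times out when EITHER the time or the volume limit is reached.
        return self.age_sec >= self.lifetime_sec or self.kb_used >= self.lifetime_kb


@dataclass
class CryptoState:
    """State the router keeps for one IPSec-protected interface (assumption)."""
    acl: list[AclEntry]
    ipsec_sas: dict[str, IpsecSa] = field(default_factory=dict)  # keyed by flow
    ike_sas: set[str] = field(default_factory=set)               # peer addresses


def acl_match(acl: list[AclEntry], src: str, dst: str) -> bool:
    """First-match semantics with an implicit deny at the end, like an IOS ACL."""
    s, d = ip_address(src), ip_address(dst)
    for entry in acl:
        if s in ip_network(entry.src) and d in ip_network(entry.dst):
            return entry.action == "permit"
    return False


def handle_outbound(state: CryptoState, src: str, dst: str,
                    next_hop: str, ike_auth_ok: bool) -> str:
    """Walk the flow chart for one outbound packet and return its disposition:
    'forward-clear', 'encrypt-forward' or 'drop'.  ike_auth_ok stands in for
    the outcome of peer authentication in IKE phase one (assumption)."""
    if not acl_match(state.acl, src, dst):
        return "forward-clear"                 # denied by the ACL: sent unencrypted

    flow = f"{src}->{dst}"
    sa = state.ipsec_sas.get(flow)
    if sa is not None and not sa.expired():
        return "encrypt-forward"               # an existing IPSec SA covers this flow

    if next_hop not in state.ike_sas:          # no IKE SA: phase one comes first
        if not ike_auth_ok:
            return "drop"                      # bad authentication: not encrypted, discarded
        state.ike_sas.add(next_hop)

    # IKE SA in place: quick mode negotiates a fresh IPSec SA (modelled as instant).
    # An expired SA is replaced here, and its keys are discarded with it.
    state.ipsec_sas[flow] = IpsecSa(peer=next_hop, lifetime_sec=3600,
                                    lifetime_kb=4_608_000)
    return "encrypt-forward"
```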


JNN Router IPSec Configuration

crypto isakmp policy 10                                        defines an IKE key exchange policy
 encr aes 256                                                  defines encryption algorithm & bit length
 authentication pre-share                                      defines IKE authentication mode
crypto isakmp key CR6740ik address 0.0.0.0 0.0.0.0             defines pre-shared key & peer IP address
crypto isakmp keepalive 60 10                                  defines IKE peer keepalive interval & retry period
!
!
crypto ipsec transform-set aes_set esp-aes 256 esp-md5-hmac    defines transform set; combination of protocols & associated algorithms
 mode transport                                                defines IPSec mode
!
crypto ipsec profile jnn                                       allows the grouping of several IPSec commands into a single profile
 set transform-set aes_set                                     applies the transform set named "aes_set" to this profile
!
interface Tunnel0                                              configuration for interface Tunnel0
 tunnel protection ipsec profile jnn                           applies IPSec profile "jnn" to Tunnel0

To define an Internet Key Exchange policy, use the crypto isakmp policy command in global configuration mode. IKE policies define a set of parameters to be used during the IKE negotiation. The priority uniquely identifies the IKE policy and assigns a priority to it. Use an integer from 1 to 10,000, with 1 being the highest priority and 10,000 the lowest. You can configure multiple IKE policies on each peer participating in IPSec. When the IKE negotiation begins, it tries to find a common policy configured on both peers, starting with the highest priority policies as specified on the remote peer.

To specify the encryption algorithm within an IKE policy, use the encryption command in Internet Security Association Key Management Protocol (ISAKMP) policy configuration mode. The default is the 56-bit DES encryption algorithm.

To specify the authentication method within an IKE policy, use the authentication command in ISAKMP policy configuration mode. There are three options: pre-share, RSA signature, and RSA encrypted.

To configure a preshared authentication key, use the crypto isakmp key command in global configuration mode. You must use this command to configure a key whenever you specify preshared keys in an IKE policy, and you must enable it at both peers. If an IKE policy includes preshared keys as the authentication method, these preshared keys must be configured at both peers; otherwise the policy cannot be used (the policy will not be submitted for matching by the IKE process). The address portion of this command identifies the IP address of the remote IPSec peer.

To allow the gateway to send dead peer detection (DPD) messages to the peer, use the crypto isakmp keepalive command in global configuration mode. DPD is a keepalive scheme that allows the router to query the liveliness of its IKE peer. The seconds value indicates the number of seconds between DPD messages; the range is from 10 to 3600 seconds. If you do not specify a time interval, you will receive an error message. The retries value is optional and indicates the number of seconds between DPD retries if the DPD message fails; the range is from 2 to 60 seconds. If unspecified, the default is 2 seconds.

To define a transform set, an acceptable combination of security protocols and algorithms, use the crypto ipsec transform-set command in global configuration mode. The transform-set-name portion of the command specifies the name of the transform set. You may specify up to four "transforms": one Authentication Header (AH), one Encapsulating Security Payload (ESP) encryption, one ESP authentication, and one compression. These transforms define the IP Security (IPSec) security protocols and algorithms. You can configure multiple transform sets, and then specify one or more of these transform sets in a crypto map entry. The transform set defined in the crypto map entry is used in the IPSec SA negotiation to protect the data flows specified by that crypto map entry's access list. During the negotiation, the peers search for a transform set that is the same at both peers. When such a transform set is found, it is selected and will be applied to the protected traffic as part of both peers' IPSec SAs. When IKE is not used to establish SAs, a single transform set must be used, and the transform set is not negotiated.

To change the mode for a transform set, use the mode command in crypto transform configuration mode. This setting is only used when the traffic to be protected has the same IP addresses as the IPSec peers (this traffic can be encapsulated either in tunnel or transport mode); it is ignored for all other traffic (all other traffic is encapsulated in tunnel mode). If the traffic to be protected has the same IP addresses as the IPSec peers and transport mode is specified, during negotiation the router will request transport mode but will accept either transport or tunnel mode. If tunnel mode is specified, the router will request tunnel mode and will accept only tunnel mode. After you define a transform set, you are put into crypto transform configuration mode. While in this mode, you can change the mode to either tunnel or transport; this change applies only to the transform set just defined. If you do not change the mode when you first define the transform set, but later decide you want to change the mode for the transform set, you must re-enter the transform set (specifying the transform name and all its transforms) and then change the mode. If you use this command to change the mode, the change will only affect the negotiation of subsequent IPSec security associations via crypto map entries that specify this transform set. (If you want the new settings to take effect sooner, you can clear all or part of the security association database; see the clear crypto sa command for more details.)

To define the IP Security (IPSec) parameters that are to be used for IPSec encryption between two IPSec routers, use the crypto ipsec profile command in global configuration mode. An IPSec profile abstracts the IPSec policy settings into a single profile that can be used in other parts of the Cisco IOS configuration. The IPSec profile shares most of the same commands with the crypto map configuration, but only a subset of the commands are valid in an IPSec profile. Only commands that pertain to an IPSec policy can be issued under an IPSec profile; you cannot specify the IPSec peer address or the access control list (ACL) to match the packets that are to be encrypted. To specify which transform sets can be used within an IPSec profile, use the set transform-set command in IPSec profile configuration mode.

To associate a tunnel interface with an IPSec profile, use the tunnel protection command in interface configuration mode. The tunnel protection command can be used with multipoint GRE (mGRE) and point-to-point GRE (p-pGRE) tunnels. With p-pGRE tunnels, the tunnel destination address will be used as the IPSec peer address. With mGRE tunnels, multiple IPSec peers are possible; the corresponding Next Hop Resolution Protocol (NHRP) mapping nonbroadcast multi-access (NBMA) destination addresses will be used as the IPSec peer addresses. If you wish to configure two Dynamic Multipoint VPN (DMVPN) mGRE and IPSec tunnels on the same router, you must issue the shared keyword.
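The IKE policy search (remote peer's priority order, default suite always present) and the whole-set transform-set comparison with its transport/tunnel mode rule, as an added Python model; this is not Cisco code, and the attribute spellings, the priority assigned to the default suite, and the "shorter lifetime wins" rule are assumptions made for the illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class IkePolicy:
    """One crypto isakmp policy entry (attribute spellings are assumptions)."""
    priority: int          # 1 is the highest priority, 10000 the lowest
    encryption: str
    hash: str
    authentication: str
    dh_group: int
    lifetime: int          # seconds


# The "Default protection suite" the show output lists last: DES, SHA,
# RSA signatures, DH group 1, 86400 s.  It is present on every peer, so it
# matches when nothing else does (the priority value is an assumption).
DEFAULT_IKE_POLICY = IkePolicy(65535, "des", "sha", "rsa-sig", 1, 86400)


def negotiate_ike_policy(local: list[IkePolicy],
                         remote: list[IkePolicy]) -> Optional[IkePolicy]:
    """Find a common IKE policy, walking the remote peer's policies in its
    priority order and the local ones in local priority order.  A match needs
    identical encryption, hash, authentication method and DH group; the
    shorter of the two lifetimes is kept (assumed here)."""
    remote_ordered = sorted(remote + [DEFAULT_IKE_POLICY], key=lambda p: p.priority)
    local_ordered = sorted(local + [DEFAULT_IKE_POLICY], key=lambda p: p.priority)
    for rp in remote_ordered:
        for lp in local_ordered:
            same = ((lp.encryption, lp.hash, lp.authentication, lp.dh_group)
                    == (rp.encryption, rp.hash, rp.authentication, rp.dh_group))
            if same:
                return replace(lp, lifetime=min(lp.lifetime, rp.lifetime))
    return None            # cannot happen while both sides keep the default suite


@dataclass(frozen=True)
class TransformSet:
    """One crypto ipsec transform-set; mode stays 'tunnel' unless changed."""
    name: str
    transforms: frozenset          # e.g. {"esp-aes 256", "esp-md5-hmac"}
    mode: str = "tunnel"


def negotiate_transform_set(local: list[TransformSet],
                            remote: list[TransformSet]) -> Optional[tuple]:
    """Only whole transform sets are compared, never individual transforms.
    Returns (local set name, negotiated mode) or None.  The mode rule applies
    when the protected traffic's addresses are the peers' own (GRE between the
    tunnel endpoints here): a transport request accepts either mode, a tunnel
    request accepts only tunnel, so transport results only if both ask for it."""
    for ls in local:
        for rs in remote:
            if ls.transforms == rs.transforms:
                both_transport = (ls.mode, rs.mode) == ("transport", "transport")
                return ls.name, "transport" if both_transport else "tunnel"
    return None
```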


IPSec Lab

• Configure the DMVPN network on page 23 of the student guide.

• Once completed, apply IPSec utilizing the IPSec commands on the previous page.

• Once network is installed, test connectivity using ping and trace.

• Perform the show commands on the following pages.


IPSec Show Commands

router7#sho crypto isakmp ?          *Cisco uses the term ISAKMP for IKE
  key       Show ISAKMP preshared keys
  peers     Show ISAKMP peer structures
  policy    Show ISAKMP protection suite policy
  profile   Show ISAKMP profiles
  sa        Show ISAKMP Security Associations

router7#sho crypto ipsec ?
  client                Show Client Status
  policy                Show IPSEC client policies
  profile               Show ipsec profile information
  sa                    IPSEC SA table
  security-association  Show parameters for IPSec security associations
  transform-set         Crypto transform sets

Shown above are the options available within the show crypto isakmp command and the show crypto ipsec command.


router7#sho crypto isakmp sa
dst             src             state          conn-id slot status
148.43.200.9    148.43.200.10   QM_IDLE              3    0 ACTIVE

router7#sho crypto isakmp policy

Global IKE policy
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

Show crypto isakmp sa & policy

To display all current Internet Key Exchange (IKE) security associations (SAs) at a peer, use the show crypto isakmp sa command in EXEC mode. When an Internet Security Association and Key Management Protocol (ISAKMP) SA exists, it will most likely be in its quiescent state (QM_IDLE): the ISAKMP SA is idle but remains authenticated with its peer and may be used for subsequent quick mode exchanges. For long exchanges, some of the MM_xxx states may be observed. To display the parameters for each IKE policy, use the show crypto isakmp policy command in EXEC mode. Shown are the variables utilized within an IKE SA: encryption algorithm, hash algorithm, authentication method, DH group, and life of the SA in seconds. Although the output shows "no volume limit" for the lifetimes, you can currently configure only a time lifetime (such as 86,400 seconds); volume limit lifetimes are not used. There is always a default SA included, as shown above. This allows two Cisco routers to form an IKE SA if no other can be found.


Show crypto ipsec transform & sa

router7#sho crypto ipsec trans
Transform set aes_set: { esp-256-aes esp-md5-hmac }
   will negotiate = { Transport, },

router7#sho crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 148.43.200.10

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (148.43.200.10/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (148.43.200.9/255.255.255.255/47/0)
   current_peer 148.43.200.9 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 801, #pkts encrypt: 801, #pkts digest: 801
    #pkts decaps: 629, #pkts decrypt: 629, #pkts verify: 629
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 148.43.200.10, remote crypto endpt.: 148.43.200.9
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x609EBE60(1621016160)

(continued on next slide)

To display the configured transform sets, use the show crypto ipsec transform-set command in EXEC mode. This command shows all IPSec transform sets configured and shows the individual values within each set. To display the settings used by current security associations (SAs), use the show crypto ipsec sa command in EXEC mode; it displays all SAs on the platform. Keywords can be added to this command to show specific SAs based on certain variables.


     inbound esp sas:
      spi: 0x29F9040(44011584)
        transform: esp-256-aes esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 3001, flow_id: SW:1, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4386114/767)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x609EBE60(1621016160)
        transform: esp-256-aes esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 3002, flow_id: SW:2, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4386100/758)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Show crypto ipsec sa
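A parser and audit for the SA blocks of this output, as an added Python example (not from the course book or Cisco): it pulls out SPI, transforms, mode, remaining lifetime and replay-detection flag per SA and flags MD5 integrity, disabled replay detection and SAs near expiry. The SPIs and lifetimes in the embedded sample are copied from the output above; the indented layout and the audit thresholds are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the indented form IOS prints; the values are the
# ones shown on this page, the exact layout is an assumption.
SAMPLE = """\
inbound esp sas:
  spi: 0x29F9040(44011584)
    transform: esp-256-aes esp-md5-hmac ,
    in use settings ={Transport, }
    sa timing: remaining key lifetime (k/sec): (4386114/767)
    replay detection support: Y
    Status: ACTIVE
inbound ah sas:
outbound esp sas:
  spi: 0x609EBE60(1621016160)
    transform: esp-256-aes esp-md5-hmac ,
    in use settings ={Transport, }
    sa timing: remaining key lifetime (k/sec): (4386100/758)
    replay detection support: Y
    Status: ACTIVE
outbound ah sas:
"""


@dataclass
class SaRecord:
    direction: str            # inbound / outbound
    protocol: str             # esp / ah / pcp
    spi: str
    transforms: list = field(default_factory=list)
    mode: str = ""
    remaining_kb: int = 0
    remaining_sec: int = 0
    replay_detection: bool = False
    status: str = ""


SECTION = re.compile(r"^(inbound|outbound) (esp|ah|pcp) sas:")
FIELDS = {
    "spi": re.compile(r"spi: (0x[0-9A-Fa-f]+)"),
    "transform": re.compile(r"transform: (.+?) ,"),
    "mode": re.compile(r"in use settings =\{(\w+),"),
    "timing": re.compile(r"remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)"),
    "replay": re.compile(r"replay detection support: (\w)"),
    "status": re.compile(r"Status: (\w+)"),
}


def parse_ipsec_sas(text: str) -> list:
    """Turn the SA blocks of 'show crypto ipsec sa' into SaRecord objects."""
    records, direction, protocol, cur = [], "", "", None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:                                  # new direction/protocol section
            direction, protocol = m.group(1), m.group(2)
            continue
        if m := FIELDS["spi"].match(line):     # each 'spi:' line starts one SA
            cur = SaRecord(direction, protocol, m.group(1))
            records.append(cur)
        elif cur is None:
            continue
        elif m := FIELDS["transform"].match(line):
            cur.transforms = m.group(1).split()
        elif m := FIELDS["mode"].match(line):
            cur.mode = m.group(1).lower()
        elif m := FIELDS["timing"].search(line):
            cur.remaining_kb, cur.remaining_sec = int(m.group(1)), int(m.group(2))
        elif m := FIELDS["replay"].match(line):
            cur.replay_detection = m.group(1) == "Y"
        elif m := FIELDS["status"].match(line):
            cur.status = m.group(1)
    return records


def audit_sas(records: list, min_remaining_sec: int = 120) -> list:
    """Findings a reviewer of this output would want: MD5 HMAC, no replay detection, SA near expiry."""
    findings = []
    for r in records:
        tag = f"{r.direction} {r.protocol} {r.spi}"
        if any("md5" in t for t in r.transforms):
            findings.append(f"{tag}: MD5 HMAC in use; prefer a SHA-2 transform")
        if not r.replay_detection:
            findings.append(f"{tag}: replay detection disabled")
        if r.status == "ACTIVE" and r.remaining_sec < min_remaining_sec:
            findings.append(f"{tag}: only {r.remaining_sec}s of key lifetime left")
    return findings
```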


DMVPN Review Questions


1. A virtual private network is _____________________. a. a network that uses encryption b. an extension of a private intranet across a public network c. a network that is utilizing an OSPF virtual network d. a loopback interface

2. What is the main technology used to establish a VPN? a. NHRP b. tunneling c. IPSec d. BGP

3. Tunneling _____________?

a. adds additional header(s) to the original IP packet b. can occur at layer 2 or 3 c. can support multi-protocol environments d. all the above

4. GRE was developed by Cisco.

a. true b. false

5. GRE sets up a point-to-point tunnel.

a. true b. false

6. The source and destination address must be configured when using GRE. a. true b. false

7. In a GRE configuration, the tunnel source is specified with a _______________. a. IP address b. router ID c. interface d. grid square

8. In a fully meshed tunnel network consisting of 4 routers utilizing GRE, how many subnets would be required to support the tunnels? a. 4 b. 5 c. 6 d. 8

9. What two protocols are utilized to establish DMVPNs? a. GRE and NHRP b. NHRP and mGRE c. IPSec and GRE d. mGRE and CDP


10. Which of the following is true concerning DMVPNs? a. based on a hub/spoke design b. minimizes router configs c. allows tunnels to be established dynamically d. all the above

11. What is the major difference in the configuration of GRE and mGRE? a. mGRE is much more detailed b. mGRE does not specify the destination address c. GRE does not specify the source address d. there is no IP address assigned in mGRE

12. GRE and mGRE support multicast traffic. a. true b. false

13. What is the purpose of NHRP in a DMVPN network? a. it provides resolution for the next hop b. it provides the destination address for mGRE c. it eliminates the requirement for a routing protocol d. ATM cannot function without it

14. NHRP ____________________. a. assists EIGRP in determining the next hop b. provides resolution of MAC to IP c. maps a tunnel IP to a physical interface IP d. is embedded into the mGRE protocol

15. NHRP is made up of _______________ a. routers and switches b. workstations and servers c. clients and servers d. PVCs and SVCs

16. An NHRP registration is sent from a _________________. a. server to a client b. client to a server c. tunnel to a physical interface d. router to a switch

17. An NHRP resolution request is sent from a _________________. a. server to a client b. client to a server c. tunnel to a physical interface d. router to a switch


18. An NHRP resolution reply is sent from a _________________. a. server to a client b. client to a server c. tunnel to a physical interface d. router to a switch

19. Running the same routing protocol on the tunnel and physical interfaces is a good practice. a. true b. false

20. When utilizing EIGRP in a DMVPN network, what two things must be disabled? a. next hop resolution and split horizons b. composite metric and K values c. router aggregation and stub areas d. next hop self and split horizons

21. When utilizing OSPF in a DMVPN network, the hub should always be the _________________. a. broadcast b. highest router ID c. designated router d. ABR

22. What mGRE tunnel configuration command allows the hub to send OSPF hello packets to all the spokes? a. tunnel mode gre multipoint b. ip nhrp authentication c. ip nhrp map multicast dynamic d. ip ospf network broadcast

23. What command enables NHRP on an interface? a. ip nhrp nhs b. ip nhrp authentication c. ip nhrp network-id d. ip nhrp

24. What command places a static entry into the NHRP database? a. ip nhrp static b. ip nhrp map c. ip nhrp nhs d. ip nhrp authentication

25. The show ip nhrp command displays __________________. a. static entries in the nhrp database b. dynamic entries in the nhrp database c. nhrp configuration on the router d. all entries in the nhrp database


26. What are the three major components of IPSec? a. ESP, AH, IKE b. tunnel, transport, IKE c. RFCs, ISAKMP, IKE d. mode, protocol, IKE

27. IPSec operates at what layer of the OSI model? a. 1 b. 2 c. 3 d. 4

28. Authentication Header (AH) protocol encrypts the packet payload. a. true b. false

29. Encapsulating Security Payload (ESP) can provide the same services as AH. a. true b. false

30. IPSec transport mode adds a new IP header to the packet. a. true b. false

31. The Diffie-Hellman (DH) algorithm is used for _________________. a. authentication b. payload encryption c. key exchange d. making Kool-Aid

32. An IPSec transform set consists of ___________________________. a. an IPSec SA b. an IPSec protocol and associated algorithm c. an IPSec SPI and its associated protocol d. an IKE SA

33. Which of the following is the key management protocol used in IPSec? a. ISAKMP b. DH c. AES d. IKE

34. Which of the following is an IKE authentication method? a. Pre-shared keys b. AH c. DH d. transform sets


35. IKE negotiates in how many phases? a. 37 b. 2 c. 3 d. 1

36. What is the purpose of IKE phase two? a. negotiate keys b. negotiate security associations c. establish a secure tunnel d. AES

37. In establishing an IPSec session, how many steps are there? a. 5 b. 3 c. 7 d. 2

38. In which IPSec step is DH used? a. 1 b. 2 c. 3 d. 4

39. If traffic to be sent has been deemed interesting by an IPSec configuration and there is an SA in place, what is the next step? a. negotiate keys b. encrypt the traffic c. decrypt the traffic d. establish an IKE SA

40. In the JNN router IPSec configuration, the command “crypto isakmp key” does what? a. configures a key for this IPSec session b. defines a pre-shared key and peer address c. defines the algorithm used for IKE d. isakmp is not used with IPSec

41. What is an IPSec profile? a. designates services for IPSec session b. allows the grouping of several IPSec commands into a single profile c. sets the priority of the IPSec session d. sets the type of IKE utilized in the IPSec session

42. When configuring a Cisco router the term ISAKMP actually refers to what? a. ISAKMP b. AES c. IPSec d. IKE


Appendix Configuration Examples


Configuration Examples

OSPF:
router1(config)#router ospf 100
router1(config-router)#network 148.43.200.0 0.0.0.255 area 0
router1(config-router)#passive-interface f0/0 (DO NOT use if this interface communicates with neighbor routers.)

OSPF alternate configuration (per interface):
router1(config)#int s0/0/0
router1(config-if)#ip ospf 100 area 1 (places this interface in area 1; overrides network statement)
router1(config-router)#passive-interface f0/0 (DO NOT use if this interface communicates with neighbor routers.)

EIGRP:
router(config)#router eigrp 22 (22 is the autonomous system number)
router(config-router)#no auto-summary
router(config-router)#network 148.43.200.0 0.0.0.255
or router(config-router)#network 148.43.0.0
router(config-router)#passive-interface f0/0 (DO NOT use if this interface communicates with neighbor routers.)

BGP:
router3(config)#router bgp 3 (3 is the autonomous system number)
router3(config-router)#neighbor 148.43.200.15 remote-as 4
router3(config-router)#network 150.150.10.0 mask 255.255.255.0

Default Routes: (Static route options)
router2(config)#ip route 0.0.0.0 0.0.0.0 f0/0 (using exit interface)
or:
router2(config)#ip route 0.0.0.0 0.0.0.0 148.43.200.22 (using next hop address)

Default Routes: (Propagating into the IGP)
In EIGRP: Router3(config-router)#Redistribute static
In OSPF: Router3(config-router)#Default-information originate
with optional extensions:
Router3(config-router)#Default-information originate metric 500
Router3(config-router)#Default-information originate metric-type 1


Route Summarization

OSPF: router(config-router)#area 2 range 150.150.0.0 255.255.252.0
EIGRP: router(config-if)#ip summary-address eigrp 22 150.150.0.0 255.255.252.0
BGP: (Has 2 summarization techniques)
1. router3(config)#ip route 150.150.8.0 255.255.252.0 null0
   router3(config)#router bgp 3
   router3(config-router)#network 150.150.8.0 mask 255.255.252.0
or:
2. router3(config-router)#aggregate-address 150.150.8.0 255.255.252.0 (must have configured a network statement for at least one of the subnets; has optional summary-only and as-set extensions)

Route Redistribution:
OSPF options:
router7(config)#router ospf 100
router7(config-router)#redistribute bgp 7 subnets
router7(config-router)#redistribute eigrp 7 subnets
router7(config-router)#default-information originate
EIGRP options:
router7(config)#router eigrp 7
router7(config-router)#Redistribute bgp 7 metric 256 1000 0 1 1
router7(config-router)#redistribute ospf 100 metric 256 1000 0 1 1
router7(config-router)#redistribute static

Database commands:
router5#show ip ospf database (with optional extensions):
router5#show ip ospf database router (displays type 1 LSAs)
router5#show ip ospf database summary (displays summary LSAs)
router5#show ip ospf database external (displays type 5 LSAs)
router5#show ip ospf database network (displays type 2 LSAs)
router5#show ip eigrp topology (displays routes via successors and feasible successors)
router5#show ip eigrp topology all-links (displays all routes)


For comments or suggestions on this book, please email us at:

[email protected]

Subject Line: Books
