CCIE R&S v5 Advanced Technology Labs LAN Switching• • o Layer 2 Access Switchports : OK o Layer 2 Dynamic Switchports: OK DTP Negotiation: OK On: Puts the port into permanent trunking mode and negotiates to convert the link into a trunk link. The port becomes a trunk port even if the neighboring port does not agree to the change. Desirable: Actively attempt to form a trunk, subject to neighbor agreement. The port becomes a trunk port if the neighboring port is set to on, desirable, or auto mode. Auto: Makes the port willing to convert the link to a trunk link. The port becomes a trunk port if the neighboring port is set to on or desirable mode. This is the default mode. Off. (Is access mode in Cisco IOS software.) Never become a trunk, even if the neighbor tries. Puts the LAN port into permanent nontrunking mode and negotiates to convert the link into a nontrunking link. Nonnegotiate: Puts the port into permanent trunking mode but prevents the port from generating DTP frames. You must configure the neighboring port manually as a trunk port to establish a trunk link. With Cisco devices, there are three Ethernet trunk encapsulation types: ISL: Uses ISL encapsulation on the trunk link. Dot1q: Uses 802.1Q encapsulation on the trunk link. Negotiate: Specifies that the LAN port negotiate with the neighboring LAN port to become an ISL (preferred) or 802.1Q trunk, depending on the configuration and capabilities of the neighboring LAN port. ** DTP Negotiated Interface Modes Auto Desirable Trunk Access Auto Access Trunk Trunk Access Desirable Trunk Trunk Trunk Access Trunk Trunk Trunk Trunk Limited connectivity Access o Auto Desirable Trunk Access Access Limited connectivity Access 802.1q Dynamic Trunking: OK o 802.1q Native VLAN : Untaged ( se você quer transportar um trafego com vlan native em um trunk 801.2q é necessário configurar o switchport trun native vlan x, pois todos os pacotes da vlan são tageados menos o da vlan nativa. TIP: Pode-se configurar o switch com o comando vlan tag native x caso tenha necessidade de enviar um pacote com tag de VLAN. o VTP Domain / Transparent/ VTP Password / VTP Pruning / Prune-Eligible List o Versão do protocolo VTP: 1, 2 ou 3 Tipos de mensagem VTP: o Summary advertisements: Por padrão, os switches Catalyst emitem anúncios de resumo em incrementos de cinco minutos. Os anúncios de resumo informam aos Catalysts adjacentes o nome de domínio VTP atual e o número de revisão da configuração. Quando o switch recebe um pacote de anúncio de resumo, ele compara o nome de domínio VTP com seu próprio nome de domínio VTP. Se os nomes forem diferentes, o switch simplesmente ignorará o pacote. Se os nomes forem iguais, o switch comparará a revisão da configuração com sua própria revisão. Se a sua própria revisão da configuração for superior ou igual, o pacote será ignorado. Se for inferior, um pedido de anúncio será enviado. o Subset advertisement: Sempre que você adiciona, exclui ou altera uma VLAN em um Catalyst, o servidor Catalyst onde as alterações foram realizadas incrementará a revisão de configuração e emitirá um anúncio de resumo. Um ou mais anúncios de subconjuntos seguirão o anúncio de resumo. Um anúncio de subconjunto contém uma lista de informações sobre a VLAN. Se houver várias VLANs, mais de um anúncio de subconjunto poderá ser solicitado para anunciar todas as VLANs. o Advertisement requests: O switch foi reiniciado. O nome de domínio VTP foi alterado. O switch recebeu um anúncio de resumo VTP com uma revisão de configuração maior que sua própria. Ao receber um pedido de anúncio, um dispositivo VTP envia um anúncio de resumo. Um ou mais anúncios de subconjunto seguem o anúncio de resumo. Modos do VTP É possível configurar um switch para operar em um destes modos do VTP: Servidor — No modo de servidor VTP, você pode criar, modificar e excluir VLANs, bem como especificar outros parâmetros de configuração, como versão e remoção do VTP, para todo o domínio VTP. Os servidores VTP anunciam sua configuração de VLAN para outros switches do mesmo domínio VTP e sincronizam essa configuração com outros switches com base nos anúncios recebidos através de links de tronco. Servidor VTP é o modo padrão. Cliente — Os clientes VTP comportam-se da mesma maneira que os servidores VTP, mas não é possível criar, alterar nem excluir VLANs nesses clientes. Transparente — switches VTP transparentes não participam no VTP. Os switches VTP transparentes não anunciam sua configuração de VLAN nem sincronizam essa configuração com base nos anúncios recebidos. Contudo, eles encaminham os anúncios VTP recebidos através de suas portas de tronco no VTP Versão 2. Desativado (configurável somente nos switches CatOS) — Nos três modos descritos, os anúncios VTP são recebidos e transmitidos assim que o switch entra no estado de domínio de gerenciamento. No modo desativado, os switches se comportam como no modo transparente VTP, porém, a única diferença é que os anúncios VTP não são encaminhados. VTP Version 3 – Do again!!! PDF: VTP_configurations.pdf Layer 2 EtherChannel ( ON with ON )/ Layer 2 EtherChannel with PAgP/ Layer 2 EtherChannel with LACP/ Layer 3 EtherChannel For mode, select one of these keywords: • active—Enables LACP only if an LACP device is detected. It places an interface into an active negotiating state, in which the interface starts negotiations with other interfaces by sending LACP packets. • auto —Enables PAgP only if a PAgP device is detected. It places an interface into a passive negotiating state, in which the interface responds to PAgP packets it receives but does not start PAgP packet negotiation. • desirable—Unconditionally enables PAgP. It places an interface into an active negotiating state, in which the interface starts negotiations with other interfaces by sending PAgP packets. • on—Forces the interface to channel without PAgP. With the on mode, a usable EtherChannel exists only when an interface group in the on mode is connected to another interface group in the on mode. This setting allows PAgP to operate. Mode: ON + ON = (Channel) On / Active / Passive + Off = ( No Channel ) Active + Active = ( Channel ) Active + Passive = ( Channel ) Passive / On + Passive = ( No Channel ) The load-balancing keywords indicate these values: • src-mac—Source MAC addresses • dst-mac—Destination MAC addresses • src-dst-mac—Source and destination MAC addresses • src-ip—Source IP addresses • dst-ip—Destination IP addresses • src-dst-ip—Source and destination IP addresses (Default) • src-port—Source Layer 4 port • dst-port—Destination Layer 4 port • src-dst-port—Source and destination Layer 4 port Balance simple explanations: . The silent setting is for connections to file servers or packet analyzers. If you do not specify non-silent with the auto or desirable mode. to attach the interface to a channel group. silent is assumed.• non-silent—If your switch is connected to a partner that is PAgP-capable. but does not start LACP packet negotiation. you can configure the switch interface for nonsilent operation. in which the interface responds to LACP packets that it receives. • passive—Enables LACP on an interface and places it into a passive negotiating state. and to use the interface for transmission. You can configure an interface with the non-silent keyword for use with the auto or desirable mode. STP timer values – Max_Age.Cost of Path – Cost of all links from the desired switch to the root bridge 3.pdf STP: PDF: STP_MST_features. the EtherChannel always chooses the same link in that EtherChannel.Use the option that provides the balance criteria with the greatest variety in your configuration. For example. Hello Time.pdf STP Root Bridge Election Some of the terminologies that has to be kept in mind wile designing STP: 1.Root ID – The lowest Bridge-ID in the topology 2. using source addresses or IP addresses might result in better load balancing. if the traffic on an EtherChannel is going only to a single MAC address and you use the destination MAC address as the basis of EtherChannel load balancing. PDF: Etherchannel_802.Forward Delay .Bridge ID – (BID) of the transmitting switch 4. 6.Port ID – Transmitting switch port ID 5.1q_InterVlan Routing. All ports of the root bridge are designated ports (they are never in a blocking state). 3. The port with the lowest cost to the root is automatically assigned as a root port. Root Bridge does NOT have any root ports.BPDU Process : 1.It is a port that is in a blocking state in the STP topology.It is a port that is in the forwarding state. which is the shortest (the best) path towards the root bridge. One Root port is elected on each non root bridge: With the help of received BPDUs the path cost on all switch ports were compared. Spanning-Tree Port Roles Root Port (RP) (UPSTREAM_BDPU) . Non-Designated Port (NDP) . Election of Designated and Non-designated Ports: All the switch ports in the root bridge will be acting as a designated port. 2.-) ) Designated Port (DP) (DOWNSTREAM_BPDU) . (No shortest path to itself . The switch with the lowest bridge ID is elected as a root bridge. there will be 2 root ports and the port with the lowest BID other than these 2 root ports will be acting as a designated port. Electing a Root Bridge : BPDU s were sent in the broadcast domain. .It is a port on a non-root switch. When 2 switches connected to the same segment sends BPDUs. BPDU frames our sent out this port. The other port will be blocked. if the TC-while timer (the same as the TC timer in 802. it propagates the change to all of its nonedge. the migrate-delay timer is started (specifies the minimum time during which RSTP BPDUs are sent). • Protocol migration—For backward compatibility with 802. • Notification— the RSTP does not use TCN BPDUs. The RSTP BPDUs never have the TCA bit set. unlike 802. the TC-while timer is reset. When an RSTP switch detects a topology change.1D in which any transition between the blocking and the forwarding state causes a topology change. • Propagation—When an RSTP switch receives a TC message from another switch through a designated or root port.1D. UplinkFast and BackboneFast configurations are ignored in Rapid-PVST mode.1D configuration BPDU with the TCA bit set. State changes on an edge port do not cause a topology change. only transitions from the blocking to the forwarding state cause a topology change with RSTP (only an increase in connectivity is considered a topology change). or TCN received). both features are included in . This BPDU is sent out the Root Port (upstream) towards the root bridge informing it. If the switch receives an 802.1D in handling spanning tree topology changes: • Detection—Unlike 802. However. However. However. TIPs: RSTP.the type of BPDU that is sent back to the sender of TCN BPDU.Topology Change Notification (TCN) .the type of BPDU that a switch will send if it detects the topology change (port going down. While this timer is active. it restarts the timer and starts using RSTP BPDUs on that port.1D switch and a configuration BPDU with the TCA set is received. Topology Changes These are the differences between the RSTP and the 802.1D switch and starts using only 802. RSTP selectively sends 802. the switch processes all BPDUs received on that port and ignores the protocol type.1D switch.1D BPDUs. that the tree needs to be recomputed. for 802. it replies with an 802.1D configuration BPDUs and TCN BPDUs on a per-port basis. and RSTP BPDUs are sent. designated ports and to the root port (excluding the port on which it is received).1D interoperability. if the RSTP switch is using 802.1D switches. The switch starts the TC-while timer for all such ports and flushes the information learned on them. an RSTP switch processes and generates TCN BPDUs. Topology Change Acknowledgement (TCA) . • Acknowledgement—When an RSTP switch receives a TCN message on a designated port from an 802.1D) is active on a root port connected to an 802.1D BPDU after the port migration-delay timer has expired.1D switches. it assumes that it is connected to an 802. When a port is initialized. acknowledging the reception of the notification. This method of operation is only required to support 802. it deletes the learned information on all of its nonedge ports except on those from which it received the TC notification.1D BPDUs on a port and receives an RSTP BPDU after the timer has expired. servers) as spanning-tree portfast. STP Path Selection with Port Cost: OK Com essa mudança irá afetar Local path selection. o STP UplinkFast: OK To understand how UplinkFast helps speed up the convergence. o STP BPDU Filter ( Working Inbound and Outbound )/ STP BPDU Filter Default ( Default with Portfast is works only outbound filter!) Filter BPDUs IN end OUT. STP BackboneFast:OK Indirect failures should start recalculating immediately! STP BPDU Guard/ STP BPDU Guard Default:OK The BPDU Guard feature is used to protect the Spanning Tree domain from external influence If superior BPDUs is received the will get shutdown with (err-disabled). You must apply these configurations on edge ports to avoid BPDU inferior on the STP domain! You can use together STP BPDU Guard Default and PortFast for guarantee more security in your Environment. Porém o TCN é enviado após 3 segundos! Não ocasionando perca de pacote. . o Tuning STP Convergence Timers: OK o STP PortFast: OK In order to reduce the number of topology changes. IP Phones. STP PortFast Default: OK É habilitado em todas as portas edge de um domínio STP. Convergência de aproximadamente 1 segundo. configure all edge ports in the topology (connected to hosts. STP Path Selection with Port Priority = 0 Com essa mudança irá afetar Downstream Neighbor. Portfast ports do not generate TC events when they go up or down. You configure the Loop Guard feature on a per-port basis. switches do an additional check before transitioning to the STP forwarding state. The Root Guard feature prevents a Designated Port from becoming a Root Port. The Root Guard feature forces an interface to become a designated port to prevent surrounding switches from becoming a root switch. it moves the port into a root-inconsistent state (effectively equal to a listening state). STP Root Guard:OK Root Guard is useful in avoiding Layer 2 loops during network anomalies. If a port on which the Root Guard feature receives a superior BPDU. thus maintaining the current Root Bridge status. learning. although the feature blocks inconsistent ports on a per-VLAN basis. and forwarding states.Quando habilitado o comando spanning-tree bpdufilter na interface do SW_1 ( SW_01 para RT_01) o elemento SW_01 irá parar de enviar BDPU para o RT_01. With the Loop Guard feature. Loop Guard cannot be enabled on a switch that also has Root Guard enabled . In other words. TIP: You need define manually this feature to guarantee the topology synchronization!!! STP Loop Guard proprietary ): / Unidirectional Link Detection ( Cisco- Prevention unidirectional links Loop Guard: Send L1 keep alive packets for the neighbors When implementing Loop Guard. you should be aware of the following implementation guidelines. If switches stop receiving BPDUs on a no designated port with the Loop Guard feature enabled. Root Guard provides a way to enforce the root bridge placement in the network. the switch places the port into the STP loop-inconsistent blocking state instead of moving through the listening. UDLD performs tasks that Layer 1 mechanisms. Unidirectional links can cause spanning-tree topology loops. This mode comes into play after a UDLD neighbor stops receiving UDLD updates from its adjacent peer. the local device will attempt to reestablish the UDLD connection eight times. MST: The IEEE 802. Multiple Spanning Tree Instance 0) is designated to carry all STP-related information. a special STP instance number 0 called Internal Spanning Tree (IST aka MSTI0. nor does it encapsulate VLAN numbers list configuration messages. such as auto negotiation. . both Layer 1 and Layer 2 detections work together to prevent physical and logical unidirectional connections and the malfunctioning of other protocols. When UDLD and auto-negotiation are enabled. it will proceed and errdisable the port. UDLD is useful on a fiber ports to prevent network issues resulting in miswiring at the patch panel causing the link to be in up/up status but the BPDUs are lost.1s implementation does not send BDPUs for every active STP instance separately. UDLD enables devices to detect when a unidirectional link exists and also to shutdown the affected interface. Unidirectional Link Detection is a Layer 2 protocol. UDLD in aggressive mode: UDLD aggressive mode is configured on point-to-point links. Loop Loop Loop Loop Loop Guard Guard Guard Guard Guard does not affect Uplink Fast or Backbone Fast operation must be enabled on point-to-point links only operation is not affected by the Spanning Tree timers cannot actually detect a unidirectional link cannot be enabled on Port Fast or Dynamic VLAN ports UDLD: A unidirectional link occurs when traffic is transmitted between neighbors in one direction only. If the switch is unable to reestablish the connection within this timeframe. Instead. cannot perform. In aggressive mode. The IST is the only spanning tree instance that sends and receives BPDUs. Because the MST BPDU carries information for all instances. all VLANs are assigned to the IST. within the BPDU of MSTP instances that enables corresponding instances to calculate a final topology TIP: revision number. even if regions A and B are interconnected.1s. CIST. but each MST instance x has its own topology parameters. which are encapsulated within MST BPDUs. MST maintains multiple spanning tree instances. Within each MST region.3. known as the IST. An MST instance is local to the region. 802. MST instance 1 in region A is independent of MST instance 1 in region B.IST.1w. The CIST is formed by the spanning tree algorithm running among switches that support the 802. root path cost.2. and so forth. MST establishes and maintains IST. such as root bridge ID. Keep in mind that you have to change it manually (this isn’t VTP) on all MST switches it doesn’t update automatically . and CST Overview Unlike other spanning tree protocols. The spanning tree computed in a region appears as a sub-tree in the CST that encompasses the entire switched domain. All other MST instances are numbered from 1 to 4094. By default. • The CST interconnects the MST regions and single spanning trees. CIST. M-Record is a sub-field. in which all the spanning tree instances are independent. for example.1D standards. the number of BPDUs that need to be processed to support multiple spanning tree instances is significantly reduced. All of the other spanning tree instance information is contained in MSTP records (M-records).4 etc). Instance 0 is a special instance for a region. All MST instances within the same region share the same protocol timers. The CIST inside an MST region is the same as the CST outside a region. • A CIST is a collection of the ISTs in each MST region. treat this number like a software version number in programming start from 1 and work upwards (1. and 802. and CST spanning trees: • An IST is the spanning tree that runs in an MST region. MST Path selection Same election process as CST/PVST MST Root Bridge Election Root Bridge: 1-Lowest BID Root port: 1-Lowest cost 2-Lowest upstream BID 3-Lowest port ID MST Path Selection with Port Cost (Will choose the lowest cost to Root Port) MST Path Selection with Port Priority (Will choose the lowest Port-Priority to became the root port) MST and Rapid Spanning Tree (Transaction almost immediately the ports states) PDF: Protect Ports_STP brodcastStorm.pdf Protected Ports: OK Some applications require that no traffic be forwarded by the Layer 2 protocol between ports on the same switch. In such an environment, there is no exchange of unicast, broadcast, or multicast traffic between ports on the switch, and traffic between ports on the same switch is forwarded through a Layer 3 device such as a router. To meet this requirement, you can configure Catalyst 2950 ports as protected ports (also referred to as private VLAN edge ports). Protected ports do not forward any traffic to protected ports on the same switch. This means that all traffic passing between protected ports—unicast, broadcast, and multicast—must be forwarded through a Layer 3 device (You can´t configure vlan as mode switch mode access in sub. interfaces). Protected ports can forward any type of traffic to nonprotected ports, and they forward as usual to all ports on other switches. Dynamically learnt addresses are not retained if the switch is reloaded. Commando that you apply on interface: switchport protected Traffic Storm Control : OK A traffic storm occurs when packets flood the LAN, creating excessive traffic and degrading network performance. The traffic storm control feature prevents LAN ports from being disrupted by a broadcast, multicast, or unicast traffic storm on physical interfaces. Traffic storm control (also called traffic suppression) monitors incoming traffic levels over a 1second traffic storm control interval, and during the interval it compares the traffic level with the traffic storm control level that you configure. The traffic storm control level is a percentage of the total available bandwidth of the port. Each port has a single traffic storm control level that is used for all types of traffic (broadcast, multicast, and unicast). Traffic storm control monitors the level of each traffic type for which you enable traffic storm control in 1-second traffic storm control intervals. In all releases, and by default in Release 12.2(33)SXJ and later releases, within an interval, when the ingress traffic for which traffic storm control is enabled reaches the traffic storm control level that is configured on the port, traffic storm control drops the traffic until the traffic storm control interval ends. Release 12.2(33)SXJ and later releases support these configurable traffic storm control optional actions: • Shutdown—When a traffic storm occurs, traffic storm control puts the port into the error-disabled state. To reenable ports, use the error-disable detection and recovery feature or the shutdown and no shutdown commands. • Trap—When a traffic storm occurs, traffic storm control generates an SNMP trap. MAC-Address Table Static Entries and Aging: OK To switch frames between LAN ports efficiently, the switch maintains an address table. When the switch receives a frame, it associates the media access control (MAC) address of the sending network device with the LAN port on which it was received. The switch dynamically builds the address table by using the MAC source address of the frames received. When the switch receives a frame for a MAC destination address not listed in its address table, it floods the frame to all LAN ports of the same VLAN except the port that received the frame. When the destination station replies, the switch adds its relevant MAC source address and port ID to the address table. The switch then forwards subsequent frames to a single LAN port without flooding all LAN ports. You can also enter a MAC address, which is termed a static MAC address, into the table. These static MAC entries are retained across a reboot of the switch. In addition, you can enter a multicast address as a statically configured MAC address. A multicast address can accept more than one interface as its destination. TIP: If you enable the auto-learn option, the switch will update the entry if the same MAC address is seen on a different port. The switch uses a mechanism called aging to keep the Ethernet switching table current. For each MAC address in the Ethernet switching table, the switch records a timestamp of when the information about the network node was learned. Each time the switch detects traffic from a MAC address that is in its Ethernet switching table, it updates the timestamp of that MAC address. A timer on the switch periodically checks the timestamp, and if it is older than the value set for mac-table-aging-time, the switch removes the node's MAC address from the Ethernet switching table. This aging process ensures that the switch tracks only active MAC addresses on the network and that it is able to flush out from the Ethernet switching table MAC addresses that are no longer available. You configure how long MAC addresses remain in the Ethernet switching table using the mac-tableaging-time statement in either the edit ethernet-switching-options or the vlans hierarchy, depending on whether you want to configure it for the entire switch or only for specific VLANs. For example, if you have a printer VLAN, you might choose to configure the aging time for that VLAN to be considerably longer than for other VLANs so that MAC addresses of printers on this VLAN age out less frequently. Because the MAC addresses remain in the table, even if a printer has been idle for some time before traffic arrives for it, the switch still finds the MAC address and does not need to flood the traffic to all other interfaces. Similarly, in a data center environment where the list of servers connected to the switch is fairly stable, you might choose to increase MAC address aging time, or even set it to unlimited, to increase the efficiency of the utilization of network bandwidth by reducing flooding o SPAN / RSPAN / ERSPAN / PSPAN / VSPAN = Precisa testar !!! SPAN Terminology Ingress traffic-Traffic that enters the switch. Egress traffic-Traffic that leaves the switch. Source (SPAN) port -A port that is monitored with use of the SPAN feature. Source (SPAN) VLAN -A VLAN whose traffic is monitored with use of the SPAN feature. Destination (SPAN) port -A port that monitors source ports, usually where a network analyzer is connected. Reflector Port -A port that copies packets onto an RSPAN VLAN. Monitor port-A monitor port is also a destination SPAN port in Catalyst 2900XL/3500XL/2950 terminology. Overviwe about SPANs mode. Operational source-A list of ports that are effectively monitored. O componente importante de uma rede de telefonia IP bem sucedida é o correto provisionamento da largura de banda. representando o mínimo de banda para um determinado link que não deve exceder 75% do total da largura de banda ( na prática os valores são questionáveis). cada tráfego tentará utilizar a banda disponível sem consideração com o outro perfil de tráfego. This list of ports can be different from the administrative source. Use of this term is avoided in this document. For example. o Voice VLAN:OK Rede Local baseada em classificação e marcação de pacotes Se as ligações Voip e o tráfego de desktop estiverem na mesma VLAN. a port that is in shutdown mode can appear in the administrative source. Therefore. RSPAN is not supported on all switches. Remote SPAN (RSPAN)-Some source ports are not located on the same switch as the destination port. the user can choose to monitor all the ports that belong to a particular VLAN in a single command. RSPAN is an advanced feature that requires a special VLAN to carry the traffic that is monitored by SPAN between switches. Check the respective release notes or configuration guide to see if you can use RSPAN on the switch that you deploy. This feature is in contrast to Remote SPAN (RSPAN). which this list also defines. O tráfego padrão de uma ligação consiste em 2 tipos de tráfego: Stream de Voz: Pacotes RTP com as amostras de voz Call Control Signaling: Pacotes responsáveis pela sinalização das chamadas VLAN de Voz . Local SPAN-The SPAN feature is local when the monitored ports are all located on the same switch as the destination port. but is not effectively monitored. ESPAN-This means enhanced SPAN version. Port-based SPAN (PSPAN)-The user specifies one or several source ports on the switch and one destination port. VLAN-based SPAN (VSPAN)-On a particular switch. Após a separação dos dados. the term is not very clear. This term has been used several times during the evolution of the SPAN in order to name additional features. Para evitar essa questão utilize diferentes VLANs para permitir a segregação do VoIP dos outros dados. Administrative source-A list of source ports or VLANs that have been configured to be monitored. políticas de QoS podem ser aplicadas para priorizar o VoIP na rede. endereço IP ou interface de entrada. NOTE Traditionally. Com os telefones IP em suas próprias sub-redes e VLANs. cabeçalho MPLS. O tráfego é examinado e classificado. you configure it as an . Camada 3: precedência IP. when you configure a switchport to connect to a Cisco IP Phone.Alguns modelos de Switches oferecem features chamadas de “auxiliary VLAN” ou “voice VLAN”. CLP (ATM). Esse modelo de VLANs permite a atribuição dos telefones em sua própria VLAN sem a intervenção do usuário final. As marcações de QoS estabelece níveis de prioridade ou prioridades de classes para tráfego de rede em cada Switch. o que pode ser feito pela examinarão de informações de diferentes camadas (modelo OSI). Camada 4: portas TCP ou UDP ou interface de entrada Camada 7: assinatura de aplicações ou interface de entrada Todo tráfego é classificado ou agrupado de acordo com esses critérios serão marcados de acordo com a sua classificação. os administradores podem facilmente identificar e aplicar as políticas de QoS e segurança além da convergência da estrutura física. DSCP. O tráfego pode ser classificado seguindo qualquer um dos critérios abaixo: Camada 2: endereço MAC.1q (e 802. a switchport on a Cisco switch that receives tagged packets is referred to as a trunk port. However. PoE ( Power over Ethernet ): A tecnologia PoE permite que o Switch ou Patch Pannel forneça energia diretamente ao telefone IP. DE (FrameRelay) ou pela interface de entrada.1p). Classificação e Marcação A técnica de Classificação e Marcação identifica o perfil para priorização adequada de cada tráfego da rede. O usuário simplesmente coloca o telefone no Switch que então providencia ao telefone as configurações necessárias da VLAN. cabeçalho 802. the IP Phone begins tagging its own packets. When you apply a SmartPort macro on an interface. Non-Cisco IP Phones cannot understand CDP packets. You need to reapply the updated macro on the interface to apply the new or changed commands. SmartPort macro sets do not contain new CLI commands. Cisco-Default Smartports Macros cisco-global: Use this global configuration macro to enable load balancing across VLANs. Each Smartport macro is a set of CLI commands that you define." NOTE Keep in mind that Cisco IP phones will be able to receive this voice VLAN configuration from the switch via CDP. So. o Smartport Macros:OK Understanding SmartPort Macros Smartport macros provide a convenient way to save and share common configurations. think of these ports as "access ports supporting tagged voice VLAN traffic. such as a PC. . provide rapid convergence of spanning-tree instances and to enable port error recovery. the CLI commands contained within the macro are configured on the interface.access port (for the untagged data from the PC) while supporting tagged traffic from the IP phone. TIP-2: You can use the macro trace macro-name interface configuration command to show what macros are running on an interface or to debug the macro to determine any syntax or configuration errors. When the macro is applied to an interface. This typically requires you to manually configure each of the non-Cisco IP Phones with its voice VLAN number from a local phone configuration window (on the IP phone). cisco-desktop: Use this interface configuration macro for increased network security and reliability when connecting a desktop device. to a switch port. You can use Smartport macros to enable features and settings based on the location of a switch in the network and for mass configuration deployments across the network. Each Smartport macro is a group of existing CLI commands. After it receives the voice VLAN number. TIP-1: If you modify a macro definition by adding or deleting commands. The new commands are added to interface and are saved in the running configuration file. the existing interface configurations are not lost. the changes are not reflected on the interface where the original macro was applied. Primary VLANs and the two types of secondary VLANs (isolated and community) have these characteristics: . cisco-router: Use this interface configuration macro when connecting the switch and a WAN router. or when it is used to deliver Video-on-Demand (VoD). PDF: Smart Port_Macro. The following two types are secondary VLANs within a primary VLAN: • Isolated VLANs—Ports within an isolated VLAN cannot communicate directly with each other at the Layer 2 level. the primary VLAN is the entire private VLAN domain. cisco-switch: Use this interface configuration macro when connecting an access switch and a distribution switch or between access switches connected using GigaStack modules or GBICs. Each port in a private VLAN domain is a member of the primary VLAN. cisco-lre-cpe: Use this interface configuration macro to optimize performance when the switch is installed in apartment buildings or hotels. Secondary VLANs provide isolation between ports within the same private VLAN domain. This macro is an extension of the cisco-desktop macro and provides the same security and resiliency features.cisco-phone: Use this interface configuration macro when connecting a desktop device such as a PC with a Cisco IP Phone to a switch port. or multicast video. • Community VLANs—Ports within a community VLAN can communicate with each other but cannot communicate with ports in other community VLANs or in any isolated VLANs at the Layer 2 level. but with the addition of dedicated voice VLANs to ensure proper treatment of delay-sensitive voice traffic.pdf Private VLANs A private VLAN domain has only one primary VLAN. cisco-wireless: Use this interface configuration macro when connecting the switch and a wireless access point. You can configure multiple community VLANs in a private VLAN domain. all the traffic remains isolated within each one. Each isolated VLAN can have several isolated ports.• Primary VLAN— the primary VLAN carries traffic from the promiscuous ports to the host ports. but these ports cannot communicate with ports in any other community or isolated VLAN in the private VLAN. You can configure multiple isolated VLANs in a private VLAN domain. and the traffic from each isolated port also remains completely separate. The ports within one community can communicate. • Isolated VLAN — an isolated VLAN is a secondary VLAN that carries unidirectional traffic upstream from the hosts toward the promiscuous ports. • Community VLAN—a community VLAN is a secondary VLAN that carries upstream traffic from the community ports to the promiscuous port and to other host ports in the same community. . and to other promiscuous ports. both isolated and community. (Including trunks) Community ports will forward broadcast to the promiscuous & other community ports.pdf . Isolated ports cannot even communicate with other isolated ports. (Including trunks) PDF: PrivateVLANs.Another TIP: Terminology: Promiscuous Port – This is the ‘primary’ VLAN that can communicate with all the other Isolated & Community ports with the PVLAN environment. Isolated Port – This is a ‘secondary’ VLAN that will only communicate with the ‘primary’ promiscuous VLAN. They will not however be able to communicate with ports configured in an ‘isolated’ VLAN. communication is blocked at the Layer 2 perspective. Layer 2) Community Port – This is another type of a ‘secondary’ VLAN. Traffic Flows: Since these Private VLANs operate at layer 2 it is worth pointing out some specific traffic flows. after all it is worth considering the implication of this isolation and typical broadcast/multicast flows: Broadcast Traffic The promiscuous port will forward broadcast traffic to all isolated & community ports. The big difference here is that a port configured in a ‘secondary’ community VLAN can also communicate with other ports configured as community ports. like Isolated ports a community port can also communicate with the ‘primary’ promiscuous VLAN. (Including trunks) The Isolated port will only forward the broadcast to a promiscuous port. (At which layer do VLANs operate at. Since we are talking about VLANs. A method for encapsulating multi-protocol datagrams. hence. R1 and R2 R1# ! username R1 password 0 cisco interface Serial0/0 ip address 1. PAP authentication does not provide any protection against playback and line sniffing. and testing the data-link connection.1.1.255. A Link Control Protocol (LCP) for establishing. 3.1 255. Layer 2 WAN Circuits HDLC: OK hdlc-101211214058-phpapp01.255. PPP Authentication ( PAP and CHAP ) PAP authentication involves a two-way handshake where the username and password are sent across the link in clear text.pptx PPP: The Point-to-Point Protocol (PPP) provides a standard method for transporting multi-protocol datagrams over point-to-point links.2 255. 2.1.255.0 encapsulation ppp .1. PPP is comprised of three main components: 1. A family of Network Control Protocols (NCPs) for establishing and configuring different network-layer protocols. configuring.255.0 encapsulation ppp ppp authentication pap ppp pap sent-username R2 password 0 cisco R2# ! username R2 password 0 cisco ! interface Serial0/0 ip address 1. If the values match.0 encapsulation ppp clock rate 2000000 ppp authentication chap ! PPP Multilink The Multilink PPP feature provides load balancing functionality over multiple WAN links while providing multivendor interoperability. Refer to RFC 1990 for more information about the endpoint discriminator. the connection is terminated. The multiple links come up in response to a defined dialer load threshold. .255. and load calculation on both inbound and outbound traffic. on the other hand.255.1. Additionally.1.ppp authentication pap ppp pap sent-username R1 password 0 cisco CHAP authentication. R1 and R2 R1# username R1 password 0 cisco interface Serial0/0 ip address 1. Multilink PPP allows packets to be fragmented and the fragments to be sent at the same time over multiple point-to-point links to the same remote address.1 255.1. After the PPP link is established. proper sequencing. you can change the default endpoint discriminator value that is supplied as part of user authentication. Multilink PPP provides bandwidth on demand and reduces transmission latency across WAN links. Cisco's implementation of Multilink PPP supports the fragmentation and packet sequencing specifications in RFC 1990.1. as required for the traffic between the specific sites.255. otherwise.255.0 encapsulation chap clock rate 2000000 ppp authentication chap R2# ! username R2 password 0 cisco ! interface Serial0/0 ip address 1. the authentication is acknowledged. packet fragmentation. The host checks the response against its own calculation of the expected hash value. periodically verifies the identity of the remote node using a three-way handshake. The load can be calculated on inbound traffic or outbound traffic. The remote node responds with a value calculated using a one-way hash function.2 255. Multilink PPP is designed to work over synchronous and asynchronous serial types of single or multiple interfaces that have been configured to support both dial-on-demand rotary groups and PPP encapsulation. the host sends a "challenge" message to the remote node. Transmission device send data continuously to receiving device. Each character comes with the information of start and stop ( each 8 bits ). When a new link is added to a Multilink PPP bundle to bring the number of links up to the required number of minimum links. Asynchronous: (sent in individual bytes) It is character oriented. receiver or transmitters are synchronized. This is specially used in low speed transmission. The Multilink PPP Minimum Links Mandatory feature enables you to configure the minimum number of links that are required in a Multilink PPP bundle to keep the bundle active. When data are being transmitted a receiver stay at high at logic 1. In this system 1 for mark. If the data is not ready this system continuously synchronous data until the data is unviable. and the NCPs are disabled for that Multilink PPP bundle. the number of links falls below the required minimum number of links for that Multilink PPP bundle. This information is specially used for high speed transmission. The Multilink PPP Minimum Links Mandatory feature causes all Network Control Protocols (NCPs) for a Multilink PPP bundle to be disabled until the Multilink PPP bundle has the required minimum number of links. PPPoE Header PPPoE format Packet: . Multilink PPP is often used to increase the amount of bandwidth between points. TIP: Synchronous: ( send frames of large data blocks) The synchronous format. Usually in this synchronous system one or two SYNC character are used for data synchronous data system. When a link is removed from a Multilink PPP bundle. the NCPs are activated for the Multilink PPP bundle. 0 for space.Multilink PPP Minimum Links Mandatory Multilink PPP allows multiple PPP links to be established in parallel to the same destination. This is clk oriented transmission format. A block of information is transmitted along with the synchronization information. net/technology/difference-betweendhcp-and-pppoe/ Configuring PPPoE in a VPDN group limited PPPoE configuration options because only one PPPoE VPDN group with one virtual template is permitted on a device. NBMA is used to accurately model X. The other OSPF network types are: broadcast. each with a different configuration. http://blog. point-to-point.Configurations: PPPoE without and with DHCP. The PPPoE Profiles feature (bba-group) provides simplicity and flexibility in PPPoE configuration by separating PPPoE from VPDN configuration.com/2008/01/20/example-configurations-for-ppp-overethernet-pppoe/ TIP: http://www.ine. and point- . to be used on a single device.25 and frame relay environments in multiple-access networks where there are no intrinsic broadcast and multicast capabilities. CCIE R&S v5 Advanced Technology Labs IP Routing • • o Routing to Multipoint Broadcast Interfaces: OK o Routing to NBMA Interfaces: OK NBMA (non-broadcast multiple access) is one of four network types in the OSPF (Open Shortest Path First) communications protocol. The PPPoE Profiles feature allows multiple PPPoE profiles.differencebetween. 168.14.168. the router will compare the first 23 bits of 192.128.1.128.co. To summarize this subject: The longest match is referring to the longest or most specific prefix which is matched against a destination address.uk/ospf/ospf-non-broadcast-nbma-network Longest Match Routing:OK As an example.0 and if they match (which they do) then the router will transmit the packet out of FastEthernet0/0 using the destination MAC address of 192. .168.129.14 to 192. In an NBMA configuration.129.168.168. The HELLO timer (which tells the router how often to send HELLO packets) is extended from 10 to 30 seconds and the dead router timer (which tells the router how long to wait before it decides that a neighboring router is not functioning) is extended from 40 to 120 seconds. if you have a routing table entry which is similar to the following : --- 192.0/23 -> next hop 192.1 via FastEthernet0/0 When the router receives a packet destined for 192. OSPF sends HELLO packets (packets sent periodically to establish and confirm neighbor relationships between routers) to each router one at a time rather than multicasting them.1. Site: http://ccieblog.1.to-multipoint.168. Reliable Static Routing with Enhanced Object Tracking:OK The Reliable Static Routing Backup Using Object Tracking feature introduces the ability for the Cisco IOS software to use Internet Control Message Protocol (ICMP) pings to identify when a Point-to-Point over Ethernet (PPPoE) or IP Security Protocol (IPSec) Virtual Private Network (VPN) tunnel goes down. The lowest AD will be choosing and when this bring down another AD will bring UP. Traffic from the remote LAN is forwarded to the main office from the primary interface of the remote router. If the connection to the main office is lost. The Reliable Static Routing Backup Using Object Tracking feature is compatible with both preconfigured static routes and Dynamic Host Configuration Protocol (DHCP) configurations. the routing table entry for the primary interface is removed and the preconfigured . allowing the initiation of a backup connection from any alternative port. the status of the tracked object changes from up to down.TIP: Longer prefixes are always preferred over shorter ones when forwarding a packet. Floating Static Routes:OK You can configure two different ways for the same destinations with different AD. When the state of the tracked object changes to down. the routing table entry for the primary interface is reinstalled and the floating static route for the secondary interface is removed Policy Routing:OK Each entry in a route map statement contains a combination of match and set clauses/commands. IP SLA).floating static route is installed on the secondary interface. For each combination of match and set commands in a route map statement. There may be multiple sets of combinations of match and set commands in a full route map statement. The set clauses than explain how the packets should be routed once they have met the match criteria. then those packets are also forwarded through the normal routing channel. All packets received on an interface with policy-based routing enabled are considered for policy-based routing. If the statement is marked as permit and the packets do not meet the match criteria. The match clauses define the criteria for whether appropriate packets meet the particular policy (that is. There are two ways to verify the availability of the next-hop. Traffic is then forwarded to the preconfigured destination from the secondary interface. packets are forwarded/routed to the appropriate next hop. the conditions to be met). If the statement is marked as a deny. When the state of the tracked object changes from down to up. Reliable Policy Routing:OK Reliable Policy Routing can be configured by using the "set ip next-hop verifyavailability" statement in a route-map. all sequential match clauses must be met simultaneously by the packet for the set clauses to be applied. Policy-based routing is applied to incoming packets. One way is to use CDP. destination-based routing is performed). The other way is to use a tracked object (e.g. Based on the criteria defined in the route maps. The router passes the packets through enhanced packet filters called route maps. Only if the statement is marked as permit and the packets meet the match criteria are all the set clauses applied. The route maps statements can also be marked as permit or deny. the packets meeting the match criteria are sent back through the normal forwarding channels (in other words. Packet Capture: . Wireshark_capituras\ICMP_IP_SLA.pcap Verify availability of next-hop using CDP: route-map PBR_FROM_R3 permit 10 match ip address FROM_R3_TO_R4 set ip next-hop 155.1.0.5 set ip next-hop verify-availability set ip default next-hop 155.1.146.4 Verify availability using a tracked object: route-map PBR_FROM_R3 permit 20 match ip address FROM_R3_TO_R5 set ip next-hop verify-availability 155.1.146.4 1 track 1 set ip default next-hop 155.1.0.5 Local Policy Routing:OK Cisco IOS has a special feature called local policy routing, which permits to apply a route-map to local (router-generated) traffic. The first way we can use this feature is to re-circulate local traffic (and force it re-enter the router). Here’s an example. By default, locally-generated packets are not inspected by outgoing access-lists. This may cause issues when local traffic is not being reflected under reflexive access-list entries. Say with configuration like that: ! Reflect all "session-oriented" traffic: ip access-list extended EGRESS permit tcp any any reflect MIRROR permit icmp any any reflect MIRROR permit udp any any reflect MIRROR Evalute the reflected entries ip access-list extended INGRESS evaluate MIRROR permit ospf any any ! interface fast 0/0 ip address 54.1.1.6 255.255.255.0 ip access-group INGRESS in ip access-group EGRESS out You would not be able to telnet out of a router to destinations behind the Fast interface, even though TCP sessions are reflected in access-list. To fix the issue, we may use local-policy to force the local traffic re-enter the router and be inspected by outgoing access-list: ! Redirect local telnet traffic via the Loopback interface ! ip access-list extended LOCAL_TRAFFIC permit tcp any any eq 23 ! route-map LOCAL_POLICY 10 match ip address LOCAL_TRAFFIC set interface Loopback0 ! ! Traffic sent to Loopback interface re-enters the router ! Interface Loopback0 ip address 150.1.6.6 255.255.255.50 Command to apply the local-policy ! ip local policy route-map LOCAL_POLICY With this configuration, local telnet session will re-enter the router and hit the outgoing access-list, thereby triggering a reflected entry. This same idea may be utilized to force CBAC inspection of locally-generated traffic, by since 12.3T there has been a special IOS feature to do this natively. The other useful application of local policy routing is using it for traffic filtering. For example you may want to prohibit outgoing telnet sessions from local router to a certain destination: ip access-list extended BLOCK_TELNET permit tcp any host 150.1.1.1 eq 23 ! route-map LOCAL_POLICY 10 match ip address BLOCK_TELNET set interface Null 0 ! ! Command to apply the local-policy ! ip local policy route-map LOCAL_POLICY ! The syntax is somewhat similar to the vlan access-maps used on Catalyst switches, and similarly the route-map is applied “globally”, i.e. to all router traffic, going out on any interface. Note that you may use the same idea to block incoming session, simply by reversing entries in access-list. (e.g. “permit tcp any eq 23 host 150.1.1.1″). Best of all, with PBR you may apply additional criteria to incoming traffic, e.g. match packet sizes. The last example is the use of local PBR to apply special treatment to management/control plane traffic – e.g. use different output interfaces for out-of-band management. With local PBR you may also apply special marking for control traffic, e.g. selectively assign IP precedence values. ip access-list extended MANAGEMENT_TRAFFIC permit tcp any eq 23 any permit tcp any eq 22 any ! route-map LOCAL_POLICY 10 match ip address MANAGEMENT_TRAFFIC set interface fast 0/1 set ip precedence 7 ip local policy route-map LOCAL_POLICY Keep these simple features in mind, while considering options for you CCIE lab task solution. GRE Tunneling:OK Capture_(IP_GRE_EIGRP): Wireshark_capituras\(IP_GRE_EIGR).pcap Routing Process: ccna.com.net/blog/2012/feb/27/gre-vs-ipip-tunneling/ http://www.com/portal/Technical_Support___Documents/Technical _Documents/Security_Products/H3C_SecPath_F1000E/Configuration/Operation_Manual/H3C_SecPath_HighEnd_OM(F3169_F3207)-5PW106/06/201109/725905_1285_0. keep passenger and transport network routing information disjointed with one of these methods: .h3c.http://blog.htm GRE Tunneling and Recursive Routing:OK Problems with recursive routing can be avoided by configuring appropriate static routes to the tunnel destination. %TUN-RECURDOWN Interface Tunnel 0 temporarily disabled due to recursive routing Solutions: To avoid recursive routing problems.br/2008/12/23/pr-tunelamento-gre-genericrouting-encapsulation/ http://packetlife. This situation will cause the tunnel interface to bounce up and down. A recursive route is when the best path to the "tunnel destination" is through the tunnel itself. You will see the following error when there is a recursive routing problem. pcap Wireshark_capituras\(IP_GRE_EIGR). In fact. ->Use a different routing protocol. a router is automatically considered to be a stub when no IP routing protocols have been configured. This is to combat issue when using a multipoint interface that there is the possibility that end to end connectivity is unavailable but the line protocol remains up as of other active DLCI connected to the multipoint interface.pcap ODR . If the interface has multiple logical IP networks configured. This installation is accomplished without requiring the configuration of an IP routing protocol on the stubs. Wireshark_capituras\(Ping_SRC_IP_Dst_GRE_Backup_interface_). ->Use static routes to override the first hop. from the standpoint of ODR.->Use a different Autonomous System (AS) number or tag. A stub router that supports the ODR feature advertises IP prefixes corresponding to the IP networks configured on all directly connected interfaces. Because ODR advertises IP . We previously used other preferential solution like ip sla or using p2p interfaces but this a legacy version of doing it. only the primary IP network is advertised through ODR. Wireshark_capituras\(IP_GRE_OSPF).pcap GRE Backup Interface / GRE Reliable Backup Interface:OK Today I also looked at using GRE for backup interface specifically using the keep alive feature. but watch for routing loops.On-Demand Routing:OK ODR allows you to easily install IP stub networks where the hubs dynamically maintain routes to the stub networks. I need to know for the exam so I will lab it out. -> You can configure some acl to avoid route back to the tunnel. ODR it is able to carry VLSM information. The hub router also can be configured to redistribute these routes into any configured dynamic IP routing protocols. The stub routers send IP prefixes to the hub router. Configurations: ODR.prefixes and not simply IP network numbers.type) or (text)_ODR. TIP: Be careful that you do not forget CDP enabled.pcap • CCIE R&S v5 Advanced Technology Labs RIP • . ODR supports several settings. ODR uses the Cisco Discovery Protocol to carry minimal routing information between the hub and stub routers. ODR works properly on either broadcast or non-broadcast networks.pdf Packet capture: Wireshark_capituras\(cdp. ODR is not CPU intensive and it consumes very little bandwidth.tlv. ODR is able to carry variablelength subnet mask (VLSM) information. thereby eliminating the need to configure a default route on each stub router. The hub router provides default route information to the stub routers. the hub router begins installing stub network routes in the IP forwarding table. Once ODR is enabled on a hub router. The basic principle is simple: Information about the routing for a particular packet is never sent back in the direction from which it was received.pcap Wireshark_capituras\RIP_Key-chain_com MD5_(rip.auth. RIPv2 Basic Configuration:OK o RIPv2 Authentication ( without and with MD5 ):OK The Key chain is the same for without and with MD5: YOU MUST APPLY IN BOTH DIRECTIONS!!! # key chain RIP key 1 key-string ccie ip rip authentication key-chain RIP # # Without MD5 # # Interface x/x ip rip authentication key-chain RIP # With MD5 # # Interface x/x ip rip authentication key-chain RIP ip rip authentication mode md5 # Wireshark_capituras\RIP_Key-chain_sem MD5_(rip.that is. informing all routers that the path back to the originating node for a particular packet has . Split horizon can be achieved by means of a technique called poison reverse.auth.passwd).pcap RIPv2 Split Horizon:OK Split horizon is a method of preventing a routing loop in a network.passwd). This is the equivalent of route poisoning all possible reverse paths . 0.20.2/32 Router_C(config-router)# *Mar 1 01:03:18.0 in 1 hops *Mar 1 01:03:44. 00:00:03. FastEthernet0/0 .0. Example: RouterA: Loopback: 2.0.3 on FastEthernet0/0 *Mar 1 01:03:18.20.3.0.0 in 1 hops o RIPv2 Auto-Summary:OK R2(config-router)#do sh ip ro rip R 1.0.1.20.519: RIP: sending v2 update to 224.383: RIP: received v2 update from 150.30.0.0 in 2 hops *Mar 1 01:03:18.4) *Mar 1 01:03:25.0.0 in 2 hops *Mar 1 01:03:44.943: RIP: received v2 update from 150.0.391: 2.2.0.3 on FastEthernet0/0 *Mar 1 01:03:44.943: 2.387: 1.2.0.0.10.0.0.0.0.2/32 via 0.0.0.3/32 via 0.0/24 via 0.527: 3.30.2.30.0.2/32 via 0.0.2. metric 1.951: 150.1/32 via 0.1.20.1. Split horizon with poison reverse is more effective than simple split horizon in networks with multiple routing paths.0.3.0/8 [120/1] via 150.0 in 1 hops R4(config-router)# *Mar 1 01:03:25.0.0/8 via 0. tag 0 R4(config-router)# *Mar 1 01:03:44.947: 3.395: 150.523: RIP: build update entries *Mar 1 01:03:25.0.2.0/24 via 0. although it affords no improvement over simple split horizon in networks with only one routing path.0.2. Router B: Loopback: 2.2.9 via FastEthernet0/0 (150.2 /32 .0 in 1 hops *Mar 1 01:03:18.1.an infinite metric.0.2. 1. flushed after 240 Redistributing: rip Default version control: send version 2.3 120 00:00:07 Gateway Distance Last Update 150.0.50.0.0 150.0 150.0.0 150.20. receive version 2 Interface Send Recv Triggered RIP Key-chain FastEthernet0/0 2 2 RIP FastEthernet0/1 2 2 FastEthernet1/1 2 2 Automatic network summarization is in effect Maximum path: 4 Routing for Networks: 2. next due in 13 seconds Invalid after 180 seconds.4 120 03:48:16 Distance: (default is 120) R2(config-router)# RIPv2 Send and Receive Versions:OK Local router ( R1 ) R1(config)#do sh ip pro Routing Protocol is "rip" Outgoing update filter list for all interfaces is not set Incoming update filter list for all interfaces is not set .20.1 120 00:00:08 150.0.20.50.0.0 Passive Interface(s): Loopback2 Routing Information Sources: Gateway Distance Last Update 150. hold down 180.10.R2(config-router)#do sh ip pro Routing Protocol is "rip" Outgoing update filter list for all interfaces is not set Incoming update filter list for all interfaces is not set Sending updates every 30 seconds.10.0. 1.0.Sending updates every 30 seconds.0.0.0 10. hold down 180.0 150. hold down 180.0. next due in 12 seconds Invalid after 180 seconds.0.0. receive version 2 Interface Send Recv Triggered RIP Key-chain FastEthernet0/0 1 2 RIP Automatic network summarization is not in effect Maximum path: 4 Routing for Networks: 1.10.0 66.2 120 00:00:09 Distance: (default is 120) Remote ( R2 ) R2(config-if)#do sh ip pro Routing Protocol is "rip" Outgoing update filter list for all interfaces is not set Incoming update filter list for all interfaces is not set Sending updates every 30 seconds. receive version 2 Interface Send Recv Triggered RIP Key-chain FastEthernet0/0 1 2 1 RIP Automatic network summarization is not in effect Maximum path: 4 Routing for Networks: .10.0 Passive Interface(s): Loopback1 Loopback11 Loopback12 Loopback13 Loopback14 Loopback15 Passive Interface(s): Loopback16 Loopback66 Routing Information Sources: Gateway Distance Last Update 150. next due in 21 seconds Invalid after 180 seconds. flushed after 240 Redistributing: rip Default version control: send version 2.0. flushed after 240 Redistributing: rip Default version control: send version 2. 0000001.0 255.0 150.1 Binary: 00000001.10.1.6.2.1 120 00:00:21 Distance: (default is 120) Wireshark_capituras\(rip.20.4.1.0 150.0.00000000 Address: 1.2.0 R2 receved ip route update from R1: R2(config-if)#do sh ip ro rip .0 150.0/21 Command applications! Interface x/x Ip summary rip 1.1 Binary: 00000001.1.3.00000010.5.00000000 Final IP summary: 1.0000001.50.1.00000110.0 Passive Interface(s): Loopback2 Routing Information Sources: Gateway Distance Last Update 150.255.10.00000000 Address: 1.0000001.1.pcap RIPv2 Manual Summarization:OK 128 64 32 16 8 4 2 1 Address: 1.1.00000101.0.00000000 Address: 1.version)_V1 and V2_Filter.00000011.248.1.0.2.0.1 Binary: 00000001.0000001.2.0000001.0.1.00000100.1 Binary: 00000001.00000000 Address: 1.1 Binary: 00000001. R 1.0-21. flushed after 240 Redistributing: rip Default version control: send version 2.0 150.1.0.2.255 # router rip version 2 passive-interface Loopback3 offset-list filter in 16 FastEthernet0/0 # R3(config-router)#do sh ip prot Routing Protocol is "rip" Outgoing update filter list for all interfaces is not set Incoming update filter list for all interfaces is not set Incoming routes in FastEthernet0/0 will have 16 added to metric if on list filter Sending updates every 30 seconds.0.0.pcap o RIPv2 Convergence Timers:OK o RIPv2 Offset List:OK TIP: R3(config-router)#offset-list filter in 16 fastEthernet 0/0 Access-list type conflicts with prior definition % This command only accepts named standard IP access-lists.0 Passive Interface(s): .0/21 is subnetted. FastEthernet0/0 Wireshark_capituras\RIP_Summary address_1.0 150.0.20.1.30.1.50.0.1.0 0. hold down 180. # ip access-list standard filter permit 150.0 [120/1] via 150.0.10.0.0.0. receive version 2 Interface Send Recv Triggered RIP Key-chain FastEthernet0/0 2 2 FastEthernet0/1 2 2 Automatic network summarization is not in effect Maximum path: 4 Routing for Networks: 3. 00:00:11.0. next due in 26 seconds Invalid after 180 seconds. 1 subnets 1. 10.0/24 via 0.0. Topology: R2 (f1/1) (f1/1) R4 R2(config-router)#do sh ip prot .719: 1.0.0/24 via 0.20.0.0.50.4 120 00:00:02 Gateway Distance Last Update 150.20.0.0/21 via 0.0 in 3 hops *Mar 1 00:47:00.0 in 2 hops *Mar 1 00:47:00.0.2 on FastEthernet0/1 *Mar 1 00:47:00.2/32 via 0.Loopback3 Routing Information Sources: Gateway Distance Last Update 150.4/32 via 0.0 in 2 hops *Mar 1 00:47:00.0.20.743: 150.0.4.255 (46 matches) RIPv2 Filtering with Passive Interface:OK Updates from R2 interfaces F1/1 to R4.0.0 in 1 hops *Mar 1 00:47:00.2.0.0 in 2 hops *Mar 1 00:47:00.0.355: 150.719: RIP: received v2 update from 150.255 R3(config)# R3(config)# R3(config)#do sh access-list Standard IP access list filter 10 permit 150.1.739: 150.0.50.0 in 3 hops *Mar 1 00:47:00.2.0 in 17 hops (inaccessible) R3(config)#do sh run | se access-list ip access-list standard filter permit 150.30.2 120 00:00:00 Distance: (default is 120) Log: R3(config-router)#do deb ip rip *Mar 1 00:47:00.0.0.0.347: 4.0.347: RIP: received v2 update from 150.0.723: 2.4. wildcard bits 0.0.30.0.1.0.0.0.727: 4. You can see below the R4 only received updated from R2(interface f1/1) and another interface send and received update( Interface f0/0).0.4.1/32 via 0.20.0 0.30.50.0.0/24 via 0.731: 10.4 on FastEthernet0/0 *Mar 1 00:47:00.0.1.0 in 2 hops *Mar 1 00:47:00.10.4.0.0.4/32 via 0.0. 203: 33.3.30.0.33/32 via 0.0.0.171: 3.0 150.199: 10.3/32 via 0. tag 0 *Mar 1 01:15:01.10.0. receive version 2 Interface Send Recv Triggered RIP Key-chain FastEthernet0/0 2 2 RIP FastEthernet0/1 2 2 Loopback33 2 2 Automatic network summarization is not in effect Maximum path: 4 Routing for Networks: 2.0/24 via 0.33.0.2.1.0.0.0. flushed after 240 Redistributing: rip Default version control: send version 2.0 in 2 hops .0.33.50.0.3 120 00:00:23 150.0.20.9 via FastEthernet1/1 (150.0.171: 4.0.0.4.0.0.191: 1.0.0.0 in 3 hops *Mar 1 01:15:01.0.0.171: 150.0.10.4/32 via 0.4) *Mar 1 01:15:01.199: 3.0.0.0 150.0.Routing Protocol is "rip" Outgoing update filter list for all interfaces is not set Incoming update filter list for all interfaces is not set Sending updates every 30 seconds.1 120 00:00:24 150. tag 0 *Mar 1 01:15:01.191: RIP: received v2 update from 150. next due in 25 seconds Invalid after 180 seconds.2.0 150.2/32 via 0.0 Passive Interface(s): FastEthernet1/1 Loopback2 Routing Information Sources: Gateway Distance Last Update 150.3/32 via 0.1.10.0.1/32 via 0. hold down 180.171: RIP: build update entries *Mar 1 01:15:01.0. tag 0 *Mar 1 01:15:01.50.0. metric 1.0 33.20.3 on FastEthernet0/0 *Mar 1 01:15:01.0 in 1 hops *Mar 1 01:15:01.3.4.3.0 in 3 hops *Mar 1 01:15:01.0.0 in 2 hops *Mar 1 01:15:01.50. metric 1.0.20.0.3.4 120 00:00:15 Distance: (default is 120) R4(config)#do deb ip rip *Mar 1 01:15:01.0.0/21 via 0.30.0.0.1. metric 2.167: RIP: sending v2 update to 224.195: 2. 0.1.0.5.0/21 via 0.0.0. metric 2.1. tag 0 *Mar 1 01:15:18.0.66.0.0.0.0. tag 0 *Mar 1 01:15:18.0 in 3 hops *Mar 1 01:15:01.1. tag 0 *Mar 1 01:15:18.0/24 via 0.0 in 3 hops *Mar 1 01:15:30.30.679: 150.3.0/24 via 0.0.20.4.5.0.0.0 in 2 hops RIPv2 Filtering with Prefix-Lists:OK R1 won’t advertise 1.0.50.671: 10.2.0.0.3.795: 4.0.0.4/32 via 0.9 via FastEthernet1/1 (150.10.0. tag 0 *Mar 1 01:15:30.33.0.667: 4.0/24 via 0.10.827: 150.0 in 1 hops *Mar 1 01:15:01. metric 1.50.0 in 3 hops *Mar 1 01:15:30.1/32 ip prefix-list R1_to_R2 seq 15 permit 0.0 in 2 hops *Mar 1 01:15:30.679: 150.0.4.0.50.215: 150.0.0.0.0.0.0.0.827: 10.0/24 via 0. metric 3.0.0.0.0.33.0.0.1.4.0/24 via 0.0 in 3 hops *Mar 1 01:15:30.3/32 via 0.1. tag 0 *Mar 1 01:15:18.827: 150.3 on FastEthernet0/0 *Mar 1 01:15:30. metric 2.0 in 1 hops *Mar 1 01:15:30.0 in 2 hops *Mar 1 01:15:01.66.0.0.0.1.0/24 via 0.827: 150.0.0.2/32 via 0. tag 0 *Mar 1 01:15:26.0.675: 33.0.0.10. metric 1.4) *Mar 1 01:15:26.0.0/24 via 0. tag 0 *Mar 1 01:15:26.659: RIP: build update entries *Mar 1 01:15:18.20. tag 0 *Mar 1 01:15:26.211: 150.0.215: 150.3.0.1/32 to R2.0.0/24 via 0. tag 0 *Mar 1 01:15:18.4/32 via 0.799: 150.2.675: 66.0 in 1 hops *Mar 1 01:15:30.0.2.0.0.0. Topology: R1 R2 R1(config)#do sh run | se ip prefix ip prefix-list R1_to_R2 seq 5 deny 1.791: 3.0.33.0.0 in 2 hops *Mar 1 01:15:30.1/32 via 0. tag 0 *Mar 1 01:15:18.0.0. metric 2.0/24 via 0.0 in 2 hops *Mar 1 01:15:18.2.0.0.815: RIP: received v2 update from 150.0.66.0.659: 1.1/32 via 0.0.791: RIP: build update entries *Mar 1 01:15:26.0.1.4) *Mar 1 01:15:18.0.0/24 via 0.0.10.1/32 ip prefix-list R1_to_R2 seq 10 deny 1.50.787: RIP: sending v2 update to 224.663: 2.1.1/32 and 1. metric 2.66.0.0/24 via 0.0.4.0.0.827: 33.20.33/32 via 0.20.815: 1.3.33/32 via 0.*Mar 1 01:15:01.2/32 via 0. metric 3.10.0.655: RIP: sending v2 update to 224.2.823: 3.30.0.0.0.33.2.207: 66.0.827: 66.1. metric 3.1.819: 2.0/24 via 0.30. metric 1.0.0.66.0/0 ge 32 .66.3/32 via 0.0/21 via 0.9 via FastEthernet0/0 (150.1.0 in 2 hops *Mar 1 01:15:30.0. tag 0 *Mar 1 01:15:18. metric 1. 0.1/32 from R1.10.1.1.1 [120/1] via 150.0/32 is subnetted.1 [120/1] via 150.10. 00:00:01. 6 subnets R 1. 00:00:07.1. 00:00:07. FastEthernet0/0 R 10. 00:00:10.1.1.1.# # R1(config)#do sh run | sec router rip router rip version 2 passive-interface Loopback1 network 1.1.1.10. FastEthernet0/0 R 1.1 [120/1] via 150. FastEthernet0/0 FastEthernet0/0 FastEthernet0/0 FastEthernet0/0 .1 1.1 [120/1] via 150.1.1.0.1.1.1.1.1. 00:00:10. R 1. FastEthernet0/0 R2(config-router)# R2(config-router)#do cle ip ro * R2(config-router)# R2(config-router)#do sh ip rou rip | in 1. 00:00:07.1. FastEthernet0/0 R 1. R 1.1 [120/1] via 150.10.1. R 1.10.1 [120/1] via 150.10.1.10. 00:00:01.1. 00:00:01.1.10.1.1. FastEthernet0/0 R 1.3.1.5.1 [120/1] via 150.1.1 [120/1] via 150.3.1.1.1.10.0. 00:00:01. 00:00:01.1 [120/1] via 150.1.1.1. 00:00:07.1.0.0/32 is subnetted.1.1.0.2.1.0 distribute-list prefix R1_to_R2 in FastEthernet0/0 no auto-summary # R2(config-router)#do sh ip ro rip | in 1.10.10.1.1.1.1.6.1.10. 00:00:01. R2(config-router)#do sh ip rou rip 1.4.1 [120/1] via 150.1.6.2.3.1.1.1 [120/1] via 150.6. FastEthernet0/0 R 1.1 [120/1] via 150. 00:00:07.1. 6 subnets R 1. R 1. FastEthernet0/0 R 1.5.1.1 [120/1] via 150.10.0. 00:00:10.10.1.1.1.10.0.4.1 [120/1] via 150.1. FastEthernet0/0 RIPv2 Filtering with Standard Access-Lists:OK Topology: R1 R2 R2 received updated 1.1. FastEthernet0/0 R 1. FastEthernet0/0 R 1. 00:00:10. FastEthernet0/0 R 1.10.1 [120/1] via 150.1.10.0 network 150. 0.3.6. FastEthernet0/0 R 1.1.1.0/32 is subnetted.1.1.1. Topology: R1 R2 .0.1.1 1.5. the "destination" is the prefix to permit or deny.0.1 access-list 1 permit any R2(config)# R2(config)#do sh run | be router rip router rip version 2 passive-interface Loopback2 network 2.1.1.1 [120/1] via 150.10. 00:00:10.0.10.1. 00:00:01.0 network 150. 00:00:10.1.0.1.10.1.1 [120/1] via 150. 00:00:01. FastEthernet0/0 R 1.0 distribute-list 1 in FastEthernet0/0 no auto-summary R2(config-router)# R2(config-router)#do sh ip rout rip | in 1.1 [120/1] via 150.6.10. 5 subnets R 1.1 [120/1] via 150.1.0.10. 00:00:01.4.0 network 33. FastEthernet0/0 R2(config-router)# R2(config-router)#do sh access-list Standard IP access list 1 10 deny 1.1 [120/1] via 150.1.1.1. FastEthernet0/0 R 1.2. FastEthernet0/0 R 1. 00:00:01.10.10.1.R 1. FastEthernet0/0 # # R2(config)#do sh run | se access-list access-list 1 deny 1.1.1. the logic is a little bit different: the "source" in the access-list is the ip of the advertising router.50.0.1.0.0.1 [120/1] via 150.20.1.1.1 (6 matches) 20 permit any (42 matches) # RIPv2 Filtering with Extended Access-Lists:OK If we try to use extended access-lists.1.0 network 150. FastEthernet0/0 R 1.1.6.0 network 150.4.1 [120/1] via 150. 00:00:01.10. 10.10.1 host 1.0/32 is subnetted.1.1 [120/1] via 150.1.1.1.0 access-list 1 deny 150.66.6.0.1 [120/1] via 150.2. 00:00:20.0.3.5.1.6.1 (6 matches) 20 permit ip any any (7 matches) # # R2(config)#do sh ip ro rip 1.0.50.1.0 network 150. FastEthernet0/0 R 1.# access-list 100 deny ip host 150.10. 00:00:20.0. FastEthernet0/0 # o RIPv2 Filtering with Offset Lists:OK Topology: R2 R3 R2(config-router)#do sh run | se access-list access-list 1 deny 1.1.10.0 network 150. FastEthernet0/0 R 1.1.1 access-list 1 deny 1.0 distribute-list 100 in FastEthernet0/0 # # R2(config)#do sh access-list Extended IP access list 100 10 deny ip host 150.1 [120/1] via 150.1.66.0.0.2.1.1.0 R2(config-router)# do sh run | sec router rip router rip .1 access-list 100 permit ip any any # router rip version 2 network 2.1 [120/1] via 150.0.10.1.10.1 access-list 1 permit 1. 5 subnets R 1. FastEthernet0/0 R 1.1.1.10.1 access-list 1 deny 1.0 network 150. 00:00:20.1.1. 00:00:20.1 access-list 1 deny 1.1.1.1.4. FastEthernet0/0 R 1.20.1.5.1 access-list 1 deny 66.1.1.1.1.10.1 [120/1] via 150.4.1 host 1.10.1.1.1 access-list 1 deny 1. 00:00:20.3.3.1.1. O . L2 .0.0 network 150.10.1.periodic downloaded static route Gateway of last resort is not set 1. EX .IS-IS level-2 ia .0 1 # R2(config-router)#do sh run | se access-list access-list 1 deny 2. P . S . L1 .mobile.2.IS-IS.0. E2 .50.0.connected.0. N2 .IS-IS summary.0 in 16 hops (inaccessible) RIPv2 Filtering with Administrative Distance:OK Topology: R1 R2 # router rip version 2 network 2.10.1/32 via 0. IA .0 network 150.0. M .2.EIGRP external.0.IS-IS inter area.BGP D .static.50.1 0.OSPF. R .0 network 150.0/32 is subnetted.RIP.0 network 150.6.0.20. U .EIGRP.20.0.IS-IS level-1.OSPF external type 2 i .OSPF NSSA external type 1.2 on FastEthernet0/1 *Mar 1 00:15:49.0 distance 200 150.0 no auto-summary R2(config-router)# R3(config)#do deb ip rip *Mar 1 00:15:49.per-user static route o .20. B .10.version 2 offset-list 1 out 15 FastEthernet0/1 network 2.0. * .OSPF inter area N1 .0.0. 5 subnets .0.1.candidate default.867: RIP: received v2 update from 150.OSPF external type 1. su .ODR.0 network 150.0 network 150.20.2 access-list 1 permit any # R2(config-router)#do sh ip ro Codes: C .0.0.OSPF NSSA external type 2 E1 .867: 1.0.0. 1.1.4.0 is directly connected.0 network 150.0.1.1.0.1.0. FastEthernet0/0 R2(config-router)# R2(config-router)# R2(config-router)#do sh access-list Standard IP access list 1 10 deny 2.1 # router rip version 2 network 2. 00:00:13.1.1 [200/1] via 150.5. FastEthernet0/0 1.50.1.1 access-list 1 permit 1.2.10.2.1.1. 00:00:13.1.10.0/32 is subnetted.1 0.10.1 [200/1] via 150.0.0 network 150. Loopback2 10.0 distance 250 150. 00:00:13.10.1. 1 subnets C 150.2.0 network 150.2. 1 subnets C 2.1 [200/1] via 150. FastEthernet0/0 2. FastEthernet0/0 1.1 [200/1] via 150.0.2 is directly connected.0. FastEthernet0/0 1.1.1.10.10.1.10.1.2. FastEthernet0/0 1.20.6.1 [200/1] via 150.0/32 is subnetted.0.1.0 1 # R2(config)#do sh ip prot Routing Protocol is "rip" Outgoing update filter list for all interfaces is not set . 00:00:13.2 20 permit any (48 matches) # o RIPv2 Filtering with Per-Neighbor AD:OK # access-list 1 permit 1.0.1.0.0.1.1.10.1. 00:00:13.1.R R R R R 1.5.0. FastEthernet0/0 R 1.0 150.1 [120/1] via 150. 00:00:13.0.2. 00:00:13.10. FastEthernet0/0 10.1. FastEthernet0/0 R 1.1.10.1.0/32 is subnetted.1. 00:00:13.10. hold down 180. 6 subnets R 1.0 250 1 R2(config)# R2(config)#do sh ip ro rip 1. FastEthernet0/0 R 1. FastEthernet0/0 R 1.0.0. FastEthernet0/0 R 1.1.1. 00:00:13.0.50. receive version 2 Interface Send Recv Triggered RIP Key-chain FastEthernet0/0 2 2 RIP FastEthernet0/1 2 2 FastEthernet1/1 2 2 Loopback2 2 2 Automatic network summarization is in effect Maximum path: 4 Routing for Networks: 2.1 250 00:00:01 Distance: (default is 120) Address Wild mask Distance List 150.10.0 Routing Information Sources: Gateway Distance Last Update 150. next due in 24 seconds Invalid after 180 seconds.1 [250/1] via 150.0.0 150.10.0.1.1 [120/1] via 150.1. 00:00:13.10. flushed after 240 Redistributing: rip Default version control: send version 2.1.10.1.0/32 is subnetted.1.1.1.1 [120/1] via 150.3. 00:00:13.1.1.0.5.1.6.1.0.1 [120/1] via 150.10.1.0 150. FastEthernet0/0 R2(config)# RIPv2 Default Routing Topology: R1 R2 R3 . 1 subnets R 10. 00:00:13.0.20.Incoming update filter list for all interfaces is not set Sending updates every 30 seconds.10.10.0.10.1.1 [120/1] via 150.1 0.1.4.1.1.1.1.1 [250/1] via 150.0. S .0. E2 .OSPF external type 1.periodic downloaded static route Gateway of last resort is 1.OSPF external type 2 i .0 no auto-summary # R2(config-if)#do sh ip ro Codes: C .pcap Configurations: R1: R1(config-router)#do sh run | sec router rip router rip version 2 network 1. su .0.0.0 . M . IA .OSPF.0.IS-IS.IS-IS inter area.static.IS-IS summary. Advertising a default route via RIP is done by a single command that is executed in RIP router configuration mode.EIGRP.0.1 to network 0.EIGRP external.OSPF NSSA external type 1. P .2.0.ODR.OSPF inter area N1 .0 network 2. EX .candidate default.0 default-information originate no auto-summary R1(config-router)# R2(config-router)#do sh run | sec router rip router rip version 2 network 1. U .0. L2 .0. N2 . Utilizing this type of configuration can a company money due to the man hours required to configure a static default route on each and every router and/or switch in the network and that does not include general router/switch maintenance. O .per-user static route o .0.mobile.0 network 99.IS-IS level-2 ia .0.IS-IS level-1. R . L1 .OSPF NSSA external type 2 E1 .RIP has a built in feature in which allows it to advertise a default route to its direct neighbors which will propagate throughout the entire RIP routing domain.connected. * .RIP. B . This command is default-information originate Wireshark_capituras\RIP_default-information_route_receveid from R1 do R3(r1-r2-r3).1.BGP D . 0.EIGRP external.1.0/8 is variably subnetted.0. 00:00:24. FastEthernet0/1 2.0.3. 00:00:23.1.0.0.1.2. FastEthernet0/0 R3(config-router)#do sh run | sec router rip router rip version 2 network 1.1.OSPF.2. FastEthernet0/1 C 1.OSPF NSSA external type 2 E1 .0/0 [120/1] via 1.2.3.0/24 [120/1] via 1.1.1.0/32 is subnetted.3.1.RIP.3.1.0. 1 subnets R 99.1.0/24 is directly connected.1.1.IS-IS inter area.OSPF NSSA external type 1.0.OSPF inter area N1 . 2 masks R 1.0. 00:00:08.2.1. Loopback3 99.2 [120/1] via 1.0.2.0/32 is subnetted.0/8 is variably subnetted.0.1. B .1.0.2. su .mobile.candidate default. FastEthernet0/1 R* 0. R . FastEthernet0/1 .3. FastEthernet0/1 R 1.0/32 is subnetted.0. 00:00:09.0/32 is subnetted.0.3. 00:00:01.3. FastEthernet0/0 C 1. 00:00:03.0/24 [120/1] via 1. 00:00:23. S . FastEthernet0/1 R 1. * . FastEthernet0/1 3.0/24 is directly connected.2. P .3.1.connected.0.99. 4 subnets. 1 subnets R 2.periodic downloaded static route Gateway of last resort is 1. Loopback2 R 3.0 no auto-summary R3(config-router)# R3(config-router)# R3(config-router)#do sh ip ro Codes: C .1. FastEthernet1/0 [120/1] via 1.3.1.1.2 to network 0.EIGRP.0.10.IS-IS level-1.1. 4 subnets. EX .static.3.0.2.0/0 [120/2] via 1. L1 .0.0.3. U . N2 . 1 subnets C 2.IS-IS summary.IS-IS.99.2.2.0. 00:00:24.2.2.10.1.0/24 is directly connected. M . FastEthernet0/0 2.10/32 [120/2] via 1. 1 subnets C 3.2.per-user static route o .0/24 is directly connected. E2 .0/8 [120/1] via 1.ODR.1.IS-IS level-2 ia .1.1.0 network 3.OSPF external type 2 i . 00:00:23.10. O .0.3 is directly connected.BGP D .OSPF external type 1.2 is directly connected.0. FastEthernet0/1 R 1.1. FastEthernet1/0 [120/1] via 1. L2 .99 [120/2] via 1. 2 masks C 1. 00:00:23. IA . 00:00:04.3. FastEthernet0/1 R* 0.10.0.1. FastEthernet1/0 C 1.0.3.0.1.10/32 [120/1] via 1.2.0 1.1. 2 source-interface Loopback1 timeout 1000 frequency 2 # .0.69.0.0 network 10.0.255 Null0 track 1 # ip prefix-list ccie seq 10 permit 69.255. For me it was a little bit confusing at the beginning because the route-map is used in a non-standard fashion in our case.0 default-information originate route-map filter no auto-summary # route-map filter permit 10 set interface FastEthernet0/0 # RIPv2 Reliable Conditional Default Routing:OK Well now the last thing is that we can add “reliable” information to our routemap. RIPv2 Conditional Default Routing:OK Ok same thing like in 3) but we will specify and exit interface where the route-map is sent out. # router rip network 1. All other interfaces are denied then.255.69.0.69.69/32 # ip sla 1 icmp-echo 2.2.69 255. We will first need to configure a route map where we declare the interface where the default route should be sent out. # ip route 69.69. With reliable here we want to actively track some cases. what I am going to do now is I will actively track the loopback of R2 (could be of course any other ip address) with icmp echoes and will inject a default route into the rip domain as long as R2s loopback is available.2. To do this we use the IOS feature called IP SLA. With the conditions we used in 5) we can only take care of conditions that are brought to us by routing-protocols etc. A RIP Passive Interface in a nut shell prevents the RIP routing process from sending multicast/broadcast updates out a specified interface. you must utilize a feature called “Passive Interface”. If you configure a static neighbor. So with that in mind.0. R1 R2 There is however another advantage to configuring RIP with static neighbor relationships which is added security but there is one catch!!! By default RIPv2 will send multicast updates out all interfaces specified within the range of the network command. Keep in mind a Passive Interface DOES NOT block multicast/broadcast updates therefore the router would still process received RIP updates. not only will that router send updates via unicast to that neighbor out the respected link. A RIP Passive interface however does not block unicast updates. it’s quite common in secure networks the passive interface feature will be utilized on all interfaces and the neighbors will statically be configured to prevent RIP route snooping via Wireshark. It will also send multicast updates out the same link as well.0.0 network 10.0.0 default-information originate route-map filter_reliable no auto-summary # RIPv2 Unicast Updates:OK Topologia.ip sla schedule 1 life forever start-time now # track 1 rtr 1 # route-map filter_reliable permit 10 match ip address prefix-list ccie # router rip version 2 passive-interface Loopback1 network 1. . To prevent this from happening.0. 1 neighbor 10.0 in 1 hops *Mar 1 00:11:18.20.0.10.10.2 on Serial0/1 *Mar 1 00:11:18.20.10.0 in 1 hops *Mar 1 00:11:18.0.743: 10.20.20.735: 20.2 on Serial0/0 *Mar 1 00:11:18.0.0.0.10.2 no auto-summary R2(config-router)#do sh run | se router rip router rip version 2 passive-interface Serial0/0 passive-interface Serial0/1 passive-interface Loopback2 network 2.2.2/32 via 0.735: 20.739: 2.10.0.0/24 via 0.0.1 no auto-summary R1(config-router)# *Mar 1 00:11:18.2.10.0.0 in 1 hops *Mar 1 00:11:18.739: 10.10.0.0.1/32 via 0.0 neighbor 20.2 via Serial0/0 (10.0 in 1 hops *Mar 1 00:11:18.0 network 20.587: RIP: sending v2 update to 10.0.0 network 20.10.10.0.0.10.20.0 in 1 hops *Mar 1 00:11:18.20.0.0.735: 2.0/24 via 0.10.0.0.0.0 neighbor 20.0 network 10.731: RIP: received v2 update from 10.10.0.0 network 10.0 in 1 hops R1(config-router)# *Mar 1 00:11:37.2/32 via 0.10.20.0.1/32 via 0.739: RIP: received v2 update from 20.1) .0.0.20.20.20.0.Configurations: R1(config-router)#do sh run | sec router rip router rip version 2 passive-interface Serial0/0 passive-interface Serial0/1 passive-interface Loopback1 network 1.2.2 neighbor 10.2.0.10. 0. metric 1.0.1.419: 1.0/24 via 0.0.1.0. metric 1.0.20. metric 1.223: 10.587: RIP: build update entries *Mar 1 00:11:37.1/32 via 0. tag 0 *Mar 1 00:02:20.0.0.3.1.591: 20.10. tag 0 R1(config-if)# *Mar 1 00:02:26.591: 1.0.1. tag 0 *Mar 1 00:02:20.2/32 via 0. metric 1.2 on FastEthernet0/0 *Mar 1 00:02:26.20.611: 66.0.1.0.10. tag 0 *Mar 1 00:02:20.411: RIP: sending v2 update to 255.0.0. tag 0 .0.611: 10.0.4.0/8 via 0.1.0.831: RIP: received v2 update from 150.0.10.3.599: 1.1.10.1/32 via 0.20.0. tag 0 R1(config-router)# *Mar 1 00:11:39. metric 1.0.0.0 in 1 hops R1(config)# R1(config)#interface fas 0/0 R1(config-if)#ip rip v2-broadcast R1(config-if)# *Mar 1 00:02:50. metric 1.0.0.0.1/32 via 0.0.1/32 via 0.0.5.415: 1.587: 1.0.0.1.10.1/32 via 0. tag 0 *Mar 1 00:11:37. metric 1.0.9 via FastEthernet0/0 (150. tag 0 o RIPv2 Broadcast Updates:OK R1(config-if)# R1(config-if)# *Mar 1 00:02:20.0.219: 1.0/24 via 0.0.255.219: RIP: sending v2 update to 20.0. tag 0 *Mar 1 00:11:37.1/32 via 0.20.0.1) *Mar 1 00:02:20. metric 1.1.1/32 via 0. metric 1. metric 1.607: 1.835: 2.10.1/32 via 0. metric 1.255.0.0. metric 1.0.1.591: 20. tag 0 *Mar 1 00:02:20.1.1. tag 0 *Mar 1 00:02:20.0.603: 1.255 via FastEthernet0/0 (150.219: RIP: build update entries *Mar 1 00:11:39.1/32 via 0.2 via Serial0/1 (20.415: RIP: build update entries *Mar 1 00:02:50.0.20.0.0.66.223: 10.1.0.1) *Mar 1 00:02:50.20.0.0.0.0.1) *Mar 1 00:11:39.1. metric 1.1/32 via 0.2. tag 0 *Mar 1 00:11:39.0.1/32 via 0. tag 0 *Mar 1 00:02:20.66.1.0.831: RIP: received packet with MD5 authentication *Mar 1 00:02:26. tag 0 *Mar 1 00:02:50.2/32 via 0. metric 1.0.591: RIP: build update entries *Mar 1 00:02:20.419: 1.0.0.20. metric 1.595: 1.0.0.0. metric 1.599: 1. tag 0 *Mar 1 00:02:50.587: RIP: sending v2 update to 224. tag 0 *Mar 1 00:02:20.1/32 via 0.0.1.0.1.10.0.0.6.1.20.*Mar 1 00:11:37. tag 0 *Mar 1 00:11:39.2. metric 1.0/24 via 0.10.0.0.1. metric 1.255.0. metric 1.0.1.66.1/32 via 0.4.535: RIP: received packet with MD5 authentication *Mar 1 00:02:53.0.0.1.0.1/32 via 0.11.0.0.10.2 on FastEthernet0/0 *Mar 1 00:02:53.0.11.0.535: RIP: received v2 update from 150.0/24 via 0.419: 10.0.0 encapsulation ppp clock rate 2000000 .0. tag 0 *Mar 1 00:02:50.1 255.1. tag 0 *Mar 1 00:02:50.0.0.0 in 1 hops R1(config-if)# RIPv2 Source Validation:OK Use the no validate update-source interface command if the neighbor is speaking to the router using an IP not on the local subnet (secondary address is an example) Topologia.5. metric 1.419: 1.1/32 via 0.419: 66.0. R1 R2 R1: # interface Serial0/0 ip address 11. tag 0 R1(config-if)# *Mar 1 00:02:53.419: 1.*Mar 1 00:02:50.0.10.0/8 via 0.0.419: 1. tag 0 *Mar 1 00:02:50.0. metric 1. metric 1.1/32 via 0.255.6.1.0.66.1.0. tag 0 *Mar 1 00:02:50.539: 2. 10.255.0.10.0.2 255.255.0 no auto-summary R1(config-router)# # R1(config-router)# no validate-update-source R1(config-router)#do sh run | se router rip router rip version 2 no validate-update-source network 0.2 on Serial0/0 *Mar 1 01:11:17.0.847: RIP: ignored v2 update from bad source 10.0.10.10.10.0.467: 2.0.0 no auto-summary R1(config-router)# YOU must configure this feature in both directions!!! LOGS *Mar 1 01:11:17.2.2.0 in 1 hops R1(config-router)# .2/32 via 0.10.end # R2: # interface Serial0/0 ip address 10.0 encapsulation ppp clock rate 2000000 end # R1(config)#router rip R1(config-router)#validate-update-source *Mar 1 01:09:52.463: RIP: received v2 update from 10.2 on Serial0/0 # R1(config-router)#do sh run | se router rip router rip version 2 validate-update-source network 0. 0.periodic downloaded static route Gateway of last resort is not set 1.static.11. P .1.11.0. E2 .0.BGP D .0.OSPF NSSA external type 1.mobile. S .OSPF external type 1. N2 .IS-IS inter area. EX .OSPF.candidate default.0.11. 1 subnets C 10.1/32 via 0. R .IS-IS level-1.479: RIP: sending v2 update to 224.IS-IS summary.2 [120/1] via 10.0/32 is subnetted.1 is directly connected.2.11.0. E2 .per-user static route o .2. P . L2 . 00:00:26 2.1.OSPF NSSA external type 2 E1 . U .1.1) *Mar 1 01:11:24.EIGRP external. Loopback1 2.static.11.0/32 is subnetted.10. IA .0. M .OSPF external type 1.OSPF.candidate default.periodic downloaded static route Gateway of last resort is not set 1.10.0.479: 1. 00:00:24 10.OSPF external type 2 i .EIGRP.0/24 is subnetted.2 is directly connected. O .connected.0. IA .*Mar 1 01:11:24.0/32 is subnetted.IS-IS inter area. B .0.OSPF external type 2 i .0. tag 0 # R1(config-router)#do sh ip ro Codes: C . 1 subnets C 2.OSPF inter area N1 . U . Serial0/0 R1(config-router)# ============================================== ============================ R2(config-router)#do sh ip ro Codes: C .0 is directly connected.OSPF NSSA external type 1.OSPF inter area N1 .connected.IS-IS level-1. Loopback2 . 1 subnets R 1. * .10.0. L1 . O . * .0.ODR. R .EIGRP.EIGRP external. 1 subnets C 1.0. N2 . L1 .1.OSPF NSSA external type 2 E1 . Serial0/0 11.1.2. S . L2 .IS-IS level-2 ia .IS-IS summary.479: RIP: build update entries *Mar 1 01:11:24.mobile.0/32 is subnetted.RIP. EX . metric 1. 1 subnets R 2.per-user static route o . su .BGP D .10.1.1 [120/1] via 11. 1 subnets C 11.IS-IS level-2 ia .11.IS-IS.0.0.ODR.0/32 is subnetted.0.IS-IS.2. M .9 via Serial0/0 (11.RIP. su .1. B .2 is directly connected.2. The RIP process operates from UDP port 520.10.com/site/plan4ccie/config-template-vol1/01-inevol1-outline/lab04-rip Things you must never forget about RIP.10.pdf Convergence in RIP Internetworks: http://technet. The metric used by RIP is hop count. .11.10.0/24 is subnetted. 2.com/en-us/library/cc940478.0/32 is subnetted. 1 subnets C 10.0. Serial0/0 RIP_commands. Serial0/0 11.0.aspx https://sites.0.0.microsoft. 1 subnets C 11.google.0 is directly connected. 1.1 is directly connected. with 1 signifying a directly connected network of the advertising router and 16 signifying an unreachable network.11. “default-information originate” command advertises a default route even if a default route does not exist in the routing table.0.g. distribute-list inbound filtering. 12. The additional “passive-interface” command is required to accomplish this.0. it can use a standard access list. With RIP. 5. With RIP. and (2) this classful network is in the local router’s IP routing table. 10. Possible solutions are static default route to Null0.Route feedback may also occur when generating a default route using “default-information originate” as RIP does not need to have a default route installed in the routing table. Default route can be advertised in the RIP domain several ways: e. Only one summary address can be configured for each classful subnet. (2) “default-information originate” command. 13. 8. OSPF. “ip default-network” command will work only if (1) the network specified in the command is a classful network. Extended ACLs when called as distribute-list in IGP have a different meaning than in redistribution or as in BGP.0. In BGP . distribute-list inbound filtering of default route. “ip default-network” command will work only if (1) the network address is a classful network that is not directly connected. Possible solutions are static route to Null0. Unlike EIGRP the key numbers do not need to match for RIP authentication. In RIP. 6. RIP sends periodic updates every 30 seconds minus a small random variable that prevents the updates of neighboring routers from becoming synchronized. and BGP. 11. via any means. 9. route feedback may occur when generating summaries because RIP does not generate a route to Null0 like EIGRP. and (3) “ip default-network” command. The route map referenced in this command cannot use an extended access list. and (2) the router must have a directly connected interface onto the specified classful network. (1) static route to 0. 7. 4.Supernet advertisement (advertising any network prefix less than its classful major network) is not allowed in RIP route summarization (“ip summary-address rip …”).3. Unlike EIGRP the “neighbor” command under RIP process does not automatically suppress the sending of broadcast or multicast updates. with the “redistribute static” command. updates might not be sourced by the secondary address. 19.3 host 155.”) is used on Cisco routers to delay the initiation of RIPv2 neighbor sessions until the network connectivity between the neighbor routers is fully operational. CCIE R&S v5 Advanced Technology Labs – EIGRP • . 14..0. In IGP distribute-list the “source” field in the ACL matches the update source of the route. and the “destination” represents the subnet mask..If we have high-end router on one side and low-speed router on other side. thereby ensuring that the sequence number of the first MD5 packet that the router sends to the non-Cisco neighbor router is 0.g. we can configure either (1) RIP authentication. and the “destination” field represents the network address. or (2) unicast RIP updates on the existing RIP routers. 18.0”.1. e.If an interface is configured with secondary IP addresses and split horizon is enabled.If we want to prevent the sending of RIP updates to a new router upon joining in an existing RIP domain.If split horizon is enabled. This command is only available on point-to-point serial links and must be configured on both ends of the link before taking affect. 16.and redistribution the “source” field in the ACL represents the network address. The interface command “ip rip triggered” enables the router to send triggered updates only when there is a topology change.1. then we can use “output-delay …” command on the high-end router to increase the interpacket delay for RIP updates and we can use “input-queue …” command on the low-speed router to increase the size of RIP input queue.7. 15. 17.The IP-RIP Delay Start feature (“ip rip initial-delay . 20. neither automatic summary nor interface summary addresses are advertised. “access-list 100 deny ip host 155. One routing update is sourced per network number unless split horizon is disabled.“validate-update-source” does not validate source (if it is in the same subnet) of “ip unnumbered” interfaces. it sends its topology table to the neighbor with an initialization bit set. and support for multiple network layer protocols. This is the time in which the ASA can expect to receive a hello packet from that neighbor. routing updates are not exchanged unless there is a change in the network topology. The hello packets are sent out as multicast messages. The neighbor relationship is maintained through the hello packets. the neighbor sends its topology table back to the ASA. If the ASA does not receive a hello packet from that neighbor within the hold time advertised by that neighbor. When the neighbor receives the topology update with the initialization bit set. Once this neighbor relationship is established. the hello messages sent to that neighbor are sent as unicast messages. Propagation of partial updates is automatically bounded so that only those routers that need the information are updated. Instead. Routing updates and acknowledgements are sent out as unicast messages. No response is expected to a hello message. A router running EIGRP stores all the neighbor routing tables so that it can quickly adapt to alternate routes. Its support for variable-length subnet masks permit routes to be automatically summarized on a network number boundary. support for variable-length subnet mask. The exception to this is for statically defined neighbors. EIGRP can be configured to summarize on any bit boundary at any interface. . In addition. As a result of these two capabilities. EIGRP does not make periodic updates. EIGRP does not send out periodic route updates. These queries propagate until an alternate route is found. Key capabilities that distinguish EIGRP from other routing protocols include fast convergence. the ASA considers that neighbor to be unavailable. EIGRP routers send out multicast hello packets to announce their presence on the network. Neighbor discovery is the process that the ASA uses to dynamically learn of other routers on directly attached networks. EIGRP updates are sent out only when the network topology changes. Unlike IGRP and RIP. If you use the neighbor command to configure a neighbor. EIGRP queries its neighbors to discover an alternate route. Each hello packet received from a neighbor contains a hold time. If no appropriate route exists. it sends partial updates only when the metric for a route changes.Overview: EIGRP is an enhanced version of IGRP developed by Cisco. support for partial updates. EIGRP consumes significantly less bandwidth than IGRP. When the ASA receives a hello packet from a new neighbor. including neighbor discover/recovery. four key technologies. not just the least-cost route. the route is marked as stuck-in-active. another route is chosen from the feasible successors. DUAL queries the EIGRP neighbors for a route. DUAL being important for route computations. . If a feasible successor is not found in the topology table. step-by-step:OK.The EIGRP protocol uses four key algorithm technologies. Reliable Transport Protocol (RTP). DUAL marks the route as active. All routes in the topology table that point to the unresponsive neighbor as a feasibility successor are removed. During route recomputation. a route recomputation must occur. the ASA waits for three minutes to receive a response from its neighbors. The least-cost route is inserted into the routing table. A successor is a neighboring router used for packet forwarding that has a least-cost path to a destination. who in turn query their neighbors. During route recomputation. If the main route fails. The other routes remain in the topology table. DUAL saves all routes to a destination in the topology table. The feasibility calculation guarantees that the path is not part of a routing loop. If the ASA does not receive a response from a neighbor. Routers that do not have a feasible successor for the route return an unreachable message. and the fourth one. Keys for EIGRP that you MUST keeping in your mind: EIGRP Updates. By default. TIP: . . uma rede declarada 10.1.com/c/en/us/td/docs/ios/12_2/ip/configuration/guide/fipr_c/1c feigrp. EIGRP Auto-Summary: OK Quando aplicado esse comando no processo EIGRP em questão.0.0/172.16.1.com/4392357/ccie-eigrp-theory-flash-cards/ EIGRP Network Statement: OK Configurações básicas do EIGRP. todas as rotas irão sumarizar e anunciar classfull networks.1.0.10.0/8.0. isso pode causar alguns problemas em redes descontiguas: 192.10. .http://www.cisco.0 com o auto-sumary essa rede será anunciada como 10. Por exemplo.html#wp1012316 http://quizlet. 100-byte ICMP Echos to 172.2 (FastEthernet0/0) is resync: summary configured R1(config-router)# R1(config-router)# R1(config-router)#do ping 172.16.179: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.40. timeout is 2 seconds: . 100-byte ICMP Echos to 172..16. round-trip min/avg/max = 56/63/80 ms R1(config-router)# EIGRP Multi-AF Mode : Teoria OK ( falta testar no Lab ):OK .3.10. timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5).16.40.16.40. Sending 5. Sending 5..R1(config-router)#do ping 172.16.3..3 Type escape sequence to abort.40..3 Type escape sequence to abort. Success rate is 0 percent (0/5) R1(config-router)# R1(config-router)#no auto-summary R1(config-router)# *Mar 1 01:44:09. http://blog. The MD5 keyed digest in each EIGRP packet prevents the introduction of unauthorized or false routing messages from unapproved sources.html . http://www. You can configure multiple keys with specific lifetimes. porém.TIP: Somente é possível configurar um autonomo system dentro de cada EIGRP named domain. regardless of how many valid keys exist. and uses the first valid key that it encounters.com/bid/105129/EIGRP-Named-Mode EIGRP MD5 & SHA-256 Authentication:OK EIGRP route authentication provides MD5 authentication of routing updates from the EIGRP routing protocol. Quando se é criado um novo EIGRP named domain é.boson. which is stored locally. The software examines the key numbers in the order from lowest to highest. preciso redistribuir caso tenha a necessidade de comunicação entre instancias EIGRP Named.cisco.com/c/en/us/td/docs/iosxml/ios/iproute_eigrp/configuration/15-s/ire-15-s-book/ire-sha256. os autônomos system devem estar dentro do mesmo AS. The combination of the key identifier and the interface associated with the message uniquely identifies the authentication algorithm and the MD5 authentication key in use. Não é obrigatório os nomes dos neighbors eigrp serem iguais. Only one authentication packet is sent. Each key has its own key identifier (specified with the key number key chain configuration command). Note that the device needs to know the time to configure keys with lifetimes. because this number is exchanged in the hello packets.pcapng bits with EIGRP http://labs. the authentication is applied at the link level.pcapng About SHA ( Secure Hash Algorithm ) http://en. In Classic Mode.Topology for EIGRP named with MD5 and HCAM-SHA-256 bits R1 R2 MD5 authentication: Wireshark_capituras\EIGRP_MD5_.com/workbook/view/rs-v5-workbook/task/5-4-eigrpmd5-sha-256-authentication-MjA4Nw%3D%3D TIP: EIGRP supports MD5 authentication in Classic (Autonomous System) Mode. whereas in Named Mode it is applied at the af-interface mode under the SAFI. but only the lowest active key number will be exchanged in EIGRP packets. o EIGRP Key Chain Rotation: Voltar!!! o EIGRP Unicast Updates:OK Para formação do neighbors em rede broadcast é necessário a configuração de neig estático para full conectividade.ine.org/wiki/Secure_Hash_Algorithm EIGRP named with SHA 256 bits authentications Wireshark_capituras\(eigrp. For MD5 authentication in both Classic and Named modes.wikipedia. Segue exemplo no link abaixo: .tlv_type)_SHA-256 Named. The key chain can contain multiple keys. the key chain is defined globally. and both MD5 and SHA-256 in Multi-AF (Named) Mode. Note that the key ID must match for authentication to occur. 255. .9. su .BGP D .38.br/2011/03/lab-60-eigrp-unicastcommunication.com. Null0 130.0.1.RIP. N2 . IA .OSPF.255.OSPF NSSA external type 2 E1 .255.IS-IS level-2 ia .local. % .NHRP.candidate default.replicated route.0 ip authentication mode eigrp 1 md5 ip authentication key-chain eigrp 1 ROLLOVER ip summary-address eigrp 10 10. C .0.LISP + ..mobile. 1 subnets D 130.OSPF NSSA external type 1.periodic downloaded static route. L2 .blogspot.OSPF external type 2 i .10. M .1.0/8 is variably subnetted.0/21 is a summary.OSPF external type 1.IS-IS level-1. S . L1 .2. B .static.per-user static route o ..html o EIGRP Summarization:OK Topology: R1 – R2 R1#sh ip rou eigrp Codes: L . FastEthernet0/0 [90/30720] via 9.0. E2 .next hop override Gateway of last resort is not set 10. 7 subnets.10. 00:04:28.IS-IS inter area.connected.OSPF inter area N1 . EX . Current configuration : 218 bytes ! interface FastEthernet0/0 ip address 150. R .2.EIGRP. P .ODR...0 [90/30720] via 150.IS-IS summary.9. U .http://hackingcisco. 00:04:28.38. O . H . FastEthernet3/0 R1# R1#sh run inter f0/0 Building configuration.IS-IS.0.248.0 duplex full end R1#sh run inter f3/0 Building configuration. * . 3 masks D 10. l .EIGRP external.10.0 255.0/24 is subnetted.0.1 255.10. 00:19:18.1. 38. 00:06:32. 00:06:32.9.OSPF external type 1.9.0/8 is variably subnetted.1.0 255. M . FastEthernet0/0 [90/156160] via 9. FastEthernet0/0 [90/156160] via 9. Sumarizamos em um router ( Router A ) e este divulga uma rota default para todos os elementos da rede que estiverem no mesmo dominio de AS.0.0/21 [90/156160] via 150. S .1.BGP D .OSPF inter area N1 .1. L1 .90. 00:06:32.0. FastEthernet3/0 D 10.EIGRP external.EIGRP.0 duplex full end R2#sh ip ro eigrp Codes: L . P .OSPF external type 2 i .IS-IS inter area. E2 .9. % .IS-IS summary.38.NHRP.Current configuration : 215 bytes ! interface FastEthernet3/0 ip address 9. FastEthernet3/0 R2# EIGRP Summarization with Default Routing:OK Comportamento do EIGRP summary é igual o a RIP. N2 . IA .1.0/24 [90/156160] via 150.0.1.replicated route. * .1.1.10.9.0. 00:06:32.RIP. 00:06:32. B .IS-IS level-2 ia .OSPF NSSA external type 1.static.248.per-user static route o .IS-IS.38.OSPF.ODR. 2 masks D 10.90 [90/156160] via 150.candidate default.0.1.OSPF NSSA external type 2 E1 . l . . H .9. R .255.9.mobile. EX . 2 subnets.10. 00:06:32. 1 subnets D 90.9.periodic downloaded static route. L2 .9.local.1 255. su .LISP + . C .10.next hop override Gateway of last resort is not set 10.1.IS-IS level-1.0/32 is subnetted.10.90. O .255.0.0 ip authentication mode eigrp 1 md5 ip authentication key-chain eigrp 1 ROLLOVER ip summary-address eigrp 10 10. U . FastEthernet0/0 [90/156160] via 9.connected.255. FastEthernet3/0 90. local.255.RIP.0.1. IA . L1 . su . EX .0.NHRP. IA .per-user static route o . R .0.next hop override .RIP. P .IS-IS level-2 ia .0. Null0 130.0.OSPF NSSA external type 2 E1 .0.replicated route. M .0.OSPF.OSPF inter area N1 .1 255. E2 .0. E2 .NHRP. R .255. FastEthernet0/0 [90/30720] via 9.LISP + .IS-IS level-2 ia .0 [90/30720] via 150.BGP D .EIGRP.EIGRP. O .2. * . 00:11:52. N2 . C . L1 .OSPF NSSA external type 2 E1 .0.0 ip authentication mode eigrp 1 md5 ip authentication key-chain eigrp 1 ROLLOVER ip summary-address eigrp 10 0.LISP + .IS-IS summary.static.OSPF external type 1.IS-IS level-1. EX .OSPF external type 1. O . B .OSPF inter area N1 .per-user static route o .EIGRP external.static.0 R1(config-if)#do sh ip ro eigrp Codes: L .1. su . C . H .connected. N2 .0 0.0. % .OSPF NSSA external type 1. R2# R2#sh ip rou eigrp Codes: L .connected. % .EIGRP external.candidate default.0.38.periodic downloaded static route.10.0/24 is subnetted.IS-IS inter area. FastEthernet3/0 Log: R2 antes e depois de aplicado o commando summary com defatult routing.38.Comando configurations: interface FastEthernet0/0 ip address 150.ODR. M .OSPF NSSA external type 1. 1 subnets 130.OSPF external type 2 i .9.mobile. S .replicated route. 00:11:52.BGP D . L2 .OSPF external type 2 i . L2 .1.next hop override Gateway of last resort is 0. U .IS-IS summary. l . l . U .0 to network 0. S .10.candidate default. * .mobile.OSPF.2.IS-IS inter area. B . H . P .IS-IS.local.IS-IS.0 D* D 0.0/0 is a summary. 00:03:07.periodic downloaded static route.ODR.IS-IS level-1.9. 1.9.connected. * .38. % .1.1.0.2.0/0 [90/30720] via 150.3.0.0.38.38.1 (FastEthernet0/0) is resync: peer gracefulrestart R2# R2#sh ip rou eigrp Codes: L .90.D D D D D D 10.local.0/24 [90/156160] via 150. U .2/32 [90/156160] via 150. FastEthernet0/0 10.38. FastEthernet0/0 10. 00:00:04.IS-IS level-1.LISP + .38. l .1.candidate default. N2 .38.EIGRP.1. O .1. 00:00:05.1. 00:00:04.1.1. S .10.mobile. M .38.1/32 [90/156160] via 150. 1 subnets D 90. FastEthernet0/0 [90/30720] via 9.10.1. 00:00:04.90 [90/156160] via 150. R . 00:00:04.IS-IS.per-user static route o .1. H .4.RIP.IS-IS level-2 ia . L1 .1. B .5.2/32 [90/156160] via 150. EX .1.1. FastEthernet0/0 10. FastEthernet3/0 .38.38. FastEthernet0/0 90. 00:00:04.static.periodic downloaded static route.BGP D .1.OSPF NSSA external type 1. 00:00:05.1 to network 0.1.OSPF external type 2 i .0. FastEthernet0/0 R2# R2# R2# *Oct 24 14:46:18.0 D* R2# 0. P .9.1. E2 .0/32 is subnetted. 00:00:04.0.EIGRP external.1. 00:00:04.1.NHRP.next hop override Gateway of last resort is 150.151: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 150.10.10.ODR.OSPF.OSPF inter area N1 .IS-IS inter area.OSPF NSSA external type 2 E1 .OSPF external type 1.replicated route.38.0. su .90. IA . L2 . C .2/32 [90/156160] via 150.IS-IS summary.0/24 [90/156160] via 150.10.1.10. FastEthernet0/0 10.10. FastEthernet0/0 10. .90 access-list 1 permit 10.0. EIGRP Summarization with Leak Map:OK TIP: Route leaking is a technique which is used together with summarization. Current configuration : 226 bytes ! interface FastEthernet0/0 ip address 150.1 255.0.. Configurations: Topology: R1—R2—R3 R1(config-if)# R1(config-if)#do sh run | se access-list access-list 1 permit 90.0 ip authentication mode eigrp 1 md5 ip authentication key-chain eigrp 1 ROLLOVER ip summary-address eigrp 10 0..10.255.90.0.10.2 access-list 1 deny any R1(config-if)# R1(config-if)#do sh run | sec route-map route-map filter permit 10 match ip address 1 set tag 69 R1(config-if)#do sh run inter f0/0 Building configuration.1. Leak map reffernces an access-list and whatever network is permitted in the access-list will be leaked along summary route.0.1 access-list 1 permit 10. It is used in the situations where we want to save memory by summarizing routes but still want some routes to be preffered over others for some reasons.0 0.4.2.0 leak-map filter duplex full end R1(config-if)#do sh run inter f3/0 Building configuration.90. ..255.38. OSPF NSSA external type 2 E1 .OSPF external type 1.38.IS-IS level-2 ia .1 (4 matches) 20 permit 10.1.2.LISP + .90 (4 matches) 10 permit 10.static.10.IS-IS inter area.OSPF. B . * .0.0 ip authentication mode eigrp 1 md5 ip authentication key-chain eigrp 1 ROLLOVER ip summary-address eigrp 10 0.38.0. 00:00:25.replicated route.9. H .0. l .9.1 (FastEthernet3/0) is resync: peer graceful-restart .90.IS-IS.1 255.OSPF inter area N1 .BGP D . % . S .1 (FastEthernet0/0) is resync: peer gracefulrestart R2(config)# *Oct 25 09:53:06.751: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 9.4. M .38.1 to network 0. IA .9.EIGRP. FastEthernet0/0 [90/30720] via 9.1.2 (4 matches) 40 deny any (20 matches) R1(config-if)# # After and before filter applied: R2: R2(config)#do sh ip ro ei Codes: L . L2 .0 0.1. su .9.OSPF NSSA external type 1.0 leak-map filter duplex full end # R1(config-if)#do sh access-list Standard IP access list 1 30 permit 90.IS-IS summary.candidate default.Current configuration : 223 bytes ! interface FastEthernet3/0 ip address 9.9.255.0 D* 0. U .0. R .0/0 [90/30720] via 150.0.0.90.RIP. E2 .next hop override Gateway of last resort is 150. EX .connected.OSPF external type 2 i .EIGRP external.ODR.1.mobile. C . FastEthernet3/0 R2(config)# R2(config)# *Oct 25 09:52:58.NHRP. P .9.255.local.259: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 150.periodic downloaded static route.1.10. O . L1 .IS-IS level-1.0. 00:00:25. N2 .per-user static route o .0. 0. 2 subnets D 10. N2 . % . L2 . U .0.IS-IS.local. 00:01:51.9.NHRP.0/32 is subnetted.candidate default.0.BGP D .IS-IS level-1.0.1.OSPF inter area N1 .1.10. 00:00:27.OSPF.1. FastEthernet3/0 10.9.9.38.1 to network 0.IS-IS. * .1. S .10.1. * .OSPF inter area N1 .OSPF NSSA external type 2 E1 .BGP D .1. 00:00:27. su .OSPF external type 1.per-user static route o .1.1.0 D* 0. FastEthernet0/0 [90/30720] via 9.1.RIP.9.OSPF NSSA external type 1.IS-IS summary.38.10.next hop override Gateway of last resort is 150.local.1 [90/156160] via 150.candidate default.2. su . H . H .0. l . L2 .9. L1 .IS-IS inter area.1.RIP.IS-IS inter area.connected.OSPF. l . FastEthernet1/0 150.10.9.9.1. FastEthernet3/0 90.0/24 is subnetted.OSPF external type 2 i . B .NHRP. FastEthernet1/0 9. % .0.per-user static route o . IA .IS-IS level-2 ia .EIGRP.2.ODR.90 [90/156160] via 150.EIGRP.static.replicated route.0.1. FastEthernet1/0 . M .38.1.0 [90/153600] via 130.90.9.0.1.9.0.1. C .replicated route. N2 .0/32 is subnetted. 00:02:35. P .0 D* D D 0.0/0 [90/30720] via 150. 00:00:27.0/24 is subnetted.2 to network 0.2. M . U . 00:02:35.10. C .EIGRP external.connected.1. 1 subnets D 90. B .static. 00:01:51.mobile. R .mobile. R . EX .periodic downloaded static route. 1 subnets 9. FastEthernet0/0 [90/156160] via 9. 00:00:27.ODR.0. FastEthernet0/0 [90/156160] via 9.1. FastEthernet0/0 [90/156160] via 9. L1 .R2(config)#do sh ip ro ei Codes: L . FastEthernet3/0 D 10.4.OSPF NSSA external type 1. IA .38.0. 00:00:27.0. 00:01:51.10.0 [90/153600] via 130.0/0 [90/204800] via 130.1.0.IS-IS level-2 ia .0.OSPF external type 2 i .LISP + .2 [90/156160] via 150.next hop override Gateway of last resort is 130.0. E2 . FastEthernet3/0 R2(config)# R3: R3(config)# R3(config)#do sh ip rou eigr Codes: L .38.38. EX .LISP + . 1 subnets 150.90.OSPF external type 1.IS-IS summary.periodic downloaded static route. O .OSPF NSSA external type 2 E1 . 00:00:27.2. E2 .9.38.EIGRP external. S .IS-IS level-1. P . O . 10. 00:00:23.candidate default. N2 . FastEthernet1/0 10. 00:00:23.OSPF external type 1.2 to network 0.0 D* 0. E2 .R3(config)# R3(config)# R3(config)# R3(config)#do sh ip rou eigr Codes: L . You can also use a floating summary route when configuring the ip summary-address eigrp xx ( Distance administrative ) command.0. FastEthernet1/0 R3(config)# EIGRP Floating Summarization: NOK.4. 1 subnets D 90.0/32 is subnetted. FastEthernet1/0 D 10.IS-IS level-1.10. FastEthernet1/0 150.2. EX . 00:03:57.IS-IS level-2 ia .0.1.0/32 is subnetted. B . 2 subnets D 10.IS-IS.0/0 [90/204800] via 130. R .IS-IS inter area. 00:03:57. FastEthernet1/0 9. 00:00:23. * . 00:03:57.10.EIGRP external.90.0.2.1. U .0.OSPF external type 2 i . 1 subnets D 9. The floating summary route is created by applying a default route and administrative distance at the interface level. P .0.EIGRP.2.1.1 [90/2713600] via 130.2. 1 subnets D 150.OSPF NSSA external type 2 E1 . Falta emular no lab …IOS 12.10.0. su . l .OSPF.ODR.0.1. . IA .90.10.2.1.2 [90/2713600] via 130.mobile.10.replicated route.connected.9.0/24 is subnetted.local. % .LISP + .2. C . H .10.static.OSPF NSSA external type 1.1.periodic downloaded static route.2.1.0.38.2. S .per-user static route o .OSPF inter area N1 .0 [90/153600] via 130.0 [90/153600] via 130.38. This enhancement was introduced in Cisco IOS Release 12.90 [90/2713600] via 130.0. FastEthernet1/0 90.BGP D .1.next hop override Gateway of last resort is 130. L2 .2 e 15.IS-IS summary.0/24 is subnetted. O .10. M .9.0.0.NHRP. L1 . The following scenarios illustrate the behavior of this enhancement.10.RIP.2 não oferece a opção de distance no final de comando para emular corretamente a topologia. o EIGRP Metric Weights:OK Default K values are as follows: K1 = K3 = 1 K2 = K4 = K5 = 0 K6 = 0 The EIGRP Wide Metrics feature also introduces K6 as an additional K value for future use.o EIGRP Poisoned Floating Summarization: NOK. You must applied this configurations on both side!!!! .2 não oferece a opção de distance no final de comando para emular corretamente a topologia. Falta emular no lab …IOS 12.2 e 15. 1 (Serial4/0) is up: new adjacency 10: Neighbor 10: Neighbor 10: Neighbor 10: Neighbor R1(config-router-af)#do sh ip eigrp nei EIGRP-IPv4 VR(ccie) Address-Family Neighbors for AS(10) H Address Interface Hold Uptime SRTT RTO Q Seq (sec) (ms) Cnt Num 1 9.1.527: %DUAL-5-NBRCHANGE: EIGRP-IPv4 9.523: %DUAL-5-NBRCHANGE: EIGRP-IPv4 9.38.1 (FastEthernet0/0) is down: K-value mismatch R2(config-router-af)# *Oct 25 20:25:31.38. K5=1 K6=1 Metric rib-scale 128 Metric version 64bit NSF-aware route hold timer is 240 Router-ID: 90.90.9.9.1.515: %DUAL-5-NBRCHANGE: EIGRP-IPv4 150.2 Se4/0 12 00:02:42 110 660 0 72 0 150.38. K4=1. K3=1.90 Topology : 0 (base) Active Timer: 3 min Distance: internal 90 external 170 Maximum path: 4 Maximum hopcount 100 Maximum metric variance 1 Total Prefix Count: 10 Total Redist Count: 1 .1 (FastEthernet0/0) is up: new adjacency *Oct 25 20:25:31.Logs: R2(config-router-af)# *Oct 25 20:25:26. K2=1.90.9.2 Fa0/0 12 00:02:42 109 654 0 73 R1(config-router-af)# R1(config-router-af)# R1(config-router-af)#do sh ip prot *** IP Routing is NSF aware *** Routing Protocol is "eigrp 10" Outgoing update filter list for all interfaces is not set Incoming update filter list for all interfaces is not set Default networks flagged in outgoing updates Default networks accepted from incoming updates EIGRP-IPv4 VR(ccie) Address-Family Protocol for AS(10) Metric weight K1=1.9.9.167: %DUAL-5-NBRCHANGE: EIGRP-IPv4 150.1.9.1 (Serial4/0) is down: K-value mismatch *Oct 25 20:25:27. 38.9.0.0.0.Automatic Summarization: disabled Maximum path: 4 Routing for Networks: 9.9.0 Routing Information Sources: Gateway Distance Last Update 9.0.0.2 90 00:02:46 150.pcapng o EIGRP Unequal Cost Load Balancing:OK .0 network 10.k1)_0.1.0.0.38.2 90 00:02:46 Distance: internal 90 external 170 # R1(config-router-af)#do sh run | se router eigrp router eigrp ccie ! address-family ipv4 unicast autonomous-system 10 ! af-interface Serial4/0 authentication mode md5 authentication key-chain ROLLOVER exit-af-interface ! af-interface FastEthernet0/0 authentication mode md5 authentication key-chain ROLLOVER exit-af-interface ! topology base exit-af-topology network 9.0 network 150.0 10.0.38.par.0 150.0.0 metric weights 0 1 1 1 1 1 1 exit-address-family # Wireshark_capituras\(eigrp.0. local.168. O .1.EIGRP external.. EX .OSPF. U .2 Fa0/0 10 00:03:18 67 402 0 103 R1(config-router-af-topology)# R1(config-router-af-topology)#do sh run inter f 1/0 Building configuration. L2 .. R .IS-IS level-2 ia .OSPF NSSA external type 1.IS-IS summary.1 255. Current configuration : 101 bytes ! interface FastEthernet1/0 bandwidth 50000 ip address 192. * . IA . S .candidate default.BGP D .per-user static route o . % .168.next hop override .EIGRP.168.IS-IS inter area.255.168. E2 . N2 .RIP..OSPF inter area N1 .0 duplex full end R1(config-router-af-topology)#do sh run inter f 0/0 Building configuration. su . M . P .IS-IS level-1.connected.255.LISP + .. Topologia: R1 – R2 R1(config-router-af-topology)#do sh ip eigrp nei EIGRP-IPv4 VR(ccie) Address-Family Neighbors for AS(10) H Address Interface Hold Uptime SRTT RTO Q Seq (sec) (ms) Cnt Num 1 192.OSPF external type 1.periodic downloaded static route. H . C .2.Podemos efetuar o balanceamento com custos desiguais com o comando: variance x.mobile. B .replicated route.2 Fa1/0 10 00:03:17 65 390 0 105 0 192.ODR.255.2.IS-IS.0 duplex full end R1(config-router-af-topology)#do sh ip ro eigrp Codes: L .static.OSPF external type 2 i .255. l .OSPF NSSA external type 2 E1 .1.1 255.NHRP. L1 . Current configuration : 84 bytes ! interface FastEthernet0/0 bandwidth 100000 ip address 192. 0.0/32 is subnetted.168. 00:00:02. R .2. H .IS-IS summary.Gateway of last resort is not set 20. 1 subnets D 20. U .0 exit-address-family About traffic-share: .OSPF external type 1.20.2. IA .IS-IS inter area.NHRP.1.0. E2 .1. N2 . 1 subnets D 20.candidate default.0.20 [90/154240] via 192.IS-IS.1.2.0/32 is subnetted.RIP.2.OSPF external type 2 i .OSPF.168. L2 .IS-IS level-2 ia .LISP + . FastEthernet0/0 R1(config-router-af-topology)# R1(config-router-af-topology)# R1(config-router-af-topology)# R1(config-router-af-topology)#variance 2 R1(config-router-af-topology)# R1(config-router-af-topology)#do sh ip ro eigrp Codes: L .per-user static route o .mobile. FastEthernet1/0 [90/103040] via 192. B . M . L1 . C .20 [90/103040] via 192.EIGRP. FastEthernet0/0 R1(config-router-af-topology)# R1(config-router-af-topology)#do sh run | se router eigrp router eigrp ccie ! address-family ipv4 unicast autonomous-system 10 ! topology base variance 2 exit-af-topology network 10.20. EX .connected.0 network 192.EIGRP external.168.0. 00:00:02.next hop override Gateway of last resort is not set 20.OSPF NSSA external type 2 E1 . su .periodic downloaded static route.local.168.OSPF NSSA external type 1.OSPF inter area N1 . l .static.2.IS-IS level-1.BGP D . * .0 network 192.0. % . P .0.168.replicated route. O .20.ODR. S . 00:01:58.20. to limit this number. TIP: The timers active-time command controls how long an EIGRP router will wait for a reply to a query message before considering the route Stuck In Active (SIA) and Declaring the neighbor from which a reply was not received as down. the best route will transport traffic three times that of the worst route. o EIGRP Traffic Engineering with Metric:OK Você pode mudar as metricas com os K´s values para manipulação ou usar o Delay nas interfaces para manipular os updates route. Unlike OSPF for example.With the traffic-share command. if there are multiple minimum-cost paths and traffic-share-min is configured. o EIGRP Convergence Timers:OK Unlike OSPF. The multiple paths that make up a singlehop transport to a common destination are called a load-sharing group. EIGRP hello and hold-time intervals do not need to match to form adjacencies. If a reply had not come back from RX. if variance is set to 3 and traffic-share is set to balanced. the locally configured Hold-Time interval defines for how long the remote router will wait for a EIGRP packet before resetting the adjacency. About maximum-paths: With the maximum-paths command. By default. use themaximum-paths command. the locally configured Hello interval defines the local rate interval for sending EIGRP hello packets but the value is not transmited in EIGRP Hello packets. For example. The default value is 4. the router uses up to six paths to share traffic across. The query and reply process is used to discover alternate paths to a route for which the successor is lost. EIGRP will use equal-cost load balancing. where traffic will be distributed proportionally to the ratio of the metrics. the command is set to balanced. the route would have . RY would wait for the timers active-time to expire. Just like OSPF for example. If this timer had expired. thus the value is transmited in EIGRP Hello packets. and summary) can be used in any combination but cannot be used with the receive-only keyword. it may be necessary to redistribute connected routes with the redistribute connected command under the EIGRP process. The connected keyword will permit the EIGRP Stub Routing feature to send connected routes. The eigrp stub command can be modified with several options. The static keyword will permit the EIGRP Stub Routing feature to send static routes. and these options can be used in any combination except for the receive-only keyword. It will still be necessary to redistribute static routes with the redistribute static command. connected and summary routes will not be sent automatically. Four optional keywords can be used with the eigrp stub command to modify this behavior: • receive-only • connected • static • summary This section provides configuration examples for all forms of the eigrp stub command. and the neighbor relationship to R8 would have been reset.been considered SIA. and the receive-only keyword will not permit any other option to be specified because it prevents any type of route from being sent. If any of these three keywords is used individually with the eigrp stub command. including internal static routes that normally would be automatically redistributed. EIGRP will not send any static routes. static. The three other optional keywords (connected. Without the configuration of this option. o EIGRP Stub Routing A router that is configured as a stub with the eigrp stub command shares connected and summary routing information with all neighbor routers by default. . The receive-only keyword will restrict the router from sharing any of its routes with any other router in that EIGRP autonomous system. If the connected routes are not covered by a network statement. This option is enabled by default. Summary routes can be created manually with the summary address command or automatically at a major network border router with the auto-summary command enabled. This option is enabled by default. o EIGRP Stub Routing with Leak Map o EIGRP Filtering with Passive Interface o EIGRP Filtering with Prefix-Lists o EIGRP Filtering with Standard Access-Lists o EIGRP Filtering with Extended Access-Lists o EIGRP Filtering with Offset Lists o EIGRP Filtering with Administrative Distance o EIGRP Filtering with Per Neighbor AD o EIGRP Filtering with Route Maps o EIGRP Bandwidth Pacing o EIGRP Default Metric o EIGRP Neighbor Logging .The summary keyword will permit the EIGRP Stub Routing feature to send summary routes. Unlike OSPF. 180 seconds for low-speed non-broadcast multiaccess (NBMA) networks and 15 seconds for all other networks. if the leakmap keyword is configured but the access-list does not exist or the route map does not reference the access list. (2) “ip summary-address 0. and (3) “ip default-network . the hold time is three times the Hello interval. “passive-interface” command for an interface does not stop advertising of that interface in the EIGRP updates. "ip summary-address eigrp 100 0. the network specified by the “ip default-network …” command must be advertised into EIGRP. EIGRP sources its messages always from the address in the primary subnet. (1) static route to 0. so the IP addresses of neighbors must be in the subnet of the primary subnets. Unlike RIP. Otherwise the default route (to null interface) generated by this command. .0 0. leak-map .o EIGRP Router-ID o EIGRP Maximum Hops Things to remember. EIGRP auto-summarizes connected. leak-map option ("ip summary-address eigrp .. the summary address and all component routes are sent. Default route can be advertised in the EIGRP domain several ways: e. To establish neighbor relationship.. leak-map option with “eigrp stub .0.0.g..0..0.0 …” command. may black hole the traffic.0 250" should be used along with higher administrative distance (floating route) if this router already has a default route in its routing table leaned via any other means. The IP header of an EIGRP packet specifies protocol number 88.” command has the same functionality as leak-map option with “ip summary-address …” command.0.0. the neighbors must be in the same IP subnet. the hello and hold time parameters do not need to match to form EIGRP neighbor relationships.. By default.0 0.") is only available under physical and virtual-template interfaces. While generating default route.. with the “redistribute static” command.0.. Routers will not form EIGRP neighbors over secondary networks.. for EIGRP to propagate the default route. Again. While EIGRP supports secondary IP addresses and subnets. Two sides must also match metric weights (K values) in order to form EIGRP neighbor adjacency.0. internal routes across classful network boundaries.” command.0.0.0. .Unlike RIP. “passive-interface …” command should not be used along with it. otherwise it will stop sending EIGRP hello packets. “gateway” option in “distribute-list .” command is only available with prefix-list. The “ip bandwidth-percent . In EIGRP authentication.. If configured with multiple keys. A route map may be configured with both the “redistribute . it’s better to use “delay”. the only way to verify it.. the update is dropped. EIGRP only sends the lowest numbered valid key but accepts any valid key.” and the “distribute-list . but not with ACL. doesn’t work for EIGRP external routes. The “show ip interface” command doesn’t verify split horizon for EIGRP. Unlike RIP. So configuring this command on the frame-relay physical interface does not affect EIGRP process at all.” commands in the same routing process. The “default-metric …” command does not affect in EIGRP-to-EIGRP redistribution.. An active route becomes passive when a reply has been received from every queried neighbor. with EIGRP split horizon is enabled on all frame-relay multipoint interfaces (physical or subinterface). The router originating the external route inserts its EIGRP router-id in the update. To change the EIGRP metric. so it will not affect other protocols (OSPF) dependent on “bandwidth”. A route becomes active when no feasible successor exists in its topology table. EIGRP only needs “neighbor …” command to send unicast updates. is by checking running configuration.” command can have values greater than 100 percent if the bandwidth is configured (by the “bandwidth …” interface configuration command) artificially low due to policy reasons. “passive interface …” command in the frame-relay physical interface does not inherited by the subinterfaces... key number must match along with key string on both sides. EIGRP does not automatically summarize external routes. The administrative distance filtering technique only works for EIGRP internal routes. The distance of external EIGRP cannot be changed on a per prefix basis.. If an update is received back in with the router-id matching the local router-id.. CCIE R&S v5 Advanced Technology Labs OSPF • . • o OSPF over Broadcast Media o OSPF over DMVPN o OSPF DR/BDR Election Manipulation o OSPF Network Point-to-Point o OSPF Network Point-to-Multipoint o OSPF Network Point-to-Multipoint Non-Broadcast o OSPF Network Loopback o OSPF Path Selection with Auto-Cost o OSPF Path Selection with Cost o OSPF Path Selection with Bandwidth o OSPF Path Selection with Per-Neighbor Cost o Discontiguous OSPF Areas with Virtual-Links o OSPF Path Selection with Non-Backbone Transit Areas o OSPF Path Selection with Virtual-Links o OSPF Demand Circuit o OSPF Flooding Reduction o OSPF Clear Text Authentication o OSPF MD5 Authentication o OSPF MD5 Authentication with Multiple Keys o OSPF SHA Authentication o OSPF Null Authentication o OSPF Internal Summarization o OSPF Path Selection with Summarization o OSPF External Summarization o OSPF Stub Areas . o OSPF Totally Stubby Areas o OSPF Not-So-Stubby Areas o OSPF Not-So-Stubby Areas and Default Routing o OSPF Not-So-Totally-Stubby Areas o OSPF Stub Areas with Multiple Exit Points o OSPF NSSA Type-7 to Type-5 Translator Election o OSPF NSSA Redistribution Filtering o OSPF LSA Type-3 Filtering o OSPF Forwarding Address Suppression o OSPF Default Routing o OSPF Conditional Default Routing o OSPF Reliable Conditional Default Routing o OSPF Filtering with Distribute-Lists o OSPF Summarization and Discard Routes o OSPF Filtering with Administrative Distance o OSPF Filtering with Route-Maps o OSPF NSSA ABR External Prefix Filtering o OSPF Database Filtering o OSPF Stub Router Advertisement o OSPF Interface Timers o OSPF Global Timers o OSPF Resource Limiting o Miscellaneous OSPF Features Things to remember: The IP header of an OSPF packet specifies protocol number 89. . the "neighbor . the advertisement of a Type 3 LSA from one area to another hides the topology in the original area from the second area... metric (cost).. OSPF uses Link State logic. cost ." command must be used to identify neighbors... But on point-to-multipoint non-broadcast networks. In non-broadcast network. . or (iv) "neighbor . As only broadcast and non-broadcast network type elects DR/BDR. OSPF sees secondary networks as stub networks and cannot make adjacencies over secondary addresses. Inside an area." command. but between areas OSPF acts much like a Distance Vector (DV) protocol in some regard. hello/dead timers. assigning a cost to a neighbor is optional. Routers in NSSA can only be adjacent with the routers in NSSA or totally NSSA. To establish OSPF neighbor adjacency.. OSPF will advertise a secondary network or subnet only if it is also running on the primary network or subnet and OSPF routes of secondary addresses must be in same area as the primary address to be advertised. another routing protocol such as RIP should be running and redistributed into OSPF. The primary interface and IP unnumbered interface will have OSPF enabled if a network statement matches the IP address of the primary interface. (ii) interface "ip ospf cost . Only broadcast and non-broadcast network elect DR/BDR based on priority or routerid (in case of a tie in the priority). With OSPF network types broadcast and non-broadcast. just listing a destination subnet.. Both point-to-multipoint and point-to-multipoint non-broadcast network type update the next-hop value of routes learned on partially meshed networks to the directly connected neighbor.. An OSPF external route cannot use another OSPF external route as its next hop. The internal OSPF routes can only be summarized on ABRs whereas the external (redistributed) routes can only be summarized on ASBRs. if the "neighbor. they are compatible with each other.... DR/BDR must have layer 2 connectivity to all other routers in the same area. MTU (otherwise have to use "ip ospf mtu-ignore") must match. OSPF cost can be modified using (i) interface "bandwidth .. a cost to that neighbor must be specified. and the ABR through which the subnet can be reached—all DV concepts. but they are not compatible with any other network types. To learn routes from a neighbor connected to the secondary network." command is used. Unique router-id is also required. On point-to-multipoint broadcast networks. and advertise the network as a set of endpoints instead of a transit network." command. OSPF network point-to-point is the default option for point-to-point interfaces such as HDLC. next hop values are not modified when updates are transmitted across an NBMA media." command. Another solution to this kind of problem is to create dot1q subinterfaces. Routers in stub area can only be adjacent with the routers in stubs or totally stubby area. Only OSPF point-to-multipoint and point-to-multipoint non-broadcast network types support OSPF cost value on a per neighbor basis. For example." command on point-to-multipoint non-broadcast network.. (iii) process "auto-cost reference-bandwidth . PPP. The only time that OSPF will form adjacencies between neighbors that are not on the same subnet is when the neighbors are connected through point-to-point links using "ip unnumbered".. or point-to-point NBMA subinterfaces. “ip ospf database-filter all out”." (match route-type. OSPF filtering using "area . the flooding reduction feature does not impair the detection of a neighbor router going down... NSSA ASBR can generate a default only when it has a default route in its routing table whereas NSSA ABR can generate a default route with or without a default route in its own routing table. which is prohibited in NSSA area. The command must be configured in a point-to-point link and is needed only on one side. In NSSA. only the multipoint end must be configured with this command. If the “area … range …” and "area ... “summary-address … not-adv”. Thus. filter-list prefix . or “neighbor … database-filter all out” commands can filter LSAs from OSPF database. the router-id must be identical... range .. and "distance ... “neighbor … database-filter all out” only works on point-to-multipoint network types. . out" both commands are configured for an area. ABR with the highest router-id does the LSA 7 to 5 conversion. If the authentication is wrong on the virtual-link. it does not suppress periodic hello packets.. In NSSA. the virtual-link interface will not go down immediately. filter-list prefix ... match ip route-source.. match ip next-hop). Virtual links are not allowed in the stubby area or NSSA. then the ASBR generates Type 5 external LSAs only for those networks that are explicitly permitted in the distribute list. As the virtual-link does not support periodic hellos. In this case OSPF can be tunneled over a stub area using GRE tunnel (tunnel must be connected to area 0). The main difference between flooding reduction ("ip ospf flood-reduction") and demand circuits ("ip ospf demand-circuit") is that former suppresses only periodic LSA refreshes. OSPF filtering using "distribute-list .. “default-information originate” command cannot be used. but cannot stop LSAs propagation into the OSPF database. If “distribute-list out” command is configured on an ASBR. "route-map ..". OSPF stub router (“max-metric router-lsa”) advertises all non self-originated routes/LSAs with maximum metric. OSPF demand circuit sets “do not age” flag on all LSAs learned and will only send updates when there is a change in the OSPF topology. in OSPF and in BGP." command is configured." commands can only block route from entering into local RIB... When "redistribute maximum-prefix . If the router is part of a point-tomultipoint topology. The virtual link will not come up if the only interface to reach the other end of the virtual link has a cost that is maximized (65535).. only if at least one prefix in the area range matches an entry in the prefix list. “clear ip ospf process” command should be issued if the authentication is enabled on the virtual link. since it generates Type-5 LSA. For BGP to redistribute routes into OSPF.".. "area default-cost ." command is used to specify a cost for the default summary route (default cost 1) that is sent into a stub area or NSSA.. "area . then type 3 LSAs that correspond to the area range are sent to all other areas. the redistribution limit does not apply to default routes or prefixes that are generated as a result of Type-7 to Type-5 translation. and 1 when redistributing from BGP.. not-adv". OSPF defaults to cost 20 when redistributing from an IGP.. Next-Hop-Self o BGP Next-Hop Processing .Manual Modification o iBGP Synchronization .CCIE R&S v5 Advanced Technology Labs Redistribution • • o Redistribution Case 1 o Redistribution Case 2 o Redistribution Case 3 CCIE R&S v5 Advanced Technology Labs - • BGP • o Establishing iBGP Peerings o Establishing eBGP Peerings o BGP Update Source Modification o Multihop EBGP Peerings o Neighbor Disable-Connected-Check o Authenticating BGP Peerings o iBGP Route Reflection o Large-Scale iBGP Route Reflection with Clusters o iBGP Confederation o BGP Next-Hop Processing . Advertise Map o BGP Communities o BGP Communities .AS-Set o BGP Aggregation .Attribute-Map o BGP Aggregation .AS-Path Prepending o BGP Bestpath Selection .Weight o BGP Bestpath Selection .Local Preference o BGP Bestpath Selection .MED o BGP Bestpath Selection .No-Export .Always Compare MED o BGP Bestpath Selection .AS-Path Ignore o BGP Bestpath Selection .DMZ Link Bandwidth o BGP Bestpath Selection .Summary Only o BGP Aggregation .Origin Code o BGP Bestpath Selection .Maximum AS Limit o BGP Backdoor o BGP Aggregation o BGP Aggregation .Suppress Map o BGP Aggregation .Unsuppress Map o BGP Aggregation .No-Advertise o BGP Communities .Router-IDs o BGP Bestpath Selection .o BGP over GRE o BGP Redistribute Internal o BGP Peer Groups o BGP Network Statement o BGP Auto-Summary o BGP Bestpath Selection . Deleting o BGP Conditional Advertisement o BGP Conditional Route Injection o BGP Filtering with Prefix-Lists o BGP Filtering with Standard Access-Lists o BGP Filtering with Extended Access-Lists o BGP Regular Expressions o BGP Filtering with Maximum Prefix o BGP Default Routing o BGP Local AS o BGP Local AS Replace-AS/Dual-AS o BGP Remove Private AS o BGP Dampening o BGP Dampening with Route-Map o BGP Timers Tuning o BGP Fast Fallover o BGP Outbound Route Filtering o BGP Soft Reconfiguration o BGP Next-Hop Trigger o BGP TTL Security o BGP AllowAS in CCIE R&S v5 Advanced Technology Labs MPLS • .o BGP Communities .Local-AS o BGP Communities . • o VRF Lite o MPLS LDP o MPLS Label Filtering o MP-BGP VPNv4 o MP-BGP Prefix Filtering o PE-CE Routing with RIP o PE-CE Routing with OSPF o OSPF Sham-Link o PE-CE Routing with EIGRP o EIGRP Site-of-Origin o PE-CE Routing with BGP o BGP SoO Attribute o Internet Access o MPLS VPN Performance Tuning CCIE R&S v5 Advanced Technology Labs IPSec VPN • • o IPsec VPNs with Crypto Maps o GRE over IPsec with Crypto Maps o GRE over IPsec with Crypto Profiles o IPsec Virtual Tunnel Interfaces (VTIs) o DMVPN without IPsec o DMVPN with IPsec . Multiple RP Candidates .Multiple Candidate RPs o Auto-RP .Filtering Candidate RPs o Auto-RP Listener o Auto-RP and RP/MA Placement o Filtering Auto-RP Messages o Multicast Boundary o PIM Bootstrap Router o BSR .o DMVPN Phase 1 with EIGRP o DMVPN Phase 1 with OSPF o DMVPN Phase 2 with EIGRP CCIE R&S v5 Advanced Technology Labs Multicast • • o PIM Dense Mode o Multicast RPF Failure o PIM Sparse Mode o PIM Sparse-Dense Mode o PIM Assert o PIM Accept RP o PIM DR Election o PIM Accept Register o Multicast Tunneling o Auto-RP o Auto-RP . o Filtering BSR Messages o Stub Multicast Routing & IGMP Helper o IGMP Filtering o IGMP Timers o Multicast Helper Map o Bidirectional PIM o Source Specific Multicast o Multicast BGP Extension o MSDP o Anycast RP o Catalyst IGMP Snooping o Catalyst Multicast VLAN Registration o Catalyst IGMP Profiles • CCIE R&S v5 Advanced Technology Labs IPv6 • o IPv6 Link-Local Addressing o IPv6 Unique Local Addressing o IPv6 Global Aggregatable Addressing o IPv6 EUI-64 Addressing o IPv6 Auto-Configuration o RIPng o RIPng over NBMA o RIPng Summarization . o RIPng Prefix Filtering o RIPng Metric Manipulation o RIPng Default Routing o EIGRPv6 o EIGRPv6 Summarization o EIGRPv6 Prefix Filtering o EIGRPv6 Metric Manipulation o EIGRPv6 Default Routing o OSPFv3 o OSPFv3 over NBMA o OSPFv3 Virtual Links o OSPFv3 Summarization o IPv6 Redistribution o IPv6 Filtering o IPv6 MP-BGP o IPv6 PIM and MLD o IPv6 PIM BSR o IPv6 Embedded RP o IPv6 SSM o IPv6 Tunneling o Automatic 6to4 Tunneling o ISATAP Tunneling . • CCIE R&S v5 Advanced Technology Labs QoS • o MQC Classification and Marking o MQC Bandwidth Reservations and CBWFQ o MQC Bandwidth Percent o MQC LLQ and Remaining Bandwidth Reservations o MQC WRED o MQC Dynamic Flows and WRED o MQC WRED with ECN o MQC Class-Based Generic Traffic Shaping o MQC Class-Based GTS and CBWFQ o MQC Single-Rate Three-Color Policer o MQC Hierarchical Policers o MQC Two-Rate Three-Color Policer o MQC Percent-Based Policing o QoS Pre-Classify o Advanced HTTP Classification with NBAR • CCIE R&S v5 Advanced Technology Labs Security • o AAA Authentication Lists o AAA Exec Authorization o AAA Local Command Authorization o Traffic Filtering Using Standard Access-Lists . o Traffic Filtering Using Extended Access-Lists o Filtering Fragmented Packets o Filtering Traffic with Time-Based Access Lists o Traffic Filtering with Policy-Based Routing o Preventing Packet Spoofing with uRPF o Using NBAR for Content-Based Matching o Packet Logging with Access-Lists o VLAN Filtering for IP Traffic o VLAN Filtering for Non-IP Traffic o Port Security o HSRP and Port Security o DHCP Snooping o DHCP Snooping and the Information Option o Dynamic ARP Inspection o IP Source Guard o Using Catalyst Ingress Access-Lists o Controlling Terminal Line Access o IOS Login Enhancements o Role-Based CLI o Controlling the ICMP Messages Rate o Control Plane Policing o IOS ACL Selective IP Option Drop o BGP Generic TTL Security Mechanism .