1.1
General Theory
Control Plane exchanges routing protocol
Information
Data Plane forwards data packets by interface
microcode processor
Process/Fast Switching
Process Switching
Each packet triggers separate lookup
Lookups not cached
High CPU Utilisation
(config-if)# no ip route-cache
Fast Switching
Initial packet in a flow is process switched
Forwarding decision added to ip cache in data plane
(config-if)# ip route-cache
#show ip cache
Cisco Express Forwarding (CEF)
Forwarding Information Base (FIB)
Located in data plane
Built from IP route table
Contains
- Network prefix (longest match)
- Next hop
- Outgoing interface
Change in Routing Table triggers change in FIB
Adjacency Table
Located in data plane
Built from ARP, inverse ARP, and FR map statements
Contains
- Outgoing interface
- Next hop L3 address
- L2 header information
Commands
#show ip cef
#show ipv6 cef
#show ip cef exact-route <source-ip> <dest-ip>
#show adjacency
(config)#ip cef
(config)#no ip cef
(config-if)#ip route-cache cef
(config-if)#no ip route-cache cef
#show ip interface <interface>
Additional Information
Packets that can't be CEF switched are "punted" and will be process or fast switched
Exception packets are received by the control plane and include
- Using IP header option
- Have expiring TTL counter
- Forwarded to tunnel interface
- Unsupported encapsulation type
- Exceeds MTU and needs fragmentation
IPv4 CEF enabled by default
IPv6 CEF not enabled by default but can be enabled by activating ipv6 unicast-routing
Two modes
- Central CEF where FIB and AT are on the route processor
- Distributed CEF where FIB and AT are on line cards
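Added example (Python, not from the original notes): a toy data plane with a FIB, an adjacency table and the exception checks listed above. The FIB entries, adjacency entries, MTUs and addresses are constructed values. It shows a longest-prefix lookup followed by the adjacency rewrite, and which packets get punted to the control plane instead.

```python
import ipaddress

# Constructed FIB: prefix -> (next hop, outgoing interface). All values are assumed.
FIB = {
    ipaddress.ip_network("0.0.0.0/0"):   ("10.0.0.1", "Gi0/0"),
    ipaddress.ip_network("10.1.0.0/16"): ("10.0.0.2", "Gi0/1"),
    ipaddress.ip_network("10.1.5.0/24"): ("10.0.0.3", "Gi0/2"),
}

# Constructed adjacency table: (next hop, interface) -> L2 rewrite (next-hop MAC),
# as ARP would populate it. 10.0.0.3 has no ARP entry yet, so its adjacency is incomplete.
ADJACENCY = {
    ("10.0.0.1", "Gi0/0"): "00:00:5e:00:53:01",
    ("10.0.0.2", "Gi0/1"): "00:00:5e:00:53:02",
}

INTERFACE_MTU = {"Gi0/0": 1500, "Gi0/1": 1500, "Gi0/2": 1500}


def fib_lookup(dst):
    """Longest-prefix match against the FIB; returns (prefix, (next_hop, iface)) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, entry in FIB.items():
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, entry)
    return best


def cef_switch(packet):
    """Decide whether the data plane forwards the packet on its own.

    packet: dict with 'dst', 'ttl', 'length' and optional 'ip_options'.
    Returns ('cef', prefix, next_hop, iface, rewrite_mac) on a CEF hit, or
    ('punt', reason) when the packet must go to the control plane (process or
    fast switching), mirroring the exception list in the notes.
    """
    if packet.get("ip_options"):
        return ("punt", "ip-header-option")
    if packet["ttl"] <= 1:
        return ("punt", "ttl-expiring")
    match = fib_lookup(packet["dst"])
    if match is None:
        return ("punt", "no-route")
    prefix, (next_hop, iface) = match
    if packet["length"] > INTERFACE_MTU[iface]:
        return ("punt", "needs-fragmentation")
    mac = ADJACENCY.get((next_hop, iface))
    if mac is None:
        return ("punt", "incomplete-adjacency")   # glean: control plane resolves ARP first
    return ("cef", str(prefix), next_hop, iface, mac)


if __name__ == "__main__":
    for pkt in ({"dst": "10.1.2.3", "ttl": 64, "length": 500},
                {"dst": "10.1.5.9", "ttl": 64, "length": 500},
                {"dst": "10.1.2.3", "ttl": 1, "length": 500}):
        print(pkt["dst"], cef_switch(pkt))
```

fib_lookup is what show ip cef exact-route reports on the router; the incomplete adjacency for 10.0.0.3 is the case where the data plane has a route but no L2 rewrite, so the packet is handed to the control plane.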
Network Principles (10%)
1.2
Unicast Flooding
EIGRP Summarisation
Auto
Any router can perform summarisation
Disabled by default
Summarises along classful boundary
Summary route to Null0 is created
Will not send a classful summary route to a neighbor who is advertising a subnet of that major network
Can cause connectivity issues where classless networks are discontiguous
Verify
o show ip protocol | b EIGRP
Configuration
o (config-router)# [no] auto-summary
Manual
Must select
1. Correct interface
2. Correct ASN
3. Summary address
4. Mask
Summary route is advertised only if a more specific component of the summary route is present in the routing table.
The metric of the summary route equals the minimum metric of the more specific routes.
Configuration
(config-if)# ip summary-address eigrp <AS> <IP Address/Mask>
Verify
show ip route
EIGRP for IPv6
(config-if)# ipv6 summary-address eigrp <AS> <prefix/length>
show ipv6 route eigrp
Convert addresses to partial binary format and identify the common bits
No auto-summarisation
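Added example (Python, not from the original notes) of the common-bits method for working out the manual summary address, plus the rule that the summary is advertised only while a more specific component exists, with the minimum metric of those components. It works for both IPv4 and IPv6 prefixes, so it also covers the EIGRP for IPv6 case; all prefixes and metrics are constructed.

```python
import ipaddress


def common_prefix_length(networks):
    """Number of leading bits shared by every component network.

    This is the 'convert to binary and find the common bits' method: XOR each
    network address with the first one; the highest set bit of the XOR marks
    the first differing position. The result is also capped at the shortest
    component length, since a summary can never be longer than a component.
    """
    nets = [ipaddress.ip_network(n) for n in networks]
    width = nets[0].max_prefixlen          # 32 for IPv4, 128 for IPv6
    first = int(nets[0].network_address)
    shared = min(n.prefixlen for n in nets)
    for n in nets[1:]:
        if n.max_prefixlen != width:
            raise ValueError("cannot summarise IPv4 and IPv6 together")
        diff = first ^ int(n.network_address)
        shared = min(shared, width - diff.bit_length())
    return shared


def summary_route(networks):
    """Smallest single prefix covering all component networks, e.g. '10.1.0.0/22'."""
    nets = [ipaddress.ip_network(n) for n in networks]
    length = common_prefix_length(networks)
    return str(ipaddress.ip_network(f"{nets[0].network_address}/{length}", strict=False))


def advertised_summary(summary, routing_table):
    """EIGRP advertises a manual summary only while at least one more specific
    component is present in the routing table, and gives it the minimum metric
    of those components. routing_table: {prefix: metric}. Returns the metric,
    or None when the summary would be withdrawn.
    """
    s = ipaddress.ip_network(summary)
    metrics = []
    for prefix, metric in routing_table.items():
        p = ipaddress.ip_network(prefix)
        if p.version == s.version and p != s and p.subnet_of(s):
            metrics.append(metric)
    return min(metrics) if metrics else None


if __name__ == "__main__":
    components = ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"]
    print(summary_route(components))
    # Constructed routing table: two components present, one unrelated route
    print(advertised_summary("10.1.0.0/22",
                             {"10.1.1.0/24": 2816, "10.1.3.0/24": 5376, "172.16.0.0/16": 100}))
```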
3.12
Policy-Based Routing (PBR)
Information
PBR works alongside the switching processes.
Explicitly sets the outgoing interface and next-hop.
Can make forwarding decisions based on something other than destination prefix.
If next-hop not reachable, router will fall back to destination-based routing.
Applied on incoming interface where traffic is received.
Can be used to match
Source/destination addresses
Protocol types
End-user applications
Fast switched PBR or CEF switched PBR.
To drop packets that do not match, use the set command to route packets to Null0.
Configuration
Commands
(config)# route-map <map-tag> [permit|deny] [sequence-number]
If deny and a match, the packet is not policy routed and normal destination-based routing is performed
If no match, packet is not dropped and normal routing applies
(config-route-map)# match ip address <acl>
matches packets permitted by an ACL
(config-route-map)# match length <min> <max>
Based on L3 length
(config-route-map)# set ip next-hop <ip-address>
(config-route-map)# set interface <type number>
(config-if)# ip policy route-map <map-tag>
If the default form is used, normal forwarding is tried first; PBR is used only if that fails.
Example
(config)# route-map RM_GOTOR2 permit 10
(config-route-map)# set ip next-hop 10.0.23.2
(config-route-map)# set interface serial 3/0.302
(config)# interface serial 3/0.302
(config-if)# ip policy route-map RM_GOTOR2
Matching Protocols/Ports
access-list 101 permit tcp any any eq telnet
route-map RM_TCP permit 10
match ip address 101
set ip next-hop 9.9.9.9
Verification
show ip policy
show route-map [map-name]
debug ip policy
traceroute
ping
3.13
Sub-Optimal Routing
Can occur when there are multiple points of redistribution between the same two routing protocols
Routing domains have different ADs therefore a redistributed route may be better than the directly connected route
To solve sub-optimal routing:
Use route-tagging
Change AD of redistributed routes
(config-router)# distance eigrp <internal> <external>
(config-router)# distance <AD> <source-address source-wildcard-mask> [ACL]
3.14
Route Maps
Conditions are tested against a packet/route using match commands.
If a match, the set command is used to modify that packet/route.
A collection of route-map statements that have the same route-map name is considered one route map.
Statements in a route-map correspond to the lines of an ACL.
Common Applications
o Route filtering during redistribution
o Policy-based routing (PBR)
o BGP
Sequence numbers if not used:
1. If no entry, default is 10
2. If only one entry is defined with the route-map tag, sequence number is unchanged (editing entry)
3. If more than one entry is defined with the supplied route-map tag, an error message asks to add a sequence number
4. If no route-map <map-tag> is used, the whole route-map is deleted
If route-map statements are left empty, then all routes will be allowed without any modifications
Permit statements cause a route to be allowed if matched by the match command
Deny statements filter the route if matched by the match command.
Configuration
Three Steps
1. Define route-map
(config)# route-map <map-tag> [permit|deny] [seq number]
default for route-map is permit with seq 10
seq defines position
2. Define matching conditions (match) and action to be taken (set)
(config-route-map)# match <condition>
statement without any match statements will be considered a match
match can contain multiple conditions with only one condition in the statement needing to be true (OR)
can contain multiple match statements with all statements having to be true for the statement to be a match (AND)
Match criteria can be:
IP standard ACL
Extended ACL
Prefix list
(config-route-map)# set <condition>
change or add characteristics such as metrics
3. Apply route-map
Example
(config)# router ospf 10
(config-router)# redistribute eigrp 100 subnets route-map RM-INTO-OSPF
Verification
show route-map
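Added example (Python, not from the original notes) that evaluates a route-map the way the PBR section (3.12) and this section describe: sequences in order, an empty statement matches everything, several match statements are ANDed, the values inside one match are ORed, a matching deny means normal routing, and no match at all also means normal routing. The ACLs and packets are constructed; the set actions are returned rather than applied.

```python
import ipaddress

# Constructed access lists: number -> [(action, src_net, dst_net, proto, dst_port)].
# ACL 10 is a standard list (source only); ACL 101 is the extended telnet match from the notes.
ACLS = {
    10:  [("permit", "10.10.77.0/24", "0.0.0.0/0", None, None)],
    101: [("permit", "0.0.0.0/0", "0.0.0.0/0", "tcp", 23)],
}


def acl_permits(acl_id, pkt):
    """First matching ACL line decides; no match means the implicit deny."""
    for action, src, dst, proto, port in ACLS[acl_id]:
        if (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(dst)
                and (proto is None or proto == pkt.get("proto"))
                and (port is None or port == pkt.get("dport"))):
            return action == "permit"
    return False


def statement_matches(stmt, pkt):
    """No match clauses: matches everything. Several clauses are ANDed;
    the values listed inside one clause are ORed."""
    for kind, values in stmt.get("match", []):
        if kind == "ip address":
            if not any(acl_permits(acl, pkt) for acl in values):
                return False
        elif kind == "length":
            low, high = values
            if not low <= pkt["length"] <= high:
                return False
        else:
            raise ValueError(f"unsupported match type {kind}")
    return True


def apply_route_map(route_map, pkt):
    """Walk sequences in order. A matching permit returns its set actions
    ('policy'); a matching deny, or no match at all, means normal
    destination-based routing ('normal')."""
    for stmt in sorted(route_map, key=lambda s: s["seq"]):
        if statement_matches(stmt, pkt):
            if stmt["action"] == "deny":
                return ("normal", None)
            return ("policy", stmt.get("set", {}))
    return ("normal", None)


# The notes' RM_TCP example, and a constructed route-map exercising deny, AND and the empty statement.
RM_TCP = [
    {"seq": 10, "action": "permit", "match": [("ip address", [101])],
     "set": {"ip next-hop": "9.9.9.9"}},
]
RM_MIXED = [
    {"seq": 10, "action": "deny", "match": [("ip address", [10])]},
    {"seq": 20, "action": "permit",
     "match": [("ip address", [101]), ("length", (0, 100))],
     "set": {"interface": "Null0"}},
    {"seq": 30, "action": "permit", "set": {"ip next-hop": "10.0.23.2"}},
]

if __name__ == "__main__":
    telnet = {"src": "1.1.1.1", "dst": "2.2.2.2", "proto": "tcp", "dport": 23, "length": 60}
    print(apply_route_map(RM_TCP, telnet))
    print(apply_route_map(RM_MIXED, dict(telnet, src="10.10.77.5")))
```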
3.15
Loop Prevention
Tagging/Filtering
Helps with two-way multipoint redistribution as it may cause loops.
Route-tags must be applied and filtered in both directions.
To verify if tagging is being used
show ip route <network>
Examples:
Tagging External Routes
(config)# route-map E2O permit 10
(config-route-map)# set tag 50
(config)# router ospf 10
(config-router)# redistribute eigrp 100 subnets route-map E2O
Matching External Routes
(config)# route-map O2E deny 10
(config-route-map)# match tag 50
(config)# route-map O2E permit 20
(config)# router eigrp 100
(config-router)# redistribute ospf 10 metric 1000 1 255 1 1500 route-map O2E
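Added example (Python, not from the original notes) tying 3.13 and this section together. R1 redistributes an EIGRP external route into OSPF with E2O; at a second redistribution point R2 the OSPF copy (AD 110) beats the EIGRP external copy (AD 170), which is the sub-optimal-routing case, and without the tag filter the prefix would be redistributed back into EIGRP. The O2E route-map blocks that re-injection, and an AD override standing in for the distance command fixes the path choice. Routers, prefix and ADs are constructed.

```python
# Administrative distances used by the notes (EIGRP external = redistributed route).
AD = {"eigrp": 90, "ospf": 110, "eigrp-external": 170}

# Route-maps from this section: E2O tags everything 50; O2E denies tag 50, then permits the rest.
E2O = [{"seq": 10, "action": "permit", "set_tag": 50}]
O2E = [{"seq": 10, "action": "deny", "match_tag": 50},
       {"seq": 20, "action": "permit"}]
O2E_UNFILTERED = [{"seq": 10, "action": "permit"}]   # constructed: no tag filtering at all


def redistribute(routes, route_map, into):
    """Run each route through the tag-aware route-map. Routes that pass come out
    as routes of the target protocol, keeping or setting their tag. A statement
    without match_tag matches every route; the first matching statement decides,
    and a deny (or no match) drops the route."""
    out = {}
    for prefix, route in routes.items():
        for stmt in sorted(route_map, key=lambda s: s["seq"]):
            if "match_tag" in stmt and route["tag"] != stmt["match_tag"]:
                continue
            if stmt["action"] == "permit":
                out[prefix] = {"source": into, "tag": stmt.get("set_tag", route["tag"])}
            break
    return out


def best_path(candidates):
    """Between protocols the routing table chooses by AD only."""
    return min(candidates, key=lambda r: r["ad"])


def r2_decision(o2e_map, ad_override=None):
    """Constructed scenario. R1 redistributes EIGRP -> OSPF with E2O. R2, the
    second redistribution point, holds the EIGRP external copy of the prefix
    and also receives the OSPF copy. Returns (source R2 installs, prefixes R2
    would redistribute back into EIGRP, tag carried by the OSPF copy)."""
    prefix = "10.1.1.0/24"
    eigrp_at_r1 = {prefix: {"source": "eigrp-external", "tag": None}}
    ospf_copy = redistribute(eigrp_at_r1, E2O, into="ospf")
    ad = dict(AD, **(ad_override or {}))          # override stands in for the distance command
    candidates = [{"source": "eigrp-external", "ad": ad["eigrp-external"]},
                  {"source": "ospf", "ad": ad["ospf"]}]
    chosen = best_path(candidates)["source"]
    back_into_eigrp = redistribute(ospf_copy, o2e_map, into="eigrp-external")
    return chosen, sorted(back_into_eigrp), ospf_copy[prefix]["tag"]


if __name__ == "__main__":
    print("no tag filter:", r2_decision(O2E_UNFILTERED))
    print("O2E filter:   ", r2_decision(O2E))
    print("O2E + distance:", r2_decision(O2E, {"ospf": 180}))
```

Tagging alone stops the loop but not the sub-optimal path at R2; raising the AD of the redistributed OSPF copy does the second part, which is why the notes list both fixes.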
Split-Horizon
Helps stop loops by telling the router not to advertise routes out of the same interface from which they were learned
Enabled by default
To disable:
(config-if)# no ip split-horizon
Used with distance vector protocols
To solve split horizon problems:
Disable split horizon on NBMA networks.
Use sub-interfaces.
Route Poisoning
If a directly connected route fails, the router will advertise the failed route with an infinite metric.
Routers that receive the infinite metric will drop the route from their routing table.
Infinite metrics:
RIP is 16
EIGRP is infinite
OSPF is LSA age metric of 3600 seconds
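Added example (Python, not from the original notes): a three-router distance-vector simulation, A - B - C with network N attached to C, that fails N and records B's hop count for N after every round. Run without split horizon it counts up towards 16 over many rounds; with split horizon B's route times out and is poisoned; with split horizon plus route poisoning B learns metric 16 in the first round. The invalid timer of 3 rounds and the topology are constructed.

```python
INFINITY = 16        # RIP hop count that means unreachable
INVALID_ROUNDS = 3   # rounds without a refresh from the next hop before the route is poisoned


class Router:
    def __init__(self, name, connected=()):
        self.name = name
        self.neighbors = []
        # prefix -> [metric, next_hop, rounds_since_refresh]; connected routes have no next hop
        self.table = {p: [0, None, 0] for p in connected}

    def advertisement(self, to, split_horizon):
        adv = {}
        for prefix, (metric, next_hop, _) in self.table.items():
            if split_horizon and next_hop == to.name:
                continue       # split horizon: never back out the interface it was learned on
            adv[prefix] = metric
        return adv

    def receive(self, sender, adv):
        for prefix, metric in adv.items():
            new = min(metric + 1, INFINITY)
            cur = self.table.get(prefix)
            if cur is None:
                if new < INFINITY:
                    self.table[prefix] = [new, sender.name, 0]
            elif cur[1] == sender.name:      # update from the current next hop is always taken
                cur[0], cur[2] = new, 0
            elif new < cur[0]:
                self.table[prefix] = [new, sender.name, 0]

    def age(self):
        for entry in self.table.values():
            if entry[1] is not None:
                entry[2] += 1
                if entry[2] >= INVALID_ROUNDS:
                    entry[0] = INFINITY     # invalid timer expired: keep advertising it as unreachable


def exchange_round(routers, split_horizon):
    for r in routers:
        r.age()
    updates = [(r, n, r.advertisement(n, split_horizon)) for r in routers for n in r.neighbors]
    for sender, receiver, adv in updates:       # all updates computed first, then delivered
        receiver.receive(sender, adv)


def simulate(split_horizon, route_poisoning, rounds=30):
    """Chain A - B - C with network N attached to C. Converge, fail N on C, and
    return B's metric for N after every subsequent round."""
    a, b, c = Router("A"), Router("B"), Router("C", connected=["N"])
    a.neighbors, b.neighbors, c.neighbors = [b], [a, c], [b]
    for _ in range(5):
        exchange_round([a, b, c], split_horizon)
    assert a.table["N"][0] == 2, "should have converged"
    if route_poisoning:
        c.table["N"] = [INFINITY, None, 0]   # advertise the failed route with an infinite metric
    else:
        del c.table["N"]                      # just stop advertising it
    history = []
    for _ in range(rounds):
        exchange_round([a, b, c], split_horizon)
        history.append(b.table["N"][0])
    return history


if __name__ == "__main__":
    print("no split horizon, no poisoning:", simulate(False, False))
    print("split horizon only:           ", simulate(True, False))
    print("split horizon + poisoning:    ", simulate(True, True))
```

With poisoning but without split horizon, B's stale update reaches C in the same round and re-installs the route, so the count to infinity still happens; that is why the two mechanisms are used together.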
3.16
RIPv2
Features
UDP port 520
Multicast is 224.0.0.9
Updates every 30 seconds
AD of 120
Implements split horizon and poison reverse
Metric is hop count (max 16)
16 considered unreachable
Auto-summarisation
Updates every 30 seconds and topology changes
Version 2 uses Multicast and Version 1 uses Broadcast.
Configuration
1. (config)# router rip
2. (config-router)# version 2
3. (config-router)# network x.x.x.x
4. (config-router)# no auto-summary
Enable/disable split-horizon
(config-if)# [no] ip split-horizon
Auto-summarisation advertises classful networks
To summarise under a specific interface, use
(config-if)# ip summary-address rip <network> <mask>
Authentication
(config)# key chain <key-name>
(config-keychain)# key <key-id>
(config-keychain-key)# key-string <string>
Plain Text
(config-if)# ip rip authentication key-chain <key-name>
MD5
(config-if)# ip rip authentication mode md5
(config-if)# ip rip authentication key-chain <key-name>
Show Commands
# show ip route
# show ip rip database
3.17
RIPng
Features
UDP port 521
Multicast is FF02::9
No auto-summarisation
Link-local next hops
Updates every 30 seconds
AD of 120
Implements split horizon and poison reverse
Metric is hop count (max 16)
16 considered unreachable
Updates every 30 seconds and topology changes
Configuration
No network command
1. (config)# ipv6 unicast-routing
2. (config)# ipv6 router rip <name>
3. (config-if)# ipv6 rip <name> enable
Name must be unique on local router
For manual summarisation
(config-if)# ipv6 rip <name> summary-address <prefix/length>
To share default route
(config-if)# ipv6 rip <name> default-information {originate | only}
originate: announce dynamic and default routes
only: announce only default routes (will override originate command)
Show commands
1. # show ipv6 route
2. # show ipv6 route rip
3. # show ipv6 protocols
4. # show ipv6 rip
5. # show ipv6 rip next-hops
6. # show ipv6 rip database
7. # debug ipv6 rip
3.18
EIGRP
Fundamentals
Routes only shared with adjacent neighbors
IP/88
Multicast 224.0.0.10
Uses reliable transport protocol (RTP) to ensure unicast/multicast packets are sent in order
Administrative Distance
o Internal (within AS) = 90
o External (redistributed into AS) = 170
Diffusing Update Algorithm (DUAL)
Find shortest loop-free path to destination prefix
Only know about adjacent neighbors routes
When a query is sent to a neighbor it must reply within 3 minutes (active timer)
States
Active state: While cost is being calculated
Passive state: Once DUAL has converged on a final cost metric
If a route fails and no feasible successor is available, DUAL will send queries to working neighbors. If a neighbor has a loop-free route, it sends back a reply message.
Three Tables
Neighbor
All directly connected neighbors
Next-hop router
Interface
Topology
Learned routes from EIGRP neighbors
Destination
Metric
Routing
Best routes from topology table (successors)
Terminology
Feasible Distance (FD) is the local router's composite metric for the best route to reach a subnet
Reported Distance/Advertised Distance (RD/AD) is the next-hop router's best composite metric for the same subnet
Successor is the route with the best metric and is placed into the routing table
Feasible Successor is any route that meets the feasibility condition. Stored in the topology table and will become Successor if the original successor fails.
Feasibility Condition
If a non-successor route's RD is less than the FD, the route will be a feasible successor route
Values must match for adjacency to occur
1. K-values
2. Primary subnet
3. AS number
4. Authentication
5. Passive-interface not configured
Leak Maps
Route map used for leaking prefix information through a summary or stub.
Example configuration
(config)# access-list 10 permit 10.10.77.0 0.0.0.255
(config)# route-map RM-LEAKMAP permit 10
(config-route-map)# match ip address 10
Summary Application
(config-if)# ip summary-address eigrp 100 10.0.0.0 255.0.0.0 leak-map RM-LEAKMAP
Stub Application
(config-router)# eigrp stub leak-map RM-LEAKMAP
Packet Types
Hello
Discovers neighbors using multicast 224.0.0.10
Unreliable multicast sent every 5 seconds. In NBMA networks, unicast sent every 60 seconds.
Hold-time value tells neighbors how often to expect Hellos and defaults to 3 x Hello interval.
Timers do not need to match
router(config-if)# ip hello-interval eigrp <asn> <interval>
router(config-if)# ip hold-time eigrp <asn> <interval>
Update
Convey routing prefix and metric information
Features
Non-periodic, meaning they're not sent at defined intervals
Partial updates, as only changed routing information is sent
Only routers that require updates will receive them
Uses RTP
Acknowledgement
Unicast Hello packets with no data.
Uses RTP.
Query
Will be sent for all destinations marked as active (meaning that route has failed) with no feasible successor.
If the neighbor does not have an alternative route, it will query its own neighbors
Will be looking for the exact prefix in the reply.
Uses RTP.
Reply
If a neighbor receives a query and has a loop-free route, a reply packet will be sent back.
Once a reply is received, the originating router will add the loop-free route as a successor.
If no reply, the prefix will be removed from the topology table.
Stuck in Active (SIA)
When a route goes active a query is initiated and the router waits to receive a reply for every query it sent.
If no reply to a query is received within the set time (3 minutes default), it will go into the SIA state.
Once active timer expires, neighbor relationship is reset.
EIGRP DUAL-3-SIA messages will be received when in this state
Packets
When the active timer is half way through (90 seconds default), an SIA Query packet is sent to its neighbors.
Each neighbor then must respond with an SIA Reply to confirm it is still searching for a replacement route.
If an SIA Reply is received, the neighbor relationship will not be terminated.
Can limit using stubs or summarization.
3.19
Authentication
IPv4
Only supports MD5
Key chain can consist of one or more authentication keys
Key name doesn't have to match, but key ID does
Configuration
(config)# key chain <name>
(config-keychain)# key <key ID>
(config-keychain-key)# key-string <passcode>
(config-keychain-key)# accept-lifetime <start> <stop>
(config-keychain-key)# send-lifetime <start> <end>
(config)# interface <interface>
(config-if)# ip authentication key-chain eigrp <AS> <name>
(config-if)# ip authentication mode eigrp <AS> md5
Time based options configured under (config-keychain-key)#
Accept-lifetime
Period in which the key can be received
Send-lifetime
Period in which the key can be sent
Verification
show ip eigrp <AS> interface detail <interface>
show key chain
debug eigrp packet terse
IPv6
Configuration almost identical to IPv4 except for the use of ipv6 instead of ip
Configuration
(config)# router eigrp <AS>
(config-router)# eigrp router-id <RID>
(config-router)# network <ip-address [wildcard-mask]>
Verification
show ip eigrp neighbors [detail]
H = Order peering was formed
Address = IP address of peer
Interface = Interface peer is connected
Hold = Time to wait to hear from its neighbor before declaring it unreachable
Uptime = Time since neighborship formed
SRTT = Time required for router to send packet to neighbor and receive acknowledgment
RTO = Retransmission timeout
Q = Number of packets waiting to be sent
Can indicate network congestion
show ip eigrp interface [detail]
show ip protocols
show ip eigrp topology
3.20
Stub
Stub options include
Summary route
Static route
Leak-map
Limits propagation of EIGRP queries
Good for slow, unreliable links
Avoids routes getting SIA
By default, stub routers do not advertise updates received from their peers
By default, will only advertise connected and summary routes
When a router is configured as a stub, the EIGRP adjacency needs to be reestablished
Configuration
(config-router)# eigrp stub ?
By default, only connected and summary routes are advertised
connected: Advertises connected routes matched by network command
receive-only: Router is a receive-only neighbor
leak-map: Allows dynamic prefixes based on a leak map
static: Advertises static routes
summary: Advertises manual/auto summarised routes
redistributed: Advertises redistributed routes from other protocols and AS's
Verification
show ip eigrp neighbors detail
show ip route
RT won't change with a stub; it only limits what information is sent to its neighbors
3.21
Information
CEF supports per-packet and per-destination load balancing
Equal Cost Load Balancing
o Default value is 4
o Maximum allowed paths generally 32
o Value of 1 disables load-balancing
o Configuration
(config-router)# maximum-paths <#>
Unequal Cost Load Balancing
o Disabled by default
o Traffic takes best path plus one or more suboptimal paths
o Only feasible successor routes are considered
o Variance multiplier works by multiplying the Successor Route's RD by the variance. If the feasible successor's FD is less than the result, it will be used.
o Configuration
(config-router)# variance <multiplier>
Verification
show ip protocols
show ip route
show ip eigrp topology
show ip eigrp topology <address/mask>
3.22
Metrics
Information
By default only K1 and K3 are enabled
Only K1 and K3 are enabled by default as these are static values. K2 and K4 are dynamic and change over time.
Default: K1 = 1, K2 = 0, K3 = 1, K4 = 0, K5 = 0
Default calculation: metric = 256 * { [(10^7) / minimum-bandwidth] + [cumulative-delay] }
EIGRP uses the slowest bandwidth in the path and the sum of delays.
K1 (Bandwidth)
Least value of the bandwidth for all links between local router and destination
Can be changed using interface command
o (config-if)# bandwidth
Doesn't change the actual bandwidth of the interface, just influences the metric calculation
K2 (Load)
Worst load on a link between source and destination (based on per-packet rate)
Txload: Outgoing interface
Rxload: Incoming interface
Txload value will be used
Value between 1 and 255
K3 (Delay)
Cumulative interface delay of the route on all links between source and destination
Can be changed using interface command
o (config-if)# delay
Doesn't change the actual delay of the interface, just influences the metric calculation
K4 (Reliability)
Worst reliability between source and destination (based on keepalives)
255/255 is 100% and no issues on link
If value decreases, link has issues
Value between 1 and 255
K5 (MTU)
MTU being exchanged between EIGRP neighbors
Not used for the metric calculation
Used when equal cost paths for the same destination exceed the number of allowed paths set by the maximum-paths command
Configuration
(config-if)# bandwidth <value>
(config-if)# delay <value>
(config-router)# metric weights {tos} <k1> <k2> <k3> <k4> <k5>
Verification
show interface <interface>
show ip protocols
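Added example (Python, not from the original notes) computing the classic EIGRP metric with the formula above, then applying the 3.18 feasibility condition (RD < FD) and the 3.21 variance rule to a constructed topology table. Bandwidth is in kbit/s (the minimum along the path) and delay is the sum of interface delays in tens of microseconds; the neighbor advertisements and link values are assumed.

```python
def eigrp_metric(min_bw_kbps, delay_tens_us, load=1, reliability=255, k=(1, 0, 1, 0, 0)):
    """Classic (32-bit) EIGRP composite metric.

    min_bw_kbps: slowest bandwidth along the path, in kbit/s.
    delay_tens_us: sum of interface delays along the path, in tens of microseconds.
    With the default K-values this reduces to 256 * (10^7 / min_bw + delay).
    """
    k1, k2, k3, k4, k5 = k
    bw = 10**7 // min_bw_kbps
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay_tens_us
    if k5 != 0:
        metric = metric * k5 // (reliability + k4)
    return metric * 256


def topology_table(advertisements):
    """advertisements: {neighbor: (adv_min_bw_kbps, adv_delay_tens_us, link_bw_kbps, link_delay_tens_us)}.
    The neighbor advertises its own bandwidth/delay vector; the local router
    recomputes the metric after adding the link to that neighbor.
    Returns [(neighbor, RD, local_metric)] sorted by local metric."""
    rows = []
    for nbr, (adv_bw, adv_delay, link_bw, link_delay) in advertisements.items():
        rd = eigrp_metric(adv_bw, adv_delay)                          # reported distance
        local = eigrp_metric(min(adv_bw, link_bw), adv_delay + link_delay)
        rows.append((nbr, rd, local))
    return sorted(rows, key=lambda row: row[2])


def dual_selection(advertisements, variance=1):
    """Pick the successor, the feasible successors (RD < FD) and, with
    variance > 1, the feasible successors whose local metric is below variance * FD."""
    rows = topology_table(advertisements)
    successor = rows[0]
    fd = successor[2]
    feasible = [row for row in rows[1:] if row[1] < fd]
    used = [successor] + [row for row in feasible if row[2] < variance * fd]
    return {
        "successor": successor[0],
        "FD": fd,
        "feasible_successors": [row[0] for row in feasible],
        "load_balanced_over": [row[0] for row in used],
    }


# Constructed topology table for one prefix (values assumed):
# bandwidths in kbit/s, delays in tens of microseconds.
ADVERTISEMENTS = {
    "R2": (1_000_000, 10, 1_000_000, 1),   # Gig path behind R2, Gig link to R2
    "R3": (100_000, 20, 100_000, 10),      # FastEthernet path behind R3
    "R4": (1_000_000, 10, 100_000, 10),    # Gig path behind R4, but only a Fast link to R4
}

if __name__ == "__main__":
    print("FastEthernet:", eigrp_metric(100_000, 10), "T1:", eigrp_metric(1544, 2000))
    print(dual_selection(ADVERTISEMENTS))
    print(dual_selection(ADVERTISEMENTS, variance=6))
```

R3 has a lower RD than its own local metric but not lower than the FD, so it is never a feasible successor no matter the variance; R4 is feasible and is only used for unequal-cost load balancing once variance is large enough.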
3.23
EIGRP for IPv6
Information
Multicast is FF02::A
No network command needed, enabled on individual interfaces
No auto-summarization
Uses the neighbor's link-local address as the next-hop IP address
Redistribution will not include connected networks
Not using include-connected command
o Does not redistribute connected prefixes
o Does not affect adjacencies
Authentication is IPv6 AH/ESP
Configuration
(config)# ipv6 unicast-routing
(config)# no ipv6 unicast-routing
Will remove all IPv6 protocols and routes
(config)# ipv6 router eigrp <AS>
(config-router)# eigrp router-id <rid>
(config-if)# ipv6 eigrp <AS>
Set link-local
(config-if)# ipv6 address <link-local address> link-local
(config-if)# ipv6 bandwidth-percent eigrp <asn> <bandwidth-percentage>
(config-if)# ipv6 hello-interval eigrp <asn> <seconds>
Verification
show ipv6 route eigrp
show ipv6 protocols
show ipv6 eigrp neighbors
show ipv6 eigrp interfaces details
show ipv6 eigrp topology [all-links]
Named EIGRP
Gather all EIGRP configuration in one place
Helps eliminate configuration complexity
Three Modes
1. Address Family
Configure general settings like RID, stub and network command (for IPv4). You can configure multiple address-families under one instance.
2. Address Family Interface
Configure interface settings such as timers, passive interfaces, authentication and summary
3. Address Family Topology
Configure settings that impact the topology table such as variance, redistribution, and metrics
Configuration
IPv4
(config)# router eigrp <virtual-instance-name>
(config-router)# address-family ipv4 [multicast] [unicast] [vrf] autonomous-system <ASN>
Address Family Mode example
(config-router-af)# network <network-address>
(config-router-af)# af-interface {default | <interface>}
(config-router-af)# topology base
Address Family Interface Mode example
(config-router-af-interface)# passive-interface
(config-router-af-interface)# shutdown
(config-router-af-interface)# summary-address <address> <mask>
IPv6
(config-router)# address-family ipv6 [unicast] [vrf] autonomous-system <ASN>
Verification
show ip|ipv6 eigrp neighbors
show ip|ipv6 eigrp topology
show ip|ipv6 route eigrp
show ip|ipv6 protocols
3.24
OSPF
General Theory
o OSPF header is 24-bytes
o Runs the Dijkstra algorithm on the LSDB
o OSPF process ID is locally significant
o IP protocol type 89
o Metric is cumulative cost of outgoing interfaces
o 224.0.0.5 is All Routers
o 224.0.0.6 is All DRs
o States
Packet type is a 1-byte field in the OSPF header
OSPF Packet Types
Type 1 - Hello
Multicast periodically to 224.0.0.5
On broadcast/NBMA networks, used to elect DR/BDR
Must match for adjacency to form
o Area ID
o HelloInterval
o RouterDeadInterval
o Authentication
Type 2 - Database Descriptor (DBD)
Starts when adjacency is formed to synchronize the LSDB
Router summarizes LSDB with the DBD carrying the LSA header
LSA header contents
o Type of LSA
o Link State ID
o Advertising router
o LSA sequence number
If a neighbor sees from the headers that the other side has a more recent LSDB, it requests the newer LSAs from its neighbor
Master/slave relationship with the master initiating the DB packet exchange
o Router with highest RID becomes master
Contains outgoing interface MTU
o MTU must match for FULL adjacency to be reached
Type 3 - Link State Request (LSR)
Sent to neighbors to request the most recent version of parts of the database
Contains
o Type of LSA requested
o Link state ID
o RID of requesting router
Type 4 - Link State Update (LSU)
Implements flooding of LSAs
LSAs contained in the LSU
Describes portion of the OSPF network
Information in each LSA contains
o Routing
o Metric
o Topology
Type 5 - Link State Acknowledgment (LSAck)
Acknowledges the receipt of each LSA
3.25
States
States (No DR)
Requirements
o Hello/dead timers must match
o Not passive on connected interface
o Must be in same area
o RIDs are unique
o MTU must match
o Authentication must be passed
1. DOWN: no Hellos received; process not started.
2. INIT: detected Hello from neighbor but hasn't seen its own RID in it; called ATTEMPT on an NBMA network.
3. 2-WAY: router has seen its own RID in the neighbor's Hello, matching parameters can be compared, and the DR/BDR election takes place at the end of this state.
4. EXSTART: initial sequence numbers will be decided for the exchange; the router with the highest RID becomes master and will poll the slave.
5. EXCHANGE: router describes its LSDB by sending DBDs; the LSA header contains link-state type, advertising router, link cost, and sequence number.
6. LOADING: information exchange finished; routers can send LSRs for missing LSAs, and neighbors respond with LSUs.
7. FULL: LSDBs are identical and adjacencies have been formed.
States (With DR)
Overall process is similar to no DR
Routers will exchange LSDB with DR/BDR only
Router will be in FULL state with DR and 2-WAY state with non-DR neighbors
Configuration
OSPF can be configured in the router process or on the interface directly
Router Process Config
(config-if)# ip address <IP Address / Subnet>
(config)# router ospf <process ID>
(config-router)# network <IP Address / Subnet> area <area ID>
Interface Config
(config-if)# ip address <IP Address / Subnet>
(config-if)# ip ospf <process ID> area <area ID>
Neighbor Verification
show ip ospf neighbor
show ip ospf
show ip ospf database
show ip protocols
debug ip ospf packet
debug ip ospf hello
debug ip ospf adjacency
Authentication
Authenticates the source of each update
Authentication data field added to each OSPF packet
Methods
o Null (no authentication)
o Clear-text
o MD5
1. Configure key-id and keyword
(config-if)# ip ospf message-digest-key <key-id> md5 <keyword>
2. Enable authentication
(config-if)# ip ospf authentication message-digest
(config-router)# area <area-id> authentication message-digest
Verification
show ip ospf interface
SHA
Supported since 15.4(1)T
Configuration
Step 1
(config)# key chain <key-name>
(config-keychain)# key <key-id>
(config-keychain-key)# key-string <passcode>
(config-keychain-key)# cryptographic-algorithm <algorithm>
o sha-1
o sha-256
o sha-384
o sha-512
o md5
Step 2
(config-if)# ip ospf authentication key-chain <key-name>
Verification
show key chain
show ip ospf interface
show ip ospf neighbor
Interface settings takes precedence over router process settings
Can use different keys at same time for seamless rollover
OSPF updates will be sent using each key
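Added example (Python, not from the original notes) modelling a key chain with accept-lifetime and send-lifetime, the construct used for EIGRP in 3.19 and for OSPF above, and checking that a key rollover leaves an overlap so peers keep authenticating across the boundary. The key IDs, placeholder key strings and timestamps are constructed; the rule that the lowest-numbered valid key is sent is this example's choice.

```python
from datetime import datetime

# Constructed key chain (timestamps and key strings are placeholders). None means 'infinite'.
KEY_CHAIN = [
    {"id": 1, "key-string": "placeholder-key-1",
     "accept": (datetime(2024, 1, 1), datetime(2024, 2, 1, 0, 30)),
     "send": (datetime(2024, 1, 1), datetime(2024, 2, 1))},
    {"id": 2, "key-string": "placeholder-key-2",
     "accept": (datetime(2024, 1, 31, 23, 30), None),
     "send": (datetime(2024, 2, 1), None)},
]


def _within(window, now):
    start, end = window
    return start <= now and (end is None or now < end)


def accepted_key_ids(chain, now):
    """Every key whose accept-lifetime covers `now` may authenticate a received packet."""
    return sorted(k["id"] for k in chain if _within(k["accept"], now))


def send_key(chain, now):
    """Key used to authenticate sent packets: the lowest-numbered key whose
    send-lifetime covers `now` (this example's rule). None: nothing can be sent."""
    valid = [k for k in chain if _within(k["send"], now)]
    return min(valid, key=lambda k: k["id"])["id"] if valid else None


def rollover_gaps(chain):
    """At every point where a send-lifetime ends, the old key must still be
    accepted for a while and the new key must already be accepted; otherwise a
    peer whose clock is slightly off gets rejected around the boundary."""
    problems = []
    for key in chain:
        end = key["send"][1]
        if end is None:
            continue
        accept_end = key["accept"][1]
        if accept_end is not None and accept_end <= end:
            problems.append(f"key {key['id']}: accept-lifetime does not outlast send-lifetime")
        nxt = send_key(chain, end)
        if nxt is None:
            problems.append(f"key {key['id']}: no key valid to send after {end}")
            continue
        new_key = next(k for k in chain if k["id"] == nxt)
        if new_key["accept"][0] >= end:
            problems.append(f"key {nxt}: not accepted before it is first sent at {end}")
    return problems


# Constructed bad chain: key 2 is only accepted from the moment it is first sent.
BAD_CHAIN = [dict(KEY_CHAIN[0]),
             dict(KEY_CHAIN[1], accept=(datetime(2024, 2, 1), None))]

if __name__ == "__main__":
    for when in (datetime(2024, 1, 31, 23, 45), datetime(2024, 2, 1, 0, 15), datetime(2024, 2, 1, 1, 0)):
        print(when, "send", send_key(KEY_CHAIN, when), "accept", accepted_key_ids(KEY_CHAIN, when))
    print(rollover_gaps(KEY_CHAIN), rollover_gaps(BAD_CHAIN))
```

The overlap only works if both routers agree on the time, which is why clock synchronisation is part of any time-based key chain deployment.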
IPv6
Uses IPsec
Authentication fields removed from the header; requires AH and ESP for CIA
To use AH: ipv6 ospf authentication
To use ESP: ipv6 ospf encryption
3.26a
OSPF Network Types
Point-to-Point
o No DR/BDR election
o H=10, D=40
o Multicast to dynamically discover neighbors
o Default for serial/frame-relay links
o ip ospf network point-to-point
Broadcast
o DR/BDR election
o H=10, D=40
o Multicast to dynamically discover neighbors
o ip ospf network broadcast
Nonbroadcast
o More than two routers with no broadcast capability
o DR/BDR election
o H=30, D=120
o Static configuration for neighbors
o Used with ATM/FR networks
o ip ospf network non-broadcast
Point-to-Multipoint
o Logical connection of P2P links
o H=30, D=120
o No DR/BDR election
o Multicast to dynamically discover neighbors
Point-to-Multipoint Nonbroadcast
o Similar to point-to-multipoint but no dynamic neighbor discovery
o No DR/BDR election
o H=30, D=120
o ip ospf network point-to-multipoint non-broadcast
Loopback
o Default type on loopback interfaces
3.26b
LSA Types
Intra-area Type
Type 1 (Router LSA)
Contains IP prefix of each directly connected interface
Four Types
o Point-to-Point
Link ID: Neighbor RID
o Transit
Link ID: IP address of DR
o Stub
Link ID: IP network
o Virtual Link
Link ID: Neighbor RID
Flooded within same area
show ip ospf database router | self-originate
Type 2 (Network LSA)
Created for multi-access networks
DR generates type 2 and floods to other routers in the same area
Contains subnets and connected interfaces
show ip ospf database network
Interarea Type
Type 3 (Network Summary)
Generated by the ABR
Contains prefixes from interarea routes
Takes type 1 and 2 LSAs, generates a type 3 and floods it to adjoining areas
Contains subnets and the cost to reach each subnet
show ip ospf database summary
Type 4 (ASBR Summary)
Generated by ABR bordering an area that contains an ASBR
Tells routers about the router that generated the type 5 LSA
Flooded into adjacent areas
Created when ABR sees a type 1 LSA from an ASBR with the ASBR bit set
show ip ospf database asbr-summary
Type 5 (AS External)
Generated by ASBR
Describes external prefix and gateway to reach it
Flooded into adjacent areas
show ip ospf database external
Type 7 (NSSA External)
Created by ASBR inside a NSSA
Flooded only within the NSSA
Converted to a type 5 LSA when it reaches an ABR
Area Types
o Backbone
Area 0
All areas must connect to the backbone
o Normal
Non-backbone area
LSDB can contain internal and external routes
Can contain LSA types 1 through 5
o Transit
o Stub
Contains LSA types 1 and 2 from within the same area
Receives type 3 LSAs from other areas
Has default route to reach external networks
Does not allow type 4 or 5 LSAs
(config-router)# area <#> stub
o Totally Stub
Contains only type 1 and 2 LSAs
ASBR will filter type 3 LSAs
Does not allow type 3, 4 or 5 LSAs
ABR injects default summary link 0.0.0.0
Router picks closest ABR as gateway
(config-router)# area <#> stub no-summary
o NSSA
Injects external prefixes into OSPF routing domain
Allows ASBR to advertise external links to ABR
Type 5 not allowed in
ABR converts type 7 LSA to a type 5 LSA and floods to the rest of the OSPF domain
ABR won't inject a default route into an NSSA unless told to
(config-router)# area <#> nssa
o Totally NSSA
Same as NSSA but has a default route
(config-router)# area <#> nssa no-summary
3.26c
OSPF Router Types
Internal Router
o All interfaces are in a single area
Backbone Router
o At least one interface is connected to the backbone area
ABR
o Has interfaces connected to at least two different OSPF areas
o Contains LSDB information for each area
ASBR
o At least one interface connected to an OSPF area and at least one interface connected to an external non-OSPF domain
3.26d
Virtual Links
Allows discontiguous area 0s to be connected
Joins an area not directly connected to area 0 to area 0 by crossing a transit area
Should not be used as a primary design feature
Transit area can't be a stub area
Configured on both ABRs
Needs a stable underlying intra-area
DoNotAge (DNA) option is set so LSA does not age out
Configuration
o (config-router)# area <#> virtual-link <remote rid> {optional commands}
o Optional commands
authentication
message-digest
null
hello-interval
retransmit-interval
transmit-delay
dead-interval
authentication-key
message-digest-key <key-id> md5 <key>
3.27
Preferred Paths
o Intra-Area (O)
o Inter-Area (O IA)
o External Type 1 (E1)
o NSSA Type 1 (N1)
o External Type 2 (E2)
o NSSA Type 2 (N2)
Lowest cost path is selected as best path; cost is calculated automatically for each interface
o Cost = Ref BW / Interface BW
o Cost can be between 1 and 65,535
o Default Ref BW is 100Mbps
Reference BW
o Not suitable for links faster than Fa
o To adjust ref BW
(config-router)# auto-cost reference-bandwidth
o Should be consistent across OSPF domain
Default Costs
o T1 = 64
o Ethernet = 10
o Fa = 1
o Ge = 1
o 10 Ge = 1
Influencing Cost
o Change ref BW
o For specific interface, use bandwidth command
Will affect all protocols, not just OSPF
Verify using show interface command
o Direct change cost on interface
(config-if)# ip ospf cost <value>
Will override calculated cost
Verify using show ip ospf interface brief
Intra-Area Routes
o For each route, sum up individual interface costs
o Lowest cost selected as best route
o If lowest are same (equal), equal-cost load-balancing is used
Interarea Route
o Type 3 LSA sent from ABR includes lowest cost to reach a subnet
o Internal router adds its cost to reach the ABR to the announced type 3 cost and selects the route with the lowest total
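Added example (Python, not from the original notes): cost = reference bandwidth / interface bandwidth clamped to 1..65535, a Dijkstra run over a constructed three-router area where each hop costs the outgoing interface's cost, and the interarea choice of intra-area cost to the ABR plus the type 3 advertised cost. With the default 100 Mbps reference the single FastEthernet hop wins; with auto-cost reference-bandwidth 10000 the two-hop Gigabit path wins.

```python
import heapq


def ospf_cost(interface_bw_kbps, ref_bw_mbps=100):
    """cost = reference bandwidth / interface bandwidth, as an integer clamped to 1..65535."""
    cost = (ref_bw_mbps * 1000) // interface_bw_kbps
    return max(1, min(cost, 65535))


def spf(links, source, ref_bw_mbps=100):
    """Dijkstra over the area. links: {router: {neighbor: outgoing interface bw in kbit/s}}.
    Each hop costs the outgoing interface's cost, so the graph is directed.
    Returns (cost to each router, predecessor map)."""
    dist = {source: 0}
    prev = {}
    heap = [(0, source)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, bw in links.get(u, {}).items():
            nd = d + ospf_cost(bw, ref_bw_mbps)
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                prev[v] = u
                heapq.heappush(heap, (nd, v))
    return dist, prev


def path_to(prev, source, target):
    path = [target]
    while path[-1] != source:
        path.append(prev[path[-1]])
    return path[::-1]


def interarea_best(cost_to_abr, type3):
    """Interarea route choice: own intra-area cost to each ABR plus the cost that
    ABR advertises in its type 3 LSA; lowest total wins. Returns (cost, abr)."""
    return min((cost_to_abr[abr] + adv, abr) for abr, adv in type3.items())


# Constructed area: R1-R4 is a FastEthernet link, R1-R2 and R2-R4 are Gigabit links.
LINKS = {
    "R1": {"R2": 1_000_000, "R4": 100_000},
    "R2": {"R1": 1_000_000, "R4": 1_000_000},
    "R4": {"R1": 100_000, "R2": 1_000_000},
}


def best_path_r1_to_r4(ref_bw_mbps=100):
    dist, prev = spf(LINKS, "R1", ref_bw_mbps)
    return dist["R4"], path_to(prev, "R1", "R4")


if __name__ == "__main__":
    for bw in (1544, 10_000, 100_000, 1_000_000, 10_000_000):
        print(bw, "kbps -> cost", ospf_cost(bw), "(ref 100) /", ospf_cost(bw, 10_000), "(ref 10000)")
    print(best_path_r1_to_r4(), best_path_r1_to_r4(10_000))
    print(interarea_best({"ABR1": 20, "ABR2": 5}, {"ABR1": 3, "ABR2": 30}))
```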
3.28
DR/BDR
Makes network convergence faster
DROthers are routers that are neither DR/BDR
OSPF interface with priority 1 or greater can participate. Priority 0 will disqualify the router from participating.
DR/BDR election
Highest interface priority
If priority tie, highest RID
Boot order can affect DR/BDR election
RID Selection
1. RID command
2. Highest address on active loopback
3. Highest address on interface
Sequence numbers
If same: ignore LSA
If lower: ignore update, send LSU
If higher: add LSA to LSDB, send LSAck, flood LSA
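Added example (Python, not from the original notes) for the RID selection order, a DR/BDR election that does not preempt an existing DR (which is how boot order affects the result), and the LSA sequence-number comparison. Router IDs, priorities and LSA values are constructed.

```python
import ipaddress


def router_id(configured=None, loopbacks=(), interfaces=()):
    """RID selection: explicit router-id first, then the highest address on an
    active loopback, then the highest address on any other interface."""
    if configured:
        return configured
    for pool in (loopbacks, interfaces):
        if pool:
            return str(max(ipaddress.ip_address(a) for a in pool))
    return None


def dr_bdr_election(candidates, current=(None, None)):
    """candidates: {router_id: interface priority}. Priority 0 never takes part.
    An existing DR/BDR is kept (no preemption), so boot order matters; otherwise
    the highest priority wins and ties go to the highest RID. Returns (dr, bdr)."""
    cur_dr, cur_bdr = current
    eligible = {rid: prio for rid, prio in candidates.items() if prio > 0}
    ranked = sorted(eligible,
                    key=lambda rid: (eligible[rid], int(ipaddress.ip_address(rid))),
                    reverse=True)
    if not ranked:
        return (None, None)
    dr = cur_dr if cur_dr in eligible else None
    bdr = cur_bdr if (cur_bdr in eligible and cur_bdr != dr) else None
    if dr is None:                      # DR gone: the BDR is promoted, else the best router
        dr = bdr if bdr is not None else ranked[0]
        bdr = None
    if bdr is None:                     # fill the BDR from the remaining eligible routers
        rest = [rid for rid in ranked if rid != dr]
        bdr = rest[0] if rest else None
    return (dr, bdr)


def lsa_receive(lsdb, lsa):
    """Sequence-number handling for a received LSA against the LSDB copy:
    same -> ignore; lower -> ignore and send our newer copy in an LSU;
    higher (or unknown) -> install, acknowledge and flood."""
    key = (lsa["type"], lsa["link_state_id"], lsa["adv_router"])
    have = lsdb.get(key)
    if have is None or lsa["seq"] > have["seq"]:
        lsdb[key] = lsa
        return "install-ack-flood"
    if lsa["seq"] == have["seq"]:
        return "ignore"
    return "ignore-send-lsu"


if __name__ == "__main__":
    print(router_id(None, ["10.255.0.1", "10.255.0.9"], ["192.168.1.1"]))
    first = dr_bdr_election({"1.1.1.1": 200, "2.2.2.2": 1, "3.3.3.3": 0})
    print("first election:", first)
    print("9.9.9.9 boots later with priority 255:",
          dr_bdr_election({"1.1.1.1": 200, "2.2.2.2": 1, "3.3.3.3": 0, "9.9.9.9": 255}, first))
```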
3.29
General
Defined in RFC5340
Periodic reflooding every 30 minutes
RID is in IPv4 format
Same timers, network types, and neighbor states
Uses IPsec for authentication
For NBMA networks, must specify the peer
(config-if)# ipv6 ospf neighbor <neighbor-link-local>
With address-family option, adjacencies established for each family
Passive interface peer address family
Can control load-balancing in IPv6 address family
maximum-paths <number-of-paths>
Enable in global
(config)# ipv6 unicast-routing
LSA Types
Type 1 and 2 don't carry prefixes
Type 3 renamed to inter-area prefix LSA
Type 4 renamed to inter-area router LSA and still generated by the ASBR
Type 8 (Link LSA) advertises IPv6 link-local addresses
Type 9 (Intra-area Prefix LSA) carries the prefix information
Multicast Addressing
All OSPF Routers: FF02::5
All DRs: FF02::6
Traditional Config
(config)# ipv6 unicast-routing
(config)# ipv6 router ospf <process-id>
(config-router)# router-id <rid>
(config)# interface <interface-id>
(config-if)# ipv6 ospf <process-id> area <area-id>
Address Family Config
(config)# router ospfv3 <process-id>
(config-router)# router-id
(config-router)# address-family [ipv4|ipv6] unicast
(config)# interface fa0/1
(config-if)# ospfv3 <process-id> ipv4 area <area-id>
(config-if)# ospfv3 <process-id> ipv6 area <area-id>
Verification
show ipv6 route
show ipv6 protocols
show ipv6 ospf
show ipv6 ospf neighbors
show ipv6 ospf database
show ipv6 ospf interface [brief]
3.30
Fundamentals
o TCP/179
o Public AS: 1 to 64,495 (64,496 to 64,511 are reserved for documentation)
o Private AS: 64,512 to 65,534
o Path selection uses both path attributes and locally
significant parameters.
o Origin code IGP is preferred over incomplete (redistributed) routes.
o Full BGP table only sent once, then incremental updates
afterwards.
o eBGP: AD of 20
o iBGP: AD of 200
o BGP Table
Keeps a neighbor table of the peers with which it has a BGP
connection.
Best routes from the BGP table are put into the routing
table.
o Requirements
eBGP
Neighbors must be in different AS's
TCP session must be established
Neighbors must be directly connected (by default; see
ebgp-multihop)
Static/default route to the peer if it is not on a shared subnet
Authentication must match on both sides
Different RID's
iBGP
Neighbors have same AS
TCP session must be established
Neighbors must be reachable (can use an IGP
for this)
o Transit AS
Typically ISP's
All routers must have complete knowledge of
external routes
o Non-Transit AS
Generally organisations with multi-homed ISP's
Don't pass routes between ISP's
BGP routers in AS still require knowledge of all
BGP routes
o iBGP Information
TCP can't use multicast or broadcast therefore
BGP can't.
To prevent loops, routes learned through iBGP
are never propagated to other iBGP peers.
iBGP neighbors that receive updates don't send
them to other iBGP neighbors.
Sending iBGP updates is responsibility of router
with first hand knowledge on the network
behind the AS.
Must be fully meshed. If not, route reflectors (or
confederations) can be used.
Path selection uniform across AS.
o BGP Session Reset
Hard (tears down the TCP session)
o clear ip bgp *
o clear ip bgp [neighbor-address]
Soft (re-applies policy without dropping the session)
o clear ip bgp {* | neighbor-address} soft out
o clear ip bgp {* | neighbor-address} soft in
o clear ip bgp {* | neighbor-address} in (uses the route-refresh
capability, also non-disruptive)
3.30a
Peer Group
o Information
Neighbors with same update policies can be
grouped into peer groups
Simplified configuration and improved
performance
Policies of a peer group similar to a template
Members inherit all peer group configuration
Options that affect inbound updates can be
overridden
Updates generated once per peer group
TCP transmission still done once per neighbor
IOS assigns peer group leader that will generate
the update
Scenarios
o iBGP
o ISP with multiple customers
Configuration
o Configuration can include
update-source
next-hop-self
Authentication
Filtering
o Configuration example
(config)# router bgp <asn>
(config-router)# neighbor <peer-group-name> peer-group
(config-router)# neighbor <peer-group-name> <setting>
(config-router)# neighbor <peer-group-name> route-map <route-map> [out|in]
(config-router)# neighbor <ip-address-1> peer-group <peer-group-name>
(config-router)# neighbor <ip-address-2> peer-group <peer-group-name>
clear ip bgp peer-group <peer-group-name>
3.30b
Active
Active router (higher IP) starts new TCP connection with
its peer.
Passive
Passive router (lower IP) listens for new connection.
Configuration
(config-router)# neighbor <peer-ip-address> transport
connection-mode [active|passive]
3.30c
Message Types
Open:
Sent once TCP 3-way handshake is completed
Establishes neighborship and allows the exchange
of update, keepalive, and notification messages.
Open message includes:
o Version (Must Match)
o Senders ASN
o Hold Time
o Local BGP RID
o Optional Parameters
Keepalive:
Ensure connection is alive between peers.
If hold-time is 0, periodic keepalives not sent.
Every 60 seconds by default.
Update:
Advertises feasible routes, withdrawn routes, or
both.
Path attributes which describe the characteristics
of the advertised path.
Network Layer Reachability Information (NLRI) that
contains a list of IP address prefixes for advertised
routes.
Notification:
Sent when BGP router detects an error condition.
Contains:
Error Code
Error Subcode
Data Related to Error
States
Idle:
BGP router tries to initiate a TCP connection with a
peer and listens for an incoming connection from that peer.
Also the state a peer stays in when the neighbor is
administratively shut down.
Connect:
Wait for TCP connection with peer to be complete
(three-way handshake).
Router with highest IP address manages the
connection.
Active:
Active router (higher IP) starts new TCP connection
with its peer.
Passive router (lower IP) listens for new
connection.
Listens for incoming connections in case the
remote BGP neighbor tries to establish a
connection.
OpenSent:
BGP waits for an Open message from the remote
BGP neighbor.
Both routers perform sanity checks (incorrect
version number, wrong AS number, etc.). If a check
fails, the router responds with a notification message
and returns to Idle state.
If everything is OK then BGP starts sending
keepalive messages.
Hold time is negotiated (lowest value is picked).
OpenConfirm:
Each router waits to receive a keepalive.
Keepalive: 60 seconds by default.
BGP will keep sending keepalive messages.
If a notification message from the remote BGP
neighbor is received, then fall back to Idle state.
Established:
Neighbor adjacency is complete.
Peers exchange updates.
If keepalive or update message received, hold
timer will be reset.
If notification message is received, go back to Idle
state.
Troubleshooting
Idle state when the neighbor remote-as command is
entered. If a route to the peer is found, go to Connect state.
Open message sent to neighbor. If no response in 5
seconds, go to Active state. If a response, go to
OpenConfirm state.
When paths to neighbors have been found, go to
Established state.
If toggling between Idle and Active, the ASN may be
misconfigured.
Idle State
Ensure the neighbor address is reachable (for iBGP
neighbors, announced in the IGP).
Verify correct IP address in neighbor
statement.
Active State
Open packet sent but no response.
Neighbor may have no return route to the
source IP address.
No neighbor statement peering back, or peer
has wrong IP address.
Timers
Keepalive & Hold-Time
Keepalive
Ensure connection is alive between peers.
If hold-time is 0, periodic keepalives not
sent.
Every 60 seconds by default.
Hold-Time
Advertised in open messages.
If no message received within hold-time,
BGP connection is dropped.
3 times the keepalive = 180 seconds.
BGP hold-time value can be zero and implies
that the speaker does not expect keepalive
messages from its peer to maintain the BGP
session
Advertisement Interval
Default advertisement interval is 30 seconds for
eBGP peers and 0 seconds for iBGP peers.
Helps maintain stable routing table.
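The Open message fields, the OpenSent sanity checks and the hold-time negotiation described above, carried through in Python as an added example (not code from the original notes). The wire layout and the Notification code/subcode values follow RFC 4271 sections 4.2 and 4.5; the ASNs, RIDs and hold times in the exchange are constructed, and the "RIDs must differ" check implements the requirement listed earlier in these notes rather than an RFC rule.

```python
"""BGP OPEN message encode/decode plus the OpenSent sanity checks and hold-time
negotiation. Added example, not from the original notes; field layout and
error subcodes follow RFC 4271 (sections 4.2 and 4.5)."""
import struct
from ipaddress import IPv4Address
from typing import Optional, Tuple

MARKER = b"\xff" * 16          # 16-byte all-ones marker that starts every message
OPEN_TYPE = 1
OPEN_MESSAGE_ERROR = 2         # Notification error code
UNSUPPORTED_VERSION, BAD_PEER_AS, BAD_BGP_ID, UNACCEPTABLE_HOLD_TIME = 1, 2, 3, 6


def build_open(asn: int, hold_time: int, router_id: str,
               version: int = 4, opt_params: bytes = b"") -> bytes:
    body = struct.pack("!BHH4sB", version, asn, hold_time,
                       IPv4Address(router_id).packed, len(opt_params)) + opt_params
    length = len(MARKER) + 3 + len(body)      # marker + length(2) + type(1) + body
    return MARKER + struct.pack("!HB", length, OPEN_TYPE) + body


def parse_open(msg: bytes) -> dict:
    if msg[:16] != MARKER:
        raise ValueError("bad marker")         # would be a Message Header Error
    length, mtype = struct.unpack("!HB", msg[16:19])
    if mtype != OPEN_TYPE or length != len(msg) or length < 29:
        raise ValueError("not a well-formed OPEN")
    version, asn, hold, rid, optlen = struct.unpack("!BHH4sB", msg[19:29])
    return {"version": version, "asn": asn, "hold_time": hold,
            "router_id": str(IPv4Address(rid)), "opt_params": msg[29:29 + optlen]}


def check_open(received: dict, expected_remote_as: int,
               local_router_id: str) -> Optional[Tuple[int, int]]:
    """The OpenSent checks: None when the OPEN is acceptable, otherwise the
    (code, subcode) the Notification would carry before dropping back to Idle."""
    if received["version"] != 4:
        return OPEN_MESSAGE_ERROR, UNSUPPORTED_VERSION
    if received["asn"] != expected_remote_as:
        return OPEN_MESSAGE_ERROR, BAD_PEER_AS      # the classic 'wrong remote-as' flap
    if received["router_id"] in ("0.0.0.0", local_router_id):
        return OPEN_MESSAGE_ERROR, BAD_BGP_ID       # RIDs must be non-zero and differ (per the notes)
    if 0 < received["hold_time"] < 3:
        return OPEN_MESSAGE_ERROR, UNACCEPTABLE_HOLD_TIME  # RFC 4271: must be 0 or >= 3 s
    return None


def negotiate_timers(local_hold: int, peer_hold: int) -> Tuple[int, int]:
    """Lowest advertised hold time wins; keepalive is one third of it, and a
    hold time of 0 disables keepalives entirely."""
    hold = min(local_hold, peer_hold)
    return hold, (hold // 3 if hold else 0)


if __name__ == "__main__":
    # Constructed exchange: AS 65000 (RID 10.0.0.1) opens to a peer that expects AS 65000
    wire = build_open(65000, 180, "10.0.0.1")
    peer_view = parse_open(wire)
    print(peer_view, check_open(peer_view, 65000, "10.0.0.2"))   # ... None
    print(check_open(peer_view, 65001, "10.0.0.2"))              # (2, 2) Bad Peer AS
    print(negotiate_timers(180, 90))                              # (90, 30)
```

The (2, 2) result is what a peer sends when your neighbor statement names the wrong remote-as, which is why a session flapping between Idle and Active with Notifications in the log points straight at the ASN.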
3.30
Configuration
eBGP
(config)# router bgp <asn>
(config-router)# neighbor <peer-ip-address> remote-as <peer-asn>
iBGP (remote-as is the local ASN)
(config)# router bgp <asn>
(config-router)# neighbor <peer-ip-address> remote-as <asn>
Verification
show ip bgp summary
show ip bgp neighbors <ip-address>
Authentication
Authenticates the source of each BGP segment received.
MD5 hash stored in TCP option 19 (RFC 2385).
Same password on both peers.
Can update the password on an existing session if completed within the
hold-time window (default is 180 seconds).
Caveat: TCP MD5 stops spoofed segments and session resets, but it is a
weak keyed hash with no key rotation; prefer TCP-AO (RFC 5925) where the
platform supports it, and pair it with TTL security (GTSM, RFC 5082) on
directly connected eBGP peers.
Configuration
(config)# router bgp 65000
(config-router)# neighbor 172.16.12.2 remote-as 65000
(config-router)# neighbor 172.16.12.2 password cisco
Verification
show ip bgp summary
3.31
3.31a
o Information
Routers are usually directly connected to each other.
Routers must complete the TCP three-way handshake.
Neighbor must be reachable without using an IGP.
Only one BGP instance at a time on any router.
eBGP relationship must span a maximum of one hop by default.
For session resilience, can use a loopback as long as it's in the
routing table.
o Configuration
Basic
(config)# router bgp <asn>
(config-router)# bgp router-id <rid>
(config-router)# neighbor <ip-address> remote-as
<remote-asn>
o Advertising
(config-router)# network <ip-address> mask <mask>
Injects the route into the BGP table if an exact match
exists in the routing table
Indicates which networks should originate from
this router
Unlike IGP network statements, one entry is needed per
prefix to be originated; it does not enable BGP on interfaces
If no mask, classful network will be used
For an exact match, can configure a static route for the CIDR
block towards Null0
o Next-Hop-Self
(config-router)# neighbor <ip-address> next-hop-self
Makes the router advertise its own peering address as the
next hop for all routes sent to that neighbor (typically on
an iBGP session for eBGP-learned routes)
Not enabled by default
o Update-Source
(config-router)# neighbor <ip-address> update-source
<interface>
Must be used on both routers
If used with next-hop-self, specified interface will
also use next-hop address
Common to use loopback as update source
o eBGP Multihop
(config-router)# neighbor <ip-address> ebgp-multihop [ttl]
Use if neighbors aren't directly adjacent
Increases the default TTL of one hop
Needed when peering between loopback addresses of eBGP neighbors
o Verification
show ip bgp summary
Verify that BGP sessions are up and established
Table version increases as the BGP table changes; the
routing table reflects the latest version of the BGP database
show ip bgp neighbors <ip-address>
Information about TCP sessions and BGP parameters
show ip bgp neighbors <ip-address> received-routes
show ip bgp neighbors <ip-address> routes
show ip bgp neighbors <ip-address> advertised-routes
3.31b
AS Numbers (16-bit range)
0 = Reserved
1-64,495 = Public AS Numbers
64,496-64,511 = Reserved for Documentation
64,512-65,534 = Private AS Numbers
65,535 = Reserved
4-byte AS numbers (RFC 6793) extend the range to 4,294,967,295;
4,200,000,000-4,294,967,294 is the 4-byte private range (RFC 6996)
Information
Public AS Number is required only when an AS is exchanging
routing information with other Autonomous Systems on the public
Internet.
3.31c
Private AS
64,512-65,534 = Private AS Numbers (4-byte private range: 4,200,000,000-4,294,967,294)
Information
Should be used if an AS is only required to communicate via Border
Gateway Protocol with a single provider
3.31
MP-BGP
o IPv6 Extensions Include
New identifier for IPv6 address family
Scoped addresses
Next-hop attribute and NLRI expressed as IPv6
addresses
o Two Separate Protocols
Carrier protocol
Passenger protocol
o IPv6 over IPv4
IPv4 TCP sessions can carry IPv6 routing
information
Common address families
o IPv4
o IPv6
o VPNv4
o VPNv6
In IPv6 address family, neighbor needs to be
activated
network command injects prefix into BGP
database for specified address family
o IPv6 over IPv6
No IPv4 address configured
Must manually set RID
o bgp router-id <rid>
o Configuration Example
router bgp 65000
address-family ipv6 unicast
neighbor <address> activate
network <address/prefix>
o Verification
show bgp ipv4 unicast [summary]
show bgp ipv6 unicast [summary]
3.32
o Attribute Information
o Update messages contain NLRI (list of prefixes) and path
attributes.
o Attributes determine best path.
o Attributes contain three fields
Attribute Type (flags byte + type code)
1st bit: optional (1) or well-known (0)
2nd bit: transitive (1) or nontransitive (0)
3rd bit: partial (1) or complete (0)
4th bit: extended length (2-byte length field instead of 1)
Attribute Length
Attribute Value
o Categories
Well-Known
Mandatory
o Must appear in all update
messages
o AS-Path, Next-Hop, Origin
Discretionary
o Must be recognised but does not
need to be present in update
message
o Local Preference
Optional
Transitive
May or may not be recognised, but
will be passed on
If not recognised, mark attribute as
partial
Aggregator, Community
Nontransitive
May or may not be recognised, but
not passed on
If not implemented, will be deleted
MED
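A decoder for the path-attribute TLVs in an UPDATE, added here as an example (not code from the original notes) so the flag bits and the four categories above can be seen on real bytes. The wire layout follows RFC 4271 section 4.3; the SAMPLE bytes are constructed rather than captured, and unrecognised_policy() restates the forwarding rules from the notes.

```python
"""Decoder for the path-attribute TLVs carried in a BGP UPDATE, exposing the
flag bits and categories described in the notes. Added example, not from the
original notes; wire layout follows RFC 4271 section 4.3 and the sample bytes
are constructed, not captured."""
import struct
from ipaddress import IPv4Address

OPTIONAL, TRANSITIVE, PARTIAL, EXT_LEN = 0x80, 0x40, 0x20, 0x10  # flag bits 1-4
TYPE_NAMES = {1: "ORIGIN", 2: "AS_PATH", 3: "NEXT_HOP", 4: "MED",
              5: "LOCAL_PREF", 7: "AGGREGATOR", 8: "COMMUNITY"}
ORIGIN_CODES = {0: "i", 1: "e", 2: "?"}   # IGP, EGP, Incomplete


def classify(flags: int) -> str:
    if not flags & OPTIONAL:
        return "well-known"
    return "optional transitive" if flags & TRANSITIVE else "optional nontransitive"


def decode_value(code: int, data: bytes):
    if code == 1:
        return ORIGIN_CODES[data[0]]
    if code == 2:   # AS_PATH: segments of (type, ASN count, 2-byte ASNs)
        path, i = [], 0
        while i < len(data):
            seg_type, count = data[i], data[i + 1]
            asns = struct.unpack("!%dH" % count, data[i + 2:i + 2 + 2 * count])
            path.append((seg_type, list(asns)))
            i += 2 + 2 * count
        return path
    if code == 3:
        return str(IPv4Address(data))
    if code in (4, 5):   # MED and LOCAL_PREF are 4-byte unsigned integers
        return struct.unpack("!I", data)[0]
    if code == 8:   # standard communities: ASN:value pairs
        return ["%d:%d" % struct.unpack("!HH", data[i:i + 4])
                for i in range(0, len(data), 4)]
    return data.hex()


def parse_path_attributes(buf: bytes) -> list:
    attrs, i = [], 0
    while i < len(buf):
        flags, code = buf[i], buf[i + 1]
        if flags & EXT_LEN:                      # 4th flag bit: 2-byte length
            (length,) = struct.unpack("!H", buf[i + 2:i + 4])
            i += 4
        else:
            length = buf[i + 2]
            i += 3
        value = buf[i:i + length]
        i += length
        attrs.append({"type": TYPE_NAMES.get(code, "UNKNOWN(%d)" % code),
                      "category": classify(flags),
                      "partial": bool(flags & PARTIAL),
                      "value": decode_value(code, value)})
    return attrs


def unrecognised_policy(attr: dict) -> str:
    """What a speaker does with an attribute type it does not implement."""
    if attr["category"] == "well-known":
        return "must recognise"         # otherwise an UPDATE Message Error
    if attr["category"] == "optional transitive":
        return "pass on, set partial"   # bit 3 tells downstream it was not understood
    return "drop"                       # optional nontransitive is not propagated


# Constructed UPDATE path-attribute bytes: ORIGIN=IGP, AS_PATH 65001 65002,
# NEXT_HOP 192.0.2.1, MED 50, LOCAL_PREF 200, COMMUNITY 65001:100 (partial set)
SAMPLE = (bytes([0x40, 1, 1, 0])
          + bytes([0x40, 2, 6, 2, 2]) + struct.pack("!HH", 65001, 65002)
          + bytes([0x40, 3, 4]) + IPv4Address("192.0.2.1").packed
          + bytes([0x80, 4, 4]) + struct.pack("!I", 50)
          + bytes([0x40, 5, 4]) + struct.pack("!I", 200)
          + bytes([0xE0, 8, 4]) + struct.pack("!HH", 65001, 100))

if __name__ == "__main__":
    for attr in parse_path_attributes(SAMPLE):
        print(attr["type"], attr["category"], attr["partial"], attr["value"])
```

The COMMUNITY attribute in the sample carries flags 0xE0 (optional, transitive, partial), which is exactly what an intermediate speaker that did not understand the attribute would have set before passing it on; MED with flags 0x80 is optional nontransitive and would simply be dropped at an AS boundary.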
o Attributes
Next-Hop
Well-known mandatory
For eBGP, next-hop changed by
advertising router
For iBGP, next-hop not changed
Weight
Cisco proprietary
Local to router
Highest weight preferred
Not exchanged between BGP routers
Value from 0 to 65,535
Default value for locally originated routes is 32,768 (0 for
routes learned from a peer)
Applies when one router has multiple exit
points
(config-router)# neighbor <ip-address>
weight <weight>
Local Preference
Well-known discretionary
Used to choose outbound external path
Sent to all iBGP routers in AS
Not exchanged with eBGP peers
Default value of 100
Highest local preference is preferred
Originate
Can get a path in BGP table with network
command, aggregation, or redistribution
Route injected by local router
Will show next-hop of 0.0.0.0
AS Path
Well-known mandatory
Prefer shortest AS path to destination
When update passes through an AS, the
ASN is prepended to that update
Can manipulate using AS path prepending
If a router receives a route with its own ASN in the
AS path, it rejects the route (loop prevention)
The local ASN is prepended only when advertising to eBGP
neighbors
Origin Code
Well-known mandatory
Prefer lowest origin code
Three Values
IGP (i) will be seen when the
network command is used
EGP (e) comes from the legacy Exterior Gateway
Protocol and is no longer seen on the Internet
Incomplete (?) where origin is
unknown or learned by other
means such as redistribution
Multi Exit Discriminator (MED)
Optional nontransitive
Also called metric
Lowest MED is preferred
Indicates to external neighbors the
preferred path into an AS
Exchanged between AS's
Propagated to all routers within neighbor
AS but not to any other AS
Influences inbound traffic
eBGP over iBGP paths
Shortest IGP path to the BGP next hop
within the AS (lowest IGP metric)
Tie-Breakers
Oldest path (route that was received first)
Lowest BGP neighbor RID
Lowest neighbor IP address
Communities
Optional transitive
One way to filter incoming and outgoing
messages
Tag routes with an indicator (the
community)
Used for destinations (routes) that share
common policies
Not sent to neighbors by default; requires neighbor
<ip-address> send-community
o Selection Process
Next-hop is reachable
Route with highest weight
Highest local preference
Originated by local router
Shortest AS path
Lowest origin code (IGP < EGP < Incomplete)
Lowest MED
External paths over internal paths
For iBGP, prefer path through closest IGP neighbor
For eBGP, select oldest route
Path from the neighbor with the lowest RID
Path from the neighbor with the lowest IP address
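The selection ladder above implemented as a comparator in Python, as an added example (not code from the original notes). The candidate paths and the set of reachable next hops are constructed; the fourth candidate shows the effect of a neighbor that prepended its own ASN. One simplification is called out in the code: real speakers compare MED only between paths from the same neighboring AS unless always-compare-med is configured, and this comparator compares MED across all candidates.

```python
"""BGP best-path selection in the order the notes list. Added example, not
from the original notes; the candidate paths below are constructed. MED is
compared across all candidates here, whereas a real speaker only compares it
between paths from the same neighbouring AS by default."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional, Set

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}   # IGP < EGP < Incomplete


@dataclass
class Path:
    next_hop: str
    as_path: List[int] = field(default_factory=list)
    weight: int = 0                   # Cisco default: 32768 if locally originated, else 0
    local_pref: int = 100
    locally_originated: bool = False
    origin: str = "i"
    med: int = 0
    ebgp: bool = True
    igp_metric: int = 0               # IGP cost to reach next_hop
    received_order: int = 0           # lower = received earlier (older path)
    neighbor_rid: str = "0.0.0.0"
    neighbor_ip: str = "0.0.0.0"


def _ip(addr: str) -> int:
    return int(IPv4Address(addr))


def rank_key(p: Path) -> tuple:
    """Tuple comparison walks the ladder top to bottom; 'higher is better'
    criteria are negated so that min() returns the winner."""
    return (
        -p.weight,                          # 1. highest weight
        -p.local_pref,                      # 2. highest local preference
        0 if p.locally_originated else 1,   # 3. originated by this router
        len(p.as_path),                     # 4. shortest AS path
        ORIGIN_RANK[p.origin],              # 5. lowest origin code
        p.med,                              # 6. lowest MED
        0 if p.ebgp else 1,                 # 7. eBGP over iBGP
        p.igp_metric,                       # 8. closest IGP next hop
        p.received_order,                   # 9. oldest path
        _ip(p.neighbor_rid),                # 10. lowest neighbor RID
        _ip(p.neighbor_ip),                 # 11. lowest neighbor IP
    )


def best_path(paths: List[Path], reachable: Set[str]) -> Optional[Path]:
    """Step 0: a path whose next hop is not in the routing table is never considered."""
    cands = [p for p in paths if p.next_hop in reachable]
    return min(cands, key=rank_key) if cands else None


def ranked(paths: List[Path], reachable: Set[str]) -> List[str]:
    """Next hops of the usable candidates, best first."""
    return [p.next_hop for p in sorted(
        (p for p in paths if p.next_hop in reachable), key=rank_key)]


# Constructed candidates for one prefix learned from four eBGP neighbours
PATHS = [
    Path("10.0.0.1", as_path=[65001], neighbor_rid="10.0.0.1", neighbor_ip="10.0.0.1"),
    Path("10.0.0.2", as_path=[65002, 65001], local_pref=200,
         neighbor_rid="10.0.0.2", neighbor_ip="10.0.0.2"),
    Path("10.0.0.3", as_path=[65003, 65002, 65001], weight=100,
         neighbor_rid="10.0.0.3", neighbor_ip="10.0.0.3"),
    Path("10.0.0.4", as_path=[65001, 65001, 65001],   # neighbour prepended its ASN
         neighbor_rid="10.0.0.4", neighbor_ip="10.0.0.4"),
]

if __name__ == "__main__":
    print(ranked(PATHS, {"10.0.0.1", "10.0.0.2", "10.0.0.4"}))
    # ['10.0.0.2', '10.0.0.1', '10.0.0.4']
    print(ranked(PATHS, {"10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"}))
    # ['10.0.0.3', '10.0.0.2', '10.0.0.1', '10.0.0.4']
```

Local preference 200 on 10.0.0.2 beats the shorter AS path via 10.0.0.1, a weight of 100 on 10.0.0.3 beats both as soon as its next hop is reachable, and the prepended path via 10.0.0.4 loses to the otherwise identical 10.0.0.1 on AS-path length alone.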
o Path Selection Configuration
Weight
Change takes effect after a hard or soft reset
(config-router)# neighbor <ip-address> weight <weight>
Local Preference
Change takes effect after a hard or soft reset
Shared within AS
Default value 100
Only best path exchanged
(config-router)# bgp default local-preference <value>
AS-Path
Can influence incoming traffic by sending eBGP updates
with extended AS-path attribute
Configured using route map
set as-path prepend