
Advanced

Internetwork
Routing
(ver5)

Arranged by:
Eng. AHMED NABIL
2012-2013
1
Ahmed Nabil
Cisco IP Routing (Route Course / SP Route), legacy BSCI course

Arranged by:
Eng. Ahmed Nabil
Course contents
1- Routing principles
2- Routed protocols advanced features
3- OSPF in single area
4- OSPF in multiple areas
5- Manipulating multiple routing protocols (Redistribution)
6- Routing update filters and route maps
7- Policy Based Routing (PBR)
8- Border Gateway Protocol (BGP)
9- IS-IS and Integrated IS-IS
10- EIGRP
11- Branch offices and mobile users secure routing
12- IPv6 and OSPFv3

References
1- Cisco Press Self Study Guide
2- Cisco Student Guide
3- Sybex Book
4- Cisco Academy Curriculum
5- Cram Master Book
6- TestKing Exam Guide
7- Pass4Sure Exam Guide
8- CiscoPedia Guide
9- Cisco Labs
10- CCIE Professional Development routing guide

Index
Module 0:
Cisco Certificates ..................................... page 6
Network Design models .................................. page 13
Module 1:
Routing protocols principles ........................... page 23
Routed protocols features .............................. page 47
Module 2:
OSPF in single area .................................... page 54
OSPF in multiple areas ................................. page 81
Module 3:
Redistributing different routing protocols ............. page 100
Module 4:
Controlling routing updates (route filters) ............ page 112
Policy Based Routing (PBR), policy maps ................ page 128
Module 5:
IS-IS and Integrated IS-IS ............................. page 134
Module 6:
EIGRP (Enhanced IGRP) .................................. page 161
Module 8:
BGP (Border Gateway Protocol) .......................... page 199
Module 9:
Branch office routing .................................. page 242
Module 10:
IPv6 basics ............................................ page 276
IPv6 routing features .................................. page 304
IPv4 to IPv6 transition (tunneling) .................... page 330

Appendix A: IPSec VPNs
Appendix B: Exam Labs, HotSpot & Drag Drop
Appendix C: Course Labs
Cisco Certifications model
(figure: the service provider track, SP Route, SP Advanced Route, SP Edge, SP Core)
Cisco Different Certifications Fields (figure, reconstructed as a list):
- Network Implementation: CCNA, CCNP, CCIE Routing and Switching
- Network Design: CCDA, CCDP, CCDE
- Network Service Provider: CCNA SP, CCNP SP, CCIP, CCIE Service Provider
- Network Security: CCNA Security, CCNP Security, CCIE Security
- Voice Networks: CCNA Voice, CCNP Voice, CCIE Voice
- Wireless: CCNA Wireless, CCNP Wireless, CCIE Wireless

Cisco Qualified Specialist

- One exam gives you one specialist certificate

• Advanced Routing and Switching
(Field, Sales, Solution Engineer)
• Content Networking
• IP Communications Certifications
• Network Management Certifications
• Optical Certification
• Storage Networking Certifications
• VPN and Security Certifications
• Wireless LAN Certifications
• Sales Specialist
642-902 ROUTE
Implementing Cisco IP Routing

Course Objectives
Upon completing this course, the student will be able to meet
these overall objectives:
• Plan and document the configuration and verification of routing protocols and their optimization in enterprise networks.
• Identify the technologies, components, and metrics of EIGRP used to implement and verify EIGRP routing in diverse, large-scale internetworks based on requirements.
• Identify, analyze, and match OSPF multiarea routing functions and benefits for routing efficiencies in network operations in order to implement and verify OSPF routing in a complex enterprise network.
• Implement and verify a redistribution solution in a multiprotocol network that uses Cisco IOS features to control path selection and provides a loop-free topology according to a given network design and requirements.
• Evaluate common network performance issues and identify the tools needed to provide Layer 3 path control that uses Cisco IOS features to control the path.
• Implement and verify a Layer 3 solution using BGP to connect an enterprise network to a service provider.

• Module 0: Course Overview
• Module 1: Planning Routing Services
• Module 2: Implementing an EIGRP-based Solution
• Module 3: Implementing a Scalable Multiarea Network OSPF-based Solution
• Module 4: Implement an IPv4-based Redistribution Solution
• Module 5: Implement Path Control
• Module 6: Connecting an Enterprise Network to ISP Networks
• E-Learning ROUTE-01 of 3: Implement Path Control
• E-Learning ROUTE-02 of 3: Implementing IPv6
• E-Learning ROUTE-03 of 3: Implementing Routing Facilities for Branch Offices and Mobile Workers
642-883 SPRoute
• Module 0: Course Overview
• Module 1: Understanding Service Provider Routing Protocols (including RIPv2 & EIGRP)
• Module 2: Implementing OSPF in the SP Network (Single and Multiple Areas)
• Module 3: Implementing Integrated IS-IS in the SP Network
• Module 4: Implement an IPv4-based Redistribution Solution
• Module 5: Implement Tools for Path Selection
• Module 6: Implement Basic BGP Routing in the SP Network
642-901 BSCI (retired)
• Building Scalable Cisco Internetworks
• Exam Number: 642-901
• Associated Certifications: CCNP, CCIP, CCDP,
recommended for CCNP Voice & CCNP Security
• Exam Topics
Implement EIGRP operations.
- Explain the functions and operations of EIGRP (e.g., DUAL).
- Configure EIGRP routing (e.g., stub routing, authentication, etc.).
- Verify or troubleshoot EIGRP routing configurations.
Implement multiarea OSPF operations.
- Explain the functions and operations of multiarea OSPF.
- Configure multiarea OSPF routing (e.g., stub, NSSA, authentication, etc.).
- Verify or troubleshoot multiarea OSPF routing configurations.
Describe integrated IS-IS.
- Describe the features and benefits of integrated IS-IS.
- Configure and verify integrated IS-IS.
Implement Cisco IOS routing features.
- Describe, configure or verify route redistribution between IP routing IGPs (e.g., route-maps, default routes, etc.).
- Describe, configure or verify route filtering (i.e., distribute-lists and passive interfaces).
- Describe and configure DHCP services (e.g., server, client, IP helper address, etc.).
Implement BGP for enterprise ISP connectivity.
- Describe the functions and operations of BGP.
- Configure or verify BGP operation in a non-transit AS (e.g., authentication).
- Configure BGP path selection (i.e., Local Preference, AS Path, Weight or MED attributes).
Implement multicast forwarding.
- Describe IP multicast (e.g., Layer-3 to Layer-2 mapping, IGMP, etc.).
- Describe, configure, or verify IP multicast routing (i.e., PIM sparse-dense mode).
Implement IPv6.
- Describe IPv6 addressing operations.
- Describe, configure or verify OSPF routing with IPv6 addressing.
Network Design Models
IIN and Cisco SONA Framework
The Cisco vision of the future IIN (Intelligent Information Network)
encompasses these features:
1- Integration of networked resources and information assets that
have been largely unlinked:
The modern converged networks with integrated voice, video, and
data require that Information Technology (IT) departments more
closely link the IT infrastructure with the network.
2-Intelligence across multiple products and infrastructure layers:
The intelligence built into each component of the network is extended
network-wide and applies end-to-end.
3-Active participation of the network in the delivery of services and
applications:
With added intelligence, the IIN makes it possible for the network to
actively manage, monitor, and optimize service and application
delivery across the entire IT environment.
With the listed features, the IIN offers much more than basic
connectivity, bandwidth for users, and access to applications. The IIN
offers end-to-end functionality and centralized, unified control that
promotes true business transparency and agility.
The IIN technology vision offers an evolutionary approach that
consists of three phases in which functionality can be added to the
infrastructure as required:
1- Integrated transport: Everything (data, voice, and video) consolidates onto an IP network for secure network convergence. By integrating data, voice, and video transport into a single, standards-based, modular network, organizations can simplify network management and generate enterprise-wide efficiencies.
2- Integrated services: After the network infrastructure has been converged, IT resources can be pooled and shared or "virtualized" to flexibly address the changing needs of the organization. Integrated services help to unify common elements, such as storage and data center server capacity. By extending virtualization capabilities to encompass server, storage, and network elements, an organization can transparently use all its resources more efficiently.
3- Integrated applications: With Application-Oriented Networking (AON) technology, Cisco has entered the third phase of building the IIN. This phase focuses on making the network "application-aware" so it can optimize application performance and more efficiently deliver networked applications to users, in addition to capabilities such as content caching, load balancing, and application-level security.
Cisco SONA Framework
• With its vision of the IIN, Cisco is helping organizations to address new IT challenges, such as the deployment of service-oriented architectures, Web services, and virtualization.
• Cisco SONA (Service-Oriented Network Architecture), formerly called AVVID (Architecture for Voice, Video & Integrated Data), is an architectural framework that guides the evolution of enterprise networks to an IIN.
• The Cisco SONA framework provides several advantages to enterprises, such as the following:
1- Outlines the path towards the IIN
2- Illustrates how to build integrated systems across a fully converged IIN
3- Improves flexibility and increases efficiency, which results in optimized applications, processes, and resources
• Cisco SONA uses the extensive product line services, proven architectures, and experience of Cisco and its partners to help enterprises achieve their business goals.
Cisco SONA Framework Layers (figure): Applications Layer, Interactive Services Layer, Network Infrastructure Layer
The Cisco SONA framework shows how integrated systems can both allow
a dynamic, flexible architecture, and provide for operational efficiency
through standardization and virtualization.
It brings forth the notion that the network is the common element that
connects and enables all components of the IT infrastructure. Cisco SONA
outlines these three layers of the IIN:
1- Network infrastructure layer:
This layer is where all the IT resources are interconnected across a
converged network foundation. The IT resources include servers, storage,
and clients. The network infrastructure layer represents how these resources
exist in different places in the network, including the campus, branch, data
center, WAN and Metropolitan Area Network (MAN), and teleworker. The
objective for customers in this layer is to have anywhere and anytime
connectivity.
2- Interactive services layer: This layer enables efficient allocation of
resources to applications and business processes that are delivered through
the networked infrastructure.
This layer comprises these services:
— Voice and collaboration services
— Mobility services
— Security and identity services
— Storage services
— Computer services
— Application networking services
— Network infrastructure virtualization
— Services management
— Adaptive management services
3- Application layer:
This layer includes business applications and collaboration applications.
The objective for customers in this layer is to meet business requirements
and achieve efficiencies by leveraging the interactive services layer.

Cisco Network Models
Cisco provides the enterprise-wide systems architecture that helps companies to protect, optimize, and grow the infrastructure that supports business processes. The architecture provides integration of the entire network (campus, data center, WAN, branches, and teleworkers), offering staff secure access to the tools, processes, and services.
Cisco provides solutions for the following enterprise networks:
a) Cisco Enterprise Campus Architecture
b) Cisco Enterprise Data Center Architecture
c) Cisco Enterprise Branch Architecture
d) Cisco Enterprise Teleworker Architecture
e) Cisco Enterprise WAN Architecture
All enterprise networks differ in their network infrastructure needs, such as:
1- Advanced Intranet Switching
2- Advanced Network Routing
3- IP Multicasting
4- Load-Balancing
5- Redundancy & high availability
6- Security
7- QOS
8- IP Telephony
9- WAN Access
10- VPN Access
11- MPLS VPNs
12- Network Management
Hierarchical Network Design

1- Access Layer:
• It is present where the end users are connected to the network
• L3 basic routing
• High port density
• L3 services such as basic traffic filtering, basic QOS, security (access lists), VLANs, DHCP & NAT
2- Distribution Layer:
• Provides interconnection between the campus network access & core layers
• High L3 throughput
• Security & policy-based connectivity
• QOS
• Scalability, redundant & resilient high-speed links

3- Core Layer:
• Provides connectivity to all distribution layer devices; it is referred to as the backbone
• Very high throughput at L2 or L3
• No packet manipulation (no access lists, no packet filtering)
• Redundancy & resiliency
• Advanced QOS functions
Modular Network Design (Enterprise Composite Network Model, ECNM)
• ECNM contains:
1- Enterprise Campus (Access-Distribution-Core)
2- Enterprise Edge
3- Service Provider Edge
• Scalable network design:
1- Access Layer:
- Entry point for users into the network.
- Security, VLANs, access lists, DHCP & NAT.
2- Distribution Layer:
- Consolidation point for traffic and location for corporate resources.
- Provides services for access layer hosts & packet manipulation.
3- Core Layer:
- Quick and efficient transit between divisions.
- Provides redundancy.

Scalable design provides:
- Scalability.
- Predictability.
- Flexibility.
Routing Protocols

Routing Protocol Comparison

Parameter                                              EIGRP      OSPF    IS-IS
Size of network (Small-Medium-Large-Very Large)        Large      Large   Very Large
Speed of convergence (Very High-High-Medium-Low)       Very High  High    High
Use of VLSM (Yes-No)                                   Yes        Yes     Yes
Mixed-vendor devices (Yes-No)                          No         Yes     Yes
Network support staff knowledge (Good-Poor)            Good       Good    Fair
Principles of Routing Protocols & Routed Protocol Features
• Protocol:
It is a set of rules that define how something works.

• Routing protocol:
- It is a set of rules that define how routing works.
- It is the exchange of information between routers so that every router has an overview of the existence or disappearance of networks.
- Its final target is to build a routing table for routers.
Ex: RIPv1, RIPv2, IGRP, EIGRP, IS-IS, OSPF, BGP

• Routed protocol:
- It is responsible for end-to-end data delivery using:
1- Logical addressing.
2- Encapsulating data from end to end (end-to-end delivery).
Ex: IPv4, IPv6, IPX, AppleTalk.
• Router Functions:

1- Routing
It is the ability to choose the proper direction (best path or best interface) to transfer data to a far destination network, through understanding the logical topology of the network defined by the routing protocol (aids end-to-end data delivery / Network layer process).

2- Switching
It is the ability to transfer data across the router from the input interface to the output interface chosen by the routing process, in a proper format (aids hop-to-hop data delivery / Data Link layer process).

3- Quality of Service (QOS)
Providing priority to a certain class of traffic, to provide it with the minimum delay, jitter & packet loss.

4- Security
A Cisco router can act as a firewall, VPN server, VPN client, IPS/IDS (Intrusion Prevention System / Intrusion Detection System), or NAC (Network Admission Control) device.

5- Wireless LAN Controller (WLC)

6- VoIP gateway and Call Manager Express

And many other functions, but the main functions in any router are Routing and Switching.
• Router process:

1- Incoming frame to the interface.
2- If the frame has the same L2 address as the receiving interface, the frame will be accepted; otherwise it will be dropped.
3- The router will remove the frame header and trailer (switching function).
4- The router will deliver the packet to the routing process to find the best path for the packet to reach the destination by checking the routing table.
5- The routing process will find the best path and deliver the packet to the switching function again.
6- The switching process will create a new frame header and trailer (will make the encapsulation) for the packet based on the encapsulation defined on the output interface (whether it is Ethernet, Frame Relay, ATM, PPP, ...).
• Routing procedure:
1- Does the protocol stack exist?
That point depends on the IOS supported features (whether the desktop feature set, the enterprise set or the service provider set is used):
- Does the routed protocol software exist on the IOS or not (i.e. does IPX exist, if you need to route IPX packets, IPv6, ...)?
- Does the routing protocol software exist on the IOS or not (i.e. does IS-IS exist, does BGP exist, ...)?

2- Activate the routing feature by using
(config)# ip routing
That command is enabled by default to activate routing for the IP routed protocol.

3- Activate the routing protocol on a router interface
(config)# router <protocol>
(config-router)# network <directly connected network id>

4- This will enable sending and receiving routing information (updates) on the activated interfaces.

5- The forwarding decisions (information in the routing table) are built from the exchange of the updates.

6- Routing table contents:
6.1 The type of routing protocol that created the routing entry
6.2 Destination network prefix and prefix length
6.3 Next hop IP
6.4 Output interface
6.5 Administrative distance and metric of the routing entry, where the routing table holds the path with the least administrative distance and the least metric
6.6 Timer to indicate how much time has elapsed since the last update of a specific entry
Gateway of last resort is not set
10.0.0.0/8 is subnetted, 2 subnets,
R 10.1.1.0/24 [120/1] via 10.1.2.2, 00:00:05, Ethernet0
R 10.1.3.0/24 [120/2] via 10.1.2.2, 00:00:05, Ethernet0
Routing protocols classifications (figure):
- Static RP
- Dynamic RP: IGP / EGP; Distance vector / Link state / Advanced distance vector; Classful / Classless
Static Routing

• Characteristics:
1- If only one path to the destination is available, you can use static routing.
2- No routing traffic overhead.
3- Could be used on slow WAN links.
4- High administration overhead.

Static route: used to define the path to stub networks
(config)# ip route <dst. net.> <mask> {o/p interface | ip address of next hop} [distance] [permanent]

Ex: you can configure Router A as in the figure or as below
RouterA# config t
RouterA(config)# ip route 10.2.0.0 255.255.0.0 10.1.1.1

RouterA# show ip route
<output omitted>
S 10.2.0.0/16 [1/0] via 10.1.1.1
Floating Static:
(config)# ip route <dst. net.> <mask> {o/p interface | ip address of next hop} [admin. dist.]

- A floating static route is configured by raising the administrative distance of the static route so that it is less preferred than the dynamic routing protocol; the static route then acts as a backup for the dynamic protocol, giving immediate convergence when the dynamic route disappears.
Default Static Route:
Used to define the path to the internetwork's default gateway of last resort
(config)# ip route 0.0.0.0 0.0.0.0 {o/p interface | ip address of next hop}

Default Network:
Default gateway of last resort
(config)# ip default-network <default network>
This command is used with EIGRP to advertise default routes.
The path of the specified network (discovered by any other routing method) will be the same path that is chosen as the default route, which means that the default route is linked to the path of the specified network; if that path changes, the default route will follow that change.

(config-router)# default-information originate
This command is used with OSPF, IS-IS and RIPv2 to advertise default routes.
• IP null 0 interface:
(config)# ip route 10.0.0.0 255.0.0.0 null 0
- Instead of using an access list, we force the packets going to a specific destination network to an interface; this has less effect on the CPU than an access list.
- The null 0 interface is just like a trash can: whatever is routed to it is discarded.

Dynamic RP
Characteristics:
1- Used if multiple paths exist to the network and an automatic way of detecting the best path, or of transitioning to another path in case the primary fails, is needed.
2- Part of the bandwidth is used for sending routing updates that help the discovery of the best routes.
3- It has no administrative overhead.

IGP / EGP
1- IGP (Interior Gateway Protocol)
• Protocol that works within a single AS.
• An AS (Autonomous System) is the domain under a single technical administration, or in other words one that works under a single routing policy.
Ex: RIP, OSPF, IS-IS, IGRP, EIGRP.
2- EGP (Exterior Gateway Protocol)
• Protocol that works between different ASs.
Ex: EGP, BGP.
Distance Vector / Link State / Hybrid
Distance Vector:
Ex: RIP and IGRP
At start up:
1- Each router collects its directly connected networks.
2- Each router will add these networks to its routing table.
3- Each router will send its full routing table out of all its active interfaces on the broadcast address 255.255.255.255 every certain period (30 sec for RIP, 90 sec for IGRP).
4- Routers receiving updates will use the Bellman-Ford algorithm to calculate table updates.
After convergence:
- Only periodic updates are sent every period to indicate any changes.
At change:
- A triggered update with the full routing table is sent.

- Advantages:
1- Simple implementation and configuration
2- Needs low memory (only the routing table)
3- Needs low CPU (uses the Bellman-Ford algorithm)

- Disadvantages:
1- Slow convergence
2- Classful
3- High BW utilization during the convergence period
4- Susceptible to routing loops

Solutions for routing loops:
1- Triggered poisoned route with poison reverse (solves the slow convergence problem also)
2- Split horizon (a route learned from an interface can never be advertised back on the same interface)
3- Hold-down timer (do not learn about a failed network until:
- It returns back
- It is learned with a better metric
- The hold-down time expires (180 sec for RIP, 280 for IGRP))
Link State:
Ex: OSPF & IS-IS
At start up:
1- Each router will try to discover its neighbors (using the Hello protocol).
2- Each router will collect information about its interfaces and send it to its neighbors in a packet called an LSA.
3- Each router that receives the LSA will take a copy and send it as it is to its other neighbors.
4- Each router will form the LSDB from all LSAs.
5- Each router will draw an LSDB tree.
6- Each router will apply the SPF algorithm (Dijkstra algorithm) on the LSDB tree to form the SPF tree (routing table).

After convergence:
- Periodic updates after a long period (LSA refreshment).
At change:
1- The router that detects the change will send a partial triggered update.
2- Each router will take a copy of the update, then send it to its neighbors, then each router rebuilds the tree again.
Advantages:
1- Fast convergence
2- Classless
3- Low BW utilization during the convergence period (no periodic updates)
4- No routing loops
5- Reliable protocol

Disadvantages:
1- Complex implementation and configuration
2- Needs high memory (routing table, neighbor table & topology database)
3- Needs high CPU (uses the Dijkstra "SPF" algorithm)

Hybrid (Advanced D.V.):
Ex: RIPv2, EIGRP
• EIGRP is considered hybrid or advanced D.V., while RIPv2 is not considered hybrid, but it is advanced D.V.
• It groups some advantages from distance vector and others from link state.
• Each router will send its full routing table to its neighbors at start up.
• At change, a partial triggered update is sent.
• Updates are sent on multicast / unicast addresses.
Classful / Classless
• Classful routing protocol:
- A protocol that doesn't send a subnet mask in its updates (i.e. RIP, IGRP).
- But the subnet mask must exist in the routing table, so the router that receives an update without a mask must have some rules to estimate the mask.

Rule 1:
- If the advertising interface is in a different major network than the update's major network (discontiguous boundary), the sending router will auto-summarize the update (instead of advertising the specific subnet(s), it will advertise the major network).

Rule 2:
- If the receiving interface is in the same major network as the update's major network, the interface subnet mask will be applied to the update.

Rule 3:
- If the update has a different major network than the receiving interface, the update will take the default (classful) subnet mask.

Restriction 1:
- VLSM can never be supported (only FLSM (Fixed Length Subnet Mask)).
Restriction 2:
- Discontiguous network designs are prohibited (all contiguous networks must be on one side of the network).
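Added example (my own Python, not code from the course notes): rules 1 to 3 applied to a constructed two-router topology, with 172.16.0.0 split across a 10.0.0.0 link, to show how a mask-less update crosses a discontiguous boundary and why restriction 2 exists. The router names, addresses and function names are assumptions.

```python
import ipaddress


def classful_prefixlen(addr):
    """Default mask length of the address class: A = /8, B = /16, C = /24."""
    first_octet = int(ipaddress.ip_address(addr)) >> 24
    return 8 if first_octet < 128 else 16 if first_octet < 192 else 24


def major_network(addr):
    """The classful major network that contains addr."""
    return ipaddress.ip_network(f"{addr}/{classful_prefixlen(addr)}", strict=False)


def advertise_classful(subnet, out_if_ip):
    """Rule 1 (sending router): a subnet advertised out of an interface that sits
    in a different major network is auto-summarized to the major network.
    Returns the network address placed in the update (no mask is sent)."""
    subnet = ipaddress.ip_network(subnet)
    own_major = major_network(subnet.network_address)
    if own_major != major_network(out_if_ip):
        return str(own_major.network_address)
    return str(subnet.network_address)


def receive_classful(update_net, in_if_ip, in_if_prefixlen):
    """Rules 2 and 3 (receiving router): infer the mask of a mask-less update.
    Same major network as the receiving interface -> apply the interface mask;
    different major network -> apply the default (classful) mask."""
    update = ipaddress.ip_address(update_net)
    if major_network(update) == major_network(in_if_ip):
        prefixlen = in_if_prefixlen
    else:
        prefixlen = classful_prefixlen(update)
    return ipaddress.ip_network(f"{update}/{prefixlen}", strict=False)


def exchange(sender_subnets, sender_if_ip, receiver_if_ip, receiver_if_prefixlen):
    """Entries the receiver installs after one classful update across a link."""
    learned = set()
    for subnet in sender_subnets:
        advertised = advertise_classful(subnet, sender_if_ip)
        learned.add(str(receive_classful(advertised, receiver_if_ip, receiver_if_prefixlen)))
    return sorted(learned)


def discontiguous_conflicts(learned, local_subnets):
    """Learned summaries that overlap the receiver's own subnets: the symptom
    of restriction 2, the discontiguous network problem."""
    conflicts = []
    for entry in learned:
        net = ipaddress.ip_network(entry)
        for local in local_subnets:
            if ipaddress.ip_network(local).subnet_of(net):
                conflicts.append((entry, local))
    return conflicts


if __name__ == "__main__":
    # Constructed topology (assumption): R1 owns 172.16.1.0/24 and R2 owns
    # 172.16.2.0/24, joined by a 10.1.1.0/24 link, so 172.16.0.0 is split
    # across the 10.0.0.0 boundary.
    r2_learns = exchange(["172.16.1.0/24"], "10.1.1.1", "10.1.1.2", 24)
    print("R2 installs:", r2_learns)
    print("overlaps with R2's own subnets:",
          discontiguous_conflicts(r2_learns, ["172.16.2.0/24"]))
```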
• Classful RP characteristics:
A classful RP does not send the subnet mask in its updates.
1- Cannot support VLSM.
2- Discontiguous networks will cause routing problems.
3- Auto-summarization is made on the discontiguous network boundary and can never be stopped.
Ex: RIPv1 & IGRP

(figure: a discontiguous network problem)

• Classless RP characteristics:
A classless RP sends the subnet mask in its updates.
1- Supports VLSM.
2- Supports discontiguous networks (auto-summarization can be stopped).
3- Supports manual summarization and CIDR.
Ex: RIPv2, EIGRP, OSPF, IS-IS & BGP

(figure: auto-summary must be disabled in such a case)
Routing table searching:
- It is based on best matching (subnet and mask); that's why the mask is important in the routing table.
- Then, if more than one subnet matches, the longest bit match between the packet destination IP and the subnet indicates the preferable path.
- Then look for the route with the lowest administrative distance.
- Then finally the route with the lowest metric.

• Classful thinking:
- If a major network exists in the routing table, then for sure all its subnets must also exist in the routing table.

• Classless thinking:
- If a major network exists in the routing table, maybe not all its subnets exist in the routing table.
Classful searching example
Router# show ip route

<output omitted>
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
10.0.0.0/24 is subnetted, 3 subnets,
R 10.1.1.0/24 [120/1] via 10.1.2.2, 00:00:05, Ethernet0
C 10.1.2.0/24 is directly connected, Ethernet0
R 10.1.3.0/24 [120/2] via 10.1.2.2, 00:00:05, Ethernet0
R 192.168.24.0/24 [120/2] via 10.1.2.2, 00:00:16, Ethernet0
R 172.16.0.0/16 [120/3] via 10.1.2.2, 00:00:16, Ethernet0
S* 0.0.0.0/0 [120/3] via 10.1.2.2, 00:00:05, Ethernet0

Where will the router having the above routing table send traffic bound for the following destinations, if the ip classless command is not enabled?

• 192.168.24.3: forwarded (exact subnet match)
• 172.16.5.1: forwarded (exact subnet match)
• 10.1.2.7: forwarded (exact subnet match)
• 200.100.50.0: forwarded (didn't match a major network, so the default route is used)
• 10.2.2.2: dropped (matches major network 10.0.0.0, but didn't match a subnet)
Classful searching in the routing table (flowchart):
Incoming IP packet -> check routing table -> does a matching major network exist?
- No: does a default route exist? Yes -> forward packet; No -> drop packet.
- Yes: does a matching subnet exist? Yes -> forward packet; No -> drop packet.
Classless searching in the routing table
(config)# ip classless
That command, which is enabled by default, enables classless searching.
Flowchart:
Incoming IP packet -> check routing table -> does a matching major network exist?
- No: does a default route exist? Yes -> forward packet; No -> drop packet.
- Yes: does a matching subnet exist? Yes -> forward packet; No -> does a default route exist? Yes -> forward packet; No -> drop packet.
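Added example (my own Python, not code from the course notes): the classful and classless flowcharts run over the routing table of the classful searching example. It parses the show ip route lines into the routing table contents listed in the routing procedure (code, prefix, administrative distance, metric, next hop, interface) and looks up the five destinations in both modes; the regular expression and the dict field names are assumptions made for the line formats shown on the page.

```python
import ipaddress
import re

# Constructed input: the "show ip route" entries from the classful searching
# example (codes R, C and S*), one entry per line.
SHOW_IP_ROUTE = """\
R 10.1.1.0/24 [120/1] via 10.1.2.2, 00:00:05, Ethernet0
C 10.1.2.0/24 is directly connected, Ethernet0
R 10.1.3.0/24 [120/2] via 10.1.2.2, 00:00:05, Ethernet0
R 192.168.24.0/24 [120/2] via 10.1.2.2, 00:00:16, Ethernet0
R 172.16.0.0/16 [120/3] via 10.1.2.2, 00:00:16, Ethernet0
S* 0.0.0.0/0 [120/3] via 10.1.2.2, 00:00:05, Ethernet0
"""

# Assumed line shape: code, prefix/len, optional [AD/metric], optional
# "via next-hop,", anything else, then the output interface as the last field.
ENTRY_RE = re.compile(
    r"^(?P<code>\S+)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)"
    r"(?:\s+\[(?P<ad>\d+)/(?P<metric>\d+)\])?"
    r"(?:\s+via\s+(?P<nexthop>[\d.]+),)?"
    r".*,\s*(?P<iface>\S+)$"
)


def parse_routes(text):
    """Turn routing-table lines into dicts: protocol code, prefix, AD, metric,
    next hop and output interface. Lines that are not entries are skipped."""
    routes = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        routes.append({
            "code": m["code"],
            "prefix": ipaddress.ip_network(m["prefix"]),
            "ad": int(m["ad"]) if m["ad"] else 0,          # connected: AD 0
            "metric": int(m["metric"]) if m["metric"] else 0,
            "nexthop": m["nexthop"],                        # None for connected
            "iface": m["iface"],
        })
    return routes


def classful_prefixlen(addr):
    """Default mask length of the address class: A = /8, B = /16, C = /24."""
    first_octet = int(addr) >> 24
    return 8 if first_octet < 128 else 16 if first_octet < 192 else 24


def major_network(addr):
    """The classful major network an address belongs to."""
    return ipaddress.ip_network(f"{addr}/{classful_prefixlen(addr)}", strict=False)


def best_match(candidates):
    """Longest prefix first, then lowest administrative distance, then lowest metric."""
    return max(candidates, key=lambda r: (r["prefix"].prefixlen, -r["ad"], -r["metric"]))


def lookup(routes, destination, ip_classless=True):
    """Return ("forward", route) or ("drop", None) for one destination.

    Classless (ip classless): the most specific matching entry wins and the
    default route catches everything else.
    Classful (no ip classless): if the table knows the destination's major
    network but none of its subnets match, the packet is dropped even though
    a default route exists.
    """
    dst = ipaddress.ip_address(destination)
    specific = [r for r in routes if r["prefix"].prefixlen > 0 and dst in r["prefix"]]
    if specific:
        return "forward", best_match(specific)
    if not ip_classless:
        major = major_network(dst)
        known_subnets = [r for r in routes
                         if r["prefix"].prefixlen > 0 and r["prefix"].subnet_of(major)]
        if known_subnets:
            return "drop", None
    defaults = [r for r in routes if r["prefix"].prefixlen == 0]
    if defaults:
        return "forward", best_match(defaults)
    return "drop", None


def classify(routes, destinations, ip_classless):
    """Map each destination to 'forwarded via <prefix>' or 'dropped'."""
    result = {}
    for d in destinations:
        action, route = lookup(routes, d, ip_classless)
        result[d] = f"forwarded via {route['prefix']}" if route else "dropped"
    return result


if __name__ == "__main__":
    table = parse_routes(SHOW_IP_ROUTE)
    dests = ["192.168.24.3", "172.16.5.1", "10.1.2.7", "200.100.50.0", "10.2.2.2"]
    for mode in (False, True):
        print("ip classless" if mode else "no ip classless")
        for d, verdict in classify(table, dests, mode).items():
            print(f"  {d:14} {verdict}")
```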
Major differences between protocols
• RIP (Routing Information Protocol):
- RIPv1 is a distance vector routing protocol.
- RIPv2 is an advanced distance vector routing protocol.
- By default, when configuring RIP the software receives RIP version 1 and version 2 packets, but sends only version 1 packets. This is done by configuring:
(config)# router rip

- You can configure the software to receive and send only version 1 packets. Alternatively, you can configure the software to receive and send only version 2 packets. To do so, use the following command in router configuration mode:
(config)# router rip
(config-router)# version {1 | 2}

- To specify which version of RIP will be sent and received on an individual interface basis:
(config-if)# ip rip {send | receive} version {1 | 2 | 1 2}
• Configuration:
(config)# router rip
(config-router)# network <directly connected network>
• The network command activates the interfaces to:
1) send updates
2) receive updates
3) advertise routing entries learned on that interface

• If we don't want to send updates through an interface, make that interface a passive interface, which is mainly used on Ethernet LAN interfaces where no routers exist:
(config-router)# passive-interface <interface name>
- A passive interface listens to updates but doesn't send updates.

• Because RIP is normally a broadcast protocol, in order for RIP routing updates to reach non-broadcast networks, use:
(config-router)# neighbor <IP address of neighbor>
which is used to define neighbors statically (next hops that updates must be sent to).
Comparing RIPv1 & RIPv2

RIPv1                                               RIPv2
- Classful                                          - Classless
- Broadcast updates (255.255.255.255)               - Multicast updates (224.0.0.9)
- Metric = hop count (max. = 15)                    - Metric = hop count (max. = 15)
- Admin. Dist. = 120                                - Admin. Dist. = 120
- Periodic updates with full routing table          - Periodic updates with full routing table
  every 30 sec.                                       every 30 sec.
- Triggered full routing table at changes           - Triggered partial updates (affected part only) at changes
- No authentication.                                - Supports authentication (clear text or MD5)
- Symbol in routing table "R"                       - Symbol in routing table "R"
- An update cannot contain more than 25 entries, so if more than 25 exist,
  more than one packet is advertised every period

• RIPv2 configuration:
(config)# router rip
(config-router)# version 2
To disable auto-summary:
(config-router)# no auto-summary
For manual summarization:
(config-if)# ip summary-address rip <summary address> <mask>
Auto and Manual Summarization:
Protocol   Auto summarization   Can be disabled   Manual summarization
RIPv1      YES                  NO                NO
IGRP       YES                  NO                NO
OSPF       NO                   -----             YES
IS-IS      NO                   -----             YES
RIPv2      YES                  YES               YES
EIGRP      YES                  YES               YES

(figure: the effect of no auto-summary on RIPv2, /24 subnets versus the /16 major network)
Routed Protocol Features
• IPv4:
- It is a 32-bit address assigned by IANA.
- Current challenges for IP addressing:
A) IP address exhaustion (shortage).
B) Routing table growth and manageability.

A) Solutions for extending IP addressing:

1- Private addresses "RFC 1918":
Class A: 10.0.0.0 - 10.255.255.255
Class B: 172.16.0.0 - 172.31.255.255
Class C: 192.168.0.0 - 192.168.255.255

2- NAT and PAT:
- Network Address Translation is used to translate the inside local address to the inside global address.
- Port Address Translation uses the IP address and port numbers to translate many local IPs to one global IP address.

a) Static NAT
- Fixed one local to one global address translation; that type is mainly used with servers.

b) Dynamic NAT
- Each local address can be translated to one global address picked by the NAT device from a NAT pool of addresses.

c) Dynamic NAT with overload (PAT)
- Many local devices can use one global address, by translating port numbers.
- If you have many global addresses, you need a NAT pool.
3- Using subnetting:
- Divide the major network into subnets.
4- Using VLSM:
- Further subnetting of the subnets of the same major network.
Ex: 192.168.1.0/24
-> 192.168.1.0/26, 192.168.1.64/26, 192.168.1.128/26, 192.168.1.192/26
-> 192.168.1.192/26 further divided into 192.168.1.192/30, 192.168.1.196/30, 192.168.1.200/30, 192.168.1.204/30

To enable using the first and last subnet, use the command:
(config)# ip subnet-zero
which is enabled by default.
Example on VLSM

Solution:
192.168.49.160/30
192.168.49.164/30
192.168.49.168/30
192.168.49.172/30
192.168.49.176/30
5- IP unnumbered:
Any layer 3 interface needs an IP address to be active (live and kicking in the IP world). But in some cases we may need to activate an interface without wasting IPs; in that case IP unnumbered is the solution, where you can deceive the interface by letting it borrow the IP of another interface.

On the router:
(config)# int s0/0
(config-if)# ip unnumbered <int. name>

- If int. name is e0/0, for example, then s0/0 will inherit the IP of e0/0.
- Mostly we inherit the IP of a loopback interface, as the most common solution in most cases.
- This is the only case in which the two routers see each other while the two serial interfaces are not in the same subnet.
- Mostly static routing will be used in that case, because most dynamic routing protocols will ignore updates from a peer not on the same subnet.
6- Route summarization:
- It is grouping a set of subnets and advertising them as one
summary address.
Ex1: Summarize the networks from 172.16.12.0/24 till
172.16.15.0/24

Ex2: Summarize the networks from
172.16.11.0/24 till 172.16.16.0/24

These networks
must be advertised
as 3 entries

7- CIDR:
- Classless Inter Domain Routing (supernetting).
- It is grouping a set of major networks and advertising
them as one super network (CIDR block).

Ex: What is the CIDR block for the major networks
from 192.168.8.0/24 till 192.168.15.0/24
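The VLSM exercise and the summarization and CIDR exercises above, worked as an added Python example (not part of the course notes). The parent block 192.168.49.160/27 for the VLSM case is an assumption, since the figure that stated the requirement is not in the text; the function names are mine.

```python
"""Added example, not from the course notes: the VLSM, route summarization
and CIDR exercises above worked with Python's standard ipaddress module.

vlsm_allocate carves a parent block into subnets, largest requirement first;
summarize returns the fewest prefixes covering a contiguous range (one entry
for 172.16.12.0/24 - 172.16.15.0/24, three for 172.16.11.0/24 - 172.16.16.0/24);
auto_summary shows what a classful protocol (RIPv1/IGRP, or RIPv2/EIGRP with
auto-summary on) would advertise instead. All inputs are constructed; the
/27 parent for the VLSM case is an assumption.
"""
import ipaddress
from typing import List

IPv4Network = ipaddress.IPv4Network


def prefix_for_hosts(hosts: int) -> int:
    """Longest prefix whose block still holds `hosts` usable addresses
    (two addresses per subnet are lost to network and broadcast)."""
    need = hosts + 2
    prefix = 32
    while (1 << (32 - prefix)) < need:
        prefix -= 1
    return prefix


def vlsm_allocate(parent: str, host_counts: List[int]) -> List[IPv4Network]:
    """Classic VLSM: serve the largest requirement first from the lowest free block."""
    free = [ipaddress.ip_network(parent)]        # free blocks, kept sorted
    allocated = []
    for hosts in sorted(host_counts, reverse=True):
        prefix = prefix_for_hosts(hosts)
        for i, blk in enumerate(free):
            if blk.prefixlen <= prefix:           # block is big enough
                sub = next(blk.subnets(new_prefix=prefix))
                allocated.append(sub)
                # give the unused remainder of blk back to the free list
                free[i:i + 1] = list(blk.address_exclude(sub))
                free.sort()
                break
        else:
            raise ValueError(f"no room for {hosts} hosts in {parent}")
    return allocated


def summarize(first: str, last: str) -> List[IPv4Network]:
    """Fewest summary routes that cover every address from `first` to `last`."""
    lo = ipaddress.ip_network(first).network_address
    hi = ipaddress.ip_network(last).broadcast_address
    return list(ipaddress.summarize_address_range(lo, hi))


def auto_summary(net: str) -> IPv4Network:
    """Classful auto-summarization at a major-network boundary."""
    n = ipaddress.ip_network(net)
    first_octet = int(n.network_address) >> 24
    classful = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return n.supernet(new_prefix=min(classful, n.prefixlen))


if __name__ == "__main__":
    for s in vlsm_allocate("192.168.49.160/27", [2, 2, 2, 2, 2]):
        print(s)                                   # five /30 links starting at .160
    print(summarize("172.16.12.0/24", "172.16.15.0/24"))   # [172.16.12.0/22]
    print(summarize("172.16.11.0/24", "172.16.16.0/24"))   # 3 entries
    print(summarize("192.168.8.0/24", "192.168.15.0/24"))  # [192.168.8.0/21]
    print(auto_summary("172.16.12.0/24"))                  # 172.16.0.0/16
```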
OSPF in single area
Overview
OSPF C/C's (characteristics):

1- Open standard link state routing protocol.

2- Sends partial, triggered updates called LSAs at start up and
at changes.

3- Updates are sent to multicast (224.0.0.5 or 224.0.0.6) or
unicast addresses.

4- After convergence, LSDB (Link State DataBase) refresh updates
are sent every 30 min.

5- LSDB entries expire after 60 min. (maxage) without refresh.

6- Symbol in the routing table is "O".

7- Administrative Distance = 110.

8- Metric is cost = 10^8 / BW of the interface. The BW of a serial interface
is T1 (1.54 Mbps) by default, and can be controlled using
(config-if)# bandwidth <BW in units of Kbps>
There is no maximum hop count.

9- Supports equal-cost load sharing with a default of 4 paths and
a maximum of 6 paths.

10- Supports hierarchical design.
• OSPF tables:
1- Neighbor table (adjacency table)
- List of all neighbors (a neighbor is directly connected &
understands the same protocol)
#show ip ospf neighbor
2- Topology table (Link State DataBase - LSDB)
- Contains all routers and their attached links in the area or
network, or in other words all routes to all destination networks.
All routers within an area have an identical copy of it.
#show ip ospf database
3- Routing table (forwarding database)
- Best routes to all destination networks.
#show ip route [ospf]
• OSPF topologies:
1- BMA (Broadcast Multiple Access)
Ex: Ethernet & Token Ring links

2- Point to point
A network that joins a single pair of routers.
Ex: Interfaces running PPP or HDLC, or point-to-point
sub-interfaces on ATM & Frame Relay

3- NBMA (Non Broadcast Multiple Access)
A network that interconnects more than two routers but that
has no broadcast capability.
Ex: Multipoint ATM, Frame Relay & X.25
OSPF autodetects the interface type, and from it determines how
it will operate on that network.
• OSPF packet types:

1- Hello packet:
- Used for neighbor discovery and maintenance of the neighbor
relationship.
- Sent periodically to the multicast address 224.0.0.5 (all OSPF routers)
every 10 sec. on BMA topology, point-to-point links and
NBMA point-to-point links, & every 30 sec. on NBMA multipoint topology.

2- DDP (DBD): DataBase Description packet.
- It contains a summary of the entries inside the LSDB.

3- LSR: Link State Request packet.
- Requests a part of the LSDB from a neighbor.

4- LSU: Link State Update (group of LSAs).
- It is the detailed information for entries inside the LSDB.

5- LSACK: Link State Acknowledgement.
- Acknowledges the reception of LSUs.
• Operation of OSPF in BMA:
1- Neighbor discovery (hello protocol) – forming adjacency:
1.1- Down state:
- No communication yet.

1.2- Init state:
- The first discovery hello is sent.

Conditions for OSPF routers to become neighbors:
1- Same area ID.
2- Same hello & dead intervals.
3- Same authentication password.
4- Same stub area flag.
So router B (in the figure) will never reply with a hello until these values
match its own.
(Figure: Neighborship Establishment, OSPF vs EIGRP)
• Hello packet:
(OSPF header)
Version | Type | Packet length
RID
Area ID
Checksum | Authentication type
Password (authentication field, two words)
(Hello body)
Hello interval | Options (area type) | Router priority
Router dead interval
DR ID
BDR ID
Neighbor 1
.
.
Neighbor n

• The hello packet is encapsulated in an IP packet, with the
protocol field of the IP header indicating an OSPF payload.

• The type field: type 1 is a Hello packet.

• RID (Router ID): defined by
- the command (config-router)# router-id <ip address>
- otherwise the highest loopback IP address
- if there is no loopback, the highest IP of an active physical interface.
• Authentication type:
- Clear text or MD5.
• Dead interval:
- Time to wait before considering the neighbor down.
- Dead interval = 4 * hello interval.
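The hello packet fields and the four neighbor conditions above, as an added Python example (not from the course notes): a decoder for an OSPFv2 Hello that then checks whether two routers can become neighbors. The field layout follows RFC 2328 rather than the slide's sketch (it adds the Network Mask word); the packets, router IDs and the password are constructed for the demo.

```python
"""Added example, not from the course notes: decode an OSPFv2 Hello packet
and apply the four neighbor conditions listed in the slide (same area ID,
same hello and dead intervals, same authentication, same stub area flag).

The layout follows RFC 2328 (A.3.1 header, A.3.2 Hello): it carries a
Network Mask word that the slide's sketch omits, and the stub area flag is
the E bit (0x02) of the Options byte. OSPF is carried directly in IP as
protocol 89. Both packets built below are constructed for the demo;
nothing here is captured from a real link.
"""
import struct
from dataclasses import dataclass, field
from typing import List

OSPF_VERSION = 2
TYPE_HELLO = 1                          # type 1 = Hello
OPT_E_BIT = 0x02                        # set: external LSAs accepted (not a stub area)
AUTH_NULL, AUTH_SIMPLE, AUTH_MD5 = 0, 1, 2


@dataclass
class Hello:
    router_id: str
    area_id: str
    auth_type: int
    auth_data: bytes                    # clear-text password for AUTH_SIMPLE
    network_mask: str
    hello_interval: int
    options: int
    priority: int
    dead_interval: int
    dr: str
    bdr: str
    neighbors: List[str] = field(default_factory=list)

    @property
    def stub_flag(self) -> bool:
        """True when the sender treats the area as a stub (E bit clear)."""
        return not (self.options & OPT_E_BIT)


def _to_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def _to_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def build_hello(rid, area, auth_type, auth_data, mask, hello_int, options,
                prio, dead_int, dr="0.0.0.0", bdr="0.0.0.0", neighbors=()):
    """Encode a Hello; the checksum word is left zero (never sent on a wire)."""
    body = struct.pack("!4sHBBI4s4s", _to_bytes(mask), hello_int, options,
                       prio, dead_int, _to_bytes(dr), _to_bytes(bdr))
    body += b"".join(_to_bytes(n) for n in neighbors)
    header = struct.pack("!BBH4s4sHH", OSPF_VERSION, TYPE_HELLO, 24 + len(body),
                         _to_bytes(rid), _to_bytes(area), 0, auth_type)
    return header + auth_data.ljust(8, b"\x00")[:8] + body


def parse_hello(pkt: bytes) -> Hello:
    """Decode the 24-byte OSPF header and the Hello body that follows it."""
    version, ptype, length, rid, area, _cksum, auth_type = struct.unpack(
        "!BBH4s4sHH", pkt[:16])
    if version != OSPF_VERSION or ptype != TYPE_HELLO:
        raise ValueError("not an OSPFv2 Hello packet")
    if length != len(pkt) or length < 44:        # 24-byte header + 20-byte body
        raise ValueError("bad packet length")
    body = pkt[24:length]
    mask, hello_int, options, prio, dead_int, dr, bdr = struct.unpack(
        "!4sHBBI4s4s", body[:20])
    neighbors = [_to_str(body[i:i + 4]) for i in range(20, len(body), 4)]
    return Hello(_to_str(rid), _to_str(area), auth_type, pkt[16:24],
                 _to_str(mask), hello_int, options, prio, dead_int,
                 _to_str(dr), _to_str(bdr), neighbors)


def neighbor_mismatches(mine: Hello, theirs: Hello) -> List[str]:
    """Conditions that fail; an empty list means the hello is accepted."""
    problems = []
    if theirs.area_id != mine.area_id:
        problems.append(f"area {theirs.area_id} != {mine.area_id}")
    if (theirs.hello_interval, theirs.dead_interval) != (mine.hello_interval,
                                                        mine.dead_interval):
        problems.append(f"timers {theirs.hello_interval}/{theirs.dead_interval}"
                        f" != {mine.hello_interval}/{mine.dead_interval}")
    if theirs.auth_type != mine.auth_type:
        problems.append("authentication type differs")
    elif mine.auth_type == AUTH_SIMPLE and theirs.auth_data != mine.auth_data:
        problems.append("clear-text password differs")
    if theirs.stub_flag != mine.stub_flag:
        problems.append("stub area flag (Options E bit) differs")
    return problems


def reached_two_way(mine: Hello, theirs: Hello) -> bool:
    """2WAY is reached once the neighbor lists our RID in its own hello."""
    return not neighbor_mismatches(mine, theirs) and mine.router_id in theirs.neighbors
```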
1.3- Two-way state:
- The neighbor relationship is formed.

Note:
The two-way state is the final state between DRothers.

When routers running OSPF initialize, an exchange process using the
Hello protocol is the first procedure. The exchange process that happens
when routers are coming up on the network is illustrated in the example
in the figure:
1. Router A is enabled on the LAN and is in a down state because it has
not exchanged information with any other router. It begins by sending a
hello packet through each of its interfaces participating in OSPF, even
though it does not know the identity of the DR or of any other routers. The
hello packet is sent out using the multicast address 224.0.0.5.
2. All directly connected routers running OSPF receive the hello packet
from router A and add router A to their list of neighbors. This state is the
initial state (init).
3. All routers that received the hello packet send a unicast reply hello
packet to router A with their corresponding information. The neighbor field
in the hello packet includes all neighboring routers, including router A.
4. When router A receives these hello packets, it adds all the routers that
had its router ID in their hello packets to its own neighbor relationship
database. This state is referred to as the two-way state. At this point, all
routers that have each other in their lists of neighbors have
established bidirectional communication.
5. If the link type is a broadcast network, generally a LAN link
like Ethernet, then a DR and BDR must first be selected. The
DR forms bidirectional adjacencies with all other routers on the
LAN link. This process must occur before the routers can begin
exchanging link-state information.

2- Election of DR & BDR (if they do not already exist)

- DR (Designated Router) is chosen by, in order:
a- Readiness: the first router that is ready for OSPF operation (already
booted up & has complete configuration)
b- OSPF priority (0 – 255) on the interface facing the BMA
segment, default = 1; priority = 0 means it can be neither DR
nor BDR
c- Router ID
- Defined value through configuration
- Highest IP address of a logical loopback interface
- Highest IP address of a physical active interface

- BDR is a Backup DR and it has the second highest
priority or RID.
- The remaining routers are called DRothers.
- The DR election is non-preemptive (no one can take the DR's
place, even with a better priority or RID, unless the DR
fails).

Note: the rest of the operation is completed between each
router and the DR and BDR only.
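The router-ID precedence, the DR/BDR election rules just listed and the cost formula from the characteristics list, as an added Python example (not from the course notes). The promotion of the BDR when the DR fails follows RFC 2328; router IDs, priorities and the function names are constructed by me.

```python
"""Added example, not from the course notes: router-ID selection, the DR/BDR
election on a broadcast segment, and the interface cost formula, as the
slides describe them.

RID precedence: router-id command, then highest loopback address, then
highest active physical address. Election: priority 0 excludes a router,
highest priority wins, ties go to the highest RID, and the result is
non-preemptive: a live DR keeps its role, and when the DR fails the BDR is
promoted and a new BDR is elected (RFC 2328 section 9.4). Cost is the
reference bandwidth (10^8 bps by default) divided by interface bandwidth.
All router IDs and priorities below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional


def choose_router_id(configured: Optional[str], loopbacks: List[str],
                     physical: List[str]) -> str:
    """router-id command > highest loopback IP > highest active physical IP."""
    if configured:
        return configured
    pool = loopbacks or physical
    if not pool:
        raise ValueError("no usable interface address for a router ID")
    return str(max(pool, key=IPv4Address))


@dataclass(frozen=True)
class Router:
    rid: str
    priority: int = 1        # ip ospf priority on the segment interface, 0-255


def _rank(r: Router):
    """Election order: higher priority first, then higher RID."""
    return (r.priority, IPv4Address(r.rid))


def elect(routers: List[Router], current_dr: Optional[str] = None,
          current_bdr: Optional[str] = None) -> Dict[str, object]:
    """DR/BDR/DROTHER roles on one segment, honouring non-preemption."""
    present = {r.rid: r for r in routers}

    def eligible(rid):
        return rid in present and present[rid].priority > 0

    candidates = [r for r in routers if r.priority > 0]
    if eligible(current_dr):
        dr = current_dr                          # live DR is never displaced
    elif eligible(current_bdr):
        dr = current_bdr                         # DR gone: BDR is promoted
    else:
        dr = max(candidates, key=_rank).rid if candidates else None

    rest = [r for r in candidates if r.rid != dr]
    if eligible(current_bdr) and current_bdr != dr:
        bdr = current_bdr
    else:
        bdr = max(rest, key=_rank).rid if rest else None

    others = [r.rid for r in routers if r.rid not in (dr, bdr)]
    return {"DR": dr, "BDR": bdr, "DROTHER": others}


def ospf_cost(bandwidth_kbps: int, reference_mbps: int = 100) -> int:
    """cost = 10^8 / BW by default; `auto-cost reference-bandwidth` changes
    the numerator. A T1 (1544 kbps) gives 64, 10 Mbps Ethernet gives 10."""
    return max(1, (reference_mbps * 1000) // bandwidth_kbps)
```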
3- Routes discovery:
3.1- Exstart state:
- Form the master / slave relationship.
- The master is the router with the highest RID, even if it is not the
DR.
3.2- Exchange state:
- Send the link state IDs for the entries in the LSDB (the master
router sends a summary of the entries in the LSDB, the "DBD").
LSID : RID sequence
3.3- Loading state:
- Requesting details of specific LSDB entries.
3.4- Full state: (Full adjacency)
- All routers have a common LSDB.
After the DR and BDR have been selected, the routers are considered to be in
the exstart state, and they are ready to discover the link-state information
about the internetwork and create their LSDBs. The process used to discover
the network routes is the exchange protocol, and it gets the routers to a full
state of communication. The first step in this process is for the DR and BDR to
establish adjacencies with each of the other routers. When adjacent routers
are in a full state, they do not repeat the exchange protocol unless the full state
changes.
As shown in the previous figure, the exchange protocol operates as follows:
Step 1 In the exstart state, the DR and BDR establish adjacencies with each
router in the network. During this process, a master-slave relationship is
created between each router and its adjacent DR and BDR. The router with the
higher router ID acts as the master during the exchange process.
Step 2 The master and slave routers exchange one or more DBD packets. The
routers are in the exchange state.
A DBD includes information about the LSA entry header that appears in the
LSDB of the router. The entries can be about a link or about a network. Each
LSA entry header includes information about the link-state type, the address of
the advertising router, the cost of the link, and the sequence number. The
router uses the sequence number to determine the "newness" of the received
link-state information.
Step 3 When the router receives the DBD, it performs these actions, as shown
in the figure:
1. It acknowledges the receipt of the DBD using the LSAck packet.
2. It compares the information it received with the information it has. If the DBD
has a more up-to-date link-state entry, then the router sends an LSR to the
other router. The process of sending LSRs is called the loading state.
3. The other router responds with the complete information about the
requested entry in an LSU packet. Again, when the router receives an LSU, it
sends an LSAck.
Step 4 The router adds the new link-state entries to its LSDB.
When all LSRs have been satisfied for a given router, the adjacent routers are
considered synchronized and in a full state. The routers must be in a full state
before they can route traffic.

At this point, all the routers in the area should have identical LSDBs.

LSA Sequence Numbering
• When a router encounters two instances of an LSA, it must
determine which is more recent. The LSA having the newer
(higher) LS sequence number is more recent.

• A combination of the maximum age (maxage) and refresh
timers, as well as link-state sequence numbers, helps OSPF
maintain a database of only the most recent link-state records.
The sequence numbering scheme is a 4-byte number that
begins with 0x80000001 and ends with 0x7FFFFFFF.

• To ensure an accurate database, OSPF floods (refreshes) each
LSA every 30 minutes. Each time a record is flooded, the
sequence number is incremented by one. An LSA record will reset
its maximum age when it receives a new LSA update. An LSA will
never remain longer in the database than the maximum age of one
hour without a refresh.
(Figure: LSA Operation)
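The sequence-number comparison and the refresh/maxage limits above, as an added Python example (not from the course notes). It goes one step beyond the slide: the checksum and age tie-breaks used when two copies carry the same sequence number are the rules of RFC 2328 section 13.1; the sample LSAs are constructed.

```python
"""Added example, not from the course notes: deciding which of two copies of
the same LSA is more recent, and the refresh/age limits from the slide.

Sequence numbers are compared as signed 32-bit integers, which is why the
usable range runs from 0x80000001 (the most negative value plus one) up to
0x7FFFFFFF. The checksum and age tie-breaks go beyond the slide: they are
the rules of RFC 2328 section 13.1. Sample LSAs are constructed.
"""
from dataclasses import dataclass

LS_REFRESH_TIME = 30 * 60    # seconds: originator refloods the LSA
MAX_AGE = 60 * 60            # seconds: an unrefreshed LSA is flushed
MAX_AGE_DIFF = 15 * 60       # seconds: RFC 2328 MaxAgeDiff
INITIAL_SEQ = 0x80000001
MAX_SEQ = 0x7FFFFFFF


def signed32(seq: int) -> int:
    """The signed value OSPF actually compares for a 32-bit sequence number."""
    seq &= 0xFFFFFFFF
    return seq - (1 << 32) if seq & 0x80000000 else seq


@dataclass
class LSA:
    ls_type: int
    link_state_id: str
    adv_router: str
    seq: int
    checksum: int
    age: int                 # seconds since origination

    def key(self):
        """Three fields that identify one LSA across all of its instances."""
        return (self.ls_type, self.link_state_id, self.adv_router)


def compare(a: LSA, b: LSA) -> int:
    """1 if a is newer, -1 if b is newer, 0 if the two instances are the same."""
    if a.key() != b.key():
        raise ValueError("not instances of the same LSA")
    sa, sb = signed32(a.seq), signed32(b.seq)
    if sa != sb:
        return 1 if sa > sb else -1
    if a.checksum != b.checksum:
        return 1 if a.checksum > b.checksum else -1
    a_max, b_max = a.age >= MAX_AGE, b.age >= MAX_AGE
    if a_max != b_max:                     # a MaxAge copy is being flushed: it wins
        return 1 if a_max else -1
    if abs(a.age - b.age) > MAX_AGE_DIFF:  # large age gap: the younger copy is newer
        return 1 if a.age < b.age else -1
    return 0


def next_seq(seq: int) -> int:
    """Sequence number for the next instance an originator floods."""
    if seq == MAX_SEQ:
        # RFC 2328 12.1.6: the LSA must be flushed (aged to MaxAge) first,
        # then re-originated starting over at INITIAL_SEQ
        return INITIAL_SEQ
    return seq + 1


def originator_action(age: int) -> str:
    """What the originating router does with its own LSA at this age."""
    if age >= MAX_AGE:
        return "flush"        # already aged out everywhere
    if age >= LS_REFRESH_TIME:
        return "refresh"      # reflood with next_seq(), age reset to 0
    return "keep"


def receiver_action(stored: LSA, received: LSA) -> str:
    """Install, ignore, or answer with our newer copy (RFC 2328 13, steps 5-8)."""
    c = compare(received, stored)
    if c > 0:
        return "install-and-flood"
    if c < 0:
        return "send-back-newer-copy"
    return "acknowledge-only"
```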
Creation of Adjacencies

RouterA# debug ip ospf adj

*Feb 17 18:41:51.242: OSPF: Interface Serial0/0/1 going Up


*Feb 17 18:41:51.742: OSPF: Build router LSA for area 0,
router ID 10.1.1.1, seq 0x80000013
*Feb 17 18:41:52.242: %LINEPROTO-5-UPDOWN: Line protocol on
Interface Serial0/0/1, changed state to up
*Feb 17 18:42:01.250: OSPF: 2 Way Communication to 10.2.2.2 on
Serial0/0/1, state 2WAY
*Feb 17 18:42:01.250: OSPF: Send DBD to 10.2.2.2 on
Serial0/0/1 seq 0x9B6 opt 0x52 flag 0x7 len 32
*Feb 17 18:42:01.262: OSPF: Rcv DBD from 10.2.2.2 on
Serial0/0/1 seq 0x23ED opt0x52 flag 0x7 len 32 mtu 1500 state EXSTART
*Feb 17 18:42:01.262: OSPF: NBR Negotiation Done. We are the SLAVE
*Feb 17 18:42:01.262: OSPF: Send DBD to 10.2.2.2 on
Serial0/0/1 seq 0x23ED opt 0x52 flag 0x2 len 72
*Feb 17 18:42:01.294: OSPF: Rcv DBD from 10.2.2.2 on
Serial0/0/1 seq 0x23EE opt0x52 flag 0x3 len 72 mtu 1500 state EXCHANGE
*Feb 17 18:42:01.294: OSPF: Send DBD to 10.2.2.2 on
Serial0/0/1 seq 0x23EE opt 0x52 flag 0x0 len 32
*Feb 17 18:42:01.294: OSPF: Database request to 10.2.2.2
*Feb 17 18:42:01.294: OSPF: sent LS REQ packet to 192.168.1.102, length
12
*Feb 17 18:42:01.314: OSPF: Rcv DBD from 10.2.2.2 on
Serial0/0/1 seq 0x23EF opt0x52 flag 0x1 len 32 mtu 1500 state EXCHANGE
*Feb 17 18:42:01.314: OSPF: Exchange Done with 10.2.2.2 on Serial0/0/1
*Feb 17 18:42:01.314: OSPF: Send DBD to 10.2.2.2 on
Serial0/0/1 seq 0x23EF opt 0x52 flag 0x0 len 32
*Feb 17 18:42:01.326: OSPF: Synchronized with 10.2.2.2 on
Serial0/0/1, state FULL
*Feb 17 18:42:01.330: %OSPF-5-ADJCHG: Process 10, Nbr 10.2.2.2
on Serial0/0/1 from LOADING to FULL, Loading Done
*Feb 17 18:42:01.830: OSPF: Build router LSA for area 0,
router ID 10.1.1.1, seq 0x80000014

Creation of Adjacencies

RouterA# debug ip ospf adj

Ethernet interface coming up: Election


%LINK-3-UPDOWN: Interface ethernet0, changed state to up
OSPF: Interface ethernet0 going Up
OSPF: Rcv hello from 192.168.0.11 area 0 from Serial1 10.1.1.2
OSPF: End of hello processing
OSPF: Build router LSA for area 0, router ID 192.168.0.10
OSPF: send hello to 192.168.0.11 on ethernet0 seq 0x20C4 opt 0x2
flag 0x7 len 32 state INIT

OSPF: 2 Way Communication to 192.168.0.11 on Ethernet0, state 2WAY


OSPF: end of Wait on interface Ethernet0
OSPF: DR/BDR election on Ethernet0
OSPF: Elect BDR 192.168.0.12
OSPF: Elect DR 192.168.0.12
DR: 192.168.0.12 (Id) BDR: 192.168.0.12 (Id)
OSPF: Rcv DBD from 172.16.1.1 on FastEthernet0/0 seq 0x14B 7 opt
0x52 flag 0x7 len 32 mtu 1500 state EXSTART
OSPF: First DBD and we are not SLAVE

<…>

4- Choosing routes:
• Each router in the area places itself at the root of the tree
that is built.
• The best path is calculated with respect to the lowest total cost
of links to a specific destination.
• The routing table is formed by applying the SPF algorithm
(Dijkstra's algorithm) to the LSDB.

• Operation of OSPF in point to point:
- The same operation as BMA, but no DR & BDR exist.

• At convergence:
- No further updates unless the LSDB refresh timer expires (30 min.) (LSA
refresh); periodic keepalive hellos are sent, the dead interval is 4 * hello:
hello/dead = 10/40 sec for BMA & P-P, 30/120 sec for NBMA multipoint.
- Summaries of individual link-state entries, not the complete link-state
entries, are sent every 30 minutes to ensure LSDB synchronization. Each
link-state entry has a timer to determine when the LSA refresh update
must be sent.
- Each link-state entry also has a maximum age of 60 minutes. If a link-
state entry has not been refreshed within 60 minutes, it is removed from
the LSDB.
• At change:
- The router that detects the change sends an LSU to the DR & BDR on
224.0.0.6.
- The DR & BDR send an LSACK back to the sending router.
- Then the DR sends the LSU to all routers on 224.0.0.5.
- Then all routers rebuild the SPF tree.

Convergence stability:
To solve the flapping link problem, OSPF uses the convergence
stability rules (timers).

1- SPF delay time: (5 sec.)
- Time to wait after hearing the last update before the router
performs the SPF calculation.

2- SPF hold time: (10 sec.)
- Minimum delay between two consecutive SPF calculations.
- Basic configuration:
(config)# router ospf <process id>
! process id = 1-65535 & can never be 0; a maximum of 32
processes can be supported by OSPF !
(config-router)# network <net. add.> <w.c.m> area <area id>
Or
Router(config-if)# ip ospf process-id area area-id
! Optional method to enable OSPF explicitly on an interface
Optional configuration:
OSPF Router ID
• The router is known to OSPF by the OSPF router ID number.
• LSDBs use the OSPF router ID to differentiate one router from the next.
• By default, the router ID is the highest IP address on an active
interface at the moment of OSPF process startup.
• A loopback interface can override the OSPF router ID. If a loopback
interface exists, the router ID is the highest IP address on any active
loopback interface.
• The OSPF router-id command can be used to override the OSPF
router ID.
• Using a loopback interface or the router-id command is recommended for
stability.
Define the router ID:
(config-router)# router-id <ip address>
Loopback interface:
(config)# int loopback 0
(config-if)# ip address <ip> <mask>

Router# clear ip ospf process
! This command restarts the OSPF process, which makes the router
use the new RID

- Defining router priority:
(config)# int e0/0
(config-if)# ip ospf priority <no.>
- Defining interface cost:
1- (config-if)# ip ospf cost <no.>
2- (config-if)# bandwidth <no. in kbps>
3- (config-router)# auto-cost reference-bandwidth <no. in Mbps>
- OSPF timers:
(config-router)# timers spf <spf delay time> <spf hold time>
(config-if)# ip ospf hello-interval <no. in sec>
(config-if)# ip ospf dead-interval <no. in sec>
- Defining the no. of paths for load sharing:
(config-router)# maximum-paths <no.>
OSPF Router Authentication
By default, OSPF uses null authentication, which means that routing
exchanges over a network are not authenticated. OSPF supports two
other authentication methods: simple password authentication (also
called plain-text authentication), and MD5 authentication.

Recall that when neighbor authentication has been configured on a
router, the router authenticates the source of each routing update
packet that it receives. This is accomplished by the exchange of an
authenticating key (sometimes referred to as a password) that is
known to both the sending and the receiving router.
Note that with simple password authentication the key travels in clear
text in every OSPF packet, so MD5 is the option to prefer.

Configuring OSPF Password Authentication

Clear text password
Router(config-if)# ip ospf authentication-key password
! Assigns a simple password to be used with neighboring routers
Or
MD5 password
Router(config-if)# ip ospf message-digest-key key-id md5 key
! Assigns a hash-based password to be used with neighboring routers

Activate the authentication:
Router(config-if)# ip ospf authentication [message-digest | null]
! Specifies the authentication type for an interface. Using this
command with the null option cancels password authentication,
the message-digest option selects MD5 authentication, and the
command without any option selects simple plain-text password
authentication.

Or activate the authentication feature with the area command:
Router(config-router)# area area-id authentication [message-digest]
! Specifies the authentication type for an area

Example Simple Password Authentication Configuration (figure)

Example MD5 Authentication Configuration (figure)
Troubleshooting
#show ip route
RouterA# show ip route ospf

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile,


B - BGP, D - EIGRP, EX - EIGRP external, O - OSPF,
IA - OSPF inter area, E1 - OSPF external type 1,
E2 - OSPF external type 2, E - EGP, i - IS-IS, L1 - IS-IS
level-1, L2 - IS-IS level-2, * - candidate default

Gateway of last resort is not set


10.0.0.0 255.255.255.0 is subnetted, 2 subnets
O 10.2.1.0 [110/10] via 10.64.0.2, 00:00:50, Ethernet0

#show ip ospf neighbor


RouterB# show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface


10.64.0.1 1 FULL/BDR 00:00:32 10.64.0.1 Ethernet0
10.2.1.1 1 FULL/- 00:00:38 10.2.1.1 Serial0

#show ip ospf interface


RouterA# show ip ospf interface e0

Ethernet0 is up, line protocol is up


Internet Address 10.64.0.1/24, Area 0
Process ID 1, Router ID 10.64.0.1, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 10.64.0.2, Interface address 10.64.0.2
Backup Designated router (ID) 10.64.0.1, Interface address 10.64.0.1
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:02
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 10.64.0.2 (Designated Router)
Suppress hello for 0 neighbor(s)
#show ip ospf
RouterB# show ip ospf

Routing Process "ospf 1" with ID 10.2.1.1


Supports only single TOS(TOS0) routes
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Number of DCbitless external LSA 0
Number of DoNotAge external LSA 0
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Area BACKBONE(0) (Active)
Number of interfaces in this area is 2
Area has no authentication
SPF algorithm executed 10 times
Area ranges are
Link State Update Interval is 00:30:00 and due in 0:07:16
Link State Age Interval is 00:20:00 and due in 00:07:15
Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 0

#show ip ospf database


RouterC# show ip ospf database

OSPF Router with ID (10.2.1.1) (Process ID 10)


Router Link States (Area 1)
Link ID ADV Router Age Seq# Checksum Link count
10.2.1.1 10.2.1.1 48 0x80000001 0xB112 2
10.64.0.2 10.64.0.2 104 0x80000008 0xB112 2
10.64.0.1 10.64.0.1 212 0x80000006 0x3F44 2

#show ip protocols

- To log neighbor state changes on the CLI as they happen:
(config-router)# log-adjacency-changes
#debug ip ospf adjacency
#debug ip ospf packet
RouterC# debug ip ospf packet
OSPF: rcv. v:2 t:1 l:48 rid:10.64.0.2 aid:0.0.0.0 chk:6AB2
aut:0 auk:
OSPF operation in NBMA networks
From the layer 3 point of view, all devices on an NBMA segment must
be in the same subnet, so OSPF (a layer 3 protocol) needs to treat them
as direct neighbors. From the layer 2 point of view, however, they may
not be directly connected (there is no PVC between every pair of them),
so they are not next hops to each other; still, OSPF can treat them as direct
neighbors in some cases, as in NBMA mode.

With Frame Relay, remote sites interconnect in a variety of ways. By
default, interfaces that support Frame Relay are multipoint connection
types. The following examples are types of Frame Relay topologies:
Star topology: A star topology, also known as a hub-and-spoke
configuration, is the most common Frame Relay network topology. In this
topology, remote sites connect to a central site that generally provides a
service or application.
Full-mesh topology: In a full-mesh topology, all routers have virtual
circuits to all other destinations. This method, although costly, provides
direct connections from each site to all other sites and allows for
redundancy. To figure out how many virtual circuits are needed to
implement a fully meshed topology, use the formula n (n – 1) / 2, where n
is the number of nodes in the network.
Partial-mesh topology: In a partial-mesh topology, not all sites may
have direct access to a central site. This method reduces the cost of
implementing a full-mesh topology.
OSPF operation in NBMA networks (table of modes in the figure)

Manual configuration means statically defining neighbors, and possibly
statically defining the DR/BDR.
• In NBMA mode with a partial-mes topology, the DR/BDR must be
connected to all other routers, and need to be configured statically.
• Broadcast mode simulates BMA.
• Point-to-multipoint mode simulates multiple point-to-point links.
• Point-to-multipoint nonbroadcast mode is used in cases where
sending updates in a replicated unicast fashion is not available, as in the
case of ATM SVCs.
• Point-to-point mode is used in the case of point-to-point subinterfaces.
• Configuration for NBMA networks:
(config)# int s0/0
(config-if)# ip ospf network { non-broadcast | broadcast |
point-to-multipoint [non-broadcast] | point-to-point }

- To define the neighbor statically:
(config-router)# neighbor <ip> [priority <no.>] [database-filter
all]
The default neighbor priority for the above command is 0, which means
the neighbor is not a DR or BDR; the database-filter option filters
outgoing LSAs to an OSPF neighbor.
Note:
The default mode for a main interface & a multipoint
subinterface is non-broadcast, and for a point-to-point sub-
interface it is point-to-point.

Ex1: Routers in NBMA mode

RouterA(config)# router ospf 100
RouterA(config-router)# network 130.130.0.0 0.0.255.255 area 0
RouterA(config-router)# network 140.140.0.0 0.0.255.255 area 0
RouterA(config-router)# neighbor 140.140.1.2 priority 0
RouterA(config-router)# neighbor 140.140.1.3 priority 0

Priority 0 tells the local router that it is the DR (all its
neighbors have priority 0); this method is used to define the DR
statically.
RouterA# show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
130.130.1.1 1 full/ — 0:00:35 128.12.1.2 s0
201.23.13.1 0 full/drother 0:00:36 140.140.1.2 s1
192.100.1.1 0 full/drother 0:00:34 140.140.1.3 s1
Ex2: Routers in point-to-multipoint mode (topology in the figure)

RouterA(config)# router ospf 100


RouterA(config-router)# network 140.140.0.0 0.0.255.255 area 0
RouterA(config-router)# network 130.130.0.0 0.0.255.255 area 0
RouterA(config)# interface serial 0
RouterA(config-if)# encapsulation hdlc
RouterA(config-if)# ip address 130.130.1.2 255.255.255.0
RouterA(config)# interface serial 1
RouterA(config-if)# encapsulation frame-relay
RouterA(config-if)# ip address 140.140.1.1 255.255.255.0
RouterA(config-if)# ip ospf network point-to-multipoint

RouterB(config)# router ospf 100


RouterB(config-router)# network 140.140.0.0 0.0.255.255 area 0
RouterB(config)# interface serial 0
RouterB(config-if)# ip address 140.140.1.2 255.255.255.0
RouterB(config-if)# encapsulation frame-relay
RouterB(config-if)# ip ospf network point-to-multipoint

RouterA# show ip ospf interface s1

Serial1 is up, line protocol is up


Internet Address 140.140.1.1/24, Area 1
Process ID 100, Router ID 120.120.1.1, Network Type Point-To-Multipoint,
Cost: 64
Transmit Delay is 1 sec, State: Point_To_Multipoint
Timer intervals configured,Hello 30, Dead 120, Wait 120, Retransmit 5
Hello due in 00:00:11
Neighbor count is 2, Adjacent neighbor count is 2
Adjacent with neighbor 140.140.1.2
Adjacent with neighbor 140.140.1.3
Ex3: Routers using point-to-point subinterfaces (topology in the figure)

RouterA(config)# router ospf 100


RouterA(config-router)# network 140.140.0.0 0.0.255.255 area 0
RouterA(config-router)# network 130.130.0.0 0.0.255.255 area 0
RouterA(config)# interface serial 0
RouterA(config-if)# encapsulation ppp
RouterA(config-if)# ip address 130.130.1.2 255.255.255.0
RouterA(config)# interface serial 1.1 point-to-point
RouterA(config-subif)# frame-relay interface-dlci 101
RouterA(config-subif)# ip address 140.140.1.1 255.255.255.0
RouterA(config-subif)#interface serial 1.2 point-to-point
RouterA(config-subif)# frame-relay interface-dlci 102
RouterA(config-subif)# ip address 140.140.2.1 255.255.255.0

RouterA# show ip ospf interface s1

Serial1 is up, line protocol is up


Internet Address 140.140.1.1/24, Area 1
Process ID 100, Router ID 120.120.1.1, Network Type Point-To-point, Cost: 64
Transmit Delay is 1 sec, State: Point_To_point
Timer intervals configured,Hello 30, Dead 120, Wait 120, Retransmit 5
Hello due in 00:00:11
Neighbor count is 2, Adjacent neighbor count is 2
Adjacent with neighbor 140.140.1.2
Adjacent with neighbor 140.140.1.3

OSPF in Multiple Areas
Single vs. Multiple Areas OSPF

Problems with OSPF in a single area:

1- Frequent calculation of the SPF algorithm (in a large
topology a single network instability will cause instability in the
whole topology)
2- Large link-state table (due to large network size)
3- Large routing table (due to large network size)

So routers will need high CPU power & a big memory size.
The solution, if you need to scale your network using OSPF,
is to use a hierarchical design.

Multiple Area OSPF

1- Reduced rate of SPF calculations.
2- Smaller routing and topology tables.
3- Reduced LSU overhead by confining network instability.
Types of Routers
• Internal Router:
Router that has all its interfaces in the same area; it has the
full LSDB for its area.
(config)#router ospf <process id>
(config-router)#network <link id> <wcm> area <area id>
• ABR (Area Border Router):
Router that is responsible for connecting two or more
areas. It must have at least one interface in the backbone
area (area 0); it has the full database for all areas to which it
is connected and sends summary database updates
between these areas.
(config)#router ospf <process id>
(config-router)#network <link id> <wcm> area 0
(config-router)#network <link id> <wcm> area <area id>
• ASBR (Autonomous System Boundary Router):
Router that has at least one interface into an external
internetwork (another AS) or other non-OSPF network.
• Backbone Router:
Router that has at least one link in area 0; it could be an
internal router, ABR or ASBR.
Types of LSAs
• Type 1 LSA: (router link LSA)
Intra-area LSA, "O" in the routing table.
Every router generates router link advertisements and
floods them to all routers in each area to which it belongs.
It describes:
1- each directly attached link by its IP
2- the mask of the link
3- the state of the link and its cost
4- whether the router is an ABR or ASBR; the Type 1 LSID is
the originating router's RID
5- the link type (point-to-point to another router, stub,
multiaccess (transit), virtual link, ...)
• Type 2 LSA: (Network Link LSA)
Intra-area, "O" in the routing table.
Generated by the DR and flooded inside its area; its function is
that the DR advertises its existence to all of its area. The Type 2 LSID is
the IP of the DR's interface facing the segment.

A Type 2 network LSA lists each of the attached routers that
make up the transit network, including the DR itself, as
well as the subnet mask used on the link.
• Type 3 LSA: (Network Link Summary LSA)
Inter-area, "O IA" in the routing table.
Generated by the ABR: the ABR takes the Type 1 and Type 2 LSAs from
an area, summarizes these LSAs into Type 3 LSAs and floods them to
the whole AS. It describes network IPs and their masks.
The Type 3 LSA LSID is the destination network IP.

• Type 4 LSA: (ASBR summary LSA)
Inter-area, "O IA" in the routing table.
Generated by the ABR to advertise how to reach an ASBR inside an
area to the whole AS; it describes the path and cost to reach the ASBR, so it
contains the RID of the ASBR & the cost.

• Type 5 LSA: (AS External link LSA)
"O E1", "O E2" in the routing table.
Generated by the ASBR and flooded to the whole AS; it describes routes
to destination networks in an external AS.

- External type 2 (O E2): does not add the internal cost to the
external cost (default).
- External type 1 (O E1): adds the internal cost to the external cost.

• Type 6 LSA: (Multicast OSPF, not supported by Cisco)

• Type 7 LSA: (NSSA (Not-So-Stubby-Area) external LSA)
"O N1", "O N2" in the routing table.
Generated by the ASBR of an NSSA; it is similar to the Type 5 LSA
except that it is flooded only within the NSSA. The ABR will
translate the Type 7 LSA into a Type 5 LSA and flood it to the whole AS.
Link-State Advertisement Types (table in the figure; the remaining types are marked "future use")

Interpreting the Routing Table: Types of Routes (figure)

Interpreting the OSPF Database (figure)

Link count: Total number of directly attached links, used only on router LSAs.
The link count includes all point-to-point, transit, and stub links. Each point-to-
point serial link counts as two; all other links count as one, including Ethernet
links.
RouterA#show ip ospf database
OSPF Router with ID (10.0.0.11) (Process ID 1)
Router Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Link count
10.0.0.11 10.0.0.11 548 0x80000002 0x00401A 1
10.0.0.12 10.0.0.12 549 0x80000004 0x003A1B 1
100.100.100.100 100.100.100.100 548 0x800002D7 0x00EEA9 2
Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
172.31.1.3 100.100.100.100 549 0x80000001 0x004EC9
Summary Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
10.1.0.0 10.0.0.11 654 0x80000001 0x00FB11
10.1.0.0 10.0.0.12 601 0x80000001 0x00F516
10.1.1.0 10.0.0.11 7 0x80000009 0x004DC5
10.1.1.0 10.0.0.12 9 0x80000007 0x00E81B
10.1.1.0 172.31.1.1 1111 0x80000003 0x00DD82
10.1.2.0 10.0.0.11 599 0x80000003 0x00EB1C
10.1.2.0 10.0.0.12 603 0x80000001 0x004CCC
10.1.3.0 10.0.0.11 14 0x80000002 0x00E225
10.1.3.0 10.0.0.12 69 0x80000001 0x00DE29
10.200.200.13 172.31.1.1 1108 0x80000001 0x00764E
Router Link States (Area 1)
Link ID ADV Router Age Seq# Checksum Link count
10.0.0.11 10.0.0.11 19 0x80000009 0x00B6C3 3
10.0.0.12 10.0.0.12 601 0x80000005 0x0085F0 3
10.200.200.13 10.200.200.13 20 0x80000003 0x000AB2 3
10.200.200.14 10.200.200.14 62 0x8000004D 0x003C2E 3
Net Link States (Area 1)
Link ID ADV Router Age Seq# Checksum
10.1.1.1 10.0.0.11 19 0x80000001 0x00D485
10.1.2.4 10.200.200.14 622 0x80000001 0x009F20
Summary Net Link States (Area 1)
Link ID ADV Router Age Seq# Checksum
172.31.1.0 10.0.0.11 540 0x80000003 0x004108
172.31.1.0 10.0.0.12 542 0x80000003 0x003B0D
172.31.1.0 172.31.1.1 1399 0x80000003 0x00C5CA
172.31.2.0 10.0.0.11 536 0x80000001 0x00D762
172.31.2.0 10.0.0.12 537 0x80000001 0x00D167
172.31.2.0 172.31.1.1 1394 0x80000001 0x005C25
Summary ASB Link States (Area 1)
Link ID ADV Router Age Seq# Checksum
100.100.100.100 10.0.0.11 536 0x80000001 0x007213
100.100.100.100 10.0.0.12 537 0x80000001 0x006C18
100.100.100.100 172.31.1.1 1394 0x80000001 0x00F6D5
Type-5 AS External Link States
Link ID ADV Router Age Seq# Checksum Tag
10.254.0.0 100.100.100.100 1351 0x8000010A 0x00C518 0
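Reading the database above by program: an added Python example (not course material) that parses this `show ip ospf database` text and derives the ABRs and ASBRs from it. The sample input is an abridged copy of the RouterA output on this slide; the function names are assumptions.

```python
"""Parse `show ip ospf database` text and derive ABRs/ASBRs from it.
Added example, not course code. The sample is an abridged copy of the
RouterA output on this slide."""
import re

LSDB_OUTPUT = """\
OSPF Router with ID (10.0.0.11) (Process ID 1)
Router Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Link count
10.0.0.11 10.0.0.11 548 0x80000002 0x00401A 1
10.0.0.12 10.0.0.12 549 0x80000004 0x003A1B 1
100.100.100.100 100.100.100.100 548 0x800002D7 0x00EEA9 2
Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
172.31.1.3 100.100.100.100 549 0x80000001 0x004EC9
Summary Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
10.1.0.0 10.0.0.11 654 0x80000001 0x00FB11
10.1.1.0 172.31.1.1 1111 0x80000003 0x00DD82
Router Link States (Area 1)
Link ID ADV Router Age Seq# Checksum Link count
10.0.0.11 10.0.0.11 19 0x80000009 0x00B6C3 3
10.0.0.12 10.0.0.12 601 0x80000005 0x0085F0 3
10.200.200.13 10.200.200.13 20 0x80000003 0x000AB2 3
10.200.200.14 10.200.200.14 62 0x8000004D 0x003C2E 3
Net Link States (Area 1)
Link ID ADV Router Age Seq# Checksum
10.1.1.1 10.0.0.11 19 0x80000001 0x00D485
Summary ASB Link States (Area 1)
Link ID ADV Router Age Seq# Checksum
100.100.100.100 10.0.0.11 536 0x80000001 0x007213
Type-5 AS External Link States
Link ID ADV Router Age Seq# Checksum Tag
10.254.0.0 100.100.100.100 1351 0x8000010A 0x00C518 0
"""

# Section headers carry the LSA type and (except for type 5) the area.
SECTION_RE = re.compile(r"^(?P<type>.*Link States)(?: \(Area (?P<area>\S+)\))?$")
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ROW_RE = re.compile(rf"^(?P<link_id>{IPV4})\s+(?P<adv>{IPV4})\s+(?P<age>\d+)\s+(?P<seq>0x[0-9A-Fa-f]+)")


def parse_lsdb(text):
    """Return one dict per LSA: type, area (None for AS-scope type 5), link_id, adv_router, age, seq."""
    lsas, section, area = [], None, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            section, area = m.group("type"), m.group("area")
            continue
        r = ROW_RE.match(line)
        if r and section:
            lsas.append({"type": section, "area": area, "link_id": r.group("link_id"),
                         "adv_router": r.group("adv"), "age": int(r.group("age")),
                         "seq": int(r.group("seq"), 16)})
    return lsas


def abrs(lsas):
    """A router that originates a router LSA in more than one area is an ABR."""
    areas = {}
    for l in lsas:
        if l["type"] == "Router Link States":
            areas.setdefault(l["adv_router"], set()).add(l["area"])
    return {rid for rid, seen in areas.items() if len(seen) > 1}


def asbrs(lsas):
    """ASBRs are the link IDs of Summary ASB (type 4) LSAs and the originators of type 5 LSAs."""
    out = set()
    for l in lsas:
        if l["type"] == "Summary ASB Link States":
            out.add(l["link_id"])
        elif l["type"] == "Type-5 AS External Link States":
            out.add(l["adv_router"])
    return out


def count_by_type(lsas, area=None):
    """LSA counts per section, optionally restricted to one area (type 5 LSAs have none)."""
    counts = {}
    for l in lsas:
        if area is None or l["area"] == area:
            counts[l["type"]] = counts.get(l["type"], 0) + 1
    return counts


def older_than_refresh(lsas, limit=1800):
    """LSAs older than the 30-minute refresh interval (a flooding or DNA problem if non-empty)."""
    return [l for l in lsas if l["age"] > limit]
```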
Area types (figure: two other autonomous systems attached through ASBRs, area 0 in the middle with areas 1 to 5 around it; the figure's text boxes are listed here)

1. Backbone area: it is area 0, it is connected to all other areas, and it accepts any type of LSA except type 7.

2. Standard or ordinary area (not area 0): any area except area 0 is a standard area by default; it can have an ASBR, and it accepts any type of LSA except type 7.
It receives Type 1, Type 2, Type 3 and Type 5 LSAs (a default route learned in a Type 5 LSA shows as O*E2 0.0.0.0/0).

3. Stub area (it cannot have an ASBR): it receives Type 1, Type 2 and Type 3 LSAs; instead of Type 5 LSAs the ABR injects a default route (O*IA 0.0.0.0/0). If the destination is in another autonomous system, the packet is just sent through the only exit of the area (the ABR). It is done by configuration, on the ABR and all routers:
(config-router)# area 2 stub

4. Totally stub area (it cannot have an ASBR): it receives only Type 1 and Type 2 LSAs; the ABR injects a default route (O*IA 0.0.0.0/0) in place of the Type 3 and Type 5 LSAs. If the destination is in another area or another autonomous system, the packet is just sent through the only exit of the area.
On all routers: (config-router)# area 3 stub
On the ABR: (config-router)# area 3 stub no-summary

5. Not-So-Stubby Area (NSSA) (stub + ASBR): a stub area that contains an ASBR. The ASBR originates Type 7 LSAs inside the NSSA; the ABR converts them to Type 5 LSAs for the rest of the AS.
On all routers: (config-router)# area 4 nssa

6. Not-so-totally-stubby area (totally stub + ASBR):
On all routers: (config-router)# area 5 nssa
On the ABR: (config-router)# area 5 nssa no-summary
Types of Areas
• Ordinary or standard area:
Area that accepts all types of LSAs (intra-area, inter-area and
external), but does not accept type 7
• Backbone area (transit area):
It is area 0 and connects all other areas; it accepts all types of LSAs
except type 7
• Stub area:
Area whose ABR does not advertise type 5 LSAs into it and which does not
accept type 7 LSAs; its ABR advertises a default route instead, so
internal routers in that area type do not know any details about
other AS networks but can reach them using the default route through the
ABR. A stub area can never contain an ASBR.

IP routing table for a router in a stub area (figure, not reproduced)

For a stub area, on all area routers:
(config-router)#area <id> stub
• Totally stub area:
Area whose ABR does not advertise type 5, type 3 or type 4 LSAs into it
and which does not accept type 7; instead its ABR advertises a
default route, so internal routers do not know details about
other AS networks or other areas' networks, but use the default
route to reach them through their ABR.

IP routing table for a router in a stub area (figure, not reproduced)

For a totally stub area, on the ABR:
(config-router)#area <id> stub no-summary
On all other area routers:
(config-router)#area <id> stub
To define the cost of the injected default route:
(config-router)#area <area id> default-cost <cost>
• NSSA (Not-So-Stubby-Area):
It is a stub area that can contain an ASBR; it accepts type 7 LSAs and
all other types except type 5 LSAs, and uses a default route instead.
The ABR of the NSSA converts type 7 LSAs into type 5 LSAs before flooding them into the other areas.
Has O, OIA, O*IA, ON1 & ON2 routing entries

On all routers in the NSSA:
(config-router)# area <id> nssa

• NSSA totally stub area: has O, O*IA, ON1 & ON2 routing entries
It is a totally stub area that can contain an ASBR; it accepts type 7 LSAs
and uses a default route only
On the ABR of the NSSA totally stub area:
(config-router)# area <id> nssa no-summary
Configuring summarization

– Minimizes the number of routing table entries
– Localizes the impact of a topology change
– Reduces type 3 and type 5 LSA flooding and saves CPU resources
• Summary on the ABR:
(config-router)#area <id> range <summary address> <mask>

• Summary on the ASBR:
(config-router)#summary-address <address> <mask>

Advertise a default route:
(config-router)#default-information originate [always] [metric value]

(figure) Note that the path through R1 is preferred to the Internet until the R1
path fails; then R2 will be the alternative.

default-information originate is used to dynamically advertise a
default route only if a default route exists in the routing table;
otherwise use the always keyword, which advertises a
default route even if no default route exists in the table.
OSPF LSDB Overload Protection
• Excessive LSAs generated by other routers can drain local
router resources.
• This feature can limit the processing of non-self-generated
LSAs for a defined OSPF process.

Router(config-router)# max-lsa maximum-number [threshold-percentage] [warning-only]
[ignore-time minutes] [ignore-count count-number] [reset-time minutes]
Virtual links
• The OSPF rule is that all areas must connect to area 0, but
there are cases that force the opposite, because a direct
physical connection is unavailable, or in order to make a
redundant link to area 0.

The solution is to form a virtual link between the far area and
area 0 through the transit area.

(config)#router ospf <process id>
(config-router)#area <transit area id> virtual-link <next-hop RID>

Router# show ip ospf virtual-links
Virtual Link to router 10.2.2.2 is up
Transit area 0.0.0.1, via interface Ethernet0, Cost of using 10
Transmit Delay is 1 sec, State POINT_TO_POINT
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 0:00:08 Adjacency State FULL
This virtual link is similar to a standard OSPF adjacency;
however, in a virtual link, the routers do not have to be
directly attached to neighboring routers.
The Hello protocol works over virtual links as it does over
standard links, in 10-second intervals. However, LSA updates
work differently on virtual links. An LSA usually refreshes
every 30 minutes; LSAs learned through a virtual link have
the DoNotAge (DNA) option set, so that the LSA does not age
out. This DNA technique is required to prevent excessive
flooding over the virtual link.
RouterA#sh ip ospf virtual-links
Virtual Link OSPF_VL0 to router 10.2.2.2 is up
Run as demand circuit
DoNotAge LSA allowed.
Transit area 1, via interface Serial0/0/1, Cost of using 781
Transmit Delay is 1 sec, State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:07
Adjacency State FULL (Hello suppressed)
Index 1/2, retransmission queue length 0, number of retransmission 1
First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
Last retransmission scan length is 1, maximum is 1
Last retransmission scan time is 0 msec, maximum is 0 msec
properly.

RouterA#sh ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
10.200.200.13 1 FULL/DR 00:00:33 10.1.1.3 FastEthernet0/0
10.2.2.2 0 FULL/ - - 172.16.1.2 OSPF_VL0
10.2.2.2 0 FULL/ - 00:00:32 172.16.1.2 Serial0/0/1
Verification and troubleshooting

• #sh ip protocols
• #sh ip route
• #sh ip ospf neighbors
• #sh ip ospf interface
• #sh ip ospf database
• #sh ip ospf border-routers
• #sh ip ospf virtual-links
• (config-router)#log-adjacency-changes

Design considerations
Cisco recommends the following:
• 50 routers per area (max)
• 60 neighbours per router (max)
• 3 areas per router (max)
• A router cannot be a DR or BDR for more than one
network segment
Manipulating Multiple Routing Protocols
(Redistribution)
Why do we need multiple routing protocols?

A) Migration
-From FLSM to VLSM
-From a flat design to a hierarchical design (to facilitate route
summarization, which enhances network scalability)

B) Boundary between ASs

C) Different departments might have different routing needs
D) Unix host-based routing (a centre containing UNIX servers
runs RIP only, but your network requires another protocol for
inter-routing)
E) Mixed router vendor environment (use EIGRP on Cisco
routers, use OSPF on non-Cisco routers)
Redistribution
• It is the mechanism that allows different routing domains to be connected, so
that the different routing protocols can exchange and advertise
routing updates as if they were a single protocol
• Redistribution is performed on the router that lies at the
boundary between the domains, i.e. the one that runs multiple protocols

Methods of redistribution
• One-way redistribution:
redistribute networks learned by a certain protocol in a single
direction
• Two-way redistribution:
redistribute all routes from one routing process into another and vice
versa
Redistributing vs. redistributed protocol
• Redistributing protocol:
It is the native protocol that transforms another protocol's routes into its
own form
• Redistributed protocol:
It is the non-native protocol whose routes are transformed into the other
protocol's form
- Note: for any route to be redistributed it must exist in
the routing table of the redistributing router
Configuring Redistribution

• Redistribution supports all protocols:
RIP, IGRP, EIGRP, OSPF, IS-IS, ISO-IGRP, ODR,
BGP, static and connected
RtrA(config-router)# redistribute ?
bgp Border Gateway Protocol (BGP)
connected Connected
egp Exterior Gateway Protocol (EGP)
eigrp Enhanced Interior Gateway Routing Protocol (EIGRP)
igrp Interior Gateway Routing Protocol (IGRP)
isis ISO IS-IS
iso-igrp IGRP for OSI networks
mobile Mobile routes
odr On Demand stub Routes
ospf Open Shortest Path First (OSPF)
rip Routing Information Protocol (RIP)
static Static routes

• But consider the following:
1-Redistribution varies slightly among different protocols
2-Only protocols that support the same protocol stack can be redistributed:
-IP RIP and OSPF can
-IPX RIP cannot be redistributed with OSPF
-IP EIGRP cannot be redistributed with IPX EIGRP or AppleTalk EIGRP
3-Redistribution occurs automatically between:
-IGRP & EIGRP if both are in the same AS
-Static into RIP
-Connected into any protocol using the network command
4-Redistribution of classless updates into a classful protocol
could cause problems
Redistribution issues
1) Administrative distance:
The redistributed protocol's routes inherit the admin. distance of
the redistributing protocol
2) Metric:
A seed metric (initial metric) is assigned to a
redistributed route; that metric is then incremented
according to the normal policies of the redistributing
protocol
• The seed metric is set by:
1-The default-metric command
2-The redistribute command's metric option or
route-map option (overrides the default-metric
command)
Default seed metrics
• If the redistributing protocol is:
-RIP: metric is infinity
-IGRP/EIGRP: metric is infinity
-OSPF: metric is 20 (external type 2) for all sources
except BGP, which gets 1 (still type 2);
subnets are not redistributed by default
-IS-IS: metric is 0 (level 2)
So RIP/IGRP/EIGRP do not advertise a
redistributed route unless a seed metric is
configured
Redistribution Implementation
Considerations and problems

1-Two exit points with one-way redistribution on both points
in the same direction
This will cause routing loops

2-Two exit points with one-way redistribution on
both points in opposite directions
This will cause routing feedback (incompatible
routing information)

3-Two exit points with one-way redistribution on
only one of the points
This will cause sub-optimal path selection (not best-
path routing)

4-Inconsistent convergence time:
Different routing protocols converge at different
times
Redistribution Techniques

• We can conclude that the existence of two exit points will
cause a problem, so we must use one of the
following:

1)Redistribute in one direction and use default or static routes
in the other direction

2)Redistribute in both directions and use route filters (to
filter any route trying to be redistributed back)

3)Redistribute in both directions and change the admin.
distance (make the admin. distance of external routes
higher than that of internal routes; EIGRP does that by
default)
• (config)#router <redistributing protocol>

• (config-router)#redistribute <redistributed protocol> [process id]
[metric <seed metric>] ! Initial metric for the redistributed routes !
[match {internal | external 1 | external 2}]
! If OSPF is redistributed: match O and OIA routes to be redistributed,
or match OE1 routes to be redistributed,
or match OE2 routes to be redistributed !
[metric-type {1 | 2}] ! Metric type for routes redistributed into OSPF !
[subnets] ! Consider subnets for redistribution into OSPF !
{level-1 | level-1-2 | level-2}
! If IS-IS is redistributing:
redistribute routes into IS-IS as iL1 or iL2 (default is iL2)
If IS-IS is redistributed:
redistribute iL1 routes or iL2 routes or both !
[route-map <map name>] ! Use a route filter with redistribution !
[tag <tag value>] ! Set a tag on the redistributed routes !
Redistributing into RIP

Redistributing into OSPF
• Default metric is 20.
• Default metric type is 2.
• Subnets do not redistribute by default.

Redistributing into EIGRP
Seed metric components to configure (EIGRP does not redistribute without one):
• Bandwidth in kilobytes = 10000
• Delay in 10s of microseconds = 100
• Reliability = 255 (maximum)
• Load = 1 (minimum)
• MTU = 1500 bytes

Redistributing into IS-IS
(figure shows: metric 10)
• Routes are introduced as level 2 with a metric of 0 by
default.
Example: Before Redistribution (figure: routing tables, not reproduced)

Example: Routing Tables after Route Redistribution (figure, not reproduced)

Example: Routing Tables after Summarizing Routes and Redistribution (figure, not reproduced)
Controlling routing updates traffic
&
Policy Based Routing (PBR)
Controlling routing updates traffic

1-Default and static routes
2-Passive interfaces
3-Changing admin. distance
4-Route filtering (distribute list)
5-Route filtering (prefix list)
6-Route maps

Passive interfaces
(config-router)#passive-interface <interface name>
(config-router)#passive-interface default

Note:
A passive interface causes RIP and IGRP to stop sending
updates, but they can still receive updates.
A passive interface may also be used with OSPF, IS-IS & EIGRP,
but there it also suppresses sending hellos,
so no adjacency can be formed with neighbors on a
passive interface and no updates are sent or received.
Using admin. distance to influence route selection
• For EIGRP & BGP:
(config-router)#distance eigrp <internal distance> <external distance>
(config-router)#distance bgp <external distance> <internal distance> <local distance>
• For OSPF:
(config-router)#distance ospf external <value> inter-area <value> intra-area <value>
• For all protocols, to specify certain networks:
(config-router)#distance <value> [<source of updates address> <wildcard mask>]
[<access-list number or name for the advertised routes>]

Remember that changing the admin. distance
helps to avoid redistribution problems
Example: Redistribution Using Administrative Distance

Redistribution using two exit points will cause sub-optimal paths,
routing feedback & maybe routing loops
Router P3R1 & Router P3R2:
router ospf 1
redistribute rip metric 10000 metric-type 1 subnets
network 172.31.0.0 0.0.255.255 area 0
!
router rip
version 2
redistribute ospf 1 metric 5
network 10.0.0.0
no auto-summary
We will perform redistribution and use a higher administrative
distance for the redistributed routes (same configuration on P3R1 and P3R2;
the OSPF routes to the networks in access-list 64 get distance 125, worse
than RIP's 120, so the direct RIP path stays preferred):
hostname P3R1
!
router ospf 1
redistribute rip metric 10000 metric-type 1 subnets
network 172.31.0.0 0.0.255.255 area 0
distance 125 0.0.0.0 255.255.255.255 64
!
router rip
version 2
redistribute ospf 1 metric 5
network 10.0.0.0
no auto-summary
!
access-list 64 permit 10.3.1.0
access-list 64 permit 10.3.3.0
access-list 64 permit 10.3.2.0
access-list 64 permit 10.200.200.31
access-list 64 permit 10.200.200.34
access-list 64 permit 10.200.200.32
access-list 64 permit 10.200.200.33

Distribute List

• It allows applying an access-list to routing updates; an ACL on its own
does not filter traffic sourced by the router itself,
but a distribute list can do that
• A distribute list allows update filtering based on:
-incoming interface
-outgoing interface
-redistribution from another routing protocol

Note: If a distribute list is used with OSPF on an
incoming update, that update is still entered into the LSDB
(so that OSPF keeps a complete database), but
the filtered routes are not entered into the routing
table

Configuring a distribute list
• (config-router)#distribute-list <access-list number or name>
{out <interface name | routing protocol process> | in <interface name>}
Distribute list action (flowchart)
A routing update arrives: is there a filter for that interface or routing process?
If not, the route is processed normally. If there is, the route is looked up in the ACL:
permit in the ACL means process the route normally; deny in the ACL, or no match
at all (implicit deny), means drop the route.
Example 1
• Hide network 10.0.0.0 from router C using interface
filtering (figure: router B reaches C over s0, both in EIGRP 1)

B(config)#router eigrp 1
B(config-router)#network 172.16.0.0
B(config-router)#network 192.168.5.0
B(config-router)#distribute-list 7 out s0
B(config)#access-list 7 deny 10.0.0.0 0.255.255.255
B(config)#access-list 7 permit any
Example 2
Controlling Redistribution with Distribute Lists (figure, not reproduced)
Prefix Lists
• Used to filter a range of routes, which is impossible using a
normal ACL; it is also impossible with an ACL to specify the subnet mask
of the updates to be filtered, while a prefix
list can match both the subnet and its mask
(config)#ip prefix-list <list name> description <description statement>
(config)#ip prefix-list <list name> [seq <no.>] <deny/permit> <prefix>/<prefix length> [ge <prefix length>] [le <prefix length>]
! Seq. no. is optional and will start with 5 for the first statement
and be incremented by 5 for further statements !
Note: implicit deny at the end

The keyword le (less than or equal) indicates that the range of
prefix lengths to be matched runs from the length specified after
the prefix to the length specified after the le keyword. The ge
keyword (greater than or equal) specifies the minimum length
of the prefix in a range of addresses. If it is used with no le
keyword, the maximum length for the range
of prefixes matched is assumed to be 32 bits, the maximum number of bits in
an IPv4 prefix. When used with the le keyword, the maximum
matched length of the range is specified after le.

Activate the prefix list:
(config-router)#neighbor <ip of neighbor> prefix-list <name> <in/out>
! Mainly used with BGP !

Or using distribute-list ! Used with any routing protocol !
(config-router)#distribute-list prefix <name> {in/out} <interface name>

Or using a route map (discussed later) – the most commonly used option
Example 1
• Deny the default route
(config)#ip prefix-list ccnp1 deny 0.0.0.0/0
! To deny exactly 0.0.0.0/0 !
(config)#ip prefix-list ccnp1 permit 0.0.0.0/0 le 32
! To permit all other routes !

Example 2
• Deny 172.16.0.0/24 from an update containing
172.16.0.0/24, 172.16.0.0/20 & 172.16.0.0/16
(config)#ip prefix-list ccnp2 permit 172.16.0.0/16 le 20
(config)#ip prefix-list ccnp2 deny 0.0.0.0/0 le 32
! To deny all other routes ! (no need for the last command
as it exists by default)

For displaying a prefix list:
#sh ip prefix-list
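The ge/le semantics, auto-numbering and implicit deny described above, as an added Python example (not course material) that evaluates the ccnp1 and ccnp2 lists; the PrefixList class and its method names are assumptions.

```python
"""IOS-style prefix-list matching: sequence order, ge/le length ranges and the
implicit deny at the end. Added example, not course code."""
import ipaddress
import re

LINE_RE = re.compile(
    r"ip prefix-list (?P<name>\S+)(?: seq (?P<seq>\d+))? (?P<action>permit|deny) "
    r"(?P<prefix>\S+/\d+)(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?$")


class PrefixList:
    """Entries are evaluated in sequence order; the first match decides; no match is deny."""

    def __init__(self):
        self.entries = []   # (seq, action, network, lowest length, highest length)

    def add(self, line):
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"cannot parse: {line}")
        # Auto-numbering as on the slide: first entry 5, each further entry +5.
        seq = int(m["seq"]) if m["seq"] else max((e[0] for e in self.entries), default=0) + 5
        net = ipaddress.ip_network(m["prefix"], strict=False)
        if m["ge"] is None and m["le"] is None:
            low = high = net.prefixlen                      # exact length only
        else:
            low = int(m["ge"]) if m["ge"] else net.prefixlen
            high = int(m["le"]) if m["le"] else net.max_prefixlen   # no le: up to /32
        self.entries.append((seq, m["action"], net, low, high))
        self.entries.sort(key=lambda e: e[0])

    def evaluate(self, prefix):
        """Return 'permit' or 'deny' for a route prefix such as '172.16.0.0/20'."""
        route = ipaddress.ip_network(prefix, strict=False)
        for _seq, action, net, low, high in self.entries:
            # The route's first <net.prefixlen> bits must equal the entry's prefix
            # and its own length must fall inside [low, high].
            if route.subnet_of(net) and low <= route.prefixlen <= high:
                return action
        return "deny"
```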

Route Maps
• The common uses of route maps:
1-Redistribution route filtering:
for routing update filtering (a more sophisticated
alternative to distribute lists) & update modification
(modify metrics, metric types, ...)
2-PBR (Policy Based Routing) – called policy maps:
routed traffic filtering and shaping
3-NAT:
a route map is used with NAT, instead of an access-list, to define
which users can be translated
4-BGP policy implementation

Route map C/Cs

• They work like a sophisticated ACL (permit/deny/modify)
- A list of statements composes a route map
- It consists of main statements, each containing
some conditions
-Top-down processing like an access list
-Once there is a match (apply the first match), leave
the route map
• Lines are sequence-numbered for easier editing (for
insertion and deletion of lines)
• Route maps are named, not numbered
• Match and set criteria are used; they are similar to an if-
then scripting language
Route map for redistribution configuration
1)Create the route map
(config)#route-map <map-tag> <permit/deny> [seq. no.]
(config-route-map)#match <condition>
(config-route-map)#set <condition>

• Permit in a route map statement means permit route
redistribution and apply the set
• Deny in a route map statement means deny the route
from being redistributed

! If a match takes place and the main statement is permit, then
redistribute & apply the set; if the main statement is deny, then
filter the route (if the route map is used for redistribution); if there is no
match, then look at the next statement !

! Seq. no. is optional, but if not specified it will be 10, so for
more than one statement it must be specified, otherwise
each statement will override the previous statement !

2)Activate the route map for redistribution
(config-router)#redistribute <protocol> [route-map <map-tag>]
Route map configuration
Create route map
(config)#route-map <map-tag> deny [seq. no.]
(config-route-map)#match <condition>
! If the main statement is deny, there is no need for a Set statement !
(config)#route-map <map-tag> permit [seq. no.]
(config-route-map)#match <condition>
! If no Set statement exists, no change will be applied !
(config)#route-map <map-tag> permit [seq. no.]
(config-route-map)#set <condition>
! If no Match statement exists, that means match any !
(config)#route-map <map-tag> permit [seq. no.]
(config-route-map)#match <condition a> <condition b> <condition c>
(config-route-map)#set <condition>
! Several match values on one line mean a logical OR
(match condition a OR b OR c) !
(config)#route-map <map-tag> permit [seq. no.]
(config-route-map)#match <condition x>
(config-route-map)#match <condition y>
(config-route-map)#match <condition z>
(config-route-map)#set <condition d>
(config-route-map)#set <condition e>
! Several match or set statements on separate lines mean a logical AND
(match condition x AND y AND z, then set d AND e) !
(config)#route-map <map-tag> permit [seq. no.]
! No match (means match any), no set (means don't modify
anything): the full statement means permit any with no changes !
(config)#route-map <map-tag> deny [seq. no.]
! No match (means match any), deny in the main statement (means filter the
route): the full statement means deny any route !
Route map processing for redistribution (flowchart)
An update arrives: is there a route map? If not, process the route normally.
If there is, test the match criteria of the first statement. On a match,
permit in the main statement means apply the set and redistribute the route,
and deny in the main statement means the update is denied from being redistributed.
On no match, go to the next statement; when no statement matches,
the update is denied from being redistributed.
Match conditions with a route map for redistribution
(config-route-map)#match interface <int. name>
! Match routes learned on a certain interface in the routing table of the
redistributing router !
(config-route-map)#match ip address <ACL no.>
! Put an access-list that contains the network IDs of networks in the routing table
of the redistributing router !
(config-route-map)#match ip next-hop <ACL no.>
! Put an access-list that contains next-hop IPs for next hops existing in the
routing table of the redistributing router !
(config-route-map)#match metric <value>
! Match certain metric values contained in the routing table of the
redistributing router !
(config-route-map)#match route-type <type>
! Match certain route types in the routing table of the redistributing router:
[external | internal | level-1 | level-2 | local] !
Set conditions with a route map for redistribution
(config-route-map)#set level <1/2> ! Change IS-IS route type !
(config-route-map)#set metric <value> ! Change metric value !
(config-route-map)#set metric-type <internal/type-1/type-2> ! Change OSPF
route type !
Example 1
Use route maps to avoid redistribution loops

For the following diagram (not reproduced) this will cause routing feedback
and sub-optimal paths;
use a route map to avoid these situations.

On A & B we will redistribute and use route filters:
(config)#access-list 1 permit 192.168.1.0 0.0.255.255
(config)#route-map nofeedback deny 10
(config-route-map)#match ip address 1
Or: (config-route-map)#match route-type external
(config-route-map)#route-map nofeedback permit 20
(config-route-map)#exit
(config)#router rip
(config-router)#version 2
(config-router)#redistribute ospf 1 metric 4 route-map nofeedback
(config-router)#router ospf 1
(config-router)#redistribute rip subnets
Example 2
Use a route map to form a redistribution policy

Redistribute RIP updates into OSPF using the following
policy:
1.Routes 10.1.0.0/16 & 172.16.1.0/24 are redistributed
with an OSPF cost of 500, external type 1
2.Route 10.0.0.0/16 is not redistributed
3.All other routes are redistributed with an OSPF metric
of 5000

(config)#access-list 1 permit 10.1.0.0 0.0.255.255
(config)#access-list 2 permit 172.16.1.0 0.0.0.255
(config)#access-list 3 permit 10.0.0.0 0.0.255.255

(config)#router ospf 10
(config-router)#redistribute rip subnets route-map CCNP
(config)#route-map CCNP permit 10
(config-route-map)#match ip address 1 2
(config-route-map)#set metric 500
(config-route-map)#set metric-type type-1
(config-route-map)#route-map CCNP deny 20
(config-route-map)#match ip address 3
(config-route-map)#route-map CCNP permit 30
(config-route-map)#set metric 5000
PBR (Policy Based Routing)
(Policy Map)

• It is used for routed data filtering and shaping, because
current organizations need the freedom to implement
packet forwarding and routing according to their
own policies, in a way that goes beyond traditional
routing concerns
• PBR allows permitting traffic/denying traffic/redirecting
traffic
• PBR is implemented by route maps

PBR C/Cs
1-Source-based routing:
different sources go through different paths

2-QoS:
mark different traffic with different ToS values in the IP
packets

3-Load sharing:
distribute traffic over multiple paths

4-Cost saving:
by distributing traffic among low-bandwidth, low-cost and high-
bandwidth, high-cost connections
Route map for PBR configuration
1)Create the route map (policy map)
(config)#route-map <map-tag> <permit/deny> [seq. no.]
(config-route-map)#match <condition>
(config-route-map)#set <condition>

• Permit in a route map statement means permit PBR
by applying the set
• Deny in a route map statement means deny
PBR and use the normal routing process

2)Activate the route map for PBR
(config)#interface <interface name>
(config-if)#ip policy route-map <map-tag>

(config-if)#ip route-cache policy
! To enable the route-caching feature on the router interface;
this makes policy routing faster !

(config)#ip local policy route-map <map-tag>
! By default packets sourced by the local router are not
affected by a policy map configured on the same
router; that command forces packets sourced by
the local router to be affected by the policy
configured on that router !
Route-map processing for PBR (flowchart)
A packet arrives: is there a policy map on the interface? If not, use the default
(destination-based) routing process. If there is, test the match criteria of the
first statement; on no match go to the next statement, and when no statement
matches use the default routing process. On a match, permit in the main
statement means apply the set; deny in the main statement means use the default
routing process. In the default routing process, if there is an entry for the
destination in the routing table the packet is routed by it; otherwise the
packet is discarded.
Match conditions
(config-route-map)#match ip address [ACL no. or name]
! Put an access-list that contains the IP addresses to be matched against the
incoming packets' source IP !
(config-route-map)#match length <min> <max>
! Check the incoming packet against a min & max length !
(config-route-map)#match tos <value>
! Match the ToS value in an incoming IP packet !
(config-route-map)#match ip-precedence <value>
! Match the IP precedence value in an incoming IP packet !
Set conditions

(config-route-map)#set ip next-hop <ip address>
! Redirect the incoming packet to the next-hop IP specified in
the command (only if an exact matching route to the
destination exists in the routing table) !
(config-route-map)#set ip default next-hop <ip address>
! Redirect the incoming packet to the next-hop IP specified in
the command (even if an exact matching route to the
destination does not exist in the routing table) !
(config-route-map)#set interface <type>
! Redirect the incoming packet to the output interface
specified in the command (only if an exact matching route
to the destination exists in the routing table) !
(config-route-map)#set default interface <type>
! Redirect the incoming packet to the output interface
specified in the command (even if an exact matching route
to the destination does not exist in the routing table) !
(config-route-map)#set ip tos <value>
! Change the ToS value in the incoming IP packet (packet
marking or colouring) !
(config-route-map)#set ip precedence <value>
! Change the IP precedence value in the incoming IP packet
(packet marking or colouring) !

Notice that a default route is not an exact routing entry match.

If more than one interface or next hop has been specified in
the same command, the router will choose the first
active interface or next hop.
Example

For the shown exhibit (not reproduced):
-all traffic using the default route and sourced from subnet
1.1.0.0 should go through ISP A
-all traffic using the default route and sourced from subnet
1.2.0.0 should go through ISP B
-all other traffic must be denied
RouterA(config)# access-list 1 permit 1.1.0.0 0.0.255.255
RouterA(config)# access-list 2 permit 1.2.0.0 0.0.255.255

RouterA(config)# route-map load-sharing permit 10
RouterA(config-route-map)# match ip address 1
RouterA(config-route-map)# set ip default next-hop 6.6.6.6
RouterA(config-route-map)# route-map load-sharing permit 20
RouterA(config-route-map)# match ip address 2
RouterA(config-route-map)# set ip default next-hop 7.7.7.7
RouterA(config-route-map)# route-map load-sharing permit 30
RouterA(config-route-map)# set default interface null0

RouterA(config)# interface ethernet 0
RouterA(config-if)# ip address 1.1.1.1 255.255.255.0
RouterA(config-if)# ip policy route-map load-sharing

RouterA(config)# interface serial 0
RouterA(config-if)# ip address 6.6.6.5 255.255.255.0

RouterA(config)# interface serial 1
RouterA(config-if)# ip address 7.7.7.6 255.255.255.0
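Route-map evaluation (top-down, first match, clauses ANDed, values on one line ORed) applied to both the CCNP redistribution policy of Example 2 in the route-map section and this load-sharing PBR policy, as an added Python example that is not course material; the routes, packets and routing table it tests are constructed, and the Entry class and function names are assumptions.

```python
"""Route-map evaluation applied to the CCNP redistribution policy and the
load-sharing PBR policy from the slides. Added example, not course code.
Packets, routes and the routing table are constructed test data."""
import ipaddress
from dataclasses import dataclass, field


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard: a 0 bit must match, a 1 bit is ignored."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)


def acl_permits(acl, addr):
    """Standard ACL as a list of (action, network, wildcard); implicit deny at the end."""
    for action, net, wc in acl:
        if wildcard_match(addr, net, wc):
            return action == "permit"
    return False


@dataclass
class Entry:
    seq: int
    action: str                                    # "permit" or "deny"
    matches: dict = field(default_factory=dict)    # clause -> values; values are ORed
    sets: dict = field(default_factory=dict)       # set clauses, all applied together


def first_match(route_map, acls, address):
    """Top-down: first entry whose match clauses all hold (AND); None if none does.
    Only `match ip address <acl ...>` is modelled; several ACLs on one line are ORed."""
    for e in sorted(route_map, key=lambda e: e.seq):
        if all(any(acl_permits(acls[n], address) for n in vals) for vals in e.matches.values()):
            return e
    return None


# --- Example 2: redistribute rip subnets route-map CCNP ---
ACLS = {1: [("permit", "10.1.0.0", "0.0.255.255")],
        2: [("permit", "172.16.1.0", "0.0.0.255")],
        3: [("permit", "10.0.0.0", "0.0.255.255")]}
CCNP = [Entry(10, "permit", {"ip address": [1, 2]}, {"metric": 500, "metric-type": "type-1"}),
        Entry(20, "deny", {"ip address": [3]}),
        Entry(30, "permit", {}, {"metric": 5000})]


def redistribute_into_ospf(prefix, route_map=CCNP):
    """None = route filtered; otherwise the OSPF external attributes (defaults 20, type-2)."""
    e = first_match(route_map, ACLS, prefix.split("/")[0])
    if e is None or e.action == "deny":         # no matching entry is an implicit deny
        return None
    return {"metric": e.sets.get("metric", 20),
            "metric-type": e.sets.get("metric-type", "type-2")}


# --- PBR example: route-map load-sharing applied on Ethernet0 ---
PBR_ACLS = {1: [("permit", "1.1.0.0", "0.0.255.255")],
            2: [("permit", "1.2.0.0", "0.0.255.255")]}
LOAD_SHARING = [Entry(10, "permit", {"ip address": [1]}, {"ip default next-hop": "6.6.6.6"}),
                Entry(20, "permit", {"ip address": [2]}, {"ip default next-hop": "7.7.7.7"}),
                Entry(30, "permit", {}, {"default interface": "null0"})]
ROUTING_TABLE = ["0.0.0.0/0", "1.1.1.0/24", "6.6.6.0/24", "7.7.7.0/24"]   # constructed


def has_specific_route(dst, table=ROUTING_TABLE):
    """A default route is not an exact match; only a more specific entry counts."""
    a = ipaddress.IPv4Address(dst)
    return any(a in ipaddress.ip_network(p) for p in table if not p.endswith("/0"))


def policy_route(src, dst, route_map=LOAD_SHARING):
    """Forwarding decision for a packet entering the policy-routed interface."""
    e = first_match(route_map, PBR_ACLS, src)   # PBR matches on the packet's source
    if e is None or e.action == "deny":
        return "normal routing"                 # no policy match: destination-based routing
    if has_specific_route(dst):
        return "normal routing"                 # 'default' set clauses yield to a specific route
    if "ip default next-hop" in e.sets:
        return "next-hop " + e.sets["ip default next-hop"]
    if e.sets.get("default interface") == "null0":
        return "discard"
    return "normal routing"
```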

Verifying Policy-Based Routing Examples

RouterA# show ip policy
Interface Route map
Ethernet0 load-sharing

RouterA# show route-map
route-map load-sharing, permit, sequence 10
Match clauses:
ip address (access-lists): 1
Set clauses:
ip default next-hop 6.6.6.6
Policy routing matches: 3 packets, 168 bytes
route-map load-sharing, permit, sequence 20
Match clauses:
ip address (access-lists): 2
Set clauses:
ip default next-hop 7.7.7.7
route-map load-sharing, permit, sequence 30
Set clauses:
default interface null0

RouterA# debug ip policy
Policy routing debugging is on
11:51:25: IP: s=1.1.1.1 (Ethernet0), d=190.168.1.1, len 100, policy match
11:51:25: IP: route map load-sharing, item 10, permit
11:51:25: IP: s=1.1.1.1 (Ethernet0), d=190.168.1.1 (Serial0), len 100, policy routed
11:51:25: IP: Ethernet0 to Serial0 6.6.6.6

#traceroute <ip>
#ping <ip> , with the record option
IS-IS
(Intermediate System to Intermediate System)
IS-IS overview
• Why is IS-IS used?
1- IS-IS is a widely deployed open standard (ISO 10589; RFC 1195 for Integrated IS-IS),
scalable and stable IP routing protocol in the ISP industry, and it was developed before OSPF.
2- The simplicity and stability of IS-IS make it robust in large internetworks, so there is
no need to replace it with another protocol.
3- The US government mandated support for an OSI routing protocol (IS-IS, ISO-IGRP or
static CLNS routes).
4- Simpler implementation than OSPF; it makes efficient use of bandwidth, memory and
processor.
5- Well positioned for IPv6: IS-IS updates are not carried inside a routed protocol (they
are encapsulated directly in the data-link frame), so IS-IS is independent of the routed
protocol whose prefixes it carries.

• Why is IS-IS not more widespread?
1- New deployments typically choose OSPF because it is a widely supported IP protocol.
2- Today it is hard to find information and expertise on IS-IS.

• IS-IS/OSI model overview (OSI term and its TCP/IP equivalent)
  OSI        TCP/IP
  CLNS       IP
  IS-IS      OSPF, Integrated IS-IS
  IS         Router
  ES         Host
  Domain     AS
  ES-IS      ARP
• Two types of OSI network-layer services are available to the OSI transport layer:
  – Connectionless Network Service (CLNS): datagram transport
  – Connection-mode Network Service (CMNS): requires explicit establishment of paths
    between the communicating transport-layer entities
Both services provide logical addressing (NSAP addresses) and a method of end-to-end data
delivery (CLNP for CLNS, CONP for CMNS).

• CLNS/CLNP:
  – CLNP is the OSI network-layer protocol that carries upper-layer data and error
    indications over connectionless links (the OSI counterpart of IP).
  – CLNS provides network-layer services to the transport layer via CLNP.
  – When CLNS support is provided, routing uses routing protocols (ES-IS, IS-IS) to
    exchange routing information.

• CMNS/CONP:
  – CONP is the OSI network-layer protocol that carries upper-layer data and error
    indications over connection-oriented links.
  – CMNS performs the functions related to the explicit establishment of paths via CONP.
  – When CMNS support is provided, routing uses the X.25 protocols as the relaying function.

OSI Layer 3 addressing
(CLNS Addressing)
• CLNP (Connectionless Network Protocol) is the OSI routed protocol that provides both
Layer 3 logical addressing and end-to-end data delivery through CLNP packets, just as IP
does; CLNS is the service it offers to the transport layer.
• Unlike an IP address, a CLNS address applies to the entire node, not to an interface.
• The CLNS address is called an NSAP (Network Service Access Point).
• An NSAP identifies any system in the OSI model.
• An NSAP contains:
1- Domain address
2- Area address
3- Device (system) address
4- Link to the upper (higher) layer process (protocol)
• NSAP address structure in the Cisco implementation (figure on the original slide):
  Area address (1-13 bytes) | System ID (6 bytes) | NSEL (1 byte)

Cisco implementation for NSAP address structure
• a) IDP (Initial Domain Part):
  - AFI (Authority and Format Identifier): the main domain (authority) id,
    e.g. 49 is reserved for locally administered (private) domains.
  - IDI (Initial Domain Identifier): the sub-domain id.
• b) DSP (Domain Specific Part):
  - HODSP (High Order DSP): the area id, unique within the domain.
  - System id: the device id, unique within the area.
  - NSEL (Network Selector): identifies a process (application) on the device; it
    corresponds to a port number in an IP environment.

• Note: when addressing a router we do not target a higher-layer protocol on it, so the
NSEL is set to 0.
• An NSAP address with NSEL=0 is called a NET (Network Entity Title). Every IS must have a
NET address; an ES can have an NSAP address with a non-zero NSEL.
• Cisco does not support ISO routing between different domains, so AFI, IDI and HODSP
together are treated as the Area Address in the Cisco NSAP implementation.

Rules of ISO addressing
1- The ISO address is assigned to the system, not to an interface.
2- A router has one NET address.
3- All routers within an area must use the same area address.
4- The system id must be unique within the area.
5- The system id must have the same length for all ISs and ESs within the domain (in the
Cisco implementation it is fixed at 6 bytes).

OSI Layer 2 address (SNPA address)
• SNPA (Subnetwork Point of Attachment) is the data-link (Layer 2) address that corresponds
to the Layer 3 NSAP address. It is:
1- the MAC address on LAN interfaces
2- the virtual circuit id on X.25, ATM and Frame Relay
3- a placeholder naming the encapsulation on point-to-point links (shown as *HDLC* in the
show outputs later in this chapter)
• Interfaces are uniquely identified by a circuit ID:
  – a one-octet number on point-to-point interfaces (for example 0x00)
  – on broadcast multiaccess networks, the circuit ID concatenated with the 6-octet system
    ID of the designated router forms the 7-octet LAN ID (for example 1921.6800.0001.01)

Basic operation of OSI routing

OSI routing levels
1- OSI Level 0 routing:
• Begins when the ES discovers its nearest IS.
• When an ES needs to send a packet to another ES, it sends the packet to its nearest IS;
this process is known as Level 0 routing.
2- OSI Level 1 routing:
• Routing between ISs within the same area (intra-area routing).
• The system id is used to route within the area; the area id is not considered.
3- OSI Level 2 routing:
• Routing between different areas (inter-area routing).
• The area portion of the OSI address is considered; the system id is not.
4- OSI Level 3 routing:
• Routing between separate domains.
• Not supported by Cisco.

• Level 0 routing is performed by ES-IS.
• Level 1 routing is performed by IS-IS.
• Level 2 routing is performed by IS-IS.
• Level 3 routing is performed by IDRP (Inter-Domain Routing Protocol).
ES-IS discovery protocol operation
• It permits ESs and ISs to discover one another (form adjacencies).
ES-IS performs these functions:
a) identifies the area prefix to the ES
b) creates adjacencies between ES and IS
c) creates the data-link to network address mapping (like ARP)
• ES-IS forms adjacencies between end systems (ESs) and routers (ISs):
  – ESs transmit ESHs (End System Hellos) to ISs.
  – ISs transmit ISHs (Intermediate System Hellos) to ESs.
  – ISs transmit IIHs (IS-IS Hellos) to other ISs.
IS-IS Features
• Link-state routing protocol based on the OSI model.
• Uses Dijkstra's SPF algorithm.
• A router can exist in only one area.
• Supports two routing levels: Level 1 and Level 2.
• Level 1 router (like an OSPF internal non-backbone router):
  - Builds a Level 1 LSDB containing the system ids of the area and the interfaces used to
    reach them, because it routes inside the area only.
• Level 2 router (like an OSPF backbone router):
  - Builds a Level 2 LSDB containing the areas and the interfaces used to reach them,
    because it routes between areas only.
• Level 1/Level 2 router (like an OSPF ABR):
  - Builds both the L1 and L2 LSDBs, so it supports intra-area and inter-area routing. Each
    L1/L2 router sets the "attached" bit in its L1 LSP, and the Level 1 routers of its area
    install a default route toward it; the area therefore behaves like an OSPF totally
    stubby area.
• The IS-IS backbone is not an area: it is the contiguous chain of all L2 and L1/L2 routers,
so extending it is very flexible.
OSI IS-IS routing process
1- When an ES needs to send a packet to another ES, the packet goes to the nearest L1
router, determined by ES-IS.
2- When an L1 router receives the packet, it compares the destination area id with its own:
  - if equal, it uses its L1 database to route by system id;
  - otherwise, it routes the packet to the nearest L1/L2 router.
3- When an L1/L2 router receives the packet, it compares the destination area id with its own:
  - if equal, it uses the L1 database to route by system id;
  - otherwise, it uses the L2 database to route by area id, and the packet travels across
    the L2 backbone until it reaches the destination area.
4- When the packet arrives in the destination area, Level 1 routing is used again to route
it to its final destination.
Traffic flow process example
Consider traffic from router R7 to router R9 (figure on the original slide).
1. R7 recognizes that the prefix (49.00CC) of R9 is not the same as its own prefix (49.00BB).
R7 therefore passes the traffic to the closest Level 1-2 router, R5, using its Level 1
topology database to find the best path to R5.
2. R5 uses its Level 2 topology database to pick the best next hop to reach prefix 49.00CC:
R3. R5 does not use the destination system ID in this decision.
3. R3 uses its Level 2 topology database to pick the best next hop to reach prefix 49.00CC:
R1. R3 does not use the destination system ID in this decision.
4. R1 uses its Level 2 topology database to pick the best next hop to reach prefix 49.00CC:
R8. R1 does not use the destination system ID in this decision.
5. R8 recognizes that the prefix (49.00CC) of R9 is the same as its own prefix. R8 therefore
passes the traffic to R9 using its Level 1 topology database to find the best path.
• Asymmetric routing can take place: the data sent from X to Y can take one path while the
data sent from Y to X takes another, because an L1 router is "blind": it simply sends data
destined to another area to its nearest L1/L2 router.

Example: OSI Area Routing
In the previous figure, area 1 contains two routers:
- One router borders area 2 and is a Level 1-2 IS.
- The other router is contained within the area and is Level 1 only.
Area 2 has many routers:
- A selection of routers is specified as Level 1. These routers route either internally
to that area or to the exit points (the Level 2 routers).
- Level 1-2 routers form a chain across the area linking to the neighbor areas. Although
the middle router of the three Level 1-2 routers does not link directly to another area, it
must support Level 2 routing to ensure that the backbone is contiguous. If the middle router
fails, the other Level 1-only routers cannot perform the Level 2 function (despite providing
a physical path across the area), and the backbone is broken.
Area 3 contains one router that borders areas 2 and 4, yet it has no intra-area neighbors
and is performing Level 2 functions only. If you add another router to area 3, the border
router reverts to Level 1-2 functions.
As the figure shows, the border between the areas in an IS-IS network is the link between
Level 2 routers. (This is in contrast to OSPF, where the border lies inside the ABR itself.)

In the figure, symmetric routing does not occur because Level 2 details are hidden from
Level 1 routers, which know only a default route to the nearest Level 1-2 router. Traffic
from router X to router Y flows from router X to its closest Level 1-2 router. That Level
1-2 router then forwards the traffic along the shortest path to the destination area (area
2). When the traffic flows into area 2, it is routed along the shortest intra-area path to
router Y.

Router Y routes return packets to router X via its nearest Level 1-2 router. That Level 1-2
router recognizes the best route to area 1 via area 4, based on the lowest-cost Level 2 path.
Because the Level 1 and Level 2 computations are separate, the path taken from router Y back
to router X is not necessarily the least-cost path from router Y to router X.
Asymmetric routing (packets taking different paths in different directions) is not
detrimental to the network; however, it can make troubleshooting difficult and is sometimes
a symptom of suboptimal design. Like EIGRP and OSPF, a good IS-IS design is generally
hierarchical.
Route Leaking (route injection)
• When an area has several exit ISs (L1/L2 routers), sub-optimal routing can take place,
because an L1 router always uses the nearest L1/L2 router regardless of where the
destination area actually is.
• A feature available since Cisco IOS Software Release 12.0 allows selected Level 2 routes
to leak in a controlled manner into Level 1, which helps reduce suboptimal (and asymmetric)
routing.
• Route leaking provides a mechanism for redistributing Level 2 information into Level 1
areas. With more detail about inter-area routes, a Level 1 router can make a better choice
about which Level 1-2 router to forward the packet to.
• To implement route leaking, an up/down bit in the TLV indicates whether the route in the
TLV has been leaked. If the up/down bit is 0, the route was originated within that Level 1
area. If the up/down bit is 1, the route has been redistributed into the area from Level 2.
The up/down bit prevents routing loops: a Level 1-2 router never readvertises into Level 2
any Level 1 route that has the up/down bit set. Route leaking should be planned and deployed
carefully, so that a topology change in one area does not force many routes to be recomputed
in all other areas.

How to leak routes (inject routes):
router isis
 redistribute isis ip level-2 into level-1 distribute-list 100

where 100 is the access-list (a prefix-list can be used instead) that selects the routes
to be leaked.

Leaked routes appear with the code "i ia" (IS-IS inter-area) in the routing table.
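An example added by the editor (not course code) for the routing process and the route-leaking passages above: a toy Python model of the Level 1 / Level 2 forwarding decision, and of the up/down bit that stops a leaked route from being readvertised into Level 2. The topology (area 49.0001 with two exits A1 and A2, plus areas 49.0002 and 49.0003) and all router names are constructed for the example.

```python
# Added example (not from the course): a toy model of IS-IS two-level forwarding and of
# the up/down bit used by route leaking. The topology is constructed for this example.
from dataclasses import dataclass, field


@dataclass
class Router:
    name: str
    area: str
    levels: frozenset                                  # {1}, {2} or {1, 2}
    l1_next_hop: dict = field(default_factory=dict)    # system id -> neighbor (from the L1 LSDB)
    l2_next_hop: dict = field(default_factory=dict)    # area prefix -> neighbor (from the L2 LSDB)
    nearest_l1l2: str = ""                             # where an L1-only router sends its default
    l1_prefixes: dict = field(default_factory=dict)    # prefix -> (next hop, up/down bit)


def next_hop(r: Router, dst_area: str, dst_sysid: str) -> str:
    """Forwarding decision of steps 2 and 3 of the routing process above."""
    if dst_area == r.area:                            # same area: route by system id (L1)
        return "deliver" if dst_sysid == r.name else r.l1_next_hop[dst_sysid]
    if 2 in r.levels:                                 # L2 or L1/L2: route by area (L2)
        return r.l2_next_hop[dst_area]
    if dst_area in r.l1_prefixes:                     # L1-only router holding a leaked L2 route
        return r.l1_prefixes[dst_area][0]
    if not r.nearest_l1l2:
        raise LookupError(f"{r.name}: no L1/L2 router known in area {r.area}")
    return r.nearest_l1l2                             # L1-only: default to the nearest L1/L2


def trace(routers: dict, src: str, dst_area: str, dst_sysid: str, max_hops: int = 16) -> list:
    """Follow the next-hop decisions from src to the destination; returns the router names."""
    path, cur = [src], src
    while True:
        hop = next_hop(routers[cur], dst_area, dst_sysid)
        if hop == "deliver":
            return path
        if len(path) > max_hops:
            raise RuntimeError(f"forwarding loop: {path}")
        path.append(hop)
        cur = hop


def leak_into_l1(routers: dict, l1l2: str, prefix: str) -> None:
    """The L1/L2 router injects one of its L2 routes into its own area, up/down bit set to 1."""
    src = routers[l1l2]
    if 2 not in src.levels or prefix not in src.l2_next_hop:
        raise ValueError(f"{l1l2} has no L2 route for {prefix}")
    for r in routers.values():
        if r.area == src.area and r.name != l1l2:
            r.l1_prefixes[prefix] = (l1l2, 1)


def readvertise_into_l2(r: Router) -> set:
    """Prefixes an L1/L2 router may announce into L2: its own area plus L1 prefixes whose
    up/down bit is 0. Leaked prefixes (bit 1) are never sent back up, which prevents loops."""
    return {r.area} | {p for p, (_, updown) in r.l1_prefixes.items() if updown == 0}


def build_topology() -> dict:
    """Constructed for the example: area 49.0001 has two exits; A1 is the one nearest to X."""
    return {
        "X":  Router("X",  "49.0001", frozenset({1}), {"A1": "A1", "A2": "A2"}, nearest_l1l2="A1"),
        "A1": Router("A1", "49.0001", frozenset({1, 2}), {"X": "X", "A2": "A2"},
                     {"49.0002": "B1", "49.0003": "A2"}),
        "A2": Router("A2", "49.0001", frozenset({1, 2}), {"X": "X", "A1": "A1"},
                     {"49.0002": "A1", "49.0003": "C1"}),
        "B1": Router("B1", "49.0002", frozenset({1, 2}), {"Y": "Y"},
                     {"49.0001": "A1", "49.0003": "A1"}),
        "Y":  Router("Y",  "49.0002", frozenset({1}), {"B1": "B1"}, nearest_l1l2="B1"),
        "C1": Router("C1", "49.0003", frozenset({1, 2}), {},
                     {"49.0001": "A2", "49.0002": "A2"}),
    }


if __name__ == "__main__":
    rs = build_topology()
    print("X -> Y :", trace(rs, "X", "49.0002", "Y"))
    print("X -> C1:", trace(rs, "X", "49.0003", "C1"))       # suboptimal: via A1, then A2
    leak_into_l1(rs, "A2", "49.0003")
    print("X -> C1 after leaking 49.0003:", trace(rs, "X", "49.0003", "C1"))
    print("A1 may readvertise into L2:", readvertise_into_l2(rs["A1"]))
```

Before the leak, X hands everything for another area to A1, so traffic for area 49.0003 crosses A1 and then A2; after A2 leaks 49.0003, X goes to A2 directly. A1 also receives the leaked prefix in its L1 database, and readvertise_into_l2 shows it will not push that prefix back into Level 2.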
IS-IS network types
1- Point-to-point
2- BMA (Broadcast Multiple Access)
3- NBMA (Non-Broadcast Multiple Access): IS-IS has no NBMA mode, so only two modes exist
3.1- Broadcast mode on a full-mesh multipoint interface (simulates BMA)
3.2- Point-to-point mode on partial-mesh point-to-point sub-interfaces (simulates
point-to-point)

IS-IS operation
1) Forming adjacencies (neighbor discovery):
send L1 IIH (IS-to-IS Hello), L2 IIH, or both, every 10 seconds on broadcast media;
send point-to-point hellos every 10 seconds on point-to-point media.
2) Elect the DIS (Designated IS), which represents the LAN as a pseudonode:
- the router with the highest priority (0-127, default 64) wins;
- on a tie, the highest MAC (SNPA) address wins.
All routers still form adjacencies with each other as well as with the DIS, but only the
DIS generates the pseudonode LSP (comparable to a type 2 LSA in OSPF). The DIS reduces
adjacency overhead. The election is preemptive: a DIS is not guaranteed to keep its role if
a better IS appears on the LAN, and no backup DIS is elected.
The DIS has circuit id = its system id + one non-zero byte (e.g. 0x01); other routers use
system id + 0x00. These values help distinguish the DIS from the other ISs in the
troubleshooting commands.

There is a DIS for L1, and a separate DIS may be elected for L2 (it can also be the same
router for both levels).

All updates are sent to a multicast MAC address that is received by all ISs, including the
DIS. The full function of the DIS is discussed later, after adjacency formation.

On a LAN, separate Level 1 and Level 2 IIHs are sent periodically as multicasts. Level 1
announcements go to the AllL1IS multicast MAC address 0180.C200.0014, and Level 2
announcements go to the AllL2IS multicast MAC address 0180.C200.0015.
3) Forming the LSDB (route discovery):
Routers exchange IS-IS packets to build the L1 and L2 LSDBs.
- CSNP (Complete Sequence Number PDU), comparable to the OSPF DBD:
describes the complete list of LSPs in the LSDB of a router. On a broadcast network the DIS
sends a CSNP every 10 seconds to keep the segment synchronized.
- PSNP (Partial Sequence Number PDU), comparable to OSPF LSR and LSAck:
used to request missing parts of the database and as an acknowledgement.
- LSP (Link State PDU), comparable to the OSPF LSU:
contains the full information for certain parts of the LSDB, encoded as TLVs
(Type/Length/Value).
An LSP consists of an LSP header followed by the TLVs (which together form the LSDB).
The figure on the original slide shows examples of three types of PDUs (all with IEEE 802.2
Logical Link Control [LLC] encapsulation). IS-IS and ES-IS PDUs are encapsulated directly in
a data-link PDU (frame); there is no Connectionless Network Protocol (CLNP) header and no IP
header. In other words, IS-IS and ES-IS do not put routing information in IP or CLNP
packets; they put it directly in a data-link frame. True CLNP (data) packets contain a full
CLNP header between the data-link header and any higher-layer CLNS information.
The IS-IS and ES-IS PDUs contain variable-length fields, depending on the function of the
PDU. Each field contains a type code, a length and the appropriate values; this information
is known as the TLVs.

In IS-IS, the characteristics of a router are defined by its LSP. The LSP contains an LSP
header and TLV fields.

An LSP header includes:
- the PDU type and length
- the LSP ID
- the LSP sequence number, used to identify duplicate LSPs and to ensure that the latest
  LSP information is stored in the topology table
- the remaining lifetime of the LSP, used to age out LSPs

TLV variable-length fields contain elements including:
- IS Neighbors TLV: the neighbor ISs of the router, used to build the map of the network
- ES Neighbors TLV: the neighbor ESs of the router
- Authentication TLV: information used to secure routing updates
- attached IP subnets (optional, for Integrated IS-IS)
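An example added by the editor (not course code): a defensive parser for the TLV fields described above. The TLV codes are those assigned by ISO 10589 and RFC 1195; the LSP body it parses is constructed by hand for the example, not a capture. The points for a security engineer are that every length byte comes from the wire and must be bound-checked before it is trusted, and that a type 1 authentication TLV carries its password in clear text, readable by anyone on the segment.

```python
# Added example (not from the course): a defensive parser for the Type/Length/Value
# fields carried in IS-IS PDUs. TLV codes per ISO 10589 / RFC 1195; the sample bytes
# below are constructed for this example, not captured traffic.
from ipaddress import IPv4Address

TLV_AREA_ADDRESSES = 1          # ISO 10589
TLV_IS_NEIGHBORS = 2            # ISO 10589 (narrow metrics)
TLV_AUTHENTICATION = 10         # ISO 10589: type 1 = clear-text password; 54 = HMAC-MD5 (RFC 5304)
TLV_IP_INTERFACE_ADDRESS = 132  # RFC 1195


def _dotted4(b: bytes) -> str:
    h = b.hex()
    return ".".join(h[i:i + 4] for i in range(0, len(h), 4))


def parse_tlvs(buf: bytes) -> list:
    """Split a PDU body into (type, value) pairs, refusing a length that runs past the buffer."""
    tlvs, off = [], 0
    while off < len(buf):
        if off + 2 > len(buf):
            raise ValueError(f"truncated TLV header at offset {off}")
        tlv_type, length = buf[off], buf[off + 1]
        value = buf[off + 2: off + 2 + length]
        if len(value) != length:
            raise ValueError(f"TLV {tlv_type} claims {length} bytes, only {len(value)} remain")
        tlvs.append((tlv_type, value))
        off += 2 + length
    return tlvs


def decode_area_addresses(value: bytes) -> list:
    """Value is a sequence of (length, address) pairs, rendered in the '49.0001' style."""
    areas, off = [], 0
    while off < len(value):
        n = value[off]
        addr = value[off + 1: off + 1 + n]
        if n == 0 or len(addr) != n:
            raise ValueError("malformed area address entry")
        areas.append(f"{addr[0]:02x}" + ("." + _dotted4(addr[1:]) if n > 1 else ""))
        off += 1 + n
    return areas


def decode_is_neighbors(value: bytes) -> list:
    """One 'virtual' flag byte, then 11-byte entries: 4 metric bytes + 7-byte neighbor id."""
    if not value or (len(value) - 1) % 11:
        raise ValueError("IS neighbors TLV is not 1 + n*11 bytes")
    entries = []
    for i in range(1, len(value), 11):
        default_metric = value[i] & 0x3F          # low 6 bits carry the 1-63 narrow metric
        neighbor = value[i + 4: i + 11]           # system id (6 bytes) + pseudonode byte
        entries.append((_dotted4(neighbor[:6]) + f".{neighbor[6]:02x}", default_metric))
    return entries


def decode_authentication(value: bytes) -> tuple:
    """Returns (kind, payload); a clear-text password is visible to anyone on the segment."""
    if not value:
        raise ValueError("empty authentication TLV")
    kind = {1: "cleartext", 54: "hmac-md5"}.get(value[0], f"type-{value[0]}")
    payload = value[1:].decode("ascii", "replace") if kind == "cleartext" else value[1:].hex()
    return kind, payload


def decode_ip_interface_addresses(value: bytes) -> list:
    if len(value) % 4:
        raise ValueError("IP interface address TLV is not a multiple of 4 bytes")
    return [str(IPv4Address(value[i:i + 4])) for i in range(0, len(value), 4)]


def summarize(buf: bytes) -> dict:
    """Decode the TLVs this example understands; unknown types are kept as raw bytes."""
    out = {"areas": [], "is_neighbors": [], "auth": None, "ip_addresses": [], "unknown": []}
    for tlv_type, value in parse_tlvs(buf):
        if tlv_type == TLV_AREA_ADDRESSES:
            out["areas"] += decode_area_addresses(value)
        elif tlv_type == TLV_IS_NEIGHBORS:
            out["is_neighbors"] += decode_is_neighbors(value)
        elif tlv_type == TLV_AUTHENTICATION:
            out["auth"] = decode_authentication(value)
        elif tlv_type == TLV_IP_INTERFACE_ADDRESS:
            out["ip_addresses"] += decode_ip_interface_addresses(value)
        else:
            out["unknown"].append((tlv_type, value))
    return out


# Constructed LSP body: area 49.0001, one neighbor 0000.0000.0002.00 at metric 10,
# a clear-text password "cisco", and the interface address 13.0.0.2.
SAMPLE_LSP_BODY = (
    bytes([1, 4, 3, 0x49, 0x00, 0x01])
    + bytes([2, 12, 0, 10, 0x80, 0x80, 0x80, 0, 0, 0, 0, 0, 2, 0])
    + bytes([10, 6, 1]) + b"cisco"
    + bytes([132, 4, 13, 0, 0, 2])
)
# Constructed malformed body: the length byte (8) exceeds the 4 bytes that follow it.
TRUNCATED_BODY = bytes([132, 8, 13, 0, 0, 2])

if __name__ == "__main__":
    print(summarize(SAMPLE_LSP_BODY))
    try:
        parse_tlvs(TRUNCATED_BODY)
    except ValueError as err:
        print("rejected:", err)
```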
Adjacency on a broadcast link
The DIS sends a CSNP every 10 seconds, so any new IS that enters the segment hears the
CSNP, compares the LSP IDs and sequence numbers in it with its own LSDB, and requests any
missing LSPs with a PSNP sent to the multicast MAC address. All ISs hear the PSNP, but only
the DIS answers with the LSPs. If the new IS has LSPs the others lack, or when a change
occurs, the IS floods its LSPs to the multicast MAC address, so every IS including the DIS
hears and accepts them at the same time. This is why all ISs are said to form adjacencies
with each other, and why no backup DIS is needed: all ISs are synchronized at the same time.

Adjacency on a point-to-point link
Adjacency here is much more straightforward, because there are only two neighbors on the
link.

4) Forming the routing table:
- apply Dijkstra to find the best paths to ISs based on the metric (default, delay,
expense, error); Cisco uses only the default metric, a fixed value of 10 per interface by
default.
- apply PRC (Partial Route Calculation) to find the best paths to leaf nodes such as ESs
(and, in Integrated IS-IS, IP prefixes).
Integrated IS-IS characteristics
• Link-state routing protocol
• Supports both IP routing and CLNS routing
• Administrative distance of IS-IS for CLNS = 110
• Administrative distance of IS-IS for IP = 115
• Entries in the IP routing table are marked "i L1" or "i L2"
• Updates are sent to the unicast address on point-to-point links; on broadcast media the
multicast MAC addresses 0180.C200.0014 (L1 announcements) and 0180.C200.0015 (L2
announcements) are used. The IP multicast groups 224.0.0.19 (all IP L1 ISs), 224.0.0.20
(all IP L2 ISs) and 224.0.0.21 (all IP ISs) are reserved for Integrated IS-IS.
• Classless
• Reliable
• An IS can belong to only a single area
• More scalable than OSPF (its backbone is a path that can easily be extended)
• Less CPU intensive than OSPF (uses PRC for IP networks and subnets)
• Forms adjacencies with all neighbors
• Supports manual route summarization
• The metric could be default, delay, expense or error, but Cisco supports by default only
the metric called "default" (referred to as cost) = 10 per interface, which can be changed
manually (1-63 with narrow metrics)
• Each router still needs a NET address in order to run Dijkstra over the ISs
• Each interface needs a unique IP address in order to run PRC over the IP subnets
• Recommended maximum number of routers per area = 1000
• LSPs are refreshed every 15 minutes; the maximum age of an LSP entry in the database is
20 minutes
Configuration
1) Activate routing
(config)#clns routing
(config)#ip routing
2) Activate the routing protocol on the interfaces
(config-if)#ip router isis
(config-if)#clns router isis
3) Define the node address
(config)#router isis [tag]
(config-router)#net <NET address>
! Only one IS-IS process is supported in the IOS releases covered here !
4) Optional
- choose the router level:
(config-router)#is-type {level-1 | level-1-2 | level-2-only}
default is level-1-2; restricting the level saves memory and CPU on routers that do not
need to be level-1-2
- choose the interface level on an L1/L2 router:
(config-if)#isis circuit-type {level-1 | level-1-2 | level-2-only}
default is level-1-2
- change the IS-IS metric:
(config-if)#isis metric metric [delay-metric [expense-metric [error-metric]]] {level-1 | level-2}
(config-if)#isis metric {1-63} {level-1 | level-2}      (default = 10)
or, to set the metric globally for all interfaces:
(config-router)#metric default-value {level-1 | level-2}
- summarization:
(config-router)#summary-address <network address> <mask>
Configuration Example
(Figure on the original slide: R1 and R2 connected over Serial0 and Serial1; networks
11.0.0.0/8 and 12.0.0.0/8.)

R2# show ip protocols
Routing Protocol is "isis"
  Sending updates every 0 seconds
  Invalid after 0 seconds, hold down 0, flushed after 0
  Outgoing update filter list for all interfaces is
  Incoming update filter list for all interfaces is
  Redistributing: isis
  Address Summarization:
    None
  Routing for Networks:
    Serial0
    Serial1
    Ethernet0
  Routing Information Sources:
    Gateway         Distance      Last Update
    11.0.0.1             115      00:11:44
    13.0.0.1             115      00:11:44
    14.0.0.1             115      00:11:44
  Distance: (default is 115)

R1# show ip route isis
i L1 11.0.0.0/8 [115/70] via 13.0.0.2, Serial0
                         via 14.0.0.2, Serial1
i L2* 0.0.0.0/0 [115/35] via 13.0.0.2, Serial0

Verification and troubleshooting
In show commands, Cisco replaces the system id with the configured hostname to make
troubleshooting easier, so the hostname is an essential configuration.
• #show ip protocols, #show clns protocols
• #show ip route
• #show isis route        ! displays the Level 1 (intra-area) routing table
• #show clns route        ! displays the Level 2 (area prefix) routing table
• #show isis topology
• #debug isis adj packets
Troubleshooting Example

R1# show clns route
CLNS Prefix Routing Table
49.0001.0000.0000.0001.00, Local NET Entry

R1# show isis route
IS-IS Level-1 Routing Table - version 312
System Id      Next-Hop       Interface   SNPA        Metric  State
R2             R2             Se0         *HDLC*      10      Up      L2-IS
R4             R4             Se1         *HDLC*      10      Up
R1             --
Default route out of area - (via 1 L2-attached IS)
System Id      Next-Hop       Interface   SNPA        Metric  State
R2                            Se0         *HDLC*      10      Up

R2# show clns route
CLNS Prefix Routing Table
49.0001.0000.0000.0002.00, Local NET Entry
49.0002 [110/10]
  via R5, IS-IS, Up, Ethernet0
49.0001 [110/0]
  via R2, IS-IS, Up

R2# show isis route
IS-IS Level-1 Routing Table - version 47
System Id      Next-Hop       Interface   SNPA        Metric  State
R4             R4             Se1         *HDLC*      10      Up
R1             R1             Se0         *HDLC*      10      Up
R2# show clns neighbors
System Id   Interface   SNPA             State   Holdtime   Type   Protocol
R1          Se0         *HDLC*           Up      28         L1     IS-IS
R4          Se1         *HDLC*           Up      22         L1     IS-IS
R5          Et0         0000.0c92.de4c   Up      20         L2     IS-IS

R2# show clns interface serial 0
Serial0 is up, line protocol is up
  Checksums enabled, MTU 1500, Encapsulation HDLC
  ERPDUs enabled, min. interval 10 msec.
  RDPDUs enabled, min. interval 100 msec., Addr Mask enabled
  Congestion Experienced bit set at 4 packets
  CLNS fast switching disabled
  CLNS SSE switching disabled
  DEC compatibility mode OFF for this interface
  Next ESH/ISH in 12 seconds
  Routing Protocol: IS-IS
    Circuit Type: level-1
    Interface number 0x1, local circuit ID 0x101
    Level-1 Metric: 10, Priority: 64, Circuit ID: R2.00
    Number of active level-1 adjacencies: 1
    Next IS-IS Hello in 5 seconds

R2# show clns protocol
IS-IS Router: <Null Tag>
  System Id: 0000.0000.0001.00  IS-Type: level-1-2
  Manual area address(es):
    49.0001
  Routing for area address(es):
    49.0001
  Interfaces supported by IS-IS:
    Serial0 - IP
    Ethernet0 - IP
  Redistribute:
    static (on by default)
  Distance for L2 CLNS routes: 110
  RRR level: level-1
  Generate narrow metrics: level-1-2
  Accept narrow metrics:   level-1-2
  Generate wide metrics:   none
  Accept wide metrics:     none

R1# show isis topology
IS-IS paths to level-1 routers
System Id   Metric   Next-Hop   Interface   SNPA
R1          --
R2          10       R2         Se0         *HDLC*
R4          10       R4         Se1         *HDLC*

R2# show isis topology
IS-IS paths to level-1 routers
System Id   Metric   Next-Hop   Interface   SNPA
R1          10       R1         Se0         *HDLC*
R2          --
R4          10       R4         Se1         *HDLC*
IS-IS paths to level-2 routers
System Id   Metric   Next-Hop   Interface   SNPA
R2          --
R5          10       R5         Et0         0010.7bb5.9e20
Example
• For the shown diagram (figure on the original slide: an EIGRP domain and an IS-IS domain
joined by one router) perform the following:
1- Redistribute the routes of the EIGRP domain into IS-IS as Level 1 routes with the
default seed metric.
2- Redistribute the Level 2 routes of the IS-IS domain into EIGRP with the seed metric
BW=10 Mbps, delay=100 microseconds, reliability=255, load=1, MTU=1500 bytes.

Solution
(config)#interface ……
(config-if)#ip router isis
(config-if)#end
(config)#router isis
(config-router)#net 49.0001.xxx……
(config-router)#redistribute eigrp 100 level-1
(config-router)#redistribute connected level-1
(config)#router eigrp 100
(config-router)#network ………
(config-router)#redistribute isis level-2 metric 10000 10 255 1 1500
! the EIGRP delay argument is in tens of microseconds, so 10 = 100 microseconds
(config-router)#end
#copy run start
OSPF vs. IS-IS
– OSPF is based on a central backbone (area 0) with all other areas attached to it.
  • In OSPF the area border lies inside the routers (ABRs).
  • Each link belongs to one area.
– In IS-IS the area borders lie on links.
  • Each IS-IS router belongs to exactly one area.
  • IS-IS is more flexible when extending the backbone.
– IS-IS supports both OSI and TCP/IP.
– IS-IS is more extensible through its TLV (Type, Length, Value) design.
– IS-IS has less complexity in building the database (two types of LSPs) compared with
OSPF, which has many types of LSAs.
Enhanced Interior Gateway Routing Protocol (EIGRP)
• EIGRP features:
1- Advanced distance vector protocol:
Classless, no periodic updates, multicast updates, manual summarization, triggered
partial updates on change.
2- Rapid convergence:
Uses DUAL (Diffusing Update Algorithm), which keeps a backup route for each best route
when one is available.
3- Loop-free topology:
DUAL sets conditions for choosing its best routes and backup routes, called the
feasibility condition.
4- Easy configuration:
Its origin is distance vector.
5- Seamless connectivity across all data-link layer protocols:
Works with BMA, NBMA and point-to-point protocols.
6- Reduced bandwidth waste:
No periodic updates.
7- Efficient updating:
Incremental, triggered and partial updates.
8- Support for multiple network-layer protocols:
IP, IPX and AppleTalk; EIGRP keeps separate routing, neighbor and topology tables for
each protocol.
9- Composite metric, compatible with IGRP:
The composite metric depends on bandwidth, delay, load and reliability (MTU is carried
in updates but not used in the calculation).
EIGRP metric (32 bits) = 256 * IGRP metric (24 bits)
10- Load balancing:
Across equal and unequal path costs.
• EIGRP components:
1- PDM (Protocol Dependent Module)
- Depends on the routed protocol (IP, IPX, AppleTalk).
- Allows EIGRP to adapt to the routed protocol.
- Each protocol has its own EIGRP module that operates independently of the others that
may be running. The IP-EIGRP module, for example, is responsible for sending and receiving
EIGRP packets that are encapsulated in IP. IP-EIGRP is also responsible for parsing EIGRP
packets and informing DUAL of the new information that has been received.

2- DUAL (Diffusing Update Algorithm)
- A finite state machine.
- Responsible for maintaining the routing table and the topology table using the
feasibility condition.

3- RTP (Reliable Transport Protocol)
- Provides reliability using acknowledgements (like TCP), but with a stop-and-wait
mechanism.
- RTP uses two timers:
a) SRTT (smooth round-trip time): the average time between sending a message and
receiving the acknowledgement.
b) RTO (retransmission timeout): the time RTP waits for an acknowledgement before
retransmitting the packet.
NOTE: a neighbor is declared dead after:
a) 16 unacknowledged retransmissions of a reliable packet, or
b) expiry of the hold time (no hello received).
• EIGRP terminology:
1- Neighbor table (list of all neighbors)
#show ip eigrp neighbors
2- Topology table (all routes to all destination networks; in effect, the routing tables
of all neighbors)
#show ip eigrp topology [all-links]
3- Routing table (best routes to all destination networks)
#show ip route [eigrp]
4- Successor 'S' (the best route)
5- Feasible successor 'FS' (the backup route)
6- Feasible distance 'FD' (the metric from this router to the destination)
7- Advertised distance 'AD' (the metric from the neighbor to the destination, also called
the reported distance)
• EIGRP packet types:
1- Hello packet:
- Used for neighbor discovery and to maintain the neighbor relationship.
- Sent periodically to 224.0.0.10.
- Hello interval:
5 sec on point-to-point links, broadcast media and multipoint links faster than T1
(1.544 Mbps)
60 sec on multipoint (NBMA) links of T1 speed or slower
Hold time = 3 * hello interval (15 sec or 180 sec)
2- Update packet:
- Contains the routing table at startup (sent unicast to the new neighbor).
- Contains a partial update in case of change (sent multicast to 224.0.0.10).
3- Query packet:
- Sent to 224.0.0.10 when the S is lost and there is no FS in the topology table; it
declares the failure of a route and asks the neighbors for another path.
4- Reply packet:
- The reply to a query, sent unicast.
5- Ack packet:
- Acknowledges the reliable EIGRP packets (update, query, reply); hellos and acks
themselves are not acknowledged.
Ahmed Nabil
• Operation:
At startup:
- Every router discovers its neighbors (begins establishing adjacency) using the hello
protocol.
- EIGRP routers become neighbors only if:
1- they have the same AS number,
2- they have the same K-values.
- The routers form an adjacency even if the hello and hold intervals do not match.

The debug output below displays a mismatch:
RouterA# debug eigrp packets
Mismatched adjacency values
01:39:13: EIGRP: Received HELLO on Serial0/0 nbr 10.1.1.2
01:39:13:   AS 200, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
01:39:13: K-value mismatch
- Then the router exchanges its routing table with its neighbors.
- From the routing tables of its neighbors the router forms its topology table.
- Each router applies the DUAL algorithm to its topology table to form the routing table.

Configuring EIGRP metric K-values (figure on the original slide)
The #debug eigrp packets command displays that operation:
RouterA# debug eigrp packets
Normal Hello Processing
01:38:29: EIGRP: Sending HELLO on Serial0/0
01:38:29:   AS 200, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
01:38:31: EIGRP: Received HELLO on Serial0/0 nbr 10.1.2.2
01:38:31:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
Received EIGRP Update
01:38:33: EIGRP: Received UPDATE on Serial0/0 nbr 10.1.2.2
01:38:33:   AS 2100, Flags 0x0, Seq 23/37 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
01:38:33: EIGRP: Enqueueing ACK on Serial0/0 nbr 10.1.2.2
01:38:33:   Ack seq 23 iidbQ un/rely 0/0 peerQ un/rely 1/0
01:38:33: EIGRP: Sending ACK on Serial0/0 nbr 10.1.2.2
01:38:33:   AS 200, Flags 0x0, Seq 0/23 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 1/0
01:38:33: EIGRP: Enqueueing UPDATE on Serial0/0 iidbQ un/rely 0/1 serno 75-75
01:38:33: EIGRP: Sending UPDATE on Serial0/0 nbr 10.1.2.2
01:38:33:   AS 200, Flags 0x0, Seq 38/23 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1 serno 75-75
01:38:33: EIGRP: Received ACK on Serial0/0 nbr 10.1.2.2
01:38:33:   AS 200, Flags 0x0, Seq 0/38 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1

At convergence:
- no periodic updates, only hello packets
• Hellos are sent every 5 seconds on the following links:
- broadcast media: Ethernet, Token Ring, FDDI
- point-to-point serial links: PPP, HDLC
- point-to-point subinterfaces: Frame Relay, ATM
- multipoint circuits with bandwidth greater than T1: Frame Relay, ATM, ISDN PRI
• Hellos are sent every 60 seconds on the following links:
- multipoint circuits with bandwidth less than or equal to T1: ISDN BRI, Frame Relay,
SMDS, ATM, and X.25
• The hold time by default is three times the hello time
At change:
1- If there is an FS:
If the router has an FS in its topology table, it uses it when the S fails and sends an
update to indicate that it now uses a new route.
2- If there is no FS:
The router sends a query packet to ask for another route to the destination network; the
other routers reply to the query.

The debug command below shows that action:
RouterA# debug eigrp packets
Shut down of a neighbor's interface
01:38:11: EIGRP: Received QUERY on Serial0/0 nbr 10.1.2.2
01:38:11:   AS 200, Flags 0x0, Seq 24/38 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
01:38:11: EIGRP: Enqueueing ACK on Serial0/0 nbr 10.1.2.2
01:38:11:   Ack seq 24 iidbQ un/rely 0/0 peerQ un/rely 1/0
01:38:11: EIGRP: Sending ACK on Serial0/0 nbr 10.1.2.2
01:38:11:   AS 200, Flags 0x0, Seq 0/24 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 1/0
01:38:11: EIGRP: Sending REPLY on Serial0/0 nbr 10.1.2.2
01:38:11:   AS 200, Flags 0x0, Seq 39/24 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1 serno 76-76
01:38:11: EIGRP: Received ACK on Serial0/0 nbr 10.1.2.2
01:38:11:   AS 200, Flags 0x0, Seq 0/39 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1
• Route selection:
- By applying DUAL on the topology table to build the routing (RTG) table.
- DUAL:
1- Tracks all routes advertised by neighbors.
2- Selects a loop-free path using a successor 'S' and a feasible successor 'FS'.
3- If the S is lost, the FS is used.
4- If no FS is available, it queries the neighbors and recalculates the S.
5- It can hold up to 4 routes by default and 6 as a maximum for the same destination network in the RTG table.
6- It can differentiate between different types of paths:
- internal path (Admin. Dist. = 90; symbol in the RTG table is 'D').
- summary path (Admin. Dist. = 5; symbol in the RTG table is 'D', out of interface Null0).
- external path (Admin. Dist. = 170; symbol in the RTG table is 'D EX').

• How to choose S?
- S is the route that has the least metric.
Metric = 256 * [k1*BW + (k2*BW)/(256 - load) + k3*delay] * [k5/(reliability + k4)]
(the last factor is applied only when k5 is non-zero; with k5 = 0 it is omitted)
By default, k1 = k3 = 1, k2 = k4 = k5 = 0
BW = 10^7 / BWi, where BWi = bandwidth of the interface in units of kbps
Delay = delayi / 10, where delayi = delay of the interface in microseconds (i.e. the delay in tens of microseconds)
These values can be observed with the #show interface command.
• How to choose FS?
"This is called the feasibility condition"
A route that satisfies the inequality FD(S) > AD(FS) is eligible to be the FS.
Example on EIGRP route calculation
Which path from A to D is better when using the EIGRP protocol?

(Figure: all delays in units of tens of microseconds)

• Delay is the sum of all the delays of the links along the path:
Delay = [delay in tens of microseconds] x 256
• BW is the lowest bandwidth of the links along the path:
BW = [10,000,000 / (bandwidth in kbps)] x 256
A → B → C → D: least bandwidth 64 kbps, total delay 6,000
Metric = [10^7/64 + 6000] x 256 = 41,536,000
A → X → Y → Z → D: least BW 256 kbps, total delay 8,000
Metric = [10^7/256 + 8000] x 256 = 12,048,000

Least metric is path A → X → Y → Z → D

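The metric arithmetic above, as an added Python example that is not part of the course handout: it computes the composite metric the way IOS does, with integer truncation of the 10^7/BW term, and checks it against the two slide paths and against the 2172416/28160 values shown on the offset-list page. Because of the truncation the second path comes out as 12,047,872 rather than the rounded 12,048,000 above.

```python
# Added example (not from the course handout): EIGRP composite metric as
# computed by IOS, using the K-value formula from the slide above.
# Assumptions: IOS integer arithmetic (the 10^7/BW term is truncated) and
# the default K values K1=K3=1, K2=K4=K5=0 unless overridden.

def composite_metric(min_bw_kbps, total_delay_us, load=1, reliability=255,
                     k=(1, 0, 1, 0, 0)):
    """Return the EIGRP composite metric for a path.

    min_bw_kbps    : lowest bandwidth along the path, in kbps
    total_delay_us : sum of the interface delays along the path, in microseconds
    load           : 1..255 (255 = fully loaded)
    reliability    : 1..255 (255 = 100 % reliable)
    k              : (K1, K2, K3, K4, K5)
    """
    k1, k2, k3, k4, k5 = k
    bw = 10_000_000 // min_bw_kbps      # scaled bandwidth, truncated like IOS
    delay = total_delay_us // 10        # delay in tens of microseconds
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay
    if k5 != 0:                         # reliability factor only when K5 is set
        metric = metric * k5 // (reliability + k4)
    return metric * 256


def best_path(paths):
    """paths: dict name -> (min_bw_kbps, total_delay_us). Returns (name, metric)."""
    scored = {name: composite_metric(bw, delay) for name, (bw, delay) in paths.items()}
    winner = min(scored, key=scored.get)
    return winner, scored[winner]


# Constructed input: the two paths from the slide. The slide gives delays in
# tens of microseconds, so 6,000 -> 60,000 us and 8,000 -> 80,000 us.
SLIDE_PATHS = {
    "A-B-C-D": (64, 60_000),
    "A-X-Y-Z-D": (256, 80_000),
}

if __name__ == "__main__":
    for name, (bw, delay) in SLIDE_PATHS.items():
        print(f"{name:10s} metric = {composite_metric(bw, delay):,}")
    print("successor path:", best_path(SLIDE_PATHS))
    # Values from the offset-list page: a 1544 kbps link with 20100 us of
    # delay gives FD 2172416; the 100000 kbps / 100 us hop behind it gives
    # the RD of 28160.
    print(composite_metric(1544, 20_100), composite_metric(100_000, 100))
```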
Offset Lists

EIGRP Offset Lists, the final tool for manipulating the EIGRP metrics, allow an engineer to simply add a value (an offset, if you will) to the calculated integer metric for a given prefix. To do so, an engineer can create and enable an EIGRP Offset List that defines the value to add to the metric, plus some rules regarding which routes should be matched and therefore have the value added to their computed FD.
An Offset List can perform the following functions:
■ Match prefixes/prefix lengths using an IP ACL, so that the offset is applied only to routes matched by the ACL with a permit clause
■ Match the direction of the Update message, either sent (out) or received (in)
■ Match the interface on which the Update is sent or received
■ Set the integer metric added to the calculation for both the FD and RD calculations for the route
The configuration itself uses the following command in EIGRP configuration mode, in addition to any referenced IP ACLs:
(config-router)#offset-list {access-list-number | access-list-name} {in | out} offset [interface-type interface-number]

Example:
WAN1(config)#access-list 11 permit 10.11.1.0
WAN1(config)#router eigrp 1
WAN1(config-router)#offset-list 11 in 3 Serial0/0/0.1
WAN1(config-router)#end
Mar 2 11:34:36.667: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.1.2 (Serial0/0/0.1) is resync: peer graceful-restart
Before using the offset list:
WAN1#show ip eigrp topo 10.11.1.0/24
IP-EIGRP (AS 1): Topology entry for 10.11.1.0/24
State is Passive, Query origin flag is 1, 1 Successor(s), FD is 2172416
Routing Descriptor Blocks:
10.1.1.2 (Serial0/0/0.1), from 10.1.1.2, Send flag is 0x0
Composite metric is (2172416/28160), Route is Internal

After applying the offset list:
WAN1#show ip eigrp topo 10.11.1.0/24
IP-EIGRP (AS 1): Topology entry for 10.11.1.0/24
State is Passive, Query origin flag is 1, 1 Successor(s), FD is 2172416
Routing Descriptor Blocks:
10.1.1.2 (Serial0/0/0.1), from 10.1.1.2, Send flag is 0x0
Composite metric is (2172419/28163), Route is Internal
Vector metric:
Minimum bandwidth is 1544 Kbit
Total delay is 20100 microseconds
Reliability is 255/255
Load is 1/255
Minimum MTU is 1500
Hop count is 1
! output omitted for brevity

The offset-list 11 in 3 s0/0/0.1 command tells Router WAN1 to examine all EIGRP Updates received on S0/0/0.1, and if prefix 10.11.1.0 is found, add 3 to the computed FD and RD for that prefix.

DUAL Example:

Stable network.

The link between B and D fails, so D loses its best path to network 10.1.1.0/24.

D sends a query to its existing neighbors (C and E) asking for a new path and announcing the link failure from its side.

C answers with a reply carrying a worse, but valid, path, while E queries C.
D cannot take any decision until all queries are replied to.
C also replies to E, announcing the existence of its path to 10.1.1.0/24.

The replies return to D, so D can finally take a decision.

The network has re-converged again through the DUAL process.
• Query problem:
- The router has to get all the replies from the neighbors with an outstanding query before it calculates the successor information.
- If any neighbor fails to reply to the query, the route becomes Stuck In Active (SIA).
- Contrary to popular belief, queries are not bounded by AS boundaries. Queries from AS 1 are propagated to AS 2.

• Solutions (query limiting or query scoping)

1- SIA timer (3 min.)
If the router is Stuck In Active because of a neighbor, it will wait 3 min. and then:
a) Reset its neighbor relationship.
b) Re-establish the neighborship process.
This method in some cases is considered rude.
New EIGRP messages were introduced: SIA-Query and SIA-Reply.
Active Process Enhancement
Before: Router A resets its relationship to router B when the normal active timer expires. However, the problem is the link between router B and C.
After: Router A sends an SIA-Query at half of the normal active timer. Router B acknowledges the query, thereby keeping the relationship up.

The previous figure on the left illustrates what would
happen before this feature was introduced. Router A
sends a query for network 10.1.1.0/24 to router B.
Router B has no entry for this network, so it queries
router C. If problems exist between router B and C, the
reply packet from router C to router B may be delayed
or lost. Router A has no visibility of downstream
progress and
assumes that the lack of response indicates problems
with router B. After the router A 3-minute active timer
expires, the neighbor relationship with router B is
reset, along with all known routes from router B.
By contrast, with the active process enhancement
feature, router A queries downstream router B (with an
SIA-Query) at the midway point of the active timer (1.5
minutes by default) about the status of the route.
Router B responds (with an SIA-Reply) that it is
searching for a replacement route. Upon receiving this
SIA-Reply response packet, router A validates the
status of router B and does not terminate the neighbor
relationship.
Meanwhile router B sends up to three SIA-Queries to
router C. If they go unanswered, router B
terminates the neighbor relationship with router C.
Router B then updates router A with an
SIA-Reply indicating that the network 10.1.1.0/24 is
unreachable. Routers A and B remove the
active route from their topology tables. The neighbor
relationship between routers A and B
remains intact.
2- Using summarization
(config-if)# ip summary-address eigrp <AS> <address> <mask>

(Figure: the router that received only the summary says "You have just given me the summary, so I don't know the specific subnet 172.30.1.0/24".)

3- Graceful Shutdown
Graceful shutdown, implemented with
the goodbye message feature, is
designed to improve
EIGRP network convergence.
In the figure, router A is using router B
as the successor for a number of
routes; router C is the feasible
successor for the same routes.
Router B normally would not tell router A if the EIGRP
process on router B was going down; for example, if router B was
being reconfigured. Router A would have to wait for its hold timer to
expire before it would discover the change and react to it. Packets
sent during this time would be lost.
With graceful shutdown, the goodbye message is broadcast when an
EIGRP routing process is shut down to inform adjacent peers about
the impending topology change. This feature allows
supporting EIGRP peers to synchronize and recalculate neighbor
relationships more efficiently than would occur if the peers
discovered the topology change after the hold timer expired.
Goodbye messages are sent in hello packets. EIGRP sends an
interface goodbye message with all K values set to 255 when taking
down all peers on an interface. The following message is displayed
by routers that support goodbye messages when one is received:
*Apr 26 13:48:42.523: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1:
Neighbor 10.1.1.1 (Ethernet0/0) is down: Interface Goodbye received
A Cisco router that runs a software release that does not support the
goodbye message will misinterpret the message as a K-value
mismatch and therefore display the following message:
*Apr 26 13:48:41.811: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1:
Neighbor 10.1.1.1 (Ethernet0/0) is down: K-value mismatch
Note The receipt of a goodbye message by a peer that does not
support this feature does not disrupt normal network operation. The
peer will terminate the session when the hold timer expires. The
sending and receiving routers will reconverge normally after the
sender reloads.
4- Defining stub networks
If network 10.1.1.0/24 in a topology like the one shown below fails, all routers will be Stuck In Active waiting for each other's replies.

Configure the remote routers as stubs, so that queries are sent to non-stub routers only.
(config-router)#eigrp stub [receive-only | connected | static | summary]
• receive-only: Prevents the stub from sending any type of route.
• connected: Permits the stub to send connected routes (may still need to redistribute).
• static: Permits the stub to send static routes (must still redistribute).
• summary: Permits the stub to send summary routes.
• Default is connected and summary.

Example: eigrp stub Parameters

If stub connected is configured:
• B will advertise 10.1.2.0/24 to A.
• B will not advertise 10.1.2.0/23, 10.1.3.0/23, or 10.1.4.0/24.
If stub summary is configured:
• B will advertise 10.1.2.0/23 to A.
• B will not advertise 10.1.2.0/24, 10.1.3.0/24, or 10.1.4.0/24.
If stub static is configured:
• B will advertise 10.1.4.0/24 to A.
• B will not advertise 10.1.2.0/24, 10.1.2.0/23, or 10.1.3.0/24.
If stub receive-only is configured:
• B will not advertise anything to A, so A needs to have a static route to the networks behind B to reach them.
• Configuration:
(config)# router eigrp <AS no.>
! Up to 32 EIGRP processes (AS numbers) can be configured on the same router
(config-router)# network <ip> [<wildcard mask>]

Auto and Manual summary:
(config-router)# no auto-summary
(config-if)# ip summary-address eigrp <AS> <ip> <mask> [admin distance]

• Summarization is configurable on a per-interface basis in any router within a network.
• When summarization is configured on an interface, the router immediately creates a route pointing to Null0.
– Loop-prevention mechanism
• When the last specific route of the summary goes away, the summary is deleted.
• The minimum metric of the specific routes is used as the metric of the summary route.
RouterC#show ip route
<output omitted>
Gateway of last resort is not set
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
D 172.16.0.0/16 is a summary, 00:00:04, Null0
D 172.16.1.0/24 [90/156160] via 10.1.1.2, 00:00:04, FastEthernet0/0
D 172.16.2.0/24 [90/20640000] via 10.2.2.2, 00:00:04, Serial0/0/1
C 192.168.4.0/24 is directly connected, Serial0/0/0
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C 10.2.2.0/24 is directly connected, Serial0/0/1
C 10.1.1.0/24 is directly connected, FastEthernet0/0
D 10.0.0.0/8 is a summary, 00:00:05, Null0
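The summary-route rules above applied to RouterC's routing table, as an added Python example that is not from the handout; the metrics of the connected routes are constructed values, since show ip route does not display them.

```python
# Added example (not from the course handout): the EIGRP summary-route
# rules from the slide above applied to RouterC's routing table.
# Assumption: a route is (prefix, metric, next_hop); the metrics of the
# connected routes are constructed because show ip route does not show them.
from ipaddress import ip_network


def summary_route(summary_prefix, routing_table):
    """Return (summary, metric, 'Null0') for an installed summary, or None.

    Only routes that fall inside the summary and are more specific than it
    contribute. When the last such route disappears the summary is deleted,
    and while it exists its metric is the minimum metric of the specifics.
    The Null0 next hop is the loop-prevention discard route.
    """
    summ = ip_network(summary_prefix)
    specifics = [metric for prefix, metric, _ in routing_table
                 if ip_network(prefix) != summ and ip_network(prefix).subnet_of(summ)]
    if not specifics:
        return None
    return (str(summ), min(specifics), "Null0")


def with_summaries(routing_table, summaries):
    """The routing table plus every summary that is currently installable."""
    table = list(routing_table)
    for summary_prefix in summaries:
        entry = summary_route(summary_prefix, routing_table)
        if entry is not None:
            table.append(entry)
    return table


# RouterC's table from the show ip route output above. The connected-route
# metrics are constructed (FastEthernet 28160, 128 kbps serial 20512000).
ROUTER_C = [
    ("172.16.1.0/24", 156160, "10.1.1.2"),
    ("172.16.2.0/24", 20640000, "10.2.2.2"),
    ("10.1.1.0/24", 28160, "FastEthernet0/0"),
    ("10.2.2.0/24", 20512000, "Serial0/0/1"),
    ("192.168.4.0/24", 20512000, "Serial0/0/0"),
]

if __name__ == "__main__":
    for route in with_summaries(ROUTER_C, ["172.16.0.0/16", "10.0.0.0/8"]):
        print(route)
    # Withdraw both 172.16.x.0/24 routes: the summary goes away with them.
    remaining = [r for r in ROUTER_C if not r[0].startswith("172.16.")]
    print(summary_route("172.16.0.0/16", remaining))
```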
Timers:
Hello & hold (dead) timers
(config-if)# ip hello-interval eigrp <AS> <sec>
(config-if)# ip hold-time eigrp <AS> <sec>

Stuck In Active timer
(config-router)# timers active-time {<minutes> | disabled}
• EIGRP load sharing:
(config-router)# traffic-share balanced
(config-router)# variance <multiplier>
Default multiplier = 1. There can be up to six entries in the routing table for the same destination.
(config-router)# maximum-paths <number>
Default 4, max 16 or more.

• Router E chooses router C to get to network Z because FD = 20.
• With a variance of 2, router E also chooses router B to get to network Z: (20 + 10 = 30) < [2 x FD = 40].
• Router D is not used to get to network Z (45 > 40).
Note: Even if a path falls within the variance multiplier, it cannot be used for load sharing unless it also satisfies the feasibility condition (AD(FS) < FD(S)).
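Successor, feasible-successor and variance selection from the route-selection slide and the load-sharing slide above, as an added Python example that is not from the handout. The FD values for router E are the slide's 20/30/45, the RDs are constructed, and a fourth neighbor F is invented to show a path that passes the variance check but fails the feasibility condition.

```python
# Added example (not from the course handout): DUAL successor / feasible
# successor selection plus variance-based unequal-cost load sharing.
# Assumptions: topology entries are (neighbor, FD via that neighbor, RD
# advertised by that neighbor); the numbers below are the load-sharing
# slide's FDs with constructed RDs and an invented neighbor F.

def select_paths(candidates, variance=1, max_paths=4):
    """Apply DUAL to one destination's topology entries.

    candidates: list of (neighbor, fd, rd)
    Returns the successor, the feasible successors (entries passing the
    feasibility condition RD < FD(successor)), and the paths installed for
    load sharing: the successor plus any feasible successor whose own FD is
    below variance * FD(successor), capped at max_paths entries.
    """
    if not candidates:
        return {"successor": None, "feasible_successors": [], "installed": []}
    successor = min(candidates, key=lambda c: c[1])
    fd_s = successor[1]
    feasible = [c for c in candidates
                if c is not successor and c[2] < fd_s]   # feasibility condition
    installed = [successor] + [c for c in feasible if c[1] < variance * fd_s]
    installed = sorted(installed, key=lambda c: c[1])[:max_paths]
    return {
        "successor": successor[0],
        "feasible_successors": [c[0] for c in feasible],
        "installed": [c[0] for c in installed],
    }


def on_successor_loss(candidates, lost_neighbor):
    """React to the successor going away the way DUAL does.

    Returns ("successor", name) when a feasible successor is promoted
    without any query, or ("query", None) when the router has no FS and
    must go active and query its neighbors.
    """
    if select_paths(candidates)["feasible_successors"]:
        remaining = [c for c in candidates if c[0] != lost_neighbor]
        return ("successor", select_paths(remaining)["successor"])
    return ("query", None)


# Constructed topology entries for network Z as seen by router E:
#   C: FD 20 (successor), B: FD 30 with RD 10, D: FD 45 with RD 15,
#   F: FD 35 but RD 25 -> fails the feasibility condition.
NETWORK_Z = [("C", 20, 5), ("B", 30, 10), ("D", 45, 15), ("F", 35, 25)]

if __name__ == "__main__":
    print(select_paths(NETWORK_Z))              # variance 1: C only
    print(select_paths(NETWORK_Z, variance=2))  # C and B; D (45 > 40) and F excluded
    print(on_successor_loss(NETWORK_Z, "C"))    # B promoted, no query needed
```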
Using the default network command:

By default EIGRP uses 50% of the link BW for its updates.
EIGRP supports different WAN links:

• Point-to-point links
EIGRP treats the bandwidth as T1 by default, so it is better to manually configure the bandwidth as the real BW, using
(config-if)#bandwidth <BW in units of kbps>

• ISDN PRI
EIGRP uses the bandwidth on the main interface divided by the number of neighbors on that interface to get the bandwidth information per neighbor.

• NBMA
- Point-to-point links
EIGRP treats the bandwidth as T1 by default, so it is better to manually configure the bandwidth as the CIR of the PVC.
- Multipoint links (Frame Relay, ATM, Switched Multimegabit Data Service (SMDS))
EIGRP uses the bandwidth on the main interface divided by the number of neighbors on that interface to get the bandwidth information per neighbor.
So for multipoint interfaces with non-uniform CIRs, convert to a point-to-point configuration or manually configure the bandwidth by multiplying the lowest CIR by the number of PVCs.
NBMA point-to-point links: configure the BW of the PVC on each subinterface.

NBMA multipoint links with non-uniform CIRs for the PVCs:
Configure the lowest-CIR VC as point-to-point and specify BW = CIR.
Configure the higher-CIR VCs as multipoint and combine their CIRs.

To change the BW percentage to be used by updates:
(config-if)# ip bandwidth-percent eigrp <AS> <percentage>
Default percent = 50.
Router Authentication
• Many routing protocols support authentication such that a
router authenticates the source of each routing update
packet that it receives.
• Simple password authentication is supported by:
– IS-IS
– OSPF
– RIPv2
• MD5 authentication is supported by:
– OSPF
– RIPv2
– BGP
– EIGRP
Simple Password vs. MD5 Authentication
• Simple password authentication:
– Router sends packet and key.
– Neighbor checks whether key matches its key.
– Process not secure.
• MD5 authentication:
– Configure a key (password) and key ID; router generates a
message digest, or hash, of the key, key ID and message.
– Message digest is sent with packet; key is not sent.
– Process is secure.
EIGRP MD5 authentication:
• Router generates a message digest, or hash, of the key,
key ID, and message.
• EIGRP allows keys to be managed using key chains.
• Specify key ID (number), key, and lifetime of key.
• First valid activated key, in order of key numbers, is used.

Configuring EIGRP MD5 Authentication
Router(config-if)# ip authentication mode eigrp autonomous-system md5
• Specifies MD5 authentication for EIGRP packets
Router(config-if)# ip authentication key-chain eigrp autonomous-system name-of-chain
• Enables authentication of EIGRP packets using a key in the key chain

Router(config)# key chain name-of-chain
• Enters configuration mode for the key chain
Router(config-keychain)# key key-id
• Identifies the key and enters configuration mode for the key ID
Router(config-keychain-key)# key-string text
• Identifies the key string (password)

Router(config-keychain-key)# accept-lifetime start-time {infinite | end-time | duration seconds}
• Optional: Specifies when the key will be accepted for received packets
Router(config-keychain-key)# send-lifetime start-time {infinite | end-time | duration seconds}
• Optional: Specifies when the key can be used for sending packets

Note: If the service password-encryption command is not used when implementing EIGRP authentication, the key string will be stored as plaintext in the router configuration. If you configure the service password-encryption command, the key string will be stored and displayed in an encrypted form; when it is displayed, there will be an encryption type of 7 specified before the encrypted key string.

EIGRP Authentication Configuration Checklist
The EIGRP authentication configuration process requires several
commands, which are summarized as follows:
Step 1. Create an (authentication) key chain:
Create the chain and give it a name with the key chain name global
command (also puts the user into key chain config mode). The name
does not have to match on the neighboring routers.
Create one or more key numbers using the key number command in
key chain configuration mode. The key numbers do not have to
match on the neighboring routers.
Define the authentication key's value using the key-string value command in key configuration mode. The key strings must match on the neighboring routers.
(Optional) Define the lifetime (time period) for both sending and
accepting each key string.
Step 2. Enable EIGRP MD5 authentication on an interface, for a
particular EIGRP ASN, using the ip authentication mode eigrp asn
md5 interface subcommand.
Step 3. Refer to the correct key chain to be used on an interface
using the ip authentication key-chain eigrp asn name-of-chain
interface subcommand.
The configuration at Step 1 is fairly detailed, but Steps 2 and 3 are
relatively simple. Essentially, IOS configures the key values
separately (Step 1) and then requires an interface subcommand
to refer to the key values. To support the ability to have multiple
keys, and even multiple sets of keys, the configuration includes the
concept of a key chain and multiple keys on each key chain.
Key Chain Time-Based Logic
The key chain configuration concept, as outlined in Step 1, allows the engineer to migrate from one key value to another over time. Just like a real key chain that has multiple keys, the IOS key chain concept allows the configuration of multiple keys, each identified with a number. If no lifetime has been configured for a key, it is considered to be valid during all time frames. However, when a key has been defined with a lifetime, the key is valid only during the valid lifetime.
The existence of multiple keys in a key chain, and the existence of valid lifetimes for each key, can cause some confusion about when the keys are used. The rules can be summarized as follows:
■ Sending EIGRP messages: Use the lowest key number among all currently valid keys.
■ Receiving EIGRP messages: Check the MD5 digest using ALL currently valid keys.

For example, consider the case shown in the figure. The figure represents the logic in a single router, Router R1, both when receiving and sending EIGRP messages on the right.
The figure shows a key chain with four keys. All the keys have lifetimes configured. Key 1's lifetime has passed, making it invalid. Key 4's lifetime has yet to begin, making it invalid. However, keys 2 and 3 are both currently valid.

The figure shows that the EIGRP message sent by Router R1 uses key 2, and key 2 only. Keys 1 and 4 are ignored because they are currently invalid; R1 then simply chooses the lowest-numbered key among the two valid keys. The figure also shows that R1 processes the received EIGRP message using both key 2 and key 3, because both are currently valid.
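The send and receive rules above applied to the R1chain keys of the example configuration that follows, as an added Python example that is neither the handout's nor Cisco's code. It assumes a simplified digest (MD5 over the packet bytes followed by the key string) rather than the exact EIGRP authentication TLV layout, and uses naive datetimes for the lifetimes.

```python
# Added example (not from the course handout): IOS key-chain time-based
# logic for EIGRP MD5 authentication, using the R1chain keys from the
# example configuration. Assumptions: the digest is a simplified
# MD5(packet || key-string) stand-in, not the real EIGRP TLV; times are
# naive datetimes; send-lifetime and accept-lifetime are half-open ranges.
import hashlib
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

INFINITE = datetime.max


@dataclass
class Key:
    key_id: int
    key_string: str
    accept_start: datetime
    accept_end: datetime = INFINITE
    send_start: datetime = datetime.min
    send_end: datetime = INFINITE

    def valid_for_send(self, now):
        return self.send_start <= now < self.send_end

    def valid_for_accept(self, now):
        return self.accept_start <= now < self.accept_end


def digest(packet: bytes, key_string: str) -> str:
    # Simplified stand-in for the EIGRP MD5 authentication digest.
    return hashlib.md5(packet + key_string.encode()).hexdigest()


def send_key(chain, now) -> Optional[Key]:
    """Sending: use the lowest key number among all currently valid keys."""
    valid = [k for k in chain if k.valid_for_send(now)]
    return min(valid, key=lambda k: k.key_id) if valid else None


def sign(chain, packet: bytes, now):
    """Return (key id, digest) for an outgoing packet, like the sending router."""
    k = send_key(chain, now)
    if k is None:
        raise RuntimeError("no key currently valid for sending")
    return k.key_id, digest(packet, k.key_string)


def verify(chain, packet: bytes, key_id: int, received_digest: str, now) -> bool:
    """Receiving: check the digest against ALL currently valid keys.

    The key id carried in the packet is tried first; a match with any
    accept-valid key string is enough to accept the packet.
    """
    valid = [k for k in chain if k.valid_for_accept(now)]
    valid.sort(key=lambda k: k.key_id != key_id)   # announced id first
    return any(digest(packet, k.key_string) == received_digest for k in valid)


def r1_chain():
    """R1chain from the example: key 1 is sent for one minute only but
    accepted forever; key 2 is sent and accepted forever."""
    t0 = datetime(2006, 1, 1, 4, 0, 0)
    return [
        Key(1, "firstkey", accept_start=t0, send_start=t0,
            send_end=datetime(2006, 1, 1, 4, 1, 0)),
        Key(2, "secondkey", accept_start=t0, send_start=t0),
    ]


# Constructed instants: before both lifetimes, inside key 1's send window,
# and after key 1's send-lifetime has ended.
T_BEFORE = datetime(2006, 1, 1, 3, 59, 0)
T_EARLY = datetime(2006, 1, 1, 4, 0, 30)
T_LATE = datetime(2006, 1, 1, 4, 2, 0)

if __name__ == "__main__":
    chain = r1_chain()
    hello = b"EIGRP HELLO AS100"              # constructed packet body
    print(sign(chain, hello, T_EARLY))       # key 1 while its send window is open
    print(sign(chain, hello, T_LATE))        # key 2 once key 1 has expired
    kid, d = sign(chain, hello, T_EARLY)
    print(verify(chain, hello, kid, d, T_LATE))                         # True: key 1 still accepted
    print(verify(chain, hello, 2, digest(hello, "wrongkey"), T_LATE))  # False: auth failure
```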
Example MD5 Authentication Configuration

R1
<output omitted>
key chain R1chain
 key 1
  key-string firstkey
  accept-lifetime 04:00:00 Jan 1 2006 infinite
  send-lifetime 04:00:00 Jan 1 2006 04:01:00 Jan 1 2006
 key 2
  key-string secondkey
  accept-lifetime 04:00:00 Jan 1 2006 infinite
  send-lifetime 04:00:00 Jan 1 2006 infinite
<output omitted>
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0
!
interface Serial0/0/1
 bandwidth 64
 ip address 192.168.1.101 255.255.255.224
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 R1chain
!
router eigrp 100
 network 172.16.1.0 0.0.0.255
 network 192.168.1.0
 auto-summary

R2
<output omitted>
key chain R2chain
 key 1
  key-string firstkey
  accept-lifetime 04:00:00 Jan 1 2006 infinite
  send-lifetime 04:00:00 Jan 1 2006 infinite
 key 2
  key-string secondkey
  accept-lifetime 04:00:00 Jan 1 2006 infinite
  send-lifetime 04:00:00 Jan 1 2006 infinite
<output omitted>
interface FastEthernet0/0
 ip address 172.17.2.2 255.255.255.0
!
interface Serial0/0/1
 bandwidth 64
 ip address 192.168.1.102 255.255.255.224
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 R2chain
!
router eigrp 100
 network 172.17.2.0 0.0.0.255
 network 192.168.1.0
 auto-summary

Note: R1 key id 1 will expire after 1 minute for sent updates.
R1#debug eigrp packets
EIGRP Packets debugging is on
(UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
*Jan 21 16:38:51.745: EIGRP: received packet with MD5 authentication, key id = 1
*Jan 21 16:38:51.745: EIGRP: Received HELLO on Serial0/0/1 nbr 192.168.1.102
*Jan 21 16:38:51.745: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0

R2#debug eigrp packets
EIGRP Packets debugging is on
(UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
R2#
*Jan 21 16:38:38.321: EIGRP: received packet with MD5 authentication, key id = 2
*Jan 21 16:38:38.321: EIGRP: Received HELLO on Serial0/0/1 nbr 192.168.1.101
*Jan 21 16:38:38.321: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
Note: R1 key id 1 has expired for sent updates, so R1 now sends with key id 2; that is why R2 reports key id 2.
R1#
*Jan 21 16:23:30.517: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.102
(Serial0/0/1) is up: new adjacency

R1#show ip eigrp neighbors


IP-EIGRP neighbors for process 100
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 192.168.1.102 Se0/0/1 12 00:03:10 17 2280 0 14
R1#show ip route
<output omitted>
Gateway of last resort is not set
D 172.17.0.0/16 [90/40514560] via 192.168.1.102, 00:02:22, Serial0/0/1
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
D 172.16.0.0/16 is a summary, 00:31:31, Null0
C 172.16.1.0/24 is directly connected, FastEthernet0/0
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.96/27 is directly connected, Serial0/0/1
D 192.168.1.0/24 is a summary, 00:31:31, Null0
R1#ping 172.17.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.17.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/15/16 ms

R1(config)#key chain R1chain
R1(config-keychain)#key 2
R1(config-keychain-key)#key-string wrongkey

R2#debug eigrp packets


EIGRP Packets debugging is on
(UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
R2#
*Jan 21 16:50:18.749: EIGRP: pkt key id = 2, authentication mismatch
*Jan 21 16:50:18.749: EIGRP: Serial0/0/1: ignored packet from 192.168.1.101, opcode = 5 (invalid authentication)
*Jan 21 16:50:18.749: EIGRP: Dropping peer, invalid authentication
*Jan 21 16:50:18.749: EIGRP: Sending HELLO on Serial0/0/1
*Jan 21 16:50:18.749: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Jan 21 16:50:18.753: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.101
(Serial0/0/1) is down: Auth failure

R2#show ip eigrp neighbors


IP-EIGRP neighbors for process 100
R2#

• Troubleshooting:
#show ip route

RouterA# show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP,


D - EIGRP, EX - EIGRP external, O - OSPF,
(text omitted)
* - candidate default,
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 1 subnets
D 172.16.1.0 [90/10639872] via 10.1.2.2, 06:04:01, Serial0/0
10.0.0.0/24 is subnetted, 4 subnets
D 10.1.3.0 [90/10514432] via 10.1.2.2, 05:54:47, Serial0/0
D 10.3.1.0 [90/10639872] via 10.1.2.2, 06:19:41, Serial0/0
C 10.1.2.0 is directly connected, Serial0/0
C 10.1.1.0 is directly connected, Ethernet0/0

#show ip eigrp topology [all-links]


RouterA# show ip eigrp topology

IP-EIGRP Topology Table for AS(100)/ID(10.1.2.1)


Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status
P 10.1.3.0/24, 1 successors, FD is 10514432
via 10.1.2.2 (10514432/28160), Serial0/0
P 10.3.1.0/24, 1 successors, FD is 10639872
via 10.1.2.2 (10639872/384000), Serial0/0
P 10.1.2.0/24, 1 successors, FD is 10511872
via Connected, Serial0/0
P 10.1.1.0/24, 1 successors, FD is 2190
via Connected, Ethernet0/0
P 172.16.1.0/24, 1 successors, FD is 10639872
via 10.1.2.2 (10639872/384000), Serial0/0

#show ip protocols
RouterA# show ip protocols

Routing Protocol is "eigrp 100"


Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Default networks flagged in outgoing updates
Default networks accepted from incoming updates
EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
EIGRP maximum hopcount 100
EIGRP maximum metric variance 1
Redistributing: eigrp 100
Automatic network summarization is not in effect
Maximum path: 4
Routing for Networks:
10.1.0.0/16
10.0.0.0
Routing Information Sources:
Gateway Distance Last Update
10.1.2.2 90 05:50:13
Distance: internal 90 external 170

#show ip eigrp neighbors

#show ip eigrp traffic


#debug eigrp packets [query | reply | update]
#debug ip eigrp
Verifying EIGRP Operations:
Stable Network

RouterA# debug ip eigrp
IP-EIGRP Route Events debugging is on
01:57:23: IP-EIGRP: Processing incoming UPDATE packet
01:57:23: IP-EIGRP: Int 172.16.1.0/24 M 10639872 - 9999872 640000 SM 384000 - 256000 128000

– Router A receives an update packet from router B that contains internal (Int) network 172.16.1.0/24.
– Feasible distance = router A's cost to get to 172.16.1.0/24: 10639872 = 9999872 + 640000
– Advertised distance = the metric router B sent to router A to reach 172.16.1.0/24: SM (source metric) = 384000 = 256000 + 128000
– EIGRP metric (10639872) = bandwidth (9999872) + delay (640000).

Verifying EIGRP Operations:
Unstable Network
RouterA# debug ip eigrp
IP-EIGRP Route Events debugging is on

• Shut down an EIGRP neighbor interface for network 172.16.1.1/24.
• Router A receives a query from router B looking for a lost path.

01:56:57: IP-EIGRP: Processing incoming QUERY packet
01:56:57: IP-EIGRP: Int 172.16.1.0/24 M 4294967295 - 0 4294967295 SM 4294967295 - 0 4294967295

• The metric of 4294967295 is the highest possible value for a metric. It signifies that router B is telling router A that network 172.16.1.0/24 is no longer reachable through router B, and it checks whether router A has an alternate path to that network.

01:56:57: IP-EIGRP: 172.16.1.0/24 routing table not updated
01:56:57: IP-EIGRP: 172.16.1.0/24 - not in IP routing table
• Router A realizes that if it cannot use B for 172.16.1.0/24, it does not have an entry in the routing table to get to that network.

01:56:57: IP-EIGRP: Int 172.16.1.0/24 metric 4294967295 - 0 4294967295

• Router A sends an update to router B saying that it does not know how to reach that route either.

BGP
(Border Gateway Protocol)

Overview
• BGPv4 is an Exterior Gateway Protocol (EGP) that can exchange routing updates between different Autonomous Systems, so it operates mainly at the border of an AS.
• BGP is not designed to choose paths based on bandwidth, delay and other metrics; paths are chosen based on policy attributes.
• An AS is a collection of networks under a single technical administration. An AS is identified by a unique number between 1 and 65535. The range 64512 - 65535 is reserved for private use.
IGPs work within an AS.

When is BGP not appropriate?
1- Single connection to the Internet or to another AS
2- Lack of memory and processing power to handle updates
3- Low bandwidth between ASs
4- Limited understanding of route filtering and the BGP path selection process
When is BGP most appropriate?
1- An AS allows packets to transit through it to reach other ASs (e.g. a Service Provider)
2- An AS has multiple connections to other ASs
3- Routing policy and route selection for traffic entering or leaving the AS must be manipulated
BGP C/Cs (characteristics)
• BGP is a path vector protocol (advanced distance vector).
(IGPs announce networks and describe the cost to reach those networks; BGP announces pathways and the networks that are reachable at the end of the pathway. BGP describes the pathway by using attributes, which are similar to metrics.)

• Reliable updates: BGP runs on top of TCP port 179.
• The full BGP table is exchanged at start-up.
• Incremental batched updates are sent every 30 sec on change.
• BGP has no method for dynamic neighbor discovery; all neighbors must be configured manually using the neighbor command.
• Updates are sent to the unicast addresses of the statically configured neighbors.
• Periodic keepalive messages verify TCP connectivity.
• Uses rich metrics called path attributes.
• Designed to scale to huge internetworks.
• Supports VLSM & CIDR (classless).
• Loop free (uses BGP split horizon and the AS path list to avoid loops inside an AS and between ASs).
• Its symbol in the routing table is B.
• External BGP has admin. distance 20.
• Internal BGP has admin. distance 200.
• BGP allows administrators to define policies or rules for how data will flow through the Autonomous Systems.
BGP Tables
1- Neighbor table:
List of BGP neighbors, "BGP peers" (configured statically with the neighbor command and reachable)

2- BGP forwarding database table:
- List of all networks learned from each neighbor
- Contains multiple paths to destination networks, with attributes for each path
- The best paths in that table are advertised to neighbors in routing updates

3- IP routing table
List of the best paths to destination networks

BGP messages
1- Open message
Used to open a BGP session with a neighbor (includes the hold time and the BGP router ID)

2- Keepalive message
Periodic message sent to keep the TCP session alive

3- Update message
Contains information about destination networks and the attributes to reach these networks

4- Notification message
Sent to indicate that an error condition has been detected by a certain router (e.g. memory or CPU error)
BGP neighbor states
• A BGP peer, also known as a BGP neighbor, is a specific term that is used for BGP speakers that have established a neighbor relationship.
• Any two routers that have formed a TCP connection to exchange BGP routing information are called peers or neighbors.

BGP starts its operation when neighbors are statically defined, using the neighbor command.
External BGP
• When BGP neighbors belong to different autonomous systems they are called EBGP neighbors.
• EBGP neighbors, by default, need to be directly connected.
Internal BGP
• IBGP refers to the presence of BGP neighbors within the same AS.
• The neighbors do not have to be directly connected, because they can be reached through an IGP.
Configuring BGP neighbors

(Figure: C configures A as an eBGP neighbor; A configures B as an iBGP neighbor and C as an eBGP neighbor; B configures A as an iBGP neighbor.)
BGP Start-up Operation
after the neighbor command is entered:
(config)#router bgp <as#>
(config-router)#neighbor <neighbor ip> remote-as <neighbor as#>
Idle state:
the router is searching the IP routing table to see if a route exists to reach the neighbor
Connect state:
the router found a route and has completed the TCP 3-way handshake
Open sent:
an open message is sent
Active state:
waiting for confirmation of the parameters to establish the session
Open confirm:
agreement on the parameters to establish the session is received
Established state:
peering is formed and routing exchange begins

RouterA# debug ip bgp events
BGP events debugging is on
BGP : 172.16.1.2 passive open
BGP : 172.16.1.2 went from idle to connect
BGP : 172.16.1.2 open rcvd, version 4
BGP : 172.16.1.2 went from connect to open sent
BGP : 172.16.1.2 sending open, version 4
BGP : 172.16.1.2 went from open sent to open confirm
BGP : Scanning routing tables
BGP : 172.16.1.2 went from open confirm to established

Why could a router be stuck in the Active state?
• Neighbor peering with the wrong address
• Neighbor does not have a neighbor statement for this router
• Neighbor does not have a route to the source IP address of the BGP open packet generated by this router
Understanding BGP Requirements
1-BGP runs on the borders of the AS, but no IGP
[Figure: update about 11.0.0.0 to be sent from B to E across AS 65102, which runs no IGP]
• B has E in its neighbor table (using the neighbor command), but for B to send an update about 11.0.0.0 to E, the update is encapsulated in a packet with the destination IP of E. There is no IGP running in AS 65102, so B cannot find a path to E in its routing table, and B will drop any updates going to E.
• Conclude:
An IGP must run inside the AS so that the BGP neighbors are reachable.
2-BGP runs on the borders and an IGP inside the AS
[Figure: 1-Update about 11.0.0.0 from A to B; 2-Routing table: 11.0.0.0 via B; 3-Update 11.0.0.0; 4-Routing tables of C and D: no BGP; 5-Routing table: 11.0.0.0 via B; 6-Update 11.0.0.0; 7-Routing table: 11.0.0.0 via B; 8-Data with dst ip 11.0.0.1]
• Updates now can pass from A to B to E (C & D will consider it an IP packet destined to E), and the update will go from E to F, but any returning data coming from F will go to E and from E to C or D. Because C & D do not have an entry for 11.0.0.0 in their routing tables, packets destined to 11.0.0.0 will be dropped, so a black hole for data exists in AS 65102.
• Conclude:
BGP must run on all transit AS routers to avoid black holes, or otherwise redistribution from BGP into the IGP must take place.
• Synchronization rule (to avoid black holes):
A router cannot advertise routes to an eBGP neighbor unless they exist in the IP routing table learned by an IGP (non-BGP).
To avoid synchronization problems (black holes):
1-Redistribute BGP routes into the IGP (a big headache for IGPs, because the BGP table is very large and IGPs are not designed for networks of that scale)
2-Run BGP on all transit AS routers and disable synchronization
(config-router)#no synchronization
BGP Synchronization
• Synchronization rule:
Do not use or advertise to an external neighbor a route learned by IBGP until a matching route has been learned from an IGP.
• Ensures consistency of information throughout the AS
• Avoids black holes within the AS
• Safe to turn off if all routers in the AS are running full-mesh IBGP (off is the default in current IOS releases).
Router(config-router)# no synchronization
• Disables BGP synchronization so a router can advertise routes in BGP without learning them in the IGP; make sure that you apply all the restrictions needed to avoid black holes.

Example: BGP Synchronization
• If synchronization is on (the default), then:
– Routers A, C, and D would not use or advertise the route to 172.16.0.0 until they receive the matching route via an IGP.
– Router E would not hear about 172.16.0.0.
• If synchronization is off, then:
– Routers A, C, and D would use and advertise the route they receive via IBGP; router E would hear about 172.16.0.0.
– If router E sends traffic for 172.16.0.0, routers A, C, and D would route the packets correctly to router B.
3-BGP and the IGP run on all routers of the transit AS
• BGP split horizon rule: "avoid routing loops inside the AS"
A route learned from an iBGP neighbor can never be advertised back to another iBGP neighbor.
• If router A advertises a route to its eBGP neighbor B, B must advertise that route to all its other neighbors, so B will advertise it to C & D. But due to the split horizon rule, C or D can never advertise that route again to their iBGP neighbor E, so E will never learn about that route.
• Conclude:
BGP must run in a full mesh fashion (sessions between all BGP neighbors) to get around the split horizon rule.
4-BGP must run in a full mesh fashion
• Full mesh BGP problem:
This will cause multiple TCP sessions, so a lot of CPU, memory and bandwidth overhead will take place in the network.
The solution is to use:
1-Confederations:
Divide the AS into sub-ASs, where each sub-AS acts with eBGP toward the other sub-ASs, so loops are avoided according to the eBGP rules (the advertised route must contain a list of the ASs that the route traverses, so if a router finds its local AS in the AS path list it will detect that the update has looped).
2-Route reflector:
Configure certain routers to override the split horizon rule (the route reflector routers).
Route reflector configuration
• On the route reflector only
(config)#router bgp <as#>
(config-router)#neighbor <neighbor ip> route-reflector-client
BGP considerations
1-Advertise routes in BGP updates (populate the BGP table)
1.1-Redistribute IGP routes into BGP
1.2-Use the network command (recommended)
(config)#router bgp <as#>
(config-router)#network <network address> [mask <subnet mask>]
Note: If no mask is specified, the default classful mask is assumed.
Note: There must be an exact match for that route in the IP routing table, learned by an IGP (non-BGP), for BGP to populate that route in the BGP table and advertise it to eBGP neighbors ("synchronization rule"), or disable synchronization.

RouterB(config)# router bgp 65000
RouterB(config-router)# neighbor 10.1.1.2 remote-as 64520
RouterB(config-router)# neighbor 192.168.2.2 remote-as 65000
RouterB(config-router)# network 172.16.10.0 mask 255.255.255.0
RouterB(config-router)# network 192.168.1.0
RouterB(config-router)# network 192.168.3.0
RouterB(config-router)# no synchronization
2-Advertise summarized routes (CIDR and aggregate address)
• With BGP4, routes can be aggregated by any AS on any BGP router.
• BGP4 is classless, supports VLSM and longest match routing, and carries a network mask for each network in the update.
• Auto summary is enabled by default at discontiguous network boundaries.
• To disable auto-summary
(config-router)#no auto-summary
• Manual summarization
Method 1: Recommended method of summarization for BGP
(config)#router bgp <as#>
(config-router)#aggregate-address <summary address> <mask> [summary-only] [as-set]
-Creates an aggregate (summary) entry in the BGP table
-Does not need an exact match in the routing table, because BGP generates the null route automatically (a static null route is not needed), but at least one of the specific routes must exist
-Uses the summary-only option to advertise only the summary and not the specific routes
-Adds the as-set option to include a list of all the autonomous system numbers that the more specific routes have passed through
Method 2:
(config)#router bgp <as#>
(config-router)#network <address> [mask <mask>]
This command was not designed to perform summarization by itself; the aggregate-address command was designed for summarization.
• To use the network statement for summarization, the network number and mask used must already exist exactly in the routing table.
• If the route was already summarized by EIGRP or OSPF, that summarization can be announced into BGP with the network and mask commands.
• If the route was not already summarized, a null static route must be created for BGP to announce this summarization.
(config)#ip route <address> <mask> null0
Cautions about Network Statement
• If a network statement is used for summarization, do not use the more specific entries and the summarized route as shown here.
• If both are used, the summarized route and the more specific routes will be announced.
• 192.168.24.0/22 does not exist in the IP routing table without the null route.
• BGP will not announce the network unless the summarized route is already present in the routing table.

routerC# show ip bgp
BGP table version is 28, local router ID is 172.16.2.1
Status codes: s = suppressed, * = valid, > = best, and i = internal
Origin codes : i = IGP, e = EGP, and ? = incomplete
Network Next Hop Metric LocPrf Weight Path
*> 192.168.24.0/22 0.0.0.0 0 32768 i
s> 192.168.24.0 0.0.0.0 0 32768 i
s> 192.168.25.0 0.0.0.0 0 32768 i
s> 192.168.26.0 0.0.0.0 0 32768 i
s> 192.168.27.0 0.0.0.0 0 32768 i
3-Source of updates behaviour
• A router will never accept an update from a source unless that source address is identified in its neighbor commands (its neighbor list).
• When a BGP packet is received for a new BGP session, the source address of the packet is compared to the list of neighbor statements.
– If a match is found, a relationship is established.
– If no match is found, the packet is ignored.
• Make sure the source IP address matches the address that the other router has in its neighbor statement.
• To identify the source of updates for a certain neighbor:
(config)#router bgp <as#>
(config-router)#neighbor <neighbor ip> update-source <interface name>
This command allows the BGP process to use the IP address of a specified interface as the source IP address of all BGP updates to that neighbor.
• A loopback interface is usually used, as it will be available as long as the router is operational.
• The IP address used in this command will be the destination IP address of all BGP updates and should be the loopback interface of the other router.
• The update-source command is normally used only with IBGP neighbors.
• The address of an EBGP neighbor must be directly connected by default. The loopback of an EBGP neighbor is not directly connected.
4-eBGP multihop
• Because eBGP neighbors must be directly connected, using multiple links between the two neighbors, or using a loopback as the source of updates, will cause a problem for the advertised updates. We can use the following command:
(config-router)#neighbor <neighbor ip> ebgp-multihop [no. of hops]
But to reach that hop there will never be an IGP or a connected route that could do that, so a static route is required to reach that hop. The default is 255 hops if ebgp-multihop is used without a value; in fact the number of hops is a TTL, so the hop count (TTL) is 1 if the command is not used.
5-Next hop behavior
• BGP is an AS-by-AS routing protocol, not a router-by-router routing protocol, so in BGP the next hop does not mean the next hop router; it means the IP address to reach the next AS.
-Router A advertises network 172.16.0.0 to router B in EBGP, with a next hop of 10.10.10.3.
-Router B advertises 172.16.0.0 in IBGP to router C, keeping 10.10.10.3 as the next-hop address.
-So C sees the next hop to reach 172.16.0.0 as 10.10.10.3 (the next AS entry point).
To override that behaviour:
(config-router)#neighbor <neighbor ip> next-hop-self
Forces all updates for this neighbor to be advertised with this router as the next hop. The IP address used for next-hop-self will be the same as the source IP address of the BGP packet.
So if B has configured
(config-router)# neighbor 172.20.10.2 next-hop-self
then C will see 172.16.0.0 with next hop 172.20.10.1.
Next Hop on a Multiaccess Network
The following takes place in a multiaccess network:
• Router B advertises network 172.30.0.0 to router A in EBGP with a next hop of 10.10.10.2, not 10.10.10.1. This avoids an unnecessary hop.
• BGP is being efficient by informing AS 64520 of the best entry point into AS 65000 for network 172.30.0.0.
• Router B in AS 65000 also advertises to AS 64520 that the best entry point for each network in AS 64600 is the next hop of router C, because that is the best pathway to transit AS 65000 to AS 64600 from AS 64520.
[Figure: next-hop-self configuration example]
6-BGP peer groups
• If there are multiple neighbors the configuration will be a big overhead and configuration mistakes could happen.
• A peer group defines a template with configuration parameters and assigns these parameters to a group of neighbors.
• Useful when many neighbors have the same outbound policies
• Members can have a different inbound policy
• Its target is to simplify configuration

Configuration without peer groups for 15 neighbors
(config)#router bgp <as#>
(config-router)#neighbor <ip> remote-as <as>
*15 times
(config-router)#neighbor <ip> route-reflector-client
*15 times
(config-router)#neighbor <ip> update-source loopback0
*15 times
(config-router)#neighbor <ip> next-hop-self
*15 times
(config-router)#neighbor <ip> route-map <name> <in/out>
*15 times
(config-router)#neighbor <ip> prefix-list <name> <in/out>
*15 times
(config-router)#neighbor <ip> distribute-list <name> <in/out>
*15 times
• We may need about 105 commands on a single router
Configuration with peer groups for 15 neighbors
(config)#router bgp <as>
(config-router)#neighbor <peer group name> peer-group
(config-router)#neighbor <ip> peer-group <peer group name>
*15 times
(config-router)#neighbor <peer group name> route-reflector-client
(config-router)#neighbor <peer group name> update-source loopback0
(config-router)#neighbor <peer group name> next-hop-self
(config-router)#neighbor <peer group name> route-map <name> <in/out>
(config-router)#neighbor <peer group name> prefix-list <name> <in/out>
(config-router)#neighbor <peer group name> distribute-list <name> <in/out>
• We may need about 21 commands on a single router

Example:
Router C Without a Peer Group
router bgp 65100
neighbor 192.168.24.1 remote-as 65100
neighbor 192.168.24.1 update-source loopback 0
neighbor 192.168.24.1 next-hop-self
neighbor 192.168.24.1 distribute-list 20 out
neighbor 192.168.25.1 remote-as 65100
neighbor 192.168.25.1 update-source loopback 0
neighbor 192.168.25.1 next-hop-self
neighbor 192.168.25.1 distribute-list 20 out
neighbor 192.168.26.1 remote-as 65100
neighbor 192.168.26.1 update-source loopback 0
neighbor 192.168.26.1 next-hop-self
neighbor 192.168.26.1 distribute-list 20 out

Router C Using a Peer Group
router bgp 65100
neighbor internal peer-group
neighbor internal remote-as 65100
neighbor internal update-source loopback 0
neighbor internal next-hop-self
neighbor internal distribute-list 20 out
neighbor 192.168.24.1 peer-group internal
neighbor 192.168.25.1 peer-group internal
neighbor 192.168.26.1 peer-group internal
7-Authenticating in BGP
• BGP authentication uses MD5.
• Configure a key (password); the router generates a message digest, or hash, of the key and the message.
• The message digest is sent; the key is not sent.
• The router generates and checks the MD5 digest of every segment sent on the TCP connection, and authenticates the source of each routing update packet that it receives.
Router(config-router)# neighbor {ip-address | peer-group-name} password string
8-Multihoming
• Multiple connections to ISPs are required to increase reliability (redundancy) and performance (load sharing)
– Reliability: if one ISP or connection fails, there is still Internet access
– Performance: better path selection to common Internet destinations
• Types of connectivity:
1-Default routes from all providers
– Pass the default route to internal routers
2-ISPs pass default routes + selected specific routes owned by the ISP
– Redistribute into the Interior Gateway Protocol (IGP) for internal routers, or
– Run BGP on all routers in the AS
3-ISPs pass all routes in their routing tables to the customer AS
– Run BGP on all internal routers; turn off BGP synchronization
Default Routes from All Providers
– Low memory and CPU usage
– ISPs send a BGP default route
• The default route is passed into the IGP
• The choice of exit point when multiple default routes exist will be the lowest IGP metric
– The AS of the customer sends all of its routes to the providers (ISPs)
– The inbound path to the AS of the customer is decided by the ISPs
Provider-Owned Routes and the Default Route from Each Provider
– Medium memory and CPU usage
– The best path to ISP-owned networks and to customer-specific networks is usually the shortest AS path
– Ability to override the path choice for some networks
– The IGP metric to the default route is used for all other destinations

Partial Table: Redistribute into IGP or Run BGP on Internal Routers
• BGP redistributed into the IGP (not recommended):
– Uses the IGP metric to exit the AS for specific routes.
– Only administrators of edge routers need to understand BGP.
• Partial table from the ISP and BGP running on all internal routers (recommended):
– Path manipulation is easier using BGP attributes.
– Router configuration is more complex.
Full Routes from All Providers
– Higher memory and CPU usage
– Reach all destinations by the best path
• Usually the shortest AS path
– Can manually tune all pathways

Run BGP on Core Routers and Turn Off Synchronization
• OSPF processes all local packets for the networks owned by AS 65001.
• BGP processes all packets transiting across AS 65001 to other autonomous systems.
Filter BGP Advertisements to ISPs
Router A
router bgp 64500
network 10.0.0.0
neighbor 192.168.1.1 remote-as 65000
neighbor 192.168.1.1 distribute-list 7 out
(text omitted)
access-list 7 permit 10.0.0.0 0.255.255.255

Router B
router bgp 64500
network 10.0.0.0
neighbor 172.16.1.1 remote-as 64900
neighbor 172.16.1.1 distribute-list 7 out
(text omitted)
access-list 7 permit 10.0.0.0 0.255.255.255

Prevent a non-ISP (stub) AS from becoming a transit network by performing route advertisement filtering using access lists.
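To show what "distribute-list 7 out" actually does to the BGP table before it reaches an ISP, here is an added Python model (not from the course or from Cisco) that applies the standard-ACL wildcard match to each network and compares it with a stricter "only what this AS originated" filter, which corresponds to an IOS AS-path filter permitting only the empty path (^$) and is not covered by the deck; the Router A table below is constructed, and the 10.200.0.0/16 entry is an assumed externally learned prefix.

```python
"""Outbound BGP advertisement filtering with a standard ACL (added example)."""
import ipaddress
from typing import List, Tuple

# One line of a Cisco standard ACL: (action, network, wildcard mask).
AclEntry = Tuple[str, str, str]

# access-list 7 permit 10.0.0.0 0.255.255.255   (from the slide); implicit deny follows
ACL_7: List[AclEntry] = [("permit", "10.0.0.0", "0.255.255.255")]

# Constructed BGP table of Router A (AS 64500): (prefix, AS path as seen by A).
ROUTER_A_TABLE: List[Tuple[str, List[int]]] = [
    ("10.0.0.0/8", []),                # own network, announced with "network 10.0.0.0"
    ("172.16.0.0/16", [64900]),        # learned from the ISP behind Router B
    ("192.168.3.0/24", [65000]),       # learned from the ISP behind Router A
    ("10.200.0.0/16", [64900, 64700]), # constructed: a 10.x prefix learned from outside
]


def wildcard_match(address: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    addr = int(ipaddress.IPv4Address(address))
    net = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (addr & care) == (net & care)


def acl_permits(acl: List[AclEntry], address: str) -> bool:
    """First matching entry wins; no match means the implicit deny."""
    for action, network, wildcard in acl:
        if wildcard_match(address, network, wildcard):
            return action == "permit"
    return False


def filter_outbound(table: List[Tuple[str, List[int]]], acl: List[AclEntry]) -> List[str]:
    """Model 'neighbor X distribute-list <acl> out'. A standard ACL is checked
    against the network address only; the prefix length is never examined, so any
    10.x prefix passes no matter where it was learned from."""
    advertised = []
    for prefix, _as_path in table:
        network = prefix.split("/")[0]
        if acl_permits(acl, network):
            advertised.append(prefix)
    return advertised


def filter_local_only(table: List[Tuple[str, List[int]]]) -> List[str]:
    """Stricter transit guard: advertise only routes this AS originated, i.e. those
    with an empty AS path (the effect of an AS-path filter that permits only ^$)."""
    return [prefix for prefix, as_path in table if not as_path]


if __name__ == "__main__":
    print("distribute-list 7 out advertises:", filter_outbound(ROUTER_A_TABLE, ACL_7))
    print("local-only filter advertises:   ", filter_local_only(ROUTER_A_TABLE))
```

The ACL does keep the two ISP-learned prefixes from leaking, but it also lets through the externally learned 10.200.0.0/16 because a standard ACL only sees the network address; a prefix list or an AS-path filter is the way to tie the decision to prefix length or origin.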
BGP attributes
• BGP is not designed to choose paths based on bandwidth, delay and other metrics; paths are chosen based on policy attributes.
• Attributes are classified as follows:
Well-known attributes:
Must be recognized by all compliant BGP implementations and are propagated to other neighbors.
-Well-known mandatory
Must be present in all update messages (ex.: AS path, next hop, origin)
-Well-known discretionary
May be present in update messages (ex.: local preference, atomic aggregate)
Optional attributes:
Recognised by some implementations (expected not to be recognised by every router, depending on the router position in the AS). Recognized optional attributes are propagated to other neighbors based on their meaning.
-Optional transitive
If not recognised they are marked as partial and propagated to other neighbors (ex.: aggregator, community)
-Optional non-transitive
Discarded if not recognised (ex.: MED (Multi Exit Discriminator))
-Cisco attribute:
A local attribute on Cisco routers; it is not advertised in any updates (ex.: weight)
1-AS path attribute
• The AS path attribute is well-known mandatory, transitive.
• It is a list of the AS numbers that a route has traversed to reach a router.
• The shortest AS path is preferred.
• The AS path list is used to avoid loops between ASs.
– For example, on router B, the path to 192.168.1.0 is the AS sequence (65500, 64520).
2-Next hop attribute
• The next-hop attribute is well-known mandatory, transitive.
• It is the IP address of the next AS to reach a given network.
• The next hop must be reachable for the route to be valid for use.
• For a self-originated route the next hop is 0.0.0.0.
The IP address of the next AS to reach a given network:
• Router A advertises network 172.16.0.0 to router B in EBGP, with a next hop of 10.10.10.3.
• Router B advertises 172.16.0.0 in IBGP to router C, keeping 10.10.10.3 as the next-hop address.
3-Origin attribute
• Well-known mandatory, transitive
• The origin attribute informs all autonomous systems in the internetwork how the prefixes were introduced into BGP; it defines the origin of the path information.
• The origin could be:
-IGP (i): the route is interior to the originating AS; this normally happens when the network command is used to advertise the route
-EGP (e): the route was learned via EGP (an old protocol); this happens when a route was redistributed from EGP
-Incomplete (?): the origin is unknown; this happens when the route is redistributed from an IGP or a static route into BGP
• The lowest origin is preferred (i < e < ?)
4-Local preference attribute
• Well-known discretionary, and is passed only within the AS.
• The local preference is advertised between iBGP neighbors.
• It provides an indication to routers inside the AS about which path is preferred to exit the AS (the best way to leave the AS; it influences outbound traffic from the AS).
• Higher local preference is preferred
• Default local preference = 100
[Figure] Any router inside AS 64520 will prefer to exit that AS using the path through A.
5-Multi Exit Discriminator (MED) attribute
• The MED is optional, non-transitive
• It is called the metric
• Advertised between eBGP neighbors
• MED is an indication to eBGP neighbors about the preferred path to enter an AS (it affects how others enter your AS; it influences inbound traffic to an AS)
• MED is used to advertise to EBGP neighbors how to exit their AS to reach networks owned by this AS.
• Lowest MED is preferred
• Default MED = 0
• MED is not compared between neighbors from different ASs, unless
(config-router)#bgp always-compare-med
[Figure] A will choose to exit AS 65000 through B to reach 172.20.0.0.
6-Weight attribute
• Cisco attribute
• Configured locally on the router and is not propagated to any BGP neighbor
• It identifies a weight for routes from each neighbor
• Highest weight is preferred
• Default weight for self-originated routes is 32768; for other routes the default is 0 (weight 0-65535)
[Figure] A will choose the path through B to reach network 172.20.0.0.
7-Atomic aggregate attribute
• Well-known discretionary
• It informs the routers that the originating router has performed aggregation (summarization) of routes; the list of ASs that contain these routes can be advertised (aggregate-address command)

8-Aggregator attribute
• Optional transitive
• It specifies the BGP router ID & AS number of the router that performed the route aggregation

9-Community attribute
• Optional transitive
• It groups routes and tags them for filtering actions
• All routes are by default members of a community called the Internet
BGP route selection process
• The BGP forwarding table usually has multiple pathways from which to choose for each network.
• BGP is not designed to perform load balancing:
• Paths are chosen because of policy.
• Paths are not chosen based upon bandwidth.
• The BGP selection process eliminates any multiple pathways through attrition until a single best pathway is left.
• That best pathway is submitted to the routing table manager process and evaluated against the methods of other routing protocols for reaching that network (administrative distance).
• The routing protocol with the lowest administrative distance will be installed in the routing table.

• Consider only synchronized routes, routes with no AS loops and routes with a valid next hop, then:
1-Prefer highest weight (local to router)
2-Prefer highest local preference (global within AS)
3-Prefer the route originated by the local router (next hop 0.0.0.0)
4-Prefer shortest AS path
5-Prefer lowest origin code (i (IGP) < e (EGP) < ? (incomplete))
6-Prefer lowest MED (from the other AS)
7-For routes from other ASs, prefer the eBGP path over the iBGP path
8-Prefer the oldest route from an eBGP path (more stable)
9-Prefer the path through the closest (lowest metric) IGP neighbor
10-Prefer the path from the lowest neighbor BGP router ID
• Finally only a single path is selected, and no load sharing is available
Optimize attributes
Local preference is used in the following ways:
• Within an AS between IBGP speakers
• Used to determine the best pathway to leave the AS to reach an outside network
• Set to 100 by default; higher values are preferred
(config-router)#bgp default local-preference <value>
or
(config)#route-map <name> {permit/deny} [<seq no.>]
(config-route-map)#match ip address <acl #>
(config-route-map)#set local-preference <local preference>
• Changes the default local preference value
• All routes advertised to an IBGP neighbor are set to the value specified using this command

RouterC# show ip bgp
BGP table version is 7, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
* i172.16.0.0 172.20.50.1 100 0 65005 65004 i
*>i 192.168.28.1 100 0 65002 65003 i
*>i172.24.0.0 172.20.50.1 100 0 65005 i
* i 192.168.28.1 100 0 65002 65003 65004
* i172.30.0.0 172.20.50.1 100 0 65005 65004 i
*>i 192.168.28.1 400 0 65002 65003 65004 i

Best (>) pathways for networks 172.16.0.0/16 and 172.24.0.0/16 have not changed.
The best (>) pathway for network 172.30.0.0 has changed to a new next hop of 192.168.28.1, because the next hop 192.168.28.1 has a higher local preference, 400.
• MED is used when multiple pathways exist between two ASs
• A lower MED value is preferred.
• The default setting for Cisco is MED = 0.
• The metric is non-transitive.
• By default, MED is shared only between two autonomous systems that have multiple EBGP connections with each other.
(config-router)#default-metric <value>
or
(config)#route-map <name> {permit/deny} [<seq no.>]
(config-route-map)#match ip address <acl #>
(config-route-map)#set metric <MED value>
• MED is considered the metric of BGP.
• All routes advertised to an EBGP neighbor are set to the value specified using this command.

RouterZ# show ip bgp
BGP table version is 7, local router ID is 122.30.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*>i192.168.24.0 172.20.50.2 100 100 0 65001 i
* i 192.168.28.2 200 100 0 65001 i
* i192.168.25.0 172.20.50.2 200 100 0 65001 i
*>i 192.168.28.2 100 100 0 65001 i
* i192.168.26.0 172.20.50.2 200 100 0 65001 i
*>i 192.168.28.2 100 100 0 65001 i

• For all networks: weight is equal (0); local preference is equal (100); routes are not originated in this AS; AS path is equal (65001); origin code is equal (i).
• 192.168.24.0 has a lower metric (MED) through 172.20.50.2 (100) than through 192.168.28.2 (200).
• 192.168.25.0 has a lower metric (MED) through 192.168.28.2 (100) than through 172.20.50.2 (200).
• 192.168.26.0 has a lower metric (MED) through 192.168.28.2 (100) than through 172.20.50.2 (200).
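The route selection order listed earlier and the two show ip bgp walkthroughs above (local preference on RouterC, MED on RouterZ) are carried through in code here as an added example that is not part of the course material: a small Python best-path selector, with the AS-loop and next-hop pre-checks, run over paths constructed from those two tables. The local AS number 64512, the reachable next-hop set and the neighbor router IDs are assumptions, since the slides do not state them.

```python
"""BGP best-path selection in the order listed in this chapter (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}   # lower is preferred: IGP < EGP < incomplete


@dataclass
class BgpPath:
    prefix: str
    next_hop: str               # "0.0.0.0" marks a route originated by this router
    as_path: List[int]
    origin: str = "i"
    weight: int = 0             # Cisco-local attribute; 32768 for self-originated routes
    local_pref: int = 100
    med: int = 0
    ebgp: bool = False          # True when learned from an external neighbor
    received_seq: int = 0       # lower = received earlier (older path)
    igp_metric: int = 0         # IGP cost to reach next_hop
    router_id: str = "0.0.0.0"  # BGP router ID of the advertising neighbor


def is_usable(p: BgpPath, local_as: int, reachable: Set[str]) -> bool:
    """Pre-filter: drop AS-path loops and paths whose next hop is not in the routing table."""
    if local_as in p.as_path:   # our own AS is in the list: the update has looped
        return False
    return p.next_hop == "0.0.0.0" or p.next_hop in reachable


def compare(a: BgpPath, b: BgpPath, always_compare_med: bool = False) -> Tuple[BgpPath, str]:
    """Return the preferred path and the name of the step that decided."""
    steps = [
        ("weight",             lambda p: -p.weight),                    # 1: highest wins
        ("local_pref",         lambda p: -p.local_pref),                # 2: highest wins
        ("locally_originated", lambda p: 0 if p.next_hop == "0.0.0.0" else 1),
        ("as_path_length",     lambda p: len(p.as_path)),               # 4: shortest wins
        ("origin",             lambda p: ORIGIN_RANK[p.origin]),        # 5: i < e < ?
        ("med",                lambda p: p.med),                        # 6: lowest wins
        ("ebgp_over_ibgp",     lambda p: 0 if p.ebgp else 1),           # 7
        ("oldest_ebgp",        lambda p: p.received_seq if p.ebgp else 0),
        ("igp_metric",         lambda p: p.igp_metric),                 # closest IGP next hop
        ("router_id",          lambda p: tuple(int(o) for o in p.router_id.split("."))),
    ]
    for name, key in steps:
        if name == "med":
            # MED is only compared between paths from the same neighboring AS,
            # unless "bgp always-compare-med" is configured.
            same_neighbor_as = (bool(a.as_path) and bool(b.as_path)
                                and a.as_path[0] == b.as_path[0])
            if not (same_neighbor_as or always_compare_med):
                continue
        ka, kb = key(a), key(b)
        if ka != kb:
            return (a, name) if ka < kb else (b, name)
    return a, "tie"


def select_best(paths: List[BgpPath], local_as: int, reachable: Set[str],
                always_compare_med: bool = False) -> Tuple[Optional[BgpPath], str]:
    """Reduce the candidate paths for one prefix to a single best path."""
    usable = [p for p in paths if is_usable(p, local_as, reachable)]
    if not usable:
        return None, "no usable path"
    best, reason = usable[0], "only candidate"
    for cand in usable[1:]:
        best, reason = compare(best, cand, always_compare_med)
    return best, reason


# Constructed sample input, taken from the RouterC (local preference) and RouterZ (MED)
# tables in this chapter. The local AS 64512 and the router IDs are assumptions.
LOCAL_AS = 64512
REACHABLE = {"172.20.50.1", "192.168.28.1", "172.20.50.2", "192.168.28.2"}

ROUTER_C = {
    "172.24.0.0/16": [BgpPath("172.24.0.0/16", "172.20.50.1", [65005]),
                      BgpPath("172.24.0.0/16", "192.168.28.1", [65002, 65003, 65004])],
    "172.30.0.0/16": [BgpPath("172.30.0.0/16", "172.20.50.1", [65005, 65004], local_pref=100),
                      BgpPath("172.30.0.0/16", "192.168.28.1", [65002, 65003, 65004], local_pref=400)],
}
ROUTER_Z = {
    "192.168.24.0/24": [BgpPath("192.168.24.0/24", "172.20.50.2", [65001], med=100),
                        BgpPath("192.168.24.0/24", "192.168.28.2", [65001], med=200)],
    "192.168.25.0/24": [BgpPath("192.168.25.0/24", "172.20.50.2", [65001], med=200),
                        BgpPath("192.168.25.0/24", "192.168.28.2", [65001], med=100)],
}
# Two more constructed cases: a looped update carrying our own AS, and two paths from
# different neighboring ASs, where MED is ignored unless always-compare-med is on.
LOOPED = [BgpPath("10.0.0.0/8", "172.20.50.1", [65005, LOCAL_AS])]
DIFFERENT_AS = [BgpPath("10.9.0.0/16", "172.20.50.1", [65005], med=50, router_id="1.1.1.1"),
                BgpPath("10.9.0.0/16", "192.168.28.1", [65002], med=10, router_id="2.2.2.2")]

if __name__ == "__main__":
    for table in (ROUTER_C, ROUTER_Z):
        for prefix, paths in table.items():
            best, why = select_best(paths, LOCAL_AS, REACHABLE)
            print(f"{prefix:16} best via {best.next_hop:13} decided by {why}")
    print(select_best(LOOPED, LOCAL_AS, REACHABLE))
    print(select_best(DIFFERENT_AS, LOCAL_AS, REACHABLE)[1],
          select_best(DIFFERENT_AS, LOCAL_AS, REACHABLE, always_compare_med=True)[1])
```

For 172.24.0.0 the decision falls to AS path length, for 172.30.0.0 to local preference, and for the RouterZ prefixes to MED, matching the bullets under each table; the DIFFERENT_AS case falls through to router ID until always-compare-med is set.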
Route maps for BGP policy implementation
1-Create the route map:
(config)#route-map <name> <permit/deny> [seq. no.]
(config-route-map)#match <conditions>
(config-route-map)#set <actions>
2-Activate the route map:
(config-router)#neighbor <ip/peer group> route-map <name> <in/out>
-Match conditions:
match ip address <acl#>
match community <community name>
-Set actions:
set local-preference <no.>
set weight <no.>
set metric <no.>
set as-path prepend <path list>
Verification and Troubleshooting
#sh ip bgp
#sh ip bgp summary
#sh ip route
#debug ip bgp [events/updates/keepalives]
#clear ip bgp <*/address>
(config-router)#[no] neighbor <ip/peer group> shutdown

RouterA# show ip bgp summary
BGP table version is 23, main routing table version 23
10 network entries and 11 paths using 1242 bytes of memory
4 BGP path attribute entries using 380 bytes of memory
BGP activity 23/13 prefixes, 38/27 paths
0 prefixes revised.

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.1.1.100 4 65200 211 211 13 0 0 00:01:53 5
192.168.1.18 4 65101 214 226 23 0 0 00:00:13 1
192.168.1.34 4 65101 214 226 23 0 0 00:00:09 1
192.168.1.50 4 65101 214 225 23 0 0 00:00:06 3

If there is no state name in the State/PfxRcd column, the session is established and the column shows the number of prefixes received.

RouterA# show ip bgp
BGP table version is 23, local router ID is 192.168.1.49
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 10.0.0.0 10.1.1.100 0 0 65200 i
*> 172.16.10.0/24 10.1.1.100 0 0 65200 i
*> 172.16.11.0/24 10.1.1.100 0 0 65200 i
*>i172.26.1.16/28 192.168.1.50 0 100 0 i
*>i172.26.1.32/28 192.168.1.50 0 100 0 i
*>i172.26.1.48/28 192.168.1.50 0 100 0 i
*> 192.168.1.0 0.0.0.0 0 32768 i
*> 192.168.2.0 10.1.1.100 0 65200 65102 i
*> 192.168.2.64/28 10.1.1.100 0 65200 65102 i
* i192.168.101.0 192.168.1.34 0 100 0 i
*>i 192.168.1.18 0 100 0 i

The table displays networks from lowest to highest.
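Because the State/PfxRcd column carries either a prefix count or a state name, show ip bgp summary is the quickest thing to poll for sessions that never reached Established. The Python parser below is an added example (not from the course or Cisco): it reads the four rows shown above plus two constructed neighbors, 172.16.1.2 stuck in Active and 192.168.1.66 administratively shut down, and reports which sessions are not up.

```python
"""Parse 'show ip bgp summary' and flag sessions that are not established (added example)."""
from typing import Dict, List

# Constructed sample: the four rows from the slide plus two neighbors added here,
# one stuck in Active and one shut down with "neighbor ... shutdown".
SAMPLE_SUMMARY = """\
BGP table version is 23, main routing table version 23
10 network entries and 11 paths using 1242 bytes of memory

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.1.1.100      4 65200     211     211       13    0    0 00:01:53        5
192.168.1.18    4 65101     214     226       23    0    0 00:00:13        1
192.168.1.34    4 65101     214     226       23    0    0 00:00:09        1
192.168.1.50    4 65101     214     225       23    0    0 00:00:06        3
172.16.1.2      4 65300       0       0        0    0    0 never    Active
192.168.1.66    4 65101       0       0        0    0    0 never    Idle (Admin)
"""

COLUMNS = ["neighbor", "version", "remote_as", "msg_rcvd", "msg_sent",
           "tbl_ver", "in_q", "out_q", "up_down", "state"]


def parse_summary(text: str) -> List[Dict[str, str]]:
    """Return one dict per neighbor row found after the 'Neighbor' header line.
    The row is split into at most ten fields so that a last column containing a
    space, such as 'Idle (Admin)', survives as a single value."""
    rows, in_table = [], False
    for line in text.splitlines():
        if line.startswith("Neighbor"):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        fields = line.split(None, len(COLUMNS) - 1)
        if len(fields) != len(COLUMNS):
            continue                       # not a neighbor row
        rows.append(dict(zip(COLUMNS, fields)))
    return rows


def is_established(row: Dict[str, str]) -> bool:
    """A purely numeric State/PfxRcd value is the prefix count, i.e. Established;
    any state name (Idle, Connect, Active, OpenSent, OpenConfirm) means it is not."""
    return row["state"].isdigit()


def prefixes_received(row: Dict[str, str]) -> int:
    return int(row["state"]) if is_established(row) else 0


def unhealthy_sessions(rows: List[Dict[str, str]]) -> List[str]:
    """Neighbors whose session is not Established, formatted for an alert line."""
    return [f"{r['neighbor']} (AS {r['remote_as']}): {r['state']}"
            for r in rows if not is_established(r)]


if __name__ == "__main__":
    parsed = parse_summary(SAMPLE_SUMMARY)
    print("prefixes received:", sum(prefixes_received(r) for r in parsed))
    for problem in unhealthy_sessions(parsed):
        print("session not established:", problem)
```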
Clearing the BGP Session
• When policies such as access lists, timers, or attributes are changed, the BGP session must be reset.
• The change takes effect immediately, and the next time a prefix or pathway is advertised or received, the new policy will be used. It can take a long time for the policy to be applied to all networks.
• The session should be reset to ensure the policy is immediately applied to all affected prefixes and pathways.
• You must trigger an update to ensure that the policy is immediately applied to all affected prefixes and paths.
• Ways to trigger an update:
– Hard reset
– Soft reset
Router# clear ip bgp {*|neighbor-address} [soft {in | out}]
• Resets all BGP connections of this router using *, or resets only a single neighbor
• If the soft option is not used (hard reset):
- The entire BGP forwarding table is discarded
- The BGP session transitions from established to idle; everything must be relearned
Using the soft reset option:
• Routes learned from this neighbor are not lost.
• This router resends all BGP information to the neighbor without resetting the connection.
• The connection remains established.
• This option is highly recommended when you are changing outbound policy.
• The soft out option does not help if you are changing inbound policy.
RouterA# show ip bgp neighbors
BGP neighbor is 10.1.1.1, remote AS 65000, external link
Index 1, Offset 0, Mask 0x2
BGP version 4, remote router ID 172.16.10.1
BGP state = Established, table version = 5, up for 00:10:47
Last read 00:00:48, hold time is 180, keepalive interval is 60 seconds
Minimum time between advertisement runs is 30 seconds
Received 16 messages, 0 notifications, 0 in queue
Sent 15 messages, 1 notifications, 0 in queue
Prefix advertised 1, suppressed 0, withdrawn 0
Connections established 1; dropped 0
Last reset 00:16:35, due to Peer closed the session
2 accepted prefixes consume 64 bytes

routerA# debug ip bgp updates
BGP updates debugging is on
RTRA# clear ip bgp *
3w5d: BGP: 10.1.1.1 computing updates, neighbor version 0, table version 1, starting at 0.0.0.0
3w5d: BGP: 10.1.1.1 update run completed, ran for 0ms, neighbor version 0, start version 1, throttled to 1, check point net 0.0.0.0
3w5d: BGP: 10.1.1.1 rcv UPDATE w/ attr: nexthop 10.1.1.1, origin i, aggregated by 65000 172.16.10.1, path 65000
3w5d: BGP: 10.1.1.1 rcv UPDATE about 172.16.0.0/16
3w5d: BGP: nettable_walker 172.16.0.0/16 calling revise_route
3w5d: BGP: revise route installing 172.16.0.0/16 -> 10.1.1.1
3w5d: BGP: 10.1.1.1 rcv UPDATE w/ attr: nexthop 10.1.1.1, origin i, metric 0, path 65000
3w5d: BGP: 10.1.1.1 rcv UPDATE about 192.168.1.0/24
3w5d: BGP: nettable_walker 192.168.1.0/24 calling revise_route
3w5d: BGP: revise route installing 192.168.1.0/24 -> 10.1.1.1
Branch office Internet Access

Branch Office Connectivity
The needs of branch offices are changing. This is due to the adoption of unified networks that support voice, video, and data; the consolidation of IT resources; and the physical mobility of many users.
Many options exist today for private connectivity between an Enterprise branch office and the core of an Enterprise network. These options include leased lines, Frame Relay, MPLS VPNs, and Metro Ethernet. Although each differs in some way, they all share an important characteristic: they provide an inherently private path over which two Enterprise routers can send packets to each other.
Several other public options exist for branch office connectivity. All these options use the Internet for connectivity between the branch office and the core of the Enterprise network. Regardless of the particular physical Internet access technology (typically digital subscriber line (DSL), cable, or wireless broadband), all these options use the public Internet to forward the packets.
The differences between the public Internet and private connectivity mean that the branches need to use several additional functions just to make the connectivity work, plus the branches need to add other functions to make the connection secure. This chapter focuses on the functions required, and how they impact routing between the branch and the rest of the Enterprise.
The branch routing for the Internet-connected branch differs in part depending on the design.
Branch Office Design Considerations

Some design considerations for branch offices include:

- Connectivity technologies: What WAN options are available?
- Resiliency: How much downtime can the site tolerate? Are there alternate WAN paths available?
- Routing: Will the WAN support routing protocols?
- Services: Are services such as DHCP, NAT, WAN optimization, and QoS needed at the branch?
- Security and compliance: What security is needed, where will it be placed, and how will that affect routing?
- Mobility: Do teleworkers use this branch for VPN access?

Strive for a consistent design across your branch offices, with a structured method of handling change management and configuration. Branch offices have different needs from campus locations, but you can still have a common design foundation by creating standard designs for different size offices. Each category of branch office is its own "place in the network." Categorize offices not only by the number of users they have, but also by how critical the branch is. The following office profiles are meant as a baseline, not a recommendation for every network.

Small Branch Office Design
A small branch office typically leverages an ISR router to provide multiple services such as WAN and PSTN connectivity, NAT, WAN optimization, firewall, and DHCP. Its WAN connectivity might be a T1 primary link with a cable or DSL backup link using an IPsec VPN. You might run a routing protocol or simply use floating static routes. The infrastructure typically consists of Layer 2 switching (either internal to the router or using an external switch), computers, phones, and printers.
This design is cost-effective and provides a minimum of devices to manage. However, network resiliency suffers because the router is a single point of failure.

Medium Branch Office Design

A medium-sized branch office requires some additional resiliency and network equipment. There typically are redundant WAN routers with dual connections to a private WAN using either MPLS or Frame Relay. The routers will be higher capacity devices but might still provide services such as firewall, NAT, DHCP, and WAN optimization. The network might use a first-hop redundancy protocol (FHRP) such as HSRP. The infrastructure typically consists of either Layer 2 or Layer 3 external switches, computers, phones, and printers.
This design is more resilient than the small office design. However, the dual paths add path control complexity, and dynamic routing is needed to accomplish load sharing across the links. Documenting traffic flows becomes more important.

Large Branch Office Design
A large branch office is similar to a campus design in that it
typically uses a layered design with redundancy at all but the
access layer. Stand-alone devices for firewalls and WAN
optimization might be used, along with multilayer switches. This
branch can provide services to other branches and can thus
benefit from an MPLS WAN with its any-to-any connectivity.
The infrastructure is engineered for high availability. It typically
consists of dual WAN access routers, dual distribution
switches, and dual firewalls.

Implementing Branch Offices

Because a CCNP-level engineer should handle the device configuration, we start at that step of the plan. The implementation is likely an upgrade to an existing branch office network, so the first step is to identify and document the current configuration of every device and the services it provides. These services might include NAT, HSRP, ACLs, firewall, or redirection services such as PBR. The IP address schema must also be documented.
To see the NAT settings, you might use the commands show ip nat translations and show ip nat statistics. To document DHCP, use the commands show ip dhcp pool and show ip dhcp server statistics. The show access-lists and show ip interface commands give you information about ACLs and where they are applied. To see what IOS firewall rules are in place, use the commands show ip inspect interfaces and show zone-pair security. Verify HSRP operation with show standby brief. The command show ip policy displays any PBR policies.
DHCP Services
• DHCP is used to provide dynamic IP address allocation to TCP/IP hosts and Cisco Systems devices. It utilizes a client/server model, and the DHCP server can be a Windows server, a UNIX-based server, or a Cisco IOS device.

• Configuring Cisco IOS devices as DHCP servers, DHCP relay agents, and DHCP clients allows a network administrator to implement more options for DHCP and also to implement levels of DHCP service for a more robust and efficient network solution.

• DHCP is structured on the Bootstrap Protocol (BOOTP) server and the BOOTP well-known ports in User Datagram Protocol (UDP). Previous to DHCP, IP addresses were manually administered to IP hosts, which was a tedious, error-prone, and labor-intensive process. DHCP allows IP addresses to be automatically assigned to DHCP clients. The DHCP service can be implemented with a server or with a Cisco IOS device.

Understanding the Function of DHCP

The figure shows the steps that occur when a DHCP client requests an IP address from a DHCP server.
1. The host sends a DHCPDISCOVER broadcast message to locate a DHCP server.
2. A DHCP server offers configuration parameters such as an IP address, the MAC address of the DHCP server, a domain name, a default gateway, and a lease for the IP address to the client in a DHCPOFFER unicast message.
3. The client returns a formal request for the offered IP address to the DHCP server in a DHCPREQUEST broadcast message.
4. The DHCP server confirms that the IP address has been allocated to the client by returning a DHCPACK unicast message to the client.
A DHCP client may receive offers from multiple DHCP servers and can accept any one of the offers. However, the client usually accepts the first offer that it receives. Also, the offer from the DHCP server is not a guarantee that the IP address will be allocated to the client. The server usually reserves the address until the client has had a chance to formally accept the address.

DHCP supports three possible address allocation mechanisms:
- Manual: The network administrator assigns the IP address to a specific MAC address. DHCP is used to dispatch the assigned address to the host.
- Automatic: The IP address is permanently assigned to a host.
- Dynamic: The IP address is assigned to a host for a limited time or until the host explicitly releases the address. This mechanism supports automatic address reuse when the host to which the address has been assigned no longer needs the address.

Configuring a DHCP Server
Router(config)#service dhcp
• Enables DHCP features on the router; it is on by default.
Router(config)#ip dhcp pool [pool name]
• Creates a DHCP pool for use by hosts and enters DHCP pool configuration mode.
Router(config-dhcp)#import all
• Imports DHCP option parameters (DNS servers and other information the router learned through IPCP) into the DHCP server database. Used for remote DHCP pools.
Router(config-dhcp)#default-router [host address]
• Specifies the default router for the pool to use.
Router(config-dhcp)#network [network address][subnet mask]
• Specifies the network and subnet mask of the pool.
Router(config)#ip dhcp excluded-address lowaddress [high address]
• Specifies the IP address, or range of addresses, that the DHCP server should not assign to DHCP clients.
Router(config-dhcp)#domain-name domain
• Specifies the domain name for the client.
Router(config-dhcp)#dns-server address [address2...address8]
• Specifies the IP address of a Domain Name System (DNS) server that is available to a DHCP client. One is required, but up to eight can be specified.
Router(config-dhcp)#lease {days [hours] [minutes] | infinite}
• Specifies the duration of the lease. The default is a one-day lease.
Router(config-if)#ip address dhcp
• Tells the router to obtain the IP address for this interface from a DHCP server.
• Additional commands are available to customize manual bindings for individual clients, including MAC addresses. Additional options are also available with the DHCP relay agent function.
Configuration Example

The following is an example of the partial command syntax for this feature:

• Central Router
ip dhcp excluded-address 10.0.0.1 10.0.0.5
ip dhcp pool central
 network 10.0.0.0 255.255.255.0
 default-router 10.0.0.1 10.0.0.5
 domain-name central.com
 dns-server 10.0.0.2
interface fastethernet0/0
 ip address 10.0.0.1 255.255.255.0

• Remote Router
ip dhcp excluded-address 20.0.0.2
ip dhcp pool client
 network 20.0.0.0 255.255.255.0
 default-router 20.0.0.2
 import all
interface fastethernet0/0
 ip address dhcp

#show ip dhcp binding
Displays the bindings between IP addresses and MAC addresses on a DHCP server.
IP helper address:
- A host cannot reach a DHCP server on another subnet with a broadcast, because the router will not forward the broadcast.
- Solution: the router changes the broadcast into a unicast to the DHCP server.

(config)# int e0/0
(config-if)# ip helper-address <ip add.>

The interface that receives the broadcasts for UDP services translates the local broadcast address in the packet to the specified address. That address can be a unicast address or a directed broadcast address; for a directed broadcast the following command must also be enabled on the interface that delivers it (it is off by default):
(config-if)#ip directed-broadcast

By default, ip helper-address forwards the following services:
• Trivial File Transfer Protocol (TFTP, port 69)
• Domain Name System (DNS, port 53)
• NetBIOS Name Server (port 137)
• NetBIOS Datagram Server (port 138)
• Time service (port 37)
• Bootstrap Protocol (BootP)/DHCP client and server datagrams (ports 67 and 68)
• TACACS service via the login host protocol (port 49)
• IEN-116 Name Service (port 42, obsolete)
To remove or add UDP ports (this is a global configuration command, not an interface command):
(config)# [no] ip forward-protocol udp <protocol name or number>

Example: Multiple Servers: Remote Networks

Ports can be removed from the forwarding service; the following is an example:
interface fastethernet0/0
 ip address 144.253.1.100 255.255.255.0
 ip helper-address 144.253.2.255
!
no ip forward-protocol udp 137
no ip forward-protocol udp 138
no ip forward-protocol udp 37
ip forward-protocol udp 8000

This configuration causes the time and NetBIOS ports not to be forwarded, and adds UDP port 8000 to the forwarded list.
Relay Agent Option Support

Relay Agent

Router(config)#ip dhcp relay information option

Enables the system to insert the DHCP relay agent information option (82) in forwarded BOOTREQUEST messages to a DHCP server. Disabled by default.
When you use the ip dhcp relay information option command, the relay agent adds the circuit identifier suboption and the remote ID suboption to the relay agent information and forwards them to a DHCP server. The following explains the DHCP relay services process:
1. The DHCP client generates a DHCP request and broadcasts it on the network.
2. The DHCP relay agent intercepts the broadcast DHCP request packet and inserts the relay agent information option (82) in the packet. The relay agent option contains the related suboptions.
3. The DHCP relay agent unicasts the DHCP packet to the DHCP server.
4. The DHCP server receives the packet and uses the suboptions to assign IP addresses and other configuration parameters and forwards them back to the client.
5. The suboption fields are stripped off the packet by the relay agent while forwarding to the client.
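The relay path described above (helper-address port filtering, giaddr/hops handling, option 82 insertion on the way to the server and removal on the way back) modelled end to end in Python, as an added example that is not code from the page or from Cisco IOS. The client MAC, the relay interface address 144.253.1.100, the helper address 144.253.2.10, the offered address and the circuit-ID/remote-ID strings are constructed values; the default port list is the one given above. The option-82 echo shows why a server that trusts option 82 for address assignment must only accept it from relays it trusts, and why the relay strips it before the client can see it:

```python
import struct
from ipaddress import IPv4Address

# Constructed sample values for this example (not from the page).
CLIENT_MAC = bytes.fromhex("0011223344aa")
RELAY_IF_IP = IPv4Address("144.253.1.100")   # interface carrying ip helper-address
HELPER_IP = IPv4Address("144.253.2.10")      # assumed DHCP server named by ip helper-address
OFFERED_IP = IPv4Address("144.253.1.50")
MAGIC = b"\x63\x82\x53\x63"                  # DHCP magic cookie after the 236-byte BOOTP header
HDR = "!BBBBIHH4s4s4s4s16s64s128s"           # op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr sname file
DISCOVER, OFFER = 1, 2

# UDP ports that ip helper-address relays by default (the page's list).
DEFAULT_FORWARD_PORTS = {69, 53, 137, 138, 37, 67, 68, 49, 42}


def apply_forward_protocol(ports, config_lines):
    """Return the effective port set after '[no] ip forward-protocol udp <port>' lines."""
    ports = set(ports)
    for line in config_lines:
        tok = line.split()
        if "forward-protocol" not in tok or tok[-2] != "udp":
            continue
        if tok[0] == "no":
            ports.discard(int(tok[-1]))
        else:
            ports.add(int(tok[-1]))
    return ports


def build_dhcp(op, msg_type, xid, chaddr, yiaddr="0.0.0.0", giaddr="0.0.0.0", hops=0, extra=b""):
    """Build a minimal DHCP message: BOOTP header, cookie, option 53, extra options, END."""
    fixed = struct.pack(HDR, op, 1, 6, hops, xid, 0, 0x8000, b"\0" * 4,
                        IPv4Address(yiaddr).packed, b"\0" * 4, IPv4Address(giaddr).packed,
                        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return fixed + MAGIC + bytes([53, 1, msg_type]) + extra + b"\xff"


def parse_dhcp(pkt):
    """Parse the header fields we care about plus the option TLVs into a dict."""
    f = struct.unpack(HDR, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 0xFF:
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"op": f[0], "hops": f[3], "xid": f[4], "yiaddr": IPv4Address(f[8]),
            "giaddr": IPv4Address(f[10]), "chaddr": f[11][:6], "options": opts}


def option82(circuit_id, remote_id):
    """Relay agent information option: sub-option 1 (circuit ID) and 2 (remote ID)."""
    sub = bytes([1, len(circuit_id)]) + circuit_id + bytes([2, len(remote_id)]) + remote_id
    return bytes([82, len(sub)]) + sub


def relay_to_server(pkt, dst_port, forward_ports, circuit_id, remote_id):
    """Relay agent, client-facing interface: a broadcast to a helper-listed UDP port is
    re-addressed to the helper; a DHCP request also gets giaddr, hops+1 and option 82."""
    if dst_port not in forward_ports:
        return None                      # not a relayed service: the broadcast stays local
    m = parse_dhcp(pkt)
    body = pkt[:-1]                      # drop END so option 82 can be appended
    body = body[:3] + bytes([m["hops"] + 1]) + body[4:24] + RELAY_IF_IP.packed + body[28:]
    return HELPER_IP, body + option82(circuit_id, remote_id) + b"\xff"


def server_offer(pkt):
    """DHCP server: answer a DISCOVER with an OFFER, echoing option 82 back unchanged."""
    m = parse_dhcp(pkt)
    if m["options"].get(53) != bytes([DISCOVER]):
        raise ValueError("expected DHCPDISCOVER")
    echo = bytes([82, len(m["options"][82])]) + m["options"][82] if 82 in m["options"] else b""
    return build_dhcp(2, OFFER, m["xid"], m["chaddr"], yiaddr=str(OFFERED_IP),
                      giaddr=str(m["giaddr"]), extra=echo)


def relay_to_client(pkt):
    """Relay agent on the way back: strip option 82 before delivering to the client."""
    out, i = bytearray(pkt[:240]), 240
    while pkt[i] != 0xFF:
        code, ln = pkt[i], pkt[i + 1]
        if code != 82:
            out += pkt[i:i + 2 + ln]
        i += 2 + ln
    return bytes(out) + b"\xff"


def run_exchange():
    """DISCOVER -> relay (+option 82) -> server OFFER -> relay (-option 82) -> client."""
    ports = apply_forward_protocol(DEFAULT_FORWARD_PORTS,
                                   ["no ip forward-protocol udp 137", "ip forward-protocol udp 8000"])
    discover = build_dhcp(1, DISCOVER, 0x1234, CLIENT_MAC)
    dst, relayed = relay_to_server(discover, 67, ports, b"Fa0/0:vlan10", b"relay-1")
    offer = server_offer(relayed)
    delivered = relay_to_client(offer)
    return {"dst": str(dst), "giaddr": str(parse_dhcp(relayed)["giaddr"]),
            "hops": parse_dhcp(relayed)["hops"],
            "server_saw_82": 82 in parse_dhcp(relayed)["options"],
            "offer_has_82": 82 in parse_dhcp(offer)["options"],
            "client_sees_82": 82 in parse_dhcp(delivered)["options"],
            "yiaddr": str(parse_dhcp(delivered)["yiaddr"]),
            "netbios_relayed": 137 in ports, "port8000_relayed": 8000 in ports}
```

Calling run_exchange() walks one DISCOVER/OFFER round trip; the returned dict records that the server saw option 82 and giaddr set to the relay interface, while the packet delivered to the client carries the offered address but no option 82.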
Configuring NAT
When the branch router receives a packet over the LAN interface,
it has several options of how to process the packet. For instance,
using the medium-sized branch, which has a leased line into the
Enterprise plus a DSL Internet connection, the router could do the
following:
■ Forward the packet out the serial interface, unchanged, to the
rest of the Enterprise network.
■ Forward the packet out the tunnel, changed somewhat
(encrypted, encapsulated, and so on), to the rest of the Enterprise
network.
■ Forward the packet over the Internet link (the DSL dialer
interface), after using NAT to change the source private address
to a public address, to some public IP destination address.

Only the third option requires NAT. Thankfully, NAT configuration easily supports the concept of performing NAT for traffic going to Internet destinations and not performing NAT for traffic in the tunnel.

NAT types:

a) Static NAT
- A fixed one-to-one translation of a local address to a global address; this type is mainly used for servers.
(config)#ip nat inside source static <inside local ip> <inside global ip>

b) Dynamic NAT
- Each local address is translated to one global address picked by the NAT device from a NAT pool of addresses.
To define a pool:
(config)#ip nat pool <pool name> <start ip> <end ip> {netmask <subnet mask> | prefix-length <length>}
To activate the NAT process:
(config)#ip nat inside source list <acl no.> pool <pool name>

c) Dynamic NAT with Overload (PAT)
- Many local devices can share one global address, because the translation also rewrites port numbers.
- If you have many global addresses, you need a NAT pool.
To define a pool:
(config)#ip nat pool <pool name> <start ip> <end ip> netmask <subnet mask>
To activate the NAT process:
(config)#ip nat inside source list <acl no.> pool <pool name> overload
- If you have only one global address, assign that address to the outside (serial) interface; no NAT pool is needed:
(config)# ip nat inside source list <ACL no.> interface <int. name> overload

NOTE: In all types you have to define the direction for NAT on the interfaces:
(config-if)#ip nat inside
(config-if)#ip nat outside

To display the NAT table:
#show ip nat translations

The following example shows a sample configuration using Router BO1. It assumes that the rest of BO1 was already configured.
interface fastethernet 0/0
 ip address 10.99.1.9 255.255.255.0
 ip nat inside
interface dialer 2
 ip nat outside
ip nat inside source list local-lan interface dialer2 overload
ip access-list extended local-lan
 permit ip 10.99.1.0 0.0.0.255 any

The configuration shows NAT overload, using a single public IP address, namely dialer2's dynamically learned IP address. ACL local-lan matches all packets whose source IP address is from the branch's local LAN subnet (10.99.1.0/24). The ACL, referenced by the ip nat inside source list global command, tells the router to NAT traffic permitted by this ACL. Traffic going through the tunnel will already be encapsulated in a new IP header and no longer has a source address from the LAN subnet, so only traffic destined for Internet destinations will have NAT applied. Finally, the interface subcommands ip nat inside and ip nat outside tell the router on which interfaces to attempt the translation.

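The overload behaviour of the configuration above, modelled in Python as an added example (not code from the page or from Cisco IOS). The ACL subnet 10.99.1.0/24 is the page's; the public address 203.0.113.7 standing in for dialer2's negotiated address, the host addresses and the ports are constructed. The model shows the three properties a practitioner checks in `show ip nat translations`: two inside hosts using the same local port get distinct global ports, traffic the ACL does not permit (the GRE packet sourced from the loopback) passes untranslated, and an inbound packet with no existing entry has nowhere to go and is dropped:

```python
from ipaddress import ip_address, ip_network
from itertools import count

# Constructed for this example: the branch LAN from the page's NAT configuration and an
# assumed public address negotiated on Dialer2 (not a value from the page).
LOCAL_LAN = ip_network("10.99.1.0/24")       # ACL local-lan: permit ip 10.99.1.0 0.0.0.255 any
DIALER2_IP = ip_address("203.0.113.7")       # assumed 'ip address negotiated' result


class PatTable:
    """Model of 'ip nat inside source list local-lan interface dialer2 overload'.

    Each inside-local (proto, ip, port) gets its own source port on the single global
    address; entries are created only by outbound packets the ACL permits."""

    def __init__(self, acl_nets, global_ip, first_port=1024):
        self.acl_nets, self.global_ip = acl_nets, global_ip
        self.next_port = count(first_port)
        self.entries = {}          # (proto, inside_local, local_port) -> global_port

    def acl_permits(self, src):
        return any(src in net for net in self.acl_nets)

    def outbound(self, proto, src, sport, dst, dport):
        """Packet leaving the 'ip nat outside' interface. Returns the translated 5-tuple,
        or the original one when the ACL does not match (e.g. GRE from loopback 10.12.1.1)."""
        src = ip_address(src)
        if not self.acl_permits(src):
            return (proto, str(src), sport, dst, dport)
        key = (proto, src, sport)
        if key not in self.entries:
            self.entries[key] = next(self.next_port)
        return (proto, str(self.global_ip), self.entries[key], dst, dport)

    def inbound(self, proto, src, sport, dst, dport):
        """Reply arriving on the outside interface: undo a known translation. An inbound
        packet with no matching entry has no inside destination and is dropped (None)."""
        if ip_address(dst) != self.global_ip:
            return None
        for (p, local, lport), gport in self.entries.items():
            if p == proto and gport == dport:
                return (proto, src, sport, str(local), lport)
        return None

    def show(self):
        """Rows in the spirit of 'show ip nat translations': inside global, inside local."""
        return [f"{p} {self.global_ip}:{g} {l}:{lp}" for (p, l, lp), g in self.entries.items()]


def demo():
    nat = PatTable([LOCAL_LAN], DIALER2_IP)
    t1 = nat.outbound("udp", "10.99.1.10", 40000, "198.51.100.53", 53)
    t2 = nat.outbound("udp", "10.99.1.11", 40000, "198.51.100.53", 53)   # same local port, other host
    t3 = nat.outbound("udp", "10.99.1.10", 40000, "198.51.100.53", 53)   # reuses the first entry
    gre = nat.outbound("gre", "10.12.1.1", 0, "10.12.1.9", 0)            # tunnel traffic: ACL miss
    reply = nat.inbound("udp", "198.51.100.53", 53, str(DIALER2_IP), t2[2])
    stray = nat.inbound("tcp", "198.51.100.9", 4444, str(DIALER2_IP), 22)  # unsolicited inbound
    return {"t1": t1, "t2": t2, "t3": t3, "gre": gre, "reply": reply, "stray": stray,
            "table": nat.show()}
```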
NAT using Route Maps

NAT using Route Maps instead of ACLs

NAT with Route Maps gives more detail in the NAT table.

Broadband Internet Access Basics
The term broadband has been around in the world of networking
for a long time. The original meaning related to the frequency
bands used by some Layer 1 standards that used a wider
(broader) range of frequencies to achieve a higher bit rate. Today,
the term broadband has grown to become synonymous with high
speed.

Configuring a DSL Connection

Assume that this branch already has a WAN connection, and you are adding redundancy by provisioning a backup DSL connection.
Voice does not use all the available bandwidth on a phone line; it
uses frequencies up to only approximately 3 kHz. DSL was
created to use the space between 3 kHz and 1 MHz to send data
traffic over a telephone local loop. Thus, both voice and data can
be sent simultaneously over the same connection. (Some variants
of DSL use the entire spectrum, however, so no voice can be
sent.) DSL is a physical layer medium that extends between the
subscriber‘s DSL modem and the provider‘s DSL Access
Multiplexer (DSLAM).

Asymmetrical DSL has higher downstream (from the provider's Central Office to the subscriber) bandwidth than upstream (from the subscriber to the CO). Symmetrical DSL has the same bandwidth both downstream and upstream. You sometimes see these referred to as "asynchronous" and "synchronous" DSL.

Note: Although the human voice generates frequencies
below 4000 Hz, the human ear can hear some higher
frequencies, so some DSL installations require the use of
filters on the lines connected to the phones. These filters
prevent humans from hearing some of the higher frequency
DSL tones.

The various types of DSL include:

- ADSL: Asymmetric DSL supports both voice and data.
Downstream bandwidth goes up to 8 Mbps; upstream goes
up to 1 Mbps. Two other versions, ADSL2 and ADSL2+, provide
24 Mbps downstream and 1.5 Mbps upstream. The
maximum distance from the CO is 18,000 feet, or 5.46 km.
- VDSL: Very-high-rate DSL can be either symmetric or
asymmetric and can carry voice along with data. Maximum
symmetric bandwidth is 26 Mbps; maximum asymmetric is 52
Mbps downstream and 13 Mbps upstream. The
maximum distance from the CO is 4,500 feet, or 1.37 km.
- SDSL: Symmetric DSL carries only data, with a maximum for
both downstream and upstream of 768 kbps. The
distance limitation is 22,000 feet, or 6.7 km. It is a proprietary
technology that uses only one twisted pair of wires.
- HDSL: High-data-rate DSL uses two twisted pairs of wires to
achieve a maximum symmetrical bandwidth of 2.048
Mbps. Its maximum distance from the CO is 12,000 feet, or 3.7
km. HDSL carries only data, no voice.
- G.SHDSL: Symmetric High-speed DSL has a symmetrical data
rate of 2.3 Mbps and the longest maximum distance:
28,000 feet, or 8.52 km. It also carries only data, no voice.

The figure shows how ADSL components work together in a typical residential implementation. The telephone company's Central Office forwards both POTS and DSL data traffic over the same line to the subscriber. The line enters at the Network Interface Device (NID) and branches toward the telephone and the PC. A low-pass filter blocks everything but voice frequencies from reaching the phone. A DSL modem (or router with a DSL interface) forwards data to the PC. When the Central Office receives traffic from the subscriber, a splitter sends voice frequencies to the PSTN switch and DSL frequencies to the DSLAM. The DSLAM sends data traffic to a router for forwarding to the Internet.

Recall that DSL is a Layer 1 (Physical Layer) technology. Following are the three methods of carrying data at Layer 2 over DSL:
- Bridging: Based on RFCs 1483 and 2684. Ethernet traffic is just bridged from the subscriber PCs, through the DSL modem and the DSLAM, to a provider router. It is not as secure or scalable as the other methods.
- Point-to-Point Protocol over Ethernet (PPPoE): The most common Layer 2 method of carrying data over DSL. PPP traffic is encapsulated in Ethernet frames.
- Point-to-Point Protocol over ATM (PPPoA): PPP packets are routed over ATM between the subscriber equipment and the provider.
In the following example we use PPPoA, which requires a CPE router because traffic is routed from the subscriber PCs to the aggregation router. The PPP session is established between the CPE router and the aggregation router. Either Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP) authentication can be used. Multiple users are supported if the CPE router is configured to do DHCP and NAT. Traffic between the CPE router and the aggregation router is encapsulated as ATM at Layer 2.
When configuring PPPoA you must set up the internal Ethernet interface, a dialer interface, NAT or PAT, DHCP, and a static default route. Because this is ATM, you must configure Virtual Path Identifier (VPI) and Virtual Circuit Identifier (VCI) information on the external interface to match that of the provider. The type of ATM encapsulation must be specified, PPPoA must be enabled, and the ATM interface must be linked to the virtual dialer interface. A dialer pool is associated with the PVC. The final configuration is shown in the following examples.
Configuring DSL
DSL configuration–even ignoring related services like DHCP and
NAT–requires several steps. The goal of this section is to give you
a general idea of the configuration by showing
one example, just to give you a sense of the configuration pieces.
To appreciate the sample configuration, first consider that DSL is
a switched connection.
Most people think DSL (and cable) provide an always on or
leased Internet connection, because typically the user does not
need to do anything to start and stop the connection.
However, a router can start and stop the DSL connection–or using
the traditional terms, the router can dial and hang-up the
connection. The idea that DSL routers do something to
dial the connection means that the connection is actually
switched.

Internal Ethernet interface:
interface FastEthernet0/1
 ip address 172.16.1.1 255.255.255.0
 ip nat inside

Dialer interface:
interface Dialer1
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 ppp authentication chap
 ppp chap password 0 dslpass

External ATM interface:
interface ATM1/0
 description DSL interface
 no ip address
 dsl operating-mode auto
 pvc 1/100
  encapsulation aal5mux ppp dialer
  dialer pool-member 1

DHCP:
ip dhcp pool Users
 import all
 network 172.16.1.0 255.255.255.0
 default-router 172.16.1.1

Port address translation (PAT):
access-list 100 permit ip 172.16.1.0 0.0.0.255 any
ip nat inside source list 100 interface Dialer1 overload

Static default route:
ip route 0.0.0.0 0.0.0.0 Dialer1

To verify and troubleshoot the DSL configuration, use the commands show dsl interface atm number, debug atm events, debug ppp authentication, show ip route, ping, and traceroute.

The main pieces of the DSL configuration as shown in this section are as follows:
■ The configuration creates a dialer interface.
■ The Layer 3 and PPP configuration related to DSL is applied to the dialer interface.
■ The ATM configuration is applied to the physical ATM interface.
■ The ATM interface is linked to the dialer interface.
■ An IP route forwards traffic out the dialer interface, which triggers the DSL encapsulation process.

The dialer interface has five subcommands in this case, including three related to PPP. One command tells the router to use PPP to learn its IP address from the ISP (ip address negotiated). The dialer pool 1 command tells the dialer interface that when it needs to signal a new connection, it should look for interfaces with dialer pool-member 1 configured, such as interface ATM 0/0.
First examine the ATM interface. The configuration defines the VPI/VCI as 0/42; the ISP needs to match this value, or more likely, dictates the value to the customer. The encapsulation command defines that PPP will also be used. The encapsulation aal5mux ppp dialer command defines that this PVC will use the logic of a dialer interface. Finally, the dialer pool-member 1 command associates the ATM interface with the dialer interface.
Configuring an IPsec VPN
IPsec is not covered in depth on the ROUTE exam, but you
need to understand it well enough to verify the configuration
and add routing across it.
Details in a separate Appendix at the end of the book.
This sample branch uses an IPsec VPN to connect to the
headquarters when the backup DSL link is active.
When IPsec establishes a VPN between two peer hosts, it sets
up a security association (SA) between them. SAs are
unidirectional, so each bidirectional data session requires two.
The Internet Security Association and Key Management
Protocol (ISAKMP) defines how SAs are created and deleted.
An IPsec transform set defines how VPN data will be protected by
specifying the IPsec protocols that will be used. You
can specify up to four transforms, and the algorithm to use with
each. You can also configure either tunnel or transport
mode. (Tunnel is default.)
You use a crypto ACL to identify traffic that should be protected by
the IPsec VPN. Any traffic permitted in the ACL will
be sent over the VPN. Traffic denied by the ACL will not be
dropped; it will simply be sent normally.
A crypto map pulls together the transform sets and crypto ACLs
and associates them with a remote peer. After the crypto
map is configured, it must be applied to an interface for it to take
effect. It is applied at the outgoing interface—the one
that VPN traffic uses to reach the other end of the VPN. You
might need to use a static route or otherwise adjust your
routing to force traffic bound for the VPN destination networks to
use the correct outgoing interface.

Configuring an IPsec VPN
To fully understand the IPsec configuration, you need a deeper
understanding of the security protocols than the detail included in this
book. However, if you ignore the particulars about security protocols, a
sample configuration can reveal some interesting facts about branch
routing, which is the focus of this chapter.

Focus first on the crypto map (named branchmap) and the dialer interface. The dialer interface enables IPsec with the crypto map branchmap command, causing IOS to consider applying IPsec to packets exiting Dialer 2. The crypto map causes IOS to only encrypt and tunnel the packets that are matched by ACL 101 in this case. (See the arrows in the figures as to how the crypto map is linked to using ACL 101.) The crypto map also identifies the destination IP address used when the encapsulation takes place (128.107.9.9). This address is the public IP address of the device on the other end of the tunnel; the earlier figures showed that as Router Ent1.
Next, think about a packet received by BO1 over the LAN, in light of ACL 101, and in light of the crypto map processing outbound traffic on interface Dialer 2. The packet arrives in BO1's F0/0 interface. The packet may be processed by a GRE tunnel first, or it may not. Then, some route must route the packet out Dialer 2. At that point, the logic of the commands in the figure finally begins.
Continuing with this same packet, the ACL matches packets that were tunneled by GRE, or other packets that come from the LAN and are going toward the rest of the Enterprise. The first line in the ACL matches the packets from the local LAN (10.99.1.0/8) going to another destination in the Enterprise. The second line in the ACL matches all GRE packets. Note that packets destined to some public IP address in the Internet would not match the ACL with a permit action. So, only packets destined for the Enterprise network match ACL 101; only the packets permitted by ACL 101 will be processed by the IPsec tunnel logic.

To verify the IPsec VPN, use the following commands:
- show crypto map: Shows the crypto ACLs, any peers, and the interface where the crypto map is applied
- show crypto isakmp sa: Shows information about the ISAKMP security association negotiation process
- show crypto ipsec sa: Shows the settings used by current SAs, including tunnel status and peers

Configuring a Floating Static Route
The IPsec tunnel can be used solely as a backup link, or you can
load balance between it and the primary link. To use it
as a backup link, you can configure a floating static route. A
floating static route is one with an administrative distance
greater than the primary route. If the primary route is active, the
static route will not be placed into the routing table due
to its higher AD. But when the primary route is down, the static
route will be used.

The command syntax for a floating static route is:
ip route destination-network subnet-mask next-hop-address administrative-distance

You can find the AD of the primary route by using the command show ip protocols. EIGRP has an AD of 90, so you might use 100 as the AD of a floating static route when the primary route is learned via EIGRP.

Configuring Dynamic Routing over a GRE Tunnel
To use the IPsec tunnel as an "always on" connection, you need to send routing updates over it. However, IPsec VPNs do not carry broadcast or multicast traffic. You need to create a tunnel within the IPsec tunnel to carry the routing traffic. Four ways to do this include:
- DMVPN: Creates multipoint tunnels on demand. Good for scenarios when spoke-to-spoke connections are needed.
- GET VPN: Creates encrypted multipoint tunnels on demand. Good for scenarios when secure spoke-to-spoke connections are needed.
- Virtual Tunnel Interface (VTI): Creates an always-on tunnel that carries unicast and multicast traffic. Enables you to configure the routing protocol on the tunnel interface, saving the 4 extra bytes required for a GRE header.
- Generic Routing Encapsulation (GRE): GRE is a tunneling protocol that can support multiple Layer 3 protocols. It enables the use of multicast routing protocols across the tunnel. It adds a 20-byte IP header and a 4-byte GRE header. GRE does not encrypt traffic or use any strong security measures to protect the traffic. GRE can be used along with IPsec to provide data source authentication, data confidentiality, and assurance of data integrity. GRE over IPsec tunnels are typically configured in a hub-and-spoke topology over an untrusted WAN to minimize the number of tunnels that each router must maintain.

In this section, we configure a GRE tunnel to carry EIGRP traffic over the IPsec tunnel. This basically creates a tunnel within a tunnel, as shown in the figure.

Configuring a GRE tunnel is fairly easy. Follow these steps on the routers at each end of the tunnel:
1. Create a loopback interface to use as the tunnel endpoint. Using a loopback rather than a physical interface adds stability to the configuration.
2. Create the GRE tunnel interface. This requires the tunnel source, the tunnel destination, and the tunnel mode.
3. Add the tunnel subnet to the routing process so that it exchanges routing updates across that interface.
4. Add GRE traffic to the crypto access list, so that IPsec encrypts the GRE tunnel traffic.

GRE Tunnel Configuration

interface tunnel 9
 ! the tunnel subnet must also contain the far end's tunnel address, so a /24 is used
 ! here rather than a host (/32) mask, which would not let EIGRP form a neighbor
 ip address 10.99.2.1 255.255.255.0
 tunnel source loopback 1
 tunnel destination 10.12.1.9
interface loopback 1
 ip address 10.12.1.1 255.255.255.0
router eigrp 1
 network 10.12.1.1 0.0.0.0
 network 10.99.2.1 0.0.0.0
ip route 10.12.1.9 255.255.255.255 dialer2

The tunnel configuration uses just three subcommands: one to define the source IP address (indirectly, as loopback 1's 10.12.1.1), the tunnel destination (10.12.1.9), and the interface's passenger protocol address (IP address 10.99.2.1). The tunnel mode command is not needed, because IOS defaults to using IPv4 as the transport protocol, which then allows any of the supported passenger protocols.
The configuration also requires two main branches of logic for routing to work correctly. First, for the tunnel to function, the tunnel destination must be reachable; in this example, a static route was added for this purpose. Additionally, the routers need to exchange routes that list the tunnel interface as the outgoing interface, which in turn directs packets through the tunnel. The example includes the EIGRP configuration that enables EIGRP on tunnel 9 just as a reminder that one of the primary motivations for bothering with the GRE tunnel is to support IGP routing protocols.

Following are the steps in Figure 19-12:
Step 1. R1 has the original packet in memory, source 10.99.1.1 (PC1), destination 10.1.1.1 (S1).
Step 2. BO1's best route for destination 10.1.1.1 uses outgoing interface tunnel 9. This route may have been learned by an IGP running over this GRE tunnel.
Step 3. BO1 adds a new IPv4 header and GRE header to the original packet. The destination of this new packet, taken from BO1's tunnel 9 subcommand tunnel destination, is address 10.12.1.9.
Step 4. BO1 routes the packet formed in the previous step. The best route for 10.12.1.9 lists Dialer 2 as the outgoing interface. The crypto map on interface Dialer 2 refers to an ACL, and the ACL matches this packet with a permit action. This combination of logic tells BO1 to use IPsec to encrypt this packet for transmission over the IPsec tunnel.
Step 5. BO1 encrypts the packet that was created in Step 3; in other words, it encrypts the GRE-created packet.
Step 6. BO1 encapsulates the encrypted data, adding several IPsec headers, plus a new IPv4 header. The new IPv4 header uses BO1's public IPv4 address as source and the configured public IPv4 address of the other end of the IPsec tunnel as destination. Per the example, the destination IP address would be 128.107.9.9.
Step 7. BO1 routes this latest packet, with its destination IP address of 128.107.9.9, matching a route (probably a default route) that lists Dialer 2 (again) as the outgoing interface. However, the crypto map's ACL does not match the packet with a permit action, so BO1 bypasses any further IPsec functions and simply tries to forward the packet.
Step 8. Forwarding out the dialer interface then causes this DSL-connected router to forward the packet out the underlying ATM interface, which performs the encapsulation and segmentation previously shown in Figure.

Interestingly, this process drives the branch router to make comparisons


to the routing table three separate times when forwarding this data. The
most important thing to remember from this example is to get a sense for
how the pieces work together and how the steps add additional headers.

IP version 6

- Addressing
- Data delivery
- Routing protocols
- Transition from IPv4 to IPv6

9-IPv6:
Why Do We Need a Larger Address Space?
• Internet population
– Approximately 2.5 billion users in November 2010
– Emerging population and geopolitical and address space
• Mobile users
– PDA, tablet-PC, notepad, and so on
– Approximately 200 million in 2010.
• Mobile phones
– Already more than a billion mobile phones delivered by the industry
• Transportation
– 1.2 billion automobiles forecast for 2010
– Internet access in planes – Example: Lufthansa
• Consumer devices
– Sony mandated that all its products be IPv6-enabled by
2005
– Billions of home and industrial appliances

• IPv6 satisfies the increasingly complex requirements of hierarchical addressing that IP version 4 (IPv4) does not provide. One key benefit is that IPv6 can recreate end-to-end communications without the need for Network Address Translation (NAT), which is a requirement for a new generation of shared-experience and real-time applications.
• Transitions to IPv6 from IPv4 deployments can use a variety of techniques, including an autoconfiguration function. This lesson describes the functionality and benefits of IPv6. Cisco Systems currently supports IPv6 in Cisco IOS Software Release 12.2(2)T and later.
IP v.6 Characteristics:
• Larger address space
- Global reachability and flexibility
- Aggregation
- Multihoming
- Autoconfiguration
- Plug-and-play
- End to end without NAT
- Renumbering

• Simpler header
- Routing efficiency
- Performance and forwarding rate scalability
- No broadcasts
- No checksums
- Extension headers
- Flow labels
- Address renumbering and modification

• Mobility and security
- Mobile IP & IPsec
A- Larger address space

IPv4
• 32 bits or 4 bytes long
~= 4,200,000,000 possible addressable nodes

IPv6
• 128-bit address, so the number of IPs = 2^128 possible IPs
= 3.4 * 10^38 possible IPs = 5 * 10^28 IPs per human.

B- Global reachability and flexibility:

- This is done by using a unique IP for each device.
- IPv6 gives every user multiple global addresses that can be used for a wide variety of devices, including cell phones, personal digital assistants (PDAs), and IP-enabled vehicles. Quadrupling the available 32-bit IPv4 address space to 128 bits, IPv6 addresses the need for always-on environments. These addresses are reachable without using IP address translation, pooling, and temporary allocation techniques.
• IPv6 format:
1- Colon-separated hexadecimal form: X:X:X:X:X:X:X:X, where each field X = 4 hexadecimal characters = 16 bits.

2- Leading zeros in a field are optional.
Ex: 2003:0001:X:X:X:X:X:X
= 2003:1:X:X:X:X:X:X

3- A field made entirely of zeros is represented as :0:
Ex: 203B:0000:130F:0000:X:X:X:X
= 203B:0:130F:0:X:X:X:X

4- Successive fields of zeros are represented by ::, which can be used only once.
Ex: 203B:0000:0000:130F:0000:0000:0000:ABCD
= 203B:0:0:130F::ABCD

• If two "::" notations are placed in the address, there is no way to identify the size of each block of zeros.
203B::130F::ABCD => incorrect

Examples:
1- FF02:0:0:0:0:0:0:0005 => FF02::5
2- 0:0:0:0:0:0:0:1 => ::1
3- 0:0:0:0:0:0:0:0 => ::
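As an added example (not part of the original course material), the following Python code applies the four notation rules above to a full eight-field address and rejects text that uses "::" twice. It cross-checks its own output against Python's standard ipaddress module; the sample addresses in the test are the ones listed in the examples above.

```python
"""Added example: compress and validate IPv6 textual addresses.

Not course code.  It implements the notation rules in plain Python and
then cross-checks the result against the standard-library ipaddress module.
"""
import ipaddress


def compress_ipv6(addr: str) -> str:
    """Apply the notation rules to a full 8-field address: drop leading
    zeros in each 16-bit field, replace the longest run of two or more
    all-zero fields with '::', and use '::' at most once."""
    fields = addr.split(":")
    if len(fields) != 8:
        raise ValueError("expected 8 colon-separated fields, got %d" % len(fields))
    # Rule 2: leading zeros are optional, so drop them; a field of 0000
    # becomes a single 0 (rule 3).
    short = [f.lstrip("0") or "0" for f in fields]
    # Rule 4: find the longest run of consecutive zero fields.
    best_start, best_len = -1, 0
    run_start, run_len = -1, 0
    for i, f in enumerate(short):
        if f == "0":
            if run_len == 0:
                run_start = i
            run_len += 1
            if run_len > best_len:
                best_start, best_len = run_start, run_len
        else:
            run_len = 0
    if best_len < 2:  # '::' is only worth using for two or more zero fields
        return ":".join(short)
    left = short[:best_start]
    right = short[best_start + best_len:]
    return ":".join(left) + "::" + ":".join(right)


def is_valid_ipv6(text: str) -> bool:
    """A second '::' makes the zero-block sizes ambiguous, so such text is
    rejected (ipaddress raises on it); well-formed text parses."""
    try:
        ipaddress.IPv6Address(text)
        return True
    except ValueError:
        return False


def matches_stdlib(full: str) -> bool:
    """Cross-check: our compressed form must be the same address, and the
    same spelling (ignoring case), as ipaddress produces."""
    ours = compress_ipv6(full)
    theirs = ipaddress.IPv6Address(full)
    return ipaddress.IPv6Address(ours) == theirs and ours.lower() == theirs.compressed
```

Run compress_ipv6 on the address from rule 4 and note that the three-field zero run, not the earlier two-field run, is the one replaced by "::", which is exactly what the rule requires.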

IPv6 address assignment (getting a logical address)
This is done through:
- Stateless autoconfiguration (NDP = Neighbor Discovery Protocol): the host asks "What is my link address?" in a Router Solicitation, and the router answers with a Router Advertisement. Stateless DHCP for IPv6 is also called "DHCP-lite".

So giving an IPv6 address can be done using:
- NDP (DHCP-Lite), part of ICMPv6
- DHCPv6
- Manually
IPv6 Global Unicast (and Anycast) Addresses

Interface Identifiers
• Cisco uses the extended universal identifier (EUI)-64 format to do stateless autoconfiguration.
• This format expands the 48-bit MAC address to 64 bits by inserting "FFFE" into the middle, between the upper 3 bytes (Organizational Unique Identifier [OUI] field) and the lower 3 bytes (serial number) of the link layer address.
• To make sure that the chosen address is from a unique Ethernet MAC address, the universal/local (U/L) bit, the seventh bit in the high-order byte, is set to 1 for global scope (0 for local scope); this is equivalent to the IEEE G/L bit.

• Forms of IPv6 destination address:
- Unicast: only one device has to receive the packet.
- Multicast: a complete group of devices has to receive the packet.
- Anycast: any device from a certain group has to receive the packet.
- Broadcast: does not exist.

1- Unicast address types:
- Link local (FE80::/10): used with directly connected devices (local protocol messages).
- Site local (FEC0::/10): private addresses, used within the local site.
- Aggregate global: public IP.
- Loopback (::1/128) and unspecified addresses, and IPv4-mapped addresses.
IPv6 is defined on most of the current data link layers,
including the following:
Ethernet*
PPP*
High-Level Data Link Control (HDLC)*
FDDI
Token Ring
ATM**
Frame Relay***

* Cisco supports these data link layers.


** Cisco supports only ATM permanent virtual circuit (PVC)
and ATM LAN Emulation
*** Cisco supports only Frame Relay PVC.

Point-to-Point Links auto addressing (EUI):
Recall that an IPv6 interface uses its MAC address to create its link-local address. A serial link has no MAC address associated with it, so it uses one from an Ethernet interface. You can manually configure the link-local address to make it more recognizable. Be sure to begin the IPv6 address with the link-local prefix FE80.

Note: A single interface may be assigned multiple IPv6 addresses of any type: unicast, anycast, or multicast.

1- Broadcast
- Not supported by IPv6; any protocol or application that required a broadcasting feature has moved to a multicast option.
2- Multicast
- A group of devices that have the same address; a packet should reach all the destinations having that multicast address. Routers forward the multicast packet to all destinations having that address.
- Has the range FF00::/8 (first octet FF, from FF00:: through FFFF::).
Multicasting is extremely important to IPv6, because it is at the core of many IPv6 functions.

(Figure: the second octet of a multicast address; flag = well known or user defined; scope = loopback, internal subnet, or external subnet.)

• IPv6 multicast addresses are defined by the prefix FF00::/8. The second octet defines the lifetime (flag) and the scope of the multicast address.
- The flag parameter is equal to 0 for a permanent, or well-known, multicast address. For a temporary multicast address, the flag is equal to 1.
- The scope parameter is equal to 1 for the scope of the interface (loopback transmission), 2 for the link scope (similar to unicast link-local scope), 3 for subnet-local scope where subnets may span multiple links, 4 for admin-local scope (administratively configured), 5 for the site scope, 8 for the organizational scope (multiple sites), and E for the global scope. For example, a multicast address starting with FF02::/16 is a permanent multicast address with a link-local scope.
• The multicast group ID consists of the lower 112 bits of the multicast address.
• There is no Time to Live (TTL) in IPv6 multicast. The scoping is defined inside the address.
Examples of Permanent Multicast Addresses
The multicast addresses FF00:: to FF0F:: are reserved. Within that range, the following are some examples of assigned addresses (there are many more assignments made; assignments are tracked by the Internet Assigned Numbers Authority [IANA]):

FF02::1:FFXX:XXXX: solicited-node multicast on link (the IPv6 replacement for ARP, part of NDP/ICMPv6), where XX:XXXX is the rightmost 24 bits of the corresponding unicast or anycast address of the node. (Neighbor solicitation messages are sent on a local link when a node wants to determine the link-layer address of another node on the same local link, similar to Address Resolution Protocol [ARP] in IPv4.)

The site-local multicast scope has an administratively assigned radius and has no direct correlation to the (now deprecated) site-local unicast prefix of FEC0::/10.

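As an added example (not course material), the Python below decodes the flag and scope nibbles of a multicast address as described on the previous page, and builds the solicited-node address FF02::1:FFXX:XXXX for a given unicast address. The scope-name table is an assumption made for readability; it follows the scope values listed above.

```python
"""Added example: decode an IPv6 multicast address and build the
solicited-node address used by Neighbor Solicitation.  Not course code;
standard library only."""
import ipaddress

# Assumed readable names for the scope values listed in the notes.
SCOPE_NAMES = {
    0x1: "interface-local",
    0x2: "link-local",
    0x3: "subnet-local",
    0x4: "admin-local",
    0x5: "site-local",
    0x8: "organization-local",
    0xE: "global",
}


def decode_multicast(addr: str) -> dict:
    """Split FF<flags><scope>::<group ID>; raises if not in FF00::/8."""
    a = ipaddress.IPv6Address(addr)
    if not a.is_multicast:
        raise ValueError("%s is not in FF00::/8" % addr)
    p = a.packed
    flags, scope = p[1] >> 4, p[1] & 0x0F          # second octet
    group_id = int.from_bytes(p[2:], "big")         # the lower 112 bits
    return {
        "permanent": flags == 0,                    # flag 0 = well known, 1 = temporary
        "scope": SCOPE_NAMES.get(scope, "reserved/unassigned (%x)" % scope),
        "group_id": group_id,
    }


def solicited_node(unicast: str) -> str:
    """FF02::1:FFXX:XXXX, where XX:XXXX are the low 24 bits of the unicast
    (or anycast) address.  A node joins this group so that neighbors can
    resolve its link-layer address without a broadcast."""
    low24 = int(ipaddress.IPv6Address(unicast)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | low24).compressed
```

Feeding it the neighbor address 2000:0:0:2::3 from the debug ipv6 nd output later in this chapter gives ff02::1:ff00:3, which is the group the Neighbor Solicitation in that output was sent to.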
3- Anycast (from the global unicast space)
A group of devices that have the same function; a packet should reach only one of the destinations. Routers decide on the closest device to reach that destination.

• Characterized by:
– One-to-nearest (allocated from unicast address space).
– Multiple devices share the same address.
– All anycast nodes should provide uniform service.
– Source devices send packets to the anycast address.
– Routers decide on the closest device to reach that destination.
– Suitable for load balancing and content delivery services.

Anycast addresses are syntactically indistinguishable from global unicast addresses because anycast addresses are allocated from the global unicast address space.

When a unicast address is assigned to more than one interface, thus turning it into an anycast address, the nodes to which the address is assigned must be explicitly configured to use and recognize the anycast address. For devices that are not configured for anycast, these addresses appear as unicast addresses.
Note: Anycast addresses must not be used as the source address of an IPv6 packet.
Examples for anycast addressing needs:
Multiple ISPs and LANs with Multiple Routers
An example of anycast use in a Border Gateway Protocol (BGP) multihomed network is when a customer has multiple ISPs with multiple connections to one another. The customer can configure a different anycast address for each ISP. Each router for the given ISP has the same configured anycast address. The source device can choose which ISP to send the packet to; however, the routers along the path determine the closest router to reach that ISP using the IPv6 anycast address.
Another use for an anycast is when a LAN is attached to multiple routers. These routers can have the same IPv6 anycast address so that distant devices need to identify only the anycast address. Intermediate devices can choose the best pathway to reach the closest entry point to that subnet.

4- Unicast
Link-Local Address

• Link-local addresses have a scope limited to the link and are dynamically created on all IPv6 interfaces by using the specific link-local prefix FE80::/10 and a 64-bit interface identifier. It is like what IPv4 calls the APIPA address (Automatic Private IP Address), which uses the range 169.254.0.0/16 and is used only inside the local LAN (not routable).
• Link-local addresses are used for automatic address configuration, neighbor discovery, and router discovery. Link-local addresses are also used by many routing protocols.
• Link-local addresses can serve as a way to connect devices on the same local network without needing global addresses.

Site-Local Address
It is like the private IPs in the IPv4 scheme; it is mainly helpful for private WAN addressing without any need for IANA registration.
Global unicast addresses

Global unicast addresses are defined by a global routing prefix, a subnet ID, and an interface ID. The IPv6 unicast address space encompasses the entire IPv6 address range, with the exception of FF00::/8 (1111 1111), which is used for multicast addresses. The current global unicast address assignment by the Internet Assigned Numbers Authority (IANA) uses the range of addresses that start with binary value 001 (2000::/3), which is one-eighth of the total IPv6 address space and is the largest block of assigned addresses.
Addresses with a prefix of 2000::/3 (001) through E000::/3 (111), with the exception of the FF00::/8 (1111 1111) multicast addresses, are required to have 64-bit interface identifiers in the extended universal identifier (EUI)-64 format.
The IANA is allocating the IPv6 address space in the range of 2001::/16 to the registries.
Data delivery Characteristics

1- Plug and play configuration ( NDP and EUI-64)

2- Load Sharing & Redundancy (Anycast)

3- Enhanced Security (Integrated IPSec)

4- Enhanced Mobility (Integrated Mobile IP)

5- Simpler and more efficient header that carries data from end to end

6- Integrated Quality of Service ( Traffic Class bits in IP Packet)

7- Integrated support for MPLS (Label bits in IPv6 packet)

8- Stable Routing (Same Routing methods as IPv4)

9- Easy communication with IPv4 (Transition Richness)

Plug and Play
This is done through stateless autoconfiguration (getting a logical address).

Autoconfiguration enables the plug-and-play feature, which allows devices to connect themselves to the network without any configuration and without any servers (like DHCP servers). This key feature enables deployment of new devices on the Internet, such as cellular phones, wireless devices, home appliances, and home networks.
Stateless DHCP for IPv6 is also called "DHCP-lite".
A router on the local link can send network information, such as the 64-bit prefix of the local link network and the default route. It sends this to all the nodes on the local link. A host can autoconfigure itself by appending its IPv6 interface identifier (64-bit format) to the local link prefix (64 bits). This process results in a full 128-bit address that is usable and guaranteed to be globally unique.

- "What is my link address?" (Router Solicitation), answered by a Router Advertisement.
- Renumbering: getting a new addressing scheme.
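As an added example (not from the course), the Python below carries out the EUI-64 expansion described under Interface Identifiers and the prefix-plus-identifier step described in this plug-and-play section. The MAC address 0013.197b.5004 and the prefix 2000:0:0:4::/64 are taken from the R2 output shown later in this chapter, so the result can be compared directly with that show ipv6 interface brief listing.

```python
"""Added example: derive a modified EUI-64 interface ID from a MAC address
and combine it with a /64 prefix, as stateless autoconfiguration (and the
IOS 'eui-64' keyword) do.  Not course code; the sample MAC and prefix are
the ones shown in the R2 output in this chapter."""
import ipaddress


def eui64_interface_id(mac: str) -> bytes:
    """Expand a 48-bit MAC into a 64-bit interface ID: insert FFFE between
    the 3-byte OUI and the 3-byte serial number, then flip the U/L bit
    (bit value 0x02 of the first byte) so a universally administered MAC
    yields a 1 in that position."""
    hexdigits = "".join(c for c in mac if c in "0123456789abcdefABCDEF")
    if len(hexdigits) != 12:
        raise ValueError("MAC must contain exactly 12 hex digits")
    octets = bytearray.fromhex(hexdigits)
    eui64 = octets[:3] + b"\xff\xfe" + octets[3:]
    eui64[0] ^= 0x02  # U/L bit: 0 in a burned-in MAC becomes 1 in the ID
    return bytes(eui64)


def address_from_prefix(prefix: str, mac: str) -> str:
    """Append the EUI-64 ID to a /64 prefix, such as one carried in a Router
    Advertisement or typed with the 'eui-64' interface command."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a /64 prefix")
    packed = net.network_address.packed[:8] + eui64_interface_id(mac)
    return ipaddress.IPv6Address(packed).compressed


def link_local_from_mac(mac: str) -> str:
    """Link-local address: FE80::/64 plus the EUI-64 interface ID."""
    return address_from_prefix("fe80::/64", mac)
```

For 0013.197b.5004 the interface ID is 0213:19FF:FE7B:5004, giving FE80::213:19FF:FE7B:5004 as the link-local address and 2000::4:213:19FF:FE7B:5004 under the 2000:0:0:4::/64 prefix, both matching the R2 listing.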
Integrated Mobile IP & Integrated security features
IPv6 uses Mobile IP and IPsec as mandatory protocols to provide end-to-end security.
Mobile IP enables mobile devices to move without breaking current connections. In IPv6, mobility is built in, which means that any IPv6 node can use it as needed. However, in IPv4, mobility is a new function that must be added.

The routing headers of IPv6 make Mobile IPv6 much more efficient for end nodes than Mobile IPv4. Mobility takes advantage of the flexibility of IPv6. For example, binding uses some header options (destination) that are mandatory for every IPv6 device. Also, IPv6 mobility creates a new "mobility" extension header.

IPsec is the IETF standard for IP network security, available for both IPv4 and IPv6. Although the functionalities are essentially identical in both environments, IPsec is mandatory in IPv6. IPsec is enabled on every IPv6 node and is available for use. The availability of IPsec on all nodes makes the IPv6 Internet more secure. IPsec also requires keys for each party, which implies a global key deployment and distribution.

Simpler header
A simpler and more efficient header means:
• 64-bit aligned fields and fewer fields
• Improved routing efficiency and performance
• Faster forwarding rate with better scalability
• IPv6 has extension headers.
• It handles the options more efficiently.

The IPv6 packet header is simpler than the IPv4 header (no fragmentation field).
The IP version 4 (IPv4) header contains 12 basic header fields, followed by an options field and a data portion (usually the transport layer segment). The basic IPv4 header has a fixed size of 20 octets. The variable-length options field increases the size of the total IP header. IPv6 contains 5 of the 12 IPv4 basic header fields. The IPv6 header does not require the other seven fields.
(Figure: IPv4 header compared with the IPv6 header.)
Routers handle fragmentation in IPv4, which causes a variety of processing issues. IPv6 routers no longer perform fragmentation. Instead, a discovery process is used to determine the optimum maximum transmission unit (MTU) to use during a given session.
In the discovery process, the source IPv6 device attempts to send a packet at the size that is specified by the upper IP layers, for example, the transport and application layers. If the device receives an "ICMP packet too big" message, it retransmits the MTU discover packet with a smaller MTU and repeats the process until it gets a response that the discover packet arrived intact. Then it sets the MTU for the session.

The discovery process is beneficial because, as routing pathways change, a new MTU might be more appropriate. A device performs an MTU discovery every 5 minutes to see whether the MTU has increased along the pathway. Application and transport layers for IPv6 accept MTU reduction notifications from the IPv6 layer. If they do not accept the notifications, IPv6 has a mechanism to fragment packets that are too large; however, upper layers are encouraged to avoid sending messages that require fragmentation.
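As an added example (not course material), this Python simulates the exchange just described: each hop along a constructed path has its own link MTU, an oversized probe is answered with a Packet Too Big message carrying that hop's MTU, and the source shrinks its probe until one arrives intact. The per-hop MTU list is constructed for the example; the 1280-octet minimum is the IPv6 minimum link MTU.

```python
"""Added example: simulate IPv6 path MTU discovery.  Not course code.
The path is a constructed list of per-hop link MTUs; each 'router' answers
an oversized packet with Packet Too Big carrying its own MTU, and because
IPv6 routers never fragment, the source must shrink and retry."""

IPV6_MIN_MTU = 1280  # every IPv6 link must carry at least this size


def forward(path_mtus, packet_size):
    """Router side: walk the hops in order.  Returns ("delivered", None) or
    ("packet_too_big", mtu) from the first hop whose link is too small."""
    for mtu in path_mtus:
        if packet_size > mtu:
            return ("packet_too_big", mtu)
    return ("delivered", None)


def discover_path_mtu(path_mtus, requested_size, log=None):
    """Source side: start at the size the upper layers asked for and lower
    it on every Packet Too Big until a probe arrives intact.  Returns the
    discovered path MTU and the number of probes it took; each probe is
    appended to 'log' as (size, status, reported_mtu) when a list is given."""
    size = requested_size
    probes = 0
    while True:
        probes += 1
        status, mtu = forward(path_mtus, size)
        if log is not None:
            log.append((size, status, mtu))
        if status == "delivered":
            return size, probes
        if mtu < IPV6_MIN_MTU:
            raise ValueError("hop reports MTU %d below the IPv6 minimum" % mtu)
        size = mtu  # retransmit the probe at the MTU the router reported
```

With the path [1500, 1492, 1400, 1500] and a 1500-byte request, the source needs three probes (1500, then 1492, then 1400) because each Packet Too Big only reveals the MTU of the first link that rejected the probe, not the smallest link on the whole path.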

The IPv6 header has 40 octets in contrast to the 20 octets in
IPv4. IPv6 has a smaller number of fields, and the header is 64-
bit aligned to enable fast processing by current processors.
Address fields are four times larger than in IPv4.
The IPv6 header contains these fields:
• Version: A 4-bit field, the same as in IPv4. It contains the
number 6 instead of the number 4 for IPv4.
• Traffic Class: An 8-bit field similar to the type of service (ToS)
field in IPv4. It tags the packet with a traffic class that it uses in
differentiated services (DiffServ).
• Flow Label: A completely new 20-bit field. It tags a flow for the
IP packets. It can be used for multilayer switching techniques
and faster packet-switching performance.
• Payload Length: Similar to the Total Length field of IPv4.
• Next Header: The value of this field determines the type of
information that follows the basic IPv6 header. It can be a
transport-layer packet, such as TCP or UDP, or it can be an
extension header. The next header field is similar to the Protocol
field of IPv4.
• Hop Limit: This field specifies the maximum number of hops
that an IP packet can traverse. Each hop or router decreases this
field by one (similar to the Time to Live [TTL] field in IPv4).
Because there is no checksum in the IPv6 header, the router can
decrease the field without recomputing the checksum. On IPv4
routers the recomputation costs processing time.
• Source Address: This field has 16 octets or 128 bits. It
identifies the source of the packet.
• Destination Address: This field has 16 octets or 128 bits. It
identifies the destination of the packet.
• Extension Headers: The extension headers, if any, and the
data portion of the packet follow the eight fields. The number of
extension headers is not fixed, so the total length of the
extension header chain is variable.

There are many types of extension headers. When multiple extension headers are used in the same packet, the order of the headers should be as follows:
1. IPv6 header: This header is the basic header described in the previous figure.
2. Hop-by-hop options header: This header is used for the router alert option (Resource Reservation Protocol [RSVP] and Multicast Listener Discovery version 1 [MLDv1]). When present, the hop-by-hop options header always follows immediately after the basic IPv6 packet header. This header (value = 0) is processed by all hops in the path of a packet.
3. Destination options header (when the routing header is used): This header (value = 60) can follow any hop-by-hop options header, in which case the destination options header is processed at the final destination and also at each visited address specified by a routing header. Alternatively, the destination options header can follow any Encapsulating Security Payload (ESP) header, in which case the destination options header is processed only at the final destination. For example, mobile IP uses this header.
4. Routing header: This header (value = 43) is used for source routing and mobile IPv6.
5. Fragment header: This header is used when a source must fragment a packet that is larger than the MTU for the path between itself and a destination device. The fragment header is used in each fragmented packet.
6. Authentication header (AH) and Encapsulating Security Payload header (ESP): The authentication header AH (value = 51) and the ESP header (value = 50) are used within IPsec to provide authentication, integrity, and confidentiality of a packet. These headers are identical for both IPv4 and IPv6.
7. Upper-layer header: The upper-layer (transport) headers are the typical headers used inside a packet to transport the data. The two main transport protocols are TCP (value = 6) and UDP (value = 17).
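As an added example (not from the course), the Python below packs the eight fixed IPv6 header fields listed on the previous page with struct, decrements the hop limit the way a router does (there is no checksum to recompute), and walks a Next Header chain in the order listed above. The packet bytes are constructed inline, the option bodies are PadN filler, and the transport payload is a placeholder; the fragment header value 44 is the IANA protocol number.

```python
"""Added example: build and parse the 40-octet IPv6 header and walk the
extension-header chain.  Not course code; packet bytes are constructed."""
import ipaddress
import struct

# Next Header values named in the notes (fragment = 44 is the IANA value).
HOP_BY_HOP, TCP, UDP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS = 0, 6, 17, 43, 44, 50, 51, 60
EXT_NAMES = {HOP_BY_HOP: "hop-by-hop", DEST_OPTS: "destination", ROUTING: "routing",
             FRAGMENT: "fragment", AH: "AH", ESP: "ESP"}
UPPER_NAMES = {TCP: "TCP", UDP: "UDP"}
HDR_FMT = "!IHBB16s16s"  # ver/class/flow, payload len, next hdr, hop limit, src, dst


def build_header(src, dst, next_header, payload_len, hop_limit=64,
                 traffic_class=0, flow_label=0):
    """Pack the fixed fields: version(4) | traffic class(8) | flow label(20),
    payload length(16), next header(8), hop limit(8), src(128), dst(128)."""
    first_word = (6 << 28) | (traffic_class << 20) | flow_label
    return struct.pack(HDR_FMT, first_word, payload_len, next_header, hop_limit,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed)


def parse_header(pkt):
    """Unpack the 40-octet fixed header; raises if the version is not 6."""
    first_word, plen, nh, hlim, s, d = struct.unpack(HDR_FMT, pkt[:40])
    if first_word >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    return {"traffic_class": (first_word >> 20) & 0xFF,
            "flow_label": first_word & 0xFFFFF,
            "payload_length": plen, "next_header": nh, "hop_limit": hlim,
            "src": ipaddress.IPv6Address(s).compressed,
            "dst": ipaddress.IPv6Address(d).compressed}


def decrement_hop_limit(pkt):
    """What each router does: hop limit minus one, with no checksum to fix.
    Returns None when the packet must be dropped (hop limit exhausted)."""
    hlim = pkt[7]
    if hlim <= 1:
        return None
    return pkt[:7] + bytes([hlim - 1]) + pkt[8:]


def walk_headers(pkt):
    """Follow the Next Header chain.  Options and routing headers carry
    Hdr Ext Len in 8-octet units (not counting the first 8), the fragment
    header is fixed at 8 octets, and AH's length is in 4-octet units + 2.
    Returns the header names in order, ending at the upper-layer protocol
    (or at ESP, beyond which the data is encrypted)."""
    chain = []
    nh = parse_header(pkt)["next_header"]
    off = 40
    while nh in EXT_NAMES:
        chain.append(EXT_NAMES[nh])
        if nh == ESP:
            break
        next_nh, ext_len = pkt[off], pkt[off + 1]
        if nh == FRAGMENT:
            size = 8
        elif nh == AH:
            size = (ext_len + 2) * 4
        else:
            size = (ext_len + 1) * 8
        nh, off = next_nh, off + size
    else:
        chain.append(UPPER_NAMES.get(nh, "protocol %d" % nh))
    return chain


def sample_packet():
    """Constructed packet: IPv6 | hop-by-hop | destination | fragment | TCP,
    in the order the notes prescribe.  Option bodies are PadN filler and
    the 20-byte TCP header is a zero placeholder."""
    hbh = bytes([DEST_OPTS, 0]) + b"\x01\x04\x00\x00\x00\x00"   # next=60, PadN(4)
    dopt = bytes([FRAGMENT, 0]) + b"\x01\x04\x00\x00\x00\x00"   # next=44, PadN(4)
    frag = bytes([TCP, 0]) + b"\x00\x00" + (1).to_bytes(4, "big")  # offset 0, M=0, id 1
    tcp = b"\x00" * 20
    payload = hbh + dopt + frag + tcp
    return build_header("2001:db8::1", "2001:db8::2", HOP_BY_HOP, len(payload)) + payload
```

The payload length of the sample packet is 44 octets (three 8-octet extension headers plus the 20-octet placeholder), and walk_headers stops at ESP because nothing after an ESP header can be parsed without the keys.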
IPv6 Routing Protocols

• IP routing protocols supporting IPv6 and their IOS release:
– Integrated IS-IS for IPv6 – Release 12.0(22)S and 12.2(8)T
– BGP extensions for IPv6 – Release 12.0(22)S and 12.2(2)T
– RIP for IPv6 – Release 12.0(22)S and 12.2(2)T
– Static routes – Release 12.0(22)S and 12.2(2)T
– EIGRP for IPv6
– OSPF for IPv6

Configuring IPv6:
(config)#ipv6 unicast-routing
(config)#ipv6 route <prefix/prefix-length> {interface | next-hop-ip}
(config)#interface fa0/0
(config-if)#ipv6 address <address/prefix-length> [eui-64]
The eui-64 parameter forces the router to complete the low-order 64 bits of the address by using an EUI-64 interface ID.

Address Aggregation

(Figure: an ISP announcing the single aggregate prefix 2001:0410::/32 for its customers.)

Larger address spaces make room for large address allocations to ISPs and organizations. An ISP aggregates all the prefixes of its customers into a single prefix and announces the single prefix to the IPv6 Internet. The increased address space is sufficient to allow organizations to define a single prefix for the entire network as well.

• Aggregation of prefixes announced in the global routing table
• Efficient and scalable routing
• Improved bandwidth and functionality for user traffic
Basic IPv6 configuration

R2# show running-config
! lines omitted for brevity
interface FastEthernet0/0
ipv6 address 2000:0:0:4::/64 eui-64
!
interface FastEthernet0/1
ipv6 address 2000:0:0:2::2/64
!
interface Serial0/0/1
ipv6 address 2000:0:0:1::/64 eui-64
!
R2# show interfaces fa0/0
FastEthernet0/0 is up, line protocol is up
Hardware is Gt96k FE, address is 0013.197b.5004 (bia
0013.197b.5004)
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
R2# show ipv6 interface brief
FastEthernet0/0 [up/up]
FE80::213:19FF:FE7B:5004
2000::4:213:19FF:FE7B:5004
FastEthernet0/1 [up/up]
FE80::213:19FF:FE7B:5005
2000:0:0:2::2
Serial0/0/0 [administratively down/down]
unassigned
Serial0/0/1 [up/up]
FE80::213:19FF:FE7B:5004
2000::1:213:19FF:FE7B:5004
Serial0/1/0 [administratively down/down]
unassigned
Serial0/1/1 [administratively down/down]
Unassigned

R2# show ipv6 route
IPv6 Routing Table - Default - 7 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
B - BGP, M - MIPv6, R - RIP, I1 - ISIS L1
I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
EX - EIGRP external
O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2

C 2000:0:0:1::/64 [0/0] via Serial0/0/1, directly connected
L 2000::1:213:19FF:FE7B:5004/128 [0/0] via Serial0/0/1, receive
C 2000:0:0:2::/64 [0/0] via FastEthernet0/1, directly connected
L 2000:0:0:2::2/128 [0/0] via FastEthernet0/1, receive
C 2000:0:0:4::/64 [0/0] via FastEthernet0/0, directly connected
L 2000::4:213:19FF:FE7B:5004/128 [0/0] via FastEthernet0/0, receive
L FF00::/8 [0/0] via Null0, receive

R2# debug ipv6 nd
ICMP Neighbor Discovery events debugging is on

R2# ping ipv6 2000:0:0:2::3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2000:0:0:2::3, timeout is 2
seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/4 ms

R2#
*Sep 2 17:07:25.807: ICMPv6-ND: DELETE -> INCMP: 2000:0:0:2::3
*Sep 2 17:07:25.807: ICMPv6-ND: Sending NS for 2000:0:0:2::3 on
FastEthernet0/1
*Sep 2 17:07:25.807: ICMPv6-ND: Resolving next hop 2000:0:0:2::3
on interface
FastEthernet0/1
*Sep 2 17:07:25.811: ICMPv6-ND: Received NA for 2000:0:0:2::3 on
FastEthernet0/1
from 2000:0:0:2::3
*Sep 2 17:07:25.811: ICMPv6-ND: Neighbour 2000:0:0:2::3 on
FastEthernet0/1 : LLA
0013.197b.6588

R2# undebug all
All possible debugging has been turned off

R2# show ipv6 neighbors
IPv6 Address Age Link-layer Addr State Interface
2000:0:0:2::3 0 0013.197b.6588 REACH Fa0/1
FE80::213:19FF:FE7B:6588 0 0013.197b.6588 REACH Fa0/1

R2# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)# interface fa0/1
R2(config-if)# no ipv6 address
R2(config-if)# ipv6 address autoconfig
R2(config-if)#^Z

R2# show ipv6 interface brief
FastEthernet0/0 [up/up]
FE80::213:19FF:FE7B:5004
2000::4:213:19FF:FE7B:5004
FastEthernet0/1 [up/up]
FE80::213:19FF:FE7B:5005
2000::2:213:19FF:FE7B:5005
Serial0/0/0 [administratively down/down]
unassigned
Serial0/0/1 [up/up]
FE80::213:19FF:FE7B:5004
2000::1:213:19FF:FE7B:5004
Serial0/1/0 [administratively down/down]
unassigned
Serial0/1/1 [administratively down/down]
unassigned

IPv6 Routing Protocols

• IPv6 routing types
– Static
– RIPng (RFC 2080)
– IS-IS for IPv6
– MP-BGP4 (RFC 2545/2858)
– EIGRP for IPv6
– OSPFv3 (RFC 2740)

• The ipv6 unicast-routing command is required to enable IPv6 routing before any routing protocol is configured.

Configuring a static IPv6 route:
(config)#ipv6 unicast-routing
(config)#ipv6 route <prefix/prefix-length> {interface | next-hop-ip}
RIPng (RIP next Generation)
Theory and Comparisons to RIP-2
The RIPng RFC states that the protocol uses many of the same concepts and conventions as the original RIP-1 specification, also drawing on some RIP-2 concepts. However, knowing that many of you might not remember a lot of details about RIP-2, particularly because RIP-2 is included in the CCNA certification rather than CCNP, this section reviews a variety of facts about RIP-2 and RIPng.

The overall operation of RIPng closely matches RIP-2. In both, routers send periodic full updates with all routes, except for routes omitted due to Split Horizon rules. No neighbor relationships occur; the continuing periodic updates, on a slightly variable 30-second period, also serve the purpose of confirming that the neighboring router still works.
The metrics work exactly the same. When a router ceases to see a
route in received updates, ceases to receive updates, or receives a
poisoned (metric 16) route, it reacts to converge, but relatively
slowly compared to EIGRP and OSPF.

Some differences relate specifically to IPv6. First, the update messages themselves list IPv6 prefixes/lengths, rather than subnet/mask. In RIP-1 and RIP-2, RIP encapsulated RIP Update messages inside an IPv4 and UDP header; with IPv6, the encapsulation uses IPv6 packets, again with a UDP header.

The last difference of note is that because IPv6 supports authentication using the IPsec Authentication Header (AH), RIPng does not natively support authentication, instead relying on IPsec.

Configuring RIPng
RIPng uses a new command style for the basic configuration, but most of the optional features and verification commands look much like the commands used for RIP for IPv4.

This section first takes a look at the basic RIPng configuration, accepting as many defaults as possible.

The big difference between RIP-2 and RIPng configuration is that RIPng discards the age-old RIP network command in deference to the ipv6 rip name enable interface subcommand, which enables RIPng on the interface. Another difference relates to the routing of IPv4 and IPv6: IOS routes IPv4 by default (due to a default global configuration command of ip routing), but IOS does not route IPv6 by default (a default of no ipv6 unicast-routing).

Finally, RIPng allows multiple RIPng processes on a single router, so IOS requires that each RIPng process is given a text name that identifies each RIPng process for that one router, another difference compared to RIP-2.
The following list shows the basic configuration steps for RIPng,
including steps to enable IPv6 routing and enabling IPv6 on the
interfaces.

Step 1. Enable IPv6 routing with the ipv6 unicast-routing global command.

Step 2. Enable RIPng using the ipv6 router rip name global
configuration command. The name must be unique on a router but
does not need to match neighboring routers.

Step 3. Enable IPv6 on the interface, typically with one of these two
methods:
Configure an IPv6 unicast address on each interface using the ipv6
address address/prefix-length [eui-64] interface command.
Configure the ipv6 enable command, which enables IPv6 and causes
the router to derive its link local address.

Step 4. Enable RIP on the interface with the ipv6 rip name enable
interface subcommand (where the name matches the ipv6 router rip
name global configuration command).

R1# show running-config
! The output is edited to remove lines not pertinent to this example.
! Next, step 1's task: enable IPv6 routing
ipv6 unicast-routing
!
! Next, on 5 interfaces, steps 3 and 4: configuring an IPv6 address,
! and enable RIPng, process "fred".
interface FastEthernet0/0.1
ipv6 address 2012::1/64
ipv6 rip fred enable
!
interface FastEthernet0/0.2
ipv6 address 2017::1/64
ipv6 rip fred enable
!
interface FastEthernet0/1.18
ipv6 address 2018::1/64
ipv6 rip fred enable
!
interface Serial0/0/0.3
ipv6 address 2013::1/64
ipv6 rip fred enable
!
interface Serial0/0/0.4
ipv6 address 2014::1/64
ipv6 rip fred enable
!
interface Serial0/0/0.5
ipv6 address 2015::1/64
ipv6 rip fred enable
!
! Next, step 2's task, creating the RIPng process named "fred"
ipv6 router rip fred

R3# show ipv6 route rip
IPv6 Routing Table - Default - 19 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
B - BGP, M - MIPv6, R - RIP, I1 - ISIS L1
I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
EX - EIGRP external
O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
R 2005::/64 [120/3]
via FE80::11FF:FE11:1111, Serial0/0/0.1
via FE80::22FF:FE22:2222, Serial0/0/0.2
R 2012::/64 [120/2]
via FE80::11FF:FE11:1111, Serial0/0/0.1
via FE80::22FF:FE22:2222, Serial0/0/0.2
! lines omitted for brevity...
R 2099::/64 [120/3]
via FE80::22FF:FE22:2222, Serial0/0/0.2
via FE80::11FF:FE11:1111, Serial0/0/0.1
! Unlike show ip protocols, show ipv6 protocols displays little info.

R3# show ipv6 protocols
IPv6 Routing Protocol is "connected"
IPv6 Routing Protocol is "rip barney"
Interfaces:
Serial0/0/0.2
Serial0/0/0.1
FastEthernet0/
Integrated Intermediate System-to-Intermediate System
(IS-IS)
• Same as for IPv4
• Extensions for IPv6:
– Two new Type, Length, Value (TLV) attributes:
• IPv6 reachability (with 128-bit prefix) – TLV 236
• IPv6 interface address (with 128 bits) – TLV 232
– New protocol identifier
– Not yet an IETF standard

Multiprotocol Border Gateway Protocol (MP-BGP) (RFC 2858)


Multiprotocol BGP is used to enable BGP4 to carry
information of other protocols than IPv4, for example,
Multiprotocol Label Switching (MPLS) and IPv6.
Multiprotocol extensions for BGP4:
• New identifier for the address family

IPv6 specific extensions:


• Scoped addresses: NEXT_HOP contains a global IPv6
address and potentially a link-local address
(only when there is a link-local reachability with the peer).
• NEXT_HOP and Network Layer Reachability Information
(NLRI) are expressed as IPv6 addresses and prefix in the
multiprotocol attributes.
The following example shows the BGP commands:
RouterA(config)# ipv6 unicast-routing
RouterA(config)# router bgp 65000
RouterA(config-router)# bgp router-id 10.255.255.1
RouterA(config-router)# neighbor 2001:0:1:1:5::4 remote-as 65001
RouterA(config-router)# address-family ipv6 unicast
RouterA(config-router-af)# neighbor 2001:0:1:1:5::4 activate
RouterA(config-router-af)# network 2001:0:1::/48
EIGRP for IPv6
Cisco originally created EIGRP to advertise routes for IPv4, IPX, and
AppleTalk. This original EIGRP architecture easily allowed for yet
another Layer 3 protocol, IPv6, to be added. As a result, Cisco did
not have to change EIGRP significantly to support IPv6, so
many similarities exist between the IPv4 and IPv6 versions of EIGRP.

Note: Many documents, including this chapter, refer to the IPv6
version of EIGRP as EIGRP for IPv6. However, some documents at
www.cisco.com also refer to this protocol as EIGRPv6, not because
it is the sixth version of the protocol, but because it implies a
relationship with IPv6.

As with the previous section "RIP Next Generation (RIPng)," this
section begins with a discussion of the similarities and differences
between the IPv4 and IPv6 versions of EIGRP. The remaining
coverage of EIGRP focuses on the changes to EIGRP configuration
and verification in support of IPv6.

EIGRP for IPv4 and IPv6: Theory and Comparisons

For the most part, EIGRP for IPv4 and for IPv6 have many
similarities. The following list outlines some of the key differences:
■ EIGRP for IPv6 advertises IPv6 prefixes/lengths, rather than IPv4
subnet/mask information.
■ EIGRP for IPv6 uses the neighbor's link-local address as the
next-hop IP address.
■ EIGRP for IPv6 encapsulates its messages in IPv6 packets, rather
than IPv4 packets.
■ Like RIPng and OSPFv3, EIGRP for IPv6 authentication relies on
IPv6's built-in authentication and privacy features.
■ EIGRP for IPv6 has no concept of classful networks, so EIGRP for
IPv6 cannot perform any automatic summarization.
■ EIGRP for IPv6 does not require neighbors to be in the same IPv6
subnet as a requirement to become neighbors.
Other than these differences, most of the details of EIGRP for IPv6
work like EIGRP for IPv4.
EIGRP for IPv6 multicast address (from the figure): FF02::A

Configuring EIGRP for IPv6

EIGRP for IPv6 follows the same basic configuration style as for
RIPng, plus a few additional steps, as follows:
Step 1. Enable IPv6 routing with the ipv6 unicast-routing global
command.
Step 2. Enable EIGRP using the ipv6 router eigrp {1 - 65535} global
configuration command.
Step 3. Enable IPv6 on the interface, typically with one of these two
methods:
– Configure an IPv6 unicast address on each interface, using the
ipv6 address address/prefix-length [eui-64] interface command.
– Configure the ipv6 enable command, which enables IPv6 and
causes the router to derive its link-local address.
Step 4. Enable EIGRP on the interface with the ipv6 eigrp asn
interface subcommand (where the asn matches the ipv6 router
eigrp asn global configuration command).
Step 5. Enable EIGRP for IPv6 with a no shutdown command while in
EIGRP configuration mode.
Step 6. If no EIGRP router ID has been automatically chosen, due to
not having at least one working interface with an IPv4 address,
configure an EIGRP router ID with the eigrp router-id rid command in
EIGRP configuration mode.
R1# show running-config
! output is edited to remove lines not pertinent to this example
! Configuration step 1: enabling IPv6 routing
ipv6 unicast-routing
! Next, configuration steps 3 and 4, on 5 different interfaces
interface FastEthernet0/0.1
ipv6 address 2012::1/64
ipv6 eigrp 9
!
interface FastEthernet0/0.2
ipv6 address 2017::1/64
ipv6 eigrp 9
!
interface FastEthernet0/1.18
ipv6 address 2018::1/64
ipv6 eigrp 9
!
interface Serial0/0/0.3
ipv6 address 2013::1/64
ipv6 eigrp 9
!
interface Serial0/0/0.4
ipv6 address 2014::1/64
ipv6 eigrp 9
!
interface Serial0/0/0.5
ipv6 address 2015::1/64
ipv6 eigrp 9
!
! Configuration steps 2, 5, and 6
ipv6 router eigrp 9
no shutdown
eigrp router-id 10.10.34.3

R3# show ipv6 route eigrp
D 2005::/64 [90/2684416]
via FE80::11FF:FE11:1111, Serial0/0/0.1
via FE80::22FF:FE22:2222, Serial0/0/0.2
D 2012::/64 [90/2172416]
via FE80::22FF:FE22:2222, Serial0/0/0.2
via FE80::11FF:FE11:1111, Serial0/0/0.1
D 2014::/64 [90/2681856]
via FE80::11FF:FE11:1111, Serial0/0/0.1
D 2015::/64 [90/2681856]
via FE80::11FF:FE11:1111, Serial0/0/0.1
! lines omitted for brevity...
D 2099::/64 [90/2174976]
via FE80::22FF:FE22:2222, Serial0/0/0.2
via FE80::11FF:FE11:1111, Serial0/0/0.1

! show ipv6 protocols displays less info than its IPv4 cousin.
R3# show ipv6 protocols
IPv6 Routing Protocol is "eigrp 9"
EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
EIGRP maximum hopcount 100
EIGRP maximum metric variance 1
Interfaces:
FastEthernet0/0
Serial0/0/0.1
Serial0/0/0.2
Redistribution:
None
Maximum path: 16
Distance: internal 90 external 170

R3# show ipv6 eigrp neighbors
IPv6-EIGRP neighbors for process 9
H  Address               Interface  Hold  Uptime    SRTT  RTO  Q  Seq
1  Link-local address:   Se0/0/0.2  14    01:50:51  3     200  0  82
   FE80::22FF:FE22:2222
R3# show ipv6 eigrp topology
IPv6-EIGRP Topology Table for AS(9)/ID(10.10.34.3)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status
P 2005::/64, 2 successors, FD is 2684416
via FE80::11FF:FE11:1111 (2684416/2172416), Serial0/0/0.1
via FE80::22FF:FE22:2222 (2684416/2172416), Serial0/0/0.2
P 2012::/64, 2 successors, FD is 2172416
via FE80::11FF:FE11:1111 (2172416/28160), Serial0/0/0.1
via FE80::22FF:FE22:2222 (2172416/28160), Serial0/0/0.2
P 2013::/64, 1 successors, FD is 2169856
via Connected, Serial0/0/0.1
! lines omitted for brevity
P 2099::/64, 2 successors, FD is 2174976
via FE80::11FF:FE11:1111 (2174976/30720), Serial0/0/0.1
via FE80::22FF:FE22:2222 (2174976/30720), Serial0/0/0.2
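To see where the (FD/RD) pairs in the topology table above come from, here is an added Python example (not from the course text) that recomputes them with the K values shown by show ipv6 protocols (K1=K3=1, the rest 0) and checks the feasibility condition. It assumes IOS default bandwidth/delay for a T1 serial link (1544 kbps / 20000 µs) and for FastEthernet (100000 kbps / 100 µs); those interface values are not stated on the page.

```python
"""EIGRP composite metric, as printed by 'show ipv6 eigrp topology'.

Recomputes the FD/RD pairs of R3's topology table from the classic
EIGRP formula with the K values shown by 'show ipv6 protocols'
(K1=1, K2=0, K3=1, K4=0, K5=0):  metric = 256 * (10^7 / min_bw + sum_delay / 10).
Link bandwidths and delays below are ASSUMED IOS defaults, not page values.
"""
from dataclasses import dataclass
from typing import Iterable, List, Sequence, Tuple


@dataclass(frozen=True)
class Link:
    name: str
    bandwidth_kbps: int   # what 'show interfaces' reports as BW
    delay_usec: int       # what 'show interfaces' reports as DLY, in microseconds


# Assumed IOS interface defaults (assumption, not from the page).
SERIAL_T1 = Link("Serial (T1)", 1544, 20_000)
FAST_ETHERNET = Link("FastEthernet", 100_000, 100)


def eigrp_metric(path: Sequence[Link], k1: int = 1, k3: int = 1) -> int:
    """Composite metric of a path when only K1 (bandwidth) and K3 (delay) are set.

    IOS truncates 10^7 / min-bandwidth to an integer and counts delay in
    tens of microseconds; 256 is the classic EIGRP scaling factor.
    """
    if not path:
        raise ValueError("a path needs at least one link")
    bw_term = 10_000_000 // min(link.bandwidth_kbps for link in path)
    delay_term = sum(link.delay_usec for link in path) // 10
    return 256 * (k1 * bw_term + k3 * delay_term)


def advertised_pair(neighbor_path: Sequence[Link], local_link: Link) -> Tuple[int, int]:
    """Return (FD, RD) as the topology table prints them: 'via <neighbor> (FD/RD)'.

    RD is the metric the neighbor advertises for the prefix (its own path);
    FD is that path extended by the link between this router and the neighbor.
    """
    rd = eigrp_metric(neighbor_path)
    fd = eigrp_metric([local_link, *neighbor_path])
    return fd, rd


def is_feasible_successor(candidate_rd: int, best_fd: int) -> bool:
    """Feasibility condition: the candidate's RD must be strictly below the best FD."""
    return candidate_rd < best_fd


def classify(entries: Iterable[Tuple[str, int, int]]) -> Tuple[List[str], List[str]]:
    """Split (neighbor, fd, rd) entries into successors and feasible successors.

    Successors share the lowest FD (that is why the table says '2 successors'
    for equal-cost paths); the other entries are feasible successors only if
    they pass the feasibility condition, which guarantees a loop-free backup.
    """
    entries = list(entries)
    best_fd = min(fd for _, fd, _ in entries)
    successors = [n for n, fd, _ in entries if fd == best_fd]
    feasible = [n for n, fd, rd in entries
                if fd != best_fd and is_feasible_successor(rd, best_fd)]
    return successors, feasible


if __name__ == "__main__":
    # 2012::/64 as seen by R3: the neighbor is directly attached to that LAN
    # (RD covers FastEthernet only); R3 reaches the neighbor over a serial link.
    print("2012::/64:", advertised_pair([FAST_ETHERNET], SERIAL_T1))
    # 2005::/64: the neighbor is itself one serial hop away from the LAN.
    print("2005::/64:", advertised_pair([SERIAL_T1, FAST_ETHERNET], SERIAL_T1))
    # 2013::/64 is connected on R3's own serial subinterface.
    print("2013::/64 connected:", eigrp_metric([SERIAL_T1]))
    equal_cost = [("FE80::11FF:FE11:1111", 2684416, 2172416),
                  ("FE80::22FF:FE22:2222", 2684416, 2172416)]
    print("2005::/64 successors / feasible successors:", classify(equal_cost))
```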

How OSPF for IPv6 Works
• Similar to IPv4
• Same mechanisms, but a major rewrite of the internals of the
protocol.
• Updated features for IPv6
• OSPF for IPv6 is currently an IETF proposed standard
• OSPF is a routing protocol for IP. It is a link-state protocol, as
opposed to a distance vector protocol. Think of a link as being an
interface on a networking device. A link-state protocol makes its
routing decisions based on the states of the links that connect
source and destination machines.
• The state of a link is a description of that interface and its
relationship to its neighboring networking devices. The interface
information includes the IPv6 prefix of the interface, the network
mask, the type of network that it is connected to, the routers
connected to that network, and so on.
• This information is propagated in various types of link-state
advertisements (LSAs). A collection of LSA data on a router is stored
in a link-state database (LSDB). The contents of the database, when
subjected to Dijkstra's algorithm, result in the creation of the OSPF
routing table.
• The difference between the database and the routing table is that
the database contains a complete collection of raw data; the routing
table contains a list of shortest paths to known destinations via
specific router interface ports.

OSPFv3, which is described in RFC 2740, supports IPv6.
OSPFv3: Hierarchical Structure
• Topology of an area is invisible from outside of the area:
– LSA flooding is bounded by area.
– SPF calculation is performed separately for each area.
• Backbones must be contiguous.
• All areas must have a connection to the backbone:
– Otherwise a virtual link must be used to connect to the backbone.

OSPFv3: Messages
• OSPFv3 uses the same basic packet types as OSPFv2:
– Hello
– Database description (DBD)
– Link state request (LSR)
– Link state update (LSU)
– Link state acknowledgment (ACK)
– Neighbor discovery and adjacency formation mechanisms are identical.
– RFC-compliant NBMA and point-to-multipoint topology modes are
supported. Also supports other modes from Cisco, such as
point-to-point and broadcast, including the interface.
– LSA flooding and aging mechanisms are identical.
Enhanced Routing Protocol Support: Differences from OSPFv2
– OSPF packet type
OSPFv3 has the same five packet types, but some fields have been
changed.
All OSPFv3 packets have a 16-byte header vs. the 24-byte header in
OSPFv2.
OSPFv3 vs OSPFv2
1- OSPFv3 uses IPv6 link-local addresses to identify the OSPFv3
adjacency neighbors.

2- OSPFv2 does not define or allow for multiple instances per link,
although similar functionality could be furnished by other
mechanisms, such as subinterfaces. OSPFv3 has explicit support for
instances through the instance field.
• This structure allows separate autonomous systems, each running
OSPF, to use a common link. A single link could belong to multiple
areas.
• Instance ID is a new field that is used to allow multiple OSPFv3
protocol instances per link.
• In order to have two instances talk to each other, they need to
have the same instance ID. By default, it is 0, and for any
additional instance it is increased.

3- Security and authentication
• OSPFv3 uses the IPv6 AH and ESP extension headers instead of the
variety of mechanisms defined in OSPFv2.

4- Multicast addresses:
• FF02::5 represents all SPF routers on the link-local scope;
equivalent to 224.0.0.5 in OSPFv2.
• FF02::6 represents all DR routers on the link-local scope;
equivalent to 224.0.0.6 in OSPFv2.

5- Removal of address semantics
• IPv6 addresses are no longer present in the OSPF packet header
(they are part of the payload information).
• Router LSAs and network LSAs do not carry IPv6 addresses.
• Router ID, area ID, and link-state ID remain at 32 bits.
• DR and BDR are now identified by their router ID and not by their
IP address.
LSA Types for IPv6

LSA Function              LSA Type   Code
Router LSA                1          0x2001
Network LSA               2          0x2002
Interarea prefix LSA      3          0x2003
Interarea router LSA      4          0x2004
AS external LSA           5          0x2005
Group membership LSA      6          0x2006
Type 7 LSA                7          0x2007
Link-LSA                  8          0x2008
Intra-area prefix LSA     9          0x2009

OSPFv3 LSA features include the following:
• The LSA is composed of a router ID, area ID, and link-state ID.
They are each 32 bits and are not derived from an IPv4 address.
• Router LSAs and network LSAs contain only 32-bit IDs. They do not
contain prefixes.
• LSAs have flooding scopes that define a diameter that they should
be flooded to:
– Link local: Flood all routers on the link.
– Area: Flood all routers within an OSPF area.
– Autonomous system (AS): Flood all routers within the entire
OSPF AS; useful in an NSSA.
The two renamed LSAs are as follows:
• Interarea prefix LSAs for area border routers (ABRs) (type 3):
Type 3 LSAs advertise internal networks to routers in other areas
(interarea routes). Type 3 LSAs may represent a single network
or a set of networks summarized into one advertisement. Only
ABRs generate summary LSAs. In OSPF for IPv6, addresses for
these LSAs are expressed as prefix, prefix length instead of
address, mask. The default route is expressed as a prefix with
length 0.
• Interarea router LSAs for autonomous system boundary
routers (ASBRs) (type 4):
Type 4 LSAs advertise the location of an ASBR. Routers that are
trying to reach an external network use these advertisements to
determine the best path to the next hop. ASBRs generate type 4
LSAs.

The two new LSAs in IPv6 are as follows:
• Link LSAs (type 8): Type 8 LSAs have link-local flooding
scope and are never flooded beyond the link with which they are
associated. Link LSAs provide the link-local address of the router
to all other routers attached to the link, inform other routers
attached to the link of a list of IPv6 prefixes to associate with the
link, and allow the router to assert a collection of options bits to
associate with the network LSA that will be originated for the link.
• Intra-area prefix LSAs (type 9): A router can originate multiple
intra-area prefix LSAs for each router or transit network, each with
a unique link-state ID. The link-state ID for each intra-area prefix
LSA describes its association to either the router LSA or the
network LSA. The link-state ID also contains prefixes for stub and
transit networks.
* Type 3 and type 9 LSAs carry all IPv6 prefix information,
which, in IPv4, is included in router LSAs and network LSAs.
OSPFv3 Configuration

To configure OSPFv3, first enable IPv6, and then enable OSPFv3
and specify a router ID, using the following commands:
Router(config)# ipv6 unicast-routing
Router(config)# ipv6 router ospf process-id
Enables an OSPF process on the router. The process-id parameter
identifies a unique OSPFv3 process. This command is used on a
global basis.

Router(config-rtr)# router-id router-id
For an IPv6-only router, a router ID parameter must be defined in
the OSPFv3 configuration as an IPv4 address using the router-id
router-id command. You can use any IPv4 address as the router ID
value.

Router(config-if)# ipv6 ospf process-id area area-id [instance instance-id]
Enables OSPF for IPv6 on an interface.

• Configuring an area range (manual summary):
Router(config-rtr)# area area-id range prefix/prefix-length [advertise | not-advertise] [cost cost]

• Showing the new LSAs:
show ipv6 ospf [process-id] database link
show ipv6 ospf [process-id] database prefix
Example:
(config)# ipv6 unicast-routing
(config)# ipv6 router ospf 1
(config-rtr)# router-id 2.2.2.2
(config-rtr)# area 1 range 2001:0DB8::/48
(config)# interface Ethernet0/0
(config-if)# ipv6 address 3FFE:FFFF:1::1/64
(config-if)# ipv6 ospf 1 area 0
(config-if)# ipv6 ospf priority 20
The priority number is used in the designated router election.
(config-if)# ipv6 ospf cost 20
The cost of sending a packet on the interface, expressed in the
link-state metric.

The cost of the summarized route will be the highest cost of the
routes being summarized. For example, if the following routes are
summarized:

OI 2001:0DB8:0:0:7::/64 [110/20]
via FE80::A8BB:CCFF:FE00:6F00, Ethernet0/0
OI 2001:0DB8:0:0:8::/64 [110/100]
via FE80::A8BB:CCFF:FE00:6F00, Ethernet0/0
OI 2001:0DB8:0:0:9::/64 [110/20]
via FE80::A8BB:CCFF:FE00:6F00, Ethernet0/0

They become one summarized route:

OI 2001:0DB8::/48 [110/100]
via FE80::A8BB:CCFF:FE00:6F00, Ethernet0/0
OSPFv3 Configuration Example
Router1#
interface S1/1
 ipv6 address 2001:410:FFFF:1::1/64
 ipv6 ospf 100 area 0

interface S2/0
 ipv6 address 3FFE:B00:FFFF:1::2/64
 ipv6 ospf 100 area 1

ipv6 router ospf 100
 router-id 10.1.1.3

Router2#
interface S3/0
 ipv6 address 3FFE:B00:FFFF:1::1/64
 ipv6 ospf 100 area 1

ipv6 router ospf 100
 router-id 10.1.1.4
Verifying OSPFv3
Router2#show ipv6 ospf int s 3/0
S3/0 is up, line protocol is up
Link Local Address 3FFE:B00:FFFF:1::1, Interface ID 7
Area 1, Process ID 100, Instance ID 0, Router ID 10.1.1.4
Network Type POINT_TO_POINT, Cost: 1
Transmit Delay is 1 sec, State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40,
Retransmit 5
Hello due in 00:00:02
Index 1/1/1, flood queue length 0
Next 0x0(0)/0x0(0)/0x0(0)
Last flood scan length is 3, maximum is 3
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 10.1.1.3
Suppress hello for 0 neighbor(s)
Router2#show ipv6 ospf neighbor detail
Neighbor 10.1.1.3
In the area 0 via interface S2/0
Neighbor: interface-id 14, link-local address
3FFE:B00:FFFF:1::2
Neighbor priority is 1, State is FULL, 6 state changes
Options is 0x63AD1B0D
Dead timer due in 00:00:33
Neighbor is up for 00:48:56
Index 1/1/1, retransmission queue length 0, number of
retransmission 1
First 0x0(0)/0x0(0)/0x0(0) Next 0x0(0)/0x0(0)/0x0(0)
Last retransmission scan length is 1, maximum is 1
Last retransmission scan time is 0 msec, maximum is 0 msec

R3# show ipv6 ospf database database-summary

Area 0 database summary
LSA Type            Count  Delete  Maxage
Router              3      0       0
Network             0      0       0
Link                3      0       0
Prefix              3      0       0
Inter-area Prefix   6      0       0
Inter-area Router   0      0       0
Type-7 External     0      0       0
Subtotal            15     0       0

Process 1 database summary
LSA Type            Count  Delete  Maxage
Router              7      0       0
Network             1      0       0
Link                7      0       0
Prefix              8      0       0
Inter-area Prefix   14     0       0
Inter-area Router   2      0       0
Type-7 External     0      0       0
Type-5 Ext          3      0       0
Total               42     0       0
#show ipv6 ospf database

            Router Link States (Area 1)

ADV Router   Age   Seq#        Fragment ID  Link count  Bits
26.50.0.1    1812  0x80000048  0            1           None
26.50.0.2    1901  0x80000006  0            1           B

            Net Link States (Area 1)

ADV Router   Age   Seq#        Link ID  Rtr count
26.50.0.1    57    0x8000003B  3        4

            Inter-Area Prefix Link States (Area 1)

ADV Router   Age   Seq#        Prefix
26.50.0.2    139   0x80000003  3FFE:FFFF:26::/64
26.50.0.2    719   0x80000001  3FFE:FFF:26::/64

            Inter-Area Router Link States (Area 1)

ADV Router   Age   Seq#        Link ID     Dest RtrID
26.50.0.2    772   0x80000001  1207959556  72.0.0.4
26.50.0.4    5     0x80000003  1258292993  75.0.7.1

            Link (Type-8) Link States (Area 1)

ADV Router   Age   Seq#        Link ID  Interface
26.50.0.1    1412  0x80000031  3        Fa0/0
26.50.0.2    238   0x80000003  3        Fa0/0

            Intra-Area Prefix Link States (Area 1)

ADV Router   Age   Seq#        Link ID  Ref-lstype  Ref-LSID
26.50.0.1    1691  0x8000002E  0        0x2001      0
26.50.0.1    702   0x80000031  1003     0x2002      3
26.50.0.2    1797  0x80000002  0        0x2001      0

            Type-5 AS External Link States

ADV Router   Age   Seq#        Prefix
72.0.0.4     287   0x80000028  3FFE:FFFF:A::/64
72.0.0.4     38    0x80000027  3FFE:FFFF:78::/64
75.0.7.1     162   0x80000007  3FFE:FFFF:8::/64
IPv6 IGP Redistribution
IPv6 routing protocols can perform route redistribution, much like IPv4
route redistribution. The following list summarizes some of the key
similarities between IPv4 and IPv6 route redistribution:
■ Redistribution takes routes from the IP routing table, not from the
topology tables and databases controlled by the source routing protocol.
■ Route maps can be applied when redistributing for the purpose of
filtering routes, setting metrics, and setting route tags.
■ The same basic mechanisms exist in IPv6 to defeat routing loop
problems: administrative distance, route tags, and filtering.
■ The routing protocols use the same default administrative distance (AD)
settings for internal and external routes.
■ The redistribution configuration uses practically the same syntax with
the same commands.

Some differences do exist, both in configuration and in concept, as
follows:
■ Any matching done with distribution lists or route maps would use IPv6
prefix lists and IPv6 ACLs, which match based on IPv6 prefix and length.
■ The IPv6 version of the redistribute command takes only routes learned
from an IGP but by default does not take connected routes on
interfaces enabled for that IGP. To also redistribute those connected
routes, the redistribute command must include the include-connected
parameter. When an IPv4 routing protocol redistributes from an IGP, it
always attempts to take both the IGP-learned routes and the connected
routes for interfaces enabled for that IGP.
■ Unlike OSPFv2, OSPFv3 does not require a subnets parameter on the
redistribute command, because IPv6 does not maintain the IPv4 concept
of classful networks and the subnets inside those classful networks.
Configuration without a route map:
R2(config)# ipv6 router rip left
R2(config-rtr)# redistribute ospf 5 include-connected

Configuration with a route map:
R2# show run
ipv6 router ospf 5
 router-id 2.2.2.2
 redistribute rip left route-map only-RIP-lan include-connected
!
ipv6 router rip left
 redistribute ospf 5 metric 3 include-connected
!
ipv6 prefix-list rip-to-ospf seq 5 permit 2000::/64
ipv6 prefix-list rip-to-ospf seq 10 permit 2000:0:0:4::/64
!
route-map only-RIP-lan permit 10
 match ipv6 address prefix-list rip-to-ospf
 set metric 200

First, the configuration shows an IPv6 prefix list and a route map that uses
a match ipv6 command that refers to the prefix list. The route map
matches the two LAN subnets in the RIP domain with the first route map
clause and sets the metric to 200. The implied deny clause at the end of
the route map matches all other routes, which makes R2 filter all other
routes from being redistributed into OSPF. As a result, the serial IPv6
subnet, 2000:0:0:1::/64, is filtered by the redistribution process. The show
ipv6 route ospf command on R3 will confirm that R3 learned routes for
both LAN subnets in the RIP domain but no other routes. Of particular
interest, note that OSPFv3 lists the route as OSPF external Type 2,
because just like OSPFv2, OSPFv3 defaults to redistribute routes as
external Type 2 routes. Note also that the output lists metrics for each
route as 200, because R2 set the metric to 200, and OSPF does not add
anything to the metric of E2 routes.
H- Transition richness to IPv6:

• Transition richness means:
– No fixed day to convert, no need to convert all at once
– Different transition mechanisms are available
• Use of dual stack or 6to4 tunnels
– Different compatibility mechanisms
• IPv4 and IPv6 nodes can communicate.

1) By using dual stack, with both IPv4 and IPv6 configured on the
interface of a network device.

2) 6to4 tunneling or "IPv6 over IPv4":
Encapsulate the IPv6 packet into an IPv4 packet.
Tunneling reserved address (2002::).

3) NAT-PT (NAT-Protocol Translation)

Tunneling
Tunneling refers to a process by which one router or host
encapsulates the IPv6 packet inside an IPv4 packet.
The networking devices forward the IPv4 packet, ignoring the fact
that the packet's payload is an IPv6 packet. Some later device or
host decapsulates the original IPv6 packet, forwarding it on to the
final destination.

This section begins by examining the concepts behind IPv6
tunneling. Then the text more closely examines the two main
categories of tunnels: point-to-point tunnels and multipoint
tunnels.

Point-to-Point IPv6 Tunnels

Some tunnels use a point-to-point concept, whereas others use a
multipoint concept. For point-to-point, two devices (and only two)
sit at the ends of the tunnel, as did routers R1 and R3 in the
figure. These point-to-point tunnels work like a virtual
point-to-point serial link.

To create the tunnel shown in the figure, each router configures a
type of virtual interface called a tunnel interface. The configuration
associated with the tunnel interfaces tells IOS the encapsulation
details (tunnel mode); R1 uses tunnel interface 0, and R3 uses
tunnel interface 3. The tunnel interface numbers can be any
integer (up into the low billions), much like choosing loopback
interface numbers.
The two routers on the ends of the tunnel treat the tunnel
interfaces like serial interfaces on a point-to-point serial link, at
least from a Layer 3 forwarding perspective. For example, to
support IPv6, the engineer would actually enable IPv6 on the
tunnel interfaces and configure a routing protocol so that it runs
over the tunnel interfaces.

Point-to-Multipoint IPv6 Tunnels

Multipoint IPv6 tunnels allow the sending router (the "point", if
you will) to use a single tunnel interface to send packets to
multiple remote routers. In some ways, a multipoint tunnel works
much like a LAN, or even more like a Non-Broadcast Multi-Access
(NBMA) network like Frame Relay. Multipoint tunnels still
encapsulate the IPv6 packets, but they need additional logic so
that the sending router (the "point") knows to which of several
remote routers (the "multipoints") to send the encapsulating
IPv4 packet.
The biggest leap in logic from point-to-point tunnels to
point-to-multipoint tunnels is the logic in how a router chooses
which of the many remote tunnel endpoints should receive a
particular packet. Multipoint tunnels rely on either the IPv6
packet's destination address, or next-hop information in the IPv6
routing table, to determine which of the multiple remote devices
should receive a given packet. This decision happens dynamically
on the sending router. In some cases, this dynamic decision process
can result in less configuration when adding a new member of the
multipoint group.

In all types of multipoint IPv6 tunnels, the tunneling process starts
when the router receives an IPv6 packet and then tries to route
that packet out the multipoint tunnel interface.

This action triggers the logic by which the source router
determines how to forward the IPv6 packet, inside an IPv4
packet, to the correct router.
In this case, R1 acts as the point, the encapsulating router
that must dynamically decide to what IPv4 address to
encapsulate and send the IPv6 packet.
The figure illustrates the following steps:
Step 1. R1 receives an IPv6 packet in its LAN interface and
decides that the packet should be forwarded out its multipoint
tunnel interface.
Step 2. R1 analyzes the destination IPv6 address, deriving the
tunnel endpoint's IPv4 address (in this case, R9's IPv4 address).
Step 3. R1 builds an IPv4 packet header, with its own address as
source address and using R9's IPv4 address as the destination
(as derived at Step 2).
Step 4. R1 puts the original IPv6 packet into the new IPv4 packet

Tunneling IPv6 over IPv4
A tunnel serves as a virtual point-to-point link between IPv6 domains. It
doesn't matter what the underlying IPv4 structure is if there is IP
reachability between the tunnel endpoints. This exam covers five ways to
tunnel IPv6 over IPv4:
- Manual tunnels
- GRE tunnels
- 6to4 tunnels
- IPv4-compatible IPv6 tunnels
- Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)

Manual Tunnels
When you manually create the tunnel, the source and destination IP
addresses are IPv4 addresses because IPv4 is the transport protocol. You
might want to use loopback addresses for increased stability. IPv6
addresses go on the tunnel interfaces because IPv6 is the passenger
protocol. Because IPv6 considers the tunnel a point-to-point link, the
address of each end of the tunnel is in the same subnet. Include the
command tunnel mode ipv6ip in tunnel configuration mode to enable
IPv6-over-IP encapsulation.

GRE Tunnels
GRE is the default tunnel mode for Cisco routers. It provides
more flexibility because it is protocol-agnostic. It can carry
multiple protocols and can use multiple protocols for its transport,
including IPv6 and routing protocols.
Configuring an IPv4 GRE tunnel to carry IPv6 traffic is the same
as configuring a manual tunnel except you do not have
to specify the tunnel mode because GRE is the default. You can
allow a routing protocol on the tunnel interface, too. The
process is the same as enabling it on a physical interface.
To configure a completely IPv6 GRE tunnel, use IPv6 interface
addresses as the tunnel source and destination. Give the tunnel
endpoints IPv6 addresses, too. You need a command to identify
that the transport protocol is IPv6. That command, given in tunnel
configuration mode, is tunnel mode gre ipv6.

6to4 Tunnels
This technique dynamically creates tunnels that IPv6 considers
point-to-multipoint interfaces. You use the reserved prefix
2002::/16 in your IPv6 domain and then add the IPv4 address of
the dual-stack router on the other side of the IPv4 domain as the
next 32 bits of the network address. This means you need to
translate that IP address into hexadecimal.
When IPv6 traffic arrives at an edge dual-stack router with a
destination IPv6 prefix of 2002::/16, the router looks at the
first 48 bits, derives the embedded IPv4 address from them, and
uses it to determine the packet destination. The router then
encapsulates the IPv6 packet in an IPv4 packet with the extracted
IPv4 address as the packet destination.
Configure a tunnel as before, using IPv4 addresses as the
source, but do not manually specify a destination. Give the
tunnel an IPv6 address as previously described, with the tunnel
destination embedded in its prefix. The tunnel mode command is
tunnel mode ipv6ip 6to4.
Each router needs a route to its peer on the other side of the IPv4
network. The only current options for this are static routes and
BGP.

IPv4-Compatible IPv6 Tunnels

This type has been deprecated. It encodes the IPv4 address of
the tunnel source in the lowest 32 bits of the IPv6 tunnel address
and then pads the rest of the bits with zeros. It uses the tunnel
mode command tunnel mode ipv6ip auto-tunnel.

6to4 tunnel configuration example:

ipv6 unicast-routing
!
interface Loopback1
ip address 10.9.9.1 255.255.255.255
!
interface Tunnel0
no ip address
ipv6 address 2002:a09:901::/128
tunnel source Loopback1
tunnel mode ipv6ip 6to4
!
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
ipv6 address 2002:A09:901:1::1/64
!
ipv6 route 2002::/16 Tunnel0

ISATAP Tunnels
ISATAP tunnels are similar to the other two tunnel techniques in
that an IPv4 address is encoded into the IPv6 address.
It is meant to be used within a site, between hosts and routers,
although it can be used between sites.
The tunnel source address is an IPv4 address. Do not specify a
tunnel destination. The IPv6 address of the tunnel itself
combines the network prefix, 0000:5EFE, and the 32-bit IPv4
tunnel source address. The IPv4 address is encoded into the
least significant 32 bits of the address. You can use any network
prefix. The tunnel interface link-local address still starts with FE80
and then uses 0000:5EFE plus the encoded IPv4 address.
For instance, the link-local address of a tunnel that uses 10.8.8.8
as its source is FE80::5EFE:A08:808.
The unicast IPv6 address of that same tunnel interface, assuming
that prefix 2001:1:2:3::/64 was assigned to the interface, is
2001:1:2:3:0:5EFE:A08:808. ISATAP tunnels do not support
multicast. A route is needed to the tunnel destination if it is in a
different subnet; this can be either a static route or a BGP route.

ISATAP tunnel configuration example:
R1# show running-config
ipv6 unicast-routing
interface Loopback1
ip address 10.9.9.1 255.255.255.255
interface Tunnel9
no ip address
ipv6 address 2000:0:1:9::/64 eui-64
tunnel source Loopback1
tunnel mode ipv6ip isatap
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
ipv6 address 2000:0:1:1::1/64
ipv6 route 2000:0:1:3::/64 2000:0:1:9:0:5EFE:A09:903
ipv6 route 2000:0:1:4::/64 2000:0:1:9:0:5EFE:A09:904

R3# show running-config
! only relevant portions shown
ipv6 unicast-routing
interface Loopback3
ip address 10.9.9.3 255.255.255.255
interface Tunnel9
no ip address
ipv6 address 2000:0:1:9::/64 eui-64
tunnel source Loopback3
tunnel mode ipv6ip isatap
interface FastEthernet0/1
ip address 10.1.3.3 255.255.255.0
ipv6 address 2000:0:1:3::3/64
ipv6 route 2000:0:1:1::/64 2000:0:1:9:0:5EFE:A09:901
ipv6 route 2000:0:1:4::/64 2000:0:1:9:0:5EFE:A09:904
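The 6to4 and ISATAP address derivations described in the two preceding sections (2002:<IPv4 in hex>::/48, and 0000:5EFE:<IPv4> in the low 64 bits), worked through in Python as an added example that is not part of the course or of IOS: it builds the addresses used in the two configuration examples above and recovers the IPv4 tunnel endpoint the way the encapsulating router does. The sample values are the ones printed on this page (10.9.9.1, 10.8.8.8, 10.9.9.3, 2001:1:2:3::/64); nothing is sent on a network.

```python
"""6to4 and ISATAP address encoding, as used by 'tunnel mode ipv6ip 6to4/isatap'.

Pure address arithmetic with the standard library: derive the tunnel and LAN
addresses of the 6to4 and ISATAP examples on this page, and extract the IPv4
tunnel destination that the point-to-multipoint router computes per packet.
"""
from ipaddress import IPv4Address, IPv6Address, IPv6Network

SIX_TO_FOUR = IPv6Network("2002::/16")      # reserved 6to4 prefix
LINK_LOCAL = IPv6Network("fe80::/64")
# Upper 32 bits of an ISATAP interface identifier.  The page's examples use
# private (RFC 1918) IPv4 addresses, for which the identifier is 0000:5EFE.
ISATAP_IID_HIGH = 0x0000_5EFE


def six_to_four_prefix(ipv4: str) -> IPv6Network:
    """Site prefix 2002:<IPv4>::/48 derived from the dual-stack router's IPv4 address.

    Bits 0-15 are 0x2002, bits 16-47 carry the IPv4 address, and the remaining
    16 bits of a /64 are left for subnetting inside the site.
    """
    v4 = int(IPv4Address(ipv4))
    return IPv6Network((int(SIX_TO_FOUR.network_address) | (v4 << 80), 48))


def six_to_four_endpoint(destination: str) -> IPv4Address:
    """IPv4 tunnel destination a 6to4 edge router reads out of a 2002::/16 destination.

    Raises ValueError for any other destination: the router has no embedded
    endpoint to encapsulate to, so such a packet cannot use the 6to4 tunnel.
    """
    dst = IPv6Address(destination)
    if dst not in SIX_TO_FOUR:
        raise ValueError(f"{destination} is not a 6to4 address; no IPv4 endpoint embedded")
    return IPv4Address((int(dst) >> 80) & 0xFFFF_FFFF)


def isatap_iid(ipv4: str) -> int:
    """64-bit ISATAP interface identifier 0000:5EFE:<IPv4>."""
    return (ISATAP_IID_HIGH << 32) | int(IPv4Address(ipv4))


def isatap_address(prefix: str, ipv4: str) -> IPv6Address:
    """Unicast ISATAP address: a /64 prefix plus the 0000:5EFE:<IPv4> identifier.

    This is what 'ipv6 address <prefix>/64 eui-64' yields on an ISATAP tunnel
    whose 'tunnel source' resolves to the given IPv4 address.
    """
    net = IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a /64 prefix so the identifier fills the low 64 bits")
    return IPv6Address(int(net.network_address) | isatap_iid(ipv4))


def isatap_link_local(ipv4: str) -> IPv6Address:
    """Link-local address of the ISATAP tunnel interface: FE80::5EFE:<IPv4>."""
    return IPv6Address(int(LINK_LOCAL.network_address) | isatap_iid(ipv4))


def isatap_endpoint(next_hop: str) -> IPv4Address:
    """IPv4 tunnel destination recovered from an ISATAP next hop (low 32 bits).

    Unlike 6to4, ISATAP takes the endpoint from the next-hop address in the
    IPv6 routing table (the static routes in the example), not from the
    packet's destination.
    """
    nh = int(IPv6Address(next_hop))
    if (nh >> 32) & 0xFFFF_FFFF != ISATAP_IID_HIGH:
        raise ValueError(f"{next_hop} does not carry the 0000:5EFE ISATAP identifier")
    return IPv4Address(nh & 0xFFFF_FFFF)


if __name__ == "__main__":
    # 6to4 example: Loopback1 10.9.9.1 -> tunnel address 2002:a09:901::/128 and LAN 2002:A09:901:1::/64
    print("6to4 site prefix for 10.9.9.1:", six_to_four_prefix("10.9.9.1"))
    print("endpoint for 2002:A09:901:1::1:", six_to_four_endpoint("2002:A09:901:1::1"))
    # ISATAP example: link-local and unicast addresses for a 10.8.8.8 tunnel source
    print("ISATAP link-local:", isatap_link_local("10.8.8.8"))
    print("ISATAP unicast:", isatap_address("2001:1:2:3::/64", "10.8.8.8"))
    # Next hop of 'ipv6 route 2000:0:1:3::/64 2000:0:1:9:0:5EFE:A09:903' on R1 -> R3's Loopback3
    print("R3 tunnel endpoint:", isatap_endpoint("2000:0:1:9:0:5EFE:A09:903"))
```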
The End
Finally, I would like to thank all of my beloved
friends who read this book, and I hope you all
get the full benefit from this training. You are
the future; please make our future reach its
best. Don't forget our famous rule "one is none,
two are one"; with respect we will all be
together over the top.
Always remember me with the best.
Long Live EGYPT
God bless you all

Ahmed Nabil