Category Archives: CCNP Studies

Finished TSHOOT and SWITCH in the same week!!! I am a CCNP!!

This is awesome, I passed SWITCH and TSHOOT in the same week!!!  I did not really blog a ton about SWITCH since it came very easy to me.  A lot of the concepts were not hard except for voice VLANs and wireless since I have never worked with them before in a production environment.  I have not updated this page for a while.  I still look over my ROUTE notes when I get lost with how certain things work.  Long story short, a customer had an issue with their BGP routes where another AS next to them peered only certain routes and for some reason a network was coming in that looked like it should only be iBGP for Sprint.  I had to remember how to "properly" apply a prefix list.

Which brings me to another interesting topic: on January 24th I took a step in a new direction.  I work for a service provider who also provides data center services.  I cannot describe how awesome an opportunity this is for me.  I get to work with Cisco, Juniper, VMware and F5 equipment.  This is so amazing; everything I have worked for in my small GNS3 lab and crap switches I am able to apply to the real world.

But anyways, I am a CCNP as of Friday March 11th, 2011.   For anyone looking to take the CCNP exams after their CCNA, go for it.  It's the best thing you will ever do for yourself.  I have learned so much from these exams and I am finally able to apply what I have learned in the workplace.   Being able to use the skills I learned and spent many hours labbing in the workplace to make 1's and 0's route/switch properly is just plain awesome!!!

Which brings me to my next dilemma... what next?  I have no idea.  What everyone says to do is go for my CCIE.  I honestly do not think I am ready for that type of certification... it's huge.  I think I will study off and on for the next year+ for my CCIE.  As of right now I am going to get into the Juniper RS and Juniper Security tracks.  So exciting.

I will update this page more often.  Some things I need to accomplish in the next few weeks that I will blog about are Juniper, VMware (weighing out the options of my VCP) and some new IPv6 tactics.


Switchport Connections to Voice VLANs and QoS/CoS

*Because the sound quality of an IP phone call can deteriorate if the data is unevenly transmitted, the switch supports quality of service (QoS) based on IEEE 802.1p class of service (CoS).
*The PortFast feature is automatically enabled when a voice VLAN is configured.
-Expansion on this: as soon as I enter
switchport voice vlan 100 on fa0/1
and then
sh run int fa0/1
it will show spanning-tree portfast enabled.
*802.1p = CoS
*Voice VLAN is only supported on access ports and not on trunk ports...
but the port still carries two VLANs: the phone tags its voice frames with 802.1Q for the VVID while the PC traffic stays untagged in the access VLAN, so the link is a mini-trunk with a fixed set of two VLANs. I think the issue with using a real trunk here is that you used to be able to set a trunk up with another Cisco switch using dot1q and start VLAN-hopping if all VLANs are allowed... this is why we use switchport mode access plus switchport access vlan # and let the voice VLAN ride on top, so DTP can never turn the phone port into a full trunk.
*Interesting thing about voice is spanning-tree: with PVST+ there is one instance per VLAN, so a port with a voice VLAN (the VVID) shows up in a second spanning-tree instance.
*CDP has to be enabled on the interface connected to the phone. The reason is that the switch tells the phone which VLAN is the voice VLAN over CDP; if I put a computer on that interface nothing gets told and it will not work!!! Phones will tag their voice frames for voice VLAN 110, let's say, and learn that VLAN from CDP. Keep in mind CDP is discovery, not security. If you are not using Cisco phones in this case then oh noeeessss!!! (they need LLDP-MED or a manually configured voice VLAN instead).
*Most Cisco IP phones contain an internal 3-port switch (uplink to the switch, the phone itself and the PC port).
*Skinny (SCCP) -> the signaling protocol between the IP phone and the CallManager (CCM); when the handset is picked up the phone signals CCM over Skinny.

Commands to set up voice (entered on the interface)
switchport voice vlan 110
switchport voice vlan dot1p
switchport voice vlan untagged
switchport voice vlan none
switchport voice vlan ?

Configure how the Cisco IP Phone carries voice traffic:

•vlan-id—Configure the Cisco IP Phone to forward all voice traffic through the specified VLAN. By default, the Cisco IP Phone forwards the voice traffic with an 802.1Q priority of 5. Valid VLAN IDs are from 1 to 4094.

•dot1p—Configure the Cisco IP Phone to use 802.1p priority tagging for voice traffic and to use the default native VLAN (VLAN 0) to carry all traffic. By default, the Cisco IP Phone forwards the voice traffic with an 802.1p priority of 5.

•none—Allow the IP phone to use its own configuration to send untagged voice traffic.

•untagged—Configure the phone to send untagged voice traffic.

Commands to verify

sh vlan id x
sh int fa0/1 switchport (shows both the access VLAN and the voice VLAN)
sh spanning-tree vlan x

Wireless stuff

-QoS/CoS when it comes to voice

-One thing to keep in mind with QoS and Layer 2 switching: a switch forwards on MAC addresses and never looks at the IP header, so unless something marks the frame itself, every frame looks the same to the switch and it cannot give anything priority. At Layer 2 at least.

That is why we use a pile of junk called CoS (Class of Service).

CoS -> A 3-bit marking carried in the 802.1Q (or ISL) header, so a switch can prioritize at Layer 2 without opening the packet; it adds almost no overhead because there is no inspection of the payload at all.

ToS -> The Type of Service byte in the IPv4 header, a Layer 3 marking. The first 3 bits are IP Precedence, the first 6 bits are DSCP. A router reads the mark instead of having to classify the packet again on every hop, so this also reduces overhead.

Marking is setting CoS or ToS to a certain number... voice by default is CoS 5 (and DSCP 46, EF, at Layer 3). CoS can go 0-7.

*CoS only exists when the frame carries a dot1q (or ISL) tag. It is normally used within the switch boundaries to make "like" QoS decisions; when a frame crosses an untagged link the CoS is gone, so the switch maps CoS to DSCP (and back) at the edges.

Delay -> Time required to send a packet from A to B.

Jitter -> Variation in the delay between consecutive packets. The best way for me to remember this is if I was streaming internet radio: if halfway through the packets arrive late or drop, no music, then it starts again. Voice is very sensitive to jitter since a conversation cannot wait for late packets.

Loss -> Packets being dropped (usually because of congestion) without being delivered.

QoS can be delivered in three different ways...

Best Effort -> This is not exactly QoS... the network forwards packets in the order they came in, as quick as possible rather than with any quality guarantee. So voice packets get the same treatment as data packets; whichever is first gets switched first.

Integrated Services Model (IntServ) -> I might have to come back to this, but the idea is that the application signals what it needs end to end (RSVP) and every router along the path reserves the bandwidth before the flow starts. Every hop has to keep per-flow state, which is why it does not scale.

Differentiated Services Model (DiffServ, DSCP) -> Packets are marked with a DSCP value and each hop gives each class its own treatment (per-hop behavior); everything that is not marked simply gets best effort.

Classification -> Deciding how important a packet is to QoS. It can be matched on an ACL, protocol (TCP/UDP), port number or in some cases deeper inspection of the payload, and is normally done once at the edge so the rest of the network only has to look at the mark.

Trust Boundary -> Something I might have to come back to, but it is usually where the network connects to end users on an access-layer switch: the point from which markings are trusted. Markings arriving from outside the boundary are rewritten (untrusted); inside they are kept. *KEEP IN MIND* a Cisco IP phone can be the trust boundary itself: it marks its own voice at CoS 5 and re-marks whatever the PC behind it sends to CoS 0, so the switch can trust the phone (mls qos trust device cisco-phone) without trusting the PC.

How to enable QoS on an interface for a phone?

Switch(config)# mls qos
When this is entered, all switchports are untrusted until further commands are entered on each individual interface (every incoming frame is re-marked to CoS 0 / DSCP 0). This is what I view as turning on QoS on a switch.

Switch(config-if)# mls qos trust {cos | ip-precedence | dscp}

This is entered per interface and tells the switch which marking to trust on incoming packets.

Switch(config-if)# mls qos trust device cisco-phone

This is just like using the VVID: the port only trusts the marking if a Cisco phone is plugged in and actively sending CDP packets; if the phone goes away the port falls back to untrusted.

Switch(config-if)# mls qos trust cos

Should in most cases be used on trunk ports toward other switches, where the CoS is already set.

Auto-QoS

Uses Cisco's recommended QoS settings for voice; I would say this is the best bargain here....

Switch(config-if)# auto qos voip {cisco-phone | cisco-softphone | trust}

In this case cisco-phone/cisco-softphone are pretty obvious (conditional trust based on CDP); trust would be a router -> switch or switch -> switch link where the markings are already trusted.

Switch(config-if)# auto qos voip

is a macro that configures all the commands for you (the generated commands show up in the running config).

How to check if QoS is functioning?

sh run int fa0/1
sh mls qos int fa0/1 - there is a trust state field.
sh mls qos maps
sh auto qos int fa0/1
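To make the trust behaviour concrete, here is an added Python model of what the commands above do to an incoming frame. It is example code written for these notes, not Cisco code or output; it assumes the platform's default CoS-to-DSCP map (0, 8, 16, ..., 56) and uses a hypothetical cdp_phone_seen flag to stand in for the CDP neighbor check behind mls qos trust device cisco-phone.

```python
from dataclasses import dataclass
from typing import Optional

# Catalyst default CoS-to-DSCP map: CoS 0..7 -> DSCP 0,8,16,24,32,40,48,56.
COS_TO_DSCP = [0, 8, 16, 24, 32, 40, 48, 56]


def dscp_to_cos(dscp: int) -> int:
    """Default DSCP-to-CoS map: the three high-order bits of the DSCP."""
    return (dscp >> 3) & 7


@dataclass
class Port:
    mls_qos_enabled: bool            # global "mls qos" on the switch
    trust: Optional[str] = None      # None (untrusted), "cos", "dscp" or "ip-precedence"
    conditional_phone: bool = False  # "mls qos trust device cisco-phone" configured
    cdp_phone_seen: bool = False     # hypothetical flag standing in for the CDP phone check


@dataclass
class Marking:
    cos: Optional[int]  # 802.1p value if the frame arrived tagged, else None
    dscp: int           # DSCP value in the IP header


def ingress_marking(port: Port, frame: Marking) -> Marking:
    """Return the internal CoS/DSCP the switch carries for a frame received on `port`."""
    if not port.mls_qos_enabled:
        # QoS disabled: frames pass through with whatever marking they had.
        return Marking(frame.cos, frame.dscp)

    trust = port.trust
    if port.conditional_phone and not port.cdp_phone_seen:
        trust = None  # no Cisco phone detected via CDP -> port behaves as untrusted

    if trust is None:
        # Untrusted port: every frame is re-marked to CoS 0 / DSCP 0.
        return Marking(0, 0)
    if trust == "cos":
        # Untagged frames carry no CoS; they get the port default CoS of 0.
        cos = frame.cos if frame.cos is not None else 0
        return Marking(cos, COS_TO_DSCP[cos])
    if trust == "dscp":
        return Marking(dscp_to_cos(frame.dscp), frame.dscp)
    if trust == "ip-precedence":
        prec = frame.dscp >> 3  # IP precedence = top 3 bits of the ToS byte
        return Marking(prec, COS_TO_DSCP[prec])
    raise ValueError(f"unknown trust state {trust!r}")


# Constructed frames: voice from a phone (CoS 5, DSCP 46/EF) and an untagged PC
# frame whose host marked itself EF to jump the queue.
VOICE = Marking(cos=5, dscp=46)
PC_CHEATING = Marking(cos=None, dscp=46)


def demo() -> dict:
    """Run the sample frames through the port types discussed above."""
    untrusted = Port(mls_qos_enabled=True)
    trust_cos = Port(mls_qos_enabled=True, trust="cos")
    trust_dscp = Port(mls_qos_enabled=True, trust="dscp")
    phone_no_cdp = Port(mls_qos_enabled=True, trust="cos", conditional_phone=True)
    phone_cdp = Port(mls_qos_enabled=True, trust="cos", conditional_phone=True,
                     cdp_phone_seen=True)
    return {
        "untrusted_voice": ingress_marking(untrusted, VOICE),
        "trust_cos_voice": ingress_marking(trust_cos, VOICE),
        "trust_dscp_voice": ingress_marking(trust_dscp, VOICE),
        "trust_cos_pc_cheating": ingress_marking(trust_cos, PC_CHEATING),
        "phone_port_no_cdp": ingress_marking(phone_no_cdp, VOICE),
        "phone_port_with_cdp": ingress_marking(phone_cdp, VOICE),
    }


if __name__ == "__main__":
    for name, mark in demo().items():
        print(f"{name:24s} cos={mark.cos} dscp={mark.dscp}")
```

Note what trust cos does to voice: the phone marks DSCP 46 (EF), but a trust cos port rebuilds the DSCP from the CoS map, which gives 40 (CS5). That is why Auto-QoS also rewrites the map so CoS 5 maps to 46 (mls qos map cos-dscp 0 8 16 24 32 46 48 56); without it the EF marking is lost at the first switch.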

First set of SWITCH notes: the basics plus PVLANs and EtherChannel.

Implementing VLANs in the Campus Network...

Some things are not 100% clear to me.

Things I need to try out and read more / master from this chapter.
*PVLANs - setting up PVLANs* -> From Stretch's blog, a huge help when creating PVLANs

http://packetlife.net/blog/2010/aug/30/basic-private-vlan-configuration

PAgP and LACP EtherChannel types -> I have used EtherChannel before but never set up load balancing options based off of source and destination before; seems interesting.  Also I have never set it up with LACP... although there really isn't much of a difference.

*VLANS

*Trunking

*VTP

*Private VLANS

*Ether channel

Vlan 1,2,3 towards the right show how to logically assign users to different VLANS on different

Switches do not propagate Layer 2 broadcasts across VLANs; a broadcast stays inside the VLAN it was sent in.

Normally VLANs will be matched one-to-one with subnets: VLAN 2 would be 10.2.0.0/16, VLAN 3 10.3.0.0/16, ...

All members of the VLAN are members of the same Layer 2 broadcast domain.

End-to-End VLAN vs Local VLAN

*End-to-End VLAN

*The term end-to-end VLAN refers to VLANs that span multiple switches across the campus; in the picture there are 2 different VLANs, the HR department and the IT department. A user stays in the same VLAN no matter which switch they plug into.

*VLANs are based on function or department rather than geographic location like floors etc.

*Switches commonly work throughout as VTP clients/servers so the VLANs exist everywhere.

*Local VLAN

*Each access-layer switch gets its own VLAN(s) that exist only on that switch, so if the 4th floor has a 24-port switch, every interface on it is assigned to VLAN 4 for example.

*Generally VLANs are terminated between the access and distribution layers; not pictured, but from the 4th floor to the 3rd floor there is a trunk link allowing the VLANs. The distribution switch connected at the very bottom is where the VLAN is normally defined and routed.

*Generally the traffic in the VLAN is sent to the distribution switch where it is routed toward the core to reach its destination.

*Normally at the access layer, if VTP is implemented it is in transparent mode, the reason being that the VLANs are only locally significant and do not need to be propagated to all the other switches the way they would be from a server.

80/20 rule -> Rule when designing networks: 80% of the traffic on your network stays local to the access layer/workgroup and 20% leaves to a remote destination. End-to-end VLANs were built for this.

20/80 rule -> Vice versa, since the internet and centralized data centers, and it is 2011!! 80% of the traffic leaves the local segment; local VLANs are designed around this rule currently.

VLAN Support Matrix

Catalyst 2940 -> Maximum # of VLANs: 4, VLAN ID range: 1-1005

Catalyst 2950 -> Maximum # of VLANs: 250, VLAN ID range: 1-4094

Catalyst 2960 -> Maximum # of VLANs: 255, VLAN ID range: 1-4094

Catalyst 2970 -> Maximum # of VLANs: 1005, VLAN ID range: 1-4094

Catalyst 3500 -> Maximum # of VLANs: 1005, VLAN ID range: 1-4094

Catalyst 2800-4000 -> Maximum # of VLANs: 4093, VLAN ID range: 1-4094

Catalyst 6500 -> Maximum # of VLANs: 4094, VLAN ID range: 1-4094

VLAN ranges -> what is normally reserved

0, 4095 -> Reserved / for system use only; you cannot see these even with a sh vlan command

1 -> Normal range / default VLAN, cannot be deleted / propagated through VTP

2-1001 -> Normal range / for Ethernet VLANs, normal use, can be deleted / VTP

1002-1005 -> Normal range / Token Ring and FDDI defaults, cannot be deleted / VTP

1006-1024 -> Reserved / for system use only, cannot see these VLANs / not in VTP

1025-4094 -> Extended range / for Ethernet VLANs / with VTP version 1 and 2 the switch must be in transparent mode to create them (they live in the running config, not vlan.dat, and are not advertised to other switches); only VTP version 3 can propagate them.

How to assign an interface to a VLAN

Switch#config t

Switch(config)#interface fa0/1

Switch(config-if)#switchport mode access

Switch(config-if)#switchport access vlan 5

Using the switchport host command is optional.

switchport host command -> Turns on PortFast, turns the interface into an access port and removes any EtherChannel (channel-group) configuration from it. This is really good if someone is looking to use the interface range command to configure a range of interfaces instead of going one by one per interface.

Trunks!!!!!

Trunks, simply put, are used to carry traffic for multiple VLANs from one switch to another.

An access port carries exactly one VLAN (plus a voice VLAN on a phone port); anything more than that and the link must be a trunk.

*On both sides of the trunk the native VLAN must match for 802.1Q.

The purpose of a native VLAN is to let frames that are not tagged with a VLAN ID traverse the trunk link.

When two switches are trunked, the sending switch inserts a VID (VLAN ID) tag so the neighboring switch knows which VLAN the frame belongs to; the tag is stripped again when the frame leaves an access port toward the end host.

Trunking protocols..

ISL -> Inter-Switch Link -> Cisco proprietary

802.1Q -> Industry standard.

ISL is for the most part obsolete; it's never really used.  On some switches ISL does not exist and 802.1Q is the only option.

ISL FRAME

IEEE 802.1Q

802.1Q trunk links tag frames to carry multiple VLANs.  Each frame is tagged to identify the VLAN the frame belongs to.

Advantages to tagging frames using 802.1Q

*Smaller overhead: a 4-byte tag is inserted instead of adding the ISL header and trailer, so you are comparing 4 bytes of tag to 30 bytes of header + trailer.

*802.1Q is supported by every vendor.

*802.1Q carries the 802.1p CoS bits used for QoS.

802.1Q Frame

The 802.1Q 4-byte tag

TPID (Tag Protocol Identifier) -> 2-byte field that has a value of 0x8100

TCI (Tag Control Information) -> 2-byte field which has the following info..

*PRI -> 3-bit priority field, for CoS (802.1p)

*CFI -> Canonical Format Identifier, 1-bit field that indicates the MAC address format (always 0 on Ethernet)

*VID -> 12-bit VLAN ID field (0 means priority-tagged only, 4095 is reserved, so 4094 usable IDs)

802.1Q uses an internal tagging mechanism that modifies the original frame... hence the big X on the CRC/FCS... the switch recalculates the CRC value for the entire frame including the tag and inserts the new CRC value in a new FCS.

*If a non-802.1Q-enabled device or access port receives an 802.1Q frame, the tag data is ignored and the frame is switched as a standard Ethernet frame.

*A device MUST HAVE an MTU of 1522 or higher to pass an 802.1Q frame.

*Baby Giants ->

ISL adds 30 bytes to each frame -> 1548 bytes

802.1Q adds 4 bytes to each frame -> 1522 bytes

The reason is that a standard Ethernet frame cannot be larger than 1518 bytes; once the trunk encapsulation is added a full-size frame becomes too large....

So frames slightly over 1518 bytes (up to about 1600) are called baby giants.

Baby giants are the result of encapsulating a maximum-size frame with ISL or 802.1Q; every device in the path has to accept them, otherwise tagged full-size frames get dropped as oversized.

*Native VLANs with 802.1Q trunking

Native VLAN by default is 1.

The native VLAN on both sides of a trunk has to be the same VLAN, otherwise you will receive CDP native VLAN mismatch errors constantly (and STP puts the port into a PVID-inconsistent blocking state).   Very annoying!!!

All untagged frames go to VLAN 1 or the native VLAN...... so anything that arrives untagged, not encapsulated for a VLAN, is forwarded into the native VLAN (VLAN 1 by default).

The biggest difference with 802.1Q is tagged vs untagged: everything that is untagged between trunk ports is sent into the native VLAN, VLAN 1 in most cases. Because of that, the native VLAN should not be a VLAN with hosts in it: move it to an unused VLAN (switchport trunk native vlan 999) and, where the platform supports it, tag it too (vlan dot1q tag native), so a double-tagged frame from an access port cannot hop into another VLAN.
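An added Python example (written for these notes, not from the page or any vendor) that builds and parses the 4-byte tag described above and then models what the native VLAN does to a double-tagged frame. The frame bytes, MAC addresses and VLAN numbers are constructed; the FCS is CRC-32 from zlib, which uses the same polynomial as Ethernet.

```python
import struct
import zlib

TPID_8021Q = 0x8100

# Constructed sample frame: a broadcast with a made-up source MAC and a dummy payload.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("001122334455")


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    return dst + src + struct.pack("!H", ethertype) + payload


PLAIN = build_frame(DST, SRC, 0x0806, b"\x00" * 28)


def add_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag after the source MAC (byte offset 12)."""
    if not (0 <= vid <= 4095 and 0 <= pcp <= 7 and dei in (0, 1)):
        raise ValueError("invalid tag fields")
    tci = (pcp << 13) | (dei << 12) | vid  # PRI(3) | CFI/DEI(1) | VID(12)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_tags(frame: bytes):
    """Return ([(pcp, dei, vid), ...], ethertype, payload); handles stacked tags."""
    tags, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append(((tci >> 13) & 7, (tci >> 12) & 1, tci & 0xFFF))
        off += 4
    ethertype = struct.unpack_from("!H", frame, off)[0]
    return tags, ethertype, frame[off + 2:]


def with_fcs(frame: bytes) -> bytes:
    """Append the Ethernet FCS (CRC-32, sent least-significant byte first)."""
    return frame + struct.pack("<I", zlib.crc32(frame))


def fcs_ok(frame: bytes) -> bool:
    """True if the trailing 4 bytes are the CRC-32 of everything before them."""
    return zlib.crc32(frame[:-4]) == struct.unpack("<I", frame[-4:])[0]


def trunk_egress(frame: bytes, vlan: int, native_vlan: int, tag_native: bool = False) -> bytes:
    """Frame leaving an 802.1Q trunk from `vlan`: the native VLAN goes untagged unless tag_native."""
    if vlan == native_vlan and not tag_native:
        return frame
    return add_tag(frame, vlan)


def trunk_ingress_vlan(frame: bytes, native_vlan: int) -> int:
    """VLAN a frame is placed in when received on an 802.1Q trunk; untagged -> native VLAN."""
    tags, _, _ = parse_tags(frame)
    return tags[0][2] if tags else native_vlan


def double_tag_delivery(attacker_frame: bytes, access_vlan: int,
                        native_vlan: int, tag_native: bool = False) -> int:
    """Double-tagging attack: a host on an access port in `access_vlan` sends a frame that
    already carries a tag for the victim VLAN. The first switch forwards it out the trunk
    (untagged if access_vlan is the native VLAN), the second switch reads whatever tag is
    now outermost. Returns the VLAN the second switch delivers the frame into."""
    on_wire = trunk_egress(attacker_frame, access_vlan, native_vlan, tag_native)
    return trunk_ingress_vlan(on_wire, native_vlan)


if __name__ == "__main__":
    evil = add_tag(PLAIN, 20)  # inner tag for the victim VLAN 20
    print("native 1, attacker in VLAN 1  ->", double_tag_delivery(evil, 1, 1))
    print("native 999, attacker in VLAN 1 ->", double_tag_delivery(evil, 1, 999))
    print("native 1 but tagged            ->", double_tag_delivery(evil, 1, 1, tag_native=True))
```

The three calls at the bottom are the whole point: with the attacker's access VLAN equal to the untagged native VLAN the inner tag survives and the frame lands in VLAN 20 on the far switch; moving the native VLAN to 999 or tagging it means the far switch sees the legitimate outer tag (VLAN 1) and the hidden tag is just payload.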

*DTP -> Dynamic Trunking Protocol...

Access -> Puts an interface into permanent non-trunking mode.  Regardless of what is on the other end this will never become a trunk link.

Trunk -> Puts the interface into permanent trunking mode; if the other interface is an access interface it will still remain a trunk port (and keeps sending DTP to try to convert the neighbor).

Nonnegotiate -> Keeps the interface in its configured trunk or access mode but prevents the interface from generating DTP frames; use it together with switchport mode trunk.

Dynamic Desirable -> Makes the interface actively attempt to convert the link to a trunk link.  The interface becomes a trunk if the neighboring interface is set to trunk, desirable or auto mode.  This is the default on the older platforms covered here; newer Catalysts default to dynamic auto, so check with show interfaces switchport.

Dynamic Auto -> Makes the interface willing to convert to a trunk link but it never asks; it becomes a trunk only if the neighbor is trunk or desirable.

DTP modes per pair (the outcome is the same from either side)...

Access

Access + Access = Access

Access + Dynamic Auto = Access

Access + Dynamic Desirable = Access

Access + Trunk = Limited connectivity (one side tags, the other does not)

Dynamic Auto

Dynamic Auto + Dynamic Auto = Access

Dynamic Auto + Dynamic Desirable = Trunk

Dynamic Auto + Trunk = Trunk

Dynamic Desirable

-Tries to negotiate anything into a trunk; it will negotiate anything but Access.

Dynamic Desirable + Dynamic Desirable = Trunk

Dynamic Desirable + Trunk = Trunk

Dynamic Desirable + Access = Access

Trunk

Trunk + Trunk = Trunk

Trunk + Access = Limited connectivity

Configuring a trunk

Switch(config)# interface type mod/port
Switch(config-if)# switchport

Switch(config-if)# switchport trunk encapsulation {isl | dot1q | negotiate}

The switchport trunk encapsulation command configures the type of encapsulation for the port:

  • isl – VLANs are tagged by encapsulating each frame with the Cisco ISL protocol.
  • dot1q – VLANs are tagged in each frame using the IEEE 802.1Q standard protocol. The native VLAN is sent normally and is untagged.
  • negotiate – The default configuration, negotiates the encapsulation to select either ISL or 802.1Q, whichever both ends of the trunk support. If both ends support both types, ISL is used.

Switch(config-if)# switchport trunk native vlan vlan-id -> how to change the native VLAN

Switch(config-if)# switchport trunk allowed vlan {vlan-list | all | {add | except | remove} vlan-list}

  • vlan-list – An explicit list of VLAN numbers, separated by commas or dashes.
  • all – All active VLANs (from 1 to 4094) will be allowed.
  • add vlan-list – A list of VLAN numbers will be added to the already configured list; this is a shortcut to keep from typing a long list of numbers.
  • except vlan-list – All VLANs (1 to 4094) will be allowed, except for the VLAN numbers listed; this is a shortcut to keep from typing a long list of numbers.
  • remove vlan-list – A list of VLAN numbers will be removed from the already configured list; this is a shortcut to keep from typing a long list of numbers.

Switch(config-if)# switchport mode {access | trunk | dynamic {desirable | auto}}

The switchport mode command sets the trunking mode to any of the following:

  • access – Sets the port in permanent non-trunking mode; DTP will never turn it into a trunk.
  • trunk – Sets the port in permanent trunking mode.
  • dynamic desirable (default setting on this platform) – The port attempts to actively convert the link to trunking mode. It "asks" the other end of the trunk link to bring up a trunk. If the far-end switch port is configured as trunk, dynamic desirable, or dynamic auto mode, trunking is negotiated successfully.
  • dynamic auto – The port turns into a trunk link only if the far end of the link actively requests it. If both ends are dynamic auto, the trunk does not form. If the other end of the link is in trunk mode or dynamic desirable mode, trunking is negotiated.

Switch(config-if)# switchport nonegotiate -> stops the port sending DTP once it is set to trunk (or access). Use it on every trunk whose far end you control and on every access port, so nobody on the other end can negotiate the port into a trunk.

Verification on interfaces...

sh run int fa0/1

sh int fa0/1 trunk (shows the mode, encapsulation, native VLAN and the allowed/active/forwarding VLAN lists)

sh int fa0/1 switchport (shows the administrative vs. operational mode, so you can see whether DTP negotiated a trunk)
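The DTP outcome table and the trunk commands above are the kind of thing worth checking automatically across a whole config rather than port by port. This added Python example (mine, not the page's) encodes the DTP table as a function and audits a constructed running-config excerpt for the usual findings: ports left negotiable, trunks still sending DTP, native VLAN 1 and unrestricted allowed lists. The config text and the finding names are made up for the example.

```python
from typing import Dict, List, Optional

# Constructed sample running-config excerpt (not from any real switch).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 10
 switchport voice vlan 110
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,110
!
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,110
 switchport mode trunk
 switchport nonegotiate
!
"""


def dtp_result(mode_a: str, mode_b: str) -> str:
    """Outcome of DTP between two port modes: 'access', 'trunk' or 'limited'."""
    pair = {mode_a, mode_b}
    if pair == {"access", "trunk"}:
        return "limited"        # one side tags, the other does not
    if "access" in pair:
        return "access"         # access never becomes a trunk
    if "trunk" in pair or "dynamic desirable" in pair:
        return "trunk"          # one side asks (desirable) or is forced (trunk)
    return "access"             # auto + auto: nobody asks


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split an IOS config into {interface name: [sub-commands]}."""
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(" ", 1)[1].strip()
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(raw.strip())
        else:
            current = None      # "!" or any other top-level line ends the block
    return interfaces


def audit_port(cmds: List[str]) -> List[str]:
    """Hardening findings for one switchport, in the order they are detected."""
    findings: List[str] = []
    mode = next((c[len("switchport mode "):] for c in cmds
                 if c.startswith("switchport mode ")), None)
    if mode is None or mode.startswith("dynamic"):
        findings.append("DTP-NEGOTIABLE")          # platform default or explicit dynamic mode
    if mode == "trunk":
        if "switchport nonegotiate" not in cmds:
            findings.append("TRUNK-SENDS-DTP")
        native = next((int(c.rsplit(" ", 1)[1]) for c in cmds
                       if c.startswith("switchport trunk native vlan ")), 1)
        if native == 1:
            findings.append("NATIVE-VLAN-1")
        if not any(c.startswith("switchport trunk allowed vlan ") for c in cmds):
            findings.append("ALL-VLANS-ALLOWED")
    if any(c.startswith("switchport voice vlan ") for c in cmds) and mode != "access":
        findings.append("VOICE-PORT-NOT-ACCESS")   # phone port left negotiable
    return findings


def audit(config: str) -> Dict[str, List[str]]:
    return {name: audit_port(cmds) for name, cmds in parse_interfaces(config).items()}


if __name__ == "__main__":
    for port, findings in audit(SAMPLE_CONFIG).items():
        print(f"{port:22s} {', '.join(findings) or 'ok'}")
```

Fa0/1 is the phone port from the voice section with no switchport mode access, so it is flagged twice; Gi0/2 is what a hardened trunk looks like and comes back clean.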

VTP -> VLAN Trunking Protocol

Cisco proprietary

3 different modes of VTP

Client -> Waits for revisions from servers. Clients are not capable of adding, modifying or deleting VLANs; they only synchronize from the server (and on the older platforms do not keep the VLAN database in NVRAM across a reboot).

Server -> Servers create, modify or delete VLANs.  VLANs are saved in the vlan.dat database in flash and advertised to the rest of the domain.

Transparent -> Creates and modifies its own local VLANs.  It will in fact forward VTP advertisements out its trunks, but does not synchronize its own VLAN configuration with other switches in the domain.  Information is saved locally (running config / vlan.dat).

Keep in mind, depending on the version of VTP, transparent mode has two different effects..

VTP1 -> The switch does not relay VTP information unless the VTP domain name and VTP version number match those of the other switches.

VTP2 -> It will forward received VTP advertisements out its trunk ports regardless of what domain they are using.

*The following have to match to accept a VTP revision.

Domain

Password

Version

Revision number has to be higher than the current revision

Each time a change is made to the VLAN database on a server, the revision number goes up by 1.

Caveat: the revision number is the only thing that decides who wins. A switch (server or client) connected to the domain with the same domain name and password and a higher revision overwrites the VLAN database of every other switch, which can delete production VLANs in seconds. Before connecting a used switch, reset its revision to 0 by changing its VTP domain name or putting it in transparent mode and back, and confirm with show vtp status.

*VTP advertisements are sent as Layer 2 multicast, out trunk ports only.

*VTP servers/clients synchronize to the highest revision #.

*VTP advertisements are sent out every 5 minutes or when there is a change.

*VTP Pruning

VTP pruning uses VLAN advertisements to determine when a trunk connection is flooding traffic needlessly.  By default a trunk connection carries traffic for all VLANs that it allows in the VTP domain, even if the switch on the other end has no ports in some of those VLANs.

To make a long story short: traffic from port 1 on switch A goes to switch B and on to switch D.  Switches C and E have no ports in that VLAN, so with pruning enabled switch B stops flooding that VLAN toward them, which saves bandwidth on this topology.  If port 5 on switch B does not have that VLAN in use it will be pruned.  In some cases this works out well, like in the above topology.

This will prevent unneeded broadcast, multicast and unknown-unicast traffic going to switches C and E.

*Differences between VTP versions

Version 1 vs 2

VTP2 = Supports Token Ring VLANs

Transparent mode works differently, as noted prior.

Consistency checks on VLAN names and values

VTP3

Supports extended VLANs 1025-4094

Advertises private VLANs

Improved server authentication (hidden password, one primary server per domain)

Works with VTP 1 & 2

Configurable on a per-interface basis

VTP message types...

Summary advertisements..

*Sent every 5 minutes

*Include the domain and revision #

Subset advertisements

*Sent after an add, delete or change of a VLAN; carry the VLAN details

Advertisement requests (a switch asks for the VLAN database when)

*The switch has been reset

*The VTP domain name has been changed

*The switch has received a summary advertisement with a higher configuration revision than its own

VTP commands...

Configuring VTP

Configuring the VTP management domain

switch(config)#vtp domain domain-name

switch(config)#vtp mode {server | client | transparent}

Server mode = default mode

Each domain must have at least 1 server.

Server and server is no issue, but the advertisement which has the higher revision number will be used.

switch(config)#vtp password password

The password is configured on servers and clients and has to match on every switch; it is carried in the advertisements as an MD5 digest, not in clear text.

switch(config)#vtp version {1 | 2}

VTP version 1 is the default.

VTP pruning

switch(config)#vtp pruning

If this command is used on a VTP server, it is advertised to the rest of the domain and all listening switches will also enable pruning.

switch(config-if)#switchport trunk pruning vlan {add | except | none | remove} vlan-list

Pruning is a bit odd on the native VLAN / VLAN 1; the reason is that VLAN 1 is never prune-eligible, so every broadcast in VLAN 1 will always be sent out every trunk whether there is a host or a switch attached that way or not.  There is no way of preventing that... at least that I know of, other than keeping hosts out of VLAN 1 and removing it from the allowed list.

From – http://www.firewall.cx/vlans-vtp-pruning.php

Note: VTP Pruning is disabled by default on all Cisco Catalyst switches and can be enabled by issuing the "set vtp pruning enable" command. If this command is issued on the VTP Server(s) of your network, then pruning is enabled for the entire management domain.

VTP Pruning configuration and commands are covered in section 11.4 as outlined in the VLAN Introduction page, however, we should inform you that you can actually enable pruning for specific VLANs in your network.

When you enable VTP Pruning on your network, all VLANs become eligible for pruning on all trunk links. This default list of pruning eligibility can thankfully be modified to suit your needs but you must first clear all VLANs from the list using the "clear vtp prune-eligible vlan-range" command and then set the VLAN range you wish to add in the prune eligible list by issuing the following command: "set vtp prune-eligible vlan-range" where the 'vlan-range' is the actual inclusive range of VLANs e.g. '2-20'.

By default, VLANs 2–1000 are eligible for pruning. VLAN 1 has a special meaning because it is normally used as a management VLAN and is never eligible for pruning, while VLANs 1001–1005 are also never eligible for pruning. If the VLANs are configured as pruning-ineligible, the flooding continues as illustrated in our examples.


*Private VLANs

The reason for private VLANs is to prevent Layer 2 connectivity between end devices on a switch within the same VLAN, while keeping them in one IP subnet behind one gateway.

Private VLAN port types

Isolated -> An isolated port within a PVLAN has complete Layer 2 separation from all other ports within the PVLAN except the promiscuous ports.  PVLANs block all traffic to isolated ports except the traffic from promiscuous ports.  Traffic received from an isolated port is forwarded only to promiscuous ports (two isolated ports in the same isolated VLAN cannot talk to each other either).

Green is an example of an isolated PVLAN, where each port is in its own broadcast domain and can only speak with the promiscuous port.

Promiscuous -> This type of port can communicate with any port within the PVLAN (isolated and community alike); the gateway router or firewall normally sits here.

Community VLANs -> Community ports, hence the name, communicate with each other within the same community and with the promiscuous ports, as shown in the topology.

PVLANs are created by the following...

-Primary VLAN

-Secondary VLAN

Primary VLAN -> The high-level VLAN of the private VLAN.  A primary VLAN can be composed of many secondary VLANs (several community VLANs, but only one isolated VLAN).

Secondary VLAN -> Every secondary VLAN is considered a subsystem or child of a primary VLAN.

There are 2 types of secondary VLANs, or reasons to run them...

#1 Community private VLANs -> Ports that belong to a community PVLAN can communicate with the other ports in the same community VLAN and with promiscuous ports of the same primary VLAN.

#2 Isolated VLANs -> Ports that belong to an isolated PVLAN can communicate only with promiscuous ports.

Private VLAN configuration...

An example I pulled from

http://www.networkengineerblog.com/2009/06/cisco-switch-private-vlan-pvlan.html

(with VTP version 1 or 2 the switch has to be in vtp mode transparent before the private-vlan commands are accepted)

Switch(config)#vlan 100

Switch(config-vlan)#private-vlan community

Switch(config-vlan)#exit

Switch(config)#vlan 200

Switch(config-vlan)#private-vlan community

Switch(config-vlan)#exit

Switch(config)#vlan 86

Switch(config-vlan)#private-vlan isolated

Switch(config-vlan)#exit

Switch(config)#vlan 10

Switch(config-vlan)#private-vlan primary

Switch(config-vlan)#private-vlan association 100,200,86

Switch(config-vlan)#exit

VLAN creation, here is where all the VLANs are created.

VLAN 100, 200 -> Community VLANs

VLAN 86 -> Isolated VLAN

VLAN 10 -> Primary VLAN

Switch(config)#interface gig2/1

Switch(config-if)#switchport mode private-vlan promiscuous

Switch(config-if)#switchport private-vlan mapping 10 100,200,86

Switch(config)#interface range gig2/2 - 3

Switch(config-if-range)#switchport mode private-vlan host

Switch(config-if-range)#switchport private-vlan host-association 10 100

Switch(config)#interface range gig2/4 - 5

Switch(config-if-range)#switchport mode private-vlan host

Switch(config-if-range)#switchport private-vlan host-association 10 200

Switch(config)#interface range gig2/6 - 7

Switch(config-if-range)#switchport mode private-vlan host

Switch(config-if-range)#switchport private-vlan host-association 10 86

On Gig2/2-3, 2/4-5 and 2/6-7 we are associating each port with its primary/secondary pair; the VLANs are already defined as isolated, community or primary, and the port's role (isolated or community) comes from the secondary VLAN it is associated with.

Ways to verify private VLANs?

show vlan private-vlan

show interfaces gig2/1 switchport (shows the private-vlan mapping or host association)

*Port protect feature.

Used on lower-end switches; this works similar to private VLANs but only within one switch.

Protected ports are a simple version of private VLANs.  Traffic can flow only between a protected and an unprotected port and between unprotected ports... if both are protected, no unicast, broadcast or multicast traffic flows directly between them at Layer 2 (they can still reach each other through a router).  The setting is local to the switch: two protected ports on different switches can still talk across the trunk.
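Added example (not from the page or the linked blog): a Python model of the PVLAN configuration above, so the rules for isolated, community and promiscuous ports can be checked as a reachability matrix, together with the simpler protected-port rule. The port-to-VLAN table is constructed from the example config; the reachability logic is the PVLAN rule set as documented.

```python
from typing import Dict, Optional, Set, Tuple

# Constructed from the example config above: primary VLAN 10 with two community
# secondaries (100, 200) and one isolated secondary (86).
SECONDARY_ROLE: Dict[int, str] = {100: "community", 200: "community", 86: "isolated"}

# port -> (primary, secondary); secondary None means a promiscuous port.
HOST_PORTS: Dict[str, Tuple[int, Optional[int]]] = {
    "Gi2/1": (10, None),
    "Gi2/2": (10, 100), "Gi2/3": (10, 100),
    "Gi2/4": (10, 200), "Gi2/5": (10, 200),
    "Gi2/6": (10, 86),  "Gi2/7": (10, 86),
}

# promiscuous port -> secondaries it is mapped to (switchport private-vlan mapping).
PROMISC_MAPPING: Dict[str, Set[int]] = {"Gi2/1": {100, 200, 86}}


def can_talk(a: str, b: str,
             ports: Dict[str, Tuple[int, Optional[int]]] = HOST_PORTS,
             roles: Dict[int, str] = SECONDARY_ROLE,
             mapping: Dict[str, Set[int]] = PROMISC_MAPPING) -> bool:
    """Whether two ports can exchange Layer 2 traffic directly under the PVLAN rules."""
    if a == b:
        return True
    pa, sa = ports[a]
    pb, sb = ports[b]
    if pa != pb:
        return False                      # different primary VLANs: separate broadcast domains
    if sa is None or sb is None:          # at least one promiscuous port involved
        prom, other = (a, sb) if sa is None else (b, sa)
        # two promiscuous ports always talk; a host only if its secondary is mapped
        return other is None or other in mapping[prom]
    if sa != sb:
        return False                      # community 100 vs 200, or community vs isolated
    return roles[sa] == "community"       # same community: yes; same isolated VLAN: no


def protected_ports_can_talk(a_protected: bool, b_protected: bool) -> bool:
    """switchport protected: traffic is blocked only when BOTH ports are protected."""
    return not (a_protected and b_protected)


def reachability_matrix(ports: Dict[str, Tuple[int, Optional[int]]] = HOST_PORTS
                        ) -> Dict[str, Set[str]]:
    """Every port -> the set of other ports it can reach at Layer 2."""
    return {p: {q for q in ports if q != p and can_talk(p, q, ports)} for p in ports}


if __name__ == "__main__":
    for port, peers in reachability_matrix().items():
        print(f"{port}: {sorted(peers)}")
```

Running it shows the property you are buying with PVLANs: the isolated hosts on Gi2/6 and Gi2/7 reach only the promiscuous gateway port, and nothing in community 100 can reach community 200 even though every port shares one primary VLAN and one subnet.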

*EtherChannel

*EtherChannel provides redundancy

*Up to 8 active interfaces in one bundle (LACP can hold up to 16, with 8 in standby)

*Load balancing is possible between the links that are part of the same EtherChannel.

*Spanning tree sees the bundle as one interface, so redundant links are used instead of being blocked.

2 primary protocols for EtherChannel.

PAgP -> Cisco proprietary

LACP -> Industry standard, 802.3ad

PAgP modes

PAgP packets are sent out every 30 seconds.

Auto -> Places an interface in a passive negotiating state; it will respond to PAgP packets sent to it but will not initiate any.

Desirable -> Places an interface in an active negotiating state, in which the interface initiates negotiations with other interfaces by sending PAgP packets.

On -> Forces the interface to channel without PAgP.  These do not exchange PAgP packets, so both ends must be set to on.

Silent / Non-silent -> silent (the default) is for when the other end might never send PAgP at all, like servers, SPAN destinations, probes etc.; non-silent expects PAgP from the partner (another switch) and will not bring the link into the bundle until it hears it.

LACP modes...

Passive -> Same idea as PAgP auto: responds but does not initiate.

Active -> Sends LACP packets to negotiate.

On -> Forces the interface to channel without PAgP or LACP.

Optional parameters for LACP

System priority (decides which switch chooses the active links when more than 8 are in the bundle)

Port priority (decides which links go to standby)

Administrative key

Guidelines to creating a port-channel / EtherChannel

EtherChannel support -> all interfaces on the modules must support EtherChannel; max of 8 active interfaces.
Speed and duplex -> make sure they are all the same bandwidth and the same duplex.

SPAN -> EtherChannel will not form if one interface is a SPAN destination.

VLAN -> All interfaces in the port channel absolutely have to have the same VLAN configuration: the same access VLAN, or for trunks the same native VLAN and allowed VLAN list.

EtherChannel load balancing options...

Use the port-channel load-balance command (global).  There's a ton of different things load balancing can be set to... src-mac, dst-mac, src-dst-mac, src-ip, dst-ip, src-dst-ip and on the bigger platforms the Layer 4 port.  The hash picks one physical link per flow, so a single flow never gets more than one link's bandwidth, and with 3, 5, 6 or 7 links the 8 hash buckets do not divide evenly across the members.
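Added Python example (my own, not Cisco's) covering three things from this section: whether a pair of PAgP/LACP modes bundles, the bundle guidelines as a consistency check, and a simplified model of src-dst-ip load balancing (XOR of the low-order address bits into 8 buckets dealt across the member links) to show why 3, 5, 6 or 7 links balance unevenly. The member definitions are constructed; the hash is a model of the documented 8-bucket behaviour, not the exact platform algorithm.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Member:
    name: str
    speed_mbps: int
    duplex: str
    mode: str                            # "access" or "trunk"
    access_vlan: Optional[int] = None
    native_vlan: Optional[int] = None
    allowed_vlans: Optional[str] = None
    span_destination: bool = False


def bundle_problems(members: List[Member]) -> List[str]:
    """Reasons a port-channel will not bundle these members (the guidelines above)."""
    problems: List[str] = []
    ref = members[0]
    for m in members[1:]:
        if (m.speed_mbps, m.duplex) != (ref.speed_mbps, ref.duplex):
            problems.append(f"{m.name}: speed/duplex differs from {ref.name}")
        if (m.mode, m.access_vlan, m.native_vlan, m.allowed_vlans) != \
           (ref.mode, ref.access_vlan, ref.native_vlan, ref.allowed_vlans):
            problems.append(f"{m.name}: VLAN configuration differs from {ref.name}")
    problems += [f"{m.name}: is a SPAN destination" for m in members if m.span_destination]
    if len(members) > 8:
        problems.append("more than 8 active members")
    return problems


def channel_forms(mode_a: str, mode_b: str) -> bool:
    """PAgP (auto/desirable), LACP (passive/active) or static (on) negotiation outcome."""
    pair = {mode_a, mode_b}
    if pair == {"on"}:
        return True                      # static on both sides, no protocol at all
    if "on" in pair:
        return False                     # "on" never negotiates with a protocol end
    if pair <= {"auto", "desirable"}:
        return "desirable" in pair       # PAgP: at least one side must initiate
    if pair <= {"passive", "active"}:
        return "active" in pair          # LACP: at least one side must initiate
    return False                         # PAgP and LACP never bundle with each other


def hash_bucket(src_ip: str, dst_ip: str) -> int:
    """Simplified src-dst-ip hash: XOR of the low 3 bits of both IPv4 addresses (0..7)."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    return (s ^ d) & 0b111


def link_for_bucket(bucket: int, n_links: int) -> int:
    """The 8 hash buckets are dealt round-robin over the member links."""
    return bucket % n_links


def bucket_distribution(n_links: int) -> List[int]:
    """How many of the 8 buckets land on each link, e.g. 3 links -> [3, 3, 2]."""
    counts = [0] * n_links
    for bucket in range(8):
        counts[link_for_bucket(bucket, n_links)] += 1
    return counts


if __name__ == "__main__":
    for n in (2, 3, 4, 5, 6, 7, 8):
        print(f"{n} links -> buckets per link {bucket_distribution(n)}")
    flow = hash_bucket("10.1.1.1", "10.1.1.2")
    print(f"flow 10.1.1.1 -> 10.1.1.2 hashes to bucket {flow}, link {link_for_bucket(flow, 3)}")
```

Two things worth noticing from the output: a 3-member bundle carries 3/8 of the flows on two links and 2/8 on the third, so 2, 4 or 8 links are the only even splits; and because the hash only looks at the low address bits, a pair of hosts that only differ in the high bits of their addresses land on the same link every time.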

Starting out with 642-813 – SWITCH, my new home lab and GNS3

Well, since passing ROUTE on December 22nd I decided to take the next step and go with SWITCH.  I hope to pass by mid February.  I have read the entire FLG, which is half the size of the ROUTE book!!  There's a ton of really interesting material.  Some things I will not be able to lab at home unfortunately, things with 4500/6500 Cat switches.  I do however have access to 2 3750s at my current employer, which I plan to use to lab some things that I cannot lab at home.

I have read the book cover to cover over the past 2-3 weeks and I have most concepts down.  I will do some simple spanning-tree for the next few days, move into RSTP and go for the VLAN spanning tree types.  I decided to bust my old 2950s out of the closet and hook them up today.  I spent some time today getting everything ready and had to create some cabling for my trunk ports.

CLICK ON IMAGE TO SEE FULL SIZE!

Yupp, it's a mess in my basement.

But anyways, I was able to make some virtual routers in GNS3 and attach them to my switches.  My current machine has 2 NIC cards.  One is attached to my 2900XL switch at the very bottom, configured on the switch as a trunk.  The other is on an access port, which the machine uses for primary purposes; it does have a physical IP address.  The trunk-side NIC will carry the traffic for the interface configured on the virtual router.

It's pretty simple: if you create a cloud device, go to NIO and select your NIC card.  I selected my secondary NIC card and it will show up.  I have everything going through my 2900XL switch at the very bottom.

Well, that's about it... I'm hoping to have some spanning tree instances for the next week or so, then eventually move on to HSRP, VRRP and GLBP.  I am pretty sure I will be able to do all three redundancy protocols through GNS3, just not with L3 switches 😦

Passed 642-902 ROUTE!

Wooo, I'm excited, second shot I passed the exam.

This was my second shot at the exam.  For anyone looking to pass this exam, a lot of my notes are covered within the exam.  I would recommend looking at the 642-902 blueprint.  My study guides were the following...

-Cisco Foundation Learning Guide

-CBT Nuggets 642-902

-Lots of lab work with GNS3

-Lots of lab work at home with 3×2610 routers, one kick-ass 2511 terminal server and many crap 2500 routers, which are going to be given away as of today!!!

I would have passed the first time, but looking everything over I found my mistakes; I labbed a little more with the parts I had done wrong and I found what I was bad at.

For anyone taking this exam in the near future, my advice is to know everything forwards and backwards.  Make sure you know your IGPs (EIGRP, OSPF) very well, make sure you know your BGP very well..... make sure you are the PBR master.  Make sure you master IPv6.

On another note, I am receiving a couple hundred hits per day, which is amazing since when I started this blog 3 months ago I was receiving maybe a few per day!!

 

 

BGP Notes

BGP

Numbers

TCP port 179

eBGP AD = 20

iBGP AD = 200

Attributes

Path vector protocol.

When an update is sent the receiver sends an ack; updates are incremental, so BGP only sends updates when something changes.

Incremental and triggered.

Slowest convergence time.

BGP styles

Default route only -> the edge router injects a static 0.0.0.0 default route into BGP.

It is possible to advertise your networks into BGP from the IGP.

Partial updates ->

Business -> BGP -> 2nd business.

-> 2nd BGP -> 3rd business.

Having routes only for certain sites.

So routes for only the 1st BGP to the first edge router, etc.

Full updates

The edge router gets the entire routing table of the internet.

BGP table: BEST paths to routes on the internet.

Without tuning BGP acts similar to RIP -> so if not configured it will hop from autonomous system to autonomous system.

Single-homed BGP -> having one connection from a router out to BGP.

Dual-homed BGP -> two options:

a.) one router connected to 2 links out to a BGP

b.) 2 routers connected to two different links out to the same BGP

This is set up for load balancing and for redundancy.

Multi-homed

One router or multiple routers going out to different BGPs per router.

BGP speaker -> any router that runs BGP.

Tables

Neighbors

BGP table -> a list of all BGP routes.

Routing table -> list of best routes.

Public and private AS#'s

iBGP -> 2 routers in the same AS

eBGP -> neighbor relationship linking 2 different ASes

Peering -> when two routers form a neighbor relationship.

iBGP relationships -> do not have to be physically connected together.  Since it runs over other routers in that AS, the data/packets for new routes flow through routers that are not running iBGP.

Blackhole -> since the traffic goes over an IGP router out to BGP, if that router can't find the destination because it doesn't have it in its table, it does not know what to do with the packet and it possibly drops it.

BGP Configuration

BGP neighbors are manually configured.

config t
router bgp 6500 (the local AS)

How to configure a neighbor? eBGP

neighbor 10.1.45.1 remote-as 5500 -> 10.1.45.1 is the interface that connects; 5500 is the external AS the neighbor is in.

Neighbors can peer with other neighbors without sending any data first.

BGP offers passive and active states similar to EIGRP; Active means it is searching for a route.

iBGP -> when configuring iBGP neighbors internally the best thing to do is peer with loopbacks, just in case the directly attached interface goes down.

How to configure a neighbor?  iBGP

router bgp 5500
neighbor 1.1.1.1 remote-as 5500

Doing only this, the relationship will never form; it will stay in Active.  This applies to internal peering.

The reason is that the neighbors are attached via a loopback address.  The router that sees 1.1.1.1 as its neighbor will not have a physical interface with the address 1.1.1.1, since it is a loopback.  So when it gets the neighbor packet from, let's say, source 192.168.5.1 it is not going to form that neighbor relationship.  On this router we have to do the following; it all has to do with the source address.

So we have to do the following:

neighbor 1.1.1.1 update-source lo1 (the loopback interface that the neighbor peers with)

This will move the neighbor relationship from Active to established, and the State/PfxRcd column then shows how many prefixes were received.

eBGP multihop

neighbor 5.5.5.5 ebgp-multihop 2 (hops)

This is a bit confusing, but instead of 1 hop to a loopback it is 2, since you use the interface connected to the router plus the loopback.

This command is really used for interfaces like a loopback that are not directly connected.

How to advertise networks

2 ways: the network command and redistribution.

Using the network command

network 10.0.0.0 -> will auto-summarize this network into 10.0.0.0 like RIP.

Every other BGP router will have 10.0.0.0 in its table.

network 10.1.1.0 mask 255.255.255.0 -> this has to match the subnet mask that I have set on the interface.

By default auto-summarization is turned on.

So any redistributed route is classful.

BGP synchronization

Do not advertise a route learned via iBGP until you learn that route from the IGP.  So a route has to be learned via OSPF, EIGRP, etc. before BGP will synchronize and send that route.

Or you can turn off synchronization:

router bgp 6500
no synchronization

BGP next-hop process

When configuring routes, keep this in mind:

When iBGP passes on routes it will keep the same next hop; this is bad.

When eBGP passes on routes it will change the next hop appropriately.

So if I have routes to outside of my own AS, my IGP router will have that outside address as the next hop instead of the router that is actually adjacent to it, and it has no route to that IP.

neighbor 1.1.1.1 next-hop-self -> tells the other router (1.1.1.1) that for all the routes I send, the next hop will be myself.  So I am telling my neighbor 1.1.1.1 "I am the next hop."

BGP tuning and attributes

Mandatory attributes -> example: the next hop address.

Well-known attributes

AS_PATH -> mandatory

NEXT_HOP -> mandatory

ORIGIN -> mandatory

LOCAL_PREF -> discretionary

ATOMIC_AGGREGATE -> discretionary

Optional attributes

AGGREGATOR

Multi-exit discriminator (MED/metric)

Goes from the top down; the bold ones are the most important.

How BGP finds the best path / metric

Ignore routes with an inaccessible next hop address

Highest WEIGHT

Highest LOCAL_PREF

Prefer the path that was locally originated with the network command

Shortest AS_PATH

Path with the lowest origin type

Lowest MED

eBGP over iBGP

Lowest IGP metric to the BGP next hop

Determine if multiple paths require installation for BGP multipath

If both paths are external, prefer the path received first

Prefer the route that comes from the BGP router with the lowest RID

If the originator RID is the same for multiple paths, prefer the path with the minimum cluster list length

Prefer the path that comes from the lowest neighbor address

WEIGHT, LOCAL_PREF, AS_PATH, etc. are all set the same by default, so they all tie by default and have to be set.
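To see the decision list above actually applied, here is a small Python simulation I am adding as an example; it is not IOS code and not part of the original notes.  A Path holds the attributes from the list, rank_paths() drops any path whose next hop is unreachable and sorts the rest in the order above, and the sample paths, neighbor addresses and RIDs are constructed for the demo.  Two simplifications are assumptions: MED is compared across all paths (IOS by default only compares it between paths from the same neighboring AS), and the multipath step is skipped because it does not pick a single best path.

```python
"""BGP best-path selection, simulated in Python (added example, not IOS code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import List, Optional

# Origin codes as IOS displays them; the lower rank wins.
ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}


@dataclass
class Path:
    """One candidate path for a prefix as it would sit in the BGP table."""
    neighbor: str                      # address the path was learned from
    next_hop: str
    next_hop_reachable: bool = True    # is there an IGP/static route to next_hop?
    weight: int = 0                    # Cisco WEIGHT, local to this router
    local_pref: int = 100              # LOCAL_PREF default
    locally_originated: bool = False   # injected here with the network command
    as_path: List[int] = field(default_factory=list)
    origin: str = "i"
    med: int = 0
    ebgp: bool = True                  # learned from an external peer?
    igp_metric: int = 0                # IGP cost to reach next_hop
    received_order: int = 0            # lower = received earlier
    router_id: str = "0.0.0.0"         # RID of the advertising router
    cluster_list_len: int = 0


def _key(p: Path):
    """Sort key mirroring the decision order in the notes; the first element
    that differs between two paths decides."""
    return (
        -p.weight,                                  # highest weight
        -p.local_pref,                              # highest LOCAL_PREF
        0 if p.locally_originated else 1,           # prefer locally originated
        len(p.as_path),                             # shortest AS_PATH
        ORIGIN_RANK[p.origin],                      # i < e < ?
        p.med,                                      # lowest MED (assumption: compared
                                                    # across all paths, like always-compare-med)
        0 if p.ebgp else 1,                         # eBGP over iBGP
        p.igp_metric,                               # lowest IGP metric to the next hop
        p.received_order if p.ebgp else 0,          # both external: the older path wins
        int(ip_address(p.router_id)),               # lowest RID
        p.cluster_list_len,                         # shortest cluster list
        int(ip_address(p.neighbor)),                # lowest neighbor address
    )


def rank_paths(paths: List[Path]) -> List[Path]:
    """Return usable paths best-first.  Paths with an unreachable next hop are
    dropped before any attribute is compared (step 1 in the notes)."""
    usable = [p for p in paths if p.next_hop_reachable]
    return sorted(usable, key=_key)


def best_path(paths: List[Path]) -> Optional[Path]:
    ranked = rank_paths(paths)
    return ranked[0] if ranked else None


# Constructed sample: three paths to one prefix as a router in AS 6500 might hold them.
SAMPLE_PATHS = [
    Path(neighbor="10.1.15.5", next_hop="10.1.15.5", as_path=[6400],
         ebgp=True, router_id="5.5.5.5", received_order=1),
    Path(neighbor="4.4.4.4", next_hop="4.4.4.4", local_pref=600,
         as_path=[6400, 6300], ebgp=False, router_id="4.4.4.4", received_order=2),
    Path(neighbor="10.1.16.6", next_hop="10.1.16.6", weight=500,
         next_hop_reachable=False, as_path=[6400], router_id="6.6.6.6", received_order=3),
]

if __name__ == "__main__":
    for p in rank_paths(SAMPLE_PATHS):
        print(p.neighbor, "weight", p.weight, "lp", p.local_pref, p.as_path,
              "eBGP" if p.ebgp else "iBGP")
```

In the sample the path with weight 500 loses because its next hop is unreachable, so the iBGP path with LOCAL_PREF 600 wins even though it has the longer AS_PATH and the eBGP path arrived first; make the third next hop reachable and weight takes over.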

 

WEIGHT = Cisco proprietary, stays local to a BGP router.

You can specify that routes from R1 have a higher weight than routes from R2, so if a router has multiple routes it will say the weight via R1 is higher and take R1 instead of R2.

Weight is automatically set to 0.

More weight = better.

This is local per router.

Setting the weight:

R1(config)#router bgp 5500
R1(config-router)#neighbor 10.1.15.5 weight 500 (sets the weight for all the routes from that neighbor to 500)

So for neighbor 10.1.15.5, any route I know that neighbor has, I will send traffic there as opposed to the other neighbors if their weights were 0.

If weight is tied we go to LOCAL_PREF.

LOCAL_PREF -> something that is advertised to other routers.

AS_PATH -> highly unlikely to be the tie breaker, but it is the hop count in autonomous systems from the original BGP router.

More attribute information

Weight

AS-Path

Next hop address

Origin

Local preference

Metric

Things that would not allow a BGP route to be in the IP route table:

1.) Synchronization

2.) Remember to look at the next hop address.  Remember that eBGP will change the next hop to the router in the neighboring AS; next-hop-self would fix this.

clear ip bgp *

neighbor 10.1.15.2 shutdown -> shuts down that neighbor but keeps all the attributes, so when that neighbor is added again it will come back up with all the attribute settings.

Origin attribute -> where the route came from.  Typically it is from a network command if it says i; if it is denoted with ? it was normally redistributed into BGP.

LOCAL_PREF -> prefer the path with the highest local preference.  The difference between local preference and weight is that local preference is advertised to the entire AS, but does not get advertised outside of the AS.

Default = 100

Using local preference to make a BGP router preferred in an AS:

bgp default local-preference 600

So every single route it advertises to other routers it will mark as 600.  Keep in mind that if the weight is different, that will break the tie first.

Metric attribute (MED)

0 is default

Tries to influence other ASes

Works between ASes

Different than an IGP: lower = better.

R1(config-router)#default-metric 200

Or you can do a route map.

R1(config-route-map)#set metric 200

The neighbor command more than likely just tells the packet where to go, to what destination.

BGP Configuration Part Deux

BGP configuration part 2

Advertising networks.

Now, since I have been working only with IGPs: normally the network command in an IGP does two things,

form a neighbor relationship and advertise the routes for that network.

With BGP, neighbors are statically defined, so typing neighbor x.x.x.x remote-as will statically define a neighbor.

To send out a network advertisement it must be done like this.

With debugging on.

r2(config)#router bgp 6400
r2(config-router)#network 100.2.2.0 mask 255.255.255.0
r2(config-router)#
*Mar  1 08:31:13.029: BGP: Applying map to find origin for 100.2.2.0/24
*Mar  1 08:31:13.037: BGP: Applying map to find origin for 100.2.2.0/24
*Mar  1 08:31:13.041: BGP: Applying map to find origin for 100.2.2.0/24

View from R4

r4#sh ip bgp
BGP table version is 7, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network          Next Hop            Metric LocPrf Weight Path
*> 100.2.2.0/24     2.2.2.2                  0             0 6400 i

A view from R3

r3#sh ip bgp
BGP table version is 1, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network          Next Hop            Metric LocPrf Weight Path
* i100.2.2.0/24     2.2.2.2                  0    100      0 6400 i

r3#ping 10.2.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

This will not ping?!

Since the EIGRP router does not have BGP running it will NOT route that packet, since it has no idea where 10.2.2.1 is.

BGP synchronization is turned on by default on most IOS versions.

Synchronization -> do not use or advertise a route learned with iBGP until the same route has been learned from the IGP.

Also look at the next hop address, which is the loopback interface 2.2.2.2.

With eBGP the next hop address is set to the router the route originated from, and iBGP passes it along unchanged.  So what I will have to do is tell R3 to use R4 as the next hop.  The way I will do that is the following:

r4(config-router)#neighbor 3.3.3.3 next-hop-self

Moving to R3:

r3#sh ip bgp
BGP table version is 2, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network          Next Hop            Metric LocPrf Weight Path
*>i100.2.2.0/24     4.4.4.4                  0    100      0 6400 i

The > indicates it is the best route and will be installed in the routing table.

BGP Configuration iBGP/eBGP

Basic BGP topology, first connecting neighbors (iBGP)

R1 interfaces

Lo1 - 1.1.1.1/32

F0/1 - 192.168.2.1/30

F0/0 - 192.168.1.1/30

R3 interfaces

Lo3 - 3.3.3.3/32

F0/0 - 192.168.2.2/30

R4 interfaces

Lo4 - 4.4.4.4/32

F0/0 - 192.168.1.1/30

F0/1 - 192.168.3.1

R2 interfaces

Lo2 - 2.2.2.2/32

F0/0 - 192.168.3.2

From R1

router bgp 6500
neighbor 192.168.1.2 remote-as 6500
neighbor 192.168.2.2 remote-as 6500

From R4

router bgp 6500
neighbor 192.168.1.1 remote-as 6500
neighbor 192.168.2.2 remote-as 6500

From R3

router bgp 6500
neighbor 192.168.2.1 remote-as 6500
neighbor 192.168.1.2 remote-as 6500

Using loopbacks as destination addresses

R1

r1(config)#router eigrp 1
r1(config-router)#network 1.1.1.1 0.0.0.0
r1(config-router)#network 192.168.0.0 0.0.255.255

R3

r3(config)#router eigrp 1
r3(config-router)#network 3.3.3.3 0.0.0.0
r3(config-router)#network 192.168.0.0 0.0.255.255

R4

r4(config)#router eigrp 1
r4(config-router)#network 4.4.4.4 0.0.0.0
r4(config-router)#network 192.168.0.0 0.0.255.255

Now, for the BGP settings.  We will configure R4 and R3 as BGP neighbors.  They do not have to be directly connected as long as they are reachable on the network.  We will not use the interface IP addresses of R3 or R4; we will simply use the loopback addresses.  We only have one connection to each router, but if we had redundant connections loopback addresses are a much better idea.  The catch is that they have to be reachable via the IGP, in this case EIGRP.

From R4

r4#ping 3.3.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 120/209/316 ms
r4#

r4(config)#router bgp 6500
r4(config-router)#neighbor 3.3.3.3 remote-as 6500
r4(config-router)#neighbor 3.3.3.3 update-source lo4

From R3 (the mirror image: R3 peers with R4's loopback and sources its packets from its own Lo3)

r3(config)#router bgp 6500
r3(config-router)#neighbor 4.4.4.4 remote-as 6500
r3(config-router)#neighbor 4.4.4.4 update-source lo3

Back on R4 the session comes up:

r4(config-router)#
*Mar  1 04:53:53.706: %BGP-5-ADJCHANGE: neighbor 3.3.3.3 Up

r4#sh ip bgp sum
BGP router identifier 4.4.4.4, local AS number 6500
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
3.3.3.3         4  6500       5       5        1    0    0 00:02:08        0

We have to use the update-source loopback command.

The reason is that when BGP peers with a neighbor it expects the update to come from that source address.

When 4.4.4.4 sends out an update to 3.3.3.3, this is what the packet will show:

Source 192.168.1.2

Destination 3.3.3.3

BGP will discard that packet since it did not come from 4.4.4.4.

By setting the update source, the packet can go out any interface we would like and it will still have a source of 4.4.4.4.

Also keep in mind the loopback has to be reachable: through static routes, EIGRP, OSPF, etc.  If it is reachable it can become an iBGP neighbor.

Configuring eBGP

From R4

r4(config-router)#neighbor 2.2.2.2 remote-as 6400
r4(config-router)#neighbor 2.2.2.2 update-source lo4
r4(config-router)#neighbor 2.2.2.2 ebgp-multihop 5
r4(config-router)#
*Mar  1 06:15:04.866: %BGP-5-ADJCHANGE: neighbor 2.2.2.2 Up

From R2

r2(config-router)#neighbor 4.4.4.4 remote-as 6500
r2(config-router)#neighbor 4.4.4.4 update-source lo2
r2(config-router)#neighbor 4.4.4.4 ebgp-multihop 5
r2(config-router)#

The same has to be done here with update-source, since the update would otherwise be sourced from the outgoing interface.  The other command we are using here is needed because with eBGP the neighbor HAS TO BE DIRECTLY CONNECTED!  With eBGP, even if a destination is reachable it has to be directly connected.  In my case I simply used static routes to each loopback; we could use an IGP but it is pointless.  But they have to be directly connected.

At this point we are using loopbacks for the sake of redundancy.  I have only 1 outgoing interface, but in some cases ISP / CE routers might have 2 or 3 connections; if they are all static routes they will all load balance.  This is also where a loopback is good to use if one of the directly connected routes goes down.

Any time we peer with loopbacks we must use the ebgp-multihop command; the 5 used in my command is simply the number of hops to allow.
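The two lessons in this section (a peer only accepts a session from an address it has a neighbor statement for, and an eBGP peer on a loopback needs ebgp-multihop) are easy to get wrong, so here is a Python model of the acceptance checks that I am adding as an example.  It is not IOS code and not part of the original notes: the connected subnets, the R2/R3/R4 router objects and the "intermediate routers" hop count are constructed for the demo, and the TTL rule is the assumption that the sender sets TTL to its ebgp-multihop value (1 when the command is absent).

```python
"""Why a BGP session forms or stays in Active: a simulated peer check
(added example, not IOS code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class NeighborConfig:
    remote_as: int
    update_source: Optional[str] = None   # `neighbor X update-source loN`: packet source address
    ebgp_multihop: int = 1                # `neighbor X ebgp-multihop N`; 1 = directly connected only


@dataclass
class BgpRouter:
    local_as: int
    connected: List[str]                   # directly connected subnets (constructed)
    neighbors: Dict[str, NeighborConfig]   # keyed by the configured neighbor address

    def source_for(self, neighbor_ip: str, egress_ip: str) -> str:
        """Sending side: without update-source the packet carries the egress interface address."""
        cfg = self.neighbors[neighbor_ip]
        return cfg.update_source or egress_ip

    def accept_session(self, src_ip: str, peer_as: int,
                       intermediate_routers: int) -> Tuple[bool, str]:
        """Receiving side: decide whether an OPEN arriving from src_ip is accepted."""
        cfg = self.neighbors.get(src_ip)
        if cfg is None:
            # No `neighbor <src_ip>` statement, so the TCP connection is refused outright.
            return False, f"no neighbor statement for {src_ip}; TCP connection refused"
        if peer_as != cfg.remote_as:
            return False, f"OPEN carries AS {peer_as}, configured remote-as is {cfg.remote_as}"
        if cfg.remote_as != self.local_as:   # checks that only apply to eBGP
            on_link = any(ip_address(src_ip) in ip_network(net) for net in self.connected)
            if not on_link and cfg.ebgp_multihop <= 1:
                return False, f"eBGP peer {src_ip} is not on a connected subnet and ebgp-multihop is not set"
            if intermediate_routers >= cfg.ebgp_multihop:
                return False, f"TTL {cfg.ebgp_multihop} expired after {intermediate_routers} router hops"
        return True, "session established"


# Constructed routers following the topology in the notes: R3 and R4 in AS 6500, R2 in AS 6400.
R3 = BgpRouter(6500, ["192.168.2.0/30"],
               {"4.4.4.4": NeighborConfig(6500, update_source="3.3.3.3")})
R4_NO_SOURCE = BgpRouter(6500, ["192.168.1.0/30", "192.168.3.0/30"],
                         {"3.3.3.3": NeighborConfig(6500)})
R4_NO_MULTIHOP = BgpRouter(6500, ["192.168.1.0/30", "192.168.3.0/30"],
                           {"2.2.2.2": NeighborConfig(6400, update_source="4.4.4.4")})
R4 = BgpRouter(6500, ["192.168.1.0/30", "192.168.3.0/30"],
               {"3.3.3.3": NeighborConfig(6500, update_source="4.4.4.4"),
                "2.2.2.2": NeighborConfig(6400, update_source="4.4.4.4", ebgp_multihop=5)})


def walkthrough() -> List[bool]:
    """iBGP to a loopback without/with update-source, then eBGP to a loopback without/with multihop."""
    return [
        R3.accept_session(R4_NO_SOURCE.source_for("3.3.3.3", "192.168.1.2"), 6500, 0)[0],
        R3.accept_session(R4.source_for("3.3.3.3", "192.168.1.2"), 6500, 0)[0],
        R4_NO_MULTIHOP.accept_session("2.2.2.2", 6400, 0)[0],
        R4.accept_session("2.2.2.2", 6400, 0)[0],
    ]


if __name__ == "__main__":
    print(walkthrough())   # [False, True, False, True]
```

The first check is also the reason a BGP speaker does not talk to just anybody: a connection from an address with no neighbor statement never gets past the TCP layer, so the list of neighbor statements is effectively the list of who may peer with the router.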

 

 

 

 

Route-maps, Distribute Lists, Passive Interfaces and Prefix Lists

The first thing to remember is that route maps are always defined by ACLs, so the number in a match statement is always the ACL.

Second thing to remember: when creating a route-map and not using a sequence number, the default is 10, and it goes up in increments of 10.

Third, route-maps are similar to ACLs: the router will go through the list and match route-map entries 10, 20, 30, etc.; if nothing matches it is like an implicit deny.

1.) Route maps for redistribution

Router(config)#route-map TEST permit 10
Router(config-route-map)#match ip address 23 (ACL)

So when I redistribute this I can do the following:

Router(config)#router eigrp 1
Router(config-router)#redistribute ospf 1 route-map TEST

2.) Route maps for Policy Based Routing (PBR)

Router(config)#route-map Test
Router(config-route-map)#match ip address 23
Router(config-route-map)#set ip next-hop 192.168.1.1
!
Router(config)#ip local policy route-map Test

^^ Applies to traffic generated by the router itself.

Or

Router(config)#route-map test
Router(config-route-map)#set interface fa0/1
!
Router(config)#int fa0/0
Router(config-if)#ip policy route-map test

^^ Forwards out an interface; since there is no match statement, everything goes right out of that interface.

3.) Tagging routes using a route map

This is slightly confusing, but if you are redistributing EIGRP into OSPF you can tag the EIGRP routes as they are redistributed into OSPF and then deny those tagged routes from going from OSPF back into EIGRP.

Router(config)#route-map test1 deny 6
Router(config-route-map)#match tag 1
Router(config-route-map)#route-map test1 permit 10
Router(config-route-map)#set tag 2

Router(config)#route-map test2 deny 6
Router(config-route-map)#match tag 2
Router(config-route-map)#route-map test2 permit 10
Router(config-route-map)#set tag 1

Then when redistributing we have to do the following:

Router(config)#router eigrp 1
Router(config-router)#redistribute ospf 2 route-map test2 metric 100 100 100 100 1000
Router(config-router)#router ospf 1
Router(config-router)#redistribute eigrp 1 route-map test1 subnets
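To make the sequence-number, implicit-deny and tag behaviour concrete, here is a Python route-map evaluator that I am adding as an example; it simulates the IOS behaviour described above and is not IOS code or part of the original notes.  The test1/test2 entries mirror the ones in the config, while the Route class, the two sample prefixes and the one-router redistribution loop are constructed for the demo.

```python
"""Route-map evaluation with tags, as used to stop redistribution loops
(added example; a simulation, not IOS code)."""
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Tuple


@dataclass
class Route:
    prefix: str
    source: str                 # protocol that currently owns the route, e.g. "eigrp"
    tag: int = 0                # 0 = untagged


@dataclass
class Entry:
    seq: int
    action: str                 # "permit" or "deny"
    match_tag: Optional[int] = None   # None = no match clause, matches everything
    set_tag: Optional[int] = None


@dataclass
class RouteMap:
    name: str
    entries: List[Entry] = field(default_factory=list)

    def apply(self, route: Route) -> Tuple[bool, Route]:
        """Walk the entries in sequence order; the first matching entry decides.
        Falling off the end is an implicit deny, exactly like an ACL."""
        for e in sorted(self.entries, key=lambda x: x.seq):
            if e.match_tag is not None and route.tag != e.match_tag:
                continue
            if e.action == "deny":
                return False, route
            if e.set_tag is not None:
                return True, replace(route, tag=e.set_tag)
            return True, route
        return False, route


def redistribute(routes: List[Route], from_proto: str, into: str,
                 rmap: RouteMap) -> List[Route]:
    """Routes owned by from_proto that the route-map permits are copied into `into`."""
    out = []
    for r in routes:
        if r.source != from_proto:
            continue
        ok, new = rmap.apply(r)
        if ok:
            out.append(replace(new, source=into))
    return out


def merge(target: List[Route], new: List[Route]) -> List[Route]:
    """Add routes the target table does not already have (by prefix)."""
    have = {r.prefix for r in target}
    return target + [r for r in new if r.prefix not in have]


# Route-maps mirroring test1 / test2 from the config above.
TEST1 = RouteMap("test1", [Entry(6, "deny", match_tag=1), Entry(10, "permit", set_tag=2)])
TEST2 = RouteMap("test2", [Entry(6, "deny", match_tag=2), Entry(10, "permit", set_tag=1)])


def simulate() -> Dict[str, List[Route]]:
    """Two-way redistribution between EIGRP and OSPF at one ASBR (constructed routes)."""
    eigrp = [Route("10.1.0.0/16", "eigrp")]
    ospf = [Route("172.16.0.0/16", "ospf")]
    # EIGRP -> OSPF through test1: native EIGRP routes are stamped with tag 2.
    ospf = merge(ospf, redistribute(eigrp, "eigrp", "ospf", TEST1))
    # OSPF -> EIGRP through test2: tag 2 routes are denied (no loop), the rest get tag 1.
    eigrp = merge(eigrp, redistribute(ospf, "ospf", "eigrp", TEST2))
    # A second EIGRP -> OSPF pass must not re-inject the tag 1 route either.
    ospf = merge(ospf, redistribute(eigrp, "eigrp", "ospf", TEST1))
    return {"eigrp": eigrp, "ospf": ospf}


if __name__ == "__main__":
    for proto, table in simulate().items():
        print(proto, [(r.prefix, r.tag) for r in table])
```

Without the deny entries each pass would hand the other protocol's routes straight back, so every prefix would end up with a fake external origin on both sides; the tags are what let the second route-map recognise "this came from us" and drop it.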

Prefix Lists

A prefix list is used to match both the subnet and the prefix length in a subnet mask.  You can permit or deny.  Also, there is an implicit deny at the end of the prefix list.

ip prefix-list test1 seq 10 deny 192.168.1.1/24 ge 24 le 30

test1 -> name of the prefix list; there are no numbered prefix lists

deny or permit -> permitting or denying

192.168.1.1/24 -> the IP address and prefix length have to be entered

ge or le -> greater than or equal / less than or equal to the following prefix length in CIDR notation

ip prefix-list TEST permit 0.0.0.0/0 le 32 -> permits everything

ip prefix-list Test permit 192.168.1.1/24 ge 24 le 30 -> permits any subnet of 192.168.1.0/24 with a prefix length from /24 up to /30

We can use prefix lists in BGP:

R3(config-router)#neighbor 172.12.123.1 prefix-list TEST1 out
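The ge/le semantics trip people up (what does an entry with only ge match, what does one with neither match), so here is a Python matcher that I am adding as an example; it reproduces the IOS matching rules and is not IOS code or part of the original notes.  The two lists mirror the entries above; the candidate prefixes fed through them and the filter_outbound() helper standing in for `neighbor X prefix-list NAME out` are constructed for the demo.

```python
"""IOS-style prefix-list matching with ge/le (added example, not IOS code)."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional


@dataclass
class PrefixEntry:
    seq: int
    action: str                 # "permit" | "deny"
    prefix: str                 # e.g. "192.168.1.0/24"
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, candidate: str) -> bool:
        """A candidate X/len matches when it lies inside the entry's network and
        len is in the allowed range: neither ge nor le -> exactly the entry length;
        ge only -> ge..32; le only -> entry length..le; both -> ge..le."""
        entry = ip_network(self.prefix, strict=False)   # strict=False tolerates host bits, like IOS
        cand = ip_network(candidate, strict=False)
        if cand.version != entry.version or not cand.subnet_of(entry):
            return False
        low = self.ge if self.ge is not None else entry.prefixlen
        if self.le is not None:
            high = self.le
        elif self.ge is not None:
            high = entry.max_prefixlen
        else:
            high = entry.prefixlen
        return low <= cand.prefixlen <= high


@dataclass
class PrefixList:
    name: str
    entries: List[PrefixEntry]

    def permits(self, candidate: str) -> bool:
        """First matching entry (lowest seq first) decides; no match = implicit deny."""
        for e in sorted(self.entries, key=lambda x: x.seq):
            if e.matches(candidate):
                return e.action == "permit"
        return False


def filter_outbound(plist: PrefixList, prefixes: List[str]) -> List[str]:
    """What `neighbor X prefix-list NAME out` would let through to that neighbor."""
    return [p for p in prefixes if plist.permits(p)]


# Lists mirroring the entries in the notes (the seq 20 permit-all is added so test1 lets
# something through; on its own the deny entry plus the implicit deny would block everything).
TEST1 = PrefixList("test1", [
    PrefixEntry(10, "deny", "192.168.1.1/24", ge=24, le=30),
    PrefixEntry(20, "permit", "0.0.0.0/0", le=32),
])
ONLY_SITE = PrefixList("Test", [PrefixEntry(5, "permit", "192.168.1.1/24", ge=24, le=30)])

# Constructed candidate prefixes.
CANDIDATES = ["192.168.1.0/24", "192.168.1.128/25", "192.168.1.0/31", "192.168.0.0/16", "10.0.0.0/8"]

if __name__ == "__main__":
    print(filter_outbound(TEST1, CANDIDATES))      # everything except the /24../30 subnets
    print(filter_outbound(ONLY_SITE, CANDIDATES))  # only the /24 and /25
```

Note the two edge cases the code handles: a /31 inside 192.168.1.0/24 is outside the ge 24 le 30 window and so falls through to the next entry, and a shorter prefix such as 192.168.0.0/16 is not a subnet of the /24 at all and is never matched by it.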

Distribute Lists

For filtering routing updates and routes being redistributed.  Uses ACLs.  The best use for this is blocking routing updates.  Normally associated with OSPF.

distribute-list 23 in
distribute-list 23 out

router eigrp 1
network 192.168.0.0
distribute-list 23 out fa0/1

The way this works is that if a routing update goes out Fa0/1 the router checks the ACL to see if it is okay.

Passive Interface

Used so there are no hello packets / routing updates sent out on an interface.  The reason for this is that if I have an interface that is not participating in an IGP like EIGRP, RIP, OSPF, etc., CPU cycles are being wasted sending them out that interface.

router eigrp 1
passive-interface default
no passive-interface fa1/0
network 192.168.0.0 0.0.255.255

Different IGPs handle passive interfaces differently:

RIP -> does not send its multicast updates, but it will still receive them

EIGRP -> will not send or receive

OSPF -> will not send or receive

Path Control

Offset-lists

This is a way to increase the metric of a route.  It uses an ACL, and the only two IGPs that support offset-lists are RIP and EIGRP.

First configure an ACL:

Router(config)#ip access-list standard offset
Router(config-std-nacl)#permit 192.168.1.0 0.0.0.255
!
Router(config)#router eigrp 1
Router(config-router)#offset-list offset in 2000 fa0/0

What this does is increase the metric for that 192.168.1.0 route by 2000, which can be displayed in the IP route table.

IOS SLA

A newer feature in newer IOS versions that allows the router to monitor any type of TCP connection.  This will actually use TCP operations to monitor a router / the path it is taking.  For example, you can have a DNS server or a route pinged every 10 seconds to check the health or the ping time in milliseconds.  If the ping fails or the path is not up you can then take an alternative path.

First create the SLA.

Pings every 10 seconds:

!
Router(config)#ip sla 1
Router(config-ip-sla)#icmp-echo 192.168.1.1
Router(config-ip-sla)#frequency 10
!

Set the time:

!
Router(config)#ip sla schedule 1 life forever start-time now
!

Set reachability:

Router(config)#track 1 ip sla 1 reachability
!

If it is reachable with the ping then use this default route:

Router(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1 track 1

So what we created here was a ping every 10 seconds to 192.168.1.1, started now and running forever.

We next check to see if it is reachable; while it is reachable, all traffic is sent out that default route.

If we wanted to we could have set up an SLA 2 and a second default route with an administrative distance of 3, sending all traffic out that destination if the SLA 1 ping failed every 10 seconds.

SLAs are also really common to create for monitoring; SLA tools run on a server can display the SLA health.
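To show how the tracked default route and a floating static with a higher administrative distance work together, here is a small Python simulation of the routing table that I am adding as an example; it is not IOS code and not part of the original notes.  The primary route matches the `ip route ... 192.168.1.1 track 1` line above; the backup next hop 10.10.10.1, the AD of 3 and the sequence of probe results are constructed for the demo, and the track object is assumed to start in the down state until the first probe result arrives.

```python
"""Tracked static route failover, simulated (added example; not IOS code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class StaticRoute:
    prefix: str
    next_hop: str
    distance: int = 1            # administrative distance; lower wins
    track: Optional[int] = None  # `ip route ... track N`


@dataclass
class Track:
    """track N ip sla N reachability: up while the last probe succeeded.
    Assumption: starts down until the first probe result arrives."""
    number: int
    up: bool = False


class Rib:
    def __init__(self, routes: List[StaticRoute], tracks: List[Track]):
        self.routes = routes
        self.tracks: Dict[int, Track] = {t.number: t for t in tracks}

    def probe_result(self, track_no: int, reachable: bool) -> None:
        """An icmp-echo result from the SLA feeds the track object."""
        self.tracks[track_no].up = reachable

    def active_route(self, prefix: str) -> Optional[StaticRoute]:
        """A tracked route is only a candidate while its track is up; among the
        candidates the lowest administrative distance is installed."""
        cands = [r for r in self.routes
                 if r.prefix == prefix and (r.track is None or self.tracks[r.track].up)]
        return min(cands, key=lambda r: r.distance) if cands else None


def build_rib() -> Rib:
    # ip route 0.0.0.0 0.0.0.0 192.168.1.1 track 1   (primary, AD 1)
    # ip route 0.0.0.0 0.0.0.0 10.10.10.1 3          (floating backup, constructed next hop)
    return Rib([StaticRoute("0.0.0.0/0", "192.168.1.1", 1, track=1),
                StaticRoute("0.0.0.0/0", "10.10.10.1", 3)],
               [Track(1)])


def run_probes(rib: Rib, track_no: int, results: List[bool],
               prefix: str = "0.0.0.0/0") -> List[str]:
    """Feed a constructed sequence of probe outcomes (one per 10 s interval) and
    record which next hop the default route points at after each one."""
    history = []
    for ok in results:
        rib.probe_result(track_no, ok)
        route = rib.active_route(prefix)
        history.append(route.next_hop if route else "none")
    return history


if __name__ == "__main__":
    print(run_probes(build_rib(), 1, [True, True, False, False, True]))
```

The floating static is never "preferred"; it simply becomes the only candidate once the track withdraws the AD 1 route, and the primary is reinstalled as soon as a probe succeeds again.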


OSPF ROUTE notes and fundamentals

OSPF -> Open Shortest Path First.

Capabilities and other attributes

Fast convergence, but not as fast as EIGRP.

Link state routing protocol.

Uses Dijkstra's algorithm to find paths.

Uses cost as the metric.

Does not perform summarization by default; only on an ABR / ASBR.

All areas must connect to area 0 unless connected through a virtual link.

All routers have a copy of the LSDB.

Cisco suggests an area should have no more than 50 routers.

Numbers to remember

Multicast address is 224.0.0.5

DR/BDR multicast = 224.0.0.6

Protocol 89; OSPF is its own layer 4 protocol (not TCP/UDP) and sends LSAcks for reliability.

Administrative distance = 110

Cost is determined the following way -> 100 / link bandwidth in Mbps; for a T1, 100/1.54 = 64 cost.

Every 30 minutes routers re-send their LSAs with a higher sequence number to refresh their neighbors.

Hello packets are every 10 seconds by default, to find neighbors and check on them.

Hello packets are sent every 30 seconds on NBMA networks.

The dead timer is always 4x the hello interval.

Router priority by default is always 1.

Different types of OSPF packets

1.) LSA -> updates about individual routes.  Normally LSUs contain multiple LSAs, so an LSU that comes over after an LSR will have LSAs for the 192.168.0.0 network and the 10.0.0.0 network.

2.) DBD -> Database Description; checks for database synchronization.  Contains a summary of the LSDB, which includes all known RIDs and their last sequence numbers.

3.) LSR -> Link State Request; requests information about networks.

4.) LSU -> Link State Update; contains the full LSA entries.  Multiple LSA entries can fit in one OSPF update packet.  Replies to the LSR.

5.) LSAck -> acknowledges the other packet types, making OSPF reliable.

The biggest difference between link state and distance vector is that distance vector relies completely on the adjacent neighbor router to give the router its best path to a destination.

All link state routers keep track of the following information:

OSPF neighbor table -> its adjacent neighbors.

OSPF topology table -> all other routers in the topology, in their area or in the next area if it is an ABR.

Routing table -> built from the topology table, which includes ALL paths from every single router to every network.

How an OSPF router becomes a neighbor with another OSPF router

1.) Down state -> the router sends hello packets to the multicast address 224.0.0.5.

The hello packet contains the following:

RID

Area

Subnet mask

DR/BDR

Authentication, if it uses it

Stub flag

2.) INIT state -> the receiving router checks the hello packet (is it in the same area, are the dead timers / hello timers the same; at that point the router moves up a state).

Checks the following:

Hello / dead intervals

Subnet mask

Area ID

Authentication password, if it uses it

Stub area flag

3.) Two-way state -> when the router receives all the packets it sends a unicast reply.

4.) ExStart -> starts the DR / BDR election.

5.) After it is in that state, the two routers exchange their LSDBs.  Now the routers are in a FULL relationship.

6.) The router then forwards any new LSAs to neighbor routers.

OSPF neighbor states

Down - no OSPF yet; sends out the hello packet at this point on the multicast address

Init - a hello packet has been received

Two-way - the router sees its own RID in a hello packet

ExStart - the DR / BDR election process takes place, or it finds the existing one

Exchange - DBDs / LSDB summaries have been exchanged

Loading - exchange of LSRs and LSUs to build the LSDB

Full - neighbors are fully adjacent at this point

Convergence process

If the following happens:

192.168.1.0 --------> Router 1 ---------> Router 17 -----------> Router 2 (DR)

Router 1 will then send a multicast to 224.0.0.6 for the BDR and DR, telling them it needs to flood an LSU carrying the LSAs.

At that point the DR sends an ack telling Router 1 it received the LSU from it.

Next Router 2 / the DR sends a multicast LSU to the other routers on the normal 224.0.0.5 multicast.  Each router responds with an LSAck.

If a router is connected to another area it will first forward the LSU to its DR in that area.

Advantages of using different areas to break OSPF down further

Reduced overhead with SPF calculations -> each area does calculations only for that area; it will not go over to the next area and flood that area with its LSAs.

Smaller routing tables -> since the ABR / ASBR summarizes routes it makes the routing table smaller, so choosing a path is easier.

Reduced LSU overhead -> instead of sending multiple LSUs the ABR / ASBR summarizes a route.

Area terminology

Two types of areas exist within an OSPF network:

backbone -> also known as area 0

regular non-backbone area -> any other area that is not the backbone and is connected via area 0.

Internal router -> routers that have all of their interfaces in the same area.  All routers within the area have the same LSDB; that means they all have the same LSDB for their networks, and the ABR / ASBR does the summarization.  So for example area 1 is going to know about all its routes plus maybe 192.168.0.0 coming out of another router in area 0 via another router.

Backbone router -> a router that sits in area 0.

Area Border Router -> routers that have interfaces connected to area 0 and to a directly attached area.  So for example an ABR in:  Area 0----R1-----R2---area 15

Autonomous System Boundary Router -> routers that have at least one interface connecting to a different AS, possibly an exit to the internet or possibly another IGP.

Designated Router -> DR -> 1 per shared segment

BDR -> really does not do much other than back up the DR in case of failure

DROther -> everything else.

Point-to-point -> obviously has no DR.

How are DR / BDRs selected?

1st has to do with the OSPF priority; the default is 1.  The highest priority wins DR, the second is BDR.

The tie breaker is the router ID.

All DROthers are ALWAYS in a 2-way state with each other; on a broadcast network the only relationship other than with the DR/BDR (or on a P2P link) is 2-way.

Full relationships are formed with both the DR and the BDR.
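To tie together the DR/BDR election rules just above and the cost formula from the "Numbers to remember" section, here is a Python example I am adding; it is not IOS code and not part of the original notes.  elect() applies priority first and router ID as the tie breaker, excluding priority 0 routers, and ospf_cost() computes reference bandwidth / interface bandwidth with the auto-cost reference-bandwidth value as a parameter.  The segment of routers is constructed for the demo, and one assumption is stated in the code: the election is modelled as a cold start where every router comes up at once, whereas a running DR is not pre-empted by a better candidate in real OSPF.

```python
"""OSPF DR/BDR election and interface cost (added example, not IOS code)."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class OspfRouter:
    rid: str
    priority: int = 1     # default priority; 0 = never DR/BDR (always DROther)


def elect(routers: List[OspfRouter]) -> Tuple[Optional[OspfRouter], Optional[OspfRouter]]:
    """Highest priority wins DR, the runner-up is BDR; the RID breaks ties.
    Priority 0 routers are excluded.  Assumption: cold start with every router
    booting at once (an established DR is not pre-empted in real OSPF)."""
    eligible = [r for r in routers if r.priority > 0]
    ordered = sorted(eligible, key=lambda r: (r.priority, int(ip_address(r.rid))), reverse=True)
    dr = ordered[0] if ordered else None
    bdr = ordered[1] if len(ordered) > 1 else None
    return dr, bdr


def ospf_cost(bandwidth_mbps: float, reference_mbps: int = 100) -> int:
    """cost = reference bandwidth / interface bandwidth, truncated to an integer,
    never below 1.  reference_mbps is what `auto-cost reference-bandwidth` changes."""
    return max(1, int(reference_mbps / bandwidth_mbps))


# Constructed shared segment: three default-priority routers and one that opts out.
SEGMENT = [OspfRouter("1.1.1.1"), OspfRouter("3.3.3.3"),
           OspfRouter("4.4.4.4"), OspfRouter("2.2.2.2", priority=0)]

if __name__ == "__main__":
    dr, bdr = elect(SEGMENT)
    print("DR", dr.rid, "BDR", bdr.rid)                    # DR 4.4.4.4 BDR 3.3.3.3
    print("T1 cost", ospf_cost(1.544), ospf_cost(1.544, 1000))
```

With the default reference bandwidth every link of 100 Mbps or faster collapses to cost 1, which is why the last command in the OSPF command list raises the reference to 1000 so that FastEthernet and GigabitEthernet are told apart.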

 

 

How to redistribute static routes from an ASBR to all other routers

Has to be done after setting up the OSPF process:

router ospf 1
redistribute static subnets metric 200 metric-type 2

subnets -> without it OSPF tries to summarize automatically; metric 200 -> gives a metric of 200; metric-type 2 -> sets it as E2.

OSPF external types

E1 -> increments the metric -> so all routers add the cost per router; it will increase.

E2 -> does not increase the metric -> so this will keep the cost metric at 200 per the prior example.

OSPF in broadcast mode -> Ethernet / Token Ring.

DR/BDR elections

Single 10 second hellos

2 multicast addresses: 224.0.0.5 / 224.0.0.10

OSPF in point-to-point networks

No DR/BDR

Both are in FULL state

Hellos every 10 seconds

OSPF over NBMA

Frame Relay / ATM

5 different ways of using OSPF

No multicasts or broadcasts

Pseudo-broadcasting - when a broadcast is sent through the cloud.  It is more like a unicast through each DLCI.

DR/BDR HAVE TO HAVE FULL CONNECTIVITY

How to make OSPF work without connecting to area 0, with virtual links

Depends on the RID.

router ospf 1
area 1 virtual-link 3.3.3.3 -> RID

The RID has to be that of the ABR/ASBR.

The virtual link has to be configured on both sides.

LSA types

type 1 - hello LSA

type 2 - DR / BDR

type 3 - ABR

type 4 - ASBR -> these are from summarized

type 5 - external routes

Stub area -> blocks type 5 LSAs

Totally stubby -> blocks type 3, 4 and 5 LSAs

Stub area

Simple configuration:

router ospf 1
(config-router) area 1 stub

The reason for blocking LSAs would be to get routes filtered in that area.

So for example, if you configured R3 as a regular Ethernet setup and had

O E2 192.168.1.0

O E2 192.168.2.0

If you set it up as a stub area it would then just have

O* 0.0.0.0 via the ABR

Just giving it an external path that does not give any information about the external routes.

0.0.0.0 via the ABR, since the ABR knows the entire route.

This is best to shrink the routing table and give less overhead if there are a ton of external routes.

Totally stubby area ->  blocks almost everything, LSA 3, 4, 5.  Cisco proprietary.

The only router that has to be a Cisco device is the ABR.

(config-router) area 1 stub no-summary

^^ on the ABR

The regular directly connected router has to be just a stub area.

This filters practically everything; it should only have

O*IA 0.0.0.0 via ABR

Since it blocks LSA 3, 4, 5, the only other LSAs which are available there would be the DR and the hello packets.

Not So Stubby Area

This is confusing.

Passes external routes through a type 7 LSA.

If a router is connected through an OSPF router to an entire area, and it is also an ASBR to something like EIGRP, RIP, static, etc.

The router which is directly connected to the NSSA router takes that area as an LSA 5.

area 1 nssa

The ABR would have to be configured as

area 1 nssa no-summary

OSPF Commands

sh ip proto

sh ip ospf database

router-id 1.1.1.1 -> sets the RID

clear ip ospf process

sh ip ospf int

ip ospf priority 0 (interface command) -> sets it to DROther automatically

area 10 range 192.168.1.0 255.255.252.0 -> will summarize that route for the area.

(config-router) auto-cost reference-bandwidth 1000 -> divides by 1000 instead of 100