1 CCIE RS v5 Step by Step


CCIE R&S v5 Advanced Technology Labs - LAN Switching

- Layer 2 Access Switchports: OK
- Layer 2 Dynamic Switchports: OK

DTP Negotiation: OK

On: Puts the port into permanent trunking mode and negotiates to convert the link into a trunk link. The port becomes a trunk port even if the neighboring port does not agree to the change.
Desirable: Actively attempts to form a trunk, subject to neighbor agreement. The port becomes a trunk port if the neighboring port is set to on, desirable, or auto mode.
Auto: Makes the port willing to convert the link to a trunk link. The port becomes a trunk port if the neighboring port is set to on or desirable mode. This is the default mode.
Off (access mode in Cisco IOS software): Never becomes a trunk, even if the neighbor tries. Puts the LAN port into permanent nontrunking mode and negotiates to convert the link into a nontrunking link.
Nonegotiate: Puts the port into permanent trunking mode but prevents the port from generating DTP frames. You must configure the neighboring port manually as a trunk port to establish a trunk link.

With Cisco devices, there are three Ethernet trunk encapsulation types:
ISL: Uses ISL encapsulation on the trunk link.
Dot1q: Uses 802.1Q encapsulation on the trunk link.
Negotiate: Specifies that the LAN port negotiate with the neighboring LAN port to become an ISL (preferred) or 802.1Q trunk, depending on the configuration and capabilities of the neighboring LAN port.

DTP Negotiated Interface Modes (local mode in rows, neighbor mode in columns):

                | Auto    | Desirable | Trunk                | Access
Auto            | Access  | Trunk     | Trunk                | Access
Desirable       | Trunk   | Trunk     | Trunk                | Access
Trunk           | Trunk   | Trunk     | Trunk                | Limited connectivity
Access          | Access  | Access    | Limited connectivity | Access

- 802.1q Dynamic Trunking: OK
- 802.1q Native VLAN: untagged. If you want to carry native VLAN traffic over an 802.1q trunk, you must configure switchport trunk native vlan x, because every frame is tagged except those of the native VLAN.

TIP: You can configure the switch with the command vlan dot1q tag native if you need to send native VLAN frames with a VLAN tag.
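The following is an added example, not code from the original notes: it resolves the DTP mode table above for any pair of modes (including trunk + nonegotiate, which is not a row of the table), models how the native VLAN decides whether a frame leaves an 802.1Q trunk tagged, and lists host-facing ports whose mode still lets the neighbor decide the outcome. Port names and the sample port modes are constructed for the example.

```python
# Added example, not from the original notes: resolves the DTP outcome
# table above for any pair of modes and models 802.1Q native-VLAN tagging.
from typing import Dict, List, Optional

MODES = ("auto", "desirable", "trunk", "access", "nonegotiate")

def dtp_outcome(local: str, remote: str) -> str:
    """Operational result of a link given each end's DTP mode.

    "nonegotiate" stands for 'switchport mode trunk' + 'switchport nonegotiate':
    the port is a trunk but sends no DTP frames, so the far end only trunks if
    it is statically configured as a trunk as well.
    """
    ends = {local, remote}
    if "nonegotiate" in ends:
        other = remote if local == "nonegotiate" else local
        return "trunk" if other in ("trunk", "nonegotiate") else "limited connectivity"
    if ends == {"trunk", "access"}:
        return "limited connectivity"   # one end tags frames, the other does not
    if "access" in ends:
        return "access"                 # access never trunks, whatever the neighbor sends
    if "trunk" in ends or "desirable" in ends:
        return "trunk"                  # at least one end actively asks for a trunk
    return "access"                     # auto + auto: both wait, nobody asks

def negotiation_table() -> Dict[str, Dict[str, str]]:
    """The full matrix, rows = local mode, columns = neighbor mode."""
    return {a: {b: dtp_outcome(a, b) for b in MODES} for a in MODES}

def egress_tagged(vlan: int, native_vlan: int, tag_native: bool = False) -> bool:
    """Does a frame of this VLAN leave an 802.1Q trunk with a tag?

    By default native-VLAN frames leave untagged; 'vlan dot1q tag native'
    (tag_native=True) makes the switch tag them as well.
    """
    return vlan != native_vlan or tag_native

def ingress_vlan(tag: Optional[int], native_vlan: int) -> int:
    """An untagged frame arriving on a trunk is assigned to the native VLAN."""
    return native_vlan if tag is None else tag

def ports_open_to_negotiation(port_modes: Dict[str, str]) -> List[str]:
    """Ports left in a mode where the neighbor alone can turn the link into a
    trunk (auto, the default, or desirable). Host-facing ports should be 'access'."""
    return sorted(p for p, m in port_modes.items() if m in ("auto", "desirable"))

if __name__ == "__main__":
    # constructed sample: two host-facing ports were left at DTP defaults
    sample = {"Gi0/1": "access", "Gi0/2": "auto", "Gi0/3": "trunk", "Gi0/4": "desirable"}
    for row, cols in negotiation_table().items():
        print(f"{row:12} " + " ".join(f"{cols[c]:>20}" for c in MODES))
    print("ports a neighbor could negotiate into a trunk:", ports_open_to_negotiation(sample))
```

The negotiation table is derived from the mode definitions rather than copied from the table, so the two can be checked against each other; the mitigation for the ports listed by `ports_open_to_negotiation` is the explicit access mode the notes describe.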

- VTP Domain / Transparent / VTP Password / VTP Pruning / Prune-Eligible List
- VTP protocol version: 1, 2 or 3

VTP message types:

Summary advertisements: By default, Catalyst switches issue summary advertisements in five-minute increments. Summary advertisements inform adjacent Catalysts of the current VTP domain name and the configuration revision number. When a switch receives a summary advertisement packet, it compares the VTP domain name with its own. If the names differ, the switch simply ignores the packet. If the names match, the switch compares the configuration revision with its own. If its own configuration revision is higher or equal, the packet is ignored. If it is lower, an advertisement request is sent.

Subset advertisement: Whenever you add, delete or change a VLAN on a Catalyst, the server Catalyst where the change was made increments the configuration revision and issues a summary advertisement. One or more subset advertisements follow the summary advertisement. A subset advertisement contains a list of VLAN information. If there are several VLANs, more than one subset advertisement may be required to advertise all of them.

Advertisement requests are sent when: the switch has been reset; the VTP domain name has been changed; the switch received a VTP summary advertisement with a higher configuration revision than its own. On receiving an advertisement request, a VTP device sends a summary advertisement, followed by one or more subset advertisements.

VTP modes
A switch can be configured to operate in one of these VTP modes:

Server: In VTP server mode you can create, modify and delete VLANs, and specify other configuration parameters such as VTP version and pruning, for the entire VTP domain. VTP servers advertise their VLAN configuration to other switches in the same VTP domain and synchronize their VLAN configuration with other switches based on advertisements received over trunk links. VTP server is the default mode.

Client: VTP clients behave the same way as VTP servers, but you cannot create, change or delete VLANs on a client.

Transparent: VTP transparent switches do not participate in VTP. A VTP transparent switch neither advertises its VLAN configuration nor synchronizes its VLAN configuration based on received advertisements. However, in VTP version 2, transparent switches forward the VTP advertisements they receive out their trunk ports.

Off (configurable only on CatOS switches): In the three modes described above, VTP advertisements are received and transmitted as soon as the switch enters the management domain state. In off mode, the switch behaves as in VTP transparent mode, the only difference being that VTP advertisements are not forwarded.

VTP Version 3: do again!!!

PDF:VTP_configurations.pdf

Layer 2 EtherChannel (ON with ON) / Layer 2 EtherChannel with PAgP / Layer 2 EtherChannel with LACP / Layer 3 EtherChannel

For mode, select one of these keywords:

active: Enables LACP only if an LACP device is detected. It places an interface into an active negotiating state, in which the interface starts negotiations with other interfaces by sending LACP packets.
auto: Enables PAgP only if a PAgP device is detected. It places an interface into a passive negotiating state, in which the interface responds to PAgP packets it receives but does not start PAgP packet negotiation.
desirable: Unconditionally enables PAgP. It places an interface into an active negotiating state, in which the interface starts negotiations with other interfaces by sending PAgP packets.
on: Forces the interface to channel without PAgP. With the on mode, a usable EtherChannel exists only when an interface group in the on mode is connected to another interface group in the on mode.
non-silent: If your switch is connected to a partner that is PAgP-capable, you can configure the switch interface for nonsilent operation. You can configure an interface with the non-silent keyword for use with the auto or desirable mode. If you do not specify non-silent with the auto or desirable mode, silent is assumed. The silent setting is for connections to file servers or packet analyzers. This setting allows PAgP to operate, to attach the interface to a channel group, and to use the interface for transmission.
passive: Enables LACP on an interface and places it into a passive negotiating state, in which the interface responds to LACP packets that it receives, but does not start LACP packet negotiation.

Mode combinations:
On + On = Channel
On / Active / Passive + Off = No Channel
Active + Active = Channel
Active + Passive = Channel
Passive + Passive = No Channel
On + Passive = No Channel

The load-balancing keywords indicate these values:

src-mac: Source MAC addresses
dst-mac: Destination MAC addresses
src-dst-mac: Source and destination MAC addresses
src-ip: Source IP addresses
dst-ip: Destination IP addresses
src-dst-ip: Source and destination IP addresses (default)
src-port: Source Layer 4 port
dst-port: Destination Layer 4 port
src-dst-port: Source and destination Layer 4 port

Load balancing, simply put: use the option that provides the balance criteria with the greatest variety in your configuration. For example, if the traffic on an EtherChannel is going only to a single MAC address and you use the destination MAC address as the basis of EtherChannel load balancing, the EtherChannel always chooses the same link in that EtherChannel; using source addresses or IP addresses might result in better load balancing.
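Added example, not code from the original notes or from Cisco: the first function encodes the channel-group mode pairings listed above (PAgP auto/desirable, LACP active/passive, on, off); the second part models the per-flow load-balance choice with a simplified hash (XOR of the low bits of the selected fields, modulo the number of member links) to show the single-destination effect described in the last paragraph. The hash is a stand-in for the platform algorithm, not Cisco's exact one, and the traffic sample is constructed.

```python
# Added example, not from the original notes: the PAgP/LACP mode pairing
# rules above and a simplified model of the per-flow load-balance hash.
from collections import Counter
from typing import Dict, Iterable, Tuple

PAGP = {"auto", "desirable"}
LACP = {"active", "passive"}

def channel_forms(local: str, partner: str) -> bool:
    """Does an EtherChannel come up for this pair of channel-group modes?"""
    if local == "on" or partner == "on":
        return local == partner                  # 'on' only bundles with 'on'
    if local in PAGP and partner in PAGP:
        return "desirable" in (local, partner)   # auto + auto never negotiates
    if local in LACP and partner in LACP:
        return "active" in (local, partner)      # passive + passive never negotiates
    return False                                 # 'off', or PAgP facing LACP

# Load-balance method -> the frame fields that feed the hash
METHOD_FIELDS: Dict[str, Tuple[str, ...]] = {
    "src-mac": ("src_mac",), "dst-mac": ("dst_mac",), "src-dst-mac": ("src_mac", "dst_mac"),
    "src-ip": ("src_ip",), "dst-ip": ("dst_ip",), "src-dst-ip": ("src_ip", "dst_ip"),
    "src-port": ("src_port",), "dst-port": ("dst_port",), "src-dst-port": ("src_port", "dst_port"),
}

def _low_bits(value) -> int:
    """Last byte of a MAC ('aa:bb:..:ff'), last octet of an IPv4 address, or a port number."""
    if isinstance(value, str) and ":" in value:
        return int(value.split(":")[-1], 16)
    if isinstance(value, str) and "." in value:
        return int(value.split(".")[-1])
    return int(value)

def select_link(frame: Dict, method: str, n_links: int) -> int:
    """Member link chosen for a frame: XOR of the selected fields' low bits, modulo
    the number of links. A stand-in for the platform hash, not Cisco's algorithm."""
    key = 0
    for field in METHOD_FIELDS[method]:
        key ^= _low_bits(frame[field])
    return key % n_links

def link_usage(frames: Iterable[Dict], method: str, n_links: int) -> Dict[int, int]:
    """How many of the frames land on each member link."""
    counts = Counter(select_link(f, method, n_links) for f in frames)
    return {i: counts.get(i, 0) for i in range(n_links)}

def sample_frames() -> list:
    """Constructed traffic: eight hosts all talking to one server (single destination)."""
    return [{"src_mac": f"00:00:5e:00:01:0{i}", "dst_mac": "00:00:5e:00:02:aa",
             "src_ip": f"10.0.0.{i}", "dst_ip": "10.0.0.100",
             "src_port": 40000 + i, "dst_port": 443} for i in range(1, 9)]

if __name__ == "__main__":
    frames = sample_frames()
    for method in ("dst-mac", "src-dst-ip", "src-dst-port"):
        print(f"{method:12} over 2 links -> {link_usage(frames, method, 2)}")
```

With every frame bound for the same server, `dst-mac` puts all eight flows on one member link, while `src-dst-ip` or `src-dst-port` spreads them evenly; this is the "greatest variety" rule from the paragraph above in executable form.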

PDF:Etherchannel_802.1q_InterVlan Routing.pdf

STP: PDF: STP_MST_features.pdf

STP Root Bridge Election

Some terms that have to be kept in mind while designing STP:

1- Root ID: the lowest Bridge ID in the topology
2- Cost of path: cost of all links from the given switch to the root bridge
3- Bridge ID (BID) of the transmitting switch
4- Port ID: transmitting switch port ID
5- STP timer values: Max Age, Hello Time
6- Forward Delay

BPDU Process :

1. Electing a Root Bridge: BPDUs are sent throughout the broadcast domain. The switch with the lowest bridge ID is elected root bridge.

2. One root port is elected on each non-root bridge: using the received BPDUs, the path cost on all switch ports is compared. The port with the lowest cost to the root is automatically assigned as the root port.

3. Election of designated and non-designated ports: all switch ports on the root bridge act as designated ports. When 2 switches connected to the same segment send BPDUs, there will be 2 root ports, and the port with the lowest BID other than these 2 root ports will act as the designated port. The other port will be blocked.

Spanning-Tree Port Roles
Root Port (RP) (UPSTREAM_BPDU): a port on a non-root switch that is the shortest (best) path towards the root bridge. The root bridge does NOT have any root ports (no shortest path to itself ;-) ).
Designated Port (DP) (DOWNSTREAM_BPDU): a port that is in the forwarding state. All ports of the root bridge are designated ports (they are never in a blocking state). BPDU frames are sent out this port.
Non-Designated Port (NDP): a port that is in the blocking state in the STP topology.
Topology Change Notification (TCN): the type of BPDU a switch sends if it detects a topology change (a port going down, or a TCN received). This BPDU is sent out the root port (upstream) towards the root bridge, informing it that the tree needs to be recomputed.
Topology Change Acknowledgement (TCA): the type of BPDU sent back to the sender of a TCN BPDU, acknowledging reception of the notification.
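Added example, not from the original notes: the three-step election above (root bridge by lowest BID, one root port per non-root switch by lowest cost then lowest upstream BID then lowest port ID, one designated port per segment with the remaining port blocking) run over a constructed three-switch triangle. Switch names, MACs, port names and link costs are all constructed; the code assumes a connected topology and the same port cost at both ends of a link.

```python
# Added example, not from the original notes: the root bridge / root port /
# designated port election above, run over a constructed three-switch triangle.
import heapq
from typing import Dict, List, Tuple

BridgeID = Tuple[int, str]                 # (priority, MAC); lower wins, priority first
Link = Tuple[str, str, str, str, int]      # (switch A, port A, switch B, port B, path cost)

def compute_stp(bridges: Dict[str, BridgeID], links: List[Link]):
    """Return (root bridge, root path cost per switch, role of every port).

    Assumes a connected topology and equal port cost at both ends of a link.
    Port IDs are compared as strings, so names of equal length sort correctly.
    """
    root = min(bridges, key=bridges.get)   # 1. lowest bridge ID becomes root
    adj: Dict[str, list] = {n: [] for n in bridges}
    for a, pa, b, pb, cost in links:
        adj[a].append((b, pa, pb, cost))
        adj[b].append((a, pb, pa, cost))

    # Root path cost = cheapest sum of link costs to the root (Dijkstra)
    cost_to_root = {root: 0}
    heap = [(0, root)]
    while heap:
        c, n = heapq.heappop(heap)
        if c > cost_to_root[n]:
            continue
        for nb, _, _, lc in adj[n]:
            if c + lc < cost_to_root.get(nb, float("inf")):
                cost_to_root[nb] = c + lc
                heapq.heappush(heap, (c + lc, nb))

    roles: Dict[Tuple[str, str], str] = {}
    # 2. one root port per non-root switch: lowest cost, then lowest upstream
    #    BID, then lowest upstream port ID, then lowest local port ID
    for n in bridges:
        if n == root:
            continue
        best = min((cost_to_root[nb] + lc, bridges[nb], npb, lp)
                   for nb, lp, npb, lc in adj[n])
        roles[(n, best[3])] = "root"
    # 3. one designated port per segment: the end with the lowest (cost, BID);
    #    the far end, unless it is that switch's root port, blocks
    for a, pa, b, pb, _ in links:
        a_key, b_key = (cost_to_root[a], bridges[a]), (cost_to_root[b], bridges[b])
        dp, ndp = ((a, pa), (b, pb)) if a_key <= b_key else ((b, pb), (a, pa))
        roles.setdefault(dp, "designated")
        roles.setdefault(ndp, "blocking")
    return root, cost_to_root, roles

def example_topology():
    """Constructed triangle: SW1 has the lowest priority, all links cost 4 (1 Gb/s)."""
    bridges = {"SW1": (4096, "0000.0000.0001"),
               "SW2": (32768, "0000.0000.0002"),
               "SW3": (32768, "0000.0000.0003")}
    links = [("SW1", "Gi0/1", "SW2", "Gi0/1", 4),
             ("SW1", "Gi0/2", "SW3", "Gi0/1", 4),
             ("SW2", "Gi0/2", "SW3", "Gi0/2", 4)]
    return compute_stp(bridges, links)

if __name__ == "__main__":
    root, costs, roles = example_topology()
    print("root bridge:", root)
    for (sw, port), role in sorted(roles.items()):
        print(f"{sw} {port}: {role} (root path cost {costs[sw]})")
```

On the SW2 to SW3 segment both switches have the same root path cost, so the tie falls to the lower BID: SW2's port becomes designated and SW3's port blocks, which is exactly the step 3 tie-break from the notes. Lowering SW3's priority in `example_topology` moves the root and re-runs the whole election.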

Topology Changes
These are the differences between RSTP and 802.1D in handling spanning tree topology changes:

Detection: Unlike 802.1D, in which any transition between the blocking and the forwarding state causes a topology change, only transitions from the blocking to the forwarding state cause a topology change with RSTP (only an increase in connectivity is considered a topology change). State changes on an edge port do not cause a topology change. When an RSTP switch detects a topology change, it deletes the learned information on all of its nonedge ports except on those from which it received the TC notification.

Notification: RSTP does not use TCN BPDUs, unlike 802.1D. However, for 802.1D interoperability, an RSTP switch processes and generates TCN BPDUs.

Acknowledgement: When an RSTP switch receives a TCN message on a designated port from an 802.1D switch, it replies with an 802.1D configuration BPDU with the TCA bit set. However, if the TC-while timer (the same as the TC timer in 802.1D) is active on a root port connected to an 802.1D switch and a configuration BPDU with the TCA bit set is received, the TC-while timer is reset. This method of operation is only required to support 802.1D switches. RSTP BPDUs never have the TCA bit set.

Propagation: When an RSTP switch receives a TC message from another switch through a designated or root port, it propagates the change to all of its nonedge designated ports and to the root port (excluding the port on which it was received). The switch starts the TC-while timer for all such ports and flushes the information learned on them.

Protocol migration: For backward compatibility with 802.1D switches, RSTP selectively sends 802.1D configuration BPDUs and TCN BPDUs on a per-port basis. When a port is initialized, the migrate-delay timer is started (it specifies the minimum time during which RSTP BPDUs are sent), and RSTP BPDUs are sent. While this timer is active, the switch processes all BPDUs received on that port and ignores the protocol type. If the switch receives an 802.1D BPDU after the port migration-delay timer has expired, it assumes that it is connected to an 802.1D switch and starts using only 802.1D BPDUs. However, if the RSTP switch is using 802.1D BPDUs on a port and receives an RSTP BPDU after the timer has expired, it restarts the timer and starts using RSTP BPDUs on that port.

TIPs: UplinkFast and BackboneFast configurations are ignored in Rapid-PVST mode; both features are included in RSTP.

STP Path Selection with Port Cost: OK. This change affects local path selection.
STP Path Selection with Port Priority = 0: This change affects the downstream neighbor.
- Tuning STP Convergence Timers: OK
- STP PortFast: OK. In order to reduce the number of topology changes, configure all edge ports in the topology (connected to hosts, IP phones, servers) as spanning-tree portfast. PortFast ports do not generate TC events when they go up or down.
STP PortFast Default: OK, enabled on all edge ports of an STP domain.
- STP UplinkFast: OK. To understand how UplinkFast helps speed up convergence: convergence takes about 1 second, but the TCN is sent only after 3 seconds! No packet loss results.
STP BackboneFast: OK

Indirect failures should start recalculating immediately!

STP BPDU Guard / STP BPDU Guard Default: OK
The BPDU Guard feature is used to protect the spanning tree domain from external influence. If superior BPDUs are received, the port will be shut down (err-disabled). You must apply this configuration on edge ports to keep inferior BPDUs out of the STP domain! You can use STP BPDU Guard Default together with PortFast to guarantee more security in your environment.
- STP BPDU Filter (working inbound and outbound) / STP BPDU Filter Default (the default with PortFast works only as an outbound filter!): filters BPDUs in and out. When the spanning-tree bpdufilter command is enabled on the SW_01 interface facing RT_01, SW_01 stops sending BPDUs to RT_01.

STP Root Guard:OK

Root Guard is useful in avoiding Layer 2 loops during network anomalies. The Root Guard feature forces an interface to become a designated port to prevent surrounding switches from becoming a root switch. In other words, Root Guard provides a way to enforce the root bridge placement in the network. The Root Guard feature prevents a designated port from becoming a root port. If a port on which Root Guard is enabled receives a superior BPDU, it moves the port into a root-inconsistent state (effectively equal to a listening state), thus maintaining the current root bridge status. TIP: You need to define this feature manually to guarantee topology synchronization!!!

STP Loop Guard / Unidirectional Link Detection (Cisco-proprietary): prevention of unidirectional links.

Loop Guard: sends L1 keepalive packets to the neighbors. When implementing Loop Guard, you should be aware of the following implementation guidelines. With the Loop Guard feature, switches do an additional check before transitioning to the STP forwarding state. If switches stop receiving BPDUs on a non-designated port with the Loop Guard feature enabled, the switch places the port into the STP loop-inconsistent blocking state instead of moving through the listening, learning, and forwarding states. You configure the Loop Guard feature on a per-port basis, although the feature blocks inconsistent ports on a per-VLAN basis.
- Loop Guard cannot be enabled on a switch that also has Root Guard enabled
- Loop Guard does not affect UplinkFast or BackboneFast operation
- Loop Guard must be enabled on point-to-point links only
- Loop Guard operation is not affected by the spanning tree timers
- Loop Guard cannot actually detect a unidirectional link
- Loop Guard cannot be enabled on PortFast or dynamic VLAN ports

UDLD: A unidirectional link occurs when traffic is transmitted between neighbors in one direction only. Unidirectional Link Detection is a Layer 2 protocol. UDLD performs tasks that Layer 1 mechanisms, such as autonegotiation, cannot perform. When UDLD and autonegotiation are enabled, both Layer 1 and Layer 2 detection work together to prevent physical and logical unidirectional connections and the malfunctioning of other protocols. Unidirectional links can cause spanning tree topology loops. UDLD enables devices to detect when a unidirectional link exists and also to shut down the affected interface. UDLD is useful on fiber ports to prevent network issues resulting from miswiring at the patch panel that leaves the link in up/up status while the BPDUs are lost.

UDLD in aggressive mode: UDLD aggressive mode is configured on point-to-point links. This mode comes into play after a UDLD neighbor stops receiving UDLD updates from its adjacent peer. In aggressive mode, the local device will attempt to re-establish the UDLD connection eight times. If the switch is unable to re-establish the connection within this timeframe, it will proceed to errdisable the port.
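Added example, not from the original notes or any Cisco tool: an offline audit of a running-config for the protections covered in the BPDU Guard, Root Guard, Loop Guard and UDLD sections above. It parses the config into per-interface command lists, treats `switchport mode access` ports as edge ports (which should carry PortFast and BPDU Guard, or the global `spanning-tree portfast bpduguard default`) and `switchport mode trunk` ports as point-to-point uplinks (which should carry `switchport nonegotiate`, Loop Guard or the global `spanning-tree loopguard default`, and `udld port aggressive`), and flags ports left in `switchport mode dynamic`. The config text and interface names are constructed for the example; the role assignment by switchport mode is an assumption of this script.

```python
# Added example, not from the original notes: an offline audit of a
# running-config for the STP protections covered above (PortFast + BPDU Guard
# on edge ports, Loop Guard and UDLD aggressive on point-to-point trunks) and
# for ports still negotiating DTP. The config text is constructed for the example.
from typing import Dict, List, Tuple

SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
!
interface GigabitEthernet0/1
 description host port, hardened
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
 description host port, PortFast only
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/3
 description uplink to distribution, hardened
 switchport mode trunk
 switchport nonegotiate
 spanning-tree guard loop
 udld port aggressive
!
interface GigabitEthernet0/4
 description uplink left at DTP defaults
 switchport mode dynamic auto
!
"""

def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split IOS-style config into global commands and per-interface command lists."""
    global_cmds: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            if line and line != "!":
                global_cmds.append(line)
    return global_cmds, interfaces

def audit_stp_protection(text: str) -> List[Tuple[str, str]]:
    """Return (interface, finding) pairs; an empty list means every port passed."""
    global_cmds, interfaces = parse_config(text)
    bpduguard_default = "spanning-tree portfast bpduguard default" in global_cmds
    loopguard_default = "spanning-tree loopguard default" in global_cmds
    findings = []
    for name, cmds in interfaces.items():
        def has(prefix: str) -> bool:
            return any(c.startswith(prefix) for c in cmds)
        if has("switchport mode dynamic"):
            findings.append((name, "DTP still negotiating; set an explicit access or trunk mode"))
            continue
        if has("switchport mode access"):          # assumed: edge port facing a host
            if not has("spanning-tree portfast"):
                findings.append((name, "edge port without PortFast"))
            if not (has("spanning-tree bpduguard enable")
                    or (bpduguard_default and has("spanning-tree portfast"))):
                findings.append((name, "edge port without BPDU Guard"))
        elif has("switchport mode trunk"):         # assumed: point-to-point uplink
            if not has("switchport nonegotiate"):
                findings.append((name, "trunk still sends DTP frames"))
            if not (has("spanning-tree guard loop") or loopguard_default):
                findings.append((name, "trunk without Loop Guard"))
            if not has("udld port aggressive"):
                findings.append((name, "trunk without UDLD aggressive"))
    return findings

if __name__ == "__main__":
    for intf, issue in audit_stp_protection(SAMPLE_CONFIG):
        print(f"{intf}: {issue}")
```

Run against `show running-config` output saved to a file, this reports GigabitEthernet0/2 (PortFast without BPDU Guard) and GigabitEthernet0/4 (still dynamic); adding the global `spanning-tree portfast bpduguard default` line clears the first finding, which is the PortFast + BPDU Guard Default combination the notes recommend.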

MST: The IEEE 802.1s implementation does not send BPDUs for every active STP instance separately, nor does it encapsulate VLAN number lists in configuration messages. Instead, a special STP instance number 0, called the Internal Spanning Tree (IST, aka MSTI0, Multiple Spanning Tree Instance 0), is designated to carry all STP-related information.

IST, CIST, and CST Overview

Unlike other spanning tree protocols, in which all the spanning tree instances are independent, MST establishes and maintains the IST, CIST, and CST spanning trees:
- An IST is the spanning tree that runs in an MST region. Within each MST region, MST maintains multiple spanning tree instances. Instance 0 is a special instance for a region, known as the IST. All other MST instances are numbered from 1 to 4094. The IST is the only spanning tree instance that sends and receives BPDUs. All of the other spanning tree instance information is contained in MSTP records (M-records), which are encapsulated within MST BPDUs. Because the MST BPDU carries information for all instances, the number of BPDUs that need to be processed to support multiple spanning tree instances is significantly reduced. All MST instances within the same region share the same protocol timers, but each MST instance x has its own topology parameters, such as root bridge ID, root path cost, and so forth. By default, all VLANs are assigned to the IST. An MST instance is local to the region; for example, MST instance 1 in region A is independent of MST instance 1 in region B, even if regions A and B are interconnected.
- A CIST is a collection of the ISTs in each MST region.
- The CST interconnects the MST regions and single spanning trees.
The spanning tree computed in a region appears as a sub-tree in the CST that encompasses the entire switched domain. The CIST is formed by the spanning tree algorithm running among switches that support the 802.1w, 802.1s, and 802.1D standards. The CIST inside an MST region is the same as the CST outside a region.

M-Record is a sub-field, within the BPDU of MSTP instances that enables corresponding instances to calculate a final topology

TIP: Revision number: treat this number like a software version number in programming, starting from 1 and working upwards (1, 2, 3, 4, etc.). Keep in mind that you have to change it manually (this isn't VTP) on all MST switches; it doesn't update automatically.
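Added example, not from the original notes: a check of whether two switches end up in the same MST region, built from the three things that have to match (region name, revision number, and the VLAN-to-instance mapping, where every VLAN not listed under an instance belongs to the IST). It shows the TIP above in practice: bumping the revision on one switch alone splits the region even though nothing else changed. The digest here is an ordinary SHA-256 over the expanded mapping, a stand-in for illustration and not the 802.1s configuration digest; region names and VLAN lists are constructed.

```python
# Added example, not from the original notes: whether two switches land in the
# same MST region, using the three attributes that must match (name, revision,
# VLAN-to-instance mapping). The digest is a stand-in hash, not the 802.1s one.
import hashlib
from typing import Dict, Tuple

def parse_vlan_list(spec: str) -> set:
    """Cisco-style VLAN list: '10-12,20' -> {10, 11, 12, 20}."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def vlan_instance_map(instances: Dict[int, str]) -> Tuple[int, ...]:
    """Instance of every VLAN 1..4094; anything not listed belongs to the IST (instance 0)."""
    mapping = [0] * 4095
    for inst, spec in instances.items():
        for v in parse_vlan_list(spec):
            mapping[v] = inst
    return tuple(mapping[1:])

def region_digest(name: str, revision: int, instances: Dict[int, str]) -> str:
    """Stand-in digest over name, revision and the full VLAN-to-instance table."""
    payload = f"{name}|{revision}|" + ",".join(map(str, vlan_instance_map(instances)))
    return hashlib.sha256(payload.encode()).hexdigest()

def same_region(a: tuple, b: tuple) -> bool:
    """a and b are (name, revision, {instance: 'vlan list'}) as typed on each switch."""
    return region_digest(*a) == region_digest(*b)

if __name__ == "__main__":
    sw1 = ("LAB", 1, {1: "10-20", 2: "30"})        # constructed region settings
    sw2 = ("LAB", 2, {1: "10-20", 2: "30"})        # revision bumped on one switch only
    print("same region:", same_region(sw1, sw2))   # False: revision must match everywhere
```

Because the comparison covers all 4094 VLANs, listing a VLAN explicitly under instance 0 is indistinguishable from leaving it unlisted, while adding a single VLAN to another instance on one switch only is enough to split the region.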

MST Path selection

Same election process as CST/PVST

MST Root Bridge Election
Root Bridge: 1- Lowest BID
Root port: 1- Lowest cost, 2- Lowest upstream BID, 3- Lowest port ID

MST Path Selection with Port Cost (chooses the lowest cost to the root as the root port)
MST Path Selection with Port Priority (chooses the lowest port priority to become the root port)
MST and Rapid Spanning Tree (port state transitions are almost immediate)

PDF: Protect Ports_STP brodcastStorm.pdf

Protected Ports: OK
Some applications require that no traffic be forwarded by the Layer 2 protocol between ports on the same switch. In such an environment, there is no exchange of unicast, broadcast, or multicast traffic between ports on the switch, and traffic between ports on the same switch is forwarded through a Layer 3 device such as a router. To meet this requirement, you can configure Catalyst 2950 ports as protected ports (also referred to as private VLAN edge ports). Protected ports do not forward any traffic to protected ports on the same switch. This means that all traffic passing between protected ports (unicast, broadcast, and multicast) must be forwarded through a Layer 3 device (you can't configure a VLAN as switchport mode access on subinterfaces). Protected ports can forward any type of traffic to nonprotected ports, and they forward as usual to all ports on other switches. Dynamically learned addresses are not retained if the switch is reloaded. Command that you apply on the interface: switchport protected

Traffic Storm Control : OK

A traffic storm occurs when packets flood the LAN, creating excessive traffic and degrading network performance. The traffic storm control feature prevents LAN ports from being disrupted by a broadcast, multicast, or unicast traffic storm on physical interfaces. Traffic storm control (also called traffic suppression) monitors incoming traffic levels over a 1-second traffic storm control interval, and during the interval it compares the traffic level with the traffic storm control level that you configure. The traffic storm control level is a percentage of the total available bandwidth of the port. Each port has a single traffic storm control level that is used for all types of traffic (broadcast, multicast, and unicast). Traffic storm control monitors the level of each traffic type for which you enable traffic storm control in 1-second traffic storm control intervals. In all releases, and by default in Release 12.2(33)SXJ and later releases, within an interval, when the ingress traffic for which traffic storm control is enabled reaches the traffic storm control level that is configured on the port, traffic storm control drops the traffic until the traffic storm control interval ends. Release 12.2(33)SXJ and later releases support these configurable traffic storm control optional actions:
Shutdown: When a traffic storm occurs, traffic storm control puts the port into the error-disabled state. To reenable ports, use the error-disable detection and recovery feature or the shutdown and no shutdown commands.
Trap: When a traffic storm occurs, traffic storm control generates an SNMP trap.
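Added example, not from the original notes: a model of the 1-second storm control interval just described. Each sample is the amount of the policed traffic type seen in one interval; once it reaches the configured percentage of the port bandwidth, the excess is dropped until the interval ends, and the optional shutdown and trap actions behave as in the two bullets above. The traffic samples and the 100 Mb/s port are constructed.

```python
# Added example, not from the original notes: a model of the 1-second storm
# control interval described above, with the drop / shutdown / trap actions.
from typing import Dict, List

def storm_control(samples_bps: List[float], port_bandwidth_bps: float,
                  level_pct: float, action: str = "drop") -> Dict:
    """samples_bps: bits of the policed traffic type seen in successive 1-second intervals.

    Within an interval, everything above level_pct of the port bandwidth is dropped
    until the interval ends (the default behaviour). 'shutdown' additionally puts the
    port into err-disabled; 'trap' counts the SNMP traps that would be generated.
    """
    threshold = port_bandwidth_bps * level_pct / 100.0
    storms, traps, dropped, errdisabled = [], 0, 0.0, False
    for second, bits in enumerate(samples_bps):
        if errdisabled:
            dropped += bits            # port is down: nothing is forwarded any more
            continue
        if bits >= threshold:
            storms.append(second)
            dropped += bits - threshold
            if action == "shutdown":
                errdisabled = True     # stays down until errdisable recovery / no shutdown
            elif action == "trap":
                traps += 1
    return {"threshold_bps": threshold, "storm_intervals": storms,
            "dropped_bits": dropped, "traps": traps, "errdisabled": errdisabled}

# constructed: broadcast bits per second seen on a 100 Mb/s port over five seconds
SAMPLE = [2e6, 5e6, 50e6, 60e6, 3e6]

if __name__ == "__main__":
    for act in ("drop", "trap", "shutdown"):
        print(act, storm_control(SAMPLE, 100e6, 10, act))
```

With a 10% level on a 100 Mb/s port the threshold is 10 Mb/s: the drop action loses only the excess in the two storm intervals, while the shutdown action err-disables the port on the first storm and loses everything afterwards, including the legitimate traffic in the last interval. That trade-off is the reason to pair the shutdown action with errdisable recovery.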

MAC-Address Table Static Entries and Aging: OK

To switch frames between LAN ports efficiently, the switch maintains an address table. When the switch receives a frame, it associates the media access control (MAC) address of the sending network device with the LAN port on which it was received. The switch dynamically builds the address table by using the MAC source address of the frames received. When the switch receives a frame for a MAC destination address not listed in its address table, it floods the frame to all LAN ports of the same VLAN except the port that received the frame. When the destination station replies, the switch adds its relevant MAC source address and port ID to the address table. The switch then forwards subsequent frames to a single LAN port without flooding all LAN ports. You can also enter a MAC address, which is termed a static MAC address, into the table. These static MAC entries are retained across a reboot of the switch. In addition, you can enter a multicast address as a statically configured MAC address. A multicast address can accept more than one interface as its destination.

TIP: If you enable the auto-learn option, the switch will update the entry if the same MAC address is seen on a different port.

The switch uses a mechanism called aging to keep the Ethernet switching table current. For each MAC address in the Ethernet switching table, the switch records a timestamp of when the information about the network node was learned. Each time the switch detects traffic from a MAC address that is in its Ethernet switching table, it updates the timestamp of that MAC address. A timer on the switch periodically checks the timestamp, and if it is older than the value set for mac-table-aging-time, the switch removes the node's MAC address from the Ethernet switching table. This aging process ensures that the switch tracks only active MAC addresses on the network and that it is able to flush out from the Ethernet switching table MAC addresses that are no longer available. You configure how long MAC addresses remain in the Ethernet switching table using the mac-table-aging-time statement in either the edit ethernet-switching-options or the vlans hierarchy, depending on whether you want to configure it for the entire switch or only for specific VLANs. For example, if you have a printer VLAN, you might choose to configure the aging time for that VLAN to be considerably longer than for other VLANs so that MAC addresses of printers on this VLAN age out less frequently. Because the MAC addresses remain in the table, even if a printer has been idle for some time before traffic arrives for it, the switch still finds the MAC address and does not need to flood the traffic to all other interfaces. Similarly, in a data center environment where the list of servers connected to the switch is fairly stable, you might choose to increase MAC address aging time, or even set it to unlimited, to increase the efficiency of the utilization of network bandwidth by reducing flooding.
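Added example, not from the original notes: a minimal MAC address table that shows the behaviour of the three paragraphs above in one place: learning from source addresses, flooding of unknown destinations within the VLAN, static entries that survive aging (including a multicast entry bound to several ports), the auto-learn behaviour from the TIP (modelled here as a per-entry flag that lets a static entry follow the MAC to a new port), and timestamp-based aging. Time is passed in explicitly so the code runs offline; port names, MACs and the VLAN membership are constructed.

```python
# Added example, not from the original notes: a minimal MAC address table with
# learning, flooding of unknown destinations, static entries (including a
# multicast entry with several ports), the auto-learn behaviour from the TIP,
# and timestamp-based aging. Time is passed in explicitly so it runs offline.
from typing import Dict, List, Tuple

class MacTable:
    def __init__(self, aging_time: float = 300.0):
        self.aging_time = aging_time
        # (vlan, mac) -> {"ports": [...], "static": bool, "auto_learn": bool, "last_seen": float}
        self.entries: Dict[Tuple[int, str], dict] = {}

    def add_static(self, vlan: int, mac: str, ports: List[str], auto_learn: bool = False):
        """Static entry, never aged out; a multicast MAC may list several ports."""
        self.entries[(vlan, mac)] = {"ports": list(ports), "static": True,
                                     "auto_learn": auto_learn, "last_seen": None}

    def learn(self, vlan: int, mac: str, port: str, now: float):
        e = self.entries.get((vlan, mac))
        if e and e["static"]:
            if e["auto_learn"] and e["ports"] != [port]:
                e["ports"] = [port]     # auto-learn: follow the MAC to its new port
            return                      # plain static entries are never overwritten
        self.entries[(vlan, mac)] = {"ports": [port], "static": False,
                                     "auto_learn": False, "last_seen": now}

    def forward(self, vlan: int, src: str, dst: str, in_port: str, now: float,
                vlan_ports: Dict[int, List[str]]) -> List[str]:
        """Learn the source, then return the egress ports for the destination."""
        self.learn(vlan, src, in_port, now)
        e = self.entries.get((vlan, dst))
        if e is None:
            # unknown destination: flood to every port of the VLAN except the ingress port
            return [p for p in vlan_ports[vlan] if p != in_port]
        return [p for p in e["ports"] if p != in_port]

    def age(self, now: float) -> List[Tuple[int, str]]:
        """Remove dynamic entries not refreshed within aging_time; return what was removed."""
        expired = [k for k, e in self.entries.items()
                   if not e["static"] and now - e["last_seen"] > self.aging_time]
        for k in expired:
            del self.entries[k]
        return expired

PORTS = {10: ["Gi0/1", "Gi0/2", "Gi0/3"]}   # constructed: three ports in VLAN 10

if __name__ == "__main__":
    t = MacTable(aging_time=300)
    print(t.forward(10, "aaaa.0000.0001", "aaaa.0000.0002", "Gi0/1", 0, PORTS))  # flooded
    print(t.forward(10, "aaaa.0000.0002", "aaaa.0000.0001", "Gi0/2", 1, PORTS))  # ['Gi0/1']
    print(t.age(400))   # both dynamic entries are older than 300 s and are removed
```

Raising `aging_time` for a VLAN of rarely-talking devices (the printer VLAN case above) keeps their entries past the idle period so that traffic towards them is delivered to one port instead of being flooded.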

- SPAN / RSPAN / ERSPAN / PSPAN / VSPAN = needs testing!!!

SPAN terminology:
Ingress traffic: traffic that enters the switch.
Egress traffic: traffic that leaves the switch.
Source (SPAN) port: a port that is monitored with use of the SPAN feature.
Source (SPAN) VLAN: a VLAN whose traffic is monitored with use of the SPAN feature.
Destination (SPAN) port: a port that monitors source ports, usually where a network analyzer is connected.
Reflector port: a port that copies packets onto an RSPAN VLAN.
Monitor port: a monitor port is also a destination SPAN port in Catalyst 2900XL/3500XL/2950 terminology.

Overview of SPAN modes:
Local SPAN: the SPAN feature is local when the monitored ports are all located on the same switch as the destination port. This feature is in contrast to Remote SPAN (RSPAN), which this list also defines.
Remote SPAN (RSPAN): some source ports are not located on the same switch as the destination port. RSPAN is an advanced feature that requires a special VLAN to carry the traffic that is monitored by SPAN between switches. RSPAN is not supported on all switches. Check the respective release notes or configuration guide to see if you can use RSPAN on the switch that you deploy.
Port-based SPAN (PSPAN): the user specifies one or several source ports on the switch and one destination port.
VLAN-based SPAN (VSPAN): on a particular switch, the user can choose to monitor all the ports that belong to a particular VLAN in a single command.
ESPAN: this means enhanced SPAN version. This term has been used several times during the evolution of SPAN in order to name additional features. Therefore, the term is not very clear. Use of this term is avoided in this document.
Administrative source: a list of source ports or VLANs that have been configured to be monitored.
Operational source: a list of ports that are effectively monitored. This list of ports can be different from the administrative source. For example, a port that is in shutdown mode can appear in the administrative source, but is not effectively monitored.

oVoice VLAN:OK

Local network based on packet classification and marking

If VoIP calls and desktop traffic are on the same VLAN, each traffic type will try to use the available bandwidth without regard for the other traffic profile. To avoid this, use different VLANs to segregate VoIP from the other data. Once the traffic is separated, QoS policies can be applied to prioritize VoIP on the network.

An important component of a successful IP telephony network is correct bandwidth provisioning, that is, the minimum bandwidth for a given link, which should not exceed 75% of the total bandwidth (in practice these values are debatable).

The standard traffic of a call consists of 2 traffic types:

Voice stream: RTP packets carrying the voice samples
Call control signaling: packets responsible for call signaling

Voice VLAN

Some switch models offer features called auxiliary VLAN or voice VLAN. This VLAN model allows phones to be assigned to their own VLAN without end-user intervention.

The user simply plugs the phone into the switch, which then provides the phone with the necessary VLAN settings.

With IP phones on their own subnets and VLANs, administrators can easily identify and apply QoS and security policies, in addition to converging the physical infrastructure.

PoE (Power over Ethernet):

PoE technology allows the switch or patch panel to supply power directly to the IP phone.

Classification and Marking

The classification and marking technique identifies the profile for proper prioritization of each type of network traffic. Traffic is examined and classified, which can be done by examining information from different layers (OSI model).

Traffic can be classified by any of the criteria below:

Layer 2: MAC address, 802.1q header (and 802.1p), MPLS header, CLP (ATM), DE (Frame Relay), or ingress interface.
Layer 3: IP precedence, DSCP, IP address, or ingress interface.
Layer 4: TCP or UDP ports, or ingress interface.
Layer 7: application signatures, or ingress interface.
All traffic classified or grouped according to these criteria is marked according to its classification.

QoS markings establish priority levels, or class priorities, for network traffic at each switch.

NOTE: Traditionally, a switchport on a Cisco switch that receives tagged packets is referred to as a trunk port. However, when you configure a switchport to connect to a Cisco IP Phone, you configure it as an access port (for the untagged data from the PC) while supporting tagged traffic from the IP phone. So, think of these ports as "access ports supporting tagged voice VLAN traffic."

NOTE: Keep in mind that Cisco IP phones will be able to receive this voice VLAN configuration from the switch via CDP. After it receives the voice VLAN number, the IP Phone begins tagging its own packets. Non-Cisco IP Phones cannot understand CDP packets. This typically requires you to manually configure each of the non-Cisco IP Phones with its voice VLAN number from a local phone configuration window (on the IP phone).

- Smartport Macros: OK

Understanding SmartPort Macros
Smartport macros provide a convenient way to save and share common configurations. You can use Smartport macros to enable features and settings based on the location of a switch in the network and for mass configuration deployments across the network. Each Smartport macro is a set of CLI commands that you define. SmartPort macro sets do not contain new CLI commands; each Smartport macro is a group of existing CLI commands. When you apply a SmartPort macro on an interface, the CLI commands contained within the macro are configured on the interface. When the macro is applied to an interface, the existing interface configuration is not lost. The new commands are added to the interface and are saved in the running configuration file.

TIP-1: If you modify a macro definition by adding or deleting commands, the changes are not reflected on the interface where the original macro was applied. You need to reapply the updated macro on the interface to apply the new or changed commands.

TIP-2: You can use the macro trace macro-name interface configuration command to show what macros are running on an interface or to debug the macro to determine any syntax or configuration errors.

Cisco-Default Smartports Macros

cisco-global: Use this global configuration macro to enable load balancing across VLANs, provide rapid convergence of spanning-tree instances and to enable port error recovery.
cisco-desktop: Use this interface configuration macro for increased network security and reliability when connecting a desktop device, such as a PC, to a switch port.
cisco-phone: Use this interface configuration macro when connecting a desktop device such as a PC with a Cisco IP Phone to a switch port. This macro is an extension of the cisco-desktop macro and provides the same security and resiliency features, but with the addition of dedicated voice VLANs to ensure proper treatment of delay-sensitive voice traffic.
cisco-switch: Use this interface configuration macro when connecting an access switch and a distribution switch or between access switches connected using GigaStack modules or GBICs.
cisco-router: Use this interface configuration macro when connecting the switch and a WAN router.
cisco-lre-cpe: Use this interface configuration macro to optimize performance when the switch is installed in apartment buildings or hotels, or when it is used to deliver Video-on-Demand (VoD) or multicast video.
cisco-wireless: Use this interface configuration macro when connecting the switch and a wireless access point.

PDF:

Smart Port_Macro.pdf

Private VLANs

A private VLAN domain has only one primary VLAN. Each port in a private VLAN domain is a member of the primary VLAN; the primary VLAN is the entire private VLAN domain. Secondary VLANs provide isolation between ports within the same private VLAN domain. The following two types are secondary VLANs within a primary VLAN:

Isolated VLANs: Ports within an isolated VLAN cannot communicate directly with each other at the Layer 2 level.

Community VLANs: Ports within a community VLAN can communicate with each other but cannot communicate with ports in other community VLANs or in any isolated VLANs at the Layer 2 level.

Primary VLANs and the two types of secondary VLANs (isolated and community) have these characteristics:

Primary VLAN: the primary VLAN carries traffic from the promiscuous ports to the host ports, both isolated and community, and to other promiscuous ports.

Isolated VLAN: an isolated VLAN is a secondary VLAN that carries unidirectional traffic upstream from the hosts toward the promiscuous ports. You can configure multiple isolated VLANs in a private VLAN domain; all the traffic remains isolated within each one. Each isolated VLAN can have several isolated ports, and the traffic from each isolated port also remains completely separate.

Community VLAN: a community VLAN is a secondary VLAN that carries upstream traffic from the community ports to the promiscuous port and to other host ports in the same community. You can configure multiple community VLANs in a private VLAN domain. The ports within one community can communicate, but these ports cannot communicate with ports in any other community or isolated VLAN in the private VLAN.

Another TIP: Terminology

Promiscuous Port: This port sits in the primary VLAN and can communicate with all the other isolated and community ports within the PVLAN environment.

Isolated Port: This port sits in a secondary VLAN and will only communicate with the primary (promiscuous) VLAN. Isolated ports cannot even communicate with other isolated ports. Since we are talking about VLANs, communication is blocked at Layer 2 (the layer at which VLANs operate).

Community Port: This is another type of secondary VLAN port; like an isolated port, a community port can also communicate with the primary (promiscuous) VLAN. The big difference is that a port configured in a secondary community VLAN can also communicate with other ports configured as community ports in the same community. It will not, however, be able to communicate with ports configured in an isolated VLAN.

Traffic Flows:

Since these Private VLANs operate at Layer 2, it is worth pointing out some specific traffic flows; after all, the implications of this isolation for typical broadcast/multicast flows deserve consideration:

Broadcast Traffic

The promiscuous port will forward broadcast traffic to all isolated and community ports (including trunks).

The isolated port will only forward the broadcast to a promiscuous port (including trunks).

Community ports will forward broadcasts to the promiscuous port and to other community ports (including trunks).

PDF: PrivateVLANs.pdf

Layer 2 WAN Circuits

HDLC: OK

hdlc-101211214058-phpapp01.pptx

PPP:

The Point-to-Point Protocol (PPP) provides a standard method for transporting multi-protocol datagrams over point-to-point links. PPP is comprised of three main components:

1. A method for encapsulating multi-protocol datagrams.
2. A Link Control Protocol (LCP) for establishing, configuring, and testing the data-link connection.
3. A family of Network Control Protocols (NCPs) for establishing and configuring different network-layer protocols.

PPP Authentication (PAP and CHAP)

PAP authentication involves a two-way handshake where the username and password are sent across the link in clear text; hence, PAP authentication does not provide any protection against playback and line sniffing.

R1 and R2

R1#
!
username R1 password 0 cisco
interface Serial0/0
 ip address 1.1.1.1 255.255.255.0
 encapsulation ppp
 ppp authentication pap
 ppp pap sent-username R2 password 0 cisco

R2#
!
username R2 password 0 cisco
!
interface Serial0/0
 ip address 1.1.1.2 255.255.255.0
 encapsulation ppp
 ppp authentication pap
 ppp pap sent-username R1 password 0 cisco

CHAP authentication, on the other hand, periodically verifies the identity of the remote node using a three-way handshake. After the PPP link is established, the host sends a "challenge" message to the remote node. The remote node responds with a value calculated using a one-way hash function. The host checks the response against its own calculation of the expected hash value. If the values match, the authentication is acknowledged; otherwise, the connection is terminated.

R1 and R2

R1#
! With CHAP the local username entry is the peer's hostname (R2); both sides share the same password
username R2 password 0 cisco
interface Serial0/0
 ip address 1.1.1.1 255.255.255.0
 encapsulation ppp
 clock rate 2000000
 ppp authentication chap

R2#
!
username R1 password 0 cisco
!
interface Serial0/0
 ip address 1.1.1.2 255.255.255.0
 encapsulation ppp
 clock rate 2000000
 ppp authentication chap
!

PPP Multilink

The Multilink PPP feature provides load balancing functionality over multiple WAN links while providing multivendor interoperability, packet fragmentation, proper sequencing, and load calculation on both inbound and outbound traffic. Cisco's implementation of Multilink PPP supports the fragmentation and packet sequencing specifications in RFC 1990. Additionally, you can change the default endpoint discriminator value that is supplied as part of user authentication. Refer to RFC 1990 for more information about the endpoint discriminator. Multilink PPP allows packets to be fragmented and the fragments to be sent at the same time over multiple point-to-point links to the same remote address. The multiple links come up in response to a defined dialer load threshold. The load can be calculated on inbound traffic or outbound traffic, as required for the traffic between the specific sites. Multilink PPP provides bandwidth on demand and reduces transmission latency across WAN links. Multilink PPP is designed to work over synchronous and asynchronous serial types of single or multiple interfaces that have been configured to support both dial-on-demand rotary groups and PPP encapsulation.
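The PAP versus CHAP contrast above, as an added example (not IOS code and not from the original notes): CHAP's MD5 response per RFC 1994 is MD5(Identifier || secret || Challenge), so only a hash crosses the link and a captured response is useless against the next challenge, while PAP's clear-text credentials can be replayed verbatim. The shared secret "cisco" mirrors the configs above; everything else is constructed.

```python
import hashlib
import hmac
import os

# Constructed shared secret, mirroring "username ... password 0 cisco" above.
SHARED_SECRET = b"cisco"


def pap_check(local_db: dict, username: str, password: str) -> bool:
    """PAP: the peer sends username and password in clear text; the
    authenticator only compares them. Whatever a sniffer captures can be
    replayed unchanged on a later attempt."""
    stored = local_db.get(username)
    return stored is not None and hmac.compare_digest(stored, password)


def chap_challenge(length: int = 16) -> bytes:
    """Authenticator step 1: a fresh, unpredictable challenge value."""
    return os.urandom(length)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer step 2 (RFC 1994, MD5 algorithm):
    Response = MD5(Identifier || secret || Challenge).
    The secret itself never travels on the wire."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes,
                response: bytes) -> bool:
    """Authenticator step 3: recompute the expected hash and compare in
    constant time; a mismatch means the link is torn down."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def replay_attempt(secret: bytes) -> dict:
    """Why CHAP resists playback: a response captured for one challenge
    does not verify against the next periodic challenge."""
    ident = 1
    challenge_a = chap_challenge()
    captured = chap_response(ident, secret, challenge_a)  # what a sniffer sees
    first_ok = chap_verify(ident, secret, challenge_a, captured)
    challenge_b = chap_challenge()                        # next re-authentication
    replay_ok = chap_verify(ident + 1, secret, challenge_b, captured)
    return {"first_ok": first_ok, "replay_ok": replay_ok}
```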

Multilink PPP Minimum Links Mandatory

Multilink PPP allows multiple PPP links to be established in parallel to the same destination. Multilink PPP is often used to increase the amount of bandwidth between points. The Multilink PPP Minimum Links Mandatory feature enables you to configure the minimum number of links that are required in a Multilink PPP bundle to keep the bundle active. The feature causes all Network Control Protocols (NCPs) for a Multilink PPP bundle to be disabled until the bundle has the required minimum number of links. When a new link is added to a bundle and brings the number of links up to the required minimum, the NCPs are activated for the bundle. When a link is removed from a bundle and the number of links falls below the required minimum, the NCPs are disabled for that bundle.

TIP:

Synchronous (sends large blocks of data as frames): The receiver and transmitter are synchronized, and a block of information is transmitted together with the synchronization information. It is a clock-oriented transmission format, used mainly for high-speed transmission. Usually one or two SYNC characters are used to synchronize the data stream. The transmitting device sends to the receiving device continuously; if no data is ready, it keeps sending synchronization characters until data is available.

Asynchronous (sent as individual bytes): It is character oriented. Each character (8 bits) is framed with its own start and stop information. A 1 is a mark and a 0 is a space; while no data is being transmitted, the receiver sees the line idle at logic 1. It is used mainly for low-speed transmission.

PPPoE

Header PPPoE format Packet:

Configurations: PPPoE without and with DHCP.
http://blog.ine.com/2008/01/20/example-configurations-for-ppp-over-ethernet-pppoe/

TIP: http://www.differencebetween.net/technology/difference-between-dhcp-and-pppoe/

Configuring PPPoE in a VPDN group limits the PPPoE configuration options, because only one PPPoE VPDN group with one virtual template is permitted on a device.

The PPPoE Profiles feature (bba-group) provides simplicity and flexibility in PPPoE configuration by separating PPPoE from VPDN configuration. The PPPoE Profiles feature allows multiple PPPoE profiles, each with a different configuration, to be used on a single device.

CCIE R&S v5 Advanced Technology Labs - IP Routing

Routing to Multipoint Broadcast Interfaces: OK

Routing to NBMA Interfaces: OK

NBMA (non-broadcast multiple access) is one of four network types in the OSPF (Open Shortest Path First) communications protocol. NBMA is used to accurately model X.25 and frame relay environments in multiple-access networks where there are no intrinsic broadcast and multicast capabilities. The other OSPF network types are: broadcast, point-to-point, and point-to-multipoint. In an NBMA configuration, OSPF sends HELLO packets (packets sent periodically to establish and confirm neighbor relationships between routers) to each router one at a time rather than multicasting them. The HELLO timer (which tells the router how often to send HELLO packets) is extended from 10 to 30 seconds and the dead router timer (which tells the router how long to wait before it decides that a neighboring router is not functioning) is extended from 40 to 120 seconds.

Site: http://ccieblog.co.uk/ospf/ospf-non-broadcast-nbma-network

Longest Match Routing: OK

As an example, if you have a routing table entry similar to the following:

192.168.128.0/23 -> next hop 192.168.1.1 via FastEthernet0/0

When the router receives a packet destined for 192.168.129.14, the router compares the first 23 bits of 192.168.129.14 with 192.168.128.0, and if they match (which they do) the router transmits the packet out of FastEthernet0/0 using the destination MAC address of 192.168.1.1.

To summarize this subject: The longest match is referring to the longest or most specific prefix which is matched against a destination address.

TIP:Longer prefixes are always preferred over shorter ones when forwarding a packet.
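The lookup described above, as an added example (not from the original notes): the /23 entry is the one from the text, and a constructed /24 plus a default route are added to show that when several entries match, the longest prefix wins even though the /23 still matches 192.168.129.14.

```python
import ipaddress

# Constructed routing table. The /23 entry is the page's example; the /24 and
# the default route are assumptions added to show longest-match selection.
ROUTING_TABLE = [
    ("192.168.128.0/23", "192.168.1.1", "FastEthernet0/0"),
    ("192.168.129.0/24", "192.168.2.1", "FastEthernet0/1"),
    ("0.0.0.0/0",        "10.0.0.1",    "Serial0/0"),
]


def prefix_matches(prefix: str, destination: str) -> bool:
    """Compare only the first <prefixlen> bits, exactly as the text describes
    for 192.168.129.14 against 192.168.128.0/23."""
    net = ipaddress.ip_network(prefix)
    dst = int(ipaddress.ip_address(destination))
    shift = 32 - net.prefixlen            # bits we do NOT compare
    return (dst >> shift) == (int(net.network_address) >> shift)


def longest_match(table, destination: str):
    """Return (prefix, next_hop, interface) of the most specific matching
    entry, or None when nothing matches (no default route present)."""
    best = None
    for prefix, next_hop, interface in table:
        if prefix_matches(prefix, destination):
            plen = ipaddress.ip_network(prefix).prefixlen
            if best is None or plen > best[0]:
                best = (plen, prefix, next_hop, interface)
    return None if best is None else best[1:]
```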

Floating Static Routes: OK

You can configure two routes to the same destination with different administrative distances (AD). The route with the lowest AD is installed; when it goes down, the route with the higher AD is installed in its place.

Reliable Static Routing with Enhanced Object Tracking:OK

The Reliable Static Routing Backup Using Object Tracking feature introduces the ability for the Cisco IOS software to use Internet Control Message Protocol (ICMP) pings to identify when a Point-to-Point over Ethernet (PPPoE) or IP Security Protocol (IPSec) Virtual Private Network (VPN) tunnel goes down, allowing the initiation of a backup connection from any alternative port. The Reliable Static Routing Backup Using Object Tracking feature is compatible with both preconfigured static routes and Dynamic Host Configuration Protocol (DHCP) configurations.

Traffic from the remote LAN is forwarded to the main office from the primary interface of the remote router. If the connection to the main office is lost, the status of the tracked object changes from up to down. When the state of the tracked object changes to down, the routing table entry for the primary interface is removed and the preconfigured floating static route is installed on the secondary interface. Traffic is then forwarded to the preconfigured destination from the secondary interface. When the state of the tracked object changes from down to up, the routing table entry for the primary interface is reinstalled and the floating static route for the secondary interface is removed.

Policy Routing:OK

Each entry in a route map statement contains a combination of match and set clauses/commands. The match clauses define the criteria for whether appropriate packets meet the particular policy (that is, the conditions to be met). The set clauses then explain how the packets should be routed once they have met the match criteria. For each combination of match and set commands in a route map statement, all sequential match clauses must be met simultaneously by the packet for the set clauses to be applied. There may be multiple combinations of match and set commands in a full route map statement. The route map statements can also be marked as permit or deny. If the statement is marked as deny, the packets meeting the match criteria are sent back through the normal forwarding channels (in other words, destination-based routing is performed). Only if the statement is marked as permit and the packets meet the match criteria are all the set clauses applied. If the statement is marked as permit and the packets do not meet the match criteria, then those packets are also forwarded through the normal routing channel.

Policy-based routing is applied to incoming packets. All packets received on an interface with policy-based routing enabled are considered for policy-based routing. The router passes the packets through enhanced packet filters called route maps. Based on the criteria defined in the route maps, packets are forwarded/routed to the appropriate next hop.
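The route-map semantics described above, as an added example (not IOS code and not from the original notes): entries are walked in sequence order, every match clause of an entry must hold at once, a matching deny entry or no match at all falls back to normal destination-based routing, and only a matching permit entry applies its set clauses. The next-hop addresses reuse the page's PBR_FROM_R3 values; the ACL prefixes and the length clause are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    length: int = 100


@dataclass
class RouteMapEntry:
    seq: int
    action: str                 # "permit" or "deny"
    matches: list               # predicates; ALL must hold for the entry to match
    sets: dict = field(default_factory=dict)   # e.g. {"next_hop": "155.1.0.5"}


def match_ip_address(acl_prefixes):
    """Simplified 'match ip address <ACL>': source inside any listed prefix."""
    nets = [ipaddress.ip_network(p) for p in acl_prefixes]
    return lambda pkt: any(ipaddress.ip_address(pkt.src) in n for n in nets)


def match_length(minimum: int, maximum: int):
    """'match length <min> <max>' on the packet size."""
    return lambda pkt: minimum <= pkt.length <= maximum


def evaluate_route_map(route_map, pkt):
    """Return the set clauses of the first permit entry whose match clauses all
    hold. Return None (normal destination-based routing) when the first
    matching entry is a deny, or when no entry matches at all."""
    for entry in sorted(route_map, key=lambda e: e.seq):
        if all(m(pkt) for m in entry.matches):
            return dict(entry.sets) if entry.action == "permit" else None
    return None


# Constructed route-map (assumed ACL contents): large packets from R3's LAN are
# denied policy routing, the rest of that LAN goes to 155.1.0.5, R5's LAN to
# 155.1.146.4.
PBR_FROM_R3 = [
    RouteMapEntry(10, "deny",
                  [match_ip_address(["155.1.3.0/24"]), match_length(1000, 1500)]),
    RouteMapEntry(20, "permit",
                  [match_ip_address(["155.1.3.0/24"])], {"next_hop": "155.1.0.5"}),
    RouteMapEntry(30, "permit",
                  [match_ip_address(["155.1.5.0/24"])], {"next_hop": "155.1.146.4"}),
]
```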

Reliable Policy Routing: OK

Reliable Policy Routing can be configured by using the "set ip next-hop verify-availability" statement in a route-map. There are two ways to verify the availability of the next hop. One way is to use CDP. The other way is to use a tracked object (e.g. IP SLA).

Packet Capture: Wireshark_capituras\ICMP_IP_SLA.pcap

Verify availability of the next hop using CDP:

route-map PBR_FROM_R3 permit 10
 match ip address FROM_R3_TO_R4
 set ip next-hop 155.1.0.5
 set ip next-hop verify-availability
 set ip default next-hop 155.1.146.4

Verify availability using a tracked object:

route-map PBR_FROM_R3 permit 20
 match ip address FROM_R3_TO_R5
 set ip next-hop verify-availability 155.1.146.4 1 track 1
 set ip default next-hop 155.1.0.5

Local Policy Routing: OK

Cisco IOS has a special feature called local policy routing, which permits applying a route-map to local (router-generated) traffic. The first way we can use this feature is to re-circulate local traffic (and force it to re-enter the router). Here's an example. By default, locally-generated packets are not inspected by outgoing access-lists. This may cause issues when local traffic is not being reflected under reflexive access-list entries. Say with a configuration like this:

! Reflect all "session-oriented" traffic:

ip access-list extended EGRESS
 permit tcp any any reflect MIRROR
 permit icmp any any reflect MIRROR
 permit udp any any reflect MIRROR
!
! Evaluate the reflected entries
!
ip access-list extended INGRESS
 evaluate MIRROR
 permit ospf any any
!
interface fast 0/0
 ip address 54.1.1.6 255.255.255.0
 ip access-group INGRESS in
 ip access-group EGRESS out

You would not be able to telnet out of the router to destinations behind the Fast interface, even though TCP sessions are reflected in the access-list. To fix the issue, we may use local policy to force the local traffic to re-enter the router and be inspected by the outgoing access-list:

! Redirect local telnet traffic via the Loopback interface
!
ip access-list extended LOCAL_TRAFFIC
 permit tcp any any eq 23
!
route-map LOCAL_POLICY 10
 match ip address LOCAL_TRAFFIC
 set interface Loopback0
!
! Traffic sent to the Loopback interface re-enters the router
!
interface Loopback0
 ip address 150.1.6.6 255.255.255.0

! Command to apply the local policy
!
ip local policy route-map LOCAL_POLICY

With this configuration, a local telnet session will re-enter the router and hit the outgoing access-list, thereby triggering a reflected entry. The same idea may be used to force CBAC inspection of locally-generated traffic, but since 12.3T there has been a special IOS feature to do this natively.

The other useful application of local policy routing is traffic filtering. For example, you may want to prohibit outgoing telnet sessions from the local router to a certain destination:

ip access-list extended BLOCK_TELNET
 permit tcp any host 150.1.1.1 eq 23
!
route-map LOCAL_POLICY 10
 match ip address BLOCK_TELNET
 set interface Null0

!
! Command to apply the local policy
!
ip local policy route-map LOCAL_POLICY
!

The syntax is somewhat similar to the VLAN access-maps used on Catalyst switches, and similarly the route-map is applied globally, i.e. to all router traffic going out on any interface. Note that you may use the same idea to block incoming sessions, simply by reversing the entries in the access-list (e.g. permit tcp any eq 23 host 150.1.1.1). Best of all, with PBR you may apply additional criteria to incoming traffic, e.g. match packet sizes.

The last example is the use of local PBR to apply special treatment to management/control-plane traffic, e.g. to use different output interfaces for out-of-band management. With local PBR you may also apply special marking to control traffic, e.g. selectively assign IP precedence values.

ip access-list extended MANAGEMENT_TRAFFIC
 permit tcp any eq 23 any
 permit tcp any eq 22 any
!
route-map LOCAL_POLICY 10
 match ip address MANAGEMENT_TRAFFIC
 set interface fast 0/1
 set ip precedence 7

ip local policy route-map LOCAL_POLICY

Keep these simple features in mind while considering options for your CCIE lab task solution.

GRE Tunneling: OK

Capture (IP_GRE_EIGRP):

Wireshark_capituras\(IP_GRE_EIGR).pcap

Routing Process:

http://blog.ccna.com.br/2008/12/23/pr-tunelamento-gre-generic-routing-encapsulation/

http://packetlife.net/blog/2012/feb/27/gre-vs-ipip-tunneling/

http://www.h3c.com/portal/Technical_Support___Documents/Technical_Documents/Security_Products/H3C_SecPath_F1000-E/Configuration/Operation_Manual/H3C_SecPath_High-End_OM(F3169_F3207)-5PW106/06/201109/725905_1285_0.htm

GRE Tunneling and Recursive Routing: OK

Problems with recursive routing can be avoided by configuring appropriate static routes to the tunnel destination. A recursive route is when the best path to the "tunnel destination" is through the tunnel itself. This situation will cause the tunnel interface to bounce up and down. You will see the following error when there is a recursive routing problem:

%TUN-RECURDOWN Interface Tunnel0 temporarily disabled due to recursive routing

Solutions:

To avoid recursive routing problems, keep passenger and transport network routing information disjoint with one of these methods:

-> Use a different Autonomous System (AS) number or tag.
-> Use a different routing protocol.
-> Use static routes to override the first hop, but watch for routing loops.
-> Configure an ACL so that the route to the tunnel destination is not learned back through the tunnel.

Wireshark_capituras\(IP_GRE_OSPF).pcap

Wireshark_capituras\(IP_GRE_EIGR).pcap

GRE Backup Interface / GRE Reliable Backup Interface: OK

Today I also looked at using GRE for a backup interface, specifically using the keepalive feature. This is to combat the issue when using a multipoint interface that there is the possibility that end-to-end connectivity is unavailable but the line protocol remains up because of other active DLCIs connected to the multipoint interface. We previously used other preferential solutions like IP SLA or using p2p interfaces, but this is a legacy way of doing it. I need to know it for the exam so I will lab it out.

Wireshark_capituras\(Ping_SRC_IP_Dst_GRE_Backup_interface_).pcap

ODR - On-Demand Routing: OK

ODR allows you to easily install IP stub networks where the hubs dynamically maintain routes to the stub networks. This installation is accomplished without requiring the configuration of an IP routing protocol on the stubs. In fact, from the standpoint of ODR, a router is automatically considered to be a stub when no IP routing protocols have been configured.

A stub router that supports the ODR feature advertises IP prefixes corresponding to the IP networks configured on all directly connected interfaces. If the interface has multiple logical IP networks configured, only the primary IP network is advertised through ODR. Because ODR advertises IP prefixes and not simply IP network numbers, ODR is able to carry variable-length subnet mask (VLSM) information.

Once ODR is enabled on a hub router, the hub router begins installing stub network routes in the IP forwarding table. The hub router also can be configured to redistribute these routes into any configured dynamic IP routing protocols.

ODR uses the Cisco Discovery Protocol to carry minimal routing information between the hub and stub routers. The stub routers send IP prefixes to the hub router. The hub router provides default route information to the stub routers, thereby eliminating the need to configure a default route on each stub router.

TIP: Be careful not to forget to enable CDP, since ODR depends on it. ODR works properly on either broadcast or non-broadcast networks. ODR is not CPU intensive and it consumes very little bandwidth. ODR is able to carry VLSM information. ODR supports several settings.

Configurations: ODR.pdf

Packet capture: Wireshark_capituras\(cdp.tlv.type) or (text)_ODR.pcap

CCIE R&S v5 Advanced Technology Labs - RIP

RIPv2 Basic Configuration: OK

RIPv2 Authentication (without and with MD5): OK

The key chain is the same with and without MD5:

YOU MUST APPLY IT IN BOTH DIRECTIONS!!!

key chain RIP
 key 1
  key-string ccie
!
interface x/x
 ip rip authentication key-chain RIP

Without MD5 (clear-text authentication):

interface x/x
 ip rip authentication key-chain RIP

With MD5:

interface x/x
 ip rip authentication key-chain RIP
 ip rip authentication mode md5

Wireshark_capituras\RIP_Key-chain_sem MD5_(rip.auth.passwd).pcap

Wireshark_capituras\RIP_Key-chain_com MD5_(rip.auth.passwd).pcap

RIPv2 Split Horizon: OK

Split horizon is a method of preventing a routing loop in a network. The basic principle is simple: information about the routing for a particular packet is never sent back in the direction from which it was received. Split horizon can be achieved by means of a technique called poison reverse. This is the equivalent of route poisoning all possible reverse paths, that is, informing all routers that the path back to the originating node for a particular packet has an infinite metric. Split horizon with poison reverse is more effective than simple split horizon in networks with multiple routing paths, although it affords no improvement over simple split horizon in networks with only one routing path.

Example:

RouterA: Loopback 2.2.2.2/32 ; RouterB: Loopback 2.2.2.2/32

Router_C(config-router)#
*Mar 1 01:03:18.383: RIP: received v2 update from 150.30.0.3 on FastEthernet0/0
*Mar 1 01:03:18.387:      1.1.1.1/32 via 0.0.0.0 in 2 hops
*Mar 1 01:03:18.391:      2.2.2.2/32 via 0.0.0.0 in 1 hops
*Mar 1 01:03:18.395:      150.20.20.0/24 via 0.0.0.0 in 1 hops
R4(config-router)#
*Mar 1 01:03:25.519: RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0 (150.30.0.4)
*Mar 1 01:03:25.523: RIP: build update entries
*Mar 1 01:03:25.527:   3.0.0.0/8 via 0.0.0.0, metric 1, tag 0
R4(config-router)#
*Mar 1 01:03:44.943: RIP: received v2 update from 150.30.0.3 on FastEthernet0/0
*Mar 1 01:03:44.943:      2.2.2.2/32 via 0.0.0.0 in 2 hops
*Mar 1 01:03:44.947:      3.3.3.3/32 via 0.0.0.0 in 1 hops
*Mar 1 01:03:44.951:      150.20.20.0/24 via 0.0.0.0 in 1 hops

RIPv2 Auto-Summary: OK

R2(config-router)#do sh ip ro rip
R    1.0.0.0/8 [120/1] via 150.10.1.1, 00:00:03, FastEthernet0/0
R2(config-router)#do sh ip pro
Routing Protocol is "rip"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Sending updates every 30 seconds, next due in 13 seconds
  Invalid after 180 seconds, hold down 180, flushed after 240
  Redistributing: rip
  Default version control: send version 2, receive version 2
    Interface             Send  Recv  Triggered RIP  Key-chain
    FastEthernet0/0       2     2                    RIP
    FastEthernet0/1       2     2
    FastEthernet1/1       2     2
  Automatic network summarization is in effect
  Maximum path: 4
  Routing for Networks:
    2.0.0.0
    150.10.0.0
    150.20.0.0
    150.50.0.0
  Passive Interface(s):
    Loopback2
  Routing Information Sources:
    Gateway         Distance      Last Update
    150.20.20.3          120      00:00:07
    Gateway         Distance      Last Update
    150.10.1.1           120      00:00:08
    150.50.0.4           120      03:48:16
  Distance: (default is 120)
R2(config-router)#

RIPv2 Send and Receive Versions: OK

Local router (R1)

R1(config)#do sh ip pro
Routing Protocol is "rip"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Sending updates every 30 seconds, next due in 12 seconds
  Invalid after 180 seconds, hold down 180, flushed after 240
  Redistributing: rip
  Default version control: send version 2, receive version 2
    Interface             Send  Recv  Triggered RIP  Key-chain
    FastEthernet0/0       1     2                    RIP
  Automatic network summarization is not in effect
  Maximum path: 4
  Routing for Networks:
    1.0.0.0
    10.0.0.0
    66.0.0.0
    150.10.0.0
  Passive Interface(s):
    Loopback1
    Loopback11
    Loopback12
    Loopback13
    Loopback14
    Loopback15
  Passive Interface(s):
    Loopback16
    Loopback66
  Routing Information Sources:
    Gateway         Distance      Last Update
    150.10.1.2           120      00:00:09
  Distance: (default is 120)

Remote (R2)

R2(config-if)#do sh ip pro
Routing Protocol is "rip"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Sending updates every 30 seconds, next due in 21 seconds
  Invalid after 180 seconds, hold down 180, flushed after 240
  Redistributing: rip
  Default version control: send version 2, receive version 2
    Interface             Send  Recv  Triggered RIP  Key-chain
    FastEthernet0/0       1     2     1              RIP
  Automatic network summarization is not in effect
  Maximum path: 4
  Routing for Networks:
    2.0.0.0
    150.10.0.0
    150.20.0.0
    150.50.0.0
  Passive Interface(s):
    Loopback2
  Routing Information Sources:
    Gateway         Distance      Last Update
    150.10.1.1           120      00:00:21
  Distance: (default is 120)

Wireshark_capituras\(rip.version)_V1 and V2_Filter.pcap

RIPv2 Manual Summarization: OK

Bit weights: 128 64 32 16 8 4 2 1

Address: 1.1.2.1   Binary: 00000001.00000001.00000010.00000000
Address: 1.1.3.1   Binary: 00000001.00000001.00000011.00000000
Address: 1.1.4.1   Binary: 00000001.00000001.00000100.00000000
Address: 1.1.5.1   Binary: 00000001.00000001.00000101.00000000
Address: 1.1.6.1   Binary: 00000001.00000001.00000110.00000000

Final IP summary: 1.1.2.0/21

Command application:

interface x/x
 ip summary-address rip 1.1.2.0 255.255.248.0

R2 received the route update from R1:

R2(config-if)#do sh ip ro rip
     1.0.0.0/21 is subnetted, 1 subnets
R       1.1.0.0 [120/1] via 150.10.1.1, 00:00:11, FastEthernet0/0
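The binary worked example above, carried through in code as an added example (not from the original notes): it computes the smallest prefix covering the five loopbacks, shows that 1.1.2.0 is not on a /21 boundary (which is why R2 receives 1.1.0.0/21 rather than 1.1.2.0/21), and lists the address space the summary advertises that none of the component networks actually own. Input prefixes are the page's; the helper names are assumptions.

```python
import ipaddress


def summarize(prefixes):
    """Smallest single prefix covering every input prefix: shorten the mask
    until the lowest and highest covered addresses agree on all kept bits."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    plen = 32
    while plen > 0 and (lo >> (32 - plen)) != (hi >> (32 - plen)):
        plen -= 1
    base = lo & ((0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF)
    return f"{ipaddress.ip_address(base)}/{plen}"


def on_boundary(prefix: str) -> bool:
    """True when the address part is a valid network address for the mask.
    1.1.2.0/21 is not: host bits are set, its network address is 1.1.0.0."""
    try:
        ipaddress.ip_network(prefix, strict=True)
        return True
    except ValueError:
        return False


def normalize(prefix: str) -> str:
    """What actually gets advertised for a summary whose address has host
    bits set: the address is masked down to the network boundary."""
    return str(ipaddress.ip_network(prefix, strict=False))


def uncovered_space(summary: str, prefixes):
    """Blocks inside the summary that belong to none of the component
    prefixes. The summary attracts traffic for these too, which is the
    usual reason to pair a summary with a discard (Null0) route."""
    leftover = [ipaddress.ip_network(summary)]
    for comp in (ipaddress.ip_network(p) for p in prefixes):
        nxt = []
        for block in leftover:
            if comp.subnet_of(block):
                nxt.extend(block.address_exclude(comp))
            else:
                nxt.append(block)
        leftover = nxt
    return sorted(str(n) for n in ipaddress.collapse_addresses(leftover))


# The page's five loopbacks (host routes) and their /24 networks.
LOOPBACKS = ["1.1.2.1/32", "1.1.3.1/32", "1.1.4.1/32", "1.1.5.1/32", "1.1.6.1/32"]
NETWORKS = ["1.1.2.0/24", "1.1.3.0/24", "1.1.4.0/24", "1.1.5.0/24", "1.1.6.0/24"]
```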

Wireshark_capituras\RIP_Summary address_1.1.2.0-21.pcap

RIPv2 Convergence Timers: OK

RIPv2 Offset List: OK

TIP:

R3(config-router)#offset-list filter in 16 fastEthernet 0/0
Access-list type conflicts with prior definition
% This command only accepts named standard IP access-lists.

ip access-list standard filter
 permit 150.50.0.0 0.0.0.255
!
router rip
 version 2
 passive-interface Loopback3
 offset-list filter in 16 FastEthernet0/0

R3(config-router)#do sh ip prot
Routing Protocol is "rip"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Incoming routes in FastEthernet0/0 will have 16 added to metric if on list filter
  Sending updates every 30 seconds, next due in 26 seconds
  Invalid after 180 seconds, hold down 180, flushed after 240
  Redistributing: rip
  Default version control: send version 2, receive version 2
    Interface             Send  Recv  Triggered RIP  Key-chain
    FastEthernet0/0       2     2
    FastEthernet0/1       2     2
  Automatic network summarization is not in effect
  Maximum path: 4
  Routing for Networks:
    3.0.0.0
    150.20.0.0
    150.30.0.0
  Passive Interface(s):
    Loopback3
  Routing Information Sources:
    Gateway         Distance      Last Update
    150.30.0.4           120      00:00:02
    Gateway         Distance      Last Update
    150.20.20.2          120      00:00:00
  Distance: (default is 120)

Log:

R3(config-router)#do deb ip rip
*Mar 1 00:47:00.347: RIP: received v2 update from 150.20.20.2 on FastEthernet0/1
*Mar 1 00:47:00.347:      4.4.4.4/32 via 0.0.0.0 in 2 hops
*Mar 1 00:47:00.355:      150.30.0.0/24 via 0.0.0.0 in 2 hops
*Mar 1 00:47:00.719: RIP: received v2 update from 150.30.0.4 on FastEthernet0/0
*Mar 1 00:47:00.719:      1.1.0.0/21 via 0.0.0.0 in 3 hops
*Mar 1 00:47:00.723:      2.2.2.2/32 via 0.0.0.0 in 2 hops
*Mar 1 00:47:00.727:      4.4.4.4/32 via 0.0.0.0 in 1 hops
*Mar 1 00:47:00.731:      10.10.1.1/32 via 0.0.0.0 in 3 hops
*Mar 1 00:47:00.739:      150.10.1.0/24 via 0.0.0.0 in 2 hops
*Mar 1 00:47:00.743:      150.50.0.0/24 via 0.0.0.0 in 17 hops (inaccessible)
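The split-horizon rules from the RIPv2 Split Horizon section and the offset-list behaviour in the debug above, as one added example (not IOS code and not from the original notes): the update builder omits routes that point back out the sending interface (or poisons them with metric 16), and the receiver adds the configured offset before deciding whether a route is usable, which is how 150.50.0.0/24 arrives at 17 hops and is marked inaccessible. The RIB is constructed for a router in R4's position; the offset-list is modelled as a prefix set instead of a standard ACL.

```python
from dataclasses import dataclass

RIP_INFINITY = 16


@dataclass
class Route:
    prefix: str
    metric: int        # hop count held locally (0 for connected)
    interface: str     # interface the route points out of / was learned on


def build_update(rib, out_interface, poison_reverse=False):
    """Entries advertised out of out_interface as (prefix, metric).
    Simple split horizon: routes reachable via out_interface are left out.
    Poison reverse: they are sent anyway, with an infinite metric."""
    update = []
    for r in rib:
        if r.interface == out_interface:
            if poison_reverse:
                update.append((r.prefix, RIP_INFINITY))
            continue
        update.append((r.prefix, min(r.metric + 1, RIP_INFINITY)))
    return update


def receive_update(entries, in_interface, offset_list=None):
    """Apply 'offset-list <acl> in <offset> <interface>' to entries received
    on in_interface, then flag anything at or above 16 hops as inaccessible.
    offset_list: {"interface": ..., "prefixes": set(...), "offset": int}."""
    result = []
    for prefix, metric in entries:
        if (offset_list and in_interface == offset_list["interface"]
                and prefix in offset_list["prefixes"]):
            metric += offset_list["offset"]
        state = "inaccessible" if metric >= RIP_INFINITY else "usable"
        result.append((prefix, metric, state))
    return result


# Constructed RIB for a router in R4's position: Fa1/1 toward R2, Fa0/0 toward R3.
R4_RIB = [
    Route("4.4.4.4/32",    0, "Loopback4"),
    Route("150.30.0.0/24", 0, "FastEthernet0/0"),
    Route("150.50.0.0/24", 0, "FastEthernet1/1"),
    Route("3.3.3.3/32",    1, "FastEthernet0/0"),
]

# Constructed equivalent of the page's 'offset-list filter in 16 FastEthernet0/0'.
R3_OFFSET_LIST = {"interface": "FastEthernet0/0",
                  "prefixes": {"150.50.0.0/24"}, "offset": 16}
```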

R3(config)#do sh run | se access-list
ip access-list standard filter
 permit 150.50.0.0 0.0.0.255
R3(config)#do sh access-list
Standard IP access list filter
    10 permit 150.50.0.0, wildcard bits 0.0.0.255 (46 matches)

RIPv2 Filtering with Passive Interface: OK

Updates between R2's interface F1/1 and R4: with F1/1 passive, R2 only receives updates on that interface (R4 keeps sending them) and sends none itself, while on the other interface (F0/0) updates are both sent and received.

Topology:

R2 (f1/1) (f1/1) R4

R2(config-router)#do sh ip prot
Routing Protocol is "rip"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Sending updates every 30 seconds, next due in 25 seconds
  Invalid after 180 seconds, hold down 180, flushed after 240
  Redistributing: rip
  Default version control: send version 2, receive version 2
    Interface             Send  Recv  Triggered RIP  Key-chain
    FastEthernet0/0       2     2                    RIP
    FastEthernet0/1       2     2
    Loopback33            2     2
  Automatic network summarization is not in effect
  Maximum path: 4
  Routing for Networks:
    2.0.0.0
    33.0.0.0
    150.10.0.0
    150.20.0.0
    150.50.0.0
  Passive Interface(s):
    FastEthernet1/1
    Loopback2
  Routing Information Sources:
    Gateway         Distance      Last Update
    150.20.20.3          120      00:00:23
    150.10.1.1           120      00:00:24
    150.50.0.4           120      00:00:15
  Distance: (default is 120)

R4(config)#do deb ip rip
*Mar 1 01:15:01.167: RIP: sending v2 update to 224.0.0.9 via FastEthernet1/1 (150.50.0.4)
*Mar 1 01:15:01.171: RIP: build update entries
*Mar 1 01:15:01.171:   3.3.3.3/32 via 0.0.0.0, metric 2, tag 0
*Mar 1 01:15:01.171:   4.4.4.4/32 via 0.0.0.0, metric 1, tag 0
*Mar 1 01:15:01.171:   150.30.0.0/24 via 0.0.0.0, metric 1, tag 0
*Mar 1 01:15:01.191: RIP: received v2 update from 150.30.0.3 on FastEthernet0/0
*Mar 1 01:15:01.191:      1.1.0.0/21 via 0.0.0.0 in 3 hops
*Mar 1 01:15:01.195:      2.2.2.2/32 via 0.0.0.0 in 2 hops
*Mar 1 01:15:01.199:      3.3.3.3/32 via 0.0.0.0 in 1 hops
*Mar 1 01:15:01.199:      10.10.1.1/32 via 0.0.0.0 in 3 hops
*Mar 1 01:15:01.203:      33.33.33.33/32 via 0.0.0.0 in 2 hops
*Mar 1 01:15:01.207:      66.66.66.0/24 via 0.0.0.0 in 3 hops
*Mar 1 01:15:01.211:      150.10.1.0/24 via 0.0.0.0 in 2 hops
*Mar 1 01:15:01.215:      150.20.20.0/24 via 0.0.0.0 in 1 hops
*Mar 1 01:15:01.215:      150.50.0.0/24 via 0.0.0.0 in 2 hops
*Mar 1 01:15:18.655: RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0 (150.30.0.4)
*Mar 1 01:15:18.659: RIP: build update entries
*Mar 1 01:15:18.659:   1.1.0.0/21 via 0.0.0.0, metric 3, tag 0
*Mar 1 01:15:18.663:   2.2.2.2/32 via 0.0.0.0, metric 2, tag 0
*Mar 1 01:15:18.667:   4.4.4.4/32 via 0.0.0.0, metric 1, tag 0
*Mar 1 01:15:18.671:   10.10.1.1/32 via 0.0.0.0, metric 3, tag 0
*Mar 1 01:15:18.675:   33.33.33.33/32 via 0.0.0.0, metric 2, tag 0
*Mar 1 01:15:18.675:   66.66.66.0/24 via 0.0.0.0, metric 3, tag 0
*Mar 1 01:15:18.679:   150.10.1.0/24 via 0.0.0.0, metric 2, tag 0
*Mar 1 01:15:18.679:   150.50.0.0/24 via 0.0.0.0, metric 1, tag 0
*Mar 1 01:15:26.787: RIP: sending v2 update to 224.0.0.9 via FastEthernet1/1 (150.50.0.4)
*Mar 1 01:15:26.791: RIP: build update entries
*Mar 1 01:15:26.791:   3.3.3.3/32 via 0.0.0.0, metric 2, tag 0
*Mar 1 01:15:26.795:   4.4.4.4/32 via 0.0.0.0, metric 1, tag 0
*Mar 1 01:15:26.799:   150.30.0.0/24 via 0.0.0.0, metric 1, tag 0
*Mar 1 01:15:30.815: RIP: received v2 update from 150.30.0.3 on FastEthernet0/0
*Mar 1 01:15:30.815:      1.1.0.0/21 via 0.0.0.0 in 3 hops
*Mar 1 01:15:30.819:      2.2.2.2/32 via 0.0.0.0 in 2 hops
*Mar 1 01:15:30.823:      3.3.3.3/32 via 0.0.0.0 in 1 hops
*Mar 1 01:15:30.827:      10.10.1.1/32 via 0.0.0.0 in 3 hops
*Mar 1 01:15:30.827:      33.33.33.33/32 via 0.0.0.0 in 2 hops
*Mar 1 01:15:30.827:      66.66.66.0/24 via 0.0.0.0 in 3 hops
*Mar 1 01:15:30.827:      150.10.1.0/24 via 0.0.0.0 in 2 hops
*Mar 1 01:15:30.827:      150.20.20.0/24 via 0.0.0.0 in 1 hops
*Mar 1 01:15:30.827:      150.50.0.0/24 via 0.0.0.0 in 2 hops

RIPv2 Filtering with Prefix-Lists: OK
R1 won't advertise 1.1.2.1/32 and 1.1.5.1/32 to R2.
Topology: R1 R2

R1(config)#do sh run | se ip prefix
ip prefix-list R1_to_R2 seq 5 deny 1.1.2.1/32
ip prefix-list R1_to_R2 seq 10 deny 1.1.5.1/32
ip prefix-list R1_to_R2 seq 15 permit 0.0.0.0/0 ge 32

R1(config)#do sh run | sec router rip
router rip
 version 2
 passive-interface Loopback1
 network 1.0.0.0
 network 150.10.0.0
 distribute-list prefix R1_to_R2 in FastEthernet0/0
 no auto-summary

R2(config-router)#do sh ip ro rip | in 1.1
     1.0.0.0/32 is subnetted, 6 subnets
R       1.1.1.1 [120/1] via 150.10.1.1, 00:00:01, FastEthernet0/0
R       1.1.3.1 [120/1] via 150.10.1.1, 00:00:01, FastEthernet0/0
R       1.1.2.1 [120/1] via 150.10.1.1, 00:00:01, FastEthernet0/0
R       1.1.5.1 [120/1] via 150.10.1.1, 00:00:01, FastEthernet0/0
R       1.1.4.1 [120/1] via 150.10.1.1, 00:00:01, FastEthernet0/0
R       1.1.6.1 [120/1] via 150.10.1.1, 00:00:01, FastEthernet0/0
R2(config-router)#do cle ip ro *
R2(config-router)#do sh ip rou rip | in 1.1.
R       1.1.1.1 [120/1] via 150.10.1.1, 00:00:07, FastEthernet0/0
R       1.1.3.1 [120/1] via 150.10.1.1, 00:00:07, FastEthernet0/0
R       1.1.4.1 [120/1] via 150.10.1.1, 00:00:07, FastEthernet0/0
R       1.1.6.1 [120/1] via 150.10.1.1, 00:00:07, FastEthernet0/0
R       10.10.1.1 [120/1] via 150.10.1.1, 00:00:07, FastEthernet0/0

RIPv2 Filtering with Standard Access-Lists: OK
Topology: R1 R2
R2 receives 1.1.6.1/32 from R1 and filters it with a standard access-list.

R2(config-router)#do sh ip rou rip
     1.0.0.0/32 is subnetted, 6 subnets
R       1.1.1.1 [120/1] via 150.10.1.1, 00:00:10, FastEthernet0/0
R       1.1.3.1 [120/1] via 150.10.1.1, 00:00:10, FastEthernet0/0
R       1.1.2.1 [120/1] via 150.10.1.1, 00:00:10, FastEthernet0/0
R       1.1.5.1 [120/1] via 150.10.1.1, 00:00:10, FastEthernet0/0
R       1.1.4.1 [120/1] via 150.10.1.1, 00:00:10, FastEthernet0/0
R       1.1.6.1 [120/1] via 150.10.1.1, 00:00:10, FastEthernet0/0

R2(config)#do sh run | se access-list
access-list 1 deny 1.1.6.1
access-list 1 permit any

R2(config)#do sh run | be router rip
router rip
 version 2
 passive-interface Loopback2
 network 2.0.0.0
 network 33.0.0.0
 network 150.10.0.0
 network 150.20.0.0
 network 150.50.0.0
 distribute-list 1 in FastEthernet0/0
 no auto-summary

R2(config-router)#do sh ip rout rip | in 1.1
     1.0.0.0/32 is subnetted, 5 subnets
R       1.1.1.1 [120/1] via 150.10.1.1, 00:00:01, FastEthernet0/0
R       1.1.3.1 [120/1] via 150.10.1.1, 00:00:01, FastEthernet0/0
R       1.1.2.1 [120/1] via 150.10.1.1, 00:00:01, FastEthernet0/0
R       1.1.5.1 [120/1] via 150.10.1.1, 00:00:01, FastEthernet0/0
R       1.1.4.1 [120/1] via 150.10.1.1, 00:00:01, FastEthernet0/0

R2(config-router)#do sh access-list
Standard IP access list 1
    10 deny   1.1.6.1 (6 matches)
    20 permit any (42 matches)

RIPv2 Filtering with Extended Access-Lists: OK
If we use extended access-lists, the logic is a little different: the "source" in the access-list is the IP of the advertising router, and the "destination" is the prefix to permit or deny.

Topology: R1 R2

access-list 100 deny ip host 150.10.1.1 host 1.1.3.1
access-list 100 permit ip any any

router rip
 version 2
 network 2.0.0.0
 network 150.10.0.0
 network 150.20.0.0
 network 150.50.0.0
 distribute-list 100 in FastEthernet0/0

R2(config)#do sh access-list
Extended IP access list 100
    10 deny ip host 150.10.1.1 host 1.1.3.1 (6 matches)
    20 permit ip any any (7 matches)

R2(config)#do sh ip ro rip
     1.0.0.0/32 is subnetted, 5 subnets
R       1.1.1.1 [120/1] via 150.10.1.1, 00:00:20, FastEthernet0/0
R       1.1.2.1 [120/1] via 150.10.1.1, 00:00:20, FastEthernet0/0
R       1.1.5.1 [120/1] via 150.10.1.1, 00:00:20, FastEthernet0/0
R       1.1.4.1 [120/1] via 150.10.1.1, 00:00:20, FastEthernet0/0
R       1.1.6.1 [120/1] via 150.10.1.1, 00:00:20, FastEthernet0/0
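The three filtering labs above (prefix-list, standard ACL, extended ACL) all hang off the same "distribute-list ... in" evaluation: first matching entry wins, implicit deny at the end, and for an extended ACL the source is the advertising router while the destination is the route. The following Python model is an added example, not the lab's or IOS's own code; the prefix data is copied from the lab, the matching rules are a constructed re-implementation of the documented semantics.

```python
# Added example (not the lab's own code): IOS distribute-list semantics for RIPv2.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

Net = ipaddress.IPv4Network
ANY = Net("0.0.0.0/0")


@dataclass
class PrefixEntry:
    seq: int
    action: str                  # "permit" or "deny"
    prefix: Net
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, route: Net) -> bool:
        # Route must sit inside the entry's prefix. Without ge/le the length must
        # match exactly; "ge N" allows N..32; "le N" allows prefixlen..N.
        if route.prefixlen < self.prefix.prefixlen or route.network_address not in self.prefix:
            return False
        lo = self.ge if self.ge is not None else self.prefix.prefixlen
        hi = self.le if self.le is not None else (32 if self.ge is not None else lo)
        return lo <= route.prefixlen <= hi


def prefix_list_permits(entries: List[PrefixEntry], route: Net) -> bool:
    """First matching entry in seq order decides; no match means deny."""
    for entry in sorted(entries, key=lambda e: e.seq):
        if entry.matches(route):
            return entry.action == "permit"
    return False


@dataclass
class AclEntry:
    action: str
    src: Net   # extended ACL "source" = advertising router; ANY for a standard ACL
    net: Net   # extended ACL "destination" (standard ACL address) = route network


def acl_permits(entries: List[AclEntry], advertiser: str, route: Net) -> bool:
    """Top-down match on (advertiser, route network) with the implicit deny at the end."""
    adv = ipaddress.IPv4Address(advertiser)
    for entry in entries:
        if adv in entry.src and route.network_address in entry.net:
            return entry.action == "permit"
    return False


def filter_update(advertiser: str, routes: List[str], prefix_list=None, acl=None) -> List[str]:
    """Routes the receiving router keeps from `advertiser` after the inbound filter."""
    kept = []
    for cidr in routes:
        net = Net(cidr)
        if prefix_list is not None and not prefix_list_permits(prefix_list, net):
            continue
        if acl is not None and not acl_permits(acl, advertiser, net):
            continue
        kept.append(cidr)
    return kept


# Lab's R1_to_R2 prefix-list: drop two /32s, keep every other /32, deny the rest.
R1_TO_R2 = [PrefixEntry(5, "deny", Net("1.1.2.1/32")),
            PrefixEntry(10, "deny", Net("1.1.5.1/32")),
            PrefixEntry(15, "permit", Net("0.0.0.0/0"), ge=32)]
# Lab's access-list 100: drop 1.1.3.1 only when R1 (150.10.1.1) advertises it.
ACL_100 = [AclEntry("deny", Net("150.10.1.1/32"), Net("1.1.3.1/32")),
           AclEntry("permit", ANY, ANY)]
# Constructed update mirroring the prefixes R1 sends R2 in the lab.
R1_UPDATE = ["1.1.1.1/32", "1.1.2.1/32", "1.1.3.1/32", "1.1.4.1/32",
             "1.1.5.1/32", "1.1.6.1/32", "10.10.1.1/32", "66.66.66.0/24"]
```

Running `filter_update("150.10.1.1", R1_UPDATE, prefix_list=R1_TO_R2)` reproduces the post-clear table R2 shows (1.1.2.1 and 1.1.5.1 gone, 10.10.1.1 kept, and the /24 silently dropped by the "ge 32" rule), while the same route 1.1.3.1 passes ACL_100 when it arrives from any advertiser other than 150.10.1.1.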

RIPv2 Filtering with Offset Lists: OK
Topology: R2 R3

R2(config-router)#do sh run | se access-list
access-list 1 deny 1.1.1.1
access-list 1 deny 1.1.3.1
access-list 1 deny 1.1.2.1
access-list 1 deny 1.1.5.1
access-list 1 deny 1.1.4.1
access-list 1 permit 1.1.6.1
access-list 1 deny 66.66.66.0
access-list 1 deny 150.10.1.0

R2(config-router)#do sh run | sec router rip
router rip
 version 2
 offset-list 1 out 15 FastEthernet0/1
 network 2.0.0.0
 network 150.10.0.0
 network 150.20.0.0
 network 150.50.0.0
 no auto-summary

R3(config)#do deb ip rip
*Mar 1 00:15:49.867: RIP: received v2 update from 150.20.20.2 on FastEthernet0/1
*Mar 1 00:15:49.867: 1.1.6.1/32 via 0.0.0.0 in 16 hops (inaccessible)

RIPv2 Filtering with Administrative Distance: OK
Topology: R1 R2

router rip
 version 2
 network 2.0.0.0
 network 150.10.0.0
 network 150.20.0.0
 network 150.50.0.0
 distance 200 150.10.1.1 0.0.0.0 1

R2(config-router)#do sh run | se access-list
access-list 1 deny 2.2.2.2
access-list 1 permit any

R2(config-router)#do sh ip ro
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 5 subnets
R       1.1.1.1 [200/1] via 150.10.1.1, 00:00:13, FastEthernet0/0
R       1.1.2.1 [200/1] via 150.10.1.1, 00:00:13, FastEthernet0/0
R       1.1.5.1 [200/1] via 150.10.1.1, 00:00:13, FastEthernet0/0
R       1.1.4.1 [200/1] via 150.10.1.1, 00:00:13, FastEthernet0/0
R       1.1.6.1 [200/1] via 150.10.1.1, 00:00:13, FastEthernet0/0
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback2
     10.0.0.0/32 is subnetted, 1 subnets
C       150.10.1.0 is directly connected, FastEthernet0/0

R2(config-router)#do sh access-list
Standard IP access list 1
    10 deny   2.2.2.2
    20 permit any (48 matches)

RIPv2 Filtering with Per-Neighbor AD: OK

access-list 1 permit 1.1.1.1
access-list 1 permit 1.1.5.1

router rip
 version 2
 network 2.0.0.0
 network 150.10.0.0
 network 150.20.0.0
 network 150.50.0.0
 distance 250 150.10.1.1 0.0.0.0 1

R2(config)#do sh ip prot
Routing Protocol is "rip"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Sending updates every 30 seconds, next due in 24 seconds
  Invalid after 180 seconds, hold down 180, flushed after 240
  Redistributing: rip
  Default version control: send version 2, receive version 2
    Interface             Send  Recv  Triggered RIP  Key-chain
    FastEthernet0/0       2     2                    RIP
    FastEthernet0/1       2     2
    FastEthernet1/1       2     2
    Loopback2             2     2
  Automatic network summarization is in effect
  Maximum path: 4
  Routing for Networks:
    2.0.0.0
    150.10.0.0
    150.20.0.0
    150.50.0.0
  Routing Information Sources:
    Gateway         Distance      Last Update
    150.10.1.1           250      00:00:01
  Distance: (default is 120)
    Address         Wild mask       Distance  List
    150.10.1.1      0.0.0.0              250  1

R2(config)#do sh ip ro rip
     1.0.0.0/32 is subnetted, 6 subnets
R       1.1.1.1 [250/1] via 150.10.1.1, 00:00:13, FastEthernet0/0
R       1.1.3.1 [120/1] via 150.10.1.1, 00:00:13, FastEthernet0/0
R       1.1.2.1 [120/1] via 150.10.1.1, 00:00:13, FastEthernet0/0
R       1.1.5.1 [250/1] via 150.10.1.1, 00:00:13, FastEthernet0/0
R       1.1.4.1 [120/1] via 150.10.1.1, 00:00:13, FastEthernet0/0
R       1.1.6.1 [120/1] via 150.10.1.1, 00:00:13, FastEthernet0/0
     10.0.0.0/32 is subnetted, 1 subnets
R       10.10.1.1 [120/1] via 150.10.1.1, 00:00:13, FastEthernet0/0

RIPv2 Default Routing
Topology: R1 R2 R3

RIP has a built-in feature that allows it to advertise a default route to its direct neighbors, which then propagates throughout the entire RIP routing domain. Using this type of configuration can save a company money on the man-hours required to configure a static default route on each and every router and/or switch in the network, not counting general router/switch maintenance. Advertising a default route via RIP is done by a single command executed in RIP router configuration mode: default-information originate.

Capture: Wireshark_capituras\RIP_default-information_route_receveid from R1 do R3(r1-r2-r3).pcap

Configurations:
R1:
R1(config-router)#do sh run | sec router rip
router rip
 version 2
 network 1.0.0.0
 network 99.0.0.0
 default-information originate
 no auto-summary

R2(config-router)#do sh run | sec router rip
router rip
 version 2
 network 1.0.0.0
 network 2.0.0.0
 no auto-summary

R2(config-if)#do sh ip ro
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 1.1.2.1 to network 0.0.0.0

     1.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C       1.1.1.0/24 is directly connected, FastEthernet0/0
C       1.1.2.0/24 is directly connected, FastEthernet1/0
C       1.1.3.0/24 is directly connected, FastEthernet0/1
R       1.10.10.10/32 [120/1] via 1.1.2.1, 00:00:03, FastEthernet1/0
                      [120/1] via 1.1.1.1, 00:00:08, FastEthernet0/0
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback2
R    3.0.0.0/8 [120/1] via 1.1.3.3, 00:00:01, FastEthernet0/1
R*   0.0.0.0/0 [120/1] via 1.1.2.1, 00:00:04, FastEthernet1/0
               [120/1] via 1.1.1.1, 00:00:09, FastEthernet0/0

R3(config-router)#do sh run | sec router rip
router rip
 version 2
 network 1.0.0.0
 network 3.0.0.0
 no auto-summary

R3(config-router)#do sh ip ro
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 1.1.3.2 to network 0.0.0.0

     1.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
R       1.1.1.0/24 [120/1] via 1.1.3.2, 00:00:23, FastEthernet0/1
R       1.1.2.0/24 [120/1] via 1.1.3.2, 00:00:23, FastEthernet0/1
C       1.1.3.0/24 is directly connected, FastEthernet0/1
R       1.10.10.10/32 [120/2] via 1.1.3.2, 00:00:23, FastEthernet0/1
     2.0.0.0/32 is subnetted, 1 subnets
R       2.2.2.2 [120/1] via 1.1.3.2, 00:00:23, FastEthernet0/1
     3.0.0.0/32 is subnetted, 1 subnets
C       3.3.3.3 is directly connected, Loopback3
     99.0.0.0/32 is subnetted, 1 subnets
R       99.99.99.99 [120/2] via 1.1.3.2, 00:00:24, FastEthernet0/1
R*   0.0.0.0/0 [120/2] via 1.1.3.2, 00:00:24, FastEthernet0/1

RIPv2 Conditional Default Routing: OK
Same idea as in 3), but here we specify an exit interface out of which the default route is sent. For me it was a little bit confusing at the beginning because the route-map is used in a non-standard fashion in our case. We first configure a route-map that declares the interface through which the default route should be sent out; all other interfaces are then denied.

router rip
 network 1.0.0.0
 network 10.0.0.0
 default-information originate route-map filter
 no auto-summary

route-map filter permit 10
 set interface FastEthernet0/0

RIPv2 Reliable Conditional Default Routing: OK
The last thing is that we can add reliability information to our route-map. With the conditions we used in 5) we can only react to conditions brought to us by routing protocols and the like. With "reliable" we want to actively track some condition; to do this we use the IOS feature called IP SLA. What I am going to do now is actively track the loopback of R2 (it could of course be any other IP address) with ICMP echoes, and inject a default route into the RIP domain as long as R2's loopback is available.

ip route 69.69.69.69 255.255.255.255 Null0 track 1

ip prefix-list ccie seq 10 permit 69.69.69.69/32

ip sla 1
 icmp-echo 2.2.2.2 source-interface Loopback1
 timeout 1000
 frequency 2
ip sla schedule 1 life forever start-time now

track 1 rtr 1

route-map filter_reliable permit 10
 match ip address prefix-list ccie

router rip
 version 2
 passive-interface Loopback1
 network 1.0.0.0
 network 10.0.0.0
 default-information originate route-map filter_reliable
 no auto-summary

RIPv2 Unicast Updates: OK
Topology: R1 R2

There is another advantage to configuring RIP with static neighbor relationships, which is added security, but there is one catch! By default RIPv2 sends multicast updates out all interfaces that fall within the range of the network command. If you configure a static neighbor, the router will not only send unicast updates to that neighbor out the respective link; it will also send multicast updates out the same link. To prevent this, you must use the Passive Interface feature.

A RIP Passive Interface, in a nutshell, prevents the RIP routing process from sending multicast/broadcast updates out a specified interface. A RIP Passive Interface does not block unicast updates, however. Keep in mind that a Passive Interface DOES NOT block incoming multicast/broadcast updates, so the router will still process the RIP updates it receives.

With that in mind, it is quite common in secure networks for the passive interface feature to be used on all interfaces and for the neighbors to be configured statically, to prevent RIP route snooping via Wireshark.

Configurations:
R1(config-router)#do sh run | sec router rip
router rip
 version 2
 passive-interface Serial0/0
 passive-interface Serial0/1
 passive-interface Loopback1
 network 1.0.0.0
 network 10.0.0.0
 network 20.0.0.0
 neighbor 20.20.20.2
 neighbor 10.10.10.2
 no auto-summary

R2(config-router)#do sh run | se router rip
router rip
 version 2
 passive-interface Serial0/0
 passive-interface Serial0/1
 passive-interface Loopback2
 network 2.0.0.0
 network 10.0.0.0
 network 20.0.0.0
 neighbor 20.20.20.1
 neighbor 10.10.10.1
 no auto-summary

R1(config-router)#
*Mar 1 00:11:18.731: RIP: received v2 update from 10.10.10.2 on Serial0/0
*Mar 1 00:11:18.735: 2.2.2.2/32 via 0.0.0.0 in 1 hops
*Mar 1 00:11:18.735: 20.20.20.0/24 via 0.0.0.0 in 1 hops
*Mar 1 00:11:18.735: 20.20.20.1/32 via 0.0.0.0 in 1 hops
*Mar 1 00:11:18.739: RIP: received v2 update from 20.20.20.2 on Serial0/1
*Mar 1 00:11:18.739: 2.2.2.2/32 via 0.0.0.0 in 1 hops
*Mar 1 00:11:18.739: 10.10.10.0/24 via 0.0.0.0 in 1 hops
*Mar 1 00:11:18.743: 10.10.10.1/32 via 0.0.0.0 in 1 hops
R1(config-router)#
*Mar 1 00:11:37.587: RIP: sending v2 update to 10.10.10.2 via Serial0/0 (10.10.10.1)
*Mar 1 00:11:37.587: RIP: build update entries
*Mar 1 00:11:37.587: 1.1.1.1/32 via 0.0.0.0, metric 1, tag 0
*Mar 1 00:11:37.591: 20.20.20.0/24 via 0.0.0.0, metric 1, tag 0
*Mar 1 00:11:37.591: 20.20.20.2/32 via 0.0.0.0, metric 1, tag 0
R1(config-router)#
*Mar 1 00:11:39.219: RIP: sending v2 update to 20.20.20.2 via Serial0/1 (20.20.20.1)
*Mar 1 00:11:39.219: RIP: build update entries
*Mar 1 00:11:39.219: 1.1.1.1/32 via 0.0.0.0, metric 1, tag 0
*Mar 1 00:11:39.223: 10.10.10.0/24 via 0.0.0.0, metric 1, tag 0
*Mar 1 00:11:39.223: 10.10.10.2/32 via 0.0.0.0, metric 1, tag 0

RIPv2 Broadcast Updates: OK

R1(config-if)#
*Mar 1 00:02:20.587: RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0 (150.10.1.1)
*Mar 1 00:02:20.591: RIP: build update entries
*Mar 1 00:02:20.591: 1.1.1.1/32 via 0.0.0.0, metric 1, tag 0
*Mar 1 00:02:20.595: 1.1.2.1/32 via 0.0.0.0, metric 1, tag 0
*Mar 1 00:02:20.599: 1.1.3.1/32 via 0.0.0.0, metric 1, tag 0
*Mar 1 00:02:20.599: 1.1.4.1/32 via 0.0.0.0, metric 1, tag 0
*Mar 1 00:02:20.603: 1.1.5.1/32 via 0.0.0.0, metric 1, tag 0
*Mar 1 00:02:20.607: 1.1.6.1/32 via 0.0.0.0, metric 1, tag 0
*Mar 1 00:02:20.611: 10.10.1.1/32 via 0.0.0.0, metric 1, tag 0
*Mar 1 00:02:20.611: 66.66.66.0/24 via 0.0.0.0, metric 1, tag 0
R1(config-if)#
*Mar 1 00:02:26.831: RIP: received packet with MD5 authentication
*Mar 1 00:02:26.831: RIP: received v2 update from 150.10.1.2 on FastEthernet0/0
*Mar 1 00:02:26.835: 2.0.0.0/8 via 0.0.0.0 in 1 hops
R1(config)#interface fas 0/0
R1(config-if)#ip rip v2-broadcast
R1(config-if)#
*Mar 1 00:02:50.411: RIP: sending v2 update to 255.255.255.255 via FastEthernet0/0 (150.10.1.1)
*Mar 1 00:02:50.415: RIP: build update entries
*Mar 1 00:02:50.415: 1.1.1.1/32 via 0.0.0.0, metric 1, tag 0
*Mar 1 00:02:50.419: 1.1.2.1/32 via 0.0.0.0, metric 1, tag 0
*Mar 1 00:02:50.419: 1.1.3.1/32 via 0.0.0.0, metric 1, tag 0
*Mar 1 00:02:50.419: 1.1.4.1/32 via 0.0.0.0, metric 1, tag 0
*Mar 1 00:02:50.419: 1.1.5.1/32 via 0.0.0.0, metric 1, tag 0
*Mar 1 00:02:50.419: 1.1.6.1/32 via 0.0.0.0, metric 1, tag 0
*Mar 1 00:02:50.419: 10.10.1.1/32 via 0.0.0.0, metric 1, tag 0
*Mar 1 00:02:50.419: 66.66.66.0/24 via 0.0.0.0, metric 1, tag 0
R1(config-if)#
*Mar 1 00:02:53.535: RIP: received packet with MD5 authentication
*Mar 1 00:02:53.535: RIP: received v2 update from 150.10.1.2 on FastEthernet0/0
*Mar 1 00:02:53.539: 2.0.0.0/8 via 0.0.0.0 in 1 hops
R1(config-if)#

RIPv2 Source Validation: OK

Use the no validate-update-source command under router rip if the neighbor is speaking to the router from an IP that is not on the local subnet (a secondary address is one example).

Topology: R1 R2

R1:
interface Serial0/0
 ip address 11.11.11.1 255.255.255.0
 encapsulation ppp
 clock rate 2000000
end

R2:
interface Serial0/0
 ip address 10.10.10.2 255.255.255.0
 encapsulation ppp
 clock rate 2000000
end

R1(config)#router rip
R1(config-router)#validate-update-source
*Mar 1 01:09:52.847: RIP: ignored v2 update from bad source 10.10.10.2 on Serial0/0

R1(config-router)#do sh run | se router rip
router rip
 version 2
 validate-update-source
 network 0.0.0.0
 no auto-summary

R1(config-router)#no validate-update-source
R1(config-router)#do sh run | se router rip
router rip
 version 2
 no validate-update-source
 network 0.0.0.0
 no auto-summary

YOU must configure this feature in both directions (on R1 and on R2)!

LOGS

*Mar 1 01:11:17.463: RIP: received v2 update from 10.10.10.2 on Serial0/0
*Mar 1 01:11:17.467: 2.2.2.2/32 via 0.0.0.0 in 1 hops
R1(config-router)#
*Mar 1 01:11:24.479: RIP: sending v2 update to 224.0.0.9 via Serial0/0 (11.11.11.1)
*Mar 1 01:11:24.479: RIP: build update entries
*Mar 1 01:11:24.479: 1.1.1.1/32 via 0.0.0.0, metric 1, tag 0

R1(config-router)#do sh ip ro
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback1
     2.0.0.0/32 is subnetted, 1 subnets
R       2.2.2.2 [120/1] via 10.10.10.2, 00:00:24
     10.0.0.0/32 is subnetted, 1 subnets
C       10.10.10.2 is directly connected, Serial0/0
     11.0.0.0/24 is subnetted, 1 subnets
C       11.11.11.0 is directly connected, Serial0/0
R1(config-router)#

==========================================================================

R2(config-router)#do sh ip ro
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
R       1.1.1.1 [120/1] via 11.11.11.1, 00:00:26
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback2
     10.0.0.0/24 is subnetted, 1 subnets
C       10.10.10.0 is directly connected, Serial0/0
     11.0.0.0/32 is subnetted, 1 subnets
C       11.11.11.1 is directly connected, Serial0/0
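To see what "ignored v2 update from bad source" actually decides on, the following added example (not the lab's or IOS's own code) builds a RIPv2 Response the way R2 would send it on UDP 520, decodes it, and applies the validate-update-source rule: the sender must lie inside the receiving interface's subnet, which 10.10.10.2 does not on R1's 11.11.11.1/24 Serial0/0. It also flags a hop count of 16 as inaccessible, the same condition the offset-list lab produced. The packet bytes and addresses are constructed here to match the lab.

```python
# Added example (not the lab's own code): decode a RIPv2 Response and apply
# the validate-update-source check the way R1's Serial0/0 did in the lab.
import ipaddress
import struct
from typing import List, Tuple

RIP_PORT = 520        # RIP runs over UDP port 520
RIP_RESPONSE = 2      # command byte for a Response (the periodic update)
RIP_INFINITY = 16     # hop count 16 = unreachable ("inaccessible" in debug ip rip)
ENTRY = struct.Struct("!HH4s4s4sI")   # AFI, tag, address, mask, next hop, metric


def build_response(entries: List[Tuple[str, int]]) -> bytes:
    """Constructed RIPv2 Response: 4-byte header plus one 20-byte entry per route."""
    pkt = struct.pack("!BBH", RIP_RESPONSE, 2, 0)
    for cidr, metric in entries:
        net = ipaddress.IPv4Network(cidr)
        # AFI 2 = IP, route tag 0, next hop 0.0.0.0 = "use the sender"
        pkt += ENTRY.pack(2, 0, net.network_address.packed, net.netmask.packed, bytes(4), metric)
    return pkt


def decode_response(pkt: bytes) -> List[dict]:
    """Parse the entries; a metric of 16 or more is flagged inaccessible."""
    cmd, ver, _ = struct.unpack("!BBH", pkt[:4])
    if cmd != RIP_RESPONSE or ver != 2:
        raise ValueError("not a RIPv2 Response")
    routes = []
    for off in range(4, len(pkt), ENTRY.size):
        afi, tag, addr, mask, _nh, metric = ENTRY.unpack(pkt[off:off + ENTRY.size])
        if afi != 2:
            continue   # AFI 0xFFFF would be an authentication entry; not modelled here
        net = ipaddress.IPv4Network(f"{ipaddress.IPv4Address(addr)}/{ipaddress.IPv4Address(mask)}")
        routes.append({"prefix": str(net), "metric": metric, "tag": tag,
                       "inaccessible": metric >= RIP_INFINITY})
    return routes


def accept_update(src_ip: str, iface_cidr: str, validate: bool = True) -> bool:
    """IOS default (validate-update-source): the sender must be on the receiving
    interface's subnet. validate=False models `no validate-update-source`."""
    iface = ipaddress.ip_interface(iface_cidr)
    return (not validate) or ipaddress.ip_address(src_ip) in iface.network


def process(src_ip: str, iface_cidr: str, pkt: bytes, validate: bool = True) -> List[dict]:
    """Routes the router would install from this packet; [] if the source is rejected."""
    if not accept_update(src_ip, iface_cidr, validate):
        return []   # the lab's "RIP: ignored v2 update from bad source ..." case
    return [r for r in decode_response(pkt) if not r["inaccessible"]]


# Constructed sample: R2 (10.10.10.2/24) sending to R1, whose Serial0/0 is 11.11.11.1/24.
R2_UPDATE = build_response([("2.2.2.2/32", 1), ("1.1.6.1/32", RIP_INFINITY)])
```

With validation on, `process("10.10.10.2", "11.11.11.1/24", R2_UPDATE)` returns nothing, matching the debug line in the lab; with validate=False only 2.2.2.2/32 is installed, because the 16-hop entry is unreachable even though the packet itself is now accepted.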

RIP_commands.pdf
Convergence in RIP Internetworks: http://technet.microsoft.com/en-us/library/cc940478.aspx
https://sites.google.com/site/plan4ccie/config-template-vol1/01-ine-vol1-outline/lab04-rip

Things you must never forget about RIP:
1. The RIP process operates from UDP port 520.
2. The metric used by RIP is hop count, with 1 signifying a directly connected network of the advertising router and 16 signifying an unreachable network.
3. RIP sends periodic updates every 30 seconds minus a small random variable that prevents the updates of neighboring routers from becoming synchronized.
4. A default route can be advertised in the RIP domain in several ways, e.g. (1) a static route to 0.0.0.0 with the redistribute static command, (2) the default-information originate command, and (3) the ip default-network command.
5. With RIP, the default-information originate command advertises a default route even if a default route does not exist in the routing table. The route map referenced in this command cannot use an extended access list; it can use a standard access list.
6. With RIP, the ip default-network command will work only if (1) the network address is a classful network that is not directly connected, and (2) this classful network is in the local router's IP routing table, via an