Advanced Boot Camp Day 1to4


    8/12/2019 Advanced Boot Camp Day 1to4

    Advanced Boot Camp Day 1 - Day 4 Technology Labs


    Day 1

    Switching

    In order to properly configure switches for the CCIE Lab examination, the following topics and configurations must be understood. At the time of writing this Technology workbook, 3550s and 3560s were co-resident in the R&S Lab. However, by the time you read this document you may have 4 x 3560s in your lab. Thus 3560s are used in the following section labs and for explanatory purposes.

    MAC Address Expiration

    All modern Cisco switching platforms store and forward Ethernet frames and need to build a Content Addressable Memory (CAM) table to understand which source MAC addresses are connected to which ports. If a switch does not have a CAM table entry for a destination MAC address it must forward the frame out every port. Needless to say, forwarding unicast, multicast and broadcast to every switch port could cause security as well as bandwidth issues. In Volume II we discuss the security issues in great detail, but for now we will use the MAC address expiration to limit the chances of forwarding traffic out every port. Some devices cannot or will not send gratuitous ARPs on regular intervals; therefore there is a chance their dynamically learned MAC addresses may be removed from the CAM table. Instead of allowing the switch to forward traffic destined to this device out every switch port, the MAC address aging timer can be increased from the default (300 seconds) to a greater value.

        Switch(config)#mac address-table aging-time 4000
        (increases the timer to a little over an hour)

    0: This value disables aging. Static address entries are never aged or removed from the table.

    10-1000000: Aging time in seconds. The range is 10 to 1000000 seconds.

    vlan vlan-id: (Optional) Specify the VLAN ID to which to apply the aging time. The range is 1 to 4094.

    STATIC MAC addresses

    Unfortunately there are some devices that can never send gratuitous ARPs to the switch. For these devices we can statically configure their MAC addresses to avoid flooding.

        Switch(config)#mac address-table static 1234.1234.1234 vlan 4 interface gigabitethernet0/2


    mac-addr: Destination MAC address (unicast or multicast) to add to the address table. Packets with this destination address received in the specified VLAN are forwarded to the specified interface.

    vlan vlan-id: Specify the VLAN for which the packet with the specified MAC address is received. The range is 1 to 4094.

    interface interface-id: Interface to which the received packet is forwarded. Valid interfaces include physical ports and port channels.

    Another useful variant of the static command is the drop option. By including the keyword drop, unicast MAC address filtering allows the switch to drop traffic with a specific source or destination MAC address. Why only unicast, you may ask? This is because multicast creates a multicast MAC address by using the last

    to a destination MAC address of FFFF.FFFF.FFFF.

    To block (filter) a MAC address in a switch we would configure something like this:

        Switch(config)#mac address-table static 1111.1111.1111 vlan 2 drop
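The behaviour described in this section (dynamic learning, the 300-second aging default, static entries that never age, and drop entries that filter by source or destination) is easy to see in a small model. The following is an added example written for this page, not code from the workbook or from Cisco; the CAM table, MAC addresses, port names and timings are all constructed. It replays the "silent server" case with the default timer, with a longer timer, and with a static entry, and then a drop entry.

```python
"""Toy CAM-table model: dynamic learning with aging, static entries and drop
entries. Constructed example; addresses, ports and times are invented."""
from dataclasses import dataclass
from typing import Optional

FLOOD = "FLOOD"  # frame must go out every port in the VLAN except the ingress port
DROP = "DROP"    # frame discarded by a 'mac address-table static ... drop' entry


@dataclass
class Entry:
    port: Optional[str]   # None marks a drop entry
    static: bool
    last_seen: float      # simulated time the source was last learned


class CamTable:
    def __init__(self, aging_time=300):
        self.aging_time = aging_time      # IOS default is 300 seconds
        self.entries = {}                 # (vlan, mac) -> Entry

    def add_static(self, mac, vlan, port):
        self.entries[(vlan, mac)] = Entry(port, True, 0.0)

    def add_drop(self, mac, vlan):
        self.entries[(vlan, mac)] = Entry(None, True, 0.0)

    def age(self, now):
        """Expire dynamic entries idle longer than aging_time; static entries never age."""
        expired = [k for k, e in self.entries.items()
                   if not e.static and now - e.last_seen > self.aging_time]
        for k in expired:
            del self.entries[k]
        return len(expired)

    def forward(self, src, dst, vlan, in_port, now):
        """Learn src on in_port, then return the egress port, FLOOD or DROP for dst."""
        for mac in (src, dst):            # drop entries filter source or destination
            e = self.entries.get((vlan, mac))
            if e is not None and e.port is None:
                return DROP
        e = self.entries.get((vlan, src))
        if e is None or not e.static:     # refresh the dynamic entry on every frame
            self.entries[(vlan, src)] = Entry(in_port, False, now)
        e = self.entries.get((vlan, dst))
        return FLOOD if e is None else e.port


PC, SERVER = "0000.0000.0001", "0000.0000.0002"   # constructed addresses


def scenario():
    results = {}
    # 1. default aging: the server speaks once, then stays silent for 400 s
    cam = CamTable()
    cam.forward(SERVER, PC, 4, "Gi0/2", now=0)
    results["learned"] = cam.forward(PC, SERVER, 4, "Gi0/1", now=10)            # Gi0/2
    results["expired_default"] = cam.age(now=400)                               # 2
    results["after_default_aging"] = cam.forward(PC, SERVER, 4, "Gi0/1", 400)   # FLOOD
    # 2. 'mac address-table aging-time 4000': the silent server is still known
    cam = CamTable(aging_time=4000)
    cam.forward(SERVER, PC, 4, "Gi0/2", now=0)
    cam.age(now=400)
    results["after_long_aging"] = cam.forward(PC, SERVER, 4, "Gi0/1", 400)      # Gi0/2
    # 3. static entry: the device never has to speak at all
    cam = CamTable()
    cam.add_static(SERVER, 4, "Gi0/2")
    cam.age(now=10_000)
    results["static"] = cam.forward(PC, SERVER, 4, "Gi0/1", 10_000)             # Gi0/2
    # 4. drop entry: frames to or from the filtered address are discarded
    cam.add_drop("1111.1111.1111", 2)
    results["drop_dst"] = cam.forward(PC, "1111.1111.1111", 2, "Gi0/1", 0)      # DROP
    results["drop_src"] = cam.forward("1111.1111.1111", PC, 2, "Gi0/3", 0)      # DROP
    return results


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name:>20}: {value}")
```

The first run shows the flooding the text warns about: once the server's entry ages out, every frame for it leaves every port in the VLAN until it speaks again. The longer timer and the static entry both keep the unicast path confined to Gi0/2.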

    "LA#S

    Here is a topic that should be pretty familiar. If not, then please read this brief explanation. A Virtual Local Area Network (VLAN) is simply a broadcast domain. In other words a VLAN is a layer 2 boundary. Typically a VLAN is associated with a Layer 3 subnet, but in reality they are independent. For example, on a SVI (Switched Virtual Interface, AKA interface VLAN) I can configure a primary subnet (IP address) and several secondary IP addresses. What we do find with VLANs, at least with 3550 or 3560 switches in particular, is that this broadcast domain is usually mapped to an instance of Spanning Tree, or PVST.

    To configure VLANs we need to add them to the VLAN database. Depending on the switch model this is performed from the global configuration or from the VLAN DATABASE prompt (deprecated). Virtual Trunk Protocol (VTP) adds some automation to this process, but for now we assume we are in the default Server mode and can manually add VLANs to the VLAN database.

    The recommended method for adding VLANs, when possible, is from the global configuration prompt.

        switch(config)#vlan 100
        switch(config-vlan)#name VOICE
        switch(config-vlan)#exit


    To assign the new VLANs to a switch port you must configure the following:

        switch(config)#int fa0/1
        switch(config-if)#switchport mode access
        switch(config-if)#switchport access vlan 100

    Trunks

    With trunks we can then transport the VLANs we have created over a single uplink. Trunks are said to carry multiple colors, or tags. With 80

        Switch#configure terminal
        Switch(config)#vlan dot1q tag native
        Switch(config)#end

    "T&

    Cisco provides the VLAN Trunking Protocol (VTP) to automate the configuration of VLANs. If you recall from the previous VLAN section, in order to add a VLAN to a switch we needed to add the VLAN to the switch's VLAN database. This exercise could be daunting if we had 100 switches in a large office building. Instead of configuring each switch to support several VLANs, with VTP you only have to create the VLANs on a switch configured as a server and allow the other switches to dynamically learn the VLANs over their trunks. Best practice is to run these other switches in a read-only client mode. If more than one switch is configured as a server, then the switch with the highest revision number controls the VLAN database. Transparent mode is a third option that is used to allow VTP information to pass through a switch, but that specific switch will ignore the VTP and refer to its own manually assigned VLANs.

    It is important to remember that all switches by default are VTP servers. The VTP server is where you would create, remove or modify VLANs. If for some reason you remove a switch from a lab or spares environment that was configured as a server and then introduce the switch into the production network, even if for only a few minutes before you reconfigure it as a client, if it has a higher revision number it will take control of the VTP database.

    This VTP server sends advertisements across the VTP domain every 5 minutes or whenever a change is made in the VLAN database. The advertisement contains all the different VLAN names, VLAN numbers, what switches have ports in what VLANs, and a revision number. Whenever a switch receives an update with a larger revision number than the last one it applied, it applies that revision.

    VTP switches can operate in three different modes:

    Server: the default, where all VLAN adds, changes and removals are allowed.

    Client: where no changes can be made; only new revisions can be received from the VTP server switches.

    Transparent: where local VLAN information can be changed but that information is not sent out to other switches. Transparent switches also do not apply VTP advertisements from other switches, but they do forward those advertisements on.

    VTP pruning is the process of not sending unnecessary broadcast traffic for VLANs to switches that do not have any ports assigned to those VLANs. Pruning saves bandwidth because broadcasts don't have to be sent to switches that don't need them. To configure VTP you use the vtp global configuration mode command. With this command you can specify the following:

    VTP domain: the name of the VTP domain. All switches communicating with VTP in the same domain must have the same VTP domain name.

    VTP mode: either server, client or transparent.

    VTP password: a password to control who can and cannot receive VTP information.

    VTP pruning: VTP pruning is either turned on or off.

    VTP version: be aware that most switches do not support V3.

    *Note: the VTP password is highly recommended to avoid switches accidentally becoming a VTP server.
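The takeover case from the paragraphs above (a switch with a stale, higher revision number rejoining the domain) and the protective effect of the VTP password can be walked through with a small model. This is an added example written for this page, not Cisco code and not the workbook's own; the switch names, VLANs, revision numbers and the digest computation are constructed (real VTP carries an MD5 over the summary advertisement and the password; here the same fields are simply hashed with hashlib so that a password mismatch shows up as a digest mismatch).

```python
"""Constructed model of VTP advertisement handling: domain, password digest,
revision number and the server/client/transparent modes."""
import hashlib


class VtpSwitch:
    def __init__(self, name, mode="server", domain="", password="", revision=0, vlans=None):
        assert mode in ("server", "client", "transparent")
        self.name, self.mode, self.domain, self.password = name, mode, domain, password
        self.revision = revision
        self.vlans = dict(vlans or {})

    def _digest(self, revision, vlans):
        # Simplified stand-in for VTP's MD5 over the advertisement and password.
        material = f"{self.domain}|{self.password}|{revision}|{sorted(vlans.items())}"
        return hashlib.md5(material.encode()).hexdigest()

    def add_vlan(self, vid, name):
        """Server: change and bump revision. Transparent: local only. Client: refused."""
        if self.mode == "client":
            return False
        self.vlans[vid] = name
        if self.mode == "server":
            self.revision += 1
        return True

    def advertise(self):
        if self.mode == "transparent":
            return None                       # transparent switches originate nothing
        return {"domain": self.domain, "revision": self.revision,
                "vlans": dict(self.vlans),
                "digest": self._digest(self.revision, self.vlans)}

    def receive(self, adv):
        """Return what this switch did with the advertisement."""
        if adv["domain"] != self.domain:
            return "ignored: domain mismatch"
        if self.mode == "transparent":
            return "forwarded without applying"
        if adv["digest"] != self._digest(adv["revision"], adv["vlans"]):
            return "ignored: digest (password) mismatch"
        if adv["revision"] <= self.revision:
            return "ignored: revision not higher"
        self.vlans = dict(adv["vlans"])       # servers and clients both accept it
        self.revision = adv["revision"]
        return "applied"


def propagate(adv, switches):
    return {sw.name: sw.receive(adv) for sw in switches}


def scenario():
    sw1 = VtpSwitch("Sw1", "server", "turnkey", "cisco")
    sw2 = VtpSwitch("Sw2", "client", "turnkey", "cisco")
    sw3 = VtpSwitch("Sw3", "transparent", "turnkey", "cisco", vlans={50: "local-only"})
    prod = [sw1, sw2, sw3]
    sw1.add_vlan(2, "vlan2-rspan")
    sw1.add_vlan(3, "vlan3-trunked")          # Sw1 is now at revision 2
    normal = propagate(sw1.advertise(), [sw2, sw3])

    # A switch pulled out of a lab: same domain name, revision 30, its own VLAN set.
    stale = VtpSwitch("SwLab", "server", "turnkey", "lab-pw", revision=30, vlans={99: "lab"})
    with_password = propagate(stale.advertise(), prod)

    # Same stale switch, but no domain password was ever configured anywhere.
    for sw in prod + [stale]:
        sw.password = ""
    without_password = propagate(stale.advertise(), prod)

    return {"normal": normal, "with_password": with_password,
            "without_password": without_password,
            "sw2_vlans_after": dict(sw2.vlans), "sw3_vlans_after": dict(sw3.vlans)}


if __name__ == "__main__":
    for label, outcome in scenario().items():
        print(label, outcome)
```

With the password set, the stale server's advertisement is discarded by every server and client because its digest does not verify; without it, revision 30 beats revision 2 and both Sw1 (a server itself) and Sw2 replace their VLAN database with the lab switch's. The transparent switch keeps its own VLANs in both cases.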

    Ether-channel

    Ether-channel allows a Cisco switch to bond together up to 8 Ethernet ports into a single channel. An Ether-channel uses a single port for spanning-tree purposes. If a link in the channel were to fail, then Ethernet frames would simply be forwarded across another port in the channel without relearning the spanning-tree topology. In addition to failover and redundancy, Ether-channels can be configured to provide load balancing across each port in the channel.

    Ether-channels spread the traffic load across the links in a channel by converting the frame's source or destination MAC address or IP address from binary into a new numeric value. The selected mode, whether it is IP or MAC address, is applied to all Ether-channels configured on the switch.

    If you configured load balancing based on source MAC addresses, then different devices, based on their source MAC address, would be distributed across each port per device. For example, the first device's source MAC address would be forwarded on the first port of the Ether-channel while the second device would be forwarded out the second port of the Ether-channel.

    While source MAC address load balancing works well for equally distributing traffic across Ether-channel ports when there are multiple PC devices (sources) going to various destinations, destination MAC address load balancing works well with multiple servers or gateways that are accessed by PCs. In other words, traffic destined to each server would use a separate port in the Ether-channel.

    If there is a mixture of end PC devices and servers, then source-and-destination MAC address forwarding is the best method for load balancing. Of course, MAC address based load balancing is intended for layer 2 Ether-channels. If we were configuring load balancing for layer 3 Ether-channels we would simply use source IP, destination IP or source/destination load balancing, depending on the same scenarios as the MAC address load balancing.
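The reasoning in the last few paragraphs (source MAC spreads many clients, destination MAC spreads many servers, source-and-destination covers a mix) can be checked numerically. The following is an added example written for this page, not Cisco's hashing algorithm and not the workbook's own code: real Catalyst hardware hashes the low-order bits of the selected fields into a fixed number of buckets, while this model takes the last octet of the MAC (or the XOR of both last octets) modulo the number of links. The MAC addresses and traffic patterns are constructed.

```python
"""Constructed model of EtherChannel link selection for src-mac, dst-mac
and src-dst-mac load balancing over a two-link channel."""
from collections import Counter


def low_byte(mac):
    """Last octet of a Cisco-style dotted MAC, e.g. '0000.0000.00aa' -> 0xaa."""
    return int(mac.replace(".", ""), 16) & 0xFF


def select_link(src_mac, dst_mac, method, n_links):
    """Pick the physical link (0..n_links-1) a frame is sent on."""
    if method == "src-mac":
        key = low_byte(src_mac)
    elif method == "dst-mac":
        key = low_byte(dst_mac)
    elif method == "src-dst-mac":
        key = low_byte(src_mac) ^ low_byte(dst_mac)
    else:
        raise ValueError(f"unknown load-balance method {method!r}")
    return key % n_links


def distribution(flows, method, n_links=2):
    """Count how many (src, dst) flows land on each physical link of the channel."""
    counts = Counter(select_link(s, d, method, n_links) for s, d in flows)
    return {link: counts.get(link, 0) for link in range(n_links)}


METHODS = ("src-mac", "dst-mac", "src-dst-mac")
PCS = [f"0000.0000.000{i}" for i in (1, 2, 3, 4)]        # four PCs (constructed)
GATEWAY = "0000.0000.00aa"                                # one default gateway
SERVERS = ["0000.0000.0011", "0000.0000.0012",
           "0000.0000.0013", "0000.0000.0014"]            # four servers

PCS_TO_GATEWAY = [(pc, GATEWAY) for pc in PCS]            # access-layer uplink pattern
PC_TO_SERVERS = [(PCS[0], srv) for srv in SERVERS]        # one client, many servers


def compare():
    return {
        "pcs->gateway": {m: distribution(PCS_TO_GATEWAY, m) for m in METHODS},
        "pc->servers": {m: distribution(PC_TO_SERVERS, m) for m in METHODS},
    }


if __name__ == "__main__":
    for pattern, by_method in compare().items():
        for method, links in by_method.items():
            print(f"{pattern:<13} {method:<12} {links}")
```

Four PCs talking to one gateway use both links under src-mac but pile onto a single link under dst-mac; one PC talking to four servers does the opposite. src-dst-mac spreads both patterns, which is why the lab answers below put src-mac on the access switches and src-dst-mac on the switches acting as default gateways.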

    Port Aggregation Protocol

    Port Aggregation Protocol (PAgP) is a Cisco proprietary method of automatically creating Ether-channel links. PAgP packets are sent between Ethernet ports in order to negotiate the forming of Ether-channels. PAgP cannot work properly with the following configurations:

    Dynamic VLANs.

    Different speeds or port duplex.

    The PAgP modes are explained below.

    on: PAgP will not run. The channel is forced to come up.

    off: PAgP will not run. The channel is forced to remain down.

    auto: PAgP is running passively. The formation of a channel is desired; however, it is not initiated.

    desirable: PAgP is running actively. The formation of a channel is desired and initiated.

    Link Aggregate Control Protocol (LACP)

    LACP is a standards based (IEEE 80

    On: Manual, without any LACP negotiation.

    Off: The link aggregation will not be formed.

    Passive: The switch does not initiate the channel but does understand inbound LACP packets. The peer (in active state) initiates negotiation (when it sends out an LACP packet) which we receive and answer, eventually forming the aggregation channel with the peer.

    Active: The link aggregate will be formed if the other end runs in LACP active or passive mode. This is similar to the desirable mode of PAgP.

    As mentioned previously, both LACP and PAgP are used to dynamically provision Ethernet ports as Ether-channels. If the Ether-channel is manually provisioned by using the mode "on" keyword, then neither LACP nor PAgP is used. In any case, load balancing using source MAC address, destination MAC address or source/destination MAC address, or source, destination or source/destination IP addressing, can be used with all methods.

    The following global configuration example displays the load balancing choices available to Ether-channels:


    The following is an example of a PAgP Layer 2 Ether-channel configuration:

    Layer 2

        switch(config)# interface range fastEthernet0/<range>
        switch(config-if-range)# switchport mode access
        switch(config-if-range)# switchport access vlan 100
        switch(config-if-range)# channel-group 1 mode desirable

    The following is an example of a LACP Layer 3 Ether-channel configuration:

    Layer 3

        switch(config)# int port-channel 1
        switch(config-if)# no switchport
        switch(config-if)# ip add <address> <mask>
        switch(config)# interface range fastEthernet 0/<range>
        switch(config-if-range)# no switchport
        switch(config-if-range)# channel-group 1 mode active

    Spanning Tree

    By default the Cisco switch uses 80

    The switch that is designated as ROOT only has designated ports to other connected switches. The other switches (non-root) have root ports on the connections that are closest to the ROOT switch, as well as designated ports connected to other switches with a longer path back to the ROOT. Because spanning tree must maintain a loop-free topology, path costs and port priorities are used to determine which switch and port needs to be blocked. For every VLAN, one port in a redundant path must be blocked.

    Spanning tree calculates the longest path from ROOT and determines the switch to be blocked. This behavior can be overridden by manipulating the path costs and additionally changing port priorities to manipulate which port (linear on the longest path) is chosen to be blocked. You will notice in this example that the layer 2 path with a longer path cost of 30 is chosen as the segment to block. By manually configuring a higher port priority on SW3, the port on SW4 will be blocked.

    Spanning Tree Diagram

    RSTP must also designate a ROOT as well as calculating path costs and port priorities. However, instead of optionally enabling uplink fast to reduce the time to failover to redundant uplinks, 80


    RSTP Diagram

    SPAN/RSPAN

    The Switch Port Analyzer (SPAN) is used to monitor traffic from VLANs and/or Ethernet ports on a switch. A very common application for this configuration is to connect a passive intrusion detection system (IDS) or packet sniffing application. Ethereal is packet sniffing software that can be downloaded from http://www.ethereal.com/download.html. In addition to capturing traffic from a connected switch, RSPAN can be used to capture traffic from a remote switch connected to the destination (sniffing) port with a dot1q trunk.

    The following example displays how to configure a remote span session:

    Switch 1

        switch1(config)#vlan
        switch1(config-vlan)#name remote-span
        switch1(config-vlan)#remote-span
        switch1(config)#monitor session 1 source interface Fa0/1 both
        switch1(config)#monitor session 1 destination remote vlan

    Switch 2

        switch2(config)#monitor session 1 source remote vlan
        switch2(config)#monitor session 1 destination interface fastEthernet 0/12


    Controlling Telnet Access

    Telnet is controlled from the VTY lines. The following configuration does not require a password to access the device with privilege 15 access rights, but limits access to the VTY line to only the protocol Telnet and only from the 1.1.1.1 IP address.

        line vty 0 4
         access-class 1 in
         exec-timeout 20 0
         privilege level 15
         no login
         transport input telnet
        !
        access-list 1 permit 1.1.1.1

    To hide addresses while trying to establish a Telnet session from the router or switch, use the service hide-telnet-address global command.

    To stop the router from sending information to an idle telnet session, use the service telnet-zeroidle command. Data transfer is resumed if the logged-in VTY user enters the resume command for the idle session.

    Normally telnet only sends one character at a time. The service nagle command can improve performance by sending multiple characters in each telnet packet.

    Storm Control

    This technique is used to prevent switch ports being overloaded by broadcast, multicast or unicast traffic, on a per-port basis. Storm control creates a threshold so that excessive traffic is dropped until traffic falls below the threshold. The thresholds are set as a percentage of the interface bandwidth. For example, if the level is set to 100 the traffic is always permitted, and if it were set to 0.0 then that type of traffic is never permitted. The following example illustrates how different thresholds are set for unicast, broadcast and multicast traffic.

        switch(config-if)# storm-control broadcast level 2
        switch(config-if)# storm-control unicast level 2
        switch(config-if)# storm-control multicast level 20

    Blocking

    Blocking prevents unicast or multicast from being flooded into the port when enabled. The default behavior of a switch is to forward packets with unknown destination MAC addresses to all its ports. This might not always be desirable, especially in terms of security. If you configure the port block feature, then depending on what type of traffic you specified, unknown unicast or multicast packets are not forwarded from one port to another.

        switch(config-if-range)#switchport block ?
          multicast  Block unknown multicast addresses
          unicast    Block unknown unicast addresses


    Protected Ports

    Private VLANs will be discussed in Volume II. One thing to note about Private VLANs is that they cannot co-exist with VTP version 2 or lower. A workaround for this limitation is to configure a switch in Transparent VTP mode. If for some reason the switch must be a VTP server, then protected ports can be used in a limited manner to provide a subset of the same isolation.

    The protected port feature is used in those environments where no traffic may be forwarded between two ports on the same switch. This way one neighbor connected to one port does not see the traffic that is generated by another neighbor connected to the second port. The blocking of traffic (unicast, broadcast or multicast) only works when both ports are protected. When a protected port is communicating with an unprotected port the traffic is forwarded in the usual manner. Once the ports are protected, traffic between them can only be forwarded by a Layer 3 device.


        switch#configure terminal
        switch(config)#ip radius source-interface Vlan
        switch(config)#radius-server host 10
        switch(config)#radius-server key cisco
        switch(config)#end

    Macros

    Macros can be used to group common switch configurations together. Macros, along with the interface-range command, help to reduce the amount of effort needed to deploy switches.

    Here is a useful macro to be used in the switches for a ping script.

        Sw1(config)#macro name PING
        Enter macro commands one per line. End with the character '@'.
        do ping 142.22.12.1
        do ping 142.22.13.1
        do ping 144.21.1.1
        do ping 10.1.27.2
        do ping 142.22.12.2
        @
        Sw1(config)#macro global apply PING

    Switching LAB Scenario

    This is the first Lab in a series of Labs that build on each other. There is no need for initial configurations because this first lab will construct the Layer 2 topology to be used for all other labs in Volume I of this technology workbook. Please save your configurations after each lab to avoid any rework when progressing to other labs. The point of this Lab is to build a new infrastructure for Turn-Key Inc. This company has hired you to interconnect (4) branch locations and (http://www.cisco.com/univercd/home/home.htm). As the labs progress, less and less support information is provided in the introduction section of the lab.

    Topology

    As previously mentioned, LAB 1 will build the Layer 2 infrastructure. At Branch 1 we will have a mixed L2 and L3 environment. This is due to some devices needing to span VLANs across the campus. In the IDF (Access Layer) some VLANs will be routed and others trunked to the CORE.

    In addition to the campus network at Branch (1), we will also build a VLAN between several of the routers to imitate a leased Ethernet service.

    This topology is supported in CCBOOTCAMP's rack rentals but should also work in other rack rental sites or a home lab with (4) 3560 switches and (8) routers. The next page provides the physical Ethernet topology. As you progress to Lab 2 and others, the topology will include Frame-relay and logical IP addressing and routing information.


    Physical Diagram


    Switching Tasks

    Task 1 (Basic VLANs): Configure SW1 such that it provides the database for the VLANs in the following table. All other switches should learn the VLANs from SW1. Use a control mechanism to prevent new switches from accidentally controlling the VLAN database when added into the network. Also add the appropriate hostnames and interface descriptions to all devices based on the diagram.

    VLAN  VLAN Name
    2     Vlan2-rspan
    3     Vlan3-trunked
    4     Vlan4-trunked
    5     Vlan5-sw1tosw2
    6     Vlan6-sw1tor1
    7     Vlan7-sw2tor1
    8     Vlan8-sw1tosw3
    9     Vlan9-sw3tosw4
    10    Vlan10-Leased
    11    Vlan11-sw2tosw4

    Task 2 (Load Balance and Trunks): Vlan 3 and 4 should be trunked on a pair (


    Task 5 (Monitoring): Turn-key would like to connect a packet sniffer to F0/15 on sw3 to analyze the VLAN10 traffic on R

    *Note: virtual IP addresses will be used later.

    VLAN  VLAN Name  Device  IP  Vlan


    Switching Answers (Don't peek)

    Try to complete these labs with minimal looking at the answers. The completed answers will be provided on a thumb drive.

    Task 1 (Basic VLANs): The VTP and VLAN information was supposed to be configured on SW1:

        Sw1(config)#vtp domain turnkey
        Sw1(config)#vtp mode server
        Sw1(config)#vtp password cisco
        Sw1(config)#vlan 2
        Sw1(config-vlan)#name vlan2-rspan
        (same for the other VLANs)

    On the other switches:

        Sw-(config)#vtp mode client
        Sw-(config)#vtp domain turnkey
        Sw-(config)#vtp password cisco

    In order to prevent accidental VLAN changes we set the VTP password to cisco.

    The names and interface descriptions should be based on the table. For example:

        interface Vlan5
         description vlan5-sw1tosw2
         ip address 10.5.5.2 255.255.255.252

    To test your configuration issue the following commands:

        Sw1#sh vtp status
        VTP Version                     : 2
        Configuration Revision          : 0
        Maximum VLANs supported locally : 1005
        Number of existing VLANs        : 23
        VTP Operating Mode              : Server
        VTP Domain Name                 : turnkey
        VTP Pruning Mode                : Enabled
        VTP V2 Mode                     : Disabled
        VTP Traps Generation            : Disabled
        MD5 digest                      : 0x3 0x1 0x78 0x83 0x24 0x7 ...
        Configuration last modified by 0.0.0.0 at 3-1-93 02:03:42
        Local updater

    (fragments of show vlan output)

        MTU : 1500
        Remote SPAN VLAN : No

    Sw1:

        port-channel load-balance src-dst-mac
        !
        interface Port-channel1
         switchport trunk encapsulation dot1q
         switchport trunk native vlan 5
         switchport trunk allowed vlan 2-5
         switchport mode trunk
        !
        interface Port-channel2
         switchport trunk encapsulation dot1q
         switchport trunk native vlan 8
         switchport trunk allowed vlan 2-4,8
         switchport mode trunk
        !
        interface FastEthernet0/19
         switchport trunk encapsulation dot1q
         switchport trunk native vlan 5
         switchport trunk allowed vlan 2-5
         switchport mode trunk
         channel-group 1 mode on
        !
        interface FastEthernet0/20
         switchport trunk encapsulation dot1q
         switchport trunk native vlan 5
         switchport trunk allowed vlan 2-5
         switchport mode trunk
         channel-group 1 mode on
        !
        interface FastEthernet0/21
         switchport trunk encapsulation dot1q
         switchport trunk native vlan 8
         switchport trunk allowed vlan 2-4,8
         switchport mode trunk
         channel-group 2 mode on
        !
        interface FastEthernet0/22
         switchport trunk encapsulation dot1q
         switchport trunk native vlan 8
         switchport trunk allowed vlan 2-4,8
         switchport mode trunk
         channel-group 2 mode on
        !
        interface Vlan1
         no ip address
         shutdown
        !
        interface Vlan3
         description vlan3-trunked
         ip address 10.3.3.1 255.255.255.0
        !
        interface Vlan4
         description vlan4-trunked
         ip address 10.4.4.1 255.255.255.0
        !
        interface Vlan5
         description vlan5-sw1tosw2
         ip address 10.5.5.1 255.255.255.252
        !
        interface Vlan8
         description vlan8-sw1tosw3
         ip address 10.8.8.1 255.255.255.252


    For the load balancing we needed source MAC address load balancing closest to the PC devices, so that each device would be load balanced based on its source MAC address and the ports in the Ether-channel would be used equally.

    On Sw3 and Sw4:

        port-channel load-balance src-mac

    The other two switches, Sw1 and Sw2, need src-dst-mac because they will be the default gateways for these devices.

    Task 3 (Spanning Tree): The following configurations were needed on the following devices in order to set the ROOT and blocked ports per the Task 3 specifications:

    Sw1:

        spanning-tree mode rapid-pvst
        spanning-tree extend system-id
        spanning-tree vlan 1,3,8 priority 0

    Sw2:

        spanning-tree mode rapid-pvst
        spanning-tree extend system-id
        spanning-tree vlan 4,11 priority 0

    Sw3:

        spanning-tree mode rapid-pvst
        spanning-tree extend system-id
        !
        interface Port-channel1
         switchport trunk encapsulation dot1q
         switchport trunk native vlan 9
         switchport trunk allowed vlan 2-4,9
         switchport mode trunk
         spanning-tree vlan 3 cost 200000000
        !
        interface Port-channel2
         switchport trunk encapsulation dot1q
         switchport trunk native vlan 8
         switchport trunk allowed vlan 2-4,8
         switchport mode trunk

    Sw4:

        spanning-tree mode rapid-pvst
        spanning-tree extend system-id
        !
        interface Port-channel1
         switchport trunk encapsulation dot1q
         switchport trunk native vlan 9
         switchport trunk allowed vlan 2-4,9
         switchport mode trunk
        !
        interface Port-channel2
         switchport trunk encapsulation dot1q
         switchport trunk native vlan 11
         switchport trunk allowed vlan 2-4,11
         switchport mode trunk

    To configure the bonus, root guard was needed on Sw3:


        interface FastEthernet0/19
         switchport trunk encapsulation dot1q
         switchport trunk native vlan 9
         switchport trunk allowed vlan 2-4,9
         switchport mode trunk
         channel-group 1 mode on
         spanning-tree guard root
        !
        interface FastEthernet0/20
         switchport trunk encapsulation dot1q
         switchport trunk native vlan 9
         switchport trunk allowed vlan 2-4,9
         switchport mode trunk
         channel-group 1 mode on
         spanning-tree guard root

    Task 4 (MAC Addresses): In the first part of this task we are changing the MAC aging timer to be in sync with how often the server sends gratuitous ARPs.

    Sw3:

        mac-address-table aging-time 1800 vlan 3

    In the next section we must configure a static MAC address for a device that is unable to send gratuitous ARPs.

    Sw4:

        mac-address-table static 1112.1112.1112 vlan 3 interface FastEthernet0/11

    The next requirement was to block a MAC address from all switches:

        mac-address-table static 1234.1234.1234 vlan 4 drop

    The last requirement was to make sure that unicast traffic going to MAC address destinations not known in the CAM table is not flooded into Sw2 port f0/16:

        interface FastEthernet0/16
         switchport block unicast

    Task 5 (Monitoring): The following configuration would set up a monitoring session on sw3 to sniff traffic to/from R2 on VLAN 10.

    Sw3:

        monitor session 1 destination interface Fa0/15
        monitor session 1 source remote vlan 2

    Sw1:

        monitor session 1 source interface Fa0/2
        monitor session 1 destination remote vlan 2


    Task 6 (IP Addresses): Configure IP addresses per specifications.

    Task 7 (802.1x):

    Sw3:

        username user password 0 cisco
        aaa new-model
        aaa authentication dot1x default group radius local
        dot1x system-auth-control
        !
        interface FastEthernet0/24
         switchport access vlan 3
         switchport mode access
         dot1x pae authenticator
         dot1x port-control auto
        !
        radius-server host 192.168.2.101 auth-port 1645 acct-port 1646
        radius-server source-ports 1645-1646
        radius-server key cisco

    Task 8 (Telnet): The first part of the task asks us to restrict telnet or SSH access to 10.0.0.0 and give those administrators privilege level 15 when they log into the devices. In order to configure the bonus, this access must be restricted to Monday-Friday between 9am and 5pm.

    The following configuration on each device would satisfy the above requirements:

        ip access-list extended telnet
         permit ip 10.0.0.0 0.255.255.255 any log time-range weekdays
        !
        time-range weekdays
         periodic weekdays 9:00 to 17:00
        !
        line vty 0 4
         access-class telnet in
         privilege level 15
         transport input telnet ssh
        line vty 5 15
         access-class telnet in
         privilege level 15
         transport input telnet ssh

    On R1 configure telnet so that multiple characters are transmitted in each telnet packet.

    R1:

        service nagle
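The VTY protection in the Task 8 answer combines three checks: the transport input list, the access-class ACL with its wildcard mask, and the time-range attached to the permit entry. The following is an added example written for this page, not IOS code and not the workbook's own: it hard-codes those three settings from the answer above and evaluates a single connection attempt against them, so a reviewer can confirm which attempts the line would accept. The source addresses and timestamps are constructed; the ACL/time-range evaluation is this example's own simplified model (an ACE whose time-range is inactive is skipped, and the ACL ends with the implicit deny).

```python
"""Constructed checker for the VTY access-class, time-range and transport
input shown in the Task 8 answer."""
import ipaddress
from datetime import datetime, time

# ip access-list extended telnet
#  permit ip 10.0.0.0 0.255.255.255 any log time-range weekdays
ACL_TELNET = [
    {"action": "permit", "src": "10.0.0.0 0.255.255.255", "time_range": "weekdays"},
]   # IOS ends every ACL with an implicit 'deny any'

# time-range weekdays / periodic weekdays 9:00 to 17:00  (Monday=0 .. Friday=4)
TIME_RANGES = {"weekdays": {"days": {0, 1, 2, 3, 4},
                            "start": time(9, 0), "end": time(17, 0)}}

# line vty 0 4 / access-class telnet in / privilege level 15 / transport input telnet ssh
VTY = {"access_class": "telnet", "transport_input": {"telnet", "ssh"}, "privilege": 15}


def wildcard_to_network(text):
    """'10.0.0.0 0.255.255.255' -> 10.0.0.0/8 (ipaddress accepts a host mask)."""
    addr, wildcard = text.split()
    return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False)


def time_range_active(name, when):
    tr = TIME_RANGES[name]
    return when.weekday() in tr["days"] and tr["start"] <= when.time() <= tr["end"]


def acl_permits(acl, src_ip, when):
    ip = ipaddress.ip_address(src_ip)
    for ace in acl:
        if ace.get("time_range") and not time_range_active(ace["time_range"], when):
            continue                        # inactive time-range: the ACE is skipped
        if ip in wildcard_to_network(ace["src"]):
            return ace["action"] == "permit"
    return False                            # implicit deny


def vty_access(src_ip, protocol, when):
    """Return 'permit' or 'deny: <reason>' for one management session attempt.
    `when` may be a datetime or an ISO-8601 string such as '2019-08-14T10:00'."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    if protocol not in VTY["transport_input"]:
        return f"deny: transport input does not allow {protocol}"
    if not acl_permits(ACL_TELNET, src_ip, when):
        return "deny: access-class"
    return "permit"


if __name__ == "__main__":
    attempts = [("10.1.2.3", "ssh", "2019-08-14T10:00"),      # Wednesday, in hours
                ("10.1.2.3", "ssh", "2019-08-14T18:00"),      # after 17:00
                ("10.1.2.3", "ssh", "2019-08-17T10:00"),      # Saturday
                ("192.168.1.5", "telnet", "2019-08-14T10:00"),
                ("10.1.2.3", "http", "2019-08-14T10:00")]
    for ip, proto, when in attempts:
        print(f"{ip:<12} {proto:<7} {when}  ->  {vty_access(ip, proto, when)}")
```

The out-of-hours and weekend attempts fail on the access-class rather than on the transport check, which matches how IOS behaves: the time-range does not disable the line, it just makes the permit entry inert so the implicit deny applies.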


    Day 1

    Frame Relay

    Basic Facts

    Frame Relay is a Layer 2 protocol.

    Serial interfaces use DB-60 connectors.

    Connection-oriented, transporting data between a DTE device and a Frame Relay switch.

    Simple error checking is provided by appending a Frame Check Sequence (FCS) to each frame (similar to a CRC).

    No error correction (error checking but no correction; that is left to the host).

    Frame Relay uses HDLC, PPP or ISDN/LAPD encapsulations.

    Maximum speed of Frame Relay is 45 Mbps.

    Data Link Connection Identifier (DLCI)

    DLCIs are assigned by the Frame Relay circuit provider and have local significance only. They provide an identifier for the connection between the router at your site and the big Frame Relay switch at the provider. There is often confusion about this, so to make it clear: the DLCI is used only between your site and the provider's point-of-presence; it has no significance beyond that.

    DLCI states are:

    Deleted: No LMI signal is being received from the switch, or no service is available from the switch.

    Active: Lines are up; connections are active. Routers are exchanging data.

    Inactive: The Frame Relay switch to local connection is working. The remote router's connection to the frame switch is not working.

    Local Management Interface (LMI)

    LMI provides the control protocol for PVC setup and management. There are three types available: Cisco, ANSI and q.933a (the default is Cisco). The service provider will specify the LMI in use. LMIs control data keepalives and verify the data flow. The LMI type must be identical between the local device (router) and the local Frame Relay switch; it does not have to be identical for the end devices.

    Encapsulation

    The encapsulation choices are Cisco and IETF, with Cisco being the default. This designation can be made per DLCI. The encapsulation type must be identical at both end devices. If Cisco devices are used across the entire network, Cisco encapsulation will likely be the encapsulation type; however, since the Cisco encapsulation type is proprietary, if another manufacturer's devices are used at the Frame Relay endpoints then the IETF encapsulation type will be required. Remember, encapsulation can be set per interface or per destination.


Split Horizon and Frame Relay Interfaces

Split horizon dictates that if a router has received a route advertisement from another router, it will not re-advertise it back out the interface on which it was learned. The default condition for Frame Relay interfaces is:

Physical interfaces: split-horizon is disabled by default

Multipoint sub interfaces: split-horizon is enabled by default

Point-to-point sub interfaces: split-horizon is enabled by default

Inverse-ARP

Inverse ARP, when enabled, is used to automatically map frame-relay DLCIs, which are configured in the frame-relay switch, to IP addresses configured on the remote routers. You may be requested to disable frame-relay inverse ARP on your physical or point-to-multipoint sub interface; if so, then you can use frame-relay map statements after you disable the inverse-ARP. Secondly, it is best practice to make these changes while the interfaces are shut, to avoid rebooting the router later.

Inverse-ARP is not recommended for frame-relay hub-and-spoke topologies because it could take inverse-ARP up to 60 seconds to converge from a site failure. In a MESH topology this shortcoming is not as impacting, because every site has an alternate DLCI to every site, but in hub-and-spoke the spokes must always communicate via the hub.

Mesh

A full mesh requires DLCIs to interconnect PVCs between each router. Total PVCs =


same issue with needing MAPs exists with the spokes too. If this hub-and-spoke configuration were provisioned on a carrier's network, the spokes would not need to have MAP entries because the provider would only configure the needed DLCI back to the Hub site.

With Inverse-ARP off, which is the recommended configuration, all routers will have MAP statements from Hub to all spokes and from spokes to hub. Depending on the neighbor requirements of the routing protocol, we may find ourselves later adding map statements between spokes or needing to enable the broadcast keyword.

Point-to-point

In this configuration each P


Frame Relay DLCI, PVC and IP addressing

[Diagram: Frame Relay DLCI, PVC and IP addressing. Only the label S0/0/0.2 survived extraction.]


Frame: Tasks

Task 1 (Mesh): Configure a mesh between R1, R


Frame: Answers

Task 1 (Mesh): Remember to keep your interfaces shut until you have configured all of your frame relay on each interface or sub interface. Sometimes clear frame-relay inarp helps, but usually you will have to either reboot or default the interface to fix frame relay issues. These simple problems can cost you time in the real Lab. Make sure to test each connection with ping as you no shut the interfaces.

R1:
interface Serial0/0/0
 description MESH_to_2_3
 ip address 172.16.1.1 255.255.255.0
 encapsulation frame-relay
 no frame-relay inverse-arp
 ...1.2 255.255.255.0
 frame-relay map ip 172.16.1.3 103 broadcast

 frame-relay map ip 172.16.1.1 201 broadcast
 no frame-relay inverse-arp

R3:
interface Serial0/0/0
 no ip address
 encapsulation frame-relay
 frame-relay lmi-type ansi
interface Serial0/0/0.1 multipoint
 description MESH_to_1_2
 ip address 172.16.1.3 255.255.255.0
 frame-relay map ip 172.16.1.1 301 broadcast
 frame-relay map ip 172.16.1.2 302 broadcast
 no frame-relay inverse-arp

R1#sh frame-relay map
Serial0/0/0 (up): ip 172.16.1.3 dlci 103(0x67,0x1870), dynamic, broadcast, ...1.2

Type escape sequence to abort.


Sending 5, 100-byte ...1.3

Type escape sequence to abort.
Sending 5, 100-byte ... 0 ms
R1#

Task 2 (
 ip address 172.16.3.3 255.255.255.0
 frame-relay map ip 172.16.3.5 305 broadcast
 frame-relay map ip 172.16.3.6 306 broadcast
 frame-relay map ip 172.16.3.3 305
 no frame-relay inverse-arp

R5:
interface Serial0/0/0
 description Hub-and-spoke-to-3-6
 ip address 172.16.3.5 255.255.255.0
 encapsulation frame-relay
 frame-relay map ip 172.16.3.3 503 broadcast
 frame-relay map ip 172.16.3.5 503
 frame-relay map ip 172.16.3.6 503 broadcast
 no frame-relay inverse-arp
 frame-relay lmi-type ansi

R6:
interface Serial0/0/0
 description Hub-and-spoke-to-3-5
 ip address 172.16.3.6 255.255.255.0
 encapsulation frame-relay
 frame-relay map ip 172.16.3.3 603 broadcast
 frame-relay map ip 172.16.3.5 603 broadcast   (This is configured to assist in the RIP section later)
 frame-relay map ip 172.16.3.6 603
 no frame-relay inverse-arp
 frame-relay lmi-type ansi

Task 3 (Point-to-Points):

R9:
interface Serial0/0/0.1 point-to-point
 description P2P-to-R2
 ip address 172.16.2.9 255.255.255.0
 frame-relay interface-dlci 902

R7:
interface Serial0/0/0.1 point-to-point
 description P2P-to-R2
 ip address 172.16.5.7 255.255.255.0
 frame-relay interface-dlci 702

R8:
interface Serial0/0/0.1 point-to-point
 description P2P-to-3
 ip address 172.16.6.8 255.255.255.0


 frame-relay interface-dlci 803

Configure the opposite on R2 or R3 to connect to the P
 ...4.7 255.255.255.0
 encapsulation ppp
 clock rate 2000000
 ppp authentication chap
 ppp chap hostname user
 ppp chap password 0 cisco

R8:
username user password 0 cisco

interface Serial0/0/1
 description PPP-to-7
 ip address 172.16.4.8 255.255.255.0
 encapsulation ppp
 ppp authentication chap


    Day 1

RIPv2

There are two versions of RIP: versions 1 and

R8(config-if)#ip rip v2-broadcast


Neighbors

Connected neighbors simply need RIPv2 enabled globally and a connected network entry, and they are ready to exchange updates. Secondly, no auto-summary needs to be configured if classless summaries are required.

router rip
 network 172.16.0.0
 no auto-summary

If it is desired not to send updates to interfaces without connected neighbors, then the passive-interface command can be used. There are two different approaches to using this configuration. The first is to use "passive-interface default" and then specify which interfaces will allow the updates:

router rip
 passive-interface default
 no passive-interface FastEthernet0/0

The second choice is to just apply a passive-interface command to the specific interfaces on which you desire to disable the updates:

router rip
 passive-interface f0/0

There are times when broadcast or multicast updates are permitted or limited because of the frame-relay map statements. In these cases the passive-interface commands can be used to suppress the broadcast/multicast, in combination with the neighbor command to send a unicast update to the neighbor's IP address:

router rip
 neighbor 172.16.6.3

And lastly, it is possible to send updates to a neighbor that is not physically connected. Two scenarios come to mind: neighbors over PPP with non-connected and different subnets, or a RSPAN session. The former is an advanced topic, so we will leave it for Volume II, but the latter is something we can configure with our current bag of tricks. In order to receive RIPv

router rip
 no validate-update-source

This command makes it so the RIP router doesn't care who is sending the update.


Loop Protection

The split horizon rule reduces the incidence of routing loops. Split horizon prevents two-node loops between neighbors (tight loops) by not advertising the routes on the same interface from which they were learned. Split horizon also eliminates unnecessary updates.

Split horizon with the addition of poison reverse allows the routing protocol to advertise all routes out an interface, but those learned from earlier updates coming into that interface are marked with infinite distance metrics. Poison reverse guards against loops spanning multiple RIP routers.

Unfortunately there are some issues with Split Horizon in a Hub and Spoke Network. In a hub and spoke network, routes from remote frame relay sites will not be sent to other remote locations because of the split horizon enabled by default on the sub interfaces. It is possible to disable split horizon, but then we lose the loop protection. Disabling Split Horizon will ensure full connectivity between all locations in a hub and spoke topology using RIPv

access-list 1 permit 10.0.0.0 0.255.255.255
access-list 2 permit 172.16.3.0 0.0.0.255
router rip
 distribute-list 1 in ethernet 0
 distribute-list 2 out

Because a distribute-list can use an access-list, we can have some very complex filtering using binary. The following example filters only the odd prefixes using an access-list based prefix list:

Allow only odd routes from 1.1.0.0 from R1 to other routers.

Network 1.1.1.0 0.0.254.255
* network = 0


* mask = 1

Binary Octet   128  64  32  16   8   4   2   1
1.1.1.0          0   0   0   0   0   0   0   1
1.1.3.0          0   0   0   0   0   0   1   1
1.1.5.0          0   0   0   0   0   1   0   1

Mask        11111111.11111111.11111110.00000000
Network     00000001.00000001.00000001.00000000
First host  00000001.00000001.00000001.00000000
2nd host    00000001.00000001.00000011.00000000
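The matching the table above describes, as an added Python example (not from the workbook): a 0 bit in the wildcard must match the network, a 1 bit is ignored, so 1.1.1.0 0.0.254.255 permits only the 1.1.X.0 prefixes with an odd third octet. It also goes one step beyond the text and shows the same wildcard anchored at 1.1.0.0 keeping the even ones; the 1.1.X.0/24 sample list is constructed here.

```python
# Added example (not from the workbook): IOS standard ACL wildcard matching,
# as used by the "odd prefixes" distribute-list above.  In a wildcard mask a
# 0 bit means "must match the network", a 1 bit means "don't care", so
# 1.1.1.0 0.0.254.255 permits any 1.1.X.0 whose third octet has its low bit
# set, i.e. only the odd prefixes; anchoring the same wildcard at 1.1.0.0
# keeps the even ones instead.
import ipaddress


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(candidate: str, network: str, wildcard: str) -> bool:
    """True if candidate matches 'permit network wildcard' (IOS ACL semantics)."""
    care = 0xFFFFFFFF ^ _to_int(wildcard)  # bits the ACL actually compares
    return (_to_int(candidate) & care) == (_to_int(network) & care)


def filter_prefixes(prefixes, network: str, wildcard: str):
    """Emulate 'distribute-list <acl> out' with a single permit line:
    only the prefixes the line matches are advertised."""
    return [p for p in prefixes if wildcard_match(p.split("/")[0], network, wildcard)]


def binary_row(dotted: str) -> str:
    """Render an address or mask in dotted binary, like the table above."""
    return ".".join(f"{int(octet):08b}" for octet in dotted.split("."))


# Constructed sample: the 1.1.X.0/24 prefixes the workbook's example filters.
SAMPLE_PREFIXES = [f"1.1.{x}.0/24" for x in range(1, 7)]

if __name__ == "__main__":
    print(binary_row("0.0.254.255"))
    print(filter_prefixes(SAMPLE_PREFIXES, "1.1.1.0", "0.0.254.255"))  # odd only
    print(filter_prefixes(SAMPLE_PREFIXES, "1.1.0.0", "0.0.254.255"))  # even only
```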

    The tet?

r2lab(config)# key chain cisco
r2lab(config-keychain)# key 1
r2lab(config-keychain-key)# key-string cisco

Default Routes

Default routes can be advertised in RIPv2 in the following ways:

Redistribute static: "ip route 0.0.0.0 0.0.0.0 null0 permanent"

Default-information originate

"ip default-network 1.0.0.0"


RIPv2 LAB

Scenario

So far we have set up the basic campus network at Turn-Key Inc's branch office, as well as the leased Ethernet and Frame Relay WAN connections between the sites. Normally, in a project similar in scope, we would not configure any of the network management or security features until after we have tested the network stability and performance. In most network deployments it is also a good idea to enable an easy-to-configure routing protocol so we can test the infrastructure. In this scenario we will use basic RIP and a few tweaks to test connectivity. Afterwards we can enable more complex features and optimize the routing with other protocols.

RIP: Tasks

Task 1 (Basic RIPv2): Configure every router with RIPv


R8:

int lo1
 ip address 131.0.1.1


RIP: Answers

Task 1 (Basic RIPv2): To use the least amount of network statements on every router, configure:

router rip
 version 2
 network 0.0.0.0
 no auto-summary

On the switches we would configure 10.0.0.0, because SVI interfaces (Vlan) do not configure under 0.0.0.0:

router rip
 version 2
 network 10.0.0.0
 no auto-summary

SW2: also needs
 ...16.3.3 255.255.255.0
 no ip split-horizon
 frame-relay map ip 172.16.3.3 305
 frame-relay map ip 172.16.3.5 305 broadcast
 frame-relay map ip 172.16.3.6 306 broadcast
 no frame-relay inverse-arp

To test all the IP address connectivity from R1, use the following TCL script:

tclsh

foreach address {10.3.3.1 10.3.3.2 10.4.4.1 10.4.4.2 10.5.5.1 10.5.5.2 10.6.6.1 10.6.6.2 10.7.7.1 10.7.7.2 10.8.8.1


10.8.8.2 10.9.9.1 10.9.9.2 192.168.10.1 192.168.10.2 192.168.10.3 192.168.10.5 192.168.10.6
192.168.10.9 172.16.1.2 172.16.1.3 172.16.2.2 172.16.2.9 172.16.3.3 172.16.3.5 172.16.3.6 172.16.5.2 172.16.5.7 172.16.6.3 172.16.6.8} {ping $address}

Task 2 (Route Optimization):

On R1, R ... .0.0 0.0.255.255

show ip route

Gateway of last resort is not set

     192.168.10.0/24 [120/1] via 10.6.6.1, 00:00:1, FastEthernet0/0
     172.16.0.0/16 is variably subnetted, 8 subnets, 2 masks
R       172.16.4.8/32 [120/3] via 10.6.6.1, 00:00:1, FastEthernet0/0
R       172.16.4.0/24 [120/3] via 10.6.6.1, 00:00:1, FastEthernet0/0
R       172.16.5.0/24 [120/2] via 10.6.6.1, 00:00:1, FastEthernet0/0
R       172.16.6.0/24 [120/2] via 10.6.6.1, 00:00:1, FastEthernet0/0
C       172.16.1.0/24 is directly connected, Serial0/0/0
R       172.16.2.0/24 [120/2] via 10.6.6.1, 00:00:17, FastEthernet0/0
R       172.16.4.7/32 [120/3] via 10.6.6.1, 00:00:17, FastEthernet0/0
R       172.16.3.0/24 [120/2] via 10.6.6.1, 00:00:17, FastEthernet0/0
     10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks

R2:
router rip
 version 2
 offset-list rip in 2 Serial0/0/0.1
 network 0.0.0.0
 no auto-summary

ip access-list standard rip
 permit 10.0.0.0 0.255.255.255
 permit 192.168.10.0


show ip route

     10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
R       10.11.11.0/30 [120/2] via 192.168.10.1, 00:00:05, FastEthernet0/0
R       10.9.9.0/30 [120/2] via 192.168.10.1, 00:00:05, FastEthernet0/0
R       10.8.8.0/30 [120/1] via 192.168.10.1, 00:00:05, FastEthernet0/0
R       10.7.7.0/30 [120/2] via 192.168.10.1, 00:00:05, FastEthernet0/0
R       10.6.6.0/30 [120/1] via 192.168.10.1, 00:00:05, FastEthernet0/0
R       10.5.5.0/30 [120/1] via 192.168.10.1, 00:00:05, FastEthernet0/0
R       10.4.4.0/24 [120/1] via 192.168.10.1, 00:00:05, FastEthernet0/0
R       10.3.3.0/24 [120/1] via 192.168.10.1, 00:00:05, FastEthernet0/0

R3:
router rip
 version 2
 offset-list rip in 2 Serial0/0/0.1
 network 0.0.0.0
 no auto-summary

ip access-list standard rip
 permit 10.0.0.0 0.255.255.255
 permit 192.168.10.0

R       10.11.11.0/30 [120/2] via 192.168.10.1, 00:00:20, FastEthernet0/0
R       10.9.9.0/30 [120/2] via 192.168.10.1, 00:00:20, FastEthernet0/0
R       10.8.8.0/30 [120/1] via 192.168.10.1, 00:00:20, FastEthernet0/0
R       10.7.7.0/30 [120/2] via 192.168.10.1, 00:00:20, FastEthernet0/0
R       10.6.6.0/30 [120/1] via 192.168.10.1, 00:00:20, FastEthernet0/0
R       10.5.5.0/30 [120/1] via 192.168.10.1, 00:00:20, FastEthernet0/0
R       10.4.4.0/24 [120/1] via 192.168.10.1, 00:00:20, FastEthernet0/0
R       10.3.3.0/24 [120/1] via 192.168.10.1, 00:00:20, FastEthernet0/0

On R7 and R8 run a TCL script with trace route:

tclsh

foreach address {10.3.3.1 10.3.3.2 10.4.4.1 10.4.4.2 10.5.5.1 10.5.5.2 10.6.6.1 10.6.6.2 10.7.7.1 10.7.7.2 10.8.8.1 10.8.8.2 10.9.9.1 10.9.9.2} {trace $address}

Type escape sequence to abort.
Tracing the route to 10.3.3.1
  1 172.16.5.2 28 msec 28 msec 28 msec
  2 192.168.10.1 28 msec 28 msec *
Type escape sequence to abort.
Tracing the route to 10.3.3.2
  1 172.16.5.2 28 msec 28 msec 28 msec
  2 192.168.10.1 28 msec 28 msec 28 msec
  3 10.3.3.2 28 msec 28 msec *


Type escape sequence to abort.
Tracing the route to 10.4.4.1
  1 172.16.5.2 28 msec 28 msec 28 msec
  2 192.168.10.1 28 msec 28 msec *
Type escape sequence to abort.
Tracing the route to 10.4.4.2
  1 172.16.5.2 28 msec 28 msec 28 msec
  2 192.168.10.1 28 msec 28 msec 28 msec
  3 10.4.4.2 28 msec 28 msec *
Type escape sequence to abort.
Tracing the route to 10.5.5.1
  1 172.16.5.2 28 msec 28 msec 28 msec
  2 192.168.10.1 28 msec 28 msec *
Type escape sequence to abort.
Tracing the route to 10.5.5.2
  1 172.16.5.2 28 msec 28 msec 28 msec
  2 192.168.10.1 28 msec 28 msec 28 msec
  3 10.5.5.2 28 msec 28 msec *
Type escape sequence to abort.
Tracing the route to 10.6.6.1
  1 172.16.5.2 28 msec 28 msec 28 msec
  2 192.168.10.1 28 msec 28 msec *
Type escape sequence to abort.
Tracing the route to 10.6.6.2
  1 172.16.5.2 28 msec 28 msec 28 msec
  2 192.168.10.1 28 msec 28 msec 28 msec
  3 10.6.6.2 28 msec 28 msec *
Type escape sequence to abort.
Tracing the route to 10.7.7.1
  1 172.16.5.2 28 msec 28 msec 28 msec
  2 192.168.10.1 28 msec 28 msec 28 msec
  3 10.3.3.2 28 msec 76 msec *
Type escape sequence to abort.
Tracing the route to 10.7.7.2
  1 172.16.5.2 28 msec 28 msec 28 msec
  2 192.168.10.1 28 msec 28 msec 28 msec
  3 10.5.5.2 28 msec 28 msec 28 msec
  4 10.7.7.2 28 msec 28 msec *
Type escape sequence to abort.
Tracing the route to 10.8.8.1
  1 172.16.5.2 28 msec 28 msec 28 msec
  2 192.168.10.1 28 msec 28 msec *
Type escape sequence to abort.
Tracing the route to 10.8.8.2
  1 172.16.5.2 28 msec 28 msec 28 msec
  2 192.168.10.1 28 msec 28 msec 28 msec
  3 10.8.8.2 28 msec 28 msec *
Type escape sequence to abort.
Tracing the route to 10.9.9.1
  1 172.16.5.2 28 msec 28 msec 28 msec
  2 192.168.10.1 28 msec 28 msec 28 msec
  3 10.8.8.2 28 msec 28 msec *
Type escape sequence to abort.
Tracing the route to 10.9.9.2
  1 172.16.5.2 28 msec 28 msec 28 msec
  2 192.168.10.1 28 msec 28 msec 28 msec
  3 10.8.8.2 28 msec 28 msec 28 msec


Task 3 (Authentication): MD5 authentication is the correct answer.

On R7 and R8:
int s0/0/0.3
 ip rip authentication mode md5
 ip rip authentication key-chain cisco

key chain cisco
 key 1
  key-string cisco

On R2 and R3:

int s0/0/0.1
 ip rip authentication mode md5
 ip rip authentication key-chain cisco

key chain cisco
 key 1
  key-string cisco

Task 4 (
 ...3.6
 neighbor 172.16.3.5
 distribute-list ripin in Serial0/0/0.3

R5:
router rip
 version 2
 passive-interface Serial0/0/0
 network 0.0.0.0
 neighbor 172.16.3.6
 neighbor 172.16.3.3
 no auto-summary

R6:

router rip
 version 2
 passive-interface Serial0/0/0
 network 0.0.0.0
 neighbor 172.16.3.5
 neighbor 172.16.3.3
 no auto-summary

R6:
debug ip rip
Jul 2 10:23:03.610:


*Jul 2 10:23:03.610:      10.4.4.0/24 via 0.0.0.0 in 2 hops
*Jul 2 10:23:03.610:      10.5.5.0/30 via 0.0.0.0 in 2 hops
*Jul 2 10:23:03.610:      10.6.6.0/30 via 0.0.0.0 in 2 hops
*Jul 2 10:23:03.610:      10.7.7.0/30 via 0.0.0.0 in 3 hops
*Jul 2 10:23:03.610:      10.8.8.0/30 via 0.0.0.0 in 2 hops
*Jul 2 10:23:03.610:      10.9.9.0/30 via 0.0.0.0 in 3 hops
*Jul 2 10:23:03.610:      10.11.11.0/30 via 0.0.0.0 in 3 hops
*Jul 2 10:23:03.610:      130.0.2.0/24 via 0.0.0.0 in 3 hops
*Jul 2 10:23:03.610:      130.0.4.0/24 via 0.0.0.0 in 3 hops
*Jul 2 10:23:03.610:      130.0.6.0/24 via 0.0.0.0 in 3 hops
*Jul 2 10:23:03.610:      131.0.1.0/24 via 0.0.0.0 in 2 hops
*Jul 2 10:23:03.610:      131.0.3.0/24 via 0.0.0.0 in 2 hops
*Jul 2 10:23:03.610:      131.0.5.0/24 via 0.0.0.0 in 2 hops
*Jul 2 10:23:03.610:      172.16.1.0/24 via 0.0.0.0 in 1 hops
*Jul 2 10:23:03.610:      172.16.2.0/24 via 0.0.0.0 in 2 hops
*Jul 2 10:23:03.610:      172.16.3.0/24 via 0.0.0.0 in 1 hops
*Jul 2 10:23:03.610:      172.16.5.0/24 via 0.0.0.0 in 2 hops
*Jul 2 10:23:03.610:      172.16.6.0/24 via 0.0.0.0 in 1 hops
*Jul 2 10:23:03.610:      192.168.10.0/24 via 0.0.0.0 in 1 hops
*Jul 2 10:23:06.143:      ...3.3 in 4 hops
*Jul 2 10:23:06.143:      130.0.4.0/24 via 172.16.3.3 in 4 hops
*Jul 2 10:23:06.143:      130.0.6.0/24 via 172.16.3.3 in 4 hops
*Jul 2 10:23:06.143:      131.0.1.0/24 via 172.16.3.3 in 3 hops
*Jul 2 10:23:06.147:      131.0.3.0/24 via 172.16.3.3 in 3 hops
*Jul 2 10:23:06.147:      131.0.5.0/24 via 172.16.3.3 in 3 hops
*Jul 2 10:23:06.147:      172.16.1.0/24 via 172.16.3.3 in 2 hops
*Jul 2 10:23:06.147:      172.16.2.0/24 via 0.0.0.0 in 2 hops
*Jul 2 10:23:06.147:      172.16.3.0/24 via 0.0.0.0 in 1 hops
*Jul 2 10:23:06.147:      172.16.5.0/24 via 0.0.0.0 in 2 hops
*Jul 2 10:23:06.147:      172.16.6.0/24 via 172.16.3.3 in 2 hops
*Jul 2 10:23:06.147:      192.168.10.0/24 via 0.0.0.0 in 1 hops

Task 5 (Filtering): A distribute-list is needed to filter these routes. Remember, RIP waits for the FLUSH time to remove routes. Give it a few minutes and then look at the routing tables.

R2:
router rip
 version 2
 offset-list rip in 2 Serial0/0/0.1
 network 0.0.0.0
 distribute-list ripin in Serial0/0/0.3
 no auto-summary

ip access-list standard ripin
 permit 130.0.0.0 0.0.254.255
 permit 131.0.1.0 0.0.254.255

                  [120/1] via 172.16.1.3, 00:00:03, Serial0/0/0.1
     130.0.0.0/24 is subnetted, 3 subnets
R       130.0.2.0 [120/1] via 172.16.5.7, 00:00:10, Serial0/0/0.3
R       130.0.6.0 [120/1] via 172.16.5.7, 00:00:12, Serial0/0/0.3
R       130.0.4.0 [120/1] via 172.16.5.7, 00:00:12, Serial0/0/0.3
R       131.0.3.0 [120/2] via 192.168.10.3, 00:00:14, FastEthernet0/0
                  [120/2] via 172.16.1.3, 00:00:0, Serial0/0/0.1
R       131.0.1.0 [120/2] via 192.168.10.3, 00:00:16, FastEthernet0/0


    I12!B2J ia 1"2.1>.1.3A !!0!!0!>A Serial!B!B!.1 131.!..! I12!B2J ia 12.1>9.1!.3A !!0!!01>A :astEthernet!B! I12!B2J ia 1"2.1>.1.3A !!0!!0!>A Serial!B!B!.1

    30roter ripersion 2offset+list rip in 2 Serial!B!B!.1

    networ !.!.!.!distri5te+list ripin in Serial!B!B!.3no ato+smmar*

    ip access+list standard ripinpermit 13!.!.!.! !.!.24.2permit 131.!.1.! !.!.24.2

    13!.!.!.!B24 is s5nettedA 3 s5nets 13!.!.2.! I12!B2J ia 12.1>9.1!.2A !!0!!01A :astEthernet!B! I12!B2J ia 1"2.1>.>.9A !!0!!0!1A Serial!B!B!.3 I12!B2J ia 1"2.1>.1.2A !!0!!0!A Serial!B!B!.1 13!.!.>.! I12!B2J ia 12.1>9.1!.2A !!0!!02!A :astEthernet!B! I12!B2J ia 1"2.1>.>.9A !!0!!0!3A Serial!B!B!.3 I12!B2J ia 1"2.1>.1.2A !!0!!01!A Serial!B!B!.1 13!.!.4.! I12!B2J ia 12.1>9.1!.2A !!0!!02!A :astEthernet!B!

    I12!B2J ia 1"2.1>.>.9A !!0!!0!3A Serial!B!B!.3 I12!B2J ia 1"2.1>.1.2A !!0!!01!A Serial!B!B!.1 131.!.!.!B24 is s5nettedA 3 s5nets 131.!.3.! I12!B1J ia 1"2.1>.>.9A !!0!!0!4A Serial!B!B!.3 131.!.1.! I12!B1J ia 1"2.1>.>.9A !!0!!0!4A Serial!B!B!.3 131.!..! I12!B1J ia 1"2.1>.>.9A !!0!!0!4A Serial!B!B!.3

    ;ons0 onfigre on the interface of 2A3A"Aand 9 (config0su#if!"i$ ri$ triggere(to onl* send pdates when changes occr.


    Day 1

Redundancy

Hot Standby Router Protocol (HSRP)

Hot Standby Router Protocol (HSRP) is a Cisco proprietary redundancy protocol for establishing a fault-tolerant default gateway. The protocol establishes a framework between network routers in order to achieve default gateway failover if the primary gateway should become inaccessible, in close association with a rapid-converging routing protocol like EIGRP or OSPF. By multicasting packets, HSRP sends its hello messages to the multicast address


Active: The router is doing what it does, route.

Standby: Waiting, waiting, waiting.

Speaking and listening: The router is sending and receiving hello messages.

Listening: The router is receiving hello messages.

The following example configures a SVI interface to have a virtual IP address of 10.


Gateway Load Balancing Protocol (GLBP)

Gateway Load Balancing Protocol (GLBP) is a Cisco proprietary protocol that attempts to overcome the limitations of existing redundant router protocols by adding basic load balancing functionality. In addition to being able to set priorities on different gateway routers, GLBP also allows a weighting parameter to be set. Based on this weighting (compared to others in the same virtual router group), ARP requests will be answered with MAC addresses pointing to different routers. Thus, load balancing is not based on traffic load, but rather on the number of hosts that will use each gateway router.

The Active Virtual Gateway (AVG) maintains a table of the Virtual Gateway IP address to mac-address mapping of the Active Virtual Forwarders (AVF). When the end hosts ARP, the AVG decides which router AVF's mac-address to respond to the ARP with. In other words, devices will be equally divided between multiple routers with unique mac-addresses but sharing a common virtual IP address. This way DHCP can hand out a single gateway address while the AVG provides the load balancing mechanism.

The following example shows a basic GLBP configuration:

Router 1

track 30 interface Serial3/0 line-protocol up delay 30
!
interface FastEthernet1/0
 ip address 10.1.1.1 255.255.255.0
 duplex full
 glbp 1 ip 10.1.1.10
 glbp 1 weighting 100 lower 5
 glbp 1 weighting track 30
 glbp 1 forwarder preempt delay minimum 0

Router 2

track 30 interface Serial3/0 line-protocol up delay 30
!
interface FastEthernet1/0
 ip address 10.1.1.2 255.255.255.0
 duplex full
 glbp 1 ip 10.1.1.10
 glbp 1 priority 5
 glbp 1 weighting 100 lower 5
 glbp 1 weighting track 30
 glbp 1 forwarder preempt delay minimum 0

*Note: at the time of writing this workbook the 3560s do not support the GLBP feature.

HSRP Lab

HSRP: Tasks

Task 1 (


routers wait 1 minute prior to reverting back to the primary. Both routers must track their connection to R1.


HSRP: Answers

Task 1 (
 standby name vlan3
 standby track FastEthernet0/1
interface vlan4
 description vlan4_trunked
 ip address 10.4.4.1 255.255.255.0
 standby 1 ip 10.4.4.254
 standby 1 name vlan4

Sw1#sh standby
Vlan3 - Group 0
  State is Active
    2 state changes, last state change 01:44:06
  Virtual ... 0 secs
  Active router is local
  Standby router is 10.3.3.2, priority 100 (expires in 7.207 sec)
  Priority 2 (configured 2)
    Track interface FastEthernet0/1 state Up decrement 10


Vlan3 - Group 0
  State is Standby
    1 state change, last state change 01:46:08
  Virtual ... 0 secs
  Active router is local
  Standby router is 10.4.4.1, priority 100 (expires in 8.482 sec)
  Priority 2 (configured 2)
    Track interface FastEthernet0/1 state Up decrement 10


Day 2

OSPF

OSPF is a Link State routing protocol that uses Dijkstra's shortest path first (SPF) algorithm. OSPF is an open standard (following RFC 2


*Note: Highest Router ID wins the DR election; Priority can offset the election.

To configure a RID under the OSPF process, program the following:

router-id 1.1.1.1

LSA

There are 4 general LSAs:

Router LSAs (Type 1 LSAs) describe the routers attached to a network.

Network LSAs (Type 2 LSAs) describe the networks attached to an OSPF router.

Summary LSAs (Type 3 and Type 4 LSAs) condense routing information at area borders.

External LSAs (Type 5 and Type 7 LSAs) describe routes to external networks.

Type 1 LSAs are router link advertisements that are passed within an area by all OSPF routers. They describe the router links to the network. Type 1 LSAs are only flooded within a particular area.

Type 2 LSAs are network link advertisements that are flooded within an area by the Designated Router. They describe ALL the routers attached to specific networks, including the DR. These LSAs are flooded only in the originating area.

Type 3 LSAs are summary link advertisements that are passed between areas. They describe the networks within an area.

Type 4 LSAs are summary link advertisements that are passed between areas. They describe the path to the ASBR. Type 4 LSAs do not get flooded into stub areas.

Type 5 LSAs are passed between and flooded into areas by ABRs. They describe routes external to the AS. Stub areas and NSSAs do not receive these LSAs.

Type 7 LSAs are NSSA AS-external routes that are flooded by the ASBR. They are similar to Type 5 LSAs, but unlike Type 5 LSAs, which are flooded into multiple areas, Type 7 LSAs are only flooded into NSSAs. Type 7 LSAs are converted to Type 5 LSAs by ABRs before being flooded into the area backbone.

Area types

Normal Areas: These areas can either be standard areas or transit (backbone) areas. Standard areas are defined as areas that can accept intra-area, inter-area, and external routes. The backbone area is the central area to which all other areas in OSPF connect.

Note: Intra-area routes refer to updates that are passed within the area. Inter-area routes refer to updates that are passed between areas. External routes refer to updates passed from another routing protocol into the OSPF domain by the Autonomous System Border Router (ASBR).

Stub Areas: These areas do not accept routes belonging to external autonomous systems (AS); however, these areas have inter-area and intra-area routes. In order to reach the outside networks, the routers in the stub area use a default route, which is injected into the area by the Area Border Router (ABR). A stub area is typically configured in situations where


the branch office need not know about all the routes to every other office; instead it could use a default route to the central office and get to other places from there. Hence the memory requirements of the leaf node routers are reduced, and so is the size of the OSPF database. To define an area as a stub area, use the OSPF router configuration command area <area id> stub

Totally Stub Areas: These areas do not allow routes other than intra-area and the default routes to be propagated within the area. The ABR injects a default route into the area, and all the routers belonging to this area use the default route to send any traffic outside the area. To define a totally stub area, use the OSPF router configuration command area <area id> stub no-summary on the ABR.

NSSA: This type of area allows the flexibility of importing a few external routes into the area while still trying to retain the stub characteristic. Assume that one of the routers in the stub area is connected to an external AS running a different routing protocol; it now becomes the ASBR, and hence the area can no more be called a stub area. However, if the area is configured as a NSSA, then the ASBR generates a NSSA external link-state advertisement (LSA) (Type-7), which can be flooded throughout the NSSA area. These Type-7 LSAs are converted into Type-5 LSAs at the NSSA ABR and flooded throughout the OSPF domain. External network LSAs (type 5) redistributed from other routing protocols into OSPF are not permitted to flood into a stub area. To define a NSSA, use the OSPF router configuration command area <area id> nssa

If you desire to allow a 0.0.0.0 into the NSSA area in addition to the Type 3/4 summaries, then configure area <area id> nssa default-information-originate

Totally NSSA: This area still can send the Type 7 LSAs to the ABR, but only receives a 0.0.0.0 default route from the ABR. To configure a Totally NSSA, configure area <area id> nssa no-summary

Summaries

There are two methods for summarizing networks on OSPF:

• Area range: used to summarize between OSPF areas. Always done on an ABR: area 2 range 20"&&0&0 2&2&2&0

• Summary-address: used to summarize external routes redistributed into OSPF. Always done on an ASBR: summary-address 20"&&0&0 2&2&2&0

Summaries will inject a NULL0 route into the routing table. If you are required to remove the NULL0 route, the following commands can be entered for the OSPF process:

no discard-route internal   ! used with area range
no discard-route external   ! used with summary-address

OSPF Metrics

Every routing protocol has a metric used to prefer one route over the other. For OSPF the metric that is used is cost. With OSPF the cost is a number that is inversely proportional to the bandwidth of the link. In other words, the higher the cost, the LESS the link is preferred. The lower the cost, the MORE the link is preferred. By default OSPF load balances on up to four equal cost paths. The formula that OSPF uses to calculate the cost of a link is:

Cost = 100000000 / bandwidth of the link

Or


Cost = 10^8 / bandwidth of the link

For example, a 10Mb 10Base-T Ethernet link's cost would be calculated as:

Cost = 100000000 / 10000000 = 10

Or

Cost = 10^8 / 10^7 = 10

With this formula the cost of a 64k Frame Relay link would be 1562, and the default cost of a T-1 would be 64. So you may be asking "what about a 100Mb Ethernet link or a Gigabit Ethernet link?" The cost of a 100Mb Ethernet link or faster, when calculated with this formula, ends up being just 1.

Note that the bandwidth of 10^8 is the same as the bandwidth of 100Mb Ethernet, or 100,000,000 (commas are placed to show the 8 zeros in two sets of 4). This value is the default "reference bandwidth". This can be changed, thus causing all OSPF cost values to be changed on that router, with the ospf auto-cost reference-bandwidth command.

To manually change the cost of a link, you would use the following command on the interface that you wish to change:

ip ospf cost <new cost>

OSPF prefers Intra Area Paths over Inter Area Paths.
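The cost formula above, as an added Python example that is not from the workbook: it reproduces the 1562 (64k Frame Relay), 64 (T-1), 10 (10Mb) and 1 (100Mb and faster) values and then shows why raising the reference bandwidth matters, since with the default reference FastEthernet and Gigabit collapse to the same cost. The link speeds are nominal values assumed to match the text; the Mbps-to-bps conversion reflects the unit the auto-cost reference-bandwidth command takes.

```python
# Added example (not from the workbook): OSPF link cost exactly as the text
# describes it, cost = reference bandwidth / link bandwidth, truncated to an
# integer and never below 1.  The default reference bandwidth is 10^8 bps.
# Assumption: the link speeds in LINKS are nominal values chosen to match
# the text (64 kbps Frame Relay, T-1 = 1.544 Mbps, 10/100/1000 Mbps Ethernet).

DEFAULT_REFERENCE_BPS = 100_000_000  # 10^8, the default "reference bandwidth"


def ospf_cost(bandwidth_bps: int, reference_bps: int = DEFAULT_REFERENCE_BPS) -> int:
    """Cost of one link; the quotient is truncated and floored at 1."""
    if bandwidth_bps <= 0:
        raise ValueError("bandwidth must be positive")
    return max(reference_bps // bandwidth_bps, 1)


def reference_for_mbps(ref_mbps: int) -> int:
    """'auto-cost reference-bandwidth' takes Mbps; convert to bps for the formula."""
    return ref_mbps * 1_000_000


def link_costs(links: dict, reference_bps: int = DEFAULT_REFERENCE_BPS) -> dict:
    """Cost of every link in the table under one reference bandwidth."""
    return {name: ospf_cost(bps, reference_bps) for name, bps in links.items()}


def all_costs_distinct(links: dict, reference_bps: int) -> bool:
    """True when no two links collapse to the same cost (the 100Mb vs 1Gb problem)."""
    costs = list(link_costs(links, reference_bps).values())
    return len(costs) == len(set(costs))


# Constructed sample link table, bandwidth in bps.
LINKS = {
    "frame_relay_64k": 64_000,
    "t1": 1_544_000,
    "ethernet_10m": 10_000_000,
    "fastethernet_100m": 100_000_000,
    "gigabit": 1_000_000_000,
}

if __name__ == "__main__":
    for ref in (DEFAULT_REFERENCE_BPS, reference_for_mbps(1000)):
        print(ref, link_costs(LINKS, ref), all_costs_distinct(LINKS, ref))
```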

Passive OSPF Interface

With a passive-interface no hello packets are sent, and therefore an adjacency will never occur on this interface.

OSPF Multicast Addresses

ip ospf dead-interval minimal hello-multiplier


    For example, to set the hello to


    OSPF Topology

    OSPF Lab Tasks

    Task 1 (Basic OSPF): Add the following loopbacks:

    R1 Lo1


    Add the loopbacks and existing networks into OSPF (for the loopbacks use any areas of your choice, but you cannot use redistribute connected or network commands from within the OSPF process). Create RIDs that are not currently being routed and use network commands to add networks for the switches at the branch site.

    On R7 add the even addresses and on R8 add the odd. This time you must use redistribute connected for the loopback IPs, but make sure the PPP network is not added. You can use network commands for the S0/0/0.1. Configure areas based on the above diagram.

    Task 2 (Default Route): Add a new loopback to R7 (


    Sw1#
    router ospf 1
     router-id 1.1.1.10                ! Manually set the RIDs to avoid problems later!
     log-adjacency-changes
     no discard-route internal
     area 0 range 10.0.0.0 255.0.0.0
     area 2 virtual-link 1.1.1.1
     area 4 virtual-link 1.1.1.20
     area 4 virtual-link 1.1.1.40
     network 10.3.3.1 0.0.0.0 area 4
     network 10.4.4.1 0.0.0.0 area 4
     network 10.9.9.1 0.0.0.0 area 4
     network 10.6.6.1 0.0.0.0 area 2
     network 10.7.7.1 0.0.0.0 area 1
     network 10.8.8.1 0.0.0.0 area 4
     network 192.168.10.1 0.0.0.0 area 0

    Sw2#
    router ospf 1
     router-id 1.1.1.20
     log-adjacency-changes
     no discard-route internal
     area 1 virtual-link 1.1.1.1
     area 4 range 10.0.0.0 255.0.0.0
     area 4 virtual-link 1.1.1.10
     area 4 virtual-link 1.1.1.30
     area 4 virtual-link 1.1.1.40
     network 10.3.3.2 0.0.0.0 area 4
     network 10.4.4.2 0.0.0.0 area 4
     network 10.9.9.2 0.0.0.0 area 4
     network 10.7.7.1 0.0.0.0 area 1
     network 10.11.11.1 0.0.0.0 area 4

    Sw3#
    interface Vlan5
     description vlan5_sw3tosw4
     ip address 10.5.5.1 255.255.255.252
     ip ospf mtu-ignore                ! mismatched MTU!
    router ospf 1
     router-id 1.1.1.30
     log-adjacency-changes
     area 4 virtual-link 1.1.1.20
     network 10.8.8.2 0.0.0.0 area 4
     network 10.5.5.1 0.0.0.0 area 4

    Sw4#
    interface Vlan5
     description vlan5_sw3tosw4
     ip address 10.5.5.2 255.255.255.252
     ip ospf mtu-ignore
    router ospf 1
     router-id 1.1.1.40
     log-adjacency-changes
     area 4 range 10.0.0.0 255.0.0.0
     area 4 virtual-link 1.1.1.20
     area 4 virtual-link 1.1.1.10
     network 10.0.0.0 0.255.255.255 area 4

    R1#
    interface Loopback1
     ip address 10.10.10.1 255.255.255.0
     ip ospf network point-to-point    ! removes the /32!
     ip ospf 1 area 2                  ! Alternative to using the network command!
    interface FastEthernet0/0
     description vlan6_sw1tor1
     ip address 10.6.6.2 255.255.255.252
     ip ospf 1 area 2
     duplex auto
     speed auto
    interface FastEthernet0/1
     description vlan7_sw2tor1
     ip address 10.7.7.2 255.255.255.252
     ip ospf 1 area 1
     duplex auto
     speed auto
    interface Serial0/0/0
     description ESC_to_R2_R3
     ip address 172.16.1.1 255.255.255.0
     encapsulation frame-relay
     ip ospf 1 area 0
     no frame-relay inverse-arp

    R2#
    interface Serial0/0/0.1 multipoint
     ip address 172.16.1.2 255.255.255.0
     ip ospf 1 area 0
     frame-relay map ip 172.16.1.3 203 broadcast    ! mesh PVCs to R3 and R1
     frame-relay map ip 172.16.1.1 201 broadcast
     no frame-relay inverse-arp
    interface Serial0/0/0.2 point-to-point
     description P2P-to-BB1
     ip address 172.16.2.2 255.255.255.0
     ip ospf 1 area 7
     frame-relay interface-dlci 205
    interface Serial0/0/0.3 point-to-point
     ip address 172.16.5.2 255.255.255.0
     ip rip triggered
     ip rip authentication mode md5
     ip rip authentication key-chain cisco
     ip ospf 1 area 6
     frame-relay interface-dlci 207
    router ospf 1
     router-id 1.1.1.2
     log-adjacency-changes
     area 6 nssa no-summary
     redistribute static metric-type 1 subnets
     default-information originate metric-type 1
     distribute-list prefix area0 in

    R3#
    interface Loopback1
     ip address 10.13.13.1 255.255.255.0
     ip ospf network point-to-point
     ip ospf 1 area 3
    interface FastEthernet0/0
     description vlan10_Leased
     ip address 192.168.10.3 255.255.255.0
     ip ospf 1 area 0
     duplex auto
     speed auto
    interface FastEthernet0/1
     no ip address
     shutdown
     duplex auto
     speed auto
    interface Serial0/0/0
     no ip address
     encapsulation frame-relay
     frame-relay lmi-type ansi
    interface Serial0/0/0.1 multipoint
     description ESC_to_R1_R2
     ip address 172.16.1.3 255.255.255.0
     ip ospf 1 area 0
     frame-relay map ip 172.16.1.1 301 broadcast
     frame-relay map ip 172.16.1.2 302 broadcast
     no frame-relay inverse-arp
    interface Serial0/0/0.2 multipoint
     description Hub-and-spoke-R5-R6
     ip address 172.16.3.3 255.255.255.0
     no ip split-horizon
     ip ospf dead-interval minimal hello-multiplier 4
     ip ospf 1 area 3
     frame-relay map ip 172.16.3.3 305
     frame-relay map ip 172.16.3.5 305 broadcast
     frame-relay map ip 172.16.3.6 306 broadcast
     no frame-relay inverse-arp
    interface Serial0/0/0.3 point-to-point
     description P2P-to-R6
     ip address 172.16.6.3 255.255.255.0
     ip rip triggered
     ip rip authentication mode md5
     ip rip authentication key-chain cisco
     ip ospf 1 area 5
     frame-relay interface-dlci 308
    router ospf 1
     router-id 1.1.1.3
     log-adjacency-changes
     area 0 range 10.0.0.0 255.0.0.0
     area 3 stub
     area 5 nssa
     redistribute static metric-type 1 subnets
     neighbor 172.16.3.5
     neighbor 172.16.3.6
     default-information originate metric-type 1
     distribute-list prefix area0 in


    R5#
    interface FastEthernet0/0
     description vlan10_Leased
     ip address 192.168.10.5 255.255.255.0
     ip ospf 1 area 0
     duplex auto
     speed auto
    interface FastEthernet0/1
     no ip address
     shutdown
     duplex auto
     speed auto
    interface Serial0/0/0
     description Hub-and-spoke-to-R3-R6
     ip address 172.16.3.5 255.255.255.0
     encapsulation frame-relay
     ip ospf dead-interval minimal hello-multiplier 4
     ip ospf 1 area 3
     frame-relay map ip 172.16.3.3 503 broadcast
     frame-relay map ip 172.16.3.5 503 broadcast
     frame-relay map ip 172.16.3.6 503 broadcast
     no frame-relay inverse-arp
     frame-relay lmi-type ansi
    interface Serial0/0/1
     no ip address
     clock rate 2000000
    router ospf 1
     router-id 1.1.1.5
     log-adjacency-changes
     area 3 stub
     neighbor 172.16.3.3 priority 100
     distribute-list prefix area0 in

    R8#
    interface Loopback0
     ip address 131.0.2.1 255.255.255.0 secondary
     ip address 131.0.3.1 255.255.255.0 secondary
     ip address 131.0.4.1 255.255.255.0 secondary
     ip address 131.0.5.1 255.255.255.0 secondary
     ip address 131.0.6.1 255.255.255.0 secondary
     ip address 131.0.1.1 255.255.255.0
     ip rip advertise 20
    interface Loopback2
     ip address 209.1.1.2 255.255.255.252
     ip rip advertise 20
    interface Serial0/0/0.1 point-to-point
     description P2P-to-R3
     ip address 172.16.6.8 255.255.255.0
     ip rip triggered
     ip rip advertise 20
     ip rip authentication mode md5
     ip rip authentication key-chain cisco
     frame-relay interface-dlci 803
    interface Serial0/0/1
     description PPP-to-R7
     ip address 172.16.4.8 255.255.255.0
     ip rip advertise 20
     encapsulation ppp
     ppp authentication chap
    router ospf 1
     router-id 1.1.1.8
     log-adjacency-changes
     area 5 nssa
     redistribute connected metric-type 1 subnets route-map ospf
     redistribute rip subnets route-map redist
     network 172.16.6.8 0.0.0.0 area 5
    router rip
     version 2
     timers basic 20 40 0 120
     redistribute ospf 1 metric 1 route-map ospf2rip
     passive-interface default
     no passive-interface Serial0/0/1
     network 172.16.0.0
     network 0.0.0.0
     neighbor 172.16.6.3
     no auto-summary

    To view the basic OSPF configurations for R7, R6 and BB1, refer to the answers provided on the thumb drive.


    Task 3 (Redundancy): Since AREA 0 has several points of failure in this topology, it is important to configure virtual links on routers that could potentially become areas separated from Area 0. The best way to determine where to place the virtual links is to draw out the failure scenarios from the OSPF topology. The following VLs were configured for this lab:

    Sw1
    router ospf 1
     router-id 1.1.1.10
     area 2 virtual-link 1.1.1.1     (to R1)
     area 4 virtual-link 1.1.1.20    (to Sw2)
     area 4 virtual-link 1.1.1.40    (to Sw4)

    Sw2
     router-id 1.1.1.20
     area 1 virtual-link 1.1.1.1     (to R1)
     area 4 virtual-link 1.1.1.10    (to Sw1)
     area 4 virtual-link 1.1.1.30    (to Sw3)
     area 4 virtual-link 1.1.1.40    (to Sw4)

    Sw4
     area 4 virtual-link 1.1.1.20    (to Sw2)
     area 4 virtual-link 1.1.1.10    (to Sw1)

    R1
     area 1 virtual-link 1.1.1.20    (to Sw2)
     area 2 virtual-link 1.1.1.10    (to Sw1)

    Sw3
     area 4 virtual-link 1.1.1.20    (to Sw2)

    Task 4 (Summaries): Summarize the 10.0.0.0 networks in the branch site to the smallest bit boundaries, and do not allow any null routes in the routing tables or /32 routes advertised to any neighbors. Leave the three new loopbacks with a

    Sw4#
    router ospf 1
     no discard-route internal
     area 4 range 10.0.0.0 255.0.0.0

    Sw2#
    router ospf 1
     no discard-route internal
     area 4 range 10.0.0.0 255.0.0.0

    Sw1#
    router ospf 1
     no discard-route internal
     area 0 range 10.0.0.0 255.0.0.0


    On all of the routers external to the branch site, an inbound distribute-list was needed to filter out the more specific (longer mask) prefixes.

    .0.0/16 le 32
    ip prefix-list area0 seq 4 permit 130.0.2.0/24
    ip prefix-list area0 seq 5 permit 130.0.4.0/24
    ip prefix-list area0 seq 6 permit 130.0.6.0/24
    ip prefix-list area0 seq 7 permit 130.0.8.0/24
    ip prefix-list area0 seq 8 permit 131.0.1.0/24
    ip prefix-list area0 seq 9 permit 131.0.3.0/24
    ip prefix-list area0 seq 10 permit 131.0.5.0/24
    ip prefix-list area0 seq 11 permit 131.0.7.0/24
    ip prefix-list area0 seq 12 permit 10.10.10.0/24
    ip prefix-list area0 seq 13 permit 10.11.11.0/24
    ip prefix-list area0 seq 14 permit 10.12.12.0/24
    ip prefix-list area0 seq 15 permit 10.13.13.0/24

    Show ip route on R2

    R2# show ip route
    Gateway of last resort is 172.16.5.7 to network 0.0.0.0
    (routing table entries)

    Task 5 (NBMA): Make sure OSPF is NBMA on the Hub and Spoke and that the hello timer is

    Neighbor commands giving the HUB a priority:

    interface Serial0/0/0
     ip address 172.16.3.5 255.255.255.0
     encapsulation frame-relay
     ip ospf dead-interval minimal hello-multiplier 4

    (This command is a multiplier of how many times in 1 second the device will send an OSPF hello.)

    Task 6 (Testing): Ping test connectivity from R1 to every network.

    tclsh
    foreach address {
     10.3.3.1 10.3.3.2 10.4.4.1 10.4.4.2 10.5.5.1 10.5.5.2
     10.6.6.1 10.6.6.2 10.7.7.1 10.7.7.2 10.8.8.1 10.8.8.2 10.9.9.1 10.9.9.2
     192.168.10.1 192.168.10.2 192.168.10.3 192.168.10.5 192.168.10.6 192.168.10.9
     172.16.1.2 172.16.1.3 172.16.2.2 172.16.2.5 172.16.3.3 172.16.3.5 172.16.3.6
     172.16.5.2 172.16.5.7 172.16.6.3 172.16.6.8
     10.10.10.1 10.12.12.1 10.13.13.1 209.1.1.1 209.1.1.2
    } { ping $address }

    Sw1# show ip ospf database
    (link-state database listing: Router, Net, Summary Net and Summary ASB Link States for Areas 0, 1, 2 and 4, followed by the Type-5 AS External Link States)


    Day 3

    EIGRP

    Overview

    EIGRP is a Cisco proprietary protocol that combines the attributes of a Link State and a Distance Vector routing protocol. It is considered a 'hybrid' routing protocol. EIGRP was released as an enhancement to Cisco's other proprietary routing protocol, IGRP. EIGRP supports automatic route summarization, VLSM addressing, multicast updates, non-periodic updates, unequal-cost load balancing and independent support for IPX and AppleTalk.

    EIGRP added many features to overcome the limitations of IGRP:

    The Diffusing Update Algorithm (DUAL)

    Loop-free networks

    Incremental updates instead of periodic (only send changes as they occur)

    Knowledge about neighbors as opposed to the entire network

    Independent support for IP, IPX and AppleTalk

    Classless routing

    Efficient summarization of networks

    Efficient use of link bandwidth for routing updates

    Authentication

    EIGRP uses the same metrics as IGRP

    Updates

    EIGRP sends hello packets every 5 seconds on high bandwidth links like PPP and HDLC leased lines, Ethernet, TR, FDDI, Frame Relay point-to-point and ATM. It sends hellos every 60 seconds on low bandwidth multipoint links like FR multipoint and ATM multipoint links.

    EIGRP reliable packets are: Update, Query and Reply.

    EIGRP unreliable packets are: Hello and Ack.

    Updates are always transmitted reliably. Updates convey reachability of destinations. On discovery of a new neighbor, update packets are sent so the neighbor can build its topology table. These update packets are unicast. In other cases, such as a link cost change, updates are multicast.

    Both queries and replies are transmitted reliably. When destinations go into active state, queries and replies are sent. Queries are always multicast unless they are sent in response to a received query; in this case a reply is unicast back to the successor that originated the query. Replies are always sent in response to queries to indicate to the originator that it does not need to go into active state because it has feasible successors. Replies are unicast to the originator of the query.


    Authentication

    Authentication in EIGRP is very similar to RIP V2 authentication, except that EIGRP only supports MD5 authentication. EIGRP uses key chains and interface commands to configure authentication.

    r1lab(config)# interface s0
    r1lab(config-if)# ip authentication mode eigrp 111 md5
    r1lab(config-if)# ip authentication key-chain eigrp 111 cisco
    r1lab(config)# key chain cisco
    r1lab(config-keychain)# key 0
    r1lab(config-keychain-key)# key-string ccie

    Default Routes

    Default routes can be configured in EIGRP in three different ways:

    [ip summary-address eigrp 100 0.0.0.0 0.0.0.0]

    [ip default-network]

    [redistribute ip route 0.0.0.0 0.0.0.0 null 0]

    [redistribute static] or network 0.0.0.0

    The ip default-network must be a classful network that is used as the candidate default network in EIGRP. This method is legacy, left over from IGRP.

    Summarization

    In EIGRP auto-summary is on by default and it is used to summarize to classful boundaries. No auto-summary allows the router to summarize to bit boundaries. This type of summarization is configured on the interface, and split horizon must be disabled for it to work. As you can see in the following example, an AD of 5 is assigned to summaries:

    r1lab(config-if)# ip summary-address eigrp


    Load: Utilization on a link between source and destination, measured in bits per second on its worst link

    MTU: The smallest Maximum Transmission Unit

    The default for EIGRP is to use only bandwidth and delay when calculating the metric. EIGRP uses the following scaled values to determine the total metric to the network:

    EIGRP Metric = Bandwidth + Delay

    After two routers become neighbors, each will send routing updates (and other packets) to the other using a reliable multicast scheme.
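    The text gives only "Bandwidth + Delay"; the added Python below (not from the workbook) fills in the classic EIGRP composite formula with the default K values, 256 * (10^7 / lowest bandwidth in kbps + sum of delays in tens of microseconds), and works it for a FastEthernet, a T1 serial and a path across both, using IOS default bandwidth and delay values as the constructed inputs.

```python
# Added example (not from the boot camp workbook): the classic EIGRP composite
# metric with the default K values (K1 = K3 = 1, others 0), i.e. the
# "Bandwidth + Delay" the text refers to. The 256 scaling and the 10^7/kbps
# bandwidth term are the classic EIGRP formula; Load and MTU are not used by
# default and are left out.

from dataclasses import dataclass

SCALE = 256                # classic EIGRP scaling factor
BW_CONSTANT = 10_000_000   # 10^7, divided by the bandwidth in kbps


@dataclass(frozen=True)
class Link:
    name: str
    bandwidth_kbps: int   # interface 'bandwidth' value, in kbps
    delay_usec: int       # interface 'delay' value, in microseconds


def scaled_bandwidth(path: list) -> int:
    """Bandwidth term: 10^7 divided by the slowest link on the path (truncated)."""
    return BW_CONSTANT // min(link.bandwidth_kbps for link in path)


def scaled_delay(path: list) -> int:
    """Delay term: the sum of all link delays, expressed in tens of microseconds."""
    return sum(link.delay_usec for link in path) // 10


def eigrp_metric(path: list) -> int:
    """Composite metric for a path of Links, K1 = K3 = 1."""
    if not path:
        raise ValueError("a path needs at least one link")
    return SCALE * (scaled_bandwidth(path) + scaled_delay(path))


# Constructed sample links using the IOS default bandwidth/delay values for a
# FastEthernet interface and a 1544 kbps serial interface.
FAST_ETHERNET = Link("FastEthernet", 100_000, 100)
T1_SERIAL = Link("Serial (T1)", 1_544, 20_000)


def worked_examples() -> dict:
    """Metrics for a FastEthernet, a T1, and a path that crosses both."""
    return {
        "FastEthernet": eigrp_metric([FAST_ETHERNET]),
        "T1": eigrp_metric([T1_SERIAL]),
        "FastEthernet then T1": eigrp_metric([FAST_ETHERNET, T1_SERIAL]),
    }


if __name__ == "__main__":
    for name, metric in worked_examples().items():
        print(f"{name:22s} metric {metric}")
```

    Because the bandwidth term uses the slowest link on the whole path, adding a FastEthernet hop in front of the T1 changes only the delay term (2000 to 2010), which is why the two-hop metric differs from the T1 alone by just 256 * 10.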

    For example, assume that router 1 has a series of packets, such as a routing table update, which must be transmitted to routers 2, 3 and 4. Router 1 will send the first packet to the EIGRP multicast address

    EIGRP: Sending HELLO on Ethernet0/1
    AS 666, Flags 0x0, Seq 0 Ack 0
    EIGRP: Sending HELLO on Ethernet0/1
    AS 666, Flags 0x0, Seq 0 Ack 0
    EIGRP: Received UPDATE on Ethernet0/1 from 10.
    AS 666, Flags 0x1, Seq 1 Ack 0
    EIGRP: Sending HELLO/ACK on Ethernet0/1 to 10.
    AS 666, Flags 0x0, Seq 0 Ack 1
    EIGRP: Sending HELLO/ACK on Ethernet0/1 to 10.
    AS 666, Flags 0x0, Seq 0 Ack 1
    EIGRP: Received UPDATE on Ethernet0/1 from 10.
    AS 666, Flags 0x0, Seq


    EIGRP Stub

    A STUB sets a flag bit in the hello packets and affects what the router will advertise. Typically it is used to send a reduced routing table, so it reduces processing on the router and controls what networks are advertised.

    Four options exist for what a stub router can send: receive-only, summary, connected and static.

    EIGRP LAB

    Scenario

    Turn-key is at it again: even though they were impressed with the OSPF configuration, they still desire to keep the configurations in the routers but disable OSPF in order to test drive EIGRP.


    Task 3 (Defaults): R2 and R3 should send a default route into EIGRP to reach the ISP routers; make sure the ISP routers (R7, R8) do not use this default route.

    Task 4 (Routing Table): Verify the routing tables in your equipment and make adjustments until they look the same as Task 4.

    R2# show ip route
    Gateway of last resort is 172.16.5.7 to network 0.0.0.0
    (EIGRP routing table entries)

    I!B21"!112J ia 12.1>9.1!.3A !!012044A :astEthernet!B! 13!.!.!.!B24 is s5nettedA > s5nets7 13!.!.2.! I!B22"9>J ia 1"2.1>.."A !!01204>A Serial!B!B!.37 13!.!.3.! I!B22"9>J ia 1"2.1>.."A !!01204>A Serial!B!B!.37 13!.!.1.! I!B22"9>J ia 1"2.1>.."A !!01204>A Serial!B!B!.37 13!.!.>.! I!B22"9>J ia 1"2.1>.."A !!01204>A Serial!B!B!.37 13!.!.4.! I!B22"9>J ia 1"2.1>.."A !!01204>A Serial!B!B!.37 13!.!..! I!B22"9>J ia 1"2.1>.."A !!01204>A Serial!B!B!.3 1!.!.!.!B9 is aria5l* s5nettedA 4 s5netsA 2 mass7 1!.13.13.!B24 I!B139>J ia 12.1>9.1!.3A !!01302A :astEthernet!B! 1!.12.12.!B24 is directl* connectedA $oop5ac17 1!.1!.1!.!B24 I!B21"49>!3J ia 1"2.1>.1.1A !!01204>A Serial!B!B!.17 1!.!.!.!B9 I!B2>112J ia 12.1>9.1!.1A !!01204A :astEthernet!B! 131.!.!.!B24 is s5nettedA > s5nets7 131.!.3.! I!B229112J ia 12.1>9.1!.3A !!01204A :astEthernet!B!7 131.!.2.! I!B229112J ia 12.