8/12/2019 Advanced Boot Camp Day 1to4
1/140
Advanced Boot Camp Day 1 - Day 4: Technology Labs
Day 1
Switching
In order to properly configure switches for the CCIE Lab examination, the following topics and configurations must be understood. At the time of writing this Technology workbook, 3550s and 3560s were co-resident in the R&S Lab. However, by the time of reading this document you may have 4 x 3560s in your lab. Thus 3560s are used in the following section labs and for explanatory purposes.
MAC Address Expiration
All modern Cisco switching platforms store and forward Ethernet frames and need to build a Content Addressable Memory (CAM) table to understand which source MAC addresses are connected to which ports. If a switch does not have a CAM table entry for a destination MAC address, it must forward the frame out every port. Needless to say, forwarding unicast, multicast and broadcast to every switch port could cause security as well as bandwidth issues. In Volume II we discuss the security issues in great detail, but for now we will use the MAC address expiration to limit the chances of forwarding traffic out every port. Some devices can not or will not send gratuitous ARPs on regular intervals; therefore there is a chance their dynamically learned MAC addresses may be removed from the CAM table. Instead of allowing the switch to forward traffic destined to this device out every switch port, the MAC address aging timer can be increased from the default (300 seconds) to a greater value.
Switch(config)#mac address-table aging-time 4000 (increases the timer to a little over an hour)
0             This value disables aging. Static address entries are never aged or removed from the table.
10-1000000    Aging time in seconds. The range is 10 to 1000000 seconds.
vlan vlan-id  (Optional) Specify the VLAN ID to which to apply the aging time. The range is 1 to 4094.
Static MAC Addresses
Unfortunately there are some devices that can never send gratuitous ARPs to the switch. For these devices we can statically configure their MAC addresses to avoid flooding.
Switch(config)#mac address-table static 1234.1234.1234 vlan 4 interface gigabitethernet0/2
mac-addr                Destination MAC address (unicast or multicast) to add to the address table. Packets with this destination address received in the specified VLAN are forwarded to the specified interface.
vlan vlan-id            Specify the VLAN for which the packet with the specified MAC address is received. The range is 1 to 4094.
interface interface-id  Interface to which the received packet is forwarded. Valid interfaces include physical ports and port channels.
Another useful variant of the static command is the drop option. By including the keyword drop, unicast MAC address filtering will allow the switch to drop traffic with a specific source or destination MAC address. Why only unicast, you may ask? This is because multicast creates a multicast MAC address by using the last
to a destination MAC address of FFFF.FFFF.FFFF.
To block (filter) a MAC address in a switch we would configure something like this:
Switch(config)#mac address-table static 1111.1111.1111 vlan 2 drop
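The following is an added example (not part of the workbook): a small model of a CAM table that shows the three forwarding cases described above, namely an aged-out dynamic entry causing unknown-unicast flooding, a static entry pinning a quiet device to its port, and a drop entry filtering a MAC address. The MAC addresses, port names and timings are constructed sample values.

```python
"""Added example: CAM table aging, static entries and drop entries.
All MAC addresses, ports and timings are constructed sample values."""
from dataclasses import dataclass

DEFAULT_AGING = 300  # Cisco default mac address-table aging-time, in seconds


@dataclass
class Entry:
    port: str          # egress port, or "DROP" for a filtering entry
    learned_at: float  # time the entry was (re)learned
    static: bool       # static entries are never aged out


class CamTable:
    def __init__(self, ports, aging_time=DEFAULT_AGING):
        self.ports = list(ports)
        self.aging_time = aging_time
        self.entries = {}  # (vlan, mac) -> Entry

    def learn(self, vlan, src_mac, port, now):
        """Dynamic learning from a frame's source address (refreshes the timer)."""
        key = (vlan, src_mac.lower())
        cur = self.entries.get(key)
        if cur is not None and cur.static:
            return  # a static entry is never overwritten by learning
        self.entries[key] = Entry(port, now, static=False)

    def add_static(self, vlan, mac, port):
        """mac address-table static <mac> vlan <id> interface <port>"""
        self.entries[(vlan, mac.lower())] = Entry(port, 0.0, static=True)

    def add_drop(self, vlan, mac):
        """mac address-table static <mac> vlan <id> drop"""
        self.entries[(vlan, mac.lower())] = Entry("DROP", 0.0, static=True)

    def age(self, now):
        """Remove dynamic entries older than the aging timer; 0 disables aging."""
        if self.aging_time == 0:
            return
        self.entries = {
            k: e for k, e in self.entries.items()
            if e.static or now - e.learned_at < self.aging_time
        }

    def forward(self, vlan, src_mac, dst_mac, in_port, now):
        """Return the list of egress ports for a frame, after aging and learning."""
        self.age(now)
        self.learn(vlan, src_mac, in_port, now)
        entry = self.entries.get((vlan, dst_mac.lower()))
        if entry is None:
            # unknown unicast: flood out every port in the VLAN except the ingress port
            return [p for p in self.ports if p != in_port]
        if entry.port == "DROP":
            return []
        return [entry.port]


def demo():
    """Walk a server that never sends gratuitous ARPs through the three cases."""
    cam = CamTable(["Gi0/1", "Gi0/2", "Gi0/3"])
    server, pc = "1234.1234.1234", "aaaa.bbbb.cccc"
    # t=0: the server sends one frame, so its MAC is learned on Gi0/2
    cam.forward(4, server, pc, "Gi0/2", now=0)
    known = cam.forward(4, pc, server, "Gi0/1", now=100)        # ['Gi0/2']
    # t=400: the server never spoke again, the 300 s timer expired -> flooded
    flooded = cam.forward(4, pc, server, "Gi0/1", now=400)      # ['Gi0/2', 'Gi0/3']
    # a static entry pins the server to its port regardless of the timer
    cam.add_static(4, server, "Gi0/2")
    pinned = cam.forward(4, pc, server, "Gi0/1", now=5000)      # ['Gi0/2']
    # a drop entry filters frames to that address entirely
    cam.add_drop(2, "1111.1111.1111")
    dropped = cam.forward(2, pc, "1111.1111.1111", "Gi0/1", now=5000)  # []
    return known, flooded, pinned, dropped


if __name__ == "__main__":
    print(demo())
```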
"LA#S
)ey here is a topic that should be pretty familiar. If not than please read this briefexplanation. A 4irtual Local Area /etwork -4LA/ is simply a broadcast domain. In otherwords a 4LA/ is a layer < boundary. Typically a 4LA/ is associated with a Layer ! subnet but
in reality they are independent. 8or example on a (4I -(witched 4irtual Interface A?A-interface 4LA/ I can configure a primary subnet -I0 Address and se*eral secondary I0
addresses. :hat we do find with 4LA/s at least with !""# or !"$# switches in particular isthat this broadcast domain is usually mapped to an instance of (panning Tree or 04(T.
To configure 4LA/s we need to add them to the 4LA/ database. 5epending on the switch
model this is performed from the global configuration or from the 4LA/ 5ATA9A(E prompt-depreciated. 4irtual Trunk 0rotocol -4T0 adds some automation to this process but for now
we assume we are in the default (er*er ,ode and can manually add 4LA/s to the 4LA/database.
The recommended method for adding 4LA/s when possible is from the global configuration
prompt.
switch(config)#vlan 100switch(config-vlan)#name VOICswitch(config-vlan)#e!it
To assign the new VLANs to a switch port you must configure the following:
switch(config)#int fa0/1
switch(config-if)#switchport mode access
switch(config-if)#switchport access vlan 100
Trunks
With trunks we can then transport the VLANs we have created over a single uplink. Trunks are said to carry multiple colors or tags. With 80
Switch#configure terminal
Switch(config)# vlan dot1q tag native
Switch(config)# end
"T&
Cisco pro*ides the 4LA/ Trunking 0rotocol -4T0 to automate the configuration of 4LA/s. If
you recall from the pre*ious 4LA/ section in order to add a 4LA/ to a switch we needed toadd the 4LA/ to the switchBs 4LA/ database. This exercise could be daunting if we had 2##
switches in a large office building. Instead of configuring each switch to support several VLANs, with VTP you only have to create the VLANs on a switch configured as a server and allow the other switches to dynamically learn the VLANs over their trunks. Best practice is to run these other switches in a read-only client mode. If more than one switch is configured as a server, then the switch with the highest revision number would control the VLAN database. Transparent mode is a third option that is used to allow VTP information to pass through a switch, but that specific switch will ignore the VTP and refer to its own manually assigned VLANs.
It is important to remember that all switches by default are VTP servers. The VTP server is where you would create, remove or modify VLANs. If for some reason you remove a switch from a lab or spares environment that was configured as a server and then introduce the switch into the production network, even if for only a few minutes before you reconfigure it as a client, if it has a higher revision number it will take control of the VTP database.
This VTP server sends advertisements across the VTP domain every 5 minutes or whenever a change is made in the VLAN database. The advertisement contains all the different VLAN names, VLAN numbers, what switches have ports in what VLANs, and a revision number. Whenever a switch receives an update with a larger revision number than the last one it applied, it applies that revision.
VTP switches can operate in three different modes:
Server: the default, where all VLAN adds, changes and removals are allowed.
Client: where no changes can be made; only new revisions can be received from the VTP server switches.
Transparent: where local VLAN information can be changed, but that information is not sent out to other switches. Transparent switches also do not apply VTP advertisements from other switches, but they do forward those advertisements on.
VTP pruning is the process of not sending unnecessary broadcast traffic for VLANs to switches that do not have any ports assigned to those VLANs. Pruning saves bandwidth because broadcasts don't have to be sent to switches that don't need them. To configure VTP you use the vtp global configuration mode command. With this command you can specify the following:
VTP domain: the name of the VTP domain. All switches communicating with VTP in the same domain must have the same VTP domain name.
VTP mode: either server, client or transparent.
VTP password: a password to control who can and cannot receive VTP information.
VTP pruning: VTP pruning is either turned on or off.
VTP version: Be aware that most switches do not support V3.
*Note: the VTP password is highly recommended to avoid switches from accidentally becoming a VTP server.
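The following is an added example (not part of the workbook): a small model of the advertisement rules described in this section (same domain, password must match, higher revision wins, transparent only forwards), run through the stale-server scenario above with and without a VTP password. The password check is a stand-in digest, not Cisco's real VTP MD5 computation, and the domain name, VLAN sets and revision numbers are constructed sample values.

```python
"""Added example: VTP revision takeover and the password/mode controls.
The digest is a stand-in for the real VTP MD5; names and numbers are constructed."""
import hashlib


class VtpSwitch:
    def __init__(self, name, domain, password=None, mode="server",
                 revision=0, vlans=None):
        self.name = name
        self.domain = domain
        self.password = password
        self.mode = mode            # "server", "client" or "transparent"
        self.revision = revision
        self.vlans = set(vlans or {1})

    def _digest(self, revision, vlans, password):
        # Stand-in for the digest VTP computes over the summary advertisement:
        # the property relied on is only that a wrong password produces a digest
        # the receiver will not accept.
        data = f"{self.domain}|{revision}|{sorted(vlans)}|{password}".encode()
        return hashlib.md5(data).hexdigest()

    def advertise(self):
        """Summary advertisement as a server would send it."""
        return {
            "domain": self.domain,
            "revision": self.revision,
            "vlans": set(self.vlans),
            "digest": self._digest(self.revision, self.vlans, self.password),
        }

    def receive(self, adv):
        """Apply the rules from the text and return what happened."""
        if adv["domain"] != self.domain:
            return "ignored: different domain"
        if self.mode == "transparent":
            return "forwarded: transparent mode keeps its own VLANs"
        expected = self._digest(adv["revision"], adv["vlans"], self.password)
        if expected != adv["digest"]:
            return "ignored: password mismatch"
        if adv["revision"] <= self.revision:
            return "ignored: revision not higher"
        # client and server alike overwrite their database with the newer revision
        self.vlans = set(adv["vlans"])
        self.revision = adv["revision"]
        return "applied: VLAN database overwritten"


def takeover_scenario(password_on_production):
    """A production server at revision 20 meets a lab switch at revision 35."""
    prod = VtpSwitch("SW1", "turnkey", password_on_production,
                     mode="server", revision=20, vlans={1, 2, 3, 4, 5})
    client = VtpSwitch("SW2", "turnkey", password_on_production,
                       mode="client", revision=20, vlans={1, 2, 3, 4, 5})
    stale = VtpSwitch("LAB", "turnkey", password=None,
                      mode="server", revision=35, vlans={1})
    adv = stale.advertise()
    return prod.receive(adv), client.receive(adv), sorted(prod.vlans)


if __name__ == "__main__":
    print(takeover_scenario(None))      # both overwritten; VLANs 2-5 vanish
    print(takeover_scenario("cisco"))   # both ignore the advertisement
```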
Ether-channel
Ether-channel allows a Cisco switch to bond together up to 8 Ethernet ports into a single channel. An Ether-channel uses a single port for spanning-tree purposes. If a link in the channel were to fail, then Ethernet frames would simply be forwarded across another port in the channel without relearning the spanning-tree topology. In addition to failover and redundancy, ether-channels can be configured to provide load balancing across each port in the channel.
Ether-channels spread the traffic load across the links in a channel by converting the source or destination MAC address or IP address of the frame into a numeric value that selects a link. The selected mode, whether it is IP or MAC address, is applied to all Ether-channels configured on the switch.
If you configured load balancing based on source MAC addresses, then different devices, based on their source MAC address, would be distributed across each port per device. For example the first device's source MAC address would be forwarded on the first port of the Ether-channel while the second device would be forwarded out the second port of the Ether-channel.
While source MAC address load balancing works well for equally distributing traffic across Ether-channel ports when there are multiple PC devices (sources) going to various destinations, destination MAC address load balancing works well with multiple servers or gateways that are accessed by PCs. In other words, traffic destined to each server would use a separate port in the Ether-channel.
If there is a mixture of end PC devices and servers, then source-and-destination MAC address forwarding is the best method for load balancing. Of course MAC address based load balancing is intended for layer 2 Ether-channels. If we were configuring load balancing for layer 3 Ether-channels we would simply use source IP, destination IP or source/destination IP load balancing, depending on the same scenarios as the MAC address load balancing.
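The following is an added example (not part of the workbook): a simulation of how src-mac, dst-mac and src-dst-mac load balancing spread frames over the links of a two-link Ether-channel for the two traffic patterns the section describes (many PCs talking to one gateway, and the gateway answering them). The hash is a simplified stand-in (low byte of the address, XORed for src-dst), not Cisco's actual algorithm, and the MAC addresses are constructed sample values.

```python
"""Added example: link selection under the three MAC-based load-balance modes.
The hash is a stand-in for Cisco's; the MAC addresses are constructed samples."""
from collections import Counter


def low_byte(mac):
    """Last octet of a MAC written as hhhh.hhhh.hhhh."""
    return int(mac.replace(".", "")[-2:], 16)


def pick_link(src, dst, method, links):
    """Select a link index for one frame; the low-order hash bits pick the link,
    which for a 2-, 4- or 8-link bundle is a plain modulo."""
    if method == "src-mac":
        h = low_byte(src)
    elif method == "dst-mac":
        h = low_byte(dst)
    elif method == "src-dst-mac":
        h = low_byte(src) ^ low_byte(dst)
    else:
        raise ValueError(method)
    return h % links


def distribution(flows, method, links=2):
    """Count frames per link for a list of (src, dst) flows."""
    c = Counter(pick_link(s, d, method, links) for s, d in flows)
    return [c[i] for i in range(links)]


# Constructed sample: four PCs all talking to one default gateway
PCS = ["0000.1111.0001", "0000.1111.0002", "0000.1111.0003", "0000.1111.0004"]
GATEWAY = "0000.aaaa.00fe"
TO_GATEWAY = [(pc, GATEWAY) for pc in PCS]        # access-layer view
FROM_GATEWAY = [(GATEWAY, pc) for pc in PCS]      # gateway-side view


def compare():
    """Per-method link loads for both directions of the sample traffic."""
    return {
        method: (distribution(TO_GATEWAY, method), distribution(FROM_GATEWAY, method))
        for method in ("src-mac", "dst-mac", "src-dst-mac")
    }


if __name__ == "__main__":
    # src-mac balances PC->gateway but piles gateway->PC onto one link;
    # dst-mac is the mirror image; src-dst-mac balances both directions.
    for method, (up, down) in compare().items():
        print(f"{method:12s} PC->gateway {up}  gateway->PC {down}")
```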
Port Aggregation Protocol
Port Aggregation Protocol (PAgP) is a Cisco proprietary method of automatically creating Ether-channel links. PAgP packets are sent between Ethernet ports in order to negotiate the forming of Ether-channels. PAgP can not work properly on the following configurations:
Dynamic VLANs.
Different speeds or port duplex.
The PAgP modes are explained below.
1. on: PAgP will not run. The channel is forced to come up.
2. off: PAgP will not run. The channel is forced to remain down.
3. auto: PAgP is running passively. The formation of a channel is desired; however it is not initiated.
4. desirable: PAgP is running actively. The formation of a channel is desired and initiated.
Link Aggregate Control Protocol (LACP)
LACP is a standards based (IEEE 80
On: Manual, without any LACP negotiation.
Off: The link aggregation will not be formed.
Passive: The switch does not initiate the channel but does understand inbound LACP packets. The peer (in active state) initiates negotiation (when it sends out an LACP packet), which we receive and answer, eventually forming the aggregation channel with the peer.
Active: The link aggregate will be formed if the other end runs in LACP active or passive mode. This is similar to the desirable mode of PAgP.
As mentioned previously, both LACP and PAgP are used to dynamically provision Ethernet ports as Ether-channels. If the Ether-channel is manually provisioned by using the mode "on" keyword, then neither LACP nor PAgP is used. In any case, load balancing using source MAC address, destination MAC address or source/destination MAC address, or source, destination or source/destination IP addressing, can be used with all methods.
The following global configuration example displays the load balancing choices available to Ether-channels:
The following is an example of a PAgP Layer 2 Ether-channel configuration:
Layer 2
switch(config)# interface range fastEthernet 0/<first> - <last>
switch(config-if-range)# switchport mode access
switch(config-if-range)# switchport access vlan 100
switch(config-if-range)# channel-group 1 mode desirable
The following is an example of a LACP Layer 3 Ether-channel configuration:
Layer 3
switch(config)# int port-channel 1
switch(config-if)# no switchport
switch(config-if)# ip address <ip-address> 255.255.255.0
switch(config)# interface range fastEthernet 0/2 - 4
switch(config-if-range)# no switchport
switch(config-if-range)# channel-group 1 mode active
Spanning Tree
By default the Cisco switch uses 80
The switch that is designated as ROOT only has designated ports to other connected switches. The other switches (non-root) have root ports on the connections that are closest to the ROOT switch, as well as designated ports connected to other switches with a longer path back to the ROOT. To keep the topology loop free, spanning tree uses path costs and port priorities to determine which switch and port needs to be blocked. For every VLAN, one port in a redundant path must be blocked.
Spanning tree calculates the longest path from ROOT and determines the switch to be blocked. This behavior can be overridden by manipulating the path costs and additionally changing port priorities to manipulate which port (linear on the longest path) is chosen to be blocked. You will notice in this example that the layer 2 path with the longer path cost of 30 is chosen as the segment to block. By manually configuring a higher port priority on SW3, the port on SW4 will be blocked.
Spanning Tree Diagram
RSTP must also designate a ROOT as well as calculating path costs and port priorities. However, instead of optionally enabling uplink fast to reduce the time to failover to redundant uplinks, 80
RSTP Diagram
SPAN/RSPAN
The Switch Port Analyzer (SPAN) is used to monitor traffic from VLANs and/or Ethernet ports on a switch. A very common application for this configuration is to connect a passive intrusion detection system (IDS) or packet sniffing application. Ethereal is packet sniffing software that can be downloaded from: http://www.ethereal.com/download.html. In addition to capturing traffic from a connected switch, RSPAN can be used to capture traffic from a remote switch connected to the destination (sniffing) port with a dot1q trunk.
The following example displays how to configure a remote span session:
Switch 1
switch1(config)#vlan <rspan-vlan>
switch1(config-vlan)#name remote-span
switch1(config-vlan)#remote-span
switch1(config)# monitor session 1 source interface fa0/1 both
switch1(config)# monitor session 1 destination remote vlan <rspan-vlan>
Switch 2
switch2(config)# monitor session 1 source remote vlan <rspan-vlan>
switch2(config)# monitor session 1 destination interface fastEthernet 0/12
Controlling Telnet Access
Telnet is controlled from the VTY lines. The following configuration does not require a password to access the device with privilege 15 access rights, but limits access to the VTY line to only the protocol Telnet from only the 1.1.1.1 IP address.
line vty 0 4
 access-class 1 in
 exec-timeout 20 0
 privilege level 15
 no login
 transport input telnet
access-list 1 permit 1.1.1.1
To hide addresses while trying to establish a Telnet session from the router or switch, use the service hide-telnet-address global command.
To stop the router from sending information to an idle telnet session, use the service telnet-zeroidle command. Data transfer is resumed if the logged in VTY user enters the resume command for the idle session.
Normally telnet only sends one character at a time. The service nagle command can improve performance by sending multiple characters in each telnet packet.
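The following is an added example (not part of the workbook): a small audit that parses the vty line blocks out of a running-config and flags the settings in the configuration above that widen Telnet exposure (no login, a pre-set privilege level, a missing access-class, a disabled exec-timeout, cleartext telnet as a transport). The config text is a constructed sample; the second vty block is added to show a block that lacks the access-class.

```python
"""Added example: audit 'line vty' blocks of a constructed running-config."""
import re

SAMPLE_CONFIG = """\
hostname SW1
!
access-list 1 permit 1.1.1.1
!
line vty 0 4
 access-class 1 in
 exec-timeout 20 0
 privilege level 15
 no login
 transport input telnet
line vty 5 15
 exec-timeout 0 0
 transport input telnet ssh
!
end
"""


def parse_vty_lines(config):
    """Return {line-range: [commands]} for every 'line vty' block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^line vty (\d+(?: \d+)?)$", line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # any unindented line ends the block
    return blocks


def audit_vty(config):
    """Return (line-range, finding) tuples for the risky vty settings."""
    findings = []
    for rng, cmds in parse_vty_lines(config).items():
        if "no login" in cmds:
            findings.append((rng, "no login: sessions are not authenticated"))
        if not any(c.startswith("access-class") and c.endswith(" in") for c in cmds):
            findings.append((rng, "no inbound access-class: any source may connect"))
        for c in cmds:
            if c.startswith("privilege level ") and c.split()[-1] == "15":
                findings.append((rng, "privilege level 15: sessions start in enable mode"))
            if c == "exec-timeout 0 0":
                findings.append((rng, "exec-timeout 0 0: idle sessions never expire"))
            if c.startswith("transport input") and "telnet" in c.split()[2:]:
                findings.append((rng, "transport input allows telnet: session is cleartext"))
    return findings


if __name__ == "__main__":
    for rng, text in audit_vty(SAMPLE_CONFIG):
        print(f"line vty {rng}: {text}")
```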
Storm Control
This technique is used to prevent switch ports being overloaded by broadcast, multicast or unicast traffic on a per port basis. Storm control creates a threshold so excessive traffic is dropped until traffic drops below the threshold. The thresholds are set as a percentage of the interface bandwidth. For example if the level is set to 100 that traffic is always permitted, and if it were set to 0.0 then that type of traffic is never permitted. The following example illustrates how different thresholds are set for unicast, broadcast and multicast traffic.
switch(config-if)# storm-control broadcast level 2
switch(config-if)# storm-control unicast level 2
switch(config-if)# storm-control multicast level 20
Blocking
Blocking prevents unknown unicast or multicast from being flooded into the port when enabled. The default behavior of a switch is to forward packets with unknown destination MAC addresses to all its ports. This might not always be desirable, especially in terms of security. If you configure the port block feature then, depending on what type of traffic you specified, unknown unicast or multicast packets are not forwarded from one port to another.
switch(config-if-range)#switchport block ?
  multicast  Block unknown multicast addresses
  unicast    Block unknown unicast addresses
Protected Ports
Private VLANs will be discussed in Volume II. One thing to note about Private VLANs is that they can not co-exist with VTP version 2 or lower. A workaround for this limitation is to configure a switch in Transparent VTP mode. If for some reason the switch must be a VTP server, then protected ports can be used in a limited manner to provide a subset of the same isolation.
The protected port feature is used in those environments where no traffic may be forwarded between two ports on the same switch. This way one neighbor connected to one port does not see the traffic that is generated by another neighbor connected to the second port. The blocking of traffic (unicast, broadcast or multicast) only works when both ports are protected. When a protected port is communicating with an unprotected port the traffic is forwarded in the usual manner. Once the ports are protected, traffic between them can only be forwarded by a Layer 3 device.
switch#configure terminal
switch(config)#ip radius source-interface Vlan<vlan-id>
switch(config)#radius-server host <radius-server-ip>
switch(config)#radius-server key cisco
switch(config)#end
Macros
,acros can be used to group common switch configurations together. ,acros along with the
interface%range command helps to reduce the amount of effort needed to deploy switches.
)ere is useful ,acro to be used in the switches for a ping script.
Sw1(config)#macro name PINGEnter macro commands one per line. End with the character '@'.
do ping 142.22.12.1do ping 142.22.13.1do ping 144.21.1.1do ping 1!.1.2".2do ping 142.22.12.2@
Sw1(config)# Sw1config!"macro glo#al a$$l% PING
Switching LAB
Scenario
This is the first Lab in a series of Labs that build on each other. There is no need for initial configurations because this first lab will construct the Layer 2 topology to be used for all other labs in Volume I of this technology workbook. Please save your configurations after each lab to avoid any rework when progressing to other labs. The point of this Lab is to build a new infrastructure for Turn-Key Inc. This company has hired you to interconnect (4) branch locations and (http://www.cisco.com/univercd/home/home.htm). As the labs progress, less and less support information is provided in the introduction section of the lab.
Topology
As previously mentioned, LAB 1 will build the Layer 2 infrastructure. At Branch 1 we will have a mixed L2 and L3 environment. This is due to some devices needing to span VLANs across the campus. In the IDF (Access Layer) some VLANs will be routed and others trunked to the CORE.
In addition to the campus network at Branch (1) we will also build a VLAN between several of the routers to imitate a Leased Ethernet service.
This topology is supported in CCBOOTCAMP's rack rentals but should also work in other Rack Rental sites or a home lab with (4) 3560 switches and (8) routers. The next page provides the physical Ethernet topology. As you progress to Lab 2 and others, the topology will include Frame-relay and logical IP addressing and Routing information.
Physical Diagram
Switch1 Tasks
Task 1 (Basic VLAN): Configure SW1 such that it provides the database for the VLANs in the following table. All other switches should learn the VLANs from SW1. Use a control mechanism to prevent new switches from accidentally controlling the VLAN database when added into the network. Also add the appropriate hostnames and interface descriptions to all devices based on the diagram.
VLAN  VLAN Name
2     Vlan2_rspan
3     Vlan3_trunked
4     Vlan4_trunked
5     Vlan5_sw1tosw2
6     Vlan6_sw1tor1
7     Vlan7_sw2tor1
8     Vlan8_sw1tosw3
9     Vlan9_sw3tosw4
10    Vlan10_Leased
11    Vlan11_sw2tosw4
Task 2 (Load Balance and Trunks): Vlan 3 and 4 should be trunked on a pair (
Task 6 (Monitoring): Turn-key would like to connect a packet sniffer to F0/15 on sw3 to analyze the VLAN10 traffic on R
*Note: virtual IP addresses will be used later.
VLAN  VLAN Name  Device  IP  Vlan
Switch1 Answers (Don't peek)
Try to complete these labs with minimal looking at the answers. The completed answers will be provided on a thumb drive.
Task 1 (Basic VLAN): The VTP and VLAN information was supposed to be configured on SW1:
Sw1(config)#vtp domain turnkey
Sw1(config)#vtp mode server
Sw1(config)#vtp password cisco
Sw1(config)#vlan 2
Sw1(config-vlan)#name vlan2_rspan (same for other VLANs)
On the other switches:
Swx(config)#vtp mode client
Swx(config)#vtp domain turnkey
Swx(config)#vtp password cisco
In order to prevent accidental VLAN changes we set the VTP password to Cisco.
The names and interface descriptions should be based on the table. For example:
interface vlan5
 description vlan5_sw1tosw2
 ip address 10.5.5.2 255.255.255.252
To test your configuration issue the following commands:
Sw1#sh vtp status
VTP Version                     : 2
Configuration Revision          : <n>
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 23
VTP Operating Mode              : Server
VTP Domain Name                 : turnkey
VTP Pruning Mode                : Enabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
Sw1:
port-channel load-balance src-dst-mac
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 5
 switchport trunk allowed vlan 2-5
 switchport mode trunk
interface Port-channel2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 8
 switchport trunk allowed vlan 2-4,8
 switchport mode trunk
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 5
 switchport trunk allowed vlan 2-5
 switchport mode trunk
 channel-group 1 mode on
interface FastEthernet0/20
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 5
 switchport trunk allowed vlan 2-5
 switchport mode trunk
 channel-group 1 mode on
interface FastEthernet0/21
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 8
 switchport trunk allowed vlan 2-4,8
 switchport mode trunk
 channel-group 2 mode on
interface FastEthernet0/22
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 8
 switchport trunk allowed vlan 2-4,8
 switchport mode trunk
 channel-group 2 mode on
interface Vlan1
 no ip address
 shutdown
interface Vlan3
 description vlan3_trunked
 ip address 10.3.3.1 255.255.255.0
interface Vlan4
 description vlan4_trunked
 ip address 10.4.4.1 255.255.255.0
interface Vlan5
 description vlan5_sw1tosw2
 ip address 10.5.5.1 255.255.255.252
interface Vlan8
 description vlan8_sw1tosw3
 ip address 10.8.8.1 255.255.255.252
For the load balancing we needed source MAC address LB closest to the PC devices, so that each device would be load balanced based on its source MAC address to equally use each port in the Ether-channel.
On Sw3 and Sw4:
port-channel load-balance src-mac
The other two switches, Sw1 and Sw2, need src-dst-mac because they will be the default gateways for these devices.
Task 3 (Spanning Tree): The following configurations were needed on the following devices in order to set the ROOT and blocked ports per Task 3 specifications:
Sw1:
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1,3,8 priority 0
Sw2:
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 4,11 priority 0
Sw3:
spanning-tree mode rapid-pvst
spanning-tree extend system-id
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 9
 switchport trunk allowed vlan 2-4,9
 switchport mode trunk
 spanning-tree vlan 3 cost 200000000
interface Port-channel2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 8
 switchport trunk allowed vlan 2-4,8
 switchport mode trunk
Sw4:
spanning-tree mode rapid-pvst
spanning-tree extend system-id
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 9
 switchport trunk allowed vlan 2-4,9
 switchport mode trunk
interface Port-channel2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 11
 switchport trunk allowed vlan 2-4,11
 switchport mode trunk
To configure the bonus, root guard was needed on Sw3:
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 9
 switchport trunk allowed vlan 2-4,9
 switchport mode trunk
 channel-group 1 mode on
 spanning-tree guard root
interface FastEthernet0/20
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 9
 switchport trunk allowed vlan 2-4,9
 switchport mode trunk
 channel-group 1 mode on
 spanning-tree guard root
Task 5 (Mac Addresses): In the first part of this task we are changing the MAC aging timer to be in sync with how often the server sends gratuitous ARPs.
Sw3:
mac-address-table aging-time 1800 vlan 3
In the next section we must configure a static MAC address for a device that is unable to send gratuitous ARPs.
Sw4:
mac-address-table static 1112.1112.1112 vlan 3 interface FastEthernet0/11
The next requirement was to block a MAC address from all switches:
mac-address-table static 1234.1234.1234 vlan 4 drop
The last requirement was to make sure that unicast traffic going to MAC address destinations not known in the CAM table was not flooded into Sw2 port f0/16:
interface FastEthernet0/16
 switchport block unicast
Task 6 (Monitoring): The following configuration would set up a monitoring session on sw3 to sniff traffic to/from R2 vlan 10:
Sw3
monitor session 1 destination interface Fa0/15
monitor session 1 source remote vlan 2
Sw1
monitor session 1 source interface Fa0/2
monitor session 1 destination remote vlan 2
Task 7 (IP Addresses): Configure IP addresses per specifications.
Task 8 (802.1x):
Sw3:
username user password 0 cisco
aaa new-model
aaa authentication dot1x default group radius local
dot1x system-auth-control
int f0/24
 switchport access vlan 3
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
radius-server host 192.168.2.101 auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server key cisco
Task 9 (Telnet): The first part of the task asks us to restrict telnet or SSH access to 10.0.0.0 and give those administrators privilege level 15 when they log into the devices. In order to configure the bonus, this access must be restricted to Mon-Friday between 9am and 5pm.
The following configuration on each device would satisfy the above requirements:
ip access-list extended telnet
 permit ip 10.0.0.0 0.255.255.255 any log time-range weekdays
time-range weekdays
 periodic weekdays 9:00 to 17:00
line vty 0 4
 access-class telnet in
 privilege level 15
 transport input telnet ssh
line vty 5 15
 access-class telnet in
 privilege level 15
 transport input telnet ssh
On R1 configure telnet so that multiple characters are transmitted in each telnet packet.
R1:
service nagle
Day 1
Frame Relay
Basic Facts
Frame Relay is a Layer 2 protocol.
Serial interfaces use DB-60 connectors.
Connection-oriented to transport data between a DTE device and a Frame Relay switch.
Simple error checking is provided by appending a Frame Check Sequence (FCS) to each frame (similar to a CRC).
No error correction (error checking but no correction; that's left to the host).
Frame Relay uses HDLC, PPP or ISDN/LAPD encapsulations.
Maximum speed of Frame is 45 Mbps.
Data Link Connection Identifier (DLCI)
DLCIs are assigned by the Frame Relay circuit provider and have local significance only. They provide an identifier for the connection between the router at your site and the big Frame Relay switch at the provider. There is often confusion about this, so to make it clear: the DLCI is used only between your site and the provider's point-of-presence; it has no significance beyond that.
DLCI states are:
Deleted: No LMI signal is being received from the switch, or no service is available from the switch.
Active: Lines are up; connections are active. Routers are exchanging data.
Inactive: The frame relay switch to local connection is working. The remote router's connection to the frame switch is not working.
Local Management Interface (LMI)
LMI provides the control protocol for PVC setup and management. There are three types available: Cisco, ANSI and q.933a (default is Cisco). The service provider will specify the LMI in use. LMIs control data keepalives and verify the dataflow. The LMI type must be identical between the local device (router) and the local Frame Relay switch; it does not have to be identical for the end devices.
Encapsulation
The encapsulation choices are Cisco and IETF, with Cisco being the default. This designation can be made per DLCI. The encapsulation type must be identical at both end devices. If Cisco devices are used across the entire network, Cisco encapsulation will likely be the encapsulation type; however, since the Cisco encapsulation type is proprietary, if another manufacturer's devices are used at the Frame Relay endpoints then the IETF encapsulation type will be required. Remember, encapsulation can be set per interface or per destination.
Split Horizon and Frame Relay Interfaces
Split horizon dictates that if a router has received a route advertisement from another router, it will not re-advertise it back out the interface on which it was learned. The default condition for Frame Relay interfaces is:
Physical interfaces: split-horizon is disabled by default
Multipoint sub interfaces: split-horizon is enabled by default
Point-to-point sub interfaces: split-horizon is enabled by default
Inverse-ARP
Inverse ARP, when enabled, is used to automatically map frame-relay DLCIs which are configured in the frame-relay switch to IP addresses configured on the remote routers. You may be requested to disable frame-relay inverse ARP on your physical or point-to-multipoint sub interface; if so, then you can use frame-relay map statements after you disable the inverse-ARP. Secondly, it is best practice to make these changes while the interfaces are shut, to avoid rebooting the router later.
Inverse-ARP is not recommended for frame-relay hub-and-spoke topologies because it could take inverse-ARP up to 60 seconds to converge from a site failure. In a MESH topology this shortcoming is not as impacting because every site has an alternate DLCI to every site, but in hub-and-spoke the spokes must always communicate via the hub.
Mesh
A full mesh requires DLCIs to interconnect PVCs between each router. Total PVCs=
same issue with needing MAPs exists with the spokes too. If this hub-and-spoke configuration were provisioned on a carrier's network, the spokes would not need to have MAP entries because the provider would only configure the needed DLCI back to the Hub site.
With Inverse-ARP off, which is the recommended configuration, all routers will have MAP statements from Hub to all spokes and from spokes to hub. Depending on the neighbor requirements of the routing protocol, we may find ourselves later adding map statements between spokes or needing to enable the broadcast keyword.
Point-to-point
In this configuration each P
Frame Relay DLCI, PVC and IP addressing
Frame Relay Tasks
Task 1 (Mesh): Configure a mesh between R1, R
Frame Relay Answers
Task 1 (Mesh): Remember to keep your interfaces shut until you have configured all of your frame relay on each interface or sub-interface. Sometimes clear frame-relay inarp helps, but usually you will have to either reboot or default the interface to fix frame relay issues. These simple problems can cost you time in the real Lab. Make sure to test each connection with ping as you no shut the interfaces.
R1:
interface Serial0/0/0
 description MESH_to_2_3
 ip address 172.16.1.1 255.255.255.0
 encapsulation frame-relay
 no frame-relay inverse-arp
R2:
 ip address 172.16.1.2 255.255.255.0
 frame-relay map ip 172.16.1.3 203 broadcast
 frame-relay map ip 172.16.1.1 201 broadcast
 no frame-relay inverse-arp
R3:
interface Serial0/0/0
 no ip address
 encapsulation frame-relay
 frame-relay lmi-type ansi
interface Serial0/0/0.1 multipoint
 description MESH_to_1_2
 ip address 172.16.1.3 255.255.255.0
 frame-relay map ip 172.16.1.1 301 broadcast
 frame-relay map ip 172.16.1.2 302 broadcast
 no frame-relay inverse-arp
R1#sh frame-relay map
Serial0/0/0 (up): ip 172.16.1.3 dlci 103(0x67,0x1870), dynamic, broadcast,
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2
Sending 5, 100-byte ICMP Echos to 172.16.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos
0 ms
R1#
Task 2 (
R3:
 ip address 172.16.3.3 255.255.255.0
 frame-relay map ip 172.16.3.5 305 broadcast
 frame-relay map ip 172.16.3.6 306 broadcast
 frame-relay map ip 172.16.3.3 305
 no frame-relay inverse-arp
R5:
interface Serial0/0/0
 description HUB-and-spoke-to-3-6
 ip address 172.16.3.5 255.255.255.0
 encapsulation frame-relay
 frame-relay map ip 172.16.3.3 503 broadcast
 frame-relay map ip 172.16.3.5 503
 frame-relay map ip 172.16.3.6 503 broadcast
 no frame-relay inverse-arp
 frame-relay lmi-type ansi
R6:
interface Serial0/0/0
 description HUB-and-spoke-to-3-5
 ip address 172.16.3.6 255.255.255.0
 encapsulation frame-relay
 frame-relay map ip 172.16.3.3 603 broadcast
 frame-relay map ip 172.16.3.5 603 broadcast   (This is configured to assist in the RIP section later!)
 frame-relay map ip 172.16.3.6 603
 no frame-relay inverse-arp
 frame-relay lmi-type ansi
Task 3 (Point-to-Points):
BB1:
interface Serial0/0/0.1 point-to-point
 description P2P-to-R2
 ip address 172.16.2.9 255.255.255.0
 frame-relay interface-dlci 902
R7:
interface Serial0/0/0.1 point-to-point
 description P2P-to-R2
 ip address 172.16.5.7 255.255.255.0
 frame-relay interface-dlci 702
R8:
interface Serial0/0/0.1 point-to-point
 description P2P-to-3
 ip address 172.16.6.8 255.255.255.0
 frame-relay interface-dlci 803
Configure the opposite on R2 or R3 to connect to the P
R7:
 ip address 172.16.4.7 255.255.255.0
 encapsulation ppp
 clock rate 2000000
 ppp authentication chap
 ppp chap hostname user
 ppp chap password 0 cisco
R8:
username user password 0 cisco
interface Serial0/0/1
 description PPP-to-7
 ip address 172.16.4.8 255.255.255.0
 encapsulation ppp
 ppp authentication chap
Day 1
RIPv2
There are two versions of RIP: versions 1 and
R8(config-if)#ip rip v2-broadcast
Neighbors
Connected neighbors simply need RIPv2 enabled globally and a connected network entry, and they are ready to exchange updates. Secondly, no auto-summary needs to be configured if classless summaries are required.
router rip
 network 172.16.0.0
 no auto-summary
If it is desired not to send updates to interfaces without connected neighbors, then the passive-interface command can be used. There are two different approaches to using this configuration. The first is to use "passive-interface default" and then specify which interfaces will allow the updates:
router rip
 passive-interface default
 no passive-interface FastEthernet0/0
The second choice is to just apply a passive-interface command to the specific interfaces on which you desire to disable the updates:
router rip
 passive-interface f0/0
There are times when broadcast or multicast updates are permitted or limited because of the frame-relay map statements. In these cases the passive-interface command can be used to suppress the broadcast/multicast, in combination with the neighbor command to send a unicast update to the neighbor's IP address:
router rip
 neighbor 172.16.6.3
And lastly, it is possible to send updates to a neighbor that is not physically connected. Two scenarios come to mind: neighbors over PPP with non-connected and different subnets, or an RSPAN session. The former is an advanced topic, so we will leave it for Volume II, but the latter is something we can configure with our current bag of tricks. In order to receive RIPv
router rip
 no validate-update-source
This command makes it so the RIP router doesn't care who is sending the update.
Loop Protection
The split horizon rule reduces the incidence of routing loops. Split horizon prevents two-node loops between neighbors (tight loops) by not advertising the routes on the same interface from which they were learned. Split horizon also eliminates unnecessary updates.
Split horizon with the addition of poison reverse allows the routing protocol to advertise all routes out an interface, but those learned from earlier updates coming into that interface are marked with infinite distance metrics. Poison reverse guards against loops spanning multiple RIP routers.
Unfortunately there are some issues with Split Horizon in a Hub and Spoke Network. In a hub and spoke network, routes from remote frame relay sites will not be sent to other remote locations because of the split horizon enabled by default on the sub-interfaces. It is possible to disable split horizon, but then we lose the loop protection. Disabling Split Horizon will ensure full connectivity between all locations in a hub and spoke topology using RIPv
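To make the hub-and-spoke problem concrete, the following Python model (an added example, not code from the workbook) builds the update a RIP hub sends out its multipoint sub-interface under plain split horizon, split horizon with poison reverse, and with split horizon disabled; the hub routing table, the spoke prefixes and the interface name S0/0/0.2 are constructed for the example.

```python
INFINITY = 16  # RIP's "unreachable" metric


def build_update(routes, out_interface, split_horizon=True, poison_reverse=False):
    """Return the (prefix, metric) pairs a RIP router sends out one interface.

    routes maps prefix -> (metric, learned_on_interface); learned_on_interface is
    None for the router's own connected networks.  Metrics are incremented by one
    hop on the way out and capped at INFINITY.
    """
    update = []
    for prefix, (metric, learned_on) in routes.items():
        if split_horizon and learned_on == out_interface:
            if poison_reverse:
                # Poison reverse: still advertise, but as unreachable.
                update.append((prefix, INFINITY))
            # Plain split horizon: say nothing about routes learned on this interface.
            continue
        update.append((prefix, min(metric + 1, INFINITY)))
    return update


def spoke_learns(update, own_prefix):
    """Prefixes a spoke would install from the hub's update: unreachable metrics
    and the spoke's own connected network are skipped."""
    return sorted(p for p, m in update if m < INFINITY and p != own_prefix)


# Constructed hub routing table (not from the workbook): both spoke LANs were
# learned on the multipoint sub-interface S0/0/0.2; the hub LAN is connected.
HUB_ROUTES = {
    "10.5.0.0/24": (1, "S0/0/0.2"),     # learned from spoke R5
    "10.6.0.0/24": (1, "S0/0/0.2"),     # learned from spoke R6
    "192.168.10.0/24": (0, None),       # hub's own LAN
}


def hub_and_spoke_demo():
    """What spoke R6 ends up knowing under each split-horizon setting on the hub."""
    results = {}
    for label, kwargs in (("split-horizon", {}),
                          ("poison-reverse", {"poison_reverse": True}),
                          ("no ip split-horizon", {"split_horizon": False})):
        update = build_update(HUB_ROUTES, "S0/0/0.2", **kwargs)
        results[label] = spoke_learns(update, "10.6.0.0/24")
    return results


if __name__ == "__main__":
    for label, learned in hub_and_spoke_demo().items():
        print(f"{label:20s} R6 learns: {learned}")
```

Only with `no ip split-horizon` on the hub's multipoint sub-interface does R6 learn R5's LAN; poison reverse advertises it, but at metric 16, so the spoke still has no usable route.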
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 2 permit 172.16.3.0 0.0.0.255
router rip
 distribute-list 1 in ethernet 0
 distribute-list 2 out
Because distribute-list can use an access-list, we can have some very complex filtering using binary. The following example filters only the odd prefixes using an access-list based prefix list:
Allow only odd routes from 1.1.0.0 from R1 to other routers.
Network 1.1.1.0 0.0.254.255
Binary octet   128 64 32 16 8 4 2 1
1.1.1.0          0  0  0  0 0 0 0 1
1.1.3.0          0  0  0  0 0 0 1 1
1.1.5.0          0  0  0  0 0 1 0 1
Mask        11111111.11111111.11111110.00000000
Network     00000001.00000001.00000001.00000000
First host  00000001.00000001.00000001.00000000
2nd host    00000001.00000001.00000011.00000000
Only the rightmost bit of the third octet is checked (its wildcard bit is 0); because that bit is 1 in 1.1.1.0, only odd third octets match.
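To verify the odd/even selection without a router, here is an added Python example (not from the workbook) that implements the access-list match rule (a bit must equal the network only where the wildcard bit is 0) and applies both the 1.1.1.0 0.0.254.255 entry above and the two-entry ripin list used later in the RIP lab (130.0.0.0 0.0.254.255 and 131.0.1.0 0.0.254.255) to a constructed set of route prefixes.

```python
import ipaddress


def wildcard_match(prefix: str, network: str, wildcard: str) -> bool:
    """Cisco ACL semantics: a wildcard bit of 0 means "must match the network",
    a wildcard bit of 1 means "don't care"."""
    p = int(ipaddress.IPv4Address(prefix))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF            # bits that must match
    return (p & care) == (n & care)


def filter_routes(acl, routes):
    """Run route prefixes through an ordered standard access-list given as
    (action, network, wildcard) tuples.  First match wins; anything that matches
    nothing hits the implicit 'deny any' and is dropped."""
    permitted = []
    for route in routes:
        for action, network, wildcard in acl:
            if wildcard_match(route, network, wildcard):
                if action == "permit":
                    permitted.append(route)
                break
    return permitted


def binary_view(addr: str) -> str:
    """Dotted-binary rendering, like the table above, to eyeball the checked bit."""
    return ".".join(f"{int(o):08b}" for o in addr.split("."))


# The page's odd-prefix example: 0.0.254.255 leaves only the last bit of the
# third octet as "must match", and that bit is 1 in 1.1.1.0.
ODD_ACL = [("permit", "1.1.1.0", "0.0.254.255")]

# The ripin list from the RIP lab: even 130.0.x.0 and odd 131.0.x.0 prefixes.
RIPIN_ACL = [("permit", "130.0.0.0", "0.0.254.255"),
             ("permit", "131.0.1.0", "0.0.254.255")]

# Constructed sample of prefixes as a RIP router might receive them.
SAMPLE_ROUTES = ["1.1.1.0", "1.1.2.0", "1.1.3.0", "1.1.4.0", "1.1.5.0",
                 "130.0.1.0", "130.0.2.0", "130.0.4.0", "130.0.5.0",
                 "131.0.1.0", "131.0.2.0", "131.0.3.0"]

if __name__ == "__main__":
    print("wildcard 0.0.254.255 =", binary_view("0.0.254.255"))
    print("odd 1.1.x.0 permits :", filter_routes(ODD_ACL, SAMPLE_ROUTES))
    print("ripin permits       :", filter_routes(RIPIN_ACL, SAMPLE_ROUTES))
```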
The tet?
r1lab(config)# key chain cisco
r1lab(config-keychain)# key 0
r1lab(config-keychain-key)# key-string cisco
Default Routes
Default routes can be advertised in RIPv2 in the following ways:
Redistribute static: "ip route 0.0.0.0 0.0.0.0 null0 permanent"
Default information originate: "ip default-network 1.0.0.0"
RIPv2 LAB
Scenario
So far we have set up the basic campus network at Turn-Key Inc's branch office as well as the leased Ethernet and Frame relay WAN connections between the sites. Normally, in a project similar in scope, we would not configure any of the network management or security features until after we have tested the network stability and performance. In most network deployments it is also a good idea to enable an easy-to-configure routing protocol so we can test the infrastructure. In this scenario we will use basic RIP and a few tweaks to test connectivity. Afterwards we can enable more complex features and optimize the routing with other protocols.
RIP Tasks
Task 1 (Basic RIPv2): Configure every router with RIPv
R8:
int lo0
 ip address 131.0.1.1
RIP Answers
Task 1 (Basic RIPv2): To use the least amount of network statements on every router, configure:
router rip
 version 2
 network 0.0.0.0
 no auto-summary
On the switches we would configure 10.0.0.0, because SVI interfaces (Vlan) do not configure under 0.0.0.0:
router rip
 version 2
 network 10.0.0.0
 no auto-summary
SW2 also needs 1
R3 (hub sub-interface):
 ip address 172.16.3.3 255.255.255.0
 no ip split-horizon
 frame-relay map ip 172.16.3.3 305
 frame-relay map ip 172.16.3.5 305 broadcast
 frame-relay map ip 172.16.3.6 306 broadcast
 no frame-relay inverse-arp
To test all the IP address connectivity from R1, use the following TCL script:
tclsh
foreach address {10.3.3.1 10.3.3.2 10.4.4.1 10.4.4.2 10.5.5.1 10.5.5.2 10.6.6.1 10.6.6.2 10.7.7.1 10.7.7.2 10.8.8.1 10.8.8.2 10.9.9.1 10.9.9.2 192.168.10.1 192.168.10.2 192.168.10.3 192.168.10.5 192.168.10.6 192.168.10.9 172.16.1.2 172.16.1.3 172.16.2.2 172.16.2.9 172.16.3.3 172.16.3.5 172.16.3.6 172.16.5.2 172.16.5.7 172.16.6.3 172.16.6.8} {ping $address}
Task 2 (Route Optimization):
On R1, R
0.0 0.0.255.255
show ip route
Gateway of last resort is not set
192.168.10.0/24 [120/1] via 10.6.6.1, 00:00:01, FastEthernet0/0
172.16.0.0/16 is variably subnetted, 8 subnets, 2 masks
 172.16.4.8/32 [120/3] via 10.6.6.1, 00:00:01, FastEthernet0/0
 172.16.4.0/24 [120/3] via 10.6.6.1, 00:00:01, FastEthernet0/0
 172.16.5.0/24 [120/2] via 10.6.6.1, 00:00:01, FastEthernet0/0
 172.16.6.0/24 [120/2] via 10.6.6.1, 00:00:01, FastEthernet0/0
 172.16.1.0/24 is directly connected, Serial0/0/0
 172.16.2.0/24 [120/2] via 10.6.6.1, 00:00:17, FastEthernet0/0
 172.16.4.7/32 [120/3] via 10.6.6.1, 00:00:17, FastEthernet0/0
 172.16.3.0/24 [120/2] via 10.6.6.1, 00:00:17, FastEthernet0/0
10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
R2:
router rip
 version 2
 offset-list rip in 2 Serial0/0/0.1
 network 0.0.0.0
 no auto-summary
ip access-list standard rip
 permit 10.0.0.0 0.255.255.255
 permit 192.168.10.0
show ip route
10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
 10.11.11.0/30 [120/2] via 192.168.10.1, 00:00:05, FastEthernet0/0
 10.9.9.0/30 [120/2] via 192.168.10.1, 00:00:05, FastEthernet0/0
 10.8.8.0/30 [120/1] via 192.168.10.1, 00:00:05, FastEthernet0/0
 10.7.7.0/30 [120/2] via 192.168.10.1, 00:00:05, FastEthernet0/0
 10.6.6.0/30 [120/1] via 192.168.10.1, 00:00:05, FastEthernet0/0
 10.5.5.0/30 [120/1] via 192.168.10.1, 00:00:05, FastEthernet0/0
 10.4.4.0/24 [120/1] via 192.168.10.1, 00:00:05, FastEthernet0/0
 10.3.3.0/24 [120/1] via 192.168.10.1, 00:00:05, FastEthernet0/0
R3:
router rip
 version 2
 offset-list rip in 2 Serial0/0/0.1
 network 0.0.0.0
 no auto-summary
ip access-list standard rip
 permit 10.0.0.0 0.255.255.255
 permit 192.168.10.0
 10.11.11.0/30 [120/2] via 192.168.10.1, 00:00:20, FastEthernet0/0
 10.9.9.0/30 [120/2] via 192.168.10.1, 00:00:20, FastEthernet0/0
 10.8.8.0/30 [120/1] via 192.168.10.1, 00:00:20, FastEthernet0/0
 10.7.7.0/30 [120/2] via 192.168.10.1, 00:00:20, FastEthernet0/0
 10.6.6.0/30 [120/1] via 192.168.10.1, 00:00:20, FastEthernet0/0
 10.5.5.0/30 [120/1] via 192.168.10.1, 00:00:20, FastEthernet0/0
 10.4.4.0/24 [120/1] via 192.168.10.1, 00:00:20, FastEthernet0/0
 10.3.3.0/24 [120/1] via 192.168.10.1, 00:00:20, FastEthernet0/0
On R7 and R8 run a TCL script with trace route:
tclsh
foreach address {10.3.3.1 10.3.3.2 10.4.4.1 10.4.4.2 10.5.5.1 10.5.5.2 10.6.6.1 10.6.6.2 10.7.7.1 10.7.7.2 10.8.8.1 10.8.8.2 10.9.9.1 10.9.9.2} {trace $address}
Type escape sequence to abort.
Tracing the route to 10.3.3.1
  1 172.16.5.2 28 msec 28 msec 28 msec
  2 192.168.10.1 28 msec 28 msec *
Type escape sequence to abort.
Tracing the route to 10.3.3.2
  1 172.16.5.2 28 msec 28 msec 28 msec
  2 192.168.10.1 28 msec 28 msec 28 msec
  3 10.3.3.2 28 msec 28 msec *
Type escape sequence to abort.
Tracing the route to 10.4.4.1
  1 172.16.5.2 28 msec 28 msec 28 msec
  2 192.168.10.1 28 msec 28 msec *
Type escape sequence to abort.
Tracing the route to 10.4.4.2
  1 172.16.5.2 28 msec 28 msec 28 msec
  2 192.168.10.1 28 msec 28 msec 28 msec
  3 10.4.4.2 28 msec 28 msec *
Type escape sequence to abort.
Tracing the route to 10.5.5.1
  1 172.16.5.2 28 msec 28 msec 28 msec
  2 192.168.10.1 28 msec 28 msec *
Type escape sequence to abort.
Tracing the route to 10.5.5.2
  1 172.16.5.2 28 msec 28 msec 28 msec
  2 192.168.10.1 28 msec 28 msec 28 msec
  3 10.5.5.2 28 msec 28 msec *
Type escape sequence to abort.
Tracing the route to 10.6.6.1
  1 172.16.5.2 28 msec 28 msec 28 msec
  2 192.168.10.1 28 msec 28 msec *
Type escape sequence to abort.
Tracing the route to 10.6.6.2
  1 172.16.5.2 28 msec 28 msec 28 msec
  2 192.168.10.1 28 msec 28 msec 28 msec
  3 10.6.6.2 28 msec 28 msec *
Type escape sequence to abort.
Tracing the route to 10.7.7.1
  1 172.16.5.2 28 msec 28 msec 28 msec
  2 192.168.10.1 28 msec 28 msec 28 msec
  3 10.3.3.2 28 msec 76 msec *
Type escape sequence to abort.
Tracing the route to 10.7.7.2
  1 172.16.5.2 28 msec 28 msec 28 msec
  2 192.168.10.1 28 msec 28 msec 28 msec
  3 10.5.5.2 28 msec 28 msec 28 msec
  4 10.7.7.2 28 msec 28 msec *
Type escape sequence to abort.
Tracing the route to 10.8.8.1
  1 172.16.5.2 28 msec 28 msec 28 msec
  2 192.168.10.1 28 msec 28 msec *
Type escape sequence to abort.
Tracing the route to 10.8.8.2
  1 172.16.5.2 28 msec 28 msec 28 msec
  2 192.168.10.1 28 msec 28 msec 28 msec
  3 10.8.8.2 28 msec 28 msec *
Type escape sequence to abort.
Tracing the route to 10.9.9.1
  1 172.16.5.2 28 msec 28 msec 28 msec
  2 192.168.10.1 28 msec 28 msec 28 msec
  3 10.8.8.2 28 msec 28 msec *
Type escape sequence to abort.
Tracing the route to 10.9.9.2
  1 172.16.5.2 28 msec 28 msec 28 msec
  2 192.168.10.1 28 msec 28 msec 28 msec
  3 10.8.8.2 28 msec 28 msec 28 msec
Task 3 (Authentication): MD5 authentication is the correct answer.
On 7 and 8:
int s0/0/0.3
 ip rip authentication mode md5
 ip rip authentication key-chain cisco
key chain cisco
 key 1
  key-string cisco
On 2 and 3:
int s0/0/0.1
 ip rip authentication mode md5
 ip rip authentication key-chain cisco
key chain cisco
 key 1
  key-string cisco
Task 4 (
 neighbor 172.16.3.6
 neighbor 172.16.3.5
 distribute-list ripin in Serial0/0/0.3
R5:
router rip
 version 2
 passive-interface Serial0/0/0
 network 0.0.0.0
 neighbor 172.16.3.6
 neighbor 172.16.3.3
 no auto-summary
R6:
router rip
 version 2
 passive-interface Serial0/0/0
 network 0.0.0.0
 neighbor 172.16.3.5
 neighbor 172.16.3.3
 no auto-summary
R6:
debug ip rip
*Jul 2 10:23:03.610:
*Jul 2 10:23:03.610: 10.4.4.0/24 via 0.0.0.0 in 2 hops
*Jul 2 10:23:03.610: 10.5.5.0/30 via 0.0.0.0 in 2 hops
*Jul 2 10:23:03.610: 10.6.6.0/30 via 0.0.0.0 in 2 hops
*Jul 2 10:23:03.610: 10.7.7.0/30 via 0.0.0.0 in 3 hops
*Jul 2 10:23:03.610: 10.8.8.0/30 via 0.0.0.0 in 2 hops
*Jul 2 10:23:03.610: 10.9.9.0/30 via 0.0.0.0 in 3 hops
*Jul 2 10:23:03.610: 10.11.11.0/30 via 0.0.0.0 in 3 hops
*Jul 2 10:23:03.610: 130.0.2.0/24 via 0.0.0.0 in 3 hops
*Jul 2 10:23:03.610: 130.0.4.0/24 via 0.0.0.0 in 3 hops
*Jul 2 10:23:03.610: 130.0.6.0/24 via 0.0.0.0 in 3 hops
*Jul 2 10:23:03.610: 131.0.1.0/24 via 0.0.0.0 in 2 hops
*Jul 2 10:23:03.610: 131.0.3.0/24 via 0.0.0.0 in 2 hops
*Jul 2 10:23:03.610: 131.0.5.0/24 via 0.0.0.0 in 2 hops
*Jul 2 10:23:03.610: 172.16.1.0/24 via 0.0.0.0 in 1 hops
*Jul 2 10:23:03.610: 172.16.2.0/24 via 0.0.0.0 in 2 hops
*Jul 2 10:23:03.610: 172.16.3.0/24 via 0.0.0.0 in 1 hops
*Jul 2 10:23:03.610: 172.16.5.0/24 via 0.0.0.0 in 2 hops
*Jul 2 10:23:03.610: 172.16.6.0/24 via 0.0.0.0 in 1 hops
*Jul 2 10:23:03.610: 192.168.10.0/24 via 0.0.0.0 in 1 hops
*Jul 2 10:23:06.143: via 172.16.3.3 in 4 hops
*Jul 2 10:23:06.143: 130.0.4.0/24 via 172.16.3.3 in 4 hops
*Jul 2 10:23:06.143: 130.0.6.0/24 via 172.16.3.3 in 4 hops
*Jul 2 10:23:06.143: 131.0.1.0/24 via 172.16.3.3 in 3 hops
*Jul 2 10:23:06.147: 131.0.3.0/24 via 172.16.3.3 in 3 hops
*Jul 2 10:23:06.147: 131.0.5.0/24 via 172.16.3.3 in 3 hops
*Jul 2 10:23:06.147: 172.16.1.0/24 via 172.16.3.3 in 2 hops
*Jul 2 10:23:06.147: 172.16.2.0/24 via 0.0.0.0 in 2 hops
*Jul 2 10:23:06.147: 172.16.3.0/24 via 0.0.0.0 in 1 hops
*Jul 2 10:23:06.147: 172.16.5.0/24 via 0.0.0.0 in 2 hops
*Jul 2 10:23:06.147: 172.16.6.0/24 via 172.16.3.3 in 2 hops
*Jul 2 10:23:06.147: 192.168.10.0/24 via 0.0.0.0 in 1 hops
Task 5 (Filtering): A distribute-list is needed to filter these routes. Remember RIP waits for the FLUSH time to remove routes. Give it a few minutes and then look at the routing tables.
R2:
router rip
 version 2
 offset-list rip in 2 Serial0/0/0.1
 network 0.0.0.0
 distribute-list ripin in Serial0/0/0.3
 no auto-summary
ip access-list standard ripin
 permit 130.0.0.0 0.0.254.255
 permit 131.0.1.0 0.0.254.255
           [120/1] via 172.16.1.3, 00:00:03, Serial0/0/0.1
130.0.0.0/24 is subnetted, 3 subnets
 130.0.2.0 [120/1] via 172.16.5.7, 00:00:10, Serial0/0/0.3
 130.0.6.0 [120/1] via 172.16.5.7, 00:00:12, Serial0/0/0.3
 130.0.4.0 [120/1] via 172.16.5.7, 00:00:12, Serial0/0/0.3
 131.0.3.0 [120/2] via 192.168.10.3, 00:00:14, FastEthernet0/0
           [120/2] via 172.16.1.3, 00:00:05, Serial0/0/0.1
 131.0.1.0 [120/2] via 192.168.10.3, 00:00:16, FastEthernet0/0
           [120/2] via 172.16.1.3, 00:00:06, Serial0/0/0.1
 131.0.5.0 [120/2] via 192.168.10.3, 00:00:16, FastEthernet0/0
           [120/2] via 172.16.1.3, 00:00:06, Serial0/0/0.1
R3:
router rip
 version 2
 offset-list rip in 2 Serial0/0/0.1
 network 0.0.0.0
 distribute-list ripin in Serial0/0/0.3
 no auto-summary
ip access-list standard ripin
 permit 130.0.0.0 0.0.254.255
 permit 131.0.1.0 0.0.254.255
130.0.0.0/24 is subnetted, 3 subnets
 130.0.2.0 [120/2] via 192.168.10.2, 00:00:15, FastEthernet0/0
           [120/2] via 172.16.6.8, 00:00:01, Serial0/0/0.3
           [120/2] via 172.16.1.2, 00:00:05, Serial0/0/0.1
 130.0.6.0 [120/2] via 192.168.10.2, 00:00:20, FastEthernet0/0
           [120/2] via 172.16.6.8, 00:00:03, Serial0/0/0.3
           [120/2] via 172.16.1.2, 00:00:10, Serial0/0/0.1
 130.0.4.0 [120/2] via 192.168.10.2, 00:00:20, FastEthernet0/0
           [120/2] via 172.16.6.8, 00:00:03, Serial0/0/0.3
           [120/2] via 172.16.1.2, 00:00:10, Serial0/0/0.1
131.0.0.0/24 is subnetted, 3 subnets
 131.0.3.0 [120/1] via 172.16.6.8, 00:00:04, Serial0/0/0.3
 131.0.1.0 [120/1] via 172.16.6.8, 00:00:04, Serial0/0/0.3
 131.0.5.0 [120/1] via 172.16.6.8, 00:00:04, Serial0/0/0.3
Bonus: Configure on the interfaces of 2, 3, 7, and 8 (config-subif)#ip rip triggered to only send updates when changes occur.
Day 1
Redundancy
Hot Standby Router Protocol (HSRP)
Hot Standby Router Protocol (HSRP) is a Cisco proprietary redundancy protocol for establishing a fault-tolerant default gateway. The protocol establishes a framework between network routers in order to achieve default gateway failover if the primary gateway should become inaccessible, in close association with a rapid-converging routing protocol like EIGRP or OSPF. By multicasting packets, HSRP sends its hello messages to the multicast address
Active: The router is doing what it does: route.
Standby: Waiting, waiting, waiting.
Speaking and listening: The router is sending and receiving hello messages.
Listening: The router is receiving hello messages.
The following example configures an SVI interface to have a virtual IP address of 10.
Gateway Load Balancing Protocol (GLBP)
Gateway Load Balancing Protocol (GLBP) is a Cisco proprietary protocol that attempts to overcome the limitations of existing redundant router protocols by adding basic load balancing functionality. In addition to being able to set priorities on different gateway routers, GLBP also allows a weighting parameter to be set. Based on this weighting (compared to others in the same virtual router group), ARP requests will be answered with MAC addresses pointing to different routers. Thus, load balancing is not based on traffic load, but rather on the number of hosts that will use each gateway router.
The Active Virtual Gateway (AVG) maintains a table of the Virtual Gateway IP address to mac-address mapping of the Active Virtual Forwarders (AVF). When the end hosts ARP, the AVG decides with which AVF router's mac-address to answer the ARP. In other words, devices will be equally divided between multiple routers with unique mac-addresses but sharing a common virtual IP address. This way DHCP can hand out a single gateway address while the AVG provides the load balancing mechanism.
The following example shows a basic GLBP configuration:
Router 1
track 30 interface Serial3/0 line-protocol up delay 30
!
interface FastEthernet1/0
 ip address 10.1.1.1 255.255.255.0
 duplex full
 glbp 1 ip 10.1.1.10
 glbp 1 weighting 100 lower 5
 glbp 1 weighting track 30
 glbp 1 forwarder preempt delay minimum 0
Router 2
track 30 interface Serial3/0 line-protocol up delay 30
!
interface FastEthernet1/0
 ip address 10.1.1.2 255.255.255.0
 duplex full
 glbp 1 ip 10.1.1.10
 glbp 1 priority 5
 glbp 1 weighting 100 lower 5
 glbp 1 weighting track 30
 glbp 1 forwarder preempt delay minimum 0
*Note: at the time of writing this workbook the 3560s do not support the GLBP feature.
HSRP Lab
HSRP Tasks
Task 1 (
routers wait 1 minute prior to reverting back to the primary. Both routers must track their connection to R1.
HSRP Answers
Task 1 (
 standby name vlan3
 standby track FastEthernet0/1
interface vlan4
 description vlan4_trunked
 ip address 10.4.4.1 255.255.255.0
 standby 1 ip 10.4.4.254
 standby 1 name vlan4
Sw1#sh standby
Vlan3 - Group 0
  State is Active
    2 state changes, last state change 01:44:06
  Virtual 0 secs
  Active router is local
  Standby router is 10.3.3.2, priority 100 (expires in 7.207 sec)
  Priority 255 (configured 255)
    Track interface FastEthernet0/1 state Up decrement 10
Vlan3 - Group 0
  State is Standby
    1 state change, last state change 01:46:08
  Virtual 0 secs
  Active router is local
  Standby router is 10.4.4.1, priority 100 (expires in 8.482 sec)
  Priority 255 (configured 255)
    Track interface FastEthernet0/1 state Up decrement 10
Day 2
OSPF
OSPF is a Link State routing protocol that uses Dijkstra's shortest path first (SPF) algorithm. OSPF is an open standard (following RFC 2
*Note: Highest Router ID wins the DR election. Priority can offset the election.
To configure a RID under the OSPF process, program the following:
router-id 1.1.1.1
LSA
There are 4 general LSAs:
Router LSAs (Type 1 LSAs) describe the routers attached to a network.
Network LSAs (Type 2 LSAs) describe the networks attached to an OSPF router.
Summary LSAs (Type 3 and Type 4 LSAs) condense routing information at area borders.
External LSAs (Type 5 and Type 7 LSAs) describe routes to external networks.
Type 1 LSAs are router link advertisements that are passed within an area by all OSPF routers. They describe the router links to the network. Type 1 LSAs are only flooded within a particular area.
Type 2 LSAs are network link advertisements that are flooded within an area by the Designated Router. They describe ALL the routers attached to specific networks, including the DR. These LSAs are flooded only in the originating area.
Type 3 LSAs are summary link advertisements that are passed between areas. They describe the networks within an area.
Type 4 LSAs are summary link advertisements that are passed between areas. They describe the path to the ASBR. Type 4 LSAs do not get flooded into stub areas.
Type 5 LSAs are passed between and flooded into areas by ASBRs. They describe routes external to the AS. Stub areas and NSSAs do not receive these LSAs.
Type 7 LSAs are NSSA AS-external routes that are flooded by the ASBR. They are similar to Type 5 LSAs, but unlike Type 5 LSAs, which are flooded into multiple areas, Type 7 LSAs are only flooded into NSSAs. Type 7 LSAs are converted to Type 5 LSAs by ABRs before being flooded into the area backbone.
Area types
Normal Areas: These areas can either be standard areas or transit (backbone) areas. Standard areas are defined as areas that can accept intra-area, inter-area and external routes. The backbone area is the central area to which all other areas in OSPF connect.
Note: Intra-area routes refer to updates that are passed within the area. Inter-area routes refer to updates that are passed between areas. External routes refer to updates passed from another routing protocol into the OSPF domain by the Autonomous System Border Router (ASBR).
Stub Areas: These areas do not accept routes belonging to external autonomous systems (AS); however, these areas have inter-area and intra-area routes. In order to reach the outside networks, the routers in the stub area use a default route which is injected into the area by the Area Border Router (ABR). A stub area is typically configured in situations where the branch office need not know about all the routes to every other office; instead it could use a default route to the central office and get to other places from there. Hence the memory requirements of the leaf node routers are reduced, and so is the size of the OSPF database.
To define an area as a stub area, use the OSPF router configuration command area <area id> stub
Totally Stub Areas: These areas do not allow routes other than intra-area and the default routes to be propagated within the area. The ABR injects a default route into the area and all the routers belonging to this area use the default route to send any traffic outside the area.
To define a totally stub area, use the OSPF router configuration command area <area id> stub no-summary on the ABR.
NSSA: This type of area allows the flexibility of importing a few external routes into the area while still trying to retain the stub characteristic. Assume that one of the routers in the stub area is connected to an external AS running a different routing protocol; it now becomes the ASBR, and hence the area can no longer be called a stub area. However, if the area is configured as an NSSA, then the ASBR generates an NSSA external link-state advertisement (LSA) (Type-7), which can be flooded throughout the NSSA area. These Type-7 LSAs are converted into Type-5 LSAs at the NSSA ABR and flooded throughout the OSPF domain.
External network LSAs (type 5) redistributed from other routing protocols into OSPF are not permitted to flood into a stub area.
To define an NSSA, use the OSPF router configuration command area <area id> nssa
If you desire to allow a 0.0.0.0 into the NSSA area in addition to the Type 3/4 summaries, then configure area <area id> nssa default-information-originate
Totally NSSA: This area still can send the Type 7 LSAs to the ABR but only receives a 0.0.0.0 default route from the ABR. To configure a Totally NSSA, configure area <area id> nssa no-summary
Summaries
There are two methods for summarizing networks on OSPF:
• Area range: used to summarize between OSPF areas. Always done on an ABR: area 2 range 20.0.0.0 255.0.0.0
• Summary-address: used to summarize external routes redistributed into OSPF. Always done on an ASBR: summary-address 20.0.0.0 255.0.0.0
Summaries will inject a NULL0 route into the routing table. If you are required to remove the NULL0, the following commands can be entered for the OSPF process:
no discard-route internal (used with area range)
no discard-route external (used with summary-address)
OSPF Metrics
Every routing protocol has a metric used to prefer one route over another. For OSPF the metric that is used is cost. With OSPF the cost is a number that is inversely proportional to the bandwidth of the link. In other words, the higher the cost, the LESS the link is preferred; the lower the cost, the MORE the link is preferred. By default OSPF load balances on up to four equal cost paths.
The formula that OSPF uses to calculate the cost of a link is:
Cost = 100000000 / bandwidth of the link
Or
Cost = 10^8 / bandwidth of the link
For example, a 10Mb 10Base-T Ethernet link's cost would be calculated as:
Cost = 100000000 / 10000000 = 10
Or
Cost = 10^8 / 10^7 = 10
With this formula the cost of a 64k Frame Relay link would be 1562, and the default cost of a T-1 would be 64.
So you may be asking "what about a 100Mb Ethernet link or a Gigabit Ethernet link?" The cost of a 100Mb Ethernet link or faster, when calculated with this formula, ends up being just 1.
Note that the bandwidth of 10^8 is the same as the bandwidth of 100Mb Ethernet, or 100,000,000 (commas are placed to show the 8 zeros in two sets of 4). This value is the default "reference bandwidth". It can be changed, thus causing all OSPF cost values to be changed on that router, with the ospf auto-cost reference-bandwidth command.
To manually change the cost of a link you would use the following command on the interface that you wish to change:
ip ospf cost <new cost>
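The cost arithmetic above, carried through for the link speeds the text mentions and for a raised reference bandwidth, as an added Python example (not from the workbook); the link table and the two-path comparison are constructed for the example, and the bandwidths are in kbit/s as IOS reports them.

```python
def ospf_cost(bandwidth_kbps: int, reference_bandwidth_mbps: int = 100) -> int:
    """Cisco-style OSPF interface cost.

    bandwidth_kbps is the interface 'bandwidth' in kbit/s (the unit IOS shows);
    reference_bandwidth_mbps is 'auto-cost reference-bandwidth' in Mbit/s, default
    100 (the 10^8 in the formula above).  IOS truncates to an integer and never
    goes below 1, which is why every link of 100 Mb/s or faster costs 1 by default.
    """
    if bandwidth_kbps <= 0:
        raise ValueError("bandwidth must be positive")
    reference_bps = reference_bandwidth_mbps * 1_000_000
    return max(reference_bps // (bandwidth_kbps * 1_000), 1)


# Constructed link table: (name, bandwidth in kbit/s as IOS would show it).
LINKS = [
    ("FrameRelay-64k", 64),
    ("Serial-T1", 1_544),
    ("Ethernet-10Mb", 10_000),
    ("FastEthernet", 100_000),
    ("GigabitEthernet", 1_000_000),
    ("TenGigabitEthernet", 10_000_000),
]


def cost_table(reference_bandwidth_mbps: int = 100) -> dict:
    """Cost of every link in LINKS under one reference bandwidth."""
    return {name: ospf_cost(bw, reference_bandwidth_mbps) for name, bw in LINKS}


def path_cost(link_bandwidths_kbps, reference_bandwidth_mbps: int = 100) -> int:
    """SPF sums the outgoing-interface costs along a path; the lower total wins."""
    return sum(ospf_cost(bw, reference_bandwidth_mbps) for bw in link_bandwidths_kbps)


def preferred_path(reference_bandwidth_mbps: int = 100) -> str:
    """Two Gigabit hops versus one FastEthernet hop.  With the default reference
    bandwidth both link types cost 1, so the slower single hop wins; raising the
    reference bandwidth lets OSPF tell them apart."""
    gig = path_cost([1_000_000, 1_000_000], reference_bandwidth_mbps)
    fast = path_cost([100_000], reference_bandwidth_mbps)
    return "2x GigabitEthernet" if gig < fast else "1x FastEthernet"


if __name__ == "__main__":
    print("reference-bandwidth 100:  ", cost_table())
    print("reference-bandwidth 10000:", cost_table(10_000))
    print("default preference:", preferred_path())
    print("with auto-cost reference-bandwidth 10000:", preferred_path(10_000))
```

Note that the reference bandwidth must be changed on every router in the domain, otherwise neighbours compute different costs for the same links.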
OSPF prefers Intra Area Paths over Inter Area Paths.
Passive OSPF Interface
With a passive-interface, no hello packets are sent, and therefore an adjacency will never form on this interface.
OSPF Multicast Addresses
ip ospf dead-interval minimal hello-multiplier
For example, to set the hello to
OSPF Topology
OSPF: OSPF Tasks
Vlans 3,4,5,6,7,11
Task 1 (Basic OSPF): Add the following loop backs:
R1: Lo1
Add the loop backs and existing networks into OSPF (for the loopbacks use any areas of your choice), but you cannot use redistribute connected or network commands from within the OSPF process. Create RIDs that are not currently being routed and use network commands to add networks for the switches at the branch site.
On R7 add the even addresses and on R8 add the odd. This time you must use redistribute connected for the loop back IPs, but make sure the PPP network is not added. You can use network commands for the S0/0/0.1. Configure Areas based on the above diagram.
Task 2 (Default Route): Add a new loop back to R7 (
 router-id 1.1.1.10   (Manually set the RIDs to avoid problems later!)
 log-adjacency-changes
 no discard-route internal
 area 0 range 10.0.0.0 255.0.0.0
 area 2 virtual-link 1.1.1.1
 area 4 virtual-link 1.1.1.20
 area 4 virtual-link 1.1.1.40
 network 10.3.3.1 0.0.0.0 area 4
 network 10.4.4.1 0.0.0.0 area 4
 network 10.5.5.1 0.0.0.0 area 4
 network 10.6.6.1 0.0.0.0 area 2
 network 10.7.7.1 0.0.0.0 area 1
 network 10.8.8.1 0.0.0.0 area 4
 network 192.168.10.1 0.0.0.0 area 0
Sw2:
router ospf 1
 router-id 1.1.1.20
 log-adjacency-changes
 no discard-route internal
 area 1 virtual-link 1.1.1.1
 area 4 range 10.0.0.0 255.0.0.0
 area 4 virtual-link 1.1.1.10
 area 4 virtual-link 1.1.1.30
 area 4 virtual-link 1.1.1.40
 network 10.3.3.2 0.0.0.0 area 4
 network 10.4.4.2 0.0.0.0 area 4
 network 10.5.5.2 0.0.0.0 area 4
 network 10.7.7.1 0.0.0.0 area 1
 network 10.11.11.1 0.0.0.0 area 4
Sw3:
interface vlan9
 description vlan_sw3tosw4
 ip address 10.9.9.1 255.255.255.252
 ip ospf mtu-ignore   (mismatched MTU!)
router ospf 1
 router-id 1.1.1.30
 log-adjacency-changes
 area 4 virtual-link 1.1.1.20
 network 10.8.8.2 0.0.0.0 area 4
 network 10.9.9.1 0.0.0.0 area 4
Sw4:
interface vlan9
 description vlan_sw3tosw4
 ip address 10.9.9.2 255.255.255.252
 ip ospf mtu-ignore
router ospf 1
 router-id 1.1.1.40
 log-adjacency-changes
 area 4 range 10.0.0.0 255.0.0.0
 area 4 virtual-link 1.1.1.20
 area 4 virtual-link 1.1.1.10
 network 10.0.0.0 0.255.255.255 area 4
R1:
interface Loopback1
 ip address 10.10.10.1 255.255.255.0
 ip ospf network point-to-point   (removes /32!)
 ip ospf 1 area 2   (Alternative to using the network command!)
interface FastEthernet0/0
 description vlan6_sw1tor1
 ip address 10.6.6.2 255.255.255.252
 ip ospf 1 area 2
 duplex auto
 speed auto
interface FastEthernet0/1
 description vlan7_sw2tor1
 ip address 10.7.7.2 255.255.255.252
 ip ospf 1 area 1
 duplex auto
 speed auto
interface Serial0/0/0
 description MESH_to_2_3
 ip address 172.16.1.1 255.255.255.0
 encapsulation frame-relay
 ip ospf 1 area 0
 no frame-relay inverse-arp
R2:
 ip address 172.16.1.2 255.255.255.0
 ip ospf 1 area 0
 frame-relay map ip 172.16.1.3 203 broadcast   (Mesh PVCs to 3 and 1)
 frame-relay map ip 172.16.1.1 201 broadcast
 no frame-relay inverse-arp
interface Serial0/0/0.2 point-to-point
 description P2P-to-BB1
 ip address 172.16.2.2 255.255.255.0
 ip ospf 1 area 7
 frame-relay interface-dlci 209
interface Serial0/0/0.3 point-to-point
 ip address 172.16.5.2 255.255.255.0
 ip rip triggered
 ip rip authentication mode md5
 ip rip authentication key-chain cisco
 ip ospf 1 area 6
 frame-relay interface-dlci 207
router ospf 1
 router-id 1.1.1.2
 log-adjacency-changes
 area 6 nssa no-summary
 redistribute static metric-type 1 subnets
 default-information originate metric-type 1
 distribute-list prefix area0 in
R3:
interface Loopback1
 ip address 10.13.13.1 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 3
interface FastEthernet0/0
 description vlan10_Leased
 ip address 192.168.10.3 255.255.255.0
 ip ospf 1 area 0
 duplex auto
 speed auto
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
interface Serial0/0/0
 no ip address
 encapsulation frame-relay
 frame-relay lmi-type ansi
interface Serial0/0/0.1 multipoint
 description MESH_to_1_2
 ip address 172.16.1.3 255.255.255.0
 ip ospf 1 area 0
 frame-relay map ip 172.16.1.1 301 broadcast
 frame-relay map ip 172.16.1.2 302 broadcast
 no frame-relay inverse-arp
interface Serial0/0/0.2 multipoint
 description HUB-and-spoke-5-6
 ip address 172.16.3.3 255.255.255.0
 no ip split-horizon
 ip ospf dead-interval minimal hello-multiplier 4
 ip ospf 1 area 3
 frame-relay map ip 172.16.3.3 305
 frame-relay map ip 172.16.3.5 305 broadcast
 frame-relay map ip 172.16.3.6 306 broadcast
 no frame-relay inverse-arp
interface Serial0/0/0.3 point-to-point
 description P2P-to-6
 ip address 172.16.6.3 255.255.255.0
 ip rip triggered
 ip rip authentication mode md5
 ip rip authentication key-chain cisco
 ip ospf 1 area 5
 frame-relay interface-dlci 308
router ospf 1
 router-id 1.1.1.3
 log-adjacency-changes
 area 0 range 10.0.0.0 255.0.0.0
 area 3 stub
 area 5 nssa
 redistribute static metric-type 1 subnets
 neighbor 172.16.3.5
 neighbor 172.16.3.6
 default-information originate metric-type 1
 distribute-list prefix area0 in
0interface :astEthernet!B!description lan1!,$easedip address 12.1>9.1!. 2.2.2.!ip ospf 1 area !dple- atospeed ato
interface :astEthernet!B1no ip addressshtdowndple- atospeed ato
interface Serial!B!B!description C5+and+spoe+to+3+>ip address 1"2.1>.3. 2.2.2.!encapslation frame+rela*ip ospf dead+interal minimal hello+mltiplier 4ip ospf 1 area 3frame+rela* map ip 1"2.1>.3.3 !3 5roadcastframe+rela* map ip 1"2.1>.3. !3 5roadcastframe+rela* map ip 1"2.1>.3.> !3 5roadcastno frame+rela* inerse+arpframe+rela* lmi+t*pe ansiinterface Serial!B!B1no ip addresscloc rate 2!!!!!!roter ospf 1roter+id 1.1.1. log+adPacenc*+changesarea 3 st5neigh5or 1"2.1>.3.3 priorit* 1!!distri5te+list prefi- area! in
90interface $oop5ac!
ip address 131.!.2.1 2.2.2.! secondar*ip address 131.!.3.1 2.2.2.! secondar*ip address 131.!.4.1 2.2.2.! secondar*ip address 131.!..1 2.2.2.! secondar*ip address 131.!.>.1 2.2.2.! secondar*ip address 131.!.1.1 2.2.2.!ip rip adertise 2!interface $oop5ac2ip address 2!9.1.1.2 2.2.2.2ip rip adertise 2!interface Serial!B!B!.1 point+to+pointdescription /2/+to+3ip address 1"2.1>.>.9 2.2.2.!ip rip triggeredip rip adertise 2!ip rip athentication mode mdip rip athentication e*+chain ciscoframe+rela* interface+dlci 9!3interface Serial!B!B1description ///+to+"ip address 1"2.1>.4.9 2.2.2.!ip rip adertise 2!encapslation pppppp athentication chap
roter ospf 1roter+id 1.1.1.9 log+adPacenc*+changesarea nssaredistri5te connected metric+t*pe 1 s5nets rote+map ospfre(istri#ute ri$ su#nets route0ma$ re(ist
networ 1"2.1>.>.9 !.!.!.! area
roter ripersion 2timers 5asic 2! 4! ! 12!re(istri#ute os$f 1 metric 1 route0ma$ os$f2ri$
passie+interface defaltno passie+interface Serial!B!B1networ 1"2.1>.!.!networ !.!.!.!neigh5or 1"2.1>.>.3no ato+smmar*
To view the basic OSPF configurations for "A>A and ;;1, refer to the answers provided on the thumb drive.
Task 2 (Default Route): Add a new loop back to R7 (
Task 3 (Redundancy): Since AREA 0 has several points of failure in this topology, it is important to configure virtual links on the routers that could otherwise end up in areas separated from Area 0. The best way to determine where to place the virtual links is to draw out the failure scenarios from the OSPF topology. The following VLs were configured for this lab:
SW1
router ospf 1
router-id 1.1.1.10
area 2 virtual-link 1.1.1.1 (to R1)
area 4 virtual-link 1.1.1.20 (to Sw2)
area 4 virtual-link 1.1.1.40 (to Sw4)

SW2
router-id 1.1.1.20
area 1 virtual-link 1.1.1.1 (to R1)
area 4 virtual-link 1.1.1.10 (to Sw1)
area 4 virtual-link 1.1.1.30 (to Sw3)
area 4 virtual-link 1.1.1.40 (to Sw4)

SW4
area 4 virtual-link 1.1.1.20 (to Sw2)
area 4 virtual-link 1.1.1.10 (to Sw1)

R1
area 1 virtual-link 1.1.1.20 (to Sw2)
area 2 virtual-link 1.1.1.10 (to Sw1)

Sw3
area 4 virtual-link 1.1.1.20 (to sw2)
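The "draw out the failure scenarios" step can be checked mechanically. The following Python is an added example, not part of the workbook: it models a constructed topology that resembles the lab (R1 to R3 in the backbone, a branch behind area 4 reached only through areas 1 and 2, and area 5 hanging off the branch) and reports which areas lack a direct attachment to area 0 (so they need a virtual link across a transit area) and which areas are cut off entirely when a single ABR fails. All router names, area numbers and memberships are assumptions.

```python
"""Find OSPF areas that need a virtual link, and what a single ABR failure does.

Added example; it is not code from the workbook. The topology is constructed
to resemble the lab: R1..R3 in the backbone, a branch behind area 4 reached only
through areas 1 and 2, and area 5 hanging off the branch. Each router is listed
with every area it has interfaces in, so routers with two or more areas are ABRs.
"""
from typing import Dict, Iterable, List, Set

Topology = Dict[str, Set[int]]   # router name -> areas it has interfaces in

TOPOLOGY: Topology = {           # constructed, not the lab's real topology
    "R1": {0, 1, 2},
    "R2": {0, 3},
    "R3": {0, 3},
    "SW1": {2, 4},
    "SW2": {1, 4},
    "SW3": {4},
    "SW4": {4, 5},
}


def area_adjacency(topo: Topology, failed: Iterable[str] = ()) -> Dict[int, Set[int]]:
    """Area graph: two areas are adjacent when a surviving router sits in both."""
    down = set(failed)
    adj: Dict[int, Set[int]] = {}
    for router, areas in topo.items():
        for area in areas:
            adj.setdefault(area, set())
            if router not in down:
                adj[area] |= areas - {area}
    return adj


def reachable_from_backbone(topo: Topology, failed: Iterable[str] = ()) -> Set[int]:
    """Areas with some chain of surviving ABRs leading back to area 0."""
    adj = area_adjacency(topo, failed)
    seen, stack = {0}, [0]
    while stack:
        for nxt in adj.get(stack.pop(), ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def needs_virtual_link(topo: Topology, failed: Iterable[str] = ()) -> List[int]:
    """Areas that reach area 0 only through another non-backbone area.

    OSPF requires every area to touch area 0 directly, so each of these needs a
    virtual link across the transit area (chained through an earlier virtual
    link when the transit area is itself only virtually attached)."""
    direct = area_adjacency(topo, failed).get(0, set())
    return sorted(a for a in reachable_from_backbone(topo, failed)
                  if a != 0 and a not in direct)


def cut_off(topo: Topology, failed: Iterable[str] = ()) -> List[int]:
    """Areas with no surviving path to area 0 at all; no virtual link can help."""
    every_area = set().union(*topo.values())
    return sorted(every_area - reachable_from_backbone(topo, failed))


def single_failure_report(topo: Topology) -> Dict[str, Dict[str, List[int]]]:
    """For each router, what its failure does to backbone connectivity."""
    return {router: {"needs_vl": needs_virtual_link(topo, {router}),
                     "cut_off": cut_off(topo, {router})}
            for router in topo}


if __name__ == "__main__":
    print("needs virtual link now:", needs_virtual_link(TOPOLOGY))
    for router, effect in single_failure_report(TOPOLOGY).items():
        print(f"{router} fails ->", effect)
```

In the constructed topology areas 4 and 5 already need virtual links with nothing failed, which mirrors why the lab chains virtual links from the switches back to R1 and between the switches; the report also shows that losing R1 strands the whole branch, something no virtual link can fix, so a second backbone attachment is the real remedy there.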
Task 4 (Summaries): Summarize the 10.0.0.0 networks in the branch site to the smallest bit boundaries, and do not allow any null routes in the routing tables or /32 routes advertised to any neighbors. Leave the three new loopbacks with a
Sw4
router ospf 1
no discard-route internal
area 4 range 10.0.0.0 255.0.0.0

Sw2
router ospf 1
no discard-route internal
area 4 range 10.0.0.0 255.0.0.0

Sw1
router ospf 1
no discard-route internal
area 0 range 10.0.0.0 255.0.0.0
On all of the routers external to the branch site, a distribute-list in was needed to filter out the more specific (longer mask) prefixes.
&.!.!B1> le 32
ip prefix-list area0 seq 4 permit 130.0.2.0/24
ip prefix-list area0 seq 5 permit 130.0.4.0/24
ip prefix-list area0 seq 6 permit 130.0.6.0/24
ip prefix-list area0 seq 7 permit 130.0.8.0/24
ip prefix-list area0 seq 8 permit 131.0.1.0/24
ip prefix-list area0 seq 9 permit 131.0.3.0/24
ip prefix-list area0 seq 10 permit 131.0.5.0/24
ip prefix-list area0 seq 11 permit 131.0.7.0/24
ip prefix-list area0 seq 12 permit 10.10.10.0/24
ip prefix-list area0 seq 13 permit 10.11.11.0/24
ip prefix-list area0 seq 14 permit 10.12.12.0/24
ip prefix-list area0 seq 15 permit 10.13.13.0/24
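The distribute-list filter above works because of how ip prefix-list entries match: a route matches an entry only when it lies inside the listed prefix and its mask length falls within the ge/le window (exact length when neither keyword is given), the lowest-sequence match decides, and an unmatched route hits the implicit deny. The following Python is an added example that reimplements those rules; it is not the workbook's code, and the prefix-list text and candidate routes in it are constructed to mirror the filtering of longer-mask prefixes described above.

```python
"""Cisco ip prefix-list matching, reimplemented to show how a distribute-list
"in" filter keeps aggregates and drops the longer-mask prefixes.

Added example, not the workbook's code. The prefix-list text and the candidate
routes below are constructed; the matching rules are the documented IOS ones:
a route matches an entry when it lies inside the entry's prefix and its mask
length is within the ge/le window (exact length when neither keyword is given),
the lowest-sequence match decides, and anything unmatched is implicitly denied.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import List, Optional


@dataclass(frozen=True)
class PrefixListEntry:
    seq: int
    action: str                 # "permit" or "deny"
    prefix: IPv4Network
    ge: Optional[int] = None    # minimum prefix length allowed
    le: Optional[int] = None    # maximum prefix length allowed

    def matches(self, route: IPv4Network) -> bool:
        # The route must be covered by the entry's prefix (same leading bits and
        # a mask at least as long); subnet_of rejects a shorter mask as well.
        if not route.subnet_of(self.prefix):
            return False
        low = self.ge if self.ge is not None else self.prefix.prefixlen
        if self.le is not None:
            high = self.le
        elif self.ge is not None:
            high = 32                      # "ge N" alone means N..32
        else:
            high = self.prefix.prefixlen   # no ge/le: exact length only
        return low <= route.prefixlen <= high


def parse_prefix_list(text: str, name: str) -> List[PrefixListEntry]:
    """Parse 'ip prefix-list NAME seq N permit|deny PREFIX [ge N] [le N]' lines."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:2] != ["ip", "prefix-list"] or tok[2] != name:
            continue
        seq, action, prefix = int(tok[4]), tok[5], IPv4Network(tok[6])
        ge = le = None
        for key, value in zip(tok[7::2], tok[8::2]):
            if key == "ge":
                ge = int(value)
            elif key == "le":
                le = int(value)
        entries.append(PrefixListEntry(seq, action, prefix, ge, le))
    return sorted(entries, key=lambda e: e.seq)   # IOS evaluates by sequence


def permitted(entries: List[PrefixListEntry], route: IPv4Network) -> bool:
    for entry in entries:                         # first match wins
        if entry.matches(route):
            return entry.action == "permit"
    return False                                  # implicit deny


def filter_routes(entries: List[PrefixListEntry], routes: List[str]) -> List[str]:
    """What survives 'distribute-list prefix NAME in' for a list of prefixes."""
    return [r for r in routes if permitted(entries, IPv4Network(r))]


# Constructed prefix list: keep the branch aggregate and a few ISP /24s, allow
# anything under 131.0.0.0/16 up to a /24, deny the rest (including the more
# specific 10.x.x.0/24 loopbacks the aggregate already covers).
SAMPLE_PREFIX_LIST = """
ip prefix-list area0 seq 5 permit 10.0.0.0/8
ip prefix-list area0 seq 10 permit 130.0.2.0/24
ip prefix-list area0 seq 15 permit 130.0.4.0/24
ip prefix-list area0 seq 20 permit 131.0.0.0/16 le 24
ip prefix-list other seq 5 deny 0.0.0.0/0 le 32
"""

# Constructed routes, as a neighbour might advertise them.
SAMPLE_ROUTES = ["10.0.0.0/8", "10.10.10.0/24", "10.13.13.0/24",
                 "130.0.2.0/24", "130.0.2.0/25", "131.0.1.0/24",
                 "131.0.0.0/16", "131.0.1.0/25", "192.168.10.0/24"]

if __name__ == "__main__":
    plist = parse_prefix_list(SAMPLE_PREFIX_LIST, "area0")
    print(filter_routes(plist, SAMPLE_ROUTES))
```

The "le 24" entry is the one worth studying: it admits 131.0.0.0/16 itself and any /17 to /24 beneath it, but rejects a /25, which is exactly the kind of longer-mask leak the task asks you to keep out of the external routers.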
Show IP route on R
8atewa* of last resort is 1"2.1>.." to networ !.!.!.!
12.1>9.1!.!B24 is directl* connectedA :astEthernet!B! 1"2.1>.!.!B24 is s5nettedA s5nets 1"2.1>..! is directl* connectedA Serial!B!B!.36 .1.! is directl* connectedA Serial!B!B!.1 1"2.1>.2.! is directl* connectedA Serial!B!B!.26 .."A !104>043A Serial!B!B!.36 &1 13!.!.>.! I11!B94J ia 1"2.1>.."A !104>043A Serial!B!B!.36 &1 13!.!.4.! I11!B94J ia 1"2.1>.."A !104>043A Serial!B!B!.3 1!.!.!.!B9 is aria5l* s5nettedA 4 s5netsA 2 mass6 9.1!.3A !104>01A :astEthernet!B! 1!.12.12.!B24 is directl* connectedA $oop5ac16 9.1!.1A !104>01A :astEthernet!B! IA 1////9- ?11/9'@ 4ia 1.21+-1/15 /1:)):2)5 ;ast9.1!.3A !104>01A :astEthernet!B!6 E1 131.!.1.! I11!B9J ia 12.1>9.1!.3A !104>01A :astEthernet!B!6 E1 131.!..! I11!B9J ia 12.1>9.1!.3A !104>01A :astEthernet!B!SK !.!.!.!B! I1B!J ia 1"2.1>.."
Task 5 (NBMA): Make sure OSPF is NBMA on the Hub and Spoke and that the hello timer is
Neighbor commands giving the HUB a priority
ip address 172.16.3.5 255.255.255.0
encapsulation frame-relay
ip ospf dead-interval minimal hello-multiplier 4 (This command is a multiplier of how many times in 1 second the device will send an OSPF hello.)
Task 6 (Testing): Ping test connectivity from R1 to every network.
tclsh
foreach address F1!.3.3.11!.3.3.21!.4.4.11!.4.4.21!...11!...2
1!.>.>.11!.>.>.21!.".".11!.".".21!.9.9.11!.9.9.21!...11!...212.1>9.1!.112.1>9.1!.212.1>9.1!.312.1>9.1!.12.1>9.1!.>12.1>9.1!.1"2.1>.1.21"2.1>.1.31"2.1>.2.21"2.1>.2.1"2.1>.3.31"2.1>.3.1"2.1>.3.>1"2.1>..21"2.1>.."1"2.1>.>.31"2.1>.>.91!.1!.1!.11!.12.12.11!.13.13.12!9.1.1.12!9.1.1.2G Fping HaddressG
Sw106S/: oter with !4 !-9!!!!!!9 !-!!3!E; 21.1.1. 1.1.1. 1">! !-9!!!!!! !-!!9%% 11.1.1.> 1.1.1.> >2> !-9!!!!!!" !-!!9" 1
1.1.1. 1.1.1. 33 !-9!!!!!!" !-!!9>4 11.1.1.1! 1.1.1.1! 29 !-9!!!!!! !-!!2!9 41.1.1.2! 1.1.1.2! 1 (7&%) !-9!!!!!!4 !-!!;"41 41.1.1.3! 1.1.1.3! > (7&%) !-9!!!!!!2 !-!!339 11.1.1.4! 1.1.1.4! (7&%) !-9!!!!!!2 !-!!917: 2
&et $in States (%rea !)
$in 9.1!. 1.1.1. 34 !-9!!!!!!> !-!!1"!
Smmar* &et $in States (%rea !)
$in ! !-9!!!!!!4 !-!!;4%1!.13.13.! 1.1.1.> 39 !-9!!!!!!4 !-!!2%>1"2.1>.2.! 1.1.1.2 " !-9!!!!!!4 !-!!4>E:1"2.1>.2.! 1.1.1. 4! !-9!!!!!!4 !-!!1131"2.1>.3.! 1.1.1.3 3>1 !-9!!!!!!9 !-!!27!31"2.1>.3.! 1.1.1.> 39 !-9!!!!!!> !-!!1:1!
1"2.1>..! 1.1.1.2 " !-9!!!!!!4 !-!!2!E1"2.1>.>.! 1.1.1.3 >11 !-9!!!!!!4 !-!!1417
Smmar* %S; $in States (%rea !)
$in
oter $in States (%rea 1)
$in 9 !
Smmar* &et $in States (%rea 1)
$in !-!!>7%
1!.4.4.! 1.1.1.1! 3> !-9!!!!!!> !-!!>11!...! 1.1.1.1! 3" !-9!!!!!!> !-!!27E;1!.>.>.! 1.1.1.1! 3" !-9!!!!!!> !-!!1>!11!.9.9.! 1.1.1.1! 3" !-9!!!!!!> !-!!E"2;1!...! 1.1.1.1! 3" !-9!!!!!! !-!!7341!.1!.1!.! 1.1.1.1! 3" !-9!!!!!!4 !-!!7331!.11.11.! 1.1.1.1! 3" !-9!!!!!!4 !-!!;!71"2.1>.1.! 1.1.1.1! 3" !-9!!!!!!4 !-!!2;!312.1>9.1!.! 1.1.1.1! 3" !-9!!!!!!> !-!!1%1
Smmar* %S; $in States (%rea 1)
$in .1 1.1.1.1! 39 !-9!!!!!!4 !-!!%3%
Smmar* &et $in States (%rea 2)
$in !-!!>7%1!.4.4.! 1.1.1.1! 39 !-9!!!!!!> !-!!>11!...! 1.1.1.1! 39 !-9!!!!!!> !-!!27E;1!.".".! 1.1.1.1 2 !-9!!!!!!4 !-!!3E>1!.9.9.! 1.1.1.1! 3 !-9!!!!!!> !-!!E"2;1!...! 1.1.1.1! 3 !-9!!!!!! !-!!7341!.11.11.! 1.1.1.1! 3 !-9!!!!!!4 !-!!;!7
1"2.1>.1.! 1.1.1.1 2 !-9!!!!!!4 !-!!"E!1"2.1>.1.! 1.1.1.1! 1"9 !-9!!!!!!; !-!!17!%12.1>9.1!.! 1.1.1.1! 3 !-9!!!!!!> !-!!1%1
Smmar* %S; $in States (%rea 2)
$in 1 !-9!!!!!! !-!!4!7 21.1.1.4! 1.1.1.4! 24 !-9!!!!!!% !-!!94; 2
&et $in States (%rea 4)
$in %1!.9.9.1 1.1.1.1! 41 !-9!!!!!!4 !-!!34%:1!...2 1.1.1.4! 24 !-9!!!!!!4 !-!!9;11!.11.11.2 1.1.1.4! 24 !-9!!!!!!4 !-!!7!7
Smmar* &et $in States (%rea 4)
$in .>.! 1.1.1.1! 41 !-9!!!!!!> !-!!1>!11!.".".! 1.1.1.2! 3> !-9!!!!!!> !-!!2491!.1!.1!.! 1.1.1.1! 42 !-9!!!!!!4 !-!!7331"2.1>.1.! 1.1.1.1! 42 !-9!!!!!!4 !-!!2;!31"2.1>.1.! 1.1.1.2! 3> !-9!!!!!!4 !-!!EE312.1>9.1!.! 1.1.1.1! 42 !-9!!!!!!4 !-!!1:
Smmar* %S; $in States (%rea 4)
$in
1.1.1.2 1.1.1.3! 19 !-9!!!!!!% !-!!"921.1.1.2 1.1.1.4! 2" !-9!!!!!!4 !-!!2;31.1.1.3 1.1.1.1! 43 !-9!!!!!!4 !-!!E931.1.1.3 1.1.1.2! 3" !-9!!!!!!4 !-!!;>>31.1.1.3 1.1.1.3! 19 !-9!!!!!!% !-!!>E;1.1.1.3 1.1.1.4! 2" !-9!!!!!!4 !-!!49;
*pe+ %S E-ternal $in States
$in 2! !-9!!!!!!4 !-!!9"%2 11!.2.3." 1.1.1.2 94 !-9!!!!!!4 !-!!1>1 !1!.9.9.9 1.1.1.3 >2! !-9!!!!!!4 !-!!9E3 !
Day /
EIGRP

Overview
EIGRP is a Cisco proprietary protocol that combines the attributes of a Link State and a Distance Vector routing protocol. It is considered a "hybrid" routing protocol. EIGRP was released as an enhancement to Cisco's other proprietary routing protocol, IGRP. EIGRP supports automatic route summarization, VLSM addressing, multicast updates, non-periodic updates, unequal-cost load balancing and independent support for IPX and AppleTalk.
EIGRP added many features to overcome the limitations of IGRP:
The Diffusing Update Algorithm (DUAL)
Loop-free networks
Incremental updates instead of periodic (only send changes as they occur)
Knowledge about neighbors as opposed to the entire network
Independent support for IP, IPX and AppleTalk
Classless routing
Efficient summarization of networks
Efficient use of link bandwidth for routing updates
Authentication
EIGRP uses the same metrics as IGRP.
Updates
EIGRP sends hello packets every 5 seconds on high bandwidth links like PPP and HDLC leased lines, Ethernet, TR, FDDI, Frame Relay point-to-point and ATM. It sends hellos every 60 seconds on low bandwidth multipoint links like FR multipoint and ATM multipoint links.
EIGRP reliable packets are: Update, Query and Reply.
EIGRP unreliable packets are: Hello and Ack.
Updates are always transmitted reliably. Updates convey reachability of destinations. On discovery of a new neighbor, update packets are sent so the neighbor can build its topology table. These update packets are unicast. In other cases, such as a link cost change, updates are multicast.
Both queries and replies are transmitted reliably. When destinations go into active state, queries and replies are sent. Queries are always multicast unless they are sent in response to a received query. In this case a reply is unicast back to the successor that originated the query. Replies are always sent in response to queries to indicate to the originator that it does not need to go into active state because it has feasible successors. Replies are unicast to the originator of the query.
Authentication
Authentication in EIGRP is very similar to RIP v2 authentication, except that EIGRP only supports MD5 authentication. EIGRP uses key chains and interface commands to configure authentication.
r2lab(config)# interface s0
r2lab(config-if)# ip authentication mode eigrp 222 md5
r2lab(config-if)# ip authentication key-chain eigrp 222 cisco
r2lab(config)# key chain cisco
r2lab(config-keychain)# key 1
r2lab(config-keychain-key)# key-string ccie
Default Routes
Default routes can be configured in EIGRP in three different ways:
[ip summary-address eigrp 100 0.0.0.0 0.0.0.0]
[ip default-network]
[ip route 0.0.0.0 0.0.0.0 null 0] with [redistribute static], or network 0.0.0.0
The ip default-network must be a classful network that is used as the candidate default network in EIGRP. This method is legacy left over from IGRP.
Summarization
In EIGRP, auto-summary is on by default and it is used to summarize to classful boundaries. No auto-summary allows the router to summarize to bit boundaries. This type of summarization is configured on the interface, and split horizon must be disabled for it to work. As you can see in the following example, an AD of 5 is assigned to summaries:
r2lab(config-if)# ip summary-address eigrp
Load: Utilization on a link between source and destination, measured in bits per second on its worst link.
MTU: The smallest Maximum Transmission Unit.
The default for EIGRP is to use only bandwidth and delay when calculating the metric. EIGRP uses the following scaled values to determine the total metric to the network:
EIGRP Metric = Bandwidth + Delay
After two routers become neighbors, each will send routing updates (and other packets) to the other using a reliable multicast scheme.
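The "scaled values" behind that sum are a bandwidth term and a delay term. The following Python is an added example, not from the workbook: it computes the classic EIGRP metric with the default K values (the 10^7 divided by slowest-link bandwidth, delay in tens of microseconds and the final multiplication by 256 are the standard IOS formula, assumed here rather than stated on the page) and then applies the feasibility condition behind the "feasible successors" mentioned above. The link values and neighbour names are constructed.

```python
"""EIGRP composite metric with the default K values, plus the feasibility check.

Added example, not code from the workbook. The scaling used here (bandwidth
term = 10^7 / slowest link in kbit/s, delay term = cumulative delay in tens of
microseconds, sum multiplied by 256) is the classic IOS formula with
K1 = K3 = 1 and K2 = K4 = K5 = 0; the workbook only states "Bandwidth + Delay".
All link values and neighbour names below are constructed.
"""
from typing import Dict, List, Sequence, Tuple

# (bandwidth in kbit/s, delay in microseconds), the BW and DLY values that
# "show interface" reports for a link.
Link = Tuple[int, int]


def eigrp_metric(path: Sequence[Link]) -> int:
    """Classic 32-bit EIGRP metric for a path made of the given links."""
    if not path:
        raise ValueError("path needs at least one link")
    min_bw_kbps = min(bw for bw, _ in path)        # bandwidth is the slowest link
    total_delay_us = sum(dly for _, dly in path)   # delay accumulates hop by hop
    bw_term = 10_000_000 // min_bw_kbps            # IOS truncates here
    dly_term = total_delay_us // 10                # tens of microseconds
    return 256 * (bw_term + dly_term)


def choose_successors(candidates: Dict[str, Tuple[int, int]]) -> Tuple[int, str, List[str]]:
    """Pick the successor and feasible successors for one destination.

    candidates maps neighbour -> (reported distance it advertised, metric of the
    link to that neighbour). Treating the path metric as the sum of the two is a
    simplification: real EIGRP recomputes the composite metric from the path's
    slowest bandwidth and summed delay. A neighbour is a feasible successor when
    its reported distance is strictly below the feasible distance (the best
    total metric), which guarantees it is not routing back through us."""
    total = {n: rd + link for n, (rd, link) in candidates.items()}
    successor = min(total, key=total.get)
    fd = total[successor]
    feasible = sorted(n for n, (rd, _) in candidates.items()
                      if n != successor and rd < fd)
    return fd, successor, feasible


# Constructed links: a FastEthernet hop and a T1 serial hop.
FAST_ETHERNET: Link = (100_000, 100)
T1_SERIAL: Link = (1_544, 20_000)

if __name__ == "__main__":
    print(eigrp_metric([FAST_ETHERNET]))             # 28160
    print(eigrp_metric([T1_SERIAL]))                 # 2169856
    print(eigrp_metric([FAST_ETHERNET, T1_SERIAL]))  # 2172416
    print(choose_successors({"R2": (28160, 28160),
                             "R3": (30000, 40000),
                             "R4": (60000, 5000)}))
```

Running it shows why a FastEthernet hop costs 28160 and a T1 costs 2169856: the bandwidth term dominates as soon as a slow link is on the path, and adding the fast hop to the T1 path only moves the delay term. In the successor example R3 qualifies as a feasible successor (its reported distance 30000 is below the feasible distance 56320) while R4 does not, even though R4's total metric is lower than R3's.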
For example, assume that router 1 has a series of packets, such as a routing table update, which must be transmitted to routers 2, 3 and 4. Router 1 will send the first packet to the EIGRP multicast address.
EIGRP: Sending HELLO on Ethernet0/1
AS 666 Flags 0x0 Seq 0 Ack 0
EIGRP: Sending HELLO on Ethernet0/1
AS 666 Flags 0x0 Seq 0 Ack 0
EIGRP: Received UPDATE on Ethernet0/1 from 10.
AS 666 Flags 0x1 Seq 1 Ack 0
EIGRP: Sending HELLO/ACK on Ethernet0/1 to 10.
AS 666 Flags 0x0 Seq 0 Ack 1
EIGRP: Sending HELLO/ACK on Ethernet0/1 to 10.
AS 666 Flags 0x0 Seq 0 Ack 1
EIGRP: Received UPDATE on Ethernet0/1 from 10.
AS 666 Flags 0x0 Seq
EIGRP Stub
A STUB sets a flag bit in the hello packets and affects what the router will advertise. Typically it is used to send a reduced routing table, so it reduces processing on the router and controls what networks are advertised.
Four options exist for what a stub router can send: receive-only, summary, connected and static.
EIGRP LAB
Scenario
Turn-key is at it again; even though they were impressed with the OSPF configuration, they still desire to keep the configurations in the routers but disable OSPF in order to test drive EIGRP.
Task 3 (Defaults): R2 and R3 should send a default route into EIGRP to reach the ISP routers; make sure the ISP routers (R7, R8) do not use this default route.
Task 4 (Routing Table): Verify the routing tables in your equipment and make adjustments until they look the same as Task 4.
208atewa* of last resort is 1"2.1>.." to networ !.!.!.!
12.1>9.1!.!B24 is directl* connectedA :astEthernet!B! 1"2.1>.!.!B1> is aria5l* s5nettedA 9 s5netsA 2 mass7 1"2.1>.4.9B32 I!B291>9>J ia 1"2.1>.."A !!012043A Serial!B!B!.37 1"2.1>.4.!B24 I!B291>9>J ia 1"2.1>.."A !!012043A Serial!B!B!.3 1"2.1>..!B24 is directl* connectedA Serial!B!B!.37 1"2.1>.>.!B24 I!B21"!112J ia 12.1>9.1!.3A !!012042A :astEthernet!B! 1"2.1>.1.!B24 is directl* connectedA Serial!B!B!.1 1"2.1>.2.!B24 is directl* connectedA Serial!B!B!.27 1"2.1>.4."B32 I!B291"!112J ia 12.1>9.1!.3A !!012044A :astEthernet!B!7 1"2.1>.3.!B24 I!B21"!112J ia 12.1>9.1!.>A !!012044A :astEthernet!B! I!B21"!112J ia 12.1>9.1!.A !!012044A :astEthernet!B!
I!B21"!112J ia 12.1>9.1!.3A !!012044A :astEthernet!B! 13!.!.!.!B24 is s5nettedA > s5nets7 13!.!.2.! I!B22"9>J ia 1"2.1>.."A !!01204>A Serial!B!B!.37 13!.!.3.! I!B22"9>J ia 1"2.1>.."A !!01204>A Serial!B!B!.37 13!.!.1.! I!B22"9>J ia 1"2.1>.."A !!01204>A Serial!B!B!.37 13!.!.>.! I!B22"9>J ia 1"2.1>.."A !!01204>A Serial!B!B!.37 13!.!.4.! I!B22"9>J ia 1"2.1>.."A !!01204>A Serial!B!B!.37 13!.!..! I!B22"9>J ia 1"2.1>.."A !!01204>A Serial!B!B!.3 1!.!.!.!B9 is aria5l* s5nettedA 4 s5netsA 2 mass7 1!.13.13.!B24 I!B139>J ia 12.1>9.1!.3A !!01302A :astEthernet!B! 1!.12.12.!B24 is directl* connectedA $oop5ac17 1!.1!.1!.!B24 I!B21"49>!3J ia 1"2.1>.1.1A !!01204>A Serial!B!B!.17 1!.!.!.!B9 I!B2>112J ia 12.1>9.1!.1A !!01204A :astEthernet!B! 131.!.!.!B24 is s5nettedA > s5nets7 131.!.3.! I!B229112J ia 12.1>9.1!.3A !!01204A :astEthernet!B!7 131.!.2.! I!B229112J ia 12.