CHAPTER 1

CCIE Routing and Switching Exam Quick Reference Sheets by Anthony Sequeira

General Networking Theory

General Routing Concepts

Link-state and distance vector protocols

Distance vector
■ Examples: Routing Information Protocol Version 1 (RIPv1), RIPv2, Interior Gateway Routing Protocol (IGRP)
■ Features periodic transmission of entire routing tables to directly connected neighbors
■ Mathematically compares routes using some measurement of distance
■ Features hop-count limitation

Link State
■ Examples: Open Shortest Path First (OSPF), Intermediate System-to-Intermediate System (IS-IS)
■ Sends local connection information to all nodes in the internetwork
■ Forms adjacencies with neighboring routers that speak the same protocol; sends local link information to these devices. Note that although this is flooding of information to all nodes, the router is sending only the portion of information that deals with the state of its own links. Each router constructs its own complete “picture” or “map” of the network from all of the information received.

Hybrid
■ Example: Enhanced Interior Gateway Routing Protocol (EIGRP)
■ Features properties of both distance vector and link-state routing protocols

Path vector protocol
Example: Border Gateway Protocol (BGP). Path vector protocols are a subset of distance vector protocols; BGP uses “path vectors” or a list of all the autonomous systems a prefix has crossed to make metric decisions and to ensure a loop-free environment. In addition to the autonomous system path list, an administrator can use many other factors to affect the forwarding or receipt of traffic using BGP.

© 2007 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 132 for more details.


Split horizon

Split horizon is a technique used by routing protocols to help prevent routing loops. The split-horizon rule states that a router will not send routing information out the interface on which that routing information was originally received. Split horizon can cause problems in some topologies, such as hub-and-spoke Frame Relay configurations.

Summarization

Summarization is the process in which the administrator collapses many routes with a long mask to form another route with a shorter mask. Route summarization reduces the size of routing tables and makes routing function more efficiently. Route summarization also helps make networks more stable by reducing the number of updates that are sent when subnets change state. Route summarization makes classless interdomain routing (CIDR) possible. Variable-length subnet masking (VLSM) promotes the use of route summarization. Some dynamic routing protocols engage in route summarization automatically for changes in a major classful network, whereas others do not. For any routing protocol within the scope of the CCIE written exam, an administrator can disable any automatic summarization that might be occurring and configure “manual” summarization. To engage in route summarization, find all the leftmost bits that are in common and create a mask that encompasses them. An example follows.

The following routes exist in the routing table—all routes use a 24-bit mask:

10.108.48.0 = 00001010 01101100 00110000 00000000
10.108.49.0 = 00001010 01101100 00110001 00000000
10.108.50.0 = 00001010 01101100 00110010 00000000
10.108.51.0 = 00001010 01101100 00110011 00000000
10.108.52.0 = 00001010 01101100 00110100 00000000
10.108.53.0 = 00001010 01101100 00110101 00000000
10.108.54.0 = 00001010 01101100 00110110 00000000
10.108.55.0 = 00001010 01101100 00110111 00000000

Notice that the first 21 bits of the subnetwork IDs are all common. These can be masked off. You can use the single route entry for all these subnetworks as follows:

10.108.48.0/21

Classful and classless routing protocols

Classful routing protocols are considered legacy and do not include subnet mask information with routing updates. Examples of classful routing protocols are RIPv1 and IGRP. Because subnet mask information is not included in updates, consistency of the mask is assumed throughout the network. Classful routing protocols also feature automatic summarization of routing updates when sent across a major classful network boundary. For example, the 10.16.0.0/16 network would be advertised as 10.0.0.0/8 when sent into a 172.16.0.0 domain. Note that although BGP and EIGRP are not classful routing protocols, both engage in automatic summarization behavior by default, and in that sense they act classful. The no auto-summary command is used to disable this behavior.

Classful routing protocols feature a fixed-length subnet mask (FLSM) as a result of their inherent limitations. The FLSM leads to inefficient use of addresses and limits the network’s overall routing efficiency.

By default, classful routing protocols discard traffic bound for any unknown subnet of the major classful network. For example, if your classful routing protocol receives traffic destined for 10.16.0.0 and it knows of only the 10.8.0.0 and 10.4.0.0 subnets in its routing table, it discards the traffic—even if a default route is present! The ip classless command was introduced to change this behavior. The ip classless command allows the protocol to use the default route in this case. This command is on by default with Cisco IOS Release 12.0 and later routers.

As a classic example of a classless routing protocol, OSPF carries subnet mask information in updates. Wireless LAN Services Module (WLSM) is possible with such protocols.
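The by-hand procedure above (keep only the leftmost bits every route shares) and the classful auto-summary behavior can both be run rather than worked out on paper. The following Python is an added example written for this section; it is not code from the Quick Reference Sheets or from Cisco. The function names and the second, sparser set of networks are this example's own. It also adds a check the text does not show: which address blocks a summary route would attract traffic for even though no more-specific route stands behind them.

```python
import ipaddress
from typing import Iterable, List


def summarize(networks: Iterable[str]) -> ipaddress.IPv4Network:
    """Collapse the given networks into the single prefix formed from the
    leftmost bits they all share (the text's procedure). The result is never
    longer than the shortest input prefix, so every input lies inside it."""
    nets = [ipaddress.IPv4Network(n) for n in networks]
    if not nets:
        raise ValueError("no networks to summarize")
    first = int(nets[0].network_address)
    prefix_len = min(n.prefixlen for n in nets)
    for net in nets[1:]:
        addr = int(net.network_address)
        # Shorten the mask until both addresses agree on every kept bit.
        while prefix_len > 0 and (first >> (32 - prefix_len)) != (addr >> (32 - prefix_len)):
            prefix_len -= 1
    return ipaddress.IPv4Network((first, prefix_len), strict=False)


def uncovered(summary: ipaddress.IPv4Network, networks: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Address blocks inside the summary that none of the input networks
    covers. The summary route pulls traffic for these blocks toward the
    advertising router, which has no specific route for them, so a non-empty
    result is worth knowing before the summary is advertised."""
    leftover = [summary]
    for net in (ipaddress.IPv4Network(n) for n in networks):
        remaining = []
        for block in leftover:
            if block.subnet_of(net):
                continue                           # block fully covered by this network
            if net.subnet_of(block):
                remaining.extend(block.address_exclude(net))
            else:
                remaining.append(block)            # disjoint from this network
        leftover = remaining
    return sorted(leftover)


def classful_network(address: str) -> ipaddress.IPv4Network:
    """Major classful network that a classful protocol (or auto-summary)
    advertises when a route crosses a major network boundary."""
    first_octet = int(address.split(".")[0])
    if first_octet < 128:
        prefix = 8        # Class A
    elif first_octet < 192:
        prefix = 16       # Class B
    elif first_octet < 224:
        prefix = 24       # Class C
    else:
        raise ValueError("no classful network for a class D/E address")
    return ipaddress.IPv4Network((address, prefix), strict=False)


if __name__ == "__main__":
    # The text's example: eight /24s from 10.108.48.0 through 10.108.55.0.
    routes = [f"10.108.{third}.0/24" for third in range(48, 56)]
    summary = summarize(routes)
    print(summary, "gaps:", uncovered(summary, routes))       # 10.108.48.0/21, no gaps
    # Constructed variant with holes: the summary now covers two unused /24s.
    sparse = ["10.108.48.0/24", "10.108.50.0/24"]
    print(summarize(sparse), "gaps:", uncovered(summarize(sparse), sparse))
    print(classful_network("10.16.0.0"))                      # 10.0.0.0/8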

Routing decision criteria
Routers must determine the best route to send traffic on toward its destination. This is accomplished as follows (note that the order of operations is critical and fixed):
1. Valid next-hop IP address—When updates are received, the router first verifies that the next-hop IP address to reach the potential destination is valid.
2. Metric—The router then examines the metrics for the various routes that might exist from a particular protocol. For example, if OSPF has several routes to the destination, the router tries to install the route with the best metric (in this case, cost) into the routing table.
3. Administrative distance—If multiple routing protocols are running on the device, and multiple protocols are all presenting routes to the destination with valid next hops, the router examines administrative distance. The route sourced from the lowest administrative distance protocol or mechanism is installed in the routing table.
4. Prefix—The router examines the route’s prefix length. If no exact match exists in the routing table, the route is installed. Note that this might cause the routing table to be filled with the following entries: EIGRP 172.16.2.0/24 and RIP 172.16.2.0/19.

On the subject of prefix length and the routing table, remember that when a router is looking for a match in the IP routing table for the destination address, it always looks for the longest possible prefix match. For example, if the routing table contains entries of 10.0.0.0/8, 10.2.0.0/16, and 10.2.1.0/24, and your traffic is destined for 10.2.1.0/24, the longest match prefix is selected.


Routing Information Base and Routing Protocol Interaction
Administrative distance
If a router learns of a network from multiple sources (routing protocols or static configurations), it uses the administrative distance value to determine which route to install in the routing (forwarding) table. The default administrative distance values are listed here.
Source                       Administrative Distance
Connected interface          0
Static route                 1
EIGRP summary route          5
External BGP                 20
Internal EIGRP               90
IGRP                         100
OSPF                         110
IS-IS                        115
RIP                          120
Exterior Gateway Protocol    140
On-Demand Routing            160
External EIGRP               170
Internal BGP                 200
Unknown                      255

Administrators can create static routes that “float.” A floating static route means the administrator increases the administrative distance of the static route to be greater than the administrative distance of the dynamic routing protocol in use. This means the static route is relied on only when the dynamic route does not exist.
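The four selection criteria above, the administrative distance table, the floating static route, and the longest-prefix-match lookup fit together in one small model. The following Python is an added example, not code from the Quick Reference Sheets or from Cisco IOS: it builds a routing table from a set of candidate routes in the text's order (valid next hop, best metric within a protocol, lowest administrative distance between protocols, distinct prefix lengths coexisting) and then resolves destinations by longest match. The candidate routes, next hops, and the floating static distance of 250 are constructed assumptions; the distance values in ADMIN_DISTANCE are the table's defaults.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Default administrative distances from the table above.
ADMIN_DISTANCE = {
    "connected": 0, "static": 1, "eigrp-summary": 5, "ebgp": 20, "eigrp": 90,
    "igrp": 100, "ospf": 110, "isis": 115, "rip": 120, "egp": 140, "odr": 160,
    "eigrp-external": 170, "ibgp": 200, "unknown": 255,
}


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    source: str                           # key into ADMIN_DISTANCE
    metric: int                           # only comparable within one source
    admin_distance: Optional[int] = None  # explicit override, as for a floating static route
    next_hop_valid: bool = True           # whether the next hop is reachable

    @property
    def ad(self) -> int:
        return self.admin_distance if self.admin_distance is not None else ADMIN_DISTANCE[self.source]


def build_rib(routes: Iterable[Route]) -> Dict[ipaddress.IPv4Network, Route]:
    """Apply the four criteria in the text's order to a set of candidate routes."""
    best_in_protocol: Dict[Tuple[ipaddress.IPv4Network, str], Route] = {}
    for r in routes:
        if not r.next_hop_valid:
            continue                                  # 1. invalid next hop: never considered
        key = (ipaddress.IPv4Network(r.prefix), r.source)
        cur = best_in_protocol.get(key)
        if cur is None or r.metric < cur.metric:
            best_in_protocol[key] = r                 # 2. best metric within one protocol
    rib: Dict[ipaddress.IPv4Network, Route] = {}
    for (net, _), r in best_in_protocol.items():
        cur = rib.get(net)
        if cur is None or r.ad < cur.ad:
            rib[net] = r                              # 3. lowest AD between protocols
    return rib                                        # 4. different prefix lengths coexist


def lookup(rib: Dict[ipaddress.IPv4Network, Route], destination: str) -> Optional[Route]:
    """Forwarding lookup: the longest matching prefix wins."""
    addr = ipaddress.IPv4Address(destination)
    matches = [net for net in rib if addr in net]
    return rib[max(matches, key=lambda n: n.prefixlen)] if matches else None


# Constructed candidates (documentation addresses, not taken from the text).
CANDIDATES: List[Route] = [
    Route("10.2.1.0/24", "192.0.2.1", "ospf", metric=20),
    Route("10.2.1.0/24", "192.0.2.2", "ospf", metric=10),      # better OSPF cost
    Route("10.2.1.0/24", "192.0.2.3", "rip", metric=2),        # loses: AD 120 > 110
    Route("10.2.1.0/24", "192.0.2.7", "ebgp", metric=0, next_hop_valid=False),  # AD 20 but unusable
    Route("10.2.0.0/16", "192.0.2.4", "eigrp", metric=3072),
    Route("10.0.0.0/8", "192.0.2.6", "eigrp", metric=5120),
    Route("10.0.0.0/8", "192.0.2.5", "static", metric=0, admin_distance=250),  # floating static
    Route("0.0.0.0/0", "192.0.2.9", "static", metric=0),
]


def sample_rib(eigrp_supernet_present: bool = True) -> Dict[ipaddress.IPv4Network, Route]:
    """RIB built from CANDIDATES; drop the EIGRP 10.0.0.0/8 to watch the floating static take over."""
    routes = [r for r in CANDIDATES
              if eigrp_supernet_present or not (r.source == "eigrp" and r.prefix == "10.0.0.0/8")]
    return build_rib(routes)


if __name__ == "__main__":
    rib = sample_rib()
    for net, r in sorted(rib.items(), key=lambda kv: kv[0].prefixlen):
        print(f"{str(net):16} via {r.next_hop:10} {r.source:7} AD {r.ad}")
    for dest in ("10.2.1.77", "10.2.9.1", "10.9.9.9", "198.51.100.1"):
        print(dest, "->", lookup(rib, dest).next_hop)
    print("10.9.9.9 without the EIGRP /8 ->", lookup(sample_rib(False), "10.9.9.9").next_hop)
```

The rejected eBGP candidate is the interesting line: with the lowest distance of the four 10.2.1.0/24 sources it would otherwise have won, but an unreachable next hop removes it before distance is ever compared.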

Routing table
The routing table has been the principal element of IP routing and the primary goal of routing protocols to build and maintain for most of modern internetworking. The main routing table model, the hop-by-hop routing paradigm, has the routing table list for each destination network the next-hop address to reach that destination. As long as the routing tables are consistent and accurate, with no misinformation, this simple hop-by-hop paradigm works well enough to deliver data to anywhere from anywhere in the network.

In recent practice, this simple hop-by-hop model is being abandoned for new technologies such as Multiprotocol Label Switching (MPLS). These technologies allow a simple and efficient label lookup to dictate the next hop that data should follow to reach a specific destination. Although this determination can be based on the routing table information, it can easily be based on other parameters, such as quality of service or other traffic engineering considerations. Note that MPLS is explored in its own chapter of this Short Cut.


Routing information base and forwarding information base interaction
The routing and forwarding architecture in Cisco routers and multilayer switches used to be a centralized, cache-based system that combined what is called a control plane and a data plane. The control plane refers to the resources and technologies used to create and maintain the routing table. The data plane refers to those resources and technologies needed to actually move data from the ingress port to the egress port on the device. This centralized architecture has migrated so that the two planes can be separated to enhance scalability and availability in the routing environment. The separation of routing and forwarding tasks has created the Routing Information Base (RIB) and the Forwarding Information Base (FIB). The RIB operates in software, and the control plane resources take the best routes from the RIB and place them in the FIB. The FIB resides in much faster hardware resources. The Cisco implementation of this enhanced routing and forwarding architecture is called Cisco Express Forwarding (CEF).

Redistribution

Redistribution between routing protocols
Route redistribution might be required in an internetwork because multiple routing protocols must coexist in the first place. Multiple routing protocols might be a necessity because of an interim period during conversion from one to another, application-specific protocol requirements, political reasons, or a lack of multivendor interoperability. A major issue with redistribution is the seed metric to be used when the routes enter the new routing protocol. Normally, the seed metric is generated from the originating interface. For example, EIGRP would use the bandwidth and delay of the originating interface to seed the metric. With redistributed routes, however, these routes are not connected to the router. Some routing protocols feature a default seed metric for redistribution, whereas others do not. Here is a list of the defaults for the various protocols. Note that Infinity indicates a seed metric must be configured; otherwise, the route will not be used by the receiving protocol.

Protocol      Default Seed Metric
OSPF          20; except BGP, which is 1
IS-IS         0
RIP           Infinity
IGRP/EIGRP    Infinity


Redistribution into RIP
Remember to set a default metric, using either the redistribute command or the default-metric command. The command to redistribute routes into RIP is as follows:
redistribute protocol [process-id] [match route-type] [metric metric-value] [route-map map-tag]

Redistribution into EIGRP
Remember that like RIP, you must set a default seed metric when redistributing into EIGRP. The command for redistribution into EIGRP is as follows:
redistribute protocol [process-id] [match {internal | external 1 | external 2}] [metric metric-value] [route-map map-tag]

The match keyword allows you to match certain route types when redistributing OSPF. For example, you can specify internal, or external 1, or external 2. The route-map keyword allows you to specify a route map for controlling or altering the routes that are being redistributed.

Redistribution into OSPF
The default seed metric is 20. The default metric type for redistributed routes is Type 2. Subnets are not redistributed by default. The command for redistribution into OSPF is as follows:
redistribute protocol [process-id] [metric metric-value] [metric-type type-value] [route-map map-tag] [subnets] [tag tag-value]

The subnets keyword is critical in this command and specifies that subnets should indeed be redistributed. The tag value allows the administrator to configure an optional tag value that can be used later to easily identify these routes.

Troubleshooting routing loops
You can perform one-way or two-way redistributions. Redistribution can also be performed in multiple locations throughout the topology. With one-way redistribution, you typically pass a default route into the “edge” protocol, and take all the edge protocol routes and redistribute them into the core protocol of the network. With two-way redistribution, all routes from each routing protocol are passed into each other. If two-way redistribution is performed in multiple areas in the network, there is an excellent chance for route “feedback” and routing loops. Routing loops are highly likely to occur because routing information from one autonomous system can easily be passed back into that same autonomous system.

The safest way to eliminate the chance for a loop is to redistribute only in one direction (one-way redistribution). If this is not possible, and two-way redistribution is desired, try these techniques to ensure a lack of loops:
■ Redistribute from the core protocol into the edge with filtering to block routes that are native to the edge.
■ Apply two-way redistribution on all routes, and manipulate administrative distance associated with the external routes so that they are not selected when multiple routes exist for the same destination.

An excellent technique to detect a routing loop during redistribution is to use the debug ip routing command. This command shows all routing table activity as it occurs and demonstrates a loop condition through routing table instability.
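The "routing table instability" that debug ip routing exposes can be picked out mechanically from its output. The following Python is an added example and not part of the original text: it reads the RT: add/del lines that the debug prints, and reports prefixes that are installed over and over, flagging those installed by more than one protocol, which is the route-feedback pattern the paragraph describes. The log lines are constructed to resemble that debug's RT: format; their timestamps, prefixes, next hops, and metrics are this example's assumptions, not captured device output.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Shape of the RT: add/del lines printed by debug ip routing. The sample log is
# constructed for this example; it is not output captured from a device.
RT_LINE = re.compile(
    r"RT: (?P<op>add|del) (?P<prefix>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}) via (?P<nh>\S+), "
    r"(?P<proto>[a-z]+) metric \[(?P<ad>\d+)/(?P<metric>\d+)\]"
)

SAMPLE_LOG = """\
*Mar  1 00:02:10.101: RT: add 10.1.1.0/24 via 172.16.0.2, rip metric [120/1]
*Mar  1 00:02:11.310: RT: add 10.5.5.0/24 via 172.16.0.2, rip metric [120/2]
*Mar  1 00:02:40.118: RT: del 10.1.1.0/24 via 172.16.0.2, rip metric [120/1]
*Mar  1 00:02:40.120: RT: add 10.1.1.0/24 via 172.16.1.9, eigrp metric [170/2816]
*Mar  1 00:03:10.212: RT: del 10.1.1.0/24 via 172.16.1.9, eigrp metric [170/2816]
*Mar  1 00:03:10.214: RT: add 10.1.1.0/24 via 172.16.0.2, rip metric [120/1]
""".splitlines()


def parse_rt_events(lines: Iterable[str]) -> List[Tuple[str, str, str, int]]:
    """Return (op, prefix, protocol, administrative distance) for every RT: line."""
    events = []
    for line in lines:
        m = RT_LINE.search(line)
        if m:
            events.append((m.group("op"), m.group("prefix"), m.group("proto"), int(m.group("ad"))))
    return events


def unstable_prefixes(lines: Iterable[str], min_installs: int = 3) -> Dict[str, dict]:
    """Prefixes installed at least min_installs times. A prefix that bounces
    between two protocols is the redistribution feedback the text warns about:
    each protocol keeps re-learning the route from the other one."""
    history = defaultdict(list)
    for op, prefix, proto, ad in parse_rt_events(lines):
        history[prefix].append((op, proto, ad))
    report = {}
    for prefix, entries in history.items():
        installs = [e for e in entries if e[0] == "add"]
        protocols = sorted({e[1] for e in entries})
        if len(installs) >= min_installs:
            report[prefix] = {
                "installs": len(installs),
                "protocols": protocols,
                "feedback": len(protocols) > 1,   # learned via more than one protocol
            }
    return report


if __name__ == "__main__":
    for prefix, info in unstable_prefixes(SAMPLE_LOG).items():
        print(prefix, info)   # 10.1.1.0/24 {'installs': 3, 'protocols': ['eigrp', 'rip'], 'feedback': True}
```

In the sample, 10.1.1.0/24 is re-installed three times and alternates between RIP (distance 120) and external EIGRP (distance 170), while 10.5.5.0/24 is installed once and stays quiet; the threshold and the "more than one protocol" test are the two knobs to tune against a real capture.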

CHAPTER 2

Bridging and LAN Switching

Spanning Tree Protocol 802.1D
802.1D Spanning Tree Protocol (STP) is a Layer 2 loop-prevention mechanism. It is an IEEE standards-based protocol. Over the years, Cisco has enhanced this protocol with new features to make much-needed improvements. This chapter discusses those improvements and new IEEE versions of the protocol that dramatically improve the technology. Layer 2 loops are terrible because there is no Time To Live (TTL) value in a frame. Loops can cause broadcast storms, MAC table corruption, and multiple-frame copies.

STP process
The bridge ID is a critical element for the creation of the spanning-tree, loop-free topology. The bridge ID consists of a 2-byte bridge priority and a 6-byte MAC address. The default priority is 32,768. Newer switch operating systems feature a third component for the bridge ID: the extended system ID. This value is just the VLAN ID. Use of the three-part bridge ID allows each VLAN to have a unique bridge ID while still using the same MAC address and priority value. Previously, multiple MAC addresses were needed for each VLAN to ensure uniqueness.

Path cost is the measure of distance from one bridge to another. Links are assigned a cost value by STP. This cost value is based on bandwidth. Higher-bandwidth links receive a lower-cost value, and STP deems a lower-cost path as preferred to a higher-cost path.

Initially with STP operations, a root bridge must be selected. This root bridge will have all of its ports in the forwarding state (designated ports) and will be the central reference point for the creation of a loop-free Layer 2 topology. For the “election” of this device, configuration bridge protocol data units (BPDU) are sent between switches for each port. Switches use a four-step process to save a copy of the “best” BPDU seen on every port. When a port receives a better BPDU, it stops sending them. If the BPDUs stop arriving for 20 seconds (the default), the port begins sending them again. The process for selecting the best BPDU is as follows:
1. Lowest root bridge ID (BID)
2. Lowest path cost to root bridge
3. Lowest sender BID
4. Lowest port ID (for example, Fa0/10 versus Fa0/20)

After the root bridge for the network has been determined, this reference point can be used to create the loop-free topology. This initial creation of the loop-free topology takes place in three steps:
Step 1. Elect a root bridge. The lowest BID wins.
Step 2. Elect root ports. Every nonroot bridge selects one root port.
Step 3. Elect designated ports. Each segment has one designated port (the bridge with the designated port is the designated bridge for that segment); all active ports on the root bridge are designated (unless you connect two ports to each other).
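The three-part bridge ID, the four-step BPDU comparison, and the first two steps of building the topology can be modeled in a few lines. The following Python is an added example written for this section, not code from the Quick Reference Sheets or from Cisco. The three switches, their MAC addresses, the VLAN number, and the link costs are constructed; the assumed costs of 19 and 4 are the 802.1D defaults for FastEthernet and Gigabit Ethernet links. The example goes one step beyond the text by also choosing a nonroot bridge's root port from the BPDUs it hears, which is where the path-cost and port-ID tie-breakers come into play.

```python
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class BridgeID:
    priority: int   # 2-byte priority field; a multiple of 4096 when the extended system ID is in use
    vlan: int       # extended system ID (use 0 for a classic two-part 802.1D bridge ID)
    mac: str        # 6-byte MAC address, for example "00:00:0c:00:00:11"

    def key(self) -> Tuple[int, int]:
        # Comparable form: priority plus VLAN ID, then the MAC as an integer. Lower wins.
        return (self.priority + self.vlan, int(self.mac.replace(":", ""), 16))


@dataclass(frozen=True)
class ConfigBPDU:
    root_id: BridgeID      # who the sender believes the root is
    root_path_cost: int    # the sender's cost to that root
    sender_id: BridgeID
    sender_port_id: int    # for example 0x8001 for the sender's first port


def bpdu_rank(bpdu: ConfigBPDU, ingress_cost: int = 0):
    """The four-step comparison from the text: lowest root BID, lowest path cost to
    the root (the receiver adds the cost of the link the BPDU arrived on), lowest
    sender BID, lowest sender port ID. Tuples compare element by element."""
    return (bpdu.root_id.key(), bpdu.root_path_cost + ingress_cost,
            bpdu.sender_id.key(), bpdu.sender_port_id)


def elect_root(bridges: Dict[str, BridgeID]) -> str:
    """Step 1: every bridge starts out claiming to be root; the lowest BID wins."""
    return min(bridges, key=lambda name: bridges[name].key())


def choose_root_port(received: Dict[str, Tuple[ConfigBPDU, int]]) -> str:
    """Step 2 on a nonroot bridge. received maps a local port to (best BPDU heard
    on that port, cost of that link); the root port is the one whose BPDU ranks best."""
    return min(received, key=lambda port: bpdu_rank(*received[port]))


def with_priority(bridges: Dict[str, BridgeID], name: str, priority: int) -> Dict[str, BridgeID]:
    """Election inputs after 'spanning-tree vlan <id> priority <priority>' on one switch."""
    changed = dict(bridges)
    old = bridges[name]
    changed[name] = BridgeID(priority, old.vlan, old.mac)
    return changed


# Constructed topology (not from the text): three switches in VLAN 100 at the
# default priority of 32768, so the election falls through to the MAC address.
VLAN = 100
SWITCHES = {
    "SW1": BridgeID(32768, VLAN, "00:00:0c:00:00:11"),
    "SW2": BridgeID(32768, VLAN, "00:00:0c:00:00:22"),
    "SW3": BridgeID(32768, VLAN, "00:00:0c:00:00:33"),
}


def sw3_root_port() -> str:
    """SW3 hears the root (SW1) directly on Fa0/1 (cost 19) and via SW2 on two
    Gigabit links (cost 4 each; SW2 is itself 4 from the root). 4 + 4 beats 19,
    and the tie between Gi0/1 and Gi0/2 falls to SW2's lower sending port ID."""
    root = SWITCHES["SW1"]
    heard = {
        "Fa0/1": (ConfigBPDU(root, 0, root, 0x8001), 19),
        "Gi0/1": (ConfigBPDU(root, 4, SWITCHES["SW2"], 0x8002), 4),
        "Gi0/2": (ConfigBPDU(root, 4, SWITCHES["SW2"], 0x8003), 4),
    }
    return choose_root_port(heard)


if __name__ == "__main__":
    print("root at defaults:", elect_root(SWITCHES))                                  # SW1 (lowest MAC)
    print("after SW3 priority 4096:", elect_root(with_priority(SWITCHES, "SW3", 4096)))  # SW3
    print("SW3 root port:", sw3_root_port())                                           # Gi0/1
```

With every switch at the default priority the election is decided by whichever MAC address happens to be lowest, which is why the root bridge placement section that follows insists on setting the priority deliberately.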

Ports have a port state under 802.1D STP. Ports begin life on the switch as disabled and gradually transition to a forwarding state as long as STP deems it is safe to do so. The possible states are listed here along with the timers that control the transition times. Note that the states are carefully ordered here to demonstrate the order of transition:
1. Disabled—Administratively down
2. Blocking—BPDUs received only (20 sec)
3. Listening—BPDUs sent and received (15 sec)
4. Learning—Bridging table is built (15 sec)
5. Forwarding—Sending/receiving data

When convergence occurs, BPDUs radiate out from the root bridge over loop-free paths. Figure 2-1 shows an example of STP in action.

FIGURE 2-1 Spanning-tree topology (the root bridge has the lowest BID; ports in the figure are labeled DP, RP, and NDP)

STP timers are used in the process to control convergence:
■ Hello—2 sec (time between each configuration BPDU)
■ Forward Delay—15 sec (controls durations of listening/learning states)
■ Max Age—20 sec (controls the duration of the blocking state)

Default convergence time is 30 to 50 seconds. Timer modification is possible from the root bridge. See Figure 2-2. Although the timers can be manipulated, Cisco does not recommend this. Instead, there are Cisco mechanisms that can be used to improve convergence times without direct manipulation of the timers by the administrator. Convergence time is a recognized issue with STP and the exact reason for IEEE’s creation of new versions of the protocol.


FIGURE 2-2 802.1D timers (Blocking: Max Age 20 seconds; Listening: Forward Delay 15 seconds; Learning: Forward Delay 15 seconds; Forwarding)

Topology changes
STP uses a Topology Change Notification (TCN) BPDU to alert the root bridge that a topology change to the spanning tree might need to occur. The Type field of the BPDU signifies the TCN BPDU: 0x80. TCN BPDUs improve convergence time when failures in the network occur—primarily because they help in a rapid updating of the MAC address tables. The TCN process of 802.1D is as follows:
1. A bridge sends a TCN BPDU in two cases:
a. It takes a port into forwarding, and it has at least one designated port (DP).
b. A port goes from Forwarding/Learning to Blocking.
TCNs are sent out the root port of nonroot devices; they are sent each hello interval until they are acknowledged by the upstream device.
2. Upstream bridges process TCN on DPs.
3. The upstream switch sets the Topology Change Acknowledgement (TCA) field of the next configuration BPDU received and sends this downstream. This causes the downstream switch to stop sending TCN BPDUs.
4. The upstream switch then sends the TCN further upstream.
5. This continues until the root bridge receives the TCN.
6. The root bridge then sets the TCA and Topology Change flags in the next configuration BPDU sent out downstream.
7. The root bridge sets the TC flag in all BPDUs sent for Forward Delay + Max Age. This instructs all switches to age MAC table address entries faster.

Root bridge placement
You should set the root bridge location in your network using the appropriate Cisco IOS command. You should also select a secondary root in the event the primary root fails. spanning-tree vlan vlan_ID priority priority_value allows you to modify the priority value and directly manipulate the root election. For example, spanning-tree vlan 100 priority 4096 sets the priority to 4096 for VLAN 100 on the local switch. If all switches are at the default priority value of 32,768, the bridge becomes the root. You can use the priority value of 8192 in this case on another switch to elect it as the secondary root bridge. The command spanning-tree vlan vlan_ID root primary is actually a macro command that examines the priority of the existing root and sets the priority on the local switch to be 1 less. If the default is used on the root, the priority is set to 8192. To create a secondary root, you can use the following command:
spanning-tree vlan vlan_ID root secondary

This command sets the priority value to 16,384. Remember, in a Cisco environment, by default all spanning-tree mechanisms occur on a VLAN-by-VLAN basis. This is called Per-VLAN Spanning Tree (PVST+).

NOTE
The CCIE written exam focuses on the Cisco IOS-based command set. As a result, no CatOS commands are shown in any of the Quick Reference Sheets.

Fast STP convergence with Cisco-proprietary enhancements to 802.1D

PortFast
PortFast, shown in Figure 2-3, is a Cisco-proprietary enhancement to the 802.1D STP implementation. You apply the command to specific ports, and that application has two effects:
■ Ports coming up are put directly into the forwarding STP mode.
■ The switch does not generate a TCN when a port configured for PortFast is going up or down—for example, when a workstation power-cycles.

Therefore, consider enabling PortFast on ports that are connected to end-user workstations. Caution must be used with PortFast ports to ensure that hubs, switches, bridges, or any other device that could cause a loop are not connected to these ports.

FIGURE 2-3 PortFast


UplinkFast
Configure UplinkFast on wiring closet switches. It detects a directly connected failure and allows a new root port to come up almost immediately. When you are configuring UplinkFast, the local switch has a priority set to 49,152, and it adds 3000 to the cost of all links. Finally, a mechanism is included that causes the manipulation of MAC address tables for other bridges.

BackboneFast
Configure BackboneFast on all switches. It speeds convergence when the failure occurs and is indirectly located, such as in the core of the backbone. It reduces convergence from about 50 seconds to about 30 seconds.

802.1w Rapid Spanning Tree Protocol
Rapid Spanning Tree Protocol (RSTP or IEEE 802.1w) improves on 802.1D. The protocol incorporates many new features to speed convergence, including incorporation of the ideas presented by Cisco in its enhancements to 802.1D. Although there are many, many improvements with the new technology, the configuration remains almost identical—and the two technologies can coexist. Full benefits are not realized until all systems are running RSTP, however. RSTP requires full-duplex, point-to-point connections between adjacent switches to achieve fast convergence.

RSTP defines edge ports as those not participating in STP. Edge ports can be statically configured or will be recognized by the PortFast configuration command.

RSTP port states
RSTP port states are simplified from 802.1D and consist of the following:
■ Discarding
■ Learning
■ Forwarding

Also, the port states are no longer tied directly to port roles. For example, a DP could be Discarding, even though it is destined to transition to the Forwarding state.

RSTP port roles
■ Root port—This port role exists in 802.1D, too, and is the “best” path back to the root bridge; it must exist on all nonroot bridges.
■ Designated port—This port role exists in 802.1D, too, and there must be a DP on all segments in the topology. By default, all ports on the root bridge are DPs.
■ Alternative port—This port role is new to 802.1w. This port is a quickly converging backup port to the current DP on a segment.
■ Backup port—This port role is new to 802.1w. This port is a quickly converging backup to the root port for a system.


RSTP BPDUs
All bridges now send BPDUs every hello time period (2 seconds by default). The BPDUs now act as a keepalive—protocol information is aged if no BPDUs are heard for three consecutive hello times.

RSTP proposal and agreement process/topology change mechanism
Convergence occurs on a link-by-link basis in 802.1w. No longer is there a reliance on timers for convergence as there is in 802.1D. A proposal and agreement process replaces the timer methodology of STP and flows downstream from the root device. In RSTP, only nonedge ports moving to the Forwarding state cause a topology change (TC). The originator of a TC is now responsible for flooding it through the network.

Implementing RSTP
On most Cisco switches, configuring 802.1s (Multiple Spanning Tree, MST) automatically enables RSTP. Cisco did invent a mode of operation that allows you to use RSTP without the implementation of MST. It is called PVST+ mode. You can enable it on a switch with the following command:
spanning-tree mode rapid-pvst

802.1s Multiple Spanning Tree
MSTP (IEEE 802.1s) is an IEEE standard that allows several VLANs to be mapped to a reduced number of spanning-tree instances. This provides advantages over PVST+ because typical topologies need only a few spanning-tree topologies to be optimized. You configure a set of switches with the same MISTP parameters, and this becomes an MST region. With MISTP, you have an internal spanning tree capable of representing the entire MST region as a common spanning tree for backward compatibility with earlier IEEE implementations. Follow these steps to configure MISTP:
Step 1. Globally enable MISTP (MSTP) on your switches:
spanning-tree mode mst
Step 2. Enter MST configuration submode:
spanning-tree mst configuration
Step 3. Set the MST region name:
name name
Step 4. Set a configuration revision number:
revision rev_num
Step 5. Map your VLANs to MST instances:
instance int vlan range


You can easily verify an MSTP configuration using the following commands:
show spanning-tree mst configuration
show spanning-tree mst vlan_id

Unidirectional Link Detection
Unidirectional Link Detection (UDLD), shown in Figure 2-4, detects and disables unidirectional links. A unidirectional link occurs when traffic transmitted from the local switch is received by the neighbor, but traffic sent from the neighbor is not. Unidirectional links can cause a variety of problems, including spanning-tree loops. UDLD performs tasks that autonegotiation cannot perform.

FIGURE 2-4 UDLD (sends function fine, but receives function inoperable)

To perform UDLD, packets are sent to neighbor devices on interfaces with UDLD enabled. Therefore, both sides of the link must support UDLD. By default, UDLD is locally disabled on copper interfaces and is locally enabled on all Ethernet fiber-optic interfaces. The Cisco IOS command to enable UDLD on an interface is simply this:
udld enable

Loop Guard
As its name implies, Loop Guard is a method for ensuring that STP loops never occur in a particular topology. Even though STP guards against such loops as best it can, they could still occur because of things like unidirectional link failures or switch congestion issues. Loop Guard prevents loops conservatively by preventing alternate or root ports from becoming DPs in the topology. If BPDUs are not received on a non-DP, and Loop Guard is enabled, that port is moved into the STP loop-inconsistent Blocking state, instead of the Listening / Learning / Forwarding state. Loop Guard operates only on ports that are considered point-to-point by the spanning tree, and it cannot be run in conjunction with Root Guard on an interface. To enable Loop Guard, you can use the following global configuration mode command:
spanning-tree loopguard default


Root Guard
Root Guard enables an administrator to enforce the root bridge placement in the network. Service providers that connect switches to customer networks are often interested in this technology because they want to ensure that no customer device inadvertently or otherwise becomes the root of the spanning tree. Root Guard ensures that the port on which Root Guard is enabled is the DP. If the switch receives superior STP BPDUs on a Root Guard–enabled port, the port is moved to a root-inconsistent STP state. This root-inconsistent state is effectively equal to the Listening port state. No traffic is forwarded across this port. This protects the current placement of the root bridge in the infrastructure. You can enable this feature on a port with the following interface configuration command:
spanning-tree guard root

BPDU Guard
This Cisco STP feature protects the network from loops that could occur if BPDUs were received on a PortFast port. Because BPDUs should never arrive at these ports, their reception indicates a misconfiguration or a security breach (for example, a switch attached to a port that was meant for an end host). BPDU Guard causes the port to error-disable upon the reception of these frames.

You can configure BPDU Guard globally to have the feature enabled for all PortFast ports on the system. The command to do this is as follows (current Catalyst IOS releases add the default keyword: spanning-tree portfast bpduguard default):
spanning-tree portfast bpduguard

You can also enable the feature at the interface level. Use this command:
spanning-tree bpduguard enable

You can enable this feature at the interface level even if PortFast is not enabled on the port. Once again, the receipt of a BPDU causes the port to error-disable. An error-disabled port stays down until it is reset manually (shutdown followed by no shutdown) or until errdisable recovery is configured for the bpduguard cause.

Storm Control
The Storm Control feature protects a LAN from being affected by unicast, broadcast, or multicast storms that might develop. The switch implements storm control by counting the number of packets of a specified type received within a one-second interval and comparing that measurement with a predefined suppression-level threshold. Storm Control typically lets the administrator express the threshold as a percentage of total bandwidth or as the rate at which packets are received. It is important to note that when the rate of multicast traffic exceeds the configured threshold, all incoming traffic (broadcast, multicast, and unicast) is dropped until the rate falls below the threshold; only spanning-tree packets are forwarded in this situation. When the broadcast or unicast threshold is exceeded, only the type of traffic that exceeded its threshold is blocked.

Storm Control is configured at the interface level with the following command:
storm-control {broadcast | multicast | unicast} level {level [level-low] | pps pps [pps-low]}
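The following is an added example, not code from the Quick Reference Sheets or from Cisco: a small Python model of how the three STP protection features described in this section (Loop Guard, Root Guard, and BPDU Guard) change a port's reaction to BPDU events. The bridge IDs, port names, and the event sequence in demo() are constructed for the example; the rules themselves follow the behavior described in the text, and the max-age figure assumes the 802.1D defaults (20-second max age, 2-second hello).

```python
"""Added example: how Root Guard, BPDU Guard and Loop Guard react to BPDU events.

Bridge IDs, port names and the event sequence in demo() are constructed for
the example; the rules follow the behaviour described in the text.
"""
from dataclasses import dataclass

MAX_AGE_HELLOS = 10   # 802.1D defaults: max age 20 s / hello 2 s = 10 missed hellos


@dataclass(order=True)
class BridgeId:
    """STP bridge ID; a lower (priority, MAC) pair is the better, 'superior' bridge."""
    priority: int
    mac: str


@dataclass
class Port:
    name: str
    role: str                   # "designated", "root" or "alternate"
    state: str = ""             # STP state or a guard-specific inconsistent state
    portfast: bool = False
    bpdu_guard: bool = False
    root_guard: bool = False
    loop_guard: bool = False
    point_to_point: bool = True
    missed_hellos: int = 0

    def __post_init__(self):
        # Restrictions quoted in the text: Loop Guard needs a point-to-point port
        # and cannot be combined with Root Guard on the same interface.
        if self.loop_guard and self.root_guard:
            raise ValueError(f"{self.name}: Loop Guard and Root Guard are mutually exclusive")
        if self.loop_guard and not self.point_to_point:
            raise ValueError(f"{self.name}: Loop Guard requires a point-to-point port")
        if not self.state:
            self.state = "blocking" if self.role == "alternate" else "forwarding"


class Switch:
    def __init__(self, root_id: BridgeId):
        self.root_id = root_id  # the root bridge this switch currently believes in

    def receive_bpdu(self, port: Port, advertised_root: BridgeId) -> str:
        """Process a BPDU arriving on `port`; return the port's resulting state."""
        if port.bpdu_guard:
            # BPDU Guard: a BPDU must never arrive on an edge port, so a single
            # frame error-disables the port (manual or errdisable recovery needed).
            port.state = "err-disabled"
            return port.state
        port.missed_hellos = 0
        if port.root_guard and advertised_root < self.root_id:
            # Root Guard: a superior BPDU would move the root bridge behind this
            # port, so the port is parked in root-inconsistent (no forwarding).
            port.state = "root-inconsistent"
        elif port.state == "root-inconsistent":
            port.state = "forwarding"       # superior BPDUs stopped: automatic recovery
        elif port.state == "loop-inconsistent":
            port.state = "blocking"         # BPDUs are back: Loop Guard releases the port
        return port.state

    def hello_timer_expired(self, port: Port) -> str:
        """Called once per hello interval in which no BPDU arrived on `port`."""
        if port.role == "designated" or port.state == "err-disabled":
            return port.state               # designated ports send BPDUs, they expect none
        port.missed_hellos += 1
        if port.missed_hellos < MAX_AGE_HELLOS:
            return port.state
        if port.loop_guard:
            # Loop Guard: silence on a root/alternate port is treated as a fault
            # (for example a unidirectional link), never as permission to forward.
            port.state = "loop-inconsistent"
        else:
            # Plain STP: max age expired, so the port assumes the designated bridge
            # is gone, becomes designated and forwards. On a unidirectional link this
            # is exactly how a bridging loop is created.
            port.role, port.state = "designated", "forwarding"
        return port.state


def demo() -> dict:
    """Run the three guards through the events they are meant to catch."""
    root = BridgeId(4096, "0000.0000.0001")
    sw = Switch(root_id=root)
    edge = Port("Gi0/1", "designated", portfast=True, bpdu_guard=True)
    uplink = Port("Gi0/2", "designated", root_guard=True)
    guarded = Port("Gi0/3", "alternate", loop_guard=True)
    unguarded = Port("Gi0/4", "alternate")
    rogue = BridgeId(0, "0000.0000.0099")    # a customer switch claiming priority 0
    results = {
        "bpdu_guard": sw.receive_bpdu(edge, root),
        "root_guard": sw.receive_bpdu(uplink, rogue),
        "root_guard_recovered": sw.receive_bpdu(uplink, root),
    }
    for _ in range(MAX_AGE_HELLOS):          # the upstream bridge goes silent
        sw.hello_timer_expired(guarded)
        sw.hello_timer_expired(unguarded)
    results["loop_guard"] = guarded.state
    results["no_loop_guard"] = unguarded.state
    results["loop_guard_released"] = sw.receive_bpdu(guarded, root)
    return results


if __name__ == "__main__":
    for event, state in demo().items():
        print(f"{event:22s} -> {state}")
```

The unguarded alternate port is the instructive case: after max age expires with no BPDUs, plain STP promotes it to a forwarding designated port, which on a unidirectional link is the loop that Loop Guard exists to prevent.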

LAN Switching
VLAN trunking
802.1Q
The IEEE 802.1Q standard trunking protocol inserts an extra tag into the Ethernet header to identify the VLAN membership of a frame as it crosses bridges. The tag carries both the VLAN identity and a quality of service (QoS) priority. The VLAN ID (VID) associates a frame with a specific VLAN and provides the information that switches need to process the frame across the network. A tagged frame is 4 bytes longer than an untagged frame: 2 bytes of Tag Protocol Identifier (TPID) followed by 2 bytes of Tag Control Information (TCI). These components of an 802.1Q tagged frame are described in more detail here:
■ TPID—The Tag Protocol Identifier has a defined value of 0x8100. It occupies the position where the EtherType of an untagged frame would be, so a receiver that sees EtherType 0x8100 knows the frame carries an IEEE 802.1Q/802.1p tag; the original EtherType follows the TCI.
■ Priority—The first 3 bits of the Tag Control Information define user priority; 3 bits give eight (2^3) possible priority levels. IEEE 802.1p defines the operation of these 3 user-priority bits.
■ CFI—The Canonical Format Indicator is a single-b1t flag, always set to 0 for Ethernet switches. CFI exists for compatibility between Ethernet and Token Ring networks.
■ VID—The 12-bit VLAN ID identifies the VLAN; 12 bits allow 4096 (2^12) values. Two of these (0 and 4095) are reserved, leaving 4094 usable VLANs. A VID of 0 marks a priority-tagged frame, which belongs to the native VLAN of the receiving port.

Unicast flooding
If a destination MAC address is not in the MAC address table of the switch, the frame is flooded out all ports in that VLAN (other than the one it arrived on). Although some flooding is unavoidable and expected, excessive flooding might be caused by asymmetric routing, STP topology changes, or forwarding table overflow. Flooding can also result from attacks on the network, especially denial-of-service (DoS) attacks that deliberately fill the MAC address table so that traffic is flooded to every port. Switches can implement a unicast flood-prevention feature that rate-limits flooded unicast traffic per VLAN and reacts (filter, alert, or shutdown) when the limit is exceeded. It is configured with the following global configuration command:
mac-address-table unicast-flood {limit kfps} {vlan vlan} {filter timeout | alert | shutdown}

An alternative configuration approach found on some Catalyst model devices (such as the 6500 series) is to use what is known as Unknown Unicast Flood Blocking (UUFB). This is configured with the following simple interface command:
switchport block unicast

802.1Q trunks feature a concept called the native VLAN. The native VLAN is the one VLAN on a trunk whose frames are sent without a tag. Here are the aspects of the native VLAN:
■ The VLAN a port is in when not trunking.
■ The VLAN from which frames are sent untagged on an 802.1Q port.
■ The VLAN to which frames are forwarded if received untagged on an 802.1Q port.

Cisco switches log errors if the native VLAN does not match at each end of the link, because untagged frames would then be delivered into different VLANs on the two sides. The default native VLAN in Cisco devices is VLAN 1. You can control which 802.1Q VLANs are carried over a trunk, either for security purposes (carry only the VLANs the far end needs, and use a dedicated, otherwise unused native VLAN) or for load balancing. The command used to create and control trunks on Cisco IOS-based switches is the interface command:
switchport trunk {allowed vlan vlan-list} | {encapsulation {dot1q | isl | negotiate}} | {native vlan vlan-id} | {pruning vlan vlan-list}

VLAN Trunking Protocol
VLAN Trunking Protocol (VTP) is a Cisco-proprietary Layer 2 multicast messaging protocol that synchronizes VLAN information across all media types and tagging methods on your switches. To enjoy the benefits of VTP, your switches must meet the following requirements:
■ You must configure the VTP domain name identically on each device; domain names are case-sensitive.
■ The switches must be adjacent.
■ The switches must be connected with trunk links.
■ The same VTP password must be configured if one is used in the domain.

Generally, you find four items in all VTP messages:
■ VTP protocol version (either 1 or 2)
■ VTP message type
■ Management domain name length
■ Management domain name

VTP has four possible message types:
■ Summary advertisements
■ Subset advertisements
■ Advertisement requests
■ VTP Join messages (used for pruning)
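Returning to the 802.1Q tag layout and the native-VLAN rule covered earlier in this section, here is an added example (not code from the Quick Reference Sheets) that builds and parses tagged Ethernet frames and applies a trunk's allowed-VLAN list to the result. The MAC addresses, VLAN numbers, and payload bytes are constructed for the example.

```python
"""Added example: build and parse 802.1Q-tagged frames and apply trunk rules.

MAC addresses, VLAN numbers and payloads below are constructed for the example.
"""
import struct
from typing import Optional

TPID_8021Q = 0x8100          # tag protocol identifier, sits in the EtherType slot
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace(".", ""))


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0, cfi: int = 0) -> bytes:
    """Return an Ethernet frame, tagged with `vid` or untagged when vid is None."""
    header = mac_bytes(dst) + mac_bytes(src)
    if vid is not None:
        if not 0 <= vid <= 4094:
            raise ValueError("VID must be 0..4094 (4095 is reserved)")
        tci = (pcp & 0x7) << 13 | (cfi & 0x1) << 12 | vid   # 3-bit PCP, 1-bit CFI, 12-bit VID
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes, native_vlan: int = 1) -> dict:
    """Decode the Ethernet header and, if present, the 802.1Q tag.

    An untagged frame (or a VID-0 priority-tagged frame) is placed in the
    receiving trunk port's native VLAN, as the text describes.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "tagged": False,
            "pcp": 0, "cfi": 0, "vid": native_vlan, "native": True}
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])   # real EtherType follows the TCI
        vid = tci & 0x0FFF
        if vid == 4095:
            raise ValueError("VID 4095 is reserved")
        info.update(tagged=True, pcp=tci >> 13, cfi=(tci >> 12) & 1)
        if vid != 0:                        # VID 0 = priority tag only, stays in the native VLAN
            info.update(vid=vid, native=False)
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def trunk_accepts(info: dict, allowed_vlans: set) -> bool:
    """Apply 'switchport trunk allowed vlan' to a parsed frame.

    Native-VLAN traffic travels untagged, so an untagged frame is accepted only
    when the native VLAN itself is in the allowed list.
    """
    return info["vid"] in allowed_vlans


def demo() -> dict:
    payload = b"\x45\x00" + bytes(38)           # constructed: the start of an IPv4 packet
    src = "00:1b:2c:3d:4e:5f"
    tagged = build_frame("01:00:5e:00:00:01", src, ETHERTYPE_IPV4, payload, vid=100, pcp=5)
    untagged = build_frame("ff:ff:ff:ff:ff:ff", src, ETHERTYPE_IPV4, payload)
    allowed = {10, 20, 100}                     # switchport trunk allowed vlan 10,20,100
    t, u = parse_frame(tagged), parse_frame(untagged, native_vlan=1)
    return {
        "tag_overhead": len(tagged) - len(untagged),
        "tagged": (t["tagged"], t["vid"], t["pcp"], hex(t["ethertype"])),
        "untagged_vid": u["vid"],
        "tagged_allowed": trunk_accepts(t, allowed),
        "untagged_allowed": trunk_accepts(u, allowed),  # native VLAN 1 not allowed: dropped
    }


if __name__ == "__main__":
    print(demo())
```

The last result is the practical point: an untagged frame has no VID of its own, so whether it crosses the trunk depends entirely on the native VLAN configured on the receiving port and on whether that VLAN is in the allowed list.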

The VTP configuration revision number is extremely important. This value is used to determine whether a switch has stale information about VLANs, and it ultimately controls whether the switch overwrites its VLAN database with new information. The revision number increments each time a change is made to the VLAN database on a Server mode VTP system. The number is a 32-bit value from 0 to 4,294,967,295. When introducing new Server mode switches, you must ensure that you do not inadvertently overwrite the VLAN database because of a higher configuration revision number on the new switch: a switch in the same domain (with the same password, if one is used) that advertises a higher revision number wins, even if its database contains only the default VLANs, and every other server and client in the domain replaces its own database with that content. Introducing new switches in Transparent mode helps ensure that this problem never occurs, because a Transparent switch neither processes advertisements nor originates them. Changing the VTP domain name also resets the revision number to 0. You have three possible modes for your VTP switches:
■ Server—This mode enables you to create, modify, and delete VLANs; these changes are advertised to Client mode systems. Catalyst switches default to this mode.
■ Client—This mode does not allow for the creation, modification, or deletion of VLANs on the local device; VLAN configurations are synchronized from Server mode system(s).
■ Transparent—This mode permits the addition, deletion, and modification of VLAN information, but the information resides only locally on the Transparent device; these systems forward advertisements from servers but do not process them.

Here is a sample configuration of VTP for a Server mode system in Cisco IOS. Note that changing the VTP domain on this system resets the configuration revision number to 0:
Switch# configure terminal
Switch(config)# vtp mode server
Setting device to VTP SERVER mode.
Switch(config)# vtp domain Lab_Network
Setting VTP domain name to Lab_Network
Switch(config)# end
Switch#

VTP pruning
VTP pruning enables you to limit the amount of traffic sent on trunk ports. It limits the distribution of flooded frames to only those switches that have ports in the particular VLAN. You need to configure pruning on only one VTP server, and the setting automatically propagates through the domain. The Cisco IOS command is as follows:
vtp pruning

When you enable pruning, VLANs 2 through 1001 are prune-eligible by default; VLAN 1 and the extended-range VLANs are never pruned. You can change this behavior by making selected VLANs prune-ineligible on a trunk. This is done with the following interface command:
switchport trunk pruning vlan {add | except | none | remove} vlan-list
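The revision-number rule above is easy to get wrong in practice, so here is an added example (not code from the Quick Reference Sheets or from Cisco) that models how VTP mode, domain name, password, and configuration revision decide whether a switch replaces its VLAN database when an advertisement arrives. Switch names, VLAN numbers, and revision values are constructed for the example; the domain name reuses Lab_Network from the sample configuration.

```python
"""Added example: VTP mode, domain, password and revision number versus the
VLAN database. Switch names, VLANs and revision values are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class VtpSwitch:
    name: str
    mode: str                      # "server", "client" or "transparent"
    domain: str
    password: str = ""
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})

    def set_domain(self, domain: str) -> None:
        """Changing the domain name resets the configuration revision to 0."""
        self.domain = domain
        self.revision = 0

    def add_vlan(self, vid: int, name: str) -> None:
        if self.mode == "client":
            raise PermissionError(f"{self.name}: clients cannot modify VLANs")
        self.vlans[vid] = name
        if self.mode == "server":
            self.revision += 1     # transparent switches keep their changes local

    def advertisement(self):
        """Advertisement content this switch would originate on its trunks."""
        if self.mode == "transparent":
            return None            # transparent switches relay advertisements but send none
        return {"domain": self.domain, "password": self.password,
                "revision": self.revision, "vlans": dict(self.vlans)}

    def receive(self, adv: dict) -> bool:
        """Process an advertisement; return True if the local VLAN database was replaced."""
        if self.mode == "transparent":
            return False                             # forwarded, never processed
        if adv["domain"] != self.domain:             # case-sensitive comparison
            return False
        if adv["password"] != self.password:
            return False
        if adv["revision"] <= self.revision:
            return False                             # stale or identical information
        self.vlans = dict(adv["vlans"])              # higher revision wins, server or client alike
        self.revision = adv["revision"]
        return True


def demo() -> dict:
    def production() -> VtpSwitch:
        core = VtpSwitch("core", "server", "Lab_Network", password="s3cret")
        for vid, name in ((10, "users"), (20, "servers"), (30, "voice")):
            core.add_vlan(vid, name)
        return core                                   # revision 3, four VLANs

    # A switch recycled from a lab: same domain and password, revision 30 from
    # past changes, but only the default VLAN in its database.
    stale = VtpSwitch("lab-sw", "server", "Lab_Network", password="s3cret", revision=30)

    core = production()
    results = {"server_overwritten": core.receive(stale.advertisement()),
               "core_vlans_after": sorted(core.vlans)}

    core = production()
    stale.mode = "transparent"                        # the safe way to introduce it
    adv = stale.advertisement()
    results["transparent_overwrites"] = adv is not None and core.receive(adv)
    results["transparent_touched"] = stale.receive(core.advertisement())

    core = production()
    stale.mode = "server"
    stale.set_domain("Lab_Network")                   # re-entering the domain zeroes the revision
    results["after_domain_reset"] = core.receive(stale.advertisement())
    results["wrong_password"] = core.receive({**stale.advertisement(),
                                              "revision": 99, "password": "x"})
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:22s} {v}")
```

The first result is the failure the text warns about: the production server discards its three user VLANs because the recycled switch carried a higher revision number. Transparent mode and a domain-name reset both avoid it; the password check shows the one additional barrier a VTP domain can have.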

EtherChannel
EtherChannel allows you to bundle redundant links and treat them as a single link, thus achieving substantial bandwidth and redundancy benefits. It is often advisable to use an EtherChannel for key trunks in your campus design. Notice that EtherChannel affects STP, because ordinarily one or more of the parallel links would be disabled to prevent a loop; STP instead sees the bundle as one logical port. Be aware of the following guidelines for EtherChannel:
■ All Ethernet interfaces on all modules must support EtherChannel.
■ You have a maximum of eight interfaces per EtherChannel.
■ The ports do not need to be contiguous or on the same module.
■ All ports in the EtherChannel must be set for the same speed and duplex.
■ Enable all interfaces in the EtherChannel.
■ An EtherChannel will not form if one of the ports is a Switched Port Analyzer (SPAN) destination.
■ For Layer 3 EtherChannels, assign a Layer 3 address to the port-channel logical interface, not the physical interfaces.
■ Assign all EtherChannel ports to the same VLAN, or ensure they are all set to the same trunk encapsulation and trunk mode.
■ The same allowed range of VLANs must be configured on all ports in an EtherChannel.
■ Interfaces with different STP port path costs can form an EtherChannel.
■ After an EtherChannel has been configured, a configuration made to the physical interfaces affects the physical interfaces only; configure the bundle through the port-channel interface instead.

EtherChannel load balancing can use MAC addresses, IP addresses, or Layer 4 port numbers—either source, destination, or both source and destination addresses. Here is an example that bundles seven ports into channel group 2 using PAgP desirable mode:
Router# configure terminal
Router(config)# interface range fastethernet 2/2 - 8
Router(config-if-range)# channel-group 2 mode desirable
Router(config-if-range)# end

Ethernet
Ethernet refers to the family of LAN products covered by the IEEE 802.3 standard. This standard defines the carrier sense multiple access collision detect (CSMA/CD) protocol. Four data rates are currently defined for operation over optical fiber and twisted-pair cables:
■ 10 Mbps—10BASE-T Ethernet
■ 100 Mbps—Fast Ethernet
■ 1000 Mbps—Gigabit Ethernet
■ 10,000 Mbps—10 Gigabit Ethernet

Ethernet has replaced just about every other LAN technology for the following reasons:
■ It is easy to understand, implement, manage, and maintain.
■ It has a relatively low cost.
■ It provides extensive topological flexibility.
■ It is a standards-compliant technology.

802.3
802.3 defines the original shared-media LAN technology. This early Ethernet specification runs at 10 Mbps. Ethernet can run over various media such as twisted pair and coaxial. You often see 802.3 Ethernet referred to by different names because of the differences in the underlying media. Here are examples:
■ 10BASE-T—Ethernet over twisted-pair media
■ 10BASE-F—Ethernet over fiber media
■ 10BASE2—Ethernet over thin coaxial media
■ 10BASE5—Ethernet over thick coaxial media

802.3u (Fast Ethernet)
Fast Ethernet refers to any one of a number of 100-Mbps Ethernet specifications. As its name implies, Fast Ethernet offers speeds 10 times that of the 10BASE-T Ethernet specification. Although Fast Ethernet is a much faster technology, it preserves qualities such as the frame format, the MAC mechanisms, and the maximum transmission unit (MTU). These similarities permit you to use existing 10BASE-T applications and network management tools on Fast Ethernet networks.

802.3z (Gigabit Ethernet)
Once again, this Ethernet technology builds on the foundations of the old, but it increases speeds tenfold over Fast Ethernet to 1000 Mbps, or 1 gigabit per second (Gbps).

802.3ab (Gigabit Ethernet over Copper)
Gigabit Ethernet over Copper (also known as 1000BASE-T) is yet another extension of the existing Ethernet standards. 802.3ab specifies Gigabit Ethernet operation over the Category 5e/6 cabling systems already installed. This reuse of the existing infrastructure helps make 802.3ab a highly cost-effective solution.

10 Gigabit Ethernet
The latest in Ethernet technologies, 10 Gigabit Ethernet, provides the following features:
■ ■ ■

High bandwidth Low cost of ownership Scalability from 10 Mbps to 10,000 Mbps

Long Reach Ethernet
The Cisco Long Reach Ethernet (LRE) networking solution delivers 5- to 15-Mbps speeds over existing Category 1/2/3 wiring. As the name conveys, this Ethernet-like performance extends 3500 to 5000 feet.

Gigabit Interface Converter
The Gigabit Interface Converter (GBIC) is a Cisco standards-based hot-swappable input/output device that plugs into a Gigabit Ethernet slot on a Cisco network device. This flexibility allows you to inexpensively adapt your network equipment to any changes in the physical media that might be introduced. You can intermix GBICs in a Cisco device to support any combination of 802.3z-compliant 1000BASE-SX, 1000BASE-LX/LH, or 1000BASE-ZX interfaces. Upgrading to the latest interface technologies is simple thanks to these GBICs.

CHAPTER 3


IP
Addressing
IPv4 addresses
IPv4 addresses consist of 32 bits. These 32 bits are divided into four sections of 8 bits, each called an octet. Addresses are typically represented in dotted-decimal notation. For example:
10.200.34.201

Subnet masks identify which portion of the address identifies a particular network and which portion identifies a host on the network. The address classes defined for public and private networks use the following default subnet masks:
■ Class A 255.0.0.0 (8 bits)
■ Class B 255.255.0.0 (16 bits)
■ Class C 255.255.255.0 (24 bits)

Class A addresses begin with a 0 bit and have a first octet in decimal of 1 to 127 (0 is not used, and 127 is reserved for loopback). Class B addresses begin with the bits 10 and range from 128 to 191. Class C addresses begin with 110 and range from 192 to 223. Class D and Class E addresses also are defined. The Class D address space has the first 4 bits set to 1110 and a first octet of 224 to 239; these addresses are used for IP multicast. Class E addresses have the first 4 bits set to 1111 and a first octet of 240 to 255; these addresses are reserved for experimental use.

Subnetting
Subnetting allows for the creation of smaller, more-efficient networks. Overall network traffic is reduced, and security measures can be easily introduced in a subnetted network. The IP address is 32 bits in length. It has a network ID portion and a host ID portion. The number of bits used for the host ID dictates the number of hosts possible on the network or subnetwork. One address is reserved for the network ID (all host bits set to 0), and one address is reserved for the subnet broadcast (all host bits set to 1). To calculate the number of hosts available on a subnet, use the formula 2^n – 2, where n is the number of bits used for the host ID. To identify subnets, bits are “borrowed” from the host portion. The number of subnets that can be created depends on the number of bits borrowed and is calculated with 2^n, where n is the number of bits borrowed.

Here is an example of subnetting. Take the address 10.172.16.211 with a subnet mask of 255.255.192.0. First note that this mask uses 18 bits, leaving 14 bits for host addressing. That means that 2^14 – 2 = 16,382 host addresses are available on each subnet. A default Class A network uses 8 bits for the mask, so here 10 bits are “borrowed” from the host portion. That allows for the creation of 2^10 = 1024 subnets. The address itself falls in the subnet 10.172.0.0/18, whose broadcast address is 10.172.63.255.
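The subnetting arithmetic above generalizes to any IPv4 address and mask; here is an added example (not code from the Quick Reference Sheets) that carries it out with Python's standard ipaddress module, starting from the text's own 10.172.16.211/255.255.192.0 case. It goes a little beyond the text by classifying all five address classes and by handling the /31 and /32 cases, where the 2^n – 2 formula does not apply (RFC 3021 point-to-point links). The additional sample addresses are constructed.

```python
"""Added example: classful address classes and subnet arithmetic for any IPv4
address and mask. The 10.172.16.211 case is the one worked in the text; the
other sample addresses are constructed.
"""
import ipaddress


def address_class(addr: str) -> str:
    """Return A..E from the leading bits of the first octet."""
    first = int(ipaddress.IPv4Address(addr)) >> 24
    if first < 128:
        return "A"          # 0xxxxxxx  1-127 (0 unused, 127 loopback)
    if first < 192:
        return "B"          # 10xxxxxx  128-191
    if first < 224:
        return "C"          # 110xxxxx  192-223
    if first < 240:
        return "D"          # 1110xxxx  224-239, multicast
    return "E"              # 1111xxxx  240-255, experimental


def subnet_report(addr: str, mask: str) -> dict:
    """Network, broadcast, usable hosts and subnets borrowed from the classful default.

    `mask` may be dotted-decimal (255.255.192.0) or a prefix length (18).
    """
    iface = ipaddress.IPv4Interface(f"{addr}/{mask}")
    net = iface.network
    host_bits = 32 - net.prefixlen
    cls = address_class(addr)
    default_bits = {"A": 8, "B": 16, "C": 24}.get(cls)
    if default_bits is None:
        raise ValueError(f"{addr} is class {cls}: no default mask, cannot subnet classfully")
    if net.prefixlen < default_bits:
        raise ValueError(f"/{net.prefixlen} is shorter than the class {cls} default "
                         f"/{default_bits} (that is a supernet, not a subnet)")
    borrowed = net.prefixlen - default_bits
    # 2^n - 2 for ordinary subnets. A /31 (RFC 3021 point-to-point) or /32 has no
    # separate network and broadcast addresses, so every address is usable there.
    usable = 2 ** host_bits - 2 if host_bits >= 2 else 2 ** host_bits
    first = net.network_address + 1 if host_bits >= 2 else net.network_address
    last = net.broadcast_address - 1 if host_bits >= 2 else net.broadcast_address
    return {
        "class": cls,
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "prefixlen": net.prefixlen,
        "host_bits": host_bits,
        "usable_hosts": usable,
        "borrowed_bits": borrowed,
        "subnets": 2 ** borrowed,
        "first_host": str(first),
        "last_host": str(last),
    }


if __name__ == "__main__":
    for addr, mask in (("10.172.16.211", "255.255.192.0"), ("192.168.1.77", "26"),
                       ("10.0.0.1", "31")):
        print(f"{addr}/{mask}: {subnet_report(addr, mask)}")
```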

Address Resolution Protocol
Address Resolution Protocol (ARP) is used to resolve IP addresses to MAC addresses in an Ethernet network. A host wanting to obtain a physical address broadcasts an ARP request onto the TCP/IP network. The host on the network that has the IP address in the request then replies with its physical hardware address. When a MAC address is determined, the IP-to-MAC association is stored in an ARP cache for rapid retrieval. Then the IP datagram is encapsulated in a link-layer frame and sent over the network. Encapsulation of IP datagrams and ARP requests and replies on IEEE 802 networks other than Ethernet is specified by the Subnetwork Access Protocol (SNAP). Because ARP carries no authentication, any host on the segment can answer a request (or send unsolicited replies) and so poison the caches of its neighbors; the static entries described below are one way to pin the mapping for critical hosts.

Reverse Address Resolution Protocol (RARP) works the same way as ARP, except that the RARP request asks for an IP address rather than a MAC address. Use of RARP requires a RARP server on the same network segment as the router interface. RARP often is used by diskless nodes that do not know their IP addresses when they boot. Cisco IOS Software attempts to use RARP if it does not know the IP address of an interface at startup. Also, Cisco routers can act as RARP servers by responding to RARP requests that they can answer.

Enabling proxy ARP
Cisco routers use proxy ARP to help hosts with no knowledge of routing determine the MAC addresses of hosts on other networks. If the router receives an ARP request for a host that is not on the same network as the ARP request sender, and if the router has all of its routes to that host through other interfaces, it generates a proxy ARP reply packet giving its own local MAC address. The host that sent the ARP request then sends its packets to the router, which forwards them to the intended host. Proxy ARP is enabled by default; because it makes the router answer for any address it can reach, many deployments disable it with no ip proxy-arp. To enable proxy ARP if it has been disabled, use the following command:
Router(config-if)# ip proxy-arp

Defining static ARP cache entries
To configure static mappings, use the following command:
Router(config)# arp ip-address hardware-address type

Use the following command to set the length of time an ARP cache entry stays in the cache:
Router(config-if)# arp timeout seconds

Setting ARP encapsulations
Cisco routers can actually use three forms of address resolution: ARP, proxy ARP, and Probe (similar to ARP). Probe is a protocol developed by Hewlett-Packard (HP) for use on IEEE 802.3 networks. By default, standard Ethernet-style ARP encapsulation (represented by the arpa keyword) is enabled on the IP interface. You can change this encapsulation method to SNAP or HP Probe, as required by your network, to control the interface-specific handling of IP address resolution into 48-bit Ethernet hardware addresses. To specify the ARP encapsulation type, use the following command:
Router(config-if)# arp {arpa | probe | snap}

Hot Standby Router Protocol
The Hot Standby Router Protocol (HSRP) provides high network availability by routing IP traffic from hosts without relying on the availability of any single router. HSRP is used in a group of routers to select an active router and a standby router. The active router is the router of choice for routing packets; a standby router is a router that takes over the routing duties when an active router fails, or when other preset conditions are met. HSRP is useful for hosts that do not support a router discovery protocol (such as Internet Control Message Protocol [ICMP] Router Discovery Protocol [IRDP]) and that cannot switch to a new router when their selected router reloads or loses power. When HSRP is configured on a network segment, it provides a virtual MAC address and an IP address that is shared among a group of routers running HSRP. The address of this HSRP group is referred to as the virtual IP address. One of these devices is selected by the protocol to be the active router.

HSRP detects when the designated active router fails, at which point a selected standby router assumes control of the MAC and IP addresses of the Hot Standby group. A new standby router is also selected at that time. Devices that are running HSRP send and receive multicast User Datagram Protocol (UDP)-based hello packets to detect router failure and to designate active and standby routers. For an example of an HSRP topology, see Figure 3-1.

FIGURE 3-1 HSRP topology (an HSRP group consisting of an active router and a standby router, presented to hosts as a single virtual router)

You can configure multiple Hot Standby groups on an interface, thereby making fuller use of redundant routers and load sharing. To do so, specify a group number for each Hot Standby command you configure for the interface.

To enable the HSRP on an interface, use the following command:
Router(config-if)# standby [group-number] ip [ip-address [secondary]]

You can also configure the interface to track other interfaces so that if one of the other interfaces goes down, the device’s Hot Standby priority is lowered:
Router(config-if)# standby [group-number] track type number [interface-priority]

Whereas the preceding represents the only required HSRP configuration commands, you should be familiar with many others for configuring additional HSRP behaviors. To configure the time between hello packets and the hold time before other routers declare the active router to be down, use the following command:
Router(config-if)# standby [group-number] timers [msec] hellotime [msec] holdtime

You can also specify a virtual MAC address for the virtual router:
Router(config-if)# standby [group-number] mac-address mac-address

You can also set the Hot Standby priority used in choosing the active router. The priority value range is from 1 to 255, where 1 denotes the lowest priority and 255 denotes the highest priority. Because any device on the segment that sends HSRP hellos with a higher priority can take part in (and win) this election, protect untrusted segments with HSRP authentication (the standby [group-number] authentication command):
Router(config-if)# standby [group-number] priority priority

Finally, you can configure HSRP to use the burned-in address of an interface as its virtual MAC address rather than the preassigned MAC address (on Ethernet and FDDI) or the functional address (on Token Ring):
Router(config-if)# standby use-bia [scope interface]
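To make the interaction between priority, interface tracking, and preemption concrete, here is an added example (not code from the Quick Reference Sheets or from Cisco) that models the HSRP active/standby election for one group. Router names, addresses, and priorities are constructed; hello and hold timers are abstracted into an "alive" flag that flips once a router's hellos have been missed for the hold time. The tie-break among equal priorities (the highest IP address wins) is standard HSRP behavior.

```python
"""Added example: HSRP active/standby election with priority, tracking and
preemption. Router names, addresses and priorities are constructed; the hello/
hold timers are abstracted into an `alive` flag.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass
class HsrpRouter:
    name: str
    ip: str
    priority: int = 100        # standby priority, 1..255, default 100
    preempt: bool = False      # standby preempt (off by default)
    alive: bool = True         # False once its hellos have been missed for the hold time

    def rank(self):
        """Higher priority wins; equal priorities are broken by the higher IP address."""
        return (self.priority, IPv4Address(self.ip))


class HsrpGroup:
    def __init__(self, routers):
        self.routers = list(routers)
        self.active = None
        self.standby = None
        self.elect()

    def elect(self) -> tuple:
        """Recompute the active and standby routers; returns their names."""
        alive = sorted((r for r in self.routers if r.alive),
                       key=HsrpRouter.rank, reverse=True)
        if not alive:
            self.active = self.standby = None
            return (None, None)
        best = alive[0]
        if self.active is None or not self.active.alive:
            self.active = best      # hold timer expired: the best remaining router takes over
        elif best is not self.active and best.preempt and best.rank() > self.active.rank():
            self.active = best      # a preempting router with a better rank wins
        # otherwise the current active keeps its role even when it is no longer the best
        self.standby = next((r for r in alive if r is not self.active), None)
        return (self.active.name, self.standby.name if self.standby else None)

    def router_down(self, name: str) -> tuple:
        self._get(name).alive = False
        return self.elect()

    def router_up(self, name: str) -> tuple:
        self._get(name).alive = True
        return self.elect()

    def tracked_interface_down(self, name: str, decrement: int = 10) -> tuple:
        """standby track: lower the priority when a tracked interface fails (default 10)."""
        self._get(name).priority -= decrement
        return self.elect()

    def _get(self, name: str) -> HsrpRouter:
        return next(r for r in self.routers if r.name == name)


def demo() -> list:
    group = HsrpGroup([
        HsrpRouter("R1", "10.0.0.1", priority=110, preempt=True),
        HsrpRouter("R2", "10.0.0.2"),                       # priority 100, no preempt
        HsrpRouter("R3", "10.0.0.3", preempt=True),         # priority 100, higher IP than R2
    ])
    steps = [("initial", (group.active.name, group.standby.name))]
    steps.append(("R1 fails", group.router_down("R1")))
    steps.append(("R1 returns", group.router_up("R1")))              # preempts at 110
    steps.append(("R1 uplink lost", group.tracked_interface_down("R1", 20)))  # 90 < 100
    steps.append(("R3 fails", group.router_down("R3")))
    return steps


if __name__ == "__main__":
    for event, (active, standby) in demo():
        print(f"{event:15s} active={active} standby={standby}")
```

Two things the sequence shows that the commands alone do not: tracking only changes who forwards if some other router is configured to preempt, and a router without preempt (R2) never takes the active role back on its own, however high its priority.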

You can also configure a router with higher priority to preempt the active router. Without preempt (the default), a router that comes back online with a higher priority remains standby until the current active router fails. In addition, you can configure a preemption delay after which the Hot Standby router preempts and becomes the active router:
Router(config-if)# standby [group-number] preempt [delay {minimum delay | reload delay | sync delay}]

Gateway Load Balancing Protocol
Gateway Load Balancing Protocol (GLBP) takes HSRP even further. Instead of just providing backup for a failed router, it can also handle the load balancing between multiple routers. GLBP provides this functionality using a single virtual IP address and multiple virtual MAC addresses. Workstations are configured with the same virtual IP address, and all routers in the virtual router group participate in forwarding packets. GLBP members communicate with each other using hello messages sent every three seconds to the multicast address 224.0.0.102.

Members of a GLBP group elect one gateway to be the active virtual gateway (AVG) for that group. It is the job of the other group members to back up the AVG in the event that the AVG fails. The AVG assigns a virtual MAC address to each member of the GLBP group, and it is responsible for answering ARP requests for the virtual IP address. Load sharing is achieved by the AVG replying to successive ARP requests with the different virtual MAC addresses that the group members forward for. Although you can use many optional commands with GLBP, the primary command to enable GLBP is as follows:
glbp group ip [ip-address [secondary]]

Note how similar this command is to the HSRP configuration command.

Virtual Router Redundancy Protocol
Virtual Router Redundancy Protocol (VRRP) is so similar to HSRP that it can be basically thought of as the standards-based version of the protocol. Like HSRP, it lacks the inherent load-balancing capabilities that GLBP provides. Although there are many customization commands, the command to enable the protocol is just like that of the other redundancy protocols in structure:
vrrp group ip ip-address [secondary]

Network Address Translation
Network Address Translation (NAT) allows an organization to use private IP address space inside the organization (or any other IP address it might require) and present this IP address differently to the outside networks. Organizations might use NAT for the following purposes:
■ To connect private IP internetworks that use nonregistered IP addresses to the Internet. NAT translates the internal local addresses to globally unique IP addresses before sending packets to the outside network. Without NAT, the internal addresses would have to be renumbered, which creates a large administrative burden; NAT is used instead to translate addresses.
■ To do basic load sharing of TCP traffic. A single global IP address is mapped to many local IP addresses by using the TCP load distribution feature.

NAT uses the following definitions:
■ Inside local address—The IP address that is assigned to a host on the inside network. Often, this is a nonregistered IP address.
■ Inside global address—A legitimate IP address that represents one or more inside local IP addresses to the outside world.
■ Outside local address—The IP address of an outside host as it appears to the inside network.
■ Outside global address—The IP address assigned to a host on the outside network by the owner of the host.

For a depiction of this NAT terminology, see Figure 3-2.

FIGURE 3-2 NAT terminology (inside local 10.20.0.10 is translated to inside global 2.0.0.1; the outside host is seen as outside local and outside global 2.2.2.2)

Translating inside source addresses
You can configure static or dynamic inside source translation:
■ Static translation establishes a one-to-one mapping between your inside local address and an inside global address. Static translation is useful when a host on the inside must be accessible by a fixed address from the outside. Note that the mapping works in both directions: the inside host becomes reachable from the outside on every port unless an access list on the outside interface restricts it.
■ Dynamic translation establishes a mapping between an inside local address and a pool of global addresses.

Configuring static translations
To establish a static translation between an inside local address and an inside global address, use the following global configuration command:
Router(config)# ip nat inside source static local-ip global-ip

To mark the appropriate interface as connected to the inside, use the following interface configuration command:
Router(config-if)# ip nat inside

To mark the appropriate interface as connected to the outside, use the following interface configuration command:
Router(config-if)# ip nat outside

Configuring dynamic translations
To define a pool of global addresses to be allocated as needed, use the following global configuration command:
Router(config)# ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}

To define a standard access list permitting those addresses that are to be translated, use the following global configuration command:
Router(config)# access-list access-list-number permit source [source-wildcard]

Next, establish dynamic source translation, specifying the access list defined in the prior step, using the following global configuration command:
Router(config)# ip nat inside source list access-list-number pool name

Translating overlapping addresses
You can use NAT to translate inside addresses that overlap with outside addresses. Use this feature if the IP addresses in your stub network are legitimate IP addresses belonging to another network and you want to communicate with those hosts or routers. You can configure the translations using static or dynamic means. To do so, use the same commands from the “Translating inside source addresses” section, but use the ip nat outside source syntax.

To mark the appropriate interface as connected to the inside, use the following interface configuration command:
Router(config-if)# ip nat inside

To mark the appropriate interface as connected to the outside, use the following interface configuration command:
Router(config-if)# ip nat outside

Overloading an inside global address
You can conserve addresses in the inside global address pool by allowing the router to use one global address for many local addresses. When multiple local addresses map to one global address, the TCP or UDP port numbers of each inside host distinguish between the local addresses. To permit this behavior, use the dynamic translations configuration from the previous section and include the overload keyword as follows:
Router(config)# ip nat inside source list access-list-number pool name overload

TCP load distribution
If your organization has multiple hosts that must communicate with a heavily used host, you can establish a virtual host on the inside network that coordinates load sharing among real hosts. Destination addresses that match an access list are replaced with addresses from a rotary pool. Allocation is done on a round-robin basis, and only when a new connection is opened from the outside to the inside. First, define a pool of addresses containing the addresses of the real hosts in global configuration mode:
Router(config)# ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length} type rotary

Next, define an access list permitting the address of the virtual host in global configuration mode:
Router(config)# access-list access-list-number permit source [source-wildcard]

Next, establish dynamic inside destination translation, specifying the access list defined in the prior step:
Router(config)# ip nat inside destination list access-list-number pool name
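As an added illustration (not code from the Quick Reference Sheets or from Cisco IOS), the following Python model shows the two translation behaviors configured in this section: overloading, where one inside global address is shared and the router-assigned port distinguishes the inside hosts, and TCP load distribution, where a rotary pool hands out real-host addresses round-robin for each new inbound connection to the virtual host. All addresses, ports and flows are constructed.

```python
import itertools


class OverloadedNat:
    """Models `ip nat inside source list ... pool ... overload` with a single
    inside global address shared by every inside host."""

    def __init__(self, inside_global, first_port=1024):
        self.inside_global = inside_global
        self._ports = itertools.count(first_port)
        self.table = {}      # (inside_local, local_port) -> global_port
        self.reverse = {}    # global_port -> (inside_local, local_port)

    def translate_outbound(self, inside_local, local_port):
        """Return the (inside_global, global_port) pair the outside sees for this flow.

        An existing entry is reused; a new flow gets the next unused global port.
        (A real router prefers to keep the original source port when it is free;
        this model simply hands out the next port, which is enough to show why
        the port, not the address, identifies the inside host.)
        """
        key = (inside_local, local_port)
        if key not in self.table:
            global_port = next(self._ports)
            self.table[key] = global_port
            self.reverse[global_port] = key
        return self.inside_global, self.table[key]

    def translate_inbound(self, global_port):
        """Map a returning packet's destination port back to (inside_local, local_port),
        or None when no translation exists (the packet is dropped)."""
        return self.reverse.get(global_port)

    def clear(self):
        """Equivalent of `clear ip nat translation *`: drop every dynamic entry."""
        self.table.clear()
        self.reverse.clear()


class RotaryPool:
    """Models `ip nat pool ... type rotary` used by `ip nat inside destination list ...`:
    connections to the virtual host are spread over the real hosts round-robin."""

    def __init__(self, virtual_host, real_hosts):
        self.virtual_host = virtual_host
        self._next_real = itertools.cycle(real_hosts)
        self.connections = {}    # (outside_host, outside_port) -> real host

    def map_destination(self, outside_host, outside_port, destination):
        """Return the inside address a packet arriving from the outside is delivered to.

        Only packets addressed to the virtual host (the access-list match) are
        translated, and a real host is allocated only when a new connection opens;
        later packets of the same connection keep their real host.
        """
        if destination != self.virtual_host:
            return destination
        key = (outside_host, outside_port)
        if key not in self.connections:
            self.connections[key] = next(self._next_real)
        return self.connections[key]
```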

To mark the appropriate interface as connected to the inside, use the following interface configuration command:
Router(config-if)# ip nat inside

To mark the appropriate interface as connected to the outside, use the following interface configuration command:
Router(config-if)# ip nat outside

Monitoring and maintaining NAT
To clear all dynamic address translation entries from the NAT translation table, use the following command:
Router# clear ip nat translation *

To clear a simple dynamic translation entry containing an inside translation, or both inside and outside translation, use the following command:
Router# clear ip nat translation inside global-ip local-ip [outside local-ip global-ip]

To clear a simple dynamic translation entry containing an outside translation, use the following command:
Router# clear ip nat translation outside local-ip global-ip

To clear an extended dynamic translation entry, use the following command:
Router# clear ip nat translation protocol inside global-ip global-port local-ip local-port [outside local-ip local-port global-ip global-port]

To display active translations, use the following command:
Router# show ip nat translations [verbose]

To display translation statistics, use the following command:
Router# show ip nat statistics

Internet Control Message Protocol
Internet Control Message Protocol (ICMP) assists the operation of the IP network by delivering messages about the network’s functionality, or lack thereof. ICMP includes functions for the following:
■ Communicating network errors—Such as host or network unreachable.
■ Announcing network congestion—An example is the ICMP Source Quench message, used to make a sender slow down its transmission because a router is buffering too many packets.

■ Providing troubleshooting tools—The Echo function is used by the ping utility to test connectivity between two systems.
■ Communicating timeouts in the network—If a packet’s TTL reaches 0, an ICMP message can be sent announcing this fact.

ICMP protocol unreachable messages
If the Cisco device receives a nonbroadcast packet destined for itself that uses an unknown protocol, it sends an ICMP protocol unreachable message back to the source. Similarly, if the device receives a packet that it is unable to deliver to the ultimate destination because it knows of no route to the destination address, it sends an ICMP host unreachable message to the source. This feature is enabled by default. To enable it if it has been disabled, use the following command:
Router(config-if)# ip unreachables

ICMP redirects
If the router resends a packet through the same interface on which it was received, the Cisco IOS Software sends an ICMP redirect message to the originator of the packet, telling the originator that the router is on a subnet directly connected to the receiving device and that it must forward the packet to another system on the same subnet. To enable the sending of ICMP redirect messages if this feature was disabled, use the following command:
Router(config-if)# ip redirects

Services
Network Time Protocol
There are many reasons that an administrator will want to keep the time accurate on all systems in the infrastructure. Network Time Protocol (NTP) assists the administrator in this goal by automatically synchronizing the time between network devices. Devices in the network running NTP can receive the correct time from an authoritative time source, such as a Cisco router, a radio clock, or an atomic clock attached to a timeserver. To configure a router to receive the time from an authoritative time source on the network, use the following command:
ntp server {{[vrf vrf-name] ip-address | hostname} [version number] [key key-id] [source interface] [prefer]}

Some platforms have a battery-powered hardware clock, referred to as the calendar, in addition to the software-based system clock. The hardware clock runs continuously, even if the router is powered off or rebooted. It is a good practice to periodically update the hardware clock with the time learned from NTP. To do this, use this command:
ntp update-calendar

To have the router provide the correct time for the network, you can use this command:
ntp master [stratum]

The stratum value is an indicator of how close a device is to the master time source. Consider it like a hop count. If you set the stratum to 1 on the router, you are indicating that it is itself the authoritative time source. You can also have the router synchronize the clock of a peer router, or be synchronized from that peer. The command to configure this is as follows:
ntp peer {{[vrf vrf-name] ip-address | hostname} [normal-sync] [version number] [key key-id] [source interface] [prefer]}

You should also note that NTP messages can be authenticated to ensure that accurate time is being sent to all devices.

DHCP
Cisco devices can function as DHCP servers. They can be configured to forward requests to secondary servers should the Cisco device be unable to satisfy the request. Figure 3-3 shows the four-step process that the router participates in to provide DHCP services.

FIGURE 3-3 DHCP (figure: a DHCP client and a DHCP-enabled router exchange DHCPDISCOVER (broadcast), DHCPOFFER (unicast), DHCPREQUEST (broadcast), and DHCPACK (unicast))

Configuring a Cisco device as a DHCP server
To configure the DHCP address pool name and enter DHCP pool configuration mode, use the following command:
Router(config)# ip dhcp pool name

The DHCP server assumes that all IP addresses in a DHCP address pool subnet are available for assigning to DHCP clients. You must specify the IP addresses that the DHCP server should not assign to clients. To do so, use the following command:
Router(config)# ip dhcp excluded-address low-address [high-address]

To configure a subnet and mask for the DHCP address pool, use the following command in DHCP pool configuration mode:
Router(config-dhcp)# network network-number [mask | /prefix-length]

Additional DHCP pool configuration mode commands enable you to configure additional parameters for the scope, including default gateway, domain name, DNS server addresses, Windows Internet Naming Service (WINS) server addresses, and so on.

Web Cache Communication Protocol
Web Cache Communication Protocol (WCCP) allows an administrator to forward web traffic to a Cisco cache engine. The Cisco cache engine reduces transmission costs and downloading time for clients. When users request web pages, the WCCP-capable router sends the requests to a cache engine. If the cache engine has a copy of the requested page in storage, the cache engine sends the user that page. If there is no cached copy, the cache engine retrieves the requested page from the web server, stores a copy, and forwards the page to the user. The routers and the cache engine operate transparently from the perspective of end users. End users do not know that the page came from the cache engine rather than the web server. The global configuration command used on the router to enable the protocol is this:
ip wccp {web-cache | service-number} [group-address group-address] [redirect-list access-list] [group-list access-list] [password [0-7] password]

To actually redirect traffic on an interface to a cache engine, use the following interface configuration command:
ip wccp {web-cache | service-number} redirect out

Domain Name System
Cisco routers can participate in the Domain Name System (DNS). For example, you can specify a default domain name that the Cisco IOS Software uses to complete domain name requests. You can specify either a single domain name or a list of domain names. Any IP hostname that does not contain a domain name has the domain name you specify appended to it before being added to the host table. To specify this domain name, use the following command:
Router(config)# ip domain name name

To define a list of default domain names to complete unqualified host names, use the following command:
Router(config)# ip domain list name

You can also specify DNS name servers for the router or switch to call on for name resolution. To do so, use the following command:
Router(config)# ip name-server server-address1 [server-address2...server-address6]

If you do not want to enable your router to use DNS for name resolution, you can use the following command to disable this default behavior:
Router(config)# no ip domain-lookup

Network Management
Logging and syslog
Cisco devices communicate with an administrator through system messages. These system messages are typically sent to a logging process, so they are most often called syslog messages. Syslog is also the name of the UNIX-based service that handles system messages from UNIX systems (and also from Cisco devices, if configured to do so). Logging is enabled by default. The no logging on command actually forces system messages to the console. This can impede the performance of the Cisco device because processes must wait for messages to be written to the console before they can continue their operations. It is recommended that the administrator leave the logging process enabled (the default behavior); that way, logging messages can be written to the console more efficiently. Because there is really no way to stop system messages from being sent to the console, administrators should use the logging synchronous command in line configuration mode. This command prevents these messages from “interrupting” typing at the console.

To have the Cisco device store syslog messages in an internal buffer, administrators should ensure the logging process is in its default enabled state (logging console command) and then use the command logging buffered. This will use a default size of 4096 bytes. This can be changed by specifying an optional size at the end of the logging buffered command. To view the contents of the buffer, there is the show logging command. The oldest messages display first. When the buffer fills to capacity, new messages overwrite the oldest messages. The buffer can be cleared at any time with the clear logging command.

Syslog messages can be stored on a server (UNIX- or Windows-based) in the network. CiscoWorks LAN Management Suite (LMS) features a built-in syslog server application that stores these messages in a searchable database. It allows the filtering of messages, reporting on messages, and even action filters that allow automated responses to certain messages, including pages and e-mails. To send system messages to a UNIX or CiscoWorks syslog server, ensure the logging process is enabled and then issue the command logging x.x.x.x, where x.x.x.x is the IP address of the syslog server. The command can be entered multiple times to configure multiple destinations for the messages.

To limit the sending of messages, use the logging trap level command, where level is the number or the name of the severity level. For example, logging trap notifications restricts the messages sent to only those of level 0 through 5. This keeps debugging and informational messages from being sent to the server. UDP port 514 is used for syslog messages, so be sure that your firewalls permit this port if you need the messages to pass through such devices.

UNIX syslog servers use a facility code to identify the source of syslog messages. They use this code to create different logs for the different sources of messages. Sample facilities include lpr for the Line Printer System and mail for the e-mail system. UNIX syslog servers reserve the facility codes local0 through local7 for log messages received from remote servers and network devices. To have switches use one log file on the server and routers use another, change the facility code for switches using the logging facility local6 command. By default, Cisco devices use local7 for their messages, so your router messages will be in a different log. Note that CiscoWorks requires the use of local7.

Some devices even allow logging of system messages to a file in flash memory. The command to do this is simply logging file flash:myname.txt. This command can also set size limits on the file and control the types of messages that are sent to flash.

Administrators should stamp syslog messages with the date and time that they were generated. This is accomplished with the service timestamps log datetime command.
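As an added example (not code from the Quick Reference Sheets or from Cisco IOS), the following Python models how the logging trap level and the local0 through local7 facility decide which system messages reach a syslog server and what PRI value they carry on UDP port 514; the message lines are constructed in IOS format, and the OSPF-7 mnemonic is hypothetical.

```python
import re

# IOS severity keywords in numeric order: the list index is the level number.
SEVERITY = ["emergencies", "alerts", "critical", "errors",
            "warnings", "notifications", "informational", "debugging"]

# RFC 3164 numeric facility codes for local0-local7 (local7 = 23 is the IOS default).
LOCAL_FACILITY = {"local%d" % i: 16 + i for i in range(8)}

# IOS system message header: %FACILITY-SEVERITY-MNEMONIC: message text
_MSG_RE = re.compile(r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+):\s*(?P<text>.*)")


def parse_ios_message(line):
    """Return (ios_facility, severity, mnemonic, text), or None for a line that is
    not an IOS system message."""
    m = _MSG_RE.search(line)
    if m is None:
        return None
    return m.group("fac"), int(m.group("sev")), m.group("mnem"), m.group("text")


def syslog_pri(facility_name, severity):
    """PRI value carried in the UDP/514 datagram: facility * 8 + severity
    (local7 at severity 5 gives <189>)."""
    return LOCAL_FACILITY[facility_name] * 8 + severity


def trap_threshold(level):
    """Resolve the `logging trap <level>` argument (keyword or 0-7) to an integer."""
    if isinstance(level, int):
        return level
    return SEVERITY.index(level)


def forwarded_to_server(lines, trap="informational", facility="local7"):
    """Model `logging x.x.x.x` with `logging trap <level>` and `logging facility <name>`.

    Only messages whose severity number is <= the trap level are sent; each
    forwarded message is returned as (pri, mnemonic). The default trap level is
    informational (6), so by default only debugging (7) messages are dropped.
    """
    threshold = trap_threshold(trap)
    forwarded = []
    for line in lines:
        parsed = parse_ios_message(line)
        if parsed is None:
            continue
        _fac, sev, mnem, _text = parsed
        if sev <= threshold:
            forwarded.append((syslog_pri(facility, sev), mnem))
    return forwarded


# Constructed sample messages in IOS format (not captured from a real device).
SAMPLE_LINES = [
    "*Mar  1 00:01:02.123: %SYS-5-CONFIG_I: Configured from console by vty0 (10.0.0.5)",
    "*Mar  1 00:01:05.456: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down",
    "*Mar  1 00:01:07.789: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.9]",
    "*Mar  1 00:01:09.000: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.0.0.20 started",
    "*Mar  1 00:01:11.222: %OSPF-7-HELLO_DEBUG: constructed debug-level line (hypothetical mnemonic)",
    "not a system message at all",
]

if __name__ == "__main__":
    # With `logging trap notifications` only levels 0-5 leave the device.
    for pri, mnem in forwarded_to_server(SAMPLE_LINES, trap="notifications"):
        print("<%d> %s" % (pri, mnem))
```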

Simple Network Management Protocol
Simple Network Management Protocol (SNMP) is a part of the TCP/IP suite of protocols. It gives powerful monitoring capabilities. CiscoWorks relies on SNMP and various other protocols to configure and monitor Cisco equipment. For an example, see Figure 3-4.

FIGURE 3-4 CiscoWorks (figure: an admin workstation reaches the CiscoWorks server over HTTP, and the CiscoWorks server manages the managed devices over SNMP)

Typically, you view information obtained by SNMP using a graphical user interface, like that provided by CiscoWorks. You should be aware of several show commands for monitoring SNMP activities on the equipment. Here are some examples:
■ no snmp-server—Disables SNMP agent operation
■ show snmp engineid—Displays the identification of the local SNMP engine and all remote engines that have been configured on the router
■ show management event—Displays the SNMP event values that have been configured on your routing device through the use of the event Management Information Base (MIB)
■ show snmp—Checks the status of SNMP communications
■ show snmp group—Displays the names of groups on the router and the security model, the status of the different views, and the storage type of each group
■ show snmp pending—Displays the current set of pending SNMP requests
■ show snmp sessions—Displays the current SNMP sessions
■ show snmp user—Displays information on each SNMP username in the group username table

SNMP Version 2c
At a minimum, to configure a Cisco device for SNMP, you need to assign passwords—known as community strings in SNMP. Here are typical Cisco IOS global configuration commands for setting strings that permit configuration and monitoring, respectively:
snmp-server community [string] rw
snmp-server community [string] ro

SNMP Version 3
SNMP Version 3 dramatically improves upon the security model for the management protocol. Whereas previous versions used clear-text passwords, SNMP Version 3 provides for authentication and encryption of network management information. With SNMP Version 3, you create a view that defines what MIB variables a particular user or group of users can access. Here is the syntax to create a view. Note that all the commands that follow are global configuration mode commands:
snmp-server view view-name oid-tree {included | excluded}

Notice how you provide the view with a name, and then you specify the portion of the MIB tree that the user can access. The example here adds the Internet portion of the tree and everything below it to the view name SAMPLEVIEW. This is basically the entire MIB structure:
snmp-server view SAMPLEVIEW internet included

If you want a user or group of users to be able to access this view of the MIB that you defined, use the following syntax:
snmp-server group [groupname {v1 | v2c | v3 [auth | noauth | priv]}] [read readview] [write writeview] [notify notifyview] [access access-list]

Here is an example of the creation of a group to use the view:
snmp-server group MYSAMPLEGROUP v3 auth read SAMPLEVIEW

Adding a user account to this group is a simple matter. Use the syntax shown here:
snmp-server user username groupname [remote ip-address [udp-port port]] {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password]} [access access-list]

Here is sample syntax using the group we just created:
snmp-server user jsmith MYSAMPLEGROUP v3 auth md5 secret
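The commands above contrast clear-text v1/v2c community strings with authenticated SNMPv3 groups and users. As an added example (not code from the Quick Reference Sheets or from Cisco), the following Python audit scans a configuration excerpt for the snmp-server forms shown above and flags the weak settings; the configuration text is constructed, and the LEGACYGROUP name is hypothetical.

```python
import re

# Shapes of the global configuration commands shown above (optional parts in ?-groups).
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+) (ro|rw)(?:\s+(\S+))?$")
GROUP_RE = re.compile(r"^snmp-server group (\S+) (v1|v2c|v3)(?:\s+(auth|noauth|priv))?(.*)$")
USER_RE = re.compile(r"^snmp-server user (\S+) (\S+) (v1|v2c|v3)(?:\s+auth\s+(md5|sha)\s+\S+)?(.*)$")

WELL_KNOWN_STRINGS = {"public", "private"}


def audit_snmp_config(config_text):
    """Return one (severity, config_line, note) tuple per risky snmp-server line."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            community, mode, acl = m.groups()
            # A community string is the whole credential and travels in clear text.
            severity = "high" if mode == "rw" else "medium"
            note = "v1/v2c community string sent in clear text, %s access" % mode.upper()
            if acl is None:
                note += "; no access-list limits which managers may use it"
            if community.lower() in WELL_KNOWN_STRINGS:
                note += "; well-known default string"
            findings.append((severity, line, note))
            continue
        m = GROUP_RE.match(line)
        if m:
            _name, version, level, _rest = m.groups()
            if version != "v3":
                findings.append(("medium", line, "%s group: no authentication or encryption" % version))
            elif level == "noauth":
                findings.append(("high", line, "v3 group with noauth: requests are not authenticated"))
            elif level == "auth":
                findings.append(("low", line, "v3 auth without priv: management data is not encrypted"))
            # level == "priv" (authentication and encryption) raises nothing.
            continue
        m = USER_RE.match(line)
        if m:
            _user, _group, version, hash_alg, _rest = m.groups()
            if version == "v3" and hash_alg == "md5":
                findings.append(("low", line, "v3 user authenticates with MD5; SHA is the stronger choice"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 2, 'medium': 1, 'low': 2}."""
    counts = {}
    for severity, _line, _note in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


# Constructed configuration excerpt reusing the names from the examples above.
SAMPLE_CONFIG = """
hostname R1
snmp-server community public rw
snmp-server community s3cret ro 10
snmp-server view SAMPLEVIEW internet included
snmp-server group MYSAMPLEGROUP v3 auth read SAMPLEVIEW
snmp-server group LEGACYGROUP v3 noauth read SAMPLEVIEW
snmp-server user jsmith MYSAMPLEGROUP v3 auth md5 secret
"""

if __name__ == "__main__":
    for severity, line, note in audit_snmp_config(SAMPLE_CONFIG):
        print("[%s] %s -> %s" % (severity, line, note))
```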

Switched Port Analyzer
Network analysis in a switched Cisco environment is handled using Switched Port Analyzer (SPAN). Traffic is mirrored from source ports to a destination port on the switch; a network analyzer should be located at the destination switch. SPAN is available in several forms:
■ Local SPAN—SPAN source port(s) and the destination port are located on the same device.
■ VLAN-based SPAN (VSPAN)—The source is a VLAN as opposed to one or more ports.
■ Remote SPAN (RSPAN)—The SPAN source and destination ports are located on different switches; a special-purpose VLAN carries the mirrored frames to the destination port in the network.

FIGURE 3-5 RSPAN (figure: source switches A and B at the building access layer, intermediate switch C at the building distribution layer, and destination switch D in the data center with a probe attached to the destination port. The configuration shown in the figure is:
1. On the VTP server: vlan999 / remote span
2. On a source switch: monitor session 1 source interface fast ethernet 1/1 both / monitor session 1 destination remote vlan999
3. On the destination switch: monitor session 1 source remote vlan999 / monitor session 1 destination interface fa4/48)

Figure 3-5 shows a sample RSPAN configuration.

You should be aware of important guidelines for SPAN:
■ You can configure destination ports as trunks to capture tagged traffic.
■ A port specified as a destination port in one SPAN session cannot be a destination port for another SPAN session.
■ A port channel interface (an EtherChannel) cannot be a destination.
■ If you specify multiple ingress source ports, the ports can belong to different VLANs.
■ Destination ports never participate in any spanning-tree instance.

CHAPTER 4

IP Routing
Open Shortest Path First
Open Shortest Path First (OSPF) link-state routing protocol is designed to be more scalable and efficient than Routing Information Protocol (RIP). Some OSPF features you should be aware of are as follows:
■ Runs on IP and uses protocol 89.
■ Classless with variable-length subnet mask (VLSM) support.
■ Uses multicasts (224.0.0.5—all shortest path first [SPF] routers; 224.0.0.6—Designated Router [DR]/Backup Designated Router [BDR]) for hellos and updates.
■ Plain text and Message Digest Algorithm 5 (MD5) authentication available.
■ Dijkstra’s algorithm is used to produce a shortest-path tree for each destination.
■ Link-state advertisements are used to build a database of the topology.

OSPF adjacencies
■ Occurs through the exchange of hello packets.
■ After adjacency is established, link-state databases (LSDB) are synched.
■ Two OSPF neighbors on a point-to-point link form full adjacency with each other.
■ In LANs, all routers form adjacency with the DR and BDR; updates need to be sent only to the DR, which updates all other routers; all other routers on the LAN are called DROTHERS and maintain a partial neighbor relationship with each other.
■ After adjacencies have been established, LSAs are exchanged through a reliable mechanism. LSAs are flooded to ensure topological awareness.
■ LSAs have a sequence number and a lifetime value. LSAs convey the cost of links used for the SPF calculation. The cost metric is based on interface bandwidth. The LSA aging timer is a 30-minute default.

OSPF packet types
■ Type 1, Hello—These packets are used to build adjacencies
■ Type 2, Database Description (DBD)—Checks for database synchronization between routers
■ Type 3, Link-State Request (LSR)—Requests link state specifics from the router
■ Type 4, Link-State Update (LSU)—Sends requested link-state records
■ Type 5, Link-State Acknowledgment (LSAck)—Acknowledges the other packet types

Hello packets are sent periodically and contain the following fields:
■ Router ID—Identifies the router; highest IP chosen; loopback overrides all interfaces, however; can also be set with the router-id command; this ID is used to break ties for DR election.
■ Hello/Dead intervals—Frequency at which hellos are sent and the amount of time that can elapse before a router is declared dead; the default hello interval is 10 seconds, and the default dead interval is 4 times that for an Ethernet-type network; these defaults vary based on network type.
■ Neighbors—List of the adjacent routers.
■ Area ID—Area identifier (always 0 for backbone).
■ Router priority—Priority value used for DR and BDR election.
■ DR/BDR addresses—IP addresses of the DR and BDR if known.
■ Authentication password—This password must match on routers configured for authentication.
■ Stub area flag—All routers in the area must agree on this setting to form a stub area.

Here are the details of the exchange process between two routers on a LAN (Router 1 and Router 2) and the OSPF adjacency states involved:
1. Router 1 begins in the down state because it is not exchanging OSPF information with any other router. It sends hello packets via multicast address 224.0.0.5 (all SPF).
2. Router 2 receives the OSPF hello and adds Router 1 to its list of neighbors. This is the beginning of the Init State.
3. Router 2 sends a unicast hello packet response to Router 1.
4. Router 1 receives the hello and notes that it is listed in the packet. It adds Router 2 to its list of neighbors. Router 1 knows that it has bidirectional communication with Router 2. This is known as the two-way state.
5. In a LAN environment, the DR and BDR are elected.
6. In a LAN environment, the hello packets function as a keepalive mechanism every 10 seconds.

After the DR and BDR are established, the routers are in Exstart State, and they are ready to exchange database information. The exchange protocol functions as follows:
1. In the Exstart State, the DR and BDR establish an adjacency with each router in the network; a master-slave relationship is formed with the router ID indicating the master in the relationship.
2. The master and slave routers exchange DBD packets; this is called the Exchange State. The LSAs in the DBD include sequence numbers that are used to indicate “freshness.”
3. When a DBD is received, the router acknowledges the receipt and compares the information with its current database. If more recent information is described in the DBD, the router sends an LSR to request the information. This is called the Loading State. The router receiving the LSR responds with an LSU; this LSU is also acknowledged by the receiver.
4. The router adds the new information to its LSDB.
5. When the exchange completes, the routers are in Full State.

Router information is later maintained using the following process:
1. The router notices the change and multicasts an LSU to the OSPF DR and BDR multicast address of 224.0.0.6.
2. The DR acknowledges the LSU and floods it to all using multicast 224.0.0.5. This process involves acknowledgments, too.
3. The DR also sends the LSU to any other networks to which it is attached.
4. Routers update their LSDB with the new information in the LSU.

Summaries are sent every 30 minutes to ensure synchronization, and link state entries have a Max Age of 60 minutes.

Point-to-point links
Typically, a point-to-point link is a serial link, but it might also be a subinterface in a Frame Relay or ATM network. No DR or BDR election exists in the point-to-point environment. Packets are multicast to 224.0.0.5.

Nonbroadcast multiaccess modes of operation
RFC-compliant modes:

Nonbroadcast multiaccess (NBMA)
■ One IP subnet required.
■ Must manually configure neighbors—neighbor address [priority number] [poll-interval number]
■ DR/BDR election.
■ DR/BDR need full connectivity with all routers.
■ Sometimes used in partial mesh.
■ Frame Relay and ATM networks default to this type.

Point-to-multipoint
■ One IP subnet required.
■ Hello packets used to discover neighbors.
■ DR/BDR not required.
■ Sometimes used in partial mesh.

Modes from Cisco:

Point-to-multipoint nonbroadcast
■ Used if interface does not support multicast capabilities.
■ Neighbors must be manually configured.
■ DR/BDR election is not required.

Broadcast
■ Makes WAN appear as LAN.
■ One IP subnet required.
■ Hellos discover neighbors.
■ DR/BDR elected.
■ Requires full mesh.

Point-to-point
■ One IP subnet required.
■ No DR/BDR election.
■ Interfaces can be LAN or WAN.

You can use the following command to define the OSPF network type:
Router(config-if)# ip ospf network [{broadcast | nonbroadcast | point-to-multipoint | point-to-multipoint nonbroadcast}]

Here is an example of statically defining adjacencies in a nonbroadcast multiaccess environment:
RouterA(config)# router ospf 1
RouterA(config-router)# network 172.16.0.0 0.0.255.255 area 0
RouterA(config-router)# neighbor 172.16.0.5 priority 0
RouterA(config-router)# neighbor 172.16.0.10 priority 0

Priorities are set to 0 for the neighboring routers to ensure that RouterA becomes the DR. This is the only router with full connectivity. Note that you can also set a router’s priority locally using the ip ospf priority interface configuration command.

Troubleshooting neighbor relationships
OSPF neighbor list is empty:
■ OSPF not enabled properly on appropriate interfaces.
■ Layer 1 or 2 not functional.
■ Passive interface configured.
■ Access list(s) blocking OSPF packets in multiple directions.
■ Error in IP address or subnet mask configuration.
■ Hello or dead interval mismatch.
■ Authentication configuration error.
■ Area ID mismatch.
■ Stub flag mismatch.
■ OSPF adjacency exists with secondary IP addressing or asynchronous interface.
■ Incorrect configuration type for NBMA environment.

OSPF neighbor stuck in Attempt State:
■ Misconfigured neighbor statement.
■ Unicast nonfunctional in NBMA environment.

OSPF neighbor stuck in Init State:
■ Access list or Layer 2 problem blocking hellos in one direction.

■ Multicast nonfunctional on one side.
■ Authentication configured on only one side.
■ Broadcast keyword missing from the map command.

OSPF neighbor stuck in Two-Way State:
■ Priority 0 configured on all routers.

OSPF neighbor stuck in Exstart/Exchange State:
■ Mismatched interface maximum transmission unit (MTU).
■ Duplicate router IDs on routers.
■ Broken unicast connectivity.
■ Network type of point-to-point between Primary Rate Interface (PRI) and Basic Rate Interface (BRI)/dialer.

OSPF neighbor stuck in Loading State:
■ Mismatched MTU.
■ Corrupted link-state request packet.

Router types
■ Internal routers—All interfaces belong within the same area; these routers have a single link-state database.
■ Area Border Routers (ABR)—Connect one or more areas to the backbone; act as gateway for interarea traffic; separate link-state database for each connected area.
■ Backbone routers—At least one interface in the backbone area.
■ Autonomous System Boundary Router (ASBR)—Inject routes into the OSPF network learned from another protocol; this router might be located anywhere (it might also be backbone, internal, or ABR).

FIGURE 4-1 OSPF router types (figure: an autonomous system with the backbone area (area 0) and areas 10 and 20; an external routing protocol enters through an autonomous system boundary router that is also a backbone router; area border routers that are also backbone routers connect the areas to the backbone; the figure also shows an internal and backbone router in area 0 and an internal router in a non-backbone area)
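As an added example (not code from the Quick Reference Sheets or from Cisco), the following Python checks a pair of interfaces against the hello fields listed earlier and the neighbor troubleshooting items above, and applies the DR/BDR election rule that the priority-0 NBMA example relies on. The router IDs, addresses and settings are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class OspfInterface:
    """Hello-packet fields and interface settings that must agree for an adjacency."""
    router_id: str
    address: str                      # interface address with prefix, e.g. "172.16.0.1/24"
    area: int
    hello: int = 10                   # hello interval, seconds
    dead: int = 40                    # dead interval, seconds
    network_type: str = "broadcast"
    auth_key: Optional[str] = None    # None = no authentication; otherwise keys must match
    stub: bool = False                # stub area flag carried in the hello
    priority: int = 1                 # DR/BDR election priority (0 = never DR/BDR)
    mtu: int = 1500


def adjacency_blockers(a: OspfInterface, b: OspfInterface) -> List[str]:
    """Return the entries from the troubleshooting lists that apply to this pair.

    Hello-level mismatches leave the neighbor list empty; the MTU and duplicate
    router ID checks are the Exstart/Exchange causes. An empty list means the
    settings alone do not prevent a full adjacency.
    """
    reasons = []
    if a.area != b.area:
        reasons.append("Area ID mismatch")
    if (a.hello, a.dead) != (b.hello, b.dead):
        reasons.append("Hello or dead interval mismatch")
    if a.auth_key != b.auth_key:
        reasons.append("Authentication configuration error")
    if a.stub != b.stub:
        reasons.append("Stub flag mismatch")
    if a.network_type != b.network_type:
        reasons.append("Incorrect configuration type for NBMA environment")
    # Both sides must agree on the subnet, except on point-to-point links,
    # where the mask is not checked.
    if a.network_type != "point-to-point":
        net_a = ipaddress.ip_interface(a.address).network
        net_b = ipaddress.ip_interface(b.address).network
        if net_a != net_b:
            reasons.append("Error in IP address or subnet mask configuration")
    if a.mtu != b.mtu:
        reasons.append("Mismatched interface maximum transmission unit (MTU)")
    if a.router_id == b.router_id:
        reasons.append("Duplicate router IDs on routers")
    return reasons


def elect_dr_bdr(routers: List[OspfInterface]) -> Tuple[Optional[str], Optional[str]]:
    """DR and BDR for a multiaccess segment whose routers start at the same time:
    highest priority wins, highest router ID breaks ties, priority 0 never takes part.
    With every router at priority 0 there is no DR, which is the
    'stuck in Two-Way State' case from the troubleshooting list."""
    eligible = [r for r in routers if r.priority > 0]
    ranked = sorted(eligible,
                    key=lambda r: (r.priority, int(ipaddress.ip_address(r.router_id))),
                    reverse=True)
    dr = ranked[0].router_id if ranked else None
    bdr = ranked[1].router_id if len(ranked) > 1 else None
    return dr, bdr


# Constructed NBMA segment: RouterA is the hub, its neighbors run priority 0 as in the
# configuration example above, so only RouterA can become the DR.
ROUTER_A = OspfInterface("172.16.0.1", "172.16.0.1/24", area=0, network_type="nonbroadcast")
ROUTER_B = OspfInterface("172.16.0.5", "172.16.0.5/24", area=0, network_type="nonbroadcast", priority=0)
ROUTER_C = OspfInterface("172.16.0.10", "172.16.0.10/24", area=0, network_type="nonbroadcast", priority=0)
# A spoke whose timers and authentication were changed on one side only.
ROUTER_BAD = OspfInterface("172.16.0.20", "172.16.0.20/24", area=0, network_type="nonbroadcast",
                           hello=30, dead=120, auth_key="ospfkey", priority=0)

if __name__ == "__main__":
    print("DR/BDR:", elect_dr_bdr([ROUTER_A, ROUTER_B, ROUTER_C]))
    print("A<->BAD:", adjacency_blockers(ROUTER_A, ROUTER_BAD))
```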

LSA types
OSPF uses various types of LSAs in its operation. You should be familiar with the following types for the CCIE written exam.

Type   Description
1      Router
2      Network
3      Network Summary
4      ASBR Summary
5      AS External
7      NSSA External

■ Router LSA (Type 1)—Lists all of a router’s links and their state. These LSAs are flooded within the area they originated.
■ Network LSA (Type 2)—Produced by the DR on every multiaccess network. These LSAs list all attached routers, including the DR itself; they are flooded within the originating area.
■ Network Summary (Type 3)—Originated by ABRs; sent into an area to advertise destinations outside the area; flooded throughout the autonomous system.
■ ASBR Summary (Type 4)—Also originated by ABRs; the destination advertised is an ASBR; flooded throughout the autonomous system.
■ AS External (Type 5)—Originated by ASBRs and advertises an external destination or a default route to an external destination; flooded throughout the autonomous system.
■ NSSA External (Type 7)—Originated by ASBRs in not-so-stubby areas.

Types of routes
OSPF uses routing designators in the routing table to distinguish between types of routes. Here are the designators used and their meaning. Remember, these can be seen using the show ip route command:
■ O—OSPF intra-area (router LSA)—Networks from within the same area as the router; Type 1 LSAs are used to advertise.
■ O IA—OSPF interarea (summary LSA)—These are networks outside of the area of the router, but within the autonomous system; Type 3 LSAs are used to advertise.
■ O E1—Type 1 external routes—Networks outside of the autonomous system; advertised by Type 5 LSAs; calculate cost by adding the external cost to the internal cost of each link that the packet crosses; used when multiple ASBRs are advertising the external route.
■ O E2—Type 2 external routes—Networks outside of the autonomous system; advertised by Type 5 LSAs; cost is always the external cost only. This is the default type on Cisco routers.

© 2007 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 132 for more details.

[ 45 ]

CHAPTER 4


Areas
Routers in the same area must share an identical link-state database. Area ID 0 is reserved for the backbone area. All interarea traffic and routing information pass through the backbone, which is responsible for distributing summary information about each area to every other area. You configure a router for the backbone area by placing interface(s) in area 0 via the network command. For example:
Router(config)# router ospf 1
Router(config-router)# network 10.10.0.1 0.0.0.0 area 0

FIGURE 4-2
OSPF areas: an autonomous system with a backbone area (Area 0) and two nonbackbone areas, Area 10 and Area 20, attached to it.

Stub area—An area into which external LSAs are not flooded (Type 4 and Type 5 LSAs are blocked); external destinations are reached through a default route injected by the ABR. The stub flag is carried in hello packets, so adjacencies do not form with any router in the area that is not also configured as stub. Virtual links cannot be configured through a stub area. To configure an area as stub, use the following router configuration command on every router in the area:
Router(config-router)# area area-id stub

Totally stubby area—Also blocks summary LSAs (Type 3); the only exception is a single Type 3 LSA carrying the default route. To configure an area as totally stubby, use the following command:
Router(config-router)# area area-id stub [no-summary]

The no-summary keyword needs to be used on the ABR only; the other routers in the area are configured as plain stub. You can change the cost of the default route sent into the totally stubby area using the following router configuration command (default cost is 1):
area area-id default-cost cost

FIGURE 4-3
Stub and totally stubby areas: Area 10 (stub) does not accept AS External LSAs (Type 5). Area 20 (totally stubby) does not accept AS External LSAs (Type 5), ASBR Summary LSAs (Type 4), or Network Summary LSAs (Type 3).

Not-so-stubby area—Allows external routes to be advertised into the stub area as Type 7 LSAs. A not-so-stubby area (NSSA) ASBR generates the Type 7 LSA, and an NSSA ABR translates it into a Type 5 LSA, which gets sent into the rest of the OSPF domain. To configure an NSSA, use the following router configuration command:
area area-id nssa [no-redistribution] [default-information-originate]

The area area-id nssa command is used on all routers in the area; it is used in place of the area stub command.

FIGURE 4-4
Not-so-stubby areas: routes from a RIP autonomous system (10.10.0.0) are redistributed into NSSA 1 as Type 7 LSAs; the NSSA ABR translates them into Type 5 LSAs before flooding them into Area 0.

Configuring basic single-area OSPF
First, you must enable the OSPF routing process on the router using the following global configuration command:
router ospf process-id

Use the network command in router configuration mode to identify those interfaces that are to participate in OSPF (the mask is a wildcard mask, and the area ID is required):
network address wildcard-mask area area-id

Verification commands include the following:
■ show ip protocols
■ show ip route ospf
■ show ip ospf interface
■ show ip ospf
■ show ip ospf neighbor [detail]

Here is a summary of the LSA types permitted in each area (a totally stubby area receives a single Type 3 LSA for the default route only):

Area            LSA 1  LSA 2  LSA 3         LSA 4  LSA 5  LSA 7
Backbone        Yes    Yes    Yes           Yes    Yes    No
Nonbackbone     Yes    Yes    Yes           Yes    Yes    No
Stub            Yes    Yes    Yes           No     No     No
Totally stubby  Yes    Yes    Default only  No     No     No
NSSA            Yes    Yes    Yes           No     No     Yes

OSPF router ID
The router ID is how the router is identified in OSPF. The router ID also is used to break a tie for DR/BDR election if the administrator has not set OSPF priority values on the routers using the ip ospf priority interface command; the router with the highest router ID wins the election in that case. Here is the process for router ID selection:
1. The router ID as set with the router-id address router configuration command. If you use this command after OSPF has already selected a router ID, use clear ip ospf process to restart the process so that the new router ID takes effect.
2. The highest IP address on a loopback interface.
3. The highest IP address on an active interface.

Use show ip ospf to verify the router ID selection.

Default route advertisements in OSPF
For an OSPF router to advertise a default route into an area, the command default-information originate must be used. If the advertising router does not possess a default route in its routing table, you can use the always keyword to generate the default route to 0.0.0.0 regardless. The complete router configuration command syntax for generating default routes is as follows:
default-information originate [always] [metric metric-value] [metric-type type-value] [route-map map-name]

If you do not specify a metric value, the default of 10 is used. The metric-type option allows you to specify a Type 1 or Type 2 external route. Finally, the route-map option allows you to control the generation of the default route further: the default route is generated only if the route map is satisfied.

Route summarization
Two types of summarization exist in OSPF: interarea summarization, which is performed on ABRs, and external route summarization, which is performed on ASBRs for routes redistributed into the OSPF autonomous system. To configure interarea route summarization on the ABR, use the following router configuration command:
area area-id range address mask

To configure route summarization on an ASBR to summarize external routes, use the following router configuration command:
summary-address address mask [not-advertise] [tag tag]

The optional not-advertise keyword suppresses routes that match the specified prefix. The tag value is carried with the summary and can be used as a match value for controlling redistribution with route maps.

Authentication
Type 1—clear text; least secure. The password is carried unencrypted in the authentication field of every OSPF packet, so anyone who can capture traffic on the segment can read it. To configure:
Step 1. Enable area authentication on all routers in the area; use the following router configuration command:
area area-id authentication
Step 2. Enter the clear-text password on the interface in interface configuration mode:
ip ospf authentication-key password

Type 2—MD5; most secure. The password itself is never sent; each packet carries a key ID, a cryptographic sequence number, and an MD5 digest computed over the packet and the shared key, so a neighbor can detect modified or replayed packets. The key ID and password must match on the routers sharing the link. To configure:
Step 1. Enable MD5 area authentication on all routers in the area using router configuration mode:
area area-id authentication message-digest
Step 2. Set the key ID and password on the interfaces using interface configuration mode:
ip ospf message-digest-key key-id md5 password

Changing the cost metric
The Cisco implementation of OSPF calculates the metric using the following formula:
cost = reference bandwidth / bandwidth
The default reference bandwidth is 100 Mbps. The bandwidth value is that which is configured on the interface using the bandwidth command (or the interface's default bandwidth). Because the result is truncated to an integer with a minimum of 1, every interface of 100 Mbps or faster gets the same cost of 1 with the default reference bandwidth. If you are using many interfaces faster than 100 Mbps, consider resetting the reference bandwidth value. You can do so on each router using the following router configuration mode command:
auto-cost reference-bandwidth refbw

Note that reference bandwidth is in megabits per second and should be set identically on every router in the domain so that costs are consistent. For example, if you want Gigabit Ethernet interfaces to evaluate to a cost of 5, set the refbw on each router to 5000. (Valid values are from 1 to 4,294,967.)

You can also override the calculated cost value on any interface directly by using the following interface configuration command:
ip ospf cost value

Values range from 1 to 65,535.

Optional OSPF interface parameters
Additional optional interface parameters not covered elsewhere in this Short Cut include the following:
■ ip ospf retransmit-interval—Specifies the number of seconds between LSA retransmissions.
■ ip ospf transmit-delay—Sets the estimated number of seconds required to send a link-state update over the interface.
■ ip ospf hello-interval—Specifies the time between hello packets; must match on all routers on the network segment.
■ ip ospf dead-interval—Number of seconds without a hello before the neighbor is considered dead; must match on all routers on the network segment.

Administrative distance and OSPF
Three different administrative distance values are possible for OSPF: intra-area routes, interarea routes, and external routes. By default, all are set to 110; these can be changed with the following router configuration command:
distance ospf {[intra-area dist1] [inter-area dist2] [external dist3]}

Changing LSA group pacing
Routers group LSAs and pace refreshing, checksumming, and aging functions so that the resource strain on the router is reduced. This is default behavior; it can be tweaked with the following router configuration command:
timers lsa-group-pacing seconds

OSPF passive interface
To set a passive interface in OSPF, use the following router configuration command:
passive-interface interface-type interface-number

When used with OSPF, this command prevents the interface from sending hello packets and therefore prevents an adjacency from forming. It also prevents the sending or receiving of routing information through the interface. The network on the interface is still advertised, so the interface appears as a stub network in the OSPF domain. This is the appropriate setting for user-facing segments where no neighbor is expected, because an unexpected device on that segment cannot form an adjacency.

Blocking LSA flooding
You can prevent the default flooding behavior; to do so on a broadcast, nonbroadcast, or point-to-point network, use the following interface configuration command:
ip ospf database-filter all out

On point-to-multipoint networks, use the following router configuration command:
neighbor ip-address database-filter all out

Configuring route calculation timers
You can configure the delay between when a topology change is received and when the SPF calculation takes place. You can also configure the hold time between two consecutive SPF calculations. Use the following router configuration command:
timers spf spf-delay spf-holdtime

Reducing LSA flooding
Reduces the flooding of LSAs in stable topologies by setting LSAs to "do not age" (the DoNotAge bit), so that they are not refreshed every 30 minutes; this is accomplished with the following interface configuration command on a per-interface basis:
ip ospf flood-reduction

Virtual links
A virtual link is a link to the backbone through a nonbackbone area. Virtual links are created between two ABRs, and the transit area cannot be a stub area. Virtual links are typically implemented as a temporary fix for OSPF design issues. For example, they can be used to connect an area that has no direct connection to the backbone area, or to connect two disconnected parts of area 0 (a partitioned backbone). The following router configuration command configures a virtual link; it is entered on each of the two ABRs, naming the other ABR by its router ID:
area transit-area-id virtual-link router-id-of-remote

FIGURE 4-5
Virtual links: Area 10 has no direct connection to Area 0, so a virtual link through transit Area 1 connects it to the backbone.

OSPF over on-demand circuits
On-demand circuit is an enhancement that allows efficient operation over dialup, ISDN, and other on-demand circuits. With this feature, periodic hellos are suppressed, and the periodic refreshes of LSAs are not flooded over the demand circuit. These types of packets bring up the link only the first time, or when you have a topology change that needs to be propagated. To configure OSPF for on-demand circuits on a per-interface basis, use the following interface configuration command:
ip ospf demand-circuit

If the router is part of a point-to-point topology, only one end of the demand circuit must be configured with this command, although all routers must support the feature. If the router is part of a point-to-multipoint topology, only the multipoint end must be configured with this command. Also, this feature does not work in a broadcast-based topology. Finally, the feature is not supported for use with an asynchronous interface.

OSPF Graceful Restart
RFC 3623 defines OSPF Graceful Restart. This functionality is incorporated into Cisco routers thanks to the Nonstop Forwarding (NSF) capability that Cisco has engineered into the Border Gateway Protocol (BGP), Enhanced Interior Gateway Routing Protocol (EIGRP), OSPF, and Intermediate System-to-Intermediate System (IS-IS) protocols. The idea behind OSPF Graceful Restart/NSF is to allow the router to continue forwarding packets, even while undergoing specific well-known failure conditions. Perhaps a software upgrade is occurring, or a route processor crash is affecting the router. NSF allows for the continued forwarding of packets.

Before RFC 3623, Cisco offered a proprietary version of NSF, which Cisco now refers to as Cisco NSF. The OSPF RFC 3623 Graceful Restart feature enables you to configure IETF NSF in multivendor networks; Cisco now refers to this version as simply IETF NSF. OSPF NSF operates in one of two modes when it comes to failover operations. The first possible mode is Restarting mode. In Restarting mode, the OSPF router process performs nonstop forwarding recovery because of a route processor switchover. The second possible mode is Helper mode. In Helper mode, a neighboring router restarts, and the Helper mode router assists in the nonstop forwarding recovery process. Enabling IETF NSF on the Cisco router is simple. Enter router configuration mode for the OSPF process and issue the following command:
nsf ietf

Troubleshooting OSPF route advertisements
OSPF neighbor is not advertising routes:
■ OSPF is not enabled on the interface.
■ Advertising interface is down.
■ Secondary interface is in a different area from the primary interface.

ABR is not advertising the summary route:
■ Area is configured as a totally stubby area.
■ ABR lacks area 0 connectivity.
■ A discontiguous area 0 exists.

Neighbor is not advertising external routes:
■ Area is configured as stub or NSSA.
■ The NSSA ABR is not translating Type 7 into Type 5 LSAs.

Neighbor is not advertising default routes:
■ No default-information originate command.
■ No default route in the routing table (and the always keyword is not used).
■ Stub area is in use.
■ NSSA border router is not originating the Type 7 default.

Troubleshooting OSPF route installation
OSPF is installing no routes in the routing table:
■ Network type mismatch
■ IP address or subnet mask misconfiguration
■ Unnumbered/numbered point-to-point configuration mismatch
■ Distribute list
■ Broken permanent virtual circuit (PVC) in a full-mesh broadcast-mode Frame Relay network

OSPF is not installing external routes:
■ Forwarding address not known through an intra-area or interarea route
■ ABR not generating Type 4 LSAs

Troubleshooting CPUHOG syslog reports
CPUHOG messages during adjacency establishment:
■ No packet-pacing code executing

CPUHOG messages during LSA refresh:
■ No LSA group-pacing code

Troubleshooting redistribution
Not advertising external routes:
■ subnets keyword is missing.
■ Distribute list.

Troubleshooting dial-on-demand routing issues
Hello packets are bringing up the link:
■ Hellos are permitted as interesting traffic.

Demand circuit keeps bringing up the link:
■ Link flapping.
■ Network type is broadcast.
■ PPP host route being redistributed.
■ One router is not demand-circuit-capable.

Troubleshooting route summarization
Router not summarizing interarea routes:
■ No area range command on the ABR

Router not summarizing external routes:
■ No summary-address command on the ASBR

Troubleshooting SPF calculations
SPF running constantly:
■ Flapping route
■ Neighbor flapping
■ Duplicate router ID

Troubleshooting common error messages
"Could Not Allocate Router ID":
■ No enabled interface with a valid IP address
■ Not enough interfaces up with IP addresses for multiple OSPF processes

"%OSPF-4-BADLSATYPE: Invalid lsa: Bad LSA type" Type 6:
■ Neighboring router is sending MOSPF packets, which are not supported on Cisco routers.
■ Eliminate the error with the ignore lsa mospf router configuration command.

"OSPF-4-ERRRCV":
■ OSPF received an invalid packet because of a mismatched area ID, a bad checksum, or OSPF not being enabled on the receiving interface.

"Bad Checksum":
■ A device in the path is corrupting the packet.
■ Sending router's interface is bad, or a software bug exists.
■ Receiving router's interface is bad, or a software bug exists.

General troubleshooting commands
■ show ip ospf neighbor [interface-type interface-number] [neighbor-id] [detail]—Displays OSPF neighbor information on a per-interface basis.
■ show ip ospf [process-id]—Displays general information about OSPF routing processes.
■ show ip ospf interface [interface-type interface-number]—Displays OSPF-related interface information.
■ show ip ospf database—Displays lists of information related to the OSPF database for a specific router.
■ debug ip ospf packet—This EXEC command displays information about each OSPF packet received:
Router# debug ip ospf packet
OSPF: rcv. v:2 t:1 l:48 rid:200.0.0.116 aid:0.0.0.0 chk:0 aut:2 keyid:1 seq:0x0

The possible output values are as follows:
■ v:—Version of OSPF
■ t:—Specifies the OSPF packet type (1: Hello, 2: DBD, 3: LSR, 4: LSU, 5: LSAck)
■ l:—Packet length in bytes
■ rid:—Provides the OSPF router ID
■ aid:—Shows the area ID
■ chk:—Displays the checksum (0 when MD5 authentication is in use, because the digest protects the packet instead)
■ aut:—Provides the authentication type (0: none, 1: simple password, 2: MD5)
■ auk:—Specifies the authentication key (the clear-text password, shown with type 1)
■ keyid:—Displays the MD5 key ID
■ seq:—Provides the cryptographic sequence number
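The debug fields above and the Type 1 / Type 2 authentication steps in the Authentication section describe the same 24-byte OSPFv2 header. The following added example (written for this reference sheet; it is not Cisco IOS code) parses that header into the debug fields, builds a Hello with either clear-text or MD5 authentication, and verifies the MD5 trailer the way a receiving router would, including the sequence-number check that defeats replay. The packet layout follows RFC 2328; the key "ccie-key", the password "cisco", and the Hello contents are constructed for the example, and the router ID is the one shown in the debug line.

```python
"""Decode an OSPFv2 header the way "debug ip ospf packet" prints it, and verify the
MD5 cryptographic authentication trailer used by Type 2 authentication.

Added example for this reference sheet; it is not Cisco IOS code. Packet layout follows
RFC 2328 (header in A.3.1, authentication in Appendix D). The sample packets, the key
"ccie-key" and the password "cisco" are constructed here for illustration.
"""
import hashlib
import hmac
import struct

# version, type, length, router ID, area ID, checksum, auth type, 8 bytes of auth data
OSPF_HDR = struct.Struct("!BBHIIHH8s")
PACKET_TYPES = {1: "Hello", 2: "DBD", 3: "LSR", 4: "LSU", 5: "LSAck"}
AUTH_TYPES = {0: "none", 1: "simple password", 2: "MD5"}
MD5_KEY_LEN = 16  # the password is zero-padded (or truncated) to 16 bytes before hashing


def ip_str(word):
    """Render a 32-bit integer (router ID or area ID) as dotted decimal."""
    return ".".join(str((word >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def parse_header(pkt):
    """Decode the 24-byte OSPFv2 header into the fields the IOS debug line shows."""
    ver, ptype, length, rid, aid, chk, autype, auth = OSPF_HDR.unpack_from(pkt)
    hdr = {"v": ver, "t": ptype, "type_name": PACKET_TYPES.get(ptype, "unknown"),
           "l": length, "rid": ip_str(rid), "aid": ip_str(aid), "chk": chk,
           "aut": autype, "aut_name": AUTH_TYPES.get(autype, "unknown")}
    if autype == 1:
        # Type 1: the password itself rides in the 8-byte field, readable by any sniffer.
        hdr["auk"] = auth.rstrip(b"\x00").decode("ascii", "replace")
    elif autype == 2:
        # Type 2 (RFC 2328 D.3): 0 (16 bits) | key ID (8) | auth data length (8) | sequence number (32)
        _, keyid, auth_len, seq = struct.unpack("!HBBI", auth)
        hdr.update(keyid=keyid, auth_len=auth_len, seq=seq)
    return hdr


def md5_digest(packet, key):
    """RFC 2328 D.4.3: MD5 over the packet (header + body, checksum 0) followed by the padded key."""
    padded = key.encode()[:MD5_KEY_LEN].ljust(MD5_KEY_LEN, b"\x00")
    return hashlib.md5(packet + padded).digest()


def build_packet(ptype, rid, aid, body, auth_type, keyid=0, seq=0, key=""):
    """Build an OSPF packet with no, simple-password, or MD5 authentication."""
    length = OSPF_HDR.size + len(body)  # the length field never covers the MD5 trailer
    if auth_type == 1:
        auth = key.encode()[:8].ljust(8, b"\x00")
    elif auth_type == 2:
        auth = struct.pack("!HBBI", 0, keyid, MD5_KEY_LEN, seq)
    else:
        auth = bytes(8)
    # The checksum stays 0 here; with MD5 authentication the standard requires 0 (hence chk:0).
    pkt = OSPF_HDR.pack(2, ptype, length, rid, aid, 0, auth_type, auth) + body
    if auth_type == 2:
        pkt += md5_digest(pkt, key)
    return pkt


def verify_md5_packet(pkt, keys, last_seq=-1):
    """Validate an MD5-authenticated packet against the configured keys ({key ID: password}).
    Returns (ok, reason). A sequence number lower than the last accepted one is rejected
    as a replay, which is the protection Type 1 authentication lacks."""
    hdr = parse_header(pkt)
    if hdr["aut"] != 2:
        return False, "not MD5 authenticated"
    if len(pkt) != hdr["l"] + hdr["auth_len"]:
        return False, "length does not match digest trailer"
    key = keys.get(hdr["keyid"])
    if key is None:
        return False, "unknown key id"
    expected = md5_digest(pkt[:hdr["l"]], key)
    if not hmac.compare_digest(expected, pkt[hdr["l"]:]):
        return False, "bad digest"
    if hdr["seq"] < last_seq:
        return False, "sequence number went backwards"
    return True, "ok"


def debug_line(pkt):
    """Format the header like the "OSPF: rcv." line of debug ip ospf packet."""
    h = parse_header(pkt)
    line = "OSPF: rcv. v:%d t:%d l:%d rid:%s aid:%s chk:%d aut:%d" % (
        h["v"], h["t"], h["l"], h["rid"], h["aid"], h["chk"], h["aut"])
    if h["aut"] == 1:
        line += " auk:%s" % h["auk"]
    elif h["aut"] == 2:
        line += " keyid:%d seq:0x%X" % (h["keyid"], h["seq"])
    return line


# Constructed Hello body: mask /24, hello 10 s, options E, priority 1, dead 40 s, DR, BDR, one neighbor.
RID = 0xC8000074  # 200.0.0.116, the router ID in the debug output on this page
HELLO_BODY = struct.pack("!IHBBIII", 0xFFFFFF00, 10, 0x02, 1, 40, RID, 0) + struct.pack("!I", 0xC8000001)
SAMPLE_MD5 = build_packet(1, RID, 0, HELLO_BODY, 2, keyid=1, seq=0, key="ccie-key")
SAMPLE_CLEARTEXT = build_packet(1, RID, 0, HELLO_BODY, 1, key="cisco")

if __name__ == "__main__":
    print(debug_line(SAMPLE_MD5))        # same fields as the debug line quoted above
    print(debug_line(SAMPLE_CLEARTEXT))  # the Type 1 password appears in auk:
    print(verify_md5_packet(SAMPLE_MD5, {1: "ccie-key"}))
```

Running the block prints the MD5 Hello as exactly the debug line quoted above (v:2 t:1 l:48, chk:0, aut:2, keyid:1, seq:0x0) and the clear-text Hello with its password in the auk: field, which is the whole difference between the two authentication types from an attacker's point of view.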
BGP
BGP introduction
Border Gateway Protocol (BGP) is an Exterior Gateway Protocol (EGP) used for routing between autonomous systems. It enables routing policies and improves security by giving the administrator control over which prefixes are accepted and announced.

FIGURE 4-6
Exterior Gateway Protocol: within AS 100 and AS 200, possible Interior Gateway Protocols include IGRP, EIGRP, OSPF, RIP, and IS-IS; BGP runs between the two autonomous systems as the Exterior Gateway Protocol.

BGP is an advanced path vector protocol and includes the following:
■ Reliable updates (carried over TCP)
■ Triggered updates only
■ Rich metrics (path attributes)
■ Scalable to massive networks

Because of these enhancements, BGP is often described as advanced distance vector. Perhaps the most technically accurate description is path vector. Common uses for BGP include the following:
■ Customer connected to one Internet service provider (ISP) (not always required, however)
■ Customer connected to several ISPs
■ Service provider networks (transit autonomous system)
■ Network cores of very large enterprise networks

Session establishment
BGP neighbors are not discovered; they must be configured manually on both sides of the connection. The session runs over TCP port 179. Both routers may attempt to open a connection; if both attempts succeed, only one session is kept. The show ip bgp summary command gives an overview of the session status. States include Idle, Active, OpenSent, OpenConfirm, and Established. Keepalives are sent every 60 seconds by default. Peers can authenticate each other with an MD5 shared secret (the TCP MD5 signature option), which protects the session against spoofed or injected TCP segments.

Route processing
All routes received after the neighbor establishment are saved in memory. If more than one way to reach a destination exists, the best is selected. Use the show ip bgp command to view all the routing information received from all neighbors. The best route selection criteria are evaluated in this order, and the first criterion that distinguishes the paths decides:
■ Exclude any route with an inaccessible next hop
■ Prefer highest weight (local to the router)
■ Prefer highest local preference (global within the autonomous system)
■ Prefer routes that the router originated
■ Prefer shortest autonomous system path (compare length only)
■ Prefer lowest origin code (IGP < EGP < Incomplete)
■ Prefer lowest Multiexit Discriminator (MED)
■ Prefer external BGP (eBGP) paths over internal BGP (iBGP) paths
■ For iBGP paths, prefer the path through the closest IGP neighbor
■ For eBGP paths, prefer the oldest path
■ Prefer the path from the router with the lower BGP router ID

The best routes (valid and reachable) are propagated to BGP neighbors. The best BGP routes are copied into the IP routing table after the router checks administrative distance values. The BGP process injects local routes in two different ways:
■ Using the network configuration command. This command lists networks that are candidates if they appear in the routing table.
■ Using redistribution from another routing protocol.

Route summarization
Automatic classful summarization is enabled by default. When you disable automatic summarization, the routes introduced locally into the BGP table are not summarized.
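The best-path decision process listed under Route processing above is easier to reason about when it is written as an ordered elimination. The following added example (written for this reference sheet; it is not Cisco IOS code) applies the criteria in exactly that order to a set of candidate paths and reports which step decided. A candidate path is a plain dict; the field names, the igp_metric stand-in for "distance to the next hop through the IGP", the received_at stand-in for path age, and the sample AS numbers and router IDs are all constructed for the example. MED is compared across all remaining paths here, which simplifies the IOS rule.

```python
"""BGP best-path selection in the order listed under "Route processing" above.

Added example for this reference sheet, not Cisco IOS code. A candidate path is a dict;
"igp_metric" stands in for the IGP distance to the next hop, "received_at" (lower is older)
for the age of an eBGP path, and "neighbor" is only a label for the sample data. MED is
compared across all remaining paths here, which is a simplification of the IOS rule.
"""
import ipaddress

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}

# (name, key): each step keeps the candidates with the LOWEST key, so "highest X" is keyed as -X.
SELECTION_STEPS = [
    ("highest weight", lambda p: -p["weight"]),
    ("highest local preference", lambda p: -p["local_pref"]),
    ("locally originated", lambda p: 0 if p["locally_originated"] else 1),
    ("shortest AS path", lambda p: len(p["as_path"])),
    ("lowest origin", lambda p: ORIGIN_RANK[p["origin"]]),
    ("lowest MED", lambda p: p["med"]),
    ("eBGP over iBGP", lambda p: 0 if p["ebgp"] else 1),
    ("closest IGP next hop", lambda p: p["igp_metric"]),
    ("oldest eBGP path", lambda p: p["received_at"] if p["ebgp"] else 0),
    ("lowest router ID", lambda p: int(ipaddress.IPv4Address(p["router_id"]))),
]


def make_path(**overrides):
    """Constructed candidate path with neutral defaults; override the attributes under test."""
    path = {"next_hop_reachable": True, "weight": 0, "local_pref": 100,
            "locally_originated": False, "as_path": [64500], "origin": "igp", "med": 0,
            "ebgp": True, "igp_metric": 10, "received_at": 0, "router_id": "10.0.0.1",
            "neighbor": "unnamed"}
    path.update(overrides)
    return path


def select_best(paths):
    """Return (best_path, deciding_step). Paths whose next hop is unreachable never compete."""
    candidates = [p for p in paths if p["next_hop_reachable"]]
    if not candidates:
        raise ValueError("no candidate path has a reachable next hop")
    deciding = "only path with a reachable next hop"
    for name, key in SELECTION_STEPS:
        if len(candidates) == 1:
            break
        best = min(key(p) for p in candidates)
        survivors = [p for p in candidates if key(p) == best]
        if len(survivors) < len(candidates):
            candidates, deciding = survivors, name
    # Identical router IDs would be a configuration error; fall back to the first candidate.
    return candidates[0], deciding


# Constructed scenario: one prefix learned from a transit provider, a customer and an iBGP peer.
SAMPLE_PATHS = [
    make_path(neighbor="transit eBGP", as_path=[64510, 64520], router_id="10.0.0.2"),
    make_path(neighbor="customer eBGP", as_path=[64520], local_pref=200, router_id="10.0.0.3"),
    make_path(neighbor="iBGP peer", as_path=[64520], ebgp=False, igp_metric=30,
              next_hop_reachable=False, router_id="10.0.0.4"),
]

if __name__ == "__main__":
    best, why = select_best(SAMPLE_PATHS)
    print("best path via %s, decided by: %s" % (best["neighbor"], why))
```

In the sample, the iBGP path drops out before any comparison because its next hop is unreachable, and the customer path wins on local preference before the shorter AS path is ever looked at; this is why a raised local preference on customer routes is the usual way to prefer them over transit regardless of path length.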

BGP basic configuration
To start BGP on your router, use the following global configuration command:
router bgp as-number

A public autonomous system number can be obtained from the appropriate registry, or a private autonomous system number is possible in some situations (64,512 to 65,535). Only one BGP process is permitted per router. To configure your BGP neighbors, use the following router configuration commands:
neighbor ip-address remote-as as-number
neighbor ip-address description neighbor-description

To temporarily disable a neighborship, use the following router configuration command:
neighbor ip-address shutdown

To configure MD5 authentication between neighbors, use the following router configuration command. Keep in mind that the password string must match on both routers, or the TCP session will not come up.
neighbor ip-address password string

Announcing networks
To manually define a network for advertisement by BGP, use the following router configuration command:
network network-number [mask network-mask]

If you use this command and auto-summarization is on (the default behavior), at least one of the subnets must be present in the forwarding table for the major network prefix to be advertised. If auto-summarization is disabled, an exact match is required in the forwarding table. To disable automatic summarization, use the following router configuration command:
no auto-summary

You can use the mask keyword to specify a specific subnet with the network command. If you would like to modify attributes before inserting prefixes into the BGP table, you can use a route map in the network command in router configuration mode:
network network-number [mask network-mask] [route-map map-tag]

This option might be used for one or more of the following:
■ Change the weight of a locally sourced route
■ Tag locally sourced routes with BGP communities
■ Set the local preference
■ Change the value of the MED

To advertise routes based on route redistribution, examine the following sample command syntax:
Router(config)# router bgp 64500
Router(config-router)# redistribute ospf 1
Router(config-router)# distribute-list prefix MY_PREFIX_LIST out

One caveat here is that redistributed routes have an origin code of incomplete (shown as ? in show ip bgp). This makes them seem inferior to other routes per the BGP route-selection process. Notice the optional use of the distribute-list syntax to suppress certain networks from being advertised in updates. Redistribution can be configured in conjunction with a route map to reset the origin code or set other attributes. Here is an example:
Router(config)# router bgp 64500
Router(config-router)# redistribute ospf 1 route-map MY_ROUTE_MAP

Classless BGP
To manually announce a classless prefix, be sure to use the following router configuration command:
network ip-prefix-address mask subnet-mask

You should also consider creating a static route pointing to null0 to create a matching prefix in the IP forwarding table to ensure the subnet is advertised.

Aggregation in BGP
Use the following router configuration command to configure route summarization to suppress the advertising of individual networks. Remember, at least one network of the summarized space must exist in the BGP table:
aggregate-address address-prefix mask summary-only

Route selection using policy controls
Autonomous system path filtering with regular expressions
■ String matching—A string of characters in the regular expression matches any equivalent substring in the autonomous system path; 29 has three matches in | 210 291 1296 29 |, for example (in 291, in 1296, and in 29). Use the underscore delimiter, as in _29_, to match the autonomous system number 29 itself.
■ String matching alternatives—The pipe symbol (|) means "or."
■ String matching ranges and wildcards—Brackets ([ ]) can be used for ranges, and the period (.) can match any single character.
■ String matching delimiters—The caret (^) matches the beginning of the string, the dollar sign ($) matches the end of the string, and an underscore (_) matches any delimiter (a space, comma, brace, or parenthesis, or the beginning or end of the string).
■ String matching grouping—Parentheses can group smaller expressions into larger expressions.

■ String matching special characters—You can use the backslash (\) to remove the special meaning of the character that follows.
■ String matching repeating operators—An asterisk (*) means the expression preceding repeats zero or more times, a question mark (?) means the expression preceding repeats zero or one time, and a plus sign (+) means the expression preceding repeats one or more times.

Here are some string matching examples:
_200_              All routes going through autonomous system 200
^200$              Paths consisting only of autonomous system 200 (networks originated by the directly connected autonomous system 200)
_200$              Originated in autonomous system 200
^200_.             Networks behind autonomous system 200
^[0-9]+$           Autonomous system paths one autonomous system long
^([0-9]+)(_\1)*$   Networks originating in the neighbor autonomous system (including paths the neighbor has prepended with its own number)
^$                 Networks originated in the local autonomous system
.*                 Matches everything

FIGURE 4-7
AS-path filters: a filter list applied inbound (filter-list in) sits between the incoming neighbor and Router A's BGP table; a filter list applied outbound (filter-list out) sits between the BGP table and the outgoing neighbor.

Autonomous system path filters configured inbound on a router select those routes that are allowed. Routes that are selected enter the local BGP table when the selection is applied on the incoming routes from a neighbor. Routes that are not selected are silently dropped. When an outbound filter is used, routes that are selected are transmitted to the neighbor. Routes that are not selected are used locally but are never sent to the neighbor. As with an access list, an autonomous system path access list ends with an implicit deny, so a path that matches no entry is dropped.

The commands used to configure an autonomous system path list are relatively simple. First, configure an autonomous system path access list as follows in global configuration mode:
ip as-path access-list access-list-number {permit | deny} as-regular-expression
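The underscore is the one token in these expressions that a standard regex engine does not know, and getting it wrong is how "29" ends up matching 291 and 1296. The following added example (written for this reference sheet; it is not IOS code) emulates the IOS semantics by translating "_" into a delimiter alternation, checks every pattern in the table above, and evaluates an autonomous system path access list in order with the implicit deny. The ISP-side filter at the bottom, which accepts only paths the customer in AS 65000 originated (with or without prepending), and the AS numbers and prefixes in it are constructed for the example.

```python
"""Cisco-style AS-path regular expressions, evaluated the way an ip as-path access-list is:
entries are tested top down, the first match wins, and an implicit deny ends the list.

Added example for this reference sheet, not IOS code. The one non-standard token is the
underscore: IOS treats "_" as matching a delimiter between AS numbers or the start or end of
the path, so it is translated into a Python regex alternation before matching. The
customer/ISP filter at the bottom and its AS numbers are constructed for illustration.
"""
import re

# "_" matches a space, comma, brace, parenthesis, or the start or end of the path string.
DELIMITER = r"(?:^|$|[ ,{}()])"


def ios_regex(pattern):
    """Compile an IOS AS-path regex; back references such as \\1 keep working because the
    substituted group is non-capturing."""
    return re.compile(pattern.replace("_", DELIMITER))


def as_path_string(as_path):
    """Render a path the way IOS prints it: "64500 64510", with AS_SETs as "{64520,64521}"."""
    parts = []
    for hop in as_path:
        if isinstance(hop, (set, frozenset)):
            parts.append("{" + ",".join(str(asn) for asn in sorted(hop)) + "}")
        else:
            parts.append(str(hop))
    return " ".join(parts)


def matches(pattern, as_path):
    """True if the IOS regex matches anywhere in the path (substring semantics)."""
    return ios_regex(pattern).search(as_path_string(as_path)) is not None


def substring_hits(pattern, as_path):
    """How many (non-overlapping) places the regex matches; shows why 29 hits three times
    in "210 291 1296 29" while _29_ hits once."""
    return len(ios_regex(pattern).findall(as_path_string(as_path)))


class AsPathAccessList:
    """ip as-path access-list N {permit | deny} regex, one entry per line, in order."""

    def __init__(self, entries):
        self.entries = [(action, ios_regex(pattern)) for action, pattern in entries]

    def permits(self, as_path):
        text = as_path_string(as_path)
        for action, regex in self.entries:
            if regex.search(text):
                return action == "permit"
        return False  # implicit deny

    def filter(self, routes):
        """Apply the list as an inbound filter-list: keep only permitted (prefix, as_path) pairs."""
        return [(prefix, path) for prefix, path in routes if self.permits(path)]


# Constructed scenario: an ISP accepts from a customer in AS 65000 only paths the customer
# originated itself, prepended or not. A path the customer learned from someone else (a route
# leak) matches no permit entry and is dropped by the implicit deny.
CUSTOMER_AS = 65000
CUSTOMER_IN = AsPathAccessList([("permit", "^%d(_%d)*$" % (CUSTOMER_AS, CUSTOMER_AS))])
CUSTOMER_UPDATES = [
    ("203.0.113.0/24", [65000]),          # customer's own prefix
    ("198.51.100.0/24", [65000, 64512]),  # leaked from another provider's customer
    ("192.0.2.0/24", [65000, 65000]),     # prepended: still only the customer's AS
]

if __name__ == "__main__":
    for prefix, path in CUSTOMER_UPDATES:
        verdict = "permit" if CUSTOMER_IN.permits(path) else "deny"
        print(prefix, "|", as_path_string(path), "|", verdict)
```

The delimiter translation is also what makes the page's ^([0-9]+)(_\1)*$ example work: the back reference still refers to the first capturing group because the substituted delimiter group is non-capturing.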

To apply the list to a neighbor as a BGP filter, use the neighbor filter-list router configuration command:
neighbor {ip-address | peer-group-name} filter-list access-list-number {in | out}

Monitoring the use of regular expressions is critical. To display routes matching an autonomous system path regular expression, use the show ip bgp regexp command. To display routes that conform to a specified filter list, use the show ip bgp filter-list command. To display a specific access list or all autonomous system path access lists in the router, use the show ip as-path-access-list command.

Prefix lists
Prefix lists are a powerful method to control the updates coming from other BGP-speaking routers.

FIGURE 4-8
Prefix filtering: a multihomed customer peers over BGP with ISP1 and ISP2, which both connect it to the Internet. Service providers may need to filter the IP prefixes being announced by the customer.

To create an entry in a prefix list, use the ip prefix-list global configuration command:
ip prefix-list list-name [seq seq-value] {deny | permit} network/len [ge ge-value] [le le-value]

You can use the parameters ge (greater than or equal to) and le (less than or equal to) to specify the range of prefix lengths to be matched for prefixes that are more specific than network/len. An exact match of network/len is assumed when neither ge nor le is specified. The range is assumed to be from ge-value to 32 only if the ge attribute is specified. The range is assumed to be from len to le-value only if the le attribute is specified. Like an access list, a prefix list is evaluated in sequence order with the first match deciding, and it ends with an implicit deny. To filter BGP neighbor updates as specified in a prefix list, use the following router configuration command:
neighbor {ip-address | peer-group-name} prefix-list prefix-list-name {in | out}

This might be useful to suppress a more specific route or to change the path used to reach a certain destination. To suppress networks from being advertised in updates, use the following router configuration command:
distribute-list {access-list-number | name | prefix-list prefix-list-name} out [interface-name | routing-process | autonomous-system-number]

To display information about a prefix list or prefix list entries, use the show ip prefix-list command.
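The ge/le rules above are compact but easy to misread, and a prefix list that is one keyword off either leaks a customer's more-specifics or blocks its own block. The following added example (written for this reference sheet; it is not IOS code) implements those rules exactly as stated, including the implicit deny and first-match evaluation, and applies them as the inbound customer filter of Figure 4-8 would. The list name CUSTOMER-IN, the documentation prefixes, and the sample updates are constructed for the example.

```python
"""Prefix-list matching with the ge/le semantics described above, evaluated the way IOS does:
entries in sequence order, first match decides, implicit deny at the end.

Added example for this reference sheet, not IOS code. The customer filter at the bottom, the
list name CUSTOMER-IN and the documentation prefixes in it are constructed for illustration.
"""
import ipaddress


class PrefixList:
    """ip prefix-list NAME [seq N] {permit | deny} network/len [ge G] [le L]"""

    def __init__(self, name):
        self.name = name
        self.entries = []  # (seq, action, network, min_len, max_len)

    def add(self, action, prefix, seq=None, ge=None, le=None):
        net = ipaddress.ip_network(prefix, strict=False)
        # Neither ge nor le: exact length. ge only: ge..32. le only: len..le. Both: ge..le.
        min_len = ge if ge is not None else net.prefixlen
        if le is not None:
            max_len = le
        elif ge is not None:
            max_len = net.max_prefixlen
        else:
            max_len = net.prefixlen
        if not net.prefixlen <= min_len <= max_len <= net.max_prefixlen:
            raise ValueError("invalid range: need len <= ge <= le <= %d" % net.max_prefixlen)
        if seq is None:  # IOS auto-numbers entries in steps of 5
            seq = self.entries[-1][0] + 5 if self.entries else 5
        self.entries.append((seq, action, net, min_len, max_len))
        self.entries.sort(key=lambda entry: entry[0])

    def match(self, prefix):
        """Return (action, seq) of the first matching entry, or ("deny", None) for the implicit deny."""
        candidate = ipaddress.ip_network(prefix, strict=False)
        for seq, action, net, min_len, max_len in self.entries:
            if candidate.version != net.version:
                continue
            # The first len bits must equal the entry's network, and the length must be in range.
            if candidate.subnet_of(net) and min_len <= candidate.prefixlen <= max_len:
                return action, seq
        return "deny", None

    def filter(self, prefixes):
        """Apply the list as neighbor ... prefix-list NAME in: keep only permitted prefixes."""
        return [p for p in prefixes if self.match(p)[0] == "permit"]


# Constructed scenario (Figure 4-8): the ISP accepts from its customer only the block it
# assigned, 203.0.113.0/24, and subnets of it down to /26. Everything else, including a
# default route or another provider's space, falls through to the explicit deny.
CUSTOMER_IN = PrefixList("CUSTOMER-IN")
CUSTOMER_IN.add("permit", "203.0.113.0/24", le=26)
CUSTOMER_IN.add("deny", "0.0.0.0/0", le=32)  # same effect as the implicit deny, but visible in show output

CUSTOMER_UPDATES = ["203.0.113.0/24", "203.0.113.64/26", "203.0.113.0/27",
                    "198.51.100.0/24", "0.0.0.0/0"]

if __name__ == "__main__":
    for p in CUSTOMER_UPDATES:
        print(p, CUSTOMER_IN.match(p))
    print("accepted:", CUSTOMER_IN.filter(CUSTOMER_UPDATES))
```

Note that 0.0.0.0/0 without le 32 matches only the default route itself; the le 32 is what turns it into "everything", which is the form used for a final explicit deny.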

[ 60 ]

CHAPTER 4

CCIE Routing and Switching Exam Quick Reference Sheets by Anthony Sequeira

Outbound Route Filtering
Outbound Route Filtering (ORF) is a prefix-based BGP feature that is enabled through the advertisement of ORF capabilities to peer routers. Advertising the ORF capability indicates that a BGP speaker can accept a prefix list from a neighbor and apply it to its locally configured ORFs (if any exist). With the capability negotiated, a BGP speaker pushes its inbound prefix-list filter to the remote peer, which installs it as an outbound filter, so the peer never sends the updates that the local router would have discarded on arrival. The local inbound prefix list stays in force: a peer that ignores the pushed filter still cannot inject prefixes the local policy rejects, so ORF saves bandwidth and update processing but is not what enforces the policy. An ORF message contains the following information:
■ Address Family Identifier (AFI) and Subsequent Address Family Identifier (SAFI) for which the filter should be used
■ ORF type
■ When to refresh (immediate or deferred refresh)
■ List of ORF entries where the actual filter is defined

An ORF of type 1 (NLRI-based filtering) uses the following actions:
■ ADD—Adds a line to a prefix-list filter on the remote peer
■ DELETE—Removes a line from a filter that was previously installed on the remote peer
■ DELETE ALL—Removes all previously installed filters on the remote peer

To advertise ORF capabilities to a peer router, use the neighbor capability orf prefix-list command in address family or router configuration mode:
neighbor ip-address capability orf prefix-list {receive | send | both}

Use the clear ip bgp ip-address in prefix-filter command to push out the existing ORF prefix list so that a new route refresh can be received from the neighbor. The neighbor applies the ORF prefix list that was previously negotiated.

Commonly used ORF types are as follows:
■ ORF type 1 filters based on Network Layer Reachability Information (NLRI)
■ ORF type 2 filters based on standard BGP community attributes
■ ORF type 3 filters based on extended BGP community attributes
■ ORF type 128 filters based on the Cisco-proprietary implementation of prefix filtering (prefix lists)

Filtering with route maps
Route maps are also a powerful filtering tool. They can be used to accomplish the following tasks:
■ Filter on IP prefixes coming from a specific autonomous system
■ Filter on other BGP attributes
■ Modify BGP attributes


Match clauses in a BGP route map can be based on the following:
■ IP network numbers and subnet masks (prefix list or access list)
■ Route originator
■ Next hop
■ Origin code
■ Tag value attached to an Interior Gateway Protocol (IGP) route
■ Autonomous system path
■ Community
■ IGP route type

With a route map, the following can be set:
■ Origin
■ Next hop
■ Weight
■ Community
■ Local preference
■ MED

You can apply a route map to incoming or outgoing routing information for a neighbor. The routing information must be permitted by the route map to be accepted: if no route-map clause explicitly permits a route, the route is implicitly denied and dropped. A permit clause with no match conditions matches every route, so end the map with an empty permit clause only when you intend to accept everything the earlier clauses did not handle. The syntax required is as follows:
Router(config-router)# neighbor ip-address route-map name {in | out}

The show ip bgp route-map name command displays the routes from the BGP table that the named route map selects.

Implementing changes in policy
The traditional method, clear ip bgp *, is disruptive: it tears down every BGP session and withdraws every route. Soft reconfiguration was introduced in Cisco IOS Release 11.2 to allow nondisruptive policy changes in BGP. When you configure neighbor ip-address soft-reconfiguration inbound, the router stores an extra copy of all routes received from that neighbor in memory, taken before any inbound filtering is applied. After you change the filters and route maps applied to incoming information, use clear ip bgp ip-address soft in in privileged EXEC mode; after you change the filters and route maps applied to outgoing information, use clear ip bgp ip-address soft out. Route refresh is another newer feature of the Cisco BGP implementation: routers use it to ask a neighbor to resend all its routing information when needed, which avoids the memory cost of the stored copy. Use clear ip bgp * in to send a route refresh message to all neighbors, or clear ip bgp ip-address in to send one to a specific neighbor.
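As an added example (not code from the Quick Reference Sheets) of the rules above, the following Python models a route map applied to inbound updates: clauses are evaluated in sequence order, a clause matches on a prefix list, an AS-path regular expression or the origin code, a permit clause sets local preference and weight, a matching deny clause drops the route, and the implicit deny drops anything no clause matched. The update records, the prefix list (exact prefixes only, no ge/le) and the policy are constructed for the example.

```python
"""Model of a BGP route map applied to updates from one neighbor.

Added example; not code from the Quick Reference Sheets. The route
representation (a dict per update), the simplified prefix list (exact
prefixes only, no ge/le) and the sample updates are all constructed here.
"""
import ipaddress
import re


def as_path_matches(ios_regex, as_path):
    """Match an IOS-style AS-path regular expression.

    IOS treats '_' as 'start, end, space or punctuation'; translate it so
    that '_65010$' means 'path ends with AS 65010' in Python's re as well.
    """
    pattern = ios_regex.replace("_", r"(?:^|\s|$)")
    return re.search(pattern, " ".join(str(a) for a in as_path)) is not None


def prefix_list_matches(prefix_list, prefix):
    """Sequential prefix-list evaluation with the implicit deny at the end."""
    net = ipaddress.ip_network(prefix)
    for action, entry in prefix_list:
        if net == ipaddress.ip_network(entry):
            return action == "permit"
    return False


def apply_route_map(route_map, route):
    """Evaluate clauses in sequence order; return the (possibly modified)
    route, or None when it is dropped: a matching deny clause drops it, and
    so does reaching the end without any clause matching (implicit deny).
    A permit clause with no match conditions matches every route."""
    for clause in sorted(route_map, key=lambda c: c["seq"]):
        conds = clause.get("match", {})
        if "prefix_list" in conds and not prefix_list_matches(conds["prefix_list"], route["prefix"]):
            continue
        if "as_path" in conds and not as_path_matches(conds["as_path"], route["as_path"]):
            continue
        if "origin" in conds and route["origin"] != conds["origin"]:
            continue
        if clause["action"] == "deny":
            return None
        modified = dict(route)
        modified.update(clause.get("set", {}))
        return modified
    return None


def filter_updates(route_map, updates):
    """Apply the map to every update; return the accepted routes only."""
    accepted = []
    for upd in updates:
        result = apply_route_map(route_map, upd)
        if result is not None:
            accepted.append(result)
    return accepted


# Constructed sample updates as they might arrive from an eBGP neighbor.
SAMPLE_UPDATES = [
    {"prefix": "10.1.0.0/16", "as_path": [65001, 65010], "origin": "i",
     "local_pref": 100, "weight": 0},
    {"prefix": "10.2.0.0/16", "as_path": [65002], "origin": "i",
     "local_pref": 100, "weight": 0},
    {"prefix": "192.168.0.0/24", "as_path": [65003], "origin": "?",
     "local_pref": 100, "weight": 0},
]

# Constructed policy: drop anything originated by AS 65010, prefer the
# 10.2.0.0/16 block, and accept everything else with default attributes.
PL_PREFERRED = [("permit", "10.2.0.0/16")]
ROUTE_MAP_IN = [
    {"seq": 10, "action": "deny", "match": {"as_path": "_65010$"}},
    {"seq": 20, "action": "permit", "match": {"prefix_list": PL_PREFERRED},
     "set": {"local_pref": 200, "weight": 100}},
    {"seq": 30, "action": "permit"},      # catch-all; remove it to deny the rest
]

if __name__ == "__main__":
    for r in filter_updates(ROUTE_MAP_IN, SAMPLE_UPDATES):
        print(r["prefix"], "local_pref", r["local_pref"], "weight", r["weight"])
```

Removing the catch-all clause 30 is the mistake the implicit deny punishes: every update that matched neither of the first two clauses disappears, which is exactly what happens on a router when a new route map is applied without a final permit.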


BGP path attributes
Well-known mandatory attributes
■ Origin—Specifies the origin of the route: IGP (originated inside the autonomous system with the network command), EGP (learned through the obsolete EGP), or Incomplete (the route was redistributed into BGP)
■ AS-Path—Sequence of autonomous system numbers through which the route is reachable
■ Next-Hop—IP address of the next-hop router

Well-known discretionary attributes
■ Local Preference—Used for consistent routing policy within an autonomous system
■ Atomic Aggregate—Informs the neighboring autonomous system that the originating router aggregated routes

Optional transitive attributes
■ Aggregator—IP address and autonomous system of the router that performed the aggregation
■ Community—Used for route tagging

Optional nontransitive attributes
■ Multi-Exit Discriminator (MED)—Used to discriminate between multiple entry points into an autonomous system

Influencing route selection using weights
Using weight
Weight provides local routing policy on a single router (it is Cisco-proprietary and is never sent to any neighbor), whereas local preference establishes autonomous-system-wide routing policy. To assign a weight to a neighbor connection, use the neighbor weight router configuration command:
neighbor {ip-address | peer-group-name} weight weight

This assigns the weight value to all route updates received from the neighbor. Higher weights are preferred. You can also configure the router so that all incoming routes that match an AS-path filter list receive the configured weight, using the following router configuration command:
neighbor {ip-address | peer-group-name} filter-list access-list-number {in | out | weight weight}

You can also set weight with a route map in more complex scenarios.


The default weight is 32,768 for networks the local router originates (including those injected through redistribution) and 0 for all other networks.

Using local preference
Local preference influences route selection within the local autonomous system: it is carried between iBGP peers but is stripped from outgoing eBGP updates. Decide between weight and local preference rather than mixing them; weight is evaluated first and exists only on the router where it is set, so a stray weight quietly overrides the AS-wide policy expressed with local preference. The default local preference is 100. You can apply local preference in the following ways:
■ Using a route map with the set local-preference command
■ Using the bgp default local-preference command to change the default value applied to all updates coming from external neighbors or originating locally

For verification, use the show ip bgp prefix command to display the locally applied value.

Autonomous system path prepending
In networks with connections to multiple providers, it is difficult to control the return path that traffic takes back into the autonomous system. One BGP mechanism you can use is AS-path prepending, which allows a customer to influence the route selection of its service providers. You manipulate the AS path by prepending additional copies of an autonomous system number to the existing path. Typically you prepend on outgoing eBGP updates sent over the nondesired return path: because the AS path advertised over that link becomes longer than the one advertised over the preferred link, the nondesired link is less likely to be chosen as the return path. Prepend only the sending autonomous system's own number. A BGP speaker discards any route whose AS path already contains its own AS number, so prepending another organization's ASN causes that autonomous system to drop your prefix entirely. You configure prepending with a route map and the set as-path prepend command. Keep in mind that prepending is only a hint to remote networks; any autonomous system that sets a higher local preference on the alternative path overrides it.

BGP Multi-Exit Discriminator (MED)
You can apply the MED attribute to outgoing updates sent to a neighboring autonomous system to influence route selection in that autonomous system. MED is useful only when there are multiple entry points into an autonomous system. The default value of MED is 0, and a lower value is preferred. A router prefers the path with the smallest MED, but only if weight, local preference, AS path, and origin code are equal, and by default only between paths received from the same neighboring autonomous system (the bgp always-compare-med command relaxes this). MED is not a mandatory attribute; no MED is attached to a route by default. The only exception is when the router originates networks that have an exact match in the routing table (through the network command or through redistribution); in that case the router uses the routing-table metric as the MED value. The default-metric command in BGP configuration mode gives all redistributed networks the specified MED value. You can use a route map to set MED on incoming or outgoing updates with the set metric command in route-map configuration mode. Within a confederation, you must configure bgp bestpath med confed for MED to influence the route selection process; the router then compares MED values for routes that originate inside the confederation.
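The attribute ordering described above (weight, then local preference, then locally originated routes, AS-path length, origin and MED) as an added Python example, not code from the Quick Reference Sheets. It stops at MED and omits the later tie-breakers (eBGP over iBGP, IGP metric to the next hop, router ID); the candidate paths are constructed to show the effect of prepending and the same-neighboring-AS rule for MED.

```python
"""The first tie-breakers of BGP best-path selection as described in these
sheets: weight, local preference, locally originated, AS-path length, origin,
MED. Added example, not code from the Quick Reference Sheets; it stops at MED
and ignores the later tie-breakers (eBGP over iBGP, IGP metric, router ID).
The candidate paths below are constructed.
"""
from dataclasses import dataclass
from functools import cmp_to_key

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}     # IGP < EGP < incomplete


@dataclass
class Path:
    as_path: list
    origin: str = "i"
    med: int = 0
    local_pref: int = 100            # IOS default
    weight: int = 0
    locally_originated: bool = False

    def __post_init__(self):
        # IOS default weight: 32768 for routes this router originates, 0 otherwise.
        if self.locally_originated and self.weight == 0:
            self.weight = 32768


def compare(a, b):
    """Negative if a is preferred over b, positive if b is preferred, 0 if tied."""
    if a.weight != b.weight:
        return -1 if a.weight > b.weight else 1
    if a.local_pref != b.local_pref:
        return -1 if a.local_pref > b.local_pref else 1
    if a.locally_originated != b.locally_originated:
        return -1 if a.locally_originated else 1
    if len(a.as_path) != len(b.as_path):
        return -1 if len(a.as_path) < len(b.as_path) else 1
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:
        return -1 if ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin] else 1
    # Without bgp always-compare-med, MED is only compared between paths
    # received from the same neighboring AS (the first AS in the path).
    if a.as_path[:1] == b.as_path[:1] and a.med != b.med:
        return -1 if a.med < b.med else 1
    return 0


def best_path(paths):
    """The earliest path wins a complete tie, because min() keeps the first minimum."""
    return min(paths, key=cmp_to_key(compare))


def prepend(path, asn, count):
    """What 'set as-path prepend asn asn ...' does to the path a peer receives."""
    return Path([asn] * count + path.as_path, path.origin, path.med,
                path.local_pref, path.weight, path.locally_originated)


# Constructed: a provider sees a customer prefix from AS 65100 both directly
# and through transit AS 65001.
VIA_TRANSIT = Path([65001, 65100])
DIRECT = Path([65100])

if __name__ == "__main__":
    print("default:", best_path([VIA_TRANSIT, DIRECT]).as_path)
    print("after the customer prepends 3x on the direct link:",
          best_path([VIA_TRANSIT, prepend(DIRECT, 65100, 3)]).as_path)
```

Because MED is compared only within the same neighboring AS, the comparison is not transitive across three or more paths, which is why IOS offers bgp deterministic-med; the example keeps the simple pairwise rule.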

BGP communities
A community is an attribute used to tag BGP routes with an identifier. A router can attach it to any BGP route by using a route map; other routers can then take any action based on the tag (community) attached to the route. Any BGP router can tag routes in incoming and outgoing routing updates or when doing redistribution, and any BGP router can filter routes in incoming or outgoing updates, or select preferred routes, based on the community values. By default, communities are stripped from outgoing BGP updates.

The community attribute is an optional transitive attribute. Its value is a 32-bit number in the range 0 to 4,294,967,295. You can tag each network in the BGP table with a set of communities. The default community is Internet (0). The BGP standards define several well-known communities for your use:
■ no-export—Do not advertise the route to real eBGP peers (peers outside the local autonomous system or confederation).
■ no-advertise—Do not advertise the route to any peer.
■ local-as—Do not advertise the route to any eBGP peer, including peers in other subautonomous systems of the same confederation.
■ internet—Advertise the route normally; this is the default community value.

Because the community attribute is optional transitive, routers that do not support communities pass them along unchanged. To define your own communities, you use a 32-bit community value that is split into two parts:
■ High-order 16 bits that contain the autonomous system number of the autonomous system that defines the community's meaning
■ Low-order 16 bits that have local significance

You specify a 32-bit community value as follows: [AS-number]:[low-order-16-bits]


You use communities in a well-planned, step-by-step fashion. Here are the steps you should consider, with an example of each:
Step 1. Define administrative policy goals. Example: solve asymmetric customer routing problems.
Step 2. Design filters and path-selection policy to achieve the administrative goals. Example: set the local preference of customer routes to 75 for customers using the backup ISP.
Step 3. Define the communities used to achieve the individual goals. Example: community 367:20 indicates that the local preference of the route should be lowered to 75.

To configure BGP communities, use the following steps:
Step 1. Configure route tagging with BGP communities.
Step 2. Configure BGP community propagation.
Step 3. Define BGP community access lists (community lists) to match BGP communities.
Step 4. Configure route maps that match on community lists and filter routes or set other BGP attributes.
Step 5. Apply the route maps to incoming or outgoing updates.

Route tagging with communities is always done with a route map. You can specify any number of communities; communities specified with the set keyword overwrite any communities already attached to the route unless you add the additive keyword. After you have created the route map, apply it to inbound or outbound BGP updates with the following router configuration command:
neighbor ip-address route-map map {in | out}

To apply a route map to redistributed routes, use the following router configuration command:
redistribute protocol route-map map

By default, communities are stripped from outgoing BGP updates; you must explicitly enable community propagation toward each neighbor with the following command:
neighbor ip-address send-community

BGP peer groups are ideal for configuring community propagation toward a large number of neighbors. You can use a standard community access list (community list) to find community attributes in routing updates. A standard community list is identified by its list number, in the range 1 to 99. Community lists are similar to standard IP access lists in these ways:
■ The router evaluates the lines in the community list sequentially.
■ If no line matches the communities attached to a BGP route, the route is implicitly denied.


Standard community lists differ from standard IP access lists in these ways:
■ The keyword internet should be used to permit any community value.
■ If more than one value is listed on a single line, all of them have to be present on the route for that line to match.

Here is the global configuration mode syntax for creating a standard community list:
ip community-list 1-99 {permit | deny} value [value ...]

To create an extended community list, use the following global configuration mode syntax:
ip community-list 100-199 {permit | deny} regexp

Extended community lists are like standard community lists, but they match on regular expressions: the communities attached to a route are ordered, converted to a string, and matched against the regexp. You can use .* to match any community value. Community lists are used in route-map match conditions (match community) to match on the communities attached to BGP routes. A route map with a community list matches a route if at least some of the communities attached to the route match the community list; use the exact option to require that all communities attached to the route match the community list. Remember, you can use route maps to filter routes or set other BGP attributes based on the communities attached to routes.

Route reflectors
BGP requires every iBGP speaker in an autonomous system to form an iBGP session with every other iBGP speaker in that autonomous system, which is impractical in many environments. Route reflectors are fully functional iBGP speakers that form iBGP sessions with other iBGP speakers, and they also perform a second function: they reflect routes learned from one iBGP speaker to their route reflector clients (and routes learned from clients to their other peers). The route reflector clients form iBGP sessions only with the route reflectors. A route reflector and its clients form a cluster. To configure route reflectors, consider these initial tasks:
■ Configure the proper cluster ID value on the route reflectors.
■ Configure the route reflector with which of its iBGP neighbor sessions reach clients.
■ On the clients, remove all iBGP sessions to neighbors that are not a route reflector in the client's cluster.
■ Make sure each removed iBGP neighbor is removed on both ends of the session.

If a BGP cluster has redundant route reflectors, configure the same cluster ID on each of them with the following command:
bgp cluster-id cluster-id

To configure the router as a BGP route reflector and the specified neighbor as its client, use the following command:
neighbor ip-address route-reflector-client
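An added Python example (not code from the Quick Reference Sheets) of the community mechanics described on the preceding pages: AS:nn encoding into the 32-bit value, the well-known communities and their effect on what is advertised to which kind of peer, set community with and without additive, and standard community-list evaluation with the sequential, all-values-on-a-line, internet and exact rules. The routes, lists and the 367:20 policy community are constructed; may_advertise() is this example's own helper, not an IOS command.

```python
"""BGP community values, the well-known communities, set community with and
without additive, and standard community-list matching.

Added example, not code from the Quick Reference Sheets; the community
values, routes and lists used below are constructed. The matching rules
implemented are the ones the text states: lines are evaluated in order,
every value on a line must be present on the route for that line to match,
'internet' matches any route, and a route matching no line is denied.
"""

WELL_KNOWN = {
    "internet": 0,
    "no-export": 0xFFFFFF01,
    "no-advertise": 0xFFFFFF02,
    "local-as": 0xFFFFFF03,      # NO_EXPORT_SUBCONFED in the RFC
}


def community_value(text):
    """Parse 'AS:nn', a well-known name, or a plain decimal into the 32-bit value."""
    if text in WELL_KNOWN:
        return WELL_KNOWN[text]
    if ":" in text:
        asn, low = (int(x) for x in text.split(":", 1))
        if not (0 <= asn <= 0xFFFF and 0 <= low <= 0xFFFF):
            raise ValueError("AS number and local part must each fit in 16 bits")
        return (asn << 16) | low
    value = int(text)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("a community is a 32-bit value (0 to 4294967295)")
    return value


def community_text(value):
    """Render as AS:nn (new format), or by name for the well-known values."""
    for name, known in WELL_KNOWN.items():
        if known == value and name != "internet":
            return name
    return f"{value >> 16}:{value & 0xFFFF}"


def set_community(current, new_values, additive=False):
    """'set community v1 v2 ... [additive]': overwrite unless additive."""
    new_set = {community_value(v) for v in new_values}
    return current | new_set if additive else new_set


def community_list_permits(clist, route_communities, exact=False):
    """clist is a list of (action, [community texts]) lines, in order.
    Returns True when the route is permitted, False when denied."""
    for action, values in clist:
        if values == ["internet"]:
            matched = True
        else:
            wanted = {community_value(v) for v in values}
            # exact: the route may carry nothing beyond the listed values
            matched = wanted == route_communities if exact else wanted <= route_communities
        if matched:
            return action == "permit"
    return False      # implicit deny


def may_advertise(route_communities, peer_kind):
    """Apply the well-known communities when deciding whether to send a route.
    peer_kind: 'ibgp', 'confed' (eBGP peer in another sub-AS of our own
    confederation) or 'ebgp' (a real external peer)."""
    if WELL_KNOWN["no-advertise"] in route_communities:
        return False
    if WELL_KNOWN["local-as"] in route_communities and peer_kind != "ibgp":
        return False
    if WELL_KNOWN["no-export"] in route_communities and peer_kind == "ebgp":
        return False
    return True


# Constructed: community 367:20 marks 'lower local preference to 75' routes.
LOWER_LP = community_value("367:20")
CLIST_LOWER_LP = [("permit", ["367:20"])]
CLIST_NOT_EXPORTED = [("deny", ["no-export"]), ("permit", ["internet"])]
```

The deny/permit-internet list is the shape to use when the goal is "everything except": without the trailing permit internet line, the implicit deny would reject every route that does not carry no-export.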

Confederations
Confederations are another method of solving the iBGP full-mesh requirement. A confederation divides the primary autonomous system into smaller subautonomous systems to reduce the number of iBGP peer connections; to the outside it still appears as one autonomous system. Five steps are used in the configuration of a confederation:
Step 1. Enable BGP using the member (sub) autonomous system number.
Step 2. Configure the confederation identifier (the autonomous system number seen by the outside) using the bgp confederation identifier command.
Step 3. Configure fully meshed iBGP neighbor relationships within the subautonomous system, using the subautonomous system number as the remote autonomous system number (ASN) for all internal iBGP peers.
Step 4. Configure neighbors in other subautonomous systems of the same confederation by specifying their subautonomous system number as the remote autonomous system number; those subautonomous systems must also be listed with the bgp confederation peers command so that the router treats them as confederation peers rather than as true external peers.
Step 5. Configure any eBGP neighbors as you normally would.

Peer groups
Configuring one router with multiple BGP peer relationships can become quite complex. Peer groups simplify the configuration: you create a peer group and assign neighbors with the same policies to it, and the members inherit the policies assigned to the group. To configure BGP peer groups on Cisco IOS routers, complete the following steps:
Step 1. Create a BGP peer group with the neighbor peer-group-name peer-group router configuration command.
Step 2. Specify parameters for the BGP peer group (for example, remote-as, route-map, send-community).
Step 3. Create a BGP neighbor.
Step 4. Assign the neighbor to the peer group with the neighbor ip-address peer-group peer-group-name router configuration command.


network backdoor command
The network backdoor router configuration command forces the administrative distance of the eBGP-learned route for that network to 200, so that a route to the same network learned through an IGP (which has a lower administrative distance) is preferred. A network marked as a backdoor is not advertised by the local router; it is expected to be learned from external neighbors. Verify that the route is in the BGP table, or the command has no effect.

Troubleshooting and monitoring BGP
Important commands not covered elsewhere in the BGP Short Cuts include the following:
■ show ip bgp neighbors ip-address—Displays detailed neighbor information
■ show ip bgp—Displays all the routes in the BGP table
■ show ip bgp ip-prefix [mask subnet-mask]—Displays detailed information about all paths for a single prefix
■ debug ip tcp transactions—Displays all TCP transactions
■ debug ip bgp events—Displays significant BGP events
■ debug ip bgp keepalives—Debugs BGP keepalive packets
■ debug ip bgp updates—Displays all incoming and outgoing BGP updates
■ debug ip bgp updates acl—Displays all received and sent updates matching an ACL
■ debug ip bgp ip-address updates [acl]—Displays all BGP updates received from or sent to a specific neighbor

An unrestricted debug ip bgp updates on a router carrying a full table can overwhelm the CPU by itself; constrain it with an ACL or a neighbor address.

Configuring the BGP maximum-prefix function
To limit how many prefixes a BGP router accepts from a neighbor, use the neighbor maximum-prefix router configuration command:
neighbor ip-address maximum-prefix maximum [threshold] [restart minutes] [warning-only]
When the limit is exceeded, the default action is to tear down the session (optionally restarting it after restart minutes); with warning-only the router only logs a message. This is the standard defense against a peer that leaks a full Internet table or floods you with bogus prefixes, whether by accident or by design.

Route dampening
Flapping routes create problems for BGP. An approach was created to withhold updates about a flapping route until the destination can be considered stable. This additional BGP scalability mechanism, called route flap dampening, reduces route update processing by suppressing unstable routes. To enable it, use the bgp dampening [half-life reuse suppress max-suppress-time] command. Suppression withdraws reachability for the affected prefix, so dampening applied with aggressive values turns someone else's instability (or an attacker who can induce flaps) into an outage for that prefix; tune the parameters deliberately.
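An added Python example, not code from the Quick Reference Sheets, showing what bgp dampening does to a prefix's penalty over time with the IOS defaults (1000 per flap, 15-minute half-life, suppress at 2000, reuse at 750, maximum suppress time 60 minutes); the flap timelines are constructed. It makes the trade-off concrete: three flaps in quick succession cost a prefix 30 minutes of reachability.

```python
"""Route flap dampening penalty arithmetic with the IOS 'bgp dampening'
defaults: 1000 penalty per flap, 15-minute half-life, suppress limit 2000,
reuse limit 750, maximum suppress time 60 minutes.

Added example, not code from the Quick Reference Sheets; the flap timelines
fed to simulate() are constructed. Times are in minutes.
"""
import math

PENALTY_PER_FLAP = 1000
HALF_LIFE_MIN = 15.0
SUPPRESS_LIMIT = 2000
REUSE_LIMIT = 750
MAX_SUPPRESS_MIN = 60.0
# The penalty is capped so that a route is never suppressed longer than
# MAX_SUPPRESS_MIN: reuse limit * 2^(max-suppress / half-life) = 12000.
MAX_PENALTY = REUSE_LIMIT * 2 ** (MAX_SUPPRESS_MIN / HALF_LIFE_MIN)


def decay(penalty, minutes):
    """Exponential decay: the penalty halves every half-life."""
    return penalty * 0.5 ** (minutes / HALF_LIFE_MIN)


def minutes_until_reuse(penalty):
    """How long a suppressed route stays suppressed if it stops flapping now."""
    if penalty < REUSE_LIMIT:
        return 0.0
    return HALF_LIFE_MIN * math.log2(penalty / REUSE_LIMIT)


def simulate(flap_times, observe_at):
    """Replay flaps (a list of minute timestamps) and return
    (penalty, suppressed) as seen at minute observe_at."""
    penalty, suppressed, now = 0.0, False, 0.0
    for t in sorted(flap_times):
        if t > observe_at:
            break
        penalty = decay(penalty, t - now)
        now = t
        if penalty < REUSE_LIMIT:
            suppressed = False          # decayed below reuse before this flap
        penalty = min(penalty + PENALTY_PER_FLAP, MAX_PENALTY)
        if penalty >= SUPPRESS_LIMIT:
            suppressed = True
    penalty = decay(penalty, observe_at - now)
    if penalty < REUSE_LIMIT:
        suppressed = False
    return penalty, suppressed


if __name__ == "__main__":
    for flaps in ([0], [0, 1], [0, 1, 2]):
        print(flaps, simulate(flaps, flaps[-1]))
    print("3 flaps at t=0, suppressed at 10-minute checks:",
          [simulate([0, 0, 0], m)[1] for m in range(0, 61, 10)])
```

Two flaps a minute apart stay just under the suppress limit; the third crosses it. Because suppression is decided per prefix and per neighbor, an adversary who can toggle a customer's link three times obtains a half-hour blackhole for that customer's prefix on every router that dampens, which is why the defaults are usually relaxed or dampening left off on customer-facing sessions.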
■ ■


EIGRP
Enhanced Interior Gateway Routing Protocol (EIGRP) is a hybrid routing protocol, combining features of both distance vector and link-state routing protocols. Its advantages include the following:
■ VLSM support
■ Rapid convergence thanks to the Diffusing Update Algorithm (DUAL)
■ Low CPU utilization, with typically only hellos and partial updates being sent on a link
■ Incremental updates
■ Scalability
■ Ease of configuration
■ Automatic route summarization or manual route summarization
■ MD5 authentication of routing updates

EIGRP uses IP protocol 88. It uses the multicast address 224.0.0.10 for hellos and routing updates.

EIGRP's metric
EIGRP uses a composite metric like Interior Gateway Routing Protocol (IGRP), multiplied by 256. Bandwidth and delay are the only components used by default. EIGRP calls the metric of the best path the feasible distance. The possible metric components are as follows:
■ Bandwidth—Expressed in kilobits per second; the lowest bandwidth along the path is used. To adjust the bandwidth value assigned to an interface, use the bandwidth interface command.
■ Delay—Shown in microseconds in show interface output and entered in tens of microseconds with the delay interface command; the delays along the path are summed. When manipulating metrics, prefer delay, because changing bandwidth also affects other protocols and features (such as OSPF cost and QoS) on the interface.
■ Reliability—Expressed as a number from 1 to 255; 255 is a completely reliable link and 1 a completely unreliable one.
■ Load—Expressed as a number from 1 to 255; 1 is a minimally loaded link and 255 a saturated one.
■ MTU—Maximum transmission unit; the smallest MTU recorded along the path. It is carried in updates but is not used in the metric calculation.

The metric formula used by EIGRP is as follows:
metric = 256 × [K1 × BW + (K2 × BW) / (256 − load) + K3 × delay] × [K5 / (reliability + K4)]
where BW = 10^7 / (lowest bandwidth on the path in kbps) and delay is the sum of the delays along the path in tens of microseconds. The second factor is applied only when K5 ≠ 0. By default K1 = 1, K2 = 0, K3 = 1, K4 = 0, K5 = 0, which reduces the metric to 256 × (BW + delay). The K values are carried in hello packets; if you change them on one router, you must change them on every router in the autonomous system, or adjacencies do not form. EIGRP uses a 32-bit metric as opposed to the 24-bit metric of IGRP; the two are compatible automatically during redistribution because the EIGRP metric is simply the IGRP metric multiplied by 256.
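The metric formula as an added Python example (not code from the Quick Reference Sheets), using constructed interface values: FastEthernet (100000 kbps, 100 µs) and a T1 serial link (1544 kbps, 20000 µs), which reproduce the familiar EIGRP metrics 28160 and 2169856. It also shows the IGRP scaling and the K-value check that decides whether two neighbors can form an adjacency.

```python
"""EIGRP composite metric with the K values.

Added example, not code from the Quick Reference Sheets. It implements the
classic 32-bit formula: bandwidth term = 10^7 / lowest bandwidth on the path
(kbit/s), delay term = sum of interface delays in tens of microseconds, the
whole bracket scaled by 256; the K5 factor applies only when K5 is non-zero.
The interface values are constructed (FastEthernet and T1 defaults).
"""
from dataclasses import dataclass


@dataclass
class Hop:
    bandwidth_kbps: int       # value of the 'bandwidth' interface command
    delay_usec: int           # 'delay' is entered in tens of usec; stored in usec here
    reliability: int = 255    # 255 = fully reliable
    load: int = 1             # 1 = minimally loaded


DEFAULT_K = (1, 0, 1, 0, 0)   # K1..K5; must match on every router in the AS


def eigrp_metric(path, k=DEFAULT_K):
    """Composite metric of a path given as a list of outgoing-interface Hops.
    Integer arithmetic, as the router does it."""
    k1, k2, k3, k4, k5 = k
    bw = 10_000_000 // min(h.bandwidth_kbps for h in path)   # slowest link
    delay = sum(h.delay_usec // 10 for h in path)             # cumulative, tens of usec
    reliability = min(h.reliability for h in path)
    load = max(h.load for h in path)
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay
    if k5 != 0:
        metric = (metric * k5) // (reliability + k4)
    return metric * 256


def igrp_metric(path, k=DEFAULT_K):
    """IGRP used the same formula without the final *256 (24-bit metric);
    redistribution between the two just scales by 256."""
    return eigrp_metric(path, k) // 256


def neighbors_can_form(k_local, k_remote):
    """Hello packets carry the K values; a mismatch prevents adjacency."""
    return tuple(k_local) == tuple(k_remote)


FAST_ETHERNET = Hop(bandwidth_kbps=100_000, delay_usec=100)
T1_SERIAL = Hop(bandwidth_kbps=1544, delay_usec=20_000)

if __name__ == "__main__":
    print("FastEthernet:", eigrp_metric([FAST_ETHERNET]))          # 28160
    print("T1:", eigrp_metric([T1_SERIAL]))                        # 2169856
    print("FE then T1:", eigrp_metric([FAST_ETHERNET, T1_SERIAL]))  # 2172416
```

Raising the delay on one interface changes only the paths through that interface, which is the reason the text recommends delay over bandwidth for metric manipulation.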

EIGRP packets
■ Hello—Establish neighbor relationships
■ Update—Send routing updates


■ Query—Ask neighbors about routing information
■ Reply—Respond to queries
■ Ack—Acknowledge packets that are sent reliably

Initial route discovery
Router discovery and route exchange happen simultaneously, as follows:
1. The router comes up and sends hellos.
2. The reply from a neighbor includes an Update carrying its complete routing information.
3. Ack packets are sent.
4. The Update process occurs in the opposite direction.

FIGURE 4-9 EIGRP discovery and route exchange (the figure shows the sequence: Hello; Hello and complete routing information; Ack and complete routing information; Ack, then converged)

Hello packets are sent to 224.0.0.10, and the autonomous system numbers must match. Hellos are sent every 5 seconds on broadcast links, point-to-point serial links, point-to-point subinterfaces, and multipoint circuits faster than T1, and every 60 seconds on other (slower multipoint) link types. The hold time defaults to 3 times the hello time. Unlike OSPF, EIGRP forms neighborships even if the hello and hold values do not match between neighbors.

EIGRP reliability
Packets that require acknowledgment are as follows:
■ Update
■ Query
■ Reply

Packets that do not require acknowledgment are as follows:
■ Hello
■ Ack

A reliable packet that is not acknowledged is retransmitted; when the retry limit (16) is reached, the neighbor is reset. Neighbors that are slow to acknowledge multicast packets are sent the retransmissions as unicast instead, so one slow neighbor does not hold up the rest of the segment.

EIGRP DUAL
The lowest-cost route is calculated by adding the cost between the next-hop router and the destination (the advertised distance [AD], also called the reported distance) to the cost between the local router and that next hop. This sum is referred to as the feasible distance (FD). A successor is the neighboring router that the local router has selected to forward packets to the destination. Multiple successors can exist if they have equal-cost paths.


The next-hop router for a backup path is called the feasible successor. To qualify as a feasible successor, a next-hop router must have an AD strictly less than the FD of the current successor route; this feasibility condition is what guarantees that the backup path is loop-free. More than one feasible successor can exist. Because a feasible successor can be promoted without recalculation or querying neighbors, it is a major reason for EIGRP's fast convergence. Remember, EIGRP acts classful by default and automatically summarizes on major network boundaries; you typically want to disable this with the no auto-summary router configuration command.

Configuring EIGRP
To enable EIGRP, use the following global configuration command:
router eigrp autonomous-system-number

To identify the interfaces participating in EIGRP, use the following router configuration command:
network network-number [wildcard-mask]

Using the default-network command
With the ip default-network command, you can configure a default route for the EIGRP process so that it propagates to other EIGRP routers within the same autonomous system. A router configured with this command considers the network listed in the command as the gateway of last resort. Define the route to that network (for example, with a static route) so that it exists in the routing table and is advertised.

Verification
A command that deserves some elaboration is the show ip eigrp topology command. The codes in its output are as follows:
■ Passive (P)—The network is available, and installation in the routing table can occur; this is the normal state.
■ Active (A)—The network is currently unavailable, the router is querying its neighbors for it, and installation in the routing table cannot occur.
■ Update (U)—The network is being updated (placed in an update packet), or the router is waiting for an acknowledgment of that update packet.
■ Query (Q)—An outstanding query packet exists for this network other than its being in the active state, or the router is waiting for an acknowledgment of a query packet.
■ Reply (R)—The router is generating a reply for this network or is waiting for an acknowledgment of the reply packet.
■ Stuck in active (SIA)—Signifies an EIGRP convergence problem for the associated network: a queried neighbor has not replied before the active timer expired.


EIGRP route summarization
EIGRP performs auto-summarization by default. You can also configure manual summarization. Keep the following in mind about manual summarization:
■ To disable auto-summarization, use the no auto-summary command in EIGRP router configuration mode.
■ Use the ip summary-address eigrp interface command to manually create a summary route at an arbitrary network boundary within an EIGRP domain.

Summarization is configurable on a per-interface basis on any router within a network. When summarization is configured on an interface, the router immediately installs a route for the summary pointing to null0. This is a loop-prevention mechanism: traffic for parts of the summary that have no more specific route is discarded instead of following a default route back out. When the last specific route covered by the summary goes away, the summary is withdrawn. The minimum metric of the specific routes is used as the metric of the summary route.

Bandwidth utilization
By default, EIGRP uses up to 50 percent of the bandwidth of an interface or subinterface, as set with the bandwidth parameter. This percentage can be changed on a per-interface basis with the ip bandwidth-percent eigrp as-number percent interface configuration command, where percent is the percentage of the configured bandwidth that EIGRP can use. The percentage can exceed 100, which is useful if the bandwidth is configured artificially low for routing-policy reasons.

EIGRP stub routing
Stub routing is often used in a hub-and-spoke topology. Only the routes you specify are propagated from the stub router. A router configured as a stub sends a special peer information packet to all neighboring routers to report its stub status; nonstub routers do not query stub routers, and a stub router answers any query it does receive with "inaccessible". The stub feature by itself does not prevent routes from being advertised to the stub router; for that, you must configure summarization or default-route behavior on the hub. To configure the stub router, use the following router configuration command:
eigrp stub [receive-only | connected | static | summary]

The optional keywords with this command control which routes the router advertises to its nonstub peers.

Unequal-cost load balancing
The degree to which EIGRP performs load balancing is controlled with the variance command. You set the variance to a number from 1 to 128; the default is 1, which means equal-cost load balancing only. The multiplier defines the range of metric values the EIGRP process accepts for load balancing: for example, to load-balance between two links with metrics of 1000 and 2000, set the variance to 2. Only paths through feasible successors are eligible, so a path whose metric falls within variance × FD is still ignored if its next hop fails the feasibility condition.

Using a distribute list with redistribution helps prevent route feedback. Route feedback occurs when routes originally learned from one routing protocol are redistributed back into that protocol; it is a common cause of routing loops and of stale routes that outlive the failure of their original source.
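The DUAL selection rules (EIGRP DUAL, earlier in this chapter) and the variance multiplier (Unequal-cost load balancing, above) as one added Python example, not code from the Quick Reference Sheets. The neighbor advertisements are constructed. One assumption is made: the variance test is treated as metric ≤ variance × FD so that the 1000/2000 example in the text works with variance 2; verify the boundary on your platform.

```python
"""DUAL successor and feasible-successor selection, and the variance
multiplier for unequal-cost load balancing.

Added example, not code from the Quick Reference Sheets; the neighbor
advertisements are constructed. One assumption: the variance test is
treated as 'metric <= variance * FD' so that the 1000/2000 example in the
text works with variance 2; verify the boundary on your platform.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Neighbor:
    name: str
    advertised_distance: int   # AD: the neighbor's own metric to the destination
    link_cost: int             # metric of the link from this router to the neighbor

    @property
    def metric(self):
        """Metric via this neighbor (its AD plus the link to it)."""
        return self.advertised_distance + self.link_cost


def dual_select(neighbors):
    """Return (feasible distance, successors, feasible successors).

    FD is the lowest metric; every neighbor at that metric is a successor.
    A feasible successor is any other neighbor whose AD is strictly lower
    than FD (the feasibility condition, which guarantees it is loop-free)."""
    fd = min(n.metric for n in neighbors)
    successors = [n for n in neighbors if n.metric == fd]
    feasible = [n for n in neighbors
                if n.metric != fd and n.advertised_distance < fd]
    return fd, successors, feasible


def load_balancing_paths(neighbors, variance=1):
    """Paths installed in the routing table with a given variance: all
    successors, plus feasible successors whose metric is within variance*FD.
    Neighbors failing the feasibility condition are never used, however low
    their metric."""
    fd, successors, feasible = dual_select(neighbors)
    chosen = list(successors)
    chosen += [n for n in feasible if n.metric <= variance * fd]
    return [n.name for n in chosen]


# Constructed advertisements for one destination:
#   A: AD 500  + link 500  = 1000 -> successor, FD = 1000
#   B: AD 800  + link 1200 = 2000 -> AD < FD, feasible successor
#   C: AD 1500 + link 100  = 1600 -> cheaper than B but AD >= FD: may loop, never used
#   D: AD 900  + link 3000 = 3900 -> feasible, needs variance 4 to be installed
SAMPLE = [
    Neighbor("A", 500, 500),
    Neighbor("B", 800, 1200),
    Neighbor("C", 1500, 100),
    Neighbor("D", 900, 3000),
]

if __name__ == "__main__":
    fd, succ, feas = dual_select(SAMPLE)
    print("FD", fd, "successors", [n.name for n in succ],
          "feasible successors", [n.name for n in feas])
    for v in (1, 2, 4):
        print("variance", v, "->", load_balancing_paths(SAMPLE, v))
```

Neighbor C is the instructive case: its total metric is lower than B's, yet it is never installed, because an AD of 1500 means C's own best path might run back through this router.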

Route Filtering and Policy Routing
Distribute lists
You can filter routing update traffic for any protocol by defining an access list and applying it to a specific routing protocol. You use the distribute-list router configuration command and link it to the access list to filter routing updates. For outbound updates, the command is as follows:
distribute-list {access-list-number | name} out [interface-name | routing-process [autonomous-system-number]]

For inbound updates, the command is as follows:
distribute-list {access-list-number | name} in [interface-type interface-number]

Route maps
Route maps are complex access lists that allow conditions to be tested against a packet or route using match commands. If the conditions match, actions specified by set commands can modify attributes of the packet or route. Several of the more common applications for route maps are as follows:
■ Route filtering during redistribution
■ Policy-based routing (PBR)
■ Network Address Translation (NAT)
■ Implementing BGP policies

To define a route map and the sequence number of each of its lines, use the following global configuration mode command:
route-map map-tag [permit | deny] [sequence-number]


To define the conditions to match, use the following route-map configuration command:
match {conditions}

To define the actions to be taken, use the following route-map configuration command:
set {actions}

Redistribution
Although redistribution between particular protocols has unique concerns and characteristics, the following generic steps apply to all routing protocol combinations:
Step 1. Locate the boundary router that requires redistribution configuration.
Step 2. Determine which routing protocol is the core or backbone protocol.
Step 3. Determine which routing protocol is the edge or short-term protocol.
Step 4. Select a method for injecting the required edge-protocol routes into the core.

Use the following router configuration command to redistribute routes into RIP:
redistribute protocol [process-id] [match route-type] [metric metric-value] [route-map map-tag]

Use the following command to redistribute routes into OSPF:
redistribute protocol [process-id] [metric metric-value] [metric-type type-value] [route-map map-tag] [subnets] [tag tag-value]
Without the subnets keyword, only classful networks are redistributed into OSPF.

Policy routing
PBR enables you to implement policies that selectively cause packets to take different paths, departing from the usual destination-based forwarding of IP. For example, you can easily route traffic based on source address information, and you can mark traffic with different type of service (ToS) values. You implement PBR through route maps. To apply a route map for PBR to traffic arriving on an interface, use the following interface configuration command:
ip policy route-map map-tag

PBR must be configured before PBR fast switching can be enabled. Fast switching of PBR is disabled by default; to enable it, use the ip route-cache policy command in interface configuration mode.

Use the following command to redistribute routes into EIGRP:
redistribute protocol [process-id] [match {internal | external 1 | external 2}] [metric metric-value] [route-map map-tag]

Use the following command to redistribute routes into IS-IS:
redistribute protocol [process-id] [level level-value] [metric metric-value] [metric-type type-value] [route-map map-tag]

Route tagging
Various routing protocols support tag fields. This tag field provides a location where additional information about a route can be stored. This field is commonly used to identify the autonomous system from which a route was obtained when a route is learned from a different autonomous system. Route tagging enables you to customize routing and maintain flexible policy controls.

CHAPTER 5
Quality of Service (QoS)
Introduction
Voice, video, and data travel side by side over today’s converged networks. Some of these traffic types (for example, VoIP) need better treatment (that is, higher priority) than other types of traffic (for example, FTP). Fortunately, Cisco offers a suite of QoS tools for providing special treatment for special traffic. In the absence of QoS, traffic might suffer from one or more of the following symptoms:
■ Delay (latency)—Excessive time required for a packet to traverse the network
■ Delay variation (jitter)—The uneven arrival of packets, which in the case of VoIP can be interpreted by the listener as dropped voice packets
■ Packet loss—Dropping packets, especially problematic for User Datagram Protocol (UDP) traffic (for example, VoIP), which does not retransmit dropped packets

You have two categories of QoS tools: Integrated Services (IntServ) and Differentiated Services (DiffServ). IntServ provides QoS by guaranteeing treatment to a particular traffic flow. A commonly used IntServ tool is RSVP (Resource Reservation Protocol). As the name suggests, DiffServ differentiates (that is, classifies) between different types of traffic and provides different levels of service based on those distinctions. Instead of forcing every network device to classify traffic, DiffServ can mark packets with a particular priority marking that can be referenced by other network devices.

ToS and IP Precedence
Packet marking can be accomplished by altering bits in an IPv4 header’s ToS byte. Two common markings that use the ToS byte are IP Precedence and Differentiated Services Code Point (DSCP). IP Precedence is an older approach than DSCP and uses the 3 leftmost bits in the ToS byte. With 3 bits to use, IP Precedence values can range from 0 to 7. Cisco recommends that IP Precedence values 6 and 7 never be used because they are reserved for network use. Cisco IOS Software accepts either an IP Precedence number or its equivalent name, as shown in the following table.

IP Precedence Value   Name
0                     Routine
1                     Priority
2                     Immediate
3                     Flash
4                     Flash-override
5                     Critical
6                     Internet
7                     Network

FIGURE 5-1 Layer 3 packet markings
(Figure: the ToS byte, bits 1 through 8; bits 1–3 carry the IP Precedence value, bits 1–6 carry the DSCP value.) Inside an IPv4 header is a Type of Service (ToS) byte. The 3 leftmost bits in that byte can be used to mark the packet with an IP Precedence value (0–7). Alternately, the 6 leftmost bits in the ToS byte can be used to mark the packet with a DSCP value (0–63).

Differentiated Services Code Point
Differentiated Services Code Point (DSCP) uses the 6 leftmost bits in an IPv4 header’s ToS byte. With 6 bits at its disposal, DSCP has up to 64 DSCP values (0 to 63) assigned to various classes of traffic. With so many values to select from, to maintain relative levels of priority among routers, the IETF recommends selected DSCP values for use. These values, called Per-Hop Behaviors (PHB), determine how packets are treated at each hop along the path from the source to the destination.

When configuring a router to mark or recognize a DSCP value, the decimal number itself can be used. However, a more convenient method is to use the name of specific DSCP values. Assured Forwarding (AF) PHBs are typically used to identify different levels of priority for data applications. For latency-sensitive applications, however, the Expedited Forwarding (EF) PHB can be used. A listing of commonly used PHB names and their corresponding DSCP values is shown in the following table.

PHB       Low Drop Preference   Medium Drop Preference   High Drop Preference
Class 1   AF11 (10)             AF12 (12)                AF13 (14)
Class 2   AF21 (18)             AF22 (20)                AF23 (22)
Class 3   AF31 (26)             AF32 (28)                AF33 (30)
Class 4   AF41 (34)             AF42 (36)                AF43 (38)
EF        EF (46)

Notice that the AF PHBs are grouped into four classes. Examining these DSCP values in binary reveals that the 3 leftmost bits of all the Class 1 AF PHBs are 001 (that is, a decimal value of 1), the 3 leftmost bits of all the Class 2 AF PHBs are 010 (that is, a decimal value of 2), the 3 leftmost bits of all the Class 3 AF PHBs are 011 (that is, a decimal value of 3), and the 3 leftmost bits of all the Class 4 AF PHBs are 100 (that is, a decimal value of 4). Because IP Precedence examines these 3 leftmost bits, all Class 1 DSCP values would be interpreted by an IP Precedence–aware router as an IP Precedence value of 1. The same applies to the Class 2, 3, and 4 PHB values. In a similar fashion, the 3 leftmost bits of the EF PHB are 101 (that is, a decimal value of 5). Therefore, the EF PHB would be interpreted by an IP Precedence–aware router as an IP Precedence of 5, the highest IP Precedence value that we should assign. Because of these associations that exist between DSCP markings and IP Precedence, DSCP is said to be “backward compatible” with IP Precedence.

Class of Service
While an IP header’s ToS byte can be used for Layer 3 markings, a class of service (CoS) marking can be used for Layer 2 markings. Specifically, CoS markings are applied to frames crossing an IEEE 802.1Q or an Inter-Switch Link (ISL) trunk. Regardless of the trunk type, CoS markings use 3 bits. So, like IP Precedence, CoS values range from 0 through 7, and again, values 6 and 7 are reserved.

Network-Based Application Recognition
Cisco offers multiple approaches to identify packets to mark. For example, packets could be classified and marked if they match a particular access list or if they came into a router on a particular interface. However, one of the most powerful Cisco IOS tools for performing packet classification is Network-Based Application Recognition (NBAR). NBAR can look beyond Layer 4 information, all the way up to the application layer, where NBAR can recognize such packet attributes as character strings in a URL. NBAR is accomplished using the MQC, the Modular QoS (quality of service) CLI (command-line interface). This tool is shown later in this section. NBAR is used in a class map to identify traffic. The match protocol keywords are used to trigger NBAR, as follows:
class-map IDENTIFY_HTTP
 match protocol http
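The ToS-byte layout and the AF/EF table above, worked through as an added Python example (this is not code from the reference sheets); the IPv4 header it decodes is constructed inline.

```python
"""Layer 3 marking arithmetic for the IPv4 ToS byte described above.

Added example, not from the original reference sheets. It derives the AF
and EF DSCP values in the PHB table from their class and drop-preference
digits, shows why a router that reads only IP Precedence sees each AF
class as the matching precedence value, and pulls both markings out of a
raw IPv4 header. The header built at the bottom is constructed here.
"""
import struct

PRECEDENCE_NAMES = ["Routine", "Priority", "Immediate", "Flash",
                    "Flash-override", "Critical", "Internet", "Network"]
RESERVED_PRECEDENCE = {6, 7}   # reserved for network use
EF_DSCP = 46                   # 101110 in binary


def af_dscp(af_class: int, drop_preference: int) -> int:
    """AFxy -> DSCP. The class x is the 3 leftmost bits of the 6-bit field,
    the drop preference y the next 2 bits; the 6th bit is always 0."""
    if not (1 <= af_class <= 4 and 1 <= drop_preference <= 3):
        raise ValueError("AF classes are 1-4 and drop preferences 1-3")
    return (af_class << 3) | (drop_preference << 1)


def phb_name(dscp: int) -> str:
    """Name a DSCP value the way the PHB table does (AFxy, EF), else the number."""
    if dscp == EF_DSCP:
        return "EF"
    af_class, drop_preference, last_bit = dscp >> 3, (dscp >> 1) & 0b11, dscp & 1
    if 1 <= af_class <= 4 and 1 <= drop_preference <= 3 and last_bit == 0:
        return f"AF{af_class}{drop_preference}"
    return f"DSCP {dscp}"


def dscp_to_precedence(dscp: int) -> int:
    """The 3 leftmost DSCP bits are the IP Precedence bits: this is the
    'backward compatibility' the text describes (AF3x -> 3, EF -> 5)."""
    return dscp >> 3


def tos_byte(dscp: int) -> int:
    """Place a 6-bit DSCP in the 8-bit ToS byte; the 2 rightmost bits stay 0."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP values are 0-63")
    return dscp << 2


def markings_from_tos(tos: int) -> dict:
    """Decode a ToS byte into both markings plus the precedence name."""
    precedence = tos >> 5          # 3 leftmost bits
    dscp = tos >> 2                # 6 leftmost bits
    return {
        "precedence": precedence,
        "precedence_name": PRECEDENCE_NAMES[precedence],
        "reserved_precedence": precedence in RESERVED_PRECEDENCE,
        "dscp": dscp,
        "phb": phb_name(dscp),
    }


def build_ipv4_header(dscp: int, src="10.0.0.1", dst="10.0.0.2") -> bytes:
    """Constructed 20-byte IPv4 header (UDP payload, no options, checksum 0)."""
    def addr(a):
        return bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos_byte(dscp), 20, 0, 0, 64, 17, 0,
                       addr(src), addr(dst))


def markings_from_header(header: bytes) -> dict:
    """The ToS byte is the second byte of the IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return markings_from_tos(header[1])


if __name__ == "__main__":
    for c in range(1, 5):
        print(f"Class {c}:", [f"{phb_name(af_dscp(c, d))} ({af_dscp(c, d)})" for d in (1, 2, 3)])
    print(markings_from_header(build_ipv4_header(EF_DSCP)))
```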

Queuing Techniques
Just marking a packet does not change its operation, unless QoS tools are enabled that can reference that marking. Fortunately, multiple QoS tools can make forwarding or dropping decisions based on these markings. Queuing techniques are often referred to as congestion management tools. Queuing tools decide how packets are emptied from an interface’s output queue. Several queuing tools are available in the Cisco IOS Software:
■ First-In, First-Out (FIFO)—The default queuing mechanism on high-speed interfaces (that is, greater than 2.048 Mbps), which does not reorder packets
■ Weighted Fair Queuing (WFQ)—The default queuing mechanism on low-speed interfaces, which makes forwarding decisions based on a packet’s size and Layer 3 priority marking
■ Low latency queuing (LLQ)—The preferred queuing method for voice and video traffic, where traffic can be classified in up to 64 different classes, with different amounts of bandwidth given to each class; includes the ability to give priority treatment to one or more classes
■ Priority queuing—A legacy queuing approach with four queues, where higher-priority queues must be emptied before forwarding traffic from any lower-priority queues
■ Custom queuing—A legacy queuing approach that services up to 16 queues in a round-robin fashion, emptying a specified number of bytes from each queue during each round-robin cycle
■ Class-based weighted fair queuing (CBWFQ)—Very similar to LLQ, with the exception of having no priority queuing mechanism
■ IP RTP priority—A legacy queuing approach for voice traffic that placed a range of UDP ports in a priority queue, with all other packets treated with WFQ

Weighted fair queuing (WFQ) is enabled by default on slow-speed interfaces (that is, 2.048 Mbps and slower). WFQ allocates a queue for each flow, for as many as 256 flows by default. WFQ uses IP Precedence values to provide a weighting to fair queuing (FQ). When emptying the queues, FQ, sometimes called “flow-based queuing,” does “byte-by-byte” scheduling. Specifically, FQ looks 1 byte deep into each queue to determine whether an entire packet can be sent. FQ then looks another byte deep into the queue to determine whether an entire packet can be sent. As a result, smaller traffic flows and smaller packet sizes have priority over bandwidth-hungry flows with large packets. In the following example, three flows simultaneously arrive at a queue. Flow A has three packets, which are 128 bytes each. Flow B has a single 96-byte packet. Flow C has a single 70-byte packet. After 70 byte-by-byte rounds, FQ can transmit the packet from flow C. After an additional 26 rounds, FQ can transmit the packet from flow B. After an additional 32 rounds, FQ can transmit the first packet from flow A.

Another 128 rounds are required to send the second packet from flow A. Finally, after a grand total of 384 rounds, the third packet from flow A is transmitted.

FIGURE 5-2 Fair queuing
(Figure: flow A (A3, A2, A1, 128 bytes each), flow B (B1, 96 bytes), and flow C (C1, 70 bytes) feeding a single output queue.)

With WFQ, a packet’s IP Precedence influences the order in which it is emptied from a queue. Consider the previous scenario with the addition of IP Precedence markings. In this scenario, flow A’s packets are marked with an IP Precedence of 5, whereas flow B and flow C have default IP Precedence markings of 0. The order of packet servicing with WFQ is based on “sequence numbers,” where packets with the lowest sequence numbers are emptied first. The sequence number is the “weight” of the packet multiplied by the number of byte-by-byte rounds that must be completed to service the packet (that is, just as in the FQ example). The Cisco IOS Software calculates a packet’s weight differently depending on the Cisco IOS version. Before Cisco IOS Release 12.0(5)T, the formula for weight was WEIGHT = 4096/(IP Prec. + 1). In more recent versions of the Cisco IOS Software, the formula for weight is WEIGHT = 32768/(IP Prec. + 1). Using the pre-Cisco IOS Release 12.0(5)T formula, the sequence numbers are as follows:
A1 = 4096 / (5 + 1) * 128 = 87,381
A2 = 4096 / (5 + 1) * 128 + 87,381 = 174,762
A3 = 4096 / (5 + 1) * 128 + 174,762 = 262,144
B1 = 4096 / (0 + 1) * 96 = 393,216
C1 = 4096 / (0 + 1) * 70 = 286,720

FIGURE 5-3 Weighted fair queuing
(Figure: the same three flows, with IP Precedence 5 on flow A and IP Precedence 0 on flows B and C, feeding the output queue.)
Sequence Number* = 4096/(IP Prec. + 1)
* In IOS 12.0(5)T and later, the Sequence Number = 32768/(IP Prec. + 1).

Therefore, after the weighting is applied, WFQ empties packets from the queue in the following order: A1—A2—A3—C1—B1. With only FQ, packets are emptied from the queue in the following order: C1—B1—A1—A2—A3.
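The FQ and WFQ walkthrough above, replayed as an added Python example (not code from the reference sheets); the packet scenario is the one in the text, encoded inline.

```python
"""Replaying the FQ and WFQ scheduling walkthrough above.

Added example, not from the original reference sheets. Flow A sends three
128-byte packets marked IP Precedence 5, flow B one 96-byte packet and
flow C one 70-byte packet, both precedence 0 (the scenario in the text).
fq_finish_rounds() counts the byte-by-byte rounds after which each packet
can be transmitted; wfq_sequence_numbers() applies the weight formula to
those round counts, truncating to integers so the figures match the text.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    name: str
    flow: str
    size: int          # bytes
    precedence: int    # IP Precedence, 0-7


SCENARIO = [  # order inside a flow is the arrival order
    Packet("A1", "A", 128, 5), Packet("A2", "A", 128, 5), Packet("A3", "A", 128, 5),
    Packet("B1", "B", 96, 0), Packet("C1", "C", 70, 0),
]


def fq_finish_rounds(packets):
    """FQ services every flow's queue one byte per round, so a packet is
    ready once the cumulative bytes queued ahead of it in its own flow
    (itself included) have been 'looked at'."""
    cumulative = {}
    rounds = {}
    for p in packets:
        cumulative[p.flow] = cumulative.get(p.flow, 0) + p.size
        rounds[p.name] = cumulative[p.flow]
    return rounds


def fq_order(packets):
    """Packets leave in the order their round counts are reached."""
    rounds = fq_finish_rounds(packets)
    return sorted(rounds, key=lambda name: rounds[name])


def weight_numerator(ios_12_0_5T_or_later: bool) -> int:
    """WEIGHT = 4096/(IP Prec. + 1) before 12.0(5)T, 32768/(IP Prec. + 1) after."""
    return 32768 if ios_12_0_5T_or_later else 4096


def wfq_sequence_numbers(packets, ios_12_0_5T_or_later=False):
    """sequence number = weight * rounds, computed as numerator*rounds//(prec+1)
    so that A1 = 4096/(5+1)*128 truncates to 87,381 exactly as in the text."""
    numerator = weight_numerator(ios_12_0_5T_or_later)
    rounds = fq_finish_rounds(packets)
    return {p.name: numerator * rounds[p.name] // (p.precedence + 1) for p in packets}


def wfq_order(packets, ios_12_0_5T_or_later=False):
    """Lowest sequence number is emptied first."""
    seq = wfq_sequence_numbers(packets, ios_12_0_5T_or_later)
    return sorted(seq, key=lambda name: seq[name])


if __name__ == "__main__":
    print("FQ rounds:", fq_finish_rounds(SCENARIO), "->", fq_order(SCENARIO))
    print("WFQ sequence numbers:", wfq_sequence_numbers(SCENARIO), "->", wfq_order(SCENARIO))
```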

Custom queuing (CQ) enhances some of the characteristics of WFQ by allowing the administrator to specify which traffic goes into a particular queue. Also, a “weight” can be assigned to each of the queues, which specifies how many bytes are emptied from a queue during each round-robin servicing of the queues. Consider the following custom queuing example:
Router(config)#queue-list 1 protocol ip 1 tcp www
Router(config)#queue-list 1 protocol ip 2 tcp telnet
Router(config)#queue-list 1 default 3
Router(config)#queue-list 1 queue 1 byte-count 1500 limit 512
Router(config)#queue-list 1 queue 2 byte-count 1500 limit 512
Router(config)#queue-list 1 queue 3 byte-count 3000 limit 512
!
Router(config)#interface serial 0/1
Router(config-if)#bandwidth 128
Router(config-if)#custom-queue-list 1

In the preceding example, a queue list (numbered 1) is defined. The queue list specifies that World Wide Web traffic goes in queue 1, Telnet traffic goes in queue 2, and other traffic (that is, default traffic) goes in queue 3. CQ services these queues in a round-robin fashion. As CQ empties the queues, the number of bytes emptied from each queue is influenced with the byte-count option seen in the example. The number of packets that can be placed in a particular queue can also be specified with the limit option. In the preceding example, each queue can accommodate 512 packets. Finally, the queue list is applied to interface serial 0/1.

In the preceding example, 1500 bytes are emptied from queue 1 and from queue 2 during each round-robin cycle, and 3000 bytes are emptied from queue 3 during each round-robin cycle. Therefore, a bandwidth percentage for each traffic type can be calculated as follows:
Total number of bytes serviced during each round-robin cycle = 1500 + 1500 + 3000 = 6000
Percentage of bandwidth for World Wide Web traffic = 1500/6000 = .25 = 25 percent
Percentage of bandwidth for Telnet traffic = 1500/6000 = .25 = 25 percent
Percentage of bandwidth for default traffic = 3000/6000 = .5 = 50 percent

CQ does, however, have a “deficit” issue. Specifically, when CQ is emptying bytes from a queue, it cannot send a partial packet. Consider a situation in which two packets are in queue 1, a 1499-byte packet and a 1500-byte packet. Queue 1 is configured to forward 1500 bytes per round. After the 1499-byte packet is transmitted, the 1500-byte level has not yet been reached. CQ therefore sends the next packet. Because CQ cannot send a partial packet, it sends the entire 1500-byte packet. As a result, even though queue 1 was configured to send only 1500 bytes per round, in this example, 2999 bytes were forwarded. On the Cisco 12000 series of routers, this deficit issue is overcome with MDRR (Modified Deficit Round Robin). MDRR keeps track of the extra bytes sent and adjusts how many bytes can be sent in subsequent rounds. MDRR can operate in either of two modes:
■ Strict priority—Defines a priority queue that must be completely empty before any other traffic is sent.
■ Alternate priority—Is a “low-latency queue” that alternates with each of the other queues so that traffic is not “starved out.” For example, consider queues 1, 2, and 3, where queue 1 is a low-latency queue. With alternate priority mode, the queues would be serviced as follows: 1, 2, 1, 3, 1.

Also, with DRR queuing, the number of bytes transmitted in one round is defined as maximum transmission unit (MTU) + (weight – 1) * 512. This number of bytes is transmitted from a queue, or until the queue is empty. If more than this number of bytes is sent, to finish servicing a packet that had already started to be serviced, the DRR remembers this deficit, and in the next round, the deficit is subtracted from the number of bytes to service from the queue.

Priority queuing (PQ) can give “strict” priority to latency-sensitive applications (for example, e-commerce applications). PQ gives priority to specific packets by placing those packets in a “high”-priority queue. Other packets are placed in a “medium,” “normal,” or “low” queue. However, if any packets are in the high queue, none of the packets in lower-priority queues are sent. Similarly, when packets are in the “medium” queue, no packets are sent from the “normal” or “low” queues. Although this approach does accomplish the goal of giving priority to specific traffic, it can lead to protocol starvation. Consider the following PQ example:
Router(config)#priority-list 1 protocol ip high tcp www
Router(config)#priority-list 1 protocol ip medium tcp telnet
Router(config)#priority-list 1 default low
!
Router(config)#interface serial 0/1
Router(config-if)#priority-group 1

In the preceding example, a priority list (numbered 1) is created. The priority list specifies that World Wide Web traffic goes in the “high” queue, Telnet traffic goes in the “medium” queue, and all other traffic (that is, default traffic) goes in the “low” queue. The priority list is then applied to interface serial 0/1. The potential for protocol starvation exists, because if at any time you have World Wide Web packets in the “high” queue, none of the packets from lower-priority queues are forwarded until all of the World Wide Web packets have been forwarded.

IP Real-time Transport Protocol (RTP) priority combines some of the best aspects of PQ and WFQ. Specifically, IP RTP priority allows a range of UDP ports to be placed in a priority queue, while all other packets are treated with WFQ. Therefore, VoIP packets, which use UDP ports, can be assigned to the priority queue. Fortunately, to prevent protocol starvation, a bandwidth limit is set for the priority queue. IP RTP priority is configured using the following interface configuration mode command:
Router(config-if)#ip rtp priority starting-udp-port port-number-range bandwidth

Note that the port-number-range is not the last port number in the range. Rather, it is the number of ports in the range. For example, the following command specifies that 64 kbps of bandwidth should be made available for packets using UDP ports in the range 16,384 through 32,767:
Router(config-if)#ip rtp priority 16384 16383 64

Notice that the sum of the starting-udp-port and the port-number-range equals the last UDP port number in the range (that is, 16,384 + 16,383 = 32,767). The main drawback of IP RTP priority is its inability to place TCP ports in the priority queue. As an example, H.323 call setup uses TCP ports. These call setup packets, however, cannot be placed in a priority queue using IP RTP priority.

CBWFQ and LLQ
With modern versions of the Cisco IOS Software, Cisco recommends CBWFQ or LLQ approaches to queuing. Both methods are configured using MQC.

The first step of MQC is to create class maps, which categorize traffic types. The following command enters class map configuration mode:
Router(config)#class-map [match-any | match-all] class-name

Once in class map configuration mode, multiple match statements can be used to match traffic, and all traffic meeting the criteria specified by the match command is categorized under the class map. If multiple match statements are specified, by default all match statements must be met before a packet is classified by the class map. However, by using the match-any option, if any individual match condition is met, the packet is classified by the class map. After the class maps are defined, the first step of MQC is complete. The second step is to create a policy map to assign characteristics (for example, marking) to the classified traffic. To enter policy map configuration mode, issue the following command:
Router(config)#policy-map policy-name

From policy map configuration mode, enter policy-map-class configuration mode with this command:
Router(config-pmap)#class class-name

From policy-map-class configuration mode, QoS policies can be assigned to traffic classified by the class map. Finally, in the third step, the policy map is applied to an interface, Frame Relay map class, or ATM virtual circuit with this command:
Router(config-if)#service-policy {input | output} policy-map-name

Here is an LLQ example that illustrates the MQC approach:
Router(config)#class-map SURFING
Router(config-cmap)#match protocol http
Router(config-cmap)#exit
Router(config)#class-map VOICE
Router(config-cmap)#match protocol rtp
Router(config-cmap)#exit
Router(config)#policy-map CCIESTUDY
Router(config-pmap)#class SURFING
Router(config-pmap-c)#bandwidth 128
Router(config-pmap-c)#exit
Router(config-pmap)#class VOICE
Router(config-pmap-c)#priority 256
Router(config-pmap-c)#exit
Router(config-pmap)#exit
Router(config)#interface serial 0/1
Router(config-if)#service-policy output CCIESTUDY

In the preceding example, NBAR is being used to recognize HTTP traffic, and that traffic is placed in the SURFING class. Note that NBAR is invoked with the Router(config-cmap)#match protocol command. Voice packets are placed in the VOICE class. The CCIESTUDY policy map gives 128 kbps of bandwidth to the HTTP traffic while giving 256 kbps of priority bandwidth to voice traffic. The policy map is then applied outbound to interface serial 0/1.

Weighted RED
The purpose of Weighted Random Early Detection (WRED) is to prevent an interface’s output queue from filling to capacity, because if a queue is completely full, all newly arriving packets are discarded. Some of those packets might be high priority, and some might be low priority. However, if the queue is full, no room exists for any packet. WRED is referred to as a congestion-avoidance QoS tool. It can also prevent a problem called global synchronization, in which all TCP senders back off as packets at a full queue are dropped, and then all senders begin to increase the amount of traffic sent, until another synchronized back-off is triggered. Global synchronization results in poor utilization of interface bandwidth. With a congestion-avoidance tool, drop thresholds are defined for various markings (for example, DSCP markings). Therefore, as a queue begins to fill, lower-priority packets are dropped more aggressively than higher-priority packets, thus preventing the queue from ever filling to capacity. The Cisco congestion-avoidance tool of choice is WRED. WRED can be configured in interface configuration mode. However, an MQC approach is also supported. Three parameters that can be configured for each IP Precedence value or DSCP value include the minimum threshold, maximum threshold, and mark probability denominator. The minimum threshold specifies the number of packets in a queue before the queue considers discarding packets having a particular marking. The probability of discard increases until the queue depth reaches the maximum threshold. After a queue depth exceeds the maximum threshold, all other packets with a particular marking that attempt to enter the queue are discarded. However, the probability of packet discard when the queue depth equals the maximum threshold is 1 / (mark probability denominator). For example, if the mark probability denominator were set to 10, when the queue depth reached the maximum threshold, the probability of discard for the specified marking would be 1 / 10 (that is, a 10 percent chance of discard).

When configuring WRED, the Cisco IOS Software automatically assigns default values to these parameters. However, these parameters can be altered, and the marking WRED pays attention to (that is, IP Precedence or DSCP) can be specified. Following is the syntax to enable WRED in interface configuration mode:
random-detect [dscp-based | prec-based]

If neither dscp-based nor prec-based is specified, WRED defaults to prec-based. Following is the syntax to specify WRED parameters for both IP Precedence values and DSCP values:
random-detect precedence
random-detect dscp

FIGURE 5-4 Weighted Random Early Detection (WRED)
(Figure: an output queue with a minimum threshold for IP Precedence 0, a higher minimum threshold for IP Precedence 3, and a shared maximum threshold for IP Precedence 0 and 3.) As an output queue begins to fill to capacity, WRED can discard lower-priority packets more aggressively than higher-priority packets.

To specify WRED parameters for a specific class of traffic, using the MQC approach, the exact commands just shown can be entered in policy-map-class configuration mode. To reinforce this syntax, consider the following example, where the goal is to configure WRED on interface ethernet 0/0. After the output queue depth reaches 25 packets, the possibility is introduced that packets marked with a DSCP value of AF13 be discarded. Packets marked with a DSCP value of AF12 should not be discarded until the queue depth reaches 30 packets. Finally, packets marked with a DSCP value of AF11 should not have any chance of discard until the queue depth reaches 35 packets. If the queue depth exceeds 100 packets, there should be a 100 percent chance of discard for these three DSCP values. However, when the queue depth is exactly 100 packets, the percent chance of discard for these various packet types should be 25 percent.

Router(config)#interface ethernet 0/0
Router(config-if)#random-detect dscp-based
Router(config-if)#random-detect dscp af13 25 100 4
Router(config-if)#random-detect dscp af12 30 100 4
Router(config-if)#random-detect dscp af11 35 100 4

Examine the solution, and notice that the mark probability denominator is 4. This value was chosen to meet the requirement that there be a 25 percent chance of discard when the queue depth equals the maximum threshold (that is, 1 / 4 = .25). Also, notice that a DSCP value of AF13 is dropped before a DSCP value of AF12, which is dropped before a DSCP value of AF11. This approach is consistent with the definition of these PHBs, because the last digit in the AF DSCP name indicates its drop preference. For example, a value of AF13 would drop before a value of AF12.

WRR/Queue Scheduling
Some Cisco Catalyst switches also support their own queuing method, called weighted round robin (WRR). For example, a Catalyst 2950 switch has four queues, and WRR can be configured to place frames with specific CoS markings in certain queues (for example, CoS values 0 and 1 are placed in queue 1). Weights can be assigned to the queues, influencing how much bandwidth the various markings receive. The queues are then serviced in a round-robin fashion. On some platforms, one of the switch’s queues can be designated as an “expedite” queue, which gives priority treatment to frames in that queue. Specifically, the expedite queue must be empty before any additional queues are serviced. This behavior can lead to protocol starvation. Following is an example of a WRR configuration:
Switch(config)#interface gig 0/5
Switch(config-if)#wrr-queue bandwidth 1 2 3 4
Switch(config-if)#wrr-queue cos-map 4 5

In the preceding example, the wrr-queue command assigns the weights 1, 2, 3, and 4 to the switch’s four queues. The first queue, with a weight of 1, gets only one-third the bandwidth given to the third queue, which has a weight of 3. The wrr-queue cos-map command instructs frames marked with a CoS of 5 to enter the fourth queue.
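The WRED drop behaviour of the ethernet 0/0 example above, worked as an added Python example (not code from the reference sheets); the three DSCP profiles are parsed from that example's random-detect lines.

```python
"""WRED drop probability for the ethernet 0/0 example above.

Added example, not from the original reference sheets. It models the drop
decision the way the text describes it: no discards below the minimum
threshold, a probability rising linearly to 1/(mark probability denominator)
at the maximum threshold, and certain discard beyond it. The three DSCP
profiles are parsed from the random-detect lines of that example. IOS
applies WRED to an exponentially weighted average queue depth; the plain
queue depth is used here to keep the arithmetic visible.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class WredProfile:
    min_threshold: int           # packets in the queue before any discard
    max_threshold: int           # packets at which discard becomes certain
    mark_prob_denominator: int   # discard probability at max is 1/this

    def __post_init__(self):
        if not 0 <= self.min_threshold < self.max_threshold:
            raise ValueError("need 0 <= min-threshold < max-threshold")
        if self.mark_prob_denominator < 1:
            raise ValueError("mark probability denominator must be >= 1")

    def drop_probability(self, queue_depth: int) -> float:
        if queue_depth < self.min_threshold:
            return 0.0
        if queue_depth > self.max_threshold:
            return 1.0
        span = self.max_threshold - self.min_threshold
        # linear ramp: equals 1/denominator exactly at the maximum threshold
        return (queue_depth - self.min_threshold) / span / self.mark_prob_denominator


def parse_random_detect(line: str):
    """'random-detect dscp af13 25 100 4' -> ('af13', WredProfile(25, 100, 4)).
    A leading 'Router(config-if)#' prompt is tolerated."""
    words = line.split("#", 1)[-1].split()
    if len(words) != 6 or words[:2] != ["random-detect", "dscp"]:
        raise ValueError(f"not a per-DSCP random-detect line: {line!r}")
    return words[2], WredProfile(int(words[3]), int(words[4]), int(words[5]))


# The per-DSCP lines from the text's solution
EXAMPLE_CONFIG = """
Router(config-if)#random-detect dscp af13 25 100 4
Router(config-if)#random-detect dscp af12 30 100 4
Router(config-if)#random-detect dscp af11 35 100 4
"""
PROFILES = dict(parse_random_detect(l) for l in EXAMPLE_CONFIG.strip().splitlines())


def should_drop(profile: WredProfile, queue_depth: int, rng: random.Random) -> bool:
    """One arriving packet's fate at the given queue depth."""
    return rng.random() < profile.drop_probability(queue_depth)


def simulate_drop_fraction(profile, queue_depth, trials=10000, seed=1) -> float:
    """Fraction of arriving packets discarded at a constant queue depth."""
    rng = random.Random(seed)
    return sum(should_drop(profile, queue_depth, rng) for _ in range(trials)) / trials


def drop_order_consistent(profiles, queue_depth) -> bool:
    """AF13 must never be safer than AF12, nor AF12 safer than AF11."""
    p13, p12, p11 = (profiles[k].drop_probability(queue_depth) for k in ("af13", "af12", "af11"))
    return p13 >= p12 >= p11


if __name__ == "__main__":
    for depth in (24, 30, 35, 50, 100, 101):
        print(depth, {k: round(v.drop_probability(depth), 4) for k, v in PROFILES.items()})
```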

Shaping Versus Policing
While some of the congestion-management techniques can guarantee bandwidth amounts, you might want to limit bandwidth usage in some situations. For example, you might need to prevent oversubscription of a link. Two categories of traffic conditioning exist:
■ Policing—Limits traffic rates, with excess traffic being dropped
■ Shaping—Limits traffic rates, with excess traffic being delayed (that is, buffered)

As seen in the preceding description, shaping buffers excess traffic, whereas policing drops excess traffic. These characteristics suggest that policing is more appropriate on high-speed interfaces, whereas shaping is more appropriate on low-speed interfaces. For policing and shaping tools to limit bandwidth, they don’t transmit all the time. Specifically, they send a certain number of bits or bytes at line rate, and then they stop sending until a specific timing interval (for example, one-eighth of a second) is reached. When the timing interval is reached, the interface again sends a specific amount of traffic at line rate, it stops, and it waits for the next timing interval. This process repeats over and over, allowing an interface to send an average bandwidth that might be below the physical speed of the interface. Both policing and shaping configurations can specify a committed information rate (CIR), committed burst (Bc), and excess burst (Be). The CIR is the average number of bits sent during 1 second. The Bc indicates how many bits or bytes can be sent at line rate during a timing interval. The Be allows more than Bc bits or bytes to be sent during a timing interval if some bits or bytes were unused during a previous timing interval. While policing and shaping can be configured using the MQC method previously described, legacy methods include committed access rate (CAR) for policing, Generic Traffic Shaping (GTS) for shaping, and Frame Relay Traffic Shaping (FRTS) for shaping. GTS can be applied to an interface or a subinterface, and FRTS can be applied to an interface, subinterface, or Frame Relay data-link connection identifier

(DLCI). Other queuing methods, such as PQ, CQ, or WFQ, can be applied to traffic after GTS shapes it. However, GTS uses WFQ in its shaping queue. A modern approach to policing is Class-Based Policing (CB-Policing), which uses the previously described MQC process. The goal of the following CB-Policing example is to limit outgoing web traffic to 100 kbps and Telnet traffic to 50 kbps on interface ethernet 0/0.
FIGURE 5-5 CB-Policing (Router A, interface E 0/0 toward Router B; HTTP limited to 100 kbps, Telnet to 50 kbps)

RouterA(config)#class-map WEB
RouterA(config-cmap)#match protocol http
RouterA(config-cmap)#exit
RouterA(config)#class-map TELNET
RouterA(config-cmap)#match protocol telnet
RouterA(config-cmap)#exit
RouterA(config)#policy-map POLICING_EXAMPLE
RouterA(config-pmap)#class WEB
RouterA(config-pmap-c)#police 100000
RouterA(config-pmap-c)#exit
RouterA(config-pmap)#class TELNET
RouterA(config-pmap-c)#police 50000
RouterA(config-pmap-c)#exit
RouterA(config-pmap)#exit
RouterA(config)#interface ethernet 0/0
RouterA(config-if)#service-policy output POLICING_EXAMPLE

Note that the rate given to police is in bits per second, and that with no actions specified, police transmits conforming traffic and drops exceeding traffic. Also note that match protocol classifies with NBAR; traffic that NBAR does not recognize as HTTP or Telnet falls into class-default and is not policed by this policy.

© 2007 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 132 for more details.

Shaping can also be configured using this MQC approach. When configuring CB-Shaping, traffic can be shaped to either "average" or "peak." If shape average is specified, traffic is sent at the CIR, with bursting of Be bits per timing interval allowed. If shape peak is specified, the router attempts to forward traffic at the peak rate: Peak Rate = CIR * (1 + Be/Bc). The shaping to peak method can result in occasional packet loss, requiring retransmission. In the following CB-Shaping example, CBWFQ is combined with CB-Shaping to specify that HTTP traffic can have at least 128 kbps but no more than 256 kbps as the packets exit the serial 0/0 interface. Note that the units of measure for the CIR in shape average are bits per second, whereas the bandwidth command takes kilobits per second.

FIGURE 5-6 CB-Shaping and CB-WFQ (Router A, interface s 0/0 toward the IP WAN; HTTP 128 kbps minimum, 256 kbps maximum)

RouterA(config)#class-map HTTP
RouterA(config-cmap)#match protocol http
RouterA(config-cmap)#exit
RouterA(config)#policy-map WEB
RouterA(config-pmap)#class HTTP
RouterA(config-pmap-c)#shape average 256000
RouterA(config-pmap-c)#bandwidth 128
RouterA(config-pmap-c)#exit
RouterA(config-pmap)#exit
RouterA(config)#interface serial 0/0
RouterA(config-if)#service-policy output WEB

Link-Efficiency Tools
As a final category of QoS tools, consider how to make the most of the often-limited bandwidth on WAN links. Data could be compressed before it is sent, or large payloads could be fragmented so that smaller payloads could be interleaved among those fragments to prevent excessive serialization delay (the time it takes for a packet to exit an interface). This approach is referred to as link fragmentation and interleaving (LFI). The category of tools under which compression and LFI fall is called link-efficiency tools.

First, consider header compression. One way to preserve bandwidth on the WAN is to compress the TCP and UDP headers. However, this "compression" does not actually run any sort of compression algorithm. Instead, header compression leverages the fact that most of the information in a packet's header does not change during the session. For example, the source and destination IP addresses usually remain the same during the session. Likewise, the source and destination TCP/UDP port numbers typically do not vary during the session. Therefore, information that does not change during the session is cached in the routers at each end of a link. A much slimmed-down header, containing things such as the session context ID (CID), which identifies the particular flow that the packet is associated with, and perhaps a checksum, is sent as a compressed header. The routers at each end of the link combine the compressed header with the cached header to generate a standard header, which is applied to a packet before sending the packet to the destination.

Following is the syntax to configure TCP header compression in interface configuration mode for both PPP or High-level Data Link Control (HDLC) links and Frame Relay circuits:
■ ip tcp header-compression [passive]—Enables TCP header compression on a PPP or HDLC interface
■ frame-relay ip tcp header-compression [passive]—Enables TCP header compression on a Frame Relay interface

Voice is carried by RTP, which is encapsulated inside UDP. When combined, the IP, UDP, and RTP headers on voice packets total approximately 40 bytes in size. However, after enabling RTP Header Compression (cRTP), the header size is reduced to approximately 2 to 4 bytes, thus permitting more voice calls on a WAN link. Following is the syntax to configure RTP header compression in interface configuration mode for PPP, HDLC, or Frame Relay circuits:
■ ip rtp header-compression [passive]—Enables RTP header compression on a PPP or HDLC interface
■ frame-relay ip rtp header-compression [passive]—Enables RTP header compression on a Frame Relay interface

Notice the optional passive keyword in the preceding commands. When the passive keyword is specified, these interfaces send compressed headers only if they receive compressed headers. In the following configuration example, routers R1 and R2 are interconnected using their serial 0/0 interfaces. The goal is to configure cRTP between the routers.

FIGURE 5-7 RTP Header Compression (R1 s 0/0 to R2 s 0/0; passive cRTP on R1)

R1(config)#interface serial 0/0
R1(config-if)#ip rtp header-compression passive
R2(config)#interface serial 0/0
R2(config-if)#ip rtp header-compression

Note that only one side of the link uses the passive keyword. If both sides are set to be passive, cRTP does not occur, because neither side of the link ever sends compressed headers. To reduce the latency experienced by a large packet exiting an interface (that is, serialization delay), Multilink PPP (MLP) can be used in a PPP environment, and FRF.12 can be used in a VoIP over Frame Relay environment. First, consider MLP.
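The cache-and-context mechanism described under header compression above, together with the passive keyword behaviour just shown, as an added example that is not part of the original reference sheets and is not Cisco's cRTP implementation: a simplified Python model in which each end caches the last IP/UDP/RTP header per context ID (CID) and sends only the CID and a sequence byte when the header changed by the expected first-order deltas. The 40-byte full header and the 2-to-4-byte compressed header sizes follow the text; the message layout, the addresses, ports, SSRCs and the 160-sample timestamp step are constructed for illustration and are not the RFC 2508 encoding.

```python
# Added example: simplified model of IP/UDP/RTP header compression with a
# per-flow context ID (CID). Not Cisco's cRTP and not the RFC 2508 encoding;
# addresses, ports, SSRCs and the timestamp step are constructed sample data.
from dataclasses import dataclass, replace
from typing import Optional

FULL_HEADER_BYTES = 40  # 20-byte IP + 8-byte UDP + 12-byte RTP, as in the text


@dataclass(frozen=True)
class VoiceHeader:
    src: str
    dst: str
    sport: int
    dport: int
    ssrc: int
    ip_id: int       # +1 per packet
    seq: int         # RTP sequence number, +1 per packet
    ts: int          # RTP timestamp, +constant per packet (160 for 20 ms G.711)
    udp_csum: int = 0


@dataclass
class Wire:
    kind: str             # "plain" (uncompressed), "full" (header plus CID), "compressed"
    cid: Optional[int]
    body: object          # VoiceHeader for plain/full; UDP checksum for compressed
    size: int             # header bytes on the wire


def flow_key(h: VoiceHeader):
    return (h.src, h.dst, h.sport, h.dport, h.ssrc)


class Compressor:
    """Sending side: remembers the last header per CID and the timestamp delta."""

    def __init__(self):
        self.cid_of = {}     # flow key -> CID
        self.contexts = {}   # CID -> (last header, timestamp delta or None)

    def compress(self, h: VoiceHeader) -> Wire:
        cid = self.cid_of.get(flow_key(h))
        if cid is None:
            cid = len(self.cid_of)
            self.cid_of[flow_key(h)] = cid
        else:
            last, ts_delta = self.contexts[cid]
            if (ts_delta is not None and h.seq == last.seq + 1
                    and h.ip_id == last.ip_id + 1 and h.ts - last.ts == ts_delta):
                self.contexts[cid] = (h, ts_delta)
                # CID + sequence byte; two more bytes if a UDP checksum must be carried
                return Wire("compressed", cid, h.udp_csum, 2 if h.udp_csum == 0 else 4)
        # New flow, delta not yet learned, or delta changed: resend the full header
        prev = self.contexts.get(cid)
        self.contexts[cid] = (h, h.ts - prev[0].ts if prev else None)
        return Wire("full", cid, h, FULL_HEADER_BYTES + 1)


class Decompressor:
    """Receiving side: rebuilds the full header from the cached context."""

    def __init__(self):
        self.contexts = {}

    def decompress(self, w: Wire) -> VoiceHeader:
        if w.kind == "plain":
            return w.body
        if w.kind == "full":
            prev = self.contexts.get(w.cid)
            self.contexts[w.cid] = (w.body, w.body.ts - prev[0].ts if prev else None)
            return w.body
        last, ts_delta = self.contexts[w.cid]
        h = replace(last, ip_id=last.ip_id + 1, seq=last.seq + 1,
                    ts=last.ts + ts_delta, udp_csum=w.body)
        self.contexts[w.cid] = (h, ts_delta)
        return h


class Router:
    """One end of the link. 'passive' mirrors the IOS keyword: compress only
    after the other side has been seen sending compressed headers."""

    def __init__(self, passive: bool = False):
        self.passive = passive
        self.peer_compresses = False
        self.comp, self.decomp = Compressor(), Decompressor()
        self.bytes_sent = 0

    def send(self, h: VoiceHeader) -> Wire:
        if self.passive and not self.peer_compresses:
            w = Wire("plain", None, h, FULL_HEADER_BYTES)
        else:
            w = self.comp.compress(h)
        self.bytes_sent += w.size
        return w

    def receive(self, w: Wire) -> VoiceHeader:
        if w.kind != "plain":
            self.peer_compresses = True
        return self.decomp.decompress(w)


def run_call(r1_passive: bool, r2_passive: bool, packets: int = 5):
    """Send `packets` voice packets each way, R1 speaking first each round;
    return (every header rebuilt correctly, header bytes sent by R1, by R2)."""
    r1, r2 = Router(r1_passive), Router(r2_passive)
    r1_flow = [VoiceHeader("10.1.1.1", "10.1.1.2", 16384, 16384, 0x1111, i, i, 160 * i)
               for i in range(packets)]
    r2_flow = [VoiceHeader("10.1.1.2", "10.1.1.1", 16384, 16384, 0x2222, i, i, 160 * i)
               for i in range(packets)]
    ok = True
    for h12, h21 in zip(r1_flow, r2_flow):
        ok &= r2.receive(r1.send(h12)) == h12
        ok &= r1.receive(r2.send(h21)) == h21
    return ok, r1.bytes_sent, r2.bytes_sent


if __name__ == "__main__":
    for r1p, r2p in ((True, False), (True, True), (False, False)):
        print("R1 passive=%s, R2 passive=%s -> %s" % (r1p, r2p, run_call(r1p, r2p)))
```

With R1 passive and R2 active, R1 sends its first header uncompressed and starts compressing only after it has received a compressed header from R2; with both sides passive every header goes out at the full 40 bytes, which is exactly the failure mode the text warns about. A flow whose timestamp step changes (for example, after silence suppression) simply gets a full header again and the context is relearned.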

Multilink PPP, by default, fragments traffic. This characteristic can be leveraged for QoS purposes, and MLP can be run even over a single link. The MLP configuration is performed under a virtual multilink interface, and then one or more physical interfaces can be assigned to the multilink group. The physical interface does not have an IP address assigned. Instead, the virtual multilink interface has an IP address assigned. For QoS purposes, a single interface is typically assigned as the sole member of the multilink group. Following is the syntax to configure MLP:
■ interface multilink [multilink_interface_number]—Creates a virtual multilink interface
■ ip address ip_address subnet_mask—Assigns an IP address to the virtual multilink interface
■ ppp multilink—Enables Multilink PPP (and therefore fragmentation) on the multilink interface
■ ppp multilink interleave—Allows small packets, such as voice, to be interleaved between the fragments of large packets
■ ppp fragment-delay [serialization_delay]—Specifies the maximum serialization delay, in milliseconds, for a fragment; the router sizes fragments from this value and the interface bandwidth
■ encapsulation ppp—Enables PPP encapsulation on the physical interface
■ no ip address—Removes the IP address from the physical interface
■ multilink-group [multilink_group_number]—Associates the physical interface with the multilink group

In the following example, the goal is to configure MLP on routers R1 and R2 so that they have a serialization delay of 10 ms on their serial 0/0 interfaces.

FIGURE 5-8 Multilink PPP (R1 s 0/0 to R2 s 0/0; 10 ms serialization delay)

R1(config)#interface multilink 1
R1(config-if)#ip address 10.1.1.1 255.255.255.0
R1(config-if)#ppp multilink
R1(config-if)#ppp multilink interleave
R1(config-if)#ppp fragment-delay 10
R1(config-if)#exit
R1(config)#interface serial 0/0
R1(config-if)#encapsulation ppp
R1(config-if)#no ip address
R1(config-if)#multilink-group 1
R2(config)#interface multilink 1
R2(config-if)#ip address 10.1.1.2 255.255.255.0
R2(config-if)#ppp multilink
R2(config-if)#ppp multilink interleave
R2(config-if)#ppp fragment-delay 10
R2(config-if)#exit
R2(config)#interface serial 0/0
R2(config-if)#encapsulation ppp
R2(config-if)#no ip address
R2(config-if)#multilink-group 1
LFI can also be performed on a Frame Relay link using FRF.12. The configuration for FRF.12 is based on an FRTS configuration. Only one additional command is given, in map-class configuration mode, to enable FRF.12. The syntax for that command is as follows:
Router(config-map-class)#frame-relay fragment fragment-size—Specifies the size of the fragments, in bytes

As a rule of thumb, the fragment size should be set to the line speed (in bits per second) divided by 800, which yields the number of bytes that take 10 ms to serialize. For example, if the line speed is 64 kbps, the fragment size can be calculated as follows:
fragment size = 64,000 / 800 = 80 bytes
This rule of thumb specifies a fragment size (80 bytes) that creates a serialization delay of 10 ms (80 bytes * 8 bits per byte / 64,000 bps = 0.01 s). Base the calculation on the physical clock rate of the access link rather than on the CIR of the PVC, because serialization delay depends on the clock rate. The following example shows an FRF.12 configuration to create a serialization delay of 10 ms on a link that is clocked at a rate of 64 kbps. Because FRF.12 is configured as a part of FRTS, CIR and Bc values are also specified; with Bc = 640 bits and CIR = 64,000 bps, the shaping interval Tc is also 10 ms.

FIGURE 5-9 FRF.12 (R1 s 0/1.1, DLCI 101, CIR = 64 kbps, through the Frame Relay cloud)

R1(config)#map-class frame-relay FRF12-EXAMPLE
R1(config-map-class)#frame-relay cir 64000
R1(config-map-class)#frame-relay bc 640
R1(config-map-class)#frame-relay fragment 80
R1(config-map-class)#exit
R1(config)#interface serial 0/1
R1(config-if)#frame-relay traffic-shaping
R1(config-if)#interface serial 0/1.1 point-to-point
R1(config-subif)#frame-relay interface-dlci 101
R1(config-fr-dlci)#class FRF12-EXAMPLE

AutoQoS
Optimizing a QoS configuration for VoIP can be a daunting task. Fortunately, Cisco added a feature called AutoQoS to many of its router and switch platforms to automatically generate router-based or switch-based VoIP QoS configurations.

The following router platforms support AutoQoS:
■ 1700 series
■ 2600 series
■ 3600 series
■ 3700 series
■ 7200 series

Before enabling AutoQoS on a router interface, consider these prerequisites:
■ CEF must be enabled.
■ A QoS policy must not be currently attached to the interface.
■ The correct bandwidth should be configured on the interface.
■ An IP address must be configured on an interface if its speed is less than 768 kbps.

Cisco also supports the AutoQoS feature on the following Catalyst switch series:
■ 2950 (EI)
■ 3550
■ 4500
■ 6500

Note that the interface's bandwidth determines which AutoQoS features are enabled. If an interface's bandwidth is less than 768 kbps, it is considered a low-speed interface. On a low-speed interface, AutoQoS configures MLP, which requires an IP address on the physical interface. AutoQoS takes that IP address from the physical interface and uses it for the virtual multilink interface it creates. To verify that AutoQoS is configured for a router interface, you can use the following command:
show auto qos voip [interface interface-identifier]

On a router platform, the following command enables AutoQoS from either interface configuration mode or DLCI configuration mode (for a Frame Relay circuit):
auto qos voip [trust] [fr-atm]

The trust option indicates that AutoQoS should classify voice traffic based on DSCP markings, instead of using NBAR. Because trust accepts the DSCP values already carried in the packets, use it only where the upstream device that marks them is trusted. The fr-atm option enables the AutoQoS feature for Frame Relay-to-ATM links and is issued from DLCI configuration mode.

FIGURE 5-10 AutoQoS (router interface s 0/0 toward the IP WAN, configured with interface serial 0/0 and auto qos voip)

The Catalyst 6500 running in Hybrid mode (that is, using the CatOS for switch functions) also supports AutoQoS. To enable AutoQoS on a Hybrid mode Catalyst 6500, you must first enable AutoQoS globally and then for a specific port. Following are the required commands:
■ set qos autoqos—Globally enables AutoQoS
■ set port qos <mod/port> autoqos trust [cos | dscp]—Enables AutoQoS for a specific port

Note that the Catalyst 6500 can trust either CoS or DSCP values for its queuing decision. If the port trusts DSCP markings, you can add the following command, which recognizes that the port is connected to a Cisco IP Phone or a Cisco SoftPhone, which is software that runs on a PC:
set port qos <mod/port> autoqos voip [ciscosoftphone | ciscoipphone]

The port must have CDP (Cisco Discovery Protocol) Version 2 enabled to recognize an attached Cisco IP Phone. Because CDP is unauthenticated, any device that sends CDP advertisements identifying itself as an IP Phone is treated the same way, so the phone-detection options extend trust to whatever is plugged into the port. Although they do not recognize a Cisco SoftPhone, AutoQoS can be configured on Catalyst 2950 (EI) and 3550 switches, and their AutoQoS feature recognizes a Cisco IP Phone. To configure AutoQoS on these platforms, issue the following commands from interface configuration mode:
■ auto qos voip trust—Configures the interface to trust CoS markings for classifying VoIP traffic
■ auto qos voip cisco-phone—Detects the presence of a Cisco IP Phone, using CDP

To troubleshoot and verify AutoQoS on a Catalyst switch, you can use the following commands:
■ show auto qos [interface interface-identifier]—Displays the configuration applied by AutoQoS
■ show mls qos interface [interface-identifier]—Displays interface-level QoS statistics

This section has broadly addressed the features enabled by AutoQoS. The specific features are shown in the following table.

QoS Mechanism          Router Feature                 Switch Feature
Classification         NBAR and DSCP                  Port trust states
Marking                CB-Marking                     CoS to DSCP re-marking
Congestion management  LLQ                            WRR
Shaping                CB-Shaping or FRTS             (not applicable)
Link efficiency        Header compression and LFI     (not applicable)

CHAPTER 6

WAN
Frame Relay
The connection between the customer (data terminal equipment, DTE) and the service provider (data communications equipment, DCE) is known as the User-Network Interface (UNI). It is in this area where Frame Relay operates. The Network-to-Network Interface (NNI) describes how different Frame Relay provider networks interconnect. Providers often use ATM in the cloud to carry the Frame Relay data. Frame Relay multiplexes many virtual circuits (VC) over a single physical transmission link. It uses data-link connection identifiers (DLCI) on each DTE to identify the different virtual circuits. The DLCI is typically only locally significant between the DTE and the frame switch. Some providers allow the customers to choose the DLCI. DLCIs 0–15 and 1008–1023 are reserved. The specific range of DLCIs available is dependent upon the Local Management Interface (LMI) type in use. DLCIs must be mapped to a remote IP address to direct traffic over the correct VC. Cisco routers support dynamic (Inverse Address Resolution Protocol, IARP) and manual mappings of DLCIs to remote IP addresses.

FIGURE 6-1 Frame Relay (three routers at .1, .2 and .3 on 172.16.23.0/24 connected through a Frame Relay cloud using DLCIs 100, 200, 300 and 400)

Local Management Interface (LMI)
LMI provides signaling and status updates between the DTE and DCE. It also provides the DTE with its DLCIs. The LMI type can be autosensed on Cisco IOS Release 11.2 or later. One of three types is used: Cisco, American National Standards Institute (ANSI), or Q.933 Annex A (q933a). Possible LMI status indications include the following:
■ Active—Connection is active, and the routers can exchange data.
■ Inactive—Local connection is functioning, but the remote connection is not.
■ Deleted—No LMI received from the switch, the DLCI was removed from the switch, or there is no service from the DTE to the DCE.

Nonbroadcast multiaccess (NBMA) networks
NBMA capability allows the customer to communicate with any remote site, provided the provider has established a VC. A hub-and-spoke design is often used because of the per-VC charge that typically exists. A permanent virtual circuit (PVC) or switched virtual circuit (SVC) can be used; typically a PVC.

Configuring basic Frame Relay
To set the encapsulation to Frame Relay, use the following command:
Router(config-if)# encapsulation frame-relay [cisco | ietf]

If you must specify the LMI type, use this command:
Router(config-if)# frame-relay lmi-type {ansi | cisco | q933a}

For dynamic address mapping (IARP), no further configuration is required. If IARP has been disabled on an interface, you can enable it with the following command:
Router(config-if)# frame-relay inverse-arp

To configure a static mapping, use the following interface configuration command:
frame-relay map protocol protocol-address dlci [broadcast] [ietf | cisco]

The keywords indicate the following:
■ protocol-address—Specifies the destination protocol address
■ dlci—The DLCI number needed to connect to the remote protocol address
■ broadcast—Specifies that broadcasts/multicasts should be forwarded; often used to ensure that routing protocol traffic is sent across the PVC
■ ietf/cisco—Used to specify the Frame Relay encapsulation type

Subinterfaces
Subinterfaces can solve split-horizon issues that arise with distance vector protocols and hub-and-spoke topologies. Subinterfaces might be configured as point-to-point or multipoint. Split horizon can still be an issue in the multipoint environment. Multipoint does offer an advantage in that a single subnet is needed as opposed to multiple subnet addresses. The steps for a Frame Relay subinterface configuration include the following:
Step 1. Remove any network layer addressing assigned at the physical interface level.
Step 2. Configure Frame Relay encapsulation at the physical interface level.
Step 3. Create the subinterface using the following command:
Router(config)# interface serial number.subinterface-number {multipoint | point-to-point}
Step 4. Assign the subinterface a network address; you can use the ip unnumbered command if you want to reference an address from another interface, such as a loopback interface.
Step 5. If you configured a point-to-point subinterface, or a multipoint subinterface that relies on IARP rather than static frame-relay map statements, you must associate the local DLCI with the subinterface using the following command:
Router(config-subif)# frame-relay interface-dlci dlci-number

NOTE
You cannot assign a subinterface to point-to-point communications and then reassign it to multipoint without rebooting the router. To work around this, just select a new subinterface number.

FIGURE 6-2 Frame Relay example (Boston s0.1 multipoint, 10.10.10.1/24, DLCIs 100 and 110 to New York 10.10.10.2 (DLCI 120) and Providence 10.10.10.3 (DLCI 130); Boston s0.2 point-to-point, 172.16.10.1/24, DLCI 200 to Newark 172.16.10.2 (DLCI 210))

Here is an example:
Boston(config)# interface serial 0
Boston(config-if)# encapsulation frame-relay
Boston(config-if)# no ip address
Boston(config-if)# no shutdown
Boston(config-if)# interface serial 0.1 multipoint
Boston(config-subif)# ip address 10.10.10.1 255.255.255.0
Boston(config-subif)# frame-relay map ip 10.10.10.2 100 broadcast
Boston(config-subif)# frame-relay map ip 10.10.10.3 110 broadcast
Boston(config-subif)# interface serial 0.2 point-to-point
Boston(config-subif)# ip address 172.16.10.1 255.255.255.0
Boston(config-subif)# frame-relay interface-dlci 200
New York(config)# interface serial 0
New York(config-if)# encapsulation frame-relay
New York(config-if)# ip address 10.10.10.2 255.255.255.0
New York(config-if)# frame-relay map ip 10.10.10.1 120 broadcast
New York(config-if)# frame-relay map ip 10.10.10.3 120 broadcast
New York(config-if)# no shutdown
Providence(config)# interface serial 0
Providence(config-if)# encapsulation frame-relay
Providence(config-if)# ip address 10.10.10.3 255.255.255.0
Providence(config-if)# frame-relay map ip 10.10.10.1 130 broadcast
Providence(config-if)# frame-relay map ip 10.10.10.2 130 broadcast
Providence(config-if)# no shutdown
Newark(config)# interface serial 0
Newark(config-if)# encapsulation frame-relay
Newark(config-if)# ip address 172.16.10.2 255.255.255.0
Newark(config-if)# frame-relay interface-dlci 210
Newark(config-if)# no shutdown

Note that New York and Providence each have a single PVC to Boston, so each maps both the hub address and the other spoke's address to that one DLCI; spoke-to-spoke traffic on 10.10.10.0/24 therefore transits Boston, and the broadcast keyword is what allows routing protocol updates to cross the PVCs.

Traffic Shaping
Flow terminology
■ Local Access Rate—Clock speed of the connection to the Frame Relay cloud; the rate at which data flows into or out of the network.
■ Committed Information Rate (CIR)—Rate in bits per second (bps) at which the Frame switch agrees to transfer data; usually averaged over a time interval called the committed rate measurement interval (Tc).
■ Oversubscription—The sum of all the CIRs of the VCs coming into the device exceeds the access line speed.
■ Committed Burst (Bc)—Maximum data in bits that the Frame switch agrees to transfer during any Tc; Bc = CIR * Tc, so Tc = Bc / CIR.
■ Excess Burst (Be)—Maximum number of bits the Frame switch attempts to transfer beyond Bc during the first time interval only; delivery of this traffic is not guaranteed.
■ Forward Explicit Congestion Notification (FECN)—The Frame switch sets this bit in frames traveling toward the destination to indicate that congestion was experienced.
■ Backward Explicit Congestion Notification (BECN)—The Frame switch sets this bit in frames traveling back toward the source to indicate congestion; Cisco IOS Release 11.2 and later allow a router to respond to this bit by slowing its send rate.
■ Discard Eligibility (DE) indicator—The DE bit is set on traffic sent in excess of Bc (the Be portion), marking it as the first to be dropped when the network is congested.

Frame Relay traffic shaping is often used when a speed mismatch exists between sites or you notice that Frame Relay connections are occasionally congested. Configuring traffic shaping involves the following steps:
Step 1. Specify a map class with the following command:
Router(config)# map-class frame-relay map-class-name
Step 2. Configure the options for traffic shaping; the following options are available:
■ Define the average and peak rates on the VC associated with the map class; use the following command:
Router(config-map-class)# frame-relay traffic-rate average [peak]
■ Specify that the router dynamically fluctuates the rate based on BECNs; use the following command:
Router(config-map-class)# frame-relay adaptive-shaping becn
■ Specify a queuing strategy for the virtual circuit; see the QoS section configurations.
Step 3. Map the map class to virtual circuits on the interface; use the following command:
Router(config-if)# frame-relay class map-class-name
Step 4. Enable traffic shaping with the following command:
Router(config-if)# frame-relay traffic-shaping
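The CIR, Tc, Bc, Be and DE mechanics defined in the flow terminology above, and the contrast from the Chapter 5 policing and shaping section (a policer classifies and drops, a shaper queues until the next interval), as an added example that is not part of the original reference sheets: a token-bucket model in Python. The parameters (CIR 64 kbps, Bc 8000 bits so that Tc is 125 ms, Be 8000 bits) and the packet trace are constructed for illustration; the policer is a single-rate, two-bucket model and the shaper an interval-based model, neither a reproduction of IOS internals.

```python
# Added example: token-bucket model of policing versus shaping.
# Constructed parameters and packet trace; a simplified model, not IOS internals.
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class ShapeParams:
    cir: int   # committed information rate, bits per second
    bc: int    # committed burst, bits per Tc
    be: int    # excess burst, bits (credit carried over from idle intervals)

    @property
    def tc_ms(self) -> int:
        """Committed rate measurement interval: Tc = Bc / CIR (in ms)."""
        return self.bc * 1000 // self.cir


def peak_rate(p: ShapeParams) -> float:
    """Rate targeted by 'shape peak': CIR * (1 + Be/Bc)."""
    return p.cir * (1 + p.be / p.bc)


def police(packets, p: ShapeParams):
    """Single-rate, two-bucket policer. packets: list of (arrival_ms, size_bits).
    Returns (arrival_ms, size_bits, action): 'conform' fits in the Bc bucket,
    'exceed' fits only in the Be bucket (the traffic a Frame Relay switch marks
    DE), 'violate' fits in neither and is dropped. Nothing is ever delayed."""
    bc_tokens, be_tokens = p.bc, p.be       # both buckets start full
    last = packets[0][0] if packets else 0
    result = []
    for t, size in packets:
        # Refill at CIR for the time elapsed; overflow of the Bc bucket spills into Be
        bc_tokens += p.cir * (t - last) // 1000
        last = t
        if bc_tokens > p.bc:
            be_tokens = min(be_tokens + bc_tokens - p.bc, p.be)
            bc_tokens = p.bc
        if size <= bc_tokens:
            bc_tokens -= size
            action = "conform"
        elif size <= be_tokens:
            be_tokens -= size
            action = "exceed"
        else:
            action = "violate"
        result.append((t, size, action))
    return result


def shape(packets, p: ShapeParams):
    """Interval-based shaper. Bc bits of credit arrive every Tc; unused credit
    accumulates up to Bc + Be. Packets that do not fit wait in a FIFO queue.
    Returns (arrival_ms, size_bits, departure_ms); nothing is dropped."""
    credit, boundary = p.bc, p.tc_ms         # credit for the first interval
    queue, sent = deque(), []

    def drain(now):
        nonlocal credit
        while queue and queue[0][1] <= credit:
            t_arr, size = queue.popleft()
            credit -= size
            sent.append((t_arr, size, now))

    def advance_to(t):
        nonlocal credit, boundary
        while boundary <= t:                 # cross each Tc boundary up to time t
            credit = min(credit + p.bc, p.bc + p.be)
            drain(boundary)
            boundary += p.tc_ms

    for t_arr, size in packets:
        advance_to(t_arr)
        queue.append((t_arr, size))
        drain(t_arr)
    while queue:                             # flush whatever is still queued
        advance_to(boundary)
    return sent


# Constructed trace: a 20-kbit burst of five 4-kbit packets at t = 0..4 ms,
# then one more packet half a second later.
TRACE = [(0, 4000), (1, 4000), (2, 4000), (3, 4000), (4, 4000), (500, 4000)]
PARAMS = ShapeParams(cir=64000, bc=8000, be=8000)   # Tc = 125 ms

if __name__ == "__main__":
    print("Tc = %d ms, peak rate = %d bps" % (PARAMS.tc_ms, peak_rate(PARAMS)))
    for row in police(TRACE, PARAMS):
        print("police:", row)
    for t_arr, size, dep in shape(TRACE, PARAMS):
        print("shape : arrived %3d ms, sent %3d ms, delay %3d ms" % (t_arr, dep, dep - t_arr))
```

On the same burst the policer passes two packets as conforming, two as exceeding (the DE-marked region) and drops the fifth, whereas the shaper delivers all six but holds the third, fourth and fifth until the 125 ms and 250 ms interval boundaries; that delay-versus-drop difference is why the text pairs shaping with slow links and policing with fast ones.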

Verifying Frame Relay
■ show interface—Encapsulation verification
■ show frame-relay pvc—Status and traffic statistics, including BECN and FECN counts
■ show frame-relay map—View DLCI mappings
■ show frame-relay lmi—LMI traffic statistics
■ debug frame-relay lmi—Displays information on the LMI packet exchange
■ debug frame-relay packet—Displays packet-level Frame Relay activity
■ clear frame-relay-inarp—Clears dynamically created mappings
■ show traffic-shape—Displays the current traffic shaping configuration
■ show traffic-shape statistics—Displays the current traffic shaping statistics

Dynamic Multipoint VPN
Dynamic Multipoint VPN (DMVPN) uses generic routing encapsulation (GRE) tunnels, IPsec encryption, and the Next-Hop Resolution Protocol (NHRP) to better scale IPsec virtual private networks (VPN). Specifically, these protocols combine to provide much easier configuration of VPNs and the dynamic discovery of tunnel endpoints. Ease of configuration is provided thanks to IPsec profiles (crypto ipsec profile) applied to the tunnel interface, which replace the need for defining static crypto maps for every peer. Remember that DMVPN relies on two Cisco-enhanced, standards-based technologies:
■ NHRP is a client/server protocol with the hub as the server and the spokes as clients. This protocol allows the hub to maintain a database of the public IP addresses used on the spokes. Clients can query the database for the address of endpoint spoke systems for the creation of tunnels between them.
■ An mGRE (multipoint GRE) tunnel interface allows a single GRE interface to support multiple IPsec tunnels.

Because GRE itself provides no authentication or confidentiality, the IPsec protection is what keeps an unauthorized device from joining the DMVPN or reading tunnel traffic; do not run the mGRE tunnel without the IPsec profile applied.

CHAPTER 7
IP Multicasting
Introduction
Consider a video stream that needs to be sent to multiple recipients in a company. One approach is to unicast the traffic. The source server sends a copy of every packet to every receiver. Obviously, this approach has serious scalability limitations. An alternative approach is to broadcast the video stream so that the source server has to send each packet only one time. However, everyone in the network receives the packet in that scenario, even if they do not want it. IP multicast technologies provide the best of both worlds. With IP multicast, the source server sends only one copy of each packet, and packets are sent only to intended recipients. Specifically, receivers join a multicast group, denoted by a Class D IP address (that is, in the range 224.0.0.0 through 239.255.255.255). The source sends traffic to the Class D address, and through switch and router protocols, packets are forwarded only to intended stations.

These multicast packets are sent via User Datagram Protocol (UDP) (that is, best effort). Therefore, congestion-avoidance mechanisms such as weighted random early detection (WRED), which causes TCP flows to go into TCP slow start, are not effective for multicast. When doing a multicast design, also be aware of the potential for duplicate packets being received and the potential for packets to arrive out of order.

FIGURE 7-1 IP multicast (a multicast server sends a single copy of each packet to destination address 224.1.1.1; receivers 10.1.1.1 and 10.1.1.2 have joined multicast group 224.1.1.1 and are forwarded the packets, while non-receiver 10.1.1.3 is not)

Internet Group Management Protocol / Cisco Group Management Protocol
The protocol used between clients (PCs) and routers to let routers know which of their interfaces have multicast receivers attached is Internet Group Management Protocol (IGMP). There are three versions of IGMP. However, only two versions are in widescale deployment:
■ IGMP Version 1—When a PC wants to join a multicast group, it sends an IGMP Report message (often called a Join message) to the router, letting the router know it wants to receive traffic for a specific group. Every 60 seconds, by default, the router sends an IGMP Query message to determine whether the PC still wants to belong to the group. There can be up to a 3-minute delay before the router realizes that the receiver left the group. The destination address of this router query is 224.0.0.1, which addresses all IP multicast hosts.
■ IGMP Version 2—Similar to IGMP Version 1, except that IGMP Version 2 can send queries to a specific group, and a "Leave" message is supported. Specifically, a receiver can proactively send a Leave message when it no longer wants to participate in a multicast group, allowing the router to prune its interface earlier.
■ IGMP Version 3—Introduces Source-Specific Multicast (SSM) capabilities to the protocol. This allows hosts to signal group membership with filtering capabilities for possible sources. A host can signal either that it wants to receive traffic from all sources or that it wants to receive traffic from only specific sources.

IGMP Version 1 and Version 2 hosts and routers do have some interoperability. When an IGMPv2 host sends an IGMPv2 report to an IGMPv1 router, the IGMP message type appears to be invalid, and it is ignored. Therefore, an IGMPv2 host must send IGMPv1 reports to an IGMPv1 router. In an environment with an IGMPv2 router and a mixture of IGMPv1 and IGMPv2 receivers, the Version 1 receivers respond normally to IGMPv1 or IGMPv2 queries. However, the Version 2 router must ignore any Leave message while IGMPv1 receivers are present, because if the router processed the IGMPv2 Leave message, it would send a group-specific query, which would not be correctly interpreted by an IGMPv1 receiver.

FIGURE 7-2 IGMPv2 router with v1 and v2 receivers (the IGMPv2 receiver sends a Leave message; the IGMPv2 router suppresses its normal group-specific query, because the IGMPv1 receiver would not be able to respond to the v2 query)

As mentioned earlier, multicast routers can periodically send queries out of an interface to determine whether any multicast receivers still exist off that interface. However, you might have a situation in which more than one multicast router exists on a broadcast media segment (for instance, Ethernet). Therefore, one router must be designated as the "querier" for that segment. This IGMP-designated querier is the router that has the lowest unicast IP address on the segment; the election is based purely on that address and carries no authentication. To determine which router on a multiaccess network is the querier, issue the following command:
show ip igmp interface [interface-id]

© 2007 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 132 for more details.

[ 101 ]

CHAPTER 7

CCIE Routing and Switching Exam Quick Reference Sheets by Anthony Sequeira

The output from the preceding command identifies the IP address of the IGMP querier. In addition, the following command displays the IP multicast groups that a router is aware of:
show ip igmp group

When a Layer 2 switch receives a multicast frame on an interface, by default the switch floods the frame out all other interfaces. To prevent this behavior, the switch needs awareness of which interfaces are connected to receivers for specific multicast groups. Approaches for training the switch include the following:
■ Cisco Group Management Protocol (CGMP)—A Cisco-proprietary approach used on lower-end switches that allows a Cisco router to tell a Cisco switch which of its interfaces are connected to multicast receivers for specific multicast groups
■ IGMP snooping—Used on higher-end switches; allows a switch to autonomously determine which interfaces are connected to receivers for specific multicast groups by eavesdropping on the IGMP traffic being exchanged between clients and routers
■ GARP Multicast Registration Protocol (GMRP)—A standards-based approach for letting a receiver proactively inform its upstream switch that the receiver wants to belong to a specific multicast group
■ Router-Port Group Management Protocol (RGMP)—A proprietary approach that allows a switch to send IP multicast packets only to multicast-enabled routers that want to receive traffic for specific IP multicast groups

Addressing
In a multicast network, the source sends multicast packets with a Class D destination address. The 224.0.0.0 through 239.255.255.255 address range is the Class D address range, because the first 4 bits in the first octet of a Class D address are 1110. Some ranges of addresses in the Class D address space are dedicated for special purposes:
■ 224.0.0.0–224.0.0.255 (Reserved link-local addresses)
■ 224.0.1.0–238.255.255.255 (Globally scoped addresses)
■ 232.0.0.0–232.255.255.255 (Source-specific multicast addresses)
■ 233.0.0.0–233.255.255.255 (GLOP addresses)
■ 239.0.0.0–239.255.255.255 (Limited-scope addresses)

■ Reserved link-local addresses—Used, for example, by many network protocols. Open Shortest Path First (OSPF) uses 224.0.0.5 and 224.0.0.6. RIPv2 uses 224.0.0.9, and Enhanced Interior Gateway Routing Protocol (EIGRP) uses 224.0.0.10. Other “well-known” addresses in this range include 224.0.0.1, which addresses all multicast hosts, and 224.0.0.2, which addresses all multicast routers.
■ Globally scoped addresses—Used for general-purpose multicast applications. Can extend beyond the local autonomous system.
■ Source-specific multicast (SSM) addresses—Used in conjunction with IGMPv3 to allow a multicast receiver to request not only membership in a group, but also the specific sources from which it wants to receive traffic. Therefore, in an SSM environment, multiple sources with different content can all be sending to the same multicast destination address.
■ GLOP addresses—Provide a globally unique multicast address range based on autonomous system numbers. For example, if a company had an autonomous system number of 65000, its globally unique range of multicast IP addresses would be 233.253.232.0 to 233.253.232.255. The autonomous system number is used to calculate the second and third octets in this address range. First, convert the autonomous system number to hexadecimal (that is, 65000 in decimal equals FD-E8 in hexadecimal). FD in hexadecimal equals 253 in decimal, and E8 in hexadecimal equals 232 in decimal. The first octet of a GLOP address is always 233.
■ Limited-scope addresses—Used for internal multicast applications (that is, traffic that doesn’t leave the autonomous system), much like the RFC 1918 address space is a “private” address space.

In addition to Layer 3 addresses, multicast applications must also have Layer 2 addresses (that is, MAC addresses). Fortunately, these Layer 2 addresses can be constructed directly from the Layer 3 multicast addresses. A MAC address is a 48-bit address, and the first half (24 bits) of a multicast MAC address (in hex) is 01-00-5e. The twenty-fifth bit is always 0. The last 23 bits of the multicast MAC address come directly from the last 23 bits of the multicast IP address. Consider the following examples:

Given a multicast IP address of 224.1.10.10, calculate the corresponding multicast MAC address.
First, convert the last three octets to binary:
0000.0001.0000.1010.0000.1010
If the leftmost bit is not already 0, it should be changed to 0, because the twenty-fifth bit of a multicast MAC address is always 0:
0000.0001.0000.1010.0000.1010
Convert each nibble (that is, 4-bit section) into its hexadecimal equivalent:
01-0a-0a
Prepend 01-00-5e to the calculated address to produce the multicast MAC address:
01-00-5e-01-0a-0a

Given a multicast IP address of 224.129.10.10, calculate the corresponding multicast MAC address.
First, convert the last three octets to binary:
1000.0001.0000.1010.0000.1010
If the leftmost bit isn’t already 0, it should be changed to a 0, because the twenty-fifth bit of a multicast MAC address is always 0:
0000.0001.0000.1010.0000.1010
Convert each nibble (that is, 4-bit section) into its hexadecimal equivalent:
01-0a-0a
Prepend 01-00-5e to the calculated address to produce the multicast MAC address:
01-00-5e-01-0a-0a

Notice that both Layer 3 IP addresses translate into the same Layer 2 MAC address. This overlap permits 32 Layer 3 multicast addresses to map to the same Layer 2 multicast MAC address. So, care must be taken when selecting Layer 3 multicast addresses to avoid this overlap.
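The two worked MAC mappings and the GLOP calculation above, carried through in Python as an added example (this is not code from the Quick Reference Sheets). It goes one step further than the text by enumerating all 32 Class D groups that collide on a single MAC address, which is the overlap the last paragraph warns about.

```python
from __future__ import annotations
import ipaddress

# Fixed high 24 bits of every IPv4 multicast MAC address (01-00-5e).
MCAST_MAC_PREFIX = 0x01005E
# Only the low 23 bits of the 28-bit group ID survive the mapping; the five
# bits above them (bits 23..27 of the address) are discarded. Masking them
# off is the "force the twenty-fifth bit to 0" step of the worked examples.
LOW_23_BITS = 0x7FFFFF


def multicast_mac(group: str) -> str:
    """Map an IPv4 Class D address to its Ethernet multicast MAC address."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not a Class D (224.0.0.0/4) address")
    mac = (MCAST_MAC_PREFIX << 24) | (int(addr) & LOW_23_BITS)
    return "-".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def overlapping_groups(group: str) -> list[str]:
    """All 32 Class D addresses that share the given group's MAC address.

    Five group-ID bits are thrown away by the mapping, so 2**5 groups collide.
    """
    low = int(ipaddress.IPv4Address(group)) & LOW_23_BITS
    return [str(ipaddress.IPv4Address(0xE0000000 | (hi << 23) | low))
            for hi in range(32)]


def glop_range(asn: int) -> str:
    """233/8 GLOP block for a 16-bit AS number: 233.<high byte>.<low byte>.0/24."""
    if not 0 <= asn <= 0xFFFF:
        raise ValueError("GLOP addressing is defined for 16-bit AS numbers only")
    return f"233.{asn >> 8}.{asn & 0xFF}.0/24"


if __name__ == "__main__":
    for g in ("224.1.10.10", "224.129.10.10"):
        print(f"{g:>14} -> {multicast_mac(g)}")
    print("AS 65000 GLOP block:", glop_range(65000))
    collisions = overlapping_groups("224.1.10.10")
    print(f"{len(collisions)} groups share that MAC, e.g. {', '.join(collisions[:4])} ...")
```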

Distribution Trees
To combat the issue of receiving duplicate packets, Cisco routers perform a Reverse Path Forwarding (RPF) check to determine whether a multicast packet is entering a router on the correct interface. An RPF check examines the source address of an incoming packet and checks it against the router’s unicast routing table to see what interface should be used to get back to the source network. If the incoming multicast packet is using that interface, the RPF check passes, and the packet is forwarded. If the multicast packet is coming in a different interface, the RPF check fails, and the packet is discarded.

FIGURE 7-3 RPF check
[Figure: a video server at 10.1.1.1; the unicast routing table lists 10.0.0.0/8 via s 0/0; a packet from the server arriving on s 0/0 is marked RPF Check—PASS and one arriving on s 0/1 is marked RPF Check—FAIL; a receiver sits downstream.] The RPF check compares incoming packets with the unicast routing table to determine if a packet is arriving on the correct interface.

Only members of a multicast group receive packets destined for that group. However, the sender does not need to be a member of the group. Multicast traffic flows from a source to a destination over a “distribution tree,” which is a loop-free path. The two types of distribution trees are as follows:
■ Source distribution tree—A source distribution tree creates an optimal path between each source router and each last-hop router (that is, a router connected to a receiver) at the expense of increased memory usage. Source distribution trees place (S, G) states in a router’s multicast routing table to indicate the address of the source (S) and the address of the group (G).
■ Shared distribution tree—A shared distribution tree creates a tree from a central “rendezvous point” (RP) router to all last-hop routers, with source distribution trees being created from all sources to the RP, at the expense of increased delay. Shared distribution trees place (*, G) states in a router’s multicast routing table to indicate that any device could be the source (that is, using the wildcard [*] character) for the group (G). This (*, G) state is created in routers along the shared tree from the RP to the last-hop routers. Because each source for a group does not require its own (S, G), the memory requirement is less for a shared tree compared to a source tree.

FIGURE 7-4 Source distribution tree
FIGURE 7-5 Shared distribution tree
[Figures: Source 1 and Source 2, both sending to 225.1.2.3, each behind a source router; last-hop routers serving receivers that are members of 225.1.2.3; in Figure 7-5 a rendezvous point (RP) sits between the source routers and the last-hop routers.] With a Source Distribution Tree, each source router for a multicast group forms a shortest-path tree to each last-hop router for that group, creating additional multicast routing entries in the routers. However, there is an optimal path between each source router and each last-hop router. With a Shared Distribution Tree, each source router for a multicast group forms a shortest-path tree to the RP. The RP then sends the multicast data to the last-hop routers. The Shared Distribution Tree approach results in fewer routing entries in the routers. However, suboptimal paths often result.

PIM-DM Mechanics
Cisco routers use the Protocol-Independent Multicast (PIM) protocol to construct IP multicast distribution trees. PIM’s protocol independence means that it can run over an IP network regardless of the underlying unicast routing protocol, such as OSPF or EIGRP. The two varieties of PIM are PIM-Dense Mode (PIM-DM) and PIM-Sparse Mode (PIM-SM). PIM-DM uses a source distribution tree, whereas PIM-SM uses a shared distribution tree.


A router is globally enabled for multicast routing with the following global configuration mode command:
Router(config)#ip multicast-routing

After IP multicast has been globally enabled, individual interfaces need to be configured for PIM support. To configure an interface to participate in an IP multicast network using PIM, issue the following interface configuration mode command:
Router(config-if)#ip pim {dense-mode | sparse-mode | sparse-dense-mode}

Cisco recommends sparse-dense-mode, which uses Dense Mode to automatically learn the location of an RP, after which the interface runs in Sparse Mode. First, consider the formation of a PIM-Dense Mode distribution tree:
Step 1. A multicast source comes up and begins flooding multicast traffic throughout the network.
Step 2. If more than one router is forwarding over a common broadcast medium (for example, an Ethernet link), “Assert” messages are used to determine the PIM forwarder. The router with the better metric or (by default) the highest IP address wins the election.
Step 3. Some routers might not have multicast receivers for the group whose traffic is currently being flooded. Those routers send a “Prune” message to their upstream router, requesting that their branch of the distribution tree be pruned. However, if another router is on the same broadcast medium as the router that sent the prune, and if that other router has IP multicast receivers attached, the Prune message is ignored. The Prune message is ignored because the router that is attached to IP multicast receivers sends a “Join Override” message.
Step 4. If a receiver comes up on a router that was previously pruned from the tree, that router can rejoin the tree by sending a “Graft” packet.

A major consideration for PIM-DM, however, is that this “flood-and-prune” behavior repeats every 3 minutes. Therefore, PIM-DM does not scale well. A better alternative is PIM-SM.

PIM-SM Mechanics
Next, consider the formation of a PIM-SM distribution tree:
Step 1. A receiver sends an IGMP Report message to its router indicating that it wants to participate in a particular multicast group.
Step 2. The receiver’s router (that is, the “last-hop router”) sends a Join message to the RP, creating (*, G) state along a shared tree between the RP and the last-hop router.
Step 3. A source comes up and creates a source tree between its router (that is, the “first-hop router”) and the RP. (S, G) state is created in routers along this path. However, before the source tree is completely established, the source sends its multicast packets to the RP encapsulated inside unicast Register messages.
Step 4. After the RP receives the first multicast packet over the source tree, it sends a Register Stop message to the source, telling the source to stop sending the multicast traffic inside Register messages. Two trees now exist: a source tree from the first-hop router to the RP, and a shared tree from the RP to the last-hop router.
Step 5. However, this might not be the optimal path. The last-hop router observes from where the multicast traffic is arriving, and the last-hop router sends a Join message directly to the first-hop router to form an optimal path (that is, a source path tree) between the source and the receiver.
Step 6. Because the last-hop router is now receiving the multicast traffic directly from the first-hop router, it no longer needs multicast traffic from the RP, so it sends an (S, G) RP-bit prune message to the RP, asking the RP to stop sending multicast traffic. With the shared tree to the last-hop router pruned, the RP no longer needs to receive multicast traffic from the first-hop router. So the RP sends an (S, G) Prune message to the first-hop router. At this point, traffic flows in an optimal path from the first-hop router to the last-hop router. The process of cutting over from the path via the RP to the direct path is called shortest path tree (SPT) switchover.

Comparing PIM-DM to PIM-SM suggests that PIM-SM offers the benefits of PIM-DM (that is, optimal pathing) without PIM-DM’s flood-and-prune behavior. A distribution tree’s topology can be determined by examining the multicast routing table of multicast routers in the topology. The show ip mroute command displays a router’s multicast routing table:
Router#show ip mroute
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
       L - Local, P - Pruned, R - RP-bit set, F - Register flag,
       T - SPT-bit set, J - Join SPT, M - MSDP created entry,
       X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
       U - URD, I - Received Source Specific Host Report,
       Z - Multicast Tunnel, Y - Joined MDT-data group,
       y - Sending to MDT-data group
Timers: Uptime/Expires
Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 224.0.100.4), 02:37:12, RP is 192.168.47.14, flags: S
  Incoming interface: Serial0, RPF neighbor 10.4.53.4
  Outgoing interface list:
    Ethernet1, Forward/Sparse, 02:37:12/0:03:42
    Ethernet2, Forward/Sparse, 02:52:12/0:01:23

(192.168.46.0/24, 224.0.100.4), 02:37:12, flags: RT
  Incoming interface: Ethernet1, RPF neighbor 10.4.53.4
  Outgoing interface list:
    Ethernet2, Forward/Sparse, 02:44:21/0:01:47

Notice the (*, G) and (S, G) entries. Other valuable information contained in the mroute table includes the Incoming Interface List (IIF), which shows on which interface traffic is entering the router, and the Outgoing Interface List (OIL), which shows the router interfaces over which the multicast traffic is being forwarded.

Rendezvous Points
In a PIM-SM network, one or more routers need to be designated as RPs. These routers are the “central point” to which multicast servers send traffic that is to be dispersed to clients who want to receive it. Non-RPs can be configured to point to a statically defined RP with the global configuration mode command ip pim rp-address ip-address. However, in larger topologies, Cisco recommends that RPs be automatically configured.

Auto-RP
Cisco routers support two methods for automatically configuring an RP: Auto-RP and Bootstrap Router (BSR). Routers willing to serve as an RP are called candidate RPs, and they make their candidacy known to other routers called mapping agents using the multicast address 224.0.1.39. A mapping agent then makes the location of an RP known to other multicast routers in the network using the multicast address 224.0.1.40. By default, the mapping agent advertises the candidate RP with the highest IP address. The global configuration command ip pim send-rp-announce interface scope ttl [group-list acl] is issued on candidate RPs. To identify a router as a mapping agent, use the global configuration mode command ip pim send-rp-discovery scope ttl.

Whereas Auto-RP is a Cisco approach, PIMv2 added a standards-based approach to make the location of RPs known throughout the multicast network. Specifically, PIMv2, which uses IP protocol 103, supports a feature called BSR, which performs a similar function to Auto-RP. Routers that are candidates to become the RP can be configured with the global configuration mode command ip pim rp-candidate interface ttl group-list acl. Routers that are candidates to become the bootstrap router (similar to an Auto-RP mapping agent) can be configured with the global configuration mode command ip pim bsr-candidate interface hash-mask-length [priority]. Because BSR leverages PIM messages, reserved multicast group addresses (for example, 224.0.1.40, used by Auto-RP) are not required for RP advertisement.
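An added Python example (not code from the Quick Reference Sheets) that parses show ip mroute output such as the table shown earlier in this section into its (*, G) and (S, G) entries, each with the IIF, RPF neighbor and OIL the text calls out, and flags any entry whose incoming interface also appears in its OIL. The sample text is the output reproduced above with the flag legend shortened.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Entry header lines, e.g.
#   (*, 224.0.100.4), 02:37:12, RP is 192.168.47.14, flags: S
#   (192.168.46.0/24, 224.0.100.4), 02:37:12, flags: RT
ENTRY_RE = re.compile(
    r"^\((?P<src>\*|[\d./]+), (?P<grp>[\d.]+)\), (?P<uptime>[\d:]+)"
    r"(?:, RP is (?P<rp>[\d.]+))?, flags: (?P<flags>\w*)$")
IIF_RE = re.compile(r"^\s+Incoming interface: (?P<iif>[^,]+), RPF neighbor (?P<nbr>\S+)$")
OIL_RE = re.compile(r"^\s+(?P<iface>[^,]+), (?P<mode>[^,]+), (?P<timers>[\d:]+/[\d:]+)$")


@dataclass
class MrouteEntry:
    source: str          # "*" for a shared-tree (*, G) entry, else the source prefix
    group: str
    uptime: str
    flags: str
    rp: str | None = None
    iif: str | None = None           # Incoming Interface (the RPF interface)
    rpf_neighbor: str | None = None
    oil: list[tuple[str, str, str]] = field(default_factory=list)  # (interface, state/mode, uptime/expires)

    @property
    def shared_tree(self) -> bool:
        return self.source == "*"


def parse_mroute(text: str) -> list[MrouteEntry]:
    """Parse 'show ip mroute' output into entries with their IIF and OIL."""
    entries: list[MrouteEntry] = []
    current: MrouteEntry | None = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = MrouteEntry(m["src"], m["grp"], m["uptime"], m["flags"], m["rp"])
            entries.append(current)
            continue
        if current is None:
            continue                      # still inside the legend / header lines
        m = IIF_RE.match(line)
        if m:
            current.iif, current.rpf_neighbor = m["iif"], m["nbr"]
            continue
        m = OIL_RE.match(line)
        if m:
            current.oil.append((m["iface"], m["mode"], m["timers"]))
    return entries


def iif_in_oil(entries: list[MrouteEntry]) -> list[MrouteEntry]:
    """Sanity check: for the PIM-SM/PIM-DM entries shown here, the RPF interface
    is not expected in the OIL. Any hit is worth a closer look at the table."""
    return [e for e in entries if e.iif and any(e.iif == o[0] for o in e.oil)]


# Constructed sample: the page's output with the legend shortened.
SAMPLE_MROUTE = """\
Router#show ip mroute
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
       L - Local, P - Pruned, R - RP-bit set, F - Register flag,
       T - SPT-bit set, J - Join SPT, M - MSDP created entry
Timers: Uptime/Expires
Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 224.0.100.4), 02:37:12, RP is 192.168.47.14, flags: S
  Incoming interface: Serial0, RPF neighbor 10.4.53.4
  Outgoing interface list:
    Ethernet1, Forward/Sparse, 02:37:12/0:03:42
    Ethernet2, Forward/Sparse, 02:52:12/0:01:23

(192.168.46.0/24, 224.0.100.4), 02:37:12, flags: RT
  Incoming interface: Ethernet1, RPF neighbor 10.4.53.4
  Outgoing interface list:
    Ethernet2, Forward/Sparse, 02:44:21/0:01:47
"""

if __name__ == "__main__":
    for e in parse_mroute(SAMPLE_MROUTE):
        kind = "(*, G)" if e.shared_tree else "(S, G)"
        print(f"{kind} {e.source} -> {e.group}: flags {e.flags}, IIF {e.iif}, "
              f"OIL {[o[0] for o in e.oil]}")
```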


Anycast RP
Anycast RP provides load sharing and redundancy in PIM-SM networks. This technology allows multiple RPs to load-share and act as hot backup routers for each other. Multicast Source Discovery Protocol (MSDP) makes Anycast RP possible. In Anycast RP, two or more RPs are configured with the same IP address and 32-bit mask on loopback interfaces. All the downstream routers are configured with this address as the RP address. IP routing automatically selects the topologically closest RP for each source and receiver. Because sources may register with one RP and receivers may join a different RP, a method is needed for the RPs to exchange information about active sources. This information exchange is done using MSDP. In Anycast RP, all the RPs are configured to be MSDP peers with each other. When a source registers with one RP, an SA message is sent to the other RPs, informing them that an active source exists for a particular multicast group. The result is that each RP knows about the active sources in the area of the other RPs. If any of the RPs were to fail, IP routing would converge, and one of the RPs would become the active RP in more than one area.


CHAPTER 8


Security
Access Lists / Extended IP Access Lists
Many types of access lists are available in Cisco IOS Software for many different protocols. Here is a complete list.
Protocol                                              Range
IP                                                    1–99, 1300–1999
Extended IP                                           100–199, 2000–2699
Ethernet type code                                    200–299
Ethernet address                                      700–799
Transparent bridging (protocol type)                  200–299
Transparent bridging (vendor code)                    700–799
Extended transparent bridging                         1100–1199
DECnet and extended DECnet                            300–399
Xerox Network Systems (XNS)                           400–499
Extended XNS                                          500–599
AppleTalk                                             600–699
Source-route bridging (protocol type)                 200–299
Source-route bridging (vendor code)                   700–799
IPX                                                   800–899
Extended IPX                                          900–999
IPX SAP                                               1000–1099
Standard Virtual Integrated Network Service (VINES)   1–100
Extended VINES                                        101–200
Simple VINES                                          201–300

You are permitted one access list per protocol, per interface, per direction.

FIGURE 8-1 Access control lists
[Figure: one access list per protocol, per direction, per interface, shown on interface fa 0/0 facing a server. An inbound access list filters traffic before it enters the router; an outbound access list filters traffic before it exits the router.]

At the end of every access list is an implied “deny all traffic” access control entry (ACE). Therefore, if a packet does not match any of your criteria statements, it is blocked. Remember that the order of access list statements is important! For example, if you create a criteria statement that explicitly permits all traffic, no statements added later are ever checked.
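An added Python example (not code from the Quick Reference Sheets) that evaluates a numbered extended IP access list the way the text describes: wildcard-mask matching, top-down first match, the implied deny at the end, and a check for entries that an earlier, broader entry makes unreachable. It parses only the subset of the access-list syntax it needs (permit/deny, protocol, any/host/wildcard addresses, an optional eq port); the two sample lists are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
import ipaddress

ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class Ace:
    """One access control entry from a numbered extended IP access-list command."""
    action: str            # "permit" or "deny"
    protocol: str          # "ip" matches any IP protocol; otherwise tcp, udp, icmp, ...
    src: int
    src_wild: int          # wildcard mask: 1 bits are "don't care"
    dst: int
    dst_wild: int
    dst_port: int | None   # from a trailing "eq <port>", if present


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens: list[str], i: int) -> tuple[int, int, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' at tokens[i]; return (base, wildcard, next)."""
    if tokens[i] == "any":
        return 0, ALL_ONES, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2


def parse_ace(line: str) -> Ace:
    """Parse the subset: access-list <n> {permit|deny} <proto> <src> <dst> [eq <port>]."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported entry: {line!r}")
    src, src_wild, i = _parse_addr(t, 4)
    dst, dst_wild, i = _parse_addr(t, i)
    port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return Ace(t[2], t[3], src, src_wild, dst, dst_wild, port)


def _wild_match(addr: int, base: int, wild: int) -> bool:
    cared = ~wild & ALL_ONES          # the bits this entry actually compares
    return (addr & cared) == (base & cared)


def matches(ace: Ace, proto: str, src: str, dst: str, dst_port: int | None = None) -> bool:
    return (ace.protocol in ("ip", proto)
            and _wild_match(_ip(src), ace.src, ace.src_wild)
            and _wild_match(_ip(dst), ace.dst, ace.dst_wild)
            and (ace.dst_port is None or ace.dst_port == dst_port))


def evaluate(acl: list[Ace], proto: str, src: str, dst: str,
             dst_port: int | None = None) -> tuple[str, int | None]:
    """Top-down, first match wins; no match falls through to the implied deny (index None)."""
    for index, ace in enumerate(acl):
        if matches(ace, proto, src, dst, dst_port):
            return ace.action, index
    return "deny", None


def _covers(a: Ace, b: Ace) -> bool:
    """True if every packet that matches b also matches a (so a, placed earlier, shadows b)."""
    def addr_covers(a_base: int, a_wild: int, b_base: int, b_wild: int) -> bool:
        cared = ~a_wild & ALL_ONES
        return (b_wild & cared) == 0 and (a_base & cared) == (b_base & cared)
    return (a.protocol in ("ip", b.protocol)
            and addr_covers(a.src, a.src_wild, b.src, b.src_wild)
            and addr_covers(a.dst, a.dst_wild, b.dst, b.dst_wild)
            and (a.dst_port is None or a.dst_port == b.dst_port))


def shadowed_entries(acl: list[Ace]) -> list[int]:
    """Indices of entries that can never be hit because an earlier entry covers them."""
    return [j for j in range(len(acl)) if any(_covers(acl[i], acl[j]) for i in range(j))]


# Constructed sample lists (not from the Quick Reference Sheets).
ACL_101 = [parse_ace(line) for line in (
    "access-list 101 deny tcp any host 192.168.1.10 eq 23",
    "access-list 101 permit tcp 10.0.0.0 0.255.255.255 any eq 80",
    "access-list 101 permit icmp any any",
)]
# Same intent, but the permit-all entry was typed first: everything after it is dead.
ACL_102 = [parse_ace(line) for line in (
    "access-list 102 permit ip any any",
    "access-list 102 deny tcp any host 192.168.1.10 eq 23",
)]

if __name__ == "__main__":
    print(evaluate(ACL_101, "tcp", "10.5.5.5", "192.168.1.10", 80))    # ('permit', 1)
    print(evaluate(ACL_101, "tcp", "172.16.1.1", "192.168.1.10", 80))  # ('deny', None): implied deny
    print(evaluate(ACL_102, "tcp", "10.5.5.5", "192.168.1.10", 23))    # ('permit', 0): deny never reached
    print("unreachable entries in 102:", shadowed_entries(ACL_102))    # [1]
```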


When you are editing an access list and need to reorder entries, you should first delete the old list with the no access-list command. If you do not first delete the previous version of the access list, when you copy or type commands on your router, you append additional access control list (ACL) statements to the end of the existing access list. The following ACLs are supported for IP:
■ Standard access lists for filtering based on source address
■ Extended access lists for filtering on source or destination address or port numbers
■ Dynamic extended IP access lists that grant access per user to a specific source or destination host through a user authentication process
■ Reflexive access lists that allow IP packets to be filtered based on session information

You can identify IP access lists with a name rather than a number. To create a named standard access list, use the following command:
ip access-list standard name

To create a named extended access list, use the following command:
ip access-list extended name

To create a numbered standard access list, use the following global configuration mode syntax:
access-list access-list-number {deny | permit} source [source-wildcard] [log]

The Cisco IOS Software can provide logging messages about packets permitted or denied by a standard IP access list. The first packet that triggers the access list causes an immediate logging message, and subsequent packets are collected over 5-minute intervals before they are displayed or logged. You can use the ip access-list log-update command to set the number of packets that cause the system to generate a log message. If you enable Cisco Express Forwarding (CEF) and then create an access list that uses the log keyword, the packets that match the access list are not CEF switched. To create a numbered extended access list, use the following global configuration mode command:
access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [established] [log | log-input] [time-range time-range-name] [fragments]

You can specify whether the system examines noninitial IP fragments of packets when applying an IP extended access list. Before this option was added, nonfragmented packets and the initial fragment of a packet were processed by IP extended access lists, but noninitial fragments were permitted by default. The IP Extended Access Lists with Fragment Control feature allows more granularity of control over noninitial fragments.


The optional fragments keyword is available with four IP access list commands (access-list [IP extended], deny [IP], dynamic, and permit [IP]). By specifying the fragments keyword in an access list entry, that particular access list entry applies only to noninitial fragments of packets; the fragment is either permitted or denied accordingly.

The Turbo Access Control Lists (Turbo ACL) feature processes access lists more expediently than conventional access lists. To enable the Turbo ACL feature, use the following command:
access-list compiled

Use the show access-list compiled EXEC command to verify that the Turbo ACL feature has been successfully configured on your router.

You can implement access lists based on the time of day and week using the time-range global configuration command. To do so, first define the name and the times of day and week of the time range, and then reference the time range by name in an access list to apply restrictions to the access list.

To restrict access to a vty to the addresses in an access list, use the following line configuration command:
access-class access-list-number {in | out}

To apply an access list to an interface, use the following interface configuration command:
ip access-group {access-list-number | access-list-name} {in | out}

Unicast Reverse Path Forwarding
The Unicast Reverse Path Forwarding feature (Unicast RPF) helps the network guard against malformed or “spoofed” IP packets passing through a router. A spoofed IP address is one that is manipulated to have a forged IP source address. Unicast RPF allows the administrator to drop packets that lack a verifiable source IP address at the router. Note how similar this is to the Reverse Path Forwarding check with multicast traffic. In that case, traffic was dropped to avoid loops. Unicast RPF is enabled on a router interface. When this feature is enabled, the router checks packets that arrive inbound on the interface to see whether the source address matches the receiving interface. Cisco Express Forwarding (CEF) is required on the router because the Forwarding Information Base (FIB) is the mechanism checked for the interface match. Administrators can decide to drop packets that arrive on an interface without a return path to the source in the FIB, or they can just have counters increment in the global IP traffic statistics for Unicast RPF drops and in the interface statistics for Unicast RPF. Whether packets that fail the Unicast RPF check are dropped is controlled by the use of an ACL with the ip verify unicast reverse-path command. If an ACL is specified in the command and a packet fails the Unicast RPF check, the ACL is checked to see whether the packet should be dropped or forwarded. If no ACL is specified in the Unicast RPF command, the router drops the unverifiable packet, and the counters are updated. Note that you can use ACL logging to obtain the source address information. Just be sure to specify the log option in the ACL used with the ip verify unicast reverse-path command. To implement Unicast RPF, ensure that CEF is enabled on the router, and use the ip verify unicast reverse-path list interface configuration command.
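The multicast RPF check of Figure 7-3 and the strict Unicast RPF check just described share one question: which interface would the unicast table use to reach the packet's source? This added Python example (not code from the Quick Reference Sheets) answers it with a longest-prefix-match lookup and applies the answer both ways, including the ACL exemption and the drop counters described above; the routing table and the exempt prefix are constructed.

```python
from __future__ import annotations
import ipaddress


class UnicastRib:
    """Minimal unicast routing table (FIB) with longest-prefix match."""

    def __init__(self, routes):
        # routes: iterable of (prefix, outgoing interface); kept most-specific first
        self._routes = sorted(
            ((ipaddress.IPv4Network(prefix), iface) for prefix, iface in routes),
            key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, addr: str) -> str | None:
        """Interface used to reach addr, or None when there is no route back to it."""
        ip = ipaddress.IPv4Address(addr)
        for net, iface in self._routes:
            if ip in net:
                return iface
        return None


def multicast_rpf_check(rib: UnicastRib, source: str, ingress: str) -> bool:
    """Multicast RPF check: pass only if the packet arrived on the interface
    the unicast table would use to reach the source network."""
    return rib.lookup(source) == ingress


class UnicastRpf:
    """Strict Unicast RPF on one interface, with the ACL exemption and counters
    described for 'ip verify unicast reverse-path [acl]'."""

    def __init__(self, rib: UnicastRib, interface: str, exempt=()):
        self.rib = rib
        self.interface = interface
        # Prefixes permitted by the (hypothetical) ACL attached to the command:
        # a packet that fails the check but matches here is forwarded anyway.
        self.exempt = [ipaddress.IPv4Network(p) for p in exempt]
        self.drops = 0          # packets dropped by Unicast RPF
        self.acl_forwarded = 0  # failures forwarded because the ACL permitted them

    def accept(self, source: str) -> bool:
        if self.rib.lookup(source) == self.interface:
            return True
        if any(ipaddress.IPv4Address(source) in net for net in self.exempt):
            self.acl_forwarded += 1
            return True
        self.drops += 1
        return False


def sample_rib() -> UnicastRib:
    """Constructed table in the spirit of Figure 7-3, plus one more-specific
    prefix to show that the lookup is longest-prefix match."""
    return UnicastRib([
        ("10.0.0.0/8", "Serial0/0"),
        ("10.200.0.0/16", "Serial0/1"),
        ("192.168.1.0/24", "Serial0/1"),
    ])


if __name__ == "__main__":
    rib = sample_rib()
    print("10.1.1.1 in on Serial0/0:", multicast_rpf_check(rib, "10.1.1.1", "Serial0/0"))  # True
    print("10.1.1.1 in on Serial0/1:", multicast_rpf_check(rib, "10.1.1.1", "Serial0/1"))  # False
    urpf = UnicastRpf(rib, "Serial0/1", exempt=["10.99.0.0/16"])
    for src in ("192.168.1.5", "10.200.7.7", "10.1.1.1", "10.99.1.1", "172.16.0.1"):
        print(f"uRPF on Serial0/1, source {src}: {'forward' if urpf.accept(src) else 'drop'}")
    print("drops:", urpf.drops, "forwarded by ACL:", urpf.acl_forwarded)
```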
Context-Based Access Control
Context-Based Access Control (CBAC) makes firewall-like stateful packet filtering a possibility on your Cisco IOS router (see Figure 8-2). This capability makes the Cisco IOS router act much like a Cisco PIX or Adaptive Security Appliance. Using CBAC, the router can permit TCP and User Datagram Protocol (UDP) connections from the “trusted” inside interface of the network to “untrusted” outside interfaces (for example, an Internet connection to an Internet service provider). The router then creates a stateful session table to monitor for the appropriate return traffic for these TCP and UDP sessions. Stateful packet filtering is much more powerful than traditional firewall packet filtering in that it can examine application layer information to ensure traffic is safe for entrance into the network. Traditional filtering was often limited to source address inspection, for example.

FIGURE 8-2 CBAC
[Figure: an inspected TCP connection leaving the router toward the Internet, and the permitted TCP return traffic coming back through the router.]

CBAC functions on a router as follows:
■ Control traffic is inspected by an administrator-configured CBAC rule (for example, ip inspect name MYCBACRULE tcp).
■ CBAC creates a dynamic ACL allowing return traffic through the router.
■ Inspection continues, with dynamic ACLs being created and removed as needed; application-specific attacks are also monitored for.
■ Application termination is detected, or timeouts occur, and the dynamic ACLs are removed.

CBAC can be configured to support all TCP connections or all UDP sessions. You can also configure CBAC to inspect certain application-layer protocols:
■ FTP
■ Simple Mail Transport Protocol (SMTP)
■ HTTP
■ ICMP
■ Session Initiation Protocol (SIP)


Configuring CBAC on a router involves the following tasks:
■ Determine whether CBAC will be configured on an “internal” or “external” interface.
■ Ensure access lists configured for outbound traffic permit the CBAC-analyzed traffic, and ensure access lists configured for inbound traffic deny the CBAC-analyzed traffic.
■ Configure global timeouts and thresholds:
ip inspect tcp synwait-time seconds
ip inspect tcp finwait-time seconds
■ Define an inspection rule. For an application layer protocol:
ip inspect name inspection-name protocol [alert {on | off}] [audit-trail {on | off}] [timeout seconds]
For TCP and UDP inspection:
ip inspect name inspection-name tcp [alert {on | off}] [audit-trail {on | off}] [timeout seconds]
ip inspect name inspection-name udp [alert {on | off}] [audit-trail {on | off}] [timeout seconds]
For an RPC application layer protocol:
ip inspect name inspection-name rpc program-number number [wait-time minutes] [alert {on | off}] [audit-trail {on | off}] [timeout seconds]
For Java blocking:
ip inspect name inspection-name http [java-list access-list] [alert {on | off}] [audit-trail {on | off}] [timeout seconds]
■ Apply the inspection rule to an interface:
ip inspect inspection-name {in | out}
■ Configure audit trail messages:
ip inspect audit-trail

LAN Security
Switch port security
You can use the port security feature to restrict input to an interface by limiting and identifying the MAC addresses of the stations allowed to access the port. You can configure these types of secure MAC addresses:
■ Static secure MAC addresses—Manually configured by using the switchport port-security mac-address mac-address interface configuration command.

■ Dynamic secure MAC addresses—Dynamically learned, stored only in the address table, and removed when the switch restarts.
■ Sticky secure MAC addresses—Dynamically learned or manually configured, stored in the address table, and added to the running configuration. These addresses can be saved in the configuration file.

The following interface configuration commands are used to enable and configure port security:
switchport port-security
switchport port-security maximum value [vlan [vlan-list]]
switchport port-security violation {protect | restrict | shutdown}
switchport port-security mac-address mac-address [vlan vlan-id]
switchport port-security mac-address sticky

To enable sticky learning, enter the switchport port-security mac-address sticky interface configuration command. You can configure the interface for one of three violation modes, based on the action to be taken if a violation occurs:
■ Protect—Packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses.
■ Restrict—Packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses; you are notified.
■ Shutdown—A port security violation causes the interface to immediately become error-disabled and turns off the port LED; it also sends a Simple Network Management Protocol (SNMP) trap, logs a syslog message, and increments the violation counter.

You can use port security aging to set the aging time for static and dynamic secure addresses on a port. Two types of aging are supported per port:
■ Absolute—The secure addresses on the port are deleted after the specified aging time.
■ Inactivity—The secure addresses on the port are deleted only if the secure addresses are inactive for the specified aging time.
switchport port-security aging {static | time time | type {absolute | inactivity}}

IP Source Guard
IP Source Guard is a Catalyst security feature related to DHCP snooping. IP Source Guard helps prevent IP spoofing by allowing only the IP addresses that are obtained through DHCP snooping on a particular port. When a client receives an IP address from the authorized DHCP server, a port access control list (PACL) is installed on the port. This PACL allows traffic in the interface as long as it is sourced from the DHCP-provided IP address.


The steps to configuring IP Source Guard are as follows:
Step 1. Configure DHCP snooping in global configuration mode:
ip dhcp snooping
Step 2. Enable DHCP snooping for the appropriate VLANs:
ip dhcp snooping vlan number
Step 3. Configure the trust state of the interface:
no ip dhcp snooping trust
Step 4. Configure the IP Source Guard feature:
ip verify source vlan dhcp-snooping port-security

802.1X Port-Based Authentication
The IEEE 802.1X standard defines a client/server-based access control and authentication protocol that restricts unauthorized clients from connecting to a LAN through publicly accessible ports (see Figure 8-3). The authentication server authenticates each client connected to a switch port before making available any services offered by the switch or the LAN.

FIGURE 8-3 802.1X port-based authentication (Workstation, Switch Running 802.1X Port-based Authentication, Authentication Server)

802.1X port-based authentication is supported in two topologies:
■ Point-to-point
■ Wireless LAN

Use the following commands to enable 802.1X authentication:
Switch(config)# aaa new-model
Switch(config)# aaa authentication dot1x {default} method1 [i...]
Switch(config)# dot1x system-auth-control
Switch(config-if)# dot1x port-control auto

You control the port authorization state by using the dot1x port-control interface configuration command and these keywords:
■ force-authorized—Disables 802.1X authentication and causes the port to transition to the authorized state without any authentication exchange required
■ force-unauthorized—Causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate
■ auto—Enables 802.1X authentication and causes the port to begin in the unauthorized state


Device Security / Access
Remember, you will find no substitute for physical security of your Cisco devices. Not only can the devices be easily stolen, but access to the console port allows passwords to be reset and security into the network to be breached. After ensuring your devices are physically secured, you should place passwords on the various operating modes of your device. It is simple to set local passwords and security on your router or switch to help protect the operating modes and line access. Use the following syntax to protect access to the console port with a local password:
CiscoDevice(config)# line console 0
CiscoDevice(config-line)# login
CiscoDevice(config-line)# password cisco

Notice that the preceding command login permits the use of local password checking on the line. You can use the no login command to disable password checking. The sample syntax is used to protect the Telnet lines with a local password as follows:
CiscoDevice(config)# line vty 0 4
CiscoDevice(config-line)# login
CiscoDevice(config-line)# password cisco

Note
The preceding passwords are stored in the configuration in plain text. To ensure that they are encrypted—along with all other plain-text passwords that might exist—use the service password-encryption command.

To protect access to privileged mode, you can use the enable password global configuration command. You can specify a privilege level if you are using various levels in your local security model. If no level is specified, the default level 15 is assumed. This privilege level provides full access to the privileged mode commands by default. For additional protection, use the enable secret command to set an encrypted privileged mode password. Again, you can use the level argument to assign the password to a particular privilege level. It is a best practice to set both versions of the privileged mode password (enable password and enable secret), but you should set them to different values. If you attempt to set the passwords the same, you get a warning, but the password is still accepted. After you set a password using the enable secret command, a password set using the enable password command works only if the enable secret is disabled or an older version of Cisco IOS Software is being used, such as when running an older rxboot image.

Also part of the local security model is the username command. It provides username and password authentication for login purposes only. Add a username entry for each remote system that the local router communicates with and requires authentication from (for example, Challenge Handshake Authentication Protocol [CHAP], used with PPP). The remote device must have a username entry for the local router. This entry must have the same password as the local router’s entry for that remote device. You can also use this command to define usernames that get special treatment. For example, you can use this command to define a “guest” username that does not require a password but connects the user to a general-purpose information service.

For enacting local security, you can configure 16 different privilege levels, numbered 0 through 15. To configure a privilege level for users and associate commands with that privilege level, use the privilege command in global configuration mode. For example, to set the use of the configure command to level 14, use the following command:
privilege exec level 14 configure

You can and should configure multiple authentication sources. For example, if your TACACS+ servers are unavailable (an error is returned when access fails), you should have authentication seamlessly fail over to some other method—perhaps the local username and password database on the device.

Authentication, authorization, and accounting
You can also ensure security in the network through the use of AAA—authentication, authorization, and accounting.

Authentication
Authentication can be accomplished using usernames and passwords configured locally on the switch, one or more RADIUS servers, or one or more TACACS+ servers.

FIGURE 8-4 TACACS+ (Workstation, Access Server, Cisco Secure ACS Providing TACACS+ Authentication)

To configure authentication on a router or switch, complete the following steps:
Step 1. Enable AAA on the device using the aaa new-model command. This command permits the use of modern security protocols such as TACACS+, RADIUS, and Kerberos.
Step 2. Define the source of authentication. For example, you can use the tacacs-server host command to define the TACACS+ servers you are using for authentication. You can then use the aaa group server tacacs+ command to group these servers.
Step 3. Define a list of authentication methods to try using the aaa authentication login command. If you specify TACACS+ servers first and you get no response from them (an error is returned), the next listed method is tried.
Step 4. Apply a method list to a router or switch line using the login authentication command.

Authorization
Once authenticated, a user is placed in user EXEC mode by default. Configure authorization with the following steps:
Step 1. Configure the RADIUS or TACACS+ servers that contain the authorization database. These are typically already defined for you using Step 1 from the configuration of authentication.
Step 2. Define a method list of authorization methods that are to be tried in sequence using the aaa authorization command. In this command, you not only specify the authorization sources (for example, a group of TACACS+ servers), but you also specify the function or service needing authorization. This is done with one of the following keywords:
■ commands—The authorization server must return permission to use any command at any level.
■ config-commands—The server must return permission to use a configuration command.
■ configuration—The server must return permission to enter configuration mode.
■ exec—The server must return permission for the user to run an EXEC session.
■ network—The server must return permission to use network-related services.
■ reverse-access—The server must return permission for a reverse Telnet session.
Step 3. Apply the authorization method list to a specific line on the device using the authorization command.

Accounting
The RADIUS and TACACS+ servers can also collect usage information for auditing or even billing purposes.
Step 1. Define the accounting servers; typically this is completed in Step 1 of the authentication process.
Step 2. Define a method list providing a sequence of accounting methods using the command aaa accounting. In this command, you specify functions that trigger accounting—for example:
■ system—Major events such as reload
■ exec—User authentication into an EXEC session
■ commands—Information about any executed commands
You can also specify that certain types of accounting records be sent:
■ start-stop—Events are recorded when they start and stop.
■ stop-only—Events are recorded when they stop.
■ none—No events are recorded.
Step 3. Apply the accounting method to a line on the device using the accounting command.

RADIUS versus TACACS
Be aware of the differences between these two security protocols, as outlined here.

                     RADIUS                                      TACACS+
Transport protocol   User Datagram Protocol (UDP)                TCP
Encryption           Encrypts only the password                  Encrypts entire body
AAA                  Combines authentication and authorization   Separates AAA functions
Standards-based      Industry standard                           Cisco-proprietary
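The "Encrypts only the password" row of the table is worth seeing on the wire. The Python below, an added example by this editor and not code from the book or from Cisco, builds a minimal RADIUS Access-Request and hides the User-Password attribute exactly as RFC 2865 section 5.2 specifies (the password is padded to a 16-byte multiple and each block is XORed with the MD5 of the shared secret and the previous block, seeded with the Request Authenticator). Every other attribute, User-Name included, is sent in the clear. The shared secret and the Request Authenticator are constructed values; a real client draws the authenticator from a cryptographically secure random source.

```python
import hashlib
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: an MD5-keyed XOR over 16-byte blocks."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)   # pad to a 16-byte multiple
    previous, hidden = authenticator, b""
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + previous).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        previous = block                 # next block is chained on this ciphertext
    return hidden


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password; strips the NUL padding (so a password
    ending in NUL bytes would lose them, a limitation of the RFC scheme itself)."""
    previous, clear = authenticator, b""
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + previous).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(block, keystream))
        previous = block
    return clear.rstrip(b"\x00")


def build_access_request(username: bytes, password: bytes, secret: bytes,
                         authenticator: bytes, identifier: int = 1) -> bytes:
    """Minimal Access-Request: User-Name in the clear, User-Password hidden."""
    attrs = bytes([ATTR_USER_NAME, 2 + len(username)]) + username
    hidden = radius_hide_password(password, secret, authenticator)
    attrs += bytes([ATTR_USER_PASSWORD, 2 + len(hidden)]) + hidden
    length = 20 + len(attrs)             # code, id, length, 16-byte authenticator
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + authenticator + attrs


def attributes_on_the_wire(packet: bytes) -> dict:
    """Walk the attribute list the way a passive observer of the UDP datagram would."""
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    out, offset = {}, 20
    while offset < length:
        atype, alen = packet[offset], packet[offset + 1]
        out[atype] = packet[offset + 2:offset + alen]
        offset += alen
    return out


# Constructed values for the demonstration (not from any real exchange).
SECRET = b"shared-secret-example"
AUTHENTICATOR = bytes(range(16))


def demo():
    """Returns (User-Name as seen on the wire, hidden attribute length, recovered password)."""
    pkt = build_access_request(b"alice", b"Pa55w0rd!", SECRET, AUTHENTICATOR)
    seen = attributes_on_the_wire(pkt)
    recovered = radius_reveal_password(seen[ATTR_USER_PASSWORD], SECRET, AUTHENTICATOR)
    return seen[ATTR_USER_NAME], len(seen[ATTR_USER_PASSWORD]), recovered


if __name__ == "__main__":
    print(demo())
```

Because only this one attribute is protected, and by a construction whose strength rests entirely on the shared secret, RADIUS traffic between the NAS and the server is normally carried over a network that is itself protected; TACACS+ obfuscates the whole body after the header, which is the other row in the table.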

CHAPTER 9


MPLS
Multiprotocol Label Switching Overview
Multiprotocol Label Switching (MPLS) leverages the efficiency of Cisco Express Forwarding (CEF) and the intelligence provided by IP routing. Remember that CEF allows for the creation of a copy of the routing information base in memory in the Cisco router or switch. This memory-based structure is called the Forwarding Information Base (FIB), and it allows for remarkable packet forwarding times through what traditionally had been much slower devices. MPLS appends a label to packets. This label can be used for efficient forwarding decisions through an MPLS network. Using MPLS, the Layer 3 header information can be analyzed once as the packet enters the MPLS domain. After this single Layer 3 examination, a label can be appended that will allow the subsequent MPLS devices to skip the traditional Layer 3 routing process. Although labels typically correspond to Layer 3 destination addresses, it is important to note that the labels could also correspond to QoS requirements, source address, or a variety of other criteria.

Label Switch Router
A Label Switch Router (LSR) is the device that makes MPLS possible. These devices can be grouped into two categories:
■ Edge LSR—This device resides at the edge of the MPLS network and has many functions it is responsible for as a result. These functions include the following:
  Label distribution
  Packet forwarding based on labels
  Label imposition (insertion)
  Label disposition (removal)
■ LSR—This device does not reside at the edge of the MPLS network, and therefore it is typically responsible only for the following:
  Label distribution
  Packet forwarding based on labels

Note that service providers typically refer to an Edge LSR as a PE (Provider Edge) router and an LSR as a P (Provider) router, as shown in Figure 9-1.


FIGURE 9-1 LSRs (Dest. 10.10.10.1 enters the MPLS Domain, is carried as Label = 21 and then Label = 25, and leaves as Dest. 10.10.10.1)

Label format
The MPLS label is a 4-byte identifier used in the MPLS process. The label identifies the destination and the services the packet will receive. This is called the Forwarding Equivalence Class (FEC). Labels are locally significant. Each LSR independently maps a label to a FEC. The LSRs then exchange these label bindings. The 32-bit label field used by MPLS is shown in Figure 9-3.

FIGURE 9-3 MPLS label format (bits 0-19 Label, bits 20-22 EXP, bit 23 S, bits 24-31 TTL)

Notice this label contains the following fields:
1. 20-bit label
2. 3-bit experimental field—typically used to carry IP precedence or class of service
3. Bottom-of-Stack bit—used to determine whether the label is the last in the stack of labels
4. 8-bit TTL field—used to prevent looping of packets

Examine the architecture of the LSR shown in Figure 9-2. Notice how the Label Forwarding Information Base (LFIB) in the data plane is used to forward labeled packets, and the control plane mechanisms are used to build this LFIB.

FIGURE 9-2 Architecture of the LSR (Control Plane: Routing Protocol, IP Routing Table, Label Exchange Protocol; Data Plane: Label Forwarding Table (LFIB))

With Frame Mode MPLS, the label is inserted between the Layer 2 and Layer 3 header. With Cell Mode MPLS, the fields in the ATM header are used as the label.


Note the Bottom-of-Stack bit is required because some packets can have multiple labels. This can happen for the following reasons:
■ MPLS virtual private networks (VPN) (two labels)—One label is used to locate the egress router, and the second is used to identify the VPN.
■ MPLS traffic engineering (two or more labels)—One label points to the endpoint of the tunnel, and the other label points to the destination.
■ MPLS VPNs used in conjunction with MPLS traffic engineering (three or more labels).

Label distribution
Label Distribution Protocol (LDP) is used to exchange labels between adjacent routers. LDP is session-based and has the following characteristics:
■ Hello messages are sent periodically on MPLS-enabled interfaces; these messages initiate session establishment.
■ Hello messages are UDP (port 646) sent to multicast 224.0.0.2 (all routers).
■ TCP is used to actually establish the session (port 646).

Label imposition/disposition
The LSR (or Edge LSR) performs one or more of the following functions:
■ Ingress Edge LSR—Inserts (imposes) the label or stack of labels.
■ Core (Interior) LSR—Top label is swapped with the next-hop label or stack of labels.
■ Egress Edge LSR—The label is removed (popped).

Figure 9-4 shows this process.

FIGURE 9-4 Label imposition/disposition (Dest. 10.10.10.1: IP Lookup 10.10.10/24 -> Label 21 at the ingress; LFIB Label Swap Label 21 -> Label 25 in the core; LFIB Label Popped and IP Lookup 10.10.10/24 -> Next Hop at the egress; Dest. 10.10.10.1 leaves the MPLS Domain)
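The label format, the Bottom-of-Stack bit and the impose/swap/pop operations of Figure 9-4 fit in a few lines of code. The Python below is an added example written by this editor (not code from the book or from Cisco IOS): it packs and unpacks the 32-bit label entry, walks a label stack until the S bit is set, and replays the ingress/core/egress steps of Figure 9-4 plus the two-label VPN stack from the list above. The IP payload is a constructed stand-in, and the TTL handling (decrement on swap, drop at zero) is this editor's choice rather than anything the figure states.

```python
import struct


def encode_label(label: int, exp: int = 0, bottom: bool = False, ttl: int = 64) -> bytes:
    """Pack one 32-bit label stack entry: 20-bit label | 3-bit EXP | S bit | 8-bit TTL."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    if not 0 <= exp < 8 or not 0 <= ttl < 256:
        raise ValueError("EXP is 3 bits, TTL is 8 bits")
    word = (label << 12) | (exp << 9) | (int(bottom) << 8) | ttl
    return struct.pack("!I", word)


def decode_label(entry: bytes) -> dict:
    """Unpack the first 4 bytes of `entry` into its four fields."""
    (word,) = struct.unpack("!I", entry[:4])
    return {"label": word >> 12, "exp": (word >> 9) & 0x7,
            "bottom": bool((word >> 8) & 0x1), "ttl": word & 0xFF}


def parse_label_stack(data: bytes):
    """Read entries until the Bottom-of-Stack bit; return (entries, payload after the stack)."""
    entries, offset = [], 0
    while True:
        if len(data) - offset < 4:
            raise ValueError("truncated label stack: no entry carries S=1")
        entry = decode_label(data[offset:offset + 4])
        entries.append(entry)
        offset += 4
        if entry["bottom"]:
            return entries, data[offset:]


def push(data: bytes, label: int, bottom: bool, ttl: int = 64, exp: int = 0) -> bytes:
    """Ingress Edge LSR: impose a label in front of the payload (bottom=True)
    or in front of an existing stack (bottom=False)."""
    return encode_label(label, exp, bottom, ttl) + data


def swap(data: bytes, new_label: int) -> bytes:
    """Core LSR: replace the top label, keep EXP and S, decrement TTL."""
    top = decode_label(data)
    if top["ttl"] <= 1:
        raise ValueError("TTL expired; the packet would be dropped")
    return encode_label(new_label, top["exp"], top["bottom"], top["ttl"] - 1) + data[4:]


def pop(data: bytes):
    """Egress Edge LSR (or penultimate hop): remove the top label."""
    top = decode_label(data)
    return data[4:], top


def lsp_demo():
    """Figure 9-4: impose 21 at the ingress, swap 21 -> 25 in the core, pop at the egress."""
    ip_packet = b"\x45" + b"\x00" * 19          # constructed stand-in for an IPv4 packet
    at_ingress = push(ip_packet, 21, bottom=True, ttl=64)
    at_core = swap(at_ingress, 25)
    at_egress, popped = pop(at_core)
    return (decode_label(at_ingress)["label"], decode_label(at_core)["label"],
            popped["ttl"], at_egress == ip_packet)


def vpn_stack_demo():
    """Two-label MPLS VPN stack: inner VPN label (S=1) under the outer transport label (S=0)."""
    ip_packet = b"\x45" + b"\x00" * 19
    stacked = push(push(ip_packet, 100, bottom=True), 21, bottom=False)
    entries, payload = parse_label_stack(stacked)
    return [(e["label"], e["bottom"]) for e in entries], payload == ip_packet


if __name__ == "__main__":
    print("LSP walk (ingress label, core label, TTL after swap, payload intact):", lsp_demo())
    print("VPN stack (label, bottom-of-stack):", vpn_stack_demo())
```

Only the top entry is ever touched by a core LSR, which is why the inner VPN label survives the transport path untouched and why a parser must trust the S bit, not a fixed count, to find the IP header behind the stack.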

Label-Switched Path
The Label-Switched Path (LSP) is simply the sequence of LSRs that make up the Forwarding Equivalence Class (FEC) path. LSPs are unidirectional, which means that the return path might be different. However, routing protocols typically provide symmetric paths, so if MPLS is based on the routing table output, it is often symmetric too. Penultimate Hop Popping (PHP) is used in the LSP to improve efficiency in the MPLS operations. Figure 9-5 shows the issue if PHP is not used in the MPLS network.

FIGURE 9-5 No PHP (Dest. 10.10.10.1, Label = 21, Label = 30, Label = 25, Dest. 10.10.10.1 across the MPLS Domain; FIB Consulted for Label Imposition, LFIB Used for Label Swap, LFIB Used for Label Swap, Both FIB and LFIB Needed)

Notice that both a FIB and LFIB lookup are required on the egress router. This is because the LFIB must be consulted to learn that the label should be removed (popped) and the FIB needs to be used to forward the packet to the next-hop IP address.

Figure 9-6 shows the use of PHP to increase efficiency.

FIGURE 9-6 PHP (Dest. 10.10.10.1, Label = 21, Label = 30, Label Pop, Dest. 10.10.10.1 across the MPLS Domain; FIB Consulted for Label Imposition, LFIB Used for Label Swap, LFIB Used and Label Popped, FIB Consulted for Next Hop)

Route Descriptor
The Route Descriptor (RD) is a key MPLS element that allows service providers to implement MPLS VPNs for customers. The following discussion is based on the sample MPLS VPN topology shown in Figure 9-7.

FIGURE 9-7 MPLS VPN topology (Customer A 10.100.10.0/24 and Customer B 10.100.10.0/24 both attach to PE Router 1 in the Service Provider Network)


On PE Router 1, a VPN Routing and Forwarding (VRF) table is configured for each customer (Customer A and Customer B). These VRF tables contain the routes advertised by each customer. What if each customer has the same prefix to advertise? In this example, notice that each customer wants to advertise the 10.100.10.0/24 prefix. PE Router 1 handles this situation by prepending an RD to the IPv4 prefix to uniquely identify the prefixes as belonging to particular VPN customers. The combination of the IPv4 prefix and the RD is called the VPN-IPv4 address. PE Router 1 can propagate the prefix information to the other provider routers using Multiprotocol BGP. Multiprotocol BGP is an option because it supports an extended community attribute field. This field can carry the VPN-IPv4 address. The VRF tables on PE Router 1 also contain what is called an Export Target. This attribute determines which target PE routers will receive the VPN-IPv4 address information. On the receiving PE routers, an Import Target value is set.

Basic MPLS configuration
Basic MPLS configuration consists of three mandatory and several optional tasks:
Mandatory:
1. Use the appropriate command for your platform to enable CEF. Examples include the global configuration command ip cef or the interface command ip route-cache cef.
2. Enable label switching on a frame-mode interface:
mpls ip
3. Start the appropriate label distribution protocol on the interface:
mpls label protocol [tdp | ldp | both]

Optional:
1. Configure the MPLS ID on a router:
mpls ldp router-id interface
2. Configure a label-switching MTU:
mpls mtu bytes
3. Configure IP TTL propagation:
mpls ip propagate-ttl
4. Configure conditional label distribution:
mpls ldp advertise-labels [for prefix-access-list [to peer-access-list]]

Monitoring MPLS is possible thanks to the following commands:
■ show mpls ldp parameters—Displays LDP parameters
■ show mpls interfaces—Displays MPLS status on interfaces
■ show mpls ldp discovery—Displays all discovered LDP neighbors
■ show mpls ldp neighbor—Displays individual LDP neighbors
■ show mpls ldp neighbor detail—Displays more details about an LDP neighbor
■ show mpls ldp bindings—Displays the Label Information Base
■ show mpls forwarding-table—Displays the contents of the LFIB
■ show ip cef detail—Displays labels attached to a packet by the Edge LSR
■ debug mpls ldp—Debugs LDP adjacencies
■ debug mpls lfib—Debugs LFIB events
■ debug mpls packets—Debugs labeled packets

CHAPTER 10


IPv6
Address Structure
An IPv6 address is 128 bits long, a much larger address space than the address space in IPv4. It can provide approximately 3.4 * 10^38 addresses. IPv6 addresses are represented as a series of 16-bit fields presented as a hexadecimal number and separated by colons (:). The format used is x:x:x:x:x:x:x:x. To shorten the writing of IPv6 addresses, you can use the following techniques:
■ The leading 0s in a field are optional.
■ You can use two colons (::) to compress successive hexadecimal fields of 0s at the beginning, middle, or end of an IPv6 address; this can be done one time in an address (see Figure 10-1).

FIGURE 10-1 IP addresses (IPv4 Address, 32-bit: 10.100.34.123; IPv6 Address, 128-bit: 2031:0000:130F:0000:0000:09C0:876A:130B or 2031:0:130F::9C0:876A:130B)

Benefits
The main benefits of IPv6 include the following:
■ Has a larger IP address space.
■ Eliminates the need for Network Address Translation (NAT).
■ Allows hosts to have multiple IPv6 addresses and networks to have multiple IPv6 prefixes (site multihoming).
■ A fixed header size makes processing more efficient.
■ Optional security headers.
■ Has increased mobility and multicast capabilities.
■ A new capability enables packet labeling to belong to particular traffic “flows” so that the sender can request special handling.
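The two shortening rules above are easy to state and easy to get wrong in code, for instance by accepting a second "::" or by compressing a single zero field. The Python below, an added example by this editor rather than code from the book, implements both directions: expand_ipv6 restores the eight four-digit fields and rejects malformed input, and compress_ipv6 applies the rules the way Figure 10-1 does (upper-case digits, longest run of two or more zero fields replaced, first run on a tie). The cross-check against the standard library's ipaddress module is this editor's addition; that module emits the lower-case RFC 5952 form, so the comparison upper-cases it.

```python
import ipaddress
import re

FIELD = re.compile(r"[0-9A-Fa-f]{1,4}")   # one 16-bit field, 1 to 4 hex digits


def expand_ipv6(text: str) -> str:
    """Undo both shortenings: restore leading zeros and expand the single '::'."""
    if text.count("::") > 1:
        raise ValueError("'::' may appear only once in an address")
    if "::" in text:
        head, tail = text.split("::")
        head_fields = head.split(":") if head else []
        tail_fields = tail.split(":") if tail else []
        missing = 8 - len(head_fields) - len(tail_fields)
        if missing < 1:
            raise ValueError("'::' must stand for at least one 16-bit field")
        fields = head_fields + ["0"] * missing + tail_fields
    else:
        fields = text.split(":")
    if len(fields) != 8:
        raise ValueError("an IPv6 address has eight 16-bit fields")
    for f in fields:
        if not FIELD.fullmatch(f):
            raise ValueError(f"bad field {f!r}")
    return ":".join(f"{int(f, 16):04X}" for f in fields)


def compress_ipv6(text: str) -> str:
    """Drop leading zeros and replace the longest run of two or more zero fields
    (the first such run on a tie) with '::'."""
    values = [int(f, 16) for f in expand_ipv6(text).split(":")]
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if values[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and values[j] == 0:
            j += 1                       # extend the run of zero fields
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    short = [f"{v:X}" for v in values]
    if best_len < 2:                     # a lone zero field is written as "0"
        return ":".join(short)
    return ":".join(short[:best_start]) + "::" + ":".join(short[best_start + best_len:])


def matches_standard_library(text: str) -> bool:
    """Cross-check: Python's ipaddress emits lower-case RFC 5952 form."""
    return ipaddress.IPv6Address(text).compressed.upper() == compress_ipv6(text)


if __name__ == "__main__":
    for sample in ("2031:0000:130F:0000:0000:09C0:876A:130B", "2001:0:0:1:0:0:0:1", "::1"):
        print(sample, "->", compress_ipv6(sample), "->", expand_ipv6(compress_ipv6(sample)))
```

Parsers that only check the shape of an address and not the "once only" rule for "::" are a recurring source of inconsistent matching between a device's access lists and the tooling that audits them, which is why expand_ipv6 rejects such input instead of guessing.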


Datagram Structure
The header has eight fields:
■ Version—A 4-bit field that indicates the IP version.
■ Traffic Class—An 8-bit field that tags packets with a traffic class used in differentiated services.
■ Flow Label—A 20-bit field that a source uses to label sequences of packets for which the source requests special handling by the IPv6 routers.
■ Payload Length—A 16-bit field similar to the Total Length field in the IPv4 packet header.
■ Next Header—An 8-bit field similar to the Protocol field in the IPv4 packet header. This field differs from IPv4 because there can be a stack of multiple headers within one IPv6 header, unlike IPv4.
■ Hop Limit—This 8-bit field specifies the maximum number of hops an IP packet can traverse and is similar to the Time To Live (TTL) field in the IPv4 packet header.
■ Source Address—This 128-bit (16-octet) field contains the packet’s source address.
■ Destination Address—This 128-bit (16-octet) field contains the destination address.

Address types
Address types under version 6 include the following:
■ Unicast
■ Anycast—An identifier for a set of interfaces that typically belong to different nodes. A packet sent to an anycast address is delivered to the closest interface, as defined by the routing protocols in use, identified by the anycast address.
■ Multicast

Address scopes
■ Link-local address—A link-local address is an IPv6 unicast address that you can manually configure or have automatically configured on an IPv6 interface. When configured automatically, the address uses the link-local prefix FE80::/10 (1111 111010) and the interface identifier. Link-local addresses are used in the neighbor discovery protocol, the stateless autoconfiguration process, and many other control operations such as routing protocols themselves.
■ Site-local address—Site-local addresses are IPv6 unicast addresses that use the prefix FEC0::/10 (1111 111011) and concatenate the subnet identifier (the 16-bit field) with the interface identifier. These addresses are similar to RFC 1918 private addresses in IPv4—they are not advertised beyond the local site. This feature has been deprecated in the standards.
■ Global aggregatable address—Aggregatable global unicast addresses enable strict aggregation of routing prefixes that limits the number of routing table entries in the global routing table. These are the unique addresses assigned by service providers or regional registries for participation in the public network.
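The eight header fields listed under Datagram Structure above pack into 40 bytes, with Version, Traffic Class and Flow Label sharing the first 32-bit word, and the Next Header field chaining through any extension headers to the upper-layer protocol. The Python below is an added example by this editor (not code from the book): it builds a header, parses it back, follows the Next Header chain across a Hop-by-Hop Options extension header to ICMPv6, and decrements Hop Limit as a forwarding router would. The packet contents are constructed (the ICMPv6 checksum is left at zero), and the set of extension header types it walks is a deliberate subset of the ones defined by the IPv6 specifications.

```python
import ipaddress
import struct

IPV6_HEADER_LEN = 40
# Extension headers whose length this walker understands. Fragment (44) is a
# fixed 8 bytes; the others carry "Hdr Ext Len" in 8-octet units not counting
# the first 8 octets. Anything else is treated as the upper-layer protocol.
EXTENSION_HEADERS = {0: "Hop-by-Hop Options", 43: "Routing", 44: "Fragment",
                     60: "Destination Options"}


def build_ipv6_header(src: str, dst: str, payload_len: int, next_header: int,
                      hop_limit: int = 64, traffic_class: int = 0, flow_label: int = 0) -> bytes:
    """Pack the eight fields: 4-bit version, 8-bit traffic class, 20-bit flow label,
    16-bit payload length, 8-bit next header, 8-bit hop limit, two 128-bit addresses."""
    if not 0 <= flow_label < (1 << 20) or not 0 <= traffic_class < 256:
        raise ValueError("flow label is 20 bits, traffic class is 8 bits")
    first_word = (6 << 28) | (traffic_class << 20) | flow_label
    return (struct.pack("!IHBB", first_word, payload_len, next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)


def parse_ipv6_header(packet: bytes) -> dict:
    """Unpack the fixed header and reject anything that is not a complete IPv6 packet."""
    if len(packet) < IPV6_HEADER_LEN:
        raise ValueError("shorter than the 40-byte fixed header")
    first_word, payload_len, next_header, hop_limit = struct.unpack("!IHBB", packet[:8])
    if first_word >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    if len(packet) - IPV6_HEADER_LEN < payload_len:
        raise ValueError("payload shorter than Payload Length claims")
    return {"version": 6,
            "traffic_class": (first_word >> 20) & 0xFF,
            "flow_label": first_word & 0xFFFFF,
            "payload_length": payload_len,
            "next_header": next_header,
            "hop_limit": hop_limit,
            "src": str(ipaddress.IPv6Address(packet[8:24])),
            "dst": str(ipaddress.IPv6Address(packet[24:40]))}


def header_chain(packet: bytes) -> list:
    """Follow Next Header values through the extension headers to the upper-layer protocol."""
    hdr = parse_ipv6_header(packet)
    chain, nh, offset = [hdr["next_header"]], hdr["next_header"], IPV6_HEADER_LEN
    end = IPV6_HEADER_LEN + hdr["payload_length"]
    while nh in EXTENSION_HEADERS:
        if offset + 8 > end:
            raise ValueError("truncated extension header")
        following = packet[offset]                       # every extension header starts with Next Header
        size = 8 if nh == 44 else (packet[offset + 1] + 1) * 8
        offset += size
        nh = following
        chain.append(nh)
    return chain


def forward_hop(packet: bytes):
    """Decrement Hop Limit as a router would; None means the packet must be discarded."""
    hop_limit = packet[7]
    if hop_limit <= 1:
        return None
    return packet[:7] + bytes([hop_limit - 1]) + packet[8:]


def demo_packet() -> bytes:
    """Constructed packet: Hop-by-Hop Options (Next Header 58, one PadN option) then an
    ICMPv6 Echo Request stub with a zero checksum."""
    hop_by_hop = bytes([58, 0, 1, 4, 0, 0, 0, 0])
    icmpv6 = bytes([128, 0, 0, 0, 0, 1, 0, 1])
    payload = hop_by_hop + icmpv6
    return build_ipv6_header("2001:db8::1", "2001:db8::2", len(payload), next_header=0,
                             hop_limit=64, flow_label=0xABCDE) + payload


if __name__ == "__main__":
    pkt = demo_packet()
    print(parse_ipv6_header(pkt))
    print("Next Header chain:", header_chain(pkt))
```

A filter that inspects only the fixed header's Next Header value would see 0 (Hop-by-Hop) rather than 58 (ICMPv6) for this packet; following the chain, and bounding it by Payload Length, is what lets a parser find the transport protocol without reading past the datagram.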

IPv6 Multicast
It is important to realize that IPv6 multicast is based on the same basic principles as IPv4 multicast. One big difference, however, is that IPv6 relies on multicast for many more functions. For example, neighbor discovery, node autoconfiguration, and Mobile IPv6 all rely heavily on IPv6 multicast for their operations. Also realize that Internet Group Management Protocol (IGMP) is dropped in IPv6 multicast. Multicast Listener Discovery (MLD) now replaces IGMP. You should immediately recognize a multicast address in IPv6. The address starts with FF, as shown in Figure 10-2.

FIGURE 10-2 IPv6 multicast addresses (FF = 11111111, followed by Flags, Scope, and Group ID)

Also note that the scope portion of the IPv6 multicast address controls how far the multicast traffic can flow through the network. Figure 10-3 provides some examples.

FIGURE 10-3 IPv6 multicast addresses—scope (11111111, Flags, Scope, Group ID)
Examples: 2 – link local scope; 5 – site local; E – global scope; FF05::2 – all routers in the site local scope

IPv6 neighbor discovery
IPv6 neighbor discovery allows for the following functions:
■ Determine the link-layer address of a device on the same local link—note this is similar to the function of ARP in IPv4
■ Find neighbor routers
■ Track neighbor routers

The IPv6 neighbor discovery process uses the solicited-node multicast address. Any node must join the multicast group corresponding to each of its unicast and anycast addresses. The solicited-node address is composed of the FF02:0:0:0:0:1:FF00::/104 prefix concatenated with the rightmost 24 bits of the corresponding unicast or anycast address. The solicited-node addresses are used for neighbor solicitation messages. The source node takes the rightmost 24 bits of the IPv6 address of the destination node and sends a neighbor solicitation message to the multicast group on the link-local address. The corresponding node responds with its link-layer address.
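The address scopes listed earlier (FE80::/10, FEC0::/10, global), the multicast flags/scope nibbles of Figures 10-2 and 10-3, and the solicited-node derivation in the neighbor discovery text are all bit-field tests on the 128-bit value. The Python below, an added example by this editor and not code from the book, classifies an address and computes its solicited-node group. It uses the standard library's ipaddress module for parsing; the scope names beyond the three in Figure 10-3 (interface-local, admin-local, organization-local) are taken from the IPv6 addressing architecture, and treating 2000::/3 as the global aggregatable range is this editor's simplification. Anycast addresses are syntactically unicast, so the classifier cannot tell them apart, which is exactly what the Address types list implies.

```python
import ipaddress

MULTICAST_SCOPES = {0x1: "interface-local", 0x2: "link-local", 0x4: "admin-local",
                    0x5: "site-local", 0x8: "organization-local", 0xE: "global"}
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
SITE_LOCAL = ipaddress.IPv6Network("fec0::/10")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")      # editor's simplification
SOLICITED_NODE_PREFIX = ipaddress.IPv6Network("ff02::1:ff00:0/104")


def classify(text: str) -> dict:
    """Return the address type and scope as the Address scopes and Figure 10-3 define them."""
    addr = ipaddress.IPv6Address(text)
    value = int(addr)
    if value >> 120 == 0xFF:                 # first octet 11111111: multicast
        flags = (value >> 116) & 0xF         # next nibble: Flags
        scope = (value >> 112) & 0xF         # next nibble: Scope
        return {"type": "multicast", "flags": flags,
                "scope": MULTICAST_SCOPES.get(scope, f"unassigned ({scope:X})"),
                "solicited_node": addr in SOLICITED_NODE_PREFIX}
    if addr in LINK_LOCAL:
        return {"type": "unicast", "scope": "link-local"}
    if addr in SITE_LOCAL:
        return {"type": "unicast", "scope": "site-local (deprecated)"}
    if addr in GLOBAL_UNICAST:
        return {"type": "unicast", "scope": "global aggregatable"}
    return {"type": "unicast", "scope": "other"}


def solicited_node(text: str) -> str:
    """FF02:0:0:0:0:1:FF00::/104 concatenated with the rightmost 24 bits of the address."""
    value = int(ipaddress.IPv6Address(text))
    low24 = value & 0xFFFFFF
    return str(ipaddress.IPv6Address(int(SOLICITED_NODE_PREFIX.network_address) | low24))


def groups_a_node_must_join(unicast_addresses) -> set:
    """Every node joins the solicited-node group of each of its unicast/anycast addresses."""
    return {solicited_node(a) for a in unicast_addresses}


if __name__ == "__main__":
    for sample in ("FF05::2", "FE80::1", "FEC0::1", "2031:0:130F::9C0:876A:130B"):
        print(sample, classify(sample))
    print("solicited-node of 2001:db8::1234:5678:9abc ->", solicited_node("2001:db8::1234:5678:9abc"))
```

Because only the low 24 bits feed the solicited-node group, two interfaces whose addresses differ only in the upper bits (a link-local and a global address with the same interface identifier, for instance) share one group, which is why groups_a_node_must_join returns a set.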


Deployment strategies
Three primary mechanisms help with the transition from IPv4 to IPv6:
■ Dual stack—Both the IPv4 and the IPv6 stacks run on a system; this system can communicate with both IPv6 and IPv4 devices.
■ Tunneling—IPv6 packets are encapsulated to traverse IPv4 networks and vice versa.
■ Translation—This mechanism translates one protocol to the other to facilitate communication between the two networks.

Open Shortest Path First Version 3
Open Shortest Path First Version 3 (OSPFv3) has more similarities to the previous version of the routing protocol than it does differences. You should leverage your existing knowledge of OSPFv2 while you study this protocol. Here are just some of the similarities between the two protocols:
■ Both versions recognize the same network types—and both treat these network types in a similar manner.
■ The link-state advertisement (LSA) flooding and aging mechanisms, and the timers, are identical in the two protocols.
■ The two are so similar in nature that they can run concurrently in the network without problems.
■ OSPFv3 uses the same basic packet types as the previous version; for example, a Database Description Packet is still used to check for database synchronization.
■ The neighbor discovery process and the adjacency formation process between two OSPFv3 speakers are identical to those of the previous version.

Although there are many similarities, some differences do exist. Note, for instance, the following:
■ Link-local addresses are used for the formation of adjacencies.
■ Multiple IPv6 subnets can be assigned to a single link; OSPFv3 is per interface, not per network.
■ Two nodes can communicate over a link even if they do not share a common subnet.

Here is a sample OSPFv3 configuration. This configuration is based on Figure 10-4.

FIGURE 10-4 OSPFv3 sample configuration (OSPFv3 for IPv6: R1 S1/0 12::12:1/64 to R2 S1/0 12::12:2/64 in area 0; R1 S1/1 13::13:1/64 to R3 S1/0 13::13:3/64 in area 13; R2 S1/1 24::24:2/64 to R4 S1/0 24::24:4/64 in area 24)

R1
R1(config)# ipv6 unicast-routing
R1(config)# ipv6 router ospf 1
R1(config-router)# router-id 0.0.0.1
R1(config-router)# interface serial 1/0
R1(config-if)# ipv6 ospf 1 area 0
R1(config-if)# interface serial 1/1
R1(config-if)# ipv6 ospf 1 area 13

R2
R2(config)# ipv6 unicast-routing
R2(config)# ipv6 router ospf 1
R2(config-router)# router-id 0.0.0.2
R2(config-router)# interface serial 1/0
R2(config-if)# ipv6 ospf 1 area 0
R2(config-if)# interface serial 1/1
R2(config-if)# ipv6 ospf 1 area 24

R3
R3(config)# ipv6 unicast-routing
R3(config)# ipv6 router ospf 1
R3(config-router)# router-id 0.0.0.3
R3(config-router)# interface serial 1/0
R3(config-if)# ipv6 ospf 1 area 13

R4
R4(config)# ipv6 unicast-routing
R4(config)# ipv6 router ospf 1
R4(config-router)# router-id 0.0.0.4
R4(config-router)# interface serial 1/0
R4(config-if)# ipv6 ospf 1 area 24

Enhanced Interior Gateway Routing Protocol Version 6
Like OSPFv3, EIGRPv6 can coexist with the previous version of the protocol. Also, EIGRPv6 is configured using interface configuration commands rather than the network command. Once again, link-local addressing is used for adjacencies. Like OSPFv3, a router ID value is required. This value is automatically taken from an interface with an IPv4 address. If there is no such interface, you must provide the router ID. Also, note that the routing process has a shutdown feature and defaults to the shutdown state. Finally, it is worth noting that there is no longer any auto-summarization behavior, as in the previous version of the protocol. The following configuration is based on Figure 10-5.

FIGURE 10-5 Sample EIGRPv6 configuration (IPv6 EIGRP 100: R1 and R2 joined by serial links S0/0/0 and S0/0/1 on 12::/64; R1 FA0/0 to R3 FA0/0 on 13::/64; R2 FA0/0 to R4 FA0/0 on 24::/64; R3 loopbacks 3:1::3/64, 3:2::3/64, 3:3::3/64)

R1
R1(config)# ipv6 unicast-routing
R1(config)# ipv6 router eigrp 100
R1(config-router)# router-id 0.0.0.1
R1(config-router)# no shutdown
R1(config-router)# interface serial 0/0/1
R1(config-if)# ipv6 eigrp 100
R1(config-if)# interface fastethernet 0/0
R1(config-if)# ipv6 eigrp 100

R2
R2(config)# ipv6 unicast-routing
R2(config)# ipv6 router eigrp 100
R2(config-router)# router-id 0.0.0.2
R2(config-router)# no shutdown
R2(config-router)# interface serial 0/0/1
R2(config-if)# ipv6 eigrp 100
R2(config-if)# interface fastethernet 0/0
R2(config-if)# ipv6 eigrp 100

R3
R3(config)# ipv6 unicast-routing
R3(config)# ipv6 router eigrp 100
R3(config-router)# router-id 0.0.0.3
R3(config-router)# no shutdown
R3(config-router)# interface fastethernet 0/0
R3(config-if)# ipv6 eigrp 100
R3(config-if)# interface loopback 301
R3(config-if)# ipv6 eigrp 100
R3(config-if)# interface loopback 302
R3(config-if)# ipv6 eigrp 100
R3(config-if)# interface loopback 303
R3(config-if)# ipv6 eigrp 100

R4
R4(config)# ipv6 unicast-routing
R4(config)# ipv6 router eigrp 100
R4(config-router)# router-id 0.0.0.4
R4(config-router)# no shutdown
R4(config-router)# interface fastethernet 0/0
R4(config-if)# ipv6 eigrp 100