Internetwork
Routing
(ver5)
Arranged by:
Eng. AHMED NABIL
2012-2013
Ahmed Nabil
Cisco IP Routing (ROUTE course / SP Route), legacy BSCI course
Arranged by: Eng. Ahmed Nabil
2012-2013
Course contents
1- Routing principles
2- Routed protocols advanced features
3- OSPF in single area
4- OSPF in multiple areas
5- Manipulating Multiple Routing protocols
(Redistribution)
6- Routing updates filters and Route Maps
7- Policy Based Routing (PBR)
8- Border Gateway Protocol (BGP)
9- IS-IS and Integrated IS-IS
10- EIGRP
11-Branch offices and Mobile users secure Routing
12-IPv6 and OSPF ver3
References
1- Cisco Press Self Study Guide
2- Cisco Student Guide
3- Sybex Book
4- Cisco Academy Curriculum
5- Cram Master Book
6- TestKing Exam Guide
7- Pass4Sure Exam Guide
8- CiscoPedia Guide
9-Cisco Labs
10- CCIE Professional Development routing guide
Index
Module 0:
Cisco Certificates ........ page 6
Network Design models ........ page 13
Module 1:
Routing protocols Principles ........ page 23
Routed protocols features ........ page 47
Module 2:
OSPF in Single Area ........ page 54
OSPF in Multiple Areas ........ page 81
Module 3:
Redistributing different routing protocols ........ page 100
Module 4:
Controlling routing updates (route filters) ........ page 112
Policy Based Routing (PBR) - Policy Maps ........ page 128
Module 5:
IS-IS and Integrated IS-IS ........ page 134
Module 6:
EIGRP (Enhanced IGRP) ........ page 161
Module 8:
BGP (Border Gateway Protocol) ........ page 199
Module 9:
Branch office routing ........ page 242
Module 10:
IPv6 Basics ........ page 276
IPv6 routing features ........ page 304
IPv4 to IPv6 transition (Tunneling) ........ page 330
Figure: Service Provider track courses: SP Route, SP Advanced Route, SP Edge, SP Core.
Cisco Different Certifications Fields
Figure: certification tracks: CCNA and CCNA SP, CCDA, CCIE Routing and Switching, CCIE Service Provider, CCDE.
Cisco Qualified Specialist
642-902 ROUTE
Implementing Cisco IP Routing
Course Objectives
Upon completing this course, the student will be able to meet
these overall objectives:
• Plan and document the configuration and verification of routing protocols and their optimization in enterprise networks.
• Identify the technologies, components, and metrics of EIGRP used to implement and verify EIGRP routing in diverse, large-scale internetworks based on requirements.
• Identify, analyze, and match OSPF multiarea routing functions and benefits for routing efficiencies in network operations in order to implement and verify OSPF routing in a complex enterprise network.
• Implement and verify a redistribution solution in a multiprotocol network that uses Cisco IOS features to control path selection and provides a loop-free topology according to a given network design and requirements.
• Evaluate common network performance issues and identify the tools needed to provide Layer 3 path control that uses Cisco IOS features to control the path.
• Implement and verify a Layer 3 solution using BGP to connect an enterprise network to a service provider.
• Module 0: Course Overview
642-901 BSCI (retired)
• Building Scalable Cisco Internetworks
• Exam Number: 642-901
• Associated Certifications: CCNP, CCIP, CCDP,
recommended for CCNP Voice & CCNP Security
• Exam Topics
Implement EIGRP operations.
- Explain the functions and operations of EIGRP (e.g., DUAL).
- Configure EIGRP routing (e.g., Stub Routing, authentication, etc.).
- Verify or troubleshoot EIGRP routing configurations.
Implement multiarea OSPF operations.
- Explain the functions and operations of multiarea OSPF.
- Configure multiarea OSPF routing (e.g., Stub, NSSA, authentication, etc.).
- Verify or troubleshoot multiarea OSPF routing configurations.
Describe integrated IS-IS.
- Describe the features and benefits of integrated IS-IS.
- Configure and verify integrated IS-IS.
Implement Cisco IOS routing features.
- Describe, configure or verify route redistribution between IP routing IGPs (e.g., route-maps, default routes, etc.).
- Describe, configure or verify route filtering (i.e., distribute-lists and passive interfaces).
- Describe and configure DHCP services (e.g., Server, Client, IP helper address, etc.).
Implement BGP for enterprise ISP connectivity.
- Describe the functions and operations of BGP.
- Configure or verify BGP operation in a non-transit AS (e.g., authentication).
- Configure BGP path selection (i.e., Local Preference, AS Path, Weight or MED attributes).
Implement multicast forwarding.
- Describe IP Multicast (e.g., Layer-3 to Layer-2 mapping, IGMP, etc.).
- Describe, configure, or verify IP multicast routing (i.e., PIM Sparse-Dense Mode).
Implement IPv6.
- Describe IPv6 addressing operations.
- Describe, configure or verify OSPF routing with IPv6 addressing.
Network Design Models
IIN and Cisco SONA Framework
The Cisco vision of the future IIN (Intelligent Information Network)
encompasses these features:
1- Integration of networked resources and information assets that
have been largely unlinked:
The modern converged networks with integrated voice, video, and
data require that Information Technology (IT) departments more
closely link the IT infrastructure with the network.
2-Intelligence across multiple products and infrastructure layers:
The intelligence built into each component of the network is extended
network-wide and applies end-to-end.
3-Active participation of the network in the delivery of services and
applications:
With added intelligence, the IIN makes it possible for the network to
actively manage, monitor, and optimize service and application
delivery across the entire IT environment.
With the listed features, the IIN offers much more than basic
connectivity, bandwidth for users, and access to applications. The IIN
offers end-to-end functionality and centralized, unified control that
promotes true business transparency and agility.
The IIN technology vision offers an evolutionary approach that
consists of three phases in which functionality can be added to the
infrastructure as required:
1-Integrated transport: Everything—data, voice, and video—
consolidates onto an IP network for secure network convergence. By
integrating data, voice, and video transport into a single, standards-
based, modular network, organizations can simplify network
management and generate enterprise-wide efficiencies.
2-Integrated services: After the network infrastructure has been converged, IT resources can be pooled and shared or "virtualized" to flexibly address the changing needs of the organization. Integrated services help to unify common elements, such as storage and data center server capacity. By extending virtualization capabilities to encompass server, storage, and network elements, an organization can transparently use all its resources more efficiently.
3-Integrated applications: With Application-Oriented Networking (AON) technology, Cisco has entered the third phase of building the IIN. This phase focuses on making the network "application-aware" so it can optimize application performance and more efficiently deliver networked applications to users, in addition to capabilities such as content caching, load balancing, and application-level security.
Cisco SONA Framework
• With its vision of the IIN, Cisco is helping organizations to
address new IT challenges, such as the deployment of
service-oriented architectures, Web services, and
virtualization.
Figure: the three SONA layers: Applications Layer, Interactive Services Layer, Network Infrastructure Layer.
The Cisco SONA framework shows how integrated systems can both allow
a dynamic, flexible architecture, and provide for operational efficiency
through standardization and virtualization.
It brings forth the notion that the network is the common element that
connects and enables all components of the IT infrastructure. Cisco SONA
outlines these three layers of the IIN:
1- Network infrastructure layer:
This layer is where all the IT resources are interconnected across a
converged network foundation. The IT resources include servers, storage,
and clients. The network infrastructure layer represents how these resources
exist in different places in the network, including the campus, branch, data
center, WAN and Metropolitan Area Network (MAN), and teleworker. The
objective for customers in this layer is to have anywhere and anytime
connectivity.
2- Interactive services layer: This layer enables efficient allocation of
resources to applications and business processes that are delivered through
the networked infrastructure.
This layer comprises these services:
— Voice and collaboration services
— Mobility services
— Security and identity services
— Storage services
— Computer services
— Application networking services
— Network infrastructure virtualization
— Services management
— Adaptive management services
3- Application layer:
This layer includes business applications and collaboration applications.
The objective for customers in this layer is to meet business requirements
and achieve efficiencies by leveraging the interactive services layer.
Cisco Network Models
Cisco provides the enterprise-wide systems architecture that helps companies to protect, optimize, and grow the infrastructure that supports business processes. The architecture provides integration of the entire network (campus, data center, WAN, branches, and teleworkers), offering staff secure access to the tools, processes, and services.
Cisco provides solution for the following enterprise
networks:
a) Cisco Enterprise Campus Architecture
b) Cisco Enterprise Data Center Architecture
c) Cisco Enterprise Branch Architecture
d) Cisco Enterprise Teleworker Architecture
e) Cisco Enterprise WAN Architecture
Enterprise networks differ in their network infrastructure needs, such as:
1- Advanced Intranet Switching
2- Advanced Network Routing
3- IP Multicasting
4- Load-Balancing
5- Redundancy & high availability
6- Security
7- QOS
8- IP Telephony
9- WAN Access
10- VPN Access
11-MPLS VPNs
12-Network Management
Hierarchical Network Design
1-Access Layer:
• It is present where the end users are connected to the network
• L3 basic Routing
• High port density
• L3 services such as basic traffic filtering, basic QOS, Security (Access Lists), VLANS, DHCP & NAT.
2-Distribution Layer:
• Provides interconnection between the campus network access & core layers
• High L3 throughput
• Security & policy based connectivity
• QOS
• Scalability, redundant & resilient high speed links
3-Core Layer:
• Provides connectivity to all distribution layer devices; it is referred to as the backbone
• Very high throughput at L2 or L3
• No packet manipulation (no access lists, no packet filtering)
• Redundancy & resiliency
• Advanced QOS functions
Modular Network Design
(Enterprise Composite Network Model)
ECNM
• ECNM contains:
1-Enterprise Campus (Access-Distribution-Core)
2-Enterprise edge
3-Service provider edge
• Scalable network design:
1- Access Layer:
- Entry point for users into the network.
- Security , VLANS , Access lists, DHCP & NAT.
2- Distribution Layer:
- Consolidation point for traffic and location for
corporate resources.
- Provide services for access layer hosts & packet
manipulation.
3- Core Layer:
- Quick and efficient transit between divisions.
- Provide redundancy.
Routing Protocols
• Protocol:
It is a set of rules that define how something works.
• Routing protocol:
- It is a set of rules that define how routing works.
- It is the exchange of information between routers so that every router has an overview of the existence or disappearance of networks.
- Its final target is to build a routing table for the routers.
• Routed protocol:
- It is responsible for end to end data delivery using:
1- Logical addressing.
2- Encapsulating data from end to end (end to end delivery).
• Router Functions:
1- Routing
It is the ability to choose the proper direction (best path or best interface) to transfer data to far destination networks, through understanding the logical topology of the network defined by the routing protocol (aids end to end data delivery / Network layer process).
2- Switching
It is the ability to transfer data across the router from the input interface to the output interface chosen by the routing process, in a proper format (aids hop to hop data delivery / Data Link layer process).
4- Security
A Cisco router can act as a firewall, VPN server, VPN client, IPS/IDS (Intrusion Prevention System / Intrusion Detection System) or NAC (Network Admission Controller).
• Router process:
3- The router will remove the frame header and trailer (switching function).
4- The router will deliver the packet to the routing process to find the best path for the packet to reach the destination by checking the routing table.
5- The routing process will find the best path and deliver the packet to the switching function again.
6- The switching process will create a new frame header and trailer (will make the encapsulation) for the packet based on the encapsulation defined on the output interface (whether it is Ethernet, Frame Relay, ATM, PPP, ...).
• Routing procedure:
1- Does the protocol stack exist?
That point depends on the IOS supported features (whether the desktop feature set, the enterprise set or the service provider set is used):
- Does the routed protocol software exist on the IOS or not (i.e. does IPX exist, if you need to route IPX packets; IPv6, ...)?
- Does the routing protocol software exist on the IOS or not (i.e. does IS-IS exist, does BGP exist, ...)?
Routing protocol (RP) types: Static RP, Dynamic RP
Static Routing
• Characteristics:
1- If only one path to the destination is available, you can use static routing.
2- No routing traffic overhead.
3- Could be used on slow WAN links.
4- High administration overhead.
Default Static Route:
Used to define the path to the internetwork's default gateway of last resort
(config)# ip route 0.0.0.0 0.0.0.0 {o/p interface | ip address of next hop}
Default Network:
Default Gateway of last resort
Dynamic RP
Characteristics:
1- Used if multiple paths to the network exist and an automatic way is needed for detecting the best path or transitioning to another path in case the primary fails.
2- Part of the bandwidth is used for sending routing updates that help in the discovery of the best routes.
3- It has no administrative overhead.
IGP / EGP
1- IGP (Interior Gateway Protocol)
• Protocol that works within a single AS.
• AS (Autonomous System) is the domain under a single technical administration, or in other words that works under a single routing policy.
Ex: RIP, OSPF, IS-IS, IGRP, EIGRP.
2- EGP (Exterior Gateway Protocol)
• Protocol that works between different ASs.
Ex: EGP, BGP.
Distance Vector / Link State / Hybrid
Distance Vector:
Ex: RIP and IGRP
At start up:
1- Each router collects its directly connected networks.
2- Each router will add these networks to its routing table.
3- Each router will send its full routing table out of all its active interfaces on the broadcast address 255.255.255.255 every certain period (30 sec for RIP, 90 sec for IGRP).
4- Routers receiving updates will use the Bellman-Ford algorithm to calculate table updates.
After convergence:
- Only periodic updates are sent every period to indicate any changes.
At change:
- A triggered update with the full routing table is sent.
- Advantages:
1- Simple implementation and configuration
2- Needs low memory (only the routing table)
3- Needs low CPU (uses the Bellman-Ford algorithm)
- Disadvantages:
1- Slow convergence
2- Classful
3- High BW utilization during the convergence period
4- Susceptible to routing loops
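The four start-up steps and the "susceptible to routing loops" point above, as an added example that is not part of the slides: a small Python simulation of distance-vector routing on a constructed three-router chain A - B - C. One round stands for one periodic update interval (30 s for RIP); merge_update is the Bellman-Ford relaxation. After the tables converge, C's LAN is failed: without split horizon the hop count for that network climbs round after round until it reaches 16 (count to infinity), while with split horizon (a RIP loop-prevention feature not described on this slide, assumed here) the tables settle in three rounds.

```python
"""Distance-vector routing with Bellman-Ford, following the slide's four steps.
Added example; the three-router topology below is constructed."""

INFINITY = 16  # RIP convention: 16 hops means unreachable (15 is the maximum usable)

# Constructed topology: A -- B -- C, each router also has one LAN of its own.
LINKS = [("A", "B"), ("B", "C")]
CONNECTED = {
    "A": ["10.1.0.0/24", "10.1.1.0/24"],                # LAN A, link A-B
    "B": ["10.1.1.0/24", "10.1.2.0/24", "10.2.0.0/24"],  # link A-B, link B-C, LAN B
    "C": ["10.1.2.0/24", "10.3.0.0/24"],                # link B-C, LAN C
}


def neighbors_of(router, links=LINKS):
    """Routers directly connected to `router` (sorted for a deterministic order)."""
    return sorted(b if a == router else a for a, b in links if router in (a, b))


def initial_tables():
    """Steps 1-2: each router knows only its directly connected networks."""
    return {r: {net: (0, "connected") for net in nets} for r, nets in CONNECTED.items()}


def advertisement(table, to_neighbor, split_horizon):
    """Step 3: the full table is sent. With split horizon, routes learned from
    `to_neighbor` are left out of the update sent back to it."""
    return {net: metric for net, (metric, next_hop) in table.items()
            if not (split_horizon and next_hop == to_neighbor)}


def merge_update(table, neighbor, advertised):
    """Step 4: Bellman-Ford relaxation. Take the route if it is new, cheaper, or if
    the current next hop itself now reports a different (possibly worse) metric."""
    changed = False
    for net, metric in advertised.items():
        candidate = min(metric + 1, INFINITY)          # hop count grows by one per router
        current = table.get(net)
        if (current is None or candidate < current[0]
                or (current[1] == neighbor and candidate != current[0])):
            table[net] = (candidate, neighbor)
            changed = True
    return changed


def run_until_stable(tables, split_horizon=False, max_rounds=50):
    """One round = one periodic update interval. Returns the round in which no table
    changed any more (the convergence time in update periods)."""
    for round_no in range(1, max_rounds + 1):
        snapshot = {r: dict(t) for r, t in tables.items()}  # updates carry start-of-round tables
        changed = False
        for router in tables:
            for nb in neighbors_of(router):
                changed |= merge_update(tables[router], nb,
                                        advertisement(snapshot[nb], router, split_horizon))
        if not changed:
            return round_no
    return max_rounds


def fail_network(tables, router, net):
    """The LAN `net` on `router` goes down: its own entry becomes unreachable."""
    tables[router][net] = (INFINITY, "connected")


def converged_route(router, net):
    """Route `router` holds for `net` once the initial exchange has settled."""
    tables = initial_tables()
    run_until_stable(tables)
    return tables[router][net]


def demo(split_horizon):
    """Converge, fail C's LAN, then count the rounds until the tables settle again.
    Returns (initial rounds, rounds after failure, final metric for the failed LAN)."""
    tables = initial_tables()
    rounds_initial = run_until_stable(tables)
    fail_network(tables, "C", "10.3.0.0/24")
    rounds_after_failure = run_until_stable(tables, split_horizon=split_horizon)
    metrics = {r: tables[r]["10.3.0.0/24"][0] for r in tables}
    return rounds_initial, rounds_after_failure, metrics


if __name__ == "__main__":
    for sh in (False, True):
        print("split horizon" if sh else "no split horizon", demo(sh))
```

Every table ends with the failed network at metric 16 either way; the difference is how many update periods of bad forwarding (and update bandwidth) it takes to get there, which is the slow-convergence and routing-loop weakness listed above.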
Link State:
After convergence:
- Periodic updates after a long period (LSA refreshment).
At change:
1- The router that detects the change will send a partial triggered update.
2- Each router will take a copy of the update then send it to its neighbors, then each router rebuilds the tree again.
Advantages:
1- Fast convergence
2- Classless
3- Low BW utilization during the convergence period (no periodic updates)
4- No routing loops
5- Reliable protocol
Disadvantages:
1- Complex implementation and configuration
2- Needs high memory (routing table, neighbor table & topology database)
3- Needs high CPU (uses the Dijkstra "SPF" algorithm)
Classful / Classless
• Classful routing protocol:
- A protocol that doesn't send a subnet mask in its update (i.e. RIP, IGRP).
- But the subnet mask must exist in the routing table, so the router that receives an update without a mask must have some rules to estimate the mask:
Rule 1:
- If the advertising interface is in a different major network than the update's major network (discontiguous boundary), the sending router will auto summarize the update (instead of advertising specific subnet(s), it will advertise the major network).
Rule 2:
- If the receiving interface is in the same major network as the update's major network, the receiving interface's subnet mask will be applied to the update.
Rule 3:
- If the update has a different major network than the receiving interface, the update will take the default (classful) subnet mask.
Restriction 1:
- VLSM can never be supported (only FLSM (Fixed Length Subnet Mask)).
Restriction 2:
- Discontiguous network designs are prohibited (all contiguous networks must be on one side of the network).
• Classful RP characteristics:
A classful RP does not send the subnet mask in its updates.
1- Cannot support VLSM.
2- Discontiguous networks will cause routing problems.
3- Auto summarization is made on the discontiguous network boundary and can never be stopped.
Ex: RIPv1 & IGRP
• Classless RP characteristics:
A classless RP sends the subnet mask in its updates.
1- Supports VLSM.
2- Supports discontiguous networks (auto summarization can be stopped).
3- Supports manual summarization and CIDR.
Ex: RIPv2, EIGRP, OSPF, IS-IS & BGP
• Classful thinking:
- If a major network exists in the RTG table, then for sure all its subnets must also exist in the RTG table.
• Classless thinking:
- If a major network exists in the RTG table, it may be that not all its subnets exist in the RTG table.
Classful searching example
Router# show ip route
<output omitted>
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
10.0.0.0/24 is subnetted, 3 subnets,
R 10.1.1.0/24 [120/1] via 10.1.2.2, 00:00:05, Ethernet0
C 10.1.2.0/24 is directly connected, Ethernet0
R 10.1.3.0/24 [120/2] via 10.1.2.2, 00:00:05, Ethernet0
R 192.168.24.0/24 [120/2] via 10.1.2.2, 00:00:16, Ethernet0
R 172.16.0.0/16 [120/3] via 10.1.2.2, 00:00:16, Ethernet0
S* 0.0.0.0/0 [120/3] via 10.1.2.2, 00:00:05, Ethernet0
Where will the router having the above routing table send traffic bound for the following destinations, if the ip classless command is not enabled?
Classful searching in the routing table (flowchart):
An incoming IP packet is checked against the RTG table. If the destination's major network does not exist in the table: forward the packet using the default route if one exists, otherwise drop it. If the major network exists: forward the packet only if a matching subnet exists, otherwise drop the packet (the default route is not used).
Classless searching in the routing table
(config)# ip classless
That command, which is enabled by default, will enable classless searching.
Flowchart: an incoming IP packet is checked against the RTG table. If a matching subnet exists, forward the packet. If the major network does not exist or no subnet matches, forward the packet using the default route if one exists, otherwise drop the packet.
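The two flowcharts above as an added example that is not part of the slides: a Python lookup over the routing table transcribed from the slide's show ip route output, run once with and once without ip classless, so the question on the previous slide can be answered for a few constructed destinations. Next hops and interface names come from the slide; the destination addresses are assumptions.

```python
"""Classful versus classless route lookup over the routing table on the slide.
Added example; ROUTES is transcribed from the slide's 'show ip route' output and
the destinations in __main__ are constructed."""
import ipaddress

# (code, prefix, next hop or output interface)
ROUTES = [
    ("R", "10.1.1.0/24", "10.1.2.2"),
    ("C", "10.1.2.0/24", "Ethernet0"),
    ("R", "10.1.3.0/24", "10.1.2.2"),
    ("R", "192.168.24.0/24", "10.1.2.2"),
    ("R", "172.16.0.0/16", "10.1.2.2"),
    ("S*", "0.0.0.0/0", "10.1.2.2"),      # gateway of last resort
]


def major_network(addr):
    """Classful (A/B/C) major network an address belongs to."""
    first_octet = int(addr) >> 24
    prefixlen = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)


def longest_match(dst, routes):
    """Longest-prefix match: the most specific entry containing dst, or None."""
    best = None
    for code, prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (code, net, next_hop)
    return best


def lookup(dst, routes=ROUTES, ip_classless=True):
    """Return the next hop / output interface for dst, or "drop".
    With 'no ip classless' the default route is used only when the table knows
    nothing about the destination's major network; if any subnet of that major
    network is present, a destination in an unlisted subnet is dropped."""
    dst = ipaddress.ip_address(dst)
    best = longest_match(dst, routes)
    if best is None:
        return "drop"
    code, net, next_hop = best
    if net.prefixlen == 0 and not ip_classless:       # only the default route matched
        major = major_network(dst)
        knows_major = any(ipaddress.ip_network(p).subnet_of(major)
                          for _, p, _ in routes if p != "0.0.0.0/0")
        if knows_major:
            return "drop"
    return next_hop


if __name__ == "__main__":
    for dst in ("10.1.3.7", "10.1.4.1", "192.168.25.1", "172.16.5.1"):  # constructed
        print(f"{dst:14} classful: {lookup(dst, ip_classless=False):10} "
              f"classless: {lookup(dst, ip_classless=True)}")
```

The interesting case is 10.1.4.1: the table holds three subnets of 10.0.0.0/8 but not 10.1.4.0/24, so classful searching drops the packet while classless searching sends it to the gateway of last resort.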
Major differences between protocols
• RIP: (Routing Information Protocol)
(config)# router rip
(config-router)# version {1 | 2}
• Configuration:
(config)# router rip
(config-router)# network <directly connected network>
• The network command activates the interfaces to:
1) send updates
2) receive updates
3) advertise routing entries learned on that interface
Comparing RIPv1 & RIPv2
RIP v.1:
- Classful
- Broadcast updates (255.255.255.255)
- Metric = hop count (max. = 15)
- Admin. Dist. = 120
- Periodic updates with full routing table every 30 sec.
- Triggered full routing table at changes
- No authentication.
- Symbol in routing table "R"
- An update cannot contain more than 25 entries, so if more than 25 exist, more than one packet is advertised every period.
RIP v.2:
- Classless
- Multicast updates (224.0.0.9)
- Metric = hop count (max. = 15)
- Admin. Dist. = 120
- Periodic updates with full routing table every 30 sec.
- Triggered partial updates (affected part only) at changes
- Supports authentication (clear text or MD5).
- Symbol in routing table "R"
Auto and Manual Summarization:
Protocol   Auto summarization   Can be disabled   Manual summarization
RIP v.1    YES                  NO                NO
IGRP       YES                  NO                NO
OSPF       NO                   -----             YES
IS-IS      NO                   -----             YES
RIP v.2    YES                  YES               YES
EIGRP      YES                  YES               YES
Routed Protocol Features
Routed Protocols Features
• IP v.4:
- It is a 32 bit address assigned by IANA.
- Current challenges for IP addressing:
A) IP address exhaustion (shortage).
B) Routing table growth and manageability.
a) Static NAT
- Fixed one local to one global address translation; that type is mainly used with servers.
b) Dynamic NAT
- Each local address can be translated to one global address picked by the NAT device from a NAT pool of addresses.
c) Dynamic NAT with Overload (PAT)
- Many local devices can use one global address, by translating port numbers.
- If you have many global addresses, you need a NAT pool.
3- Using subnetting:
- Divide the major network into subnets.
4- Using VLSM:
- Further subnetting for the subnets of the same major network
Ex: 192.168.1.0/24
Example on VLSM (figure)
Solution:
192.168.49.160/30
192.168.49.164/30
192.168.49.168/30
192.168.49.172/30
192.168.49.176/30
5- IP unnumbered:
Any layer 3 interface needs an IP address to be active (live and kicking in the IP world).
But in some cases we may need to activate an interface without wasting IPs; in that case IP unnumbered is the solution, where you can deceive the interface by giving it a null IP.
On the router:
(config)# int s0/0
(config-if)# ip unnumbered <int. name>
- This is the only case where the two routers see each other while the two serial interfaces are not in the same subnet.
6- Route summarization:
- It is grouping a set of subnets and advertising them as one summary address.
Ex1: Summarize the networks from 172.16.12.0/24 till 172.16.15.0/24
(figure) These networks must be advertised as 3 entries
7- CIDR:
- Classless Inter Domain Routing (supernetting).
- It is grouping a set of major networks and advertising them as one super network (CIDR block).
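The VLSM example and the summarization/CIDR slides above, worked with the Python standard library as an added example that is not part of the slides. allocate_vlsm carves a block into one subnet per requirement (the five point-to-point links that reproduce the VLSM solution above, and a constructed mixed LAN/link case); summarize finds the single summary address for Ex1 and for a CIDR block of major networks, and also reports whether the summary is exact, since an inexact summary advertises address space the router has no route to. The block and requirement lists are assumptions.

```python
"""VLSM allocation and route summarization (CIDR) with ipaddress.
Added example covering the VLSM exercise and the summarization/CIDR slides;
the requirement lists are constructed."""
import ipaddress


def smallest_prefix_for(hosts):
    """Longest prefix whose usable host count (2^h - 2) still covers `hosts`."""
    prefixlen = 32
    while (1 << (32 - prefixlen)) - 2 < hosts:
        prefixlen -= 1
    return prefixlen


def allocate_vlsm(block, requirements):
    """Carve `block` into one subnet per (name, hosts) requirement, largest first
    so that big subnets stay aligned. Returns [(name, "a.b.c.d/p"), ...]."""
    free = [ipaddress.ip_network(block)]
    allocated = []
    for name, hosts in sorted(requirements, key=lambda r: -r[1]):
        prefixlen = smallest_prefix_for(hosts)
        for i, chunk in enumerate(free):
            if chunk.prefixlen <= prefixlen:                          # chunk is big enough
                subnet = next(chunk.subnets(new_prefix=prefixlen))    # take its first slice
                free[i:i + 1] = list(chunk.address_exclude(subnet))   # keep the remainder
                free.sort(key=lambda n: int(n.network_address))
                allocated.append((name, str(subnet)))
                break
        else:
            raise ValueError(f"no space left in {block} for {name} ({hosts} hosts)")
    return allocated


def summarize(prefixes):
    """Smallest single prefix covering every network in `prefixes` (Ex1 above), and
    whether it covers exactly those networks and nothing else."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    lowest = min(n.network_address for n in nets)
    highest = max(n.broadcast_address for n in nets)
    for prefixlen in range(32, -1, -1):            # shorten the mask until the range fits
        summary = ipaddress.ip_network(f"{lowest}/{prefixlen}", strict=False)
        if highest in summary:
            break
    covered = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return str(summary), covered == summary.num_addresses


if __name__ == "__main__":
    # The slide's solution: five point-to-point links out of 192.168.49.160/27 (assumed block)
    links = [(f"link{i}", 2) for i in range(1, 6)]
    for name, subnet in allocate_vlsm("192.168.49.160/27", links):
        print(name, subnet)
    print(summarize(["172.16.12.0/24", "172.16.13.0/24", "172.16.14.0/24", "172.16.15.0/24"]))
    print(summarize(["172.16.12.0/24", "172.16.14.0/24"]))   # a hole: summary is not exact
```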
OSPF in single area
Overview
OSPF characteristics
• OSPF tables:
1- Neighbor table (adjacency table)
- List of all neighbors (a neighbor is directly connected & understands the same protocol)
#show ip ospf neighbor
2- Topology table (Link State Database - LSDB)
- Contains all routers and their attached links in the area or network, or in other words all routes to all destination networks.
- All routers within an area have an identical copy of it.
#show ip ospf database
3- Routing table (forwarding database)
- Best routes to all destination networks.
#show ip route [ospf]
• OSPF topologies:
1- BMA (Broadcast Multiple Access)
Ex: Ethernet & Token ring links
2- Point to point
A network that joins a single pair of routers.
Ex: Interfaces running PPP or HDLC or point to point
sub interfaces ATM & Frame Relay
1- Hello packet:
- Used for neighbor discovery and maintenance of the neighbor relationship.
- Sent periodically on multicast address 224.0.0.5 (all OSPF routers) every 10 sec. on BMA topology, point to point links and NBMA point to point links, & every 30 sec. on NBMA multipoint topology.
• Operation of OSPF in BMA:
1- Neighbor discovery (hello protocol) - forming adjacency:
1.1- Down state:
- No communication yet.
• Hello packet (fields):
Version | Type | Packet length
RID
Area ID
Checksum | Authentication type
Password
Password
Hello interval | Options (area type) | Router priority
Router dead interval
DR ID
BDR ID
Neighbor 1
...
Neighbor n
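The hello packet laid out above, built and parsed in Python as an added example that is not part of the slides. The field order follows the OSPFv2 header and hello body of RFC 2328 (the slide's "Password" rows are the 8-byte authentication field, which carries a clear-text password only for authentication type 1, and the checksum is computed with that field excluded). After parsing, accept_hello applies the checks a router makes before a received hello can move a neighbour past the down state on a broadcast segment (same area, same subnet mask, same hello and dead intervals, same authentication type), and seen_by is the two-way test: our RID listed in the neighbour's hello. The packets and router IDs are constructed.

```python
"""Build and parse OSPFv2 hello packets and apply the neighbour-acceptance checks.
Added example; layout per RFC 2328 A.3.1 (header) and A.3.2 (hello), packets constructed."""
import ipaddress
import struct

OSPF_HDR = struct.Struct("!BBH4s4sHH8s")    # version, type, length, RID, area ID, checksum, AuType, auth data
HELLO_FIXED = struct.Struct("!4sHBBI4s4s")  # netmask, hello interval, options, priority, dead interval, DR, BDR
HELLO = 1
AU_NULL, AU_SIMPLE, AU_CRYPTO = 0, 1, 2     # none, clear-text password, cryptographic (MD5)


def _ip(text):
    return ipaddress.IPv4Address(text).packed


def internet_checksum(data):
    """Standard ones'-complement checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ospf_checksum(pkt):
    """RFC 2328 D.4: whole packet with the checksum field zeroed and the 8-byte
    authentication field excluded (the checksum is not used with AuType 2)."""
    return internet_checksum(pkt[:12] + b"\x00\x00" + pkt[14:16] + pkt[24:])


def build_hello(rid, area, netmask, hello=10, dead=40, priority=1, dr="0.0.0.0",
                bdr="0.0.0.0", neighbors=(), autype=AU_NULL, password=b""):
    """Constructed hello; `neighbors` lists the RIDs this router has already heard."""
    body = HELLO_FIXED.pack(_ip(netmask), hello, 0x02, priority, dead, _ip(dr), _ip(bdr))
    body += b"".join(_ip(n) for n in neighbors)
    auth = password.ljust(8, b"\x00")[:8]   # AuType 1: the password travels in clear text
    hdr = OSPF_HDR.pack(2, HELLO, OSPF_HDR.size + len(body), _ip(rid), _ip(area), 0, autype, auth)
    pkt = hdr + body
    if autype != AU_CRYPTO:
        pkt = pkt[:12] + struct.pack("!H", ospf_checksum(pkt)) + pkt[14:]
    return pkt


def parse_hello(pkt):
    version, ptype, length, rid, area, csum, autype, auth = OSPF_HDR.unpack_from(pkt)
    if version != 2 or ptype != HELLO or length > len(pkt):
        raise ValueError("not an OSPFv2 hello")
    if autype != AU_CRYPTO and ospf_checksum(pkt[:length]) != csum:
        raise ValueError("bad checksum")
    netmask, hello, options, priority, dead, dr, bdr = HELLO_FIXED.unpack_from(pkt, OSPF_HDR.size)
    first = OSPF_HDR.size + HELLO_FIXED.size          # neighbour list runs to the packet length
    a = lambda raw: str(ipaddress.IPv4Address(raw))
    return {"router_id": a(rid), "area": a(area), "autype": autype, "netmask": a(netmask),
            "hello_interval": hello, "dead_interval": dead, "options": options,
            "priority": priority, "dr": a(dr), "bdr": a(bdr),
            "neighbors": [a(pkt[i:i + 4]) for i in range(first, length, 4)]}


def is_valid_hello(pkt):
    try:
        parse_hello(pkt)
        return True
    except (ValueError, struct.error):
        return False


def accept_hello(local, hello):
    """RFC 2328 10.5: area, network mask and both timers must match ours on a broadcast
    segment (the authentication type is checked on receipt). Empty list = accepted."""
    reasons = []
    if hello["area"] != local["area"]:
        reasons.append("area mismatch")
    if (hello["hello_interval"], hello["dead_interval"]) != (local["hello_interval"], local["dead_interval"]):
        reasons.append("timer mismatch")
    if hello["autype"] != local["autype"]:
        reasons.append("authentication type mismatch")
    if hello["netmask"] != local["netmask"]:
        reasons.append("subnet mask mismatch")
    return reasons


def seen_by(hello, my_rid):
    """Two-way state is reached when the neighbour lists our RID in its hello."""
    return my_rid in hello["neighbors"]


def demo():
    """Constructed local settings plus one acceptable and one mismatching hello."""
    local = {"area": "0.0.0.0", "netmask": "255.255.255.0", "hello_interval": 10,
             "dead_interval": 40, "autype": AU_NULL}
    good = build_hello("10.0.0.12", "0.0.0.0", "255.255.255.0", neighbors=["10.0.0.11"])
    bad = build_hello("10.0.0.13", "0.0.0.1", "255.255.255.0", hello=30, dead=120)
    return local, good, bad
```

A hello that fails any of these checks is simply ignored, which is why mismatched timers or area IDs show up as neighbours that never leave the down or init state.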
1.3- Two way state:
- The neighbor relationship is formed.
Note:
The Two way state is the final state between DROthers.
3- Routes discovery:
3.1- Exstart state:
- Form the master / slave relationship.
- The master is the router with the highest RID, even if it isn't the DR.
3.2- Exchange state:
- Send the link state IDs for the entries in the LSDB (the master router sends a summary of the entries in the LSDB, the "DBD").
LSID : RID sequence
3.3- Loading state:
- Requesting details for specific LSDB entries.
3.4- Full state: (Full adjacency)
- All routers have a common LSDB.
After the DR and BDR have been selected, the routers are considered to be in
the exstart state, and they are ready to discover the link-state information
about the internetwork and create their LSDBs. The process used to discover
the network routes is the exchange protocol, and it gets the routers to a full
state of communication. The first step in this process is for the DR and BDR to
establish adjacencies with each of the other routers. When adjacent routers
are in a full state, they do not repeat the exchange protocol unless the full state
changes.
As shown in the previous figure, the exchange protocol operates as follows:
Step 1 In the exstart state, the DR and BDR establish adjacencies with each
router in the network. During this process, a master-slave relationship is
created between each router and its adjacent DR and BDR. The router with the
higher router ID acts as the master during the exchange process.
Step 2 The master and slave routers exchange one or more DBD packets. The
routers are in the exchange state.
A DBD includes information about the LSA entry header that appears in the
LSDB of the router. The entries can be about a link or about a network. Each
LSA entry header includes information about the link-state type, the address of
the advertising router, the cost of the link, and the sequence number. The
router uses the sequence number to determine the "newness" of the received
link-state information.
Step 3 When the router receives the DBD, it performs these actions, as shown
in the figure:
1. It acknowledges the receipt of the DBD using the LSAck packet.
2. It compares the information it received with the information it has. If the DBD
has a more up-to-date link-state entry, then the router sends an LSR to the
other router. The process of sending LSRs is called the loading state.
3. The other router responds with the complete information about the
requested entry in an LSU packet. Again, when the router receives an LSU, it
sends an LSAck.
Step 4 The router adds the new link-state entries to its LSDB.
When all LSRs have been satisfied for a given router, the adjacent routers are
considered synchronized and in a full state. The routers must be in a full state
before they can route traffic.
At this point, all the routers in the area should have identical LSDBs.
LSA Sequence Numbering
• When a router encounters two instances of an LSA, it must determine which is more recent. The LSA having the newer (higher) LS sequence number is more recent.
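The exchange protocol of Steps 1-4 above and the sequence-number rule, as an added example that is not part of the slides: two routers with different LSDB contents go through exstart (higher RID becomes master), exchange (DBD carries only LSA headers), loading (LSR for entries that are unknown or newer by sequence number), LSU and LSAck, and end with identical databases. is_newer applies the slide's rule plus the age tie-breaks of RFC 2328 13.1 (the checksum tie-break is omitted). The LSDB contents are constructed; the router IDs are borrowed from the show ip ospf database output later in the section.

```python
"""Database exchange between two OSPF routers: DBD, LSR, LSU, LSAck, then identical LSDBs.
Added example; the LSA contents below are constructed."""
from dataclasses import dataclass

MAX_AGE = 3600        # seconds: the 60-minute maximum age
MAX_AGE_DIFF = 900    # RFC 2328: ages within 15 min of each other count as equal


@dataclass(frozen=True)
class LSA:
    ls_type: int       # 1 = router, 2 = network, 3 = summary, 5 = AS external
    ls_id: str
    adv_router: str
    seq: int           # LS sequence number, first instance is 0x80000001
    age: int = 0
    body: str = ""

    def key(self):
        return (self.ls_type, self.ls_id, self.adv_router)

    def header(self):
        """What a DBD packet carries: the LSA header, not the body."""
        return (self.key(), self.seq, self.age)


def is_newer(candidate, current):
    """Higher sequence number wins; on a tie a MaxAge instance wins, otherwise the
    younger one if the ages differ by more than MAX_AGE_DIFF."""
    if candidate.seq != current.seq:
        return candidate.seq > current.seq
    if (candidate.age >= MAX_AGE) != (current.age >= MAX_AGE):
        return candidate.age >= MAX_AGE
    return current.age - candidate.age > MAX_AGE_DIFF


class Router:
    def __init__(self, rid, lsas):
        self.rid = rid
        self.lsdb = {lsa.key(): lsa for lsa in lsas}

    def dbd(self):                       # exchange state: summary of the own LSDB
        return [lsa.header() for lsa in self.lsdb.values()]

    def requests(self, headers):         # loading state: which entries to ask for (LSR)
        return sorted(key for key, seq, age in headers
                      if key not in self.lsdb or is_newer(LSA(*key, seq, age), self.lsdb[key]))

    def update(self, keys):              # LSU: full copies of the requested LSAs
        return [self.lsdb[key] for key in keys]

    def install(self, lsas):             # install newer entries, return the keys to LSAck
        acked = []
        for lsa in lsas:
            if lsa.key() not in self.lsdb or is_newer(lsa, self.lsdb[lsa.key()]):
                self.lsdb[lsa.key()] = lsa
                acked.append(lsa.key())
        return acked


def synchronize(a, b):
    """Exstart: the higher RID is master. Each side then requests whatever the other's
    DBD shows as unknown or newer. Returns (master RID, exchange log, LSDBs identical)."""
    master, slave = sorted((a, b), key=lambda r: tuple(map(int, r.rid.split("."))), reverse=True)
    log = []
    for requester, responder in ((master, slave), (slave, master)):
        wanted = requester.requests(responder.dbd())
        log.append((requester.rid, "LSR", wanted))
        log.append((requester.rid, "LSAck", requester.install(responder.update(wanted))))
    return master.rid, log, a.lsdb == b.lsdb


def demo():
    """A holds a stale copy of B's router LSA; B holds a stale copy of A's and a network
    LSA that A has never seen."""
    a = Router("10.0.0.11", [LSA(1, "10.0.0.11", "10.0.0.11", 0x80000002, body="A links"),
                             LSA(1, "10.0.0.12", "10.0.0.12", 0x80000004, body="B links (old)")])
    b = Router("10.0.0.12", [LSA(1, "10.0.0.12", "10.0.0.12", 0x80000007, body="B links"),
                             LSA(1, "10.0.0.11", "10.0.0.11", 0x80000001, body="A links (old)"),
                             LSA(2, "172.31.1.3", "100.100.100.100", 0x80000001, body="DR")])
    return synchronize(a, b)


if __name__ == "__main__":
    master, log, same = demo()
    print("master:", master, "LSDBs identical:", same)
    for entry in log:
        print(entry)
```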
Creation of Adjacencies (figure)
4- Choosing routes:
• Each router in the area places itself at the root of the tree that is built.
• The best path is calculated with respect to the lowest total cost of links to a specific destination.
• The routing table is formed by applying the SPF algorithm (Dijkstra algorithm) on the LSDB.
• At convergence:
- No further updates unless the LSDB timer expires (30 min.) (LSA refreshment); periodic keepalive hellos are sent, and the dead interval is 4*hello: Hello/dead = 10/40 sec for BMA & P-P, 30/120 sec for NBMA multipoint.
- Summaries of individual link-state entries, not the complete link-state entries, are sent every 30 minutes to ensure LSDB synchronization. Each link-state entry has a timer to determine when the LSA refresh update must be sent.
- Each link-state entry also has a maximum age of 60 minutes. If a link-state entry has not been refreshed within 60 minutes, it is removed from the LSDB.
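The SPF step described above, as an added example that is not part of the slides: a Dijkstra run over a constructed four-router link-state view, with each router placed at the root of its own tree, the total link cost used as the metric, and the routing table derived from the tree (next hop = the router directly below the root on the branch). fail_link shows the recomputation after a link goes down, which is what happens after the LSU/LSAck flooding described next. Topology, costs and network numbers are assumptions.

```python
"""SPF (Dijkstra) over a link-state database and the routing table derived from it.
Added example; the four-router topology, costs and stub networks are constructed."""
import heapq

# Router -> [(neighbour router, cost of the link from this router), ...]
LINKS = {
    "R1": [("R2", 10), ("R3", 64)],
    "R2": [("R1", 10), ("R3", 10), ("R4", 1)],
    "R3": [("R1", 64), ("R2", 10), ("R4", 10)],
    "R4": [("R2", 1), ("R3", 10)],
}
# Stub networks attached to each router, with the interface cost
STUBS = {
    "R1": [("10.1.0.0/24", 1)],
    "R3": [("10.3.0.0/24", 1)],
    "R4": [("10.4.0.0/24", 1)],
}


def spf(root, links):
    """Dijkstra: lowest total cost and parent router for every reachable router."""
    dist, parent = {root: 0}, {root: None}
    heap, done = [(0, root)], set()
    while heap:
        cost, u = heapq.heappop(heap)
        if u in done:
            continue                      # stale heap entry, a cheaper path was already found
        done.add(u)
        for v, link_cost in links.get(u, []):
            candidate = cost + link_cost
            if candidate < dist.get(v, float("inf")):
                dist[v], parent[v] = candidate, u
                heapq.heappush(heap, (candidate, v))
    return dist, parent


def next_hop(root, dest, parent):
    """Walk the tree back from dest to the router directly below the root."""
    node = dest
    while parent[node] != root:
        node = parent[node]
    return node


def routing_table(root, links=LINKS, stubs=STUBS):
    """network -> (total cost, next hop), as the router would install it."""
    dist, parent = spf(root, links)
    table = {}
    for router, nets in stubs.items():
        if router not in dist:
            continue                      # router unreachable in this topology: no route
        for net, cost in nets:
            total = dist[router] + cost
            via = "connected" if router == root else next_hop(root, router, parent)
            if net not in table or total < table[net][0]:
                table[net] = (total, via)
    return table


def fail_link(links, a, b):
    """Topology after the link a-b goes down (what the new router LSAs would describe)."""
    return {r: [(n, c) for n, c in nbrs if {r, n} != {a, b}] for r, nbrs in links.items()}


if __name__ == "__main__":
    for root in LINKS:
        print(root, routing_table(root))
    print("R1 after R1-R2 fails:", routing_table("R1", fail_link(LINKS, "R1", "R2")))
```

From R1 the cheaper way to R3 is through R2 (cost 20) rather than the direct cost-64 link, so even the directly attached 10.3.0.0/24 network is reached via R2; when the R1-R2 link fails the direct link becomes the only option and every cost jumps accordingly.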
• At change:
- The router that detects the change sends an LSU to the DR & BDR on 224.0.0.6.
- The DR & BDR will send an LSAck to the sending router.
- Then the DR will send the LSU to all routers on 224.0.0.5.
- Then all routers will rebuild the SPF tree.
Convergence stability:
To solve the flapping link problem, OSPF uses the convergence stability rules (timers).
- Basic configuration:
(config)# router ospf <process id>
! process id = 1-65535 & can never be 0; a maximum of 32 processes could be supported by OSPF
(config-router)# network <net. add.> <w.c.m> area <area id>
Or
Router(config-if)# ip ospf <process-id> area <area-id>
! Optional method to enable OSPF explicitly on an interface
Optional configuration:
OSPF Router ID
• The router is known to OSPF by the OSPF router ID number.
• LSDBs use the OSPF router ID to differentiate one router from the next.
• By default, the router ID is the highest IP address on an active interface at the moment of OSPF process startup.
• A loopback interface can override the OSPF router ID. If a loopback interface exists, the router ID is the highest IP address on any active loopback interface.
• The OSPF router-id command can be used to override the OSPF router ID.
• Using a loopback interface or a router-id command is recommended for stability.
Define the router ID:
(config-router)# router-id <ip address>
Loopback interface:
(config)# int loopback 0
(config-if)# ip address <ip> <mask>
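The router ID selection rules above as an added example that is not part of the slides: an explicit router-id wins, then the highest address on an active loopback, then the highest address on any other active interface, with addresses compared numerically rather than as strings (a common scripting mistake, since "9.9.9.9" sorts after "10.200.200.13" as text). The interface list is constructed.

```python
"""OSPF router ID selection: router-id command, else highest active loopback address,
else highest active interface address. Added example; the interface list is constructed."""
import ipaddress


def choose_router_id(interfaces, configured=None):
    """interfaces: [(name, ip, is_up), ...]. Returns (router id, rule that picked it).
    The choice is made at OSPF process start-up; it does not follow later address
    changes until the process is restarted, hence the stability advice above."""
    if configured:
        return configured, "router-id command"
    active = [(name, ipaddress.IPv4Address(ip)) for name, ip, up in interfaces if up]
    loopbacks = [ip for name, ip in active if name.lower().startswith("loopback")]
    if loopbacks:
        return str(max(loopbacks)), "highest active loopback"   # numeric comparison
    others = [ip for name, ip in active if not name.lower().startswith("loopback")]
    if others:
        return str(max(others)), "highest active interface"
    raise ValueError("no active IP interface: OSPF cannot start without a router ID")


if __name__ == "__main__":
    sample = [("FastEthernet0/0", "192.168.1.1", True), ("Serial0/0", "10.200.200.13", True),
              ("Loopback0", "10.0.0.11", True), ("Loopback1", "10.0.0.9", False)]
    print(choose_router_id(sample))        # loopback wins over the higher physical address
    print(choose_router_id(sample[:2]))    # no loopback: highest active physical address
```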
Troubleshooting
#show ip route
RouterA# show ip route ospf
#show ip ospf
RouterB# show ip ospf
#show ip protocols
OSPF operation in NBMA networks
Based on layer 3 concepts, all devices on an NBMA segment must be in the same subnet, so OSPF (a layer 3 protocol) needs to treat them as direct neighbors. On the other hand, using layer 2 concepts they may not be directly connected (no PVC between all of them), so they are not next hops to each other; but OSPF can treat them in some cases as direct neighbors, as in the case of NBMA mode.
OSPF operation in NBMA networks (figure)
or partial mesh
• Configuration for NBMA networks:
(config)# int s0/0
(config-if)# ip ospf network {non-broadcast | broadcast | point-to-multipoint [non-broadcast] | point-to-point}
Ex2: Routers in Multipoint mode (figure; router 130.130.1.2, interface S0)
Ex3: Routers using point-to-point subinterfaces (figure; router 130.130.1.2, interface S0)
OSPF in Multiple Areas
Single vs. Multiple Areas OSPF
So routers will need high CPU power & a big memory size. The solution, if you need to scale your network using OSPF, is to use a hierarchical design.
Types of Routers
• Internal Router:
A router that has all its interfaces in the same area; it has the full LSDB for its area.
(config)#router ospf <process id>
(config-router)#network <link id> <wcm> area <area id>
• ABR (Area Border Router):
A router that is responsible for connecting two or more areas. It must have at least one interface in the backbone area (area 0); it has the full database for all areas to which it is connected and sends summary database updates between these areas.
(config)#router ospf <process id>
(config-router)#network <link id> <wcm> area 0
(config-router)#network <link id> <wcm> area <area id>
• ASBR (Autonomous System Boundary Router):
A router that has at least one interface into an external internetwork (another AS) or other non-OSPF network.
• Backbone Router:
A router that has at least one link in area 0; it could be an internal router, ABR or ASBR.
Types of LSAs
• Type 1 LSA: (Router Link LSA)
Intra-area LSA, "O" in the routing table.
Every router generates router link advertisements and floods them to all routers in each area to which it belongs. It describes:
1- Each directly attached link by its IP
2- Mask of the link
3- State of the link, cost
4- Whether the router is an ABR or ASBR; the Type 1 LSID is the originating router's RID
5- Link type (point to point to another router, stub, multiaccess (transit), virtual link, ...)
• Type 2 LSA: (Network Link LSA)
Intra-area, "O" in the routing table.
Generated by the DR and flooded inside its area; its function is that the DR advertises its existence to all of its area. The Type 2 LSID is the IP of the DR's interface facing the segment.
• Type 5 LSA: (AS External Link LSA)
"O E1, O E2" in the routing table.
Generated by the ASBR and flooded to the whole AS; it describes routes to destination networks in an external AS.
(Future use)
Interpreting the Routing Table: Types of Routes
Link count: Total number of directly attached links, used only on router LSAs. The link count includes all point-to-point, transit, and stub links. Each point-to-point serial link counts as two; all other links count as one, including Ethernet links.
RouterA#show ip ospf database
OSPF Router with ID (10.0.0.11) (Process ID 1)
Router Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Link count
10.0.0.11 10.0.0.11 548 0x80000002 0x00401A 1
10.0.0.12 10.0.0.12 549 0x80000004 0x003A1B 1
100.100.100.100 100.100.100.100 548 0x800002D7 0x00EEA9 2
Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
172.31.1.3 100.100.100.100 549 0x80000001 0x004EC9
Summary Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
10.1.0.0 10.0.0.11 654 0x80000001 0x00FB11
10.1.0.0 10.0.0.12 601 0x80000001 0x00F516
10.1.1.0 10.0.0.11 7 0x80000009 0x004DC5
10.1.1.0 10.0.0.12 9 0x80000007 0x00E81B
10.1.1.0 172.31.1.1 1111 0x80000003 0x00DD82
10.1.2.0 10.0.0.11 599 0x80000003 0x00EB1C
10.1.2.0 10.0.0.12 603 0x80000001 0x004CCC
10.1.3.0 10.0.0.11 14 0x80000002 0x00E225
10.1.3.0 10.0.0.12 69 0x80000001 0x00DE29
10.200.200.13 172.31.1.1 1108 0x80000001 0x00764E
Router Link States (Area 1)
Link ID ADV Router Age Seq# Checksum Link count
10.0.0.11 10.0.0.11 19 0x80000009 0x00B6C3 3
10.0.0.12 10.0.0.12 601 0x80000005 0x0085F0 3
10.200.200.13 10.200.200.13 20 0x80000003 0x000AB2 3
10.200.200.14 10.200.200.14 62 0x8000004D 0x003C2E 3
Net Link States (Area 1)
Link ID ADV Router Age Seq# Checksum
10.1.1.1 10.0.0.11 19 0x80000001 0x00D485
10.1.2.4 10.200.200.14 622 0x80000001 0x009F20
Summary Net Link States (Area 1)
Link ID ADV Router Age Seq# Checksum
172.31.1.0 10.0.0.11 540 0x80000003 0x004108
172.31.1.0 10.0.0.12 542 0x80000003 0x003B0D
172.31.1.0 172.31.1.1 1399 0x80000003 0x00C5CA
172.31.2.0 10.0.0.11 536 0x80000001 0x00D762
172.31.2.0 10.0.0.12 537 0x80000001 0x00D167
172.31.2.0 172.31.1.1 1394 0x80000001 0x005C25
Summary ASB Link States (Area 1)
Link ID ADV Router Age Seq# Checksum
100.100.100.100 10.0.0.11 536 0x80000001 0x007213
100.100.100.100 10.0.0.12 537 0x80000001 0x006C18
100.100.100.100 172.31.1.1 1394 0x80000001 0x00F6D5
Type-5 AS External Link States
Link ID ADV Router Age Seq# Checksum Tag
10.254.0.0 100.100.100.100 1351 0x8000010A 0x00C518 0
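The output above can be parsed to answer the questions this section raises: which routers are ABRs and ASBRs, how many LSAs of each type each area carries, and which LSAs are being re-originated most often. The following Python is an added example, not part of the course material; its sample input is a constructed excerpt of the RouterA output above, reduced to a few rows per section.

```python
"""Parse 'show ip ospf database' text and summarize the LSDB by LSA type.

Added example for this page, not part of the original course material.
SAMPLE_OUTPUT is a constructed excerpt of the RouterA output shown above.
"""
import re
from collections import Counter

SAMPLE_OUTPUT = """\
OSPF Router with ID (10.0.0.11) (Process ID 1)
Router Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Link count
10.0.0.11 10.0.0.11 548 0x80000002 0x00401A 1
10.0.0.12 10.0.0.12 549 0x80000004 0x003A1B 1
100.100.100.100 100.100.100.100 548 0x800002D7 0x00EEA9 2
Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
172.31.1.3 100.100.100.100 549 0x80000001 0x004EC9
Summary Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
10.1.1.0 10.0.0.11 7 0x80000009 0x004DC5
10.1.1.0 10.0.0.12 9 0x80000007 0x00E81B
10.1.1.0 172.31.1.1 1111 0x80000003 0x00DD82
Summary ASB Link States (Area 1)
Link ID ADV Router Age Seq# Checksum
100.100.100.100 10.0.0.11 536 0x80000001 0x007213
Type-5 AS External Link States
Link ID ADV Router Age Seq# Checksum Tag
10.254.0.0 100.100.100.100 1351 0x8000010A 0x00C518 0
"""

# Section header printed by IOS -> LSA type number
SECTION_TYPES = {
    "Router Link States": 1,
    "Net Link States": 2,
    "Summary Net Link States": 3,
    "Summary ASB Link States": 4,
    "Type-5 AS External Link States": 5,
    "Type-7 AS External Link States": 7,
}
HEADER_RE = re.compile(r"^(?P<name>.+? Link States)(?: \(Area (?P<area>\S+)\))?$")
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ROW_RE = re.compile(
    r"^(?P<link_id>" + IPV4 + r")\s+(?P<adv>" + IPV4 + r")\s+(?P<age>\d+)\s+"
    r"(?P<seq>0x[0-9A-Fa-f]+)\s+(?P<cksum>0x[0-9A-Fa-f]+)(?:\s+(?P<extra>\d+))?$"
)
INITIAL_SEQ = 0x80000001  # sequence number an LSA is first originated with


def parse_lsdb(text):
    """Return one dict per LSA: type, area, link_id, adv, age, seq, extra.
    'extra' is the Link count column for type 1 and the Tag column for type 5."""
    entries, lsa_type, area = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header and header.group("name") in SECTION_TYPES:
            lsa_type, area = SECTION_TYPES[header.group("name")], header.group("area")
            continue
        row = ROW_RE.match(line)
        if row and lsa_type is not None:
            entries.append({
                "type": lsa_type, "area": area,
                "link_id": row.group("link_id"), "adv": row.group("adv"),
                "age": int(row.group("age")), "seq": int(row.group("seq"), 16),
                "extra": int(row.group("extra")) if row.group("extra") else None,
            })
    return entries


def count_by_type(entries, area=None):
    """LSA count per type, optionally limited to one area (None = whole LSDB)."""
    return Counter(e["type"] for e in entries if area is None or e["area"] == area)


def area_border_routers(entries):
    """Only an ABR originates type 3/4 summary LSAs, so their advertisers are the ABRs."""
    return sorted({e["adv"] for e in entries if e["type"] in (3, 4)})


def as_boundary_routers(entries):
    """ASBRs: the Link ID of a type 4 LSA is an ASBR's RID, and type 5 LSAs come from ASBRs."""
    from_type4 = {e["link_id"] for e in entries if e["type"] == 4}
    from_type5 = {e["adv"] for e in entries if e["type"] == 5}
    return sorted(from_type4 | from_type5)


def reoriginations(entry):
    """How many times the LSA has been re-originated since its first instance."""
    return entry["seq"] - INITIAL_SEQ


def most_churned(entries, n=1):
    """The n LSAs with the most re-originations: a quick pointer to flapping links."""
    ranked = sorted(entries, key=reoriginations, reverse=True)
    return [(e["adv"], e["link_id"], reoriginations(e)) for e in ranked[:n]]


def older_than(entries, seconds):
    """LSAs not refreshed for longer than 'seconds' (a router refreshes its own every 1800 s)."""
    return [(e["type"], e["link_id"], e["age"]) for e in entries if e["age"] > seconds]
```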
Area types (overview figure)
[Figure: an AS with area 0 in the middle connected to areas 1 to 5, another AS attached through areas 4 and 5, and the LSA types entering each area; the figure also labels O*IA 0.0.0.0/0 (Type 3) and O*E2 0.0.0.0/0 (Type 5) default routes and Type 7 LSAs being converted to Type 5 at the NSSA ABR. The notes on the figure are reproduced below.]
1. Backbone area: it is area 0; it is connected to all other areas and it accepts any type of LSA except type 7.
2. Standard or ordinary area (not area 0): any area except area 0 is a standard area by default; it can have an ASBR, and it accepts any type of LSA except type 7.
3. Stub area (it cannot have an ASBR): it is done by configuration on the ABR and on all routers: (config-router)# area 2 stub. Internal routers receive a default route from the ABR (Type 3 LSA, O*IA 0.0.0.0/0): if the destination is in another autonomous system, just send the packet out of the only exit you have for this area (the ABR).
4. Totally stub area (it cannot have an ASBR): on all routers: (config-router)# area 3 stub; on the ABR: (config-router)# area 3 stub no-summary. Internal routers receive only the default route: if the destination is in another area or another autonomous system, just send the packet out of the only exit you have for this area.
5. Not-So-Stubby Area (NSSA) (stub + ASBR): it is a stub area that contains an ASBR; the ASBR's external routes enter the area as Type 7 LSAs, which the ABR converts to Type 5.
6. Not-so-totally-stub area (totally stub + ASBR): on all routers: (config-router)# area 5 nssa; on the ABR: (config-router)# area 5 nssa no-summary.
Types of Areas
• Ordinary or standard area:
Area that accepts all types of LSAs (intra-area, inter-area and
external), but does not accept type 7.
• Backbone Area (transit area):
It is area 0 and connects all other areas; it accepts all types of LSAs
except type 7.
• Stub area:
Area whose ABR does not advertise type 5 LSAs into it, and that does not
accept type 7 LSAs; instead its ABR advertises a default route, so the
internal routers in that area type do not know any details about
other AS networks but can reach them using the default route through the
ABR. A stub area can never contain an ASBR.
• Totally Stub area:
Area whose ABR does not advertise type 5, type 3 or type 4 LSAs into it,
and that does not accept type 7; instead its ABR advertises a
default route, so the internal routers do not know details about
other AS networks or other areas' networks, but use the default
route to reach them through their ABR.
• NSSA (Not-So-Stubby Area):
It is a stub area that can contain an ASBR; it accepts type 7 LSAs and
all other types except type 5 LSAs, and uses a default route instead.
The ABR of the NSSA converts type 7 into type 5 towards the other areas.
Has O, OIA, O*IA, ON1 & ON2 routing entries.
• NSSA totally stub area: has O, O*IA, ON1 & ON2 routing entries.
It is a totally stub area that can contain an ASBR; it accepts type 7 LSAs
and uses a default route only.
On the ABR router of an NSSA totally stub area:
(config-router)# area <id> nssa no-summary
Configuring summarization
Summary on the ASBR:
(config-router)#summary-address <address> <mask>
Virtual links
• The OSPF rule is that all areas must connect to area 0, but
there are cases that force the opposite, because a
direct physical connection is unavailable, or in order to
provide a redundant link to area 0.
The solution is to form a virtual link between the far area and
area 0 through the transit area.
• #sh ip protocols
• #sh ip route
• #sh ip ospf neighbors
• #sh ip ospf interface
• #sh ip ospf database
• #sh ip ospf border-routers
• #sh ip ospf virtual-links
• (config-router)#log-adjacency-changes
Design considerations
Cisco recommends the following:
• 50 routers per area (max)
• 60 neighbours per router (max)
• 3 areas per router (max)
• A router cannot be a DR or BDR for more than one
network segment
Manipulating Multiple Routing Protocols (Redistribution)
Why do we need multiple routing protocols?
A) Migration
- From FLSM to VLSM
- From a flat design to a hierarchical design (to facilitate route
summarization, which enhances network scalability)
Methods of redistribution
• One-way redistribution:
redistribute the networks learned by a certain protocol in a single
direction
• Two-way redistribution:
redistribute all routes from a routing process to another and vice
versa
Redistributing vs. Redistributed protocol
• Redistributing protocol:
It is the native protocol that will transform another protocol's routes into its
own form
• Redistributed protocol:
It is the non-native protocol whose routes will be transformed into another
protocol's form
- Note: in order for any route to be redistributed it must exist in
the routing table of the redistributing router
Configuring Redistribution
• (config)#router <redistributing protocol>
{level-1 | level-1-2 | level-2}
! If IS-IS is the redistributing protocol:
redistribute the routes into IS-IS as iL1 or iL2 (the default is iL2).
If IS-IS is the redistributed protocol:
redistribute iL1 routes, iL2 routes or both. !
metric 10
[Figure: routing table of router B before redistribution, with entry R 10.0.0.8; labels "For Redistribution", "Ospf1"]
Example: Routing Tables after Route Redistribution
[Figure: routing tables after redistribution, with entry R 10.0.0.8]
Controlling routing updates traffic & Policy Based Routing (PBR)
Controlling routing updates traffic
Passive interfaces
(config-router)#passive-interface <interface name>
(config-router)#passive-interface default
Note:
A passive interface causes RIP and IGRP to stop sending
updates, but it can still receive updates.
Passive interface may also be used with OSPF, IS-IS & EIGRP,
but there it also prevents sending hellos as well as updates,
so no adjacency can be formed with neighbors on a
passive interface and no updates can be either sent or received.
Using admin. distance to influence the route selection
• For EIGRP & BGP:
(config-router)#distance eigrp <internal distance> <external distance>
(config-router)#distance bgp <external distance> <internal distance> <local distance>
• For OSPF:
(config-router)#distance ospf external <value> inter-area <value>
intra-area <value>
• For all protocols: used with any protocol to specify certain networks
(config-router)#distance <value> [<source of updates address> <wcm>]
[<access-list number or name for advertised routes>]
Example: Redistribution Using Administrative Distance
We will perform redistribution and use a higher administrative
distance for the redistributed routes.
[Figure: the configurations of P3R1 and P3R2 are shown side by side on the slide]
hostname P3R1
hostname P3R2
!
router ospf 1
redistribute rip metric 10000 metric-type 1 subnets
network 172.31.0.0 0.0.255.255 area 0
distance 125 0.0.0.0 255.255.255.255 64
!
router rip
version 2
redistribute ospf 1 metric 5
network 10.0.0.0
no auto-summary
!
access-list 64 permit 10.3.1.0
access-list 64 permit 10.3.3.0
access-list 64 permit 10.3.2.0
access-list 64 permit 10.200.200.31
access-list 64 permit 10.200.200.34
access-list 64 permit 10.200.200.32
access-list 64 permit 10.200.200.33
Distribute List
Distribute list action (flowchart):
A routing update arrives. Is there a filter for that interface or routing process?
  no: process the route normally
  yes: is there an entry for this route in the ACL?
    permit in the ACL: process the route normally
    deny in the ACL, or no match: drop the route
Example 1
• Hide network 10.0.0.0 from router C using interface
filtering (EIGRP 1)
B(config)#router eigrp 1
B(config-router)#network 172.16.0.0
B(config-router)#network 192.168.5.0
B(config-router)#distribute-list 7 out s0
B(config)#access-list 7 deny 10.0.0.0 0.255.255.255
B(config)#access-list 7 permit any
Example 2
Controlling Redistribution with Distribute Lists
Prefix Lists
• Used to filter a range of routes, which is impossible using a
normal ACL; also, an ACL cannot specify the subnet mask
of the updates that are to be filtered. Only a prefix
list can match subnets together with their masks.
(config)#ip prefix-list <list name> description <description statement>
(config)#ip prefix-list <list name> [seq <seq. no.>] <deny/permit> <prefix>/<prefix
length> [ge <prefix length>] [le <prefix length>]
! The seq. no. is optional; it starts at 5 for the first statement
and is incremented by 5 for further statements !
Note: implicit deny at the end
Example 1
• Deny the default route
(config)#ip prefix-list ccnp1 deny 0.0.0.0/0
! To deny exactly 0.0.0.0/0 !
Example 2
• Deny 172.16.0.0/24 from an update containing
172.16.0.0/24, 172.16.0.0/20 & 172.16.0.0/16
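To see the prefix-list matching rules at work (exact match without ge/le, ranges with ge/le, sequence numbering and the implicit deny), here is an added Python model, not part of the course material. Example 1 uses the statement shown above; the statements for Example 2 and for the extra "range" list are my assumptions, since the slide gives only the goal.

```python
"""Cisco-style ip prefix-list evaluation: exact match, ge/le ranges, sequence
numbering and the implicit deny.

Added example, not part of the course material. Example 1 is the statement
shown on the page; the statements for Example 2 and for the 'ranges' list are
assumptions (the page states the goal of Example 2 but not its lines).
"""
from ipaddress import ip_network


class PrefixList:
    def __init__(self, name):
        self.name = name
        self.entries = []  # always kept in sequence-number order

    def add(self, statement, seq=None):
        """Add 'permit|deny A.B.C.D/N [ge X] [le Y]'.
        Without seq, IOS uses the highest existing number + 5 (5 for the first)."""
        if seq is None:
            seq = max((e["seq"] for e in self.entries), default=0) + 5
        tokens = statement.split()
        entry = {"seq": seq, "action": tokens[0],
                 "prefix": ip_network(tokens[1], strict=False), "ge": None, "le": None}
        for key, value in zip(tokens[2::2], tokens[3::2]):
            if key not in ("ge", "le"):
                raise ValueError(f"unknown keyword {key!r}")
            entry[key] = int(value)
        n = entry["prefix"].prefixlen
        if entry["ge"] is not None and not n < entry["ge"] <= 32:
            raise ValueError("ge must be greater than the prefix length")
        low = entry["ge"] if entry["ge"] is not None else n
        if entry["le"] is not None and not low <= entry["le"] <= 32:
            raise ValueError("le must be at least ge (or the prefix length) and at most 32")
        self.entries.append(entry)
        self.entries.sort(key=lambda e: e["seq"])
        return seq

    @staticmethod
    def entry_matches(entry, route):
        """A route matches when its first N bits equal the entry's prefix and its
        length falls in the allowed window: exactly N without ge/le, ge..32 with ge
        only, N..le with le only, ge..le with both."""
        n = entry["prefix"].prefixlen
        if route.prefixlen < n or route.network_address not in entry["prefix"]:
            return False
        low = entry["ge"] if entry["ge"] is not None else n
        if entry["le"] is not None:
            high = entry["le"]
        else:
            high = 32 if entry["ge"] is not None else n
        return low <= route.prefixlen <= high

    def evaluate(self, route):
        """First matching entry decides; returns (action, seq). No match: implicit deny."""
        route = ip_network(route, strict=False)
        for entry in self.entries:
            if self.entry_matches(entry, route):
                return entry["action"], entry["seq"]
        return "deny", None


# Example 1 from the page: deny exactly the default route. Because of the implicit
# deny, a list with only deny lines permits nothing else either.
ccnp1 = PrefixList("ccnp1")
ccnp1.add("deny 0.0.0.0/0")

# Example 2 (assumed statements): drop 172.16.0.0/24 only, let every other prefix through.
ccnp2 = PrefixList("ccnp2")
ccnp2.add("deny 172.16.0.0/24")
ccnp2.add("permit 0.0.0.0/0 le 32")

# A range that a standard ACL cannot express (constructed): every /24 inside 10.0.0.0/8.
ranges = PrefixList("ranges")
ranges.add("permit 10.0.0.0/8 ge 24 le 24")
```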
Route Maps
• The common uses of route maps:
1- Redistribution route filtering:
for routing update filtering (a more sophisticated
alternative to a distribute list) & update modification
(modifying metrics, metric types, ...)
2- PBR (Policy Based Routing), called Policy Maps:
routed traffic filtering and shaping
3- NAT:
route maps are used with NAT, instead of an access list, to select the users that
can be translated
4- BGP policy implementation
Route map configuration
Create a route map
(config)#route-map <map-tag> deny [seq. no.]
(config-route-map)#match <condition>
! If the main statement is deny, there is no need for a Set statement !
(config)#route-map <map-tag> permit [seq. no.]
(config-route-map)#match <condition>
! If no Set statement exists, no change will be applied !
(config)#route-map <map-tag> permit [seq. no.]
(config-route-map)#set <condition>
! If no Match statement exists, that means match any !
(config)#route-map <map-tag> permit [seq. no.]
(config-route-map)#match <condition a> <condition b> <condition c>
(config-route-map)#set <condition>
! Several match conditions on one line (horizontally) mean a logical OR
(match condition a OR b OR c) !
(config)#route-map <map-tag> permit [seq. no.]
(config-route-map)#match <condition x>
(config-route-map)#match <condition y>
(config-route-map)#match <condition z>
(config-route-map)#set <condition d>
(config-route-map)#set <condition e>
! Several match or Set statements on separate lines (vertically) mean a logical AND
(match condition x AND y AND z, then Set d AND e) !
(config)#route-map <map-tag> permit [seq. no.]
! No match (means match any) and no Set (means don't modify
anything): the full statement means permit any with no changes !
(config)#route-map <map-tag> deny [seq. no.]
! No match (means match any) and deny in the main statement (means filter the
route): the full statement means deny any route !
Route map processing for redistribution (flowchart):
Does the route match the current statement?
  yes, permit in the main line statement: redistribute the route, applying any Set statements
  yes, deny in the main line statement: the route is filtered (not redistributed)
  no: try the next statement; a route that matches no statement is denied
Example 2
Use a route map to form the redistribution policy
(config)#router ospf 10
(config-router)#redistribute rip subnets route-map CCNP
(config)#route-map CCNP permit 10
(config-route-map)#match ip address 1 2
(config-route-map)#set metric 500
(config-route-map)#set metric-type type-1
(config)#route-map CCNP deny 20
(config-route-map)#match ip address 3
(config)#route-map CCNP permit 30
(config-route-map)#set metric 5000
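An added Python model (not course material) of how the distribute-list of Example 1 and the route-map CCNP of Example 2 treat a route: standard-ACL matching on the network address, a logical OR over the ACLs of one match statement, set actions on permit only, and the implicit deny. ACLs 1, 2 and 3 are not shown on the page, so the ones used here are constructed.

```python
"""Standard-ACL route filtering as a distribute-list applies it, and a
redistribution route-map with the page's permit/deny, horizontal-OR and
implicit-deny rules.

Added example, not part of the course material. ACL 7 is the one from
Example 1 above; ACLs 1, 2 and 3 referenced by route-map CCNP are not shown
on the page, so the ones below are constructed.
"""
from ipaddress import ip_address, ip_network


def acl_permits(acl, network):
    """Standard ACL on a route's network address: entries are (action, address[, wildcard]).
    A missing wildcard means 0.0.0.0 (exact match, as in 'access-list 64 permit 10.3.1.0').
    First matching entry wins; no match is the implicit deny."""
    addr = int(ip_network(network, strict=False).network_address)
    for action, address, *rest in acl:
        wildcard = int(ip_address(rest[0])) if rest else 0
        care = ~wildcard & 0xFFFFFFFF  # bits the ACL entry cares about
        if addr & care == int(ip_address(address)) & care:
            return action == "permit"
    return False


# Example 1 on the page: 'distribute-list 7 out s0' with ACL 7
ACL_7 = [("deny", "10.0.0.0", "0.255.255.255"), ("permit", "0.0.0.0", "255.255.255.255")]


def distribute_list_out(acl, routes):
    """Routes that survive an outbound distribute-list: permit is sent, deny or no match is dropped."""
    return [r for r in routes if acl_permits(acl, r)]


# Constructed ACLs 1-3 for the route-map example (the page does not list them)
ACLS = {
    1: [("permit", "10.1.0.0", "0.0.255.255")],
    2: [("permit", "10.2.0.0", "0.0.255.255")],
    3: [("permit", "192.168.0.0", "0.0.255.255")],
}

# route-map CCNP from Example 2: (seq, action, ACLs of 'match ip address' (OR), set actions)
ROUTE_MAP_CCNP = [
    (10, "permit", [1, 2], {"metric": 500, "metric-type": "type-1"}),
    (20, "deny", [3], {}),
    (30, "permit", [], {"metric": 5000}),  # no match statement = match any
]


def apply_route_map(route_map, acls, network, attrs):
    """Run one route through the route-map.
    Returns (redistributed, matching_seq, attributes): 'match ip address a b' is a
    logical OR over the ACLs, a clause without match matches anything, set actions
    apply only on permit, and a route matching no clause hits the implicit deny."""
    for seq, action, acl_numbers, set_actions in sorted(route_map, key=lambda c: c[0]):
        matched = not acl_numbers or any(acl_permits(acls[n], network) for n in acl_numbers)
        if not matched:
            continue
        if action == "deny":
            return False, seq, dict(attrs)
        return True, seq, {**attrs, **set_actions}
    return False, None, dict(attrs)
```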
PBR (Policy Based Routing)
(Policy Map)
PBR characteristics
1- Source-based routing:
different sources go through different paths
2- QoS:
mark different traffic with different ToS values in the IP
packets
3- Load sharing:
distribute traffic over multiple paths
4- Cost saving:
by distributing traffic among low-bandwidth, low-cost and high-
bandwidth, high-cost connections
Route map for PBR configuration
1) Create the route map (policy map)
(config)#route-map <map-tag> <permit/deny> [seq. no.]
(config-route-map)#match <condition>
(config-route-map)#set <condition>
Route-map processing for PBR (flowchart):
Does the packet match the current statement?
  yes, permit in the main line statement: apply the Set statements (policy-route the packet)
  yes, deny in the main line statement, or no statement matches: use the default routing
  process (destination-based routing table). Is there an entry in the routing table?
    yes: forward the packet normally
    no: discard the packet
Match conditions
(config-route-map)#match ip address [ACL no. or name]
! Use an access list that contains the IP addresses to be matched against the
incoming packets' source IP !
(config-route-map)#match length <min> <max>
! Check the incoming packet's min & max length !
(config-route-map)#match tos <value>
! Match the ToS value in an incoming IP packet !
(config-route-map)#match ip-precedence <value>
! Match the IP precedence value in an incoming IP packet !
Set conditions
Verifying Policy-Based Routing Examples
#traceroute <ip>
#ping <ip>, with the record option
IS-IS
(Intermediate System to Intermediate System)
IS-IS overview
• Why is IS-IS used?
1- IS-IS is the most popular (RFC 1195) open-standard,
scalable and stable IP routing protocol in the ISP industry,
& it was developed before OSPF
2- The simplicity and stability of IS-IS make it robust in large
internetworks, so there is no need to use another protocol instead
3- The US government mandated (forced) support for an OSI
routing protocol (IS-IS, ISO-IGRP, static CLNS routes)
4- Simpler implementation than OSPF; it makes efficient use of
bandwidth, memory and processor
5- Well positioned for IPv6: IS-IS updates are not carried within
another routed protocol, so it is routed-protocol
independent
• CLNS/CLNP:
– CLNP is an OSI network-layer protocol that carries
upper-layer data and error indications over connectionless links
– CLNS provides network-layer services to the transport layer
via CLNP
– When support is provided for CLNS, the routing
uses routing protocols to exchange routing information
• CMNS/CONP:
– CONP is an OSI network-layer protocol that carries upper-layer
data and error indications over connection-oriented links
– CMNS performs functions related to the explicit establishment
of paths via CONP
– When support is provided for CMNS, the routing uses the X.25
protocols as the relaying functions
OSI Layer 3 addressing
(CLNS Addressing)
• CLNS (Connectionless Network Service) is an OSI
routed protocol that supports both L3 logical addressing &
end-to-end data delivery through CLNS packets, just like the
IP protocol does.
• Unlike an IP address, a CLNS address applies to the entire node
and not to an interface.
• A CLNS address is called an NSAP (Network Service Access
Point).
• The NSAP identifies any system in the OSI model.
• The NSAP contains:
1- Domain address
2- Area address
3- Device (system) address
4- Link to the upper (higher) layer process (protocol)
• NSAP address:
[Figure: NSAP address format in the Cisco implementation; the area address field is 1-13 bytes]
Cisco implementation of the NSAP address structure
• a) IDP (Initial Domain Part):
- AFI (Authority and Format Identifier):
it is the main domain (authority) id,
e.g. 49 is reserved for locally administered (private) domains
- IDI (Initial Domain Identifier):
it is the sub-domain id.
• b) DSP (Domain Specific Part):
- HO-DSP (High Order DSP):
it is the area id, unique within the domain.
- System id:
it is the device id, unique within the area.
- NSEL (Network Selector):
it identifies a process (application) on the device; it
corresponds to a port number in the IP environment.
Rules of ISO addressing
1- The ISO address is assigned to the system, not to the
interface
2- The router has one NET address
3- All routers within an area must use the same area
address
4- The system id must be unique within the area
5- The system id must have the same length for all ISs and ESs
within the domain (in the Cisco implementation the system id
is fixed at 6 bytes)
OSI Layer 2 address
SNPA address
• The SNPA (Subnetwork Point of Attachment) address is the
layer 2 (data-link layer) address
corresponding to the Layer 3 NSAP address; it is
identified by:
1- the MAC address on LAN interfaces
2- the virtual circuit id for X.25, ATM and Frame Relay
3- the encapsulation type for point-to-point links (e.g. HDLC)
• Interfaces are uniquely identified by a circuit ID:
– a one-octet number on point-to-point interfaces (like 0x00)
– the circuit ID concatenated with the 6-octet system ID
of the designated router on broadcast multiaccess
networks to form the 7-octet LAN ID (1921.6800.0001.01)
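An added Python example, not part of the course material, that parses a NET into the Cisco NSAP fields described above, builds the 7-octet LAN ID and checks rules 3 and 4 across the routers of an area. The NETs are constructed; only the LAN ID 1921.6800.0001.01 comes from the page, and the dotted output format (four hex digits per group) is a display choice of this example.

```python
"""Parse an IS-IS NET (an NSAP whose NSEL is 00) the way the Cisco implementation
lays it out: AFI | area | 6-byte system ID | 1-byte NSEL, and check the ISO
addressing rules across a set of routers.

Added example, not part of the course material. The NETs used here are
constructed; the LAN ID 1921.6800.0001.01 is the one quoted on the page.
"""
import re


def dotted(octets):
    """Hex string grouped in 4-digit fields: bytes 19 21 68 00 00 01 -> '1921.6800.0001'."""
    h = octets.hex().upper()
    return ".".join(h[i:i + 4] for i in range(0, len(h), 4))


def parse_net(net):
    """Split '49.0001.1921.6800.0001.00' into afi, area address, system id and nsel."""
    hexdigits = net.replace(".", "")
    if not re.fullmatch(r"[0-9A-Fa-f]+", hexdigits) or len(hexdigits) % 2:
        raise ValueError("NET must be dotted hex with a whole number of bytes")
    octets = bytes.fromhex(hexdigits)
    if not 8 <= len(octets) <= 20:
        raise ValueError("an NSAP is 8 to 20 bytes long")
    nsel = octets[-1]
    system_id = octets[-7:-1]   # rule 5: fixed at 6 bytes in IOS
    area_octets = octets[:-7]   # AFI plus the area field: 1 to 13 bytes
    if nsel != 0:
        raise ValueError("a NET must end in NSEL 00")
    if len(area_octets) > 13:
        raise ValueError("area address may be at most 13 bytes")
    area = dotted(area_octets[:1])
    if len(area_octets) > 1:
        area += "." + dotted(area_octets[1:])
    return {
        "afi": f"{area_octets[0]:02X}",
        "area": area,
        "system_id": dotted(system_id),
        "nsel": f"{nsel:02X}",
    }


def is_valid_net(net):
    """True when parse_net accepts the address."""
    try:
        parse_net(net)
        return True
    except ValueError:
        return False


def lan_id(system_id, circuit_id):
    """LAN ID = DIS system ID + 1-octet circuit ID, e.g. 1921.6800.0001.01."""
    return f"{system_id}.{circuit_id:02X}"


def check_area(nets):
    """Rules 3 and 4 for the routers of one area: same area address, unique system IDs."""
    parsed = [parse_net(n) for n in nets]
    problems = []
    areas = sorted({p["area"] for p in parsed})
    if len(areas) > 1:
        problems.append("area address mismatch: " + ", ".join(areas))
    seen = set()
    for p in parsed:
        if p["system_id"] in seen:
            problems.append("duplicate system ID " + p["system_id"])
        seen.add(p["system_id"])
    return problems
```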
Basic operation of OSI routing
• Level 0 routing is conducted by ES-IS
• Level 1 routing is performed by IS-IS
• Level 2 routing is performed by IS-IS
• Level 3 routing is performed by IDRP (Inter-Domain Routing
Protocol)
ES-IS discovery protocol operation
IS-IS Features
• Link-state routing protocol based on the OSI model
• Uses Dijkstra's SPF algorithm
• A router can only exist in one area
• Supports two routing levels: Level 1 and Level 2 routing
• Level 1 router (like OSPF internal non-backbone
routers):
- router that builds an L1 LSDB containing system ids only
and the router interfaces to reach these system ids, because it
routes inside the area only.
• Level 2 router (like an OSPF ABR):
- router that builds an L2 LSDB about areas only and the
interfaces to reach these areas, because it routes
between areas only.
• Level 1 / Level 2 router (like OSPF backbone routers):
- router that builds both L1 & L2 LSDBs, so it supports both
intra-area and inter-area routing; each L1/L2 router
advertises a default route to all routers inside its area, so it
acts as the Area Border Router (ABR) of a totally stub area.
• The IS-IS backbone is not an area; it is the contiguous
path containing all L2 & L1/L2 routers, so extending it is
very flexible.
OSI IS-IS routing process
Traffic flow process example
Route Leaking (route injection)
• When several ISs provide exits from a certain area, sub-
optimal routing can take place.
• A feature available since Cisco IOS Software Release 12.0
allows selected Level 2 routes to leak in a controlled manner to
Level 1 routers, which helps avoid asymmetric routing.
• Route leaking helps reduce suboptimal routing by providing a
mechanism for leaking, or redistributing, Level 2 information into
Level 1 areas. By having more detail about inter-area routes, a
Level 1 router is able to make a better choice about which Level
1-2 router to forward the packet to.
• To implement route leaking, an up/down bit in the TLV is used to
indicate whether or not the route identified in the TLV has been
leaked. If the up/down bit is set to 0 the route was originated
within that Level 1 area.
• If the up/down bit is set to 1 the route has been redistributed into
the area from Level 2. The up/down bit is used to prevent routing
loops: a Level 1-2 router does not readvertise into Level 2 any
Level 1 routes that have the up/down bit set. Route leaking
should be planned and deployed carefully to avoid the situation
where any topology change in one area results in having to
recompute many routes in all other areas.
IS-IS operation
1) Forming adjacencies (neighbour discovery):
send an L1 IIH (IS-to-IS Hello), an L2 IIH or both on broadcast
media every 10 sec;
send a P2P hello on point-to-point media every 10 sec.
2) Electing the DIS (Designated IS), also called the pseudonode:
- the router with the highest priority (0-127, default 64),
- then the highest MAC address or SNPA address.
Note that all routers form adjacencies with the DIS and with
each other too, but only the DIS generates the pseudonode LSP
(like the type 2 LSA in OSPF); it also decreases the adjacency
overhead. It is not guaranteed to stay the DIS if a
better IS appears on the LAN, and no backup DIS
is elected.
The DIS has circuit Id = system id + a 1-byte non-zero value,
i.e. 0x01;
the others have circuit Id = system id + 1 byte 0x00.
3) Forming the LSDB (route discovery):
each router exchanges IS-IS packets with the others to form the L1
and L2 LSDBs.
[Figure: a router with S0 in EIGRP and S1 in IS-IS, ES neighbors, network 11.0.0.0/8]
Solution
(config)#interface ……
(config-if)#ip router isis
(config-if)#end
(config)#router isis
(config-router)#net 49.0001.xxx……
(config-router)#redistribute eigrp 100 level-1
(config-router)#redistribute connected level-1
(config)#router eigrp 100
(config-router)#network ………
(config-router)#redistribute isis level-2 metric 10000 10 255 1 1500
(config-router)#end
#copy run start
OSPF vs. IS-IS
Enhanced Interior Gateway Routing Protocol (EIGRP)
• EIGRP features:
2- Rapid convergence:
uses DUAL (Diffusing Update Algorithm), which keeps a backup route
for each best route, if one is available
4- Easy configuration:
its origin is distance vector (D.V.)
7- Efficient updating:
incremental, triggered & partial updates
• EIGRP terminology:
1- Neighbor table
(list of all neighbors)
#show ip eigrp neighbors
2- Topology table
(list of all routes to all destination networks; as a matter of
fact, it is the routing tables of all neighbors)
#show ip eigrp topology [all-links]
3- Routing table
(best routes to all destination networks)
#show ip route [eigrp]
4- Successor 'S'
(the best route)
5- Feasible successor 'FS'
(the backup route)
6- Feasible distance 'FD'
(the metric from this router to the destination)
7- Advertised distance 'AD'
(the metric from my neighbor to the destination)
• EIGRP packet types:
1- Hello packet:
- used for neighbor discovery and to maintain the neighbor
relationship
- sent periodically to 224.0.0.10
- hello period:
5 sec on fast links (> 1.54 Mbps) & point-to-point links
60 sec on slow links (<= 1.54 Mbps)
Dead interval = 3 * hello interval (15 sec for fast links, 180
sec for slow links)
2- Update packet:
- contains the routing table at startup (sent unicast)
- contains a partial update in case of a change (sent multicast
to 224.0.0.10)
3- Query packet:
- sent on multicast 224.0.0.10 if the S is lost and there is no FS in the
topology table; it is used to declare the failure of a link & to request
information about another path from the neighbors
4- Reply packet:
- the reply to the query, sent to a unicast address
5- Ack packet:
- acknowledges all EIGRP packets except the Hello packet
• Operation:
At startup:
every router discovers its neighbors (begins establishing
adjacency) using the hello protocol.
For EIGRP routers to be neighbors:
1- they must have the same AS no.
2- they must have the same K-values.
Then the router exchanges its routing table with its neighbors.
From the routing tables of the neighbors the router forms
the topology table.
The command below will display that operation:
RouterA#debug eigrp packets
At convergence:
- no periodic updates, only hello packets
• Hellos are sent every 5 seconds on the following
links:
- broadcast media: Ethernet, Token Ring, FDDI
- point-to-point serial links: PPP, HDLC
- point-to-point subinterfaces: Frame Relay, ATM
- multipoint circuits with bandwidth greater than T1:
Frame Relay, ATM, ISDN PRI
• Hellos are sent every 60 seconds on the following links:
- multipoint circuits with bandwidth less than or equal
to T1: ISDN BRI, Frame Relay, SMDS, ATM, and X.25
• The hold time is by default three times the hello time
At a change:
1- If there is an FS:
if the router has an FS in its topology table, it will use it
in case the S fails, and it will send an update to
indicate that it uses a new route.
2- If there is no FS:
the router sends a query packet to ask for another
route to the destination network;
the other routers reply to the query.
• Route selection:
- by applying DUAL on the topology table to get the routing
table.
- DUAL:
1- tracks all routes advertised by neighbors
2- selects a loop-free path using a successor 'S' and an 'FS'
3- if the S is lost, the FS is used
4- if no FS is available, it queries the neighbors and recalculates the S
5- it can hold up to 4 routes by default and 6 as a maximum for the
same destination network in the routing table
6- it can differentiate between different types of paths:
- internal path (admin. dist. = 90 & symbol in the routing table is 'D')
- summary path (admin. dist. = 5 & symbol in the routing table is 'D',
out of interface Null 0)
- external path (admin. dist. = 170 & symbol in the routing table is
'D EX')
• How to choose the S?
- The S is the route that has the least metric.
Metric = 256 * [k1*BW + (k2*BW)/(256 - load) + k3*Delay + k5/(reliability + k4)]
By default k1 = k3 = 1, k2 = k4 = k5 = 0
BW = 10^7 / BWi, where BWi = bandwidth of the interface in kbps
Delay = delayi * 10, where delayi = delay of the interface in
microseconds
These values can be observed with the #show interface
command.
• How to choose the FS?
"This is called the feasibility condition":
the route that satisfies the inequality FD(S) > AD(FS)
is eligible to be the FS.
Example on EIGRP route calculation
Which path from A to D is better when using the EIGRP protocol?
[Figure: two paths A-B-C-D and A-X-Y-Z-D; all delays in units of tens of microseconds]
• Delay is the sum of all the delays of the links along the
path:
Delay = [delay in tens of microseconds] x 256
• BW is the lowest bandwidth of the links along the
path:
BW = [10,000,000 / (bandwidth in kbps)] x 256
A-B-C-D: least bandwidth 64 kbps, total delay 6,000
Metric = [10^7/64 + 6000] x 256 = 41,536,000
A-X-Y-Z-D: least bandwidth 256 kbps, total delay 8,000
Metric = [10^7/256 + 8000] x 256 = 12,048,000
EIGRP Offset Lists, the final tool for manipulating the EIGRP
metrics, allow an engineer to simply add a value (an offset, if
you will) to the calculated integer metric for a given prefix. To
do so, an engineer can create and enable an EIGRP Offset
List that defines the value to add to the metric, plus some
rules regarding which routes should be matched and
therefore have the value added to their computed FD.
An Offset List can perform the following functions:
■ Match prefixes/prefix lengths using an IP ACL, so that the
offset is applied only to routes matched by the ACL with a
permit clause
■ Match the direction of the Update message, either sent
(out) or received (in)
■ Match the interface on which the Update is sent or received
■ Set the integer metric added to the calculation for both the
FD and RD calculations for the route
The configuration itself uses the following command in
EIGRP configuration mode, in addition to any referenced IP
ACLs:
(config-router)#offset-list {access-list-number | access-list-name} {in | out} offset [interface-type interface-number]
Example:
WAN1(config)#access-list 11 permit 10.11.1.0
WAN1(config)#router eigrp 1
WAN1(config-router)#offset-list 11 in 3 Serial0/0/0.1
WAN1(config-router)#end
Mar 2 11:34:36.667: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.1.2 (Serial0/0/0.1) is resync: peer graceful-restart
Before using the offset list:
WAN1#show ip eigrp topo 10.11.1.0/24
IP-EIGRP (AS 1): Topology entry for 10.11.1.0/24
State is Passive, Query origin flag is 1, 1 Successor(s), FD is 2172416
Routing Descriptor Blocks:
10.1.1.2 (Serial0/0/0.1), from 10.1.1.2, Send flag is 0x0
Composite metric is (2172416/28160), Route is Internal
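The metric formula, the two worked paths, the feasibility condition and the offset-list adjustment described above, carried through in Python as an added example (not course material). The per-link values are constructed so that the A-B-C-D and A-X-Y-Z-D paths reproduce the slide's 64 kbps / 6,000 and 256 kbps / 8,000 totals and a T1 + FastEthernet entry reproduces the (2172416/28160) composite metric above; IOS truncates 10^7 / bandwidth to an integer, so the second path comes out at 12,047,872 rather than the rounded 12,048,000 written on the slide.

```python
"""EIGRP composite metric with the default K values, successor / feasible
successor selection (DUAL's feasibility condition) and an offset-list
adjustment, using the formula and the two worked paths from the slides above.

Added example, not part of the course material. The per-link figures are
constructed; the path totals (64 kbps / 6,000 and 256 kbps / 8,000) and the
(2172416/28160) topology entry are the ones the page shows.
"""


def eigrp_metric(bandwidths_kbps, delays_usec, k1=1, k2=0, k3=1, load=1):
    """Composite metric of a path from its links' bandwidths (kbps) and delays (microseconds).
    BW term = 10^7 // lowest bandwidth (IOS truncates); delay term = summed delay in tens
    of microseconds; the bracketed sum is scaled by 256. With the default k5 = 0 the
    reliability term is not used, so it is left out here."""
    bw = 10_000_000 // min(bandwidths_kbps)
    delay = sum(delays_usec) // 10
    return 256 * (k1 * bw + (k2 * bw) // (256 - load) + k3 * delay)


def topology_row(neighbor, adv_min_bw, adv_delay, link_bw, link_delay):
    """One topology-table row. EIGRP carries the metric as a vector, so the AD is the
    neighbor's own metric and the FD recomputes min bandwidth / total delay over the
    extra hop to that neighbor."""
    return {
        "neighbor": neighbor,
        "ad": eigrp_metric([adv_min_bw], [adv_delay]),
        "fd": eigrp_metric([adv_min_bw, link_bw], [adv_delay, link_delay]),
    }


def dual_select(rows):
    """Successor = lowest FD. Feasible successors = the other rows whose AD is strictly
    lower than the successor's FD (the feasibility condition FD(S) > AD(FS))."""
    ranked = sorted(rows, key=lambda r: r["fd"])
    successor = ranked[0]
    feasible = [r for r in ranked[1:] if r["ad"] < successor["fd"]]
    return successor, feasible


def apply_offset(row, offset, permitted=True):
    """Inbound offset-list: the integer offset is added to both the FD and the AD (RD)
    of the routes the referenced ACL permits; other routes are untouched."""
    if not permitted:
        return dict(row)
    return {**row, "ad": row["ad"] + offset, "fd": row["fd"] + offset}


# Constructed topology table of router A for destination D (three neighbors):
#  via X: the A-X-Y-Z-D path (min 256 kbps, total delay 8,000 tens of microseconds)
#  via B: the A-B-C-D path (min 64 kbps, total delay 6,000 tens of microseconds)
#  via Q: a path whose AD equals the successor's FD, so it fails the feasibility
#         condition (the inequality is strict) even though it is loop-free here
TOPOLOGY_D = [
    topology_row("X", adv_min_bw=1544, adv_delay=60000, link_bw=256, link_delay=20000),
    topology_row("B", adv_min_bw=1544, adv_delay=40000, link_bw=64, link_delay=20000),
    topology_row("Q", adv_min_bw=256, adv_delay=80000, link_bw=1544, link_delay=20000),
]
```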
DUAL example:
Stable network
[Figure: replies return to D, so D can finally take a decision]
• Query problem:
- the router has to get all the replies from the neighbors with
an outstanding query before it calculates the
successor information
- if any neighbor fails to reply to the query, the route becomes
Stuck In Active (SIA)
- contrary to popular belief, queries are not
bounded by AS boundaries; queries from
AS 1 are propagated to AS 2
The previous figure on the left illustrates what would happen before this feature was introduced. Router A sends a query for network 10.1.1.0/24 to router B. Router B has no entry for this network, so it queries router C. If problems exist between router B and C, the reply packet from router C to router B may be delayed or lost. Router A has no visibility of downstream progress and assumes that the lack of response indicates problems with router B. After the router A 3-minute active timer expires, the neighbor relationship with router B is reset, along with all known routes from router B.
By contrast, with the active process enhancement feature, router A queries downstream router B (with an SIA-Query) at the midway point of the active timer (1.5 minutes by default) about the status of the route. Router B responds (with an SIA-Reply) that it is searching for a replacement route. Upon receiving this SIA-Reply response packet, router A validates the status of router B and does not terminate the neighbor relationship.
Meanwhile router B sends up to three SIA-Queries to router C. If they go unanswered, router B terminates the neighbor relationship with router C. Router B then updates router A with an SIA-Reply indicating that the network 10.1.1.0/24 is unreachable. Routers A and B remove the active route from their topology tables. The neighbor relationship between routers A and B remains intact.
2- Using summarization
(config-if)# ip summary-address eigrp <AS> <address> <mask>
3- Graceful Shutdown
Graceful shutdown, implemented with
the goodbye message feature, is
designed to improve
EIGRP network convergence.
In the figure, router A is using router B
as the successor for a number of
routes; router C is the feasible
successor for the same routes.
Router B normally would not tell router A if the EIGRP
process on router B was going down; for example, if router B was
being reconfigured. Router A would have to wait for its hold timer to
expire before it would discover the change and react to it. Packets
sent during this time would be lost.
With graceful shutdown, the goodbye message is broadcast when an
EIGRP routing process is shut down to inform adjacent peers about
the impending topology change. This feature allows
supporting EIGRP peers to synchronize and recalculate neighbor
relationships more efficiently than would occur if the peers
discovered the topology change after the hold timer expired.
Goodbye messages are sent in hello packets. EIGRP sends an
interface goodbye message with all K values set to 255 when taking
down all peers on an interface. The following message is displayed
by routers that support goodbye messages when one is received:
*Apr 26 13:48:42.523: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1:
Neighbor 10.1.1.1 (Ethernet0/0) is down: Interface Goodbye received
A Cisco router that runs a software release that does not support the
goodbye message will misinterpret the message as a K-value
mismatch and therefore display the following message:
*Apr 26 13:48:41.811: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1:
Neighbor 10.1.1.1 (Ethernet0/0) is down: K-value mismatch
Note: The receipt of a goodbye message by a peer that does not support this feature does not disrupt normal network operation. The peer will terminate the session when the hold timer expires. The sending and receiving routers will reconverge normally after the sender reloads.
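The two log messages above come from the same packet interpreted by two different receivers. The following added example (not from the course, not Cisco code) builds a minimal EIGRP Hello with a parameters TLV, parses it with length checks, and classifies it the way a receiving router would: a supporting router treats K values of all 255 as an interface goodbye, an older router sees the same bytes as a K-value mismatch. The header and TLV layout are assumptions based on the classic EIGRP packet format; the checksum is left at zero.

```python
import struct

# Layout used here (assumption based on the classic EIGRP packet format):
#   20-byte header: version=2, opcode, checksum, flags, sequence, ack, AS number
#   followed by TLVs; the "parameters" TLV (type 0x0001, length 12) carries
#   K1..K5, one reserved byte and the 16-bit hold time.
EIGRP_VERSION = 2
OPCODE_HELLO = 5
TLV_PARAMETERS = 0x0001
GOODBYE_K = [255, 255, 255, 255, 255]


def build_hello(asn, k_values, hold_time):
    """Constructed sample Hello carrying one parameters TLV (checksum left as 0)."""
    if len(k_values) != 5:
        raise ValueError("five K values required")
    header = struct.pack("!BBHIIII", EIGRP_VERSION, OPCODE_HELLO, 0, 0, 0, 0, asn)
    tlv = struct.pack("!HH5BBH", TLV_PARAMETERS, 12, *k_values, 0, hold_time)
    return header + tlv


def parse_hello(pkt):
    """Return (asn, k_values, hold_time) from the first parameters TLV, validating lengths."""
    if len(pkt) < 20:
        raise ValueError("truncated EIGRP header")
    version, opcode, _csum, _flags, _seq, _ack, asn = struct.unpack("!BBHIIII", pkt[:20])
    if version != EIGRP_VERSION or opcode != OPCODE_HELLO:
        raise ValueError("not an EIGRP version-2 Hello")
    off = 20
    while off + 4 <= len(pkt):
        ttype, tlen = struct.unpack("!HH", pkt[off:off + 4])
        if tlen < 4 or off + tlen > len(pkt):
            raise ValueError("malformed TLV length")      # never trust on-the-wire lengths
        if ttype == TLV_PARAMETERS and tlen >= 12:
            k_values = list(pkt[off + 4:off + 9])
            hold_time = struct.unpack("!H", pkt[off + 10:off + 12])[0]
            return asn, k_values, hold_time
        off += tlen
    raise ValueError("no parameters TLV in Hello")


def is_malformed(pkt):
    try:
        parse_hello(pkt)
        return False
    except ValueError:
        return True


def classify_hello(pkt, local_asn, local_k, supports_goodbye=True):
    """What a receiving router does with the Hello; the 'goodbye' and 'K-value
    mismatch' results correspond to the two %DUAL-5-NBRCHANGE messages above."""
    asn, k_values, hold_time = parse_hello(pkt)
    if asn != local_asn:
        return "ignore: AS mismatch"
    if k_values == GOODBYE_K and supports_goodbye:
        return "goodbye: Interface Goodbye received, adjacency torn down now"
    if k_values != local_k:
        return "K-value mismatch: adjacency not formed"   # older IOS reports a goodbye this way
    return "ok: hold time %d" % hold_time
```

The length checks in parse_hello are the part worth copying: a TLV length that points past the end of the packet is rejected instead of being read, which is the usual failure mode of hand-written protocol parsers.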
4- Defining stub networks
If network 10.1.1.0/24 fails in a topology like the one shown in the figure, the query is flooded to every router and each router waits for the replies of the others, so routes can become Stuck In Active. A stub router is never queried, which limits the query scope.
Example: eigrp stub Parameters
(config-router)# eigrp stub [receive-only] [connected] [static] [summary]
Without keywords, eigrp stub defaults to connected and summary.
If stub connected is configured:
• B will advertise 10.1.2.0/24 to A.
• B will not advertise 10.1.2.0/23, 10.1.3.0/24, or 10.1.4.0/24.
If stub summary is configured:
• B will advertise 10.1.2.0/23 to A.
• B will not advertise 10.1.2.0/24, 10.1.3.0/24, or 10.1.4.0/24.
If stub static is configured:
• B will advertise 10.1.4.0/24 to A.
• B will not advertise 10.1.2.0/24, 10.1.2.0/23, or 10.1.3.0/24.
If stub receive-only is configured:
• B will not advertise anything to A, so A needs a static route to the networks behind B to reach them.
• Configuration:
(config)# router eigrp <AS no.>
! Up to 32 EIGRP processes (AS numbers) can be configured on the same router
(config-router)# network <ip> [<wildcard mask>]
Example 1 (figure)
Example 2 (figure)
Auto and Manual summary:
(config-router)# no auto-summary
(config-if)# ip summary-address eigrp <AS> <ip> <mask> [admin distance]
By default EIGRP uses up to 50% of the configured interface bandwidth for its packets (ip bandwidth-percent eigrp <AS> <percent> changes this).
EIGRP supports different WAN links:
• Point-to-point serial links
Bandwidth is assumed to be T1 (1544 kbps) by default, so configure the real bandwidth manually:
(config-if)#bandwidth <BW in kbps>
• ISDN PRI
EIGRP uses the bandwidth on the main interface divided by the number of neighbors on that interface to get the bandwidth per neighbor.
• NBMA
- Point-to-point subinterfaces
Bandwidth is assumed to be T1 by default, so configure the bandwidth manually as the CIR of the PVC.
- Multipoint interfaces (Frame Relay, ATM, Switched Multimegabit Data Service (SMDS))
EIGRP uses the bandwidth on the main interface divided by the number of neighbors on that interface to get the bandwidth per neighbor.
So for multipoint interfaces with non-uniform CIRs, either convert to a point-to-point configuration, or configure the bandwidth manually as the lowest CIR multiplied by the number of PVCs.
On NBMA point-to-point subinterfaces, configure the bandwidth of each PVC on its own subinterface.
Configuring EIGRP MD5 Authentication
Router(config-if)#
ip authentication mode eigrp autonomous-system md5
• Specifies MD5 authentication for EIGRP packets
Router(config-if)#
ip authentication key-chain eigrp autonomous-system
name-of-chain
• Enables authentication of EIGRP packets using key in the
Keychain
Router(config-keychain-key)#
accept-lifetime start-time {infinite | end-time | duration
seconds}
• Optional: Specifies when key will be accepted for received
packets
Router(config-keychain-key)#
send-lifetime start-time {infinite | end-time | duration
seconds}
• Optional: Specifies when key can be used for sending packets
EIGRP Authentication Configuration Checklist
The EIGRP authentication configuration process requires several
commands, which are summarized as follows:
Step 1. Create an (authentication) key chain:
Create the chain and give it a name with the key chain name global
command (also puts the user into key chain config mode). The name
does not have to match on the neighboring routers.
Create one or more key numbers using the key number command in
key chain configuration mode. The key numbers do not have to
match on the neighboring routers.
Define the authentication key's value using the key-string value command in key configuration mode. The key strings must match on the neighboring routers.
(Optional) Define the lifetime (time period) for both sending and
accepting each key string.
Step 2. Enable EIGRP MD5 authentication on an interface, for a
particular EIGRP ASN, using the ip authentication mode eigrp asn
md5 interface subcommand.
Step 3. Refer to the correct key chain to be used on an interface
using the ip authentication key-chain eigrp asn name-of-chain
interface subcommand.
The configuration at Step 1 is fairly detailed, but Steps 2 and 3 are
relatively simple. Essentially, IOS configures the key values
separately (Step 1) and then requires an interface subcommand
to refer to the key values. To support the ability to have multiple
keys, and even multiple sets of keys, the configuration includes the
concept of a key chain and multiple keys on each key chain.
Key Chain Time-Based Logic
The key chain configuration concept, as outlined in Step 1, allows the engineer to migrate from one key value to another over time. Just like a real key chain that has
multiple keys, the IOS key chain concept allows the configuration of
multiple keys—each identified with a number. If no lifetime has been
configured for a key, it is considered to be
valid during all time frames. However, when a key has been
defined with a lifetime, the key is valid only during the valid
lifetime.
The existence of multiple keys in a key chain, and the existence
of valid lifetimes for each key, can cause some confusion about
when the keys are used. The rules can be summarized
as follows:
■ Sending EIGRP messages: Use the lowest key number among
all currently valid keys.
■ Receiving EIGRP message: Check the MD5 digest using ALL
currently valid keys.
R1:
<output omitted>
key chain R1chain
 key 1
  key-string firstkey
  accept-lifetime 04:00:00 Jan 1 2006 infinite
  send-lifetime 04:00:00 Jan 1 2006 04:01:00 Jan 1 2006
 key 2
  key-string secondkey
  accept-lifetime 04:00:00 Jan 1 2006 infinite
  send-lifetime 04:00:00 Jan 1 2006 infinite
<output omitted>
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0
!
interface Serial0/0/1
 bandwidth 64
 ip address 192.168.1.101 255.255.255.224
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 R1chain
!
router eigrp 100
 network 172.16.1.0 0.0.0.255
 network 192.168.1.0
 auto-summary

R2:
<output omitted>
key chain R2chain
 key 1
  key-string firstkey
  accept-lifetime 04:00:00 Jan 1 2006 infinite
  send-lifetime 04:00:00 Jan 1 2006 infinite
 key 2
  key-string secondkey
  accept-lifetime 04:00:00 Jan 1 2006 infinite
  send-lifetime 04:00:00 Jan 1 2006 infinite
<output omitted>
interface FastEthernet0/0
 ip address 172.17.2.2 255.255.255.0
!
interface Serial0/0/1
 bandwidth 64
 ip address 192.168.1.102 255.255.255.224
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 R2chain
!
router eigrp 100
 network 172.17.2.0 0.0.0.255
 network 192.168.1.0
 auto-summary
Note: R1 sends with key 1 only until 04:01:00 Jan 1 2006 (one minute); after that it sends with key 2, which R2 accepts because R2's accept-lifetime for key 2 is infinite. Both keys stay acceptable on both routers, so the rollover does not drop the adjacency.
R1#debug eigrp packets
EIGRP Packets debugging is on
    (UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
*Jan 21 16:38:51.745: EIGRP: received packet with MD5 authentication, key id = 1
*Jan 21 16:38:51.745: EIGRP: Received HELLO on Serial0/0/1 nbr 192.168.1.102
*Jan 21 16:38:51.745:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
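The send/accept rules in the checklist are easy to get wrong when keys have lifetimes, so here is an added model of them (not IOS code) that replays the R1/R2 key chains above. Sending picks the lowest-numbered key whose send-lifetime covers the current time; receiving accepts a packet if a key whose accept-lifetime covers the current time and whose number matches the key id in the packet reproduces the digest. The digest is a stand-in (HMAC-MD5 over the packet bytes, an assumption for illustration); the real EIGRP authentication TLV and digest construction are not reproduced.

```python
import hashlib
import hmac
from datetime import datetime

INFINITE = datetime.max


class Key:
    def __init__(self, number, key_string, accept=(datetime.min, INFINITE),
                 send=(datetime.min, INFINITE)):
        self.number = number
        self.key_string = key_string
        self.accept = accept   # (start, end): the 'accept-lifetime' window
        self.send = send       # (start, end): the 'send-lifetime' window

    def can_send(self, now):
        return self.send[0] <= now < self.send[1]

    def can_accept(self, now):
        return self.accept[0] <= now < self.accept[1]


class KeyChain:
    def __init__(self, name, keys):
        self.name = name
        self.keys = sorted(keys, key=lambda k: k.number)

    def send_key(self, now):
        """Lowest-numbered key that is currently valid for sending, or None."""
        for k in self.keys:
            if k.can_send(now):
                return k
        return None

    def accept_keys(self, now):
        return [k for k in self.keys if k.can_accept(now)]


def digest(key_string, payload):
    # Stand-in for the EIGRP MD5 digest: keyed MD5 over the packet bytes.
    return hmac.new(key_string.encode(), payload, hashlib.md5).digest()


def sign(chain, payload, now):
    """Return (key id, digest) for an outgoing packet, or raise if no key is valid."""
    k = chain.send_key(now)
    if k is None:
        raise RuntimeError("no valid send key: packet would be sent unauthenticated")
    return k.number, digest(k.key_string, payload)


def verify(chain, payload, key_id, tag, now):
    """True if some currently acceptable key with this id reproduces the digest."""
    for k in chain.accept_keys(now):
        if k.number == key_id and hmac.compare_digest(digest(k.key_string, payload), tag):
            return True
    return False


def _r1_chain(t_start, t_stop):
    # R1chain from the configuration above: key 1 sendable only until t_stop.
    return KeyChain("R1chain", [
        Key(1, "firstkey", accept=(t_start, INFINITE), send=(t_start, t_stop)),
        Key(2, "secondkey", accept=(t_start, INFINITE), send=(t_start, INFINITE)),
    ])


def rollover_demo():
    """One packet before and one after 04:01:00 Jan 1 2006, verified by R2chain,
    plus a tampered copy of each. Returns [(key id, ok, tampered ok), ...]."""
    t_start, t_stop = datetime(2006, 1, 1, 4, 0, 0), datetime(2006, 1, 1, 4, 1, 0)
    r1 = _r1_chain(t_start, t_stop)
    r2 = KeyChain("R2chain", [
        Key(1, "firstkey", accept=(t_start, INFINITE), send=(t_start, INFINITE)),
        Key(2, "secondkey", accept=(t_start, INFINITE), send=(t_start, INFINITE)),
    ])
    hello = b"EIGRP HELLO AS 100 from 192.168.1.101"      # constructed payload
    results = []
    for now in (datetime(2006, 1, 1, 4, 0, 30), datetime(2006, 1, 1, 4, 1, 30)):
        key_id, tag = sign(r1, hello, now)
        results.append((key_id, verify(r2, hello, key_id, tag, now),
                        verify(r2, hello + b"x", key_id, tag, now)))
    return results


def missing_key_demo():
    """R2 configured with key 1 only: once R1 rolls to key 2, R2 rejects every packet."""
    t_start, t_stop = datetime(2006, 1, 1, 4, 0, 0), datetime(2006, 1, 1, 4, 1, 0)
    r2 = KeyChain("R2chain", [Key(1, "firstkey")])
    now = datetime(2006, 1, 1, 4, 1, 30)
    key_id, tag = sign(_r1_chain(t_start, t_stop), b"hello", now)
    return key_id, verify(r2, b"hello", key_id, tag, now)
```

missing_key_demo is the case to remember when planning a key rollover: add the new key with an open accept-lifetime on every neighbor first, and only then restrict the send-lifetime of the old key on the sender.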
• Troubleshooting:
#show ip route
#show ip protocols
RouterA# show ip protocols (output in figure)
Verifying EIGRP Operations: Unstable Network
RouterA# debug ip eigrp (output in figure)
BGP
(Border Gateway Protocol)
Overview
• BGPv4 is an Exterior Gateway Protocol (EGP) that exchanges routing information between different Autonomous Systems, so it operates mainly at the border of an AS.
• BGP is not designed to choose paths based on bandwidth, delay or other metrics; paths are chosen based on policy attributes.
• An AS is a collection of networks under a single technical administration. An AS is identified by a unique number; the original 2-byte range is 1 - 65535, of which 64512 - 65535 is reserved for private use (4-byte AS numbers were added later).
IGPs work within an AS; BGP works between ASs.
BGP messages
1- Open message
Used to open a BGP session with a neighbor once the TCP connection (port 179) is up. It carries the BGP version, the local AS number, the hold time and the BGP router ID.
2- Keepalive message
Sent periodically (every 60 seconds by default, one third of the 180-second hold time) to confirm that the peer is still reachable and keep the session up.
3- Update message
Contains the destination networks (NLRI), the attributes used to reach them, and any withdrawn routes.
4- Notification message
Sent when an error condition is detected (for example a malformed message, hold timer expiry or a mismatch in the Open parameters); the BGP session is closed immediately after it is sent.
BGP neighbor states
• A BGP peer, also known as a BGP neighbor, is a specific
term that is used for BGP speakers that have established a
neighbor relationship.
• Any two routers that have formed a TCP connection to
exchange BGP routing information are called peers or
neighbors.
BGP Start up Operation
After the neighbor command is entered:
(config)#router bgp <as#>
(config-router)#neighbor <neighbor ip> remote-as <neighbor as#>
the session moves through the following states:
Idle state:
The router searches the IP routing table for a route to the neighbor and initiates a TCP connection; without a route it stays in Idle.
Connect state:
The route was found and the router is waiting for the TCP 3-way handshake to complete.
Active state:
The TCP connection attempt failed and the router is retrying it. A session that flaps between Idle and Active usually has a TCP-level problem (no route, an ACL, a wrong address, or the other side is not configured).
Open sent:
The TCP connection is up and an Open message has been sent; the router waits for the neighbor's Open.
Open confirm:
The neighbor's Open was received and its parameters accepted; the router waits for a Keepalive (or a Notification).
Established state:
Peering is formed and routing exchange (Update messages) begins.
RouterA# debug ip bgp events
BGP events debugging is on
BGP : 172.16.1.2 passive open
BGP : 172.16.1.2 went from idle to connect
BGP : 172.16.1.2 open rcvd, version 4
BGP : 172.16.1.2 went from connect to open sent
BGP : 172.16.1.2 sending open, version 4
BGP : 172.16.1.2 went from open sent to open confirm
BGP : Scanning routing tables
BGP : 172.16.1.2 went from open confirm to established
(figure: BGP runs on the border routers and an IGP inside the AS; an update for 11.0.0.0 reaches the border router, but the internal routers that do not run BGP have no entry for 11.0.0.0 in their routing tables)
• Conclude:
BGP must run on all routers in the transit path of a transit AS to avoid black holes, or otherwise BGP must be redistributed into the IGP.
• Synchronization rule: (to avoid black holes)
A router does not use, or advertise to an eBGP neighbor, a route learned from an iBGP neighbor unless a matching route exists in the IP routing table via an IGP (non-BGP).
To avoid synchronization problems (black holes):
1- Redistribute BGP routes into the IGP (a big headache for IGPs: the Internet BGP table is very large and IGPs are not designed for that scale).
2- Run BGP on all transit AS routers and disable synchronization:
(config-router)#no synchronization
BGP Synchronization
• Synchronization rule:
Do not use or advertise to an external neighbor a route learned by iBGP until a matching route has been learned from an IGP.
• Ensures consistency of information throughout the AS.
• Avoids black holes within the AS.
• Safe to turn off if all routers in the AS run full-mesh iBGP (or the AS is not a transit AS). Synchronization is disabled by default in IOS 12.2(8)T and later.
Router(config-router)# no synchronization
• Disables BGP synchronization so a router can advertise routes in BGP without learning them in the IGP; make sure every router in the transit path runs BGP, otherwise black holes appear.
• Conclude:
BGP must run in full-mesh fashion inside the AS (iBGP sessions between all BGP routers) because of the iBGP split-horizon rule: a route learned from one iBGP neighbor is not advertised to another iBGP neighbor. Route reflectors and confederations are the alternatives to a full mesh.
4- BGP must run in full mesh fashion (figure)
Method 2:
(config)#router bgp <as#>
(config-router)#network <address> [mask <mask>]
This command was not designed to perform summarization by itself; the aggregate-address command was designed for summarization.
• To use the network statement for summarization, the network number and mask used must already exist exactly in the routing table.
• If the route was already summarized by EIGRP or OSPF, that summary can be announced into BGP with the network and mask commands.
• If the route was not already summarized, a static route to null0 must be created for BGP to announce the summary:
(config)#ip route <address> <mask> null0
Cautions about Network Statement
• If a network statement is used for summarization, do not also configure network statements for the more specific entries; if both are used, the summarized route and the more specific routes will all be announced.
• 192.168.24.0/22 does not exist in the IP routing table without the null route.
• BGP will not announce the network unless the summarized route is already present in the routing table.
3- Source of updates behaviour
• A router will never accept a BGP session from a source unless that source address is listed in one of its neighbor commands (its neighbor list).
• When a BGP packet is received for a new BGP session, the source address of the packet is compared to the list of neighbor statements.
– If a match is found, a relationship is established.
– If no match is found, the packet is ignored.
• Make sure the source IP address matches the address that the other router has in its neighbor statement.
• To set the source of updates for a certain neighbor:
(config)#router bgp <as#>
(config-router)#neighbor <neighbor ip> update-source <interface name>
This command makes the BGP process use the IP address of the specified interface as the source IP address of all BGP packets sent to that neighbor.
• A loopback interface is usually used, as it stays up as long as the router is operational, so the session survives the failure of a single physical link.
• The address used in the neighbor statement is the destination IP address of all BGP packets to that neighbor and should be the loopback address of the other router.
• The update-source command is normally used only with iBGP neighbors.
• The address of an eBGP neighbor must be directly connected by default (TTL 1). The loopback of an eBGP neighbor is not directly connected, so eBGP peering between loopbacks additionally needs ebgp-multihop.
4- eBGP multihop
• Because eBGP neighbors must be directly connected by default, peering over multiple parallel links (for load sharing) or using a loopback as the update source breaks the session. To allow it, use:
(config-router)#neighbor <neighbor ip> ebgp-multihop [no. of hops]
• The number of hops is really the TTL of the BGP packets: TTL = 1 if the command is not used, and 255 if ebgp-multihop is used without a hop count.
• The neighbor's loopback is neither connected nor learned by an IGP across the AS boundary, so a static route is required to reach it.
5- Next hop behavior
- Router A advertises network 172.16.0.0 to router B in eBGP, with a next hop of 10.10.10.3.
- Router B advertises 172.16.0.0 in iBGP to router C, keeping 10.10.10.3 as the next-hop address (iBGP does not change the next hop).
- So C sees the next hop to reach 172.16.0.0 as 10.10.10.3 (the entry point of the next AS) and must have an IGP route to that address, otherwise the route is unusable.
To override that behaviour:
(config-router)#neighbor <neighbor ip> next-h
op-self
So if B has configured
(config-router)# neighbor 172.20.10.2 next-hop-self
C will see 172.16.0.0 with next hop 172.20.10.1 (B's address on the B-C link).
Next Hop on a Multiaccess Network
The following takes place on a multiaccess network:
• Router B advertises network 172.30.0.0 to router A in eBGP with a next hop of 10.10.10.2, not 10.10.10.1. This avoids an unnecessary hop.
• BGP is being efficient by informing AS 64520 of the best entry point into AS 65000 for network 172.30.0.0.
• Router B in AS 65000 also advertises to AS 64520 that the best entry point for each network in AS 64600 is the next hop of router C, because that is the best path to transit AS 65000 to AS 64600 from AS 64520.
Example: next-hop-self Configuration (figure)
6- BGP peer groups
• With many neighbors the configuration becomes a big overhead and configuration mistakes are likely.
• A peer group defines a template of configuration parameters and assigns these parameters to a group of neighbors.
• Useful when many neighbors share the same outbound policies.
• Members can have a different inbound policy.
• Its goal is to simplify configuration (and to save CPU, since updates are generated once per peer group rather than once per neighbor).
Example: (figure)
8-Multihoming
• Multiple connections to ISP is required to increase
reliability (redundancy) and performance (load
sharing)
– Reliability—If one ISP or connection fails, there
is still Internet access
– Performance—Better path selection to common
Internet destinations
• Types of connectivity:
1-Default routes from all providers
– Pass default route to internal routers
Default Routes from All Providers
– Low memory and CPU usage
– ISPs send BGP default route
• Default route passed into IGP
• Choice of exit point when multiple default routes
exist will be lowest IGP metric
– The AS of the customer sends all of its routes to
providers (ISPs)
– Inbound path to the AS of the customer is decided by
the ISPs
Provider-Owned Routes and the Default Route from
Each Provider
– Medium memory and CPU usage
– Best path to ISP-owned networks and to customer specific
networks are usually the shortest AS path
– Have ability to override path choice for some networks
– IGP metric to default route used for all other destinations
• Partial table from ISP and BGP running on all internal routers
(recommended):
– Path manipulation is easier using BGP attributes.
– Router configuration is more complex.
Full Routes from All Providers
– Higher memory and CPU usage
– Reach all destinations by best path
• Usually shortest AS path
– Can manually tune all pathways
BGP attributes
• BGP is not designed to choose paths based on bandwidth, delay or other metrics; paths are chosen based on policy attributes.
• Attributes are classified as follows:
Well-known attributes:
must be recognized by all compliant BGP implementations and are propagated to other neighbors.
- Well-known mandatory
must be present in every update message (ex.: as-path, next-hop, origin)
- Well-known discretionary
may be present in update messages (ex.: local preference, atomic aggregate)
Optional attributes:
need not be recognized by every BGP implementation. A recognized optional attribute is propagated to other neighbors according to its meaning; an unrecognized one is handled according to its transitive flag:
- Optional transitive
if not recognized, the attribute is marked as partial and propagated to other neighbors (ex.: aggregator, community)
- Optional non-transitive
discarded if not recognized (ex.: MED (Multi Exit Discriminator))
- Cisco attribute:
a local attribute on Cisco routers; it is not advertised in any update (ex.: weight)
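The four classes above map onto two flag bits in every path attribute (optional and transitive), plus the partial bit that gets set when an unrecognized optional transitive attribute is passed on. The following added example (not from the course or any BGP implementation) encodes a constructed path-attributes field, parses it with length checks, and applies the propagation rules: recognized attributes are kept, an unrecognized well-known attribute or a missing mandatory one rejects the UPDATE, an unrecognized optional transitive one is marked partial and kept, and an unrecognized optional non-transitive one is dropped. Type codes 200 and 201 are made up for the unknown cases; per-attribute semantics (for example that MED is not passed to the next AS) are not modeled.

```python
import struct

# Type codes from RFC 4271 and RFC 1997; flag bits of the attribute flags octet.
ORIGIN, AS_PATH, NEXT_HOP, MED, LOCAL_PREF, ATOMIC_AGGREGATE, AGGREGATOR, COMMUNITY = range(1, 9)
WELL_KNOWN_MANDATORY = {ORIGIN, AS_PATH, NEXT_HOP}
RECOGNIZED = {ORIGIN, AS_PATH, NEXT_HOP, MED, LOCAL_PREF, ATOMIC_AGGREGATE, AGGREGATOR, COMMUNITY}
FLAG_OPTIONAL, FLAG_TRANSITIVE, FLAG_PARTIAL, FLAG_EXTLEN = 0x80, 0x40, 0x20, 0x10


def encode_attr(flags, code, value):
    """Encode one path attribute; values over 255 bytes need the extended-length bit."""
    if len(value) > 255:
        return struct.pack("!BBH", flags | FLAG_EXTLEN, code, len(value)) + value
    return struct.pack("!BBB", flags & ~FLAG_EXTLEN, code, len(value)) + value


def parse_attrs(blob):
    """Yield (flags, code, value); every length is checked against the buffer."""
    off = 0
    while off < len(blob):
        if off + 3 > len(blob):
            raise ValueError("truncated attribute header")
        flags, code = blob[off], blob[off + 1]
        if flags & FLAG_EXTLEN:
            if off + 4 > len(blob):
                raise ValueError("truncated extended length")
            length, hdr = struct.unpack("!H", blob[off + 2:off + 4])[0], 4
        else:
            length, hdr = blob[off + 2], 3
        if off + hdr + length > len(blob):
            raise ValueError("attribute length exceeds UPDATE")
        yield flags, code, blob[off + hdr:off + hdr + length]
        off += hdr + length


def process_update(blob, recognized=RECOGNIZED):
    """Apply the propagation rules; returns (attributes to pass on, log lines).
    ValueError means the UPDATE is rejected (a NOTIFICATION would be sent)."""
    forward, log, seen = [], [], set()
    for flags, code, value in parse_attrs(blob):
        seen.add(code)
        optional, transitive = bool(flags & FLAG_OPTIONAL), bool(flags & FLAG_TRANSITIVE)
        if not optional and not transitive:
            raise ValueError("well-known attribute %d must be flagged transitive" % code)
        if code in recognized:
            forward.append((flags, code, value))
        elif not optional:
            raise ValueError("unrecognized well-known attribute %d" % code)
        elif transitive:
            log.append("unknown optional transitive %d: marked partial, propagated" % code)
            forward.append((flags | FLAG_PARTIAL, code, value))
        else:
            log.append("unknown optional non-transitive %d: discarded" % code)
    missing = WELL_KNOWN_MANDATORY - seen
    if missing:
        raise ValueError("missing well-known mandatory attributes %s" % sorted(missing))
    return forward, log


def is_rejected(blob, recognized=RECOGNIZED):
    try:
        process_update(blob, recognized)
        return False
    except ValueError:
        return True


def sample_update():
    """Constructed path-attributes field: the well-known set, MED, a community,
    and two attribute codes (200, 201) that this router does not recognize."""
    as_path = bytes([2, 1]) + struct.pack("!H", 65001)          # AS_SEQUENCE of one 2-byte AS
    return b"".join([
        encode_attr(FLAG_TRANSITIVE, ORIGIN, b"\x00"),                      # origin IGP (i)
        encode_attr(FLAG_TRANSITIVE, AS_PATH, as_path),
        encode_attr(FLAG_TRANSITIVE, NEXT_HOP, bytes([10, 10, 10, 3])),
        encode_attr(FLAG_OPTIONAL, MED, struct.pack("!I", 100)),
        encode_attr(FLAG_OPTIONAL | FLAG_TRANSITIVE, COMMUNITY, struct.pack("!HH", 65001, 100)),
        encode_attr(FLAG_OPTIONAL | FLAG_TRANSITIVE, 200, b"\x01\x02"),
        encode_attr(FLAG_OPTIONAL, 201, b"\x03"),
    ])
```

The "marked partial, propagated" branch is what lets a new optional transitive attribute cross routers that have never heard of it; it is also why a malformed optional transitive attribute injected at one edge can travel across many ASs, which is the reason modern implementations prefer treat-as-withdraw over session reset for attribute errors.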
1- AS path attribute (figure)
2- Next hop attribute (figure)
3- Origin attribute (figure)
4- Local preference attribute (figure)
5- Multi Exit Discriminator (MED) attribute (figure)
6- Weight attribute
• Cisco attribute (figure)
7- Atomic aggregate attribute
• Well-known discretionary
• Informs other routers that the originating router has performed aggregation (summarization) of routes, so path information of the more specific routes may have been lost (aggregate-address command).
8- Aggregator attribute
• Optional transitive
• Specifies the BGP router ID and AS number of the router that performed the route aggregation.
9- Community attribute
• Optional transitive
• Groups routes and tags them so that filtering or policy actions can be applied to the whole group.
• By default all routes are members of the community called internet.
BGP route selection process
• The BGP table usually has multiple paths from which to choose for each network.
• BGP is not designed to perform load balancing:
• Paths are chosen because of policy.
• Paths are not chosen based upon bandwidth.
• The BGP selection process eliminates the multiple paths by attrition until a single best path is left.
• That best path is submitted to the routing table manager process and evaluated against the routes from other routing protocols for reaching that network (administrative distance).
• The route with the lowest administrative distance is installed in the routing table.
(figure) Best (>) paths for networks 172.16.0.0/16 and 172.24.0.0/16 have not changed.
Best (>) path for network 172.30.0.0 has changed to a new next hop of 192.168.28.1, because the path via 192.168.28.1 has a higher local preference, 400.
• MED is used when multiple paths exist between two ASs, to tell the neighboring AS which entry point is preferred.
• A lower MED value is preferred.
• The default setting for Cisco is MED = 0.
• The metric is non-transitive: it is passed to the neighboring AS but not beyond it.
• By default, MED is compared only between paths received from the same neighboring AS; bgp always-compare-med changes this.
(config-router)#default-metric <value>
or
(config)#route-map <name> {permit/deny} [<seq no.>]
(config-route-map)#match ip address <acl #>
(config-route-map)#set metric <MED value>
• MED is considered the metric of BGP.
• All routes advertised to an eBGP neighbor are set to the value specified using this command (the route map sets it only for matching routes).
RouterZ# show ip bgp
BGP table version is 7, local router ID is 122.30.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop      Metric LocPrf Weight Path
*>i192.168.24.0     172.20.50.2      100    100      0 65001 i
* i                 192.168.28.2     200    100      0 65001 i
* i192.168.25.0     172.20.50.2      200    100      0 65001 i
*>i                 192.168.28.2     100    100      0 65001 i
* i192.168.26.0     172.20.50.2      200    100      0 65001 i
*>i                 192.168.28.2     100    100      0 65001 i
• For all networks: weight is equal (0); local preference is equal (100); routes are not originated in this AS; AS path length is equal (65001); origin code is equal (i); so the selection reaches the MED step.
• 192.168.24.0 has a lower metric (MED) through 172.20.50.2 (100) than through 192.168.28.2 (200).
• 192.168.25.0 has a lower metric (MED) through 192.168.28.2 (100) than through 172.20.50.2 (200).
• 192.168.26.0 has a lower metric (MED) through 192.168.28.2 (100) than through 172.20.50.2 (200).
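The selection order described above (weight, local preference, locally originated, AS path length, origin, MED, eBGP over iBGP, IGP metric, router ID, neighbor address) is written out below as an added example, not Cisco code, and run over the six RouterZ entries from the show ip bgp output. It also shows the two MED caveats from this section: a higher local preference settles the choice before MED is looked at, and MED is not compared between paths from different neighboring ASs unless always-compare-med is on. Router IDs and neighbor addresses for the RouterZ rows are taken from the next-hop column as an assumption, since the output does not show them; the "oldest path" tie-breaker is omitted.

```python
from dataclasses import dataclass
from ipaddress import ip_address

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}     # IGP preferred over EGP over incomplete


@dataclass
class Path:
    prefix: str
    next_hop: str
    weight: int = 0
    local_pref: int = 100
    locally_originated: bool = False
    as_path: tuple = ()
    origin: str = "i"
    med: int = 0
    ebgp: bool = False
    igp_metric: int = 0
    router_id: str = "0.0.0.0"
    neighbor: str = "0.0.0.0"


def _keep_best(paths, key):
    best = min(key(p) for p in paths)
    return [p for p in paths if key(p) == best]


def best_path(paths, always_compare_med=False):
    """Return (winning Path, name of the step that decided it)."""
    cands = list(paths)
    early = [
        ("highest weight", lambda p: -p.weight),
        ("highest local preference", lambda p: -p.local_pref),
        ("locally originated", lambda p: 0 if p.locally_originated else 1),
        ("shortest AS path", lambda p: len(p.as_path)),
        ("lowest origin code", lambda p: ORIGIN_RANK[p.origin]),
    ]
    late = [
        ("eBGP over iBGP", lambda p: 0 if p.ebgp else 1),
        ("lowest IGP metric to next hop", lambda p: p.igp_metric),
        ("lowest router ID", lambda p: int(ip_address(p.router_id))),
        ("lowest neighbor address", lambda p: int(ip_address(p.neighbor))),
    ]
    for name, key in early:
        cands = _keep_best(cands, key)
        if len(cands) == 1:
            return cands[0], name
    # MED is compared only among paths received from the same neighbouring AS
    # (the first AS in AS_PATH) unless 'bgp always-compare-med' is configured.
    if always_compare_med or len({p.as_path[:1] for p in cands}) == 1:
        cands = _keep_best(cands, lambda p: p.med)
        if len(cands) == 1:
            return cands[0], "lowest MED"
    for name, key in late:
        cands = _keep_best(cands, key)
        if len(cands) == 1:
            return cands[0], name
    return cands[0], "tie"


def routerz_table():
    """The six iBGP paths from the RouterZ 'show ip bgp' output above (constructed)."""
    rows = [("192.168.24.0/24", "172.20.50.2", 100), ("192.168.24.0/24", "192.168.28.2", 200),
            ("192.168.25.0/24", "172.20.50.2", 200), ("192.168.25.0/24", "192.168.28.2", 100),
            ("192.168.26.0/24", "172.20.50.2", 200), ("192.168.26.0/24", "192.168.28.2", 100)]
    table = {}
    for prefix, nh, med in rows:
        table.setdefault(prefix, []).append(
            Path(prefix, nh, med=med, as_path=(65001,), router_id=nh, neighbor=nh))
    return table


def select_all(table, **kw):
    """prefix -> (best next hop, deciding step) for every prefix in the table."""
    return {prefix: (p.next_hop, why) for prefix, paths in table.items()
            for p, why in [best_path(paths, **kw)]}
```

Because the deciding step is returned with the winner, the same function doubles as a troubleshooting aid: if a path you expected to win loses at "highest weight" or "highest local preference", the cause is local policy on this router or inside the AS, not anything the neighboring AS sent.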
Route maps for BGP policy implementation
1- Create the route map:
(config)#route-map <name> <permit/deny> [seq. no.]
(config-route-map)#match <conditions>
(config-route-map)#set <actions>
2- Apply the route map to a neighbor:
(config-router)#neighbor <ip/peer group> route-map <name> <in/out>
- Match conditions:
match ip address <acl#>
match community <community-list name>
- Set actions:
set local-preference <no.>
set weight <no.>
set metric <no.>
set as-path prepend <AS list>
Sequences are evaluated in order and the first matching sequence wins; a route matched by a deny sequence, or matching no sequence at all (implicit deny at the end of the route map), is dropped. To pass everything else unchanged, add a final permit sequence with no match conditions.
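The first-match and implicit-deny behaviour is where route maps bite in practice, so here is an added model of the evaluation (not IOS code): a route map is an ordered list of (action, match clauses, set actions), match ip address uses standard-ACL address/wildcard semantics, and a route that matches no permit sequence is dropped. The constructed policy raises local preference to 400 for 172.30.0.0/16, mirroring the figure in the route selection section; the ACL numbers, prefixes and community value are made up for the example.

```python
from ipaddress import ip_address, ip_network


def acl_permits(acl, prefix):
    """Standard-ACL semantics for 'match ip address <acl#>': the first entry whose
    address/wildcard covers the network address decides; no match means deny."""
    net = int(ip_network(prefix).network_address)
    for action, address, wildcard in acl:
        mask = 0xFFFFFFFF ^ int(ip_address(wildcard))   # wildcard 0 bits must match
        if net & mask == int(ip_address(address)) & mask:
            return action == "permit"
    return False


def _matches(clause, acls, route):
    kind, arg = clause
    if kind == "ip address":
        return acl_permits(acls[arg], route["prefix"])
    if kind == "community":
        return arg in route.get("communities", ())
    raise ValueError("unsupported match clause %r" % kind)


def apply_route_map(route_map, acls, route):
    """route_map: ordered list of (action, [match clauses], [set actions]).
    Returns the (possibly modified) route, or None if the route is dropped."""
    for action, matches, sets in route_map:
        if all(_matches(m, acls, route) for m in matches):   # no clauses = match everything
            if action == "deny":
                return None
            out = dict(route)
            for key, value in sets:
                if key == "as-path prepend":
                    out["as_path"] = tuple(value) + tuple(out["as_path"])
                else:
                    out[key] = value
            return out
    return None   # implicit deny at the end of every route map


# Constructed policy: raise local preference for 172.30.0.0/16, pass everything else.
ACLS = {1: [("permit", "172.30.0.0", "0.0.255.255")]}
RM_OK = [
    ("permit", [("ip address", 1)], [("local_pref", 400)]),
    ("permit", [], []),                      # catch-all; without it the implicit deny drops the rest
]
RM_NO_CATCHALL = RM_OK[:1]


def demo():
    """(local pref set on the matched route, other route passed, other route with no catch-all)."""
    r1 = {"prefix": "172.30.0.0/16", "as_path": (65001,)}
    r2 = {"prefix": "172.16.0.0/16", "as_path": (65001,)}
    return (apply_route_map(RM_OK, ACLS, r1)["local_pref"],
            apply_route_map(RM_OK, ACLS, r2),
            apply_route_map(RM_NO_CATCHALL, ACLS, r2))
```

The third value returned by demo is the classic outage: applying RM_NO_CATCHALL inbound on a neighbor silently discards every prefix except 172.30.0.0/16.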
Verification and Troubleshooting
#sh ip bgp
#sh ip bgp summary
#sh ip route
#debug ip bgp [events/updates/keepalives]
#clear ip bgp <*/address>
(config-router)#[no] neighbor <ip/peer group> shutdown
Clearing the BGP Session
• When policies such as access lists, timers, or attributes are changed, the BGP session must be reset.
• The change takes effect immediately for new prefixes: the next time a prefix or path is advertised or received, the new policy is used. But it can take a long time before the policy has been applied to all networks.
• The session should be reset to ensure the policy is immediately applied to all affected prefixes and paths.
• Ways to trigger an update:
– Hard reset
– Soft reset
Router# clear ip bgp {*|neighbor-address} [soft {in | out}]
• Resets all BGP connections of this router (*) or only a single neighbor.
• If the soft option is not used (hard reset):
- The entire BGP table is discarded.
- The BGP session transitions from established to idle; everything must be relearned.
Using the soft reset option:
• Routes learned from this neighbor are not lost.
• This router resends all BGP information to the neighbor without resetting the connection.
• The connection remains established.
• This option is highly recommended when you are changing outbound policy.
• The soft out option does not help if you are changing inbound policy; use soft in, which requires either the route-refresh capability (negotiated automatically by modern BGP speakers) or neighbor <ip> soft-reconfiguration inbound (which keeps a copy of all received updates in memory).
RouterA# show ip bgp neighbors
Branch office Internet
Access
Branch Office Connectivity
The needs of branch offices are changing. This is due to the
adoption of unified networks that support voice, video, and
data; the consolidation of IT resources; and the physical mobility
of many users.
Many options exist today for private connectivity between an
Enterprise branch office and the core of an Enterprise network.
These options include leased lines, Frame Relay, MPLS VPNs,
and Metro Ethernet. Although each differs in some way, they all
share an important characteristic: They provide an inherently
private path over which two Enterprise routers can send packets
to each other.
Several other public options exist for branch office connectivity. All
these options use the Internet for connectivity between the branch
office and the core of the Enterprise network.
Regardless of the particular physical Internet access technology–
typically digital subscriber line (DSL), cable, or wireless
broadband–all these options use a public Internet to forward the
packets.
The differences between the public Internet and private
connectivity mean that the branches need to use several
additional functions just to make the connectivity work, plus
the branches need to add other functions to make the connection
secure. This chapter focuses on the functions required, and how
they impact routing between the branch and the rest of the
Enterprise.
The branch routing for the Internet-connected branch differs in
part depending on the design.
Branch Office Design Considerations
Small Branch Office Design
A small branch office typically leverages an ISR router to provide multiple services such as WAN and PSTN connectivity, NAT, WAN optimization, firewall, and DHCP. Its WAN connectivity might be a T1 primary link with a cable or DSL backup link using an IPsec VPN. You might run a routing protocol or simply use floating static routes. The infrastructure typically consists of Layer 2 switching, either internal to the router or using an external switch, plus computers, phones, and printers.
This design is cost-effective and provides a minimum of devices to manage. However, network resiliency suffers because the router is a single point of failure.
Large Branch Office Design
A large branch office is similar to a campus design in that it
typically uses a layered design with redundancy at all but the
access layer. Stand-alone devices for firewalls and WAN
optimization might be used, along with multilayer switches. This
branch can provide services to other branches and can thus
benefit from an MPLS WAN with its any-to-any connectivity.
The infrastructure is engineered for high availability. It typically
consists of dual WAN access routers, dual distribution
switches, and dual firewalls.
DHCP Services
• DHCP is used to provide dynamic IP address allocation to
TCP/IP hosts and Cisco Systems devices. It utilizes a
client/server model, and the DHCP server can be a Windows
server, a UNIX-based server, or a Cisco IOS device.
Understanding the Function of DHCP
The figure shows the steps that occur when a DHCP client requests an IP address from a DHCP server.
1. The host sends a DHCPDISCOVER broadcast message to locate a DHCP server.
2. A DHCP server offers configuration parameters such as an IP address, the server identifier (the IP address of the offering server), a domain name, a default gateway, and a lease time for the IP address to the client in a DHCPOFFER message (unicast to the client's MAC address, or broadcast if the client set the broadcast flag).
3. The client returns a formal request for the offered IP address to the DHCP server in a DHCPREQUEST broadcast message (broadcast so that any other servers that made offers learn they were not chosen).
4. The DHCP server confirms that the IP address has been allocated to the client by returning a DHCPACK message to the client.
A DHCP client may receive offers from multiple DHCP servers and can accept any one of the offers. However, the client usually accepts the first offer that it receives. Also, the offer from the DHCP server is not a guarantee that the IP address will be allocated to the client. The server usually reserves the address until the client has had a chance to formally accept the address.
DHCP supports three possible address allocation mechanisms:
- Manual: The network administrator assigns the IP address to a
specific MAC address.
DHCP is used to dispatch the assigned address to the host.
- Automatic: The IP address is permanently assigned to a host.
- Dynamic: The IP address is assigned to a host for a limited time
or until the host explicitly releases the address. This mechanism
supports automatic address reuse when the host to which the
address has been assigned no longer needs the address.
Configuring a DHCP Server
Router(config)#service dhcp
• Enables the DHCP server and relay features on the router; it is on by default.
Router(config)#ip dhcp pool <pool name>
• Creates a DHCP pool for use by hosts and enters DHCP pool configuration mode.
Router(config-dhcp)#import all
• Imports DHCP option parameters (DNS servers, domain name, and so on) learned by the router's own DHCP/IPCP client interface into the DHCP server database; used on remote routers whose WAN address is assigned by the provider.
Router(config-dhcp)#default-router <address>
• Specifies the default router handed to the clients of the pool.
Router(config-dhcp)#network <network address> <subnet mask>
• Specifies the network and subnet mask of the pool.
Router(config)#ip dhcp excluded-address <low address> [<high address>]
• Specifies the IP addresses that the DHCP server must not assign to DHCP clients (the router's own addresses, servers, printers).
Router(config-dhcp)#domain-name <domain>
• Specifies the domain name for the client.
Router(config-dhcp)#dns-server <address> [<address2>...<address8>]
• Specifies the IP addresses of the DNS servers available to a DHCP client. One is required; up to eight can be specified.
Router(config-dhcp)#lease {<days> [<hours>] [<minutes>] | infinite}
• Specifies the duration of the lease. The default is a one-day lease.
Router(config-if)#ip address dhcp
• Makes the router obtain the address of this interface from a DHCP server (the router acts as a DHCP client).
• Additional commands are available to customize manual bindings for individual clients, including MAC addresses. Additional options are also available with implementation of the DHCP relay agent function (ip helper-address on the interface facing the clients).
Configuration Example
• Remote Router
ip dhcp excluded-address 20.0.0.2
!
ip dhcp pool client
 network 20.0.0.0 255.255.255.0
 default-router 20.0.0.2
 import all
!
interface fastethernet0/0
 ip address dhcp
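To tie the DISCOVER/OFFER/REQUEST/ACK steps, the three allocation mechanisms and the pool commands together, here is an added model of a pool-based DHCP server (not IOS code, and no packets on the wire): excluded addresses are never handed out, a manual binding maps a MAC address to a fixed address, an OFFER only reserves an address until the client REQUESTs it, and leases expire. The 60-second reservation window, the MAC addresses and the use of 20.0.0.1 as an extra excluded address are assumptions for the example; times are plain seconds.

```python
from ipaddress import ip_address, ip_network

OFFER_HOLD_SECONDS = 60   # assumed reservation window for an unanswered OFFER


class DhcpPool:
    """Model of an 'ip dhcp pool' server: excluded addresses, manual bindings,
    OFFER-time reservations that only a REQUEST turns into a lease, lease expiry."""

    def __init__(self, network, default_router, excluded=(), lease_seconds=86400, manual=None):
        self.net = ip_network(network)
        self.default_router = default_router
        self.excluded = {ip_address(a) for a in excluded}
        self.lease_seconds = lease_seconds
        self.manual = {mac: ip_address(a) for mac, a in (manual or {}).items()}
        self.offers = {}     # mac -> (address, reservation expiry)
        self.bindings = {}   # mac -> (address, lease expiry)

    def _expire(self, now):
        for table in (self.offers, self.bindings):
            for mac in [m for m, (_, exp) in table.items() if exp <= now]:
                del table[mac]

    def _free_address(self):
        taken = {a for a, _ in self.offers.values()} | {a for a, _ in self.bindings.values()}
        taken |= set(self.manual.values()) | self.excluded
        for host in self.net.hosts():
            if host not in taken:
                return host
        return None

    def discover(self, mac, now):
        """DHCPDISCOVER -> DHCPOFFER (or None if the pool is exhausted)."""
        self._expire(now)
        if mac in self.bindings:
            addr = self.bindings[mac][0]          # renewing client keeps its address
        elif mac in self.manual:
            addr = self.manual[mac]
        else:
            addr = self._free_address()
            if addr is None:
                return None
        self.offers[mac] = (addr, now + OFFER_HOLD_SECONDS)
        return {"op": "DHCPOFFER", "yiaddr": str(addr), "router": self.default_router,
                "lease": self.lease_seconds}

    def request(self, mac, requested, now):
        """DHCPREQUEST -> DHCPACK if this client holds that address, else DHCPNAK."""
        self._expire(now)
        addr = ip_address(requested)
        held = self.offers.get(mac) or self.bindings.get(mac)
        if held is None or held[0] != addr:
            return {"op": "DHCPNAK"}
        self.offers.pop(mac, None)
        self.bindings[mac] = (addr, now + self.lease_seconds)
        return {"op": "DHCPACK", "yiaddr": str(addr), "lease": self.lease_seconds}

    def leases(self):
        """Equivalent of 'show ip dhcp binding': committed leases only."""
        return {mac: str(addr) for mac, (addr, _) in self.bindings.items()}
```

Note what the NAK path protects against: a client cannot REQUEST an address that was offered to a different client, so a flood of DISCOVERs from spoofed MAC addresses exhausts the pool (a real problem) but does not let one host hijack another host's offer.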
Relay Agent (figure)
NAT types:
a) Static NAT
- Fixed one-to-one translation of one inside local address to one inside global address; mainly used for servers that must be reachable from outside.
(config)#ip nat inside source static <inside local ip> <inside global ip>
b) Dynamic NAT
- Each inside local address is translated to one inside global address picked by the NAT device from a pool of addresses.
To define a pool:
(config)#ip nat pool <pool name> <start ip> <end ip> {netmask <subnet mask> | prefix-length <length>}
To activate the NAT process (the ACL selects the inside local addresses that are translated):
(config)#ip nat inside source list <acl no.> pool <pool name>
c) NAT overload (PAT)
- If you have only one global address, give that address to the outside (serial) interface; no NAT pool is needed and many inside hosts share the single address, distinguished by port number:
(config)#ip nat inside source list <ACL no.> interface <int. name> overload
In all cases mark the interfaces with ip nat inside and ip nat outside.
The example shows a sample configuration, using router BO1. This configuration assumes that BO1 was already configured.
interface fastethernet 0/0
 ip address 10.99.1.9 255.255.255.0
 ip nat inside
!
interface dialer 2
 ip nat outside
!
ip nat inside source list local-lan interface dialer2 overload
!
ip access-list extended local-lan
 permit ip 10.99.1.0 0.0.0.255 any
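The three NAT forms differ in what the translation table looks up, which is easiest to see in code. The following added model (not IOS code) keeps the three tables side by side: static one-to-one entries, dynamic one-to-one entries drawn from a pool, and overload (PAT) entries keyed by source address, source port and protocol so that many hosts share one inside global address. It also shows the two failure modes a practitioner cares about: a dynamic pool running out (packet dropped) and an inbound packet with no matching translation (dropped, which is the accidental firewall effect of NAT). The 203.0.113.x addresses are documentation-range assumptions; the inside network is the BO1 LAN from the configuration above.

```python
from ipaddress import ip_address, ip_network


class Nat:
    """Model of the three forms above: static one-to-one entries, dynamic one-to-one
    entries drawn from a pool, and overload (PAT) where many inside hosts share one
    inside global address and are told apart by port."""

    def __init__(self, inside_list, pool=(), overload_address=None, statics=None):
        self.inside_list = [ip_network(n) for n in inside_list]   # the 'source list' ACL
        self.pool = list(pool)
        self.overload = overload_address
        self.static = dict(statics or {})        # inside local -> inside global
        self.dynamic = {}                        # inside local -> inside global
        self.pat = {}                            # (local, lport, proto) -> global port

    def _in_acl(self, src):
        return any(ip_address(src) in n for n in self.inside_list)

    def _pat_port(self, sport, proto):
        """Keep the original source port when free (as IOS tries to), else pick a new one."""
        used = {g for (_, _, p), g in self.pat.items() if p == proto}
        if sport not in used:
            return sport
        for port in range(1024, 65536):
            if port not in used:
                return port
        raise RuntimeError("no free ports on the overload address")

    def translate(self, src, sport, proto="tcp"):
        """Outbound inside->outside. Returns (global address, global port);
        untranslated packets come back unchanged, a dropped packet gives None."""
        if src in self.static:
            return self.static[src], sport
        if not self._in_acl(src):
            return src, sport                    # not selected by the ACL: forwarded as-is
        if self.overload:
            key = (src, sport, proto)
            if key not in self.pat:
                self.pat[key] = self._pat_port(sport, proto)
            return self.overload, self.pat[key]
        if src not in self.dynamic:
            free = [g for g in self.pool if g not in self.dynamic.values()]
            if not free:
                return None                      # pool exhausted: packet dropped
            self.dynamic[src] = free[0]
        return self.dynamic[src], sport

    def untranslate(self, dst, dport, proto="tcp"):
        """Inbound outside->inside. None means no translation exists, which is why
        unsolicited inbound connections never reach an inside host."""
        for local, glob in self.static.items():
            if glob == dst:
                return local, dport
        if self.overload and dst == self.overload:
            for (local, lport, p), gport in self.pat.items():
                if gport == dport and p == proto:
                    return local, lport
            return None
        for local, glob in self.dynamic.items():
            if glob == dst:
                return local, dport
        return None
```

The PAT table is the one that matters for incident response: without the (local, lport, proto) to global-port record, an abuse report quoting only the shared public address and a port cannot be traced back to an inside host, so translation logging or NetFlow on the NAT device is what makes the mapping recoverable later.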
NAT using Route Maps (figure)
NAT with route maps keeps more detail in the NAT table (fully extended entries including the outside address and ports) and lets the translation depend on the destination or the outgoing interface rather than only on the source ACL.
Broadband Internet Access Basics
The term broadband has been around in the world of networking
for a long time. The original meaning related to the frequency
bands used by some Layer 1 standards that used a wider
(broader) range of frequencies to achieve a higher bit rate. Today,
the term broadband has grown to become synonymous with high
speed.
Note: Although the human voice generates frequencies
below 4000 Hz, the human ear can hear some higher
frequencies, so some DSL installations require the use of
filters on the lines connected to the phones. These filters
prevent humans from hearing some of the higher frequency
DSL tones.
Figure shows how ADSL components work together in a typical
residential implementation. The telephone company‘s Central Office
forwards both POTS and DSL data traffic over the same line to the
subscriber. The line enters at the Network Interface Device (NID)
and branches toward the telephone and the PC. A low-pass filter
blocks everything but voice frequencies from reaching the phone. A
DSL modem (or router with a DSL interface) forwards data to the PC.
When the Central Office receives traffic from the subscriber, a splitter
sends voice frequencies to the PSTN switch and DSL frequencies to
the DSLAM. The DSLAM sends data traffic to a router for forwarding
to the Internet.
Dialer interface:
interface Dialer1
ip address negotiated
ip nat outside
encapsulation ppp
dialer pool 1
ppp authentication chap
ppp chap password 0 dslpass
External ATM interface:
interface ATM1/0
description DSL interface
no ip address
dsl operating-mode auto
pvc 1/100
encapsulation aal5mux ppp dialer
dialer pool-member 1
DHCP:
ip dhcp pool Users
import all
network 172.16.1.0 255.255.255.0
default-router 172.16.1.1
The main pieces of the DSL configuration as shown in this section
are as follows:
■ The configuration creates a dialer interface.
■ The Layer 3 and PPP configuration related to DSL is applied to the
dialer interface.
■ The ATM configuration is applied to the physical ATM interface.
■ The ATM interface is linked to the dialer interface.
■ An IP route forwards traffic out the dialer interface, which triggers the
DSL encapsulation process.
The dialer interface has five subcommands in this case, including three
related to PPP. One command tells the router to use PPP to learn its IP
address from the ISP (ip address negotiated).
The dialer pool 1 command tells the dialer interface that, when it needs to signal a new connection, it should look for interfaces configured with dialer pool-member 1, such as interface ATM 0/0.
First examine the ATM interface. The configuration defines the VPI/VCI as 0/42; the ISP needs to match this value or, more likely, dictates the value to the customer. The encapsulation command defines that PPP will also be used.
The encapsulation aal5mux ppp dialer command defines that this PVC will use the logic of a dialer interface. Finally, the dialer pool-member 1 command associates the ATM interface with the dialer interface.
Configuring an IPsec VPN
IPsec is not covered in depth on the ROUTE exam, but you
need to understand it well enough to verify the configuration
and add routing across it.
Details in a separate Appendix at the end of the book.
This sample branch uses an IPsec VPN to connect to the
headquarters when the backup DSL link is active.
When IPsec establishes a VPN between two peer hosts, it sets
up a security association (SA) between them. SAs are
unidirectional, so each bidirectional data session requires two.
The Internet Security Association and Key Management
Protocol (ISAKMP) defines how SAs are created and deleted.
An IPsec transform set defines how VPN data will be protected by
specifying the IPsec protocols that will be used. You
can specify up to four transforms, and the algorithm to use with
each. You can also configure either tunnel or transport
mode. (Tunnel is default.)
You use a crypto ACL to identify traffic that should be protected by
the IPsec VPN. Any traffic permitted in the ACL will
be sent over the VPN. Traffic denied by the ACL will not be
dropped; it will simply be sent normally.
A crypto map pulls together the transform sets and crypto ACLs
and associates them with a remote peer. After the crypto
map is configured, it must be applied to an interface for it to take
effect. It is applied at the outgoing interface—the one
that VPN traffic uses to reach the other end of the VPN. You
might need to use a static route or otherwise adjust your
routing to force traffic bound for the VPN destination networks to
use the correct outgoing interface.
To fully understand the IPsec configuration, you need a deeper
understanding of the security protocols than the detail included in this
book. However, if you ignore the particulars about security protocols, a
sample configuration can reveal some interesting facts about branch
routing, which is the focus of this chapter.
Focus first on the crypto map (named branchmap) and the dialer
interface. The dialer interface enables IPsec with the crypto map
branchmap command, causing IOS to consider applying IPsec to packets
exiting Dialer 2. In this case the crypto map causes IOS to encrypt and tunnel only the packets matched by ACL 101. (The arrows in the figures show how the crypto map is linked to ACL 101.) The crypto map also identifies the destination IP address used when the encapsulation takes place (128.107.9.9). This address is the public IP address of the device on the other end of the tunnel, which the earlier figures showed as router Ent1.
Next, think about a packet received by BO1 over the LAN, in light of ACL 101 and of the crypto map processing outbound traffic on interface Dialer 2. The packet arrives on BO1's F0/0 interface. The packet may or may not be processed by a GRE tunnel first. Then some route must send the packet out Dialer 2. At that point, the logic of the commands in the figure finally begins.
Continuing with this same packet, the ACL matches packets that were tunneled by GRE, or other packets that come from the LAN and are going toward the rest of the Enterprise. The first line in the ACL matches the packets from the local LAN (10.99.1.0/8) going to another destination in the Enterprise. The second line in the ACL matches all GRE packets. Note that packets destined for some public IP address in the Internet would not match the ACL with a permit action. So only packets destined for the Enterprise network match ACL 101, and only the packets permitted by ACL 101 are processed by the IPsec tunnel logic; everything else leaves Dialer 2 unencrypted.
Configuring a Floating Static Route
The IPsec tunnel can be used solely as a backup link, or you can
load balance between it and the primary link. To use it
as a backup link, you can configure a floating static route. A
floating static route is one with an administrative distance
greater than the primary route. If the primary route is active, the
static route will not be placed into the routing table due
to its higher AD. But when the primary route is down, the static
route will be used.
Configuring Dynamic Routing over a GRE Tunnel
To use the IPsec tunnel as an "always on" connection, you need to send routing updates over it. However, IPsec VPNs do not carry broadcast or multicast traffic. You need to create a tunnel within the IPsec tunnel to carry the routing traffic. Four ways to do this are:
- DMVPN: Creates multipoint tunnels on-demand. Good for
scenarios when spoke-to-spoke connections are needed.
- GET VPN: Creates encrypted multipoint tunnels on-demand.
Good for scenarios when secure spoke-to-spoke
connections are needed.
- Virtual Tunnel Interface (VTI): Creates an always-on tunnel
that carries unicast and multicast traffic. Enables you
to configure the routing protocol on the tunnel interface, saving
the 4 extra bytes required for a GRE header.
- Generic Routing Encapsulation (GRE): GRE is a tunneling
protocol that can support multiple Layer 3 protocols.
It enables the use of multicast routing protocols across the tunnel.
It adds a 20-byte IP header and a 4-byte GRE header. GRE does
not encrypt traffic or use any strong security measures to protect
the traffic. GRE can be used along with IPsec to provide data
source authentication, data confidentiality, and assurance of data
integrity. GRE over IPsec tunnels are typically configured in a
hub-and-spoke topology over an untrusted WAN to minimize the
number of tunnels that each router must maintain.
In this section, we configure a GRE tunnel to carry EIGRP traffic over the IPsec tunnel. This creates a tunnel within a tunnel, as shown in the figure.
GRE Tunnel Configuration
interface tunnel 9
ip address 10.99.2.1 255.255.255.255
tunnel source loopback 1
tunnel destination 10.12.1.9
interface loopback 1
ip address 10.12.1.1 255.255.255.0
router eigrp 1
network 10.12.1.1 0.0.0.0
network 10.99.2.1 0.0.0.0
ip route 10.12.1.9 255.255.255.255 dialer2
Following are the steps in Figure 19-12:
Step 1. R1 has the original packet in memory, source 10.99.1.1 (PC1), destination 10.1.1.1 (S1).
Step 2. BO1's best route for destination 10.1.1.1 uses outgoing interface tunnel 9. This route may have been learned by an IGP running over this GRE tunnel.
Step 3. BO1 adds a new IPv4 header and a GRE header to the original packet. The destination of this new packet, based on the tunnel destination subcommand under BO1's tunnel 9, is address 10.12.1.9.
Step 4. BO1 routes the packet formed in the previous step. The best route for 10.12.1.9 lists Dialer 2 as the outgoing interface. The crypto map on interface Dialer 2 refers to an ACL, and the ACL matches this packet with a permit action. This combination of logic tells BO1 to use IPsec to encrypt this packet for transmission over the IPsec tunnel.
Step 5. BO1 encrypts the packet that was created in Step 3; in other words, it encrypts the GRE-created packet.
Step 6. BO1 encapsulates the encrypted data, adding several IPsec headers plus a new IPv4 header. The new IPv4 header uses BO1's public IPv4 address as source and the configured public IPv4 address of the other end of the IPsec tunnel as destination. Per the example, the destination IP address would be 128.107.9.9.
Step 7. BO1 routes this latest packet, with its destination IP address of 128.107.9.9, matching a route (probably a default route) that again lists Dialer 2 as the outgoing interface. However, the crypto map's ACL does not match the packet with a permit action, so BO1 bypasses any further IPsec functions and simply forwards the packet.
Step 8. Forwarding out the dialer interface then causes this DSL-connected router to forward the packet out the underlying ATM interface, which performs the encapsulation and segmentation shown in the earlier figure.
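The eight steps above, and the crypto ACL rule from the previous section, as an added Python model (not the page's or Cisco's code). It walks a packet through BO1's route lookup, the GRE encapsulation triggered by the tunnel route, and the crypto map check on Dialer 2, including the second pass in which the already-encrypted packet fails the ACL and leaves in the clear. Addresses from the page are used where the page gives them; BO1's public address 192.0.2.1, the enterprise summary 10.0.0.0/8, the LAN as 10.99.1.0/24 (matching ACL local-lan), and the Internet host 198.51.100.7 are assumptions.

```python
import ipaddress

# Added example, not the page's or Cisco's code. Values from the page: PC1
# 10.99.1.1, S1 10.1.1.1, GRE tunnel 10.12.1.1 -> 10.12.1.9, IPsec peer
# 128.107.9.9. Assumptions: BO1's public address, the enterprise summary route,
# and the /24 LAN mask taken from the page's local-lan ACL.
def ip(s):
    return ipaddress.ip_address(s)

BO1_PUBLIC = ip("192.0.2.1")
IPSEC_PEER = ip("128.107.9.9")
GRE_SRC, GRE_DST = ip("10.12.1.1"), ip("10.12.1.9")
LAN = ipaddress.ip_network("10.99.1.0/24")
ENTERPRISE = ipaddress.ip_network("10.0.0.0/8")

# BO1's routing table: enterprise prefixes via tunnel 9 (learned by EIGRP over
# the GRE tunnel), the tunnel destination /32 via Dialer2 (the static route on
# the page), and a default route via Dialer2.
ROUTES = [
    (ipaddress.ip_network("10.0.0.0/8"), "Tunnel9"),
    (ipaddress.ip_network("10.12.1.9/32"), "Dialer2"),
    (ipaddress.ip_network("0.0.0.0/0"), "Dialer2"),
]


def lookup(dst):
    """Longest-prefix match; returns the outgoing interface name."""
    best = max((r for r in ROUTES if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def crypto_acl_permits(pkt):
    """ACL 101 as the page describes it: LAN -> Enterprise IP traffic, or any GRE."""
    if pkt["proto"] == "gre":
        return True
    return pkt["src"] in LAN and pkt["dst"] in ENTERPRISE


def forward(pkt):
    """Run a packet (dict with src, dst, proto) through BO1's forwarding logic.
    Returns (outer_packet, encapsulations) where encapsulations lists the
    layers added, innermost first, e.g. ["gre", "esp"]."""
    layers = []
    while True:
        iface = lookup(pkt["dst"])
        if iface == "Tunnel9":
            # Steps 2-3: new IPv4 header + GRE header, destination = tunnel destination.
            pkt = {"src": GRE_SRC, "dst": GRE_DST, "proto": "gre", "inner": pkt}
            layers.append("gre")
            continue
        # Dialer2: the crypto map's ACL decides whether IPsec applies (steps 4-6).
        if crypto_acl_permits(pkt):
            pkt = {"src": BO1_PUBLIC, "dst": IPSEC_PEER, "proto": "esp", "inner": pkt}
            layers.append("esp")
            continue
        # Step 7: the ESP packet to 128.107.9.9 matches the default route but not
        # the ACL, so it is forwarded as is. The same branch is taken by LAN
        # traffic bound for the Internet, which therefore leaves unencrypted.
        return pkt, layers
```

Running a LAN-to-Internet packet through `forward` returns an empty layer list: that is the behaviour the page describes for traffic the crypto ACL denies (sent normally, not dropped), and it is the case to check when deciding whether a destination is really inside the protected set.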
IP version 6
- Addressing
- Data delivery
- Routing protocols
- Transition from IPv4 to IPv6
9- IPv6:
Why Do We Need a Larger Address Space?
• Internet population
– Approximately 2.5 billion users in November 2010
– Emerging populations, geopolitics, and address space
• Mobile users
– PDAs, tablet PCs, notepads, and so on
– Approximately 200 million in 2010
• Mobile phones
– Already more than a billion mobile phones delivered by the industry
• Transportation
– 1.2 billion automobiles forecast for 2010
– Internet access in planes (example: Lufthansa)
• Consumer devices
– Sony mandated that all its products be IPv6-enabled by 2005
– Billions of home and industrial appliances
• Simpler header
– Routing efficiency
– Performance and forwarding-rate scalability
– No broadcasts
– No checksums
– Extension headers
– Flow labels
– Address renumbering and modification
A- Larger address space
IPv4: addresses are 32 bits (4 bytes) long, giving approximately 4,200,000,000 possible addressable nodes.
IPv6: addresses are 128 bits long, so the number of addresses is 2^128 = 3.4 * 10^38 possible addresses, about 5 * 10^28 addresses per human.
• IPv6 address format:
1- Colon-separated hexadecimal form: X:X:X:X:X:X:X:X, where each field X is 4 hexadecimal characters (16 bits).
Examples:
IPv6 address assignment (getting a logical address)
This is done through:
- Stateless autoconfiguration, using the Neighbor Discovery Protocol (NDP) and Router Advertisements.
Stateless DHCP for IPv6 is also called "DHCP-lite".
Interface Identifiers
• Cisco uses the extended universal identifier (EUI)-64 format
to do stateless autoconfiguration.
• This format expands the 48-bit MAC address to 64 bits by inserting "FFFE" in the middle, between the upper 3 bytes (Organizationally Unique Identifier [OUI] field) and the lower 3 bytes (serial number) of the link-layer address.
• To make sure that the chosen address is from a unique Ethernet MAC address, the universal/local (U/L) bit, the seventh bit of the high-order byte, is set to 1 for global scope (0 for local scope); this is the equivalent of the IEEE G/L bit.
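The EUI-64 construction just described, as an added Python example (not the page's or Cisco's code): insert FF:FE, invert the U/L bit, and combine the result with a /64 prefix. The reverse function shows what a passive observer learns from such an address (the vendor OUI and a stable hardware identifier), which is why hosts commonly use randomized interface IDs instead. The MAC 0013.197b.6588 is the link-layer address from the debug output later on the page; the prefix 2012::/64 is from the RIPng configuration.

```python
import ipaddress


def eui64_interface_id(mac):
    """Build the 64-bit interface ID from a 48-bit MAC the way the page describes:
    keep the 3-byte OUI, insert FF:FE, append the 3-byte serial number, then
    invert the universal/local (U/L) bit, which is bit 0x02 of the first octet.
    Accepts IOS style (0013.197b.6588) as well as 00:13:19:7b:65:88."""
    digits = mac.lower().replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac}")
    mac_bytes = bytes.fromhex(digits)
    eui = bytearray(mac_bytes[:3] + b"\xff\xfe" + mac_bytes[3:])
    eui[0] ^= 0x02   # a burned-in (universal) MAC has this bit clear, so it becomes 1
    return bytes(eui)


def eui64_address(prefix, mac):
    """Combine a /64 prefix with the EUI-64 interface ID, as 'ipv6 address <prefix> eui-64' does."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def link_local_address(mac):
    """FE80::/64 plus the EUI-64 interface ID: the address NDP uses on the link."""
    return eui64_address("fe80::/64", mac)


def mac_from_eui64(address):
    """Reverse the derivation. Returns the MAC, or None when the interface ID
    does not carry the FF:FE marker (e.g. a privacy or manually assigned ID)."""
    iid = int(ipaddress.IPv6Address(address)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in mac)
```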
• Forms of IPv6 destination address (figure):
– Global unicast (public IP)
– Site-local (FEC0::/10): private addressing used within the local site
– Link-local (FE80::/10): used with directly connected devices (local protocol messages)
– Broadcast: not supported in IPv6 (see below)
IPv6 is defined on most of the current data link layers,
including the following:
Ethernet*
PPP*
High-Level Data Link Control (HDLC)*
FDDI
Token Ring
ATM**
Frame Relay***
1- Broadcast
- Not supported by IPv6; any protocol or application that required a broadcast feature has moved to a multicast option.
2- Multicast
- A group of devices shares the same address, and a packet should reach all the destinations having that multicast address. Routers forward the multicast packet to all destinations having that address.
- Has the range FF00::/8 (the first 8 bits are all ones: FF00 through FFFF).
Multicasting is extremely important to IPv6, because it is at the core of many IPv6 functions.
(Figure: well-known and user-defined multicast addresses, with the loopback, internal subnet, and external subnet scopes.)
3- Anycast (taken from the global unicast space)
A group of devices has the same function, and a packet should reach only one of the destinations. Routers choose the closest device to reach that destination.
• Characterized by:
– One-to-nearest (allocated from unicast address space).
– Multiple devices share the same address.
– All anycast nodes should provide uniform service.
– Source devices send packets to anycast address.
– Routers decide on closest device to reach that
destination.
– Suitable for load balancing and content delivery services.
4- Unicast
- Link-local address
- Site-local address: like the private IPs in the IPv4 scheme, it is mainly helpful for private WAN addressing without any need for IANA registration.
Global unicast addresses
Data delivery characteristics
5- Simpler and more efficient header that carries data from end to end
Plug and Play
This is done through:
- Stateless autoconfiguration (getting a logical address)
- Renumbering (getting a new addressing scheme)
Integrated Mobile IP and integrated security features
IPv6 uses Mobile IP and IPsec as mandatory protocols to provide end-to-end security.
Mobile IP enables mobile devices to move without breaking current connections. In IPv6, mobility is built in, which means that any IPv6 node can use it as needed. In IPv4, however, mobility is a new function that must be added.
Simpler header
Simpler and more efficient header means:
• 64-bit aligned fields and fewer fields
• Improved routing efficiency and performance
• Faster forwarding rate with better scalability
• IPv6 has extension headers.
• It handles the options more efficiently.
(Figure: IPv4 header compared with the IPv6 header.)
Routers handle fragmentation in IPv4, which causes a
variety of processing issues. IPv6 routers no longer
perform fragmentation. Instead, a discovery process is
used to determine the optimum maximum transmission
unit (MTU) to use during a given session.
In the discovery process, the source IPv6 device attempts
to send a packet at the size that is specified by the upper
IP layers, for example, the transport and application
layers.
If the device receives an "ICMP packet too big" message, it retransmits the MTU discovery packet with a smaller MTU and repeats the process until it gets a response that the discovery packet arrived intact. Then it sets the MTU for the session.
The IPv6 header has 40 octets in contrast to the 20 octets in
IPv4. IPv6 has a smaller number of fields, and the header is 64-
bit aligned to enable fast processing by current processors.
Address fields are four times larger than in IPv4.
The IPv6 header contains these fields:
• Version: A 4-bit field, the same as in IPv4. It contains the
number 6 instead of the number 4 for IPv4.
• Traffic Class: An 8-bit field similar to the type of service (ToS)
field in IPv4. It tags the packet with a traffic class that it uses in
differentiated services (DiffServ).
• Flow Label: A completely new 20-bit field. It tags a flow for the
IP packets. It can be used for multilayer switching techniques
and faster packet-switching performance.
• Payload Length: Similar to the Total Length field of IPv4.
• Next Header: The value of this field determines the type of
information that follows the basic IPv6 header. It can be a
transport-layer packet, such as TCP or UDP, or it can be an
extension header. The next header field is similar to the Protocol
field of IPv4.
• Hop Limit: This field specifies the maximum number of hops
that an IP packet can traverse. Each hop or router decreases this
field by one (similar to the Time to Live [TTL] field in IPv4).
Because there is no checksum in the IPv6 header, the router can
decrease the field without recomputing the checksum. On IPv4
routers the recomputation costs processing time.
• Source Address: This field has 16 octets or 128 bits. It
identifies the source of the packet.
• Destination Address: This field has 16 octets or 128 bits. It
identifies the destination of the packet.
• Extension Headers: The extension headers, if any, and the
data portion of the packet follow the eight fields. The number of
extension headers is not fixed, so the total length of the
extension header chain is variable.
There are many types of extension headers. When multiple
extension headers are used in the same packet, the order of the
headers should be as follows:
1. IPv6 header: This header is the basic header described in the
previous figure.
2. Hop-by-hop options header: This header is used for the router alert (Resource Reservation Protocol [RSVP] and Multicast Listener Discovery version 1 [MLDv1]). When present, the hop-by-hop options header always follows immediately after the basic IPv6 packet header. This header (value = 0) is processed by all hops in the path of a packet.
3. Destination options header (when the routing header is used):
This header (value = 60) can follow any hop-by-hop options
header, in which case the destination options header is
processed at the final destination and also at each visited
address specified by a routing header. Alternatively, the
destination options header can follow any Encapsulating
Security Payload (ESP) header, in which case the destination
options header is processed only at the final destination. For
example, mobile IP uses this header.
4. Routing header: This header (value = 43) is used for source
routing and mobile IPv6.
5. Fragment header: This header is used when a source must
fragment a packet that is larger than the MTU for the path
between itself and a destination device. The fragment header is
used in each fragmented packet.
6. Authentication header (AH) and Encapsulating Security
Payload header (ESP): The authentication header AH (value = 51)
and the ESP header (value = 50) are used within IPsec to provide
authentication, integrity, and confidentiality of a packet. These
headers are identical for both IPv4 and IPv6.
7. Upper-layer header: The upper-layer (transport) headers are
the typical headers used inside a packet to transport the data.
The two main transport protocols are TCP (value = 6) and UDP (value = 17).
IPv6 Routing Protocols
Configuring IPv6:
(config)#ipv6 unicast-routing
(config)#ipv6 route <prefix>/<prefix length> {interface | next hop ip}
(config)#interface fa0/0
(config-if)#ipv6 address <address>/<prefix length> [eui-64]
The eui-64 parameter forces the router to complete the low-order 64 bits of the address with an EUI-64 interface ID.
Example:
Address Aggregation (figure): 2001:0410::/32
Basic IPv6 configuration
R2# debug ipv6 nd
ICMP Neighbor Discovery events debugging is on
R2#
*Sep 2 17:07:25.807: ICMPv6-ND: DELETE -> INCMP: 2000:0:0:2::3
*Sep 2 17:07:25.807: ICMPv6-ND: Sending NS for 2000:0:0:2::3 on FastEthernet0/1
*Sep 2 17:07:25.807: ICMPv6-ND: Resolving next hop 2000:0:0:2::3 on interface FastEthernet0/1
*Sep 2 17:07:25.811: ICMPv6-ND: Received NA for 2000:0:0:2::3 on FastEthernet0/1 from 2000:0:0:2::3
*Sep 2 17:07:25.811: ICMPv6-ND: Neighbour 2000:0:0:2::3 on FastEthernet0/1 : LLA 0013.197b.6588
R2# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)# interface fa0/1
R2(config-if)# no ipv6 address
R2(config-if)# ipv6 address autoconfig
R2(config-if)#^Z
IPv6 Routing Protocols
RIPng (RIP next Generation)
Theory and Comparisons to RIP-2
The RIPng RFC states that the protocol uses many of the
same concepts and conventions as the original RIP-1
specification, also drawing on some RIP-2 concepts.
However, knowing that many of you might not remember a
lot of details about RIP-2, particularly because
RIP-2 is included in the CCNA certification rather than CCNP,
variety of facts about RIP-2 and RIPng.
Configuring RIPng
RIPng uses a new command style for the basic configuration, but most of the optional features and verification commands look much like the commands used for RIP for IPv4.
Step 1. Enable IPv6 routing with the ipv6 unicast-routing global configuration command.
Step 2. Enable RIPng using the ipv6 router rip name global configuration command. The name must be unique on a router but does not need to match neighboring routers.
Step 3. Enable IPv6 on the interface, typically with one of these two methods:
- Configure an IPv6 unicast address on each interface using the ipv6 address address/prefix-length [eui-64] interface subcommand.
- Configure the ipv6 enable command, which enables IPv6 and causes the router to derive its link-local address.
Step 4. Enable RIP on the interface with the ipv6 rip name enable interface subcommand (where the name matches the ipv6 router rip name global configuration command).
R1# show running-config
! The output is edited to remove lines not pertinent to this example.
! Next, step 1's task: enable IPv6 routing
ipv6 unicast-routing
!
! Next, on 5 interfaces, steps 3 and 4: configuring an IPv6 address,
! and enable RIPng, process "fred".
interface FastEthernet0/0.1
ipv6 address 2012::1/64
ipv6 rip fred enable
!
interface FastEthernet0/0.2
ipv6 address 2017::1/64
ipv6 rip fred enable
!
interface FastEthernet0/1.18
ipv6 address 2018::1/64
ipv6 rip fred enable
!
interface Serial0/0/0.3
ipv6 address 2013::1/64
ipv6 rip fred enable
!
interface Serial0/0/0.4
ipv6 address 2014::1/64
ipv6 rip fred enable
!
interface Serial0/0/0.5
ipv6 address 2015::1/64
ipv6 rip fred enable
!
! Next, step 2's task, creating the RIPng process named "fred"
ipv6 router rip fred
R3# show ipv6 route rip
IPv6 Routing Table - Default - 19 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
B - BGP, M - MIPv6, R - RIP, I1 - ISIS L1
I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
EX - EIGRP external
O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
R 2005::/64 [120/3]
via FE80::11FF:FE11:1111, Serial0/0/0.1
via FE80::22FF:FE22:2222, Serial0/0/0.2
R 2012::/64 [120/2]
via FE80::11FF:FE11:1111, Serial0/0/0.1
via FE80::22FF:FE22:2222, Serial0/0/0.2
! lines omitted for brevity...
R 2099::/64 [120/3]
via FE80::22FF:FE22:2222, Serial0/0/0.2
via FE80::11FF:FE11:1111, Serial0/0/0.1
! Unlike show ip protocols, show ipv6 protocols displays little info.
Integrated Intermediate System-to-Intermediate System
(IS-IS)
• Same as for IPv4
• Extensions for IPv6:
– Two new Type, Length, Value (TLV) attributes:
• IPv6 reachability (with 128-bit prefix) – TLV 236
• IPv6 interface address (with 128 bits) – TLV 232
– New protocol identifier
– Not yet an IETF standard
EIGRP for IPv6
R3# show ipv6 route eigrp
D 2005::/64 [90/2684416]
via FE80::11FF:FE11:1111, Serial0/0/0.1
via FE80::22FF:FE22:2222, Serial0/0/0.2
D 2012::/64 [90/2172416]
via FE80::22FF:FE22:2222, Serial0/0/0.2
via FE80::11FF:FE11:1111, Serial0/0/0.1
D 2014::/64 [90/2681856]
via FE80::11FF:FE11:1111, Serial0/0/0.1
D 2015::/64 [90/2681856]
via FE80::11FF:FE11:1111, Serial0/0/0.1
! lines omitted for brevity...
D 2099::/64 [90/2174976]
via FE80::22FF:FE22:2222, Serial0/0/0.2
via FE80::11FF:FE11:1111, Serial0/0/0.1
! show ipv6 protocols displays less info than its IPv4 cousin.
R3# show ipv6 protocols
IPv6 Routing Protocol is "eigrp 9"
EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
EIGRP maximum hopcount 100
EIGRP maximum metric variance 1
Interfaces:
FastEthernet0/0
Serial0/0/0.1
Serial0/0/0.2
Redistribution:
None
Maximum path: 16
Distance: internal 90 external 170
How OSPF for IPv6 Works
•Similar to IPv4
• The difference between the database and the routing table is that
the database contains a complete collection of raw data; the routing
table contains a list of shortest paths to known
destinations via specific router interface ports.
OSPFv3—Hierarchical Structure
• Topology of an area is invisible from outside of the area:
– LSA flooding is bounded by area.
– SPF calculation is performed separately for each area.
• Backbones must be contiguous.
• All areas must have a connection to the backbone:
– Otherwise a virtual link must be used to connect to the backbone.
OSPFv3—messages
• OSPFv3 uses the same basic packet types as OSPFv2:
– Hello
– Database description (DBD)
– Link state request (LSR)
– Link state update (LSU)
– Link state acknowledgment (ACK)
Enhanced Routing Protocol Support Differences from OSPFv2
OSPFv3 vs OSPF v2
1- OSPFv3 uses IPv6 link-local addresses to identify the
OSPFv3 adjacency neighbors.
5- Multicast addresses:
• FF02::5—Represents all SPF routers on the link-local
scope; equivalent to 224.0.0.5 in OSPFv2
• FF02::6—Represents all DR routers on the link-local scope;
equivalent to 224.0.0.6 in OSPFv2
• Router LSAs and network LSAs contain only 32-bit IDs. They
do not contain prefixes.
The two renamed LSAs are as follows:
• Interarea prefix LSAs for area border routers (ABRs) (type
3):
•Type 3 LSAs advertise internal networks to routers in other areas
(interarea routes). Type 3 LSAs may represent a single network
or a set of networks summarized into one advertisement. Only
ABRs generate summary LSAs. In OSPF for IPv6, addresses for
these LSAs are expressed as prefix, prefix length instead of
address, mask. The default route is expressed as a prefix with
length 0.
• Interarea router LSAs for autonomous system boundary
routers (ASBRs) (type 4):
Type 4 LSAs advertise the location of an ASBR. Routers that are
trying to reach an external network use these advertisements to
determine the best path to the next hop. ASBRs generate type 4
LSAs.
Router(config-rtr)#router-id router-id
For an IPv6-only router, a router ID parameter must be defined in
the OSPFv3 configuration as an IPv4 address using the router-id
router-id command. You can use any IPv4 address as the router ID
value.
Example:
(config)#ipv6 unicast-routing
(config)# ipv6 router ospf 1
(config-rtr)# router-id 2.2.2.2
Router(config-rtr)#area range 1 2001:0DB8::/48
(config)# interface Ethernet0/0
(config-if)# ipv6 address 3FFE:FFFF:1::1/64
(config-if)# ipv6 ospf 1 area 0
(config-if)# ipv6 ospf priority 20
The priority number is used in the designated router election.
(config-if)# ipv6 ospf cost 20
The cost of sending a packet on the interface, expressed
in the link state metric.
OI 2001:0DB8:0:0:7::/64 [110/20]
via FE80::A8BB:CCFF:FE00:6F00, Ethernet0/0
OI 2001:0DB8:0:0:8::/64 [110/100]
via FE80::A8BB:CCFF:FE00:6F00, Ethernet0/0
OI 2001:0DB8:0:0:9::/64 [110/20]
via FE80::A8BB:CCFF:FE00:6F00, Ethernet0/0
OSPFv3 Configuration Example
Router1#
interface S1/1
ipv6 address 2001:410:FFFF:1::1/64
ipv6 ospf 100 area 0
interface S2/0
ipv6 address 3FFE:B00:FFFF:1::2/64
ipv6 ospf 100 area 1
Router2#
interface S3/0
ipv6 address 3FFE:B00:FFFF:1::1/64
ipv6 ospf 100 area 1
■ Redistribution takes routes from the IP routing table, not from the
topology tables and databases controlled by the source routing protocol.
■ The routing protocols use the same default administrative distance (AD)
settings for internal and external routes.
■ The IPv6 version of the redistribute command takes only routes learned
from an IGP but by default does not take connected routes on
interfaces enabled for that IGP. To also redistribute those connected
routes, the redistribute command must include the include-connected
parameter. When an IPv4 routing protocol redistributes from an IGP, it
always attempts to take both the IGP-learned routes and the connected
routes for interfaces enabled for that IGP.
Configuration with
route map:
First, the configuration shows an IPv6 prefix list and a route map that uses
a match ipv6 command that refers to the prefix list. The route map
matches the two LAN subnets in the RIP domain with the first route map
clause and sets the metric to 200. The implied deny clause at the end of
the route map matches all other routes, which makes R2 filter all other
routes from being redistributed into OSPF. As a result, the serial IPv6
subnet, 2000:0:0:1::/64, is filtered by the redistribution process. The show
ipv6 route ospf command on R3 will confirm that R3 learned routes for
both LAN subnets in the RIP domain but no other routes. Of particular
interest, note that OSPFv3 lists the route as OSPF external Type 2,
because just like OSPFv2, OSPFv3 defaults to redistribute routes as
external Type 2 routes. Note also that the output lists metrics for each
route as 200, because R2 set the metric to 200, and OSPF does not add
anything to the metric of E2 routes.
H- Transition richness to IPv6:
Tunneling
Tunneling refers to a process by which one router or host
encapsulates the IPv6 packet inside an IPv4 packet.
The networking devices forward the IPv4 packet, ignoring the fact that the packet's payload is an IPv6 packet. Some later device or host decapsulates the original IPv6 packet, forwarding it on to the final destination.
This action triggers the logic by which the source router determines how to forward the IPv6 packet, inside an IPv4 packet, to the correct router.
In this case, R1 acts as the starting point of the tunnel: the encapsulating router that must dynamically decide to what IPv4 address to encapsulate and send the IPv6 packet.
The figure illustrates the following steps:
Step 1. R1 receives an IPv6 packet on its LAN interface and decides that the packet should be forwarded out its multipoint tunnel interface.
Step 4. R1 puts the original IPv6 packet into the new IPv4 packet.
Tunneling IPv6 over IPv4
A tunnel serves as a virtual point-to-point link between IPv6 domains. It doesn't matter what the underlying IPv4 structure is, as long as there is IP reachability between the tunnel endpoints. This exam covers five ways to tunnel IPv6 over IPv4:
- Manual tunnels
- GRE tunnels
- 6to4 tunnels
- IPv4-compatible IPv6 tunnels
- Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)
Manual Tunnels
When you manually create the tunnel, the source and destination IP addresses are IPv4 addresses because IPv4 is the transport protocol. You might want to use loopback addresses for increased stability. IPv6 addresses go on the tunnel interfaces because IPv6 is the passenger protocol. Because IPv6 considers the tunnel a point-to-point link, the address of each end of the tunnel is in the same subnet. Include the command tunnel mode ipv6ip in tunnel configuration mode to enable IPv6-over-IP encapsulation.
GRE Tunnels
GRE is the default tunnel mode for Cisco routers. It provides
more flexibility because it is protocol-agnostic. It can carry
multiple protocols and can use multiple protocols for its transport,
including IPv6 and routing protocols.
Configuring an IPv4 GRE tunnel to carry IPv6 traffic is the same
as configuring a manual tunnel except you do not have
to specify the tunnel mode because GRE is the default. You can
allow a routing protocol on the tunnel interface, too. The
process is the same as enabling it on a physical interface.
To configure a completely IPv6 GRE tunnel, use IPv6 interface
addresses as the tunnel source and destination. Give the tunnel
endpoints IPv6 addresses, too. You need a command to identify
that the transport protocol is IPv6. That command, given in tunnel
configuration mode, is tunnel mode gre ipv6.
6to4 Tunnels
This technique dynamically creates tunnels that IPv6 considers
point-to-multipoint interfaces. You use the reserved prefix
2002::/16 in your IPv6 domain and then add the IPv4 address of
the dual-stack router on the other side of the IPv4 domain as the
next 32 bits of the network address. This means you need to
translate that IP address into hexadecimal.
When IPv6 traffic arrives at an edge dual-stack router with a
destination IPv6 prefix of 2002::/16, the router looks at the
first 48 bits, derives the embedded IPv4 address from them, and
uses it to determine the packet destination. The router then
encapsulates the IPv6 packet in an IPv4 packet with the extracted
IPv4 address as the packet destination.
Configure a tunnel as before, using an IPv4 address as the
source, but do not manually specify a destination. Give the
tunnel an IPv6 address as previously described, with the tunnel
destination embedded in its prefix. The tunnel mode command is
tunnel mode ipv6ip 6to4.
Each router needs a route to its peer on the other side of the IPv4
network. The only current options for this are static routes and
BGP.
6to4 tunnel configuration example:
ipv6 unicast-routing
!
interface Loopback1
ip address 10.9.9.1 255.255.255.255
!
interface Tunnel0
no ip address
ipv6 address 2002:a09:901::/128
tunnel source Loopback1
tunnel mode ipv6ip 6to4
!
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
ipv6 address 2002:A09:901:1::1/64
!
ipv6 route 2002::/16 Tunnel0
ISATAP Tunnels
ISATAP tunnels are similar to the other two tunnel techniques in
that an IPv4 address is encoded into the IPv6 address.
ISATAP is meant to be used within a site, between hosts and routers,
although it can also be used between sites.
The tunnel source address is an IPv4 address; do not specify a
tunnel destination. The IPv6 address of the tunnel interface
combines three parts: the network prefix, the fixed value
0000:5EFE, and the 32-bit IPv4 tunnel source address, which is
encoded into the least significant 32 bits of the address. Any
network prefix can be used. The tunnel interface link-local
address still starts with FE80 and then uses 0000:5EFE plus the
encoded IPv4 address.
For instance, the link-local address of a tunnel that uses 10.8.8.8
as its source is FE80::5EFE:A08:808.
The unicast IPv6 address of that same tunnel interface, assuming
that prefix 2001:1:2:3::/64 was assigned to the interface, is
2001:1:2:3:0:5EFE:A08:808. ISATAP tunnels do not support
multicast. A route is needed to the tunnel destination if it is in a
different subnet; this can be either a static route or a BGP route.
ISATAP tunnel configuration example:
R1# show running-config
ipv6 unicast-routing
interface Loopback1
ip address 10.9.9.1 255.255.255.255
interface Tunnel9
no ip address
ipv6 address 2000:0:1:9::/64 eui-64
tunnel source Loopback1
tunnel mode ipv6ip isatap
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
ipv6 address 2000:0:1:1::1/64
ipv6 route 2000:0:1:3::/64 2000:0:1:9:0:5EFE:A09:903
ipv6 route 2000:0:1:4::/64 2000:0:1:9:0:5EFE:A09:904
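As an added illustration (not part of the original slides), the address arithmetic behind the 6to4 and ISATAP sections above, written in Python: deriving the 6to4 site prefix from an IPv4 source, the edge router's extraction of the outer IPv4 destination from a 2002::/16 address, and building or decoding ISATAP link-local and unicast addresses. The sample values 10.9.9.1, 10.8.8.8 and 10.9.9.3 are taken from the slides; the function names are my own.

```python
import ipaddress
from typing import Optional

SIXTO4_NET = ipaddress.IPv6Network("2002::/16")
ISATAP_IID_HIGH = 0x00005EFE  # fixed upper 32 bits of an ISATAP interface identifier


def sixto4_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """6to4 site prefix: 2002 followed by the IPv4 address as bits 17-48, i.e. a /48."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    v6 = (0x2002 << 112) | (v4 << 80)
    return ipaddress.IPv6Network((ipaddress.IPv6Address(v6), 48))


def sixto4_egress(ipv6_dst: str) -> Optional[ipaddress.IPv4Address]:
    """What the edge dual-stack router does: if the destination is inside 2002::/16,
    take bits 17-48 as the IPv4 address to put in the outer IPv4 header.
    Returns None for destinations that are not 6to4 addresses."""
    dst = ipaddress.IPv6Address(ipv6_dst)
    if dst not in SIXTO4_NET:
        return None
    return ipaddress.IPv4Address((int(dst) >> 80) & 0xFFFFFFFF)


def isatap_iid(ipv4: str) -> int:
    """ISATAP interface identifier: 0000:5EFE followed by the 32-bit IPv4 source."""
    return (ISATAP_IID_HIGH << 32) | int(ipaddress.IPv4Address(ipv4))


def isatap_address(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """Combine any /64 prefix (fe80::/64 for link-local, or a unicast /64 such as the
    one the eui-64 keyword completes on the Tunnel9 interface) with the ISATAP IID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("ISATAP addresses use a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | isatap_iid(ipv4))


def isatap_embedded_ipv4(ipv6: str) -> Optional[ipaddress.IPv4Address]:
    """Recover the IPv4 tunnel endpoint from an ISATAP address (e.g. the next hop of the
    static routes in the example); None if the IID is not ISATAP-shaped."""
    a = int(ipaddress.IPv6Address(ipv6))
    if (a >> 32) & 0xFFFFFFFF != ISATAP_IID_HIGH:
        return None
    return ipaddress.IPv4Address(a & 0xFFFFFFFF)


if __name__ == "__main__":
    print(sixto4_prefix("10.9.9.1"), sixto4_egress("2002:a09:901:1::1"))
    print(isatap_address("fe80::/64", "10.8.8.8"), isatap_embedded_ipv4("2000:0:1:9:0:5EFE:A09:903"))
```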