CCIE SP Notes For Written

The document provides notes on various topics for the CCIE SP lab exam, including UNI-ENI VLANs versus private VLANs. UNI-ENI VLANs include isolated and community types and apply to individual switches, while private VLANs include primary and secondary VLANs and allow VLAN pairs to be applied to ports, potentially across multiple switches. The notes also contain configuration examples and verification commands for both UNI-ENI and private VLANs on IOS.

Uploaded by

Asif Darvesh

chatasos (ccie-in-2-months.blogspot.com) – Notes: The Series (NTS) for CCIE SP Lab

Notes: The Series (NTS)


Here you will find some of my blog posts (the so-called "Notes: The Series", aka NTS) that
include my personal notes while preparing for the CCIE SPv3 lab. I have put them here so it's
easier for the reader and the community to find all the information in one place.

These should not be treated as a teaching guide, but just a simple guide with interesting
information that might be useful to others besides me. In the majority of the posts, the
included information refers to the lab exam software versions, but there are quite a few
notes and configuration examples that refer to newer versions. Hopefully the information is
correct for the most part, but if you encounter anything that seems wrong, please don't hesitate
to write a comment under the relevant NTS page.

I have used various colors, either on the text or on the background, to aid focusing where
needed. IOS and IOS-XR have a distinct background color, so it's easier to find the one
you're looking for (I tried to put a lot of information about IOS-XR too, since it plays an
important role in the exam). Things that I consider tricky or important are colored in yellow
background. CLI commands and important CLI outputs are colored in blue, while green
and red are used to differentiate between correct and wrong/error/warning wherever
possible.

You can always find the latest version of this file under NTS.

History

Version  Comments
V1.0     Initial version
V1.1     Intro & About me added

1 NTS for CCIE SP Lab by chatasos


About me and the CCIE


While my first CCIE was completed in 3 months, for this one I had put 2 months as a target
due to various major projects running in the following months at my work. You can read the
complete story of my success here.

What is my advice to everyone thinking of trying the current CCIE SP lab? Learn the core
technologies (IGPs, MP-BGP, MPLS/TE, Multicast, IPv6) inside-out, combine and test them
in all possible scenarios (one above the other, one combined with the other, multiple
combinations above or below other technologies, etc.) and then focus on configuration speed.
Think fast, act faster. When you become a master on that, spend some time on every other
topic too. And don't risk any challenges, unless you're crazy like me!

My proposed hints for passing the CCIE SP lab:

- Read the RFCs, participate in IETF WGs
- Use GNS3 for your IOS (and soon IOS-XR) needs
- Use INE's rack rentals or PEC Gold Labs or your work's lab for your IOS-XR needs
- Use INE's full scale labs for testing and improving your readiness
- Keep track of your progress, rate yourself as much as possible but always be honest
- Enable IPv6 on something every day
- Live with MPLS, sleep with MPLS, eat with MPLS, dream of MPLS
- Master the trio of success
- Don't be afraid of changing early your lab tactic if it doesn't work for you
- Take typing lessons

Lab study days: 59
Average lab study hours per day: 6 (from which ~1,5 hours on avg were spent daily on this blog)
Lab study hours: 354,5 (from which ~100 hours were spent on this blog)
Result: PASS

Personally I believe that for someone with a good experience in networking, with
deep understanding of the technologies and with the willingness to devote some hours
of his/her daily schedule to studying and practicing, while at the same time being
honest with his/her readiness, it's absolutely doable to pass any CCIE lab in just a few
months, as long as he/she improves his/her time management skills to compensate for
the strict lab timings.
--
Tassos
CCIE #19858


Table of Contents

UNI-ENI Vlans vs Private Vlans ........ 4
Frame-Relay ........................... 7
PPP/Serial/POS ........................ 14
RIP/RIPng ............................. 22
EIGRP ................................. 27
OSPFv2/OSPFv3 ......................... 38
IS-IS ................................. 54
BGP ................................... 71
Advanced BGP .......................... 85
VRF ................................... 102
MPLS/LDP .............................. 111
L3VPN Redistribution .................. 124
Inter-AS MPLS L3VPN ................... 135
CsC ................................... 148
6PE/6VPE .............................. 162
AToM/L2VPN/VPLS ....................... 176
RSVP/MPLS-TE .......................... 203
Advanced MPLS-TE ...................... 229
Multicast ............................. 270
Advanced Multicast .................... 281
Multicast VPN ......................... 293
BFD ................................... 304
QoS ................................... 309
Other ................................. 313


UNI-ENI Vlans vs Private Vlans


UNI-ENI Vlans (or just UNI Vlans)

Types

- Isolated Vlans
- Community Vlans

Characteristics

- Configuration happens under the Vlan
- Port configuration doesn't include Vlan type
- Each port can include many UNI-ENI Vlans
- Apply to access, trunk, tunnel ports
- There is only local significance per switch
- L3 config applies to each Vlan separately
- MAC addresses are learned on each vlan separately
Configuration

IOS

ME-3400(config)#vlan 150
ME-3400(config-vlan)#uni-vlan ?
  community  UNI/ENI community VLAN
  isolated   UNI/ENI isolated VLAN

IOS

vlan 150
 uni-vlan community

Verification

IOS

ME-3400#sh vlan uni-vlan type
Vlan Type
---- -----------------
1    UNI isolated
150  UNI isolated
1301 UNI community
1302 UNI community

Private Vlans

Types

- Primary Vlan
- Secondary Vlans
  o Isolated Vlans
  o Community Vlans

Characteristics

- Configuration happens under the Vlan and under the Port
- Port configuration includes a pair of Private Vlans
- Each port can include only one pair of Private Vlans
- Apply only to access ports
- There can be global significance between multiple trunked switches
- VTPv3 required to transfer them automatically across switches
- L3 config applies to Primary Vlan only
- MAC addresses are replicated from Secondary to Primary Vlans

Configuration

IOS

vlan 100
 private-vlan primary
 private-vlan association 200,300
!
vlan 200
 private-vlan isolated
!
vlan 300
 private-vlan community
!
interface GigabitEthernet0/7
 port-type nni
 switchport private-vlan mapping 100 200,300
 switchport mode private-vlan promiscuous
!
interface GigabitEthernet0/11
 switchport private-vlan host-association 100 200
 switchport mode private-vlan host
!
interface GigabitEthernet0/12
 switchport private-vlan host-association 100 300
 switchport mode private-vlan host

Primary vlan is configured on every type of port.


Verification

IOS

ME-3400#sh vlan private-vlan
Primary Secondary Type              Ports
------- --------- ----------------- -------------
100     200       isolated          Gi0/7, Gi0/11
100     300       community         Gi0/7, Gi0/12
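As an added illustration of the characteristics listed above (this is not code from the original notes), the following Python models the private-VLAN forwarding rules within one switch: it parses a constructed IOS configuration fragment that reuses the VLAN and port numbers of the example (plus two extra host ports, Gi0/13 and Gi0/14, which are assumptions added so that host-to-host cases can be exercised), records each port's role, and decides which port pairs may exchange frames. It is a convenient way to check that an isolation design does what its author intends before it reaches the switch.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the PVLAN part of a running-config with the same VLAN and port
# numbers as the example above, plus Gi0/13 (community 300) and Gi0/14 (isolated 200).
SAMPLE_CONFIG = """\
vlan 100
 private-vlan primary
 private-vlan association 200,300
!
vlan 200
 private-vlan isolated
!
vlan 300
 private-vlan community
!
interface GigabitEthernet0/7
 switchport private-vlan mapping 100 200,300
 switchport mode private-vlan promiscuous
!
interface GigabitEthernet0/11
 switchport private-vlan host-association 100 200
 switchport mode private-vlan host
!
interface GigabitEthernet0/12
 switchport private-vlan host-association 100 300
 switchport mode private-vlan host
!
interface GigabitEthernet0/13
 switchport private-vlan host-association 100 300
 switchport mode private-vlan host
!
interface GigabitEthernet0/14
 switchport private-vlan host-association 100 200
 switchport mode private-vlan host
"""


@dataclass
class Port:
    name: str
    mode: str = ""                                   # "promiscuous" or "host"
    primary: int = 0
    secondaries: set = field(default_factory=set)    # host: one VLAN; promiscuous: mapped set


def parse_pvlan_config(text):
    """Extract VLAN types and per-port PVLAN roles from an IOS config fragment."""
    vlan_types = {}    # vlan id -> "primary" | "isolated" | "community"
    ports = {}
    current = None     # ("vlan", id) or ("port", name) while inside a block
    for raw in text.splitlines():
        line = raw.strip()
        if line == "!":
            current = None
            continue
        m = re.fullmatch(r"vlan (\d+)", line)
        if m:
            current = ("vlan", int(m.group(1)))
            continue
        m = re.fullmatch(r"interface (\S+)", line)
        if m:
            current = ("port", m.group(1))
            ports[m.group(1)] = Port(m.group(1))
            continue
        if current is None:
            continue
        kind, key = current
        if kind == "vlan":
            m = re.fullmatch(r"private-vlan (primary|isolated|community)", line)
            if m:
                vlan_types[key] = m.group(1)
        else:
            port = ports[key]
            m = re.fullmatch(r"switchport mode private-vlan (promiscuous|host)", line)
            if m:
                port.mode = m.group(1)
            m = re.fullmatch(r"switchport private-vlan (?:mapping|host-association) (\d+) ([\d,]+)", line)
            if m:
                port.primary = int(m.group(1))
                port.secondaries = {int(v) for v in m.group(2).split(",")}
    return vlan_types, ports


def can_forward(a, b, vlan_types, ports):
    """Apply the private-VLAN forwarding rules between two ports of the same switch."""
    pa, pb = ports.get(a), ports.get(b)
    if pa is None or pb is None or not pa.mode or not pb.mode:
        return False
    if pa.primary != pb.primary:              # different primary VLANs never talk
        return False
    if pa.mode == "promiscuous" and pb.mode == "promiscuous":
        return True
    if pa.mode == "promiscuous" or pb.mode == "promiscuous":
        prom, host = (pa, pb) if pa.mode == "promiscuous" else (pb, pa)
        (sec,) = host.secondaries             # a host port has exactly one secondary VLAN
        return sec in prom.secondaries        # ... which the promiscuous port must map
    # both are host ports: only members of the same community VLAN may talk;
    # isolated ports never reach each other
    (sa,), (sb,) = pa.secondaries, pb.secondaries
    return sa == sb and vlan_types.get(sa) == "community"


def reachability(text):
    """Return {(src, dst): bool} for every ordered pair of distinct ports in the config."""
    vlan_types, ports = parse_pvlan_config(text)
    names = sorted(ports)
    return {(a, b): can_forward(a, b, vlan_types, ports) for a in names for b in names if a != b}


if __name__ == "__main__":
    for (a, b), ok in sorted(reachability(SAMPLE_CONFIG).items()):
        print(f"{a:>22} -> {b:<22} {'forward' if ok else 'blocked'}")
```

The model deliberately ignores trunks and VTPv3 propagation (the notes list both as global-significance features); it answers only the single-switch question the verification table shows.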

Frame-Relay
Multiprotocol Interconnect over Frame-Relay is defined in RFC 2427. PPP over Frame Relay
is defined in RFC 1973.

FECN/BECN

FECN (Forward Explicit Congestion Notification)
  o If set to 1, it indicates that congestion was experienced in the direction of the frame
    transmission, so the destination is informed of that congestion.
BECN (Backwards Explicit Congestion Notification)
  o If set to 1, it indicates that congestion was experienced in the direction opposite of the
    frame transmission, so the source is informed of that congestion.

DE

If set to 1 by a DTE device, it indicates that the frame has lower importance than other
frames, so when the network becomes congested, DCE devices can discard this frame before
discarding other frames that do not have the DE bit set.
LMI

LMI VC status messages provide communication and synchronization between Frame Relay
DTE and DCE devices, aka reporting on the status of PVCs.

It's enabled by default on all Frame-Relay interfaces and its type (Cisco, ANSI, Q933a) is
automatically detected.

Use keepalives to track PVC status end-to-end if multiple frame-relay providers are in
between end-points.

IOS

interface Serial2/0
 encapsulation frame-relay
 frame-relay interface-dlci 100
  class FR-MAPCLASS
!
map-class frame-relay FR-MAPCLASS
 frame-relay end-to-end keepalive mode bidirectional

CRC

Frame Relay uses cyclic redundancy check (CRC) as an error-checking mechanism. No error
correction takes place.

Frame-Relay Switching

Routers can be configured as Frame Relay switches (frames from a PVC arriving on an
incoming interface are switched to another PVC on an outgoing interface, so the incoming
DLCI in the arriving frames is replaced by an outgoing DLCI). It applies only to physical
interfaces.

IOS

frame-relay switching
!
interface Serial2/0
 encapsulation frame-relay
 clockrate 64000
 frame-relay intf-type dce
 frame-relay route 200 interface Serial2/1 201
!
interface Serial2/1
 encapsulation frame-relay
 clockrate 64000
 frame-relay intf-type dce
 frame-relay route 201 interface Serial2/0 200
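The following Python is added here and is not taken from the notes. It decodes and builds the two-byte Frame Relay address field whose FECN, BECN and DE bits are described in the FECN/BECN and DE sections above, and then uses a constructed route table equivalent to the two "frame-relay route" statements in the configuration to perform the DLCI swap a Frame Relay switch does on every frame of a PVC. The interface names come from the configuration; the payload bytes and the frame values are constructed sample input.

```python
# Q.922 two-byte address field (the default Frame Relay header):
#   byte 0: DLCI bits 9..4 | C/R | EA=0
#   byte 1: DLCI bits 3..0 | FECN | BECN | DE | EA=1


def decode_fr_header(frame):
    """Split the first two bytes of a frame into the DLCI and the C/R, FECN, BECN, DE bits."""
    if len(frame) < 2:
        raise ValueError("frame too short for a Frame Relay address field")
    b0, b1 = frame[0], frame[1]
    if (b0 & 0x01) or not (b1 & 0x01):
        raise ValueError("only the 2-byte address field (EA=0 then EA=1) is handled here")
    return {
        "dlci": ((b0 >> 2) << 4) | (b1 >> 4),
        "cr": (b0 >> 1) & 1,
        "fecn": (b1 >> 3) & 1,   # congestion seen in the frame's own direction
        "becn": (b1 >> 2) & 1,   # congestion seen in the opposite direction
        "de": (b1 >> 1) & 1,     # discard-eligible when the network is congested
    }


def encode_fr_header(dlci, cr=0, fecn=0, becn=0, de=0):
    """Build the 2-byte address field for a 10-bit DLCI."""
    if not 0 <= dlci <= 1023:
        raise ValueError("a 2-byte address field carries a 10-bit DLCI (0-1023)")
    b0 = ((dlci >> 4) << 2) | ((cr & 1) << 1)                                      # EA = 0
    b1 = ((dlci & 0x0F) << 4) | ((fecn & 1) << 3) | ((becn & 1) << 2) | ((de & 1) << 1) | 1  # EA = 1
    return bytes([b0, b1])


# Constructed route table equivalent to the two "frame-relay route" lines above:
# (incoming interface, incoming DLCI) -> (outgoing interface, outgoing DLCI)
ROUTE_TABLE = {
    ("Serial2/0", 200): ("Serial2/1", 201),
    ("Serial2/1", 201): ("Serial2/0", 200),
}


def switch_frame(in_if, frame, routes=ROUTE_TABLE):
    """What a Frame Relay switch does per PVC: swap the DLCI, keep the other bits and payload.

    Returns (outgoing interface, rewritten frame), or None when no PVC matches the
    (interface, DLCI) pair, in which case the switch drops the frame.
    """
    hdr = decode_fr_header(frame)
    route = routes.get((in_if, hdr["dlci"]))
    if route is None:
        return None
    out_if, out_dlci = route
    new_hdr = encode_fr_header(out_dlci, hdr["cr"], hdr["fecn"], hdr["becn"], hdr["de"])
    return out_if, new_hdr + frame[2:]


if __name__ == "__main__":
    # Constructed sample frame arriving on Serial2/0 with DLCI 200 and the DE bit set.
    frame = encode_fr_header(200, de=1) + b"\x03\xcc\x45\x00"   # payload bytes are constructed
    print(decode_fr_header(frame))
    print(switch_frame("Serial2/0", frame))
```

Note that the congestion and DE bits pass through the switch untouched: a DCE along the path may set FECN/BECN or honour DE, but the DLCI swap itself never changes them.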

"frame-relay switching" might also be required in case of AToM. You should get AToM working
without frame-relay switching, but after you reload the router you may get a message "Must
enable frame-relay switching to configure DCE/NNI" while the bootloader is running.

"no keepalive" must be configured in real networks, GNS3 can work without it.

Address Resolution

IPv4
  o Inverse ARP
  o Static mapping
IPv6
  o Static mapping

IPv6 doesn't need a map for local ping to work (unlike IPv4).

Inverse ARP

- "no frame-relay inverse-arp" disables only the request, replies are always sent
- IPv6 does not use inverse ARP
- point-to-point sub-interfaces do not use inverse ARP

Don't forget to always define one interface (the one providing the clock) of each link as DCE
and set the clock rate.

- only directly connected devices can be resolved with inverse ARP (hub-n-spoke is an issue)
- if there is a static map for a protocol for a PVC, inverse ARP is disabled for that PVC
- dynamic mappings created by inverse ARP are overwritten by static mappings
- use "clear frame-relay inarp" to clear the dynamic mappings (sometimes shut/no-shut or a
  reload might be needed)

Inverse ARP should be avoided when told to:

- not use dynamic maps
- not use unnecessary PVCs
- not use undefined PVCs
- use only specific PVCs

map vs interface-dlci

Frame-Relay "map" command is used on
  o multipoint subinterfaces
  o physical interfaces without inverse-arp
  o physical interfaces with IPv6

Frame-Relay "interface-dlci" command is used on
  o point-to-point subinterfaces
  o multipoint subinterfaces with inverse-arp
  o ppp over frame-relay
  o interfaces with map-class required

Most IPv6 routing protocols use Link Local addresses for next hop and neighboring, so these
need to be mapped too, like the Global Unicast addresses.

In case of hub-n-spoke scenarios, OSPF adjacencies cannot be established between spokes
due to TTL=1.

When a multipoint subinterface is created on a physical interface, all the DLCIs are always
assigned to the physical interface, until they are specifically assigned to the subinterfaces.

Always prefer to use point-to-point subinterfaces.

Configurations (IOS)

Physical Interface (IPv4)

interface Se0/0
 encapsulation frame-relay
 ip address 10.10.10.10 255.255.255.0
 frame-relay map ip 10.10.10.11 100 broadcast

"frame-relay map" is needed if DLCIs aren't provided by a frame-relay switch.

Physical Interface (IPv6)

interface Se0/0
 encapsulation frame-relay
 ipv6 address 2001::10:10:10:1/64
 ipv6 address fe80::1 link-local
 frame-relay map ipv6 2001::10:10:10:2/64 100 broadcast
 frame-relay map ipv6 fe80::2 100 broadcast

Mapping is required for both LLAs and GUAs in IPv6.

Always define manually the IPv6 Link Local Address on each interface if you plan to use it in
a map statement.

Point-to-Point Subinterface (IPv4)

interface Se0/0.1 point-to-point
 ip address 10.10.10.1 255.255.255.0
 frame-relay interface-dlci 101

Point-to-Point Subinterface (IPv6)

interface Se0/0.1 point-to-point
 ipv6 address 2001::10:10:10:1/64
 frame-relay interface-dlci 101

Multi-point Subinterface (IPv4)

interface Se0/0.1 multipoint
 ip address 10.10.10.1 255.255.255.0
 frame-relay map ip 10.10.10.2 102 broadcast
 frame-relay map ip 10.10.10.3 103 broadcast

Multi-point Subinterface (IPv6)

interface Se0/0.1 multipoint
 ipv6 address 2001::10:10:10:1/64
 ipv6 address fe80::1 link-local
 frame-relay map ipv6 2001::10:10:10:2/64 102 broadcast
 frame-relay map ipv6 fe80::2 102 broadcast
 frame-relay map ipv6 2001::10:10:10:3/64 103 broadcast
 frame-relay map ipv6 fe80::3 103 broadcast

Configuration Examples

point-to-point on one side

IOS

interface POS2/0
 encapsulation frame-relay
!
interface POS2/0.1 point-to-point
 ip address 1.1.1.1 255.255.255.0
 ipv6 address fe80::1 link-local
 ipv6 address 2001:1:1:1::1/64
 frame-relay interface-dlci 22

IOS-XR

interface POS2/0
 encapsulation frame-relay
!
interface POS2/0.1 point-to-point
 ipv4 address 1.1.1.1/24
 ipv6 address fe80::1 link-local
 ipv6 address 2001:1:1:1::1/64
 pvc 22

physical interface on the other side

IOS

interface POS2/0
 encapsulation frame-relay
 ip address 1.1.2.2 255.255.255.0
 ipv6 address 2001:1:1:1::2/64
 frame-relay map ipv6 fe80::1 22 broadcast
 frame-relay map ipv6 2001:1:1:1::1 22 broadcast
 frame-relay map ip 1.1.1.1 22 broadcast
 frame-relay intf-type dce

IOS-XR

not supported

PPP over Frame-Relay

Use this when you have frame-relay and you require authentication or other PPP specific
characteristics.

DCE Router (IOS)

interface Serial2/0
 encapsulation frame-relay
 clock rate 64000
 frame-relay interface-dlci 100 ppp Virtual-Template1
 frame-relay intf-type dce
!
interface Virtual-Template1
 ip address 1.1.1.1 255.255.255.0

DTE Router (IOS)

interface Serial0/0
 encapsulation frame-relay
 frame-relay interface-dlci 100 ppp Virtual-Template2
!
interface Virtual-Template2
 ip address 1.1.1.2 255.255.255.0

Under the virtual-template you can configure whatever parameters are applicable to ppp in
general.

You might have issues with POS interfaces and PPPoFR in GNS3. Try to use Serial
interfaces instead.

Multilink Frame-Relay

R1 (IOS)

interface Serial2/0
 encapsulation frame-relay MFR1
 clock rate 64000
!
interface MFR1
 ip address 12.12.12.2 255.255.255.0
 frame-relay map ip 12.12.12.8 100 broadcast
 frame-relay intf-type dce

R2 (IOS)

interface Serial0/0
 encapsulation frame-relay MFR1
!
interface MFR1
 ip address 12.12.12.8 255.255.255.0
 frame-relay map ip 12.12.12.2 100 broadcast

IOS

R1#sh frame-relay multilink
Bundle: MFR1, State = up, class = A, fragmentation disabled
 BID = MFR1
 Bundle links:
  Serial2/0, HW state = up, link state = Up, LID = Serial2/0

Frame-relay configuration is the usual one. You can also use MFR subinterfaces.

Hints

If you somehow need to differentiate traffic on a Serial/POS interface, then by using frame-relay
encapsulation on it you can define subinterfaces based on DLCIs. Another (maybe more
complex) solution would be to use multiple ppp virtual-templates.

PPP/Serial/POS
PPP (Point-to-Point Protocol) is defined in RFC 1661. PPPoE (PPP over Ethernet) is
described in RFC 2516.

Serial

PPP

You can use "no peer neighbor route" in order to disable creating a /32 for the peer address.

Don't forget to set the clock rate (i.e. 64000) on the DCE interface (usually the one on the
service provider router).

Multilink PPP

R1 (IOS)

interface Serial2/0
 encapsulation ppp
 ppp multilink
 ppp multilink group 1
 clock rate 64000
!
interface Multilink1
 ip address 12.12.12.1 255.255.255.0
 ppp multilink
 ppp multilink group 1

R2 (IOS)

interface Serial0/0
 encapsulation ppp
 ppp multilink
 ppp multilink group 1
!
interface Multilink1
 ip address 12.12.12.2 255.255.255.0
 ppp multilink
 ppp multilink group 1


Multichassis Multilink PPP

SGBP is used between routers to coordinate them for multilink ppp termination.

R4 (IOS)

sgbp group SGBP-GRP
sgbp member R5 5.5.5.5
sgbp source-ip 4.4.4.4
!
username SGBP-GRP password 0 SGBP-PASS
!
multilink virtual-template 1
!
interface Virtual-Template1
 ip unnumbered Loopback0
 ppp multilink

R5 (IOS)

sgbp group SGBP-GRP
sgbp member R4 4.4.4.4
sgbp source-ip 5.5.5.5
!
username SGBP-GRP password 0 SGBP-PASS
!
multilink virtual-template 1
!
interface Virtual-Template1
 ip unnumbered Loopback0
 ppp multilink

IOS

R4#sh sgbp
Group Name: SGBP-GRP Ref: 0xDE80000
Seed bid: default, 50, default seed bid setting
Member Name: R5 State: active Id: 1 Ref: 0xABC0000
 Address: 5.5.5.5
 Other Active Address: 20.4.5.5

PPPoE

IOS

PPPoE server

bba-group pppoe global
 virtual-template 1
!
interface Virtual-Template1
 mtu 1492
 ip address 10.10.10.1 255.255.255.0
!
interface X
 pppoe enable group global

PPPoE client

interface X
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface Dialer1
 mtu 1492
 ip address 10.10.10.2 255.255.255.0
 encapsulation ppp
 dialer pool 1

Interface X is assumed to be an ethernet interface.

You must define "encapsulation ppp" under the dialer, otherwise the ppp call won't happen.
Not all routers support the PPPoE functionality.
PPPoE server/client is not supported on IOS-XR of C12k.

PPP Authentication

IOS

Server

username USERNAME password PASSWORD
!
interface POS2/0
 encapsulation ppp
 ppp authentication chap

Client

interface POS2/0
 encapsulation ppp
 ppp chap hostname USERNAME
 ppp chap password PASSWORD

If you don't define a chap hostname, then the router's name is used as the username.

In the following example the first router authenticates the second using CHAP (encrypted),
while the second router authenticates the first using PAP (cleartext).

IOS

Server & Client #1

username R2-USER password R2-PASS
!
interface POS2/0
 encapsulation ppp
 ppp authentication chap
 ppp pap sent-username R1-USER password R1-PASS

Server & Client #2

username R1-USER password R1-PASS
!
interface POS2/0
 encapsulation ppp
 ppp authentication pap
 ppp chap hostname R2-USER
 ppp chap password R2-PASS
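To make the difference between the two methods concrete, here is an added Python model (not code from the notes) of what actually crosses the link in each direction of the example above. CHAP per RFC 1994 returns MD5(Identifier || secret || Challenge), so the secret itself is hashed rather than sent and a fresh challenge defeats replay of an earlier response; a PAP Authenticate-Request per RFC 1334 carries the password as plain bytes. The user names and secrets reuse the ones in the configuration; the identifier and challenge values are constructed.

```python
import hashlib
import hmac
import os
import struct

# CHAP (RFC 1994): Response = MD5(Identifier || secret || Challenge). The secret never
# travels over the link, but both routers must hold the same secret (the
# "username ... password" lines in the configuration above).
# PAP (RFC 1334): the Authenticate-Request carries Peer-ID and Password as-is.


def chap_response(identifier, secret, challenge):
    """Client side: the 16-byte MD5 value returned for a given challenge."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(identifier, secret, challenge, response):
    """Server side: recompute the expected value and compare in constant time."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(server_secret, client_secret, identifier=1, challenge=None):
    """One Challenge/Response round between a CHAP server and a client.

    Returns (authenticated, response_bytes). The challenge is chosen by the server;
    it must be unpredictable and never reused, otherwise a recorded response could
    be replayed against the same challenge.
    """
    if challenge is None:
        challenge = os.urandom(16)
    response = chap_response(identifier, client_secret, challenge)      # sent by the client
    authenticated = chap_verify(identifier, server_secret, challenge, response)
    return authenticated, response


def pap_authenticate_request(peer_id, password):
    """PAP Authenticate-Request payload: Peer-ID-Length, Peer-ID, Passwd-Length, Password."""
    return (struct.pack("B", len(peer_id)) + peer_id +
            struct.pack("B", len(password)) + password)


if __name__ == "__main__":
    # Router #1 (CHAP server) challenges R2-USER, whose configured secret is R2-PASS.
    ok, resp = chap_exchange(b"R2-PASS", b"R2-PASS", identifier=7)
    print("CHAP authenticated:", ok, "response on the wire:", resp.hex())
    # Router #2 (PAP server) receives R1-USER's password in the clear.
    print("PAP request bytes:", pap_authenticate_request(b"R1-USER", b"R1-PASS"))
```

The "encrypted" in the notes is really hashing: the CHAP server still needs the cleartext secret on both routers to recompute the hash, which is why the username lines store it rather than a digest.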

POS (Packet over SONET/SDH)

POS default MTU is 4470.

MPLS-TE isn't supported on POS frame-relay subinterfaces on C12k running IOS-XR.



POS Configuration

You will find most configurations parameters under the following command:

IOS

R1(config-if)#pos ?
  ais-shut      Send LAIS when shutdown
  delay         Delay POS alarm triggers
  flag          Specify byte value
  framing       specify framing
  report        enable reporting of selected alarms
  scramble-atm  Enable POS SPE scrambling
  threshold     Set BER threshold values

Verification checks can be performed with:

IOS

R1#sh controllers pos2/0
POS2/0
SECTION
  LOF = 0          LOS    = 0                            BIP(B1) = 0
LINE
  AIS = 0          RDI    = 0          FEBE = 0          BIP(B2) = 0
PATH
  AIS = 0          RDI    = 0          FEBE = 0          BIP(B3) = 0
  LOP = 0          NEWPTR = 0          PSE  = 0          NSE     = 0
  PLM = 0          UNEQ   = 1          TIM  = 0          TIU     = 0

Active Defects: PUNEQ
Active Alarms:  None
Alarm reporting enabled for: SF SLOS SLOF B1-TCA B2-TCA PLOP B3-TCA

Framing: SONET
APS
  COAPS = 0          PSBF = 0
  State: PSBF_state = False
  Rx(K1/K2): 00/00  Tx(K1/K2): 00/00
  S1S0 = 00, C2 = 00
  Remote aps status (none); Reflected local aps status (none)
CLOCK RECOVERY
  RDOOL = 0
  State: RDOOL_state = False
PATH TRACE BUFFER: STABLE
  Remote hostname :
  Remote interface:
  Remote IP addr  :
  Remote Rx(K1/K2):  /   Tx(K1/K2):  /

BER thresholds:  SF = 10e-3  SD = 10e-6
TCA thresholds:  B1 = 10e-6  B2 = 10e-6  B3 = 10e-6
Clock source: line

Don't expect all things to work in GNS3.

Keepalives

The keepalive command applies to serial interfaces using HDLC or PPP encapsulation. It
does not apply to serial interfaces using Frame Relay encapsulation.

Keepalives are independent between the two peers. One peer end can have keepalives
enabled; the other end can have them disabled. Even if keepalives are disabled locally, LCP
still responds with ECHOREP packets to the ECHOREQ packets it receives.

CRC

The cyclic redundancy check (CRC) on a serial interface defaults to a length of 16 bits. You
can change it to 32 bits.

IOS

interface POS2/0
 crc 32

IOS

R1#sh int pos2/0
POS2/0 is up, line protocol is up
  Hardware is Packet over Sonet
  Internet address is 10.10.10.1/24
  MTU 4470 bytes, BW 155000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, crc 32, loopback not set

POS Channel

POS channel link bundling provides load-balancing across all active links in a bundle.

IOS

interface pos-channel 1
 ip address 30.30.30.1 255.255.255.0
!
interface pos2/0
 channel-group 1
!
interface pos3/0
 channel-group 1

POS link bundling is supported on very specific hardware.

APS

The APS feature provides redundancy and allows for a switchover of POS circuits in the
event of circuit failure.

You configure a pair of SONET/SDH lines for line redundancy. When the Working (W)
interface fails, the Protect (P) interface quickly assumes the traffic load (usual switchover time
is 50 ms).

Most configuration options are found under the "aps" command:

IOS

R1(config-if)#aps ?
  authentication  Authentication string
  force           Force channel
  group           Group association
  lockout         Lockout protection channel
  manual          Manually switch channel
  protect         Protect specified circuit
  reflector       Configure for reflector mode APS
  revert          Specify revert operation and interval
  signalling      Specify SONET/SDH K1K2 signalling
  timers          APS timers
  unidirectional  Configure for unidirectional mode
  working         Working channel number


Configuration

IOS

interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface POS2/0
 ip address 10.10.10.1 255.255.255.0
 aps group 10
 aps working 1
!
interface POS3/0
 ip address 20.20.20.1 255.255.255.0
 aps group 10
 aps protect 1 1.1.1.1
 aps revert 1

You need to configure a similar setup on the peer router too.

You can have the Working and Protect interfaces on different routers and they will
communicate with each other using PGP (Protect Group Protocol), which runs over UDP.

IOS

R1#sh aps
POS3/0 APS Group 10: protect channel 0 (Inactive)
        Working channel 1 at 1.1.1.1 (Enabled)
        bidirectional, revertive (60 seconds)
        PGP timers (default): hello time=1; hold time=3
                hello fail revert time=120
        SONET framing; SONET APS signalling by default
        Received K1K2: 0x00 0x00
                No Request (Null)
        Transmitted K1K2: 0x00 0x05
                No Request (Null)
        Remote APS configuration: (null)
POS2/0 APS Group 10: working channel 1 (Active)
        Protect at 1.1.1.1
        PGP timers (from protect): hello time=1; hold time=3
        SONET framing
        Remote APS configuration: (null)

You need an ADM between the routers for the K1/K2 signals to work.

RIP/RIPng
RIPv1 (Routing Information Protocol v1) is defined in RFC 1058. RIPv2 is defined in RFC
2453.
RIPng (RIP for IPv6) is defined in RFC 2080.

RIP uses UDP port 520.

Metric = hop count (1-16) - use offset-list to modify.

Admin distance is 120.
RIP v1

If the advertised prefix is part of a directly connected network, the subnet mask of that
connected interface is used as the subnet mask of the prefix. Otherwise, major classes A/B/C
are used accordingly.

Use secondary ip addresses on intermediate links to fix the discontinuous class issues in RIP
v1.

RIP v1 updates are sent as broadcast to 255.255.255.255
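The classful rule above can be written down as a small function. This is an added Python example, not part of the original notes; the addresses in it are constructed. It also shows the discontiguous-network problem the notes mention: a /24 of 172.16.0.0 learned across a 10.0.0.0 link can only be installed as 172.16.0.0/16.

```python
import ipaddress

CLASSFUL_PREFIXLEN = {"A": 8, "B": 16, "C": 24}


def address_class(addr):
    """Classful class of an IPv4 address (only A/B/C can carry RIPv1 routes)."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:
        return "A"
    if first_octet < 192:
        return "B"
    if first_octet < 224:
        return "C"
    raise ValueError(f"{addr} is not a class A/B/C address")


def major_network(addr):
    """The classful (major) network an address belongs to, e.g. 10.0.0.0/8."""
    return ipaddress.ip_network((str(addr), CLASSFUL_PREFIXLEN[address_class(addr)]), strict=False)


def ripv1_infer_prefix(advertised, receiving_interface):
    """Prefix a RIPv1 listener installs for a destination that arrived without a mask.

    advertised:          dotted destination from the update, e.g. "10.1.2.0"
    receiving_interface: address/mask of the interface the update came in on, e.g. "10.1.1.1/24"
    """
    dest = ipaddress.IPv4Address(advertised)
    iface = ipaddress.ip_interface(receiving_interface)
    if major_network(dest) == major_network(iface.ip):
        # same major network as the receiving interface: borrow that interface's mask
        return ipaddress.ip_network((str(dest), iface.network.prefixlen), strict=False)
    # different major network: only the classful mask can be assumed
    return major_network(dest)


if __name__ == "__main__":
    # Constructed updates received on a 10.1.1.0/24 link.
    for dest in ("10.1.2.0", "10.1.3.0", "172.16.1.0", "192.168.5.0"):
        print(f"{dest:>12} -> {ripv1_infer_prefix(dest, '10.1.1.1/24')}")
```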

RIP v2

- classless routing
- next-hop included in updates
- authentication
- external route tags
- multicast updates (to 224.0.0.9)

RIP default mode

- send v1 updates
- listen to v1/v2 updates

Passive interface

- listens to RIP messages (use filtering to block if required)
- doesn't send RIP updates (unless a specific neighbor is configured)
- updates the routing table

In IOS, you can use "ip rip triggered" under serial interfaces (on both neighbors) to minimize
the number of updates.

Unicast updates

You can specify a specific neighbor for sending unicast updates.

IOS

router rip
 neighbor 10.1.1.2

IOS-XR

router rip
 neighbor 10.1.1.2

Use the command "no validate-update-source" under the RIP process if you want to enable
exchange of routes between neighbors with different networks.

Configuration

IOS

router rip
 version 2
 network 10.0.0.0
 no auto-summary

IOS-XR

router rip
 interface X
 !
 no auto-summary

IOS-XR has v2 enabled by default. You need to change the send/receive version under the
interface if v1 is required.

Unless told otherwise, always enable v2 and disable auto-summary.



Route Summarization

IOS

interface Serial2/0
 ip summary-address rip x.x.x.x y.y.y.y

IOS-XR

not supported

Route Filtering

- prefix-list & gateway
  o distribute-list prefix PREFIXES gateway SOURCES in
- extended ACL
  o distribute-list X in
  o access-list x permit ip host SOURCE host PREFIX

Authentication

Two methods:

- clear text
- MD5

IOS

interface X
 ip rip authentication mode md5
 ip rip authentication key-chain KEYCHAIN
!
key chain KEYCHAIN
 key 1
  key-string TESTPASS

IOS-XR

router rip
 interface TenGigE0/0/0/0
  authentication keychain KEYCHAIN mode md5
!
key chain KEYCHAIN
 key 1
  key-string TESTPASS

PE-CE

CE

IOS

router rip
 version 2
 network 10.0.0.0
 no auto-summary

IOS-XR

router rip
 interface X
 !
 no auto-summary

PE

IOS

router rip
 address-family ipv4 vrf VPN
  version 2
  network 10.0.0.0
  no auto-summary
 exit-address-family

IOS-XR

router rip
 vrf VPN
  interface X
  !
  no auto-summary

In IOS, if RIP v2 is to be used, then it must be defined under the ipv4 vrf address-family on
the PE.

RIPng (IPv6)

Same as RIPv2, except:

- uses UDP port 521 (can be changed)
- updates are sent to FF02::9 (can be changed)
- metric can be changed per incoming interface (not per received/advertised prefix)
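The RIPv2 feature list earlier in this section and the RIPng differences above are easiest to see on the wire. The parser below is an added example (not part of the original notes and not Cisco code) that decodes RIPv2 and RIPng packets as RFC 2453 and RFC 2080 define them: a v1 entry that carries a route tag, subnet mask or next hop is rejected, the authentication entry (a v2-only construct) has to be the first one, and RIPng carries its next hop in a separate RTE and lives on UDP 521 / FF02::9. The sample packets are constructed inline; the "TESTPASS" password reuses the key-string from the authentication example above.

```python
import ipaddress
import struct

# Transport facts from RFC 2453 (RIPv2) and RFC 2080 (RIPng)
RIP_PORT, RIPV2_GROUP = 520, "224.0.0.9"
RIPNG_PORT, RIPNG_GROUP = 521, "ff02::9"
AUTH_AFI = 0xFFFF            # entry with this AFI is an authentication entry
RIPNG_NEXTHOP_METRIC = 0xFF  # RTE with this metric carries a next hop, not a route


def parse_rip(payload: bytes) -> dict:
    """Parse a RIPv1/RIPv2 packet: 4-byte header, then 20-byte entries."""
    command, version, _mbz = struct.unpack("!BBH", payload[:4])
    if version not in (1, 2):
        raise ValueError(f"unsupported RIP version {version}")
    body = payload[4:]
    if len(body) % 20:
        raise ValueError("RIP body is not a whole number of 20-byte entries")
    result = {"version": version, "command": command, "auth": None, "routes": []}
    for off in range(0, len(body), 20):
        afi, tag = struct.unpack("!HH", body[off:off + 4])
        if afi == AUTH_AFI:
            if tag == 1:  # RFC 2082 trailer: the 16-byte MD5 digest
                if not result["auth"] or result["auth"]["type"] != "md5":
                    raise ValueError("MD5 trailer without an MD5 header entry")
                result["auth"]["digest"] = body[off + 4:off + 20]
                continue
            if version == 1 or off != 0:  # v2 only, and it must be the first entry
                raise ValueError("misplaced authentication entry")
            if tag == 2:    # simple password, zero-padded to 16 bytes
                pw = body[off + 4:off + 20].rstrip(b"\x00").decode("ascii")
                result["auth"] = {"type": "simple", "password": pw}
            elif tag == 3:  # keyed MD5 header (RFC 2082)
                _len, key_id, _alen, seq = struct.unpack("!HBBI", body[off + 4:off + 12])
                result["auth"] = {"type": "md5", "key_id": key_id, "seq": seq}
            else:
                result["auth"] = {"type": f"unknown-{tag}"}
            continue
        addr, mask, nexthop, metric = struct.unpack("!4s4s4sI", body[off + 4:off + 20])
        if version == 1 and (tag or mask.strip(b"\x00") or nexthop.strip(b"\x00")):
            # RFC 2453 3.6: tag, mask and next hop MUST be zero in a v1 entry
            raise ValueError("RIPv1 entry carries v2-only fields (tag/mask/next hop)")
        if version == 2:
            net = f"{ipaddress.IPv4Address(addr)}/{ipaddress.IPv4Address(mask)}"
            prefix = str(ipaddress.IPv4Network(net, strict=False))
        else:
            prefix = str(ipaddress.IPv4Address(addr))  # v1: receiver infers a classful mask
        result["routes"].append({"prefix": prefix, "tag": tag, "metric": metric,
                                 "nexthop": str(ipaddress.IPv4Address(nexthop))})  # 0.0.0.0 = sender
    return result


def parse_ripng(payload: bytes) -> dict:
    """Parse a RIPng packet: same 4-byte header, 20-byte RTEs of prefix/tag/len/metric."""
    command, version, _mbz = struct.unpack("!BBH", payload[:4])
    if version != 1:
        raise ValueError(f"unsupported RIPng version {version}")
    body = payload[4:]
    if len(body) % 20:
        raise ValueError("RIPng body is not a whole number of 20-byte RTEs")
    routes, nexthop = [], None
    for off in range(0, len(body), 20):
        prefix, tag, plen, metric = struct.unpack("!16sHBB", body[off:off + 20])
        if metric == RIPNG_NEXTHOP_METRIC:
            # RFC 2080 2.1.1: a next-hop RTE applies to the RTEs that follow it;
            # :: means "use the sender's link-local address"
            nh = ipaddress.IPv6Address(prefix)
            nexthop = None if nh == ipaddress.IPv6Address("::") else str(nh)
            continue
        routes.append({"prefix": str(ipaddress.IPv6Network((prefix, plen), strict=False)),
                       "tag": tag, "metric": metric, "nexthop": nexthop})
    return {"version": version, "command": command, "routes": routes}


def _rte_v2(prefix: str, tag: int, nexthop: str, metric: int) -> bytes:
    net = ipaddress.IPv4Network(prefix)
    return struct.pack("!HH4s4s4sI", 2, tag, net.network_address.packed,
                       net.netmask.packed, ipaddress.IPv4Address(nexthop).packed, metric)


# Constructed RIPv2 response: simple-password entry, a tagged route, a route with explicit next hop
SAMPLE_RIPV2 = (struct.pack("!BBH", 2, 2, 0)
                + struct.pack("!HH16s", AUTH_AFI, 2, b"TESTPASS")
                + _rte_v2("172.16.0.0/16", 100, "0.0.0.0", 3)
                + _rte_v2("10.1.1.0/24", 0, "10.1.2.5", 1))

# Constructed RIPng response: next-hop RTE (fe80::1) followed by one route
SAMPLE_RIPNG = (struct.pack("!BBH", 2, 1, 0)
                + struct.pack("!16sHBB", ipaddress.IPv6Address("fe80::1").packed, 0, 0, RIPNG_NEXTHOP_METRIC)
                + struct.pack("!16sHBB", ipaddress.IPv6Address("2001:db8:1::").packed, 7, 64, 2))

# Constructed packet claiming version 1 but carrying a subnet mask: rejected
BAD_RIPV1 = struct.pack("!BBH", 2, 1, 0) + _rte_v2("10.1.1.0/24", 0, "0.0.0.0", 1)
```

The simple-password entry shows why "clear text" authentication is only a misconfiguration guard: the password travels in the packet. A next hop of 0.0.0.0 (or :: in RIPng) means "via the sender", which is what you see in the normal case; a non-zero next hop is the v2 feature the list above refers to.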

IOS

interface X
 ipv6 rip RIPNG enable
!
ipv6 router rip RIPNG
 port 528 multicast-group FF02::8

IOS-XR

not supported

Defining the RIPng process is not required in IOS; it gets created automatically once you enable it under an interface. Removing the RIPng process will also remove the related configuration from all interfaces.

The process name is only locally significant.

Since you can have multiple RIPng processes, each process must use a different UDP port so that incoming updates can be told apart.


EIGRP
EIGRP (Enhanced Interior Gateway Routing Protocol) is described in draft-savage-eigrp (since published as RFC 7868).

EIGRP is IP protocol number 88.

Packets are sent to multicast 224.0.0.10 (IPv4) or FF02::A (IPv6).
Metrics

- bandwidth
  - minimum bandwidth (kbps) => 10^7 / bandwidth
- delay
  - total route delay (tens of microseconds) => delay/10
- reliability
  - likelihood of successful packet transmission (0-255)
- load
  - effective load of the route (0-255)
- mtu
  - minimum MTU size (bytes)

All metrics are calculated from the outgoing interface towards the destination.

metric = [K1 * bandwidth + (K2 * bandwidth) / (256 - load) + K3 * delay] * [K5 / (reliability + K4)]

The second factor is only applied when K5 is non-zero; with K5=0 the metric is just the first bracket.

Default

- K1=K3=1
- K2=K4=K5=0

Bandwidth and delay are the only ones used by default, so:

metric = (10^7/bandwidth + delay/10) x 256

Example

- minimum bandwidth = 100 Kbps
- total delay = 20000 + 5000 = 25000 usec
- metric = (10^7/100 + 25000/10) x 256 = 26240000

Mismatched K values (weights for EIGRP metrics) prevent the neighbor relationship from forming.

IOS

router eigrp 1
 metric weights 0 1 0 1 0 0

IOS-XR

router eigrp 1
 address-family ipv4
  metric weights 0 1 0 1 0 0

Route Selection

- The lowest calculated metric from a router to a destination is called the feasible distance (FD) of that destination
- If a neighbor's advertised (reported) distance to a destination is lower than the router's FD, then that neighbor becomes a feasible successor (FS) for that destination
- Every destination for which there is at least one FS will be kept in the router's EIGRP topology table
- For every destination in the router's EIGRP topology table, the route with the lowest metric will be installed in the RIB
- The neighbor advertising that route is the successor for that destination

Load Balancing

By default traffic to equal cost paths (up to 4) is load balanced.

Unequal-Cost Load Balancing

You can use a variance as a multiplier to determine which routes are eligible for unequal-cost load balancing, according to the following condition:

route metric < lowest cost metric * variance

Routes that follow the above rule (and are feasible successors) are installed into the RIB as long as maximum-paths (default=4) is not exceeded.
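As an added example (not from the original notes), the following Python puts the metric formula, the feasibility condition and the variance rule together. The worked numbers are the 26240000 example above plus the FastEthernet values from the "show ip eigrp topology" output later in this section (28160 for a connected FE segment, 30720 one FE hop away); the third candidate path and all neighbor addresses are constructed, to show that variance never installs a path that is not a feasible successor, however small its metric.

```python
from dataclasses import dataclass

K_DEFAULT = (1, 0, 1, 0, 0)  # K1..K5


def eigrp_metric(min_bw_kbps: int, total_delay_usec: int, reliability: int = 255,
                 load: int = 1, k: tuple = K_DEFAULT) -> int:
    """Classic EIGRP composite metric from the formula above, scaled by 256."""
    k1, k2, k3, k4, k5 = k
    bw = 10**7 // min_bw_kbps        # inverse of the slowest hop (kbps)
    delay = total_delay_usec // 10   # sum of hop delays, in tens of microseconds
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay
    if k5:                           # the reliability factor only exists when K5 != 0
        metric = metric * k5 // (reliability + k4)
    return metric * 256


@dataclass(frozen=True)
class Path:
    neighbor: str
    reported_distance: int  # RD/AD: the neighbor's own metric to the destination
    metric: int             # our metric via that neighbor


def dual_select(paths: list, variance: int = 1, max_paths: int = 4) -> dict:
    """Successor / feasible-successor selection, then the variance rule for the RIB."""
    fd = min(p.metric for p in paths)
    successors = [p for p in paths if p.metric == fd]
    # Feasibility condition: RD < FD proves the neighbor cannot be routing through us
    feasible = [p for p in paths if p.metric != fd and p.reported_distance < fd]
    # variance only widens the RIB to feasible successors, never to arbitrary paths
    unequal = [p for p in feasible if p.metric < fd * variance]
    installed = sorted(successors + unequal, key=lambda p: p.metric)[:max_paths]
    return {"fd": fd, "successors": successors, "feasible_successors": feasible,
            "installed": installed}


# Constructed candidates for 10.5.8.0/24. 28160/30720 are the FastEthernet numbers
# from the topology output later in this section; the other values are made up.
PATHS_10_5_8 = [
    Path("10.1.2.2", reported_distance=28160, metric=30720),  # the successor
    Path("10.1.3.3", reported_distance=28160, metric=33280),  # RD < FD: feasible successor
    Path("10.1.4.4", reported_distance=35840, metric=38400),  # RD >= FD: not proven loop-free
]
```

With variance 2 the threshold is 61440: 10.1.3.3 gets installed, but 10.1.4.4 does not, even though 38400 is well under the threshold, because its reported distance is not below the FD. That is the detail the one-line condition above leaves out, and it is also why a K-value change (which alters every metric) can silently change which paths qualify.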

Traffic Sharing

- balanced (default)
  - traffic is distributed proportionately to the ratios of the route metrics
- minimum
  - traffic is distributed equally across all paths that have a cost equal to the minimum cost path

In general:

- variance
  - affects which non-lowest cost routes are installed into the RIB
- traffic-share
  - affects how traffic is distributed across the installed routes
IOS

router eigrp 1
 traffic-share min across-interfaces
 variance x

IOS-XR

router eigrp 1
 address-family ipv4
  variance x

Traffic-share is not supported in IOS-XR.

In order to use only one path for traffic forwarding, but install more different-cost paths into the RIB (for faster convergence), you can use a combination of both features: variance installs the extra paths and traffic-share min keeps forwarding on the lowest-cost one.

Stub Routing

A router that is configured as a stub with the "eigrp stub" command cannot be used as transit and shares connected and summary routing information with all neighbor routers by default. Generally, the following can be permitted/denied explicitly:

- connected
- static
- summary
- redistributed
- leak-map
- receive-only

Stub routing also minimizes the exchange of queries, since neighbors do not query a stub router.

Route Summarization

IOS

interface X
 ip summary-address eigrp 100 x.x.x.x y.y.y.y



IOS-XR

router eigrp 100
 address-family ipv4
  interface X
   summary-address x.x.x.x/y

A default route can be originated the same way (summarize 0.0.0.0/0).

Split-horizon

Split horizon blocks route information from being advertised by a router out of any interface from which that information was learned. With non-broadcast multi-access networks (such as Frame Relay multipoint), you may need to disable it with "no ip split-horizon eigrp x".

An alternative is poison-reverse: once you learn of a route through an interface, advertise it as unreachable back through that same interface.

Configuration

IOS

router eigrp 1
 network 1.1.1.0 0.0.0.255
!
ipv6 router eigrp 1
!
interface X
 ipv6 eigrp 1

IOS-XR

router eigrp 1
 address-family ipv4
  interface X
 !
 address-family ipv6
  interface X

"ip hello-interval eigrp x" and "ip hold-time eigrp x" under an interface can be used to tune the convergence time.


Authentication

IOS

interface X
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 KEYCHAIN

!
key chain KEYCHAIN

key 1
key-string TESTPASS

IOS-XR

router eigrp 1
 address-family ipv4
  interface X
   authentication keychain KEYCHAIN
!
key chain KEYCHAIN
 key 1
  key-string TESTPASS
  send-lifetime 1:00:00 february 01 2014 infinite
  accept-lifetime 1:00:00 february 01 2014 infinite

Only MD5 is supported in this (classic) configuration; IOS named mode additionally offers HMAC-SHA-256 under the af-interface.

Key-chains in IOS-XR might require the use of lifetimes.

PE-CE

R1 (CE)

IOS

router eigrp 1
 network 1.1.1.0 0.0.0.255

IOS-XR

router eigrp 1
 address-family ipv4
  interface X

R2 (PE)

IOS

router eigrp 100
 address-family ipv4 vrf VPN autonomous-system 1
  network 1.1.1.0 0.0.0.255
 exit-address-family

IOS-XR

router eigrp 100
 vrf VPN
  address-family ipv4
   autonomous-system 1
   interface X

CE EIGRP process number and PE EIGRP autonomous-system must match.

Some software releases require the manual addition of "no auto-summary" under the EIGRP process. Try to remove the whole EIGRP config and then reapply it if this is the case.

EIGRP adjacency might not get established on IOS devices if you initially forget to add the autonomous-system number and add it later.

For IPv6 VRFs you have to use the named configuration on IOS (see below).

Verification

IOS

R1#sh ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(1)
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   10.1.2.2                Fa0/0             14 00:32:28 1280  5000  0  4

R2#sh ip eigrp vrf VPN neighbors
EIGRP-IPv4 Neighbors for AS(1) VRF(VPN)
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   10.1.2.1                Fa1/0             13 00:32:47   54   324  0  4

IOS-XR
GSR#sh eigrp vrf VPN neighbors
Sun Jan 12 19:23:12.845 UTC
IPv4-EIGRP neighbors for AS(1) vrf VPN

H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   10.1.0.10               Gi0/1/0/1.1019    13 00:01:10    8   200  0  4

IOS

R1#sh ip eigrp topology
EIGRP-IPv4 Topology Table for AS(1)/ID(1.1.1.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 10.5.8.0/24, 1 successors, FD is 30720
        via 10.1.2.2 (30720/28160), FastEthernet0/0
P 8.8.8.8/32, 1 successors, FD is 158720
        via 10.1.2.2 (158720/156160), FastEthernet0/0
P 10.1.2.0/24, 1 successors, FD is 28160
        via Connected, FastEthernet0/0
P 1.1.1.1/32, 1 successors, FD is 128256
        via Connected, Loopback0

R2#sh ip eigrp vrf VPN topology
EIGRP-IPv4 Topology Table for AS(1)/ID(10.1.2.2) VRF(VPN)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 10.5.8.0/24, 1 successors, FD is 28160
        via VPNv4 Sourced (28160/0)
P 8.8.8.8/32, 1 successors, FD is 156160
        via VPNv4 Sourced (156160/0)
P 10.1.2.0/24, 1 successors, FD is 28160
        via Connected, FastEthernet1/0
P 1.1.1.1/32, 1 successors, FD is 156160
        via 10.1.2.1 (156160/128256), FastEthernet1/0

IOS-XR

GSR#sh eigrp vrf VPN topology
Sun Jan 12 19:30:02.425 UTC
IPv4-EIGRP Topology Table for AS(1)/ID(19.19.19.19) VRF: VPN
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 10.10.10.10/32, 1 successors, FD is 130816
        via 10.1.0.10 (130816/128256), GigabitEthernet0/1/0/1.1019
P 10.9.9.9/32, 1 successors, FD is 130816
        via VPNv4 Sourced (130816/0)
P 10.0.0.0/24, 1 successors, FD is 2816
        via VPNv4 Sourced (2816/0)
P 10.1.0.0/24, 1 successors, FD is 2816
        via Connected, GigabitEthernet0/1/0/1.1019

EIGRP route attributes are transferred as BGP extended communities, and the EIGRP metric is carried as the BGP MED.

IOS

R2#sh bgp vpnv4 unicast vrf VPN 8.8.8.8/32
BGP routing table entry for 100:1:8.8.8.8/32, version 10
Paths: (1 available, best #1, table VPN)
  Not advertised to any peer
  Local
    5.5.5.5 (metric 3) from 3.3.3.3 (3.3.3.3)
      Origin incomplete, metric 156160, localpref 100, valid, internal, best
      Extended Community: RT:100:1 Cost:pre-bestpath:128:156160
        0x8800:32768:0 0x8801:1:130560 0x8802:65281:25600 0x8803:65281:1500
        0x8806:0:0
      Originator: 5.5.5.5, Cluster list: 3.3.3.3
      mpls labels in/out nolabel/23
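Added example (not from the original notes): decoding the EIGRP extended communities in the output above and checking that the MED really is the composite metric they describe. The per-type layouts follow Cisco's EIGRP PE-CE documentation (0x8800 flags:tag, 0x8801 AS:delay, 0x8802 reliability/hop-count:bandwidth, 0x8803 reserved/load:MTU); the meaning of the individual 0x8800 flag bits is left undecoded, and 0x8806 is only reported as unknown. The show output is the one from this page, embedded as a constant. If a route-map along the path strips the 0x88xx communities, the check reports them as missing instead of comparing.

```python
import re

# Layout of the EIGRP extended communities seen in "show bgp vpnv4", per Cisco's
# EIGRP PE-CE documentation. Each is TYPE:A:B with A 16 bits wide and B 32 bits wide.
EIGRP_ECOMM_TYPES = {
    0x8800: "general route information (flags:tag)",
    0x8801: "metric: autonomous-system:delay",
    0x8802: "metric: reliability/hop-count:bandwidth",
    0x8803: "metric: reserved/load:mtu",
    0x8804: "external: remote-as:remote-id",
    0x8805: "external: remote-protocol:remote-metric",
}


def decode_eigrp_ecomm(token: str) -> dict:
    """Decode one 'TYPE:A:B' token. Metric values stay EIGRP-scaled (x256) unless noted."""
    type_hex, hi, lo = token.split(":")
    etype, hi, lo = int(type_hex, 16), int(hi), int(lo)
    out = {"type": etype, "meaning": EIGRP_ECOMM_TYPES.get(etype, "unknown"), "raw": (hi, lo)}
    if etype == 0x8800:
        out.update(flags=hi, tag=lo)  # flag bit meanings are not decoded here
    elif etype == 0x8801:
        out.update(asn=hi, delay=lo, delay_usec=lo // 256 * 10)
    elif etype == 0x8802:
        out.update(reliability=hi >> 8, hop_count=hi & 0xFF, bandwidth=lo,
                   bandwidth_kbps=(10**7 * 256) // lo if lo else None)
    elif etype == 0x8803:
        out.update(load=hi & 0xFF, mtu=lo)
    return out


def check_eigrp_vpnv4_entry(show_output: str) -> dict:
    """Pull the MED and the 0x88xx communities out of one 'show bgp vpnv4 unicast vrf X P/L'
    entry and confirm the MED equals the composite metric rebuilt from them
    (default K-values: scaled bandwidth + scaled delay)."""
    med = int(re.search(r"\bmetric (\d+),", show_output).group(1))
    tokens = re.findall(r"0x88[0-9a-fA-F]{2}:\d+:\d+", show_output)
    comms = {c["type"]: c for c in map(decode_eigrp_ecomm, tokens)}
    missing = sorted({0x8801, 0x8802} - set(comms))
    if missing:
        return {"med": med, "composite": None, "consistent": False, "missing": missing,
                "communities": comms}
    composite = comms[0x8802]["bandwidth"] + comms[0x8801]["delay"]
    return {"med": med, "composite": composite, "consistent": composite == med,
            "missing": [], "communities": comms}


# The entry from the page above, embedded as test input
SHOW_BGP_8_8_8_8 = """\
BGP routing table entry for 100:1:8.8.8.8/32, version 10
Paths: (1 available, best #1, table VPN)
  Not advertised to any peer
  Local
    5.5.5.5 (metric 3) from 3.3.3.3 (3.3.3.3)
      Origin incomplete, metric 156160, localpref 100, valid, internal, best
      Extended Community: RT:100:1 Cost:pre-bestpath:128:156160
        0x8800:32768:0 0x8801:1:130560 0x8802:65281:25600 0x8803:65281:1500
        0x8806:0:0
      Originator: 5.5.5.5, Cluster list: 3.3.3.3
      mpls labels in/out nolabel/23
"""
```

Decoded, the entry says: bandwidth 25600 (100000 kbps, i.e. FastEthernet), delay 130560 (5100 usec, a 5000 usec loopback behind a 100 usec FE link), reliability 255, one hop, MTU 1500. 25600 + 130560 = 156160, which is both the MED and the FD the remote PE shows for 8.8.8.8/32 in the topology output above.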

Named vs AS

The following is applicable only to IOS.

- Named (new)
  - supports VRFs under IPv4 and IPv6
  - supports IPv6 VRF-Lite
  - interface configuration goes under the af-interface under the address-family
- AS (old)
  - supports VRFs under IPv4 only
  - interface configuration goes under the physical interface

Named Configuration (new)

IOS

interface POS2/0
 ip address 10.10.10.1 255.255.255.0
 ipv6 address 2001:20:20:20::1/64
 ipv6 eigrp 2
!
router eigrp EIGRP1
 address-family ipv4 unicast autonomous-system 1
  af-interface POS2/0
   hello-interval 20
   hold-time 60
  exit-af-interface
  !
  network 10.10.10.0 0.0.0.255
 exit-address-family
 !
 address-family ipv6 unicast autonomous-system 2
  af-interface POS2/0
   authentication mode md5
   authentication key-chain KEYCHAIN
  exit-af-interface
 exit-address-family

AS Configuration (old)

IOS

interface POS2/0
ip address 10.10.10.2 255.255.255.0
ip hello-interval eigrp 1 20
ip hold-time eigrp 1 60
ipv6 address 2001:20:20:20::2/64
ipv6 eigrp 2
ipv6 authentication mode eigrp 2 md5
ipv6 authentication key-chain eigrp 2 KEYCHAIN

router eigrp 1
network 10.10.10.0 0.0.0.255

ipv6 router eigrp 2



IOS

R1#sh eigrp address-family ipv4 neighbors
EIGRP-IPv4 VR(EIGRP1) Address-Family Neighbors for AS(1)
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   10.10.10.2              PO2/0             45 00:56:05   46   276  0  30

R2#sh ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(1)
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   10.10.10.1              PO2/0             43 00:56:23   42   252  0  29

R1#sh eigrp address-family ipv6 int det
EIGRP-IPv6 VR(EIGRP1) Address-Family Interfaces for AS(2)
                        Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
PO2/0              1        0/0       1601       0/1          7969         0
  Hello-interval is 5, Hold-time is 15
  Split-horizon is enabled
  Next xmit serial <none>
  Un/reliable mcasts: 0/0  Un/reliable ucasts: 4/8
  Mcast exceptions: 0  CR packets: 0  ACKs suppressed: 0
  Retransmissions sent: 3  Out-of-sequence rcvd: 2
  Topology-ids on interface - 0
  Authentication mode is md5, key-chain is "KEYCHAIN"

R2#sh ipv6 eigrp int det
EIGRP-IPv6 Interfaces for AS(2)
                        Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
PO2/0              1        0/0         32       0/1            50         0
  Hello-interval is 5, Hold-time is 15
  Split-horizon is enabled
  Next xmit serial <none>
  Un/reliable mcasts: 0/0  Un/reliable ucasts: 3/6
  Mcast exceptions: 0  CR packets: 0  ACKs suppressed: 0
  Retransmissions sent: 2  Out-of-sequence rcvd: 1
  Topology-ids on interface - 0
  Authentication mode is md5, key-chain is "KEYCHAIN"

OSPFv2/OSPFv3
OSPFv2 (Open Shortest Path First v2) is defined in RFC 2328. OSPFv3 is defined in RFC 5340. OSPFv2 as PE-CE protocol is defined in RFC 4577.

OSPF is IP protocol 89.

Packets are sent to multicast 224.0.0.5 (all OSPF routers) and 224.0.0.6 (all DR/BDR routers).

Adjacencies

Adjacency can be formed between interfaces in different subnets if "ip unnumbered" is used on both sides.

If multiple "network" commands are used, the most specific wins. The following must match for adjacency to be successful:

- area
- hello/dead timers
- mtu
- network type
- stub flag
- authentication

DR election per network type

- DR/BDR
  - broadcast (default on ethernet, multicast hellos)
  - non-broadcast (default on frame-relay, unicast hellos)
- no DR/BDR
  - point-to-point (default on serial/pos, multicast hellos)
  - point-to-multipoint (multicast hellos)
  - point-to-multipoint non-broadcast (unicast hellos)

Use the "neighbor" command to send unicast hellos.


You can use the commands "ip ospf hello-interval" and "ip ospf dead-interval" in order to tune the convergence time. Fast hellos (sub-second, with a 1 second dead interval) are also possible using the "minimal" keyword: "ip ospf dead-interval minimal hello-multiplier N".

By default a loopback interface is advertised as a /32 (stub host route). Use network type point-to-point under the loopback interface to advertise it with its configured subnet mask.

Path Selection

- "bandwidth" under the interface (not applicable to IOS-XR)
- "ip ospf cost" under the interface
- "auto-cost reference-bandwidth" under the ospf process
- "neighbor x.x.x.x cost" under the ospf process

OSPF Route Preference

O  - OSPF intra-area
IA - OSPF inter-area
E1 - OSPF external type 1
E2 - OSPF external type 2
N1 - OSPF NSSA external type 1
N2 - OSPF NSSA external type 2

Preference is intra-area, then inter-area, then type-1 externals, then type-2 externals. Per RFC 3101, E1 and N1 belong to the same path type (likewise E2 and N2) and are compared by cost; on an equal-cost tie the type-5 (E) route is preferred over the type-7 (N) one. Distance and metric are evaluated as a second step, between routes of the same type.

LSAs

LSA types carried in IPv6 Stub areas:

- Router-LSAs
- Network-LSAs
- Inter-Area-Prefix-LSAs
- Link-LSAs
- Intra-Area-Prefix-LSAs

LSA types carried in IPv6 NSSA areas:

- Router-LSAs
- Network-LSAs
- Inter-Area-Prefix-LSAs
- Link-LSAs
- Intra-Area-Prefix-LSAs
- NSSA-LSAs

LSA types carried in IPv4 Stub areas:

- Router-LSAs
- Network-LSAs
- Summary-LSAs

LSA types carried in IPv4 NSSA areas:

- Router-LSAs
- Network-LSAs
- Summary-LSAs
- NSSA-LSAs

NSSA

The NSSA ASBR redistributes routes into OSPF and originates the Type-7 LSAs. Type-7 LSAs are only flooded within the originating NSSA area.

Type-7 LSAs have a propagate (P) bit that, when set, tells an NSSA ABR to translate the Type-7 LSA into a Type-5 LSA.

The NSSA ABR translates Type-7 LSAs into Type-5 LSAs and floods them into area 0.

If there are multiple NSSA ABRs, the router with the highest Router ID is elected as the translator.

The NSSA ASBR and the NSSA ABR can be the same router.

Preference between two Type-7 LSAs is determined by the following tie-breaker rules:

- An LSA with the P-bit set is preferred over one with the P-bit clear
- If the P-bit settings are the same, the LSA with the higher router ID is preferred

Links

- IETF - RFC 3101

LSDB optimization

You can decrease the LSDB size by doing one or more of the following:

- configure interfaces as unnumbered
- remove network LSAs (caused by DRs) by using point-to-point as network type on interfaces
- remove transit prefixes by activating prefix-suppression

Prefixes that will be removed by prefix-suppression can be found under "Link connected to: a Stub Network" in Router LSAs (loopbacks, secondary IPs and passive interfaces are excluded).

LSA flood-reduction

OSPF requires the originator of every LSA to refresh it every 1800 seconds (30 mins, LSRefreshTime); otherwise the LSA expires when its age reaches 3600 seconds (1 hour, MaxAge).

When flood-reduction is enabled on a router (towards a neighbor), that router floods its self-originated LSAs with the DoNotAge (DNA) bit set, so they do not have to be re-flooded every 30 mins. Of course any change in the contents of the LSA will cause the new LSA to be re-flooded (again with the DoNotAge bit set).
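Added example (not from the original notes): a small decoder for the OSPFv2 LSA header that shows where the DoNotAge bit lives (the high-order bit of the 16-bit LS age field, RFC 1793) and how it changes the aging decision, plus a decoder for the OSPFv2 Options byte. The Options values can be checked against this page: the sham-link neighbor output near the end of this section shows "Options is 0x32 in Hello (E-bit, L-bit, DC-bit)" and "0x72 in DBD (E-bit, L-bit, DC-bit, O-bit)". The sample LSA header is constructed.

```python
import struct

LS_REFRESH_TIME = 1800  # originator re-floods a self-originated LSA at this age
MAX_AGE = 3600          # an LSA that reaches this age is flushed
DO_NOT_AGE = 0x8000     # RFC 1793: high-order bit of the 16-bit LS age field

# OSPFv2 Options byte, low bit first (RFC 2328 A.2; N/P RFC 3101; L RFC 5613; DN RFC 4576)
OPTIONS_V2 = [(0x01, "MT"), (0x02, "E"), (0x04, "MC"), (0x08, "N/P"),
              (0x10, "L"), (0x20, "DC"), (0x40, "O"), (0x80, "DN")]


def decode_options(options: int) -> list:
    """Name the bits set in an OSPFv2 Options byte, e.g. 0x32 -> ['E', 'L', 'DC']."""
    return [name for bit, name in OPTIONS_V2 if options & bit]


def parse_lsa_header(hdr: bytes) -> dict:
    """Parse the 20-byte OSPFv2 LSA header (RFC 2328 A.4.1), splitting DNA from the age."""
    age_field, options, ls_type, _lsid, _adv, seq, cksum, length = struct.unpack("!HBBIIIHH", hdr[:20])
    return {
        "do_not_age": bool(age_field & DO_NOT_AGE),
        "age": age_field & 0x7FFF,
        "options": decode_options(options),
        "type": ls_type,
        "ls_id": ".".join(str(b) for b in hdr[4:8]),
        "adv_router": ".".join(str(b) for b in hdr[8:12]),
        "seq": seq, "checksum": cksum, "length": length,
    }


def lsa_action(age_field: int, elapsed: int, self_originated: bool) -> str:
    """What a router does with an LSA whose LS age field is age_field after `elapsed`
    more seconds pass without a newer instance arriving."""
    if age_field & DO_NOT_AGE:
        return "hold"      # DNA set: no aging, so no periodic refresh and no MaxAge flush
    age = (age_field & 0x7FFF) + elapsed
    if age >= MAX_AGE:
        return "flush"     # MaxAge: re-flood as MaxAge, then remove from the LSDB
    if self_originated and age >= LS_REFRESH_TIME:
        return "refresh"   # originator floods a new instance (seq + 1, age 0)
    return "keep"


# Constructed Router-LSA header as a flood-reduction router floods it:
# LS age = DoNotAge | 1, Options = E + DC (0x22), type 1, LS ID = Adv Router = 10.10.10.1
SAMPLE_LSA_HDR = struct.pack("!HBBIIIHH", DO_NOT_AGE | 1, 0x22, 1,
                             0x0A0A0A01, 0x0A0A0A01, 0x80000005, 0x1234, 48)
```

The DC bit in the Options byte is what makes this safe: a router only floods DNA LSAs to neighbors that advertised DC, since a router that cannot process DoNotAge would age such an LSA normally and eventually flush it.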

IOS

interface X
 ip ospf flood-reduction
 ipv6 ospf flood-reduction

IOS-XR

router ospf X
 flood-reduction enable
 area 0
  flood-reduction enable
  interface X
   flood-reduction enable

In IOS-XR, flood-reduction can be configured under the ospf process, under a specific area
and under a specific interface.

Prefer to enable it on stable topologies.

The demand-circuit feature offers the same functionality plus the suppression of periodic hello packets.

Links

- IETF - RFC 1793

Route Filtering




- distribute-list
  - in: filter the routes from entering the RIB (the LSDB is unaffected)
  - out: filter the redistributed routes (E1/E2) entering OSPF on an ASBR
- stub area
  - stub (filter LSA-4/5)
  - totally stub (filter LSA-3/4/5, except the default LSA-3)
  - nssa (filter LSA-4/5, allow LSA-7)
  - totally nssa (filter LSA-3/4/5 except the default LSA-3, allow LSA-7)
- LSA-3 prefix filter (on the ABR)
  - "area x filter-list prefix x in|out"

LSA Searching

Depending on what type of LSAs you're searching for, you can use the following commands
to do so:

IOS

sh ip ospf database router | i Link State ID
  Link State ID: x.x.x.x
sh ip ospf database network | i Link State ID
  Link State ID: x.x.x.x (address of Designated Router)
sh ip ospf database summary | i Link State ID
  Link State ID: x.x.x.x (Summary Network Number)
sh ip ospf database asbr-summary | i Link State ID
  Link State ID: x.x.x.x (AS Boundary Router address)
sh ip ospf database external | i Link State ID
  Link State ID: x.x.x.x (External Network Number)

IOS-XR

sh ospf database router | i Link State ID
  Link State ID: x.x.x.x
sh ospf database network | i Link State ID
  Link State ID: x.x.x.x (address of Designated Router)
sh ospf database summary | i Link State ID
  Link State ID: x.x.x.x (Summary Network Number)
sh ospf database asbr-summary | i Link State ID
  Link State ID: x.x.x.x (AS Boundary Router address)
sh ospf database external | i Link State ID
  Link State ID: x.x.x.x (External Network Number)

Searching for IPv6 is a little bit different, because the IPv6 prefix information is stored in
another attribute.

Summarization

- Type-3 summary
  - at the ABR
  - area 1 range 10.10.10.0 255.255.255.0 (IOS)
  - area 1 range 10.10.10.0/24 (IOS-XR)
- Type-5 summary
  - at the ASBR
  - summary-address 20.20.20.0 255.255.255.0 (IOS)
  - summary-prefix 20.20.20.0/24 (IOS-XR)

Both types of summarization also accept "not-advertise" as a parameter (suppressing the range instead of summarizing it). At least one component route must exist for a summary to be advertised.

OSPFv3
Multicast addresses have become FF02::x instead of 224.0.0.x (where x=5 for all OSPF routers, or x=6 for all DR/BDR routers).

OSPFv3 runs per-link instead of per-subnet.

You cannot automatically detect OSPFv3 neighbors when using NBMA interfaces. You must manually configure your router to detect neighbors when using an NBMA interface.

All manually configured neighbors in OSPFv3 must be identified by their link-local IPv6 address.

On all OSPFv3 interfaces except virtual links, OSPFv3 packets are sent using the interface's associated link-local unicast address as the source address.

On virtual links, a global scope IPv6 address must be used as the source address for OSPFv3 packets.

Router-LSAs (Type-1) and Network-LSAs (Type-2) no longer contain network addresses, but simply express topology information.

Link-LSAs (Type-8) include the prefixes which are configured on links and are flooded only with link-local scope. Link-local addresses appear only in Link-LSAs.

For Stub areas, the Inter-Area-Prefix LSA can only be a default route. For NSSA areas, the AS-External LSA can also be a default route.

If there is no IPv4 address assigned to any interface, then you must manually configure an IPv4-formatted router-id under the OSPFv3 process.


IOS

ipv6 router ospf 1
 router-id 2.2.0.2
!
interface Ethernet1/0
 ipv6 ospf 1 area 0

IOS-XR

router ospfv3 1
 router-id 2.2.0.8
 address-family ipv6 unicast
 area 0
  interface Loopback0
   passive
  !
  interface GigabitEthernet0/2/1/1

One use for running multiple OSPFv3 instances is to have a single link belong to two or more OSPFv3 areas. Also, on a LAN you can have multiple adjacencies between different routers, each one in a separate OSPFv3 process/instance (the Instance ID field in the OSPFv3 header keeps them apart).

OSPFv2 Authentication

- Null (Type 0) - default
- Plain-text (Type 1)
- MD5 (Type 2)

In IOS, you can configure the authentication type under the ospf process (per area) or under the interface.

IOS (plain-text)

router ospf 1
 area 0 authentication
!
interface X
 ip ospf authentication
 ip ospf authentication-key xxx

IOS (MD5)

router ospf 1
 area 0 authentication message-digest
!
interface X
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 xxx

In IOS-XR, you can configure the authentication type/key under the ospf process, under the
area or under the interface.

IOS-XR

router ospf 1
 authentication
 authentication-key xxx
 area 0
  authentication
  authentication-key xxx
  interface X
   authentication
   authentication-key xxx

IOS-XR (MD5)

router ospf 1
 authentication message-digest
 message-digest-key 1 md5 xxx
 area 0
  authentication message-digest
  message-digest-key 2 md5 xxx
  interface X
   authentication message-digest
   message-digest-key 3 md5 xxx

You can always use various combination of enabling authentication for a specific area (under
the ospf process) or for a specific adjacency (under the interface).

More specific configurations override the less specific ones.
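Added example (not from the original notes or Cisco code): how the MD5 variant configured above actually protects a packet, following RFC 2328 Appendix D. The digest is MD5 over the OSPF packet (with key ID, auth data length and cryptographic sequence number already filled into the header's authentication field) followed by the key zero-padded to 16 bytes; it is appended after the packet, is not counted in the header length, and the checksum field is left at zero. The receiver recomputes it and also enforces a non-decreasing sequence number per neighbor, which is the only replay protection this scheme has. The Hello body and the "xxx" key are constructed to match the configuration above.

```python
import hashlib
import hmac
import struct

AU_CRYPTOGRAPHIC = 2   # AuType 2 in the OSPF header
OSPF_HDR_LEN = 24


def _ip(dotted: str) -> bytes:
    return bytes(int(o) for o in dotted.split("."))


def ospf_md5_digest(packet: bytes, key: bytes) -> bytes:
    """RFC 2328 D.4.3: MD5 over the packet (authentication field already filled in)
    followed by the key, zero-padded to 16 bytes. A keyed hash, not HMAC."""
    if not 1 <= len(key) <= 16:
        raise ValueError("OSPF MD5 keys are 1..16 bytes")
    return hashlib.md5(packet + key.ljust(16, b"\x00")).digest()


def build_ospf_packet(ptype: int, router_id: str, area_id: str, body: bytes,
                      key_id: int, key: bytes, seq: int) -> bytes:
    """OSPFv2 header + body + 16-byte MD5 trailer. With cryptographic authentication the
    checksum field is 0 and the trailer is not counted in the header's length field."""
    length = OSPF_HDR_LEN + len(body)
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)  # reserved, key id, auth data len, crypto seq
    hdr = struct.pack("!BBH4s4sHH", 2, ptype, length, _ip(router_id), _ip(area_id),
                      0, AU_CRYPTOGRAPHIC) + auth
    pkt = hdr + body
    return pkt + ospf_md5_digest(pkt, key)


def verify_ospf_md5(frame: bytes, keys: dict, last_seq: dict) -> bool:
    """Receiver side: check AuType, pick the key by ID, recompute the digest, compare it in
    constant time, then enforce a non-decreasing sequence number per neighbor (RFC 2328 D.3)."""
    if len(frame) < OSPF_HDR_LEN:
        return False
    version, _ptype, length, rid, _area, _cksum, autype = struct.unpack("!BBH4s4sHH", frame[:16])
    _zero, key_id, auth_len, seq = struct.unpack("!HBBI", frame[16:24])
    if version != 2 or autype != AU_CRYPTOGRAPHIC or auth_len != 16:
        return False
    if length < OSPF_HDR_LEN or len(frame) < length + 16:
        return False
    key = keys.get(key_id)
    if key is None:                      # unknown key id: drop, never fall back to another key
        return False
    expected = ospf_md5_digest(frame[:length], key)
    if not hmac.compare_digest(expected, frame[length:length + 16]):
        return False
    neighbor = ".".join(str(b) for b in rid)
    if seq < last_seq.get(neighbor, 0):  # replayed (older) packet
        return False
    last_seq[neighbor] = seq
    return True


def demo() -> dict:
    """One authenticated Hello run through the checks a receiver applies."""
    # Constructed Hello body: mask /24, hello 10, options E+L, priority 1, dead 40, no DR/BDR
    hello = struct.pack("!4sHBBI4s4s", _ip("255.255.255.0"), 10, 0x12, 1, 40,
                        _ip("0.0.0.0"), _ip("0.0.0.0"))
    keys = {1: b"xxx"}  # key id 1 / key-string "xxx", as in the config above
    pkt = build_ospf_packet(1, "10.10.10.1", "0.0.0.0", hello, key_id=1, key=b"xxx", seq=1000)
    seen = {}           # last crypto sequence number seen, per neighbor router-id
    good = verify_ospf_md5(pkt, keys, seen)
    tampered = bytearray(pkt)
    tampered[OSPF_HDR_LEN + 4] ^= 0x01  # flip a bit of HelloInterval after signing
    modified = verify_ospf_md5(bytes(tampered), keys, seen)
    older = build_ospf_packet(1, "10.10.10.1", "0.0.0.0", hello, key_id=1, key=b"xxx", seq=999)
    replayed = verify_ospf_md5(older, keys, seen)  # correct digest, but seq went backwards
    wrong_key = verify_ospf_md5(pkt, {1: b"yyy"}, {})
    return {"good": good, "modified": modified, "replayed": replayed,
            "wrong_key": wrong_key, "frame_len": len(pkt)}
```

The key ID is what makes rollover possible: a receiver holds several keys and selects by ID, so a new key can be added on every router before the old one is retired. The sequence-number state is per neighbor and is all the replay protection there is; RFC 2328 suggests deriving the counter from time of day so that a rebooted router does not start below the value its neighbors last saw.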

OSPFv3 Authentication

You can configure an authentication (AH) or encryption (ESP) policy, either on an interface
or for an OSPFv3 area/process.

- IPsec AH
  - Authentication: MD5, SHA1
- IPsec ESP
  - Encryption: 3DES, AES (128, 192, 256 bits), DES, NULL
  - Authentication: MD5, SHA1

To use IPsec AH (authentication only), you must use commands with the "authentication" keyword. To use IPsec ESP (authentication and confidentiality), you must use commands with the "encryption" keyword.

ESP may provide both encryption and authentication, or authentication only (encryption = null), although the latter is not recommended. DES, 3DES and MD5 are legacy algorithms; prefer AES with SHA1 where both ends support it.

IOS

ipv6 router ospf 1
 area 0 authentication ipsec spi 256 md5 yyy
 area 0 encryption ipsec spi 256 esp 3des md5 yyy
!
interface X
 ipv6 ospf authentication ipsec spi 256 md5 zzz
 ipv6 ospf encryption ipsec spi 256 esp 3des md5 zzz

Each block shows the AH ("authentication") line and its ESP ("encryption") alternative at the same scope; you apply one or the other. IOS 12.3(4)T or later is required for OSPFv3 IPsec authentication.

IOS-XR

router ospfv3 1
 authentication ipsec spi 256 md5 password xxx
 encryption ipsec spi 256 esp 3des password xxx
 !
 area 0
  authentication ipsec spi 256 md5 password yyy
  encryption ipsec spi 256 esp 3des password yyy
  !
  interface GigabitEthernet0/2/1/1.78
   authentication ipsec spi 256 md5 password zzz
   encryption ipsec spi 256 esp 3des password zzz

More specific configurations override the less specific ones.

Links

IETF - RFC 4552


Options Bits

Hello/DBD/LSA Options Bits

- V6 bit: It should be set, unless the router will not participate in IPv6 topology calculation and IPv6 transit routing. If this bit is clear, the router/link should be excluded from any IPv6 routing calculations.
- R bit: It should be set, unless the router will not participate in any transit routing. It allows the router to participate in the unicast topology, but does not allow transit traffic.
- E bit: It should be set if the interface attaches to a regular area (i.e., not a stub or NSSA area).
- N bit: It should be set if the interface attaches to an NSSA area.
- DC bit: It describes the router's handling of demand circuits. It should be set in Hellos/DBDs if the router wishes to suppress the sending of future Hellos over the interface. It should be set in LSAs if the router can correctly process the DoNotAge bit when it appears in the LS age field of LSAs.

IPv6 Prefix Options Bits

- NU bit: The "No Unicast" capability bit. If set, the prefix should be excluded from IPv6 unicast calculations. If not set, it should be included.
- LA bit: The "Local Address" capability bit. If set, the prefix is actually an IPv6 interface address of the Advertising Router.
- P bit: The "Propagate" bit. Set on NSSA area prefixes that should be readvertised by the translating NSSA area border router.


- DN bit: The "Down" bit. It controls the re-advertisement of an Inter-Area-Prefix-LSA or AS-External-LSA in a VPN environment. It is used for loop prevention in PE => CE => PE advertisements and should not be checked in CE multi-vrf (vrf-lite) scenarios.

Special multi-hop adjacencies

- virtual-link
  - connects two areas 0 or extends area 0 across a transit area
  - uses a transit area in order to connect areas 0 or extend area 0
  - used in normal environments with multiple areas 0 or area 0 extension
  - configured between two ABRs under the OSPF process
- sham-link
  - connects two areas X (including 0)
  - uses the MPLS core in order to connect the areas
  - used in MPLS VPN environments with backdoor links
  - configured between two PEs/ABRs under the OSPF vrf process

Virtual-Link

All areas in an OSPF autonomous system must be connected to area 0. When this is not possible in terms of direct connectivity, then a virtual-link can be used in order to connect the non-backbone areas to area 0, as long as there is a common area between them.


connect two areas 0

- R1 <=(area 0)=> R2 <=(area 1)=> R3 <=(area 0)=> R4
- a virtual link can be configured between ABRs R2 and R3, which connect to area 0 from different sides and have a common area between them

extend area 0

- R1 <=(area 0)=> R2 <=(area 1)=> R3 <=(area 2)=> R4
- a virtual link can be configured between ABRs R2 and R3, which connect to a common area, with only one ABR directly connected to area 0
- area 0 is extended to R3, in order to serve area 2

If a common area does not exist between the ABRs, then an additional area can be created to become the transit area.

The transit area through which the virtual link is configured must have full routing information, so it cannot be any type of stub area. If this is the case, a GRE tunnel can be used to connect the two areas 0.

For virtual-links in OSPFv3 you have to use the remote neighbor's router-id (IPv4 format).

ABR #1

IOS

router ospf 1
 area 1 virtual-link 2.2.2.2

IOS-XR

router ospf 1
 area 1
  virtual-link 2.2.2.2

ABR #2

IOS

router ospf 1
 area 1 virtual-link 3.3.3.3

IOS-XR

router ospf 1
 area 1
  virtual-link 3.3.3.3

Sham-Link

To make a route through an MPLS backbone appear to be an intra-area route, it is necessary to make it appear as if there is an intra-area link connecting the two PE routers. A sham link can be thought of as an indirect relation between two VRFs. If two VRFs are to be connected by a sham link, each VRF must be associated with a "Sham Link Endpoint Address", a 32-bit IPv4 address that is treated as an address of the PE router containing that VRF.

The Sham Link Endpoint Address is an address in the VPN's address space, not the SP's address space.

The sham link is an unnumbered point-to-point intra-area link and is advertised as a type 1 LSA.

Sham links are treated as OSPF Demand Circuits. This means that LSAs will be flooded over them, but periodic refresh traffic will be avoided. Normal flooding is done over the backdoor link, but if that fails, flooding will occur over the sham-link (because LSA synchronization between sites must continue).

Configuration Steps

- Create a /32 loopback that belongs to the relevant VRF on both PEs
- Advertise the above /32 into BGP VPNv4 on both PEs
- Don't advertise the above /32 into the OSPF vrf process on both PEs
- Create a sham-link between the above /32s of the PEs under the OSPF vrf process

The endpoint /32 must not be advertised inside the customer's OSPF, because when there is no BGP VPNv4 route to the Sham Link Endpoint Address, that address must become unreachable, so that the sham link goes down.

PE1

IOS

interface Loopback1
 vrf forwarding VPN
 ip address 1.1.1.1 255.255.255.255
!
router ospf 100 vrf VPN
 area 0 sham-link 1.1.1.1 2.2.2.2

IOS-XR

interface Loopback1
 vrf VPN
 ipv4 address 1.1.1.1/32
!
router ospf 100
 vrf VPN
  area 0
   sham-link 1.1.1.1 2.2.2.2

PE2

IOS

interface Loopback1
 vrf forwarding VPN
 ip address 2.2.2.2 255.255.255.255
!
router ospf 100 vrf VPN
 area 0 sham-link 2.2.2.2 1.1.1.1

IOS-XR

interface Loopback1
 vrf VPN
 ipv4 address 2.2.2.2/32
!
router ospf 100
 vrf VPN
  area 0
   sham-link 2.2.2.2 1.1.1.1

Verification

IOS

R1#sh ip ospf sham-links
Sham Link OSPF_SL0 to address 2.2.2.2 is up
Area 0 source address 1.1.1.1
  Run as demand circuit
  DoNotAge LSA allowed. Cost of using 1 State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40,
    Hello due in 00:00:04
  Adjacency State FULL (Hello suppressed)
  Index 2/2, retransmission queue length 0, number of retransmission 0
  First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
  Last retransmission scan length is 0, maximum is 0
  Last retransmission scan time is 0 msec, maximum is 0 msec

R1#sh ip ospf interface | b _SL
OSPF_SL0 is up, line protocol is up
  Internet Address 0.0.0.0/0, Area 0
  Process ID 100, Router ID 10.10.10.1, Network Type SHAM_LINK, Cost: 1
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0           1         no          no            Base
  Configured as demand circuit.
  Run as demand circuit.
  DoNotAge LSA allowed.
  Transmit Delay is 1 sec, State POINT_TO_POINT
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:06
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 2/2, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 4 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 10.10.10.2  (Hello suppressed)
  Suppress hello for 1 neighbor(s)

R1#sh ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
...
10.10.10.2        0   FULL/  -           -         2.2.2.2         OSPF_SL0
...

R1#sh ip ospf neighbor detail | b 2.2.2.2
 Neighbor 10.10.10.2, interface address 2.2.2.2
    In the area 0 via interface OSPF_SL0
    Neighbor priority is 0, State is FULL, 6 state changes
    DR is 0.0.0.0 BDR is 0.0.0.0
    Options is 0x32 in Hello (E-bit, L-bit, DC-bit)
    Options is 0x72 in DBD (E-bit, L-bit, DC-bit, O-bit)
    LLS Options is 0x1 (LR)
    Neighbor is up for 00:12:16
    Index 2/2, retransmission queue length 0, number of retransmission 0
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 0, maximum is 0
    Last retransmission scan time is 0 msec, maximum is 0 msec

IOS-XR

GSR#sh ospf vrf VPN sham-links

Sham Links for OSPF 2, VRF VPN

Sham Link OSPF_SL0 to address 2.2.2.2 is up
Area 0, source address 1.1.1.1
  IfIndex = 2
  Run as demand circuit
  DoNotAge LSA allowed., Cost of using 1
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:08
  Adjacency State FULL (Hello suppressed)
  Number of DBD retrans during last exchange 0
  Index 2/2, retransmission queue length 0, number of retransmission 0
  First 0(0)/0(0) Next 0(0)/0(0)
  Last retransmission scan length is 0, maximum is 0
  Last retransmission scan time is 0 msec, maximum is 0 msec

Both sham-links and virtual-links can have most of their "interface" attributes (hellos, cost,
authentication, etc.) configured (IOS-XR gives more options).


The OSPF Sham Link endpoint address must not be used as the endpoint address of an OSPF
Virtual Link.

OSPF Multi-Area

Applicable to OSPFv2 and OSPFv3.


It allows a link to be configured in more than one area, so that the link can be considered an intra-area link in all those areas and get preference over inter-area links.

It exists as a logical construct over an existing primary OSPF interface; however, the neighbor state on the primary interface is independent of the multi-area interface.

Only point-to-point adjacencies are supported.

IOS

interface Ethernet0/0
 ip ospf 1 area 0
 ip ospf multi-area 1

IOS-XR

router ospf 1
 area 0
  interface GigabitEthernet0/2/1/2
 area 1
  multi-area-interface GigabitEthernet0/2/1/2
 area 2
  multi-area-interface GigabitEthernet0/2/1/2

The multi-area interface inherits the interface characteristics from its primary interface, but some interface characteristics can be configured under the multi-area interface configuration. It also inherits the BFD characteristics from its primary interface.

OSPF Multiple-instance
Both IOS and IOS-XR allow you to run multiple OSPFv3 instances. Peer routers need to use the same instance-id for OSPFv3 communication to happen.

Also, OSPFv3 can support multiple address-families using a different instance per address-
family.

Unlike OSPFv3 where the Instance ID can be used for multiple purposes, such as putting the
same interface in multiple areas, the OSPFv2 Instance ID is reserved for identifying protocol
instances.

Although the relevant RFC defines the mechanism to differentiate packets for different
instances sent and received on the same interface, Cisco's current IOS implementation allows
you to have multiple OSPFv2 processes (not instances) using only different interfaces. Some
of these processes can be VRF ones.
Links

IETF - RFC 5838
IETF - RFC 6549



IS-IS
IS-IS (Intermediate System to Intermediate System) is defined in ISO 10589 and in RFC 1142 and RFC 1195.
IS-IS Multi-Instance is defined in RFC 6822.

IS-IS PDU types

 LAN Hello
 Serial (Point-to-Point) Hello
 Link State PDU (LSP)
 Complete Sequence Number PDU (CSNP)
 Partial Sequence Number PDU (PSNP)

IS-IS LSPs are like OSPF LSAs.

CSNPs are generated:

 by the DIS in order for all routers connected to the LAN to synchronize their databases
 by routers on a point-to-point network while setting up their adjacency

PSNPs are generated:

 by routers that are not synchronized with the DIS and need additional LSPs in their database
 by routers on a point-to-point network to acknowledge received LSPs

ISIS Hellos

 Point-to-Point
  o Serial IIH are exchanged
 Multiaccess/Broadcast
  o L2 LAN IIH are exchanged

If you get error messages like "%CLNS-3-BADPACKET: ISIS: P2P hello, bad circuit type 0" on point-to-point (Serial/POS) interfaces on GNS3, then just ignore them.

The default hello interval is 10 seconds for non-DIS interfaces, and 3.333 seconds for DIS
interfaces.

The hello timers do not need to agree on the neighbors.

On point-to-point links where a single Hello is used, a single hello timer must be used for
both L1 and L2 adjacencies.

The fastest neighbor down detection with hello timer tuning is 1 sec, if "isis hello-interval minimal" is used. For faster detection use BFD.

All hellos are padded to the full interface MTU by default. You can disable this behavior with "no isis hello padding" (although Cisco routers always send the first five hellos padded), if you have time-sensitive application traffic that travels across low-bandwidth interfaces or you want to minimize interface buffer resources when frequent hellos are configured.

ISIS vs CLNS

 Use "sh clns" commands to view
  o neighbors
  o adjacencies
  o hellos
  o PDUs
  o interfaces
  o metrics
 Use "sh isis" commands to view
  o neighbors
  o LSPs
  o topologies
  o SPF logs
  o routes

In IOS-XR, all related show commands are found under the "sh isis" hierarchy.

If you need to change the MTU for ISIS to work, change the CLNS MTU.

ISIS over Frame-Relay requires CLNS broadcast mapping for the particular DLCI.

NET

NET = AREA-ID + SYSTEM-ID + SEL

net = 49.0001.0000.0000.2222.00

 AREA-ID = 49.0001 (used for inter-area routing)
 SYSTEM-ID = 0000.0000.2222 (used for intra-area routing)
 SEL = 00

NET must begin and end with a single octet.

Cisco IS-IS implementation requires a 6-octet System-ID.


In order to ease with area migration, multiple Area-IDs can be configured on each router
(System-ID must be kept the same).
IOS

router isis
max-area-addresses 5
 net 49.0001.0000.0000.0002.00
 net 49.0002.0000.0000.0002.00
 net 49.0003.0000.0000.0002.00
 net 49.0004.0000.0000.0002.00
 net 49.0005.0000.0000.0002.00
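As an added example that is not part of the original notes, the NET rules above (AREA-ID + SYSTEM-ID + SEL, single-octet start and end, 6-octet System-ID, several NETs per router with one System-ID, common Area-ID for L1 adjacencies) written as a small Python validator. The sample NETs are constructed, and the IOS default of three area addresses is an assumption of this example.

```python
"""Parse and validate IS-IS NETs.

Added example, not part of the original notes. The rules it encodes are
the ones in the notes: NET = AREA-ID + SYSTEM-ID + SEL, a NET begins and
ends with a single octet, Cisco needs a 6-octet System-ID, several NETs
may be configured per router (max-area-addresses) but the System-ID must
stay the same, and an L1 adjacency needs a common Area-ID. The NETs used
as sample input are constructed; the IOS default of 3 area addresses is
an assumption of this example.
"""
import re
from dataclasses import dataclass
from typing import List

# one octet, zero or more 2-octet groups, one octet (the SEL)
NET_RE = re.compile(r"^[0-9A-Fa-f]{2}(\.[0-9A-Fa-f]{4})*\.[0-9A-Fa-f]{2}$")
SYSTEM_ID_HEX = 12  # 6 octets


@dataclass(frozen=True)
class Net:
    area_id: str    # e.g. "49.0001", used for inter-area routing
    system_id: str  # e.g. "0000.0000.2222", used for intra-area routing
    sel: str        # NSAP selector, "00" on a router


def parse_net(net: str) -> Net:
    """Split a dotted NET into its three parts, validating the layout.

    Working from the right: the last octet is SEL, the 12 hex digits
    before it are the System-ID and whatever is left is the Area-ID.
    """
    if not NET_RE.match(net):
        raise ValueError(f"malformed NET (must begin and end with one octet): {net!r}")
    digits = net.replace(".", "").lower()
    if len(digits) < 2 + SYSTEM_ID_HEX + 2:
        raise ValueError(f"NET too short for a 6-octet System-ID: {net!r}")
    sel = digits[-2:]
    sysid = digits[-2 - SYSTEM_ID_HEX:-2]
    area = digits[:-2 - SYSTEM_ID_HEX]
    if sel != "00":
        raise ValueError(f"router NET must end in SEL 00, got {sel}: {net!r}")
    area_dotted = area[:2] + "".join("." + area[i:i + 4] for i in range(2, len(area), 4))
    sysid_dotted = ".".join(sysid[i:i + 4] for i in range(0, SYSTEM_ID_HEX, 4))
    return Net(area_dotted, sysid_dotted, sel)


def check_multi_area(nets: List[str], max_area_addresses: int = 3) -> List[str]:
    """Validate the NETs of one IS-IS process and return its Area-IDs.

    All NETs must share one System-ID (only the Area-ID may differ) and
    the number of areas must not exceed max-area-addresses.
    """
    parsed = [parse_net(n) for n in nets]
    sysids = {p.system_id for p in parsed}
    if len(sysids) != 1:
        raise ValueError(f"System-ID must be identical in all NETs, got {sorted(sysids)}")
    areas = sorted({p.area_id for p in parsed})
    if len(areas) > max_area_addresses:
        raise ValueError(f"{len(areas)} areas exceed max-area-addresses {max_area_addresses}")
    return areas


def l1_adjacency_possible(nets_a: List[str], nets_b: List[str],
                          max_area_addresses: int = 3) -> bool:
    """An L1 adjacency needs at least one Area-ID shared by both routers."""
    areas_a = set(check_multi_area(nets_a, max_area_addresses))
    areas_b = set(check_multi_area(nets_b, max_area_addresses))
    return bool(areas_a & areas_b)


# constructed sample: the five NETs of the multi-area router above and a neighbour
ROUTER_NETS = [f"49.000{i}.0000.0000.0002.00" for i in range(1, 6)]
NEIGHBOR_NETS = ["49.0005.0000.0000.0003.00"]

if __name__ == "__main__":
    print(parse_net("49.0001.0000.0000.2222.00"))
    print(check_multi_area(ROUTER_NETS, max_area_addresses=5))
    print(l1_adjacency_possible(ROUTER_NETS, NEIGHBOR_NETS, max_area_addresses=5))
```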

In L1 adjacencies, max-area-addresses must match between neighbors.

Dynamic hostname exchange is by default enabled, but you can disable it if required.

IOS

router isis

no hostname dynamic

IOS-XR

router isis 1

hostname dynamic disable

before...

IOS

R2#sh isis neighbors
System Id      Type Interface   IP Address      State Holdtime Circuit Id
R1             L2   Fa1/0       10.1.2.1        UP    25       R2.03

after...

IOS

R2#sh isis neighbors
System Id      Type Interface   IP Address      State Holdtime Circuit Id
0000.0000.0001 L2   Fa1/0       10.1.2.1        UP    23       0000.0000.0002.03


R2#sh isis hostname
Level  System ID      Dynamic Hostname  (notag)
     2 0000.0000.0001 R1
     * 0000.0000.0002 R2

Configuration

IOS

router isis X
 net 49.0001.0000.0000.2222.00
 is-type level-2-only
 passive-interface Loopback0
!
interface X
 ip router isis X

IOS-XR

router isis X
 is-type level-2-only
 net 49.0001.0000.0000.1111.00
 interface Loopback0
  passive
  address-family ipv4 unicast
 !
 interface X
  circuit-type level-2-only
  address-family ipv4 unicast

Although it's not required to use an IS-IS process/instance name ("router isis X") in IOS, it's better to use one as a reference in later tasks. IOS-XR requires a process ID.

"isis circuit-type level-2-only" under all interfaces creates an empty local L1 database. "is-type level-2-only" under the IS-IS process doesn't create a L1 database at all.

"passive-interface X" under the IS-IS process doesn't require "ip router isis" under the interface in IOS, because the interface is automatically advertised. IOS-XR requires the whole config (address-family, circuit-type, passive) under each interface.

For L1 adjacencies a common area (Area-ID) must be used between neighbors.

"log-adjacency-changes" in IOS or "log adjacency changes" in IOS-XR is not enabled by default under the IS-IS process.


It is recommended that routers operating at a single level be configured specifically at that level in order to minimize the number of adjacencies, LSPs, and related SPF/PRC calculations.

Multi-area IS-IS

You can have multiple L1 area processes per router, but only one L2 area process. Interfaces
can belong to only one process.

That way you can also have connectivity between different L1 areas that are connected to the
same L1/L2 router.

IOS

router isis 1
 net 49.0001.0000.0000.0003.00
!
router isis 11
 net 49.0011.0000.0000.0003.00
 is-type level-1
!
interface FastEthernet0/0.1
 ip router isis 1
!
interface FastEthernet0/0.11
 ip router isis 11

You might hit a bug in some releases with the following message appearing when trying to activate the L1 process under an interface.

%CLNS: Duplicate system ID configured in ip vrf <default> with router isis null

Routing table per router type & route-leaking

 L1 routers have
  o L1 routes for prefixes originating from L1 routers in the same area (even crossing many L2 routers)
  o L1 route for the default route originating from L1/L2 routers
 L1/L2 routers have
  o L1 routes for prefixes originating from "attached" L1 routers
  o L2 routes for all other prefixes
 L2 routers have
  o L2 routes for all prefixes

When using multiple Area-IDs under the same IS-IS process of a L1/L2 router, L1 routes from one L1 area can pass over to another L1 area.

Use route-leaking in L1/L2 routers in order to change the above. Route-leaking can be accomplished either with a distribute-list or with a route-map in IOS.

IOS

router isis
 redistribute isis ip level-2 into level-1 distribute-list 100
 !
 address-family ipv6
  redistribute isis level-2 into level-1 distribute-list PREFIXLIST
 exit-address-family
!
access-list 100 permit ip host 1.1.1.1 host 255.255.255.255
!
ipv6 prefix-list PREFIXLIST permit 2001:1::1/128

IPv4 distribute-list used in route-leaking should have the above "awkward" format in order to allow only 1.1.1.1/32 to be leaked.

IOS-XR

router isis X
 address-family ipv4
  propagate level 2 into level 1 route-policy IPv4-RPL
 !
 address-family ipv6
  propagate level 2 into level 1 route-policy IPv6-RPL


Leaked L2=>L1 routes appear as "ia" (inter-area) in L1 routers.

L1 routes are always preferred over L2.

Level-2 subdomain must not be partitioned in order for routing to work properly. Always prefer to have a flat L2 network if possible.

Default admin distance of IS-IS is 115.

When doing route-leaking in IOS, you must define the ISIS process/instance right after the "redistribute isis" command, although you might not see it in the actual configuration.

When a L1/L2 router advertises a route from L2 to L1, it sets the U/D bit, so any other L1/L2 router that receives this L1 LSP with the U/D bit set can ignore it and not advertise it any further.

It's good practice to also enable wide metrics when doing route-leaking in order to get "correct" metrics for the leaked routes.

Links

IETF - RFC 5302

Default Route & ATT bit

An LSP with the ATT bit set creates a default route in the L1 router. More specifically, a L1/L2 router sets the ATT bit in a L1 LSP when it has connectivity to another L1 area too.

The ATT bit can be managed in various ways:

IOS

router isis X
 set-attached-bit route-map NODEF-ROUTEMAP
!
route-map NODEF-ROUTEMAP permit 10
 match clns address CLNS-FILTER-SET
!
clns filter-set CLNS-FILTER-SET permit 99.9999

Use a non-existent CLNS area if you want to avoid setting the ATT-bit.

IOS-XR

CRS(config-isis-af)#attached-bit receive ?
  ignore  Ignore the attached bit in received LSPs

CRS(config-isis-af)#attached-bit send ?
  always-set  Always set the attached bit in our LSP
  never-set   Never set the attached bit our LSP

You can also advertise a default route from a L2 router into a L1 router, by using the
following configuration:

IOS

router isis X
default-information originate route-map DEF-ROUTE-ROUTEMAP

!
route-map DEF-ROUTE-ROUTEMAP permit 10

set level level-1


Beware of cases where a L1/L2 router connects to multiple L1 areas and somehow loses L2 connectivity. Continuing to advertise a default route to L1 routers might lead to a blackhole.


The default route will be advertised to the L1 router, so you end up with 2 default routes (the
second one is created automatically from the LSP that has the ATT bit set, but has lower
preference).

IOS

R2#sh isis rib 0.0.0.0 0.0.0.0

IPv4 local RIB for IS-IS process 1000
IPV4 unicast topology base (TID 0, TOPOID 0x0)
=================

0.0.0.0/0
  [115/L1/10] via 10.0.220.20(FastEthernet0/0.220), from 10.0.220.20, tag 0, LSP[12/12]
  [115/L1/10] via 10.0.220.20(FastEthernet0/0.220), from 10.0.220.20, tag 0, LSP[0/28]

Remember to filter it from other L1/L2 adjacencies (if such a need arises).

IOS-XR

router isis X
 address-family ipv4 unicast
  default-information originate route-policy DEF-ROUTE-RPL

DR/DIS

LSPID "router.XX-00" (with next-to-last octet being non-zero) is being sent by a DIS, while LSPID "router.00-00" is being sent by everyone.

IOS

R2#sh isis database

IS-IS Level-1 Link State Database:
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
R2.00-00            * 0x00000015   0xE041        1184              0/0/0
R2.01-00            * 0x00000006   0xFA3B        380               0/0/0
R8.00-00              0x0000000B   0x4F55        1177              0/0/0
R8.09-00              0x00000001   0x5E58        1177              0/0/0
R9.00-00              0x0000000E   0x7C35        806               0/0/0

If the Circuit-Id in the "sh isis neighbors" output contains a router name (Circuit-ID + System-ID = LAN-ID), then this router is the DIS in the broadcast connection between the local router and the router shown under the System-Id.


IOS

R2#sh isis neighbors

Tag null:
System Id      Type Interface   IP Address      State Holdtime Circuit Id
R7             L1   Et0/2       2.2.27.7        UP    8        R7.04
R8             L1   Et0/1       2.2.28.8        UP    7        R8.01
R9             L1   Et0/0       2.2.29.9        UP    9        R9.03

Each router generates an LSP for all its interfaces.

Each DIS generates a Pseudo-Node LSP for its attached broadcast interfaces.

DR/DIS election

 highest priority (0-127)
 highest mac address

Setting priority to 0 doesn't disable DIS election; use point-to-point to disable it.

There can be separate DRs for L1 and L2 adjacencies.

There is no backup DR. If the primary DR fails, a new DR is elected. DR preemption is enabled by default.
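As an added example that is not part of the original notes, a Python script that applies the DIS rules above to constructed copies of the show output quoted in this section: pseudonode LSPIDs in "sh isis database", the LAN-ID in the Circuit Id column of "sh isis neighbors", and the priority/MAC election. Treating a Circuit Id without a dot as a point-to-point circuit, and the extra Se1/0 neighbor row, are assumptions of this example.

```python
"""Spot DIS routers in "sh isis database" and "sh isis neighbors" output.

Added example, not part of the original notes. It applies the rules the
notes give: an LSPID "router.XX-00" with a non-zero XX is a pseudonode
LSP generated by the DIS, a Circuit Id of the form "router.XX" (LAN-ID)
in "sh isis neighbors" names the DIS of that broadcast link, and DIS
election picks the highest priority and then the highest MAC address
(priority 0 still takes part). The show output below is a constructed
copy of the samples in the notes; treating a Circuit Id without a dot
as a point-to-point circuit (the Se1/0 row) is an assumption.
"""
import re
from typing import Dict, List, Optional, Tuple

# hostname-or-system-id . pseudonode-id - fragment
LSPID_RE = re.compile(r"^(?P<node>\S+)\.(?P<pn>[0-9A-Fa-f]{2})-(?P<frag>[0-9A-Fa-f]{2})$")
# LAN-ID as shown in the Circuit Id column: DIS name (or system id) . pseudonode-id
LAN_ID_RE = re.compile(r"^(?P<dis>\S+)\.(?P<pn>[0-9A-Fa-f]{2})$")

DATABASE = """\
IS-IS Level-1 Link State Database:
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
R2.00-00            * 0x00000015   0xE041        1184              0/0/0
R2.01-00            * 0x00000006   0xFA3B        380               0/0/0
R8.00-00              0x0000000B   0x4F55        1177              0/0/0
R8.09-00              0x00000001   0x5E58        1177              0/0/0
R9.00-00              0x0000000E   0x7C35        806               0/0/0
"""

NEIGHBORS = """\
Tag null:
System Id      Type Interface   IP Address      State Holdtime Circuit Id
R7             L1   Et0/2       2.2.27.7        UP    8        R7.04
R8             L1   Et0/1       2.2.28.8        UP    7        R8.01
R9             L1   Et0/0       2.2.29.9        UP    9        R9.03
R3             L2   Se1/0       2.2.23.3        UP    27       00
"""


def parse_lspid(lspid: str) -> Tuple[str, int, int]:
    """Return (node, pseudonode id, fragment) from an LSPID such as R8.09-00."""
    m = LSPID_RE.match(lspid)
    if not m:
        raise ValueError(f"not an LSPID: {lspid!r}")
    return m["node"], int(m["pn"], 16), int(m["frag"], 16)


def pseudonode_lsps(db_output: str) -> Dict[str, str]:
    """Map every pseudonode LSPID in the database output to the DIS that sent it."""
    found = {}
    for line in db_output.splitlines():
        fields = line.split()
        if not fields or not LSPID_RE.match(fields[0]):
            continue  # header lines and anything that is not an LSPID
        node, pn, _frag = parse_lspid(fields[0])
        if pn != 0:   # router.00-00 is the node's own LSP, anything else is a pseudonode
            found[fields[0]] = node
    return found


def dis_per_interface(neigh_output: str) -> Dict[str, Optional[str]]:
    """Map each interface in "sh isis neighbors" to its DIS (None for point-to-point)."""
    result = {}
    for line in neigh_output.splitlines():
        fields = line.split()
        if len(fields) != 7 or fields[1] not in ("L1", "L2", "L1L2"):
            continue  # only neighbor rows have exactly 7 columns
        interface, circuit_id = fields[2], fields[6]
        m = LAN_ID_RE.match(circuit_id)
        result[interface] = m["dis"] if m else None
    return result


def elect_dis(candidates: List[Tuple[str, int, str]]) -> str:
    """Elect the DIS: highest priority (0-127), tie broken by highest MAC address.

    candidates are (hostname, priority, mac) tuples; priority 0 does not
    withdraw a router from the election.
    """
    def mac_value(mac: str) -> int:
        return int(mac.replace(".", "").replace(":", ""), 16)

    for _name, prio, _mac in candidates:
        if not 0 <= prio <= 127:
            raise ValueError(f"priority out of range: {prio}")
    return max(candidates, key=lambda c: (c[1], mac_value(c[2])))[0]


if __name__ == "__main__":
    print(pseudonode_lsps(DATABASE))
    print(dis_per_interface(NEIGHBORS))
    print(elect_dis([("R2", 0, "aabb.cc00.0200"), ("R8", 0, "aabb.cc00.0800")]))
```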

"sh isis rib" in IOS will accept only a network prefix as input, but it will return all routes for the classful network. Always use a network mask to get the output for a specific route.

The "*" in front of a prefix in the "sh isis ipv6 rib" output means that the specific route will be installed in the router RIB also (not including directly connected networks).

Overload-bit

The overload bit is included in an LSP of the router and if it is set, it notifies routers in
the area that the router is not available for transit traffic. It may be configured and
cleared independently for IPv4 and IPv6 topologies.

IOS

router isis

set-overload-bit

IOS-XR

router isis 100

set-overload-bit
When used in combination with "wait-for-bgp", then if BGP sessions come up and BGP keepalives are not received from all the BGP neighbors, IS-IS will disable the overload bit after 10 minutes by default.

The IS-IS overload bit avoidance, when activated, allows TE LSPs to continue working although the router in that path has its overload bit set.

IOS

R1(config)#mpls traffic-eng path-selection overload allow ?


head Allow overloaded head node in TE CSPF
middle Allow overloaded middle node in TE CSPF
tail Allow overloaded tail node in TE CSPF

IOS-XR

mpls traffic-eng path-selection ignore overload

CRS(config)#mpls traffic-eng path-selection ignore overload ?


head Ignore overload node during CSPF for role head
mid Ignore overload node during CSPF for role mid
tail Ignore overload node during CSPF for role tail

<cr>

Metrics

Default metric is 10 for each interface, 0 for passive interfaces.

IOS

R2(config-if)#isis metric ?
  <1-16777214>  Default metric
  maximum       Maximum metric. All routers will exclude this link from their SPF

IOS-XR

GSR(config-isis-if-af)#metric ?
  <1-16777214>  Default metric
  maximum       Maximum wide metric. All routers will exclude this link from their SPF

<1-63> for narrow, <1-16777214> for wide


Wide metrics are used in:

 MPLS-TE
 prefix tags
 multi-topology
 need for metric > 63

IOS

router isis

metric-style wide

IOS-XR

router isis 100
 address-family ipv4 unicast
  metric-style wide
 !
 address-family ipv6 unicast
  metric-style wide

If two connected routers have different metric styles, an adjacency will be formed between them and LSPs will be exchanged, but routes will not be installed. You can use "debug isis rib local" to verify if routes are being generated for use by the RIB.

The maximum metric that can be assigned to an IS-IS route is 1023 (without wide
metrics enabled).

IS-IS Authentication

Authentication can be enabled:

 per domain (old style)
  o "domain-password" under IS-IS process
  o applies to LSPs by default
  o for CSNPs, PSNPs extra command is required
  o for Level-2 only
  o clear text (type-1)
  o adjacency formed but no L2 LSPs exchanged if wrong authentication
 per area (old style)
  o "area-password" under IS-IS process
  o applies to LSPs by default
  o for CSNPs, PSNPs extra command is required
  o for Level-1 only
  o clear text (type-1)
  o adjacency formed but no L1 LSPs exchanged if wrong authentication
 per interface (old style)
  o "isis password" under interface
  o applies to Hellos by default
  o for Level-1/Level-2
  o clear text (type-1)
  o no adjacency formed if wrong authentication
 per interface (new style)
  o "isis authentication" under interface (IOS)
  o "hello-password" under interface under IS-IS process (IOS-XR)
  o applies to Hellos by default
  o for Level-1/Level-2
  o enhanced clear text (type-1) or MD5 (type-54)
  o no adjacency formed if wrong authentication
 per instance (new style)
  o "authentication" under IS-IS process (IOS)
  o "lsp-password" under IS-IS process (IOS-XR)
  o applies to LSPs, CSNPs, PSNPs by default
  o for Level-1/Level-2
  o enhanced clear text (type-1) or MD5 (type-54)
  o adjacency formed but no LSPs exchanged if wrong authentication

Prefer to use the new way of authentication, when not told otherwise.

You can use "text" in new-style authentication in order to be compatible with old-style authentication. For old-style area authentication you have to use "level-1" in new-style, while for old-style domain authentication you have to use "level-2" in new-style.

On point-to-point links where a single Hello is used, a common password must be used for both L1 and L2 adjacencies.

IOS

interface FastEthernet0/0
isis authentication mode md5
isis authentication key-chain KEYCHAIN

!
key chain KEYCHAIN

key 1
key-string TESTPASS

IOS-XR

router isis 26
interface X

hello-password hmac-md5 TESTPASS


In IOS-XR, a key-chain can also be used instead of hmac-md5.

The only way to verify authentication in current releases is by using debug commands ("debug isis update-packets" and "debug isis authentication information").


IS-IS Topologies

IOS
 o default is single-topology
 o configure "multi-topology" under ipv6 address-family to change

IOS-XR
 o default is multi-topology
 o configure "single-topology" under ipv6 address-family to change

In order to allow an adjacency to be formed with mismatched address-families in single-topology, the "no adjacency-check" command must be configured under the IPv6 address family. The same command is enabled by default in multi-topology.

Only one IPv6 process is allowed in IOS.

IS-IS Single-Topology requirements

 Both IPv4 IS-IS and IPv6 IS-IS routing protocols must share a common network topology
 Any interface configured for IPv4 IS-IS must also be configured for IPv6 IS-IS, and vice versa
 All routers in the IS-IS area (for Level 1 routing) or the domain (for Level 2 routing) must support an identical set of address families (IPv4 only, IPv6 only, or both IPv4 and IPv6) on all interfaces
 Wide metrics are not necessary in single-topology

Links

 IETF - RFC 5120

ISIS as PE-CE

PE

IOS

router isis X
 vrf VPN
 net 49.0001.0000.0000.0001.00
!
interface FastEthernet0/0
 vrf forwarding VPN
 ip router isis X

IOS-XR

not supported

CE

IOS

router isis X
net 49.0001.0000.0000.0002.00

IOS-XR

router isis X
net 49.0001.0000.0000.0002.00

IS-IS for IPv6 is not supported as a PE-CE protocol in IOS. IOS-XR doesn't support IS-IS as
a PE-CE protocol at the role of PE.

Multi-Instance

IOS-XR

router isis 1
 is-type level-2
 net 47.0002.0000.0000.0008.00
 address-family ipv4 unicast
  metric-style wide
 !
 address-family ipv6 unicast
  metric-style wide
 !
 interface GigabitEthernet0/2/2/0
  address-family ipv4 unicast
  address-family ipv6 unicast
!
router isis 2
 is-type level-2
 net 49.0002.0000.0000.0008.00
 address-family ipv4 unicast
  metric-style wide
 !
 address-family ipv6 unicast
  metric-style wide
 !
 interface GigabitEthernet0/2/1/0
  address-family ipv4 unicast
  address-family ipv6 unicast



You can configure up to five IS-IS instances (processes).

MPLS can run on multiple IS-IS processes as long as the processes run on different sets of
interfaces. Each interface may be associated with only a single IS-IS instance.

Because RIB treats each of the IS-IS instances as equal routing clients, you must be careful
when redistributing routes between IS-IS instances.

multi-instance vs multi-area

multi-instance
 o supported in IOS-XR
 o multiple L2 areas
 o multiple L1 areas
 o redistribution allowed between different processes
 o multiple IPv6 processes allowed
 o use when: run multiple IS-IS processes

multi-area
 o supported in IOS
 o only one L2 area
 o multiple L1 areas
 o redistribution not allowed between different processes
 o only one IPv6 process allowed
 o use when: connect multiple L1 areas on the same router

Fast Convergence

 BFD
 tuning of hellos
 ip event dampening
 point-to-point adjacencies
 tuning of SPF/PRC/LSP timers
 tag specific prefixes and give them high priority

The RIB does not know to prefer Level 1 routes over Level 2 routes from different instances, so if you are running Level 1 and Level 2 instances, you must enforce the preference by configuring different administrative distances for these two instances.

Timers

 per process/instance
  o LSP refresh interval
    seconds the router will wait before refreshing (re-creating and re-flooding) its own LSPs
    recommended: 65535 sec
  o Max LSP lifetime
    the lifetime in the LSP header (in order to age out old LSPs)
    recommended: 65535 sec
  o PRC interval (exponential backoff)
    seconds between two consecutive PRCs (triggered when changes that do not affect the topology, such as advertised external prefixes or metric changes, are detected)
    recommended: 5,1,20
  o LSP generation interval (exponential backoff)
    seconds between creating new versions of a given LSP on a per-node basis
    recommended: 5,1,20
  o SPF interval (exponential backoff)
    seconds between two consecutive SPF calculations
    recommended: 5,1,20
 per interface
  o LSP interval
    milliseconds between the transmission of LSPs
  o LSP retransmit interval
    seconds between the retransmission of an LSP on point-to-point links
  o LSP retransmit throttle interval
    milliseconds between all the retransmitted LSPs on point-to-point links

The value set for the lsp-refresh-interval should be less than the value of the max-lsp-lifetime
command.

Usually the software will automatically reduce the LSP refresh interval to prevent the LSPs
from timing out.

iSPF can be used to limit the SPF recalculations to specific portions of the topology.

Advertise minimum prefixes

IOS

router isis
 advertise passive-only
 set-overload-bit suppress interlevel external
!
interface X
 no isis advertise prefix

IOS-XR

router isis 100
 no set-overload-bit advertise external interlevel
 address-family ipv4 unicast
  advertise passive-only
 !
 interface X
  suppressed



Summarization

IOS

router isis
 summary-address 11.11.11.0 255.255.255.0
 address-family ipv6
  summary-prefix 11:11:11::/64

IOS-XR

router isis 1
 address-family ipv4 unicast
  summary-prefix 11.11.11.0/24
 !
 address-family ipv6 unicast
  summary-prefix 11:11:11::/64

You can also define the level into which you want to advertise the summary.


BGP
BGP (Border Gateway Protocol) is defined in RFC 4271.
Uses TCP port 179.
The router with the highest router-id is used as the TCP client.

Best Path Selection

For each step: attribute and rule, default value, notes, the traffic direction the attribute affects, and the route-map direction (inbound or outbound) in which it is applied.

1. Prefix Length: longest match. Always checked.
2. Cost Community: lowest Cost Community number, then lowest Cost Community ID. Default 2147483647. Checked if "set extcommunity cost pre-bestpath" is configured. Skipped if "bgp bestpath cost-community ignore" is configured.
3. WEIGHT: highest weight. Default 32768 for locally originated prefixes. Local to the router; only for Cisco; not recommended for general use.
4. LOCAL PREFERENCE: highest local preference. Default 100. Used for separating customer/peering/transit traffic. Affects outbound traffic; applied in inbound route-maps.
5. Prefer local-sourced routes. Everything announced through network/aggregate commands or redistribution is considered local-sourced.
6. AS-PATH: shortest as-path. Ignored if "bgp bestpath as-path ignore" is configured. Affects inbound traffic; applied in outbound route-maps.
7. ORIGIN: lowest origin type (IGP < EGP < Incomplete).
8. MED: lowest Multi-Exit Discriminator. First AS must be the same, unless "bgp always-compare-med" is configured. Affects inbound traffic; applied in outbound route-maps.
9. Prefer eBGP over iBGP.
10. Lowest IGP metric to the BGP next hop.
11. Cost Community: lowest Cost Community number, then lowest Cost Community ID. Default 2147483647. Checked if "set extcommunity cost igp" is configured. Skipped if "bgp bestpath cost-community ignore" is configured.
12. Check for BGP Multipath.
13. If both paths are external, prefer the path received first.
14. Lowest BGP router-id.
15. If the originator-id or the router-id is the same for multiple paths, prefer the path with the minimum cluster list length (only for route reflectors).
16. Prefer the path with the lowest neighbor address.

MED

bgp deterministic-med
 o compare MED when choosing routes advertised by different neighbors in the same autonomous system
 o routes from the same autonomous system are grouped together and the best entries of each group are compared

bgp always-compare-med
 o compare MED when choosing routes advertised by different neighbors in different autonomous systems

"bgp deterministic-med" and "bgp always-compare-med" are recommended in order to always have a standard best path selection algorithm.

In order to avoid misinterpreting a missing MED (zero vs infinity), when setting MED on a peering it's best to set it also on all other peerings. Otherwise the command "bgp bestpath med missing-as-worst" can be used.

Common Comparisons

 Prefix Length
 Highest Local Preference
 Shortest as-path
 Lowest Multi-Exit Discriminator (MED)
 Prefer eBGP over iBGP
 Lowest IGP metric to the BGP next hop
 Lowest BGP router-id
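As an added example that is not part of the original notes, the common comparisons above together with the MED handling from the MED section, implemented as a Python comparator over constructed sample paths. Cost community, multipath and cluster-list length are left out, and a missing MED is modelled as 0, or as 2^32-1 when "bgp bestpath med missing-as-worst" is set.

```python
"""Best-path comparison between BGP paths to the same prefix.

Added example, not part of the original notes. It walks the common
comparison steps listed above (weight, local preference, locally
sourced, AS-path length, origin, MED, eBGP over iBGP, IGP metric, oldest
eBGP path, router-id, neighbor address) and models the MED knobs the
notes describe: MED is only compared when the first AS is the same
unless "bgp always-compare-med" is set, and a missing MED counts as 0
unless "bgp bestpath med missing-as-worst" is set. Step 1 (prefix
length) is a lookup across prefixes, so it is outside this function;
cost community, multipath and cluster-list length are left out. All
paths and addresses are constructed samples.
"""
from dataclasses import dataclass
from functools import reduce
from typing import List, Optional, Tuple

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}     # IGP < EGP < incomplete
MED_MISSING_AS_WORST = 2 ** 32 - 1          # value assumed for missing-as-worst


@dataclass
class Path:
    neighbor: str                 # address of the peer the path came from
    router_id: str                # peer's BGP router-id
    as_path: Tuple[str, ...]      # first element is the neighbouring AS
    origin: str = "i"
    med: Optional[int] = None     # None = attribute absent
    local_pref: int = 100
    weight: int = 0
    local_sourced: bool = False   # network / aggregate / redistribute
    ebgp: bool = True
    igp_metric: int = 0           # IGP cost to the BGP next hop
    received_seq: int = 0         # lower = received earlier


@dataclass
class Config:
    always_compare_med: bool = False   # "bgp always-compare-med"
    med_missing_as_worst: bool = False  # "bgp bestpath med missing-as-worst"
    as_path_ignore: bool = False        # "bgp bestpath as-path ignore"


def effective_med(p: Path, cfg: Config) -> int:
    if p.med is not None:
        return p.med
    return MED_MISSING_AS_WORST if cfg.med_missing_as_worst else 0


def ip_key(addr: str) -> Tuple[int, ...]:
    return tuple(int(o) for o in addr.split("."))


def better(a: Path, b: Path, cfg: Config) -> Path:
    """Return the preferred of two paths, stopping at the first deciding step."""
    if a.weight != b.weight:
        return a if a.weight > b.weight else b
    if a.local_pref != b.local_pref:
        return a if a.local_pref > b.local_pref else b
    if a.local_sourced != b.local_sourced:
        return a if a.local_sourced else b
    if not cfg.as_path_ignore and len(a.as_path) != len(b.as_path):
        return a if len(a.as_path) < len(b.as_path) else b
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:
        return a if ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin] else b
    same_first_as = a.as_path[:1] == b.as_path[:1]
    if cfg.always_compare_med or same_first_as:
        ma, mb = effective_med(a, cfg), effective_med(b, cfg)
        if ma != mb:
            return a if ma < mb else b
    if a.ebgp != b.ebgp:
        return a if a.ebgp else b
    if a.igp_metric != b.igp_metric:
        return a if a.igp_metric < b.igp_metric else b
    if a.ebgp and b.ebgp and a.received_seq != b.received_seq:
        return a if a.received_seq < b.received_seq else b   # oldest external path
    if a.router_id != b.router_id:
        return a if ip_key(a.router_id) < ip_key(b.router_id) else b
    return a if ip_key(a.neighbor) <= ip_key(b.neighbor) else b


def best_path(paths: List[Path], cfg: Optional[Config] = None) -> Path:
    """Keep the current winner and challenge it with each remaining path in turn."""
    if not paths:
        raise ValueError("no paths")
    cfg = cfg or Config()
    return reduce(lambda winner, p: better(winner, p, cfg), paths)


# constructed sample paths for one prefix, all eBGP with equal AS-path length
VIA_AS65001_MED50 = Path("10.0.0.1", "1.1.1.1", ("65001", "65100"), med=50, received_seq=0)
VIA_AS65001_NOMED = Path("10.0.0.2", "2.2.2.2", ("65001", "65100"), med=None, received_seq=1)
VIA_AS65002_MED10 = Path("10.0.0.3", "3.3.3.3", ("65002", "65100"), med=10, received_seq=2)

if __name__ == "__main__":
    print(best_path([VIA_AS65001_MED50, VIA_AS65001_NOMED]).neighbor)            # missing MED = 0 wins
    print(best_path([VIA_AS65001_MED50, VIA_AS65001_NOMED],
                    Config(med_missing_as_worst=True)).neighbor)                # MED 50 wins
    print(best_path([VIA_AS65001_MED50, VIA_AS65002_MED10]).neighbor)            # MED skipped, oldest wins
    print(best_path([VIA_AS65001_MED50, VIA_AS65002_MED10],
                    Config(always_compare_med=True)).neighbor)                  # MED 10 wins
```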

origin

The origin attribute indicates how BGP learned about a particular route.

 i (IGP)
  o interior to the originating AS (i.e. when the network configuration command is used to inject the route into BGP)
 e (EGP)
  o learned via EGP (rarely seen)
 ? (incomplete)
  o unknown or learned via some other way (i.e. redistributed into BGP, or from eBGP)

Address Families

AFIs

 1 (IPv4)
 2 (IPv6)
 25 (L2VPN)

SAFIs

 1 (Unicast)
 2 (Multicast)
 4 (NLRI with MPLS labels)
 65 (VPLS)
 128 (VPN with MPLS labels (VRFs))

Configuration

IOS

router bgp 2
 no synchronization
 bgp log-neighbor-changes
 network 5.5.5.5 mask 255.255.255.255
 neighbor 20.4.5.4 remote-as 1
 no auto-summary

IOS-XR

router bgp 1
 bgp log neighbor changes detail
 address-family ipv4 unicast
  network 4.4.4.4/32
 !
 neighbor 20.4.5.5
  remote-as 2
  address-family ipv4 unicast

BGP is designed to refuse a session with itself because of the router-id check. You can use a per-vrf assignment of BGP router-id in order to have a VRF-to-VRF peering on the same router.

In IOS-XR, every eBGP session requires an explicit route-policy in order to allow incoming/outgoing updates.

It's good practice to create one named PASS-RPL with default action "pass" and use it when first activating each eBGP session. Afterwards you can create the required route-policy and use that instead.

You can use the "network x.x.x.x backdoor" command in order to change the admin distance of an eBGP route (default 20) to that of iBGP (200), so that the equivalent IGP route can be preferred.

Route Aggregation

 redistribution of static or IGP
 aggregate-address
o summary-only
o suppress-map
o unsuppress-map (per neighbor)
o advertise-map
 inject-map

In IOS-XR, if there is no loopback configured with an ipv4 address, the BGP session won't come up, until you explicitly configure the bgp router-id.

When told to advertise a prefix into BGP, prefer to use the "network" statement, unless told to do otherwise.

Also prefer to do the "network" advertisements to another AS on routers running eBGP to that AS.

A more specific prefix must exist in the BGP table before doing aggregation.

Communities

 Standard Communities (32-bit)
o Used for well-known communities and for specific communities of type $ASN:$TAG in BGP
o send-community (IOS)
o send-community-ebgp (IOS-XR)
 Extended Communities (64-bit) are defined in
o Used in MPLS VPNs for RT and SOO
o send-community extended (IOS)
o send-extended-community-ebgp (IOS-XR)

Communities are configured through community lists. When regular expressions are required, expanded (standard or extended) community lists must be used.

Configuration

 Standard
o ip community-list 1 permit 100:10
o ip community-list standard X-COMMLIST permit 100:10
 Expanded Standard
o ip community-list 100 permit 100:*
o ip community-list expanded X-COMMLIST permit 100:*
 Extended
o ip extcommunity-list 1 permit rt 200:20
o ip extcommunity-list standard X-COMMLIST permit rt 200:20
 Expanded Extended
o ip extcommunity-list 100 permit rt 200:*
o ip extcommunity-list expanded X-COMMLIST permit rt 200:*

In IOS, no communities are sent by default to iBGP or eBGP sessions.
In IOS-XR, all communities are sent by default on iBGP sessions, but not on eBGP sessions.

Well-known communities

 internet
 no-export (don't advertise to eBGP neighbor)
 local-as (don't advertise to other confederation sub-AS)
 no-advertise (don't advertise to any neighbor)

Delete communities

IOS

route-map DELCOMM1-ROUTEMAP permit 10
 set comm-list 1 delete
!
route-map DELCOMM2-ROUTEMAP permit 10
 set community none
!
route-map DELCOM3-ROUTEMAP permit 10
 set extcomm-list 1 delete

IOS-XR

route-policy DELCOM1-RPL
 delete community in (*:*)
end-policy
!
route-policy DELCOM3-RPL
 delete extcommunity rt all
end-policy

Use the "additive" keyword to add communities to existing ones.

Links

 IETF - RFC 1997
 IETF - RFC 4360
 IANA Extended Communities

Synchronization

A BGP router with synchronization enabled does not install iBGP learned routes into its routing table and propagate them to an eBGP peer, if it is not able to validate those routes in its IGP first. It's used to ensure that there are no black holes inside the AS caused by intermediate routers that do not run BGP.

It's disabled by default ("no synchronization"), because nowadays most networks run iBGP or MPLS.

Route Reflectors

Route Reflectors modify iBGP split-horizon rules.

 Routes learned on a RR from a RR-Client are propagated to other RR-Clients and Non-Clients
 Routes learned on a RR from a Non-Client are propagated only to RR-Clients

RRs can be assigned per address-family.

RRs do not modify the next-hop of advertised routes by default.

RRs can be in the forwarding path or not.

Use "no bgp client-to-client reflection" on RRs, when their clients are also fully meshed.

An RR reflecting a route received from an RR-Client adds the following attributes:

 Originator ID
o the Router ID of the originator of the route
o if the update comes back to the originator (so the local Router-ID is the same as the Originator-ID), the update is ignored
 Cluster List
o a list of Cluster IDs that an update has passed through
o when an RR reflects a route from a client to a non-client, the local Cluster ID is appended to the Cluster List
o if the update comes back to the RR (so the local Cluster-ID is contained in the prefix Cluster List), the update is ignored

Originator ID and Cluster List are used to prevent loops in RR environments.

By default Cluster-ID = RR Router-ID. In case of two RRs, two different Cluster-IDs will be used. This increases memory utilization, because the same route is stored multiple times, each one with a different Cluster-ID.

You can use a common Cluster-ID in redundant RRs (in order to decrease memory utilisation, although rarely needed), only when you're sure that connectivity for RR clients won't break if the RR client loses one of its RR connections.

IOS

router bgp 100
 neighbor 2.2.2.2 remote-as 100
 neighbor 2.2.2.2 update-source Loopback0
 neighbor 2.2.2.2 route-reflector-client

IOS-XR

router bgp 100
 neighbor 2.2.2.2
  remote-as 100
  update-source Loopback0
  address-family ipv4 unicast
   route-reflector-client
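The Originator ID / Cluster List loop checks described above, as an added Python model (not code from the notes or from Cisco); the router IDs, cluster IDs and prefix are constructed, and the model prepends the local Cluster-ID on every reflection as RFC 4456 specifies.

```python
"""ORIGINATOR_ID / CLUSTER_LIST loop prevention on route reflectors.

Added example (not part of the original notes): a small model of the RFC 4456
rules summarised above. Router IDs, cluster IDs and the prefix are constructed.
"""
from dataclasses import dataclass, field, replace
from typing import List, Optional


@dataclass(frozen=True)
class Update:
    prefix: str
    originator_id: Optional[str] = None        # set by the first reflecting RR
    cluster_list: List[str] = field(default_factory=list)


class RouteReflector:
    def __init__(self, router_id: str, cluster_id: Optional[str] = None) -> None:
        self.router_id = router_id
        # Default behaviour: Cluster-ID = RR Router-ID.
        self.cluster_id = cluster_id or router_id

    def accepts(self, update: Update) -> bool:
        """Inbound check on an iBGP update received by the RR."""
        if update.originator_id == self.router_id:
            return False       # we originated it: ignore
        if self.cluster_id in update.cluster_list:
            return False       # our cluster is already in the list: ignore
        return True

    def reflect(self, update: Update, learned_from: str) -> Update:
        """Outbound: stamp ORIGINATOR_ID (if absent) and prepend our CLUSTER_ID.

        learned_from is the Router-ID of the peer the route was received from.
        """
        originator = update.originator_id or learned_from
        return replace(update,
                       originator_id=originator,
                       cluster_list=[self.cluster_id] + list(update.cluster_list))


def client_accepts(router_id: str, update: Update) -> bool:
    """A plain (non-RR) client only applies the ORIGINATOR_ID check."""
    return update.originator_id != router_id


def redundant_rr_scenario(common_cluster_id: Optional[str] = None) -> dict:
    """Client C1 advertises a route to RR1; RR1 reflects to RR2; RR2 reflects onward.

    With distinct Cluster-IDs RR2 keeps the copy (the extra memory the notes mention);
    with a common Cluster-ID RR2 drops the copy it receives from RR1.
    """
    rr1 = RouteReflector("1.1.1.1", common_cluster_id)
    rr2 = RouteReflector("2.2.2.2", common_cluster_id)
    c1 = "10.0.0.1"                                   # constructed client Router-ID

    from_c1 = Update("192.0.2.0/24")                  # constructed prefix
    to_rr2 = rr1.reflect(from_c1, learned_from=c1)    # RR1 -> RR2 (non-client peer)
    rr2_keeps = rr2.accepts(to_rr2)
    result = {"rr2_accepts_from_rr1": rr2_keeps,
              "originator_id": to_rr2.originator_id,
              "cluster_list_at_rr2": to_rr2.cluster_list}
    if rr2_keeps:
        back_to_rr1 = rr2.reflect(to_rr2, learned_from=rr1.router_id)
        result["rr1_accepts_reflected_copy"] = rr1.accepts(back_to_rr1)  # loop check
        result["cluster_list_after_rr2"] = back_to_rr1.cluster_list
        result["c1_accepts_own_route"] = client_accepts(c1, back_to_rr1)
    return result


if __name__ == "__main__":
    print(redundant_rr_scenario())
    print(redundant_rr_scenario(common_cluster_id="100.0.0.1"))
```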

Links

 IETF - RFC 4456

Confederations

The AS is split into smaller autonomous systems in order to reduce the number of iBGP sessions.
It's common practice to use the private AS range (64512 – 65535) to denote a sub-autonomous system. These internal ASNs are hidden and only a single external ASN is announced to eBGP neighbors.

BGP confederations modify iBGP as-path processing. When sending:

 updates to iBGP neighbors
o as-path is not changed
 updates to intra-confederation eBGP neighbors
o the intra-confederation ASN is prepended to the as-path
 updates to eBGP neighbors
o the intra-confederation ASNs are removed and the external ASN is prepended to the as-path

An intra-confederation eBGP session is:

 like an eBGP session when establishing the session (ebgp-multihop)
 like an iBGP session when sending routing updates (local pref, next-hop, etc.)

IOS

router bgp INTERNAL-ASN-100
 bgp confederation identifier EXTERNAL-ASN-1
 bgp confederation peers INTERNAL-ASN-200 INTERNAL-ASN-300
 neighbor 2.2.2.2 remote-as INTERNAL-ASN-200
 neighbor 3.3.3.3 remote-as INTERNAL-ASN-300
 neighbor 9.9.9.9 remote-as EXTERNAL-ASN-9

IOS-XR

router bgp INTERNAL-ASN-100
 bgp confederation peers
  INTERNAL-ASN-200
  INTERNAL-ASN-300
 !
 bgp confederation identifier EXTERNAL-ASN-1
 !
 neighbor 2.2.2.2
  remote-as INTERNAL-ASN-200
 !
 neighbor 3.3.3.3
  remote-as INTERNAL-ASN-300
 !
 neighbor 9.9.9.9
  remote-as EXTERNAL-ASN-9

EXTERNAL-ASNs define the ASNs used for eBGP sessions between different ASNs.
INTERNAL-ASNs define the ASNs used for eBGP sessions between different sub-ASNs of the same ASN.

Example

IOS

router bgp 65100
 bgp confederation identifier 1
 bgp confederation peers 65200 65300
 neighbor 2.2.2.2 remote-as 65200
 neighbor 3.3.3.3 remote-as 65300
 neighbor 9.9.9.9 remote-as 9

IOS-XR

router bgp 65100
 bgp confederation peers
  65200
  65300
 !
 bgp confederation identifier 1
 !
 neighbor 2.2.2.2
  remote-as 65200
 !
 neighbor 3.3.3.3
  remote-as 65300
 !
 neighbor 9.9.9.9
  remote-as 9

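The three as-path sending rules from the Confederations section, as an added Python model (not code from the notes); it uses the ASNs of the example above (identifier 1, sub-ASes 65100/65200/65300, origin AS 9) plus a constructed external AS 5 to show what leaves the confederation.

```python
"""AS_PATH processing inside a BGP confederation (RFC 5065).

Added example, not from the original notes. It models the three sending rules
listed in the Confederations section with the ASNs of the Example section:
confederation identifier 1, sub-ASes 65100/65200/65300, origin in AS 9 and a
constructed external peer in AS 5.
"""
from typing import List, Set, Tuple

AS_SEQUENCE = "AS_SEQUENCE"
AS_CONFED_SEQUENCE = "AS_CONFED_SEQUENCE"
Segment = Tuple[str, List[int]]
AsPath = List[Segment]


def _prepend(as_path: AsPath, seg_type: str, asn: int) -> AsPath:
    """Prepend asn to the leading segment of seg_type, creating it if needed."""
    if as_path and as_path[0][0] == seg_type:
        return [(seg_type, [asn] + as_path[0][1])] + as_path[1:]
    return [(seg_type, [asn])] + list(as_path)


def send(as_path: AsPath, local_asn: int, confed_id: int,
         confed_peers: Set[int], neighbor_asn: int) -> AsPath:
    """AS_PATH as it leaves a confederation member router towards neighbor_asn."""
    if neighbor_asn == local_asn:
        return list(as_path)                       # iBGP: as-path not changed
    if neighbor_asn in confed_peers:               # intra-confederation eBGP
        return _prepend(as_path, AS_CONFED_SEQUENCE, local_asn)
    # true eBGP: confederation segments removed, external ASN prepended
    stripped = [seg for seg in as_path if seg[0] == AS_SEQUENCE]
    return _prepend(stripped, AS_SEQUENCE, confed_id)


def send_external(as_path: AsPath, local_asn: int, neighbor_asn: int) -> AsPath:
    """Plain eBGP sender outside any confederation (e.g. the AS 9 origin router)."""
    if neighbor_asn == local_asn:
        return list(as_path)
    return _prepend(as_path, AS_SEQUENCE, local_asn)


def show_path(as_path: AsPath) -> str:
    """Render like IOS 'show bgp': confederation segments in parentheses."""
    parts = []
    for seg_type, asns in as_path:
        text = " ".join(str(a) for a in asns)
        parts.append(f"({text})" if seg_type == AS_CONFED_SEQUENCE else text)
    return " ".join(parts)


def walk_example() -> List[str]:
    """Propagate an AS 9 prefix through 65100 -> 65200 -> 65300, then iBGP and AS 5."""
    confed_id, peers = 1, {65100, 65200, 65300}
    hops = []
    p = send_external([], local_asn=9, neighbor_asn=confed_id)       # R9 -> 65100 (sees AS 1)
    hops.append(show_path(p))
    p = send(p, 65100, confed_id, peers, neighbor_asn=65200)         # 65100 -> 65200
    hops.append(show_path(p))
    p = send(p, 65200, confed_id, peers, neighbor_asn=65300)         # 65200 -> 65300
    hops.append(show_path(p))
    hops.append(show_path(send(p, 65300, confed_id, peers, 65300)))  # iBGP inside 65300
    hops.append(show_path(send(p, 65300, confed_id, peers, 5)))      # 65300 -> external AS 5
    return hops


if __name__ == "__main__":
    for line in walk_example():
        print(line)
```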
Links

IETF - RFC 5065

Next-Hop

 advertisement to eBGP peer
o next-hop changes to self
o use "next-hop-unchanged" to not change
 advertisement to iBGP peer
o next-hop doesn't change
o use "next-hop-self" to change

You can't use next-hop-self for setting the next-hop in reflected iBGP routes. Instead use an outbound route map.

In IOS-XR, you can use "ibgp policy out enforce-modifications" in combination with an outbound route-map in order to force modification of the route attributes (including next-hop) when sent to an iBGP neighbor.

keepalive & holdtime

Neighbor holdtime timers are negotiated while initially setting up the BGP session and the smaller one gets used by both neighbors. Keepalive timers are then based on that holdtime value. It's not recommended to have less than 3 secs as a holdtime.

The fastest convergence on a BGP session that can be achieved by changing the keepalive/holdtime timers is 3 sec.

In order to protect the control-plane, you can put a limit on the lowest holdtime number accepted by using the "min-holdtime" command. If the neighbor doesn't comply, then the BGP session is rejected.

Mass Neighbor Configuration

In order to minimize neighbor configuration regarding the BGP session parameters you can use the following:

peer groups (IOS)

router bgp 100
 neighbor PEER-GROUP peer-group
 neighbor PEER-GROUP remote-as 100
 neighbor PEER-GROUP update-source Loopback0
 !
 neighbor 1.1.1.1 peer-group PEER-GROUP
 !
 address-family vpnv4
  neighbor PEER-GROUP send-community extended
  neighbor 1.1.1.1 activate

neighbor groups (IOS-XR)

router bgp 100
 neighbor-group NEI-GROUP
  remote-as 100
  update-source Loopback0
 !
 neighbor 1.1.1.1
  use neighbor-group NEI-GROUP

peer session templates (IOS)

router bgp 100
 template peer-session PEER-TEMPLATE
  remote-as 100
  update-source Loopback0
 !
 neighbor 1.1.1.1 inherit peer-session PEER-TEMPLATE

eBGP Peerings & TTL

IOS

router bgp 100
 neighbor 2.2.2.2 ttl-security hops X
 neighbor 3.3.3.3 ebgp-multihop Y

IOS-XR

router bgp 100
 neighbor 2.2.2.2
  ttl-security
 neighbor 3.3.3.3
  ebgp-multihop Y

IOS

R1#sh bgp nei | i TTL|Session
  Session: 2.2.2.2
    Mininum incoming TTL 255-X, Outgoing TTL 255
  Session: 3.3.3.3
    Mininum incoming TTL 0, Outgoing TTL Y

eBGP Multihop

It allows a neighbor connection between two external peers that do not have a direct connection. You should also configure an IGP or static routing to allow the neighbors without a direct connection to reach each other.

TTL Security Check

It's a lightweight security mechanism to protect eBGP neighbor sessions from CPU utilization-based attacks (DoS attacks that flood the network with IP packets that contain forged source IP addresses).


IOS

When configured for an eBGP neighbor, the router accepts only IP packets with a TTL count that is greater than or equal to the maximum TTL value (255) minus the hop count that is configured locally for the relevant eBGP session. If the TTL value in the IP packet is less than the maximum TTL value (255) minus the configured hops value, the incoming packet is silently discarded.

Supports both directly connected neighbor sessions and multihop eBGP neighbor sessions.

IOS-XR

When configured for a directly adjacent eBGP neighbor, the router accepts only IP packets with a TTL count that is equal to the maximum TTL value (255). If the TTL value in the IP packet is less than the maximum TTL value (255), the incoming packet is silently discarded.

TTL values according to BGP setup:

 R1 config: neighbor R2
o R1 sends packets to R2 with TTL=1
 R1 config: neighbor R2 ttl-security hops X
o R1 sends packets to R2 with TTL=255
 R1 config: neighbor R2 ebgp-multihop X
o R1 sends packets to R2 with TTL=X

ebgp-multihop combined with ttl-security on two eBGP routers

 R1: ebgp-multihop X (<255)
 R2: ttl-security hops Y (<254)

 R1 sends packets to R2 with TTL=X
o R2 doesn't reply back
o R2 accepts only packets with TTL >= 255-Y
 R2 sends packets to R1 with TTL=255
o R1 replies back
o R1 accepts packets with any TTL

General Rule

If ( X - ActualHops >= 255 - Y ) then the eBGP session can be established.

Interesting Cases

 R1: ebgp-multihop X
 R2: ttl-security hops 254

 R1 sends packets to R2 with TTL=X
o R2 replies back
 R2 sends packets to R1 with TTL=255
o R1 replies back

 R1: ebgp-multihop 255
 R2: ttl-security hops Y

 R1 sends packets to R2 with TTL=255
o R2 replies back
o R2 accepts only packets with TTL >= 255-Y
 R2 sends packets to R1 with TTL=255
o R1 replies back
o R1 accepts packets with any TTL

If ebgp-multihop is set to 255 or ttl-security is set to 254 (aka when at least one of these parameters is set to its max), then the eBGP session can be established, as long as their packets can reach each other.

 R1: ttl-security hops X
 R2: ttl-security hops Y

 R1 sends packets to R2 with TTL=255
o R2 replies back
o R2 accepts only packets with TTL >= 255-Y
 R2 sends packets to R1 with TTL=255
o R1 replies back
o R1 accepts only packets with TTL >= 255-X

If both routers use ttl-security, then the eBGP session can be established regardless of the hop values used, as long as their packets can reach each other.

 R1: ebgp-multihop X
 R2: ebgp-multihop Y

 R1 sends packets to R2 with TTL=X
o R2 replies back
o R2 accepts packets with any TTL
 R2 sends packets to R1 with TTL=Y
o R1 replies back
o R1 accepts packets with any TTL

If both routers use ebgp-multihop, then the eBGP session can be established regardless of the hop values used, as long as their packets can reach each other.
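The TTL rules and the General Rule above, as an added Python model (not code from the notes or from any Cisco implementation); it assumes that a side without ttl-security accepts any arriving TTL and that ActualHops counts transit routers (0 = directly connected), and checks the rule "X - ActualHops >= 255 - Y" exhaustively against the packet model.

```python
"""eBGP TTL checks: ebgp-multihop vs ttl-security (GTSM).

Added example, not from the original notes. It models the TTL rules listed
above and checks the General Rule "X - ActualHops >= 255 - Y" against them.
ActualHops is the number of transit routers between the peers (0 = directly
connected). Assumption: a side without ttl-security accepts any arriving TTL.
"""
from dataclasses import dataclass
from typing import Optional

MAX_TTL = 255


@dataclass(frozen=True)
class Peer:
    multihop: Optional[int] = None           # "ebgp-multihop X" (None = not set)
    ttl_security_hops: Optional[int] = None  # "ttl-security hops Y" (None = not set)

    def outgoing_ttl(self) -> int:
        """TTL the router writes into the BGP/TCP packets it sends."""
        if self.ttl_security_hops is not None:
            return MAX_TTL                    # ttl-security always sends 255
        if self.multihop is not None:
            return self.multihop              # ebgp-multihop X sends TTL=X
        return 1                              # plain directly-connected eBGP

    def min_incoming_ttl(self) -> int:
        """Lowest TTL the router accepts ("Mininum incoming TTL" in sh bgp nei)."""
        if self.ttl_security_hops is not None:
            return MAX_TTL - self.ttl_security_hops
        return 0                              # assumption: any TTL accepted


def packet_accepted(sender: Peer, receiver: Peer, actual_hops: int) -> bool:
    """A packet from sender crosses actual_hops transit routers, then receiver checks it."""
    ttl_on_arrival = sender.outgoing_ttl() - actual_hops
    if ttl_on_arrival <= 0:
        return False                          # TTL expired in transit
    return ttl_on_arrival >= receiver.min_incoming_ttl()


def session_established(r1: Peer, r2: Peer, actual_hops: int) -> bool:
    """Both directions must get through for the TCP session to come up."""
    return (packet_accepted(r1, r2, actual_hops)
            and packet_accepted(r2, r1, actual_hops))


def general_rule(x: int, y: int, actual_hops: int) -> bool:
    """The notes' rule for R1 ebgp-multihop X against R2 ttl-security hops Y."""
    return x - actual_hops >= MAX_TTL - y


def rule_matches_model(max_hops: int = 3) -> bool:
    """Exhaustively compare the General Rule with the packet model."""
    for x in range(1, MAX_TTL + 1):                  # ebgp-multihop 1..255
        r1 = Peer(multihop=x)
        for y in range(1, MAX_TTL):                  # ttl-security hops 1..254
            r2 = Peer(ttl_security_hops=y)
            for hops in range(0, max_hops + 1):
                if session_established(r1, r2, hops) != general_rule(x, y, hops):
                    return False
    return True


if __name__ == "__main__":
    print("multihop 5 vs ttl-security 2, one transit router:",
          session_established(Peer(multihop=5), Peer(ttl_security_hops=2), 1))
    print("rule matches model:", rule_matches_model())
```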

If loopback interfaces are used to connect single-hop eBGP peers, you can configure the
"neighbor disable-connected-check" command before you can establish the
eBGP peering session.

PMTUD

IOS

R2#sh bgp vpnv4 unicast all nei 19.19.19.19 | i tcp|segment
  Transport(tcp) path-mtu-discovery is enabled
  Datagrams (max data segment is 1432 bytes):

If you have BGP PMTUD enabled (by default in most releases), BGP packets will be sent with the DF bit set.

You can disable BGP PMTUD (either for all neighbors or for a specific neighbor) with the following commands.

IOS

router bgp 100
 no bgp transport path-mtu-discovery
 neighbor 19.19.19.19 transport path-mtu-discovery disable

If the global command "ip tcp path-mtu-discovery" is disabled (default) and BGP PMTUD is disabled too, then the default MSS (536) is used for BGP neighbors.

If "ip tcp path-mtu-discovery" is enabled but BGP PMTUD is disabled, then the maximum MSS is used for BGP neighbors.

You can use "ip tcp mss X" to change the global TCP MSS.

IOS-XR

tcp path-mtu-discovery

Links

 IETF - RFC 1191



Advanced BGP
BGP (Border Gateway Protocol) is defined in RFC 4271. MP-BGP (Multi-Protocol BGP) is
defined in RFC 4760. Labeled BGP (BGP+Label) is defined in RFC 3107.

enforce-first-as

When enabled, updates received from an eBGP peer that does not list its ASN at the
beginning of the as-path in the incoming update are denied (in order to prevent spoofing).

It's enabled by default.

IOS

router bgp 100

no bgp enforce-first-as

IOS-XR

router bgp 65000

bgp enforce-first-as disable

local-as & dual-as

When local-as is enabled for a neighbor, it allows a router to appear to be a member of a second ASN, in addition to its real ASN.

R4 (IOS)

router bgp 1
 network 4.4.4.4 mask 255.255.255.255
 neighbor 20.4.5.5 remote-as 2
 neighbor 20.4.5.5 local-as 11

R5 (IOS)

router bgp 2
 network 5.5.5.5 mask 255.255.255.255
 neighbor 20.4.5.4 remote-as 11

This feature can only be used for true eBGP peers (i.e. members of different confederation sub-ASs are not supported).



By default, the new local-as is prepended in incoming and outgoing updates.

IOS

R4#sh bgp ipv4 unicast
BGP table version is 3, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 4.4.4.4/32       0.0.0.0                  0         32768 i
*> 5.5.5.5/32       20.4.5.5                 0             0 11 2 i

R5#sh bgp ipv4 unicast
BGP table version is 3, local router ID is 5.5.5.5
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 4.4.4.4/32       20.4.5.4                 0             0 11 1 i
*> 5.5.5.5/32       0.0.0.0                  0         32768 i

Use the "no-prepend" option to avoid prepending the new local-as in the incoming updates.

R4 (IOS)

router bgp 1
 network 4.4.4.4 mask 255.255.255.255
 neighbor 20.4.5.5 remote-as 2
 neighbor 20.4.5.5 local-as 11 no-prepend

IOS

R4#sh bgp ipv4 unicast
BGP table version is 5, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 4.4.4.4/32       0.0.0.0                  0         32768 i
*> 5.5.5.5/32       20.4.5.5                 0             0 2 i

R5#sh bgp ipv4 unicast
BGP table version is 5, local router ID is 5.5.5.5
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 4.4.4.4/32       20.4.5.4                 0             0 11 1 i
*> 5.5.5.5/32       0.0.0.0                  0         32768 i

Use the "no-prepend replace-as" option to avoid prepending the real ASN in the outgoing updates.

R4 (IOS)

router bgp 1
 network 4.4.4.4 mask 255.255.255.255
 neighbor 20.4.5.5 remote-as 2
 neighbor 20.4.5.5 local-as 11 no-prepend replace-as

IOS

R4#sh bgp ipv4 unicast
BGP table version is 7, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 4.4.4.4/32       0.0.0.0                  0         32768 i
*> 5.5.5.5/32       20.4.5.5                 0             0 2 i

R5#sh bgp ipv4 unicast
BGP table version is 7, local router ID is 5.5.5.5
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 4.4.4.4/32       20.4.5.4                 0             0 11 i
*> 5.5.5.5/32       0.0.0.0                  0         32768 i

Use the "no-prepend replace-as dual-as" option to avoid prepending the new local-as in the incoming updates and the real ASN in the outgoing updates and at the same time allow eBGP connections with both the real ASN and the new local-as.

R4 (IOS)

router bgp 1
 network 4.4.4.4 mask 255.255.255.255
 neighbor 20.4.5.5 remote-as 2
 neighbor 20.4.5.5 local-as 11 no-prepend replace-as dual-as

R5 (IOS)

router bgp 2
 network 5.5.5.5 mask 255.255.255.255
 neighbor 20.4.5.4 remote-as 11

IOS

R4#sh bgp ipv4 unicast
BGP table version is 9, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 4.4.4.4/32       0.0.0.0                  0         32768 i
*> 5.5.5.5/32       20.4.5.5                 0             0 2 i

R5#sh bgp ipv4 unicast
BGP table version is 9, local router ID is 5.5.5.5
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 4.4.4.4/32       20.4.5.4                 0             0 11 i
*> 5.5.5.5/32       0.0.0.0                  0         32768 i

or

R5 (IOS)

router bgp 2
 network 5.5.5.5 mask 255.255.255.255
 neighbor 20.4.5.4 remote-as 1

R4#sh bgp ipv4 unicast
BGP table version is 11, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 4.4.4.4/32       0.0.0.0                  0         32768 i
*> 5.5.5.5/32       20.4.5.5                 0             0 2 i

R5#sh bgp ipv4 unicast
BGP table version is 11, local router ID is 5.5.5.5
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 4.4.4.4/32       20.4.5.4                 0             0 1 i
*> 5.5.5.5/32       0.0.0.0                  0         32768 i

PE-CE Routing

In order to allow VPN sites with the same ASN to talk to each other, you can use one of the following:

 "neighbor PE allowas-in" in the CE
o CE accepts its own ASN
 "neighbor CE as-override" in the PE
o PE replaces the common CE ASN with its own

eBGP sessions in IOS-XR require an in/out PASS routing policy under the appropriate address-family. Alternatively in some cases you can use "bgp unsafe-ebgp-policy" in order to bypass this.

IOS-XR

vrf VPN
 address-family ipv4 unicast
  import route-target 100:1
  export route-target 100:1
!
router bgp 100
 address-family ipv4 unicast
 !
 vrf VPN
  rd 100:1
  bgp unsafe-ebgp-policy
  address-family ipv4 unicast
  !
  neighbor 2.2.2.2
   remote-as 200
   address-family ipv4 unicast
    as-override
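The as-path effects of local-as (default, no-prepend, replace-as, dual-as) from the local-as section and of as-override / allowas-in from the PE-CE section, as one added Python model (not code from the notes); the local-as cases reuse the R4/R5 lab values (real ASN 1, local-as 11, peer ASN 2), while the PE ASN 100 and CE ASN 65001 are constructed.

```python
"""AS_PATH handling for local-as (no-prepend / replace-as / dual-as),
as-override and allowas-in.

Added example, not from the original notes. AS_PATH is a plain list of ASNs
(AS_SEQUENCE only). The local-as cases reuse the R4/R5 lab above (real ASN 1,
local-as 11, peer ASN 2); the PE/CE ASNs (100, 65001) are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

AsPath = List[int]


@dataclass(frozen=True)
class LocalAsNeighbor:
    """'neighbor X local-as <local_as> [no-prepend [replace-as [dual-as]]]'."""
    real_asn: int
    local_as: int
    no_prepend: bool = False
    replace_as: bool = False
    dual_as: bool = False

    def local_as_active(self, peer_remote_as: int) -> bool:
        """The ASN the peer configured as remote-as decides how we behave."""
        if peer_remote_as == self.local_as:
            return True
        if self.dual_as and peer_remote_as == self.real_asn:
            return False                      # dual-as: act as a plain real_asn router
        raise ValueError(f"session with remote-as {peer_remote_as} would not establish")

    def inbound(self, as_path: AsPath, peer_remote_as: int) -> AsPath:
        """Path as stored locally after receiving an update from the peer."""
        if not self.local_as_active(peer_remote_as) or self.no_prepend:
            return list(as_path)
        return [self.local_as] + list(as_path)   # default: local-as prepended on receive

    def outbound(self, as_path: AsPath, peer_remote_as: int) -> AsPath:
        """Path as seen by the peer after we send it an update."""
        if not self.local_as_active(peer_remote_as):
            return [self.real_asn] + list(as_path)
        real = [] if self.replace_as else [self.real_asn]
        return [self.local_as] + real + list(as_path)


def pe_sends_to_ce(as_path: AsPath, pe_asn: int, ce_asn: int, as_override: bool) -> AsPath:
    """PE -> CE eBGP update; with as-override the CE's ASN is rewritten to the PE's."""
    path = [pe_asn if asn == ce_asn else asn for asn in as_path] if as_override else list(as_path)
    return [pe_asn] + path


def ce_accepts(as_path: AsPath, ce_asn: int, allowas_in: int = 0) -> bool:
    """eBGP loop check at the CE: own ASN may appear at most allowas_in times."""
    return as_path.count(ce_asn) <= allowas_in


def local_as_cases() -> Dict[str, Tuple[AsPath, AsPath]]:
    """(path R4 stores for 5.5.5.5/32, path R5 sees for 4.4.4.4/32) per R4 configuration."""
    r5_origin, r4_origin = [2], []            # 5.5.5.5/32 from AS 2, 4.4.4.4/32 local on R4
    cases = {
        "default":    LocalAsNeighbor(1, 11),
        "no-prepend": LocalAsNeighbor(1, 11, no_prepend=True),
        "replace-as": LocalAsNeighbor(1, 11, no_prepend=True, replace_as=True),
        "dual-as":    LocalAsNeighbor(1, 11, no_prepend=True, replace_as=True, dual_as=True),
    }
    out = {name: (nbr.inbound(r5_origin, 11), nbr.outbound(r4_origin, 11))
           for name, nbr in cases.items()}
    out["dual-as, R5 remote-as 1"] = (cases["dual-as"].inbound(r5_origin, 1),
                                      cases["dual-as"].outbound(r4_origin, 1))
    return out


if __name__ == "__main__":
    for name, (r4_path, r5_path) in local_as_cases().items():
        print(f"{name:28s} R4 sees {r4_path}  R5 sees {r5_path}")
    site_a = [65001]                                   # CE A advertised its prefix
    print("no override :", pe_sends_to_ce(site_a, 100, 65001, False))
    print("as-override :", pe_sends_to_ce(site_a, 100, 65001, True))
```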

Labeled BGP

It's a BGP capability (negotiated between neighbors during session setup) that allows you to exchange labels together with IPv4/IPv6 unicast prefixes. It's used in Inter-AS, CsC, 6PE scenarios, and when LDP+IGP or RSVP-TE are not available for label distribution.

Configuration

IOS

router bgp 100
 address-family ipv4
  neighbor 1.1.1.1 send-label

IOS-XR

router bgp 100
 address-family ipv4 unicast
  allocate-label all
 !
 neighbor 1.1.1.1
  address-family ipv4 labeled-unicast

You can also filter the prefixes for which to allocate labels.

Verification

R2#sh bgp ipv4 unicast neighbors 1.1.1.1 | b capabilities
  Neighbor capabilities:
    Route refresh: advertised and received(new)
    Four-octets ASN Capability: advertised and received
    Address family IPv4 Unicast: advertised and received
    ipv4 MPLS Label capability: advertised and received
    Multisession Capability: advertised and received

In IOS-XR, when you activate a new ipv4/ipv6-labeled session for an existing ipv4/ipv6 neighbor, you need to re-apply all settings (i.e. route-policy, send-community) from the ipv4 session to the ipv4-labeled session.

L3VPN

"send-community extended" is usually automatically enabled when activating a neighbor under the BGP VPNv4 address-family. Since RT is an extended community, without this command VPNv4 routes won't be advertised in BGP.

In order to see the VPN label to be used by the PEs, you just need to check the relevant BGP route.

R2#sh bgp vpnv4 unicast all 6.6.6.6/32
...
  5.5.5.5 (metric 4) from 5.5.5.5 (5.5.5.5)
  ...
      mpls labels in/out nolabel/28

In order to see the IGP/Transport label to be used by the PEs and Ps, you just need to find the label for the route's next-hop. Remember to add the "detail" keyword in order to see the whole label stack (due to possible route recursion).

R2#sh mpls forwarding-table 5.5.5.5
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
27         26         5.5.5.5/32       0             Fa0/0.23   20.2.3.3

In order to see the whole label stack (which includes both the VPN and the IGP label), you can check the relevant CEF entry (inside the VRF) on the PEs.

R2#sh ip cef vrf VPN 6.6.6.6 det
6.6.6.6/32, epoch 0, flags rib defined all labels
  recursive via 5.5.5.5 label 28
    nexthop 20.2.3.3 FastEthernet0/0.23 label 26

If you want to follow an Intra-AS L3VPN path (assuming the control-plane has been set up correctly), then you can execute the following algorithm:

 first router (start PE)
o Find the VPN label for the prefix
o Find the Transport label(s) for the prefix's next-hop
 n router
o Follow the Transport top label swaps until there is a "Pop Label" for the next router
 n+1 router
o Find the local VPN label for the prefix
o If VPN label is "no label", then the router is the end PE (VPN is locally attached)
o If VPN label is other, then ?
o If VPN label doesn't exist, then ?

If the route is learned from IGP, the Transport label must be allocated through LDP/RSVP-TE. If the route is learned from BGP, the Transport label must be allocated through BGP.
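The path-following algorithm above, as an added Python walk over constructed per-router tables (not code from the notes); it reuses the VPN label 28 and transport label 26 shown in the outputs above, while the second P router (R4) and its label 30 are constructed, and a VPN label that no router owns is reported as a failed walk (my choice for the "?" cases in the list).

```python
"""Following an Intra-AS L3VPN data path label by label.

Added example, not from the original notes. It encodes the algorithm above over
constructed per-router tables: the ingress PE's VPNv4 entry (BGP next-hop + VPN
label, as in 'sh bgp vpnv4'), its transport FIB for the next-hop /32 (as in
'sh mpls forwarding-table'), each P router's LFIB and the egress PE's local VPN
labels. VPN label 28 and transport label 26 come from the outputs above; the
second P router and its label 30 are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple, Union

POP = "Pop Label"
Label = Union[int, str]


@dataclass
class Router:
    name: str
    # ingress PE: (vrf, prefix) -> (BGP next-hop, VPN label)
    vpnv4: Dict[Tuple[str, str], Tuple[str, int]] = field(default_factory=dict)
    # transport FIB: next-hop /32 -> (outgoing label or POP, next router)
    fib: Dict[str, Tuple[Label, str]] = field(default_factory=dict)
    # LFIB: incoming transport label -> (outgoing label or POP, next router)
    lfib: Dict[int, Tuple[Label, str]] = field(default_factory=dict)
    # egress PE: local VPN label -> (vrf, prefix)  (the "in" label of 'mpls labels in/out')
    vpn_labels: Dict[int, Tuple[str, str]] = field(default_factory=dict)


Hop = Tuple[str, List[int], str]   # (router, label stack put on the wire, next router / vrf)


def trace_l3vpn_path(routers: Dict[str, Router], ingress: str, vrf: str, prefix: str) -> List[Hop]:
    pe = routers[ingress]
    # first router: VPN label for the prefix, then transport label for its next-hop
    next_hop, vpn_label = pe.vpnv4[(vrf, prefix)]
    transport, nxt = pe.fib[next_hop]
    stack = [vpn_label] if transport == POP else [transport, vpn_label]
    hops: List[Hop] = [(ingress, list(stack), nxt)]
    current = nxt
    # n router: follow top-label swaps until a Pop Label exposes the VPN label
    while len(stack) == 2:
        r = routers[current]
        if stack[0] not in r.lfib:
            raise LookupError(f"{current}: no LFIB entry for transport label {stack[0]}")
        out_label, nxt = r.lfib[stack[0]]
        stack = [stack[1]] if out_label == POP else [out_label, stack[1]]
        hops.append((current, list(stack), nxt))
        current = nxt
    # n+1 router: the VPN label must be a local label of this PE, otherwise the walk fails
    egress = routers[current]
    if stack[0] not in egress.vpn_labels:
        raise LookupError(f"{current}: VPN label {stack[0]} unknown, not the end PE")
    egress_vrf, egress_prefix = egress.vpn_labels[stack[0]]
    hops.append((current, [], f"vrf {egress_vrf} {egress_prefix}"))
    return hops


def lab_topology() -> Dict[str, Router]:
    """R2 (ingress PE) -> R3 (P) -> R4 (P, penultimate hop) -> R5 (egress PE)."""
    return {
        "R2": Router("R2", vpnv4={("VPN", "6.6.6.6/32"): ("5.5.5.5", 28)},
                     fib={"5.5.5.5": (26, "R3")}),
        "R3": Router("R3", lfib={26: (30, "R4")}),        # swap 26 -> 30
        "R4": Router("R4", lfib={30: (POP, "R5")}),       # penultimate hop popping
        "R5": Router("R5", vpn_labels={28: ("VPN", "6.6.6.6/32")}),
    }


if __name__ == "__main__":
    for router, stack, towards in trace_l3vpn_path(lab_topology(), "R2", "VPN", "6.6.6.6/32"):
        print(f"{router}: labels {stack} -> {towards}")
```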

Dynamic L3VPN with mGRE Tunnels

If MPLS is not available in a network, you can use GRE (or other types of encapsulation) to "automatically" build dynamic tunnels in order to provide L3VPN services.

The BGP nexthop is used for tunnel endpoint discovery, but instead of adding a transport label, VPN traffic is encapsulated into GRE (having as source a local interface and as destination the neighbor PE).

The L3VPN BGP configuration (regarding VRFs and VPNv4) remains the same as in MPLS L3VPN.

Configuration Steps

 create a new VRF for the mGRE tunnels
 create a mGRE tunnel (with no destination) and assign the above VRF to it
 create a default static route that forwards the above VRF traffic into the mGRE tunnel
 activate the above VRF under BGP
 apply an inbound route-map that changes the next-hop to the above VRF to all the PE sessions

The same tunnels can be used for all L3VPNs between the same PEs.

IOS

vrf definition L3VPN-VRF
 rd 1:99
!
interface Tunnel1
 ip vrf forwarding L3VPN-VRF
 ip address 99.99.99.1 255.255.255.255
 tunnel source Loopback0
 tunnel mode gre multipoint l3vpn
 tunnel key 99
!
ip route vrf L3VPN-VRF 0.0.0.0 0.0.0.0 Tunnel1
!
router bgp 1
 neighbor 2.2.2.2 remote-as 1
 neighbor 2.2.2.2 update-source Loopback0
 !
 address-family vpnv4
  neighbor 2.2.2.2 activate
  neighbor 2.2.2.2 send-community extended
  neighbor 2.2.2.2 route-map L3VPN-ROUTEMAP in
 exit-address-family
 !
 address-family ipv4 vrf L3VPN-VRF
 exit-address-family
!
route-map L3VPN-ROUTEMAP permit 10
 set ip next-hop in-vrf L3VPN-VRF

In the latest releases you can also use multipoint L2TPv3 tunnels instead of the default mGRE ones.

You can also define l3vpn encapsulation profiles for fully automatic tunnel provisioning.

IOS

l3vpn encapsulation ip L3VPN-PROFILE
 transport source Loopback0
 protocol gre key 99
!
router bgp 1
 neighbor 2.2.2.2 remote-as 1
 neighbor 2.2.2.2 update-source Loopback0
 !
 address-family vpnv4
  neighbor 2.2.2.2 activate
  neighbor 2.2.2.2 send-community extended
  neighbor 2.2.2.2 route-map L3VPN-ROUTEMAP in
 exit-address-family
!
route-map L3VPN-ROUTEMAP permit 10
 set ip next-hop encapsulate L3VPN-PROFILE

Link Bandwidth
It is used with BGP multipath to configure load balancing over links with unequal bandwidth.

When enabled, routes learned from directly connected external neighbors are propagated
through the iBGP network with the bandwidth of the source external link stored in an
extended community.

The link bandwidth extended community attribute is used as a traffic sharing value relative to
other paths while forwarding traffic.

Two or more paths are designated as equal for load balancing if weight, local-preference, as-
path length, MED and IGP costs are the same.

BGP can originate the link bandwidth community only for directly connected links to eBGP
neighbors.

Configuration Steps

 "dmzlink-bw" must be enabled on all BGP routers that need to process the link bandwidth community
 "dmzlink-bw" must be enabled on all eBGP neighborships from where the bandwidth will be acquired
 "send-community extended" must be enabled on all iBGP peerings where the link bandwidth community must be propagated to
 multipath must be enabled where more than one path is expected

R2 (IOS)

router bgp 1
 bgp dmzlink-bw
 neighbor 3.3.3.3 remote-as 1
 neighbor 3.3.3.3 update-source Loopback0
 neighbor 4.4.4.4 remote-as 1
 neighbor 4.4.4.4 update-source Loopback0
 maximum-paths ibgp 4

R3 (IOS)

router bgp 1
 bgp dmzlink-bw
 neighbor 2.2.2.2 remote-as 1
 neighbor 2.2.2.2 update-source Loopback0
 neighbor 2.2.2.2 next-hop-self
 neighbor 2.2.2.2 send-community extended
 neighbor 4.4.4.4 remote-as 1
 neighbor 4.4.4.4 update-source Loopback0
 neighbor 4.4.4.4 next-hop-self
 neighbor 4.4.4.4 send-community extended
 neighbor 20.3.6.6 remote-as 2
 neighbor 20.3.6.6 dmzlink-bw
 maximum-paths 4
 maximum-paths ibgp 4
!
interface FastEthernet0/0.36
 bandwidth 36000

R4 (IOS)

router bgp 1
 bgp dmzlink-bw
 neighbor 2.2.2.2 remote-as 1
 neighbor 2.2.2.2 update-source Loopback0
 neighbor 2.2.2.2 next-hop-self
 neighbor 2.2.2.2 send-community extended
 neighbor 3.3.3.3 remote-as 1
 neighbor 3.3.3.3 update-source Loopback0
 neighbor 3.3.3.3 next-hop-self
 neighbor 3.3.3.3 send-community extended
 neighbor 20.4.5.5 remote-as 2
 neighbor 20.4.5.5 dmzlink-bw
 neighbor 20.4.6.6 remote-as 2
 neighbor 20.4.6.6 dmzlink-bw
 maximum-paths 4
 maximum-paths ibgp 4
!
interface FastEthernet0/0.45
 bandwidth 45000
!
interface FastEthernet0/0.46
 bandwidth 46000

IOS

R2#sh bgp
BGP table version is 5, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*mi 19.19.19.19/32  4.4.4.4                  2    100      0 2 i
*>i                 3.3.3.3                  2    100      0 2 i

R2#sh bgp ipv4 unicast 19.19.19.19/32
BGP routing table entry for 19.19.19.19/32, version 5
Paths: (2 available, best #2, table default)
Multipath: iBGP
  Not advertised to any peer
  2
    4.4.4.4 (metric 5) from 4.4.4.4 (4.4.4.4)
      Origin IGP, metric 2, localpref 100, valid, internal, multipath
      DMZ-Link Bw 11375 kbytes
  2
    3.3.3.3 (metric 5) from 3.3.3.3 (3.3.3.3)
      Origin IGP, metric 2, localpref 100, valid, internal, multipath, best
      DMZ-Link Bw 4500 kbytes

Although BGP multipath is enabled, the BGP selection algorithm still chooses one path as the best (based on the standard BGP selection criteria), but both paths are tagged with the "multipath" keyword and appear in the routing table for forwarding.



R2#sh ip route 19.19.19.19
Routing entry for 19.19.19.19/32
  Known via "bgp 1", distance 200, metric 2
  Tag 2, type internal
  Last update from 3.3.3.3 00:04:36 ago
  Routing Descriptor Blocks:
  * 4.4.4.4, from 4.4.4.4, 00:04:36 ago
      Route metric is 2, traffic share count is 5
      AS Hops 1
      Route tag 2
      MPLS label: none
    3.3.3.3, from 3.3.3.3, 00:04:36 ago
      Route metric is 2, traffic share count is 2
      AS Hops 1
      Route tag 2
      MPLS label: none

Divide the bandwidth entry (Kbps) by 8 to find out the DMZ-Link Bw (KBps) in the "sh bgp" output.
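As an added example (not part of the original notes), the following Python encodes and decodes the Link Bandwidth extended community that "dmzlink-bw" attaches, using the wire format from draft-ietf-idr-link-bandwidth (type 0x40, sub-type 0x04, two-octet AS, IEEE-754 single-precision bandwidth in bytes per second), and reproduces the 11375 and 4500 kbytes values from the "sh bgp" output above out of the interface bandwidths. The AS number carried in the community (1) and the 36000 kbps bandwidth of R3's eBGP link (which is not shown on this page) are assumptions.

```python
"""Link Bandwidth extended community (draft-ietf-idr-link-bandwidth), added example.

Wire format: type 0x40 (non-transitive, two-octet AS specific), sub-type 0x04,
2-byte AS number, 4-byte IEEE-754 single-precision bandwidth in BYTES per second.
IOS prints this value divided by 1000 as "DMZ-Link Bw N kbytes".
"""
import struct

LINK_BW_TYPE = 0x40
LINK_BW_SUBTYPE = 0x04
LOCAL_AS = 1          # assumption: the AS that originates the community (bgp 1 on this page)


def encode_link_bandwidth(bandwidth_kbps: int, asn: int = LOCAL_AS) -> bytes:
    """Build the 8-byte community for an interface 'bandwidth' value given in kbit/s."""
    bytes_per_sec = bandwidth_kbps * 1000 / 8           # kbit/s -> bytes/s
    return struct.pack("!BBHf", LINK_BW_TYPE, LINK_BW_SUBTYPE, asn, bytes_per_sec)


def decode_link_bandwidth(ext_community: bytes):
    """Return (asn, bytes_per_sec), or None when the 8 bytes are some other community."""
    typ, subtype, asn, bps = struct.unpack("!BBHf", ext_community)
    if (typ, subtype) != (LINK_BW_TYPE, LINK_BW_SUBTYPE):
        return None
    return asn, bps


def aggregate_for_multipath(ext_communities, asn: int = LOCAL_AS) -> bytes:
    """What R4 did before re-advertising 19.19.19.19/32 to iBGP: with two eBGP
    multipaths (Fa0/0.45 and Fa0/0.46) the member bandwidths are summed into ONE
    community, which is why R2 sees 11375 kbytes behind 4.4.4.4."""
    total = sum(decode_link_bandwidth(ec)[1] for ec in ext_communities)
    return struct.pack("!BBHf", LINK_BW_TYPE, LINK_BW_SUBTYPE, asn, total)


def dmz_link_bw_kbytes(ext_communities) -> int:
    """The number IOS prints as 'DMZ-Link Bw N kbytes' for a path carrying these communities."""
    total = sum((decode_link_bandwidth(ec) or (0, 0.0))[1] for ec in ext_communities)
    return int(total / 1000)


def interface_kbps_to_kbytes(bandwidth_kbps: int) -> int:
    """The shortcut from the note above: bandwidth (kbit/s) / 8 = DMZ-Link Bw (kbytes)."""
    return bandwidth_kbps // 8


# Reproduce the two paths R2 shows for 19.19.19.19/32.
VIA_R4 = aggregate_for_multipath([encode_link_bandwidth(45000), encode_link_bandwidth(46000)])
VIA_R3 = encode_link_bandwidth(36000)   # assumption: R3's eBGP link is configured with bandwidth 36000

if __name__ == "__main__":
    print("via 4.4.4.4:", dmz_link_bw_kbytes([VIA_R4]), "kbytes")   # 11375
    print("via 3.3.3.3:", dmz_link_bw_kbytes([VIA_R3]), "kbytes")   # 4500
    print("raw community via 3.3.3.3:", VIA_R3.hex())
```

Because the bandwidth travels as a 32-bit float, values above 2^24 bytes/s (about 134 Mbit/s) are rounded to the nearest representable number; what the traffic share counts are derived from is the ratio between the paths (5:2 above, roughly 11375:4500), not the exact figure.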

IOS-XR

router bgp 2
 address-family ipv4 unicast
  maximum-paths ibgp 4
  maximum-paths ebgp 4
 !
 neighbor 6.6.6.6
  dmz-link-bandwidth

The above (old-style) configuration is not recommended. In later IOS-XR releases (>4.3.2)
you can set the bandwidth extcommunity in a route-policy towards the iBGP neighbor in
order to achieve the same thing.

Links

IETF - draft-ietf-idr-link-bandwidth

RT Constrain (RTC)

The default behavior is for the PEs to filter out the unwanted RTs, after they receive the
prefixes from the RR. After enabling this feature on the PE and the RR, the PE informs the
RR what RTs it actually needs and the RR sends only those.

This feature causes two exchanges to happen:

 The PE sends an RT Constraint (RTC) NLRI to the RR
 The RR installs an outbound route filter

The rtfilter address-family must be activated on both the RR and the PE.

IOS

router bgp 100
 neighbor 1.1.1.1 remote-as 100
 neighbor 1.1.1.1 update-source Loopback0
 !
 address-family vpnv4
  neighbor 1.1.1.1 activate
  neighbor 1.1.1.1 send-community extended
 exit-address-family
 !
 address-family rtfilter unicast
  neighbor 1.1.1.1 activate
  neighbor 1.1.1.1 send-community extended
 exit-address-family

IOS-XR

router bgp 100
 address-family vpnv4 unicast
 !
 address-family ipv4 rt-filter
 !
 neighbor 1.1.1.1
  remote-as 100
  update-source Loopback0
  address-family vpnv4 unicast
  !
  address-family ipv4 rt-filter

It requires IOS-XR > 4.3 or IOS > 15.1.

Links

IETF - RFC 4684

Fast Convergence

 Different RD per PE
 BGP Multipath
 BGP Best-external
 BGP PIC
 Two RRs (one for primary, one for secondary)

Multipath

It allows installation of multiple BGP paths to the same destination into the IP routing table.
These paths are installed in the table together with the best path for load sharing. BGP
Multipath does not affect best-path selection. For example, a router still designates one of the
paths as the best path, according to the algorithm, and advertises this best path to its
neighbors.

 eBGP multipath
   o maximum-paths x (IOS)
   o maximum-paths ebgp x (IOS-XR)
 iBGP multipath
   o maximum-paths ibgp x (IOS, IOS-XR)
 eiBGP multipath (under ipv4 vrf address-family)
   o maximum-paths eibgp x (IOS, IOS-XR)

In IOS-XR, you can also use the "selective" keyword in order to restrict multipath to
specific neighbors (the ones with "multipath" configured).

CEF load-sharing might need to be tuned also.

"bgp bestpath as-path multipath-relax" can be used to skip checking the as-path contents and check only its length.

Best-External Path

When configured, enables the advertisement of the best-external path to iBGP/RR peers, if
the locally selected best-path is from an internal peer. That way routers internal to the AS
have knowledge of more exit paths from the AS.

Usually it's configured on the backup router.

IOS

router bgp 100
 address-family vpnv4
  bgp advertise-best-external

IOS-XR

router bgp 100
 address-family ipv4 unicast
  advertise best-external

PIC (Prefix Independent Convergence)


When configured, it installs a backup path into the forwarding table so that convergence after a failure does not depend on the number of affected prefixes. PIC core covers core link/node failures (the BGP next-hop is repaired by the IGP update), PIC edge covers PE-CE link or PE node failures (traffic switches to the pre-installed backup path via another PE).

IOS

router bgp 100
 address-family vpnv4
  bgp additional-paths install
  bgp recursion host

IOS-XR (3.9)

router bgp 100
 address-family vpnv4 unicast
  additional-paths install backup

For faster convergence you might need to remove the command "bgp recursion host".
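To make the interplay of the three knobs in this section concrete, here is an added Python model (not from the original notes) of a simplified best-path run. It implements only the attribute order IOS uses (weight, local preference, AS-path length, origin, MED, eBGP over iBGP, IGP metric, and the neighbor address as the final tie-break in place of the router-id), compares MED across all paths as if "bgp always-compare-med" were set, and works on constructed paths. It shows that multipath never changes the best path, how multipath-relax widens the multipath set, which path "advertise best-external" would send, and which path PIC keeps as the backup.

```python
"""Simplified BGP path selection with multipath, best-external and PIC backup.
Added example with constructed paths; only part of the IOS best-path algorithm is modelled."""
from dataclasses import dataclass

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}


@dataclass(frozen=True)
class Path:
    prefix: str
    as_path: tuple
    neighbor: str          # also used as the final tie-break in place of the router-id
    internal: bool         # True when learnt from an iBGP peer
    weight: int = 0
    local_pref: int = 100
    origin: str = "igp"
    med: int = 0
    igp_metric: int = 0    # IGP cost to the next-hop


def rank(p: Path):
    """Sort key: the lower tuple wins, attributes in the order IOS compares them."""
    return (-p.weight, -p.local_pref, len(p.as_path), ORIGIN_RANK[p.origin],
            p.med, p.internal, p.igp_metric, p.neighbor)


def best_path(paths):
    return min(paths, key=rank)


def multipath_set(paths, max_paths, relax=False):
    """Best path plus the paths allowed to share load with it. Multipath does not
    change which path is best. Candidates need the same weight, local-pref, origin,
    MED, eBGP/iBGP type and IGP metric as the best path; the AS-path must be
    identical, or merely of equal length with 'bgp bestpath as-path multipath-relax'."""
    best = best_path(paths)

    def eligible(p):
        same_as_path = (len(p.as_path) == len(best.as_path)) if relax else (p.as_path == best.as_path)
        same_rest = (p.weight, p.local_pref, p.origin, p.med, p.internal, p.igp_metric) == \
                    (best.weight, best.local_pref, best.origin, best.med, best.internal, best.igp_metric)
        return same_as_path and same_rest

    return best, sorted((p for p in paths if eligible(p)), key=rank)[:max_paths]


def best_external(paths):
    """'advertise best-external': when the best path came from an iBGP peer, the best
    of the eBGP-learnt paths is still advertised to iBGP/RR peers as an extra exit."""
    best = best_path(paths)
    externals = [p for p in paths if not p.internal]
    return best_path(externals) if best.internal and externals else None


def pic_backup(paths):
    """'additional-paths install backup': the best path through a different neighbor,
    pre-installed in the FIB so a PE-CE failure needs no per-prefix reconvergence."""
    best = best_path(paths)
    others = [p for p in paths if p.neighbor != best.neighbor]
    return best_path(others) if others else None


# Constructed paths for 10.0.0.0/24: three eBGP paths and one iBGP path with a higher local-pref.
EXT_PATHS = [
    Path("10.0.0.0/24", (65001, 65002), "192.0.2.1", internal=False),
    Path("10.0.0.0/24", (65003, 65002), "192.0.2.2", internal=False),   # same length, different content
    Path("10.0.0.0/24", (65001, 65002), "192.0.2.3", internal=False),
]
ALL_PATHS = EXT_PATHS + [Path("10.0.0.0/24", (65001, 65002), "10.255.0.3", internal=True, local_pref=200)]

if __name__ == "__main__":
    best, mp = multipath_set(EXT_PATHS, 4)
    print("best:", best.neighbor, "multipath:", [p.neighbor for p in mp])
    best, mp = multipath_set(EXT_PATHS, 4, relax=True)
    print("best:", best.neighbor, "multipath-relax:", [p.neighbor for p in mp])
    print("best-external with iBGP best:", best_external(ALL_PATHS).neighbor)
    print("PIC backup:", pic_backup(EXT_PATHS).neighbor)
```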

Links

IETF - draft-ietf-idr-best-external

QPPB (QoS Policy Propagation via BGP)

It allows you to match BGP routes based on attributes (i.e. community, as-path), mark these
with ip prec or qos-group (or other attributes depending on software version) and then mark
appropriately the relevant source/destination packets matching the above routes. Further
actions (i.e. policing, queuing) can be performed on the marked packets afterwards.

IOS

ip community-list 1 permit 100:1
!
ip as-path access-list 1 permit _200$
!
route-map QPPB-ROUTEMAP permit 10
 match community 1
 set ip precedence 2
!
route-map QPPB-ROUTEMAP permit 20
 match as-path 1
 set ip precedence 5
!
router bgp 100
 table-map QPPB-ROUTEMAP
!
interface FastEthernet0/0
 bgp-policy source ip-prec-map

IOS-XR

route-policy QPPB-ROUTEPOLICY
  if community matches-any (100:1) then
    set qos-group 2
  endif
  if as-path originates-from '200' then
    set qos-group 5
  endif
end-policy
!
router bgp 100
 address-family ipv4 unicast
  table-policy QPPB-ROUTEPOLICY
!
interface GigabitEthernet0/0/0/0
 ipv4 bgp policy propagation input qos-group source

IOS-XR has various limitations depending on the hardware used.

RTBH (Remotely Triggered Black Hole) routing/filtering

It allows you to quickly "block" an attack on all your edge routers at once: a single trigger router advertises a BGP route for the attacked destination whose next-hop every edge router already resolves to Null0.

Configuration Steps

 configure a static route for a dummy next-hop address pointing to Null0 on your edge routers
 configure a route-map that matches a tag and sets the dummy next-hop (plus whatever else) on your rtbh router
 configure redistribution of static routes into BGP using the above route-map on your rtbh router
 in case of attack, configure a null static route with the appropriate tag for the destination on the rtbh router

i.e. for destination-based RTBH:

edge (IOS)

ip route 192.168.1.1 255.255.255.255 Null0

rtbh router (IOS)

router bgp 100
 redistribute static route-map RTBH-ROUTEMAP
!
route-map RTBH-ROUTEMAP permit 10
 match tag 99
 set ip next-hop 192.168.1.1
 set community no-export additive

Do not add the no-advertise community here: no-advertise stops the route from being sent to any peer, including the edge routers, while no-export keeps it inside the AS, which is what you want.

When an attack against 10.10.10.10 happens, on the rtbh router (IOS):

ip route 10.10.10.10 255.255.255.255 Null0 tag 99


It is assumed that the rtbh router has BGP connectivity with all edge routers (either directly, or through RRs).

If you combine loose uRPF ("ip verify unicast source reachable-via any" on the edge interfaces) with RTBH, you can block source IPs too: a tagged static route for the attacker's source prefix makes every edge router resolve that prefix to Null0, so packets with that source fail the loose uRPF check and are dropped on ingress.
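As an added example (not from the original notes), the following Python models what the QPPB and RTBH configurations above do to packets at an edge router: the table-map turns BGP attributes into a precedence stored with the route, "bgp-policy source" reads that precedence from the route matching the packet's source address, the tagged static on the rtbh router becomes a BGP route with the dummy next-hop, the edge resolves that next-hop to its Null0 static, and loose uRPF turns the same route into a source-address drop. All addresses, AS paths and communities are constructed.

```python
"""Edge-router model of QPPB marking and RTBH/uRPF dropping. Added example with
constructed routes; it follows the route-maps and statics shown in the two sections above."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

NULL0 = "Null0"
RTBH_NEXT_HOP = "192.168.1.1"      # dummy next-hop set by route-map RTBH-ROUTEMAP
RTBH_TAG = 99


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str                  # an address, an interface name or NULL0
    as_path: tuple = ()
    communities: frozenset = frozenset()
    tag: int = 0


def rtbh_redistribute(static_routes):
    """rtbh router, 'redistribute static route-map RTBH-ROUTEMAP': only statics with the
    tag become BGP routes, each with the dummy next-hop and no-export (stays inside the AS)."""
    return [Route(r.prefix, RTBH_NEXT_HOP, communities=frozenset({"no-export"}))
            for r in static_routes if r.tag == RTBH_TAG]


def qppb_precedence(route):
    """route-map QPPB-ROUTEMAP: community 100:1 -> precedence 2 (seq 10), else an
    AS-path ending in 200 ('_200$') -> precedence 5 (seq 20), else unmarked."""
    if "100:1" in route.communities:
        return 2
    if route.as_path and route.as_path[-1] == 200:
        return 5
    return None


def lpm(fib, addr):
    """Longest-prefix match in the FIB; returns the entry or None."""
    a = ip_address(addr)
    hits = [(net, entry) for net, entry in fib.items() if a in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def build_fib(static_routes, bgp_routes):
    """Statics/connected first, then BGP routes with recursive next-hop resolution:
    an unresolvable next-hop is not installed, one that resolves to Null0 makes the
    prefix a drop (this is how 10.10.10.10/32 ends up blackholed on every edge)."""
    fib = {}
    for r in static_routes:
        fib[ip_network(r.prefix, strict=False)] = {"via": r.next_hop, "prec": None}
    for r in bgp_routes:
        resolved = lpm(fib, r.next_hop)
        if resolved is None:
            continue
        via = NULL0 if resolved["via"] == NULL0 else r.next_hop
        fib[ip_network(r.prefix, strict=False)] = {"via": via, "prec": qppb_precedence(r)}
    return fib


def forward(fib, src, dst, urpf_loose=True):
    """Return ('drop', reason) or ('forward', via, precedence). With loose uRPF a source
    whose best route is Null0 fails the check, which is what makes RTBH source-based."""
    src_entry = lpm(fib, src)
    if urpf_loose and (src_entry is None or src_entry["via"] == NULL0):
        return ("drop", "uRPF loose: source unreachable or blackholed")
    dst_entry = lpm(fib, dst)
    if dst_entry is None:
        return ("drop", "no route")
    if dst_entry["via"] == NULL0:
        return ("drop", "destination blackholed (RTBH)")
    precedence = src_entry["prec"] if src_entry else None      # 'bgp-policy source ip-prec-map'
    return ("forward", dst_entry["via"], precedence)


def demo():
    # Every edge router: dummy next-hop to Null0, plus a connected core-facing subnet.
    edge_static = [Route("192.168.1.1/32", NULL0), Route("10.0.0.0/24", "FastEthernet0/0")]
    learnt = [
        Route("203.0.113.0/24", "10.0.0.2", as_path=(300, 200), communities=frozenset({"100:1"})),
        Route("198.51.100.0/24", "10.0.0.3", as_path=(400, 200)),
        Route("10.10.10.0/24", "10.0.0.4", as_path=(500,)),
    ]
    # Attack on 10.10.10.10: the operator adds the tagged static on the rtbh router;
    # an untagged static stays local and is not redistributed.
    rtbh_static = [Route("10.10.10.10/32", NULL0, tag=RTBH_TAG), Route("172.16.0.0/16", NULL0)]
    blackholed = rtbh_redistribute(rtbh_static)
    fib = build_fib(edge_static, learnt + blackholed)
    return {
        "fib": fib,
        "redistributed": [r.prefix for r in blackholed],
        "to_victim": forward(fib, "198.51.100.7", "10.10.10.10"),
        "to_victim_neighbour": forward(fib, "198.51.100.7", "10.10.10.20"),
        "from_victim": forward(fib, "10.10.10.10", "198.51.100.7"),
        "qppb_community": forward(fib, "203.0.113.5", "198.51.100.9"),
    }
```

Note that only the /32 is blackholed while 10.10.10.20 in the same /24 keeps flowing, and that without loose uRPF the packets sourced from 10.10.10.10 would still be forwarded.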

VRF
VRF Basic Configuration

IOS

ip vrf VPN-A
 rd 100:1
 route-target export 100:1
 route-target import 100:1
!
vrf definition VPN-B
 rd 100:2
 address-family ipv4
  route-target export 100:2
  route-target import 100:2
 exit-address-family
 address-family ipv6
  route-target export 100:2
  route-target import 100:2
 exit-address-family

IOS-XR

vrf VPN-C
 address-family ipv4 unicast
  import route-target
   100:3
  !
  export route-target
   100:3
  !
 address-family ipv6 unicast
  import route-target
   100:3
  !
  export route-target
   100:3
!
router bgp 100
 vrf VPN-C
  rd 100:3

You can have different import/export RTs per address family. If you have common ones, then you can define them directly under the vrf definition.

Prefer to use the "vrf definition" command to configure VRFs. Always include an address-family, most probably the ipv4 one.

IOS-XR requires the VRF RD config under the BGP process. You can use the "rd auto" command in IOS-XR in order to automatically create unique RDs per VRF.

IOS-XR

router bgp 100
 vrf VPN
  rd auto

If you don't define any export RTs for a VRF on the local PE, then the prefixes will by
default get dropped when they are transferred to the remote PE.

You can view all routing tables (global and VRF ones) by using the command "sh ip route vrf *".

On a router that acts as a default gateway, the following can be configured if the next-hop is in the global routing table and you want to have the static route inside the VRF but pointing to the global routing table.

IOS

ip route vrf VPN 0.0.0.0 0.0.0.0 1.1.1.1 global


You can change the default label allocation (if you want to decrease label usage) for all VRFs or a specific VRF using the following command:

IOS

R1(config)#mpls label mode vrf VPN protocol bgp-vpnv4 ?
  per-prefix     Per prefix label (default)
  per-vrf        Per VRF label for entire VRF
  vrf-conn-aggr  Per VRF label for connected and BGP aggregates in VRF

Export RT per Prefix

You can use an export map in order to set different export RTs per prefix.

IOS

vrf definition VPN-A
 rd 100:1
 !
 address-family ipv4
  export map R1-MAP
 exit-address-family
!
route-map R1-MAP permit 10
 match ip address R1-ACL
 set extcommunity rt 2.2.2.2:11 2.2.2.2:111
!
ip access-list standard R1-ACL
 permit 1.1.1.1


!

IOS-XR

vrf VPN-A
 address-family ipv4 unicast
  export route-policy R1-RPOLICY
!
route-policy R1-RPOLICY
  if destination in (1.1.1.1/32) then
    set extcommunity rt (2.2.2.2:11, 2.2.2.2:111)
  endif
end-policy

In the IOS-XR route-policy you must use "destination" in order to match the required prefix. Also you can use parentheses whenever you need to group parameters, like the multiple RTs.

If you initially have no export RTs and later decide to add some through an export map, then
you must reset the VPNv4 BGP sessions in order to have the BGP routes get the new RTs
immediately.
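As an added example (not from the original notes), the following Python models the export side of a PE for the last two subsections: the RD is prepended to each VRF prefix, export RTs come either from the VRF's "route-target export" list or from an export map evaluated per prefix (here the R1-MAP logic: only 1.1.1.1/32 gets RTs), and the VPN label is chosen according to the "mpls label mode" setting. A route the export map does not match keeps the VRF's own export RTs, which in this VRF is none, so a remote PE's import filter drops it. The prefixes and their kinds (connected, aggregate, BGP-learnt) are constructed.

```python
"""PE export side of a VRF: RD, export RTs (from the VRF or an export map per prefix)
and the VPN label per 'mpls label mode'. Added example with constructed prefixes."""
from itertools import count

LABEL_MODES = ("per-prefix", "per-vrf", "vrf-conn-aggr")


class Vrf:
    def __init__(self, name, rd, export_rts=(), export_map=None, label_mode="per-prefix"):
        if label_mode not in LABEL_MODES:
            raise ValueError(label_mode)
        self.name, self.rd = name, rd
        self.export_rts = frozenset(export_rts)      # 'route-target export ...'
        self.export_map = export_map                 # 'export map': prefix -> set of RTs, or None
        self.label_mode = label_mode


def r1_map(prefix):
    """route-map R1-MAP from the page: 1.1.1.1/32 gets two RTs; no other clause matches."""
    return {"2.2.2.2:11", "2.2.2.2:111"} if prefix == "1.1.1.1/32" else None


def export_routes(vrf, routes, first_label=16):
    """routes: (prefix, kind) with kind 'connected', 'aggregate' or 'bgp'.
    Returns VPNv4 NLRIs with their RTs and labels. A prefix not matched by the export
    map keeps the VRF's route-target export set, which here is empty: such a route
    carries no RT and is dropped by every remote PE's import filter."""
    labels = count(first_label)
    vrf_label = None
    exported = []
    for prefix, kind in routes:
        mapped = vrf.export_map(prefix) if vrf.export_map else None
        rts = frozenset(mapped) if mapped is not None else vrf.export_rts
        aggregate_label = vrf.label_mode == "per-vrf" or (
            vrf.label_mode == "vrf-conn-aggr" and kind in ("connected", "aggregate"))
        if aggregate_label:
            if vrf_label is None:
                vrf_label = next(labels)     # one label for the whole VRF (IP lookup at the egress PE)
            label = vrf_label
        else:
            label = next(labels)             # a fresh label per prefix (direct forwarding at egress)
        exported.append({"nlri": f"{vrf.rd}:{prefix}", "rts": rts, "label": label, "kind": kind})
    return exported


def labels_used(exported):
    return len({e["label"] for e in exported})


def importable_by(exported, import_rts):
    """What a remote PE with these import RTs would keep (RT sets must intersect)."""
    import_rts = frozenset(import_rts)
    return [e["nlri"] for e in exported if e["rts"] & import_rts]


ROUTES = [("1.1.1.1/32", "bgp"), ("10.1.2.0/24", "connected"),
          ("10.1.0.0/16", "aggregate"), ("10.1.3.0/24", "bgp")]


def demo(label_mode="per-prefix"):
    vpn_a = Vrf("VPN-A", "100:1", export_map=r1_map, label_mode=label_mode)
    return export_routes(vpn_a, ROUTES)


if __name__ == "__main__":
    for mode in LABEL_MODES:
        print(mode, "labels used:", labels_used(demo(mode)))
    print("remote PE importing 2.2.2.2:11 keeps:", importable_by(demo(), ["2.2.2.2:11"]))
```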

Import global routes into VRF

You have the option of importing various global routes into a specific VRF, while at the same
time limiting the number of them.
IOS

vrf definition VPN_A
 rd 100:1
 route-target export 100:1
 route-target import 100:1
 !
 address-family ipv4
  import ipv4 unicast 5 map GLOBAL-TABLE-ROUTEMAP
 exit-address-family
!
route-map GLOBAL-TABLE-ROUTEMAP permit 10
 match ip address prefix-list PREFIX-LIST
!
ip prefix-list PREFIX-LIST seq 5 permit 4.4.4.4/32

IOS

R2#sh bgp vpnv4 unicast all
BGP table version is 8, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 100:1 (default for vrf VPN_A)
Import Map: GLOBAL-TABLE-ROUTEMAP, Address-Family: IPv4 Unicast, Pfx Count/Limit: 1/5
*> 1.1.1.1/32       10.1.2.1                 0         32768 i
*> 4.4.4.4/32       20.2.4.4                10         32768 i
*> 10.1.2.0/24      0.0.0.0                  0         32768 i
*>i10.19.20.0/24    19.19.19.19              0    100      0 i
*>i20.20.20.20/32   19.19.19.19              0    100      0 i

R2#sh bgp vpnv4 unicast all 4.4.4.4/32
BGP routing table entry for 100:1:4.4.4.4/32, version 8
Paths: (1 available, best #1, table VPN_A)
  Not advertised to any peer
  Local, imported path from 4.4.4.4/32
    20.2.4.4 from 0.0.0.0 (2.2.2.2)
      Origin IGP, metric 10, localpref 100, weight 32768, valid, external, no-import, best

The global route to be imported must exist in the global BGP table (existence in the RIB doesn't matter).

No RTs or other attributes will be assigned to the imported prefixes. Use the route-map set commands to configure those.

In the latest IOS releases (>15.x) you have the option of doing the opposite too, exporting prefixes from a VRF into the global BGP table.

The commands "import/export map" (which are different from the above) are used to filter the VRF <=> MP-BGP prefixes, while the commands "import/export ipv4 unicast" are used to leak routes between the VRF and the global BGP table.

Inbound VPN Prefix Filtering due to RTs


In VPNv4/v6 BGP setups, all BGP VPN prefixes are checked against the local RT import policies and if there is no match found, then the prefix is discarded (in order to keep the BGP table small). Route-Reflectors have this filter disabled by default, because they need all the prefixes to accommodate all possible PEs. In order to disable it manually on other routers, you can use the following commands.

IOS

router bgp 100
 no bgp default route-target filter

IOS-XR

router bgp 100
 address-family vpnv4 unicast
  retain route-target all

IOS-XR supports also the selective filtering of RTs by using a policy that matches specific
RTs.

IOS-XR

router bgp 100
 address-family vpnv4 unicast
  retain route-target route-policy RT-POLICY
!
route-policy RT-POLICY
  if extcommunity rt matches-any (100:1, 100:2) then
    pass
  else
    drop
  endif
end-policy
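Both the RT Constrain section above and the inbound RT filtering just described come down to one test: does a VPN route's RT set intersect what the receiving router wants? As an added example (not from the original notes), the following Python encodes the RTC NLRI a PE sends its RR (RFC 4684: AFI 1 / SAFI 132, a prefix-length byte, the 4-byte origin AS and the 8-byte RT extended community, so a full RT is a 96-bit prefix), builds the RR's outbound filter from it, and applies the PE-side default filter as well as the "retain route-target all" and "retain route-target route-policy" variants. AS 100, the RTs and the VPN prefixes are constructed.

```python
"""RFC 4684 RT Constrain NLRI and the inbound RT filter, modelled end to end.
Added example; AS numbers, RTs and prefixes are constructed."""
import struct

RTC_AFI, RTC_SAFI = 1, 132          # 'address-family rtfilter unicast' / 'address-family ipv4 rt-filter'
RT_TYPE, RT_SUBTYPE = 0x00, 0x02    # transitive two-octet-AS-specific, sub-type Route Target


def encode_rt(rt: str) -> bytes:
    """'100:1' -> 8-byte Route Target extended community (two-octet AS form)."""
    asn, local = (int(x) for x in rt.split(":"))
    return struct.pack("!BBHI", RT_TYPE, RT_SUBTYPE, asn, local)


def decode_rt(ec: bytes) -> str:
    typ, sub, asn, local = struct.unpack("!BBHI", ec)
    if (typ, sub) != (RT_TYPE, RT_SUBTYPE):
        raise ValueError("not a two-octet-AS route target")
    return f"{asn}:{local}"


def encode_rtc_nlri(origin_as: int, rt: str) -> bytes:
    """Full-length RTC NLRI: prefix length 96, then origin AS (4 bytes) and the RT (8 bytes)."""
    return bytes([96]) + struct.pack("!I", origin_as) + encode_rt(rt)


def decode_rtc_nlri(nlri: bytes):
    """Return (origin_as, rt). RFC 4684 also allows shorter prefixes (length 0 is the
    default route that matches every RT); only full entries are handled here."""
    if nlri[0] != 96:
        raise ValueError(f"unsupported RTC prefix length {nlri[0]}")
    return struct.unpack("!I", nlri[1:5])[0], decode_rt(nlri[5:13])


class RouteReflector:
    """Keeps every VPN route (an RR has the RT filter disabled by default) and, once a
    PE has sent RTC NLRIs, reflects only the routes carrying one of the RTs it asked for."""

    def __init__(self):
        self.vpn_routes = []   # (nlri, frozenset of RTs)
        self.wanted = {}       # pe -> set of RTs learnt through RTC

    def receive_vpn_route(self, nlri, rts):
        self.vpn_routes.append((nlri, frozenset(rts)))

    def receive_rtc(self, pe, nlris):
        self.wanted[pe] = {decode_rtc_nlri(n)[1] for n in nlris}

    def routes_sent_to(self, pe):
        wanted = self.wanted.get(pe)
        return [(nlri, rts) for nlri, rts in self.vpn_routes
                if wanted is None or rts & wanted]         # no RTC from this PE: send all


class PE:
    """retain_all mirrors 'no bgp default route-target filter' / 'retain route-target all';
    retain_rts mirrors the IOS-XR 'retain route-target route-policy' (RT-POLICY above)."""

    def __init__(self, asn, import_rts, retain_all=False, retain_rts=()):
        self.asn = asn
        self.import_rts = frozenset(import_rts)
        self.retain_all = retain_all
        self.retain_rts = frozenset(retain_rts)

    def rtc_nlris(self):
        return [encode_rtc_nlri(self.asn, rt) for rt in sorted(self.import_rts)]

    def accepted(self, routes):
        """Inbound RT filter: keep a route only if some RT is imported (or retained)."""
        keep = self.import_rts | self.retain_rts
        return [nlri for nlri, rts in routes if self.retain_all or rts & keep]


def demo():
    rr = RouteReflector()
    rr.receive_vpn_route("100:1:10.1.1.0/24", ["100:1"])
    rr.receive_vpn_route("100:2:10.2.2.0/24", ["100:2"])
    rr.receive_vpn_route("100:3:10.3.3.0/24", ["100:3"])
    rr.receive_vpn_route("100:9:10.9.9.0/24", [])            # exported without any RT
    pe1 = PE(100, ["100:1"])
    flooded = rr.routes_sent_to("pe1")                        # before RTC: the RR sends everything
    kept_without_rtc = pe1.accepted(flooded)                  # and pe1 throws most of it away
    rr.receive_rtc("pe1", pe1.rtc_nlris())
    constrained = rr.routes_sent_to("pe1")                    # after RTC: only what pe1 asked for
    return {
        "flooded": [n for n, _ in flooded],
        "kept_without_rtc": kept_without_rtc,
        "constrained": [n for n, _ in constrained],
        "xr_retain_policy": PE(100, [], retain_rts=["100:1", "100:2"]).accepted(flooded),
        "retain_all": PE(100, [], retain_all=True).accepted(flooded),
    }
```

The route exported without any RT is the case warned about in the VRF section: the RR still carries it, but no PE ever accepts it, with or without RTC.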

Multi-VRF (VRF-Lite)

It allows a logical separation of a CE router into multiple VRFs, without the need for
MPLS/MP-BGP. Using MPLS Multi-VRF you can extend the LSPs to the CE and all routing
domains that the CE supports.

Usually, a router with Multi-VRF is shared by several customers and each customer has their
own routing table.

Characteristics

 one or more VRFs configured and assigned to interfaces
 no MPLS configured
 no BGP VPNv4 configured
 no RTs under "vrf definition" required on IOS
 no RDs under "bgp vrf" required on IOS-XR

Configuration Steps

 Configure VRFs on the PE and the CE
 Configure the routing protocol for each VRF on the CE towards each customer
 Configure BGP or IGP as PE-CE protocol for each VRF
 Configure labeling either with BGP+Label or IGP+LDP (if required)

Special care must be taken when using OSPF as the PE-CE protocol: the PE sets the DN bit by default on the routes it advertises towards the CE, and a Multi-VRF CE (which also runs OSPF inside a VRF) will not install routes carrying the DN bit in its VRF routing table. On IOS, "capability vrf-lite" under the CE's OSPF process makes it ignore the DN bit.

Always prefer to use BGP as PE-CE, due to its simpler configuration and better filtering.

Traffic classification into a VRF

 One VRF per interface
   o Classic method (IOS, IOS-XR)
 Multiple VRFs per interface
   o Multi-VRF Selection Using Policy-Based Routing (IOS): match an ip access-list
   o VRF Selection Based on Source IP Address (IOS): match the source ip address
   o VRF-Autoclassify (IOS): match the directly connected prefix
   o ACL Based Forwarding with VRF Next-Hop (IOS-XR): match an ip access-list

Classic Method

IOS

interface X
 ip vrf forwarding VPN-A
!
interface X
 vrf forwarding VPN-B

IOS-XR

interface X
 vrf VPN-C

Multi-VRF Selection Using Policy-Based Routing


It allows a specific interface on a PE router to route packets to different VPNs based on various match criteria defined in an ip access-list or on packet length.


IOS

interface X
 ip vrf receive VPN-A
 ip vrf receive VPN-B
 ip vrf receive VPN-C
 ip address 1.1.1.1 255.255.255.0
 ip policy route-map VRF-SELECTION-PBR
!
ip access-list standard VPN-A-ACL
 permit 1.1.2.2
ip access-list standard VPN-B-ACL
 permit 1.1.3.3
ip access-list standard VPN-C-ACL
 permit 1.1.4.4
!
route-map VRF-SELECTION-PBR permit 10
 match ip address VPN-A-ACL
 set vrf VPN-A
!
route-map VRF-SELECTION-PBR permit 20
 match ip address VPN-B-ACL
 set vrf VPN-B
!
route-map VRF-SELECTION-PBR permit 30
 match ip address VPN-C-ACL
 set vrf VPN-C

Limitations
multicast is not usually supported by PBR

VRF Selection Based on Source IP Address


It allows a specific interface on a PE router to route packets to different VPNs based upon the source IP address of the packets. It's supported only on very specific hardware.

IOS
vrf selection source 1.1.1.0 255.255.255.0 vrf VPN-A
vrf selection source 2.2.2.0 255.255.255.0 vrf VPN-B
!
int X