CCNP Enterprise Routing 2022

Here are the key characteristics of static routing:
- Manually configured by the network administrator and does not change unless reconfigured.
- No routing updates are sent or received to share routing information with other routers.
- Suitable for small networks with a limited number of static routes and predictable traffic flows.
- No overhead of routing updates, but not scalable for large dynamic networks.
- Prone to errors if routes are not updated when the network topology changes.
In summary, static routing is a simple protocol where routes are manually configured without any routing updates. It is suitable for small networks with limited and predictable routes but not scalable for large dynamic networks.


CCNP Enterprise
Advanced Routing
Services

Arranged by: Eng. AHMED NABIL


Ahmed Nabil
Course contents

1- Routing principles
2- OSPF in single area
3- OSPF in multiple areas
4- Manipulating multiple routing protocols (Redistribution)
5- Routing update filters and route maps
6- Policy Based Routing (PBR)
7- Border Gateway Protocol (BGP)
8- EIGRP
9- MPLS & MPLS VPN
10- VPN Technologies
11- Network Services

New Cisco Certifications model

Networks overview

TCP/IP Model:
Application Layer protocols:
HTTP, FTP, SMTP, POP3, Telnet, SSH, SNMP, DHCP,
RIPv1, RIPv2, RIPng, BGP
(Notice that some routing protocols sit in the application layer, such as
RIP & BGP. BGP needs the services of TCP, which is why it is in that
layer, while RIP was placed there by an old tradition among the
programmers: any non-primary protocol is an application. Primary
protocols are IP, TCP, UDP, ...)

Note: any protocol in the application layer is called an application
and has a port number (HTTP = 80, RIP = 520, BGP = 179), while
protocols in other layers are just protocols and have a protocol number
(ICMP is protocol no. 1, IPv4 is protocol no. 4, TCP no. 6, UDP no.
17, EIGRP is 88, OSPF is 89).

Transport Layer protocols:
TCP, UDP

Internet/Network Layer protocols:
ICMP, OSPF, EIGRP, IPv4, IPv6

Network access Layer protocols:
Ethernet, dot1q, STP, ARP, Frame Relay, ATM, HDLC, PPP,
PPPoA, PPPoE, ...

•Routing protocol:
-It is a set of rules that define how routing works.
-It is the exchange of information between routers so that
every router has an overview of the existence or
disappearance of networks.
-Its final target is to build a routing table for routers.

Ex: RIPv1, RIPv2, IGRP, EIGRP, IS-IS, OSPF, BGP

•Routed protocol:
- It is responsible for sending users' data traffic from end
to end by supporting:
1- Logical addressing.
2- Encapsulating data from end to end
(end to end delivery)

Ex: IPv4, IPv6, MPLS.

As MPLS can act as a switched and a routed protocol, it is
considered a Layer 2.5 protocol. That consideration is also due
to the MPLS label being imposed between the Layer 3 header (packet)
and the Layer 2 header (frame). In the near future the MPLS
header is predicted to substitute the Layer 2 and Layer 3 headers,
with the MPLS address (label) substituting the MAC
& IP addresses.
• Router process:

1- Incoming frame to the interface.

2- If the frame has the same L2 address as the receiving
interface, the frame will be accepted; otherwise it will be
dropped.

3- The router will remove the frame header and trailer (switching
function).

4- The router will deliver the packet to the routing process to find
the best path for the packet to reach the destination by
checking the routing table.

5- The routing process will find the best path and deliver the
packet to the switching function again.

6- The switching process will create a new frame header and trailer (will
make the encapsulation) for the packet based on the output
interface's defined encapsulation (whether it is Ethernet or
Frame Relay or ATM or PPP, ...).

Principles of Routing Protocols
• Routing procedure:
1- Does the protocol stack exist?
That point depends on the IOS feature set (whether the desktop, enterprise
or service provider set is used):
- Does the routed protocol S/W exist on the IOS or not?
(i.e. does IPX exist (if you need to route IPX packets), IPv6, ...)
- Does the routing protocol S/W exist on the IOS or not?
(i.e. does IS-IS exist, does BGP exist, ...)

2- Activate the routing features by using
(config)# ip routing
That command is enabled by default to activate routing for the IP routed
protocol.
For IPv6:
(config)# ipv6 unicast-routing

3- Activate the routing protocol on a router interface
(config)# router <protocol>
(config-router)# network <directly connected network id>

4- This will enable sending and receiving routing information (updates) on
the activated interfaces.

5- The forwarding decisions (information in the routing table) are built from
the exchange of the updates.
6- Routing table contents:
6.1 The type of routing protocol that created the routing entry
6.2 Destination network prefix and prefix length
6.3 Next hop IP
6.4 Output interface
6.5 Administrative distance and metric of the routing
entry, where the routing table keeps the path with the least admin.
distance and least metric.
6.6 Timer, which indicates how much time has elapsed since the
last update of a specific entry

Gateway of last resort is not set
10.0.0.0/8 is subnetted, 2 subnets
R 10.1.1.0/24 [120/1] via 10.1.2.2, 00:00:05, Ethernet0
R 10.1.3.0/24 [120/2] via 10.1.2.2, 00:00:05, Ethernet0
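As an added example (not part of the original course material), the following Python model ties the router process and the routing table contents together: a frame on a LAN interface is accepted only when addressed to that interface, the destination IP is looked up by longest prefix match, and when two sources offer the same prefix the entry with the lower administrative distance (then metric) is the one that stays in the table. The interface names, MAC addresses, prefixes and next hops are constructed sample values, not taken from the slides.

```python
import ipaddress
from dataclasses import dataclass

# Constructed router interfaces (names, MACs and encapsulations are sample values).
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
INTERFACES = {
    "Ethernet0": {"mac": "00:11:22:33:44:01", "encap": "Ethernet"},
    "Serial0": {"mac": None, "encap": "HDLC"},   # point-to-point link: no MAC check
}

@dataclass(frozen=True)
class Route:
    protocol: str        # routing table code: C connected, S static, R RIP, O OSPF
    prefix: str          # destination network prefix and prefix length
    next_hop: str        # next-hop IP ("" when directly connected)
    interface: str       # output interface
    admin_distance: int
    metric: int

def build_routing_table(candidates):
    """Keep, per prefix, the route with the lowest (admin distance, metric)."""
    best = {}
    for r in candidates:
        net = ipaddress.ip_network(r.prefix)
        cur = best.get(net)
        if cur is None or (r.admin_distance, r.metric) < (cur.admin_distance, cur.metric):
            best[net] = r
    return best

def lookup(table, dst_ip):
    """Longest prefix match: the most specific prefix containing dst_ip wins."""
    addr = ipaddress.ip_address(dst_ip)
    matches = [net for net in table if addr in net]
    if not matches:
        return None
    return table[max(matches, key=lambda n: n.prefixlen)]

def format_table(table):
    """Render entries the way 'show ip route' does: code prefix [AD/metric] via next hop, interface."""
    lines = []
    for net in sorted(table, key=lambda n: (int(n.network_address), n.prefixlen)):
        r = table[net]
        via = f"via {r.next_hop}, " if r.next_hop else "is directly connected, "
        lines.append(f"{r.protocol} {net} [{r.admin_distance}/{r.metric}] {via}{r.interface}")
    return lines

def route_frame(table, in_iface, dst_mac, dst_ip):
    """Steps 1-6 of the router process for one incoming frame."""
    own_mac = INTERFACES[in_iface]["mac"]
    # step 2: on a LAN interface accept only frames sent to us (or to broadcast)
    if own_mac is not None and dst_mac.lower() not in (own_mac, BROADCAST_MAC):
        return "dropped: frame not addressed to this interface"
    # step 3: L2 header/trailer removed; steps 4-5: the routing process consults the table
    route = lookup(table, dst_ip)
    if route is None:
        return "dropped: no route and no gateway of last resort"
    # step 6: the switching process re-encapsulates for the output interface
    encap = INTERFACES[route.interface]["encap"]
    return f"forward out {route.interface} ({encap}) to {route.next_hop or dst_ip}"

# Constructed candidate routes: the same prefix offered by RIP and OSPF,
# plus a more specific static route that wins by longest match.
CANDIDATES = [
    Route("C", "10.1.2.0/24", "", "Ethernet0", 0, 0),
    Route("R", "10.1.1.0/24", "10.1.2.2", "Ethernet0", 120, 1),
    Route("R", "10.1.3.0/24", "10.1.2.2", "Ethernet0", 120, 2),
    Route("O", "10.1.3.0/24", "10.1.2.3", "Ethernet0", 110, 20),
    Route("S", "10.1.3.128/25", "192.0.2.1", "Serial0", 1, 0),
]

if __name__ == "__main__":
    table = build_routing_table(CANDIDATES)
    print("\n".join(format_table(table)))
    print(route_frame(table, "Ethernet0", "00:11:22:33:44:01", "10.1.3.200"))
```

Note that OSPF's 10.1.3.0/24 displaces RIP's entry for the same prefix purely on administrative distance (110 against 120), while the /25 static route is chosen for 10.1.3.200 on prefix length alone; the two decisions happen at different stages, table building and lookup.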
Routing generations:

In general, Cisco routers support the following three primary modes of packet
switching:
- Process switching (normal routing)
- Fast switching
- Cisco Express Forwarding (CEF)

The following subsections discuss each of these approaches.

1st generation (process switching):
Always route (use the normal S/W sequential search of the routing table for every packet).

Use
#show ip route
to display the routing table.

2nd Generation (Fast Switching):
Route once, switch many.
Fast switching uses a fast cache maintained in a router's data plane. The fast
cache contains information about how traffic from different data flows should be
forwarded.
The first packet in a data flow is process switched by a router's CPU. After the
router determines how to forward the first frame of a data flow, the forwarding
information is stored in the fast cache.
Subsequent packets in that same data flow are forwarded based on information in
the fast cache, as opposed to being process switched. As a result, fast switching
dramatically reduces a router's CPU utilization, as compared to process
switching.
Fast switching can be configured in interface configuration mode with the
command ip route-cache.
#show ip cache
to display the cache table.

3rd generation (CEF - Cisco Express Forwarding):
Always switch.
Cisco Express Forwarding (CEF) maintains two tables in the data plane.
Specifically, the Forwarding Information Base (FIB) maintains Layer 3
forwarding information, whereas the adjacency table maintains Layer 2
information for the next hops listed in the FIB.
Using these tables, populated from a router's IP routing table and ARP cache,
CEF can efficiently make forwarding decisions. Unlike fast switching, CEF does
not require the first packet of a data flow to be process switched. Rather, an entire
data flow can be forwarded at the data plane.
The FIB is used as the L3 forwarding table; the match condition is longest prefix
match, not exact match.
• The search key is the destination IP and the result is the next-hop L3 address.
• The L3 engine (Route Processor) maintains routing information & builds the
routing table, then the FIB in H/W is derived from the routing table & any change in
the routing table updates the FIB table; this is done using CEF.

To troubleshoot high memory usage:
#show memory allocating-process table
#show memory summary

CEF (Cisco Express Forwarding)

To enable CEF, use one of the following commands depending on the router platform,
in global configuration mode or interface mode:
(config) or (config-if)# ip cef
(config) or (config-if)# ip route-cache cef
R1# show ip cef
Prefix Next Hop Interface
0.0.0.0/0 no route
0.0.0.0/8 drop
0.0.0.0/32 receive
1.1.1.1/32 receive Loopback0
2.2.2.2/32 10.1.1.2 Serial1/0
10.1.1.0/30 attached Serial1/0
10.1.1.0/32 receive Serial1/0
10.1.1.1/32 receive Serial1/0
10.1.1.3/32 receive Serial1/0
127.0.0.0/8 drop
172.16.1.0/24 attached FastEthernet0/0
172.16.1.0/32 receive FastEthernet0/0
172.16.1.1/32 receive FastEthernet0/0
172.16.1.255/32 receive FastEthernet0/0
192.168.1.0/24 10.1.1.2 Serial1/0
224.0.0.0/4 drop
224.0.0.0/24 receive
240.0.0.0/4 drop
255.255.255.255/32 receive

R1# show adjacency
...displays the H/W ARP cache (adjacency table)
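As an added illustration (not code from the course), the following Python simulation contrasts the three switching generations described above by counting how many packets of a sample stream need the slow, CPU-driven routing table search: process switching pays it for every packet, fast switching only for the first packet to each destination (the cache here is keyed by destination IP, an assumption standing in for the "data flow" of the text), and CEF for none, because the FIB and adjacency table are derived from the routing table and ARP cache before any packet arrives. The routing table, ARP cache and traffic sample are constructed values.

```python
import ipaddress

# Constructed routing table (prefix -> next hop, output interface) and ARP
# cache; the addresses are sample values for this example.
ROUTING_TABLE = {
    "10.1.1.0/24": ("10.1.2.2", "Ethernet0"),
    "10.1.3.0/24": ("10.1.2.2", "Ethernet0"),
    "192.168.1.0/24": ("10.1.1.2", "Serial1/0"),
    "0.0.0.0/0": ("10.1.1.2", "Serial1/0"),      # gateway of last resort
}
ARP_CACHE = {"10.1.2.2": "00:00:0c:00:00:22", "10.1.1.2": "00:00:0c:00:00:12"}

def process_switch(dst_ip):
    """Slow path: sequential longest-prefix search of the routing table,
    then an ARP lookup for the next hop's MAC."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, (nh, iface) in ROUTING_TABLE.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, iface)
    if best is None:
        return None
    _, nh, iface = best
    return (iface, ARP_CACHE[nh])

class Router:
    def __init__(self, mode):
        self.mode = mode                 # "process", "fast" or "cef"
        self.fast_cache = {}             # destination -> (interface, MAC)
        self.cpu_lookups = 0             # how often the slow path ran
        if mode == "cef":
            # FIB and adjacency table are built up front from the routing
            # table and ARP cache, so no packet ever hits the slow path.
            self.fib = {ipaddress.ip_network(p): v for p, v in ROUTING_TABLE.items()}
            self.adjacency = dict(ARP_CACHE)

    def forward(self, dst_ip):
        if self.mode == "process":
            self.cpu_lookups += 1
            return process_switch(dst_ip)
        if self.mode == "fast":
            hit = self.fast_cache.get(dst_ip)
            if hit is None:              # route once ...
                self.cpu_lookups += 1
                hit = process_switch(dst_ip)
                self.fast_cache[dst_ip] = hit
            return hit                   # ... switch many
        # CEF: longest match in the FIB, then the adjacency for the next hop
        addr = ipaddress.ip_address(dst_ip)
        net = max((n for n in self.fib if addr in n), key=lambda n: n.prefixlen)
        nh, iface = self.fib[net]
        return (iface, self.adjacency[nh])

def simulate(mode, destinations):
    """Forward every packet and return the number of slow-path lookups."""
    r = Router(mode)
    for d in destinations:
        r.forward(d)
    return r.cpu_lookups

# Constructed traffic sample: three destinations, 100 packets in total.
SAMPLE_FLOW = ["10.1.1.5"] * 50 + ["10.1.3.7"] * 30 + ["8.8.8.8"] * 20

if __name__ == "__main__":
    for mode in ("process", "fast", "cef"):
        print(f"{mode:8s} slow-path lookups: {simulate(mode, SAMPLE_FLOW)}")
```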
Routing protocols classifications

- Static RP
- Dynamic RP, classified as:
  - IGP / EGP
  - Distance vector / Link state / Advanced distance vector
  - Classfull / Classless
Static Routing

• Characteristics:
1- If only one path to the destination is available, you can use
static routing.
2- No routing traffic overhead.
3- Could be used on slow WAN links.
4- High administration overhead.

Static Route: Used to define the path to stub networks

(config)# ip route <dst. net.> <mask> {o/p interface | ip
address of next hop} [distance]

Ex: you can configure Router A as in the figure or as below

RouterA# config t
RouterA(config)# ip route 10.2.0.0 255.255.0.0 10.1.1.1

RouterA# show ip route
<output omitted>
S 10.2.0.0/16 [1/0] via 10.1.1.1
Floating Static:
(config)# ip route <dst. net.> <mask> {o/p interface | ip
address of next hop} [Admin. Dist.]

- A floating static route is configured by changing the admin. dist. of the
static route so that it is less preferred than the dynamic routing
protocol; the static route is then a backup for the
dynamic protocol, with immediate convergence.
Default Static Route:
Used to define the path to the internetwork's default gateway of
last resort
(config)# ip route 0.0.0.0 0.0.0.0 {o/p interface
| ip address of next hop}

Default Network:
Default gateway of last resort

(config)# ip default-network <default network>

This command is used with EIGRP to advertise default
routes.
The path of the specified network (discovered by any other
routing method) will be the same path that is chosen
as the default route, which means that the default route is
linked to the path of the specified network; if that path
changes, the default route will follow that change.

(config-router)# default-information originate

This command is used with OSPF, IS-IS and RIPv2 to advertise
default routes.
Dynamic RP
Characteristics:
1- Used if multiple paths exist to the network and an
automatic way of detecting the best path, or of transitioning to
another path in case the primary fails, is needed.
2- Part of the bandwidth is used for sending routing
updates that help discover the best routes.
3- It has no administrative overhead.

IGP / EGP
1- IGP (Interior Gateway Protocol)
• Protocol that works within a single AS.
• An AS (Autonomous System) is the domain under a single
technical administration, or in other words the domain that works under a
single routing policy.
Ex: RIP, OSPF, IS-IS, IGRP, EIGRP.
2- EGP (Exterior Gateway Protocol)
• Protocol that works between different ASs.
Ex: EGP, BGP.
Distance Vector / Link State / Hybrid
Distance Vector:
Ex: RIP and IGRP
At start up:
1- Each router collects its directly connected networks.
2- Each router adds these networks to its routing table.
3- Each router sends its full routing table out of all its active
interfaces to the broadcast address 255.255.255.255 every
certain period (30 sec for RIP, 90 sec for IGRP).
4- Routers receiving updates use the Bellman-Ford algorithm to
calculate table updates.
After convergence:
- Only periodic updates are sent every period to indicate any
changes.
At change:
- A triggered update with the full routing table is sent.

- Advantages:
1- Simple implementation and configuration
2- Needs low memory (only the routing table)
3- Needs low CPU (uses the Bellman-Ford algorithm)

- Disadvantages:
1- Slow convergence
2- Classfull
3- High BW utilization during the convergence period
4- Susceptible to routing loops

Solutions for routing loops:
1- Triggered poisoned route with poison reverse (also solves the slow
convergence problem)
2- Split horizon (a route learned from an interface can never be
advertised back out the same interface)
3- Hold down timer (do not learn about a failed network until:
- It returns back
- It is learned with a better metric
- The hold down time expires (180 sec for RIP, 280 for IGRP))
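As an added example that is not part of the course material, the following Python simulation runs the distance vector procedure above (collect connected networks, exchange full tables, relax with Bellman-Ford) on a three-router chain and then fails one network, with and without split horizon. It goes slightly beyond the slides in that it shows the routing loop the text warns about: without split horizon the metric at the far router counts up towards the RIP infinity of 16 a hop at a time, while with split horizon the route is poisoned in two update rounds. The topology, network prefixes and round count are constructed assumptions.

```python
INF = 16   # RIP "infinity": a metric of 16 hops means unreachable

# Constructed topology {router: {neighbour: link cost}} and the one network
# each router is directly connected to (assumptions for this example).
TOPOLOGY = {
    "A": {"B": 1},
    "B": {"A": 1, "C": 1},
    "C": {"B": 1},
}
OWN_NETWORKS = {"A": "10.1.0.0/16", "B": "10.2.0.0/16", "C": "10.3.0.0/16"}

def initial_tables(topology):
    """Steps 1-2: each router starts with only its directly connected network.
    A table maps prefix -> (metric, next hop); next hop None = connected."""
    return {r: {OWN_NETWORKS[r]: (0, None)} for r in topology}

def build_update(table, to_neighbor, split_horizon):
    """Step 3: the vector (prefix -> metric) one router advertises to one neighbour."""
    update = {}
    for prefix, (metric, nh) in table.items():
        if split_horizon and nh == to_neighbor:
            continue            # never advertise a route back to where it was learned
        update[prefix] = metric
    return update

def apply_update(table, from_neighbor, link_cost, update):
    """Step 4: Bellman-Ford relaxation of one received vector."""
    changed = False
    for prefix, adv_metric in update.items():
        new_metric = min(adv_metric + link_cost, INF)
        cur_metric, cur_nh = table.get(prefix, (INF, None))
        # accept a better route, or any change reported by the current next hop
        if new_metric < cur_metric or (cur_nh == from_neighbor and new_metric != cur_metric):
            table[prefix] = (new_metric, from_neighbor)
            changed = True
    return changed

def run_rounds(topology, tables, rounds, split_horizon):
    """Exchange vectors for a number of periodic update rounds."""
    for _ in range(rounds):
        # updates are built from the state at the start of the round
        snapshot = {r: dict(t) for r, t in tables.items()}
        for r, nbrs in topology.items():
            for n, cost in nbrs.items():
                apply_update(tables[r], n, cost, build_update(snapshot[n], r, split_horizon))
    return tables

def converge(split_horizon=True):
    """Tables after start-up convergence (two rounds are enough for this chain)."""
    return run_rounds(TOPOLOGY, initial_tables(TOPOLOGY), 5, split_horizon)

def fail_network_c(tables, split_horizon, rounds):
    """C's own network goes down (poisoned locally); return A's metric for it
    after the given number of rounds."""
    tables["C"]["10.3.0.0/16"] = (INF, None)
    run_rounds(TOPOLOGY, tables, rounds, split_horizon)
    return tables["A"]["10.3.0.0/16"][0]

if __name__ == "__main__":
    for sh in (True, False):
        print("split horizon", sh, "metric at A after 3 rounds:",
              fail_network_c(converge(sh), sh, 3))
```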
Link State:
Ex: OSPF & IS-IS
At start up:
1- Each router tries to discover its neighbors (using the
Hello protocol).
2- Each router collects information about its interfaces
and sends it to its neighbors in a packet called an LSA.
3- Each router that receives the LSA takes a copy and
sends it as it is to its other neighbors.
4- Each router forms the LSDB from all LSAs.
5- Each router draws the LSDB tree.
6- Each router applies the SPF algorithm (Dijkstra
algorithm) to the LSDB tree to form the SPF tree (routing
table).

After convergence:
- Periodic updates after a long period
(LSA refreshment).
At change:
1- The router that detects the change sends a partial
triggered update.
2- Each router takes a copy of the update, then sends it to
its neighbors, then each router rebuilds the tree again.

Advantages:
1- Fast convergence
2- Classless
3- Low BW utilization during the convergence period (no
periodic updates)
4- No routing loops
5- Reliable protocol

Disadvantages:
1- Complex implementation and configuration
2- Needs high memory (routing table, neighbor table &
topology database)
3- Needs high CPU (uses the Dijkstra "SPF" algorithm)
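As an added example (not from the course), the following Python code performs step 6 of the link state start-up above: it runs Dijkstra's SPF algorithm over a small LSDB and turns the SPF tree into routing table entries. Link costs are derived the OSPF way, 10^8 divided by the interface bandwidth, so the example also shows why a T1 link is avoided in favour of two Fast Ethernet hops and why every link at 100 Mbps or faster collapses to cost 1 under the default reference bandwidth. The router names and bandwidths are constructed assumptions.

```python
import heapq

REFERENCE_BW_BPS = 100_000_000   # OSPF default reference bandwidth: 10^8 bps

def ospf_cost(bandwidth_kbps):
    """Interface cost = reference bandwidth / interface bandwidth (integer, minimum 1).
    Every link at 100 Mbps or above gets cost 1 unless the reference bandwidth
    is raised with auto-cost reference-bandwidth."""
    return max(1, REFERENCE_BW_BPS // (bandwidth_kbps * 1000))

# Constructed LSDB: each router's LSA lists its links as (neighbour, bandwidth in kbps).
LSDB = {
    "R1": [("R2", 1544), ("R3", 100000)],
    "R2": [("R1", 1544), ("R4", 100000)],
    "R3": [("R1", 100000), ("R4", 100000)],
    "R4": [("R2", 100000), ("R3", 100000)],
}

def spf(lsdb, root):
    """Dijkstra over the LSDB from 'root'; returns {router: (total cost, first hop)}."""
    dist = {root: 0}
    first_hop = {}
    heap = [(0, root, None)]
    done = set()
    while heap:
        cost, node, hop = heapq.heappop(heap)
        if node in done:
            continue                     # a stale, more expensive entry
        done.add(node)
        first_hop[node] = hop
        for nbr, bw in lsdb.get(node, []):
            new_cost = cost + ospf_cost(bw)
            if nbr not in done and new_cost < dist.get(nbr, float("inf")):
                dist[nbr] = new_cost
                # the first hop is inherited from the parent, or is the
                # neighbour itself when the parent is the root
                heapq.heappush(heap, (new_cost, nbr, nbr if node == root else hop))
    return {n: (dist[n], first_hop[n]) for n in done}

def routing_table(lsdb, root):
    """The 'O' entries the SPF tree yields, rendered like the routing table (AD 110)."""
    tree = spf(lsdb, root)
    return [f"O {n} [110/{c}] via {h}" for n, (c, h) in sorted(tree.items()) if n != root]

if __name__ == "__main__":
    print("\n".join(routing_table(LSDB, "R1")))
```

Only the first of several equal-cost paths is kept here; real OSPF installs up to the configured number of equal-cost paths, which the slides on OSPF characteristics cover.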

Hybrid / Advanced D.V.:
Ex: RIPv2, EIGRP

• EIGRP is considered hybrid or advanced D.V., while
RIPv2 is not considered hybrid, but it is advanced D.V.
• It groups some advantages from distance vector and
others from link state.
• Each router sends its full routing table to its
neighbors at start up.
• At change it sends a partial triggered update.
• Updates are sent to multicast / unicast addresses.
• Classfull RP C/C's:
A classfull RP does not send the subnet mask in its
updates.
1- Cannot support VLSM.
2- Discontiguous networks will cause routing problems.
3- Auto summarization is made at the discontiguous
network boundary and can never be stopped.
Ex: RIPv1 & IGRP

This is a discontiguous network problem

• Classless RP C/C's:
A classless RP sends the subnet mask in its updates.
1- Supports VLSM.
2- Supports discontiguous networks
(auto summarization can be stopped).
3- Supports manual summarization and CIDR.
Ex: RIPv2, EIGRP, OSPF, IS-IS & BGP

Auto summary must be disabled in such a case
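As an added example that is not part of the slides, the following Python code reproduces the discontiguous network problem: a classfull protocol that crosses a major network boundary can only announce the classful summary, so two routers holding different pieces of 172.16.0.0/16 both advertise the same /16 and the receiver cannot tell them apart, whereas a classless protocol with auto summary disabled sends the /24s unchanged. The subnets and the WAN prefix are constructed sample values.

```python
import ipaddress

def classful_network(prefix):
    """The class A/B/C major network that an update carrying no subnet mask implies."""
    net = ipaddress.ip_network(prefix)
    first_octet = int(net.network_address) >> 24
    if first_octet < 128:
        bits = 8          # class A
    elif first_octet < 192:
        bits = 16         # class B
    elif first_octet < 224:
        bits = 24         # class C
    else:
        raise ValueError("class D/E address has no classful network")
    return ipaddress.ip_network(f"{net.network_address}/{bits}", strict=False)

def classful_advertisement(local_subnets, out_interface_net):
    """What a classfull protocol (RIPv1/IGRP) sends out of one interface:
    subnets of the interface's own major network go as-is (the receiver
    assumes its own interface mask); any other major network is auto
    summarized at the classful boundary, and that cannot be turned off."""
    out_major = classful_network(out_interface_net)
    advertised = set()
    for s in local_subnets:
        if classful_network(s) == out_major:
            advertised.add(str(ipaddress.ip_network(s)))
        else:
            advertised.add(str(classful_network(s)))
    return advertised

def classless_advertisement(local_subnets):
    """With the mask carried in the update and auto summary disabled
    (RIPv2/EIGRP), subnets cross the major network boundary unchanged."""
    return {str(ipaddress.ip_network(s)) for s in local_subnets}

def ambiguous_routes(advertisements):
    """Prefixes advertised by more than one router: the receiver gets two
    candidates for the same summary and cannot tell the two halves of the
    discontiguous major network apart."""
    sources = {}
    for router, prefixes in advertisements.items():
        for p in prefixes:
            sources.setdefault(p, set()).add(router)
    return {p: r for p, r in sources.items() if len(r) > 1}

# Constructed discontiguous network: R_A holds 172.16.1.0/24, R_B holds
# 172.16.2.0/24, and the two are joined only through 192.168.1.0/24.
A_SUBNETS = ["172.16.1.0/24"]
B_SUBNETS = ["172.16.2.0/24"]
WAN = "192.168.1.0/24"

if __name__ == "__main__":
    classful = {"R_A": classful_advertisement(A_SUBNETS, WAN),
                "R_B": classful_advertisement(B_SUBNETS, WAN)}
    classless = {"R_A": classless_advertisement(A_SUBNETS),
                 "R_B": classless_advertisement(B_SUBNETS)}
    print("classfull, ambiguous:", ambiguous_routes(classful))
    print("classless, ambiguous:", ambiguous_routes(classless))
```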
Major differences between protocols
• RIP: (Routing Information Protocol)

- RIPv1 is a distance vector routing protocol.
- RIPv2 is an advanced distance vector routing protocol.

- RIP timers:
* Periodic update every 30 sec.
* Invalid/hold time is 180 sec (if a network is not updated for 180
sec, it is marked as invalid and its route is poisoned).
* Flush time 240 sec (the route is deleted from all RIP tables after
240 sec).

- By default, when configuring RIP the software receives RIP
version 1 and version 2 packets, but sends only version 1
packets. This is done by configuring:

(config)# router rip

- You can configure the software to receive and send only
version 1 packets. Alternatively, you can configure the
software to receive and send only version 2 packets. To do
so, use the following command in router configuration mode:

(config)# router rip
(config-router)# version {1 | 2}
• Configuration:
(config)# router rip
(config-router)# network <directly connected network>
• The network command activates the interfaces to
1) send updates
2) receive updates
3) advertise routing entries learned on that interface

• If we don't want to send updates through an interface,
make that interface a passive interface, which is
mainly used on Ethernet LAN interfaces where no
routers exist:
(config-router)# passive-interface <interface name>
- A passive interface listens to updates but doesn't send
updates.

• Because RIP is normally a broadcast protocol, in order
for RIP routing updates to reach non-broadcast
networks, use:
(config-router)# neighbor <IP address of neighbor>
which is used to define neighbors statically (next hops
that updates must be sent to).
Comparing RIPv1 & RIPv2

RIP v.1:
- Classfull
- Broadcast updates (255.255.255.255)
- Metric = hop count (max. = 15)
- Admin. Dist. = 120
- Periodic updates with the full routing table every 30 sec.
- Triggered full routing table at changes
- No authentication
- Symbol in routing table "R"
- An update cannot contain more than 25 entries, so if more than 25 exist,
more than one packet is advertised every period

RIP v.2:
- Classless
- Multicast updates (224.0.0.9)
- Metric = hop count (max. = 15)
- Admin. Dist. = 120
- Periodic updates with the full routing table every 30 sec.
- Triggered partial updates (aff­ected part only) at changes
- Supports authentication (clear text or MD5)
- Symbol in routing table "R"

• RIP v.2 configuration:
(config)# router rip
(config-router)# version 2
To disable auto summary:
(config-router)# no auto-summary
For manual summarization:
(config-if)# ip summary-address rip <summary address> <mask>
Auto and Manual Summarization:

Protocol   Auto summarization   Can be disabled   Manual summarization
RIP v.1    YES                  NO                NO
IGRP       YES                  NO                NO
OSPF       NO                   -----             YES
IS-IS      NO                   -----             YES
RIP v.2    YES                  YES               YES
EIGRP      YES                  YES               YES

Figure: no auto summary effect on RIPv2 (/24 subnets vs. /16 summary)
RIPng (RIP next Generation)
Theory and Comparisons to RIP-2
The RIPng RFC states that the protocol uses many of the
same concepts and conventions as the original RIP-1
specification, also drawing on some RIP-2 concepts.
However, knowing that many of you might not remember a
lot of details about RIP-2.

The overall operation of RIPng closely matches RIP-2. In
both, routers send periodic full updates with all routes,
except for routes omitted due to split horizon rules. No
neighbor relationships occur; the continuing periodic
updates, on a slightly variable 30 second period,
also serve the purpose of confirming that the neighboring
router still works.
The metrics work exactly the same. When a router ceases to see a
route in received updates, ceases to receive updates, or receives a
poisoned (metric 16) route, it reacts to converge, but relatively
slowly compared to EIGRP and OSPF.

Some differences relate specifically to IPv6. First, the update
messages themselves list IPv6 prefixes/lengths, rather than
subnet/mask. In RIP-1 and RIP-2, RIP encapsulated RIP update
messages inside an IPv4 and UDP header; with IPv6, the
encapsulation uses IPv6 packets, again with a UDP header.

The last difference of note is that because IPv6 supports
authentication using the IPsec Authentication Header (AH), RIPng
does not natively support authentication, instead relying on IPsec.

Configuring RIPng
RIPng uses a new command style for the basic configuration, but
most of the optional features and verification commands look much
like the commands used for RIP for IPv4.

This section first takes a look at the basic RIPng configuration,
accepting as many defaults as possible.

The big difference between RIP-2 and RIPng configuration is that
RIPng discards the age-old RIP network command in deference to the
ipv6 rip name enable interface subcommand, which enables RIPng
on the interface. Another difference relates to the routing of
IPv4 and IPv6: IOS routes IPv4 by default (due to a default global
configuration command of ip routing), but IOS does not route IPv6
by default (a default of no ipv6 unicast-routing).

Finally, RIPng allows multiple RIPng processes on a single router, so
IOS requires that each RIPng process is given a text name that
identifies each RIPng process for that one router, another difference
compared to RIP-2.
The following list shows the basic configuration steps for RIPng,
including the steps to enable IPv6 routing and to enable IPv6 on the
interfaces.

Step 1. Enable IPv6 routing with the ipv6 unicast-routing global
command.

Step 2. Enable RIPng using the ipv6 router rip name global
configuration command. The name must be unique on a router but
does not need to match neighboring routers.

Step 3. Enable IPv6 on the interface, typically with one of these two
methods:
- Configure an IPv6 unicast address on each interface using the ipv6
address address/prefix-length [eui-64] interface command.
- Configure the ipv6 enable command, which enables IPv6 and causes
the router to derive its link local address.

Step 4. Enable RIP on the interface with the ipv6 rip name enable
interface subcommand (where the name matches the ipv6 router rip
name global configuration command).
R1# show running-config
! The output is edited to remove lines not pertinent to this example.
! Next, step 1’s task: enable IPv6 routing
ipv6 unicast-routing
!
! Next, on 5 interfaces, steps 3 and 4: configuring an IPv6 address,
! and enable RIPng, process “fred”.
interface FastEthernet0/0.1
ipv6 address 2012::1/64
ipv6 rip fred enable
!
interface FastEthernet0/0.2
ipv6 address 2017::1/64
ipv6 rip fred enable
!
interface FastEthernet0/1.18
ipv6 address 2018::1/64
ipv6 rip fred enable
!
interface Serial0/0/0.3
ipv6 address 2013::1/64
ipv6 rip fred enable
!
interface Serial0/0/0.4
ipv6 address 2014::1/64
ipv6 rip fred enable
!
interface Serial0/0/0.5
ipv6 address 2015::1/64
ipv6 rip fred enable
!
! Next, step 2’s task, creating the RIPng process named “fred”
ipv6 router rip fred

R3# show ipv6 route rip
IPv6 Routing Table - Default - 19 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
B - BGP, M - MIPv6, R - RIP, I1 - ISIS L1
I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
EX - EIGRP external
O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
R 2005::/64 [120/3]
via FE80::11FF:FE11:1111, Serial0/0/0.1
via FE80::22FF:FE22:2222, Serial0/0/0.2
R 2012::/64 [120/2]
via FE80::11FF:FE11:1111, Serial0/0/0.1
via FE80::22FF:FE22:2222, Serial0/0/0.2
! lines omitted for brevity...
R 2099::/64 [120/3]
via FE80::22FF:FE22:2222, Serial0/0/0.2
via FE80::11FF:FE11:1111, Serial0/0/0.1
! Unlike show ip protocols, show ipv6 protocols displays little info.

R3# show ipv6 protocols
IPv6 Routing Protocol is “connected”
IPv6 Routing Protocol is “rip barney”
Interfaces:
Serial0/0/0.2
Serial0/0/0.1
FastEthernet0/
OSPF in single area
Overview
OSPF C/C's

1- Open standard link state routing protocol

2- Sends partial triggered updates called LSAs at start up and
at changes

3- Updates are sent to multicast (224.0.0.5 or 224.0.0.6) or
unicast addresses

4- During the convergence period, LSDB (Link State DataBase)
refreshment updates are sent every 30 min.

5- LSDB entries expire after 60 min. (maxage) without
refreshment

6- Symbol in routing table is "O"

7- Administrative Distance = 110

8- Metric is cost = 10^8 / BW of interface; the BW of the interface is
T1 (1.54 Mbps) by default, and can be controlled using
(config-if)# bandwidth <BW in units of Kbps>
Max hop count for networks is undefined

9- Supports equal-cost load sharing with a default of 4 paths and a
maximum of 16 paths or more

10- Supports hierarchical design
• OSPF tables:
1- Neighbor table (adjacency table)
- List of all neighbors (a neighbor is directly connected &
understands the same protocol)
#show ip ospf neighbor
2- Topology table (Link State DataBase - LSDB)
Contains all routers and their attached links in the area or
network, or in other words all routes to all destination networks.
All routers within an area have an identical copy of it.
#show ip ospf database
3- Routing table (forwarding database)
- Best routes to all destination networks.
#show ip route [ospf]
• OSPF topologies:
1- BMA (Broadcast Multiple Access)
Ex: Ethernet & Token Ring links

2- Point to point
A network that joins a single pair of routers.
Ex: Interfaces running PPP or HDLC, or point to point
sub-interfaces of ATM & Frame Relay

3- NBMA (Non Broadcast Multiple Access)
A network that interconnects more than two routers but that
has no broadcast capability.
Ex: Multipoint ATM, Frame Relay & X.25
OSPF autodetects the interface type, so it can
determine how the operation will work.
• OSPF packet types:

1- Hello packet:
- Used for neighbor discovery and maintenance of the neighbor
relationship.
- Sent periodically to the multicast address 224.0.0.5 (all OSPF routers)
every 10 sec. on BMA topology, point to point links and
NBMA point to point links, & every 30 sec. on NBMA multipoint topology.

2- DDP (DBD): DataBase Description Packet.
- It contains a summary of the entries inside the LSDB.

3- LSR: Link State Request packet.
- To request a part of the LSDB from a neighbor.

4- LSU: Link State Update (group of LSAs)
- It is the detailed information for entries inside the LSDB.

5- LSAck: Link State Acknowledgement.
- Acknowledges the reception of LSUs.
• Operation of OSPF:
1- Neighbor discovery (hello protocol) – forming adjacency:
1.1- Down state:
- No communication yet.

1.2- Init state:
- The first discovery hello is sent.

Conditions for OSPF routers to be neighbors:
1- Same area ID.
2- Same hello & dead intervals.
3- Same authentication password.
4- Same stub area flag.
So B will never reply with a hello until these conditions match
its values.
Neighborship Establishment OSPF vs EIGRP
• Hello packet:
Version | Type | Packet length
RID
Area ID
Checksum | Authentication type
Password
Password
Hello interval | Options (area type) | Router priority
Router dead interval
DR ID
BDR ID
Neighbor 1
.
.
Neighbor n

• The hello packet is encapsulated in an IP packet, with the
protocol field of the IP packet indicating that an OSPF payload is
encapsulated.

• The type field = type 1 is a Hello packet.

• RID (Router ID): defined by
- command: (config-router)# router-id <ip address>
- The highest loopback IP address.
- If no loopback, the highest IP of an active physical interface.
• Authentication type:
- Clear text or MD5.
• Dead interval:
- Time to wait before considering the neighbor is down.
- Dead interval = 4 * hello interval.
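As an added example (not from the course material), the following Python code encodes and decodes the Hello packet laid out above, field by field as in RFC 2328 (24-byte OSPF header with version, type, length, RID, area ID, checksum, authentication type and the 8-byte password field, then netmask, hello interval, options, priority, dead interval, DR, BDR and the neighbor list), verifies the one's complement checksum, and then applies the four neighbor conditions from the previous slide (area ID, hello/dead intervals, authentication, stub area flag carried as the E-bit of the options field). Router IDs, timers and the password are constructed values; only null and simple-password authentication are modelled, not MD5.

```python
import struct

OSPF_VERSION = 2
HELLO_TYPE = 1
OPT_E_BIT = 0x02      # options E-bit: set outside stub areas, cleared inside them

def ip2b(s):
    return bytes(int(x) for x in s.split("."))

def b2ip(b):
    return ".".join(str(x) for x in b)

def ospf_checksum(data):
    """16-bit one's complement checksum used by OSPFv2 (RFC 2328); the caller
    must leave the 8-byte authentication field out of 'data'."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_hello(router_id, area_id, hello, dead, priority, options, netmask,
                dr="0.0.0.0", bdr="0.0.0.0", neighbors=(), password=b""):
    """Encode an OSPFv2 Hello: 24-byte header + 20-byte hello body + neighbour RIDs."""
    body = struct.pack("!4sHBBI4s4s", ip2b(netmask), hello, options, priority,
                       dead, ip2b(dr), ip2b(bdr))
    body += b"".join(ip2b(n) for n in neighbors)
    length = 24 + len(body)
    autype = 1 if password else 0            # 0 = null, 1 = simple password
    auth = password[:8].ljust(8, b"\x00")
    header_no_auth = struct.pack("!BBH4s4sHH", OSPF_VERSION, HELLO_TYPE, length,
                                 ip2b(router_id), ip2b(area_id), 0, autype)
    csum = ospf_checksum(header_no_auth + body)
    header = struct.pack("!BBH4s4sHH8s", OSPF_VERSION, HELLO_TYPE, length,
                         ip2b(router_id), ip2b(area_id), csum, autype, auth)
    return header + body

def parse_hello(pkt):
    """Decode a Hello after checking version, type, length and checksum."""
    if len(pkt) < 44:
        raise ValueError("too short for an OSPFv2 Hello")
    ver, typ, length, rid, aid, _csum, autype, auth = struct.unpack("!BBH4s4sHH8s", pkt[:24])
    if ver != OSPF_VERSION or typ != HELLO_TYPE or length != len(pkt):
        raise ValueError("not a well-formed OSPFv2 Hello")
    # a correct packet sums to zero when the stored checksum is included
    if ospf_checksum(pkt[:16] + pkt[24:]) != 0:
        raise ValueError("bad OSPF checksum")
    netmask, hello, options, priority, dead, dr, bdr = struct.unpack("!4sHBBI4s4s", pkt[24:44])
    return {
        "router_id": b2ip(rid), "area_id": b2ip(aid), "autype": autype, "auth": auth,
        "netmask": b2ip(netmask), "hello": hello, "options": options,
        "priority": priority, "dead": dead, "dr": b2ip(dr), "bdr": b2ip(bdr),
        "neighbors": [b2ip(pkt[i:i + 4]) for i in range(44, len(pkt), 4)],
    }

def neighbor_mismatches(local, received):
    """The four conditions the slides list before a router answers a Hello;
    returns the failed conditions (an empty list means the neighbour is accepted)."""
    reasons = []
    if local["area_id"] != received["area_id"]:
        reasons.append("area ID")
    if local["hello"] != received["hello"] or local["dead"] != received["dead"]:
        reasons.append("hello/dead intervals")
    if local["autype"] != received["autype"] or local["auth"] != received["auth"]:
        reasons.append("authentication")
    if (local["options"] & OPT_E_BIT) != (received["options"] & OPT_E_BIT):
        reasons.append("stub area flag")
    return reasons

if __name__ == "__main__":
    mine = parse_hello(build_hello("1.1.1.1", "0.0.0.0", 10, 40, 1, OPT_E_BIT, "255.255.255.0"))
    other = parse_hello(build_hello("2.2.2.2", "0.0.0.0", 10, 40, 1, OPT_E_BIT, "255.255.255.0",
                                    neighbors=["1.1.1.1"]))
    print("mismatches:", neighbor_mismatches(mine, other), "neighbors seen:", other["neighbors"])
```

Real IOS additionally requires the network mask in the Hello to match on broadcast and NBMA networks; that check is omitted here because the slide does not list it.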
1.3 – Two way state:
- The neighbor relationship is formed.

Note:
The two way state is the final state between DRothers.

When routers running OSPF initialize, an exchange process using the


Hello protocol is the first procedure. The exchange process that happens
when routers are coming up on the network is illustrated in the example
in the figure:
1. Router A is enabled on the LAN and is in a down state because it has
not exchanged information with any other router. It begins by sending a
hello packet through each of its interfaces participating in OSPF, even
though it does not know the identity of the DR or of any other routers. The
hello packet is sent out using the multicast address 224.0.0.5.
2. All directly connected routers running OSPF receive the hello packet
from router A and add router A to their list of neighbors. This state is the
initial state (init).
3. All routers that received the hello packet send a unicast reply hello
packet to router A with their corresponding information. The neighbor field
in the hello packet includes all neighboring routers and router A.
4. When router A receives these hello packets, it adds all the routers that
had its router ID in their hello packets to its own neighbor relationship
database. This state is referred to as the two-way state. At this point, all
routers that have each other in their lists of neighbors have
established bidirectional communication.
5. If the link type is a broadcast network, generally a LAN link
like Ethernet, then a DR and BDR must first be selected. The
DR forms bidirectional adjacencies with all other routers on the
LAN link. This process must occur before the routers can begin
exchanging link-state information.

2- Election of DR & BDR (if they do not exist) – in case of BMA and
NBMA:
- The DR (Designated Router) is the router having the highest:
a- First router that is ready for OSPF operation (already booted
up & has a complete configuration)
b- OSPF priority (0 – 255) on the interface facing the BMA segment,
default = 1; priority = 0 means it can be neither DR nor BDR
c- Router ID
- Defined value through configuration
- Highest IP address of a logical loopback interface
- Highest IP address of a physical active interface

- The BDR is a Backup DR and it has the second highest priority or
RID.
- The remaining routers are called DRothers.
- The DR election is non-preemptive (no one can take the DR's
place, even if it has a better priority or RID, unless the DR fails).

Note: the rest of the operation will be completed between each
router and their DR and BDR only.
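As an added example (not part of the slides), the following Python code models the DR/BDR election above on one multi-access segment: priority 0 routers are ineligible, the highest priority and then the highest RID wins, an existing DR and BDR are kept when a better router appears (the election is non-preemptive), and when the DR fails the BDR is promoted and a new BDR is elected. Router IDs and priorities are constructed values, and the procedure is a simplification of RFC 2328 section 9.4, which elects the BDR before the DR.

```python
from dataclasses import dataclass

@dataclass
class OspfRouter:
    router_id: str         # dotted RID, compared numerically octet by octet
    priority: int = 1      # interface priority; 0 = can be neither DR nor BDR
    up: bool = True

def rid_key(rid):
    return tuple(int(x) for x in rid.split("."))

def elect(routers, current_dr=None, current_bdr=None):
    """Return (DR, BDR) router IDs for the segment.

    Existing roles survive as long as their holder is still up and
    eligible (non-preemptive). Vacant roles go to the highest priority,
    then highest RID, among the remaining eligible routers."""
    eligible = [r for r in routers if r.up and r.priority > 0]
    ids = {r.router_id for r in eligible}

    def best(candidates):
        return max(candidates, key=lambda r: (r.priority, rid_key(r.router_id)), default=None)

    dr = current_dr if current_dr in ids else None
    bdr = current_bdr if current_bdr in ids else None
    if dr is None:
        if bdr is not None:
            dr, bdr = bdr, None          # the BDR is promoted when the DR fails
        else:
            dr = best(eligible).router_id if eligible else None
    if bdr is None:
        rest = [r for r in eligible if r.router_id != dr]
        bdr = best(rest).router_id if rest else None
    return dr, bdr

if __name__ == "__main__":
    # Constructed segment: R3 has priority 0 and can only be a DRother.
    segment = [OspfRouter("1.1.1.1"), OspfRouter("2.2.2.2"), OspfRouter("3.3.3.3", priority=0)]
    dr, bdr = elect(segment)
    print("initial election:", dr, bdr)
    segment.append(OspfRouter("4.4.4.4", priority=200))
    print("after R4 joins (no preemption):", elect(segment, dr, bdr))
    segment[1].up = False
    print("after the DR fails:", elect(segment, dr, bdr))
```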
3- Routes discovery:
3.1- Exstart state:
- Form the master / slave relationship.
- The master is the router with the highest RID even if it isn't the
DR.
3.2- Exchange state:
- Send the link state IDs for the entries in the LSDB (the master
router sends a summary of the entries in the LSDB, the "DBD").
LSID: RID sequence
3.3- Loading state:
- Requesting details for specific LSDB entries.
3.4- Full state: (full adjacency)
- All routers have a common LSDB.
After the DR and BDR have been elected, the routers are in the exstart state and are ready to discover the link-state information for the internetwork and build their LSDBs. The procedure that does this is the exchange protocol, and it takes the routers to the full state. The first step is for the DR and BDR to form adjacencies with each of the other routers on the segment (on a point-to-point link the two routers simply form one adjacency with each other). Once adjacent routers are in the full state they do not repeat the exchange protocol unless the adjacency itself changes.
As shown in the previous figure, the exchange protocol operates as follows:
Step 1 In the exstart state, the DR and BDR establish adjacencies with each router in the network. During this process a master-slave relationship is negotiated between each pair of adjacent routers: the router with the higher router ID becomes the master and controls the exchange.
Step 2 The master and slave exchange one or more DBD packets. The routers are now in the exchange state.
A DBD carries the LSA headers of the entries in the sender's LSDB; the entries can describe a router's links or a transit network. Each LSA header identifies the link-state type, the link-state ID, the advertising router, the LS sequence number, the LS checksum and the LS age. The receiving router uses the sequence number (and, on a tie, the checksum and age) to decide whether the advertised instance is newer than the one it already holds.
Step 3 When a router receives a DBD, it performs these actions, as shown in the figure:
1. It acknowledges the DBD. DBDs are acknowledged implicitly: the slave echoes the master's DBD sequence number in its own DBD (LSAck packets acknowledge LSUs, not DBDs).
2. It compares the received headers with its own LSDB. For every entry that the neighbor has and the router lacks, or that the neighbor holds in a newer instance, it sends a link-state request (LSR). The process of sending LSRs is the loading state.
3. The neighbor responds with the complete LSA in a link-state update (LSU). When the router receives the LSU, it sends an LSAck.
Step 4 The router installs the new link-state entries in its LSDB.
When all of a router's LSRs have been answered, the two neighbors are synchronized and in the full state. OSPF only computes routes from a synchronized LSDB, so a neighbor that never reaches full contributes nothing to the routing table.

At this point, all the routers in the area should have identical LSDBs.

LSA Sequence Numbering
• When a router encounters two instances of the same LSA, it must determine which is more recent. The instance with the newer (higher, compared as a signed 32-bit integer) LS sequence number is more recent; if the sequence numbers are equal, the larger LS checksum wins, and after that the LS age decides.

• A combination of the maximum age (MaxAge) and refresh timers, together with the link-state sequence numbers, lets OSPF keep only the most recent link-state records in the database. The sequence number is a 4-byte signed value that begins at 0x80000001 (InitialSequenceNumber) and ends at 0x7FFFFFFF (MaxSequenceNumber); when an originator reaches the maximum it flushes the LSA (sets its age to MaxAge) and starts again at 0x80000001.

• To keep the database accurate, each originating router re-floods (refreshes) every one of its LSAs every 30 minutes (LSRefreshTime), incrementing the sequence number by one each time. A received refresh resets the age of the stored copy. An LSA never remains in the database longer than the maximum age of one hour (MaxAge, 3600 seconds) without a refresh; at that point it is flushed.
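The comparison rules above, as an added worked example that is not part of the original notes: a Python implementation of the RFC 2328 section 13.1 ordering (sequence number compared as a signed 32-bit integer, then checksum, then age with the MaxAge and MaxAgeDiff rules), the sequence-number wrap at MaxSequenceNumber, and the "install only if newer" step that DBD and LSU processing performs. The LSA headers used are constructed for the example; the constants are the RFC's architectural values.

```python
"""Which of two OSPF LSA instances is newer (RFC 2328, section 13.1)."""
from dataclasses import dataclass

MAX_AGE = 3600            # 1 hour: an instance this old is being flushed
MAX_AGE_DIFF = 900        # 15 minutes: ages closer than this count as equal
LS_REFRESH_TIME = 1800    # 30 minutes: the originator re-floods well before MaxAge

INITIAL_SEQ = 0x80000001  # first sequence number an originator uses
MAX_SEQ = 0x7FFFFFFF      # last usable value before the originator must wrap


def signed32(value: int) -> int:
    """Interpret a 32-bit wire value as the signed integer OSPF compares."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


@dataclass(frozen=True)
class LsaHeader:
    ls_type: int
    link_state_id: str
    adv_router: str
    seq: int        # LS sequence number as seen on the wire (unsigned)
    checksum: int   # LS checksum, 16-bit unsigned
    age: int        # LS age in seconds


def newer(a: LsaHeader, b: LsaHeader) -> int:
    """Return 1 if a is newer, -1 if b is newer, 0 if the instances are identical."""
    key = (a.ls_type, a.link_state_id, a.adv_router)
    if key != (b.ls_type, b.link_state_id, b.adv_router):
        raise ValueError("not two instances of the same LSA")
    # 1. Signed comparison: 0x80000001 is the smallest value, 0x7FFFFFFF the largest.
    sa, sb = signed32(a.seq), signed32(b.seq)
    if sa != sb:
        return 1 if sa > sb else -1
    # 2. Same sequence number: the larger checksum (unsigned 16-bit) wins.
    if a.checksum != b.checksum:
        return 1 if a.checksum > b.checksum else -1
    # 3. Only one instance at MaxAge (being flushed): that one is newer.
    if (a.age == MAX_AGE) != (b.age == MAX_AGE):
        return 1 if a.age == MAX_AGE else -1
    # 4. Ages more than MaxAgeDiff apart: the younger instance is newer.
    if abs(a.age - b.age) > MAX_AGE_DIFF:
        return 1 if a.age < b.age else -1
    return 0


def next_seq(seq: int) -> int:
    """Sequence number the originator uses for its next instance of an LSA."""
    if seq == MAX_SEQ:
        # The current instance must first be flushed (age = MaxAge); then the
        # originator restarts at InitialSequenceNumber.
        return INITIAL_SEQ
    return seq + 1


def install_if_newer(lsdb: dict, received: LsaHeader) -> bool:
    """DBD/LSU processing step: keep the received instance only if it is newer."""
    key = (received.ls_type, received.link_state_id, received.adv_router)
    current = lsdb.get(key)
    if current is None or newer(received, current) > 0:
        lsdb[key] = received
        return True
    return False
```

The signed comparison is the detail that matters: an instance numbered 0x7FFFFFFF is the newest possible, not the oldest, even though it is numerically smaller than 0x80000001 when read as unsigned.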
LSA Operation

Creation of Adjacencies

RouterA# debug ip ospf adj

*Feb 17 18:41:51.242: OSPF: Interface Serial0/0/1 going Up


*Feb 17 18:41:51.742: OSPF: Build router LSA for area 0,
router ID 10.1.1.1, seq 0x80000013
*Feb 17 18:41:52.242: %LINEPROTO-5-UPDOWN: Line protocol on
Interface Serial0/0/1, changed state to up
*Feb 17 18:42:01.250: OSPF: 2 Way Communication to 10.2.2.2 on
Serial0/0/1, state 2WAY
*Feb 17 18:42:01.250: OSPF: Send DBD to 10.2.2.2 on
Serial0/0/1 seq 0x9B6 opt 0x52 flag 0x7 len 32
*Feb 17 18:42:01.262: OSPF: Rcv DBD from 10.2.2.2 on
Serial0/0/1 seq 0x23ED opt 0x52 flag 0x7 len 32 mtu 1500 state EXSTART
*Feb 17 18:42:01.262: OSPF: NBR Negotiation Done. We are the SLAVE
*Feb 17 18:42:01.262: OSPF: Send DBD to 10.2.2.2 on
Serial0/0/1 seq 0x23ED opt 0x52 flag 0x2 len 72
*Feb 17 18:42:01.294: OSPF: Rcv DBD from 10.2.2.2 on
Serial0/0/1 seq 0x23EE opt 0x52 flag 0x3 len 72 mtu 1500 state EXCHANGE
*Feb 17 18:42:01.294: OSPF: Send DBD to 10.2.2.2 on
Serial0/0/1 seq 0x23EE opt 0x52 flag 0x0 len 32
*Feb 17 18:42:01.294: OSPF: Database request to 10.2.2.2
*Feb 17 18:42:01.294: OSPF: sent LS REQ packet to 192.168.1.102, length
12
*Feb 17 18:42:01.314: OSPF: Rcv DBD from 10.2.2.2 on
Serial0/0/1 seq 0x23EF opt 0x52 flag 0x1 len 32 mtu 1500 state EXCHANGE
*Feb 17 18:42:01.314: OSPF: Exchange Done with 10.2.2.2 on Serial0/0/1
*Feb 17 18:42:01.314: OSPF: Send DBD to 10.2.2.2 on
Serial0/0/1 seq 0x23EF opt 0x52 flag 0x0 len 32
*Feb 17 18:42:01.326: OSPF: Synchronized with 10.2.2.2 on
Serial0/0/1, state FULL
*Feb 17 18:42:01.330: %OSPF-5-ADJCHG: Process 10, Nbr 10.2.2.2
on Serial0/0/1 from LOADING to FULL, Loading Done
*Feb 17 18:42:01.830: OSPF: Build router LSA for area 0,
router ID 10.1.1.1, seq 0x80000014

Creation of Adjacencies

RouterA# debug ip ospf adj

Ethernet interface coming up: Election


%LINK-3-UPDOWN: Interface ethernet0, changed state to up
OSPF: Interface ethernet0 going Up
OSPF: Rcv hello from 192.168.0.11 area 0 from Serial1 10.1.1.2
OSPF: End of hello processing
OSPF: Build router LSA for area 0, router ID 192.168.0.10
OSPF: send hello to 192.168.0.11 on ethernet0 seq 0x20C4 opt 0x2
flag 0x7 len 32 state INIT

OSPF: 2 Way Communication to 192.168.0.11 on Ethernet0, state 2WAY


OSPF: end of Wait on interface Ethernet0
OSPF: DR/BDR election on Ethernet0
OSPF: Elect BDR 192.168.0.12
OSPF: Elect DR 192.168.0.12
DR: 192.168.0.12 (Id) BDR: 192.168.0.12 (Id)
OSPF: Rcv DBD from 172.16.1.1 on FastEthernet0/0 seq 0x14B7 opt 0x52 flag 0x7 len 32 mtu 1500 state EXSTART
OSPF: First DBD and we are not SLAVE

<…>

4 - Choosing routes:
• Each router places itself at the root of the SPF tree it builds from the LSDB.
• The best path to a destination is the one with the lowest total cost, where the cost of a path is the sum of the outgoing interface costs along it (each router's interface costs are the ones its router LSA advertises).
• The routing table is formed by running the SPF (Dijkstra) algorithm over the LSDB; the resulting shortest paths are installed as O routes with administrative distance 110.
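The SPF step just described, as an added worked example that is not part of the original notes: Dijkstra over a constructed four-router LSDB in Python, with interface costs derived the way IOS derives them (reference bandwidth / interface bandwidth, default reference 100 Mbps, truncated, minimum 1) and the two-way connectivity check that RFC 2328 section 16.1 requires (a link is only used if the neighbor's own LSA lists a link back). Router IDs, bandwidths and the LSDB contents are constructed for the example.

```python
"""SPF over a link-state database: each router roots Dijkstra at itself and
sums outgoing interface costs along the path. Constructed four-router area."""
import heapq
from typing import Dict, List, Tuple

REFERENCE_BW_MBPS = 100  # IOS default for auto-cost reference-bandwidth


def interface_cost(bandwidth_kbps: int, reference_bw_mbps: int = REFERENCE_BW_MBPS) -> int:
    """IOS cost formula: reference bandwidth / interface bandwidth, truncated, minimum 1."""
    return max(1, (reference_bw_mbps * 1000) // bandwidth_kbps)


# Constructed LSDB, reduced to what SPF needs from the router LSAs:
# router ID -> list of (neighbor router ID, bandwidth in kbps of the interface
# facing that neighbor). Costs are directional: every router advertises the
# cost of its own outgoing interface, so the two ends of a link may differ.
LSDB: Dict[str, List[Tuple[str, int]]] = {
    "10.1.1.1": [("10.2.2.2", 100_000), ("10.3.3.3", 1_544)],
    "10.2.2.2": [("10.1.1.1", 100_000), ("10.3.3.3", 100_000), ("10.4.4.4", 10_000)],
    "10.3.3.3": [("10.1.1.1", 1_544), ("10.2.2.2", 100_000), ("10.4.4.4", 100_000)],
    "10.4.4.4": [("10.2.2.2", 10_000), ("10.3.3.3", 100_000)],
}


def has_back_link(lsdb, node: str, neighbor: str) -> bool:
    """RFC 2328 16.1: a link is only usable if the neighbor's LSA lists a link back."""
    return any(n == node for n, _ in lsdb.get(neighbor, []))


def spf(lsdb, root: str, reference_bw_mbps: int = REFERENCE_BW_MBPS) -> Dict[str, Tuple[int, str]]:
    """Return {destination router ID: (total cost, next-hop router ID)} as seen from root."""
    best_cost = {root: 0}
    next_hop: Dict[str, str] = {}
    candidates = [(0, root, None)]          # (cost so far, router, first hop from root)
    done = set()
    while candidates:
        cost, node, first_hop = heapq.heappop(candidates)
        if node in done:
            continue                        # stale entry: a cheaper path was already taken
        done.add(node)
        if first_hop is not None:
            next_hop[node] = first_hop
        for neighbor, bandwidth_kbps in lsdb.get(node, []):
            if not has_back_link(lsdb, node, neighbor):
                continue                    # one-way link: not (yet) a usable adjacency
            candidate = cost + interface_cost(bandwidth_kbps, reference_bw_mbps)
            if candidate < best_cost.get(neighbor, float("inf")):
                best_cost[neighbor] = candidate
                hop = neighbor if node == root else first_hop
                heapq.heappush(candidates, (candidate, neighbor, hop))
    return {dst: (best_cost[dst], next_hop[dst]) for dst in best_cost if dst != root}


def routing_table_lines(root: str, lsdb=LSDB) -> List[str]:
    """Render the SPF result the way show ip route prints OSPF entries: O dst [110/cost] via hop."""
    return [f"O {dst} [110/{cost}] via {hop}" for dst, (cost, hop) in sorted(spf(lsdb, root).items())]


if __name__ == "__main__":
    for line in routing_table_lines("10.1.1.1"):
        print(line)
```

With the default reference bandwidth, the 1.544 Mbps serial link costs 64 while every link of 100 Mbps or faster costs 1, which is why the example also exposes the reference bandwidth as a parameter: raise it identically on all routers before 100 Mbps and 10 Gbps links are made indistinguishable.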

• Operation of OSPF on point-to-point links:
- The same as on a broadcast multiaccess (BMA) network, except that no DR and BDR exist; the two routers form a single adjacency with each other.

• At convergence:
- No further updates are sent unless a link-state entry is due for refresh (every 30 minutes) or the topology changes. Periodic hellos serve as keepalives; the dead interval defaults to 4 x hello: hello/dead = 10/40 s on broadcast and point-to-point networks, 30/120 s on NBMA and point-to-multipoint networks.
- Every 30 minutes (LSRefreshTime) the originating router re-floods each of its LSAs with an incremented sequence number, so that the LSDBs stay synchronized even if an earlier update was lost. Each link-state entry has its own refresh timer, so the refreshes are spread out rather than sent all at once.
- Each link-state entry also has a maximum age of 60 minutes (MaxAge). An entry that has not been refreshed within 60 minutes is flushed from the LSDB.
• At change:
- The router that detects the change floods an LSU to the DR and BDR on 224.0.0.6 (AllDRouters).
- The DR and BDR acknowledge it with an LSAck to the sending router.
- The DR then floods the LSU to all routers on the segment on 224.0.0.5 (AllSPFRouters), and each router acknowledges it.
- Every router updates its LSDB and reruns SPF to rebuild its tree and routing table.

Convergence stability:
To keep a flapping link from triggering continuous SPF runs, OSPF applies two timers before recomputing:

1- SPF delay time (default 5 s):
- Time to wait after receiving the last topology change before running the SPF calculation, so that a burst of related changes is processed in one run.

2- SPF hold time (default 10 s):
- Minimum delay between two consecutive SPF calculations.
- Basic configuration:
(config)# router ospf <process-id>
! process-id = 1-65535 and can never be 0. The process ID is local to the router and does not have to match on neighbors (the area ID does). A maximum of 32 OSPF processes can be supported.
(config-router)# network <network-address> <wildcard-mask> area <area-id>
Or
Router(config-if)# ip ospf <process-id> area <area-id>
! Optional method to enable OSPF explicitly on an interface instead of matching it with a network statement.

Optional configuration:
OSPF Router ID
• The router is known to OSPF by its 32-bit OSPF router ID.
• LSDBs use the router ID to tell one router from the next, so it must be unique within the OSPF domain; a duplicate router ID causes LSAs to be overwritten and routes to flap.
• By default, the router ID is the highest IP address on an active interface at the moment the OSPF process starts.
• A loopback interface overrides that choice: if any loopback interface is up, the router ID is the highest IP address on an active loopback interface.
• The router-id command overrides both.
• Using a loopback interface or the router-id command is recommended for stability, because the ID then does not change when a physical interface goes down.
Define the router ID:
(config-router)# router-id <ip-address>
Loopback interface:
(config)# interface loopback 0
(config-if)# ip address <ip> <mask>

Router# clear ip ospf process

! Restarts the OSPF process so that the new router ID takes effect; all adjacencies are torn down and rebuilt.
- Defining router priority (0 = never DR or BDR, default 1):
(config)# interface e0/0
(config-if)# ip ospf priority <0-255>
- Defining interface cost:
1- (config-if)# ip ospf cost <1-65535>
2- (config-if)# bandwidth <kbps>   ! cost = reference bandwidth / interface bandwidth
3- (config-router)# auto-cost reference-bandwidth <Mbps>   ! default 100; set the same value on every router in the domain
- OSPF timers:
(config-router)# timers spf <spf-delay> <spf-holdtime>   ! newer IOS releases use timers throttle spf
(config-if)# ip ospf hello-interval <seconds>
(config-if)# ip ospf dead-interval <seconds>   ! hello and dead intervals must match between neighbors
- Defining the number of equal-cost paths for load sharing:
(config-router)# maximum-paths <number>
OSPF Router Authentication
By default, OSPF uses null authentication (AuType 0): routing exchanges over a network are not authenticated at all, so any host on the segment that can send OSPF packets can become a neighbor or inject LSAs. OSPF supports two other authentication methods: simple password authentication (also called plain-text authentication, AuType 1) and MD5 authentication (AuType 2).

Recall that when neighbor authentication has been configured on a router, the router authenticates the source of every routing packet it receives. Both sides must hold the same key (often referred to as a password). With simple authentication the 8-byte password itself is carried in the OSPF header in the clear, so it only guards against accidental adjacencies, not against anyone who can sniff the segment. With MD5 authentication the key never leaves the router: each packet carries a 16-byte digest computed over the packet plus the key, together with a key ID and a cryptographic sequence number that lets the receiver reject replayed packets.

Configuring OSPF Password Authentication

Clear-text password
Router(config-if)# ip ospf authentication-key <password>
! Assigns the simple password (up to 8 characters) used with neighbors on this interface
Or
MD5 password
Router(config-if)# ip ospf message-digest-key <key-id> md5 <key>
! Assigns an MD5 key (up to 16 characters); the key-id and key must be the same on both neighbors

Activate the authentication:

Router(config-if)# ip ospf authentication [message-digest | null]
! Specifies the authentication type for an interface: message-digest selects MD5 authentication, null disables authentication (overriding an area-level setting), and the bare command selects simple plain-text password authentication.

Or activate authentication for a whole area with the area command:

Router(config-router)# area <area-id> authentication [message-digest]
! Specifies the authentication type for every interface in the area; an interface-level ip ospf authentication setting takes precedence over it.
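As an added example that is not part of the original notes, the following Python builds the OSPFv2 Hello described in these notes with each authentication type and verifies the MD5 variant on the receiving side, following RFC 2328 Appendix D. The Hello body, router IDs, key and sequence number are constructed for the example; the zero-padding of keys shorter than 16 bytes matches what Cisco IOS does with ip ospf message-digest-key.

```python
"""OSPFv2 authentication on the wire (RFC 2328, Appendix D): what AuType 1 and
AuType 2 actually protect. Constructed Hello between 10.64.0.1 and 10.64.0.2."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

AUTH_NULL, AUTH_SIMPLE, AUTH_CRYPTO = 0, 1, 2
OSPF_HELLO = 1
HEADER_LEN = 24
MD5_LEN = 16


def ip_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum (RFC 1071), used for AuType 0 and 1 only."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def hello_body(mask="255.255.255.0", hello=10, dead=40, priority=1,
               dr="10.64.0.2", bdr="10.64.0.1", neighbors=("10.64.0.2",)) -> bytes:
    """Hello body: mask, HelloInterval, Options (E bit), priority, DeadInterval, DR, BDR, neighbors."""
    body = struct.pack("!4sHBBI4s4s", IPv4Address(mask).packed, hello, 0x02, priority,
                       dead, IPv4Address(dr).packed, IPv4Address(bdr).packed)
    return body + b"".join(IPv4Address(n).packed for n in neighbors)


def _header(ptype: int, router_id: str, area_id: str, length: int,
            checksum: int, autype: int, auth: bytes) -> bytes:
    """24-byte OSPFv2 header; auth is the 8-byte Authentication field."""
    return struct.pack("!BBH4s4sHH", 2, ptype, length, IPv4Address(router_id).packed,
                       IPv4Address(area_id).packed, checksum, autype) + auth


def build_simple(body: bytes, router_id: str, area_id: str, password: bytes) -> bytes:
    """AuType 1: the password itself travels in the Authentication field, in the clear."""
    length = HEADER_LEN + len(body)
    unauth = _header(OSPF_HELLO, router_id, area_id, length, 0, AUTH_SIMPLE, bytes(8)) + body
    checksum = ip_checksum(unauth)      # computed with the auth field excluded (all zero)
    auth = password.ljust(8, b"\x00")[:8]
    return _header(OSPF_HELLO, router_id, area_id, length, checksum, AUTH_SIMPLE, auth) + body


def build_md5(body: bytes, router_id: str, area_id: str, key_id: int, key: bytes, crypto_seq: int) -> bytes:
    """AuType 2: Authentication field = 0, key ID, digest length, cryptographic sequence
    number; checksum is 0; MD5(packet || key padded to 16 bytes) is appended after the
    packet and is not counted in the OSPF length field. The key itself is never sent."""
    auth = struct.pack("!HBBI", 0, key_id, MD5_LEN, crypto_seq)
    length = HEADER_LEN + len(body)
    packet = _header(OSPF_HELLO, router_id, area_id, length, 0, AUTH_CRYPTO, auth) + body
    return packet + hashlib.md5(packet + key.ljust(MD5_LEN, b"\x00")[:MD5_LEN]).digest()


def read_simple_password(wire: bytes) -> bytes:
    """What a sniffer on the segment recovers from an AuType 1 packet."""
    return wire[16:24].rstrip(b"\x00")


def verify_md5(wire: bytes, keys: dict, last_seq: dict, neighbor: str):
    """Receiver-side check for AuType 2. Returns (accepted, reason) and, on success,
    records the neighbor's cryptographic sequence number for replay detection."""
    if len(wire) < HEADER_LEN + MD5_LEN:
        return False, "too short"
    length = struct.unpack("!H", wire[2:4])[0]
    autype = struct.unpack("!H", wire[14:16])[0]
    if autype != AUTH_CRYPTO or len(wire) != length + MD5_LEN:
        return False, "auth type or length mismatch"
    _, key_id, auth_len, seq = struct.unpack("!HBBI", wire[16:24])
    if auth_len != MD5_LEN or key_id not in keys:
        return False, "unknown key id"
    packet, received = wire[:length], wire[length:]
    expected = hashlib.md5(packet + keys[key_id].ljust(MD5_LEN, b"\x00")[:MD5_LEN]).digest()
    if not hmac.compare_digest(expected, received):
        return False, "bad digest"           # wrong key or modified packet
    if seq < last_seq.get(neighbor, 0):
        return False, "replayed"             # sequence number went backwards
    last_seq[neighbor] = seq
    return True, "ok"
```

Two things the code makes visible that the commands alone do not: the MD5 digest is a keyed hash over packet-plus-key (not an HMAC), so the key must stay secret and the same key ID must exist on both sides; and the cryptographic sequence number, not the digest, is what stops a captured Hello or LSU from being replayed later, so the receiver has to remember the last sequence number per neighbor.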
Example Simple Password Authentication Configuration

Example MD5 Authentication Configuration

Troubleshooting
#show ip route
RouterA# show ip route ospf

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile,


B - BGP, D - EIGRP, EX - EIGRP external, O - OSPF,
IA - OSPF inter area, E1 - OSPF external type 1,
E2 - OSPF external type 2, E - EGP, i - IS-IS, L1 - IS-IS
level-1, L2 - IS-IS level-2, * - candidate default

Gateway of last resort is not set


10.0.0.0 255.255.255.0 is subnetted, 2 subnets
O 10.2.1.0 [110/10] via 10.64.0.2, 00:00:50, Ethernet0

#show ip ospf neighbor


RouterB# show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface


10.64.0.1 1 FULL/BDR 00:00:32 10.64.0.1 Ethernet0
10.2.1.1 1 FULL/- 00:00:38 10.2.1.1 Serial0

#show ip ospf interface


RouterA# show ip ospf interface e0

Ethernet0 is up, line protocol is up


Internet Address 10.64.0.1/24, Area 0
Process ID 1, Router ID 10.64.0.1, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 10.64.0.2, Interface address 10.64.0.2
Backup Designated router (ID) 10.64.0.1, Interface address 10.64.0.1
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:02
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 10.64.0.2 (Designated Router)
Suppress hello for 0 neighbor(s)

#show ip ospf
RouterB# show ip ospf

Routing Process "ospf 1" with ID 10.2.1.1


Supports only single TOS(TOS0) routes
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Number of DCbitless external LSA 0
Number of DoNotAge external LSA 0
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Area BACKBONE(0) (Active)
Number of interfaces in this area is 2
Area has no authentication
SPF algorithm executed 10 times
Area ranges are
Link State Update Interval is 00:30:00 and due in 0:07:16
Link State Age Interval is 00:20:00 and due in 00:07:15
Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 0

#show ip ospf database


RouterC# show ip ospf database

OSPF Router with ID (10.2.1.1) (Process ID 10)


Router Link States (Area 1)
Link ID ADV Router Age Seq# Checksum Link
count
10.2.1.1 10.2.1.1 48 0x80000001 0xB112 2
10.64.0.2 10.64.0.2 104 0x80000008 0xB112 2
10.64.0.1 10.64.0.1 212 0x80000006 0x3F44 2

#show ip protocols

- To log neighbor state changes as they happen (to the console or syslog):

(config-router)# log-adjacency-changes [detail]
! Without detail only transitions to and from FULL are logged; detail logs every state change
# debug ip ospf adjacency
# debug ip ospf packet
RouterC# debug ip ospf packet
OSPF: rcv. v:2 t:1 l:48 rid:10.64.0.2 aid:0.0.0.0 chk:6AB2
aut:0 auk:

OSPF operation in NBMA networks
At layer 3 all devices on an NBMA segment sit in the same subnet, so OSPF (a layer 3 protocol) expects to treat them as directly connected neighbors. At layer 2, however, they may not all be directly connected (there is no PVC between every pair of routers), so they are not all next hops for each other. The NBMA network types described below let OSPF treat such routers as neighbors only where the layer 2 topology actually allows it.

With Frame Relay, remote sites interconnect in a variety of ways. By


default, interfaces that support Frame Relay are multipoint connection
types. The following examples are types of Frame Relay topologies:
Star topology: A star topology, also known as a hub-and-spoke
configuration, is the most common Frame Relay network topology. In this
topology, remote sites connect to a central site that generally provides a
service or application.
Full-mesh topology: In a full-mesh topology, all routers have virtual
circuits to all other destinations. This method, although costly, provides
direct connections from each site to all other sites and allows for
redundancy. To figure out how many virtual circuits are needed to
implement a fully meshed topology, use the formula n (n – 1) / 2, where n
is the number of nodes in the network.
Partial-mesh topology: In a partial-mesh topology, not all sites may
have direct access to a central site. This method reduces the cost of
implementing a full-mesh topology.

OSPF operation in NBMA networks

OSPF network types for NBMA (selected per interface with ip ospf network):
• Non-broadcast (NBMA) mode, the default on a multipoint Frame Relay interface: one subnet, one DR and BDR, and neighbors must be defined manually (statically) because hellos cannot be multicast. With a partial-mesh topology the DR and BDR must have PVCs to every other router, so the DR and BDR are fixed statically with priorities (the spokes get priority 0).
• Broadcast mode simulates a broadcast multiaccess (BMA) network: hellos are multicast, neighbors are discovered automatically and a DR and BDR are elected. It requires a full mesh.
• Point-to-multipoint mode treats the cloud as a collection of point-to-point links: no DR or BDR, neighbors are discovered with multicast hellos, all routers share one subnet, and each neighbor is installed as a host route.
• Point-to-multipoint non-broadcast mode is used where replicating hellos to each neighbor as unicast is not possible (for example ATM SVCs): neighbors are defined statically, no DR or BDR.
• Point-to-point mode is used on point-to-point subinterfaces (one subnet per PVC, no DR or BDR).
• Configuration for NBMA networks:
(config)# interface s0/0
(config-if)# ip ospf network {non-broadcast | broadcast | point-to-multipoint [non-broadcast] | point-to-point}

- To define a neighbor statically (non-broadcast modes only):

(config-router)# neighbor <ip-address> [priority <number>] [poll-interval <seconds>] [database-filter all]
The default priority in the above command is 0, which marks the neighbor as ineligible to become DR or BDR; the database-filter all option filters all outgoing LSAs to that neighbor.
Note:
The default network type on a main interface and on a multipoint subinterface is non-broadcast; on a point-to-point subinterface it is point-to-point.

Ex1: Routers in an NBMA mode

RouterA(config)# router ospf 100


RouterA(config-router)# network 130.130.0.0 0.0.255.255 area 0
RouterA(config-router)# network 140.140.0.0 0.0.255.255 area 0
RouterA(config-router)# neighbor 140.140.1.2 priority 0
RouterA(config-router)# neighbor 140.140.1.3 priority 0

Configuring every neighbor with priority 0 tells RouterA that none of them can become DR or BDR, so RouterA (the hub, which has PVCs to all spokes) becomes the DR. The spokes should also set ip ospf priority 0 on their own interfaces so that their hellos agree. This is how the DR is defined statically on a partial mesh.
RouterA# show ip ospf neighbor

Neighbor ID     Pri   State         Dead Time   Address        Interface
130.130.1.1       1   FULL/ -       0:00:35     128.12.1.2     Serial0
201.23.13.1       0   FULL/DROTHER  0:00:36     140.140.1.2    Serial1
192.100.1.1       0   FULL/DROTHER  0:00:34     140.140.1.3    Serial1

Ex2: Routers in Multipoint mode


RouterA(config)# router ospf 100


RouterA(config-router)# network 140.140.0.0 0.0.255.255 area 0
RouterA(config-router)# network 130.130.0.0 0.0.255.255 area 0
RouterA(config)# interface serial 0
RouterA(config-if)# encapsulation hdlc
RouterA(config-if)# ip address 130.130.1.2 255.255.255.0
RouterA(config)# interface serial 1
RouterA(config-if)# encapsulation frame-relay
RouterA(config-if)# ip address 140.140.1.1 255.255.255.0
RouterA(config-if)# ip ospf network point-to-multipoint

RouterB(config)# router ospf 100


RouterB(config-router)# network 140.140.0.0 0.0.255.255 area 0
RouterB(config)# interface serial 0
RouterB(config-if)# ip address 140.140.1.2 255.255.255.0
RouterB(config-if)# encapsulation frame-relay
RouterB(config-if)# ip ospf network point-to-multipoint

RouterA# show ip ospf interface s1

Serial1 is up, line protocol is up


Internet Address 140.140.1.1/24, Area 0
Process ID 100, Router ID 120.120.1.1, Network Type Point-To-Multipoint,
Cost: 64
Transmit Delay is 1 sec, State: Point_To_Multipoint
Timer intervals configured,Hello 30, Dead 120, Wait 120, Retransmit 5
Hello due in 00:00:11
Neighbor count is 2, Adjacent neighbor count is 2
Adjacent with neighbor 140.140.1.2
Adjacent with neighbor 140.140.1.3
Ex3: Routers using point-to-point subinterfaces


RouterA(config)# router ospf 100


RouterA(config-router)# network 140.140.0.0 0.0.255.255 area 0
RouterA(config-router)# network 130.130.0.0 0.0.255.255 area 0
RouterA(config)# interface serial 0
RouterA(config-if)# encapsulation ppp
RouterA(config-if)# ip address 130.130.1.2 255.255.255.0
RouterA(config)# interface serial 1.1 point-to-point
RouterA(config-subif)# frame-relay interface-dlci 101
RouterA(config-subif)# ip address 140.140.1.1 255.255.255.0
RouterA(config-subif)#interface serial 1.2 point-to-point
RouterA(config-subif)# frame-relay interface-dlci 102
RouterA(config-subif)# ip address 140.140.2.1 255.255.255.0

RouterA# show ip ospf interface s1.1

Serial1.1 is up, line protocol is up
  Internet Address 140.140.1.1/24, Area 0
  Process ID 100, Router ID 120.120.1.1, Network Type POINT_TO_POINT, Cost: 64
  Transmit Delay is 1 sec, State POINT_TO_POINT
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:07
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 140.140.1.2

A point-to-point subinterface carries exactly one PVC, so it has at most one neighbor and uses the point-to-point hello/dead timers (10/40 s); the 140.140.2.0/24 PVC on s1.2 is a separate OSPF link with its own neighbor.

OSPF in Multiple Areas

Single vs. Multiple Area OSPF

Problems with OSPF in a single area:
1- Frequent SPF calculations: in a large topology, instability anywhere (a single flapping link) forces every router to rerun SPF.
2- Large link-state database (it grows with the size of the network).
3- Large routing table (it grows with the size of the network).

Routers therefore need more CPU power and memory. The way to scale an OSPF network is a hierarchical design with multiple areas.

Multiple-area OSPF:
1- Reduced rate of SPF calculations: a topology change triggers a full SPF run only inside its own area.
2- Smaller routing and topology tables, especially when routes are summarized at the ABRs.
3- Reduced LSU overhead, because the flooding caused by instability is confined to one area.
Types of Routers
• Internal router:
A router with all its interfaces in the same area; it holds the full LSDB for that area.
(config)# router ospf <process-id>
(config-router)# network <address> <wildcard-mask> area <area-id>
• ABR (Area Border Router):
A router that connects two or more areas. It must have at least one interface in the backbone area (area 0), holds a full LSDB for every area it is attached to, and sends summary LSAs (type 3 and type 4) between those areas.
(config)# router ospf <process-id>
(config-router)# network <address> <wildcard-mask> area 0
(config-router)# network <address> <wildcard-mask> area <area-id>
• ASBR (Autonomous System Boundary Router):
A router with at least one interface in an external internetwork (another AS) or another non-OSPF routing domain; it redistributes those routes into OSPF as type 5 (or, in an NSSA, type 7) LSAs.
• Backbone router:
A router with at least one link in area 0; it can be an internal router, an ABR or an ASBR.
Types of LSAs
• Type 1 LSA (router LSA):
Intra-area, shown as "O" in the routing table.
Every router generates a router LSA for each area it belongs to and floods it to all routers within that area. It describes:
1- each directly attached link, identified by its IP address
2- the mask of the link
3- the state and cost of the link
4- whether the router is an ABR or an ASBR (the type 1 link-state ID is the originating router's RID)
5- the link type (point-to-point to another router, stub network, transit multiaccess network, virtual link, ...)
• Type 2 LSA (network LSA):
Intra-area, shown as "O" in the routing table.
Generated by the DR and flooded inside its area; it represents the multiaccess segment itself. The type 2 link-state ID is the IP address of the DR's interface facing the segment. A type 2 network LSA lists each of the attached routers that make up the transit network, including the DR itself, as well as the subnet mask used on the link.
• Type 3 LSA (network summary LSA):
Inter-area, shown as "O IA" in the routing table.
Generated by an ABR: the ABR takes the type 1 and type 2 LSAs of one area and summarizes the networks they describe into type 3 LSAs, which it floods into its other areas (other ABRs regenerate them into further areas). It describes network addresses and their masks. The type 3 link-state ID is the destination network address.

• Type 4 LSA (ASBR summary LSA):
Inter-area, shown as "O IA" in the routing table.
Generated by an ABR to advertise how to reach an ASBR located in one of its areas to the other areas. It describes the path and cost to the ASBR; its link-state ID is the ASBR's RID.
• Type 5 LSA (AS external LSA):
Shown as "O E1" or "O E2" in the routing table.
Generated by an ASBR and flooded throughout the OSPF domain (into every area except stub areas and NSSAs). It describes routes to destination networks in an external AS.
- External type 2 (E2): the metric is the external (redistributed) cost only; the internal cost to reach the ASBR is not added. This is the default.
- External type 1 (E1): the internal cost to reach the ASBR is added to the external cost, so different routers may prefer different ASBRs.

• Type 6 LSA (multicast OSPF): not supported by Cisco IOS.

• Type 7 LSA (NSSA external LSA):
Shown as "O N1" or "O N2" in the routing table.
Generated by the ASBR of an NSSA. It is similar to a type 5 LSA except that it is flooded only within the NSSA; the NSSA ABR translates type 7 LSAs into type 5 LSAs and floods those into the rest of the OSPF domain.
Link-State Advertisement Types

Interpreting the Routing Table: Types of Routes

Interpreting the OSPF Database

Link count: total number of directly attached links, shown only for router LSAs. The link count includes all point-to-point, transit and stub links. Each point-to-point serial link counts as two (one point-to-point link to the neighbor plus one stub link for the subnet); all other links count as one, including Ethernet links.
RouterA#show ip ospf database
OSPF Router with ID (10.0.0.11) (Process ID 1)
Router Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Link count
10.0.0.11 10.0.0.11 548 0x80000002 0x00401A 1
10.0.0.12 10.0.0.12 549 0x80000004 0x003A1B 1
100.100.100.100 100.100.100.100 548 0x800002D7 0x00EEA9 2
Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
172.31.1.3 100.100.100.100 549 0x80000001 0x004EC9
Summary Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
10.1.0.0 10.0.0.11 654 0x80000001 0x00FB11
10.1.0.0 10.0.0.12 601 0x80000001 0x00F516
10.1.1.0 10.0.0.11 7 0x80000009 0x004DC5
10.1.1.0 10.0.0.12 9 0x80000007 0x00E81B
10.1.1.0 172.31.1.1 1111 0x80000003 0x00DD82
10.1.2.0 10.0.0.11 599 0x80000003 0x00EB1C
10.1.2.0 10.0.0.12 603 0x80000001 0x004CCC
10.1.3.0 10.0.0.11 14 0x80000002 0x00E225
10.1.3.0 10.0.0.12 69 0x80000001 0x00DE29
10.200.200.13 172.31.1.1 1108 0x80000001 0x00764E
Router Link States (Area 1)
Link ID ADV Router Age Seq# Checksum Link count
10.0.0.11 10.0.0.11 19 0x80000009 0x00B6C3 3
10.0.0.12 10.0.0.12 601 0x80000005 0x0085F0 3
10.200.200.13 10.200.200.13 20 0x80000003 0x000AB2 3
10.200.200.14 10.200.200.14 62 0x8000004D 0x003C2E 3
Net Link States (Area 1)
Link ID ADV Router Age Seq# Checksum
10.1.1.1 10.0.0.11 19 0x80000001 0x00D485
10.1.2.4 10.200.200.14 622 0x80000001 0x009F20
Summary Net Link States (Area 1)
Link ID ADV Router Age Seq# Checksum
172.31.1.0 10.0.0.11 540 0x80000003 0x004108
172.31.1.0 10.0.0.12 542 0x80000003 0x003B0D
172.31.1.0 172.31.1.1 1399 0x80000003 0x00C5CA
172.31.2.0 10.0.0.11 536 0x80000001 0x00D762
172.31.2.0 10.0.0.12 537 0x80000001 0x00D167
172.31.2.0 172.31.1.1 1394 0x80000001 0x005C25
Summary ASB Link States (Area 1)
Link ID ADV Router Age Seq# Checksum
100.100.100.100 10.0.0.11 536 0x80000001 0x007213
100.100.100.100 10.0.0.12 537 0x80000001 0x006C18
100.100.100.100 172.31.1.1 1394 0x80000001 0x00F6D5
Type-5 AS External Link States
Link ID ADV Router Age Seq# Checksum Tag
10.254.0.0 100.100.100.100 1351 0x8000010A 0x00C518 0
Area types (summary of the figure)
1. Backbone area: area 0. It is connected to all other areas and accepts every LSA type except type 7.
2. Standard (ordinary) area: any area other than area 0 is a standard area by default. It can contain an ASBR and accepts every LSA type except type 7.
3. Stub area: cannot contain an ASBR. The ABR does not send type 5 LSAs into it and instead injects a default route (O*IA 0.0.0.0/0); a destination in another AS is reached through the only exit the area has, the ABR. Configured on the ABR and on all routers in the area:
   (config-router)# area 3 stub
4. Totally stubby area: cannot contain an ASBR. The ABR sends neither type 3 nor type 5 LSAs into it, only the default route; routers in the area hold their own type 1 and type 2 LSAs plus O*IA 0.0.0.0/0, and a destination in another area or another AS is reached through the ABR.
   On all routers: (config-router)# area 3 stub
   On the ABR:     (config-router)# area 3 stub no-summary
5. NSSA (not-so-stubby area): a stub area that contains an ASBR. External routes from the other AS enter as type 7 LSAs, which the NSSA ABR translates into type 5 LSAs for the rest of the domain; type 5 LSAs from elsewhere are kept out and a default route can be injected instead.
   On all routers: (config-router)# area 5 nssa
6. NSSA totally stubby area: totally stubby plus an ASBR (type 7 allowed; type 3 and type 5 replaced by a default route from the ABR).
   On all routers: (config-router)# area 5 nssa
   On the ABR:     (config-router)# area 5 nssa no-summary
Types of Areas
• Ordinary or standard area:
An area that accepts all LSA types (intra-area, inter-area and external) except type 7.
• Backbone area (transit area):
Area 0; it connects all other areas and accepts all LSA types except type 7.

• Stub area:
An area into which the ABR does not advertise type 5 LSAs (and which does not accept type 7 LSAs); the ABR advertises a default route instead. Internal routers in a stub area therefore know nothing about networks in other autonomous systems, but reach them through the ABR's default route. A stub area can never contain an ASBR, and every router in the area must be configured as stub, because the stub flag is carried in the hellos and a mismatch prevents the adjacency.

IP routing table for a router in a stub area

For a stub area, on all routers in the area:

(config-router)# area <id> stub
Totally stubby area:
An area into which the ABR advertises neither type 5 nor type 3 and type 4 LSAs (and which does not accept type 7); instead the ABR advertises a single default route. Internal routers know nothing about other areas or other autonomous systems and use the default route through their ABR to reach them.

IP routing table for a router in a totally stubby area

• For a totally stubby area, on the ABR:

(config-router)# area <id> stub no-summary
On all other routers in the area:
(config-router)# area <id> stub
To set the cost of the injected default route (on the ABR):
(config-router)# area <area-id> default-cost <cost>
• NSSA (Not-So-Stubby Area):
A stub area that is allowed to contain an ASBR. It accepts type 7 LSAs and all other LSA types except type 5; external routes from the rest of the domain are kept out and a default route is used instead (the NSSA ABR injects one only when configured with area <id> nssa default-information-originate). The NSSA ABR translates type 7 LSAs into type 5 LSAs for the other areas.
Routers in an NSSA have O, O IA, O*IA, O N1 and O N2 routing entries.

On all routers in the NSSA:

(config-router)# area <id> nssa

• NSSA totally stubby area: has O, O*IA, O N1 and O N2 routing entries.
A totally stubby area that can contain an ASBR: it accepts type 7 LSAs and receives only a default route from the ABR in place of type 3 and type 5 LSAs.
On the ABR of the NSSA totally stubby area:
(config-router)# area <id> nssa no-summary
(the other routers in the area use area <id> nssa)
Configuring summarization

- Minimizes the number of routing table entries
- Localizes the impact of a topology change (a link flapping inside the summarized range does not change the summary route)
- Reduces type 3 and type 5 LSA flooding and saves CPU resources
• Inter-area summary on an ABR:
(config-router)# area <id> range <summary-address> <mask>
! <id> is the area the component routes come from
• External summary on an ASBR:
(config-router)# summary-address <address> <mask>

Advertise a default route:

(config-router)# default-information originate [always] [metric <value>] [metric-type {1 | 2}]

In the figure, the path through R1 is preferred to reach the Internet until the R1 path fails; R2 then becomes the alternative.

default-information originate dynamically advertises a default route (as a type 5 LSA) only while a default route exists in the router's own routing table. With the always keyword the router advertises a default route even when no default route exists in its table; use it with care, because that router keeps attracting traffic after it has lost its own upstream path.
Virtual links
• The OSPF rule is that every area must connect to area 0, but sometimes it cannot: no direct physical connection to area 0 is available, or a redundant connection to area 0 (or a partitioned backbone) has to be repaired.

The solution is a virtual link between the remote area's ABR and an ABR of area 0 across the intervening (transit) area. Both endpoints must be ABRs of the transit area, and the transit area cannot be a stub area.

(config)# router ospf <process-id>

(config-router)# area <transit-area-id> virtual-link <router-id of the other endpoint>

Router# show ip ospf virtual-links

Virtual Link to router 10.2.2.2 is up
  Transit area 0.0.0.1, via interface Ethernet0, Cost of using 10
  Transmit Delay is 1 sec, State POINT_TO_POINT
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 0:00:08
    Adjacency State FULL
A virtual link is similar to a standard OSPF adjacency, except that the two routers do not have to be directly attached. The Hello protocol works over a virtual link as it does over a standard link, at 10-second intervals. LSA refreshing, however, works differently: an LSA is normally refreshed every 30 minutes, but LSAs learned through a virtual link have the DoNotAge (DNA) option set, so they do not age out and need no periodic refresh. This is what keeps the virtual link (treated as a demand circuit) from carrying excessive flooding traffic.
RouterA# show ip ospf virtual-links
Virtual Link OSPF_VL0 to router 10.2.2.2 is up
  Run as demand circuit
  DoNotAge LSA allowed.
  Transit area 1, via interface Serial0/0/1, Cost of using 781
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:07
    Adjacency State FULL (Hello suppressed)
    Index 1/2, retransmission queue length 0, number of retransmission 1
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 1, maximum is 1
    Last retransmission scan time is 0 msec, maximum is 0 msec

RouterA# show ip ospf neighbor

Neighbor ID     Pri   State      Dead Time   Address      Interface
10.200.200.13     1   FULL/DR    00:00:33    10.1.1.3     FastEthernet0/0
10.2.2.2          0   FULL/ -    -           172.16.1.2   OSPF_VL0
10.2.2.2          0   FULL/ -    00:00:32    172.16.1.2   Serial0/0/1
Verification and troubleshooting

• # show ip protocols
• # show ip route
• # show ip ospf neighbor
• # show ip ospf interface
• # show ip ospf database
• # show ip ospf border-routers
• # show ip ospf virtual-links
• (config-router)# log-adjacency-changes

Design considerations
Cisco's traditional guidelines are:
• 50 routers per area (max)
• 60 neighbors per router (max)
• 3 areas per router (max)
• A router should not be DR or BDR for more than one network segment
How OSPF for IPv6 Works
• Similar to OSPF for IPv4: the same mechanisms, but a major rewrite of the protocol internals, with features updated for IPv6.
• OSPF for IPv6 (OSPFv3) is an IETF Proposed Standard.
• OSPF is a link-state routing protocol for IP, as opposed to a distance-vector protocol. Think of a link as an interface on a networking device. A link-state protocol makes its routing decisions based on the states of the links that connect source and destination machines.
• The state of a link is a description of that interface and its relationship to its neighboring devices. The interface information includes the IPv6 prefix of the interface, the prefix length, the type of network it is connected to, the routers connected to that network, and so on.
• This information is propagated in the various types of link-state advertisements (LSAs). The collection of LSAs held by a router is its link-state database (LSDB). Running Dijkstra's algorithm over the LSDB produces the OSPF routing table.
• The difference between the database and the routing table is that the database contains the complete collection of raw topology data, while the routing table contains only the shortest path to each known destination via a specific router interface.

OSPFv3, originally described in RFC 2740 (obsoleted by RFC 5340), supports IPv6.
OSPFv3 - Hierarchical Structure
• The topology of an area is invisible from outside the area:
  - LSA flooding is bounded by the area.
  - SPF calculation is performed separately for each area.
• The backbone must be contiguous.
• All areas must have a connection to the backbone:
  - otherwise a virtual link must be used to connect to the backbone.

OSPFv3 - messages
• OSPFv3 uses the same basic packet types as OSPFv2:
  - Hello
  - Database description (DBD)
  - Link-state request (LSR)
  - Link-state update (LSU)
  - Link-state acknowledgment (LSAck)
• The neighbor discovery and adjacency formation mechanisms are identical.
• The RFC-defined NBMA and point-to-multipoint topology modes are supported; Cisco also supports its point-to-point and broadcast modes, configured per interface.
• The LSA flooding and aging mechanisms are identical.
Enhanced Routing Protocol Support: Differences from OSPFv2

- OSPF packet types
OSPFv3 has the same five packet types, but some header fields have changed.
All OSPFv3 packets have a 16-byte header, versus the 24-byte header in OSPFv2: the AuType and Authentication fields were removed (authentication is left to IPsec) and an 8-bit Instance ID was added.
OSPFv3 vs. OSPFv2
1- OSPFv3 uses IPv6 link-local addresses to identify the OSPFv3 adjacency neighbors.

2- OSPFv2 does not define or allow for multiple instances per link, although similar functionality could be furnished by other mechanisms, such as subinterfaces. OSPFv3 has explicit support for instances through the instance field.
• This structure allows separate autonomous systems, each running OSPF, to use a common link. A single link could belong to multiple areas.
• Instance ID is a new field that is used to allow multiple OSPFv3 protocol instances per link.
• In order for two instances to talk to each other, they need to have the same instance ID. By default it is 0, and it is increased for each additional instance.

3- Security and authentication
• OSPFv3 carries no authentication fields of its own; it uses the IPv6 AH and ESP extension headers (IPsec) instead of the variety of authentication mechanisms defined in OSPFv2.

5- Multicast addresses:
• FF02::5—Represents all SPF routers on the link-local scope; equivalent to 224.0.0.5 in OSPFv2
• FF02::6—Represents all DR routers on the link-local scope; equivalent to 224.0.0.6 in OSPFv2

6- Removal of address semantics
• IPv6 addresses are no longer present in the OSPF packet header (they are part of the payload information).
• Router LSAs and network LSAs do not carry IPv6 addresses.
• Router ID, area ID, and link-state ID remain at 32 bits.
• DR and BDR are now identified by their router ID and not by their IP address.
LSA Types for IPv6
LSA function            LSA type   Code
Router LSA              1          0x2001
Network LSA             2          0x2002
Interarea prefix LSA    3          0x2003
Interarea router LSA    4          0x2004
AS external LSA         5          0x2005
Group membership LSA    6          0x2006
Type 7 LSA              7          0x2007
Link LSA                8          0x2008
Intra-area prefix LSA   9          0x2009

OSPFv3 LSA features include the following:
• The LSA is composed of a router ID, area ID, and link-state ID. They are each 32 bits and are not derived from an IPv4 address.
• Router LSAs and network LSAs contain only 32-bit IDs. They do not contain prefixes.
• LSAs have flooding scopes that define a diameter that they should be flooded to:
— Link local: Flood all routers on the link.
— Area: Flood all routers within an OSPF area.
— Autonomous system (AS): Flood all routers within the entire OSPF AS. Useful in an NSSA.
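The flooding scope and the code column of the LSA table are the same information: in the 16-bit LS Type field the top bit is the U bit, the next two bits (S2/S1) encode the flooding scope, and the low 13 bits are the function code, which is why an area-scoped type 1 LSA is written 0x2001. The decoder below is an added example of mine, not code from the course; it follows the RFC 5340 layout. Note that RFC 5340 registers the AS-scoped AS-External-LSA as 0x4005 and the link-scoped Link-LSA as 0x0008, values whose scope bits differ from the 0x2005 and 0x2008 listed above, and the scope_consistent check makes such mismatches visible.

```python
# Added example (not part of the course slides): decode the 16-bit OSPFv3
# LS Type field as RFC 5340 lays it out.  Bit 15 is the U bit, bits 14-13 are
# the S2/S1 flooding-scope bits, and the low 13 bits are the LSA function
# code, i.e. the "LSA type" column of the table above.
from typing import NamedTuple

# S2/S1 values and the flooding scope they encode.
SCOPES = {0b00: "link-local", 0b01: "area", 0b10: "AS", 0b11: "reserved"}

# Function codes registered in RFC 5340 (code 6 is marked deprecated there).
FUNCTION_NAMES = {
    1: "Router-LSA",
    2: "Network-LSA",
    3: "Inter-Area-Prefix-LSA",
    4: "Inter-Area-Router-LSA",
    5: "AS-External-LSA",
    6: "Group-membership-LSA (deprecated)",
    7: "NSSA-LSA (Type-7)",
    8: "Link-LSA",
    9: "Intra-Area-Prefix-LSA",
}


class LsType(NamedTuple):
    code: int       # raw 16-bit value, e.g. 0x2001
    u_bit: bool     # 1: store and flood even if unrecognised; 0: treat an unknown type as link-local
    scope: str      # flooding scope from the S2/S1 bits
    function: int   # 13-bit function code
    name: str       # registered name, or "unknown"


def decode_ls_type(code: int) -> LsType:
    """Split an OSPFv3 LS Type value into its U bit, flooding scope and function code."""
    if not 0 <= code <= 0xFFFF:
        raise ValueError("LS Type is a 16-bit field")
    u_bit = bool(code & 0x8000)
    scope = SCOPES[(code >> 13) & 0b11]
    function = code & 0x1FFF
    return LsType(code, u_bit, scope, function, FUNCTION_NAMES.get(function, "unknown"))


def scope_consistent(code: int, documented_scope: str) -> bool:
    """True when the S2/S1 bits of a value agree with the scope its LSA is documented with."""
    return decode_ls_type(code).scope == documented_scope


if __name__ == "__main__":
    for value in (0x2001, 0x2003, 0x4005, 0x2007, 0x0008, 0x2009):
        t = decode_ls_type(value)
        print(f"0x{value:04X}  {t.name:<34} scope={t.scope:<10} U={int(t.u_bit)}")
```

Feeding the decoder a value seen in a show ipv6 ospf database dump (the Ref-lstype column later on this page prints 0x2001 and 0x2002) tells you at a glance how far that LSA is flooded.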

The two renamed LSAs are as follows:
• Interarea prefix LSAs for area border routers (ABRs) (type 3):
Type 3 LSAs advertise internal networks to routers in other areas (interarea routes). Type 3 LSAs may represent a single network or a set of networks summarized into one advertisement. Only ABRs generate summary LSAs. In OSPF for IPv6, addresses for these LSAs are expressed as prefix and prefix length instead of address and mask. The default route is expressed as a prefix with length 0.
• Interarea router LSAs for autonomous system boundary routers (ASBRs) (type 4):
Type 4 LSAs advertise the location of an ASBR. Routers that are trying to reach an external network use these advertisements to determine the best path to the next hop. ASBRs generate type 4 LSAs.

The two new LSAs in IPv6 are as follows:
• Link LSAs (type 8): Type 8 LSAs have link-local flooding scope and are never flooded beyond the link with which they are associated. Link LSAs provide the link-local address of the router to all other routers attached to the link, inform other routers attached to the link of a list of IPv6 prefixes to associate with the link, and allow the router to assert a collection of option bits to associate with the network LSA that will be originated for the link.
• Intra-area prefix LSAs (type 9): A router can originate multiple intra-area prefix LSAs for each router or transit network, each with a unique link-state ID. The link-state ID for each intra-area prefix LSA describes its association to either the router LSA or the network LSA. The link-state ID also contains prefixes for stub and transit networks.
* Type 3 and type 9 LSAs carry all IPv6 prefix information, which, in IPv4, is included in router LSAs and network LSAs.
OSPFv3 Configuration

To configure OSPFv3, first enable IPv6, and then enable OSPFv3 and specify a router ID, using the following commands:
Router(config)#ipv6 unicast-routing
Router(config)#ipv6 router ospf process-id
Enables an OSPF process on the router. The process ID parameter identifies a unique OSPFv3 process. This command is used on a global basis.

Router(config-rtr)#router-id router-id
For an IPv6-only router, a router ID parameter must be defined in the OSPFv3 configuration as an IPv4 address using the router-id router-id command. You can use any IPv4 address as the router ID value.

Router(config-if)#ipv6 ospf process-id area area-id [instance instance-id]
Enables OSPF for IPv6 on an interface.

• Configuring an area range (manual summary):
Router(config-rtr)# area area-id range prefix/prefix-length [advertise | not-advertise] [cost cost]

• Showing the new LSA types:
show ipv6 ospf [process-id] database link
show ipv6 ospf [process-id] database prefix

Example:
(config)#ipv6 unicast-routing
(config)# ipv6 router ospf 1
(config-rtr)# router-id 2.2.2.2
(config-rtr)# area 1 range 2001:0DB8::/48
(config)# interface Ethernet0/0
(config-if)# ipv6 address 3FFE:FFFF:1::1/64
(config-if)# ipv6 ospf 1 area 0
(config-if)# ipv6 ospf priority 20
The priority number is used in the designated router election.
(config-if)# ipv6 ospf cost 20
The cost of sending a packet on the interface, expressed as the link-state metric.

The cost of the summarized route will be the highest cost of the routes being summarized. For example, if the following routes are summarized:

OI 2001:0DB8:0:0:7::/64 [110/20]
via FE80::A8BB:CCFF:FE00:6F00, Ethernet0/0
OI 2001:0DB8:0:0:8::/64 [110/100]
via FE80::A8BB:CCFF:FE00:6F00, Ethernet0/0
OI 2001:0DB8:0:0:9::/64 [110/20]
via FE80::A8BB:CCFF:FE00:6F00, Ethernet0/0

they become one summarized route:

OI 2001:0DB8::/48 [110/100]
via FE80::A8BB:CCFF:FE00:6F00, Ethernet0/0
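The summary rule above (summary cost = highest component cost) is easy to check offline before committing an area range. The script below is an added example of mine, not code from the course: it parses the OI lines shown above, verifies every component falls inside the configured area-range prefix, returns the summary cost, and, going a step further than the slide, derives the tightest covering prefix when no area range is given. The sample routes are the slide's own; the alternative 2001:db8:0:7::/64-style set used for the derived summary is constructed.

```python
# Added example (not part of the course slides): derive an OSPFv3 summary
# route from its component routes.  The summary prefix is either the
# configured 'area range' prefix or, if none is given, the tightest prefix
# covering every component, and the summary cost is the highest component
# cost, as stated above.
import ipaddress
import re
from typing import List, Optional, Tuple, Union

# Constructed sample input, copied from the "OI ... [110/cost]" lines above.
SAMPLE_ROUTES = """\
OI 2001:0DB8:0:0:7::/64 [110/20]
   via FE80::A8BB:CCFF:FE00:6F00, Ethernet0/0
OI 2001:0DB8:0:0:8::/64 [110/100]
   via FE80::A8BB:CCFF:FE00:6F00, Ethernet0/0
OI 2001:0DB8:0:0:9::/64 [110/20]
   via FE80::A8BB:CCFF:FE00:6F00, Ethernet0/0
"""

Route = Tuple[ipaddress.IPv6Network, int]
ROUTE_RE = re.compile(r"^(?P<code>O(?:I|E[12]|N[12])?)\s+(?P<prefix>\S+)\s+\[(?P<ad>\d+)/(?P<cost>\d+)\]")


def parse_routes(text: str) -> List[Route]:
    """Pick the 'code prefix [AD/cost]' lines out of show-ipv6-route style output."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            net = ipaddress.IPv6Network(m.group("prefix"), strict=False)
            routes.append((net, int(m.group("cost"))))
    return routes


def longest_common_prefix(nets: List[ipaddress.IPv6Network]) -> ipaddress.IPv6Network:
    """Smallest single prefix that covers every network in the list."""
    if not nets:
        raise ValueError("no routes to summarize")
    first = int(nets[0].network_address)
    length = min(n.prefixlen for n in nets)
    for n in nets[1:]:
        other = int(n.network_address)
        # shorten until the leading 'length' bits agree
        while length > 0 and (first >> (128 - length)) != (other >> (128 - length)):
            length -= 1
    return ipaddress.IPv6Network((first, length), strict=False)


def uncovered(routes: List[Route], summary: Union[str, ipaddress.IPv6Network]) -> List[str]:
    """Component routes that fall outside the summary prefix (should be empty)."""
    summary = ipaddress.IPv6Network(summary) if isinstance(summary, str) else summary
    return [str(net) for net, _ in routes if not net.subnet_of(summary)]


def summarize(routes: List[Route],
              area_range: Optional[str] = None) -> Tuple[ipaddress.IPv6Network, int]:
    """Return (summary prefix, summary cost) for a set of component routes."""
    if not routes:
        raise ValueError("no routes to summarize")
    summary = (ipaddress.IPv6Network(area_range) if area_range
               else longest_common_prefix([net for net, _ in routes]))
    outside = uncovered(routes, summary)
    if outside:
        raise ValueError(f"routes not covered by {summary}: {outside}")
    return summary, max(cost for _, cost in routes)


if __name__ == "__main__":
    prefix, cost = summarize(parse_routes(SAMPLE_ROUTES), "2001:0DB8::/48")
    print(f"configured range: OI {prefix} [110/{cost}]")
    # constructed set whose differing hextet sits inside the /64, to show the derived prefix
    derived, cost2 = summarize(parse_routes(
        "OI 2001:db8:0:7::/64 [110/20]\nOI 2001:db8:0:8::/64 [110/100]\nOI 2001:db8:0:9::/64 [110/20]"))
    print(f"derived summary:  OI {derived} [110/{cost2}]")
```

One detail worth knowing when you reuse the slide's prefixes: in 2001:0DB8:0:0:7::/64 the differing hextet lies beyond the /64 boundary, so strict=False parsing normalizes all three to 2001:db8::/64; the constructed set in the main block moves that hextet inside the prefix so the derived /60 is visible.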

OSPFv3 Configuration Example
Router1#
interface S1/1
ipv6 address 2001:410:FFFF:1::1/64
ipv6 ospf 100 area 0

interface S2/0
ipv6 address 3FFE:B00:FFFF:1::2/64
ipv6 ospf 100 area 1

ipv6 router ospf 100
router-id 10.1.1.3

Router2#
interface S3/0
ipv6 address 3FFE:B00:FFFF:1::1/64
ipv6 ospf 100 area 1

ipv6 router ospf 100
router-id 10.1.1.4
Verifying OSPFv3
Router2#show ipv6 ospf int s 3/0
S3/0 is up, line protocol is up
Link Local Address 3FFE:B00:FFFF:1::1, Interface ID 7
Area 1, Process ID 100, Instance ID 0, Router ID 10.1.1.4
Network Type POINT_TO_POINT, Cost: 1
Transmit Delay is 1 sec, State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40,
Retransmit 5
Hello due in 00:00:02
Index 1/1/1, flood queue length 0
Next 0x0(0)/0x0(0)/0x0(0)
Last flood scan length is 3, maximum is 3
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 10.1.1.3
Suppress hello for 0 neighbor(s)
Router2#show ipv6 ospf neighbor detail
Neighbor 10.1.1.3
In the area 0 via interface S2/0
Neighbor: interface-id 14, link-local address
3FFE:B00:FFFF:1::2
Neighbor priority is 1, State is FULL, 6 state changes
Options is 0x63AD1B0D
Dead timer due in 00:00:33
Neighbor is up for 00:48:56
Index 1/1/1, retransmission queue length 0, number of
retransmission 1
First 0x0(0)/0x0(0)/0x0(0) Next 0x0(0)/0x0(0)/0x0(0)
Last retransmission scan length is 1, maximum is 1
Last retransmission scan time is 0 msec, maximum is 0 msec

R3#show ipv6 ospf database database-summary

Area 0 database summary
LSA Type Count Delete Maxage
Router 3 0 0
Network 0 0 0
Link 3 0 0
Prefix 3 0 0
Inter-area Prefix 6 0 0
Inter-area Router 0 0 0
Type-7 External 0 0 0
Subtotal 15 0 0

Process 1 database summary
LSA Type Count Delete Maxage
Router 7 0 0
Network 1 0 0
Link 7 0 0
Prefix 8 0 0
Inter-area Prefix 14 0 0
Inter-area Router 2 0 0
Type-7 External 0 0 0
Type-5 Ext 3 0 0
Total 42 0 0
#show ipv6 ospf database
Router Link States (Area 1)

ADV Router Age Seq# Fragment ID Link count Bits
26.50.0.1 1812 0x80000048 0 1 None
26.50.0.2 1901 0x80000006 0 1 B

Net Link States (Area 1)

ADV Router Age Seq# Link ID Rtr count
26.50.0.1 57 0x8000003B 3 4

Inter-Area Prefix Link States (Area 1)

ADV Router Age Seq# Prefix
26.50.0.2 139 0x80000003 3FFE:FFFF:26::/64
26.50.0.2 719 0x80000001 3FFE:FFF:26::/64

Inter-Area Router Link States (Area 1)

ADV Router Age Seq# Link ID Dest RtrID
26.50.0.2 772 0x80000001 1207959556 72.0.0.4
26.50.0.4 5 0x80000003 1258292993 75.0.7.1

Link (Type-8) Link States (Area 1)

ADV Router Age Seq# Link ID Interface
26.50.0.1 1412 0x80000031 3 Fa0/0
26.50.0.2 238 0x80000003 3 Fa0/0

Intra-Area Prefix Link States (Area 1)

ADV Router Age Seq# Link ID Ref-lstype Ref-LSID
26.50.0.1 1691 0x8000002E 0 0x2001 0
26.50.0.1 702 0x80000031 1003 0x2002 3
26.50.0.2 1797 0x80000002 0 0x2001 0

Type-5 AS External Link States

ADV Router Age Seq# Prefix
72.0.0.4 287 0x80000028 3FFE:FFFF:A::/64
72.0.0.4 38 0x80000027 3FFE:FFFF:78::/64
75.0.7.1 162 0x80000007 3FFE:FFFF:8::/64
IS-IS (Intermediate System to Intermediate System)
IS-IS overview
• Why is IS-IS used?
1- IS-IS is the most popular (RFC 1195) open standard, scalable and stable IP routing protocol in the ISP industry, and it was developed before OSPF.
2- The simplicity and stability of IS-IS make it robust in large internetworks, so there is no need to use another protocol instead.
3- The US government mandated (forced) the support of an OSI routing protocol (IS-IS, ISO-IGRP, static CLNS routes).
4- Simpler implementation than OSPF; it makes efficient use of bandwidth, memory and processor.
5- Well positioned for IPv6: IS-IS updates are not carried within another routed protocol, so it is routed-protocol independent.

• Why is IS-IS not widely spread?
1- New businesses typically choose OSPF because it is a widely supported IP protocol, and OSPF has more options and features.
2- Today it is hard to find information and expertise on IS-IS.

• IS-IS/OSI model overview
OSI        TCP/IP
ES         Host
IS         Router
IS-IS      OSPF, Integrated IS-IS
Domain     AS
CLNS       IP
CLNP       IP header
NSAP       IP address
SNPA       L2 address (MAC/DLCI/...)
ES-IS      ARP
OSI Layer 3 addressing (CLNS addressing)
• CLNS (Connectionless Network Service) is an OSI routed protocol that supports both L3 logical addressing through NSAP and end-to-end data delivery through CLNP packets, just like the IP protocol does.
• Unlike an IP address, a CLNS address applies to the entire node and not to interfaces.
• A CLNS address is called an NSAP (Network Service Access Point).
• An NSAP identifies any system in the OSI model.
• An NSAP contains:
1- Domain address
2- Area address
3- Device (system) address
4- Link to the upper (higher) layer process (protocol)
• NSAP address in the Cisco implementation (1-13 bytes):
Cisco implementation of the NSAP address structure
• a) IDP (Initial Domain Part):
- AFI (Authority Format Identifier): the main domain (authority) ID; e.g. 49 is reserved for locally administered (private) domains.
- IDI (Initial Domain Identifier): the sub-domain ID.
• b) DSP (Domain Specific Part):
- HODSP (High Order DSP): the area ID, unique within the domain.
- System ID: the device ID, unique within the area.
- NSEL (Network Selector): identifies a process (application) on the device; it corresponds to a port number in an IP environment.

• Note: when dealing with routers we do not target a higher-layer protocol on the router, so the NSEL is set to 0.
• An NSAP address with NSEL=0 is called a NET (Network Entity Title), so every IS must have a NET address, while an ES can have an NSAP address.
• Cisco does not support ISO routing between different domains, so AFI, IDI and HODSP together are considered the area address in the Cisco implementation of NSAP.
Rules of ISO addressing
1- The ISO address is assigned to the system, not to the interface.
2- The router has one NET address.
3- All routers within an area must use the same area address.
4- The system ID must be unique within the area.
5- The system ID must have the same length for all ISs and ESs within the domain (in the Cisco implementation the system ID is fixed at 6 bytes).

OSI Layer 2 address (SNPA address)
• The SNPA (Subnetwork Point of Attachment) address is the data-link (layer 2) address corresponding to the layer 3 NSAP address. It is identified by:
1- MAC address on LAN interfaces
2- Virtual circuit ID for X.25, ATM and Frame Relay
3- Encapsulation type for point-to-point links (e.g. HDLC for HDLC)
• Interfaces are uniquely identified by a circuit ID:
– A one-octet number on point-to-point interfaces (like 0x00)
– The circuit ID concatenated with the 6-octet system ID of the designated router on broadcast multiaccess networks, forming a 7-octet LAN ID (1921.6800.0001.01)
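The NSAP structure, the ISO addressing rules and the LAN ID format above can all be checked mechanically from the NET strings in a set of router configurations. The script below is an added example of mine, not course code: it splits a Cisco dotted NSAP into area, system ID and NSEL, reports rule violations across a constructed set of routers (the NETs are made up in the 49.xxxx private-AFI style used on these slides), and builds the 7-octet LAN ID from a system ID and a circuit ID.

```python
# Added example (not part of the course slides): parse Cisco-style NSAP/NET
# strings into area address, system ID and NSEL, check a set of routers
# against the ISO addressing rules above, and build the 7-octet LAN ID that a
# DIS forms from its system ID plus a one-octet circuit ID.
import re
from dataclasses import dataclass
from typing import Dict, List

BYTE = re.compile(r"[0-9a-f]{2}")
GROUP = re.compile(r"[0-9a-f]{4}")


@dataclass(frozen=True)
class Nsap:
    area: str        # AFI + IDI + HODSP, e.g. "49.0001" (1-13 bytes in the Cisco format)
    system_id: str   # 6 bytes as three dotted groups, e.g. "0000.0000.0001"
    nsel: str        # one byte; "00" marks a NET

    @property
    def afi(self) -> str:
        return self.area[:2]

    @property
    def is_net(self) -> bool:
        return self.nsel == "00"


def parse_nsap(text: str) -> Nsap:
    """Split 'AFI[.xxxx...].SYS1.SYS2.SYS3.NSEL': the last byte is the NSEL, the
    three 2-byte groups before it are the system ID, everything else is the area."""
    parts = text.strip().lower().split(".")
    if len(parts) < 5:
        raise ValueError(f"{text!r}: need at least AFI, three system-ID groups and NSEL")
    nsel, sys_groups, area_groups = parts[-1], parts[-4:-1], parts[:-4]
    if not BYTE.fullmatch(nsel):
        raise ValueError(f"{text!r}: NSEL must be one byte")
    if not all(GROUP.fullmatch(g) for g in sys_groups):
        raise ValueError(f"{text!r}: system ID must be three 4-digit groups (6 bytes)")
    if not BYTE.fullmatch(area_groups[0]) or not all(GROUP.fullmatch(g) for g in area_groups[1:]):
        raise ValueError(f"{text!r}: area must be an AFI byte followed by 2-byte groups")
    area_bytes = 1 + 2 * (len(area_groups) - 1)
    if area_bytes > 13:
        raise ValueError(f"{text!r}: area address is {area_bytes} bytes, Cisco allows 1-13")
    return Nsap(".".join(area_groups), ".".join(sys_groups), nsel)


def check_area(routers: Dict[str, Nsap]) -> List[str]:
    """Apply the rules: every IS has a NET (NSEL 00), one area address shared by
    all routers of the area, and system IDs unique within the area."""
    issues: List[str] = []
    if not routers:
        return issues
    ref_name = next(iter(routers))
    ref_area = routers[ref_name].area
    seen: Dict[str, str] = {}
    for name, n in routers.items():
        if not n.is_net:
            issues.append(f"{name}: NSEL {n.nsel} is not 00, so this is not a NET")
        if n.area != ref_area:
            issues.append(f"{name}: area {n.area} differs from {ref_area} on {ref_name}")
            continue  # uniqueness of system IDs is only required within one area
        if n.system_id in seen:
            issues.append(f"{name}: system ID {n.system_id} duplicates {seen[n.system_id]}")
        else:
            seen[n.system_id] = name
    return issues


def lan_id(system_id: str, circuit_id: int) -> str:
    """7-octet LAN ID: system ID plus one circuit ID byte (0x00 denotes the router itself)."""
    if not 0 <= circuit_id <= 0xFF:
        raise ValueError("circuit ID is one octet")
    return f"{system_id}.{circuit_id:02x}"


if __name__ == "__main__":
    net = parse_nsap("49.0001.0000.0000.0001.00")
    print(net, "NET" if net.is_net else "NSAP", "LAN ID", lan_id(net.system_id, 1))
```

Run check_area over the NETs collected from every router's configuration before bringing an area up; a duplicate system ID or a stray area address is exactly the kind of mistake the show clns neighbors output later on this page will otherwise make you hunt for.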

Basic operation of OSI routing

OSI routing levels
1- OSI level 0 routing:
• It begins when the ES discovers the nearest IS.
• When an ES needs to send a packet to another ES, it sends the packet to its nearest IS; this process is known as level 0 routing.
2- OSI level 1 routing:
• Routing between ISs within the same area
• It is called intra-area routing
• The system ID is used to route within an area, while the area ID is not considered
3- OSI level 2 routing:
• Routing between different areas
• It is called inter-area routing
• The area portion of the OSI address is considered, while the system ID is not considered
4- OSI level 3 routing:
• Routing between separate domains
• It is not supported by Cisco

• Level 0 routing is conducted by ES-IS
• Level 1 routing is performed by IS-IS
• Level 2 routing is performed by IS-IS
• Level 3 routing is performed by IDRP (Inter-Domain Routing Protocol)
ES-IS discovery protocol operation
• It permits ESs and ISs to discover one another (form adjacencies).
ES-IS performs that function by:
a) Identifying the area prefix to the ES
b) Creating adjacencies between ES and IS
c) Creating data-link to network address mapping (as ARP does)
• ES-IS forms adjacencies between end systems (ESs) and routers (ISs).
• ESs transmit ESHs to ISs.
• ISs transmit ISHs to ESs.
• ISs transmit IIHs to other ISs.
IS-IS Features
• Link-state routing protocol based on the OSI model
• Uses Dijkstra's SPF algorithm
• A router can only exist in one area
• Supports two routing levels: level 1 and level 2 routing
• Level 1 router (like OSPF internal non-backbone routers):
- A router that builds an L1 LSDB containing system IDs only and the router interfaces to reach these system IDs, because it routes inside the area only.
• Level 2 router (like an OSPF ABR):
- A router that builds an L2 LSDB about areas only and the interfaces to reach these areas, because it routes between areas only.
• Level 1/Level 2 router (like OSPF backbone routers):
- A router that builds both L1 and L2 LSDBs, so it supports both intra-area and inter-area routing. Each L1/L2 router advertises a default route to all routers inside its area; it acts like an Area Border Router (ABR) in a totally stubby area.
• The IS-IS backbone is not an area; it is the continuous path containing all L2 and L1/L2 routers, so extending it is very flexible.
OSI IS-IS routing process
1- When an ES needs to send a packet to another ES, the packet goes to the nearest L1 router, determined by ES-IS.
2- When an L1 router receives a packet, it compares the area ID of the destination with its own area ID.
- If they are equal, the router uses its L1 database to route by system ID.
- Otherwise, it routes the packet to the nearest L1/L2 router.
3- When an L1/L2 router receives a packet, it compares the area ID of the destination with its own.
- If equal, it uses the L1 database to route by system ID.
- Otherwise, it uses the L2 database to route by area ID, and the packet travels across the L2 backbone until it reaches the destination area.
4- When the packet arrives in the destination area, level 1 routing is used again to route the packet to its final destination.
Traffic flow process example
Consider traffic from router R7 to router R9.
1. R7 recognizes that the prefix (49.00CC) of R9 is not the same as the prefix (49.00BB) of R7. R7 therefore passes the traffic to the closest Level 1-2 router, R5. R7 uses its Level 1 topology database to find the best path to R5.
2. R5 uses its Level 2 topology database to pick the best next hop to reach the prefix 49.00CC: R3. R5 does not use the destination system ID in this decision.
3. R3 uses its Level 2 topology database to pick the best next hop to reach the prefix 49.00CC: R1. R3 does not use the destination system ID in this decision.
4. R1 uses its Level 2 topology database to pick the best next hop to reach the prefix 49.00CC: R8. R1 does not use the destination system ID in this decision.
5. R8 recognizes that the prefix (49.00CC) of R9 is the same as the prefix (49.00CC) of R8. R8 therefore passes the traffic to R9 using its Level 1 topology database to find the best path.
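The four-step routing process and the R7-to-R9 walk are a decision procedure, and it is instructive to run it. The model below is an added example of mine, not course code. It keeps one L1 LSDB per area (system IDs) and one L2 LSDB (area entry points), runs Dijkstra on each, and forwards a packet hop by hop: same area means an L1 lookup by system ID, an L1 router in another area heads for its nearest L1/L2 router (the default route those routers inject), and an L2-capable router looks up the destination area only. Only the area addresses 49.00BB and 49.00CC and the router names come from the slide; the area 49.00AA, the routers R2, R4 and R6, the links and the metrics are my assumptions, chosen so that the R7 to R9 walk reproduces steps 1 to 5.

```python
# Added example (not part of the course slides): the level 1/level 2
# forwarding decision described in steps 1-4 above, applied hop by hop on a
# constructed topology that reproduces the R7 -> R9 walk.  Only the area
# addresses 49.00BB and 49.00CC and the router names come from the slide; the
# extra routers, area 49.00AA, links and metrics are my assumptions.
import heapq
from typing import Dict, List, Optional, Tuple

Graph = Dict[str, Dict[str, int]]
# name -> (area address, router level)
ROUTERS: Dict[str, Tuple[str, str]] = {
    "R7": ("49.00BB", "L1"), "R6": ("49.00BB", "L1"), "R5": ("49.00BB", "L1L2"),
    "R3": ("49.00AA", "L2"), "R4": ("49.00AA", "L2"), "R1": ("49.00AA", "L2"),
    "R8": ("49.00CC", "L1L2"), "R2": ("49.00CC", "L1"), "R9": ("49.00CC", "L1"),
}
# (a, b, metric, adjacency level); links are symmetric
LINKS = [
    ("R7", "R6", 10, "L1"), ("R6", "R5", 10, "L1"), ("R7", "R5", 30, "L1"),
    ("R5", "R3", 10, "L2"), ("R5", "R4", 10, "L2"), ("R3", "R1", 10, "L2"),
    ("R4", "R1", 30, "L2"), ("R1", "R8", 10, "L2"),
    ("R8", "R9", 10, "L1"), ("R8", "R2", 10, "L1"), ("R2", "R9", 10, "L1"),
]


def area(r: str) -> str:
    return ROUTERS[r][0]


def level(r: str) -> str:
    return ROUTERS[r][1]


def build_lsdbs() -> Tuple[Dict[str, Graph], Graph]:
    """One L1 LSDB per area (system IDs only) and a single L2 LSDB (areas)."""
    l1: Dict[str, Graph] = {}
    l2: Graph = {}
    for a, b, cost, lvl in LINKS:
        if lvl == "L1":
            if area(a) != area(b) or "L1" not in level(a) or "L1" not in level(b):
                raise ValueError(f"L1 adjacency {a}-{b} must stay inside one area")
            g = l1.setdefault(area(a), {})
        else:
            if "L2" not in level(a) or "L2" not in level(b):
                raise ValueError(f"L2 adjacency {a}-{b} needs L2-capable routers")
            g = l2
        g.setdefault(a, {})[b] = cost
        g.setdefault(b, {})[a] = cost
    return l1, l2


def dijkstra(graph: Graph, src: str) -> Tuple[Dict[str, int], Dict[str, str]]:
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, w in graph.get(u, {}).items():
            if d + w < dist.get(v, float("inf")):
                dist[v], prev[v] = d + w, u
                heapq.heappush(heap, (d + w, v))
    return dist, prev


def first_hop(graph: Graph, src: str, dst: str) -> Optional[str]:
    dist, prev = dijkstra(graph, src)
    if dst == src or dst not in dist:
        return None
    node = dst
    while prev[node] != src:
        node = prev[node]
    return node


def nearest(graph: Graph, src: str, candidates: List[str]) -> Optional[str]:
    dist, _ = dijkstra(graph, src)
    reachable = [(dist[c], c) for c in candidates if c in dist]
    return min(reachable)[1] if reachable else None


def forward(src: str, dst: str, l1: Dict[str, Graph], l2: Graph) -> List[Tuple[str, str]]:
    """Walk a packet from src to dst, recording the decision taken at each router."""
    trace, cur = [], src
    while cur != dst:
        if area(cur) == area(dst):          # steps 2/3, areas equal: L1 lookup by system ID
            nh = first_hop(l1[area(cur)], cur, dst)
            why = "same area: L1 LSDB lookup by system ID"
        elif level(cur) == "L1":            # step 2, areas differ: head for the nearest L1/L2 router
            exits = [r for r in l1[area(cur)] if level(r) == "L1L2"]
            gw = nearest(l1[area(cur)], cur, exits)
            nh = first_hop(l1[area(cur)], cur, gw) if gw else None
            why = f"other area: L1 path toward nearest L1/L2 router {gw}"
        else:                               # step 3, areas differ: L2 lookup by area only
            entries = [r for r in l2 if level(r) == "L1L2" and area(r) == area(dst)]
            target = nearest(l2, cur, entries)
            nh = first_hop(l2, cur, target) if target else None
            why = f"L2 LSDB lookup for area {area(dst)} (entry router {target})"
        if nh is None:
            raise RuntimeError(f"{cur} has no route toward {dst}")
        trace.append((cur, why))
        cur = nh
    return trace


def path(src: str, dst: str) -> List[str]:
    l1, l2 = build_lsdbs()
    return [hop for hop, _ in forward(src, dst, l1, l2)] + [dst]


if __name__ == "__main__":
    l1_db, l2_db = build_lsdbs()
    for router, decision in forward("R7", "R9", l1_db, l2_db):
        print(f"{router}: {decision}")
```

The trace for R7 to R9 passes R6 (cheaper than the direct 30-cost link to R5), then R5, R3, R1 and R8, and every L2 decision mentions only the area 49.00CC, never R9's system ID, which is the point steps 2 to 4 make.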
IS-IS network types
1- Point-to-point
2- BMA (Broadcast Multiple Access)
3- NBMA (Non-BMA): we have only two modes
3.1- Broadcast mode for a full-mesh topology on multipoint interfaces (simulates BMA)
3.2- Point-to-point mode for partial-mesh point-to-point subinterfaces (simulates point-to-point)

IS-IS operation
1) Forming adjacencies (neighbor discovery):
Send L1 IIH (IS-to-IS Hello), L2 IIH, or both on broadcast media every 10 sec.
Send a P2P hello on point-to-point media every 10 sec.
2) Elect the DIS (Designated IS), called the pseudonode:
- The router having the highest priority (0-127), default 64
- Then the highest MAC address or SNPA address
Note that all routers form adjacencies with the DIS and with each other too, but only the DIS generates the pseudonode LSP (like a type 2 LSA in OSPF). The DIS also decreases adjacency overhead, but it is not guaranteed to stay the DIS if a better IS appears on the LAN, and no backup DIS is elected.
For L1 there is a DIS, and for L2 there may be another DIS, or it could be the same DIS for both L1 and L2.

All updates are sent to a multicast MAC address that is understood by all ISs and also by the DIS.

Later we will discuss the full function of the DIS after covering adjacency formation.

On a LAN, separate Level 1 and Level 2 IIHs are sent periodically as multicasts to a multicast MAC address. Level 1 announcements are sent to the AllL1IS multicast MAC address 0180.C200.0014, and Level 2 announcements are sent to the AllL2IS multicast MAC address 0180.C200.0015.

These values are helpful in troubleshooting commands to distinguish the DIS from other ISs (helps only in show commands):
The DIS will have circuit ID = system ID + 1 non-zero byte, e.g. (0x01)
Others have circuit ID = system ID + 1 byte (0x00)
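The DIS election rule (highest priority, then highest SNPA) and its two consequences noted above, no backup DIS and no guarantee that the current DIS keeps the role, are small enough to model exactly. The script below is an added example of mine, not course code; the segment it elects over is constructed, with three routers at the default priority 64 (one lowered to 60) and made-up MAC addresses in Cisco dotted form.

```python
# Added example (not part of the course slides): the DIS election rule above
# (highest priority, then highest SNPA/MAC) on a constructed LAN segment, plus
# the consequence the slide notes: there is no backup DIS and the election is
# not sticky, so a router joining with a better priority takes over at once.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class LanNeighbor:
    system_id: str   # 6-byte system ID, Cisco dotted form
    priority: int    # 0-127, default 64
    snpa: str        # MAC address on the segment, e.g. "0000.0c92.de4c"

    def __post_init__(self) -> None:
        if not 0 <= self.priority <= 127:
            raise ValueError(f"{self.system_id}: priority must be 0-127")


def snpa_as_int(snpa: str) -> int:
    """Turn 0000.0c92.de4c / 00:00:0c:92:de:4c into a comparable integer."""
    digits = "".join(c for c in snpa if c not in ".:-")
    if len(digits) != 12:
        raise ValueError(f"{snpa!r} is not a 48-bit MAC")
    return int(digits, 16)


def elect_dis(neighbors: List[LanNeighbor]) -> Optional[LanNeighbor]:
    """Highest priority wins; the highest SNPA breaks a tie."""
    if not neighbors:
        return None
    return max(neighbors, key=lambda n: (n.priority, snpa_as_int(n.snpa)))


def pseudonode_id(dis: LanNeighbor, circuit_id: int) -> str:
    """LAN ID carried in the pseudonode LSP: DIS system ID plus a non-zero circuit ID byte."""
    if not 1 <= circuit_id <= 0xFF:
        raise ValueError("pseudonode circuit ID must be 1-255")
    return f"{dis.system_id}.{circuit_id:02x}"


def after_join(segment: List[LanNeighbor], newcomer: LanNeighbor) -> Tuple[str, bool]:
    """Re-run the election once a router joins; returns (DIS system ID, was the old DIS replaced?)."""
    before = elect_dis(segment)
    after = elect_dis(segment + [newcomer])
    return after.system_id, after != before


# Constructed segment: two routers at the default priority, one lowered to 60.
SEGMENT = [
    LanNeighbor("0000.0000.0001", 64, "0000.0c92.de4c"),
    LanNeighbor("0000.0000.0002", 64, "0010.7bb5.9e20"),
    LanNeighbor("0000.0000.0004", 60, "ffff.ffff.fff0"),
]

if __name__ == "__main__":
    dis = elect_dis(SEGMENT)
    print("DIS:", dis.system_id, "pseudonode", pseudonode_id(dis, 1))
    print("after a priority-100 router joins:",
          after_join(SEGMENT, LanNeighbor("0000.0000.0005", 100, "0000.0000.0001")))
```

The second print shows the operational point: any router that joins the segment with a higher priority becomes DIS immediately and re-originates the pseudonode LSP, so on a segment where that is not wanted, priorities are set deliberately rather than left at 64 everywhere.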
3) Forming the LSDB (route discovery):
Each router exchanges IS-IS packets with the others to form the L1 and L2 LSDBs.
- CSNP (Complete Sequence Number PDU), like a DDP or DBD: used to describe the complete list of LSPs in the LSDB of a router. On a BMA network the DIS sends a CSNP periodically every 10 seconds to assure synchronization inside the segment.
- PSNP (Partial Sequence Number PDU), like an LSR and LSAck: used to request missing parts of the database and also used as an acknowledgement.
- Link State Packet (LSP), like an LSU: contains full information for certain parts of the LSDB, described in TLV (Type/Length/Value) fashion.

The LSP will contain an LSP header and all available TLVs (which form the LSDB).
The figure shows examples of three types of PDUs (all with IEEE 802.2 Logical
Link Control [LLC] encapsulation). IS-IS and ES-IS PDUs are encapsulated
directly in a data-link PDU (frame); there is no Connectionless Network
Protocol (CLNP) header and no IP header. (In
other words, IS-IS and ES-IS do not put routing information in IP or CLNP
packets; rather, they put routing information directly in a data link layer frame.)
True CLNP (data) packets contain a full CLNP header between the data-link
header and any higher-layer CLNS information.
The IS-IS and ES-IS PDUs contain variable-length fields, depending on the
function of the PDU. Each field contains a type code, a length, and the
appropriate values; this information is known as the TLVs.

In IS-IS, characteristics of a router are defined by an LSP. The router's LSP contains an LSP header and TLV fields.

An LSP header includes the following:
— The PDU type and length
— The LSP ID
— The LSP sequence number, used to identify duplicate LSPs and to ensure that the latest LSP information is stored in the topology table
— The remaining lifetime for the LSP, which is used to age out LSPs

TLV variable-length fields contain elements including:
— The neighbor ISs of the router, which are used to build the map of the network
— The neighbor ESs of the router
— Authentication information, which is used to secure routing updates
— Attached IP subnets (optional for Integrated IS-IS)

(Figure: LSP layout showing the LSP header followed by the IS Neighbors TLV, the ES Neighbors TLV and further TLVs.)
Adjacency on a broadcast link
The DIS sends a CSNP periodically every 10 sec, so any new IS that enters the segment hears that CSNP from the DIS, compares the CSNP sequence numbers with its own LSDB, and requests any missing LSDB parts using a PSNP sent to a multicast MAC address. That PSNP is heard by all ISs, but only the DIS responds, with the LSPs. If the new IS has more in its LSDB, or a change occurs, it sends LSPs to the multicast MAC address, so all ISs including the DIS hear them and accept them into their LSDBs (all ISs hear the LSP at the same time). That is why it can be said that all ISs form adjacencies with each other, and why no backup DIS is needed: all ISs are synchronized at the same time.

Adjacency on a point-to-point link
The adjacency in that case is much more straightforward, because there are only two neighbors on the link.

4) Form the routing table:
- Apply Dijkstra to find the best paths to ISs based on the metric (default, delay, expense, error). Cisco uses only the default metric, which is a fixed count defaulting to 10 per interface.
- Apply PRC (Partial Route Calculation) to find the best path to leaf nodes such as ESs.
Integrated IS-IS characteristics
• Link-state routing protocol
• Supports both IP routing and CLNS routing
• Administrative distance of IS-IS for CLNS = 110
• Administrative distance of IS-IS for IP = 115
• Entry in the IP routing table is "i L1" or "i L2"
• Sends updates to a unicast address in the case of point-to-point links; on broadcast media it uses multicast 0180.C200.0014 for L1 announcements and 0180.C200.0015 for L2 announcements; Integrated IS-IS uses 224.0.0.19 (all IP L1 ISs), 224.0.0.20 (all IP L2 ISs) and 224.0.0.21 (all IP ISs).
• Classless
• Reliable
• An IS can only belong to a single area
• More scalable than OSPF (its backbone is a path that can easily be extended)
• Less CPU intensive than OSPF (uses PRC for IP networks and subnets)
• Forms adjacencies with all neighbors
• Supports manual route summarization
• The metric could be default, delay, expense or error, but Cisco supports by default only the metric called default (referred to as cost) = 10 per interface, which can be changed manually (0-63)
• Each router still needs a NET address in order to run Dijkstra on ISs
• Each interface needs a unique IP in order to run PRC on IP subnets
• Recommended maximum number of routers per area = 1000
• LSP refresh is done every 15 minutes; the maximum age for an LSP entry in the database is 20 minutes
Configuration
1) Activate routing
(config)#clns routing
(config)#ip routing
2) Activate the routing protocol on the interface
(config-if)#ip router isis
(config-if)#clns router isis
3) Define a node address
(config)#router isis [tag]
(config-router)#net <NET address>
! Only one process is supported for IS-IS !
4) Optional
- Choose the router level:
(config-router)#is-type {level-1 | level-1-2 | level-2-only}
The default is level-1-2; setting a single level saves memory and CPU on routers that do not need level-1-2.
- Choose the interface level on an L1/L2 router:
(config-if)#isis circuit-type {level-1 | level-1-2 | level-2-only}
The default is level-1-2.
- Change the IS-IS metric:
(config-if)# isis metric metric [delay-metric [expense-metric [error-metric]]] {level-1 | level-2}
(config-if)#isis metric {1-63} {level-1 | level-2}
The default is 10.
Or, Router(config-router)# metric default-value {level-1 | level-2}
• Alternatively, this configures the metric globally for all interfaces.
- Summarization:
(config-router)#summary-address <network address> <mask>
Configuration Example
(Figure: topology with networks 12.0.0.0/8 and 11.0.0.0/8 reached over interfaces S0 and S1.)

R2# show ip protocols

Routing Protocol is "isis"
Sending updates every 0 seconds
Invalid after 0 seconds, hold down 0, flushed after 0
Outgoing update filter list for all interfaces is
Incoming update filter list for all interfaces is
Redistributing: isis
Address Summarization:
None
Routing for Networks:
Serial0
Serial1 Level-1
Ethernet0
Routing Information Sources:
Gateway Distance Last Update Level-1
11.0.0.1 115 00:11:44
13.0.0.1 115 00:11:44
14.0.0.1 115 00:11:44
Distance: (default is 115)

R1#show ip route isis

i L1 11.0.0.0/8 [115/70] via 13.0.0.2, Serial0
via 14.0.0.2, Serial1
i L2* 0.0.0.0/0 [115/35] via 13.0.0.2, Serial0

Verification and troubleshooting
In show commands, Cisco replaces the system ID with the configured hostname to make troubleshooting easier, so the hostname is an essential part of the configuration.
• #sh ip protocols, #sh clns protocols
• #sh ip route
• #sh isis route !display level 1 routing table!
• #sh clns route !display level 2 routing table!
• #sh isis topology
• #debug isis adj packets
Troubleshooting Example

R1# show clns route

CLNS Prefix Routing Table
49.0001.0000.0000.0001.00, Local NET Entry

R1# show isis route

IS-IS Level-1 Routing Table - version 312
System Id Next-Hop Interface SNPA Metric State
R2 R2 Se0 *HDLC* 10 Up L2-IS
R4 R4 Se1 *HDLC* 10 Up
R1 --
Default route out of area - (via 1 L2-attached IS)
System Id Next-Hop Interface SNPA Metric State
R2 Se0 *HDLC* 10 Up

R2# show clns route

CLNS Prefix Routing Table
49.0001.0000.0000.0002.00, Local NET Entry
49.0002 [110/10]
via R5, IS-IS, Up, Ethernet0
49.0001 [110/0]
via R2, IS-IS, Up

R2# show isis route

IS-IS Level-1 Routing Table - version 47
System Id Next-Hop Interface SNPA Metric State
R4 R4 Se1 *HDLC* 10 Up
R1 R1 Se0 *HDLC* 10 Up

R2# show clns neighbors

System Id Interface SNPA State Holdtime Type Protocol
R1 Se0 *HDLC* Up 28 L1 IS-IS
R4 Se1 *HDLC* Up 22 L1 IS-IS
R5 Et0 0000.0c92.de4c Up 20 L2 IS-IS

R2# show clns interface serial 0

Serial0 is up, line protocol is up
Checksums enabled, MTU 1500, Encapsulation HDLC
ERPDUs enabled, min. interval 10 msec.
RDPDUs enabled, min. interval 100 msec., Addr Mask enabled
Congestion Experienced bit set at 4 packets
CLNS fast switching disabled
CLNS SSE switching disabled
DEC compatibility mode OFF for this interface
Next ESH/ISH in 12 seconds
Routing Protocol: IS-IS
Circuit Type: level-1
Interface number 0x1, local circuit ID 0x101
Level-1 Metric: 10, Priority: 64, Circuit ID: R2.00
Number of active level-1 adjacencies: 1
Next IS-IS Hello in 5 seconds

R2# show clns protocol

IS-IS Router: <Null Tag>
System Id: 0000.0000.0001.00 IS-Type: level-1-2
Manual area address(es):
49.0001
Routing for area address(es):
49.0001
Interfaces supported by IS-IS:
Serial0 - IP
Ethernet0 - IP
Redistribute:
static (on by default)
Distance for L2 CLNS routes: 110
RRR level: level-1
Generate narrow metrics: level-1-2
Accept narrow metrics: level-1-2
Generate wide metrics: none
Accept wide metrics: none

R1# show isis topology

IS-IS paths to level-1 routers
System Id Metric Next-Hop Interface SNPA
R1 --
R2 10 R2 Se0 *HDLC*
R4 10 R4 Se1 *HDLC*

R2# show isis topology

IS-IS paths to level-1 routers
System Id Metric Next-Hop Interface SNPA
R1 10 R1 Se0 *HDLC*
R2 --
R4 10 R4 Se1 *HDLC*
IS-IS paths to level-2 routers
System Id Metric Next-Hop Interface SNPA
R2 --
R5 10 R5 Et0 0010.7bb5.9e20
Manipulating Multiple Routing Protocols (Redistribution)
Why do we need multiple routing protocols?

A) Migration
- From FLSM to VLSM
- From a flat design to a hierarchical design (to facilitate route summarization, which enhances network scalability)
B) Boundary between ASs
C) Different departments might have different routing needs
D) UNIX host-based routing (a center containing UNIX servers) runs RIP only, but your network requires another protocol for inter-routing
E) Mixed router vendor environment (use EIGRP on Cisco routers, use OSPF on non-Cisco routers)
Redistribution
• It is the mechanism that allows connecting different domains, so that the different routing protocols can exchange and advertise routing updates as if they were a single protocol.
• Redistribution is performed on the router that lies at the boundary between different domains or runs multiple protocols.

Methods of redistribution
• One-way redistribution: redistributes networks learned by a certain protocol in a single direction.
• Two-way redistribution: redistributes all routes from a routing process into another and vice versa.

Redistributing vs. redistributed protocol
• Redistributing protocol: the native protocol that will transform another protocol's routes into its own form.
• Redistributed protocol: the non-native protocol whose routes will be transformed into the other protocol's form.
- Note: in order for any route to be redistributed, it must exist in the routing table of the redistributing router.
Configuring Redistribution

• Redistribution supports all protocols: RIP, IGRP, EIGRP, OSPF, IS-IS, ISO-IGRP, ODR, BGP, static and connected.
RtrA(config-router)# redistribute ?
bgp Border Gateway Protocol (BGP)
connected Connected
egp Exterior Gateway Protocol (EGP)
eigrp Enhanced Interior Gateway Routing Protocol (EIGRP)
igrp Interior Gateway Routing Protocol (IGRP)
isis ISO IS-IS
iso-igrp IGRP for OSI networks
mobile Mobile routes
odr On Demand stub Routes
ospf Open Shortest Path First (OSPF)
rip Routing Information Protocol (RIP)
static Static routes

• But consider the following:
1- Redistribution varies slightly among different protocols.
2- Only protocols that support the same stack are redistributed:
- IP RIP and OSPF
- IPX RIP cannot be redistributed with OSPF
- IP EIGRP cannot be redistributed with IPX EIGRP or AppleTalk EIGRP
3- Redistribution occurs automatically between:
- IGRP and EIGRP if both are in the same AS
- Static into RIP
- Connected into any protocol using the network command
4- Redistribution of classless updates into a classful protocol could cause problems.
Redistribution issues
1) Administrative distance:
The redistributed protocol's routes inherit the administrative distance of the redistributing protocol.
2) Metric:
A seed metric (initial metric) is assigned to a redistributed route; that metric is then incremented according to the normal policies of the redistributing protocol.
• The seed metric is set by:
1- The default-metric command
2- The redistribute command, using the metric option or the route-map option (which override the default-metric command)

Default seed metrics, if the redistributing protocol is:
- RIP: the metric is infinity
- IGRP/EIGRP: the metric is infinity
- OSPF: the metric is 20 (external type 2) for all except BGP, which gets 1 (type 2); subnets are not redistributed by default
- IS-IS: the metric is 0 (level 2)
So RIP/IGRP/EIGRP do not advertise a redistributed route unless a seed metric is configured.
Redistribution command:
(config)#router <redistributing protocol>
(config-router)#redistribute <redistributed protocol> [process id]
[metric <seed metric>] ! Initial metric for redistributed routes !
[match {internal | external 1 | external 2}]
! If OSPF is redistributed: match internal to redistribute O and O IA routes,
match external 1 to redistribute O E1 routes,
match external 2 to redistribute O E2 routes !
[metric-type {1 | 2}] ! Metric type for routes redistributed into OSPF !
[subnets] ! Consider subnets for redistribution into OSPF !
[route-map <map name>] ! Use a route filter with redistribution !
[tag <tag value>] ! Set a tag for redistributed routes !
Redistributing into RIP
(Figure: default seed metric when redistributing into RIP.)

Redistributing into OSPF
• Default metric is 20.
• Default metric type is 2.
• Subnets do not redistribute by default.

Redistributing into EIGRP
• Bandwidth in kilobytes = 10000
• Delay in tens of microseconds = 100
• Reliability = 255 (maximum)
• Load = 1 (minimum)
• MTU = 1500 bytes

Redistributing into IS-IS
(Figure: metric 10.)
• Routes are introduced as level 2 with a metric of 0 by default.
Example: Before Redistribution
(figure not reproduced; residual text: B Routing Table, R 10.0.0.8, For Redistribution, Ospf1)

Example: Routing Tables after Route Redistribution
(figure not reproduced; residual text: R 10.0.0.8)

Example: Routing Tables after Summarizing Routes and Redistributions
(figure not reproduced)
IPv6 IGP Redistribution
IPv6 routing protocols can perform route redistribution, much like IPv4
route redistribution. The following list summarizes some of those key
similarities between both IPv4 and IPv6 route redistribution:
■ Redistribution takes routes from the IP routing table, not from the
topology tables and databases controlled by the source routing protocol.
■ Route maps can be applied when redistributing for the purpose of
filtering routes, setting metrics, and setting route tags.
■ The same basic mechanisms exist in IPv6 to defeat routing loop
problems: administrative distance, route tags, and filtering.
■ The routing protocols use the same default administrative distance (AD)
settings for internal and external routes.
■ The redistribution configuration uses practically the same syntax with
the same commands.
Some differences do exist, both in configuration and in concept, as
follows:
■ Any matching done with distribution lists or route maps would use IPv6
prefix lists and IPv6 ACLs, which match based on IPv6 prefix and length.
■ The IPv6 version of the redistribute command takes only routes learned
from an IGP but by default does not take connected routes on
interfaces enabled for that IGP. To also redistribute those connected
routes, the redistribute command must include the include-connected
parameter. When an IPv4 routing protocol redistributes from an IGP, it
always attempts to take both the IGP-learned routes and the connected
routes for interfaces enabled for that IGP.
■ Unlike OSPFv2, OSPFv3 does not require a subnets parameter on the
redistribute command, because IPv6 does not maintain the IPv4 concept
of classful networks and the subnets inside those classful networks.
Configuration without route map:
R2(config)# ipv6 router rip left
R2(config-rtr)# redistribute ospf 5 include-connected

Configuration with route map:
R2# show run
ipv6 router ospf 5
router-id 2.2.2.2
redistribute rip left route-map only-RIP-lan include-connected
!
ipv6 router rip left
redistribute ospf 5 metric 3 include-connected
ipv6 prefix-list rip-to-ospf seq 5 permit 2000::/64
ipv6 prefix-list rip-to-ospf seq 10 permit 2000:0:0:4::/64
!
route-map only-RIP-lan permit 10
match ipv6 address prefix-list rip-to-ospf
set metric 200
First, the configuration shows an IPv6 prefix list and a route map that uses
a match ipv6 command that refers to the prefix list. The route map
matches the two LAN subnets in the RIP domain with the first route map
clause and sets the metric to 200. The implied deny clause at the end of
the route map matches all other routes, which makes R2 filter all other
routes from being redistributed into OSPF. As a result, the serial IPv6
subnet, 2000:0:0:1::/64, is filtered by the redistribution process. The show
ipv6 route ospf command on R3 will confirm that R3 learned routes for
both LAN subnets in the RIP domain but no other routes. Of particular
interest, note that OSPFv3 lists the route as OSPF external Type 2,
because just like OSPFv2, OSPFv3 defaults to redistribute routes as
external Type 2 routes. Note also that the output lists metrics for each
route as 200, because R2 set the metric to 200, and OSPF does not add
anything to the metric of E2 routes.
Controlling routing updates traffic & Policy Based Routing (PBR)
Controlling routing updates traffic
1-Default and static routes
2-Passive interfaces
3-Changing admin. distance
4-Route filtering (Distribute list)
5-Route filtering (Prefix List)
6-Route Maps

Passive interfaces
(config-router)#passive-interface <interface name>
(config-router)#passive-interface default

Note:
A passive interface causes RIP and IGRP to stop sending updates on that
interface, but updates can still be received on it.
A passive interface may also be used with OSPF, IS-IS and EIGRP, but there
it also stops the sending of hellos, so no adjacency can be formed with a
neighbor on a passive interface and no updates are sent or received.
Using admin. distance to influence the route selection
• For EIGRP & BGP:
(config-router)#distance eigrp <internal distance> <external distance>
(config-router)#distance bgp <internal distance> <external distance>
• For OSPF:
(config-router)#distance ospf external <value> inter-area <value> intra-area <value>
• For all protocols, to change the distance of certain networks only:
(config-router)#distance <value> [<source of updates address> <wildcard mask>]
[<access-list number or name matching the advertised routes>]

Remember that changing the admin distance helps to avoid redistribution problems.
Example: Redistribution Using Administrative Distance
Redistribution using two exit points will cause sub-optimal paths,
routing feedback and possibly routing loops.
Router P3R1 & Router P3R2
router ospf 1
redistribute rip metric 10000 metric-type 1 subnets
network 172.31.0.0 0.0.255.255 area 0
!
router rip
version 2
redistribute ospf 1 metric 5
network 10.0.0.0
no auto-summary

We will perform redistribution and use a higher administrative
distance for the redistributed routes (same configuration on P3R1 and P3R2):
hostname P3R1 ! P3R2 is configured the same way
!
router ospf 1
redistribute rip metric 10000 metric-type 1 subnets
network 172.31.0.0 0.0.255.255 area 0
distance 125 0.0.0.0 255.255.255.255 64
!
router rip
version 2
redistribute ospf 1 metric 5
network 10.0.0.0
no auto-summary
!
access-list 64 permit 10.3.1.0
access-list 64 permit 10.3.3.0
access-list 64 permit 10.3.2.0
access-list 64 permit 10.200.200.31
access-list 64 permit 10.200.200.34
access-list 64 permit 10.200.200.32
access-list 64 permit 10.200.200.33
Distribute List
• It allows an access-list to be applied to routing updates: an ACL on its
own does not filter traffic sourced by the router itself, but a distribute
list can perform that action.
• A distribute list allows update filtering based on:
-incoming interface
-outgoing interface
-redistribution from another routing protocol

Note: If a distribute list is used with OSPF on incoming updates, the
update is still entered into the LSDB (so that OSPF keeps a complete
database), but the filtered routes are not entered in the routing table.

Configuring Distribute list
• (config-router)#distribute-list <access-list number or name>
{out <interface name | routing protocol process> | in <interface name>}
Distribute list action
(flowchart not reproduced; its decision points: routing update arrives; is
there a filter for that interface or routing process? is there an entry for
this route in the ACL? permit in ACL: process the route normally; deny in
ACL: drop the route)
Example1
• Hide network 10.0.0.0 from router C using interface filtering
(figure not reproduced; residual text: Eigrp 1)
B(config)#router eigrp 1
B(config-router)#network 172.16.0.0
B(config-router)#network 192.168.5.0
B(config-router)#distribute-list 7 out s0
B(config)#access-list 7 deny 10.0.0.0 0.255.255.255
B(config)#access-list 7 permit any

Example2
Controlling Redistribution with Distribute Lists
(figure not reproduced)
Prefix Lists
• Used to filter a range of routes, which is impossible with a normal ACL;
an ACL also cannot specify the subnet mask of the updates to be filtered,
whereas a prefix list matches both the subnet and its mask.
(config)#ip prefix-list <list name> description <description statement>
(config)#ip prefix-list <list name> [seq <seq. no.>] <deny/permit> <prefix>/<prefix length> [ge <prefix length>] [le <prefix length>]
! Seq. no. is optional; it starts at 5 for the first statement
and is incremented by 5 for further statements !
Note: implicit deny at the end

The keyword le (less than or equal) indicates that the range of
prefix lengths to be matched runs from the length specified after
the prefix to the length specified after the le keyword. The ge
keyword (greater than or equal) specifies the minimum length
of the prefix in a range of addresses. If it is used with no le
keyword, it is assumed that the maximum length for the range
of prefixes matched is 32 bits, the maximum number of bits in
an IPv4 prefix. When used with the le keyword, the maximum
matched length of the range is specified after le.

Activate Prefix list:
(config-router)#neighbor <ip of neighbor> prefix-list <name> <in/out>
! Mainly used with BGP !
Or using distribute-list ! Used with any routing protocol !
(config-router)#distribute-list prefix <name> {in/out} <interface name>
Or using a route map (discussed later) – the most commonly used option
Example 1
• Deny default route
(config)#ip prefix-list ccnp1 deny 0.0.0.0/0
! To deny exactly 0.0.0.0/0 !
(config)#ip prefix-list ccnp1 permit 0.0.0.0/0 le 32
! To permit all routes !

Example 2
• Deny 172.16.0.0/24 from an update containing
172.16.0.0/24, 172.16.0.0/20 & 172.16.0.0/16
(config)#ip prefix-list ccnp2 permit 172.16.0.0/16 le 20
(config)#ip prefix-list ccnp2 deny 0.0.0.0/0 le 32
! To deny all other routes (the last command is not needed,
as the implicit deny exists by default) !

For displaying a prefix-list:
#sh ip prefix-list
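As an added example (not code from the slides), here is a small Python model of the prefix-list matching just described: it parses the ccnp1 and ccnp2 lists from Examples 1 and 2 plus the IPv6 rip-to-ospf list from the IPv6 redistribution configuration above, with the ge/le semantics as the slide states them. The regex, class and function names are this example's own.

```python
"""Cisco-style IP prefix-list matcher (added example; not code from the slides).

Semantics as the slide describes them: an entry  <prefix>/<len> [ge X] [le Y]
matches a route that lies inside <prefix>/<len> and whose own length is
  exactly <len>     when neither ge nor le is given,
  X .. max bits     with ge X only (32 for IPv4, 128 for IPv6),
  <len> .. Y        with le Y only,
  X .. Y            with both.
Entries are tested in sequence-number order, the first match wins, and a
route that matches no entry hits the implicit deny at the end.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

# One CLI line: ip|ipv6 prefix-list <name> [seq N] permit|deny <prefix> [ge X] [le Y]
CLI_RE = re.compile(
    r"^(?:ip|ipv6)\s+prefix-list\s+(?P<name>\S+)(?:\s+seq\s+(?P<seq>\d+))?"
    r"\s+(?P<action>permit|deny)\s+(?P<net>\S+)"
    r"(?:\s+ge\s+(?P<ge>\d+))?(?:\s+le\s+(?P<le>\d+))?\s*$")


@dataclass
class Entry:
    seq: int
    action: str
    net: Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
    lo: int  # smallest route length this entry matches
    hi: int  # largest route length this entry matches

    def matches(self, route) -> bool:
        if route.version != self.net.version:
            return False
        # The route must sit inside the entry's prefix and have a length in range.
        return route.subnet_of(self.net) and self.lo <= route.prefixlen <= self.hi


class PrefixList:
    def __init__(self, name: str) -> None:
        self.name = name
        self.entries: List[Entry] = []

    def add(self, action: str, net_str: str, ge: Optional[int] = None,
            le: Optional[int] = None, seq: Optional[int] = None) -> Entry:
        net = ipaddress.ip_network(net_str, strict=False)
        lo = net.prefixlen if ge is None else ge
        if le is not None:
            hi = le
        else:
            hi = net.max_prefixlen if ge is not None else net.prefixlen
        if not net.prefixlen <= lo <= hi <= net.max_prefixlen:
            raise ValueError(f"invalid ge/le range for {net_str}")
        if seq is None:  # unnumbered entries get 5, 10, 15, ... as the slide notes
            seq = max((e.seq for e in self.entries), default=0) + 5
        entry = Entry(seq, action, net, lo, hi)
        others = [e for e in self.entries if e.seq != seq]  # same seq replaces
        self.entries = sorted(others + [entry], key=lambda e: e.seq)
        return entry

    def evaluate(self, route_str: str) -> str:
        """'permit' or 'deny' for one route: top-down, first match wins."""
        route = ipaddress.ip_network(route_str, strict=False)
        for entry in self.entries:
            if entry.matches(route):
                return entry.action
        return "deny"  # implicit deny at the end of every prefix list


def parse_prefix_lists(config_lines: List[str]) -> Dict[str, PrefixList]:
    """Build prefix lists from CLI lines; other lines (description, ...) are skipped."""
    lists: Dict[str, PrefixList] = {}
    for line in config_lines:
        m = CLI_RE.match(line.strip())
        if not m:
            continue
        pl = lists.setdefault(m["name"], PrefixList(m["name"]))
        pl.add(m["action"], m["net"],
               ge=int(m["ge"]) if m["ge"] else None,
               le=int(m["le"]) if m["le"] else None,
               seq=int(m["seq"]) if m["seq"] else None)
    return lists


# Constructed sample: the ccnp1/ccnp2 lists from the examples above plus the
# IPv6 rip-to-ospf list from the IPv6 redistribution slide.
SAMPLE_CONFIG = """
ip prefix-list ccnp1 deny 0.0.0.0/0
ip prefix-list ccnp1 permit 0.0.0.0/0 le 32
ip prefix-list ccnp2 permit 172.16.0.0/16 le 20
ipv6 prefix-list rip-to-ospf seq 5 permit 2000::/64
ipv6 prefix-list rip-to-ospf seq 10 permit 2000:0:0:4::/64
""".strip().splitlines()

LISTS = parse_prefix_lists(SAMPLE_CONFIG)


def check(list_name: str, route: str) -> str:
    """Run one route through one of the sample prefix lists."""
    return LISTS[list_name].evaluate(route)
```

Running check("ccnp2", "172.16.0.0/24") returns "deny" while the /20 and /16 return "permit", and the serial subnet 2000:0:0:1::/64 is denied by rip-to-ospf, matching the slide's explanation.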

Route Maps
• The common uses of route maps:
1-Redistribution route filtering:
filtering of routing updates (a more sophisticated alternative to a
distribute list) & update modification (modify metrics, metric types, ...)
2-PBR (Policy Based Routing) – here the route maps are called policy maps
Routed traffic filtering and shaping
3-NAT
A route map can be used with NAT, instead of an access-list, to select
the users that can be translated
4-BGP policy implementation

Route Maps C/Cs
• They work like sophisticated ACLs (permit/deny/modify)
- A route map is composed of a list of statements
- It consists of main statements, each containing some conditions
- Top-down processing, like an access list
- Once there is a match (the first match applies), the route map is left
• Lines are sequence-numbered for easier editing (insertion and
deletion of lines)
• Route maps are named, not numbered
• Match and set criteria are used; they are similar to an if-then
scripting language
Route map for Redistribution configuration
1)Create route map
(config)#route-map <map-tag> <permit/deny> [seq. no.]
(config-route-map)#match <condition>
(config-route-map)#set <condition>
• Permit in a route map statement means permit route redistribution
and apply the set
• Deny in a route map statement means deny the route from being
redistributed
! If a match takes place and the main statement is permit, then
redistribute & apply the set; if the main statement is deny, then
filter the route (when the route map is used for redistribution); if no
match, then look for another statement !
! Seq. no. is optional, but if not specified it will be 10, so for
more than one statement it must be specified, otherwise
each statement will override the previous statement !

2)Activate route map for redistribution
(config-router)#redistribute <protocol> [route-map <map-tag>]
Route map configuration
Create route map
(config)#route-map <map-tag> deny [seq. no.]
(config-route-map)#match <condition>
! If the main statement is deny, no set statement is needed !
(config)#route-map <map-tag> permit [seq. no.]
(config-route-map)#match <condition>
! If no set statement exists, no change will be applied !
(config)#route-map <map-tag> permit [seq. no.]
(config-route-map)#set <condition>
! If no match statement exists, that means match any !
(config)#route-map <map-tag> permit [seq. no.]
(config-route-map)#match <condition a> <condition b> <condition c>
(config-route-map)#set <condition>
! Many match conditions on one line mean a logical OR
(match condition a OR b OR c) !
(config)#route-map <map-tag> permit [seq. no.]
(config-route-map)#match <condition x>
(config-route-map)#match <condition y>
(config-route-map)#match <condition z>
(config-route-map)#set <condition d>
(config-route-map)#set <condition e>
! Many match or set statements on separate lines mean a logical AND
(match condition x AND y AND z, then set d AND e) !
(config)#route-map <map-tag> permit [seq. no.]
! No match (meaning match any) and no set (meaning don't modify
anything): the full statement means permit any with no changes !
(config)#route-map <map-tag> deny [seq. no.]
! No match (meaning match any) and deny in the main statement (meaning
filter the route): the full statement means deny any route !
Route map processing for redistribution
(flowchart not reproduced; its decision points: incoming update; is there a
route map? do the match criteria match? are there other statements? permit
in the main statement: apply the set and redistribute; deny in the main
statement: deny the update from being redistributed; no route map: process
the route normally)
Match conditions with Route map for redistribution
(config-route-map)#match interface <int. name>
! Match routes learned on a certain interface in the routing table of the
redistributing router !
(config-route-map)#match ip address <ACL no.>
! Access-list that contains the network IDs of networks in the routing table
of the redistributing router !
(config-route-map)#match ip next-hop <ACL no.>
! Access-list that contains next-hop IPs of next hops existing in the
routing table of the redistributing router !
(config-route-map)#match metric <value>
! Match certain metric values contained in the routing table of the
redistributing router !
(config-route-map)#match route-type <type>
! Match certain route types in the routing table of the redistributing router:
[external | internal | level-1 | level-2 | local] !
Set conditions with Route map for redistribution
(config-route-map)#set level <1/2> ! Change the IS-IS route level !
(config-route-map)#set metric <value> ! Change the metric value !
(config-route-map)#set metric-type <internal/type-1/type-2> ! Change the OSPF route type !
Example1
Use Route maps to avoid redistribution loops
For the following diagram, this configuration would cause routing feedback
and sub-optimal paths; use a route map to avoid these situations.
On A & B we will redistribute and use route filters:
(config)#access-list 1 permit 192.168.1.0 0.0.255.255
(config)#route-map nofeedback deny 10
(config-route-map)#match ip address 1
Or (config-route-map)#match route-type external
(config-route-map)#route-map nofeedback permit 20
(config-route-map)#exit
(config)#router rip
(config-router)#version 2
(config-router)#redistribute ospf 1 metric 4 route-map nofeedback
(config-router)#router ospf 1
(config-router)#redistribute rip subnets
Example2
Use Route map to form redistribution policy
Redistribute RIP updates into OSPF using the following policy:
1.Routes 10.1.0.0/16 & 172.16.1.0/24 are redistributed
with an OSPF cost of 500, external type 1
2.Route 10.0.0.0/16 is not redistributed
3.All other routes are redistributed with an OSPF metric
of 5000
(config)#access-list 1 permit 10.1.0.0 0.0.255.255
(config)#access-list 2 permit 172.16.1.0 0.0.0.255
(config)#access-list 3 permit 10.0.0.0 0.0.255.255
(config)#router ospf 10
(config-router)#redistribute rip subnets route-map CCNP
(config)#route-map CCNP permit 10
(config-route-map)#match ip address 1 2
(config-route-map)#set metric 500
(config-route-map)#set metric-type type-1
(config-route-map)#route-map CCNP deny 20
(config-route-map)#match ip address 3
(config-route-map)#route-map CCNP permit 30
(config-route-map)#set metric 5000
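Added example (not code from the slides): a Python model of the route-map processing described on the previous slides, run over this Example 2 policy. It also shows the wildcard-mask ACL check that a distribute list applies to a route's network address. Apart from the ACL numbers and the CCNP map tag, every name here is this example's own.

```python
"""Route-map evaluation for redistribution (added example; not code from the slides).

Models the processing the slides describe: statements are tried in
sequence-number order; several ACLs on one 'match ip address' line are ORed;
separate match lines are ANDed; the first matching statement decides (permit
= redistribute and apply its set clauses, deny = filter the route); a route
matching no statement is filtered by the implicit deny. Standard ACLs use
Cisco wildcard masks (1 bits = don't care) and are tested against the route's
network address, which is also the check a distribute list applies.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class AclEntry:
    action: str
    address: int
    wildcard: int


@dataclass
class Statement:
    seq: int
    action: str
    match_lines: List[List[str]] = field(default_factory=list)  # ACLs on one line are ORed
    sets: Dict[str, object] = field(default_factory=dict)


def acl_result(entries: List[AclEntry], addr: int) -> str:
    """Standard ACL lookup: the first entry whose 'care' bits equal the address wins."""
    for e in entries:
        care = ~e.wildcard & 0xFFFFFFFF
        if addr & care == e.address & care:
            return e.action
    return "deny"  # implicit deny at the end of the ACL


def parse_config(lines: List[str]):
    """Read access-list, route-map, match ip address and set lines in CLI form."""
    acls: Dict[str, List[AclEntry]] = {}
    maps: Dict[str, List[Statement]] = {}
    current: Optional[Statement] = None
    for raw in lines:
        p = raw.split()
        if not p:
            continue
        if p[0] == "access-list":  # access-list <no> permit|deny <addr> [<wildcard>]
            wildcard = p[4] if len(p) > 4 else "0.0.0.0"
            acls.setdefault(p[1], []).append(AclEntry(
                p[2], int(ipaddress.IPv4Address(p[3])), int(ipaddress.IPv4Address(wildcard))))
        elif p[0] == "route-map":  # route-map <tag> permit|deny [seq]
            seq = int(p[3]) if len(p) > 3 else 10  # default 10, so a repeat replaces the old one
            current = Statement(seq, p[2])
            kept = [s for s in maps.get(p[1], []) if s.seq != seq]
            maps[p[1]] = sorted(kept + [current], key=lambda s: s.seq)
        elif p[:3] == ["match", "ip", "address"] and current is not None:
            current.match_lines.append(p[3:])
        elif p[0] == "set" and current is not None:  # set metric 500 / set metric-type type-1
            current.sets[p[1]] = int(p[2]) if p[2].isdigit() else p[2]
    return acls, maps


def evaluate(statements: List[Statement], acls: Dict[str, List[AclEntry]], route: str) -> dict:
    """Decide whether one route is redistributed and which set clauses apply."""
    addr = int(ipaddress.ip_network(route, strict=False).network_address)
    for st in statements:
        lines_ok = [any(acl_result(acls[a], addr) == "permit" for a in line)
                    for line in st.match_lines]
        if all(lines_ok):  # no match lines at all means "match any"
            if st.action == "permit":
                return {"redistribute": True, **st.sets}
            return {"redistribute": False}
    return {"redistribute": False}  # implicit deny: nothing matched


# Constructed from the Example 2 policy on this slide.
SAMPLE_CONFIG = """
access-list 1 permit 10.1.0.0 0.0.255.255
access-list 2 permit 172.16.1.0 0.0.0.255
access-list 3 permit 10.0.0.0 0.0.255.255
route-map CCNP permit 10
 match ip address 1 2
 set metric 500
 set metric-type type-1
route-map CCNP deny 20
 match ip address 3
route-map CCNP permit 30
 set metric 5000
""".strip().splitlines()

ACLS, MAPS = parse_config(SAMPLE_CONFIG)


def redistribute_decision(route: str) -> dict:
    """What the CCNP route map does with one RIP route being redistributed into OSPF."""
    return evaluate(MAPS["CCNP"], ACLS, route)
```

redistribute_decision("10.0.0.0/16") returns {"redistribute": False}, while a route outside all three ACLs falls through to sequence 30 and gets metric 5000.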
PBR (Policy Based Routing)
(Policy Map)
• It is used for routed data filtering and shaping, because
organizations today need the freedom to implement
packet forwarding and routing according to their
own policies, in a way that goes beyond traditional
routing concerns
• PBR allows permitting, denying or redirecting traffic
• PBR is implemented by route maps

PBR C/Cs
1-Source based routing
different sources go through different paths
2-QoS
mark different traffic with different TOS values in the IP packets
3-Load Sharing
distribute traffic on multiple paths
4-Cost saving
by distributing traffic among low-bandwidth, low-cost and
high-bandwidth, high-cost connections
Route map for PBR configuration
1)Create route map (policy map)
(config)#route-map <map-tag> <permit/deny> [seq. no.]
(config-route-map)#match <condition>
(config-route-map)#set <condition>
• Permit in a route map statement means apply PBR
by applying the set
• Deny in a route map statement means do not apply PBR
and use the normal routing process

2)Activate route map for PBR
(config)#interface <interface name>
(config-if)#ip policy route-map <map-tag>
(config-if)#ip route-cache policy
! Enables the route-caching feature on the router interface,
which makes policy routing faster !
(config)#ip local policy route-map <map-tag>
! By default, packets sourced by the local router are not
affected by a policy map configured on the same
router; this command forces packets sourced by
the local router to be subject to the policy
configured on that router !
Route-map processing for PBR
(flowchart not reproduced; its decision points: incoming packet; is there a
policy map? do the match criteria match? are there other statements? permit
in the main statement: is there an entry in the routing table? yes: apply the
set, no: discard the packet; deny in the main statement or no policy map:
use the default routing process (destination-based routing table))
Match conditions
(config-route-map)#match ip address [ACL no. or name]
! Access-list containing the IP addresses to be matched against the
incoming packets' source IP !
(config-route-map)#match length <min> <max>
! Check the incoming packet's min & max length !
(config-route-map)#match tos <value>
! Match the TOS value in an incoming IP packet !
(config-route-map)#match ip-precedence <value>
! Match the IP precedence value in an incoming IP packet !
Set conditions
(config-route-map)#set ip next-hop <ip address>
! Redirect the incoming packet to the next-hop IP specified in
the command (only if an exact matching route to the
destination exists in the routing table) !
(config-route-map)#set ip default next-hop <ip address>
! Redirect the incoming packet to the next-hop IP specified in
the command (even if an exact matching route to the
destination does not exist in the routing table) !
(config-route-map)#set interface <type>
! Redirect the incoming packet to the output interface
specified in the command (only if an exact matching route
to the destination exists in the routing table) !
(config-route-map)#set default interface <type>
! Redirect the incoming packet to the output interface
specified in the command (even if an exact matching route
to the destination does not exist in the routing table) !
(config-route-map)#set ip tos <value>
! Change the TOS value in the incoming IP packet (packet
marking or colouring) !
(config-route-map)#set ip precedence <value>
! Change the IP precedence value in the incoming IP packet
(packet marking or colouring) !

Notice that a default route is not an exact routing-entry match.
If more than one interface or next hop has been specified in
the same command, the router will choose the first
active interface or next hop.
Example
For the shown exhibit:
-all traffic using the default route and sourced from subnet
1.1.0.0 should go through ISP A
-all traffic using the default route and sourced from subnet
1.2.0.0 should go through ISP B
-all other traffic must be denied
RouterA(config)# access-list 1 permit 1.1.0.0 0.0.255.255
RouterA(config)# access-list 2 permit 1.2.0.0 0.0.255.255
RouterA(config)# route-map load-sharing permit 10
RouterA(config-route-map)# match ip address 1
RouterA(config-route-map)# set ip default next-hop 6.6.6.6
RouterA(config-route-map)# route-map load-sharing permit 20
RouterA(config-route-map)# match ip address 2
RouterA(config-route-map)# set ip default next-hop 7.7.7.7
RouterA(config-route-map)# route-map load-sharing permit 30
RouterA(config-route-map)# set default interface null0
RouterA(config)# interface ethernet 0
RouterA(config-if)# ip address 1.1.1.1 255.255.255.0
RouterA(config-if)# ip policy route-map load-sharing
RouterA(config)# interface serial 0
RouterA(config-if)# ip address 6.6.6.5 255.255.255.0
RouterA(config)# interface serial 1
RouterA(config-if)# ip address 7.7.7.6 255.255.255.0
Verifying Policy-Based Routing Examples
RouterA# show ip policy
Interface Route map
Ethernet0 load-sharing

RouterA# show route-map
route-map load-sharing, permit, sequence 10
Match clauses:
ip address (access-lists): 1
Set clauses:
ip default next-hop 6.6.6.6
Policy routing matches: 3 packets, 168 bytes
route-map load-sharing, permit, sequence 20
Match clauses:
ip address (access-lists): 2
Set clauses:
ip default next-hop 7.7.7.7
route-map load-sharing, permit, sequence 30
Set clauses:
default interface null0

RouterA# debug ip policy
Policy routing debugging is on
11:51:25: IP: s=1.1.1.1 (Ethernet0), d=190.168.1.1, len 100, policy match
11:51:25: IP: route map load-sharing, item 10, permit
11:51:25: IP: s=1.1.1.1 (Ethernet0), d=190.168.1.1 (Serial0), len 100, policy routed
11:51:25: IP: Ethernet0 to Serial0 6.6.6.6

Also verify with:
#traceroute <ip>
#ping <ip> (with the record option)
BGP (Border Gateway Protocol)
Overview
• BGPv4 is an Exterior Gateway Protocol (EGP) that exchanges
routing updates between different Autonomous Systems, so it
operates mainly at the border of an AS.
• BGP is not designed to choose paths based on bandwidth,
delay and other metrics; paths are chosen based on policy
attributes.
• An AS is a collection of networks under a single technical
administration. An AS is identified by a unique number between 1
and 65535. The range 64512 - 65535 is reserved for private use.
• A newer 32-bit AS numbering has since been introduced; AS
23456 is used for interoperability between the old numbering (16
bit) and the new numbering (32 bit).
IGPs work within an AS.

When is BGP not appropriate?
1-Single connection to the Internet or to another AS
2-Lack of memory and processing power to handle the updates
3-Low bandwidth between ASs
4-Limited understanding of route filtering & the BGP path
selection process
When is BGP most appropriate?
1-An AS allows packets to transit through it to reach
other ASs (e.g. a Service Provider)
2-An AS has multiple connections to other ASs
3-Routing policy & route selection for traffic entering or
leaving the AS must be manipulated
BGP Tables
1-Neighbor table:
List of BGP neighbors ("BGP peers"), configured statically
with the neighbor command & reachable
2-BGP forwarding database table:
- List of all networks learned from each neighbor
- Contains multiple paths to destination networks, with attributes
for each path
- The best paths in that table are advertised to neighbors in routing
updates
3-IP routing table
List of best paths to destination networks

BGP messages
1-Open message
Used to open a BGP session with a neighbor
(includes the holdtime and the BGP router ID)
2-Keepalive message
Periodic message sent to keep the TCP session alive
3-Update message
Contains information about destination networks
and the attributes used to reach these networks
4-Notification message
Sent to signal that an error condition has been detected
by a certain router (i.e. memory or CPU error)
BGP C/Cs
• BGP is a path vector protocol (advanced distance vector).
(IGPs announce networks and describe the cost to reach
those networks; BGP announces pathways and the networks
that are reachable at the end of the pathway. BGP describes
the pathway by using attributes, which are similar to metrics.)
• Reliable updates: BGP runs on top of TCP, port 179.
• BGP has no method for dynamic neighbor discovery; all
neighbors must be defined manually using the neighbor
command.
• Updates are sent as unicast to the statically configured
neighbors.
• Full BGP tables are exchanged at start-up.
• Periodic keepalive messages verify TCP connectivity after
convergence.
• Incremental, batched updates every 30 sec on change.
• Its symbol in the routing table is B.
• External BGP has admin. distance 20.
• Internal BGP has admin. distance 200.
• Uses rich metrics called path attributes.
• Designed to scale to huge internetworks.
• Supports VLSM & CIDR (classless).
• Loop free (uses BGP split-horizon & the AS path list to avoid loops
inside an AS and between ASs).
• BGP allows administrators to define policies or rules
for how data will flow through the Autonomous Systems.
BGP neighbor states
• A BGP peer, also known as a BGP neighbor, is a specific
term that is used for BGP speakers that have established a
neighbor relationship.
• Any two routers that have formed a TCP connection to
exchange BGP routing information are called peers or
neighbors.
BGP starts its operation when neighbors are
statically defined, using the neighbor command.
External BGP
• When BGP neighbors belong to different autonomous
systems they are called EBGP.
• EBGP neighbors, by default, need to be directly connected.
Internal BGP
• IBGP refers to the presence of BGP neighbors within the
same AS.
• The neighbors do not have to be directly connected, because they
can be reached through an IGP.
Configuring BGP neighbors
(figure not reproduced; its captions: "This means C is configuring A as eBGP",
"This means A is configuring B as iBGP and C as eBGP",
"This means B is configuring A as iBGP")
BGP Start up Operation
after the neighbor command is entered:
(config)#router bgp <as#>
(config-router)#neighbor <neighbor ip> remote-as <neighbor as#>
Phase 1: Neighbor discovery:
Idle state:
the router is searching the IP routing table to see if a route exists to
reach the neighbor
Connect state:
the router found the route and has completed the TCP 3-way handshake
Open sent:
the open message is sent
Active state:
waiting for confirmation of the parameters to establish the session
Open confirm:
agreement on the parameters to establish the session is received
Established state:
peering is formed and routing exchange begins
RouterA# debug ip bgp events
BGP events debugging is on
BGP : 172.16.1.2 passive open
BGP : 172.16.1.2 went from idle to connect
BGP : 172.16.1.2 open rcvd, version 4
BGP : 172.16.1.2 went from connect to open sent
BGP : 172.16.1.2 sending open, version 4
BGP : 172.16.1.2 went from open sent to open confirm
BGP : Scanning routing tables
BGP : 172.16.1.2 went from open confirm to established
Why could a router be stuck in the Active state?
• Neighbor peering with the wrong address
• Neighbor does not have a neighbor statement for this router
• Neighbor does not have a route to the source IP address of the
BGP open packet generated by this router
BGP Considerations:
Neighborship considerations:
1- Neighbor command in BGP
2- Neighbor reachability (a route to the neighbor should exist
in the routing table: connected, static or IGP)
3- A fixed source for BGP messages and updates is
required (update-source)
4- Adjusting the TTL if the neighbor is eBGP (ebgp-multihop)

BGP Update Considerations:
1- Advertise using the BGP network command.
2- Use full mesh, Route Reflectors or Confederation to
avoid BGP split horizon and data black holes.
3- Disable synchronization.
4- BGP next-hop behavior (next-hop-self on BGP
borders)
1-Source of updates behaviour
• A router will never accept an update from a source unless that source
address is identified in its neighbor command (in its neighbor list).
• When a BGP packet is received for a new BGP session, the source
address of the packet is compared to the list of neighbor statements.
– If a match is found, a relationship is established.
– If no match is found, the packet is ignored.
• Make sure the source IP address matches the address that the other
router has in its neighbor statement.
• To identify the source of updates for a certain neighbor:
(config)#router bgp <as#>
(config-router)#neighbor <neighbor ip> update-source <interface name>
This command allows the BGP process to use the IP address of a
specified interface as the source IP address of all BGP updates to that
neighbor.
• A loopback interface is usually used, as it will be available as long as
the router is operational.
• The IP address used in this command will be the destination IP
address of all BGP updates and should be the loopback interface of
the other router.
• The update-source command is normally used only with IBGP
neighbors.
• The address of an EBGP neighbor must be directly connected by
default. The loopback of an EBGP neighbor is not directly connected.
2-eBGP multihop
• Because eBGP neighbors must be directly connected, using
multiple links between the two neighbors, or using a loopback
as the source of updates, causes a problem for the BGP open
message and the advertised updates, since all eBGP messages
are sent with TTL=1 by default (non-routable messages).
We can use the following command:
(config-router)#neighbor <neighbor ip> ebgp-multihop [no. of hops]
But there will never be an IGP or connected route that reaches that
hop, so a static route is required to reach it. The default is 255 hops
when ebgp-multihop is used; in fact the number of hops is a TTL, and
the default TTL is 1 when that command is not used.
The only acceptable dynamic routing protocol between ASs
is BGP, so for the BGP session to be established we need to
reach the neighbor using a static route.
3-Authenticating in BGP
• BGP authentication uses MD5.
• Configure a key (password); the router generates a message
digest, or hash, of the key and the message.
• The message digest is sent; the key is not sent.
• The router generates and checks the MD5 digest of every
segment sent on the TCP connection, and so authenticates
the source of each routing update packet that it receives.
Router(config-router)# neighbor {ip-address | peer-group-name} password string
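Added example (not code from the slides): the TCP MD5 signature option (RFC 2385) that the neighbor password command turns on, built and verified in Python over a constructed BGP KEEPALIVE segment. It shows that only the digest crosses the wire and that a peer with a different key rejects the segment; the addresses, ports, key and helper names are this example's assumptions.

```python
"""TCP MD5 signature option (RFC 2385), the mechanism behind
'neighbor ... password'. Added example; not code from the slides.

Both peers compute a 16-byte MD5 digest over the TCP pseudo-header, the TCP
header (options excluded, checksum zeroed), the segment data and the shared
key. Only the digest travels, in TCP option kind 19; the receiver recomputes
it with its own key and drops the segment on mismatch. The addresses, ports,
key and the BGP KEEPALIVE payload below are constructed.
"""
import hashlib
import hmac
import socket
import struct

MD5_OPTION_KIND = 19   # TCP option kind for the MD5 signature
MD5_OPTION_LEN = 18    # kind(1) + length(1) + digest(16)
BGP_PORT = 179
# A BGP KEEPALIVE message: 16-byte all-ones marker, length 19, type 4.
BGP_KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)


def tcp_md5_digest(src_ip: str, dst_ip: str, base_header: bytes,
                   seg_len: int, payload: bytes, key: bytes) -> bytes:
    """RFC 2385 section 2: pseudo-header, header (checksum=0, no options), data, key."""
    if len(base_header) != 20:
        raise ValueError("base TCP header must be 20 bytes")
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len))
    header = base_header[:16] + b"\x00\x00" + base_header[18:]  # zero the checksum field
    return hashlib.md5(pseudo + header + payload + key).digest()


def build_segment(src_ip: str, dst_ip: str, src_port: int, dst_port: int,
                  seq: int, ack: int, payload: bytes, key: bytes) -> bytes:
    """Sender side: PSH/ACK segment with NOP, NOP and the MD5 option (20 option bytes)."""
    options_len = 2 + MD5_OPTION_LEN            # two NOPs pad the option to a 4-byte boundary
    data_offset = (20 + options_len) // 4       # header length in 32-bit words
    base = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset << 4, 0x18, 65535, 0, 0)
    seg_len = 20 + options_len + len(payload)   # full TCP length, as in the checksum pseudo-header
    digest = tcp_md5_digest(src_ip, dst_ip, base, seg_len, payload, key)
    options = b"\x01\x01" + bytes([MD5_OPTION_KIND, MD5_OPTION_LEN]) + digest
    return base + options + payload             # checksum left 0; a real stack fills it in last


def verify_segment(src_ip: str, dst_ip: str, segment: bytes, key: bytes) -> bool:
    """Receiver side: find option 19, recompute the digest with our key, compare."""
    base = segment[:20]
    hdr_len = (base[12] >> 4) * 4
    options, payload = segment[20:hdr_len], segment[hdr_len:]
    received = None
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                           # end of option list
            break
        if kind == 1:                           # NOP
            i += 1
            continue
        length = options[i + 1]
        if kind == MD5_OPTION_KIND and length == MD5_OPTION_LEN:
            received = options[i + 2:i + MD5_OPTION_LEN]
        i += length
    if received is None:
        return False                            # unsigned segment while a key is configured
    expected = tcp_md5_digest(src_ip, dst_ip, base, len(segment), payload, key)
    return hmac.compare_digest(received, expected)


# Constructed peering 192.0.2.1 -> 192.0.2.2 with KEY configured on both sides.
KEY = b"ccnp-demo-key"
SEGMENT = build_segment("192.0.2.1", "192.0.2.2", 40000, BGP_PORT,
                        1000, 2000, BGP_KEEPALIVE, KEY)


def demo() -> dict:
    """Accepted with the right key; rejected with a wrong key or a tampered payload."""
    tampered = SEGMENT[:-1] + bytes([SEGMENT[-1] ^ 0x01])
    return {
        "right_key": verify_segment("192.0.2.1", "192.0.2.2", SEGMENT, KEY),
        "wrong_key": verify_segment("192.0.2.1", "192.0.2.2", SEGMENT, b"other-key"),
        "tampered": verify_segment("192.0.2.1", "192.0.2.2", tampered, KEY),
        "key_on_wire": KEY in SEGMENT,
    }
```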

Phase 2: Routes Discovery
BGP considerations for updates
4-Advertise routes in BGP updates (populate the BGP table)
4.1-Redistribute IGP routes into BGP
4.2-Use the network command (recommended)
(config)#router bgp <as#>
(config-router)#network <network address> [mask <subnet mask>]
Note: If no mask is specified, the classful default mask is assumed.
Note: There must be an exact match for that route in the IP routing
table, learned by an IGP (non-BGP), for BGP to place
that route in the BGP table and advertise it to eBGP neighbors.
RouterB(config)# router bgp 65000
RouterB(config-router)# neighbor 10.1.1.2 remote-as 64520
RouterB(config-router)# neighbor 192.168.2.2 remote-as 65000
RouterB(config-router)# network 172.16.10.0 mask 255.255.255.0
RouterB(config-router)# network 192.168.1.0
RouterB(config-router)# network 192.168.3.0
RouterB(config-router)# no synchronization


5-Advertise summarized routes
(CIDR and Aggregate address)
• With BGP4, routes can be aggregated by any AS on any BGP
router.
• BGP4 is classless, supports VLSM and longest-match routing,
and carries a network mask for each network in the update.
• Auto summary is enabled by default at discontiguous network
boundaries.
• To disable auto-summary:
(config-router)#no auto-summary
• Manual summarization
Method 1: Recommended method of summarization for BGP
(config)#router bgp <as#>
(config-router)#aggregate-address <summary address> <mask> [summary-only] [as-set]
-Creates an aggregate (summary) entry in the BGP table
-Does not need an exact match in the routing table, because a
BGP null route is generated automatically; a null static route is not
needed, but at least one of the specific routes must exist.
-Use the summary-only option to advertise only the summary and
not the specific routes
-Add the as-set option to include a list of all the autonomous system
numbers that the more specific routes have passed through.

Method 2:
(config)#router bgp <as#>
(config-router)#network <address> [mask <mask>]
This command was not designed to perform summarization by
itself; the aggregate-address command was designed for
summarization.
• To use the network statement for summarization, the
network number and mask used must already exist exactly
in the routing table.
• If the route was already summarized by EIGRP or OSPF,
that summarization can be announced into BGP with the
network and mask commands.
• If the route was not already summarized, a null static route
must be created for BGP to announce this summarization.
(config)#ip route <address> <mask> null0
Cautions about the network statement
• If a network statement is used for summarization, do not configure both the more specific entries and the summarized route as network statements: if both are used, the summarized route and the more specific routes will all be announced (the network command does not suppress the components the way aggregate-address summary-only does).
• 192.168.24.0/22 does not exist in the IP routing table without the null route, and BGP will not announce the network unless the summarized route is already present in the routing table.
• The output below shows components marked suppressed ("s"), which only happens with aggregate-address summary-only: the /22 is the only advertised (best, ">") route and the four /24 components stay in the table but are not sent.

routerC# show ip bgp
BGP table version is 28, local router ID is 172.16.2.1
Status codes: s suppressed, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop    Metric LocPrf Weight Path
*> 192.168.24.0/22  0.0.0.0          0        32768 i
s> 192.168.24.0     0.0.0.0          0        32768 i
s> 192.168.25.0     0.0.0.0          0        32768 i
s> 192.168.26.0     0.0.0.0          0        32768 i
s> 192.168.27.0     0.0.0.0          0        32768 i

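The prefix arithmetic behind these cautions, as an added Python example that is not from the course notes. Given the routes installed in the IP routing table, it reports whether a network statement would find the summary exactly, whether a Null0 static route is needed, and whether aggregate-address has at least one component to work from; the optional bgp_learned argument flags prefixes learned from other ASes that the summary would swallow, because a summary covering space you do not own announces a route for someone else's prefixes. The function, its argument names and the sample routing table are this example's own.

```python
"""Summary/aggregate pre-check for BGP (added example, not course material)."""
import ipaddress


def summary_check(summary, routing_table, bgp_learned=()):
    """summary: 'prefix/len' to advertise.
    routing_table: prefixes installed from non-BGP sources (connected/static/IGP).
    bgp_learned: prefixes learned from other ASes (must not be swallowed by our summary).
    """
    # strict=True rejects a summary with host bits set, e.g. 192.168.25.0/22
    agg = ipaddress.ip_network(summary, strict=True)
    installed = {ipaddress.ip_network(p) for p in routing_table}
    foreign = {ipaddress.ip_network(p) for p in bgp_learned}

    components = sorted(p for p in installed if p != agg and p.subnet_of(agg))
    exact_match = agg in installed
    covered_foreign = sorted(p for p in foreign if p.subnet_of(agg))

    return {
        # `network <addr> mask <mask>` only works with an exact RIB match
        "network_statement_works": exact_match,
        # otherwise `ip route <addr> <mask> null0` must supply that match
        "null0_route_needed": not exact_match,
        # `aggregate-address` needs at least one component already in BGP
        "aggregate_address_works": bool(components),
        "components": [str(p) for p in components],
        # non-empty means the summary would claim prefixes that are not ours
        "covers_foreign_prefixes": [str(p) for p in covered_foreign],
    }


# Constructed routing table matching the slide: four /24 components, no /22 yet
RIB = ["192.168.24.0/24", "192.168.25.0/24", "192.168.26.0/24",
       "192.168.27.0/24", "192.168.28.0/24", "172.16.2.0/24"]

if __name__ == "__main__":
    print(summary_check("192.168.24.0/22", RIB))
    print(summary_check("192.168.24.0/22", RIB + ["192.168.24.0/22"]))
    print(summary_check("192.168.24.0/21", RIB, bgp_learned=["192.168.30.0/24"]))
```

Run it before typing the aggregate into a border router: a non-empty covers_foreign_prefixes list means the summary is too wide, and a ValueError on the summary itself means the address and mask do not line up.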
Understanding BGP requirements for a transit AS
1-BGP runs on the borders of the AS but no IGP
[Figure: A sends B an update about 11.0.0.0, which B must pass on to E across AS 65102]
B has E in its neighbor table (configured with the neighbor command), but for B to send the update about 11.0.0.0 to E, the update is carried in a TCP segment inside an IP packet whose destination address is E. With no IGP running in AS 65102, B has no route to E in its routing table, so the session to E cannot even be established and any updates for E are dropped.
• Conclusion:
An IGP must run inside the AS so that the BGP neighbors are reachable.

2-BGP runs on the borders and an IGP inside the AS
[Figure: 1-update about 11.0.0.0 from A to B; 2-B installs 11.0.0.0 in its routing table; 3-update from B to E; 4-C and D run the IGP but no BGP, so their routing tables have no entry for 11.0.0.0; 5-E installs 11.0.0.0; 6-update from E to F; 7-F installs 11.0.0.0; 8-data from F with destination IP 11.0.0.1]
Updates can now pass from A to B to E (C and D treat the update as an ordinary IP packet destined to E), and from E to F. Returning data from F, however, goes to E and from E to C or D; because C and D have no entry for 11.0.0.0 in their routing tables, packets destined to 11.0.0.0 are dropped, so a black hole for data exists in AS 65102.
• Conclusion:
BGP must run on all routers of the transit AS to avoid black holes, or otherwise redistribution from BGP into the IGP must take place.
• Synchronization rule: (to avoid black holes)
A router cannot advertise an iBGP-learned route to an eBGP neighbor unless the same route exists in its IP routing table from an IGP (non-BGP) source.
To avoid synchronization problems (black holes):
1-Redistribute BGP routes into the IGP (a big headache for IGPs: the full BGP table is very large and IGPs are not designed to carry it).
2-Run BGP on all transit AS routers and disable synchronization:
(config-router)#no synchronization
3-BGP and IGP run on all routers of the transit AS
• BGP split-horizon rule: "avoid routing loops inside the AS"
A route learned from an iBGP neighbor is never advertised to another iBGP neighbor.
If router A advertises a route to its eBGP neighbor B, B must advertise that route to all its other neighbors, so B advertises it to C and D. Because of the split-horizon rule, C and D can never advertise that route again to their iBGP neighbor E, so E never learns the route.
• Conclusion:
BGP must run in a full-mesh fashion (iBGP sessions between all BGP routers in the AS) so that the split-horizon rule does not hide routes.

4-BGP must run in a full-mesh fashion
• Full-mesh BGP problem:
With n routers this needs n(n-1)/2 iBGP TCP sessions, so a lot of CPU, memory and bandwidth overhead takes place in the network.
The solution is to use:
1-Confederations:
Divide the AS into sub-ASes, where each sub-AS speaks eBGP to the other sub-ASes, so loops are avoided according to the eBGP rules (the advertised route carries the list of ASes it has traversed; if a router finds its own AS in the AS-path list it knows the update has looped and discards it).
2-Route reflector:
Configure certain routers (route reflectors) to override the split-horizon rule and reflect iBGP-learned routes to their clients.
Route reflector configuration
• On the route reflector only (the clients need no special configuration)
(config)#router bgp <as#>
(config-router)#neighbor <neighbor ip> route-reflector-client
Next-hop behavior
• BGP is an AS-by-AS routing protocol, not a router-by-router routing protocol, so in BGP the next hop does not mean the next-hop router; it means the IP address used to reach the next AS.
-Router A advertises network 172.16.0.0 to router B over eBGP, with a next hop of 10.10.10.3.
-Router B advertises 172.16.0.0 over iBGP to router C, keeping 10.10.10.3 as the next-hop address.
-So C sees the next hop to reach 172.16.0.0 as 10.10.10.3 (the entry point of the next AS). If C has no route to 10.10.10.3, the path is invalid and will not be used.
To override that behavior
(config-router)#neighbor <neighbor ip> next-hop-self
Forces all updates sent to this neighbor to be advertised with this router as the next hop.
The IP address used for next-hop-self is the same as the source IP address of the BGP session to that neighbor.
So if B has configured
(config-router)# neighbor 172.20.10.2 next-hop-self
then C sees 172.16.0.0 with next hop 172.20.10.1.
Next hop on a multiaccess network
The following takes place on a multiaccess network:
• Router B advertises network 172.30.0.0 to router A over eBGP with a next hop of 10.10.10.2, not 10.10.10.1. This avoids an unnecessary hop, because A, B and the router owning 10.10.10.2 share the same segment.
• BGP is being efficient by informing AS 64520 of the best entry point into AS 65000 for network 172.30.0.0.
• Router B in AS 65000 also advertises to AS 64520 that the best entry point for each network in AS 64600 is the next hop of router C, because that is the best path to transit AS 65000 to AS 64600 from AS 64520.
Example: next-hop-self configuration
[Figure not reproduced in the text]

BGP synchronization (old rule, not needed now)
• Synchronization rule:
Do not use or advertise to any BGP neighbor (iBGP or eBGP) a route learned by iBGP until a matching route has been learned from an IGP.
• Ensures consistency of information throughout the AS
• Avoids black holes within the AS
• Safe to turn off if all routers in the AS run full-mesh iBGP (or route reflectors/confederations). Synchronization has been disabled by default since IOS 12.2(8)T; older releases enabled it by default.
Router(config-router)# no synchronization
• Disables BGP synchronization so a router can advertise routes in BGP without learning them from an IGP, but make sure every transit router in the AS runs BGP, otherwise the black holes return.

Example: BGP synchronization
• If synchronization is on, then:
– Routers A, C, and D would not use or advertise the route to 172.16.0.0 until they receive the matching route via an IGP.
– Router E would not hear about 172.16.0.0.
• If synchronization is off, then:
– Routers A, C, and D would use and advertise the route they receive via iBGP; router E would hear about 172.16.0.0.
– If router E sends traffic for 172.16.0.0, routers A, C, and D would route the packets correctly to router B.
BGP peer groups
• If there are many neighbors, the configuration becomes a big overhead and configuration mistakes can happen.
• A peer group is a template of configuration parameters that is assigned to a group of neighbors.
• Useful when many neighbors have the same outbound policies.
• Members can have a different inbound policy.
• Its target is to simplify configuration.
• It also lets the router build one update for the whole peer group at once (less processing).

Configuration without peer groups for 15 neighbors
(config)#router bgp <as#>
(config-router)#neighbor <ip> remote-as <as>                      *15 times
(config-router)#neighbor <ip> route-reflector-client               *15 times
(config-router)#neighbor <ip> update-source loopback0              *15 times
(config-router)#neighbor <ip> next-hop-self                        *15 times
(config-router)#neighbor <ip> route-map <name> <in/out>            *15 times
(config-router)#neighbor <ip> prefix-list <name> <in/out>          *15 times
(config-router)#neighbor <ip> distribute-list <name> <in/out>      *15 times
• We may need about 105 commands on a single router.

Configuration with peer groups for 15 neighbors
(config)#router bgp <as>
(config-router)#neighbor <peer group name> peer-group
(config-router)#neighbor <peer group name> remote-as <as#>
(config-router)#neighbor <ip> peer-group <peer group name>          *15 times
(config-router)#neighbor <peer group name> route-reflector-client
(config-router)#neighbor <peer group name> update-source loopback0
(config-router)#neighbor <peer group name> next-hop-self
(config-router)#neighbor <peer group name> ebgp-multihop
(config-router)#neighbor <peer group name> route-map <name> <in/out>
(config-router)#neighbor <peer group name> prefix-list <name> <in/out>
(config-router)#neighbor <peer group name> distribute-list <name> <in/out>
• The peer group must be created (peer-group keyword) before parameters are attached to it.
• We need fewer than 30 commands on a single router (the 15 membership lines plus one copy of each template line) instead of about 105.

Example:
Router C without a peer group
router bgp 65100
 neighbor 192.168.24.1 remote-as 65100
 neighbor 192.168.24.1 update-source loopback 0
 neighbor 192.168.24.1 next-hop-self
 neighbor 192.168.24.1 distribute-list 20 out
 neighbor 192.168.25.1 remote-as 65100
 neighbor 192.168.25.1 update-source loopback 0
 neighbor 192.168.25.1 next-hop-self
 neighbor 192.168.25.1 distribute-list 20 out
 neighbor 192.168.26.1 remote-as 65100
 neighbor 192.168.26.1 update-source loopback 0
 neighbor 192.168.26.1 next-hop-self
 neighbor 192.168.26.1 distribute-list 20 out

Router C using a peer group
router bgp 65100
 neighbor internal peer-group
 neighbor internal remote-as 65100
 neighbor internal update-source loopback 0
 neighbor internal next-hop-self
 neighbor internal distribute-list 20 out
 neighbor 192.168.24.1 peer-group internal
 neighbor 192.168.25.1 peer-group internal
 neighbor 192.168.26.1 peer-group internal
BGP considerations:
Neighborship considerations:
1- The neighbor command in BGP (the remote-as on each side must match the AS the peer really uses, or the OPEN is rejected).
2- Neighbor reachability (a route to the neighbor must exist in the routing table, via connected, static or IGP).
3- A fixed source for BGP messages and updates when peering between loopbacks (update-source).
4- Adjusting the TTL if the eBGP neighbor is not directly connected (ebgp-multihop).

BGP update considerations:
1- Advertise using the BGP network command.
2- Use full mesh, route reflectors or confederations to avoid the BGP split-horizon problem and data black holes.
3- Disable synchronization.
4- BGP next-hop behavior (next-hop-self on BGP border routers).

BGP attributes
1-AS path attribute
• The AS path attribute is well-known mandatory (always present, always propagated).
• It is the list of AS numbers that a route has traversed to reach a router; each AS prepends its own number when advertising the route to an eBGP neighbor.
• The shortest AS path is preferred.
• The AS path list is used to avoid loops between ASes: a router discards an update that already contains its own AS number.
– For example, on router B, the path to 192.168.1.0 is the AS sequence (65500, 64520).

2-Next hop attribute
• The next-hop attribute is well-known mandatory.
• It is the IP address used to reach the next AS for a given network.
• The next hop must be reachable (present in the routing table) for the route to be valid for use.
• For a self-originated route the next hop is 0.0.0.0.
The IP address of the next AS to reach a given network:
• Router A advertises network 172.16.0.0 to router B over eBGP, with a next hop of 10.10.10.3.
• Router B advertises 172.16.0.0 over iBGP to router C, keeping 10.10.10.3 as the next-hop address.

3-Origin attribute
• Well-known mandatory.
• The origin attribute informs all autonomous systems in the internetwork how the prefixes were introduced into BGP; it defines the origin of the path information.
• The origin can be:
-IGP (i): the route is interior to the originating AS; this normally happens when the network command is used to advertise the route.
-EGP (e): the route was learned via EGP (the old exterior protocol); this happens when a route was redistributed from EGP.
-Incomplete (?): the origin is unknown; this happens when the route is redistributed from an IGP or from static routes into BGP.
• The lowest origin is preferred (i < e < ?).

4-Local preference attribute
• Well-known discretionary, and is passed only within the AS.
• Local preference is advertised between iBGP neighbors (never to eBGP neighbors).
• It tells the routers inside the AS which path is preferred to exit the AS (the best way to leave the AS; it influences outbound traffic from the AS).
• Higher local preference is preferred.
• Default local preference = 100.
Any router inside AS 64520 will prefer to exit that AS using the path through A.

5-Weight attribute
• Cisco proprietary attribute.
• Configured locally on the router and not propagated to any BGP neighbor.
• It assigns a weight to the routes received from each neighbor.
• Highest weight is preferred.
• Default weight for self-originated routes is 32768; for other routes the default is 0 (range 0-65535).
A will choose the path through B to reach network 172.20.0.0.

6-Multi-Exit Discriminator (MED) attribute
• The MED is optional, non-transitive.
• It is also called the metric.
• Advertised to eBGP neighbors; a received MED is passed to iBGP neighbors but is not propagated on to a further AS.
• MED is an indication to eBGP neighbors of the preferred path to enter an AS (it affects how others enter your AS; it influences inbound traffic to an AS).
• MED is used to tell eBGP neighbors how to exit their AS to reach networks owned by this AS.
• Lowest MED is preferred.
• Default MED = 0.
• MED is not compared between paths received from different neighboring ASes, unless
(config-router)#bgp always-compare-med
A will choose to exit AS 65000 through B to reach 172.20.0.0.
7-Atomic aggregate attribute
• Well-known discretionary.
• It informs the routers that the originating router performed aggregation (summarization) and that AS path information of the more specific routes may have been lost (aggregate-address without as-set).

8-Aggregator attribute
• Optional transitive.
• It carries the BGP router ID and AS number of the router that performed the aggregation.

9-Community attribute
• Optional transitive.
• Groups routes and tags them so that filtering actions and policies can be applied to the whole group of routes belonging to a certain community.
• By default all routes are members of the community called internet.
BGP route selection process
• The BGP table usually holds multiple paths for each network.
• BGP is not designed to perform load balancing:
• Paths are chosen because of policy.
• Paths are not chosen based on bandwidth.
• The BGP selection process eliminates the multiple paths by attrition until a single best path is left.
• That best path is submitted to the routing table manager and evaluated against the routes of the other routing protocols for the same network (administrative distance).
• The routing protocol with the lowest administrative distance is installed in the routing table.

• Consider only synchronized routes (when synchronization is on), routes with no AS loop (the local AS is not in the AS path) and routes whose next hop is reachable, then:
1-Prefer the highest weight (local to the router)
2-Prefer the highest local preference (global within the AS)
3-Prefer the route originated by the local router (next hop 0.0.0.0)
4-Prefer the shortest AS path
5-Prefer the lowest origin code (i (IGP) < e (EGP) < ? (incomplete))
6-Prefer the lowest MED (only between paths from the same neighboring AS, unless bgp always-compare-med is configured)
7-Prefer an eBGP path over an iBGP path
8-Prefer the path with the lowest IGP metric to the BGP next hop
9-When both paths are external, prefer the oldest (first received) path, which is more stable
10-Prefer the path from the neighbor with the lowest BGP router ID
• Finally only a single path is selected, and no load sharing happens by default.
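The attrition process above, as an added Python example that is not from the course notes. It first drops looped and unreachable paths, then applies the steps in order and stops as soon as one path is left; the MED step is simplified to comparing only when every remaining path comes from the same neighboring AS (or always-compare-med is set). The sample path sets replay the local-preference and MED outputs shown later on this page; the local AS 65100, the peer router IDs and the field names are assumptions made for the example.

```python
"""BGP best-path selection by attrition (added example, not course material)."""
from dataclasses import dataclass
import ipaddress

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}


@dataclass
class Path:
    next_hop: str
    as_path: tuple                 # AS numbers as received, nearest AS first
    weight: int = 0
    local_pref: int = 100
    origin: str = "i"
    med: int = 0
    ebgp: bool = False             # learned from an eBGP (True) or iBGP (False) peer
    igp_metric: int = 0            # IGP cost to reach next_hop
    received_seq: int = 0          # lower = received earlier (older path)
    peer_router_id: str = "0.0.0.0"
    next_hop_reachable: bool = True

    @property
    def locally_originated(self):
        return self.next_hop == "0.0.0.0"


def _keep_min(cands, key):
    """Drop every candidate whose key is worse than the best one (one attrition step)."""
    best = min(key(p) for p in cands)
    return [p for p in cands if key(p) == best]


def best_path(paths, local_as, always_compare_med=False):
    # Step 0: ignore looped updates and paths whose next hop we cannot reach
    cands = [p for p in paths if p.next_hop_reachable and local_as not in p.as_path]
    if not cands:
        return None
    early_steps = [
        lambda p: -p.weight,                         # 1 highest weight
        lambda p: -p.local_pref,                     # 2 highest local preference
        lambda p: 0 if p.locally_originated else 1,  # 3 locally originated
        lambda p: len(p.as_path),                    # 4 shortest AS path
        lambda p: ORIGIN_RANK[p.origin],             # 5 lowest origin code
    ]
    for key in early_steps:
        cands = _keep_min(cands, key)
        if len(cands) == 1:
            return cands[0]
    # 6 lowest MED, but only between paths from the same neighbouring AS
    first_as = {p.as_path[0] if p.as_path else None for p in cands}
    if always_compare_med or len(first_as) == 1:
        cands = _keep_min(cands, lambda p: p.med)
        if len(cands) == 1:
            return cands[0]
    late_steps = [
        lambda p: 0 if p.ebgp else 1,                # 7 eBGP over iBGP
        lambda p: p.igp_metric,                      # 8 closest IGP next hop
        lambda p: p.received_seq if p.ebgp else 0,   # 9 oldest eBGP path
        lambda p: int(ipaddress.ip_address(p.peer_router_id)),  # 10 lowest router ID
    ]
    for key in late_steps:
        cands = _keep_min(cands, key)
        if len(cands) == 1:
            return cands[0]
    return cands[0]   # identical on every criterion: a deterministic pick


LOCAL_AS = 65100   # assumed local AS for the examples below

# Local-preference example: 172.30.0.0 via two iBGP peers, LocPrf 100 vs 400
LOCPREF_PATHS = [
    Path("172.20.50.1", (65005, 65004), local_pref=100, peer_router_id="1.1.1.1"),
    Path("192.168.28.1", (65002, 65003, 65004), local_pref=400, peer_router_id="2.2.2.2"),
]
# Same table, 172.24.0.0: equal LocPrf, so the shorter AS path wins
ASPATH_PATHS = [
    Path("172.20.50.1", (65005,), peer_router_id="1.1.1.1"),
    Path("192.168.28.1", (65002, 65003, 65004), peer_router_id="2.2.2.2"),
]
# MED example: 192.168.24.0 from AS 65001 over two links, MED 100 vs 200
MED_PATHS = [
    Path("172.20.50.2", (65001,), med=100, peer_router_id="1.1.1.1"),
    Path("192.168.28.2", (65001,), med=200, peer_router_id="2.2.2.2"),
]
# A looped update: our own AS already appears in the AS path
LOOPED = [Path("10.1.1.100", (65200, 65100, 65300), peer_router_id="3.3.3.3")]

if __name__ == "__main__":
    for name, paths in [("locpref", LOCPREF_PATHS), ("aspath", ASPATH_PATHS),
                        ("med", MED_PATHS), ("looped", LOOPED)]:
        chosen = best_path(paths, LOCAL_AS)
        print(name, "->", chosen.next_hop if chosen else None)
```

The loop filter in step 0 is the only protection BGP itself offers against an update that has circled back through your own AS; everything after it is policy, which is why a wrongly set weight or local preference silently overrides a shorter AS path.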
BGP attributes
• BGP is not designed to choose paths based on bandwidth, delay or other metrics; paths are chosen based on policy attributes.
• Attributes are classified as follows:
Well-known attributes:
must be recognized by all compliant BGP implementations and are propagated to other neighbors.
-Well-known mandatory
must be present in all update messages (ex.: AS path, next hop, origin)
-Well-known discretionary
may be present in update messages (ex.: local preference, atomic aggregate)
Optional attributes:
recognized by some implementations but not necessarily by every router (depending on the vendor and on the router's position in the AS).
Recognized optional attributes are propagated to other neighbors according to their meaning.
-Optional transitive
if not recognized, marked as partial and still propagated to other neighbors (ex.: aggregator, community)
-Optional non-transitive
discarded if not recognized (ex.: MED (Multi-Exit Discriminator))
-Cisco attribute:
local attribute on Cisco routers; it is not advertised in any update (ex.: weight)
Optimize attributes
Local preference is used in the following ways:
• Within an AS between iBGP speakers
• Used to determine the best path to leave the AS to reach an outside network
• Set to 100 by default; higher values are preferred
(config-router)#bgp default local-preference <value>
or
(config)#route-map <name> {permit/deny} [<seq no.>]
(config-route-map)#match ip address <acl #>
(config-route-map)#set local-preference <local preference>
• bgp default local-preference changes the default value for every route; the route-map form changes it only for the routes it matches, once applied inbound to a neighbor with neighbor <ip> route-map <name> in.
• All routes advertised to iBGP neighbors carry the resulting value.

RouterC# show ip bgp
BGP table version is 7, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop      Metric LocPrf Weight Path
* i172.16.0.0       172.20.50.1             100      0 65005 65004 i
*>i                 192.168.28.1            100      0 65002 65003 i
*>i172.24.0.0       172.20.50.1             100      0 65005 i
* i                 192.168.28.1            100      0 65002 65003 65004 i
* i172.30.0.0       172.20.50.1             100      0 65005 65004 i
*>i                 192.168.28.1            400      0 65002 65003 65004 i

Best (>) paths for networks 172.16.0.0/16 and 172.24.0.0/16 have not changed.
Best (>) path for network 172.30.0.0 has changed to a new next hop of 192.168.28.1, because that path has a higher local preference, 400, and local preference is evaluated before AS path length.
• MED is used when multiple paths exist between two ASes.
• A lower MED value is preferred.
• The default setting for Cisco is MED = 0.
• The metric is non-transitive.
• By default, MED is compared only between paths received from the same neighboring AS, typically one that has multiple eBGP connections with us.
(config-router)#default-metric <value>
or
(config)#route-map <name> {permit/deny} [<seq no.>]
(config-route-map)#match ip address <acl #>
(config-route-map)#set metric <MED value>
• MED is considered the metric of BGP.
• All routes advertised to an eBGP neighbor are set to the value specified with default-metric; the route-map form sets it only for the routes it matches.

RouterZ# show ip bgp
BGP table version is 7, local router ID is 122.30.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop      Metric LocPrf Weight Path
*>i192.168.24.0     172.20.50.2      100    100      0 65001 i
* i                 192.168.28.2     200    100      0 65001 i
* i192.168.25.0     172.20.50.2      200    100      0 65001 i
*>i                 192.168.28.2     100    100      0 65001 i
* i192.168.26.0     172.20.50.2      200    100      0 65001 i
*>i                 192.168.28.2     100    100      0 65001 i
• For all networks: weight is equal (0); local preference is equal (100); the routes are not originated in this AS; the AS path is equal (65001); the origin code is equal (i).
• 192.168.24.0 has a lower metric (MED) through 172.20.50.2 (100) than through 192.168.28.2 (200).
• 192.168.25.0 has a lower metric (MED) through 192.168.28.2 (100) than through 172.20.50.2 (200).
• 192.168.26.0 has a lower metric (MED) through 192.168.28.2 (100) than through 172.20.50.2 (200).
Route maps for BGP policy implementation
1-Create the route map:
(config)#route-map <name> <permit/deny> [seq. no.]
(config-route-map)#match <conditions>
(config-route-map)#set <attributes>
2-Activate the route map on a neighbor:
(config-router)#neighbor <ip/peer group> route-map <name> <in/out>
-Match conditions:
match ip address <acl#>
match community <community-list name>
-Set actions:
set local-preference <no.>
set weight <no.>
set metric <no.>
set as-path prepend <as# [as# ...]>
set community <community value> [additive]
Note: a route map ends with an implicit deny. When it is applied to a neighbor, routes that match no permit entry are dropped, so add a final permit entry without a match statement if the remaining routes should pass through unchanged.

Verification and troubleshooting
#show ip bgp
#show ip bgp summary
#show ip bgp neighbors
#show ip route
#debug ip bgp [events/updates/keepalives]
#clear ip bgp <*/address>
(config-router)#[no] neighbor <ip/peer group> shutdown

RouterA# show ip bgp summary
BGP table version is 23, main routing table version 23
10 network entries and 11 paths using 1242 bytes of memory
4 BGP path attribute entries using 380 bytes of memory
BGP activity 23/13 prefixes, 38/27 paths
0 prefixes revised.

Neighbor      V   AS  MsgRcvd MsgSent TblVer InQ OutQ Up/Down  State/PfxRcd
10.1.1.100    4 65200     211     211     13   0    0 00:01:53 5
192.168.1.18  4 65101     214     226     23   0    0 00:00:13 1
192.168.1.34  4 65101     214     226     23   0    0 00:00:09 1
192.168.1.50  4 65101     214     225     23   0    0 00:00:06 3

If the State/PfxRcd column shows a number, the session is Established and the number is the count of prefixes received from that neighbor; a state name (Idle, Active, OpenSent, ...) means the session is not up.
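A small parser for that summary output, as an added Python example that is not from the course notes. It reads the neighbor rows, treats a numeric last column as Established, and compares each row with an expected peer list, so that a neighbor that is down, that peers from an AS other than the one designed for, or that suddenly delivers fewer prefixes than it should is flagged. The sample text is the page's output plus one constructed neighbor (192.168.1.66) stuck in Active, and the expected-peer table is an assumption.

```python
"""Parse `show ip bgp summary` and flag peers that need attention (added example)."""
import re

# Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
ROW = re.compile(
    r"^(?P<neighbor>\d+\.\d+\.\d+\.\d+)\s+(?P<version>\d)\s+(?P<remote_as>\d+)"
    r"\s+\d+\s+\d+\s+\d+\s+\d+\s+\d+\s+(?P<updown>\S+)\s+(?P<state>\S+)$"
)

# Constructed sample: the four rows from the page plus one neighbor stuck in Active
SAMPLE = """\
Neighbor      V   AS  MsgRcvd MsgSent TblVer InQ OutQ Up/Down  State/PfxRcd
10.1.1.100    4 65200     211     211     13   0    0 00:01:53 5
192.168.1.18  4 65101     214     226     23   0    0 00:00:13 1
192.168.1.34  4 65101     214     226     23   0    0 00:00:09 1
192.168.1.50  4 65101     214     225     23   0    0 00:00:06 3
192.168.1.66  4 65101       0       0      0   0    0 never    Active
"""


def parse_bgp_summary(text):
    """Return {neighbor_ip: {remote_as, established, prefixes, state, up_down}}."""
    peers = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue   # header lines and memory statistics
        state = m.group("state")
        peers[m.group("neighbor")] = {
            "remote_as": int(m.group("remote_as")),
            "established": state.isdigit(),
            "prefixes": int(state) if state.isdigit() else 0,
            "state": "Established" if state.isdigit() else state,
            "up_down": m.group("updown"),
        }
    return peers


def peers_needing_attention(peers, expected):
    """expected: {neighbor_ip: (remote_as, minimum_prefixes)} from the intended design."""
    problems = []
    for nbr, (want_as, min_pfx) in expected.items():
        p = peers.get(nbr)
        if p is None:
            problems.append((nbr, "missing from summary"))
        elif p["remote_as"] != want_as:
            problems.append((nbr, f"unexpected remote AS {p['remote_as']}"))
        elif not p["established"]:
            problems.append((nbr, f"session {p['state']}"))
        elif p["prefixes"] < min_pfx:
            problems.append((nbr, f"only {p['prefixes']} prefixes received"))
    for nbr in peers.keys() - expected.keys():
        problems.append((nbr, "not in expected peer list"))
    return sorted(problems)


EXPECTED = {   # assumed design: (remote AS, minimum prefix count) per peer
    "10.1.1.100": (65200, 5),
    "192.168.1.18": (65101, 1),
    "192.168.1.34": (65101, 1),
    "192.168.1.50": (65101, 3),
    "192.168.1.66": (65101, 1),
}

if __name__ == "__main__":
    for nbr, why in peers_needing_attention(parse_bgp_summary(SAMPLE), EXPECTED):
        print(nbr, why)
```

Comparing against a declared peer list is what turns the command from a status display into a check: a session that came up with a different AS, or a peer nobody configured, is exactly the kind of change a plain "everything Established" glance misses.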


RouterA# show ip bgp
BGP table version is 23, local router ID is 192.168.1.49
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network            Next Hop      Metric LocPrf Weight Path
*> 10.0.0.0           10.1.1.100         0             0 65200 i
*> 172.16.10.0/24     10.1.1.100         0             0 65200 i
*> 172.16.11.0/24     10.1.1.100         0             0 65200 i
*>i172.26.1.16/28     192.168.1.50       0    100      0 i
*>i172.26.1.32/28     192.168.1.50       0    100      0 i
*>i172.26.1.48/28     192.168.1.50       0    100      0 i
*> 192.168.1.0        0.0.0.0            0         32768 i
*> 192.168.2.0        10.1.1.100                       0 65200 65102 i
*> 192.168.2.64/28    10.1.1.100                       0 65200 65102 i
* i192.168.101.0      192.168.1.34       0    100      0 i
*>i                   192.168.1.18       0    100      0 i

The table lists networks from the lowest to the highest; a network with several paths shows each path on its own line, with the network column left blank after the first.
Clearing the BGP session
• When policies such as access lists, timers or attributes are changed, the BGP session must be reset for the change to be applied.
• The change takes effect immediately only for prefixes advertised or received after it, so it can take a long time for the policy to be applied to all networks.
• You must trigger an update to ensure that the policy is immediately applied to all affected prefixes and paths.
• Ways to trigger an update:
– Hard reset
– Soft reset
Router# clear ip bgp {*|neighbor-address} [soft {in | out}]
• Resets all BGP connections of this router using *, or resets only a single neighbor.
• If not using the soft option (hard reset):
- The entire BGP forwarding table is discarded.
- The BGP session transitions from Established to Idle; everything must be relearned. On a production border router this also withdraws every prefix you announce until the session is back up.
Using the soft reset option:
• Routes learned from this neighbor are not lost.
• This router resends all BGP information to the neighbor without resetting the connection.
• The connection remains Established.
• This option is highly recommended when you are changing outbound policy.
• The soft out option does not help if you are changing inbound policy; use soft in, which asks the neighbor to resend its routes (route refresh) or replays the stored inbound copy when neighbor <ip> soft-reconfiguration inbound is configured.
RouterA# show ip bgp neighbors
BGP neighbor is 10.1.1.1, remote AS 65000, external link
  Index 1, Offset 0, Mask 0x2
  BGP version 4, remote router ID 172.16.10.1
  BGP state = Established, table version = 5, up for 00:10:47
  Last read 00:00:48, hold time is 180, keepalive interval is 60 seconds
  Minimum time between advertisement runs is 30 seconds
  Received 16 messages, 0 notifications, 0 in queue
  Sent 15 messages, 1 notifications, 0 in queue
  Prefix advertised 1, suppressed 0, withdrawn 0
  Connections established 1; dropped 0
  Last reset 00:16:35, due to Peer closed the session
  2 accepted prefixes consume 64 bytes

routerA# debug ip bgp updates
BGP updates debugging is on
RTRA# clear ip bgp *
3w5d: BGP: 10.1.1.1 computing updates, neighbor version 0, table version 1, starting at 0.0.0.0
3w5d: BGP: 10.1.1.1 update run completed, ran for 0ms, neighbor version 0, start version 1, throttled to 1, check point net 0.0.0.0
3w5d: BGP: 10.1.1.1 rcv UPDATE w/ attr: nexthop 10.1.1.1, origin i, aggregated by 65000 172.16.10.1, path 65000
3w5d: BGP: 10.1.1.1 rcv UPDATE about 172.16.0.0/16
3w5d: BGP: nettable_walker 172.16.0.0/16 calling revise_route
3w5d: BGP: revise route installing 172.16.0.0/16 -> 10.1.1.1
3w5d: BGP: 10.1.1.1 rcv UPDATE w/ attr: nexthop 10.1.1.1, origin i, metric 0, path 65000
3w5d: BGP: 10.1.1.1 rcv UPDATE about 192.168.1.0/24
3w5d: BGP: nettable_walker 192.168.1.0/24 calling revise_route
3w5d: BGP: revise route installing 192.168.1.0/24 -> 10.1.1.1

Note: "aggregated by 65000 172.16.10.1" is the aggregator attribute (AS number and router ID of the summarizing router). The "1 notifications" sent, together with "Last reset ... Peer closed the session", is where to start when a session keeps flapping.
Enhanced Interior Gateway Routing Protocol (EIGRP)

• EIGRP features:
1- Advanced distance-vector protocol
Classless, no periodic updates, multicast updates, manual summarization, triggered partial updates on change.
2- Rapid convergence
Uses DUAL (Diffusing Update Algorithm), which keeps a backup route for each best route when one is available.
3- Loop-free topology
DUAL sets conditions for choosing its best routes and backup routes, called the feasibility condition.
4- Easy configuration
Its origin is distance vector.
5- Seamless connectivity across all data-link-layer protocols
Works with broadcast multiaccess, NBMA and point-to-point links.
6- Reduced bandwidth waste
No periodic updates.
7- Efficient updating
Incremental updates: triggered and partial.
8- Support for multiple network-layer protocols
IP, IPX and AppleTalk; EIGRP keeps separate routing, neighbor and topology tables for each protocol.
9- Composite metric, compatible with IGRP
The composite metric depends on bandwidth, delay, load and reliability (MTU is carried but is not used in the calculation).
EIGRP metric (32 bits) = 256 * IGRP metric (24 bits)
10- Load balancing
Across equal-cost and unequal-cost paths (unequal-cost load balancing needs the variance command).

• EIGRP terminology:
1- Neighbor table (list of all neighbors)
#show ip eigrp neighbors
2- Topology table (all routes to all destination networks as advertised by all neighbors; in effect the routing tables of all neighbors)
#show ip eigrp topology [all-links]
3- Routing table (best routes to all destination networks)
#show ip route [eigrp]
4- Successor (S): the best route (lowest metric) to a destination.
5- Feasible successor (FS): the backup route that satisfies the feasibility condition.
6- Feasible distance (FD): the metric from this router to the destination through the successor.
7- Advertised distance (AD), also called reported distance: the metric from the neighbor to the destination, as advertised by that neighbor.

• EIGRP packet types:
1- Hello packet:
- Used for neighbor discovery and to maintain the neighbor relationship.
- Sent periodically to multicast 224.0.0.10.
- Hello interval:
5 sec on point-to-point links and on links faster than T1 (1.544 Mbps)
60 sec on multipoint (NBMA) links of T1 speed or slower
Hold time = 3 * hello interval (15 sec for fast links, 180 sec for slow multipoint links)
2- Update packet:
- Contains the full routing information when a new neighbor is discovered (sent unicast).
- Contains a partial update in case of a change (sent multicast to 224.0.0.10).
3- Query packet:
- Sent to multicast 224.0.0.10 if the successor is lost and there is no feasible successor in the topology table; it announces the failure and asks the neighbors for another path.
4- Reply packet:
- The answer to a query, sent unicast.
5- Ack packet:
- Acknowledges the reliable packets (update, query and reply); hellos and acks themselves are not acknowledged.

• EIGRP components:
1- PDM (Protocol Dependent Module)
- Depends on the routed protocol (IP, IPX, AppleTalk).
- It allows EIGRP to adapt to the routed protocol.
- Each protocol has its own EIGRP module that operates independently from any of the others that may be running. The IP-EIGRP module, for example, is responsible for sending and receiving EIGRP packets encapsulated in IP, for parsing EIGRP packets and for informing DUAL of the new information that has been received.
2- DUAL (Diffusing Update Algorithm)
- It is a finite state machine.
- Responsible for maintaining the routing table and the topology table according to the feasibility condition.
3- RTP (Reliable Transport Protocol)
- Provides reliability using acknowledgements (like TCP), but with a stop-and-wait mechanism.
- RTP uses 2 timers:
a) SRTT (smooth round-trip time): the average time between sending a message and receiving its acknowledgement.
b) RTO (retransmission timeout): the time to wait for an ACK before retransmitting the packet.
NOTE:
- A neighbor is declared dead after:
a) 16 retransmissions (RTO expiries) of a reliable packet, or
b) the hold time expires without a hello.

• Operation:
At startup:
- Every router discovers its neighbors (and begins establishing an adjacency) using the hello protocol.
- For EIGRP routers to become neighbors:
1- they must have the same AS number;
2- they must have the same K-values.
- The routers will still form an adjacency even if the hello and hold intervals do not match.
The debug output below shows a hello rejected for a K-value mismatch:
RouterA# debug eigrp packets
Mismatched adjacency values
01:39:13: EIGRP: Received HELLO on Serial0/0 nbr 10.1.1.2
01:39:13:   AS 200, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
01:39:13: K-value mismatch

- Then the router exchanges its routing information with its neighbors.
- From the routing tables of its neighbors the router forms the topology table.
- Each router applies the DUAL algorithm to its topology table to form its routing table.
Configuring EIGRP metric K-values
[Figure not reproduced in the text; the K-values are set under router eigrp with metric weights tos k1 k2 k3 k4 k5 and must match on all neighbors]

The command #debug eigrp packets displays that operation:
RouterA# debug eigrp packets
Normal hello processing
01:38:29: EIGRP: Sending HELLO on Serial0/0
01:38:29:   AS 200, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
01:38:31: EIGRP: Received HELLO on Serial0/0 nbr 10.1.2.2
01:38:31:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
Received EIGRP update
01:38:33: EIGRP: Received UPDATE on Serial0/0 nbr 10.1.2.2
01:38:33:   AS 2100, Flags 0x0, Seq 23/37 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
01:38:33: EIGRP: Enqueueing ACK on Serial0/0 nbr 10.1.2.2
01:38:33:   Ack seq 23 iidbQ un/rely 0/0 peerQ un/rely 1/0
01:38:33: EIGRP: Sending ACK on Serial0/0 nbr 10.1.2.2
01:38:33:   AS 200, Flags 0x0, Seq 0/23 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 1/0
01:38:33: EIGRP: Enqueueing UPDATE on Serial0/0 iidbQ un/rely 0/1 serno 75-75
01:38:33: EIGRP: Sending UPDATE on Serial0/0 nbr 10.1.2.2
01:38:33:   AS 200, Flags 0x0, Seq 38/23 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1 serno 75-75
01:38:33: EIGRP: Received ACK on Serial0/0 nbr 10.1.2.2
01:38:33:   AS 200, Flags 0x0, Seq 0/38 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1

At convergence:
- No periodic updates, only hello packets.
• Hellos are sent every 5 seconds on the following links:
- Broadcast media: Ethernet
- Point-to-point serial links: PPP, HDLC
- Point-to-point subinterfaces: Frame Relay, ATM
- Multipoint circuits with bandwidth greater than T1: Frame Relay, ATM
• Hellos are sent every 60 seconds on the following links:
- Multipoint circuits with bandwidth less than or equal to T1: Frame Relay, ATM and X.25
• The hold time is by default three times the hello time.

At change:
1- If there is an FS:
If the router has a feasible successor in its topology table, it installs it immediately when the successor fails and sends an update to tell its neighbors that it now uses a new route.
2- If there is no FS:
The router puts the route into the Active state and sends a query packet to ask its neighbors for another route to the destination network; the neighbors answer with replies, and the router cannot choose a new successor until every query has been replied to.
The debug output below shows that action:
RouterA# debug eigrp packets
Shutdown of a neighbor's interface
01:38:11: EIGRP: Received QUERY on Serial0/0 nbr 10.1.2.2
01:38:11:   AS 200, Flags 0x0, Seq 24/38 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
01:38:11: EIGRP: Enqueueing ACK on Serial0/0 nbr 10.1.2.2
01:38:11:   Ack seq 24 iidbQ un/rely 0/0 peerQ un/rely 1/0
01:38:11: EIGRP: Sending ACK on Serial0/0 nbr 10.1.2.2
01:38:11:   AS 200, Flags 0x0, Seq 0/24 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 1/0
01:38:11: EIGRP: Sending REPLY on Serial0/0 nbr 10.1.2.2
01:38:11:   AS 200, Flags 0x0, Seq 39/24 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1 serno 76-76
01:38:11: EIGRP: Received ACK on Serial0/0 nbr 10.1.2.2
01:38:11:   AS 200, Flags 0x0, Seq 0/39 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1

EIGRP operation summary
[Figure not reproduced in the text]

• Route selection:
- By applying DUAL to the topology table to build the routing (RTG) table.
- DUAL:
1- Tracks all routes advertised by neighbors.
2- Selects a loop-free path using a successor (S) and a feasible successor (FS).
3- If the S is lost, the FS is used.
4- If no FS is available, it queries its neighbors and recalculates the S.
5- It can hold up to 4 routes by default (16 or more as a maximum) for the same destination network in the RTG table.
6- It can differentiate between different types of paths:
- internal path (Admin. Dist. = 90; symbol in the RTG table is 'D')
- summary path (Admin. Dist. = 5; symbol in the RTG table is 'D', out of interface Null0)
- external path (Admin. Dist. = 170; symbol in the RTG table is 'D EX')
• How to choose the S?
- The S is the route that has the least metric:
Metric = 256 * [k1*BW + (k2*BW / (256 - load)) + k3*delay + (k5 / (reliability + k4))]
By default, k1 = k3 = 1, k2 = k4 = k5 = 0
BW = 10^7 / BWi, where BWi = bandwidth of the interface in units of kbps
Delay = delayi * 10, where delayi = delay of the interface in microseconds
These values can be observed with the show interface command.
• How to choose the FS?
"This is called the feasibility condition"
A route that satisfies the inequality FD(S) > AD(FS) is eligible to be the FS.

Example of EIGRP route calculation
Which path from A to D is better when using EIGRP?
(Figure: all delays in units of tens of microseconds)

• Delay is the sum of all the delays of the links along the path:
Delay = [delay in tens of microseconds] x 256
• BW is the lowest bandwidth of the links along the path:
BW = [10,000,000 / (bandwidth in kbps)] x 256
A → B → C → D: least bandwidth 64 kbps, total delay 6,000
Metric = [10^7 / 64 + 6000] x 256 = 41,536,000
A → X → Y → Z → D: least bandwidth 256 kbps, total delay 8,000
Metric = [10^7 / 256 + 8000] x 256 = 12,048,000

The least metric is path A → X → Y → Z → D


DUAL example:

Stable network.

The link between B and D fails, so D loses its best path to network 10.1.1.0/24.

D sends a query to its existing neighbors (C and E), asking for a new path and announcing the link failure from its side.

C answers with a reply carrying a worse, but valid, path, while E queries C.
D cannot make a decision until all of its queries have been answered.

C also replies to E, announcing the existence of the path to 10.1.1.0/24.

The replies return to D, so D can finally make a decision.

The network has re-converged again through the DUAL process.

Timers:
Hello and hold timers
(config-if)# ip hello-interval eigrp <AS> <sec>
(config-if)# ip hold-time eigrp <AS> <sec>

Stuck In Active timer
(config-router)# timers active-time {<time-limit> | disabled}

• EIGRP load sharing:
(config-router)# traffic-share balanced
To support unequal-cost load balancing:
(config-router)# variance <multiplier>
The default multiplier is 1. There can be up to four entries in the routing table for the same destination:
(config-router)# maximum-paths <number>
Default 4, max 16 or more.

• Router E chooses router C to get to network Z because FD = 20.
• With a variance of 2, router E also chooses router B to get to network Z: (20 + 10 = 30) < [2 x FD = 40].
• Router D is not used to get to network Z (45 > 40).
Note: a path that falls within the variance multiplier cannot necessarily be used for load sharing; the new route must also satisfy the feasibility condition (AD(FS) < FD(S)).
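The metric formula, the A-to-D route-calculation example and the variance/feasibility rules above, worked through in code. This is an added example, not course material or IOS code; the per-link bandwidths and delays, the candidate table for router E (including a constructed neighbor F), and the function names are assumptions, and the metric uses integer arithmetic as IOS does, so the second path comes out 12,047,872 rather than the slide's rounded 12,048,000.

```python
"""EIGRP composite metric and DUAL path selection (added example, not from the course)."""
from dataclasses import dataclass

IOS_DEFAULT_K = (1, 0, 1, 0, 0)  # K1..K5 defaults: only bandwidth and delay count


def eigrp_metric(min_bw_kbps, total_delay_tens_us, load=1, reliability=255,
                 k=IOS_DEFAULT_K):
    """Composite metric from the slide's formula, with integer math as IOS does.

    BW = 10^7 / lowest bandwidth (kbps); delay is the sum of link delays in tens
    of microseconds. The K5/(reliability+K4) factor applies only when K5 != 0
    (IOS rule; with the defaults it is simply not used).
    """
    k1, k2, k3, k4, k5 = k
    bw = 10_000_000 // min_bw_kbps
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * total_delay_tens_us
    if k5 != 0:
        metric = metric * k5 // (reliability + k4)
    return metric * 256


@dataclass(frozen=True)
class Link:
    name: str
    bw_kbps: int
    delay_tens_us: int  # as on the slide: delay in tens of microseconds


def path_metric(links):
    """Path metric: lowest bandwidth along the path, sum of the delays."""
    return eigrp_metric(min(l.bw_kbps for l in links),
                        sum(l.delay_tens_us for l in links))


# Constructed per-link values that reproduce the slide's totals
# (least BW 64 kbps / delay 6,000 and least BW 256 kbps / delay 8,000).
PATH_ABCD = [Link("A-B", 1544, 2000), Link("B-C", 64, 2000), Link("C-D", 1544, 2000)]
PATH_AXYZD = [Link("A-X", 256, 2000), Link("X-Y", 512, 2000),
              Link("Y-Z", 512, 2000), Link("Z-D", 1544, 2000)]


@dataclass(frozen=True)
class Candidate:
    via: str  # neighbor advertising the route
    ad: int   # advertised (reported) distance: the neighbor's own metric
    fd: int   # feasible distance through that neighbor: ad + cost to reach it


def dual_select(candidates, variance=1, maximum_paths=4):
    """Apply DUAL to one destination's candidates.

    Returns (successors, feasible_successors, installed):
    - successor S: least FD;
    - feasibility condition: AD(candidate) < FD(S) guarantees a loop-free path;
    - unequal-cost load sharing: a feasible route is also installed when
      FD(candidate) < variance * FD(S), up to maximum-paths entries.
    """
    fd_s = min(c.fd for c in candidates)
    successors = [c for c in candidates if c.fd == fd_s]
    feasible = [c for c in candidates if c.fd != fd_s and c.ad < fd_s]
    installed = successors + [c for c in feasible if c.fd < variance * fd_s]
    return successors, feasible, sorted(installed, key=lambda c: c.fd)[:maximum_paths]


# Constructed routes to network Z as seen by router E (slide values: via C FD 20,
# via B FD 30, via D FD 45). F is added to show a path inside the variance window
# that still fails the feasibility condition and therefore is not installed.
ROUTER_E_TO_Z = [Candidate("C", 10, 20), Candidate("B", 10, 30),
                 Candidate("D", 25, 45), Candidate("F", 25, 35)]

if __name__ == "__main__":
    print("A-B-C-D  :", path_metric(PATH_ABCD))
    print("A-X-Y-Z-D:", path_metric(PATH_AXYZD))
    for v in (1, 2):
        s, fs, inst = dual_select(ROUTER_E_TO_Z, variance=v)
        print(f"variance {v}: S={[c.via for c in s]} FS={[c.via for c in fs]} "
              f"installed={[c.via for c in inst]}")
```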
Offset Lists

EIGRP offset lists, the final tool for manipulating EIGRP metrics, allow an engineer to simply add a value (an offset, if you will) to the calculated integer metric for a given prefix. To do so, an engineer creates and enables an EIGRP offset list that defines the value to add to the metric, plus some rules regarding which routes should be matched and therefore have the value added to their computed FD.
An offset list can perform the following functions:
■ Match prefixes/prefix lengths using an IP ACL, so that the offset is applied only to routes matched by the ACL with a permit clause
■ Match the direction of the Update message, either sent (out) or received (in)
■ Match the interface on which the Update is sent or received
■ Set the integer metric added to the calculation for both the FD and RD of the route
The configuration itself uses the following command in EIGRP configuration mode, in addition to any referenced IP ACLs:
(config-router)#offset-list {access-list-number | access-list-name} {in | out} offset [interface-type interface-number]

Example:
WAN1(config)#access-list 11 permit 10.11.1.0
WAN1(config)#router eigrp 1
WAN1(config-router)#offset-list 11 in 3 Serial0/0/0.1
WAN1(config-router)#end
Mar 2 11:34:36.667: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.1.2 (Serial0/0/0.1) is resync: peer graceful-restart
Before using the offset list:
WAN1#show ip eigrp topo 10.11.1.0/24
IP-EIGRP (AS 1): Topology entry for 10.11.1.0/24
State is Passive, Query origin flag is 1, 1 Successor(s), FD is 2172416
Routing Descriptor Blocks:
10.1.1.2 (Serial0/0/0.1), from 10.1.1.2, Send flag is 0x0
Composite metric is (2172416/28160), Route is Internal

After applying the offset list:
WAN1#show ip eigrp topo 10.11.1.0/24
IP-EIGRP (AS 1): Topology entry for 10.11.1.0/24
State is Passive, Query origin flag is 1, 1 Successor(s), FD is 2172416
Routing Descriptor Blocks:
10.1.1.2 (Serial0/0/0.1), from 10.1.1.2, Send flag is 0x0
Composite metric is (2172419/28163), Route is Internal
Vector metric:
Minimum bandwidth is 1544 Kbit
Total delay is 20100 microseconds
Reliability is 255/255
Load is 1/255
Minimum MTU is 1500
Hop count is 1
! output omitted for brevity

The offset-list 11 in 3 s0/0/0.1 command tells router WAN1 to examine all EIGRP Updates received on S0/0/0.1 and, if prefix 10.11.1.0 is found, add 3 to the computed FD and RD for that prefix.

• Configuration:
(config)# router eigrp <AS no.>
! Up to 32 processes (AS) can be configured on the same router
(config-router)# network <ip> [<wildcard mask>]

(Figure: Example 1 and Example 2 network statements)

Auto and manual summary:
(config-router)# no auto-summary
(config-if)# ip summary-address eigrp <AS> <ip> <mask> [admin distance]

(Figure: topology with network 172.16.2.0)

• Summarization is configurable on a per-interface basis in any router within a network.
• When summarization is configured on an interface, the router immediately creates a route pointing to Null0.
  – Loop-prevention mechanism
• When the last specific route of the summary goes away, the summary is deleted.
• The minimum metric of the specific routes is used as the metric of the summary route.
RouterC#show ip route
<output omitted>
Gateway of last resort is not set
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
D 172.16.0.0/16 is a summary, 00:00:04, Null0
D 172.16.1.0/24 [90/156160] via 10.1.1.2, 00:00:04, FastEthernet0/0
D 172.16.2.0/24 [90/20640000] via 10.2.2.2, 00:00:04, Serial0/0/1
C 192.168.4.0/24 is directly connected, Serial0/0/0
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C 10.2.2.0/24 is directly connected, Serial0/0/1
C 10.1.1.0/24 is directly connected, FastEthernet0/0
D 10.0.0.0/8 is a summary, 00:00:05, Null0
By default EIGRP uses 50% of the link BW for its updates.
EIGRP supports different WAN links:

• Point-to-point links
Treats the bandwidth as T1 by default, so it is better to manually configure the bandwidth as the real BW, using
(config-if)#bandwidth <BW in units of kbps>

• NBMA
- Point-to-point links
Treats the bandwidth as T1 by default, so it is better to manually configure the bandwidth as the CIR of the PVC.
- Multipoint links (Frame Relay, ATM)
EIGRP divides the bandwidth of the main interface by the number of neighbors on that interface to get the bandwidth per neighbor.
So for multipoint interfaces with non-uniform CIRs, either convert to a point-to-point configuration, or manually configure the bandwidth by multiplying the lowest CIR by the number of PVCs.
NBMA point-to-point links: configure the BW of the PVC on each subinterface.

NBMA multipoint links with non-uniform CIRs for the PVCs:
Configure the lowest-CIR VC as point-to-point, specifying BW = CIR.
Configure the higher-CIR VCs as multipoint, combining their CIRs.

To change the BW percentage to be used by updates:
(config-if)# ip bandwidth-percent eigrp <AS> <percentage>
The default percentage is 50.
• Convergence / query problem:
- The router has to get all the replies from the neighbors with an outstanding query before it calculates the successor information.
- If any neighbor fails to reply to the query, the route becomes Stuck in Active (SIA).
- Contrary to popular belief, queries are not bounded by AS boundaries. Queries from AS 1 are propagated to AS 2.
- Finally, the query problem can affect convergence (slower).

Solutions (avoid slow convergence and limit query scope):

SIA timer (3 min.)
If a router is Stuck In Active because of a neighbor, it waits 3 min. and then:
a) Resets its neighbor relationship.
b) Re-establishes the neighborship process.
This method is in some cases considered rude.
New EIGRP messages were introduced: SIA-Query and SIA-Reply.
Active Process Enhancement
Before: Router A resets the relationship to router B when the normal active timer expires. However, the problem is the link between routers B and C.
After: Router A sends an SIA-Query at half of the normal active timer. Router B acknowledges the query, thereby keeping the relationship up.

The previous figure on the left illustrates what would happen before this feature was introduced. Router A sends a query for network 10.1.1.0/24 to router B. Router B has no entry for this network, so it queries router C. If problems exist between routers B and C, the reply packet from router C to router B may be delayed or lost. Router A has no visibility of downstream progress and assumes that the lack of response indicates problems with router B. After router A's 3-minute active timer expires, the neighbor relationship with router B is reset, along with all known routes from router B.
By contrast, with the active process enhancement feature, router A queries downstream router B (with an SIA-Query) at the midway point of the active timer (1.5 minutes by default) about the status of the route. Router B responds (with an SIA-Reply) that it is searching for a replacement route. Upon receiving this SIA-Reply response packet, router A validates the status of router B and does not terminate the neighbor relationship.
Meanwhile, router B sends up to three SIA-Queries to router C. If they go unanswered, router B terminates the neighbor relationship with router C. Router B then updates router A with an SIA-Reply indicating that the network 10.1.1.0/24 is unreachable. Routers A and B remove the active route from their topology tables. The neighbor relationship between routers A and B remains intact.
Defining stub networks
If network 10.1.1.0/24 in a topology like the one shown below fails, all routers will be stuck in Active, waiting for each other's replies.

Configure the routers as stubs, so that queries are sent to non-stub routers only.
(config-router)#eigrp stub [receive-only | connected | static | summary]
• receive-only: Prevents the stub from sending any type of route.
• connected: Permits the stub to send connected routes (may still need to redistribute).
• static: Permits the stub to send static routes (must still redistribute).
• summary: Permits the stub to send summary routes.
• Default is connected and summary.

Example: eigrp stub parameters

If stub connected is configured:
• B will advertise 10.1.2.0/24 to A.
• B will not advertise 10.1.2.0/23, 10.1.3.0/23, or 10.1.4.0/24.
If stub summary is configured:
• B will advertise 10.1.2.0/23 to A.
• B will not advertise 10.1.2.0/24, 10.1.3.0/24, or 10.1.4.0/24.
If stub static is configured:
• B will advertise 10.1.4.0/24 to A.
• B will not advertise 10.1.2.0/24, 10.1.2.0/23, or 10.1.3.0/24.
If stub receive-only is configured:
• B will not advertise anything to A, so A needs to have a static route to the networks behind B to reach them.
Router Authentication
• Many routing protocols support authentication, such that a router authenticates the source of each routing update packet that it receives.
• Simple password authentication is supported by:
– IS-IS
– OSPF
– RIPv2
• MD5 authentication is supported by:
– OSPF
– RIPv2
– BGP
– EIGRP
Simple Password vs. MD5 Authentication
• Simple password authentication:
– Router sends packet and key.
– Neighbor checks whether key matches its key.
– Process not secure.
• MD5 authentication:
– Configure a key (password) and key ID; router generates a message digest, or hash, of the key, key ID and message.
– Message digest is sent with packet; key is not sent.
– Process is secure.
EIGRP MD5 authentication:
• Router generates a message digest, or hash, of the key, key ID, and message.
• EIGRP allows keys to be managed using key chains.
• Specify key ID (number), key, and lifetime of key.
• First valid activated key, in order of key numbers, is used.

Configuring EIGRP MD5 Authentication
Router(config-if)# ip authentication mode eigrp autonomous-system md5
• Specifies MD5 authentication for EIGRP packets
Router(config-if)# ip authentication key-chain eigrp autonomous-system name-of-chain
• Enables authentication of EIGRP packets using the keys in the key chain

Router(config)# key chain name-of-chain
• Enters configuration mode for the key chain
Router(config-keychain)# key key-id
• Identifies the key and enters configuration mode for the key ID
Router(config-keychain-key)# key-string text
• Identifies the key string (password)

Router(config-keychain-key)# accept-lifetime start-time {infinite | end-time | duration seconds}
• Optional: Specifies when the key will be accepted for received packets
Router(config-keychain-key)# send-lifetime start-time {infinite | end-time | duration seconds}
• Optional: Specifies when the key can be used for sending packets

Note: If the service password-encryption command is not used when implementing EIGRP authentication, the key string will be stored as plaintext in the router configuration. If you configure the service password-encryption command, the key string will be stored and displayed in an encrypted form; when it is displayed, there will be an encryption type of 7 specified before the encrypted key string.

EIGRP Authentication Configuration Checklist
The EIGRP authentication configuration process requires several
commands, which are summarized as follows:
Step 1. Create an (authentication) key chain:
Create the chain and give it a name with the key chain name global
command (also puts the user into key chain config mode). The name
does not have to match on the neighboring routers.
Create one or more key numbers using the key number command in
key chain configuration mode. The key numbers do not have to
match on the neighboring routers.
Define the authentication key’s value using the key-string value
command in key configuration mode. The key strings must match on
the neighboring routers.
(Optional) Define the lifetime (time period) for both sending and
accepting each key string.
Step 2. Enable EIGRP MD5 authentication on an interface, for a
particular EIGRP ASN, using the ip authentication mode eigrp asn
md5 interface subcommand.
Step 3. Refer to the correct key chain to be used on an interface
using the ip authentication key-chain eigrp asn name-of-chain
interface subcommand.
The configuration at Step 1 is fairly detailed, but Steps 2 and 3 are
relatively simple. Essentially, IOS configures the key values
separately (Step 1) and then requires an interface subcommand
to refer to the key values. To support the ability to have multiple
keys, and even multiple sets of keys, the configuration includes the
concept of a key chain and multiple keys on each key chain.
Key Chain Time-Based Logic
The key chain configuration concept, as outlined in Step 1, allows the engineer to migrate from one key value to another over time. Just like a real key chain that has multiple keys, the IOS key chain concept allows the configuration of multiple keys, each identified with a number. If no lifetime has been configured for a key, it is considered to be valid during all time frames. However, when a key has been defined with a lifetime, the key is valid only during the valid lifetime.
The existence of multiple keys in a key chain, and the existence of valid lifetimes for each key, can cause some confusion about when the keys are used. The rules can be summarized as follows:
■ Sending EIGRP messages: Use the lowest key number among all currently valid keys.
■ Receiving EIGRP messages: Check the MD5 digest using ALL currently valid keys.

For example, consider the case shown in the figure. The figure represents the logic in a single router, Router R1, both when receiving and when sending EIGRP messages (on the right).
The figure shows a key chain with four keys. All the keys have lifetimes configured. Key 1's lifetime has passed, making it invalid. Key 4's lifetime has yet to begin, making it invalid. However, keys 2 and 3 are both currently valid.

The figure shows that the EIGRP message sent by Router R1 uses key 2, and key 2 only. Keys 1 and 4 are ignored because they are currently invalid; R1 then simply chooses the lowest-numbered key among the two valid keys. The figure also shows that R1 processes the received EIGRP message using both key 2 and key 3, because both are currently valid.
Example MD5 Authentication Configuration

R1:
<output omitted>
key chain R1chain
 key 1
  key-string firstkey
  accept-lifetime 04:00:00 Jan 1 2006 infinite
  send-lifetime 04:00:00 Jan 1 2006 04:01:00 Jan 1 2006
 key 2
  key-string secondkey
  accept-lifetime 04:00:00 Jan 1 2006 infinite
  send-lifetime 04:00:00 Jan 1 2006 infinite
<output omitted>
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0
!
interface Serial0/0/1
 bandwidth 64
 ip address 192.168.1.101 255.255.255.224
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 R1chain
!
router eigrp 100
 network 172.16.1.0 0.0.0.255
 network 192.168.1.0
 auto-summary

R2:
<output omitted>
key chain R2chain
 key 1
  key-string firstkey
  accept-lifetime 04:00:00 Jan 1 2006 infinite
  send-lifetime 04:00:00 Jan 1 2006 infinite
 key 2
  key-string secondkey
  accept-lifetime 04:00:00 Jan 1 2006 infinite
  send-lifetime 04:00:00 Jan 1 2006 infinite
<output omitted>
interface FastEthernet0/0
 ip address 172.17.2.2 255.255.255.0
!
interface Serial0/0/1
 bandwidth 64
 ip address 192.168.1.102 255.255.255.224
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 R2chain
!
router eigrp 100
 network 172.17.2.0 0.0.0.255
 network 192.168.1.0
 auto-summary
Note: R1 key id 1 will expire after 1 minute for sent updates
R1#debug eigrp packets
EIGRP Packets debugging is on
(UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
*Jan 21 16:38:51.745: EIGRP: received packet with MD5 authentication, key id = 1
*Jan 21 16:38:51.745: EIGRP: Received HELLO on Serial0/0/1 nbr 192.168.1.102
*Jan 21 16:38:51.745: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0

R2#debug eigrp packets
EIGRP Packets debugging is on
(UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
R2#
*Jan 21 16:38:38.321: EIGRP: received packet with MD5 authentication, key id = 2
*Jan 21 16:38:38.321: EIGRP: Received HELLO on Serial0/0/1 nbr 192.168.1.101
*Jan 21 16:38:38.321: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
Note: R1's key id 1 has expired for sent updates, so R1 uses key id 2; that is why R2 sees key 2.
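The key-chain rules (send with the lowest valid key, accept with any valid key) and the R1/R2 configuration above, including key 1 expiring for sent updates after one minute and the later wrongkey mismatch, modelled in code. This is an added example, not course material or IOS code; the digest routine is a simplified stand-in for the EIGRP MD5 authentication TLV (key ID plus an MD5 over the message and the secret, with the key string never on the wire), and the HELLO payload is constructed.

```python
"""EIGRP MD5 key-chain logic: send with the lowest valid key, accept with any valid
key (added example, not course material or IOS code)."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime

INFINITE = datetime.max  # stands in for the IOS 'infinite' keyword


def at(stamp):
    """Parse an IOS-style lifetime timestamp such as '04:00:00 Jan 1 2006'."""
    return datetime.strptime(stamp, "%H:%M:%S %b %d %Y")


@dataclass
class Key:
    key_id: int
    key_string: str
    accept_lifetime: tuple = (datetime.min, INFINITE)  # no lifetime = always valid
    send_lifetime: tuple = (datetime.min, INFINITE)


def in_lifetime(window, now):
    start, end = window
    return start <= now < end


@dataclass
class KeyChain:
    name: str
    keys: list

    def send_key(self, now):
        """Sending rule: the lowest key number among keys whose send-lifetime is valid."""
        valid = [k for k in self.keys if in_lifetime(k.send_lifetime, now)]
        return min(valid, key=lambda k: k.key_id) if valid else None

    def accept_keys(self, now):
        """Receiving rule: every key whose accept-lifetime is valid is tried."""
        return [k for k in self.keys if in_lifetime(k.accept_lifetime, now)]


def digest(key, message):
    # Simplified model of the EIGRP MD5 authentication TLV (assumption, not the
    # wire format): the digest covers key ID, message and secret; the secret is
    # never transmitted, only the key ID and the digest.
    data = f"{key.key_id}:".encode() + message + key.key_string.encode()
    return hashlib.md5(data).hexdigest()


def sign(chain, message, now):
    """Return (key_id, digest) to attach to the packet, or None if no key is usable."""
    k = chain.send_key(now)
    return None if k is None else (k.key_id, digest(k, message))


def verify(chain, message, auth, now):
    """Return the key ID that validated the packet, or None ('authentication mismatch')."""
    if auth is None:
        return None
    _pkt_key_id, pkt_digest = auth
    for k in chain.accept_keys(now):
        if hmac.compare_digest(digest(k, message), pkt_digest):
            return k.key_id
    return None


def build_chains():
    """R1chain and R2chain as configured on the slide."""
    t0 = at("04:00:00 Jan 1 2006")
    r1 = KeyChain("R1chain", [
        Key(1, "firstkey", (t0, INFINITE), (t0, at("04:01:00 Jan 1 2006"))),
        Key(2, "secondkey", (t0, INFINITE), (t0, INFINITE)),
    ])
    r2 = KeyChain("R2chain", [
        Key(1, "firstkey", (t0, INFINITE), (t0, INFINITE)),
        Key(2, "secondkey", (t0, INFINITE), (t0, INFINITE)),
    ])
    return r1, r2


HELLO = b"EIGRP HELLO AS 100 from 192.168.1.101"  # constructed payload


def simulate():
    """R1 sends HELLOs to R2 over time; returns (time, key id sent, key id accepted)."""
    r1, r2 = build_chains()
    out = []
    for stamp in ("03:59:59 Jan 1 2006", "04:00:30 Jan 1 2006", "04:01:30 Jan 1 2006"):
        auth = sign(r1, HELLO, at(stamp))
        sent = None if auth is None else auth[0]
        out.append((stamp, sent, verify(r2, HELLO, auth, at(stamp))))
    # Operator changes key 2 on R1 only: R2 now drops the peer with 'Auth failure'.
    r1.keys[1].key_string = "wrongkey"
    stamp = "04:02:00 Jan 1 2006"
    auth = sign(r1, HELLO, at(stamp))
    out.append((stamp, auth[0], verify(r2, HELLO, auth, at(stamp))))
    return out


if __name__ == "__main__":
    for row in simulate():
        print(row)
```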
R1#
*Jan 21 16:23:30.517: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.102 (Serial0/0/1) is up: new adjacency

R1#show ip eigrp neighbors
IP-EIGRP neighbors for process 100
H   Address         Interface   Hold Uptime   SRTT   RTO  Q   Seq
                                (sec)         (ms)       Cnt Num
0   192.168.1.102   Se0/0/1       12 00:03:10   17  2280  0   14
R1#show ip route
<output omitted>
Gateway of last resort is not set
D 172.17.0.0/16 [90/40514560] via 192.168.1.102, 00:02:22, Serial0/0/1
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
D 172.16.0.0/16 is a summary, 00:31:31, Null0
C 172.16.1.0/24 is directly connected, FastEthernet0/0
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.96/27 is directly connected, Serial0/0/1
D 192.168.1.0/24 is a summary, 00:31:31, Null0
R1#ping 172.17.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.17.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/15/16 ms

R1(config)#key chain R1chain
R1(config-keychain)#key 2
R1(config-keychain-key)#key-string wrongkey

R2#debug eigrp packets
EIGRP Packets debugging is on
(UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
R2#
*Jan 21 16:50:18.749: EIGRP: pkt key id = 2, authentication mismatch
*Jan 21 16:50:18.749: EIGRP: Serial0/0/1: ignored packet from 192.168.1.101, opcode = 5 (invalid authentication)
*Jan 21 16:50:18.749: EIGRP: Dropping peer, invalid authentication
*Jan 21 16:50:18.749: EIGRP: Sending HELLO on Serial0/0/1
*Jan 21 16:50:18.749: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Jan 21 16:50:18.753: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.101 (Serial0/0/1) is down: Auth failure

R2#show ip eigrp neighbors
IP-EIGRP neighbors for process 100
R2#

• Troubleshooting:
#show ip route

RouterA# show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP,
D - EIGRP, EX - EIGRP external, O - OSPF,
(text omitted)
* - candidate default,
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 1 subnets
D 172.16.1.0 [90/10639872] via 10.1.2.2, 06:04:01, Serial0/0
10.0.0.0/24 is subnetted, 4 subnets
D 10.1.3.0 [90/10514432] via 10.1.2.2, 05:54:47, Serial0/0
D 10.3.1.0 [90/10639872] via 10.1.2.2, 06:19:41, Serial0/0
C 10.1.2.0 is directly connected, Serial0/0
C 10.1.1.0 is directly connected, Ethernet0/0

#show ip eigrp topology [all-links]

RouterA# show ip eigrp topology
IP-EIGRP Topology Table for AS(100)/ID(10.1.2.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status
P 10.1.3.0/24, 1 successors, FD is 10514432
via 10.1.2.2 (10514432/28160), Serial0/0
P 10.3.1.0/24, 1 successors, FD is 10639872
via 10.1.2.2 (10639872/384000), Serial0/0
P 10.1.2.0/24, 1 successors, FD is 10511872
via Connected, Serial0/0
P 10.1.1.0/24, 1 successors, FD is 2190
via Connected, Ethernet0/0
P 172.16.1.0/24, 1 successors, FD is 10639872
via 10.1.2.2 (10639872/384000), Serial0/0

#show ip protocols
RouterA# show ip protocols
Routing Protocol is "eigrp 100"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Default networks flagged in outgoing updates
Default networks accepted from incoming updates
EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
EIGRP maximum hopcount 100
EIGRP maximum metric variance 1
Redistributing: eigrp 100
Automatic network summarization is not in effect
Maximum path: 4
Routing for Networks:
10.1.0.0/16
10.0.0.0
Routing Information Sources:
Gateway Distance Last Update
10.1.2.2 90 05:50:13
Distance: internal 90 external 170

#show ip eigrp neighbors
#show ip eigrp traffic
#debug eigrp packets [query | reply | update]
#debug ip eigrp

Verifying EIGRP Operations: Stable Network

RouterA# debug ip eigrp
IP-EIGRP Route Events debugging is on
01:57:23: IP-EIGRP: Processing incoming UPDATE packet
01:57:23: IP-EIGRP: Int 172.16.1.0/24 M 10639872 - 9999872 640000 SM 384000 - 256000 128000

– Router A receives an update packet from router B that contains internal (Int) network 172.16.1.0/24.
– Feasible distance = router A's cost to get to 172.16.1.0/24: 10639872 = 9999872 + 640000
– Advertised distance = the metric router B sent to router A to reach 172.16.1.0/24: SM (source metric) = 384000 = 256000 + 128000
– EIGRP metric (10639872) = bandwidth (9999872) + delay (640000).

Verifying EIGRP Operations: Unstable Network
RouterA# debug ip eigrp
IP-EIGRP Route Events debugging is on

• Shut down an EIGRP neighbor interface for network 172.16.1.1/24.
• Router A receives a query looking for a lost pathway from router B.

01:56:57: IP-EIGRP: Processing incoming QUERY packet
01:56:57: IP-EIGRP: Int 172.16.1.0/24 M 4294967295 - 0 4294967295 SM 4294967295 - 0 4294967295

• The metric of 4294967295 is the highest possible value for a metric. It signifies that router B is telling router A that network 172.16.1.0/24 is no longer reachable through router B, and checks whether router A has an alternate pathway to that network.

01:56:57: IP-EIGRP: 172.16.1.0/24 routing table not updated
01:56:57: IP-EIGRP: 172.16.1.0/24 - not in IP routing table
• Router A realizes that if it cannot use B for 172.16.1.0/24, it does not have an entry in the routing table to get to that network.

01:56:57: IP-EIGRP: Int 172.16.1.0/24 metric 4294967295 - 0 4294967295

• Router A sends an update to router B saying it does not know how to reach that route either.

EIGRP for IPv6
Cisco originally created EIGRP to advertise routes for IPv4, IPX, and AppleTalk. This original EIGRP architecture easily allowed for yet another Layer 3 protocol, IPv6, to be added. As a result, Cisco did not have to change EIGRP significantly to support IPv6, so many similarities exist between the IPv4 and IPv6 versions of EIGRP.

Note: Many documents, including this chapter, refer to the IPv6 version of EIGRP as EIGRP for IPv6. However, some documents at www.cisco.com also refer to this protocol as EIGRPv6, not because it is the sixth version of the protocol, but because it implies a relationship with IPv6.

As with the previous section "RIP Next Generation (RIPng)," this section begins with a discussion of the similarities and differences between the IPv4 and IPv6 versions of EIGRP. The remaining coverage of EIGRP focuses on the changes to EIGRP configuration and verification in support of IPv6.

EIGRP for IPv4 and IPv6: Theory and Comparisons

For the most part, EIGRP for IPv4 and for IPv6 have many similarities. The following list outlines some of the key differences:
■ EIGRP for IPv6 advertises IPv6 prefixes/lengths, rather than IPv4 subnet/mask information.
■ EIGRP for IPv6 uses the neighbor's link local address as the next-hop IP address.
■ EIGRP for IPv6 encapsulates its messages in IPv6 packets, rather than IPv4 packets.
■ Like RIPng and OSPFv3, EIGRP for IPv6 authentication relies on IPv6's built-in authentication and privacy features.
■ EIGRP for IPv6 has no concept of classful networks, so EIGRP for IPv6 cannot perform any automatic summarization.
■ EIGRP for IPv6 does not require neighbors to be in the same IPv6 subnet as a requirement to become neighbors.
Other than these differences, most of the details of EIGRP for IPv6 work like EIGRP for IPv4.
(Figure: EIGRP for IPv6 uses the multicast address FF02::A)

Configuring EIGRP for IPv6

EIGRP for IPv6 follows the same basic configuration style as for RIPng, plus a few additional steps, as follows:
Step 1. Enable IPv6 routing with the ipv6 unicast-routing global command.
Step 2. Enable EIGRP using the ipv6 router eigrp {1 – 65535} global configuration command.
Step 3. Enable IPv6 on the interface, typically with one of these two methods:
Configure an IPv6 unicast address on each interface, using the ipv6 address address/prefix-length [eui-64] interface command.
Configure the ipv6 enable command, which enables IPv6 and causes the router to derive its link local address.
Step 4. Enable EIGRP on the interface with the ipv6 eigrp asn interface subcommand (where the asn matches the ipv6 router eigrp asn global configuration command).
Step 5. Enable EIGRP for IPv6 with a no shutdown command while in EIGRP configuration mode.
Step 6. If no EIGRP router ID has been automatically chosen, due to not having at least one working interface with an IPv4 address, configure an EIGRP router ID with the eigrp router-id rid command in EIGRP configuration mode.
R1# show running-config
! output is edited to remove lines not pertinent to this example
! Configuration step 1: enabling IPv6 routing
ipv6 unicast-routing
! Next, configuration steps 3 and 4, on each EIGRP-enabled interface
interface FastEthernet0/0.1
 ipv6 address 2012::1/64
 ipv6 eigrp 9
!
interface FastEthernet0/0.2
 ipv6 address 2017::1/64
 ipv6 eigrp 9
!
interface FastEthernet0/1.18
 ipv6 address 2018::1/64
 ipv6 eigrp 9
!
interface Serial0/0/0.3
 ipv6 address 2013::1/64
 ipv6 eigrp 9
!
interface Serial0/0/0.4
 ipv6 address 2014::1/64
 ipv6 eigrp 9
!
interface Serial0/0/0.5
 ipv6 address 2015::1/64
 ipv6 eigrp 9
!
! Configuration steps 2, 5, and 6 (step 6 sets the router ID explicitly)
ipv6 router eigrp 9
 no shutdown
 eigrp router-id 10.10.34.3

#show ipv6 route
D 2005::/64 [90/2684416]
via FE80::11FF:FE11:1111, Serial0/0/0.1
via FE80::22FF:FE22:2222, Serial0/0/0.2
D 2012::/64 [90/2172416]
via FE80::22FF:FE22:2222, Serial0/0/0.2
via FE80::11FF:FE11:1111, Serial0/0/0.1
D 2014::/64 [90/2681856]
via FE80::11FF:FE11:1111, Serial0/0/0.1
D 2015::/64 [90/2681856]
via FE80::11FF:FE11:1111, Serial0/0/0.1
! lines omitted for brevity...
D 2099::/64 [90/2174976]
via FE80::22FF:FE22:2222, Serial0/0/0.2
via FE80::11FF:FE11:1111, Serial0/0/0.1

! show ipv6 protocols displays less info than its IPv4 cousin.
R3# show ipv6 protocols
IPv6 Routing Protocol is “eigrp 9”
EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
EIGRP maximum hopcount 100
EIGRP maximum metric variance 1
Interfaces:
FastEthernet0/0
Serial0/0/0.1
Serial0/0/0.2
Redistribution:
None
Maximum path: 16
Distance: internal 90 external 170

R3# show ipv6 eigrp neighbors
IPv6-EIGRP neighbors for process 9
H   Address                  Interface   Hold Uptime   SRTT  RTO  Q   Seq
1   Link-local address:      Se0/0/0.2     14 01:50:51    3  200  0   82
    FE80::22FF:FE22:2222
Label Switching Overview

Service providers today are faced with many challenges in terms of customer demand, including an ongoing need for value-added services. Conventional IP packet forwarding has several limitations, and more and more service providers realize that something else is needed.
Not only must service providers be concerned with protecting their existing infrastructure, but service providers must also find ways to generate new services that are not currently supportable using existing technologies.

Multiprotocol Label Switching (MPLS) is a high-performance method for forwarding packets through a network. MPLS enables routers at the edge of a network to apply simple labels to packets. This practice allows the edge devices (ATM switches or existing routers in the center of the service provider core) to switch packets according to labels, with minimal lookup overhead. MPLS integrates the performance and traffic management capabilities of data link Layer 2 with the scalability and flexibility of network Layer 3 routing.

When used in conjunction with other standard technologies, MPLS allows service providers the ability to support value-added features that are critical for their networks.
Virtual Networks Technology

Network infrastructure virtualization has become important nowadays because it saves resources and makes network implementation and management easier.

It started with LAN virtualization using VLANs; then a similar approach appeared in the WAN, called WAN virtualization (VWAN), using VRF (Virtual Routing and Forwarding) technology in private WANs and VPNs (Virtual Private Networks) in public WANs.

VLAN: implemented using Ethernet IEEE 802.1Q
VRF: implemented using routing protocols and MP-BGP (Multiprotocol BGP)
VPN: implemented using GRE, IPsec and DMVPN

VRF-Lite/EVN

Service providers often need to allow their customers' traffic to pass through their cloud without one customer's traffic (and corresponding routes) being exposed to another customer. Similarly, enterprise networks might need to segregate various application types, such as keeping voice and video traffic separate from data.

These are just a couple of scenarios that could benefit from the Cisco Virtual Routing and Forwarding (VRF) feature. VRF allows a single physical router to host multiple virtual routers, with those virtual routers logically isolated from one another, each with its own IP routing table.

Note: the benefits are traffic separation and more efficient use of the network. The separation is at the routing and forwarding level only: a VRF does not encrypt anything, and any route leaking or shared interface between VRFs reintroduces a path between them, so such exceptions should be deliberate and kept small.

Easy Virtual Networking (EVN): (applies the VLAN idea to the WAN)

A traditional way to configure VRF on Cisco routers was to use an approach called VRF-Lite. A newer approach to virtualized network configuration, called Cisco Easy Virtual Network (EVN), dramatically simplifies the relatively complex configuration required by VRF-Lite.

EVN components:
- VNET tag: a number that identifies the virtual network on the trunk; it is carried as an 802.1Q VLAN tag, so no new header is added.
- VNET trunk: one interface that carries all of the virtual networks.
- Route replication: for complex VRF designs or for a shared-services VRF (DHCP, DNS, a server farm) that several VRFs need to reach.

An EVN uses a Virtual Network Trunk (VNET trunk) to carry traffic for each virtual network, and eliminates the need to manually configure a subinterface for each virtual network on all routers (which was a requirement with VRF-Lite).

Traffic flowing over a VNET trunk is tagged with a VNET tag, identifying the virtual network to which the traffic belongs. An EVN router connects to a Cisco Catalyst switch through an 802.1Q trunk, with the different VLANs on the 802.1Q trunk carrying traffic for the different virtual networks. Because that tag is all that separates the virtual networks on the wire, trunk ports must face trusted devices only, never an end host that could inject its own tags.

EVN routing is supported with OSPFv2 and EIGRP (and static routes).


R1(config)# vrf definition data
R1(config-vrf)# vnet tag 100
R1(config-vrf)# address-family ipv4      ! required before an IPv4 address can be assigned in this VRF
R1(config)# vrf definition voice
R1(config-vrf)# vnet tag 200
R1(config-vrf)# address-family ipv4

! LAN side: 802.1Q trunk to the Catalyst switch, one subinterface per VRF
R1(config)# interface Gi0/0.1
R1(config-subif)# encapsulation dot1q 100
R1(config-subif)# vrf forwarding data
R1(config-subif)# ip address <ip> <mask>
R1(config)# interface Gi0/0.2
R1(config-subif)# encapsulation dot1q 200
R1(config-subif)# vrf forwarding voice
R1(config-subif)# ip address <ip> <mask>

! WAN side: a single VNET trunk, no per-VRF subinterfaces
R1(config)# interface Serial 0/0
R1(config-if)# vnet trunk
R1(config-if)# ip address 10.1.1.1 255.255.255.0

The VNET trunk does not add a new header: each virtual network's traffic is marked with its VNET tag as an 802.1Q tag, and the trunk carries only one IP address, which is reused for every virtual network. With VRF-Lite the same design would need one manually configured subinterface, with its own address, per VRF on every router.

VRF (Virtual Routing and Forwarding):
a technology used for network infrastructure virtualization

In recent years, virtualization has become a hot topic in the IT industry. Today's data centers commonly use virtualization technologies (for example, VMware and Hyper-V) to allow multiple server instances (possibly running different operating systems) to run on a single physical server. This makes for a much more efficient use of hardware resources.

Interestingly, in addition to virtualizing server instances, you can virtualize networks. Cisco supports a technology called Virtual Routing and Forwarding (VRF), which allows a single router to run multiple virtual router instances. Each virtual router instance can have its own configuration and its own IP routing process.

VRF is therefore able to segment networks and isolate paths as needed. The capability to completely isolate one network from another (even though the networks use the same infrastructure devices) has obvious security benefits. The isolation holds only as long as no route is leaked between the VRFs and no interface or service is shared between them.

Note: in short, VRF allows a single physical router to host multiple virtual routers that are logically isolated and have their own routing tables. This is mainly used by providers to separate customers' data and routes.

So, the VRF benefits are:
- Simplified Layer 3 network virtualization
- Easier delivery of shared services
- Easier management and troubleshooting

VRF Configuration:
(config)# ip vrf A
(config-vrf)# rd 1:1
(config-vrf)# route-target both 1:1
(config)# interface S0/1
(config-if)# ip vrf forwarding A
(config-if)# ip address <ip> <mask>
(config)# ip vrf B
(config-vrf)# rd 1:2
(config-vrf)# route-target both 1:2
(config)# interface S0/2
(config-if)# ip vrf forwarding B
(config-if)# ip address <ip> <mask>

Apply ip vrf forwarding before the address: IOS removes any existing IP address from an interface when the interface is moved into a VRF, so the order above is not optional.

The route distinguisher (rd) keeps overlapping prefixes from different VRFs unique when they are carried in MP-BGP. The route-target (import, export, or both) controls which routes MP-BGP imports into and exports from each VRF. In plain VRF-Lite, with no MP-BGP, route-targets have no effect and the VRFs stay completely separate.

To run a routing protocol per VRF:

(config)# router ospf 1 vrf A
(config-router)# network <address> <wildcard> area 0
or
(config)# router eigrp 100
(config-router)# address-family ipv4 vrf A
(config-router-af)# autonomous-system 1
(config-router-af)# network <address>

Verification:
# show ip vrf
# show ip route vrf A

Incoming traffic is placed into the right VRF by the interface (or 802.1Q subinterface) it arrives on; in an MPLS VPN the VPN label carried in the MPLS header does the same job.
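The following Python model (added here as an illustration; it is not IOS code and not part of the original text) shows what the configuration above buys you: two VRFs can hold the same prefix without conflict, a lookup in one VRF never sees the other VRF's routes, and route-target import/export is the only thing that copies a route across (which, as noted, only happens when MP-BGP is present). The VRF names, prefixes, next hops and route-target values are made up.

```python
"""Model of per-VRF routing tables on one router, with route-target based
route replication between VRFs. Added illustration, not IOS code; VRF names,
prefixes, next hops and route-target values are constructed for the example."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    export_rt: frozenset = frozenset()   # route-targets attached on export


@dataclass
class Vrf:
    name: str
    import_rt: frozenset = frozenset()   # route-targets this VRF imports
    routes: list = field(default_factory=list)

    def lookup(self, dst):
        """Longest-prefix match restricted to this VRF's own table; None if no route."""
        addr = ipaddress.ip_address(dst)
        best = None
        for r in self.routes:
            if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best


class Router:
    """One physical router hosting several logically isolated virtual routers."""

    def __init__(self):
        self.vrfs = {}

    def add_vrf(self, name, import_rt=()):
        self.vrfs[name] = Vrf(name, frozenset(import_rt))

    def add_route(self, vrf, prefix, next_hop, export_rt=()):
        self.vrfs[vrf].routes.append(
            Route(ipaddress.ip_network(prefix), next_hop, frozenset(export_rt)))

    def replicate(self):
        """Copy a route into every other VRF whose import RT matches one of its
        export RTs. This is what route-target import does through MP-BGP; with
        plain VRF-Lite (no MP-BGP) nothing is ever copied."""
        for src in self.vrfs.values():
            for dst in self.vrfs.values():
                if dst is src:
                    continue
                for r in src.routes:
                    if r.export_rt & dst.import_rt and r not in dst.routes:
                        dst.routes.append(Route(r.prefix, r.next_hop, r.export_rt))


def build_example():
    """Two customers with overlapping address space plus a shared-services VRF."""
    rtr = Router()
    rtr.add_vrf("A", import_rt={"1:100"})   # customer A imports shared services
    rtr.add_vrf("B", import_rt={"1:100"})   # customer B imports shared services
    rtr.add_vrf("SHARED")                   # DNS/DHCP farm, exported with RT 1:100
    rtr.add_route("A", "10.1.1.0/24", "Serial0/1")
    rtr.add_route("A", "10.3.3.0/24", "Serial0/1")
    rtr.add_route("B", "10.1.1.0/24", "Serial0/2")   # same prefix as in A, no conflict
    rtr.add_route("B", "10.2.2.0/24", "Serial0/2")
    rtr.add_route("SHARED", "192.168.100.0/24", "Gi0/3", export_rt={"1:100"})
    return rtr


def next_hop(rtr, vrf, dst):
    """Next hop for dst in the given VRF, or None if it is unreachable there."""
    r = rtr.vrfs[vrf].lookup(dst)
    return r.next_hop if r else None
```

Before replicate() is called, 192.168.100.0/24 is reachable only inside SHARED; afterwards A and B both reach it, while A still has no route to B's 10.2.2.0/24 and SHARED has no route back into either customer. That asymmetry is the point to check in a real shared-services design: export only the service prefixes, and never import the customers' RTs into each other.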

Remote Connectivity Overview

The voice, video, and data commonly sent between remote offices and central sites often demand low latency and easy provisioning, all while maintaining a low cost. Traditional WAN solutions (for example, leased lines, Frame Relay, and ATM) typically fail to meet all these requirements at once. Fortunately, a variety of VPN technologies fit nicely into such a design.

This section categorizes various VPN technologies. Then the remainder of this chapter examines these technologies in a bit more detail.

MPLS-Based Virtual Private Networks

Multiprotocol Label Switching (MPLS) is a technology commonly used by service providers, although many large enterprises also use MPLS for their backbone network. MPLS makes forwarding decisions based on labels rather than IP addresses. Specifically, a 32-bit header carrying a 20-bit label is inserted between a frame's Layer 2 and Layer 3 headers. As a result, an MPLS header is often called a shim header, because it is stuck in between two existing headers.

MPLS-based VPNs can be grouped into one of two primary categories:
- Layer 2 MPLS VPNs
- Layer 3 MPLS VPNs

These two approaches are discussed in another course :)

Tunnel-Based Virtual Private Networks

A tunnel is a virtual connection that can physically span multiple router hops. However, from the perspective of the traffic flowing through the tunnel, the transit from one end of the tunnel to the other appears to be a single router hop.

Multiple VPN technologies make use of virtual tunnels. A few examples discussed in this chapter include:
- Generic Routing Encapsulation (GRE)
- Multipoint GRE
- IPsec
- Dynamic Multipoint VPN (DMVPN)
Hybrid Virtual Private Networks

Rather than just using a single MPLS-based VPN technology or a single tunnel-based VPN technology, you can use selected VPN technologies in tandem. For example, you might want to extend an MPLS network at one corporate location to MPLS networks at remote corporate locations, while having a requirement that traffic traveling through a service provider's cloud be encrypted.

You could meet the requirements of such a design by having a Layer 3 MPLS VPN set up over a DMVPN. The DMVPN technology carrying the Layer 3 MPLS VPN traffic allows you to efficiently set up direct links between corporate locations, and it also allows you to use IPsec, which can encrypt the traffic flowing through the service provider's cloud.

When it comes to hybrid VPNs, a significant design consideration is overhead. Every time you add an encapsulation, you are adding to the total header size of the packet. With more headers, the amount of data you can carry inside a single packet is decreased. As a result, you might have to configure a lower maximum transmission unit (MTU) size on the tunnel interface (and lower the TCP MSS to match) so that the encapsulated packets still fit the physical link and are not fragmented.
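As a worked example of that overhead calculation (added here; it is not part of the original text), the following Python computes the wire size of a packet carried as GRE over IPsec in ESP tunnel mode and the largest inner packet that still fits a 1500-byte link. The header sizes are the standard ones. The default transform parameters (8-byte cipher block and IV, 12-byte ICV) correspond to esp-3des esp-md5-hmac, the transform in the show crypto ipsec sa output later in this chapter; the AES/SHA-256 sizes used in the usage note are assumed values for that alternative transform.

```python
"""Encapsulation overhead for GRE over IPsec (ESP tunnel mode). Added example,
not from the original text. Header sizes are standard; transform defaults
assume 3DES-CBC (8-byte block/IV) with HMAC-MD5-96 (12-byte ICV)."""

IP_HDR = 20
GRE_HDR = 4          # base GRE header, no key/sequence/checksum options
ESP_SPI_SEQ = 8      # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2      # pad length (1 byte) + next header (1 byte)
IP_TCP_HDRS = 40     # IPv4 + TCP headers, for the MSS calculation


def esp_tunnel_len(inner_len, block=8, iv=8, icv=12):
    """Bytes on the wire for an ESP tunnel-mode packet carrying inner_len bytes."""
    body = inner_len + ESP_TRAILER
    padded = -(-body // block) * block        # pad up to the cipher block size
    return IP_HDR + ESP_SPI_SEQ + iv + padded + icv


def gre_over_ipsec_len(payload_len, **esp):
    """Original IP packet -> GRE (outer IP + GRE header) -> ESP tunnel mode."""
    return esp_tunnel_len(IP_HDR + GRE_HDR + payload_len, **esp)


def largest_payload(link_mtu=1500, **esp):
    """Largest original packet that survives GRE + ESP without fragmentation.
    This is the value to use for 'ip mtu' on the tunnel interface."""
    size = link_mtu
    while gre_over_ipsec_len(size, **esp) > link_mtu:
        size -= 1
    return size


def tcp_mss(link_mtu=1500, **esp):
    """Matching value for 'ip tcp adjust-mss' on the tunnel interface."""
    return largest_payload(link_mtu, **esp) - IP_TCP_HDRS
```

A full 1500-byte packet grows to 1576 bytes on the wire, so it is fragmented; 1400 bytes grows to 1480 and fits. largest_payload(1500) returns 1422 for the 3DES/MD5 case and 1414 for AES-CBC with 16-byte IV and ICV (block=16, iv=16, icv=16), which is why the common recommendation of ip mtu 1400 and ip tcp adjust-mss 1360 on the tunnel interface leaves a safe margin for either transform.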

GRE

As its name suggests, a Generic Routing Encapsulation (GRE) tunnel (IP protocol number 47) can encapsulate nearly every type of data that you could send out of a physical router interface. In fact, GRE can encapsulate any Layer 3 protocol, which makes it very flexible.

GRE by itself does not provide any security for the data it transmits: no encryption, no integrity protection and no peer authentication. However, a GRE packet can be sent over an IPsec VPN, causing the GRE packet (and therefore its contents) to be protected. Such a configuration is commonly used, because IPsec can only protect unicast IP packets. This limitation causes issues for routing protocols that use IP multicast. Fortunately, a GRE tunnel can encapsulate IP multicast packets. The resulting GRE packet is an IP unicast packet, which can then be protected by an IPsec tunnel.
As an example, consider that Routers R1 and R2 need to form an Open Shortest Path First (OSPF) neighborship across the service provider's cloud. Additionally, traffic between these two routers needs to be protected. While IPsec can protect unicast IP traffic, OSPF communicates through IP multicast. Therefore, all traffic between Routers R1 and R2 (including the OSPF multicasts) is encapsulated inside a GRE tunnel. Those GRE packets, which are unicast IP packets, are then sent across, and protected by, an IPsec tunnel. The configuration below uses R1 and R4, with loopback addresses 1.1.1.1 and 4.4.4.4 as the tunnel endpoints.

R1
interface Tunnel1
 ip address 192.168.0.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 4.4.4.4
 tunnel mode gre ip          ! the default tunnel mode, shown for clarity

R4
interface Tunnel1
 ip address 192.168.0.2 255.255.255.252
 tunnel source Loopback0
 tunnel destination 1.1.1.1
 tunnel mode gre ip

The loopback addresses must be reachable through the underlying network, not through the tunnel itself; if the tunnel destination is ever learned via the tunnel, IOS reports recursive routing and the tunnel flaps. IPsec protection is then applied on top of the tunnel interface (see the IPsec section).
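To make the multicast-to-unicast point concrete, here is an added Python example (not from the original text, and not IOS code) that builds an OSPF packet addressed to 224.0.0.5, wraps it in a GRE header (IP protocol 47, protocol type 0x0800) and an outer IPv4 header, and shows that the result is a plain unicast packet between the tunnel endpoints, the only thing a crypto ACL could match. The outer addresses are the loopbacks from the R1/R4 configuration above; the OSPF payload is a constructed stub, not a real hello.

```python
"""Build a GRE packet (IP protocol 47) around an OSPF packet sent to 224.0.0.5
and show that the outer packet is plain unicast. Added example, not from the
original text; the OSPF payload is a constructed stub, the addresses are the
R1/R4 tunnel endpoints from the configuration above."""
import ipaddress
import struct

GRE_PROTO = 47
OSPF_PROTO = 89
ETHERTYPE_IPV4 = 0x0800


def ip_checksum(data):
    """RFC 1071 one's-complement checksum; returns 0 for a header whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    fields = [0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    hdr = struct.pack("!BBHHHBBH4s4s", *fields)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner, tunnel_src, tunnel_dst):
    """Inner IP packet -> [outer IP (proto 47) | GRE flags=0, type=0x0800 | inner]."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)
    outer = ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre) + len(inner))
    return outer + gre + inner


def parse(pkt):
    """Return (proto, src, dst, payload) of an IPv4 packet after checking its header checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    if ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IP header checksum")
    proto = pkt[9]
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return proto, src, dst, pkt[ihl:]


def gre_decapsulate(pkt):
    """Strip the outer IP and GRE headers; refuses anything that is not GRE/IPv4."""
    proto, _, _, payload = parse(pkt)
    if proto != GRE_PROTO:
        raise ValueError("not a GRE packet")
    _flags, ptype = struct.unpack("!HH", payload[:4])
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unexpected GRE protocol type 0x%04x" % ptype)
    return payload[4:]


def is_multicast(addr):
    return ipaddress.IPv4Address(addr).is_multicast


# Constructed OSPF stub (version 2, type 1 = hello, then zero padding), sent to AllSPFRouters.
OSPF_PAYLOAD = b"\x02\x01" + b"\x00" * 22
INNER = ipv4_header("192.168.0.1", "224.0.0.5", OSPF_PROTO, len(OSPF_PAYLOAD), ttl=1) + OSPF_PAYLOAD
OUTER = gre_encapsulate(INNER, "1.1.1.1", "4.4.4.4")
```

parse(OUTER) reports protocol 47 from 1.1.1.1 to 4.4.4.4, a unicast flow that a crypto ACL such as "permit gre host 1.1.1.1 host 4.4.4.4" matches, while the inner packet is still the multicast OSPF packet. Note that nothing in the GRE header authenticates the sender: any host that can reach 4.4.4.4 could send such a packet, which is exactly why the IPsec layer is not optional when the tunnel crosses an untrusted network.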

DMVPN

Consider a hub-and-spoke VPN topology in which multiple remote sites have a site-to-site VPN connection to a headquarters location. In such a topology, if one remote site wanted to communicate securely with another remote site, the traffic would travel between the sites through the headquarters location rather than directly between the sites. One fix for this suboptimal pathing issue would be to create a full mesh of IPsec site-to-site VPN connections, which would provide a direct IPsec VPN connection between any two remote sites. Such a solution, however, could be complex and expensive to configure and maintain.

A more economical solution to providing optimal pathing without necessitating a full-mesh topology is the Dynamic Multipoint VPN (DMVPN) feature. DMVPN allows a VPN tunnel to be dynamically created and torn down between two remote sites on an as-needed basis. Consider a hub-and-spoke topology with the headquarters acting as the hub, in which Branch B and Branch C want to communicate with one another. A DMVPN tunnel is then created directly between these two locations.

From a troubleshooting perspective, a common issue experienced with DMVPN networks is flapping (that is, the DMVPN tunnel is repeatedly torn down and reestablished). When experiencing such an issue, Cisco recommends that you check the routing protocol neighborship between the routers at each end of the DMVPN. If the neighborship is not always up, the DMVPN might flap.

Note
Multipoint GRE and Next Hop Resolution Protocol (NHRP) are the building blocks of a DMVPN topology; IPsec is what provides confidentiality and peer authentication for the tunnels and is applied in practically every deployment.
Multipoint GRE
(configured with (config-if)# tunnel mode gre multipoint)

The scalability offered by DMVPN is made possible, in part, by multipoint GRE (mGRE), which allows a router to support multiple GRE tunnels on a single GRE interface.

Some of mGRE's characteristics are as follows:
- Like traditional GRE, mGRE can transport a wide variety of protocols (for example, IP unicast, multicast, and broadcast).
- In a hub-and-spoke topology, a hub router can have a single mGRE interface, and multiple tunnels can use that single interface.
- An interface configured for mGRE is able to dynamically form a GRE tunnel by using Next Hop Resolution Protocol (NHRP) to discover the IP address of the device at the far end of the tunnel.

NHRP

DMVPNs require that routers run Next Hop Resolution Protocol (NHRP), which uses a client-server model. A router designated as a hub router acts as a server. The remaining routers, designated as spokes, act as clients. NHRP spokes are configured with the IP address of the NHRP hub, and when a spoke comes online, it informs the hub of both a physical IP address (assigned to its physical interface) and a logical IP address (assigned to its virtual tunnel interface) that are going to be used for its tunnels.

In the example topology, the Headquarters router is acting as the hub, and the Branch A, Branch B, and Branch C routers are acting as spokes. When the spokes come online, they each advertise the IP address of their physical interface that is going to be used for tunnel formation, along with the IP address of the virtual tunnel interface. For example, the Branch A router informs the Headquarters router that the IP address of its virtual tunnel interface is 10.0.0.1, and it is available at a physical interface's IP address of 192.0.2.1. The Branch B and Branch C routers send similar advertisements to the Headquarters router. As a result, the Headquarters router populates its NHRP database.
The Branch C router needs to dynamically form a GRE tunnel with the Branch B router. The Branch C router knows that the other end of the tunnel it wants to form has an IP address of 10.0.0.2. However, the Branch C router does not know the IP address of the physical interface on the Branch B router that corresponds to the virtual tunnel's IP address. The process of discovering the remote physical IP address and the formation of the tunnel is as follows:

Step 1. The Branch C router sends an NHRP query to the hub router asking what physical interface's IP address is associated with a tunnel interface's IP address of 10.0.0.2.

Step 2. The hub router (that is, the Headquarters router) checks its NHRP database and responds to the query, telling the Branch C router that the physical interface's IP address corresponding to the tunnel interface IP address of 10.0.0.2 is 203.0.113.1, which is the IP address of the Branch B router.

Step 3. Having dynamically learned the IP address of the physical interface in the Branch B router, the Branch C router sets up a GRE tunnel with the Branch B router.

Spoke (branch) configuration:
BR(config)# interface tunnel 0
BR(config-if)# ip nhrp network-id 1               ! enables NHRP on the interface; use the same ID on hub and spokes
BR(config-if)# ip nhrp nhs 10.0.0.100             ! tunnel (private) IP of the NHRP server, the hub
BR(config-if)# ip nhrp map 10.0.0.100 100.1.1.1   ! static mapping: hub tunnel IP -> hub real (NBMA) IP
BR(config-if)# ip nhrp map multicast 100.1.1.1    ! send multicast (routing protocol hellos) to the hub's real IP

Hub configuration:
HQ(config)# interface tunnel 0
HQ(config-if)# tunnel mode gre multipoint
HQ(config-if)# ip nhrp network-id 1
HQ(config-if)# ip nhrp map multicast dynamic      ! replicate multicast to every spoke that has registered

The spokes register with the hub, so the hub needs no static mapping per spoke: its NHRP database is built from the registrations, and spoke-to-spoke mappings are learned on demand through the query in Step 1.

Router# show ip nhrp
192.168.0.2 255.255.255.255, tunnel 100 created 0:00:44 expire 1:59:15
  Type: dynamic  Flags: authoritative
  NBMA address: 192.168.0.1 255.255.255.255, Tunnel10 created 0:10:04 expire 1:49:56
  Type: static  Flags: authoritative

Each entry shows the tunnel (logical) address, the tunnel interface, when the entry was created and when it expires, whether it was learned dynamically (registered by a spoke or resolved through a query) or configured statically (the ip nhrp map command), and the NBMA (physical) address it maps to.
IPsec

Security in a DMVPN is provided by IPsec. It is attached to the tunnel interface with an IPsec profile (crypto maps are applied to physical interfaces, not to tunnel interfaces):

(config)# interface tunnel 0
(config-if)# tunnel protection ipsec profile <profile-name>

The following four security features are offered by IPsec:

Confidentiality: Data confidentiality is provided by encrypting data. If an intruder intercepts the encrypted data, he would not be able to interpret the data.

Integrity: Data integrity ensures that data is not modified in transit. The routers at each end of a tunnel compute a keyed hash (an HMAC) over the data; if the receiver's value matches the one carried in the packet, the data has not been modified in transit. A plain checksum would not do, because an attacker who can change the data can recompute it; the shared key is what makes the check trustworthy.

Authentication: Data authentication allows parties involved in a conversation to verify that the other party is the party it claims to be.

Antireplay: IPsec uses anti-replay protection to detect packets that have already been received. For example, an attacker might capture packets that make up a valid login to a host and attempt to play those packets back to gain access to the host. IPsec numbers every packet with a sequence number; the receiver tracks which numbers it has already seen and discards duplicates, as well as packets that have fallen behind its window.

Of these IPsec services, encryption and authentication are particularly helpful in a DMVPN network.
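The anti-replay check described above is a small sliding-window algorithm, shown here in Python as an added example (not from the original text; IOS implements it inside the ESP code path, and the sequence numbers fed in below are constructed to exercise each case). The receiver keeps the highest sequence number accepted so far plus a bitmap of which of the preceding window-size numbers it has already seen; a number that is higher slides the window, a number inside the window is accepted once, and anything older than the window or already marked is dropped.

```python
"""ESP anti-replay sliding window (RFC 4303 section 3.4.3 style, default 64 packets).
Added example, not from the original text; sequence numbers used below are constructed."""


class ReplayWindow:
    """Tracks received ESP sequence numbers; check() returns True to accept, False to drop."""

    def __init__(self, size=64):
        self.size = size
        self.highest = 0        # highest sequence number accepted so far
        self.bitmap = 0         # bit i set => (highest - i) has already been seen

    def check(self, seq):
        if seq == 0:
            return False                      # 0 is never a valid ESP sequence number
        if seq > self.highest:
            # New high-water mark: slide the window right and mark this packet.
            shift = seq - self.highest
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1) | 1
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                      # older than the window: drop
        if self.bitmap >> offset & 1:
            return False                      # already seen: replay, drop
        self.bitmap |= 1 << offset            # first time inside the window: accept
        return True


def run_sequence(seqs, size=64):
    """Feed a list of sequence numbers through one window; return the accepted ones."""
    win = ReplayWindow(size)
    return [s for s in seqs if win.check(s)]
```

Reordered packets inside the window (5 then 4) are accepted, a replayed 3 or 2 is dropped, and after a jump to 100 the number 36 (65 behind) is rejected while 37 (63 behind) still fits. The same logic is why an SA must be re-keyed before the 32-bit sequence number wraps: a wrap would reset the window and reopen the replay hole.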

For example, encryption can help protect traffic flowing between sites (either over the Internet or through a service provider's cloud). Also, authentication can make sure that GRE tunnels are not dynamically set up with undesired spokes.

IPsec uses a collection of protocols to provide its features. One of the primary protocols used by IPsec is the Internet Key Exchange (IKE) protocol. IKE authenticates the peers and negotiates the encryption keys, which are then changed periodically. Keys can also be configured manually without IKE, but that leaves the same key in use indefinitely and is not recommended.

There are two phases to establishing an IPsec tunnel. During IKE Phase 1, a secure Internet Security Association and Key Management Protocol (ISAKMP) session is established. As part of this phase, the IPsec endpoints agree on an ISAKMP policy (encryption algorithm, hash, authentication method, Diffie-Hellman group and lifetime) and the other parameters needed to establish a secure ISAKMP session (sometimes called an ISAKMP tunnel or an IKE Phase 1 tunnel). This collection of parameters is called a security association (SA). The IKE Phase 1 SA is bidirectional, meaning that the same key exchange is used for data flowing across the tunnel in either direction.

IKE Phase 2 occurs within the protection of the IKE Phase 1 tunnel. Here the peers negotiate the transform set (for example esp-3des esp-md5-hmac in the output at the end of this section). The SAs formed during IKE Phase 2 are sometimes called an IKE Phase 2 tunnel, or simply an IPsec tunnel. Unlike the Phase 1 SA, IPsec SAs are unidirectional: each protected flow gets a pair of SAs (one inbound, one outbound), each identified by its own SPI and carrying its own keys. This is why show crypto ipsec sa lists inbound and outbound SAs separately.

In addition to IKE, which establishes the IPsec tunnel, IPsec also relies on either the Authentication Header (AH) protocol (IP protocol number 51) or the Encapsulating Security Payload (ESP) protocol (IP protocol number 50). Both AH and ESP offer origin authentication and integrity services, which ensure that IPsec peers are who they claim to be and that data was not modified in transit. The main distinction between AH and ESP is encryption support. ESP encrypts the original packet, while AH does not offer any encryption. AH also includes the outer IP header in its integrity check, so it breaks when a NAT device rewrites addresses along the path. As a result, ESP is far more popular on today's networks.

Step 1. PC1 sends traffic destined for PC2. Router1 classifies the traffic as "interesting" traffic, which initiates the creation of an IPsec tunnel.

Step 2. Router1 and Router2 negotiate a security association (SA) used to form an IKE Phase 1 tunnel, which is also known as an ISAKMP tunnel.

Step 3. Within the protection of the IKE Phase 1 tunnel, an IKE Phase 2 tunnel is negotiated and set up. An IKE Phase 2 tunnel is also known as an IPsec tunnel.

Step 4. After the IPsec tunnel is established, interesting traffic (for example, traffic classified by an ACL) flows through the protected IPsec tunnel. Note that traffic not deemed interesting can still be sent between PC1 and PC2. However, the noninteresting traffic is transmitted outside of the protection of the IPsec tunnel.

Step 5. After no interesting traffic has been seen for a specified amount of time, or if the IPsec SA is deleted, the IPsec tunnel is torn down.
R1# show crypto ipsec sa
interface: FastEthernet0/0
    Crypto map tag: test, local addr. 30.1.1.1
   local  ident (addr/mask/prot/port): (20.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   current_peer: 30.1.1.2
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 7647918, #pkts encrypt: 7647918, #pkts digest 7647918
    #pkts decaps: 7640382, #pkts decrypt: 7640382, #pkts verify 7640382
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0,
    #pkts decompress failed: 0, #send errors 1, #recv errors 0
     local crypto endpt.: 30.1.1.1, remote crypto endpt.: 30.1.1.2
     path mtu 1500, media mtu 1500
     current outbound spi: 3D3
     inbound esp sas:
      spi: 0x136A010F(325714191)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 3442, flow_id: 1443, crypto map: test
        sa timing: remaining key lifetime (k/sec): (4608000/52)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x3D3(979)
        transform: esp-3des esp-md5-hmac ,

The local and remote ident lines are the interesting traffic defined by the crypto ACL; encaps/decaps counters increasing on both sides confirm the SA is carrying traffic, and a decrypt count that lags the decaps count would mean packets failing integrity or replay checks. The inbound and outbound SAs have different SPIs because IPsec SAs are unidirectional.
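Reading this output by eye is fine for one router; across many it is worth scripting. The following Python, added here as an example (not from the original text, and not a Cisco tool), parses a trimmed copy of the output above and reports the things a security review would flag: the esp-3des esp-md5-hmac transform (3DES and HMAC-MD5 are legacy algorithms; AES-GCM or AES with HMAC-SHA-256 is the current choice), anti-replay turned off, decaps/verify counter mismatches, and send/receive errors. SAMPLE is constructed from the page's output; the finding thresholds and the "weak" sets are this example's assumptions.

```python
"""Audit 'show crypto ipsec sa' output for weak transforms and other findings.
Added example, not from the original text. SAMPLE is a trimmed copy of the
output shown above; the weak/legacy algorithm sets are this script's assumptions."""
import re

WEAK_CIPHERS = {"esp-des", "esp-3des", "esp-null"}
LEGACY_HASHES = {"esp-md5-hmac", "esp-sha-hmac"}   # HMAC-MD5 and HMAC-SHA-1

SAMPLE = """\
interface: FastEthernet0/0
    Crypto map tag: test, local addr. 30.1.1.1
   local  ident (addr/mask/prot/port): (20.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   current_peer: 30.1.1.2
    #pkts encaps: 7647918, #pkts encrypt: 7647918, #pkts digest 7647918
    #pkts decaps: 7640382, #pkts decrypt: 7640382, #pkts verify 7640382
    #pkts decompress failed: 0, #send errors 1, #recv errors 0
     inbound esp sas:
      spi: 0x136A010F(325714191)
        transform: esp-3des esp-md5-hmac ,
        sa timing: remaining key lifetime (k/sec): (4608000/52)
        replay detection support: Y
     outbound esp sas:
      spi: 0x3D3(979)
        transform: esp-3des esp-md5-hmac ,
"""


def parse_sa(text):
    """Pull the fields the audit needs out of the show output into a dict."""
    sa = {"transforms": set(), "send_errors": 0, "recv_errors": 0}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"transform:\s*(.+)", line)
        if m:
            sa["transforms"].update(m.group(1).replace(",", " ").split())
        m = re.search(r"#send errors\s*(\d+),\s*#recv errors\s*(\d+)", line)
        if m:
            sa["send_errors"], sa["recv_errors"] = int(m.group(1)), int(m.group(2))
        m = re.search(r"replay detection support:\s*([YN])", line)
        if m:
            sa["replay"] = m.group(1) == "Y"
        m = re.search(r"remaining key lifetime \(k/sec\):\s*\((\d+)/(\d+)\)", line)
        if m:
            sa["life_kb"], sa["life_sec"] = int(m.group(1)), int(m.group(2))
        m = re.search(r"#pkts encaps:\s*(\d+),\s*#pkts encrypt:\s*(\d+)", line)
        if m:
            sa["encaps"], sa["encrypt"] = int(m.group(1)), int(m.group(2))
        m = re.search(r"#pkts decaps:\s*(\d+),\s*#pkts decrypt:\s*(\d+),\s*#pkts verify\s*(\d+)", line)
        if m:
            sa["decaps"], sa["decrypt"], sa["verify"] = map(int, m.groups())
    return sa


def audit(sa):
    """Return a list of findings in priority order; an empty list means nothing to report."""
    findings = []
    for t in sorted(sa["transforms"] & WEAK_CIPHERS):
        findings.append("weak cipher %s: move to esp-aes 256 or esp-gcm" % t)
    for t in sorted(sa["transforms"] & LEGACY_HASHES):
        findings.append("legacy integrity %s: move to esp-sha256-hmac" % t)
    if not sa.get("replay", True):
        findings.append("anti-replay disabled on this SA")
    if sa.get("decaps", 0) != sa.get("verify", 0):
        findings.append("decaps/verify counters differ: packets failed the integrity check")
    if sa["send_errors"] or sa["recv_errors"]:
        findings.append("send/recv errors present (%d/%d)" % (sa["send_errors"], sa["recv_errors"]))
    return findings
```

On SAMPLE the audit returns three findings: the 3DES cipher, the MD5 HMAC, and the single send error. The 52 seconds of remaining lifetime is normal (the SA is about to re-key), which is why it is parsed but not flagged.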

The End

Finally I would like to thank all of my beloved friends who read this book, and I hope you all get the full benefit from this training. You are the future, please make our future reach its best, don't forget our famous rule "one is none, two are one", by respect & keeping morals we will be all together over the top.
Always remember me with the best
God bless you All

Ahmed Nabil
DoN
Cisco ip routing
(Route Course)

Eng.Ahmed Nabil
DoN
