CCNA_Routing_Word

CCNA routing

Uploaded by nishanth king

Manoj Reddy – Routing

Document 11

Dynamic Routing:
Dynamic routing protocols, as their name suggests, are used to dynamically exchange
routing information between routers. Their implementation allows network topologies to
dynamically adjust to changing network conditions, and to ensure that efficient and
redundant routing continues despite any changes.
Dynamic routing is a mechanism through which routing information is exchanged between
routers to determine the optimal path between network devices. A routing protocol is used
to identify and announce network paths.

Overview of Routing and Routing Tables:


Routers are responsible for receiving IP packets, deciding where to send them, and then
sending them toward their destinations. This process is called IP forwarding or routing.
To accomplish this task, the router examines the routing table to determine the interface
through which the packet will be sent. The routing table resides in each router’s memory; it
contains information about the directly connected network and routes that it knows
statically or learns dynamically.

Routing Protocol Fundamentals:

Dynamic routing involves the use of routing protocols that exchange routing information
between routing devices. Routing protocols perform these functions:

• Discovery of remote networks
• Best path calculation to remote networks
• Updating the routing table
• Recalculating a new best path in the case of failure of the current best path

Types of Routing Protocols:


The dynamic routing protocols fall into one of two categories: Interior gateway protocols
(IGPs) and exterior gateway protocols (EGPs). Generally speaking, an interior gateway
protocol operates within a particular Autonomous System (AS), while an exterior gateway
protocol operates between ASes. An autonomous system is a set of routers under a
common administration with common routing policies.
Interior gateway protocols can be further categorized into distance vector protocols and
link-state protocols based on their operation:

• A router using a "distance vector" routing protocol is unaware of the network
topology. It knows only about its directly connected networks and the remote
networks it can reach via its neighbours, together with the distance to them.
• "Link-state" protocols are more complex: routers using them learn the complete
topology of the area and compute the paths themselves.


Protocol Name                                        Interior or Exterior    Distance Vector or
                                                     Gateway Protocol?       Link-State Protocol?
Routing Information Protocol (RIPv2)                 Interior                Distance Vector
Enhanced Interior Gateway Routing Protocol (EIGRP)   Interior                Distance Vector (advanced)
Open Shortest Path First (OSPF)                      Interior                Link-State
Intermediate System to Intermediate System (IS-IS)   Interior                Link-State
Border Gateway Protocol (BGP)                        Exterior                Path-Vector

Administrative Distance:
Administrative Distance (AD) rates the trustworthiness of the source from which a route
was learned. When the same destination prefix is offered by more than one source, the
route with the lowest AD is installed in the routing table. AD is an integer from 0 to
255: 0 is the most trusted (a directly connected network) and 255 means the source is
never trusted, so such a route is never installed. AD compares sources, not paths: it is
consulted only when two sources offer the same prefix. Routes for different prefix
lengths are all installed, and forwarding then picks the longest match.
Default administrative distances on Cisco IOS:
• Directly connected interface: 0
• Static route: 1
• EIGRP summary route: 5
• External BGP (eBGP): 20
• EIGRP (internal): 90
• OSPF: 110
• IS-IS: 115
• RIP: 120
• EIGRP (external): 170
• Internal BGP (iBGP): 200
• Unknown / untrusted: 255

Example –
The smaller the AD value, the more trusted the source. For example, if a router
receives an advertised route to the same remote destination network from both OSPF
and EIGRP, the EIGRP route is considered the best and is placed in the routing table,
because EIGRP (AD 90) has a lower AD than OSPF (AD 110). The OSPF route stays in the
OSPF database and is installed only if the EIGRP route disappears.
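Added example (Python, not part of the original course notes): a minimal model of the route-installation rule just described and of the forwarding lookup from the "Overview of Routing and Routing Tables" section. Each routing process offers candidate routes; per prefix the lowest AD wins (metric only breaks ties within one source), AD 255 is never installed, losing candidates are kept so they take over when the winner is withdrawn, and forwarding uses the longest matching prefix regardless of AD. The AD values are the Cisco IOS defaults; the prefixes, next hops and interface names in demo() are constructed for the example.

```python
import ipaddress

# Cisco IOS default administrative distances for the sources used here.
DEFAULT_AD = {
    "connected": 0, "static": 1, "ebgp": 20, "eigrp": 90, "ospf": 110,
    "isis": 115, "rip": 120, "eigrp-external": 170, "ibgp": 200,
    "untrusted": 255,
}


class RoutingTable:
    """Minimal RIB: every source keeps its candidate per prefix, the one with
    the lowest (AD, metric) is installed, and lookups use longest-prefix match."""

    def __init__(self):
        self.candidates = {}   # network -> list of candidate dicts
        self.routes = {}       # network -> the installed candidate

    def _reinstall(self, net):
        cands = self.candidates.get(net)
        if not cands:
            self.routes.pop(net, None)
            return
        # AD first; metric only matters between candidates with the same AD.
        # On a tie the earliest candidate stays installed.
        self.routes[net] = min(cands, key=lambda c: (c["ad"], c["metric"]))

    def offer(self, prefix, source, metric, next_hop, interface):
        """A routing process offers a route; True if it ends up installed."""
        ad = DEFAULT_AD[source]
        if ad == 255:                       # by definition never installed
            return False
        net = ipaddress.ip_network(prefix, strict=False)
        cands = self.candidates.setdefault(net, [])
        cands[:] = [c for c in cands if c["source"] != source]   # one per source
        cands.append(dict(ad=ad, metric=metric, source=source,
                          next_hop=next_hop, interface=interface))
        self._reinstall(net)
        return self.routes[net]["source"] == source

    def withdraw(self, prefix, source):
        """A source withdraws its candidate; the next best one takes over."""
        net = ipaddress.ip_network(prefix, strict=False)
        cands = self.candidates.get(net, [])
        before = len(cands)
        cands[:] = [c for c in cands if c["source"] != source]
        self._reinstall(net)
        return len(cands) != before

    def lookup(self, destination):
        """Forwarding decision: most specific installed prefix containing the
        destination, as (prefix, source, next_hop, interface), or None."""
        addr = ipaddress.ip_address(destination)
        best = None
        for net, entry in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, entry)
        if best is None:
            return None
        net, entry = best
        return (str(net), entry["source"], entry["next_hop"], entry["interface"])


def demo():
    """Constructed scenario: the same /16 learned from OSPF, EIGRP and RIP."""
    rib = RoutingTable()
    rib.offer("0.0.0.0/0", "static", 0, "203.0.113.1", "GigabitEthernet0/0")
    rib.offer("10.1.0.0/16", "ospf", 20, "10.0.0.3", "Serial0/1")
    rib.offer("10.1.0.0/16", "eigrp", 2172416, "10.0.0.2", "Serial0/0")  # AD 90 wins
    rib.offer("10.1.0.0/16", "rip", 2, "10.0.0.4", "Serial0/2")          # AD 120 loses
    rib.offer("10.1.2.0/24", "connected", 0, None, "GigabitEthernet0/1")
    return rib


if __name__ == "__main__":
    rib = demo()
    for dst in ("10.1.9.9", "10.1.2.7", "8.8.8.8"):
        print(dst, "->", rib.lookup(dst))
    rib.withdraw("10.1.0.0/16", "eigrp")
    print("after EIGRP withdraw: 10.1.9.9 ->", rib.lookup("10.1.9.9"))
```

Note that 10.1.2.7 is forwarded via the connected /24 even though the EIGRP /16 has a higher AD than "connected" anyway; the point is that the lookup is by prefix length, and AD never enters the forwarding decision.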
An Autonomous System (AS) is a group of routers and networks working under a single
administrative domain. Each AS is identified by an AS number (ASN). The original ASN
is a 16-bit value (0 to 65535); RFC 6793 extended ASNs to 32 bits (0 to 4294967295),
so current BGP implementations also handle 4-byte ASNs.

• Public Autonomous System Number –
These are 16-bit values that range from 1 to 64511 (0 and 65535 are reserved). A
public, globally unique ASN is needed when the customer is connected to more than
one ISP (multihoming) and wants to advertise its own BGP routes through both ISPs.

• Private Autonomous System Number –
Private Autonomous System Numbers are 16-bit values that range from 64512 to 65534
(RFC 6996 also reserves the 32-bit range 4200000000 to 4294967294). The service
provider assigns a private ASN to a customer that has one or more connections to a
single ISP (single-homed or dual-homed) but not to more than one ISP; the ISP strips
the private ASN before re-advertising the routes to the Internet. Private ASNs are
used in order to conserve the public number space.

• Assigning of AS numbers –
Autonomous System numbers are first assigned by IANA (Internet Assigned Numbers
Authority) to the Regional Internet Registries (RIRs). Each RIR then distributes ASNs
from the block it received from IANA to entities within its designated region.

RIP (Routing Information Protocol):

Routing Information Protocol (RIP) is a distance-vector routing protocol. Routers
running a distance-vector protocol send all or a portion of their routing tables in
routing-update messages to their neighbours, and compute paths from those
advertisements without ever learning the full topology.
RIP uses hop count as its routing metric to find the best path between the source and
the destination network. It has an AD value of 120. RIP messages are carried in UDP
datagrams on port 520 (source and destination); RIPv1 sends them as broadcasts, while
RIPv2 multicasts them to 224.0.0.9.

Hop Count:
Hop count is the number of routers between the source and the destination network.
The path with the lowest hop count is considered the best route to a network and is
placed in the routing table. RIP bounds routing loops (the count-to-infinity problem)
by limiting the number of hops allowed in a path from source to destination: the
maximum usable hop count is 15, and a hop count of 16 means the network is unreachable.

Features of RIP:
1. Updates of the network are exchanged periodically (every 30 seconds by default), plus
triggered updates when a route changes.
2. RIPv1 broadcasts its updates (255.255.255.255); RIPv2 multicasts them to 224.0.0.9.
3. Full routing tables are sent in updates.
4. Routers trust routing information received from neighbour routers by default. RIPv1
has no authentication at all; RIPv2 supports plaintext and MD5 authentication (ip rip
authentication mode md5 under the interface). Without it, any host on the segment can
inject or poison routes simply by sending a forged update to UDP port 520.
RIP Versions:

RIP v1 is known as a classful routing protocol because it does not send the subnet mask
in its routing updates; the receiver assumes the classful mask, or the mask of the
receiving interface, for each network.

RIP v2 is known as a classless routing protocol because it sends the subnet mask with
each route in its routing update, which allows VLSM and discontiguous networks. RIPv2
also adds a next-hop field, route tags and authentication.
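Added example (Python, not from the original notes): a builder and parser for the RIPv2 message format described above, written with struct so the on-the-wire layout is visible: a 4-byte header (command, version, zero) followed by 20-byte route entries (address family 2, route tag, IP, mask, next hop, metric), optionally preceded by an authentication entry marked with address family 0xFFFF. The parser enforces the metric range 1 to 16 and, when a password is expected, rejects updates that lack the correct authentication entry, which is what lets a router discard a forged update. The sample routes and the password "s3cret" are constructed for the example; sending the bytes to 224.0.0.9:520 is left out, since that needs a socket bound to a real interface.

```python
import socket
import struct

RIP_PORT = 520
RIPV2_MULTICAST = "224.0.0.9"
INFINITY = 16                 # metric 16 = unreachable
AF_INET = 2                   # address-family value used on the wire
AF_AUTH = 0xFFFF              # RIPv2 authentication entry marker
AUTH_SIMPLE = 2               # cleartext password authentication
COMMANDS = {1: "request", 2: "response"}
MAX_ENTRIES = 25              # RFC 2453 limit per message


def build_rip_response(routes, password=None):
    """Build a RIPv2 response. routes: iterable of (prefix, mask, next_hop, metric).
    With a password, a simple-password authentication entry is prepended;
    it travels in cleartext, so it only stops accidental or casual injection."""
    pkt = struct.pack("!BBH", 2, 2, 0)              # command 2, version 2, zero
    if password is not None:
        pkt += struct.pack("!HH16s", AF_AUTH, AUTH_SIMPLE, password.encode())
    for prefix, mask, next_hop, metric in routes:
        if not 1 <= metric <= INFINITY:
            raise ValueError(f"metric {metric} out of range 1..16")
        pkt += struct.pack("!HH4s4s4sI", AF_INET, 0,
                           socket.inet_aton(prefix), socket.inet_aton(mask),
                           socket.inet_aton(next_hop), metric)
    return pkt


def parse_rip(pkt, expect_password=None):
    """Parse a RIP v1/v2 message into a dict. Raises ValueError on a malformed
    packet or, when expect_password is set, on a missing or wrong
    authentication entry (the receiver must then drop the update)."""
    if len(pkt) < 4 or (len(pkt) - 4) % 20 or len(pkt) > 4 + MAX_ENTRIES * 20:
        raise ValueError("bad RIP length")
    command, version, _ = struct.unpack("!BBH", pkt[:4])
    if command not in COMMANDS or version not in (1, 2):
        raise ValueError("unknown command/version")
    msg = {"command": COMMANDS[command], "version": version,
           "auth": None, "routes": []}
    for off in range(4, len(pkt), 20):
        entry = pkt[off:off + 20]
        family = struct.unpack("!H", entry[:2])[0]
        if family == AF_AUTH and off == 4 and version == 2:
            auth_type, secret = struct.unpack("!H16s", entry[2:])
            msg["auth"] = (auth_type, secret.rstrip(b"\0"))
            continue
        family, tag, ip, mask, nh, metric = struct.unpack("!HH4s4s4sI", entry)
        # A whole-table request carries family 0; anything else must be AF_INET.
        if family != AF_INET and not (family == 0 and command == 1):
            raise ValueError(f"bad address family at offset {off}")
        if not 1 <= metric <= INFINITY:
            raise ValueError(f"illegal metric {metric} at offset {off}")
        msg["routes"].append({
            "prefix": socket.inet_ntoa(ip),
            "mask": socket.inet_ntoa(mask) if version == 2 else None,   # v1: no mask
            "next_hop": socket.inet_ntoa(nh) if version == 2 else None,
            "tag": tag, "metric": metric, "reachable": metric < INFINITY})
    if expect_password is not None and msg["auth"] != (AUTH_SIMPLE, expect_password.encode()):
        raise ValueError("authentication failed: update discarded")
    return msg


if __name__ == "__main__":
    # Constructed sample: one reachable route and one poisoned (metric 16) route.
    sample = build_rip_response([("10.1.0.0", "255.255.0.0", "0.0.0.0", 2),
                                 ("192.168.2.0", "255.255.255.0", "0.0.0.0", 16)],
                                password="s3cret")
    print(sample.hex())
    print(parse_rip(sample, expect_password="s3cret"))
```

The next-hop field 0.0.0.0 means "use the sender's address", which is what a router normally sends; a non-zero next hop lets an attacker redirect traffic to a third host on the segment, so a receiver should only honour it when it is on the receiving interface's subnet.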

RIP timers (Cisco IOS defaults):
• Update timer (30 seconds): the interval at which a router sends its full routing
table to its neighbours.
• Invalid timer (180 seconds): if no update for a route arrives within 180 seconds of
the last one, the route is marked invalid: its metric is set to 16 (unreachable) and it
is advertised as such, but it stays in the routing table.
• Hold-down timer (180 seconds): starts when a route is marked invalid, or when an
update with metric 16 arrives from the route's original source. During hold-down the
router ignores updates about that route whose metric is equal to or worse than the one
it had, so that stale information from slower neighbours cannot reinstall a dead route.
An update from the original source, or one with a better metric, ends the hold-down.
• Flush timer (240 seconds): measured from the last update, like the invalid timer.
When it expires the route is removed from the routing table, which with the defaults
is 60 seconds after the route was declared invalid (180 + 60 = 240 seconds).
The timers can be changed with timers basic <update> <invalid> <holddown> <flush> under
router rip; they must be the same on all routers in the RIP domain.
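Added example (Python, not from the original notes): a deterministic model of one RIP routing-table entry with the invalid, hold-down and flush timers applied, so the interplay above can be replayed: a route stops being refreshed at t=0, goes invalid at t=180 (metric 16, hold-down starts), ignores a worse alternative during hold-down, accepts a better one, and is flushed at t=240 if nothing arrives. The hold-down rule is the simplified one described above (ignore equal-or-worse metrics from other neighbours while the timer runs); the prefixes and next hops are constructed.

```python
INFINITY = 16                                          # RIP "unreachable" metric
UPDATE, INVALID, HOLDDOWN, FLUSH = 30, 180, 180, 240   # IOS defaults, seconds
# UPDATE is the advertisement interval; it only matters to the sender, so it
# is not modelled here.


class RipRoute:
    """One RIP routing-table entry. Times are plain seconds so a sequence of
    events can be replayed exactly."""

    def __init__(self, prefix, metric, next_hop, now):
        self.prefix = prefix
        self._learn(metric, next_hop, now)

    def _learn(self, metric, next_hop, now):
        self.metric = metric
        self.next_hop = next_hop
        self.last_update = now          # resets the invalid and flush timers
        self.holddown_until = None
        self.holddown_metric = None     # metric the route had when hold-down began

    def _poison(self, at):
        """Mark unreachable and start hold-down, remembering the old metric so
        that equal-or-worse information from other neighbours is ignored."""
        self.holddown_metric = self.metric
        self.metric = INFINITY
        self.holddown_until = at + HOLDDOWN

    def in_holddown(self, now):
        return self.holddown_until is not None and now < self.holddown_until

    def tick(self, now):
        """Timer-expiry check; returns 'valid', 'invalid' or 'flushed'."""
        age = now - self.last_update
        if age >= FLUSH:
            return "flushed"            # entry is removed from the table
        if age >= INVALID:
            if self.metric < INFINITY:  # first time past the invalid timer
                self._poison(self.last_update + INVALID)
            return "invalid"            # kept, but advertised with metric 16
        return "valid"

    def receive(self, metric, next_hop, now):
        """Apply an incoming update for this prefix; True if it changed or
        refreshed the entry, False if it was ignored."""
        if self.tick(now) == "flushed":
            if metric >= INFINITY:
                return False
            self._learn(metric, next_hop, now)    # behaves like a brand-new route
            return True
        if next_hop == self.next_hop:             # the route's own source
            if metric >= INFINITY:                # poison from the source
                if self.metric < INFINITY:
                    self._poison(now)
                return False
            self._learn(metric, next_hop, now)    # refresh; ends any hold-down
            return True
        if metric >= INFINITY:
            return False                          # "unreachable via someone else"
        if self.in_holddown(now) and metric >= self.holddown_metric:
            return False                          # possibly stale: ignored in hold-down
        if metric < self.metric:
            self._learn(metric, next_hop, now)    # better path, switch next hop
            return True
        return False


if __name__ == "__main__":
    r = RipRoute("10.1.0.0/16", 2, "10.0.0.2", now=0)
    for t in (0, 150, 180, 239, 240):
        print(t, r.tick(t), "metric", r.metric)
```

The timeline printed by the script is the one the defaults produce: valid until 179, invalid from 180 (metric 16, hold-down until 360), flushed at 240 unless an update arrives.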

To enable RIP on a router:

Router(config)#router rip
Router(config-router)#version 2
Router(config-router)#network <classful network ID>

The network command takes a classful network address: it enables RIP on every interface
whose address falls within that network and advertises those interfaces' subnets.

LAB – RIP:

1. Enable the basic IP addressing scheme

a. Assign the PCs the IPs shown in the diagram

b. On Switch 1 configure "ip default-gateway 192.168.1.100"

On Switch 2 configure "ip default-gateway 192.168.2.100"



c. Assign the IPs to the routers' serial interfaces

d. Enable RIP on both routers

router2#sh run | sec rip
router rip
 version 2
 network 10.0.0.0
 network 192.168.1.0

Router3#sh run | sec rip
router rip
 version 2
 network 10.0.0.0
 network 192.168.2.0

Commands used for verification:

• show ip route
• show ip route rip
• show ip protocols

Rules for assigning IP addresses to the routers:

1. Each LAN and each WAN link must be a different network.
2. The router's Ethernet interface and the LAN it serves must be in the same network.
3. The two router interfaces facing each other across a link must be in the same network.
4. All interfaces of a single router must be in different networks.

Assigning an IP address on Cisco routers:

Router(config)#interface <interface type> <interface number>
Router(config-if)#ip address <ip address> <subnet mask>
Router(config-if)#no shutdown

Routing Protocol Classification: IGP and EGP

What is a Loopback Address?

A loopback interface is a virtual interface on a network device that is always up once
it has been configured. As with a physical interface, we assign it an IP address, which
is called the loopback address. Loopback interfaces are supported on all Cisco platforms
and, unlike subinterfaces, they are independent of the state of any physical interface.
Most IP implementations also support a loopback interface (lo0) for the host's own
loopback facility (127.0.0.0/8).
The loopback interface is considered stable because once it is enabled it stays up until
you issue shutdown under its interface configuration mode. It is very useful when you
want a single IP address as a reference that is independent of the status of any
physical interface on the device, for example as the OSPF router ID, as the source of
management traffic, or as a BGP peering address.

Command: Router(config)#interface loopback 0 (abbreviated lo0)

EIGRP (Enhanced Interior Gateway Routing Protocol):

Enhanced Interior Gateway Routing Protocol (EIGRP) is an advanced distance-vector routing
protocol used on a computer network to automate routing decisions and configuration.
It was designed by Cisco Systems as a proprietary protocol; the basic protocol was later
published as RFC 7868 (2016).
EIGRP is a dynamic routing protocol used to find the best path between any two layer-3
devices (routers or layer-3 switches). Its packets are carried directly in IP with
protocol number 88 (no TCP or UDP), and it uses a composite metric to select the best
path.
a. Standard protocol (initially Cisco proprietary; RFC 7868 is informational)
b. Maximum hop count is 255 (the default limit is 100)
c. AD value is 90 for internal routes (170 for external, 5 for summary routes)
d. Classless routing protocol (carries the subnet mask and supports VLSM)
e. Uses multicast (224.0.0.10) for hello and neighbor discovery, and unicast for
replies, acknowledgements and retransmissions

EIGRP Initial Process to form neighbor:

EIGRP Hello Packets:


Hello packets are sent between EIGRP neighbor for neighbor discovery and recovery. If
you send hello packets and receive them then EIGRP will form a neighbor relationship
with the other router. If you receive hello packets from the other side, EIGRP will believe
that the other router is still there. As soon as you don’t receive them anymore you will
drop the neighbor relationship called adjacency, and EIGRP might have to look for
another path for certain destinations.
Let me show you all the different EIGRP packets:


• Hello
• Update
• Query
• Reply
• ACK (Acknowledgement)

Hello packets are used for neighbor discovery. As soon as you send hello packets and
receive them, your EIGRP routers will try to form the neighbor adjacency. Before sharing
EIGRP updates, EIGRP routers must establish neighbor associations.
Hello:
• The hello message discovers neighbors and keeps track of them.
• It is sent as multicast to 224.0.0.10 (unicast when neighbors are configured
statically with the neighbor command).
• It is sent every 5 seconds by default on most links, with a 15-second hold timer; on
low-bandwidth NBMA links (T1 and slower) the defaults are 60 and 180 seconds.
• Hellos are unreliable: they are not acknowledged.
Update: carries routing information and is sent reliably to whichever router needs it.
Updates can be sent to a single neighbor using unicast or to a group of neighbors using
multicast.
Query: when a router loses its successor for a destination and has no feasible successor
in the topology table, it sends a query to its neighbours asking whether they have a
route to that destination. Queries are reliable and may be multicast or unicast; they
are what lets EIGRP converge quickly.
Reply: sent in response to a query. Reliable, unicast.
ACK: acknowledges the receipt of update, query and reply packets. An ACK is a unicast
hello packet with no data, and it does not itself require an acknowledgement.
EIGRP has its own reliability mechanism, the Reliable Transport Protocol (RTP), which
delivers update, query and reply packets between neighbors in a guaranteed, ordered way
and retransmits them if no ACK is received; hello and ACK packets are sent unreliably.

EIGRP Basic LAB:

Command to enable EIGRP on a router:
Router(config)#router eigrp 1 (any autonomous system number from 1 to 65535; it must
match on all routers that are to become neighbors)
Router(config-router)#network a.b.c.d [wildcard mask]


no auto-summary is needed on older IOS because, by default, EIGRP there behaves like a
classful routing protocol at major network boundaries: subnets are summarised to their
classful network when they are advertised out of an interface in a different major
network. In this case, that means 1.1.1.0/24 and 2.2.2.0/24 would be advertised as
1.0.0.0/8 and 2.0.0.0/8. Disabling auto-summary ensures EIGRP advertises the real subnet
masks. Since Cisco IOS 15.0, auto-summary is off by default for EIGRP; check show ip
protocols to see which behaviour is in effect.

EIGRP Tables:
a. Neighbor Table (#show ip eigrp neighbors)
b. Topology Table (#show ip eigrp topology)
c. Routing Table (#show ip route)
Neighbor Table: contains the list of directly connected EIGRP neighbors, i.e. routers
that have exchanged hellos with matching parameters. The example below has two routers
running EIGRP; the columns of show ip eigrp neighbors are:

• H (Handle): Here, you will find the order when the neighbor adjacency was
established. Your first neighbor will have a value of 0, the second neighbor a
value of 1, and so on.
• Hold: (sec): this is the hold-down timer per EIGRP neighbor. Once this timer
expires, we will drop the neighbor adjacency. The default hold-down timer is 15
seconds.
• Uptime: How long the neighbor has been up.
• SRTT (Smooth round-trip time): The number of milliseconds it takes to send an
EIGRP packet to your neighbor and receive an acknowledgment packet back.


• RTO (Retransmission timeout): The amount of time in milliseconds that EIGRP
will wait before retransmitting a packet from the retransmission queue to this
neighbor.
• Q Cnt (Q count): The number of EIGRP packets (Update, Query, or Reply) in the
queue that are awaiting transmission. Ideally, you want this number to be 0.
Otherwise, it might be an indication of congestion on the network.
• Seq Num (Sequence number): This will show you the sequence number of the
last update, query, or reply packet that you received from your EIGRP neighbor.
Topology Table: lists every route learned from each neighbor, not only the best one.
The heading of show ip eigrp topology shows the AS (Autonomous System) number, here
AS 1. Remember that the AS number has to match on EIGRP routers for them to become
neighbors.

P: Passive – the router is not performing any computation for the route and the
network is assumed to be stable. This is the normal state.
A: Active – the successor is down and there is no feasible successor, so the router is
querying its neighbors for an alternative path.
After local computation, the router realizes that it must query the neighbor to see
whether it can find a feasible successor or path.
Update – a value in this field indicates that the router has sent an update packet to a
neighbor.
Query – a value in this field indicates that the router has sent a query packet to a
neighbor.
Reply – a value here shows that the router has sent a reply to the neighbor.
r – used in conjunction with the query counter; the router has sent out a query and is
awaiting a reply.
Feasible distance (FD) – the metric, or cost, to the destination from this router via
the successor.


(46251776/46226176): the first number is the EIGRP metric that represents the
feasible distance, i.e. this router's cost to the destination. The number after the
slash is the metric that the peer advertised, the reported (advertised) distance.
Routing Table: stores the best route to each destination. These best routes are the
successors.
EIGRP LAB 2:

EIGRP Convergence: incremental updates

Hello packets are sent periodically, every 5 seconds; the hold time is 15 seconds.
Convergence is fast: a failed neighbor is detected within the 15-second hold time, and
if a feasible successor exists the backup route is installed immediately, without any
query.
EIGRP calculates the successor (best route) and the feasible successor (backup route).
How to calculate the successor and feasible successor:
Feasible Successor (FS) condition (the feasibility condition):
AD (advertised distance, also called reported distance) of the FS < FD (feasible
distance) of the successor, or equivalently
FD of successor > AD of FS.
Here AD means advertised distance, not administrative distance. The condition guarantees
that the backup path is loop-free: a neighbor whose own distance to the destination is
smaller than our best distance cannot be routing through us.
Let's try understanding with an example of how EIGRP calculates the successor and
feasible successor.
The successor route is stored in the routing table (and in the topology table).
The feasible successor is stored only in the topology table.


One more example showing FD and AD:

EIGRP Stuck in Active State (SIA):

• With EIGRP, if a router loses a route and it does not have an FS in the topology
table, it sends out queries to neighboring routers to recompute a new route. This
process puts the route in what is termed the active state.
 o A route is passive when the router is not recomputing it.
• To recompute a new route, the router sends out queries to all neighbors on
interfaces other than the one used to reach the previous successor. The query asks
the other routers whether they have a route to the given destination.
 o If the receiving router has an alternative route, it replies to the sending router
with that route and the query ends there.
 o If the receiving neighbor does not have a route, it queries all of its own
neighbors for an alternative route.
 o The queries propagate through the network, creating an expanding tree of queries.
 o When a router responds to the query, propagation stops on that portion of the
network. However, the query can still propagate in other portions of the network as
the other routers attempt to find alternative paths.
• When a route goes active, a reply must be received for every query generated;
otherwise the route stays active. If it remains active for the whole active timer
(3 minutes by default) it is "stuck in active" (SIA), and the router resets the
adjacencies with the neighbors that have not replied.
Common causes of SIAs:
 o A router has high CPU usage or memory problems, so it is too busy to respond or
unable to allocate enough memory to process the query or build the reply packet.
 o A bad link between the routers that is just good enough to keep the adjacency up,
but loses some packets, so some queries and replies are lost.
 o A unidirectional link, with traffic flowing in one direction only.

Preventing SIA Conditions:

• Cisco IOS Software Release 12.1(5) introduced a feature called Active Process
Enhancement.
 o This feature enables an EIGRP router to monitor the progress of the search for a
successor route and to verify that the neighbor is still reachable, using two new
EIGRP packet types:
 ▪ SIA-Query
 ▪ SIA-Reply
 o The result is improved network reliability by reducing unintended termination of
neighbor adjacencies.
 o Before:
• Router A sends a query for network 10.1.1.0/24 to Router B.
• Router B has no entry for this network, so it queries Router C.
• If a problem exists between Router B and Router C, the reply packet from Router C to
Router B might be delayed or lost.
• Router A has no visibility of downstream progress and assumes that no response
indicates a problem with Router B.
• After Router A's 3-minute active timer expires, the neighbor relationship with
Router B is reset, along with all routes known via Router B.
 o After:
• With the Active Process Enhancement feature, Router A queries downstream Router B
(with an SIA-Query) at the midway point of the active timer (one and a half minutes
by default) about the status of the route.
• Router B responds (with an SIA-Reply) that it is still searching for a replacement
route.
• Upon receiving this SIA-Reply, Router A validates the status of Router B and does not
terminate the neighbor relationship.
• Meanwhile, Router B sends up to three SIA-Queries to Router C. If they go unanswered,
Router B terminates the neighbor relationship with Router C.
• Router B then sends Router A a reply indicating that the network 10.1.1.0/24 is
unreachable.
• Routers A and B remove the active route from their topology tables.
• The neighbor relationship between Routers A and B remains intact.
 o A query is sent when the router loses a route from its routing table and has no
feasible successor for it.
 o SIA timer: active-time = 3 minutes by default (changed with timers active-time
under the EIGRP process).

Network Summarization:
Summarization means advertising one summary route that represents multiple networks.
Route summarization is a method where we create one summary route that represents
multiple networks/subnets. It is also called route aggregation or supernetting.
Summarization has several advantages:
Saves memory: routing tables are smaller, which reduces memory requirements.
Saves bandwidth: there are fewer routes to advertise, so updates are smaller.
Saves CPU cycles: fewer packets to process and smaller routing tables to search.
Stability: a flapping subnet behind the summary does not change the summary route, so
the instability is not propagated to the rest of the network.
The trade-off is that a summary may cover address space that is not actually in use, and
that a less specific route can be suboptimal. Cisco IOS installs a discard route to Null0
for every summary it originates, so that traffic for unused space inside the summary is
dropped instead of looping back to the default route.
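Added example (Python, not from the original notes): computing the summary (supernet) that covers a set of subnets, together with how much extra address space it claims, and the classful network that auto-summary would fall back to (the behaviour described earlier for EIGRP's no auto-summary). The prefixes in the tests are constructed; the arithmetic is the general one, so it also works for lists that are not contiguous or not aligned on a power-of-two boundary, in which case the extra count shows what a Null0 discard route would swallow.

```python
import ipaddress


def summary_route(prefixes):
    """Return (summary, extra): the longest single prefix covering every given
    network, and the number of addresses it covers beyond the listed networks
    (address space the summary 'claims' without owning)."""
    nets = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(p, strict=False) for p in prefixes))
    if not nets:
        raise ValueError("no prefixes given")
    lowest = min(int(n.network_address) for n in nets)
    highest = max(int(n.broadcast_address) for n in nets)
    for plen in range(32, -1, -1):               # most specific mask first
        candidate = ipaddress.ip_network((lowest, plen), strict=False)
        if int(candidate.broadcast_address) >= highest:
            covered = sum(n.num_addresses for n in nets)  # disjoint after collapse
            return str(candidate), candidate.num_addresses - covered
    raise AssertionError("unreachable: /0 covers everything")


def classful_network(address):
    """The classful network an auto-summarising protocol assumes for an address."""
    first_octet = int(ipaddress.ip_address(address)) >> 24
    if first_octet < 128:
        plen = 8        # class A
    elif first_octet < 192:
        plen = 16       # class B
    elif first_octet < 224:
        plen = 24       # class C
    else:
        return None     # class D/E: not a unicast network
    return str(ipaddress.ip_network((address, plen), strict=False))


if __name__ == "__main__":
    print(summary_route(["172.16.8.0/24", "172.16.9.0/24",
                         "172.16.10.0/24", "172.16.11.0/24"]))   # ('172.16.8.0/22', 0)
    print(summary_route(["192.168.1.0/24", "192.168.2.0/24"]))   # ('192.168.0.0/22', 512)
    print(classful_network("1.1.1.0"), classful_network("172.16.5.1"))
```

The second call shows the common mistake: 192.168.1.0/24 and 192.168.2.0/24 cannot be summarised as a /23 because they do not sit on a /23 boundary; the smallest covering prefix is 192.168.0.0/22, which also claims 192.168.0.0/24 and 192.168.3.0/24.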


RIP Summarization:
RIPv2 summarises at classful boundaries when auto-summary is on. A manual summary is
configured per interface:
Router(config-if)#ip summary-address rip <summary address> <mask>

EIGRP Summarization: (LAB 3)
A manual EIGRP summary is also configured per interface, for the EIGRP AS in question:
Router(config-if)#ip summary-address eigrp <AS number> <summary address> <mask>
The router then advertises only the summary out of that interface and installs the
summary in its own routing table with a next hop of Null0 (AD 5).


EIGRP K Values (Metric Calculation):

One of EIGRP's main benefits is being able to consider several different attributes
when calculating a route's cost, or metric. EIGRP is one of the only routing protocols
that can combine bandwidth, load, delay and reliability into its cost calculation.

Each of these attributes is controlled by what is known as a K-value. The K-values each
enable the consideration of one attribute, as well as the weight with which it is
considered:
K1 = Bandwidth
K2 = Load
K3 = Delay
K4 & K5 = Reliability

The formula for the classic EIGRP metric is:

EIGRP metric = 256 × ( [K1 × bandwidth + (K2 × bandwidth) / (256 – load) + K3 × delay]
× [K5 / (reliability + K4)] )

where bandwidth = 10^7 / (lowest bandwidth along the path, in kbit/s), delay = sum of
the interface delays along the path in tens of microseconds, load and reliability are
values from 1 to 255 (255 = fully loaded / 100% reliable), and the [K5 / (reliability
+ K4)] factor is applied only when K5 is not 0 (otherwise it would zero the metric).

With the default K-values, K1 = K3 = 1 and K2 = K4 = K5 = 0, this reduces to:

EIGRP metric = 256 × (10^7 / minimum bandwidth + total delay / 10)

The K-values must match on both routers or they will not become neighbors (metric
weights under router eigrp).
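Added example (Python, not from the original notes) serving both the K-value formula above and the earlier successor / feasible successor rule: eigrp_metric() is the classic composite metric with IOS integer arithmetic, and select_paths() applies the feasibility condition (reported distance of the backup strictly less than the feasible distance of the successor). The topology is constructed: R2 and R3 both advertise a FastEthernet path (RD 28160), R1 reaches R2 over FastEthernet and R3 over a T1, and R4 advertises a path that itself runs over a T1, so R4's RD exceeds R1's best FD and R4 is rejected as a possible loop. Bandwidths are in kbit/s and delays in microseconds, the units IOS shows in show interfaces.

```python
# Classic EIGRP composite metric and successor / feasible-successor selection.

DEFAULT_K = (1, 0, 1, 0, 0)     # K1..K5 as on Cisco IOS by default


def eigrp_metric(min_bandwidth_kbps, total_delay_us, load=1, reliability=255,
                 k=DEFAULT_K):
    """Classic (32-bit) EIGRP metric using the integer arithmetic IOS applies.
    min_bandwidth_kbps: lowest interface bandwidth along the path;
    total_delay_us: sum of interface delays along the path, in microseconds."""
    k1, k2, k3, k4, k5 = k
    bandwidth = 10**7 // min_bandwidth_kbps      # scaled inverse bandwidth
    delay = total_delay_us // 10                 # delay in tens of microseconds
    metric = k1 * bandwidth + (k2 * bandwidth) // (256 - load) + k3 * delay
    if k5 != 0:                                  # reliability term only when K5 is set
        metric = metric * k5 // (reliability + k4)
    return metric * 256


def select_paths(neighbors):
    """neighbors: list of dicts with
       neighbor      - name,
       adv_min_bw    - minimum bandwidth of the path the neighbor advertises (kbit/s),
       adv_delay_us  - total delay of that path (us),
       link_bw       - bandwidth of our link to the neighbor (kbit/s),
       link_delay_us - delay of our link to the neighbor (us).
    Returns the successor, its FD, the feasible successors and the rejected paths."""
    paths = []
    for n in neighbors:
        # Reported (advertised) distance: the neighbor's own metric to the destination.
        rd = eigrp_metric(n["adv_min_bw"], n["adv_delay_us"])
        # Our distance via this neighbor: bandwidth is a minimum, delay is additive.
        fd = eigrp_metric(min(n["adv_min_bw"], n["link_bw"]),
                          n["adv_delay_us"] + n["link_delay_us"])
        paths.append((n["neighbor"], rd, fd))
    successor = min(paths, key=lambda p: p[2])
    best_fd = successor[2]
    # Feasibility condition: RD of the backup < FD of the successor. A neighbor
    # that is strictly closer to the destination than we are cannot be using us.
    feasible = [name for name, rd, fd in paths if name != successor[0] and rd < best_fd]
    rejected = [name for name, rd, fd in paths if name != successor[0] and rd >= best_fd]
    return {"successor": successor[0], "fd": best_fd,
            "feasible_successors": feasible, "not_feasible": rejected,
            "paths": {name: (rd, fd) for name, rd, fd in paths}}


# Constructed topology: R1's three neighbors for destination 10.1.1.0/24.
SAMPLE = [
    {"neighbor": "R2", "adv_min_bw": 100000, "adv_delay_us": 100,
     "link_bw": 100000, "link_delay_us": 100},       # FastEthernet all the way
    {"neighbor": "R3", "adv_min_bw": 100000, "adv_delay_us": 100,
     "link_bw": 1544, "link_delay_us": 20000},       # R3 is good, our link to it is a T1
    {"neighbor": "R4", "adv_min_bw": 1544, "adv_delay_us": 20100,
     "link_bw": 100000, "link_delay_us": 100},       # R4's own path crosses a T1
]

if __name__ == "__main__":
    result = select_paths(SAMPLE)
    for name, (rd, fd) in result["paths"].items():
        print(f"{name}: RD={rd} FD={fd}")
    print("successor:", result["successor"], "FD", result["fd"])
    print("feasible successors:", result["feasible_successors"],
          "rejected:", result["not_feasible"])
```

The numbers match what show ip eigrp topology would print as FD/RD pairs: via R2 30720/28160, via R3 2172416/28160 (a poor path but a loop-free backup) and via R4 2174976/2172416 (rejected, even though its FD is barely worse than R3's).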

OSPF (Open Shortest Path First):

OSPF (Open Shortest Path First) is a popular link-state routing protocol (OSPFv2 is
defined in RFC 2328).
Routers exchange pieces of information called LSAs (link-state advertisements) to build
a complete topology database, the LSDB (link-state database), and each router then runs
the SPF (Dijkstra) algorithm on that database to compute its routes.

a. It is a link-state protocol and an open standard
b. It uses the SPF (Shortest Path First, Dijkstra) algorithm
c. No hop-count limit
d. Metric is cost = reference bandwidth / interface bandwidth, with a default reference
bandwidth of 10^8 bit/s (100 Mbit/s); every link of 100 Mbit/s or faster therefore gets
cost 1 unless auto-cost reference-bandwidth is raised
e. AD (Administrative Distance) is 110
f. Supports equal-cost load balancing and is a classless routing protocol
g. Runs directly over IP with protocol number 89 and uses the multicast addresses
224.0.0.5 (all OSPF routers) and 224.0.0.6 (all DRs)
Link-state routing protocols operate by flooding link-state advertisements (LSAs) to all
other routers in the area. Every router needs the same set of LSAs so that it can build an
identical link-state database (LSDB).

LSDB (Link State Data Base) VS LSA:


Basic OSPF Process / 7 stages of the OSPF neighbor process:

OSPF routers go through seven states while building a neighbor relationship with other
routers:
❖ Down state
❖ Attempt/Init state
❖ 2-Way state
❖ ExStart state
❖ Exchange state
❖ Loading state
❖ Full state

Down state:

At this point both routers have no information about each other. R1 does not know which
protocol is running on R2, and vice versa R2 has no clue about R1. In this stage OSPF
learns about the local interfaces that are configured to run the OSPF instance.


In the Down state routers prepare themselves for the neighbor process. In this state a
router chooses its RID (Router ID). The RID plays a big role in the OSPF process, so
before we move on to the next state let's understand what the RID is.

RID (Router ID):

The RID is the unique identifier of a router in an OSPF network. It must be unique
within the OSPF domain (autonomous system); routers identify each other by RID.
How do routers choose the RID?
An OSPF router looks in three places for the RID, in this order of priority:
a. Manual configuration
b. Loopback interface IP configuration
c. Active physical interface IP configuration
Manual configuration (HIGHEST PRIORITY):
Because the RID plays a significant role in the network, OSPF allows us to configure it
manually. The RID is 32 bits long, the same length as an IPv4 address, so it is written
in dotted-decimal form and any IPv4 address can be used as the RID, whether or not it is
configured on the router. We assign it in OSPF router configuration mode:
Router(config)#router ospf 1
Router(config-router)#router-id <A.B.C.D>
If the RID is assigned manually, OSPF does not look at the next two options. If it was
not assigned, OSPF looks at the next option to find the RID. A changed RID only takes
effect after clear ip ospf process or a reload.

Loopback interface IP configuration:

If a loopback interface is configured, OSPF chooses its IP address as the RID. If
multiple loopback interfaces are configured, the highest IP address among them is
chosen.
If no loopback interface is configured, OSPF looks in the next and last possible place
to choose the RID.

Active interface IP configuration:

OSPF chooses the highest IP address among all operational (up/up) physical interfaces.
We should not let OSPF use this option. It does not provide a fixed RID, which is
necessary for network stability: if that interface is down when the process restarts, the
router comes up with a different RID.

Attempt/Init state:
The neighbor-building process starts in this state. R1 multicasts its first hello packet
(to 224.0.0.5) so that other routers on the network can learn of R1's existence as an
OSPF router. This hello packet contains the Router ID and some essential configuration
values such as the area ID, hello interval, dead interval, authentication data,
stub-area flag and network mask. The essential values must be the same on routers that
want to build an OSPF neighbor relationship. (The Attempt state is used only on NBMA
networks, where neighbors are configured manually and hellos are sent as unicast.)

What information must match in OSPF hello packets to form a neighbor relationship?

The following fields in the hello packets must be the same on both routers for them to
become neighbors:

• subnet and subnet mask (not checked on point-to-point links)
• area ID
• hello and dead interval timers
• authentication type and key
• area stub flag (options field)
• MTU: this is not in the hello, but an MTU mismatch is detected in the DBD exchange
that follows and leaves the adjacency stuck in ExStart/Exchange unless ip ospf
mtu-ignore is configured

Two-way state:
If the essential configuration values match, R2 adds R1 to its neighbor table and
replies with its own hello packet. Besides the RID and the configuration values, this
packet also contains R2's neighbor list. Since R2 has already added R1 to its neighbor
table, when R1 reads R2's neighbor list it sees its own RID there. This assures R1 that
R2 has accepted its neighbor request: communication is now bidirectional.
At this point:

• R2 has checked all the essential configuration values listed in the hello packet it
received from R1.
• R2 is ready to build a neighbor relationship with these parameters.
• R2 has added R1 to its neighbor table.
• To continue the neighbor process, R2 has replied with its own hello packet.


• R1 has received a reply from neighbor, with its own RID listed in R2’s neighbor
table.

OSPF uses different types of exchange process for different types of networks:

Point-to-point network:

This network type connects a single pair of routers. It is a standard OSPF network type
(RFC 2328), not a Cisco-specific one, and it is the default on serial links running HDLC
or PPP. On this type of network:

• The two routers form a full adjacency with each other.
• Hello packets are sent to the multicast address 224.0.0.5.
• No DR and BDR are elected.

Broadcast and NBMA networks:

• A DR and BDR are elected on broadcast networks (for example Ethernet) and on NBMA
(Non-Broadcast Multiple Access) networks such as Frame Relay.

We can divide these networks into two types:

Networks which need a DR and BDR, such as broadcast and NBMA.
Networks which do not need a DR and BDR, such as point-to-point and point-to-multipoint.

DR and BDR:
OSPF routers on a network type that needs a DR (Designated Router) and a BDR (Backup
Designated Router) do not exchange routing information directly with every other
router. To minimise the exchange, they elect one router as the DR and another as the
BDR. The remaining routers are known as DROTHERs.
All DROTHERs send their link-state updates to the DR and BDR (multicast 224.0.0.6,
AllDRouters); the DR floods the information back to all routers (multicast 224.0.0.5,
AllSPFRouters). The BDR is a standby: if the DR fails, the BDR immediately takes over as
DR and a new BDR is elected.
The main reason for this mechanism is that the routers have a central point for routing
information exchange, so they need not update each other: a DROTHER only needs to update
the central point (DR), and the other DROTHERs receive the update from the DR. With n
routers on the segment this reduces the number of adjacencies from n(n-1)/2 to 2n-3.


DR and BDR election process:

OSPF uses the interface priority value to select the DR and BDR. The router with the
highest priority becomes the DR, and the router with the second-highest priority becomes
the BDR. If there is a tie, the router with the highest RID wins.
The priority value is 8 bits long. The default priority is 1. We can set any value from
0 to 255 in interface configuration mode with the ip ospf priority command.
We can force any router to become the DR (highest) or BDR (second highest) by changing
its priority. If we set the priority to 0, the router never becomes DR or BDR.
The election is not pre-emptive: once a DR and BDR exist, a router that joins with a
higher priority does not take over until the current DR fails (or the OSPF process is
cleared), which is why a priority change on a running segment often appears to do
nothing.

When the 2-Way state is complete, the DR and BDR are elected, assuming the routers are on
a broadcast or NBMA network.
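Added example (Python, not from the original notes) covering the three decisions described in this OSPF section: router-ID selection in the IOS order (manual, then highest loopback, then highest up interface), the check of the hello fields that must match, and the DR/BDR election by (priority, RID) including the non-preemptive behaviour. Addresses are compared numerically rather than as strings, which matters because "10.10.10.10" sorts below "9.9.9.9" as text. The router IDs, priorities and hello parameters are constructed for the example.

```python
import ipaddress


def _as_int(ip):
    return int(ipaddress.ip_address(ip))


def choose_router_id(manual=None, loopbacks=(), interfaces=()):
    """OSPF router-ID selection in IOS order: the router-id command, else the
    highest loopback address, else the highest address of an interface that
    is up. loopbacks: list of addresses; interfaces: list of (address, is_up)."""
    if manual:
        return manual
    if loopbacks:
        return max(loopbacks, key=_as_int)
    up = [ip for ip, is_up in interfaces if is_up]
    return max(up, key=_as_int) if up else None


HELLO_MUST_MATCH = ("area_id", "hello_interval", "dead_interval",
                    "auth_type", "auth_key", "stub_flag")


def hello_mismatches(local, remote, point_to_point=False):
    """Names of the fields in a received hello that differ from our interface
    settings. The network mask is checked too, except on point-to-point links,
    where RFC 2328 says it is ignored."""
    fields = HELLO_MUST_MATCH if point_to_point else HELLO_MUST_MATCH + ("network_mask",)
    return [f for f in fields if local.get(f) != remote.get(f)]


def elect_dr_bdr(routers, current_dr=None, current_bdr=None):
    """DR/BDR election by (priority, router ID); priority 0 is ineligible.
    Non-preemptive: an existing DR keeps the role, and if it disappears the
    existing BDR is promoted before anyone else is ranked."""
    eligible = {rid: pri for rid, pri in routers.items() if pri > 0}
    rank = lambda rid: (eligible[rid], _as_int(rid))
    if current_dr in eligible:
        dr = current_dr
    elif current_bdr in eligible:
        dr = current_bdr
    else:
        dr = max(eligible, key=rank) if eligible else None
    others = [rid for rid in eligible if rid != dr]
    if current_bdr in others:
        bdr = current_bdr
    else:
        bdr = max(others, key=rank) if others else None
    return dr, bdr


if __name__ == "__main__":
    segment = {"1.1.1.1": 1, "2.2.2.2": 1, "3.3.3.3": 0, "4.4.4.4": 1}
    print("fresh election:", elect_dr_bdr(segment))
    print("1.1.1.1 raised to 200 afterwards:",
          elect_dr_bdr(dict(segment, **{"1.1.1.1": 200}),
                       current_dr="4.4.4.4", current_bdr="2.2.2.2"))
    print("RID:", choose_router_id(None, ["9.9.9.9", "10.10.10.10"]))
```

The second print shows the non-preemptive case: raising 1.1.1.1's priority on a running segment changes nothing until the current DR goes away.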

EXSTART STATE:
This state indicates that the DR and BDR have been elected (where the network type needs
them) and that the master/slave relationship is being determined. An initial sequence
number for the database exchange is also selected. The router with the highest router ID
becomes the master and begins the exchange of link-state data. Only the master increments
the sequence number.


EXCHANGE STATE:
In this state OSPF routers exchange Database Description (DBD) packets. These contain
the Link State Advertisement (LSA) headers that describe the contents of the entire link
state database (LSDB). The router compares the received DBD with its own LSDB to check
whether its neighbor has changed or additional link-state information.

LOADING STATE:
In this state, routers exchange full link-state information based on the DBDs provided by
their neighbors: the OSPF router sends Link State Requests (LSRs) and receives Link State
Updates (LSUs) containing the requested Link State Advertisements (LSAs).
A Link State Update (LSU) acts as an envelope that carries the LSAs sent to neighbors for
new changes or newly learned networks.

FULL STATE:
Full state is the normal operating state of OSPF that indicates everything is functioning
normally. In this state, routers are fully adjacent with each other, and all the router and
network Link State Advertisements (LSAs) are exchanged, and the routers' databases are
fully synchronized.
For Broadcast and NBMA media, routers will achieve the Full State with their DR and BDR
router only, while for Point-to-point and Point-to-multipoint networks a router should be
in the Full State with every neighbouring router.

OSPF Process (Summarized format):
Down – indicates that no Hellos have been heard from the neighbouring router.
Init – indicates a Hello packet has been heard from the neighbor, but two way
communication has not yet been initialized.
2-Way – indicates that bidirectional communication has been established. Recall that
Hello packets contain a neighbor field. Thus, communication is considered 2-Way once a
router sees its own Router ID in its neighbor’s Hello Packet. Designated and Backup
Designated Routers are elected at this stage.
ExStart – indicates that the routers are preparing to share link state information.
Master/slave relationships are formed between routers to determine who will begin the
exchange.
Exchange – indicates that the routers are exchanging Database Descriptors (DBDs). DBDs
contain a description of the router’s Topology Database. A router will examine a
neighbor’s DBD to determine if it has information to share.


Loading – indicates the routers are finally exchanging Link State Advertisements,
containing information about all links connected to each router. Essentially, routers are
sharing their topology tables with each other.
Full – indicates that the routers are fully synchronized. The topology table of all routers in
the area should now be identical. Depending on the “role” of the neighbor, the state may
appear as:
• Full/DR – indicating that the neighbor is a Designated Router (DR)
• Full/BDR – indicating that the neighbor is a Backup Designated Router (BDR)
• Full/DROther – indicating that the neighbor is neither the DR nor the BDR.
On a multi-access network, OSPF routers will only form Full adjacencies with the DR and BDR.
Routers that are neither DR nor BDR still discover each other as neighbors, but remain in
the 2-Way state with one another. This is normal OSPF behavior.
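
The 2-Way check and the DR/BDR election described above, as an added example (not code from the original document): only neighbors whose Hello lists our own Router ID take part, the highest priority wins, ties go to the highest Router ID compared numerically, and priority 0 is excluded. It assumes all routers start at the same time, so there is no incumbent DR to keep; the Router IDs, priorities and Hello contents are constructed samples.

```python
"""Added example: 2-Way detection and DR/BDR election on one broadcast segment.
Assumes a cold start (no existing DR to preserve); all values are constructed."""
from ipaddress import IPv4Address


def rid_key(rid: str) -> int:
    """Router IDs compare as 32-bit numbers, not as strings."""
    return int(IPv4Address(rid))


def two_way_neighbors(my_rid: str, hellos: dict) -> set:
    """hellos: {neighbor_rid: list of Router IDs carried in that neighbor's Hello}.
    A neighbor is 2-Way only when its Hello lists our own Router ID; otherwise
    it is still in Init (we hear it, it does not yet hear us)."""
    return {n for n, seen in hellos.items() if my_rid in seen}


def elect_dr_bdr(priorities: dict) -> tuple:
    """priorities: {router_id: ip ospf priority}. Returns (dr, bdr); None where
    no eligible router remains."""
    for rid, prio in priorities.items():
        if not 0 <= prio <= 255:            # the priority field is 8 bits wide
            raise ValueError(f"priority {prio} on {rid} is not in 0..255")
    eligible = [r for r, p in priorities.items() if p > 0]   # 0 = never DR/BDR
    # Highest priority first, then highest Router ID as the tie-breaker.
    ranked = sorted(eligible, key=lambda r: (priorities[r], rid_key(r)),
                    reverse=True)
    dr = ranked[0] if ranked else None
    bdr = ranked[1] if len(ranked) > 1 else None
    return dr, bdr


def elect_on_segment(my_rid: str, my_priority: int, hellos: dict,
                     priorities: dict) -> tuple:
    """Election as seen from my_rid: ourselves plus every neighbor that has
    reached 2-Way with us. A router stuck in Init cannot be elected by us."""
    voters = {my_rid: my_priority}
    for n in two_way_neighbors(my_rid, hellos):
        voters[n] = priorities[n]
    return elect_dr_bdr(voters)
```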

OSPF Tables:
The OSPF process builds and maintains three tables:
• A neighbor table – contains a list of all neighbouring routers (show ip ospf neighbor).
• A database table – contains a list of all possible routes to all known networks within an
area (show ip ospf database).
• A routing table – contains the best route for each known network (show ip route).

OSPF Hello and Dead Intervals:

By default, Hello packets are sent out OSPF-enabled interfaces every 10 seconds for
broadcast and point-to-point interfaces, and every 30 seconds for non-broadcast and point-to-
multipoint interfaces. OSPF also has a Dead Interval, which indicates how long a router
will wait without hearing any Hellos before announcing a neighbor as “down.” The default
Dead Interval is 40 seconds for broadcast and point-to-point interfaces, and 120
seconds for non-broadcast and point-to-multipoint interfaces. Notice that, by default, the
Dead Interval is four times the Hello interval. These timers can be adjusted on a per-
interface basis, but the Hello and Dead intervals must match on both ends of a link or
the neighbor relationship will not form:

Router(config-if)# ip ospf hello-interval 15
Router(config-if)# ip ospf dead-interval 60

Introduction of OSPF Areas:


Issues with Maintaining large OSPF Network:

OSPF uses the concept of areas. An area is a logical grouping of contiguous networks
and routers. All routers in the same area have the same topology table, but they don’t
know the topology of the other areas. The main benefits of creating areas are that the
size of the topology table and the routing table on a router is reduced, less time is required to
run the SPF algorithm, and routing updates are also reduced.
Each area in the OSPF network has to connect to the backbone area (area 0). All routers
inside an area must have the same area ID to become OSPF neighbors. A router that has
interfaces in more than one area (area 0 and area 1, for example) is called an Area Border
Router (ABR). A router that connects an OSPF network to other routing domains (an EIGRP
network, for example) is called an Autonomous System Border Router (ASBR).

WildCard Mask:
Wildcard masks are used to specify a range of network addresses. They are commonly
used with routing protocols (like OSPF) and access lists. Just like a subnet mask, a
wildcard mask is 32 bits long. It acts as an inverted subnet mask: with a wildcard
mask, the zero bits indicate that the corresponding bit position must match the same bit
position in the IP address, while the one bits indicate that the corresponding bit position
does not have to match. For example, network 192.168.1.0 with wildcard 0.0.0.255 matches
any address whose first 24 bits are 192.168.1, the same range the subnet mask 255.255.255.0
describes.

OSPF LAB (LAB – 1):

Output from Router – 1:

Task: change area 0 to area 10 on any one router and verify whether the neighborship
still forms.
On Router-1 the area value was changed to area 10:
Router(config)#router ospf 100
Router(config-router)#router-id 2.2.2.2
Router(config-router)#log-adjacency-changes
Router(config-router)#network 192.168.1.0 0.0.0.255 area 10 ------> changed from area 0 to area 10
Router(config-router)#network 2.2.2.0 0.0.0.255 area 10
Router#
%SYS-5-CONFIG_I: Configured from console by console
Router#
00:18:24: %OSPF-4-ERRRCV: Received invalid packet: mismatch area ID, from backbone area must be
virtual-link but not found from 192.168.1.2, GigabitEthernet0/0/0
The neighbor at 192.168.1.2 is still in area 0, so its Hellos are rejected for an area ID
mismatch and no adjacency forms: both ends of a link must agree on the area ID.

OSPF Passive Interfaces:


It is possible to control which interfaces participate in the OSPF process.
A passive interface does not actively participate in the OSPF process (the same is
possible with EIGRP and RIP).
Please note that the passive-interface command works differently with OSPF than with
RIP or IGRP. OSPF will no longer form neighbor relationships out of a “passive” interface,
so this command prevents updates from being sent or received on that interface, while the
interface’s network is still advertised to neighbors on the other interfaces:
Commands:
RouterC(config)# router ospf 1
RouterC(config-router)# network 10.4.0.0 0.0.255.255 area 0
RouterC(config-router)# network 10.2.0.0 0.0.255.255 area 0
RouterC(config-router)# passive-interface s0 (now the serial interface won’t participate in
the OSPF process)
Always remember that the passive-interface command prevents OSPF (and EIGRP)
from forming neighbor relationships out of that interface. No routing updates are
passed in either direction.

OSPF LAB – Passive Interfaces Config – LAB 2:


OSPF Area Design Rules:

OSPF LSA Types:


OSPF uses an LSDB (link-state database) and fills it with LSAs (link-state advertisements).
Instead of a single kind of LSA, OSPF has many different types:
LSA Type 1: Router LSA
LSA Type 2: Network LSA
LSA Type 3: Summary LSA
LSA Type 4: Summary ASBR LSA
LSA Type 5: Autonomous system external LSA

LSA Type 6: Multicast OSPF LSA
LSA Type 7: Not-so-stubby area LSA
LSA Type 8: External attribute LSA for BGP

Type 1 = Router LSA: This is generated by every OSPF-enabled router for every
interface that participates in OSPF, and is advertised to all routers in the area.
• show ip ospf database = “Router Link States”
• Link-state ID = RID of the originating router
The Router LSA stays within the area.

Type 2 = Network LSA: This is flooded by the DR on multi-access networks to notify
routers of which router is the responsible Designated Router for that segment.
• show ip ospf database = “Net Link States”
• Appears as “O” in the routing table
• Link-state ID = IP address of the DR interface for that multi-access segment
The Network LSA stays within the area.

Type 3 = Summary LSA: This is generated by an ABR to advertise routes from one
area to another (e.g., an LSA sent into Area 0 describing the routes of a non-backbone
area, and vice versa). Summarization is not on by default.


Type 1 router LSAs always stay within the area. OSPF however works with multiple areas
and you probably want full connectivity within all the areas. R1 is flooding a router LSA
within the area so R2 will store this in its LSDB. R3 and R4 also need to know about the
networks in Area 2.
R2 is going to create a Type 3 summary LSA and flood it into area 0. This LSA will flood
into all the other areas of our OSPF network. This way all the routers in other areas will
know about the prefixes from other areas.
The name “summary” LSA is very misleading. By default, OSPF is not going to summarize
anything for you. If you are looking at the routing table of an OSPF router and see
some O IA entries, you are looking at LSA type 3 summary LSAs. Those are your inter-
area prefixes!

Type 4 = ASBR Summary LSA: This is generated by an ABR to notify routers of the
presence of an ASBR in a particular area.

• show ip ospf database = “Summary ASB Link States”
• Does not appear in the routing table
• Link-state ID = RID of the ASBR in another area

LSA Type 5: Autonomous system external LSA


This prefix will be redistributed into OSPF. R1 (our ASBR) will take care of this and create
a type 5 external LSA for this. Don’t forget we still need type 4 summary ASBR LSA to
locate R1. If you ever tried redistribution with OSPF you might have seen O E1 or E2
entries. Those are the external prefixes and our type 5 LSAs.
This is generated by an ASBR, one for each route that is redistributed into OSPF. Flooded
everywhere, except for special areas.

• show ip ospf database = “Type-5 AS External Link States”
• Appears as “O E2” in the routing table
• Link-state ID = external network ID that has been redistributed

Type 7 = NSSA External LSA (Not-So-Stubby Area):

In the picture R1 is still our ASBR redistributing information from RIP into OSPF.

Since type 5 is not allowed we must think of something else. That’s why we have a type
7 external LSA that carries the exact same information but is not blocked within the
NSSA area. R2 will translate this type 7 into a type 5 and flood it into the other areas.
Let me summarize the LSA types:

• Type 1 – Router LSA: The Router LSA is generated by each router for each area in which it
is located. In the link-state ID you will find the originating router’s ID.
• Type 2 – Network LSA: Network LSAs are generated by the DR. The link-state ID
will be the interface IP address of the DR.


• Type 3 – Summary LSA: The summary LSA is created by the ABR and flooded
into other areas.
• Type 4 – Summary ASBR LSA: Other routers need to know where to find the
ASBR. This is why the ABR will generate a summary ASBR LSA which will include
the router ID of the ASBR in the link-state ID field.
• Type 5 – External LSA: also known as autonomous system external LSA: The
external LSAs are generated by the ASBR.
• Type 6 – Multicast LSA: Not supported and not used.
• Type 7 – External LSA: also known as not-so-stubby-area (NSSA) LSA: As you can
see area 2 is a NSSA (not-so-stubby-area) which doesn’t allow external LSAs (type
5). To overcome this issue, we are generating type 7 LSAs instead.
OSPF LSA LAB (LAB – 3):

1. Create the LAB as per the topology
2. Assign the IP addressing as per the diagram
3. Enable OSPF on all the routers
4. Create loopback interfaces, assign their IP addresses and include them in OSPF
5. Check the outputs as shown below

router2#sh ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O IA    1.1.1.0 [110/3] via 192.168.20.1, 00:15:28, GigabitEthernet0/0/0
     5.0.0.0/32 is subnetted, 1 subnets
O IA    5.5.5.0 [110/3] via 192.168.20.1, 00:11:40, GigabitEthernet0/0/0
O IA 192.168.10.0 [110/2] via 192.168.20.1, 00:15:28, GigabitEthernet0/0/0


------------------------------------------------------------------------------------------------------------------
router2#ping 5.5.5.0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.0, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms
----------------------------------------------------------------------------------------------------------

By using the show ip ospf database we can look at the LSDB and we can see the type 1
router LSAs, type 2 network LSAs and the type 3 summary LSAs here. What else do we
find here?

• Link ID: this is what identifies each LSA.
• ADV router: the router that is advertising this LSA.
• Age: the age of the LSA in seconds. The maximum is 3600 seconds, or 1 hour.
• Seq#: the sequence number, which starts at 0x80000001 and increases by 1 for each
update.
• Checksum: there is a checksum for each LSA.
• Link count: the total number of directly connected links; only used for the router LSA.
Task: on Router 0, create one more loopback interface, Loopback 1 – 11.11.11.11, and
redistribute it into OSPF.
You will now see the Type 5 LSA in the LSDB and its route as an O E2 entry in the routing
table.

The OSPF Hierarchy:

OSPF is a hierarchical system that separates an Autonomous System
into individual areas. OSPF traffic can either be intra-area (within one area), inter-area
(between separate areas), or external (from another AS).

OSPF routers build a Topology Database of all links within their area, and all routers
within an area will have an identical topology database. Routing updates between these
routers will only contain information about links local to their area. Limiting the topology
database to include only the local area conserves bandwidth and reduces CPU loads.
Area 0 is required for OSPF to function and is considered the “Backbone” area. As a
rule, all other areas must have a connection into Area 0, though this rule can be
bypassed using virtual links (explained shortly). Area 0 is often referred to as the transit
area to connect all other areas. OSPF routers can belong to multiple areas and will thus
contain separate Topology databases for each area. These routers are known as Area
Border Routers (ABRs). Consider the above example. Three areas exist: Area 0, Area 1,
and Area 2. Area 0, again, is the backbone area for this Autonomous System.
Both Area 1 and Area 2 must directly connect to Area 0. Routers A and B belong fully to
Area 1, while Routers E and F belong fully to Area 2. These are known as Internal
Routers. Router C belongs to both Area 0 and Area 1. Thus, it is an ABR. Because it has
an interface in Area 0, it can also be considered a Backbone Router. The same can be
said for Router D, as it belongs to both Area 0 and Area 2.


Now consider the above example. Router G has been added, which belongs to Area 0.
However, Router G also has a connection to the Internet, which is outside this
Autonomous System. This makes Router G an Autonomous System Border Router
(ASBR).
A router can become an ASBR in one of two ways:
• By connecting to a separate Autonomous System, such as the Internet
• By redistributing another routing protocol into the OSPF process.
ASBRs provide access to external networks. OSPF defines two “types” of external routes:
• Type 2 (E2) – Includes only the external cost to the destination network. External cost
is the metric being advertised from outside the OSPF domain. This is the default type
assigned to external routes.
• Type 1 (E1) – Includes both the external cost, and the internal cost to reach the ASBR,
to determine the total metric to reach the destination network. Type 1 routes are always
preferred over Type 2 routes to the same destination.
Thus, the four separate OSPF router types are as follows:
• Internal Routers – all router interfaces belong to only one area.
• Area Border Routers (ABRs) – contain interfaces in at least two separate areas.
• Backbone Routers – contain at least one interface in Area 0.
• Autonomous System Border Routers (ASBRs) – contain a connection to a separate
Autonomous System.
From the above example, the following can be determined:
• Routers A, B, E, and F are Internal Routers.
• Routers C and D are ABRs (and, having an interface in Area 0, also Backbone Routers).
• Router G is an ASBR.

OSPF Authentication:


OSPF supports authentication to secure routing updates. However, OSPF authentication
is configured differently than RIP or EIGRP authentication. Two forms of OSPF
authentication exist, using either clear-text or an MD5 hash. Clear-text authentication
sends the key itself in every OSPF packet, so anyone who can capture the traffic can read it;
with MD5 only a hash computed over the packet and the key is transmitted. To configure
clear-text authentication, the first step is to enable authentication for the area, under
the OSPF routing process:
RouterA(config)# router ospf 1
RouterA(config-router)# network 172.17.0.0 0.0.255.255 area 0
RouterA(config-router)# area 0 authentication
Then, the authentication key must be configured on the interface:
RouterA(config)# interface s0
RouterA(config-if)# ip ospf authentication-key MYKEY
To configure MD5-hashed authentication, the first step is also to enable authentication
for the area under the OSPF process:
RouterA(config)# router ospf 1
RouterA(config-router)# network 172.17.0.0 0.0.255.255 area 0
RouterA(config-router)# area 0 authentication message-digest
Notice the additional parameter message-digest included with the area 0 authentication
command. Next, the hashed authentication key must be configured on the interface:
RouterA(config)# interface s0
RouterA(config-if)# ip ospf message-digest-key 10 md5 MYKEY
Area authentication must be enabled on all routers in the area, and the form of
authentication must be identical (clear-text or MD5). The authentication keys do not
need to be the same on every router in the OSPF area but must be the same on
interfaces connecting two neighbors. Please note: if authentication is enabled for Area
0, the same
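
The two authentication forms just described, as an added example (not code from the original document): a Python model of an OSPFv2 Hello carrying clear-text (AuType 1) and MD5 (AuType 2) authentication, with the digest computed as RFC 2328 Appendix D specifies (MD5 over the packet followed by the key padded to 16 bytes). The Router IDs, addresses, key ID 10 and key MYKEY are sample values; the IP header and the OSPF checksum are left out.

```python
"""Added example: OSPFv2 Hello with clear-text versus MD5 authentication.
Layouts follow RFC 2328 Appendix D; all addresses and keys are constructed."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

OSPF_VERSION = 2
OSPF_HELLO = 1
AUTH_SIMPLE = 1          # "area 0 authentication"  (clear-text)
AUTH_CRYPTO = 2          # "area 0 authentication message-digest"
HEADER_LEN = 24
DIGEST_LEN = 16


def ip(addr: str) -> bytes:
    """Dotted-quad string to 4 network-order bytes."""
    return IPv4Address(addr).packed


def hello_body(mask="255.255.255.0", hello=10, dead=40, priority=1,
               dr="0.0.0.0", bdr="0.0.0.0", neighbors=()) -> bytes:
    """Hello body: netmask, HelloInterval, Options, RtrPri, RouterDeadInterval,
    DR, BDR, then the Router IDs of the neighbors seen on the segment."""
    body = ip(mask) + struct.pack("!HBBI", hello, 0x02, priority, dead)
    body += ip(dr) + ip(bdr)
    return body + b"".join(ip(n) for n in neighbors)


def header(au_type: int, auth: bytes, body_len: int,
           rid="1.1.1.1", area="0.0.0.0") -> bytes:
    """24-byte OSPF header. The checksum stays 0: with AuType 2 it is unused
    (RFC 2328 D.4.3), and this demo does not need one for the clear-text case."""
    assert len(auth) == 8
    return (struct.pack("!BBH", OSPF_VERSION, OSPF_HELLO, HEADER_LEN + body_len)
            + ip(rid) + ip(area) + struct.pack("!HH", 0, au_type) + auth)


def simple_auth_packet(key: bytes, body: bytes) -> bytes:
    """Clear-text: the key itself (padded to 8 bytes) rides in the header."""
    return header(AUTH_SIMPLE, key[:8].ljust(8, b"\x00"), len(body)) + body


def md5_auth_packet(key: bytes, key_id: int, seq: int, body: bytes) -> bytes:
    """Cryptographic: auth field = 0, Key ID, AuthDataLen (16), sequence number.
    The digest MD5(packet || key padded to 16 bytes) is appended after the
    packet and is not counted in the OSPF length field."""
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    pkt = header(AUTH_CRYPTO, auth, len(body)) + body
    return pkt + hashlib.md5(pkt + key[:16].ljust(16, b"\x00")).digest()


def verify_md5(packet: bytes, keys: dict) -> bool:
    """Receiver side: select the key by Key ID (keys maps key_id -> key bytes,
    like the interface's message-digest-key list), recompute, compare."""
    if len(packet) < HEADER_LEN + DIGEST_LEN:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    au_type = struct.unpack("!H", packet[14:16])[0]
    key_id, data_len = packet[18], packet[19]
    if au_type != AUTH_CRYPTO or data_len != DIGEST_LEN:
        return False
    if len(packet) != length + DIGEST_LEN or key_id not in keys:
        return False
    body, digest = packet[:length], packet[length:]
    expected = hashlib.md5(body + keys[key_id][:16].ljust(16, b"\x00")).digest()
    return hmac.compare_digest(expected, digest)


def key_visible_on_wire(packet: bytes, key: bytes) -> bool:
    """True when the raw key bytes can be read straight out of the packet."""
    return key in packet
```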

OSPF Area Types:


• Standard Area
• Stub Area
• Totally Stub Area
• Not so Stubby area (NSSA)

Standard Area – A “normal” OSPF area.


• Routers within a standard area will share Router (Type 1) and Network (Type 2) LSAs to
build their topology tables. Once fully synchronized, routers within an area will all have
identical topology tables.
• Standard areas will accept Network Summary (Type 3) LSAs, which contain the
routes to reach networks in all other areas.
• Standard areas will accept ASBR Summary (Type 4) and External (Type 5) LSAs, which
contain the route to the ASBR and routes to external networks respectively
Configuration of standard areas is straightforward:
Router(config)# router ospf 1
Router(config-router)# network 10.1.0.0 0.0.7.255 area 1

Stub Area – Prevents external routes from flooding into an area.

• Like Standard areas, Stub area routers will share Type 1 and Type 2 LSAs to build their
topology tables.
• Stub areas will also accept Type 3 LSAs to reach other areas.
• Stub areas will not accept Type 4 or Type 5 LSAs, detailing routes to external
networks.
The purpose of Stub areas is to limit the number of LSAs flooded into the
area, to conserve bandwidth and router CPUs. The Stub’s ABR will automatically inject
a default route into the Stub area, so that those routers can reach the external
networks. The ABR will be the next-hop for the default route.
Configuration of stub areas is relatively simple:
Router(config)# router ospf 1
Router(config-router)# network 10.1.0.0 0.0.7.255 area 1
Router(config-router)# area 1 stub
The area 1 stub command must be configured on all routers in the Stub area. No ASBRs
are allowed in a Stub area.

Totally Stub Area:

Totally Stubby Area – Prevents both inter-area and external routes from flooding into
an area.
• Like Standard and Stub areas, Totally Stubby area routers will share Type 1 and Type 2
LSAs to build their topology tables.
• Totally Stubby areas will not accept Type 3 LSAs to other areas.

• Totally Stubby areas will also not accept Type 4 or Type 5 LSAs, detailing routes to
external networks.
Again, the purpose of Totally Stubby areas is to limit the number of LSAs flooded into
the area, to conserve bandwidth and router CPUs. The Stub’s ABR will instead
automatically inject a default route into the Totally Stubby area, so that those routers
can reach both inter-area networks and external networks. The ABR will be the next-hop
for the default route.

Configuration of totally stubby areas is relatively simple:
Router(config)# router ospf 1
Router(config-router)# network 10.1.0.0 0.0.7.255 area 1
Router(config-router)# area 1 stub no-summary


The area 1 stub no-summary command is configured only on the ABR of the Totally
Stubby area; other routers within the area are configured with the area 1 stub
command. No ASBRs are allowed in a Totally Stubby area. In the above example, if we
were to configure Area 1 as a Totally Stubby area, it would not accept any external
routes originating from the ASBR (Router G). It also would not accept any Type 3 LSAs
containing route information about Area 0 and Area 2. Instead, Router C (the ABR) will
inject a default route into Area 1, and all routers within Area 1 will use Router C as
their gateway to all other networks.

Totally Not So Stubby Area (TNSSA) – Like a Totally Stubby area; prevents
both inter-area and external routes from flooding into an area, unless those external
routes originated from an ASBR within the NSSA area.
• Like Standard and Stub areas, TNSSA area routers will share Type 1 and Type 2 LSAs to
build their topology tables.
• TNSSA areas will not accept Type 3 LSAs to other areas.
• TNSSA areas will not accept Type 4 or Type 5 LSAs, detailing routes to external
networks.
• If an ASBR exists within the TNSSA area, that ASBR will generate Type 7 LSAs.
With the exception of not accepting inter-area routes, TNSSA areas are identical in
function to NSSA areas. Configuration of TNSSA areas is relatively simple:
Router(config)# router ospf 1
Router(config-router)# network 10.1.0.0 0.0.7.255 area 1
Router(config-router)# area 1 nssa no-summary

The area 1 nssa no-summary command is configured only on the ABR of the TNSSA area;
other routers within the area are configured with the area 1 nssa command.

OSPF Virtual Links:


An OSPF virtual link is a logical connection between two ABRs. It connects an isolated
area to the OSPF backbone area 0 through a transit area, that is, a non-backbone area.
This helps administrators extend their OSPF network while maintaining OSPF design
requirements.
OSPF Virtual Link Requirements:
To configure a virtual link in OSPF, you must meet the following requirements:

• It must be configured between two ABRs, one of which must be connected to area 0.
• The transit area may not be a stub area and must have full routing information.
• The virtual link will transition to the fully functional point-to-point interface state
when a route to the neighbouring ABR is found in the routing table.
• The maximum path cost in the transit area should not exceed 65535; otherwise, the
virtual link will not come up.
• To see the cost of using the transit area, run show ip ospf virtual-links and refer to
the “Cost of using” line.

OSPF Virtual Links LAB:

Router1#sh run | sec ospf
router ospf 100
 router-id 1.1.1.1
 network 192.168.10.0 0.0.0.255 area 20
Router2#sh run | sec ospf
router ospf 100
router-id 2.2.2.2
log-adjacency-changes
area 10 virtual-link 3.3.3.3
network 192.168.10.0 0.0.0.255 area 20
network 192.168.20.0 0.0.0.255 area 10

------------------------------------------------------------------------
Router3#sh run | sec ospf
router ospf 100
router-id 3.3.3.3
log-adjacency-changes
area 10 virtual-link 2.2.2.2
network 192.168.20.0 0.0.0.255 area 10
network 192.168.30.0 0.0.0.255 area 0

-------------------------------------------------------------------------
Router#sh run | sec ospf
router ospf 100
router-id 4.4.4.4
log-adjacency-changes
network 192.168.30.0 0.0.0.255 area 0
Verification:
R1 is learning the prefixes from area 0

From Router-3, below is the output and the Virtual Link is formed successfully.

Route Redistribution:

Redistribution passes the routes learned by one routing protocol into another routing protocol.
It is the process by which one routing protocol communicates with another (for example OSPF
to EIGRP, OSPF to RIP, or EIGRP to BGP).
If Company A runs EIGRP and Company B runs OSPF and the two companies merge, the routes of
each protocol need to be redistributed into the other.

1. Assign the basic IP addressing scheme as per the diagram.
2. Below is the routers’ config:
Router1#sh run | sec eigrp
router eigrp 1
 network 192.168.10.0
 network 192.168.30.0
Router3#sh run | sec ospf
router ospf 1
 network 192.168.20.0 0.0.0.255 area 0
 network 192.168.40.0 0.0.0.255 area 0
3. Below is the config on Router 2.
Router 2 knows both the EIGRP and the OSPF routes, and it redistributes each protocol into
the other. The direction is named by the source protocol: redistribute ospf 1 under router
eigrp pulls OSPF routes into EIGRP, and the seed metric (bandwidth, delay, reliability,
load, MTU) is required because EIGRP cannot derive its composite metric from an OSPF cost.
router eigrp 1
 redistribute ospf 1 metric 1544 100 255 1 100 >--- Redistribution of OSPF into EIGRP
 network 192.168.10.0
 auto-summary
!
router ospf 1


 log-adjacency-changes
 redistribute eigrp 1 subnets >==== Redistribution of EIGRP into OSPF (the subnets keyword is required so that subnets of classful networks are redistributed as well)
 network 192.168.20.0 0.0.0.255 area 0
Verification:
Router1#sh ip route eigrp (D EX routes are EIGRP external routes learned from OSPF)
The ping now works from OSPF to EIGRP and vice versa.
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
D EX 192.168.20.0/24 [170/1683712] via 192.168.10.2, 00:01:11, GigabitEthernet0/0/0
192.168.30.0/24 is variably subnetted, 2 subnets, 2 masks
D EX 192.168.40.0/24 [170/1683712] via 192.168.10.2, 00:01:11, GigabitEthernet0/0/0
Router3#sh ip route ospf
OSPF is learning the EIGRP routes now called O E2 in the below table.
O E2 192.168.10.0 [110/20] via 192.168.20.1, 00:01:00, GigabitEthernet0/0/0
O E2 192.168.30.0 [110/20] via 192.168.20.1, 00:01:00, GigabitEthernet0/0/0
Router3#ping 192.168.30.100 (able to ping the LAN Gateway at Router 1 from R3)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms

RIP to OSPF Re-distribution:

Router1#sh run | sec rip


router rip
version 2
network 192.168.10.0
network 192.168.30.0
------------------------------------------------
Router3#sh run | sec ospf
router ospf 1
log-adjacency-changes
network 192.168.20.0 0.0.0.255 area 0
network 192.168.40.0 0.0.0.255 area 0
------------------------------------------------------
Router2#sh run | sec rip
 redistribute rip metric 1 /// RIP into OSPF redistribution (this line belongs to the router ospf 1 process; it is shown here because the section filter matches the word rip)
router rip
 version 2
 redistribute ospf 1 metric 1 //// OSPF into RIP redistribution (metric 1 is the hop count RIP will advertise for the OSPF routes)
 network 192.168.10.0
----------------------------------------------------------
Output from R1, which is learning the OSPF prefixes:
Router1#sh ip route rip
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
R 192.168.20.0/24 [120/1] via 192.168.10.2, 00:00:01, GigabitEthernet0/0/0
192.168.30.0/24 is variably subnetted, 2 subnets, 2 masks
R 192.168.40.0/24 [120/1] via 192.168.10.2, 00:00:01, GigabitEthernet0/0/

Router3#sh ip route ospf
O E2 192.168.10.0 [110/1] via 192.168.20.1, 01:28:32, GigabitEthernet0/0/0
O E2 192.168.30.0 [110/1] via 192.168.20.1, 01:28:32, GigabitEthernet0/0/0


------------------------------------------------------------------------------------------------------------------

RIP – Default Route:


• We could configure a static default route on R1 and advertise it in RIP to R2 and
R3.

Let’s configure a static default route on R1 to reach the networks behind the ISP1
router:

R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.14.4

R1#ping 4.4.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/4 ms

Time to advertise it in RIP:

R1(config)#router rip
R1(config-router)#default-information originate

The command above will tell RIP to advertise the static default route.

R2#show ip route rip


Gateway of last resort is 192.168.12.1 to network 0.0.0.0

R*   0.0.0.0/0 [120/1] via 192.168.12.1, 00:00:26, GigabitEthernet0/1
R    192.168.13.0/24 [120/1] via 192.168.12.1, 00:00:26, GigabitEthernet0/1

R3#show ip route rip

Gateway of last resort is 192.168.13.1 to network 0.0.0.0

R*   0.0.0.0/0 [120/1] via 192.168.13.1, 00:00:18, GigabitEthernet0/1
R    192.168.12.0/24 [120/1] via 192.168.13.1, 00:00:18, GigabitEthernet0/1

Both routers have a default route, learned from R1. Let’s test these:

R2#ping 4.4.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms

ACLs (Access Control Lists):


An ACL is a set of rules that permits or denies specific traffic moving through the
router; it controls the flow of traffic from one network to another via the router.
An access control list (ACL) consists of one or more access control entries (ACEs) that
collectively define the network traffic profile.
This profile can then be referenced by Cisco IOS Software features such as traffic
filtering, priority or custom queueing, and dynamic access control.
Reasons why you should use ACLs:
1. Limit network traffic to increase network performance
2. Provide traffic flow control
3. Provide a basic level of security for network access by defining which part of the
network/server/service can be accessed by a host and which cannot
4. Granular control over traffic entering or exiting the network

Types of Access Control Lists:


ACLs are primarily divided into two types: standard and extended. We also differentiate
between numbered and named ACLs.
Standard ACLs allow filtering traffic solely based on Layer 3 source address written in
the header of the IP (Internet Protocol) packet.


Standard ACL:
Can be a named or numbered ACL
The access-list number range is 1-99 and 1300-1999
Can block a network, host or subnet; all services from the matched source are blocked
Filtering is done based only on the source IP address.
The command syntax for configuring a standard numbered ACL:
access-list {1-99 | 1300-1999} {permit | deny} source-address [wildcard-mask]

The first value {1-99 or 1300-1999} specifies the standard ACL number range.
The second value specifies whether to permit or deny the configured source IP address
traffic.
The third value is the source IP address that must be matched.
The fourth value is the wildcard mask to be applied to the previously configured IP
address to indicate the range.

Extended ACL:
Can be named or numbered
The access-list number range is 100-199 and 2000-2699
We can allow or deny a network, host, subnet or service
Selected services can be blocked
Filtering is done based on source IP, destination IP, protocol and port number

Extended ACLs filter traffic based on Layer 3 and Layer 4 source and destination
information, thus giving greater flexibility and control over network access than standard
ACLs. The command syntax for configuring an extended numbered ACL:
access-list {100-199 | 2000-2699} {permit | deny} protocol source source-wildcard destination destination-wildcard [operator port]

The first value {100-199 or 2000-2699} specifies the extended ACL number range.


The second value specifies whether to permit or deny traffic according to the criteria
that follow.
The third value indicates the protocol type, that is, IP, TCP, UDP, ICMP or another IP
sub-protocol.
The source and destination IP addresses and their associated wildcard masks determine
where traffic originates and its destination, respectively.
Numbered ACL - If you refer to the ACL by a numeric ID, you can use 1 - 99 for a
standard ACL or 100 - 199 for an extended ACL.
Named ACL - If you refer to the ACL by a name, you specify whether the ACL is a
standard ACL or an extended ACL, then specify the name.
Functionally there is no difference. Named ACLs allow us to give them a descriptive
name for identification. The other difference is that with numbered ACLs, the
type (i.e., standard, extended, etc.) is identified by the range that the number is in, as
opposed to a keyword used when the ACL is declared.

ACL Configuration Guidelines:

• Only one ACL per interface, per protocol, per direction is allowed.
• ACLs are processed top-down; the most specific statements must go at the top of
the list. Once a packet meets the ACL criteria, the ACL processing stops, and the
packet is either permitted or denied.
• ACLs are created globally and then applied to interfaces.
• An ACL can filter traffic going through the router, or traffic to and from the
router.
• All ACLs have an implicit “deny all” statement at the end. Therefore, every ACL
must have at least one permit statement to allow any traffic to pass.

ACL LAB:

❖ Deciding the right Interface to implement the ACL is very important.


❖ Understand the Inbound and Outbound Interfaces:

Below is the example for Inbound Interface from R1 to R3:

Below is the example for Outbound traffic Interface from R3 to R1:

Coming back to our LAB:

#R2 Outbound Interface to be blocked in our lab.


The LAB – Implementing ACLs on 3 Routers:

1. Assign the IP addresses as per the design
2. On the switches configure the default gateway: ip default-gateway 192.168.1.100 on switch 1, 192.168.2.100
on switch 2, and so on
3. Enable any routing protocol (RIP, EIGRP, OSPF or static routing) and make sure all the
LANs can reach each other
4. In my LAB I am using RIP as the dynamic routing protocol.
5. TASK:
192.168.1.1 should not communicate with 192.168.2.0
192.168.1.2 should not communicate with 192.168.2.0
192.168.3.0/24 subnet should not communicate with 192.168.2.0
Permit all the other traffic in the topology.
Router1 - config:
Router# sh run | sec rip
router rip
version 2
network 10.0.0.0
network 192.168.1.0
no auto-summary
Router 3 – Config:
router rip
version 2
network 11.0.0.0
network 192.168.3.0
no auto-summary

Router 2 – Config:
router rip
version 2
network 10.0.0.0
network 11.0.0.0
network 192.168.2.0
no auto-summary
Creating the ACL Rules as per the requirement in R2:
access-list 10 deny host 192.168.1.1
access-list 10 deny host 192.168.1.2
access-list 10 deny 192.168.3.0 0.0.0.255
access-list 10 permit any
Implementation:
interface FastEthernet2/3
no switchport
ip address 192.168.2.100 255.255.255.0
ip access-group 10 out ---- > Applying the ACL group 10 in the outbound direction of f2/3
duplex auto
speed auto
Now 192.168.1.1 and 192.168.1.2 won’t be able to reach 192.168.2.1 and 192.168.2.2.
They will get a “Destination host unreachable” message, as shown below:
Output from 192.168.1.1:

Output from 192.168.1.1 where it can reach the other networks (no ACL is configured for the
192.168.3.0 network, and that’s why it’s reachable)

Output from 192.168.3.2, where it is unable to reach 192.168.2.1 because of the ACL we
have configured

LAB – Implementing extended access-lists to deny the FTP/PING service
for one host:

1. Create the topology like above, and assign the basic IP addressing
2. Choose any routing protocol to form the neighbour relationship
3. In this LAB, I am using RIP as the dynamic routing protocol.
4. Make sure all the hosts behind R1 and R2 can connect to the Server.
5. On the Server I am running FTP and the other services.

TASK:
1. 192.168.10.2 should not be able to ping the Server (192.168.40.1).
2. 192.168.10.2 should be able to ping all the other neighbours, but not the Server.
3. Host 192.168.20.2 should not be able to get the FTP service from the Server.
Let’s get started with the RIP configs:
Router 0 config:
router rip
version 2
network 10.0.0.0
network 192.168.10.0
no auto-summary
Router 1 config:
router rip
version 2
network 10.0.0.0
network 192.168.20.0
network 192.168.40.0
no auto-summary
Now with the help of RIP we have connectivity established towards the Server.
The ping from all the LAN hosts to the Server would work.

First check the reachability (PING), then configure the ACLs on the router.
Let’s configure the extended ACLs:

• We will block the PING from 192.168.10.2 to the Server 192.168.40.1

Create the ACL as below:
access-list 143 deny icmp host 192.168.10.2 host 192.168.40.1 echo
access-list 143 permit ip any any

ACL implementation on the interface:
interface GigabitEthernet0/0/1

ip access-group 143 in ------ > applying the access-group 143 inbound on the Gi0/0/1 interface
Below is the output from 192.168.10.2; the ping now is not successful because of the ACL.

The ping to the Server (192.168.40.1) is not working, whereas the ping to any other host,
e.g. 192.168.20.2, is working fine.

Moving to Router 1: FTP services should be blocked for the host 192.168.20.2.
So, from 192.168.40.1 (server IP) the FTP service should be blocked for host 192.168.20.2.

With no ACL configured, FTP is successful from the host 192.168.20.1:

Let’s configure the ACL to stop this FTP service:

On Router 1:
access-list 122 deny tcp host 192.168.20.2 host 192.168.40.1 eq ftp
access-list 122 permit ip any any
Implementation:

interface FastEthernet2/3
no switchport
ip address 192.168.20.100 255.255.255.0
ip access-group 122 in
Verification:
FTP is not working now for the host 192.168.20.2

So, this proves our extended access-lists are working fine.
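The matching rules behind both labs (top-down processing, first match wins, the implicit deny at the end, and wildcard masks for the standard ACL 10 and the extended ACLs 143 and 122 above) can be checked offline with the small evaluator below. It is an added example, not Cisco IOS code or part of the original document: it parses only the access-list keywords used on this page (host, any, eq with a service name, and an ICMP type after the destination), the service-name table is an assumed subset of the IOS names, and interface direction is not modelled, so it answers "would this ACL permit or deny this packet", nothing more.

```python
"""Toy evaluator for Cisco-style numbered ACLs (standard and extended).

Added example: not Cisco IOS code. It models the matching rules described
above: entries are checked top-down, the first match wins, and an ACL with no
matching entry denies the packet (the implicit "deny all"). A wildcard mask
bit of 0 means "this address bit must match", 1 means "don't care".
Only the keywords used on this page are parsed (host/any, eq <port>, an ICMP
type after the destination); that restriction is an assumption of this toy.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Service-name keywords to port numbers (assumed subset of the IOS names).
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "domain": 53, "www": 80}
ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """True if addr falls inside network/wildcard (Cisco wildcard semantics)."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))  # 1 = must match
    return (a & care) == (n & care)


@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" for standard ACLs, else tcp/udp/icmp/ip
    src: tuple                       # (network, wildcard)
    dst: tuple = ANY
    dport: Optional[int] = None      # "eq <port>" after the destination
    icmp_type: Optional[str] = None  # e.g. "echo"


def _parse_addr(t, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' | 'A' starting at t[i]."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(t) and t[i + 1].count(".") == 3:
        return (t[i], t[i + 1]), i + 2
    return (t[i], "0.0.0.0"), i + 1   # bare address = single host


def parse_acl(lines):
    """Parse 'access-list N permit|deny ...' lines into {N: [Entry, ...]}."""
    acls = {}
    for raw in lines:
        t = raw.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        num, action = int(t[1]), t[2]
        if 1 <= num <= 99 or 1300 <= num <= 1999:      # standard: source only
            src, _ = _parse_addr(t, 3)
            e = Entry(action, "ip", src)
        else:                                           # extended
            proto = t[3]
            src, i = _parse_addr(t, 4)
            dst, i = _parse_addr(t, i)
            e = Entry(action, proto, src, dst)
            if i < len(t) and t[i] == "eq":
                p = t[i + 1]
                e.dport = int(p) if p.isdigit() else PORT_NAMES[p]
            elif i < len(t) and proto == "icmp":
                e.icmp_type = t[i]
        acls.setdefault(num, []).append(e)
    return acls


def evaluate(entries, src, dst, proto="ip", dport=None, icmp_type=None):
    """Return 'permit' or 'deny' for one packet against one ACL."""
    for e in entries:                                   # top-down
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (wildcard_match(src, *e.src) and wildcard_match(dst, *e.dst)):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        if e.icmp_type is not None and e.icmp_type != icmp_type:
            continue
        return e.action                                 # first match wins
    return "deny"                                       # implicit deny all


# The three ACLs from the labs above, exactly as written on the page.
LAB_ACLS = parse_acl([
    "access-list 10 deny host 192.168.1.1",
    "access-list 10 deny host 192.168.1.2",
    "access-list 10 deny 192.168.3.0 0.0.0.255",
    "access-list 10 permit any",
    "access-list 143 deny icmp host 192.168.10.2 host 192.168.40.1 echo",
    "access-list 143 permit ip any any",
    "access-list 122 deny tcp host 192.168.20.2 host 192.168.40.1 eq ftp",
    "access-list 122 permit ip any any",
])

if __name__ == "__main__":
    print(evaluate(LAB_ACLS[10], "192.168.3.7", "192.168.2.1"))
    print(evaluate(LAB_ACLS[143], "192.168.10.2", "192.168.40.1", "icmp", icmp_type="echo"))
    print(evaluate(LAB_ACLS[122], "192.168.20.2", "192.168.40.1", "tcp", dport=80))
```

A useful habit when writing a new ACL is to run the packets from the task list through it before applying it to an interface: the evaluator makes the implicit deny visible (an ACL with only deny statements blocks everything), and swapping the order of two entries shows why the specific statements must come first.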

NAT (Network Address Translation):

The idea of NAT is to allow multiple devices to access the Internet through a single public
address. To achieve this, the translation of a private IP address to a public IP address is
required. Network Address Translation (NAT) is a process in which one or more local IP
addresses are translated into one or more global IP addresses and vice versa to provide
Internet access to the local hosts. It also translates port numbers, i.e., it
masks the port number of the host with another port number in the packet that will be
routed to the destination. It then makes the corresponding entries of IP address and
port number in the NAT table. NAT generally operates on a router or firewall.
Network Address Translation (NAT) working –
Generally, the border router is configured for NAT, i.e., the router which has one interface
in the local (inside) network and one interface in the global (outside) network. When a
packet traverses outside the local (inside) network, NAT converts that local
(private) IP address to a global (public) IP address. When a packet enters the local
network, the global (public) IP address is converted to a local (private) IP address.
If NAT runs out of addresses, i.e., no address is left in the configured pool, then the
packets will be dropped and an Internet Control Message Protocol (ICMP) host
unreachable packet is sent to the destination.
Why mask port numbers?
Suppose, in a network, two hosts A and B are connected. Now, both request the
same destination, on the same port number, say 1000, on the host side, at the same
time. If NAT does only translation of IP addresses, then when their packets arrive at
the NAT, both of their IP addresses would be masked by the public IP address of the
network and sent to the destination. The destination will send replies to the public IP
address of the router. Thus, on receiving a reply, it will be unclear to NAT which
reply belongs to which host (because the source port numbers for both A and B are the
same). Hence, to avoid such a problem, NAT masks the source port number as well and
makes an entry in the NAT table.
NAT inside and outside addresses –

• Inside local address – An IP address that is assigned to a host on the inside (local)
network. The address is usually not an IP address assigned by the service
provider, i.e., these are private IP addresses. This is the inside host as seen from the
inside network.

• Inside global address – An IP address that represents one or more inside local IP
addresses to the outside world. This is the inside host as seen from the outside
network.

• Outside local address – This is the actual IP address of the destination host in the
local network after translation.

• Outside global address – This is the outside host as seen from the outside
network. It is the IP address of the outside destination host before translation.
Network Address Translation (NAT) Types –
There are 3 ways to configure NAT:

❖ Static NAT – In this, a single unregistered (private) IP address is mapped to a
legally registered (public) IP address, i.e., a one-to-one mapping between local and
global addresses. This is generally used for web hosting. It is not used for whole
organizations, as there are many devices that need Internet access and, to
provide Internet access, a public IP address is needed for each. Suppose there are 3000
devices that need access to the Internet; the organization must buy 3000 public
addresses, which will be very costly.

❖ Dynamic NAT – In this type of NAT, an unregistered IP address is translated into a
registered (public) IP address from a pool of public IP addresses. If the IP address
of the pool is not free, then the packet will be dropped, as only a fixed number of
private IP addresses can be translated to public addresses. Suppose there is a
pool of 2 public IP addresses; then only 2 private IP addresses can be translated at
a given time. If a 3rd private IP address wants to access the Internet, the
packet will be dropped; therefore many private IP addresses are mapped to a pool
of public IP addresses. Dynamic NAT is used when the number of users who want to access
the Internet is fixed. This is also very costly, as the organization must buy many
global IP addresses to make a pool.

❖ Port Address Translation (PAT) – This is also known as NAT overload. In this,
many local (private) IP addresses can be translated to a single registered IP
address. Port numbers are used to distinguish the traffic, i.e., which traffic
belongs to which IP address. This is the most frequently used type, as it is cost-effective:
thousands of users can be connected to the Internet by using only one real global
(public) IP address.

❖ Advantages of NAT –
1. NAT conserves legally registered IP addresses.
2. It provides privacy, as the IP address of the device sending and receiving the traffic
will be hidden.
3. Eliminates address renumbering when a network evolves.

❖ Disadvantages of NAT –
1. Translation results in switching path delays.
2. Certain applications will not function while NAT is enabled.
3. Complicates tunnelling protocols such as IPsec.
4. Also, the router, being a network layer device, should not tamper with port
numbers (transport layer), but it must do so because of NAT.

Dynamic NAT – LAB:

Working:

When the PC sends the server a request via the router, the router will first map the
private IP address of the PC to a public IP address from the pool. The router will then
forward the request to the server, with the public IP address of the PC as the source
address.
When the server responds with a packet destined for the PC, the router will look up
its dynamic NAT table, translate the public IP of the PC back to the private one, and then
forward the packet to the PC via the ip nat inside interface.
The show ip nat translations command is used to check the NAT table on the router.

PAT (Port Address Translation) LAB:

Tip: You can create an access list of private IP addresses and a pool of public IP addresses,
then enable Port Address Translation on a router in a similar way to the dynamic NAT
configuration. When PAT is configured this way, the only difference between the PAT and
dynamic NAT configurations is the keyword overload.
Output of sh ip nat translations:
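The two behaviours described above, dynamic NAT dropping a third host once a two-address pool is used up, and PAT keeping two hosts apart even when both use source port 1000, can be reproduced with the toy translator below. It is an added example, not Cisco IOS code and not part of the original document; the inside hosts, the pool addresses and the server address are constructed from documentation ranges, and the translation table it keeps is only a sketch of what show ip nat translations displays.

```python
"""Toy model of dynamic NAT and PAT (NAT overload).

Added example, not Cisco IOS code. It keeps a translation table like the one
'show ip nat translations' displays and shows two behaviours the text
describes: dynamic NAT hands each inside host one address from the pool and
drops packets once the pool is exhausted; PAT (overload) shares one global
address and rewrites the source port, which is what keeps two hosts that
happen to use the same source port distinguishable on the way back.
Addresses below are constructed from documentation ranges.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    def __init__(self, pool, overload=False, first_port=1024):
        self.pool = list(pool)      # unused inside-global addresses
        self.overload = overload
        self.next_port = first_port
        self.table = {}             # (inside local ip, port) -> (inside global ip, port)
        self.reverse = {}           # (inside global ip, port) -> (inside local ip, port)
        self.host_addr = {}         # dynamic NAT: inside local ip -> pool address held

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet leaving the inside network; None means dropped."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.table:
            if self.overload:
                # Everyone shares pool[0]; a fresh source port per flow
                # disambiguates replies even when hosts pick the same port.
                mapped = (self.pool[0], self.next_port)
                self.next_port += 1
            else:
                # Plain dynamic NAT: one pool address per inside host, ports untouched.
                if pkt.src_ip not in self.host_addr:
                    if not self.pool:
                        return None            # pool exhausted: packet dropped
                    self.host_addr[pkt.src_ip] = self.pool.pop(0)
                mapped = (self.host_addr[pkt.src_ip], pkt.src_port)
            self.table[key] = mapped
            self.reverse[mapped] = key
        gip, gport = self.table[key]
        return Packet(gip, gport, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a reply from outside back to the inside host; None if unknown."""
        key = (pkt.dst_ip, pkt.dst_port)
        if key not in self.reverse:
            return None                        # no state for this reply
        lip, lport = self.reverse[key]
        return Packet(pkt.src_ip, pkt.src_port, lip, lport)

    def translations(self):
        """Rows in the spirit of 'show ip nat translations': inside global -> inside local."""
        return sorted(f"{g}:{gp} -> {loc}:{lp}"
                      for (loc, lp), (g, gp) in self.table.items())


# Constructed scenario from the "why mask port numbers" discussion: hosts A and B
# both talk to the same server from source port 1000 at the same time.
A = Packet("192.168.1.10", 1000, "203.0.113.5", 80)
B = Packet("192.168.1.11", 1000, "203.0.113.5", 80)
C = Packet("192.168.1.12", 1000, "203.0.113.5", 80)


def demo_dynamic():
    """Two-address pool, three hosts: the third packet is dropped."""
    nat = Nat(pool=["198.51.100.1", "198.51.100.2"])
    return [nat.outbound(p) for p in (A, B, C)]


def demo_pat():
    """One shared address; the server's reply to B's port must reach B, not A."""
    nat = Nat(pool=["198.51.100.1"], overload=True)
    out_a, out_b = nat.outbound(A), nat.outbound(B)
    reply = Packet("203.0.113.5", 80, out_b.src_ip, out_b.src_port)
    return out_a, out_b, nat.inbound(reply)


if __name__ == "__main__":
    print(demo_dynamic())
    print(demo_pat())
```

The inbound path is the security-relevant half: a packet from outside is only forwarded when a matching table entry exists, which is why unsolicited inbound traffic does not reach inside hosts behind dynamic NAT or PAT, and why a NAT device that keeps stale entries too long is worth monitoring.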

NTP (Network Time Protocol):

Network Time Protocol (NTP) is a protocol that synchronizes the clocks of computers
in a network. It is an application layer protocol that is responsible for
the synchronization of hosts on a TCP/IP network. NTP was developed by David Mills in
1981 at the University of Delaware. It is needed so that there is a seamless connection
between the communicating computers.
Features of NTP:
Some features of NTP are –

• NTP servers have access to highly precise atomic clocks and GPS clocks
• It uses Coordinated Universal Time (UTC) to synchronize CPU clock time.
• Avoids even having a fraction of vulnerabilities in information exchange
communication.
• Provides consistent timekeeping for file servers
Working of NTP:
NTP is a protocol that works at the application layer; it uses a hierarchical system of
time sources and provides synchronization between the stratum servers. At the
topmost level there are highly accurate time sources, e.g. atomic or GPS clocks. These
clock sources are called stratum 0, and they feed the NTP servers below them,
called stratum 1, 2, 3 and so on. These servers then provide the accurate date and time
so that communicating hosts are synced to each other.
Architecture of Network Time Protocol:
Architecture of Network Time Protocol:

Advantages of NTP:

• It provides Internet synchronization between devices.
• It provides enhanced security within the premises.
• It is used in authentication systems like Kerberos.
• It provides network acceleration, which helps in troubleshooting problems.
• Used in file systems that are difficult to synchronize across a network.
Disadvantages of NTP:

• When the servers are down, the time sync is affected across a running
communication.
• Servers are prone to error due to various time zones, and conflicts may occur.
• Minimal reduction of time accuracy.
• When NTP packets are increased, synchronization conflicts arise.
• Manipulation can be done in synchronization.
How does NTP synchronize?
The following steps make up NTP time synchronization:

• The client initiates a time-request exchange with the server.
• The client can then calculate the link uncertainty and adjust its local clock to match the
clock on the server.
Once synchronized, the client can update the clock every 10 minutes, requiring a single
message exchange, in addition to client-server synchronization. This exchange
takes place over User Datagram Protocol (UDP) on port 123 and also supports broadcast
synchronization of peer computer clocks.
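What the client actually computes from that single request/response exchange is shown below. This is an added example, not code from this document or from any NTP implementation: the arithmetic is the standard NTP on-wire calculation (RFC 5905) with four timestamps, the sample timestamps are constructed, and the assumption that matters for the result is that the request and reply take the same time on the wire.

```python
"""Clock offset and round-trip delay from one NTP request/response.

Added example; the arithmetic is the standard NTP on-wire calculation
(RFC 5905), not text from this document. Timestamps, in seconds:
t1 = client sends the request, t2 = server receives it, t3 = server sends
the reply, t4 = client receives it. The sample values are constructed.
"""


def ntp_offset_delay(t1: float, t2: float, t3: float, t4: float):
    """Return (offset, delay).

    delay  = round trip as seen by the client, minus the server's processing time
    offset = how far the client clock is behind the server, assuming the
             outbound and return legs take the same time
    """
    delay = (t4 - t1) - (t3 - t2)
    offset = ((t2 - t1) + (t3 - t4)) / 2
    return offset, delay


def max_offset_error(delay: float) -> float:
    """Worst-case offset error if the path is fully asymmetric: half the delay."""
    return delay / 2


def corrected_time(local_now: float, offset: float) -> float:
    """What the client should set its clock to, given its own reading now."""
    return local_now + offset


# Constructed sample: client clock 2.000 s slow, 0.050 s each way on the wire,
# server spends 0.010 s between receiving and answering.
SAMPLE = {"t1": 100.000, "t2": 102.050, "t3": 102.060, "t4": 100.110}

if __name__ == "__main__":
    off, dly = ntp_offset_delay(**SAMPLE)
    print(f"offset={off:.3f}s delay={dly:.3f}s (error bound +/-{max_offset_error(dly):.3f}s)")
```

The symmetric-path assumption is also the caveat: a large measured delay widens the error bound, which is one reason NTP clients prefer low-delay servers and why a sudden jump in delay or offset from a trusted server is worth alerting on.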
NTP Basic LAB for time sync:

Output from R0:
Router#sh clock
18:45:18.849 UTC Thu Mar 9, 2023

Cisco IOS Upgrade:

Switch IOS Upgrade:

1. The Server in this LAB acts as a TFTP server and has the valid Cisco IOS files.
2. Configure the IP addressing on the Switch and Server; reachability between them must
be in place.
Switch(config)#interface Vlan1
Switch(config-if)#no shutdown
Switch(config-if)#ip address 192.168.1.2 255.255.255.0
Server IP: 192.168.1.100 and subnet mask: 255.255.255.0. A gateway is not
needed as both the server and switch are in the same /24 network in my LAB.
3. Ping from the Switch to the Server; it should be reachable.
Switch#ping 192.168.1.100
Sending 5, 100-byte ICMP Echos to 192.168.1.100, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 0/0/0 ms
4. Check the “sh flash” command output on the Switch and identify the free memory.
5. Please note that to upload the new IOS image, there must be enough free memory on the switch.
Switch#sh flash
Directory of flash:/
1 -rw- 4670455 <no date> 2960-lanbasek9-mz.150-2.SE4.bin
3 -rw- 4670455 <no date> c2960-lanbase-mz.122-25.SEE1.bin
2 -rw- 4670455 <no date> c2960-lanbasek9-mz.150-2.SE4.bin
4 -rw- 1093 <no date> config.text
64016384 bytes total (50003926 bytes free) //// Free memory available in the switch
6. Upload the new IOS image to the Switch:
Switch#copy tftp: flash: ------ > We are telling the Switch to copy the new IOS file from the
tftp server to the Switch flash memory
Address or name of remote host []? 192.168.1.100 -> We need to give the TFTP server IP
Source filename []? c2960-lanbase-mz.122-25.SEE1.bin
Destination filename [c2960-lanbase-mz.122-25.SEE1.bin]?
Accessing tftp://192.168.1.100/c2960-lanbase-mz.122-25.SEE1.bin...
Loading c2960-lanbase-mz.122-25.SEE1.bin from 192.168.1.100:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 4670455 bytes]
4670455 bytes copied in 0.1 secs (3754877 bytes/sec)
Now the new IOS file has been added to the Switch flash memory.
7. Set the boot variable and reload the Switch to take the new IOS.
Switch(config)#boot system c2960-lanbase-mz.122-25.SEE1.bin
Switch(config)#end
Switch#reload
Then the new IOS image will be loaded, and you can check with the command “sh ver”

Real-time: Cisco 9300 IOS upgrade


Step - 1: clean up
Ensure that you have at least 1GB of space in flash to expand the new image. Clean up
old installation files in case of insufficient space.

Step - 2 Copy the new image to the switch

Step - 3 Check the boot variables

Use the show boot system command to verify that the boot variable is set to
flash:packages.conf

If not, set the boot variable using the command below.

Step - 4 Start the upgrade

That’s how we need to upgrade the switches in real-world deployments; check “sh ver” and
you will see the new IOS version on the Switch.

SNMP (Simple Network Management Protocol):

If an organization has 1000 devices, then checking every day, one by one, whether all devices are
working properly is a hectic task. To ease this, the Simple Network Management
Protocol (SNMP) is used.
Simple Network Management Protocol (SNMP) –
SNMP is an application layer protocol that uses UDP port numbers 161/162. SNMP is used
to monitor the network, detect network faults, and sometimes even to configure
remote devices.
SNMP components –
There are 3 components of SNMP:

1. SNMP Manager –
It is a centralized system used to monitor the network. It is also known as the Network
Management Station (NMS).

2. SNMP agent –
It is a software module installed on a managed device.
Managed devices can be network devices like PCs, routers, switches, servers, etc.

3. Management Information Base –
The MIB consists of information on the resources that are to be managed. This
information is organized hierarchically. It consists of object instances, which are
essentially variables.

SNMP security levels –

These define the type of security algorithm performed on SNMP packets. They are used
only in SNMPv3. There are 3 security levels, namely:

1. noAuthNoPriv –
This (no authentication, no privacy) security level uses a community string for
authentication and no encryption for privacy.

2. authNoPriv – This security level (authentication, no privacy) uses HMAC with
MD5 for authentication and no encryption for privacy.

3. authPriv – This security level (authentication, privacy) uses HMAC with MD5 or
SHA for authentication, and encryption uses the DES-56 algorithm.
SNMP versions –
There are 3 versions of SNMP:

1. SNMPv1 –
It uses community strings for authentication and uses UDP only.

2. SNMPv2c –
It uses community strings for authentication. It uses UDP but can be configured
to use TCP.

3. SNMPv3 –
It uses hash-based MAC with MD5 or SHA for authentication and DES-56 for
privacy. This version uses TCP. Therefore, the conclusion is that the higher the version
of SNMP, the more secure it will be.
Strengths of SNMP:
1. It is simple to implement.
2. Agents are widely implemented.
3. It is robust and extensible.
4. The polling approach is good for LAN-based managed objects.
5. It offers the best direct manager-agent interface.
6. SNMP meets a critical need.

FHRP (First Hop Redundancy Protocols):

Every host within the organization’s network needs a router as its default gateway
in order to connect to the Internet. But what if the gateway
router goes offline or the default gateway IP is changed during configuration?
Replacing the gateway router will cause a long service interruption for the users within
the organization, and reacting only after the failure is not a good way to handle the
issue. This is where FHRP comes into play.
Network redundancy provides multiple fallback plans in case a network failure occurs,
to keep services up and valuable data flowing through the network. This means that redundant
networks are synonymous with a reliable network that will greatly benefit the
customers.
Having network redundancy implemented in the network also means that various
network devices and technologies are in place, which means having redundancy also
means having a more complex network.
A more complex network design is harder to understand,
and it also increases the risk of human error and software bugs that may cause
new modes of failure. That is why it is very important to plan, design, and implement
network redundancy properly, because once it is done, the benefits outweigh the risks.
The diagram below is an example without FHRP implemented:
There is no redundancy, and if the router goes down, all the services will go down.

What is First Hop Redundancy Protocol (FHRP)?

First Hop Redundancy Protocol (FHRP) is a hop redundancy protocol that is designed to
provide redundancy for the gateway router within the organization’s network using a
virtual IP address and a virtual MAC address.
To implement FHRP, there should be two or more routers that will be used as the gateway
router. The virtual IP address and virtual MAC address will be used on both routers.
The virtual IP address will be the default gateway IP address for all the devices inside
the organization’s network. One router will be used as the active router (gateway
router), and the other router will be standby. If the active router goes offline, the
standby router will take its place as the gateway router for all the hosts.
The diagram below is an example of a network topology with FHRP implemented:

There are 3 types of protocols in FHRP:

❖ HSRP (Hot Standby Router Protocol)
❖ VRRP (Virtual Router Redundancy Protocol)
❖ GLBP (Gateway Load Balancing Protocol)

❖ Hot Standby Router Protocol (HSRP)

HSRP, or Hot Standby Router Protocol, is a Cisco-proprietary router redundancy
protocol that enables a cluster of routers to cooperate. All the routers within the
cluster will have the same virtual IP address and virtual MAC address.
The two Hot Standby Router Protocol (HSRP) router states:

• Active Router – the router that actively sends and receives packets to and from the hosts
within the organization. It is the default gateway router. Only one active router
will be selected among the cluster of routers.
• Standby Router – the router(s) from which the new active router will be chosen in case
the incumbent active router goes offline.
If the active router goes offline, router failover will occur. These changes will not affect
the hosts. The hosts keep the same IP address and MAC address settings. The default
gateway IP address will still be the same on all hosts. There will be no changes in the
hosts’ ARP tables, as the gateway router’s virtual MAC address will be the same.
Changes in failover only happen on the routers and switches; hosts are not affected.
Points to be remembered:
1. We can only have one and only one Active Router in HSRP.

2. We can only have one and only one Standby Router in HSRP.
3. Selection of the Active and Standby Router is done based on PRIORITY.
4. The range of PRIORITY is from 0-255.
5. The default value of PRIORITY is 100.
6. The router with the highest PRIORITY will be elected as Primary, and the router
with the second-highest PRIORITY will act as the BACKUP router.
7. If two routers happen to have the same PRIORITY, the router with the
HIGHEST IP ADDRESS on its HSRP interface gets elected as the Active Router.
8. Preemption in HSRP is not enabled by default, and we need to enable it.
Virtual Router role in HSRP:
Remember that the virtual router has its own IP and MAC address.
The virtual IP address will be the default gateway of all hosts.
Every time a host sends an ARP request, the virtual MAC address is returned.
Host machines have no idea which router is actually forwarding their traffic.
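The election rules just listed (priority, highest IP as tie-breaker, a single Active and a single Standby, and preemption off by default) are easy to get wrong when reasoning about a failover by hand, so here they are as a small simulation. This is an added example, not Cisco code and not part of the original document: the router names and addresses are taken from the HSRP lab that follows, the group object and its methods are assumptions of this toy, and it models only election, failover and preemption, not hello timers or interface tracking.

```python
"""HSRP Active/Standby election, failover and preemption.

Added example (not Cisco code) that applies the rules listed above: routers
in a standby group are ranked by priority (0-255, default 100), with ties
broken by the highest interface IP address; the best router becomes Active,
the next best Standby. Preemption is off by default: a recovering router with
a better priority only takes the Active role back when 'preempt' is set.
Router names and addresses come from the HSRP lab below; the rest is assumed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class HsrpRouter:
    name: str
    ip: str                 # address on the HSRP interface
    priority: int = 100     # HSRP default
    preempt: bool = False   # IOS default: no preemption
    up: bool = True


def rank(r: HsrpRouter):
    """Higher tuple wins: priority first, then numerically highest IP."""
    return (r.priority, int(ipaddress.IPv4Address(r.ip)))


class StandbyGroup:
    def __init__(self, virtual_ip: str, routers):
        self.virtual_ip = virtual_ip
        self.routers = {r.name: r for r in routers}
        self.active = None
        self.standby = None
        self._elect(active_failed=True)

    def _alive(self):
        return sorted((r for r in self.routers.values() if r.up), key=rank, reverse=True)

    def _elect(self, active_failed: bool):
        alive = self._alive()
        if not alive:
            self.active = self.standby = None
            return
        best = alive[0]
        current = self.routers.get(self.active)
        if active_failed or current is None or not current.up:
            self.active = best.name             # no healthy Active: best router takes over
        elif best.name != self.active and best.preempt:
            self.active = best.name             # better router preempts a healthy Active
        # The Standby role always goes to the best router that is not Active.
        rest = [r for r in alive if r.name != self.active]
        self.standby = rest[0].name if rest else None

    def fail(self, name: str):
        self.routers[name].up = False
        self._elect(active_failed=(name == self.active))

    def recover(self, name: str):
        self.routers[name].up = True
        self._elect(active_failed=False)

    def roles(self):
        """(Active, Standby) router names, as 'show standby brief' would report."""
        return (self.active, self.standby)


if __name__ == "__main__":
    # Lab below: Router0 at 192.168.1.2 with priority 120, Router1 at .3 with the default.
    group = StandbyGroup("192.168.1.1", [
        HsrpRouter("Router0", "192.168.1.2", priority=120, preempt=True),
        HsrpRouter("Router1", "192.168.1.3", preempt=True),
    ])
    print(group.roles())
    group.fail("Router0"); print(group.roles())
    group.recover("Router0"); print(group.roles())
```

Running the recovery step with preempt left at its default shows the trap the list warns about: the higher-priority router comes back as Standby and the gateway stays on the lower-priority box until someone intervenes.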

LAB – HSRP :

1. Prepare the LAB as per the above and provide the basic IP addressing to the Routers
and the Computer
2. I am running OSPF in my LAB as the dynamic routing protocol.
3. Below is the OSPF config from the Routers:
Router1:
Router1#sh run | sec ospf
router ospf 100
network 192.168.1.0 0.0.0.255 area 0
network 192.168.3.0 0.0.0.255 area 0
Router0:
Router#sh run | sec ospf
router ospf 100
network 192.168.2.0 0.0.0.255 area 0
network 192.168.1.0 0.0.0.255 area 0
Router4:
Router#sh run | s ospf
router ospf 100
network 192.168.2.0 0.0.0.255 area 0
network 192.168.3.0 0.0.0.255 area 0
network 110.1.1.0 0.0.0.255 area 0
4. On Router4 configure a default route towards the ISP, and on the ISP router one
default route back to R4, for reachability.
From R4:
Router4(config)#ip route 0.0.0.0 0.0.0.0 110.1.1.1
From the ISP Router:
Router3(config)#ip route 0.0.0.0 0.0.0.0 110.1.1.2
5. Check the reachability; now the hosts in the LAN will be able to ping the ISP.
From PC0, able to reach the ISP network:

Let’s configure HSRP on the Routers:

From Router0:
Router0#sh run | sec stan
standby 1 ip 192.168.1.1
standby 1 priority 120
standby 1 preempt
standby 1 track GigabitEthernet0/0/0
From R1:
Router#sh run | sec stan // (No priority assigned on R1, so HSRP will take the
default priority of 100)
standby 1 ip 192.168.1.1
standby 1 preempt
standby 1 track GigabitEthernet0/0/0
Let’s check the output from both Routers:
Router0#sh standby brief --------- > Output from Router0
P indicates configured to preempt.
Interface Grp Pri P State Active Standby Virtual IP
Gig0/0/1 1 120 P Active local 192.168.1.3 192.168.1.1
Router1#sh standby brief ========== > Output from R1
P indicates configured to preempt.
Interface Grp Pri P State Active Standby Virtual IP
Gig0/0/1 1 100 P Standby 192.168.1.2 local 192.168.1.1

VRRP:
VRRP, Virtual Router Redundancy Protocol, is a vendor-neutral redundancy protocol
that groups a cluster of physical routers (two or more routers) to produce a new single
virtual router. It enables redundancy by assigning the same virtual gateway IP address
and MAC address on all physical routers within the VRRP group. Currently, VRRP is at
version 2. It has almost the same concept as HSRP. The only difference is that
preemption is enabled by default on VRRP, while on HSRP it needs to be configured
manually.
Two states of Virtual Router Redundancy Protocol (VRRP):

• Master Router – It is the current default gateway of all the hosts within the
organization. It is actively sending and receiving packets to and from the hosts.
• Backup Router – The backup router will take the role of the master router during
the failover or when the master router goes offline.
We will use the same LAB that we used for HSRP:
Let’s do the VRRP configs (VRRP is not supported in Packet Tracer):

Gateway Load Balancing Protocol (GLBP)

Compared to HSRP and VRRP, Gateway Load Balancing Protocol is a bit different.
With GLBP, routers within the group are allowed to do load balancing. To put it simply,
all the traffic that is transmitted to the default gateway IP address will be load-balanced
one at a time or in a round-robin manner among the routers within the group. GLBP has
the same states as HSRP, called active and standby. The mechanism of GLBP’s
active and standby states is the same as HSRP’s.

BGP (Border Gateway Protocol):

BGP (Border Gateway Protocol) is the exterior gateway routing protocol underlying the
global routing system of the Internet. It manages how packets get routed from network
to network through the exchange of routing and reachability information among edge
routers.
Border Gateway Protocol (BGP) is used to exchange routing information for the Internet
and is the protocol used between ISPs, which are in different ASes.
The protocol can connect any internetwork of autonomous system using an arbitrary
topology. The only requirement is that each AS have at least one router that is able to
run BGP and that is router connect to at least one other AS’s BGP router. BGP’s main
function is to exchange network reach-ability information with other BGP systems.
Border Gateway Protocol constructs an autonomous systems’ graph based on the
information exchanged between BGP routers.
BGP is the protocol that makes the Internet work by enabling data routing. When a user
in India loads a website with origin servers in USA, BGP is the protocol that enables that
communication to happen quickly and efficiently.
Characteristics of Border Gateway Protocol (BGP):

• Inter-Autonomous System Configuration: The main role of BGP is to provide


communication between two autonomous systems.
• Coordination among multiple BGP speakers within the AS (Autonomous System).
• Path Information: BGP advertisement also include path information, along with
the reachable destination and next destination pair.
• Policy Support: BGP can implement policies that can be configured by the
administrator. For ex: - a router running BGP can be configured to distinguish
between the routes that are known within the AS and that which are known from
outside the AS.
• Runs Over TCP, port 179
• BGP Uses the UPDATE messages to advertise the routes
• A full table exchange is sent out when BGP is first started, and then only
incremental updates are sent when changes occur in the topology.
• It’s a path vector Protocol, and uses MD5 as an authentication
• BGP runs on top of OSI layer I.e., on Application layer and uses TCP/IP as a
protocol
• IBGP AD Value is 200, whereas EBGP AD value is 20
Internal BGP (IBGP): BGP Adjacencies formed within as AS. (Autonomous
System)
External BGP (EBGP): BGP Adjacencies formed between different ASes.
Commands to enable BGP on a router:
Router(config)# router bgp 1
Router(config-router)# network 10.0.0.0 mask 255.255.255.0
Router(config-router)# neighbor 10.0.0.2 remote-as 1     /// in BGP it is mandatory to
define who the neighbour is and its AS number
Router(config-router)# no auto-summary
LAB (GNS3) TO SHOW IBGP and EBGP:

1. Consider both R1 and R2 are in the same AS number, 1.

On R1:

R1#sh run | sec bgp
router bgp 1
no synchronization
network 10.0.0.0 mask 255.255.255.0
neighbor 10.0.0.2 remote-as 1
no auto-summary

On R2:

You will get the below log, stating that an adjacency has formed between the BGP peers:

R2#
*Mar 1 00:02:43.547: %BGP-5-ADJCHANGE: neighbor 10.0.0.1 Up

2. Consider R1 is in AS – 100 and R2 is in AS – 200

R1#sh run | sec bgp
router bgp 100
bgp log-neighbor-changes
network 10.0.0.0 mask 255.255.255.0
neighbor 10.0.0.2 remote-as 200     /// now 10.0.0.2 is in AS 200 (EBGP)
no auto-summary

--------------------------------------------------------

R2#sh run | sec bgp
router bgp 200
no synchronization
bgp log-neighbor-changes
network 10.0.0.0 mask 255.255.255.0
neighbor 10.0.0.1 remote-as 100     /// now 10.0.0.1 is in AS 100 (EBGP)
no auto-summary

The adjacency has now come up between the two EBGP peers.

BGP Neighbour States:

Below are the BGP neighbour states:
1. Idle: Neighbour is not responding
2. Active: Attempting to connect
3. Connect: TCP session established between the peers
4. Open Sent: Open message sent to the peer
5. Open Confirm: Response received
6. Established: The adjacency between the peers is formed.

BGP forms unicast-based connection to each of its BGP-speaking peers. BGP uses TCP
port 179 as its underlying delivery mechanism. BGP establishes a neighbour adjacency
with other BGP routers before they exchange any routing information.

Idle State:
Idle is BGP’s first state. If BGP detects a start event where a new BGP neighbor is
configured or an established BGP peering is reset, BGP will initialize some resources and
reset the ConnectRetryTimer. Then, it tries to initiate a TCP connection to the BGP peer.
It will also listen for a new connection established by a BGP peer router. If BGP succeeds
in this stage, it will move to Connect state.
If it fails, BGP will stay in an Idle state. The ConnectRetryTimer is then set to 60 seconds,
and it should decrement to zero for the connection to be initiated again. If it fails again,
the previous ConnectRetryTimer will be doubled and should be decremented to zero for
a new connection to be initiated again.

2. Connect: BGP is waiting for the TCP three-way handshake to complete. When it is
successful, it will continue to the Open Sent state. In case it fails, we continue to the
Active state. If the Connect Retry timer expires then we will remain in this state. If
another event happens (for example resetting BGP) then we move back to the Idle state.

3. Active: BGP will try another TCP three-way handshake to establish a connection with
the remote BGP neighbor. If it is successful, it will move to the OpenSent state. If the
Connect Retry timer expires then we move back to the Connect state. BGP will also keep
listening for incoming connections in case the remote BGP neighbor tries to establish a
connection. Other events can cause the router to go back to the Idle state (resetting BGP
for example).

4. OpenSent State: (Open message sent to neighbor)

After sending an OPEN message to the peer, BGP waits in this state for the OPEN reply. If
a successful reply comes in, the BGP state moves to Open Confirm and a keepalive is
sent to the peer. Failure can result in sending the BGP state back to Idle or Active.

5. Open Confirm State: (Neighbor replied with open message)

The BGP state machine is one step away from reaching its final state (Established). BGP
waits in this state for keepalives from the peer. If successful, the state moves to
Established; otherwise, the state moves back to Idle based on the errors.

6. Established State: (Connection between neighbors established)

This is the state in which BGP can exchange information between the peers. The
information can be updates, keepalives, or notifications.

BGP Packet Types:


There are 4 types of packets in BGP:

• Open
• Update
• Keepalive
• Notification

The BGP OPEN message is used to set up and establish BGP neighbour adjacency. An
OPEN message includes information on the BGP router, and these must be negotiated
and accepted by both BGP routers before they can exchange routing information. The
BGP router information comprises the following:
BGP Version Number – the BGP version which the router is using. BGP version 4 is the
latest version. If the two BGP routers have a version mismatch, then no BGP session
will be made.
AS Number – the AS number must match the originating BGP router’s AS number. This
specifies if the BGP routers will run iBGP or eBGP as well.
Hold Time – it ensures that the BGP neighbor is ‘alive.’ By default, Cisco routers have
180 seconds hold time value. If the routers’ hold time values are different, the lowest
hold time value will be used. The minimum hold time value is 3 seconds and to disable
KEEPALIVE messages, the hold time value is set to 0.
If the BGP router doesn’t receive any UPDATE or KEEPALIVE messages from the BGP
neighbor during the hold time, then it will claim that the neighbor is ‘dead.’ It will tear
down the BGP session, the routes from the ‘dead’ neighbor are removed, and an
UPDATE message with route withdrawal is sent to the other BGP routers for the affected
prefixes. If the router does receive an UPDATE or KEEPALIVE message, then the hold
timer will be reset to the initial value.
BGP Identifier (RID) – the BGP router ID (RID) identifies the BGP router in the advertised
prefixes. It is a 32-bit unique number, and it can be used to prevent loops for the routers
that are advertised within the autonomous system (AS). The RID value must not be zero
to form a neighbor adjacency. It can be set manually using the ‘bgp router-id’ command.
If the RID is not manually defined, the router will dynamically use the highest loopback IP
address, and if no loopback interface is configured, it will use the highest IP address on
a physical interface.
Keepalive Message:
KEEPALIVE messages ensure that BGP neighbors are still alive. These messages are sent
every one-third of the negotiated hold time value of the two BGP routers. By default,
Cisco devices have a hold time of 180 seconds. One-third of 180 is 60, so the default
KEEPALIVE message interval is 60 seconds.
If a BGP neighbor misses the three KEEPALIVE intervals, 180 seconds by default (60 x 3 =
180), the routes from that neighbor will be flushed from the other BGP router. If the
hold time value is zero, no KEEPALIVE messages will be sent between the BGP peers.
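As an added example (not code from the original document), the following Python builds and parses the BGP OPEN message described above and applies the checks the text lists: version, AS number against the configured remote-as, a non-zero router ID, and hold-time negotiation (lowest value wins, keepalive every third of it). The message layout is the BGP-4 OPEN format; all router values used are constructed.

```python
import struct
from dataclasses import dataclass

BGP_MARKER = b"\xff" * 16   # every BGP message starts with a 16-byte all-ones marker
BGP_OPEN = 1                 # message type codes: OPEN=1, UPDATE=2, NOTIFICATION=3, KEEPALIVE=4


@dataclass
class BgpOpen:
    version: int      # BGP version, 4 for BGP-4
    my_as: int        # 2-byte "My Autonomous System" field
    hold_time: int    # proposed hold time in seconds; 0 disables keepalives
    router_id: str    # BGP identifier as a dotted quad


def build_open(msg: BgpOpen) -> bytes:
    """Encode an OPEN: marker(16) length(2) type(1) version(1) AS(2) hold(2) BGP-ID(4) optlen(1)."""
    rid = bytes(int(o) for o in msg.router_id.split("."))
    body = struct.pack("!BHH4sB", msg.version, msg.my_as, msg.hold_time, rid, 0)
    length = 16 + 2 + 1 + len(body)
    return BGP_MARKER + struct.pack("!HB", length, BGP_OPEN) + body


def parse_open(raw: bytes) -> BgpOpen:
    """Decode an OPEN, validating the fixed header before trusting any field."""
    if len(raw) < 29 or raw[:16] != BGP_MARKER:
        raise ValueError("bad marker or truncated header")
    length, mtype = struct.unpack("!HB", raw[16:19])
    if mtype != BGP_OPEN or length != len(raw):
        raise ValueError("not an OPEN message or length mismatch")
    version, my_as, hold, rid, optlen = struct.unpack("!BHH4sB", raw[19:29])
    if 29 + optlen != length:
        raise ValueError("optional parameter length does not match message length")
    return BgpOpen(version, my_as, hold, ".".join(str(b) for b in rid))


def negotiate(local: BgpOpen, configured_remote_as: int, peer: BgpOpen):
    """Checks made on the peer's OPEN; returns (hold time, keepalive interval, session type)."""
    if peer.version != local.version:
        raise ValueError("version mismatch: no session")
    if peer.my_as != configured_remote_as:
        raise ValueError("peer AS %d does not match remote-as %d" % (peer.my_as, configured_remote_as))
    if peer.router_id == "0.0.0.0":
        raise ValueError("peer BGP identifier is zero")
    for h in (local.hold_time, peer.hold_time):
        if h in (1, 2):
            raise ValueError("hold time must be 0 or at least 3 seconds")
    hold = min(local.hold_time, peer.hold_time)  # the lowest proposed value is used
    keepalive = hold // 3                         # one third of the negotiated hold time
    session = "iBGP" if peer.my_as == local.my_as else "eBGP"
    return hold, keepalive, session


if __name__ == "__main__":
    # constructed peers: R1 in AS 100 proposes the Cisco default of 180 s, R2 in AS 200 proposes 90 s
    r1 = BgpOpen(4, 100, 180, "1.1.1.1")
    r2 = BgpOpen(4, 200, 90, "2.2.2.2")
    wire = build_open(r2)
    print(parse_open(wire))                 # BgpOpen(version=4, my_as=200, hold_time=90, router_id='2.2.2.2')
    print(negotiate(r1, 200, parse_open(wire)))  # (90, 30, 'eBGP')
```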

Update Message:
UPDATE messages are used for advertising and exchanging routing information between
BGP neighbors. The advertised prefix or the Network Layer Reachability Information
(NLRI) information is included in the UPDATE message. The UPDATE message is also
used in withdrawing advertised BGP routes, and it includes just the prefix only in the
message. UPDATE messages also act as keepalives to lessen unnecessary traffic.

Notification Message:
The last of the BGP message types, NOTIFICATION messages will be sent if errors are
detected in the BGP session. When a NOTIFICATION message is sent, the BGP neighbor
adjacency will be terminated, and the BGP connection will be closed. The TCP session
and the BGP table will be cleared of all entries from the BGP neighbor. Route
withdrawals are done by sending UPDATE messages which will be sent to the other BGP
peer/s.

Single/Dual Homed and Multi-homed Designs in BGP:


When talking about ISPs, BGP, and connections, sometimes you will hear terminology
like “single homed”, “dual homed", "single multi-homed” or “dual multi-homed”. These
are different design topologies where we describe how a customer is connected (using
BGP) to one or more ISPs.

• Single Homed: The single homed design means you have a single connection to
a single ISP. With this design, you don’t need BGP since there is only one exit
path in your network. You might as well just use a static default route that points
to the ISP.
The advantage of a single-homed link is that it’s cost effective, the disadvantage is that
you don’t have any redundancy. Your link is a single point of failure but so is using a
single ISP.

• Dual Homed: The dual homed connection adds some redundancy. You are still
only connected to a single ISP, but you use two links instead of one. There are
some variations for this design. Here’s the first one:

With this design, we use a single router on both ends, but we do have redundant links.
To increase redundancy, we can add a second router:

In the example above, the ISP has a second router. We also could have used a second
router at the customer’s side and a single router at the ISP. For even more redundancy,
add a second router at both sides:

The example above offers the most redundancy when you are connected to a single ISP.
We have two links and two routers on both ends. One disadvantage of this design is
that we are still using a single ISP.

Single Multi-homed
Multihomed means we are connected to at least two different ISPs. The simplest design
looks like this:

Above you see that we have a single router at the customer, connected to two different
ISPs. The single point of failure in this design is that you only have one router at the
customer. When it fails, you won’t be able to connect to any ISP. We can improve this by
adding a second router:
Dual Multihomed:
The dual multihomed design means we are connected to two different ISPs, and we use
redundant links. There are some variations, here’s the first one:

Above you can see that we are connected to two different ISPs, using one router and
two links to each ISP. We have redundant ISPs and links, but the router is still a single
point of failure. We can improve this by adding a second router:

The design above is better; it has two customer routers. One disadvantage, however, is
that once one of your routers fails, you will lose the connection to one of the ISPs. Using
the same number of routers and links, the following design might be better:

This design has redundant ISPs, routers, and links. Both customer routers are connected
to both ISPs. This design does offer the highest redundancy but it’s also an expensive
option.
Conclusion:
• Single homed: you are connected to a single ISP using a single link.
• Dual homed: you are connected to a single ISP using dual links.
• Single multi-homed: you are connected to two ISPs using single links.
• Dual multi-homed: you are connected to two ISPs using dual links.

eBGP Multi-hop Feature:


EBGP has a TTL value of 1 and should be directly connected.
eBGP (external BGP) by default, requires two Cisco IOS routers to be directly connected
to each other to establish a neighbor adjacency. This is because eBGP routers use a TTL
of one for their BGP packets. When the BGP neighbor is more than one hop away, the
TTL will decrement to 0 and it will be discarded.
LAB FOR eBGP multihop Working:

1. Configure the LAB as per the topology and assign the basic IP addressing to all the
Interfaces and create the Loopback IPs. R1 – 1.1.1.1 is a loopback IP etc.,
2. Create one Static route from R1 to R3, and from R3 to R1
router1#sh run | i ip route
ip route 192.168.23.3 255.255.255.255 192.168.12.2
router3#sh run | i ip route
ip route 192.168.12.1 255.255.255.255 192.168.23.2
3. From R1 ping the R3 Interface IP and it should be reachable because Static route
is configured.
router1#ping 192.168.23.3
Sending 5, 100-byte ICMP Echos to 192.168.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/59/92 ms
4. Let’s configure the BGP in R1 and R3
Use the ebgp-multihop command to increase the TTL. Using a value of 5 in our
example. R2 will receive a packet with a TTL of 5, decrements it by 1 and forwards it to
R3. We can verify this change by looking at the show ip bgp neighbors command:

Verification:

So, here in my LAB I am specifying to BGP that the eBGP neighbour is 5 hops away; the TTL
value will change to 5 and it will try to reach the router.

How to advertise the networks in BGP:


There are two methods how we can do this:

• Network command
• Redistribution
BGP doesn’t care about interfaces, it doesn’t even look at them. When we use the
network command in BGP then BGP will only look at the routing table. When it finds the
network that matches the network command, it will install it in the BGP table.
Let me show you some examples to explain what I’m talking about. We will use the
following two routers:

R1 and R2 are in different autonomous systems so we use eBGP. Here is the BGP
configuration:

R1#show running-config | section bgp


router bgp 1
bgp log-neighbor-changes
neighbor 192.168.12.2 remote-as 2

R2#show running-config | section bgp


router bgp 2
bgp log-neighbor-changes
neighbor 192.168.12.1 remote-as 1

Nothing special here, just plain eBGP between R1 and R2. Let’s advertise some networks
in BGP…

Network Command
Let’s create a loopback interface with a network and advertise it in BGP:

R1(config)#interface loopback 1
R1(config-if)#ip address 1.1.1.1 255.255.255.0

R1(config)#router bgp 1
R1(config-router)#network 1.1.1.0 mask 255.255.255.0

Above we have created a loopback interface with network 1.1.1.0 /24, this is what
we will advertise in BGP. Since we created a loopback interface, this network will
be directly connected for R1:

R1#show ip route 1.1.1.0


Routing entry for 1.1.1.0/24
Known via "connected", distance 0, metric 0 (connected, via interface)
Advertised by bgp 1
Routing Descriptor Blocks:
* directly connected, via Loopback1
Route metric is 0, traffic share count is 1

Since it’s in the routing table, BGP will be able to install this network in the BGP
table:

R1#show ip bgp
BGP table version is 2, local router ID is 192.168.12.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external, f RT-Filter
Origin codes: i - IGP, e - EGP, ? - incomplete

     Network          Next Hop            Metric LocPrf Weight Path
 *>  1.1.1.0/24       0.0.0.0                  0         32768 i

Since R1 has it in its BGP table it will be able to advertise it to R2:

R2#show ip bgp 1.1.1.1
BGP routing table entry for 1.1.1.0/24, version 2
Paths: (1 available, best #1, table default)
  Not advertised to any peer
  1
    192.168.12.1 from 192.168.12.1 (192.168.12.1)
      Origin IGP, metric 0, localpref 100, valid, external, best

That’s all there is to it. Just use the network command to put the networks you want in
the BGP table. One thing you have to be aware of is that you must use the exact
network and subnet mask for the network command.

Let me give you an example:

R1(config)#interface loopback 2
R1(config-if)#ip address 11.11.11.11 255.255.255.255
R1(config)#router bgp 1
R1(config-router)#network 11.11.11.0 mask 255.255.255.0

I created a loopback interface with network 11.11.11.11 /32. BGP uses the network
command to advertise 11.11.11.0 /24. This network will never be placed in the BGP
table since the subnet mask doesn’t match:

R1#show ip bgp 11.11.11.11


% Network not in table

Be aware of this. Make sure you type the exact network address and subnet mask when
advertising something in BGP. Let’s fix this:

R1(config)#router bgp 1
R1(config-router)#no network 11.11.11.0 mask 255.255.255.0
R1(config-router)#network 11.11.11.11 mask 255.255.255.255

With the correct network command, BGP will be able to advertise this network in the
BGP table:

R1#show ip bgp 11.11.11.11
BGP routing table entry for 11.11.11.11/32, version 5
Paths: (1 available, best #1, table default)
  Advertised to update-groups:
     1
  Local
    0.0.0.0 from 0.0.0.0 (192.168.12.1)
      Origin IGP, metric 0, localpref 100, weight 32768, valid, sourced, local, best

And because R1 has it in its BGP table, R2 will be able to learn it:

R2#show ip bgp | begin Network
     Network          Next Hop            Metric LocPrf Weight Path
 *>  1.1.1.0/24       192.168.12.1             0             0 1 i
 *>  11.11.11.11/32   192.168.12.1             0             0 1 i
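Added example, not from the original document: a small Python check of the exact-match rule above, run against a constructed routing table holding the two loopbacks from the text; it also shows the classful mask IOS assumes when the mask keyword is omitted.

```python
import ipaddress

# classful boundaries: first octet below 128 -> /8, below 192 -> /16, below 224 -> /24
CLASSFUL = ((128, 8), (192, 16), (224, 24))


def classful_prefix_length(address):
    first_octet = int(address.split(".")[0])
    for limit, plen in CLASSFUL:
        if first_octet < limit:
            return plen
    raise ValueError("%s is not a class A, B or C address" % address)


def network_statement(network, mask=None):
    """Translate 'network <net> [mask <mask>]' into the exact prefix BGP will look for in the RIB.
    Without a mask, IOS assumes the classful mask; host bits are cleared here for convenience."""
    if mask is None:
        return ipaddress.ip_network("%s/%d" % (network, classful_prefix_length(network)), strict=False)
    return ipaddress.ip_network("%s/%s" % (network, mask), strict=False)


def bgp_table_from_network_commands(rib, statements):
    """Return (installed, not installed): a network statement only lands in the BGP table when
    the routing table holds exactly that prefix with exactly that mask."""
    rib_prefixes = {ipaddress.ip_network(r) for r in rib}
    installed, missing = [], []
    for stmt in statements:
        wanted = network_statement(*stmt)
        (installed if wanted in rib_prefixes else missing).append(str(wanted))
    return installed, missing


if __name__ == "__main__":
    # constructed routing table of R1 from the text: the two loopbacks plus the R1-R2 link
    rib = ["1.1.1.0/24", "11.11.11.11/32", "192.168.12.0/24"]
    print(bgp_table_from_network_commands(
        rib, [("1.1.1.0", "255.255.255.0"), ("11.11.11.0", "255.255.255.0")]))
    # -> (['1.1.1.0/24'], ['11.11.11.0/24'])   the /24 statement never matches the /32 loopback
    print(bgp_table_from_network_commands(
        rib, [("1.1.1.0", "255.255.255.0"), ("11.11.11.11", "255.255.255.255")]))
    # -> (['1.1.1.0/24', '11.11.11.11/32'], [])
    print(network_statement("10.0.0.0"))  # -> 10.0.0.0/8, the classful default with no mask
```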

BGP Next-hop-Self:

A property of iBGP is that it doesn’t change the next hop IP address. Sometimes this can cause
reachability issues.
The next-hop-self command allows us to force BGP to use a specified IP
address as the next hop rather than letting the protocol choose the next hop.

Let’s understand the iBGP next-hop-self behaviour with a LAB:

1. Create the topology as above and assign the basic IP addressing.
2. Routers R1 and R2 are in AS 10 (iBGP) and R3 is running in AS 20 (eBGP).
3. R3 is in AS 20 and we use eBGP between R2 and R3. Once we advertise network
3.3.3.0 /24 on R3 in BGP, R2 will learn this prefix and store it in its BGP
table; the next hop IP address will be 192.168.23.3.
4. Once R1 learns about prefix 3.3.3.0 /24, the next hop IP address will remain
192.168.23.3. When R1 doesn’t know how to reach this IP address, it will fail
to install 3.3.3.0 /24 in its routing table.
Configuration from the Routers:
R1#sh run | sec bgp
router bgp 10
no synchronization
neighbor 192.168.12.2 remote-as 10
no auto-summary
------------------------------------------
R2#sh run | sec bgp
router bgp 10
no synchronization
neighbor 192.168.12.1 remote-as 10
neighbor 192.168.23.3 remote-as 20
no auto-summary
------------------------------------------------------

Now R2 will get the route 3.3.3.0/24 from R3, and R2 will be able to reach it.

Now let’s check the R1 Routing table:

R1 learns the prefix but is unable to install it in the routing table. The problem here is
that the next hop IP address is 192.168.23.3, and R1 doesn’t know how to reach
192.168.23.3 because it is not in its routing table.

Now in R2 let’s change the next-hop- self to R1:


R2(config-router)#neighbor 192.168.12.1 next-hop-self

Configuring this command on R2 tells it: while sending any updates to R1 (192.168.12.1),
mark your own IP as the next-hop IP.

Let’s check the R1 Routing table now:

Troubleshooting BGP Neighbor Adjacency:


Let’s look at the output of one sample router:

When two EBGP routers that are directly connected do not form a working BGP
neighbour adjacency, there could be several things that are wrong:

• Layer 2 down, preventing us from reaching the other side.
• Layer 3 issue: wrong IP address on one of the routers.
• Access-list blocking TCP port 179 (BGP).
• Wrong IP address configured for the BGP neighbour router.
• Is the IP address of the BGP neighbour reachable? There might be routing issues.
• The TTL of IP packets that we use for external BGP is 1. This works for directly
connected networks, but if the neighbour is not directly connected, we need to change this
behaviour.
BGP Prefix-list:

We can filter the prefixes sent to neighbours with the help of prefix-lists; let me show you with an
example.
1. Prepare the LAB as per the above topology: R1 is in AS1 and has a loopback IP of
1.1.1.1/24, and R2 is in AS2.
2. Below is the R1 config:

R1#sh run | sec bgp
router bgp 1
no synchronization
bgp log-neighbor-changes
network 1.1.1.0 mask 255.255.255.0
neighbor 192.168.12.2 remote-as 2
no auto-summary

3. Below is the R2 Config:

4. Let’s verify the R2 routing table, and it should learn about 1.1.1.1

5. Now I don’t want R2 to learn the 1.1.1.0 network; R1 should not send 1.1.1.0/24 to R2.

6. For that, create one prefix-list in R1 and apply it to the BGP neighbour.

Creating a prefix list in R1:

R1(config)#ip prefix-list 5 deny 1.1.1.0/24
R1(config)#router bgp 1
R1(config-router)#neighbor 192.168.12.2 prefix-list 5 out

7. Let’s check the routing and BGP table in the R2 router; it shouldn’t get that prefix:

That’s how the prefix-list works in BGP.

BGP Split-Horizon Rule:


Any update received by one IBGP neighbour should not be sent to other IBGP
Neighbours preventing the routing loops in IBGP.
BGP Split horizon rule states that: Routes learned via iBGP will never be sent to
another iBGP peer. To put it in another way, an iBGP router will not pass on routes it
received from another iBGP peer to another iBGP peer.
BGP split-horizon rule mostly applies to iBGP interactions within an Autonomous
System.

R2 is receiving the Prefix from R1 – 1.1.1.1/32 and R2 won’t advertise it to R3 as all the
routers are in iBGP sessions.

To fix this problem we can use either:

1. Full mesh topology
2. Route Reflector.
Full Mesh Topology:
We have a network with 6 IBGP routers. Using the full mesh formula, we can calculate
the number of IBGP peerings:
N(N-1)/2
So that will be:
6 x (6-1) / 2 = 6 x 5 / 2 = 15 IBGP peerings.
All the 6 routers below are in the same AS (AS 100 for example) and need 15 IBGP peering
sessions. What if we have 100 routers? It’s not practical to run that many IBGP
sessions, so let’s check out the Route Reflector option now.

Route Reflector (RR):


We still have 6 routers under the same AS, but each router only has an IBGP peering
with the route reflector on top. When one of those IBGP routers advertises a route to
the route reflector, it will be “reflected” to all other IBGP routers:

This simplifies our IBGP configuration a lot, but there’s also a downside. What if the route
reflector crashes? It’s a single point of failure when it comes to IBGP peerings. Of
course, there’s a solution to this: we can have multiple route reflectors in our network.
The route reflector can have three types of peerings:

• EBGP neighbor
• IBGP client neighbor
• IBGP non-client neighbor

When you configure a route reflector you must tell the router whether the other IBGP
router is a client or non-client. A client is an IBGP router that the route reflector will
“reflect” routes to, the non-client is just a regular IBGP neighbor.
Rules:
When a route reflector forwards a route, there are a couple of rules:

• Rule – 1: A route learned from a non-RR client is advertised to RR clients but
not to non-RR clients.
• Rule – 2: A route learned from an RR client is advertised to both RR clients and
non-RR clients. Even the RR client that advertised the route will receive a copy
and discards it because it sees itself as the originator.
• Rule – 3: A route learned from an EBGP neighbor is advertised to both RR
clients and non-RR clients.
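The iBGP next-hop-self lab, the split-horizon rule and the three route-reflector rules above can be replayed in a few lines. This is an added example, not the document's own code: a toy Router that decides which peers receive a route and with which next hop, then runs both labs (link addresses for the route-reflector lab are constructed, since the page does not give them).

```python
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Peer:
    address: str                 # neighbour IP from "neighbor <ip> remote-as <as>"
    remote_as: int
    local_address: str           # our own IP on the link towards that neighbour
    rr_client: bool = False      # "neighbor <ip> route-reflector-client"
    next_hop_self: bool = False  # "neighbor <ip> next-hop-self"


@dataclass
class Router:
    name: str
    local_as: int
    peers: list
    connected: list = field(default_factory=list)  # prefixes present in the routing table
    bgp_table: dict = field(default_factory=dict)  # prefix -> next hop as held in the BGP table

    def session(self, peer):
        return "ebgp" if peer.remote_as != self.local_as else "ibgp"

    def is_rr(self):
        return any(p.rr_client for p in self.peers)

    def resolves(self, next_hop):
        """A prefix only reaches the RIB if its BGP next hop is itself reachable via the RIB."""
        nh = ipaddress.ip_address(next_hop)
        return any(nh in ipaddress.ip_network(c) for c in self.connected)

    def targets(self, src):
        """Peers a route learned from peer `src` is propagated to (src=None: locally originated)."""
        out = []
        for p in self.peers:
            if src is not None and p is src and not (self.is_rr() and src.rr_client):
                continue  # never echo a route to its sender; RR rule 2 sends clients a copy anyway
            if src is None or self.session(src) == "ebgp" or self.session(p) == "ebgp":
                out.append(p)  # rule 3: eBGP-learned routes go everywhere; eBGP peers get everything
            elif src.rr_client:
                out.append(p)  # rule 2: client-learned route -> all clients and non-clients
            elif p.rr_client:
                out.append(p)  # rule 1: non-client-learned route -> clients only
            # remaining case, iBGP-learned -> iBGP non-client, is suppressed by split horizon
        return out

    def advertise(self, prefix, src=None):
        """Return {peer address: next hop sent} for `prefix`, rewriting the next hop where BGP does."""
        next_hop = self.bgp_table[prefix]
        sent = {}
        for p in self.targets(src):
            # eBGP always rewrites the next hop to our own address; iBGP leaves it unchanged
            # unless next-hop-self is configured for that peer
            rewrite = self.session(p) == "ebgp" or p.next_hop_self
            sent[p.address] = p.local_address if rewrite else next_hop
        return sent


def next_hop_self_lab(use_next_hop_self):
    """Lab from the text: R3 (AS 20) -- R2 (AS 10) -- R1 (AS 10); R3 originates 3.3.3.0/24."""
    to_r1 = Peer("192.168.12.1", 10, "192.168.12.2", next_hop_self=use_next_hop_self)
    to_r3 = Peer("192.168.23.3", 20, "192.168.23.2")
    r2 = Router("R2", 10, [to_r1, to_r3], connected=["192.168.12.0/24", "192.168.23.0/24"])
    r1 = Router("R1", 10, [Peer("192.168.12.2", 10, "192.168.12.1")], connected=["192.168.12.0/24"])
    r2.bgp_table["3.3.3.0/24"] = "192.168.23.3"  # learned over eBGP, next hop is R3's interface
    nh = r2.advertise("3.3.3.0/24", src=to_r3)["192.168.12.1"]
    r1.bgp_table["3.3.3.0/24"] = nh
    return nh, r1.resolves(nh)  # (next hop R1 sees, whether R1 can install the prefix)


def route_reflector_lab(r2_is_rr):
    """Lab from the text: R1 -- R2 -- R3, all AS 100, iBGP only; R1 advertises 1.1.1.1/32 to R2.
    Link addresses are constructed; the page does not give them for this lab."""
    to_r1 = Peer("192.168.12.1", 100, "192.168.12.2", rr_client=r2_is_rr)
    to_r3 = Peer("192.168.23.3", 100, "192.168.23.2", rr_client=r2_is_rr)
    r2 = Router("R2", 100, [to_r1, to_r3])
    r2.bgp_table["1.1.1.1/32"] = "192.168.12.1"
    return sorted(r2.advertise("1.1.1.1/32", src=to_r1))


if __name__ == "__main__":
    print("next-hop-self off:", next_hop_self_lab(False))  # ('192.168.23.3', False)
    print("next-hop-self on: ", next_hop_self_lab(True))   # ('192.168.12.2', True)
    print("R2 plain iBGP:", route_reflector_lab(False))    # []
    print("R2 as RR:     ", route_reflector_lab(True))     # ['192.168.12.1', '192.168.23.3']
```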

Let’s do a LAB now so that you will understand the behaviour of IBGP and Route
Reflector:

1. Configure the LAB topology as above and assign the IP addresses to the
interfaces.
2. All the routers are running in the same AS, 100.
3. So R1, R2 and R3 will form IBGP relationships, as all are in the same AS.
4. Let’s check the BGP config of the routers:
R1:

R2:

On R3:

Let’s check now the BGP routing tables in R2, and R3:
R2 is learning the prefix 1.1.1.1/32 from the R1 router, and it’s stored in BGP Routing
table and from R2 we can ping 1.1.1.1 and below is the output:

Let’s check the Output from R3:

R2 is learning the prefix 1.1.1.1 from R1 and is not sending it to R3, as that is the default
behaviour of IBGP.
Any update/route received from an IBGP neighbour should not be sent on to another
IBGP neighbour, and that is what we call the Split-Horizon rule.

To fix this problem we can either go with a full-mesh relationship (not feasible if you
have many routers) or use the other possible solution, making RRs (Route Reflectors).

Let’s make R2 as RR, and R1 and R3 as the RR Clients.


Below is the config from R2:

Now R3 has learnt the prefixes from R1, and in R3 routing table the routes
are available.

So, this proves that for IBGP we can use Route Reflectors to learn all the routers’ prefixes.

BGP Attributes and Path Selection Process:


BGP has many attributes, considered in this order:

• Attributes:
o Weight (Highest Weight will be preferred)
o Local Preference (Highest will be preferred)
o Originate (Prefer paths that are locally Originated)
o AS path length (Shortest AS path)
o Origin code (IGP will be preferred over EGP)
o MED (Multi-Exit Discriminator) - Lowest MED is preferred
o eBGP path over iBGP path
o Shortest IGP path to BGP next hop
o Oldest Path
o Router ID (Lowest will be preferred)
o Neighbor IP address

IGPs select the path with the lowest metric. For example:

• RIP selects the path with the lowest hop count.
• OSPF selects the path with the lowest cost.
• EIGRP selects the path with the highest bandwidth and lowest delay (unless you
change the K values).
BGP, however, selects the best path based on a list of attributes. On the Internet, it’s
more important that you have granular control over how you forward your traffic and to
which autonomous systems, instead of just going for the shortest path based on a
metric.

Weight:
Prefer the path with the highest weight. This is a value that is local to the router and it’s
Cisco proprietary. The default value is 0 for all routes that are not originated by the
local router.

Local Preference:
The local preference is used within an autonomous system and exchanged between
iBGP routers. We prefer the path with the highest local preference. The default value is
100.

Originate:
Prefer the path that the local router originated. In the BGP table, you will see next hop
0.0.0.0. You can get a path in the BGP table through the BGP network command,
aggregation, or redistribution. A BGP router will prefer routes that it installed into BGP
itself over a route that another router installed in BGP.

AS path length:
Prefer the path with the shortest AS path length. For example, AS path 1 2 3 is preferred
over AS path 1 2 3 4 5.

Origin code:
Prefer the lowest origin code. There are three origin codes:

• IGP
• EGP
• INCOMPLETE
IGP is lower than EGP and EGP is lower than INCOMPLETE

MED:
Prefer the path with the lowest MED. The MED is exchanged between autonomous
systems. For a detailed explanation, look at the MED lesson.

eBGP path over iBGP path:


Prefer eBGP (external BGP) over iBGP (internal BGP) paths.

Shortest IGP path to BGP next hop:


Prefer the path within the autonomous system with the lowest IGP metric to the BGP
next hop.

Oldest Path:
Prefer the path that we received first, in other words, the oldest path.

Router ID:
Prefer the path with the lowest BGP neighbor router ID. The router ID is based on the
highest IP address. If you have a loopback interface, then the IP address on the loopback
will be used. The router ID can also be manually configured.

Neighbor IP address:
Prefer the path with the lowest neighbor IP address. If you have two eBGP routers and
two links in between then the router ID will be the same. In this case, the neighbor IP
address is the tiebreaker.
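Added example (not part of the original document): a Python implementation of the selection order listed above, run over constructed paths that replay the WEIGHT and AS-PATH labs that follow. The ISP1 neighbour address and all router IDs are constructed, and MED is compared across all candidate paths for simplicity.

```python
from dataclasses import dataclass


@dataclass
class Path:
    """One candidate path for a prefix, as a router holds it in its BGP table (constructed)."""
    via: str                 # label for the peer/ISP the path was learned from
    neighbor_ip: str
    neighbor_rid: str        # BGP router ID of the advertising neighbour
    as_path: tuple           # e.g. (200, 200, 200, 200) after AS-PATH prepending
    origin: str = "i"        # "i" IGP, "e" EGP, "?" incomplete; lowest wins
    weight: int = 0          # Cisco-local; 32768 for locally originated routes
    local_pref: int = 100    # default 100, highest wins
    med: int = 0             # lowest wins
    session: str = "ebgp"    # "ebgp" or "ibgp"
    igp_metric: int = 0      # IGP cost to the BGP next hop
    age_rank: int = 0        # arrival order, 0 = oldest
    local: bool = False      # originated by this router (next hop 0.0.0.0)


STEPS = ("weight", "local preference", "locally originated", "AS path length", "origin code",
         "MED", "eBGP over iBGP", "IGP metric to next hop", "oldest path", "router ID",
         "neighbor IP address")
ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}


def _ip_key(ip):
    return tuple(int(o) for o in ip.split("."))


def step_key(p):
    """One value per step, signed so that the lowest value wins at every step."""
    return (-p.weight, -p.local_pref, 0 if p.local else 1, len(p.as_path), ORIGIN_RANK[p.origin],
            p.med, 0 if p.session == "ebgp" else 1, p.igp_metric, p.age_rank,
            _ip_key(p.neighbor_rid), _ip_key(p.neighbor_ip))


def select_best(paths):
    """Eliminate losers step by step; return (best path, name of the step that decided it).
    Simplification: MED is compared across all remaining paths, whatever AS they came from."""
    keys = {id(p): step_key(p) for p in paths}
    remaining = list(paths)
    for i, name in enumerate(STEPS):
        lowest = min(keys[id(p)][i] for p in remaining)
        remaining = [p for p in remaining if keys[id(p)][i] == lowest]
        if len(remaining) == 1:
            return remaining[0], name
    return remaining[0], STEPS[-1]


def weight_lab(isp1_weight):
    """R1 (AS 100) reaches R4's loopbacks via R2 (AS 200) and R3 (AS 300); only weight differs."""
    isp1 = Path("ISP1 via R2", "192.168.20.2", "3.3.3.3", (200, 400), weight=isp1_weight)
    isp2 = Path("ISP2 via R3", "192.168.30.2", "2.2.2.2", (300, 400))
    best, step = select_best([isp1, isp2])
    return best.via, step


def as_path_lab():
    """R2 (AS 100) sees 10.1.1.0/24 from R3 (AS 200) directly, prepended 4x, and via R1 over iBGP."""
    direct = Path("R3 direct", "192.168.20.2", "3.3.3.3", (200, 200, 200, 200))
    via_r1 = Path("via R1", "192.168.12.1", "1.1.1.1", (200,), session="ibgp")
    best, step = select_best([direct, via_r1])
    return best.via, step


if __name__ == "__main__":
    print(weight_lab(0))     # ('ISP2 via R3', 'router ID')   all tied until the lowest RID wins
    print(weight_lab(200))   # ('ISP1 via R2', 'weight')      weight is step one and settles it
    print(as_path_lab())     # ('via R1', 'AS path length')   the prepended path loses
```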

BGP WEIGHT Attribute:


Weight is a Cisco proprietary BGP attribute that can be used to select a certain path.

• Weight is the first BGP attribute in the list.


• Cisco proprietary so you won’t find it on other vendor routers.
• Weight is not exchanged between BGP routers.
• Weight is only local on the router.
• The path with the highest weight is preferred.

LAB:

1. Configure the topology as above and assign the basic IP addressing.
2. R1 is running in AS100, R2 in AS200, R3 in AS300 and R4 in AS400.
3. Configure BGP as per the diagram.
4. R4 has 2 loopback IPs, and from R1 we should be able to ping/reach those R4 loopback
IPs.
R1 BGP Config:

R2 BGP Config:

R3 BGP Config:
R4 BGP Config:

Let’s check out the R1 Routing and BGP table:


We are learning the loopback IPs from R4 in R1 routing table.

Now if we see R1 is learning 192.168.100.0 network from 192.168.30.2 (ISP-2).

Because both ISP1 and ISP2 currently have the same weight, BGP considered the highest IP address as
the deciding metric; our ISP2 has the higher IP address compared with ISP1, so ISP2 is preferred by default.

Let’s configure the BGP WEIGHT attribute and make ISP1 the preferred path from the R1
router.

Let’s check the R1 BGP Routing table:

BGP LOCAL PREFERENCE Attribute:


BGP attribute local preference is the second BGP attribute and it can be used to choose
the exit path for an autonomous system. Here are the details:

• Local preference is the second BGP attribute.


• You can use local preference to choose the outbound external BGP path.
• Local preference is sent to all internal BGP routers in your autonomous system.
• Not exchanged between external BGP routers.
• Local preference is a well-known and discretionary BGP attribute.

• The default value is 100.


• The path with the highest local preference is preferred

LAB:

1. Assign the IP addressing as per the diagram and initiate BGP.
2. R1, R2 and R3 are running in AS100, and R4 is running in AS400.
3. Below are the BGP configurations from the routers.
R1:

R2:

R3:

R4:

Let’s quickly check the R3 routing table and see whether the prefix 8.8.8.0 is being learned from R4
or not:
In the R3 BGP routing table we can see it’s learning the 8.8.8.0 prefix from both 192.168.10.1 (through R1)
and 192.168.20.1 (through R2), but BGP considered 192.168.10.1 (through R1) the best path.

Let’s configure the LOCAL PREFERENCE Attribute in BGP and make sure all the traffic will
pass through R2:

Let’s see the R3 Routing table:

Now all the traffic is passing through R2; 192.168.40.1 is the R2 IP address.

So, this proves that with the LOCAL PREFERENCE BGP attribute we can influence the outbound external
BGP path.

BGP AS PATH Attribute:

• AS-PATH prepending is a way to manipulate the AS-PATH attribute of a BGP
route.
• It allows prepending multiple entries of an AS to a BGP route.
• BGP prefers the shortest AS path to get to a destination. Less is more!

LAB:
AS- PATH ATTRIBUTE

1. Assign the IP addressing as per the LAB.
2. R1 and R2 are in AS100, and R3 is in AS200.
3. Now, to reach the loopback IP 10.1.1.1 on R3, R1 is using the connected interface
192.168.10.2, and R2 is using 192.168.20.2, because those are the directly connected interfaces.
4. Let’s check the BGP configs:


Let's check the R1 and R2 routing tables: we can see they both prefer to reach the loopback IP through their connected interfaces.

Now we will do AS-PATH prepending so that R2 goes to R1 first and then reaches R3.
In R3, first we will create one route-map:


Apply the route-map on BGP towards the Router – R2:

Now, let’s see the R2 Routing table:

So, to reach the R3 prefix 10.1.1.0, R2 now goes to R1 first and then reaches R3, because R3 is advertising the longest AS-PATH (200 200 200 200) towards R2 and the shortest AS-PATH is preferred.

So, this is our AS-PATH Attribute LAB in BGP.

MED: Multi-Exit Discriminator:

Also called Metric in the BGP table.

MED (or metric) is a BGP attribute:

• MED can be used to advertise to your neighbors how they should enter your AS.
• MED is exchanged between autonomous systems.
• The lowest MED is the preferred path.
• MED is propagated to all routers within the neighbor AS but not passed along to any
other autonomous systems.
MED (also called metric) is exchanged between autonomous systems, and you can use it to
let the other AS know which path they should use to enter your AS. R2 is sending a MED of
200 towards AS 3. R3 is sending a MED of 300 to AS 3. AS 3 will prefer the lower metric and
send all traffic for AS 1 through R2.

LAB: We will re-use the same LAB that we used for AS-PATH, and now we will do MED.

1. Set up the LAB as per the above topology, and assign the basic IP addressing as per the setup.

2. R1 and R2 are running OSPF and are also running iBGP.

3. Let's see the OSPF config from R1 and R2:


Now R2 will learn the prefix 20.1.1.1 from R1, as they are both configured for OSPF.

R3 won't receive that prefix yet, because it is not advertised to R3 at this point:

That's how the OSPF configs look; now let's configure BGP and redistribute the OSPF prefix 20.1.1.1 into BGP so that R3 learns the network.

R1 and R2 are in AS100 and R3 is in AS200.

Redistribution of the OSPF prefix into BGP in R1:


Let's check the R3 BGP table and see via which path it learns the R1 loopback prefix 20.1.1.1.

So R3 is learning the prefix 20.1.1.1 from R1 because R1 has the lowest router ID.

Let's use the MED attribute to influence the traffic so that R3 uses R2 to enter AS 100.


MED prefers the lowest value, so from R1 to R3 I will advertise a high MED value, so that R3 chooses the path through R2, which has the lower MED value.

Config from R1:

Create one Access list allowing 20.1.1.1

Let’s create the Route-map now:


R1(config)#route-map MED permit 10
R1(config-route-map)#match ip address 1
R1(config-route-map)#set metric 500 // from R1 the prefix is now advertised with MED 500
R1(config-route-map)#exit

Apply the route-map to the BGP neighbour:

R1(config)#router bgp 100
R1(config-router)#neighbor 192.168.10.2 route-map MED out

(So I have applied a MED value of 500 from R1 to R3; remember the lowest MED is preferred, so R3 will now automatically choose the route via R2 rather than R1.)

Let's check the BGP table in R3:

So, with the help of MED we can influence how incoming traffic enters our AS.
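To see how the three attributes from these labs interact, here is an added Python model of the BGP decision process (example code, not part of the lab or of IOS): it implements a subset of the Cisco best-path steps (local preference, AS_PATH length, origin, MED, eBGP over iBGP, router ID; weight and IGP metric are omitted) and replays the local-preference, AS-PATH and MED labs with constructed router IDs and next hops.

```python
"""Simplified BGP best-path selection, replaying the three labs above.

Added example (not the lab's own output). Models a subset of the Cisco
decision process, in order: highest LOCAL_PREF, shortest AS_PATH, lowest
ORIGIN, lowest MED (same neighbouring AS only), eBGP over iBGP, lowest
router ID. Weight and IGP metric are omitted; a missing MED counts as 0.
Router IDs (1.1.1.1 ...) and the via-R1 next hop are constructed."""
from dataclasses import dataclass, field, replace
from typing import List, Optional, Tuple

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}   # IGP < EGP < incomplete


@dataclass
class BgpPath:
    prefix: str
    next_hop: str                    # neighbour the path was learned from
    as_path: List[int] = field(default_factory=list)
    local_pref: int = 100            # IOS default, as stated in the text
    med: int = 0                     # shown as "metric" in the BGP table
    origin: str = "i"
    ebgp: bool = True                # False for paths learned from iBGP peers
    router_id: str = "0.0.0.0"       # router ID of the advertising neighbour


def _rid_key(rid: str) -> Tuple[int, ...]:
    return tuple(int(octet) for octet in rid.split("."))


def prepend(path: BgpPath, asn: int, count: int) -> BgpPath:
    """AS-PATH prepending: the advertiser adds its own AS `count` extra times."""
    return replace(path, as_path=[asn] * count + path.as_path)


def compare(a: BgpPath, b: BgpPath) -> Tuple[Optional[BgpPath], str]:
    """Return (winner, reason); winner is None when every step ties."""
    if a.local_pref != b.local_pref:
        return (a if a.local_pref > b.local_pref else b), "highest LOCAL_PREF"
    if len(a.as_path) != len(b.as_path):
        return (a if len(a.as_path) < len(b.as_path) else b), "shortest AS_PATH"
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:
        return (a if ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin] else b), "lowest ORIGIN"
    # MED is only compared between paths received from the same neighbouring AS
    if a.as_path[:1] == b.as_path[:1] and a.med != b.med:
        return (a if a.med < b.med else b), "lowest MED"
    if a.ebgp != b.ebgp:
        return (a if a.ebgp else b), "eBGP over iBGP"
    if a.router_id != b.router_id:
        return (a if _rid_key(a.router_id) < _rid_key(b.router_id) else b), "lowest router ID"
    return None, "tie"


def best_path(paths: List[BgpPath]) -> Tuple[BgpPath, str]:
    """Run the pairwise comparison over all candidate paths for one prefix."""
    best, why = paths[0], "only path"
    for candidate in paths[1:]:
        winner, reason = compare(best, candidate)
        if winner is not None:
            best, why = winner, reason
    return best, why


def lab_local_pref(r2_local_pref: int = 100) -> Tuple[BgpPath, str]:
    """R3 (AS100) learns 8.8.8.0 from R1 and R2 over iBGP; the prefix originates in AS400 (R4)."""
    via_r1 = BgpPath("8.8.8.0/24", "192.168.10.1", [400], ebgp=False, router_id="1.1.1.1")
    via_r2 = BgpPath("8.8.8.0/24", "192.168.20.1", [400], ebgp=False, router_id="2.2.2.2",
                     local_pref=r2_local_pref)
    return best_path([via_r1, via_r2])


def lab_as_path(prepend_count: int = 0) -> Tuple[BgpPath, str]:
    """R2 (AS100) reaches 10.1.1.0 on R3 (AS200) directly over eBGP or via R1 over iBGP."""
    direct = prepend(BgpPath("10.1.1.0/24", "192.168.20.2", [200], router_id="3.3.3.3"),
                     200, prepend_count)
    # 192.168.30.1 is a constructed next hop standing in for R1
    via_r1 = BgpPath("10.1.1.0/24", "192.168.30.1", [200], ebgp=False, router_id="1.1.1.1")
    return best_path([direct, via_r1])


def lab_med(r1_med: int = 0) -> Tuple[BgpPath, str]:
    """R3 (AS200) learns 20.1.1.1 from both R1 and R2 in AS100 over eBGP."""
    via_r1 = BgpPath("20.1.1.1/32", "192.168.10.1", [100], med=r1_med, router_id="1.1.1.1")
    via_r2 = BgpPath("20.1.1.1/32", "192.168.20.1", [100], router_id="2.2.2.2")
    return best_path([via_r1, via_r2])


if __name__ == "__main__":
    for name, (path, why) in [("local-pref 200 on R2", lab_local_pref(200)),
                              ("3x AS-PATH prepend on R3", lab_as_path(3)),
                              ("MED 500 from R1", lab_med(500))]:
        print(f"{name}: best via {path.next_hop} ({why})")
```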

Difference between the IBGP and EBGP:



BGP Peer-Groups:
When you configure BGP on a router it’s possible that some of the BGP neighbors share the
exact same configuration. This can be annoying since you must type in the exact same
commands for each of these neighbors. Also, when BGP prepares updates, it does this
separately for each neighbor. This means that it must use CPU resources to prepare the
update for each neighbor.
To simplify the configuration of BGP and to reduce the number of updates BGP must create,
we can use peer groups. We can add neighbors to a peer group and then apply all our
configurations to the peer group. BGP will prepare the updates for the peer group which
requires less CPU resources than preparing them for each neighbor separately.
In my LAB, if you look at R1, the configurations for R2, R3 and R4 are almost the same.
From R1:

remote-as 100 // all the devices are in AS 100
password Cisco // I want to configure the password as Cisco
route-reflector-client // I want to make R2, R3 and R4 route-reflector clients
next-hop-self // tells the iBGP neighbours to update the next-hop IP
So, from R1 the commands will be the same for R2, R3 and R4.

Now instead of writing them for all the routers, we can put all the commands in one PEER GROUP and apply that PEER GROUP to the neighbours.


Let’s see the R1 BGP Configs:

Now R1 has formed the iBGP relationship with all the other routers.

So, that’s the use of your PEER GROUPS.

Have a look into R2:



From R3 and R4 you will also see the same commands, and I don't want to add them again.

BGP Synchronization Rule:


• The BGP synchronization rule states that a route learned via BGP will not be used nor advertised to an external neighbor unless that same prefix is also learned via an IGP. To put it another way, a BGP border router will not propagate a BGP-learned prefix to an eBGP peer unless that same IP prefix has been learned via an IGP.
• Do not use or advertise to an external neighbour a route learned from an iBGP neighbour until a matching route has been learned from an IGP (OSPF, RIP, EIGRP).
• Synchronization is disabled by default on Cisco routers (and it is recommended to leave it so).

Let's understand this quickly with one LAB:

By default, synchronization is disabled (no synchronization) on the routers, and if you have configured BGP correctly the prefix from R2, 8.8.8.8/32, will be seen in the R3 routing table.
Check the R3 routing table now for verification.


BGP ORIGIN CODE ATTRIBUTE:


The BGP Origin attribute informs the Autonomous Systems (AS) about the originator of that route. It is a well-known mandatory BGP path attribute, like the AS Path attribute and the Next Hop attribute. The BGP Origin attribute is supported in all BGP implementations, and it must be present in every BGP Update packet.
There are three different Origin types. These are:

• i (IGP)
• e (EGP)
• ? (Incomplete)

i (IGP) routes are routes which originated from a routing protocol, like RIP, OSPF, EIGRP etc. Generally, this is done via the network command under the BGP process.

e (EGP) routes are routes which originated from the Exterior Gateway Protocol (EGP). Now the only EGP is BGP, so these are routes originated from BGP.

? (Incomplete) routes are routes which were redistributed from static routes, an IGP etc. into BGP.
Let’s quickly understand BGP ORIGIN CODE ATTRIBUTE with one LAB:
1. Create the IP addressing as per the below LAB topology
2. I am running R1, R2 in AS100 and R3 in AS200
3. Create the BGP config as per the below config


R1 Config:

R2 Config:

R3 Config:


Let’s check the R3 BGP Routing table:

VPN (Virtual Private Network):


A virtual private network is a mechanism for creating a secure connection between a
computing device and a computer network, or between two networks, using an insecure
communication medium such as the public Internet.
How does a virtual private network (VPN) work?
A VPN extends a corporate network through encrypted connections made over the Internet. Because the traffic is encrypted between the device and the network, traffic remains private as it travels. An employee can work outside the office and still securely connect to the corporate network. Even smartphones and tablets can connect through a VPN.
What is secure remote access?
Secure remote access provides a safe, secure way to connect users and devices remotely to
a corporate network. It includes VPN technology that uses strong ways to authenticate the
user or device. VPN technology is available to check whether a device meets certain
requirements, also called a device’s posture, before it is allowed to connect remotely.
Is VPN traffic encrypted?
Yes, traffic on the virtual network is sent securely by establishing an encrypted connection
across the Internet known as a tunnel. VPN traffic from a device such as a computer, tablet,
or smartphone is encrypted as it travels through this tunnel. Offsite employees can then use
the virtual network to access the corporate network.

Types of VPNs:
• Remote Access and
• Site-to-Site VPN


Remote Access VPN: A remote access VPN securely connects a device outside the
corporate office. These devices are known as endpoints and may be laptops, tablets, or
smartphones. Advances in VPN technology have allowed security checks to be conducted on
endpoints to make sure they meet a certain posture before connecting. Think of remote
access as computer to network.

Remote access VPNs are also sometimes called client-based VPNs or client-to-server VPNs.

There are different ways a remote access VPN can be used, for example:

• A business traveller could use a remote access VPN to connect to their company’s
network from the Wi-Fi in the hotel lobby. They can access all the same files and
software they would have in the office. The VPN also protects the data from anyone
snooping on the public Wi-Fi.
• Somebody working from home could use a remote access VPN to access the
company’s network from home. Their computer works as if it was connected to the
company network in the office, and data is protected as it goes through the public
internet.
Here’s how it works:

• First, the VPN server checks that the user is allowed to access the network.
• Once the user is authenticated, the client and server establish an encrypted tunnel
between them.

- Encrypted tunnel protocols: IPsec and SSL are two that are often used.

• The user can now access resources through the VPN server.
This gives them access to a company’s internal network to access files or software.

Examples of remote access VPNs:

• Access Server by OpenVPN, which is free for up to two simultaneous VPN connections.
• Cisco AnyConnect, which integrates with Cisco's enterprise security solutions.
Site-to-Site VPN:

A site-to-site VPN connects the corporate office to branch offices over the Internet. Site-to-
site VPNs are used when distance makes it impractical to have direct network connections


between these offices. Dedicated equipment is used to establish and maintain a connection.
Think of site-to-site access as network to network.

A site-to-site VPN joins together two networks on different sites.

If a company had two offices on the east coast and west coast, for example, a site-to-site VPN could be used to combine them into a single network.

In site-to-site VPNs, GRE (Generic Routing Encapsulation) and IPsec are used.
Different technologies can be used to implement a site-to-site VPN. These include IPsec, Dynamic Multipoint VPN (DMVPN), and L3VPN.

VPN Working:
VPN software establishes an encrypted virtual tunnel between your device and a remote
VPN server. This creates a secure connection between you and the public internet, hiding
your IP address, disguising your location, and protecting your web activity from outside
monitoring.


Quick Summary: How VPNs Work


A VPN works by encrypting your internet connection and re-routing it through a remote VPN
server.
Here’s what happens to your web traffic when you use a VPN:
• You download, install and turn on the VPN app on your computer, smartphone, or
TV.
• In your browser, you type in a website to access (e.g., example.com).
• The VPN software on your device encrypts the connection request. This makes the
location and content of your request unintelligible to anyone looking at it.
• Your connection data is sent to your chosen VPN server, where it is decrypted.
• The VPN server connects to the website on your behalf, and the website sends your
requested information back to the VPN server.
• This information is encrypted by the VPN server and forwarded to your device.
• Your VPN app decrypts the information, and the requested website appears in your
browser.
By following the process above, a VPN lets you mask your IP address from the websites
you’re visiting.
Also, VPN software lets you hide your online activity from your ISP, WiFi administrator,
government or anyone else monitoring your connection.
Though all VPN software is somewhat similar, this process applies specifically to personal or
“consumer” VPN services.

What Is a VPN Tunnel?


A ‘VPN tunnel’ is a common way of describing what happens when you set up a VPN
connection. In simple terms, it’s the encrypted communication between your device and the
VPN server.
This communication is referred to as a tunnel because your original traffic is encrypted and
wrapped in a layer of unencrypted traffic.

It’s like taking an envelope with a written letter inside and putting it inside a second
envelope with a new address on. Your actual message becomes completely hidden from the
outside world – as if it was inside of a tunnel.
This process is known as encapsulation and is performed by dedicated tunnelling protocols.
IPsec tunnel
An IPsec tunnel can be used to join sites together, in much the same way it connects
individuals to a private network within remote access VPNs.
In this case, however, the VPN is implemented by routers at the two or more sites that are
connecting to each other. For this reason, it’s sometimes also called a router-to-router VPN.
Whereas a remote access VPN creates a tunnel for one device to connect to the private
network, with a site-to-site VPN, the IPsec tunnel encrypts the traffic between the
connected networks. This can take two forms:

• A route-based IPsec tunnel allows any traffic between the networks through. It’s like
wiring the networks together.
• A policy-based IPsec tunnel sets up rules that decide what traffic is allowed through,
and which IP networks can talk to which other IP networks.
• IPsec tunnels can be built using most firewalls and network routers.

Dynamic MultiPoint VPN (DMVPN)


The problem with IPsec tunnels is that IPsec connects two points to each other. In a site-to-site
network, for example, IPsec could be used to connect two routers to each other.

That doesn’t scale well in large companies with thousands of sites, where thousands of connections
might need to be established.


Instead, Cisco’s Dynamic MultiPoint VPN (DMVPN) technology offers a solution. It enables sites to
connect to the DMVPN hub router using dynamic IP addresses.

The network architecture is a hub-and-spoke design, which reflects the fact that most traffic goes
between branch sites (spokes) and the main site (hub), rather than between one branch and
another.

That said, it’s still possible for branch sites to connect to each other using a DMVPN. It just takes a
little additional configuration.

Cisco® Dynamic Multipoint VPN (DMVPN) is a Cisco IOS® Software-based security solution for
building scalable enterprise VPNs that support distributed applications such as voice and video
(Figure 1).

Cisco DMVPN is widely used to combine enterprise branch, teleworker, and extranet connectivity.
Major benefits include:

● On-demand full mesh connectivity with simple hub-and-spoke configuration

● Automatic IP Security (IPsec) triggering for building an IPsec tunnel

● “Zero-touch” deployment for adding remote sites

● Reduced latency and bandwidth savings

LAB for DMVPN:

1. Prepare the LAB as per the above topology and assign the basic IP addressing


2. Enable BGP and make R4 and R3 able to reach R1.
3. Below are the BGP configs from the routers.

R1:

R1#sh run | sec bgp
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 network 192.168.1.0
 neighbor 192.168.1.1 remote-as 2
 neighbor 192.168.1.1 allowas-in
 no auto-summary

R2:

R3:

Now R3 (Dubai) and R4 (Sweden) will be able to reach the Bangalore HO routers.

Let's quickly check the configs and ping:


Now both routers can reach the HO network router.

It’s time for us to configure the Tunnels/ VPN configs.

Below are the tunnel configs from R1, R3 and R4:

We won't make any changes to the tunnel config on R2 because it is the ISP router, and we are using the ISP router to connect our branch offices to the HO and vice versa.

R3:


R4:

Now R1 will build the dynamic tunnels towards the Branch Routers, and let’s just verify it.


Let’s enable OSPF on all the routers.


Once you enable it you will get neighbor logs like the ones below. The reason is that OSPF by default treats the tunnel as a point-to-point link (only 2 routers), but this is a 3-router topology, so it is not P2P; it is a point-to-multipoint network.

So, to solve the issue we need to set the OSPF network type to point-to-multipoint on all the routers.

Let's also enable IPsec on the routers to encrypt the traffic on the tunnels:

WAN (Wide Area Network):


A wide area network (also known as WAN) is a large network of information that is not tied
to a single location. WANs can facilitate communication, the sharing of information and
much more between devices from around the world through a WAN provider.

WANs can be vital for international businesses, but they are also essential for everyday use,
as the internet is considered the largest WAN in the world.


The term wide area network is used to describe a network that spans multiple geographic
locations. Consider an example. A company has two offices, one in London and one in
Berlin. Both offices have a LAN. If the company connects these two LANs together using
WAN technology, a WAN is created.
The key difference between LANs and WANs is that the company usually doesn’t own WAN
infrastructure. A company usually leases WAN services from a service provider. A WAN
spanning multiple cities could look something like this:

WAN Components and Equipment:


CPE (Customer Premises Equipment) refers to all devices, wiring, and hardware installed at
the customer's location. These devices are linked to the WAN service provider's WAN.
The customer may own the CPE or lease it from the service provider.

Typical equipment used to setup WAN connections include:


Routers (classed as CPEs)- Offer routing between LAN and WAN networks. Equipped with
WAN and LAN interface cards, routers route IP packets between the LAN and WAN
broadcast domains.
CSU (Channel Service Unit)/DSU (Data Service Unit) - Converts data from the LAN into a
WAN appropriate frame and vice versa


Modem - Converts the digital signals produced by a computer into analog signals to be
transmitted over the public telephone network. Another modem turns the analog signals
into digital signals on the other end of the connection.
Connectivity media - Such as Fiber, Wireless, Microwave or satellite
WAN Switch: A multiport device in the provider network, operating at L2 of the OSI model.
This device typically switches traffic such as Frame Relay.

The term "Service Provider Equipment" refers to all hardware and devices owned by the
service provider. Other equipment and terminology often used in WAN include:

WAN Connection Types:

Leased Line Connection Example:



Switched Connections:


WAN Connection Speeds:

WAN Protocols:
• Defines how the data is to be sent on WAN links; also called WAN encapsulation.
• PPP and HDLC are WAN protocols.

What is HDLC:
HDLC stands for High-Level Data Link Control. It is a bit-oriented code transparent
synchronous data link layer protocol. The International Organization for Standardization (ISO)
developed it. Moreover, it supports both connection-oriented and connectionless services.

What is PPP:
PPP stands for Point to Point Protocol.

It is a byte-oriented data link layer communication protocol. It can connect two routers
directly without any host or networking device in the middle. Furthermore, the PPP frame
consists of one or more bytes. It has bytes for flag, address, control, payload and FCS.
Moreover, PPP provides services such as connection authentication, transmission encryption,
and compression. It is possible to use PPP over various physical networks like serial cable,
phone lines, trunk lines and cellular telephone, radio links, fibre optic links (SONET).
Moreover, Internet Service Provider (ISP) uses PPP for customer dial-up access to the internet.


PPP Authentication:
PPP supports two Authentication Protocols. These Authentication Protocols are:

• PAP (Password Authentication Protocol)


• CHAP (Challenge Handshake Authentication Protocol)

PAP (Password Authentication Protocol) is the simplest authentication method. It uses a 2-way handshake. Both ends send the passwords in "clear text" in this method, and passwords are exchanged only at the beginning.

CHAP (Challenge Handshake Authentication Protocol) is the more complex authentication method. CHAP uses a 3-way handshake, and with this mechanism it checks the remote node periodically. CHAP uses an MD5 hash. One end sends a "hash" to the other node and the other node also sends a hash. If the hashes are the same, then the communication starts.

PPP Session Establishment:


PPP Session Establishment has three main steps. These steps are:

• Link Establishment (LCP Messages)
• Authentication (CHAP, PAP)
• Network Layer Phase (NCP Messages)

Below, you can find the detailed PPP Session Establishment schema:


As you can see here, for the session establishment, first the two ends exchange LCP packets. The first LCP message is a Configure-Request. If it is accepted, the other end sends a Configure-Ack LCP message. If not, it sends a Configure-Nak. Then the first router sends a second, modified Configure-Request LCP message.
After this LCP messaging step comes the authentication step, with the PAP or CHAP authentication protocols. If we use PAP, we use a 2-way handshake. If we use CHAP, then we use the 3-way handshake mechanism described above. Its messages are Challenge, Response and Accept/Reject.
Then, after a successful authentication step, in the Network Layer Phase, NCP messaging starts. Here again there are two messages: Configure-Request and Configure-Ack. If one end does not accept the request, it is rejected with a Configure-Nak message. For IP, IPCP (Internet Protocol Control Protocol) is used as the NCP.
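The PAP and CHAP descriptions above, and the Challenge/Response/Accept-Reject messages of the authentication phase, as an added Python example (not the lab's own configuration or IOS code): it builds the CHAP exchange of RFC 1994, where the response is MD5 over the identifier, the shared secret and the challenge, and contrasts it with a PAP Authenticate-Request, which carries the password in clear text. Router names and the secret "cisco" are constructed.

```python
"""PAP versus CHAP on the wire (added example, not the lab's configuration).

Implements the CHAP exchange of RFC 1994: the authenticator sends a random
Challenge, the peer answers with MD5(Identifier || secret || Challenge), and
the authenticator recomputes the hash from its own copy of the secret.
The PAP packet is shown only to contrast: RFC 1334 carries the password as
plain text.  Hostnames and the shared secret "cisco" are constructed."""
import hashlib
import hmac
import os
from typing import Dict, Tuple

CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4


def pap_authenticate_request(identifier: int, peer_id: bytes, password: bytes) -> bytes:
    """RFC 1334 Authenticate-Request: Code=1, Id, Length, Peer-ID, Password (clear text)."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    length = 4 + len(body)
    return bytes([1, identifier & 0xFF]) + length.to_bytes(2, "big") + body


def chap_hash(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP response value: MD5 over Identifier, secret and Challenge (RFC 1994)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapPeer:
    """Side being authenticated: knows only its own name and the shared secret."""

    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, identifier: int, challenge: bytes) -> Tuple[int, bytes, bytes]:
        return identifier, chap_hash(identifier, self.secret, challenge), self.name.encode()


class ChapAuthenticator:
    """Side issuing challenges: holds a secret per peer name (like 'username R2 password ...')."""

    def __init__(self, secrets: Dict[str, bytes]):
        self.secrets = secrets
        self.outstanding: Dict[int, bytes] = {}   # identifier -> challenge value
        self._next_id = 1

    def challenge(self) -> Tuple[int, bytes]:
        identifier = self._next_id & 0xFF
        self._next_id += 1
        value = os.urandom(16)                    # fresh random value every time
        self.outstanding[identifier] = value
        return identifier, value

    def verify(self, identifier: int, response: bytes, name: bytes) -> int:
        value = self.outstanding.pop(identifier, None)   # each challenge is usable once
        secret = self.secrets.get(name.decode(errors="replace"))
        if value is None or secret is None:
            return CHAP_FAILURE
        expected = chap_hash(identifier, secret, value)
        return CHAP_SUCCESS if hmac.compare_digest(expected, response) else CHAP_FAILURE


def chap_handshake(auth: ChapAuthenticator, peer: ChapPeer) -> int:
    """Run one 3-way exchange: Challenge -> Response -> Success/Failure."""
    identifier, value = auth.challenge()
    ident, digest, name = peer.respond(identifier, value)
    return auth.verify(ident, digest, name)


def demo() -> Dict[str, bool]:
    """Constructed scenario: R1 authenticates R2, including the periodic re-challenge."""
    r1 = ChapAuthenticator({"R2": b"cisco"})
    r2_good = ChapPeer("R2", b"cisco")
    r2_wrong = ChapPeer("R2", b"wrong")
    results = {
        "pap_password_visible": b"cisco" in pap_authenticate_request(1, b"R2", b"cisco"),
        "chap_ok": chap_handshake(r1, r2_good) == CHAP_SUCCESS,
        "chap_rechallenge_ok": chap_handshake(r1, r2_good) == CHAP_SUCCESS,
        "chap_wrong_secret": chap_handshake(r1, r2_wrong) == CHAP_FAILURE,
    }
    # A captured response cannot be reused: its challenge has already been consumed.
    identifier, value = r1.challenge()
    ident, digest, name = r2_good.respond(identifier, value)
    first = r1.verify(ident, digest, name)
    second = r1.verify(ident, digest, name)
    results["chap_replay_rejected"] = first == CHAP_SUCCESS and second == CHAP_FAILURE
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```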

Other PPP Characteristics


PPP is a fully standard protocol. It is supported on devices from all vendors.
PPP supports Multilink PPP and can provide a multilink connection; by doing this it bundles several links into a single logical link.


PPP uses LCP (Link Control Protocol) and NCP (Network Control Protocol). LCP is responsible for the establishment of the link. NCP is responsible for the transmission of IP and other protocols across the PPP link.

LAB:
CHAP Configurations on R1/R2;

On both Routers R1/R2 enable encapsulation as PPP:

Now R1, R2 will be able to ping each other.

On the same LAB, let’s configure the PAP WAN protocol:


Now both the routers will be able to ping each other.

Introduction to MPLS:
Multi-Protocol Label Switching (MPLS): It is a technique that is used for the routing of network packets. It is called Multiprotocol as it supports multiple protocols like Internet Protocol (IP), Asynchronous Transfer Mode (ATM) and Frame Relay. Moreover, in the MPLS technique the network packet forwarding is done based on the label present on the packet, which is why it is called Label Switching.

Multi-Protocol Label Switching (MPLS) is a layer 2 communication switching protocol that relies on compact switching labels to relay payloads to the next hop, as opposed to the layer 3 IP addressing that is used in the common IP routing protocols. In theory, MPLS should provide quicker lookups and therefore should have lower latency.


The MPLS Network consists of LSR (Label Switch Routers). These are named so as they can
understand the MPLS labels. There are 3 types of LSR –

• Ingress LSR: The ingress LSR receives an unlabelled IP packet and PUSHes a label onto it. Ingress LSRs are present at the beginning of the network.
• Egress LSR: The egress LSR POPs the label from the incoming packet and forwards it as an IP packet. Egress LSRs are present at the end of the network.
• Intermediate LSR: Intermediate LSRs are present between the ingress and egress routers, which is why they are called intermediate routers. These routers receive the labelled packet, SWAP the label of the packet and forward it to the next hop, thus carrying out MPLS forwarding of the packet.
• MPLS is a L2.5 protocol.

MPLS CORE LAB:


1. Assign the basic IP addressing as per the LAB and run the OSPF on all the routers.

OSPF neighbour adjacencies are formed like below:

You should now have full IP connectivity between R1, R2 and R3. To verify this we need to see if we can ping between the loopbacks of R1 and R3:
R1#ping 3.3.3.3 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/52/64 ms

Step 2 – Configure LDP (Label Distribution Protocol) on all the interfaces in the MPLS Core:
To run MPLS you need to enable it; there are two ways to do this.

• At each interface, enter the mpls ip command
• Under the OSPF process, use the mpls ldp autoconfig command

For this tutorial we will be using the second option, so go into the OSPF process and enter mpls ldp autoconfig – this will enable MPLS Label Distribution Protocol on every interface running OSPF under that specific process.

R1
router ospf 1
mpls ldp autoconfig

R2
router ospf 1
mpls ldp autoconfig

R3
router ospf 1
mpls ldp autoconfig

You should see log messages coming up showing the LDP neighbors are up.
R2#
*Mar 1 00:31:53.643: %SYS-5-CONFIG_I: Configured from console
*Mar 1 00:31:54.423: %LDP-5-NBRCHG: LDP Neighbor 1.1.1.1:0 (1) is UP
R2#
*Mar 1 00:36:09.951: %LDP-5-NBRCHG: LDP Neighbor 3.3.3.3:0 (2) is UP
To verify the mpls interfaces the command is very simple – sh mpls interface
This is done on R2, and you can see that both interfaces are running mpls and using LDP
R2#sh mpls interface
Interface IP Tunnel Operational
FastEthernet0/0 Yes (ldp) No Yes
FastEthernet0/1 Yes (ldp) No Yes
R2#sh mpls ldp neigh
Peer LDP Ident: 1.1.1.1:0; Local LDP Ident 2.2.2.2:0
TCP connection: 1.1.1.1.646 - 2.2.2.2.37909
State: Oper; Msgs sent/rcvd: 16/17; Downstream


Up time: 00:07:46
LDP discovery sources:
FastEthernet0/0, Src IP addr: 10.0.0.1
Addresses bound to peer LDP Ident:
10.0.0.1 1.1.1.1
Peer LDP Ident: 3.3.3.3:0; Local LDP Ident 2.2.2.2:0
TCP connection: 3.3.3.3.22155 - 2.2.2.2.646
State: Oper; Msgs sent/rcvd: 12/11; Downstream
Up time: 00:03:30
LDP discovery sources:
FastEthernet0/1, Src IP addr: 10.0.1.3
Addresses bound to peer LDP Ident:
10.0.1.3 3.3.3.3
One more verification to confirm LDP is running ok is to do a trace between R1 and R3 and
verify if you get MPLS Labels show up in the trace.
R1#trace 3.3.3.3
Type escape sequence to abort.
Tracing the route to 3.3.3.3

 1 10.0.0.2 [MPLS: Label 17 Exp 0] 84 msec 72 msec 44 msec
 2 10.0.1.3 68 msec 60 msec
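The PUSH/SWAP/POP roles of the ingress, intermediate and egress LSRs described earlier, replayed against the trace above, as an added Python model (not the lab's own code or IOS behaviour): it encodes the 4-byte MPLS shim header and walks a packet from R1 through R2 to R3. Label 17 and the addresses come from the trace; the FIB/LFIB entries, including R2 popping because the downstream label is implicit-null, are constructed to match it.

```python
"""MPLS label operations of the three LSR roles, replaying the trace above.

Added example (not the lab's own code). Encodes the MPLS shim header
(20-bit label, 3-bit EXP, 1-bit bottom-of-stack, 8-bit TTL) and models R1 as
ingress (PUSH), R2 as an LSR that SWAPs or, when the downstream label is
implicit-null, POPs, and R3 as egress receiving plain IP. Label 17 and the
addresses come from the lab; the FIB/LFIB entries are constructed."""
import struct
from typing import Dict, List, Optional, Tuple

ETHERTYPE_IP, ETHERTYPE_MPLS = 0x0800, 0x8847
IMPLICIT_NULL = 3           # reserved label: downstream asked us to pop (PHP)


def encode_shim(label: int, exp: int = 0, bos: int = 1, ttl: int = 255) -> bytes:
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    return struct.pack("!I", (label << 12) | ((exp & 7) << 9) | ((bos & 1) << 8) | (ttl & 0xFF))


def decode_shim(shim: bytes) -> Dict[str, int]:
    (word,) = struct.unpack("!I", shim[:4])
    return {"label": word >> 12, "exp": (word >> 9) & 7, "bos": (word >> 8) & 1, "ttl": word & 0xFF}


def ip_frame(payload: bytes) -> bytes:
    return struct.pack("!H", ETHERTYPE_IP) + payload


def mpls_frame(label: int, payload: bytes, ttl: int = 255) -> bytes:
    return struct.pack("!H", ETHERTYPE_MPLS) + encode_shim(label, ttl=ttl) + payload


class Lsr:
    def __init__(self, name: str, fib: Optional[Dict[str, Tuple[int, str]]] = None,
                 lfib: Optional[Dict[int, Tuple[int, str]]] = None):
        self.name = name
        self.fib = fib or {}      # prefix   -> (out label, next hop): ingress PUSH
        self.lfib = lfib or {}    # in label -> (out label, next hop): SWAP / POP

    def forward(self, frame: bytes, dst_prefix: str) -> Tuple[str, bytes, str]:
        """Return (next hop, outgoing frame, action taken)."""
        (etype,) = struct.unpack("!H", frame[:2])
        if etype == ETHERTYPE_IP:
            if dst_prefix not in self.fib:
                return "local", frame, "IP forwarding (egress)"
            out_label, next_hop = self.fib[dst_prefix]
            shim = encode_shim(out_label, bos=1, ttl=255)
            return next_hop, struct.pack("!H", ETHERTYPE_MPLS) + shim + frame[2:], f"PUSH {out_label}"
        top, rest = decode_shim(frame[2:6]), frame[6:]
        if top["ttl"] <= 1:
            return "drop", b"", "TTL expired"
        out_label, next_hop = self.lfib[top["label"]]
        if out_label == IMPLICIT_NULL:
            etype_out = ETHERTYPE_IP if top["bos"] else ETHERTYPE_MPLS
            return next_hop, struct.pack("!H", etype_out) + rest, f"POP {top['label']}"
        shim = encode_shim(out_label, top["exp"], top["bos"], top["ttl"] - 1)
        return next_hop, struct.pack("!H", ETHERTYPE_MPLS) + shim + rest, f"SWAP {top['label']}->{out_label}"


def run_lab(payload: bytes = b"ICMP echo 1.1.1.1 -> 3.3.3.3") -> Tuple[bytes, List[str]]:
    """R1 -> R2 -> R3 for 3.3.3.3/32: label 17 on hop 1, no label on hop 2, as in the trace."""
    r1 = Lsr("R1", fib={"3.3.3.3/32": (17, "10.0.0.2")})
    r2 = Lsr("R2", lfib={17: (IMPLICIT_NULL, "10.0.1.3")})   # constructed: R3 advertises implicit-null
    r3 = Lsr("R3")
    frame, actions = ip_frame(payload), []
    for router in (r1, r2, r3):
        _next_hop, frame, action = router.forward(frame, "3.3.3.3/32")
        actions.append(f"{router.name}: {action}")
    return frame, actions


if __name__ == "__main__":
    for line in run_lab()[1]:
        print(line)
```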

The next step is to configure MP-BGP between R1 and R3. This is where you start to see the Layer 3 VPN configuration come to life.
Step 3 – MPLS BGP Configuration between R1 and R3
We need to establish a Multi-Protocol BGP session between R1 and R3; this is done by configuring the vpnv4 address family as below:
R1#
router bgp 1
neighbor 3.3.3.3 remote-as 1
neighbor 3.3.3.3 update-source Loopback0
no auto-summary
!
address-family vpnv4
neighbor 3.3.3.3 activate

R3#
router bgp 1
neighbor 1.1.1.1 remote-as 1
neighbor 1.1.1.1 update-source Loopback0
no auto-summary
!

address-family vpnv4
neighbor 1.1.1.1 activate

*Mar 1 00:45:01.047: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Up

You should see log messages showing the BGP sessions coming up.
To verify the BGP session between R1 and R3 issue the command sh bgp vpnv4 unicast all summary

What is IPv6:
Internet Protocol Version 6 is a network layer protocol that allows communication to take place over the network. IPv6 was designed by the Internet Engineering Task Force (IETF) in December 1998 with the purpose of superseding IPv4, because of the exponentially growing number of internet users worldwide.
IPv4 uses a 32-bit address scheme, allowing 2^32 addresses, which is more than 4 billion addresses. To date, it is considered the primary Internet Protocol and carries 94% of Internet traffic. Initially, it was assumed it would never run out of addresses, but the present situation paves a new way to IPv6; let's see why. An IPv6 address consists of eight groups of four hexadecimal digits. Here's an example IPv6 address:
3001:0da8:75a3:0000:0000:8a2e:0370:7334
This new IP address version is being deployed to fulfil the need for more Internet addresses. It was aimed at resolving issues associated with IPv4. With a 128-bit address space, it allows 340 undecillion unique addresses. IPv6 is also called IPng (Internet Protocol next generation).
Types of IPv6 Address:
Now that we know about what is IPv6 address let’s look at its different types.

• Unicast addresses: identifies a unique node on a network and usually refers to a single sender or a single receiver.
• Multicast addresses: represents a group of IP devices and can only be used as the destination of a datagram.
• Anycast addresses: assigned to a set of interfaces that typically belong to different nodes.


Advantages of IPv6:
• Reliability
• Faster Speeds: IPv6 supports multicast rather than the broadcast used in IPv4. This feature allows bandwidth-intensive packet flows (like multimedia streams) to be sent to multiple destinations all at once.
• Stronger Security: IPsec, which provides confidentiality and data integrity, is embedded into IPv6.
• Routing efficiency
• Most importantly it’s the final solution for growing nodes in Global network.
Disadvantages of IPv6:
• Conversion: Due to widespread present usage of IPv4 it will take a long period to
completely shift to IPv6.
• Communication: IPv4 and IPv6 machines cannot communicate directly with each
other. They need an intermediate technology to make that possible.

IPv6 Neighbor Discovery Protocol:

One of the differences between IPv4 and IPv6 is that we no longer use ARP (Address
Resolution Protocol). ND (Neighbor Discovery Protocol) replaces the functionality of
ARP.
ND uses ICMPv6 and solicited-node multicast addresses to discover the layer two address
of other IPv6 hosts on the same network (local link). It uses two messages to accomplish
this:

• Neighbor solicitation message
• Neighbor advertisement message
Let’s take a closer look at these two messages.
IPv6 Neighbor Solicitation Message:
The neighbor solicitation message is used primarily to find the layer two address that
belongs to another IPv6 address on the local link. It is also used for DAD (Duplicate
Address Detection). In this packet, the source address is the IPv6 address of the host
sending the neighbor solicitation, and the destination address is the solicited-node
multicast address of the remote host. The message also includes the layer two address
of the host sending it. In the ICMPv6 header of this packet you will find type value
135.


Using solicited-node multicast addresses as the destination is far more efficient than
IPv4's ARP requests, which are broadcast to all hosts.
Every IPv6 device computes a solicited-node multicast address by taking the multicast
prefix FF02::1:FF00:0/104 and appending the last six hexadecimal digits (the low-order
24 bits) of its IPv6 address. It then joins this multicast group and listens to it.
When one host wants to find the layer two address of another host, it sends the
neighbor solicitation to the remote host's solicited-node multicast address. It can
calculate that address because it knows the multicast prefix and it knows the IPv6
address that it wants to reach.
The result is that only the remote host receives the neighbor solicitation. That is
far more efficient than a broadcast that everyone receives.
IPv6 Neighbor Advertisement Message:
Once the remote host receives the neighbor solicitation, it will reply with the neighbor
advertisement message. The source address is the IPv6 address of the host, and the
destination address is the IPv6 address of the remote host that sent the neighbor
solicitation. The most important part is that this message includes the layer two address
of the host. The neighbor advertisement message uses type 136 in the ICMPv6 packet
header.

Once R1 receives the neighbor advertisement, these two IPv6 hosts will be able to
communicate with each other.

Configuration:
Now you have an idea of how IPv6 neighbor discovery works.

First, we will configure some IPv6 addresses on our routers:

R1 & R2
(config)#interface FastEthernet 0/0
(config-if)#ipv6 enable
Using ipv6 enable is enough to generate link-local addresses, which is all we need
for this exercise. Here are the IPv6 addresses that the routers created:
R1#show ipv6 interface FastEthernet 0/0 | include FE80
IPv6 is enabled, link-local address is FE80::C001:2FF:FE40:0
R2#show ipv6 interface FastEthernet 0/0 | include FE80
IPv6 is enabled, link-local address is FE80::C002:3FF:FEE4:0

Shortening IPv6 Addresses:

IPv6 addresses are hexadecimal and, since they are 128-bit, they are quite long:
2041:0000:140F:0000:0000:0000:875B:131B
To make our lives a bit easier, IPv6 addresses can be shortened. Let's look at some
examples and I'll show you how it works:
• Original: 2041:0000:140F:0000:0000:0000:875B:131B
• Short: 2041:0000:140F::875B:131B

If there is a string of all-zero hextets, you can remove it and write "::" in its
place, but only once per address. In the example above I removed the entire
0000:0000:0000 part. Because this is allowed only once, your IPv6 device can fill the
remaining space with zeros until it has a 128-bit address again.
There is more, however; the address can be shortened even further:
• Short: 2041:0000:140F::875B:131B
• Shorter: 2041:0:140F::875B:131B

If you have a hextet with four zeros, you can remove them and leave a single zero.
Your IPv6 device will add the remaining three zeros.
Leading zeros can also be removed. Here is another address to demonstrate this:
• Original: 2001:0001:0002:0003:0004:0005:0006:0007
• Short: 2001:1:2:3:4:5:6:7


By removing these zeros, we get a nice short IPv6 address.

To summarize these rules:

• An entire string of all-zero hextets can be replaced by "::", but only once per address.
• A hextet of four zeros can be reduced to a single zero.
• Leading zeros can be removed.
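The solicited-node computation from the Neighbor Discovery section and the three shortening rules above, worked in Python as an added example (not part of the original document): expand_ipv6 reverses the rules, compress_ipv6 applies them, solicited_node derives FF02::1:FFxx:xxxx from a unicast address, and matches_stdlib cross-checks the results against Python's ipaddress module. The sample addresses are the document's own; the function names are assumptions of this example.

```python
import ipaddress
import re

HEXTET = re.compile(r"[0-9a-fA-F]{1,4}")


def expand_ipv6(addr: str) -> str:
    """Undo the shortening rules: restore the hextets hidden by '::' and pad
    every hextet back to four hex digits (lowercase, RFC 5952 style)."""
    if addr.count("::") > 1:
        raise ValueError("'::' may be used only once")
    if "::" in addr:
        left, right = addr.split("::")
        head = left.split(":") if left else []
        tail = right.split(":") if right else []
        missing = 8 - len(head) - len(tail)
        if missing < 1:
            raise ValueError("'::' must stand for at least one hextet")
        parts = head + ["0"] * missing + tail
    else:
        parts = addr.split(":")
    if len(parts) != 8 or not all(HEXTET.fullmatch(p) for p in parts):
        raise ValueError(f"not an IPv6 address: {addr}")
    return ":".join(p.lower().zfill(4) for p in parts)


def compress_ipv6(addr: str) -> str:
    """Apply the shortening rules: drop leading zeros in each hextet, then
    replace the longest run of two or more all-zero hextets with '::' once."""
    parts = [p.lstrip("0") or "0" for p in expand_ipv6(addr).split(":")]
    best_start, best_len, run_start = 0, 0, None
    for i, p in enumerate(parts + ["end"]):      # sentinel closes a trailing run
        if p == "0":
            run_start = i if run_start is None else run_start
        elif run_start is not None:
            if i - run_start > best_len:         # first longest run wins a tie
                best_start, best_len = run_start, i - run_start
            run_start = None
    if best_len < 2:                             # a single zero hextet stays "0"
        return ":".join(parts)
    return ":".join(parts[:best_start]) + "::" + ":".join(parts[best_start + best_len:])


def solicited_node(addr: str) -> str:
    """FF02::1:FF00:0/104 plus the low-order 24 bits (last six hex digits) of addr."""
    low24 = expand_ipv6(addr).replace(":", "")[-6:]
    return compress_ipv6(f"ff02::1:ff{low24[:2]}:{low24[2:]}")


def matches_stdlib(addr: str) -> bool:
    """Cross-check both conversions against the standard library's canonical forms."""
    ref = ipaddress.IPv6Address(addr)
    return expand_ipv6(addr) == ref.exploded and compress_ipv6(addr) == str(ref)
```

For the lab's R1 link-local address FE80::C001:2FF:FE40:0 the solicited-node group is ff02::1:ff40:0, which is the destination a neighbor solicitation for R1 must carry.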

Stateless autoconfiguration for IPv6 (IPv6 SLAAC):

Stateless autoconfiguration for IPv6 is like a "mini-DHCP" server for IPv6. Routers
running IPv6 can give the network prefix and a gateway address to clients looking for
an IPv6 address. IPv6 uses NDP (Neighbor Discovery Protocol), and one of the things
this protocol offers is RS (Router Solicitation) and RA (Router Advertisement)
messages that help an IPv6 device configure an IPv6 address automatically.
What happens, however, when we have more than one router on the subnet? Which
router advertisement will our host then use? To figure this out, we'll use the following
topology:
We have two routers, R1 and R2, that will both send router advertisements. Our host
will be configured for SLAAC so that it configures its own IPv6 address. With two
router advertisements, our host will have to decide which one to use.

Configuration
First, we will enable IPv6 unicast routing on R1 and R2, otherwise they won’t send any
router advertisements:
R1 & R2
(config)#ipv6 unicast-routing


Let’s configure a global unicast address on each router so that they can advertise a
prefix in the RA:
R1(config)#interface GigabitEthernet 0/1
R1(config-if)#ipv6 address 2001:DB8:123:123::1/64
R2(config)#interface GigabitEthernet 0/1
R2(config-if)#ipv6 address 2001:DB8:123:123::2/64

Now we will configure the host to use the router advertisements for autoconfiguration:
Host(config)#interface GigabitEthernet 0/1
Host(config-if)#ipv6 address autoconfig
H1#show ipv6 routers default
Router FE80::F816:3EFF:FE19:6D0 on GigabitEthernet0/1, last update 1 min
Hops 64, Lifetime 1800 sec, AddrFlag=0, OtherFlag=0, MTU=1500
HomeAgentFlag=0, Preference=Medium, trustlevel = 0
Reachable time 0 (unspecified), Retransmit time 0 (unspecified)
Prefix 2001:DB8:123:123::/64 onlink autoconfig
Valid lifetime 2592000, preferred lifetime 604800


Great, as you can see our host is using R2 as the default router. Why? All parameters in
the router advertisements from our routers are equal, so there is nothing in the RA that
the host can use to prefer one router. It chose R2 because R2's RA was the first one it
received.

IPv6 Routing:
Static and Default Routing in IPv6.
Configuration:
To demonstrate this, I will use the following topology:

R1 and R2 are connected with a serial link. R2 has a loopback interface with IPv6 address
2001:DB8:2:2::2/64. Let's see if we can reach this address.

Static route for a prefix – outgoing interface


Like with IPv4, it is possible to use an interface as the next hop. This will only work with
point-to-point interfaces:
R1(config)#ipv6 route 2001:DB8:2:2::/64 Serial 0/0/0
R1#show ipv6 route static

S 2001:DB8:2:2::/64 [1/0]
via Serial0/0/0, directly connected

Let’s see if it works:


R1#ping 2001:DB8:2:2::2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8:2:2::2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/4 ms

Static route for a prefix – global unicast next hop


Instead of an outgoing interface, we can also specify the global unicast address as the
next hop:
R1(config)#ipv6 route 2001:DB8:2:2::/64 2001:DB8:12:12::2


Here’s what the routing table looks like:

R1#show ipv6 route static

S 2001:DB8:2:2::/64 [1/0]
via 2001:DB8:12:12::2

Let’s see if it works:

R1#ping 2001:DB8:2:2::2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8:2:2::2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/4 ms

Static default route – global unicast next hop


Instead of an outgoing interface, let’s try a global unicast next-hop address:
R1(config)#ipv6 route ::/0 2001:DB8:12:12::2

Here’s the routing table:

R1#show ipv6 route static

S ::/0 [1/0]
via 2001:DB8:12:12::2

Let’s try a quick ping:

R1#ping 2001:DB8:2:2::2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8:2:2::2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/4 ms
