3.11 - Configure and verify manual and auto summarization with any routing protocol:
    By default, OSPF and EIGRP both support auto summarization at the classful boundary.
    Configuration for OSPF:
        You can only configure manual summarization at the ABR and ASBR:
            ABR: area [#] range [IP address] [mask] [cost]
            ASBR: summary-address [IP address] [prefix-mask]
    Configuration for EIGRP:
        Configure on the router that holds the addresses. Use this command under interface configuration mode:
            ip summary-address eigrp [ASN] [IP address] [mask/prefix]
    Configuration for RIP:
        RIPv1 only supports auto summarization at the classful boundaries.
        RIPv2 allows manual summarization: configure on the router that holds the addresses. Use this command under interface configuration mode:
            ip summary-address rip [IP address] [mask/prefix]
    Configuration for BGP:
        Use the aggregate-address command or auto summarization.
    Verify that the summary shows up in the routing table.
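As an added illustration (not part of the original notes), the Python below computes the tightest single summary prefix for a set of component subnets, the kind of prefix you would put into area range, ip summary-address or aggregate-address, reports how many addresses the summary covers beyond its components, and lists which routing-table entries a summary hides. The subnets and routing table are constructed samples.

```python
import ipaddress


def summarize(subnets):
    """Return (summary_network, unused_addresses) for the tightest single prefix
    that covers every subnet in `subnets` (all IPv4 or all IPv6, given as
    'network/prefixlen' strings). `unused_addresses` counts addresses inside the
    summary that belong to none of the components: advertising the summary
    attracts traffic for them, so a large number is worth a second look."""
    nets = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(s) for s in subnets))
    first = min(n.network_address for n in nets)
    last = max(n.broadcast_address for n in nets)
    # Start at the longest possible prefix and widen it one bit at a time until
    # the block that starts at the lowest address also contains the highest one.
    plen = nets[0].max_prefixlen
    while True:
        cand = ipaddress.ip_network(f"{first}/{plen}", strict=False)
        if last <= cand.broadcast_address:
            break
        plen -= 1
    unused = cand.num_addresses - sum(n.num_addresses for n in nets)
    return cand, unused


def components_covered(summary, routing_table):
    """Return the routing-table prefixes that the summary covers, i.e. the
    more-specific routes that should disappear from a neighbour's table once
    the summary is advertised (what you look for in show ip route)."""
    s = ipaddress.ip_network(summary)
    covered = []
    for p in routing_table:
        n = ipaddress.ip_network(p)
        if n.version == s.version and n.subnet_of(s):
            covered.append(p)
    return covered


if __name__ == "__main__":
    # Constructed sample: four contiguous /24s summarise exactly, three do not.
    for group in (["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"],
                  ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24"],
                  ["2001:db8:0:0::/64", "2001:db8:0:1::/64"]):
        summary, unused = summarize(group)
        print(f"{group} -> {summary} ({unused} addresses not in any component)")
    table = ["10.1.2.0/24", "10.2.0.0/24", "10.1.0.0/25", "2001:db8::/64"]
    print("hidden by 10.1.0.0/22:", components_covered("10.1.0.0/22", table))
```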
3.26 - Configure and verify network types, area types, and router types
    OSPF network types:
        Point-to-point:
            Elects a DR only if a neighbor is defined with the neighbor command.
            Default hello timer is 10 seconds.
            Dynamically discovers neighbors; no more than 2 routers are involved.
            Define the network type on the interface with the ip ospf network [point-to-point | broadcast | ...] command.
            The above is also the default on Frame Relay point-to-point connections.
        Multipoint:
            Two types of multipoint networks:
                Point-to-multipoint:
                    Allows dynamic discovery of neighbors.
                    Does not use a DR.
                    Default hello is 30 seconds.
                Point-to-multipoint NBMA:
                    Does not use a DR.
                    Default hello is 30 seconds.
                    No dynamic discovery of neighbors.
        Broadcast:
            Connects multiple routers to a switch, so a packet sent out reaches all routers.
            Uses a DR.
            Default hello is 10 seconds.
            Dynamically discovers neighbors.
        Non-broadcast:
            These would be Frame Relay networks.
            Uses a DR.
            Does not dynamically discover neighbors.
            Default hello is 30 seconds.
    LSA types:
        Type 1:
            Known as the Router LSA.
            Each router creates one and floods it throughout its own area.
            An ABR will create one for each area it is attached to.
            A type 1 LSA contains the following:
                RID
                All interface IP addresses
                Stub networks it represents
        Type 2:
            Known as the Network LSA.
            Only sent by the DR.
            Only one per transit network.
            Represents the transit subnet and all router interfaces connected to that subnet.
        Type 3:
            Known as the Summary LSA.
            Sent by ABRs.
            Contains information on how to reach subnets that are in other areas.
        Type 4:
            Known as the ASBR Summary LSA.
            Tells routers how to reach the ASBR.
            Generated by the ABR.
        Type 5:
            Known as the AS External LSA.
            Created by ASBRs.
            Represents and contains external routes injected into OSPF (route redistribution).
        Type 7:
            Known as the NSSA External LSA.
            Created by ASBRs inside an NSSA area instead of a type 5.
            Also represents external routes injected into OSPF.
    Types of OSPF areas:
        Backbone area: Is always area 0, and all other areas must connect to it.
        Normal area: An area that is not a backbone area or any type of stubby area.
        Transit area: An area where packets travel between 2 distant areas.
        Stub area: Filters only type 5 LSAs and does not allow external routes.
        NSSA: Filters only type 5 LSAs, but allows external routes (type 7 LSAs).
        Totally NSSA: Filters both type 3 and 5 LSAs, but allows external routes (type 7 LSAs).
        Totally stubby area: Filters type 3 and 5 LSAs and does not allow external routes.
    Types of OSPF routers:
        Internal router: A router that has interfaces connected to only one area.
        Backbone router: Any router that has at least one interface connected to the backbone area.
        Area Border Router (ABR): Any router that has one or more interfaces connected to other areas.
        Autonomous System Boundary Router (ASBR): Any router that injects external routes into OSPF.
    Virtual links:
        Used for connecting non-backbone areas to the backbone area through a virtual link rather than a direct connection.
3.27 - Configure and verify OSPF path preference
    Calculating OSPF intra-area routes:
        Find all subnets in the area based on type 1 and 2 LSAs.
        Run SPF to find all paths to the subnet.
        Calculate the OSPF cost for all outgoing interfaces, and use the lowest total cost route for each subnet as the best route.
    Calculating OSPF inter-area routes:
        Uses the type 3 LSAs to calculate routes to subnets in other areas.
        Calculate the intra-area cost to the ABR.
        Add the cost value the ABR advertises for the subnet in the other area to the local router's cost to reach the ABR.
    Since ABRs calculate both inter-area and intra-area routes, they need to know which route is best for them within multiple areas. They do this by following these rules:
        An intra-area route is always better than an inter-area route.
        If an ABR receives a type 3 LSA in a non-backbone area, it will ignore that LSA in its route calculations.
    Remember that only type 1 and 2 LSAs affect topology changes and require SPF calculation.
    Configuration and verification:
        Change the default reference bandwidth, which is 100,000 kbps, with the auto-cost reference-bandwidth command. Remember that cost is calculated as reference bandwidth (kbps) / interface bandwidth (kbps).
        Set the cost of the link with ip ospf cost [#].
        Verify with the show ip ospf interface command.
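To make the cost formula and the two ABR rules above concrete, here is an added Python example (not from the original notes). It computes interface cost from the reference bandwidth and then picks the best route to one subnet from an intra-area cost and a list of type 3 LSAs; the (area, cost-to-ABR, ABR-advertised-cost) tuple encoding and the sample values are my own construction.

```python
DEFAULT_REF_BW_KBPS = 100_000  # IOS default auto-cost reference-bandwidth


def ospf_cost(interface_bw_kbps, reference_bw_kbps=DEFAULT_REF_BW_KBPS):
    """Interface cost = reference bandwidth / interface bandwidth, truncated to
    an integer and never lower than 1. With the default reference bandwidth a
    100 Mbps, 1 Gbps and 10 Gbps link all cost 1, which is why the reference
    bandwidth is usually raised on faster networks."""
    return max(1, reference_bw_kbps // interface_bw_kbps)


def best_route(is_abr, intra_cost, type3_lsas):
    """Choose the route to one destination subnet.

    is_abr      -- whether the local router is an ABR
    intra_cost  -- total SPF cost if the subnet is in a local area, else None
    type3_lsas  -- list of (received_in_area, cost_to_abr, abr_advertised_cost)
                   for the type 3 (summary) LSAs describing that subnet
    Returns ("intra-area", cost), ("inter-area", cost) or None.
    """
    # Rule 1: an intra-area route always wins, even when an inter-area path
    # would be cheaper.
    if intra_cost is not None:
        return ("intra-area", intra_cost)
    candidates = []
    for received_in_area, cost_to_abr, abr_cost in type3_lsas:
        # Rule 2: an ABR ignores type 3 LSAs learned in a non-backbone area.
        if is_abr and received_in_area != 0:
            continue
        # Inter-area cost = cost to reach the ABR + cost the ABR advertises.
        candidates.append(cost_to_abr + abr_cost)
    if not candidates:
        return None
    return ("inter-area", min(candidates))


if __name__ == "__main__":
    for bw in (10_000, 100_000, 1_000_000, 10_000_000):
        print(f"{bw:>9} kbps: default cost {ospf_cost(bw)}, "
              f"with a 10 Gbps reference cost {ospf_cost(bw, 10_000_000)}")
    # Constructed sample: an ABR sees the subnet intra-area at cost 30 and via
    # a type 3 LSA from the backbone at 5 + 3 = 8; intra-area still wins.
    print(best_route(True, 30, [(0, 5, 3)]))
    # Same ABR without an intra-area path: the cheaper LSA received in area 1
    # is ignored, leaving the backbone-learned path at cost 8.
    print(best_route(True, None, [(1, 2, 2), (0, 5, 3)]))
    # A non-ABR router uses every type 3 LSA it holds, so cost 4 wins.
    print(best_route(False, None, [(1, 2, 2), (0, 5, 3)]))
```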
3.28 - Configure and verify OSPF operations:
    Exchange without a DR:
        Neighbors exchange hellos until they reach the 2-way state.
        After a router has received a hello and all parameters match, the routers will list each other's RIDs as seen in the next hello packet.
        Once the routers see their own RIDs, they reach the 2-way state.
        When they reach the 2-way state, they determine if they want to exchange LSDB entries (when there is no DR the answer is always yes).
        Once both routers say yes, they will:
            Discover LSAs known to the neighbor, but unknown to themselves.
            Discover LSAs known to both routers, but where the neighbor's LSA is more up-to-date.
            Ask the neighbor for a copy of all LSAs identified in the first two steps.
        Lastly, full LSAs are exchanged. Receipt of the LSAs is confirmed by sending an LSAck message (explicit acknowledgement) or by sending the same LSA that was received back to the other router in an LSU message (implicit acknowledgement).
    Exchange with a DR:
        Non-DR routers do not exchange their databases with neighbors on a subnet.
            All non-DR routers (DROthers) perform database exchange with the DR using the multicast address 224.0.0.6.
            The DR performs the exact same database exchange, but sends it to the 224.0.0.5 address.
            LSAs sent to 224.0.0.6 are processed by the DR and BDR, but only the DR participates while the BDR stands by.
        When the LS topology changes, routers have to flood the new LSA to the DR. By requesting only new versions of LSAs, routers prevent LSA advertisements from looping.
    Periodic flooding of LSAs:
        OSPF re-floods LSAs every 30 minutes based on the LSA's age variable.
        The router will create the LSA and set the age to 0. Then it increases the age over time, and if no changes are made in 30 minutes the owning router increases the sequence number, resets the timer, and refloods it.
        Remember that the larger the sequence number, the more recent the LSA is.
    Verification can be done by viewing the LSDB; to configure it you just need to set up OSPF on a router.
3.29 - Configure and verify OSPF for IPv6:
    Differences between OSPFv2 and OSPFv3:
        Renamed LSAs:
            The type 3 LSA is renamed the Interarea Prefix LSA for ABRs.
            The type 4 LSA is renamed the interarea prefix LSA for ASBRs. These are used for reaching an ASBR from routers in a different area than the ASBR.
        New LSAs:
            The type 8 LSA is called a Link LSA and exists only on a local link, where routers use it to advertise the router's link-local address to all routers on the same link.
            The type 9 LSA is called an Intra-Area LSA and sends the IPv6 networks attached to a router (same as a type 1 LSA in IPv4 networks); it can also send information about transit IPv6 network segments (same as a type 2 LSA in IPv4 networks).
    Configuration:
        Configure the process with the ipv6 router ospf [#] command.
        Add the OSPFv3 process to an IPv6 interface with the ipv6 ospf [#] area [#] command.
    Verification:
        Use any of the following commands:
            show ipv6 protocols
            show ipv6 ospf interface brief
3.30 - Describe, configure, and verify BGP peer relationships and authentication:
    BGP does not require neighbors to be on the same subnet or the same link to become neighbors, because it uses a TCP connection (port 179) between routers to pass BGP messages.
    BGP states:
        Idle: The BGP process is down or awaiting the next retry attempt.
        Connect: The BGP process is waiting for the TCP connection to complete.
        Active: The TCP connection is completed, but no BGP messages have been sent.
        Opensent: A TCP connection exists and a BGP Open message has been sent, but the router is waiting for the matching Open message from its neighbor.
        Openconfirm: An Open message has been sent and received from the other router. The next step is to send a BGP Keepalive message to confirm that all neighbor parameters match, or a BGP Notification message to learn that there is a mismatch.
        Established: All neighbor parameters match, the relationship works, and the peers can now exchange Update messages.
    BGP messages:
        Open: Used to establish the neighborship; exchanges basic parameters, which include the ASN and authentication values.
        Keepalive: Sent periodically to maintain neighbor relationships. If no keepalive messages arrive within the negotiated hold timer, the relationship goes down.
        Update: Used to exchange PAs and the associated prefix/length that use those attributes.
        Notification: Used for finding out which parameters mismatch.
    Peer groups:
        Used to send BGP messages that will go out to a group of neighbors defined in the peer group configuration.
    Configuration:
        See page 630 in the OCG.
3.31 - Configure and verify eBGP (IPv4 and IPv6 address families):
    eBGP:
        Requirements to become neighbors (peers):
            RIDs cannot be the same.
            Authentication must match if configured.
            The ASN in the remote router's neighbor statement must match the local ASN.
        Configuration for IPv4:
            router bgp [ASN]
                neighbor [IP address] remote-as [ASN]
        Configuration for IPv6:
            Configuration for routing IPv6 over IPv4:
                Enable IPv6 routing.
                Create a route map.
                Set the next-hop IPv6 address in the route map using the set ipv6 next-hop [IPv6 address] command.
                Enable BGP with the router bgp [ASN] command.
                Enter address family configuration mode for IPv4 with the address-family ipv4 command.
                Specify the networks that will participate in BGP with the network [IP address] mask [subnet mask] command.
                Exit IPv4 address family configuration mode with the exit-address-family command.
                Enter IPv6 address family configuration mode with the address-family ipv6 command.
                Specify networks with the network [IPv6 prefix]/[prefix-length] command.
                Activate the BGP neighbor for the IPv6 address family with the neighbor [IPv4 address] activate command.
                Associate the route map with the neighbor using the neighbor [IPv4 address] route-map [name] out command.
            Configuration for routing IPv6 over IPv6:
                Enable IPv6 routing.
                Enable BGP with the router bgp [ASN] command.
                Define the IPv6 neighbor with the neighbor [IPv6 address] remote-as [ASN] command.
                Enter address family mode with the address-family ipv6 command.
                Specify which networks will participate with the network [IPv6 prefix]/[prefix-length] command.
                Activate the BGP neighbor with the neighbor [IPv6 address] activate command.
    Autonomous system numbers:
        ASN 0 is reserved.
        1 - 64,495 is for public use.
        64,512 - 65,534 is for private use.
        65,535 is reserved.
3.32 - Explain BGP attributes and best-path selection:
    BGP uses path attributes as metrics for choosing the best routes. The order goes as follows:
        Next hop: If there is no route to reach the NEXT_HOP IP, the path cannot be used.
        Weight (not a PA, Cisco proprietary): The bigger the better.
        Local_Pref: The bigger the better.
        Locally injected routes: Better than both eBGP and iBGP.
        AS_Path length: The smaller the better.
        Origin: Prefer I over E and E over ?.
        MED: The smaller the better.
        Neighbor type: eBGP over iBGP.
        IGP metric to next hop: The smaller the better.
    If no route has been chosen after going through all the PAs above, the router will take these steps to break the tie:
        Oldest (longest-known) eBGP route.
        Lowest neighbor BGP RID.
        Lowest neighbor IP address.
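The selection order above, worked through in Python as an added example (not from the original notes): candidate paths for one prefix are first dropped if their NEXT_HOP has no route in a constructed FIB, then sorted by a key tuple that follows the list step by step. The path dictionary fields, the make_path helper and the sample values are my own construction, and MED is compared across all paths rather than only between paths from the same neighboring AS.

```python
import ipaddress

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}          # IGP beats EGP beats incomplete


def _sort_key(path):
    """Tuple whose ascending order follows the selection list; every 'bigger is
    better' attribute is negated so the smallest tuple is the best path."""
    return (
        -path["weight"],                         # weight: bigger is better
        -path["local_pref"],                     # Local_Pref: bigger is better
        0 if path["source"] == "local" else 1,   # locally injected beats learned
        len(path["as_path"]),                    # shorter AS_Path wins
        ORIGIN_RANK[path["origin"]],             # i < e < ?
        path["med"],                             # lower MED wins
        0 if path["source"] == "ebgp" else 1,    # eBGP over iBGP
        path["igp_metric"],                      # lower IGP metric to next hop
        path["received_at"],                     # older (longer-known) route
        int(ipaddress.ip_address(path["neighbor_rid"])),   # lowest RID
        int(ipaddress.ip_address(path["neighbor_ip"])),    # lowest neighbor IP
    )


def rank_paths(paths, fib):
    """Drop paths whose NEXT_HOP is not covered by any prefix in `fib`, then
    order the remaining paths best-first."""
    usable = [p for p in paths
              if any(ipaddress.ip_address(p["next_hop"]) in net for net in fib)]
    return sorted(usable, key=_sort_key)


def best_path(paths, fib):
    """Name of the winning path, or None when no next hop is reachable."""
    ranked = rank_paths(paths, fib)
    return ranked[0]["name"] if ranked else None


def make_path(name, **attrs):
    """Constructed candidate path; unspecified attributes take these defaults."""
    base = dict(next_hop="10.0.0.1", weight=0, local_pref=100, source="ebgp",
                as_path=[65001], origin="i", med=0, igp_metric=10,
                received_at=100, neighbor_rid="1.1.1.1", neighbor_ip="10.0.0.1")
    return dict(base, name=name, **attrs)


# Constructed sample FIB and three candidate paths for one prefix.
FIB = [ipaddress.ip_network("10.0.0.0/24"), ipaddress.ip_network("10.0.1.0/24")]
SAMPLE = [
    make_path("A"),
    make_path("B", source="ibgp", local_pref=200, next_hop="10.0.1.1",
              as_path=[65001, 65002], neighbor_rid="2.2.2.2", neighbor_ip="10.0.1.1"),
    make_path("C", weight=500, next_hop="192.0.2.1"),   # next hop unreachable
]

if __name__ == "__main__":
    print([p["name"] for p in rank_paths(SAMPLE, FIB)])   # B first, C dropped
```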
4.0 VPN Technologies:
4.1 - Configure and verify GRE:
    Generic Routing Encapsulation (GRE) is used for creating site-to-site VPNs. Configuration steps for GRE are as follows:
        Configure a tunnel interface with the interface tunnel [#] command.
        Make sure to put the tunnel interfaces on each side of the tunnel on the same subnet.
        Use the tunnel source [interface X/X] command to specify the source interface and the tunnel destination [IP address] command to specify the destination of the tunnel.
    Verifying GRE:
        You can verify the GRE configuration with the show run and show interfaces tunnel [#] commands.
        Remember that if you do a traceroute, the hop between each router should only be one.
4.2 - Describe DMVPN:
    Dynamic Multipoint VPN (DMVPN) allows routers to create VPN tunnels with other routers on an as-needed basis.
    It consists of a hub/spoke topology and uses the client/server model. The hub is preconfigured with all the spoke IPs and all the spokes are preconfigured with the hub's IP.
    Three requirements for DMVPN are:
        mGRE (only configured on the hub)
        NHRP (uses the client/server model to find the next-hop IP address)
        IPsec
    DMVPN has one issue called route flapping; to resolve the issue, Cisco recommends that you check the routing protocol neighborships between the routers.
4.3 - Describe Easy Virtual Networking (EVN)
    EVN allows you to create virtual routers on one router for segmenting traffic from one network to another (e.g. wireless, voice, data).
    Unlike VRF, EVN creates a Virtual Network Trunk (VNET trunk) that carries the traffic for each virtual network and identifies the different types of traffic by using a VNET tag. This is only between each virtual router, and you can even use route replication to allow routes in each virtual network to be known to one another.
5.0 Infrastructure Services:
5.1 - Describe IOS AAA using local database:
    You can create a local AAA database on a Cisco router using the following:
        aaa new-model
        aaa authentication login [list-name] group tacacs+ local
        Create a local username and password.
5.2 - Describe device security using IOS AAA with TACACS+ and RADIUS:
    Differences between TACACS+ and RADIUS:
        TACACS+:
            Uses TCP.
            Encrypts the entire packet.
            Cisco proprietary.
            Offers basic accounting features and separate services for AAA.
        RADIUS:
            Uses UDP.
            Only encrypts the password.
            Offers robust accounting features and combines the authentication and authorization functions.
            Open standard.
    Configuration:
        tacacs server [name]  (or radius server [name])
            address {ipv4 | ipv6} [IP]
            key [key]
5.3 - Configure and verify device access control:
    The VTY lines can be secured with access lists and with an AAA server.
    Management plane security deals with the security of the device and its management. You can do this with ACLs and AAA servers.
    Password encryption:
        Type 7 password encryption (service password-encryption) is the weakest form of encryption and can be easily cracked.
        The secret command (enable secret, username ... secret) uses SHA-256 for storing passwords and is very strong.
5.4 - Configure and verify router security features
    IPv4 access lists can now be time-based. Configuration of time-based access control lists:
        time-range [name]
            periodic [monday | tuesday | wednesday | thursday | friday | saturday | sunday | daily | weekdays | weekend] [start time] to [end time]
        access-list [number] [permit | deny] ... time-range [name]
    IPv6 traffic filtering:
        You can create ACLs the same way as IPv4 ACLs, but IPv6 ACLs have 3 implicit entries at the end:
            permit icmp any any nd-na
            permit icmp any any nd-ns
            deny ipv6 any any
    Unicast Reverse Path Forwarding (uRPF) is a security mechanism in Cisco routers that prevents IP spoofing attacks by checking that the source address is in the routing table and is reachable.
    uRPF has 3 modes:
        Loose mode: With loose mode, a router will only verify that the source IP address of a packet is reachable based on the router's FIB.
        Strict mode: A router checks that the source IP is reachable and in the router's FIB, and it also makes sure that the packet is arriving on the same interface the router would use to send traffic back to that IP address.
        VRF mode: Same as loose mode, but it checks the VRF instance's routing table.
    Configuration (under the interface):
        ip verify unicast source reachable-via {rx (strict mode) | any (loose mode)}
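The strict and loose uRPF checks described above, simulated in Python as an added example (not from the original notes): a tiny longest-prefix-match FIB, a per-packet decision for reachable-via rx and reachable-via any, and a helper that lists which sample packets each mode would drop, which is a useful dry run before enabling uRPF on a real interface. The Fib class, the interface names and the packets are my own constructed sample.

```python
import ipaddress


class Fib:
    """Minimal forwarding table: list of (prefix, egress interface)."""

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(p), iface) for p, iface in routes]

    def lookup(self, addr):
        """Longest-prefix match; returns the egress interface or None."""
        a = ipaddress.ip_address(addr)
        matches = [(n.prefixlen, iface) for n, iface in self.routes
                   if a.version == n.version and a in n]
        return max(matches)[1] if matches else None


def urpf_permits(fib, src, ingress_iface, mode):
    """Apply ip verify unicast source reachable-via {rx | any} to one packet.

    rx  (strict): the source must have a route AND that route's egress
                  interface must be the interface the packet arrived on.
    any (loose):  the source only needs some route in the FIB.
    A source with no route at all is dropped in both modes."""
    egress = fib.lookup(src)
    if egress is None:
        return False
    if mode == "any":
        return True
    if mode == "rx":
        return egress == ingress_iface
    raise ValueError(f"unknown uRPF mode {mode!r}")


def filter_packets(fib, packets, mode):
    """Return the (src, ingress) pairs that uRPF would drop in this mode."""
    return [(src, iface) for src, iface in packets
            if not urpf_permits(fib, src, iface, mode)]


if __name__ == "__main__":
    # Constructed sample FIB and packets. The more specific 10.1.2.0/24 route
    # matters: strict mode follows the longest match, not the /16.
    fib = Fib([("10.1.0.0/16", "Gi0/1"), ("10.1.2.0/24", "Gi0/3"),
               ("192.168.5.0/24", "Gi0/2")])
    packets = [("10.1.2.3", "Gi0/3"),      # arrives where the /24 points: ok
               ("10.1.2.3", "Gi0/1"),      # arrives on the /16 interface instead
               ("192.168.5.9", "Gi0/2"),   # ok
               ("198.51.100.9", "Gi0/1")]  # no route at all
    for mode in ("rx", "any"):
        print(mode, "drops:", filter_packets(fib, packets, mode))
```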
6.0 Infrastructure Services:
6.1 - Configure and verify device management:
    You can configure remote access to a router with the following commands:
        line vty 0 15
            login local  (or login authentication [list-name] to use an AAA method list)
    You can also configure an ACL that will only allow certain devices in a subnet to connect to the router.
6.2 - Configure and verify SNMP:
    Configuring SNMPv2:
        SNMPv2 offers no encryption or authentication, but you can use community strings.
        Configuration:
            Create an access-list to permit the host to which you will be sending the traps.
            Configure the community with snmp-server community [string] [RO | RW] [ACL]
    Configuring SNMPv3:
        SNMPv3 allows you to have encryption and authentication.
        Configuration:
            Configure the group with this command:
                snmp-server group [groupname {v1 | v2c | v3 {auth | noauth | priv}}] [read readview] [write writeview] [notify notifyview] [access access-list]
            Configure the user with this command:
                snmp-server user username [groupname remote ip-address [udp-port port] {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password [priv des56 priv-password]]} [access access-list]
            Configure the SNMP host it will send traps to:
                snmp-server host <IP_address> version 3 auth V3User
            Enable traps:
                snmp-server enable traps