
CCNP Route Study Guide

1.0 Network Principles:


1.1- Identify Cisco Express Forwarding concepts:
Three different types of packet forwarding processes:
Process Switching: The router's CPU is directly involved in every packet forwarding decision, which can cause poor performance. Configuration:
no ip route-cache
Fast Switching: Uses a fast cache in the router's data plane that holds information about how traffic from different data flows should be forwarded. The first packet of a flow is usually process switched. This is still CPU intensive. Configuration:
ip route-cache
Cisco Express Forwarding: CEF is enabled by default. The FIB holds the L3 forwarding information and the adjacency table holds the L2 rewrite information for the next-hop IPs listed in the FIB. Configuration:
Enable globally with: ip cef
Enable per interface with: ip route-cache cef
Display statistics with: show ip cef, show adjacency, and show interfaces X x/x.
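The FIB/adjacency split described above, as an added example that is not part of the study guide: a longest-prefix lookup in a constructed FIB, followed by an adjacency-table lookup for the L2 rewrite. A next hop with no resolved adjacency is returned as "glean", which is the case CEF has to punt back to the process path until ARP completes. The prefixes, next hops and MAC strings are all made-up sample values.

```python
import ipaddress

# Constructed FIB entries: (prefix, next-hop IP, outgoing interface).
FIB = [
    ("10.1.0.0/16", "192.0.2.9", "GigabitEthernet0/1"),
    ("10.1.5.0/24", "198.51.100.2", "GigabitEthernet0/2"),
    ("192.0.2.0/24", "192.0.2.1", "GigabitEthernet0/0"),
]

# Constructed adjacency table: (next-hop, interface) -> next-hop MAC used for
# the L2 rewrite. 198.51.100.2 is deliberately absent (ARP not yet resolved).
ADJACENCY = {
    ("192.0.2.1", "GigabitEthernet0/0"): "0000.0c12.3456",
    ("192.0.2.9", "GigabitEthernet0/1"): "0000.0c78.9abc",
}


def fib_lookup(dst):
    """Longest-prefix match: return (network, next_hop, interface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, intf in FIB:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, intf)
    return best


def forward(dst):
    """Simulate the CEF decision for one packet.

    Returns None when no FIB entry matches (packet dropped), otherwise a tuple
    (prefix, next_hop, interface, rewrite) where rewrite is the MAC from the
    adjacency table or the string "glean" when the L2 address is unresolved.
    """
    match = fib_lookup(dst)
    if match is None:
        return None
    net, next_hop, intf = match
    rewrite = ADJACENCY.get((next_hop, intf), "glean")
    return (str(net), next_hop, intf, rewrite)


if __name__ == "__main__":
    for dst in ("10.1.9.1", "10.1.5.7", "172.16.0.1"):
        print(dst, "->", forward(dst))
```

The /24 wins over the /16 for 10.1.5.7 even though the /16 appears first, which is the longest-match rule the FIB implements; the result differs from a RIB lookup only in that the L2 rewrite is already attached to the answer.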
1.2 - Explain general network challenges:
Unicast flooding or asymmetric routing occurs when traffic leaves through one path and returns by a different one. This causes unknown unicast flooding for the returning traffic.
Out-of-order packets are caused by having multiple paths to a destination network, which can lead to TCP segments arriving out of order. TCP handles this either by requesting retransmission of the packets or by re-sequencing them.
1.3 - Describe IP operations:
ICMP uses two primary message types:
Destination Unreachable: When a packet arrives at a router and the router has no route for it, the router can send a destination unreachable message back to the sender.
Redirect: Used when a different path than the original one (think PBR) reaches the destination through a different next-hop IP address; the original next-hop router can tell the host about it with a redirect message.
IPv4 uses fragmentation to split a packet into smaller pieces so it can pass through a link with a smaller MTU than the original default of 1500 bytes.
IPv6 routers do not fragment packets: if a packet is larger than the link's MTU, the router drops it.
Time to live (TTL) limits how long a packet can live on a network. Default is 30.
1.4 - Explain TCP operations:
IPv4 and IPv6 both use a default MTU size of 1500 bytes.
MSS (maximum segment size) is the amount of data carried in a TCP segment.
Latency is the time a packet requires to travel from its source to its destination.
TCP communication uses windowing, which means that one or more segments are sent at one time and the receiver can acknowledge the receipt of all the segments in one window.
The bandwidth-delay product is the maximum number of bits that can be on a network segment at any one time. It is calculated by multiplying the segment's bandwidth (bits per second) by the latency packets experience as they cross the segment.
Global synchronization happens when a router's output queue fills to capacity and all the TCP flows are dropped simultaneously, causing all the TCP flows to slow start at the same time. To solve this issue, Cisco IOS uses a feature called Weighted Random Early Detection (WRED): it drops packets from flows based on the number of packets in the queue or on the QoS markings in the packet, and it drops them before the queue fills to capacity.
1.5 - Describe UDP operations:
UDP starvation occurs when there is network congestion and UDP consumes all the bandwidth, causing TCP flows to back off and starve.
UDP latency is lower than TCP's because its segments are smaller and it uses fewer headers.
1.6 - Recognize proposed changes to the network:
When making changes and migrating routing protocols the following should be considered:
Using AD: Adjust AD when migrating from one routing protocol to another so that the router can learn all the routes it needs from the new protocol while still using the current one. Once it has done so, change the AD to prefer the new routing protocol.
Use route redistribution when migrating between protocols to reduce downtime, redistributing routes into the new routing protocol until you are ready to roll it out to the rest of the network.
Considerations for IPv6 migration:
Check IPv6 compatibility for equipment.
Run dual-stack routing.
Check ISP support for IPv6.
Configure NAT64.
Use NPTv6
Send IPv6 traffic over an IPv6-v4 tunnel.
2.0 Layer 2 Technologies:
2.1 - Configure and Verify PPP:
Point-to-Point protocol is an encapsulation protocol used on Serial
links.
Configuring and verifying PPP:
To configure PPP, go into interface configuration mode and use the encapsulation ppp command.
You can also configure authentication using the ppp authentication [pap | chap] command.
You can verify PPP with the show interfaces command.
PPPoE is used to run PPP over Ethernet.
PPPoE configuration:
To configure PPPoE on the client side you need to configure a dialer interface and a dialer pool:
interface Dialer[#]
dialer pool [#]
encapsulation ppp
ip address negotiated
Then add the interface facing the ISP to the dialer pool you created:
Go into the interface with the interface x/x command.
Add it to the dialer pool with pppoe-client dial-pool-number 1.
no ip address / no shutdown
The dial-pool-number must match the dialer pool number configured on the dialer interface above.
2.2 - Explain Frame Relay:
Frame Relay is a type of WAN service that lets you connect two routers together. It uses the DLCI in the Frame Relay header of the frame to identify/route packets.
There are three types of topologies offered with Frame Relay:
Point-to-Point: connects two routers together.
Multipoint: connects multiple routers together.
Point-to-multipoint: connects one router to multiple others.
Remember that for EIGRP, split-horizon issues can occur when using Frame Relay as the WAN service.
3.0 Layer 3 Technologies:
3.1- Identify, configure, and verify IPv4 addressing and subnetting:
Address types:
Unicast Address - Belongs to a single device.
Sending Unicast packets occurs between only 2 hosts.
Broadcast Address - Represents a group of devices
on a subnet. Pinging the broadcast address pings all the devices within that
subnet.
Multicast Address - Represents a group of devices
for a specific function and is commonly used for routing protocols.
VLSM - Variable Length Subnet Masking (VLSM) allows you to further divide subnets to conserve IP addresses.
Address Resolution Protocol (ARP) allows you to find other hosts' MAC addresses, which is essential for packet switching.
DHCP Relay is used by a router so it can forward DHCP requests to a DHCP server.
The ip helper-address command is used for DHCP relay.
A DHCP server allocates IP addresses and other information such as the default gateway IP, DNS server IP, etc. to hosts. The server can be a router, L3 switch, or stand-alone PC, and it uses the client/server model. DHCP process:
DHCPDiscover: Host uses the source IP address 0.0.0.0 and destination 255.255.255.255 to search for a DHCP server.
DHCPOffer: DHCP server responds to the host and offers its services.
DHCPRequest: Host requests an IP address.
DHCPAck: DHCP server acknowledges the host's request and confirms the IP address.
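VLSM carving as an added worked example (not from the study guide): a /24 is split into right-sized subnets for a list of host counts, largest requirement first so that every subnet lands on an aligned boundary. The block and host counts are constructed sample values; the +2 in the sizing accounts for the network and broadcast addresses.

```python
import ipaddress


def vlsm_allocate(block, host_counts):
    """Carve `block` into subnets sized for each host count (largest first).

    Returns a list of (hosts_requested, subnet) tuples in allocation order.
    Raises ValueError if the block cannot satisfy every requirement.
    """
    net = ipaddress.ip_network(block)
    free = [net]  # pool of unallocated, non-overlapping blocks
    allocations = []
    for hosts in sorted(host_counts, reverse=True):
        needed = hosts + 2  # network + broadcast addresses
        host_bits = max(2, (needed - 1).bit_length())  # smallest k with 2**k >= needed
        plen = net.max_prefixlen - host_bits
        for i, blk in enumerate(free):
            if blk.prefixlen <= plen:
                pieces = list(blk.subnets(new_prefix=plen)) if blk.prefixlen < plen else [blk]
                allocations.append((hosts, str(pieces[0])))
                # put the leftover pieces back into the pool in address order
                free = free[:i] + pieces[1:] + free[i + 1:]
                break
        else:
            raise ValueError(f"no space left for a subnet of {hosts} hosts")
    return allocations


def usable_hosts(subnet):
    """Usable host addresses in an IPv4 subnet (excluding network/broadcast)."""
    return ipaddress.ip_network(subnet).num_addresses - 2


if __name__ == "__main__":
    for hosts, subnet in vlsm_allocate("192.168.10.0/24", [50, 25, 10, 2]):
        print(f"{hosts:>3} hosts -> {subnet:<20} ({usable_hosts(subnet)} usable)")
```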
3.2 - Identify IPv6 addressing and subnetting:
IPv6 address types:
Unicast addresses
Multicast addresses
Anycast addresses
IPv6 Addresses:
Global Unicast Addresses: 2000::/3
Unique Local Addresses: FD00::/8
Link-Local Addresses: FE80::/10
Unspecified: ::/128
Loopback: ::1/128
Multicast: FF::/8
Multicast addresses to note:
EIGRP: FF02::A
OSPF: FF02::5 and
FF02::6
All nodes on a link:
FF02::1
All routers on a link:
FF02::2
IPv6 addressing and subnetting:
Each address is defined by a prefix:
Ex: 2001:ABCD:ABCD:ABCD::/64
Above we started with a /48 prefix (2001:ABCD:ABCD), and the next 16 bits define the subnet, which is ABCD.
The 16 bits after the /48 prefix are considered the subnetting bits.
IPv6 can use EUI-64 to incorporate a host machine's MAC address into its IPv6 address.
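The /48-plus-16-bit subnetting and the EUI-64 interface ID described above, as an added example that is not part of the guide. `nth_subnet` picks one /64 out of a /48 by its 16-bit subnet number; `eui64_interface_id` builds the interface ID by splitting the MAC, inserting FFFE and flipping the universal/local bit; `slaac_address` joins the two. The prefix and MAC are constructed sample values.

```python
import ipaddress


def nth_subnet(prefix, index, new_prefix=64):
    """Return the `index`-th subnet of `prefix` when it is cut into /new_prefix blocks."""
    net = ipaddress.ip_network(prefix)
    if new_prefix <= net.prefixlen:
        raise ValueError("new_prefix must be longer than the parent prefix")
    subnet_bits = new_prefix - net.prefixlen
    if not 0 <= index < (1 << subnet_bits):
        raise ValueError(f"index must fit in {subnet_bits} subnet bits")
    host_bits = net.max_prefixlen - new_prefix
    base = int(net.network_address) | (index << host_bits)
    return str(ipaddress.ip_network((base, new_prefix)))


def eui64_interface_id(mac):
    """Modified EUI-64 interface identifier (8 bytes) derived from a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    first = octets[0] ^ 0x02  # flip the universal/local (U/L) bit
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def slaac_address(prefix64, mac):
    """Combine a /64 prefix with the EUI-64 interface ID, as SLAAC does."""
    net = ipaddress.ip_network(prefix64)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return str(ipaddress.ip_address(int(net.network_address) | iid))


if __name__ == "__main__":
    subnet = nth_subnet("2001:db8:abcd::/48", 0xABCD)      # the guide's ABCD subnet
    print(subnet)                                           # 2001:db8:abcd:abcd::/64
    print(slaac_address(subnet, "00:1a:2b:3c:4d:5e"))       # EUI-64 host address
```

Because the interface ID is a deterministic function of the MAC, a host that uses EUI-64 carries the same 64-bit suffix into every /64 it joins, which is why privacy extensions exist; the function makes that visible when you run it against two prefixes.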
IPv6 NDP operations:
Neighbor Discovery protocol uses the following
messages to do its work:
Neighbor Advertisement/Solicitation.
Router Advertisement/Solicitation.
DHCPv6 types:
SLAAC: Each host creates its own IPv6 address and uses stateless DHCP to get the DNS server address.
Stateful: Addresses are assigned by a DHCPv6 server, which keeps track of all assigned IPv6 addresses.
Stateless: Used with SLAAC.
Prefix delegation: Gives the hosts a predefined prefix.

3.3 - Configure and verify static routing:


Static routes tell the router how to reach a certain subnet.
Configuration:
ip route [prefix/subnet ID] [subnet mask] [next-hop IP | outgoing interface]
Verification:
You can verify the static route using the show ip route command. Another way to verify is by using the traceroute command.
3.4 - Configure and verify default routing:
Default routes tell a router where to send packets if there is no route to reach the subnet in the routing table.
Configuration:
ip route 0.0.0.0 0.0.0.0 [next-hop IP | outgoing interface]
Verification:
show ip route will show the default route in the IP routing table.
3.5 - Evaluate routing protocol types:
Distance Vector routing protocols use router hops to determine the best path to a subnet. Examples of Distance Vector routing protocols:
RIPng
RIP
RIPv2
Link State routing protocols build a topology of the network in
their databases. Examples of Link State routing protocols:
OSPF
IS-IS
Path Vector routing protocols use path attributes to determine the best path (route) to a subnet. There is only one Path Vector routing protocol:
BGP
Advanced Distance Vector routing protocols are a mix of Distance
Vector and Link State routing protocols. Example:
EIGRP
3.6 - Describe administrative distance:
Administrative distance is used by a router to rate how trustworthy a routing protocol is, and the router uses it to decide which routing source's route to install when several offer the same prefix. The lower the better!
3.7 - Troubleshoot passive interfaces
Passive interfaces will not send nor receive messages for a particular routing protocol.
To show passive interfaces use one or more of the following commands:
show ip protocols
show ip interface x/x
show run
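Route-source selection by administrative distance, as an added example that is not part of the guide, covering both the AD rule of 3.6 and the migration trick of 1.6: the routing table takes, per prefix, the candidate with the lowest AD (metric only breaks ties within one protocol), and a temporary per-protocol AD override keeps the old protocol in charge until the new one has learned everything. The default AD table holds the standard Cisco IOS values; the candidate routes are constructed sample data.

```python
DEFAULT_AD = {
    "connected": 0, "static": 1, "eBGP": 20, "EIGRP": 90,
    "OSPF": 110, "IS-IS": 115, "RIP": 120, "iBGP": 200,
}


def select_routes(candidates, ad_overrides=None):
    """Build the routing table from candidate routes of several protocols.

    candidates: list of dicts with keys prefix, protocol, metric, next_hop.
    ad_overrides: {protocol: AD} to mimic the `distance` command (assumed name).
    Returns {prefix: winning candidate dict with an 'ad' field added}.
    """
    ad_table = dict(DEFAULT_AD)
    ad_table.update(ad_overrides or {})
    rib = {}
    for route in candidates:
        entry = dict(route, ad=ad_table[route["protocol"]])
        current = rib.get(entry["prefix"])
        # lower AD wins; same protocol -> lower metric wins
        if current is None or (entry["ad"], entry["metric"]) < (current["ad"], current["metric"]):
            rib[entry["prefix"]] = entry
    return rib


# Constructed candidates during a RIP -> OSPF migration.
CANDIDATES = [
    {"prefix": "10.0.0.0/24", "protocol": "RIP", "metric": 2, "next_hop": "192.0.2.2"},
    {"prefix": "10.0.0.0/24", "protocol": "OSPF", "metric": 30, "next_hop": "192.0.2.6"},
    {"prefix": "10.0.1.0/24", "protocol": "RIP", "metric": 1, "next_hop": "192.0.2.2"},
    {"prefix": "10.0.1.0/24", "protocol": "RIP", "metric": 3, "next_hop": "192.0.2.10"},
]


def winning_protocols(candidates, ad_overrides=None):
    """Convenience view: {prefix: protocol} of the installed routes."""
    return {p: r["protocol"] for p, r in select_routes(candidates, ad_overrides).items()}


if __name__ == "__main__":
    print("phase 1 (OSPF AD raised to 130):", winning_protocols(CANDIDATES, {"OSPF": 130}))
    print("phase 2 (defaults restored):    ", winning_protocols(CANDIDATES))
```

Raising the new protocol's AD above the old one during the learning phase (phase 1) leaves RIP's routes installed even though OSPF already knows the prefix; restoring the defaults (phase 2) flips 10.0.0.0/24 to OSPF without touching the 10.0.1.0/24 route, which only RIP offers.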
3.8 - Configure and verify VRF lite:
VRF (virtual routing and forwarding) allows you to host multiple virtual routers on one router.
VRF allows the segmentation of traffic and is commonly used in service provider networks.
Configuration and verification:
Create the VRF using ip vrf [name]
Assign an interface to the VRF using ip vrf forwarding [name] under the interface.
To verify use the following commands:
show ip vrf [name]
show ip route vrf [name]
ping vrf [name] [IP address]

3.9 - Configure and verify filtering with any protocol:


Configuration and verification:
Configure an ACL, prefix-list, or route-map.
Apply the list to the routing protocol, optionally limited to an interface, with a distribute-list:
distribute-list [acl | prefix [prefix-list] | route-map [name]] [in | out] [interface]
Verification:
show ip route
show run
3.10 - Configure and verify redistribution between any routing protocols or routing sources:
Route redistribution allows you to redistribute routes from one routing protocol into another.
If you have one routing source then route redistribution is pretty simple, but when you have multiple routing sources routing loops can occur.
To stop these routing loops you can do either of the following:
Per-Route Administrative Distance settings.
Filtering routes based on Prefix Length.
Route Tags.
Redistributing routes into OSPF:
If taking from BGP then use a default metric of 1.
When taking from other OSPF processes then use
the source route metric.
When taking from other routing protocols it uses a metric of 20.
It redistributes routes for classful networks only, unless the subnets keyword is used.
Determining routes for Type 2 External routes (E2) (Intra-Area):
Find the advertising ASBRs listed in
the type 5 LSA(s).
Calculate lowest-cost route to reach
any of the ASBRs based on Intra-Area LSDB.
Use outgoing interface and next hop
based on the best route calculated.
Determining routes for Type 2 External routes (E2)
(Inter-Area):
Calculate cost to ABR based on Type
1 and 2 LSAs.
Add cost from ABR to ASBR, as
listed in the Type 4 LSA.
Determining routes for Type 1 External routes (E1)
(Intra-Area):
Add internal ospf cost to the external
metric in the Type 5 LSA.
Determining routes for Type 1 External route (E1)
(Inter-Area):
Take the best Intra-Area cost to reach
the ABR.
Cost from ABR to ASBR in the type
4 LSA.
External cost for the route in the type
5 LSA.
OSPF prefers E1 over E2 routes.
Configuration:
redistribute [protocol] [process number | AS number] [metric-type {1 | 2}] [match {internal | external 1 | external 2 | nssa-external}] [tag {tag value}] [route-map map-tag] [subnets]
Verify by looking at the routing table.
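The E1/E2 cost rules from this section, worked through in code as an added example that is not part of the guide. `asbr_cost` gives the internal cost to reach the ASBR for the intra-area case (plain SPF cost) and the inter-area case (cost to the ABR plus the Type 4 LSA cost); `external_cost` applies the E1 (internal + external) or E2 (external only) rule; `best_external` picks the winner, preferring E1 over E2 and breaking E2 ties on the cost to the ASBR. All costs and router names are constructed.

```python
def asbr_cost(spf_costs, asbr=None, abr=None, type4_cost=None):
    """Internal OSPF cost from this router to the ASBR.

    Intra-area: the SPF cost to the ASBR itself.
    Inter-area: SPF cost to the ABR + the ABR->ASBR cost carried in the Type 4 LSA.
    spf_costs is {router: intra-area cost} as computed by this router's SPF run.
    """
    if asbr is not None and asbr in spf_costs:
        return spf_costs[asbr]
    if abr is None or type4_cost is None:
        raise ValueError("inter-area ASBR needs an ABR and a Type 4 LSA cost")
    return spf_costs[abr] + type4_cost


def external_cost(route_type, cost_to_asbr, external_metric):
    """E1 adds the internal cost to the Type 5 metric; E2 uses the Type 5 metric as-is."""
    if route_type == "E1":
        return cost_to_asbr + external_metric
    if route_type == "E2":
        return external_metric
    raise ValueError("route_type must be 'E1' or 'E2'")


def best_external(candidates):
    """candidates: list of (asbr_name, route_type, cost_to_asbr, external_metric).

    Returns (asbr_name, route_type, cost). E1 beats E2 for the same prefix; among
    E2 routes with equal metric the lower cost to the ASBR wins (forwarding cost).
    """
    scored = []
    for asbr, rtype, to_asbr, ext in candidates:
        rank = (0 if rtype == "E1" else 1, external_cost(rtype, to_asbr, ext), to_asbr)
        scored.append((rank, asbr, rtype))
    rank, asbr, rtype = min(scored)
    return (asbr, rtype, rank[1])


# Constructed LSDB view from router R1: ASBR-A is in R1's area, ASBR-B is behind ABR-X.
SPF = {"ASBR-A": 15, "ABR-X": 5}
TO_A = asbr_cost(SPF, asbr="ASBR-A")                       # 15, intra-area
TO_B = asbr_cost(SPF, asbr="ASBR-B", abr="ABR-X", type4_cost=3)  # 5 + 3 = 8, inter-area

if __name__ == "__main__":
    print("both E2, metric 20:", best_external([("ASBR-A", "E2", TO_A, 20), ("ASBR-B", "E2", TO_B, 20)]))
    print("both E1, metric 20:", best_external([("ASBR-A", "E1", TO_A, 20), ("ASBR-B", "E1", TO_B, 20)]))
    print("A as E1, B as E2: ", best_external([("ASBR-A", "E1", TO_A, 20), ("ASBR-B", "E2", TO_B, 20)]))
```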
Redistribution into EIGRP:
Routes need to have default metrics set before they can be redistributed into EIGRP (except when going from EIGRP to EIGRP).
Default metrics can be set in one of three ways:
Setting the default for the redistribute command: use default-metric [BW] [delay] [reliability] [load] [MTU]. The last three are ignored by default for metric calculation, but they still need to be set for the command to work.
Setting the metrics to apply to all routes: metric [BW] [delay] [reliability] [load] [MTU] on the redistribute command.
Setting different metrics for different routes from one routing source: use a route-map on the redistribute command.
Metrics:
Reliability [0-255], with 255 being the best.
Load [1-255], with 1 being the best.

3.11- Configure and verify manual and auto summarization with any routing protocol:
By default, OSPF and EIGRP both support auto summarization at
the classful boundary.
Configuration for OSPF:
You can only configure manual summarization at the ABR and ASBR:
ABR: area # range [IP address] [mask] [cost]
ASBR: summary-address [IP address] [mask]
Configuration for EIGRP:
Configure on the router that holds the addresses. Use this command under interface configuration mode:
ip summary-address eigrp [ASN] [IP address] [mask/prefix]
Configuration for RIP:
RIPv1 only supports auto summarization at the classful boundaries.
RIPv2 allows manual summarization: configure it on the router that holds the addresses. Use this command under interface configuration mode:
ip summary-address rip [IP address] [mask/prefix]
Configuration for BGP:
Use the aggregate-address command or auto summarization.
Verify that the summarization went through in the routing table.

3.12 - Configure and verify policy-based routing:


PBR allows you to control which path the router uses for traffic matching a particular subnet or policy.
Configuration:
Create an ACL.
Match that ACL in a route-map permit statement and make sure the route-map sets the next-hop IP address with set ip next-hop [IP address].
Apply the route-map to an interface using ip policy route-map [name].
3.13 Identify suboptimal routing:
Suboptimal routing occurs when a packet takes a worse route to a
destination instead of taking a better/shorter route.
This usually occurs with route redistribution and can be handled 3
ways:
Per-Route Administrative Distance settings.
Filtering routes based on Prefix Length.
Route Tags.
3.14 - Explain ROUTE maps:
Route maps allow us to map ACLs and Prefixes to it and allow
special functions such as:
Setting the next-hop IP
Configuring tags
Metrics
3.15 - Configure and verify loop prevention mechanisms:
Route tagging lets you tag routes so that when a router receives a route carrying the tag it can ignore that route, which prevents the loop.
Split-horizon allows EIGRP to receive updates for a prefix on one interface without sending those updates back out the same interface.
Route poisoning prevents a network from sending packets to a destination that has become invalid. DV protocols, especially RIP, do this with infinite-metric routes.

3.16 - Configure and verify RIPv2:


RIP version 2 characteristics:
Allows VLSM
Allows Classless addressing.
Uses the multicast address 224.0.0.9, while RIPv1 uses broadcasts.
Max hop count is 15; 16 is considered infinite.
Configuration:
router rip
version [1|2]
network a.b.c.d
Verification:
show ip protocols
show ip route
3.17 - Describe RIPng:
RIPng (RIP next generation) is RIP for IPv6.
Configuration:
ipv6 unicast-routing
ipv6 router rip [name]
Optional:
Use the ipv6 enable command on the interface to derive its own link-local address.
Enable RIPng on an interface with the ipv6 rip [name] enable command.
Verification:
show ipv6 interface
show ipv6 protocols
3.18 - Describe EIGRP packet types:
EIGRP uses 5 packet types to do its work:
Hello: Used for creating and maintaining neighbor adjacency.
Ack: Used between routers to acknowledge to one another that they have received an update message.
Update: Used for topology exchange and includes the following: prefix, prefix length, metric components such as delay and bandwidth, and nonmetric items such as MTU and hop count.
Query: Used to find an alternate route to a subnet if no feasible successor exists.
Reply: Reply messages are sent in response to a query and tell the querying router that the sender knows of a loop-free alternate route for the failed subnet (the router that gets a reply message uses an Ack message to confirm that it got it).
3.19 - Configure and verify EIGRP neighbor relationship and authentication
You can verify EIGRP neighbor relationships with the following commands:
show ip eigrp neighbors [detail]
show ip protocols
EIGRP authentication configuration and verification:
Supports only MD5.
Create a key chain.
Enable MD5 authentication on the interface with ip authentication mode eigrp [asn] md5
Refer to the key chain with ip authentication key-chain eigrp [asn] [keychain name] and verify with show key chain
EIGRPv6 authentication configuration and verification:
Supports MD5.
Configuration and verification:
Create a key chain.
Use the ipv6 authentication mode eigrp [asn] md5 command.
Refer to the key chain with ipv6 authentication key-chain eigrp [asn] [key-chain name]
Verification: show interfaces to verify, and show key chain or show run.
Named EIGRP authentication configuration and verification:
Supports MD5 and SHA.
Configuration and verification:
Create a key chain.
Enable authentication with the authentication mode [md5 | hmac-sha-256] command under the af-interface.
Refer to the key chain with authentication key-chain [key chain name].
3.20 - Configure and verify EIGRP stubs:
EIGRP stub routing does not forward traffic between two remote EIGRP subnets.
This can make the going-active (DUAL) process converge quicker and can help prevent long, harmful routes.
Manual summarization can also decrease the convergence time of the going-active (DUAL) process: if a router receives a query for a subnet that it does not have an exact route to, but has a summary route that includes it, then it can reply to that query without forwarding the query to its neighbors.
Configuration and verification:
eigrp stub [connected | receive-only | static | redistributed] enables the router as a stub router.
show ip eigrp neighbors detail will list the stub router(s).
3.21 - Configure and verify EIGRP load balancing:
Two types of EIGRP load balancing (load sharing) are available:
Equal
Unequal
Equal-cost load balancing paths show up in the routing table because the subnet will have more than one route installed.
The number of equal-cost load balancing paths can be set with maximum-paths, and the default is 4.
Unequal-cost load balancing configuration:
Uses the variance command, which multiplies the Feasible Distance (the successor's metric) by the value specified. Any feasible successor whose metric is less than or equal to that product is added to the routing table.
3.22 - Describe and optimize EIGRP metrics:
EIGRP, by default, uses cumulative delay and the lowest bandwidth along the path to calculate the metric used to pick routes. It can also use load and reliability, but it can't use MTU size as a metric.
You can logically (not physically) change the delay and speed of the link with the delay and bandwidth (kbps) interface commands.
Default values of links for bandwidth and delay:
Serial = 1544 kbps and 20,000 microseconds.
GigE = 1,000,000 kbps and 10 microseconds.
FastE = 100,000 kbps and 100 microseconds.
Ethernet = 10,000 kbps and 1000 microseconds.
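The composite metric of 3.22 and the variance rule of 3.21, carried through together as an added example that is not part of the guide. `eigrp_metric` applies the classic formula with the default K values (K1 = K3 = 1, so only minimum bandwidth and cumulative delay count, as the text says); the link defaults are the four pairs listed above. `installed_paths` then applies the feasibility condition (reported distance strictly below the FD) and the variance multiplier to decide which paths enter the routing table. The topology is constructed.

```python
# Default (bandwidth kbps, delay microseconds) per link type, as listed above.
LINK_DEFAULTS = {
    "serial": (1544, 20000),
    "gige": (1_000_000, 10),
    "faste": (100_000, 100),
    "ethernet": (10_000, 1000),
}


def eigrp_metric(links):
    """Classic EIGRP composite metric for a path made of `links`.

    links: iterable of (bandwidth_kbps, delay_us). With K1=K3=1 and K2=K4=K5=0:
        metric = 256 * (10^7 / min_bandwidth + sum(delay) / 10)
    IOS does the division in integers, which is reproduced here.
    """
    links = list(links)
    min_bw = min(bw for bw, _ in links)
    total_delay = sum(delay for _, delay in links)
    return 256 * (10_000_000 // min_bw + total_delay // 10)


def installed_paths(candidates, variance=1):
    """Apply the feasibility condition and variance to candidate next hops.

    candidates: list of (neighbor, full_metric_via_neighbor, reported_distance).
    The Feasible Distance is the lowest full metric; a neighbor is a feasible
    successor only if its reported distance is strictly less than the FD, and it
    is installed if its full metric <= variance * FD.
    """
    fd = min(metric for _, metric, _ in candidates)
    return [
        neighbor
        for neighbor, metric, rd in candidates
        if rd < fd and metric <= variance * fd
    ]


# Constructed topology: R1 reaches 10.0.0.0/24 via R2 (GigE-GigE) or via R3 (FastE-GigE).
VIA_R2 = eigrp_metric([LINK_DEFAULTS["gige"], LINK_DEFAULTS["gige"]])   # 3072
RD_R2 = eigrp_metric([LINK_DEFAULTS["gige"]])                            # 2816, R2's own cost
VIA_R3 = eigrp_metric([LINK_DEFAULTS["faste"], LINK_DEFAULTS["gige"]])  # 28416
RD_R3 = eigrp_metric([LINK_DEFAULTS["gige"]])                            # 2816
CANDIDATES = [("R2", VIA_R2, RD_R2), ("R3", VIA_R3, RD_R3)]

if __name__ == "__main__":
    print("metrics:", VIA_R2, VIA_R3)
    for v in (1, 2, 10):
        print(f"variance {v:>2}:", installed_paths(CANDIDATES, v))
```

R3 is a feasible successor (its reported distance 2816 is below the FD of 3072), but its full metric is 9.25 times the FD, so it is only installed once variance reaches 10; variance 2 changes nothing, which is the usual surprise when the feeder link is a FastE behind a GigE.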
3.23 - Configure and verify EIGRP for IPv6:
Configuration is basically the same as for IPv4 (except that you need to enable IPv6 on the interface), but a couple of notes:
You must enable IPv6 routing.
You must configure an EIGRP router-id (if there are no IPv4 addresses).
You should use ipv6 enable to let the router derive its own link-local address.
3.24 - Describe OSPF packet types:
OSPF Packet Types:
Hello: Used to discover/maintain neighbors and to
confirm If two routers can become neighbors.
Database Description (DBD or DD): Exchanges brief versions (headers) of each LSA. This happens on initial topology exchange and lets a router know the list of LSAs its neighbor knows.
Link-State Request (LSR): A packet that lists the
LSIDs of LSAs that the sender of the LSR would like the receiver of the
LSR to supply for database exchange.
Link-State Update (LSU): A packet that contains
fully detailed LSAs and is sent in response to a LSR.
Link-State Acknowledgement (LSAck): Sent to a
neighbor to confirm that it got its LSU.
OSPF Neighbor States:
Down: No hellos have been received.
Attempt: Used when a neighbor is defined with the neighbor command.
Init: Hellos have been received, but neighbor verification has not passed. Neighbors stay here permanently when Hello parameters do not match.
2-Way: Hellos received, neighbor verification checks passed.
ExStart: Negotiating DD sequence numbers, using master/slave logic for DD packets.
Exchange: Finished negotiating DD process particulars and have begun exchanging DD packets.
Loading: All DD packets have been exchanged; routers are currently sending LSR, LSU, and LSAck to exchange full LSAs.
Full: Neighbors are fully adjacent; they believe that their LSDBs are identical and routing table calculations or recalculations begin.
3.25 Configure and verify OSPF neighbor relationship and authentication:
OSPF requirements to become neighbors:
Must be in same Area.
Must be in same subnet.
Must pass all authentication checks.
Must have the same hello and dead timers.
Must not be a passive interface.
Router IDs cannot be the same.
MTU size must be the same in order to exchange topology information.
Configuration and verification:
You can configure static neighbors with the neighbor command, or you can use network [IP] [wildcard mask] area [#] and make sure all requirements match to become neighbors.
Verification of neighbors can be seen with the show ip ospf neighbor [Router-ID] command and with the show ip protocols command.
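The neighbor requirements listed above turned into a troubleshooting check, as an added example that is not part of the guide: given two interface descriptions, `adjacency_problems` lists every requirement that fails, and `expected_state` maps the findings onto the neighbor state the adjacency gets stuck in (Init for Hello-parameter mismatches, as the state list in 3.24 says; ExStart for an MTU mismatch, since MTU is only compared during DD exchange). The interface dictionaries are constructed sample data.

```python
import ipaddress


def adjacency_problems(a, b):
    """Return a list of reasons two OSPF interfaces will not become full neighbors.

    Each side is a dict: ip (with prefix length), area, hello, dead, auth,
    passive, rid, mtu. An empty list means all listed requirements are met.
    """
    problems = []
    if a["area"] != b["area"]:
        problems.append("area mismatch")
    if ipaddress.ip_interface(a["ip"]).network != ipaddress.ip_interface(b["ip"]).network:
        problems.append("not in the same subnet")
    if a["auth"] != b["auth"]:
        problems.append("authentication mismatch")
    if (a["hello"], a["dead"]) != (b["hello"], b["dead"]):
        problems.append("hello/dead timer mismatch")
    if a["passive"] or b["passive"]:
        problems.append("passive interface")
    if a["rid"] == b["rid"]:
        problems.append("duplicate router ID")
    if a["mtu"] != b["mtu"]:
        problems.append("MTU mismatch")
    return problems


def expected_state(problems):
    """Neighbor state you would expect to see in `show ip ospf neighbor`."""
    if not problems:
        return "FULL"
    if problems == ["MTU mismatch"]:
        return "EXSTART"          # Hellos agree, DD exchange never completes
    if "passive interface" in problems or "not in the same subnet" in problems:
        return "none"             # Hellos are never sent or never accepted
    return "INIT"                 # Hello seen, but its parameters are rejected


# Constructed interfaces on two routers sharing one link.
R1 = {"ip": "10.1.12.1/24", "area": 0, "hello": 10, "dead": 40,
      "auth": ("md5", "key1"), "passive": False, "rid": "1.1.1.1", "mtu": 1500}
R2 = dict(R1, ip="10.1.12.2/24", rid="2.2.2.2")

if __name__ == "__main__":
    for label, peer in (("good", R2), ("bad timers", dict(R2, hello=30, dead=120)),
                        ("mtu", dict(R2, mtu=9000))):
        found = adjacency_problems(R1, peer)
        print(f"{label:>10}: {expected_state(found)} {found}")
```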
OSPF authentication:
OSPF authentication types:
Type 0: No authentication
Type 1: Plain-text authentication
Type 2: Hashed (message-digest) authentication
OSPFv2 plain-text authentication:
Configuration:
Enable plain-text authentication per interface or per area:
ip ospf authentication
area # authentication
Set a key:
ip ospf authentication-key [key]
The max key length is 8.
Verification:
Use the show ip interface or show ip ospf interface command for verification.
OSPFv2 MD5 authentication:
Does not allow time-based keys.
Max key length is 6.
Configuration:
Enable MD5 per interface or per area:
ip ospf authentication message-digest
area # authentication message-digest
Configure keys per interface:
ip ospf message-digest-key [id] md5 [key]
Verification:
show ip interface or show ip ospf interface.
OSPFv3 authentication:
OSPFv3 has no authentication headers of its own, so IPsec is used for authentication.
IPsec uses the Authentication Header (AH) for authentication, while the Encapsulating Security Payload (ESP) provides both authentication and encryption.
Configuration:
Enable AH or ESP:
ipv6 ospf authentication enables AH.
ipv6 ospf encryption enables ESP.
Configure per interface or per area:
ipv6 ospf authentication ipsec spi 256 sha1 [key]
area # authentication ipsec spi 256 sha1 [key]

3.26 - Configure and verify network types, area types, and router types
OSPF network types:
Point-to-point:
Elects a DR only if a neighbor is defined with the neighbor command.
Default Hello timer is 10.
Dynamically discovers neighbors; no more than 2 routers involved.
Define the network type on the interface with the ip ospf network [point-to-point | broadcast | etc.] command.
The above is also the default on Frame Relay point-to-point connections.
Multipoint:
Two types of multipoint networks:
Point-to-Multipoint:
Allows dynamic discovery of neighbors.
Does not use a DR.
Default hello is 30.
Point-to-Multipoint NBMA:
Does not use a DR.
Default hello is 30.
No dynamic discovery of neighbors.
Broadcast:
Connects multiple routers to a
switch, so if one packet gets sent out it goes to all routers.
Uses a DR.
Default hello is 10 seconds.
Dynamically discovers neighbors.
NonBroadcast:
These would be Frame Relay
networks.
Uses a DR.
Does not dynamically discover
neighbors.
Default Hello is 30 seconds.
LSA Types:
Type 1:
Known as router LSAs.
Each router creates one and floods it
throughout the same area.
An ABR will create one for each
area.
A type 1 LSA contains the following:
RID
All interface IP
addresses
Represents Stub
Networks
Type 2:
Known as a Network LSA.
Only sent by the DR.
Only one per transit network.
Represents the transit subnet and all
router interfaces connected to that subnet.
Type 3:
Known as a Summary LSA.
Sent by ABRs.
Contains information on how to
reach subnets that are in other areas.
Type 4:
Known as an ASBR Summary LSA.
Tells routers how to reach the ASBR.
Generated by the ABR.
Type 5:
Known as the AS External LSA.
Created by ASBRs.
Represents and contains external
routes injected into OSPF (Route Redistribution).
Type 7:
Known as an NSSA External LSA.
Created by ASBRs inside an NSSA
area instead of a type 5.
Also, represents external routes
injected into OSPF.
Types of OSPF areas:
Backbone Area: Is always area 0 and all other areas
must connect to it.
Normal Area: An area that is not a backbone area or
any type of stubby area.
Transit Area: An area where packets travel between
2 distant areas.
Stub Area: Filters only Type 5 LSAs and does not allow external routes.
NSSA: Filters only type 5 LSAs, but allows
external routes (Type 7 LSAs).
Totally NSSA: Filters both type 3 and 5 LSAs, but
allows external routes (Type 7 LSAs).
Totally Stubby Areas: Filters type 3 and 5 LSAs and
does not allow external routes.
Types of OSPF routers:
Internal router: A router that only has interfaces
connected to only one area.
Backbone router: Any router that has at least one interface connected to the backbone area.
Area Border router: Any router that has one or more
interfaces connected to other areas.
Autonomous System Boundary router: Any router
that injects external routes into OSPF.
Virtual Links:
Used for connecting non-backbone areas to the
backbone area through a virtual link and not through a direct connection.
3.27 - Configure and verify OSPF path preference
Calculating OSPF Intra-Area routes:
Find all subnets in the area based on type 1 and 2
LSAs.
Run SPF to find all paths to the subnet.
Calculate OSPF cost for all outgoing interfaces, and
use the lowest total cost route for each subnet as the best router.
Calculating OSPF Inter-Area routes:
Uses the type 3 LSAs to calculate routes to subnets
in other areas.
Calculate the intra-area cost to the ABR.
Add the cost value from the ABR to a different area
subnet to the local router cost to reach the ABR.
Since ABRs calculate both inter-area and intra-area routes, they need to know which route is best when they sit in multiple areas. They do this by following these rules:
An intra-area route is always better than an inter-area route.
If an ABR receives a type 3 LSA in a non-backbone area, it will ignore that LSA in its route calculations.
Remember that only type 1 and 2 LSAs reflect topology changes and require a full SPF calculation.
Configuration and verification:
Change the default reference bandwidth, which is 100,000 kbps, with the auto-cost reference-bandwidth command. Remember that cost is calculated as reference bandwidth (kbps) / interface bandwidth (kbps).
Set the cost of the link with ip ospf cost #.
Verify with the show ip ospf interface command.
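The cost formula and the intra-area SPF run from 3.27, as an added example that is not part of the guide, which also shows the suboptimal-routing case from 3.13: with the default reference bandwidth, FastE and GigE both cost 1 (the integer division floors at a minimum of 1), so a single FastE hop beats a two-hop GigE path; raising the reference bandwidth to 10 Gbps restores the distinction. `ospf_cost` is the formula; `shortest_path` is Dijkstra over a constructed four-router topology with per-link bandwidths.

```python
import heapq

DEFAULT_REF_BW_KBPS = 100_000  # auto-cost reference-bandwidth default (100 Mbps)


def ospf_cost(bandwidth_kbps, ref_bw_kbps=DEFAULT_REF_BW_KBPS):
    """OSPF interface cost = reference bandwidth / interface bandwidth, floored, min 1."""
    return max(1, ref_bw_kbps // bandwidth_kbps)


def build_graph(links, ref_bw_kbps=DEFAULT_REF_BW_KBPS):
    """Turn (routerA, routerB, bandwidth_kbps) links into a cost-weighted adjacency map."""
    graph = {}
    for a, b, bw in links:
        cost = ospf_cost(bw, ref_bw_kbps)
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph


def shortest_path(graph, src, dst):
    """Dijkstra (the SPF step): returns (total_cost, [routers on the path]) or None."""
    dist = {src: 0}
    prev = {}
    heap = [(0, src)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > dist.get(node, float("inf")):
            continue            # stale heap entry
        if node == dst:
            break
        for nxt, link_cost in graph[node].items():
            new_cost = cost + link_cost
            if new_cost < dist.get(nxt, float("inf")):
                dist[nxt] = new_cost
                prev[nxt] = node
                heapq.heappush(heap, (new_cost, nxt))
    if dst not in dist:
        return None
    path, node = [dst], dst
    while node != src:
        node = prev[node]
        path.append(node)
    return dist[dst], path[::-1]


# Constructed topology: R1-R4 direct over FastE, or R1-R2-R4 over two GigE hops.
LINKS = [("R1", "R4", 100_000), ("R1", "R2", 1_000_000), ("R2", "R4", 1_000_000)]


def r1_to_r4(ref_bw_kbps=DEFAULT_REF_BW_KBPS):
    return shortest_path(build_graph(LINKS, ref_bw_kbps), "R1", "R4")


if __name__ == "__main__":
    print("default reference bandwidth:", r1_to_r4())
    print("reference bandwidth 10 Gbps:", r1_to_r4(10_000_000))
```

Because the reference bandwidth is a per-router setting, change it consistently on every router in the domain; a mixed deployment makes routers disagree about link costs and produces exactly the asymmetric paths that 1.2 warns about.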
3.28 Configure and verify OSPF operations:
Exchange without a DR:
Neighbors exchange hellos until they reach 2-way
state.
After a router has received a hello and all
parameters match, the routers will list each others RIDs as being seen in
the next hello packet.
Once the routers see their own RIDs, they reach the
2-way state.
When it reaches the 2-way state they determine If
they want to exchange LSDB entries (When no DR the answer is always
yes).
Once both routers say yes, they will:
Discover LSAs known to the neighbor but unknown to themselves.
Discover LSAs known to both routers where the neighbor's copy is more up to date.
Ask the neighbor for a copy of all LSAs identified in the first two steps.
Lastly, full LSAs are exchanged. Receipt of the LSAs is confirmed by sending an LSAck message (explicit acknowledgement) or by sending the same LSA that was received back to the other router in an LSU message (implicit acknowledgement).
Exchange with a DR:
Non-DR routers do not exchange their databases
with neighbors on a subnet.
Exchange with a DR:
All non-DR routers (or DROther)
perform database exchange with the DR routers multicast address
at 224.0.0.6.
DR performs the exact same
database exchange, but sends it to the 224.0.0.5 address.
LSAs sent to 224.0.0.6 are processed
by the DR & BDR, but only the DR participates while the BDR
stands by.
When the link-state topology changes, routers flood the new LSA to the DR. By requesting only new versions of LSAs, routers prevent LSA advertisements from looping.
Periodic flooding of LSAs:
OSPF re-floods LSAs every 30 minutes based on the LSA's age variable.
The owning router creates the LSA and sets the age to 0. The age increases over time, and if no changes are made within 30 minutes the owning router increments the sequence number, resets the timer, and refloods it.
Remember that the larger the sequence number, the more recent the LSA is.
Verification can be done in the LSDB; no configuration is needed beyond setting up OSPF on a router.
3.29 - Configure and verify OSPF for IPv6:
Differences between OSPFv2 and v3:
Renamed LSAs:
The Type 3 LSA is renamed the Inter-Area Prefix LSA for ABRs.
The Type 4 LSA is renamed the Inter-Area Router LSA for ASBRs. These are used to tell routers in a different area how to reach the ASBR.
New LSAs:
The Type 8 LSA, called a Link LSA, only exists on a local link, where routers use it to advertise the router's link-local address to all routers on the same link.
The Type 9 LSA, called an Intra-Area Prefix LSA, carries the IPv6 networks attached to a router (like a type 1 LSA in IPv4 networks); it can also carry information about transit IPv6 network segments (like a type 2 LSA in IPv4 networks).
Configuration:
Configure with the ipv6 router ospf [#] command.
Add the ospfv3 process to an IPv6 interface with
the ipv6 ospf # area # command.
Verification:
Use any of the following commands:
Show ipv6 protocols
Show ipv6 ospf interface brief
3.30 - Describe, configure, and verify BGP peer relationships and authentication:
BGP does not require neighbors to be on the same subnet or same
link to become neighbors because it uses a TCP connection (Port 179) between
routers to pass BGP messages.
BGP States:
Idle: BGP process is down or awaiting the next retry attempt.
Connect: BGP process is waiting for the TCP connection to complete.
Active: TCP connection is completed, but no BGP messages have been sent yet.
Opensent: TCP connection exists and a BGP Open message has been sent; waiting for the matching Open message from the neighbor.
Openconfirm: Open message sent and received from the other router. The next step is to send a BGP Keepalive message to confirm that all neighbor parameters match, or a BGP Notification message to report a mismatch.
Established: All neighbor parameters match, the relationship works, and the peers can now exchange Update messages.
BGP Messages:
Open: Used to establish the neighbor relationship; it exchanges the basic parameters (ASN, hold time, RID, capabilities). The password itself is not carried here; it protects the underlying TCP session.
Keepalive: Sent periodically (every 60 seconds by default) to maintain the relationship. If no Keepalive or Update arrives within the negotiated hold time (180 seconds by default), the relationship is torn down.
Update: Used to exchange path attributes (PAs) and the prefixes (prefix/length) that share those attributes, as well as withdrawn routes.
Notification: Sent when an error is detected, including a parameter mismatch, and always followed by closing the session; its error code and subcode tell you what was wrong.
Peer Groups:
A peer group lets you apply one set of neighbor settings (remote-as, update-source, route-map, password, and so on) to a group of neighbors, and the router builds each Update once for the group instead of once per neighbor.
Configuration:
See page 630 in the OCG.
3.31 - Configure and verify eBGP (IPv4 and IPv6 address families):
eBGP:
Requirements to become neighbors (peers):
The RIDs cannot be the same.
Authentication (the TCP MD5 password) must match, if configured.
The ASN in the remote router's neighbor statement must match the local ASN.
The source address of the TCP segments must match the address in the other router's neighbor statement (use neighbor [IP] update-source [interface] when peering from a loopback).
eBGP peers are assumed to be directly connected: the TTL of the BGP packets is 1 unless neighbor [IP] ebgp-multihop [ttl] is configured.
Configuration for IPv4:
router bgp [ASN]
neighbor [IP-address] remote-as [ASN]
network [network] mask [subnet mask] (the network command advertises a prefix that already exists in the routing table; it does not select interfaces)
Configuration for IPv6:
Configuration for routing IPv6 over IPv4 (an IPv6 address family carried over a session between IPv4 addresses):
Enable IPv6 routing with ipv6 unicast-routing.
Create a route map that sets the IPv6 next hop with set ipv6 next-hop [IPv6 address]; without it the session, which runs between IPv4 addresses, advertises an IPv4-mapped next hop that the peer cannot use.
Enable BGP with router bgp [ASN] and define the peer with neighbor [IPv4 address] remote-as [ASN].
Enter address-family ipv4 and advertise the IPv4 prefixes with network [ip address] mask [subnet mask]; leave the address family with exit-address-family.
Enter address-family ipv6 and advertise the IPv6 prefixes with network [IPv6 prefix]/[prefix-length].
Activate the neighbor inside the IPv6 address family with neighbor [IPv4 address] activate.
Attach the route map outbound with neighbor [IPv4 address] route-map [name] out.
Configuration for routing IPv6 over IPv6:
Enable IPv6 routing with ipv6 unicast-routing.
Enable BGP with router bgp [ASN].
Define the IPv6 neighbor with neighbor [IPv6 address] remote-as [ASN].
Enter address family mode with address-family ipv6.
Advertise the prefixes with network [IPv6 prefix]/[prefix-length].
Activate the BGP neighbor with neighbor [IPv6 address] activate.
Autonomous system numbers (16-bit):
ASN 0 is reserved.
1 - 64,495 are assigned for public use (23,456 inside that range is reserved as AS_TRANS for 4-byte ASN transition).
64,496 - 64,511 are reserved for documentation and examples (RFC 5398).
64,512 - 65,534 are for private use.
65,535 is reserved.
4-byte ASNs (up to 4,294,967,295) are also in use; 4,200,000,000 - 4,294,967,294 is the private range there.
3.32 - Explain BGP attributes and best-path selection:
BGP uses path attributes as the inputs for choosing the best route; there is no single metric. The order goes as follows:
Next hop: If there is no route to reach the NEXT_HOP IP address, the path cannot be used at all.
Weight (not a PA, Cisco proprietary, never advertised): the bigger the better.
LOCAL_PREF: the bigger the better (shared inside the AS, not sent to eBGP peers).
Locally injected routes (network, redistribute, aggregate on this router): better than both eBGP- and iBGP-learned routes.
AS_PATH length: the smaller the better.
ORIGIN: prefer i (IGP) over e (EGP), and e over ? (incomplete).
MED: the smaller the better. By default MED is only compared between paths received from the same neighboring AS; bgp always-compare-med makes it compare across ASes.
Neighbor type: eBGP over iBGP.
IGP metric to the next hop: the smaller the better.
If no single route has been chosen after going through all the steps above, the router breaks the tie in this order:
Oldest (longest-known) eBGP route.
Lowest neighbor BGP RID.
Lowest neighbor IP address.
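The decision list above reads as a table, but it behaves as a pairwise comparison, and two details that bite in practice (a path with the highest weight still loses if its next hop is unreachable, and MED only counts between paths from the same neighboring AS) are easy to miss. The following Python model, added here as an illustration and not code from the OCG or from Cisco, walks the steps in the order the text gives them over a constructed set of four paths. The BgpPath fields, the sample addresses and the reachable-next-hop set are all assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed model of one BGP path to a prefix. The field names are my own
# choice for this example, not an IOS data structure.
@dataclass
class BgpPath:
    prefix: str
    next_hop: str
    neighbor_ip: str
    neighbor_rid: str
    weight: int = 0                    # Cisco-proprietary, local to this router
    local_pref: int = 100
    locally_originated: bool = False   # network / redistribute / aggregate here
    as_path: List[int] = field(default_factory=list)
    origin: str = "i"                  # "i" (IGP) > "e" (EGP) > "?" (incomplete)
    med: int = 0
    ebgp: bool = True                  # False = learned from an iBGP peer
    igp_metric: int = 0                # IGP cost to reach next_hop
    age: int = 0                       # seconds this eBGP path has been known

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}

def ip_key(addr: str):
    """Dotted-quad to a tuple so 'lowest address' compares numerically."""
    return tuple(int(octet) for octet in addr.split("."))

def better(a: BgpPath, b: BgpPath, always_compare_med: bool = False) -> bool:
    """True if path a beats path b; each 'if' is one step of the decision list."""
    if a.weight != b.weight:
        return a.weight > b.weight
    if a.local_pref != b.local_pref:
        return a.local_pref > b.local_pref
    if a.locally_originated != b.locally_originated:
        return a.locally_originated
    if len(a.as_path) != len(b.as_path):
        return len(a.as_path) < len(b.as_path)
    if a.origin != b.origin:
        return ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin]
    # MED is only compared between paths that came from the same neighboring AS
    # (first AS in AS_PATH) unless "bgp always-compare-med" is configured.
    same_neighbor_as = a.as_path[:1] == b.as_path[:1]
    if (same_neighbor_as or always_compare_med) and a.med != b.med:
        return a.med < b.med
    if a.ebgp != b.ebgp:
        return a.ebgp
    if a.igp_metric != b.igp_metric:
        return a.igp_metric < b.igp_metric
    if a.ebgp and b.ebgp and a.age != b.age:
        return a.age > b.age           # oldest eBGP path wins (stability)
    if a.neighbor_rid != b.neighbor_rid:
        return ip_key(a.neighbor_rid) < ip_key(b.neighbor_rid)
    if a.neighbor_ip != b.neighbor_ip:
        return ip_key(a.neighbor_ip) < ip_key(b.neighbor_ip)
    return False                       # full tie: keep the incumbent

def best_path(paths: List[BgpPath], reachable_next_hops,
              always_compare_med: bool = False) -> Optional[BgpPath]:
    """Step 0 drops paths whose NEXT_HOP has no route; the rest are compared pairwise."""
    best = None
    for path in paths:
        if path.next_hop not in reachable_next_hops:
            continue
        if best is None or better(path, best, always_compare_med):
            best = path
    return best

# Constructed example: four paths to the same prefix.
SAMPLE_PATHS = [
    BgpPath("203.0.113.0/24", "10.1.1.1", "10.1.1.1", "1.1.1.1",
            weight=32768, as_path=[65001]),              # biggest weight, but next hop unreachable
    BgpPath("203.0.113.0/24", "10.2.2.2", "10.2.2.2", "2.2.2.2",
            local_pref=100, as_path=[65002, 65003]),     # lower LOCAL_PREF, longer AS_PATH
    BgpPath("203.0.113.0/24", "10.3.3.3", "10.3.3.3", "3.3.3.3",
            local_pref=200, as_path=[65002], med=10, ebgp=False, igp_metric=20),
    BgpPath("203.0.113.0/24", "10.4.4.4", "10.4.4.4", "4.4.4.4",
            local_pref=200, as_path=[65002], med=50, ebgp=True),
]
REACHABLE = {"10.2.2.2", "10.3.3.3", "10.4.4.4"}   # 10.1.1.1 deliberately has no route

if __name__ == "__main__":
    chosen = best_path(SAMPLE_PATHS, REACHABLE)
    print("best path via", chosen.neighbor_ip)    # 10.3.3.3: MED is decided before eBGP-vs-iBGP
```

In the sample the iBGP path wins over the eBGP one because both came through AS 65002 and MED (step 7) is evaluated before neighbor type (step 8); with equal MEDs the eBGP path would win instead. Real routers also apply multipath and the bgp bestpath ... knobs, which this model leaves out.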
4.0 VPN Technologies:
4.1 - Configure and Verify GRE:
Generic Routing Encapsulation (GRE) is used for creating site-to-site tunnels. On its own GRE provides no confidentiality, integrity or authentication: the inner packet is carried in clear text, and anyone who can deliver IP protocol 47 packets to the tunnel destination address can inject traffic into the tunnel. Treat it as a VPN only when it is wrapped in IPsec (tunnel protection ipsec profile [name]) or when a firewall restricts which sources may send GRE to the endpoint. Configuration steps for GRE are as follows:
Create the tunnel interface with the interface tunnel [#] command.
Put the tunnel interfaces on each side of the tunnel on the same subnet (ip address on the tunnel interface).
Use tunnel source [interface | IP address] to specify the local endpoint and tunnel destination [IP address] to specify the remote endpoint (a host address, not a subnet). Each router's tunnel destination must be the other router's tunnel source, and both endpoints must be reachable without going through the tunnel itself, otherwise the router detects recursive routing and brings the tunnel down.
Verifying GRE:
Verify the configuration with show running-config and show interfaces tunnel [#] (the line protocol comes up only when the tunnel destination is routable); show ip route confirms that the tunnel subnet is installed.
Remember that a traceroute across the tunnel shows the whole underlay as a single hop, because the transport-network hops are hidden inside the encapsulation.
4.2 - Describe DMVPN:
Dynamic Multipoint VPN (DMVPN) allows routers to create VPN tunnels with other routers on an as-needed basis, instead of a full mesh of static tunnels.
It uses a hub-and-spoke topology on top of a client/server model. Only the spokes need to be preconfigured with the hub's public address; the hub learns each spoke's address dynamically when the spoke registers with it over NHRP, so adding a spoke does not require touching the hub's configuration.
Three building blocks of DMVPN are:
mGRE (multipoint GRE): one tunnel interface with no fixed tunnel destination. It is required on the hub, and on the spokes as well when dynamic spoke-to-spoke tunnels are wanted.
NHRP (Next Hop Resolution Protocol): the client/server mapping service. Spokes register their tunnel-address to public-address mapping with the hub (the NHRP server) and query it to resolve the public address of another spoke. ip nhrp authentication [string] on every tunnel interface stops a misconfigured router from registering, but the string travels in clear text, so it is not a defense against a deliberate attacker.
IPsec: optional as far as the tunnel mechanics go, but without it DMVPN is just cleartext GRE; apply it with tunnel protection ipsec profile [name] on the tunnel interfaces.
A known DMVPN problem is routing-protocol neighborships and routes flapping over the tunnels. Cisco's recommendation is to check the routing protocol adjacencies between the routers (timers, MTU and whether spoke-to-spoke next hops are actually being resolved).
4.3 - Describe Easy Virtual Networking (EVN)
EVN lets one physical router host several virtual routers (virtual networks) so traffic from different groups (Wireless, Voice, Data, and so on) stays in separate routing tables.
EVN is built on VRF-Lite rather than replacing it: each virtual network is a VRF. What EVN adds is the Virtual Network Trunk (VNET trunk), a single physical link between two EVN routers that carries every virtual network's traffic and identifies the network each packet belongs to with a VNET tag (carried as an 802.1Q VLAN tag), instead of the per-VRF subinterfaces plain VRF-Lite needs. The tag is only meaningful between the two virtual routers on each end of the trunk. By default the virtual networks cannot reach one another; route replication copies routes from one virtual network's table into another when controlled sharing (shared services, for example) is needed.
5.0 Infrastructure Security:
5.1- Describe IOS AAA using local database:
Local AAA authenticates against usernames stored in the router's own configuration; configure it with:
aaa new-model
username [name] privilege [level] secret [password] (use secret, never password, so the credential is stored as a hash rather than type 7 obfuscation)
aaa authentication login default local (the list named default applies to every line that does not name another list)
To use a TACACS+ server first and fall back to the local database only when the server is unreachable: aaa authentication login default group tacacs+ local. The local entry is a fallback, not an alternative: it is consulted only when no server answers, not when a server rejects the user.
5.2 - Describe device security using IOS AAA with TACACS+ and RADIUS:
Difference between TACACS+ and RADIUS:
TACACS+:
Uses TCP (port 49).
Encrypts the entire body of the packet (only the header is in clear text).
Originally Cisco proprietary; now published as RFC 8907.
Separates authentication, authorization and accounting into independent services, which is what makes per-command authorization possible; accounting is more basic.
RADIUS:
Uses UDP (ports 1812/1813; older deployments use 1645/1646).
Only obfuscates the password field; the rest of the packet, including usernames and attributes, is clear text.
Offers robust accounting and combines authentication and authorization in one exchange.
Open standard (RFC 2865/2866).
Configuration (each server is defined by name and then referenced from a server group):
tacacs server [name] or radius server [name]
address ipv4 [IP] (or address ipv6 [IP])
key [shared secret] (the shared secret is the only thing protecting the exchange; use a long random value, and a different one per device where you can)
Then aaa group server tacacs+ [group] (or radius) with server name [name] inside it, and reference the group in the aaa authentication, authorization and accounting method lists.
5.3 - Configure and verify device access control:
The VTY lines can be secured with access lists (access-class [ACL] in under line vty) and with an AAA server, and should only accept SSH (transport input ssh).
Management plane security deals with the security of the device itself and of the traffic used to manage it. You do this with ACLs (on the VTY lines and the management interface), AAA, and by disabling unused services and cleartext management protocols (Telnet, HTTP, SNMPv1/v2c).
Password encryption:
Type 7 "encryption" (service password-encryption) is reversible obfuscation with a fixed, public XOR key; anyone who can read the configuration can recover the plaintext instantly. It only hides a password from someone looking over your shoulder. Everything still stored this way (line and username passwords, TACACS+/RADIUS keys, NTP keys) must be treated as compromised as soon as a configuration leaks.
The secret keyword (enable secret, username [name] secret) stores a one-way hash instead. Type 5 (salted MD5) is the historical default and still acceptable; on releases that support it, use Type 8 (PBKDF2-SHA-256) or Type 9 (scrypt) with enable algorithm-type {sha256 | scrypt} secret [password] (and the same algorithm-type keyword on username). Avoid Type 4: it was an unsalted, single-iteration SHA-256 that turned out weaker than Type 5.
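To make the type 7 point concrete rather than take it on faith, the following Python, added here as an illustration and not code from the OCG or from Cisco, implements the type 7 transform in both directions and then audits a constructed configuration excerpt for every type 7 string it contains. The key is the long-published constant; the sample configuration, the plaintexts in it and the fake Type 5 hash are all constructed for the example. The point is not the decoder itself but what it shows: there is no secret involved, so "encrypted" in show running-config means nothing for these fields.

```python
import re

# The fixed XOR key behind IOS type 7 "encryption". It has been public for
# decades, which is the whole reason type 7 is obfuscation, not encryption.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

def type7_decode(blob: str) -> str:
    """'0822455D0A16' -> 'cisco'. The first two decimal digits are the key offset;
    the rest is the plaintext XORed byte-by-byte with the key, written in hex."""
    seed = int(blob[:2])
    data = bytes.fromhex(blob[2:])
    plain = bytes(c ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, c in enumerate(data))
    return plain.decode("ascii")

def type7_encode(plain: str, seed: int = 8) -> str:
    """Inverse of type7_decode; IOS picks a seed between 0 and 15."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    out = [f"{seed:02d}"]
    for i, c in enumerate(plain.encode("ascii")):
        out.append(f"{c ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]:02X}")
    return "".join(out)

HEX_TOKEN = re.compile(r"^[0-9A-Fa-f]{4,}$")

def audit_type7(config_text: str):
    """Scan a configuration for type 7 secrets; returns (line, plaintext) pairs.
    IOS writes most of them as '... 7 <hex>', but NTP keys appear as 'md5 <hex> 7'."""
    found = []
    for line in config_text.splitlines():
        toks = line.split()
        for i, tok in enumerate(toks):
            if tok != "7":
                continue
            for j in (i + 1, i - 1):            # hex blob after the 7, or before it (NTP)
                if 0 <= j < len(toks) and HEX_TOKEN.match(toks[j]) and len(toks[j]) % 2 == 0:
                    try:
                        found.append((line.strip(), type7_decode(toks[j])))
                    except (ValueError, UnicodeDecodeError):
                        continue                # looked like a blob but was not one
                    break
    return found

# Constructed configuration excerpt. The type 7 blobs are generated with
# type7_encode so the sample stays self-consistent; the Type 5 hash is a dummy.
SAMPLE_CONFIG = f"""\
service password-encryption
username admin password 7 {type7_encode("cisco", 8)}
enable secret 5 $1$abcd$0123456789abcdefghijkl
tacacs server ISE
 address ipv4 10.0.0.10
 key 7 {type7_encode("t4c4cs!", 3)}
ntp authentication-key 1 md5 {type7_encode("ntpk3y", 11)} 7
"""

if __name__ == "__main__":
    for line, plain in audit_type7(SAMPLE_CONFIG):
        print(f"{plain!r:12} <- {line}")
```

Run it against a real configuration export and every recovered plaintext is a credential to rotate; the enable secret line is skipped because a Type 5/8/9 hash cannot be reversed this way, which is exactly the property the secret keyword buys you.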
5.4 - Configure and verify router security features
IPv4 access lists can be time-based. Configuration of time-based Access Control Lists:
time-range [name]
periodic {monday | tuesday | ... | daily | weekdays | weekend} [hh:mm] to [hh:mm] (or absolute start [hh:mm day month year] end ... for a one-off window)
ip access-list extended [name], then [permit | deny] [protocol] [source] [destination] time-range [name] (a numbered access-list takes the same time-range keyword). An entry whose time range is inactive is skipped, so the packet falls through to the remaining entries and, eventually, the implicit deny.
IPv6 Traffic Filtering:
IPv6 ACLs are written like IPv4 named ACLs (ipv6 access-list [name], applied with ipv6 traffic-filter [name] {in | out}), but they have 3 implicit entries at the end:
permit icmp any any nd-na
permit icmp any any nd-ns
deny ipv6 any any
The two ND permits keep neighbor discovery (the IPv6 equivalent of ARP) working on the link. If you add your own explicit deny ipv6 any any (for example with log to see what is being dropped), the implicit entries are never reached, so put explicit nd-na and nd-ns permits above it or the interface stops resolving neighbors.
Unicast reverse path forwarding (uRPF) is an anti-spoofing check on Cisco routers: on arrival, the source address of each packet is looked up in the FIB, and the packet is dropped if the route found does not make sense for the interface it came in on. It requires CEF.
uRPF has 3 modes:
Loose mode: the router only verifies that there is some route to the packet's source address in the FIB; which interface that route points to does not matter. Use it where routing is asymmetric (ISP edges, multi-homed sites); it still drops sources that have no route at all, such as unallocated address space.
Strict mode: the router checks that the source is in the FIB and that the best route back to that source points out the same interface the packet arrived on. This is the strong setting, but it drops legitimate traffic wherever the return path differs from the forward path (asymmetric routing), so only use it on interfaces with a single, symmetric path, such as customer or access links.
VRF mode: the same check as loose mode, but the lookup is done in the VRF instance's routing table.
A default route is not accepted as a match in either mode unless allow-default is added; without it, a source that matches only 0.0.0.0/0 fails the check.
Configuration (per interface):
ip verify unicast source reachable-via {rx (strict mode) | any (loose mode)} [allow-default] [ACL]
Verification: show ip interface [interface] reports the mode, and the unicast RPF counter in show ip traffic shows how many packets it has dropped.
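The difference between the modes is clearest when the same packets are run through both. The following Python, added here as an illustration and not code from the OCG or from Cisco, emulates the lookup a router performs for ip verify unicast source reachable-via over a constructed FIB (longest-prefix match) and a constructed set of packets: a legitimate inside host, an inside address spoofed from the Internet, an inside host whose return path is asymmetric, and two Internet sources. The FIB contents, interface names and addresses are all assumptions for the example; the allow-default behaviour follows the description above.

```python
import ipaddress

# Constructed FIB of a small edge router: prefix -> egress interface.
# Gi0/0 faces the Internet (default route), Gi0/1 and Gi0/2 face the inside.
FIB = {
    "0.0.0.0/0":    "Gi0/0",
    "10.0.0.0/8":   "Gi0/1",
    "10.50.0.0/16": "Gi0/2",
    "192.0.2.0/24": "Gi0/0",
}

def fib_lookup(fib, addr):
    """Longest-prefix match. Returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf_check(fib, src, ingress, mode="rx", allow_default=False):
    """Emulates 'ip verify unicast source reachable-via {rx | any} [allow-default]'
    for one packet: mode 'rx' is strict, 'any' is loose. True means the packet passes."""
    hit = fib_lookup(fib, src)
    if hit is None:
        return False                      # no route at all to the source
    net, iface = hit
    if net.prefixlen == 0 and not allow_default:
        return False                      # matching only 0.0.0.0/0 does not count
    if mode == "any":
        return True                       # loose: any usable route suffices
    return iface == ingress               # strict: route must point back out the ingress

# Constructed packets: (source address, ingress interface, scenario label).
SAMPLE_PACKETS = [
    ("10.50.1.1",   "Gi0/2", "legitimate inside host"),
    ("10.50.1.1",   "Gi0/0", "inside address arriving from the Internet (spoofed)"),
    ("10.50.1.1",   "Gi0/1", "inside host, but return path is asymmetric"),
    ("203.0.113.5", "Gi0/0", "Internet source covered only by the default route"),
    ("192.0.2.9",   "Gi0/0", "Internet source with a specific route"),
]

def evaluate(fib, packets, mode, allow_default=False):
    """Returns the labels of the packets that PASS the check in the given mode."""
    return [label for src, ingress, label in packets
            if urpf_check(fib, src, ingress, mode, allow_default)]

if __name__ == "__main__":
    for mode in ("rx", "any"):
        print(mode, "passes:", evaluate(FIB, SAMPLE_PACKETS, mode))
```

Strict mode catches the spoofed inside address on Gi0/0 but also drops the asymmetric host; loose mode keeps the asymmetric host and lets the spoofed packet through, because 10.50.0.0/16 is in the FIB regardless of interface. The Internet source that matches only the default route fails in both modes until allow-default is set, which is why loose mode with allow-default on an Internet-facing interface filters almost nothing.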
6.0 Infrastructure Services:
6.1 - Configure and verify device management:
You can configure remote access to a router with the following commands:
line vty 0 15 (cover every VTY line, not just 0 4; a line left without protection is the one an attacker lands on when the others are busy)
login authentication [list] (or login local when AAA is not in use)
transport input ssh (drop Telnet)
access-class [ACL] in
exec-timeout [minutes] [seconds]
The access-class ACL only allows hosts from the management subnet(s) to open a session to the router; applying it on the VTY lines rather than on interfaces means it covers every interface the router has.
6.2 - Configure and verify SNMP:
Configuring SNMPv2c:
SNMPv2c offers no encryption and no real authentication: the community string is sent in clear text and is the only credential, so treat it like a password (long, random, never public/private, read-only wherever possible) and restrict which hosts may use it with an ACL.
Configuration:
Create an access-list that permits only the management stations (this ACL limits who may poll with the community; it has nothing to do with where traps are sent).
Configure the community with snmp-server community [string] [RO | RW] [ACL].
Send traps with snmp-server host [IP] version 2c [string] plus snmp-server enable traps.
Configuring SNMPv3:
SNMPv3 adds per-user authentication (HMAC with MD5 or SHA) and encryption (DES, 3DES or AES), selected by the security level: noauth, auth (authentication only) or priv (authentication and encryption). Use priv with SHA and AES.
Configuration:
Configure the group: snmp-server group [groupname] v3 {auth | noauth | priv} [read readview] [write writeview] [notify notifyview] [access access-list]
Configure the user: snmp-server user [username] [groupname] v3 auth {md5 | sha} [auth-password] priv {des | 3des | aes {128 | 192 | 256}} [priv-password] [access access-list]
Configure the host that traps are sent to: snmp-server host [IP] version 3 priv [username]
Enable traps: snmp-server enable traps
Verify with show snmp user and show snmp group (the user's passwords are not shown in the running configuration, only in show snmp user as hashed keys).
6.3 - Configure and verify logging:
Logging records the events that happen on the router (interface changes, configuration changes, login failures, ACL hits) and is the raw material for detection and incident response, so send it off-box to a collector that an attacker who owns the router cannot edit.
Logging levels (the number is the severity; lower is more severe):
0 = emergencies
1 = alerts
2 = critical
3 = errors
4 = warnings
5 = notifications
6 = informational
7 = debugging
Configuration:
logging host [IP] (syslog to a collector; by default UDP port 514 in clear text, so keep it on the management network)
logging trap [level] (the severity sent to the collector: that level and everything more severe. Configuration changes are logged at level 5, so logging trap warnings would never forward them)
logging buffered [size] [level] (keep a local copy in memory)
logging monitor [level] with terminal monitor on the session (see messages on VTY lines)
service timestamps log datetime msec localtime show-timezone (usable timestamps for correlation; pair this with NTP)
logging source-interface [interface]
Verification: show logging (buffer contents and the configured destinations) and show logging history.
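What the level table means in practice is best seen from the collector's side: every IOS message carries its severity in the %FACILITY-SEVERITY-MNEMONIC tag, and the syslog PRI value in front of it encodes facility * 8 + severity. The following Python, added here as an illustration and not code from the OCG or from Cisco, parses constructed lines as a collector would receive them, checks which of them a given logging trap level would forward, and flags the ones on a small watch-list of mnemonics (configuration changes and login failures). The sample lines, the watch-list and the field names are assumptions for the example; the mnemonics themselves are real IOS ones.

```python
import re

LEVELS = ["emergencies", "alerts", "critical", "errors",
          "warnings", "notifications", "informational", "debugging"]

# <PRI>seq: timestamp: %FACILITY-SEVERITY-MNEMONIC: text  (PRI, seq and timestamp are optional)
IOS_MSG = re.compile(
    r"^(?:<(?P<pri>\d+)>)?[^%]*%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+): (?P<text>.*)$"
)

def parse_ios_syslog(line: str):
    """Parse one IOS syslog line into a dict, or None if it is not an IOS message."""
    m = IOS_MSG.match(line)
    if not m:
        return None
    sev = int(m["sev"])
    rec = {
        "facility": m["fac"], "severity": sev, "level": LEVELS[sev],
        "mnemonic": m["mnem"], "text": m["text"],
        "key": f"{m['fac']}-{sev}-{m['mnem']}",
    }
    if m["pri"] is not None:
        # Syslog PRI = facility * 8 + severity; IOS defaults to local7 (23).
        rec["syslog_facility"], rec["syslog_severity"] = divmod(int(m["pri"]), 8)
    return rec

def forwarded_by_trap_level(rec, trap_level) -> bool:
    """'logging trap <level>' sends messages at that severity and anything more severe."""
    limit = LEVELS.index(trap_level) if isinstance(trap_level, str) else int(trap_level)
    return rec["severity"] <= limit

# Mnemonics worth alerting on regardless of severity (assumed watch-list for this example).
WATCHLIST = {"SYS-5-CONFIG_I", "SEC_LOGIN-4-LOGIN_FAILED", "SEC_LOGIN-5-LOGIN_SUCCESS"}

def triage(lines, trap_level="warnings"):
    """Returns (keys that would reach the collector, keys that hit the watch-list)."""
    forwarded, flagged = [], []
    for line in lines:
        rec = parse_ios_syslog(line)
        if rec is None:
            continue
        if forwarded_by_trap_level(rec, trap_level):
            forwarded.append(rec["key"])
        if rec["key"] in WATCHLIST:
            flagged.append(rec["key"])
    return forwarded, flagged

# Constructed sample, in the shape a collector receives from an IOS router.
SAMPLE_LINES = [
    "<189>12: *Mar  1 00:12:34.567: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "<188>13: *Mar  1 00:13:01.002: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 00:13:01 UTC Mon Mar 1 1993",
    "<189>14: *Mar  1 00:14:00.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "<190>15: *Mar  1 00:15:10.300: %SEC-6-IPACCESSLOGP: list MGMT denied tcp 198.51.100.7(41234) -> 10.0.0.1(22), 1 packet",
    "not a syslog line at all",
]

if __name__ == "__main__":
    for level in ("warnings", "informational"):
        sent, alerts = triage(SAMPLE_LINES, level)
        print(f"logging trap {level}: forwarded={sent} watch-list hits={alerts}")
```

With logging trap warnings only the failed login leaves the router; the configuration change and the ACL hit never reach the collector, so a detection rule written there for CONFIG_I would silently never fire. The usual fix is logging trap informational (or notifications at minimum) and letting the collector do the filtering.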
6.4 - Configure and verify Network Time Protocol (NTP):
NTP lets routers synchronize their clocks to an outside time source (or, with ntp master, act as the source for other devices). Accurate, uniform time is what makes logs from different devices correlatable, and a device whose clock can be pushed around by a spoofed server will also mis-evaluate certificate lifetimes and time-based ACLs, so authenticate the source.
Configuration:
Server:
ntp master [stratum] (only on the device that is the reference for the others; it claims whatever stratum you give it, so use it sparingly)
(Optional) ntp authentication-key [key-id] md5 [key]
(Optional) ntp authenticate
(Optional) ntp trusted-key [key-id]
Client:
ntp server [IP address]
(Optional) ntp server [IP address] key [key-id] (use this key when talking to this server)
(Optional) ntp authentication-key [key-id] md5 [key] (same key id and key as on the server)
(Optional) ntp authenticate
(Optional) ntp trusted-key [key-id]
NTP authentication lets the client verify that replies really come from the configured server; it protects the client, not the server, and the key is stored in the configuration with type 7 obfuscation.
Verification:
show ntp associations (the * marks the server the router is currently synchronized to)
show ntp status
Key note: the lower the stratum, the closer the device is to a reference clock and the more trustworthy it is; stratum 16 means unsynchronized.
6.5 - Configure and verify IPv4 and IPv6 DHCP:
DHCP assigns IP addresses and related parameters (default gateway, DNS servers) to hosts automatically.
IPv4 DHCP configuration:
ip dhcp excluded-address [first] [last] (keep the addresses of routers, servers and printers out of the pool)
ip dhcp pool [name]
network [network] [mask]
default-router [IP]
dns-server [IP]
Verification: show ip dhcp binding and show ip dhcp pool.
IPv6 DHCP configuration:
ipv6 dhcp pool [name], with address prefix [prefix] for stateful address assignment, or only dns-server and domain-name for stateless DHCP; then ipv6 dhcp server [name] on the interface.
Hosts learn which method to use from the router advertisement flags set on the interface: ipv6 nd other-config-flag for stateless DHCPv6 (address from SLAAC, other options from DHCP) or ipv6 nd managed-config-flag for stateful DHCPv6. You can also use plain SLAAC with no DHCP at all, or prefix delegation (prefix-delegation pool [name] in the pool) to hand whole prefixes to downstream routers.
6.6 - Configure and verify IPv4 Network Address Translation (NAT):
3 Types of NAT:
Static NAT: maps one inside (private) address to one outside (public) address permanently, in both directions, with ip nat inside source static [inside] [outside]; this is what exposes an internal server.
Dynamic NAT: draws the public address from a pool (ip nat pool) for each private address that needs a translation; hosts get no translation once the pool is exhausted.
Port Address Translation (NAT overload): lets many private addresses share one public address by keeping a table keyed on the translated source port number for each session (ip nat inside source list [ACL] interface [interface] overload).
6.7 - Describe IPv6 NAT:
NAT64:
Translates between IPv6 and IPv4 so an IPv6-only host can reach an IPv4-only host (and, with static mappings, the reverse). Stateful NAT64 keeps a translation table like IPv4 PAT; stateless NAT64 relies on IPv4-translatable IPv6 addresses. It is usually paired with DNS64, which synthesizes AAAA records for names that only have an A record.
NPTv6:
Network Prefix Translation (RFC 6296) rewrites only the prefix part of an IPv6 address, one-to-one and stateless, so an internal (for example ULA) prefix can be swapped for a global one (think of a 1:1 prefix version of IPv4 NAT). It is not a security boundary: every inside address stays reachable once the mapping is known, so filtering still has to be done with ACLs.
6.8 - Describe SLA architecture:
IP SLA (Cisco IOS IP Service Level Agreements) lets you measure the performance and behavior of your network by having the router send synthetic probes and record the results (reachability, round-trip time, jitter, packet loss).
It can be used with the following operations:
ICMP for echo and jitter
RTP for Voip
TCP connection
UDP for echo and jitter
DNS
DHCP
HTTP
FTP
6.9 - Configure and verify IP SLA:
Configuration and Verification:
Create the IP SLA operation with the ip sla [#] command.
Define the operation type, for example icmp-echo [destination IP | hostname] {source-ip [IP address | hostname] | source-interface [interface]}.
Define a non-default probe interval, if needed, with frequency [seconds].
Schedule the operation with ip sla schedule [#] life {forever | seconds} start-time {now | hh:mm[:ss] [month day | day month]}.
Verify with show ip sla configuration [#] and show ip sla statistics [#].
6.10 - Configure and verify tracking objects:
You can track an SLA operation to influence routing; the configuration and verification are as follows:
Create the tracking object with track [#] ip sla [#] {state | reachability} (reachability tolerates an occasional timeout, state follows the operation's return code exactly).
Optionally dampen flapping with delay down [seconds] up [seconds] under the track object.
Tie a static route to it with ip route [network] [mask] [next-hop | interface] track [#]; the route is withdrawn from the routing table while the tracked object is down, so a less-preferred route (or a floating static with a higher administrative distance) takes over.
Verify with show track [#] and show ip route.
6.11 - Configure and verify Cisco NetFlow:
NetFlow records who talked to whom (source and destination addresses, ports, protocol, packet and byte counts) and exports those records, so you can see what consumes bandwidth, find the top talkers, and spot scans, exfiltration and unexpected protocols. It is metadata only; no payload is captured.
Configuration:
ip flow ingress on every interface whose traffic should be accounted (ip flow egress also exists).
ip flow-export version {5 | 9} (v9 is template-based and required for IPv6 records).
ip flow-export destination [IP] [UDP port] (the export is unauthenticated UDP, so keep the collector on the management network).
ip flow-export source [interface].
ip flow-top-talkers, then top [n] and sort-by {bytes | packets}, which must exist before show ip flow top-talkers returns anything.
Verification: show ip cache flow (the current flow table), show ip flow export (export statistics and errors), show ip flow top-talkers.