IT-FSB Advanced - Noodlez.org Courses PDF...As this external route moves through the OSPF topology,...

CECOM LCMC IT Training - Engineering Field Support
IT-FSB Advanced Routing
STUDENT GUIDE WIN-T Inc 1
Version 08.05.20
Property of the United States Government CECOM LCMC Logistics Readiness Center


Table of Contents
Chapter 1 OSPF - Open Shortest Path First Multi-Area Operation
Chapter 2 EIGRP - Enhanced Interior Gateway Routing Protocol
Chapter 3 BGP - Border Gateway Protocol
Chapter 4 Default Routing
Chapter 5 DMVPN - Dynamic Multi-Point Virtual Private Networks



OSPF (Open Shortest Path First) Multi-Area Operation



OSPF Hierarchical Routing

[Slide diagram: Area 1 and Area 2 each attach to Area 0 inside one Autonomous System.]

• Consists of areas within an autonomous system
• Minimizes routing update traffic

Area – An area is a grouping of contiguous OSPF networks and hosts. OSPF areas are logical subdivisions of an OSPF autonomous system. The topology of each area is invisible to entities in other areas, and each area maintains its own topological database.

Autonomous System – OSPF autonomous systems are the largest entity within an OSPF internetwork. They consist of a collection of networks that are under a common administration and share a common routing strategy. An autonomous system, sometimes called a domain, is logically subdivided into multiple areas.

The hierarchical topology of OSPF has several important benefits. Because the topology of an area is hidden from the rest of the autonomous system, routing update traffic can be reduced through route summarization, and the topological databases and SPF trees remain manageable and more efficient.

Within each autonomous system, a central area must be defined as area 0. All other areas are connected off this central, or backbone, area. Area 0 is also a transit area: all other areas communicate through it, and the OSPF backbone distributes routing information between OSPF areas. The OSPF backbone has all the properties of a normal OSPF area; backbone routers maintain OSPF routing information using the same procedures and algorithms as internal routers. The backbone topology is invisible to routers in other areas, while the topologies of individual areas are invisible to backbone routers.


The Link-State Database

• Each router within an area has the exact same database (convergence)
• The database contains the information needed to construct the entire network topology

Each router maintains link-state records including information about each of its interfaces and reachable neighbors. Through flooding, each router distributes its state to all other routers in the area/autonomous system. As a result, each router possesses an identical database describing the area/autonomous system. All routers run the SPF algorithm in parallel. Using the link-state database, each router then constructs a tree of the shortest paths with itself as the root. Each destination within the AS is contained within the SPF tree. OSPF routers in the same area have the same link-state database and run the same OSPF algorithm with themselves as the root. The records in this database are used by the SPF algorithm to determine the network topology and to compute the shortest path to a destination. The characteristics of the link-state database are as follows:

• All routers belonging to the same area have identical databases.
• Route calculation using SPF is performed separately for each area.
• LSA flooding is contained within the area that experienced the change.
• The link-state database is composed of the five LSA types covered in this chapter (types 1 through 5).
• A router has a separate database for each area to which it belongs.


Link State Advertisement (LSA)

[Slide diagram: a router whose e0/0 interface goes down sends an LSA ("e0/0 is down") out s0/0 to its neighbor. LSA = Routing Update. The full LSA database is exchanged while the neighbor is being established; afterwards only changes are sent.]

• The current LSA DB is exchanged between routers during neighbor establishment
• Only changes to the DB are exchanged thereafter

Link State Advertisement (LSA): an OSPF packet containing source, destination and routing information, advertised to all OSPF routers in a hierarchical area. A link is any type of directly connected network on an OSPF router. The state is the condition of the link, whether it is up or down. An advertisement is the method OSPF uses to provide information to other routers. Link State Advertisements are the packets OSPF uses to advertise changes in the condition of a specific link to other routers. LSAs are the building blocks of the OSPF database. Individually they act as database records; in combination, they describe the entire OSPF topology.

OSPF is a link-state protocol that uses a least-cost algorithm to calculate the best path to each network destination. Once an OSPF-speaking router forms an adjacency with a neighbor, it generates a link-state update and floods this packet into the network. Each update packet contains one or more link-state advertisements (LSAs), which carry the information the local router is injecting into the network. Each LSA type encodes particular data from the viewpoint of the local router. During initial neighbor discovery/establishment, OSPF routers exchange databases. From this point on only changes to the database are exchanged between neighbors. Individual LSAs are still periodically resent by the originating router, though. This is referred to as an LSA refresh and by default happens every 30 minutes. The max age for an LSA is 60 minutes, meaning that if an LSA has not been updated or refreshed within a 60-minute period, it is deleted from the database.


Types of Link-State Updates

Routing Table Codes
O - OSPF Derived Intra-Area (Type 1 Router LSA)
O - OSPF Derived Intra-Area (Type 2 Network LSA)
IA - Inter-Area (Type 3 & 4 Summary LSA)
E1 - Type 1 External Route (Type 5 AS Ext Link)
E2 - Type 2 External Route (Type 5 AS Ext Link)

[Slide diagram: Area 1 and Area 0 joined by an ABR. Router (1) LSAs and the DR's Network (2) LSAs stay inside their area, the ABR generates Summary (3) and Summary (4) LSAs, and External (5) LSAs enter from the ASBR attached to the external AS.]

There are several factors that determine the type of LSA generated by a router: the type of router (internal, ABR, ASBR) generating the LSA, its location in the topology, the location within the topology of the network information contained in the LSA, etc. The following are the definitions for each LSA type:

Type 1 (Router): Generated by each router for each area to which it belongs. They describe the states of the router's directly connected links to the area. These are only flooded within a particular area.

Type 2 (Network): Generated by designated routers (DR). They describe the set of routers attached to a particular broadcast network. This type of LSA is flooded only in the area that contains the network.

Type 3 & 4 (Summary): Generated by ABRs. They describe inter-area routes. They are flooded throughout the advertisement's associated area. Type 3 describes routes to networks and is also used for aggregating routes. Type 4 describes routes to ASBRs.

Type 5 (External): Originated by ASBRs. They describe routes to destinations external to the AS. Flooded throughout the AS except into stub areas.


Processing LSAs

[Slide flowchart. Recoverable decision steps: an LSA arrives in an LSU. Is the entry in the link-state database? If no: add to database, flood the LSA, send an LSAck to the neighbor, run SPF to calculate the new routing table, end. If yes: is the sequence number the same? If yes: ignore the LSA, send an LSAck to the neighbor, end. If no: is the sequence number newer? If yes: add to database and continue as for a new entry (Goto A). If no: send an LSU with the newer information back to the source, end.]

LSAs are handled in a very efficient manner between the source router (attached to the link) and the nearest neighboring router. The incoming LSA is checked against existing entries in the topological database. Each database entry has a sequence number (also called a version number), and only the largest number (indicating the most recent record) is kept. If the entries are identical, then there is no need to forward the LSA to other routers. If the incoming LSA is different from the topological database, then the database is updated and the LSA is forwarded through the network until all databases are synchronized. Associating sequence numbers with LSAs contributes to the efficiency of link-state routing technology.
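The decision flow above (new entry, duplicate, newer instance, stale instance) as an added example written for this page; it is not code from the course or from any router vendor. It models the LSDB as a dictionary keyed by LSA type, Link State ID and advertising router, which is how OSPF identifies an LSA; the field names, the action labels and the sequence-number values in the demo are assumptions. One detail the flowchart hides: LS sequence numbers are signed 32-bit values that start at 0x80000001 (RFC 2328 section 12.1.6), so the "is it newer?" test must compare them as signed integers, not as the raw hex shown in `show ip ospf database`.

```python
import dataclasses

# Added example: simplified model of the "Processing LSAs" flow. Not course or
# vendor code; field names and action labels are illustration-only assumptions.

# LS sequence numbers are signed 32-bit integers: InitialSequenceNumber is
# 0x80000001 (the most negative value) and the largest is 0x7FFFFFFF. Comparing
# them as unsigned integers gets the order backwards.
INITIAL_SEQ = 0x80000001
MAX_SEQ = 0x7FFFFFFF


def signed_seq(seq: int) -> int:
    """Interpret a 32-bit LS sequence number as a signed integer."""
    return int.from_bytes((seq & 0xFFFFFFFF).to_bytes(4, "big"), "big", signed=True)


@dataclasses.dataclass(frozen=True)
class Lsa:
    ls_type: int       # 1 = router, 2 = network, 3/4 = summary, 5 = external
    link_id: str
    adv_router: str
    seq: int           # LS sequence number as carried in the LSA header

    @property
    def key(self):
        # An LSA is identified by type, Link State ID and advertising router.
        return (self.ls_type, self.link_id, self.adv_router)


class LinkStateDatabase:
    """Holds the newest instance of each LSA, keyed like the real LSDB."""

    def __init__(self):
        self.entries = {}
        self.spf_runs = 0

    def receive(self, lsa: Lsa, neighbor: str) -> list:
        """Process an LSA arriving from `neighbor`; return the actions taken."""
        current = self.entries.get(lsa.key)
        if current is None:
            # Not in the database: install, flood on, acknowledge, recompute SPF.
            self.entries[lsa.key] = lsa
            self.spf_runs += 1
            return ["add to database", "flood LSA", f"send LSAck to {neighbor}", "run SPF"]
        if lsa.seq == current.seq:
            # Same instance already held: nothing to install, only acknowledge.
            return ["ignore LSA", f"send LSAck to {neighbor}"]
        if signed_seq(lsa.seq) > signed_seq(current.seq):
            # Newer instance: replace the entry and keep flooding.
            self.entries[lsa.key] = lsa
            self.spf_runs += 1
            return ["add to database", "flood LSA", f"send LSAck to {neighbor}", "run SPF"]
        # Our copy is newer: the neighbor is stale, so send it our instance.
        return [f"send LSU with newer instance to {neighbor}"]


def demo() -> list:
    """Constructed arrivals of one Router LSA (sequence values are made up)."""
    db = LinkStateDatabase()
    base = dict(ls_type=1, link_id="148.43.200.8", adv_router="148.43.200.8")
    return [
        db.receive(Lsa(seq=0x80000003, **base), "148.43.200.3"),  # first copy
        db.receive(Lsa(seq=0x80000003, **base), "148.43.200.2"),  # duplicate via another neighbor
        db.receive(Lsa(seq=0x80000004, **base), "148.43.200.3"),  # refresh or change
        db.receive(Lsa(seq=0x80000002, **base), "148.43.200.2"),  # stale copy
    ]


if __name__ == "__main__":
    for actions in demo():
        print(actions)
```

Because acceptance is decided by the sequence number alone, any router in the area that floods an instance with a higher number replaces the installed copy everywhere; this is why RFC 2328 section 13.4 has the real originator answer a newer self-originated instance with one of its own, and why the LSU sent back to a stale neighbor matters for convergence.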


External LSA – Type E1 & E2 Routes

[Slide diagram: routes learned from BGP are redistributed into OSPF and advertised as an external (Ext) LSA.]

    router ospf 100
     redistribute bgp 1 subnets
     network 148.43.0.0 0.0.255.255 area 0

    148.43.0.0/16 is variably subnetted ...
    O     148.43.200.64/28  ... Serial0/0
    O E2  148.43.200.248/29 ... Serial0/0

• Type 5 LSAs (External) are derived from information being redistributed into OSPF from another routing information source
• Type 5 LSAs are listed in the routing table as O E1 or O E2 routes

Type 5 External LSAs are generated from routing information that is redistributed into OSPF from another routing information source. Routing information sources are identified by the codes listed in the routing table: connected, static, or a routing protocol. Redistribution is configured on the router as shown above. In this example, routing information learned via BGP is redistributed into OSPF. Once redistribution is configured, the OSPF router becomes an ASBR. The redistributed information is stored in the database as type 5 LSAs and sent to neighboring routers as type 5 LSAs.


OSPF External Routes

• OSPF has two types of external routes: E1 & E2

• E2 routes use only the external cost (the initial cost assigned during the redistribution process). The internal cost is not added as the route traverses the OSPF topology.

• E1 routes take into account the external and internal cost.

• By default, when routes are redistributed into OSPF they are E2.

• The default metric for external routes (E1 or E2) is 20 except BGP which is 1

OSPF has two types of external routes: E1 & E2. The difference between the two is how the metric (cost) is calculated. An E2 route only utilizes the default or seed metric applied during the redistribution process. As this external route moves through the OSPF topology, the internal cost is not applied. Regardless of where the route is located within the topology, it will only have the seed metric applied. An E1 route on the other hand utilizes both the seed metric (external) and the internal cost. As the route moves through the OSPF topology, the cost is calculated and applied. By default, routes redistributed into OSPF are E2. Both types have a default metric of 20 unless the source is BGP in which case the default metric is 1. As a general rule, if there is only one ASBR, then redistribute the routes as E2. If there are multiple ASBRs, then redistribute them as E1.
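The E1/E2 path-selection rule as an added example written for this page, not code from the course or from IOS. It follows RFC 2328 section 16.4: for E2 routes the external (seed) cost is compared first and this router's internal cost to the ASBR only breaks ties; for E1 routes the sum of the two is compared. The two-ASBR scenario, its seed metrics and the internal costs are constructed to show why the "multiple ASBRs, use E1" rule above exists.

```python
# Added example: choosing between two ASBRs advertising the same external
# prefix. Illustration for this page, not IOS code; topology is constructed.


def route_cost(seed: int, internal: int, metric_type: int) -> int:
    """Metric the routing table shows for one candidate path."""
    if metric_type == 1:
        return seed + internal      # E1: seed plus internal path cost
    if metric_type == 2:
        return seed                 # E2: seed only, internal cost ignored
    raise ValueError("metric_type must be 1 or 2")


def best_external(candidates: list, metric_type: int) -> dict:
    """Pick the preferred path to an external prefix.

    candidates: list of {"asbr": str, "seed": int, "internal": int}, where
    `internal` is this router's intra/inter-area cost to reach that ASBR.
    Returns the winner with the routing-table code and metric added.
    """
    if metric_type == 1:
        # E1: compare the total cost.
        key = lambda c: (c["seed"] + c["internal"],)
    else:
        # E2: compare the seed metric; internal cost is only a tie-breaker.
        key = lambda c: (c["seed"], c["internal"])
    best = min(candidates, key=key)
    return dict(best, code=f"O E{metric_type}",
                metric=route_cost(best["seed"], best["internal"], metric_type))


# Constructed scenario: 148.17.0.0/16 is redistributed by two ASBRs.
# ASBR 148.43.200.7 is far away (internal cost 100) but kept the default seed of 20;
# ASBR 148.43.200.4 is close (internal cost 5) but was given a seed metric of 30.
CANDIDATES = [
    {"asbr": "148.43.200.7", "seed": 20, "internal": 100},
    {"asbr": "148.43.200.4", "seed": 30, "internal": 5},
]

if __name__ == "__main__":
    for metric_type in (2, 1):
        r = best_external(CANDIDATES, metric_type)
        print(f"{r['code']} 148.17.0.0/16 [110/{r['metric']}] via ASBR {r['asbr']}")
```

With E2 the router sends traffic across the whole topology to the far ASBR because 20 beats 30 regardless of distance; with E1 the close ASBR wins at 35 against 120. Redistributing with a consistent seed on every ASBR, or using E1, keeps the choice tied to the actual path.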


Show IP OSPF Database

    OSPF Router with ID (148.43.200.2) (Process ID 100)

    Router Link States (Area 1)
    Link ID         ADV Router      Age   Seq#        Checksum  Link count
    148.43.200.2    148.43.200.2    573   0x80000003  0x004DA7  6
    148.43.200.3    148.43.200.3    572   0x80000003  0x000AB5  2
    148.43.200.8    148.43.200.8    573   0x80000003  0x001BA3  2

    Summary Net Link States (Area 1)
    Link ID         ADV Router      Age   Seq#        Checksum
    148.43.200.112  148.43.200.8    562   0x80000001  0x00E917
    148.43.200.128  148.43.200.3    572   0x80000001  0x00E451
    148.43.200.144  148.43.200.8    562   0x80000001  0x00A3BD

    Summary ASB Link States (Area 1)
    Link ID         ADV Router      Age   Seq#        Checksum
    148.43.200.7    148.43.200.3    572   0x80000001  0x00637D
    148.43.200.7    148.43.200.8    564   0x80000001  0x004596

    Type-5 AS External Link States
    Link ID         ADV Router      Age   Seq#        Checksum  Tag
    148.17.0.0      148.43.200.7    591   0x80000001  0x005516  0
    148.18.0.0      148.43.200.7    591   0x80000001  0x004921  0

The show ip ospf database command is used to view the OSPF link-state (topology) database. Each LSA gets an entry in this database, organized by area and by LSA type. The output has six columns:

1) Link ID: the router ID (LSA types 1 & 4), the destination network number (LSA types 3 & 5), or the IP address of the DR's interface (LSA type 2).
2) ADV Router: router ID of the advertising router.
3) Age: age of the LSA in seconds.
4) Seq#: sequence number, used to determine whether LSA updates are newer, older or duplicates.
5) Checksum: used for error detection.
6) Link count: the number of interfaces or links in an area, only shown for Router Link States; OSPF adds a "stub link" for each point-to-point interface.

Note: the show ip ospf database command does not show all information contained within the database. There is no single show command that shows all information in the database. There are several extensions to the show ip ospf command; by utilizing each of these extensions individually, it is possible to view the different parts that make up the database.


Show IP OSPF Database Router (Type 1)

    Routing Bit Set on this LSA
    LS age: 1385
    Options: (No TOS-capability, DC)
    LS Type: Router Links
    Link State ID: 148.43.200.8
    Advertising Router: 148.43.200.8
    LS Seq Number: 8000000F
    Checksum: 0xF1C9
    Length: 84
    Area Border Router
    Number of Links: 5

(continued on next slide)

A type 1 LSA is also referred to as a Router LSA. Each router within an area generates a Router LSA, and it describes each of the router's directly connected network interfaces. Router LSAs are flooded throughout the area from which they originate. When OSPF routers within an area build the topology of that area, they utilize router LSAs. Below are the definitions of the fields in the header of a router LSA:

LS Age: age in seconds of the LSA
LS Type: type of LSA (router, summary, external)
Link State ID: the originating router's router ID
Advertising Router: advertising router's router ID
LS Seq Number: link state sequence number; used for tracking LSAs
Checksum: checksum of the LSA packet
Length: number of bytes in the LSA
Area Border Router: lists the type of router (the example shows an ABR)
Number of Links: number of active links on the router within a particular area; OSPF builds an additional stub link for each point-to-point link identifying the subnet on which that point-to-point link resides.


Show IP OSPF Database Router (cont'd)

    Link connected to: a Transit Network
     (Link ID) Designated Router address: 148.43.200.193
     (Link Data) Router Interface address: 148.43.200.195
      Number of TOS metrics: 0
       TOS 0 Metrics: 1

    Link connected to: a Stub Network
     (Link ID) Network/subnet number: 148.43.200.48
     (Link Data) Network Mask: 255.255.255.240
      Number of TOS metrics: 0
       TOS 0 Metrics: 1

    Link connected to: another Router (point-to-point)
     (Link ID) Neighboring Router ID: 148.43.200.7
     (Link Data) Router Interface address: 148.43.200.17
      Number of TOS metrics: 0
       TOS 0 Metrics: 64

    Link connected to: a Stub Network
     (Link ID) Network/subnet number: 148.43.200.16
     (Link Data) Network Mask: 255.255.255.252
      Number of TOS metrics: 0
       TOS 0 Metrics: 64

Link connected to field: there are four possible types of links identified by router LSAs:

1. Point-to-Point: a link that interconnects two routers, such as a serial link.
   • Link ID: neighbor router's router ID
   • Link Data: address of the local router's interface directly connected to the neighbor
2. Transit Network: a multi-access network (such as Ethernet) interconnecting routers.
   • Link ID: designated router address
   • Link Data: address of the local router's interface directly connected to the network
3. Stub Network: a dead-end link that has only one router attached.
   • Link ID: network IP address of the subnet
   • Link Data: the subnet mask of the network
4. Virtual Link: identifies a virtual link configured between two routers.
   • Link ID: neighbor router's router ID
   • Link Data: address of the local router's interface utilized for the virtual link

Also listed with each of the above link types is the metric, or cost, associated with that network (interface). When utilizing IP Unnumbered, point-to-point link entries do not list the local router's interface IP address; the Link Data field instead carries the SNMP MIB-II ifIndex value of that interface. OSPF does not add a stub network entry for unnumbered point-to-point links.
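A parser for the "Link connected to" entries of `show ip ospf database router`, as an added example written for this page (not course or Cisco code). It assumes the IOS text layout reproduced above, one field per line, and the sample input is the four link entries shown for router 148.43.200.8. Stub entries (network plus mask) are turned into CIDR prefixes, and non-stub entries are returned as the neighbors the SPF calculation would walk; an unnumbered point-to-point link would show up with an ifIndex in Link Data and no matching stub entry, which is the case described in the last paragraph.

```python
import ipaddress
import re

# Added example: parse the per-link section of a Router LSA as printed by IOS.
# Written for this page; assumes the one-field-per-line layout shown above.

LINK_TYPES = {
    "another Router (point-to-point)": "point-to-point",
    "a Transit Network": "transit",
    "a Stub Network": "stub",
    "a Virtual Link": "virtual",
}

_RE_LINK = re.compile(r"Link connected to:\s*(.+?)\s*$")
_RE_ID = re.compile(r"\(Link ID\)\s*[^:]+:\s*(\S+)")
_RE_DATA = re.compile(r"\(Link Data\)\s*[^:]+:\s*(\S+)")
_RE_METRIC = re.compile(r"TOS 0 Metrics:\s*(\d+)")


def parse_router_lsa_links(text: str) -> list:
    """Return one dict per link: type, link_id, link_data, metric."""
    links = []
    for raw in text.splitlines():
        line = raw.strip()
        m = _RE_LINK.match(line)
        if m:
            # A new "Link connected to" line starts a new record.
            links.append({"type": LINK_TYPES.get(m.group(1), m.group(1)),
                          "link_id": None, "link_data": None, "metric": None})
            continue
        if not links:
            continue  # header lines before the first link entry
        for rx, field in ((_RE_ID, "link_id"), (_RE_DATA, "link_data")):
            m = rx.match(line)
            if m:
                links[-1][field] = m.group(1)
        m = _RE_METRIC.match(line)
        if m:
            links[-1]["metric"] = int(m.group(1))
    return links


def stub_prefixes(links: list) -> list:
    """Stub links carry network + mask in Link ID / Link Data; make them CIDR."""
    return [str(ipaddress.ip_network(f'{l["link_id"]}/{l["link_data"]}', strict=True))
            for l in links if l["type"] == "stub"]


def neighbors(links: list) -> list:
    """(type, Link ID, cost) for every non-stub link: p2p/virtual neighbors and transit DRs."""
    return [(l["type"], l["link_id"], l["metric"]) for l in links if l["type"] != "stub"]


# Sample input: the four link entries shown on this page for router 148.43.200.8.
SAMPLE = """\
Link connected to: a Transit Network
 (Link ID) Designated Router address: 148.43.200.193
 (Link Data) Router Interface address: 148.43.200.195
  Number of TOS metrics: 0
   TOS 0 Metrics: 1

Link connected to: a Stub Network
 (Link ID) Network/subnet number: 148.43.200.48
 (Link Data) Network Mask: 255.255.255.240
  Number of TOS metrics: 0
   TOS 0 Metrics: 1

Link connected to: another Router (point-to-point)
 (Link ID) Neighboring Router ID: 148.43.200.7
 (Link Data) Router Interface address: 148.43.200.17
  Number of TOS metrics: 0
   TOS 0 Metrics: 64

Link connected to: a Stub Network
 (Link ID) Network/subnet number: 148.43.200.16
 (Link Data) Network Mask: 255.255.255.252
  Number of TOS metrics: 0
   TOS 0 Metrics: 64
"""

if __name__ == "__main__":
    parsed = parse_router_lsa_links(SAMPLE)
    for link in parsed:
        print(link)
    print("stub prefixes:", stub_prefixes(parsed))
    print("neighbors:", neighbors(parsed))
```

Diffing the stub prefixes and neighbor list of each Router LSA against what an area is supposed to contain is a quick way to spot a link that was put in the wrong area or a subnet that appeared in the database without anyone configuring it.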


IP OSPF Database Summary (Type 3)

Routing Bit Set on this LSA

LS age: 1653

Options: (No TOS-capability, DC, Upward)

LS Type: Summary Links(Network)

Link State ID: 148.43.200.64 (summary Network Number)

Advertising Router: 148.43.200.3

LS Seq Number: 8000000F

Checksum: 0xC8DF

Length: 28

Network Mask: /28

TOS: 0 Metric: 65

A type 3 LSA is also referred to as a Summary LSA and is generated by an ABR. Summary LSAs advertise networks residing in a specific area to all other areas within the OSPF domain (inter-area networks). Route summarization is not automatic in OSPF and must be manually configured on the ABR. ABRs flood summary LSAs regardless of whether the routes listed in the LSAs are summarized. Below are the definitions of the fields in a summary LSA:

LS Age: age in seconds of the LSA
LS Type: type of LSA (router, summary, external)
Link State ID: advertised network (subnet)
Advertising Router: advertising router's router ID; this is the ABR, not necessarily the owner of the network
LS Seq Number: link state sequence number; used for tracking LSAs
Checksum: checksum of the LSA packet
Length: number of bytes in the LSA
Network Mask: subnet mask of the advertised network (subnet)
Metric: metric or cost associated with this network from the advertising router's perspective


IP OSPF Database External (Type 5)

    Routing Bit Set on this LSA
    LS age: 426
    Options: (No TOS-capability, DC)
    LS Type: AS External Link
    Link State ID: 148.17.0.0 (External Network Number)
    Advertising Router: 148.43.200.7
    LS Seq Number: 80000002
    Checksum: 0x5317
    Length: 36
    Network Mask: /24
    Metric Type: 2 (Larger than any link state path)
    TOS: 0
    Metric: 20
    Forward Address: 0.0.0.0
    External Route Tag: 0

LS Age: age in seconds of the LSA
LS Type: LSA type
Link State ID: IP address of the external network
Advertising Router: router ID of the ASBR that advertised this external route
LS Seq Number: link state sequence number; used for tracking LSAs
Checksum: checksum of the LSA packet
Length: length in bytes of the LSA
Network Mask: network/subnet mask of the network in the Link State ID
Metric Type: identifies the route as OSPF external type 1 or 2
Metric: metric or cost associated with this network
Forward Address: data traffic for the advertised destination will be forwarded to this address. If the forwarding address is set to 0.0.0.0, data traffic will be forwarded to the originator of the advertisement (the ASBR).
External Route Tag: a 32-bit field attached to each external route. It is not used by the OSPF protocol itself but can be used in conjunction with route maps to manipulate an OSPF external route.


OSPF Point to Point Unnumbered Network

[Lab diagram. Routers 1 through 7, each with a FastEthernet f0/0 LAN interface (148.43.200.49/28, 148.43.200.65/28, 148.43.200.81/28, 148.43.200.97/28, 148.43.200.113/28, 148.43.200.129/28, 148.43.200.145/28) and a loopback 148.43.200.n/32 on router n. The four ABRs carry a second loopback; the diagram pairs 148.43.200.1 with .8, 148.43.200.3 with .9, 148.43.200.4 with .10 and 148.43.200.6 with .11. Serial links (s0/0, s0/1, s1/0, s1/1) are unnumbered and are placed in Area 0, Area 1 and Area 2 as drawn.]

The following two labs are the same except that one utilizes unnumbered links and the other numbered links. One or the other or both labs can be done (time permitting). Regardless, one of the labs' router configuration files must be saved to a TFTP server for use later in this chapter. Install the network above. Use the "show int xx", "show ip int brief", "show run" and "show ip route" commands to assist in troubleshooting. Once all networks are in everyone's routing table, the installation is complete. Note that the serial interfaces are to be configured as unnumbered. Two loopback addresses have been assigned to each ABR: for the purposes of configuring multiple areas, serials in different areas have to reference different loopback addresses.


OSPF Point to Point Numbered Network

[Lab diagram. Routers 1 through 7, each with a FastEthernet f0/0 LAN interface (148.43.200.49/28, 148.43.200.65/28, 148.43.200.81/28, 148.43.200.97/28, 148.43.200.113/28, 148.43.200.129/28, 148.43.200.145/28) and a loopback 148.43.200.n/32 on router n. Serial links use the /30 subnets 148.43.200.16/30, .20/30, .24/30, .28/30, .32/30, .36/30, .40/30 and .44/30, with the two ends addressed .17/.18, .21/.22, .25/.26, .29/.30, .33/.34, .37/.38, .41/.42 and .45/.46 on s0/0, s0/1, s1/0 and s1/1 interfaces. Links are placed in Area 0, Area 1 and Area 2 as drawn.]

Install network above. Use the “show int xx”, “show ip int brief”, “show run”, & “show ip route” commands to assist in troubleshooting. Once all networks are in everyone’s routing table, the installation is complete.


OSPF Point to Point Numbered Network (area 2 without a backbone connection)

[Lab diagram. Same routers and addressing as the previous lab (f0/0 LANs 148.43.200.49/28 through 148.43.200.145/28, loopback 148.43.200.n/32 on router n, serial /30 subnets 148.43.200.16/30 through 148.43.200.44/30 addressed .17/.18 through .45/.46), plus an e0/1 link 148.43.200.224/30 (.225/.226). The serial links are placed in Area 1; the 148.43.200.32/30 link between routers 2 and 5 is in Area 2, and there is no Area 0.]

Install the network above. Use the "show int xx", "show ip int brief", "show run" and "show ip route" commands to assist in troubleshooting. Once all networks are in everyone's routing table, the installation is complete. Note that in this lab area 2 is not connected to area 0. Once the network is built, verify that all routers except 2 & 5 do not have network 148.43.200.32 in their routing table. Once this is complete, define area 0 on one of the serial links connected to router 2 or 5. Network 148.43.200.32 should now be in everyone's routing table.


Route Summarization

• Minimizes the number of routing table & database entries
• Localizes the impact of a topology change – flooded only in the originating area
• Directly affects the amount of bandwidth, CPU, & memory resources consumed by the OSPF process

[Slide diagram: Area 1, Area 2 and Area 3 attach to the Area 0 backbone through ABRs; summarization is applied at the ABRs toward the backbone.]

Summarizing is the consolidation of multiple routes into one single advertisement. Proper summarization requires contiguous addressing. Route summarization directly affects the amount of bandwidth, CPU, and memory resources consumed by the OSPF process. With summarization, if a network link fails, the topology change will not be propagated into the backbone (and other areas by way of the backbone). As such, flooding outside the area will not occur, so routers outside of the area with the topology change will not have to run the SPF algorithm (also called the Dijkstra algorithm after the computer scientist who invented it). Running the SPF algorithm is a CPU-intensive activity. There are two types of summarization:

• Inter-area route summarization - Inter-area route summarization is done on ABRs and applies to routes from within the autonomous system. It does not apply to external routes injected into OSPF via redistribution. In order to take advantage of summarization, network numbers in areas should be assigned in a contiguous way so as to be able to consolidate these addresses into one range. This graphic illustrates inter-area summarization.

• External route summarization - External route summarization is specific to external routes that are injected into OSPF via redistribution. Here again, it is important to ensure that external address ranges that are being summarized are contiguous. Summarization overlapping ranges from two different routers could cause packets to be sent to the wrong destination.


Route Summarization (cont.)

• Inter-area (IA) summary link carries the summarized mask
• One entry can represent several subnets
• Summarization should take place towards the backbone (area 0)

[Slide diagram: routers A, B and C; B is the ABR between Area 1 and Area 0 and summarizes toward C.]

Routing table for B:
    O 131.108.8.0  255.255.252.0
    O 131.108.12.0 255.255.252.0
    O 131.108.16.0 255.255.252.0
    O 131.108.20.0 255.255.252.0
    O 131.108.24.0 255.255.252.0
    O 131.108.28.0 255.255.252.0

LSAs sent to router C:
    IA 131.108.16.0 255.255.240.0
    IA 131.108.8.0  255.255.248.0

Route summarization minimizes the number of entries in the routing table and database of the receiving routers. Summarization is done on ABRs and applies to routes within the autonomous system. Although summarization could be configured between any two areas, it is better to summarize in the direction of the backbone. This way, the backbone receives all the aggregate addresses and in turn injects them, already summarized, into other areas. In order to take advantage of summarization, network numbers in areas should be assigned in a contiguous way so that these addresses can be grouped into one range. Summary routes are advertised with a mask. The mask specifies the range of addresses to be summarized into one route. Because the mask 255.255.240.0 does not use the low-order four bits of the third octet, the summary 131.108.16.0/20 covers 131.108.16.0 through 131.108.31.255, so subnets 131.108.4.0 and 131.108.8.0 cannot be summarized using this mask. Neither can subnet 131.108.12.0, because the only /20 block containing it and 131.108.8.0 is 131.108.0.0/20, the zero subnet (discussed on next slide). Even so, route summarization can represent the remaining four subnets with one advertisement, and 131.108.8.0 and 131.108.12.0 are carried together in the second, /21 (255.255.248.0) summary shown.


Summarization Cost

[Slide diagram: an ABR between Area 1 and Area 0 holds 148.43.200.0/25 at cost 391, 148.43.200.128/26 at cost 195 and 148.43.200.192/26 at cost 97 from Area 1, and advertises 148.43.200.0/24 at cost 391 into Area 0.]

    router ospf 100
     area 1 range 148.43.200.0/24

• The cost associated with the summarized route is taken from the highest-cost subnet being summarized.

OSPF RFC 1583 called for calculating the metric for summary routes based on the minimum metric of the component paths available. OSPF RFC 2178 (since obsoleted by RFC 2328) changed the specified method for calculating metrics for summary routes so that the component of the summary with the maximum (largest) cost determines the cost of the summary.

Prior to IOS 12.0, Cisco was compliant with the then-current RFC 1583. As of IOS 12.0, Cisco changed the behavior of OSPF to be compliant with the new standard, RFC 2328. This situation created the possibility of sub-optimal routing if all of the ABRs in an area were not upgraded to the new code at the same time. In order to address this potential problem, a command has been added to the OSPF configuration of Cisco IOS that allows you to selectively disable compatibility with RFC 2328. The new configuration command is entered under router ospf and has the following syntax: [no] compatible rfc1583

Page 30 (slide 27)

Configure Route Summarization

Router(config-router)#
summary-address address mask
• Consolidates external routes (inter-area) on an ASBR

Router(config-router)#
area area-id range address mask
• Consolidates IA (intra-area) routes on an ABR

The above commands are applied as part of the OSPF configuration. Area-id is the area containing the networks to be summarized. The address & mask portions of the command define the summarized range. Be aware that when utilizing this command, it is possible to advertise networks as part of the summarization that your router does not actually have in its routing table. Any single subnet to be advertised by OSPF that fits within the summarized range causes the summarized address to be advertised and the subnet to be suppressed.

Page 31 (slide 28)

Route Summarization PE

1) Configure routers for a multi-area OSPF network or TFTP config files if available.

2) Router 2 & 5 add eight sequential loopback interfaces with IP addresses for each.
- Loopback 10 - 17
- configure each interface with the command "ip ospf network point-to-point"
- Router 2 use IP 150.150.0.1, 150.150.1.1, 150.150.2.1, 150.150.3.1, 150.150.4.1, 150.150.5.1, 150.150.6.1, & 150.150.7.1; use a mask of 255.255.255.0 on all.
- Router 5 use IP 150.150.8.1, 150.150.9.1, 150.150.10.1, 150.150.11.1, 150.150.12.1, 150.150.13.1, 150.150.14.1, 150.150.15.1; use a mask of 255.255.255.0 on all.
- add network statement of 150.150.0.0 0.0.255.255 area 1 or 2 under OSPF.

3) All routers do sho ip route; loopback addresses from routers 2 & 5 should be in routing table. Also examine the OSPF database for the 150.150.0.0 networks.

4) Routers 1, 3, 4, & 6 are ABRs. Summarize loopback addresses there.

5) Router 7 do sho ip route; shows two summarized routes, one from each ABR.

6) On one of the ABRs in each area, change the bandwidth on a serial interface.

7) Router 7 should only show one summarized route now.

OSPF treats a loopback interface as a host. Regardless of the mask assigned to the interface, OSPF will advertise it as a /32. By configuring the interface with the command “ip ospf network point-to-point”, OSPF will advertise the assigned mask. Prior to actually configuring the OSPF route summarization, the proper address & mask values to be used within the command must be calculated. Note that routers performing summarization do not actually see the effects of it. Which router(s) see the full effects of the summarization taking place within the OSPF topology?
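The range calculation the PE asks for, together with the summary-cost rule from the Summarization Cost slide, worked through in Python. This is an added example, not code from the course or from Cisco; it relies only on the standard ipaddress module. SLIDE_AREA1 and its costs come from the slide and the Router 2 / Router 5 loopbacks from step 2 above; the seven-loopback case (R2_SHORT) and all function names are constructed, the former to show the over-advertisement warning from the Configure Route Summarization slide.

```python
import ipaddress

# Slide figures: the three Area 1 subnets behind the ABR and the cost of each.
SLIDE_AREA1 = [ipaddress.ip_network(p) for p in
               ("148.43.200.0/25", "148.43.200.128/26", "148.43.200.192/26")]
SLIDE_COSTS = [391, 195, 97]


def networks_from_interfaces(addresses, mask):
    """Interface address + mask (as typed on the loopbacks) to the subnet OSPF advertises
    once "ip ospf network point-to-point" makes it honour the mask instead of /32."""
    return [ipaddress.ip_interface(f"{a}/{mask}").network for a in addresses]


# PE step 2: Router 2's and Router 5's loopbacks. R2_SHORT is constructed (only seven brought up).
R2_LOOPBACKS = networks_from_interfaces([f"150.150.{i}.1" for i in range(0, 8)], "255.255.255.0")
R5_LOOPBACKS = networks_from_interfaces([f"150.150.{i}.1" for i in range(8, 16)], "255.255.255.0")
R2_SHORT = networks_from_interfaces([f"150.150.{i}.1" for i in range(0, 7)], "255.255.255.0")


def smallest_summary(networks):
    """Smallest single prefix covering every component: the address/mask for "area <id> range"."""
    candidate = networks[0]
    while not all(n.subnet_of(candidate) for n in networks):
        candidate = candidate.supernet()
    return candidate


def uncovered(summary, networks):
    """Space the summary advertises that no component subnet covers. Non-empty means the ABR
    will draw traffic for networks it does not have (the warning on the configuration slide)."""
    remaining = [summary]
    for n in networks:
        nxt = []
        for r in remaining:
            if n.subnet_of(r):
                nxt.extend(r.address_exclude(n))   # carve this component out of the hole
            elif not r.subnet_of(n):
                nxt.append(r)                       # untouched by this component
        remaining = nxt
    return sorted(ipaddress.collapse_addresses(remaining))


def summary_cost(component_costs, rfc1583_compatible=False):
    """RFC 2328 (IOS 12.0 and later): the highest component cost. With "compatible rfc1583"
    configured, the older RFC 1583 rule applies: the lowest component cost."""
    return min(component_costs) if rfc1583_compatible else max(component_costs)


def plan_summary(area_id, networks, component_costs):
    """The range command to enter on the ABR plus the two facts worth checking before entering it."""
    summary = smallest_summary(networks)
    return {
        "command": f"area {area_id} range {summary.network_address} {summary.netmask}",
        "holes": uncovered(summary, networks),
        "cost": summary_cost(component_costs),
        "cost_rfc1583": summary_cost(component_costs, rfc1583_compatible=True),
    }


if __name__ == "__main__":
    for label, nets, costs in (("slide", SLIDE_AREA1, SLIDE_COSTS),
                               ("router 2", R2_LOOPBACKS, [1] * 8),
                               ("router 5", R5_LOOPBACKS, [1] * 8),
                               ("router 2, seven loopbacks", R2_SHORT, [1] * 7)):
        print(label, plan_summary(1, nets, costs))
```

The seven-loopback case is the one to look at: the smallest covering range is still 150.150.0.0/21, so the ABR advertises 150.150.7.0/24 that it cannot reach, exactly the situation the "be aware" sentence on the configuration slide warns about.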

Page 32 (slide 29)

Types of Areas

[Slide figure: the Backbone (Area 0) interconnects areas and accepts all LSAs; a Stub Area does not accept external LSAs; a Totally Stubby Area does not accept external or summary LSAs; an NSSA Area does not accept external LSAs but allows them to use the area as a transit system to get to the backbone, with an External AS attached to the NSSA.]

Area – Restrictions
Normal – None
Stub area – No Type 5 AS-external LSA allowed
Totally Stub area – No Type 3, 4 or 5 LSAs allowed except the default summary route
NSSA – No Type 5 AS-external LSAs allowed, but Type 7 LSAs that convert to Type 5 at the NSSA ABR can traverse
NSSA Totally Stub area – No Type 3, 4 or 5 LSAs except the default summary route, but Type 7 LSAs that convert to Type 5 at the NSSA ABR are allowed

Page 33 (slide 30)

Stub Areas

• Blocks external routes, reduces database
• Consolidate external links - 0.0.0.0

[Slide figure: routers R1 through R4; an External AS (BGP) injects Ext. Routes into Area 0; Area 2 is a Stub Area into which the ABR sends only the default 0.0.0.0.]

OSPF allows certain areas to be configured as stub areas. Configuring a stub area reduces the size of the topological database inside an area and as a result reduces the memory requirements of routers inside that area. External networks, such as those redistributed from other protocols into OSPF, are not allowed to be flooded into a stub area. Routing from these areas to the outside world is based on a default route (0.0.0.0). This allows routers within the stub area to reduce the size of their routing table because a single default route replaces the many external routes. If your network has no external routes, there is no need to configure a stub area.

Page 34 (slide 31)

Stub Area Restrictions

• Ideally a single exit point in/out of area; if multiple exit points, sub-optimal paths may be selected
• An ASBR cannot be internal to stub
• Area 0 cannot be a stub
• Transit area for virtual links disallowed

[Slide figure: "Single Exit Point" – Area 2 receives 0.0.0.0 from R4; an ASBR (R3) attached to an External AS is shown crossed out inside the stub area.]

An area could be qualified as a stub when there is a single exit point from that area or if routing to outside of the area does not have to take an optimal path. The latter description is just an indication that a stub area with multiple exit points will have one or more ABRs injecting a default into that area. Routing to the outside world could take a sub-optimal path in reaching the destination by going out of the area via an exit point that is farther from the destination than other exit points. Other stub area restrictions are that a stub area cannot be used as a transit area for virtual links. Also, an ASBR cannot be internal to a stub area. These restrictions are made because a stub area is mainly configured not to carry external routes, and any of the situations described would cause external links to be injected into that area. The backbone, of course, cannot be configured as a stub.

Page 35 (slide 32)

Stub Area Multi-Exit Points

• Routers internal to stub area only know of internal cost
• External cost values are hidden
• Sub-optimal paths external to the stub area may be selected because of this limited knowledge of the overall topology

[Slide figure: Area 2 (stub) contains router A and two ABRs, B and C, each advertising 0.0.0.0 into the area; link bandwidths labelled 256k, 512k, 64k and T1 appear on the internal links and on the external links to the cloud.]

In the above example, area 2 has been configured as a stub area. It has two ABR routers each advertising a default network into the area. The default routes have an initial metric of 1. As the default networks move through the area to router A, they will pick up the internal cost associated with the path they take. Any cost external to the area associated with these default routes is not factored in. It is “invisible” to router A. Router A makes routing decisions based solely on the cost internal to the area. With this said, to reach an external network, router A would see the path to router C as preferable. But based on the bandwidth values shown on the external links to the cloud, it can be easily seen that this is not the overall preferable path. When configuring a stub area, it is preferable to have a single exit point (ABR). If multiple exit points do exist, keep in mind that all external route metrics (cost) are hidden from routers internal to the stub area.
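An added Python model of the multi-exit problem described above (not code from the course). The topology is constructed: router A in stub area 2 with ABRs B and C, link bandwidths chosen in the spirit of the slide, and costs derived with the IOS default reference bandwidth of 100 Mbps; STUB_AREA and the function names are assumptions. It shows the metric A actually computes for each 0.0.0.0, the real end-to-end cost, and how seeding one ABR's default with "area 2 default-cost" steers A back to the better exit.

```python
REFERENCE_BANDWIDTH_BPS = 100_000_000   # IOS default auto-cost reference bandwidth


def ospf_cost(bandwidth_bps):
    """IOS default interface cost: reference bandwidth divided by link bandwidth, at least 1."""
    return max(1, REFERENCE_BANDWIDTH_BPS // bandwidth_bps)


# Constructed topology (assumption, modelled on the slide): router A sits in stub area 2 with
# two ABRs. "internal_bw" is A's link to the ABR; "external_bw" is the ABR's link out of the
# area toward the external AS.
STUB_AREA = {
    "B": {"internal_bw": 256_000, "external_bw": 1_544_000},   # 256k inside, T1 outside
    "C": {"internal_bw": 512_000, "external_bw": 64_000},      # 512k inside, 64k outside
}


def default_routes_seen_by_a(area, default_costs=None):
    """Metric of each ABR's 0.0.0.0 as router A computes it: the ABR's seed metric
    ("area <id> default-cost", 1 when unset) plus the intra-area path cost. Nothing outside
    the area is visible to A, so the external link never enters this sum."""
    default_costs = default_costs or {}
    return {abr: default_costs.get(abr, 1) + ospf_cost(link["internal_bw"])
            for abr, link in area.items()}


def true_path_costs(area):
    """What each path really costs once the hidden external link is added in."""
    return {abr: ospf_cost(link["internal_bw"]) + ospf_cost(link["external_bw"])
            for abr, link in area.items()}


def best_exit(costs):
    return min(costs, key=costs.get)


def exit_choice_is_suboptimal(area, default_costs=None):
    """True when A's internal-only view picks a different ABR than the full topology would."""
    return best_exit(default_routes_seen_by_a(area, default_costs)) != best_exit(true_path_costs(area))


if __name__ == "__main__":
    print("A sees:   ", default_routes_seen_by_a(STUB_AREA))   # C looks best (196 vs 391)
    print("reality:  ", true_path_costs(STUB_AREA))            # B is far better (454 vs 1757)
    # Mitigation on the ABR C: "area 2 default-cost 1500" seeds its default high enough that A prefers B.
    print("with seed:", default_routes_seen_by_a(STUB_AREA, {"C": 1500}))
```

The seed cost is the only knob the stub area design leaves you: A can never learn the 64k link behind C, so the ABR has to encode that knowledge into the metric it injects.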

Page 36 (slide 33)

Configuring Stub Areas

Router(config-router)#
area area-id stub
• Creates a stub network

Router(config-router)#
area area-id default-cost cost
• Specifies cost for default route sent into stub area

Each router within the area, including the ABR, must enter the command. If a router configures an area as a stub and another router configures the same area not as a stub, then these two routers will not form a neighbor relationship (stub area flag in hello packet). The “area area-id default-cost cost” command is used to apply a seed metric (cost) to the default route prior to it entering the stub area. It is entered only on the ABR. If no default cost is applied, then the default routes advertised by the ABR into the stub area will have an initial metric of 1.

Page 37 (slide 34)

Stub Area Configuration Example

[Slide figure: R3 (E0 192.168.14.1 in Area 0, S0 192.168.15.1) is the ABR; R4 (S0 192.168.15.2) is inside Stub Area 2; an External AS attaches beyond Area 0.]

R3#
interface Ethernet 0
 ip address 192.168.14.1 255.255.255.0
interface Serial 0
 ip address 192.168.15.1 255.255.255.252

router ospf 100
 network 192.168.14.0 0.0.0.255 area 0
 network 192.168.15.0 0.0.0.255 area 2
 area 2 stub

R4#
interface Serial 0
 ip address 192.168.15.2 255.255.255.252

router ospf 15
 network 192.168.15.0 0.0.0.255 area 2
 area 2 stub

In this example, area 2 is defined as the stub area. No external routes from the external autonomous system will be forwarded into the stub. The last line in each configuration, area 2 stub, defines the stub area. The area stub default-cost has not been configured on R3, so this router will advertise 0.0.0.0 (the default route) with a default cost metric of 1 plus any internal costs. Each router in the stub must be configured with the area stub command. The only routes that will appear in R4’s routing table are intra-area routes (designated with an O in the routing table), the default route, and inter-area routes (both designated with an IA in the routing table; the default route will also be denoted with an asterisk). Notice that both R3 and R4 are configured with the area stub command. The area stub command determines whether the routers in the stub exchange hello messages and become neighbors. This command must be included in all routers in the stub if they are to exchange routing information.

Page 38 (slide 35)

Stub Area PE

1) Configure routers for a multi-area OSPF network or TFTP config files if available.

2) Router 7 install the following:

- Loopback 17 – 21 with ip address 148.17.0.1, 148.18.0.1, 148.19.0.1, 148.20.0.1, & 148.21.0.1. Use the mask of 255.255.0.0

- configure each interface with the command "ip ospf network point-to-point"

- Under OSPF enter the command “redistribute connected subnets”.

3) Everyone telnet to router 2 or 5 and examine routing table; note “E” routes. Also examine OSPF database for type 5 LSAs.

4) Routers 1, 2, 3, 4, 5, & 6 configure for stub area.

5) Router 2 & 5 should have default route(s) in place of original external routes. OSPF database should now have a default summary LSA(s) and no type 5.

6) Note the cost assigned to the default route. ABRs configure the "area area-id default-cost cost" to set an initial cost for the default route.

The configuration of loopback interfaces on router 7 is just for generating networks for use within the stub area lab. These loopback networks once configured will be redistributed into OSPF, which will create external routes within the OSPF domain. By configuring areas 1 and 2 as stub, these external routes will be blocked by the ABRs and replaced with a default route generated by the ABRs. OSPF treats a loopback interface as a host. Regardless of the mask assigned to the interface, OSPF will advertise it as a /32. By configuring the interface with the command “ip ospf network point-to-point”, OSPF will advertise the assigned mask. Once the stub areas have been configured and are working properly, ping from routers 2 and 5 to the external networks configured on router 7 to show that the default route is providing the necessary network connectivity.

Page 39 (slide 36)

Totally Stub Areas

• Blocks external and summary routes
• Knows only intra-area and default routes

[Slide figure: routers R1 through R5; Area 3 and an External AS feed Summary & Ext. Routes into Area 0; Area 2 is a Stub Area into which the ABR sends only 0.0.0.0.]

A totally stubby area is a stub area that blocks external routes and summary routes (inter-area routes) from being propagated into the area. This way, intra-area routes and the default of 0.0.0.0 are the only routes known to the stub area. ABRs inject the default summary link of 0.0.0.0 into the totally stubby area. Each router picks the closest ABR as a gateway to everything outside the area. The totally stubby area is a Cisco-specific feature.

Page 40 (slide 37)

Configure Totally Stubby Areas

Router(config-router)#
area area-id stub no-summary
• Creates a totally stub network
• Only performed on ABR

Router(config-router)#
area area-id default-cost cost
• Specifies cost for default route sent into stub area

All routers within the area must enter the stub command. In addition to this command, the ABRs must enter the no-summary keyword to define a totally stubby area. If a router configures an area as a stub and another router configures the same area not as a stub, then these two routers will not form a neighbor relationship (stub area flag in hello packet). The “area area-id default-cost cost” command is used to apply a seed metric (cost) to the default route prior to it entering the stub area. It is entered only on the ABR. If no default cost is applied, then the default routes advertised by the ABR into the stub area will have an initial metric of 1.

Page 41 (slide 38)

Totally Stubby Configuration Example

[Slide figure: R3 (E0 192.168.14.1 in Area 0, S0 192.168.15.1) is the ABR; R4 (S0 192.168.15.2) is inside Totally Stubby Area 2; an External AS attaches beyond Area 0.]

R4#
router ospf 15
 network 192.168.15.0 0.0.0.255 area 2
 area 2 stub

R3#
router ospf 100
 network 192.168.14.0 0.0.0.255 area 0
 network 192.168.15.0 0.0.0.255 area 2
 area 2 stub no-summary

In this example, the keyword no-summary has been added to the area stub command on R3. This keyword causes summary routes (inter-area) to also be blocked from the stub. Each router in the stub picks the closest ABR as a gateway to everything outside the area. The only routes that will appear in R4’s routing table are intra-area routes (designated with an O in the routing table) and the default route. No inter-area routes (designated with an IA in the routing table) will be included. It is only necessary to configure the no-summary keyword on the stub border routers. This is because the area is already configured as a stub.

Page 42 (slide 39)

Totally Stub Area PE

1) Configure routers for a multi-area OSPF network or TFTP config files if available.

2) Everyone telnet to router 2 or 5 and examine routing table; note “IA” routes. Also examine the OSPF database.

3) Routers 2 & 5 configure for stub area.

4) Routers 1, 3, 4, & 6 configure for totally stub area.

5) Router 2 & 5 should have default route(s) in place of the original “IA” routes.

6) Note the cost assigned to the default route. ABRs configure the "area area-id default-cost cost" to set an initial cost for the default route.

The above lab configures areas 1 and 2 as totally stub areas thereby blocking all external and inter-area (IA) routes at the ABRs and replacing them with a default route. Once the totally stub areas have been configured and are working properly, ping between routers 2 and 5 to show that the default route is providing the necessary network connectivity.

Page 43 (slide 40)

Virtual Links

• All areas must be physically interconnected to area 0.
• Virtual links provide path to backbone if physical connection is not available.
• Avoid configuring virtual links if possible, for temporary fixes only.

[Slide figure: Area 0 (Backbone) with Areas 1 and 2 attached directly; Area 3 has no physical connection to the backbone and reaches it through a Virtual Link across a Transit Area.]

OSPF has certain restrictions when multiple areas are configured. One area must be defined as area 0. Area 0 is also called the backbone because all communication must go through it. In addition, all areas should be physically connected to area 0. This is because all other areas inject routing information into area 0, which in turn disseminates that information to other areas. In special cases where a new area is added after the OSPF network has been designed and configured, it is not always possible to provide that new area with direct access to the backbone. In these cases, a virtual link will have to be defined to provide the needed connectivity to the backbone. The virtual link provides the disconnected area a logical path to the backbone. The virtual link must be established between two routers that share a common area, and one of these routers must be connected to the backbone.

Page 44 (slide 41)

Virtual Links (2)

• Link discontiguous backbone
 – Merged networks
 – Redundancy

[Slide figure: two disconnected Area 0 segments joined by a virtual link across Area 3 (the Transit Area); Areas 1 and 2 hang off the backbone.]

Virtual links serve two purposes:

• Linking an area that does not have a physical connection to the backbone.

• Patching the backbone in case discontinuity of area 0 occurs.

This slide illustrates the second purpose. Discontinuity of the backbone might occur if, for example, two companies, each running OSPF, are trying to merge the two separate networks into one with a common area 0. The alternative would be to redesign the entire OSPF network and create a unified backbone. Another reason for creating a virtual link is to add redundancy in cases where a router failure causes the backbone to be split into two. In the graphic, the disconnected area 0’s are linked via a virtual link through the common area 3. If a common area does not already exist, one can be created to become the transit area.

Page 45 (slide 42)

Configuring Virtual Links

Router(config-router)#
area area-id virtual-link router-id
• Creates a virtual link

remoterouter#show ip ospf interface Ethernet 0
Ethernet0 is up, line protocol is up
  Internet Address 10.64.0.2/24, Area 0
  Process ID 1, Router ID 10.64.0.2, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 10.64.0.2, Interface address 10.64.0.2
  Backup Designated router (ID) 10.64.0.1, Interface address 10.64.0.1

Within the command to configure a virtual link, two pieces of information are required: area-id & router-id. The area-id portion is the area being utilized as the transit area. The router-id is the OSPF router ID of the border router at the other end of the virtual link; each of the two border routers involved configures the other's ID. One border router interconnects the non-0 area to the transit area and the other interconnects the transit area to area 0. You may be required to telnet to the distant border router to obtain its router ID (shown in the output above).

Page 46 (slide 43)

Virtual Link Configuration Example

[Slide figure: R2 (Router ID 10.7.20.123) borders Area 3 and Area 1; R1 (Router ID 10.3.10.5) borders Area 1 and Area 0; the virtual link runs between them across Area 1.]

R2:
router ospf 63
 network 10.3.0.0 0.0.0.255 area 1
 network 10.7.0.0 0.0.0.255 area 3
 area 1 virtual-link 10.3.10.5

R1:
router ospf 100
 network 10.2.3.0 0.0.0.255 area 0
 network 10.3.2.0 0.0.0.255 area 1
 area 1 virtual-link 10.7.20.123

In this example, area 3 does not have a direct physical connection to the backbone (area 0). All inter-area traffic must transit the backbone. To provide connectivity to the backbone, a virtual link must be configured between R2 and R1. Area 1 will be the transit area and R1 will be the entry point into area 0. R2 will have a logical connection to the backbone through the transit area. Both sides of the virtual link must be configured.

• R2: area 1 virtual-link 192.168.10.5 - With this command, area 1 is defined to be the transit area and the router ID of the other side of the virtual link is configured.

• R1: area 1 virtual-link 192.168.20.123 - With this command, area 1 is defined to be the transit area and the router ID of the other side of the virtual link is configured.
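A small added Python check (not from the course) that applies the virtual-link restrictions stated on the preceding slides before generating the two commands: the transit area must be a non-backbone, non-stub area common to both border routers, and one of the two must border area 0. The Router class, the function names and the error strings are assumptions; the router IDs and area memberships of R1 and R2 are taken from the slide configuration.

```python
from dataclasses import dataclass, field


@dataclass
class Router:
    router_id: str                              # OSPF router ID, as shown by "show ip ospf interface"
    areas: set = field(default_factory=set)     # areas this router has interfaces in


def virtual_link_problems(transit_area, r_a, r_b, stub_areas=frozenset()):
    """Every restriction from the slides that the proposed link would break (empty list if legal)."""
    problems = []
    if transit_area == 0:
        problems.append("area 0 cannot be the transit area")
    if transit_area in stub_areas:
        problems.append(f"area {transit_area} is a stub area and cannot be a transit area")
    for r in (r_a, r_b):
        if transit_area not in r.areas:
            problems.append(f"router {r.router_id} has no interface in area {transit_area}")
    if 0 not in r_a.areas and 0 not in r_b.areas:
        problems.append("neither endpoint is connected to area 0")
    return problems


def virtual_link_config(transit_area, r_a, r_b, stub_areas=frozenset()):
    """The "area <transit> virtual-link <remote router-id>" line for each side, keyed by the
    router that enters it; raises if the link breaks one of the restrictions above."""
    problems = virtual_link_problems(transit_area, r_a, r_b, stub_areas)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        r_a.router_id: f"area {transit_area} virtual-link {r_b.router_id}",
        r_b.router_id: f"area {transit_area} virtual-link {r_a.router_id}",
    }


# From the slide: R1 (ID 10.3.10.5) borders areas 0 and 1; R2 (ID 10.7.20.123) borders areas 1 and 3.
R1 = Router("10.3.10.5", {0, 1})
R2 = Router("10.7.20.123", {1, 3})

if __name__ == "__main__":
    for rid, line in virtual_link_config(1, R2, R1).items():
        print(f"{rid}: {line}")
```

Each side receives the other side's router ID, which is why the slide's R2 configuration names 10.3.10.5 and R1's names 10.7.20.123; the stub check is the same restriction the Stub Area Restrictions slide lists, caught before it costs a troubleshooting session.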

Page 47 (slide 44)

OSPF Virtual Link Network

[Slide figure: lab topology of routers 1 through 7 spanning Area 0, Area 1 and Area 2. Ethernet segments (mask 255.255.255.240): 148.43.200.49, 148.43.200.65, 148.43.200.81, 148.43.200.97, 148.43.200.113, 148.43.200.129, 148.43.200.145. Serial point-to-point links (mask 255.255.255.252): 148.43.200.5/.6, 148.43.200.9/.10, 148.43.200.17/.18, 148.43.200.21/.22, 148.43.200.25/.26, 148.43.200.33/.34. Interface names shown: e0, e0/0, e1, s0, s0/0, s1.]

Install the above network. Once installed, perform the PE on the next page.

Page 48 (slide 45)

Virtual Link PE

1. Configure routers as per diagram or TFTP config files if available.

2. Install Ethernet link between routers 2 & 5.

3. Review all router routing tables; area 1 & 0 should not see routes in area 2 and vice versa.

4. Configure a virtual link between routers 1 & 5.

5. All routers should have connectivity to the entire network.

The objective of this lab is to provide virtual connectivity for area 2 to area 0 utilizing area 1 as the transit area. Once complete, utilize ping to ensure there is total network connectivity.

Page 49 (slide 46)

Multi-Area OSPF Review Questions

Page 50 (slide 47)

1. What are the two primary elements of OSPF hierarchy?
a. stub & NSSA
b. total stub & virtual link
c. area & autonomous system
d. area & backbone

2. What is the primary purpose of dividing an OSPF topology into areas?
a. to make it more manageable
b. to establish ABRs
c. to eliminate type 3 LSAs
d. to reduce the size of the topology database

3. Routers within the same area have identical link state databases?
a. true
b. false

4. A router receives an LSA and already has a matching record in its database but the sequence number on the received LSA is less (older) than what is currently in the database. What does the router do?
a. replaces the current LSA in the database and floods the LSA
b. nothing
c. sends an LSA with newer info to the source
d. recalculates the database using SPF

5. Where do external OSPF routes originate?
a. ASBR
b. when OSPF is redistributed into another protocol
c. from BGP
d. another autonomous system

6. What is the sequence number used for on an LSA?
a. error checking
b. to determine if the LSA is already in the database
c. to determine if the LSA is newer or older than what is in the database
d. all of the above
e. b & c

7. How is a summary LSA identified in the routing table?
a. O
b. IA
c. E1
d. ES

8. What is the difference between an E1 and E2 routing update?
a. were received through different interfaces
b. E1 is BGP, E2 is EGP
c. E1 is internal and external cost; E2 is external cost only
d. E1 is external cost only; E2 is external and internal cost

Page 51 (slide 48)

9. What is a type one LSA (router)?
a. generated by OSPF routers and flooded within the area
b. describes all directly connected networks on an OSPF router
c. can contain information about multiple networks
d. all the above

10. What are the two types of route summarization?
a. extensive and passive
b. inter-area and intra-area
c. external and inter-area
d. intra-area and external

11. Why do we use route summarization?
a. easier to map network
b. minimizes ospf database entries
c. provides default route to stub areas
d. keeps number of areas in network to a minimum

12. Which of the following are types of OSPF areas?
a. stub, internal, external, & NSSA
b. stub, totally stub, NSSA, & external
c. stub, backbone, NSSA, & totally stub
d. inter-area, intra-area, stub, & totally stub

13. Stub areas_________
a. can only be area 0
b. do not receive external routes
c. have only one router
d. broadcasts a default route

14. Totally stub areas__________
a. receive only external routes
b. do not receive external routes
c. do not receive external and summary routes
d. have only one router

15. Virtual links serve two purposes:
a. link an area that does not have physical connection to area 0 & patch the backbone in case of discontinuity
b. provide an option when there are not enough physical interfaces & provide more throughput on serial interfaces
c. keep hardware costs to a minimum & keep cpu utilization below a prescribed level
d. allow Ethernet interfaces to emulate serial interfaces & serial interfaces to emulate fiber interfaces

Page 52 (slide 49)

16. In Open Shortest Path First, what does open refer to?
a. the database size is unlimited
b. it is a non-proprietary protocol
c. the entire protocol has not been defined yet
d. the bid to purchase it is still open

17. What does ABR stand for?
a. autonomous border router
b. area backup router
c. another bad route
d. area border router

18. What does ASBR stand for?
a. auxiliary source backup router
b. autonomous system border router
c. automatic sensing baseband repeater
d. asynchronous segment bandwidth reducer

19. In Open Shortest Path First, what does shortest path first refer to?
a. the router will always choose the least number of hops
b. the router will always choose the shortest physical distance
c. an algorithm run on the topology database
d. an algorithm run on the adjacencies database

20. Which of the following will OSPF utilize first as the router ID?
a. highest active IP address on a physical interface
b. lowest active IP address on a physical interface
c. loopback address
d. MAC of serial 1

21. What is the purpose of designing and installing summary routes, stub areas, and totally stub areas?
a. minimizes the size of the physical topology
b. reduces router latency
c. reduces the size of the topology database
d. decreases the configuration size
e. both b & c
f. both a & d

22. What must be taken into consideration when a stub area has multiple exit points?
a. it is possible for routes to be dropped
b. it is possible for sub-optimal routes to be selected
c. external cost of routes is not known to internal routers
d. it is only possible to use one
e. both a & d
f. both b & c

Page 53

Insert Tab #2 Here

Page 54

EIGRP Enhanced Interior Gateway Routing Protocol

Page 55 (slide 2)

Page 56 (slide 3)

Characteristics of EIGRP

• Cisco Proprietary

• Triggered routing updates and automatic neighbor discovery
 – Utilizes multicast for updates and hello packets

• Advanced Distance Vector
 – Uses “Reliable Transport Protocol” to send routing updates
 – Eliminates the need for periodic full updates

• Maintains a route topology database
 – Stores all routes received from neighbors

• DUAL – Diffused Update Algorithm (loop free routing)
 – Has backup route readily available (feasible successor)
 – Actively queries neighbors if backup not available

• Simple configuration: classless, but programs like classful

• Manual route summarization at any point in the topology

• Load balancing available across unequal metric routes

EIGRP is a Cisco proprietary protocol that combines the advantages of link-state and distance vector routing protocols. As a hybrid protocol, EIGRP includes the following features. Neighbor discovery and maintenance are dynamic through the use of the Hello Protocol. Routing updates are exchanged between neighbors upon changes to the network topology, as opposed to periodic updates regardless of changes. EIGRP utilizes multicast addressing, as opposed to broadcast, for the hello protocol and routing updates. EIGRP is labeled an Advanced Distance Vector routing protocol. When exchanging information with neighbors it utilizes the Reliable Transport Protocol (RTP), which guarantees delivery of information such as updates. It maintains a topology database similar to link state protocols, which allows it to make routing decisions without waiting on information from neighboring routers. This also dramatically speeds up the convergence time required for the routers within the EIGRP topology. EIGRP utilizes the Diffusing Update Algorithm (DUAL) to determine the preferred route information within the topology database. Within the topology database are stored backup routes, which can be automatically installed in the routing table upon failure of the primary route path. If there is no backup available, EIGRP actively queries its neighbors for routing information.

Page 57 (slide 4)

EIGRP configuration is simple in that it programs like a classful protocol (classful network statements) but has all the advantages of a classless protocol. With it being a distance vector protocol, route filtering is also easy to configure. Route summarization can be installed on any router and/or interface within the EIGRP topology. This is a very powerful tool and simplifies EIGRP topology design and implementation since there is no concept of border routers. EIGRP has the option to load balance across unequal metric paths. This load balancing is proportional to the metric of each link. Other routing protocols have to see equal metrics on routes before load balancing. This causes some links to not be utilized at all while others may become saturated with traffic.

Page 58 (slide 5)

EIGRP Comparison

Metric
  Distance Vector (RIP / IGRP): Hop Count / Bandwidth, Delay by Default
  Advanced Distance Vector (EIGRP): DUAL Algorithm based on Bandwidth and Delay of Link
  Link State (OSPF): Dijkstra Algorithm based on Bandwidth of Link

Classful / Classless
  Distance Vector (RIP / IGRP): Classful
  Advanced Distance Vector (EIGRP): Classless
  Link State (OSPF): Classless

Route Propagation
  Distance Vector (RIP / IGRP): Broadcast full table every 30 seconds
  Advanced Distance Vector (EIGRP): Multicast partial updates only when path or metric changes, and only to neighbors
  Link State (OSPF): Multicast partial updates only when path or metric changes, to all like routers in Area

Neighbor States
  Distance Vector (RIP / IGRP): Any router within same network directly connected and running like Routing Protocol
  Advanced Distance Vector (EIGRP): Uses “Hello protocol” to dynamically learn of neighbors, resulting in faster convergence
  Link State (OSPF): Uses “Hello protocol” to dynamically learn of neighbors, resulting in faster convergence

Backup Routes
  Distance Vector (RIP / IGRP): No, must wait for next broadcast of routing table
  Advanced Distance Vector (EIGRP): Yes, through topology database. Feasible successor requires no neighbor queries
  Link State (OSPF): Yes, through topology database.

Summarization
  Distance Vector (RIP / IGRP): Automatic at network boundaries; no manual summarization available
  Advanced Distance Vector (EIGRP): Automatic at network boundaries; manual summarization available on all interfaces
  Link State (OSPF): Manual only on ABRs; recommended towards the “Backbone Area”

You can better understand the technology used in EIGRP by comparing it with other protocols well known to the internetworking industry. Routing protocols have two major approaches:

“Routing by Rumor” Also known as distance-vector. This method is used by protocols, such as IGRP, RIP, and BGP, where each router knows only what its neighbor tells it.

“Routing by Propaganda” Also known as link-state. This method is used by protocols such as OSPF, or IS-IS, where all the routers in a region of the network share a common understanding of the region’s topology.

EIGRP is most similar to a distance vector protocol using only information it receives from its directly connected neighbors for routing decisions, but unlike a pure distance vector where only the best route is stored, EIGRP stores all routes received. Knowledge of more than one route enables the ability to switch quickly to an alternate should the current become unavailable. Additionally EIGRP takes an active role and queries its neighbors when a destination becomes unreachable if an alternate path is not available. Traditional distance vector protocols passively wait for a reported route.

Page 59 (slide 6)

EIGRP Databases

[Figure: the three EIGRP databases and what feeds them. Neighbor Table Database (Lists Neighbors) is built from Hello Packets. Topology Database (Lists All Routes, including the Feasible Successor) is built from Updates From Neighbors. Routing Table (Lists Best Routes) is calculated by the router using info from the Topology Database (DUAL).]

The neighbor database tracks and maintains all EIGRP router neighbors. The neighbors are established through the use of hello packets. Once the neighbor relationship is established, the hello packets continue at set intervals to maintain the relationship; hello packets used for this purpose are sometimes referred to as keepalives. The neighbor database also tracks and averages the amount of time it takes for neighbors to respond to reliable packets. This averaged time is then used to determine the RTO. The topology database stores all EIGRP updates received from neighboring routers. Backup routes to the routes selected for installation in the routing table (referred to as feasible successors) are designated and stored within the topology database. The DUAL algorithm is applied to the topology database. The preferred routes from the topology database are then offered to the routing table as candidates. Two criteria are utilized by the routing table in the selection of entries into the table: administrative distance and metrics.

Page 60 (slide 7)

EIGRP Packets

Hello: Used to establish/maintain neighbor relationships

Update: Used to send routing updates

Query: Used to ask neighbors for routing information

Reply: Response to query

ACK: Used to acknowledge a reliable packet

EIGRP supports the following five generic packet types:

Hello: Hello packets are used for neighbor discovery. They are sent as multicasts and carry a zero acknowledgment number.

Update: An update is sent to provide information on the routes that a particular router has converged. These are sent as multicasts when a new route is discovered, or when convergence has completed (and the route is passive). They are also sent as unicast when neighbors start up in order to synchronize the topology tables (since updates are not sent periodically as in IGRP).

Queries: When a router is performing route computation, and it does not have a feasible successor, it will send a query packet to its neighbors asking if they have a feasible successor for the destination. Queries are always multicast.

Replies: A reply packet is sent in response to a query packet. Replies are unicast to the originator of the query.

ACK: The ACK is used for acknowledging the other types of packets described above. ACKs are hello packets that are sent as unicasts, and contain a nonzero acknowledgment number. Update, query, and reply packets are all sent reliably and require acknowledgement.

Page 61 (slide 8)

Neighbor Discovery Process

• EIGRP uses Hello protocol (multicast, 224.0.0.10) on every interface whose address falls within the network statement range.

• Two routers become neighbors when they exchange hello packets; they must agree on autonomous system number and K-values.

• Once neighbor discovery is complete, hellos continue as keepalives.

• Hellos sent once every 5 seconds on LANs, point-to-point WANs, and high speed (>T-1) multi-point WANs.

• Hellos are sent once every 60 seconds on multi-point low speed WANs (<T-1).

• Neighbor is declared dead if no EIGRP packets are received within hold interval (default three times the hello interval).

When EIGRP is enabled and an interface is found to be within its network range, the router sends periodic multicast hello packets out that interface. When another router running EIGRP within the same autonomous system receives a hello packet, it establishes a neighbor relationship between the two by responding with an update containing its complete routing information. This update packet will have the “Init” bit set, which indicates the initialization process. In response to the update, the first router sends an update with all of its route information. Once acknowledged, the neighbors are considered adjacent. The hello mechanism not only dynamically discovers neighbors; it also discovers the loss of neighbors. After neighbor establishment, the hello packet is used as a “keepalive”. If a hello packet is not heard before the expiration of the hold time, then a topology change is detected. The neighbor adjacency is deleted, and all topology table entries learned from that neighbor are removed. This enables the routers to quickly re-converge if an alternate, feasible successor does not exist. The rate at which hello packets are sent is called the hello interval and can be adjusted per interface with the “ip eigrp hello-interval” command. The amount of time a router will consider a neighbor up without receiving a hello or any EIGRP packet is called the hold time, and can be adjusted per interface with the “ip eigrp hold-time” command.
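The hold-time rule described above, as an added example written for this guide rather than taken from it: the timer defaults are the ones the slide lists (5 second hello on LAN, point-to-point and above-T-1 multipoint interfaces, 60 seconds on below-T-1 multipoint, hold time three times the hello), while the interface class names, the packet-arrival timelines and the function names are constructed for illustration.

```python
# Added example (not from the course guide): how the hello interval and hold
# time decide that a neighbor is dead.  The defaults are the slide's (5 s hello
# on LAN / point-to-point / >T-1 multipoint, 60 s on <T-1 multipoint, hold =
# 3 x hello); the interface class names, the packet-arrival timelines and the
# function names are constructed for illustration.

HELLO_BY_CLASS = {
    "lan": 5,
    "point_to_point_wan": 5,
    "multipoint_above_t1": 5,
    "multipoint_below_t1": 60,
}


def default_timers(interface_class):
    """(hello_interval, hold_time) in seconds; hold defaults to 3 x hello."""
    hello = HELLO_BY_CLASS[interface_class]
    return hello, 3 * hello


def neighbor_dead_at(arrivals, hold_time, until):
    """arrivals: times (s) at which ANY EIGRP packet was heard from a neighbor.

    Return the time at which the hold timer expired and the neighbor was
    declared dead, or None if that has not happened by `until`.  Any EIGRP
    packet, not only a hello, restarts the hold timer, so a neighbor that is
    sending updates stays up even if one of its hellos is lost."""
    last = None
    for t in sorted(arrivals):
        if last is not None and t - last > hold_time:
            return last + hold_time
        last = t
    if last is not None and until - last > hold_time:
        return last + hold_time
    return None


if __name__ == "__main__":
    hello, hold = default_timers("lan")
    # Constructed timeline: hellos at 0, 5, 10, 15, then silence until t=35.
    print(hello, hold, neighbor_dead_at([0, 5, 10, 15, 35], hold, until=40))
```

On a LAN the three-hello grace period means a neighbor is only declared dead 15 seconds after its last packet; on a below-T-1 multipoint WAN the same rule stretches that to 180 seconds, which is the detection delay to keep in mind when reading a neighbor table after a link failure.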

Page 62 (slide 9)

Step by Step Neighboring (Router A and Router B)

1. A -> B: Hello. “I am Router A, is anyone here?”
2. B -> A: Update, Init Bit Set. “I am Router B, here are all my routes.”
3. A -> B: ACK. “Thanks !!!”
4. A -> B: Update. “Here are all my routes.”
5. B -> A: ACK. “Thanks !!!”

Each router's Topology Database now holds the other's routes; neighbors have converged.

Neighboring and route discovery occur at the same time in EIGRP. Router A comes up on a link and sends out a hello. Router B, or any router on the link receiving the hello, replies with an update containing all the routes it has, with the exception of any it may have learned previously on that interface (remember split horizon: “Don’t tell me what I told you!!”). This update will establish a neighbor relationship between the two routers. The update packet includes all information about the routes that the neighbor is aware of, including the metric the neighbor is reporting for each route. Additionally this update packet will have the Init bit set, which indicates this is the initialization process. Router A replies to the neighbor with an ACK packet, acknowledging receipt of its update. Router A then installs all received routes from the update packet into its topology database, and sends an update including all of its routes to Router B. Router B installs the routes in its topology database and acknowledges the update. Each router will then run the DUAL algorithm with the new information received to determine which primary and backup routes it should store in the topology table.

Page 63 (slide 10)

sho ip eigrp neighbor

IP-EIGRP neighbors for process 1
H   Address          Interface   Hold Uptime     SRTT   RTO  Q    Seq
                                 (sec)           (ms)        Cnt  Num
1   148.43.200.105   S0/1          13 01:06:31     12   200  0    11
0   148.43.200.245   S0/0          12 01:59:01     16   200  0    22

Show IP EIGRP Neighbor

H: Indicates order in which the neighbors were learned.

Address: Neighbor IP address assigned to the directly connected interface of the neighbor.

Interface: Interface on which hello packets are received from that neighbor.

Hold: Indicates the hold-time remaining for that neighbor. If the hold-time expires, the neighbor is then declared dead and the relationship is reset.

Uptime: Refers to the total time the neighbor relationship has been established.

SRTT: Smooth round trip time, which refers to the average time from when a packet is transmitted to the neighbor until an ACK is received back from that neighbor.

RTO: Retransmission time out, which refers to the amount of time the router will wait before retransmitting an unacknowledged (reliable) packet to a neighbor. RTO is calculated based on SRTT.

Q Cnt: Indicates the number of packets waiting in queue for that neighbor.

Seq Num: Indicates the sequence number of the last query, reply, or update packet. Sequence numbers are used on reliable packets for tracking purposes to ensure delivery.
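A parser for the neighbor table shown on this slide, added here as an example (it is not part of the course guide). The SAMPLE text is the guide's two rows re-typed; the thresholds in flag_neighbors are constructed assumptions, and the function names are mine.

```python
# Added example (not from the course guide): parse the "show ip eigrp neighbor"
# table above into records and flag entries an operator would look at.  SAMPLE
# is the guide's two rows re-typed; the thresholds in flag_neighbors are
# constructed assumptions, and the function names are mine.
import re

SAMPLE = """\
IP-EIGRP neighbors for process 1
H   Address          Interface   Hold Uptime     SRTT   RTO  Q    Seq
                                 (sec)           (ms)        Cnt  Num
1   148.43.200.105   S0/1          13 01:06:31     12   200  0    11
0   148.43.200.245   S0/0          12 01:59:01     16   200  0    22
"""

# One neighbor row: H, address, interface, hold, uptime, SRTT, RTO, Q cnt, seq.
ROW = re.compile(
    r"^\s*(?P<h>\d+)\s+(?P<addr>\d+\.\d+\.\d+\.\d+)\s+(?P<intf>\S+)\s+"
    r"(?P<hold>\d+)\s+(?P<uptime>\S+)\s+(?P<srtt>\d+)\s+(?P<rto>\d+)\s+"
    r"(?P<qcnt>\d+)\s+(?P<seq>\d+)\s*$"
)


def parse_neighbors(text):
    """Return one dict per neighbor row; banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        row = m.groupdict()
        for key in ("h", "hold", "srtt", "rto", "qcnt", "seq"):
            row[key] = int(row[key])
        rows.append(row)
    return rows


def uptime_seconds(uptime):
    """IOS prints hh:mm:ss under a day, then forms such as 1d02h and 2w3d."""
    if m := re.fullmatch(r"(\d+):(\d+):(\d+)", uptime):
        h, mi, s = map(int, m.groups())
        return h * 3600 + mi * 60 + s
    if m := re.fullmatch(r"(\d+)d(\d+)h", uptime):
        return int(m.group(1)) * 86400 + int(m.group(2)) * 3600
    if m := re.fullmatch(r"(\d+)w(\d+)d", uptime):
        return int(m.group(1)) * 604800 + int(m.group(2)) * 86400
    raise ValueError(f"unrecognised uptime: {uptime}")


def flag_neighbors(rows, hold_floor=5, min_uptime=300):
    """(address, reason) for each neighbor worth a look: hold timer about to
    expire, reliable packets stuck in its queue, or a relationship younger
    than min_uptime seconds (a recent reset).  Thresholds are constructed."""
    flags = []
    for r in rows:
        if r["hold"] <= hold_floor:
            flags.append((r["addr"], "hold timer nearly expired"))
        if r["qcnt"] > 0:
            flags.append((r["addr"], "unacknowledged packets queued"))
        if uptime_seconds(r["uptime"]) < min_uptime:
            flags.append((r["addr"], "neighbor recently (re)established"))
    return flags


if __name__ == "__main__":
    for row in parse_neighbors(SAMPLE):
        print(row["addr"], row["intf"], "hold", row["hold"], "seq", row["seq"])
    print(flag_neighbors(parse_neighbors(SAMPLE)))
```

Both rows in the sample are healthy (hold well above the floor, empty queue, over an hour of uptime), so flag_neighbors returns an empty list; a row with a low hold, a non-zero Q Cnt or an uptime of a few seconds is what a neighbor flap looks like in this table.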

Page 64 (slide 11)

EIGRP Reliability Packets (1)

• EIGRP uses the Reliable Transport Protocol (RTP)

• Updates, Queries, and Replies require explicit acknowledgement.

• Updates & Queries initially use multicast to all neighbors
  - transport window size is one; follow-on packets cease until response (ACK)
  - responding neighbors continue to get packets via multicast, no waiting
  - if any neighbor fails to respond, packet is retransmitted unicast
  - unicast packets will be retransmitted if not acknowledged (RTO reached)
  - the neighbor relationship will be reset when retry limit (16) is reached.

RTP is tasked with ensuring that ongoing communication is maintained between neighboring routers. As such, a retransmission list is maintained for each neighbor. This list indicates packets (which require acknowledgement) to which responses have not yet been received. Initially, reliable packets are sent via multicast. If an acknowledgment is not received, the packet is resent via unicast to the non-responsive neighbor. Since the transport window is set to 1, follow-on reliable packets will not be sent until an acknowledgement is received for the original packet. The original packet will be resent via unicast 15 additional times (for a total of 16). If there is no acknowledgement after the 16th attempt, then the neighbor relationship is reset. EIGRP tracks the amount of time it takes for a neighbor to reply to each reliable packet. These times are then averaged to compute the smooth round trip time (SRTT). The SRTT is then utilized to compute the retransmission timeout (RTO). The RTO is the amount of time the router will wait for an acknowledgement before resending the original reliable packet. EIGRP reliability ensures delivery of critical route information to neighboring routers. This information is required to ensure a loop-free topology at all times.

Page 65 (slide 12)

EIGRP Reliability Packets (2)

[Figure: four stages between routers A and B.]

1. Multicast Update / No Ack: A sends the update to 224.0.0.10. “no ack from B???”
2. Unicast Update / No Ack: A resends the update to B at 148.43.200.9. “no ack from B???”
3. Unicast Update 15 times / No Ack: A resends the update to 148.43.200.9 fifteen more times. “no ack from B???”
4. Reset Neighbor Connection: A resets its neighbor relationship with B.

An update is sent from router A to router B via multicast addressing; no acknowledgment (ACK) is received by A from B. The amount of time A will wait for the reply is called the retransmission timeout (RTO). The RTO is calculated separately for each neighbor. Once the RTO has expired, router A will retransmit the update to B but this time utilizing Unicast addressing. Router A will repeat this process 15 additional times for a total of 16 Unicast retry attempts. If a response is not received by the expiration of the RTO after the 16th attempt, the neighbor relationship is reset.
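The retransmission sequence just described, as an added simulation (this is not code from the course guide). The multicast group and the 16-unicast retry limit are the guide's; which attempt the neighbor acknowledges, the RTO value and the neighbor address are constructed inputs, the SRTT weighting is an assumption, and the function names are mine.

```python
# Added example (not from the course guide): a simulation of the retransmission
# sequence above.  The multicast group and the 16-unicast retry limit are the
# guide's; which attempt the neighbor acknowledges, the RTO value and the
# neighbor address are constructed inputs, and the function names are mine.

MULTICAST_GROUP = "224.0.0.10"
UNICAST_RETRY_LIMIT = 16  # unicast attempts before the neighbor is reset


def send_reliable(neighbor_addr, acks_on_attempt, rto_ms):
    """Deliver one reliable packet (update/query/reply) to one neighbor.

    acks_on_attempt: attempt number at which the neighbor ACKs (1 = the
    initial multicast, 2 = the first unicast retransmission, ...) or None if
    it never does.  Returns the transmissions made, whether the neighbor
    relationship was reset, and the total time spent waiting on the RTO."""
    log = [(MULTICAST_GROUP, "multicast")]
    if acks_on_attempt == 1:
        return {"log": log, "reset": False, "waited_ms": 0}
    waited = 0
    for attempt in range(2, UNICAST_RETRY_LIMIT + 2):  # attempts 2..17
        waited += rto_ms          # RTO expired with no ACK from this neighbor
        log.append((neighbor_addr, "unicast"))
        if acks_on_attempt == attempt:
            return {"log": log, "reset": False, "waited_ms": waited}
    waited += rto_ms              # RTO after the 16th unicast also expires
    return {"log": log, "reset": True, "waited_ms": waited}


def update_srtt(srtt_ms, sample_ms):
    """Fold a new ACK round-trip sample into the smoothed RTT.  The guide says
    only that samples are averaged; the 4:1 weighting here is an assumption
    for illustration, kept in whole milliseconds as the neighbor table shows."""
    if srtt_ms is None:
        return sample_ms
    return (4 * srtt_ms + sample_ms) // 5


if __name__ == "__main__":
    # Constructed case: neighbor 148.43.200.9 never answers, RTO 200 ms.
    result = send_reliable("148.43.200.9", acks_on_attempt=None, rto_ms=200)
    print(len(result["log"]), "transmissions, reset =", result["reset"],
          "after", result["waited_ms"], "ms")
```

With a 200 ms RTO a silent neighbor costs 17 transmissions and 3.4 seconds before the reset; during that time the window of one means no further reliable packets go to that neighbor, and the reset then discards every route learned from it, which is why a neighbor that keeps resetting shows up as route churn for the whole EIGRP domain.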

Page 66 (slide 13)

Administrative Distance Defaults

Connected Interface 0

Static Route 1

RIP 120

IGRP 100

EIGRP 90

OSPF 110

BGP 20

Administrative distance is a value assigned to a route, usually categorized by protocol, which indicates to the IOS the value of trust that should be given. This allows the IOS to choose a route between two protocols in the event they had both learned of a route to the same destination. This should not be confused with a metric, which is used to choose a route learned by the same protocol. Administrative distance is a rating of the trustworthiness of a routing information source, such as an individual router or a group of routers. Distance is an integer from 0 to 255. In general, the higher the value, the lower the trust rating. A distance of 255 means the routing information source cannot be trusted at all and should be ignored. Specifying distance values enables the router to discriminate between sources of routing information. The router always picks the route whose routing protocol has the lowest distance.
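Route selection by administrative distance and then by metric, as an added example (not from the course guide). The distance table is exactly the slide's; the candidate lists are constructed and the function name is mine.

```python
# Added example (not from the course guide): route selection between sources
# using the administrative distances listed on the slide, then by metric
# within a source.  The candidate lists are constructed; the function name is mine.

# Defaults exactly as the slide lists them.
ADMIN_DISTANCE = {
    "connected": 0, "static": 1, "bgp": 20, "eigrp": 90,
    "igrp": 100, "ospf": 110, "rip": 120,
}
UNTRUSTED = 255  # a source at this distance is ignored entirely


def select_route(candidates):
    """candidates: [(source, metric), ...] all for the same destination.

    Lowest administrative distance wins regardless of metric; the metric only
    decides between routes from the same source.  Returns every candidate that
    ties on both (equal-cost routes from one protocol), or [] if nothing is
    trusted.  A source not in the table is treated as untrusted (255)."""
    ranked = [(ADMIN_DISTANCE.get(src, UNTRUSTED), metric, src)
              for src, metric in candidates]
    ranked = [r for r in ranked if r[0] < UNTRUSTED]
    if not ranked:
        return []
    best = min((ad, metric) for ad, metric, _ in ranked)
    return [(src, metric) for ad, metric, src in ranked if (ad, metric) == best]


if __name__ == "__main__":
    # Constructed: OSPF offers a tiny metric, EIGRP a huge one; EIGRP still wins.
    print(select_route([("ospf", 10), ("eigrp", 2169856)]))
```

The first call in the usage line makes the point of the paragraph: the OSPF metric of 10 and the EIGRP metric of 2169856 are never compared with each other, because distance is settled first.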

Page 67 (slide 14)

EIGRP Metrics

[Figure: routers A and B. A Routing Update between them carries the Vector Metrics: Bandwidth 256 kbs, Delay 250000 ms, Load 147/255, Reliability 253/255, MTU 1500, Hop Count 3. The receiving router performs the Composite Metric Calculation [K1xBW + ((K2xBW)/(256-load)) + K3xDelay]x[K5/(reliability + K4)] and arrives at Composite Metric = 6410000.]

• EIGRP calculates/utilizes two different metrics: Vector & Composite.
• Vector consists of six elements and is advertised to neighbor routers.
• Composite is calculated using the vector elements and is not shared.
• Composite metric is used to determine the preferred route.

EIGRP utilizes two types of metrics: Vector and Composite. Vector metrics consist of six different components.

1. Bandwidth
2. Delay
3. Load
4. Reliability
5. MTU
6. Hop Count

The vector metric components are utilized to compute the composite metric. Vector metric components are exchanged between EIGRP neighbors. Under normal conditions, the only two components that actually affect the composite metric are bandwidth and delay. Load, reliability, and MTU are components left over from IGRP. Since IGRP sent periodic updates at set intervals, these components had value (load and reliability are averaged over time). But since EIGRP sends triggered updates in relation to network changes, the values for load and reliability are generally not accurate. Therefore, it is recommended that they not be used in the computation of the composite metric. EIGRP has a maximum allowable hop count of 255. If a route to a destination network exceeds this, then it is deemed unreachable. Hop count is not used as a variable unless there is a tie in the composite metric between two routes or all of the other components are “turned off” for the composite metric computation. The composite metric is a value derived by placing the vector metric values in a mathematical formula. The composite metric value is used by the router to determine the preferred routes. The lower the value, the more preferred. Composite metric is not shared with neighbor routers.

Page 68 (slide 15)

router2#sho ip eigrp topo 148.18.0.0/17
IP-EIGRP (AS 1): Topology entry for 148.18.0.0/17
  State is Passive, Query origin flag is 1, 1 Successor(s), FD is 2169856
  Routing Descriptor Blocks:
  148.18.1.2 (Serial0/0), from 148.18.1.2, Send flag is 0x0
      Composite metric is (2169856/256), Route is Internal
      Vector metric:
        Minimum bandwidth is 1544 Kbit
        Total delay is 20000 microseconds
        Reliability is 0/255
        Load is 1/255
        Minimum MTU is 1500
        Hop count is 1

Displaying Vector Metrics

To display the composite and vector metrics associated with a destination network, use the “show ip eigrp topology” command and specify the destination network. Example above: sho ip eigrp topo 148.18.0.0/17

Page 69 (slide 16)

Composite Metric Calculation

[K1xBW + ((K2xBW)/(256-load)) + K3xDelay]x[K5/(reliability + K4)]

• K-values are numbers used in the conversion from vector to composite metric. By changing a K-value, preference or weight can be given to a certain vector metric.

• Default K-values: K1=1, K2=0, K3=1, K4=0, K5=0

With the default K-values the formula reduces to: K1xBW + K3xDelay = BW* + Delay**

*BW = 10^7 / minimum BW along path in kbs, X 256

**Delay = sum of all delays in the path, in tens of microseconds, X 256

Note: If K5 = 0, the formula reduces to: [K1xBW + ((K2xBW)/(256-load)) + K3xDelay]

The above formula is utilized for computing the composite metric. The vector metric component values are placed in the designated areas of the formula. K-values are numbers used for the conversion of vector metric values to the composite metric. By changing the K-value number, preference or weighting can be given to certain vector metrics. By default, only K1 and K3 have a value associated, 1. This in turn means the only two vector metric values that are utilized are bandwidth and delay. All of the other associated vector metric values have a K-value of 0, which has the effect of “zeroing out” their value in the formula. The bandwidth value used in the composite metric formula is not actually the bandwidth value associated with the interface. It is a number derived by dividing 10^7 by the minimum interface bandwidth value along the route, in kilobits per second. This value is then multiplied by 256. Delay is the sum of all the delays, in tens of microseconds, assigned to each interface in the path to the destination network, multiplied by 256. The bandwidth and delay metrics are applied on an outgoing basis.

Page 70 (slide 17)

Show IP Protocol

• displays K value settings

nc3#show ip protocol
Routing Protocol is "eigrp 1"
  Outgoing update filter list for all interfaces is
  Incoming update filter list for all interfaces is
  Default networks flagged in outgoing updates
  Default networks accepted from incoming updates
  EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
  EIGRP maximum hop count 100
  EIGRP maximum metric variance 1
  Redistributing: eigrp 1
  Automatic network summarization is in effect
  Routing for Networks:
    148.33.0.0
  Routing Information Sources:
    Gateway         Distance      Last Update
    148.33.0.34           90      00:04:34
    148.33.0.30           90      00:04:35
  Distance: internal 90 external 170

The “show ip protocol” command can be utilized to display the “K” value settings within an EIGRP process. Default K value settings are K1=1, K2=0, K3=1, K4=0, K5=0. For two EIGRP routers to become neighbors, the K value settings of each must be the same. As a general rule, the K values for EIGRP should be left at the default value. Enabling the K values associated with reliability and load should never be done. Using these values can cause inconsistencies in the calculation of the composite metric. Reliability and load values are based on calculations averaged over a period of time when the link is in an operational status. These work well with IGRP due to the fact that IGRP sends out periodic updates at set intervals (90 seconds). EIGRP, on the other hand, sends out triggered updates which are based on network changes. Once the network changes, the value associated with reliability and/or load may not accurately reflect how the link has been operating over a set period of time.

Page 71 (slide 18)

Composite Metric Calculation cont.

[ (10^7 / Minimum Bandwidth) + Sum of all Delays ] x 256

[Figure: a path of three links with their interface values: BW 1544 kbps, Delay 20000; BW 115 kbps, Delay 20000; BW 10000 kbps, Delay 1000 (link labels T-1 and 512 kbs).]

[ (10000000 / 115) + 4100 ] x 256 = 23310469

Note: Bandwidth of 115 kbps is expressed in formula as 115.

Delay is in tens of microseconds. “Show interface” shows microseconds and must be divided by 10 for use in the formula.

When placing the values in the formula, ensure the bandwidth is expressed in kbs; 115 kbps would be entered as 115. The delay value shown utilizing the “sho interface” command is in microseconds. This must be converted to tens of microseconds by dividing it by 10 before it is used to calculate the metric. In the above example, 115 kbs is the lowest bandwidth in the path so it is utilized for the bandwidth value in the formula. 10^7 is divided by 115. The delay values listed in the path are divided by ten and added together for a composite value. These two values are then added together and multiplied by 256. This value is the composite metric.
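The composite metric calculation from the last three slides (the K-value formula, its default reduction to bandwidth plus delay, and the worked path on this slide), as an added example written for this guide rather than taken from it. The two worked inputs are the guide's own: the 148.18.0.0/17 topology entry shown earlier and the three-link path above. The function names are mine.

```python
# Added example (not from the course guide): the composite metric formula from
# the slides, computed with integer arithmetic the way the router's topology
# table shows it.  The two worked inputs are the guide's own (the 148.18.0.0/17
# topology entry, and the three-link path on this slide); function names are mine.

DEFAULT_K = (1, 0, 1, 0, 0)  # K1..K5, as "show ip protocol" reports them


def scaled_bandwidth(min_bw_kbps):
    """BW term: 10^7 divided by the lowest bandwidth on the path (kbps), x256.
    Integer division: the router drops the fraction (see usage note)."""
    return (10_000_000 // min_bw_kbps) * 256


def scaled_delay(delays_us):
    """Delay term: the interface delays ("show interface" microseconds) summed,
    converted to tens of microseconds, x256."""
    return (sum(delays_us) // 10) * 256


def composite_metric(min_bw_kbps, delays_us, load=1, reliability=255, k=DEFAULT_K):
    """[K1xBW + (K2xBW)/(256-load) + K3xDelay] x [K5/(reliability+K4)];
    the right-hand factor applies only when K5 is non-zero, as the slide notes."""
    k1, k2, k3, k4, k5 = k
    bw = scaled_bandwidth(min_bw_kbps)
    delay = scaled_delay(delays_us)
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay
    if k5 != 0:
        metric = metric * k5 // (reliability + k4)
    return metric


def topology_line(metric):
    """Render the value the way "show ip eigrp topology" prints it."""
    return f"Composite metric is ({metric}/256)"


if __name__ == "__main__":
    # The guide's topology entry: minimum bandwidth 1544 Kbit, total delay 20000 us.
    print(topology_line(composite_metric(1544, [20000])))
    # The three-link path on this slide: bandwidths 1544/115/10000, delays 20000/20000/1000.
    print(topology_line(composite_metric(115, [20000, 20000, 1000])))
```

For the topology entry the function returns 2169856, matching the router output on the earlier slide, and that value is the evidence for the integer division: 10^7 / 1544 is 6476.68, and only the truncated 6476 plus 2000, times 256, gives 2169856. Applied to the three-link path the same arithmetic gives 23310336; the slide's hand calculation of 23310469 keeps the fractional part of 10^7 / 115, so the two differ by that rounding and nothing else.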

Page 72 (slide 19)

Interface Default Values

Interface Type                    Bandwidth (kbps)   Delay (Microseconds)
Ethernet                          10000              1000
Fast Ethernet                     100000             100
Tunnel                            9                  500000
Serial Interface                  1544               20000
Low Speed Serial Int Below T-1    115                20000
ISDN BRI                          64                 20000
ISDN PRI                          64                 20000
Dialer interface                  56                 20000
Channelized T1 or E1              N * 64             20000
Async interface                   TTY line speed     100000
Loopback                          8000000            5000

The default values of bandwidth and delay are usually correct for LAN interfaces but tend to be incorrect for the WAN interfaces. Bandwidth and sometimes delay must be specified for each WAN interface using the “bandwidth” or “delay” commands. The bandwidth and delay specified on an interface affect only the metric calculation and have no impact on the actual speed or time in the transfer of packets.

Page 73 (slide 20)

DUAL Algorithm

• Diffusing Update Algorithm (DUAL)

• Tracks all routes advertised by all neighbors

• Selects loop-free path using a successor and feasible successors
  - If successor is lost: Use a feasible successor
  - If no feasible successor: Query all neighbors and recompute new successor

• Once new Successor is selected, update all neighbors of new topology

• All neighbors now must decide if new topology affects their “Best Path” election

The DUAL algorithm embodies the decision process for all route computations. It tracks all routes advertised by all neighbors. The metric information, known as a distance, is used by DUAL to select efficient loop-free paths. The lowest-cost route is calculated by adding the cost between the next-hop router and the destination (reported distance) to the cost between the local router and the next-hop router (the total is referred to as the feasible distance). A successor is a neighboring router used for packet forwarding that has a least-cost path to a destination that is guaranteed not to be part of a routing loop. Multiple successors can exist, if they have the same feasible distance and use different next-hop routers. All successors are added to the routing table. The next-hop router(s) for the backup path is referred to as the feasible successor (FS). In order to qualify as a feasible successor, a next-hop router must have a reported distance (RD) less than the feasible distance (FD) of the current successor route. If the successor’s route is no longer valid and a suitable feasible successor exists, this feasible successor replaces the invalid successor in the routing table without a recomputation. More than one feasible successor can be kept at one time. When there are no feasible successors but there are neighbors advertising the destination, a recomputation must occur. This is the process where a new successor is determined. The amount of time it takes to recalculate the route affects the convergence time.

Page 74 (slide 21)

DUAL - EIGRP Definitions

REPORTED DISTANCE: The metric to reach a destination network as advertised or reported by a router to each of its neighbors.

SUCCESSOR: A neighbor router used for packet forwarding to a destination network that has the lowest metric path, and is guaranteed loop-free.

FEASIBLE DISTANCE: The metric to a destination network through the successor. The FD is a combination of the successor’s RD and the metric of the local router’s interface used to reach the successor.

FEASIBLE SUCCESSOR: A neighbor router used as a back-up to the successor and is guaranteed loop-free. In order to become an FS, the router’s RD must be less than the FD of the Successor. Requires no recomputation of the topology table upon failure of the successor.

The reported or advertised distance is the metric advertised by each router to a destination network. The router that is determining the best path (performing the DUAL operation) does not add its own interface metrics to compute the reported distance. It is simply the metric for a destination advertised by the neighbor. The feasible distance is the lowest metric route from the router performing the DUAL operation to the destination network. The router uses the reported distance and the metric on the interface it was received on to calculate the feasible distance. A successor is the next-hop router (neighbor) for traffic from the current router to a destination. A successor is chosen based on it having the lowest feasible distance to a destination. There can be multiple successors. In this case, the multiple routes would have the same feasible distance and load balancing would take place. A neighbor router that is not selected as the successor can qualify as a feasible successor if it meets the feasibility condition. The condition is met if a neighbor’s reported distance to a destination is lower than the successor’s feasible distance to that same destination. A feasible successor is simply a backup route within the topology database. There can be multiple feasible successors. When feasible successors are present and the successor’s route is lost, the process for determining a replacement path is very simple: the feasible successor is immediately chosen without a DUAL process taking place. The concepts of the feasibility condition and feasible successors are central to loop avoidance.

Page 75 (slide 22)

Successor & Feasible Successor (1)

[Figure: topology of routers X, A, B, C and Z with destination network 148.43.200.128/28. From router Z's perspective: ROUTER A RD=10, FD=15 (S); ROUTER B RD=10, FD=20 (FS); ROUTER C RD=20, FD=25.]

• All RD & FD values are based on network 148.43.200.128 being the destination.
• The successor and feasible successor selections are based on router Z’s network perspective.

Router Z has determined that the lowest feasible distance (FD) to network 148.43.200.128/28 is 15. Based on this information, router A is elected as the successor. Candidates for a feasible successor are routers B and C. Router C is not eligible as its reported distance is higher than the feasible distance of the successor. Router B however has a reported distance of 10 which is lower than the feasible distance of 15, so it is chosen as a feasible successor.

Page 76 (slide 23)

Successor & Feasible Successor (2)

[Figure: the same topology with destination network 148.43.200.128/28, after the Z to A path fails. From router Z's perspective: ROUTER A RD=10, FD=15 (path down); ROUTER B RD=10, FD=20 (S); ROUTER C RD=20, FD=25.]

• Path from router Z to router A (successor) goes down.
• Router B automatically becomes the successor – no DUAL algorithm performed.
• Router Z then goes through process to determine if there is a feasible successor available.

The path between routers Z and A fails. Router B immediately becomes the successor. Z then begins the process to determine if there is a feasible successor available. Since router C’s RD is equal to router B’s FD, then C is not eligible to become a FS.


24

Query Process (1)

[Figure: topology of routers X, A, B, C and Z with per-link costs; RD and FD values from router Z’s perspective for network 148.43.200.128/28: Router A RD=10, FD=15 (S); Router B RD=15, FD=25; Router C RD=20, FD=30. Router Z sends a query to B and C.]

• Router A is the successor for router Z for network 148.43.220.128; no feasible successor.
• The link from router Z to A goes down.
• Router Z sends queries to neighbors asking for route info for 148.43.200.128.

Router A is the successor for router Z to forward packets to network 148.43.200.128/28. There is no FS because no other router meets the feasibility condition. The path between routers Z and A fails. Router Z must send queries to each of its remaining neighbors requesting route information for network 148.43.200.128/28.


25

Query Process (2)

[Figure: same topology as the previous slide; routers B and C send a response to the query back to Z. From router Z’s perspective for network 148.43.200.128/28: Router A RD=10, FD=15 (lost); Router B RD=15, FD=25 (S); Router C RD=20, FD=30 (FS).]

• Routers B & C respond to the query.
• Router B is selected as the successor.
• Router C is selected as the feasible successor.

Routers B and C respond to router Z with route information to the requested network. Based on the RD sent by each, router B is selected as the successor based on it having the lowest FD. Router C is then selected as an FS because its RD is lower than the successor’s FD.
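The following is an added example, not part of the student guide, that works the feasibility condition and the successor/feasible successor selection described in the DUAL overview and on the four slides above. It takes the reported distances and link costs printed on the slides (router Z’s view of 148.43.200.128/28) and shows both outcomes when the successor is lost: promotion of a feasible successor with no query, and the query case where the table is rebuilt from the replies. The neighbor table format and the function names are assumptions made for this illustration.

```python
# Added example, not from the student guide: a local DUAL computation for a single
# destination as seen from router Z. Neighbor names, reported distances and link
# costs are taken from the guide's Successor/Feasible Successor and Query Process
# slides; the code itself is illustrative and not IOS.


def compute_dual(neighbors):
    """neighbors: {name: (reported_distance, cost_of_our_link_to_neighbor)}.
    Returns (feasible_distance, successors, feasible_successors)."""
    # FD through each neighbor = neighbor's RD + the metric of our link to it
    fd_via = {n: rd + cost for n, (rd, cost) in neighbors.items()}
    fd = min(fd_via.values())
    # every neighbor at the lowest FD is a successor (equal-cost load balancing)
    successors = sorted(n for n, d in fd_via.items() if d == fd)
    # feasibility condition: a non-successor's RD must be strictly lower than
    # our FD; "equal" does not qualify (the C versus B case on the slide)
    feasible = sorted(n for n, (rd, _) in neighbors.items()
                      if n not in successors and rd < fd)
    return fd, successors, feasible


def lose_path(neighbors, lost):
    """Simulate losing the path to one neighbor. Returns the action taken and the
    table DUAL settles on afterwards (for the query case, the result once the
    remaining neighbors' replies are in)."""
    _, successors, feasible = compute_dual(neighbors)
    remaining = {n: v for n, v in neighbors.items() if n != lost}
    if lost not in successors:
        action = "successor unchanged"
    elif len(successors) > 1 or feasible:
        action = "feasible successor promoted, no query"
    else:
        action = "no feasible successor: route goes Active, neighbors queried"
    if not remaining:
        return action, None, [], []
    new_fd, new_succ, new_fs = compute_dual(remaining)
    return action, new_fd, new_succ, new_fs


# Values from the first Successor & Feasible Successor slide (router Z's view of
# 148.43.200.128/28): A RD 10 over a cost-5 link, B RD 10 over cost 10, C RD 20 over cost 5
SLIDE_SUCCESSOR = {"A": (10, 5), "B": (10, 10), "C": (20, 5)}
# Values from the Query Process slides: B's RD is 15 and the link costs differ
SLIDE_QUERY = {"A": (10, 5), "B": (15, 10), "C": (20, 10)}

if __name__ == "__main__":
    print(compute_dual(SLIDE_SUCCESSOR))      # (15, ['A'], ['B'])
    print(lose_path(SLIDE_SUCCESSOR, "A"))    # promoted: FD 20 via B, no FS
    print(lose_path(SLIDE_QUERY, "A"))        # query: FD 25 via B, FS C
```

Note the strict comparison in the feasibility check: on the second slide C’s RD (20) equals B’s new FD (20), so C is not a feasible successor, exactly as the slide states.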


26

Configuring EIGRP

router(config)#router eigrp autonomous system number

router(config-router)#network network-number [wildcard-mask]

• enables EIGRP and defines the autonomous system number.

• selects directly connected networks/interfaces that will participate in the EIGRP process.

• the network number can either be classful or can be used in conjunction with a wildcard mask to specify individual networks/interfaces.

Use the “router eigrp as-number” command to enable EIGRP routing and define an autonomous system number. This does not actually have to be an assigned or valid AS number, even though it could be. Each router within the EIGRP topology must use the same number, though, in order to form neighbor relationships. The network statement defines the interfaces or directly connected networks over which EIGRP will operate. Once a network statement is configured, EIGRP compares the network assigned to each interface to the range defined in the network statement. If the network assigned to an interface is within the range in the network statement, EIGRP will operate through that interface and will advertise the network assigned to the interface. If it is not within the range, EIGRP will not operate on that interface. EIGRP network statements can be classful or can be used in conjunction with a wildcard mask. The wildcard mask allows the administrator to specify individual interfaces for EIGRP operation or, in some cases, to keep EIGRP from operating on a specific interface.


27

Passive Interface

• Prevents routing protocol packets from being generated on the interface.

• If there is no EIGRP speaking device connected to the interface, there is no need to transmit EIGRP information from the interface.

• Still allows the announcement of the network to the rest of the EIGRP community.

Router(config-router)#passive-interface interface

When a network statement is installed under EIGRP, two things take place: EIGRP announces that it has the specified network to all neighbors, and EIGRP begins sending EIGRP packets, such as hellos and routing updates, out the matching interface. There are cases where you need to announce the network but the network itself consists of non-EIGRP-speaking devices, such as a LAN with purely host computers. In this case there is no need to send EIGRP packets out this interface, as none of the host computers need or understand EIGRP information. The passive-interface command allows the network to be announced but stops the transmitting of EIGRP packets out the interface.
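The following is an added example, not part of the student guide, that models the two decisions just described: which interfaces a “network” statement (classful, or with a wildcard mask) pulls into EIGRP, and what “passive-interface” changes for one of them (the connected prefix is still advertised, but no EIGRP packets are sent). The interface table is constructed from the addressing on the lab diagram and is an assumption, not a real router configuration.

```python
# Added example, not from the student guide: models how EIGRP's "network"
# statement selects interfaces and what "passive-interface" changes.
import ipaddress

# Constructed interface table for a hypothetical router, modelled on router 7's
# addressing in the guide's EIGRP network diagram (assumption, not a real config).
INTERFACES = {
    "Loopback0": "148.43.200.7/32",
    "Serial0/0": "148.43.200.97/30",
    "Serial0/1": "148.43.200.101/30",
    "FastEthernet0/0": "148.43.200.193/28",
    "Ethernet1/0": "10.1.1.1/24",   # an interface outside 148.43.0.0/16 (constructed)
}


def classful_network(addr):
    """Classful (A/B/C) network of an IPv4 address, which is how a 'network'
    statement without a wildcard mask is interpreted."""
    first = int(addr.split(".")[0])
    prefixlen = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)


def network_statement_range(network, wildcard=None):
    """Translate 'network <network> [wildcard]' into an address range.
    A wildcard mask is an inverted subnet mask: 0 bits must match."""
    if wildcard is None:
        return classful_network(network)
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    masklen = bin(mask).count("1")
    # this translation only handles contiguous wildcards (0s on the left, 1s on the right)
    if mask != (0xFFFFFFFF << (32 - masklen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return ipaddress.ip_network(f"{network}/{masklen}", strict=False)


def eigrp_interfaces(interfaces, network_statements, passive=()):
    """Return {ifname: {"advertise": prefix, "send_hellos": bool}} for every
    interface whose address falls inside at least one network statement.
    network_statements: list of (network,) or (network, wildcard) tuples.
    passive: names of interfaces configured with 'passive-interface'."""
    ranges = [network_statement_range(*stmt) for stmt in network_statements]
    result = {}
    for name, cidr in interfaces.items():
        iface = ipaddress.ip_interface(cidr)
        if any(iface.ip in r for r in ranges):
            result[name] = {
                "advertise": str(iface.network),    # the connected prefix is still announced
                "send_hellos": name not in passive,  # passive only stops EIGRP packets
            }
    return result


if __name__ == "__main__":
    # classful statement covers every 148.43.x.x interface; LAN made passive
    print(eigrp_interfaces(INTERFACES, [("148.43.0.0",)], passive=("FastEthernet0/0",)))
    # wildcard statement pins EIGRP to a single /30 link
    print(eigrp_interfaces(INTERFACES, [("148.43.200.96", "0.0.0.3")]))
```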


28

EIGRP Network Diagram

[Figure: lab topology of routers 1 through 7. Loopbacks: 148.43.200.1 /32 through 148.43.200.7 /32 (one per router). LAN subnets: 148.43.200.64 /28 (e1/0), 148.43.200.80 /28, 148.43.200.128 /28, 148.43.200.144 /28, 148.43.200.160 /28, 148.43.200.192 /28, 148.43.200.208 /28 (f0/0), 148.43.200.224 /28, 148.43.200.184 /29 (e1/1), 148.43.200.248 /29 (e1/1). Serial links (s0/0, s0/1, s1/0, s1/1): 148.43.200.96 /30 (.97/.98), 148.43.200.100 /30 (.101/.102), 148.43.200.104 /30 (.105/.106), 148.43.200.108 /30 (.109/.110), 148.43.200.176 /30 (.177/.178), 148.43.200.180 /30 (.181/.182), 148.43.200.240 /30 (.241/.242), 148.43.200.244 /30 (.245/.246).]

Install the network shown above.


29

Show IP Route

router7#sho ip ro
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     148.43.0.0/16 is variably subnetted, 26 subnets, 4 masks
C       148.43.200.7/32 is directly connected, Loopback0
D       148.43.200.244/30 [90/2681856] via 148.43.200.106, 00:03:56, Serial0/2
D       148.43.200.240/30 [90/2425856] via 148.43.200.110, 00:03:56, Serial0/3
D       148.43.200.248/29 [90/2428416] via 148.43.200.110, 00:03:56, Serial0/3
D       148.43.200.224/28 [90/2428416] via 148.43.200.110, 00:03:56, Serial0/3
D       148.43.200.208/28 [90/2172416] via 148.43.200.106, 00:03:56, Serial0/2
D       148.43.200.192/28 [90/2172416] via 148.43.200.110, 00:03:56, Serial0/3
D       148.43.200.180/30 [90/2681856] via 148.43.200.98, 00:03:56, Serial0/0
D       148.43.200.176/30 [90/2681856] via 148.43.200.102, 00:03:56, Serial0/1
D       148.43.200.184/29 [90/2684416] via 148.43.200.102, 00:03:56, Serial0/1
                          [90/2684416] via 148.43.200.98, 00:03:56, Serial0/0
D       148.43.200.160/28 [90/2684416] via 148.43.200.102, 00:03:57, Serial0/1
                          [90/2684416] via 148.43.200.98, 00:03:57, Serial0/0
D       148.43.200.144/28 [90/2172416] via 148.43.200.102, 00:03:57, Serial0/1
D       148.43.200.128/28 [90/2172416] via 148.43.200.98, 00:03:57, Serial0/0

(Entries highlighted in red on the slide: the .248 network, the .208 network and the .184 network.)

NOTE: the show command displays on pages 26 – 29 are not based on the network just installed on the previous page. They are used to explain the different information provided by each command. The D in the left-hand column indicates the route was learned by EIGRP and originated internal to this autonomous system. An EX would indicate that the route was installed by EIGRP but originated outside the AS and was redistributed into the EIGRP protocol. This flag allows EIGRP to differentiate between internally and externally learned routes. Internal EIGRP routes have an administrative distance of 90 and external routes have a distance of 170. Whenever two equal-cost paths are learned by EIGRP, both will be installed in the routing table and automatic load balancing will take place across the two. Take note of the network entries above in red: “.248”, “.208”, & “.184”. On the next slides we will examine these in the topology database.


30

Show IP EIGRP Topology (1)

router7#sho ip eigrp topo
IP-EIGRP Topology Table for AS(1)/ID(148.43.200.7)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 148.43.200.248/29, 1 successors, FD is 2428416
        via 148.43.200.110 (2428416/1916416), Serial0/3
        via 148.43.200.106 (2684416/2172416), Serial0/2

Field-by-field explanation of the entry (from the slide callouts):

148.43.200.248/29 – destination network
1 successors – number of successors for this network
FD is 2428416 – the feasible distance (metric) of the successor
via 148.43.200.110 – address of successor (next hop)
(2428416/1916416) – feasible distance/reported distance of this entry
Serial0/3 – exit interface to reach this next hop
via 148.43.200.106 – address of feasible successor
(2684416/2172416) – feasible distance/reported distance of this entry
Serial0/2 – exit interface to reach this next hop

• only lists successors & FS
• possible to have multiple successors

The “show ip eigrp topology” command lists all EIGRP-known destination networks and the successors and feasible successors for each. Other next-hop routers for a listed destination network may be known to EIGRP, but they are not shown by this command. The table above gives a brief explanation of each field of a destination network entry. The entry lists the number of successors and the feasible distance of the successor(s), followed by the next-hop addresses of the successor(s) and feasible successor(s) with the FD and RD for each. It is possible to have multiple successors and feasible successors. At a minimum there will always be at least one successor for an entry; it is possible to have no feasible successors. Several codes are listed at the top of the display. These codes are applied to each entry depending on its status:

Passive: This network is available and installation can occur in the routing table. Passive is the correct state for a stable network.

Active: Network is currently unavailable; there are outstanding queries for this network.


31

Update: Network is being updated or waiting for an acknowledgment for an update sent.

Query: There is an outstanding query for this network (other than Active state) or waiting for acknowledgment on a reply sent to a query.

Reply: Router is generating a reply pertaining to this network or waiting for an acknowledgement on a previously sent reply.

SIA: Stuck in Active; a query was generated for this network and a reply was not received within a three-minute period.


32

Show IP EIGRP Topology (2)

router7#sho ip eigrp topo
IP-EIGRP Topology Table for AS(1)/ID(148.43.200.7)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 148.43.200.248/29, 1 successors, FD is 2428416
        via 148.43.200.110 (2428416/1916416), Serial0/3
        via 148.43.200.106 (2684416/2172416), Serial0/2
P 148.43.200.224/28, 1 successors, FD is 2428416
        via 148.43.200.110 (2428416/1916416), Serial0/3
        via 148.43.200.106 (2684416/2172416), Serial0/2
P 148.43.200.208/28, 1 successors, FD is 2172416
        via 148.43.200.106 (2172416/28160), Serial0/2
P 148.43.200.192/28, 1 successors, FD is 2172416
        via 148.43.200.110 (2172416/28160), Serial0/3
P 148.43.200.180/30, 1 successors, FD is 2681856
        via 148.43.200.98 (2681856/2169856), Serial0/0
P 148.43.200.176/30, 1 successors, FD is 2681856
        via 148.43.200.102 (2681856/2169856), Serial0/1
P 148.43.200.184/29, 2 successors, FD is 2684416
        via 148.43.200.98 (2684416/2172416), Serial0/0
        via 148.43.200.102 (2684416/2172416), Serial0/1
P 148.43.200.160/28, 2 successors, FD is 2684416
        via 148.43.200.98 (2684416/2172416), Serial0/0
        via 148.43.200.102 (2684416/2172416), Serial0/1

(Entries highlighted on the slide: the .248 network, the .208 network and the .184 network.)

The “show ip eigrp topology” command displays only successors and feasible successors. It is possible to have other network information within the topology database that has not been designated a successor or feasible successor. Now examine the networks noted on the previous page in the routing table: “.248”, “.208”, & “.184”.

.248: Listed as having one successor but has two next-hop addresses through which it can be reached (via). The first, .110, is the successor and the second, .106, is the feasible successor. When this show command states “1 successor” for a network entry, the first “via” entry is the successor and any follow-on entries are feasible successors. This can be verified by comparing the feasible distance of the “.110” entry (2428426) with the reported distance of the “.106” entry (2172416). Since the RD of “.106” is lower than the FD of the successor, “.106” is a feasible successor.

.208: Listed as having one successor. It lists only one next-hop address for this destination network. This is the successor and there are no feasible successors. If there is a route failure through this successor, there is no backup route and the .208 network will be removed from the routing table.


33

.184: Listed as having two successors, followed by two next-hop address entries. These are both successors, each with the same FD. There are no feasible successors. Both next-hop addresses will be entered in the routing table for this destination network and load balancing will take place between the two.


34

Show IP EIGRP Topology All-Links

router7#sho ip eigrp topo all
IP-EIGRP Topology Table for AS(1)/ID(148.43.200.7)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 148.43.200.248/29, 1 successors, FD is 2428416, serno 15
        via 148.43.200.110 (2428416/1916416), Serial0/3
        via 148.43.200.106 (2684416/2172416), Serial0/2
P 148.43.200.224/28, 1 successors, FD is 2428416, serno 14
        via 148.43.200.110 (2428416/1916416), Serial0/3
        via 148.43.200.106 (2684416/2172416), Serial0/2
P 148.43.200.208/28, 1 successors, FD is 2172416, serno 26
        via 148.43.200.106 (2172416/28160), Serial0/2
        via 148.43.200.110 (2940416/2428416), Serial0/3
P 148.43.200.192/28, 1 successors, FD is 2172416, serno 20
        via 148.43.200.110 (2172416/28160), Serial0/3
P 148.43.200.180/30, 1 successors, FD is 2681856, serno 30
        via 148.43.200.98 (2681856/2169856), Serial0/0
        via 148.43.200.102 (3193856/2681856), Serial0/1
P 148.43.200.176/30, 1 successors, FD is 2681856, serno 8
        via 148.43.200.102 (2681856/2169856), Serial0/1
        via 148.43.200.98 (3193856/2681856), Serial0/0
P 148.43.200.184/29, 2 successors, FD is 2684416, serno 36
        via 148.43.200.98 (2684416/2172416), Serial0/0
        via 148.43.200.102 (2684416/2172416), Serial0/1

(Entries highlighted on the slide: the .184 network, the .248 network and the .208 network.)

The “show ip eigrp topology all-links” command displays all network routes known by EIGRP, regardless of whether a route is a successor, a feasible successor, or a route advertised by a neighbor that did not meet the feasibility condition. To be a feasible successor, a route’s reported distance must be less than the feasible distance. For network entries .248 and .184 the display above is the same as the display for the “show ip eigrp topology” command: the .248 network still has one successor and one feasible successor listed, and the .184 network still has only two successors listed. For network entry .208, however, the display now shows two next-hop addresses. The entry indicates it has one successor, which is the .106 next-hop address. It then lists a next hop of .110. By comparing the RD of .110 (2428416) with the FD of .106 (2172416), it can be seen that .110 does not meet the feasibility condition and therefore cannot be a feasible successor. Even though the router knows about the route to network .208 through the next-hop address of .110, it will not use it as a backup upon failure of the successor, .106. It will go through the process of querying its neighbors for route information to this network to determine a new path.
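The following is an added example, not part of the student guide, that parses the “show ip eigrp topology” / “show ip eigrp topology all-links” output format explained on the last three slides and applies the same classification the text walks through by hand: each “via” entry is marked as a successor (its FD equals the entry’s FD), a feasible successor (its RD is below the entry’s FD) or not feasible (shown only by all-links and never used as a backup). The sample output is a constructed copy of the slide’s .248, .208 and .184 entries; the regular expressions and function names are assumptions made for this illustration, not an IOS facility.

```python
# Added example, not from the student guide: parse "show ip eigrp topology [all-links]"
# output and classify each next hop against the feasibility condition.
import re

# Constructed copy of the guide's all-links entries for the .248, .208 and .184 networks
SAMPLE_OUTPUT = """\
router7#sho ip eigrp topo all
IP-EIGRP Topology Table for AS(1)/ID(148.43.200.7)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 148.43.200.248/29, 1 successors, FD is 2428416, serno 15
        via 148.43.200.110 (2428416/1916416), Serial0/3
        via 148.43.200.106 (2684416/2172416), Serial0/2
P 148.43.200.208/28, 1 successors, FD is 2172416, serno 26
        via 148.43.200.106 (2172416/28160), Serial0/2
        via 148.43.200.110 (2940416/2428416), Serial0/3
P 148.43.200.184/29, 2 successors, FD is 2684416, serno 36
        via 148.43.200.98 (2684416/2172416), Serial0/0
        via 148.43.200.102 (2684416/2172416), Serial0/1
"""

# "P 148.43.200.248/29, 1 successors, FD is 2428416[, serno 15]"
ENTRY_RE = re.compile(
    r"^(?P<state>[PAUQRrs]) (?P<prefix>\S+), (?P<nsucc>\d+) successors?, FD is (?P<fd>\d+)")
# "        via 148.43.200.110 (2428416/1916416), Serial0/3"  -> (FD/RD), exit interface
VIA_RE = re.compile(
    r"^\s+via (?P<nh>\S+) \((?P<fd>\d+)/(?P<rd>\d+)\), (?P<iface>\S+)")


def parse_topology(text):
    """Return {prefix: {"state", "fd", "successors", "paths": [...]}} where each
    path carries its own FD/RD and a role derived from the feasibility condition."""
    table, current = {}, None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = {"state": m["state"], "fd": int(m["fd"]),
                       "successors": int(m["nsucc"]), "paths": []}
            table[m["prefix"]] = current
            continue
        m = VIA_RE.match(line)
        if m and current is not None:
            fd, rd = int(m["fd"]), int(m["rd"])
            if fd == current["fd"]:
                role = "successor"
            elif rd < current["fd"]:          # feasibility condition: RD < successor FD
                role = "feasible successor"
            else:
                role = "not feasible"         # listed by all-links only; never a backup
            current["paths"].append({"via": m["nh"], "fd": fd, "rd": rd,
                                     "iface": m["iface"], "role": role})
    return table


def backup_status(entry):
    """What happens to this destination if one successor is lost."""
    n_succ = sum(p["role"] == "successor" for p in entry["paths"])
    n_fs = sum(p["role"] == "feasible successor" for p in entry["paths"])
    if n_succ > 1:
        return "load balancing; the surviving successor keeps forwarding"
    if n_fs:
        return "feasible successor promoted without a query"
    return "no backup: route goes Active and neighbors are queried"


if __name__ == "__main__":
    for prefix, entry in parse_topology(SAMPLE_OUTPUT).items():
        print(prefix, entry["fd"], [(p["via"], p["role"]) for p in entry["paths"]])
        print("   ", backup_status(entry))
```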


35

Importance of Feasible Successor

With a feasible successor, when the successor is lost, the feasible successor will be installed as the successor (no query). A simple update packet is sent informing all neighbors of the new “best route”.

Without a feasible successor, when the successor is lost, EIGRP must query all its neighbors, receive replies from each*, then begin a DUAL process to select the new successor and possible feasible successors. This process causes all routers involved to use processor and memory resources which could otherwise be used for packet forwarding.

Designing Feasible Successors

• The goal of good network design should be to have feasible successors built in for each successor. This may not be obtainable in all situations but there should be as many feasible successors as possible.

• The reported distance of a neighbor must be lower than the feasible distance of the successor for it to become a feasible successor.

• The feasible successor is based on metrics. By default, only bandwidth and delay on interfaces are used to calculate the metric.

• Manipulating the metrics may allow the designation of a feasible successor.

- Note: only the minimum bandwidth in the route is used in the metric calculation; the sum of all the delays is used. Therefore, changing the bandwidth on an interface within the route may or may not affect the overall metric.


36

Manipulating the Metric

• Default bandwidth values are usually correct for LAN interfaces.

• Default bandwidth tends to be incorrect for the WAN interfaces.

• Bandwidth and sometimes delay must be specified for WAN interfaces.

To set interface bandwidth:
Router7(config-if)# bandwidth <bw-in-kbps>

To set interface delay:
Router7(config-if)# delay <delay-in-tens-of-microseconds>

By manipulating the bandwidth and/or the delay, it is possible to design feasible successors within the EIGRP topology. Once the EIGRP network is operational, the EIGRP show commands reveal where feasible successors currently exist and what must be done to place feasible successors in locations where they don’t exist. The bandwidth command value is in kilobits per second (kbps). To enter a value of 256 kbps, the command would simply be “bandwidth 256”. The delay command value is in tens of microseconds. To enter a value of 10,000 microseconds, the command would be “delay 1000”. When doing the “show int XX” command for this interface, the value in the delay parameter would be 10,000.


37

Feasible Successor Lab

Using the network built during previous lab, determine all Feasible Successors.

Routers 1,2,3 & 7 will work as a group.

Routers 4,5,6 & 7 will work as a group.

Assign bandwidth on interfaces as shown (both ends of interface).

[Figure: the lab topology, routers 1 through 7; bandwidth values of 240k, 254k and 236k are assigned to the serial links as shown on the slide.]

Router 7 should now see a FS to routers 2 and 5.

Routers 2 and 5 should see a FS to 7 and all routers on the other side of 7.

Router 1 should now see a FS to 3 and 3 should see a FS to 1.

Router 4 should now see a FS to 6 and 6 should see a FS to 4.

Apply the bandwidth values to the appropriate interfaces. Once completed, conduct a “show run” command to ensure the changes are correct. If the changes are correct, perform a “clear ip route *” command. This flushes the routing table and forces the bandwidth changes to be used in recalculating the routing table. Then use the “show ip eigrp topo” command to verify that feasible successors have been installed in the topology database.


38

Manipulating the Metric

[Figure: a route whose three hops have BW 1544kbps / Delay 20000, BW 115kbps / Delay 20000 and BW 10000kbps / Delay 1000; the first hop is a T-1 link (labelled 256kbs on the slide).]

• Changing the above T-1 link bandwidth setting from 1544 kbps to 512 kbps has no effect on the overall link metric value (115 kbps is still the minimum on the link).

• Changing the delay on any interface in the path will affect the overall metric.

When an EIGRP router calculates the composite metric it uses only the minimum bandwidth within the route to a destination network. It is very possible to change the bandwidth value on a router interface in this route and have it make no difference to the composite metric. Choosing a value lower than the minimum bandwidth in the route, or changing the bandwidth on the interface which already is the minimum, is the only way manipulating the bandwidth will have any effect on the composite metric. The delay, on the other hand, is cumulative across the route to the destination network. Changing the delay on any interface within the route will have a direct effect on the composite metric.
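The following is an added example, not part of the student guide, that computes the EIGRP composite metric with the default K values, which reduces to 256 × (10^7 ÷ minimum bandwidth in kbps + sum of delays in tens of microseconds) with integer division, and then reproduces the behaviour described on the Designing Feasible Successors, Manipulating the Metric and bandwidth/delay command slides: changing a bandwidth that is not the path minimum leaves the metric untouched, while any delay change moves it. The sample paths are constructed from the bandwidth and delay figures printed on the slides (the 56K and 64K links, and a T-1 plus FastEthernet path); the function names are assumptions made for this illustration.

```python
# Added example, not from the student guide: the EIGRP composite metric with the
# default K values (K1 = K3 = 1, K2 = K4 = K5 = 0). With those defaults the formula
# collapses to  256 * (10^7 // min_bandwidth_kbps + sum(delay_in_tens_of_us)).


def eigrp_metric(hops):
    """hops: list of (bandwidth_kbps, delay_microseconds), one per interface along
    the route. Only the lowest bandwidth counts; the delays are summed."""
    min_bw = min(bw for bw, _ in hops)
    delay_tens = sum(d // 10 for _, d in hops)   # "delay" is configured in tens of us
    return 256 * (10_000_000 // min_bw + delay_tens)


def metric_after_change(hops, index, bandwidth_kbps=None, delay_us=None):
    """Metric after changing one interface's bandwidth and/or delay, to show which
    changes actually move the composite metric."""
    bw, d = hops[index]
    new = list(hops)
    new[index] = (bandwidth_kbps if bandwidth_kbps is not None else bw,
                  delay_us if delay_us is not None else d)
    return eigrp_metric(new)


# Constructed paths. Serial defaults on IOS are 1544 kbps / 20000 us and
# FastEthernet 100000 kbps / 100 us; the 56K and 64K links use the guide's figures.
SERIAL_56K = [(56, 20000)]
SERIAL_64K = [(64, 20000)]
T1_PLUS_FASTETHERNET = [(1544, 20000), (100000, 100)]
# the three-hop path from the "Manipulating the Metric" slide
SLIDE_PATH = [(1544, 20000), (115, 20000), (10000, 1000)]

if __name__ == "__main__":
    print(eigrp_metric(SERIAL_56K), eigrp_metric(SERIAL_64K))     # 46226176 40512000
    print(eigrp_metric(T1_PLUS_FASTETHERNET))                     # 2172416
    base = eigrp_metric(SLIDE_PATH)
    # T-1 hop dropped to 512 kbps: 115 kbps is still the path minimum, no change
    print(base, metric_after_change(SLIDE_PATH, 0, bandwidth_kbps=512))
    # delay on any hop changes the metric
    print(metric_after_change(SLIDE_PATH, 2, delay_us=2000))
```

The 56K and 64K results match the metrics printed on the load-balancing slides that follow, and the T-1 plus FastEthernet result matches the 2172416 FD shown for the .208 and .192 networks in the earlier topology output, which is a useful sanity check when reading real output.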


39

EIGRP Network Diagram

[Figure: the lab topology of routers 1 through 7 with the lab bandwidth values applied to the serial links (BW=254 k, BW=240 k, BW=236 k, BW=240 k). Addressing as on the earlier diagram: loopbacks 148.43.200.1 /32 through 148.43.200.7 /32; LAN subnets 148.43.200.64 /28 (e1/0), 148.43.200.80 /28, 148.43.200.128 /28, 148.43.200.144 /28, 148.43.200.160 /28, 148.43.200.192 /28, 148.43.200.208 /28 (f0/0), 148.43.200.224 /28, 148.43.200.184 /29 (e1/1), 148.43.200.248 /29 (e1/1); serial links 148.43.200.96 /30, 148.43.200.176 /30, 148.43.200.180 /30 and the other /30 links with host addresses .97/.98, .101/.102, .105/.106, .109/.110, .177/.178, .181/.182, .241/.242 and .245/.246.]

NOTE: Once a change is made to the EIGRP configuration, perform a “clear ip route *” command.

From router 7, perform a “show ip route”. The route to 148.43.200.5 is via 148.43.200.106 (router 6). Perform a “show ip eigrp topo”. Note that for address 148.43.200.5 there is also a feasible successor, 148.43.200.110 (router 4). Annotate the FD & RD for the feasible successor. The goal is, by changing the metrics, to make router 4 the successor for router 7 to IP address 148.43.200.5.

On router 7, change the bandwidth on interface s1/1 from 240 to 300. Perform a “show ip route”. Was there any change in the successor? Perform a “show ip eigrp topo”. Was there any change to the FD & RD for the feasible successor?

Change the delay on interface s1/1 from 2000 to 1000 (tens of microseconds). Perform a “show ip route”. Was there a change to the successor? Perform a “show ip eigrp topo”. Was there a change to the feasible successor?

Reset bandwidth and delay on router 7 to the original values.


40

Load Balancing

• Automatically occurs across equal cost (metric) paths.
• Shows both paths in routing table.
• One packet on route A, one packet on route B, etc.

[Figure: two parallel 56K links, A and B, each with metric 46226176.]

sho ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     148.43.0.0/16 is variably subnetted, 15 subnets, 2 masks
D       148.43.200.5/32 [90/2297856] via 148.43.200.245, 01:57:03, Serial0
D       148.43.200.4/32 [90/46226176] via 148.43.200.105, 01:04:34, Serial0
                        [90/46226176] via 148.43.200.105, 01:04:34, Serial1
D       148.43.200.3/32 [90/2809856] via 148.43.200.105, 01:04:31, Serial1
D       148.43.200.2/32 [90/3321856] via 148.43.200.105, 01:04:34, Serial1

Load balancing is a concept that allows a router to take advantage of multiple best paths to a given destination. If a router receives and installs multiple paths with the same administrative distance and metric to a destination, load balancing can occur. Equal cost paths can usually be found by using the show ip route command. As shown in the example above two equal cost paths have been installed and load balancing will take place.


41

Load Balancing Unequal Costs

• EIGRP supports load balancing across unequal cost paths.
• Up to 6 paths can share the traffic load. Default is 4.
• One packet on route A, one packet on route B, etc.
• Variance command is used to specify allowed difference between two paths.

[Figure: two parallel links, A (64K, metric 40512000) and B (56K, metric 46226176).]

Variance is based on Feasible Distance.

A Variance of 2 applied to a Feasible Distance of 40512000 would allow load sharing across any route with a metric less than 81024000 (2 x 40512000).

Variance uses a ratio of the metrics – example: 56k to 64k or 7 to 8.

7 packets would be sent out the 56k link for every 8 packets sent out the 64k link.

EIGRP supports unequal-metric route load balancing. The “variance” command is used to accomplish this. The value expressed in the variance command is a multiplier applied to the feasible distance of the successor. This makes all feasible successors candidates for load balancing if their feasible distance is less than the multiplied feasible distance of the successor. The distribution of packets across unequal cost paths will be a ratio of the metrics; for example, using a 56k link and a 64k link would be a 7/8 ratio, meaning for every 7 packets sent out the 56k link, 8 packets would be sent out the 64k link. Variance can be specified from the default of 1 through 128; however, it is recommended you use no more than a variance of 2, as the processor cycles necessary to calculate the ratio on such unequal metric paths would not be worth the actual benefit of load sharing. The variance command simply multiplies the feasible distance of the successor by the factor specified in the command. All feasible successors with a feasible distance of less than the “altered” feasible distance will then load balance. It may be that backup routes now have a reported distance of less than the “altered” feasible distance as well; however, they will not be candidates for load balancing, as they were not originally a feasible successor. Only successors and feasible successors may load balance.
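The following is an added example, not part of the student guide, that applies the two rules just stated for unequal-cost load sharing: a path is installed only if it is already a feasible successor (its RD is below the successor’s FD) and its FD is below variance × the successor’s FD, so a mere backup route is never installed however large the variance. It also reduces the installed metrics to the small packet ratio the slide quotes (7 to 8 for the 56k and 64k links). The path table is constructed from the slide’s 64K/56K metrics with assumed RDs, and the function names are assumptions made for this illustration.

```python
# Added example, not from the student guide: which next hops the "variance"
# multiplier admits for load sharing, and the resulting packet ratio.
from fractions import Fraction


def variance_paths(paths, variance=1):
    """paths: {next_hop: (fd, rd)} for one destination, successor included.
    Returns {next_hop: fd} for the paths installed for load sharing.
    Both conditions the guide states must hold for a non-successor:
      1. feasibility condition: RD < successor's FD (it must be a feasible successor)
      2. FD < variance * successor's FD
    A path failing (1) is never installed, whatever the variance."""
    successor_fd = min(fd for fd, _ in paths.values())
    limit = variance * successor_fd
    installed = {}
    for nh, (fd, rd) in paths.items():
        is_successor = fd == successor_fd
        is_feasible_successor = rd < successor_fd
        if is_successor or (is_feasible_successor and fd < limit):
            installed[nh] = fd
    return installed


def traffic_share(installed):
    """Approximate packets per path relative to the best path, proportional to
    the inverse of the metric and reduced to a small ratio (e.g. 7/8)."""
    best = min(installed.values())
    return {nh: Fraction(best, fd).limit_denominator(10) for nh, fd in installed.items()}


# Constructed example modelled on the guide's 64K/56K slide. FDs are the slide's
# metrics; the RDs are assumed. Path C fails the feasibility condition (its RD is
# not below the successor's FD), so it is a backup route, not a feasible successor.
SAMPLE_PATHS = {
    "A (64k)": (40512000, 40200000),
    "B (56k)": (46226176, 40000000),
    "C":       (50000000, 45000000),
}

if __name__ == "__main__":
    print(variance_paths(SAMPLE_PATHS))               # only the successor A
    inst = variance_paths(SAMPLE_PATHS, variance=2)   # A and B; C stays out
    print(inst, traffic_share(inst))                  # B gets 7/8 of A's share
```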


42

Configuring Variance

Router7> en

Router7# config t

Router7 (config)# router eigrp 1

Router7 (config-router)# variance 2

• It is recommended that no more than a variance of 2 be used; however, a value of 1 to 128 is allowed.


43

Variance Lab

1. All routers perform a “show ip route” noting which links are currently load balancing (only equal cost paths).

2. All routers perform a “show ip eigrp topo” and note feasible successors.

3. All routers configure a variance of 2.

4. Perform a “clear ip route *”.

5. Perform another “show ip route” and note which links are now load sharing - only to Feasible Successors.

6. Remove the variance command.


44

Route Summarization

• EIGRP uses two methods of route summarization:
  • Automatic (auto-summary)
  • Manual (no auto-summary)

• Automatic gives EIGRP the same classful behavior as RIP or IGRP.
  • At major network boundaries the subnets will be summarized back to the classful network mask when announced across the boundary.

• Manual enables support for discontinuous networks and allows summarization on any interface regardless of network.

EIGRP utilizes two methods of route summarization: automatic and manual.

Automatic summarization is the same type that is utilized by classful routing protocols. When routing updates are advertised across a network that is a different classful network than the update itself, the update is automatically summarized to the classful network. In today’s classless network topologies, this is a feature that is seldom used and can cause serious network routing problems. It is generally “turned off” by utilizing the “no auto-summary” command in the EIGRP configuration. Manual route summarization is designed and configured by a network administrator. In the EIGRP routing protocol, manual summarization can be installed at any point in the network, to any EIGRP router. Unlike OSPF, EIGRP does not employ a hierarchical routing topology by grouping routers into areas and then designated border routers (summarization can only take place on these border routers). EIGRP allows the network administrator to employ summarization as required without drastic network redesign. This is a very important feature in networks that physically change on a regular basis such as those in tactical military communications.


45

Automatic Route Summarization

[Figure: routers A, B and C in a row. A–B link 10.3.0.4 /30 (A is .5, B is .6); B–C link 11.3.0.4 /30 (B is .5, C is .6). Router A has LANs 10.1.0.0 /16 and 10.2.0.0 /16; router C has LAN 12.2.0.0 /16.]

Router A routing table
     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C       10.2.0.0/16 is directly connected, FastEthernet0/1
C       10.1.0.0/16 is directly connected, FastEthernet0/0
C       10.3.0.4/30 is directly connected, Serial0/1
D    11.0.0.0/8 [90/2681856] via 10.3.0.6, 00:05:35, Serial0/1
D    12.0.0.0/8 [90/2684416] via 10.3.0.6, 00:03:19, Serial0/1

Router B routing table
     10.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
D       10.2.0.0/16 [90/540160] via 10.3.0.5, 00:04:54, Serial0/1
D       10.0.0.0/8 is a summary, 00:04:54, Null0
D       10.1.0.0/16 [90/540160] via 10.3.0.5, 00:04:54, Serial0/1
C       10.3.0.4/30 is directly connected, Serial0/1
     11.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
D       11.0.0.0/8 is a summary, 00:04:55, Null0
C       11.3.0.4/30 is directly connected, Serial0/0
D    12.0.0.0/8 [90/540160] via 11.3.0.6, 00:02:38, Serial0/0

Router C routing table
D    10.0.0.0/8 [90/2681856] via 11.3.0.5, 00:00:14, Serial0/1
     11.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
D       11.0.0.0/8 is a summary, 00:00:14, Null0
C       11.3.0.4/30 is directly connected, Serial0/1
     12.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
D       12.0.0.0/8 is a summary, 00:00:14, Null0
C       12.2.0.0/16 is directly connected, FastEthernet0/0

With automatic route summarization enabled (the default) in EIGRP, when an update is advertised across a subnet that belongs to a different classful network than the prefix in the update, the update is automatically summarized to the classful network. Router A has a network statement for 10.0.0.0. All directly connected subnets on router A that fall within 10.0.0.0/8 are announced individually to router B, because B is also a member of the 10.0.0.0/8 network. Router B installs them individually but announces them to C as a single summary route, because C is not a member of 10.0.0.0/8. B also installs the summary route locally, pointing to Null0. Pointing 10.0.0.0/8 to Null0 may lead you to believe B is unable to route traffic to the 10.0.0.0/8 networks. Remember that in the routing table the most specific route wins, and B holds an individual entry for each 10.0.0.0/8 subnet because it is a member of that network; the Null0 route only catches traffic for parts of the /8 that no specific entry covers. Router C advertises the subnet 12.2.0.0/16 to router B, but because they are interconnected over a subnet of the 11.0.0.0 network, C auto-summarizes the advertisement to the classful network 12.0.0.0/8. From C's perspective the whole 10.0.0.0/8 network now lies beyond router B, and from A's and B's perspective the whole 12.0.0.0/8 network lies beyond C. In a large routed network this can cause packets to be forwarded toward destinations where the subnet does not actually exist, where they are discarded.


Manual Route Summarization

Figure: router A's routing table holds the six /22 routes below. A advertises them to router B as two per-interface summaries: 131.108.8.0 255.255.248.0 (covering the 8.0 and 12.0 /22s) and 131.108.16.0 255.255.240.0 (covering the 16.0 through 28.0 /22s).

Routing table for A
D    131.108.8.0 255.255.252.0
D    131.108.12.0 255.255.252.0
D    131.108.16.0 255.255.252.0
D    131.108.20.0 255.255.252.0
D    131.108.24.0 255.255.252.0
D    131.108.28.0 255.255.252.0

Summaries received by B (summarization per interface)
D    131.108.8.0 255.255.248.0
D    131.108.16.0 255.255.240.0

As well as announcing a summary route to the neighbor, an identical copy pointing to Null0 is installed locally, which prevents routing loops.

Summarization must be carefully planned. Proper summarization actually begins before the router is even deployed: it begins with the allocation of IP addresses in contiguous blocks within the network topology. If this is not done, summarization on the router becomes very difficult if not impossible. Unlike link-state protocols such as OSPF or IS-IS, EIGRP lets the network designer create a deep summarization hierarchy that reflects the designed network hierarchy. You are therefore not limited to a star-shaped network consisting of a backbone plus other regions, summarizing only on the region borders as in OSPF. You can configure per-interface summarization with as many summary ranges as you wish, as long as the ranges do not overlap. For each summary range configured on an interface belonging to an EIGRP process, EIGRP creates a summary route for the range as soon as at least one more specific route falling within the range appears in the EIGRP topology table. This summary route points to Null0, carries the minimum metric of all the more specific routes it covers, and is inserted into the main IP routing table with an administrative distance of 5. The more specific routes are then suppressed in updates sent over the interface where the summary range is configured.


Another important factor to remember when summarizing is that only one subnet within the summarized range needs to exist for the summary to be advertised. It is therefore quite possible to advertise, as part of the summary, subnets that the router cannot actually reach.


Creating Summary Routes

This command causes all route announcements that fall within the <network> <mask> specified to be summarized before being sent out interface s0/0.

Router7> en
Router7# config t
Router7(config)# int s0/0
Router7(config-if)# ip summary-address eigrp <as-number> <network> <mask>

Summarization Lab

All routers do “sho ip route” and count the number of routing entries.

All routers apply summarization as follows:

router 1 s0/0 can use 148.43.200.128 /26

router 2 s0/0 and s0/1 can use 148.43.200.160 /27

router 3 s0/0 can use 148.43.200.128 /26

router 4 s0/0 can use 148.43.200.192 /26

router 5 s0/0 and s0/1 can use 148.43.200.224 /27

router 6 s0/1 can use 148.43.200.192 /26

router 7 all serials can use 148.43.200.64 /27 and 148.43.200.96 /28

All routers now do “sho ip route” and count number of routing entries.


EIGRP Route Summarization Problem

Figure: routers 1, 2, 3 and 7. Router 7 s0/0 faces router 1 over the .97/.98 link and router 7 s0/1 faces router 3 s0/0 over the .101/.102 link; router 3 connects to router 2 over the .177/.178 link and router 2 to router 1 over the .181/.182 link. Router 1's f0/0 LAN is 148.43.200.128/28 (where .129 lives) and its e1/0 LAN is 148.43.200.64/28; 148.43.200.80/28 is also in the topology.

Router 7 routing table
148.43.0.0/16 is variably subnetted, 17 subnets, 5 masks
C    148.43.200.100/30 is directly connected, Serial0/1
D    148.43.200.96/28 is a summary, 00:01:10, Null0
D    148.43.200.6/32 [90/10718720] via 148.43.200.106, 00:01:10, Serial0/3
D    148.43.200.5/32 [90/11818496] via 148.43.200.106, 00:01:10, Serial0/3
D    148.43.200.4/32 [90/11306496] via 148.43.200.110, 00:01:10, Serial0/2
D    148.43.200.3/32 [90/10718720] via 148.43.200.102, 00:01:10, Serial0/1
D    148.43.200.2/32 [90/11818496] via 148.43.200.102, 00:01:10, Serial0/1
D    148.43.200.1/32 [90/11306496] via 148.43.200.98, 00:01:10, Serial0/0
D    148.43.200.192/26 [90/10593280] via 148.43.200.106, 00:01:10, Serial0/3
D    148.43.200.128/26 [90/10593280] via 148.43.200.102, 00:01:10, Serial0/1

Router7#ping 148.43.200.129
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 148.43.200.129, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/24/28 ms
Router7#trace 148.43.200.129
Tracing the route to 148.43.200.129

  1 148.43.200.102 4 msec 4 msec 8 msec
  2 148.43.200.177 12 msec 8 msec 8 msec
  3 148.43.200.181 8 msec * 8 msec

The above diagram shows the routing table from router 7. Router 7 has the route 148.43.200.128/26 via interface Serial0/1 installed in its table; s0/1 is directly connected to router 3. Routers 1 and 3 both advertise the summary route 148.43.200.128/26 to router 7, but because router 3 advertises a lower metric than router 1, only the advertisement from 3 is installed. This does not appear to be a problem, because router 3 has connectivity to all of the summarized subnets. A ping and traceroute to 148.43.200.129, which resides on a subnet directly connected to router 1, prove it: the trace shows the path to .129 running from 7 through 3, then 2, and on to 1.


EIGRP Route Summarization Problem (link between router 1 and router 2 down)

Figure: the same topology as the previous slide, with the .181/.182 link between router 1 and router 2 failed. Router 7's routing table is unchanged: it still holds 148.43.200.128/26 [90/10593280] via 148.43.200.102, Serial0/1.

Router7#ping 148.43.200.129
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 148.43.200.129, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

Router7#trace 148.43.200.129
Tracing the route to 148.43.200.129

  1 148.43.200.102 8 msec 4 msec 4 msec
  2 148.43.200.102 !H * !H

Problems can occur, though, when there are network disruptions within the summarized area. In the above example the link between routers 1 and 2 fails. Router 3 still holds subnets, learned from router 2, that fall within the summary range configured on its interface s0/0, so it continues to advertise the summary out s0/0 to router 7, even though it can no longer reach all of the subnets the summary originally covered. Using ping and trace again, the address 148.43.200.129 is now unreachable even though router 7 has a working path to that subnet through router 1. EIGRP does not offer that path to the routing table as a candidate because the summary learned from router 3 still has the lower metric. As long as a single subnet within a summary range is present on an interface that has that summary configured, the router advertises the summary. This can leave subnets inside the range unreachable even though an operational path to them exists. Careful planning is required when designing and implementing route summarization in an EIGRP topology; the benefits of summarization can sometimes be outweighed by reachability problems of this kind.
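The following is an added worked example, not code from this student guide, that models the two rules stated in the Manual Route Summarization notes (a summary appears as soon as one component exists, carries the minimum component metric, and is installed to Null0 with AD 5) and reproduces the reachability trap just described. The prefixes follow the router 3 / router 7 slides; the metrics, the topology-table contents and all function names are constructed for illustration and are not IOS output or commands.

```python
"""How EIGRP builds a per-interface summary route, and the reachability trap
the slides above describe.

Added example, not code from the student guide.  The prefixes follow the
router 3 / router 7 slides; the metrics and the helper names are constructed
for illustration and are not IOS output.
"""
from __future__ import annotations

from ipaddress import IPv4Network
from typing import Optional

SUMMARY_AD = 5  # administrative distance IOS gives the local Null0 summary route

# Summary configured on router 3 toward router 7:
#   ip summary-address eigrp <as> 148.43.200.128 255.255.255.192
SUMMARY = IPv4Network("148.43.200.128/26")
R2_SUMMARY = IPv4Network("148.43.200.160/27")   # overlaps SUMMARY; used to show the check
R1_LAN = IPv4Network("148.43.200.128/28")       # router 1 f0/0, where .129 lives

# Router 3's topology table for the /26 range before the 1-2 link fails
# (constructed metrics; only their ordering matters for the example).
R3_BEFORE = {
    R1_LAN: 2195456,                                # router 1 LAN, learned via router 2
    IPv4Network("148.43.200.176/30"): 2169856,      # link 2-3 (.177/.178)
    IPv4Network("148.43.200.180/30"): 2681856,      # link 1-2 (.181/.182)
}
# After the 1-2 link fails router 3 loses the router 1 LAN and the failed
# link, but still knows the 2-3 link, which lies inside the /26.
R3_AFTER = {p: m for p, m in R3_BEFORE.items()
            if p not in (R1_LAN, IPv4Network("148.43.200.180/30"))}


def summary_for_interface(summary: IPv4Network,
                          topology: dict[IPv4Network, int]) -> Optional[dict]:
    """Summary route EIGRP generates for `summary` on an interface.

    Rule from the slides: as soon as at least one more-specific route inside
    the range exists in the topology table, the summary is created, installed
    locally to Null0 with AD 5, and carries the minimum metric of its
    components.  With no component at all it is not advertised (None).
    """
    components = {p: m for p, m in topology.items() if p.subnet_of(summary)}
    if not components:
        return None
    return {"prefix": summary, "metric": min(components.values()),
            "next_hop": "Null0", "ad": SUMMARY_AD,
            "components": sorted(components)}


def overlapping(summaries: list[IPv4Network]) -> bool:
    """IOS requires the summary ranges on one interface not to overlap."""
    return any(a != b and (a.subnet_of(b) or b.subnet_of(a))
               for a in summaries for b in summaries)


def advertised_out(summaries: list[IPv4Network],
                   topology: dict[IPv4Network, int]) -> dict[IPv4Network, int]:
    """Prefixes (and metrics) actually sent out the interface: every
    more-specific route inside a configured range is suppressed and replaced
    by the summary; everything else is sent unchanged."""
    if overlapping(summaries):
        raise ValueError("summary ranges on one interface must not overlap")
    out = {p: m for p, m in topology.items()
           if not any(p.subnet_of(s) for s in summaries)}
    for s in summaries:
        route = summary_for_interface(s, topology)
        if route is not None:
            out[s] = route["metric"]
    return out


def covers_unreachable(summary: IPv4Network, topology: dict[IPv4Network, int],
                       wanted: IPv4Network) -> bool:
    """The trap from the slide: True when the summary is still advertised
    although `wanted`, a prefix inside the range, is no longer in the
    topology table, so a neighbor will keep sending that traffic here."""
    return (wanted.subnet_of(summary)
            and wanted not in topology
            and summary_for_interface(summary, topology) is not None)


if __name__ == "__main__":
    for label, table in (("before 1-2 link failure", R3_BEFORE),
                         ("after 1-2 link failure", R3_AFTER)):
        route = summary_for_interface(SUMMARY, table)
        print(label, "->", route["prefix"], "metric", route["metric"],
              "components", [str(p) for p in route["components"]],
              "hides unreachable .128/28:", covers_unreachable(SUMMARY, table, R1_LAN))
```

Run it and the summary metric is the same before and after the failure, because the surviving component (the 2-3 link) was already the lowest-metric one; router 7 therefore sees no change at all, which is exactly why its traffic for .129 keeps going to router 3. The `overlapping` check reflects the no-overlap rule from the notes; a real planning script would run it against every interface's configured ranges before pushing configuration.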


Query Response Process (1)

Figure: router A sends a query to router B.

• No entry in the topology database for the route in question: reply with unreachable.
• If the querying router is the successor for the route in question and a feasible successor exists, the queried router replies with this information.
• If the querying router is the successor for the route in question and no feasible successor exists, the queried router queries its neighbors.
• If the query was received from a neighbor that is not the successor for this destination, the queried router replies with its successor information.

When the route to a destination network through the successor fails and no feasible successor is available, the EIGRP router issues a query to all of its neighbors asking for route information for the network in question. Depending on the relationship between the querying router, the queried neighbor and the network in question, there are four possible actions the queried router can take (listed above). Each is covered in the next four slides.


Query Response Process (2)

Figure: router A queries router B for network X; B's topology database has no entry for network X, so B replies "unreachable".

• No entry in the topology database for the route in question: reply with unreachable.

In the example above, router A loses connectivity to network X through its successor. There is no feasible successor available. It sends a query to router B asking for route information to network X. Router B checks its topology database and finds it has no entry for network X. It then sends a reply to router A stating that network X is unreachable. Network unreachable is an acceptable response to a query.


Query Response Process (3)

Figure: router A queries router B for network X. B's topology database lists A as successor for X and C as feasible successor; B replies to A with a route to X via C.

• If the querying router is the successor for the route in question and a feasible successor exists, the queried router replies with this information.

In the example above, router A loses connectivity to network X through its successor. There is no feasible successor available. It sends a query to router B asking for route information to network X. Router B checks its topology database and finds that router A is the successor and that router C is the feasible successor. Router B then sends a reply to router A stating that its successor to network X is router C.


Query Response Process (4)

Figure: router A queries router B for network X. B's topology database lists A as successor for X and no feasible successor; B in turn queries router C for network X.

• If the querying router is the successor for the route in question and no feasible successor exists, the queried router queries its neighbors.

In the example above, router A loses connectivity to network X through its successor. There is no feasible successor available. It sends a query to router B asking for route information to network X. Router B checks its topology database and finds that router A is the successor and there is no feasible successor. Router B then queries its neighbors for route information to network X.


Query Response Process (5)

Figure: router A queries router B for network X. B's topology database lists C as successor for X; B replies to A that its successor to X is C.

• If the query was received from a neighbor that is not the successor for this destination, the queried router replies with its successor information.

In the example above, router A loses connectivity to network X through its successor. There is no feasible successor available. It sends a query to router B asking for route information to network X. Router B checks its topology database and finds that router C is the successor for network X. Router B then sends a reply to router A stating that its successor to network X is router C.
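The four cases on the preceding slides, as an added example that is not part of the student guide. It models router B's topology table for network X with a reported distance and computed distance per neighbor, applies the feasibility condition (a neighbor's reported distance must be lower than B's feasible distance) to find feasible successors, and returns the action B takes for a query from A. Router names, metrics and the method names are constructed; only the decision rules come from the slides.

```python
"""The four query-handling cases from the Query Response Process slides,
as a small model of router B's topology table for network X.

Added example, not code from the student guide.  Router names, metrics and
the method names are constructed; the decision rules are the four bullets
on the slides.
"""
from __future__ import annotations

from dataclasses import dataclass, field

UNREACHABLE = None  # what a reply carries when the router has no route


@dataclass
class Path:
    reported_distance: int   # RD: the neighbor's own metric to X
    computed_distance: int   # RD plus the metric of the link to that neighbor


@dataclass
class TopologyEntry:
    """Router B's knowledge of X: one Path per neighbor, the successor, and
    the feasible distance (FD) the feasibility condition compares against."""
    paths: dict[str, Path]
    successor: str
    feasible_distance: int

    def feasible_successors(self) -> list[str]:
        # Feasibility condition: a neighbor's RD must be lower than our FD.
        return [n for n, p in self.paths.items()
                if n != self.successor and p.reported_distance < self.feasible_distance]

    def metric(self) -> int:
        return self.paths[self.successor].computed_distance


@dataclass
class Router:
    name: str
    neighbors: list[str]
    topology: dict[str, TopologyEntry] = field(default_factory=dict)

    def handle_query(self, from_neighbor: str, network: str) -> dict:
        """Decide what to do with a query for `network` from `from_neighbor`.
        Returns {"action": "reply"|"query", "to": ..., "route": ...}."""
        entry = self.topology.get(network)

        # Case 1: no entry in the topology table -> reply unreachable at once.
        if entry is None:
            return {"action": "reply", "to": from_neighbor, "route": UNREACHABLE}

        if entry.successor == from_neighbor:
            # The querier was our path to X and has lost it; drop that path.
            entry.paths.pop(from_neighbor)
            fs = entry.feasible_successors()
            if fs:
                # Case 2: promote the best feasible successor and reply with it.
                best = min(fs, key=lambda n: entry.paths[n].computed_distance)
                entry.successor = best
                entry.feasible_distance = entry.paths[best].computed_distance
                return {"action": "reply", "to": from_neighbor,
                        "route": {"via": best, "metric": entry.metric()}}
            # Case 3: no feasible successor -> go active and query our other
            # neighbors (excluding the querier is a simplification of this model;
            # the slide only says "queries its neighbors").
            targets = [n for n in self.neighbors if n != from_neighbor]
            return {"action": "query", "to": targets, "route": None}

        # Case 4: the querier is not our successor, so our path is unaffected;
        # answer with what we already use.
        return {"action": "reply", "to": from_neighbor,
                "route": {"via": entry.successor, "metric": entry.metric()}}


def slide2_router() -> Router:
    """B has no entry for X at all."""
    return Router("B", ["A"])


def slide3_router() -> Router:
    """Successor A (FD 20); C reports 15 < 20, so C is a feasible successor."""
    return Router("B", ["A", "C"], {"X": TopologyEntry(
        {"A": Path(10, 20), "C": Path(15, 30)}, successor="A", feasible_distance=20)})


def slide4_router() -> Router:
    """Successor A (FD 20); C reports 25, which fails the feasibility condition."""
    return Router("B", ["A", "C"], {"X": TopologyEntry(
        {"A": Path(10, 20), "C": Path(25, 35)}, successor="A", feasible_distance=20)})


def slide5_router() -> Router:
    """Successor C; the query arrives from A, which is not B's successor."""
    return Router("B", ["A", "C"], {"X": TopologyEntry(
        {"C": Path(10, 20), "A": Path(30, 40)}, successor="C", feasible_distance=20)})


if __name__ == "__main__":
    for make in (slide2_router, slide3_router, slide4_router, slide5_router):
        print(make.__name__, "->", make().handle_query("A", "X"))
```

Note the difference between slides 3 and 4 is a single number: C's reported distance of 15 versus 25 against B's feasible distance of 20. That is the whole reason one query is answered locally and the other has to diffuse further through the network, which is the situation the next slide on stuck-in-active routes builds on.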


Stuck in Active (SIA)

Figure: router A queries B, B queries C, and C queries D over a link with a large delay. With no answer available locally, each neighbor must query its own neighbors, and so on.

• SIA occurs when queries are not answered in a timely manner.
• Can cause severe network disruptions.

When the successor for a destination network is lost and there is no feasible successor, an EIGRP router sends a query to all of its neighbors requesting route information for the network in question. A query can take so long to be answered that the router that issued it gives up, clears its adjacency with the neighbor that has not answered and effectively restarts the neighbor session. This is known as the stuck in active (SIA) state. SIA routes occur when it takes too long for a query to reach the edge of the network and for the reply to travel back. In the example above, the neighbor relationship between routers A and B could be reset simply because B cannot respond to A until it receives a response from C. This is undesirable, as traffic between A and D could otherwise flow with no problems. An SIA problem usually involves only one route; routers A and B could be routing for hundreds of other networks without trouble, but when the adjacency is reset, routing for all networks via A and B is temporarily disrupted. If SIA problems occur routinely within an EIGRP topology, the network appears congested, and SIA is routinely misdiagnosed as insufficient bandwidth or router latency. The wait time for the answer to a query (the active timer) is three minutes by default. If any neighbor has not replied within this time, the adjacency with that neighbor is reset. Remember that for the query process to complete, a router must receive replies from all queried neighbors: if a router queries four neighbors and immediately receives replies from three, it continues to wait for the fourth before making a routing decision on the queried network, and at the end of the three-minute period it resets that neighbor. (Later IOS releases refine this with SIA-Query and SIA-Reply messages, which let a neighbor that is still waiting on its own downstream queries prove it is alive; the reset-on-timeout behavior described here is the original one.)


Limiting the Query Range (1)

1. Route summarization
   - keeps individual subnets from being advertised.
   - if there is not an exact match in the topology database, the query is answered immediately as "network unreachable".
   - relies on the neighbor router to perform the summarization.

2. Route filtering
   - can provide the same benefits as route summarization.
   - does not rely on the neighbor router to implement it.

3. EIGRP stub option
   - routers designated as stubs are not sent queries by neighboring routers.

Limiting the query range of an EIGRP topology is an effective way to control SIA problems. Three techniques can be used: route summarization, route filtering, and the EIGRP stub option. Strictly speaking, these techniques do not limit a query once it has been sent; they limit the need for a router to send, or forward, a query in the first place, by limiting how much of the network topology EIGRP knows about. There is a fine line between letting EIGRP know so much about the topology that SIA problems arise and letting it know too little to route packets effectively.


Limiting the Query Range (2)

Figure: routers A, B, C and D surround router Z; summarization is configured on the links leading away from Z.

• A network failure on router Z is localized by the use of summarization and is not sent to routers A, B, C and D; the query process is not started.

Route summarization segments the EIGRP topology by combining multiple subnets from a region of the topology into larger consolidated networks. This "hides" the individual subnets from other routers and tells them about one large network instead. Any packet for that range is simply routed to the summarizing router, which then distributes it to the individual subnets. This limits the query range because when a single subnet inside the summarized network fails, the failure is hidden from the routers receiving the summary: they do not know about it and do not have to go through the query process to find a new route to it. When route summarization is used to limit the query range, a router must rely on its neighbors to implement it; the routers performing the summarization do not see the effects or get the benefits themselves. Where an administrator is not in charge of all the routers in the EIGRP topology, he must rely on another entity to perform the summarization, and since it may provide no direct benefit to them, they may or may not be willing to comply.


Limiting the Query Range (3)

Figure: routers A, B, C and D surround router Z; route filtering is configured on the links leading away from Z.

• A network failure on router Z is localized by the use of route filtering: it is not received by routers C and D, and not forwarded to routers A and B.
• Query process not started.

Route filtering is another technique that can be used to limit the query range. If implemented correctly, it can basically provide the same results as summarization. But unlike summarization, the routers performing the filtering can see the results immediately. Through the use of distribution lists and route maps, a network administrator can control what routing information is received and propagated by a router. Route filtering can be used to “hide” individual subnets from routers but other techniques must then be implemented to describe to them a consolidation of these subnets. Techniques such as static routes and default routing can be used for this function.


Limiting the Query Range (4)

Figure: router B with neighbors A, C, D, E, F and Z; routers A, E and F are configured as stubs. After a failure on router Z, B sends queries only to C and D.

• A network failure on router Z occurs. Router B only queries neighbors C and D. No queries are sent to routers A, E or F because they are designated as stubs.

The EIGRP stub option, when configured on a router, makes that router send a flag to its neighbors essentially telling them not to query it. This technique works very well in hub-and-spoke topologies, or wherever a router has a single network connection to another router. If a router has only a single connection to one EIGRP neighbor, it must route through that neighbor to reach every other subnet in the topology. Why then would the neighbor query this "single-threaded" router for information, when that router relies on the querying neighbor for all of its own information? Defining a router as a stub keeps neighboring routers from querying it.
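An added example, not part of the student guide, that ties the three query-range techniques on the preceding slides back to the stuck-in-active problem: it diffuses a query through a small chain of routers with per-link delays, counts which routers receive the query, and checks whether the originating router would hold every reply within the 180-second active timer. Router names, link delays and all function names are constructed; a single "suppressed" edge stands for either an ip summary-address or an outbound distribute-list on the sending router, since for the receiving router both mean "no exact match in the topology table".

```python
"""Which routers a query reaches, and whether it comes back in time, under the
three query-range techniques from the slides above (and the SIA slide).

Added example, not code from the student guide.  Router names, link delays
and the helper names are constructed; the 180-second active timer is the IOS
default the slide describes.  One `suppressed` edge models either a summary
(ip summary-address) or an outbound distribute-list on the sending router,
since for the receiving router both mean "no exact match in the topology
table".
"""
from __future__ import annotations

from dataclasses import dataclass, field

ACTIVE_TIMER_S = 180  # IOS default: a query unanswered for 3 minutes goes SIA


@dataclass
class Topology:
    links: dict[tuple[str, str], float]              # undirected, one-way delay in s
    stubs: set[str] = field(default_factory=set)     # routers running `eigrp stub`
    suppressed: set[tuple[str, str]] = field(default_factory=set)  # (sender, receiver)

    def delay(self, a: str, b: str) -> float:
        return self.links.get((a, b), self.links.get((b, a)))

    def neighbors(self, r: str) -> list[str]:
        return sorted({b if a == r else a for a, b in self.links if r in (a, b)})


def query_scope(topo: Topology, origin: str) -> tuple[set[str], float, bool]:
    """Diffuse a query for a prefix that `origin` has just lost (no feasible
    successor).  Returns (routers that receive a query, seconds until origin
    holds every reply, whether that exceeds the active timer)."""
    queried: set[str] = set()

    def ask(router: str, asked_by: str) -> float:
        """Time from asked_by sending the query until it holds router's reply."""
        d = topo.delay(asked_by, router)
        queried.add(router)
        if (asked_by, router) in topo.suppressed:
            # never learned the specific prefix: reply "unreachable" at once
            return 2 * d
        work = 0.0
        for n in topo.neighbors(router):
            # don't ask the router that asked us, never ask a stub, and treat a
            # router already holding this query as answering from its current
            # state (a simplification of DUAL's handling of duplicate queries)
            if n == asked_by or n in topo.stubs or n in queried:
                continue
            work = max(work, ask(n, router))
        return 2 * d + work

    total = 0.0
    for n in topo.neighbors(origin):
        if n in topo.stubs:
            continue
        total = max(total, ask(n, origin))
    return queried, total, total > ACTIVE_TIMER_S


# Chain from the SIA slide: A - B - C - D, with a large delay on the C-D link.
# Delays are constructed (seconds, one way) and exaggerated to show the timer.
CHAIN = Topology(links={("A", "B"): 1, ("B", "C"): 1, ("C", "D"): 100})


def with_summary_at_b() -> Topology:
    """B summarizes (or filters) toward C, so C never learned the specific prefix."""
    return Topology(links=dict(CHAIN.links), suppressed={("B", "C")})


def with_stub_d() -> Topology:
    """D is configured with `eigrp stub`, so C never queries it."""
    return Topology(links=dict(CHAIN.links), stubs={"D"})


if __name__ == "__main__":
    for label, topo in (("no mitigation", CHAIN),
                        ("summary/filter B->C", with_summary_at_b()),
                        ("D is a stub", with_stub_d())):
        reached, seconds, sia = query_scope(topo, "A")
        print(f"{label:22s} queried={sorted(reached)} replies after {seconds}s SIA={sia}")
```

With no mitigation the query from A reaches D and A waits 204 seconds, so A resets its adjacency with B even though B did nothing wrong. Hiding the prefix at the B-to-C boundary, or making D a stub, stops the diffusion at C and brings the answer back in a few seconds. The two mitigations land in different places, which is the point of the "relies on the neighbor router" bullet: the summary has to be configured on B, while the stub flag is configured on D itself.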


EIGRP Stub Command

router(config)#router eigrp <autonomous-system-number>
router(config-router)#eigrp stub [receive-only|connected|static|summary]

• receive-only – prevents the router from sharing any of its routes with EIGRP neighbors
• connected – permits the router to send connected routes via EIGRP
• static – permits the router to send static routes via EIGRP
• summary – permits the router to send EIGRP summary routes

Use the "eigrp stub" command, under the EIGRP router process, to define a router as a stub within the EIGRP topology. There are four extensions to the command: receive-only, connected, static and summary. Receive-only restricts the router from sharing any of its routes with any other router in the network; if it is configured, the other three options cannot be used. Connected permits the sharing of connected routes with EIGRP neighbors; if a connected route is not covered by a network statement, it must be redistributed into EIGRP. Connected is enabled by default. Static permits the router to share static routes with EIGRP neighbors; these routes must be redistributed into EIGRP. Summary permits the router to share EIGRP summary routes with neighboring routers. This option is enabled by default.


EIGRP Review Questions


1. EIGRP is a ___________ protocol.

a. link state b. distance vector c. enhanced d. hybrid

2. EIGRP is Cisco proprietary?

a. true b. false

3. What are triggered updates?

a. updates sent at set times regardless of network changes b. updates that are sent based on criteria within a route map c. updates sent in response to network changes d. there is no such thing as a triggered update

4. The hello protocol is used for:

a. neighbor discovery only b. neighbor discovery and maintenance c. neighbor AS verification d. routing table maintenance

5. What are the 5 types of EIGRP packets?

a. hello, update, query, ACK, resend b. hello, Unicast, query, ACK, reply c. hello, update, quest, ACK, reply d. hello, update, query, ACK, reply

6. These types of EIGRP packets require acknowledgment? a. update, query, reply b. ACK, hello, query c. hello, update, multicast d. multicast, Unicast, broadcast

7. What is the next step if a neighbor doesn't respond to a packet that requires acknowledgment?

a. resend the packet as multicast b. break the neighbor connection c. resend the packet Unicast d. resend the packet broadcast

8. How many times will a router resend a packet Unicast prior to breaking the neighbor connection? a. 2 b. 14 c. 15 d. 16


9. When hello packets are used for link integrity purposes, they are referred to as ___________. a. ACK b. reply c. keepalives d. query

10. The destination address for hello packets is:

a. neighbor’s address b. 224.0.0.1 c. 224.0.0.10 d. 255.255.255.255

11. What are the hello & hold times for EIGRP on a LAN segment?

a. 10/40 seconds b. 5/15 seconds c. 10/20 seconds d. 15/45 seconds

12. For two EIGRP routers to become neighbors they must agree on ________.

a. K-values and AS number b. hello interval and area ID c. router ID and dead interval d. delay and bandwidth

13. In the “show ip eigrp nei” command, SRTT is what?

a. refers to the average time it takes for a neighbor to reply b. the amount of time a router will wait for a reply c. amount of time it takes for a host to reply to an echo request d. neighbor router ID

14. Composite metrics are advertised to neighbor routers.

a. true b. false

15. Vector metrics consist of ______ components.

a. 5 b. 4 c. 3 d. 6

16. A route has a minimum BW of 256k & a total delay of 45000. What is the composite metric?

a. 111520000 b. 11152000 c. 1115200 d. 1152


17. The successor is ________. a. neighbor with the highest reported distance b. neighbor with highest router ID c. neighbor selected for packet forwarding to a destination network d. neighbor that passed the feasibility condition

18. To become a feasible successor, a router must _________.

a. have a reported distance less than the successor's feasible distance b. have a feasible distance lower than the successor's reported distance c. have an SRTT less than the successor's RTO d. have a metric less than the successor's to the destination network

19. What is the reason for the feasibility condition?

a. minimize the topology database b. minimize router latency c. insure loop free routing d. both a & b

20. DUAL stands for __________.

a. 2 b. diffusing update algorithm c. database UNIX algorithm d. diffusing underlying algorithm

21. If the path to the successor fails, the router will use any matching route in the topology database. a. yes, this speeds up convergence b. yes, all routes are stored in the database c. no, only feasible successors d. no, a query must be sent first

22. EIGRP can be configured as a classful or classless protocol.

a. true b. false

23. The “show ip eigrp topology” command shows all entries in the database.

a. true b. false

24. Changing the bandwidth at any point in a route will change the metric.

a. true b. false

25. Manipulating the metric can be used as a tool to build feasible successors into a topology.

a. true b. false


26. The command to change the delay on an interface is _________. a. router(config)#delay xxxxx b. router(config-router)#delay xxxxx c. router(config-if)#delay xxxxx d. router(config-line)#delay xxxxx

27. In EIGRP, load balancing occurs automatically on unequal paths.

a. true b. false

28. The variance command does which of the following?

a. causes all known routes to be candidates for load balancing b. multiplies the feasible distance of the successor by the value used in the command c. varies the metric of the feasible successor d. causes EIGRP to alternate the interface route updates are sent

29. What are the two type of route summarization used in EIGRP? a. internal and external b. auto and manual c. composite and vector d. single and multiple

30. Route summarization is configured at what location on the router? a. within the EIGRP routing protocol b. from the global configuration mode c. on the interface d. none of the above

31. When summarizing, it is possible to advertise subnets that the router has no knowledge about.

a. true b. false

32. What is SIA – stuck in active?

a. a reply has not been received from a hello b. the time to wait for the reply on a query has been exceeded c. a Unicast packet has been sent 16 times d. this is a normal operational state

33. What can be implemented to limit the query range?

a. variance, summarization, filtering b. filtering, feasible successor, filtering c. summarization, filtering variance d. filtering, summarization, stub option


34. You are experiencing SIA problems with routes not under your control. What can you implement immediately to correct the problem?
a. stub option
b. filtering
c. summarization
d. variance

35. What does configuring an EIGRP router as a stub do?
a. keeps external routing information from being forwarded to it
b. can only be used on single-homed routers
c. keeps queries from being sent to it
d. summarizes all routing information

36. A router receives a query and finds no entry for the route in its database. What does it do next?
a. queries its neighbors
b. runs the feasibility condition
c. replies with unreachable
d. route goes SIA


BGP Border Gateway Protocol


[Diagram: the Internet drawn as a set of interconnected autonomous systems AS-7, AS-36, AS-43, AS-51, AS-66, AS-82 and AS-86.]

• An autonomous system is a collection of networks under a single administrative control which share a common routing strategy.

• The collection of autonomous systems interconnected using BGP form the backbone of the internet.

BGP 4 Autonomous System

The Internet is formed by the interconnection of many privately owned and autonomous networks, each one run by an independent organization. These organizations often have different policies for routing packets within their own networks and for exchanging packets with other organizations. This fundamental factor of ownership and management control leads to the internal-external distinction. Routing must still take place within an autonomous network, because there will usually be many alternative pathways that packets can travel; nowadays this routing is usually done using link-state protocols such as OSPF. An autonomous system is one network or set of networks under a single administrative control. An autonomous system might be the set of all computer networks owned by a company or a college. Companies and organizations might own more than one autonomous system, but the idea is that each autonomous system is managed independently with respect to BGP. An autonomous system is often referred to as an "AS". A good example is UUNet, which uses one autonomous system for its European network and a separate autonomous system for its domestic networks in the Americas. If you draw a network map of ASs, three distinct types can be identified:

1. A Stub AS is only connected to one other AS. For routing purposes, it could be regarded as a simple extension of the other AS. In fact, most networks with a single Internet connection don't have a unique AS number assigned, and their network addresses are treated as part of the parent AS.

2. A Transit AS has connections to more than one other AS and allows itself to be used as a conduit for traffic (transit traffic) between other ASs. Most large Internet Service Providers are transit ASs.

3. A Multihomed AS has connections to more than one other AS, but does not allow transit traffic to pass, though its interior hosts may route traffic through multiple ASs. This is the typical configuration for a large corporate network with multiple redundant Internet connections, which does not wish to pass traffic for others.


AS #    Provider
701     UUnet (U.S. domestic) (AS 701-705)
1239    Sprintlink U.S. Domestic
3356    Level 3
7018    AT&T WorldNet
209     Qwest
3561    Cable and Wireless
3549    Global Crossing
2914    Verio
702     UUnet (International)

Autonomous System Numbers

The American Registry for Internet Numbers (ARIN) defines Autonomous System Numbers as: "Autonomous System Numbers (ASNs) are globally unique numbers that are used to identify autonomous systems (ASs) and which enable an AS to exchange exterior routing information between neighboring ASs. An AS is a connected group of IP networks that adhere to a single and clearly defined routing policy." To identify each autonomous system, a globally unique number is assigned to it by a registry so that there are no duplicate numbers: IANA delegates blocks of AS numbers to the regional registries, and ARIN is the registry for North America. Globally unique means exactly that: within the entire Internet all around the globe, the AS number should be unique. Public AS numbers in the original 16-bit space run from 1 to 64511, and the next highest unused number is what is generally assigned. (Since RFC 4893, 32-bit AS numbers are also allocated, so a router may see AS numbers above 65535.) These numbers are referred to as AS numbers. ARIN is responsible for tracking and assigning these numbers in its region, as well as managing IP address allocations and assignments, and charges a fee to organizations obtaining an AS number to cover the administrative costs of managing AS number registrations. To receive an AS number from ARIN, you must be able to show that you are dual-homed to the Internet, which means that you have more than one Internet provider with which you plan to run BGP. You must also have a unique routing policy that differs from your BGP peers. Some companies have difficulty getting an AS number.

If it is not necessary to connect to the Internet, or you are part of a special type of BGP configuration, you can use any of the private AS numbers 64512 through 65535. However, these numbers must NOT be seen on the global Internet: strip them from the AS path before advertising to a public peer (Cisco IOS does this with neighbor ip-address remove-private-as) and filter them inbound from external peers. One example of when you might use private AS numbers is in BGP confederations; the member AS numbers of a confederation should not be seen on the global Internet either. BGP learns and exchanges path information about the route to a given destination network by keeping lists of AS numbers and associating them with destination networks. This is why AS numbers must be unique: a BGP router rejects any route whose AS path already contains its own AS number, so an AS number never appears in a path more than once and routing loops between ASs are prevented.
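An added example, not code from the guide: a small Python model of the AS-number rules above and of the AS-path checks that depend on them. It classifies a 16-bit AS number as public, private or reserved (the guide's private range 64512-65535 is followed, except that 65535 itself is treated as reserved per RFC 7300, with RFC 6996 giving 64512-65534 as the private range), parses the Path column of show ip bgp, applies the loop check (a route whose path already contains the local AS is rejected) and reports or strips private AS numbers before a path is announced toward the Internet. The stripping is a simplified model of what a remove-private-as filter does, not a copy of any vendor's implementation; the sample paths are those of router 7 in this chapter's lab plus one constructed row that carries both a leaked private AS and a loop.

```python
# Added example for this edit; not code from the guide.
from typing import Dict, List

PRIVATE_LOW, PRIVATE_HIGH = 64512, 65534   # RFC 6996 private 16-bit range
RESERVED = {0, 65535}                       # RFC 7607 / RFC 7300


def classify_asn(asn: int) -> str:
    """Return 'public', 'private' or 'reserved' for a 16-bit AS number."""
    if not 0 <= asn <= 65535:
        raise ValueError(f"{asn} is not a 16-bit AS number")
    if asn in RESERVED:
        return "reserved"
    if PRIVATE_LOW <= asn <= PRIVATE_HIGH:
        return "private"
    return "public"


def parse_as_path(path_column: str) -> List[int]:
    """Parse the Path column of 'show ip bgp' ('1 2 3 i') into AS numbers.

    The trailing origin code (i, e or ?) is dropped and an AS_SET such as
    '{65001,65002}' is flattened, since loop and leak checks treat its
    members like any other AS in the path."""
    cleaned = path_column.replace("{", " ").replace("}", " ").replace(",", " ")
    return [int(tok) for tok in cleaned.split() if tok not in ("i", "e", "?")]


def accept_route(local_as: int, path: List[int]) -> bool:
    """Loop prevention: a received route is rejected if our own AS is already
    in its AS path, because that means the route has already been through us."""
    return local_as not in path


def leaked_private(path: List[int]) -> List[int]:
    """Private AS numbers present in a path; on an Internet-facing session
    these should never be seen."""
    return [asn for asn in path if classify_asn(asn) == "private"]


def strip_private(path: List[int]) -> List[int]:
    """Simplified model of a remove-private-as filter applied before
    announcing toward a public peer: drop every private AS from the path."""
    return [asn for asn in path if classify_asn(asn) != "private"]


def audit_paths(local_as: int, rows: Dict[str, str]) -> Dict[str, List[str]]:
    """Run both checks over {prefix: path column} and collect findings."""
    findings: Dict[str, List[str]] = {}
    for prefix, column in rows.items():
        path = parse_as_path(column)
        notes = []
        if not accept_route(local_as, path):
            notes.append(f"loop: local AS {local_as} already in path {path}")
        priv = leaked_private(path)
        if priv:
            notes.append(f"private AS leaked: {priv}")
        if notes:
            findings[prefix] = notes
    return findings


# Paths from router 7's table in this chapter, plus one constructed row
# (148.43.200.160/28) that carries a leaked private AS and a loop.
SAMPLE_ROWS = {
    "148.43.200.48/28": "1 i",
    "148.43.200.80/28": "1 2 3 i",
    "148.43.200.144/28": "i",
    "148.43.200.160/28": "4 65001 7 i",   # constructed, not from the lab
}

if __name__ == "__main__":
    for prefix, notes in audit_paths(7, SAMPLE_ROWS).items():
        print(prefix, "->", "; ".join(notes))
```

Run as a script it reports only the constructed prefix, with both findings; the three real rows from router 7's table pass both checks.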


Interconnecting Autonomous Systems

[Diagram: AS-1 and AS-2 connected by a BGP session.]

• BGP is designed to interconnect two different ASs.

• If a group of routers share a common AS, use an IGP.

A routing protocol used to connect autonomous systems is referred to as an exterior gateway protocol (EGP). The Border Gateway Protocol (BGP) is an EGP used to make policy-based routing decisions between ASs. BGP version 4 (BGP-4) is the latest version of BGP; it was defined in RFC 1771, which has since been obsoleted by RFC 4271. The original Exterior Gateway Protocol (EGP) and BGP versions 1 through 3 do not support CIDR and are not used across the public Internet. The main goal of BGP is to provide an inter-domain routing system that guarantees the loop-free exchange of routing information between ASs. Routers exchange information about paths to destination networks. It is important that when two autonomous systems interconnect, the routing information between the two can be controlled. BGP gives the network administrator the capability to implement policies to control and/or manipulate the routing taking place between the two autonomous systems.

• BGP is not designed to operate as an interior gateway protocol (IGP) – internal to an autonomous system.


Internal vs. External Routing

Interior Routing
• Works within an Autonomous System.
• Selects routes based on metrics or cost: hop count, bandwidth, delay, reliability.

Exterior Routing
• Normally works between Autonomous Systems.
• Selects routes based on policy, not metrics.

An interior routing protocol or IGP (interior gateway protocol) routes within an autonomous system (AS). An IGP determines the best path within a network topology utilizing variables such as bandwidth, delay, or hop count. RIP uses hop count; the path with the fewest number of layer three devices to reach the destination network is the preferred path. OSPF utilizes bandwidth and EIGRP utilizes bandwidth and delay assigned to an interface. All interior routing protocols use outbound metrics or costs to decide where to send packets. An exterior routing protocol or EGP (exterior gateway protocol) routes between autonomous systems. BGP is an example of an EGP. BGP does not utilize the same type of variables as IGPs to determine the best path. BGP is a policy based routing protocol that allows an administrator of an AS to control traffic based on a multitude of route attributes. It gives the flexibility to establish rules to fit the routing needs of the AS. Traffic entering, exiting or even transiting an AS can have policies established to manipulate the flow. This can allow for all available bandwidth to be utilized effectively.


External Routing History

• 1982 – Exterior Gateway Protocol (EGP)

• 1989 – BGP version 1

• 1990 & 91 – BGP versions 2 & 3

• 1995 – BGP version 4 (supports CIDR)

Routing in the early Internet was done using a small number of centralized core routers that maintained complete information about network reachability on the Internet. They exchanged information using the historical interior routing protocol, the Gateway-to-Gateway Protocol (GGP). Around the periphery of this core were located other non-core routers, sometimes standalone and sometimes collected into groups. These exchanged network reachability information with the core routers using the first TCP/IP exterior routing protocol: the Exterior Gateway Protocol (EGP). Like its interior routing counterpart GGP, EGP was developed by Internet pioneers Bolt, Beranek and Newman (BBN) in the early 1980s. It was first formally described in an Internet standard in RFC 827, Exterior Gateway Protocol (EGP), published in October 1982. This draft document was superseded in April 1984 by RFC 904, Exterior Gateway Protocol Formal Specification. Like GGP, EGP is now considered obsolete, having been replaced by the Border Gateway Protocol (BGP). However, also like GGP, it is an important part of the history of TCP/IP routing. When the Internet grew and moved to the autonomous system (AS) architecture, EGP was still able to function as the exterior routing protocol for the Internet. However, as the number of autonomous systems in an internetwork grows, the importance of communication between them grows as well. EGP was functional but had several weaknesses that became more problematic as the Internet grew in size. It was necessary to define a new exterior routing protocol that would provide enhanced capabilities for use on the growing Internet. In June 1989, the first version of this new routing protocol was formalized, with the publishing of RFC 1105, A Border Gateway Protocol (BGP). This initial version of the BGP standard defined most of the concepts behind the protocol, as well as key fundamentals such as messaging, message formats and how devices operate in general terms. It established BGP as the Internet's exterior routing protocol of the future. Due to the importance of a protocol that spans the Internet, work continued on BGP for many years after the initial standard was published. The developers of BGP had to correct problems with the initial protocol, refine BGP's operation, improve efficiency, and add features. It was also necessary to make adjustments to allow BGP to keep pace with other changes in the TCP/IP protocol suite, such as the invention of classless addressing and routing. As you might imagine, changing the version of a protocol like BGP is not an easy undertaking. Any modification of the protocol would require the coordination of many different organizations. The larger the Internet grows, the more difficult this would be. As a result, despite frequent version changes in the early 1990s, BGP-4 remains today the current version of the standard, and is the one that is widely used.


When & When Not to use BGP

BGP is appropriate when at least one of the following exists:
• An AS has multiple connections to other ASs.
• The flow of routing traffic entering or leaving an AS must be manipulated.
• An AS allows packets to transit through it to reach another AS.
• The effects and drawbacks of BGP are well understood.

BGP should not be used if one of the following exists:
• A single connection to the Internet or other AS.
• Routing policy and route selection are not a concern for an AS.
• Lack of memory/processor power on BGP routers to handle constant updates.
• Limited understanding of route filtering and the BGP path selection process.
• Low bandwidth between autonomous systems.

BGP was designed to allow Internet Service Providers (ISPs) to communicate and exchange packets. These ISPs have multiple connections to one another at both public and private peering points. Since the major ISPs have multiple connections to one another, a routing protocol had to be developed to manipulate how and under what conditions a meeting point could be used to exchange packets. BGP is a policy-based routing protocol used to implement this peering agreement between two or more autonomous systems. BGP, if not properly controlled and filtered, has the potential to allow an outside AS to affect your routing decisions: at a minimum, filter the prefixes accepted from and advertised to every external neighbor, and cap what a neighbor can send with a per-neighbor maximum-prefix limit so that a misconfigured or hostile peer cannot flood your routing table. If only one entry/exit point exists in an AS, a default route should be considered. BGP is used to select a pathway to leave your AS or to recommend to an outside AS the preferred entry point. With only one point of entry/exit, using BGP would not accomplish anything except to use router CPU and memory resources. The only policy that can be changed is how a packet enters or leaves an AS. Once a packet enters another AS, that AS's policy will take over and decide how to route the packet.


BGP Features

• Open, non-proprietary.

• Supports VLSM.

• Supports route summarization & CIDR.

• Reliable update – utilizes TCP (179).

• Incremental, triggered updates.

• Robust metrics – path vectors/attributes.

• Designed to scale to very large internetworks.

BGP is an open, non-proprietary protocol in the public domain. It is not owned by any one entity and can be used by any vendor. BGP supports variable length subnet masking to allow for the efficient allocation of IP addresses. BGP allows for route summarization and CIDR. This is extremely important when dealing with large networks so as to keep the routing tables at a manageable level and to reduce router latency when routing decisions are being made. When this guide was written there were approximately 120,000 routes in the routing table of Internet core routers; without CIDR, that number would exceed 2,000,000. BGP utilizes TCP (port 179) as its reliable transport mechanism. This ensures the reliable delivery of update packets so that all routers converge on the same routing information. Unlike IGPs that carry their own transport and acknowledge updates one at a time, BGP's use of TCP gives it a sliding window that can transmit up to 65,535 bytes before it stops and waits for an acknowledgement. This is a must for BGP, which can be responsible for updating thousands of routes at any one time. Relying on TCP also means a BGP session is only as safe as its TCP connection: anyone who can reach port 179 on the router can attempt to open a session or reset an existing one, so peers should be authenticated (the TCP MD5 signature option of RFC 2385, configured with neighbor ip-address password on Cisco IOS) and port 179 should be reachable only from configured neighbors. BGP sends updates only during network changes. This allows BGP traffic to be minimized and network bandwidth to be fully utilized for routing user traffic.


BGP is a policy-based routing protocol. Policies or rules can be implemented based on a variety of routing attributes to manipulate traffic flow patterns. This allows a network administrator to implement policies to fit the needs of the autonomous system in question. BGP is designed to scale to very large internetworks. BGP tracks and utilizes as a routing attribute the list of autonomous systems in the path to reach a destination network. This ensures a loop-free route, because a BGP router will not accept a route which includes its own AS in its path.


BGP Packets

• Open – starts a BGP session between neighbors.

• Keepalive – maintains neighbor connectivity.

• Update – routing update.

• Notification – notifies neighbor of error, connection closed.

The open message opens a BGP communications session between neighbors. It is the first message sent by each side after a transport-protocol connection is established. The receiving neighbor confirms an open message by replying with a keepalive message. The open message must be confirmed before updates, notifications, and keepalives can be exchanged between neighbors. Open messages contain the following information:

- Version Number
- AS Number
- Holdtime
- Router ID
- Optional Parameters

The keepalive message notifies BGP peers that a device is active. Keepalives are sent often enough to keep the sessions from expiring. The default for BGP on Cisco IOS is a keepalive interval of 60 seconds and a hold time of 180 seconds; each side advertises its hold time in the open message and the smaller of the two values is used for the session. An update message is used to provide routing updates to other BGP systems, allowing routers to construct a consistent view of the network topology. Updates are sent using TCP to ensure reliable delivery. An update message can advertise a route, withdraw a route, and advertise all associated attributes. An update contains information about one path only; multiple paths require multiple updates. A single update may contain information about numerous networks reachable through that path. The notification message is sent when an error condition is detected. Notifications are used to close an active session and to inform the connected router of why the session is being closed.
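To make the open and keepalive exchange concrete, here is an added example (written for this edit, not code from the guide or from any router vendor) that builds the two messages, validates the 16-byte marker and the length field that head every BGP message, and runs the checks a receiver performs on an open before confirming it with a keepalive: version, peer AS, BGP identifier and hold time. Byte layouts and notification error codes follow RFC 4271. The AS numbers 7 and 1 and the addresses are taken from this chapter's lab; the optional parameters field is treated as opaque bytes, and the notification a receiver would send is modelled only as its (error code, subcode) pair.

```python
# Added example for this edit; not code from the guide or any BGP implementation.
import struct
from typing import Dict, Optional, Tuple

MARKER = b"\xff" * 16                    # every BGP message starts with 16 bytes of 0xFF
OPEN, UPDATE, NOTIFICATION, KEEPALIVE = 1, 2, 3, 4
HEADER = struct.Struct("!16sHB")         # marker, total length, message type (19 bytes)
OPEN_BODY = struct.Struct("!BHHIB")      # version, my AS, hold time, BGP identifier, opt-param length
MAX_MESSAGE = 4096                       # RFC 4271 maximum message size

# NOTIFICATION (error code, subcode) values for OPEN problems, from RFC 4271.
OPEN_ERROR = 2
UNSUPPORTED_VERSION, BAD_PEER_AS, BAD_BGP_ID, BAD_HOLD_TIME = 1, 2, 3, 6


def ip_to_int(dotted: str) -> int:
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def build_open(local_as: int, hold_time: int, router_id: str, opt_params: bytes = b"") -> bytes:
    """OPEN carrying the five fields the guide lists."""
    body = OPEN_BODY.pack(4, local_as, hold_time, ip_to_int(router_id), len(opt_params)) + opt_params
    return HEADER.pack(MARKER, HEADER.size + len(body), OPEN) + body


def build_keepalive() -> bytes:
    """KEEPALIVE is a bare header; it is also the reply that confirms an OPEN."""
    return HEADER.pack(MARKER, HEADER.size, KEEPALIVE)


def parse_message(data: bytes) -> Tuple[int, bytes]:
    """Check the header and return (type, body). A bad marker, length or type
    is what a real speaker answers with a Message Header Error NOTIFICATION."""
    if len(data) < HEADER.size:
        raise ValueError("short message")
    marker, length, mtype = HEADER.unpack_from(data)
    if marker != MARKER:
        raise ValueError("connection not synchronized: bad marker")
    if length < HEADER.size or length > MAX_MESSAGE or length != len(data):
        raise ValueError(f"bad message length {length}")
    if mtype not in (OPEN, UPDATE, NOTIFICATION, KEEPALIVE):
        raise ValueError(f"bad message type {mtype}")
    return mtype, data[HEADER.size:length]


def is_well_formed(data: bytes) -> bool:
    try:
        parse_message(data)
        return True
    except ValueError:
        return False


def parse_open(body: bytes) -> Dict[str, int]:
    if len(body) < OPEN_BODY.size:
        raise ValueError("short OPEN")
    version, peer_as, hold_time, bgp_id, opt_len = OPEN_BODY.unpack_from(body)
    if len(body) != OPEN_BODY.size + opt_len:
        raise ValueError("optional parameter length mismatch")
    return {"version": version, "as": peer_as, "hold_time": hold_time,
            "router_id": bgp_id, "opt_len": opt_len}


def check_open(expected_as: int, local_hold: int, fields: Dict[str, int]) -> Tuple[Optional[Tuple[int, int]], int]:
    """Validate a peer's OPEN the way a receiver must before confirming it.

    Returns (None, negotiated hold time) when the OPEN is acceptable, or
    ((error code, subcode), 0) describing the NOTIFICATION to send. A wrong
    remote-as configured on one side of the session shows up here as BAD_PEER_AS."""
    if fields["version"] != 4:
        return (OPEN_ERROR, UNSUPPORTED_VERSION), 0
    if fields["as"] != expected_as:
        return (OPEN_ERROR, BAD_PEER_AS), 0
    if fields["router_id"] == 0:
        return (OPEN_ERROR, BAD_BGP_ID), 0
    if fields["hold_time"] in (1, 2):            # must be 0 (no keepalives) or at least 3 seconds
        return (OPEN_ERROR, BAD_HOLD_TIME), 0
    return None, min(local_hold, fields["hold_time"])   # the smaller hold time wins


if __name__ == "__main__":
    # Router 7 (hold time 180) receives an OPEN from its AS 1 neighbor 148.43.200.9.
    wire = build_open(1, 90, "148.43.200.9")
    mtype, body = parse_message(wire)
    print(mtype == OPEN, check_open(1, 180, parse_open(body)))   # True (None, 90)
    # The same OPEN arriving on a session that was configured with 'remote-as 2'.
    print(check_open(2, 180, parse_open(body)))                   # ((2, 2), 0)
```

The marker check is the first thing a receiver does and the reason a stray or forged segment on port 179 cannot be mistaken for a message; the AS check is the one behind the "stuck in open state" symptom described later in this chapter.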


BGP Databases

• Neighbor Table- list all BGP neighbors.

• BGP Topology Table- lists all networks learned from neighbors.

• IP Routing Table- lists preferred paths to destination networks.

BGP establishes and/or maintains three different databases: the neighbor table, the topology table, and the routing table. Unlike an IGP, BGP does not have automatic neighbor discovery. Each neighbor must be configured by IP address and AS number. BGP establishes a TCP connection with each neighbor and maintains the relationship by periodically sending keepalive packets. After the neighbor relationship is established, the routers exchange the BGP routes in their routing tables. These routes are then placed into the router's BGP topology database. All BGP information learned from a router's neighbors is placed into the BGP topology database. The best routes are then selected from the topology database using the BGP selection process. These routes are then offered to the routing table as candidates. The routing table selects the best routes from all candidate routes offered from all routing information sources. Utilizing the administrative distance and then metrics, the preferred candidates are selected for installation into the routing table.


[Lab topology diagram: routers 1 through 7, each in its own autonomous system (AS-1 through AS-7). Each router's f0/0 sits on its own /28 LAN in 148.43.200.0: .49/28, .65/28, .81/28, .97/28, .113/28, .129/28 and .145/28. The routers are joined by serial links (s0/0, s0/1 and s0/3) on /30 subnets using the host pairs .5/.6, .9/.10, .13/.14, .17/.18, .21/.22 and .25/.26.]

BGP Network Lab

Install the above directly connected network. The network is complete when the IP routing table on each router shows its directly connected networks. Do not configure a routing protocol.


BGP Commands

• How do I turn it on?

Router(config)# router bgp autonomous-system

autonomous-system    Identifies the local autonomous system

The router bgp command enables the bgp routing protocol. The syntax of basic BGP configuration commands is similar to the syntax for configuring internal routing protocols. However, there are significant differences in the way that an external protocol functions. Use the router bgp command to activate the BGP protocol and identify the local autonomous system. Only one instance of BGP can be enabled on a router – it can only route for one autonomous system.


External vs. Internal BGP Neighbors

• External BGP Neighbor
- a router whose administrative and policy control is outside of your Autonomous System.

• Internal BGP Neighbor
- a router that falls under the administrative control of a single AS and is assumed to follow a consistent policy with other BGP speakers of that AS.

BGP supports two types of exchanges of routing information: exchanges between different ASs and exchanges within a single AS.

• When used between ASs, BGP is called external BGP (EBGP) and BGP sessions perform inter-AS routing.

• When used within an AS, BGP is called internal BGP (IBGP) and BGP sessions perform intra-AS routing.

A BGP system shares network reachability information with adjacent BGP systems, which are referred to as neighbors or peers. BGP systems are arranged into groups. In an internal BGP group, all peers in the group, called internal peers, are in the same AS. Internal peers can be anywhere in the local AS and do not have to be directly connected to each other. Internal groups use routes from an IGP to resolve forwarding addresses. They also propagate external routes among all other internal routers running internal BGP, computing the next hop by taking the BGP next hop received with the route and resolving it using information from one of the interior gateway protocols. The address that BGP points at for an internal BGP neighbor must also be reachable. This can be by a directly connected network or static routes, but it also can be reachable by the internal routing protocol. Since other routers in an AS can usually be reached by multiple paths, a loopback address is generally used. In an external BGP group, the peers in the group, called external peers, are in different ASs and normally share a subnet. In an external group, the next hop is computed with respect to the interface that is shared between the external peer and the local router. An internal routing protocol (IGP) is not exchanged with an external BGP neighbor. The address which your router points to must be reachable without using a routing protocol. This can be accomplished either by pointing at an address that is reachable by a directly connected network or by using static routes to that IP address. Generally, the neighbor address that is used is a directly connected address of the other router.


Identify Your Neighbors

[Diagram: AS-1 and AS-2 joined by a BGP session between the directly connected addresses 148.43.200.17 and 148.43.200.18.]

EBGP neighbors expect to be directly connected. The neighbor is the IP address of the interface used for the BGP connection. Utilizing the network diagram on page 12, identify the neighbor IPs for your router.


BGP Commands - Neighbors

Router(config-router)# neighbor ip-address remote-as autonomous-system

• Defines a BGP peer and starts the TCP session to it.
• Used for both external and internal neighbors.
• The ip-address is the IP address of the neighboring router's interface to which you are directly connected (for an external neighbor).
• The autonomous-system is the AS number to which the neighboring router belongs.

Two BGP speaking routers trying to become neighbors will first bring up the TCP connection between one another and then send open messages in order to exchange values such as the AS number, the BGP version, the BGP router ID, the keepalive hold time, etc. After these values are confirmed and accepted, the neighbor connection will be established. Any state other than established is an indication that the two routers did not become neighbors and hence the BGP updates will not be exchanged. Two BGP routers become neighbors or peers once they establish a TCP connection between one another. The TCP connection is essential in order for the two peer routers to start exchanging routing updates. The neighbor command used to establish a TCP connection is as follows: neighbor ip-address remote-as number The ip-address is the next hop directly connected address for EBGP and any IP address on the other router, which is reachable via any means (connected, static, or IGP) for IBGP. The remote-as number is the AS number where the neighbor is located. This number must be the same as the one used by the neighbor to enable BGP: external neighbor, different AS; internal neighbor, same AS.


In an IGP, neighbor discovery is automatic and is initiated by the network statement: the network statement starts the IGP process on an interface. In BGP, neighbors must be configured manually. The neighbor statement defines the peer and starts the BGP session to that specific address; no interface is placed into BGP.


Show IP BGP Summary

router7#sho ip bgp sum
BGP router identifier 148.43.200.7, local AS number 7
BGP table version is 14, main routing table version 14
7 network entries using 819 bytes of memory
7 path entries using 336 bytes of memory
8/7 BGP path/bestpath attribute entries using 928 bytes of memory
6 BGP AS-PATH entries using 144 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 2227 total bytes of memory
BGP activity 7/0 prefixes, 7/0 paths, scan interval 60 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
148.43.200.9    4     1      58      58       14    0    0 00:48:02        3
148.43.200.14   4     4      14      14       14    0    0 00:03:16        3

The show ip bgp summary command can be utilized to show the status of a BGP neighbor.

BGP table version            Internal version number of the BGP database.
Main routing table version   Last version of the BGP database that was injected into the main routing table.
Neighbor                     IP address of a neighbor.
V                            BGP version number spoken to that neighbor.
AS                           That neighbor's autonomous system number.
MsgRcvd                      BGP messages received from that neighbor.
MsgSent                      BGP messages sent to that neighbor.
TblVer                       Last version of the BGP database that was sent to that neighbor.
InQ                          Number of messages from that neighbor waiting to be processed.
OutQ                         Number of messages waiting to be sent to that neighbor.
Up/Down                      The length of time that the BGP session has been in state Established, or the current state if it is not established.
State/PfxRcd                 Current state of the BGP session (reference next page).


State/PfxRcd

Idle = The router is looking in the routing table to find a match for the address specified in the neighbor statement.

Active = The router is trying to establish a TCP connection with the neighbor (the full state machine alternates between Connect and Active while it retries).

Open = The router is exchanging BGP open messages with the neighbor (the full state machine calls these states OpenSent and OpenConfirm).

Number = The neighbor relationship is established. The number in the column is the number of prefixes received from that neighbor.

Once the neighbor statement is entered, the router searches for a match for the address specified in the neighbor statement. This allows the router to begin the BGP neighbor establishment on the interface associated with that address. If the state stays in idle, a common cause is that the address specified in the neighbor statement is incorrect or has no route. Once a match is found for the address specified in the neighbor statement, the router begins opening a TCP connection to the neighbor (three-way handshake). This is the active state. Once the TCP connection is established, the router begins sending open messages to the neighbor. If no response is received from the neighbor within 5 seconds, the router returns to the active state. This process will continue until the neighbor responds. A common cause for the router to be stuck in the open state is an incorrect AS number in the neighbor statement, since the receiving side rejects an open whose AS number does not match what it was configured to expect. Once each neighbor has confirmed the open messages, the neighbor relationship is established. At this time, there should be a number in the State/PfxRcd column, which indicates the number of prefixes being advertised by the neighbor. The number could very well be zero, though. This still indicates the neighbor relationship is established, just that no networks are being advertised.
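As an added example (not from the guide), the following Python parses the neighbor table of show ip bgp summary and turns the state rules above into checks an operator would script: any neighbor whose State/PfxRcd column is not a number is not Established and is reported with its state, an Established neighbor sending zero prefixes is flagged, and the neighbors the router reports are compared with the peers that are supposed to be configured (unexpected neighbor, wrong AS, or a missing peer). The sample output is constructed to match lab router 7 (peers in AS 1 and AS 4) with one extra neighbor, 148.43.200.99 in AS 9, deliberately left in the Active state; parse_summary, problem_neighbors and audit_peers are this example's own names.

```python
# Added example for this edit; not code from the guide.
import re
from typing import Dict, List

# Constructed to match lab router 7 (AS 7): peers in AS 1 and AS 4, plus one
# made-up neighbor in AS 9 whose session never came up.
SAMPLE_SUMMARY = """\
BGP router identifier 148.43.200.7, local AS number 7
BGP table version is 14, main routing table version 14
7 network entries using 819 bytes of memory

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
148.43.200.9    4     1      58      58       14    0    0 00:48:02        3
148.43.200.14   4     4      14      14       14    0    0 00:03:16        3
148.43.200.99   4     9       0       0        0    0    0 never    Active
"""

ROW = re.compile(
    r"^(?P<neighbor>\d+\.\d+\.\d+\.\d+)\s+(?P<version>\d+)\s+(?P<remote_as>\d+)\s+"
    r"(?P<msg_rcvd>\d+)\s+(?P<msg_sent>\d+)\s+(?P<tblver>\d+)\s+(?P<inq>\d+)\s+"
    r"(?P<outq>\d+)\s+(?P<up_down>\S+)\s+(?P<state>.+?)\s*$"
)


def parse_summary(text: str) -> List[Dict]:
    """Return one dict per neighbor row; header and memory lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        d = m.groupdict()
        established = d["state"].isdigit()        # a number in State/PfxRcd means Established
        rows.append({
            "neighbor": d["neighbor"],
            "remote_as": int(d["remote_as"]),
            "version": int(d["version"]),
            "msg_rcvd": int(d["msg_rcvd"]),
            "msg_sent": int(d["msg_sent"]),
            "up_down": d["up_down"],
            "established": established,
            "state": "Established" if established else d["state"],
            "prefixes": int(d["state"]) if established else 0,
        })
    return rows


def problem_neighbors(rows: List[Dict]) -> List[str]:
    """Sessions not Established, plus Established sessions that carry no prefixes."""
    out = []
    for r in rows:
        who = f'{r["neighbor"]} (AS {r["remote_as"]})'
        if not r["established"]:
            out.append(f'{who}: stuck in {r["state"]}')
        elif r["prefixes"] == 0:
            out.append(f"{who}: Established but 0 prefixes received")
    return out


def audit_peers(rows: List[Dict], expected: Dict[str, int]) -> List[str]:
    """Compare what the router reports with the intended peer list
    {address: AS}. Unexpected neighbors, AS mismatches and missing peers are
    all reported; each means the configuration or the far side is not what
    was planned."""
    seen = {r["neighbor"]: r["remote_as"] for r in rows}
    out = []
    for addr, remote_as in seen.items():
        if addr not in expected:
            out.append(f"{addr}: not in expected peer list")
        elif expected[addr] != remote_as:
            out.append(f"{addr}: expected AS {expected[addr]}, router reports AS {remote_as}")
    for addr in expected:
        if addr not in seen:
            out.append(f"{addr}: expected peer missing from summary")
    return out


EXPECTED_PEERS = {"148.43.200.9": 1, "148.43.200.14": 4}

if __name__ == "__main__":
    rows = parse_summary(SAMPLE_SUMMARY)
    for line in problem_neighbors(rows) + audit_peers(rows, EXPECTED_PEERS):
        print(line)
```

The state column is captured to end of line on purpose, so multi-word states such as "Idle (Admin)" survive; the same function can be pointed at the real output of the lab routers once the neighbor statements are in.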


BGP Commands - Network

Router(config-router)# network network-number mask network-mask

• Allows BGP to advertise a route if it is in the routing table.

- The network command must include all networks you want to advertise, not just those locally connected.

- For the route designated in the network command to be advertised, there must be an exact match in the routing table.

• This command differs from the network command in IGPs in that it does not activate the protocol on an interface.

The network command controls what networks the router advertises. This is a different concept from the network commands used to configure IGPs. With this command we are not trying to run BGP on a certain interface (this is done by neighbor statements); rather, we are telling BGP which networks it should advertise to its neighbors. The mask portion is used because BGP4 supports subnetting/VLSM and supernetting (CIDR). A maximum of 200 entries of the network command are accepted. For the network command to advertise a network, there must be an exact match (address & mask) in the routing table. The source of this entry (connected, static, IGP, etc.) does not matter, only that there is a match. Because the BGP network command will advertise a route learned from a source other than BGP, this can be considered a form of redistribution.

Page 150

28

Show IP BGP

router7#sho ip bgp
BGP table version is 14, local router ID is 148.43.200.7
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 148.43.200.48/28 148.43.200.9             0             0 1 i
*> 148.43.200.64/28 148.43.200.9                           0 1 2 i
*> 148.43.200.80/28 148.43.200.9                           0 1 2 3 i
*> 148.43.200.96/28 148.43.200.14            0             0 4 i
*> 148.43.200.112/28 148.43.200.14                         0 4 5 i
*> 148.43.200.128/28 148.43.200.14                         0 4 5 6 i
*> 148.43.200.144/28 0.0.0.0                 0         32768 i

The show ip bgp command displays the BGP topology database. All routing information learned from BGP neighbors is stored here.

BGP table version - Internal version number of the table. This number is incremented whenever the table is updated.

local router ID - Router ID for the BGP process.

Status codes - Status of the table entry. The status is displayed at the beginning of each line in the table. It can be one of the following values:

s - The table entry is suppressed (usually due to route summarization).

* - The table entry is valid.

> - The table entry is the best entry to use for that network.

i - The table entry was learned via an internal BGP session.

Page 151

29

Origin codes - Indicates the origin of the entry. The origin code is placed at the end of each line in the table. It can be one of the following values:

i - Entry originated from IGP and was advertised with a network router configuration command.

e - Entry originated from EGP.

? - Origin of the path is not clear. Usually, this is a route that is redistributed into BGP from an IGP.

Network - IP address of a network entity.

Next Hop - IP address of the next system that is used when forwarding a packet to the destination network. An entry of 0.0.0.0 indicates that the router is the owner of that network.

Metric - Also called the multi-exit discriminator (MED). If shown, this is the value of the inter-autonomous system metric. The MED is an indication to external neighbors about the preferred path into an AS. This field is frequently not used.

LocPrf - Local preference is an attribute provided to internal neighbors about the preferred path to exit the AS. The default value is 100.

Weight - Weight is an attribute which is used internal to the router for path selection. It is not exchanged with other routers in the network.

Path - Autonomous system paths to the destination network. There can be one entry in this field for each autonomous system in the path. Reference the origin codes above.
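The router7 table shown above, parsed into the fields just described. This is an added example, not code from the guide or from Cisco; the sample text is the guide's table re-typed as constructed input, with the numeric columns right-aligned under their headers as IOS prints them, which is the layout the parser relies on.

```python
"""Parse the table section of 'show ip bgp' into records (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: the guide's router7 table, numeric columns right-aligned.
SAMPLE = """\
BGP table version is 14, local router ID is 148.43.200.7
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 148.43.200.48/28 148.43.200.9             0             0 1 i
*> 148.43.200.64/28 148.43.200.9                           0 1 2 i
*> 148.43.200.80/28 148.43.200.9                           0 1 2 3 i
*> 148.43.200.96/28 148.43.200.14            0             0 4 i
*> 148.43.200.112/28 148.43.200.14                         0 4 5 i
*> 148.43.200.128/28 148.43.200.14                         0 4 5 6 i
*> 148.43.200.144/28 0.0.0.0                 0         32768 i
"""

ROW = re.compile(r"^([sdh*>irS ]*)(\d[\d./]*)\s+(\S+)")   # status codes, network, next hop
TOKEN = re.compile(r"\S+")


@dataclass
class BgpEntry:
    status: str                # '*>' valid and best, '*>i' learned over iBGP, 's' suppressed
    network: str
    next_hop: str
    metric: Optional[int]      # MED; blank in the output means it is not set
    local_pref: Optional[int]  # blank means the default of 100 applies
    weight: int
    as_path: List[str]         # AS numbers left to right; '{...}' tokens are AS_SETs
    origin: str                # i, e or ?

    @property
    def locally_originated(self) -> bool:
        """Next hop 0.0.0.0 means this router owns the network."""
        return self.next_hop == "0.0.0.0"


def parse_show_ip_bgp(text: str) -> List[BgpEntry]:
    lines = text.splitlines()
    hdr_idx = next(i for i, l in enumerate(lines) if "Network" in l and "Next Hop" in l)
    header = lines[hdr_idx]
    # Numbers are right-aligned under their headers, so a token that ends at or
    # before the start of the next header word belongs to the column before it.
    metric_lim, locprf_lim, weight_lim = (header.index(w) for w in ("LocPrf", "Weight", "Path"))
    entries: List[BgpEntry] = []
    for line in lines[hdr_idx + 1:]:
        m = ROW.match(line)
        if not m:
            continue
        tokens = list(TOKEN.finditer(line, m.end(3)))
        if not tokens:
            continue
        origin = tokens.pop().group(0)          # origin code is always the last token
        metric = local_pref = None
        weight = 0
        as_path: List[str] = []
        for t in tokens:
            if t.end() <= metric_lim:
                metric = int(t.group(0))
            elif t.end() <= locprf_lim:
                local_pref = int(t.group(0))
            elif t.end() <= weight_lim:
                weight = int(t.group(0))
            else:
                as_path.append(t.group(0))
        entries.append(BgpEntry(m.group(1).replace(" ", ""), m.group(2), m.group(3),
                                metric, local_pref, weight, as_path, origin))
    return entries


def originating_as(entry: BgpEntry) -> Optional[str]:
    """Last AS in the path, i.e. where the network entered BGP; None if this router owns it."""
    return entry.as_path[-1] if entry.as_path else None


def is_suppressed(entry: BgpEntry) -> bool:
    """True for entries hidden by summary-only (status code 's')."""
    return "s" in entry.status
```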

Page 152

30

Clear IP BGP * or {address}

• This command should be performed after a configuration change to BGP.

• This forces the change to take effect immediately.

• Will interrupt the TCP connection.

• Use * to reset all connections.

• Use {address} to reset an individual connection, where {address} is the neighbor IP of the connection to reset.

• Discretion must be used when performing this command; all BGP routing information will be lost and may not reconverge for several minutes.

When configuration changes are made to BGP, these will not necessarily take effect immediately. Configuration changes do not force an update message to be sent. Therefore, to implement these changes, the BGP connection must be reset. There are two options for doing this: reset all connections or reset an individual neighbor connection.

• To reset all neighbor connections, utilize the “*” in conjunction with the clear command.

• To reset a single neighbor connection, utilize the neighbor’s ip address with the clear command.

Special care must be given when utilizing this command. It will interrupt the routing of traffic that relies on BGP-derived routing information. Prior to utilizing this command, coordination may have to be made with users to ensure an untimely service interruption is not incurred. Also, for routers that are operating with multiple BGP neighbors, resetting all neighbor connections at the same time will cause all neighbor relationships to be reestablished at the same time and all BGP routing information to be exchanged simultaneously. If large amounts of routing information are received from multiple neighbors at the same time, this could overwhelm the router and extend the service interruption.

Page 153

31

BGP Summarization Options

• Network command with no mask & auto summary enabled.

- command advertises classful network if at least one subnet is present in routing table; auto summary is on by default.

• Static route pointing to Null 0, network command.

- static route forces summarized network into routing table, allowing it to be advertised by network command.

• Aggregate address command.

- advertises a summary route if a subnet of this exists in routing table.

- summary-only extension suppresses subnets from being advertised.

- as-set extension causes all AS path info from subnets to be included in summary.

There are three options when summarizing with BGP.

1. The network command can be utilized with no mask. This causes a classful network to be advertised when there is at least one subnet from the classful network in the routing table. This is referred to as automatic summarization (as in RIP & EIGRP). By default, auto-summarization is enabled in BGP. To disable this auto-summarization feature, utilize the command no auto-summary. Since classful networks are very rarely (if ever) used in today’s routing, the command “no auto-summ” is a normal part of the BGP configuration.

2. The network command advertises the specified route and mask configured in the command if there is an exact match in the routing table. An easy way to advertise a summarized network is to force an entry into the routing table and then advertise this with the BGP network command. To force an entry into the routing table, configure a static route pointing to the null0 interface. It must be noted though that any more specific routes to the summarized static route are not automatically suppressed and may still be advertised. Also, the summarized route advertised by BGP shows it originating from that AS. If any of the subnets being summarized by this originated from another AS, this information is not carried forward.

Page 154

32

3. The BGP aggregate-address command summarizes and advertises the configured address and mask if one subnet of the summarized address exists in the BGP topology database. The summary-only extension to the command suppresses any subnets within the summarized address from being advertised. The as-set extension causes all AS path information from each summarized subnet to be included in the advertised summarized network. This assists in avoiding routing loops. As stated earlier, for the summarized address to be advertised, there must be at least one subnet of this summarized address in the BGP database. It may be necessary to configure network commands for these subnets to install them in the BGP database. Technically, there only has to be one subnet of the summarized address in the BGP database, but if for any reason this route is removed from the database, then the summarized address will no longer be advertised. If required, it is good practice to ensure multiple (if not all) of the summarized subnets are installed in the database.

Page 155

33

BGP Summarization Commands

• Network Command and Static Route:

router(config)# ip route ip-address mask null0

- configures static route pointed at null0; address & mask are summarized network

router(config-router)# network address mask mask

- configures BGP to advertise summarized static route

• BGP Aggregate Address Command:

router(config-router)# aggregate-address ip-address mask [summary-only] [as-set]

- configures BGP to advertise a summarized network

- summary-only suppresses subnets of summarized network from being advertised

- as-set causes AS path info from subnets to be included in summarized advertisement

To install a summarized static route, from the global configuration mode, use the “ip route address mask interface” command. The address and mask are the summarized network to advertise. The interface utilized is null0. The idea is that the routing table will have subnets or routes with a more exact match installed and the summarized route pointing to null0 will never be utilized. If for any reason it is, the packet is dumped. After the static route is configured, this will force the entry into the routing table. At this point, configure a network statement in BGP that matches the static route installed. This summarized network will then be advertised by BGP to its neighbors. Use the aggregate-address command to advertise a summarized route in BGP. The command is configured as part of BGP. The ip address and mask define the summarized network to be advertised. For this to be advertised, though, there must be at least one subnet of this network in the BGP database. If there are no subnet entries in the BGP database for this summarized network, a network statement for the subnets will have to be configured. With no extensions added to the command, the subnets will be advertised in addition to the summarized network. By adding the summary-only extension to the command, this will suppress any subnets of the summarized network from being advertised. By using the “show ip bgp” command, the suppressed subnets can be viewed. Adding the as-set extension will cause the AS path information from any summarized subnets to be included in the advertised summarized route.
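The static route/network option and the aggregate-address option described above, modelled in Python as an added example that is not the guide's or any vendor's code. The BgpSpeaker class and its method names are constructed; the prefixes and AS numbers follow the lab on the following pages (AS 1 aggregating the loopback networks learned from router 3 in AS 3), and the aggregate is a /21 because eight /24 loopbacks span 148.13.0.0 through 148.13.7.255.

```python
"""Model of the BGP summarization options described in the guide (added example)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_network
from typing import Dict, FrozenSet, List, Tuple, Union

PathElem = Union[int, FrozenSet[int]]   # one AS number, or an AS_SET produced by as-set


@dataclass
class Route:
    prefix: IPv4Network
    as_path: List[PathElem] = field(default_factory=list)   # empty: originated by this router
    suppressed: bool = False


class BgpSpeaker:
    """One router: its IP routing table (rib) and its BGP topology database (table)."""

    def __init__(self, local_as: int, rib: List[str]) -> None:
        self.local_as = local_as
        self.rib = {ip_network(p) for p in rib}            # connected, static and IGP entries
        self.table: Dict[IPv4Network, Route] = {}           # what 'show ip bgp' lists
        self.aggregates: List[Tuple[IPv4Network, bool, bool]] = []

    def ip_route_null0(self, prefix: str) -> None:
        """'ip route <addr> <mask> null0': forces the summary into the routing table."""
        self.rib.add(ip_network(prefix))

    def network(self, prefix: str) -> bool:
        """'network <addr> mask <mask>': only an exact address-and-mask match is advertised."""
        net = ip_network(prefix)
        if net not in self.rib:
            return False
        self.table[net] = Route(net)
        return True

    def learn(self, prefix: str, as_path: List[int]) -> None:
        """A route received from a neighbor, with the AS path as the neighbor sent it."""
        net = ip_network(prefix)
        self.table[net] = Route(net, list(as_path))

    def aggregate_address(self, prefix: str, summary_only: bool = False, as_set: bool = False) -> None:
        """'aggregate-address <addr> <mask> [summary-only] [as-set]'."""
        self.aggregates.append((ip_network(prefix), summary_only, as_set))

    def advertisements(self) -> List[Route]:
        """Routes as an eBGP neighbor receives them: aggregates applied, local AS prepended."""
        routes = {p: Route(p, list(r.as_path)) for p, r in self.table.items()}
        for agg, summary_only, as_set in self.aggregates:
            components = [r for r in routes.values() if r.prefix != agg and r.prefix.subnet_of(agg)]
            if not components:
                continue   # no subnet in the BGP database, so the aggregate is not generated
            path: List[PathElem] = []   # without as-set the aggregate appears to originate here
            if as_set:
                members = {a for r in components for e in r.as_path
                           for a in (e if isinstance(e, frozenset) else [e])}
                if members:
                    path = [frozenset(members)]   # AS_SET keeps the original ASes for loop detection
            routes[agg] = Route(agg, path)
            if summary_only:
                for r in components:
                    r.suppressed = True   # shown with status code 's' in 'show ip bgp'
        advertised = []
        for r in sorted(routes.values(), key=lambda r: (r.prefix.network_address, r.prefix.prefixlen)):
            if not r.suppressed:
                advertised.append(Route(r.prefix, [self.local_as] + r.as_path))
        return advertised


def fmt_path(path: List[PathElem]) -> str:
    """Render like the Path column of 'show ip bgp': '1 {3}' is AS 1 followed by AS_SET {3}."""
    return " ".join(
        "{" + " ".join(str(a) for a in sorted(e)) + "}" if isinstance(e, frozenset) else str(e)
        for e in path
    )


if __name__ == "__main__":
    r1 = BgpSpeaker(local_as=1, rib=["148.11.1.0/24"])
    r1.ip_route_null0("148.11.0.0/22")
    r1.network("148.11.0.0/22")                # static route / network command option
    for i in range(8):
        r1.learn(f"148.13.{i}.0/24", [3])      # router 3's loopback networks
    r1.aggregate_address("148.13.0.0/21", summary_only=True, as_set=True)
    for r in r1.advertisements():
        print(f"{str(r.prefix):18} {fmt_path(r.as_path)}")
```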

Page 156

34

BGP Summarization Lab

1. Install network on page 12.

2. Each router install a static route to null0 using the following networks:

- router 1 148.11.0.0 255.255.252.0
- router 2 148.12.0.0 255.255.252.0
- router 3 148.13.0.0 255.255.252.0
- router 4 148.14.0.0 255.255.252.0
- router 5 148.15.0.0 255.255.252.0
- router 6 148.16.0.0 255.255.252.0
- router 7 148.17.0.0 255.255.252.0

3. Configure a network command in BGP to match the static route.

4. Verify that the static route is being advertised to your neighbor(s).

5. Remove static route and network statement.

Install the directly connected network from page 12 with each router in its own AS. Configure BGP neighbor relationships between each of the routers. Install the static routes listed above pointing to null0. Once this route is in the routing table, advertise it with a network statement in BGP. Take note that no subnets of this summarized route actually exist. This summarized route was just “made up”. When summarizing, it is important to ensure that all parts of the summarized address are actually reachable.

Page 157

35

BGP Summarization Lab (cont’d)

1. Each router install the following loopback interfaces:

- router 1 loopback 0 – 7 using networks 148.11.0.1 - 148.11.7.1 each with a mask of 255.255.255.0
- router 2 loopback 0 – 7 using networks 148.12.0.1 - 148.12.7.1 each /24
- router 3 loopback 0 – 7 using networks 148.13.0.1 - 148.13.7.1 each /24
- router 4 loopback 0 – 7 using networks 148.14.0.1 - 148.14.7.1 each /24
- router 5 loopback 0 – 7 using networks 148.15.0.1 - 148.15.7.1 each /24
- router 6 loopback 0 – 7 using networks 148.16.0.1 - 148.16.7.1 each /24
- router 7 loopback 0 – 7 using networks 148.17.0.1 - 148.17.7.1 each /24

2. Configure a network command in BGP for each loopback network. Verify advertisement.

3. Configure aggregate-address command in BGP to summarize all loopback networks.

Verify summarized address along with subnets are being advertised.

4. Add the summary-only extension. Verify subnets are being suppressed.

Each router is installing several loopback interface networks. This is simply to generate networks for the purpose of route summarization. This is a classroom training tool only. Once the loopback networks are installed, advertise these to your neighbors using network commands in BGP. Once complete, use the aggregate-address command to advertise a summarized network to your neighbors. Note that all of the subnets are still being advertised. Add the summary-only extension to the aggregate-address command. Note that the subnets are now not being advertised and are listed as suppressed in the BGP database.

Page 158

36

BGP Summarization Lab (cont’d)

1. Router 3 remove the aggregate route command.

2. All other routers verify that each of the loopback networks from router 3 are being advertised. Also verify that the AS path information is attached.

3. Router 1 install an aggregate address configuration with the summary-only extension for router 3’s loopback networks.

4. Routers 7, 4, 5, & 6 verify the aggregate route is being received. Verify the AS path information. It should show the aggregate route originating from AS 1.

5. Router 1 remove the aggregate route command from BGP and then add the command back with both the summary-only and as-set extensions.

6. Routers 7, 4, 5, & 6 should now show the AS path for the aggregate route originating from AS 3.

Router 3 removes its summarization. This allows the loopback networks to be advertised individually. Router 1 summarizes the loopback networks being advertised by router 3 and uses the summary-only extension. Routers 7, 4, 5, & 6 will see the summarized route with the subnets being suppressed. The AS path shows the summarized route as originating from AS 1. Router 1 removes the aggregate route configuration and then adds it back with the summary-only and the as-set extensions. Routers 7, 4, 5, & 6 should now show the summary route originating from AS 3.

Page 159

37

[Figure: BGP lab topology. AS 1 - 148.43.200.0/24 and AS 2 - 148.43.201.0/24, each containing routers 1 to 4 interconnected by serial links (s0/0, s0/1, s0/2), each router with an f0/0 LAN segment; the LAN subnets are /26 and /27.]

BGP Lab

Install the network above. Allocate and assign IP addresses within each AS. Enable OSPF in AS 1 and EIGRP in AS 2. Establish a BGP connection between the two ASs and perform route summarization. Advertise the summarized BGP route within each AS via the IGP. Ensure all subnets within both ASs are reachable from the distant AS.

Page 160

38

BGP Review Questions

Page 161

39

1. BGP is commonly used as a ____________ routing protocol?
a. Interior b. Internal c. Exterior d. a and b

2. A network based on one authority for management is called ________________.
a. Known system b. An autonomous system c. Small system d. Singular system

3. What agency controls the distribution of AS numbers?
a. IETF b. ARIN c. AFKN d. Microsoft

4. Two routers that have a direct BGP connection are called ______________________.
a. Neighbors b. TCP c. Groups d. Packets

5. BGP uses what Transport protocol to ensure reliability?
a. TCP b. UDP c. CDP d. LDP

6. Which of the following is a BGP message type?
a. Open b. Update c. Notification d. Keepalive e. All of the above

7. Of the four BGP messages, which is used to provide routing updates?
a. Keepalive b. Open c. Notification d. Update

8. When does BGP send the entire routing table to its neighbors?
a. During an update b. After the 5th keepalive c. Immediately after the OPEN message d. After destination notification

Page 162

40

9. What command is used to enable BGP on your router?
a. Router bgp xxx b. Route bgp xxx c. Config Router bgp xxx d. ip Router bgp xxx

10. Neighbor statements are used to enable BGP on an interface.
a. true b. false

11. Internal BGP neighbors have ______________.
a. the same AS number b. a high metric c. must be directly connected d. different AS numbers

12. An Autonomous system that allows packets to transit through it to reach another AS is considered what?
a. A Transit Dynamic System b. A Transit Autonomous System c. A Transit Testing Center d. A Transit Encapsulation

13. BGP is an open protocol.
a. True b. False

14. BGP supports redistribution.
a. True b. False

15. BGP does not support route summarization.
a. True b. False

16. Clear IP BGP* is used to do what?
a. Reset all protocol connections b. Starts the BGP process during OSPF synchronization c. Stops the BGP process during OSPF synchronization d. Reset all BGP neighbor connections on that router

17. Sho IP BGP displays the IP routing table.
a. True b. False

18. Sho IP route displays the BGP routing table.
a. True b. False

Page 163

41

19. To display the status of all BGP connections which command would you use?
a. Show IP Router b. Sho IP BGP Sum c. Show BGP Sum d. Sho Router

20. In order to reset only one TCP connection between BGP Neighbors, what command must be used?
a. Clear IP BGP xxx.xxx.xxx.xxx (x=the IP Address of your router) b. Clear IP BGP xxx.xxx.xxx.xxx (x=the Loopback Address of your neighbor) c. Clear IP BGP xxx.xxx.xxx.xxx (x=the OSPF Address of your router) d. Clear IP BGP xxx.xxx.xxx.xxx (x= the IP address of the neighbor)

21. What is the primary RFC for BGP?
a. RFC 1221 b. RFC 1331 c. RFC 1661 d. RFC 1771

22. When performing a “show IP BGP” command, the “I” in the third column indicates what?
a. An internal OSPF neighbor has told us about this network b. An internal BGP neighbor has told us about this network c. An interior BGP network has told us about this network d. An interior OSPF network has told us about this network

23. If the next hop address is shown as 0.0.0.0 when performing a sho IP BGP command, what does this signify?
a. The neighbor router is the absolute owner of the network listed b. This router cannot find the network listed beside the 0.0.0.0 c. This router is the absolute owner of the network listed beside the 0.0.0.0 d. The neighbor router cannot find the network listed beside the 0.0.0.0

24. Local Preference is used to determine the best pathway to leave the AS to reach an outside network in the case that you have more than one exit point.
a. True b. False

25. The BGP Multi-Exit Discriminator (MED) is used to inform the distant AS of the recommended entrance points to your Autonomous System.
a. True b. False

Page 164

42

26. External BGP has an administrative distance of ______.
a. 2 b. 20 c. 200 d. 2000

27. Internal BGP has an administrative distance of ______.
a. 2 b. 20 c. 200 d. 2000

28. BGP will not accept updates that have originated from its own AS.
a. True b. False

29. BGP uses what TCP port for establishing its connections?
a. 179 b. 121 c. 800 d. 140

30. What does BGP use for its router ID?
a. Your Subnet Mask b. Highest IP on an Active Interface c. Your Autonomous System Number d. Your BGP Neighbors IP Address e. All of the above

31. What protocol did BGP replace?
a. AGP b. OGP c. EGP d. SGP

32. BGP is a CISCO product.
a. True b. False

33. By default, how often does BGP send updates?
a. Every 30 seconds b. Every 60 seconds c. Whenever you change your password d. Whenever network changes occur

34. BGP stands for ________________.
a. Baseline Group Process b. Baseline Gateway Process c. Border Group Protocol d. Border Gateway Protocol

Page 165

43

35. Which of the following is not an appropriate situation to use BGP?
a. When the autonomous system is a transit autonomous system b. When there are multiple exit points c. When there is a single exit point d. When the network engineer understands BGP

36. When there is a single exit point into/out of an autonomous system, what is the preferred method?
a. BGP b. OSPF c. Static d. IBGP

37. What command is used to advertise a network with BGP?
a. ip route b. neighbor c. network d. default

38. You want to establish a BGP connection with directly connected interface 1.1.1.1 in AS 69. Your address is 2.2.2.2 in AS 101. What command should you use for this?
a. network 1.1.1.1 remote-as 69 b. network 2.2.2.2 remote-as 101 c. neighbor 1.1.1.1 mask 69 d. neighbor 1.1.1.1 remote-as 69

39. Autonomous System numbers are __________?
a. arbitrary b. assigned c. classless d. between 1 and 6,535

40. EBGP neighbors expect to be ___________?
a. happy b. directly connected c. interconnected by an IGP d. classless

41. IGPs use ______ to route traffic while BGP uses ______?
a. distance, neighbor b. metric, policy c. cost, metric d. policy, cost

42. BGP supports CIDR?
a. true b. false

Page 166

44

43. What are three types of BGP route summarization?
a. internal, external, & inter-area b. automatic, static route/network command, & aggregate address command c. automatic, intra-AS, & inter-AS d. automatic, static route/neighbor command, & aggregate address command

44. What does the summary-only extension to the aggregate address command do in BGP?
a. suppresses as path information b. suppresses subnets of the summarized route c. will only accept summary routes d. supports CIDR

45. Which is true about the static route/network command summarization technique?
a. the static route must be redistributed into BGP b. the static route distance must be set c. subnets of the summarized static route are not suppressed d. BGP must be redistributed into the static route

46. What is the range for private AS numbers?
a. 6452 through 6535 b. 64512 through 65535 c. 65412 through 65355 d. anything above the assigned range

Page 167

Insert Tab #4 Here

Page 168

Default Routing

Page 169

2

Page 170

3

What is a Default Route?

[Figure: a router with serial interfaces s0, s1 and s2 leading to networks 148.17.1.0/24, 148.17.2.0/24 and 148.17.3.0/24, s3 leading to the Internet, and e0 receiving a packet whose destination address is 148.20.0.43.]

Gateway of last resort is 148.18.16.255 to network 0.0.0.0

     148.17.0.0/16 is variably subnetted, 23 subnets, 4 masks
D       148.17.1.0/24 Serial0
D       148.17.2.0/24 Serial1
D       148.17.3.0/24 Serial2
D*EX    0.0.0.0/0 Serial3

• Default route in routing table listed as 0.0.0.0/0 (matches all IPs)

• Always used as a last resort – longest match rule.

Simply stated, a default route is one that is used when no matching routing table entry is found. It appears in the routing table as a route to network 0.0.0.0 and you know it is set when the output of sho ip route contains an entry similar to the following entry at the top of the routing table: Gateway of last resort is 192.168.4.1 to network 0.0.0.0 Any packet whose destination address is not matched by any specific routing table entry will take the path to the gateway of last resort. The gateway of last resort is a router that has more complete routing information and can hopefully forward the packet to its destination. If there is no default route and the packet’s destination address is not found in the routing table, then the packet is dropped and an ICMP Destination or Network Unreachable is returned to the source IP address. The term gateway originated in the early 1980s, when the world of networking equipment consisted of bridges and gateways. Bridges connect media that use the same (or nearly the same) data-link protocols, such as Ethernet to Ethernet. Gateway is the older term for a router and originated because it was the gateway through which one was able to send packets to a network that used different media and incompatible data-link protocols. In the late 1980s, the term router was coined to reflect the function of routing packets to the proper destination. Today, the term gateway refers to a networking component that converts a

Page 171

4

higher-level protocol into a different higher-level protocol. An example of this is a mail gateway that converts the OSI X.400 mail protocol into the Internet’s RFC822 protocol format. The older use of the term exists in a variety of places, including older RFCs, networking texts, and software. A review of RFC1009 clearly defines the terms router and gateway.

Page 172

5

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 148.18.16.255 to network 0.0.0.0

     148.18.0.0/16 is variably subnetted, 51 subnets, 6 masks
D       148.18.120.252/30 [90/1787392] via 148.18.16.255, 03:46:01, Serial2/0
D       148.18.20.132/30 [90/11023872] via 148.18.57.255, 03:46:05, Serial3/0
S       148.18.110.244/30 [1/0] via 148.18.110.250

(portions deleted)

D*EX    0.0.0.0/0 [170/2767360] via 148.18.16.255, 03:45:34, Serial2/0

• Default route listed as “gateway of last resort” in routing table

• Possible for router to learn of multiple default routes

• Same rules apply as for other routes – distance & metrics

• Gateway of last resort does not have to be 0.0.0.0

Default Routing

Internet hosts use routing tables to compute the next hop for a packet. Routing tables can take many forms, but here is a simple model that can explain most Internet routing. Each entry in a routing table has at least two fields - IP Address Prefix and Next Hop. The Next Hop is the IP address of another host or router that is directly reachable via an Ethernet, serial link, or some other physical connection. The IP Address Prefix specifies a set of destinations for which the routing entry is valid. In order to be in this set, the beginning of the destination IP address must match the IP Address Prefix, which can have from 0 to 32 significant bits. For example, an IP Address Prefix of 128.8.0.0/16 would match any IP Destination Address of the form 128.8.X.X. If no routing table entries match a packet's Destination Address, the packet is discarded as undeliverable (possibly with an ICMP notification to the sender). If multiple routing table entries match, the longest match is preferred. The longest match is the entry with the most 1 bits in its Routing Mask. To avoid needing routing entries for every possible Internet destination, most hosts and routers use a default route (some routing tables contain nothing but a single default route). A default route has a Routing Address/Mask pair of 0.0.0.0/0.0.0.0. In other words, it matches every IP address, but since there are no 1 bits in its Routing Mask, any other match would be selected by the longest match rule. The default route will only be used if there are no other matches in the routing table, thus its name. Default routes are quite common, and are put to best use on networks with only a single link connecting to the global Internet. On

Page 173

6

such a network, routing tables will have entries for local nets and subnets, as well as a single default route leading to the outbound link. However, remember that all Next Hops must be directly reachable, so the default routes won't necessarily point to the same IP address. In addition, some networks (large Internet service providers, mostly) use defaultless routing tables that must be able to match every IP address in the global network.
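The lookup described above, as an added example that is not part of the student guide: a Python model of longest-prefix matching using the standard ipaddress module. The table contents and addresses are constructed for illustration; the 0.0.0.0/0 entry plays the role of the default route, and a table without it shows what a defaultless lookup returns.

```python
# Added example (not from the student guide): the longest-match lookup
# described above, written against the Python standard library. The table
# contents and addresses are constructed for illustration.
import ipaddress

# Constructed routing table: (prefix, next hop). The 0.0.0.0/0 entry is the
# default route; its mask has no 1 bits, so it only wins when nothing else matches.
ROUTES = [
    ("128.8.0.0/16", "10.1.1.1"),
    ("128.8.4.0/24", "10.1.1.2"),
    ("10.1.1.0/24", "directly connected"),
    ("0.0.0.0/0", "10.1.1.254"),
]


def lookup(table, dst):
    """Return (matched prefix, next hop) for dst using longest-prefix match.

    Among all entries whose prefix contains dst, the one with the longest
    prefix (most 1 bits in its mask) wins. Returns None when no entry matches,
    which is the case where a router discards the packet as undeliverable.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return None if best is None else (str(best[0]), best[1])


def defaultless(table):
    """The same table with the default route removed, as a defaultless ISP table would be."""
    return [entry for entry in table if entry[0] != "0.0.0.0/0"]
```

Running lookup(ROUTES, "128.8.4.9") picks the /24 over the /16 that also contains it, an address outside every explicit prefix falls through to 0.0.0.0/0, and the same address against defaultless(ROUTES) returns None, the point at which a real router would drop the packet.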


Why use a Default Route?

• Provides a route for unknown destination networks.

• Packets for unknown destinations are not just “dropped”.

• Decreases the amount of information required to be carried in routing table.

• Decreases router latency due to lengthy route lookup.

• Limits the propagation of route updates.

• If implemented correctly, can dramatically increase the overall performance of a router and a routed network.

Users want access to all parts of the network (Internet) at all times. If a packet is received from a user device with a destination address that has no matching network in the routing table, the packet is simply dropped. With a default route (gateway of last resort) installed in the routing table, there will always be a match for any packet received. When a router is connected to the Internet (SIPR/NIPR), a default route is very useful. Without one, the router would need a route for every destination on the Internet, which can easily exceed 100,000 entries. With a default route, the router needs to know only about the destinations internal to its autonomous system; packets for external addresses are forwarded to the Internet service provider. An even bigger problem in very large routed networks is topology changes. As the network grows, topology changes occur more frequently, and each one produces updates that propagate through the topology. Every update a router receives must be processed, consuming CPU cycles and memory, and as this load increases so does latency in forwarding user traffic. This problem is very frequently blamed on a lack of bandwidth. A default route effectively hides these external changes from the part of the topology that relies on it: the interior routers see one stable default instead of the churn behind it.


Implementing a Default Route

1. Static Route

2. IP Default Network Command

3. Propagating into an IGP

- OSPF

- EIGRP

There are different techniques for implementing a default route. The static route and the ip default-network command place a default route and gateway of last resort only on the router where they are configured. To share a default route with other routers in the topology, it must be propagated via an IGP; the two discussed in this chapter are OSPF and EIGRP. There is no single best way to configure a default route and pass it throughout the topology. It is best to understand the different techniques and then use the one that best fits your needs.


Static Default Route

ip route network mask [address|interface] [distance] [permanent]

Network Destination network for the static route.

Mask Prefix mask for the destination network.

Address IP address of the next hop that can be used to reach that network.

Interface Interface number on router to exit to reach destination network.

distance (Optional) Administrative distance for the static route.

permanent (Optional) Specifies that the route will not be removed even if the exit interface goes down or the next hop becomes unreachable.

Router(config)#

Above is the command to configure a static route, ip route. The network is the destination network and the mask is its subnet mask. The address is the IP address of the next hop used to reach this network; alternatively, the interface is the interface on the router to exit to reach it. The distance sets the administrative distance of this static route (the default for a static route is 1, so it is preferred over any dynamically learned route to the same prefix). The permanent keyword keeps the static route in the routing table regardless of whether the next-hop address is reachable or the exit interface is up. Note that such a route keeps attracting traffic even when it cannot deliver it, so a backup default learned by another means would never take over.


Static Default Route

[Diagram: edge router exits via s0/0 to a directly connected next hop, 148.43.200.10]

• ip route 0.0.0.0 0.0.0.0 s0/0 (points to exit interface), or
• ip route 0.0.0.0 0.0.0.0 148.43.200.10 (next hop address – directly connected)
• Either method will install a default route into the routing table.

Configuring a default static route is the same process as any other static route except that the network and mask are all 0s (this covers the range of all IPs). The route can point to an exit interface or to the next-hop address of a directly connected neighbor router. Pointed either way, the route stays in the routing table as long as the interface is up (or the next hop's connected network is present); it says nothing about whether the upstream router actually has a path to Internet destinations. It may be nothing more than a working layer two link. This can be misleading because the routers in the internal topology believe a default destination exists when in fact it does not. On the router itself, show ip route reports the result in its first line (“Gateway of last resort is 148.43.200.10 to network 0.0.0.0”), which confirms only that the default is installed, not that it leads anywhere.


Static Default Route

[Diagram: edge router learns 148.43.200.0/24 from its BGP neighbor]

• ip route 0.0.0.0 0.0.0.0 148.43.200.0 (next hop address – via protocol)
• Next hop address is learned via a routing protocol and placed into the routing table. The static route is then pointed at that network.

A default static route can also be set up by pointing the route at a destination network advertised from a neighbor router via a routing protocol (BGP in the diagram). This tracks reality more closely. If there are routing problems within the ISP network, the network the static route points to stops being advertised and is removed from the routing table. Because the static route's next hop can then no longer be resolved, the default static route is also removed. If the default static route is being advertised to neighbors within the topology, once it is removed from the edge router's table it is no longer shared with the internal neighbors, so they stop sending traffic to an edge that cannot deliver it. A very common practice within DOD networks is that when service is requested from the DISN or GIG, the provider advertises a default network via BGP. The entity requesting service then installs its default route by pointing at that network.


IP Default-Network Command

ip default-network network

• Used to designate a classful network as a default route.

• Classful network must be installed in the routing table.

• When used in conjunction with EIGRP, the network must be learned via EIGRP and is then propagated via EIGRP as the gateway of last resort.

Router(config)#

The ip default-network command is classful. It designates a classful network to be used as the default network. The classful network must be in the routing table for it to be considered as a gateway of last resort. Multiple default networks can be configured. All those configured that are in the routing table are tagged as candidate default routes. The router goes through the normal selection process (administrative distance, then metric) to choose the gateway of last resort; a tagged default network that is not chosen serves as a backup. When a classful network learned via EIGRP is named in the ip default-network command, the network is automatically advertised to the router's EIGRP neighbors as a default network, and it is propagated throughout the EIGRP topology as a default route.


IP Default-Network Command

[Diagram: edge router learns 148.43.0.0/16 from its BGP neighbor]

• ip default-network 148.43.0.0
• The command designates the classful network as a default route and it is set as the gateway of last resort, pointing to the next hop address associated with the network in the routing table.

In the above scenario, a router learns of a classful network via BGP. It is installed in the routing table. Utilizing the command “ip default-network 148.43.0.0” causes the network to be designated as a default route candidate. It will be installed as the gateway of last resort pointing to the next hop associated with the network in the routing table.
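The selection behavior described in the last few pages, as an added example that is not from the student guide: a small Python model of how a router chooses its gateway of last resort among several candidates (explicit 0.0.0.0/0 routes and networks tagged by ip default-network, compared by administrative distance and then metric), and of why a static default that recurses to a protocol-learned network disappears when that network is withdrawn unless it was made permanent. The Route class, the installed() rule and the scenario addresses (140.50.0.0/16 from the provider, 148.43.200.0/24 on s0/0) are assumptions for illustration; administrative distances are the Cisco IOS defaults, but the logic is a simplification, not the IOS implementation.

```python
# Added example, not from the student guide: a small Python model of how a
# router selects its gateway of last resort from several candidates, and of
# why a static default that recurses to a protocol-learned network disappears
# when that network is withdrawn. Administrative distances are the Cisco IOS
# defaults (connected 0, static 1, eBGP 20, EIGRP internal 90); the selection
# logic itself is a simplification for illustration, not the IOS implementation.
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    prefix: str                       # "148.43.200.0/24"; "0.0.0.0/0" is a default route
    next_hop: str                     # next-hop IP address or exit interface name
    source: str                       # "connected", "static", "bgp", "eigrp"
    distance: int                     # administrative distance
    metric: int = 0                   # protocol metric, used to break distance ties
    permanent: bool = False           # static route kept even if the next hop is gone
    candidate_default: bool = False   # network tagged with "ip default-network"


def is_ip(text):
    """True for an IP address next hop, False for an interface name such as s0/0."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def covers(route, dst):
    return ipaddress.ip_address(dst) in ipaddress.ip_network(route.prefix)


def installed(table, up_interfaces=None):
    """Return the routes that make it into the routing table.

    up_interfaces: set of interface names that are up (None means all are up).
    Connected routes need their interface up. Dynamic routes are taken as given.
    A static route is installed only if it is permanent, points to an up
    interface, or its next-hop IP is covered by some non-static route in the
    table (static-to-static recursion is not modeled).
    """
    def up(ifname):
        return up_interfaces is None or ifname in up_interfaces

    base = [r for r in table
            if r.source not in ("static", "connected")
            or (r.source == "connected" and up(r.next_hop))]
    result = list(base)
    for r in table:
        if r.source != "static":
            continue
        if r.permanent:
            result.append(r)
        elif not is_ip(r.next_hop):
            if up(r.next_hop):
                result.append(r)
        elif any(covers(b, r.next_hop) for b in base):
            result.append(r)
    return result


def gateway_of_last_resort(table, up_interfaces=None):
    """Pick the candidate default with the lowest (distance, metric).

    Candidates are installed 0.0.0.0/0 routes and installed networks tagged by
    "ip default-network". Returns (prefix, next_hop), or None if nothing qualifies.
    """
    candidates = [r for r in installed(table, up_interfaces)
                  if r.prefix == "0.0.0.0/0" or r.candidate_default]
    if not candidates:
        return None
    best = min(candidates, key=lambda r: (r.distance, r.metric))
    return best.prefix, best.next_hop


if __name__ == "__main__":
    # Constructed scenario: s0/0 faces the provider, which advertises 140.50.0.0/16
    # over BGP; the static default points at that network, as in the text.
    connected = Route("148.43.200.0/24", "s0/0", "connected", 0)
    provider = Route("140.50.0.0/16", "148.43.200.10", "bgp", 20)
    default = Route("0.0.0.0/0", "140.50.0.0", "static", 1)
    print(gateway_of_last_resort([connected, provider, default]))   # ('0.0.0.0/0', '140.50.0.0')
    print(gateway_of_last_resort([connected, default]))             # None: BGP route withdrawn
```

Two things worth trying with it: mark the static route permanent and the gateway survives the BGP withdrawal, which is exactly the blackhole the permanent keyword can create; and add an EIGRP-learned 140.50.0.0/16 tagged candidate_default next to a static 0.0.0.0/0 to see the static win on distance, with the tagged network taking over (and the gateway of last resort becoming 140.50.0.0/16 rather than 0.0.0.0) once the static is gone.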


Propagating a Default Route via an IGP

EIGRP: two methods to distribute in EIGRP

1. ip default-network command – the network specified in the command must be learned by EIGRP for it to be shared with neighbors as a default route.

2. Static default route – redistribute static into EIGRP.

OSPF: default-information originate command

- if the gateway of last resort is set, causes the default route to be redistributed into OSPF.

Once an edge router has a default route installed, the next step is to propagate this information to its neighbors. The most effective way is to propagate it via an existing IGP; two of the more common are OSPF and EIGRP. There are two methods for propagating a default route in EIGRP. The first is to have a classful network that was learned via EIGRP and then reference this network in the ip default-network command. The network is then propagated through the EIGRP domain as a default route. The second method is to install a default static route and redistribute static into EIGRP. If there are other static routes in the routing table they will be redistributed as well, so consider whether they should be filtered out of the redistribution process. The method for distributing a default route within OSPF is the default-information originate command, configured as part of the OSPF process. If a gateway of last resort is set on the router, the command causes a default route to be redistributed into the OSPF process, which then propagates it throughout the OSPF domain.


Propagating via an IGP - EIGRP

[Diagram: 148.43.0.0/16 is advertised to router 1 via EIGRP; router 1 and each of its EIGRP neighbors install 148.43.0.0/16 as the gateway of last resort]

• Classful network is advertised to router 1 via EIGRP.
• Router 1 configures the “ip default-network 148.43.0.0” command.
• Router 1 advertises 148.43.0.0 as the default network to its neighbors.
• Neighbors install 148.43.0.0 as the gateway of last resort.

In the above example, network 148.43.0.0 is advertised to router 1 via EIGRP. Router 1 enters the configuration “ip default-network 148.43.0.0”. This tags the route as a default route candidate and it is entered in router 1's routing table as the gateway of last resort. The network is then advertised to the EIGRP neighbors as a default route candidate and entered into their routing tables as the gateway of last resort. The ip default-network command is classful; it can only be used if there is a classful network in the routing table to reference.


Redistribute Static

router(config)# router eigrp autonomous-system-number

router(config-router)# redistribute static

- enables EIGRP and defines the autonomous system number

- redistributes the default static route into the EIGRP routing process

- default route is then shared with EIGRP neighbors

- command will redistribute all static routes in the routing table, not just the default route

Once a static default route is in the edge router's routing table, configuring redistribute static under the EIGRP routing process shares the default route with the edge router's EIGRP neighbors. It is passed from neighbor to neighbor across the topology until all routers have learned it, and EIGRP calculates the metric at each hop as it would for any other route. If there are multiple paths within the topology to the edge router, the preferred path is installed in the routing table. The redistribute static command causes all static routes installed in the routing table to be shared with EIGRP neighbors. If the desired result is to share only the default route and not other static routes, route filtering (a distribute-list, or a route-map applied to the redistribute statement) must be configured.


Propagating via an IGP – EIGRP

[Diagram: 148.43.0.0/16 is advertised to router 1 via BGP; router 1 and each of its EIGRP neighbors install 0.0.0.0/0]

• Network 148.43.0.0 advertised to router 1 via BGP.
• Router 1 installs a default static route to 148.43.0.0.
• Router 1 redistributes static into EIGRP.
• Default route propagated to neighbors via EIGRP.

In the above example, network 148.43.0.0 is advertised to router 1 via BGP. It is installed into the routing table with BGP as the source. Router 1 installs a default static route pointing to network 148.43.0.0. The static route is installed in the routing table and is selected as the gateway of last resort. Router 1 then redistributes static into EIGRP. The default route is then advertised to the EIGRP neighbors. Note that during this operation, the default static route does not have to be pointed to a classful network. It can be pointed to an exit interface, connected IP address, or any other route within the routing table.


Propagating via an IGP – OSPF

[Diagram: 148.43.0.0/16 is advertised to router 1 via BGP; router 1 and each of its OSPF neighbors install 0.0.0.0/0]

• Network 148.43.0.0 advertised to router 1 via BGP.
• Router 1 installs a default static route to 148.43.0.0 or uses the ip default-network command.
• Router 1 uses the default-information originate command within OSPF.
• Default route propagated to neighbors via OSPF.

Network 148.43.0.0 is advertised to router 1 via BGP. Router 1 then configures a default static route pointing to this network. The static route is installed in the routing table and selected as the gateway of last resort. Router 1 configures OSPF with the “default-information originate” command, which redistributes a default route into OSPF as long as a gateway of last resort is set. This default route is then advertised to the OSPF neighbors. Note that during this operation, the default static route does not have to point to a classful network. It can point to an exit interface, a connected IP address, or any other route within the routing table.


Propagating via an IGP – OSPF

default-information originate [always] [metric metric-value] [metric-type type-value] [route-map map-name]

• default-information originate When a gateway of last resort is present in the router, causes a default route to be redistributed into OSPF.

• always (Optional) Always advertises the default route regardless of whether the software has a default route.

• metric (Optional) Metric used for generating the default route.The default metric value is 10.

• metric-type (Optional) External link type: Type 1 or 2 external route.

• route-map (Optional) References the designated route map.

Router(config)#

The “default-information originate” command is configured as part of OSPF. It redistributes a default route into OSPF if the gateway of last resort is set on the router, which makes that router an ASBR. The always extension advertises a default route regardless of whether the gateway of last resort is set; use it with care, because the router then keeps attracting the whole domain's unknown-destination traffic even after it has lost its own path upstream. The metric extension sets a seed metric on the redistributed default route. The metric-type extension sets the redistributed route as a type 1 or type 2 external OSPF route. The default is type 2, which carries the seed metric unchanged throughout the domain; type 1 adds the internal cost toward the ASBR, so interior routers prefer the nearer exit when more than one edge originates a default. The route-map extension makes the redistribution of the default route reference a route map, whose rules are then applied to the redistribution process.

[Lab diagram: routers 1–6 in AS-1 (148.18.1.0/24) and AS-4 (148.24.1.0/24), with routers 1 and 4 as the edge routers linked over serial interfaces (s0/0, s0/1) to router 7 in AS-7 (7.7.7.0/24); LAN segments on f0/0 subnetted /26 and /27]

Default Routing Network Lab

Allocate IP addresses within each AS. Utilize IPs from within each block for connections to router 7. Install BGP between routers 1 & 7 and 4 & 7. Routers 1 & 4 perform route summarization to router 7. Advertise the network 140.50.0.0 from router 7 to routers 1 and 4. This will be utilized by routers 1 & 4 as the default network. Configure EIGRP in AS-1 and AS-4. Install a default static route to the classful network. Redistribute static into EIGRP. Routers 1 – 6 should have their gateway of last resort set. Conduct a ping test from router 3 to router 6. In AS-1 and 4, turn off EIGRP and configure OSPF. Install a default static route to the classful network and configure OSPF with the default-information originate command. Routers 1 – 6 should have their gateway of last resort set. Conduct a ping test from router 3 to router 6.

[Lab diagram: routers 1–6 in AS-1 (148.16.1.0/24) and AS-4 (148.26.1.0/24), router 7 in AS-7 (7.7.7.0/24), serial links s0/0 and s0/1 between routers, router 3 with additional serial links s0/2 and s0/3, LAN segments on f0/0]

Default Routing Network Lab

Configure BGP between the routers as shown above. Advertise the network 140.50.0.0 from router 7 to other BGP routers. Operate each AS with EIGRP and then OSPF. Install default routing within each AS with each protocol. Conduct a ping test from router 2 to router 5. With two edge routers present, there will be multiple default route candidates. Note how each internal router (2 & 5) reacts to the multiple default routes. Make changes to the network – link down, manipulate metrics, etc. - to see how the routers react from a default network standpoint.
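What the interior routers of this lab should be observed doing, as an added example that is not part of the student guide: a Python distance-vector model in which two edge routers both inject a default into the IGP domain, each interior router keeps the cheaper one as its gateway of last resort, and the routers re-converge when a link or an edge router goes down. The topology and link costs are constructed (router numbers follow the lab diagram; the costs are not EIGRP or OSPF metrics), and the converge(), link_down() and router_down() helpers are this example's own.

```python
# Added example, not from the student guide's lab: a distance-vector model of
# how a default route originated by two edge routers propagates through an IGP
# domain and how the interior routers re-converge when a link or an edge
# router fails. The topology and link costs are constructed for illustration
# (router numbers follow the lab diagram, costs are not EIGRP or OSPF metrics).
import math

# Constructed topology: (router, router) -> link cost. Routers 1 and 4 are the
# edge routers; 2, 3, 5 and 6 are interior routers.
LINKS = {
    (1, 2): 10, (2, 3): 10, (1, 3): 25,
    (3, 6): 10, (6, 5): 10, (5, 4): 10, (4, 6): 30,
}


def converge(links, originators):
    """Return {router: (cost, next_hop)} for the default route at each router.

    originators: routers that have their own gateway of last resort and inject
    0.0.0.0/0 into the IGP; they report cost 0 and next hop None. Other routers
    pick the neighbor offering the lowest total cost (Bellman-Ford iteration
    until nothing changes). Routers with no path keep (inf, None).
    """
    nodes = {n for link in links for n in link}
    best = {n: (math.inf, None) for n in nodes}
    for o in originators:
        if o in nodes:
            best[o] = (0, None)
    changed = True
    while changed:
        changed = False
        for (a, b), cost in links.items():
            for me, nbr in ((a, b), (b, a)):
                if me in originators:
                    continue
                cand = best[nbr][0] + cost
                if cand < best[me][0]:
                    best[me] = (cand, nbr)
                    changed = True
    return best


def link_down(links, a, b):
    """Topology with the a-b link removed (either orientation)."""
    return {k: v for k, v in links.items() if set(k) != {a, b}}


def router_down(links, r):
    """Topology with router r and all of its links removed."""
    return {k: v for k, v in links.items() if r not in k}


if __name__ == "__main__":
    for label, topo, edges in (
        ("all up", LINKS, {1, 4}),
        ("link 1-2 down", link_down(LINKS, 1, 2), {1, 4}),
        ("edge router 1 down", router_down(LINKS, 1), {4}),
    ):
        print(label, dict(sorted(converge(topo, edges).items())))
```

With everything up, routers 2 and 3 exit through router 1 and routers 5 and 6 through router 4; the other edge's default is only a backup. Taking the 1-2 link down reroutes router 2 through router 3 but still toward router 1, and removing router 1 entirely makes routers 2 and 3 swing over to router 4's default, which is the behavior the lab asks you to watch on the interior routers. Real EIGRP and OSPF compute the cost differently (and an OSPF type 2 default carries the same metric everywhere, see the metric-type discussion above), so treat the numbers as illustrative.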


Default Routing Review Questions


1. Which of the following best describes a default route?

a. A backup for internal routes
b. A routing table entry that matches all destination IPs
c. A route that points to core Internet routers
d. A backup route for use if the routing protocol fails

2. What is the difference between a default route and a gateway of last resort?

a. Nothing, they are the same
b. Multiple default routes can be candidates for the gateway
c. Multiple gateways can be candidates for default routes
d. Gateways of last resort are Internet core routers and default routes are part of this

3. What are the options for pointing a static route?

a. interface and next hop
b. distance and metric
c. ip default-network and default-information originate
d. always and metric-type

4. Which of the following is a benefit of default routing?

a. ease of configuration
b. limits the spread of routing updates
c. increases the amount of bandwidth
d. decreases the reliance on ICMP

5. Which of the following is a benefit of default routing?

a. requires no routing protocol configuration
b. limits the spread of SNMP
c. reduces the size of the routing table
d. eliminates the need for routing updates

6. The “ip default-network” command is considered classful.

a. true
b. false

7. A router receives a classful network via BGP. This router is also operating with EIGRP. The router installs the “ip default-network” command with this classful network number. This default network will be shared with its EIGRP neighbors.

a. true
b. false

8. The “default-information originate” command within OSPF does what?

a. installs a gateway of last resort into the routing table
b. configures that router to become an ASBR
c. sets up a default static route
d. redistributes a default route into the OSPF process

9. It is possible to set the metric of the default route redistributed into OSPF.

a. true
b. false

10. Which of the following can occur if default routing is not implemented?

a. increased router performance
b. decreased routing table size
c. additional router configuration
d. router latency

11. Within OSPF, the default route must be pointed at a classful network.

a. false
b. true

12. The “ip default-network” command redistributes a default route into EIGRP.

a. true
b. false


Insert Tab #5 Here


Dynamic Multi-Point Virtual Private Networks

(DMVPN)


JNN Network - Satellite Backbone

[Diagram: Unit Hub Node (Div/Corps) reaching the DISN/GIG via STEP and via cable; JNN (BCT) and Bn CPNs (battalion level units) connected to the hub over Ku-band TDMA and Ku-band FDMA satellite links]

The JNN network utilizes a Ku Band commercial satellite network for the backbone interconnectivity of its systems. Both Time Division Multiple Access (TDMA) and Frequency Division Multiple Access (FDMA) are utilized. The JNN network architecture is composed of three primary elements:

1. Unit Hub Node (UHN)
2. Joint Network Node (JNN)
3. Battalion Command Post Node (Bn CPN)

These systems provide communications support to the various elements within an Army Division. The UHN is located at the Division and/or Corps element. It provides connectivity to the Defense Information Systems Network (DISN) and the Global Information Grid (GIG). The UHN utilizes both FDMA and TDMA satellite connectivity. The JNN is located at the Brigade Combat Team (BCT) element. It serves as a distribution point for the various systems within the BCT and provides direct network services for the Brigade headquarters elements. The JNN can utilize both TDMA and FDMA satellite connectivity. It has a single FDMA link, which is usually reserved for connectivity to the UHN.


The Bn CPN provides direct network access to users within a Battalion element. It utilizes only TDMA satellite connectivity. It has permanent links to the UHN and/or JNN and can establish on demand connections to other CPNs within the BCT.


Why Satellite?

• Allows for beyond line of sight (BLOS) extension.

• Accessible from virtually anywhere on the battlefield.

• No need for extensive “link” planning for installation of ground systems at a new location.

• Scales well for maneuver units.

• Current ground equipment readily transportable.

The use of satellite communications by the JNN network allows for the installation and operation of a very flexible intra-network backbone for its users. Tactical line of sight (LOS) radio systems are normally limited to a maximum range of approximately 40 miles, which limits the area of a battlefield that maneuver units can cover. With satellite, two systems can establish a radio link as long as both are within the earth “footprint” of the satellite coverage. This coverage can be rather large, allowing systems to be hundreds of miles apart. LOS radio link installation requires extensive planning and engineering, using complex computer programs to produce a path “profile”, and it is not always possible to establish an LOS link between two locations. Whenever LOS radio systems move to a new location, this link planning must be repeated before the new link is installed. Satellite, on the other hand, requires link planning only once, for the initial installation; after that, systems can move almost anywhere within the footprint and reestablish the link. There are virtually no limits to establishing a satellite link as long as there is a clear line of sight between the earth station and the satellite. With this flexibility, satellite based systems serve well in meeting the needs of Army combat units. As the battlefield changes and units are required to move, satellite based systems give them the ability to terminate and reestablish communications in a minimal amount of time.


The current satellite systems utilized with the JNN systems are mounted on a tactical two wheeled trailer pulled by a HMMWV. This makes the system readily transportable for tactical maneuver units.


FDMA

• Users transmit on one carrier frequency and receive on another.
• 2 carriers per full duplex link (point to point).
• Scales poorly – inefficient use of space segment.
• Does not support ad hoc networking.
• Dedicated bandwidth, not shared.
• No delay for link connection.

TDMA

• Users share carrier(s) for both transmit and receive.
• Additional carriers can be defined to support network growth.
• Scales well – efficient use of valuable space resource.
• Supports ad hoc networking well.
• Bandwidth is a shared resource, not dedicated.
• Slight delay in establishing link connection.

Space Segment Usage/Efficiency

* Space segment efficiency directly related to type of modulation/encoding used.

Provided by BCBL(G)

Frequency Division Multiple Access: FDMA is a traditional technique whereby earth stations transmit simultaneously on different pre-assigned frequencies, into a common satellite transponder. In addition, the FDMA carrier is allotted a certain amount of bandwidth. This carrier is constantly being transmitted to the satellite, processed by it, and retransmitted back to earth by it regardless of user traffic. Only the system assigned a certain transmit frequency can use the allocated bandwidth. Time Division Multiple Access: TDMA is a digital transmission technology that allows a number of users to access a single radio-frequency (RF) carrier without interference by allocating unique time slots to each user within each carrier. The type utilized within JNTC-S is referred to as Multi-Frequency TDMA Demand Assigned Multiple Access. This allows for dynamic allocation of time slots based on user requirements and allows multiple carriers on the satellite within the TDMA network. This forms a “bandwidth pool” for the users.


FDMA/TDMA Satellite Payload-users present

• Above depicts two users communicating via a satellite link – TDMA or FDMA.
• Spectrum analyzer display depicts the radio carrier used between the two systems.
• The carrier has a center frequency plus a certain amount of bandwidth.
• Amount of bandwidth is dependent upon the data transfer rate.

The above diagram displays two ground based satellite systems with a radio link established between the two through a satellite. This could be an FDMA or TDMA link. There are two users communicating through this link with laptop computers. Depicted between the two systems is a display from a spectrum analyzer. The “hump” on the screen is a representation of the radio carrier being received by one of the satellite systems. The carrier has a center frequency and a certain amount of bandwidth being utilized on each side of this center frequency. The amount of bandwidth is determined by the data rate being transmitted by the earth systems.


FDMA Satellite Payload – no users present

• Above depicts two systems with no user data being transferred.
• Satellite resource utilization remains unchanged on an FDMA link.
• Carrier can only be utilized by systems with the pre-assigned frequency & bandwidth.
• User activity or inactivity has no effect on satellite resource utilization.

The diagram now shows no user traffic being transmitted through the satellite radio link. From a satellite resource utilization standpoint, there would be no change on an FDMA link (as depicted by the spectrum analyzer display). FDMA systems have pre-assigned frequencies and pre-assigned bandwidth allocation; only the systems allocated these resources can utilize them. User activity or inactivity has no effect on satellite resource utilization.

Page 203

10

TDMA Satellite Payload-no users present

• Above depicts two systems with no user data being transferred.
• No satellite resources are utilized on a TDMA link.
• Once user data transfer is complete, bandwidth is returned to a pool for use by other systems.
• Bandwidth is allocated on demand - based on user requirements.
• User activity or inactivity has a direct effect on satellite resource utilization.

The diagram still shows no user traffic being transmitted through the satellite radio link. From a satellite resource utilization standpoint, there would be a change on a TDMA link (as depicted by the spectrum analyzer display). Resources on a TDMA satellite network are allocated based on user requirements. When users communicating through a TDMA satellite link have information to transfer, resources (a carrier with a center frequency and bandwidth) are allocated to support the requirement. Once the transfer of this information is complete, the resources are returned to a pool for use by other systems as needed.

Page 204

11

Virtual Private Network (VPN)

• Internet Engineering Task Force (IETF): A VPN is “An emulation of a private Wide Area Network (WAN) using shared or public IP facilities, such as the Internet or private IP backbones.”

• In simpler terms, a VPN is an extension of a private intranet across a public network (the Internet) that ensures secure and cost-effective connectivity between the two communicating ends.

[Diagram: Headquarters/Home Office and Branch Office connected across the Internet]

A virtual private network (VPN) is a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network. A virtual private network can be contrasted with an expensive system of owned or leased lines that can only be used by one organization. The goal of a VPN is to provide the organization with the same capabilities, but at a much lower cost. VPNs establish a secure network over insecure or public networks. VPNs can take many different forms and be implemented in various ways. VPNs achieve their security by encrypting the traffic that they transport, preventing eavesdropping or interception. In simplest terms, a VPN is fundamentally a secure tunnel established between two or more endpoints. A VPN can be constructed with or without the knowledge of the network provider, and can span multiple network providers.

Page 205

12

Tunneling

[Diagram: original IP packet = IP Hdr | TCP Hdr | Data; IP packet encapsulated with tunnel protocol = New IP Hdr | Tunnel Hdr | Orig IP Hdr | TCP Hdr | Data | Tunnel Trailer]

• VPNs are established with the help of private logical tunnels. Tunneling is the encapsulation of one protocol within another.

• Tunnels enable the two ends to exchange data in a manner that resembles point-to-point communications.

• From a routing protocol standpoint, the two routers depicted above would act as directly connected neighbors through the tunnel even though there may be several other routers physically between them.

The VPNs are established with the help of private logical "tunnels." These tunnels enable the two ends to exchange data in a manner that resembles point-to-point communication. Tunneling technology lies at the core of VPNs. In addition, elaborate security measures and mechanisms can be used to ensure safe passage of sensitive data across an unsecured medium. Tunneling is the technique of encapsulating a data packet in a tunneling protocol, such as IP Security (IPSec), Point-to-Point Tunneling Protocol (PPTP), or Layer 2 Tunneling Protocol (L2TP), and then finally packaging the tunneled packet into an IP packet. The resultant packet is then routed to the destination network using the overlying IP information. Because the original data packet can be of any type, tunneling can support multi-protocol traffic, including IP, ISDN, FR, and ATM.

Page 206

13

Tunnel Protocols

• Point-to-Point Tunneling Protocol (PPTP)

• Layer 2 Tunneling Protocol (L2TP)

• Internet Security Protocol (IPSec)*

• Generic Routing Encapsulation (GRE)

• Multi-point Generic Routing Encapsulation (mGRE)*

*utilized within the JNN network architecture

Point-to-Point Tunneling Protocol (PPTP) - Developed by Microsoft, 3COM, and Ascend Communications, PPTP was proposed as an alternative to IPSec. However, IPSec still remains the favorite tunneling protocol. PPTP operates at layer 2 (Data Link layer) of the OSI model and is used for secure transmission of Windows-based traffic.

Layer 2 Tunneling Protocol (L2TP) - Developed by Cisco Systems, L2TP was also intended to replace IPSec as the de facto tunneling protocol. However, IPSec still continues to be the dominant protocol for secure communication over the Internet. L2TP is a combination of Layer 2 Forwarding (L2F) and PPTP and is used to encapsulate Point-to-Point Protocol (PPP) frames to be sent over X.25, FR, and ATM networks.

IP Security (IPSec) - Developed by IETF, IPSec is an open standard that ensures transmission security and user authentication over public networks. Unlike other encryption techniques, IPSec operates at the Network layer of the seven-layer Open System Interconnect (OSI) model. Therefore, it can be implemented independently of the applications running over the network. As a result, the network can be secured without the need to implement and coordinate security for each individual application.

Generic Routing Encapsulation (GRE) - A tunneling protocol developed by Cisco that can encapsulate a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to Cisco routers at remote points over an IP inter-network. GRE allows routing updates to be sent over links that do not support broadcast and/or multicast.

Page 207

14

Multi-Point Generic Routing Encapsulation (mGRE) - mGRE allows a single GRE tunnel interface to support multiple tunnels (GRE is strictly point to point). This greatly simplifies the tunnel configuration and, when used in conjunction with NHRP, tunnels can be established dynamically.

Page 208

15

GRE Tunnel

[Diagram: Router 1 (s0/0 1.1.1.1/30, LAN 12.12.12.0/24, host .2) and Router 2 (s0/0 2.2.2.1/30, LAN 11.11.11.0/24, host .2) connected across the Internet. Host packet: IP Hdr s 12.12.12.2 d 11.11.11.2 | UDP | Payload. Tunneled packet: Tunnel IP Hdr s 1.1.1.1 d 2.2.2.1 | GRE | IP Hdr s 12.12.12.2 d 11.11.11.2 | UDP | Payload.]

• Routers 1 & 2 have a GRE tunnel established.

- host 12.12.12.2 sends a packet to host 11.11.11.2
- router 1 encapsulates the packet with the IPs assigned to the serial interfaces.
- router 2 de-encapsulates and delivers the original packet.

• Packet is routed through the Internet based on the tunnel IP header.

Generic Routing Encapsulation (GRE) is a Cisco proprietary (but published) standard for encapsulating routing protocols. It can encapsulate a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to Cisco routers at remote points over an IP inter-network. By connecting multi-protocol sub-networks in a single-protocol backbone environment, IP tunneling that uses GRE allows network expansion across a single-protocol backbone environment. GRE, as specified in [RFC2784], is an IETF standard defining a multi-protocol encapsulation format that could be suitable to tunnel any network layer protocol over any network layer protocol. GRE is normally used in two classes of applications: the transport of different protocols between IP networks and the provision of VPN services for networks configured with potentially overlapping private address space. The GRE header key field can be used to discriminate the identity of the customer network where encapsulated packets originate. In this way, it provides a way to offer many virtual interfaces to customer networks on a single GRE tunnel endpoint. This feature allows for policy-based routing (that is, when routing decisions are not based only on the destination IP address but on the combination of a virtual interface identifier and the destination IP address) and relatively easy per-user network accounting. Also, a GRE header allows the identification of the type of the protocol that is being carried over the GRE tunnel, thus allowing IP networks to serve as a bearer service onto which a virtual multi-protocol network can be defined and implemented. Similar to the IP in IP tunneling mechanism, the GRE tunneling technology does not include a tunnel setup protocol. It requires other protocols, such as Mobile IP, or network management to set up the tunnels. It also does not include security mechanisms and must be combined with IPSec to support secure user data delivery.

Page 209

16
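As an added example (not from the student guide), the encapsulation on the GRE Tunnel slide in Python: an inner IPv4/UDP packet from 12.12.12.2 to 11.11.11.2 is wrapped in a GRE header and an outer IPv4 header carrying the serial addresses 1.1.1.1 and 2.2.2.1, then unwrapped with every header checked before the inner packet is handed on. The GRE header layout follows RFC 2784 with the optional key field from RFC 2890; the UDP payload and the key value 100 are constructed for the example.

```python
import struct
import ipaddress

GRE_PROTO = 47            # IP protocol number carried in the outer header
ETHERTYPE_IPV4 = 0x0800   # GRE protocol-type value for an inner IPv4 packet
GRE_FLAG_C = 0x8000       # checksum present (RFC 2784)
GRE_FLAG_K = 0x2000       # key present (RFC 2890)
GRE_FLAG_S = 0x1000       # sequence number present (RFC 2890)


def ones_complement_checksum(data):
    """RFC 1071 checksum used by both the IP header and the GRE header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ones_complement_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner_packet, tunnel_src, tunnel_dst, key=None):
    """New IP Hdr | GRE Hdr | original packet, as in the tunneling diagram."""
    flags = GRE_FLAG_C | (GRE_FLAG_K if key is not None else 0)
    gre = struct.pack("!HHHH", flags, ETHERTYPE_IPV4, 0, 0)   # checksum filled in below
    if key is not None:
        gre += struct.pack("!I", key)
    csum = ones_complement_checksum(gre + inner_packet)
    gre = gre[:4] + struct.pack("!H", csum) + gre[6:]
    outer = ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre) + len(inner_packet))
    return outer + gre + inner_packet


def gre_decapsulate(packet):
    """Validate the outer IP and GRE headers; return (src, dst, key, inner_packet).
    Raises ValueError on anything malformed so a bad packet is dropped, not forwarded."""
    if len(packet) < 24:
        raise ValueError("too short for IPv4 + GRE")
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20 or len(packet) < ihl + 4:
        raise ValueError("not a usable IPv4 packet")
    if packet[9] != GRE_PROTO:
        raise ValueError("outer protocol %d is not GRE" % packet[9])
    if ones_complement_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IP header checksum")
    outer_src = str(ipaddress.IPv4Address(packet[12:16]))
    outer_dst = str(ipaddress.IPv4Address(packet[16:20]))
    flags, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0x0007:
        raise ValueError("GRE version must be 0")
    if proto != ETHERTYPE_IPV4:
        raise ValueError("inner protocol type %#06x not handled here" % proto)
    if flags & GRE_FLAG_C and ones_complement_checksum(packet[ihl:]) != 0:
        raise ValueError("bad GRE checksum")
    offset = ihl + 4
    key = None
    if flags & GRE_FLAG_C:
        offset += 4                                  # checksum + reserved1
    if flags & GRE_FLAG_K:
        if len(packet) < offset + 4:
            raise ValueError("truncated GRE key")
        key = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if flags & GRE_FLAG_S:
        offset += 4                                  # sequence number, not used here
    return outer_src, outer_dst, key, packet[offset:]


def demo():
    """Host 12.12.12.2 sends a UDP datagram to 11.11.11.2 (constructed sample);
    router 1 tunnels it from 1.1.1.1 to 2.2.2.1 with GRE key 100 (constructed)."""
    data = b"hello from the LAN"
    udp = struct.pack("!HHHH", 40000, 4000, 8 + len(data), 0) + data   # UDP checksum 0 = none
    inner = ipv4_header("12.12.12.2", "11.11.11.2", 17, len(udp)) + udp
    tunneled = gre_encapsulate(inner, "1.1.1.1", "2.2.2.1", key=100)
    return inner, tunneled
```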

Page 210

17

interface Tunnel0 - creates a tunnel interface

ip address 10.10.10.1 255.255.255.252 - assigns IP address & mask to tunnel

tunnel source Serial0/0 - specifies which physical interface the tunnel will utilize

tunnel destination 148.43.200.9 - specifies the physical address associated with the distant end of the tunnel

GRE Tunnel Configuration

• GRE tunnels are point to point networks.

• GRE is the default tunnel encapsulation on a Cisco router.

• The physical IPs are used for encapsulating & routing the packet.

Above are the configuration commands utilized to establish a simple static GRE tunnel on a router. Once configured, the router treats the virtual tunnel interface the same as a physical interface.

interface tunnel0: creates the tunnel interface; the tunnel can be designated with any number. (NOTE: the three following commands are applied to the tunnel interface)
ip address: assigns an IP address and mask to the tunnel interface.
tunnel source: specifies which physical interface on the router the tunnel interface will utilize to establish a connection to the distant end tunnel interface.
tunnel destination: specifies the address of the physical interface the distant end tunnel interface is utilizing as its tunnel source.

GRE IP is the default tunnel encapsulation on a Cisco router and therefore does not have to be configured.

Page 211

18

GRE Tunnel Lab 1

Router with s0/0 148.43.200.10:
interface Tunnel0
 ip address 10.10.10.1 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 148.43.200.9

Router with s0/0 148.43.200.9:
interface Tunnel0
 ip address 10.10.10.2 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 148.43.200.10

[Diagram: two routers connected back to back on s0/0 (148.43.200.9/30 and 148.43.200.10/30), with LANs 12.12.12.0/24 and 11.11.11.0/24 behind them]

• Install the network as shown above.

• Enable EIGRP, configure network statements for tunnel & Ethernet interfaces.

• Once complete, ping from host computer to host computer.

In the above lab, establish a point to point router network. Then configure tunnel interfaces on each router utilizing the configuration examples above. Once the tunnel interfaces are installed, configure EIGRP with network statements for the tunnel interfaces and the Ethernet segments. Perform a ping test from a host on one Ethernet segment to a host on the other. Examine the routing table of each router. What is the next hop address of the networks learned via EIGRP? The above diagram has a tunnel being established between two directly connected routers. It is possible to establish a tunnel between two routers with multiple routers in between. The two tunnel interfaces would act as if they are directly connected. It is a good practice to utilize different routing protocols on the tunnel and physical interfaces to prevent routing loops.

Page 212

19

GRE Tunnel Lab 2

[Diagram: routers 1 through 7 on one broadcast multi-access segment, f0/0 addresses .193/28 through .199/28 (148.43.200.192/28), with LANs 11.11.11.0/24 through 17.17.17.0/24 behind them]

The above is a broadcast multi-access network. The goal is to establish tunnels between all the systems. The following is a configuration example for router 1. Based on this example, as a group come up with an addressing & configuration scheme for each router within the tunneled network:

Tunnel0 10.10.10.1/30, dest 148.43.200.194
Tunnel1 10.10.10.5/30, dest 148.43.200.195
Tunnel2 10.10.10.9/30, dest 148.43.200.196
Tunnel3 10.10.10.13/30, dest 148.43.200.197
Tunnel4 10.10.10.17/30, dest 148.43.200.198
Tunnel5 10.10.10.21/30, dest 148.43.200.199

How many subnets were created in this topology? By having all of these tunnels permanently in place, what effect would this have on the TDMA satellite network? If a router was added or removed from the topology, what would have to take place within the configurations? If time permits, install the above network within the classroom.

Page 213

20

DMVPN

[Diagram: JNN hub connected to Bn CPN spokes over a commercial TDMA satellite link]

• DMVPN technology is utilized within the JNN network Architecture.

• Permanent VPNs are established between Hub/JNN & Bn CPN systems.

• Connections between CPN systems are established on an as needed basis utilizing DMVPN technology.

• TDMA satellite bandwidth is a shared resource; DMVPNs allow this to be utilized more efficiently.

The JNN network utilizes satellite radio links as the backbone to interconnect its IP based systems. There are two types of satellite networks within the JNN architecture: Time Division Multiple Access (TDMA) and Frequency Division Multiple Access (FDMA). For the past several years, legacy tactical communications systems have utilized FDMA satellite networks. Within FDMA, individual satellite systems are assigned a frequency and a certain amount of bandwidth. These two resources can then only be utilized by that system even if there is actually no user communications going through this link. TDMA on the other hand pools satellite bandwidth for use by ground systems on an as needed or demand basis. It is somewhat similar to a radio Ethernet network. For IP based systems to effectively utilize this TDMA network, dynamic multi-point virtual private networks (DMVPN) are established. IP Security (IPSec) is utilized to encrypt and authenticate the DMVPN traffic. DMVPN is composed of two protocols: multi-point generic routing encapsulation (mGRE) and next hop resolution protocol (NHRP). A DMVPN network is based on a hub/spoke topology. A system acts as the hub and all the others are considered spokes. Each spoke makes a permanent virtual connection to the hub. Initially, when a spoke system has traffic destined for another spoke system, it is routed through the hub. Utilizing NHRP, the hub provides the appropriate information so that a temporary virtual connection can be made between the two spoke systems. Essentially, connections are made on an as needed basis therefore effectively utilizing the satellite resources.

Page 214

21

What is a DMVPN?

• DMVPNs allow the dynamic establishment of multiple GRE tunnels through a single tunnel interface.
- based on a hub/spoke network design
- tunnels can be established dynamically (as needed)
- more efficiently utilizes network resources
- minimizes router configuration size
- allows routers to be added or removed from the topology without reconfiguring present routers

• Two protocols are utilized within DMVPNs.
- Multi-point GRE (mGRE)
- Next Hop Resolution Protocol (NHRP)

The idea behind DMVPNs is that tunnels between certain routers can be established on an as needed basis. This has many benefits. The design is based on a hub/spoke topology with all spoke systems having a permanent tunnel to the hub system. Then as required the spoke systems dynamically establish tunnels between each other with information provided by the hub. This establishing of tunnels as needed and then terminating them once packet transfer is complete is very efficient in that network resources are only utilized when needed. Permanent VPNs (tunnels) utilize network resources even when there is no user traffic being transferred through the tunnel. When utilizing static tunnels with GRE, a separate tunnel interface and sub-net must be configured between the hub and each spoke. Depending on the number of routers involved, the size of the configuration and the number of IPs required can become quite extensive. DMVPNs by contrast have a simple configuration and the size of the configuration remains the same regardless of the number of routers participating. With DMVPNs, as the network topology changes (adding or removing routers), the configurations of the existing routers do not have to be modified. This makes the scaling of a DMVPN network very flexible. Static tunnels by contrast would require configuration changes to all routers within the network topology. To establish DMVPNs, three protocols are utilized: Multi-point GRE (mGRE), Next Hop Resolution Protocol (NHRP), and a dynamic routing protocol (OSPF or EIGRP).

Page 215

22

Multi-Point Generic Routing Encapsulation

• mGRE — allows a single GRE tunnel interface to support multiple tunnels.

• GRE tunnel configuration consists of:
- ip address & mask
- tunnel source
- tunnel destination
- optional tunnel key

• mGRE tunnel configuration consists of:
- ip address & mask
- tunnel source
- tunnel key

• With mGRE, the tunnel destination is not defined.

• mGRE relies on NHRP to supply the tunnel destination information which it then utilizes to dynamically establish the tunnel.

Tunneling protocols such as IPSec can only support IP unicast traffic. Routing protocols such as OSPF and EIGRP exchange routing information via multicast; therefore tunneling protocols such as IPSec cannot support dynamic routing. GRE was created to support multi-protocol traffic (IPX & AppleTalk) and in addition support all types of IP traffic (unicast, broadcast, & multicast). GRE however only supports point to point tunneling in which the source and destination addresses are specified. For each additional tunnel, a separate tunnel interface must be configured with the source and destination specified. mGRE on the other hand allows the establishment of multiple tunnels via a single tunnel interface. It is in a sense a broadcast multi-access tunnel interface. Within the mGRE configuration only the source addressing information is supplied. The destination address is learned dynamically, relying on some other protocol such as NHRP.

Page 216

23

Next Hop Resolution Protocol (NHRP)

• Client/server protocol: hub is server & spokes are clients.

• Each client registers with server: tunnel address and associated tunnel source interface address (physical).

• Server maintains an NHRP database of these registrations.

• Clients request next hop information (tunnel to physical address resolution) from server to establish dynamic tunnel to another spoke.

Next Hop Resolution Protocol (NHRP) is a client/server protocol that provides the capability for the spoke routers to dynamically learn the exterior physical interface address of other spoke routers within the DMVPN network. Spoke routers are considered the clients and the hub router is the server. NHRP is used by a source station (host or router) connected to a Non-Broadcast, Multi-Access (NBMA) subnetwork to determine the internetworking layer address and NBMA subnetwork addresses of the "NBMA next hop" towards a destination station. If the destination is connected to the NBMA subnetwork, then the NBMA next hop is the destination station itself. Otherwise, the NBMA next hop is the egress router from the NBMA subnetwork that is "nearest" to the destination station. NHRP is intended for use in a multiprotocol internetworking layer environment over NBMA subnetworks. NHRP Resolution Requests traverse one or more hops within an NBMA subnetwork before reaching the station that is expected to generate a response. Each station, including the source station, chooses a neighboring NHS to which it will forward the NHRP Resolution Request. The NHS selection procedure typically involves applying a destination protocol layer address to the protocol layer routing table which causes a routing decision to be returned. This routing decision is then used to forward the NHRP Resolution Request to the downstream NHS. The destination protocol layer address previously mentioned is carried within the NHRP Resolution Request packet. Note that even though a protocol layer address was used to acquire a routing decision, NHRP packets are not encapsulated within a protocol layer header but rather are carried at the NBMA layer using the encapsulation described in its own header.

Page 217

24

NHRP (1)

• Hub is the NHRP server, spokes are clients.
• Clients register to server with address mapping information.
• Server replies to clients once registration is complete.

[Diagram: server (tunnel 10.10.10.1/28, f0/1 148.43.200.1/29), client 1 (tunnel 10.10.10.2/28, f0/1 148.43.200.10/29) and client 2 (tunnel 10.10.10.3/28, f0/1 148.43.200.20/29) connected over TDMA. Client 1 sends NHRP Registration 10.10.10.2 148.43.200.10 and client 2 sends NHRP Registration 10.10.10.3 148.43.200.20; the server answers each with a Registration Reply.]

NHRP Database (server):
10.10.10.2 148.43.200.10
10.10.10.3 148.43.200.20

The registration request is sent from the client (spoke) to the server (hub) in order to identify or register its NHRP information. The destination protocol address field is set to the server’s IP address, or to the address of the client in the event the client is not specifically configured with next hop server information. If the address field is set with the server’s address or with a client’s address that is within the same subnet as the server, then the server places the client NHRP information in its NHRP database. The server then sends a registration reply to the client informing it that it is now registered with this server. If the destination protocol address field is not set with the server’s address and the client IP is not within the same subnet as the server, then the server forwards the registration to another next hop server.

Page 218

25

NHRP (2)

• Client 1 has packets destined for a network belonging to client 2.
• Client 1 sends request to server for resolution of the next hop tunnel address to physical address of client 2.

[Diagram: same server and clients as above; client 1 sends NHRP Resolution Request 10.10.10.3 to the server, whose NHRP Database holds 10.10.10.2 148.43.200.10 and 10.10.10.3 148.43.200.20.]

A resolution request is sent from a client to the server in order to identify the address for the next hop end point in the network. If the requested endpoint belongs to the server that has received the request, then it formulates a reply based on information contained in its database. Otherwise, the request must be forwarded to a next hop server that supports that endpoint. Within the JNN DMVPN network, the request contains the destination router’s tunnel address, requesting the destination's associated physical address.

Page 219

26

NHRP (3)

• Server replies with the tunnel to physical address resolution.
• Client 1 enters this into its NHRP database.

[Diagram: server sends NHRP Resolution Reply 10.10.10.3 148.43.200.20 to client 1. Server NHRP Database: 10.10.10.2 148.43.200.10, 10.10.10.3 148.43.200.20. Client 1 NHRP Database: 10.10.10.3 148.43.200.20.]

A resolution reply is sent from the server to the requesting client. The reply provides a mapping of the requested destination tunnel address to the destination physical address. This information is then entered into the client’s NHRP database. This type of reply is termed an authoritative reply. The server that supports the subnet in question generates the reply. In the case where a resolution request was forwarded by an NHRP server to another server, it is possible for a server to receive a resolution reply. Once it has received the reply, it forwards it to the originating client. It also caches this reply for later use. When the same request is received again, it can use this cached information to reply instead of forwarding the request to the server that actually supports that subnet. This type of reply is termed non-authoritative.

Page 220

27

NHRP (4)

• Client 1 utilizes received NHRP info to establish a dynamic tunnel to client 2.
• Tunnel will be terminated after a predetermined amount of time.

[Diagram: dynamic tunnel from client 1 to client 2 over TDMA, bypassing the server. Tunneled packet: Tunnel IP Hdr s 148.43.200.10 d 148.43.200.20 | GRE | IP Hdr | UDP | Payload. Client 1 NHRP Database: 10.10.10.3 148.43.200.20. Server NHRP Database: 10.10.10.2 148.43.200.10, 10.10.10.3 148.43.200.20.]

Once the client (spoke) has received the reply from the server and has entered it into its NHRP database, it now has the required information to establish a dynamic tunnel to the other spoke. When configuring mGRE tunnels, the information supplied is the IP address & mask of the tunnel and the source physical interface to be utilized by the tunnel. In addition to packets utilizing the tunnel actually exiting the configured physical interface, the tunneled packet also utilizes the IP address assigned to the physical interface as its source address. NHRP is dynamically supplying the destination tunnel address. The tunnel will be terminated after a predetermined amount of time. By default, the tunnel will stay active for 120 minutes. This value can be changed within the tunnel configuration.
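The registration, resolution and tunnel-expiry steps on the four NHRP slides, as an added example that is not part of the student guide: a hub server holding the NHRP database, two spoke clients using the slides' addresses, and a holdtime after which the cached mapping is discarded and re-resolved. Class and method names are this example's own; the 120-minute lifetime is the default the text quotes.

```python
import ipaddress

HOLDTIME_SECONDS = 120 * 60   # dynamic-tunnel lifetime; 120 minutes is the default quoted in the text


class NhrpServer:
    """The hub: next-hop server keeping tunnel address -> physical (NBMA) address."""

    def __init__(self, tunnel_iface, nbma_addr):
        self.tunnel_iface = ipaddress.IPv4Interface(tunnel_iface)   # e.g. "10.10.10.1/28"
        self.nbma_addr = nbma_addr
        self.database = {}

    def registration(self, dest_protocol_addr, client_tunnel_addr, client_nbma_addr):
        """Registration request.  Accepted when addressed to this server or to an
        address inside the server's tunnel subnet; otherwise it would be forwarded
        to another next-hop server, which this model does not implement."""
        dest = ipaddress.IPv4Address(dest_protocol_addr)
        if dest != self.tunnel_iface.ip and dest not in self.tunnel_iface.network:
            return ("forward", None)
        self.database[client_tunnel_addr] = client_nbma_addr
        return ("registered", client_tunnel_addr)

    def resolution_request(self, requested_tunnel_addr):
        """Resolution request: authoritative reply from the local database, or
        'forward' when this server does not support the requested address."""
        nbma = self.database.get(requested_tunnel_addr)
        if nbma is None:
            return ("forward", None)
        return ("reply", (requested_tunnel_addr, nbma, True))   # True = authoritative


class NhrpClient:
    """A spoke: registers with the hub, resolves peers, caches answers for the holdtime."""

    def __init__(self, tunnel_addr, nbma_addr, hub):
        self.tunnel_addr = tunnel_addr
        self.nbma_addr = nbma_addr
        self.hub = hub
        self.cache = {}   # peer tunnel addr -> (peer nbma addr, expiry time)

    def register(self):
        status, _ = self.hub.registration(str(self.hub.tunnel_iface.ip), self.tunnel_addr, self.nbma_addr)
        return status == "registered"

    def next_hop_nbma(self, peer_tunnel_addr, now):
        """Physical address for the outer header of a packet to peer_tunnel_addr.
        Returns (nbma_addr, served_from_cache).  Until the peer is resolved the
        packet goes via the hub, as the text describes."""
        entry = self.cache.get(peer_tunnel_addr)
        if entry is not None and entry[1] > now:
            return entry[0], True
        self.cache.pop(peer_tunnel_addr, None)          # expired: dynamic tunnel torn down
        status, mapping = self.hub.resolution_request(peer_tunnel_addr)
        if status != "reply":
            return self.hub.nbma_addr, False
        _, nbma, _authoritative = mapping
        self.cache[peer_tunnel_addr] = (nbma, now + HOLDTIME_SECONDS)
        return nbma, False


def demo():
    """Hub and two spokes with the addresses from the NHRP slides."""
    hub = NhrpServer("10.10.10.1/28", "148.43.200.1")
    client1 = NhrpClient("10.10.10.2", "148.43.200.10", hub)
    client2 = NhrpClient("10.10.10.3", "148.43.200.20", hub)
    client1.register()
    client2.register()
    first = client1.next_hop_nbma("10.10.10.3", now=0)                      # resolved via the hub
    second = client1.next_hop_nbma("10.10.10.3", now=600)                   # served from cache
    stale = client1.next_hop_nbma("10.10.10.3", now=HOLDTIME_SECONDS + 1)   # expired, re-resolved
    return hub, client1, first, second, stale
```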

Page 221

28

DMVPN and Routing Protocols

• For DMVPN to work properly, a routing protocol must be enabled on the tunnel interface.

• Spokes must advertise their supported networks to the hub & the hub must propagate these to all the other spokes.

• Advertisements received by a spoke router must have the subnet's originating router listed as the next hop.

• The same routing protocol cannot be enabled on the tunnel & physical interfaces or recursive routing may occur.

For DMVPNs to work properly, a routing protocol must be utilized within the tunnel network so that the spokes can advertise their supported subnets to the hub. The hub then propagates these so that each spoke has knowledge of the subnets within the DMVPN topology. This is a key piece in the establishment of DMVPNs and can be easily overlooked. It is very common for a routing protocol to also be in operation on the physical network in addition to the tunnel network. It is very important that different routing protocols be utilized inside and outside of the tunnel to prevent recursive routing (routing loops). Recursive routing simply means that the routing table has found that the best path to the tunnel destination is through the tunnel. This means that the router cannot send the tunnel protocol’s TCP packets to the destination device because it thinks that they have to be encapsulated in the tunnel protocol again. This is a loop of sorts and the tunnel will be in a constant state of being torn down and rebuilt (up/down status). The other problem that can occur when using the same routing protocol inside and outside the tunnel is that packets can possibly be routed external to the tunnel. This can cause numerous problems and somewhat defeats the purpose of establishing the tunnel. Also, if IPSec is being applied to the tunnel, any packets that should be going through the tunnel but are routed externally will not have IPSec applied.
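An added example (not from the student guide) of the check a practitioner would run against a router's routing table to catch the two problems described above: a longest-prefix lookup that reports recursive routing when the tunnel destination resolves through the tunnel itself, and traffic that should be tunnelled leaving a physical interface in the clear. The routing tables and metrics are constructed; the addresses come from the lab diagram.

```python
import ipaddress

# Routes are (prefix, outgoing interface, administrative distance, metric).
# Addresses follow the lab diagram: tunnel endpoints 148.43.200.9/.10, local LAN
# 12.12.12.0/24, remote LAN 11.11.11.0/24.  Both tables and all metrics are constructed.
HEALTHY = [
    ("148.43.200.8/30", "Serial0/0", 0, 0),        # connected physical link
    ("10.10.10.0/30", "Tunnel0", 0, 0),            # connected tunnel subnet
    ("12.12.12.0/24", "FastEthernet0/0", 0, 0),    # local LAN
    ("11.11.11.0/24", "Tunnel0", 90, 297372416),   # remote LAN learned via EIGRP inside the tunnel
]

# Same routing protocol inside and outside the tunnel, with several routers in
# between the endpoints: the far end's physical subnet arrives through the tunnel,
# and the remote LAN is also learned over the physical path with a better metric.
BROKEN = [
    ("0.0.0.0/0", "Serial0/0", 1, 0),              # default toward the WAN
    ("10.10.10.0/30", "Tunnel0", 0, 0),
    ("12.12.12.0/24", "FastEthernet0/0", 0, 0),
    ("148.43.200.0/24", "Tunnel0", 90, 297372416), # covers the tunnel destination itself
    ("11.11.11.0/24", "Tunnel0", 90, 297372416),   # via the tunnel (slow by default bandwidth)
    ("11.11.11.0/24", "Serial0/0", 90, 2172416),   # via the physical path, lower metric wins
]


def best_route(table, destination):
    """Longest prefix match, then lowest administrative distance, then lowest metric."""
    dst = ipaddress.IPv4Address(destination)
    matches = [(ipaddress.IPv4Network(p), iface, ad, metric)
               for p, iface, ad, metric in table if dst in ipaddress.IPv4Network(p)]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[2], -r[3]))


def check_tunnel(table, tunnel_iface, tunnel_dest, tunnelled_nets):
    """Flag the two failure modes from the text.  Returns a list of finding strings."""
    findings = []
    route = best_route(table, tunnel_dest)
    if route is None:
        findings.append("no route to tunnel destination %s" % tunnel_dest)
    elif route[1] == tunnel_iface:
        findings.append("recursive routing: %s is reached through %s itself" % (tunnel_dest, tunnel_iface))
    for net in tunnelled_nets:
        probe = ipaddress.IPv4Network(net).network_address + 1   # any host in the subnet
        route = best_route(table, str(probe))
        exit_iface = route[1] if route else None
        if exit_iface != tunnel_iface:
            findings.append("%s bypasses %s and exits via %s unencapsulated" % (net, tunnel_iface, exit_iface))
    return findings
```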

Page 222

29

OSPF & EIGRP

• Certain configuration steps must be applied to the tunnel interface when utilizing OSPF and EIGRP.

• OSPF
- configure OSPF network type to broadcast (ip ospf network broadcast).
- configure OSPF priority so hub is always DR (ip ospf priority).
- ensure the IP MTU is set the same on all tunnel interfaces (ip mtu).

• EIGRP
- split horizon must be disabled on the hub (no ip split-horizon eigrp).
- by default, EIGRP routers list themselves as the next hop for all advertised routes – must be disabled (no ip next-hop-self eigrp).
- configure tunnel interface bandwidth so that EIGRP related traffic can be properly maintained.
- consideration should also be given to configuring the spoke routers as EIGRP stub routers.

Depending on the routing protocol selected, there are certain configuration steps that must be taken for it to work properly within a DMVPN environment.

OSPF:

- OSPF considers a tunnel interface point to point and will not allow it to support multiple connections. The tunnel interface must be set to broadcast within OSPF.

- Once the interface is set to broadcast, OSPF treats it as part of a broadcast multi-access network. The hub router must always be the designated router. A good practice would be to set the priority of all the spokes to “0”.

- Ensure that the ip mtu setting on all tunnel interfaces within the DMVPN topology is the same. Two OSPF routers cannot form a neighbor relationship if this setting is different.

EIGRP:

- Split horizon must be disabled on the hub tunnel interface (split horizon is enabled by default with EIGRP). Since the hub is using a single interface to form connections with several spoke routers, EIGRP has to be able to send routing updates received from one spoke to all other spokes. With split horizon enabled, this is not possible.


- By default, when an EIGRP router advertises a network, it lists itself as the next hop even if the network does not originate on that router. For DMVPNs to function properly, this must be disabled on the hub router. Networks advertised from spokes to the hub and then to other spokes must list the originating spoke as the next hop.

- The default bandwidth for a tunnel interface is 9 kbps. EIGRP will utilize at most half the interface bandwidth, 4.5 kbps. This is too low for EIGRP to be properly maintained between neighboring routers. Set the bandwidth to a higher value such as 1000.

- Consideration should be given to configuring the EIGRP spoke routers as stub. By definition, the spokes should only have connections to one router, the hub. Therefore there is no value added by allowing the hub to query the spokes.


• By default, OSPF treats a tunnel interface as a point to point network.

• All tunnel interfaces on routers within a DMVPN net are on the same subnet.

• OSPF must operate as if it is enabled on a broadcast multi-access network.

• Tunnel interface must be set to broadcast for proper operation of the DMVPN.

OSPF & DMVPN - Broadcast Network

[Diagram: hub and two spokes connected over TDMA. hub: tunnel 10.10.10.1/28 (broadcast), f0/1 148.43.200.1/29; spoke 1: tunnel 10.10.10.2/28 (broadcast), f0/1 148.43.200.10/29; spoke 2: tunnel 10.10.10.3/28 (broadcast), f0/1 148.43.200.20/29.]

OSPF considers a tunnel interface as a point to point network and will not allow it to support multiple OSPF neighbor connections. For DMVPNs to function properly, the tunnel interface must be set to OSPF broadcast. All tunnel interfaces belonging to routers within the same DMVPN network are configured as part of the same subnet. Configuring the tunnel interface to broadcast will cause all of these routers to function as part of the same OSPF broadcast multi-access network.


• Spoke routers have permanent connectivity only to the hub router.

• Spoke routers will only form an OSPF neighbor relationship with the hub.

• The hub must be elected as the OSPF designated router (DR).

• Set all spoke routers' OSPF priority to 0.

OSPF & DMVPN - Hub is DR

[Diagram: hub and two spokes connected over TDMA. hub (DR): tunnel 10.10.10.1/28, priority 1, f0/1 148.43.200.1/29; spoke 1 (DROTHER): tunnel 10.10.10.2/28, priority 0, f0/1 148.43.200.10/29; spoke 2 (DROTHER): tunnel 10.10.10.3/28, priority 0, f0/1 148.43.200.20/29.]

Once the DMVPN topology has been configured to function as an OSPF broadcast multi-access network, the OSPF priority must be configured for the designated router (DR) election. The goal is to have the hub (NHRP server) always be the DR and the spokes (NHRP clients) never be the DR. To accomplish this, all spokes should have their OSPF priority configured as “0”. If there are going to be multiple hubs (servers) within a single DMVPN topology, the priority should be set according to which of these should be the DR and which should be the backup designated router (BDR).


• Within the JNN network, several tunnels along with IPSec are configured.

• These functions add additional bytes to the packet.

• To limit fragmentation, the MTU setting of the IP packets is reduced.

• For two routers to form an OSPF neighbor relationship, the interfaces providing connectivity for this must have the same IP MTU setting.

OSPF & DMVPN - IP MTU

[Diagram: hub and two spokes connected over TDMA, each tunnel configured with “ip mtu 1420”. hub: tunnel 10.10.10.1/28, f0/1 148.43.200.1/29; spoke 1: tunnel 10.10.10.2/28, f0/1 148.43.200.10/29; spoke 2: tunnel 10.10.10.3/28, f0/1 148.43.200.20/29.]

Within the JNN TDMA topology, several tunnels are created and IPSec is applied to these tunnels at various points. This tunnel creation and application of IPSec causes additional overhead to be added to the original IP packet causing the size (bytes) of the packet to increase. Ethernet based networks have a default maximum transmission unit (MTU) of 1500 bytes. Once the packet exceeds this size, packet fragmentation occurs. This can have detrimental effects on the processing of packets and can interfere with the operation of IPSec. To prevent the fragmentation of packets on the interface, the IP MTU size is adjusted on the tunnel interface. The actual setting can be calculated based on the additional overhead added by the above noted processes. For two routers to form an OSPF neighbor relationship, the interfaces being utilized by the routers must have the same MTU setting.
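The paragraph above says the tunnel MTU “can be calculated” from the encapsulation overhead. The Python below is an added worked calculation, not part of the student guide: it computes the on-the-wire size of an inner IP packet after mGRE and ESP encapsulation and the largest tunnel ip mtu that still fits a 1500-byte Ethernet frame. The overhead constants are assumptions about the transform set, which the guide does not state for the JNN network: mGRE with a tunnel key (28 bytes), a CBC cipher whose IV equals its block size, a 12-byte HMAC authenticator, and IPSec applied in either tunnel or transport mode.

```python
IP_HDR = 20        # IPv4 header without options
GRE_HDR = 4        # base GRE header (RFC 2784)
GRE_KEY = 4        # added when "tunnel key" is configured (RFC 2890)
ESP_HDR = 8        # SPI + sequence number (RFC 2406)
ESP_TRAILER = 2    # pad length + next header
ICV_LEN = 12       # HMAC-MD5-96 / HMAC-SHA1-96 truncated authenticator
# Assumption: cipher block size doubles as the IV length (CBC transforms).
BLOCK = {"des": 8, "3des": 8, "aes": 16}


def encapsulated_size(inner_len, cipher="3des", tunnel_mode=True, keyed=True):
    """Bytes on the wire for an inner IP packet of inner_len after mGRE + ESP.
    ESP pads so that payload + padding + trailer is a multiple of the cipher
    block; tunnel mode wraps the GRE packet in a second IP header first."""
    block = BLOCK[cipher]
    gre_packet = GRE_HDR + (GRE_KEY if keyed else 0) + inner_len
    plaintext = gre_packet + (IP_HDR if tunnel_mode else 0) + ESP_TRAILER
    padded = -(-plaintext // block) * block          # round up to a block boundary
    return IP_HDR + ESP_HDR + block + padded + ICV_LEN   # block == IV length here


def max_inner_mtu(phys_mtu=1500, **kw):
    """Largest tunnel 'ip mtu' whose packets never exceed phys_mtu after encapsulation."""
    inner = phys_mtu
    while encapsulated_size(inner, **kw) > phys_mtu:
        inner -= 1
    return inner


if __name__ == "__main__":
    for cipher in BLOCK:
        for tunnel in (True, False):
            mode = "tunnel" if tunnel else "transport"
            print(f"{cipher:4s} {mode:9s}: ip mtu <= {max_inner_mtu(cipher=cipher, tunnel_mode=tunnel)}, "
                  f"a 1420-byte packet becomes {encapsulated_size(1420, cipher, tunnel)} bytes")
```

Under these assumptions the guide's value of 1420 fits with 3DES in transport mode (1480 bytes on the wire) but would be fragmented in tunnel mode (1504 bytes, a few bytes over the Ethernet MTU); the budget for a real site has to be taken from its own transform set and tunnel protection mode, and the figure matters for security because fragments that IPSec has to reassemble are exactly what the paragraph above warns about.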


• By default, EIGRP has split horizons enabled - an update cannot be sent out the interface on which it was received.

• The hub must advertise each update received from a spoke to all other spokes.

• Hub has only a single interface connected to the DMVPN topology.

• Split horizons must be disabled on this interface.

EIGRP & DMVPN - Split Horizons

[Diagram: hub and two spokes connected over TDMA. hub: tunnel 10.10.10.1/28 (no ip split-horizons eigrp), f0/1 148.43.200.1/29; spoke 1: tunnel 10.10.10.2/28, f0/1 148.43.200.10/29, f0/0 148.43.200.128/27; spoke 2: tunnel 10.10.10.3/28, f0/1 148.43.200.20/29. Spoke 1 sends an EIGRP update for 148.43.200.128/27 to the hub, which, with split horizons disabled, re-advertises it out the same tunnel interface to spoke 2.]

EIGRP is a distance vector protocol and therefore employs the split horizon route loop prevention technique. Split horizon does not allow the advertisement of an update through an interface if that update was received on that interface. For DMVPNs to work properly all spokes must advertise their directly connected subnets to the hub and then the hub must advertise these to all the other spokes. Since the hub has only one interface connected to the DMVPN topology, split horizons must be disabled within the EIGRP process on the hub router.


• By default, when an EIGRP router sends an update, it lists itself as the next hop.

• For DMVPN operation, the originating router must be listed as the next hop.

• The next hop self function must be disabled on the hub router.

EIGRP & DMVPN - Next Hop Self

[Diagram: hub and two spokes connected over TDMA. hub: tunnel 10.10.10.1/28 (no ip next-hop-self eigrp), f0/1 148.43.200.1/29; spoke 1: tunnel 10.10.10.2/28, f0/1 148.43.200.10/29, f0/0 148.43.200.128/27; spoke 2: tunnel 10.10.10.3/28, f0/1 148.43.200.20/29. Spoke 1 sends an EIGRP update for 148.43.200.128/27 to the hub; with next hop self disabled, the hub forwards it to spoke 2 as “148.43.200.128/27 via 10.10.10.2”, and spoke 2's routing table shows “D 148.43.200.128/27 via 10.10.10.2”.]

By default, when an EIGRP router sends an update to a neighbor, it lists itself as the next hop even when on a multi-access network (all routers on the same subnet) and it is not the originating router of the update (subnet not directly connected). For the proper operation of DMVPNs, a spoke router’s routing table must list all subnets within the DMVPN topology with the originating router as the next hop. For this to happen, the EIGRP next hop self function must be disabled on the hub router.


• By default, EIGRP will only send its routing related traffic at 50% of the interface bandwidth - a tunnel interface has a default bandwidth of 9 kbps.

• This means that EIGRP would limit its traffic to a rate of 4.5 kbps.

• Set the tunnel bandwidth to match the actual speed of the physical interface.

• This allows the EIGRP process to be properly maintained.

EIGRP & DMVPN Interface Bandwidth

[Diagram: hub and two spokes connected over TDMA, each tunnel configured with “bandwidth 100,000”. hub: tunnel 10.10.10.1/28, f0/1 148.43.200.1/29; spoke 1: tunnel 10.10.10.2/28, f0/1 148.43.200.10/29; spoke 2: tunnel 10.10.10.3/28, f0/1 148.43.200.20/29. EIGRP traffic flows between the hub and each spoke.]

By default, EIGRP will only utilize a maximum of 50% of the configured bandwidth on an interface to send EIGRP related information. A tunnel interface by default has its bandwidth set to 9 kbps. This means that EIGRP will only send its routing related traffic at a maximum rate of 4.5 kbps. In most situations, this rate is not sufficient for an EIGRP topology to converge properly. This could lead to routing loops and packets being dropped because of inaccurate routing information. It is recommended to configure the bandwidth of the tunnel interface to match the physical interface configured as the tunnel source. Within the JNN network, the tunnel interface commonly uses a Fast Ethernet interface as the tunnel source. Therefore, the tunnel bandwidth should be configured as 100,000.


• All EIGRP route information received by a spoke is from the hub.

• There is no reason for the hub to send a query to a spoke.

• Consideration should be given to configuring the spokes as a stub.

EIGRP & DMVPN Set Spokes to Stub

[Diagram: hub and two spokes connected over TDMA; both spokes configured with “eigrp stub”. hub: tunnel 10.10.10.1/28, f0/1 148.43.200.1/29; spoke 1: tunnel 10.10.10.2/28, f0/1 148.43.200.10/29; spoke 2: tunnel 10.10.10.3/28, f0/1 148.43.200.20/29. The hub does not query the stub spokes.]

Within the DMVPN topology, permanent VPNs are established between the hub and each spoke. EIGRP neighbor relationships only exist between the hub and each spoke. No routing information is exchanged between spoke routers even when a dynamic VPN is established between two spokes. All EIGRP related information received by a spoke router is always from the hub. Therefore, there is no valid reason for the hub to ever query a spoke router for EIGRP route information. Consideration should be given to configuring spoke routers as EIGRP stubs.


DMVPN Configuration - Hub

interface Tunnel1
 ip address 172.21.38.8 255.255.255.128
 ip mtu 1420
 ip nhrp authentication 101A6727
 ip nhrp map multicast dynamic
 ip nhrp network-id 6727
 ip nhrp holdtime 600
 ip ospf network broadcast
 ip ospf priority 3
 tunnel source FastEthernet2/0
 tunnel mode gre multipoint
 tunnel key 6727

interface tunnel 1: Configures a tunnel interface.

ip address: Assigns an IP address & mask to the tunnel interface.

ip mtu: Sets the maximum transmission unit size on the tunnel interface. If an IP packet exceeds the MTU set for the interface, the Cisco IOS software will fragment it. All devices on a physical medium must have the same protocol MTU in order to operate. Within the DMVPN network the MTU size for the tunnel interface is set to a smaller size than what is utilized for the physical interface (such as 1500 for Ethernet). This ensures that once the packet is encapsulated with mGRE and IPSec it won’t exceed the physical MTU size and be fragmented once the additional headers & encryption have been applied.

ip nhrp authentication: Configures the authentication string for an interface using the Next Hop Resolution Protocol (NHRP). All routers configured with NHRP within one logical NBMA network must share the same authentication string.

ip nhrp map multicast dynamic: Configures NBMA addresses for use as destinations for broadcast or multicast packets to be sent over a tunnel network. When multiple NBMA addresses are configured, the system replicates the broadcast packet for each address. When utilized with the keyword dynamic, multicast & broadcast packets are sent to all entries within the NHRP database. This is utilized on the hub so that router neighbor relationships can be established with all spoke systems dynamically.


ip nhrp network-id: Enables the Next Hop Resolution Protocol (NHRP) on an interface. All NHRP stations within one logical NBMA network must be configured with the same network identifier.

ip nhrp holdtime: Changes the number of seconds that NHRP NBMA addresses are advertised as valid in authoritative NHRP responses. The command affects authoritative responses only. The advertised holding time is the length of time the Cisco IOS software tells other routers to keep the information that it is providing in authoritative NHRP responses. The cached IP-to-NBMA address mapping entries are discarded after the holding time expires. The NHRP cache can contain static and dynamic entries. The static entries never expire. Dynamic entries expire regardless of whether they are authoritative or non-authoritative.

ip ospf network broadcast: Configures the OSPF network type to a type other than the default for a given medium. By default, the router sees a tunnel interface as part of a point to point network. Using the command with the keyword broadcast causes OSPF to operate in broadcast multi-access mode.

ip ospf priority: Sets the OSPF router priority, which helps determine the designated router for a broadcast multi-access (BMA) network. When two routers attached to a network both attempt to become the designated router, the one with the higher router priority takes precedence. If there is a tie, the router with the higher router ID takes precedence. A router with a router priority set to zero is ineligible to become the designated router or backup designated router. In the DMVPN topology, the hub router should always be the designated router and the spokes should never be the DR.

tunnel source: Designates the router physical interface to be utilized as the source for this tunnel. Any traffic originating from the tunnel will be sent through the tunnel source interface. In addition, the IP address assigned to the tunnel source will be utilized as the source address of the tunneled packets.

tunnel mode gre multipoint: Sets the tunnel encapsulation mode to gre multipoint.

tunnel key: Enables an ID key for a tunnel interface. This command currently applies to GRE only. Tunnel ID keys can be used as a form of weak security to prevent improper configuration or injection of packets from a foreign source. When GRE is used, the ID key is carried in each packet. It is not recommended to be used for security purposes. All routers wishing to establish DMVPNs must have the same key.

tunnel protection ipsec profile: Associates a tunnel interface with an IP Security (IPSec) profile. Use the command to specify that IPSec encryption will be performed after the GRE header has been added to the tunnel packet. The tunnel protection command can be used with multipoint GRE (mGRE) and point-to-point GRE (p-pGRE) tunnels. With p-pGRE tunnels, the tunnel destination address will be used as the IPSec peer address. With mGRE tunnels, multiple IPSec peers are possible; the corresponding NHRP mapping NBMA destination addresses will be used as the IPSec peer addresses. If you wish to configure two Dynamic


Multipoint VPN (DMVPN) mGRE and IPSec tunnels on the same router, you must issue the shared keyword.

Note: There are also two commands which apply specifically to the EIGRP routing protocol that are not shown on the above slides. These only have to be configured on the hub router.

no ip next-hop-self eigrp: Instructs EIGRP to use the received next hop rather than itself when advertising updates received from neighbors. EIGRP routers by default always list themselves as the next hop for any network advertised even if it is not directly connected. DMVPNs cannot be established between spoke routers if this is not configured on the hub.

no ip split-horizon eigrp: Split horizon says that a route cannot be advertised out an interface on which it was received. Hub routers only have one interface connected to the topology and through it make multiple neighbor routing connections. The hub must be able to propagate routing information received from one neighbor to all of its other neighbors. Split horizon therefore must be disabled.


DMVPN Configuration - Spoke

interface Tunnel1
 ip address 172.21.37.16 255.255.255.128
 ip mtu 1420
 ip nhrp authentication 101A6725
 ip nhrp map 172.21.37.1 10.37.1.2
 ip nhrp map multicast 10.37.1.2
 ip nhrp network-id 6725
 ip nhrp holdtime 600
 ip nhrp nhs 172.21.37.1
 ip ospf network broadcast
 ip ospf priority 0
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 6725

Note: commands that are the same for the hub and spoke will not have the explanation duplicated here.

ip nhrp map: Statically maps the tunnel IP of a distant end router to its physical IP. This forces a static entry into the NHRP database. This is configured on the spoke and maps the IPs of the hub router.

ip nhrp map multicast: Configures NBMA addresses for use as destinations for broadcast or multicast packets to be sent over a tunnel network. The spokes utilize this command and map the addresses for the hub system. The spokes will only form a router neighbor relationship with the hub.

ip nhrp nhs: Configures the virtual IP (tunnel) address of the NHRP server (hub). This address was previously mapped to a physical interface address in the “ip nhrp map” command.
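The OSPF and EIGRP requirements listed earlier in this chapter, the DR election rule, and the hub and spoke stanzas above all boil down to settings that have to agree across every router in the tunnel network. The Python below is an added example, not code from the student guide or from Cisco: it parses the hub stanza printed on the hub slide and a spoke stanza constructed to belong to that hub (the guide's own spoke slide belongs to a different tunnel network, network-id 6725, so it would not pair with this hub; the hub NBMA address 10.38.1.2 is a placeholder, since the slides do not give it), then checks that ip mtu, the NHRP authentication string, network-id and tunnel key match, that both ends run mGRE, that the spoke's nhs and map entries point at the hub, that the spoke's OSPF priority is 0, and that a simplified DR election would pick the hub. The router ID is assumed to equal the tunnel address.

```python
import ipaddress
import re

# Hub tunnel stanza from the "DMVPN Configuration - Hub" slide (holdtime and
# tunnel source omitted because the checks below do not look at them).
HUB_CFG = """\
interface Tunnel1
 ip address 172.21.38.8 255.255.255.128
 ip mtu 1420
 ip nhrp authentication 101A6727
 ip nhrp map multicast dynamic
 ip nhrp network-id 6727
 ip ospf network broadcast
 ip ospf priority 3
 tunnel mode gre multipoint
 tunnel key 6727
"""

# Constructed spoke that belongs to the hub above; 10.38.1.2 stands in for the
# hub's physical (NBMA) address, which the slides do not give.
SPOKE_CFG = """\
interface Tunnel1
 ip address 172.21.38.16 255.255.255.128
 ip mtu 1420
 ip nhrp authentication 101A6727
 ip nhrp map 172.21.38.8 10.38.1.2
 ip nhrp map multicast 10.38.1.2
 ip nhrp network-id 6727
 ip nhrp nhs 172.21.38.8
 ip ospf network broadcast
 ip ospf priority 0
 tunnel mode gre multipoint
 tunnel key 6727
"""

# (regex, key, converter) for the single-valued settings we compare.
FIELDS = [
    (r"ip address (\S+ \S+)$", "tunnel_ip", lambda v: ipaddress.ip_interface(v.replace(" ", "/"))),
    (r"ip mtu (\d+)$", "mtu", int),
    (r"ip nhrp authentication (\S+)$", "nhrp_auth", str),
    (r"ip nhrp network-id (\d+)$", "nhrp_id", int),
    (r"ip nhrp nhs (\S+)$", "nhs", str),
    (r"ip ospf network (\S+)$", "ospf_net", str),
    (r"ip ospf priority (\d+)$", "ospf_priority", int),
    (r"tunnel mode (.+)$", "tunnel_mode", str),
    (r"tunnel key (\d+)$", "tunnel_key", int),
]


def parse_tunnel(cfg):
    """Reduce an 'interface TunnelN' stanza to the settings the checks need."""
    s = {"nhrp_map": {}, "nhrp_mcast": [], "ospf_priority": 1}  # IOS default priority is 1
    for line in cfg.splitlines():
        line = line.strip()
        if m := re.match(r"ip nhrp map multicast (\S+)$", line):   # must precede the generic map
            s["nhrp_mcast"].append(m[1])
        elif m := re.match(r"ip nhrp map (\S+) (\S+)$", line):
            s["nhrp_map"][m[1]] = m[2]
        else:
            for pattern, key, conv in FIELDS:
                if m := re.match(pattern, line):
                    s[key] = conv(m[1])
    s["router_id"] = s["tunnel_ip"].ip   # assumption: router ID equals the tunnel address
    return s


def elect_dr(routers):
    """Simplified OSPF DR election on one broadcast segment: priority 0 is
    ineligible, the highest priority wins, ties go to the highest router ID."""
    eligible = [(s["ospf_priority"], s["router_id"], name)
                for name, s in routers.items() if s["ospf_priority"] > 0]
    return max(eligible)[2] if eligible else None


def check_dmvpn(hub, spokes):
    """Return the list of problems found; an empty list means the set is consistent."""
    hub_ip, problems = str(hub["tunnel_ip"].ip), []
    if hub.get("tunnel_mode") != "gre multipoint" or "dynamic" not in hub["nhrp_mcast"]:
        problems.append("hub: needs 'tunnel mode gre multipoint' and 'ip nhrp map multicast dynamic'")
    if hub.get("ospf_net") != "broadcast" or hub["ospf_priority"] == 0:
        problems.append("hub: OSPF network type must be broadcast with a priority above 0")
    for name, sp in spokes.items():
        for key in ("mtu", "nhrp_auth", "nhrp_id", "tunnel_key", "ospf_net", "tunnel_mode"):
            if sp.get(key) != hub.get(key):
                problems.append(f"{name}: {key} {sp.get(key)!r} differs from hub {hub.get(key)!r}")
        if sp["tunnel_ip"].network != hub["tunnel_ip"].network:
            problems.append(f"{name}: tunnel address is not in {hub['tunnel_ip'].network}")
        if sp.get("nhs") != hub_ip:
            problems.append(f"{name}: 'ip nhrp nhs' must be the hub tunnel address {hub_ip}")
        nbma = sp["nhrp_map"].get(hub_ip)
        if nbma is None or nbma not in sp["nhrp_mcast"]:
            problems.append(f"{name}: needs 'ip nhrp map {hub_ip} <NBMA>' and 'ip nhrp map multicast <NBMA>'")
        if sp["ospf_priority"] != 0:
            problems.append(f"{name}: spoke OSPF priority must be 0")
    dr = elect_dr({"hub": hub, **spokes})
    if dr != "hub":
        problems.append(f"DR election would choose {dr} instead of the hub")
    return problems


if __name__ == "__main__":
    found = check_dmvpn(parse_tunnel(HUB_CFG), {"spoke1": parse_tunnel(SPOKE_CFG)})
    print("\n".join(found) or "hub/spoke tunnel settings are consistent")
```

Running it against a spoke whose ip mtu or priority has drifted reports the exact mismatch, which is the same condition that shows up in the field as an OSPF adjacency that never forms or a spoke that wins the DR election. Extending the spoke dictionary to every spoke in the network turns the check into a pre-deployment review of the whole DMVPN.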


show ip nhrp

router_hub#sho ip nhrp
10.10.10.1/32 via 10.10.10.1, Tunnel0 created 03:27:40, expire 00:00:59
  Type: dynamic, Flags: authoritative unique registered used
  NBMA address: 148.43.200.1
10.10.10.2/32 via 10.10.10.2, Tunnel0 created 03:25:28, expire 00:00:51
  Type: dynamic, Flags: authoritative unique registered used
  NBMA address: 148.43.200.5
10.10.10.3/32 via 10.10.10.3, Tunnel0 created 03:18:55, expire 00:00:46
  Type: dynamic, Flags: authoritative unique registered used
  NBMA address: 148.43.200.9

router_spoke#sho ip nhrp
10.10.10.6/32 via 10.10.10.6, Tunnel0 created 00:00:02, expire 00:00:51
  Type: dynamic, Flags: router used
  NBMA address: 148.43.200.21
10.10.10.7/32 via 10.10.10.7, Tunnel0 created 03:28:53, never expire
  Type: static, Flags: authoritative used
  NBMA address: 148.43.200.25

The “show ip nhrp” command displays the contents of the NHRP database or cache. When using it on the hub router, it shows each spoke that has registered dynamically via NHRP with the hub. When utilizing the command on the spoke router, at a minimum it will show a static NHRP entry to the hub router. This is entered into the database by the configuration command “ip nhrp map”. In addition, it will also show any dynamic tunnels established with other spoke routers. Contained within each entry will be the tunnel IP address, the physical address (NBMA), how long ago the tunnel was created, how long the tunnel has to live, and how the tunnel was created (static or dynamic).
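The Python below is an added example, not from the student guide: it parses “show ip nhrp” output into records and answers the questions an operator actually checks against the cache. On the hub, which spokes have registered and from which physical (NBMA) address, and whether any NBMA address is one that is not on the expected list (a spoke registering from an unknown address is worth an alert); on a spoke, whether the static entry for the hub is still present. The sample text is the slide's own output, with the lines separated as IOS prints them.

```python
import re

# Hub-side output from the slide, one cache entry per three lines.
HUB_NHRP = """\
10.10.10.1/32 via 10.10.10.1, Tunnel0 created 03:27:40, expire 00:00:59
  Type: dynamic, Flags: authoritative unique registered used
  NBMA address: 148.43.200.1
10.10.10.2/32 via 10.10.10.2, Tunnel0 created 03:25:28, expire 00:00:51
  Type: dynamic, Flags: authoritative unique registered used
  NBMA address: 148.43.200.5
10.10.10.3/32 via 10.10.10.3, Tunnel0 created 03:18:55, expire 00:00:46
  Type: dynamic, Flags: authoritative unique registered used
  NBMA address: 148.43.200.9
"""

# Spoke-side output from the slide: one dynamic spoke-to-spoke entry and the static hub entry.
SPOKE_NHRP = """\
10.10.10.6/32 via 10.10.10.6, Tunnel0 created 00:00:02, expire 00:00:51
  Type: dynamic, Flags: router used
  NBMA address: 148.43.200.21
10.10.10.7/32 via 10.10.10.7, Tunnel0 created 03:28:53, never expire
  Type: static, Flags: authoritative used
  NBMA address: 148.43.200.25
"""

ENTRY = re.compile(r"^(?P<prefix>\S+) via (?P<nexthop>\S+), (?P<iface>\S+) created "
                   r"(?P<created>\S+), (?:expire (?P<expire>\S+)|never expire)$")
TYPE = re.compile(r"^Type: (?P<type>\w+), Flags: (?P<flags>.*)$")
NBMA = re.compile(r"^NBMA address: (?P<nbma>\S+)$")


def seconds(hhmmss):
    """'03:27:40' -> 12460 seconds."""
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def parse_nhrp(text):
    """Return one dict per cache entry: prefix, nexthop, iface, created_s,
    expire_s (None for static entries), type, flags and nbma."""
    entries, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := ENTRY.match(line):
            cur = {"prefix": m["prefix"], "nexthop": m["nexthop"], "iface": m["iface"],
                   "created_s": seconds(m["created"]),
                   "expire_s": seconds(m["expire"]) if m["expire"] else None}
            entries.append(cur)
        elif cur and (m := TYPE.match(line)):
            cur["type"], cur["flags"] = m["type"], m["flags"].split()
        elif cur and (m := NBMA.match(line)):
            cur["nbma"] = m["nbma"]
    return entries


def registered_spokes(entries):
    """Hub view: tunnel address -> NBMA address for every spoke that registered via NHRP."""
    return {e["nexthop"]: e["nbma"]
            for e in entries if e["type"] == "dynamic" and "registered" in e["flags"]}


def unexpected_nbma(entries, allowed):
    """NBMA addresses present in the cache that are not on the allow list."""
    return sorted({e["nbma"] for e in entries if e["nbma"] not in allowed})


def hub_static_entry(entries, hub_tunnel_ip):
    """Spoke view: the never-expiring static mapping for the hub, or None if it is gone."""
    for e in entries:
        if e["type"] == "static" and e["nexthop"] == hub_tunnel_ip:
            return e
    return None


if __name__ == "__main__":
    hub = parse_nhrp(HUB_NHRP)
    print("registered spokes:", registered_spokes(hub))
    print("not on allow list:", unexpected_nbma(hub, {"148.43.200.1", "148.43.200.5"}))
    print("hub entry on spoke:", hub_static_entry(parse_nhrp(SPOKE_NHRP), "10.10.10.7"))
```

The allow list in the usage is just the first two spokes of the slide, so the third shows up as unexpected; in practice the list comes from the site's inventory of spoke physical addresses, and the function is run on a schedule so that a registration from an address outside it is noticed rather than silently accepted into the cache.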


DMVPN Lab

[Lab diagram: seven routers (hub and s-1 through s-6) each connected through f0/0 to a TDMA cloud, with host subnets on f0/1 and tun0 on the shared 10.10.10.0/24 tunnel subnet.
hub: f0/0 148.43.200.1/30, tun0 10.10.10.1/24, f0/1 11.11.11.1/24
s-1: f0/0 148.43.200.5/30, tun0 10.10.10.2/24, f0/1 12.12.12.1/24
s-2: f0/0 148.43.200.9/30, tun0 10.10.10.3/24, f0/1 13.13.13.1/24
s-3: f0/0 148.43.200.13/30, tun0 10.10.10.4/24, f0/1 14.14.14.1/24
s-4: f0/0 148.43.200.17/30, tun0 10.10.10.5/24, f0/1 15.15.15.1/24
s-5: f0/0 148.43.200.21/30, tun0 10.10.10.6/24, f0/1 16.16.16.1/24
s-6: f0/0 148.43.200.25/30, tun0 10.10.10.7/24, f0/1 17.17.17.1/24]

Install the above network as shown. Configure the hub and spoke routers using the configuration information from the two previous pages. Enable either OSPF or EIGRP to operate on the tunnel interface and the interface supporting host computers. Do not configure a routing protocol for the physical interfaces connected to the TDMA cloud. Configure a static route. The TDMA router’s Ethernet interface is configured with all seven physical subnets. Configure the first subnet with “ip address” command and then the other six with “ip address” command and the “secondary” extension. Once complete, test for network connectivity using ping and trace between the user subnets. Utilize the “show ip nhrp” command to view the tunnels in place.


IP Security (IPSec)

• Security Architecture for IP
  - open standard defined in RFC 2401
  - consists of a suite of security services & protocols
  - operates at layer 3 of OSI model
  - provides security for layer 3 and above (4 – 7)

• Three Major Components of IPSec
  - Modes: Transport & Tunnel
  - Protocols: AH & ESP
  - Internet Key Exchange (IKE)

The security architecture for IP (IPSec) is a suite of security services for traffic at the IP layer. It is an open standard, defined in RFC 2401 and several following RFCs. IPSec was developed by the IETF as part of IPv6 and can be implemented in IPv4. IPSec is a framework of open standards that operates at Layer 3 of the OSI model, which means that it can protect communications from the network layer (IP) and up. IPSec protocols can supply access control, authentication, data integrity, and confidentiality for each IP packet between two participating network nodes. IPSec can be used between two hosts (including clients), a gateway and a host, or two gateways. IPSec establishes a secure tunnel between endpoints, and provides authentication and encryption services to protect transported data. IPSec provides two security protocols used for transferring data: Encapsulating Security Payload (ESP) and Authentication Header (AH). AH provides connectionless integrity, data origin authentication, and anti-replay service for the IP packet. AH does not encrypt the data, but any modification of the data would be detected. ESP provides confidentiality through the encryption of the payload. Access control is provided through the use and management of keys to control participation in traffic flows. IKE is a key management protocol used in IPSec to create an authenticated, secure communication channel between two entities and then negotiate the


security associations for IPSec. IKE offers several advantages over manually defined keys (manual keying):

- Eliminates manual configuration of keys
- Allows you to specify a lifetime for the IPSec SA
- Allows encryption keys to change during IPSec sessions
- Supports the use of public key-based authentication and CAs
- Allows dynamic authentication of peers


IPSec Architecture

[Diagram: IPSec architecture. Modes: Transport Mode and Tunnel Mode. Protocols: AH Protocol and ESP Protocol. Authentication Algorithm (MD5, SHA-1); Encryption Algorithm (DES, 3DES, AES); Key Management (IKE).]

Within the IPSec architecture, there are two modes of operation: transport and tunnel. In transport mode, the original IP header is left in place and the IPSec process is applied to the remaining portions of the packet. In tunnel mode, a new IP header is added to the original packet (including the original header). The IPSec process is then applied to the entire original packet. IPSec has two protocols: Authentication Header (AH) and Encapsulating Security Payload (ESP). AH provides authentication and anti-replay services but does not encrypt the packet payload. ESP encrypts the packet payload and offers authentication and anti-replay services. There are certain algorithms that are associated with each protocol. AH can only utilize authentication algorithms such as MD5 & SHA-1. ESP utilizes the same authentication algorithms and in addition utilizes a different set of algorithms (DES, 3DES, AES) for the purpose of encrypting the payload. Internet Key Exchange (IKE) is utilized for the purpose of automatically authenticating IPSec peers, negotiating key exchange & security associations, & establishing keys for encryption algorithms.


AH & ESP

• Authentication Header (AH)
  - IP Protocol 51, RFC 2402
  - provides authentication and anti-replay services
  - does not encrypt IP packet payload

• Encapsulating Security Payload (ESP)
  - IP Protocol 50, RFC 2406
  - provides authentication, optional anti-replay services, & packet payload encryption
  - can be used as stand alone or in conjunction with AH

AH (RFC2402) provides packet authentication and anti-replay services. AH can be deployed in either transport or tunnel mode. In transport mode, the AH is inserted after the IP header and before an upper-layer protocol (such as TCP, UDP, and ICMP), or before any other previously inserted IPSec headers. The AH (IP protocol 51) ensures:

Data Integrity Calculates a hash of the entire IP packet, including the original IP header (not including variable fields such as the TTL), the data part of the packet, and the AH (excluding the field that will contain the calculated hash value) [either Message Authentication Code (MAC) or a digital signature]. MD5 or SHA-1 uses an extra value to calculate the hash (known only to the participating parties). The receiver performs calculations and compares to the sender's results: if they match, the packet is declared authentic.

Data Origin Authentication The AH provides source IP authentication. Since the source IP is included in the data, its integrity is guaranteed.

Replay Protection The AH uses an IPSec sequence number to protect against replay attacks.

ESP (RFC2406) provides data encryption, data authentication, and optional anti-replay services. ESP can be used on its own or with AH packet authentication. ESP encapsulates the data and can be deployed in either transport or tunnel mode. In transport mode, ESP is placed after the IP header (and any options that


it contains), and before the upper layer protocol. This makes ESP and AH compatible with non-IPSec-compliant routers. Tunnel mode ESP may be employed in either hosts or security gateways. In tunnel mode, ESP protects the entire inner IP packet, including the entire inner IP header. The position of ESP in tunnel mode relative to the outer IP header is the same as for ESP in transport mode. ESP (IP protocol 50) features:

- Pads a packet to prevent traffic analysis, and encrypts the result with ciphers such as DES, 3DES, AES, or Blowfish.

- Optional authentication using the same algorithms as the AH protocol. Header information is not included in the authenticated data, which allows ESP-protected packets to pass through NAT. Authentication data is calculated after encryption.

- Optional anti-replay features.

ESP can perform most of AH's functions. ESP works on encapsulation principles: all data is encrypted and then placed between a header and a trailer. This differentiates it from AH, where only a header is created.


AH & ESP Modes

• Transport
  - authenticates/encrypts only data payload
  - original IP header remains intact

• Tunnel
  - authenticates/encrypts entire IP packet
  - adds new IP header

[Diagram: ESP transport mode: the original packet “IP Hdr | TCP Hdr | Data” becomes “Orig IP Hdr | ESP Hdr | TCP Hdr | Data | ESP Trailer | ESP Auth”, with TCP Hdr through ESP Trailer encrypted. ESP tunnel mode: the same original packet becomes “New IP Hdr | ESP Hdr | Orig IP Hdr | TCP Hdr | Data | ESP Trailer | ESP Auth”, with Orig IP Hdr through ESP Trailer encrypted.]

IPSec has a transport mode and a tunnel mode. Transport mode only affects the data payload and does not modify the original IP header. In transport mode, the AH or ESP header is inserted after the IP header, but before any upper-layer protocol headers. Tunnel mode encapsulates the entire original packet as the data portion of a new packet with its own IP header. (AH and/or ESP headers are created in both modes.) Transport mode is used when both the receiver and the sender are endpoints of the communication (for example, two hosts communicating directly with each other). Tunnel mode is more convenient for site-to-site VPNs because it allows tunneling of traffic through the channel established between two gateways. Transport mode will place an AH or ESP header right after the original IP header and before upper-layer data (TCP header and application data). If ESP is applied to the packet, only this upper-layer data is encrypted. If optional ESP authentication is used, only upper-layer data, not the IP header, is authenticated. If AH is applied to the packet, both the original IP header and the upper-layer data are authenticated. Tunnel mode, the most common mode of operation, allows the establishment of an encrypted and authenticated IP tunnel between two sites. The original packet is encrypted and/or authenticated and encapsulated as the data payload of a


new IP packet. The new IP header is added to it with the destination address of the receiving gateway. The ESP and/or AH header is inserted between this new header and the data portion. The receiving gateway performs decryption and authentication of the packet, extracts the original IP packet (including the original source/destination IPs), and forwards it to the destination network.
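The AH and ESP pages above describe what each protocol authenticates and where the headers sit in transport and tunnel mode. The Python below is an added example, not code from the student guide: it builds an AH transport packet and ESP transport and tunnel packets from a constructed inner IP packet, so that the integrity rules can be exercised directly. AH zeroes the mutable IP fields (TOS, flags/fragment offset, TTL, checksum) before hashing, so a TTL decrement in transit still verifies but a NAT rewrite of the source address does not; the ESP ICV covers only the ESP header through the trailer, so an outer header change does not break it, while any change to the ciphertext does. Assumptions: the payload cipher is a labelled stand-in (HMAC-SHA256 run in counter mode), not the DES/3DES/AES transforms the guide lists; the cipher block size is taken as 16 as for AES; HMAC-SHA1-96 is used for the 12-byte ICV; the IP checksum is left at zero; keys and addresses are constructed.

```python
import hashlib
import hmac
import struct

AH, ESP = 51, 50        # IP protocol numbers from the AH & ESP slide
IPIP = 4                # "next header" value meaning a whole IP packet follows (tunnel mode)
ICV_LEN = 12            # HMAC-MD5-96 / HMAC-SHA1-96 authenticator length


def ip(addr):
    return bytes(int(o) for o in addr.split("."))


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header; checksum left 0 to keep the example short."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0, src, dst)


# ---------------- AH, transport mode ----------------
def ah_icv(key, ip_hdr, ah_fixed, payload):
    """HMAC-SHA1-96 over the whole packet with the mutable IP fields (TOS,
    flags/fragment offset, TTL, checksum) and the ICV field itself zeroed."""
    h = bytearray(ip_hdr)
    h[1] = 0; h[6:8] = b"\0\0"; h[8] = 0; h[10:12] = b"\0\0"
    mac = hmac.new(key, bytes(h) + ah_fixed + bytes(ICV_LEN) + payload, hashlib.sha1)
    return mac.digest()[:ICV_LEN]


def ah_transport(key, packet, spi=0x100, seq=1):
    """Insert an AH between the original IP header and its payload."""
    ip_hdr, payload = bytearray(packet[:20]), packet[20:]
    # next header, payload length in 32-bit words minus 2, reserved, SPI, sequence
    ah_fixed = struct.pack("!BBHII", ip_hdr[9], (12 + ICV_LEN) // 4 - 2, 0, spi, seq)
    ip_hdr[9] = AH
    struct.pack_into("!H", ip_hdr, 2, 20 + 12 + ICV_LEN + len(payload))
    return bytes(ip_hdr) + ah_fixed + ah_icv(key, ip_hdr, ah_fixed, payload) + payload


def ah_verify(key, packet):
    ip_hdr, ah_fixed, icv, payload = packet[:20], packet[20:32], packet[32:44], packet[44:]
    return hmac.compare_digest(icv, ah_icv(key, ip_hdr, ah_fixed, payload))


# ---------------- ESP, transport or tunnel mode ----------------
def keystream(key, nonce, n):
    """Stand-in for DES/3DES/AES: HMAC-SHA256 in counter mode. Not an IPSec
    transform; it only lets the example produce real ciphertext offline."""
    blocks = (hmac.new(key, nonce + struct.pack("!I", i), hashlib.sha256).digest()
              for i in range(-(-n // 32)))
    return b"".join(blocks)[:n]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def esp_encapsulate(enc_key, auth_key, packet, mode, outer_src=None, outer_dst=None,
                    spi=0x200, seq=1, block=16):
    """Transport: keep the original IP header and protect its payload.
    Tunnel: protect the whole original packet behind a new outer IP header.
    In both modes the ICV covers ESP header..trailer only, never the outer IP header."""
    if mode == "transport":
        ip_hdr, data, next_hdr = bytearray(packet[:20]), packet[20:], packet[9]
    else:
        ip_hdr, data, next_hdr = bytearray(20), packet, IPIP
    pad_len = (-(len(data) + 2)) % block            # RFC 2406 default padding 1,2,3,...
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr])
    esp_hdr = struct.pack("!II", spi, seq)
    body = xor(data + trailer, keystream(enc_key, esp_hdr, len(data) + len(trailer)))
    icv = hmac.new(auth_key, esp_hdr + body, hashlib.sha1).digest()[:ICV_LEN]
    total = 20 + len(esp_hdr) + len(body) + ICV_LEN
    if mode == "transport":
        ip_hdr[9] = ESP
        struct.pack_into("!H", ip_hdr, 2, total)
    else:
        ip_hdr[:] = ipv4_header(outer_src, outer_dst, ESP, total)
    return bytes(ip_hdr) + esp_hdr + body + icv


def esp_decapsulate(enc_key, auth_key, packet):
    """Check the ICV, decrypt, strip the padding and return the original packet."""
    ip_hdr, esp_hdr, body, icv = packet[:20], packet[20:28], packet[28:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, esp_hdr + body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP authentication failed")
    plain = xor(body, keystream(enc_key, esp_hdr, len(body)))
    pad_len, next_hdr = plain[-2], plain[-1]
    data = plain[:len(plain) - 2 - pad_len]
    if next_hdr == IPIP:                      # tunnel mode: data is the whole inner packet
        return data
    hdr = bytearray(ip_hdr)                   # transport mode: restore protocol and length
    hdr[9] = next_hdr
    struct.pack_into("!H", hdr, 2, 20 + len(data))
    return bytes(hdr) + data
```

Two behaviours follow directly from where each ICV is computed: the AH packet survives a router decrementing TTL but fails after a NAT rewrite of its source address, whereas the ESP tunnel packet still decapsulates after its outer destination is rewritten, which is the property the ESP page describes as letting ESP pass through NAT.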


51

Authentication & Encryption Algorithms

• HMAC-MD5 (authentication)

• HMAC-SHA-1 (authentication)

• DH (key exchange)

• DES (payload encryption)

• 3DES (payload encryption)

• AES (payload encryption)

Message Digest 5 (MD5) is a hash algorithm used to authenticate packet data. Cisco routers use the MD5 hashed message authentication code (HMAC) variant, which provides an additional level of hashing. A hash is a one-way encryption algorithm that takes an input message of arbitrary length and produces a fixed-length output message. IKE, AH, and ESP use MD5 for authentication.

Secure Hash Algorithm-1 (SHA-1) is a hash algorithm used to authenticate packet data. Cisco routers use the SHA-1 HMAC variant, which provides an additional level of hashing. IKE, AH, and ESP use SHA-1 for authentication.

Diffie-Hellman (DH) is a public-key cryptography protocol. It allows two parties to establish a shared secret key used by encryption algorithms (DES or MD5, for example) over an insecure communications channel. DH is used within IKE to establish session keys. 768-bit, 1024-bit, and 1536-bit DH groups (numbered 1, 2, and 5 accordingly) are supported in Cisco routers.

Data Encryption Standard (DES) uses a 56-bit key, ensuring high-performance encryption. DES is used to encrypt and decrypt packet data. DES turns clear text into cipher text with an encryption algorithm; the decryption algorithm on the remote end restores clear text from cipher text. Shared secret keys enable the encryption and decryption.
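The HMAC authentication described here, and the transport-mode coverage rule from the previous page (ESP authentication covers the ESP header and payload, never the outer IP header), as an added Python example; this is not course material and not Cisco code. It computes the 96-bit truncated Integrity Check Value that AH and ESP carry (RFC 2403/2404 behaviour), verifies it with a constant-time compare, and adds the receiver's anti-replay window for the sequence counters an IPSec SA keeps. AUTH_KEY, the SPI and the payload bytes are constructed values.

```python
import hmac
import hashlib
import struct

# Constructed demo key; a real SA key is derived during the IKE Phase 2 exchange.
AUTH_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f10111213")
ICV_LEN = 12  # AH/ESP carry a 96-bit truncation of the HMAC output (RFC 2403/2404)

ALGORITHMS = {"hmac-md5": hashlib.md5, "hmac-sha1": hashlib.sha1}


def compute_icv(key: bytes, data: bytes, alg: str = "hmac-sha1") -> bytes:
    """Integrity Check Value: keyed hash over `data`, truncated to 96 bits."""
    return hmac.new(key, data, ALGORITHMS[alg]).digest()[:ICV_LEN]


def build_esp(key: bytes, spi: int, seq: int, enc_payload: bytes, alg: str = "hmac-sha1") -> bytes:
    """ESP packet body: SPI, sequence number, (already encrypted) payload, then the ICV."""
    authenticated = struct.pack("!II", spi, seq) + enc_payload
    return authenticated + compute_icv(key, authenticated, alg)


def verify_esp(key: bytes, outer_ip_header: bytes, esp: bytes, alg: str = "hmac-sha1") -> bool:
    """Receiver-side check. The outer IP header is deliberately not part of the
    computation: ESP authentication covers only the ESP header and payload, which is
    why transport-mode ESP leaves the IP header unprotected (AH would cover it)."""
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    return hmac.compare_digest(compute_icv(key, body, alg), icv)


class ReplayWindow:
    """Sliding anti-replay window: the 'anti-replay sequence counters' of an IPSec SA."""

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (highest - i) already seen

    def accept(self, seq: int) -> bool:
        if seq == 0:
            return False                       # sequence number 0 is never valid
        if seq > self.highest:                 # new high: slide the window forward
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) & ((1 << self.size) - 1)) | 1
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:                # too old: fell off the left of the window
            return False
        if self.bitmap & (1 << offset):        # already received: replay
            return False
        self.bitmap |= 1 << offset
        return True
```

A receiver runs `verify_esp` first and `ReplayWindow.accept` second, so a replayed packet with a valid ICV is still dropped; the window only advances on packets that passed the ICV check.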


52

Triple DES (3DES) is also a supported encryption protocol for use in IPSec on Cisco products. The 3DES algorithm is a variant of 56-bit DES. 3DES operates similarly to DES in that data is broken into 64-bit blocks. 3DES then processes each block three times, each time with an independent 56-bit key. 3DES effectively doubles encryption strength over 56-bit DES.

Advanced Encryption Standard (AES) is the successor to DES. AES (Rijndael) is a successor to 3DES that supports variable key lengths of 128, 192, and 256 bits. Like 3DES, it is a symmetric block cipher. It can be used to replace 3DES or DES in an IPSec transform set. AES characteristics include:

• Private-key symmetric block cipher (similar to DES).

• Stronger and faster than 3DES.

• Life expectancy of at least 20 to 30 years.

• Key sizes of 128, 192, and 256 bits.

• Royalty free, non-proprietary, and unpatented.


53

Transform Set

• Defines an acceptable combination of security protocols and algorithms.

• A transform represents an IPSec protocol plus its associated algorithm.

• Up to three transforms can be specified per transform set:
  - ESP encryption algorithm
  - AH authentication algorithm
  - ESP authentication algorithm

A transform set is a combination of individual IPSec transforms designed to enact a specific security policy for traffic. Transform sets combine the following IPSec factors:

• Mechanism for payload authentication — AH transform

• Mechanism for payload encryption — ESP transform

• IPSec mode — transport versus tunnel

Transform sets equal a combination of an AH transform, an ESP transform, and the IPSec mode (either tunnel or transport mode). Associated with each protocol is an encryption and/or authentication algorithm. A transform set is an acceptable combination of security protocols, algorithms and other settings to apply to IP Security protected traffic. During the IPSec security association negotiation, the peers agree to use a particular transform set when protecting a particular data flow.


54

Transforms within Transform Sets

Transform type                                 Transform       Description
AH Transform (pick up to one)                  ah-md5-hmac     AH with the MD5 (HMAC variant) authentication algorithm
                                               ah-sha-hmac     AH with the SHA (HMAC variant) authentication algorithm
ESP Encryption Transform (pick up to one)      esp-des         ESP with the 56-bit DES encryption algorithm
                                               esp-3des        ESP with the 168-bit DES encryption algorithm (Triple DES)
                                               esp-null        Null encryption algorithm
                                               esp-aes         AES with the 128, 192, or 256-bit encryption algorithm
                                               esp-seal        SEAL with the 160-bit encryption algorithm
ESP Authentication Transform (pick up to one)  esp-md5-hmac    ESP with the MD5 (HMAC variant) authentication algorithm
                                               esp-sha-hmac    ESP with the SHA (HMAC variant) authentication algorithm

A transform set specifies one or two IPSec security protocols (Encapsulating Security Payload, Authentication Header, or both) and specifies which algorithms to use with the selected security protocol. To define a transform set, you specify one to three "transforms"; each transform represents an IPSec security protocol (ESP or AH) plus the algorithm you want to use. When the particular transform set is used during negotiations for IPSec security associations, the entire transform set (the combination of protocols, algorithms, and other settings) must match a transform set at the remote peer.

In a transform set you can specify the AH protocol, the ESP protocol, or both. If you specify the ESP protocol in a transform set, you can specify just an ESP encryption transform or both an ESP encryption transform and an ESP authentication transform. The mode (tunnel or transport) is also configured as part of the transform set, but it is not associated with each individual transform: the selected mode applies to all the transforms within the set. The table above lists the acceptable transform combination selections for the AH and ESP protocols on a Cisco router.
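The matching rule stated above (the whole combination, mode included, must exist at the remote peer; individual transforms are never matched on their own) as an added Python model. This is an illustration written for this page, not Cisco's negotiation code; the set names and the remote peer's offerings are constructed, and the transform names are the ones from the table above (key length suffixes such as "esp-aes 256" are folded into the transform name for simplicity).

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

AH_TRANSFORMS = {"ah-md5-hmac", "ah-sha-hmac"}
ESP_ENC_TRANSFORMS = {"esp-des", "esp-3des", "esp-null", "esp-aes", "esp-seal"}
ESP_AUTH_TRANSFORMS = {"esp-md5-hmac", "esp-sha-hmac"}


@dataclass(frozen=True)
class TransformSet:
    name: str                          # local label only, never compared with the peer
    ah: Optional[str] = None           # AH transform, at most one
    esp_enc: Optional[str] = None      # ESP encryption transform, at most one
    esp_auth: Optional[str] = None     # ESP authentication transform, at most one
    mode: str = "tunnel"               # one mode for the whole set

    def proposal(self) -> Tuple[Optional[str], Optional[str], Optional[str], str]:
        """Everything that must agree with the remote peer's set."""
        return (self.ah, self.esp_enc, self.esp_auth, self.mode)


def validate(ts: TransformSet) -> List[str]:
    """Reasons the set is not an acceptable combination; an empty list means it is."""
    problems = []
    if ts.ah is None and ts.esp_enc is None:
        problems.append("a set needs AH, ESP encryption, or both")
    if ts.ah is not None and ts.ah not in AH_TRANSFORMS:
        problems.append(f"unknown AH transform {ts.ah}")
    if ts.esp_enc is not None and ts.esp_enc not in ESP_ENC_TRANSFORMS:
        problems.append(f"unknown ESP encryption transform {ts.esp_enc}")
    if ts.esp_auth is not None:
        if ts.esp_auth not in ESP_AUTH_TRANSFORMS:
            problems.append(f"unknown ESP authentication transform {ts.esp_auth}")
        if ts.esp_enc is None:
            problems.append("ESP authentication requires an ESP encryption transform")
    if ts.mode not in ("tunnel", "transport"):
        problems.append(f"mode must be tunnel or transport, not {ts.mode}")
    return problems


def negotiate(local: List[TransformSet], remote: List[TransformSet]) -> Optional[Tuple[str, str]]:
    """First local set, in proposal order, whose complete combination also exists at the
    remote peer. Returns (local name, remote name) or None when nothing matches."""
    offered = {r.proposal(): r.name for r in remote if not validate(r)}
    for candidate in local:
        if validate(candidate):
            continue                      # a malformed local set is never proposed
        match = offered.get(candidate.proposal())
        if match is not None:
            return (candidate.name, match)
    return None
```

Two sets that agree on every algorithm but differ in mode do not match, which is the usual reason a Phase 2 negotiation fails between a peer configured with `mode transport` and one left at the tunnel default.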


55

IKE & ISAKMP

• Internet Security Association & Key Management Protocol (ISAKMP)
  - describes protocol-independent authenticated key exchange methods
  - when implemented with the Oakley & SKEME key exchange protocols, the result is IKE
  - RFC 2408

• Internet Key Exchange (IKE)
  - key management protocol utilized within IPSec
  - authenticates IPSec peers, negotiates key exchange & SA, & establishes keys for encryption algorithms
  - RFC 2409

ISAKMP (RFC 2408) describes authenticated key exchange methods. It is a generic protocol and is not tied to IPSec or any other key-using protocol; it can be implemented directly over IP or any transport layer protocol. When partially combined with the Oakley (RFC 2412) and Secure Key Exchange Mechanism (SKEME) key exchange protocols, the result is IKE (RFC 2409). Although not strictly correct, the terms IKE and ISAKMP are often used interchangeably, even in Cisco IOS, where IKE is configured with the isakmp command. IKE is a key management protocol used in IPSec to create an authenticated, secure communication channel between two entities and then negotiate the SAs for IPSec. IKE offers several advantages over manually defined keys (manual keying):

• Eliminates manual configuration of keys

• Allows you to specify a lifetime for the IPSec SA

• Allows encryption keys to change during IPSec sessions

• Supports the use of public key-based authentication and CAs

• Allows dynamic authentication of peers


56

IKE Authentication Methods

• Preshared Keys - key value entered into each peer manually, used to authenticate the peer.

• RSA Signatures - utilizes a digital certificate authenticated by an RSA signature.

• RSA Encryption - utilizes RSA encryption to encrypt a nonce value (random number generated by the peer) and other values.

Preshared Keys: the same preshared key is configured on each IPSec peer. IKE peers authenticate each other by computing and sending a keyed hash of data that includes the preshared key. If the receiving peer is able to create the same hash independently using its preshared key, it knows that both peers must share the same secret, thus authenticating the other peer. Preshared keys are easier to configure than manually configuring IPSec policy values on each IPSec peer. However, preshared keys do not scale well because each IPSec peer must be configured with the preshared key of every other peer with which it will establish a session.

RSA Signatures: utilize a digital signature, where each device digitally signs a set of data and sends it to the other party. RSA signatures use a CA to generate a unique identity digital certificate that is assigned to each peer for authentication. The identity digital certificate is similar in function to the preshared key, but provides much stronger security. RSA is a public-key cryptosystem used by IPSec for authentication in IKE phase 1. RSA was developed in 1977 by Ronald Rivest, Adi Shamir, and Leonard Adleman. The initiator and the responder to an IKE session using RSA signatures send their own ID value (IDi, IDr), their identity digital certificate, and an RSA signature value consisting of a variety of IKE values, all encrypted by the negotiated IKE encryption method (DES or 3DES).


57

RSA Encryption: utilizes the RSA encryption public key cryptography standard. The method requires that each party generate a pseudorandom number (a nonce) and encrypt it with the other party's RSA public key. Authentication occurs when each party decrypts the other party's nonce with its local private key (and other publicly and privately available information) and then uses the decrypted nonce to compute a keyed hash. This system provides for deniable transactions: either side of the exchange can plausibly deny that it took part in the exchange. Cisco IOS software is the only Cisco product that uses RSA encrypted nonces for IKE authentication. RSA encrypted nonces use the RSA public key algorithm.


58

IKE Negotiations – Two Phases

• Phase 1
  - Algorithms & hashes to secure IKE sessions are negotiated (policy sets).
  - DH is used to generate the required IKE key.
  - Peer device identity is verified.
  - Purpose of Phase 1 is to establish a secure communications channel for phase two.

• Phase 2
  - Negotiates IPSec session security parameters (transform sets).
  - Establishes IPSec security associations (SAs).
  - Periodically renegotiates IPSec SAs to ensure security.
  - Purpose of Phase 2 is to negotiate the security parameters for the actual IPSec session.

IKE negotiates in two phases, both of which use UDP port 500.

1. Phase 1 - Peers negotiate and set up a secure, authenticated, bi-directional ISAKMP SA to handle Phase 2 negotiations. One such SA between a pair of peers can handle negotiations for multiple IPSec SAs. The peers agree on the encryption algorithm, hash algorithm, authentication method, and DH group used to exchange keys and information. Peers mutually authenticate, agree on encryption and authentication algorithms to protect subsequent IKE traffic, exchange keys via DH, and lastly establish an IKE SA. IKE SAs are bi-directional; each IKE connection between peers has only one IKE SA associated with it.

2. Phase 2 - Peers negotiate IPSec (ESP and/or AH) as required. IPSec SAs are unidirectional (a different key is used in each direction) and are always negotiated in pairs to handle two-way traffic. There may be more than one pair defined between two peers. They agree on the IPSec protocol, hash algorithm, and encryption algorithm. Multiple SAs will result from Phase 2 negotiations. An SA is created for the inbound and outbound of each protocol used.


59

IKE Phase 1 has two modes: main mode and aggressive mode. Main mode uses three exchanges between peers; each exchange consists of two messages, a request, and a reply for a total of six packets exchanged. IKE Phase 2 negotiates one or more IPSec SAs to be used for the IPSec tunnel between these peers. It uses key material from IKE Phase 1 to derive IPSec keys. The initiating peer identifies what traffic it wants to protect and what encryption/authentication algorithms it supports. The receiving peer then agrees on a single protection set for this traffic and establishes keys needed for this protection set. While having different phases adds some overhead, there are advantages to this approach:

• Trust between peers is established in IKE Phase 1 and IKE Phase 2.

• Key material established in the first phase can be used in the second phase.

• Renegotiations of the first phase can be assisted by the second-phase data.


60

IKE Security Associations (SA)

• Agreement between two systems in establishing an IKE session (IKE Phase 1).

• An IKE SA consists of the following:
  - authentication method used
  - encryption and hash algorithm
  - DH group utilized
  - shared secret key values for the encryption algorithms
  - SA lifetime (kbs or seconds)

• A single IKE SA is established to handle secure communications both ways between the two peers.

There are two types of security associations utilized in configuring IPSec, just as there are two stages in establishing IPSec. IKE SAs describe the security parameters between two IKE devices, the first stage in establishing IPSec. IPSec SAs pertain to the actual IPSec tunnel, the second stage. At the IKE level, a single IKE SA is established to handle secure communications both ways between the two peers. Do not confuse IPSec SAs with IKE SAs. IKE SAs create the tunnel used by IPSec SAs. There is only one IKE SA between two devices, but there can be multiple IPSec SAs for the same IKE SA. At the end of the first phase, each host has an IKE SA, which specifies all parameters for this IKE tunnel: the authentication method, the encryption and hashing algorithm, the DH group used, the lifetime for this IKE SA, and the key values.


61

IPSec Security Associations (SA)

• Agreement between two systems participating in an IPSec session (IKE Phase 2).

• An IPSec SA consists of the following:
  - destination IP address
  - security parameter index (SPI)
  - IPSec transform set
  - key used in algorithm
  - IPSec mode
  - SA lifetime (kbs or seconds)
  - anti-replay sequence counters

• IPSec SAs are stored in the Security Association Database (SAD).

• IPSec SAs are unidirectional: four per IPSec session, two at each peer, one transmit and one receive.

IPSec SAs define how two or more IPSec peers will use security protocols (AH or ESP) to communicate securely on behalf of a particular flow. SAs contain the shared secret keys used to protect data in a particular flow, as well as their lifetimes. SAs are unidirectional connections and are unique per security protocol (AH or ESP). This means that if both AH and ESP services are required, two or more SAs have to be created. In a two-way communication, each party has at least two IPSec SAs: the sender and receiver each have one outgoing SA and one incoming SA. SAs can be created manually or with IKE. If created manually, the SAs are established as soon as they are created and do not expire. With IKE, SAs are established when needed and expire after a certain amount of time, or after a certain volume of traffic. The default lifetimes are 3600 seconds (one hour) and 4,608,000 kilobytes, and are periodically renegotiated. Each SA can be uniquely identified by three parameters:

• SPI: pseudo-arbitrary 32-bit value assigned to an SA at creation.

• IP Destination Address: the destination endpoint of the SA.

• Security Protocol Identifier: AH or ESP, in transport or tunnel mode.

Each peer maintains a Security Association Database (SAD) of active SAs for each direction (inbound and outbound) on each of its interfaces. SAs from these databases decide which encryption and authentication parameters are applied to packets. SAs may be fixed for the time of traffic flow (manual IPSec). When a key management protocol is used, they are renegotiated many times during the connection flow. For each SA, the SAD entry contains the following data:


63

Five Steps of IPSec

1. Determine Interesting Traffic - an ACL determines which traffic is to be encrypted.

2. IKE Phase 1 - sets up a secure communications channel between peers.

3. IKE Phase 2 - establishes SAs between IPSec peers.

4. Data Transfer - data with IPSec protocol(s) applied is transferred between peers.

5. IPSec Tunnel Termination - IPSec SAs terminate through deletion or by timing out.

Step 1—Determine Interesting Traffic Cisco routers use access lists to define the traffic to secure. The access lists are then incorporated in a crypto policy, which causes traffic associated with permit statements to be encrypted, while traffic associated with deny statements is sent unencrypted.

Step 2—IKE Phase One IKE Phase One’s main purpose is to authenticate the IPSec peers and to set up a secure channel between the peers.

Step 3—IKE Phase Two IKE Phase Two occurs after IKE has established the secure tunnel in Phase One. It then performs the following:

• Negotiates a shared IPSec policy • Establishes IPSec SAs • Derives shared secret keys used for the IPSec security algorithms

Step 4—IPSec Data Transfer Information is exchanged via the IPSec session based on the method for defining interesting traffic. Packets are encrypted and decrypted at the IPSec peers using any encryption specified in the IPSec SA.

Step 5—Session Termination The IPSec session can be terminated because the traffic ended and the IPSec SA was deleted, or the SA can time out based on either SA lifetime setting (seconds or kilobytes).


64

Step 1 – Interesting Traffic

access-list 1 permit 148.43.200.36
access-list 1 permit 148.43.200.43

IPSec profile applied to interface

• Access list determines interesting traffic.

• Packets that match the list are encrypted, then sent.

• Packets that do not match are sent in the clear.

• The JNN network does not utilize access lists for this purpose; all traffic is considered interesting & is encrypted.

Determining what type of traffic is deemed interesting is part of formulating a security policy for use of a VPN. The policy is then implemented in the configuration interface for each particular IPSec peer. For example, in Cisco routers and PIX Firewalls, access lists are used to determine the traffic to encrypt. The access lists are assigned to a crypto policy such that permit statements indicate that the selected traffic must be encrypted, and deny statements can be used to indicate that the selected traffic must be sent unencrypted. When interesting traffic is generated or transits the IPSec client, the client initiates the next step in the process, negotiating an IKE phase one exchange. Within the JNN network, when IPSec is utilized, all traffic is deemed "interesting" and therefore encrypted. An access list is not referenced (nor configured) for the purposes of IPSec. All traffic exiting the IPSec tunnel interface is encrypted and all traffic entering the interface is decrypted.


65

Step 2 – IKE Phase 1

[Figure: IKE Phase 1 steps between two peers: negotiate policy set (IKE SA), DH key exchange, peer identity verified]

• Step one - the two peers negotiate the parameters for the IKE SA.

• Step two consists of the two peers developing a key for use in the IPSec authentication and/or encryption algorithms.

• The identity of the peer is authenticated.

The basic purpose of IKE phase one is to:

• Authenticate and protect the identities of the IPSec peers

• Negotiate a matching IKE SA policy between peers to protect the IKE exchange

• Perform an authenticated Diffie-Hellman exchange to establish matching shared secret keys

• Set up a secure tunnel to negotiate IKE phase two parameters

IKE phase one occurs in two modes: Main mode and Aggressive mode. Main mode has three two-way exchanges between the initiator and receiver.

• First exchange—The algorithms and hashes used to secure the IKE communications are agreed upon in matching IKE SAs in each peer.

• Second exchange—This exchange uses a Diffie-Hellman exchange to generate shared secret keying material which generates shared secret keys to pass nonces, which are random numbers sent to the other party, signed, and returned to prove their identity.

• Third exchange—This exchange verifies the other side's identity. The identity value is the IPSec peer's IP address in encrypted form.

The main outcome of main mode is matching IKE SAs between peers to provide a protected pipe for subsequent protected ISAKMP exchanges between the IKE peers. The IKE SA specifies values for the IKE exchange: authentication method, encryption & hash algorithms, the DH group used, the lifetime of the IKE SA and the shared secret key values for the encryption algorithms.

In the aggressive mode, fewer exchanges are done and with fewer packets. In the first exchange, almost everything is squeezed into the proposed IKE SA values, the Diffie-Hellman public key, a nonce that the other party signs, and an identity packet. The receiver sends everything back that is needed to complete the exchange. The only thing left is for the initiator to confirm the exchange. The weakness of using this mode is that both sides have exchanged information before there is a secure channel. However, aggressive mode is faster than main mode.


67

Step 3 – IKE Phase 2

[Figure: the two peers negotiate transform sets; each side holds transform set 10 and transform set 20, each listing ESP, AES, MD5, tunnel mode and a lifetime]

• Phase 2 establishes a secure IPSec session between peers.

• Peers must have matching transform sets to establish the session.

• Only whole transform sets are compared, not individual protocols/algorithms.

• Transform sets are the basis for building the security association (SA).

The purpose of IKE phase two is to negotiate IPSec SAs to set up the IPSec tunnel. IKE phase two performs the following functions:

• Negotiates IPSec SA parameters protected by an existing IKE SA

• Establishes IPSec security associations

• Periodically renegotiates IPSec SAs to ensure security

• Optionally performs an additional Diffie-Hellman exchange

IKE phase 2 has one mode, called quick mode. Quick mode occurs after IKE has established the secure tunnel in phase one. It negotiates a shared IPSec policy, derives shared secret keying material used for the IPSec security algorithms, and establishes IPSec SAs. Quick mode exchanges nonces that provide replay protection. The nonces are used to generate new shared secret key material and prevent replay attacks from generating bogus SAs. Quick mode is also used to renegotiate a new IPSec SA when the IPSec SA lifetime expires. Base quick mode is used to refresh the keying material used to create the shared secret key based on the keying material derived from the Diffie-Hellman exchange in phase one.


68

Step 4 – Data Transfer

IPSec Session

• Once IKE phase 2 is complete, SAs are established between peers.

• Security services designated within the SAs are applied to traffic between the peers.

After IKE phase two is complete and quick mode has established IPSec SAs, information is exchanged between the two peers via the IPSec tunnel. Packets are authenticated and/or encrypted/decrypted using the protocols, algorithms, and modes specified in the IPSec SA.


69

Step 5 – Tunnel Termination

IPSec Session

• Two reasons for IPSec session termination:
  - the SA is deleted
  - the SA lifetime expires

• Once the lifetime expires, SAs are renegotiated utilizing IKE phase 2.

IPSec SAs terminate through deletion or by timing out. Once an SA is terminated, the IPSec session between the two peers is terminated. An SA can time out when a specified number of seconds have elapsed or when a specified number of bytes have passed through the tunnel. When the SAs terminate, the keys are also discarded. When subsequent IPSec SAs are needed for a flow, IKE performs a new phase two and, if necessary, a new phase one negotiation. A successful negotiation results in new SAs and new keys. New SAs can be established before the existing SAs expire so that a given flow can continue uninterrupted.


70

IPSec Flow Chart (decision points recovered from the diagram)

1. Does the traffic match the ACL for encryption?
   - no: send the traffic out the interface (not encrypted).
   - yes: continue.

2. Is there an IPSec SA for this traffic?
   - yes: encrypt and forward.
   - no: continue.

3. Is there an IKE SA?
   - yes: negotiate an IPSec SA, then encrypt and forward.
   - no: authenticate the peer and negotiate an IKE SA.
     - good authentication and IKE SA: negotiate an IPSec SA, then encrypt and forward.
     - bad authentication: traffic is not encrypted.

The router determines that traffic must exit an interface to reach a destination network, and an IPSec configuration has been applied to that interface. An access list is applied to the outbound traffic. If the traffic is denied by the access list, it is forwarded without being encrypted. If the traffic matches a permit statement in the access list, the router checks whether there is an IPSec SA in place to the next-hop router for this traffic. If there is, the traffic is encrypted as per the SA and forwarded. If there is no IPSec SA in place for this traffic, the router checks whether there is an IKE SA in place. If there is, the router negotiates an IPSec SA with the destination peer; once complete, the traffic is encrypted and forwarded. If there is no IKE SA in place, the router attempts to negotiate an IKE SA with the destination peer. If this is accomplished, the two peers then negotiate an IPSec SA, and once complete the traffic is encrypted and forwarded. If an IKE SA cannot be negotiated, the traffic is not encrypted and is discarded.
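The outbound decision sequence just described, together with the Security Association Database keyed by (SPI, destination address, security protocol) from the IPSec Security Associations page, as an added Python model. It is written for this page and is not Cisco IOS code. The ACL lines, the peer addresses and PEER_AUTH_OK (which stands in for the pre-shared key check) are constructed values; a peer whose Phase 1 authentication fails never gets an IKE SA, so its traffic is dropped rather than sent in the clear, and a later packet to a peer with a live IPSec SA triggers no new negotiation.

```python
import secrets
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed: whether Phase 1 authentication with each peer succeeds (stands in for
# the pre-shared key check). Addresses are from the 192.0.2.0/24 documentation range.
PEER_AUTH_OK = {"192.0.2.1": True, "192.0.2.2": False}


@dataclass
class IpsecSA:
    """One unidirectional IPSec SA; the first three fields are its unique identifier."""
    spi: int
    dst: str            # destination endpoint of the SA
    proto: str          # "esp" or "ah"
    transform: str
    mode: str
    bytes_left: int = 4_608_000 * 1024   # default volume lifetime quoted in the guide


class CryptoInterface:
    def __init__(self, acl: List[Tuple[str, str]]):
        self.acl = [(action, ip_network(net)) for action, net in acl]
        self.ike_sas: set = set()                           # peers with a live Phase 1 SA
        self.sad: Dict[Tuple[int, str, str], IpsecSA] = {}  # keyed (SPI, dst, protocol)
        self.negotiations = {"phase1": 0, "phase2": 0}

    def interesting(self, dst_ip: str) -> bool:
        """ACL step: the first matching line decides; no match means not interesting."""
        addr = ip_address(dst_ip)
        for action, net in self.acl:
            if addr in net:
                return action == "permit"
        return False

    def outbound_sa(self, peer: str) -> Optional[IpsecSA]:
        """SAD lookup for a usable outbound ESP SA towards this peer."""
        for (_spi, dst, proto), sa in self.sad.items():
            if dst == peer and proto == "esp" and sa.bytes_left > 0:
                return sa
        return None

    def ike_phase1(self, peer: str) -> bool:
        self.negotiations["phase1"] += 1
        if PEER_AUTH_OK.get(peer, False):
            self.ike_sas.add(peer)          # good authentication: IKE SA established
            return True
        return False                        # bad authentication: no IKE SA

    def ike_phase2(self, peer: str) -> IpsecSA:
        self.negotiations["phase2"] += 1
        spi = secrets.randbelow(2**32 - 256) + 256   # SPIs 0..255 are reserved
        sa = IpsecSA(spi, peer, "esp", "esp-aes 256 esp-md5-hmac", "transport")
        self.sad[(spi, peer, "esp")] = sa
        return sa

    def send(self, dst_ip: str, peer: str, size: int) -> str:
        """Outbound decision; returns 'sent-clear', 'encrypted' or 'dropped'."""
        if not self.interesting(dst_ip):
            return "sent-clear"
        sa = self.outbound_sa(peer)
        if sa is None:
            if peer not in self.ike_sas and not self.ike_phase1(peer):
                return "dropped"
            sa = self.ike_phase2(peer)
        sa.bytes_left -= size               # volume lifetime counts down per packet
        return "encrypted"
```

The JNN case from the Step 1 page corresponds to an ACL of a single `("permit", "0.0.0.0/0")` line: every packet is interesting, so nothing leaves the tunnel interface in the clear.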


71

JNN Router IPSec Configuration

crypto isakmp policy 10                                   ! defines an IKE key exchange policy
 encr aes 256                                             ! defines encryption algorithm & bit length
 authentication pre-share                                 ! defines IKE authentication mode
crypto isakmp key CR6740ik address 0.0.0.0 0.0.0.0        ! defines pre-shared key & peer IP address
crypto isakmp keepalive 60 10                             ! defines IKE peer keepalive interval & retry period
!
crypto ipsec transform-set aes_set esp-aes 256 esp-md5-hmac   ! defines transform set; combination of protocols & associated algorithms
 mode transport                                           ! defines IPSec mode
!
crypto ipsec profile jnn                                  ! allows the grouping of several IPSec commands into a single profile
 set transform-set aes_set                                ! applies the transform set named "aes_set" to this profile
!
interface Tunnel0                                         ! configuration for interface Tunnel0
 tunnel protection ipsec profile jnn                      ! applies IPSec profile "jnn" to Tunnel0

To define an Internet Key Exchange policy, use the crypto isakmp policy command in global configuration mode. IKE policies define a set of parameters to be used during the IKE negotiation. The priority uniquely identifies the IKE policy and assigns a priority to the policy. Use an integer from 1 to 10,000, with 1 being the highest priority and 10,000 the lowest. You can configure multiple IKE policies on each peer participating in IPSec. When the IKE negotiation begins, it tries to find a common policy configured on both peers, starting with the highest priority policies as specified on the remote peer.

To specify the encryption algorithm within an IKE policy, use the encryption command in Internet Security Association Key Management Protocol (ISAKMP) policy configuration mode. The default is the 56-bit DES encryption algorithm.

To specify the authentication method within an IKE policy, use the authentication command in ISAKMP policy configuration mode. There are three options: pre-share, RSA signature, and RSA encrypted.

To configure a preshared authentication key, use the crypto isakmp key command in global configuration mode. You must use this command to configure a key whenever you specify preshared keys in an IKE policy; you must enable this command at both peers. If an IKE policy includes preshared keys as the authentication method, these preshared keys must be configured at both peers; otherwise the policy cannot be used (the policy will not be submitted for matching by the IKE process). The address portion of this command identifies the IP address of the remote IPSec peer.

To allow the gateway to send dead peer detection (DPD) messages to the peer, use the crypto isakmp keepalive command in global configuration mode. DPD is a keepalive scheme that allows the router to query the liveness of its IKE peer. The seconds value indicates the number of seconds between DPD messages; the range is from 10 to 3600 seconds. If you do not specify a time interval, you will receive an error message. The retries value is optional and indicates the number of seconds between DPD retries if a DPD message fails; the range is from 2 to 60 seconds. If unspecified, the default is 2 seconds.

To define a transform set (an acceptable combination of security protocols and algorithms), use the crypto ipsec transform-set command in global configuration mode. The transform-set-name portion of the command specifies the name of the transform set. You may specify up to four "transforms": one Authentication Header (AH), one Encapsulating Security Payload (ESP) encryption, one ESP authentication, and one compression. These transforms define the IP Security (IPSec) security protocols and algorithms. You can configure multiple transform sets, and then specify one or more of these transform sets in a crypto map entry. The transform set defined in the crypto map entry is used in the IPSec SA negotiation to protect the data flows specified by that crypto map entry's access list. During the negotiation, the peers search for a transform set that is the same at both peers.
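The Phase 1 policy search described above (walk the remote peer's policies from highest to lowest priority and take the first one a local policy matches; a pre-share policy with no configured key is not submitted for matching) as an added Python model. This is an illustration written for this page, not Cisco IOS code. The page gives only the DES encryption default; the other defaults in the dataclass (hash sha, rsa-sig, group 1, 86400 seconds) are assumed classic IOS defaults, and the lifetime rule (the two lifetimes need not be identical, the shorter one is used) is an assumption from Cisco documentation, not from this page. Policy 10 mirrors the JNN configuration; the remote peer's policies are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int                       # 1 is the highest priority, 10,000 the lowest
    encryption: str = "des"             # the guide: the default is 56-bit DES
    hash: str = "sha"                   # assumed classic IOS defaults for the remaining
    authentication: str = "rsa-sig"     # parameters; not stated on this page
    group: int = 1                      # DH group 1, 2 or 5
    lifetime: int = 86400               # seconds

    def __post_init__(self):
        if not 1 <= self.priority <= 10_000:
            raise ValueError("priority must be between 1 and 10,000")

    def parameters(self) -> Tuple[str, str, str, int]:
        """The values that must be identical at both peers."""
        return (self.encryption, self.hash, self.authentication, self.group)


def submitted(policy: IsakmpPolicy, preshared_key_configured: bool) -> bool:
    """A pre-share policy is only submitted for matching when a crypto isakmp key exists."""
    return policy.authentication != "pre-share" or preshared_key_configured


def find_common_policy(local: List[IsakmpPolicy], remote: List[IsakmpPolicy],
                       preshared_key_configured: bool = True) -> Optional[Tuple[int, int, int]]:
    """Return (local priority, remote priority, agreed lifetime) for the first match,
    walking the remote peer's policies from highest priority (lowest number) down.
    Assumption (Cisco-documented, not on this page): lifetimes need not be identical;
    the shorter of the two is used."""
    candidates = [p for p in local if submitted(p, preshared_key_configured)]
    for r in sorted(remote, key=lambda p: p.priority):
        for l in sorted(candidates, key=lambda p: p.priority):
            if l.parameters() == r.parameters():
                return (l.priority, r.priority, min(l.lifetime, r.lifetime))
    return None
```

Note that a peer left entirely at defaults (DES, rsa-sig) never matches the JNN policy, which is the expected failure when one side has been hardened to AES-256 with pre-shared keys and the other has not.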
When such a transform set is found, it is selected and will be applied to the protected traffic as part of both peer's IPSec SAs. When Internet Key Exchange (IKE) is not used to establish SAs, a single transform set must be used. The transform set is not negotiated. To change the mode for a transform set, use the mode command in crypto transform configuration mode. This setting is only used when the traffic to be protected has the same IP addresses as the IPSec peers (this traffic can be encapsulated either in tunnel or transport mode). This setting is ignored for all other traffic (all other traffic is encapsulated in tunnel mode). If the traffic to be protected has the same IP address as the IP Security peers and transport mode is specified, during negotiation the router will request transport mode but will accept either transport or tunnel mode. If tunnel mode is specified, the router will request tunnel mode and will accept only tunnel mode. After you define a transform set, you are put into the crypto transform configuration mode. While in this mode you can change the mode to either tunnel or transport. This change applies only to the transform set just defined. If you do not change the mode when you first define the transform set, but later decide you want to change the mode for the transform set, you must re-enter the transform set (specifying the transform name and all its transforms) and then change the mode. If you use this command to change the mode, the change will only affect the negotiation of subsequent IPSec security associations via crypto map entries that specify this


73

transform set. (If you want the new settings to take effect sooner, you can clear all or part of the security association database; see the clear crypto sa command for more details.)

To define the IP Security (IPSec) parameters that are to be used for IPSec encryption between two IPSec routers, use the crypto ipsec profile command in global configuration mode. An IPSec profile abstracts the IPSec policy settings into a single profile that can be used in other parts of the Cisco IOS configuration. The IPSec profile shares most of the same commands with the crypto map configuration, but only a subset of the commands are valid in an IPSec profile. Only commands that pertain to an IPSec policy can be issued under an IPSec profile; you cannot specify the IPSec peer address or the access control list (ACL) to match the packets that are to be encrypted. To specify which transform sets can be used within an IPSec profile, use the set transform-set command in IPSec profile configuration mode.

To associate a tunnel interface with an IP Security (IPSec) profile, use the tunnel protection command in interface configuration mode. The tunnel protection command can be used with multipoint GRE (mGRE) and point-to-point GRE (p-pGRE) tunnels. With p-pGRE tunnels, the tunnel destination address will be used as the IPSec peer address. With mGRE tunnels, multiple IPSec peers are possible; the corresponding Next Hop Resolution Protocol (NHRP) mapping nonbroadcast multi-access (NBMA) destination addresses will be used as the IPSec peer addresses. If you wish to configure two Dynamic Multipoint VPN (DMVPN) mGRE and IPSec tunnels on the same router, you must issue the shared keyword.
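The commands described above form a chain: a preshared key and DPD keepalive at the ISAKMP level, a transform set, an IPSec profile that selects the transform set, and tunnel protection that binds the profile to the tunnel interface. As an added example (not the course's lab configuration and not Cisco code), the Python script below parses a constructed IOS configuration fragment and checks that chain the way a reviewer would before a lab is signed off: every referenced transform set and profile exists, DPD is configured, a peer key is present, and, when more than one tunnel carries tunnel protection, each one has the shared keyword. The configuration text and the names aes_set, dmvpn_prof, legacy_prof, old_set and missing_prof are constructed placeholders; the peer address is the one shown in the lab output.

```python
"""Consistency check for IOS IPSec/DMVPN configuration objects.

SAMPLE_CONFIG is constructed for this example (not the guide's lab config); names
such as aes_set, dmvpn_prof and legacy_prof are placeholders.
"""

SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key PSK_PLACEHOLDER address 148.43.200.9
crypto isakmp keepalive 10 3
!
crypto ipsec transform-set aes_set esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile dmvpn_prof
 set transform-set aes_set
!
crypto ipsec profile legacy_prof
 set transform-set old_set
!
interface Tunnel0
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile dmvpn_prof shared
!
interface Tunnel1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile missing_prof
"""


def parse_config(text: str) -> dict:
    """Extract the crypto objects and tunnel interfaces from IOS running-config text."""
    cfg = {"transform_sets": {}, "profiles": {}, "isakmp_peers": [], "keepalive": None, "tunnels": {}}
    section = None  # (kind, name) of the indented block currently open, if any
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            section = None
            continue
        parts = line.split()
        if not line.startswith(" "):  # top-level command: IOS indents sub-commands by one space
            section = None
            if parts[:3] == ["crypto", "ipsec", "transform-set"]:
                # mode defaults to tunnel unless a 'mode' sub-command changes it
                cfg["transform_sets"][parts[3]] = {"transforms": parts[4:], "mode": "tunnel"}
                section = ("tset", parts[3])
            elif parts[:3] == ["crypto", "ipsec", "profile"]:
                cfg["profiles"][parts[3]] = []
                section = ("profile", parts[3])
            elif parts[:3] == ["crypto", "isakmp", "key"] and "address" in parts:
                cfg["isakmp_peers"].append(parts[parts.index("address") + 1])
            elif parts[:3] == ["crypto", "isakmp", "keepalive"]:
                cfg["keepalive"] = tuple(int(p) for p in parts[3:5] if p.isdigit())
            elif parts[0] == "interface" and parts[1].startswith("Tunnel"):
                cfg["tunnels"][parts[1]] = {"source": None, "mode": None, "profile": None, "shared": False}
                section = ("interface", parts[1])
            continue
        if section is None:
            continue
        kind, name = section
        if kind == "tset" and parts[0] == "mode":
            cfg["transform_sets"][name]["mode"] = parts[1]
        elif kind == "profile" and parts[:2] == ["set", "transform-set"]:
            cfg["profiles"][name].extend(parts[2:])
        elif kind == "interface":
            tun = cfg["tunnels"][name]
            if parts[:2] == ["tunnel", "source"]:
                tun["source"] = parts[2]
            elif parts[:2] == ["tunnel", "mode"]:
                tun["mode"] = " ".join(parts[2:])
            elif parts[:4] == ["tunnel", "protection", "ipsec", "profile"]:
                tun["profile"] = parts[4]
                tun["shared"] = "shared" in parts[5:]
    return cfg


def check_config(cfg: dict) -> list:
    """Report dangling references and the caveats the guide calls out (DPD, 'shared')."""
    findings = []
    if cfg["keepalive"] is None:
        findings.append("global: no 'crypto isakmp keepalive' (DPD), dead peers go undetected")
    if not cfg["isakmp_peers"]:
        findings.append("global: no 'crypto isakmp key ... address' for any peer")
    for prof, tsets in cfg["profiles"].items():
        if not tsets:
            findings.append(f"profile {prof}: no 'set transform-set'")
        for ts in tsets:
            if ts not in cfg["transform_sets"]:
                findings.append(f"profile {prof}: references undefined transform set '{ts}'")
    protected = {n: t for n, t in cfg["tunnels"].items() if t["profile"]}
    for name, tun in protected.items():
        if tun["profile"] not in cfg["profiles"]:
            findings.append(f"{name}: tunnel protection references undefined IPSec profile '{tun['profile']}'")
        if len(protected) > 1 and not tun["shared"]:
            findings.append(f"{name}: several tunnels use tunnel protection but 'shared' is missing")
    return findings


if __name__ == "__main__":
    for finding in check_config(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

Against the sample the checker reports three findings, all deliberate: legacy_prof points at a transform set that does not exist, and Tunnel1 both references an undefined profile and lacks the shared keyword while Tunnel0 also carries tunnel protection. Tunnel0, whose chain is complete, produces nothing.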


74

IPSec Lab

• Configure the DMVPN network on page 23 of the student guide.

• Once completed, apply IPSec utilizing the IPSec commands on the previous page.

• Once the network is installed, test connectivity using ping and trace.

• Perform the show commands on the following pages.


75

IPSec Show Commands

router7#sho crypto isakmp ?
  key       Show ISAKMP preshared keys
  peers     Show ISAKMP peer structures
  policy    Show ISAKMP protection suite policy
  profile   Show ISAKMP profiles
  sa        Show ISAKMP Security Associations

*Cisco uses the term ISAKMP for IKE

router7#sho crypto ipsec ?
  client                Show Client Status
  policy                Show IPSEC client policies
  profile               Show ipsec profile information
  sa                    IPSEC SA table
  security-association  Show parameters for IPSec security associations
  transform-set         Crypto transform sets

Shown above are the options available within the show crypto isakmp command and the show crypto ipsec command.


76

router7#sho crypto isakmp sa
dst             src             state          conn-id slot status
148.43.200.9    148.43.200.10   QM_IDLE              3    0 ACTIVE

router7#sho crypto isakmp policy

Global IKE policy
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

Show crypto isakmp sa & policy

To display all current Internet Key Exchange (IKE) security associations (SAs) at a peer, use the show crypto isakmp sa command in EXEC mode. When an Internet Security Association and Key Management Protocol (ISAKMP) SA exists, it will most likely be in its quiescent state (QM_IDLE): the ISAKMP SA is idle, but it remains authenticated with its peer and may be used for subsequent quick mode exchanges. For long exchanges, some of the MM_xxx states may be observed. To display the parameters for each IKE policy, use the show crypto isakmp policy command in EXEC mode. Shown are the variables used within an IKE SA: encryption algorithm, hash algorithm, authentication method, DH group, and the life of the SA in seconds. Although the output shows "no volume limit" for the lifetimes, you can currently configure only a time lifetime (such as 86,400 seconds); volume limit lifetimes are not used. There is always a default protection suite included, as shown above. This allows two Cisco routers to form an IKE SA if no other matching policy can be found.


77

Show crypto ipsec transform & sa

router7#sho crypto ipsec trans
Transform set aes_set: { esp-256-aes esp-md5-hmac }
   will negotiate = { Transport, },

router7#sho crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 148.43.200.10

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (148.43.200.10/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (148.43.200.9/255.255.255.255/47/0)
   current_peer 148.43.200.9 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 801, #pkts encrypt: 801, #pkts digest: 801
    #pkts decaps: 629, #pkts decrypt: 629, #pkts verify: 629
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 148.43.200.10, remote crypto endpt.: 148.43.200.9
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x609EBE60(1621016160)

(continued on next slide)

To display the configured transform sets, use the show crypto ipsec transform-set command in EXEC mode. This command lists every IPSec transform set configured on the router and the individual values within each set. To display the settings used by current security associations (SAs), use the show crypto ipsec sa command in EXEC mode; without keywords it displays all SAs on the platform. Keywords can be added to this command to show specific SAs selected by a particular variable.


78

     inbound esp sas:
      spi: 0x29F9040(44011584)
        transform: esp-256-aes esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 3001, flow_id: SW:1, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4386114/767)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x609EBE60(1621016160)
        transform: esp-256-aes esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 3002, flow_id: SW:2, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4386100/758)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Show crypto ipsec sa (cont)
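The show crypto isakmp policy and show crypto ipsec sa outputs on the preceding slides are what an operator reads by eye to confirm the lab came up. The added Python example below (not from the course or from Cisco) turns the same text into structured records and audits them: for each IKE protection suite it flags single DES and Diffie-Hellman groups below 14, and for each IPSec SA it checks the status, the integrity transform and replay detection. The two sample outputs are constructed to mirror the router7 output shown in the guide, with the same values; the group 14 floor is the example's own assumption, based on Cisco's next-generation encryption guidance that treats groups 1, 2 and 5 as legacy.

```python
"""Parse and audit IOS 'show crypto isakmp policy' / 'show crypto ipsec sa' output (samples constructed)."""
import re

# Constructed to mirror the guide's router7 output (same values, abbreviated).
ISAKMP_POLICY_OUTPUT = """\
Global IKE policy
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
"""

IPSEC_SA_OUTPUT = """\
interface: Tunnel0
    #pkts encaps: 801, #pkts encrypt: 801, #pkts digest: 801
    #pkts decaps: 629, #pkts decrypt: 629, #pkts verify: 629
     inbound esp sas:
      spi: 0x29F9040(44011584)
        transform: esp-256-aes esp-md5-hmac ,
        sa timing: remaining key lifetime (k/sec): (4386114/767)
        replay detection support: Y
        Status: ACTIVE
     outbound esp sas:
      spi: 0x609EBE60(1621016160)
        transform: esp-256-aes esp-md5-hmac ,
        sa timing: remaining key lifetime (k/sec): (4386100/758)
        replay detection support: Y
        Status: ACTIVE
"""

KV_RE = re.compile(r"^\s*(encryption algorithm|hash algorithm|authentication method|Diffie-Hellman group|lifetime):\s*(.+?)\s*$")


def parse_isakmp_policy(text: str) -> list:
    """One dict per protection suite: name, encryption, hash, authentication, dh_group."""
    suites = []
    for line in text.splitlines():
        m = re.match(r"^Protection suite of priority (\d+)", line)
        if m:
            suites.append({"name": f"priority {m.group(1)}"})
        elif line.startswith("Default protection suite"):
            suites.append({"name": "default"})
        elif suites and (m := KV_RE.match(line)):
            key, val = m.groups()
            if key == "Diffie-Hellman group":
                suites[-1]["dh_group"] = int(re.search(r"#(\d+)", val).group(1))
            else:
                suites[-1][key.split()[0].lower()] = val  # encryption / hash / authentication / lifetime
    return suites


def parse_ipsec_sa(text: str) -> list:
    """One dict per SA, carrying the interface and packet counters it sits under."""
    sas, ctx, direction, proto = [], {}, None, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("interface:"):
            ctx = {"interface": s.split(":", 1)[1].strip()}
        elif s.startswith("#pkts encaps:") or s.startswith("#pkts decaps:"):
            key, num = re.match(r"#pkts (\w+): (\d+)", s).groups()
            ctx[key] = int(num)
        elif re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", s):
            direction, proto = s.split()[:2]
        elif s.startswith("spi:"):  # a new SA starts here; IOS prints "spi: 0xHEX(decimal)"
            sas.append({**ctx, "direction": direction, "proto": proto, "spi": int(s.split()[1].split("(")[0], 16)})
        elif sas and s.startswith("transform:"):
            sas[-1]["transforms"] = s[len("transform:"):].replace(",", "").split()
        elif sas and s.startswith("sa timing:"):
            sas[-1]["remaining_sec"] = int(re.search(r"/(\d+)\)", s).group(1))
        elif sas and s.startswith("replay detection support:"):
            sas[-1]["replay"] = s.endswith("Y")
        elif sas and s.startswith("Status:"):
            sas[-1]["status"] = s.split()[1]
    return sas


def audit(suites: list, sas: list) -> list:
    """Flag IKE settings below Cisco NGE guidance (assumed floor: DH group 14) and unhealthy SAs."""
    findings = []
    for st in suites:
        if st.get("encryption", "").startswith("DES"):
            findings.append(f"IKE {st['name']}: single DES encryption")
        if st.get("dh_group", 14) < 14:
            findings.append(f"IKE {st['name']}: DH group {st['dh_group']} is below group 14")
    for sa in sas:
        tag = f"{sa['interface']} {sa['direction']} {sa['proto']} spi 0x{sa['spi']:X}"
        if sa.get("status") != "ACTIVE":
            findings.append(f"{tag}: status {sa.get('status')}")
        if any("md5" in t for t in sa.get("transforms", [])):
            findings.append(f"{tag}: MD5 HMAC integrity")
        if not sa.get("replay", True):
            findings.append(f"{tag}: replay detection off")
    return findings
```

Run against the guide's own output, audit returns five findings: DH group 1 in both IKE protection suites, DES in the default suite, and MD5 HMAC on both ESP SAs. Both SAs are ACTIVE with replay detection on, so nothing operational is reported; the findings are about the algorithm choices the lab configuration made, which a reviewer would want to see before the same template is used outside a classroom.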


79

DMVPN Review Questions


80


81

1. A virtual private network is _____________________.
   a. a network that uses encryption
   b. an extension of a private intranet across a public network
   c. a network that is utilizing an OSPF virtual network
   d. a loopback interface

2. What is the main technology used to establish a VPN?
   a. NHRP
   b. tunneling
   c. IPSec
   d. BGP

3. Tunneling _____________?
   a. adds additional header(s) to the original IP packet
   b. can occur at layer 2 or 3
   c. can support multi-protocol environments
   d. all the above

4. GRE was developed by Cisco?
   a. true
   b. false

5. GRE sets up a point-to-point tunnel?
   a. true
   b. false

6. The source and destination address must be configured when using GRE?
   a. true
   b. false

7. In a GRE configuration, the tunnel source is specified with a _______________.
   a. IP address
   b. router ID
   c. interface
   d. grid square

8. In a fully meshed tunnel network consisting of 4 routers utilizing GRE, how many subnets would be required to support the tunnels?
   a. 4
   b. 5
   c. 6
   d. 8

9. What two protocols are utilized to establish DMVPNs?
   a. GRE and NHRP
   b. NHRP and mGRE
   c. IPSec and GRE
   d. mGRE and CDP


82

10. Which of the following is true concerning DMVPNs?
   a. based on a hub/spoke design
   b. minimizes router configs
   c. allows tunnels to be established dynamically
   d. all the above

11. What is the major difference in the configuration of GRE and mGRE?
   a. mGRE is much more detailed
   b. mGRE does not specify the destination address
   c. GRE does not specify the source address
   d. there is no IP address assigned in mGRE

12. GRE and mGRE support multicast traffic?
   a. true
   b. false

13. What is the purpose of NHRP in a DMVPN network?
   a. it provides resolution for the next hop
   b. it provides the destination address for mGRE
   c. it eliminates the requirement for a routing protocol
   d. ATM cannot function without it

14. NHRP ____________________.
   a. assists EIGRP in determining the next hop
   b. provides resolution of MAC to IP
   c. maps a tunnel IP to a physical interface IP
   d. is embedded into the mGRE protocol

15. NHRP is made up of _______________.
   a. routers and switches
   b. workstations and servers
   c. clients and servers
   d. PVCs and SVCs

16. An NHRP registration is sent from a _________________.
   a. server to a client
   b. client to a server
   c. tunnel to a physical interface
   d. router to a switch

17. An NHRP resolution request is sent from a _________________.
   a. server to a client
   b. client to a server
   c. tunnel to a physical interface
   d. router to a switch


83

18. An NHRP resolution reply is sent from a _________________.
   a. server to a client
   b. client to a server
   c. tunnel to a physical interface
   d. router to a switch

19. Running the same routing protocol on the tunnel and physical interfaces is a good practice.
   a. true
   b. false

20. When utilizing EIGRP in a DMVPN network, what two things must be disabled?
   a. next hop resolution and split horizons
   b. composite metric and K values
   c. router aggregation and stub areas
   d. next hop self and split horizons

21. When utilizing OSPF in a DMVPN network, the hub should always be the _________________.
   a. broadcast
   b. highest router ID
   c. designated router
   d. ABR

22. What mGRE tunnel configuration command allows the hub to send OSPF hello packets to all the spokes?
   a. tunnel mode gre multipoint
   b. ip nhrp authentication
   c. ip nhrp map multicast dynamic
   d. ip ospf network broadcast

23. What command enables NHRP on an interface?
   a. ip nhrp nhs
   b. ip nhrp authentication
   c. ip nhrp network-id
   d. ip nhrp

24. What command places a static entry into the NHRP database?
   a. ip nhrp static
   b. ip nhrp map
   c. ip nhrp nhs
   d. ip nhrp authentication

25. The show ip nhrp command displays __________________.
   a. static entries in the nhrp database
   b. dynamic entries in the nhrp database
   c. nhrp configuration on the router
   d. all entries in the nhrp database


84

26. What are the three major components of IPSec?
   a. ESP, AH, IKE
   b. tunnel, transport, IKE
   c. RFCs, ISAKMP, IKE
   d. mode, protocol, IKE

27. IPSec operates at what layer of the OSI model?
   a. 1
   b. 2
   c. 3
   d. 4

28. Authentication Header (AH) protocol encrypts the packet payload?
   a. true
   b. false

29. Encapsulating Security Payload (ESP) can provide the same services as AH?
   a. true
   b. false

30. IPSec transport mode adds a new IP header to the packet.
   a. true
   b. false

31. The Diffie-Hellman (DH) algorithm is used for _________________.
   a. authentication
   b. payload encryption
   c. key exchange
   d. making Kool-Aid

32. An IPSec transform set consists of ___________________________.
   a. an IPSec SA
   b. an IPSec protocol and associated algorithm
   c. an IPSec SPI and its associated protocol
   d. an IKE SA

33. Which of the following is the key management protocol used in IPSec?
   a. ISAKMP
   b. DH
   c. AES
   d. IKE

34. Which of the following is an IKE authentication method?
   a. Pre-shared keys
   b. AH
   c. DH
   d. transform sets


85

35. IKE negotiates in how many phases?
   a. 37
   b. 2
   c. 3
   d. 1

36. What is the purpose of IKE phase two?
   a. negotiate keys
   b. negotiate security associations
   c. establish a secure tunnel
   d. AES

37. In establishing an IPSec session, how many steps are there?
   a. 5
   b. 3
   c. 7
   d. 2

38. In which IPSec step is DH used?
   a. 1
   b. 2
   c. 3
   d. 4

39. If traffic to be sent has been deemed interesting by an IPSec configuration and there is an SA in place, what is the next step?
   a. negotiate keys
   b. encrypt the traffic
   c. decrypt the traffic
   d. establish an IKE SA

40. In the JNN router IPSec configuration, the command "crypto isakmp key" does what?
   a. configures a key for this IPSec session
   b. defines a pre-shared key and peer address
   c. defines the algorithm used for IKE
   d. isakmp is not used with IPSec

41. What is an IPSec profile?
   a. designates services for IPSec session
   b. allows the grouping of several IPSec commands into a single profile
   c. sets the priority of the IPSec session
   d. sets the type of IKE utilized in the IPSec session

42. When configuring a Cisco router the term ISAKMP actually refers to what?
   a. ISAKMP
   b. AES
   c. IPSec
   d. IKE


CECOM LCMC IT Training - Engineering

Field Support

IT-FSB

CECOM LCMC Logistics Readiness Center

Force Modernization Division

Information Technology Field Services Branch

IT-FSB

Fort Gordon Office Com: 706-791-6150 DSN: 780-6150