Last updated: 11-Feb-2003

Command  ! Feature

default route: usually route into the network cloud
static route: usually route toward the hub
static routes are classless

Stop advertising network
To suppress networks from being advertised in updates
router rip
 network 172.16.0.0
 distribute-list 1 out serial 1  ! Only 1 in list and only 1 out list per routing protocol or per routing/interface
access-list 1 deny 172.16.8.0 0.0.0.255  ! Stop the network 172.16.8.0 from being advertised by RIP, out of s1 only
access-list 1 permit any

Control which network is redistributed & advertised
router rip
 network 172.16.0.0
 redistribute ospf 10 metric 4
 distribute-list 1 out ospf 10  ! Do not allow advertising of routes coming from OSPF 10. out: out from OSPF 10
access-list 1 deny 192.168.8.0 0.0.0.255  ! Stop the network 192.168.8.0 from being redistributed from OSPF to RIP
access-list 1 permit any

To filter networks received in updates
Only works properly with distance-vector protocols
router rip
 network 172.16.0.0
 distribute-list 1 in serial1  ! Deny 192.168.8.0 if it arrives from Serial1. Won't be processed by RIP
access-list 1 deny 192.168.8.0 0.0.0.255  ! Stop the network 192.168.8.0 from being redistributed from OSPF to RIP
access-list 1 permit any

Split horizon
Split-horizon is a layer 2 behavior, knows nothing of layer 3
no ip split-horizon
 ! Disable split-horizon on multipoint interface when hub & spoke and classful [RIP...], if spokes need to talk to each other/receive routing updates from each other
 ! Only affects RIP. For EIGRP, need: NO IP SPLIT-HORIZON EIGRP X
 ! Must be disabled on interfaces with secondary addresses or secondary address will not be advertised
EIGRP does not use split-horizon when advertising routes learned through redistribution. This is not affected by ip split-horizon eigrp
Split-horizon is DISABLED by default for RIP/IGRP on physical interfaces and point-to-multipoint subinterfaces.
Split-horizon is always ENABLED on point-to-point subinterfaces.
Split-horizon is NEVER DISABLED by default for EIGRP on any type of Frame Relay interface. Must be explicitly disabled with "no ip split-horizon eigrp ".
INTERFACES & MULTIPOINTS & CLASSFUL PROTOCOL: NO IP SPLIT-HORIZON EIGRP at the interface:
 no ip split-horizon eigrp 2001

As soon as the subinterface is configured, split horizon is automatically disabled. This is the default behavior. Only for distance vector protocols [RIP/EIGRP/IGRP]
interface Serial0/1  ! This is the hub
 ip address 192.1.1.2 255.255.255.0
 encapsulation frame-relay
 no ip split-horizon eigrp 10  ! So that both spokes can see each other, only affects eigrp 10, nothing else
 frame-relay map ip 192.1.1.1 100 broadcast  ! so that the routing goes through
 frame-relay map ip 192.1.1.3 200 broadcast

Notes
Router should not install a summarized major network route from a major network from which it has a subnet

Routing loops
Most routing loops occur on distance vector protocols, in regard to redistribution and/or Admin Dist issues.
RIP/IGRP - show ip route: a "possibly down" message would indicate a routing loop
For inside to outside, routing should always take place before NAT.
BGP - show ip bgp: if the BGP table # increments, that would indicate a loop
show ip traffic: incrementing "bad hop counts" would indicate loops.
Finally, once you isolate the loop, use the trace command to follow the routing path and through elimination find the source of the loop.
Increasing routing metric ==> indicates routing loop

Classful protocols: make all other interfaces as passive, including BRIs
Debug and monitor
logging buffered 16384  ! show logg will show the results of the debugs
show ip protocol  ! will show the details of each protocol
debug ip routing  ! show the routing table activities
debug ip icmp
ping 172.16.4.255  ! Will ping all hosts on subnet
no ip route-cache
debug ip packet  ! will show all the packets
debug ip packet detail 101
access-list 101 permit icmp any any
debug ip rip
debug ip ospf adj
debug ip eigrp

Distances and route controls
Modify distance when trying to manipulate the choice of one protocol over another.
If multiple routes within a protocol, use metric to modify the path.
router eigrp 109
 network 192.31.7.0
 network 128.88.0.0
 passive-interface serial 1/1  ! Always put the non-routing interfaces as passive
 passive-interface serial 1/1.1  ! Also place the sub-interfaces as passive + the full interface
 passive-interface BRI0
 distance 255  ! Sets the default administrative distance to 255, which instructs the Cisco IOS software to ignore all routing updates from routers for which an explicit distance has not been set.
 distance 90 192.31.7.0 0.0.0.255  ! Sets administrative distance for all routers on the network 192.31.7.0 to 90
 distance 120 128.88.1.3 0.0.0.0  ! Sets administrative distance for the router with the address 128.88.1.3 to 120.
 distance 75 0.0.0.0 255.255.255.255  ! Set the distance of all routes under eigrp 109 to 75
 metric weights 0 K1 k2 k3 k4 k5  ! 0 is type of service, then the K values. All within AS must have same Ks
interface s0
 ip address 172.10.10.10 255.255.255.0
 bandwidth 64  ! Changing the bandwidth will also affect OSPF
 delay 20000  ! Value from show interface s0, preferred way of changing metrics for load sharing. Does not affect the real delay on the interface. To prefer a path v. another, add delay on the other path

Default networks
Make sure: ip classless
ip default-network 179.10.0.0  ! RIP/IGRP/EIGRP: must be known to IGRP/EIGRP to be propagated. Must be classful
default-information originate  ! If the ASBR already has the default route in its routing table [OSPF/RIP]
default-information originate always  ! If the ASBR doesn't have a default route [OSPF only]
ip route 0.0.0.0 0.0.0.0 x.x.x.x  ! RIP & static default route
ip default-gateway  ! ONLY when ip routing is DISABLED
see default section in each routing protocol

Misc
When "ip eigrp summary" is configured the summarized routes will not be advertised in EIGRP updates out that interface

Policy
Route-map to replace static route
interface s1
 ip address 172.16.10.10 255.255.255.0
 ip policy route-map rm-static  ! equivalent to: ip route 172.16.117.0/24 e0
access-list 1 permit 172.16.117.0 0.0.0.255
route-map rm-static permit 10
 match ip address 1
 set interface e0

Debug/info
show ip policy
show route-map

Changing metric on specific routes
Use offset-list when redundant equal cost path and want to prefer one
router protocol  ! Offset-lists are typically not used in RIP
 offset-list 1 in x serial 0  ! add x to the routes from access-list 1, when they come in s0.
access-list 1 permit 172.17.10.0 0.0.0.255

Prevent routes from showing in routing table
"The others cannot see it"
router eigrp 2001
 network 172.16.0.0
 distribute-list acl-no-16-3 out Serial0.1  ! prevents 172.16.3.0 from being advertised out on S0.1 & S0.2
 distribute-list acl-no-16-3 out Serial0.2
ip access-list standard acl-no-16-3
 deny 172.16.3.0 0.0.0.255  ! 0.0.0.255 especially important if not /24 but /27 or /28
 permit any

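The distribute-list filters above (the RIP ones at the top of the page and acl-no-16-3 here) all depend on how a standard ACL is evaluated: first match wins, the wildcard decides which subnets are caught, and an ACL with no permit line drops everything. The following is an added example, not part of the original notes, that evaluates those ACLs against a constructed routing update; the route list and the two "broken" ACL variants are made up for illustration.

```python
import ipaddress


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def parse_standard_acl(config):
    """Return ordered (action, address, wildcard) tuples from standard ACL lines.

    Accepts numbered ('access-list 1 deny ...') and named-ACL ('deny ...') entries.
    """
    entries = []
    for raw in config.splitlines():
        tokens = raw.split("!")[0].split()          # drop a trailing "! comment"
        if tokens[:1] == ["access-list"]:
            tokens = tokens[2:]                     # strip "access-list <number>"
        if len(tokens) < 2 or tokens[0] not in ("permit", "deny"):
            continue                                # e.g. "ip access-list standard NAME"
        action, args = tokens[0], tokens[1:]
        if args[0] == "any":
            addr, wild = 0, 0xFFFFFFFF
        else:
            addr = _ip(args[0])
            wild = _ip(args[1]) if len(args) > 1 else 0   # no wildcard = exact match
        entries.append((action, addr, wild))
    return entries


def acl_permits(entries, network):
    """First matching entry wins; no match means the implicit 'deny any'."""
    net = _ip(network)
    for action, addr, wild in entries:
        if ((net ^ addr) & ~wild & 0xFFFFFFFF) == 0:
            return action == "permit"
    return False


def advertised(entries, routes):
    """Routes ('network/len') that a distribute-list using this ACL lets through.

    A standard ACL in a distribute-list is compared with the route's network
    address only; the prefix length is not examined.
    """
    return [r for r in routes if acl_permits(entries, r.split("/")[0])]


# Constructed routing update: 172.16.3.0/24 is subnetted into /27s.
ROUTES = ["172.16.1.0/24", "172.16.3.0/27", "172.16.3.32/27",
          "172.16.3.64/27", "192.168.8.0/24"]

# ACL as written on this page.
ACL_FROM_PAGE = """
ip access-list standard acl-no-16-3
 deny 172.16.3.0 0.0.0.255
 permit any
"""

# Constructed variant: wildcard left off, so only network 172.16.3.0 itself matches.
ACL_NO_WILDCARD = """
ip access-list standard acl-no-16-3
 deny 172.16.3.0
 permit any
"""

# Constructed variant: the "permit any" line forgotten.
ACL_NO_PERMIT = "access-list 1 deny 192.168.8.0 0.0.0.255"

if __name__ == "__main__":
    for name, text in [("from page", ACL_FROM_PAGE),
                       ("no wildcard", ACL_NO_WILDCARD),
                       ("no permit any", ACL_NO_PERMIT)]:
        print(f"{name:14s} -> {advertised(parse_standard_acl(text), ROUTES)}")
```

Without the 0.0.0.255 wildcard the /27 subnets 172.16.3.32 and 172.16.3.64 are still advertised, and without "permit any" nothing is advertised at all.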
Redistribution
Redistribution is ONLY for routes in the routing table
When asked to advertise on 172.2.0.0 RIP to backbone: redistribute connected with a route-map
Cannot redistribute multiple protocols on the same router
A redistributed route in 1 protocol will not be redistributed on another protocol on the same router
When redistributing to classful [RIP], if route-map: make the ACL classful for the network
When redistributing from OSPF/EIGRP to RIP, summarize to the mask of the RIP interface
default-metric x  ! To assign a default value to redistributed routes into this protocol
Must include a metric either as default-metric or on distribution statement; the router does not know how to translate 1 metric to the other

Single point of mutual redistribution: no need for route-maps/distribution-lists
1. Before redistribution, on the redistributing router, issue the command 'sh ip route' and write down the learned routes.
2. Form an ACL that permits those routes in 1, including the connected subnets that igrp/rip is running between routers.
3. Form 2 route maps: 1st with 2 route-map entries: one that would deny matching the ACL in 2 and the other that would permit anything (this will be used on non-tag capable IGP). 2nd route-map: with only one entry that would permit all the routes matching ACL in 2.
4. Do the necessary redistribution using the route-maps just made.

R5#sh ip route eigrp
D    150.10.4.0/24 [100/8976] via 150.10.40.4, 00:01:21, Serial0/0.3
D    150.10.45.0/24 [100/8576] via 150.10.40.4, 00:01:21, Serial0/0.3

access-list 1 permit 150.10.4.0 0.0.0.255
access-list 1 permit 150.10.45.0 0.0.0.255
access-list 1 permit 150.10.40.0 0.0.0.255  ! *** EIGRP is running on this connected subnet

route-map rm-ospf2eigrp deny 10
 match ip address 1
route-map rm-ospf2eigrp permit 20  ! If not, everything would be denied!

route-map rm-eigrp2ospf permit 10
 match ip address 1

Redistribution classless to classful
summarize to the subnet mask of the classful network
ip summary-add eigrp 201 0.0.0.0 0.0.0.0  ! EIGRP: Advertise default route
summary-address 128.300.3.0 255.255.255.0 tag 12  ! OSPF: done on router ospf 10

Classful routing: Class of network, then look for subnet
Classless routing: Find the longest match

The only routes that can be redistributed are the routes already in the routing table
connected
when the loopbacks are not in the routing protocol and they should be available to routing
router ospf 10
 redistribute connected subnets
 network …. Area …
 distribute-list 99 out connected  ! Needed only if some of the loopbacks are to be accessible through network
access-list 99 permit 172.16.40.0 0.0.0.255

RIP - IGRP
Use route-maps
router rip
 redistribute igrp 100 metric 5 route-map rm-igrp-to-rip  ! Always, always set the metric or it will be an invalid one, or use default-cost
 passive-interface Serial0/0  ! Always set passive interface on interface for non-routing
 network 3.0.0.0
 network 194.1.1.0
!
router igrp 100
 redistribute rip metric 64 100 255 1 1500 route-map rm-rip-to-igrp
 passive-interface Dialer0
 network 195.1.1.0
!
ip access-list standard acl-netw-igrp  ! Permit the IGRP networks, deny everything else
 deny 1.0.0.0 3.255.255.255
 deny 192.0.0.0 3.255.255.255
 permit any
ip access-list standard acl-netw-rip  ! Permit the RIP networks, deny everything else
 permit 1.0.0.0 3.255.255.255
 permit 192.0.0.0 3.255.255.255
 deny any  ! Usually do a deny any at the end, easier for debugging
route-map rm-rip-to-igrp permit 10
 match ip address acl-netw-rip
route-map rm-igrp-to-rip permit 10  ! Always define as positive, what to allow; the rest is denied
 match ip address acl-netw-igrp

IGRP - EIGRP
Automatic if same AS: nothing to do at all
Manual if different AS, then need route-maps…

RIP-OSPF
RIP distance: 120 vs OSPF distance 110
Summarize everything to the mask of the RIP, before redistributing [ie /24]
summary-address only on ASBR
area range only on ABRs
Summarize at the source, on the router originating the external address, to the /24 so it will be propagated to the RIP router
151.100.0.0/15 is not redistributed into RIPv1 because it is not part of a major network. So there is nothing to redistribute
router ospf 10
 router-id 33.33.33.33
 redistribute rip metric-type 1 subnets tag 123  ! Set the type to E1 to increment metric through AS, subnets & assign tag 120+R3
 network 131.108.5.0 0.0.0.255 area 1
 default-metric 10  ! Only affects the redistributed routes. Common default-metric for OSPF
router rip  ! Same for RIPv2
 redistribute ospf 10
 passive-interface default  ! Make all interfaces passive
 no passive-interface FastEthernet0  ! It's much faster than doing each interface
 network 131.108.0.0
 default-metric 6  ! Only affects the redistributed routes

RIP-OSPF: Multiple redistribution points
RIP distance: 120 vs OSPF distance 110
R4: RIP only
interface Loopback0
 ip address 172.16.10.4 255.255.255.0
interface Ethernet0
 ip address 172.16.234.4 255.255.255.0
router rip
 network 172.16.0.0
R2 & R3: ASBR: RIP & OSPF. Must be done on both ASBRs
interface Ethernet0
 ip address 172.16.234.2 255.255.255.0
interface Serial1
 ip address 172.16.12.2 255.255.255.0
router ospf 10
 router-id 5.5.5.5
 redistribute rip subnets tag 122
 network 172.16.12.0 0.0.0.255 area 0
router rip
 redistribute ospf 10 metric 1
 network 172.16.0.0
 distance 109 172.16.234.4 0.0.0.0  ! Distance 109 is less than OSPF. Address of the inside router with interface facing this, then no routing loop. Must be done even if using route-maps, route-maps will NOT work in this case

RIP-EIGRP
Summarize everything to the mask of the RIP, before redistributing [ie /24]
router eigrp 10  ! Single point of redistribution: no need for distribution-lists/route-maps
 redistribute rip
 network 131.108.5.0 0.0.0.255
 default-metric 1300 20000 255 1 1500  ! Need to assign a metric or redistribution will not work. Only affects the redistributed routes
 no auto-summary
 eigrp router-id 33.33.33.33
!
router rip
 version 2
 redistribute eigrp 10
 passive-interface default
 no passive-interface FastEthernet0
 network 131.108.0.0
 default-metric 6  ! Only affects the redistributed routes
 no auto-summary

OSPF far end router ASBR for RIP
router ospf 10  ! OSPF does the summarization, if RIP or EIGRP did not and redistributed
 router-id 201.201.1.1
 summary-address 152.1.11.0 255.255.255.0 tag 12  ! summarize external from /28 to /24 for RIP which is /24
 redistribute connected subnets  ! redistribute loopback not in OSPF into OSPF area 1
 network 152.1.1.0 0.0.0.255 area 1
 network 152.1.10.0 0.0.0.255 area 1

OSPF next router ABR for RIP
router ospf 10
 router-id 22.22.22.22
 area 1 range 152.1.1.0 255.255.255.0  ! summarize the /30 to /24 for RIP which is /24. Area 1 is the source of the 152.1.1.0 into area 0 [not the area to inject to]
 area 0 range 152.2.2.0 255.255.255.0  ! Area 0 will be summarized into area 1 as 152.2.2.0
 network 152.1.0.0 0.0.255.255 area 1
 network 152.2.0.0 0.0.255.255 area 0

OSPF router ASBR to RIP
router ospf 10
 router-id 201.201.3.3
 redistribute rip metric 65 subnets route-map rm-rip-to-ospf metric-type 1  ! Actual redistribution: subnets and metrics must be there. metric-type 1: route will be E1 & increment cost within AS instead of E2
 passive-interface Serial0/0  ! passive interface to make sure it does not propagate Hellos
 network 152.1.0.0 0.0.255.255 area 0
!
router rip  ! Redistribute into RIP, summarize to the mask of the RIP interface
 redistribute ospf 10 metric 7 route-map rm-ospf-to-rip  ! Metric required or invalid routes
 passive-interface FastEthernet0/0  ! passive interface to make sure it does not propagate broadcasts
 network 152.1.0.0
!
ip access-list standard acl-netw-ospf
 permit 152.1.1.0 0.0.0.255
 permit 152.1.10.0 0.0.0.255
 permit 152.1.11.0 0.0.0.255
 deny any  ! not needed, just for debugs
ip access-list standard acl-netw-rip
 permit 152.1.2.0 0.0.0.255
 permit 152.1.3.0 0.0.0.255
 deny any  ! not needed, just for debugs
route-map rm-rip-to-ospf permit 10
 match ip address acl-netw-rip
route-map rm-ospf-to-rip permit 10
 match ip address acl-netw-ospf

BGP-OSPF
For BGP to synchronize with OSPF, the router IDs must match.
When redistributing BGP into OSPF, it writes the AS_PATH of the router into the external route tag field of the OSPF type 5 LSA. However, when redistributing OSPF into BGP, the BGP process doesn't automatically assume the tag contains AS_PATH. Need to use "set as-path tag" or "set automatic-tag".
One of the reasons routers ignore paths is that the paths are marked as "not synchronized" in the "show ip bgp " output. If BGP synchronization is enabled, there must be a match for the prefix in the IP routing table in order for an internal (iBGP) path to be considered a valid path. If the matching route is learned from an OSPF neighbor, its OSPF router ID must match the BGP router ID of the iBGP neighbor. Most users prefer to disable synchronization using the no synchronization BGP subcommand.
When the RR passes BGP routes from one RR client to another, the BGP router id will be the first RR client but the OSPF router id will be the RR itself, so there will never be a match between them. The solutions to this are:
 - turn off sync on 2nd RR client.
 - use confederation to make prior 2nd RR client "ebgp" peering to prior RR. BGP peers will ALWAYS trust eBGP routes

If R2 and R3 are route-reflector clients of R1, ONLY when OSPF is the IGP, BGP routes originated on R2 will NEVER be seen as valid on R3 and vice-versa because:
 - BGP and OSPF router IDs are required to match for BGP routes to be seen as valid
 - BGP and OSPF router IDs will never match on R2 and R3 due to the presence of the R1 route-reflector between the iBGP peers.

To allow redistribute iBGP into IGP, need to configure "bgp redistribute-internal".
redistribute ospf 1 match ?  ! All the combinations of match are there
redistribute ospf 1 match internal external 1 external 2  ! Redistribute internals and externals E1 & E2 into BGP

If problems with redistribution:
 - Turn off BGP sync
 - Use confederations
 - Change the OSPF router-ID and BGP router-id's on the appropriate routers so that they match.
 - Use another IGP instead, eg EIGRP

RIP
broadcasts UDP port 520: 255.255.255.255
show ip protocol  ! will show the timers
timers basic 30 180 180 240  ! Change the timers
 ! timers basic update invalid holddown flush; then needs to be changed on ALL RIP routers. show ip prot will show the actual times used before the change
 ! If adding too much time so that invalid timer is too long, then 3x and flush add another 60sec: ie: timers basic 120 360 360 240 instead of 120 720 720 960
no validate-update-source  ! If source is not on same subnet as local interface, RIP ignores the update; the no validate… will allow for the routing update, such as when the other side is ip unnumbered or on a different subnet
If routing table entry has the same classful network and the same subnet mask, it becomes part of the update.
If routing table entry has the same classful network and a different subnet mask, it is dropped and does NOT become part of the update
If it IS NOT of the same classful network, an update is created using the natural mask of the classful network
To redistribute RIP: The interface must be the same classful & same subnet on all the interfaces
RIP cannot accept a classful update if it already has a classful connected, use either RIP2 or EIGRP
If 192.168.20.33/27 connected to 192.168.20.34/29: the /27 side will know about the /29, but the /29 will not know about the /27 side because /27 encompasses the /29
default-metric 4  ! Metric to be used during redistribution

Basic config
interface Loopback0
 ip address 10.1.1.1 255.255.255.0
interface Serial0/0
 ip address 148.1.1.1 255.255.255.0
interface Serial0/1
 ip address 192.168.11.1 255.255.255.0
router rip
 passive-interface Serial0/1  ! passive-interface, when router configures more interfaces than wanted [usually a subnet of a classful]. If many passives: passive-interface default & no passive-interface s0/2
 network 10.0.0.0  ! Classful only
 network 148.1.0.0
 neighbor 192.168.11.5  ! Unicast for 1 of the routers on the passive-interface stub, or to send updates over NBMA; no network statement for that network or make it a passive interface. Must be a second neighbor if there is a secondary address on a different network
 distribute-list dl-in-rip in Ethernet0  ! eliminate some routes from coming in thru E0
ip access-list standard dl-in-rip
 permit 198.172.19.0 0.0.0.255
 deny 198.172.13.0 0.0.0.255
 permit any

Troubleshoot / info
show ip protocols  ! display details of all routing protocols, for bad updates and see if what you think is what Cisco thinks
debug ip rip  ! The detailed rip activities
access-list 101 remark only icmp packets
access-list 101 permit icmp any any
debug ip packet 101  ! debug only the pings
show ip route rip  ! The last RIP update must be less than timers basic [usually 30sec] or…

RIP discontinuous networks
Can be more than 1 secondary per interface
interface Serial0  ! 130.1.0.0 network separated by 192.168.10.0
 ip address 130.1.2.1 255.255.255.0
interface Serial1
 ip address 192.168.10.2 255.255.255.0
 ip address 130.1.3.1 255.255.255.0 secondary  ! same classful network as s0, but different network /24, other side: 130.1.3.2, including the routers in the middle so it's a contiguous chain for the secondary addresses
router rip  ! Or use static route that points to the discontiguous network
 network 130.1.0.0
 network 192.168.10.0

RIP default routes
1 of the 3:
 - The ip default-network command is configured.
 - The default-information originate command is configured.
 - The default route is learned via another routing protocol or static route and then redistributed into RIP.

RIP frame-relay
Must have broadcast on frame-relay map or use neighbor on router rip

RIP DDR
router rip  ! When configuring DDR, at minimum "must" disable validation of source address.
 no validate-update-source

RIP metrics
Hop count: 16 = unreachable
If requirement = unreachable ==> offset-list
router rip  ! incoming vs. outgoing
 offset-list 1 in 7 Dialer1  ! add 7 hops to items from access-list coming IN from DI1, could also be out
 ! add to 15 so it won't appear in the routing table [16 hops = unreachable]
 ! in: Only the routing table of this router is affected
 ! out: All routers downstream of Dialer1 are affected
 network 10.0.0.0
 network 192.168.12.0
access-list 1 permit 192.168.200.0  ! Which network to add 7 to the hop count, must be in the routing table before applying the new hop count
Offset-lists only work with standard ACLs
Place offset on router that is the FROM router

RIP Triggered extensions
Increases efficiency on point-to-point, serial links
interface Serial1/0  ! Reduces periodic RIP transmission
 ip address 172.16.1.2 255.255.255.0
 ip rip triggered  ! Needs to be done on both sides, ONLY on SERIAL POINT-TO-POINT
router rip
 network 172.16.0.0  ! RIP routes are marked as permanent
 network 172.18.0.0
 network 172.19.0.0

RIP v2
v2, multicast 224.0.0.9, also do UDP port 520 for v1
Supports TAGs like OSPF
no auto-summary  ! When running both RIPv1 & RIPv2 [RFC 1723]
no auto-summary  ! When discontiguous networks under RIPv2
no auto-summary  ! The summary route arrives at another router with a different subnet mask than the interface receiving [summary will be dropped]
Metric still maximum: 16
interface FastEthernet0/0  ! Supports authentication
 ip address 172.25.150.193 255.255.255.240
 ip rip send version 1 2  ! Done at the interface. Router also connected to a v1 router. Check with "show ip prot" to see what is sent & received
 ip summary-address rip 172.25.192.0 255.255.252.0  ! Can do manual summarization
 no ip split-horizon  ! 2 routers & same subnet out of this ethernet
router rip  ! Always run sh ip prot to see which interface runs v1 and v2
 version 2  ! Runs under v2, if not defaults to v1
 network 172.25.0.0  ! v2: default: receive v1 & v2
 network 192.168.50.0
 distribute-list 101 in
access-list 101 permit ip any host 255.255.255.255  ! If distribute lists, they must allow the broadcasts and/or multicasts
access-list 101 permit ip any host 224.0.0.9  ! ping 224.0.0.9 to make sure they can go through
access-list 101 permit ip …

RIP v2 Authentication
Authentication only on RIP 2
key chain efghi  ! Name of key is significant only to local router, other side can be whatever
 key 1  ! Can be multiple keys, key # must be the same on both sides
  ! Watch for the spaces and cases, key must be the same on both sides
  key-string 123456
  accept-lifetime 11:10:00 Nov 6 2002 duration 1080000  ! When to start receiving
  send-lifetime 11:10:00 Nov 6 2002 duration 1080000  ! When to start sending
 key 2
  key-string cisco02
  accept-lifetime 00:00:00 Dec 4 2002 infinite  ! When to start receiving
  send-lifetime 00:00:00 Dec 4 2002 infinite  ! When to start sending
interface Serial2
 ip address 192.168.50.130 255.255.255.192
 ip rip authentication mode md5  ! If not md5, then password sent in clear text
 ip rip authentication key-chain efghi  ! my keychain
router rip
 version 2
 network 192.168.50.0

debug/info
show key chain  ! always do on both routers, and will show if there are blanks/spaces and they match
debug ip rip  ! Will show if the authentication is valid or not
ping 224.0.0.9  ! To check that multicasts go through

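When a key chain carries several keys with accept-lifetime and send-lifetime windows, it is worth checking that the windows hand over without a hole. The following is an added example, not part of the original notes, that parses the efghi key chain shown above and reports intervals in which no key is valid; with the values on this page, key 1 (duration 1080000 seconds) expires on Nov 18 2002 and key 2 only starts on Dec 4 2002. FIXED_CHAIN is a constructed variant with overlapping windows, and only the "Mon D YYYY" date order used on this page is parsed.

```python
from datetime import datetime, timedelta

FOREVER = datetime.max
STAMP = "%H:%M:%S %b %d %Y"            # e.g. "11:10:00 Nov 6 2002"


def _parse_lifetime(tokens):
    """['11:10:00','Nov','6','2002','duration','1080000'] -> (start, end)."""
    start = datetime.strptime(" ".join(tokens[:4]), STAMP)
    rest = tokens[4:]
    if rest[0] == "infinite":
        return start, FOREVER
    if rest[0] == "duration":
        return start, start + timedelta(seconds=int(rest[1]))
    return start, datetime.strptime(" ".join(rest[:4]), STAMP)   # explicit end time


def parse_key_chain(config):
    """Return {key_id: {'accept-lifetime': (start, end), 'send-lifetime': (start, end)}}."""
    keys, current = {}, None
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) == 2 and tokens[0] == "key" and tokens[1].isdigit():
            current = keys.setdefault(int(tokens[1]), {})
        elif tokens and tokens[0] in ("accept-lifetime", "send-lifetime") and current is not None:
            current[tokens[0]] = _parse_lifetime(tokens[1:])
    return keys


def _window(key, kind):
    # A key with no lifetime configured is treated as always valid.
    return key.get(kind, (datetime.min, FOREVER))


def lifetime_gaps(keys, kind):
    """Intervals, after the earliest key starts, in which no key is valid for `kind`."""
    windows = sorted(_window(k, kind) for k in keys.values())
    if not windows:
        return []
    gaps, covered_until = [], windows[0][1]
    for start, end in windows[1:]:
        if start > covered_until:
            gaps.append((covered_until, start))
        covered_until = max(covered_until, end)
    return gaps


def active_keys(keys, kind, when):
    """Key numbers valid for `kind` at time `when`."""
    return sorted(kid for kid, k in keys.items()
                  if _window(k, kind)[0] <= when < _window(k, kind)[1])


# Key chain exactly as configured on this page.
PAGE_CHAIN = """
key chain efghi
 key 1
  key-string 123456
  accept-lifetime 11:10:00 Nov 6 2002 duration 1080000
  send-lifetime 11:10:00 Nov 6 2002 duration 1080000
 key 2
  key-string cisco02
  accept-lifetime 00:00:00 Dec 4 2002 infinite
  send-lifetime 00:00:00 Dec 4 2002 infinite
"""

# Constructed variant: key 1 is sent until key 2 takes over, and both keys are
# accepted for a day around the changeover to tolerate clock differences.
FIXED_CHAIN = """
key chain efghi
 key 1
  key-string 123456
  accept-lifetime 11:10:00 Nov 6 2002 00:00:00 Dec 5 2002
  send-lifetime 11:10:00 Nov 6 2002 00:00:00 Dec 4 2002
 key 2
  key-string cisco02
  accept-lifetime 00:00:00 Dec 3 2002 infinite
  send-lifetime 00:00:00 Dec 4 2002 infinite
"""

if __name__ == "__main__":
    for name, text in [("page", PAGE_CHAIN), ("fixed", FIXED_CHAIN)]:
        keys = parse_key_chain(text)
        for kind in ("send-lifetime", "accept-lifetime"):
            print(name, kind, "gaps:", lifetime_gaps(keys, kind))
```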
Default route with ip route 0.0.0.0 0.0.0.0 x.x.x.x
RIP propagates ip route 0.0.0.0 0.0.0.0 x.x.x.x as the default route through the RIP domain

Default route WITHOUT ip route 0 0 x.x.x.x
router rip
 passive-interface Loopback10  ! Should always be passive, if loopback included in the network
 network 7.0.0.0  ! Which interface to advertise
 network 172.16.0.0
 neighbor 172.16.2.2  ! because of frame-relay and no NBMA
 default-information originate  ! Generate default route throughout the RIP domain, including its own. It SHOULD not be a transit router

Split horizon enabled, RIP updates with secondary address on different major network than primary
Update contents:
 Primary: Subnets of primary (if known through non-source interfaces). Other major networks (including secondary network), known through non-source interface, summarized to major net boundary.
 Secondary: Subnets of secondary (if known through non-source interface). Other major networks (including primary network), known through non-source interface, summarized to major net boundary.

Split horizon disabled, RIP updates with secondary address on different major network than primary
Update contents:
 Primary: All known subnets of primary. Other major networks (including secondary network), summarized to major net boundary.
 Secondary: All known subnets of secondary. Other major networks (including primary network), summarized to major net boundary.

Split horizon enabled, RIP updates with secondary address on same major network as primary
Update contents:
 Primary: Subnets of primary/secondary (if known through non-source interfaces). Other major networks, known through non-source interface, summarized to major net boundary.
 Secondary: None - no updates sourced from secondary.

Split horizon disabled, RIP updates with secondary address on same major network as primary
Update contents:
 Primary: All known subnets of primary/secondary. Other major networks summarized to major net boundary.
 Secondary: All known subnets of primary/secondary. Other major networks summarized to major net boundary.

On-Demand routing
Hub & Spoke
router odr  ! enable on-demand routing
router ospf 10
 network 10.0.0.0 0.255.255.255 area 10
 redistribute odr metric 100  ! On hub to redistribute the routes learned from the spokes

RIP default routes
RIP doesn't advertise the default route if the route is not learned via RIP. Therefore, it may be necessary to redistribute the route into RIP, or use the default-information originate command.

EIGRP
Should always use: eigrp log-neighbor-changes  ! For debugs
To establish neighbor relationship, the neighbors MUST BE ON THE SAME SUBNET
EIGRP does support secondary addresses. But EIGRP always sources data packets from the primary address, so configure all routers on a particular subnet with primary addresses that belong to the same subnet. Routers will not form EIGRP neighbors over secondary networks
metric weights 0 1 1 1 1 0  ! K values must be the same for all routers of AS# or no neighbor relationship
Static routes are automatically advertised by EIGRP if next hop is interface and the interface is covered by the network statement. Need distribute-list to prevent that
EIGRP Administrative distance: 110
EIGRP Administrative distance external routes: 170

Basic config
With frame-relay NBMA
interface Serial0/1.10 multipoint
 ip address 172.16.2.2 255.255.0.0
 no ip split-horizon eigrp 10  ! NBMA, must disable the split-horizon
 ! Split horizon behavior is turned on by default. Changing the EIGRP split horizon setting on an interface resets all adjacencies with EIGRP neighbors reachable over that interface. Split horizon should only be disabled on a hub site in a hub-and-spoke network. Disabling split horizon on the spokes radically increases EIGRP memory consumption on the hub router, as well as the amount of traffic generated on the spoke routers.
 frame-relay map ip 172.16.5.5 205
 frame-relay map ip 172.16.7.7 207
router eigrp 10
 network 2.22.0.0 0.0.255.255  ! Only for the 2.22.0.0/16 network without using passive interface
 network 172.16.0.0  ! Defaults to classful or can use wild cards on network statement
 neighbor 172.16.7.7 Serial0/1.10  ! Neighbors because of the NBMA
 neighbor 172.16.5.5 Serial0/1.10  ! It should not be used. The neighbor statement does not behave as intended and can have a negative effect on EIGRP neighbors. [BUG]
 no auto-summary  ! To support discontiguous networks, if not cannot ping [null0]

Basic config
interface serial 0
 ip add 192.168.1.1 255.255.255.0
 ip hello-interval eigrp 64 10  ! AS#64, hello-interval=10sec, must be done on both sides
 ip hold-time eigrp 64 30  ! AS#64, hold-time=30sec, must be done on both sides, sho ip prot will give defaults
 bandwidth 64  ! Always set the bandwidth for serials, to adjust metric change the DELAY
 ip bandwidth-percent eigrp 64 50  ! Limits EIGRP overhead to a maximum of 50%
 ip summary-address eigrp 64 192.168.10.0 255.255.240.0 120  ! Send summary address to RIP/IGRP with the correct network mask
 ! 64: destination EIGRP as#
 ! 120: Administrative distance of summary address
 ! Summary address done at interface that advertises out in EIGRP instead of AS in OSPF
 ! Cannot do summary-routes on discontiguous networks ==> blackhole
 ! Interface MUST exist that covers the summary address
 ! Summary address must not cover more than actual addresses or blackhole
 ! EIGRP will not auto-summarize external routes unless there is a component of the same major network that is an internal route
 ! External EIGRP routes have an administrative distance of 170, should use default metric
 ! if secondary address, need: no ip split-horizon
router eigrp 64  ! Same AS # on all routers unless redistribution
 passive-interface FastEthernet0/0  ! show ip protocol will show the networks and the passive interfaces
 ! The passive-interface command prevents the exchange of routes on the interface
 ! It still includes the address of the interface in routing updates sent out of other non-passive interfaces
 network 10.1.1.0 0.0.63.255  ! Up to 10.1.64.255
 network 172.17.5.0 0.0.0.255
 network 192.168.0.0 0.0.255.255  ! Must be included for the ip summary-address…
 no auto-summary  ! automatic summarization by default when 2 or more networks configured for the IP EIGRP process, suppress null0 in routing table
 ! EIGRP summarizes the route only when advertising out an interface that is in a different class

EIGRP Troubleshoot / info
show ip protocol  ! Will display the summary info and the summary addresses
show ip eigrp neighbor  ! Show the status of the neighbors
show ip eigrp topology
show ip eigrp topology active  ! shows the route with status active [stuck-in-active]
show ip eigrp interfaces detail  ! Displays the neighbors and the interfaces and authentication
debug eigrp packets  ! Never use it straight, massive amount of data!
debug ip eigrp  ! Much better to use than debug eigrp packet
MAKE SURE THAT IT'S THE RIGHT !@#$%^&* IP ADDRESS
Neighbor 137.20.40.17 not on common subnet for E0  ! The 2 Ethernet interfaces are in the same VLAN but are on 2 different subnets

EIGRP on NBMA
interface Serial0/1  ! This is the hub
 ip address 192.1.1.2 255.255.255.0
 encapsulation frame-relay
 no ip split-horizon eigrp 10  ! So that both spokes can see each other, only affects eigrp 10, nothing else
 frame-relay map ip 192.1.1.1 100  ! so that the routing goes through
 frame-relay map ip 192.1.1.3 200
router eigrp 10
 network 192.168.0.0 0.0.255.255
 neighbor 192.1.1.1  ! Need the neighbor statement because no broadcast on "frame map ip"
 neighbor 192.1.1.3

EIGRP misc
router eigrp 8200  ! Distance EIGRP [internal] [external]
 eigrp router-id 0.0.0.7  ! Set the router-id for eigrp 2001, must be unique or will not allow extern route
 redistribute ospf 4000 metric 1500 10 255 10 1500 route-map ospf_2_eigrp
 eigrp log-neighbor-changes  ! Shows why, loss of neighbor
 network 139.10.103.0 0.0.0.255
 network 180.1.1.1 0.0.0.0
 distance 2 0.0.0.0 255.255.255.255 99  ! distance
 no auto-summary
router rip  ! RIP has a LOWER AD than the external EIGRP routes
 network 172.16.0.0
 network 180.1.0.0
 distance 190 180.1.2.1 255.255.255.255  ! Assigns a distance of 190 so router can choose the EIGRP route
access-list 99 permit 160.160.0.0 0.0.255.255
access-list 99 deny any

EIGRP summarization
Auto-summarization done when redistributing: cannot be disabled
Auto-summarization done at class boundary: should be disabled with no auto-summary when discontiguous networks
Will not automatically summarize external routes
EIGRP cannot make neighbor with routers that fall within the manual or auto-summarization address, then no auto-summary
interface Serial0
 ip address 172.16.3.3 255.255.255.0
 ip summary-address eigrp 201 182.0.0.0 255.0.0.0
 ip summary-address eigrp 201 10.0.0.0 255.0.0.0
!
router eigrp 201
 eigrp router-id 0.0.0.7  ! Set the router-id for eigrp 2001, only used on external routes to prevent loops
 network 10.0.0.0
 network 172.16.3.0 0.0.0.255
 network 182.0.0.0 0.255.255.255
 no auto-summary

EIGRP stub routing
No transit, only 1 neighbor, used in Hub & Spokes
Improves network stability, reduces resource utilization, and simplifies stub router configuration.
router eigrp 2001
 network 172.16.0.0
 network 192.168.14.0
 no auto-summary
 eigrp router-id 0.0.0.7
 eigrp stub connected                  ! Options: connected | static | summary | receive-only [will not advertise anything]
EIGRP default routes
The "default-network" must be on a MAJOR CLASSFUL boundary.
router eigrp 10                        ! The "default-network" must either be in the routing table as External-EIGRP or be advertised in EIGRP with the network command
 network 192.168.10.0 0.0.0.255        ! Must be present
ip default-network 192.168.10.0        ! Global command, can be more than 1 ip default-network statement
For EIGRP to propagate the route, the network specified by the ip default-network command must be known to EIGRP. This means the network must be an IGRP- or EIGRP-derived network in the routing table, or the static route used to generate the route to the network must be redistributed into EIGRP.
ip default-network 192.168.10.0        ! Must be classful
ip default-network 10.0.0.0            ! Must be classful
router eigrp 10
 network 192.168.10.0                  ! Must match ip default-network
 network 10.0.0.0
 default-information {in | out} {access-list | access-name}    ! To control the candidate default routing information between IGRP or EIGRP processes
OSPF
Notes
Cannot make adjacencies over secondary addresses, only over primary addresses
Routes of secondary addresses must be in same area as primary to be advertised
There can be more than 1 DR per area, there is only 1 DR per broadcast segment
OSPF does NOT support unnumbered point-to-point links
Distribute-list in prevents the OSPF routes from being installed in the routing table [they still come into the database]
Network types that work together     Works
Point-to-Point =====> Point-to-Point   YES
Point-to-Point =====> Point-to-Multi   YES, if timers (hello) are allowed to be modified
Point-to-Multi =====> Point-to-Multi   YES
NON-BROAD      =====> NON-BROAD        YES, if neighbor statements are allowed. May need to influence DR selection (Priority)
non-broad      =====> broadcast        YES, if timers (hello) are allowed to be modified. May need to influence DR selection (Priority)
broadcast      =====> broadcast        YES, may need to influence DR selection (Priority)
Point-to-Point =====> non-broad        NO
Point-to-Point =====> broadcast        NO
Point-to-Multi =====> non-broad        NO
Point-to-Multi =====> broadcast        NO
When mixing OSPF network types: hello/dead intervals, use or non-use of DR/BDR
Non-broadcast and broadcast elect DR/BDR, but have different hello/dead intervals.
Point-to-point and multipoint do not elect DR/BDR, and also have different hello/dead intervals.
Multipoint may require neighbor statements over NBMA so it knows which router to form an adjacency with.
LSAs and areas & networks
Point-to-point networks        No DR/BDR :: Only: 224.0.0.5
Broadcast networks             DR/BDR :: Hellos: 224.0.0.5, Only DR/BDR listens to 224.0.0.6 & broadcast on 0.5
NBMA networks                  DR/BDR :: No multicasts :: Neighbors statically defined :: Hub=DR
Point-to-multipoint networks   No DR/BDR :: IP OSPF network point-to-multipoint :: Hellos: 224.0.0.5 [broadcasts]
IP OSPF network broadcast                 Full meshed, neighbors: same subnet, BR/DR, adjacency: auto, Priority: set manually
Frame-relay NBMA: point-to-multipoint     Partial meshed: star, neighbors: same subnet, static, BR/DR, adjacency: manual, priority for setting DR/BDR
frame-relay: point-to-point               Partial meshed: star, neighbors: different subnet, no BR/DR, adjacency: auto
frame-relay: point-to-multipoint          Partial meshed: star, neighbors: same subnet, no BR/DR, adjacency: auto, must define manually with IP OSPF network point-to-multipoint
NBMA Point-to-Multipoint DR Election No DR Election, Requires manual neighbor establishment (neighbor command) automatic neighbor establishment In partial mesh ensure HUB is DR (priority command) Provides automatic mapping via routing table [host routes x.x.x.x/32] Need to map spokes to hub, otherwise the spokes will not be able to communicate with each other. Neighbor will not show up when: when the neighbor is out a frame interface that is configured with priority 0 frame map ip [do NOT use broadcast, use neighbor instead] Network type recommended: point-to-multipoint
Area type LSAs & default route Regular area All LSAs allowed, injected: Summary LSAs - Type 3/4 External LSAs - Type 5 External default LSAs - Type 5? Stub area Summary LSA: Type 3 [no type 4 generated by ASBR] Default route as summary route: Type 3 No External LSA: Type 5 no redistribution in stub area only 1 ABR, automatically generates a default route inside the stub toward the ABR: O*IA 0.0.0.0/0 [110/1563] via 192.168.30.10, 00:00:23, Serial0 Gateway of last resort is 192.168.30.10 to network 0.0.0.0 Totally-stubby area No external LSA, No external summary LSAs are allowed, only ABR Not-so-stubby area No external LSA coming in but allow external LSA out default-information originate [always] Default route when redistributing, need an ip route or ip default-network Creates LSA type 5 Does not generate default routes in stubby, totally stubby areas [no 5 allowed] If need default route make area nssa, then type 7 default area x stub Default route as type 3 & no 5-7 area x stub no summary Default route & no 3-4-5 [totally stubby] area x nssa No default route & no 5 [not so stubby] no default route (no 5's but change externals that were redistributed by ASBR to type 7's that will change to 5's by ABR to push to other area that are eligible, use default-information-originate if route is visible in route table, use default-information-originate always if not in routing table) area x nssa no summary Default route + 7 & no 3,4,5 [Totally not-so-stubby-area] no 3,4,5, same type 7 translation as nssa, but default route injected as type 3 On the ASBR, area x nssa on the other routers when defining an area as "stub" and "stub no-summary" in both cases you get 0.0.0.0 injected in Use "default-information-originate" option for "nssa" type area, if you wish to have 0.0.0.0 route propagated within.
area 1 stub                                  All routers in Area 1 as stub area
area 1 stub no-summary                       ABR router to make area 1 totally stubby
area 1 nssa                                  All routers in Area 1 as Not so stubby
area 1 nssa default-information-originate    Creates a default-route into area 1 [nssa] on the ABR, ASBR depends on IOS
area 1 nssa no-summary                       NSSA ABR for totally NSSA area
area 1 nssa no-redistribution                When ASBR is also NSSA ABR, on ASBR, Type 7 will NOT be translated as Type 5
router ospf 10
 summary-address 10.10.20.0 255.255.255.0 not-advertise    Generates type 7, that won't be translated to type 5 by NSSA ABR
Originated by: LSAs All routers 1: Router LSA: router interfaces Designated router 2: Network LSA: list of routers connected to network Multi-access segment network link advertisements Single Area only ABR: They are not flooded inter area, but generated anew for each area by relevant ABRs 3: Summary LSA: Summary network prefix of an area Created from information in ABRs routing table: intra-area Routes to networks Area need to be connected to area 0 ABR 4: Summary LSA: when an ASBR exists in the area Routes to ASBR Area Need to be connected to area 0 ASBR 5: AS-External LSA: external network prefixes NSSA - ASBR 7: NSSA AS-External LSA: Network prefixes imported into NSSA area
DR/BDR If priority is the same, then will use Router id for selection Don’t rely on router-id for DR-BDR use ip ospf priority 255 Need: ip ospf priority 255 and ip ospf priority 0 on the other routers in the area
Stub area
area 10 stub
Best used: Only 1 ABR, could be more than 1 but then should use nssa
No ASBR
area 2 stub
No virtual links
Not the backbone
Must have: area 10 default-cost 1000     On ABR: If no default-cost, the cost advertised by ABR will be 1
Need: default-information originate      No, automatically generates the default route
Allow LSA: 1,2,3 [intra-area & default]
Block LSA: 5,7
Allow external summary: Yes
Generate summary: No
Allow default: Yes
Generate default: ABR generates default route for area toward ABR as summary: Type 3
Allow externals: Yes: summaries only
Notes: If area is over demand circuit/BRI, make the area stub to reduce flaps. No external link flap will bring up the dialup link

Totally stubby
area 10 stub no-summary
Best used: Only 1 ABR
No ASBR
area 2 stub no-summary     ! Only on ABR
No virtual links
area 2 stub                ! On all other routers in area
Not the backbone
Smallest routing table possible
Must have: area 10 default-cost 1000     On ABR: If no default-cost, the cost advertised by ABR will be 1
Need: default-information originate      No
Allow LSA: 1,2,3 [intra-area & default]
Block LSA: 4,5,7 [external & summary routes]
Allow external summary: No
Generate summary: Yes
Allow default: Yes
Generate default: Yes
Allow externals: No
Notes: If area is over demand circuit/BRI, make the area stub to reduce flaps. No inter-area link flap will bring up the dialup link

Not so stubby NSSA
area 10 nssa
Best used: Between ASBR & ABR who is connected to area 0
No virtual links
Not the backbone
Stubby area that receives redistributed external routes, but when do not want LSA type 5 in area
Must have: area 10 default-cost 1000     On ABR & ASBR: If no default-cost, advertised-cost by ABR & ASBR will be 1
Need: default-information originate      Yes
Allow LSA: 1,2,7
Block LSA: 3,4,5 [external & summary routes] ????
Allow external summary: No
Generate summary: No
Allow default: No
Generate default: No
Allow externals: No
OSPF designated router Broadcast No DR/BDR: Point-to-multipoint NBMA No DR/BDR: Point-to-point
Highest router-id interface s0 ip ospf priority 255 ! On the DR ip ospf priority 0 ! On all the DR/Other
OSPF Troubleshoot / info
show ip protocols                                 Display details of all routing protocols, for bad updates and to see if what you think is what Cisco thinks
debug ip routing                                  The activities/building of the routing table
show ip ospf                                      General information about OSPF routing processes.
show ip ospf border-routers                       The internal OSPF routing table entries to the ABR and ASBR
show ip ospf flood-list interface-name            List of LSAs waiting to be flooded over an interface (to observe OSPF packet pacing).
show ip ospf interface                            Display interface, neighbor, network-type, timers, authentication & areas…
show ip ospf neighbor [interface-name] detail     OSPF-neighbor information on a per-interface basis.
show ip ospf virtual-links                        OSPF-related virtual links information.
show ip ospf [process-id [area-id]] database      Lists of information related to the OSPF database.
debug ip ospf events                              View all events
debug ip ospf adj                                 View the adjacencies in progress
debug ip ospf monitor                             Hidden command, but shows all activities
No /32 routes with ISDN and OSPF demand-circuit
Especially important on ASBRs
interface BRI0
 encapsulation ppp
 ip address 10.1.10.1 255.255.255.0
 ip ospf demand-circuit
 no peer neighbor-route                ! ppp: remove the /32 routes
When using OSPF network type multipoint in a frame relay network the /32 route enables the spokes to reach one another.
Needed if RIPv1: network 10.0.0.0, then the interface is also owned by RIP and redistributed into OSPF; when the link goes down [ospf demand-circuit], RIP reports it down, then redistribute into OSPF, change the database and raise the list to update the other end
OSPF: Physical interface and point-to-point sub
interface Serial0/1                               ! Hub
 ip address 172.16.2.2 255.255.255.0
 encapsulation frame-relay
 ip ospf priority 255
 frame-relay map ip 172.16.2.7 207 broadcast      ! No neighbor
interface Serial0/1.11 point-to-point
 ip address 172.16.3.2 255.255.255.0
 frame-relay interface-dlci 205
router ospf 10
 router-id 22.22.22.22
 network 172.16.0.0 0.0.255.255 area 1

interface Serial1                                 ! Spoke
 ip address 172.16.3.5 255.255.255.0
 encapsulation frame-relay
 ip ospf network point-to-point                   ! Must match the point-to-point subinterface type
 ip ospf priority 0
 frame-relay map ip 172.16.3.2 502 broadcast      ! No neighbor
 frame-relay map ip 172.16.7.7 502
 no frame-relay inverse-arp
router ospf 10
 router-id 10.5.5.5
 network 172.16.0.0 0.0.255.255 area 1
OSPF: Frame-relay, Hub & spoke
Spokes can't be neighbors with each other. The TTL of an OSPF packet is 1, so it'll never make it past the hub.
Hub
interface Serial0/1
 no ip address
 encapsulation frame-relay
!
interface Serial0/1.257 multipoint
 ip address 131.108.1.2 255.255.255.0
 ip ospf network broadcast                        ! optional, same network type
 ip ospf priority 255                             ! Will make the hub the DR
 frame-relay map ip 131.108.1.5 25 broadcast
 frame-relay map ip 131.108.1.7 27 broadcast
!
router ospf 1
 router-id 22.22.22.22
 network 131.0.0.0 0.255.255.255 area 1

Spoke
interface Serial1
 ip address 131.108.1.5 255.255.255.0
 encapsulation frame-relay
 ip ospf network broadcast                        ! optional, same network type
 ip ospf priority 0
 frame-relay map ip 131.108.1.2 52 broadcast
router ospf 1
 router-id 55.55.55.55
 network 131.0.0.0 0.255.255.255 area 1
All spokes have a priority of 0
There is no BDR on hub & spoke, need full mesh for BDR

Hub
interface Serial0/1
 no ip address
 encapsulation frame-relay
!
interface Serial0/1.257 multipoint
 ip address 131.108.1.2 255.255.255.0
 ip ospf priority 255                             ! Will make the hub the DR
 frame-relay map ip 131.108.1.5 25
 frame-relay map ip 131.108.1.7 27
 no frame-relay inverse-arp
!
router ospf 1
 router-id 22.22.22.22
 network 131.108.0.0 0.0.255.255 area 1
 neighbor 131.108.1.7                             ! no neighbor on the spoke, it's automatic
 neighbor 131.108.1.5

Spoke
interface Serial1
 ip address 131.108.1.5 255.255.255.0
 encapsulation frame-relay
 ip ospf priority 0
 frame-relay map ip 131.108.1.2 52
 no frame-relay inverse-arp
!
router ospf 1
 router-id 55.55.55.55
 network 131.108.0.0 0.0.255.255 area 1
Hub
interface BRI0
 ip address 131.108.1.2 255.255.255.0
 encapsulation ppp
 ip ospf priority 255                             ! Will make the hub the DR
 dialer map ip 131.108.1.5 broadcast name R2 6041234567
 no frame-relay inverse-arp

Spoke
interface BRI0
 ip address 131.108.1.5 255.255.255.0
 encapsulation ppp
 ip ospf priority 0
 dialer map ip 131.108.1.2 broadcast name R1 6047654321
 no frame-relay inverse-arp
debug/info
ping                        Before anything else, must be able to ping the neighbors
show ip ospf interface
show ip ospf neighbor
broadcast on frame-relay map or dialer map
broadcast not needed on frame-relay map if neighbor defined
broadcast not needed on dialer interfaces
debug ip ospf adj           Debug the forming of the adjacencies
                            Mismatched MTU
                            Duplicate RID
                            Wrong DLCI, VPI/VCI
OSPF: Virtual-links
No authentication
router ospf 10
 router-id 2.2.2.2
 area 1 virtual-link 5.5.5.5              ! area: the area that goes across to connect area 0 and area 2
                                          ! address: not an address but the router id of the destination router of the virtual link
                                          ! must be done on both sides of the link, with the other side pointing to this RID: 2.2.2.2
 network 172.16.0.0 0.0.255.255 area 1
 network 192.168.10.0 0.0.0.255 area 0

There are two types of authentication in OSPF, area and interface. If area authentication is enabled, all interfaces which have adjacencies on them must authenticate. A virtual-link *is* an area 0 interface, therefore if you have a virtual-link, and are authenticating area 0, you must authenticate the virtual-link.

Interface authentication is independent of area authentication, and interface authentication overrides area authentication. This means that you could be using clear-text authentication throughout an area, and implement md5 authentication on a particular link within that area.

In the case that you have presented, interface authentication is enabled on the virtual-link. This is a perfectly valid configuration. If you have 'area 0 authentication', the remote router where the virtual-link terminates would also have to say 'area 0 authentication'. It is not completely necessary that you configure a key on the interface (or virtual-link in this case). OSPF authentication uses a "null" key by default.
Notes
3 types of authentication:
 Type 0: null authentication [no authentication]
 Type 1: plain text
 Type 2: MD5

How to not have authentication on link but authentication on area
interface s1
 ip ospf authentication null              ! Must be done on both sides
router ospf 1
 area 1 authentication message-digest     ! Must be done on all routers in area
OSPF: Plain authentication
Must be done on both sides
Authentication can either be done on an area basis
Authentication can be done only between 2 interfaces ==> not on router ospf
interface Serial0
 ip address 192.168.10.1 255.255.255.252
 ip ospf authentication-key 123456        ! Could be just at interface w/o area 0 authentication
router ospf 10
 router-id 6.6.6.6
 area 0 authentication                    ! Defines authentication for the area [could be only at interface level]
 network 192.168.10.0 0.0.0.255 area 0

OSPF: MD5
interface Serial1
 ip address 131.108.1.3 255.255.255.0
 ip ospf message-digest-key 1 md5 abcdef  ! MD5 key, must be done on both sides of link
router ospf 10
 area 0 authentication message-digest     ! sets authentication for the whole area, must be done on all routers in area
 network 131.108.0.0 0.0.255.255 area 0
OSPF Virtual-link: Plain authentication
Must be done on both sides
router ospf 10                                          ! This is the far end of the virtual-link
 router-id 5.5.5.5
 area 0 authentication                                  ! Router not physically connected to area 0, router logically connected to area 0
 area 1 virtual-link 2.2.2.2 authentication-key 123456  ! Must be done on both sides, same key on both sides
 network 10.1.0.0 0.0.255.255 area 2                    ! Authentication has nothing to do with the transit area, could be none or MD5
 network 172.16.0.0 0.0.255.255 area 1                  ! It's only the authentication of the area 0
Debug / info show ip ospf virtual-links The last line will tell what authentication to use Both sides must show the same one
OSPF Virtual-link: MD5 authentication
Must be done on both sides
router ospf 10                                                  ! Far end router & same comments as before
 router-id 5.5.5.5
 area 0 authentication message-digest                           ! Must define the area 0 even though it's the far end
 area 1 virtual-link 2.2.2.2 message-digest-key 1 md5 123456    ! Same message-digest key number and md5
 network 10.1.0.0 0.0.255.255 area 2
 network 172.16.0.0 0.0.255.255 area 1
!
Debug / info show ip ospf virtual-links The last line will tell what authentication to use Both sides must show the same one
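Added example (not part of the original notes): a small auditor that applies the rules above, interface authentication overriding area authentication and the three types 0/1/2, to IOS-style config text and reports the effective setting per interface. The sample config is constructed from the addresses and keys used above; the function names, the finding labels and the most-specific-match rule for network statements are assumptions of this example, and virtual-links are not parsed.

```python
import ipaddress
import re

AUTH_NULL, AUTH_PLAIN, AUTH_MD5 = 0, 1, 2     # OSPF authentication types 0, 1, 2
AUTH_WORD = {None: AUTH_PLAIN, "null": AUTH_NULL, "message-digest": AUTH_MD5}

# Constructed sample config; addresses and keys reuse values from the notes above.
SAMPLE_CONFIG = """\
interface Serial0
 ip address 192.168.10.1 255.255.255.252
 ip ospf authentication-key 123456
interface Serial1
 ip address 131.108.1.3 255.255.255.0
 ip ospf message-digest-key 1 md5 abcdef
interface Serial2
 ip address 131.108.2.1 255.255.255.0
 ip ospf authentication null
interface Serial3
 ip address 131.108.3.1 255.255.255.0
!
router ospf 10
 area 0 authentication
 area 1 authentication message-digest
 network 192.168.10.0 0.0.0.255 area 0
 network 131.108.0.0 0.0.255.255 area 1
"""


def parse_config(text):
    """Return (interfaces, area_auth, networks) from IOS-style config text."""
    interfaces, area_auth, networks = {}, {}, []
    block, itf = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():                      # a top-level line opens a block
            m = re.fullmatch(r"interface (\S+)", line)
            if m:
                block = "interface"
                itf = interfaces.setdefault(m.group(1), {
                    "ip": None, "auth": None, "plain_key": False, "md5_key": False})
            else:
                block = "ospf" if re.fullmatch(r"router ospf \d+", line) else None
            continue
        if block == "interface":
            if m := re.fullmatch(r"ip address (\S+) \S+", line):
                itf["ip"] = ipaddress.IPv4Address(m.group(1))
            elif m := re.fullmatch(r"ip ospf authentication(?: (null|message-digest))?", line):
                itf["auth"] = AUTH_WORD[m.group(1)]   # bare keyword means plain text
            elif re.fullmatch(r"ip ospf authentication-key \S+", line):
                itf["plain_key"] = True
            elif re.fullmatch(r"ip ospf message-digest-key \d+ md5 \S+", line):
                itf["md5_key"] = True
        elif block == "ospf":
            if m := re.fullmatch(r"area (\S+) authentication(?: (message-digest))?", line):
                area_auth[m.group(1)] = AUTH_WORD[m.group(2)]
            elif m := re.fullmatch(r"network (\S+) (\S+) area (\S+)", line):
                networks.append(tuple(map(ipaddress.IPv4Address, m.group(1, 2))) + (m.group(3),))
    return interfaces, area_auth, networks


def area_for(ip, networks):
    """Area of the most specific network statement covering ip, or None (assumed rule)."""
    best = None
    for net, wildcard, area in networks:
        care = ~int(wildcard) & 0xFFFFFFFF            # bits that must match
        if ((int(ip) ^ int(net)) & care) == 0:
            wild_bits = bin(int(wildcard)).count("1")
            if best is None or wild_bits < best[0]:
                best = (wild_bits, area)
    return best[1] if best else None


def audit(text):
    """Map interface name -> (area, effective auth type, finding)."""
    interfaces, area_auth, networks = parse_config(text)
    report = {}
    for name, itf in interfaces.items():
        area = area_for(itf["ip"], networks) if itf["ip"] else None
        if area is None:
            continue                                  # interface is not running OSPF
        # Interface-level setting overrides the area-level one.
        auth = itf["auth"] if itf["auth"] is not None else area_auth.get(area, AUTH_NULL)
        if auth == AUTH_NULL:
            finding = "no authentication"
        elif auth == AUTH_PLAIN:
            finding = "plaintext key" if itf["plain_key"] else "plaintext, null key"
        else:
            finding = "md5" if itf["md5_key"] else "md5 enabled, no key"
        report[name] = (area, auth, finding)
    return report


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Serial2 is the case to watch for in a review: the area says MD5, but the interface-level null setting leaves that one link unauthenticated.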
OSPF default routes: Normal areas
Then becomes an ASBR
By default, in normal areas OSPF routers don't generate default routes into their routing domains, even if one exists. For OSPF to generate a default route, use the default-information originate [always] [metric metric-value] [metric-type type-value] [route-map map-name] command. This generates an external Type-2 link with link-state ID 0.0.0.0 and network mask 0.0.0.0, which makes the router an ASBR.
default-information originate            If the ASBR already has the default route in its routing table
default-information originate always     If the ASBR doesn't have a default route
OSPF default routes: stub and totally stubby Do not do anything Generates default route automatically In stub and totally stub areas, the ABR to the stub area generates a summary LSA with the link-state ID 0.0.0.0. This is true even if the ABR doesn't have a default route of its own. In this case, you don't need to use the default-information originate command.
OSPF default routes: NSSA
Does not generate default route automatically
To force the ABR to generate the default route, use the area 1 nssa default-information originate command. The ABR generates a Type 7 LSA with the link-state ID 0.0.0.0, which is advertised inside the NSSA. This default route will be propagated inside the NSSA as a Type 7 LSA.
Another way to advertise the default route inside the NSSA is to use the area nssa no-summary command. With the no-summary keyword, the NSSA ABR will not advertise the inter-area routes (Type 3 and Type 4 summary routes) inside the NSSA, and instead will advertise a default route. This default route will be propagated inside the NSSA as a Type 3 LSA.
OSPF timers
They must be identical to establish adjacencies, for each 2 facing interfaces
interface Serial0/1                       ! Original timers can be seen with: sho ip ospf interface
 ip address 131.108.1.2 255.255.255.0
 ip ospf hello-interval 20                ! automatically changes dead-time & wait by *4
 ip ospf dead-interval 45                 ! automatically changes wait-time
 ip ospf retransmit-interval 50           ! All routers in area must have the same value
OSPF Not installing routes in routing table
Before installing external LSA, the forwarding address must be known
OSPF summaries When router connected to more than 1 area, one of these area must be area 0 The ABR will not generate summary LSAs if they are not connected to area 0 [see virtual links] Totally stubby areas do NOT generate summary LSAs Just default routes
OSPF & NAT Do not allow the access-list to permit everything The access-list permit statement MUST NOT cover the neighbor's IP address
BGP
To advertise a route BGP must know the route through network command/redistribution
Network advertised must be in routing table [unless no sync]
 network 192.168.10.0 mask 255.255.255.252     ! Maximum 200 network statements; if more than 200 routes, routes must be redistributed
 bgp router-id 10.2.2.2                        ! The OSPF Router-ID must be the same as the BGP router-ID for redistributing the routes from OSPF to BGP.

No Sync
To advertise routes showing with sh ip bgp but not ip route
Turn off whenever possible
Not needed if:
 all routers in AS run BGP
 AS is not a transit AS [does not forward between other AS]
router bgp 200
 no synchronization                            ! to advertise routes that are not already in the routing table with IGP
 bgp router-id 10.3.3.3
 network 192.168.10.0 mask 255.255.255.252
 network 192.168.10.4 mask 255.255.255.252
 neighbor 192.168.10.1 remote-as 100           ! i.e.: route from another AS/IGP not redistributed in BGP; neighbor must be both sides
 neighbor 192.168.10.6 remote-as 200
In order for IBGP to work, peers must be fully meshed or routes must be redistributed into and synchronized with IGP. If IBGP peers are fully meshed, synchronization must be disabled in order to inject routes learned from EBGP into the routing table as it traverses the IBGP group.
eBGP peers must define each other as neighbors
ebgp-multihop     if not directly connected, only for eBGP [nothing to do with iBGP]
update source     tells the neighbor router to observe MY loopback as the source of the peering relationship.
If iBGP between the neighbors then don't use multihop option.
bgp dampening To minimize instability
iBGP
up to 255 hops away
can peer between loopbacks w/o extra command
usually requires full mesh or route reflectors or confederation

How BGP advertises: next-hop for the destination will be set to:
eBGP ==> eBGP    The interface doing the advertisement unless use: update-source
eBGP ==> iBGP    The interface of the eBGP doing the advertisement unless use: update-source; the iBGP peer must have a route [via IGP] to next-hop subnet, or won't go into BGP routing table
iBGP ==> eBGP    The interface doing the advertisement unless use: update-source
iBGP ==> iBGP    iBGP peers do not advertise routes to other iBGP peers

BGP filtering
distribute-list filter                      removes routes only from the routing table but leaves them in the BGP table
neighbor dist-list                          removes routes from BGP table and routing table
neighbor route-map with match ip address    removes routes from BGP table and routing table

summary-only     advertises summary and suppresses more specific routes
suppress-map     you can choose which prefixes to suppress
advertise-map    you can 'select' which prefixes to use when creating the aggregate
attribute-map    you can specify specific attributes of the aggregate route (like metric, origin, community etc.)

No-export    Send to sub-AS but not other AS's
local-as     Don't send to either sub-AS or other AS's
Sub-AS's are what is used in confeds
BGP selection process
Not the official one, but actual/rational
If next hop unavailable, do not consider it                              That's why the next-hop address must be in IGP
If internal path & sync enabled & route not in IGP, do not consider it
If routes same weight ==> Largest local preference                       Weight = Cisco proprietary
If local preference same ==> Shortest AS path
If AS path length same ==> origin code [IGP < EGP < Incomplete]
If origin code same ==> lowest MED                                       Only MED use lowest, everything else uses highest
eBGP over iBGP
Route with the lowest IGP metric                                         The shortest internal path within AS to reach destination [shortest path to BGP next-hop]
If no multi-path, route with lowest router ID

BGP Attribute                     applied                                        to
Weight                            neighbor or route-map IN                       influence which router to use to go out
local preference                  route-map IN                                   reduce outbound traffic
as-path prepend                   route-map OUT                                  reduce inbound traffic
MED                               route-map OUT                                  influence which router to use to come in
Distribute-list/route-filters     route-map OUT                                  control which routes come in or go out
Soft-reconfiguration              neighbor x.x.x.x soft-reconfiguration INBOUND
Troubleshoot/Info
Next hop must be pingable
Next-HOP must be reachable via IGP: biggest problem, or route will be dropped by BGP. It will be entered in BGP table, but not in IP routing table
iBGP routers must know how to find their peers BEFORE establishing an iBGP session, and passing routes
show ip bgp                                          Show the routes
show ip bgp                                          Will say 'sync' or 'not sync'd', and 'advertising route', or 'not advertising route'
show ip bgp neighbor                                 Show who the neighbors are and connection is established
show ip bgp neighbor 192.1.1.2 advertised-routes     Displays all the routes the router has advertised to the neighbor.
show ip bgp neighbor 192.1.1.2 received-routes       Displays all received routes (both accepted and rejected) from the neighbor
show ip bgp neighbor 192.1.1.2 routes                Displays all routes that are received and accepted. Subset of received-routes
show ip bgp prefix Shows why a route not being place into routing table
show ip as-path-access-list Displays the as-path filter lists
BGP regular expressions
sh ip bgp regexp {pattern}    Displays the result of the RegEx
[0-9]*        All routes from this AS
^[0-9]*$      This AS only
_.*           Matches everything [permit any/all] [a space and anything]
_100_         Match any route going through AS100
_100 200_     Match any route passed through 100 and 200
_100$         Match any route originated in AS100
^100$         Match only routes originated in AS100 that did not pass through any other AS
^100_         Match only routes transiting directly connected AS100, anything else behind
^100 .*       Match only routes received from AS100, anything else behind [alternative]
^$            Match only routes originated from this AS
.*            Match anything [usually at end as: permit .*]
( .*)         Matches a space plus an AS.
( .*)*        Matches a space plus an AS or a null string.
?             To type ?: either Ctrl-V or Esc-Q
Prefix to be valid in the bgp table There can be no AS path loops in the AS Path attribute The prefix's advertised next-hop must be reachable by the IGP routing table. By default, the prefix must be in the IGP routing table in order to be advertised to the external bgp peer unless all iBGP routers disable synchronization with the "no sync" command.
Basic config
router bgp 100
 bgp router-id 10.1.1.1                  ! Should be the same router id as OSPF
 network 1.0.0.0 mask 255.240.0.0        ! What to advertise, must be exactly in the routing table, unless no sync; mask needed if not classful default [BGP is classful … no auto-summary]
 neighbor 192.1.1.2 remote-as 200        ! Neighbor and which AS# it belongs to
                                         ! iBGP: can be same subnet or different subnet
                                         ! eBGP: must be same subnet

Troubleshoot/Info
iBGP routers must know how to find their peers BEFORE establishing an iBGP session, and passing routes
show ip bgp                                          Show the routes
show ip bgp summary                                  Show summary of neighbors
show ip bgp neighbor                                 Show who the neighbors are and connection is established
show ip bgp neighbor 192.1.1.2 advertised-routes     Displays all the routes the router has advertised to the neighbor.
show ip bgp neighbor 192.1.1.2 received-routes       Displays all received routes (both accepted and rejected) from the neighbor
show ip bgp neighbor 192.1.1.2 routes                Displays all routes that are received and accepted. Subset of received-routes
show ip bgp prefix Shows why a route not being place into routing table
show ip as-path-access-list Displays the as-path filter lists
BGP: Route-reflector
In the middle, V-shaped & iBGP only
router bgp 200
 no synchronization
 bgp router-id 10.5.5.5
 network 192.168.10.4 mask 255.255.255.252
 network 192.168.10.8 mask 255.255.255.252
 neighbor 192.168.10.5 remote-as 200
 neighbor 192.168.10.5 route-reflector-client      ! Only on iBGP, allows propagation of routes if more than 2 routers
 neighbor 192.168.10.10 remote-as 200
 neighbor 192.168.10.10 route-reflector-client
No config on the route-reflector-client

BGP: Loopbacks
Loopback must be reachable via IGP
Loopback must be on its own subnet

BGP: AS1 sees network as originating from another AS3
router bgp 1                             ! On R2 with AS1
 neighbor route-map R3map in
route-map R3map permit 10 match ip add 10 set as_path 3
access-list 10 permit
BGP: Prevent from advertising own AS w/o no-advertise
router bgp 65010
 neighbor 10.10.10.1 filter-list 1 out
!
ip as-path access-list 1 deny ^$
ip as-path access-list 1 permit .*       ! need the . and the *
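Added example (not part of the original notes) for the "BGP regular expressions" table and the filter-list just above: it translates the IOS "_" into its Python equivalent, shows which AS paths each pattern actually selects, and evaluates an as-path access-list with first-match and implicit-deny semantics. The AS paths are constructed sample data and the function names are assumptions of this example.

```python
import re

# IOS "_" matches the start or end of the AS path, a space, a comma, braces or parentheses.
UNDERSCORE = r"(?:^|$|[ ,{}()])"

# The outbound filter from the notes: deny locally originated routes, permit the rest.
OWN_AS_FILTER = [("deny", "^$"), ("permit", ".*")]

# Constructed AS paths as shown by "show ip bgp" (empty string = originated locally).
SAMPLE_PATHS = ["", "100", "200 100", "100 200 300", "300 100 200 400", "1000 2100"]


def cisco_to_python(pattern):
    """Translate an IOS AS-path regex to Python syntax (only "_" is rewritten)."""
    return pattern.replace("_", UNDERSCORE)


def as_path_matches(pattern, as_path):
    """True if the IOS pattern matches anywhere in the AS path string."""
    return re.search(cisco_to_python(pattern), as_path) is not None


def evaluate_filter(entries, as_path):
    """Apply an as-path access-list: first matching entry wins, else implicit deny."""
    for action, pattern in entries:
        if as_path_matches(pattern, as_path):
            return action
    return "deny"


def matching_paths(pattern, paths=SAMPLE_PATHS):
    """List the sample paths a pattern selects, to check a filter before applying it."""
    return [p for p in paths if as_path_matches(pattern, p)]


if __name__ == "__main__":
    # A bare "100" is a substring match and also selects AS1000 and AS2100.
    for pattern in ["100", "_100_", "_100$", "^100$", "^100_", "_100 200_", "^$"]:
        print(f"{pattern:10} -> {matching_paths(pattern)}")
    for path in SAMPLE_PATHS:
        print(f"filter-list 1 out  {path!r:20} {evaluate_filter(OWN_AS_FILTER, path)}")
```

The first line of output is the reason to anchor or delimit AS numbers in a filter: without "_", "^" or "$" the pattern 100 also matches the unrelated path "1000 2100".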
BGP: Redistribution By default only the eBGP routes are redistributed. Use the "bgp redistribute-internal" router configuration command to allow the redistribution of iBGP. iBGP has an AD of 200, which is greater than all IGPs
ISIS
passive-interface lo0 Advertise the loopback0 interface in ISIS, but do not use any ip router isis commands on the loopback interface and do not redistribute the connected route
With IS-IS there is only clear text authentication available
Authentication can be done:
 Between neighbors (done on the interface: "isis password xx level-2"). Level-1 is the default. If you wish to configure for level-1 and level-2 you must have 2 entries under the interface.
 Area-wide (done under the router process: "area-password xx"). This authentication is inserted in Level-1 (station router level) LSPs.
 Domain-wide (under the router process: "domain-password xx"). This is inserted in Level-2 (the area router level) LSPs.