tshoot notes radical


Upload: nonename1030

Post on 05-Jul-2018


8/16/2019 Tshoot Notes Radical

http://slidepdf.com/reader/full/tshoot-notes-radical 1/41

Maintenance Tools

Saving credentials:
(config) ip ftp username [name]
(config) ip ftp password [pass]
(config) ip http client username [name]
(config) ip http client password [pass]
!!! these land in the running config in clear text unless service password-encryption is on; anyone who can read the config gets the file-server credentials, so scope that account to the archive directory only.

Automatic archive config:
(config) archive
(archive) path [ftp|http|https|tftp]:[ip]/[name] !!! destination. a local flash: path is also allowed.
(archive) write-memory !!! create a new archive whenever the config is written to memory. optional.
(archive) time-period [minutes] !!! frequency of automatic archives.
(archive) maximum [#] !!! if stored locally, the oldest file is overwritten once max is reached.
sh archive !!! shows the next file name, the max configured, and the list of files.
archive config !!! manually create a new archive.

A copy command into running-config merges files, which does not always produce the expected result. configure replace overwrites: it computes the diff between the target file and the running config and applies only that.
configure replace [archive|flash|ftp|http|https|nvram|system|tftp|modem]:[ip]/[name] !!! privileged exec, not config mode. add "list" to see the commands applied, "force" to skip the prompt, and "time [min]" to require a configure confirm or the change auto-reverts.
"Total number of passes: [#]" in the output is the number of rounds the rollback needed to converge on the target config, not the number of changed lines.
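Worked configuration for the archive and rollback workflow above, added here as an example and not part of the original notes. The server address 10.10.10.5, the FTP account, the hostname Router and the archive file names are assumed values; the `-N` suffix on archive files is how IOS numbers them, and `show archive` tells you which number is next.

```cisco
! --- Credentials for the FTP archive target and a fixed source address
Router(config)# ip ftp username cfgarchive
Router(config)# ip ftp password Arch1ve-0nly
Router(config)# ip ftp source-interface Loopback0
!
! --- Automatic archive: on every "write memory" and once a day regardless
Router(config)# archive
Router(config-archive)# path ftp://10.10.10.5/cfg/Router-config
Router(config-archive)# write-memory
Router(config-archive)# time-period 1440
Router(config-archive)# exit
!
! --- Take one now and see what will be written next
Router# archive config
Router# show archive
!
! --- Roll back to archive #3. "list" prints every command the rollback
!     applies; "time 5" means the change auto-reverts unless confirmed
!     within 5 minutes, which protects a remote session from locking
!     itself out with a bad config.
Router# configure replace ftp://10.10.10.5/cfg/Router-config-3 list time 5
!
! --- Still reachable? Then keep it. Otherwise do nothing and wait.
Router# configure confirm
```

The `time` keyword needs the archive path configured, because IOS archives the current running config first so it has something to revert to; that is also why the archive is set up before the first `configure replace`.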

Ping: Checks Layers 1, 2, and 3. Sends ICMP echo requests to a specific destination. For every echo reply received from the destination, a "!" is displayed. A "Destination host unreachable" indicates the PC can reach its DG but the DG doesn't know about the destination network. A "TTL expired in transit" message indicates the device can reach the DG, but there is probably a routing loop in the network.

Extended ping options:
size number of bytes per datagram (default of 100 in IOS).
repeat number to send.
timeout number of seconds to wait for a reply (default of 2, 0 to test load).
source specifies the source address or interface of the datagrams.
df-bit sets the do-not-fragment bit; use to test MTU size. A router drops the packet instead of fragmenting and an "M" is shown in the reply.
sweep range of sizes; use to determine the MTU across a link, set a min, max, and interval to test each.

Reply characters:
! reply received.
. timed out.
U destination unreachable.
Q source quench (destination busy).
M could not fragment (may be due to df-bit).
& packet lifetime (TTL) exceeded.
? unknown packet type.

Traceroute: Verifies connectivity as well as the path a packet takes through the network. Repeated IPs = loop. Can be sourced from a specific address or interface.

* probe timed out.
A administratively prohibited (ACL).
Q source quench (destination busy).
I user interrupted.
U port unreachable.
H host unreachable.
N network unreachable.
P protocol unreachable.
T timeout.
? unknown packet type.

Telnet: For troubleshooting Layers 4 and 7. Alternate ports can be specified besides Telnet (23), which makes it a quick TCP port check against any service from the router itself.
telnet [ip] (port #) (/source-interface [int])

Filtering Output: Use the "|" character followed by a filter keyword and a regular expression. Filters can be chained, with no spaces around a second "|"; use ( ) to include a space. Case sensitive!
include only lines containing the text.
exclude all lines except ones matching the text.
begin start at the first line matching the text.
section shows the entire section matching the text.
^ regex anchor: line begins with the text.
redirect [protocol://[ip]/[filename.txt]] !!! sends output to a file on a remote device, nothing on screen.
tee [protocol://[ip]/[filename.txt]] !!! output is both displayed on screen and saved to a file.
append [protocol://[ip]/[filename.txt]] !!! adds to the end of a file, does not overwrite.
longer-prefixes !!! not a | filter; a keyword of sh ip route. combine with an ip/mask (w/o a mask it is classful); shows all subnets within that prefix.

Commands for hardware troubleshooting:
sh proc cpu !!! 5 sec, 1 min, and 5 min CPU utilization, then a listing of running processes and their respective utilization statistics.
sh memory !!! displays summary info about processor and I/O memory, followed by a more comprehensive report of memory utilization.
sh interfaces !!! shows layer 1/2 interface status, load info, error statistics, input/output drops and errors.
clear counters !!! clears the stats for the above.
sh controllers !!! displays stats about an interface; the info varies for different interface types.
sh platform !!! detailed info about a router/switch hardware platform.

Build a diagram:
sh ip interface brief !!! local ports' status, IPs, and whether enabled.
sh cdp neighbors !!! neighboring Cisco devices with CDP. local/remote interfaces, model #.
sh cdp neighbors detail !!! shows management IPs and IOS version. CDP hands the same data to anything on the segment, so disable it on untrusted edge ports with no cdp enable.
show version !!! shows the local model number and interface types.

NetFlow: Can distinguish between different traffic flows. A flow is a series of packets, all of which share header information such as source/destination IPs, protocol, port numbers, and ToS info. NetFlow keeps track of the number of packets and bytes observed in each flow, stored in a flow cache. Flow information is removed from the flow cache if the flow is terminated, times out, or the cache fills to capacity. Rather than using a standalone implementation, you can export the entries in a router's flow cache to a NetFlow collector, a software application running on a server in your network, used for analysis.
(if) ip flow [ingress | egress] !!! select interfaces to collect data on.
(config) ip flow-export destination [ip] [port #] !!! identify the NetFlow collector. the port must match the collector.
(config) ip flow-export version [#] !!! match the collector software.
(config) ip flow-export source [int] !!! the interface the NetFlow records will be exported from.
sh ip cache flow !!! summary of flow info, types of packets/sec, source interface/IP and dest interface/IP.
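A complete NetFlow setup as described above, added here as an example and not part of the original notes. The collector address 10.10.10.20, UDP port 2055, the interface names and the hostname are assumed values.

```cisco
! --- Export settings (global): v5 records, source them from the loopback
!     so the collector sees one stable exporter address per router
Router(config)# ip flow-export version 5
Router(config)# ip flow-export destination 10.10.10.20 2055
Router(config)# ip flow-export source Loopback0
!
! --- Collect ingress on every interface. Ingress on all interfaces already
!     sees every transit packet once; adding egress as well would count the
!     same packet twice on the collector.
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip flow ingress
Router(config-if)# interface GigabitEthernet0/1
Router(config-if)# ip flow ingress
Router(config-if)# exit
!
! --- Optional on-box view of the heaviest flows, no collector required
Router(config)# ip flow-top-talkers
Router(config-flow-top-talkers)# top 10
Router(config-flow-top-talkers)# sort-by bytes
Router(config-flow-top-talkers)# exit
!
! --- Verify: export is up, cache is filling, and who is talking
Router# show ip flow export
Router# show ip cache flow | begin SrcIf
Router# show ip flow top-talkers
```

Export is plain UDP with no authentication, so the collector should only accept datagrams from the known exporter addresses and the export path should stay on a management network.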

Embedded Event Manager (EEM): Enables you to create your own event definitions and specify custom responses to those events. For example, an applet can be triggered by an event such as a syslog message, an SNMP trap, or someone issuing an IOS command. It can take actions such as sending SNMP traps, writing log messages, executing an IOS command, capturing the output of a show command, sending an email, or executing a Tcl script. Applet actions run with full privilege, so anyone who can write config can use EEM to run arbitrary commands; treat applets as code and review them with the rest of the config.
(config) event manager applet [name]
(applet) event [application/cli/snmp/syslog/timer/etc] (occurs) (pattern) (period) (skip [yes|no]) (sync [yes|no])
(applet) action [label] [cli/mail/policy/publish-event/reload/snmp-trap/syslog]

Switch Performance

Port Errors: Symptoms are excessive frames dropped, TCP slow start, small window sizes, packet drops, cabling issues, etc.
sh interfaces !!! detailed info, includes errors, rates, queues, runts, etc.
sh interfaces (x/x) counters (errors) !!! shows # of in and out packets. (errors) shows the error counters.

Duplex Mismatch: Both ends should be left to auto-negotiate. Auto MDIX (Medium-Dependent Interface Crossover) will detect if a port needs a crossover or straight-through cable. Requires both ends to have auto speed/duplex (an end that does not negotiate defaults to half). The largest indicators are high FCS-Err (full-duplex end) and Late-Col (half-duplex end) counters. Check with sh int counters errors.

High CPU: CPU load is usually low, even under high utilization, thanks to the TCAM. The TCAM holds the forwarding logic at the data plane; the CPU is rarely used to forward traffic. Verify with sh proc cpu; the second number in the 5 sec utilization is "interrupt processing". Common causes are routing updates, debug commands, and SNMP polls. If high CPU is due to interrupts, check the TCAM utilization; otherwise determine what processes are using a high percentage and investigate. STP may be a cause; a failure could lead to a loop and a broadcast storm. High CPU may also be a symptom of another issue.
sh processes cpu !!! shows utilization over time intervals as well as each process individually.

Process Switching: The router removes the L2 header, examines the L3 address, and makes a forwarding decision for every packet. The L2 header is rewritten (source/dest. MACs, new FCS calculated), then the packet is forwarded out the appropriate interface. The CPU is directly involved.

Fast Switching: Aka route caching. A fast cache is maintained in the data plane; it contains info about how traffic from different flows (streams of packets) should be forwarded. The first packet is process-switched by the CPU (routing processor, software). Once that decision is made, it is stored in the fast cache. Subsequent packets of the same flow are forwarded by the switching engine (hardware) based on the cached decision, instead of making a new decision for every packet. Reduces CPU utilization. Enabled by disabling CEF with no ip route-cache cef.
sh ip int (x/x) !!! shows if fast switching or CEF is enabled (flow switching = NetFlow).
sh ip cache !!! shows contents of the route cache if fast switching is enabled.

CEF: Topology based. Maintains FIB and adjacency tables for more efficient lookups. The tables are populated with info "gleaned" from the router's IP routing table and ARP cache. Does not require the first packet of a data flow to be process-switched; the entire flow can be forwarded at the data plane. Enabled by default. If off, enable globally with ip cef or per interface with ip route-cache cef. Can perform either per-packet or per-destination (default) load balancing.

Forwarding Information Base (FIB): L3 forwarding info normally found in the IP routing table (destination networks, masks, next-hop IPs), in addition to multicast routes and directly connected hosts.

Adjacency Table: L2 next-hop info; the frame header info required by the router to properly form frames (egress interface and next-hop MAC, discovered via ARP). The FIB references entries in the adjacency table when performing a route lookup.

If traffic is observed not conforming to the IP routing table, remember that the routing table is maintained by the router's control plane and is used to build the tables at the data plane. CEF operates in the data plane and uses the FIB, so compare the FIB entry with the routing table entry for the same prefix.
sh proc cpu | in IP Input !!! may be high if the router's CPU is used to process-switch traffic (CEF off).
(config) ip routing !!! must be enabled for CEF to function.
sh ip cef !!! displays FIB contents: prefix, next-hop, and interface. receive = process locally, attached = connected.
sh ip cef [ip] (mask) !!! FIB info, what the outgoing interface and next-hop are. (mask) for a subnet.
sh ip cef exact-route [source ip] [dest ip] !!! outgoing interface and next-hop for a packet from source to dest.
sh ip cef adjacency [egress int] [next-hop ip] detail !!! displays destinations reachable via that interface and IP.
sh adjacency detail !!! shows the CEF info used to construct the frame headers needed to reach the next-hop IP.
sh ip arp !!! shows the ARP cache (learned/configured MACs/IPs/interfaces). stored in the control plane.
clear arp-cache !!! clears the ARP cache.
sh frame-relay map !!! shows frame relay interface, DLCI, PVC, and next-hop IP.
sh ip nhrp !!! displays Next Hop Resolution Protocol mappings, used with DMVPNs.

L2 Trunks, VTP, and VLANs

Trunks: Two encapsulation types, 802.1Q (standard) and Inter-Switch Link (ISL, Cisco proprietary). Not all switches support both.

Encapsulation Mismatch: To form a trunk, both ends must be using the same encapsulation type. If a switch supports both, it will use DTP to negotiate the encapsulation method; ISL is preferred if both support it. sh int trunk will show the operational encapsulation. sh int [x/x] switchport will show the "Administrative" and "Operational" trunking encapsulations. Use switchport nonegotiate to disable DTP.

Incompatible Trunking Modes: Issue sh int [x/x] switchport and look for the "Administrative" and "Operational" modes. The default varies by platform. Limited connectivity is possible between an access port and a trunk port if the access VLAN matches the native VLAN.
access permanent non-trunking, even if DTP messages are received.
trunk manually configured to be a trunk (still sends DTP unless nonegotiate is set).
dynamic desirable actively seeks to become a trunk through DTP negotiation. if the other end agrees, a trunk is formed; if not, it remains access.
dynamic auto passively waits for DTP messages to arrive to form a trunk. if received, a trunk is formed; if not, it remains access and keeps listening for DTP messages. A host facing a dynamic port can send DTP itself and obtain a trunk to every VLAN, so user ports belong in access mode with nonegotiate.

VTP Domain Name Mismatch: VTP domain names must match for DTP to dynamically form a trunk. They are case sensitive.

Native VLAN Mismatch: Only happens with 802.1Q trunks. VLAN 1 is native by default. The native VLAN carries untagged traffic across a trunk. It must match on both ends; if not, traffic from one VLAN may leak into another. May also cause STP issues. CDP will inform you of a mismatch. sh interfaces trunk will show the native VLAN of the trunk on the local end; check both ends.

Allowed VLANs: By default, trunks forward traffic for all VLANs. It is possible to change this by allowing only specific VLANs manually with the switchport trunk allowed vlan (add|remove|except|all|none) [VLAN] interface command, or dynamically with VTP pruning (vtp pruning global command). show interface (x/x) [switchport | trunk] will show the allowed VLANs, or view the running config. If traffic is not flowing across a trunk, make sure the VLAN is allowed and not pruned!

VTP:

Domain Name Mismatch: Switches sharing VLAN info between one another using VTP need matching VTP domain names. They are case sensitive. Use sh vtp status to see the current domain name.

Version Mismatch: Three versions: 1, 2, and 3. The default is 1; if using it, all switches need to be running 1. 2 and 3 are inter-compatible. Use sh vtp status to show the current VTP version and the versions the switch is capable of.

Mode Mismatch: Four modes: server, client, transparent, and off. To use the VLAN info contained in VTP messages, a switch must be a server or a client. Transparent mode ignores the information but still forwards it on. Off is the same as transparent, but does not forward (only exists in version 3). Use sh vtp status to see the "Operating Mode".

Password Mismatch: If used, passwords must match. sh vtp password to see the password. sh vtp status to see the MD5 hash. Case sensitive!

Higher Revision Number: Advertisements with a higher revision number overwrite the database on switches with a lower number, which is how one misconfigured (or attacker-controlled) switch in the right domain wipes every VLAN in it. Reset the revision number by toggling the domain name or changing the mode to transparent. Make sure to reset the revision number when adding a switch!
debug sw-vlan vtp [ events | packets | pruning ] !!! to debug VTP.
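The trunk and VTP hygiene described in the two sections above, as one worked configuration. This is an added example, not part of the original notes; the hostnames (SW1, SW3), interface numbers, VLAN IDs, the domain name CORP and the password are assumed values, and the `switchport trunk encapsulation` line only exists on platforms that also support ISL.

```cisco
! --- Inter-switch link: configure both ends identically. Static trunk,
!     DTP off, an unused native VLAN, and an explicit allowed list.
SW1(config)# interface GigabitEthernet1/0/24
SW1(config-if)# switchport trunk encapsulation dot1q
SW1(config-if)# switchport mode trunk
SW1(config-if)# switchport nonegotiate
SW1(config-if)# switchport trunk native vlan 999
SW1(config-if)# switchport trunk allowed vlan 10,20,30
SW1(config-if)# exit
!
! --- User ports: fixed access with DTP off, so a host cannot negotiate
!     its way onto a trunk
SW1(config)# interface range GigabitEthernet1/0/1 - 20
SW1(config-if-range)# switchport mode access
SW1(config-if-range)# switchport access vlan 10
SW1(config-if-range)# switchport nonegotiate
SW1(config-if-range)# exit
!
! --- Verify on each end; native VLAN and allowed list must match the peer
SW1# show interfaces trunk
SW1# show interfaces GigabitEthernet1/0/24 switchport | include Mode|Native|Negotiation
!
! --- Adding switch SW3 to the domain: do this BEFORE cabling it in.
!     Going through transparent mode zeroes its revision number, so its
!     old database cannot overwrite the domain's.
SW3(config)# vtp mode transparent
SW3(config)# vtp domain CORP
SW3(config)# vtp mode client
SW3(config)# vtp password S3cret-vtp
SW3(config)# end
SW3# show vtp status | include Revision|Operating Mode
```

If `show vtp status` on the new switch shows a revision higher than the domain's current one at this point, stop and repeat the transparent/client toggle; a client with a higher revision is treated exactly like a server by the other switches.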

VLANs:

Incorrect IP Addressing: Make sure static hosts, SVIs, router interfaces, and default gateways have correct IPs. Addresses may have typos which put the device in the wrong network, or the device may have the wrong default gateway.

Missing VLAN: A VLAN must be created on a switch for the switch to pass traffic over a trunk for that VLAN. sh vlan brief gives a listing of all created VLANs. If sh int [x/x] switchport displays the access VLAN as "Inactive", the VLAN is not created, even though the port may be up/up. If not using VTP, create the VLAN on all necessary switches.

Incorrect Port Assignment: Ensure that ports are assigned to the correct VLAN. sh vlan brief shows assignments. Trunk ports and ports assigned to nonexistent VLANs will not be listed!

MAC Address Table: Dynamically learned MACs can be displayed with sh mac address-table dynamic. MACs, VLANs, and ports are shown. Reset with clear mac address-table dynamic.

Spanning Tree and L2 EtherChannels

STP prevents L2 loops while allowing for redundancy. Uses BPDUs to build the topology; they contain info on ports, addresses, priorities, and costs. Exchanged every 2 seconds by default.

Root Bridge: Reference point for the STP topology. Lowest BID wins the election. BID = priority (32,768 default) + MAC. The lowest MAC is only used when priorities tie. All other bridges in the topology are nonroot bridges. Nothing authenticates BPDUs, so any device advertising a lower BID becomes root unless root guard stops it at the port.

Root Ports: Every nonroot bridge has a single root port. It is the port on the switch closest to the root bridge (lowest root path cost). Cost is inversely proportional to bandwidth. If cost is tied on multiple uplinks, the lowest sending BID breaks the tie, then the lowest sending Port ID.

Designated Ports: Every network segment has a single designated port. This is the port on the segment closest to the root bridge (based on cost). All ports on the root bridge are DPs.

Blocked: Nondesignated ports block traffic to create the loop-free topology. A blocked port doesn't forward traffic during normal operation, but does receive BPDUs to determine the state of the STP topology. Only one port per segment is designated; for that DP vs. DP election: lowest path cost, lowest upstream BID, then lowest upstream Port ID.

STP, CST, and PVST+ use the following states; the cumulative time to reach forwarding is 50 seconds:

Blocking: The port remains here until it needs to transition. If it does, it waits 20 seconds by default (max age). If a new BPDU is not received before the max age timer expires, the former BPDU is considered stale and the port transitions to Listening.

Listening: The port remains here for 15 seconds by default (forward delay). It sends BPDUs to inform adjacent switches of its intent to forward data, and receives BPDUs from other switches to help build the STP topology, determine the root path cost, and determine designated ports.

Learning: The port remains here an additional 15 seconds (forward delay). It adds entries to the MAC address table while also sending/receiving BPDUs to ensure that the decisions made about the STP topology are still accurate.

Forwarding: The port moves here and begins forwarding frames while continuing to learn MAC addresses and send/receive BPDUs. Root ports and designated ports are in this state.

RSTP and MST use a handshaking mechanism rather than timers as their primary method of convergence, usually in 5 seconds or less. If handshaking fails, they fall back to the same timers as CST. If a neighboring switch is using CST, timers are used with it for backwards compatibility. The Blocking and Listening states are merged into a single Discarding state.

sh span (vlan [#]) !!! root bridge ID & current bridge IDs/timers, ports' roles/states/costs/priorities/etc.
sh span int [x/x] detail !!! BPDUs tx/rx, port ID, designated/root bridge priorities and MACs. root ports should only receive BPDUs and designated ports should only send BPDUs.

MST: Region name, revision number, and MSTI-to-VLAN mapping must match between all switches. This info is carried as a hash in the BPDU.
sh span mst config !!! shows region name, revision number, and mapping.

Corruption of MAC Address Table: An STP failure may cause duplicate frames to be sent around a network, confusing a switch as to where a frame is sourced from. As a MAC flaps between different ports on different segments, the switch displays the message "%SW_MATM-4-MACFLAP_NOTIF: Host [MAC] in vlan [#] is flapping between port [x/x] and port [x/x]".

Broadcast Storms: During an STP failure, since L2 frames have no TTL field, broadcast frames endlessly circulate through the L2 topology, consuming resources on both switches and attached devices.

PortFast: With PVST+, RPVST+, or MST, when a BPDU is received on a PortFast interface, the port reverts to normal STP behavior.
(if) spanning-tree portfast (trunk) !!! (trunk) can cause a temporary loop.
sh run int [x/x] !!! to check if enabled.
sh span int [x/x] portfast !!! shows if enabled and on which VLAN.
sh span int [x/x] detail !!! shows "the port is in the portfast mode" as well as many other details.
sh spanning-tree (summary) !!! under type, will say "Edge". (summary) shows if enabled globally.

BPDU Guard: Used to enforce domain borders by not allowing BPDUs to be received. If a BPDU is received, the port is placed in the "err-disabled" state. Revert with errdisable recovery or bounce the port.
(if) span bpduguard enable !!! per interface.
(config) span portfast bpduguard default !!! globally, on all PortFast ports.
sh int status !!! to find err-disabled ports.
sh span summary !!! shows if globally enabled.
sh span int [x/x] detail !!! shows "bpdu guard is enabled (by default)" as well as many other details.
"%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port [x/x] with BPDU Guard enabled. Disabling port."
"%PM-4-ERR_DISABLE: bpduguard error detected on [x/x], putting [x/x] in err-disable state."

BPDU Filter: Suppresses the sending and receiving of BPDUs on an interface, for security reasons. No need to send BPDUs to an end station or a router. Note that filtering hides a loop through a rogue switch rather than stopping it; BPDU Guard is the safer choice on host ports.
(config) span portfast bpdufilter default !!! enables globally on all PortFast interfaces. if a BPDU is received, the interface loses PortFast and transitions through the STP states.
(if) span bpdufilter enable !!! per interface, received BPDUs are ignored.
sh span summary !!! shows if enabled globally.
sh span int [x/x] detail !!! shows "bpdu filter is enabled (by default)" as well as many other details.

Root Guard: Protects the root bridge by ensuring that certain ports on non-root bridges are prevented from becoming root ports. Ignores superior BPDUs and places the port in the "Root Inconsistent" state. No need to bounce; the port recovers once the device sending the superior BPDUs is removed.
(if) span guard root !!! enable manually, per port, on the device/port leading to the bridge you don't want as root.
sh span int [x/x] !!! to see if enabled.
sh span inconsistentports !!! lists inconsistent ports.
"%SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port [x/x] on VLAN [#]."

Loop Guard: Prevents a nondesignated (blocking) port from transitioning to forwarding by placing it in the "Loop Inconsistent" blocking state should it stop receiving BPDUs. This may occur if a remote switch is still running but stops sending BPDUs due to a software failure, unidirectional link, etc. Transitioning the port to forwarding would cause a loop.
(if) spanning-tree guard loop !!! per interface.
(config) spanning-tree loopguard default !!! globally, on all point-to-point links.
sh span inconsistentports !!! see what ports are blocked.
"%SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port [x/x] on VLAN [#]."
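The PortFast, BPDU Guard, Root Guard and Loop Guard features above, placed where they belong in a two-tier topology. This is an added example, not from the original notes; the hostnames ASW1 (access) and DSW1 (distribution, intended root), the interface numbers and the recovery interval are assumed values, and `spanning-tree portfast default` is the classic syntax (newer releases also accept `spanning-tree portfast edge default`).

```cisco
! --- Access switch: host ports are edge ports. A BPDU on one of them is a
!     wiring mistake or a rogue switch, so err-disable the port, but let
!     it recover on its own so the helpdesk is not the recovery mechanism.
ASW1(config)# spanning-tree portfast default
ASW1(config)# spanning-tree portfast bpduguard default
ASW1(config)# errdisable recovery cause bpduguard
ASW1(config)# errdisable recovery interval 300
!
! --- Access switch uplinks (root / alternate ports): loop guard, so a
!     unidirectional fibre that silently stops BPDUs cannot unblock them
ASW1(config)# interface range GigabitEthernet1/0/47 - 48
ASW1(config-if-range)# spanning-tree guard loop
ASW1(config-if-range)# exit
!
! --- Distribution switch: force it to be root, and refuse any "better"
!     root that shows up on a port facing the access layer
DSW1(config)# spanning-tree vlan 1-4094 priority 4096
DSW1(config)# interface range GigabitEthernet1/0/1 - 24
DSW1(config-if-range)# spanning-tree guard root
DSW1(config-if-range)# exit
!
! --- Verify: who is root, which ports are held inconsistent, which are
!     err-disabled and when they will recover
DSW1# show spanning-tree root
ASW1# show spanning-tree summary
ASW1# show spanning-tree inconsistentports
ASW1# show interfaces status err-disabled
ASW1# show errdisable recovery
```

Root guard and loop guard are mutually exclusive on a port, which is why root guard goes on the distribution side (designated ports) and loop guard on the access side (root and alternate ports).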

Automatic Private IP Addressing (APIPA) Address: Indicates a PC was not able to obtain an IP via DHCP. Uses the 169.254.0.0/16 range.

EtherChannels and Inter-VLAN Routing:

EtherChannels: Multiple ports combined into a single logical bundle, also known as a port channel. Can be L2 or L3.
(if) channel-group [#] mode [on|active|passive|auto|desirable] !!! to assign an interface to a port channel.

Mismatched Port Configurations: The config of all ports making up an EtherChannel, on both ends, should be identical: speed, duplex, trunk mode, native VLAN, allowed VLANs, and L2/L3 settings. The port channel inherits its config from the physical ports.

Mismatched EtherChannel Configurations: Both switches should be using compatible protocols and modes. LACP, PAgP, and "on" are not compatible with one another. PAgP: auto/desirable. LACP: active/passive. Two passive (or two auto) ends never form a bundle.
sh run int [x/x] !!! compare configurations between ports and switches; they must be identical.
sh etherchannel summary !!! flags, protocol, ports, group. R=L3, S=L2, U=in use, P=bundled, I=stand-alone, s=suspended (member config mismatch), D=down.

Inappropriate Distribution: The hashing algorithm used to distribute traffic should be appropriate for the load. Use a number of links that is a power of 2 so the hash buckets divide evenly across members.
(config) port-channel load-balance [ ? | method ] !!! to change, global per switch. (?) for options.
sh etherchannel load-balance !!! shows the configured method.
sh etherchannel (#) port-channel !!! to see how links are loaded, shown in hex.

L3 EtherChannels: No need to worry about trunk mode, native VLAN, or allowed VLANs. The port channel inherits its physical attributes (L2/L3) from the interfaces when created. Either issue no switchport on the interfaces before assigning a channel group, or create the port channel with interface port-channel, issue no switchport on the port channel, then assign the interfaces.
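Both EtherChannel types from the passage above, as a worked configuration added here (not from the original notes). The hostname SW1, interface numbers, VLAN IDs, the /30 address and the channel-group numbers are assumed values; the `switchport trunk encapsulation` line only exists on platforms that also support ISL.

```cisco
! --- L2 LACP bundle toward another switch. Configure the member ports
!     identically (and identically on the peer); a member whose config
!     differs shows as "s" (suspended) in show etherchannel summary.
!     LACP active/active or active/passive bundles; passive/passive never does.
SW1(config)# interface range GigabitEthernet1/0/23 - 24
SW1(config-if-range)# switchport trunk encapsulation dot1q
SW1(config-if-range)# switchport mode trunk
SW1(config-if-range)# switchport nonegotiate
SW1(config-if-range)# switchport trunk native vlan 999
SW1(config-if-range)# switchport trunk allowed vlan 10,20,30
SW1(config-if-range)# channel-group 1 mode active
SW1(config-if-range)# exit
!
! --- Hash on both IP addresses: with two members a src-only hash can put
!     every flow from one busy server on the same link
SW1(config)# port-channel load-balance src-dst-ip
!
! --- L3 bundle toward a router: members become routed ports first, then
!     the port-channel gets the address
SW1(config)# interface range GigabitEthernet1/0/21 - 22
SW1(config-if-range)# no switchport
SW1(config-if-range)# channel-group 2 mode active
SW1(config-if-range)# exit
SW1(config)# interface Port-channel2
SW1(config-if)# no switchport
SW1(config-if)# ip address 10.0.12.1 255.255.255.252
SW1(config-if)# exit
!
! --- Verify bundling, member flags and how flows actually spread
SW1# show etherchannel summary
SW1# show etherchannel 1 port-channel
SW1# show etherchannel load-balance
SW1# show lacp neighbor
```

`channel-group` creates the Port-channel interface automatically; for the L3 case the `no switchport` on the physical ports must come before `channel-group`, otherwise the bundle is created as L2 and the `ip address` command is rejected.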

Router-on-a-Stick: Common issues are: trunk encapsulation mismatch, incorrect VLAN assign­ments on the router's subinterfaces, incorrect IP address, mask, or DG on PCs, the switchport connected to the router configured as an access port, the switchport connected to the router configured to use DTP (which the router does not speak), or switch ports connected to PCs being in the wrong VLAN.
(config) interface [x/x].[sub-if #] !!! on the router. good practice to match the VLAN #.
(if) encapsulation dot1q [vlan #]
(if) ip add [ip] [mask]
sh vlans !!! use on the router to confirm the encapsulation type and VLAN-to-subinterface mapping.
sh interfaces trunk !!! use on the switch to confirm the encapsulation type.

Switched Virtual Interfaces: Create an SVI with interface vlan [#], assign an IP to be the DG, and ensure ip routing is globally enabled. The VLAN the SVI is created for needs to exist locally, the SVI must be enabled and not shut down, and there must be a switchport (access or trunk) that is up/up and STP forwarding for that specific VLAN.
sh ip int brief !!! look for the up/up state.
sh int vlan [#] !!! shows the MAC used and the IP.
sh ip int vlan [#] !!! same as above plus more IP settings.

Routed Ports: Physical ports that act as L3 interfaces. No VLAN association, STP, DTP, nor subinterfaces. Use for uplinks; enable ip routing!
(if) no switchport !!! how to enable. assign an IP!
sh int [x/x] switchport !!! will display "Switchport: Disabled".
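Router-on-a-stick for two VLANs with the matching switch side, then the same gateways done as SVIs on a multilayer switch, as one worked configuration added here (not from the original notes). The hostnames R1 and SW1, interface numbers, VLAN IDs and addresses are assumed values.

```cisco
! --- Router R1: the physical port carries no address and must be up;
!     subinterface numbers match the VLAN they serve
R1(config)# interface GigabitEthernet0/0
R1(config-if)# no ip address
R1(config-if)# no shutdown
R1(config-if)# interface GigabitEthernet0/0.10
R1(config-subif)# encapsulation dot1q 10
R1(config-subif)# ip address 10.1.10.1 255.255.255.0
R1(config-subif)# interface GigabitEthernet0/0.20
R1(config-subif)# encapsulation dot1q 20
R1(config-subif)# ip address 10.1.20.1 255.255.255.0
R1(config-subif)# exit
! The switch sends its native VLAN untagged. If the router ever needs an
! address there, the subinterface must say so:
!   encapsulation dot1q <native-vlan> native
!
! --- Switch SW1, port facing the router: the VLANs must exist, the port is
!     a static trunk (the router never answers DTP), and only the VLANs the
!     router actually routes are allowed
SW1(config)# vlan 10,20
SW1(config-vlan)# exit
SW1(config)# interface GigabitEthernet1/0/1
SW1(config-if)# switchport mode trunk
SW1(config-if)# switchport nonegotiate
SW1(config-if)# switchport trunk allowed vlan 10,20
SW1(config-if)# exit
!
! --- Verify both ends agree on encapsulation and VLAN mapping
R1# show vlans
SW1# show interfaces trunk
!
! --- Alternative on a multilayer switch: SVIs instead of the router.
!     ip routing is off by default on most access platforms.
SW1(config)# ip routing
SW1(config)# interface Vlan10
SW1(config-if)# ip address 10.1.10.1 255.255.255.0
SW1(config-if)# no shutdown
SW1(config-if)# interface Vlan20
SW1(config-if)# ip address 10.1.20.1 255.255.255.0
SW1(config-if)# no shutdown
SW1(config-if)# end
SW1# show ip interface brief | include Vlan
```

An SVI that stays down/down after this is almost always the "no forwarding port in that VLAN" condition from the notes: create the VLAN, or bring up at least one access or trunk port that carries it.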

Switch Security

Port Security: Helps avoid CAM table flooding and ensures that only specific devices can connect to certain switch ports. Common problems include being configured but not enabled, static MACs being wrong, the max MAC count being too low, violations blocking legitimate users, and the running config not being saved. Sticky MACs are only saved to the running config; write the config to keep them across reboots. Port security only checks the source MAC, which any host can set freely, so it raises the bar for flooding and casual port sharing rather than authenticating the device.
(if) switchport port-security !!! must be enabled. the port must be in access mode!
(if) switchport port-security maximum [max #] (vlan) !!! set the max MACs allowed. per VLAN optional. default = 1.
(if) switchport port-security mac-address [(mac) | sticky] !!! MAC in dotted triple. if > 1, increase max.
(if) switchport port-security violation [ shutdown | restrict | protect ]
shutdown default. puts the port in the "err-disabled" state; it must be bounced or errdisable recovery used.
restrict port stays up, packets from violating MACs are dropped. the switch sends an SNMP trap and syslog message and increments the violation counter.
protect port stays up, violating MACs have their packets dropped, but there are no notifications or records.
sh port-security !!! shows per-port counters and the security action.
sh port-security interface [x/x] !!! lists options and their settings.
sh port-security address !!! lists the static MACs (and stickies) configured. use to verify a static entry is correct.
sh int status !!! shows "err-disabled" ports.
sh errdisable detect !!! see if "psecure-violation" detection is enabled. it is by default.
(config) errdisable recovery cause psecure-violation !!! to enable auto recovery.
sh errdisable recovery !!! to see if recovery is enabled for the above. disabled by default. the bottom shows ports waiting to recover.
"%PM-4-ERR_DISABLE: psecure-violation error detected on [x/x], putting [x/x] in err-disable state"
"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address [mac] on port [x/x]"
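Port security on user ports plus an EEM applet (from the Maintenance Tools section) that preserves the evidence when a violation fires: this is an added example serving both passages, not code from the original notes. The hostname SW1, interface numbers, VLAN, the static MAC 0011.2233.4455, the applet name and the recovery interval are assumed values, and the `regexp` action needs an EEM release that supports it (3.0 or later).

```cisco
! --- Ordinary user ports: up to two MACs (PC behind a phone), learned
!     sticky, violators dropped and logged while the port stays up
SW1(config)# interface range GigabitEthernet1/0/1 - 20
SW1(config-if-range)# switchport mode access
SW1(config-if-range)# switchport access vlan 10
SW1(config-if-range)# switchport port-security
SW1(config-if-range)# switchport port-security maximum 2
SW1(config-if-range)# switchport port-security mac-address sticky
SW1(config-if-range)# switchport port-security violation restrict
SW1(config-if-range)# exit
!
! --- A port that must only ever see one known device: shut it on a
!     violation, but recover automatically after ten minutes
SW1(config)# interface GigabitEthernet1/0/21
SW1(config-if)# switchport mode access
SW1(config-if)# switchport access vlan 10
SW1(config-if)# switchport port-security
SW1(config-if)# switchport port-security mac-address 0011.2233.4455
SW1(config-if)# switchport port-security violation shutdown
SW1(config-if)# exit
SW1(config)# errdisable recovery cause psecure-violation
SW1(config)# errdisable recovery interval 600
!
! --- EEM: on any PSECURE_VIOLATION syslog, pull the port name out of the
!     message, snapshot that port's security state and log it, so the
!     details survive the automatic recovery and counter reset
SW1(config)# event manager applet PSEC-VIOLATION
SW1(config-applet)# event syslog pattern "PSECURE_VIOLATION"
SW1(config-applet)# action 1.0 regexp "on port ([A-Za-z]+[0-9/]+)" "$_syslog_msg" match intf
SW1(config-applet)# action 2.0 cli command "enable"
SW1(config-applet)# action 3.0 cli command "show port-security interface $intf"
SW1(config-applet)# action 4.0 syslog msg "PSEC-VIOLATION on $intf: $_cli_result"
SW1(config-applet)# end
!
! --- Sticky MACs live only in running-config until this is done
SW1# write memory
SW1# show port-security
SW1# show port-security interface GigabitEthernet1/0/21
SW1# show errdisable recovery
```

The `restrict` action is what makes the applet useful on the user ports: with `protect` no syslog is generated, so nothing would trigger it.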

DHCP Snooping: Prevents rogue DHCP servers by dropping DHCP server messages (OFFER/ACK/NAK) that arrive on untrusted ports. Builds a binding table that records which IP/MAC is connected to which interface and VLAN, based on the leases the real DHCP server hands out.
(config) ip dhcp snooping !!! enable globally.
(config) ip dhcp snooping vlan [#] !!! additionally enable for specific VLANs.
(if) ip dhcp snooping trust !!! trust interfaces connected to DHCP servers or uplinks.
(if) ip dhcp snooping limit rate [pkts/sec] !!! to limit DoS attacks on untrusted ports. optional.
(config) no ip dhcp snooping information option !!! disable option 82 if the server does not support it.
sh ip dhcp snooping !!! shows if enabled, on what VLANs, if option 82 is enabled, trusted interfaces, rate limit.
sh ip dhcp snooping binding !!! shows the binding table of MACs and IPs, lease, type, VLAN, and interfaces.

Dynamic ARP Inspection: Layer 2. Prevents ARP spoofing (MITM attacks) by checking ARP packets against DHCP Snooping's binding table. When it detects an invalid ARP request or response incoming on an untrusted interface, it drops the packet and generates the syslog message "%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on [x/x], vlan [#]". Verify with sh ip arp inspection.
(config) ip arp inspection vlan [#] !!! enable DAI.
(if) ip arp inspection trust !!! interfaces where DAI should not be performed. switch uplinks or static IPs.

IP Source Guard: Filters on the Layer 3 source address per port. Prevents IP spoofing. Uses DHCP Snooping's binding table. If a source IP is received on an interface that has no binding for it, the switch drops the traffic. Exempt interfaces with static IPs or give them a static binding.
(if) ip verify source (port-security) !!! enable. add (port-security) to check the MAC as well; requires port security!
sh ip verify source !!! shows interface, filter type, mode, IP, MAC, and VLAN.
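The three binding-table features above configured together on one access switch, as an added example that is not part of the original notes. The hostname SW1, interface numbers, VLANs, the rate limits, the database file name and the printer's MAC/IP are assumed values.

```cisco
! --- DHCP snooping on the user VLANs. Persist the bindings to flash so a
!     reload does not leave DAI and source guard dropping every host until
!     it renews its lease.
SW1(config)# ip dhcp snooping
SW1(config)# ip dhcp snooping vlan 10,20
SW1(config)# no ip dhcp snooping information option
SW1(config)# ip dhcp snooping database flash:/dhcp-snoop.db
!
! --- DAI on the same VLANs, also checking that the MACs inside the ARP
!     body match the Ethernet header
SW1(config)# ip arp inspection vlan 10,20
SW1(config)# ip arp inspection validate src-mac dst-mac ip
!
! --- Uplink toward the distribution switch / DHCP server: trusted for both.
!     Trust means "never inspect", so this is the only port that gets it.
SW1(config)# interface GigabitEthernet1/0/48
SW1(config-if)# ip dhcp snooping trust
SW1(config-if)# ip arp inspection trust
SW1(config-if)# exit
!
! --- User ports: untrusted, rate limited, and source guard on IP and MAC
!     (the port-security keyword requires port security on the port)
SW1(config)# interface range GigabitEthernet1/0/1 - 20
SW1(config-if-range)# switchport mode access
SW1(config-if-range)# switchport access vlan 10
SW1(config-if-range)# ip dhcp snooping limit rate 15
SW1(config-if-range)# ip arp inspection limit rate 15
SW1(config-if-range)# switchport port-security
SW1(config-if-range)# ip verify source port-security
SW1(config-if-range)# exit
!
! --- Exceeding an ARP or DHCP rate limit err-disables the port; recover
SW1(config)# errdisable recovery cause arp-inspection
SW1(config)# errdisable recovery cause dhcp-rate-limit
!
! --- A printer with a static address on an untrusted port has no lease,
!     so give it a manual binding instead of trusting the port
SW1(config)# ip source binding 0011.2233.4455 vlan 10 10.1.10.50 interface GigabitEthernet1/0/20
SW1(config)# end
!
SW1# show ip dhcp snooping
SW1# show ip dhcp snooping binding
SW1# show ip arp inspection vlan 10
SW1# show ip verify source
```

Order matters when rolling this out: enable snooping first and let the binding table fill (or restore it from the database file), then turn on DAI and source guard; enabling them on a switch with an empty table cuts every existing host off until it renews.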

Protected Ports: Denies all traffic between protected ports in the same VLAN on the same switch. Protected ports can only communicate with ports that are not protected. Has no effect across switches.
(if) switchport protected !!! must be enabled on both ports.
sh int [x/x] switchport !!! at the end, "Protected: true/false".

Pri ate ; 2$s : @se a single 02 su%net 8saves 02s) across multiple ;,AHs while still maintaining traFcisolation %oundaries at , . Erea+s up a single 2rimar ;,AH into multiple non-overlapping Secondar;,AHs. ;72 v U v won6t wor+$ use (transparent mode. *onfguration is locall signifcantB confgure oneach switch that is interconnected.

sh int private-vlan mapping !!! inter aces$ secondar #$ t pe.

sh vlan private-vlan !!! primar $ secondar $ t pe$ ports.

sh int [ ' ] switchport !!! admin'operation mode$ access mode vlan$ host association$ operational pvlan.

Secondary: Can communicate with ports on the Primary VLAN, but not with any other Secondary VLAN. Shares the same IP subnet as the Primary, but each uses an individually assigned VLAN ID, which is associated with the Primary VLAN. Trunking Secondary VLANs across trunk links is supported by most switches. Two types:

vlan) private-vlan [community | isolated]

Community: Isolates hosts between different Community VLANs while allowing hosts within the same Community to communicate with one another, as well as the Promiscuous port. Same behavior as a normal VLAN. Multiple Community VLANs can be created and associated to the same Primary VLAN.

Isolated: Hosts aren't able to communicate with other Isolated/Community ports, only the Promiscuous port. Only one Isolated VLAN can be associated per Primary VLAN; multiple hosts are assigned to the same Isolated VLAN with their traffic kept separate.

Primary: A normal VLAN used as the basis for a PVLAN; represents the set of Secondary VLANs to the outside world. 1 per PVLAN; all Secondaries share the same Primary and broadcast domain.

vlan) private-vlan primary

vlan) private-vlan association [2nd vlan (list | add | remove)]

Promiscuous Ports: Special ports assigned to the Primary VLAN that can communicate with any port within a (mapped) Secondary VLAN. Allows shared devices (routers, firewalls, printers, or other gateway devices) to communicate with Secondary VLAN ports; usually connected to the default gateway or an SVI. Assign the port as promiscuous and do the VLAN mapping.

if) switchport mode private-vlan promiscuous !!! make the interface promiscuous and do the mapping below.

if) switchport private-vlan mapping [pri vlan] [2nd vlan (list | add | remove)]

if) private-vlan mapping [2nd vlan (list | add | remove)] !!! on the primary VLAN's SVI.

Host Ports: Ports that connect to regular hosts in either Isolated or Community VLANs. Only communicate with Promiscuous ports or ports within the same Community VLAN. Don't use normal access VLAN config; assign the port as host and do the host-association.

if) switchport mode private-vlan host !!! make the interface a host and do the association below.

if) switchport private-vlan host-association [pri vlan] [2nd vlan]
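To see the three port roles together, here is an added example (not from the original notes) that models which port pairs a switch will forward between under the PVLAN rules above; the port names, VLAN numbers, mappings and associations are constructed sample data.

```python
"""Private VLAN forwarding model: which port pairs may talk.

Added example, not part of the original notes. Port names and VLAN numbers are
constructed sample data; the primary/secondary assignments mirror the commands above.
"""

# Secondary VLAN types, as created with `private-vlan community|isolated`.
SECONDARY_TYPE = {101: "community", 102: "community", 110: "isolated"}
PRIMARY = 100

# Promiscuous ports are mapped to a set of secondaries (`switchport private-vlan mapping`),
# host ports are associated with exactly one secondary (`... host-association`).
PORTS = {
    "Gi0/1": {"mode": "promiscuous", "mapping": {101, 102, 110}},   # router / SVI uplink
    "Fa0/1": {"mode": "host", "secondary": 101},
    "Fa0/2": {"mode": "host", "secondary": 101},
    "Fa0/3": {"mode": "host", "secondary": 102},
    "Fa0/4": {"mode": "host", "secondary": 110},
    "Fa0/5": {"mode": "host", "secondary": 110},
}


def can_forward(src, dst):
    """True if a frame from port src may be delivered to port dst under PVLAN rules."""
    if src == dst:
        return False
    s, d = PORTS[src], PORTS[dst]
    # Promiscuous <-> anything in a mapped secondary (or another promiscuous port).
    if s["mode"] == "promiscuous":
        return d["mode"] == "promiscuous" or d["secondary"] in s["mapping"]
    if d["mode"] == "promiscuous":
        return s["secondary"] in d["mapping"]
    # Host <-> host: only within the same community; isolated ports never talk to each other.
    if s["secondary"] != d["secondary"]:
        return False
    return SECONDARY_TYPE[s["secondary"]] == "community"


def reachable_from(src):
    """All ports that frames from `src` can reach."""
    return sorted(p for p in PORTS if can_forward(src, p))
```

Two isolated hosts in the same secondary VLAN (Fa0/4 and Fa0/5) only reach the promiscuous port; the community pair (Fa0/1 and Fa0/2) also reach each other.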

VACLs: While Protected ports and Private VLANs block all traffic between the ports they isolate, VACLs allow granular control. ACLs match the traffic, VLAN access maps use match/action statements, and the vlan filter command defines which VLANs the access map applies to. A sequence without a match statement will match all traffic. There is an "implicit deny" at the end.

config) vlan access-map [map-name] (sequence #)

access-map) match [ip|mac] address [acl # | acl-name | mac-acl-name] !!! can be multiple per action.

access-map) action [drop | forward (capture) | redirect (x/x)]

config) vlan filter [map-name] vlan-list [(#) | (vlan-list)]

sh vlan access-map (name) !!! shows the configured rules.

sh vlan filter (access-map [name] | vlan [#]) !!! shows which VLANs the map is applied to.


FHRPs

On a PC, arp -a will show you the MAC of the vIP (but it stays cached during a failure), whereas traceroute will show the IP of the actual router, which changes during a failure.

HSRP: Proprietary protocol. Uses a vIP and vMAC to represent a virtual router within an HSRP group. The vMAC takes the form 0000.0c07.acXX where XX is the group # in hex and 07.ac indicates HSRP (0000.0c9f.fXXX = HSRPv2). One router is active, another is standby, and any others are in the listen state. Hellos are sent every 3 seconds, hold time is 10 seconds. If an interface is shut down, it will send a resign message. If preemption (off by default) is enabled, a router with a higher priority will send a coup message to take over.

sh standby (brief) !!! interface, group, priority, preempt, state, active/standby addresses, vIP.

sh standby [x/x] !!! shows active vMAC/vIP & timers, standby IP & priority, local priority & int tracking.

if) standby [#] track [(x/x) | (track #)] (dec #) !!! to track an int/object for decrementing priority.

debug standby (terse) !!! shows state changes. (terse) removes hellos and advertisement packets.

VRRP: A Virtual Router ID (VRID/Group) is made up of a single master, with any other routers placed in the backup state. Preemption is on by default. Hello is 1 second by default, "master down" is 3 seconds. The vMAC takes the form 0000.5e00.01XX where XX is the group # (VRID) in hex and 00.01 indicates VRRP. The vIP does not have to be unique; it can be the IP of a router's physical interface (the router with the matching IP will be the master, regardless of priority, because it automatically gets a priority of 255). VRRP can't track interfaces, only track objects.

sh vrrp !!! will show object tracking and decrement.

sh vrrp brief !!! interface, group, priority, timer, vIP owner, preempt, state, master IP, & group IP.

sh vrrp interface [x/x] !!! state, vMAC, priority, & timers.

sh track !!! will show track objects, their status, and what is tracking them.

GLBP: 1 AVG and up to 4 AVFs in a group. The AVG (highest priority or IP) hands out AVF MACs by replying to ARP requests for the default gateway (GLBP vIP). The AVG is also an AVF itself. AVFs process the frames sent to their MAC addresses. Preemption is off by default. The vMAC takes the form 0007.b400.XXYY where XX = the group number (in hex) and YY = the AVF number.

sh glbp brief !!! interface, group, AVF #, priority, address, active & standby routers. An AVF of "-" = the AVG row. states of active/listen refer to whether an AVF is forwarding for the virtual MACs in the address column.

sh glbp (x/x) !!! huge amount of detail about state, MAC, IP, timers, weighting, etc. and forwarder info.
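The three vMAC formats above are all you need to tell from a PC's arp -a output which FHRP (and which group) is answering for the gateway. The following is an added example (not from the original notes) that builds the HSRPv1/v2, VRRP and GLBP virtual MACs from a group number and decodes a captured MAC back to protocol and group; the group and forwarder numbers are sample input, and the GLBP builder keeps the notes' one-byte group field.

```python
"""Build and decode FHRP virtual MAC addresses (HSRPv1/v2, VRRP, GLBP).

Added example, not from the original notes. Group/forwarder numbers are sample input.
"""
import re


def hsrp_vmac(group, version=1):
    """v1: 0000.0c07.acXX (group 0-255); v2: 0000.0c9f.fXXX (group 0-4095)."""
    if version == 1:
        if not 0 <= group <= 255:
            raise ValueError("HSRPv1 group must be 0-255")
        return f"0000.0c07.ac{group:02x}"
    if not 0 <= group <= 4095:
        raise ValueError("HSRPv2 group must be 0-4095")
    return f"0000.0c9f.f{group:03x}"


def vrrp_vmac(vrid):
    """0000.5e00.01XX, XX = VRID 1-255."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1-255")
    return f"0000.5e00.01{vrid:02x}"


def glbp_vmac(group, forwarder):
    """0007.b400.XXYY, XX = group, YY = AVF 1-4 (group limited to one byte here, as in the notes)."""
    if not (0 <= group <= 255 and 1 <= forwarder <= 4):
        raise ValueError("group 0-255, forwarder 1-4")
    return f"0007.b400.{group:02x}{forwarder:02x}"


def decode_vmac(mac):
    """Identify the FHRP and group an (arp -a style) MAC belongs to, or None if it is not virtual."""
    h = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(h) != 12:
        raise ValueError("not a 48-bit MAC")
    if h.startswith("00000c07ac"):
        return {"proto": "HSRPv1", "group": int(h[10:], 16)}
    if h.startswith("00000c9ff"):
        return {"proto": "HSRPv2", "group": int(h[9:], 16)}
    if h.startswith("00005e0001"):
        return {"proto": "VRRP", "group": int(h[10:], 16)}
    if h.startswith("0007b400"):
        return {"proto": "GLBP", "group": int(h[8:10], 16), "avf": int(h[10:], 16)}
    return None
```

decode_vmac accepts the colon, dash and dotted forms, so it works on Windows, Linux and IOS output alike.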

Weighting: Used to determine whether a router may act as an AVF (and, with weighted load-balancing, how often the AVG hands out its vMAC in ARP replies). Each router begins with a max weight (1-254, default = 100). If using tracking, as interfaces go down, the weight is decreased by the decrement value. Thresholds are used to determine if a router can be an AVF; if the weight falls below the lower threshold, the router must give up the AVF role; it can resume if the weight returns (enable preemption!). Optionally, the weight at which the router can return to its AVF role can be changed (upper). If using the weighted distribution method, weight is used for load-balancing. Decrementing the weight will only reduce traffic flow as long as the lower threshold isn't passed!

if) glbp [group #] load-balancing [round-robin | weighted | host-dependent]

if) glbp [group #] weighting [weight] (lower [#]) (upper [#]) !!! no upper = lower.

if) glbp [group #] weighting track [object #] (decrement [#]) !!! dec of 10 by default.

confg) trac+ [o% ect #] inter ace [ ' ] 8line-protocol | ip routing)

IPv4 Addressing

Check IP, mask, and default gateway on a PC with ipconfig. Make sure all IPs on a segment are within the same IP subnet.

DHCP: Can also send TFTP, DNS, Internet Time Service (ITS), NetBIOS name/datagram servers, BootP, and TACACS info.

Discover: Broadcast, sourced from 0.0.0.0 with the host's MAC.
Offer: Server responds with an unleased IP, subnet mask, and def. gateway info.
Request: Broadcast, indicates the end host will use the address in the offer.
Acknowledge: Server responds that the IP is now leased and includes any additional DHCP options.
Decline: Sent from client to server to inform the server that the offered IP is already in use on the network.
NAK: Server to client, informs the client that the server declines to provide the client with the requested IP.


Release: Client to server, informs the server that the client has released its lease, allowing the server to reassign the IP.
Inform: Client to server, requesting local config parameters such as a DNS server.

Because a "Discover" is broadcast, it won't pass a router boundary. If the DHCP server is on a different network, use an ip helper-address. Helpers forward Time/TACACS/DNS/BOOTP/TFTP/NetBIOS by default; change with (no) ip forward-protocol.

config) service dhcp !!! on by default, needed for relay/server functions.

if) ip helper-address [ip] !!! relay. configure on the interface receiving discover messages (the SVI on a switch). multiple commands for multiple servers, will send to all.

if) ip add dhcp !!! to have a router/L3 switch interface acquire an IP from a DHCP server.

config) ip dhcp excluded-address [start] (end) !!! exclude addresses from the pool. the router won't hand out its own address.

config) ip dhcp pool [name]

dhcp) network [ip] [/## | subnet mask] !!! subnet must match that of the interface.

dhcp) default-router [ip] (ip2) (ip3)... !!! should match the interface.

dhcp) lease ( infinite | [days] (hours) (minutes) ) !!! default = 1 day = 86400 secs.

dhcp) option [option number] [value] !!! 43 = lwap; 69 = smtp; 70 = pop3; 150 = voip tftp.
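The pool commands above, and the failure modes listed after them (exhaustion, wrong excluded range, duplicate IPs, conflicts), can be exercised with this added example (not from the original notes): a minimal IOS-style pool that honors excluded addresses, renews a known client, records a conflict when a probe finds an address in use, expires leases and refuses requests once exhausted. The network, excluded range, static host and client MACs are constructed sample data.

```python
"""Minimal model of an IOS DHCP pool: network, excluded addresses, leases, conflicts.

Added example, not from the original notes. The pool, excluded range, static host and
client MACs are constructed sample data.
"""
import ipaddress


class DhcpPool:
    def __init__(self, network, excluded=(), lease_seconds=86400):
        self.net = ipaddress.ip_network(network)           # `network [ip] [/##]`
        self.excluded = set()                              # `ip dhcp excluded-address start (end)`
        for start, end in excluded:
            a, b = int(ipaddress.ip_address(start)), int(ipaddress.ip_address(end))
            self.excluded.update(str(ipaddress.ip_address(i)) for i in range(a, b + 1))
        self.lease_seconds = lease_seconds                 # `lease`, default 1 day
        self.bindings = {}                                 # ip -> (mac, expires_at)   (sh ip dhcp binding)
        self.conflicts = set()                             # ips found in use        (sh ip dhcp conflict)

    def offer(self, mac, now, in_use=lambda ip: False):
        """Return the IP offered to `mac`, or None when the pool is exhausted."""
        self.expire(now)
        for ip, (m, _) in self.bindings.items():           # a renewing client keeps its address
            if m == mac:
                self.bindings[ip] = (mac, now + self.lease_seconds)
                return ip
        for host in self.net.hosts():
            ip = str(host)
            if ip in self.excluded or ip in self.bindings or ip in self.conflicts:
                continue
            if in_use(ip):                                 # server-side probe found a duplicate
                self.conflicts.add(ip)
                continue
            self.bindings[ip] = (mac, now + self.lease_seconds)
            return ip
        return None

    def decline(self, ip):
        """Client DECLINE: the offered address is already in use on the segment."""
        self.bindings.pop(ip, None)
        self.conflicts.add(ip)

    def expire(self, now):
        for ip in [ip for ip, (_, exp) in self.bindings.items() if exp <= now]:
            del self.bindings[ip]

    def clear_conflicts(self):                             # `clear ip dhcp conflict *`
        self.conflicts.clear()
```

A /29 with the router's own .1 excluded leaves five leasable hosts; one of them is "statically assigned" elsewhere (the probe returns true for it), so it ends up in the conflict table and is never handed out again until conflicts are cleared.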

Router Not Forwarding Broadcasts: Must be configured as a relay if client and server are on different subnets. sh ip helper-address.

DHCP Pool Out of Addresses: When exhausted, new requests are rejected. sh ip dhcp pool.

Misconfig: The range or excluded addresses may be incorrect. sh ip dhcp pool.

Duplicate IPs: The server may hand out an IP that is already statically assigned to another host. Confirm the excluded addresses.

Redundant Servers Not Communicating: If multiple servers are present, they need to communicate with one another or else they may hand out duplicate addresses.

DHCP "Pulls": Only clients can make requests; servers can't initiate a change or push information.

Int Not Using an IP in the DHCP Pool: The device must have an interface with an IP that is part of the pool it is handing out IPs for. Doesn't apply to helper addresses.

sh ip dhcp binding !!! shows MAC <-> IP bindings.

sh ip dhcp conflict !!! shows issues such as duplicate addresses. clear with clear ip dhcp conflict *.

clear ip dhcp binding [* | (ip)] !!! * for all, (ip) for an individual binding.

debug ip dhcp server (events|packets) !!! (events) for updates to the db. (packets) for DORA and release messages.

NAT: Inside/Outside refers to which host. Local/Global refers to which side of the NAT boundary the address is seen from (perspective).

Inside Local: The address of the inside host as seen from the inside.
Inside Global: The address of the inside host as seen from the outside.
Outside Global: The address of the outside host as seen from the outside.
Outside Local: The address of the outside host as seen from the inside.

Outside Local and Outside Global usually match.

Interfaces Not Configured Correctly: Correctly identify inside and outside interfaces.

if) ip nat [inside | outside]

Pool Misconfigured: Must correctly identify the public addresses being translated to (Inside Global). If no pool, use the interface.

config) ip nat pool [pool name] [ip start] [ip end] netmask [mask] !!! create the pool.

Public Add in the Pool Not Reachable: For return traffic, the public addresses (Inside Global) must be reachable from the Internet.

ACL Not Referencing Correct Inside Addresses: The ACL needs to correctly identify the Inside Local addresses that will be translated.

ACL/Pool Not Mapped Correctly: ip nat inside source links the ACL and the pool/interface. If incorrect, NAT won't translate correctly.

Overload Missing: Without the overload keyword, PAT won't be enabled.

config) ip nat inside source list [acl] [pool (name)|interface (x/x)] (overload)


VPNs: Some VPN protocols verify the checksum of a packet, which is calculated before NAT, and may reject the packets because they appear to have been altered.

Hides True IP: Tracing a data flow end-to-end may be challenging. Use sh ip nat translations.

Some Applications Incompatible: Some apps randomly determine which ports will be used, which may not be compatible; VoIP protocols face this issue since they randomly select the UDP port numbers used for RTP media streams. Other apps include the IP in the payload of a packet, and the remote device may attempt to return traffic to the embedded IP, which is unreachable.

NAT Delays: Because this is an L3 manipulation (punted to the CPU), packets experience more delay than they normally would.

sh ip nat translations !!! shows inside/outside local/global addresses.

clear ip nat translations [* | (inside | outside) | (tcp | udp)]

sh ip nat statistics !!! shows inside/outside interfaces and the number of static/dynamic translations.

debug ip nat (detailed) !!! use with caution.
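The difference between a plain dynamic pool and PAT is what sh ip nat translations will show you, so here is an added example (not from the original notes) that models both: the ACL decides which Inside Local addresses are translated, a pool without overload hands one Inside Global per host and stops when empty, and overload shares one Inside Global by rewriting source ports. Addresses, ACL and pool are constructed sample data.

```python
"""Inside-local -> inside-global translation: dynamic pool vs. PAT (overload).

Added example, not from the original notes. The ACL, pool and hosts are constructed sample data.
"""
import ipaddress


class Nat:
    def __init__(self, inside_acl, pool, overload=False):
        self.acl = [ipaddress.ip_network(n) for n in inside_acl]  # `ip nat inside source list <acl>`
        self.pool = list(pool)                                     # `ip nat pool` (or the outside interface IP)
        self.overload = overload                                   # the `overload` keyword enables PAT
        self.table = {}         # (proto, inside_local, lport) -> (inside_global, gport)
        self.free = list(pool)  # unused pool addresses (non-overload mode)
        self.next_port = 1024

    def matches(self, ip):
        a = ipaddress.ip_address(ip)
        return any(a in n for n in self.acl)

    def translate(self, proto, inside_local, lport):
        """Outbound packet: return (inside_global, global_port) or None if not translated."""
        key = (proto, inside_local, lport)
        if key in self.table:
            return self.table[key]
        if not self.matches(inside_local):            # ACL must identify the Inside Local address
            return None
        if self.overload:
            ig = self.pool[0]
            used = {(p, g, gp) for (p, _, _), (g, gp) in self.table.items()}
            gport = lport if (proto, ig, lport) not in used else self._alloc_port(proto, ig, used)
            self.table[key] = (ig, gport)
            return self.table[key]
        # dynamic pool without overload: one global address per inside host, ports untouched
        held = next((g for (_, il, _), (g, _) in self.table.items() if il == inside_local), None)
        if held is None:
            if not self.free:                          # pool exhausted: packet is not translated
                return None
            held = self.free.pop(0)
        self.table[key] = (held, lport)
        return self.table[key]

    def _alloc_port(self, proto, ig, used):
        while (proto, ig, self.next_port) in used:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def untranslate(self, proto, inside_global, gport):
        """Return packet from the outside: map (Inside Global, port) back to (Inside Local, port)."""
        for (p, il, lp), (g, gp) in self.table.items():
            if p == proto and g == inside_global and gp == gport:
                return il, lp
        return None
```

With overload, two inside hosts using the same source port 5000 are disambiguated by rewriting the second one's port; without it, the third host simply gets no translation once both pool addresses are held.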

IPv6 Addressing

In a /64 address, the first 64 bits are the subnet prefix. The last 64 bits (probably after a ::) represent the interface/host ID. The IPv6 address of a PC can be seen with ipconfig; if an address has a "%" after it, that is the interface identifier (used because there may be multiple interfaces on the same device with the same link-local address assigned to them).

config) ipv6 unicast-routing !!! to enable IPv6 routing on a router.

Neighbor Discovery Protocol (NDP): If hosts are in different subnets they will need to communicate through the def. gateway using its L2 MAC address. IPv4 uses ARP to resolve MACs, but since broadcasts don't exist in IPv6, NDP is used instead. NDP uses multicast; it only sends to devices listening to the relevant NDP multicast group address (e.g. the default gateways).

Neighbor Solicitation (NS): Messages are sourced from a host's own IPv6 address and MAC. The destination IPv6 address and MAC are the "solicited node multicast addresses". The destination IP is ff02::1:ffXX:XXXX, and the MAC is 33:33:ff:XX:XX:XX, where the X's in both represent the last 24 bits (6 hex characters) of the destination's IPv6 address. All devices create their own solicited node multicast groups for both their link-local and global unicast addresses. sh ipv6 int [x/x] will show the device's multicast groups, global unicast addresses, and link-local addresses.

Neighbor Advertisement (NA): When a device receives an NS, it replies with an NA, which is a unicast. Contains the source MAC of the device that received the NS.

sh ipv6 interface !!! verify the multicast groups a router is listening to.

EUI-64: IPv6 addresses consist of 2 parts, the subnet ID and the host ID. To get around having to manually create host IDs, hosts can convert their 48 bit MAC into the 64 bits needed for the host ID. First, FFFE is inserted into the middle, then the 7th bit from the left is flipped. Since each hex character is 4 bits, this affects the character second from the left. Convert it to binary, then flip the 3rd of its 4 bits (2nd from the right). Ex: 0800 → 8 → 1000 → 1010 → a → 0a00. By default, Windows PCs randomly generate their IPv6 interface IDs, but that can be changed. On a router, you can tell an interface to use EUI-64 formatting with the command:

if) ipv6 add [ipv6 subnet]/[mask] eui-64
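The EUI-64 and solicited-node arithmetic above is worth having in code when you need to confirm that what sh ipv6 interface lists really belongs to a given MAC. This added example (not from the original notes) builds the EUI-64 interface ID and a full address from a MAC and prefix, and derives the solicited-node group and multicast MAC that an NS for that address is sent to; the MAC and prefixes are sample input.

```python
"""EUI-64 interface IDs and solicited-node multicast addresses from a MAC.

Added example, not from the original notes. The MAC and prefixes are sample input.
"""
import ipaddress


def eui64_interface_id(mac):
    """48-bit MAC -> 64-bit interface ID (hex): insert ff:fe, flip the U/L bit (bit 7 of byte 0)."""
    raw = bytearray(bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", "")))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC")
    raw[0] ^= 0x02                        # 0x08 -> 0x0a, the notes' 1000 -> 1010 example
    return (bytes(raw[:3]) + b"\xff\xfe" + bytes(raw[3:])).hex()


def eui64_address(prefix, mac):
    """Address a router builds with `ipv6 address <prefix>/64 eui-64`."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 needs a /64 prefix")
    iid = int(eui64_interface_id(mac), 16)
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def solicited_node(addr):
    """Solicited-node multicast group and the MAC an NS for `addr` is sent to."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    group = ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)
    mac = "33:33:ff:%02x:%02x:%02x" % ((low24 >> 16) & 0xFF, (low24 >> 8) & 0xFF, low24 & 0xFF)
    return str(group), mac
```

The same MAC gives the same interface ID under fe80::/64 and under the global prefix, which is why a host joins a solicited-node group for each of its addresses even though the low 24 bits are identical.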

Stateless Address Autoconfiguration (SLAAC): Allows devices to configure their own IPv6 address, prefix, and default gateway without a DHCPv6 server. Devices send Router Solicitation (RS) messages (to ff02::2) to determine if there are any routers connected to the local segment. They await Router Advertisements (RA), which identify the prefix (must be /64) used by the router (default gateway) for the segment they're on. Routers will use EUI-64 for their interface ID while a PC will randomly generate one (unless configured for EUI-64). The link-local address of the RA sender is used as the default gateway. A router must be configured with ipv6 unicast-routing to send RAs. If the router's interface is configured with ipv6 address autoconfig, it will not send RAs.

if) ipv6 address autoconfig !!! to tell a device to use SLAAC to determine its address.

if) ipv6 nd ra suppress all !!! suppresses RAs on a router, which will cause hosts to not use SLAAC.

sh ipv6 interface [x/x] !!! check "IPv6 is enabled", subnet is /64, "ND RAs are suppressed" isn't present.

sh run | in ipv6 unicast-routing !!! check if IPv6 routing is enabled.


Stateful DHCPv6: Although a device can determine its own address/prefix/DG with SLAAC, you may want to use DHCP instead to hand out addresses as well as additional info such as NTP, domain, DNS, TFTP server, etc. Can be created on a router or an MLS.

if) ipv6 dhcp server [pool name] !!! assign an interface to a pool.

config) ipv6 dhcp pool [pool name] !!! create the pool.

dhcp) address prefix [ipv6 add/mask] !!! assign a prefix to hand out.

dhcp) dns-server [#] / domain-name [x.com] !!! assign options like in v4.

sh ipv6 dhcp binding !!! shows addresses used by clients.

sh ipv6 dhcp interface !!! local dhcp pool info per interface.

sh ipv6 dhcp pool !!! pool name, prefix, clients, and options.

Stateless DHCPv6: Combination of SLAAC and DHCPv6. SLAAC is used for clients to determine their own address, prefix, and DG, but RAs also include a flag to tell clients to get additional info from a DHCPv6 server. Create the DHCPv6 server with the necessary options as above (address prefix omitted) and enable the flag with the command below.

if) ipv6 nd other-config-flag !!! for the dns server, domain name, etc.

sh ipv6 int [x/x] !!! at the bottom, "hosts use SLAAC for addresses", "hosts use DHCP to obtain other config".

DHCPv6: The first four functions are similar to DORA:

SOLICIT: Client sends a multicast from its Link-Local address to ff02::1:2 (DHCPv6 all-servers address).
ADVERTISE: Server responds to the above with an advertise message, offering an address to the client. Unicast LL to LL.
REQUEST: Client sends a request to the server (LL to ff02::1:2), confirming the address and any other parameters.
REPLY: Server finalizes the process. LL to LL.
CONFIRM: Client to server, to confirm whether the address is still appropriate.
RENEW: Client to server, extends the lifetime of the assigned address. If there is no response from the server, a REBIND is sent.
RELEASE: Client to server, informing that the address is no longer needed.
DECLINE: Client to server, to inform that the address is already in use.
RECONFIGURE: Server to client, when the server has new/updated information.
INFORMATION-REQUEST: Client to server, when the client needs additional config without a new IP.
RELAY-FORW/RELAY-REPL: Messages between a relay agent and a server.

DHCPv6 Relay Agent: A "SOLICIT" message is a link-local multicast (starts with ff02). To get off the local link, the relay forwards the "SOLICIT" as a unicast to a DHCPv6 server.

if) ipv6 dhcp relay destination [ipv6 add]

ACLs and Prefix Lists

IPv4 ACLs: Identify traffic based on criteria such as source/dest IP, source/dest port numbers, transport layer protocols, QoS markings, etc. Can also be used to identify IP addresses for NAT/PAT, redistribution, PBR, etc. Use top-down processing, execute immediately upon a match (rules below aren't considered), and have an "implicit deny" at the end. Place standard ACLs near the destination and extended ACLs near the source.

config) ip access-list [standard|extended] [#|name] !!! to create either.

ext-nacl) (no) (seq #) [statement] (log) !!! use sequence numbers to modify ACLs.

config) access-list [#] !!! to create a standard ACL.

if) ip access-group [#|name] [in|out] !!! to use an ACL for interface filtering. [in|out] is significant.

line) access-class [#|name] [in|out] !!! for VTY lines (access-class, not access-group).

sh access-lists (#) !!! to see contents and counters.

sh ip int [x/x] !!! look for "outgoing/inbound access list is [x]".

Time Based ACLs: The time range is based on values configured in a time-range command. Look for "active" in sh access-list.

ext-nacl) [permit|deny] [ip|tcp|udp] [ip] [ip] time-range [name] !!! to apply to an ACL entry.

config) time-range [name]

time-range) periodic [(day)|daily|weekdays|weekend] [day] [start-time] [end-time]


sh time-range [name] !!! look for "active" and "used in [acl name]".

sh clock !!! make sure the clock is correct and/or using NTP.

IPv6 ACLs: Processing is the same as IPv4; the only addition is the implicit permit for NDP (NA and NS: permit icmp any any nd-na, permit icmp any any nd-ns), placed just before the "implicit deny". All manually entered entries are placed before this. If a manual deny ipv6 any any (log) is added for logging, it will break NDP. There is no standard/extended ACL difference like with IPv4; within the ACL entry you provide as little or as much info as you need. There are no wildcard masks, instead use CIDR "/" notation. A /128 is equivalent to an all-0's wildcard mask, while a /0 is equivalent to an all-255's wildcard mask. The number indicates the number of bits that must match, from the left side.

config) ipv6 access-list [name] !!! no # standard/extended difference like IPv4.

ipv6-acl) (seq #) [permit|deny] [protocol | ipv6add/len | port] (log)

if) ipv6 traffic-filter [name] [in|out]

sh ipv6 access-list [name]

sh ipv6 interface (x/x) !!! look for "input features: access list" and "inbound access list [name]".

Prefix Lists: ACLs lack the ability to identify routes based on a subnet mask, which is useful for matching routes for route filtering. Prefix lists allow you to define both the route and the prefix length that you'd like to match. They work the same for IPv4/6. If there isn't a "ge"/"le", the prefix/mask is treated as an address and subnet mask, matched exactly. If there is a "ge"/"le", the prefix/mask is treated as an address and wildcard mask; the prefix/mask indicates a range, while the "ge"/"le" refers to the size of the subnet mask. Both "ge" and "le" can be used at the same time. 0.0.0.0/0 is the default route. Processed the same as an ACL: top down, immediate execution, and an "implicit deny" at the end (if denying specific routes, include permit 0.0.0.0/0 le 32).

config) ip prefix-list [name] (seq [#]) [ip]/[len] (ge|le [len])

sh ip prefix-list

sh ip protocols !!! look for "incoming/outgoing update filter list for all interfaces is (prefix-list) [x]".
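The "address and subnet mask" versus "address and wildcard mask" distinction for ge/le, and the /len versus wildcard equivalence in the IPv4 and IPv6 ACL sections above, are both captured in this added example (not from the original notes). It evaluates a prefix-list line against a route (exact match without ge/le, a length range with them), walks a whole list top-down with the implicit deny, and converts between contiguous wildcard masks and prefix lengths; the entries and candidate routes are sample data.

```python
"""Prefix-list matching with ge/le, plus ACL wildcard <-> CIDR conversion.

Added example, not from the original notes; it serves the IPv4/IPv6 ACL and
prefix-list sections above. The entries and candidate routes are sample data.
"""
import ipaddress


def prefix_entry_matches(route, entry, ge=None, le=None):
    """Does `route` match one `ip prefix-list ... <entry> [ge N] [le N]` line?"""
    r = ipaddress.ip_network(route, strict=False)
    e = ipaddress.ip_network(entry, strict=False)
    if r.version != e.version:
        return False
    if ge is None and le is None:
        return r == e                               # no ge/le: address + mask, matched exactly
    lo = e.prefixlen if ge is None else ge          # range of acceptable route lengths
    hi = r.max_prefixlen if le is None else le
    if not (e.prefixlen <= lo <= hi <= r.max_prefixlen):
        raise ValueError("need entry length <= ge <= le <= 32 (128 for IPv6)")
    # the entry acts as address + wildcard: its first `prefixlen` bits must match the route
    return r.subnet_of(e) and lo <= r.prefixlen <= hi


def prefix_list_permits(route, entries):
    """Top-down, first match wins, implicit deny. entries: (action, prefix, ge, le)."""
    for action, entry, ge, le in entries:
        if prefix_entry_matches(route, entry, ge, le):
            return action == "permit"
    return False


def wildcard_to_prefixlen(wildcard):
    """'0.0.0.255' -> 24. Only a contiguous wildcard has a CIDR equivalent."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    bits = f"{mask:032b}"
    if "01" in bits:
        raise ValueError("non-contiguous wildcard has no /len equivalent")
    return bits.count("1")


def prefixlen_to_wildcard(prefixlen, version=4):
    """/24 -> '0.0.0.255'; /128 -> '::' (all zeros); /0 -> all ones."""
    total = 32 if version == 4 else 128
    w = (1 << (total - prefixlen)) - 1
    return str(ipaddress.IPv4Address(w) if version == 4 else ipaddress.IPv6Address(w))
```

The deny-then-permit list in the test is the pattern the notes recommend: without the trailing permit 0.0.0.0/0 le 32, the implicit deny would drop every other route too.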

Basic Routing and GRE Tunnels

Packet Forwarding: Determine where the destination IP resides; if on a remote subnet, send packets to the default gateway. To construct the L2 frame, you need the MAC of the destination (def gateway). If the MAC is not in the ARP cache (L2 <-> L3 mapping table), use ARP to resolve it. Once in the cache, packets will be sent in frames addressed to the default gateway's MAC.

When the frames are received by the router, the L2 header (destination MAC) is stripped. The router inspects the L3 header, decrements the TTL (if it reaches 0, the packet is discarded and an ICMP time-exceeded message is sent), and checks the routing table for the best path to the IP address. The router adds a new L2 header and sends it on to the next-hop.

Once the frames are received at the destination router, the headers are removed again and the TTL is decremented again. The IP header is inspected to determine the destination network. If directly attached, an ARP request is sent to determine the MAC address of the destination IP. The frame is then sent out the correct interface attached to the destination network.

IP Routing Table: Used in routers; the route selected is the one with the longest prefix (best match), then the lowest AD.

Routing Table Data Structure: As a router receives route information from a neighboring router, the info is stored in the data structures of the IP routing protocol and analyzed by the routing protocol to determine the best path, based on metrics. The routing table can be populated by the routing protocol data structure, directly connected routes, and static routes. An IP routing protocol's data structure itself can also be populated by the local router: by route redistribution (info is redistributed from the routing table into the IP routing protocol's data structure), by interfaces enabled for the routing protocol, and by the protocol itself.

Routing Information Sources: Routers can receive route information from multiple sources at the same time. If the same network is received from different routing sources, administrative distance (AD) is used to choose which is most believable. The lower the AD, the more preferred the source of information. The best route selected by a routing protocol's data structure is only a candidate to be injected into the router's IP routing table. The route is injected into the routing table if the router concludes that it came from the best routing source. Suboptimal routing may occur due to a different routing source with a lower AD being used. To ensure route information is never used, change the AD for a source to 255.

Source            AD
Connected         0
Static            1
eBGP              20
EIGRP (internal)  90
OSPF              110
RIP               120
EIGRP (external)  170
iBGP              200

sh ip route [ip] [mask] longer-prefixes !!! shows info for subnets within a network.

sh ip route [ip] [mask] !!! shows information for the entire subnet.

sh ip route [ip] !!! shows the next-hop IP to reach [ip], interface, routing protocol, metric, etc.

Floating Static Route: A static route with an AD higher than the preferred route; used as a backup in case the preferred route fails. The preferred route is installed in the routing table; the static will only be installed if the preferred route is withdrawn. Simply add the (AD) to the end of the ip route command.

config) ip route [ip] [mask] [(next-hop ip) | (exit interface)] (ad)

sh ip route [ip] !!! the AD will show as "distance [x]".

sh ip route static !!! filters the routing table to show statics. look for S at the beginning. next-hop, AD, metric.

Static routes can either use a next-hop IP or an exit interface. The exit interface should only be used when the link is pure point-to-point, such as DSL or Serial. Point-to-point Ethernet is not really p2p because Ethernet is multi-access; it requires a source and destination MAC. If an Ethernet interface is configured as the next-hop instead of an IP, the router will ARP for the MAC of every destination address, in every packet, resulting in excessive processor and memory use (the control plane is used during forwarding).
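The "longest prefix, then lowest AD" rule and the floating static behaviour above are shown together in this added example (not from the original notes): a small RIB that keeps one candidate per source, installs the lowest-AD candidate per prefix, refuses AD 255, and answers lookups by longest match. The routes are constructed sample data and the AD values are the IOS defaults from the table above.

```python
"""Route selection: longest prefix first, then lowest AD; floating statics and AD 255.

Added example, not from the original notes. The routes are constructed sample data;
the AD values are the IOS defaults from the table above.
"""
import ipaddress

AD = {"C": 0, "S": 1, "eBGP": 20, "D": 90, "O": 110, "R": 120, "D EX": 170, "iBGP": 200}


class Rib:
    def __init__(self):
        self.candidates = []    # (network, source, next_hop, ad): each protocol's best route

    def add(self, network, source, next_hop, ad=None):
        """Offer a route to the RIB. `ad` overrides the default (e.g. a floating static)."""
        ad = AD[source] if ad is None else ad
        if ad >= 255:           # AD 255: never installed
            return
        self.candidates.append((ipaddress.ip_network(network), source, next_hop, ad))

    def withdraw(self, network, source):
        net = ipaddress.ip_network(network)
        self.candidates = [c for c in self.candidates if not (c[0] == net and c[1] == source)]

    def table(self):
        """Installed routes: per prefix, only the candidate with the lowest AD survives."""
        best = {}
        for net, src, nh, ad in self.candidates:
            if net not in best or ad < best[net][2]:
                best[net] = (src, nh, ad)
        return best

    def lookup(self, ip):
        """Forwarding decision for `ip`: (prefix, source, next_hop) or None."""
        a = ipaddress.ip_address(ip)
        matches = [(net, v) for net, v in self.table().items() if a in net]
        if not matches:
            return None
        net, (src, nh, _) = max(matches, key=lambda m: m[0].prefixlen)
        return str(net), src, nh


def build_sample():
    rib = Rib()
    rib.add("10.0.0.0/8", "O", "192.0.2.1")
    rib.add("10.1.0.0/16", "R", "192.0.2.2")
    rib.add("10.1.0.0/16", "S", "192.0.2.3", ad=130)   # floating static, backup for the RIP route
    rib.add("0.0.0.0/0", "S", "192.0.2.9")
    return rib
```

Note that prefix length is compared before AD: the RIP /16 (AD 120) beats the OSPF /8 (AD 110) for 10.1.1.1, and only when RIP withdraws does the AD-130 static appear.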

Proxy ARP: On by default on routers. Allows a router to respond to ARP requests with its own MAC if it has a route in the routing table for the IP in the ARP request. In sh ip arp you may see many IPs reachable at the same MAC out the same interface. If Proxy ARP were not enabled, the result would be an "encapsulation failure" (debugging packets would show it). sh ip arp would display the addresses as "Incomplete".

IPv6 Static Routes: An exit interface is mandatory if using a link-local address as the next-hop because the same address may be used on multiple router interfaces. If the next-hop is the link-local address of a neighboring router out a specified interface, the router will check its IPv6 neighbor table for the MAC. If using a global unicast address, since IPv6 does not use ARP, NDP is used to determine the MAC of the neighbor device. Proxy ARP does not exist in IPv6, so the destination must be directly attached to the router if only an interface is specified.

config) ipv6 route [ipv6 add/len] [x/x] [link-local next-hop] (ad) !!! [link-local] needs [interface].

config) ipv6 route [ipv6 add/len] [(x/x) (global unicast next-hop)] (ad) !!! use either or both int/ip.

sh ipv6 route static

Generic Routing Encapsulation (GRE): Protocol used to encapsulate various types of network layer packets inside a transport protocol, so that they can be transported over an IP network. You can create virtual point-to-point links between remote routers across an IP network, making them appear directly connected. The default tunnel mode for Cisco devices is GRE/IP (point-to-point). Allows routing protocol traffic to pass (multicast is carried inside the tunnel). Adds a GRE header (carrier protocol) to encapsulate the original packet (passenger protocol), then adds a new IP header (transport protocol).

Make sure the remote devices are reachable across the public network, the tunnel IPs are in the same subnet, the tunnel source/dest IPs match between routers, and the tunnel mode is correct; for IPv4/6 over an IPv4 network, "gre ip" is required. Check for ACLs blocking IP protocol 47. The tunnel interface must be added to a routing protocol for routes to be shared across the tunnel.

Fragmentation may happen due to an insufficient MTU. The GRE overhead is 24 bytes (20-byte outer IP header + 4-byte GRE header), which limits the original packet to 1476 bytes (1500 is the standard interface MTU). If packets > 1476 bytes are sent, fragmentation occurs, resulting in processing delays and high CPU usage. Implement a consistent MTU end-to-end. Verify the MTU with sh int tun [#]. Change it with the interface command ip mtu [#].

The error "%TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing" indicates the router is trying to route to the tunnel destination through the virtual tunnel interface instead of the physical interface. May be due to flapping routing or a misconfiguration.

config) int tunnel [#]

if) ip add [tunnel ip] [mask]

if) tunnel source [(x/x) | source ip of the physical int]

if) tunnel dest [physical dest ip]


if) tunnel mode [gre (ip) | ipip | ipsec | ipv6ip] !!! change the mode, must match on both ends. 'gre ip' is the default.

sh interface tunnel [#]

IPsec: GRE's main purpose is to provide simple tunneling for multiple network layer protocols. However, it lacks security; it only provides basic plaintext authentication between remote devices using a tunnel key, which is not adequate when using GRE over an untrusted network (Internet). When doing so, confidentiality, authentication, and data integrity can be accomplished with IPsec. Confidentiality is provided with symmetric algorithms, while authentication and integrity are provided with hash message authentication codes (HMACs). When using IPsec with GRE, GRE encapsulates the original packet first, then IPsec encrypts the GRE packet. Supports other L3 protocols, carries multicast and routing traffic across the VPN, and reduces management overhead in a hub-and-spoke topology. Two different IPsec modes exist:

Tunnel Mode: Encapsulates and encrypts the entire GRE packet, including the Transport Protocol header. Because of this, IPsec adds a new IP header. Higher overhead.
Transport Mode: Only encapsulates and encrypts the carrier protocol and the passenger protocol. The Transport Protocol header is reused, reducing overhead.

R"P'2 and R"Png<02 does not esta%lish neigh%or ad acencies. 1ost issues are related to routing updates.

sh ip rip data%ase !!! displa s rip data%aseB directl connected networ+s in ected into rip$ and learned networ+s rom a neigh%or8ip)$ with hop count.

sh ip route rip !!! flters routing ta%le to show onl rip routes. ([ad'hopcount] via neigh%or 8ip).

sh ip protocols !!! veri route flters$ timers$ redistri%ution$ rip version sent'received$ autosummari ation$ ma paths$ address innetwor+ command$ passive inter aces$ who routes are learned rom$ and the ad.

,hut )own 4nterface : @se sh ip int %rie to chec+ i an inter ace is up'up.

rong ,ubnet : 0 routers e changing updates are not in the same su%net$ the will ignore the updates.Eoth the 02 and su%net mas+ assigned to an inter ace must %e correct.

5ad@ issing $etwor6 ,tatement : <02 is ena%led on an inter ace using the networ+ command. 7heactual networ+ associated with the specifed inter ace is in ected into the <02 process and advertised todirectl connected routers out <02-ena%led inter aces. ;eri ena%led inter aces with sh ip protocols$ shrun | s rip$ and sh ip int %ri.

Passi e 4nterface : <educes <02 traFc on a ,AH and improves securit . 4isa%les the sending o <02updates out o an inter ace$ eliminating <02-related traFc. 0mproves securit %ecause the router is notadvertising <02 in ormation out an inter ace that could %e captured. Kowever$ the interface will stillrecei e updates and use them B a rogue router'routes ma %e introduced. When an inter ace ispassive$ the networ+'su%net associated with the inter ace is still in ected into the <02 routing process andadvertised to other <02 routers. *an %e made de ault in router mode with passive-inter ace de ault$ andindividual inter aces can %e changed with 8no) passive-inter ace [ ' ].

rong ;ersion : <02v is ena%led % de ault$ to ena%le <02v $ issue the router command version . 0versions don6t match %etween directl connected routers$ the will not share routing in ormation. sh ipprotocols will displa the version sent'received per inter ace. ;ersion num%ers can %e changed perinter ace via the commands ip rip send version [ ] and ip rip receive version [ ]. de%ug ip rip will displathe output (<02: ignored v pac+et rom [02] 8illegal version).

a" .op Count : <02 has a ma hop count o CB routes with a count R are considered unreacha%le. 7he topolog ma %e too large$ the seed metric rom redistri%ution ma %e set too high$ or an oDset list

ma %e manipulating the metric. An oDset list can %e verifed via sh ip protocols$ loo+ or (incomingroutes in [ ' ] will have [ ] added to the metric i on list [ ]. 0t is a router command with a s nta ooDset-list [A*,#] 8in'out) [#] 8inter ace).

Autosummarization: RIP automatically summarizes to the classful boundary when sending an update out an interface that belongs to a different classful network than the route being advertised. This is an issue if networks are discontiguous. Sent updates can be seen with debug ip rip. You will usually need to disable it; use no auto-summary. To verify whether auto-summary is enabled, use sh ip protocols.

Authentication: When authentication is configured on an interface, it will only accept updates that pass authentication. If misconfigured, debug ip rip will display "RIP: ignored v2 packet from [IP] (invalid authentication)". The issue may be due to the key chain configuration/association, or the authentication mode. sh key chain can be used to verify the key string. The key ID AND the key strings have to match between routers; however, the key chain name does not have to match. By default, keys never expire; however lifetimes can be added to control when keys will be used; rotating multiple keys enhances security (accept-lifetimes on the receiving side should overlap the send-lifetimes, and the clocks must agree, or the rotation breaks the neighborship). Key chains are assigned to an interface via ip rip authentication key-chain [key chain name] and the mode is specified with ip rip authentication mode [text|md5]; the mode defaults to text, which sends the key in the clear, so use md5. sh ip protocols allows you to verify the key being used, but sh run int [x/x] is needed to verify the mode.

Route Filtering: A distribute list can be applied to the RIP process, either inbound or outbound, to control which routes are advertised to neighbors or which routes are received from neighbors. Routes sent/received are controlled by ACLs, prefix lists, or route maps. Ensure the distribute list is placed in the correct direction and on the correct interface. If using an ACL/prefix list/route map, check them as well. sh ip protocols will display something similar to "[x/x] filtered by (prefix-list) [name] (per-user), default is not set".

Split Horizon: Rule stating that any routes learned inbound on an interface will not be advertised back out the same interface; prevents routing loops. sh ip interface will display whether it is enabled; it is by default. Becomes an issue in multi-access hub-and-spoke topologies such as Frame Relay. Disable on the hub router's multi-access interface with the no ip split-horizon interface command, or use point-to-point subinterfaces.

Better Source of Info: Because the routing table trusts sources with lower ADs, RIP routes may not win. RIP's AD is 120 by default. If a neighbor router knows a route via a better (lower AD, e.g. static route) source, the RIP-learned route is not in its routing table, so it will not pass the route on (without redistribution).

ACLs: RIP uses destination UDP port 520 as well as the destination multicast address 224.0.0.9 (RIPv1 broadcasts to 255.255.255.255). If there is an ACL filtering traffic that is not permitting that port, RIP updates will be denied. Either add permit ip any any at the end of the ACL (which makes the rest of the ACL pointless), or, preferably, add permit udp any any eq 520 to the ACL.

Load Balancing: RIP will load balance over 4 equal cost paths by default. Verify the number with sh ip protocols. Change with the router command maximum-paths [#], max of 16.

Missing Default Route: RIP routers need to know what to do with packets that they do not have a specific match for; that's what a default route does. They're typically configured on an edge device with a next-hop address of the ISP's router. A default route needs to be injected into RIP so that it can be advertised to other RIP routers. To do this, use the command default-information originate on the edge device. With RIP, you do not need a static default route configured to generate a default route back to the edge device; it may come from another routing protocol. However, if there is no known default gateway on the edge device, it will drop the packets. Verify the configuration on the edge router with sh run | s router rip and look for the originate command. Can also be seen in sh ip rip database.

Route Summarization: Manual route summarization is enabled on a per-interface basis with the command ip summary-address rip [ip] [mask]. Make sure you use the correct interface, specify RIP, and use the correct summary route. Verify with sh ip protocols. A route to "Null0" is not automatically created; if a default route is also configured, a routing loop may occur if a match is not found in the routing table. To fix, either create a static route to "Null0" for the summary route or create a more specific summary route.

RIPng (Next Generation): Designed for IPv6; it functions the same as RIPv2. Enhancements include an all-RIP-devices multicast group of FF02::9, a named process, the removal of the network command (replaced with an interface command), and the use of link-local addresses as the next-hop IPv6 addresses. Verify that ipv6 unicast-routing is enabled! Permit UDP 521 in ACLs.

config) ipv6 router rip [name] !!! to enable RIPng.

router) maximum-paths [#] !!! default of 16 equal metric paths for RIPng.

router) distribute-list prefix-list [name] [in|out] !!! RIPng filters with prefix lists.

if) ipv6 rip [name] enable !!! to enable an interface.

if) ipv6 rip [name] default-information originate !!! interface command. requires a static default ipv6 route.

sh ipv6 rip database !!! the local database; "installed" indicates routes in the routing table.

sh ipv6 route rip !!! verify RIPng routes installed in the routing table. next-hop is a link-local address.

sh ipv6 protocols !!! not as much info as v4. only shows interfaces enabled for RIPng and redistribution.

sh ipv6 rip [name] !!! timers, max paths, port number, multicast group, interfaces, default route.

sh ipv6 rip next-hops !!! verify the number of routes a router is learning from a connected RIPng router.

debug ipv6 rip !!! see updates being sent out an interface for a process, link-local source, multicast destination, and included routes.

traceroute ipv6 [add]

The default route is enabled per interface with ipv6 rip [name] default-information [originate|only]. Originate will send a default route as well as the other routes. Only will send only a default route and suppress the other routes. sh ipv6 rip [name] will show whether a default route is being sent, but only sh run | s rip will show what type of default route, and on what interfaces.

To verify whether ACLs are denying packets on an interface, you can use debug ipv6 packets. Alternatively, sh run | in interface|traffic will show an interface that has the interface command ipv6 traffic-filter [ACL] [in/out]. Then issue sh ipv6 access-list [name] to view the ACL rules. UDP port 521 needs to be permitted with permit udp any any eq 521.

EIGRP: Establishes neighborships by sending hello packets to the multicast address 224.0.0.10 out interfaces participating in the EIGRP process. After establishing a neighborship, the router performs a full exchange of routing information with the newly established neighbor. After the full exchange, only updates to route information are exchanged with that neighbor. Routing information learned from EIGRP neighbors is inserted into the EIGRP topology table. If the EIGRP information for a specific route happens to be the best source of information, it is installed in the routing table.

router) network [ip] [wildcard mask] !!! to select the router interfaces to run EIGRP on.

sh ip eigrp int !!! verify participating interfaces. passive interfaces will not show!

sh ip eigrp events !!! shows the event log.

sh ip eigrp topology (all-links) !!! see known routes. (all-links) will also show non-feasible successors.

sh ip eigrp neighbors !!! columns below.

H: handle, per neighbor, starting with 0.

Address: IPv4 address of the neighbor interface sending the hello.

Interface: local interface used to reach the neighbor.

Hold: neighbor valid timer. reaches 0 without a hello = dead.

Uptime: how long the routers have been neighbors.

SRTT: smooth (avg) round trip time.

RTO: retransmit timeout (about 6 x SRTT).

Q Cnt: the number of EIGRP packets in the queue (should be 0).

Seq Num: keeps track of EIGRP packets received from the neighbor.


Missing Neighbors:

Interface Down: Ensure the interface is up/up with sh ip int brief.

Mismatched AS: Both routers must be in the same AS for a neighborship to form. Specified in the router eigrp [AS] command. Most commands show the AS, including sh ip protocols. You can also use debug eigrp packet, which will show the local router sending hellos but not receiving any.

Different Subnets: Router interfaces must be in the same subnet. If not, and syslog is set at severity 6, you will receive the message "%DUAL-6-NBRINFO: EIGRP-IPv4 [AS]: Neighbor [IP] [x/x] is blocked: not on common subnet [IP]".

Incorrect Network Statement: If the network statement is misconfigured, EIGRP may not be enabled on the proper interfaces. These statements use wildcard masks. Use sh ip eigrp int to verify which interfaces are participating. Look at the number of "Peers" as well as "Pending Routes"; 0 pending routes is expected, any other value indicates there is an issue preventing the interface from sending the necessary updates to the neighbor. sh ip protocols will show interfaces participating under "Routing for Networks". These are not the networks, just the network statements! sh run | s router eigrp will show the actual network statements. debug eigrp packet will show hello packets exiting the incorrect interface.

Mismatched K Values: K values must match between neighbors to form an adjacency. show ip protocols will show the values. If they are changed, make them match on every router in the AS. If logging messages at level 5, a message will display "%DUAL-5-NBRCHANGE: EIGRP-IPv4 [AS]: Neighbor [IP] [x/x] is down: K-value mismatch". Change with metric weights 0 [k1] [k2] [k3] [k4] [k5] (the leading 0 is the type-of-service field, which must be 0).

Passive Interface: Reduces traffic and increases security. Turns off sending and receiving EIGRP packets on an interface while still injecting the interface's network into EIGRP and advertising it to neighbors. Prevents rogue routers from forming an adjacency. If configured on the wrong interface, it will prevent legitimate relationships. Use sh ip protocols to see whether it is enabled (if none, the section does not appear). If using debug eigrp packet you will notice that hellos are not being sent out the expected interface.

Timers: While EIGRP timers do not have to match, if they are off by enough, the adjacency will flap. Each router must send hello packets at a rate that is faster than the hold timer it advertises to its neighbor (the neighbor declares it dead when the hold timer expires without a hello). Verify timers with sh ip eigrp interfaces detail.

ACLs: If there is an ACL applied to an interface and the ACL is denying EIGRP packets, a neighborship will not form. Use sh ip int [x/x] to see whether there is an in/outbound ACL; fix with permit eigrp any any. Protocol 88.

Authentication: Interface based. Both routers must agree on the settings for a neighborship to form. Spot-the-difference when looking at sh run int [x/x] or sh ip eigrp int detail [x/x]. To see the actual key in a key chain, use sh key chain. Keys may have a valid time before they expire (check the clock). debug eigrp packets will display "missing" if the neighbor doesn't have authentication configured and "invalid" if the neighbor's key ID or string don't match.

if) ip authentication mode eigrp [as] md5

if) ip authentication key-chain eigrp [as] [key-chain-name]
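The key-chain rules above (RIP and EIGRP alike: key ID and key string must match, chain name need not, lifetimes and clock skew decide which key is valid) modelled as an added example. This is not code from the notes and not IOS behaviour taken from any source; the router names, chain names, key strings and integer lifetimes are constructed, and the verdict strings only mirror the debug wording quoted above. Where the model guesses at IOS behaviour (a receiver with no authentication configured, no key currently valid for sending) the comment says so.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Key:
    key_id: int
    key_string: str
    # Lifetimes as plain integers (seconds on a shared clock). None = infinite, which is
    # the IOS default when no send-lifetime / accept-lifetime is configured.
    send_start: int = 0
    send_end: Optional[int] = None
    accept_start: int = 0
    accept_end: Optional[int] = None

    @staticmethod
    def _within(start: int, end: Optional[int], now: int) -> bool:
        return now >= start and (end is None or now < end)

    def can_send(self, now: int) -> bool:
        return self._within(self.send_start, self.send_end, now)

    def can_accept(self, now: int) -> bool:
        return self._within(self.accept_start, self.accept_end, now)


@dataclass
class KeyChain:
    name: str                                # names need not match between routers
    keys: List[Key] = field(default_factory=list)


@dataclass
class RipAuth:
    mode: Optional[str]                      # "md5", "text", or None = no authentication
    chain: Optional[KeyChain] = None


def send_key(chain: KeyChain, now: int) -> Optional[Key]:
    """IOS sends with the lowest key ID whose send-lifetime is valid right now."""
    valid = [k for k in chain.keys if k.can_send(now)]
    return min(valid, key=lambda k: k.key_id) if valid else None


def update_result(sender: RipAuth, receiver: RipAuth, now_sender: int,
                  now_receiver: Optional[int] = None) -> str:
    """Model the receiver's verdict on one update. Returns 'accepted',
    'missing authentication' (sender has none) or 'invalid authentication'."""
    if now_receiver is None:
        now_receiver = now_sender            # pass a different value to model clock skew
    if receiver.mode is None:
        return "accepted"                    # modelled: a receiver with no auth does not check
    if sender.mode is None:
        return "missing authentication"
    if sender.mode != receiver.mode or sender.chain is None or receiver.chain is None:
        return "invalid authentication"      # text vs md5, or a chain that is not associated
    key = send_key(sender.chain, now_sender)
    if key is None:
        return "invalid authentication"      # modelled: no key currently valid for sending
    # The packet carries the key ID; the receiver needs that ID, within its accept-lifetime,
    # with an identical key string. The chain name plays no part.
    for mine in receiver.chain.keys:
        if mine.key_id == key.key_id and mine.can_accept(now_receiver):
            return "accepted" if mine.key_string == key.key_string else "invalid authentication"
    return "invalid authentication"


# Constructed scenario: R1 rotates from key 1 to key 2 at t=100. R2 keeps accepting key 1
# until t=130, so the rotation is hitless as long as the clocks agree.
R1 = RipAuth("md5", KeyChain("RIP-KEYS-R1", [
    Key(1, "0ldK3y", send_end=100),
    Key(2, "n3wK3y", send_start=100),
]))
R2 = RipAuth("md5", KeyChain("RIP-KEYS-R2", [
    Key(1, "0ldK3y", accept_end=130),
    Key(2, "n3wK3y", accept_start=100),
]))
R3_TEXT_MODE = RipAuth("text", R1.chain)     # right keys, wrong mode
R4_NO_AUTH = RipAuth(None)
```

Call update_result(R1, R2, 120, now_receiver=90) to see the "check clock" case: R1 has already moved to key 2, but R2's clock is 30 seconds behind and its accept window for key 2 has not opened, so the update is rejected as invalid authentication even though both chains are correct.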

Missing Routes:

Int Shut Down: The interface must be up/up for routes to be advertised or neighborships to form.

Missing Network Command: Even interfaces not forming neighborships need an applicable network statement to enable EIGRP to inject the networks on those interfaces into the process and advertise them out. In sh ip protocols the "Routing for Networks" segment identifies the network statements/interfaces, not the networks that are actually advertised. sh ip eigrp interfaces will identify participating interfaces.

Default Route: Either use redistribute static (metric), setting a (metric) or setting default-metric [bandwidth] [delay] [reliability] [load] [mtu] (EIGRP needs a seed metric for redistributed routes). If referring to a network that's not 0.0.0.0, set with ip default-network. Or, send a summary address with the interface command ip summary-address eigrp [AS] 0.0.0.0 0.0.0.0.

Better Source of Info: EIGRP has an AD of 90 for internally learned routes and 170 for external routes. If there is a route from another source with a better AD, it is preferred. This may cause suboptimal routing because another routing protocol may have a lower AD, but a longer/slower path. sh ip eigrp topology (all-links) will identify all known EIGRP routes, while sh ip route eigrp will display only EIGRP routes inserted into the routing table. sh ip route [ip] [mask] will identify the routing source being used.


Discontiguous Networks/Autosummarization: EIGRP supports VLSM; in older versions of IOS, autosummarization was enabled by default and no auto-summary had to be used. In 15.0 and newer, it is disabled by default. Verify with sh ip protocols.

Route Filtering: Distribute lists applied to EIGRP control which routes are advertised to, or received from, neighbors. Check that the distribute list is applied to the correct interface and in the correct direction. Check the ACL, prefix list, or route map. sh ip protocols will identify whether there is a distribute list applied to all of EIGRP, or to individual interfaces.

Split-Horizon: Any routes learned inbound on an interface will not be advertised out the same interface. Designed to prevent routing loops. Becomes an issue in NBMA hub-and-spoke topologies as well as DMVPNs, which both use multipoint interfaces on the hub router. Verify whether it is enabled with sh ip int [x/x]. Disable per interface with no ip split-horizon, or specifically for EIGRP with no ip split-horizon eigrp [AS#]. If the latter command is used, it will still show as enabled in sh ip int; verify with sh ip eigrp int det [x/x].

Feasible Successors: The best route for a specific network in the EIGRP topology table becomes a candidate to be injected into the router's routing table. The best route is the one with the lowest feasible distance (FD). If that candidate route has the best AD for the network and thus is injected into the routing table, it becomes known as the successor route. sh ip eigrp topology will show the topology table, including redistributed and local networks participating in EIGRP. This will only display successors and feasible successors; to verify the FD/RD of other paths that aren't feasible successors, add all-links to the end of the command. After each next-hop IP is the (feasible distance/reported distance). The reported (advertised) distance (RD) is the distance from the neighbor at the next-hop address to the destination network. The feasible distance (FD) is the RD plus the metric to reach the neighbor at the next-hop IP. EIGRP precalculates paths that could be used if the successor failed, known as feasible successors. To be a feasible successor, the RD of the path must be less than the FD of the successor.

Load Balancing: By default, EIGRP will load balance across 4 equal metric paths. This can be changed with the maximum-paths [#] command. EIGRP can also load balance across unequal paths; this is not enabled by default. It's changed with the variance [#] command, which is set to 1 by default. The number acts as a multiplier to the successor's metric (FD). This will allow routes via a neighbor with an FD below the resulting value (successor's FD * variance) to be installed in the routing table. Even with the variance command, you are limited by the maximum-paths setting. Feasibility is also important; if alternate paths are not feasible successors (RD < FD of successor), they will not be considered. Verify with sh ip protocols. clear ip route * to take effect.
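The successor / feasible-successor / variance rules from the two paragraphs above, as an added example (not code from the notes). The next-hop addresses and the metrics are constructed toy values, not real EIGRP composite metrics; the functions implement exactly the selection described: lowest FD is the successor, RD < successor's FD makes a path a feasible successor, variance admits only feasible successors whose FD is under FD * variance, and maximum-paths caps the result.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Path:
    next_hop: str
    rd: int            # reported distance: the neighbor's own metric to the destination
    link_metric: int   # metric from this router to that neighbor

    @property
    def fd(self) -> int:
        """Feasible distance through this neighbor."""
        return self.rd + self.link_metric


def classify(paths: List[Path]) -> Tuple[List[Path], List[Path], List[Path]]:
    """Split the topology-table entries for one destination into
    (successors, feasible successors, everything else)."""
    if not paths:
        return [], [], []
    best_fd = min(p.fd for p in paths)
    successors = [p for p in paths if p.fd == best_fd]
    # Feasibility condition: the neighbor's RD must be strictly less than our best FD,
    # which guarantees the neighbor is not routing back through us.
    feasible = [p for p in paths if p.fd > best_fd and p.rd < best_fd]
    others = [p for p in paths if p not in successors and p not in feasible]
    return successors, feasible, others


def installed_routes(paths: List[Path], variance: int = 1, maximum_paths: int = 4) -> List[Path]:
    """Paths that end up in the routing table after variance and maximum-paths are applied."""
    successors, feasible, _ = classify(paths)
    if not successors:
        return []
    best_fd = successors[0].fd
    # variance only ever admits feasible successors, and only those with FD < best_fd * variance
    unequal = [p for p in feasible if p.fd < best_fd * variance]
    return sorted(successors + unequal, key=lambda p: (p.fd, p.next_hop))[:maximum_paths]


# Constructed topology-table entry for one destination (toy metrics).
PATHS_10_9 = [
    Path("10.1.12.2", rd=10, link_metric=10),   # FD 20 -> successor
    Path("10.1.13.3", rd=15, link_metric=15),   # FD 30, RD 15 < 20 -> feasible successor
    Path("10.1.14.4", rd=25, link_metric=5),    # FD 30, RD 25 >= 20 -> not feasible, never installed
]
```

The third path is the one that trips people up: with variance 2 its FD (30) is under 20 * 2, yet it is never installed because its RD fails the feasibility condition, exactly as the notes say.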

Passive/Active Routes: If the successor route is removed and no feasible successors exist, a router will send query messages to find alternate routes. The route will change from passive to active while the query process is ongoing. If another router has a route, it will reply; if not, it will send queries to each of its neighbors and wait for replies before it will reply to the original router. All query messages must be replied to before a new route is calculated on the original router. If all queries are not replied to, the route is considered Stuck in Active. IOS can limit the time spent waiting with the router command timers active-time [#] (in minutes). Avoid the SIA situation by making sure there are feasible successors for each route. Otherwise, use stubs or summarization to limit the query scope. Older versions of IOS brought down the neighbor. Newer IOS versions send SIA-Query messages halfway through the active time; if the message is replied to, the neighbor will be kept up, but if no reply is received, the neighbor will be brought down. SIA reasons: too busy, query packet lost, unidirectional link, or not enough memory. The command eigrp log-neighbor-changes will send a syslog message when SIA occurs.

Stub: Used to control the scope of queries, which may be a waste of resources should a remote router have no other exit points. Useful with hub-and-spoke WAN links to reduce traffic and also reduce the chance of a stuck-in-active situation. Configure the actual stub router (not the hub) with eigrp stub. You can control the routes the stub will advertise to its neighbor. By default, it's connected and summary routes; other options are redistributed, static, a combination, or receive-only (no routes). Verify on the stub with sh ip protocols, verify on the neighbor with sh ip eigrp neighbors detail. To limit the size of the stub's routing table, you must create a default route on the stub, or send a summary address from the hub with the interface command ip summary-address eigrp [AS] [IP] [mask] (a subnet mask, not a wildcard), as well as filter out any unwanted routes, unlike OSPF stub areas which get a default from the ABR automatically.


Route Summarization: Automatic summarization is not suggested; manual is. With EIGRP, this is enabled per interface with the command ip summary-address eigrp [AS] [IP] [mask]. Make sure that it is enabled on the correct interface, with the correct AS, using the correct summary route. Verify with sh ip protocols. Limits the scope of query messages; if a query received for a network matches a summary route (not an exact match), the router will reply to the query that the network is unreachable and not send out its own query messages. When a summary route is created on a router, so is a summary route to "Null0", in order to prevent routing loops. This ensures that if a packet is received by the router destined to a network that falls within the summary route, but the router does not actually know how to reach it, the packet will be dropped (instead of sent back out the default route, causing a loop). The route to "Null0" has an AD of 5, making it more trustworthy than most other sources of routing info.

IPv6: EIGRP for IPv6 can be configured and verified very similarly to normal EIGRP:

config) ipv6 router eigrp [as]

router) router-id [x.x.x.x] !!! if no IPv4 addresses exist on the device for EIGRP to use.

router) no shutdown !!! must enable!

if) ipv6 eigrp [as] !!! to enable on an interface.

sh ipv6 interface (brief | detail) !!! (brief) to verify the interface is up/up. (detail) for authentication.

sh ipv6 route !!! to ensure there isn't a better source of information.

sh ipv6 protocols !!! to verify AS numbers, k-values, stub, and participating/passive interfaces.

sh ipv6 eigrp interfaces (detail) !!! verify whether an interface is participating, timers, and split-horizon.

sh ipv6 eigrp neighbors (detail) !!! will verify neighbors by their link-local addresses. (detail) for stub.

debug ipv6 eigrp [as] [neighbor {ip} | notifications | summary]

EIGRP for IPv6 uses the multicast address "FF02::A" to form neighbor adjacencies; ensure that it is not blocked by an ACL.

sh run | s ipv6 router eigrp !!! check for a "distribute-list [acl | prefix-list | route-map]".

Named EIGRP: The purpose is to provide you with a central location on the router to perform all EIGRP for IPv4/v6 configurations. Configurations include both an IPv4 unicast address family as well as a v6 address family, using the same or different autonomous systems. Started with a named router eigrp command, then select an AF to add commands to.

config) router eigrp [name] !!! start the process with a name instead of an AS.

router) address-family [ipv4|ipv6] unicast (vrf [name]) autonomous-system [as] !!! enter the v4 or v6 AF.

router-af) exit-address-family !!! to exit the AF.

Inside the AF, you can add the typical commands:

router-af) network [ip] / eigrp router-id [rid] / metric [#]

Use af-interface default to control all interfaces, or specify an interface to control just one.

router-af) af-interface default !!! change interface defaults.

router-af) af-interface [x/x] !!! change individual interfaces.

router-af-interface) passive-interface / authentication / summary-address

router-af-interface) exit-af-interface

Use the topology base for operations that affect the topology table such as redistribution, distance, offset lists, variance, etc.:

router-af) topology base !!! enter the mode.

router-af-topology) variance [#] / no auto-summary / distance [#]

router-af-topology) exit-af-topology

sh eigrp protocols !!! displays both the v4 and v6 address families: AS #, k-values, router ID, stub, AD, max paths, variance. Missing interfaces participating/passive; use sh ip protocols to see them.

sh eigrp address-family [ipv4|ipv6] interfaces !!! to verify interfaces participating, but not passive.

sh eigrp address-family [ipv4|ipv6] interfaces detail !!! timers, split-horizon, authentication, stats.

sh eigrp address-family [ipv4|ipv6] neighbors (detail) !!! neighbors. (detail) shows stubs.

sh eigrp address-family [ipv4|ipv6] topology !!! topology table.


OSPF: Link-state protocol. Establishes neighborships by sending hellos out participating interfaces. Routers receive LSAs from every router within the same area, learning about routes directly from the source within the same area. Every router in an area must have the exact same LSDB for that area. LSDBs are exchanged in full, then only updates are sent. Each LSA is refreshed by its originator every 30 mins.

if) ip ospf [#] area [#] !!! interface command to enable.

router) network [ip] [wildcard mask] area [#] !!! router command to match interfaces.

router) auto-cost reference-bandwidth [#] !!! for links faster than FastEthernet, increase! (default 100 Mbps; set the same value on every router)

sh ip ospf neighbor !!! to see neighbors (RID), priority, state, dead time, address, and interface.

sh ip ospf border-routers !!! RID, via, interface, ABR/ASBR, area.

"%OSPF-5-ADJCHG: Process 1, Nbr [ip] on [x/x] from LOADING to FULL, Loading Done"

Adjacency Transition States:

Down: No hellos received from a neighbor.

Attempt: Router sent a unicast hello to a configured neighbor and has not received a return hello yet.

Init: The router has received a hello but did not see its own RID in it, i.e. the neighbor has not yet seen this router's hellos. Something is preventing the neighbor from receiving hello packets from this router.

2-Way: Two OSPF routers have received hellos from one another, and each saw its own RID in the hello message. Acceptable state to be in among "DROthers" on an Ethernet LAN.

Exstart: Occurs when the routers forming a "Full" adjacency decide who will send their routing information first. The router with the higher RID becomes the master, the other the slave. The master sends info first. In a multi-access network, the DR/BDR have to be elected before this state begins. The DR does not have to be the master because each master/slave election is on a per-neighbor basis. If a router remains in this state for a long period, there may be an MTU mismatch or duplicate RIDs.

Exchange: When two routers forming an adjacency send one another DBD packets. If a router remains in this state for a long period, an MTU mismatch may exist.

Loading: Based on the missing LSDB entries identified in the "Exchange" state, each neighboring router requests the other router to send over the missing entries. If a router remains in this state for long, a packet may be corrupted, there may be a memory issue, or an MTU mismatch.

Full: Neighboring routers have successfully exchanged their link-state info and an adjacency has been formed.

LSA Types:

1 Router: All routers send these, but they are not sent out of the local area. List info about: directly connected subnets; OSPF connection types of a router; and the known OSPF adjacencies of a router.

2 Network: The DR in a multi-access network sends these for the network if the network contains at least 2 routers; constrained to the local area. Contains a listing of routers connected to the multi-access network.

3 Summary: Sourced by an ABR. Contains info about networks reachable in other areas. Network info is only exchanged between the backbone area and a non-backbone area.

4 Summary ASBR: Sourced by an ABR. Contains info stating how to reach an ASBR.

5 AS External: Sourced by an ASBR. Contains info about networks external to the OSPF domain. Sent to all OSPF areas except for stubs (they receive a default route from an ABR rather than specific Type 5s).

7 NSSA: Sourced from an ASBR within an NSSA area; only exist within the NSSA area. Contain info about external networks, just like Type 5s. External routes are sent/converted by the ABR of the NSSA into the backbone as Type 5s. External routes known to other areas are not sent into an NSSA since Type 5s are not permitted in an NSSA.

Route Summarization: OSPF is strict about where summarization can occur. Manual route summarization is either enabled on a per-area basis (on an ABR, to summarize routes as they enter or leave an area) or on an ASBR (to summarize external routes being injected into the domain). Verify that summarization is being performed on the correct router, in the correct area, using an appropriate summary route. Verify with sh ip ospf, and look for "It is an area border router", and further down under the area section "Area ranges are". Interarea summaries are created on ABRs with the area [#] range [IP] [mask] router command while external summaries are created on ASBRs with the summary-address [IP] [mask] router command. When a summary route is created, so is a route to "Null0", used to prevent routing loops by dropping packets destined to networks not in the routing table (instead of sending them out the default route). It is important to create accurate summary routes to ensure that your router is not advertising networks within the summary address that it does not know how to reach. Verify with sh ip route | in Null. While EIGRP gives the null route an AD of 5, OSPF gives it an AD of 110, which does not make it more believable than most other sources; a route for the same prefix from a lower-AD source can replace the discard route, and traffic for unreachable destinations inside the summary may then be forwarded instead of dropped.

Discontiguous Areas: A backbone area (0) must exist, with all other areas directly connected to it. If an area is not physically adjacent to area 0, routes will not be successfully learned by all routers in the OSPF domain. A virtual link can be used to logically connect the nonadjacent area to area 0. The area the virtual link is created across is known as the transit area, because it will transport LSAs from the discontiguous area to area 0, and vice versa. The transit area cannot be a stub. Virtual links are created between the routers at the edge of the transit area (configured on both of them), using their RIDs and the transit area number, with the command area [#] virtual-link [RID]. Once the virtual link is established, the router connecting to the discontiguous area becomes an ABR since it has a (virtual) interface in area 0. Verify with sh ip ospf neighbor to see the new ABR; it will show with an "OSPF_VL" interface. Also, verify with sh ip ospf virtual-links and confirm that the link is up and the state is "Full". If area 0 is using authentication, the authentication is appended to the virtual-link command with ...[authentication-key {key} | message-digest-key {#} md5 {key}].

Load Balancing: OSPF only supports equal-cost load balancing. Consider the overall end-to-end cost and the maximum number of paths permitted for load balancing. To verify the max paths, use sh ip protocols; the default is 4. Change with maximum-paths [#].

Default Route: With OSPF, a default route is injected into the routing process using the default-information originate (always) command, not the redistribute static command. Without the always keyword, the default is only advertised while a default route exists in the routing table; with always it is advertised regardless. Use sh run | s router ospf to confirm the presence of the correct command.

Missing Neighbors: The process ID does not have to match. Verify adjacencies with sh ip ospf neighbor and sh ip ospf int (x/x).

Interface Down: The interface must be up/up for an adjacency to form. sh ip int bri to confirm.

Interface Not Running OSPF: If the router network or interface ip ospf area commands are misconfigured, OSPF may not be enabled on the proper interfaces or in the correct areas. Use sh ip ospf int brief to confirm interfaces, area, IP/mask, state, and a count of "Formed" vs. "Configured" (F/C) neighbors. sh ip protocols will also display configured interfaces under "Routing for Networks:". Note: these are not the networks being advertised, only the statements used to match interfaces! If an interface is configured with both types of commands, the interface ip ospf area command takes precedence. Verify neighbor connectivity with sh cdp neighbors.

Mismatched Timers: OSPF timers have to match between neighbors. Defaults for broadcast and point-to-point networks are a hello of 10s and a dead of 40s, while NBMA/point-to-multipoint (broadcast and nonbroadcast) networks have a hello of 30s and a dead of 120s. To verify, use sh ip ospf int [x/x] or debug ip ospf hello, which will display the received (R) and configured (C) values. Change per interface with ip ospf [hello|dead]-interval [#]; if dead isn't set, it's 4 x hello. You may also change the interface's network type with ip ospf network [type].

Mismatched Network Types: Different network types have different default values. Non-broadcast networks must have neighbors statically configured, DR/BDR elections are different, and timers are different. To determine the network type associated with an interface, use sh ip ospf int [x/x] and look for "Network Type" and the timer values.

Mismatched Area Numbers: Neighboring interfaces must be in the same area. sh ip ospf int [x/x] or sh ip ospf int bri will display the area used for each interface. debug ip ospf adj will display "OSPF-1 ADJ [x/x]: Rcv pkt from [IP], area [area], mismatched area [area] in the header".

Mismatched Area Type: The default area type is "normal". A normal area can be converted into a stub or NSSA area to control the types of LSAs sent into the area from an ABR. For routers within an area to form adjacencies, they must agree on the area type. Within the hello packet, there is a stub area flag, which indicates the type of area the neighbor is in. Verify with sh ip protocols, which displays the number and types of areas the router is in, but not which area is which type. If there are multiple areas connected, verify with sh ip ospf to display the area type per area. debug ip ospf hello will display "OSPF-1 HELLO [x/x]: Rcv hello from [IP] with mismatched Stub/Transit area option bit".


Different Subnets: To form a neighborship, both interfaces must be on the same subnet. sh run or sh ip int bri.

Passive Interface: Reduces OSPF traffic and improves security. Disables sending/receiving of OSPF packets on an interface while still injecting the interface's network into OSPF and advertising it to OSPF neighbors. Ensures that rogue devices that attach to the network will not be able to form an adjacency (unlike RIP, where a passive interface still accepts updates). Verify with sh ip protocols. (no) passive-interface [default | x/x]

MTU Mismatch: Each router's interface forming an adjacency must have the exact same MTU. If mismatched, each router will see the other but get stuck in the "Exstart"/"Exchange" states. Verify the state with sh ip ospf neighbor; verify neighbors formed with sh ip ospf int bri and look in the "F/C" column; F should = C. Verify the MTU with sh ip int [x/x] (sh run int [x/x] only shows a non-default MTU). Either change the MTU to match or apply ip ospf mtu-ignore to the interface.

ACLs: If an ACL is applied to an interface and the ACL is not permitting OSPF packets, the neighborship will not form. Verify the ACL with sh ip int [x/x]. Add permit ospf any any. Protocol 89.
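One evaluator for the three ACL cases in these notes (RIP on UDP/520 to 224.0.0.9, EIGRP as IP protocol 88, OSPF as IP protocol 89), as an added example that is not code from the notes. It implements Cisco extended-ACL semantics (first match wins, wildcard masks, implicit deny at the end) over entries written as tuples; the two ACLs and the neighbor addresses are constructed for the example, and the protocol/port table is the one given in the notes (OSPF also talks to 224.0.0.6 and EIGRP also unicasts, which this table does not cover).

```python
import ipaddress
from typing import List, Optional, Tuple

# One extended-ACL entry: (action, protocol, source, destination, destination port).
# source/destination are "any", "host <addr>" or "<addr> <wildcard>"; port is None unless "eq <port>".
Entry = Tuple[str, str, str, str, Optional[int]]


def _matches(addr: str, spec: str) -> bool:
    """Cisco wildcard-mask match: a 1 bit in the wildcard means 'do not care'."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec.split()[1]
    base, wildcard = spec.split()
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w) == 0


def acl_permits(acl: List[Entry], protocol: str, src: str, dst: str,
                dport: Optional[int] = None) -> bool:
    """First matching entry decides; an ACL always ends with an implicit 'deny ip any any'."""
    for action, proto, s, d, port in acl:
        if proto != "ip" and proto != protocol:
            continue
        if not (_matches(src, s) and _matches(dst, d)):
            continue
        if port is not None and port != dport:
            continue
        return action == "permit"
    return False


# Control-plane packet each IGP needs inbound on an interface, per the notes.
IGP_PACKETS = {
    "RIPv2": ("udp", "224.0.0.9", 520),      # UDP/520 to the all-RIPv2-routers group
    "EIGRP": ("eigrp", "224.0.0.10", None),  # IP protocol 88
    "OSPF": ("ospf", "224.0.0.5", None),     # IP protocol 89
}


def igps_blocked(acl: List[Entry], neighbor_ip: str) -> List[str]:
    """Which routing protocols an inbound ACL would silently break for hellos from neighbor_ip."""
    return [name for name, (proto, dst, port) in IGP_PACKETS.items()
            if not acl_permits(acl, proto, neighbor_ip, dst, port)]


# Constructed ACL that locks an interface down to SSH, HTTPS and ICMP: every IGP is dropped.
ACL_LOCKDOWN: List[Entry] = [
    ("permit", "tcp", "any", "any", 22),
    ("permit", "tcp", "any", "any", 443),
    ("permit", "icmp", "any", "any", None),
]

# Narrow fix: permit the protocol traffic from the link's own subnet only, rather than the
# 'permit ip any any' shortcut, which would make the rest of the ACL pointless.
ACL_FIXED: List[Entry] = [
    ("permit", "udp", "10.0.12.0 0.0.0.255", "host 224.0.0.9", 520),
    ("permit", "eigrp", "10.0.12.0 0.0.0.255", "any", None),
    ("permit", "ospf", "10.0.12.0 0.0.0.255", "any", None),
] + ACL_LOCKDOWN
```

Scoping the protocol entries to the link subnet keeps the ACL useful as a control-plane filter: a host on the same segment can still be a rogue speaker (authentication handles that), but hellos sourced from any other address are still denied.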

Mismatched Authentication: Both routers must agree on authentication settings for a neighborship. Can be enabled per interface or for all interfaces within an area. Supports three types:

Null: Type 0, no authentication.

Plain Text: Type 1, sends the key in plain text.

MD5: Type 2, sends an MD5 keyed hash of the packet; the key itself never goes on the wire.

if) ip ospf authentication (message-digest | null) !!! per interface. (null) = none, blank = plain text.

if) ip ospf authentication-key [key] !!! plain text.

if) ip ospf message-digest-key [#] md5 [key] !!! md5.

router) area [#] authentication (message-digest) !!! optional. sets the type per area; the key is still set on the interface. blank = plain text.

sh ip ospf !!! to see the setting for an entire area.

sh ip ospf int [x/x] !!! see whether auth is set & the key ID used with md5. if no auth, the section is missing.

sh run int [x/x] !!! to verify the string.

debug ip ospf adj !!! "mismatched authentication type, input packet specified type [#], we use type [#]".

Duplicate RID: RIDs must be unique to form neighbors; if not, a syslog message will read "%OSPF-4-DUP_RTRID_NBR: OSPF detected duplicate router-id [#] from [IP] on interface [x/y]". Verify the RID with any OSPF show command. If the RID is manually changed with the router-id command, reset the OSPF process with the clear ip ospf process command before it takes effect, or set the RID before enabling. RID preference is the router-id command, then the highest loopback interface IP, then the highest physical interface IP.
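The neighbor-formation checks above (area type, subnet, passive interface, ACL, MTU, authentication, duplicate RID) can be run as one pre-check before looking at debug output. The following is an added example, not code from the original notes: it compares two constructed interface records and predicts the state you would expect in sh ip ospf neighbor. The area-ID check and the field names are assumptions of the example.

```python
"""Adjacency pre-check for two OSPF interfaces (added example, not from the notes).

Models the blockers the notes list: duplicate RID, different subnets, passive
interface, ACL not permitting protocol 89, stub/transit option bit mismatch,
authentication mismatch and MTU mismatch (which leaves the pair stuck in
Exstart/Exchange rather than Down). The area-ID check is an addition.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class OspfInterface:
    rid: str                       # OSPF router ID of this router
    ip: str                        # interface address, e.g. "10.1.12.1/24"
    area: int
    area_type: str = "normal"      # "normal" | "stub" | "nssa" (hello option bits)
    mtu: int = 1500
    auth_type: int = 0             # 0 = null, 1 = plain text, 2 = MD5
    auth_key: str = ""
    passive: bool = False          # passive-interface: no hellos sent or accepted
    acl_permits_ospf: bool = True  # inbound ACL has "permit ospf any any"


def adjacency_problems(a: OspfInterface, b: OspfInterface) -> list:
    """Return the reasons a and b will not reach FULL; empty list means they should."""
    problems = []
    if a.rid == b.rid:
        problems.append("duplicate RID (%OSPF-4-DUP_RTRID_NBR)")
    if a.passive or b.passive:
        problems.append("passive interface on one side")
    if not (a.acl_permits_ospf and b.acl_permits_ospf):
        problems.append("ACL blocks IP protocol 89")
    net_a = ipaddress.ip_interface(a.ip).network
    net_b = ipaddress.ip_interface(b.ip).network
    if net_a != net_b:
        problems.append("different subnets (%s vs %s)" % (net_a, net_b))
    if a.area != b.area:
        problems.append("area ID mismatch")
    if a.area_type != b.area_type:
        problems.append("mismatched Stub/Transit area option bit")
    if a.auth_type != b.auth_type:
        problems.append("mismatched authentication type (%d vs %d)" % (a.auth_type, b.auth_type))
    elif a.auth_type != 0 and a.auth_key != b.auth_key:
        problems.append("authentication key mismatch")
    # MTU travels in the DBD packet, not the hello, so the neighbor is still
    # seen; it is the database exchange that stalls when MTUs differ.
    if a.mtu != b.mtu:
        problems.append("MTU mismatch (%d vs %d)" % (a.mtu, b.mtu))
    return problems


def predicted_state(a: OspfInterface, b: OspfInterface) -> str:
    """State you would expect in 'sh ip ospf neighbor' given the problems found."""
    problems = adjacency_problems(a, b)
    if not problems:
        return "FULL"
    if all(p.startswith("MTU mismatch") for p in problems):
        return "EXSTART/EXCHANGE"   # neighbor seen, database exchange never completes
    return "DOWN"                   # no neighbor at all: hellos dropped or ignored


if __name__ == "__main__":
    # Constructed sample: same subnet and area, MD5 on both sides, 1400-byte MTU on one.
    r1 = OspfInterface(rid="1.1.1.1", ip="10.1.12.1/24", area=0, auth_type=2, auth_key="s3cr3t")
    r2 = OspfInterface(rid="2.2.2.2", ip="10.1.12.2/24", area=0, auth_type=2, auth_key="s3cr3t", mtu=1400)
    print(predicted_state(r1, r2), adjacency_problems(r1, r2))
```

The check order matters: anything that stops hellos from being accepted (passive, ACL, subnet, area, option bit, authentication) leaves no neighbor at all, whereas an MTU mismatch alone shows a neighbor that never leaves Exstart/Exchange, which is the symptom the notes describe.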

Missing Routes:

Int Shut: Make sure the interface is up/up for routes to be advertised or a neighborship to be formed.

Interface Not Running OSPF: When the network area or ip ospf area commands are used, OSPF is enabled on the interfaces. OSPF takes the associated network/mask and injects it into the LSDB. Even interfaces that will not form neighborships with other routers need to be participating in the OSPF process for the interfaces' networks to be advertised. sh ip protocols will display the network statements and interfaces enabled.

Better Source of Info: For an OSPF-learned route to be installed in the routing table, it has to have the best AD. OSPF has an AD of 110 by default for intra-area, inter-area, and external routes. Use sh ip route [IP] [mask] to verify the routing source. To verify if a network is in the LSDB, issue sh ip ospf database router [IP]. sh ip ospf database will only display a summary of Type 1 (Router) LSAs; the router addition will display the contents of a specific router's LSA.

Route Filtering: A distribute list applied to the OSPF process controls which routes are installed into the routing table from the LSDB. This is different from EIGRP, which controls which routes are sent/received between neighbors. This is because all OSPF routers within an area must have the same LSDB. To verify if a route is in the LSDB, issue sh ip ospf database (router [IP]). To apply a route filter to OSPF, the distribute list is applied inbound (into the routing table), and the matching is done with ACLs, prefix lists, or route maps. Make sure the distribute list is in the correct direction and that the ACL/prefix list/route map is correct. sh ip protocols will verify if a distribute list is applied to the OSPF process.

Stub: Because all routers in an area need identical LSDBs, the LSAs within an area cannot be manipulated. However, you can manipulate the LSAs that go between areas by using stubs. Normal stub areas will not receive Type 5 (External) LSAs from an ABR. Totally stubby and totally NSSA areas will learn neither Type 3 (Inter-Area Summary) LSAs nor Type 5s; only a single default route is learned. Due to the default route, visibility of the overall network is lost, potentially producing suboptimal routing. NSSA areas allow external routes to be injected into the NSSA area; this is done by using Type 7 (NSSA External) LSAs for the external routes within the NSSA area, but converting them to Type 5s at the ABR. The NSSA router connected to the external networks becomes an ASBR. Normal NSSA areas will not receive a default route, but totally NSSA areas will. Verify with sh ip ospf.

Wrong DR Elected: On a multi-access network, rather than having all routers form a full mesh of adjacencies, a DR is elected and all other routers on the segment form an adjacency with the DR (the DR is actually a pseudonode). The rest of the routers (DROthers) will form "2-Way" adjacencies with one another, and if a BDR exists, they will form full adjacencies with it as well. A DR is elected based on priority; higher is preferred. If priorities are equal, the DR is elected by the highest OSPF RID. BDR election uses the same criteria. On a multi-access Ethernet topology or a full-mesh Frame Relay topology, the DR placement doesn't matter. Over hub-and-spoke NBMA networks such as Frame Relay or a DMVPN, the DR placement does matter; the DR needs to be reachable via a single hop. Hellos are established with the multicast address 224.0.0.5, and the DR is reachable at the multicast address 224.0.0.6; packets destined to these two multicast addresses will not be relayed by other routers. To verify DR placement, use sh ip ospf int [x/y] on each router. Force the hub to be the DR by preventing the spokes from participating in the DR election with the interface command ip ospf priority 0.

Duplicate RIDs: RIDs are used during the formation of neighborships and to determine which router is advertising a specific LSA. In the same area, the routers are going to see Type 1 (Router) LSAs about networks they do not know about, from a RID the same as their own, making them think they generated the LSA. A router will not use information contained in an LSA it receives that it generated itself, because it indicates there is a loop. This leads to missing routes. Duplicate RIDs in different areas would cause the physical OSPF topology to be different from what the SPF algorithm sees it as. This can cause routing issues because some routes may not be passed between areas, causing the LSDB and the routing tables to be incomplete. Verify RIDs with sh ip protocols.

OSPFv3 for IPv6: Uses the multicast group addresses FF02::5 (all OSPFv3 routers) and FF02::6 (OSPFv3 DR/BDR).

config) ipv6 router ospf [#] !!! to enable the process.

router) router-id [x.x.x.x] !!! assign an rid if no ipv4 addresses are on the router.

if) ipv6 ospf [#] area [#] !!! to enable per interface.

sh ipv6 protocols !!! process id, rid, abr/asbr, # of areas, stub/nssa areas, ints, redistribution, etc.

sh ipv6 ospf !!! global ospfv3 settings, pid, rid, abr/asbr, timers, areas, type of area, stub, reference bandwidth, authentication, etc.

sh ipv6 ospf int (brief) (x/y) !!! network type, cost, authentication, dr/bdr, priority, timers.

sh ipv6 ospf nei !!! verify adjacency, neighbor's rid, priority, state, dead timer, local interface.

sh ipv6 ospf database !!! verify lsas collected and placed in lsdb.

sh ipv6 route ospf !!! verify ospfv3 routes installed in the routing table.

sh ipv6 int [x/y] !!! verify whether the interface is listening to the multicast group address, mtu, acls.

OSPFv3 Address Families: Enable you to configure a single process that will support both IPv4 and IPv6. A single database is maintained for both. Both OSPF for IPv4 and OSPF for IPv6 will use IPv6 to exchange routing info; ipv6 unicast-routing must be enabled! OSPFv2 and OSPFv3 AFs are not compatible.

sh ip route ospfv3 !!! to verify the ipv4 ospfv3 entries.

sh ipv6 route ospf !!! to verify the ipv6 ospfv3 entries.

sh [ip|ipv6] protocols !!! will show the usual information.

sh ospfv3 !!! displays the same info as "sh ip ospf" and "sh ipv6 ospf", separated per af.

sh ospfv3 int bri !!! displays interfaces participating for each af.

sh ospfv3 int [x/y] !!! detailed int config with rid, network type, cost, dr/bdr, timers. separated per af.

sh ospfv3 nei !!! normal display, separated per af.

sh ospfv3 database !!! normal display, separated per af.

debug ospfv3 (af) (events|packets|hellos|adj) !!! address family is optional, as well as options.

Adjacencies are established individually for each AF and settings can be configured per AF. Any parameter configured under the main router OSPFv3 configuration mode will apply to all address families. If there are conflicts between configurations in router and AF modes, the AF mode takes precedence. OSPFv3 is enabled per interface with ospfv3 [PID] (ipv4|ipv6) area [#]. Interface parameters are still configured in interface mode as well. If you do not specify the AF (ipv4|ipv6), the parameter will apply to all AFs. If the config is applied to the AF, it will apply only to that AF.

config) router ospfv3 [pid]

router) area [#] stub !!! applies to all afs.

router) address-family [ipv4|ipv6] unicast (vrf) !!! enter into a single af.

router-af) passive-interface default !!! change settings per af.

router-af) exit-address-family !!! exit.

if) ospfv3 [pid] (ipv4|ipv6) area [#] !!! enable per interface.

Route Maps and Policy-Based Routing

Route maps provide a more granular level of control than ACLs/prefix lists etc. When used with redistribution, you can treat each route, or group of routes, differently (metric cost/type manipulation, tagging). Heavily used with BGP for path manipulation. Driving force behind PBR, allowing you to control forwarding (next-hop IP/interface) based on source, tag, ports, etc.

Can be displayed with sh run | s route-map or sh route-map (name). Identified by a name. There may be one or more sequences, defined by a number. Sequences can be permit or deny; if not stated, permit is the default. For redistribution, permit means to redistribute the route, while deny means to not redistribute the route. For PBR, permit means to PBR route the packet, while deny means to route the packet normally with the routing table. Within a sequence there may be match and set clauses. If there are multiple match criteria in a single match statement, they function with "OR" logic, while multiple separate match statements function with "AND" logic. If there is no match clause in a sequence, it will match all (a set clause can still be added).

Top-Down Processing: Lowest sequence to highest.

Immediate Execution Upon Match: If a match clause matches the traffic in question, the process stops and the actions in the set clause are executed. If no match is found, the next sequence is checked.

Implicit Deny Any: If no sequence matches the traffic, any remaining traffic is treated as though it matched a deny, like an ACL.

PBR: You can create user-defined policies that manipulate how traffic will be routed through a network, using route maps. By default, traffic is routed based on the destination IP of a packet. With PBR you can override this behavior and have traffic routed based on different parameters (matched per ACL (with port #s)/prefix list/inbound interface). When troubleshooting, verify the traffic's path with a traceroute. sh route-map will indicate the number of packets that have been matched at the end. PBR can be monitored in real time with debug ip policy. Output will show a "policy match", the "route map", the "item #", "permit"/"deny", and "policy routed"/"policy rejected -- normal forwarding".

How the Policy is Applied: PBR is only applied to inbound packets on an interface (ip policy route-map [name]), or to locally generated packets by the router (ip local policy [name]). You must ensure that the correct PBR route map is applied to the correct interface/router. Verify with sh ip policy to see the route map name and interface. sh ip local policy will verify PBR applied to the router.

Route Map Order: Verify that permit sequences are used to match traffic you do want to PBR. Remember the "implicit deny". Use sh route-map to verify contents.

What Traffic is Being Matched: You can match with ACLs, prefix lists, inbound interfaces, and others. Verify match statements with sh route-map and contents with sh ip access-list or sh ip prefix-list. If there is no match clause, match all!

What Action Performed: Verify the set clause with sh route-map. PBR can be used to set the next-hop IP or exit interface. If the default keyword is used, the router will route the packet normally, but if there is no non-default route, it will PBR route the packet.
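The route-map processing rules above (lowest sequence first, OR inside one match statement, AND between statements, match-all when there is no match clause, first match wins, implicit deny) are easy to get wrong when reading a long map. The following is an added example, not code from the original notes: a small evaluator that applies those rules to constructed route maps, ACLs and routes/packets. The ACL names, prefixes, tags and dictionary layout are assumptions of the example.

```python
"""Route-map evaluation semantics (added example, not from the notes).

Sequences are walked lowest to highest; criteria inside one match statement
are OR'ed; separate match statements are AND'ed; a sequence without a match
clause matches everything; the first matching sequence decides (permit applies
its set clause, deny stops the route/packet); no match hits the implicit deny.
"""
import ipaddress


def acl_permits(acl, prefix):
    """Standard ACL as an ordered list of (action, network); first hit wins,
    implicit deny at the end; the route's network address is what is tested."""
    addr = ipaddress.ip_network(prefix).network_address
    for action, network in acl:
        if addr in ipaddress.ip_network(network):
            return action == "permit"
    return False


def criterion_matches(kind, value, item, acls):
    """One criterion of a match statement against a route/packet dict."""
    if kind == "ip address":          # match ip address <acl>
        return acl_permits(acls[value], item["prefix"])
    if kind == "tag":                 # match tag <n>
        return item.get("tag") == value
    if kind == "interface":           # match interface <name> (PBR inbound interface)
        return item.get("interface") == value
    raise ValueError("unsupported match kind: %s" % kind)


def evaluate(route_map, acls, item):
    """Return (action, sequence, set_clause); sequence None means the implicit deny."""
    for seq in sorted(route_map, key=lambda s: s["seq"]):
        statements = seq.get("match", [])        # list of (kind, [values]): AND across
        if all(any(criterion_matches(kind, v, item, acls) for v in values)   # OR within
               for kind, values in statements):
            if seq["action"] == "deny":
                return ("deny", seq["seq"], {})
            return ("permit", seq["seq"], dict(seq.get("set", {})))
    return ("deny", None, {})                    # implicit deny any


# Constructed sample data (not from the notes).
ACLS = {
    "ACL10": [("permit", "10.1.0.0/16")],
    "ACL20": [("deny", "172.16.5.0/24"), ("permit", "172.16.0.0/16")],
}
# Redistribution map: tag one block, drop anything already tagged 200, pass the rest.
RM_REDIST = [
    {"seq": 10, "action": "permit", "match": [("ip address", ["ACL10", "ACL20"])], "set": {"tag": 100}},
    {"seq": 20, "action": "deny", "match": [("tag", [200])]},
    {"seq": 30, "action": "permit"},            # no match clause: matches all
]
RM_STRICT = RM_REDIST[:2]                      # same map without the catch-all
# PBR map: both statements must match (AND): source in ACL10 AND arriving on Gi0/1.
RM_PBR = [
    {"seq": 10, "action": "permit",
     "match": [("ip address", ["ACL10"]), ("interface", ["Gi0/1"])],
     "set": {"ip next-hop": "192.0.2.1"}},
]
```

A deny result from RM_REDIST means "do not redistribute", while the same result from RM_PBR means "forward normally with the routing table", exactly the two readings of deny the notes give; the evaluator itself does not need to know which use the map is put to.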

Redistribution

Allows routes learned via one source to be injected into a routing protocol. If two routing protocols are mutually redistributed, the routes learned via each are injected into the other. A router that connects two or more routing domains and will be the point of redistribution is known as a boundary router. Redistribution occurs from the routing table into a routing protocol's data structure (topology table/LSDB). The two prerequisites for routes to be redistributed are for the route to be installed in the boundary router's routing table by the protocol being redistributed and for the destination routing protocol to have a reachable metric to assign to the redistributed routes.

Because different routing protocols use different types of metrics, routes being redistributed into a different routing protocol need a seed metric assigned. The seed metric is needed to communicate relative levels of reachability between dissimilar routing protocols' metrics. It can be assigned in three ways: a route map added to the redistribute command; the metric parameter in the redistribute command; or the default-metric router command. They are listed in the order of preference should there be multiple values assigned. If there is no seed assigned, the default is used; RIP and EIGRP have a default seed metric that is considered unreachable, while OSPF has a default seed of 20 (unless it's a BGP route being redistributed, which would have a seed of 1). When redistributing into BGP, BGP will use the exact metric of the IGP. For EIGRP and RIP, you do not need to specify a metric when redistributing static or connected routes. For EIGRP to EIGRP, you do not have to specify a metric as the original metric is preserved.

EIGRP and OSPF can tag routes as either internal or external and give priority to internal routes. The capability to distinguish between both types can help prevent routing loops (when two routing protocols continually redistribute the same routes into one another at multiple redistribution points).

If you are redistributing from BGP into OSPF, EIGRP, or RIP, only eBGP routes will be redistributed by default. If you want iBGP routes to be redistributed, the router command bgp redistribute-internal must be issued.

Source Routing Protocol: Verify that a route being redistributed from a routing protocol has been learned by that routing protocol. Verify the topology table or routing database.

Route Selection: Ensure that the routes from the source routing protocol are being injected into the router's routing table. sh ip route [IP] [mask].

Redistribution Configuration: Check the metric being applied, check for route filtering, and check the syntax of the redistribution command for the correct process ID, AS #, and route-map name.

Destination Routing Protocol: Check the destination routing protocol. A redistributed route may be marked as external; check the destination routing protocol to determine if it treats external routes differently than internal routes.

Redist. into RIP: Options are limited; when redistributing from EIGRP, BGP, static, or connected, the only options are metric and route-map. The most common issue is related to the metric; by default, the seed is set to infinity. If you don't set one, routes will not be advertised to other routers in the RIP domain. If you configure the metric too high at the redistribution point, the route may become unreachable after a few hops within the RIP domain. Check for a route-map being applied to see if there are any issues there.

When redistributing OSPF into RIP, there is the additional option to match internal, external (1 or 2), nssa-external, or a combination of types. With RIPng, the issues are the same, with the addition of connected networks not being redistributed by default without the include-connected keyword. Verify redistribution on the boundary router with sh ip protocols, and the routes that were redistributed with sh ip rip database. Verify other routers in the domain are learning with sh ip route as well as sh ip rip database. Verify RIPng with sh ipv6 protocols.

Redist. into EIGRP: Similar to RIP, you have the metric and route-map options, as well as match when redistributing from OSPF (internal, external, nssa-external, or a mix). By default, the seed metric is set to infinity; if the metric (k-values) is not manually set, routes will not be advertised. You do not have to worry about setting the metric too high as in RIP; however, consider if high metrics will cause suboptimal traffic flow if there are multiple redistribution points in the routing domain. Again, when using IPv6, connected routes are not advertised by default without including the include-connected parameter. Verify redistribution is enabled with sh ip protocols, review the topology table with sh ip eigrp topology ("via Redistributed"), and verify routes/metrics with sh ip route [IP]. On routers within the EIGRP domain that are not the boundary router, sh ip route will display the routes with a code of "D EX" and an AD of 170. To verify with IPv6, use sh ipv6 protocols, sh ipv6 eigrp topology, and sh ipv6 route.

Redist. into OSPF: When redistributing into OSPF, there are more options:

Metric: There as usual, but not necessary as there is a default of 20.

Metric-Type: Allows you to define the type of external route; default is Type 2 (E2), which preserves the seed metric for external routes. Type 1 (E1) allows each router to take the seed metric and add to it all the other link costs to reach the redistribution point in the domain.

NSSA-Only: Allows you to limit redistributed routes to the NSSA area only.

Route-Map: Allows you to use a route map to granularly control routes.

Subnets: Extremely important, as without it only classful networks will be redistributed (/8, /16, /24).

Tag: Allows you to add tags to the routes so the routes can be referenced by the tag at a later point for filtering or manipulation.

Include-Connected: For IPv6/OSPFv3, will redistribute local interfaces, which isn't done by default on OSPFv3 as it is in OSPFv2.

Verify with sh ip protocols. Routes redistributed into a normal area will be advertised with a Type 5 (External) LSA, while routes redistributed into an NSSA or totally NSSA area will be advertised with a Type 7 (NSSA) LSA, then converted to a Type 5 at an ABR. View the routes being injected into the LSDB with sh ip ospf database and scroll down to the Type 5/7 sections. On the boundary router/ASBR, sh ip route [IP] will verify how the route is known, how it is redistributed, and how it is advertised. On other routers, sh ip route will, by default, show an AD of 110 and a code of "O E2". If the metric type is changed, the code will be "O E1", and NSSA areas will appear as "O N1/2". Verify OSPFv3 with sh ipv6 protocols and sh ipv6 ospf database on the ASBR.

Redist. into BGP: Same options as RIP/EIGRP; metric and route-map by default, and if injecting OSPF, match. Only internal OSPF routes will be redistributed by default! The metric is not required because BGP will use the IGP metric by default. For IPv6, the same include-connected keyword is applicable. Verify with sh ip protocols and sh ipv6 protocols. In sh bgp all, the BGP table will show redistributed routes with a "?" under the "Path" column.

Suboptimal Routing: Can lead to users experiencing slow connectivity. When redistributing, the original routing source's information is lost when the seed metric is injected at the redistribution point; overall network visibility is lost. This is not an issue when there is only one point of redistribution, but if there are multiple points between two sources, a suboptimal path may be chosen. You can recognize this issue from a topological diagram in addition to using traceroute. You can solve this issue by providing different seed metrics on the boundary routers that will ensure a certain path is preferred because it has a lower overall metric.

When redistributing EIGRP into OSPF, routes will have a default seed metric of 20 and be classified as E2 (the metric won't be incremented). You can simply make the preferred ASBR advertise a lower seed metric to ensure that optimal routing is achieved. If using type E1, the cost of links within the network is added to the seed metric. Based on the topology, you need to be able to recognize mutual redistribution and the different speeds of the links. Based on the routing protocols used, identify how the seed metric is determined and how it behaves. Know how to fix issues by manipulating metrics on the boundary routers with the default-metric command, the metric parameter in the redistribute command, or with a route map.

Internal prefix information should always be preferred over external information. Prefixes should never be redistributed back into a routing domain that they were originally distributed from. A topological diagram is mandatory if you expect to solve issues quickly and efficiently.

Route Map Issues: When applying a route map, verify that you are using the correct route map, that statements are correctly a permit/deny (permit matches what will be redistributed), that ACLs/prefix-lists are correct, and that the set statement is applying the correct values. Extended ACLs with redistribution use [(host) IP (WC_mask) (host) host_mask (WC_mask)] logic! If a route does not match any match statements, it hits the "implicit deny" and will not be redistributed. If a route map is applied to a redistribute command and doesn't exist, no routes will be redistributed. Verify with sh route-map and sh run | s route-map.


Routing Loop Example: When the RIP network is redistributed into EIGRP, it is classified as an external route with the code "D EX" and an AD of 170. When the two boundary routers redistribute the same route into OSPF (using a Type 5 External LSA), it will have code "O E2" and an AD of 110. These advertisements are flooded throughout the OSPF area; therefore, the two boundary routers will hear one another's advertised LSAs. Each router is now receiving two advertisements for the RIP network, one from the EIGRP domain with an AD of 170, and one from the OSPF domain with an AD of 110. The lower AD of OSPF routes causes the routers to point to one another to get to the RIP network, causing a routing loop.

In addition, the RIP network was originally in both boundary routers as an EIGRP external route with an AD of 170.

Now that both routers are learning about the same network from one another from the OSPF domain, the OSPF route will be preferred with an AD of 110. This causes the OSPF route to replace the EIGRP route on both routers, in turn making the EIGRP route no longer eligible for redistribution into OSPF. Now that the route is no longer in OSPF, the original EIGRP external route from RIP will be reinstalled, and once again sent into OSPF. This flapping will cycle repeatedly and can be seen with debug ip routing.

The root of this issue is the difference in AD; OSPF's 110 is better than external EIGRP's 170. To fix this, you'll either have to lower the AD of the external EIGRP routes on both routers below 110, or increase the AD of the OSPF-learned routes on both routers above 170. The goal is to make the external EIGRP-learned routes preferred. This is achieved with the distance command on both routers to change AD values.

The router distance [eigrp|ospf|AD,IP,WC,(ACL)] command can either apply to all internal and external routes, or a specific IP (with an optional ACL). If you choose to lower external EIGRP's AD, it will need to be 109 or lower; if you raise OSPF's AD, it will need to be 171 or higher.

Another way to solve this issue is with a distribute list on the OSPF process on both routers. This will deny the RIP network's route in the OSPF database from being installed in the routing table, allowing the EIGRP route to stay.

A third way to solve this is with route tags. Both routers can add a tag when the route is redistributed via route maps. Permit the route via a match ACL/prefix-list statement, set a tag, and permit any other route. Apply this route map to the EIGRP-to-OSPF redistribution command. This will only tag the route; to prevent the tagged OSPF route from entering back into EIGRP, you need to deny the route at the opposite router from entering EIGRP. This is also done via another route map with a deny sequence matching the respective tag (permitting all else!), applied to the OSPF-to-EIGRP redistribution command. Do this on both routers!
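The AD feedback loop above, and the seed-metric/AD discussion in the redistribution notes before it, can be played out as a round-by-round simulation. The following is an added example, not code from the original notes: two boundary routers, an external EIGRP route (AD 170) and the same prefix re-learned via OSPF (AD 110), with the distance and distribute-list fixes applied as parameters. The router labels, the round-based model and the stability test are assumptions of the example.

```python
"""Administrative-distance feedback loop between two boundary routers
(added example, not from the notes). Plays out the mutual EIGRP/OSPF
redistribution described above and shows why the 'distance' and
'distribute-list' fixes stop the flapping. Default ADs are the ones quoted
in the notes: 170 for external EIGRP, 110 for OSPF.
"""

EIGRP_EX = "D EX"   # external EIGRP route originally redistributed from RIP
OSPF_E2 = "O E2"    # the same prefix as re-learned from the other boundary router


def step(installed, ad_eigrp_ext, ad_ospf, filter_ospf):
    """One convergence round for both boundary routers at once.

    installed: tuple with the route source currently in each router's RIB.
    A router only redistributes the prefix into OSPF while its RIB holds the
    EIGRP-sourced route; only then does the other router see an O E2 candidate.
    filter_ospf models a distribute-list on the OSPF process that refuses to
    install the prefix from the LSDB.
    """
    redistributing = [src == EIGRP_EX for src in installed]
    new = []
    for me in (0, 1):
        other = 1 - me
        candidates = [(ad_eigrp_ext, EIGRP_EX)]
        if redistributing[other] and not filter_ospf:
            candidates.append((ad_ospf, OSPF_E2))
        new.append(min(candidates)[1])          # lowest AD wins the RIB
    return tuple(new)


def simulate(ad_eigrp_ext=170, ad_ospf=110, filter_ospf=False, rounds=6):
    """Return the RIB contents of (router A, router B) after each round."""
    state = (EIGRP_EX, EIGRP_EX)                # both start with the RIP-derived route
    trace = [state]
    for _ in range(rounds):
        state = step(state, ad_eigrp_ext, ad_ospf, filter_ospf)
        trace.append(state)
    return trace


def is_stable(trace):
    """True when the last rounds no longer change, i.e. no flapping."""
    return trace[-1] == trace[-2] == trace[-3]


if __name__ == "__main__":
    print("defaults       :", simulate())                    # flaps every round
    print("distance 109   :", simulate(ad_eigrp_ext=109))    # EIGRP external preferred
    print("distance 171   :", simulate(ad_ospf=171))         # OSPF demoted below 170
    print("distribute-list:", simulate(filter_ospf=True))    # O E2 never installed
```

With the defaults the trace alternates between both routers holding D EX and both holding O E2, which is the flap the notes say debug ip routing exposes; any of the three fixes leaves D EX installed on both routers from the first round on.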

BGP

BGP establishes neighbor adjacencies manually, making it more prone to human error. There are two types, iBGP (internal) and eBGP (external). Keeps a route table separate from the IP routing table. Sends full updates, then partial.

sh bgp ipv4 unicast summary !!! same as below.

sh ip bgp summary !!! use for initial verification of neighbors. neighbor, version, as, state, prefixes etc.

sh bgp ipv4 unicast neighbor (ip) (advertised-routes|routes) !!! same as below.

sh ip bgp neighbor (ip) (advertised-routes|routes) !!! very verbose, add filters.

"%BGP-5-ADJCHANGE: neighbor [ip] Up" !!! ex. syslog message.

Neighbor Adjacency Issues:

Interface (Peer) Down: The interface must be up/up, including physical or logical interfaces (loopback). Loopbacks are used when there are redundant paths. If one path fails, the neighborship will still be available using another local physical interface since the loopback is the source and destination of packets. Verify with sh ip int brief.

L3 Connectivity Broken: While you don't have to be directly connected to form a BGP neighborship, or even be in the same subnet, you need to have L3 connectivity to the neighbor. In sh bgp ipv4 unicast sum, the "State/PfxRcd" column will display "Idle". This happens when the local router is unable to make a TCP connection with the neighbor. Review the routing table with sh ip route [IP] 255.255.255.255 and ping (using a source) the remote router.

Path to Neighbor is via Default Route: You may be able to ping the neighbor via a default route; however, BGP requires a route other than the default route to form an adjacency. sh bgp ipv4 unicast sum will display a state of "Idle", indicating that it cannot form a TCP connection.

Neighbor Doesn't Have A Route To Local Router: Both routers forming a BGP peering must have routes to one another (or to the loopbacks). If a neighbor doesn't have a route back to the local router, the neighbor will be "Idle" in sh bgp ipv4 unicast sum.

Incorrect Neighbor Statement: The IP and AS # in the neighbor [IP] remote-as [#] statement must be accurate. If the AS #s match, there will be an iBGP peering. If a route is found and a three-way TCP handshake is completed, an open message is sent. If there is no response to the open message, the state will be "Active". Verify TCP sessions with sh tcp brief all. If the AS # does not match the peer's AS #, the state will flap between "Idle" and "Active". A syslog message is generated reading "%BGP-3-NOTIFICATION: sent to neighbor [IP] passive 2/2 (peer in wrong AS) 2 bytes FFDD".

ACLs: Make sure you're not blocking TCP port 179. Neighbors will have a state of "Idle" if they can't establish a TCP session. If an ACL is blocking port 179 in only one direction, a neighborship will still form because BGP sessions are server/client. The server uses port 179 while the client uses an ephemeral port. By default, both routers will try to establish a TCP session by sourcing a packet from an ephemeral port, with a destination port of 179. This causes two sessions when there can only be one, called a "BGP connection collision". BGP solves this automatically (the higher BGP RID will win). You can control the client/server role with neighbor [IP] transport connection-mode [active | passive]. Active (initiate the TCP session) for the client, passive (passively wait for the TCP session) for the server. sh bgp ipv4 unicast neighbor will show the local and remote ports; to filter, append | i BGP neighbor|Local port|Foreign port.

TTL of BGP Packet Expired: Happens if a peer is further away than permitted. By default, eBGP peering is between directly connected routers (within 1 hop) while iBGP can be up to 255 hops away. sh bgp ipv4 unicast nei | in BGP neighbor|TTL will show "External BGP neighbor may be up to [#] hops away". If the TTL isn't large enough to support the distance required, the BGP packet will be discarded. Since loopbacks are not directly connected, they will make an eBGP peering fail by default. sh bgp ipv4 unicast sum will display the configured neighbor with a state of "Idle". The TTL of eBGP packets can be changed using the command neighbor [IP] ebgp-multihop [TTL]. Once fixed, sh bgp ipv4 unicast sum should show a "State/PfxRcd" with a number.

BGP Packets Sourced From Wrong IP: The source IP of an inbound BGP packet must match the local neighbor statement. In redundant topologies, a BGP router will have multiple active IPs across its interfaces. When you configure a neighbor, the IP specified is used to determine if the open message came from a router it should establish a BGP peering with. A BGP open message will contain a source IP, which is compared against the IP in the neighbor command; only if they match will a BGP peering form. The source IP is based on the exit interface of the router sending the BGP open message. To control the IP that is used when sending BGP messages, use the neighbor [IP] update-source [x/y] command. Often set to a loopback interface. It is important that both ends be configured appropriately. Make sure ebgp-multihop is configured as well.

Mismatched Auth: Both routers must agree on authentication parameters. BGP supports MD5 authentication. If syslog messages are enabled, a message will read "%TCP-6-BADAUTH: No MD5 digest from [IP](179) to [IP](port#) tableid - 0". The state will be "Idle" as well.

Timers: Don't have to match; BGP will use the lowest set between neighbors. However, if the "minimum holddown from neighbor" option is set, this may prevent a neighbor adjacency. If the neighbor sends a timer that is below the minimum, they will not form a neighborship. The command appears as neighbor [IP] [hello] [holddown] (min. holddown).
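The neighbor-adjacency causes above each map to a configuration fact on one or both peers, so they can be checked together before reading debug output. The following is an added example, not code from the original notes: it holds both peers' neighbor settings in constructed records and predicts the state sh bgp ipv4 unicast summary should show, using the state each cause is given in the notes (Idle for TCP-level failures, Idle/Active flapping for a wrong remote-as). The field names, AS numbers, addresses and keys are assumptions of the example, as is the "Active" verdict for a session whose OPEN arrives from an unconfigured source IP.

```python
"""Predict a BGP session's state from both peers' configuration (added example,
not from the notes). Each check mirrors a cause listed above: no non-default
route to the neighbor, TCP 179 blocked, OPEN sourced from an IP that is not in
the other side's neighbor statement, eBGP TTL too small for the distance, MD5
mismatch and a wrong remote-as.
"""
from dataclasses import dataclass


@dataclass
class BgpPeer:
    local_as: int
    neighbor_ip: str                  # neighbor [IP] remote-as ...
    remote_as: int
    update_source: str                # IP the router sources the session from
    ebgp_multihop: int = 1            # TTL; eBGP defaults to directly connected
    md5_key: str = ""                 # neighbor [IP] password ...
    has_specific_route: bool = True   # route to neighbor_ip other than the default
    acl_blocks_179_in: bool = False   # inbound ACL drops TCP/179 on this side


def session_problems(a: BgpPeer, b: BgpPeer, hops: int) -> list:
    """Ordered findings; TCP-level problems first, then OPEN-message problems."""
    problems = []
    if not (a.has_specific_route and b.has_specific_route):
        problems.append("no non-default route to the neighbor")
    # Only one side needs to reach port 179: the other direction uses an
    # ephemeral source port and the collision logic keeps that session.
    if a.acl_blocks_179_in and b.acl_blocks_179_in:
        problems.append("TCP 179 blocked in both directions")
    if a.update_source != b.neighbor_ip or b.update_source != a.neighbor_ip:
        problems.append("OPEN source IP does not match the neighbor statement (update-source)")
    ebgp = a.local_as != b.local_as
    ttl = min(a.ebgp_multihop, b.ebgp_multihop)
    if ebgp and hops > ttl:
        problems.append("eBGP TTL expired: %d hops away, ebgp-multihop %d" % (hops, ttl))
    if a.md5_key != b.md5_key:
        problems.append("%TCP-6-BADAUTH: MD5 digest mismatch")
    if a.remote_as != b.local_as or b.remote_as != a.local_as:
        problems.append("peer in wrong AS (NOTIFICATION 2/2)")
    return problems


def expected_state(a: BgpPeer, b: BgpPeer, hops: int) -> str:
    """State column of 'sh bgp ipv4 unicast summary' you would expect to see."""
    problems = session_problems(a, b, hops)
    if not problems:
        return "Established"
    if problems == ["peer in wrong AS (NOTIFICATION 2/2)"]:
        return "Idle/Active"   # TCP completes, OPEN is rejected, session keeps flapping
    if len(problems) == 1 and problems[0].startswith("OPEN source IP"):
        return "Active"        # assumption: IOS keeps retrying TCP against an unknown peer
    return "Idle"              # no TCP session can be built


if __name__ == "__main__":
    # Constructed sample: eBGP between loopbacks two hops apart, MD5 on both ends.
    r1 = BgpPeer(65001, "2.2.2.2", 65002, "1.1.1.1", ebgp_multihop=2, md5_key="bgp-key")
    r2 = BgpPeer(65002, "1.1.1.1", 65001, "2.2.2.2", ebgp_multihop=2, md5_key="bgp-key")
    print(expected_state(r1, r2, hops=2), session_problems(r1, r2, hops=2))
```

The hop count is passed in separately because it is a property of the topology, not of either router's configuration; it is what decides whether a loopback-to-loopback eBGP session needs ebgp-multihop at all.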

Misconfigured Peer Group: When a BGP-enabled router sends updates, it builds a separate update for each neighbor. A large number of neighbors can have a significant impact on the CPU. Peer groups help with this since the router will only need to build an update once for an entire group instead of per neighbor. Although the update is only built once, the TCP transmission will occur per neighbor. Also allows for less typing/configuration. Create with neighbor [name] peer-group. Common issues are:

Not Associating the Neighbor with the PG: After the peer group is created, the neighbor still needs to be manually defined as well as associated with the peer group with the command neighbor [IP] peer-group [PG Name].

Not Configuring the PG Correctly: What works for one neighbor may not work for another. I.e., an update source of a loopback may work for an iBGP peer but not an eBGP peer.

A Route Filter Applied to the Group is Not Appropriate for all Peers.

Order of Operations: If there are conflicts between the PG configuration and a specific neighbor statement, the neighbor statement wins.

Missing Routes: Routes can be verified with sh bgp ipv4 unicast (sh ip bgp). This will include BGP-learned routes or routes locally injected into BGP (with the network mask, redistribute, or summary-address commands). Includes codes indicating a route's validity, best path, RIB-failure, etc. as well as each route's individual next-hop, metric, local preference, weight, and AS path (right to left). The source of these routes is not fully clear; however, a network with a "Next hop" of "0.0.0.0" indicates it was originated by the local router, otherwise it was learned from a peer. If the Path column ends in a "?" it was redistributed into BGP at some point, and if it ends in an "i", the route was injected with the summary-address or network mask command. sh ip route bgp will display BGP routes in the routing table, each beginning with a "B". Append longer-prefixes to see subnets.

Missing/Bad Network Mask Command: This command is used to advertise routes into BGP. The network/prefix being advertised has to be in the routing table from another source. Additionally, the command must be an exact match to the network/prefix listed in the routing table. Summary addresses will not work! Verify with sh run | s router bgp and ensure statements exactly match networks in sh ip route. The mask is not actually required, but network is classful without it.

Route Filtering: Determine whether there is a route filter applied, and if it is the cause of the missing routes. sh bgp ipv4 unicast will show you if BGP knows of a route. To determine if a router is receiving a route, use sh bgp ipv4 unicast neighbor [IP] routes; this displays routes learned after local filters have been applied. To check if the other router is sending a route, use sh bgp ipv4 unicast neighbor [IP] advertised-routes. Use sh ip protocols to verify an incoming filter. Filters listed there will apply to the entire BGP process. Filters can additionally be added directly to a neighbor (not an interface!) using the neighbor [IP] [distribute-list | prefix-list | route-map | filter-list] [in | out] commands. These can also be verified with sh ip protocols, just lower, with the exception of a prefix list. This will only show in a sh run or sh bgp ipv4 unicast neighbors [IP] | in prefix|filter|Route map.

Next-Hop Router Not Reachable: If you are seeing BGP routes in the BGP table but they are not appearing in the routing table, the router may not be able to reach the next-hop. Run sh bgp ipv4 unicast and look at the status codes on the left. Below, R5 has the network listed as valid (*) and internal (i), but not the best path (>). This is because a path to the next-hop IP is not known by R5. Appending the next-hop IP to the command would display the route with "no best path" and as "inaccessible". A ping to the next-hop would fail as well.

<C# sh %gp ipv> unicast

* indicates a networ+ is valid.

L indicates a networ+ is the %est path and will end up in the routing ta%le.

i indicates the route was learned via i%gp.

Hetwor+ He t Kop 1etric ,oc2r Weight 2ath

^ i 9. . .9' R . . . 9 99 9 RCC9 i

7his is due to the act that the ne t-hop or E52 routes outside o an AS should %e the 02 o the routerlearning the route rom the e ternal AS 8< ) and advertising it to the internal AS. Kowever$ % de ault$E52 will not change the ne t-hop since E52 is %ased on AS hops$ not router hops. 7here ore$ % de ault$the ne t-hop is the 02 o the router advertising the networ+ rom the ne t-hop AS 8< ). 7o get <C to

8/16/2019 Tshoot Notes Radical

http://slidepdf.com/reader/full/tshoot-notes-radical 32/41

learn how to reach < ou could create a static de ault route on < and </ to < and advertise theroute into the 052$ advertise < 6s address directl into the 052$ or create a static'static de ault route on<C to < . 7he easiest'%est wa to solve this is with the neigh%or [02] ne t-hop-sel command on < and</. 7his allows an edge router to change the ne t-hop address to its own address %e ore advertising aroute to a peer.

Pri ate 2, $umbers : E52 AS num%ers also have a private range. 0n the -% te AS range$ it is R>$C toRC$C/> and in the >-% te AS range$ it is >$ 99$999$999 to >$ Y>$YR?$ Y>. 7hese can %e used or networ+sthat are single-homed or dual-homed to the same 0S2 to preserve pu%lic AS num%ers or networ+s thatare multi-homed to multiple 0S2s. 7hese should %e used in customer networ+s and must not %e in theASX2A7K when routes are advertised to the 0nternet since multiple AS6s could %e using the same privateAS num%ers. 0 private AS num%ers are sent into the glo%al E52 ta%le$ this can %e stopped with neigh%or[02] remove-private-as.


Better Source of Info: Routes learned from eBGP peers have an AD of 20 while routes learned from iBGP peers have an AD of 200. This is because BGP is designed to share routes between different AS's. If you learn a route from another AS via multiple routing sources, you want the eBGP learned route to be the preferred source over all other dynamic routing protocols. R  below advertises its networks to both R  and R3 using eBGP. R  and R3 will advertise the same routes to one another due to their iBGP peering.

Additionally, R3 may redistribute its eBGP learned routes into EIGRP. Now, R  will know about the same networks via three different sources, eBGP (20), iBGP (200), and External EIGRP (170). eBGP will win by default and traffic will be routed directly from R  to R , instead of detouring through R3, which would cause suboptimal routing.

The command sh bgp ipv4 unicast will display the BGP routes a router knows. On R5, the networks in AS 6500  have a code of "*>i" when going through R  and a code of "* i" when going through R3. Networks within AS 6500  have a code of either "r>i" for paths through R , or "r i" for routes through R3. The "r" in place of the "*" indicates that the routes are not valid and there is a RIB failure (even though they may be the best (>)), meaning that the BGP route could not be installed in the routing table. In this case, the routes actually are in the routing table, but from another source. If you were to issue sh ip route [IP] [mask] for the networks with an "r", you would see the winning sources (connected, 0 AD or EIGRP, 90 AD). Additionally, sh bgp ipv4 unicast [IP] would show that the routes are iBGP (200 AD). You can confirm RIB failures with sh bgp ipv4 unicast rib-failure.

BGP Split-Horizon: A BGP router that learns BGP routes through an iBGP peer will not share those routes with another iBGP peer. For R5 to learn about networks in AS 6500 , it has to be a direct iBGP peer with the router that learned about the routes from an eBGP peer (R /R3), or it has to be a peer with a route reflector. Creating a full mesh of iBGP peers also has the added benefit of additional redundancy. Use sh bgp ipv4 unicast sum on all routers to identify peers.

Synchronization: iBGP routes must be synced with IGP routes before they can be used or advertised to an external neighbor. This makes sure all routers in an AS know all routes, preventing transit routers that aren't running BGP (non-full-mesh deployment) from dropping packets with unknown destinations. Newer routers have this disabled by default; turn it off with the router command (no) synchronization.


R # show bgp ipv4 unicast 0. . . 8
BGP routing table entry for 0. . . 8/ 6, version 6
Paths: (1 available, best #1, table default)
Advertised to update-groups:
Refresh Epoch 1
6500  3.3.3.3 (metric 3 07 ) from 3.3.3.3 (3.3.3.3)
Origin IGP, metric 0, localpref  0, weight 0, valid, internal
rx pathid: 0, tx pathid: 0

(The original annotates this output with labels for the fields RID, AS Path, IGP Metric, MED, Weight, Origin Code, Network Type, and Local Preference.)

Aggregation: BGP routers can perform aggregation of networks. This is done with the router aggregate-address [IP] [WC mask] command. When doing so, the atomic aggregate attribute is added to the route, which indicates to downstream routers that aggregation was performed. The aggregator attribute indicates what router the aggregation was performed by and what AS the aggregation was done in. By default, BGP sends a summary route in addition to the specific routes; to send only a summary and withdraw the specific routes, append summary-only to the aggregate command. When summarization is done by a router that's not the originator of the route, the originating AS information is lost. To include this originating AS in the path, append as-set to the aggregate command. On the router performing the aggregation, if using the summary-only option, sh bgp ipv4 unicast [IP] [mask] longer-prefixes would show the summarized routes with a code of "s" for suppressed.

Path Selection: BGP does not consider a link's bandwidth when making route decisions. Instead, it uses various attributes when deciding which path is best. To view all attributes per route, per neighbor, use sh bgp ipv4 unicast [IP]; they are listed newest to oldest. N WLLA OMNI:

Next-hop reachable?

Highest Weight. Def 0.

Highest Local Preference. Def 100.

Originated locally. (if 0.0.0.0)

Shortest AS path.

Origin code. IGP > EGP > ?

Lowest MED.

Network type. external > internal.

Lowest IGP metric.

Oldest route for eBGP paths.

Lowest neighbor BGP RID.

Lowest neighbor IP address.

sh bgp ipv4 unicast will show a summary of each route, its next-hop, metric, Local_Pref, weight, and AS path.
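The selection order above, as an added example that is not code from the notes: a small Python model of the decision process. The prefixes, next-hops, router labels and AS numbers are constructed; notes_scenario() reproduces the unreachable next-hop case and the two-iBGP-paths case from the paragraphs above, and also shows the effect of always-compare-med when the candidate paths come from different neighboring AS's.

```python
"""BGP best-path selection in the order the notes list (N WLLA OMNI).

Added example, not code from the notes: a model of the decision process
showing why an entry whose next-hop is unreachable never gets a ">" and how
ties between paths to the same prefix are broken.  All prefixes, next-hops,
labels and AS numbers are constructed.
"""
from dataclasses import dataclass

# Origin code preference: IGP (i) > EGP (e) > incomplete (?)
ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}


@dataclass
class BgpPath:
    label: str                 # constructed name of the path (which neighbor)
    next_hop: str
    next_hop_reachable: bool   # first check: a route to the next-hop exists
    weight: int = 0            # Cisco-local, higher wins, default 0
    local_pref: int = 100      # higher wins, default 100
    as_path: tuple = ()        # AS numbers as shown in the Path column
    origin: str = "i"
    med: int = 0               # shown as "Metric", lower wins
    ebgp: bool = False         # external preferred over internal
    igp_metric: int = 0        # IGP metric to the next-hop, lower wins
    age: int = 0               # 0 = oldest; only compared among eBGP paths
    neighbor_rid: str = "0.0.0.0"
    neighbor_ip: str = "0.0.0.0"

    @property
    def locally_originated(self) -> bool:
        # A next-hop of 0.0.0.0 marks a route injected by this router.
        return self.next_hop == "0.0.0.0"


def _ip_key(ip: str) -> tuple:
    return tuple(int(o) for o in ip.split("."))


def _keep(cands, key, prefer_high):
    """Keep only the candidates sharing the best value of key()."""
    best = key(max(cands, key=key)) if prefer_high else key(min(cands, key=key))
    return [p for p in cands if key(p) == best]


def select_best(paths, always_compare_med=False):
    """Return (best_path, deciding_step), or (None, reason) if nothing is usable."""
    cands = [p for p in paths if p.next_hop_reachable]
    if not cands:
        return None, "no best path: next-hop inaccessible"
    if len(cands) == 1:
        return cands[0], "only usable path"
    steps = [
        ("weight", lambda p: p.weight, True),
        ("local_pref", lambda p: p.local_pref, True),
        ("locally_originated", lambda p: p.locally_originated, True),
        ("as_path_length", lambda p: len(p.as_path), False),
        ("origin", lambda p: ORIGIN_RANK[p.origin], False),
        ("med", lambda p: p.med, False),
        ("ebgp_over_ibgp", lambda p: p.ebgp, True),
        ("igp_metric", lambda p: p.igp_metric, False),
        ("oldest_ebgp", lambda p: p.age, False),
        ("neighbor_rid", lambda p: _ip_key(p.neighbor_rid), False),
        ("neighbor_ip", lambda p: _ip_key(p.neighbor_ip), False),
    ]
    for name, key, prefer_high in steps:
        if name == "med":
            # MED is only compared between paths from the same neighboring
            # AS unless bgp always-compare-med is configured.
            first_as = {p.as_path[0] if p.as_path else None for p in cands}
            if not always_compare_med and len(first_as) > 1:
                continue
        if name == "oldest_ebgp" and not all(p.ebgp for p in cands):
            continue
        cands = _keep(cands, key, prefer_high)
        if len(cands) == 1:
            return cands[0], name
    return cands[0], "tie"


def notes_scenario():
    """Constructed cases mirroring the notes: R5 learning one prefix over two
    iBGP paths, a path whose next-hop is unknown, and two eBGP paths."""
    edge = BgpPath("via edge router", "192.0.2.1", True, as_path=(64512,),
                   igp_metric=10, neighbor_rid="192.0.2.1", neighbor_ip="192.0.2.1")
    r3 = BgpPath("via R3", "192.0.2.3", True, as_path=(64512,),
                 igp_metric=30, neighbor_rid="192.0.2.3", neighbor_ip="192.0.2.3")
    stale = BgpPath("via edge router, next-hop unknown", "192.0.2.1", False,
                    as_path=(64512,))
    weighted = BgpPath("via R3 with neighbor weight", "192.0.2.3", True, weight=200,
                       as_path=(64512,), igp_metric=30,
                       neighbor_rid="192.0.2.3", neighbor_ip="192.0.2.3")
    isp_a = BgpPath("via ISP A", "203.0.113.1", True, as_path=(64496,), med=50,
                    ebgp=True, age=0, neighbor_rid="203.0.113.1", neighbor_ip="203.0.113.1")
    isp_b = BgpPath("via ISP B", "203.0.113.9", True, as_path=(64497,), med=10,
                    ebgp=True, age=1, neighbor_rid="203.0.113.9", neighbor_ip="203.0.113.9")
    return {
        "no_next_hop": select_best([stale]),
        "igp_metric": select_best([edge, r3]),
        "weight": select_best([edge, weighted]),
        "med_default": select_best([isp_a, isp_b]),
        "med_always_compare": select_best([isp_a, isp_b], always_compare_med=True),
    }
```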

Weight: Proprietary feature to Cisco. Only locally significant (not advertised to other routers). Higher is preferred. Default is 0 for learned routes, 32,768 for locally originated routes, goes up to 65,535. Used on a single router to influence its choice of outbound routes. When BGP Updates are received, the router can set the weight for all routes from a neighbor (neighbor [IP] weight [#]) or selectively set weights using a route map with a set weight [#] statement and applied with neighbor [IP] route-map [name] in.

Local Preference: Well-known attribute. Higher is preferred. Used for when there are multiple paths between AS's. Acts as the opposite of the MED. Locally significant to an AS. Decides which path to use to exit the AS. Only passed between iBGP peers. Set with the router command bgp default local-preference [#] for all routes advertised from a router, or selectively with a route map with a set local-pref [#] statement, applied with neighbor [IP] route-map [name].

Multi-Exit Discriminator (MED): Optional, lower is preferred. Displays as "Metric". When there are multiple entrance points into an AS (dual homing), the MED tells a neighbor AS which link into the AS to use. The metric will pass to a neighboring AS, but no further. Configure using a route map with a set metric [#] statement and apply with neighbor [IP] route-map [name] out. To compare metrics from multiple AS's use the router command always-compare-med.

Reset: IOS does not cause a newly configured BGP filter to take effect until a neighborship is cleared. A neighbor can be disabled with the command neighbor [IP] shutdown. A simpler way is with the command clear ip bgp [ (IP) | * ], which will reset a BGP connection; considered a hard reset because it takes down the neighborship, TCP connection, and clears BGP table entries. To be less disruptive, clear ip bgp [ (IP) | * ] soft will maintain the neighborship and TCP connection, but will resend outgoing Updates with the new filter applied as well as reprocess incoming Updates, again with the new filter applied.

Default Route: To send a neighbor a default route originating from the local router use the command neighbor [IP] default-originate.

Passwords: Passwords can be set for neighbors with the command neighbor [IP] password (0|7) [pass].

Debugging: The majority of changes that occur with BGP will generate syslog messages. debug ip routing, while not specific to BGP, will show updates to the router's IP routing table. debug ip bgp shows real-time state changes for BGP peering, but does not show the contents of updates. debug ip bgp updates is more detailed and will show the content of updates.

BGP for IPv6: BGP for IPv4 and IPv6 are configured in the same address family (AF) config mode, known as Multiprotocol BGP (MP-BGP). This requires the use of AFs and the activation of neighbors for those AFs.

There are two AFs; one for IPv4 unicast and another for IPv6 unicast. Neighbors and remote AS numbers are identified outside the AF config. Neighbors are then additionally activated within the AF with the neighbor [IP] activate command.

config) router bgp [as]

router) neighbor [ip] remote-as [as]

router) address-family ipv4

router-af) neighbor [ip] activate

router-af) exit-address-family

router) address-family ipv6

router-af) neighbor [ip] activate


There are two different ways to exchange IPv6 routes with BGP; they can be exchanged via IPv4 or IPv6 TCP sessions. If the IPv6 AF is using an IPv4 neighbor address to establish a TCP session, the TCP session will be IPv4 based. sh bgp ipv6 unicast sum will display the neighbor adjacency with an IPv4 IP. To verify IPv6 routes learned, use sh bgp ipv6 unicast. A route with a next-hop of "::" is locally originated. When neighboring with a router using its IPv4 address, the next-hop for learned networks will read "::FFFF:[IPv4 Add]". This address is dynamically generated and will not have a ">" because it is not reachable. This occurs because an IPv6 route cannot have an IPv4 next-hop address, caused by the IPv4 adjacency for the IPv6 AF.

R # show bgp ipv6 unicast summary

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd

. . . 4 6500  5 5   0 0 00: :0

R # show bgp ipv6 unicast

Network Next Hop Metric LocPrf Weight Path

*> 2001:DB8: ::/64 :: 0 32768 i

* 2001:DB8: ::/64 ::FFFF: . . . 0 0 6500  i

The solution for this issue is to create a route map that will change the next-hop to a valid IPv6 address and attach it to a neighbor statement. This has to be done on the advertising router.

config) route-map [rm name] permit 10

route-map) set ipv6 next-hop 2001:db8: ::

config) router bgp [as]

router) address-family ipv6 unicast

router-af) neighbor . . . route-map [rm name] out

If you were to now look at sh bgp ipv6 unicast summary, the remote network should now display the correct next-hop IPv6 address, 2001:db8: :: , and have a ">". When forming IPv6 TCP sessions/neighborships, this issue doesn't exist. You simply have to define the IPv6 neighbor and activate it (both an IPv4 and v6 neighbor entry for the same router is ok!). sh bgp ipv6 unicast sum will display a neighbor with an IPv6 address and sh bgp ipv6 unicast will display an IPv6 next-hop.

config) router bgp [as]

router) neighbor 2001:db8: :: remote-as [as]

router) address-family ipv6

router-af) neighbor 2001:db8: :: activate

Management Protocols and Tools

Syslog and SNMP help monitor the health of the network. It is important to know what time events occurred. Accurate time can be kept with NTP so log messages have accurate time stamps across multiple devices.

Clock: Default is March 1, 1993.

clock set [hh:mm:ss] [month] [day] [year] !!! this is an enable mode command!

sh clock (detail) !!! (detail) states "time source is ntp" if ntp is configured.

NTP: Used to synchronize clocks among various network devices. It is a client/server protocol.

Time Server Not Reachable: Use a ping to verify connectivity. Ensure the ping is sourced from the correct interface if using a loopback (ntp source [x/x]).

ACLs: NTP uses UDP port 123. Verify with sh ip int [x/x] and sh access-list.

Authentication: While not required, client and server need to be configured with the correct authentication key and key string. Verify with sh run | s ntp and sh ntp association detail.

Wrong Server: A client can be configured with multiple NTP servers. By default, NTP will choose the best server. You can force a preferred server with the keyword prefer in the ntp server command. Verify the server being used with sh ntp status (detail).

High CPU: The CPU processes NTP packets; if it is under a high load, it will fail to process packets and synchronization will fail. Verify with sh proc cpu.


Time Offset Too High: If the offset between the server and client is extreme, it can take a long time for the clocks to sync or they may not sync at all. Manually set the clock with the enable mode command clock set, and allow NTP to fine-tune the clock from there. Verify the clock with sh clock.

Stratum Too High: Hierarchy based on stratum levels 1-15, 1 being the best, 16 indicating a server is unreachable. If a device is syncing with another device that itself has a stratum of 15, it will fail. Verify with sh ntp status.

Server has an ACL: An NTP access-group on the server can control where clients can source packets from. Verify the ACL.

config) ntp server [ip] (prefer) (version [3|4]) (key [#]) !!! client, if multiple, pick a (prefer)red.

config) ntp authenticate !!! enable authentication.

config) ntp authentication-key [key-number] md5 [key-string] !!! define an authorization key.

sh ntp status !!! verify if the clock has synchronized, the stratum level, and the ip of the ntp server.

sh ntp association !!! verify servers. if multiple configured, all listed here. "*" indicates the local device is synced with that server. "+" indicates a server is a candidate for synchronization.

sh ntp association (detail) !!! additional details, including authentication.

debug ntp all !!! events, core messages, clock adjustments, reference clocks, and packets.

"ntp core (notice): ntp_receive: dropping message: res_dontserve restriction" !!! debug, indicates acl.

Syslog: By default, console, monitor, and buffer logging display messages with a severity of 7 (debugging) and lower. The buffer has a default size of 8,192 bytes; once full it will overwrite old entries. Increase the size with logging buffered [#]. View syslog messages in the console if connected to vty lines with terminal monitor. Use sh logging to verify, ensure logging is enabled, severity levels for each type are correct, buffer size is sufficient, and check logs.

Logging to a server is disabled by default, but once enabled, all severity levels are sent to the server. The correct server IP has to be specified and must be reachable. Syslog uses UDP port 514, which must not be blocked by an ACL.

terminal monitor !!! view console messages when connected to vty lines.

config) logging buffered (size 4096-huge) ( [severity #] | [name] ) !!! to enable buffer and change size.

config) logging console ( [severity #] | [name] ) !!! on by default, use to change severity.

config) logging (host) [ ip | hostname ] !!! (host) is optional, same. sends messages to syslog server.

config) logging trap [ (severity #) | (name) ] !!! what level of messages to send to syslog server.

config) (no) logging on !!! enable/disable.

line) logging synchronous !!! stop console messages from being overwritten.

sh logging

clear logging

Having log and debug messages time stamped is critical. If they're not present, it's due to the command no service timestamps. To configure, use service timestamps [debug|log] [datetime|uptime].

Severity: 0-7 indicates how important. Lower # is higher priority; selecting a number includes the selected level and those lower in #.

Every Awesome Cisco Engineer Will Need Icecream Daily

0 emergencies: crashes, stopped processes.

1 alerts: platform errors.

2 critical: hardware issues, port security, stp.

3 errors: acl, tcam, pagp, ethernet controller, interface up/down.

4 warnings: dhcp snooping.

5 notifications: 802.1x, dtp, etherchannel, inline power, stp, interface line protocol.

6 informational: stack events, port security, dynamic arp inspection, vtp, udld, stp, hardware diagnostics.

7 debugging: default.

SNMP: You must be able to ping the server from the agent. If L3 connectivity does not exist, the SNMP server can't access info in the MIB on the agent. SNMP uses UDP port 161 for general messages and UDP port 162 for traps and informs.


Manager: System that uses SNMP to poll and receive data from any number of network devices. Usually a central application. Manager sends poll/query to the switch with the OID of a specific variable being requested.

Agent: Process that runs on the network device being monitored. Data is gathered by the device itself and stored locally. Agent responds to SNMP polls and queries with info from the data, and can send unsolicited traps/informs to the manager.

Management Information Base (MIB): Database on an agent containing variables about itself. Organized in a structured hierarchical fashion. Each MIB is referenced by an OID.

Object Identifier (OID): Long string of indexes that follows the path from the root of the tree all the way to the variable's location.

v1: Simple get (next)/set requests, traps, and unsolicited alert messages. Access is based on a community string, which is sent in plain text (Use read only!).

config) snmp-server community [comm.-string] ( ro | rw ) (acl #)

config) snmp-server host [host ip] [comm.-string] (trap type) !!! manager where traps will be sent.

v2c: Adds 64-bit variable counters (allows for higher values), bulk requests, and inform requests. Same first commands as above.

config) snmp-server host [host ip] (informs) version 2c [comm.-string] !!! use (informs) instead of traps.

Trap: News of an event that is sent without an acknowledgment that the trap has been received.

config) snmp-server enable traps (trap name) !!! enable traps. blank is for all.

Inform Request: Same as a trap, but manager is required to acknowledge the receipt by echoing the request back to the agent.

Issues:

Community Strings Matching: Strings must match between the server and client.

ACLs: If an ACL is used to define the source of servers on the client, it must include the correct IPs.

Config of Notifications: If the agent is configured to send traps or informs, verify that traps are enabled, the server IP is correct, the SNMP version is correct, informs is chosen, and the correct traps are specified. Use the command snmp-server enable traps [type] to select what type of informs/traps to send. Traps/informs are enabled in the snmp-server host [IP] (informs) command.

Indexes Shuffling: To prevent index shuffling and guarantee index persistence during reboots or minor software upgrades, use snmp-server ifindex persist. This shows as snmp ifmib ifindex persist in the running config.

SNMPv3: Adds user authentication, security levels, data integrity, encryption, and groups with read/write access.

Users are created with authentication and encryption parameters. They are what the SNMP manager will use to communicate with the switch; create with the command below. Must match config on server! Verify with sh users.

config) snmp-server user [user-name] [group name] v3 auth [md5|sha] [auth pass] priv [des|3des|aes(#)] [priv pass] (access [acl#])

Users are nested into groups, which set the security policies (not passwords/keys) for users that are assigned to the group. If using a view, it is assigned here as well. Verify with sh snmp group.

config) snmp-server group [group name] v3 [noauth|auth|priv] (read [view]) (write [view]) (notify [view]) (access [acl#])

Views define what OIDs you're able to see/access. Optional; if unused, full access. Verify with sh snmp view.

config) snmp-server view [view name] [oid tree] [included | excluded]

Notification Config: If the agent is configured to send traps or informs, verify that they are enabled in the host command, with the correct IP, SNMP version, security, and type (default is traps). Verify with sh snmp host.

config) snmp-server host [ip] (informs) version [1|2|3] [noauth|auth|priv] [username] (trap-type)

Wrong Security Level: The security level set in the group, user, and host commands must match what is used on the server.


noauth: no packet authentication or encryption.

auth: packets are authenticated but not encrypted.

priv: packets are authenticated and encrypted !!! only if ios is cryptographic.

Wrong Hash/Encryption/Password: When using authentication and/or encryption, both the algorithm and password have to match between the device and the server.

Wrong OIDs: The view identifies the objects within the MIB that the server will be able to access. Ensure they are accurate. Prevent indexes from shuffling with the snmp-server ifindex persist command.
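The SNMP issues above (read-only communities, ACLs on communities, and matching security levels across user, group and host), as an added example that is not code from the notes or from Cisco: a Python audit of the snmp-server command syntax listed above, run over a constructed running-config fragment. It reports RW communities, communities without an ACL, and SNMPv3 levels that differ between a user, its group and the hosts that reference it.

```python
"""Audit snmp-server lines for the mismatches the notes describe.

Added example, not from the notes or from Cisco: it parses the command
syntax shown above (community / group / user / host) out of a constructed
running-config fragment and reports RW communities, communities without an
ACL, and SNMPv3 security levels that differ between user, group and host.
"""

# Constructed sample config fragment (not from a real device).
SAMPLE_CONFIG = """\
snmp-server community public RO 10
snmp-server community private RW
snmp-server group NETMON v3 priv read ALLVIEW access 10
snmp-server user nms NETMON v3 auth sha AuthPass123 priv aes 128 PrivPass123 access 10
snmp-server user helpdesk NETMON v3 auth md5 HelpPass123
snmp-server host 192.0.2.50 informs version 3 priv nms
snmp-server host 192.0.2.51 version 3 auth ghost
snmp-server host 192.0.2.52 version 2c private
"""

LEVELS = ("noauth", "auth", "priv")


def user_level(options):
    """Effective level of an snmp-server user line: priv > auth > noauth."""
    if "priv" in options:
        return "priv"
    if "auth" in options:
        return "auth"
    return "noauth"


def parse(config):
    """Collect communities, v3 groups, v3 users and notification hosts."""
    comms, groups, users, hosts = [], {}, {}, []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 3 or t[0] != "snmp-server":
            continue
        if t[1] == "community":
            mode = "rw" if "rw" in (x.lower() for x in t[3:]) else "ro"
            acl = t[-1] if len(t) > 4 and t[-1].lower() not in ("ro", "rw") else None
            comms.append({"string": t[2], "mode": mode, "acl": acl})
        elif t[1] == "group" and len(t) >= 5 and t[3] == "v3":
            groups[t[2]] = t[4]                      # noauth | auth | priv
        elif t[1] == "user" and len(t) >= 5 and t[4] == "v3":
            users[t[2]] = {"group": t[3], "level": user_level(t[5:])}
        elif t[1] == "host":
            h = {"ip": t[2], "version": "1", "level": None, "name": None}
            rest = t[3:]
            if rest and rest[0] in ("traps", "informs"):
                rest = rest[1:]
            if len(rest) >= 2 and rest[0] == "version":
                h["version"], rest = rest[1], rest[2:]
                if h["version"] == "3" and rest and rest[0] in LEVELS:
                    h["level"], rest = rest[0], rest[1:]
            h["name"] = rest[0] if rest else None    # community or v3 user
            hosts.append(h)
    return comms, groups, users, hosts


def audit(config):
    """Return a list of findings; an empty list means nothing to report."""
    comms, groups, users, hosts = parse(config)
    findings = []
    for c in comms:
        if c["mode"] == "rw":
            findings.append(f"community {c['string']}: RW access with a plain-text community string")
        if c["acl"] is None:
            findings.append(f"community {c['string']}: no ACL limiting which managers may use it")
    for name, u in users.items():
        glevel = groups.get(u["group"])
        if glevel is None:
            findings.append(f"user {name}: group {u['group']} is not defined")
        elif glevel != u["level"]:
            findings.append(f"user {name}: level {u['level']} does not match group {u['group']} level {glevel}")
    known = {c["string"] for c in comms}
    for h in hosts:
        if h["version"] == "3":
            u = users.get(h["name"])
            if u is None:
                findings.append(f"host {h['ip']}: v3 user {h['name']} is not defined")
            elif h["level"] != u["level"]:
                findings.append(f"host {h['ip']}: level {h['level']} does not match user {h['name']} level {u['level']}")
        elif h["name"] not in known:
            findings.append(f"host {h['ip']}: community {h['name']} is not defined")
    return findings
```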

IP SLA: Used to measure network performance and test availability by generating a continuous, reliable probe (simulated traffic) in a predictable manner. Can measure packet loss, one-way latency, response time, jitter, network resource availability, application performance, server response times, and voice quality. A source is required but a responder is optional. Responders are used to gather more accurate statistics for services that are not offered by any specific destination device, such as jitter. A responder can reply with more accurate measurements taking into account its own processing time of a probe.

Verify that you are using the correct operation, the destination IP is correct and reachable, the source IP is reachable from the destination, necessary ports are not blocked, the SLA probe is started, and if a responder is required, it is configured. Use sh ip sla application to verify supported operation types as well as the number of configured and active entries. Use sh ip sla config to verify the specific configuration of a probe including the timeout, source/destination addresses/ports, TOS value, packet size/interval, and the schedule. Results can be viewed with sh ip sla statistics to see the type, time last started, latest return code, various values, and a count of successes/failures. Responders can be verified with sh ip sla responder to see the control port number, number of probes received, number of errors, and recent sources of probes. Debugging can be done with debug ip sla trace [#] to see the operation running.

Object Tracking: Enables you to dynamically control what will occur if the result of a tracking object is up/down. For example, it can be attached to a static route (ip route [ip] [mask] [next-hop] track [#]) to determine if it will be placed in the routing table. Also, FHRPs can use them to change priority values. Object tracking can track IP routes, IP SLA instances, interfaces, and groups of objects. Verify with sh track (#).

SPAN: Enables you to take ingress/egress frames on a switchport, copy them, and send them to another port. The source can be: one or more physical switch ports on the same, or a different, VLAN; trunk ports; ports that are a member of an EtherChannel; an entire port-channel interface; or an entire VLAN (VSPAN).

Cannot monitor SVIs nor mix source types. If monitoring multiple ports, repeat the source command, or use "-" or "," for a list. Source traffic is never affected, but if source and dest. ports operate at different speeds, some destination traffic may be dropped. Different SPAN sessions cannot share a common destination; only 1 destination per session. Session numbers must be unique. Session source & destination numbers must match.

Verify that the source/destination session numbers match, the source interface/VLAN and destination interfaces are correct, the direction is correct (both by default), and interfaces are "up/up". Verify with sh run | s monitor and sh monitor (detail). Verify the destination interface with sh interface status, which will display "monitoring".

config) monitor session [session #] source [interface (x/x) | vlan (#)] (rx | tx | both) !!! both is def.

config) monitor session [session #] destination interface [x/x] (encap. replicate) (ingress)

config) no monitor session [ (#) | range (range) | local | all ] !!! to delete.

sh monitor (session [ (#) | all | local | remote | range (list) ] (detail) !!! sh run for tshooting too.

Remote Span (RSPAN): A SPAN session split across two independent switches; mirrored data is transported over a special purpose RSPAN VLAN between switches and/or intermediate switches (provided any intermediate switches are RSPAN enabled/capable).

RSPAN VLANs have MAC address learning disabled to prevent any intermediate switches from forwarding packets to their real dest. Switches flood RSPAN packets out all ports belonging to the RSPAN VLAN. Limit the RSPAN VLAN to appropriate links. RSPAN must allow STP to prevent loops; as a result, BPDUs cannot be monitored. Create one RSPAN VLAN per RSPAN session. Do not allow any normal hosts to join. VTP will duplicate any RSPAN VLAN. If VTP is not being used, create the RSPAN VLAN on each intermediate switch and add to trunks. VTP will prune unnecessary links.


vlan) remote-span

Configure source AND dest on BOTH end points. On the mirroring side, use a source [interface or VLAN] and a destination [remote VLAN]. On the receiving end, use a source [remote VLAN] and a destination [interface].

config) monitor session [session #] destination remote vlan [rspan-vlan] (ingress) (reflector-port [x/x])

config) monitor session [session #] source remote vlan [rspan-vlan]

Reflector Port: Some switches need to sacrifice a port's ASIC to perform remote mirroring. Appended to destination command.

Verify that the source/destination numbers match locally; they do not have to match the remote switch. The RSPAN VLAN must be configured and identified as remote-span, and added to trunk links. STP cannot be blocking the RSPAN VLAN. Verify with the same commands as above. Verify the RSPAN VLAN with sh vlan remote-span.

Management Access

Console: Used when there is physical access to the device, or through an access server.

COM Port: Ensure that on the terminal program, the correct COM port is selected, usually the last one. Trial-and-error.

Cable and Drivers: Newer devices use a mini USB port, requiring drivers. Older devices use a serial to RJ-45 rollover console cable.

Line Password: If a line password is being used, the login command needs to be configured.

Local Username: If local auth. is used, a user/pass must exist in the local database and the login local command is needed.

AAA Server: If AAA auth. is used, a method list needs to be defined with login authentication [default | (list name)].

vty: Supports Telnet and SSH for remote access.

Telnet: Not recommended because all traffic is sent in plain text.

IP Reachable: Ensure the remote device is reachable with a ping.

Correct Transport Protocol: By default, Telnet and SSH are allowed. The transport input command can change what protocols are allowed. Verify with sh line vty [#] | in Allowed or sh run | s vty.

User Credentials: By default, the login command tells the line to prompt the user for a password. To use the local database use login local. To use AAA use login authentication [default | (list name)].

Password: If using the default simple login, a password is required on the line. If none is set, a connecting user will get the message "Password required, but none set". If using login local or login authentication, you will be prompted for a user/pass. If there is none in the database, the login will fail.

Access-Class: Access can be filtered with the access-class [#] in command. An explicit deny any at the end can keep track of the number of denied remote access attempts (add log to generate a syslog message with the IP address). Log message will display as "%SEC-6-IPACCESSLOGS: list [#] denied [IP] 1 packet".
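The severity scale listed under Syslog and the access-class deny message quoted just above, as an added example that is not part of the notes: a Python parser for IOS syslog lines over a constructed log buffer. It applies the logging trap rule (the chosen level plus everything more severe) and totals denied packets per source address from %SEC-6-IPACCESSLOGS messages, which is what you would use to spot repeated remote-access attempts against the vty lines.

```python
"""Parse Cisco IOS syslog lines, apply a logging-trap threshold and count
access-class denials per source.

Added example, not code from the notes: it handles the
%FACILITY-SEVERITY-MNEMONIC form the notes quote (%SEC-6-IPACCESSLOGS ...)
over a constructed log buffer; timestamps assume service timestamps log
datetime msec.
"""
import re
from collections import Counter

SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational",
                  7: "debugging"}

# Optional "*Mar  1 00:12:05.123: " timestamp, then %FAC-SEV-MNEMONIC: text
MSG_RE = re.compile(
    r"^(?:\*?(?P<ts>[A-Z][a-z]{2}\s+\d+\s[\d:.]+):\s+)?"
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+):\s(?P<text>.*)$")
# "list 10 denied 192.0.2.77 3 packets" produced by access-class ... log
DENY_RE = re.compile(
    r"list (?P<acl>\S+) denied (?P<src>\d+\.\d+\.\d+\.\d+) (?P<n>\d+) packets?")

# Constructed sample buffer (not captured from a real device).
SAMPLE_LOG = """\
*Mar  1 00:12:05.123: %SEC-6-IPACCESSLOGS: list 10 denied 192.0.2.77 1 packet
*Mar  1 00:12:09.456: %SEC-6-IPACCESSLOGS: list 10 denied 192.0.2.77 3 packets
*Mar  1 00:12:30.001: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.10)
*Mar  1 00:13:02.770: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
*Mar  1 00:13:40.002: %SEC-6-IPACCESSLOGS: list 10 denied 198.51.100.9 1 packet
*Mar  1 00:14:00.000: %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed from 0x0, alignment 0
"""


def parse_line(line):
    """Split one message into facility, severity, mnemonic and text; None if not syslog."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    sev = int(m["sev"])
    return {"timestamp": m["ts"], "facility": m["fac"], "severity": sev,
            "severity_name": SEVERITY_NAMES[sev], "mnemonic": m["mnem"],
            "text": m["text"]}


def passes_trap_level(severity, trap_level):
    """logging trap N sends level N and everything more severe (lower #)."""
    return severity <= trap_level


def forwarded(log, trap_level):
    """Messages a syslog server would receive under logging trap <trap_level>."""
    parsed = (parse_line(l) for l in log.splitlines())
    return [p for p in parsed if p and passes_trap_level(p["severity"], trap_level)]


def denied_by_source(log):
    """Packets denied per source IP, summed from IPACCESSLOGS messages."""
    counts = Counter()
    for p in (parse_line(l) for l in log.splitlines()):
        if p and p["mnemonic"] == "IPACCESSLOGS":
            d = DENY_RE.search(p["text"])
            if d:
                counts[d["src"]] += int(d["n"])
    return counts


def repeat_offenders(log, threshold):
    """Sources whose denied-packet total reaches the threshold."""
    return sorted(src for src, n in denied_by_source(log).items() if n >= threshold)
```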

ACL: Ensure there is no ACL along the path blocking port 23 (telnet).

vty Lines: By default, there are 5 vty lines numbered 0-4. Some devices may have more. If all lines have established connections, a new connection cannot be made. Denied users will get the "Password required, but none set" message. sh users will list active connections. You can manually clear a line with the clear line [line #] command.

SSH: Recommended; packets will be encrypted. Verify current SSH sessions with sh ssh: lists version, encryption, hash, and user name. Same issues as Telnet, in addition:

Version: By default, versions 1 and 2 are enabled. The command ip ssh version [1|2] can manually set one. To verify, use sh ip ssh. Version 1.99 indicates both versions 1 and 2. The error message "Connection to [IP] aborted: error status 0" usually indicates that the remote device does not use SSHv2.


Login: The login command will not work since SSH requires a user/pass. Either use login local or login authentication for AAA.

Key: SSHv2 uses an RSA key size of 768 or greater. If a smaller key was used with SSHv1, or you accidentally generated a key size less than 768, SSHv2 connections won't be allowed. You will need to create a new key with crypto key generate rsa modulus [#]. Requires you to set the ip domain-name [#]. Verify key with sh ip ssh.

ACL: SSH uses port 22; ensure no ACLs are blocking it along the path.

Password Encryption: By default, all passwords are stored in clear text. They can be encrypted with three levels of encryption:

0 clear text: username [name] password 0 [pass].

4 (sha256): username [name] secret [pass]. strongest.

5 (md5): username [name] secret 5 [hash]. paste in actual md5 hash of password.

7 type-7: username [name] password 7 [pass]. also, service password-encryption. weakest.

AAA: Authentication, Authorization, and Accounting.

Enable: AAA is disabled by default; enable with aaa new-model. Immediately, local authentication is applied to all lines, except the console. Once activated, lines will no longer have the login local option. Ensure there is a user/pass in the local database or you won't be able to access the device.

Local Database: By default, the local database is used; if it is empty, authentication will fail. If using an AAA server, it is a good practice to configure a user/pass in the local database for fallback in case the AAA server is unavailable.

Method List: Defines what methods of authentication will be used, and in what order. When no method list exists, the vty lines use the local database by default. Successive methods are only used as a failover, not upon denial.

config) [radius|tacacs]-server host [hostname | ip] (key [0|7] [string]) !!! to define a server.

config) aaa authentication login [ default | (name) ] [method1] (method2)... !!! define method list.

group [ tacacs+ | radius | (name) ]: use servers of that type or in named group, in order configured.

local: uses local user database.

local-case: same as above, but case-sensitive.

line: line passwords.

none: no authorization, always succeeds.

To Apply:

line) login authentication [ default | (list-name) ] !!! apply to lines.

By default, many devices use ports 1645 and 1646 for RADIUS and port 49 for TACACS. RADIUS ports were changed and since use 1812 and 1813. Verify they are not being blocked by an ACL.

debug aaa authentication !!! to verify the authentication process.

debug radius authentication !!! view the radius authentication.

debug aaa protocol local !!! view the local authentication.