Last updated: 11-Feb-2003
Command Feature
default route: usually route into the network cloud
static route: usually route toward the hub
static routes are classless
Stop advertising network To suppress networks from being advertised in updates
router rip
network 172.16.0.0
distribute-list 1 out serial 1 Only 1 in list and only 1 out list per routing protocol or per routing/interface
Access-list 1 deny 172.16.8.0 0.0.0.255 Stop the network 172.16.8.0 from being advertised by RIP, out of s1 only
access-list 1 permit any
Control which network is redistributed & advertised
router rip
network 172.16.0.0
redistribute ospf 10 metric 4
distribute-list 1 out ospf 10 Do not allow advertising of routes coming from OSPF 10
out: out from OSPF 10
access-list 1 deny 192.168.8.0 0.0.0.255 Stop the network 192.168.8.0 from being redistributed from OSPF to RIP
access-list 1 permit any
To filter networks received in updates Only works properly with distance-vector protocols
router rip
network 172.16.0.0
distribute-list 1 in serial1 Deny 192.168.8.0 if it arrives from Serial1
Won't be processed by RIP
access-list 1 deny 192.168.8.0 0.0.0.255 Stop the network 192.168.8.0 from being redistributed from OSPF to RIP
access-list 1 permit any
Split horizon
Split-horizon is a layer 2 behavior, knows nothing of layer 3
no ip split-horizon Disable split-horizon on multipoint interface when hub & spoke and classful [RIP...], if spokes need to talk to each other/receive routing updates from each other
Only affects RIP, not EIGRP; EIGRP needs: NO IP SPLIT-HORIZON EIGRP X
Must be disabled on interfaces with secondary addresses or secondary address will not be advertised
EIGRP does not use split-horizon when advertising routes learned through redistribution This is not affected by ip split-horizon eigrp
Split-horizon is DISABLED by default for RIP/IGRP on physical interfaces and point-to-multipoint subinterfaces.
Split-horizon is always ENABLED on point-to-point subinterfaces.
Split-horizon is NEVER DISABLED by default for EIGRP on any type of Frame Relay interface. Must be explicitly disabled with "no ip split-horizon eigrp ".
INTERFACES & MULTIPOINTS & CLASSFUL PROTOCOL NO IP SPLIT-HORIZON
EIGRP at the interface: no ip split-horizon eigrp 2001
As soon as the subinterface is configured, split horizon is automatically disabled. This is the default behavior.
Only for distance vector protocols [RIP/EIGRP/IGRP]
interface Serial0/1 This is the hub
ip address 192.1.1.2 255.255.255.0
encapsulation frame-relay
no ip split-horizon eigrp 10 So that both spokes can see each other, only affect eigrp 10 nothing else
frame-relay map ip 192.1.1.1 100 broadcast so that the routing goes through
frame-relay map ip 192.1.1.3 200 broadcast
Notes
Router should not install a summarized major network route from a major network from which it has a subnet
Routing loops
Most routing loops occur on distance vector protocols, in regard to redistribution and/or Admin Dist issues.
Rip/Igrp - show ip route to look for "possibly down" message would indicate a routing loop
For inside to outside, routing should always take place before NAT.
BGP - Show ip bgp to watch if the bgp table # increments would indicate loop
show ip traffic to spot incrementing "bad hop counts" would indicate loops.
Finally, once you isolate the loop, use the trace command to follow the routing path and through elimination find the source of the loop.
Increases routing metric == indicates routing loop
Classful protocols: make all other interfaces as passive, including BRIs
Debug and monitor
logging buffered 16384
show logg will show the results of the debugs
show ip protocol will show the details of each protocol
debug ip routing show the routing table activities
debug ip icmp
ping 172.16.4.255 Will ping all hosts on subnet
encapsulation failed & frame-relay debug frame packet
encapsulation failed & ISDN debug dialer packet
debug ISDN q931
debug ppp encapsulation
encapsulation failed & ATM debug atm packet
encapsulation failed & ethernet debug arp
encapsulation failed & token-ring debug arp
no ip route-cache
debug ip packet will show all the packets
debug ip packet detail 101 access-list 101 permit icmp any any
debug ip rip
debug ip ospf adj
debug ip eigrp
Distances and route controls
Modify distance when trying to manipulate the choice of one protocol over another.
If multiple routes within a protocol, use metric to modify the path.
router eigrp 109
network 192.31.7.0
network 128.88.0.0
passive-interface serial 1/1 Always put the non-routing interfaces as passive
passive-interface serial 1/1.1 Also place the sub-interfaces as passive + the full interface
passive-interface BRI0
distance 255 Sets the default administrative distance to 255, which instructs the Cisco IOS software to ignore all routing updates from routers for which an explicit distance has not been set.
distance 90 192.31.7.0 0.0.0.255 Sets administrative distance for all routers on the network 192.31.7.0 to 90
distance 120 128.88.1.3 0.0.0.0 Sets administrative distance for the router with the address 128.88.1.3 to 120.
distance 75 0.0.0.0 255.255.255.255 Set the distance of all routes under eigrp 109 to 75
metric weights 0 K1 k2 k3 k4 k5 0 is type of service, then the K values All within AS must have same Ks
interface s0
ip address 172.10.10.10 255.255.255.0
bandwidth 64 Changing the bandwidth will also affect OSPF
delay 20000 Value from show interface s0, preferred way of changing metrics for load sharing. Does not affect the real delay on the interface
To prefer a path v. another, add delay on the other path
Default networks Make sure: ip classless
ip default-network 179.10.0.0 RIP/IGRP/EIGRP: must be known to IGRP/EIGRP to be propagated
Must be classful
default-information originate If the ASBR already has the default route in its routing table [OSPF/RIP]
default-information originate always If the ASBR doesn't have a default route [OSPF only]
ip route 0.0.0.0 0.0.0.0 x.x.x.x RIP & static default route
ip default-gateway ONLY when ip routing is DISABLED
see default section in each routing protocol
Misc
When "ip eigrp summary" is configured the summarized routes will not be advertised in EIGRP updates out that interface
policy Route-map to replace static route
interface s1
ip address 172.16.10.10 255.255.255.0
ip policy route-map rm-static equivalent to: ip route 172.16.117.0/24 e0
access-list 1 permit 172.16.117.0 0.0.0.255
route-map rm-static permit 10
match ip address 1
set interface e0
Debug/info
show ip policy
show route-map
Changing metric on specific routes Use offset-list when redundant equal cost path and want to prefer one
Router protocol Offset-list are typically not used in RIP
offset-list 1 in x serial 0 add x to the routes from access-list 1, when they come in s0.
access-list 1 permit 172.17.10.0 0.0.0.255
Prevent routes from showing in routing table "The others cannot see it"
router eigrp 2001
network 172.16.0.0
distribute-list acl-no-16-3 out Serial0.1 prevents 172.16.3.0 from being advertised out on S0.1 & S0.2
distribute-list acl-no-16-3 out Serial0.2
ip access-list standard acl-no-16-3
deny 172.16.3.0 0.0.0.255 0.0.0.255 especially important if not /24 but /27 or /28
permit any
Redistribution
Redistribution is ONLY for routes in the routing table
When asked to advertise 172.2.0.0 RIP to backbone: redistribute connected with a route-map
Cannot redistribute multiple protocols on the same router A redistributed route in 1 protocol, will not be redistributed on another protocol on the same router
When redistributing to Classful [RIP], if route-map: make the ACL classful for the network
When redistribution from OSPF/EIGRP to RIP, summarize to the mask of the RIP interface
default-metric x To assign a default value to redistributed routes into this protocol
Must include a metric either as default-metric or on the redistribute statement; the router does not know how to translate one metric into the other
Single point of mutual redistribution: no need for route-maps/distribution-lists
1. Before redistribution, on the redistributing router, issue the command 'sh ip route' and write down the learned routes.
2. Form an ACL that permits those routes in 1, including the connected subnets that igrp/rip is running on between routers.
3. Form 2 route maps: the 1st with 2 route-map entries: one that denies anything matching the ACL in 2 and another that permits anything (this will be used on the non-tag-capable IGP). The 2nd route-map has only one entry, which permits all the routes matching the ACL in 2.
4. Do the necessary redistribution using the route-maps just made
R5#sh ip route eigrp
D 150.10.4.0/24 [100/8976] via 150.10.40.4, 00:01:21, Serial0/0.3
D 150.10.45.0/24 [100/8576] via 150.10.40.4, 00:01:21, Serial0/0.3
router ospf 20
redistribute eigrp 20 metric-type 1 subnets route-map rm-eigrp2ospf
router eigrp 20
redistribute ospf 20 metric 1544 2000 255 1 1500 route-map rm-ospf2eigrp
access-list 1 permit 150.10.4.0 0.0.0.255
access-list 1 permit 150.10.45.0 0.0.0.255
access-list 1 permit 150.10.40.0 0.0.0.255 *** EIGRP is running on this connected subnet
route-map rm-ospf2eigrp deny 10
match ip address 1
route-map rm-ospf2eigrp permit 20 If not everything would be denied
!
route-map rm-eigrp2ospf permit 10
match ip address 1
Redistribution classless to classful summarize to the subnet mask of the classful network
ip summary-add eigrp 201 0.0.0.0 0.0.0.0 EIGRP: Advertise default route
summary-address 128.300.3.0 255.255.255.0 tag 12 OSPF: done on router ospf 10
Classful routing Class of network, then look for subnet
Classless routing Find the longest match
The only routes that can be redistributed are the routes already in the routing table
connected
when the loopbacks are not in the routing protocol and they should be available to routing
router ospf 10
redistribute connected subnets
network …. Area …
distribute-list 99 out connected Needed only if some of the loopbacks are to be accessible through network
access-list 99 permit 172.16.40.0 0.0.0.255
RIP - IGRP Use route-maps
router rip
redistribute igrp 100 metric 5 route-map rm-igrp-to-rip Always, always set the metric or it will be an invalid one or use default-cost
passive-interface Serial0/0 Always set passive interface on interface for non-routing
network 3.0.0.0
network 194.1.1.0
!
router igrp 100
redistribute rip metric 64 100 255 1 1500 route-map rm-rip-to-igrp
passive-interface Dialer0
network 195.1.1.0
!
ip access-list standard acl-netw-igrp Permit the IGRP networks, deny everything else
deny 1.0.0.0 3.255.255.255
deny 192.0.0.0 3.255.255.255
permit any
ip access-list standard acl-netw-rip Permit the RIP networks, deny everything else
permit 1.0.0.0 3.255.255.255
permit 192.0.0.0 3.255.255.255
deny any Usually do a deny any at the end, easier for debugging
route-map rm-rip-to-igrp permit 10
match ip address acl-netw-rip
route-map rm-igrp-to-rip permit 10 Always defines as positive, what to allow, the rest is denied
match ip address acl-netw-igrp
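To check what a distribute-list or route-map ACL really lets through before applying it, the first-match and wildcard-mask logic can be run offline. This is an added example, not part of the original notes: it evaluates access-list 1 from the first section and acl-netw-rip from the block above against a constructed list of route networks; the function names and the route list are assumptions made for the illustration.

```python
import ipaddress

def parse_standard_acl(lines):
    """Parse IOS standard ACL entries: 'permit|deny <addr> [wildcard]' or 'permit|deny any'."""
    entries = []
    for line in lines:
        parts = line.split()
        action, target = parts[0], parts[1]
        if action not in ("permit", "deny"):
            raise ValueError(f"unsupported entry: {line!r}")
        if target == "any":
            addr, wildcard = 0, 0xFFFFFFFF
        else:
            addr = int(ipaddress.IPv4Address(target))
            # A missing wildcard means an exact match (0.0.0.0).
            wildcard = int(ipaddress.IPv4Address(parts[2])) if len(parts) > 2 else 0
        entries.append((action, addr, wildcard, line))
    return entries

def evaluate(entries, network):
    """Return (action, matching entry) for a route's network address. First match wins."""
    value = int(ipaddress.IPv4Address(network))
    for action, addr, wildcard, line in entries:
        care = ~wildcard & 0xFFFFFFFF      # bits that must be equal
        if (value & care) == (addr & care):
            return action, line
    return "deny", "(implicit deny any)"

def filter_routes(entries, networks):
    """Networks that a distribute-list using this ACL would let through."""
    return [n for n in networks if evaluate(entries, n)[0] == "permit"]

def matched_span(addr, wildcard):
    """Lowest and highest address one entry can match (exact for contiguous wildcards)."""
    a = int(ipaddress.IPv4Address(addr))
    w = int(ipaddress.IPv4Address(wildcard))
    low = ipaddress.IPv4Address(a & ~w & 0xFFFFFFFF)
    high = ipaddress.IPv4Address(a | w)
    return str(low), str(high)

# ACLs copied from the notes.
ACL_1 = parse_standard_acl(["deny 172.16.8.0 0.0.0.255", "permit any"])
ACL_NETW_RIP = parse_standard_acl([
    "permit 1.0.0.0 3.255.255.255",
    "permit 192.0.0.0 3.255.255.255",
    "deny any",
])

# Constructed sample of route networks (not router output).
ROUTES = ["172.16.8.0", "172.16.9.0", "3.0.0.0", "194.1.1.0", "195.1.1.0", "131.108.5.0"]

if __name__ == "__main__":
    for name, acl in (("access-list 1", ACL_1), ("acl-netw-rip", ACL_NETW_RIP)):
        print(name)
        for net in ROUTES:
            action, line = evaluate(acl, net)
            print(f"  {net:<14} {action:<6} by {line}")
    print(matched_span("192.0.0.0", "3.255.255.255"))
```

The wildcard 3.255.255.255 leaves the two low bits of the first octet free, so `permit 192.0.0.0 3.255.255.255` spans 192.0.0.0 through 195.255.255.255 and matches 195.1.1.0 as well as 194.1.1.0.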
IGRP - EIGRP
Automatic if same AS Nothing to do at all
Manual if different AS, then need route-maps…
RIP-OSPF RIP distance: 120 vs OSPF distance 110
Summarize everything to the mask of the RIP, before redistributing [ie/24]
summary-address only on ASBR
area range only on ABRs
Summarize at the source on the router originating the external address to the /24 so it will be propagated to the RIP router
151.100.0.0/15 is not redistributed into RIPv1 because it is not part of a major network. So there is nothing to redistribute
router ospf 10
router-id 33.33.33.33
redistribute rip metric-type 1 subnets tag 123 Set the type to E1 to increment metric through AS, subnets & assign tag 120+R3
network 131.108.5.0 0.0.0.255 area 1
default-metric 10 Only affects the redistributed routes
Common default=metric for OSPF
router rip Same for RIPv2
redistribute ospf 10
passive-interface default Make all interface passive
no passive-interface FastEthernet0 It's much faster than doing each interface
network 131.108.0.0
default-metric 6 Only affects the redistributed routes
RIP-OSPF: Multiple redistribution points RIP distance: 120 vs OSPF distance 110
R4: RIP only
interface Loopback0
ip address 172.16.10.4 255.255.255.0
interface Ethernet0
ip address 172.16.234.4 255.255.255.0
router rip
network 172.16.0.0
R2 & R3: ASBR: RIP & OSPF Must be done on both ASBR
interface Ethernet0
ip address 172.16.234.2 255.255.255.0
interface Serial1
ip address 172.16.12.2 255.255.255.0
router ospf 10
router-id 5.5.5.5
redistribute rip subnets tag 122
network 172.16.12.0 0.0.0.255 area 0
router rip
redistribute ospf 10 metric 1
network 172.16.0.0
distance 109 172.16.234.4 0.0.0.0 Distance 109 is less than OSPF
Address of the inside router with interface facing this, then no routing loop
Must be done even if using route-maps, route-maps will NOT work in this case
RIP-EIGRP Summarize everything to the mask of the RIP, before redistributing [ie/24]
router eigrp 10 Single point of redistribution: no need for distribution-lists/route-maps
redistribute rip
network 131.108.5.0 0.0.0.255
default-metric 1300 20000 255 1 1500 Need to assign a metric or redistribution will not work, Only affects the redistributed routes
no auto-summary
eigrp router-id 33.33.33.33
!
router rip
version 2
redistribute eigrp 10
passive-interface default
no passive-interface FastEthernet0
network 131.108.0.0
default-metric 6 Only affects the redistributed routes
no auto-summary
OSPF far end router ASBR for RIP
router ospf 10 OSPF does the summarization, if RIP or EIGRP did not and redistributed
router-id 201.201.1.1
summary-address 152.1.11.0 255.255.255.0 tag 12 summarize external from /28 to /24 for RIP which is /24
redistribute connected subnets redistribute loopback not in OSPF into OSPF area 1
network 152.1.1.0 0.0.0.255 area 1
network 152.1.10.0 0.0.0.255 area 1
OSPF next router ABR for RIP
router ospf 10
router-id 22.22.22.22
area 1 range 152.1.1.0 255.255.255.0 summarize the /30 to /24 for RIP which is /24
Area 1 is the source of the 152.1.1.0 into area 0 [not the area to inject to]
area 0 range 152.2.2.0 255.255.255.0 Area 0 will be summarized into area 1 as 152.2.2.0
network 152.1.0.0 0.0.255.255 area 1
network 152.2.0.0 0.0.255.255 area 0
OSPF router ASBR to RIP
router ospf 10
router-id 201.201.3.3
redistribute rip metric 65 subnets route-map rm-rip-to-ospf metric-type 1 Actual redistribution: subnets and metrics must be there
metric-type 1: route will be E1 & increment cost within AS instead of E2
passive-interface Serial0/0 passive interface to make sure it does not propagate Hellos
network 152.1.0.0 0.0.255.255 area 0
!
router rip Redistribute into RIP, summarize to the mask of the RIP interface
redistribute ospf 10 metric 7 route-map rm-ospf-to-rip Metric required or invalid routes
passive-interface FastEthernet0/0 passive interface to make sure it does not propagate broadcasts
network 152.1.0.0
!
ip access-list standard acl-netw-ospf
permit 152.1.1.0 0.0.0.255
permit 152.1.10.0 0.0.0.255
permit 152.1.11.0 0.0.0.255
deny any not needed, just for debugs
ip access-list standard acl-netw-rip
permit 152.1.2.0 0.0.0.255
permit 152.1.3.0 0.0.0.255
deny any not needed, just for debugs
route-map rm-rip-to-ospf permit 10
match ip address acl-netw-rip
route-map rm-ospf-to-rip permit 10
match ip address acl-netw-ospf
BGP-OSPF
For BGP to synchronize with OSPF, the router IDs must match
When redistributing BGP into OSPF, the router writes the AS_PATH into the external route tag field of the OSPF type 5 LSA. However, when redistributing OSPF into BGP, the BGP process doesn't automatically assume the tag contains an AS_PATH. Need to use "set as-path tag" or "set automatic-tag"
One of reasons routers to ignore paths is because of paths marked as "not synchronized" in the "show ip bgp " output. If BGP synchronization is enabled, there must be a match for the prefix in the IP routing table in order for an internal (iBGP) path to be considered a valid path.
If the matching route is learned from an OSPF neighbor, its OSPF router ID must match the BGP router ID of the iBGP neighbor. Most users prefer to disable synchronization using the no synchronization BGP subcommand
When the RR passes BGP routes from one RR client to another, the BGP router id will be the first RR client but the OSPF router id will be the RR itself, so there will never be a match between them. The solutions to this are:
turn off sync on 2nd RR client.
use confederation to make prior 2nd RR client "ebgp" peering to prior RR
BGP peers will ALWAYS trust eBGP routes
If R2 and R3 are route-reflector clients of R1, ONLY when OSPF is the IGP, BGP routes originated on R2 will NEVER be seen as valid on R3 and vice-versa because:
BGP and OSPF router IDs are required to match for BGP routes to be seen as valid
BGP and OSPF router IDs will never match on R2 and R3 due to the presence of the R1 route-reflector between the iBGP peers.
To allow redistribute iBGP into IGP, need to configure "bgp redistribute-internal".
redistribute ospf 1 match ? All the combination of match are there
redistribute ospf 1 match internal external 1 external 2 Redistribute internals and externals E1 & E2 into BGP
If problems with redistribution:
Turn off BGP sync
Use confederations
Change the OSPF router-ID and BGP router-id's on the appropriate routers so that they match.
Use another IGP instead, eg EIGRP
RIP
broadcasts UDP port 520: 255.255.255.255 Show ip protocol will show the timers
timers basic 30 180 180 240 Change the timers: timers basic update invalid holddown flush; must then be changed on ALL RIP routers, show ip prot will show the actual times used before the change
If adding too much time so that invalid timer is too long, then 3x and flush add another 60sec: ie: timers basic 120 360 360 240 instead of 120 720 720 960
no validate-update-source If source is not on same subnet as local interface, RIP ignores the update, then the no validate… will allow for the routing update
such as other side is: ip unnumbered or different subnet
If routing table entry has the same classful network and the same subnet mask, it becomes part of the update.
If routing table entry has the same classful network and a different subnet mask, it is dropped and does NOT become part of the update
If it IS NOT of the same classful network, an update is created using the natural mask of the classful network
To redistribute RIP: The interface must be the same classful & same subnet on all the interfaces
RIP cannot accept a classful update if it already has a classful connected, use either RIP2 or EIGRP
If 192.168.20.33/27 connected to 192.168.20.34/29 The /27 side will know about the /29, but the /29 will not know about the /27 side because /27 encompass the /29
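The three classful update rules above, combined with split horizon, can be applied to a routing table to predict what a RIPv1 update out of one interface will contain. This is an added example, not part of the original notes; the route table, interface names and function names are constructed for the illustration, and connected-route handling and metrics are left out.

```python
import ipaddress

def major_network(address):
    """Classful (natural mask) network that contains an address."""
    first_octet = int(ipaddress.IPv4Address(address)) >> 24
    if first_octet < 128:
        prefix_len = 8          # class A
    elif first_octet < 192:
        prefix_len = 16         # class B
    elif first_octet < 224:
        prefix_len = 24         # class C
    else:
        raise ValueError(f"{address} is not a class A/B/C address")
    return ipaddress.ip_network(f"{address}/{prefix_len}", strict=False)

def ripv1_update(routes, out_interface, split_horizon=True):
    """Predict the entries of a RIPv1 update.

    routes: list of (prefix, name of the interface the route was learned on)
    out_interface: (interface name, 'address/prefixlen')
    Returns (entries sent, [(prefix, reason it was left out)]).
    """
    name, address = out_interface
    iface = ipaddress.ip_interface(address)
    iface_major = major_network(str(iface.ip))
    sent, dropped = [], []
    for prefix, learned_on in routes:
        net = ipaddress.ip_network(prefix)
        if split_horizon and learned_on == name:
            dropped.append((prefix, "split horizon"))
            continue
        route_major = major_network(str(net.network_address))
        if route_major == iface_major:
            if net.prefixlen != iface.network.prefixlen:
                # Same classful network, different mask: not part of the update.
                dropped.append((prefix, "mask differs from interface"))
                continue
            entry = str(net.network_address)      # RIPv1 carries no mask
        else:
            # Different classful network: summarized to its natural mask.
            entry = str(route_major.network_address)
        if entry not in sent:
            sent.append(entry)
    return sent, dropped

# Constructed routing table: (prefix, interface the route was learned on).
ROUTES = [
    ("172.16.8.0/24", "Serial0"),
    ("172.16.9.0/28", "Serial0"),
    ("10.1.1.0/24", "Serial0"),
    ("10.2.0.0/16", "Serial0"),
    ("172.16.20.0/24", "Ethernet0"),
]
OUT_IF = ("Ethernet0", "172.16.1.1/24")

if __name__ == "__main__":
    sent, dropped = ripv1_update(ROUTES, OUT_IF)
    print("sent:", sent)
    for prefix, reason in dropped:
        print("left out:", prefix, "-", reason)
```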
default-metric 4 Metric to be used during redistribution
Basic config
interface Loopback0
ip address 10.1.1.1 255.255.255.0
interface Serial0/0
ip address 148.1.1.1 255.255.255.0
interface Serial0/1
ip address 192.168.11.1 255.255.255.0
router rip
passive-interface Serial0/1 passive-interface, when router configures more interfaces than wanted [usually a subnet of a classful]
If many passives: passive-interface default & no passive-interface s0/2
network 10.0.0.0 Classful only
network 148.1.0.0
neighbor 192.168.11.5 Unicast for 1 of the routers on the passive-interface stub or to send updates over NBMA, no network statement for that network or make it as passive interface
Must be a second neighbor if there is a secondary address on a different network
distribute-list dl-in-rip in Ethernet0 eliminate some routes from coming in thru E0
ip access-list standard dl-in-rip
permit 198.172.19.0 0.0.0.255
deny 198.172.13.0 0.0.0.255
permit any
Troubleshoot / info
show ip protocols display details of all routing protocols, for bad updates and see if what you think is what Cisco thinks
debug ip rip The detailed rip activities
access-list 101 remark only icmp packets
access-list 101 permit icmp any any
debug ip packet 101 debug only the pings
show ip route rip The last RIP update must be less than timers basic [usually 30sec] or…
RIP discontinuous networks Can be more than 1 secondary per interface
interface Serial0 130.1.0.0 network separated by 192.168.10.0
ip address 130.1.2.1 255.255.255.0
interface Serial1
ip address 192.168.10.2 255.255.255.0
ip address 130.1.3.1 255.255.255.0 secondary same classful network as s0, but different network /24, other side: 130.1.3.2, including the routers in the middle so it's a contiguous chain for the secondary addresses
router rip Or use static route that points to the discontiguous network
network 130.1.0.0
network 192.168.10.0
RIP default routes
1 of the 3 The ip default-network command is configured.
The default-information originate command is configured.
The default route is learned via another routing protocol or static route and then redistributed into RIP.
RIP frame-relay
Must have broadcast on frame-relay map
or
use neighbor on router rip
RIP DDR
router rip When configuring DDR, at minimum "must" disable validation of source address.
no validate-update-source
RIP metrics Hops count: 16 = unreachable
If requirement = unreachable == offset-list
router rip incoming vs. outgoing
offset-list 1 in 7 Dialer1 add 7 hops to items from access-list coming IN from DI1, could also be out
add to 15 so it won't appear in the routing table [16 hops = unreachable]
in: Only the routing table of this router is affected
out: All routers downstream of Dialer1 are affected
network 10.0.0.0
network 192.168.12.0
access-list 1 permit 192.168.200.0 Which network to add 7 to the hop count, must be in the routing table before applying the new hop count
Offset-list only works with standard ACLs
Place offset on router that is the FROM router
RIP Triggered extensions Increases efficiency on point-to-point, serial links
interface Serial1/0 Reduces periodic RIP transmission
ip address 172.16.1.2 255.255.255.0
ip rip triggered Needs to be done on both sides, ONLY on SERIAL POINT-TO-POINT
router rip
network 172.16.0.0 RIP routes are marked as permanent
network 172.18.0.0
network 172.19.0.0
RIP v2 v2, multicast 224.0.0.9
also do UDP port 520 for v1 Supports TAGs like OSPF
no auto-summary When running both RIPv1 & RIPv2 [RFC 1723]
no auto-summary When discontiguous networks under RIPv2
no auto-summary The summary route arrives at another router with a different subnet mask than the interface receiving [summary will be dropped]
Metric still maximum: 16
interface FastEthernet0/0 Supports authentication
ip address 172.25.150.193 255.255.255.240
ip rip send version 1 2 Done at the interface
Router also connected to a v1 router.
Check with "show ip prot" to see what is sent & received
ip summary-address 172.25.192.0 255.255.252.0 Can do manual summarization
no ip split-horizon 2 routers & same subnet out of this ethernet
router rip Always run sh ip prot to see which interface runs v1 and v2
version 2 Runs under v2, if not default to v1
network 172.25.0.0 v2: default: receive v1 & v2
network 192.168.50.0
distribute-list 101 in
access-list 101 permit ip any host 255.255.255.255 If distribute lists, they must allow the broadcasts and/or multicasts
access-list 101 permit ip any host 224.0.0.9 ping 224.0.0.9 to make sure they can go through
access-list 101 permit ip …
RIP v2 Authentication Authentication only on RIP 2
key chain efghi Name of key is significant only to local router, other side can be whatever
key 1 Can be multiple keys, key # must be the same on both sides
key-string 123456 Watch for the spaces and cases, key must be the same on both sides
accept-lifetime 11:10:00 Nov 6 2002 duration 1080000 When to start receiving
send-lifetime 11:10:00 Nov 6 2002 duration 1080000 When to start sending
key 2
key-string cisco02
accept-lifetime 00:00:00 Dec 4 2002 infinite When to start receiving
send-lifetime 00:00:00 Dec 4 2002 infinite When to start sending
interface Serial2
ip address 192.168.50.130 255.255.255.192
ip rip authentication mode md5 If not md5, then password sent in clear text
ip rip authentication key-chain efghi my keychain
router rip
version 2
network 192.168.50.0
debug/info
show key chain always do on both routers, and will show if there are blanks/spaces and they match
debug ip rip Will show if the authentication is valid or not
ping 224.0.0.9 To check that multicasts go through
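To see on the wire what the two authentication modes above look like, a captured RIP payload (UDP port 520) can be classified and, for MD5, checked against the configured key-string. This is an added example, not part of the original notes: the packet layout follows RFC 2082 (keyed MD5, 16-byte authentication data), the packets are constructed inline rather than captured, and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import socket
import struct

TRAILER = struct.pack("!HH", 0xFFFF, 0x0001)   # marks the authentication data trailer

def pad_key(key):
    """Key-string as a 16-byte field, NUL padded (spaces and case are significant)."""
    return key.encode("ascii")[:16].ljust(16, b"\0")

def route_entry(network, mask, metric):
    """One 20-byte RIPv2 route entry (address family 2 = IP, no tag, no next hop)."""
    return struct.pack("!HH4s4s4sI", 2, 0, socket.inet_aton(network),
                       socket.inet_aton(mask), bytes(4), metric)

def build_cleartext(password, entries):
    """Constructed RIPv2 response with simple password authentication (type 2)."""
    header = struct.pack("!BBH", 2, 2, 0)
    return header + struct.pack("!HH", 0xFFFF, 2) + pad_key(password) + b"".join(entries)

def build_md5(key, key_id, sequence, entries):
    """Constructed RIPv2 response with keyed MD5 authentication (type 3)."""
    body = b"".join(entries)
    offset = 4 + 20 + len(body)                 # header + auth entry + routes
    header = struct.pack("!BBH", 2, 2, 0)
    auth = struct.pack("!HHHBBI8x", 0xFFFF, 3, offset, key_id, 16, sequence)
    covered = header + auth + body + TRAILER
    # Digest is MD5 over the packet with the padded key in place of the digest.
    return covered + hashlib.md5(covered + pad_key(key)).digest()

def classify(payload):
    """Report which authentication a RIP payload carries and what it exposes."""
    if len(payload) < 24:
        raise ValueError("too short for a RIP packet with one entry")
    version = payload[1]
    family, auth_type = struct.unpack("!HH", payload[4:8])
    if version != 2 or family != 0xFFFF:
        return {"auth": "none"}
    if auth_type == 2:
        password = payload[8:24].rstrip(b"\0").decode("ascii", "replace")
        return {"auth": "simple-password", "password": password}
    if auth_type == 3:
        offset, key_id, _length, sequence = struct.unpack("!HBBI", payload[8:16])
        return {"auth": "keyed-md5", "offset": offset, "key_id": key_id, "sequence": sequence}
    return {"auth": "unknown"}

def verify_md5(payload, key):
    """True if the keyed MD5 digest in the payload matches the given key-string."""
    info = classify(payload)
    if info["auth"] != "keyed-md5":
        return False
    start, end = info["offset"], info["offset"] + 4
    if len(payload) < end + 16 or payload[start:end] != TRAILER:
        return False
    expected = hashlib.md5(payload[:end] + pad_key(key)).digest()
    return hmac.compare_digest(expected, payload[end:end + 16])

# Constructed sample packets using key 2 / key-string cisco02 from the key chain above.
SAMPLE_ROUTES = [route_entry("192.168.50.128", "255.255.255.192", 1)]
CLEAR_PKT = build_cleartext("cisco02", SAMPLE_ROUTES)
MD5_PKT = build_md5("cisco02", 2, 1, SAMPLE_ROUTES)

if __name__ == "__main__":
    print(classify(CLEAR_PKT))
    print(classify(MD5_PKT), verify_md5(MD5_PKT, "cisco02"))
```

A key-string with a trailing space or different case produces a different digest, which is why `show key chain` on both routers is the first check when `debug ip rip` reports invalid authentication.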
Default route with ip route 0.0.0.0 0.0.0.0 x.x.x.x
RIP propagate ip route 0.0.0.0 0.0.0.0 x.x.x.x as the default route through the RIP domain
Default route WITHOUT ip route 0 0 x.x.x.x
router rip
passive-interface Loopback10 Should always be passive, if loopback included in the network
network 7.0.0.0 Which interface to advertise
network 172.16.0.0
neighbor 172.16.2.2 because of frame-relay and no NBMA
default-information originate Generate default route throughout the RIP domain, including its own. It SHOULD not be a transit router
Split horizon enabled RIP updates with secondary address on different major network than primary: Update contents
Primary Subnets of primary (if known through non-source interfaces). Other major networks (including secondary network), known through non-source interface, summarized to major net boundary.
Secondary Subnets of secondary (if known through non-source interface). Other major networks (including primary network), known through non-source interface, summarized to major net boundary.
Split horizon disabled RIP updates with secondary address on different major network than primary: Update contents
Primary All known subnets of primary. Other major networks (including secondary network), summarized to major net boundary.
Secondary All known subnets of secondary. Other major networks (including primary network), summarized to major net boundary.
Split horizon enabled RIP updates with secondary address on same major network as primary: Update contents
Primary Subnets of primary/secondary (if known through non-source interfaces). Other major networks, known through non-source interface, summarized to major net boundary.
Secondary None - no updates sourced from secondary.
Split horizon disabled RIP updates with secondary address on same major network as primary: Update contents
Primary All known subnets of primary/secondary. Other major networks summarized to major net boundary.
Secondary All known subnets of primary/secondary. Other major networks summarized to major net boundary.
On-Demand routing Hub & Spoke
router odr enable on-demand routing
router ospf 10
network 10.0.0.0 0.255.255.255 area 10
redistribute odr metric 100 On hub to redistribute the routes learned from the spokes
RIP default routes
RIP doesn't advertise the default route if the route is not learned via RIP. Therefore, it may be necessary to redistribute the route into RIP, or use the default-information originate command.
EIGRP
Should always use: eigrp log-neighbor-changes For debugs
To establish neighbor relationship, the neighbors MUST BE ON THE SAME SUBNET EIGRP does support secondary addresses. But EIGRP always sources data packets from the primary address, configure all routers on a particular subnet with primary addresses that belong to the same subnet. Routers will not form EIGRP neighbors over secondary networks
metric weights 0 1 1 1 1 0 K values must be the same for all routers of AS# or no neighbor relationship
Static routes are automatically advertised by EIGRP if next hop is interface and the interface is covered by the network statement
Need distribute-list to prevent that
EIGRP Administrative distance: 110
EIGRP Administrative distance external routes: 170
Basic config With frame-relay NBMA
interface Serial0/1.10 multipoint
ip address 172.16.2.2 255.255.0.0
no ip split-horizon eigrp 10 NBMA, must disable the split-horizon
Split horizon behavior is turned on by default.
Changing the EIGRP split horizon setting on an interface resets all adjacencies with EIGRP neighbors reachable over that interface.
Split horizon should only be disabled on a hub site in a hub-and-spoke network. Disabling split horizon on the spokes radically increases EIGRP memory consumption on the hub router, as well as the amount of traffic generated on the spoke routers.
frame-relay map ip 172.16.5.5 205
frame-relay map ip 172.16.7.7 207
router eigrp 10
network 2.22.0.0 0.0.255.255 Only for the 2.22.0.0/16 network without using passive interface
network 172.16.0.0 Defaults to classful or can use wild cards on network statement
neighbor 172.16.7.7 Serial0/1.10 Neighbors because of the NBMA
neighbor 172.16.5.5 Serial0/1.10 It should not be used. The neighbor statement does not behave as intended and can have a negative effect on EIGRP neighbors.[BUG]
no auto-summary To support discontiguous networks, if not cannot ping [null0]
Basic config
interface serial 0
ip add 192.168.1.1 255.255.255.0
ip hello-interval eigrp 64 10 AS#64, hello-interval=10sec must be done on both sides
ip hold-time eigrp 64 30 AS#64, hold-time=30sec must be done on both sides, sho ip prot will give defaults
bandwidth 64 Always set the bandwidth for serials, to adjust metric change the DELAY
ip bandwidth-percent eigrp 50 Limits EIGRP overhead to a maximum of 50%
ip summary-address eigrp 64 192.168.10.0 255.255.240.0 120 Send summary address to RIP/IGRP with the correct network mask
64: destination EIGRP as#
120: Administrative distance of summary address
Summary address done at interface that advertises out in EIGRP instead of AS in OSPF
Cannot do summary-routes on discontiguous networks == blackhole
Interface MUST exist that covers the summary address
Summary address must not cover more than actual addresses or blackhole
EIGRP will not auto-summarize external routes unless there is a component of the same major network that is an internal route
External EIGRP routes have an administrative distance of 170, should use default metric
if secondary address need: no ip split-horizon
router eigrp 64 Same AS # on all routers unless redistribution
passive-interface FastEthernet0/0 show ip protocol will show the networks and the passive interfaces
The passive-interface command prevents the exchange of routes on the interface
It still includes the address of the interface in routing updates sent out of other non-passive interfaces
network 10.1.1.0 0.0.63.255 Up to 10.1.64.255
network 172.17.5.0 0.0.0.255
network 192.168.0.0 0.0.255.255 Must be included for the ip summary-address…
no auto-summary automatic summarization by default when 2 or more networks configured for the IP EIGRP process, suppress null0 in routing table
EIGRP summarizes the route only when advertising out an interface that is in a different class
EIGRP Troubleshoot / info
show ip protocol Will display the summary info and the summary addresses
show ip eigrp neighbor Show the status of the neighbors
show ip eigrp topology
show ip eigrp topology active shows the route with status active [stuck-in-active]
show ip eigrp interfaces detail Displays the neighbors and the interfaces and authentication
debug eigrp packets Never use it straight, massive amount of data!
debug ip eigrp Much better to use than debug eigrp packet
MAKE SURE THAT IT'S THE RIGHT !@#$%^&* IP ADDRESS
Neighbor 137.20.40.17 not on common subnet for E0 The 2 Ethernet interfaces are in the same VLAN but are on 2 different subnets
EIGRP on NBMA
interface Serial0/1 This is the hub
ip address 192.1.1.2 255.255.255.0
encapsulation frame-relay
no ip split-horizon eigrp 10 So that both spokes can see each other, only affect eigrp 10 nothing else
frame-relay map ip 192.1.1.1 100 so that the routing goes through
frame-relay map ip 192.1.1.3 200
router eigrp 10
network 192.168.0.0 0.0.255.255
neighbor 192.1.1.1 Need the neighbor statement because no broadcast on "frame map ip"
neighbor 192.1.1.3
EIGRP misc
router eigrp 8200 Distance EIGRP [internal] [external]
eigrp router-id 0.0.0.7 Set the router-id for eigrp 2001, must be unique or will not allow extern route
redistribute ospf 4000 metric 1500 10 255 10 1500 route-map ospf_2_eigrp
eigrp log-neighbor-change Shows why, loss of neighbor
network 139.10.103.0 0.0.0.255
network 180.1.1.1 0.0.0.0
distance 2 0.0.0.0 255.255.255.255 99 distance
no auto-summary
router rip RIP has a LOWER AD than the external EIGRP routes
network 172.16.0.0
network 180.1.0.0
distance 190 180.1.2.1 255.255.255.255 Assigns a distance of 190 so router can choose the EIGRP route
access-list 99 permit 160.160.0.0 0.0.255.255
access-list 99 deny any
EIGRP summarization
Auto-summarization done when redistributing Cannot be disabled
Auto-summarization done at class boundary Should be disabled with no auto-summary when discontiguous networks
Will not automatically summarize external routes
EIGRP cannot form a neighbor relationship with routers that fall within the manual or auto-summarization address; in that case use no auto-summary
interface Serial0
ip address 172.16.3.3 255.255.255.0
ip summary-address eigrp 201 182.0.0.0 255.0.0.0
ip summary-address eigrp 201 10.0.0.0 255.0.0.0
!
router eigrp 201
eigrp router-id 0.0.0.7 Set the router-id for eigrp 2001, only used on external routes to prevent loops
network 10.0.0.0
network 172.16.3.0 0.0.0.255
network 182.0.0.0 0.255.255.255
no auto-summary
EIGRP stub routing No transit, only 1 neighbor, used in Hub & Spokes
router eigrp 2001 improves network stability, reduces resource utilization, and simplifies stub router configuration.
network 172.16.0.0
network 192.168.14.0
no auto-summary
eigrp router-id 0.0.0.7
eigrp stub connected connected | static | summary | receive-only [will not advertise anything]
EIGRP default routes
The "default-network" must be on a MAJOR CLASSFUL boundary.
router eigrp 10 The "default-network" must be either in the routing table as External-EIGRP or need to be advertised in EIGRP with the network command
network 192.168.10.0 0.0.0.255 Must be present
ip default-network 192.168.10.0 Global command, can be more than 1 ip default-network statement
For EIGRP to propagate the route, the network specified by the ip default-network command must be known to EIGRP. This means the network must be an IGRP- or EIGRP-derived network in the routing table, or the static route used to generate the route to the network must be redistributed into EIGRP.
ip default-network 192.168.10.0 Must be classful
ip default-network 10.0.0.0 Must be classful
router eigrp 10
network 192.168.10.0 Must match ip default-network
network 10.0.0.0
default-information {in | out} {access-list | access-name} To control the candidate default routing information between IGRP or EIGRP processes
OSPF
Notes
Cannot make adjacencies over secondary addresses Only over primary addresses
Routes of secondary addresses must be in same area as primary to be advertised
There can be more than 1 DR per area, there is only 1 DR per broadcast segment
OSPF does NOT support unnumbered point-to-point links
Distribute-list in prevents the OSPF routes from being installed in the routing table [they still come into the database]
Media types
Multiaccess Default network type: Broadcast
Recommended network type: Broadcast
Point-to-point Default network type: point-to-point
Recommended network type: point-to-point
Non-Broadcast Multi-Access [NBMA] Default network type: NonBroadcast
Recommended network type: NonBroadcast, point-to-multi, point-to-multi nonbroadcast, point-to-point
Demand circuit Default network type: [None]
Recommended network type: point-to-multipoint, point-to-point
Network types that work together Works
Point-to-Point ===== Point-to-Point YES
Point-to-Point ===== Point-to-Multi YES, if timers (hello) are allowed to be modified
Point-to-Multi ===== Point-to-Multi YES
NON-BROAD ===== NON-BROAD YES, if neighbor statements are allowed. May need to influence DR selection (Priority)
non-broad ===== broadcast YES, if timers (hello) are allowed to be modified. May need to influence DR selection (Priority)
broadcast ===== broadcast YES, may need to influence DR selection (Priority)
Point-to-Point ===== non-broad NO
Point-to-Point ===== broadcast NO
Point-to-Multi ===== non-broad NO
Point-to-Multi ===== broadcast NO
when mixing ospf network types: hello/dead intervals
Use or non-use of DR/BDR
Non-broadcast and broadcast elect DR/BDR, but have different hello/dead intervals.
Point-to-point and multipoint do not elect DR/BDR, and also have different hello/dead intervals. Multipoint may require neighbor statements over NBMA so it knows which router to form an adjacency with.
LSAs and areas & networks
Point-to-point networks No DR/BDR :: Only: 224.0.0.5
Broadcast networks DR/BDR :: Hellos: 224.0.0.5, Only DR/BDR listens to 224.0.0.6 & broadcast on 0.5
NBMA networks DR/BDR :: No multicasts :: Neighbors statically defined :: Hub=DR
Point-to-multipoint networks No DR/BDR :: IP OSPF network point-to-multipoint :: Hellos: 224.0.0.5 [broadcasts]
IP OSPF network
broadcast Full meshed, neighbors: same subnet, DR/BDR, adjacency: auto, Priority: set manually
Frame-relay NBMA: point-to-multipoint Partial meshed: star, neighbors: same subnet, static, DR/BDR, adjacency: manual, priority for setting DR/BDR
frame-relay: point-to-point Partial meshed: star, neighbors: different subnet, no DR/BDR, adjacency: auto
frame-relay: point-to-multipoint Partial meshed: star, neighbors: same subnet, no DR/BDR, adjacency: auto, must define manually with IP OSPF network point-to-multipoint
NBMA Point-to-Multipoint
DR Election No DR Election,
Requires manual neighbor establishment (neighbor command) automatic neighbor establishment
In partial mesh ensure HUB is DR (priority command) Provides automatic mapping via routing table [host routes x.x.x.x/32]
Need to map spokes to hub, otherwise the spokes will not be able to communicate with each other.
Neighbor will not show up when: the neighbor is out a frame interface that is configured with priority 0
frame map ip [do NOT use broadcast, use neighbor instead]
Network type recommended: point-to-multipoint
Area type LSAs & default route
Regular area All LSAs allowed, injected:
Summary LSAs - Type 3/4
External LSAs - Type 5
External default LSAs - Type 5?
Stub area Summary LSA: Type 3 [no type 4 generated by ASBR]
Default route as summary route: Type 3
No External LSA: Type 5
no redistribution in stub area
only 1 ABR, automatically generates a default route inside the stub toward the ABR: O*IA 0.0.0.0/0 [110/1563] via 192.168.30.10, 00:00:23, Serial0
Gateway of last resort is 192.168.30.10 to network 0.0.0.0
Totally-stubby area No external LSA, No external summary LSAs are allowed, only ABR
Not-so-stubby area No external LSA coming in but allow external LSA out
default-information originate [always] Default route when redistributing, need an ip route or ip default-network
Creates LSA type 5
Does not generate default routes in stubby, totally stubby areas [no 5 allowed] If need default route make area nssa, then type 7 default
area x stub Default route as type 3 & no 5-7
area x stub no summary Default route & no 3-4-5 [totally stubby]
area x nssa No default route & no 5 [not so stubby]
no default route (no 5's but change externals that were redistributed by ASBR to type 7's that will change to 5's by ABR to push to other area that are eligible, use default-information-originate if route is visible in route table, use default-information-originate always if not in routing table)
area x nssa no summary Default route + 7 & no 3,4,5 [Totally not-so-stubby-area]
no 3,4,5, same type 7 translation as nssa, but default route injected as type 3
On the ASBR, area x nssa on the other routers
when defining an area as "stub" and "stub no-summary" in both cases you get 0.0.0.0 injected in
Use "default-information-originate" option for "nssa" type area, if you wish to have 0.0.0.0 route propagated within.
area 1 stub All routers in Area 1 as stub area
area 1 stub no-summary ABR router to make area 1 totally stubby
area 1 nssa All routers in Area 1 as Not so stubby
area 1 nssa default-information-originate Creates a default-route into area 1 [nssa] on the ABR, ASBR depends on IOS
area 1 nssa no-summary NSSA ABR for totally NSSA area
area 1 nssa no-redistribution When ASBR is also NSSA ABR, on ASBR, Type 7 will NOT be translated as Type 5
router ospf 10
summary-address 10.10.20.0 255.255.255.0 not-advertise Generates type 7, that won't be xlated to type 5 by NSSA ABR
Originated by: LSAs
All routers 1: Router LSA: router interfaces
Designated router 2: Network LSA: list of routers connected to network
Multi-access segment network link advertisements
Single Area only
ABR: They are not flooded inter area, but generated anew for each area by relevant ABRs 3: Summary LSA: Summary network prefix of an area
Created from information in ABRs routing table: intra-area
Routes to networks
Area need to be connected to area 0
ABR 4: Summary LSA: when an ASBR exists in the area
Routes to ASBR
Area Need to be connected to area 0
ASBR 5: AS-External LSA: external network prefixes
NSSA - ASBR 7: NSSA AS-External LSA: Network prefixes imported into NSSA area
DR/BDR
If priority is the same, then will use Router id for selection Don’t rely on router-id for DR-BDR use ip ospf priority 255
Need: ip ospf priority 255 and ip ospf priority 0 on the other routers in the area
Stub area area 10 stub
Best used: Only 1 ABR, could be more than 1 but then should use nssa
No ASBR
area 2 stub No virtual links
Not the backbone
Must have: area 10 default-cost 1000 On ABR: If no default-cost, the cost advertised by ABR will be 1
Need: default-information originate No, Automatically generates the default route
Allow LSA: 1,2,3 [intra-area & default]
Block LSA: 5,7
Allow external summary: Yes
Generate summary: No
Allow default: Yes
Generate default: ABR generates default route for area toward ABR as summary: Type 3
Allow externals: Yes: summaries only
Notes: If area is over demand circuit/BRI, make the area stub to reduce flaps
No external link flap will bring up the dialup link
Totally stubby area 10 stub no-summary
Best used: Only 1 ABR
No ASBR
area 2 stub no-summary !
Only on ABR No virtual links
area 2 stub ! On all other routers in area Not the backbone
Smallest routing table possible
Must have: area 10 default-cost 1000 On ABR: If no default-cost, the cost advertised by ABR will be 1
Need: default-information originate No
Allow LSA: 1,2,3 [intra-area & default]
Block LSA: 4,5,7 [external & summary routes]
Allow external summary: No
Generate summary: Yes
Allow default: Yes
Generate default: Yes
Allow externals: No
Notes: If area is over demand circuit/BRI, make the area stub to reduce flaps
No inter-area link flap will bring up the dialup link
Not so stubby NSSA area 10 nssa
Best used: Between ASBR & ABR that is connected to area 0
No virtual links
Not the backbone
Stubby area that receives redistributed external routes, but where LSA type 5 is not wanted in the area
Must have: area 10 default-cost 1000 On ABR & ASBR: If no default-cost, advertised-cost by ABR & ASBR will be 1
Need: default-information originate Yes
Allow LSA: 1,2,7
Block LSA: 3,4,5 [external & summary routes] ????
Allow external summary: No
Generate summary: No
Allow default: No
Generate default: No
Allow externals: No
OSPF designated router
Broadcast No DR/BDR: Point-to-multipoint
NBMA No DR/BDR: Point-to-point
Highest router-id
interface s0
ip ospf priority 255 ! On the DR
ip ospf priority 0 ! On all the DR/Other
OSPF Troubleshoot / info
show ip protocols display details of all routing protocols, for bad updates and see if what you think is what Cisco thinks
debug ip routing The activities/building of the routing table
show ip ospf general information about OSPF routing processes.
show ip ospf border-routers the internal OSPF routing table entries to the ABR and ASBR
show ip ospf flood-list interface-name list of LSAs waiting to be flooded over an interface (to observe OSPF packet pacing).
show ip ospf interface Display interface, neighbor, network-type, timers, authentication & areas…
show ip ospf neighbor [ interface-name] detail OSPF-neighbor information on a per-interface basis.
show ip ospf virtual-links OSPF-related virtual links information.
show ip ospf [ process-id [area-id]] database lists of information related to the OSPF database.
debug ip ospf events View all events
debug ip ospf adj view the adjacencies in progress
debug ip ospf monitor hidden command, but shows all activities
No /32 routes with ISDN and OSPF demand-circuit Especially important on ASBRs
interface BRI0
encapsulation ppp
ip add 10.1.10.1 255.255.255.0
ip ospf demand-circuit
no peer neighbor-route ppp remove the /32 routes
When using OSPF network type multipoint in a frame relay network the /32 route enables the spokes to reach one another.
Need if RIPv1: network 10.0.0.0, then the interface is also owned by RIP and redistributed into OSPF, when the link goes down [ospf demand-circuit], RIP reports it down, then redistribute into OSPF, change the database and raise the list to update the other end
OSPF: Physical interface and point-to-point sub
interface Serial0/1 Hub
ip address 172.16.2.2 255.255.255.0
encapsulation frame-relay
ip ospf priority 255
frame-relay map ip 172.16.2.7 207 broadcast No neighbor
interface Serial0/1.11 point-to-point
ip address 172.16.3.2 255.255.255.0
frame-relay interface-dlci 205
router ospf 10
router-id 22.22.22.22
network 172.16.0.0 0.0.255.255 area 1
interface Serial1 Spoke
ip address 172.16.3.5 255.255.255.0
encapsulation frame-relay
ip ospf network point-to-point Must match the point-to-point subinterface type
ip ospf priority 0
frame-relay map ip 172.16.3.2 502 broadcast No neighbor
frame-relay map ip 172.16.7.7 502
no frame-relay inverse-arp
router ospf 10
router-id 10.5.5.5
network 172.16.0.0 0.0.255.255 area 1
OSPF: Frame-relay, Hub & spoke
Spokes can't be neighbors with each other. The TTL of an OSPF packet is 1, so it will never make it past the hub.
Hub
interface Serial0/1
no ip address
encapsulation frame-relay
!
interface Serial0/1.257 multipoint
ip address 131.108.1.2 255.255.255.0
ip ospf network broadcast !optional, same network type
ip ospf priority 255
frame-relay map ip 131.108.1.5 25 broadcast
frame-relay map ip 131.108.1.7 27 broadcast
!
router ospf 1
router-id 22.22.22.22
network 131.0.0.0 0.255.255.255 area 1
Spoke
interface Serial1
ip address 131.108.1.5 255.255.255.0
encapsulation frame-relay
ip ospf network broadcast !optional, same network type
ip ospf priority 0 ! Will make the hub the DR
frame-relay map ip 131.108.1.2 52 broadcast
!
router ospf 1
router-id 55.55.55.55
network 131.0.0.0 0.255.255.255 area 1
Hub
interface Serial0/1
no ip address
encapsulation frame-relay
!
interface Serial0/1.257 multipoint
ip address 131.108.1.2 255.255.255.0
ip ospf priority 255
frame-relay map ip 131.108.1.5 25
frame-relay map ip 131.108.1.7 27
no frame-relay inverse-arp
!
router ospf 1
router-id 22.22.22.22
network 131.108.0.0 0.0.255.255 area 1
neighbor 131.108.1.7
neighbor 131.108.1.5
Spoke All spokes have a priority of 0
There is no BDR on hub & spoke, need full mesh for BDR
interface Serial1
ip address 131.108.1.5 255.255.255.0
encapsulation frame-relay
ip ospf priority 0 ! Will make the hub the DR
frame-relay map ip 131.108.1.2 52
no frame-relay inverse-arp
!
router ospf 1
router-id 55.55.55.55
network 131.108.0.0 0.0.255.255 area 1
!no neighbor on the spoke, it's automatic
Hub
interface BRI0
ip address 131.108.1.2 255.255.255.0
encapsulation ppp
ip ospf priority 255
dialer map ip 131.108.1.5 broadcast name R2 6041234567
no frame-relay inverse-arp
router ospf 1
router-id 22.22.22.22
network 131.108.0.0 0.0.255.255 area 1
Spoke
interface BRI0
ip address 131.108.1.5 255.255.255.0
encapsulation ppp
ip ospf priority 0 ! Will make the hub the DR
dialer map ip 131.108.1.2 broadcast name R1 6047654321
no frame-relay inverse-arp
router ospf 1
router-id 55.55.55.55
network 131.108.0.0 0.0.255.255 area 1 !no neighbor needed, it's broadcast
debug/info
ping Before anything else, must be able to ping the neighbors
show ip ospf interface
show ip ospf neighbor
broadcast on frame-relay map or dialer map
broadcast not needed on frame-relay map if neighbor defined
broadcast not needed on dialer interfaces
debug ip ospf adj Debug the forming of the adjacencies
Mismatch MTU
Duplicate RID
Wrong DLCI, VPI/VCI
OSPF: Virtual-links No authentication
router ospf 10
router-id 2.2.2.2
area 1 virtual-link 5.5.5.5 area that goes across to connect area 0 and area 2
address: not an address but the router id of the destination router of the virtual link
must be done on both sides of the link, with the far end pointing to this RID: 2.2.2.2
network 172.16.0.0 0.0.255.255 area 1
network 192.168.10.0 0.0.0.255 area 0
There are two types of authentication in OSPF, area and interface. If area authentication is enabled, all interfaces which have adjacencies on them must authenticate. A virtual-link *is* an area 0 interface, therefore if you have a virtual-link, and are authenticating area 0, you must authenticate the virtual-link
Interface authentication is independent of area authentication, and interface authentication overrides area authentication. This means that you could be using clear-text authentication throughout an area, and implement md5 authentication on a particular link within that area. In the case that you have presented, interface authentication is enabled on the virtual-link. This is a perfectly valid configuration.
If you have 'area 0 authentication', the remote router where the virtual-link terminates would also have to say 'area 0 authentication'. It is not completely necessary that you configure a key on the interface (or virtual-link in this case). OSPF authentication uses a "null" key by default.
Notes
3 types of authentication: Type 0: null authentication [no authentication]
Type 1: plain text
Type 2: MD5
How to not have authentication on link but authentication on area
interface s1
ip ospf authentication null Must be done on both sides
router ospf 1
area 1 authentication message-digest Must be done on all routers in area
OSPF: Plain authentication Must be done on both sides
Authentication can either be done on an area basis
Authentication can be done only between 2 interfaces == not on router ospf
interface Serial0
ip address 192.168.10.1 255.255.255.252
ip ospf authentication-key 123456 Could be just at interface w/o area 0 authentication
router ospf 10
router-id 6.6.6.6
area 0 authentication Defines authentication for the area [could be only at interface level]
network 192.168.10.0 0.0.0.255 area 0
OSPF: MD5
interface Serial1
ip address 131.108.1.3 255.255.255.0
ip ospf message-digest-key 1 md5 abcdef MD5 key, must be done on both sides of link
router ospf 10
area 0 authentication message-digest sets authentication for the whole area, must be done on all routers in area
network 131.108.0.0 0.0.255.255 area 0
OSPF Virtual-link: Plain authentication Must be done on both sides
router ospf 10 This is the far end of the virtual-link
router-id 5.5.5.5
area 0 authentication Router not physically connected to area 0,
Router logically connected to area 0
area 1 virtual-link 2.2.2.2 authentication-key 123456 Must be done on both sides
Same key on both sides
network 10.1.0.0 0.0.255.255 area 2 Authentication has nothing to do with the transit area, could be none or MD5
network 172.16.0.0 0.0.255.255 area 1 It's only the authentication of the area 0
Debug / info
show ip ospf virtual-links The last line will tell what authentication to use
Both sides must show the same one
OSPF Virtual-link: MD5 authentication Must be done on both sides
router ospf 10 Far end router & same comments as before
router-id 5.5.5.5
area 0 authentication message-digest Must define the area 0 even though it's the far end
area 1 virtual-link 2.2.2.2 message-digest-key 1 md5 123456 Same message-digest key number and md5
network 10.1.0.0 0.0.255.255 area 2
network 172.16.0.0 0.0.255.255 area 1
!
Debug / info
show ip ospf virtual-links The last line will tell what authentication to use
Both sides must show the same one
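The precedence rules in the OSPF authentication notes above (interface setting overrides area setting, a virtual-link counts as an area 0 interface, a type enabled without a key runs on the null key) can be checked against a saved configuration. The following audit script is an added example, not part of the original notes; the sample configuration is constructed, and area ids are assumed to be written in decimal form.

```python
import ipaddress

# Constructed sample in the style of this page's snippets (sample names, addresses, keys).
SAMPLE_CONFIG = """\
interface Serial0
 ip address 192.168.10.1 255.255.255.252
 ip ospf authentication-key 123456
interface Serial1
 ip address 131.108.1.3 255.255.255.0
 ip ospf message-digest-key 1 md5 abcdef
interface Serial2
 ip address 131.108.2.3 255.255.255.0
 ip ospf authentication null
interface Serial3
 ip address 131.108.3.3 255.255.255.0
interface Ethernet0
 ip address 172.16.1.1 255.255.255.0
router ospf 10
 area 0 authentication
 area 1 authentication message-digest
 area 2 virtual-link 5.5.5.5 authentication-key 123456
 network 192.168.10.0 0.0.0.255 area 0
 network 131.108.0.0 0.0.255.255 area 1
 network 172.16.0.0 0.0.255.255 area 3
"""
TYPE_NAMES = {0: "null", 1: "plain-text", 2: "md5"}
KEY_WORDS = {"authentication-key": 1, "message-digest-key": 2}

def auth_type(words):
    """Map the tokens after 'authentication' to an OSPF auth type (0, 1, 2)."""
    return {"null": 0, "message-digest": 2}.get(words[0] if words else "", 1)

def parse(config):
    """Collect interfaces, area auth types, network statements, virtual links."""
    interfaces, areas, networks, vlinks = {}, {}, [], []
    intf, in_ospf = None, False
    for line in config.splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "interface":
            intf, in_ospf = {"ip": None, "type": None, "keys": set()}, False
            interfaces[w[1]] = intf
        elif w[0] == "router":
            intf, in_ospf = None, w[1:2] == ["ospf"]
        elif intf is not None and w[:2] == ["ip", "address"]:
            intf["ip"] = w[2]
        elif intf is not None and w[:2] == ["ip", "ospf"] and len(w) > 2:
            if w[2] == "authentication":
                intf["type"] = auth_type(w[3:])
            elif w[2] in KEY_WORDS:
                intf["keys"].add(KEY_WORDS[w[2]])
        elif in_ospf and w[0] == "area" and len(w) > 2:
            if w[2] == "authentication":
                areas[w[1]] = auth_type(w[3:])
            elif w[2] == "virtual-link" and len(w) > 3:
                rest = w[4:]
                vl = {"rid": w[3], "type": None,
                      "keys": {KEY_WORDS[t] for t in rest if t in KEY_WORDS}}
                if "authentication" in rest:
                    vl["type"] = auth_type(rest[rest.index("authentication") + 1:])
                vlinks.append(vl)
        elif in_ospf and w[0] == "network" and len(w) == 5 and w[3] == "area":
            networks.append((int(ipaddress.IPv4Address(w[1])),
                             int(ipaddress.IPv4Address(w[2])), w[4]))
    return interfaces, areas, networks, vlinks

def area_of(ip, networks):
    """Area of the first network statement whose wildcard covers ip (simplified order)."""
    addr = int(ipaddress.IPv4Address(ip))
    for net, wild, area in networks:
        if ((addr ^ net) & ~wild & 0xFFFFFFFF) == 0:
            return area
    return None

def verdict(eff, keys):
    """Name the effective type; flag a type that is enabled without a key."""
    missing = eff != 0 and eff not in keys
    return TYPE_NAMES[eff] + (" (no key set)" if missing else "")

def audit(config):
    """Return {link: effective authentication}; interface overrides area."""
    interfaces, areas, networks, vlinks = parse(config)
    report = {}
    for name, intf in interfaces.items():
        area = area_of(intf["ip"], networks) if intf["ip"] else None
        if area is None:
            continue  # not covered by an OSPF network statement
        eff = intf["type"] if intf["type"] is not None else areas.get(area, 0)
        report[name] = verdict(eff, intf["keys"])
    for vl in vlinks:
        # A virtual link is an area 0 interface, so it inherits area 0's type.
        eff = vl["type"] if vl["type"] is not None else areas.get("0", 0)
        report["virtual-link " + vl["rid"]] = verdict(eff, vl["keys"])
    return report

if __name__ == "__main__":
    print("\n".join(f"{k:22} {v}" for k, v in audit(SAMPLE_CONFIG).items()))
```

Links reported as null, plain-text or "no key set" are the ones to move to a message-digest key on both sides.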
OSPF default routes: Normal areas Then becomes an ASBR
By default, in normal areas OSPF routers don't generate default routes into their routing domains, even if one exists. For OSPF to generate a default route, use the default-information originate [always] [metric metric-value] [metric-type type-value] [route-map map-name]. This generates an external Type-2 link with link-state ID 0.0.0.0 and network mask 0.0.0.0, which makes the router an ASBR.
default-information originate If the ASBR already has the default route in its routing table
default-information originate always If the ASBR doesn't have a default route
OSPF default routes: stub and totally stubby
Do not do anything
Generates default route automatically In stub and totally stub areas, the ABR to the stub area generates a summary LSA with the link-state ID 0.0.0.0. This is true even if the ABR doesn't have a default route of its own. In this case, you don't need to use the default-information originate command.
OSPF default routes: NSSA
Does not generate default route automatically To force the ABR to generate the default route, use the area 1 nssa default-information originate command. The ABR generates a Type 7 LSA with the link-state ID 0.0.0.0 and is advertised inside the NSSA. This default route will be propagated inside the NSSA as Type 7 LSA
Another way to advertise the default route inside NSSA is to use the area nssa no-summary command. With the no-summary keyword, the NSSA ABR will not advertise the inter-area routes (Type 3 and Type 4 summary routes) inside the NSSA, instead will advertise a default route. This default route will be propagated inside the NSSA as Type 3 LSA.
OSPF timers They must be identical to establish adjacencies, for each 2 facing interfaces
interface Serial0/1 Original timers can be seen with: sho ip ospf interface
ip address 131.108.1.2 255.255.255.0
ip ospf hello-interval 20 automatically changes dead-time & wait by *4
ip ospf dead-interval 45 automatically changes wait-time
ip ospf retransmit-interval 50 All routers in area must have the same value
OSPF Not installing routes in routing table
Before installing external LSA, the forwarding address must be known
OSPF summaries
When router connected to more than 1 area, one of these area must be area 0 The ABR will not generate summary LSAs if they are not connected to area 0 [see virtual links]
Totally stubby areas do NOT generate summary LSAs Just default routes
OSPF & NAT
Do not allow the access-list to permit everything
The access-list permit statement MUST NOT cover the neighbor's IP address
BGP
To advertise a route BGP must know the route through network command/redistribution
Network advertised must be in routing table [unless no sync]
network 192.168.10.0 mask 255.255.255.252 Maximum 200 network statements
If more than 200 routes, routes must be redistributed
bgp router-id 10.2.2.2 The OSPF Router-ID must be the same as the BGP router-ID for redistributing the routes from OSPF to BGP.
No Sync to advertise routes showing with sh ip bgp but not ip route
Turn off whenever possible
not needed if: all router in AS run BGP
AS is not a transit AS [does not forward between other AS]
router bgp 200
no synchronization to advertise routes that are not already in the routing table with IGP
bgp router-id 10.3.3.3
network 192.168.10.0 mask 255.255.255.252
network 192.168.10.4 mask 255.255.255.252
neighbor 192.168.10.1 remote-as 100 i.e.: route from another AS/IGP not redistributed in BGP,
neighbor must be both sides
neighbor 192.168.10.6 remote-as 200
In order for IBGP to work, peers must be fully meshed or routes must be redistributed into and synchronized with IGP.
If IBGP peers are fully meshed, synchronization must be disabled in order to inject routes learned from EBGP into the routing table as it traverses the IBGP group.
eBGP
peers must define each other as neighbors
ebgp-multihop if not directly connected, only for eBGP [nothing to do with iBGP]
update source tells the neighbor router to observe MY loopback as the source of the peering relationship.
If iBGP between the neighbors then don't use multihop option.
bgp dampening To minimize instability
iBGP
up to 255 hops away
can peer between loopback w/o extra command
usually requires full mesh or route reflectors or confederation
How BGP advertises Next-hop for the destination will be set to:
eBGP == eBGP The interface doing the advertisement unless use: update-source
eBGP == iBGP The interface of the eBGP doing the advertisement unless use: update-source, the iBGP peer must have a route [via IGP] to next-hop subnet, or won't go into BGP routing table
iBGP == eBGP The interface doing the advertisement unless use: update-source
iBGP == iBGP iBGP peers do not advertise routes to other iBGP peers
BGP filtering
distribute-list filter removes routes only from the routing table but leaves them in the BGP table
neighbor dist-list removes routes from the BGP table and the routing table
neighbor route-map with match ip address removes routes from the BGP table and the routing table
summary-only - advertises summary and suppresses more specific routes
suppress-map - you can choose which prefixes to suppress
advertise-map - you can 'select' which prefixes to use, when creating the aggregate
attribute-map - you can specify specific attributes of the aggregate route (like metric, origin, community etc.)
No-export Send to sub-AS but not other AS's
local-as Don't send to either sub-AS or other AS's
Sub-As's are what is used in confed's
BGP selection process Not the official one, but actual/rational
If next hop unavailable, do not consider it That's why the next-hop address must be in IGP
If internal path & sync enabled & route not in IGP, do not consider it
If routes same weight == Largest local preference Weight = Cisco proprietary
If local preference same == Shortest AS path
If AS path length same == origin code [IGP
If origin code same == lowest MED Only MED use lowest, everything else uses highest
eBGP over iBGP
Route with the lowest IGP metric The shortest internal path within AS to reach destination [shortest path to BGP next-hop]
If no multi-path, route with lowest router ID
BGP Attribute applied
Weight applied to neighbor or route-map IN to influence which router to use to go out
local preference route-map IN to reduce outbound traffic
as-path prepend route-map OUT to reduce inbound traffic
MED route-map OUT to influence which router to use to come in
Distribute-list/route-filters route-map OUT to control which routes come in or go out
Soft-reconfiguration neighbor x.x.x.x soft-reconfiguration INBOUND
Troubleshoot/Info
Next hop must be pingable
Next-HOP must be reachable via IGP Biggest problem, or route will be dropped by BGP
It will be entered in BGP table, but not in IP routing table
iBGP routers must know how to find their peers BEFORE establishing an iBGP session, and passing routes
show ip bgp Show the routes
show ip bgp Will say 'sync' or 'not sync'd', and 'advertising route', or 'not advertising route'
show ip bgp neighbor Show who the neighbors are and connection is established
show ip bgp neighbor 192.1.1.2 advertised-routes Displays all the routes the router has advertised to the neighbor.
show ip bgp neighbor 192.1.1.2 received-routes Displays all received routes (both accepted and rejected) from the neighbor
show ip bgp neighbor 192.1.1.2 routes Displays all routes that are received and accepted. Subset of received-routes
show ip bgp prefix Shows why a route is not being placed into the routing table
show ip as-path-access-list Displays the as-path filter lists
BGP regular expressions
sh ip bgp regexp {pattern} Displays the result of the RegEx
[0-9]* All routes from this AS
^[0-9]*$ This AS only
_.* Matches everything [permit any/all] [a space and anything]
_100_ Match any route going through AS100
_100 200_ Match any route passed through 100 and 200
_100$ Match any route originated in AS100
^100$ Match only routes originated in AS100 that did not pass through any other AS
^100_ Match only routes transiting directly connected AS100, anything else behind
^100 .* Match only routes received from AS100, anything else behind [alternative]
^$ Match only routes originated from this AS
.* Match anything [usually at end as: permit .*]
( .*) matches a space plus an AS.
( .*)* matches a space plus an AS or a null string.
? To type ?: either Ctrl-V or Esc-Q
Prefix to be valid in the bgp table
There can be no AS path loops in the AS Path attribute
The prefix's advertised next-hop must be reachable by the IGP routing table.
By default, the prefix must be in the IGP routing table in order to be advertised to the external bgp peer
unless all iBGP routers disable synchronization with the "no sync" command.
Basic config
router bgp 100
BGP ROUTER-ID 10.1.1.1 Should be the same router id as OSPF
network 1.0.0.0 mask 255.240.0.0 What to advertise, must be exactly in the routing table, unless no sync, mask needed if not classful default [BGP is classful … no auto-summary]
neighbor 192.1.1.2 remote-as 200 Neighbor and which AS# it belongs to:
iBGP: can be same subnet or different subnet
eBGP: must be same subnet
Troubleshoot/Info
iBGP routers must know how to find their peers BEFORE establishing an iBGP session, and passing routes
show ip bgp Show the routes
show ip bgp summary Show summary of neighbors
show ip bgp neighbor Show who the neighbors are and connection is established
show ip bgp neighbor 192.1.1.2 advertised-routes Displays all the routes the router has advertised to the neighbor.
show ip bgp neighbor 192.1.1.2 received-routes Displays all received routes (both accepted and rejected) from the neighbor
show ip bgp neighbor 192.1.1.2 routes Displays all routes that are received and accepted. Subset of received-routes
show ip bgp prefix Shows why a route is not being placed into the routing table
show ip as-path-access-list Displays the as-path filter lists
BGP: Route-reflector In the middle V-shaped & iBGP only
router bgp 200
no synchronization
bgp router-id 10.5.5.5
network 192.168.10.4 mask 255.255.255.252
network 192.168.10.8 mask 255.255.255.252
neighbor 192.168.10.5 remote-as 200
neighbor 192.168.10.5 route-reflector-client Only on iBGP, allows propagation of routes if more than 2 routers
neighbor 192.168.10.10 remote-as 200
neighbor 192.168.10.10 route-reflector-client No config on the route-reflector-client
BGP: Loopbacks Loopback must be reachable via IGP
Loopback must be on its own subnet
BGP: AS1 sees network as originating from another AS3
router bgp 1 On R2 with AS1
neighbor route-map R3map in
route-map R3map permit 10
match ip add 10
set as_path 3
access-list 10 permit
BGP: Prevent from advertising own AS w/o no-advertise
router bgp 65010
neighbor 10.10.10.1 filter-list 1 out
!
ip as-path access-list 1 deny ^$
ip as-path access-list 1 permit .* need the . and the *
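The patterns in the "BGP regular expressions" table and the filter-list just above can be tried offline before they go on a router. This is an added example, not part of the original notes: it expands Cisco's `_` token for Python's `re`, runs the page's patterns over constructed AS paths, evaluates an as-path access-list with its implicit deny, and flags AS numbers in a pattern that would also match inside a longer AS number (function names and sample paths are made up for the example).

```python
import re

# Cisco's "_" matches a space, comma, brace, parenthesis, or the start or end of
# the AS-path string. Python's re has no such token, so expand it.
BOUNDARY = r"(?:^|$|[ ,{}()])"

# Constructed AS paths; "" is a locally originated route (empty AS path).
PATHS = ["", "100", "100 200", "200 100", "300 100 200", "1100 200", "200 2100"]

def path_matches(pattern, as_path):
    """True if the Cisco-style AS-path regex matches anywhere in the path."""
    return re.search(pattern.replace("_", BOUNDARY), as_path) is not None

def select(pattern, paths=PATHS):
    """Paths that 'sh ip bgp regexp <pattern>' would list from the sample set."""
    return [p for p in paths if path_matches(pattern, p)]

def evaluate(acl, as_path):
    """First matching entry wins; an as-path access-list ends in an implicit deny."""
    for action, pattern in acl:
        if path_matches(pattern, as_path):
            return action
    return "deny"

def unanchored_asns(pattern):
    """AS numbers in the pattern that could also match inside a longer AS number."""
    literal = re.sub(r"\[[^\]]*\]", "", pattern)  # ignore digits inside [0-9] classes
    loose = []
    for m in re.finditer(r"[0-9]+", literal):
        before = literal[m.start() - 1:m.start()]
        after = literal[m.end():m.end() + 1]
        if before not in ("_", "^", " ") or after not in ("_", "$", " "):
            loose.append(m.group())
    return loose

# The filter-list from the "Prevent from advertising own AS" section of this page.
FILTER_LIST_1 = [("deny", "^$"), ("permit", ".*")]

if __name__ == "__main__":
    for pat in ("100", "_100_", "_100$", "^100$", "^100_", "^$"):
        print(f"{pat:8} {select(pat)}  loose ASNs: {unanchored_asns(pat)}")
    for path in ("", "100 200"):
        print(repr(path), evaluate(FILTER_LIST_1, path))
```

The bare pattern `100` also selects paths through AS1100 and AS2100, which is why the table's forms wrap the number in `_`, `^` or `$`.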
BGP: Redistribution
By default only the eBGP routes are redistributed.
Use the "bgp redistribute-internal" router configuration command to allow the redistribution of iBGP.
iBGP has an AD of 200, which is greater than all IGPs
ISIS
passive-interface lo0 Advertise the loopback0 interface in ISIS, but do not use any ip router isis commands on the loopback interface and do not redistribute the connected route
With IS-IS there is only clear text authentication available
Authentication can be done between Neighbors (done on the interface "isis password xx level-2") Level-1 is the default. If you wish to configure for level-1 and level-2 you must have 2 entries under the interface.
Area-wide (done under the router process "area password xx") This authentication is inserted in Level-1 (station router level) LSPs
Domain-wide (under the router process "domain-password xx") This is inserted in Level-2 (the area router level) LSPs.