CCNA SP 640-878 SPNGN2 Study Notes

Cisco IP NGN Architecture


Application Layer: interface between the user and the service, Mobile, Residential, Business Access.
Services Layer: Mobile Services, Video Services, Cloud Services
IP Infrastructure Layer: Access, Aggregation, IP Edge, Core

Internet Service Provider Basics


-3 important entities: Customers, Peers (two ISPs establishing a connection and exchanging traffic for free),
and Transit Partners (SPs that charge other SPs for transit traffic through their network)

-Internet Exchange Point (IXP): the common physical infrastructure that ISPs use to exchange Internet
traffic, usually used for peering, but transit links can be established as well
-Tier 1 ISP: The largest SPs, they peer with each other and establish the core of the Internet. Their
customers are often lower tiered ISPs.
-Tier 2 ISP: Purchase transit links from Tier 1, peer with others for cost cutting. Provide access to:
business customers (main focus), Tier 3 ISPs, and those willing to pay a high price for high speed access
-Tier 3 ISP: Purchase transit links from Tier 1 and 2, peer with regional partners for cutting cost. Focus
on region specific, low price and low speed access (home users)

Global IP Address Space Management


Internet Assigned Numbers Authority (IANA) > Regional Internet Registries (RIRs) > National/Local
Internet Registries or ISPs (NIR/LIR) > ISP > End user (end users can receive assignments from RIRs or
LIRs as well, especially large businesses/universities)

Top Level Domains (TLDs) - highest level in the hierarchical Domain Name System of the Internet
ccTLDs - Country Code Top Level Domains (.us, .ca)
gTLDs - Generic Top Level Domains (.com, .org, .net)

-IPs tend to be assigned in contiguous blocks for route summarization


-Provider Independent (PI): Assigned from RIR, used for network multihoming (across multiple ISPs),
results in big routing tables
-Provider Assigned (PA): assigned from the ISP's reserved space, end user needs to renumber when changing ISPs

Autonomous Systems (AS)
-2 byte number (4 bytes in RFC 4893)
-AS 1 - 56319: Public use
-AS 0, 56320 - 64511: Reserved by IANA
-AS 64512 - 65534: Private use

Stub AS: only connected to one AS
Multihomed AS: connected to 2 or more AS, redundant connection to the internet
Transit AS: provides connection through itself to other networks, ISPs use them

Cisco Routers, Switches, and Other Devices


VLANs

Network Design
-Issues of a poorly designed network: Failure domains (need to be limited), broadcast domains (also
should be limited in size), large amounts of unknown MAC unicast traffic (lots of flooding), multicast
traffic on unintended ports, difficulty in management and support, possible security vulnerabilities
-a VLAN is a broadcast domain (logical network or subnet)
-should use hierarchical addressing (contiguous addressing): ease of management/troubleshooting,
fewer errors, reduced routing table entries

Network Traffic Types


Network management: BPDUs, CDP, SNMP, remote monitoring
IP Telephony
IP Multicast
Normal Data: HTTP, SMTP, SQL
Scavenger Class Data: all traffic with protocols or patterns that exceed their normal data flows (i.e.: peer-
to-peer traffic)

VLAN Creation
-many Cisco access-level switches can support up to 250 VLANs
-most have default VLAN 1 already created, all ports will be on it, CDP and Virtual Terminal Protocol (VTP)
advertisements are sent on VLAN 1 by default

VLAN Creation Config

IOS/IOS XR
#configure terminal
(config)#vlan 2
(config-vlan)#name switchlab 99
#show vlan (shows info on ALL VLANs)
#show vlan id <vlan number> (shows info about a particular VLAN)

Assigning Ports to a VLAN
(config)#interface range fastethernet 0/2 - 4
(config-if-range)#switchport access vlan 2
#show vlan (verify VLAN assignments)
#show interface fa0/2 switchport (verify VLAN membership and status)

Trunking
-transportation of frames from multiple VLANs on the same physical port
-each frame has a tag that specifies to which VLAN it belongs, frames are forwarded to the proper VLAN
based on this tag info
-Cisco only supports 802.1Q on current devices
-Traffic on the native VLAN is NOT tagged, by default this is VLAN 1

802.1Q Frames and Class of Service (CoS)
-the 802.1Q tag is a 4-byte field, it consists of the tag protocol ID (ethertype, set to 0x8100), the Priority
field (using the 802.1p standard, values shown below), and the VLAN ID of 12 bits

Routine - 000
Priority - 001
Important - 010
Flash - 011
Flash Override - 100
Critical - 101
Internetwork Control - 110
Network Control - 111
Configuring 802.1Q Trunking
(config)#interface fa0/1
(config-if)#switchport trunk allowed vlan 1,10,99
(config-if)#switchport mode trunk
(config-if)#switchport trunk native vlan 99
(config-if)#switchport nonegotiate (this is considered the best practice, must be enabled AFTER switchport
mode is set)
#show interface fa0/1 switchport (verify trunk configuration, also below command)
#show interface fa0/1 trunk

Q in Q Tunneling
-defined as IEEE 802.1ad (also known as 802.1QinQ), allows dual-tagging and transportation of customer
VLANs over the core network
-C-Tag for customer VLAN will be placed behind a S-Tag for the service provider VLAN

Configuring Q in Q
(config)#vlan dot1q tag native (forces tags even on native VLAN)
(config)#int fa0/2
(config-if)#switchport mode dot1q-tunnel
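The tag layout from the 802.1Q section and the S-Tag/C-Tag stacking from the Q-in-Q section, as an added example (not part of the study notes): a small decoder that walks the tag stack of an Ethernet frame. The TPID values 0x8100 and 0x88A8 are the IEEE-assigned ones; the MAC addresses, VLAN numbers and payload bytes are constructed for the example, and the function names are this example's own.

```python
# Added example, not part of the study notes: decode the 802.1Q / 802.1ad tag
# stack of an Ethernet frame. TPID values are the IEEE-assigned ones; the
# sample frames are constructed here for illustration.
import struct

TPID_8021Q = 0x8100    # customer tag (C-Tag), the ethertype named in the notes
TPID_8021AD = 0x88A8   # service provider tag (S-Tag) used for Q-in-Q
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst: str, src: str, tags, ethertype: int, payload: bytes) -> bytes:
    """Build a test frame; tags is a list of (tpid, pcp, dei, vid), outer tag first."""
    out = bytearray(bytes.fromhex(dst) + bytes.fromhex(src))
    for tpid, pcp, dei, vid in tags:
        if not (0 <= pcp < 8 and dei in (0, 1) and 0 <= vid < 4096):
            raise ValueError("PCP is 3 bits, DEI 1 bit, VID 12 bits")
        # TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits)
        out += struct.pack("!HH", tpid, (pcp << 13) | (dei << 12) | vid)
    out += struct.pack("!H", ethertype) + payload
    return bytes(out)


def parse_vlan_tags(frame: bytes) -> dict:
    """Return the tag stack (outer first) and the EtherType that follows it."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    offset = 12  # skip destination and source MAC
    tags = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame")
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break  # reached the real EtherType (e.g. 0x0800 for IPv4)
        if offset + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        tags.append({
            "role": "S-Tag" if ethertype == TPID_8021AD else "C-Tag",
            "pcp": tci >> 13,         # 802.1p priority, 3 bits
            "dei": (tci >> 12) & 1,   # drop eligible indicator
            "vid": tci & 0x0FFF,      # VLAN ID, 12 bits
        })
        offset += 4
    return {"tags": tags, "ethertype": ethertype, "payload": frame[offset + 2:]}


def tag_summary(frame: bytes) -> str:
    """Human-readable view, e.g. 'S-Tag 100 (pcp 0) > C-Tag 10 (pcp 5) > 0x0800'."""
    parsed = parse_vlan_tags(frame)
    parts = [f"{t['role']} {t['vid']} (pcp {t['pcp']})" for t in parsed["tags"]]
    parts.append(f"0x{parsed['ethertype']:04x}")
    return " > ".join(parts) if parsed["tags"] else "untagged > " + parts[-1]


# Constructed sample frames (MACs and VLAN numbers are illustrative).
DST, SRC = "ffffffffffff", "001122334455"
UNTAGGED = build_frame(DST, SRC, [], ETHERTYPE_IPV4, b"\x45" * 20)   # native VLAN: no tag
SINGLE = build_frame(DST, SRC, [(TPID_8021Q, 5, 0, 10)], ETHERTYPE_IPV4, b"\x45" * 20)
QINQ = build_frame(DST, SRC, [(TPID_8021AD, 0, 0, 100), (TPID_8021Q, 5, 0, 10)],
                   ETHERTYPE_IPV4, b"\x45" * 20)

if __name__ == "__main__":
    for name, frame in (("untagged", UNTAGGED), ("single", SINGLE), ("qinq", QINQ)):
        print(f"{name:9s} {tag_summary(frame)}")
```

The untagged frame models native-VLAN traffic, which the notes say carries no tag unless `vlan dot1q tag native` is set; the double-tagged frame is what a `dot1q-tunnel` port produces, with the provider S-Tag in front of the customer C-Tag.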

Spanning Tree Protocol
-Cisco Catalyst switches support 4 types: PVST+, PVRST+, CST (Common STP, one root bridge regardless
of number of VLANs) and MSTP

PVST+ (Per VLAN Spanning Tree Plus)
-802.1D standard defines only a CST, no load sharing is possible
-PVST+ allows multiple spanning tree instances (one per VLAN), allows load sharing, but can mean a
considerable waste of CPU cycles, many BPDUs are sent
-each switch has a unique Bridge ID (BID), it includes the following fields:
-Bridge priority: conveyed in discrete values in increments of 4096, default priority is 32768
(lower value means higher priority)
-Extended system ID (VLAN #)
-MAC Address of the switch
-Some PVST+ rules: elect one root bridge per broadcast domain, elect one root port per non-root switch,
elect one designated port per segment

Spanning Tree Path Cost (as per current IEEE cost specifications)
10 Gbps - 2
1 Gbps - 4
100 Mbps - 19
10 Mbps - 100

Spanning Tree Decision Process
1) Lowest Bridge ID
2) Lowest aggregate root path cost
3) Lowest sender's Bridge ID
4) Lowest port ID

-spanning tree recalculation occurs when the root bridge fails and does not send a BPDU to another
switch within the max_age time (default 20 seconds, 10 missed BPDUs)
-convergence in a spanning tree is when all the switch ports have transitioned to either forwarding or
blocking states
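The Bridge ID fields, the path cost table and the four-step decision process above, as an added example (not from the study notes): a model of root election and root-port selection. The switch names, MAC addresses, priorities and link speeds are constructed; `BridgeID`, `Bpdu`, `choose_root_port` and `demo` are names this example introduces. It also shows why a rogue device advertising a lower priority would win the election, which is the risk BPDU Guard (covered later in these notes) exists to contain.

```python
# Added example, not from the study notes: model the Bridge ID comparison and the
# four-step decision process. Switch names, MAC addresses, priorities and link
# speeds are constructed for this example.
from dataclasses import dataclass

DEFAULT_PRIORITY = 32768
# IEEE port cost table from the notes, keyed by link speed in Mbps
PORT_COST = {10_000: 2, 1_000: 4, 100: 19, 10: 100}


@dataclass(frozen=True, order=True)
class BridgeID:
    """Priority field (base priority + VLAN as extended system ID), then MAC.
    Tuple ordering gives the STP rule: lower value wins."""
    priority: int
    mac: str


def bridge_id(base_priority: int, vlan: int, mac: str) -> BridgeID:
    if base_priority % 4096 != 0 or not 0 <= base_priority <= 61440:
        raise ValueError("bridge priority must be a multiple of 4096 (0..61440)")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID out of range")
    norm = mac.lower().replace(":", "").replace(".", "").replace("-", "")
    if len(norm) != 12 or any(c not in "0123456789abcdef" for c in norm):
        raise ValueError("MAC must be 12 hex digits")
    return BridgeID(base_priority + vlan, norm)


@dataclass(frozen=True)
class Bpdu:
    root_id: BridgeID       # who the sender believes the root is
    root_path_cost: int     # sender's cost to that root
    sender_id: BridgeID     # bridge ID of the sending switch
    sender_port: int        # port ID on the sender


def elect_root(bridges) -> BridgeID:
    """Step 1: the lowest Bridge ID in the broadcast domain becomes root."""
    return min(bridges)


def bpdu_rank(bpdu: Bpdu, ingress_cost: int):
    """Steps 1-4 as a sortable tuple: root BID, aggregate root path cost
    (received cost plus the cost of the port it arrived on), sender BID, port ID."""
    return (bpdu.root_id, bpdu.root_path_cost + ingress_cost,
            bpdu.sender_id, bpdu.sender_port)


def choose_root_port(received: dict) -> str:
    """received maps a local port name to (BPDU heard there, that port's cost).
    Returns the port carrying the best BPDU: the root port of a non-root switch."""
    if not received:
        raise ValueError("no BPDUs received; this switch would consider itself root")
    return min(received, key=lambda port: bpdu_rank(*received[port]))


def demo(vlan: int = 10):
    # Constructed topology: A is configured with a better (lower) priority,
    # B and C keep the default, so A must win regardless of MAC.
    a = bridge_id(24576, vlan, "0000.0000.000a")
    b = bridge_id(DEFAULT_PRIORITY, vlan, "0000.0000.000b")
    c = bridge_id(DEFAULT_PRIORITY, vlan, "0000.0000.000c")
    root = elect_root([a, b, c])
    # What C hears: A directly on a 1 Gbps link, and B's relayed BPDU on another
    # 1 Gbps link (B is itself 1 Gbps from A, so it advertises root path cost 4).
    heard_on_c = {
        "Gi0/1": (Bpdu(root, 0, a, 1), PORT_COST[1_000]),
        "Gi0/2": (Bpdu(root, 4, b, 2), PORT_COST[1_000]),
    }
    return root, choose_root_port(heard_on_c)


if __name__ == "__main__":
    root, port = demo()
    print(f"root bridge: priority {root.priority} mac {root.mac}; C's root port: {port}")
```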

Rapid Spanning Tree
-specified in 802.1w standard, backwards compatible with 802.1D (original STP standard)
-negates the need for delay timers, requires full-duplex point-to-point communications
-each bridge sends BPDUs

Operational State   STP Port State   RSTP Port State   Port Included in Active Topology
Enabled             Blocking         Discarding        No
Enabled             Listening        Discarding        No
Enabled             Learning         Learning          Yes
Enabled             Forwarding       Forwarding        Yes
Disabled            Disabled         Discarding        No

-rapid-pvst is the default mode on ME3400 switches, but only on NNIs (not UNIs)

Configuring Spanning Tree
(config)#spanning-tree mode rapid-pvst (sets STP mode to PVRST+)
(config)#spanning-tree vlan 10 root primary (manually set the root bridge for a spanning tree)
#show spanning-tree (verify root bridge, priority values, and status of ports in each spanning tree)
(protocol ieee = PVST+, rstp = PVRST+)

MSTP
-main purpose is to reduce the total number of spanning-tree instances (reduce CPU load of switches)
-must be configured EXACTLY THE SAME on each individual participating switch (not scalable)
-MST config on each switch includes: Name, revision number, VLAN association table (if these differ, the
two switches will be part of different MST regions)

Configuring MSTP
(config)#spanning-tree mst configuration
(config-mst)#name <name>
(config-mst)#revision <revision #> (any unassigned 16 bit integer)
(config-mst)#instance <instance #> vlan <vlan range> (maps VLANs to an MSTP instance)
(config-mst)#show pending (display the MSTP config to be applied)
(config-mst)#end (apply the config and exit the MSTP subconfiguration mode)
(config-mst)#show current (show the current MSTP config)
(config)#spanning-tree mst <instance #> root primary|secondary
(config)#spanning-tree extend system-id (enables the extended System ID feature)

Example:
(config)#spanning-tree mode mst
(config)#spanning-tree mst configuration
(config-mst)#name XYZ
(config-mst)#revision 1
(config-mst)#instance 1 vlan 11,21,31
(config-mst)#instance 2 vlan 12,22,32
(config-mst)#end
(config)#spanning-tree mst 2 root primary
#show spanning-tree mst configuration

PortFast
-skips regular STP port state transitions
-puts port directly into forwarding state
-if enabled globally: if port receives a BPDU it loses PortFast status and reverts to normal STP operation
-if enabled on an interface: stays in PortFast unconditionally, regardless of BPDUs received
-useful for end nodes
-safest to execute on a per VLAN basis

Per interface:
(config)#interface fa0/1
(config-if)#spanning-tree portfast
Globally:
(config)#spanning-tree portfast default

BPDU Guard
-shuts down a port if a BPDU is received
-useful for end nodes with PortFast
-prevents connection of an STP-enabled switch
-prevents loops with switches unaware of STP
-recommendation is to enable BPDU guard globally

Per interface:
(config)#interface fa0/1
(config-if)#spanning-tree bpduguard enable
Globally:
(config)#spanning-tree portfast bpduguard default

BPDU Filter
-disables STP on a port
-no BPDUs are sent, none are processed (except when enabled globally: a couple of BPDUs are sent when
the port becomes active, and if the port then receives a BPDU it reverts OUT of PortFast mode)

Per Interface:
(config)#int fa0/11
(config-if)#spanning-tree bpdufilter enable
Globally:
(config)#spanning-tree portfast bpdufilter default

Resilient Ethernet Protocol (REP)
-new technology for fast convergence of simple ring networks (<250ms convergence)
-NOT a replacement for STP
-VLAN load balancing
-Manual configuration for predictable failover behaviour
-Segment protocol, ports are explicitly configured to be part of a segment
-when all links in the segment are operational, a blocked port is determined so that there is no
connectivity between edge switches
-redundancy: each segment has two exits, one at each edge switch

Configuring REP
(config)#interface fa0/11
(config-if)#port-type nni
(config-if)#switchport mode trunk
(config-if)#rep segment 1 (this must be done for every port in the segment)

Routing Between VLANs
-Traffic cannot be switched between VLANs, which will often have different IP subnets, so routing is
necessary
-inter-VLAN routing occurs between multiple directly connected interfaces

Inter-VLAN Routing via a Router
-used when there is no Layer 3 capable switch or when centralized routing from several switches is
needed, all VLANs must pass to the router
-there must be a separate logical connection on the router for each VLAN and VLAN trunking (802.1Q)
must be enabled on those connections, this is done by creating subinterfaces on one physical interface

Configuring Inter-VLAN Routing

Switch
(config)#interface gi0/24
(config-if)#switchport mode trunk

Router (IOS)
(config)#int gi0/0/0/0.3 (will create this interface if it doesn't already exist)
(config-if)#dot1q vlan 3 (enables 802.1Q encapsulated trunking on this subinterface to the specified VLAN)
(config-if)#ip address 192.168.3.1 255.255.255.0
(config)#int gi0/0/0/0.4
(config-if)#dot1q vlan 4
(config-if)#ip address 192.168.4.1 255.255.255.0
#show ip route (to verify work)

Inter-VLAN Routing via Layer 3 Switch
-a MLS can make forwarding decisions on both Layer 2 and 3 headers, so it knows when to switch and
when to route
-switches will need switch virtual interfaces (only one can be created per VLAN) via the (config)#interface
vlan <vlan number> command
-creating a VLAN does NOT create a SVI, and vice versa
-a SVI is down if there is no port in a corresponding VLAN in an Up state

Configuring Layer 3 Switch for Inter-VLAN routing
(config)#ip|ipv6 routing (must be enabled)
(config)#vlan 3,4 (creates these VLANs)
(config)#int gi0/3
(config-if)#switchport access vlan 3
(config)#int gi0/4
(config-if)#switchport access vlan 4
(config)#int vlan 3
(config-if)#ip address 192.168.3.1 255.255.255.0
(config-if)#no shut
(config)#int vlan 4
(config-if)#ip address 192.168.4.1 255.255.255.0
(config-if)#no shut
#show ip route
#show interfaces status (shows status of physical interfaces and the VLAN they are configured for)
#show ip interface brief (shows physical and logical interfaces, status, and IP addresses)

First Hop Redundancy Protocols
-generally only one gateway is configured, if this fails it results in a loss of network availability
-two gateways cannot be configured on end nodes, so it must be done on routers
-the solution is to use multiple physical gateways configured to one virtual gateway and the end nodes
use the virtual gateway
-one actual physical gateway is forwarding traffic, the others are on standby
-the standbys use the same IP and MAC address so end nodes do not detect the change

FHRP   Cisco IOS/IOS XE Software    Cisco IOS XR Software
HSRP   IPv4, IPv6 (with Version 2)  IPv4
VRRP   IPv4                         IPv4, IPv6
GLBP   IPv4, IPv6                   Not supported

Hot Standby Router Protocol (HSRP)
-Cisco proprietary
-virtual router (VR) has separate IP and MAC address
-the active router handles the traffic for the virtual router
-supports priority, pre-emption (by default, router with higher priority will not pre-empt a lower priority if it is
already active), and object tracking (dynamically alter the priority of a router)
-Redundancy groups: many virtual IP addresses on the same interface, load balancing
-Active Router, Standby Router (primary backup), Standby Group (set of routers participating in HSRP
that jointly emulate a VR)
-by default hello messages are sent every 3 seconds, 10 second hold time
-if decrement amounts are not set, they will decrement by 10

Configuring HSRP on IOS XR (primary router for 2, standby for 1)
(config)#int gi0/0/0/0
(config-if)#ipv4 address 192.0.2.3 255.255.255.0
(config)#router hsrp
(config-router)#int gi0/0/0/0
(config-router-if)#hsrp 1 ipv4 192.0.2.1 (this is the VR IP address)
(config-router-if)#hsrp 1 priority 95
(config-router-if)#hsrp 1 preempt
(config-router-if)#hsrp 1 track gi0/0/0/1
(config-router-if)#hsrp 2 ipv4 192.0.2.254
(config-router-if)#hsrp 2 priority 105
(config-router-if)#hsrp 2 preempt
#show hsrp (verify HSRP configuration)

IOS (standby router on 2, primary on 1)
(config)#int ethernet 0/0
(config-if)#ip address 192.0.2.2 255.255.255.0
(config-if)#standby 1 ip 192.0.2.1 (notice the IP matches the IOS XR config)
(config-if)#standby 1 priority 105 (this router becomes active for group 1 because its priority is higher)
(config-if)#standby 1 preempt
(config-if)#standby 1 track ethernet 0/1
(config-if)#standby 2 ip 192.0.2.254
(config-if)#standby 2 priority 95
(config-if)#standby 2 preempt
#show standby brief (verify HSRP configuration)

Virtual Router Redundancy Protocol
-VR has: IP address and MAC address, IP address can be shared with physical router (HSRP cannot do
this)
-active router handles traffic for VR
-VRRP MAC format: 00005E.000001 (second half is VR ID)
-has one master router and one or more backup routers, uses VRRP messages to advertise that it is the
master
-supports priority, pre-emption (enabled by default), and object tracking
-same redundancy groups as HSRP: many virtual IPs on same interface, load balancing

Configuring VRRP IOS XR
(config)#int gi0/0/0/0
(config-if)#ipv4 address 192.0.2.2 255.255.255.0
(config)#router vrrp
(config-vrrp)#interface gi0/0/0/0
(config-vrrp-if)#address-family ipv4
(config-vrrp-address-family)#vrrp 1
(config-vrrp-virtual-router)#address 192.0.2.1
(config-vrrp-virtual-router)#priority 95
(config-vrrp-virtual-router)#track interface gi0/0/0/0 10 (decrements priority by 10)
#show vrrp

IOS
(config)#interface fa0/0
(config-if)#ip address 192.0.2.1 255.255.255.0
(config-if)#vrrp 1 ip 192.0.2.1 (priority set to 255 automatically because the virtual IP matches the interface IP)
#show vrrp brief

Gateway Load Balancing Protocol (GLBP)
-Cisco proprietary
-VR has an IP address
-Active forwarder handles traffic for VR
-Active gateway answers ARP and ND requests from clients
-MAC address sent to clients:
-chosen from a list of active forwarders
-assigned in round robin fashion
-achieves load balancing
-relieves administrative burden of configuring multiple groups and default gateway configurations that is
required with HSRP and VRRP

Configuring GLBP IOS (NOT supported on IOS XR)
(config)#int fa0/0
(config-if)#ipv6 address 2001:db8:1:1::/64 eui-64
(config-if)#glbp 1 ipv6 autoconfig (link-local EUI-64 address format is used for gateway address)
(config-if)#glbp 1 preempt
Note: This config would need to be applied on all participating routers
#show glbp brief

Internal Service Provider Traffic Forwarding
-SP core network must meet the following requirements:
-high speed of forwarding packets
-high availability
-fast convergence (Link State Routing Protocols)
-optimized bandwidth consumption and support for different real-time services (multicast, QoS)
-integrated security

Administrative Distance
0 - Directly Connected Interface
1 - Static Route out an interface
5 - EIGRP summary route
20 - External BGP
90 - Internal EIGRP
100 - IGRP (obsolete protocol)
110 - OSPF
115 - IS-IS
120 - RIP
170 - External EIGRP
200 - Internal BGP
255 - Unknown
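The administrative distance table above decides between routes to the same prefix learned from different sources; the example below (added here, not part of the study notes) installs routes into a small routing table using that table, keeps equal-cost paths from one source, never installs AD 255, and then does a longest-prefix lookup. Prefixes, metrics and next hops are constructed, and `Route`, `install` and `lookup` are names this example introduces.

```python
# Added example, not from the study notes: a small RIB selection routine that
# applies the administrative distance table above. Prefixes, metrics and next
# hops are constructed for illustration.
import ipaddress
from dataclasses import dataclass

ADMIN_DISTANCE = {
    "connected": 0, "static": 1, "eigrp-summary": 5, "ebgp": 20, "eigrp": 90,
    "igrp": 100, "ospf": 110, "isis": 115, "rip": 120, "eigrp-external": 170,
    "ibgp": 200, "unknown": 255,
}


@dataclass(frozen=True)
class Route:
    prefix: str      # e.g. "10.0.0.0/8"
    source: str      # key of ADMIN_DISTANCE
    metric: int      # protocol-specific metric, only compared within one source
    next_hop: str


def admin_distance(route: Route) -> int:
    return ADMIN_DISTANCE[route.source]


def install(candidates) -> dict:
    """Return the routing table: prefix -> list of installed routes.
    For each prefix keep the lowest administrative distance, then the lowest
    metric; several routes with equal AD and metric stay installed (ECMP).
    AD 255 means 'do not trust', so such routes are never installed."""
    table = {}
    for r in candidates:
        if admin_distance(r) == 255:
            continue
        net = str(ipaddress.ip_network(r.prefix, strict=True))
        key = (admin_distance(r), r.metric)
        current = table.get(net)
        if current is None or key < (admin_distance(current[0]), current[0].metric):
            table[net] = [r]
        elif key == (admin_distance(current[0]), current[0].metric):
            table[net].append(r)
    return table


def lookup(table: dict, destination: str):
    """Longest-prefix match wins; AD was already applied when installing."""
    addr = ipaddress.ip_address(destination)
    best = None
    for net, routes in table.items():
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, routes)
    return best[1] if best else None


# Constructed candidates: the same prefix learned from several sources.
CANDIDATES = [
    Route("10.0.0.0/8", "rip", 2, "192.0.2.1"),         # fewer hops, but RIP has AD 120
    Route("10.0.0.0/8", "ospf", 40, "192.0.2.2"),       # OSPF wins on AD 110
    Route("10.1.0.0/16", "ebgp", 0, "192.0.2.3"),
    Route("10.1.0.0/16", "static", 0, "192.0.2.4"),     # static (AD 1) beats eBGP (AD 20)
    Route("192.168.1.0/24", "ospf", 10, "192.0.2.5"),   # two equal-cost OSPF paths: ECMP
    Route("192.168.1.0/24", "ospf", 10, "192.0.2.6"),
    Route("192.168.1.0/24", "ospf", 20, "192.0.2.7"),   # worse metric, not installed
    Route("172.16.0.0/12", "unknown", 0, "192.0.2.8"),  # AD 255: never installed
]

if __name__ == "__main__":
    rib = install(CANDIDATES)
    for dest in ("10.200.1.1", "10.1.2.3", "192.168.1.9", "172.16.5.5"):
        print(dest, "->", [(r.source, r.next_hop) for r in lookup(rib, dest) or []])
```

Note that the metric is only compared between routes from the same source: the RIP route with the smaller metric still loses to OSPF because AD is compared first.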

Link-State Routing Protocols
-link state IGPs such as OSPF and IS-IS are used in SP environments instead of distance vector due to:
-scalability
-each router has a full picture of the topology
-updates are only sent when a topology change occurs
-link-state protocols react quickly when topology changes occur
-more info is communicated between routers
-link-state protocols use a hierarchical design (allows summarization)
-routers create neighbour relationships by exchanging hello packets
-link-state protocols propagate LSAs (link state advertisements) rather than routing table updates
-each router floods LSAs to all routers in the area
-each router pieces together the LSAs received to create the link-state database (topology)
-each router uses the SPF algorithm to find the shortest path to each destination and places it in the routing table

Link-State Adjacency Process:
1) router sends and receives hello packets from/to neighboring routers, typically multicast
2) Exchange hello packets that are subject to protocol specific parameters (same AS and area, etc.).
Routers then declare the neighbour is up when the exchange is complete
3) After the adjacency is formed, the neighbour is put into the neighbour DB, neighbors then synch LSDBs by
exchanging LSAs and confirming receipt of sent LSAs

OSPF vs IS-IS

OSPF                               IS-IS
-IETF standard (1988)              -ISO Standard (1987)
-IPv4: OSPFv2, IPv6: OSPFv3        -supports IPv4 and IPv6
-IP ONLY as transport              -Layer 2 Multicast as transport

OSPF: Hellos > Neighbor Table > LSAs > Topology Table > SPF > Routing Table
IS-IS: Hellos > Adj. DB > LSPs > LSDB > SPF > Forwarding DB

Implementing OSPF
-two layer hierarchy: areas (groups of contiguous networks), which are logical subdivisions of an
autonomous system (AS)
-Within each AS, a contiguous backbone area must be defined, all non-backbone areas are connected
through the backbone. The backbone always uses area 0
-Non-backbone areas: stub areas, totally stubby areas, not-so-stubby areas (NSSA)
-Routers in the backbone area are Backbone Routers, routers on the edge of an area are Area Border
Routers (ABRs), others are non-backbone, internal routers. A Backbone Router connecting to another
AS is an Autonomous System Boundary Router (ASBR)
-OSPFv3 uses link-local addresses to communicate (fe80::/10)
-OSPFv3 is enabled per link and identifies which networks (or prefixes) are attached to this link
-OSPFv3 requires the router to run Cisco Express Forwarding (CEF)
-OSPFv3 is NOT backwards compatible with OSPFv2
-OSPF router ID is a 32 bit number that uniquely identifies the router, by default this is the highest IPv4
address on an active interface when OSPF starts, can be overridden by a loopback interface or set
manually (router-id command)
-Hello and dead intervals must match between routers
-Areas must match
-Multicast addresses IPv4: 224.0.0.5, IPv6: FF02::5

Configuring OSPF IOS XR
(config)#interface Loopback0
(config-if)#ipv4 address 10.2.1.1 255.255.255.255

(config)#router ospf|ospfv3 1 (enables the OSPF process)
(config-ospf)#router-id 10.2.1.1

Configuring OSPF Interfaces in a Single Area (IOS XR)
(config)#router ospf 1
(config-ospf)#area 0
(config-ospf-ar)#interface Loopback0
(config-ospf-ar)#interface gi0/0/0/0 (begins OSPF participation on these two interfaces)

IOS IPv4
(config)#router ospf 1
(config-router)#router-id 10.2.1.1
(config-router)#network 192.168.102.0 0.0.0.255 area 0
(config-router)#network 10.2.1.1 0.0.0.0 area 0

IOS IPv6
(config)#ipv6 unicast-routing
(config)#ipv6 router ospf 1
(config-rtr)#router-id 10.2.10.1
(config-if)#ipv6 ospf 1 area 0

show protocols (IOS XR verification)
show ospf|ospfv3 interface (IOS XR verification)
show route|route ipv6 (IOS XR verification)
show ip|ipv6 ospf neighbor (IOS verification)
show ip|ipv6 route (IOS verification)

OSPF Load Balancing
-Can select several (must be equal cost) paths to destinations for load balancing, this can be ensured by
manually changing the cost of certain links
-maximum number of paths is platform specific

Configuring OSPF Load Balancing IOS XR
(config)#router ospf 1
(config-ospf)#maximum paths 2
(config-ospf)#area 0
(config-ospf-ar)#interface gi0/0/0/0
(config-ospf-ar-if)#cost 10
(config-ospf-ar)#interface gi0/0/0/1
(config-ospf-ar-if)#cost 10
Note: IPv6 config is the same, initiate with router ospfv3 1

IOS IPv4
(config)#router ospf 1
(config-router)#maximum-paths 2
(config-router)#network 192.168.101.0 0.0.0.255 area 0
(config-router)#network 192.168.112.0 0.0.0.255 area 0
(config)#int gi0/0/0
(config-if)#ip ospf cost 10
(config)#int gi0/0/1
(config-if)#ip ospf cost 10

IOS IPv6
(config)#ipv6 router ospf 1
(config-rtr)#maximum-paths 2
(config)#int gi0/0/0
(config-if)#ipv6 ospf 1 area 0
(config-if)#ipv6 ospf cost 100
(config)#int gi0/0/1
(config-if)#ipv6 ospf 1 area 0
(config-if)#ipv6 ospf cost 100

OSPF Authentication
-used to prevent undesired adjacencies and thus rogue routes being inserted
-OSPFv2: plaintext (avoid!) or MD5 authentication, authentication is inserted into the OSPF header of every
OSPF packet and checked by the other router
-OSPFv3 has no authentication mechanism, relies on IPSec

-In IOS XR the authentication type and key can be set at different levels (high to low): routing process,
area, interface. If authentication is not configured on a lower level, it is inherited from a higher level
-In IOS/IOS XE, authentication type can be configured per area or per interface. If not configured per
interface, it is inherited from the area config
-Authentication key is ONLY configured per interface
-OSPFv3 uses the IPSec Authentication Header for authentication and integrity check, uses Encapsulating
Security Payload (ESP) for encrypting the payload (the routing updates themselves and AH)

OSPF Troubleshooting
-verify OSPF adjacencies via show ospf neighbor
-If no neighbors: verify int status, MTU, authentication, use debug ospf adj

Implementing IS-IS

IS-IS Basics
-link-state routing protocol, uses the Dijkstra algorithm the same as OSPF
-part of the OSI standard, originally used with Connectionless Network Service (CLNS), router = an
Intermediate System
-An IS-IS AS can be divided into several areas, when using multiarea design there are two levels of
routing:
-Level 1: occurs within an IS-IS area, recognizes the location of routers and builds a routing table to
reach all of them. All devices in a Level 1 area share the same area address. Routing within an area is
done by looking at the locally significant address portion (known as System ID) and choosing the lowest
cost path.
-Level 2: routers learn the location of other routing areas and build an inter-area routing table. All
routers in a level 2 routing area use the destination area address to route traffic using the lowest cost path.

IS-IS defines 3 types of routers:
-Level 1: learn about paths within the areas they connect to (intra-area)
-Level 2: learn about paths between areas (inter-area)
-Level 1-2: learn both intra-area and inter-area paths (all routers are this by default)
-the path of connected Level 2 and Level 1-2 routers is called the backbone. All areas and the backbone
must be contiguous.

IS-IS Features
-originally designed as the IGP for Connectionless Network Service (CLNS), part of the OSI protocol suite
-uses CLNS addresses to identify routers and build the LSDB
-does not use IP for transport
-carries IPv4 and v6 routing information in its updates

CLNS Addresses
-integrated IS-IS always requires them
-NSEL is equivalent to the combination of an IP address and the upper-layer protocol in an IP header
-Most common format:
-Authority and Format Identifier (AFI) set to 49 (private address: 2 bytes)
-Area ID (4 bytes)
-System ID (6 bytes)
-NSAP Selector, or NSEL (2 bytes), should be 00
-CLNS address with the NSEL set to 00 is called the Network Entity Title (NET) address
-The loopback IP address (or pseudo router ID) can be encoded into the system ID

Example:
49.0001.1921.6800.1001.00

49   .0001   .1921.6800.1001   .00
AFI  Area    System ID         NSEL
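The NET format just described, as an added example (not from the study notes): a parser that splits a dotted NET into AFI, area, System ID and NSEL, rejects a non-zero NSEL, and converts a loopback IPv4 address to and from the System ID the way the notes describe (each octet zero-padded to three digits). The sample NETs are the ones used in these notes; `parse_net`, `build_net`, `loopback_to_system_id` and `same_area` are this example's own names.

```python
# Added example, not from the study notes: parse and build IS-IS NET addresses
# (AFI . Area . System ID . NSEL) and convert a loopback IPv4 address to and
# from the System ID. Sample values are the ones used in these notes.
import re

_HEX = re.compile(r"^[0-9a-f]+$")


def parse_net(net: str) -> dict:
    """Split a dotted NET such as 49.0001.1921.6800.1001.00 into its fields."""
    digits = net.replace(".", "").lower()
    if not _HEX.match(digits):
        raise ValueError("NET must be hexadecimal digits separated by dots")
    if len(digits) % 2 or not 16 <= len(digits) <= 40:   # 8..20 bytes
        raise ValueError("NET length must be 8 to 20 bytes")
    nsel = digits[-2:]
    if nsel != "00":
        raise ValueError("a NET must end in NSEL 00, got " + nsel)
    system_id = digits[-14:-2]           # the 6 bytes before the NSEL
    afi, area = digits[:2], digits[2:-14]
    if not area:
        raise ValueError("area ID missing")
    return {"afi": afi, "area": area,
            "system_id": ".".join(system_id[i:i + 4] for i in range(0, 12, 4)),
            "nsel": nsel}


def build_net(area: str, system_id: str, afi: str = "49") -> str:
    """Assemble a NET; AFI 49 is the private address space used in the notes."""
    sysid = system_id.replace(".", "")
    if len(sysid) != 12 or not _HEX.match(sysid.lower()):
        raise ValueError("System ID must be 6 bytes (12 hex digits)")
    return f"{afi}.{area}.{sysid[0:4]}.{sysid[4:8]}.{sysid[8:12]}.00"


def loopback_to_system_id(ipv4: str) -> str:
    """192.168.1.1 -> 192168001001 -> 1921.6800.1001 (zero-pad each octet to 3 digits)."""
    octets = ipv4.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address")
    padded = "".join(f"{int(o):03d}" for o in octets)
    return f"{padded[0:4]}.{padded[4:8]}.{padded[8:12]}"


def system_id_to_loopback(system_id: str) -> str:
    """Reverse of loopback_to_system_id for System IDs built that way."""
    digits = system_id.replace(".", "")
    if len(digits) != 12 or not digits.isdigit():
        raise ValueError("this System ID does not encode a decimal IPv4 address")
    return ".".join(str(int(digits[i:i + 3])) for i in range(0, 12, 3))


def same_area(net_a: str, net_b: str) -> bool:
    """Level 1 adjacency requires both routers to share the area address (AFI + area)."""
    a, b = parse_net(net_a), parse_net(net_b)
    return (a["afi"], a["area"]) == (b["afi"], b["area"])


if __name__ == "__main__":
    net = "49.0001.1921.6800.1001.00"   # example from the notes
    print(parse_net(net))
    print(system_id_to_loopback(parse_net(net)["system_id"]))
```

The IOS XR configuration later in these notes uses NET 49.0000.0100.0200.1001.00 together with router ID 10.2.1.1; running `system_id_to_loopback` on its System ID shows that those two values encode the same address.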

IS-IS Metrics
-by default uses a narrow-style metric, limited to a 6 bit interface and a 10-bit path metric
-wide-style metrics allow a 24-bit interface and a 32-bit path metric
-metric is not bound to interface bandwidth, the metric of all interfaces is set to 10 by default
-path metric is the cumulative metric of all links on the path to the destination

IS-IS Advantages
-Transport Multiple Protocols
-Distributed Backbone
Disadvantages
-must build SPF DB, but the default metric is fixed to 10, so it needs to be modified

Configuring IS-IS IOS XR
(config)#router isis 1 (enables the router ISIS process)
(config-isis)#net 49.0000.0100.0200.1001.00 (configures the NET address)
(config-isis)#is-type level-2-only (changes the type to Level 2)
(config-isis)#address-family ipv4|ipv6 unicast
(config-isis-af)#metric-style wide

IOS
(config)#router isis 1
(config-router)#net 49.0000.0100.0201.0001.00
(config-router)#is-type level-2-only
(config-router)#metric-style wide

Adding Interfaces to IS-IS
-interfaces must be explicitly enabled for the IS-IS process, when done, they will advertise a network on
the interface

IOS XR
(config)#router isis 1
(config-isis)#int gi0/0/0/0
(config-isis-if)#address-family ipv4 unicast
(config-isis)#int Loopback0
(config-isis-if)#address-family ipv4 unicast
#show protocols isis (verify ISIS configuration)
#show isis neighbors
#show isis interfaces

IOS
(config)#int gi0/0/0
(config-if)#ip|ipv6 router isis 1

Configuring ISIS Load Balancing IOS XR
-like OSPF, can select several equal cost paths to destinations, this maximum number is platform
dependent

(config)#router isis 1
(config-isis)#address-family ipv4 unicast
(config-isis-af)#maximum-paths 2 (select the amount of paths you wish to use)
(config-isis)#interface gi0/0/0/0
(config-isis-if)#address-family ipv4 unicast
(config-isis-if-af)#metric 100
(config-isis)#int gi0/0/0/1
(config-isis-if)#address-family ipv4 unicast
(config-isis-if-af)#metric 100 (for load balancing to occur, the weight must match)

IOS IPv4
(config)#router isis 1
(config-router)#maximum-paths 2
(config)#int gi0/0
(config-if)#isis metric 100 (further interfaces would need to be configured with the IS-IS process and the same
metric)

IOS IPv6
(config)#router isis 1
(config-router)#address-family ipv6 unicast
(config-router-af)#maximum-paths 2
(config)#int gi0/0
(config-if)#isis ipv6 metric 100

-verify by viewing the routing tables

IS-IS Authentication
-like OSPF, authentication is used to prevent undesired adjacencies and rogue routes, also to prevent
changes in routing information when not desired
-plaintext (AVOID!) and MD5 authentication
-IS-IS authentication can be separately configured for two types of packets:
-authentication of hello packets at interface level
-authentication of LSPs, configured at routing process level

IS-IS Troubleshooting
-verify IS-IS adjacencies with show isis neighbors, if no neighbors: verify if interfaces are up, MTU
matches
-use debug isis packet-errors

Route Redistribution
-some networks use more than one routing protocol at the same time
-different routing protocols cannot exchange information about networks directly, this redistribution has to
be explicitly configured, one router is configured for both routing protocols (redistribution point)
-when redistributing routes, they are marked with a special tag that they are external routes (EIGRP uses
the EX tag, OSPF uses the E1 or E2 tag)
-since each protocol uses its own metric, an initial seed metric has to be configured for external networks
from the redistribution point
-when a seed metric is established, the metric increases as specified by the routing protocol

Default Seed Metrics:
RIP/EIGRP: 0 (but infinite)
OSPF: 20 (metric-type E2)
IS-IS: 0 (but NOT infinite)
BGP: set to IGP max value

Route Redistribution into OSPF
-the following protocols can be redistributed into OSPF (and v3): BGP, connected routes, EIGRP, IS-IS,
OSPF (another process), RIP, static routes
-default seed metric is 20 (from IGP) and 1 (from BGP)
-default external metric type is E2
-on IOS/IOS XE, classless subnets are NOT redistributed into OSPF by default

Configuring OSPF Route Redistribution on IOS XR
(config)#router isis 1
(config-isis)#net 49.0000.0100.0300.1001.00
(config-isis)#address-family ipv4 unicast
(config-isis)#int gi0/0/0/0
(config-isis-if)#address-family ipv4 unicast

(config)#router ospf 1
(config-ospf)#area 0
(config-ospf-ar)#int gi0/0/0/1 (enables OSPF on an interface so routes can be redistributed)
(config-ospf)#redistribute isis 1 metric 30 (this will redistribute IS-IS into OSPF)

IOS/IOS XE
(config)#router ospf 1
(config-router)#redistribute isis 1 metric 30 metric-type 1 subnets (subnets command will ensure that classless subnets
are redistributed)

Route Redistribution into IS-IS
-the following protocols can be redistributed into IS-IS: BGP, connected routes, EIGRP, IS-IS (another
process), OSPF(v3), RIP, static routes
-default seed metric is 0
-redistribution for IPv4 and IPv6 is configured under an appropriate address family

Configuring ISIS Route Redistribution on IOS XR
(config)#router isis 1
(config-isis)#net 49.0000.0100.0300.1001.00
(config-isis)#address-family ipv4 unicast
(config-isis-af)#redistribute ospf 1 metric 20 (enables redistribution from OSPF into IS-IS)
(config-isis)#int gi0/0/0/0
(config-isis-if)#address-family ipv4 unicast (enables ISIS on this interface)

IOS/IOS XE
(config)#router isis 1
(config-router)#redistribute ospf 1 metric 30 (the address-family ipv6 unicast command would need to precede this for
IPv6)

Multiprotocol Label Switching (MPLS)
-switching mechanism in which packets are switched based on labels (usually correspond to a destination
IP network)
-an additional header, the MPLS label, is inserted and used for MPLS switching
-Cisco Express Forwarding (CEF) is an advanced layer 3 switching technology used within a router,
defines the fastest method by which a Cisco router forwards packets from ingress to egress interfaces

-MPLS for service providers:
-being phased out, in the past it provided faster forwarding
-now a platform to engineer traffic and VPN service
-works on a core and edge layer

-MPLS for traffic engineering:
-allows ISPs to optimize network utilization
-can be used to increase fault tolerance

-MPLS VPNs:
-allows separation of customers into VPNs
-similar to virtual circuits (for example, from Frame Relay)
-allows Layer 2 or 3 VPNs

_
cs
MPLS Labels
-uses a 32 bit label header inserted between Layer 2 and 3, can be used regardless of the Layer 2
ia
protocol

MPLS Label Switch Routers


n
-Label Switch Routers (LSRs) forward packets based on labels and swap labels
ma

-the last LSR in the path also removes the label and forwards the IP packet
-Edge LSR:
rt

-labels IP packet (or imposes label) and forwards them into the MPLS domain
-forwards IP packets out of the MPLS domain
ce

-a sequence of labels used to reach a destination is called a label-switched path (LSP)


-the penultimate LSR removes the label and forwards the IP packet to the outgress edge LSR, which
routes the packet based on its routing lookup

The diagram referenced here (not reproduced in these notes) shows a simple example of forwarding IP packets using MPLS, where the forwarding is based only on the packet's destination IP address. LSR (Label Switch Router) A uses the destination IP address of each packet to select the LSP, which determines the next hop and initial label for each packet (21 and 17). When LSR B receives the packets, it uses these labels to identify the LSPs, from which it determines the next hops (LSRs D and C) and labels (47 and 11). The egress routers (LSRs D and C) strip off the final label and route the packet out of the network.

-the data plane on a router is responsible for forwarding packets based on decisions made by the routing protocols; the MPLS data plane consists of two forwarding structures:
 -Forwarding Information Base (FIB): used with CEF, the FIB is populated from a routing protocol and includes destination networks, next hops, outgoing interfaces, and pointers to Layer 2 devices; on MPLS it will also have an outgoing label that it applies when it needs to
 -Label Forwarding Information Base (LFIB): used when a labeled packet is received; in general it contains an incoming and outgoing label, outgoing interface, and next-hop router
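As an added example (not part of the study notes), the following Python script models the FIB/LFIB walk described above: LSR A imposes the label from its FIB, LSR B swaps it from its LFIB, and the egress LSR pops it and falls back to an IP lookup. The labels 21/17 and 47/11 are the ones from the description; the prefixes 10.1.0.0/16 and 10.2.0.0/16, the router names and the "customer-X" exits are assumptions made for this example.

```python
from ipaddress import ip_address, ip_network

# Constructed tables for the worked example (LSR A -> LSR B -> LSR C/D).
# Labels 21/17 and 47/11 follow the description; prefixes, router names and
# the "customer-X" exits are assumptions made for this example.
FIB = {  # IP lookups: prefix -> (next hop, label to impose, or None for plain IP)
    "A": {ip_network("10.1.0.0/16"): ("B", 21), ip_network("10.2.0.0/16"): ("B", 17)},
    "D": {ip_network("10.1.0.0/16"): ("customer-D", None)},
    "C": {ip_network("10.2.0.0/16"): ("customer-C", None)},
}
LFIB = {  # labeled packets: incoming label -> (next hop, outgoing label); None = pop
    "B": {21: ("D", 47), 17: ("C", 11)},
    "D": {47: (None, None)},  # egress: strip the label, then route on the IP header
    "C": {11: (None, None)},
}


def fib_lookup(router, dst):
    """Longest-prefix match, as CEF does it; None when no route exists."""
    fib = FIB.get(router, {})
    matches = [p for p in fib if dst in p]
    if not matches:
        return None
    return fib[max(matches, key=lambda p: p.prefixlen)]


def forward(dst_ip, ingress="A"):
    """Trace one IP packet through the MPLS domain.

    Returns a list of (router, label_in, label_out) hops. The ingress hop has
    label_in None (label imposition); a None label_out means the label was
    popped, after which the same router does a normal IP lookup, recorded as
    (router, "ip", exit).
    """
    dst = ip_address(dst_ip)
    entry = fib_lookup(ingress, dst)
    if entry is None:
        return []  # no route at the ingress edge: the packet is dropped
    router, label = entry
    trace = [(ingress, None, label)]
    while label is not None:
        if label not in LFIB.get(router, {}):
            trace.append((router, label, "drop"))  # unknown label: cannot be switched
            return trace
        next_hop, out_label = LFIB[router][label]
        trace.append((router, label, out_label))
        if out_label is None:
            exit_entry = fib_lookup(router, dst)
            trace.append((router, "ip", exit_entry[0] if exit_entry else "drop"))
        router, label = next_hop, out_label
    return trace


def labels_used(dst_ip):
    """Just the label sequence of the LSP, e.g. [21, 47] for 10.1.0.0/16."""
    return [hop[2] for hop in forward(dst_ip) if isinstance(hop[2], int)]


if __name__ == "__main__":
    for dst in ("10.1.5.5", "10.2.9.9", "192.0.2.1"):
        print(dst, forward(dst))
```

The third destination has no FIB entry at the ingress edge, which is the behaviour to expect before LDP has finished exchanging labels only if the IGP has no route either; with an IGP route but no label, a real LSR would forward the packet unlabeled using the FIB.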

Label Distribution Protocol

-the forwarding structures that are used by MPLS have to be populated
-the FIB is populated from the routing table; the MPLS label is added to the FIB by LDP
-the LFIB is populated by LDP, which is responsible for the advertisement and redistribution of MPLS labels between MPLS routers
-LDP is like a dynamic routing protocol for MPLS
-adjacent routers establish an LDP session:
 -MPLS routers discover neighbours using hello packets sent to 224.0.0.2 (IPv6: FF02::2) using UDP port 646
 -an MPLS-enabled neighbour will respond to hello packets by establishing a TCP session on port 646 to the peer router ID
 -once the session is established, labels can be exchanged


rt

Label Allocation and Advertisement

-each router generates a label for each network in its routing table; this is asynchronous and labels are only locally significant
-for path discovery and loop avoidance, LDP relies on routing protocols
-networks originating on the outside of the MPLS domain are not assigned any label on the edge LSR; instead the pop label is advertised (remove the label and forward based on IP)
-when a router receives a label from a neighbour it stores that label in the LIB, even if that neighbour is not the next hop for the destination
-the steady state is when all of the labels are exchanged and the LIB, LFIB, and FIB are completely populated
-it takes longer for LDP to exchange labels than it takes a routing protocol to converge
-there is no network downtime before LDP fully exchanges labels; packets can be forwarded using the FIB if labels are not yet available
MPLS Configuration
-in IOS XR, forwarding is enabled by enabling LDP on an interface under the MPLS LDP configuration mode
-in IOS/IOS XE, forwarding is enabled by enabling MPLS on an interface under the interface configuration mode

IOS XR
(config)#mpls ldp
 interface gi0/0/0/0
 interface gi0/0/0/1

#show mpls ldp neighbor (view TCP connection information about MPLS neighbours)
#show mpls ldp bindings (show local labels for destination networks)
#show mpls ldp forwarding (displays the contents of the LFIB table)
#show cef 192.168.101.0/24 (displays the FIB table)

MPLS Troubleshooting

-if labels are not redistributed, verify LDP neighbour discovery using show mpls ldp discovery, and verify that MPLS is enabled on the adjacent router on the respective interface (use show mpls ldp interface)
-if a neighbour is discovered, verify whether the TCP sessions are established using show mpls ldp neighbor. If there is no session, reachability between the router Loopback interfaces might be an issue (LDP requires router IDs)

Border Gateway Protocol (BGP)

-BGP is placed in the Edge of the IP NGN Infrastructure Layer
-Autonomous System (AS): collection of networks under a single technical administration, identified by an AS number
 1-56319 Public Use (allocated to RIRs by IANA)
 56320-64511 reserved by IANA
 64512-65534 Private Use
-Design goals for interdomain routing: scalability, secure routing information exchange, support for routing policies
-BGP is a distance vector protocol
-exchanges routing information between peers
-neighbors are in the same AS (internal BGP) or in a different AS (external BGP)
-reliable updates (TCP), sent only when triggered, and only the information that has changed is transmitted
-designed to scale to huge internetworks, for SPs to route traffic in the Internet
-BGP is a layer 7 application (using TCP)

Statically Defined Neighbours > Neighbours Table > Updates > BGP Table > BGP Scanner (based on attributes) > Routing Table

AS Types and Redundancy
-Transit AS: provides transit service of customer data to other autonomous systems
-Non-transit AS: a customer AS that is not allowed to transit traffic from other autonomous systems
-Stub AS: only one link to a transit AS
-Single-homed customers: for residential/small business; BGP is used when customers need a dynamic routing protocol, static routes are used when dynamic routing is not required
-Multi-homed customers: for customers that need provider-independent address space and their own AS number, BGP is used; customers/ISPs should use filters for routing updates (to avoid becoming a transit AS)

BGP Characteristics and Usage

-Reliable updates: TCP used for transport, no periodic updates (just changes), periodic keepalives to verify connectivity, batches updates and sends them at configured intervals (avoids uncontrolled floods when links are flapping)
-Multiprotocol support: IPv4, IPv6, multicast, MPLS VPN, and more
-designed for huge networks: supports complex routing processes, interdomain routing
-common uses: customers connected to more than one SP, interconnecting SP networks (transit links), exchanging traffic using exchange points, network core of large enterprise customers
-limitation: cannot influence the routing policies of a downstream AS; the forwarding decision is based on the destination IP, the source IP address does not influence the routing decision

MP-BGP
-BGP was originally IPv4 only; Multiprotocol (MP) BGP establishes TCP peer sessions over both IPv4 and IPv6 and can exchange MP traffic between peers: IPv4, IPv6, multicast, MPLS VPN (using address-family to configure protocol-specific parameters)
-Address Families: IPv4 (unicast), IPv6 (unicast, multicast address prefix), CLNS, VPNv4 (distributes VPNv4 prefixes for each Layer 3 VPN), L2VPN

BGP Path Attributes

-path attributes are BGP's metrics; route selection depends on them
-can be transitive (forwarded to other neighbours) or nontransitive
-can be well-known (recognized by all compliant implementations, BGPv1 to v4):
 -mandatory, must be present in all update messages, i.e.: next hop, AS path, origin
 -discretionary, where presence in update messages is optional, i.e.: local preference
-or can be optional (recognized by only some implementations):
 -Multi-exit discriminator (MED)

Path Attributes: Weight
-local to the router
-Cisco defined (and Cisco proprietary)
-highest weight wins when multiple routes exist
-applied to routes from a neighbour: either to all routes or to routes defined in a filter

Path Attributes: Local Preference

-local to an AS, exchanged between IBGP peers
-well-known, optional
-influences BGP path selection for outbound traffic
-highest local preference is preferred, 100 is the default value

Path Attributes: AS Path

-sequence of autonomous systems a route has travelled through
-well-known, mandatory
-primarily used for loop detection: if the path contains your AS number, the route is dropped
-also used for best path manipulation
-your AS number is prepended to the existing AS path when the route is sent to external neighbours

Attribute Name      Attribute Purpose                         Attribute Type
Weight              Local (to router) path selection          Cisco, local to router only
Next Hop            How to reach the prefix                   Well-known, mandatory
Origin              Path selection based on origin            Well-known, mandatory
AS Path             Loop prevention                           Well-known, mandatory
Local Preference    Local (to AS) path selection              Well-known, discretionary
Community           Additional prefix information             Optional, transitive
MED                 Inter-AS path selection                   Optional, nontransitive
Originator          Path selection (who originated prefix)    Optional, nontransitive
n
ma

BGP Sessions
-BGP uses TCP for establishing a BGP session; port 179 is used and the session can be over IPv4 or IPv6. Sessions are established between two BGP peers (IBGP: in the same AS; EBGP: in a different AS)
-EBGP peers are usually reachable through a directly connected link
-IBGP peers are typically established through loopback interfaces
-BGP session neighbour states:
 -Idle: starting the BGP process, initiates the BGP connection with configured peers, changes to the Connect state
 -Active: the router tries to establish another TCP session; if successful it goes to the OpenSent state, if unsuccessful it goes back to the Idle state
 -Established: the peer sends update messages; on error it goes to the Idle state
-if stuck in the Idle state, it is likely due to: no route to the neighbour, or peering with the wrong neighbour
-BGP keepalives are sent every 60 seconds by default
EBGP
-an EBGP session can form any topology
-received updates are sent to all neighbours, which are normally directly connected
-by default, EBGP peers can be only one hop away, but EBGP multihop can be configured per neighbour

IBGP
-the AS path is NOT changed in IBGP updates
-updates from IBGP peers are sent only to EBGP neighbours: this prevents routing loops (BGP split horizon), so an IBGP full mesh is mandatory

BGP Security
-neighbour authentication via MD5 authentication using key chains (the password is hashed and the hash is sent, not the password)
-both routers must have the same password; used mostly for EBGP peers
-authenticating BGP peers protects against DoS attacks
n ia
ma

BGP Updates

-a BGP update packet carries information:
 -Network Layer Reachability Information (NLRI): prefix length, prefix (the route)
 -Path attributes: Origin, AS path, next hop, local preference
 -optional attributes
-MP-BGP carries additional info: IPv6 routes, MPLS VPN

BGP Path Selection


1) Highest Weight
2) Highest Local Preference
3) Route originated by Local Router (next hop: 0.0.0.0)
4) Shortest AS path
5) Lowest Origin Code (i (IBGP)< e (EBGP) < ? (incomplete, redistributed))
6) Lowest MED
7) EBGP over IBGP
8) Closest IGP neighbour
9) Oldest Date
10) Lowest Neighbour Router ID
11) Lowest Neighbour IP Address
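The eleven steps above, implemented as a sequential tie-break over constructed routes; this is an added example, not code from the notes or from Cisco. The Route fields, the sample neighbours 192.0.2.1, 192.0.2.2 and 10.0.1.1 and the AS numbers are assumptions. One simplification: MED is compared across all candidates here, whereas a real router only compares it between paths learned from the same neighbouring AS.

```python
from dataclasses import dataclass
from ipaddress import ip_address

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}  # step 5: lowest origin code wins

STEPS = [
    "highest weight", "highest local preference", "locally originated",
    "shortest AS path", "lowest origin code", "lowest MED", "EBGP over IBGP",
    "closest IGP neighbour", "oldest route", "lowest neighbour router ID",
    "lowest neighbour IP address",
]


@dataclass
class Route:
    """One candidate path for a prefix in the BGP table (attribute values are constructed)."""
    prefix: str
    next_hop: str
    neighbor_ip: str
    neighbor_id: str
    as_path: tuple = ()
    origin: str = "i"
    weight: int = 0
    local_pref: int = 100
    med: int = 0
    ebgp: bool = True
    igp_metric: int = 0
    received_at: int = 0  # constructed arrival order; a smaller value means older

    def selection_key(self):
        """Per-step comparison values, arranged so that the lowest value wins at every step."""
        return (
            -self.weight,                              # 1) highest weight
            -self.local_pref,                          # 2) highest local preference
            0 if self.next_hop == "0.0.0.0" else 1,    # 3) originated by the local router
            len(self.as_path),                         # 4) shortest AS path
            ORIGIN_RANK[self.origin],                  # 5) i < e < ?
            self.med,                                  # 6) lowest MED (simplified, see lead-in)
            0 if self.ebgp else 1,                     # 7) EBGP over IBGP
            self.igp_metric,                           # 8) closest IGP neighbour
            self.received_at,                          # 9) oldest route
            int(ip_address(self.neighbor_id)),         # 10) lowest neighbour router ID
            int(ip_address(self.neighbor_ip)),         # 11) lowest neighbour IP address
        )


def best_path(routes):
    """Walk the steps in order and stop at the first step that leaves a single candidate.

    Returns (winning Route, name of the deciding step).
    """
    candidates = list(routes)
    for step, name in enumerate(STEPS):
        lowest = min(r.selection_key()[step] for r in candidates)
        candidates = [r for r in candidates if r.selection_key()[step] == lowest]
        if len(candidates) == 1:
            return candidates[0], name
    return candidates[0], "full tie"


# Constructed candidates for 203.0.113.0/24 as a router in AS 64500 might hold them
CANDIDATES = [
    Route("203.0.113.0/24", "192.0.2.1", "192.0.2.1", "192.0.2.1",
          as_path=(64507, 64510), received_at=1),
    Route("203.0.113.0/24", "192.0.2.2", "192.0.2.2", "192.0.2.2",
          as_path=(64508,), received_at=2),
    Route("203.0.113.0/24", "10.0.1.1", "10.0.1.1", "10.0.1.1",
          as_path=(64508,), local_pref=200, ebgp=False, received_at=3),
]

if __name__ == "__main__":
    winner, why = best_path(CANDIDATES)
    print(f"best path via {winner.neighbor_ip}, decided by: {why}")
```

Running it shows the IBGP-learned path winning on local preference despite the EBGP path at 192.0.2.2 having the same AS path length; remove the third candidate and the decision falls through to the shortest AS path.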

BGP Route Propagation

-only the best routes are advertised to BGP peers
-split horizon is in effect: a router never sends a route back through the same BGP session from which the route was received
-route poisoning can be used

Advertising Local Networks (BGP)
-routers originate BGP routes in 2 different ways:
 -via the network config command (only if the network is in the routing table; prefix and mask must match)
 -redistribution from another routing protocol (redistribute connected routes or routes from an IGP; origin is set to incomplete)
-BGP periodically checks whether originated routes are still in the routing table
rt
ce

BGP Config Scenario

Configuring BGP IOS XR
A(config)#router bgp 64500
 address-family ipv4 unicast
 address-family ipv6 unicast
 neighbor 192.168.107.71
  remote-as 64507
  address-family ipv4 unicast
 neighbor 2001:db8:192:168:107::71
  remote-as 64507
  address-family ipv6 unicast
 neighbor 10.0.1.1 (this is an IBGP peer, Router B's loopback)
  remote-as 64500
  update-source Loopback0
  address-family ipv4 unicast
 neighbor 2001:db8:10:0:1::1 (this is an IBGP peer, Router B's loopback)
  remote-as 64500
  update-source Loopback0
  address-family ipv6 unicast

B(config)#router bgp 64500
 address-family ipv4 unicast
 address-family ipv6 unicast
 neighbor 10.7.1.1 (IBGP peer, Router A's loopback)
  remote-as 64500
  update-source Loopback0
  address-family ipv4 unicast
 neighbor 2001:db8:10:7:1::1 (IBGP peer, Router A's loopback)
  remote-as 64500
  update-source Loopback0
  address-family ipv6 unicast

#show bgp ipv4|ipv6 unicast summary (verify BGP peers)

IOS

(config)#router bgp 64507
 neighbor 192.168.107.70 remote-as 64500 (configures an EBGP peer)
 neighbor 2001:db8:192:168:107::70 remote-as 64500
 address-family ipv4
  neighbor 192.168.107.70 activate
  no neighbor 2001:db8:192:168:107::70 activate (these commands ensure only the IPv4 neighbor is active in the IPv4 address family)
 address-family ipv6 unicast
  neighbor 2001:db8:192:168:107::70 activate (the router and neighbor commands are needed for enabling basic BGP)

#show bgp summary (verify BGP peers)

Disable a BGP Peer
-disabling a neighbour shuts down communication with it; this is used for debugging, troubleshooting, and during extensive modification of routing policies

(config-router)#neighbor <ip address> shutdown

Advertising Local Routes

-use the network command or redistribute routes from other IGPs (OSPF, etc.)
-a route policy for EBGP peers is mandatory

IOS XR
(config)#int Loopback10
 ipv4 address 172.16.8.1 255.255.255.0
 no shut
(config)#router bgp 64500
 address-family ipv4 unicast
  network 10.10.10.0/24

IOS
(config)#int Loopback10
 ip address 172.16.7.1 255.255.255.0
 no shut

(config)#router bgp 64507
 neighbor 192.168.107.70 remote-as 64500
 address-family ipv4

-remember that a network must be present in the routing table to be advertised to other BGP peers

Route Manipulation: Route Policy

-performed in IOS XR with the Route Policy Language (RPL); route policies are a powerful tool for route manipulation:
 -prepend AS to AS path
 -replace AS in AS path
 -set origin
 -set weight
 -set local-preference
 -reject route
 -and more
-IOS does not use RPL, BUT can use route maps and ACLs, applied to interfaces or neighbours
n
Configuring Route Policies

A(config)#route-policy pass (names the route policy)
 pass
end-policy

A(config)#router bgp 64500
 address-family ipv6 unicast
 neighbor 2001:db8:192:168:107::71
  remote-as 64507
  address-family ipv6 unicast
   route-policy pass in
   route-policy pass out

-when configuring an EBGP peer, route policy configuration is mandatory under the neighbour address family; if you do not configure a route policy, no updates are sent to the EBGP peer

Verifying BGP Routes IOS

#show route ipv4|ipv6 bgp (show BGP routes)

#show bgp ipv4|ipv6 all (show BGP prefixes)

Access Control Lists

-used for filtering (allow/deny IP traffic either in or out) and classification (identifies traffic for special handling, such as for QoS)
-without filters, all IP traffic in/out is allowed
-an ACL filter is applied to an interface either inbound or outbound
-ACLs are consulted in a top-down fashion; the FIRST match is executed
-there is an IMPLICIT DENY ALL at the bottom of each 
ACL

Wildcard Masks

-follow an IP address in an ACL entry and specify which bits in the IP address will be checked against the statement
-0 means check the corresponding bit
-1 means ignore the corresponding bit
-i.e.: 192.168.146.0 0.0.0.255 means ignore ONLY the final octet of the IP
-single IP example: 172.16.1.1 0.0.0.0

ACL Types

-Standard ACL:
 -checks source address
 -not supported for IPv6 or on Cisco IOS XR
-Extended ACL:
 -checks source AND destination address
 -checks Layer 4 protocol
 -checks source and destination port (in the case of TCP or UDP)
-ACLs can be identified by number (legacy, not for IPv6 and IOS XR) or by name (recommended)

-only one ACL per interface, per protocol, and per direction is allowed
-most specific statement should be at the top, most general should be at the bottom
-due to implicit deny, ACL requires at least one permit statement
-When placing an ACL in a network:
-place standard ACLs close to the destination
-place extended ACLs close to the source
-An ACL applied to an interface does not filter traffic originating from a router (management traffic, routing
protocol traffic), you should apply an ACL to vty lines to limit admin access (Telnet, SSH) to the router

Standard ACLs
-based on source IPv4 address, only used on IOS/IOS XE
-wildcard mask used to match individual IPs or subnets
-config is done in two steps:
1) create the ACL and specific statements
2) apply to the access list to an interface

Standard ACL Configuration
(config)#ip access-list standard FILTER (creates a standard ACL with a name)
 10 permit 172.16.0.0 0.0.255.255
 20 deny any
(config)#int gi0/1
 ip access-group FILTER in

#show access-lists

#show ip int gi0/1 (will display the IP access lists applied to the interface)
rt

Extended ACLs

-filter traffic based on:
 -source and destination IPv4/v6 address
 -Layer 4 protocol
 -source and destination port (UDP or TCP)
-wildcard mask used to match individual IP addresses or subnets (IPv4 only)
-config is done in two steps:
 -create an access list and specify statements
 -apply the access list to an interface

Well Known Port Numbers and IP Protocols

Well Known Port Number   IP Protocol
20 (TCP)                 FTP data
21 (TCP)                 FTP control
22 (TCP)                 SSH
23 (TCP)                 Telnet
25 (TCP)                 Simple Mail Transfer Protocol (SMTP)
53 (TCP/UDP)             Domain Name System (DNS)
69 (UDP)                 TFTP
80 (TCP)                 HTTP

Configuring IPv4 Extended ACLs IOS XR

(config)#ipv4 access-list FILTER
 10 permit tcp host 172.16.1.1 ge 1023 host 192.168.1.1 eq www
 20 deny ipv4 any any

(config)#int gi0/0/0/1
 ipv4 access-group FILTER ingress

-Operators: ge = greater than or equal to, le = less than or equal to, eq = equal, neq = not equal, range
#show access-lists ipv4|ipv6

#show ipv4|ipv6 interface (verifies which ACLs are applied to interfaces)

Configuring IPv6 Extended ACLs IOS XR

(config)#ipv6 access-list FILTER
 10 permit tcp 2001:db8:172:16::1/128 2001:db8:192:168::1/128 eq www
 20 deny ipv6 any any

(config)#int gi0/0/0/1
 ipv6 access-group FILTER ingress

Service Provider Edge Filtering

-used to filter specific traffic on the edge of the network to protect it as well as the customers
-in general, IP addresses that should not be seen in a certain part of the network should be filtered
-Filtering types:
 -Infrastructure ACLs: protect the infrastructure and block traffic to the router interfaces of the SP
 -Antispoofing ACLs: in the inbound direction (from the SP point of view) to protect from a customer; in the outbound direction, to protect a customer
 -RFC 1918 address filtering: packets destined to or from private IP addresses should not be seen in the Internet and should be filtered
 -Filtering based on security packages: an SP can provide residential users with different security packages, where traffic to the customer can be restricted in order to protect that customer

Configuring Inbound Antispoofing ACLs IOS XR

(config)#ipv4 access-list ANTI_SPOOF_FILTER_IN
 10 permit ipv4 209.165.202.128/28 any
 20 deny ipv4 any any

(config)#int gi0/0/0/1
 ipv4 access-group ANTI_SPOOF_FILTER_IN ingress

-in this example, the ACL is applied inbound on the customer-facing SP edge interface: only packets whose source address is in the public block assigned to the customer by the SP (209.165.202.128/28) are accepted, so packets arriving from the customer side with any other source address, which could only have been spoofed, are dropped

Configuring Outbound Antispoofing ACLs IOS XR

(config)#ipv4 access-list ANTI_SPOOF_FILTER_OUT
 10 deny ipv4 209.165.202.128/28 any
 20 permit ipv4 any 209.165.202.128/28

(config)#int gi0/0/0/1
 ipv4 access-group ANTI_SPOOF_FILTER_OUT egress

-in this example, the customer is assigned the 209.165.202.128/28 subnet (and resides outside the SP network). The outbound ACL is configured to deny traffic originating from IP addresses that have been assigned to the customer, and allows any other traffic destined to the customer-assigned address space. This protects the customer from attacks where an attacker tries to penetrate the customer network by spoofing the customer's IP addresses. The ACL is applied outbound on the SP edge interface
rt
ce

Configuring RFC 1918 IP Address Filtering IOS XR

-prevents IP packets with private IP destination addresses from being seen in the network of the SP; it is applied inbound on an edge interface of the SP network
(config)#ipv4 access-list ADDRESS_FILTER_IN
 10 deny ipv4 any 10.0.0.0 0.255.255.255
 20 deny ipv4 any 172.16.0.0 0.15.255.255
 30 deny ipv4 any 192.168.0.0 0.0.255.255
 80 permit ipv4 any any

(config)#int gi0/0/0/1
 ipv4 access-group ADDRESS_FILTER_IN ingress
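The following Python ACL evaluator is an added example (not from the notes or from Cisco) that covers both the wildcard-mask rules and the top-down, first-match, implicit-deny processing described in the ACL sections, and then runs the three edge-filtering ACLs from this section over constructed packets. It handles the IPv4 address forms used on this page (any, host, prefix/length, address plus wildcard mask) and the ipv4/tcp protocol keywords; the sample addresses 198.51.100.7, 203.0.113.1 and 10.1.1.1 are constructed.

```python
from ipaddress import ip_address, ip_network


def _addr_matcher(tokens, i):
    """Consume one IPv4 address spec from an ACL line and return (predicate, next index).

    Accepts the forms used on this page: any | host A.B.C.D | A.B.C.D/len | A.B.C.D WILDCARD.
    For the wildcard form a 0 bit must match and a 1 bit is ignored (see Wildcard Masks).
    """
    t = tokens[i]
    if t == "any":
        return (lambda a: True), i + 1
    if t == "host":
        host = ip_address(tokens[i + 1])
        return (lambda a: a == host), i + 2
    if "/" in t:
        net = ip_network(t, strict=False)
        return (lambda a: a in net), i + 1
    base, wildcard = int(ip_address(t)), int(ip_address(tokens[i + 1]))
    return (lambda a: (int(a) ^ base) & ~wildcard == 0), i + 2


def parse_acl(text):
    """Parse 'seq action protocol source destination' lines (IOS XR style) into ordered entries."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        seq, action, proto = int(tok[0]), tok[1], tok[2]
        src_ok, i = _addr_matcher(tok, 3)
        dst_ok, _ = _addr_matcher(tok, i)
        entries.append((seq, action, proto, src_ok, dst_ok))
    return sorted(entries, key=lambda e: e[0])  # sequence numbers give the top-down order


def evaluate(acl, src, dst, proto="tcp"):
    """Top-down, first match wins; the implicit deny any any is returned as ('deny', None)."""
    s, d = ip_address(src), ip_address(dst)
    for seq, action, p, src_ok, dst_ok in acl:
        if p in ("ipv4", proto) and src_ok(s) and dst_ok(d):
            return action, seq
    return "deny", None


# The three edge-filtering ACLs from this section, entries exactly as on the page
ANTI_SPOOF_FILTER_IN = parse_acl("""
10 permit ipv4 209.165.202.128/28 any
20 deny ipv4 any any
""")
ANTI_SPOOF_FILTER_OUT = parse_acl("""
10 deny ipv4 209.165.202.128/28 any
20 permit ipv4 any 209.165.202.128/28
""")
ADDRESS_FILTER_IN = parse_acl("""
10 deny ipv4 any 10.0.0.0 0.255.255.255
20 deny ipv4 any 172.16.0.0 0.15.255.255
30 deny ipv4 any 192.168.0.0 0.0.255.255
80 permit ipv4 any any
""")

if __name__ == "__main__":
    # Constructed packets: the customer's block is 209.165.202.128/28, 198.51.100.7 is an Internet host
    print(evaluate(ANTI_SPOOF_FILTER_IN, "209.165.202.130", "198.51.100.7"))     # ('permit', 10)
    print(evaluate(ANTI_SPOOF_FILTER_IN, "10.1.1.1", "198.51.100.7"))            # ('deny', 20): spoofed source
    print(evaluate(ANTI_SPOOF_FILTER_OUT, "209.165.202.130", "209.165.202.131"))  # ('deny', 10): customer address from outside
    print(evaluate(ANTI_SPOOF_FILTER_OUT, "198.51.100.7", "203.0.113.1"))        # ('deny', None): implicit deny
    print(evaluate(ADDRESS_FILTER_IN, "198.51.100.7", "172.31.5.5"))             # ('deny', 20): RFC 1918 destination
    print(evaluate(ADDRESS_FILTER_IN, "198.51.100.7", "172.32.1.1"))             # ('permit', 80): just outside 172.16/12
```

The 172.31.5.5 versus 172.32.1.1 pair is the check worth keeping in mind when writing the 172.16.0.0 0.15.255.255 entry: the wildcard leaves the top four bits of the second octet significant, so 16 through 31 match and 32 does not.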

Transitioning to IPv6
-Types of transition mechanisms:
 -Static IPv6 Tunnels: manual IPv6 tunnels across IPv4 networks; they need to connect to tunnel brokers that provide IPv6 tunnels and globally routed addresses
 -6to4 Tunneling: uses automatic IPv6 tunnels across the IPv4 network. This technology, however, is OBSOLETE
 -IPv6 Rapid Deployment (6rd) tunnelling: similar to 6to4 tunneling; 6rd is recommended because it solves the issues of 6to4 tunneling
 -Carrier Grade NAT (CGN) / Dual Stack (DS) Lite: IPv6 traffic goes natively over the core network, IPv4 traffic is tunnelled over the IPv6 network of the SP; this traffic has private IPv4 addresses and must be translated to public IPv4 via CGN devices
 -NAT64: an SP that only has IPv6 services uses a NAT64 device on the edge of its network to translate IPv6 to IPv4 to allow access to IPv4 content
 -Teredo Tunneling: where neither customer nor SP has IPv6, the Teredo tunnel is established from a customer endpoint (PC) to a Teredo Relay (a service); IPv6 is encapsulated inside UDP on top of IPv4, however it has significant security concerns
ia
Carrier Grade NAT (CGN)
Inside Local Address: private address assigned to a host on the inside network
Inside Global Address: a public IP address that is assigned by an SP and that represents one or more inside local addresses to the outside world
Outside Local Address: IP address of an outside host as it appears on the inside network; the outside local address could be a private IP if the outside host is subject to NAT
Outside Global Address: IP address assigned to a host on the outside network by the host owner

-CGN shifts the NAT function from the customer premises to the SP network
-Caveats of CGN: breaks end-to-end connectivity, has potential scalability and performance issues, makes record-keeping operations more difficult, makes hosting of services on the customer side impossible

-NAT444: translating IPv4 addresses to IPv4 addresses across 3 IPv4 addressing domains; the packet is translated twice
-DS-Lite: provides tunnelling of IPv4 traffic over IPv6, and then the CGN operation is performed; IPv6 traffic travels natively
-NAT64: assigning IPv6 addresses to customers and then translating IPv6 packets to IPv4 on the SP edge; comes in two flavors:
 -Stateless NAT64: translates the IPv4 header into an IPv6 header (and vice versa) using algorithmic bindings between IPv4/IPv6 addresses. The disadvantage is that it only translates one-to-one
 -Stateful NAT64: multiplexes many IPv6 devices into a single IPv4 address using PAT. A state is created in the NAT64 device for every flow
-both are used with DNS64, which allows IPv6 hosts to retrieve an IPv6 address for IPv4-only hosts
-DNS64: synthesizes an AAAA record, based on a received A record and on a well-known or SP-assigned translation prefix
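An added example, not from the notes: DNS64 AAAA synthesis and the NAT64 side of it in Python, using the well-known translation prefix 64:ff9b::/96 (RFC 6052). A stateful NAT64 with PAT is modelled as a binding table, which also shows why an unsolicited inbound packet (someone trying to reach a service hosted behind the CGN) has nowhere to go. The client 2001:db8::10, the public pool address 203.0.113.5 and the IPv4 server 192.0.2.10 are constructed.

```python
from ipaddress import IPv4Address, IPv6Address

# Well-known NAT64/DNS64 translation prefix 64:ff9b::/96 (RFC 6052); an SP may use its own /96
WKP = IPv6Address("64:ff9b::")


def dns64_synthesize(a_record, prefix=WKP):
    """DNS64: synthesize the AAAA answer by embedding the A record's IPv4 address in the low 32 bits."""
    return IPv6Address(int(prefix) | int(IPv4Address(a_record)))


def nat64_extract_v4(dst_v6, prefix=WKP):
    """NAT64 side: recover the embedded IPv4 destination, or None if the address is native IPv6."""
    v6 = IPv6Address(dst_v6)
    if int(v6) >> 32 != int(prefix) >> 32:
        return None
    return IPv4Address(int(v6) & 0xFFFFFFFF)


class StatefulNat64:
    """Stateful NAT64 with PAT: many IPv6 clients share one public IPv4 address; a state
    entry is created per outbound flow and inbound packets without state are dropped."""

    def __init__(self, public_v4, first_port=1024, prefix=WKP):
        self.public_v4 = IPv4Address(public_v4)   # constructed pool address
        self.prefix = prefix
        self.next_port = first_port
        self.out = {}   # (client IPv6, client port) -> translated port
        self.back = {}  # translated port -> (client IPv6, client port)

    def translate_outbound(self, src_v6, src_port, dst_v6):
        """IPv6 -> IPv4: returns (src_v4, translated_port, dst_v4), or None if dst is native IPv6."""
        dst_v4 = nat64_extract_v4(dst_v6, self.prefix)
        if dst_v4 is None:
            return None
        key = (IPv6Address(src_v6), src_port)
        if key not in self.out:                 # first packet of the flow creates the state
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return self.public_v4, self.out[key], dst_v4

    def translate_inbound(self, src_v4, dst_port):
        """IPv4 -> IPv6: returns (synthesized src_v6, client IPv6, client port), or None when no state exists."""
        if dst_port not in self.back:
            return None  # unsolicited: this is why hosting a service behind CGN does not work
        client_v6, client_port = self.back[dst_port]
        return dns64_synthesize(str(src_v4), self.prefix), client_v6, client_port


if __name__ == "__main__":
    aaaa = dns64_synthesize("192.0.2.10")        # 64:ff9b::c000:20a
    nat = StatefulNat64("203.0.113.5")
    print(nat.translate_outbound("2001:db8::10", 40000, aaaa))
    print(nat.translate_inbound("192.0.2.10", 1024))
    print(nat.translate_inbound("192.0.2.10", 9999))  # None, no binding
```

Stateless NAT64 is the same address arithmetic without the binding table, which is why it can only map addresses one-to-one.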

Dual Stack
-both IPv4 and IPv6 stacks are concurrently enabled; applications can talk to both stacks, the IPv6 path is preferred
-Dual Stack IPv4 and IPv6: if an application and destination support both, it chooses one address and connects to it

Dual Stack Configuration

(config)#ipv6 unicast-routing (enables IPv6 routing on the router)

(config)#int gi0/0
 ip address 192.168.0.1 <subnet-mask>
 ipv6 address 2001:db8:c10:1::3/64
n
ma

IPv6-in-IPv4 Tunneling
-tunneling is used to transport one network protocol over another by encapsulating packets
-routing inside the transport network is performed based on the outer IP header
-an example is Generic Routing Encapsulation (GRE)

Tunneling Solutions
-during transition, all devices can be dual stack (not all devices are under common administration; almost twice as much admin burden)
-Manual tunneling between 2 sites: 6in4 encapsulation, GRE encapsulation
-Dynamic tunnelling between sites and/or the rest of the IPv6 internet: 6to4 (outdated), 6rd (desirable)

Manual - 6in4 Tunneling

-IPv6 traffic is sent over IPv4 via explicitly configured tunnels
-uses protocol number 41 in the IPv4 header
-the tunnel interface is IPv6 stack only
-the only overhead is the IPv4 header:
 IPv4 Header | IPv6 Packet

Manual GRE
-IPv6 traffic is sent over IPv4 via explicitly configured GRE tunnels
-uses protocol number 47 in the IPv4 header
-the tunnel interface can be dual-stack
-overhead is the IPv4 header + GRE header
-NOT supported in IOS XR!
 IPv4 Header (20 bytes) | GRE Header | IPv6 Packet

6in4 Tunneling Configuration
-setting up a 6in4 manual tunnel between two routers with customers using IPv6

A(config)#int Tunnel0
 ipv6 address 2001:db8:3::1/64
 tunnel source gi0/0 (outbound interface to the other router)
 tunnel destination 209.165.201.6
 tunnel mode ipv6ip (sets the 6in4 tunneling mode)

A(config)#ipv6 route 2001:db8:2::/64 Tunnel0 2001:db8:3::2 (creates a static IPv6 route to reach the other router's subnet via the tunnel)

B(config)#int Tunnel0
 ipv6 address 2001:db8:3::2/64
 tunnel source gi0/0 (outbound interface to the other router)
 tunnel destination 209.165.201.1
 tunnel mode ipv6ip

B(config)#ipv6 route 2001:db8:1::/64 Tunnel0 2001:db8:3::1

Automatic 6to4 (IPv6 in IPv4)

-uses 6in4 encapsulation to tunnel IPv6 in IPv4
-to access native IPv6 networks, relay routers have to be established
-the relay router should be available on the reserved IP address 192.88.99.1
-IPv6 addresses must use the specifically assigned prefix 2002::/16
-the well-known prefix is concatenated (linked together) with the IPv4 address that is assigned to the customer; the resulting IPv6 network is assigned to the customer
-for traffic between IPv6 islands, the tunnel destination is determined from the IPv6 destination prefix
-for traffic to the IPv6 internet, the 6to4 relay router's IPv4 address is known
-NO LONGER USED DUE TO: predefined IPv6 addressing, which caused problems with readdressing when migrating to native IPv6, and no guarantees for the existence of 6to4 relay routers

Automatic 6rd
-similar to the obsolete 6to4:
 -uses 6in4 encapsulation to tunnel
 -customers use the assigned prefix of the server router
-the border relay router is under SP control and the SP is responsible for routing traffic from customers to native IPv6 addresses
-the SP selects a GLOBALLY routable IPv6 prefix from its address space
-the 6rd prefix is concatenated with the IPv4 address that is assigned to the customer; the resulting IPv6 network is assigned to the customer
-traffic between customers: the destination address falls within the 6rd prefix and the tunnel destination is determined from the IPv6 prefix
-traffic to the IPv6 internet: the destination address does not fall within the 6rd prefix and traffic is sent to the preconfigured 6rd border relay
-allows SPs to instantly offer IPv6 services without migrating the core network
-CE routers should be under SP administration
-supported on Cisco ISR series and Cisco ASR 1000 Series routers
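An added example (not from the notes) that computes the customer prefixes for both mechanisms, 6to4 (2002::/16 plus the 32-bit IPv4 address) and 6rd (the SP's own prefix plus the variable bits of the IPv4 address, generalized here to the case where leading IPv4 bits common to all customers are left out), together with the CE's tunnel-endpoint decision. The 6rd prefix 2001:db8::/32, the customer IPv4 addresses and the border relay 203.0.113.1 are assumptions.

```python
from ipaddress import IPv4Address, IPv4Network, IPv6Address, IPv6Network


def sixto4_prefix(customer_v4):
    """6to4: 2002::/16 followed by the customer's 32-bit IPv4 address gives a /48."""
    return IPv6Network(((0x2002 << 112) | (int(IPv4Address(customer_v4)) << 80), 48))


def sixrd_prefix(customer_v4, rd_prefix="2001:db8::/32", ipv4_mask_len=0):
    """6rd: the SP's own globally routable prefix followed by the customer's IPv4 address.

    ipv4_mask_len is the number of leading IPv4 bits shared by all customers of the
    SP and therefore not embedded (0 embeds all 32 bits, giving a /64 for a /32 prefix).
    """
    net = IPv6Network(rd_prefix)
    v4_bits = 32 - ipv4_mask_len
    embedded = int(IPv4Address(customer_v4)) & ((1 << v4_bits) - 1)
    plen = net.prefixlen + v4_bits
    return IPv6Network((int(net.network_address) | (embedded << (128 - plen)), plen))


def sixrd_tunnel_endpoint(dst_v6, rd_prefix="2001:db8::/32", ipv4_mask_len=0,
                          sp_v4_block="0.0.0.0/0", border_relay="203.0.113.1"):
    """Decide where the CE tunnels a packet: inside the 6rd prefix the IPv4 endpoint is
    read back out of the destination address, otherwise it goes to the border relay.
    With rd_prefix="2002::/16" this is exactly the 6to4 rule (border_relay is then the 6to4 relay).
    """
    net = IPv6Network(rd_prefix)
    dst = IPv6Address(dst_v6)
    if dst not in net:
        return IPv4Address(border_relay)
    v4_bits = 32 - ipv4_mask_len
    shift = 128 - net.prefixlen - v4_bits
    low = (int(dst) >> shift) & ((1 << v4_bits) - 1)
    high = int(IPv4Network(sp_v4_block).network_address) & ~((1 << v4_bits) - 1)
    return IPv4Address(high | low)


if __name__ == "__main__":
    print(sixto4_prefix("192.0.2.1"))                       # 2002:c000:201::/48
    print(sixrd_prefix("192.0.2.1"))                        # 2001:db8:c000:201::/64
    print(sixrd_prefix("10.0.2.1", "2001:db8::/32", 8))     # 2001:db8:2:100::/56
    print(sixrd_tunnel_endpoint("2001:db8:c000:201::5"))    # 192.0.2.1 (another customer)
    print(sixrd_tunnel_endpoint("2001:4860::1"))            # 203.0.113.1 (border relay)
```

The readdressing problem the notes mention for 6to4 is visible in the first line: the customer's IPv6 prefix is a function of its IPv4 address, so a change of IPv4 address renumbers the IPv6 network. 6rd has the same dependency, but the SP owns the surrounding prefix and can migrate customers to native addresses out of the same block.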
ma

Cisco IOS XR Software Architecture

-modular OS where each module provides a set of capabilities
-core bundle of modules provides the basic functionality to operate a router; optional packages may be installed for additional functionality

Layered architecture (top to bottom); every layer runs on multiple CPUs:
 Routing Modules (BGP, OSPF) | Protocol Modules (IP) | Application Modules
 Distributed Infrastructure
 Cisco IOS XR Kernel
-each layer performs a separate set of tasks
-layers communicate with each other through the kernel

IOS XR Software Capabilities
-protected memory access:
 -each process has a virtual memory space
 -one process cannot corrupt the memory of another
 -in comparison to IOS, where all processes shared the same virtual space
-limited use of shared memory
-preemptive multitasking
-Dynamically Linked Libraries (DLLs):
 -only loads active libraries
 -processes share the library code
 -DLLs are unloaded when no longer needed
-no virtual memory/swapping
-the following platforms use IOS XR:
 -CRS-1, CRS-3, ASR 9000, XR 12000 (can also use IOS)
-IOS XR High Availability Components: kernel, plane separation, fault tolerance and isolation, checkpoint support for process restart, process-level redundancy

-Control Plane: distributes routing tasks and management of the routing information base (RIB) to the participating RPs; different routing processes can be running on different physical units
-Data Plane: maintains the forwarding information base (FIB) changes across the participating nodes, letting the router perform as a single forwarding entity
-Management Plane: controls the operation of the router as a single networking element

Cisco IOS XR Software Packages

-Unicast Routing Core Bundle: OS and minimum boot image, base, infra, routing, forwarding, line card drivers
-optional packages: multicast, manageability, MPLS, security, diagnostics, field-programmable device, documentation
-Installation of packages:
 -Package Installation Envelope (PIE) files are uploaded to the device
 -PIE files need to be added to the system and unpackaged
 -the package then needs to be activated
 -installation of a new package must be committed to make it persistent across reboots

Rolling Back to a Previous Installation Operation

-the rollback feature allows rollback to a specific point before the installation of new software packages
-points can be listed with show install rollback
-detailed info about a rollback: show install rollback <rollback-number> detailed
-rollback with install rollback to <rollback-number>

Installation of Software Packages

-a PIE file for the multicast software is located on disk1:
#admin (enters administration EXEC mode)
(admin)#install add disk1:asr9k-mcast-p.pie-4.0.1 (unpacks a PIE file from the local storage device and adds the package file to the boot device of the router)
(admin)#install activate disk1:asr9k-mcast-p.pie-4.0.1 (activates the multicast package that was added to the router)
(admin)#install commit (commits the current set of packages on the router so that these packages are used if the router is restarted)

#show install active (displays the active software on the router)

Uninstallation of Software Packages

(admin)#install deactivate <package name>

(admin)#install remove <package name>

(admin)#install remove inactive (alternate command to remove all inactive packages)

IOS XR Software Upgrades

-upgrades can be delivered without rebasing the entire image; one component upgrade does not force an upgrade of another component
-uses the same commands as installing packages
-use the optional test parameter to preview the effects of the upgrade
-downgrades are performed the same way as upgrades: add and activate an older version
-when a new package is activated, the old one is deactivated
-Software Maintenance Updates: emergency fix, installed using the same procedure as a PIE file

Installing IOS XR from the Beginning

-done because: the route processor (RP) is unable to boot IOS XR, or you want to completely replace the existing software
-installation from the beginning is done from the ROM monitor
-special installation files with the extension .vm are used
-sometimes referred to as Turboboot; can be done from a TFTP server or from a file stored on a local disk

Turboboot
-an environment variable that:
 -automates the software installation process in the ROM monitor
 -determines installation settings
-4 variable options:
 -on: installs and activates the IOS XR software package
 -boot-device: selects the destination disk
 -format | clean: specifies whether or not the files on the disk are preserved
 -nodisablebreak: specifies whether the installation process can be prematurely terminated
-files installed from ROMMON have a .vm extension; they include the software that is included in the IOS XR Unicast Routing Core Bundle

Committing Configuration
-IOS XR has a two-stage configuration: 1) make config changes 2) make the changes persistent
-there is no startup or running config distinction on IOS XR, just committed and uncommitted changes
-commit (atomic): commits changes only if all changes in the target config are valid; if errors are found, no changes take place
-commit best-effort: configures only the changes that are possible (error free)

#show running-config: contents of the active (committed) configuration
#show configuration: changes made to the target config; they have been entered but not yet committed
#show configuration merge: combined contents of the target and running config without committing the changes
#show configuration failed: reasons for a config commit error

Config Rollback Points

-each commit generates a record with a CommitID or label
-each CommitID is a rollback point
-the commit database stores up to 100 rollback points

#show configuration commit list: view the CommitIDs for the available rollback points
#show configuration commit changes <CommitID>
#rollback configuration to 1000000042 (rolls back to the selected CommitID)