Icnd230 - Student Guide v4

ICND2
Interconnecting
Cisco Networking
Devices, Part 2
Student Guide Volume
Version 3.0
Part Number:
Welcome Students
Students, this letter describes important course evaluation access information!
Welcome to Cisco Systems Learning. Through the Cisco Learning Partner Program, Cisco is
committed to bringing you the highest-quality training in the industry. Cisco learning products are
designed to advance your professional goals and give you the expertise that you need to build
and maintain strategic networks.
Cisco relies on customer feedback to guide business decisions. Therefore, your valuable input will
help shape future Cisco course curricula, products, and training offerings. Please complete a brief
Cisco online course evaluation of your instructor and the course materials in this student kit. On
the final day of class, your instructor will provide you with a URL, directing you to a short post-
course evaluation. If there is no Internet access in the classroom, please complete the evaluation
within the next 48 hours or as soon as you can access the web.
On behalf of Cisco, thank you for choosing Cisco Learning Partners for your Internet technology
training.
Sincerely,
Cisco Systems Learning
Americas Headquarters Asia Pacific Headquarters Europe Headquarters
Cisco Systems, Inc. Cisco Systems (USA) Pte. Ltd. Cisco Systems International BV
San Jose, CA Singapore Amsterdam,
The Netherlands
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at
www.cisco.com/go/offices.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To
view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third party trademarks mentioned are the property
of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other
company. (1110R)
DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED “AS IS” AND AS SUCH MAY INCLUDE TYPOGRAPHICAL,
GRAPHICS, OR FORMATTING ERRORS. CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN CONNECTION WITH THE
CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF THIS CONTENT
OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES,
INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE,
OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. This learning product may contain early release
content, and while Cisco believes it to be accurate, it falls subject to the disclaimer above.
© 2016 Cisco Systems, Inc.

Table of Contents
Course Introduction......................................................................................................... 1
Overview....................................................................................................................................... 1
Course Goal and Objectives ........................................................................................................ 2
Course Flow ................................................................................................................................. 3
Your Training Curriculum ............................................................................................................. 4
Learner Introductions ................................................................................................................... 5
Module 1: Implement Scalable Medium-Sized Networks .............................................. 7
Lesson 1: Troubleshooting VLAN Connectivity ............................................................................... 9
VLAN Overview .......................................................................................................................... 10
Trunk Operation ......................................................................................................................... 16
Dynamic Trunking Protocol ........................................................................................................ 20
VLAN Trunking Protocol............................................................................................................. 22
Discovery 1: Troubleshoot VLANs and Trunks ......................................................................... 26
Self Check .................................................................................................................................. 38
Answer Key ................................................................................................................................ 40
Lesson 2: Building Redundant Switched Topologies .................................................................... 41
Physical Redundancy in a LAN.................................................................................................. 42
Issues in Redundant Topologies ............................................................................................... 44
Loop Resolution with STP .......................................................................................................... 45
Spanning-Tree Operation .......................................................................................................... 46
Spanning-Tree Operation Example ........................................................................................... 48
Types of Spanning-Tree Protocols ............................................................................................ 52
Comparison of Spanning-Tree Protocols .................................................................................. 53
Per VLAN Spanning Tree Plus .................................................................................................. 55
PVST+ Extended Bridge ID ....................................................................................................... 56
Discovery 2: Configure Root Bridge and Analyze STP Topology ............................................. 58
PortFast and BPDU Guard ........................................................................................................ 72
Configuring PortFast and BPDU Guard ..................................................................................... 75
Discovery 3: Troubleshoot STP Issues ..................................................................................... 78
Self Check .................................................................................................................................. 86
Answer Key ................................................................................................................................ 88
Lesson 3: Improving Redundant Switched Topologies with EtherChannel .................................. 89
EtherChannel Overview ............................................................................................................. 90
EtherChannel Protocols ............................................................................................................. 93
Discovery 4: Configure and Verify EtherChannel ...................................................................... 96
Self Check ................................................................................................................................ 111
Answer Key .............................................................................................................................. 113
Lesson 4: Understanding Layer 3 Redundancy .......................................................................... 115
Need for Default Gateway Redundancy .................................................................................. 116
Understanding FHRP ............................................................................................................... 117
Understanding HSRP ............................................................................................................... 119
Discovery 5: Configure and Verify HSRP ................................................................................ 121
Discovery 6: Troubleshoot HSRP ............................................................................................ 132
Self Check ................................................................................................................................ 140
© 2016 Cisco Systems, Inc. Interconnecting Cisco Networking Devices, Part 2 (ICND2) i
Answer Key............................................................................................................................... 142
Module 2: Troubleshooting Basic Connectivity ........................................................ 143
Lesson 1: Troubleshooting IPv4 Network Connectivity ............................................................... 145
Troubleshooting Guidelines ..................................................................................................... 146
Discovery 7: Use Troubleshooting Tools ................................................................................. 147
Troubleshooting Physical Connectivity Issue .......................................................................... 157
Identification of Current and Desired Path ............................................................................... 162
Using SPAN for Troubleshooting ............................................................................................. 166
Configuring SPAN .................................................................................................................... 167
Troubleshooting Default Gateway Issues ................................................................................ 169
Troubleshooting Name Resolution Issue ................................................................................. 171
Discovery 8: Configure and Verify IPv4 Extended Access Lists ............................................. 174
Troubleshooting ACL Issues .................................................................................................... 182
Discovery 9: Troubleshoot IPv4 Network Connectivity ............................................................ 186
Self Check ................................................................................................................................ 195
Answer Key............................................................................................................................... 197
Lesson 2: Troubleshooting IPv6 Network Connectivity ............................................................... 199
IPv6 Unicast Addresses ........................................................................................................... 200
Troubleshooting End-to-End IPv6 Connectivity ....................................................................... 206
Verification of End-to-End IPv6 Connectivity ........................................................................... 207
Identification of Current and Desired IPv6 Path ...................................................................... 214
Troubleshooting Default Gateway Issues in IPv6 .................................................................... 215
Troubleshooting Name Resolution Issues in IPv6 ................................................................... 217
Discovery 10: Configure and Verify IPv6 Extended Access Lists ........................................... 219
Troubleshooting ACL Issues in IPv6 ........................................................................................ 226
Discovery 11: Troubleshoot IPv6 Network Connectivity.......................................................... 229
Self Check ................................................................................................................................ 239
Answer Key............................................................................................................................... 241
Module 3: Implementing an EIGRP-Based Solution .................................................. 243
Lesson 1: Implementing EIGRP................................................................................................... 245
Dynamic Routing Protocols ...................................................................................................... 246
Administrative Distance ............................................................................................................ 249
EIGRP Features ....................................................................................................................... 251
EIGRP Path Selection .............................................................................................................. 253
EIGRP Metric ............................................................................................................................ 255
Discovery 12: Configure and Verify EIGRP ............................................................................. 257
EIGRP Load Balancing ............................................................................................................ 273
Self Check ................................................................................................................................ 276
Answer Key............................................................................................................................... 280
Lesson 2: Implementing EIGRP for IPv6 ..................................................................................... 281
EIGRP for IPv6 ......................................................................................................................... 282
Discovery 13: Configure and Verify EIGRP for IPv6 ............................................................... 285
Self Check ................................................................................................................................ 292
Answer Key............................................................................................................................... 294
Lesson 3: Troubleshooting EIGRP .............................................................................................. 295
Troubleshooting EIGRP Issues ................................................................................................ 296
Troubleshooting EIGRP Neighbor Issues ................................................................................ 299
Troubleshooting EIGRP Routing Table Issues ........................................................................ 306
Troubleshooting EIGRP for IPv6 Issues .................................................................................. 310
ii Interconnecting Cisco Networking Devices, Part 2 (ICND2) © 2016 Cisco Systems, Inc.
Discovery 14: Troubleshoot EIGRP ......................................................................................... 311
Self Check ................................................................................................................................ 326
Answer Key .............................................................................................................................. 329
Module 4: Summary Challenge ................................................................................... 331
Lesson 1: Implementing and Troubleshooting Scalable Medium-Sized Network -1 .................. 333
Self Check ................................................................................................................................ 334
Answer Key .............................................................................................................................. 336
Lesson 2: Implementing and Troubleshooting Scalable Medium-Sized Network -2 .................. 337
Self Check ................................................................................................................................ 338
Answer Key .............................................................................................................................. 340
Module 5: Implement a Scalable OSPF-Based Solution ........................................... 341
Lesson 1: OSPF Overview........................................................................................................... 343
Link-State Routing Protocol Overview ..................................................................................... 344
Link-State Routing Protocol Data Structures ........................................................................... 345
Introducing OSPF ..................................................................................................................... 347
Establishing OSPF Neighbor Adjacencies .............................................................................. 349
OSPF Neighbor States............................................................................................................. 351
SPF Algorithm .......................................................................................................................... 354
Building a Link-State Database................................................................................................ 356
OSPF Packet Types ................................................................................................................. 358
Discovery 15: Configure and Verify Single-Area OSPF .......................................................... 361
Self Check ................................................................................................................................ 374
Answer Key .............................................................................................................................. 376
Lesson 2: Multiarea OSPF IPv4 Implementation ........................................................................ 377
OSPF Area Structure ............................................................................................................... 378
Single-Area vs. Multiarea OSPF .............................................................................................. 381
Discovery 16: Configure and Verify Multiarea OSPF .............................................................. 383
Self Check ................................................................................................................................ 390
Answer Key .............................................................................................................................. 393
Lesson 3: Implementing OSPFv3 for IPv6 .................................................................................. 395
OSPFv3 for IPv6 ...................................................................................................................... 396
Discovery 17: Configure and Verify OSPFv3 .......................................................................... 398
Self Check ................................................................................................................................ 408
Answer Key .............................................................................................................................. 410
Lesson 4: Troubleshooting Multiarea OSPF ............................................................................... 411
Components of Troubleshooting OSPF ................................................................................... 412
Troubleshooting OSPF Neighbor Issues ................................................................................. 414
Troubleshooting OSPF Routing Table Issues ......................................................................... 421
Troubleshooting OSPF Path Selection .................................................................................... 424
Troubleshooting OSPFv3 Issues ............................................................................................. 426
Discovery 18: Troubleshoot Multiarea OSPF .......................................................................... 427
Self Check ................................................................................................................................ 440
Answer Key .............................................................................................................................. 442
Module 6: Wide-Area Networks .................................................................................. 443
Lesson 1: Understanding WAN Technologies............................................................................. 445
Introduction to WAN Technologies .......................................................................................... 446
WAN Topology Options............................................................................................................ 448
WAN Connectivity Options ....................................................................................................... 450
Provider-Managed VPNs ......................................................................................................... 452
© 2016 Cisco Systems, Inc. Interconnecting Cisco Networking Devices, Part 2 (ICND2) iii
Enterprise-Managed VPNs ...................................................................................................... 453
WAN Devices ........................................................................................................................... 457
Self Check ................................................................................................................................ 462
Answer Key............................................................................................................................... 464
Lesson 2: Understanding Point-to-Point Protocols ...................................................................... 465
Serial Point-to-Point Communication Links ............................................................................. 466
Point-to-Point Protocol ............................................................................................................. 468
Discovery 19: Configure Serial Interface and PPP .................................................................. 470
Discovery 20: Configure and Verify MLP ................................................................................. 489
Discovery 21: Configure and Verify PPPoE Client .................................................................. 502
Self Check ................................................................................................................................ 509
Answer Key............................................................................................................................... 511
Lesson 3: Configuring GRE Tunnels ........................................................................................... 513
GRE Tunnel Overview.............................................................................................................. 514
Discovery 22: Configure and Verify GRE Tunnel .................................................................... 516
Self Check ................................................................................................................................ 526
Answer Key............................................................................................................................... 528
Lesson 4: Configuring Single-Homed EBGP ............................................................................... 529
Interdomain Routing ................................................................................................................. 530
Introduction to EBGP ................................................................................................................ 531
Discovery 23: Configure and Verify Single Homed EBGP ...................................................... 532
Self-Check ................................................................................................................................ 542
Answer Key............................................................................................................................... 544
Module 7: Network Device Management and Security .............................................. 545
Lesson 1: Implementing Basic Network Device Management and Security............................... 547
Mitigating Threats at Access Layer .......................................................................................... 548
External Authentication Options ............................................................................................... 551
Discovery 24: Configure External Authentication Using RADIUS and TACACS+ .................. 553
SNMP Overview ....................................................................................................................... 561
Discovery 25: Configure SNMP ............................................................................................... 564
Self Check ................................................................................................................................ 570
Answer Key............................................................................................................................... 572
Lesson 2: Evolution of Intelligent Networks ................................................................................. 573
Switch Stacking ........................................................................................................................ 574
Cloud Computing and Its Effect on Enterprise Network .......................................................... 576
Overview of Network Programmability in Enterprise Network ................................................. 580
Application Programming Interfaces ........................................................................................ 582
Cisco APIC-EM......................................................................................................................... 585
Introducing Cisco Intelligent WAN ........................................................................................... 588
Self-Check ................................................................................................................................ 590
Answer Key............................................................................................................................... 592
Lesson 3: Understanding Quality of Service ............................................................................... 593
Traffic Characteristics............................................................................................................... 594
Need for QoS ............................................................................................................................ 596
QoS Mechanisms Overview ..................................................................................................... 597
Trust Boundary ......................................................................................................................... 598
QoS Mechanisms—Classification and Marking ....................................................................... 599
Classification Tools .................................................................................................................. 601
QoS Mechanisms—Policing, Shaping, and Re-Marking ......................................................... 603
iv Interconnecting Cisco Networking Devices, Part 2 (ICND2) © 2016 Cisco Systems, Inc.
Tools for Managing Congestion ............................................................................................... 605
Tools for Congestion Avoidance .............................................................................................. 608
Self-Check ................................................................................................................................ 609
Answer Key .............................................................................................................................. 611
Module 8: Summary Challenge ................................................................................... 613
Lesson 1: Implementing and Troubleshooting Scalable Multiarea Network -1 .......................... 615
Self Check ................................................................................................................................ 616
Answer Key .............................................................................................................................. 617
Lesson 2: Implementing and Troubleshooting Scalable Multiarea Network -2 .......................... 619
Self Check ................................................................................................................................ 620
Answer Key .............................................................................................................................. 622
Glossary ....................................................................................................................... 623
© 2016 Cisco Systems, Inc. Interconnecting Cisco Networking Devices, Part 2 (ICND2) v
Course Introduction
Overview
The course focuses on understanding redundant topologies, troubleshooting common network issues,
configuring EIGRP and OSPF in both IPv4 and IPv6, understanding WAN technologies, and becoming
familiar with some network management protocols like SNMP.
Learner Skills and Knowledge

This subtopic lists the skills and knowledge that learners must possess to benefit fully from the course. The
subtopic also includes recommended Cisco learning offerings that learners should first complete to benefit
fully from this course.
© 2016 Cisco Systems, Inc. Interconnecting Cisco Networking Devices, Part 2 (ICND2) 1
Course Goal and Objectives
This topic describes the course goal and objectives.
2 Interconnecting Cisco Networking Devices, Part 2 (ICND2) © 2016 Cisco Systems, Inc.
Course Flow
This topic presents the suggested flow of the course materials.
The schedule reflects the recommended structure for this course. This structure allows enough time for the
instructor to present the course information and for you to work through the lab activities. The exact timing
of the subject materials and labs depends on the pace of your specific class.
Your Training Curriculum
You are encouraged to join the Cisco Certification Community, a discussion forum open to anyone holding
a valid Cisco Career Certification (such as Cisco CCIE®, CCNA®, CCDA®, CCNP®, CCDP®, CCIP®,
CCNP® Security and CCNP® Voice, or CCSP™). It provides a gathering place for Cisco certified
professionals to share questions, suggestions, and information about Cisco Career Certification programs
and other certification-related topics. For more information, visit
http://www.cisco.com/web/learning/training-index.html.
Cisco Career Certifications

Cisco provides three levels of general certifications for IT professionals with several different tracks to meet
individual needs.
Cisco also provides focused certifications for designated areas such as cable communications and security.
There are many paths to Cisco certification, but only one requirement—passing one or more exams
demonstrating knowledge and skill. For details, go to http://www.cisco.com/web/learning/training-
index.html.
Course-Specific Training Resources

These are URLs for course-specific training resources:
• https://learningnetwork.cisco.com/community/certifications/ccna
• https://learningnetwork.cisco.com/community/learning_center
Learner Introductions
Module 1: Implement
Scalable Medium-Sized
Networks
Understanding how VLANs and trunks operate and which protocols are associated with them is important
for configuring, verifying, and troubleshooting VLANs and trunks on Cisco access switches. Switched
networks introduce redundancy, so an STP loop-avoidance mechanism is needed to prevent undesirable
loops. The module also explains EtherChannel technology, which groups several physical interfaces into
one logical channel, and the router redundancy process, which solves problems in local networks with
redundant topologies.
Lesson 1: Troubleshooting
VLAN Connectivity
Overview
You are a recently hired network technician with a company named CCS. It is an IT services firm that
specializes in providing managed IT and software services to law firms, among other companies. CCS
provides networking design, implementation, and support services. As you prove yourself, you are assigned
more advanced projects.
A few customers have called CCS with complaints involving network connectivity (due to VLAN and
trunking issues), and trouble tickets have been issued for each complaint. Bob, the senior engineer, is
reviewing the trouble tickets and trying to decide which tickets to dispatch you on.
Bob has created a lab in which he will ask you to troubleshoot VLAN issues before sending you to the
client. If you feel that your VLAN troubleshooting skills are adequate, you can choose to go directly to the
Challenge. Or, you can first do research.
VLAN Overview
A VLAN is a group of end stations with a common set of requirements, independent of their physical
location. A VLAN has the same attributes as a physical LAN, except that it lets you group end stations even
when they are not physically located on the same LAN segment. In other words, it is a logical broadcast
domain that can span multiple physical LAN segments.
VLAN offers you segmentation of broadcast domains and organizational flexibility. You can group stations
that are segmented logically by functions, project teams, and applications regardless of the physical location
of the users. You can assign each switch port to only one VLAN, thus adding a layer of security. Ports in a
VLAN share broadcasts; ports in different VLANs do not. Containing broadcasts in a VLAN improves the
overall performance of the network.
A VLAN can exist on a single switch or span multiple switches. VLANs can include stations in a single
building or multiple-building infrastructures, as illustrated in the figure. If you want to carry traffic for
multiple VLANs across multiple switches, you need a trunk to connect two switches.
VLAN trunks with IEEE 802.1Q tagging facilitate interswitch communication with multiple VLANs.
The process of forwarding network traffic from one VLAN to another VLAN using a router is called inter-
VLAN routing.
Cisco Catalyst switches have a factory default configuration in which various default VLANs are
preconfigured to support various media and protocol types. The default Ethernet VLAN is VLAN 1.
If you want to communicate with the Cisco Catalyst switch remotely for management purposes, the switch
must have an IP address. This IP address must be in the management VLAN, which is by default VLAN 1.
Creating Data VLANs

For many Cisco Catalyst switches, use the vlan global configuration command to create a VLAN and to
enter the VLAN configuration mode. Use the no form of this command to delete the VLAN.
The following example shows how to add vlan 2 to the VLAN database and how to name it data. It also
shows how you can assign the previously created VLAN 2 to the FastEthernet0/2 interface.
The table lists the commands that you should use when adding a VLAN.
Command Description
vlanvlan-id Specifies the ID of the VLAN (or VID) that you want to add and configure. For vlan-id, the range is
1 to 4094. You can enter a single VID, a series of VIDs that are separated by commas, or a range of
VIDs that are separated by hyphens.
namevlan- (Optional) Specifies the VLAN name, an ASCII string from 1 to 32 characters that must be unique
name within the administrative domain.
switchport Sets the VLAN when the interface is in access mode. Use the switchport access vlan command
access in interface configuration mode. To reset the access-mode VLAN to the appropriate default VLAN for
vlanvlan-id the device, use the no form of this command.
switchport Sets the interface to access mode.

mode access
Command Description
interface Enables you to set the same configuration parameters on multiple ports at the same time.
range
To add a VLAN to the VLAN database, assign a number and name to the VLAN. Normal-range VLANs are
identified with a number from 1 to 1001. You can create, use, and delete these VLANs. VLAN numbers
1002 through 1005 are reserved for Token Ring and FDDI VLANs. VLANs 1006–4094 are the extended
range.
VLAN 1 is the factory default VLAN. If you do not assign a VLAN to an access port, VLAN 1 is assigned
automatically.
To add an Ethernet VLAN, you must specify at least a VLAN number. You may also define a name for the
VLAN, but if you do not enter a name, the default is to append the VLAN number to the vlan command.
For example, VLAN0004 would be the default name for VLAN 4 if no name is specified.
When an end system is connected to a switch port, it should be associated with a VLAN, in accordance with
the network design. This process is done by assigning a single data VLAN to the switch port to which the
device is connected. This port is called an access port. A switch port can become an access port through
static or dynamic configuration.
After creating a VLAN, you can manually assign a port or several ports to that VLAN. A port can belong to
only one VLAN at a time. When you assign a switch port to a VLAN using this method, it is known as a
static access port.
On most Cisco Catalyst switches, you can configure the VLAN port assignment from interface
configuration mode using the switchport access vlan command. To configure multiple interfaces to a
VLAN, use the interface range command. Use the vlanvlan_number command to set static access
membership.
The following example shows how you use the interface range global configuration command to enable
FastEthernet interfaces 0/1 to 0/3:
SW1# configure terminal
SW1# interface range FastEthernet0/1 - 3
SW1(config-if-range)# no shutdown
SW1(config-if-range)#
*Oct 6 08:24:35: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Oct 6 08:24:36: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2,
changed state to up
changed state to up
changed state to up
Creating Voice VLANs
Some Cisco Catalyst switches offer a unique feature that is called voice VLAN, which lets you overlay a
voice topology onto a data network. You can segment phones into separate logical networks, even though
the data and voice infrastructure are physically the same.
With the phones in their own VLANs, network administrators can more easily identify and troubleshoot
network problems. Also, network administrators have the ability to prioritize voice traffic over data traffic.
Voice VLAN feature allows voice traffic from the attached IP phone and data traffic from an end-station to
be transmitted on different VLANs.
You can create voice VLAN in the same way as you create data VLAN, using vlan global configuration
command. The following example shows how to add vlan 3 to the VLAN database and how to assign this
VLAN as a voice VLAN to the FastEthernet0/3 interface.
When an IP phone is connected to a switch port, this port should have a voice VLAN associated with it.
This process is done by assigning a single voice VLAN to the switch port to which the phone is connected.
Command Description
switchport voice vlan vlan-id Set the voice VLAN to an interface. This action will instruct the Cisco IP phone to
forward all voice traffic through the specified VLAN.
You can configure data and voice VLAN on the same interface.
Verifying VLANs
After you configure the VLAN, you should validate the parameters for that VLAN.
Use the show vlan command to display information on all configured VLANs. The command displays
configured VLANs, their names, and the ports on the switch that are assigned to each VLAN. You can
observe in the output all information about voice and data.
To verify VLAN configuration of an interface, use the show interface interface-id switchport command.
The example shows that VLAN 2 (data) and VLAN 3 (telephony) are created on the switch. Both are active
and are assigned to the FastEthernet0/2. All other interfaces are assigned to the default VLAN—VLAN 1.
To display information about a particular VLAN, use the show vlan idvlan_number or the show vlan
namevlan-name command.
Trunk Operation
A port normally carries only the traffic for the single VLAN to which it belongs. For a VLAN to span across
multiple switches, a trunk must connect two switches. A trunk can carry traffic for multiple VLANs as
shown in the following figure.
A trunk allows multiple VLANs to share the port connection.
A trunk is a point-to-point link between an Ethernet switch interface and another networking device, such as
a router or a switch. Ethernet trunks carry the traffic of multiple VLANs over a single link and allow you to
extend the VLANs across an entire network. A trunk does not belong to a specific VLAN. Rather, it is a
conduit for VLANs between switches and routers.
You can configure an interface as trunking or nontrunking. If you configure an interface as trunking, it
supports various trunking modes. You can also have the interface negotiate trunking with the neighboring
interface.
A special protocol is used to carry multiple VLANs over a single link between two devices. Cisco supports
the IEEE 802.1Q trunking protocol. A trunk could also be used between a network device and a server or
another device that is equipped with an appropriate 802.1Q-capable NIC.
When Ethernet frames are placed on a trunk, they need additional information about the VLANs to which
they belong. They get this information by using the 802.1Q encapsulation header. 802.1Q uses an internal
tagging mechanism that inserts a 4-byte tag field into the original Ethernet frame between the Source
Address and Type or Length fields. Because 802.1Q alters the frame, the trunking device recomputes the
FCS on the modified frame. It is the responsibility of the Ethernet switch to look at the 4-byte tag field and
determine where to deliver the frame.
By default, on a Cisco Catalyst switch, all configured VLANs are carried over a trunk interface. On an
802.1Q trunk port, there is one native VLAN, which is untagged (by default, VLAN 1). All other VLANs
are tagged with a VID.
To learn more about how 802.1Q works, watch this 802.1Q Protocol Decode video.
Configuring Trunks
The following example shows the configuration of interface FastEthernet0/1. The switchport mode trunk
command sets port FastEthernet0/1 to trunk mode. The example shows reconfiguration of the native VLAN.
VLAN 99 is configured as the native VLAN; therefore, traffic from VLAN 99 is sent untagged. You must
ensure that the other end of the trunk link is configured the same way.
If you do not explicitly allow VLANs to traverse the trunk, all will be allowed to cross the link. Use the
switchport trunk allowed vlanvlan_list command to allow only certain VLANs on the trunk link. In the
example, only VLAN 2, 3, and 99 are allowed on a trunk link. If you need to add or remove allowed
VLANs, use the switchport trunk allowed vlan {add | remove} vlan_list command.
For 802.1Q trunking, one VLAN is not tagged. This VLAN is called native VLAN. The native VLAN is used
for untagged traffic when the port is in 802.1Q trunking mode. While configuring 802.1Q trunking, it is very
important to keep in mind that the native VLAN must be configured the same on each side of the trunk link.
It is a common mistake not to match the native VLANs while configuring 802.1Q trunking between the
router and the switch.
The table lists commands to use when adding a VLAN.
Configuring Trunk Commands
Command Description
interface interface interface_number Enters interface configuration mode for the specified interface
switch mode trunk Sets the interface to trunk mode
Command Description
switchport trunk native vlan Sets the native VLAN on the trunk to the specified VLAN number. Traffic
vlan_number from this VLAN is sent untagged. You must ensure that the other end of the
trunk link is configured the same way.
switchport trunk allowed vlan Sets allowed VLANs on a trunk link

vlan_list
switchport trunk allowed vlan add Adds specified VLANs to the existing list of allowed VLANs on a trunk link
vlan_list
switchport trunk allowd vlan Removes specified VLANs from the existing list of allowed VLANs on a trunk
remove vlan_list link
Verifying a Trunk
To verify a trunk configuration on many Cisco Catalyst switches, use the show interfaces switchport and
show interfaces trunk commands. These two commands display the trunk parameters and VLAN
information of the port.
Dynamic Trunking Protocol
Many Cisco Catalyst switches support DTP, which manages automatic trunk negotiation. DTP is a Cisco
proprietary protocol. Switches from other vendors do not support DTP.
DTP is automatically enabled on a switch port when certain trunking modes are configured on the switch
port. DTP manages trunk negotiation only if the port on the other switch is configured in a mode that
supports DTP.
You should configure trunk links statically whenever possible. However, Cisco switch ports can run DTP,
which can automatically negotiate a trunk link. This protocol can determine an operational trunking mode
and protocol on a switch port when it is connected to another device that is also capable of dynamic trunk
negotiation.
The default DTP mode depends on the Cisco IOS Software version and on the platform. To determine the
current DTP mode, issue the show dtp interface command.
SW1# show dtp interface FastEthernet0/1
DTP information for FastEthernet0/1:
TOS/TAS/TNS: TRUNK/DESIRABLE/TRUNK
TOT/TAT/TNT: 802.1Q/802.1Q/802.1Q
Neighbor address 1: 001646FA9B01
Neighbor address 2: 000000000000
Hello timer expiration (sec/state): 17/RUNNING
Access timer expiration (sec/state) 287/RUNNING
<... output omitted ...>
You can configure the DTP mode to turn off the protocol or to instruct it to negotiate a trunk link only under
certain conditions, as described in the table.
Command Function
switchport mode dynamic auto Creates the trunk based on the DTP request from the neighboring switch.
switchport mode dynamic Communicates to the neighboring switch via DTP that the interface is
desirable attempting to become a trunk if the neighboring switch interface is able to
become a trunk.
switchport mode trunk Automatically enables trunking regardless of the state of the neighboring switch
and regardless of any DTP requests that the neighboring switch sends.
switchport mode access Trunking not allowed on this port regardless of the state of the neighboring
switch interface and regardless of any DTP requests that the neighboring
switch sends.
switchport nonegotiate Prevents the interface from generating DTP frames. This command can be
used only when the interface switch port mode is access or trunk. You must
manually configure the neighboring interface as a trunk interface to establish a
trunk link.
The switchport nonegotiate interface command specifies that DTP negotiation packets are not sent. The
switch does not engage in DTP negotiation on this interface. This command is valid only when the interface
switchport mode is access or trunk (configured by using the switchport mode access or the switchport
mode trunk interface configuration commands). This command returns an error if you attempt to execute it
in dynamic (auto or desirable) mode. Use the no form of this command to return to the default setting.
When you configure a port with the switchport nonegotiate command, the port trunks only if the other end
of the link is specifically set to trunk. The switchport nonegotiate command does not form a trunk link
with ports in either dynamic desirable or dynamic auto mode.
A general best practice is to set the interface to trunk and nonegotiate when a trunk link is required. On
links where trunking is not intended, you should turn off DTP. Ideally, links that are not indented to be trunks
should be set to access mode and placed in an unused VLAN.
VLAN Trunking Protocol
To minimize misconfiguration and configuration inconsistencies of VLANs in your network, use VTP. VTP
is a data link layer (Layer 2) protocol that facilitates the management of VLANs across several switches in a
network.
Using VTP, you do not need to log into each switch to create and name each VLAN manually. Managing
VLANs manually on each switch in your network works well for a few switches, but VTP is a better
solution in large networks.
You still need to assign ports to each VLAN either manually or automatically.
A VTP domain consists of one switch or several interconnected switches sharing the same VTP
environment. A switch can belong to only one domain.
By default, a Cisco Catalyst switch is in the no-management-domain state until it receives an advertisement
for a domain over a trunk link or until you configure a management domain. The configurations that you
make to a VTP server are propagated across trunk links to all the connected switches in the network.
VTP advertisements are flooded throughout the management domain. VTP advertisements are sent every 5
minutes or whenever there is a change in VLAN configurations.
The default VTP version that is enabled on a Cisco switch is version 1. However, three different VTP
versions exist: 1, 2, and 3. You can change the switch to run VTP version 2 or 3, but these versions are not
compatible. You need to configure the same VTP version on every switch in the domain.
Version 1 and version 2 do not propagate configuration information for extended-range VLANs so you must
configure extended-range VLANs manually.
VTP Modes
VTP operates in one of three modes: server, transparent, or client. You can complete various tasks
depending on the VTP operation mode.
The following are the characteristics of the three VTP modes:

• Server: The default VTP mode is server mode. However, VLANs are not propagated over the network
until a management domain name is specified or learned. When you change (create, modify, or delete)
the VLAN configuration on a VTP server, the change is propagated to all switches in the VTP domain.
VTP messages are transmitted out all the trunk connections. A VTP server synchronizes its VLAN
database file with other VTP servers and clients. Use the vtp mode serverCisco IOS command to
configure a switch to be a VTP server.
• Transparent: When you change the VLAN configuration in VTP transparent mode, the change affects
only the local switch and does not propagate to other switches in the VTP domain. VTP transparent
mode forwards VTP advertisements that it receives within the domain. A VTP transparent device does
not synchronize its database with any other device. Use the vtp mode transparentCisco IOS command
to configure a switch to be transparent.
• Client: You cannot change the VLAN configuration when in VTP client mode. However, a VTP client
can send any VLANs that are currently listed in its database to other VTP switches. VTP advertisements
are forwarded in VTP client mode. A VTP client synchronizes its database with other VTP servers and
clients. You can use the vtp mode client Cisco IOS command to configure a switch to be a VTP client.
VTP Configuration
When creating VLANs, you must decide whether to use VTP in your network. With VTP, you can make
configuration changes on one or more switches, and those changes are automatically communicated to all
other switches in the same VTP domain.
Default VTP configuration values depend on the switch model and the software version. The following are
the default values for Cisco Catalyst switches:
• VTP domain name: Null
• VTP mode: Server
• VTP password: None
• VTP pruning: Enabled or disabled (operating system version-specific)
• VTP version: Version 1
When the VTP pruning option is enabled in a VTP domain, VTP client switches receive VTP update frames
only for VLANs that are enabled on each switch. Thus, VTP pruning saves some bandwidth on trunk ports
and on switches by limiting the number of VTP update transmissions. You should always prune the VLANs
from switches where the VLANs are not used.
The VTP domain name can be specified or learned. By default, the domain name is not set. You can set a
password for the VTP management domain. However, if you do not assign the same password for each
switch in the domain, VTP does not function properly.
VTP pruning eligibility is one VLAN parameter that the VTP protocol advertises. Enabling or disabling
VTP pruning on a VTP server propagates the change throughout the management domain.
Use the vtpglobal configuration command to modify the VTP configuration, domain name, interface, and
mode:
Switch# configure terminal
Switch(config)# vtp mode [server | client | transparent]
Switch(config)# vtp domaindomain-name
Switch(config)# vtp passwordpassword
Switch(config)# vtp pruning
Use the no form of this command to remove the filename or to return to the default settings. When the VTP
mode is transparent, you can save the VTP configuration in the switch configuration file by entering the
copy running-config startup-config privileged EXEC command.
The following example demonstrates how to configure VTP and display VTP status.
In the output of the show vtp status command, "VTP Version capable" identifies the version of VTP that
the switch is capable of running. "VTP version running" indicates which VTP version is being used.
On switches that are configured in VTP client or VTP server mode, you cannot see any configuration
related to VLANs or VTP in the running configuration. To verify VTP configuration, you have to use show
vtp status and show vtp password commands. To verify configured VLANs, you should use show vlan
command.
Discovery 1: Troubleshoot VLANs and Trunks
Introduction
This discovery will guide you through a scenario involving VLAN configuration, Layer 2 connectivity, and
IP connectivity. The topology diagram is intentionally vague and there is no connectivity table. So, you are
on your first day at a new job as a network engineer. You are not yet familiar with the network of your
organization. A member of the security team comes to you because the intrusion prevention system has
flagged malicious traffic from the IP address 10.10.10.182. You are asked to help in isolating this system
and removing it from the network.
This discovery will also guide you through the IP connectivity issue between two hosts.
Topology
Job Aid
There is no Job Aid available for this lab exercise, because one of the objectives of the lab is to map the
connectivity within an unfamiliar network.
PCs in the virtual lab environment are simulated as routers, so you should use Cisco IOS commands to
configure them or make verifications.
Task 1: Troubleshoot VLAN Issues
The following figure shows the flow for troubleshooting VLANs.
To troubleshoot VLAN issues when you have no connection between PCs that belong to the same VLAN,
follow these high-level steps:
1. Use the show vlan command to check whether the port belongs to the expected VLAN. If the port is
assigned to the wrong VLAN, use the switchport access vlan command to correct the VLAN
membership. Use the show mac address-table command to check which addresses were learned on a
particular port of the switch and to which VLAN that port is assigned.
2. If the VLAN to which the port is assigned is deleted, the port becomes inactive. Use the show vlan or
show interfaces switchport command to verify that the VLAN is present in the VLAN database.
– Also note, that you can shut the VLAN using shutdown command, so you may need to verify that
the VLAN is not disabled using the show vlan command.
MAC Address Table Verification
To display the MAC address table, use the show mac address-table command in privileged EXEC mode as
shown in the following example. This command displays the MAC address table for the switch. You can
define specific views by using the optional keywords and arguments. The example shows MAC addresses
that were learned on the FastEthernet0/1 interface. As you can see, MAC address 000c.296a.a21c was
learned on the interface FastEthernet0/1 in VLAN 10. If this number is not the expected VLAN number,
change the port VLAN membership using the switchport access vlan command.
SW1# show mac address-table interface Ethernet0/1

Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports

---- ----------- -------- -----
10 000c.296a.a21c DYNAMIC Fa0/1
10 000f.34f9.9181 DYNAMIC Fa0/1
Total Mac Addresses for this criterion: 2
Troubleshooting Missing VLANs

Each port on a switch belongs to a VLAN. If the VLAN to which the port belongs is deleted, the port
becomes inactive. All ports belonging to the VLAN that was deleted are unable to communicate with the
rest of the network.
As shown in the following example, use the command show interfaceinterfaceswitchport to check
whether the port is inactive. If the port is inactive, it will not be functional until you create the missing
VLAN using the vlanvlan_id command or until you assign the port to a valid VLAN.
SW1# show interfaces Ethernet0/1 switchport

Name: Fa0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 10 (Inactive)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Activity
Complete the following steps:
Your task in this discovery is to find the system using the IP address 10.10.10.182 and to
disconnect it from the network. You might assume that VLANs were configured by a logical
pattern.
Access the console of SW1 and display the VLAN configuration to show how incorrect that
assumption is.
SW1# show vlan
VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------
1 default active
62 SixtyTwo active Et0/2, Et0/3
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
This disorganized set of VLANs demonstrates why it can be beneficial to set a standard. For
example, you can have the VLAN ID match the third octet of the IP network running on that
VLAN.
To determine which VLAN supports the network to which 10.10.10.182 belongs, access the
console of R1 and display the brief summary status of its IP interfaces.
When the display output pauses with the --More-- prompt, you can use the space bar to display
the next page of the output.
R1# show ip interface brief

Interface IP-Address OK? Method Status
Protocol
Ethernet0/0 unassigned YES manual up up
Ethernet0/0.21 10.10.1.1 YES manual up up
Ethernet0/0.134 10.10.10.1 YES manual up up
Ethernet0/1 unassigned YES NVRAM administratively down
down
down
down
Serial1/0 unassigned YES NVRAM administratively down
down
down
down
down
Loopback0 10.10.99.1 YES manual up up
The IP address of Ethernet0/0.134 is 10.10.10.1. If you configure it with a 24-bit subnet mask, it
would be on the same subnet as 10.10.10.182. If its subinterface ID matches the VLAN ID, the
VLAN would be 134. Display the running configuration that is associated with this interface to
determine if either of these values are true.
Verify the running configuration on the R1 router:
R1# show run interface Ethernet0/0.134
Building configuration...
Current configuration : 94 bytes

!
interface Ethernet0/0.134
encapsulation dot1Q 62
ip address 10.10.10.1 255.255.255.0
end
The mask is indeed 24 bits. This interface is on the same subnet as 10.10.10.182.
The VLAN, as set by the encapsulation command, is actually 62, not 134.
The security team member gave you the IP address. Determine the system MAC address by first
pinging it from R1 and then finding the entry in the R1 ARP cache.
The system that you are looking for has the MAC address aabb.cc00.5300.
R1# ping 10.10.10.182

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.182, timeout is 2 seconds:
.!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R1# show ip arp 10.10.10.182
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.10.10.182 23 aabb.cc00.5300 ARPA Ethernet0/0.134
Note: The MAC address that you will see in your output can be different. Further in the lab, refer
to the MAC address determined in your output.
Access the console of SW1 and view its MAC address table to find the port that is connecting to
aabb.cc00.5300.
You have to search for the MAC address that you discovered in the previous step.
SW1# show mac address-table

Mac Address Table
-------------------------------------------

---- ----------- -------- -----
1 aabb.cc00.5000 DYNAMIC Et0/0
Interface Ethernet0/2 is where the offending system is connected.
Since there were few addresses in the MAC address table, it was pretty easy to pick out the
appropriate entry. If there are thousands of entries in the table, you would want to filter down the
output. Try displaying the MAC address table using the include filter to only include addresses
that have 5300, or whatever the last 4 digits of your MAC address are, as part of their address.
In a larger environment, you might find that the port with the offending MAC address is actually
a link to another switch. In this case, you would have to go to that switch and view its MAC
address table. It might again be on a link to a third switch. You would have to continue the
process until you reached a switch with the address on an end-host port.
SW1# show mac address-table | include 5300

Display the interface status summary on SW1 to observe the status of Ethernet0/2.
One thing that was sensibly configured in this environment is the description on the switch ports.
PC3 is the offending system.
SW1# show interface status
Port Name Status Vlan Duplex Speed Type

Et0/0 Link to R1 connected trunk auto auto unknown
Et0/1 Link to SW2 connected trunk auto auto unknown
Et0/2 Link to PC3 connected 62 auto auto unknown
Verify that the offending system, PC3, has access to the network. Attempt to ping R1
(10.10.10.1) from PC3.
Ping should be successful.
PC3# ping 10.10.10.1

.!!!!
Disable interface Ethernet0/2 on SW1.
On SW1, enter the following commands:
SW1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)# interface Ethernet0/2
SW1(config-if)# shutdown
SW1(config-if)#
*Sep 17 07:22:54.192: %LINK-5-CHANGED: Interface Ethernet0/2, changed state to
administratively down
*Sep 17 07:22:55.196: %LINEPROTO-5-UPDOWN: Line protocol on Interface
Ethernet0/2, changed state to down
SW1(config-if)# end
SW1#
*Sep 17 07:22:57.180: %SYS-5-CONFIG_I: Configured from console by console
SW1#
The offending system is PC3. Access the console of PC3 and verify that it has been isolated from
the network. Attempt to ping R1 (10.10.10.1).
The attempt should fail.
PC3# ping 10.10.10.1
.....
Success rate is 0 percent (0/5)
Task 2: Troubleshoot Trunk Issues

The figure shows the flow for troubleshooting trunks.
To troubleshoot trunk issues when the trunk is not established, follow these high-level steps:
1. Use the show interfaces trunk command to check whether the local and peer native VLANs match. If
the native VLAN does not match on both sides, VLAN leaking occurs.
2. Use the show interfaces trunk command to check whether a trunk has been established between
switches. You should statically configure trunk links whenever possible. However, Cisco Catalyst
switch ports by default run DTP, which tries to negotiate a trunk link.
3. Use the show interface trunk command to check whether the desired VLANs have been allowed on
both the sides of the trunk link.
Verifying Trunk Establishment
To display the status of the trunk and native VLAN that is used on a trunk link and to verify trunk
establishment, use the show interface trunk command in privileged EXEC mode. The following example
shows that the native VLAN on one side of the trunk link was changed to VLAN 2. If one end of the trunk
is configured as native VLAN 1 and the other end is configured as native VLAN 2, a frame that is sent from
VLAN 1 on one side is received on VLAN 2 on the other. VLAN 1 "leaks" into the VLAN 2 segment. This
behavior would never be required, and connectivity issues occur in the network if a native VLAN mismatch
exists. Change the native VLAN to the same VLAN on both sides of the VLAN to avoid this behavior.
SW1# show interfaces Ethernet 0/3 trunk
Port Mode Encapsulation Status Native vlan

Et0/3 auto 802.1q not-trunking 2
<...output omitted...>
Cisco Discovery Protocol notifies you of a native VLAN mismatch on a trunk link with this message:
Aug 31 08:34:48.714: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on

FastEthernet0/3 (2),
with SW2 FastEthernet0/3 (1).
You should statically configure trunk links whenever possible. Cisco Catalyst switch ports by default run
DTP. DTP can determine the operational trunking mode and protocol on a switch port when it is connected
to another device that is also capable of dynamic trunk negotiation. Remember that if both ends of a trunk
are set to dynamic auto trunk mode, a trunk will not be established. The example shows the status of the link
as "not-trunking."
Activity
User that is using PC1 is reporting that PC1 can reach PC2 (10.10.10.20), but cannot reach PC4
(10.10.10.40). Help the user find the issue and resolve it.
Access PC1 and verify IP connectivity to PC2 and PC4 to exclude an IP connectivity issue.
PC1# ping 10.10.10.20

.!!!!
PC1# ping 10.10.10.40
.....
You should find out that there is an IP connectivity issue between PC1 and PC4.
Access the SW2 switch and check which VLAN is set on the interface that PC1 is connected to.
First, you need to use Cisco Discovery Protocol to verify to which port PC1 is connected.
Note: With real PCs, PC would not be seen as CDP neighbor, so you would need to use the same
approach that you used in the first procedure of this discovery.
SW2# show cdp neighbors

Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
D - Remote, C - CVTA, M - Two-port Mac Relay
Device ID Local Intrfce Holdtme Capability Platform Port ID

PC2 Eth 0/2 133 R Linux Uni Eth 0/0
SW1 Eth 0/0 170 S I Linux Uni Eth 0/1
SW2# show vlan

---- -------------------------------- --------- -------------------------------
1 default active Et0/3
You will find out that PC1 is connected to Ethernet0/1 and that it is placed into active VLAN 62.
Access the SW1 switch and check which VLAN is set on the interface that PC4 is connected to.
First, you need to use Cisco Discovery Protocol to verify to which port PC4 is connected.
Note: With real PCs, PC would not be seen as CDP neighbor, so you would need to use the same
approach that you used in the first procedure of this discovery.
SW1# show cdp neighbors

Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
D - Remote, C - CVTA, M - Two-port Mac Relay
Device ID Local Intrfce Holdtme Capability Platform Port ID

SW2 Eth 0/1 170 S I Linux Uni Eth 0/0
R1 Eth 0/0 163 R Linux Uni Eth 0/0.21
SW1# show vlan

---- -------------------------------- --------- -------------------------------
1 default active
You will find out that both PC1 and PC4 are in the same VLAN.
While troubleshooting, you first noticed the following message on the SW1 console:
*Sep 17 09:09:21.594: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch

discovered on Ethernet0/1 (1), with SW2 Ethernet0/0 (2).
This message indicates that SW1 and SW2 have different native VLANs configured.
On SW1, check which VLAN is used as native on Ethernet0/1:
SW1# show interfaces trunk

Et0/0 on 802.1q trunking 1
On SW2, check which VLAN is used as native on Ethernet0/1:

Et0/0 desirable 802.1q trunking 2
Change the native VLAN configuration on the SW2 switch.
SW2# conf t
SW2(config-if)# switchport trunk native vlan 1
Messages to the console stopped.
Verify if native VLAN was the reason for broken connectivity between PC1 and PC4.
Access PC1 and verify IP connectivity to PC4.
PC1# ping 10.10.10.40

.....
PC1 still has no connectivity to PC4, so you need to investigate further.
You have determined that PC1 and PC4 are both in VLAN 62. Now, you will verify trunk link
between SW1 and SW2.

Et0/0 desirable n-802.1q trunking 2
Port Vlans allowed on trunk

Et0/0 1-4094
Port Vlans allowed and active in management domain

Et0/0 1,62
Port Vlans in spanning tree forwarding state and not pruned

Et0/0 1,62
VLAN 62 is correctly allowed on the link to SW1.

Port Vlans allowed on trunk

Et0/0 1-4094
Et0/1 1-61,63-1000
Port Vlans allowed and active in management domain

Et0/0 1,62
Et0/1 1
Port Vlans in spanning tree forwarding state and not pruned

Et0/0 1,62
Et0/1 1
VLAN 62 is missing from the allowed VLANs on the link toward SW2.
On SW1, verify the interface Ethernet0/1 configuration.
Here, you can confirm that VLAN 62 is excluded from the allowed VLAN list:
SW1# show run interface Ethernet0/1


!
interface Ethernet0/1
description Link to SW2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-61,63-1000
switchport mode trunk
duplex auto
end
On the SW1 interface Ethernet0/1, add VLAN 62 into trunk.
SW1# conf t
SW1(config-if)# switchport trunk allowed vlan add 62
From PC1, verify that the IP connectivity issue to the PC4 is resolved.
Ping should be successful:
PC1# ping 10.10.10.40

.!!!!
Note: It may take a while for the ping to work.
This is the end of the discovery lab.
Self Check
Broadcasts from devices in one VLAN are received by users in other VLANs ?
A. True
B. False
Which command is used to specify that DTP negotiation packets are not sent out of the interface?
A. switchport dynamic disable
B. switchport dynamic desirable
C. switchport nonegotiate
D. dtp disable
What happens if a port belongs to VLAN 5, and VLAN 5 is accidentally deleted?

A. The port goes to the error-disabled state and is not operational.
B. The port becomes inactive and will not be functional until the missing VLAN 5 is created.
C. The port remains operational.
D. The port is shut down.
Which command is used to verify trunk establishment?

A. show interfaces trunk
B. show trunk switchport
C. show trunk interfaces
D. show trunk established
What is the main purpose of DTP?

A. to configure EtherChannel logical ports automatically
B. to configure EtherChannel logical ports and VLAN port trunks automatically
C. to configure VLAN trunk ports automatically
D. None of the above
VTP updates represent the process by which a VTP server does which of the following?
A. distributes information about new MAC addresses that are added to MAC address tables in the VTP
domain using a VTP notification
B. distributes information about new EtherChannel logical ports defined in the VTP domain using a
VTP notification
C. distributes information about new VLAN trunk ports defined in the VTP domain using a VTP
notification
D. distributes information about new VLANs defined in the VTP domain using a VTP notification
Match the switchport mode command parameter to its description.
Configures the port into permanent 802.1Q trunk mode and negotiates
access with the connected device to convert the link to trunk mode.
dynamic Disables port trunk mode and negotiates with the connected device to
desirable convert the link to nontrunk.
Triggers the port to negotiate the link from nontrunk to trunk mode. The
dynamic port negotiates to a trunk port if the connected device is in trunk state,
auto desirable state, or auto state. Otherwise, the port becomes a nontrunk port
Enables a port to become a trunk only if the connected device has the
state set to trunk or desirable. Otherwise, the port becomes a nontrunk
trunk port
Answer Key
Self Check
1. B
2. C
3. B
4. A
5. C
6. D
7.
trunk Configures the port into permanent 802.1Q trunk mode

and negotiates with the connected device to convert the
link to trunk mode.
access Disables port trunk mode and negotiates with the

connected device to convert the link to nontrunk.
dynamic desirable Triggers the port to negotiate the link from nontrunk to
trunk mode. The port negotiates to a trunk port if the
connected device is in trunk state, desirable state, or auto
state. Otherwise, the port becomes a nontrunk port
dynamic auto Enables a port to become a trunk only if the connected

device has the state set to trunk or desirable. Otherwise,
the port becomes a nontrunk port
Lesson 2: Building
Redundant Switched
Topologies
Overview
The law firm's client calls CCS complaining that employees in its international and constitutional law
departments are unable to communicate digitally or share resources on the intranet. Bob has already
determined that the cause of the problem is the failure of a single switch. The law firm has agreed to have
CCS implement and troubleshoot a redundant switched topology and optimize network reliability by
implementing PVST+. Bob wants to know if you are ready to go to the law firm to implement and
troubleshoot the redundant switched topology, or if you need some time to prepare.
Physical Redundancy in a LAN
Loops can affect performance in a switched LAN, and STP is a solution.
Loops may occur in the network as part of a design strategy for redundancy. Adding switches to LANs can
add the benefit of redundancy. Connecting two switches to the same network segments ensures continuous
operation if there are problems with one of the segments. Redundancy can ensure the constant availability of
the network.
However, when switches are used for redundancy in a network, loops are a potential problem. When a host
on one network segment transmits data to a host on another network segment, and the two are connected by
two or more switches, each switch receives the data frames, looks up the location of the receiving device,
and forwards the frame. Because each switch forwards the frame, each frame is duplicated. As a result, a
loop occurs, and the frame circulates between the two paths without being removed from the network. The
MAC address tables may also be updated with incorrect address information, resulting in inaccurate
forwarding.
In the topology that is shown in the figure, suppose that host A sends a frame to host B. Host A resides on
network segment A, and host B resides on network segment B. Redundant connections between hosts
ensure continuous operation if a segment fails. For this example, it is assumed that none of the switches
have learned the address of host B.
Switch 1 receives the frame that is destined for host B and floods it out to switches 2 and 3. Switch 2 and
switch 3 both receive the frame from host A (via switch 1) and correctly learn that host A is on segment 1
and 2. Each switch forwards the frame to switch 4.
Switch 4 receives two copies of the frame from host A, one copy through switch 2 and one copy through
switch 3. Assume that the frame from switch 2 arrives first. Switch 4 learns that host A resides on segment
3. Because switch 4 does not know where host B is connected, it forwards the frame to all its ports (except
the incoming port) and therefore to host B and switch 3. When the frame from switch 3 arrives at switch 4,
switch 4 updates its table to indicate that host A resides on segment 4. It then forwards the frame to host B
and switch 2.
Switches 2 and 3 now change their internal tables to indicate that host A is on segment 3 and 4. If the initial
frame from host A was a broadcast frame, both switches forward the frames endlessly. They would use all
available network bandwidth and block transmission of other packets on both segments. This situation is
called a broadcast storm.
The solution to loops is STP, which manages the physical paths to given network segments. STP provides
physical path redundancy while preventing the undesirable effects of active loops in the network. By
default, STP is turned on in Cisco Catalyst switches.
STP behaves as follows:
• STP forces certain ports into a standby state so that they do not listen to, forward, or flood data frames.
The overall effect is that there is only one path to each network segment that is active at any time.
• If there is a problem with connectivity to any of the segments within the network, STP re-establishes
connectivity by automatically activating a previously inactive path, if one exists.
Issues in Redundant Topologies
Enterprise voice and data networks are designed with physical component redundancy to eliminate the
possibility of any single point of failure causing a loss of function for an entire switched network. However,
redundant OSI Layer 2 switch topologies require planning and configuration to operate without introducing
loops.
OSI Layer 2 LAN protocols, such as Ethernet, lack a mechanism to recognize and eliminate endlessly
looping frames, as illustrated in the figure.
In the absence of a protocol to monitor link forwarding states, a redundant switch topology is vulnerable to
the following conditions:
• Broadcast storms: Without some loop-avoidance process, each switch floods broadcasts endlessly.
This situation is commonly called a broadcast storm.
• Multiple frame transmission: Multiple copies of unicast frames may be delivered to destination
stations. Many protocols expect to receive only a single copy of each transmission. Multiple copies of
the same frame can cause unrecoverable errors.
• MAC database instability: Instability in the content of the MAC address table results from the fact that
different ports of the switch receive copies of the same frame. Data forwarding can be impaired when
the switch consumes the resources that are coping with instability in the MAC address table.
Layer 2 LAN protocols, such as Ethernet, do not have a mechanism to recognize and eliminate endlessly
looping frames. Some Layer 3 protocols implement a TTL mechanism that limits the number of times that a
Layer 3 networking device can retransmit a packet. Lacking such a mechanism, Layer 2 devices continue to
retransmit looping traffic indefinitely.
A loop-avoidance mechanism solves these problems. STP was developed to address them.
Loop Resolution with STP
STP provides loop resolution by managing the physical paths to given network segments. STP allows
physical path redundancy while preventing the undesirable effects of active loops in the network. STP is an
IEEE committee standard, which is defined as 802.1D.
STP behaves as follows:

• STP uses BPDUs for communication between switches.
• STP forces certain ports into a blocked state so that they do not listen to, forward, or flood data frames.
The overall effect is that only one path to each network segment is active at any time.
• If there is a problem with connectivity to any of the segments within the network, STP re-establishes
connectivity by automatically activating a previously inactive path, if one exists (changing blocked port
to forwarding state).
Spanning-Tree Operation
STP and its successor protocols provide loop resolution by managing the physical paths to given network
segments. STP allows physical path redundancy while preventing the undesirable effects of active loops in
the network. STP forces certain ports into a blocking state. These blocking ports do not forward data frames.
The overall effect is that only one path to each network segment is active at any time. If there is a problem
with connectivity to any of the segments within the network, STP re-establishes connectivity by
automatically activating a previously inactive path, if one exists.
The following are the steps of the spanning-tree algorithm:

1. Elects a root bridge. The root bridge becomes the switch with the lowest BID. You can have only one
root bridge per network. Bridge ID is a combination of bridge priority and the MAC address of the
switch. Bridge priority is a number between 0 and 65535 in increments of 4096, and the default is
32768. If one or more bridges have equally lowest bridge priorities, then the bridge with the lowest
MAC address will be elected the root bridge.
2. Elects a root port for each non-root switch based on the lowest root path cost. The root bridge does not
have root ports. Each non-root switch has one root port. The root port shows the direction of the best
path to the root bridge.
3. Elects a designated port for each segment based on the lowest root path cost. Each link will have one
designated port.
4. The root ports and designated ports transition to the forwarding state, and the other ports stay in the
blocking state.
STP path cost depends on the speed of the link. The table shows STP link costs.
Data rate STP Cost (802.1D-1998) STP Cost (802.1D-2004)
4 Mbps 250 5,000,000
10 Mbps 100 2,000,000
16 Mbps 62 1,250,000
100 Mbps 19 200,000
1 Gbps 4 20,000
2 Gbps 3 10,000
10 Gbps 2 2000
STP Port Roles
Port Role Description
Root port This port exists on non-root bridges. It is the switch port with the best path to the root bridge. Root
ports forward traffic toward the root bridge and the source MAC address of the frames received on the
root port that is capable of populating the MAC table. Only one root port is allowed per bridge.
Designated port This port exists on root and non-root bridges. For root bridges, all switch ports are designated ports.
For non-root bridges, a designated port is the switch port that will receive and forward frames toward
the root bridge as needed. Only one designated port is allowed per segment. If multiple switches exist
on the same segment, an election process determines the designated switch, and the corresponding
switch port begins forwarding frames for the segment. Designated ports are capable of populating the
MAC table.
Nondesignated The nondesignated port is a switch port that is not forwarding (blocking) data frames and is not
port populating the MAC address table with the source addresses of frames that are seen on that segment.
Disabled port The disabled port is a switch port that is shut down.
Spanning-Tree Operation Example
The first step in the spanning-tree algorithm is the election of a root bridge. Initially, all switches assume
that they are the root. They start transmitting BPDUs with the Root ID field containing the same value as
the Bridge ID field. Thus, each switch essentially claims that it is the root bridge on the network.
When the switches start receiving BPDUs from the other switches, each switch compares the root ID in the
received BPDUs against the value that it currently has recorded as the root ID. If the received value is lower
than the recorded value (which was originally the BID of that switch), the switch replaces the recorded
value with the received value and starts transmitting this value in the Root ID field in its own BPDUs.
Eventually, all switches learn and record the BID of the switch that has the lowest BID. The switches all
transmit this ID in the Root ID field of their BPDUs.
In the example, Switch B becomes the root bridge because it has the lowest BID. Switch A and switch B
have the same priority, but switch B has a lower MAC value.
When a switch recognizes that it is not the root (because it is receiving BPDUs that have a root ID value that
is lower than its own BID), it marks the port on which it is receiving those BPDUs as its root port.
A switch could receive BPDUs on multiple ports. In this case, the switch elects the port that has the lowest-
cost path to the root as its root port. If two ports have an equal path cost to the root, the switch looks at the
BID values in the received BPDUs to make a decision (where the lowest BID is considered best, similar to
root bridge election). If the root path cost and the BID in both BPDUs are the same because both ports are
connected to the same upstream switch, the switch looks at the Port ID field in the BPDUs and selects its
root port based on the lowest value in that field.
By default, the cost that is associated with each port is related to its speed (the higher the interface
bandwidth, the lower the cost), but the cost can be manually changed.
Switches A, C, and D mark the ports that are directly connected to switch B (which is the root bridge) as the
root port. These directly connected ports on switches A, C, and D have the lowest cost to the root bridge.
After electing the root bridge and root ports, the switches determine which switch will become the
designated bridge for each Ethernet segment. This process is similar to the root bridge and root port
elections. Each switch that is connected to a segment sends BPDUs out of the port that is connected to that
segment, claiming to be the designated bridge for that segment. At this point, it considers its port to be a
designated port.
When a switch starts receiving BPDUs from other switches on that segment, it compares the received values
of the root path cost, BID, and port ID fields (in that order) against the values in the BPDUs that it is
sending out its own port. The switch stops transmitting BPDUs on the port and marks it as a nondesignated
port if the other switch has lower values.
In the example, all ports on the root bridge (switch B) are designated ports. The ports on switch A that are
connecting to switch C and switch D become designated ports, because they have lower root path costs on
each segment.
To prevent bridging loops while STP needs to execute its algorithm, all ports start out in the blocking state.
When STP marks a port as either a root port or a designated port, the algorithm starts to transition this port
to the forwarding state.
Classic (802.1D-1998) and rapid (802.1w and 802.1D-2004) versions of STP both execute the same
algorithm in the decision-making process. However, in the transition of a port from the blocking (or
discarding, in rapid spanning-tree terms) to the forwarding state, there is a big difference between those two
spanning-tree versions. Classic 802.1D would simply take 30 seconds to transition the port to forwarding.
The rapid spanning tree algorithm can leverage additional mechanisms to transition the port to forwarding in
less than a second.
Although the order of the steps that are listed in the diagrams suggests that STP goes through them in a
coordinated, sequential manner, that is not actually the case. If you look back at the description of each step
in the process, you see that each switch is going through these steps in a parallel line. Also, each switch
might adapt its selection of root bridge, root ports, and designated ports as it receives new BPDUs. As the
BPDUs are propagated through the network, all switches eventually have a consistent view of the topology
of the network. When this stable state is reached, BPDUs are transmitted only by designated ports.
There are two loops in the sample topology, meaning that two ports should be in the blocking state to break
both loops. The port on Switch C that is not directly connected to Switch B (root bridge) is blocked, because
it is a nondesignated port. The port on Switch D that is not directly connected to Switch B (root bridge) is
also blocked, because it is a nondesignated port.
Types of Spanning-Tree Protocols
The STP is a network protocol that ensures a loop-free topology. Several varieties of spanning-tree
protocols exist.
• STP (IEEE 802.1D) provides a loop-free topology in a network with redundant links.
– CST assumes one spanning-tree instance for the entire bridged network, regardless of the number of
VLANs.
• PVST+ is a Cisco enhancement of STP that provides a separate 802.1D spanning-tree instance for each
VLAN that is configured in the network.
• MSTP, or IEEE 802.1s, is an IEEE standard that is inspired by the earlier Cisco proprietary MISTP
implementation. MSTP maps multiple VLANs into the same spanning-tree instance.
• RSTP, or IEEE 802.1w, is evolution of STP that provides faster convergence of STP. It redefines port
roles and link costs.
• Rapid PVST+ is a Cisco enhancement of RSTP that uses PVST+. Rapid PVST+ provides a separate
instance of 802.1w per VLAN.
When Cisco documentation and this course refer to implementing RSTP, they are referring to the Cisco
RSTP implementation—Rapid PVST+.
Comparison of Spanning-Tree Protocols
The following are characteristics of various spanning-tree protocols:
• STP assumes one 802.1D spanning-tree instance for the entire bridged network, regardless of the
number of VLANs. Because only one instance exists, the CPU and memory requirements for this
version are lower than for the other protocols. However, because of only one instance, there is only one
root bridge and one tree. Traffic for all VLANs flows over the same patch, which can lead to suboptimal
traffic flows. Because of the limitations of 802.1D, this version is slow to converge.
• PVST+ is a Cisco enhancement of STP that provides a separate 802.1D spanning-tree instance for each
VLAN that is configured in the network. The separate instance supports PortFast, UplinkFast,
BackboneFast, BPDU guard, BPDU filter, root guard, and loop guard. Creating an instance for each
VLAN increases the CPU and memory requirements but allows for per-VLAN root bridges. This design
allows the STP tree to be optimized for the traffic of each VLAN. Convergence of this version is similar
to the convergence of 802.1D. However, convergence is per-VLAN.
• RSTP, or IEEE 802.1w, is evolution of STP that provides faster STP convergence. This version
addresses many convergence issues, but because it still provides a single instance of STP, it does not
address the suboptimal traffic flow issues. To support that faster convergence, the CPU usage and
memory requirements of this version are slightly higher than the requirements of CST but lower than
those of RSTP+.
• Rapid PVST+ is a Cisco enhancement of RSTP that uses PVST+. It provides a separate instance of
802.1w per VLAN. This version addresses both the convergence issues and the suboptimal traffic flow
issues. However, this version has the largest CPU and memory requirements.
• MSTP is an IEEE standard that is inspired by the earlier Cisco proprietary MISTP implementation. To
reduce the number of required STP instances, MSTP maps multiple VLANs that have the same traffic
flow requirements into the same spanning-tree instance. The Cisco implementation of MSTP is MST.
MST provides up to 16 instances of RSTP (802.1w) and combines many VLANs with the same
physical and logical topology into a common RSTP instance. Each instance supports PortFast, BPDU
guard, BPDU filter, root guard, and loop guard. The CPU and memory requirements of this version are
lower than the requirements of Rapid PVST+ but are higher than those of RSTP.
Default Spanning-Tree Configuration
The default spanning-tree mode for Cisco Catalyst switches is PVST+, which is enabled on all ports.
PVST+ has much slower convergence after a topology change than the Rapid PVST but requires less
control plane CPU and memory resources to compute the shortest path tree upon topology changes.
Per VLAN Spanning Tree Plus
The 802.1D standard defines a CST that assumes only one spanning-tree instance for the entire switched
network, regardless of the number of VLANs. A network that is running CST has these characteristics:
• No load sharing is possible. One uplink must block for all VLANs.
• The CPU is spared. Only one instance of spanning tree must be computed.
PVST+ defines a spanning-tree protocol that has several spanning-tree instances running for the network
(one instance of STP per VLAN). Networks that are running several spanning-tree instances have these
characteristics:
• Optimum load sharing can occur. In a Cisco PVST+ environment, you can tune the spanning-tree
parameters so that half the VLANs forward on each uplink trunk. The configuration must define a
different root bridge for each half of the VLANs. Providing different STP root switches per VLAN
creates a more redundant network.
• One spanning-tree instance for each VLAN maintained can mean a considerable waste of CPU cycles
for all the switches in the network (in addition to the bandwidth that is used for each instance to send its
own BPDUs). This situation would only be problematic if many VLANs are configured.
Rapid PVST+ is Cisco proprietary version of the RSTP. It creates a spanning tree for each VLAN, just like
PVST.
PVST+ Extended Bridge ID
Spanning-tree operation requires that each switch has a unique BID. In the original 802.1D standard, the
BID consisted of the bridge priority and the MAC address of the switch, and a CST represented all VLANs.
PVST+ requires that a separate instance of spanning tree that is run for each VLAN and the BID field must
carry VID information. This functionality is accomplished by reusing a portion of the Priority field as the
extended system ID to carry a VID.
To accommodate the extended system ID, the original 802.1D 16-bit bridge priority field is split into two
fields. The BID includes the following fields:
• Bridge priority: A 4-bit field that is still used to carry bridge priority. The priority is conveyed in
discrete values in increments of 4096 rather than discrete values in increments of 1, because only the
four most significant bits are available from the 16-bit field. In other words, in binary, the following
applies: priority 0 = [0000|<sys-id-ext #>], priority 4096 = [0001|<sys-id-ext #>], and so on. Increments
of 1 would be used if the complete 16-bit field was available. The default priority, in accordance with
IEEE 802.1D, is 32768, which is the midrange value.
• Extended system ID: A 12-bit field carrying, in this case, the VID for PVST+. This value is expressed
as the sys-id-ext in Cisco IOS software and elsewhere in this course.
• MAC address: A 6-byte field with the MAC address of a single switch.
By virtue of the MAC address, a BID is always unique. When the priority and extended system ID are
prepended to the switch MAC address, each VLAN on the switch can be represented by a unique BID.
For example, the VLAN 2 default BID would be 32770 (priority 32768 plus the extended system ID of 2).
If no priority is configured, every switch will have the same default priority. In this case, the election of the
root for each VLAN is based on the MAC address. This method is a random means of selecting the ideal
root bridge. For this reason, it is recommended that you assign a lower priority to the switch that should
serve as the root bridge.
In the Cisco PVST+ environment, you can tune the spanning-tree parameters so that half the VLANs
forward on each uplink trunk. The network must be correctly configured. The configuration must define a
different root bridge for each half of the VLANs. Providing different STP root switches per VLAN creates a
more redundant network.
Discovery 2: Configure Root Bridge and Analyze
STP Topology
Introduction
The purpose of this discovery is to demonstrate how to determine the map of a spanning tree across a
topology. The live virtual lab is prepared with the devices that are represented in the topology diagram and
the connectivity table. All devices have their basic configurations in place, including hostnames and IP
addresses.
During the discovery, you will map out the spanning tree for VLAN 20. SRV2 is the server on VLAN 20
and it is connected to SW4. You will observe that the spanning tree does not currently provide optimized
paths from the clients to SRV2. You will then modify the spanning tree and verify the results.
Topology
Job Aid
The configuration is as follows:

• All devices have their basic configurations in place, including hostnames and IP addresses.
Device Information
Device Details
Device Interface Neighbor IP Address
PC1 Ethernet0/0 SW1 10.10.10.5/24
PC2 Ethernet0/0 SW2 10.10.20.5/24
SW1 VLAN 1 — 10.10.1.4/24
SW2 VLAN 1 — 10.10.1.5/24
SW3 VLAN 1 — 10.10.1.6/24
SW4 VLAN 1 — 10.10.1.7/24
SVR1 Ethernet0/0 SW3 10.10.10.10/24
SVR2 Ethernet0/0 SW4 10.10.20.20/24
Device Cabling Details
Switch Port Switch Port
SW1 Ethernet0/1 SW4 Ethernet0/1
PCs and SRVs in the virtual lab environment are simulated as routers, so you should use Cisco IOS
commands to configure them or make verifications.
Task 1: Modify the Bridge ID
By modifying the BID of a switch, you can influence the root bridge election.
Command Description
spanning-tree Forces this switch to be the root bridge for the specified VLAN.
vlanvlan_numberroot
primary
spanning-tree Configures the backup root bridge for the specified VLAN.
vlanvlan_numberroot
secondary
The root bridge is elected based on the BID. Since by default the priority part of the BID is the same for all
switches (32768), the root bridge will be the switch with the lowest MAC address. For load balancing
between switches (for example, if you want one switch to be the root bridge for VLAN 1 and the other
switch to be the root bridge for VLAN 2), you can modify the priority of the bridge. The easiest way that
you can make a switch the root bridge for a VLAN is if you use the spanning-tree vlan vlan_number root
primary command. If the primary root bridge fails, you do not want the slowest, oldest access-layer switch
becoming the root bridge. For this reason, you can configure the backup, secondary root bridge for a VLAN,
if you use the spanning-tree vlan vlan_numberroot secondary command.
Complete the following step:
On all four switches verify, if there is any spanning-tree preconfiguration for the root bridge.
SW1# show running-config | include root

SW1#

SW2#

SW3#

SW4#
There is no configuration for the root bridge on any of the switches, so the root bridge has been
elected automatically.
Task 2: Analyze STP Topology

To analyze the STP topology, follow these steps:
1. Discover the physical Layer 2 topology. You could use network documentation, if it exists, or use the
show cdp neighbors command to discover the physical topology.
2. After you have discovered the physical topology, use your knowledge of STP to determine the expected
Layer 2 path. You will need to know which switch is the root bridge.
3. Use the show spanning-tree vlan command to determine which switch is the root bridge.
4. Use the show spanning-tree vlan command on all switches to find out which ports are in the blocking
or forwarding state, and thus confirm your expected Layer 2 path.
In many networks, the optimal STP topology is determined as part of the network design and then
implemented through manipulation of STP priority and cost values. You might run into situations where
STP was not considered in the design and implementation, or where it was considered initially, before the
network underwent significant growth and change. In such situations, it is important that you to know how
to analyze the actual STP topology in the operational network.
In addition, a part of troubleshooting also consists of comparing the actual state of the network against the
expected state of the network. This way, you can spot the differences to gather clues about the problem that
you are troubleshooting. You should be able to examine the switches and determine the actual topology, in
addition to knowing what the spanning-tree topology is supposed to be.
Using the show spanning-tree command without specifying any additional options is a good way to get a
quick overview of the status of STP for all VLANs that are defined on a switch. If you are interested only in
a particular VLAN, you can limit the scope of this command by specifying that VLAN as an option.
Use the show spanning-tree vlanvlan_id command to obtain STP information for a particular VLAN. Use
this command to get information about the role and status of each port on the switch. The example output on
Switch A shows all three ports in the forwarding state (FWD) and the role of the three ports as either
designated ports or root ports. Any ports that are being blocked have the status "BLK" in the output.
The output also gives information about the BID of the local switch and the root ID. If Switch A is the root
bridge, the root ID and bridge ID MAC addresses listed would be the same.
Activity
Begin to map out the spanning tree for VLAN 20. Start by accessing the console of SW1 and
displaying the spanning-tree status for VLAN 20.
SW1# show spanning-tree vlan 20
VLAN0020
Spanning tree enabled protocol ieee
Root ID Priority 32788
Address aabb.cc00.5400
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32788 (priority 32768 sys-id-ext 20)

Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type

------------------- ---- --- --------- -------- -------------------------------
-
Et0/1 Desg FWD 100 128.2 Shr
SW1 is the root switch for VLAN 20. The reason for this is the lowest Bridge ID. All switches
have default priority set, so the MAC address decides which switch becomes the root bridge.
SW1 has the lowest MAC address, hence resulting in SW1 becoming the root bridge.
Both Ethernet0/1 and 0/2 are designated (the port on the link that is closest to the root).
Designated ports always forward.
Note: The MAC address might differ in your output.
The topology, as you currently understand it, looks like the following example:
Access the console of SW2 and display the spanning-tree status for VLAN 20.
Ethernet0/1 is the root port for SW2. That is the port that provides the lowest-cost path back to
the root bridge. Root ports always forward.
VLAN0020
Cost 200
Port 2 (Ethernet0/1)

Aging Time 300 sec

------------------- ---- --- --------- -------- -------------------------------
-
Et0/1 Root FWD 100 128.2 Shr
Et0/2 Altn BLK 100 128.3 Shr
Ethernet0/2 is an alternate port for the link. There is another switch that provides forwarding
back to the root for this link. Alternate ports are always in a blocking status. If they forwarded, it
would cause a loop.
Ethernet1/0 is designated and forwarding. This is the port to which PC2 connects.
Ethernet0/0 and 0/1 are designated and forwarding. Ethernet0/2 is the SW3 root port and is
forwarding.
VLAN0020
Cost 100

Aging Time 300 sec

------------------- ---- --- --------- -------- -------------------------------
-
You will not see the interface Ethernet1/0, the one connecting to the server, listed because it is
on a different VLAN.
Ethernet0/1 provides the best path back to the root switch. Therefore, it is the root port and is
forwarding.
VLAN0020
Cost 100

Address aabb.cc00.5a00
Aging Time 300 sec

------------------- ---- --- --------- -------- -------------------------------
-
Ethernet0/2 and 1/0 are both designated and forwarding. Ethernet1/0 is the port to which SRV2
connects.
Ethernet0/0 is alternate and blocking.
With SW1 as the root switch, the spanning-tree topology is optimized for all switches to provide
a best path back to SW1.
PC2 is attached to SW2 and SRV2 is attached to SW4. With the spanning tree in this state, the
link between SW2 and SW4 is blocked. Traffic from PC2 to SRV2 must travel through SW2,
then SW3, then SW1, and then finally to SW4.
The single most important spanning-tree tuning operation that you should do is to set the root
switch for a VLAN to be the switch where most of the traffic on that VLAN is destined. Usually,
this is a switch to which routers or servers are connected. Configure SW4 to be the root switch
for VLAN 20.
Enter the following commands to the SW4 switch:
SW4# conf t
SW4(config)# spanning-tree vlan 20 root primary
SW4(config)# end
SW4#
SW4#
Display the spanning-tree status for VLAN 20 on SW4.
The Forward Delay is 15 seconds, by default. A blocking port must transition through listening
for 15 seconds and learning for 15 seconds before proceeding to forwarding.
VLAN0020

Aging Time 300 sec

------------------- ---- --- --------- -------- -------------------------------
-
Et0/0 Desg LRN 100 128.1 Shr
If all four ports are not yet in the forwarding state, continue to execute the show spanning-tree
command until they are forwarding.
VLAN0020

Aging Time 300 sec

------------------- ---- --- --------- -------- -------------------------------
-
For the backup purposes, also configure SW3 as the secondary root bridge for VLAN 20.
SW3# conf t
SW3(config)# spanning-tree vlan 20 root secondary
SW3(config)# end
SW3#
SW3#
Optionally, you can view the spanning tree details for VLAN 20 on the other three switches. The
topology that would emerge would look like the following.
The spanning tree for VLAN 20 is now optimized to provide an optimal path from all switches
to SW4, where SRV2 on VLAN 20 is connected.
PortFast and BPDU Guard
You will explore two features that called PortFast and BPDU guard. Before you can fully appreciate the
benefits of these features, you will review the STP initialization process that a switch port transitions
through when it is enabled.
Because STP is responsible for maintaining a loop-free topology, precautions are required each time that
you enable a switch port. If the port is connected to another switch, BPDUs are exchanged to ensure that a
loop is not introduced into the topology. The following are the stages that a port goes through when it is
enabled.
1. Blocking: For up to 20 seconds, the port remains in the blocking state.
2. Listening: For 15 seconds, the port listens to BPDUs that it received and listens for new topology
information that would cause it to transition back to the blocking state. It does not populate the MAC
address table with the addresses it learns and it does not forward any frames.
3. Learning: For up to 15 seconds, the port updates the MAC address forwarding table, but it does not
begin forwarding.
4. Forwarding: Once the switch port is certain it will not form a loop by forwarding frames, it enters the
forwarding state. It still monitors for topology changes that could require it to transition back to the
blocking state to prevent a loop.
If a switch port connects to another switch, the STP initialization cycle must transition from state to state to
ensure a loop-free topology.
However, for access devices such as PCs, laptops, servers, and printers, the delays that incurred with STP
initialization can cause problems such as DHCP timeouts. Cisco designed the PortFast and BPDU features
as enhancements to STP to reduce the time that is required for an access device to enter the forwarding
state.
STP is designed to prevent loops. Because there can be no loop on a port that is connected directly to a host
or server, the full function of STP is not needed for that port. PortFast is a Cisco enhancement to STP that
allows a switchport to begin forwarding much faster than a switchport in normal STP mode.
When the PortFast feature is enabled on a switch port that is configured as an access port, that port bypasses
the typical STP listening and learning states. This feature allows the port to transitions from the blocking to
the forwarding state immediately. You can use PortFast on access ports that are connected to a single
workstation or to a server to allow those devices to connect to the network immediately rather than waiting
for spanning tree to converge.
In a valid PortFast configuration, configuration BPDUs should never be received, because access devices do
not generate BPDUs. A BPDU that a port receives would indicate that another bridge or switch is connected
to the port. This event could happen if a user plugged a switch on their desk into the port where the user PC
was already plugged into.
Assuming that users decide they want more bandwidth. Since there are two network access connections in
their office, they decide to use both of them. To use them both, they unplug their individual PCs from the
network switches and plug it into their own switch. They then plug the new switch into both of the network
access ports. If portfast is enabled on both ports of the network switch, this action could cause a loop and
bring the network to a halt.
If the users in the example have realized they are causing network issues. If the users only disconnect one of
the links from their switch to network switch—have they eliminated all the issues they were causing? What
would be the result if their switch had a lower BID than the root bridge in the network? Wouldn't their
switch become the root bridge?
The STP PortFast BPDU guard enhancement allows network designers to enforce the STP domain borders
and keep the active topology predictable. The devices behind the ports that have STP PortFast enabled are
not able to influence the STP topology. At the reception of BPDUs, the BPDU guard operation disables the
port that has PortFast configured. The BPDU guard transitions the port into errdisable state, and a message
appears on the console. For example, the following message might appear:
2000 May 12 15:13:32 %SPANTREE-2-RX_PORTFAST:Received BPDU on PortFast enable port.
Disabling 2/1
2000 May 12 15:13:32 %PAGP-5-PORTFROMSTP:Port 2/1 left bridge port 2/1
Because the purpose of PortFast is to minimize the time that access ports that are connecting to user
equipment and servers must wait for spanning tree to converge, you should use it only on access ports. If
you enable PortFast on a port that is connecting to another switch, you risk creating a spanning-tree loop.
Configuring PortFast and BPDU Guard
PortFast and BPDU guard can be configured on a port-by-port basis, or globally for all ports on a switch.
The spanning-tree bpduguard enable interface configuration command configures BPDU guard on an
interface. The spanning-tree portfast bpduguard default global configuration command enables BPDU
guard globally for all PortFast-enabled ports.
The spanning-tree portfast interface configuration command configures PortFast on an interface. The
spanning-tree portfast default global configuration command enables PortFast on all nontrunking
interfaces.
Verifying PortFast and BPDU Guard
Use the show running-config interface command to validate the PortFast and BPDU guard configuration
for a given interface.
The table lists the commands that you use to implement and verify PortFast and BPDU guard.
PortFast and BPDU Guard Commands
Command Description
spanning-tree portfast Enables PortFast on a Layer 2 access port and forces it to enter the forwarding
state immediately.
spanning-tree portfast Globally enables the PortFast feature on all nontrunking ports. When the PortFast
default feature is enabled, the port changes from a blocking state to a forwarding state
without making the intermediate spanning-tree state changes.
spanning-tree bpduguard Enables BPDU guard on a Layer 2 access port.

enable
spanning-tree portfast Globally enables the BPDU guard feature.

bpduguard default
show running-config Indicates whether PortFast and BPDU guard have been configured on a port.
interfacetypeslot/port
show spanning-tree Indicates whether PortFast has been configured on a port. The command verifies
interfacetypeslot/portportfast both global and interface configuration.
show spanning-tree summary Indicates whether PortFast and BPDU guard have been configured globally.
When you enable the PortFast feature globally, you will not see it under the interface configuration using
show running-config interfacetype slot/port command. For this case, you should use show spanning-
tree interfacetype slot/portportfast command or show spanning-tree summary command.
Discovery 3: Troubleshoot STP Issues
Introduction
The biggest problem with STP is not the fact that it can fail, because any protocol can. In fact, STP is one of
the most reliable protocols available. The main concern is that when a problem that is related to STP exists,
there are usually major negative consequences. Unlike with many protocols, where the only thing that
happens when a malfunction occurs is that you lose some of the functionality that you gained through this
protocol. For instance, if the routing protocol is malfunctioning on one of your routers, you might lose
connectivity to networks that are reachable through that particular router. However, this loss generally does
not affect the rest of your network. If you have some way to connect to that router, you can still perform
your troubleshooting routines to diagnose and fix the problem.
In this discovery, you will demonstrate how to use different commands to troubleshoot STP.
Topology
Job Aid

Device Information
Device Details
PC1 Ethernet0/0 SW1 10.10.10.5/24
PC2 Ethernet0/0 SW2 10.10.20.5/24
SW1 VLAN 1 — 10.10.1.4/24
SW2 VLAN 1 — 10.10.1.5/24
SW3 VLAN 1 — 10.10.1.6/24
SW4 VLAN 1 — 10.10.1.7/24
SVR1 Ethernet0/0 SW3 10.10.10.10/24
SVR2 Ethernet0/0 SW4 10.10.20.20/24
Task 1: Spanning-Tree Failure Consequences

With STP, you can observe two different types of failures:
• The first one is similar to the routing problem that was just described. STP may erroneously block
certain ports that should have gone to the forwarding state. This block will cause problems that are
similar to the routing problem: You might lose connectivity to certain parts of your network, but the rest
of the network is unaffected. If you are able to access the switch, you can troubleshoot and attempt to
resolve the issue.
• The second type of failure is when STP erroneously moves one or more ports to the forwarding state.
This type of failure can be very disruptive.
An Ethernet frame header does not include a TTL field. Therefore, any frame that enters a bridging loop
will continue to be forwarded by the switches indefinitely. The only exceptions are the frames whose
destination addresses are recorded in the MAC address table of the switches. These frames will be
forwarded to the port that the MAC address is associated with and will not go into an endless loop.
However, any frame that is flooded by a switch (such as broadcasts, multicasts, and unicasts) with an
unknown destination MAC address, will go into an endless loop.
• The figure shows how the load on all links in the switched LAN quickly starts increasing as more
frames enter the loop. This problem is not limited to the links that form the loop. The problem also
affects any other links in the switched domain, because the frames are flooded on all links. When the
spanning-tree failure is limited to a single VLAN, only links in that VLAN are affected. Switches and
trunks that do not carry that VLAN operate normally.
• If the spanning-tree failure has caused more than one bridging loop, traffic increases exponentially,
because frames not only start circling but also start getting duplicated. This problem happens because
when you have multiple loops, you will also have switches that receive a frame on a port and then flood
it out on multiple ports, essentially creating a copy of the frame every time they forward it.
• The switches will experience frequent MAC address table changes. This problem happens because
frames usually start looping in both directions. This action causes a switch to see a frame with a certain
source MAC address coming in on a port and then see a frame with the same source MAC address
coming in on a different port just a fraction of a second later.
• Because of the combination of a very high load on all links and the switch CPUs running at maximum
load, these devices typically become unreachable. As a result, diagnosing this problem while it is
happening is nearly impossible.
A viable approach is to take over the role of the failing spanning tree by manually removing redundant links
in the switched network, either physically or through configuration (if that is still possible), until all loops
are eliminated from the topology. When you have broken the loops, the traffic and CPU loads should
quickly drop to normal levels, and you should regain connectivity to your devices.
Although this intervention restores connectivity to the network, you cannot consider it the end of your
troubleshooting process. You have removed all redundancy from your switched network, and you need to
restore the redundant links.
Of course, if the underlying cause of the spanning-tree failure has not been fixed, chances are that restoring
the redundant links will trigger a new broadcast storm. Before you restore the redundant links, you should
spend sufficient time to investigate what happened at the moment when the broadcast storm started. When
you eventually start restoring the redundant links, you should carefully monitor the network and have an
emergency plan to fall back on if you see a new broadcast storm developing.
Since it is difficult to simulate a STP failure, you will only verify the operation of STP for VLAN 10.
Activity
Map out the spanning tree for VLAN 10.
Start by accessing the console of SW1 and displaying the spanning-tree status for VLAN 10.
VLAN0010
Cost 200

Aging Time 300 sec

------------------- ---- --- --------- -------- -------------------------------
-
VLAN0010

Aging Time 300 sec

------------------- ---- --- --------- -------- -------------------------------
-
VLAN0010
Cost 100

Aging Time 300 sec

------------------- ---- --- --------- -------- -------------------------------
-
VLAN0010
Cost 100

Aging Time 300 sec

------------------- ---- --- --------- -------- -------------------------------
-
Note: The MAC addresses might differ in your output.
You can determine that the spanning tree is functioning as it should—each switch has only one
path to the root bridge.
Self Check
Which risk is posed by operating a switched network with redundant paths?

A. loops
B. CRC Errors
C. late collisions
D. interface input errors
Which feature of PVST+ is not available in RSTP?

A. fast convergence on topology changes
B. per-port STP
C. per-VLAN STP instance
D. edge ports
Place the phases of normal Spanning Tree initialization into the correct order.
Listening 1st
Blocking 2nd
Forwarding 3rd
Learning 4th
Which item represents a problem solved by PortFast?

A. DHCP Timeout
B. Bandwidth Throttling
C. Duplex Mismatch
D. Native VLAN Mismatch
Which two symptoms indicate that a loop might exist in the network? (Choose two.)
A. The CPU load of the switches approaches 100 percent utilization.
B. MAC addresses flap frequently between ports of the switches.
C. Expired messages are received by the hosts.
D. The load on the WAN links in the network approaches 100 percent utilization.
Which BID would win election as the root, assuming that the switches with these BIDs were in the
same network?
A. 32769:0200.1111.1111
B. 32769:0200.2222.2222
C. 4097:0200.1111.1111
D. 4097:0200.2222.2222
Which of the following is true?

A. None of the switches are root switch until the election.
B. All switches operate as the root switch when they boot up.
C. The root bridge is the switch with the highest BID.
D. The root bridge is the switch which has bridge priority 65535.
When an access port is enabled with Portfast feature, which STP states are bypassed ? (Choose two )
A. Learning
B. Blocking
C. Forwarding
D. Listening
Answer Key
Self Check
1. A
2. C
3.
Blocking 1st
Listening 2nd
Learning 3rd
Forwarding 4th
4. A
5. A, B
6. C
7. B
8. A, D
Lesson 3: Improving
Redundant Switched
Topologies with
EtherChannel
Overview
The law firm calls CCS complaining of very slow data transfer and asks if there is something you can do to
help. You and Bob tell them that the solution lies in a technology called EtherChannel. They agree to the
implementation of EtherChannel, and Bob asks if you are ready to go onsite with him to perform the
implementation.
EtherChannel Overview
With the proliferation of bandwidth-intensive applications such as video and interactive messaging, comes a
need for greater network speeds and scalable bandwidth. You can increase network speed by using faster
links, but faster links are more expensive. Furthermore, this solution cannot scale indefinitely and finds its
limitation where the fastest possible port is no longer fast enough.
You can also increase network speeds by using more physical links between switches. One downside of this
method is that you must be strictly consistent in the configuration of each physical link. The second one is
that STP will block one of the links.
EtherChannel technology provides a solution. EtherChannel technology was originally developed by Cisco
as a means of increasing speed between switches by grouping several FastEthernet or GigabitEthernet ports
into one logical EtherChannel link, as shown in the following figure. Since the two physical links are
bundled into a single EtherChannel, STP no longer sees the two physical links. Instead it sees a single
EtherChannel. As a result, STP does not need to block one of the physical links to prevent a loop. Because
all physical links in the EtherChannel are active, bandwidth is increased. EtherChannel provides the
additional bandwidth without upgrading links to a faster and more expensive connection, because it relies
on existing switch ports.
Some devices other than switches support link aggregation into an EtherChannel link. In any case,
EtherChannel creates a one-to-one relationship. You can create an EtherChannel link between two switches
or between an EtherChannel-enabled server and a switch. However, you cannot send traffic to two different
switches through the same EtherChannel link. One EtherChannel link always connects only two devices.
You can group from two to eight physical ports into a logical EtherChannel link, but you cannot mix port
types within a single EtherChannel. For example, you could group four Fast Ethernet ports into one logical
Ethernet link, but you could not group two FastEthernet ports and two GigabitEthernet ports into one logical
Ethernet link.
You can also configure multiple EtherChannel links between two devices. When several EtherChannels
exist between two switches, STP may block one of the EtherChannels to prevent redundant links. When
STP blocks one of the redundant links, it blocks one entire EtherChannel, thus blocking all the ports
belonging to that EtherChannel link.
In addition to higher bandwidth, EtherChannel provides several other advantages:
• You can perform most configuration tasks on the EtherChannel interface instead of on each individual
port, which ensures configuration consistency throughout the links.
• Because EtherChannel relies on the existing switch ports, you do not need to upgrade the link to a faster
and more expensive connection to obtain more bandwidth.
• Load balancing is possible between links that are part of the same EtherChannel. Depending on your
hardware platform, you can implement one or several load balancing methods, such as source MAC-to-
destination MAC or source IP-to-destination IP load balancing, across the physical links.
• EtherChannel creates an aggregation that is seen as one logical link. When several EtherChannel
bundles exist between two switches, STP may block one of the bundles to prevent redundant links.
When STP blocks one of the redundant links, it blocks one EtherChannel, thus blocking all the ports
belonging to that EtherChannel link. Where there is only one EtherChannel link, all physical links in the
EtherChannel are active because STP sees only one (logical) link.
• EtherChannel provides redundancy. The loss of a physical link within an EtherChannel does not create a
change in the topology, and you don't need a spanning-tree recalculation. As long as at least one
physical link is active, the EtherChannel is functional, even if its overall throughput decreases.
EtherChannel Protocols
You can use two different protocols for link aggregation. These protocols allow ports with similar
characteristics to form a channel through dynamic negotiation with adjoining switches.
PAgP is a Cisco proprietary protocol that aids in the automatic creation of EtherChannel links. When you
configure an EtherChannel link using PAgP, PAgP packets are sent between EtherChannel-capable ports to
negotiate the forming of a channel. When PAgP identifies matched Ethernet links, it groups the links into an
EtherChannel. The EtherChannel is then added to the spanning tree as a single bridge port.
When enabled, PAgP also manages the EtherChannel. PAgP packets are sent every 30 seconds. PAgP
checks for configuration consistency and manages link additions and failures between two switches. It
ensures that when you create an EtherChannel, all ports have the same type of configuration. In
EtherChannel, it is mandatory that all ports have the same speed, duplex setting, and VLAN information.
Any port-channel modification after the creation of the channel will also change the configuration on the
physical interfaces.
LACP is part of an IEEE specification (802.3ad) that allows several physical ports to be bundled to form a
single logical channel. LACP allows a switch to negotiate an automatic bundle by sending LACP packets to
the peer. It performs a function that is similar to PAgP with Cisco EtherChannel. Because LACP is an IEEE
standard, you can use it to facilitate EtherChannels in multivendor environments. Cisco devices support
both protocols.
PAgP helps create the EtherChannel link by detecting the configuration of each side and making sure that
they are compatible so that the EtherChannel link can be enabled when needed. The table shows the settings
for PAgP.
Mode Purpose
PAgP auto This PAgP mode places an interface in a passive negotiating state
in which the interface responds to the PAgP packets that it
receives but does not initiate PAgP negotiation.
PAgP desirable This PAgP mode places an interface in an active negotiating state
in which the interface initiates negotiations with other interfaces by
sending PAgP packets.
On This mode forces the interface to channel without PAgP. Interfaces

that you configure in the on mode do not exchange PAgP packets.
The modes must be compatible on each side. If you configure one side to be in auto mode, it will be placed
in a passive state, waiting for the other side to initiate the EtherChannel negotiation. If the other side is also
set to auto, the negotiation never starts and the EtherChannel does not form. If you disable all modes by
using the no command or if no mode is configured, then the interface is placed in the off mode and
EtherChannel is disabled.
Note that the on mode manually places the interface in an EtherChannel, without any negotiation. It works
only if the other side is also set to on. If the other side is set to negotiate parameters through PAgP, no
EtherChannel will form, because the side that is set to on mode will not negotiate.
LACP provides the same negotiation benefits as PAgP. LACP helps create the EtherChannel link by
detecting the configuration of each side and making sure that they are compatible, so that the EtherChannel
link can be enabled when needed. The table shows the settings for LACP.
Mode Purpose
LACP passive This LACP mode places a port in a passive negotiating state. In this
state, the port responds to the LACP packets that it receives but does
not initiate LACP packet negotiation.
LACP active This LACP mode places a port in an active negotiating state. In this
state, the port initiates negotiations with other ports by sending LACP
packets.
On This mode forces the interface to channel without LACP. Interfaces that
you configure in the on mode do not exchange LACP packets.
Like PAgP, modes must be compatible on both sides for the EtherChannel link to form. The on mode is
mentioned here again because it creates the EtherChannel configuration unconditionally, without PAgP or
LACP dynamic negotiation.
Discovery 4: Configure and Verify EtherChannel
Introduction
The purpose of this discovery is to provide you with some experience working with EtherChannel. The live
virtual lab is prepared with the switches represented in the topology diagram and the connectivity table. All
devices have their basic configurations in place, including hostnames and IP addresses. Note that all the
links between the switches use pairs of connections. You will see that this fact does not lead to doubling the
bandwidth by default. You will configure EtherChannel on some of the links and verify the results.
Topology
Job Aid

Device Information
Device Details
PC1 Ethernet0/0 SW1 10.10.10.5/24
PC2 Ethernet0/0 SW2 10.10.20.5/24
SW1 VLAN 1 — 10.10.1.4/24
SW2 VLAN 1 — 10.10.1.5/24
SW3 VLAN 1 — 10.10.1.6/24
SW4 VLAN 1 — 10.10.1.7/24
SVR1 Ethernet0/0 SW3 10.10.10.10/24
SVR2 Ethernet0/0 SW4 10.10.20.20/24
Task 1: Configure and Verify EtherChannel
Follow these guidelines and restrictions when configuring the EtherChannel interfaces:
• EtherChannel support: All Ethernet interfaces on all modules support EtherChannel (maximum of
eight interfaces), with no requirement that the interfaces should be physically contiguous, or on the
same module.
• Speed and duplex: Configure all interfaces in an EtherChannel to operate at the same speed and in the
same duplex mode.
• VLAN match: All interfaces in the EtherChannel bundle must be assigned to the same VLAN or be
configured as a trunk.
• Range of VLAN: An EtherChannel supports the same allowed range of VLANs on all the interfaces in
a trunking Layer 2 EtherChannel.
If you have to change these settings, configure them in the port-channel interface configuration mode. After
you configure the port-channel interface, any configuration that you apply to the port-channel interface
affects individual interfaces as well. The opposite does not apply and will cause interface incompatibility in
the EtherChannel.
The configuration of an EtherChannel is based on two steps, as described in the table.
Command Description
interface rangeinterface Specifies the interfaces that will compose

the EtherChannel group. The range
keyword allows you to select several
interfaces and configure them all together.
A good practice is to start by shutting down
those interfaces, so that incomplete
configuration will not start to create activity
on the link.
channel-groupidentifiermode active Creates the port-channel interface, if

necessary, and assigns the specified
interfaces to it. The identifier specifies a
channel group number.
The channel-group identifier does not need to match on both sides of the port channel. However, it is a
good practice to do so because it makes it easier to manage the configuration.
In the example, FastEthernet0/1 and FastEthernet0/2 are bundled into EtherChannel interface port channel
1. To change Layer 2 settings on the EtherChannel interface, enter the EtherChannel interface configuration
mode using the interface port-channel command, followed by the interface identifier. In the example,
EtherChannel is configured as a trunk interface with allowed VLANs as specified.
Activity
Start by accessing the console of SW1 and displaying the interface status summary on SW1.
SW1# show interfaces status

Et1/1 connected 1 auto auto unknown
Both Ethernet0/2 and 0/3 are connected to SW3.

Ethernet1/0 is assigned to VLAN 10. The show spanning-tree examples that are used in this
discovery arbitrarily specify VLAN 10, so Ethernet1/0 will be listed in a later example output.
Display the spanning tree for VLAN 10 on SW1.
Both Ethernet0/2 and 0/3 connect to SW3, but only Ethernet0/2 is forwarding. The spanning tree
is blocking on Ethernet0/3 to prevent a bridging loop. Only half of the potential bandwidth in
this pair of links is in use.
VLAN0010
Address aabb.cc00.0d00
Cost 100

Address aabb.cc00.0b00
Aging Time 300 sec

------------------- ---- --- --------- -------- -------------------------------
-
With a little more exploration, you could determine that the root switch for VLAN 10 is SW3.
Shut down interfaces Ethernet0/2 and 0/3 on switch SW1.
SW1# conf t
SW1(config)# interface range Ethernet0/2 - 3
SW1(config-if-range)# shutdown
*Dec 28 09:09:31.692: %LINK-5-CHANGED: Interface Ethernet0/2, changed state to
*Dec 28 09:09:32.693: %LINEPROTO-5-UPDOWN: Line protocol on Interface
Shut down interfaces Ethernet0/2 and 0/3 on switch SW3.
SW3# conf t
SW3(config)# interface range Ethernet0/2 - 3
SW3(config-if-range)# shutdown
Assign Ethernet0/2 and 0/3 to port channel 1 on the switch SW1. Use LACP protocol.
SW1(config-if-range)# channel-group 1 mode active

Creating a port-channel interface Port-channel 1
Assign Ethernet0/2 and 0/3 to port channel 1 on switch SW3. Use LACP protocol.
SW3(config-if-range)# channel-group 1 mode active

Creating a port-channel interface Port-channel 1
Enable interfaces Ethernet0/2 and 0/3 on switch SW1.
Enable interfaces Ethernet0/2 and 0/3 on switch SW3.
*Dec 28 09:13:11.268: %LINK-3-UPDOWN: Interface Ethernet0/2, changed state to
up
*Dec 28 09:13:11.268: %LINK-3-UPDOWN: Interface Ethernet0/3, changed state to
up
Ethernet0/2, changed state to up
*Dec 28 09:13:18.543: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-
channel1, changed state to up
Line protocol for physical interfaces Ethernet 0/2 and Ethernet 0/3 goes up. Logical interface
Port-channel 1 also transitions to up state.
Assign the description "EChannel to SW3" to port channel 1 on SW1.
SW1(config-if-range)# exit
SW1(config)# interface port-channel 1
SW1(config-if)# description EChannel to SW3
SW1(config-if)# end
SW1#
Assign the description "EChannel to SW1" to port channel 1 on SW3.
SW3(config-if-range)# exit
SW3(config-if)# interface port-channel 1
SW3(config-if)# description EChannel to SW1
SW3(config-if)# end
SW3#
Display the interface status summary on SW1.
The port channel is up on SW1.

Po1 EChannel to SW3 connected trunk auto auto
Ethernet0/2 and 0/3 are still recognized as physical interfaces in Cisco IOS commands.
Display the interface status summary on SW3.
The port channel is up on SW3.

Et1/0 Link to SRV1 connected 10 auto auto unknown
Po1 EChannel to SW1 connected trunk auto auto
Ethernet0/2 and 0/3 are still recognized as physical interfaces in Cisco IOS commands.
Display the spanning tree for VLAN 10 on SW1. This will be revealing.
Ethernet0/2 and 0/3 are no longer visible to the spanning tree. Instead, they have been replaced
with the virtual port channel 1 interface.
VLAN0010
Cost 56
Port 65 (Port-channel1)

Aging Time 15 sec

------------------- ---- --- --------- -------- -------------------------------
-
Po1 Root FWD 56 128.65 Shr
If you are quick, Ethernet0/0 and 0/1 may be listening or learning. If so, repeat the command
until all interfaces are forwarding. The cost of the port channel is 56, which is much lower than
the cost of 100 that is assigned to individual interfaces.
The port channel is forwarding. The forwarding state implies that the port channel is forwarding
on all member interfaces. Remember that at the beginning of this discovery both Ethernet0/0 and
0/1 were blocking. They are now forwarding. These interfaces connect to SW4. Since the SW1
path back to the root now costs less due to the port channel, its ports have been selected as the
designated ports for these two links. SW4 is now alternate and blocking on these two links.
Verifying EtherChannel
You can use several commands to verify an EtherChannel configuration. You can first use the show
interface port-channel command to display the general status of the EtherChannel interface. In the
example, the port channel 1 interface is up.
When several port channel interfaces are configured on the same device, you can use the show
etherchannel summary command to simply display one line of information per port channel. In this
example, the switch has one EtherChannel configured; group 1 uses LACP. The interface bundle consists of
the FastEthernet0/1 and FastEthernet0/2 interfaces. You can see that the group is Layer 2 EtherChannel and
that it is in use (shown by the letters SU next to the port channel number).
Use the show etherchannel port-channel command to display information about the specific port channel
interface. In the example, the port channel 1 interface consists of two physical interfaces: FastEthernet0/1
and FastEthernet0/2. It uses LACP in active mode. It is properly connected to another switch with a
compatible configuration, which is why the port channel is said to be in use.
Load does not actually indicate the load over an interface. It is meant to be a hexadecimal value that
decodes which interface will be chosen for a specific flow of traffic.
Display the full status of the port channel 1 interface on SW1.
From this output, you can determine that the port channel is made up of Ethernet0/2 and 0/3 and
that the logical bandwidth on the channel is 20 Mbps.
SW1# show interfaces Port-channel 1
Port-channel1 is up, line protocol is up (connected)
Hardware is Ethernet, address is aabb.cc00.0530 (bia aabb.cc00.0530)
Description: EChannel to SW3
MTU 1500 bytes, BW 20000 Kbit/sec, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Auto-duplex, Auto-speed, media type is unknown
input flow-control is off, output flow-control is unsupported
Members in this channel: Et0/2 Et0/3
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
2041 packets input, 162930 bytes, 0 no buffer
Received 1858 broadcasts (0 multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 input packets with dribble condition detected
2069 packets output, 158394 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
Display the full EtherChannel status on SW1.
From this output, you can determine that the number of ports in this port channel is two. The
members are the Ethernet0/2 and Ethernet0/3 interfaces. The protocol that was used to build the
bundle is LACP.
SW1# show etherchannel port-channel
Channel-group listing:
----------------------
Group: 1
----------
Port-channels in the group:
---------------------------
Port-channel: Po1 (Primary Aggregator)
------------
Age of the Port-channel = 0d:01h:11m:56s

Logical slot/port = 16/0 Number of ports = 2
HotStandBy port = null
Port state = Port-channel Ag-Inuse
Protocol = LACP
Port security = Disabled
Ports in the Port-channel:
Index Load Port EC state No of bits

------+------+------+------------------+-----------
0 00 Et0/2 Active 0
0 00 Et0/3 Active 0
Time since last port bundled: 0d:01h:11m:39s Et0/2
Display the summary of EtherChannel status on SW1.
From this output, you can determine that the Layer 2 port channel 1 is made up of Ethernet0/2
and 0/3.
SW1# show etherchannel summary

Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
M - not in use, minimum links not met

u - unsuitable for bundling
w - waiting to be aggregated
d - default port
Number of channel-groups in use: 1

Number of aggregators: 1
Group Port-channel Protocol Ports

------+-------------+-----------+----------------------------------------------
-
1 Po1(SU) LACP Et0/2(P) Et0/3(P)
Self Check
You have just configured two EtherChannels between two switches. Each EtherChannel contains four
physical links. Which option describes how STP will react?
A. It will block one physical link within one of the EtherChannels.
B. It will block one entire EtherChannel.
C. It will block one physical link within each EtherChannel.
D. It will not block any links.
Which of the following is not true about "on" mode in Etherchannel ?

A. On mode manually places the interface in an EtherChannel, without any negotiation.
B. It works only if the other side is also set to on.
C. If the other side is set to negotiate parameters through PAgP, EtherChannel will form, because the
side that is set to on mode will negotiate by default.
Which option describes the primary purpose of LACP?

A. to enable switch ports with similar characteristics to form an EtherChannel through dynamic
negotiation with adjoining switches
B. to maintain EtherChannels that are configured by PAgP
C. to tear down EtherChannels that are created by PAgP after they are no longer needed
D. to work with PAgP to combine switch ports with similar characteristics into EtherChannels
E. to dynamically configure ports that have the same trunking status and trunk type with identical
speed, duplex, and VLAN settings so that they can be combined into an EtherChannel link
Refer to the figure. Which combination will result in an EtherChannel being established between the
two switches, which are running PAgP?
A. switch 1 DESIRABLE, switch 2 AUTO

B. switch 1 AUTO, switch 2 AUTO
C. switch 1 ACTIVE, switch 2 PASSIVE
D. switch 1 ACTIVE, switch 2 ACTIVE
You are about to configure one EtherChannel link between two switches. The EtherChannel will consist
of four physical links. Which option describes how STP will interoperate with this configuration?
A. STP will block all but one of the physical links.
B. STP will enable links to meet the traffic bandwidth requirements.
C. STP will prevent load balancing among the four links.
D. STP will not block any links.
Which option describes the primary purpose of EtherChannel?
A. enabling you to mix AC and DC power supply units in the same switch chassis
B. enabling network devices to send and receive data across shared networks with all the functionality
and security of a private network
C. providing additional bandwidth without the expense of link upgrades
D. enabling you to provide preferential treatment to high-priority traffic
Refer to the figure. Which two combinations will result in an EtherChannel being established between
the two switches, which is running LACP? (Choose two.)
A. switch 1 DESIRABLE, switch 2 AUTO

B. switch 1 ACTIVE, switch 2 ACTIVE
C. switch 1 DESIRABLE, switch 2 DESIRABLE
D. switch 1 ACTIVE, switch 2 PASSIVE
E. switch 1 PASSIVE, switch 2 PASSIVE
Answer Key
Self Check
1. B
2. C
3. A
4. A
5. D
6. C
7. B, D
Lesson 4: Understanding
Layer 3 Redundancy
Overview
The law firm calls CCS to ask about default gateway redundancy. Although the law firm has dual redundant
routers that connect to the Internet, none of the PCs at the firm can access the Internet because the primary
router went down due to a UPS failure. Bob asks if you are ready to go onsite with him to explain the
various FHRP options and then implement one.
Need for Default Gateway Redundancy
When the host determines that a destination IP network is not on its local subnet, it forwards the packet to
the default gateway. Although an IP host can run a dynamic routing protocol to build a list of reachable
networks, most IP hosts rely on a locally configured or dynamically learned through DHCP default gateway.
Having redundant equipment alone does not guarantee uptime. In this example, both router A and router B
are responsible for routing packets for the 10.1.10.0/24 subnet. Because the routers are deployed as a
redundant pair, if router A becomes unavailable, the IGP can quickly and dynamically converge and
determine that router B will now transfer packets that would otherwise have gone through router A. Most
workstations, servers, and printers, however, do not receive this dynamic routing information.
Each end device is configured with a single default gateway IP address that does not dynamically update
when the network topology changes. If the default gateway fails, the local device is unable to send packets
off the local network segment. As a result, the host is isolated from the rest of the network. Even if a
redundant router exists that could serve as a default gateway for that segment, there is no dynamic method
by which these devices can determine the address of a new default gateway.
Even though the example is illustrated on routers, it is equally valid on Layer 3 switches.
Understanding FHRP
The figure represents a generic router FHRP with a set of routers working together to present the illusion of
a single router to the hosts on the LAN. By sharing an IP (Layer 3) address and a MAC (Layer 2) address,
two or more routers can act as a single "virtual" router.
Hosts that are on the local subnet configure the IP address of the virtual router as their default gateway.
When a host needs to communicate to another IP host on a different subnet, it will use ARP to resolve the
MAC address of the default gateway. The ARP resolution returns the MAC address of the virtual router.
The packets that devices send to the MAC address of the virtual router can then be routed to their
destination by any active or standby router that is part of that virtual router group.
You use an FHRP to coordinate two or more routers as the devices that are responsible for processing the
packets that are sent to the virtual router. The host devices send traffic to the address of the virtual router.
The actual (physical) router that forwards this traffic is transparent to the end stations.
The redundancy protocol provides the mechanism for determining which router should take the active role
in forwarding traffic and determining when a standby router should take over that role. The transition from
one forwarding router to another is also transparent to the end devices.
Cisco routers and switches commonly use three FHRPs. A common feature of FHRPs is to provide a default
gateway failover that is transparent to hosts.
1. HSRP:HSRP is an FHRP that Cisco designed to create a redundancy framework between network
routers or switches in order to achieve default gateway failover capabilities. Only one router forwards
traffic. HSRP is defined in RFC 2281.
2. VRRP:VRRP is an open FHRP standard that offers the ability to add more than two routers for
additional redundancy. Only one router forwards traffic. VRRP is defined in RFC 5798.
3. GLBP:GLBP is an FHRP that Cisco designed to allow multiple active forwarders to load-balance
outgoing traffic.
When a route fails, the following steps take place:

1. The standby router stops seeing hello messages from the forwarding router.
2. The standby router assumes the role of the forwarding router.
3. Because the new forwarding router assumes both the IP and MAC addresses of the virtual router, the
end stations see no disruption in service.
Understanding HSRP
HSRP is an FHRP that allows for transparent failover of the first-hop IP device (default gateway). Most IP
hosts have an IP address of a single router configured as the default gateway. When you use HSRP, the
HSRP virtual IP address is configured as the default gateway for the host instead of the IP address of the
router.
HSRP defines a standby group of routers, with one router that is designated as the active router. HSRP
provides gateway redundancy by sharing IP and MAC addresses between redundant gateways. The protocol
consists of virtual MAC and IP addresses that two routers that belong to the same HSRP group share
between each other.
Hosts on the IP subnet that are protected by HSRP configure their default gateway with the HSRP group
virtual IP address. The packets that are received on the virtual IP address are forwarded to the active router.
HSRP Terminology
Term Definition
Active router The router that is currently forwarding packets for the virtual router
Standby router The primary backup router
Standby group The set of routers participating in HSRP that jointly emulate a virtual router
The function of the HSRP standby router is to monitor the operational status of the HSRP group and to
quickly assume the packet-forwarding responsibility if the active router becomes inoperable.
HSRP is a Cisco proprietary protocol, and VRRP is a standard protocol. Beyond this fact, the differences
between HSRP and VRRP are very slight.
Besides the default behavior, you can configure some other HSRP features to increase you network
availability and performance:
• Interface tracking: When a tracked interface becomes unavailable, the HSRP tracking feature ensures
that a router with an unavailable key interface will relinquish the active router role.
• Load Balancing: Routers can simultaneously provide redundant backup and perform load sharing across
various subnets and VLANs.
Discovery 5: Configure and Verify HSRP
Introduction
In this guided discovery, you will work with HSRP. Hosts on IP networks usually only have a single IP
address that is configured as their default gateway. HSRP allows two physical routers to work together in an
HSRP group to provide a virtual IP address and an associated virtual MAC address.
The end hosts use the virtual IP address as their default gateway and learn the virtual MAC address via
ARP. One of the routers in the group is active and responsible for the virtual addresses. The other router is
in a standby state and monitors the active router.
If there is a failure on the active router, the standby router assumes the active state. The virtual addresses
are always functional, regardless of which physical router is responsible for them. The end hosts are not
aware of any changes in the physical routers.
Consult the topology diagram. The live virtual lab is prepared with the devices that are represented in the
topology diagram and the connectivity table. All devices have their basic configurations in place, including
hostnames and IP addresses. RIP is configured on the three routers, making both R1 and R2 aware of the
10.10.99.0 subnet that is connected to R3.
The two PCs are configured with 10.10.1.1 as their default gateway. Note that this address does not yet exist
in the topology. R1 uses 10.10.1.2 and R2 uses 10.10.1.3. In this discovery, you will configure and verify
HSRP on R1 and R2, using 10.10.1.1 as the virtual IP address.
You will start by verifying the initial state on PC1 and R1. You will then configure and verify HSRP on R1.
It only takes one functional router in an HSRP group to provide forwarding services for the end hosts on the
network. You will then configure and verify HSRP on R2. Finally, you will cause a fault in R1 and then
verify that R2 takes over the HSRP active role.
Topology
Job Aid

• RIP is configured on the three routers, making both R1 and R2 aware of the 10.10.99.0 subnet that is
connected to R3.
• The two PCs are configured with 10.10.1.1 as their default gateway. Note that this address does not yet
exist in the topology
Device Details
PC1 Ethernet0/0 SW1 10.10.1.10/24
PC2 Ethernet0/0 SW2 10.10.1.20/24
R1 Ethernet0/0 SW1 10.10.1.2/24
R1 Ethernet0/1 R3 10.1.1.2/30
R2 Ethernet0/0 SW2 10.10.1.3/24
R2 Ethernet0/1 R3 10.1.1.6/30
R3 Ethernet0/0 R1 10.1.1.1/30
R3 Ethernet0/1 R2 10.1.1.5/30
R3 Loopback0 — 10.10.99.1/24
Task 1: Configure and Verify HSRP

Activity
Access the console of PC1. View its routing table to verify that 10.10.1.1 is indeed its default
gateway. Also, attempt to ping 10.10.1.1 to verify that it does not yet exist on the network.
Enter these commands on PC1:
PC1# show ip routeDefault gateway is 10.10.1.1
Host Gateway Last Use Total Uses Interface

ICMP redirect cache is empty
PC1# ping 10.10.1.1

.....
PC1 is not running any dynamic routing protocols. Default gateway is configured with IP
address 10.10.1.1, which does not yet exist. This is why ping operation fails.
Access the console of R1 and verify that the IP address of its Ethernet0/0 interface is 10.10.1.2.
Enter this command on the R1 router:

Prot ocol
Ethernet0/010.10.1.2 YES NVRAM up up
Ethernet0/1 10.1.1.2 YES NVRAM up up
down
down
Access the console of R2 and verify that the IP address of its Ethernet0/0 interface is 10.10.1.3.
Protocol
down
down
HSRP Configuration
All basic HSRP configuration is performed in the interface configuration mode by using the standby
command. The standby ip interface configuration command activates HSRP on the configured interface. If
an IP address is specified, that address is used as the designated address for the Hot Standby group.
A router in an HSRP group can be any routed interface that supports HSRP, including routed ports on Layer
3 switches and SVIs.
Command Description
standby[group-number]ip[ip- Establishes the HSRP group ID and the virtual router IP address. The
address] group number on the interface specifies the group for which HSRP is being
enabled. The range is 0 to 255; the default is 0. If there is only one HSRP
group, you do not need to enter a group number. The IP address specifies
the virtual IP address of the hot standby router interface.
Command Description
standby [group- Set a priority value used in choosing the active router. The range is 1 to
number]prioritypriority 255; the default priority is 100. The highest number represents the highest
priority.
standby [group-number] preempt Configure the router to preempt , which means that when the local router
has a higher priority than the active router, the local router becomes the
active router.
standby version { 1 | 2 } Configure the HSRP version on the interface. If you do not enter this
command or do not specify a keyword, the interface runs the default HSRP
version, HSRPv1.
Assigning a priority allows you to select the active and standby routers. If preemption is enabled, the router
with the highest priority becomes the active router. If priorities are equal, the current active router does not
change. The highest number (1 to 255) represents the highest priority (most likely to become the active
router).
Configure HSRP for R1 on Ethernet0/0. Assign the virtual IP address 10.10.1.1 and the HSRP
group number 1.
Enter these commands on the R1 router:
R1# conf t
R1(config)# interface Ethernet0/0
R1(config-if)# standby 1 ip 10.10.1.1
R1(config-if)# end
R1#
*Nov 20 07:57:10.405: %HSRP-5-STATECHANGE: Ethernet0/0 Grp 1 state Standby ->
Active
Wait for the syslog message that indicates that R1 has transitioned to the active HSRP state
before continuing. It will take 20 seconds from the time that you enabled HSRP.
Once HSRP is enabled on R1, it listens for HSRP Hello messages to determine if there is another
HSRP device on the subnet. Since R1 is currently the only HSRP device, it becomes the active
HSRP node and then begins sending Hello messages.
HSRP Verification
The show standby command is used to monitor the HSRP state on each router in the standby group.
Display the HSRP status on R1.
R1# show standby

Ethernet0/0 - Group 1
State is Active
2 state changes, last state change 00:17:49
Virtual IP address is 10.10.1.1
Active virtual MAC address is 0000.0c07.ac01
Local virtual MAC address is 0000.0c07.ac01 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.240 secs
Preemption disabled
Active router is localStandby router is unknown
Priority 100 (default 100)
Group name is "hsrp-Et0/0-1" (default)
R1 is the active HSRP router and the standby router is unknown. R2 has not yet been configured,
so there is no standby router.
A virtual MAC address 0000.0c07.ac01 is associated with the virtual IP address 10.10.1.1. Both
the MAC address and the IP address will be shared by the HSRP routers.
The Active virtual MAC address is formed from the well-known 5-byte prefix 0000.0c07.ac and
the HSRP group number is encoded into the 1-byte suffix.
Verify the real MAC address that is assigned to Ethernet0/0 on R1.
R1# show interfaces Ethernet0/0
Ethernet0/0 is up, line protocol is up
Hardware is AmdP2, address is aabb.cc00.0300 (bia aabb.cc00.0300)
Description: Link to SW1
Internet address is 10.10.1.2/24
This MAC address is associated with the real IP address 10.10.1.2 on R1. The MAC address
might differ in your output.
Access the console of PC1. Verify that you can now ping 10.10.1.1, which is the default gateway
configured on PC1. Also ping 10.10.99.1, which should only be reachable from PC1 if its default
gateway is available.
Enter these commands on the PC1 router:
PC1# ping 10.10.1.1

.!!!!
PC1# ping 10.10.99.1

!!!!!
View the ARP cache on PC1.
Enter this command on the PC1 router:
PC1# show arp

Internet 10.10.1.1 0 0000.0c07.ac01 ARPA Ethernet0/0
Note that the MAC address that is associated with 10.10.1.1 is the HSRP virtual MAC address
and not the Ethernet0/0 physical MAC address for R1.
Access the console of R2. Configure HSRP on Ethernet0/0. Assign the virtual IP address
10.10.1.1 and the HSRP group number to 1.
R2# conf t
R2(config-if)# end
R2#
*Nov 20 09:05:13.312: %HSRP-5-STATECHANGE: Ethernet0/0 Grp 1 state Speak ->
Standby
Because R1 is already in the active state, R2 will transition to the standby state. Wait for the
syslog message that indicates this transition.
R2 receives a Hello message from R1 and assumes the standby state. If R2 detects three missed
Hello messages from R1, R2 will promote itself to the active state.
R2# show standby

State is Standby
1 state change, last state change 00:06:34
Preemption disabled
Active router is 10.10.1.2, priority 100 (expires in 11.152 sec)
Standby router is local
R2 is in the standby state and uses the same virtual IP address and virtual MAC address that R1
uses. R2 is aware that R1 (10.10.1.2) is the active router.
The virtual MAC address is shared by active and standby HSRP devices. When an IP host sends
an ARP request for its default gateway, the active HSRP router responds with the virtual MAC
address. If the active HSRP router fails, the MAC address of the default IP address does not
change.
Access the console of R1 and display the status of HSRP again.
R1# show standby

State is Active
Preemption disabled
Active router is localStandby router is 10.10.1.3, priority 100 (expires in
9.456 sec)
As it was before, R1 is in the active state and is using the virtual IP address and virtual MAC
address. R1 is now aware of R2 (10.10.1.3) as the standby router in the HSRP group.
Cause a fault on R1 by disabling its Ethernet0/0 interface. Observe the syslog messages
indicating the state changes.
R1# conf t
R1(config-if)# shutdown
*Nov 20 10:06:52.369: %HSRP-5-STATECHANGE: Ethernet0/0 Grp 1 state Active ->
Init
R1(config-if)#
*Nov 20 10:06:54.375: %LINK-5-CHANGED: Interface Ethernet0/0, changed state to
*Nov 20 10:06:55.379: %LINEPROTO-5-UPDOWN: Line protocol on Interface
HSRP reacts even before the interface changes state.
View the status of HSRP on R1.
R1(config-if)# end
R1# show standby
State is Init (interface down)
Active virtual MAC address is unknown
Preemption disabled
Active router is unknownStandby router is unknown
R1 goes to HSRP state "Init."
Observe the syslog messages on R2 that were produced in association with the HSRP activity.
Also display the status of HSRP, verifying that R2 is now in the active state.
R2#
Active
R2# show standby

State is Active
Preemption disabled
R2 is now the active HSRP router. The standby router is unknown because R1 is offline. The
virtual IP address and the virtual MAC address remain unchanged.
Access the console of PC1. Verify that, even though there has been a change in the physical
routers, PC1 still has access to the 10.10.99.1 IP address.
PC1# ping 10.10.99.1

!!!!!
View the ARP cache on PC1.
PC1# show arp

Internet 10.10.1.1 18 0000.0c07.ac01 ARPA Ethernet0/0
Note that the MAC address that is associated with 10.10.1.1 is still the HSRP virtual MAC
address.
Return to R1. Enable the Ethernet0/0 interface. Wait for the link and HSRP status messages.
R1# conf t
R1(config-if)# no shutdown
*Nov 20 10:41:54.804: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to
up
*Nov 20 10:41:55.804: %LINEPROTO-5-UPDOWN: Line protocol on Interface
*Nov 20 10:42:17.140: %HSRP-5-STATECHANGE: Ethernet0/0 Grp 1 state Speak ->
Standby
R1 goes to HSRP standby state.
View the status of HSRP on R1.
R1(config-if)# end
R1# show standby
State is Standby
Preemption disabledActive router is 10.10.1.3, priority 100 (expires in 9.456
sec)
You may have expected R1 to return to the active state. This change does not happen by default.
HSRP does support the concept of priority-based preemption but it is disabled by default. Even if
preemption was enabled, both R1 and R2 have the same (default) priority of 100.
Discovery 6: Troubleshoot HSRP
Introduction
In this guided discovery, you will work with typical HSRP configuration issues. You will see a duplicated
IP address issue on both R1 and R2 routers. The reason for this issue is HSRP misconfiguration.
The desired HSRP configuration uses 10.10.1.1 as the virtual IP address in the HSRP group 1, and R1 is the
active HSRP router. This is not the case, so you will perform troubleshooting steps to isolate the
configuration issues.
Topology
Job Aid

• RIP is configured on the three routers, making both R1 and R2 aware of the 10.10.99.0 subnet that is
connected to R3.
• The two PCs are configured with 10.10.1.1 as their default gateway.
• HSRP is preconfigured but it does not behave as expected. The desired behavior is as follows:
– Virtual IP address should be 10.10.1.1.
– The used HSRP group should be 1.
– The used HSRP version should be 1.
– R1 should be the active HSRP router, while the R2 should be in the standby state.
Device Details
PC1 Ethernet0/0 SW1 10.10.1.10/24
PC2 Ethernet0/0 SW2 10.10.1.20/24
R1 Ethernet0/0 SW1 10.10.1.2/24
R1 Ethernet0/1 R3 10.1.1.2/30
R2 Ethernet0/0 SW2 10.10.1.3/24
R2 Ethernet0/1 R3 10.1.1.6/30
R3 Ethernet0/0 R1 10.1.1.1/30
R3 Ethernet0/1 R2 10.1.1.5/30
R3 Loopback0 10.10.99.1/24
Task 1: Troubleshoot HSRP

Activity
There are several possible misconfigurations of HSRP:
• Different HSRP virtual IP addresses could be configured. Console messages will notify you about this
situation. With such a configuration, when the active router fails, the standby router takes over with a
virtual IP address, which is different to the one used previously, and different to the one configured as
the default-gateway address for end devices.
• If a wrong HSRP group is configured on the peers, this misconfiguration leads to both peers becoming
active. This issue will manifest as a duplicate IP address problem.
• HSRP comes in 2 versions, 1 and 2. If there is a version mismatch, both routers will become active.
This mismatch results in duplicate IP addresses.
Most of the HSRP misconfiguration problems can be solved by checking the output of the show standby
command. In the output, you can notice the active IP and the MAC address, the timers, the active router,
and several others parameters.
HSRP messages are sent to the multicast IP address 224.0.0.2 and UDP port 1985 in version 1 and the
multicast IP address 224.0.0.102 and UDP port 1985 in version 2. These IP addresses and ports need to be
permitted in the inbound access lists. If the packets are blocked, the peers will not see each other and there
will be no HSRP redundancy. To check the interface access list, use the show ip interface command.
Assigning a priority allows you to select the active and standby routers. If preemption is enabled, the router
with the highest priority becomes the active router. If priorities are equal, the current active router does not
change. The highest number (1 to 255) represents the highest priority (most likely to become the active
router).
Access the console of R1 and observe the output.
Observe the output on R1 router:
R1#
*Nov 30 17:04:40.901: %IP-4-DUPADDR: Duplicate address 10.10.1.1 on
Ethernet0/0, sourced by 0000.0c9f.f002
The console messages indicate that there is a duplicate IP address problem in the network.
Source of the duplicate address is device R2 with the MAC address 0000.0C9F.F002, which is
an HSRP version 2 format MAC address. HSRP version 2 uses a new MAC address range
0000.0C9F.F0XX, where XX is the group number.
Access the console of R2 and observe the output.
Observe the output on R2 router:
R2#
*Nov 30 17:05:06.904: %IP-4-DUPADDR: Duplicate address 10.10.1.1 on
Ethernet0/0, sourced by 0000.0c07.ac01
The console messages indicate that there is a duplicate IP address problem in the network.
Source of the duplicate address is device R1 with MAC address 0000.0C07.AC01, which is an
HSRP version 1 format MAC address. HSRP version 1 uses MAC addresses 0000.0c07.acXX,
where XX is the HSRP group number.
R1# show standbyEthernet0/0 - Group 1

State is Active
Preemption enabled
Priority 99 (configured 99)
HSRP was configured on the Ethernet0/0 interface for HSRP group 1. This router is the active
router for this group, but the standby router is unknown. The HSRP version in use is 1.
Also note that the virtual MAC address equals the source MAC address of the duplicated IP
address that is received on the R2 router.
R2# show standbyEthernet0/0 - Group 2 (version 2)

State is Active
Active virtual MAC address is 0000.0c9f.f002
Local virtual MAC address is 0000.0c9f.f002 (v2 default)
Preemption disabled
HSRP was configured on the Ethernet0/0 interface for HSRP group 2. This router is the active
router for this group, but the standby router is unknown. R1 and R2 are not HSRP aware of each
other, as they are configured for different HSRP groups.
The HSRP version that R2 uses is 2. The R1 router uses version 1.
Also note that the virtual MAC address equals the source MAC address of the duplicated IP
address received on the R2 router.
Verify the configuration of the Ethernet0/0 interface on R1.
R1# show running-config interface Ethernet0/0

!
ip address 10.10.1.2 255.255.255.0
standby 1 ip 10.10.1.1
standby 1 priority 99
standby 1 preempt
end
The virtual IP address 10.10.1.1 is configured for HSRP group 1. The default HSRP version is 1.
Verify the configuration of the Ethernet0/0 interface on R2.


!
ip address 10.10.1.3 255.255.255.0
standby version 2
standby 1 preempt
standby 2 ip 10.10.1.1
The virtual IP address 10.10.1.1 is configured for HSRP group 2. The HSRP version in use is 2.
There is clearly a mismatch in HSRP group and version configuration between routers R1 and
R2.
Access the console of the R2 router and fix the configuration.
R2# conf t
R2(config-if)# no standby version 2
R2(config-if)#
*Nov 30 18:40:41.389: %HSRP-5-STATECHANGE: Ethernet0/0 Grp 2 state Active ->
Init
R2(config-if)# no standby 2 ip 10.10.1.1
R2(config-if)#
*Nov 30 18:41:11.629: %HSRP-5-STATECHANGE: Ethernet0/0 Grp 1 state Listen ->
Active
R2(config-if)# end
R2#
You need to change the HSRP version from 2 to 1 on the R2 router. The default HSRP version is
1.
You also need to change the HSRP group from 2 to 1 for virtual IP address 10.10.1.1.
After you perform these two changes, routers R1 and R2 become HSRP-aware of each other. R2
becomes the active router.
R1# show standbyEthernet0/0 - Group 1State is Standby

Preemption enabledActive router is 10.10.1.3, priority 100 (expires in 10.976
sec)
Routers are now aware of each other as they are both configured for the same HSRP group with
matching HSRP versions. R1 is the standby router because of the lower priority.
R2# show standbyEthernet0/0 - Group 1State is Active

1 state change, last state change 00:16:59
Preemption enabledActive router is localStandby router is 10.10.1.2, priority
99 (expires in 7.872 sec)
R2 is the active router because the configured priority is higher.
Access the console of R1 and increase the HSRP priority, so that R1 will become HSRP-active.
R1# conf t
R1(config-if)# standby 1 priority 101
R1(config-if)#
Active
R1(config-if)# end
R1#
As preemption is enabled on both routers R1 and R2, HSRP state changes. R1 becomes the
active HSRP router.
R1# show standby
State is Active
Preemption enabledActive router is localStandby router is 10.10.1.3, priority
100 (expires in 9.312 sec)
R1 is the active router with priority 101, R2 is the standby router with priority 100.
Also note that preemption is enabled.
R2# show standby

State is Standby
Preemption enabledActive router is 10.10.1.2, priority 101 (expires in 8.720
sec)
Standby router is localPriority 100 (default 100)
R2 is the standby router with priority 100, R1 is the active router with priority 101.
Also note that preemption is enabled.
Self Check
What is the function of an FHRP?

A. The FHRP supplies hosts with routing information.
B. The FHRP is a routing protocol.
C. The FHRP provides default gateway redundancy.
D. The FHRP is standards-based.
Which of the following is not an HSRP state ? (Choose two)

A. INIT
B. ACTIVE
C. ESTABLISHED
D. IDLE
Which command configures an interface to enable HSRP with the virtual router IP address 10.10.1.1?
A. standby 1 ip 10.10.1.1
B. ip hsrp 1 standby 10.10.1.1
C. hsrp 1 ip 10.10.1.1
D. standby 1 hsrp ip 10.10.1.1
Which command displays the status of all HSRP groups on a Cisco router or Layer 3 switch?
A. show ip hsrp
B. show hsrp
C. show standby hsrp
D. show standby
E. show hsrp groups
Two routers are part of HSRP standby group. There was no priority configured on the routers for the
HSRP group. Which of the statements below is correct ?
A. Both routers will be in ACTIVE state.
B. Both routers will be in STANDBY state.
C. Both routers will be in LISTEN state.
D. One router will be ACTIVE and other STANDBY state
E. None of the above.
Which of the following statement is true about the HSRP version 1 hello packet ?
A. HSRP hello packets are sent to multicast address 224.0.0.2 with UDP port 1985.
B. HSRP hello packets are sent to multicast address 224.0.0.5.
C. HSRP hello packets are sent to multicast address 224.0.0.2 with TCP port 1985
D. HSRP hello packets are sent to multicast address 224.0.0.10 with UDP port 1986.
R1 and R2 are in HSRP group 1. R1 is the active router with a priority of 120 and R2 has the default
priority. Now, R1 reboots and so R2 becomes the active router. Once R1 is back up , which of the
following statement will be true ?
A. R1 will become the active router.
B. R1 will become the active router again if preempt is enabled.
C. Both routers will be in active state.
D. Both routers will be in standby state.
Answer Key
Self Check
1. C
2. C, D
3. A
4. D
5. D
6. A
7. B
Module 2: Troubleshooting
Basic Connectivity
Here you will learn how to troubleshoot end-to-end connectivity in an IPv4 network and connectivity in an
IPv6 network.
IPv4 Network Connectivity
Overview
Various customers have called CCS with complaints involving network connectivity problems, and several
trouble tickets have been created. Bob has assigned all the network connectivity trouble tickets to you.
Troubleshooting Guidelines
It is impossible to write a set of troubleshooting procedures that will solve any IP connectivity problem. The
troubleshooting process can be guided by structured methods, but the exact steps that are taken at each point
along the way cannot be prescribed because they depend on many different factors. Each network is
different, each problem is different, and the skill set and experience of each engineer that is involved in a
troubleshooting process are different.
When end-to-end connectivity is not operational, the user will inform the network administrator. The
administrator will start the troubleshooting process, as shown in the figure.
When there is no end-to-end connectivity, the following are some items that you should investigate:
• Check the cables, because there might be a faulty cable or interface. This is a link by link test. You may
need to check each cable that lies in the packet path (the path between the source and destination
devices that are experiencing connectivity problems).
• Make sure that the devices are determining the correct path from the source to the destination.
Manipulate the routing information, if needed.
• Verify that the default gateway is correct.
• Verify that the name resolution settings are correct.
• Verify that there are no ACLs that are blocking traffic.
After every failed troubleshooting step, you should provide a solution to make the step successful. The
outcome of this process is operational end-to-end connectivity.
Discovery 7: Use Troubleshooting Tools
Introduction
In this discovery, you will learn how to use some basic commands for verifying end-to-end connectivity in
an IP network. The live virtual lab is prepared with the devices that are represented in the topology diagram
and the connectivity table. All devices have their basic configurations in place, including hostnames and IP
addresses. RIP is configured on the routers. There are no issues to troubleshoot with the network. The goal
of this discovery is not to complete troubleshooting tasks but to become familiar with some basic
troubleshooting tools.
Topology
Job Aid

• RIP is configured on R1 and R2.
Device Details
PC1 Ethernet0/0 SW1 10.10.1.10/24
SRV1 Ethernet0/0 R2 10.10.3.30/24
SW1 VLAN 1 — 10.10.1.4/24
SW1 Ethernet0/0 PC1 —
SW1 Ethernet1/1 R1 —
R1 Ethernet1/1 SW1 10.10.1.1/24
R1 Ethernet1/0 R2 10.1.1.2/30
R2 Ethernet1/0 R1 10.1.1.1/30
R2 Ethernet0/0 SRV1 10.10.3.1/24
The PC and SRV in the virtual lab environment are simulated as routers, so you should use Cisco IOS
Task 1: Use Troubleshooting Tools

Activity
Access the console of PC1. Ping SRV1 by its IP address.
The IP address of SRV1 is 10.10.3.30. You can verify this information in the Job Aid section.
PC1# ping 10.10.3.30

.!!!!
It is common for the first one or two probes of a ping attempt to time out if there are devices in
the path that do not currently have ARP cache entries for their peers. When all ARP caches are
properly populated, the ping attempts should be consistently successful.
Attempt to ping the address 10.10.3.40. This address is on a valid subnet, but there is no host that
is using the address.
Remember to take advantage of the IOS command history feature. It is easier to press the Page
Up key and edit the previous command than it is to type this command.
PC1# ping 10.10.3.40

.....
If there is no response to the ICMP echo request within the timeout interval, the IOS ping
displays the period (.) character.
Attempt to ping the address 10.10.4.40. This address is on a nonexistent subnet.
PC1# ping 10.10.4.40

U.U.U
In this case, because the network did not exist in the routing table of R1, R1 returned an ICMP
unreachable error message to PC1. As a result, the ping command displays the "U" character.
The difference between a timeout and an explicit unreachable message can be significant for
troubleshooting.
Using IP SLA for Troubleshooting
Instead of using ping manually, you can use an IP SLA ICMP echo test to test the availability of far-end
devices. The far-end device can be any device with IP capabilities—a router, switch, PC, server, and so on.
There are several common functions for the IP SLA measurements:

• Edge-to-edge network availability monitoring
– For example, packet loss statistics
• Network performance monitoring and network performance visibility
– For example, network latency and response time
• Troubleshooting of network operation
– For example, end-to-end network connectivity
The ICMP Echo is only one of the available IP SLA tests. You can have multiple IP SLA operations
(measurements) running in a network at any given time.
The following table describes the commands that you can use to configure an IP SLA ICMP Echo test.
Command Description
ip slaoperation-number Creates an IP SLAs operation and enters the IP SLAs configuration mode.
icmp-echodestination-ip-address Configures an ICMP Echo test for the specified destination.
frequency seconds (Optional) Sets the rate at which a specified IP SLAs operation repeats. The
range is from 1 to 604800 seconds; the default is 60 seconds.
ip sla scheduleoperation-number [life Configures the scheduling parameters for an individual IP SLAs operation.
{forever | seconds}] [start-time • With the life keyword, you set how long the IP SLA test will run. If you
{hh:mm[:ss] [monthday | daymonth] | choose forever, the test will run until you manually remove it. By
pending | now | afterhh:mm:ss}] default, the IP SLA test will run for 1 hour.
[ageoutseconds] [recurring]
• With the start-time keyword, you will set when the IP SLA test
should start. You can start the test right away by issuing the now
keyword, or you can configure a delayed start.
• With the ageout keyword, you can control how long the collected data
is kept.
• With the recurring keyword, you can schedule a test to run

periodically—for example, at the same time each day.
After an IP SLA test is scheduled to run, you will not be able to modify it.
Access the console of R1 and configure an IP SLA ICMP Echo test to the SRV1 IP address
(10.10.3.30).
Define the IP SLA with the number 1 and set the frequency to 10 seconds.
R1# conf t
R1(config)# ip sla 1
R1(config-ip-sla)# icmp-echo 10.10.3.30
R1(config-ip-sla-echo)# frequency 10
R1(config-ip-sla-echo)# exit
Schedule IP SLA 1 on R1 to perform an ICMP Echo test forever and to start running now.
R1(config)# ip sla schedule 1 life forever start-time now

R1(config)# exit
Verifying IP SLA Operation
Use the show ip sla configuration command to verify the configured parameters. If you want to investigate
the results of the test, you should use the show ip sla statistics command.
On R1, verify the IP SLA configuration.
R1 should have an ICMP Echo test configured to the SRV1 IP address. The test should run every
10 seconds and should be scheduled to run forever.
R1# show ip sla configuration

IP SLAs Infrastructure Engine-III
Entry number: 1
Owner:
Tag:
Operation timeout (milliseconds): 5000
Type of operation to perform: icmp-echoTarget address/Source address:
10.10.3.30/0.0.0.0
Type Of Service parameter: 0x0
Request size (ARR data portion): 28
Verify data: No
Vrf Name:
Schedule:
Operation frequency (seconds): 10 (not considered if randomly scheduled)
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Randomly Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
On R1, verify the IP SLA statistics to verify that SRV1 is reachable.
R1# show ip sla statistics

IPSLAs Latest Operation Statistics
IPSLA operation id: 1

Latest RTT: 1 milliseconds
Latest operation start time: 15:08:23 PST Thu Nov 5 2015
Latest operation return code: OKNumber of successes: 91
Number of failures: 0
Operation time to live: Forever
The IP SLA 1 test on R1 has been successfully performed 91 times and the test never failed.
Note that these numbers may differ in your output.
Execute a traceroute command that targets the SRV1 IP address.
PC1# traceroute 10.10.3.30

Tracing the route to SRV1 (10.10.3.30)
VRF info: (vrf in name/id, vrf out name/id)
1 10.10.1.1 1 msec 0 msec 0 msec
2 10.1.1.1 1 msec 0 msec 1 msec
3 SRV1 (10.10.3.30) 0 msec * 1 msec
The traceroute displays the "near-side" IP address of every router in the path to the destination IP
address.
The traceroute attempts to display both the DNS hostname and the IP address of each hop in the
path. This information is evident in the last line in the example output. There is no DNS service
in the virtual lab environment, but a static IP host entry for SRV1 has been set in the PC1
configuration.
Note: In the emulated virtual lab environment, it is normal for the middle probe to the final
destination to time out.
Attempt a traceroute to the nonexistent address 10.10.3.40. Because the destination cannot be
reached, the traceroute will continue to send probes with consistently higher TTL values.
The traceroute will terminate after 30 hops. However, you can interrupt it at any time by pressing
the Ctrl-Shift-6 keys simultaneously.

Tracing the route to 10.10.3.40
1 10.10.1.1 1 msec 0 msec 1 msec
2 10.1.1.1 0 msec 0 msec 0 msec
3 * * *
4 * * <Ctrl-Shift-6>
A traceroute sends a series of IP probe packets. It first sends three probes with a TTL = 1. The
probes will reach the first hop, which will decrement the TTL to 0. Because the first hop is not
allowed to forward the packet with an expired TTL, it returns ICMP unreachable messages,
which the traceroute program processes. The traceroute will then send three probes with a TTL =
2, which will make it to the second hop. It continues to increase the TTL until the final
destination responds.
Verify Telnet reachability for SRV1. Verify that the prompt shows SRV1, then terminate the
Telnet session with the exit command.
Log in with the password Cisco123.
PC1# telnet 10.10.3.30

Trying 10.10.3.30 ... Open
User Access Verification
Password:
SRV1>exit
[Connection to 10.10.3.30 closed by foreign host]

PC1#
Verify that SRV1 is running an HTTP service on the TCP port 80 by using the telnet command.
Because you cannot mimic the behavior of a web browser from the TelnetCLI, enter a few
random characters and press Enter. SRV1 returns an error message and terminates the
connection.
PC1# telnet 10.10.3.30 80
Trying 10.10.3.30, 80 ... Openaaa <Enter>
HTTP/1.1 400 Bad Request
Date: Thu, 05 Nov 2015 12:42:11 GMT
Server: cisco-IOS
Accept-Ranges: none
400 Bad Request

PC1#
Remember that Telnet uses TCP to test connectivity. By default, it will connect to port 23, but
you can also specify other ports.
Demonstrate that SRV1 is not running an FTP service on TCP port 21 by using the telnet
command.
PC1# telnet 10.10.3.30 21

Trying 10.10.3.30, 21 ...
% Connection refused by remote host
PC1#
Display the ARP cache on PC1, verifying that it has an entry that associates the IP address and
MAC address of its default gateway.
The default gateway is the IP address of the Ethernet1/1 interface (10.10.1.1) of R1.
PC1# show arp

Internet 10.10.1.1 19 aabb.cc00.4511 ARPA Ethernet0/0
Internet 10.10.1.10 - aabb.cc00.4200 ARPA Ethernet0/0
Display the ARP cache on R1, verifying that it has an entry that associates the IP address and
MAC address of PC1.
R1# show arp

Access the console of SW1 and display its MAC address table. Observe the switch ports that are
associated with the MAC addresses of PC1 and R1.
SW1# show mac address-table
Mac Address Table
-------------------------------------------

---- ----------- -------- -----
Troubleshooting Physical Connectivity Issue
Inevitably, troubleshooting processes involve a component of hardware troubleshooting. There are three
main categories of issues that could be the cause of a failure on the network: hardware failures, software
failures (bugs), and configuration errors. A fourth category might be performance problems, but
performance problems are more a symptom than a cause of a problem.
After you have used the ping and traceroute utilities to determine that a network connectivity problem
exists and where it exists, check to see if there are physical connectivity issues before you get involved in
more complex troubleshooting. You could spend hours troubleshooting a situation only to find that a
network cable is loose or malfunctioning.
If you have physical access to devices that you suspect are causing network problems, you can save
troubleshooting time by looking at the port LEDs. The port LEDs show the link status and can indicate an
error condition. If a link light for a port is not on, make sure that both ends of the cable are plugged into the
correct ports.
The interfaces that the traffic passes through are another component that is always worth verifying when
you are troubleshooting performance-related issues and you suspect the hardware to be at fault. Usually, the
interfaces are one of the first things that you would verify while tracing the path between devices.
The output of the show interface command lists these important statistics that should be checked. The first
line of the output from this command tells you whether an interface is up or down.
The output of the show interface command also displays the following important statistics:
• Input queue drops: Input queue drops (and the related ignored and throttle counters) signify the fact
that at some point more traffic was delivered to the router than it could process. This situation does not
necessarily indicate a problem because it could be normal during traffic peaks. However, it could be an
indication that the CPU cannot process packets in time. So if this number is consistently high, you
should try to determine at which moments these counters are increasing and how this increase relates to
the CPU usage.
• Output queue drops: Output queue drops indicate that packets were dropped due to a congestion on
the interface. Seeing output drops is normal at any point where the aggregate input traffic is higher than
the output traffic. During traffic peaks, the packets are dropped if traffic is delivered to the interface
faster than the interface can send it out. However, although this setting is considered normal behavior, it
leads to packet drops and queuing delays, so applications that are sensitive to packet drops and queuing
delays, such as VoIP, might suffer from performance issues. Consistent output drops might indicate that
you need to implement an advanced queuing mechanism to provide good QoS to each application.
• Input errors: Input errors indicate errors that are experienced during the reception of the frame, such as
CRC errors. High numbers of CRC errors could indicate cabling problems, interface hardware
problems, or, in an Ethernet-based network, duplex mismatches.
• Output errors: Output errors indicate errors, such as collisions, during the transmission of a frame. In
most Ethernet-based networks, full-duplex transmission is the norm and half-duplex transmission is the
exception. In full-duplex transmission, operation collisions cannot occur. Therefore, collisions,
especially late collisions, often indicate duplex mismatches.
A common cause of interface errors is mismatched duplex setting between two ends of an Ethernet link.
Most Ethernet links today operate in the full-duplex mode. Also, point-to-point Ethernet links should always
run in the full-duplex mode. While collisions were formerly seen as normal occurrences for an Ethernet
link, collisions today often indicate that duplex negotiation has failed and that the link is not operating in the
correct duplex mode. The half-duplex mode is relatively rare today and you can typically see it in
environments that use hubs. However, half duplex on both ends of a connection still performs better than a
duplex mismatch.
The IEEE 802.3ab Gigabit Ethernet standard mandates the use of autonegotiation for speed and duplex.
Also, although autonegotiation is not mandatory, practically all Fast Ethernet NICs also use it by default.
The use of autonegotiation for speed and duplex is the current recommended practice for ports that are
connected to noncritical endpoints. You should manually set the speed and duplex on links between
networking devices and ports that are connected to critical endpoints, such as servers.
However, if duplex negotiation fails for some reason, you might have to set the speed and duplex manually
on both ends. Typically, it would mean setting the duplex mode to full duplex on both ends of the
connection.
The table summarizes possible settings of speed and duplex for a connection between a switch port and an
end-device NIC. The table gives just a general idea about speed and duplex misconfiguration combinations.
Speed and Duplex Settings for End-Device NIC and Switch Connections
Configuration NIC Configuration Resulting NIC Resulting Switch Comments

(Speed, Duplex) Switch (Speed, (Speed, Duplex) (Speed, Duplex)
Duplex)
AUTO AUTO 1000 Mbps, 1000 Mbps, Assuming that the maximum
full duplex full duplex capability of a Cisco Catalyst
switch and NIC is 1000 Mbps,
full duplex.
Duplex)
1000 Mbps, AUTO 1000 Mbps, 1000 Mbps, A link is established, but the
full duplex full duplex full duplex switch does not see any
autonegotiation information from
the NIC. Because Cisco Catalyst
switches support only a full-
duplex operation with 1000
Mbps, they default to full duplex.
This change happens only when
operating at 1000 Mbps.
AUTO 1000 Mbps, 1000 Mbps, 1000 Mbps, Assuming that the maximum
full duplex full duplex full duplex capability of a NIC is 1000
Mbps, full duplex.
1000 Mbps, 1000 Mbps, 1000 Mbps, 1000 Mbps, Correct manual configuration.
full duplex full duplex full duplex full duplex
100 Mbps, 1000 Mbps, No link No link Neither side establishes a link
full duplex full duplex due to a speed mismatch.
100 Mbps, AUTO 100 Mbps, 100 Mbps, A duplex mismatch can result in
full duplex full duplex half duplex performance issues, intermittent
connectivity, and loss of
communication.
AUTO 100 Mbps, 100 Mbps, 100 Mbps, A duplex mismatch can result in
full duplex half-duplex full duplex performance issues, intermittent
connectivity, and loss of
communication.
100 Mbps, 100 Mbps, 100 Mbps, 100 Mbps, Correct manual configuration.
full duplex full duplex full duplex full duplex
100 Mbps, AUTO 100 Mbps, 100 Mbps, half A link is established, but the
half duplex half duplex duplex switch does not see any
autonegotiation information from
the NIC and defaults to half
duplex when operating at 10/100
Mbps.
10 Mbps, half duplex AUTO 10 Mbps, half duplex 10 Mbps, half duplex A link is established, but the
switch does not see FLP. It
defaults to 10 Mbps, half duplex.
10 Mbps, half duplex 100 Mbps, half No link No link Neither side establishes a link
duplex due to a speed mismatch.
AUTO 100 Mbps, half 100 Mbps, half 100 Mbps, half A link is established, but the NIC
duplex duplex duplex does not see any
autonegotiation information. It
defaults to 100 Mbps, half
duplex.
Duplex)
AUTO 10 Mbps, half duplex 10 Mbps, half duplex 10 Mbps, half duplex A link is established, but the NIC
does not see FLP. It defaults to
10 Mbps, half duplex.
Identification of Current and Desired Path
When you are sure that you have eliminated any physical connectivity issues, you can move on to more in-
depth troubleshooting, such as troubleshooting routing and switching issues.
To troubleshoot Layer 3 connectivity, you need to have a good understanding of the processes that are
involved in routing a packet from a host across multiple routers to the final destination.
Consider the scenario in which you are unable to send an email through the SMTP server at 172.16.1.100.
As you study the network that the figure shows, you should ask yourself these questions:
• Which decisions will PC1 make, which information does it need, and which actions will it perform to
successfully send a packet that is destined for the Server to the first-hop router Branch?
• Which decisions will the router Branch make, which information does it need, and which actions will it
perform to successfully send the packet from PC1 that is destined for the Server to the router
Headquarters?
On the router, use the show ip route command to examine the routing table. In the example, the problem is
that the routing table on the Branch router does not have the route to Server (172.16.1.100).
Routing Table
The routing tables can be populated by these methods:

• Directly connected networks: This entry comes from having router interfaces that are directly attached
to network segments. This method is the most certain method of populating a routing table. If the
interface fails or is administratively shut down, the device will remove the entry for this network from
the routing table. The administrative distance is 0 and will therefore pre-empt all other entries for this
destination network. Entries with the lowest administrative distance are the best, most-trusted sources.
• Local host routes: This entry comes from the local IP address on the router interface. The subnet mask
represents the host route.
• Static routes: A system administrator manually enters static routes directly into the configuration of a
router. The default administrative distance for a static route is 1. Therefore, the static routes will be
included in the routing table, unless there is a direct connection to this network. Static routes can be an
effective method for small, simple networks that do not change frequently. For larger and unstable
networks, the solution with static routes does not scale.
• Dynamic routes: The router learns dynamic routes automatically when you configure the routing
protocol and a neighbor relationship to other routers is established. The information is responsive to
changes in the network and updates constantly. There is, however, always a lag between the time that a
network changes and when all the routers become aware of the change. The time delay for a router to
match a network change is called the convergence time. A shorter convergence time is better for users
of the network. Different routing protocols perform differently in this regard. Larger networks require
the dynamic routing method because there are usually many addresses and constant changes. These
changes require updates to routing tables across all routers in the network, or connectivity is lost.
• Default routes: A default route is an optional entry that is used when no explicit path to a destination is
found in the routing table. You can manually insert the default route, or it can be populated from a
dynamic routing protocol.
The show ip route command displays the routing table in a router. The first part of the output explains the
codes, presenting the letters and the associated sources of the entries in the routing table.
• L: Reserved for the local host route.
• C: Reserved for directly connected networks.
• S: Reserved for static routes.
• R: Reserved for RIP.
• O: Reserved for the OSPF routing protocol.
• D: Reserved for EIGRP. The letter "D" stands for DUAL, which is the update algorithm that EIGRP
uses.
These scenarios show the different actions that a router takes if the destination address in a packet matches
or does not match a routing table entry:
• If the destination address in a packet does not match an entry in the routing table, then the device uses
the default route. If no default route is configured on the router, the device discards the packet.
• If the destination address in a packet matches a single entry in the routing table, the router forwards the
packet through the interface that is defined in this route.
• If the destination address in a packet matches more than one entry in the routing table and the routing
entries have the same prefix (network mask), the router can distribute the packets for this destination
among the routes that are defined in the routing table.
• If the destination address in a packet matches more than one entry in the routing table and the routing
entries have different prefixes (network masks), the router forwards the packets for this destination out
of the interface that is associated with the route that has the longer prefix match.
Using SPAN for Troubleshooting
A traffic sniffer can be a valuable tool for monitoring and troubleshooting a network. Properly placing a
traffic sniffer to capture a traffic flow but not interrupt it can prove challenging.
When local area networks were based on hubs, connecting a traffic sniffer was simple. When a hub receives
a packet on one port, the hub sends out a copy of that packet on all ports except on the one where the hub
received the packet. Therefore, the traffic sniffer that is connected a hub port could receive all traffic in the
network.
Modern local networks are essentially switched networks. After a switch boots, it starts to build up a Layer
2 forwarding table based of the source MAC addresses of the different packets that the switch receives.
After the switch builds this forwarding table, it then forwards traffic that is destined for a MAC address
directly to the corresponding port. This way, it prevents a traffic sniffer that is connected to another port to
receive the unicast traffic. The SPAN feature was therefore introduced on switches.
The SPAN feature allows you to analyze network traffic passing through the port and sending a copy of the
traffic to another port on the switch that has been connected to a network analyzer or other monitoring
device. SPAN copies the traffic that the device receives and/or sends on source ports to a destination port
for analysis. SPAN does not affect the switching of network traffic on the source ports.
If you would like to analyze the traffic flowing from PC1 to PC2 on the figure, you need to specify a source
port. You can either configure the interface Ethernet0/1 to capture the ingress traffic or the interface
Ethernet0/2 to capture the egress traffic. Second, specify the interface Ethernet0/3 as a destination port. The
traffic flowing from PC1 to PC2 will then be copied to that interface, and you will be able to analyze it with
a traffic sniffer.
Configuring SPAN
With SPAN, the switch is instructed to copy all the traffic that it sends and receives on a source port to a
destination port by configuring a SPAN session.
The SPAN session is identified by a session number. The first step is that you associate a SPAN session
with source ports by using the monitorsessionnumbersourceinterfaceinterface command. You can
optionally specify which traffic you want to monitor on the source interface—if you want to monitor only
received traffic, use rx keyword, if you want to monitor only transmitted traffic then use the tx command. If
you want to monitor both, received and transmitted traffic, use the both keyword. If you do not specify
anything, received and transmitted traffic is captured on an interface.
Similarly, you associate a destination port with a SPAN session number by using the
monitorsessionnumberdestinationinterfaceinterface command.
At the end, you can verify that you specified the correct source and destination ports by using the show
monitor command.
When configuring a SPAN, you have to take notice of the following facts:
• A destination port cannot be a source port, or vice versa.
• The destination port is no longer a normal switch port—only monitored traffic passes through that port.
In the example that is shown in the figure, the objective is to capture all the traffic that is sent between PC1
and PC2, both connected to the SW1. A packet sniffer is connected to port FastEthernet0/0. The switch is
instructed to copy all the traffic that it sends and receives on port FastEthernet0/2 to port FastEthernet0/0 by
configuring a SPAN session.
Troubleshooting Default Gateway Issues
In the absence of a detailed route on the router or an incorrect default gateway on the host, communication
between two endpoints in different networks will not work.
In the example, PC1 needs connectivity to the Server. The figure shows the configuration of default
gateways on the PC and the Branch router. For communication between the PC and the Server to work, the
PC and the Branch router must have one of the following:
• Specific routes to the network 172.16.1.0
• Correctly configured default gateways
To verify the default gateway on a Cisco IOS device, use the show ip route command. To verify the default
gateway on a Windows host, use the route print command.
In the example, the Branch router has the correct default gateway, which is the IP address of the HQ router.
PC1 has the wrong default gateway. PC1 should have the default gateway of the Branch router 10.1.10.1.
Troubleshooting Name Resolution Issue
The next troubleshooting step on the troubleshooting flow chart involves determining whether there is a
name resolution issue on the network. Name resolution is the mapping of IP addresses to names, and vice
versa. Name resolution is very important for networks because you often use names instead of IP addresses
in order to access resources. For example, you typically access websites by using their names, such as
www.somedomain.com, instead of their IP addresses because it is much easier to remember names.
The IP defines a hierarchical naming scheme that allows a device to be identified by its location or domain.
Domain names are formed with periods (.) as the delimiting characters. For example, Cisco is a commercial
organization that IP identifies by the ".com" domain name, so its domain name is cisco.com. A specific
device in this domain, for example, the FTP system, is identified as ftp.cisco.com.
The mapping of computer names to IP addresses can be done in two ways:
• Static: The system administrator creates a text file, which is called the hosts file, and enters each
computer name and IP address. The file is then distributed on the network. When a user makes a request
for a connection to another computer, the system uses the file to resolve the name to the correct IP
address. This system works well for simple networks that change infrequently.
• Dynamic: The DNS protocol controls the DNS—a distributed database with which you can map host
names to IP addresses.
When you configure name resolution on the device, you can substitute the host name for the IP address with
all IP commands, such as ping or telnet.
To keep track of domain names, IP has defined the concept of a domain name server, which holds a cache
(or database) of names that is mapped to IP addresses. To map domain names to IP addresses, you must first
identify the host names, specify the name server that is present on your network, and enable the DNS.
It is possible for IP connectivity to work but for the name resolution to fail. If you are unable to access a
website by its name, you might still be able to access it by its IP address. To determine if you are
experiencing a name resolution problem, ping the destination by its IP address and then by its name. If you
can ping the device by its IP address but not its name, there is a name resolution problem.
If you discover that you have a name resolution issue on your network, you can create or modify the
mappings between names and IP addresses in three different places:
• In the hosts file on a PC: The hosts file is simply a text file that maps names to IP addresses. In a
Windows operating system, the file is located at C:\Windows\System32\drivers\etc. Other operating
systems might have the hosts file in a different location, they might use a different file, or may not have
it at all. You can open and edit the hosts file with a text editor such as Notepad. This file works well for
simple networks that change infrequently.
• In your DNS: The DNS protocol controls the DNS, a distributed database in which you can map
hostnames to IP addresses.
– You can configure DNS server information within DHCP pool, using the dns-serverip_address
command. Make sure that you specify the correct IP address for the DNS server.
• On a Cisco switch or router: You can create static name resolution entries on a switch or a router by
using the ip hostname ip_address command. For example, if you want to add an entry that is named
"Server" that will resolve to the IP address 172.16.1.100, the syntax would be ip host Server
172.16.1.100.
In the example, PC1 is configured with static a mapping of the name and IP address, then the name
resolution is verified using the ping command.
Discovery 8: Configure and Verify IPv4 Extended
Access Lists
Introduction
A common mechanism that is used for traffic filtering is ACL. ACLs enable you to control access based on
Layer 3 packet-header information. Standard ACLs cannot fulfill all traffic-filtering requirements, they
provide only limited options for network traffic filtering.
A standard ACL can specify only source IP addresses and source networks, so it is not possible to filter to a
specific destination. For more precise traffic filtering, you should use extended ACLs.
Extended ACLs provide a greater range of control. In addition to verifying packet source addresses,
extended ACLs also check destination addresses, protocols, and port numbers, as shown in the figure. They
provide more criteria on which to base the ACL. For example, an extended ACL can simultaneously allow
email traffic from a network to a specific destination and deny file transfers and web browsing for a specific
host.
The ability to filter on a protocol and port number allows you to build very specific extended ACLs. Using
the appropriate port number, you can specify an application by configuring either the port number or the
name of a well-known port.
You have two types of extended ACLs:
• Named: More common.
• Numbered: Ranges from 100 to 199, and from 2000 to 2699 (providing a total of 800 possible
extended ACLs).
This discovery will guide you through the extended IPv4 ACL configuration. The virtual lab environment is
prepared with the devices that are represented in the topology diagram and the connectivity table. All
devices have their basic configurations in place including hostnames and IP addresses. The configuration of
both ACL will be on R1 and it will be applied inbound on the interface Ethernet0/0 to influence the traffic
from PC1.
The policy that is defined in the ACL was chosen to demonstrate how ACLs work. The policy does not
reflect any real world application.
Topology
Job Aid

• All devices have their basic configurations in place including hostnames, IPv4, and IPv6 addresses.
• RIP is configured on R1 and R2 to provide IPv4 routing.
• Static routes are configured on R1 and R2 to provide IPv6 routing.
Device Details
Device Interface Neighbor IPv4 Address IPv6 Address
PC1 Ethernet0/0 SW1 10.10.1.10/24 2001:DB8:0:10::/64 Auto
SRV1 Ethernet0/0 R2 10.10.3.30/24 2001:DB8:0:3::30/64
SW1 VLAN 1 10.10.1.4/24 2001:DB8:0:10::/64 Auto
SW1 Ethernet0/1 PC1 — —
SW1 Ethernet1/1 R1 — —
R1 Ethernet1/1 SW1 10.10.1.1/24 2001:DB8:0:10::1/64
R1 Ethernet1/0 R2 10.1.1.2/30 2001:DB8:0:2::1/64
R2 Ethernet1/0 R1 10.1.1.1/30 2001:DB8:0:2::2/64
R2 Ethernet0/0 SRV1 10.10.3.1/24 2001:DB8:0:3::1/64
PCs and SRV in the virtual lab environment are simulated as routers, so you should use Cisco IOS
Task 1: Configure and Verify IPv4 Extended Access

Lists
The previous examples show the steps to configure an extended named ACL. The following table explains
the commands that you will use and their parameters.
Command Description
ip access-list extended name Defines an extended IP access list using a name and enters extended
named access list configuration mode.
{permit | deny} protocol • Permits or denies all packets that match all conditions that the remark
{sourcesource-wildcard | any | host specifies.
{address | name}} [operator port]
• You can specify either the name or the number of the protocol. The
{destinationdestination-wildcard | most commonly used keywords are ip, tcp, udp, and icmp.
any | host {address | name}}
[operatorport] • The operator is an optional parameter that compares source and
destination ports when TCP or UDP is specified as the protocol.
Possible operands include lt (less than), gt (greater than), eq (equal),
neq (not equal), and range (inclusive range).
• The port is an optional decimal number or name of a TCP or UDP port.
ip access-group name {in | out} Applies the specified access list to the interface in the inbound or
outbound direction.
Activity
Access the console on R1 and configure a named extended IPv4 ACL. The ALC should be
named "Example4".
ACL should have these four statements:

• The first should deny all UDP traffic.
• The second should permit TCP from PC1 to any destination as long as the destination port is
23 (Telnet).
• The third should deny all other TCP traffic from PC1.
• The last should explicitly permit all IP traffic.
Note: At the end of every created ACL is an implicit deny statement.
R1# conf t
R1(config)# ip access-list extended Example4
R1(config-ext-nacl)# deny udp any any
R1(config-ext-nacl)# permit tcp host 10.10.1.10 any eq 23
R1(config-ext-nacl)# deny tcp host 10.10.1.10 any
R1(config-ext-nacl)# permit ip any any
R1(config-ext-nacl)# exit
Apply the ACL to the interface Ethernet1/1 in the inbound direction.
At the end, leave the configuration mode.
R1(config-if)# ip access-group Example4 in
R1(config-if)# end
Display the ACL.
Look over the ACL definition—any slight variation in its definition can lead to large differences
in its behavior.
R1# show ip access-lists Example4

Extended IP access list Example4
10 deny udp any any20 permit tcp host 10.10.1.10 any eq telnet30 deny tcp
host 10.10.1.10 any40 permit ip any any
The access list has all four statements in the correct order as you configured. Note that the output
does not display the implicit deny statement that is at the end of every ACL.
Now test the ACL performance by executing all the types of traffic that you specified in the
ACL statements.
The first line of the ACL will block all UDP traffic. SRV1 is configured as the NTP server, but
because NTP uses the UDP protocol, the first line in the ACL should block access for PC1.
To verify this case, access the console of PC1 and configure it to use the SRV1 IPv4 address as
an NTP server and then display the status of NTP on PC1.
PC1# conf t
PC1(config)# ntp server 10.10.3.30
PC1(config)# end
Because NTP traffic from PC1 is blocked, you should find that it has not synchronized to SRV1.
PC1# show ntp statusClock is unsynchronized, stratum 16, no reference clock

nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**10
ntp uptime is 3500 (1/100 of seconds), resolution is 4000
reference time is 00000000.00000000 (00:00:00.000 PST Mon Jan 1 1900)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.52 msec, peer dispersion is 0.00 msec
loopfilter state is 'FSET' (Drift set from file), drift is 0.000000000 s/s
system poll interval is 8, never updated.
The second line in the ACL explicitly permits Telnet traffic from PC1.
Verify that PC1 can successfully telnet to SRV1. Use the username "admin" and password
"Cisco123".
At the SRV1 system prompt, use the exit command to terminate the connection.
PC1# telnet 10.10.3.30
Trying 10.10.3.30 ... Open
Username: admin
Password:
SRV1>exit

PC1#
The third line in the ACL is denying all other TCP traffic from PC1. Verify that PC1 cannot use
SSH to reach SRV1.
The –l is a dash and a capital "L", not a numeral 1. Think of "L" to specify the login ID for the
SSH session.
PC1# ssh -l admin 10.10.3.30% Destination unreachable; gateway or host down
The fourth line in the ACL, which explicitly permits all IP traffic, should permit any non-UDP
traffic from PC1. Verify that PC1 can ping the server.
PC1# ping 10.10.3.30

!!!!!
The first three lines do not explicitly specify the ICMP protocol. Hence, any ICMP traffic should
be permitted by the fourth line in the ACL which explicitly permits all IP traffic that did not
match any previous line.
The ACL only applies to traffic coming from PC1. Access the console of PC2 and attempt the
same test sequence that you did from PC1.
The test uses ICMP and TCP, not UDP. All the tests should succeed.
PC2# telnet 10.10.3.30
Trying 10.10.3.30 ... Open
Username: admin
Password:
SRV1>exit

PC2# ssh -l admin 10.10.3.30
Password:
SRV1>exit

PC2# ping 10.10.3.30
!!!!!
Notice that PC2 can both telnet and SSH to the server, whereas PC1 could not. This is because
no ACL is applied toward the PC2.
Display the ACL again and observe the updated hit counters that are associated with the activity
that you just initiated.
R1# show ip access-lists Example4

Extended IP access list Example4
10 deny udp any any (6 matches)
20 permit tcp host 10.10.1.10 any eq telnet (58 matches)
30 deny tcp host 10.10.1.10 any (1 match)
40 permit ip any any (89 matches)
Due to the dynamic nature of the lab environment, the hit counters that you observe are likely to
differ from what the example shows.
Troubleshooting ACL Issues
If you have eliminated physical connectivity, routing, and name resolution issues and you are still
experiencing network connectivity problems, your next step is to troubleshoot ACLs.
The routers may have ACLs configured that prohibit a protocol to pass the interface in the inbound or
outbound direction.
In the example, PC1 in unable to use Telnet to connect to the Server.
To begin, you might want to use the show ip access-lists command to display the contents of all ACLs that
are configured on the router. By entering the ACL name or number as an option for this command, you can
display a specific ACL.
In this example, there is an ACL that is named "Outbound." It is implicitly denying Telnet and all other
traffic except ICMP.
When you discover that an ACL on a router is blocking traffic that you want to permit, you can use the
show ip interface command to determine where the ACL is applied.
In the following example, the IP ACL that is named "Outbound" has been configured on the interface
GigabitEthernet0/1 as an outbound ACL.
To have the Branch router permit Telnet, you would need to add an ACL entry that allows Telnet.
Currently, the Outbound ACL permits only the ICMP protocol. In order to allow a Telnet connection from
PC1 to the server, add an entry in the Outbound ACL to allow the TCP protocol and port 23 for Telnet as
follows:
After correcting the Outbound ACL, a Telnet connection from PC1 to the server should be successful.
Discovery 9: Troubleshoot IPv4 Network
Connectivity
Introduction
This discovery will guide you through troubleshooting connectivity in an IPv4 network. The virtual lab is
prepared with the devices that are represented in the topology diagram and the connectivity table. All
devices have their basic configurations in place, including hostnames and IP addresses. RIP has been
configured as the dynamic routing protocol.
Four issues have been introduced on different devices in the live virtual lab environment. Your job is to find
and fix these issues. There are only four steps in this discovery. The step describes the complaint that you
must address. To get the feeling of troubleshooting activities, try to uncover and resolve the problems before
you use the Answer Key for each step.
Resolve each issue before moving to the next issue. Sometimes, you will need to resolve the issue to be able
to go to the following issue.
Topology
Job Aid

• RIP is configured on all four routers.
• Four issues, related to the PCs connectivity to the SRVs, exist in the network.
Device Information
Device Interface Neighbor IPv4 Address
PC1 Ethernet0/0 SW1 10.10.1.10/24
PC2 Ethernet0/0 SW2 10.10.2.20/24
SRV1 Ethernet0/0 R3 10.10.3.30/24
SRV2 Ethernet0/0 R4 10.10.4.40/24
SW1 VLAN 1 — 10.10.1.4/24
SW2 VLAN 1 — 10.10.2.4/24
R1 Ethernet0/0 SW1 10.10.1.1/24
R1 Ethernet1/0 R3 10.1.1.2/30
Device Interface Neighbor IPv4 Address
R1 Ethernet1/1 R4 10.1.1.10/30
R2 Ethernet 0/0 SW2 10.10.2.1/24
R2 Ethernet1/0 R3 10.1.1.6/30
R2 Ethernet1/1 R4 10.1.1.14/30
R3 Ethernet2/0 R1 10.1.1.1/30
R3 Ethernet2/1 R2 10.1.1.5/30
R3 Ethernet0/0 SRV1 10.10.3.1/24
R4 Ethernet2/0 R1 10.1.1.9/30
R4 Ethernet2/1 R2 10.1.1.13/30
R4 Ethernet0/0 SRV2 10.10.4.1/24
Task 1: Troubleshoot IPv4 Network Connectivity

Activity
The user at PC1 is complaining of not being able to connect to SRV1. The user is using Telnet
for connectivity.
PC1# telnet 10.10.3.30

Trying 10.10.3.30 ...
% Destination unreachable; gateway or host down
PC1 will take the path through R1 and R3 to reach the SRV1, so you should investigate those
two routers on the path.
Here are some steps that you might take in the troubleshooting process. Sometimes, the steps
show that an item is in a normal working order. This data is valuable to have when
troubleshooting. In other cases, the step may point out something that is out of order and gets
you closer to determining the root cause:
• On R1, verify the following:
– You have a valid route to the SRV1—use the show ip route command.
– Ethernet0/0 and Ethernet1/0 interfaces are in the admin "up/up" state—use the show ip
interface brief command.
– No access list is applied to the Ethernet0/0 and Ethernet1/0 interfaces—use the show
run | section interface or show ip interface command.
Notice that R3 has the interface toward SRV1 (Ethernet0/0) administratively disabled.

Protocol
Ethernet0/0 10.10.3.1 YES NVRAM administratively down
down
down
down
down
down
down
down
down
down
down
You can resolve the problem by enabling the Ethernet0/0 interface on R3.
R3# conf t
R3(config-if)# no shut
R3(config-if)# end
When you fix the configuration on R3, you should now be able to telnet to SRV1 from PC1. Use
"admin" for the username and "Cisco123" for the password.
PC1# telnet 10.10.3.30
Trying 10.10.3.30 ... Open
Username: admin
Password:
SRV1>exit
The user at PC1 is complaining of not being able to connect to SRV2. In fact, if the user attempts
to ping SRV2, the ping shows that the server is unreachable.
PC1# ping SRV2

.....
The IP address of SRV2 that PC1 is pinging is 10.10.1.40. However, this address is not the IP
address of the server. You can verify it by showing the interface status on SRV2. You can also
do verify it by comparing the address to the information in the topology diagram and the
connectivity table.
SRV2# show interfaces Ethernet0/0

Hardware is AmdP2, address is aabb.cc00.2100 (bia aabb.cc00.2100)
Description: Link to R4
If you ping the SRV2 using the IP address instead of its host name, you will see that the server is
reachable.
PC1# ping 10.10.4.40

!!!!!
The problem is an incorrect entry for SRV2 in the local host configuration on PC1.
PC1# show running-config | include host

hostname PC1
ip host SRV2 10.10.1.40
ip host SRV1 10.10.3.30
You can resolve the problem by configuring the host entry properly.
PC1# conf t
PC1(config)# ip host SRV2 10.10.4.40
PC1(config)# end
When you configure the entry properly, you should be able to ping SRV2 by hostname from
PC1.
PC1# ping SRV2

!!!!!
The user at PC2 is complaining of not being able to connect to SRV1. If the user attempts to ping
SRV1 IP address, the ping shows that the server is unreachable.
PC2# ping 10.10.3.30

.....
PC2 will take the path through R2 and R3 to reach SRV1, so you should investigate those two
routers on the path.
Here are some steps that you might take in the troubleshooting process:
run | section interface or show ip interface command.
– You can ping the SRV1 IP address.
– You have a valid route to SRV1—use the show ip route command.
run | section interface command.
– You can ping the SRV1 IP address.
Because SRV1 is up, and R2 and R3 are properly configured, you can determine that the
problem lies on PC2. You can verify that PC2 has the interface toward the SRV1 enabled.
Using the show ip route command, determine if PC2 has a valid route to the SRV1.
PC2# show ip routeDefault gateway is 10.0.2.1
Host Gateway Last Use Total Uses Interface

ICMP redirect cache is empty
PC2 has been configured with an incorrect default gateway—the default gateway is set to some
nonexisting IP address in the network.
You can resolve the problem by configuring the default gateway on PC2. The R2 Ethernet0/0 IP
address should be set as the default gateway on PC2.
PC2# conf t
PC2(config)# ip default-gateway 10.10.2.1
PC2(config)# end
When you configure PC2 with the correct default gateway, you should be able to ping SRV1
from PC2
PC2# ping 10.10.3.30

.!!!!
The user on PC2 is complaining of not being able to connect to SRV2. The user is using Telnet
for connectivity.
PC2# telnet 10.10.4.40

Trying 10.10.4.40 ...
PC2# ping 10.10.4.40

!!!!!
Telnet uses TCP to test connectivity. By default it will connect to port 23. SRV2 on port 23 is
not reachable; however, you can see that the ping which uses ICMP to test connectivity to SRV2
is successful.
Using the traceroute command, you can determine that PC2 takes the path via R1 and R4 to
reach SRV2.

Tracing the route to 10.10.4.40
1 10.10.2.1 1 msec 0 msec 1 msec
2 10.1.1.13 0 msec 0 msec 0 msec
3 * !A *
Note that "!A" indicates that there is an ACL applied, that is blocking access to the SRV2.
You can determine, that packet comes through R1 to the R4, where it gets blocked:
• On R1, you can still verify that there is no ACL configured—use the show ip access-lists
command,
• On R4, verify if there is an ACL configured.
R4# show ip access-lists

Extended IP access list Server
10 deny udp any any
20 deny tcp any any eq telnet (1 match)
30 deny tcp any any eq www
40 permit ip any any (5 matches)
R4 has an IP ACL configured that is blocking the telnet access to SRV2. Verify if this ACL is
applied on the Ethernet0/0 or Ethernet2/1 interface on R4.
R4# show ip interface Ethernet0/0

Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.9
Outgoing access list is Server
Inbound access list is not set

Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.9
Outgoing access list is not set
Inbound access list is not set
The IP access list is applied in the outbound direction to the Ethernet0/0 interface, the one
connecting to the SRV2.
Solve the problem, by either removing the statement or changing it from "deny" to "permit." The
example shows the second option.
R4# conf t
R4(config)# ip access-list extended Server
R4(config-ext-nacl)# no 20
R4(config-ext-nacl)# 20 permit tcp any any eq 23
R4(config-ext-nacl)# end
PC1 should now be able to connect to SRV2 using telnet, with the "admin" username and
"Cisco123" password.
PC2# telnet 10.10.4.40
Trying 10.10.4.40 ... Open
Username: admin
Password:
SRV2>exit
Note: The traceroute will still not work, because the ACL is denying UDP, which is what the
traceroute uses.
Self Check
Which command would you use to determine whether there are any input or output errors on a
GigabitEthernet0/0 interface?
A. show ip route GigabitEthernet0/0
B. show ip interfaces GigabitEthernet0/0
C. show interfaces GigabitEthernet0/0
D. show mac-address-table
Which command would you use to identify the current path to a given destination on a router?
A. show ip route
B. route print
C. show ip interfaces brief
D. show arp
Which Cisco IOS command will enable you to see the path that packets are taking on a hop-by-hop
basis?
A. path
B. traceroute
C. ping
D. show route
Which of the following statements that are related to configuring SPAN is true ? ( Choose two)
A. The destination port cannot be a source port, or vice versa.
B. The destination port can be same as source port.
C. Destination port is no longer a normal switch port—only monitored traffic passes through that port.
D. Source port is no longer a normal switch port—only monitored traffic passes through that port.
Which command would show you whether an ACL is applied to an interface, GigabitEthernet 0/1 ?
A. show access lists GigabitEthernet 0/1
B. show access lists
C. show ip interface GigabitEthernet 0/1
D. show interface brief
Which of the following commands will you use to deny telnet access from IP address 10.1.1.1 into
10.1.1.2 ?
A. access-list 90 deny tcp 10.1.1.1 0.0.0.0 10.1.1.2 0.0.0.0 eq 21
B. access-list 99 deny telnet 10.1.1.1 0.0.0.0 10.1.1.2 0.0.0.0
C. access-list 101 deny ip 10.1.1.1 0.0.0.0 10.1.1.2 0.0.0.0 telnet
D. access-list 101 deny tcp 10.1.1.1 0.0.0.0 10.1.1.2 0.0.0.0 eq 23
Where should extended ACLs be placed in a network ?
A. As close to the packet's destination as possible
B. As close to the default gateway as possible
C. As close to the source of the packet as possible
D. As close to a border gateway router as possible
Answer Key
Self Check
1. C
2. A
3. B
4. A, C
5. C
6. D
7. C
IPv6 Network Connectivity
Overview
A customer has called CCS with a complaint involving IPv6 network connectivity problems. A trouble
ticket has been issued.
After reviewing the trouble ticket, decide whether you are ready to go onsite to solve the problem or
whether you first need to do research on troubleshooting IPv6 network connectivity.
IPv6 Unicast Addresses
IPv6 unicast addresses are assigned to each node (interface). Their uses are discussed in RFC 4291. The five
types of unicast addresses are listed below.
Global Addresses
RFC 4291 specifies the 2000::/3 prefix to be the global unicast address space that the IANA may allocate to
the RIRs. A global unicast address is an IPv6 address that is created from the global unicast prefix. The
structure of global unicast addresses enables the aggregation of routing prefixes, which limits the number of
routing table entries in the global routing table. Global unicast addresses that are used on links are
aggregated upward through organizations and eventually to the ISPs.
The IANA assigns a global address. The global address starts with 2000::/3. The /3 prefix length implies
that only the first 3 bits are significant in matching the prefix 2000. The first 3 bits of the first hexadecimal
value 2 are 001x. The fourth bit, x, is insignificant and can be either a 0 or a 1. It results in the first hextet
being a 2 (0010) or a 3 (0011). The remaining 24 bits in the hextet (16-bit segment) can be a 0 or a 1.
The figure shows how address space can be allocated to the RIR and ISP. These values are minimum
allocations, which means that an RIR will get a /23 or shorter, an ISP will get a /32 or shorter, and a site will
get a /48 or shorter. A shorter prefix length allows more available address space. For example, a site could
get a /40 instead of a /48, giving it more addresses if it can justify it to its ISP. The figure shows a provider
aggregatable model where the end customer obtains its IPv6 address from the ISP. The end customer can
also choose a provider-independent address space by going straight to the RIR. In this case, it is not
uncommon for an end customer to be able to justify a /32 prefix.
The ICANN, the operator for IANA, allocates IPv6 address blocks to the five RIRs. The current global
unicast address assignment from IANA begins with the binary value 001 or the prefix 2000::/3. This value
allocation results in a range of global unicast addresses of 2000::/3 through 3FFF::/3
Local Addresses
A block of IPv6 addresses is set aside for local addresses, just as is done with private addresses in IPv4.
These local addresses are local only to a particular link or site; therefore, they are never routed outside of a
particular company network. There are two kinds of local addresses:
• Unique local addresses: These addresses are similar to RFC 1918, Address Allocation for Private
Internets, in IPv4 today. The scope of these addresses is an entire site or organization. They allow
addressing within an organization without needing to use a public prefix. Routers forward datagrams
using site-local addresses within the site, but not outside the site, to the public Internet.
In hexadecimal, site-local addresses begin with FE and then "C" to "F" for the third hexadecimal digit.
So, these addresses begin with FEC, FED, FEE, or FEF.
• Link-local addresses: The concept of the link-local scope is new to IPv6. These addresses have a
smaller scope than site-local addresses—they refer only to a particular physical link (physical network).
Routers do not forward datagrams using link-local addresses, not even within the organization; they are
only for local communication on a particular physical network segment.
These addresses are used for link communications such as automatic address configuration, neighbor
discovery, and router discovery. Many IPv6 routing protocols also use link-local addresses. A link-local
address typically begins with FE80::/10.
Technically speaking, an address within the prefix FE80::/10 is considered a link-local address. This scope
includes addresses beginning with FE80:: through FEBF::.—this last address prefix bumps up next to the
fec0::/10 range that is assigned to the deprecated site-local address scope. In common practice though,
link-local addresses will typically begin with 0xFE80.
Loopback Addresses
Just as with IPv4, a provision has been made for a special loopback IPv6 address for testing. Datagrams that
are sent to this address "loop back" to the sending device. However, in IPv6, there is just one address, not a
whole block, for this function. The loopback address is 0:0:0:0:0:0:0:1, which is normally expressed as
"::1".
Unspecified Addresses
In IPv4, an IP address containing all zeroes has a special meaning—it refers to the host itself and is used
when a device does not know its own address. In IPv6, this concept has been formalized, and the all-zeros
address is named the unspecified address. It is typically used in the source field of a datagram that a device
that seeks to have its IP address configured sends. You can apply address compression to this address.
Because the address is all zeroes, the address becomes just "::".
Reserved Addresses
The IETF reserved a portion of the IPv6 address space for various uses, both present and in the future.
Reserved addresses represent 1/256th of the total IPv6 address space. The lowest address within each subnet
prefix (the interface identifier set to all zeroes) is reserved as the subnet-router anycast address. The 128
highest addresses within each /64 subnet prefix are reserved to be used as anycast addresses.
Assigning IPv6 Addresses

Interface identifiers in IPv6 addresses are used to identify interfaces on a link. They can also be thought of
as the "host portion" of an IPv6 address. Interface identifiers need to be unique on a specific link. Interface
identifiers are always 64 bits and can be dynamically derived from a Layer 2 media and encapsulation.
There are several ways to assign an IPv6 address to a device:
• Static assignment using a manual interface ID: One way to statically assign an IPv6 address to a
device is to manually assign both the prefix (network) and interface ID (host) portions of the IPv6
address. To configure an IPv6 address on a Cisco router interface and enable IPv6 processing on that
interface, use the ipv6 addressipv6-address/prefix-length command in the interface configuration mode.
• Static assignment using an EUI-64 interface ID: Another way to statically assign an IPv6 address is
to configure the prefix (network) portion of the IPv6 address and derive the interface ID (host) portion
from the Layer 2 MAC address of the device, which is known as the EUI-64 interface ID.
To configure an IPv6 address for an interface and enable IPv6 processing on the interface using an EUI-
64 interface ID in the low order 64 bits of the address (host), use the ipv6 addressipv6-prefix/prefix-
lengtheui-64 command in the interface configuration mode.
• Stateless autoconfiguration: As the name implies, autoconfiguration is a mechanism that
automatically configures the IPv6 address of a node. In IPv6, it is assumed that non-PC devices, and
also computer terminals, will be connected to the network. The autoconfiguration mechanism was
introduced to enable plug-and-play networking of these devices to help reduce administration overhead.
• DHCPv6: DHCP for IPv6 enables DHCP servers to pass configuration parameters such as IPv6 network
addresses to IPv6 nodes. It offers the capability of automatic allocation of reusable network addresses
and additional configuration flexibility. This protocol is a stateful counterpart to IPv6 stateless address
autoconfiguration (RFC 2462). Devices can use it separately or concurrently with IPv6 stateless address
autoconfiguration to obtain configuration parameters.
Use of EUI-64 Format in IPv6 Addresses
The 64-bit interface identifier in an IPv6 address identifies a unique interface on a link. A link is a network
medium over which network nodes communicate using the link layer. The interface identifier can also be
unique over a broader scope. Often, an interface identifier is the same as or is based on the link layer (MAC)
address of an interface. As in IPv4, a subnet prefix in IPv6 is associated with one link.
The EUI-64 standard explains how to stretch IEEE 802 MAC addresses from 48 to 64 bits. The following
figure illustrates this process.
Interface identifiers in the global unicast and other IPv6 address types must be 64 bits long and can be
constructed in the 64-bit EUI-64 format. The EUI-64 format interface ID is derived from the 48-bit link
layer (MAC) address by inserting the hexadecimal number FFFE between the upper 3 bytes (OUI field) and
the lower 3 bytes (serial number) of the link layer address.
Troubleshooting End-to-End IPv6 Connectivity
As with troubleshooting IPv4 connectivity, the troubleshooting process for IPv6 can be guided by structured
methods. The overall troubleshooting procedure is the same as troubleshooting IPv4, with differences that
are related to IPv6 specifics.
When end-to-end connectivity is not operational, the user will inform the network administrator. The
administrator will start the troubleshooting process, as the figure shows.
When there is no end-to-end connectivity, you would want to investigate some of the following items:
• If there is an issue with the physical connectivity, solve it by adjusting the configuration or changing the
hardware.
• Make sure that devices are determining the correct path from the source to the destination. Manipulate
the routing information if needed.
• Verify that the default gateway is correct.
• Check if everything is correct about the name resolution settings. There should be a name resolution
server that is accessible over IPv4 or IPv6.
• Verify that there are no ACLs blocking traffic.
After every failed troubleshooting step, a solution should be provided to make the step successful. The
outcome of this process is operational, end-to-end connectivity.
Verification of End-to-End IPv6 Connectivity
You can use several verification tools to verify end-to-end IPv6 connectivity:
• Ping: A successful ping means that the device endpoints are able to communicate. This result does not
mean that there are no problems, but it simply proves that the basic IP connectivity is working.
• Traceroute: The results of traceroute can help you determine how far along the path data can
successfully reach. Knowing at what point the data fails can help you determine where the issue is.
• Telnet: Used to test the transport layer connectivity for any TCP port over IPv6.
• Neighbor discovery: Does the same as ARP in IPv4.
In the following scenario, a PC1 wants to access applications on the server. The figure shows the desirable
path.
You can use the ping utility to test end-to-end IPv6 connectivity by providing the IPv6 address as the
destination address. The utility recognizes the IPv6 address when one is provided and uses IPv6 as a
protocol to test connectivity.
Use the ping utility on the PC to test IPv6 connectivity:
C:\Windows\system32> ping 2001:DB8:172:16::100
Pinging 2001:db8:172:16::100 with 32 bytes of data:

Reply from 2001:db8:172:16::100: time=19ms
Ping statistics for 2001:db8:172:16::100:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 19ms, Average = 5ms
You can also use the ping utility on the router to test IPv6 connectivity:
Branch# ping 2001:DB8:172:16::100
Sending 5, 100-byte ICMP Echos to 2001:DB8:172:16::100, timeout is 2 seconds:
!!!!!
Traceroute is a utility that allows observation of the path between two hosts and supports IPv6. Use the
traceroute Cisco IOS command or tracert Windows command, followed by the IPv6 destination address,
to observe the path between two hosts. The trace generates a list of IPv6 hops that are successfully reached
along the path. This list provides important verification and troubleshooting information.
The traceroute utility on the PC allows you to observe the IPv6 path:
C:\Windows\system32> tracert 2001:DB8:172:16::100
Tracing route to 2001:db8:172:16::100 over a maximum of 30 hops
1 1 ms 1 ms <1 ms 2001:db8:101:1::1
2 10 ms 1 ms 1 ms 2001:db8:209:165::2
3 10 ms 1 ms 1 ms 2001:db8:172:16::100
Trace complete.
You can also use the traceroute utility on the router to observe the IPv6 path:
Branch# traceroute 2001:DB8:172:16::100
Tracing the route to 2001:DB8:172:16::100
1 2001:DB8:209:165::2 0 msec 0 msec 0 msec

2 2001:DB8:172:16::100 0 msec 0 msec 0 msec
Similar to IPv4, you can use Telnet to test end-to-end transport layer connectivity over IPv6 using the telnet
command from a PC, router, or a switch. When you provide the IPv6 destination address, the protocol stack
determines that the IPv6 protocol has to be used. If you omit the port number, the client will connect to port
23. You can also specify a specific port number on the client and connect to any TCP port that you want to
test.
In the example, you can see two connections from a PC to the Server. The first one connects to port 23 and
tests Telnet over IPv6. The second connects to port 80 and tests HTTP over IPv6.
When troubleshooting end-to-end connectivity, it is useful to verify mappings between destination IP
addresses and Layer 2 Ethernet addresses on individual segments. In IPv4, ARP provides this functionality.
In IPv6, the neighbor discovery process and ICMPv6 replace the ARP functionality. The neighbor discovery
table caches IP addresses and their resolved Ethernet physical (MAC) addresses. As shown in the figure, the
netsh interface ipv6 show neighbor Windows command lists all devices that are currently in the neighbor
discovery table cache. The information that the CLI displays for each device includes the IP address,
physical (MAC) address, and the type of addressing. By examining the neighbor discovery table, you can
verify that the destination IPv6 addresses map to the correct Ethernet addresses.
The figure also shows an example of the neighbor discovery table on the Cisco IOS router. The table
includes the IPv6 address of the neighbor, age in minutes because the address was confirmed as reachable,
and the state. The states are explained in the table:
State Description
INCMP Address resolution is being performed on the entry. The source has sent a neighbor solicitation
(Incomplete) message to the solicited-node multicast address of the target, but it has not received the
corresponding neighbor advertisement message.
REACH The source has received positive confirmation within the last ReachableTime milliseconds that the
(Reachable) forward path to the neighbor was functioning correctly. While in the REACH state, the device takes
no special action as it is sending packets.
STALE More than ReachableTime milliseconds have elapsed since the device received the last positive
confirmation that the forward path was functioning properly. While in the STALE state, the device
takes no action until a packet is sent.
DELAY More than ReachableTime milliseconds have elapsed since the device received the last positive
confirmation that the forward path was functioning properly. A packet was sent within the last
DELAY_FIRST_PROBE_TIME seconds. If the device receives no reachability confirmation within
DELAY_FIRST_PROBE_TIME seconds of entering the DELAY state, send a neighbor solicitation
message and change the state to PROBE.
State Description
PROBE The device actively seeks a reachability confirmation by resending neighbor solicitation messages in
RetransTimer milliseconds until a reachability confirmation is received.
You can use several other commands to verify that IPv6 is configured correctly on routers:
• Verify that IPv6 routing has been enabled on the router. In the show running-config command look for
the ipv6 unicast-routing command.
• Verify that the interfaces have been configured with the correct IPv6 addresses. You can use the show
ipv6 interface command to display the statuses and configurations for all IPv6 interfaces.
• Verify the IPv6 routing protocols that are running on the router using the show ipv6 protocols
command.
Identification of Current and Desired IPv6 Path
To verify that the current IPv6 path matches the desired path to reach destinations, use the show ipv6 route
command on a router to examine the routing table.
The routing table on the Branch router in the example has a default route that is configured. The router will
use it to route packets to the server (2001:db8:172:16::100).
Troubleshooting Default Gateway Issues in IPv6
In the absence of the default gateway on a host, communication between two endpoints in a different
network will not work.
If a PC needs access to other networks in addition to the directly connected network, a correct configuration
of the default gateway is very important. If a PC has to send a packet to a network that is not directly
connected, it has to send the packet to the default gateway, which is the first router on the path to the
destinations. The default gateway then forwards the packet toward the destination.
You will see a percent sign (%), followed by a number, at the end of the IPv6 link-local address and at the
end of the default gateway. The number that follows the percent sign identifies an interface on the PC and
is not part of the IPv6 address. It should be ignored when determining the IPv6 address of the default
gateway.
In IPv6, you can manually configure the default gateway or use stateless autoconfiguration.
• In the case of stateless autoconfiguration, the default gateway is advertised to PCs that are using route
advertisements. In IPv6, the IPv6 address that the device advertises inside route advertisements as a
default gateway is the link-local IPv6 address of a router interface.
• If you decide to configure the default gateway, which is unlikely, you can set the default gateway either
to the global IPv6 address or to the link-local IPv6 address.
A link-local address is intended only for communications within the segment of a local network or a point-to-
point connection that a host is connected to. The link-local IPv6 addresses are assigned with the fe80::/64
prefix.
To verify that a PC has the default gateway set, you can use the ipconfig command on a Microsoft
Windows PC or the ifconfig command on Linux and Mac OS X. In the example, the PC has the IPv6
default gateway set to the link-local address of the Branch router.
Troubleshooting Name Resolution Issues in IPv6
Because IPv6 networks are long and difficult to remember, DNS is even more important for IPv6 than for
IPv4.
The hosts file serves the function of translating human-friendly host names into IPv6 addresses that identify
and locate a host in an IPv6 network. In some operating systems, the hosts file content is preferred over
other methods, such as the DNS. Unlike the DNS, the hosts file is under the direct control of the local
computer administrator.
For a Windows operating system, the file is located at C:\Windows\System32\drivers\etc\hosts. Other
operating systems may have the hosts file in a different location, or they may use a different file, or may not
have it at all. You can open the hosts file in a text editor such as Notepad.
To verify the static name resolution, verify the connectivity to the server using the host name Server6
instead of its IPv6 address. The ping should be successful.
Discovery 10: Configure and Verify IPv6 Extended
Access Lists
Introduction
This discovery will guide you through the extended IPv6 ACLs configuration. The virtual lab environment
is prepared with the devices that are represented in the topology diagram and the connectivity table. All
devices have their basic configurations in place including hostnames and IPv6 addresses. The configuration
of ACL will be on R1 and it will be applied inbound on the interface Ethernet0/0, to influence traffic from
PC2.
The policy that is defined in the ACL was chosen to demonstrate how ACLs work. The policy does not
reflect any real world application.
Topology
Job Aid

• RIP is configured on R1 and R2 to provide IPv4 routing.
• Static routes are configured on R1 and R2 to provide IPv6 routing.
Device Details
SRV1 Ethernet0/0 R2 10.10.3.30/24 2001:DB8:0:3::30/64
SW1 VLAN 1 10.10.1.4/24 2001:DB8:0:10::/64 Auto
SW1 Ethernet1/1 R1 — —
R1 Ethernet1/1 SW1 10.10.1.1/24 2001:DB8:0:10::1/64
R1 Ethernet1/0 R2 10.1.1.2/30 2001:DB8:0:2::1/64
R2 Ethernet1/0 R1 10.1.1.1/30 2001:DB8:0:2::2/64
R2 Ethernet0/0 SRV1 10.10.3.1/24 2001:DB8:0:3::1/64
Task 1: Configure and Verify IPv6 Extended Access

Lists
The examples show the steps to configure IPv6 ACL. The following table explains the commands that you
will use in the configuration.
Command Description
ipv6 access-list name Defines an IPv6 access list using a name and enters the IPv6 access list
configuration mode.
{permit | deny} protocol {source- Specifies permit or deny conditions for an IPv6 ACL.
ipv6-prefix/prefix-length | any |
hostsource-ipv6-address}
[operatorport] {destination-ipv6-
prefix/prefix-length | any |
hostdestination-ipv6-address}
[operatorport]
ipv6 traffic-filter name {in | out} Applies the specified access list to the interface in the inbound or
outbound direction.
Each IPv6 ACL has implicit permit rules to enable IPv6 neighbor discovery (permit icmp any any nd-na
and permit icmp any any nd-ns). IPv6 ACLs implicitly allow IPv6 neighbor discovery packets to be sent
and received on an interface. At the end of this implicit permit there is an implicit deny any rule (deny ipv6
any any).
Activity
Access the console on R1 and configure a named extended IPv6 ACL. The ACL should be
named "Example6".
The ACL should have the following four statements:

• The first should deny all UDP traffic.
• The second should permit TCP from PC2 to any destination as long as the destination port is
23 (Telnet).
• The third should deny all other TCP traffic from PC2.
• The last should explicitly permit all IPv6 traffic.
First, you need to access the console of PC2 and obtain its IPv6 address.
PC2# show ipv6 interface brief

Ethernet0/0 [up/up]
FE80::A8BB:CCFF:FE00:1900
2001:DB8:0:10:A8BB:CCFF:FE00:1900
Ethernet0/1 [administratively down/down]
unassigned
unassigned
unassigned
Note: The IPV6 address in your output may differ, so make sure you will use your IPv6 address,
not the one provided in this output!
Now configure the specified ACL on R1.
R1# conf t
R1(config)# ipv6 access-list Example6
R1(config-ipv6-acl)# deny udp any any
R1(config-ipv6-acl)# permit tcp host 2001:DB8:0:10:A8BB:CCFF:FE00:1900 any eq
23
R1(config-ipv6-acl)# deny tcp host 2001:DB8:0:10:A8BB:CCFF:FE00:1900 any
R1(config-ipv6-acl)# permit ipv6 any any
R1(config-ipv6-acl)# exit
Apply the ACL to the interface Ethernet1/1 in the inbound direction.
At the end, leave the configuration mode.

R1(config-if)# ipv6 traffic-filter Example6 in
R1(config-if)# end
Display the configured IPv6 ACL.
R1# show ipv6 access-list Example6

IPv6 access list Example6
deny udp any any sequence 10permit tcp host
2001:DB8:0:10:A8BB:CCFF:FE00:1900 any eq telnet sequence 20deny tcp host
2001:DB8:0:10:A8BB:CCFF:FE00:1900 any sequence 30permit ipv6 any any sequence
40
The access list has all four statements in the correct order as you have configured them. Note that
the output does not display the implicit permit statements for neighbor discovery, and deny any
statement that is at the end of every ACL.
The first line of the ACL will block all UDP traffic. SRV1 is configured as the NTP server, but
because NTP uses the UDP protocol, the first line in the ACL should block IPv6 access for PC2.
To verify it, access the console of PC2 and configure it to use the SRV1 IPv6 address as an NTP
server. Then display the status of NTP on PC2.
PC2# conf t
PC2(config)# ntp server 2001:DB8:0:3::30
PC2(config)# end
Because NTP traffic from PC2 is blocked, you should find that it has not synchronized to SRV1.
PC2# show ntp statusClock is unsynchronized, stratum 16, no reference clock

nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**10
ntp uptime is 6500 (1/100 of seconds), resolution is 4000
reference time is 00000000.00000000 (00:00:00.000 PST Mon Jan 1 1900)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.99 msec, peer dispersion is 0.00 msec
loopfilter state is 'FSET' (Drift set from file), drift is 0.000000000 s/s
system poll interval is 8, never updated.
The second line in the ACL explicitly permits Telnet traffic from PC2. Verify that PC2 can
successfully telnet to the SRV1 IPv6 address. Use the username "admin" and password
"Cisco123".
At the SRV1 system prompt, use the exit command to terminate the connection.
PC2# telnet 2001:DB8:0:3::30

Trying 2001:DB8:0:3::30 ... Open
Username: admin
Password:
SRV1>exit
[Connection to 2001:DB8:0:3::30 closed by foreign host]

PC2#
The third line in the ACL denies all other TCP traffic from PC2. Verify that PC2 cannot use SSH
to reach the SRV1 IPv6 address.
PC2# ssh -l admin 2001:DB8:0:3::30% Destination unreachable; gateway or host

down
The fourth line in the ACL, which explicitly permits all IPv6 traffic, should permit any non-UDP
traffic from PC2. Verify that PC2 can ping the server.
PC2# ping 2001:DB8:0:3::30

!!!!!
The first three lines do not explicitly specify the ICMP protocol. So, any ICMP traffic should be
permitted by the fourth line in the ACL which explicitly permits all IPv6 traffic that did not
match any of the previous lines.
The ACL only applies to traffic coming from PC2. Access the console of PC1 and attempt the
same test sequence that you did from PC1.
The test uses ICMP and TCP, not UDP. All the tests should succeed.
PC1# telnet 2001:DB8:0:3::30
Trying 2001:DB8:0:3::30 ... Open
Username: admin
Password:
SRV1>exit

PC1# ssh -l admin 2001:DB8:0:3::30
Password:
SRV1>exit

PC1# ping 2001:DB8:0:3::30
!!!!!
Notice that PC1 can both telnet and SSH to the server, whereas PC2 could not because no ACL
is applied toward the PC1.
Display the ACL again and observe the updated hit counters that are associated with the activity
that you just initiated.
R1# show ipv6 access-list Example6

IPv6 access list Example6
deny udp any any (9 matches) sequence 10
permit tcp host 2001:DB8:0:10:A8BB:CCFF:FE00:1900 any eq telnet (39
matches) sequence 20
deny tcp host 2001:DB8:0:10:A8BB:CCFF:FE00:1900 any (1 match) sequence 30
permit ipv6 any any (173 matches) sequence 40
Due to the dynamic nature of the lab environment, the hit counters that you observe are likely to
differ from what the example shows.
Troubleshooting ACL Issues in IPv6
Another cause of a malfunction of an IPv6 network can be an ACL misconfiguration.
In the given scenario, the Telnet connection to the server is not working and you need to investigate the
ACLs that are configured on the router.
First, you can verify whether there are any IPv6 ACLs configured on a router. You can use the show ipv6
access-list command. In the example, an ACL that is named Outbound is configured on the router.
Next, verify if an ACL is attached to an interface. Use the show ipv6 interface command.
In the example, an ACL that is named Outbound is configured on the router. The ACL is applied to the
GigabitEthernet0/1 interface in the outbound direction.
In the example, you verified that an ACL that is named Outbound is configured on the router. The ACL is
applied to the GigabitEthernet0/1 interface in the outbound direction. The ACL permits only ICMP
protocol, which is why ping will work. In order to allow Telnet from PC1 to the server, you need to add an
entry in the Outbound ACL to allow the protocol TCP and port 23 for Telnet.
After correcting the ACL, a Telnet connection from PC1 to the server will be successful.
Discovery 11: Troubleshoot IPv6 Network
Connectivity
Introduction
This discovery will give you a chance to do some troubleshooting in an IPv6 environment. The live virtual
lab is prepared with the devices that are represented in the topology diagram and the connectivity table. All
devices have their basic configurations in place, including hostnames and IP addresses. IPv4 and IPv6
coexist in this network in a dual stack environment. RIP is configured on the routers to provide IPv4
routing. For IPv6, static routes are configured.
Four issues have been introduced on different devices. Your job is to find and fix these issues. There are
only four steps in this discovery. A step describes the complaint that you must address. To get the feeling of
troubleshooting activities, try to uncover and resolve the problems before you use the Answer Key for each
step.
Resolve each issue before moving to the next issue. Sometimes, you may have to resolve a previous issue so
that the following issues are demonstrated.
Topology
Job Aid

• All devices have their basic configurations in place, including hostnames, IPv4, and IPv6 addresses.
• RIP is configured on all four routers to provide IPv4 routing.
• Static routes are configured on all four routers to provide IPv6 routing.
• Four issues, related to the PCs connectivity to the SRVs, exist in the network.
Device Information
SRV1 Ethernet0/0 R3 10.10.3.30/24 2001:DB8:0:3::30/64
SRV2 Ethernet0/0 R4 10.10.4.40/24 2001:DB8:0:4::40/64
SW1 VLAN 1 — 10.10.1.4/24 2001:DB8:0:1::/64 Auto
SW2 VLAN 1 — 10.10.2.4/24 2001:DB8:0:2::/64 Auto
R1 Ethernet0/0 SW1 10.10.1.1/24 2001:DB8:0:1::1/64
R1 Ethernet1/0 R3 10.1.1.2/30 2001:DB8:0:13::1/64
R1 Ethernet1/1 R4 10.1.1.10/30 2001:DB8:0:14::1/64
R2 Ethernet 0/0 SW2 10.10.2.1/24 2001:DB8:0:2::1/64
R2 Ethernet1/0 R3 10.1.1.6/30 2001:DB8:0:23::1/64
R2 Ethernet1/1 R4 10.1.1.14/30 2001:DB8:0:24::1/64
R3 Ethernet2/0 R1 10.1.1.1/30 2001:DB8:0:13::2/64
R3 Ethernet2/1 R2 10.1.1.5/30 2001:DB8:0:23::2/64
R3 Ethernet0/0 SRV1 10.10.3.1/24 2001:DB8:0:3::1/64
R4 Ethernet2/0 R1 10.1.1.9/30 2001:DB8:0:14::2/64
R4 Ethernet2/1 R2 10.1.1.13/30 2001:DB8:0:24::2/64
R4 Ethernet0/0 SRV2 10.10.4.1/24 2001:DB8:0:4::1/64
Task 1: Troubleshoot IPv6 Network Connectivity

Activity
The user at PC1 is complaining of not being able to connect to SRV1. In fact, if the user attempts
to ping SRV1, the ping shows that the server is unreachable.
PC1# ping SRV1

.....
The IPv6 address of SRV1 that PC1 is pinging is 2001:DB8:0:4::30. However, this address is not
the IPv6 address of the server. You can verify it by showing the interface status on SRV1 or by
comparing the address to the information in the topology diagram and the connectivity table.
SRV1# show ipv6 interface Ethernet0/0
IPv6 is enabled, link-local address is FE80::A8BB:CCFF:FE00:4500
No Virtual link-local address(es):
Description: Link to R3
Global unicast address(es):
2001:DB8:0:3::30, subnet is 2001:DB8:0:3::/64
Joined group address(es):
FF02::1
FF02::1:FF00:30
FF02::1:FF00:4500
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ICMP unreachables are sent
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds (using 30000)
ND NS retransmit interval is 1000 milliseconds
Default router is FE80::A8BB:CCFF:FE00:2100 on Ethernet0/0
If you ping the SRV1 using the IPv6 address, you will see that the server is reachable.
PC1# ping 2001:DB8:0:3::30

!!!!!
So, the problem is an incorrect entry for SRV1 in the local host configuration on PC1.
PC1# show running-config | include host

hostname PC1
ipv6 host SRV2 2001:DB8:0:4::40
ipv6 host PC1 2001:DB8:0:1:A8BB:CCFF:FE00:100
ipv6 host PC2 2001:DB8:0:2:A8BB:CCFF:FE00:200
ipv6 host SRV1 2001:DB8:0:4::30
You can resolve the problem by configuring the host entry properly.
PC1# conf t
PC1(config)# ipv6 host SRV1 2001:DB8:0:3::30
PC1(config)# end
When you configure the entry properly, you should be able to ping SRV1 by hostname from
PC1.
PC1# ping SRV1

!!!!!
The user on PC2 is having trouble getting to most network resources. In particular, the user
needs to access SRV1.
PC2# ping SRV1
% No valid route for destination

The ping command indicates that there is no route to the destination. That is, PC2 does not have
a route, not that its gateway indicates that the gateway lacks a route.
PC2# show ipv6 route

IPv6 Routing Table - default - 1 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP
H - NHRP, I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea
IS - ISIS summary, D - EIGRP, EX - EIGRP external, NM - NEMO
ND - ND Default, NDp - ND Prefix, DCE - Destination, NDr - Redirect
O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2, l - LISP
L FF00::/8 [0/0]
via Null0, receive
The only entry in the IPv6 routing table for PC2 is the multicast for Null0.
PC2# show ipv6 interface Ethernet0/0

Stateless address autoconfig enabledNo global unicast address is configured
FF02::1
FF02::2
FF02::1:FF00:2600
MTU is 1500 bytes
ND advertised reachable time is 0 (unspecified)
ND advertised retransmit interval is 0 (unspecified)
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
ND advertised default router preference is Medium
Hosts use stateless autoconfig for addresses.
PC2 is configured for stateless autoconfiguration. It needs to see a router advertisement to

properly configure its own IPv6 address and gateway assignment. Why does R2 not send the
advertisements?
R2# show ipv6 interface Ethernet0/0Ethernet0/0 is administratively down, line
protocol is down
IPv6 is tentative, link-local address is FE80::A8BB:CCFF:FE00:2000 [TEN]
Global unicast address(es):
2001:DB8:0:2::1, subnet is 2001:DB8:0:2::/64 [TEN]
FF02::1
FF02::2
MTU is 1500 bytes
The cause is that the Ethernet0/0 interface on R2 (the one facing PC2) is administratively down.
R2# conf t
R2(config-if)# end*Oct 29 09:51:24.134: %LINK-3-UPDOWN: Interface Ethernet0/0,
changed state to up
*Oct 29 09:51:25.139: %LINEPROTO-5-UPDOWN: Line protocol on Interface
When you enable the Ethernet0/0 interface, stateless autoconfiguration works properly on PC2.
Note that IPv6 address in your output may be different.
PC2# show ipv6 interface Ethernet0/0

Stateless address autoconfig enabled
Global unicast address(es):2001:DB8:0:2:A8BB:CCFF:FE00:2600, subnet is
2001:DB8:0:2::/64 [EUI/CAL/PRE]
valid lifetime 2591988 preferred lifetime 604788
FF02::1
FF02::2
FF02::1:FF00:2600
MTU is 1500 bytes
PC2 should now have access to network resources (SRV1 in this case).
PC2# ping SRV1

!!!!!
The user at PC2 is much happier now because of being able to access SRV1. However, the user
is still having difficulty reaching SRV2. Connectivity is terrible. When the user attempts to ping
SRV2, half of the packets time out.
PC2# ping SRV2

.!.!.
When the packets consistently alternate between success and timeout, it indicates that there is
load balancing going on at a point where one of the paths is valid and the other path is not.
Where might this be? You know that the path from PC2 to SRV2 should traverse R2 and R4.
Observe R2 to determine if R2 is the point where load balancing occurs.
R2# show ipv6 route

C 2001:DB8:0:2::/64 [0/0]
via Ethernet0/0, directly connected
S 2001:DB8:0:4::/64 [1/0]
via 2001:DB8:0:24::2, Ethernet1/1
There is no load balancing going on for the SRV2 subnet on R2. R2 is directly connected to
2001:DB8:0:2::/64 (the PC2 network) and it forwards all traffic for that network directly from
Ethernet0/0. R2 also forwards all traffic that is destined to 2001:DB8:0:4::/64 (the SRV2
network) to R4 via Ethernet/1.
Move to R4 and observe if R4 is the point where load balancing occurs.
R4# show ipv6 route
S 2001:DB8:0:2::/64 [1/0]
via 2001:DB8:0:24::1, Ethernet2/1
C 2001:DB8:0:4::/64 [0/0]
The situation is the same on R4. It is directly connected to the SRV2 network and it forwards all
traffic to the PC2 network to R2 via Ethernet2/1.
If the problem is not on the routers, it may be on the endpoints.
SRV2# show ipv6 route

S ::/0 [1/0]
via 2001:DB8:0:4::1
via 2001:DB8:0:4::2
C 2001:DB8:0:4::/64 [0/0]
L 2001:DB8:0:4::40/128 [0/0]
via Ethernet0/0, receive
L FF00::/8 [0/0]
via Null0, receive
Two static default routes are configured on SRV2. One points to R4 and the other points to a
nonexistent address. You have to remove the invalid route.
SRV2# conf t
SRV2(config)# no ipv6 route ::/0 2001:DB8:0:4::2
SRV2(config)# end
This should ensure consistent communication between PC2 and SRV2.
PC2# ping SRV2

!!!!!
Even though you have successfully solved the problems that the user at PC2 had with access to
SRV2, now the user at PC1 is complaining about access to the SRV2. SRV2 is running HTTP
services on port 80; however, the user is complaining that the web access to the server is not
working.
PC1# telnet SRV2 80

Translating "SRV2"...domain server (255.255.255.255)
Trying 2001:DB8:0:4::40, 80 ...
PC1# ping SRV2

!!!!!
Remember that Telnet uses TCP to test connectivity. By default, it will connect to port 23, but
you can also specify other ports. SRV2 on port 80 is not reachable; however, you can see that
ping, which uses ICMP to test connectivity, to SRV2 is successful.
SRV2 is reachable, so you have to determine who in the network is blocking the connectivity.
Using the traceroute command, you can determine which path does the PC1 take to reach
SRV2. This action will give you the list of routers to investigate.
PC1# traceroute SRV2

Tracing the route to SRV2 (2001:DB8:0:4::40)
1 2001:DB8:0:1::1 1 msec 1 msec 0 msec

2 2001:DB8:0:14::2 1 msec 1 msec 1 msec
3 SRV2 (2001:DB8:0:4::40) 0 msec 1 msec 0 msec
PC1 takes the path via R1 and R4 to reach SRV2. Investigate if any of these two routers are
blocking the web access to SRV2.
R1# show ipv6 access-list

R1#
There is no IPv6 access list configured on R1. What about R4?
R4# show ipv6 access-list

IPv6 access list Outbound
deny tcp any host 2001:DB8:0:4::40 eq www (2 matches) sequence 10
deny tcp any host 2001:DB8:0:4::40 eq 443 sequence 20
permit tcp any host 2001:DB8:0:4::40 sequence 30
permit icmp any any (32 matches) sequence 40
permit tcp any any eq telnet sequence 50
permit ipv6 any any (3 matches) sequence 60
R4 has an IPv6 access list configured that is blocking the www access to SRV2. Verify where
this access list is applied.

!
description Link to R1
ip address 10.1.1.9 255.255.255.252
ipv6 address 2001:DB8:0:14::2/64
end


!
description Link to SRV2
ip address 10.10.4.1 255.255.255.0
ipv6 address 2001:DB8:0:4::1/64
ipv6 traffic-filter Outbound out
end
The IPv6 access list is applied in the outbound direction to the Ethernet0/0 interface, the one
connecting to the SRV2.
Note: To see if an access-list is applied to an interface, you could also use the show ipv6
interface command. However, the output for IPv6 is not the same as for IPv4—the access-list
part appears only if there is an access-list applies to this interface.
To solve the problem, you have to options. You can either remove the first statement in the
access list completely, or you can change it to "permit." The first option is shown here.
R4# conf t
R4(config)# ipv6 access-list Outbound
R4(config-ipv6-acl)# no sequence 10
Note: The command to add or remove the specific rule from the access-list is not the same as for
IPv4 access-lists. You also have to specify the sequence keyword before the sequence-number.
PC1 should now be able to connect to SRV2 on port 80—the user should have web access to the
server.
PC1# telnet SRV2 80

Translating "SRV2"...domain server (255.255.255.255)
Trying 2001:DB8:0:4::40, 80 ... Open
Self Check
Which command verifies end-to-end transport layer connectivity for SMTP from a PC over an IPv6
path?
A. pingIPv6_address 25
B. telnetIPv4_address 23
C. telnetIPv6_address 25
D. tracertIPv6_address
Based on this output, the router is able to send a packet to the server at 2001:db8:172:16::100.
A. True
B. False
Which three options are valid representations of the IPv6 address

2035:0001:2BC5:0000:0000:087C:0000:000A? (Choose three.)
A. 2035:0001:2BC5::087C::000A
B. 2035:1:2BC5::87C:0:A
C. 2035:0001:2BC5::087C:0000:000A
D. 2035:1:2BC5:0:0:87C::A
E. 2035:1:2BC5::087C:A
Which statement is true about the EUI-64 address format of the system ID for stateless
autoconfiguration that is used by Cisco?
A. It is the MAC address plus the Site-Level Aggregator
B. It is the MAC address plus the ISO OUI
C. It expands the 48-bit MAC address to 64 bits by inserting FFFE into the middle 16 bits.
D. It does not follow IEEE standards for uniqueness of the address.
E. It is only used by Cisco
Which command will show that the current IPv6 path matches the desired path to reach destinations?
A. show ipv6 address
B. show ipv6 route
C. show ipv6 interface
D. show ipv6 inspect
Which type of IPv6 address is advertised inside route advertisements as a default gateway?
A. global unicast
B. loopback
C. reserved
D. link-local
Which command verifies whether any IPv6 ACLs are configured on a router?
A. showipv6 configuration
B. show ipv6 interface
C. show ipv6 access-list
D. show ipv6 route
Answer Key
Self Check
1. C
2. B
3. B, C, D
4. C
5. B
6. D
7. C
Module 3: Implementing an
EIGRP-Based Solution
Introduction
EIGRP is an advanced distance vector routing protocol. EIGRP was a Cisco proprietary protocol, so all
routers in a network that is running EIGRP had to be Cisco routers. Partial functionality of EIGRP was
converted to an open standard in 2013. EIGRP is often considered a hybrid protocol because it also sends
link state updates when link states change. EIGRP is an interior gateway protocol that is suited for many
different topologies and media. In a well designed network, EIGRP scales well and provides extremely
quick convergence times with minimal network traffic.
In this module, you will learn how to implement basic EIGRP configuration both for IPv4 and IPv6 and
how to verify the operation of this routing protocol. You will also perform basic troubleshooting steps for
common EIGRP issues and configuration mistakes.
Lesson 1: Implementing
EIGRP
Overview
A new client calls CCS and reports slow network response. After speaking with the network administrator,
Bob decides that the network issues can be resolved by moving this customer from RIP to a more robust
routing protocol. Bob explains the benefits of EIGRP to the customer and they agree to an onsite
engagement. You will need to go onsite to the new company, shut down RIP, and configure EIGRP. You
should know the technology behind EIGRP before you go onsite so you can answer any customer inquiries
while on the job.
Dynamic Routing Protocols
A routing protocol is a set of processes, algorithms, and messages that are used to exchange routing
information. Routing information is used to populate the routing table with the best paths to destinations on
the network. As routers learn of changes to network reachability, this information is dynamically passed
onto other routers.
All routing protocols have the same purpose: to learn about remote networks and to quickly adapt whenever
there is a change in the topology. The method that a routing protocol uses to accomplish this purpose
depends upon the algorithm that it uses and the operational characteristics of this protocol. The operations of
a dynamic routing protocol vary, depending on the type of routing protocol and on the routing protocol
itself.
Although routing protocols provide routers with up-to-date routing tables, there are costs that put additional
demands on the memory and processing power of the router. First, the exchange of route information adds
overhead that consumes network bandwidth. This overhead can be a problem, particularly for low-
bandwidth links between routers. Second, after the router receives the route information, protocols such as
EIGRP and OSPF process it extensively to make routing table entries. So, the routers that use these
protocols must have sufficient processing capacity to implement the algorithms of the protocol and to
perform timely packet routing and forwarding.
An AS, otherwise known as a routing domain, is a collection of routers under a common administration,
such as an internal company network or an ISP network. Because the Internet is based on the AS concept,
the following two types of routing protocols are required:
• IGP: The IGP routing protocol is used to exchange routing information within an AS. EIGRP, IS-IS,
OSPF, and RIP are examples of IGPs.
• EGP: The EGP routing protocol is used to route between autonomous systems. BGP is the EGP of
choice in networks today.
Within an AS, most IGP routing can be classified as distance vector or link-state routing:
• Distance vector: The distance vector routing approach determines the direction (vector) and distance
(such as hops) to any link in the internetwork. Some distance vector protocols periodically send
complete routing tables to all of the connected neighbors. In large networks, these routing updates can
become very large, causing significant traffic on the links. The only information that a router knows
about a remote network is the distance or metric to reach this network and which path or interface to use
to get there. Distance vector routing protocols do not have an actual map of the network topology. RIP
is an example of a distance vector routing protocol while EIGRP is an advanced distance vector routing
protocol.
• Link state: The link-state approach, which uses the SPF algorithm, creates an abstract of the exact
topology of the entire internetwork, or at least of the partition in which the router is situated. A link-
state routing protocol is like having a complete map of the network topology. A link-state router uses
the link-state information to create a topology map and to select the best path to all destination networks
in the topology. The OSPF and IS-IS protocols are examples of link-state routing protocols.
Also, there is classful and classless routing:

• Classful routingprotocol: Classful routing protocol is a consequence of the fact that subnet masks are
not advertised in the routing advertisements that most distance vector routing protocols generate. When
a classful routing protocol is used, all subnetworks of the same major network (Class A, B, or C) must
use the same subnet mask, which is not necessarily a default major class subnet mask. Routers that are
running a classful routing protocol perform automatic route summarization across network boundaries.
Classful routing protocols are obsolete in networks today.
• Classless routingprotocol: Classless routing protocols can be considered second-generation protocols
because they are designed to address limitations of classful routing protocols such as RIPv1 and IGRP.
A prime limitation of classful routing protocols is that the subnet mask is not exchanged during the
routing update process. This limitation means that the same subnet mask must be used on all
subnetworks within the same major network. When you consider point-to-point serial WAN
connections, using a 24-bit network prefix is very wasteful when all that is required is a 30-bit network
prefix to accommodate the two endpoints.
Another limitation of the classful approach is the need to automatically summarize to the classful network
number at all major network boundaries. As an example, using 172.16.0.0/16 as the classful network allows
only a single, flat network. If the class B network is subnetted into /24 networks, there are now 255 subnets
available. If the company connects to another network, it must advertise the 172.16.0.0/16 summary,
because the classful routing protocol does not have the capability to provide subnet-specific routes.
In the classless environment, the summarization process is controlled manually and can usually be invoked
at any bit position within the address. Because subnet routes are propagated throughout the routing domain,
manual summarization may be required to keep the size of the routing tables manageable. Classless routing
protocols include RIPv2, EIGRP, OSPF, and IS-IS.
Administrative Distance
In an enterprise network, it is not uncommon to encounter multiple dynamic routing protocols and static
routes configured on Layer 3 devices. If there are several sources for routing information, such as specific
routing protocols, static routes, and even directly connected networks, a method is required to rate the
trustworthiness of each routing information source in order to select the best path.
Cisco IOS Software uses the concept of administrative distance to select the best path when it learns about
the same destination network from two or more routing sources.
Administrative distance ranks the reliability of a routing protocol. Each routing protocol is prioritized in
order of most to least reliable (believable) with the help of an administrative distance value.
The administrative distance is an integer from 0 to 255. A routing protocol with a lower administrative
distance is considered more trustworthy than the one with a higher administrative distance.
As illustrated in the figure, the router has a packet to deliver from network A to network B. The router must
choose between the routes advertised by EIGRP and RIP. Given that there are fewer hops to the destination
network via RIP, it appears to be the better choice. However, the EIGRP route has a lower administrative
distance than RIP, so the router will choose the route that was advertised by EIGRP and install it in the
routing table. If for some reason the path that was advertised by EIGRP goes down, the route that was
advertised by RIP will be entered into the routing table.
The table shows the default administrative distance for selected routing information sources.
The default administrative distances can be tuned for each routing protocol.
Route Source Default Distance
Connected interface 0
Static route 1
EBGP 20
EIGRP 90
OSPF 110
IS-IS 115
RIP 120
External EIGRP 170
IBGP 200
Unreachable 255 (will not be used to pass traffic)
EIGRP Features
EIGRP is a Cisco proprietary routing protocol that combines the advantages of link-state and distance vector
routing protocols. EIGRP may act like a link-state routing protocol, because it uses a Hello protocol to
discover neighbors and form neighbor relationships, and only partial updates are sent when a change occurs.
However, EIGRP is based on the key distance vector routing protocol principle, in which information about
the rest of the network is learned from directly connected neighbors.
Look into the EIGRP features in more detail:

• Rapid convergence: EIGRP uses DUAL to achieve rapid convergence. As the computational engine
that runs EIGRP, DUAL resides at the center of the routing protocol, guaranteeing loop-free paths and
backup paths throughout the routing domain. A router that uses EIGRP stores all available backup
routes for destinations so that it can quickly adapt to alternate routes. If the primary route in the routing
table fails, the best backup route is immediately added to the routing table. If no appropriate route or
backup route exists in the local routing table, EIGRP queries its neighbors to discover an alternate route.
• Load balancing: EIGRP supports unequal metric load balancing and equal metric load balancing,
which allows administrators to better distribute traffic flow in their networks.
• Loop-free, classless routingprotocol: Because EIGRP is a classless routing protocol, it advertises a
routing mask for each destination network. The routing mask feature enables EIGRP to support
discontiguous subnetworks and VLSMs.
• Reduced bandwidth usage: EIGRP updates can be thought of as either "partial" or "bounded." EIGRP
does not make periodic updates. The term "partial" means that the update only includes information
about the route changes. EIGRP sends these incremental updates when the state of a destination
changes, instead of sending the entire contents of the routing table. The term "bounded" refers to the
propagation of partial updates that are sent only to those routers that the changes affect. By sending only
the routing information that is needed and only to those routers that need it, EIGRP minimizes the
bandwidth that is required to send EIGRP updates. EIGRP uses multicast and unicast rather than
broadcast. Multicast EIGRP packets use the reserved multicast address of 224.0.0.10. As a result, end
stations are unaffected by routing updates and requests for topology information.
EIGRP Path Selection
In the context of dynamic IP routing protocols like EIGRP, the term path selection refers to the method by
which the protocol determines the best path to a destination IP network.
Each EIGRP router maintains a neighbor table. This table includes a list of directly connected EIGRP
routers that have formed an adjacency with this router. Neighbor relationships are used to track the status of
these neighbors. EIGRP uses a lightweight Hello protocol to monitor the connection status with its
neighbors.
Each EIGRP router maintains a topology table for each routed protocol configuration. The topology table
includes route entries for every destination that the router learns from its directly connected EIGRP
neighbors. EIGRP chooses the best routes to a destination from the topology table and places these routes in
the routing table.
A router compares all FDs to reach a specific network and then selects the lowest FD and places it in the
routing table. The FD for the chosen route becomes the EIGRP routing metric to reach this network in the
routing table.
The EIGRP topology database contains all the routes that are known to each EIGRP neighbor. As shown in
the example above, routers A and B sent their routing tables to router C, whose table is displayed. Both
routers A and B have routes to network 10.1.1.0/24, as well as to other networks that are not shown.
Router C has two entries to reach 10.1.1.0/24 in its topology table. The EIGRP metric for router C to reach
both routers A and B is 1000. Add this metric (1000) to the respective AD for each router, and the results
represent the FDs that router C must travel to reach network 10.1.1.0/24.
Router C chooses the smallest FD (2000) and installs it in the IP routing table as the best route to reach
10.1.1.0/24. The route with the smallest FD that is installed in the routing table is called the "successor
route."
Router C then chooses a backup route to the successor that is called a "feasible successor route," if one or
more feasible successor routes exist. To become a feasible successor, a route must satisfy this feasibility
condition: A next-hop router must have an AD that is less than the FD of the current successor route
(therefore, the route is tagged as a feasible successor). This rule is used to ensure that the network is loop-
free.
If the route via the successor becomes invalid, possibly because of a topology change, or if a neighbor
changes the metric, DUAL checks for feasible successors to the destination route. If a feasible successor is
found, DUAL uses it, avoiding the need to recompute the route. A route will change from a passive state to
an active state if no feasible successor exists, and a recomputation must occur to determine the new
successor.
In this example, values for the EIGRP metric and for FDs and ADs are optimized for explanation purposes.
The real metric values are much larger.
EIGRP Metric
Unlike other routing protocols (such as RIP and OSPF), EIGRP does not use a single attribute to determine
the metric of its routes. EIGRP uses a combination of four different features to determine its metric. These
features are all physical characteristics of an interface.
The EIGRP metric can be based on four criteria, but by default, EIGRP uses only two:
• Bandwidth: The smallest bandwidth of all outgoing interfaces between the source and destination, in
kilobits.
• Delay: The cumulative (sum) of all interface delay along the path, in tens of microseconds.
Two additional criteria can be used, but are not recommended because they typically result in frequent
recalculation of the topology table:
• Reliability: This value represents the worst reliability between the source and destination, which is
based on keepalives.
• Load: This value represents the worst load on a link between the source and destination, which is
computed based on the packet rate and the configured bandwidth of the interface.
The composite metric formula is used by EIGRP to calculate metric value. The formula consists of values
K1 through K5, which are known as EIGRP metric weights. By default, K1 and K3 are set to 1, and K2, K4,
and K5 are set to 0. The result is that only the bandwidth and delay values are used in the computation of the
default composite metric. The metric calculation method (K values) and the EIGRP AS number must match
between EIGRP neighbors.
Although an MTU is exchanged in EIGRP packets between neighbor routers, the MTU is not factored into
the EIGRP metric calculation.
EIGRP uses scaled values to determine the total metric: 256 * ([K1 * bandwidth] + [K2 * bandwidth] / [256
– Load] + K3 * Delay) * (K5 / [Reliability + K4]), where if K5 = 0, the (K5 / [Reliability + K4]) part is not
used (that is, equals 1). Using the default K values, the metric calculation simplifies to 256 * (bandwidth +
delay).
EIGRP metric K values are carried in EIGRP hello packets. Therefore a mismatched K value will cause a
neighbor to be reset even if that value is unused. The values must be consistently configured throughout
the network, and only changed under the recommendation of Cisco.
By using the show interface command, you can examine the actual values that are used for bandwidth,
delay, reliability, and load in the computation of the routing metric. The output in the figure shows the
values that are used in the composite metric for the Serial0/0/0 interface.
You can influence the EIGRP metric by changing bandwidth and delay on an interface, using
bandwidthkbps and delaymicroseconds interface configuration commands.
Discovery 12: Configure and Verify EIGRP
Introduction
This discovery will guide you through the configuration and verification of EIGRP on a Cisco IOS router.
The virtual lab is prepared with the devices represented in the topology diagram and the connectivity table.
All devices have their basic configurations in place, including hostnames and IP addresses. R2 and R3 are
also configured with EIGRP using AS number 1. In this discovery, you will configure EIGRP on R1 and
verify the results.
Topology
Job Aid

• EIGRP is preconfigured on R2 and R3:
– AS number 1 is used.
– Both routers are announcing Loopback interface network.
Device Information
Device Details
Device Interface IP Address Neighbor
R1 Ethernet0/0 10.10.1.1/24 R2
R1 Loopback0 10.10.11.1/24 —
R2 Ethernet0/0 10.10.1.2/24 R1
R2 Ethernet0/1 10.10.2.1/24 R3
R2 Loopback0 10.10.12.1/24 —
R3 Ethernet0/0 10.10.2.2/24 R2
R3 Loopback0 10.10.13.1/24 —
Task 1: Configure and Verify EIGRP

Activity
Access the console of R2 and display EIGRP configuration.
R2# show running-config | section eigrp

router eigrp 1
network 10.0.0.0
You should see that EIGRP is preconfigured for AS number 1 and network 10.0.0.0/8 is
included.
Access the console of R3 and display EIGRP configuration.
R3# sh running-config | section eigrp

router eigrp 1
network 10.0.0.0
You should see that EIGRP is preconfigured for AS number 1 and network 10.0.0.0/8 is
included.
Configuring EIGRP
Command Description
router eigrpas_number Enables the EIGRP routing process for the AS that is specified.
networknetwork_number Associates the network with the EIGRP routing process. Use of the wildcard
[wildcard_mask] mask is optional.
no shutdown EIGRP has a shutdown feature. The routing process should be in the no
shutdown mode in order to start running. The default behavior is different
between Cisco IOS Software versions.
The router eigrp global configuration command enables EIGRP.
Use the router eigrp and network commands to create an EIGRP routing process. Note that EIGRP
requires an AS number. The AS parameter is a number between 1 and 65,535 that is chosen by the network
administrator.
The network command is used in the router configuration mode.
The AS number that EIGRP refers to in the parameter can be assigned any 16-bit value. As opposed to
OSPF, the AS number in EIGRP must match on all routers that are involved in the same EIGRP process.
The network command in EIGRP has the same function as in other IGP routing protocols:
• The network command defines a major network number to which the router is directly connected. Any
interface on this router that matches the network address in the network command will be enabled to
send and receive EIGRP updates. The EIGRP routing process looks for interfaces that have an IP
address that belongs to the networks that are specified with the network command. The EIGRP process
begins on these interfaces.
• This network (or subnet) will be included in EIGRP routing updates.
To configure EIGRP to advertise specific subnets only, use the wildcard-mask option with the network
command. For example, for subnet 255.255.255.0 the wildcard mask will be 0.0.0.255.
You can also use the subnet mask with EIGRP, however the IOS will automatically correct it to be the
wildcard mask.
Access the console of R1. Enable EIGRP AS number 1 and include the network 10.0.0.0/8 on
R1.
Enter the following commands to the R1 router:
R1# conf t
R1(config)# router eigrp 1
R1(config-router)# network 10.0.0.0
*Oct 6 08:14:41.002: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.10.1.2
(Ethernet0/0) is up: new adjacency
R1(config-router)# end
R1#
Since 10.0.0.0 is the base address of the full Class A network 10.0.0.0/8, you do not need to
include a subnet mask in the network statement.
The EIGRP neighbor relationship with R2 was established immediately after entering the
network statement that included the IP address of R1’s Ethernet0/0 interface.
Verifying EIGRP Neighbors
Use the show ip eigrp neighbors command to display the neighbors that EIGRP discovered and to
determine when neighbors become active and inactive. The command is also useful for debugging transport
problems.
Field Description
AS(100) Process number that is specified with the router command
Address IP address of the EIGRP peer
Interface Interface on which the router is receiving hello packets from the peer
Hold (sec) Length of time (in seconds) that Cisco IOS Software waits to hear from the peer before declaring it
down. If the peer is using the default hold time, this number is less than 15. If the peer configures a
nondefault hold time, the nondefault hold time is displayed.
Uptime Elapsed time (in the hours:minutes:seconds format) since the local router first heard from this
neighbor
Q Cnt Number of EIGRP packets (update, query, and reply) that the software is waiting to send
Seq Num Sequence number of the last update, query, or reply packet that was received from this neighbor
Display the EIGRP neighbor table on R1.
R2 is an EIGRP neighbor of R1.
R1# show ip eigrp neighbors

EIGRP-IPv4 Neighbors for AS(1)
H Address Interface Hold Uptime SRTT RTO Q
Seq
(sec) (ms) Cnt
Num
0 10.10.1.2 Et0/0 13 00:01:04 1599 5000 0 7
Verifying EIGRP Interfaces
Use the show ip eigrp interfaces command to determine on which interfaces EIGRP is active and to learn
information about EIGRP that relates to those interfaces. If you specify an interface (for example, show ip
eigrp interfaces GigabitEthernet0/0), only this interface is displayed. Otherwise, all interfaces on which
EIGRP is running are displayed. If you specify AS (for example, show ip eigrp 100 interfaces), only the
routing process for the specified AS is displayed. Otherwise, all EIGRP processes are displayed.
Field Description
Interface Interface over which EIGRP is configured
Peers Number of directly connected EIGRP neighbors on the interface
Xmit Queue Unreliable/Reliable Number of packets remaining in the Unreliable and Reliable queues
Mean SRTT Average SRTT interval (in milliseconds) for all neighbors on the interface
Pacing Time Unreliable/Reliable Number of milliseconds to wait after transmitting unreliable and reliable packets
Multicast Flow Timer Number of milliseconds to wait for acknowledgment of a multicast packet by all
neighbors before transmitting the next multicast packet
Pending Routes Number of routes in the packets in the transmit queue waiting to be sent
Display the interfaces on R1 that are participating in EIGRP.
Both Ethernet0/0 and Loopback0 are participating in EIGRP.
R1# show ip eigrp interfaces
EIGRP-IPv4 Interfaces for AS(1)
Xmit Queue PeerQ Mean Pacing Time
Multicast Pending
Interface Peers Un/Reliable Un/Reliable SRTT Un/Reliable
Flow Timer Routes
Et0/0 1 0/0 0/0 1599 0/2
7992 0
Lo0 0 0/0 0/0 0 0/0
0 0
Verifying EIGRP Routes
The show ip route command displays the current entries in the routing table. EIGRP has a default
administrative distance of 90 for internal routes and 170 for routes that are imported from an external
source, such as default routes. When compared to other IGPs, EIGRP is preferred by Cisco IOS Software
because it has the lowest administrative distance.
Display the routing table on R1.
"D" indicates a route that was provided by EIGRP.
R1# show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks

C 10.10.1.0/24 is directly connected, Ethernet0/0
L 10.10.1.1/32 is directly connected, Ethernet0/0
D 10.10.2.0/24 [90/307200] via 10.10.1.2, 00:01:25, Ethernet0/0
C 10.10.11.0/24 is directly connected, Loopback0
L 10.10.11.1/32 is directly connected, Loopback0
D 10.10.12.0/24 [90/409600] via 10.10.1.2, 00:01:25, Ethernet0/0
D 10.10.13.0/24 [90/435200] via 10.10.1.2, 00:01:25, Ethernet0/0
R1 has learned about the network between R2 and R3 as well as the networks of the loopback
interfaces on both R2 and R3.
Verifying EIGRP Topology
The show ip eigrp topology command displays the EIGRP topology table, the active or passive state of
routes, the number of successors, and the FD to the destination. Use the show ip eigrp topology all-links
command to display all paths, even the ones that are not feasible.
Field Description
Codes The state of this topology table entry. Passive and active refer to the EIGRP state regarding
this destination; update, query, and reply refer to the type of packet that is being sent.
P – passive Indicates that no EIGRP computations are being performed for this destination.
A – active Indicates that EIGRP computations are being performed for this destination.
U – update Indicates that an update packet was sent to this destination.
Q – query Indicates that a query packet was sent to this destination.
R – reply Indicates that a reply packet was sent to this destination.
R – reply status A flag that is set after the software has sent a query and is waiting for a reply.
172.16.1.0 Destination IP network number.
/24 Destination subnet mask.
Successors Number of successors. This number corresponds to the number of next hops in the IP
routing table. If "successors" is capitalized, then the route or next hop is in a transition state.
FD The FD is the best metric to reach the destination or the best metric that was known when
the route went active. This value is used in the feasibility condition check. If the reported
distance of the router (the metric after the slash) is less than the FD, the feasibility condition
is met and this path is a feasible successor. After the software determines that it has a
feasible successor, it does not need to send a query for this destination.
Replies The number of replies that are still outstanding (have not been received) regarding this
destination. This information appears only when the destination is in active state.
State The exact EIGRP state that this destination is in. It can be 0, 1, 2, or 3. This information
appears only when the destination is in the active state.
Via The IP address of the peer that told the software about this destination. The first n of these
entries, where n is the number of successors, are the current successors. The remaining
entries on the list are feasible successors.
(156160/128256) The first number is the EIGRP metric that represents the cost, or FD, to the destination. The
second number is the EIGRP metric that this peer advertised.
Serial0/0/0 The interface from which this information was learned.
You can also see the router ID in the output. Each router in an EIGRP routing domain is identified by its
router ID. It is used by a router each time that it communicates with its EIGRP neighbors. The EIGRP router
ID is also used for validating the origin of external routes. If an external route is received with a local router
ID, the route is discarded.
You can set the router ID manually using the eigrp router-id router-id command. The router ID can be
configured with any IP address except 0.0.0.0 and 255.255.255.255. A unique value should be configured
for each router. If the router ID is not explicitly configured, the router will select the highest address of its
loopback interfaces. If there is no loopback interface on the router, it will select the highest IP address of
any other active local interface. The router ID is not changed unless the EIGRP process is cleared, or if the
router ID is manually configured
Display the EIGRP topology database on R1.
You will see five networks in the topology and the router ID for the EIGRP process.
R1# show ip eigrp topology

EIGRP-IPv4 Topology Table for AS(1)/ID(10.10.11.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status
P 10.10.12.0/24, 1 successors, FD is 409600

via 10.10.1.2 (409600/128256), Ethernet0/0
via Connected, Loopback0
via 10.10.1.2 (435200/409600), Ethernet0/0
via 10.10.1.2 (307200/281600), Ethernet0/0
via Connected, Ethernet0/0
There are five networks in the virtual lab topology: the networks associated with the Loopback
interface on each router, the network between R1 and R2, and the network between R2 and R3.
All five of these networks will be represented in the EIGRP topology database on each of the
three routers.
Note that the current router ID is 10.10.11.1, which is the IP address of the Loopback0 interface.
Access the console of R1. Change the EIGRP router ID to 11.11.11.11.
R1# conf t
R1(config-router)# eigrp router-id 11.11.11.11
R1#
Display the EIGRP topology database on R1 to verify the EIGRP router ID.
The EIGRP router ID is set to 11.11.11.11.

via 10.10.1.2 (409600/128256), Ethernet0/0
via 10.10.1.2 (435200/409600), Ethernet0/0
via 10.10.1.2 (307200/281600), Ethernet0/0
Using Passive Interfaces
R1 and R2 have no neighbors that are available over the FastEthernet0/0 interface; therefore, there is no
need to try to establish adjacency over the interfaces. Moreover, the packets that are sent are overhead to the
link bandwidth and also consume CPU resources of the router. To stop sending hello packets over the
interface without neighbors, use the passive-interface command on the specified interface. In the example,
the passive-interface command is used in both routers for the FastEthernet0/0 interface. EIGRP will not
bring up adjacencies on a passive interface.
Configuring the passive-interface command suppresses all incoming and outgoing routing updates and
hello messages.
The passive-interface command has the following properties:
• Prevents a neighbor relationship from being established over the passive interface
• Stops routing updates from being received or sent over the passive interface
• Allows a subnet on the passive interface to be announced in an EIGRP process
Within ISPs and large enterprise networks, distribution routers may have more than 100 interfaces, so
manual configuration of the passive-interface command on interfaces where adjacency is not desired may
create a problem. So, in some networks, you would need to enter 100 or more passive interface statements.
With the default passive interface feature, this issue is solved by allowing all interfaces to be set as passive
by default using a single passive-interface default command. Where adjacencies are desired, the individual
interfaces are configured using the no passive-interface command.
In the figure, R1 and R2 are configured with the passive-interface default command, and all interfaces are
refusing the establishment of EIGRP adjacency by default. The Serial0/0/1 interface on each router is then
configured to allow EIGRP adjacency, because neighbors are expected. The passive-interface command is
disabled for these interfaces.
Access the console of R1. Configure interface Loopback0 as EIGRP passive interface.
R1# conf t
R1(config-router)# passive-interface Loopback0
R1#
Usually, you would configure physical interfaces that are connected to end devices as passive.
Verifying Operation with Passive Interfaces
The most important questions to ask when verifying operation with passive interfaces are as follows:
• Do you see all the neighbors?
• Which interfaces in the routing process are passive?
To see all the available EIGRP neighbors, use the show ip eigrp neighbors command.
To see the passive interfaces in the routing protocol, use show ip protocols command. In the figure, the
command output for R1 shows that the FastEthernet0/0 interface is defined as a passive interface.
Use the show ip protocols command to verify which interfaces are configured as passive.
You should see the Loopback0 interface on the list of passive interfaces.
R1# show ip protocols
*** IP Routing is NSF aware ***
Routing Protocol is "eigrp 1"

Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Default networks flagged in outgoing updates
Default networks accepted from incoming updates
EIGRP-IPv4 Protocol for AS(1)
Metric weight K1=1, K2=0, K3=1, K4=0, K5=0
NSF-aware route hold timer is 240
Router-ID: 11.11.11.11
Topology : 0 (base)
Active Timer: 3 min
Distance: internal 90 external 170
Maximum path: 4
Maximum hopcount 100
Maximum metric variance 1
Automatic Summarization: disabled

Maximum path: 4
Routing for Networks:
10.0.0.0
Passive Interface(s):
Loopback0
Routing Information Sources:
Gateway Distance Last Update
10.10.1.2 90 00:23:41
You will also see that EIGRP routing is enabled for 10.0.0.0 network. Also note that only metric
values K1 and K3 are enabled by default, meaning that metric value is calculated based on
bandwidth and delay only.
EIGRP Load Balancing
In general, load balancing is the capability of a router to distribute traffic over all the router network ports
that are within the same distance from the destination address. Load balancing increases the utilization of
network segments, and this way increases effective network bandwidth. EIGRP supports both equal and
unequal cost path load balancing.
Equal-Cost Load Balancing
Given that good network design involves Layer 3 path redundancy, it is a common customer expectation
that if there are multiple devices and paths to a destination, all paths should be utilized. Mostly, the paths to
a destination have equal costs. In the figure, networks A and B are connected with two equal-cost paths. For
this example, assume that the links are GigabitEthernet.
Equal-cost load balancing is the ability of a router to distribute traffic over all its network ports that are the
same metric from the destination address. Load balancing increases the use of network segments and
increases effective network bandwidth.
By default, Cisco IOS Software applies load balancing across up to four equal-cost paths for a certain
destination IP network, if such paths exist. With the maximum-paths router configuration command, you
can specify the number of routes that can be kept in the routing table. If you set the value to 1, you disable
load balancing.
The actual number of maximum-paths that can be configured varies from device to device.
The maximum-paths command is entered in routing protocol configuration mode. In the example, this
Cisco router supports up to 16 paths.
If you adjust the maximum-paths value, it must be the same on both sides of the path.
HQ(config)#router eigrp 100

HQ(config-router)#maximum-paths ?
<1-16> Number of paths
Unequal-Cost Load Balancing
EIGRP can also balance traffic across multiple routes that have different metrics. This type of balancing is
called unequal-cost load balancing. In the figure, you are presented with a cost difference of almost 4:1. A
real-network example of such situation is the case of a WAN connection from HQ to a branch. The primary
WAN link is a 6 Mb/s MPLS link with a T1 (1.544 Mb/s) backup link.
The default variance is equal to 1. EIGRP will normally only install additional routes (paths) to a destination
when there is zero variance in cost. You can use the variance command to tell EIGRP to install routes in the
routing table, as long as they are less than the current cost multiplied by the variance value. In the example
in the figure, setting the variance to 4 would allow EIGRP to install the backup path and send traffic over it.
The backup path is now performing work instead of just idling.
HQ(config-router)# router eigrp 100
HQ(config-router)# variance ?
<1-128> Metric variance multiplier
HQ(config-router)# variance 4
HQ(config-router)#
Self Check
Which two of the following are classified as link-state routing protocols? (Choose two.)
A. IS-IS
B. OSPF
C. EIGRP
D. RIPv2
E. BGP
A router has learned three possible routes that could be used to reach a destination network. One route is
from EIGRP and has a composite metric of 20584570. Another route is from OSPF with a metric of
842. The last is from RIPv2 and has a metric of 3. Which route or routes will the router install in the
routing table?
A. EIGRP route
B. OSPF route
C. RIPv2
D. All three routes.
E. None of the above.
Refer to the figure and the output of the show ip protocols command. Which two EIGRP metrics are
being used to affect the calculation that selects the best path to add to the EIGRP routing table? (Choose
two.)


Router-ID: 172.16.1.1
Topology : 0 (base)
Active Timer: 3 min
Maximum path: 4
Maximum path: 4
A. Bandwidth
B. Delay
C. load
D. Reliability
E. MTU
Which command should you use to determine whether the EIGRP router ID has been configured in the
EIGRP process? (Choose two)
A. show ip eigrp neighbor
B. show ip eigrp interface
C. show ip protocols
D. show ip eigrp topology
What does passive interface command do in EIGRP?

A. Router cannot form neighbor adjacencies on that interface
B. Router cannot send routing updates on that interface.
C. Router cannot receive routing updates on that interface.
D. All the above.
Here is the show ip route command from router R1. R1 is load- balancing to 10.80.13.0/30 network.
R1>show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
* - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

D 10.80.13.0/30 [90/2681856] via 10.80.234.3, 01:13:17, Serial0/0
[90/2681856] via 10.80.234.2, 01:13:17, Serial1/0
D 10.80.23.2/32 [90/2681856] via 10.80.234.2, 01:13:17, Serial0/0
<output omitted>
On R1, following change was made. How will it affect the EIGRP routing table and topology table ?
(Choose two)

R1(config-router)# maximum-paths 1
A. There will be no change in the routing table for the route 10.80.13.0/30.
B. EIGRP topology table will have both the routes to the network 10.80.13.0/30
C. Only one route will be there is the routing table for 10.80.13.0/30.
D. EIGRP topology table will have only one route for 10.80.13.0/30.
Refer to the output of the show ip protocols command. According to the output, this router is configured
to load-balance over unequal-cost paths. True or false ?


Router-ID: 172.16.1.1
Topology : 0 (base)
Active Timer: 3 min
Maximum path: 4

Maximum path: 4
A. True
B. False
Answer Key
Self Check
1. A, B
2. A
3. A, B
4. C, D
5. D
6. B, C
7. B
EIGRP for IPv6
Overview
You are about to go to a customer site to implement EIGRP for IPv6. You should know the operational
theory behind EIGRP for IPv6 before you go onsite so that you can answer any customer inquiries.
Decide if you are ready to go onsite now to upgrade the network or if you first need to research how to
implement EIGRP for IPv6.
EIGRP for IPv6
Although the configuration and management of EIGRP for IPv4 and EIGRP for IPv6 are similar, they are
configured and managed separately.
EIGRP is inherently a multiprotocol routing protocol because it has supported non-IP IPX and AppleTalk
for some time. IPv6 support is added as a separate module. IPv6 EIGRP is configured and managed
separately from IPv4 EIGRP, but the mechanisms and configuration techniques will be familiar to people
who are skilled with EIGRP for IPv4.
For example, both the IPv4 and IPv6 EIGRP implementations include a shutdown feature that allows the
routing protocol to be configured but also easily disabled. Both use the DUAL to optimize the routing path.
Both are scalable to large networks. There are also a few differences in the IPv4 and IPv6 features. For
example, in contrast with IPv4 EIGRP, IPv6 EIGRP is configured over a link—there is no network
statement as there is for IPv4. Also EIGRP for IPv6 adjacencies use link-local addresses to communicate
and router next-hop attributes are neighboring router link-local addresses.
The basic components of EIGRP for IPv6 remain the same as the IPv4 version.
EIGRP uses a small hello packet to discover other EIGRP-capable routers on directly attached links and
forms durable neighbor relationships. Updates may be acknowledged by using a reliable transport protocol,
or they may be unacknowledged—depending on the specific function that is being communicated. The
protocol provides the flexibility that is needed to unicast or multicast updates, whether acknowledged or
unacknowledged.
Hello packets and updates are set to the well-known, link-local multicast address FF02::A, which Cisco
obtained from the IANA. This multicast distribution technique is more efficient than the broadcast
mechanism that is used by earlier, more primitive routing protocols, such as RIPv1. EIGRP for IPv4 also
uses multicast for update distribution.
EIGRP sends incremental updates when the state of a destination changes, instead of sending the entire
contents of the routing table. This feature minimizes the bandwidth that is required for EIGRP packets.
DUAL, which is an EIGRP algorithm for determining the best path through the network, uses several
metrics to select efficient, loop-free paths. When multiple routes to a neighbor exist, DUAL determines
which route has the lowest metric (named the FD) and enters this route into the routing table. Other possible
routes to this neighbor with larger metrics are received, and DUAL determines the reported distance to this
network. The reported distance is defined as the total metric that is advertised by an upstream neighbor for a
path to a destination. DUAL compares the reported distance with the FD, and if the reported distance is less
than the FD, DUAL considers the route to be a feasible successor and enters the route into the topology
table. The feasible successor route that is reported with the lowest metric becomes the successor route to the
current route if the current route fails. To avoid routing loops, DUAL ensures that the reported distance is
always less than the FD for a neighbor router to reach the destination network; otherwise, the route to the
neighbor may loop back through the local router.
When there are no feasible successors to a route that has failed, but there are neighbors advertising the
route, a recomputation must occur. This process is where DUAL determines a new successor. The amount
of time that is required to recompute the route affects the convergence time. Recomputation is processor-
intensive. It is advantageous to avoid unneeded recomputation. When a topology change occurs, DUAL will
test for feasible successors. If there are feasible successors, DUAL will use them in order to avoid
unnecessary recomputation.
EIGRP updates contain five metrics: minimum bandwidth, delay, load, reliability, and MTU. Of these five
metrics, by default, only minimum bandwidth and delay are used to compute the best path. Unlike most
metrics, minimum bandwidth is set to the minimum bandwidth of the entire path, and it does not reflect how
many hops or low-bandwidth links are in the path. Delay is a cumulative value that increases by the delay
value of each segment in the path.
EIGRP for IPv6, like EIGRP for IPv4, is able to do load balancing. Load balancing is the capability of a
router to distribute traffic over all the router network ports that are within the same distance from the
destination address. Load balancing increases the utilization of network segments and this way increases
effective network bandwidth. There are two types of load balancing:
• Equal-cost path: Applicable when different paths to a destination network report the same routing
metric value.
• Unequal-cost path: Applicable when different paths to a destination network report different routing
metric values.
When a router discovers a new neighbor, it records the neighbor address and interface as an entry in the
neighbor table. One neighbor table exists for each protocol-dependent module. When a neighbor sends a
hello packet, it advertises a hold time, which is the time that a router treats a neighbor as reachable and
operational. If a hello packet is not received within the hold time, the hold time expires and DUAL is
informed of the topology change.
The topology table contains all destinations that are advertised by the neighboring routers. Each entry in the
topology table includes the destination address and a list of neighbors that have advertised the destination.
For each neighbor, the entry records the advertised metric, which the neighbor stores in its routing table. An
important rule that distance vector protocols must follow is that if the neighbor advertises this destination,
the neighbor must use the route to forward packets.
Discovery 13: Configure and Verify EIGRP for
IPv6
Introduction
This discovery will guide you through the configuration and verification of EIGRP for IPv6 on an IOS
router. The virtual lab is prepared with the devices that are represented in the topology diagram and the
connectivity table. All devices have their basic configurations in place, including hostnames and IP
addresses. Both IPv4 and IPv6 are configured in this dual-stack environment. R2 and R3 are also configured
with EIGRP for IPv6 using the autonomous system number 100. In this discovery, you will configure
EIGRP for IPv6 on R1 and verify the results.
Topology
Job Aid

• EIGRP for IPv6 is configured on R2 and R3:
Device Information
Device Details
Device Interface IPv4 Address IPv6 Address Neighbor
R1 Ethernet0/0 10.10.1.1/24 2001:DB8:0:1::2/64 R2
R1 Loopback0 10.10.11.1/24 2001:DB8:0:11::1/64 —
R2 Ethernet0/0 10.10.1.2/24 2001:DB8:0:1::1/64 R1
R2 Ethernet0/1 10.10.2.1/24 2001:DB8:0:2::1/64 R3
R2 Loopback0 10.10.12.1/24 2001:DB8:0:12::1/64 —
R3 Ethernet0/0 10.10.2.2/24 2001:DB8:0:2::2/64 R2
Device Interface IPv4 Address IPv6 Address Neighbor
R3 Loopback0 10.10.13.1/24 2001:DB8:0:13::1/64 —
Task 1: Configure and Verify EIGRP for IPv6

Activity
Access the console of R2 and display EIGRP for IPv6-related configuration.
R2# show running-config

ipv6 unicast-routing
interface Loopback0
ip address 10.10.12.1 255.255.255.0
ipv6 address 2001:DB8:0:12::1/64
ipv6 eigrp 100
!
ip address 10.10.1.2 255.255.255.0
ipv6 address 2001:DB8:0:1::1/64
ipv6 eigrp 100
!
!
ip address 10.10.2.1 255.255.255.0
ipv6 address 2001:DB8:0:2::1/64
ipv6 eigrp 100
!
ipv6 router eigrp 100
You should see that these configuration parts are preconfigured:

• IPv6 routing is globally enabled.
• EIGRP for IPv6 is enabled with AS 100 on interfaces Ethernet0/0 (towards router R1),
Ethernet0/1 (towards router R3), and on Loopback0.
Access the console of R3 and display EIGRP for IPv6-related configuration.
R3# show running-config

ipv6 unicast-routing
interface Loopback0
ip address 10.10.13.1 255.255.255.0
ipv6 address 2001:DB8:0:13::1/64
ipv6 eigrp 100
!
ip address 10.10.2.2 255.255.255.0
ipv6 address 2001:DB8:0:2::2/64
ipv6 eigrp 100
!
ipv6 router eigrp 100
You should see that these configuration parts are preconfigured:

• IPv6 routing is globally enabled.
• EIGRP for IPv6 is enabled with AS 100 on interfaces Ethernet0/0 (towards router R2), and
on Loopback0.
Configuring EIGRP for IPv6
Command Description
ipv6 unicast-routing By default, IPv6 traffic forwarding is disabled. This command enables it.
Command Description
ipv6 router eigrp as-number To place the router in the router configuration mode, create an EIGRP routing
process in IPv6, configure this process, and use the ipv6 router eigrp
command in the global configuration mode.
no shutdown EIGRP for IPv6 has a shutdown feature. The routing process should be in the
no shutdown mode in order to start running. The default behavior is different
between Cisco IOS Software versions.
[no] ipv6 eigrp as-number To enable EIGRP for IPv6 on a specified interface, use the ipv6 eigrp
command in the interface configuration mode. To disable EIGRP for IPv6, use
the no form of this command.
These commands are some common configuration commands for EIGRP for IPv6. The syntax for these
commands is similar, if not identical, to their IPv4 counterparts.
Access the console of R1 and enable IPv6 unicast routing on R1.
R1# conf t
R1(config)# ipv6 unicast-routing
Enable EIGRP for IPv6 on AS 100 for R1.
R1(config)# ipv6 router eigrp 100

R1(config-rtr)# exit
To activate AS 100, you must execute the ipv6 router eigrp 100 configuration command. By
default, this command defines the AS and enables it.
Assign both the Ethernet0/0 and Loopback0 interfaces to AS 100.

R1(config-if)# ipv6 eigrp 100
R1(config-if)# exit*Oct 8 08:43:50.642: %DUAL-5-NBRCHANGE: EIGRP-IPv6 100:
Neighbor FE80::A8BB:CCFF:FE00:3C00 (Ethernet0/0) is up: new adjacency
R1(config)# interface Loopback0
R1(config-if)# end
As soon as EIGRP for IPv6 was enabled on Ethernet0/0, a syslog message indicated the
formation of a new neighbor relationship.
Verifying EIGRP for IPv6
The three show commands that are listed have the same role that they have in EIGRP for IPv4.
To display entries in the EIGRP for IPv6 topology table, use the show ipv6 eigrp topology command in
privileged EXEC mode.
To display the neighbors that are discovered by EIGRP for IPv6, use the show ipv6 eigrp neighbors
command.
The show ipv6 route eigrp command shows the content of the IPv6 routing table that includes the routes
specific to EIGRP.
Display the IPv6 EIGRP neighbors for R1.
R2 is an EIGRP IPv6 neighbor of R1 on interface Ethernet0/0.
R1# show ipv6 eigrp neighbors

Seq
(sec) (ms) Cnt
Num
0 Link-local address: Et0/0 14 00:01:39 17 102 0
8
FE80::A8BB:CCFF:FE00:3C00
Note: The link local IPv6 address in your output may be different.
Display the IPv6 routing table on R1 for networks learned through EIGRP.
R1 should learn about the network between R2 and R3 as well as the two networks that are
associated with the Loopback interfaces on R2 and R3.
R1# show ipv6 route eigrp

D 2001:DB8:0:2::/64 [90/307200]
via FE80::A8BB:CCFF:FE00:3C00, Ethernet0/0
D 2001:DB8:0:12::/64 [90/409600]
D 2001:DB8:0:13::/64 [90/435200]
Note: The link local IPv6 addresses in your output may be different.
Display the topology table on R1 for EIGRP IPv6 and verify entries.
R1 should learn about the network between R2 and R3 as well as the two networks that are
associated with the Loopback interfaces on R2 and R3.
R1# show ipv6 eigrp topology

P 2001:DB8:0:2::/64, 1 successors, FD is 307200

via FE80::A8BB:CCFF:FE00:3C00 (307200/281600), Ethernet0/0
There should be five networks in the EIGRP topology table. There is the network between R1
and R2, the network between R2 and R3, and the three networks that are associated with the
three loopback interfaces on the routers.
Note: The link local IPv6 addresses in your output may be different.
Self Check
Which multicast address does EIGRP for IPv6 use?

A. FF01::2
B. FF01::10
C. FF02::5
D. FF02::A
E. EIGRP for IPv6 does not use multicast addressing
Which of the following is a feature of IPv4 EIGRP but not IPv6 EIGRP?
A. includes a shutdown feature
B. uses DUAL
C. scalable to large networks
D. requires a network statement
Which command can turn off EIGRP for the IPv6 routing process?
A. enable
B. enable router
C. shutdown
D. enable router shutdown
Match the following:
ipv6 router
eigrp enables IPv6 routing
places the router in router configuration mode and creates and
no shutdown configures an EIGRP routing process in IPv6
ipv6 unicast-
routing enables EIGRP for the IPv6 routing process
ipv6 eigrp enables EIGRP for IPv6 on a specified interface
Which of the following commands shows the content of the IPv6 routing table that includes the routes
that are specific to EIGRP.
A. show ipv6 route
B. show ipv6 eigrp topology
C. show ipv6 eigrp neighbors
D. show ipv6 route eigrp
Which command produced the configuration output that is shown?

P 2001:DB8:D1A5:C900::/64, 1 successors, FD is 28160

via connected, GigabitEthernet0/165
P 2001:DB8:AC10:100::/64, 1 successors, FD is 156160
via FE80::FE99:47FF:FEE5:2671 (156160/128256), GigabitEthernet0/1
A. show ipv6 eigrp interfaces

B. show ipv6 eigrp neighbors
C. show ipv6 eigrp topology
D. show ipv6 route eigrp
By default, which two metrics does EIGRP use to compute the best path? (Choose two.)
A. minimum bandwidth
B. reliability
C. delay
D. load
E. MTU
Answer Key
Self Check
1. D
2. D
3. C
4.
ipv6 unicast-routing enables IPv6 routing
ipv6 router eigrp places the router in router configuration mode and creates
and configures an EIGRP routing process in IPv6
no shutdown enables EIGRP for the IPv6 routing process
ipv6 eigrp enables EIGRP for IPv6 on a specified interface
5. D
6. C
7. A, C
EIGRP
Overview
Two different customers have called CCS with complaints about the loss of network connectivity since
EIGRP has been implemented. Trouble tickets have been created for both customers. Bob has assigned the
trouble tickets to you.
Troubleshooting EIGRP Issues
You have just finished configuring EIGRP, and you tested connectivity to a remote network with a ping, but
the ping failed. As you begin to troubleshoot the situation, keep in mind that EIGRP problems usually fall
into one of the following categories:
• Neighbor adjacency issues
• Routing issues
When you encounter an EIGRP problem, first use the show ip eigrp neighbors command to check for
neighbor adjacency issues.
The following issues can prevent neighbor adjacencies from being established:
• The interface between the devices is down.
• The routers have mismatching EIGRP autonomous systems.
• The EIGRP process is not enabled on one of the interfaces that connects the devices.
• One of the interfaces that connects the devices is configured as a passive interface.
Aside from these issues, there are several other, more advanced issues that can cause neighbor relationships
to not be formed. For example, mismatched K values can prevent neighbor relationships from being formed.
When you have eliminated EIGRP neighbor relationship issues as the cause of the problem, check to see if
there is a routing problem. In the example in the next figure, the pings from the network 172.16.1.0 to the
hosts on 10.2.2.0 or 172.16.2.0 will fail because router A does not have routes to those networks.
Issues that may prevent a routing table from learning the appropriate routes from EIGRP include the
following:
• Networks are not being advertised on remote routers.
• An access list is blocking advertisements of remote networks.
• Automatic route summarization is causing confusion in your discontiguous network.
Although there are also debug commands that provide excellent diagnostic information, you should use the
debug commands with caution. In general, it is recommended that you use these commands only under the
direction of your router technical support representative when you are troubleshooting specific problems.
Troubleshooting EIGRP Neighbor Issues
If the output of the show ip eigrp neighbors command indicates that neighbor relationships are not being
formed after you configure EIGRP, your next troubleshooting step, of course, is to determine what is
preventing these adjacencies from forming.
A prerequisite for the establishment of neighbor adjacencies is the OSI Layer 3 connectivity, so you want to
perform basic connectivity troubleshooting steps on the link between router B and router C, starting at the
physical layer.
Are All Interface Statuses "Up/Up"?
Use the show ip interface brief command to make sure that the interfaces that connect the two routers are
"up."
When EIGRP is configured, you may receive a "not on common subnet" message on your router console.
This message indicates that there is an incorrect IP address on one of the EIGRP neighbor interfaces. For a
neighbor adjacency to be formed between two routers, the interfaces that connect the routers must be on
the same subnet.
Is There an AS Mismatch?
Another prerequisite for the establishment of neighbor adjacencies is the matching of AS numbers. You
could use the show ip protocols command to determine whether the routers have the same AS number. This
command displays the name and AS number of the currently running routing protocol.
To correct a mismatched AS number situation, do the following commands to reconfigure the router that has
the wrong AS number:
• Remove the old EIGRP routing process that has wrong AS number.
• Enable the EIGRP routing process with the correct AS number.
• Include the networks into the newly created EIGRP process.
The example above should be corrected in the following manner:

RouterA(config)# no router eigrp 11
RouterA(config)# router eigrp 1
RouterA(config-router)# network 10.1.1.0
RouterA(config-router)# network 172.16.1.0
Is EIGRP Enabled on the Interface?
The "Routing for Networks" section of the show ip protocols command output indicates which networks
have been configured. Any interfaces in those networks participate in EIGRP.
RouterB# show ip protocols
EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
EIGRP maximum hopcount 100
EIGRP maximum metric variance 1
Redistributing: eigrp 11
Maximum path: 4
Routing for Networks:10.1.1.010.2.2.0
(this router) 90 00:01:08
10.2.2.2 90 00:01:08
As shown in the command output above, you can also use the show ip protocols command to verify the
"K" values that are being used in EIGRP metric calculations.
Neighbor adjacencies will be established between two routers only if the connecting interfaces on the two
routers are enabled for the EIGRP process. You can use the show ip eigrp interfaces command to
determine on which interfaces EIGRP is enabled and to learn the information about EIGRP relating to those
interfaces. If an interface is not listed in the output of this command, the router is not using EIGRP on that
interface.
The table further explains the output of the show ip eigrp interfaces command.
Parameter Description
AS(1) The AS number that is specified with the router command
Interface The interface over which EIGRP is configured
Peers The number of directly connected EIGRP neighbors on the interface
Xmit Queue The number of packets remaining in the Unreliable and Reliable queues
Unreliable and
Reliable
Mean SRTT The average SRTT interval (in milliseconds) for all the neighbors on the interface
Pacing Time The number of milliseconds to wait after transmitting unreliable and reliable packets
Unreliable and
Reliable
Multicast Flow The number of milliseconds to wait for acknowledgment of a multicast packet by all the neighbors
Timer before transmitting the next multicast packet
Pending Routes The number of routes in the packets in the transmit queue that are waiting to be sent
To correct a situation in which an interface that should be enabled for EIGRP is not enabled for EIGRP, use
the network command. This command, which is configured under the EIGRP routing process, specifies
which networks will participate in the EIGRP process. Only the interfaces that fall within the range of
addresses that are defined by the network entries will participate in the EIGRP process.
Is Passive Interface Configured?

Another situation in which neighbor adjacencies may fail to form occurs when an interface that should form
a neighbor adjacency is configured as passive. You can use the passive-interface command in an EIGRP
configuration to specify that certain interfaces are passive. This result means that those interfaces will not
send or receive hello packets and will not form neighbor adjacencies. To determine whether any interface on
a router is configured as passive, use the show ip protocols command.
To return an interface to a nonpassive state, use the no passive-interface command.
Is Access List Blocking Route Advertisements?
However, if the desired routes still do not appear in the routing tables, an access-list configured on an
interface could be blocking EIGRP route advertisements.
To block EIGRP traffic, you can configure an access-list, blocking this type of the traffic and apply it on the
interface in desired direction. If you applied the access-list on the interface only in one direction, the
neighborship will be flapping between those two routers, since EIGPR traffic will be blocked only in one
direction.
The show ip access-list and show ip interface interface slot/number commands will give you this
information. In the next figure, the output of these two commands indicates that an outgoing access-list has
been set on the RouterB. The access-list is set on the interface FastEthernet0/1 in the outgoing direction and
is blocking all EGIRP traffic.
Troubleshooting EIGRP Routing Table Issues
Consider this scenario. Router A and router B have established a neighbor adjacency. Router B has also
established a neighbor adjacency with router C. However, a ping test from router A to a host in the
172.16.2.0/24 network is still not successful. You issue the show ip route command on router A and notice
that router A has no route to the destination network of 172.16.2.0/24.
You issue the same command on router B and discover that the router is missing the route to 172.16.2.0.
Are All Required EIGRP Networks Being Advertised?
In this situation, it is a good idea to use the show ip protocols command to determine the reason for the
missing routes. This command will tell you whether the 172.16.2.0/24 network is being advertised by its
directly connected router, which is router C. The figure shows that, in this example, router C is not
advertising the network 172.16.2.0/24 to its EIGRP neighbors.
After you use the network command in the router configuration mode to configure router C to advertise this
network, issue the show ip protocols command again on router C to verify that the network 172.16.2.0 is
now included in the EIGRP process. Then use the show ip route command on router A and router B to
confirm that they now have routes to the 172.16.2.0 network. If the routes exist in the routing tables on these
routers, all is well.
Is There a Discontiguous Network?
Now consider a different scenario. In the figure, the networks 10.1.1.0 and 10.2.2.0 separate the subnets of
the network 172.16.0.0/16: 172.16.1.0/24 and 172.16.2.0/24. The automatic route summarization feature of
the EIGRP routing process summarizes the routes on the network number boundaries. Both router A and
router B summarized the subnets to the 172.16.0.0/16 classful boundary. As shown in the example, router B
is not receiving individual routes for the 172.16.1.0/24 and 172.16.2.0/24 subnets. The result is that router B
has two routes to 172.16.0.0/16 in the routing table, which can result in an inaccurate routing and packet
loss. This issue is referred to as a discontiguous network issue. A discontiguous network comprises a major
network that is separated by another major network. You can address this issue by disabling the auto-
summarization feature under the EIGRP process.
Automatic route summarization (causing a discontiguous network issue) is enabled by default in the Cisco
IOS Software before Release 15 (for example, Cisco IOS Release 12). In this case, you would have to use
the no auto-summary command. If you are using Cisco IOS Software Release 15 or later, you do not need
to use the no auto-summary command to disable automatic route summarization. Automatic route
summarization is disabled by default in Cisco IOS Software Releases 15 or later.
To solve the discontiguous network issue, make sure that all the routers in the figure, that have interfaces
connected to multiple different classful networks have the automatic route summarization option disabled
(the no auto-summary command).
You can verify, if route summarization is enabled, using the show ip protocols command.
RouterB# show ip protocols


Maximum path: 4
10.0.0.0
10.1.1.1 90 00:00:31
10.2.2.2 90 00:00:29
Troubleshooting EIGRP for IPv6 Issues
Configuring EIGRP for IPv6 is very similar to configuring EIGRP for IPv4. The main difference is that
EIGRP is enabled on the interface for IPv6 with the ipv6 eigrp as-number command. Therefore,
troubleshooting EIGRP for IPv6 is very similar to troubleshooting EIGRP for IPv4.
To check the IPv6 routing protocols on the router, use the show ipv6 protocols command. The output will
show the IPv6 routing protocols that are enabled on the router. The EIGRP section shows metric weights,
router ID, EIGRP interfaces, redistribution information, and so on.
To display the neighbors that are discovered by EIGRP for IPv6, use the show ipv6 eigrp neighbors
command.
The show ipv6 route eigrp command shows the content of the IPv6 routing table that includes the routes
that are specific to EIGRP.
To verify the topology table, use the show ipv6 eigrp topology command. You can see all routing updates
that the router received, with AD and FD information, next-hop, and so on.
There are also other things to check, that are not directly related to EIGRP configuration. To check whether
IPv6 addresses have been assigned on the interfaces, use the show ipv6 interface brief. To verify if there
are any access-lists configured, use show ipv6 access-lists command.
Discovery 14: Troubleshoot EIGRP
Introduction
This discovery will guide you through the troubleshooting of various EIGRP configuration issues. The
virtual lab is prepared with the devices that are represented in the topology diagram and the "Device
Information" table. All devices have their basic configurations in place, including hostnames and IP
addresses. EIGRP AS 10 has been configured on all seven routers, but there are problems with the router
configurations. Each router has a loopback interface with the IP address 192.168.R.1/24 (where R is the
router number). The routing table on R1 is missing routes to the loopback interface networks for each of its
peers. In this discovery, you will troubleshoot and fix the problems that are associated with the routing of
each of these networks.
You will start with the R2 loopback network and proceed one at a time, finishing with R7, which is also
configured for EIGRP IPv6 routing. In each case, you will first determine the root cause. You will then fix
the issue and verify that the route is properly defined in the routing table of R1.
Topology
Job Aid

• All devices have their basic configurations in place including hostnames, and IP addresses. R1 and R7
also have IPv6 addresses configured.
• EIGRP AS 10 has been configured on all seven routers, but there are problems with the router
configurations.
– The routing table on R1 is missing routes to the loopback interface networks for each of its peers.
• R1 and R7 are also configured for EIGRP IPv6 routing, using AS 10.
Device Information
Device Details
R1 Loopback0 — 192.168.1.1/24
R1 Ethernet1/0 R2 10.1.1.1/30
R1 Loopback0 — 2001:DB8:0:1::1/64
R1 Ethernet2/2 R7 2001:DB8:0:2::1/64
R1 Ethernet1/1 R3 10.1.1.5/30
R1 Ethernet1/2 R4 10.1.1.9/30
R1 Ethernet2/0 R5 10.1.1.13/30
R1 Ethernet2/1 R6 10.1.1.17/30
R1 Ethernet2/2 R7 10.1.1.21/30
R2 Ethernet2/0 R1 10.1.1.2/30
R2 Loopback0 — 192.168.2.1/24
R3 Ethernet2/0 R1 10.1.1.6/30
R3 Loopback0 — 192.168.3.1/24
R4 Ethernet2/0 R1 10.1.1.10/30
R4 Loopback0 — 192.168.4.1/24
R5 Ethernet1/0 R1 10.1.1.14/30
R5 Loopback0 — 192.168.5.1/24
R6 Ethernet1/0 R1 10.1.1.18/30
R6 Loopback0 — 192.168.6.1/24
R7 Ethernet1/0 R1 10.1.1.22/30
R7 Loopback0 — 192.168.7.1/24
R7 Ethernet1/0 R1 2001:DB8:0:2::7/64
R7 Loopback0 — 2001:DB8:0:7::1/64
Task 1: Troubleshoot EIGRP

Activity
The network 192.168.2.0/24 does not exist in the routing table of R1. This network is associated
with the Loopback0 interface of R2. Try to determine the root cause for this issue.
Note: There is no single best procedure for troubleshooting any network issue. The goal is to
isolate the root cause. One strategy is to work from the application layer down. If there are
aspects of the application that are working, it implies that there must be IP connectivity and link
layer connectivity below the application. If the application does not function, check the IP
connectivity next.
You might use the following commands on R1 and observe these results:
• show ip eigrp neighbor—R2 (10.1.1.2) is not in the EIGRP neighbor table.
• show ip interface brief—The interface Ethernet1/0 is "up/up."
• ping 10.1.1.2—R2 responds to the ping.
These results indicate that there is Layer 2 and Layer 3 connectivity, but there is an issue with
EIGRP communication.
On R2, virtually all show commands that are associated with EIGRP will provide the hint. The
AS number 10 is used across the network, but R2 is configured with AS 100.




You can see the root cause in the configuration.

router eigrp 100
network 10.0.0.0
network 192.168.2.0
With the root cause determined, fix the problem and verify that the route to 192.168.2.0/24 now
exists in the routing table of R1.
Enter the following configuration on the R2 router:
R2# conf t
R2(config)# no router eigrp 100
(Ethernet2/0) is up: new adjacencyR2(config-router)# network 192.168.2.0
The neighbor adjacency is initiated when the network 10.0.0.0 is enabled under the EIGRP AS
10.
R1# show ip route 192.168.2.0
Routing entry for 192.168.2.0/24
Known via "eigrp 10", distance 90, metric 409600, type internal
Redistributing via eigrp 10
Last update from 10.1.1.2 on Ethernet1/0, 00:03:31 ago
Routing Descriptor Blocks:
* 10.1.1.2, from 10.1.1.2, 00:03:31 ago, via Ethernet1/0
Route metric is 409600, traffic share count is 1
Total delay is 6000 microseconds, minimum bandwidth is 10000 Kbit
Reliability 255/255, minimum MTU 1500 bytes
Loading 1/255, Hops 1
R1# show ip route eigrp

D 192.168.2.0/24 [90/409600] via 10.1.1.2, 00:03:49, Ethernet1/0
• ping 10.1.1.6—R3 responds to a ping from R1.
• show ip eigrp interfaces—Only Loopback0 is included (Ethernet2/0 is missing).
• show ip protocols—Only the network for Loopback0 is included (10.0.0.0 is missing).

ticast Pending
Interface Peers Un/Reliable Un/Reliable SRTT Un/Reliable w
Timer Routes
Lo0 0 0/0 0/0 0 0/0 0
0


Router-ID: 192.168.3.1
Topology : 0 (base)
Active Timer: 3 min
Maximum path: 4

Maximum path: 4
192.168.3.0
EIGRP must include 10.1.1.6 (the IP address for Ethernet2/0) among its routed networks.

router eigrp 10
network 192.168.3.0
R3# conf t
The neighbor relationship is initiated between R3 and R1 when the missing network statement is
added to the configuration.


D 192.168.3.0/24 [90/409600] via 10.1.1.6, 00:01:38, Ethernet1/1
• ping 10.1.1.10—R4 does not respond to the ping.
These results indicate that there is no connectivity between R1 and R4, leading to problems with
EIGRP on top of IP.
If your exploration on R1 indicates a Layer 2 problem, you might start with looking at Layer 2
on R4 with the show ip interface brief command. The output shows that the interface
Ethernet2/0 is administratively down. "Administratively down" indicates that the interface is
shut down in the running configuration. In real-life situations, Layer 2 problems are more likely
caused by a cable issue, a faulty interface, or a faulty piece of equipment in the path to the
service provider. In the virtual lab environment, administratively shutting down interfaces is the
only reliable way to implement a Layer 2 problem.

Protocol
Ethernet2/0 10.1.1.10 YES manual administratively down
down
You can see the root cause can be seen in the configuration.


!
ip address 10.1.1.10 255.255.255.252
shutdown
end
R4# conf t
R4(config-if)#
*Oct 14 07:49:23.416: %LINK-3-UPDOWN: Interface Ethernet2/0, changed state to
up
R4(config-if)# end
After the interface is enabled, an EIGRP neighbor relationship gets formed between R4 and R1.


D 192.168.4.0/24 [90/409600] via 10.1.1.10, 00:00:44, Ethernet1/2
with the Loopback0 interface with R5. Try to determine the root cause for this issue.
• show ip eigrp neighbor—R5 (10.1.1.14) is in the EIGRP neighbor table.
From this situation, apparently EIGRP is working between R1 and R5, so IP and the data link
layers must be working as well. Why is R5 not advertising 192.168.5.0/24?
• show ip eigrp neighbor—R1 (10.1.1.13) is in the neighbor table.
• show ip eigrp interfaces—Only Ethernet1/0 is in the interface table.
• show ip protocols—EIGRP is routing only for network 10.0.0.0, not the network of
Loopback0 interface.
Seq
(sec) (ms) Cnt
Num
0 10.1.1.13Et1/0 13 21:03:06 421 2526 0 17

Multicast Pending
Flow Timer Routes
Et1/0 1 0/0 0/0 421 0/2
2616 0


Router-ID: 192.168.5.1
Topology : 0 (base)
Active Timer: 3 min
Maximum path: 4

Maximum path: 4
10.0.0.0
10.1.1.13 90 00:14:59
You can see the root cause in the configuration. Including the network 10.0.0.0 will allow
EIGRP to run on Ethernet1/0. Hence R1 and R5 are neighbors, and R5 can learn routes from R1.
But missing the network 192.168.5.0 prevents R5 from advertising that route to R1.

router eigrp 10
network 10.0.0.0
R5# conf t
R5#
The neighbor relationship was already functional between R1 and R5, so there was no syslog
message to indicate any changes in EIGRP. Before verifying routes on R1, it makes sense to
verify that the Loopback0 interface is now included among the EIGRP interfaces on R5.

Multicast Pending
Flow Timer Routes
Et1/0 1 0/0 0/0 336 0/2
1684 0
Lo0


D 192.168.5.0/24 [90/409600] via 10.1.1.14, 00:03:10, Ethernet2/0
• show ip eigrp neighbor—R1 is not in the EIGRP neighbor table of R6.
• show ip eigrp interfaces—Only Loopback0 is in the interface table.
• show ip protocols—The interface that is linking R6 to R1 (Ethernet1/0) is configured as a
passive interface.

Multicast Pending
Flow Timer Routes
Lo0 0 0/0 0/0 0 0/0
0 0


Router-ID: 192.168.6.1
Topology : 0 (base)
Active Timer: 3 min
Maximum path: 4

Maximum path: 4
10.0.0.0
192.168.6.0
Passive Interface(s):
Ethernet1/0
There is a lot of information in the output of the show ip protocols command. It is probably the
single best command for providing troubleshooting information for dynamic routing protocols.
The downside is that it can be difficult to pick out the one piece of inconsistency in the large
amount of output. You develop this skill through experience.

router eigrp 10
network 10.0.0.0
network 192.168.6.0
passive-interface Ethernet1/0
R6# conf z
R6(config-router)# no passive-interface Ethernet1/0
R6(config-router)#
R6#
The neighbor relationship between R6 and R1 was initiated when the passive-interface
statement was removed from the running configuration.


D 192.168.6.0/24 [90/409600] via 10.1.1.18, 00:03:31, Ethernet2/1
The EIGRP IPv6 neighbor relationship is not established between R1 and R7. Try to determine
the root cause for this issue.
• show ipv6 eigrp neighbor—R7 (outgoing interface Ethernet2/2) is not in the EIGRP
neighbor table.
• show ipv6 interface brief—The interface Ethernet2/2 is "up/up."
• ping 2001:DB8:0:2::7—R7 responds to the ping.
On R7, virtually all the show commands that are associated with EIGRP will provide the hint.
The AS number 10 is used across the network, but R7 is configured with AS 100.
R7# show ipv6 protocols
IPv6 Routing Protocol is "connected"
IPv6 Routing Protocol is "ND"
IPv6 Routing Protocol is "eigrp 100"
R7# show ipv6 eigrp interfaces

Multicast Pending
Flow Timer Routes
Et1/0 0 0/0 0/0 0 0/0
0 0

R7# show running-config | section ipv6 eigrp

ipv6 eigrp 100

!
ip address 10.1.1.22 255.255.255.252
ipv6 address 2001:DB8:0:2::7/64
ipv6 eigrp 100
end
With the root cause determined, fix the problem and verify that EIGRP for IPv6 neighbor
relationship now exists between R1 and R7 routers.
R7# conf t
R7(config)# no ipv6 router eigrp 100
R7(config-if)# no ipv6 eigrp 100
*Oct 15 08:10:09.874: %DUAL-5-NBRCHANGE: EIGRP-IPv6 10: Neighbor
FE80::A8BB:CCFF:FE00:2322 (Ethernet1/0) is up: new adjacencyR2(config-if)# end
The neighbor adjacency is initiated when EIGRP AS gets changed from 100 to 10 on R7.
Seq
(sec) (ms) Cnt
Num
0 Link-local address: Et2/2 12 00:03:26 14 100 0
2
FE80::A8BB:CCFF:FE00:2E01
Note: The link local IPv6 address may be different in your output.
The network 2001:DB8:0:7::/64 still does not exist in the IPv6 routing table of R1. This network
is associated with the Loopback0 interface of R7. Try to determine the root cause for this issue.
There is no single best procedure for troubleshooting any network issues. The goal is to isolate
the root cause.
• show ipv6 eigrp interfaces—Only the interface Ethernet1/0 is included (Loopback0 is
missing).
• show ipv6 protocols—Only the interface Ethernet1/0 is included (Loopback0 is missing).
R7# show ipv6 eigrp interfaces

Multicast Pending
Flow Timer Routes
Et1/0 1 0/0 0/0 8 0/2
50 0

IPv6 Routing Protocol is "eigrp 10"
Router-ID: 192.168.7.1
Topology : 0 (base)
Active Timer: 3 min
Maximum path: 16
Interfaces:
Ethernet1/0
Redistribution:
None
You need to add interface Loopback0 to EIGRP IPv6 process.

R7# show running-config interface Loopback0
interface Loopback0
description Logical loopback interface
ip address 192.168.7.1 255.255.255.0
ipv6 address 2001:DB8:0:7::1/64
end
With the root cause determined, fix the problem and verify that the route to 2001:DB8:0:7::/64
now exists in the IPv6 routing table of R1.
R7# conf t
The route to 2001:DB8:0:7::/64 now exists in the IPv6 routing table of R1.
R1# show ipv6 route eigrp

D 2001:DB8:0:7::/64 [90/409600]
via FE80::A8BB:CCFF:FE00:2E01, Ethernet2/2
Note: The link local IPv6 address may be different in your output.
Self Check
Which command can determine whether two routers have formed an EIGRP IPv6 neighbor adjacency?
A. show ipv6 eigrp interface
B. show ipv6 eigrp neighbor
C. show cdp neighbor
D. show ipv6 eigrp traffic
Refer to the figure. PC1 is unable to communicate with PC2. Which action could correct this problem?
A. Issue the no auto-summary command on router A.

B. Add the network statement network 172.16.1.0 0.0.0.255 to router A.
C. Remove the passive-interface command from router B.
D. Change the AS number on router A to 10.
Refer to the figure. You configured EIGRP on your network, and you determined that all routers have
formed neighbor adjacencies as expected. However, you still cannot access PC2 from PC1. Which two
commands should you use next to troubleshoot this issue? (Choose two.)
A. show ip eigrp neighbors

B. show ip route
D. show ip eigrp traffic
Which of the following will not allow EIGRP neighbors to be formed ? (Choose two)
A. K value mismatch
B. Auto summary enabled
C. Access-list denying multicast on interface forming EIGRP neighbors
D. Enabling load-balancing using variance command in EIGRP process.
Which command should you use to determine the hello and hold timers for the EIGRP neighbors?
A. Show ip eigrp interface
B. Show ip eigrp interface detail
C. show ip eigrp neighbor
D. show ip eigrp neighbor detail
What could be the reason for the following error message in EIGRP ?
IP-EIGRP: Neighbor ip address not on common subnet for interface
A. The network command is misconfigured in EIGRP process.

B. The AS numbers in EIGRP don't match.
C. The interface has been made passive in EIGRP.
D. The IP address has been misconfigured on interfaces.
From the show output below, is auto summarization disabled ?


Router-ID: 172.16.1.1
Topology : 0 (base)
Active Timer: 3 min
Maximum path: 4

Maximum path: 4
A. Yes
B. No
Answer Key
Self Check
1. B
2. D
3. B, C
4. A, C
5. B
6. D
7. A
Module 4: Summary
Challenge
Introduction
This is a Summary Challenge Module. It consists of two lessons on Implementing and Troubleshooting
Scalable medium-Sized Network. These lessons will test your skills on various topics covered in the course.
Each lesson consists of self-check questions and lab.
Lesson 1: Implementing and
Troubleshooting Scalable
Medium-Sized Network -1
Overview
In this lesson, there is a Proof Of Concept lab that has been designed to test your skills on implementation
and troubleshooting of a medium-sized network. You need to implement and troubleshoot the issues in the
given lab.
Self Check
Which of the following commands will you use to check if the interface has been configured as trunk?
(Choose two)
A. show ip interface brief
B. show vlan
C. show interface interface-IDswitchport
D. show interface trunk
DTP is Cisco proprietary protocol. True or False ?

A. True
B. False
Which of the following VTP modes allows VLAN configuration changes but does not propagate it to
other switches in the VTP domain ?
A. Transparent
B. Client
C. Server
D. None of the above.
The IPv4 access-list that you create end with what is called the "implicit" deny all. Is this statement true
or false.
A. True
B. False
Which of the following is an Etherchannel feature ?

A. Load sharing across links.
B. Redundancy.
C. Higher bandwidth
D. All the above.
You see the following error message when you enable IPv6 EIGRP routing. Which of the following will
fix the issue?

% IPv6 routing not enabled
R1(config)#
A. Enable IPv6 EIGRP on the interface.

B. Enable IPv6 CEF.
C. Enable IPv6 unicast routing first.
D. It is an IOS-related issue and you need to upgrade the IOS.
EIGRP does not support unequal-cost load balancing by default. True or False.
A. True
B. False
Answer Key
Self Check
1. C, D
2. A
3. A
4. A
5. D
6. C
7. A
Medium-Sized Network -2
Overview
You work for DENTIC Networking. Your colleague, Andy did some maintenance on the network over the
weekend and now, they are seeing some issues. You need to troubleshoot and resolve the network issues.
Self Check
Which of the following table is not used for route selection in EIGRP ?
A. EIGRP Neighbor Table
B. EIGRP Topology Table
C. EIGRP Interface Table
D. EIGRP Route Table
You are assigning VLANs to the ports of a switch. What VLAN number value is assigned to a port by
default ?
A. VLAN 1023
B. VLAN 99
C. No VLANs
D. VLAN 1
Which of the following two statements are true about default HSRP configuration? (Choose two)
A. The Standby priority is 100.
B. The Standby hello time is 2 seconds.
C. Two HSRP groups are configured.
D. Standby group number is 1.
E. The Standby hold time is 10 seconds
Which of the following is true about VLANs in a network ?

A. End hosts use DHCP to request their VLAN.
B. End hosts are unaware of any VLANs.
C. End hosts are assigned to VLANs based on their MAC addresses.
D. End hosts are all in the same VLAN regardless of which port they attach to.
Which two states are the port states when RSTP has converged? (Choose two)
A. Blocking
B. Learning
C. Disabled
D. Forwarding
Which of the following is true about source port used in SPAN ? (Choose two)
A. It can be a destination port as well for SPAN.
B. It can be any port type, such as EtherChannel, Fast Ethernet, Gigabit Ethernet and so on.
C. All source ports can only be configured for ingress traffic.
D. Source ports can be in the same or different VLANs.
Which three components are combined to form STP bridge ID?
A. Bridge Priority
B. MAC address
C. Port Cost
D. Extended System ID
E. Port ID
Answer Key
Self Check
1. C
2. D
3. A, E
4. B
5. A, D
6. B, D
7. A, B, D
Module 5: Implement a
Scalable OSPF-Based
Solution
Introduction
This module examines OSPF, which is one of the most commonly used IGPs in IP networking. OSPF is a
complex protocol, and therefore configuration and verification of OSPF on a Cisco router is the primary
learning objective.
The module discusses the primary configuration commands for a multiarea OSPF and explains the benefits
of a multiarea OSPF solution compared to a single-area solution. Specifically, it covers link-state protocols,
OSPF components, the OSPF metric, the way in which OSPF operates, and how to configure multiarea
OSPF. This module also describes several OSPF show commands for verification purposes.
Lesson 1: OSPF Overview
Overview
Your first deployment at CCS was at the Small Law Firm (in further text—SLF). Since the multinational
law firm Big Law Firm (in further text—BLF) purchased SLF, it has standardized on OSPF as its IGP at the
corporate office and at all branches. You and your team leader Bob successfully implemented OSPF at SLF.
BLF has been very satisfied with the results that CCS has delivered. BLF corporate has decided to award
CCS the contract to provide network infrastructure, management, and security services for all BLF
corporate and its branch offices.
The strong growth at BLF has put a strain on the existing flat network design. You and Bob have decided to
implement a hierarchical design to optimize routing using multiarea OSPF. You will be deployed soon to
implement the change, but before you go, you should have a solid understanding of OSPF functions, packet
types, and the LSDB. As before, you can take the training to gain the OSPF knowledge or take the test
instead.
Link-State Routing Protocol Overview
The two basic types of routing protocols are distance vector and link state. OSPF is an example of a link-
state routing protocol.
When a failure occurs in a network, routing protocols should detect the failure as soon as possible and find
another path across the network. Only link-state protocols support fast convergence with support for
scalability and multivendor environments, so they are the only type of IGP that is found in large network
environments.
Link-state protocols have the following advantages when compared to distance vector routing protocols:
• They are more scalable: Link-state protocols use a hierarchical design and can scale to very large
networks, if properly designed.
• Each router has a full picture of the topology: Because each router contains full information about
the routers and links in a network, each router is able to independently select a loop-free and efficient
pathway, which is based on cost, to reach every neighbor in the network.
• Updates are sent when a topology change occurs and are reflooded periodically: Link-state
protocols send updates of a topology change by using triggered updates. Also, updates are made
periodically—by default every 30 minutes.
• They respond quickly to topology changes: Link-state protocols establish neighbor relations with the
adjacent routers. The failure of a neighbor is detected quickly, and this failure is communicated by using
triggered updates to all routers in the network. This immediate reporting generally leads to fast
convergence times.
• More information is communicated between routers: Routers that are running a link-state protocol
have a common view on the network. This means that each router has full information about other
routers and links between them, including the metric on each link.
Link-State Routing Protocol Data Structures
A router that is running a link-state routing protocol must first recognize other routers and establish a
neighbor adjacency with its neighboring routers. A router achieves this neighbor adjacency by exchanging
hello packets with the neighboring routers. After a router establishes a neighbor adjacency by using the
hello packets, a neighbor is put into the neighbor database.
In the example, router A recognizes routers B and D as neighbors.
After a neighbor relationship is established between routers, the routers synchronize their topology
databases (LSDBs) by reliably exchanging LSAs. An LSA describes a router and networks that are
connected to this router. LSAs are stored in the LSDB. By exchanging all LSAs, routers learn the complete
topology of the network. Each router will have the same topology database within an area.
After the topology database is built, each router applies the SPF algorithm to the topology map. The SPF
algorithm uses the Dijkstra algorithm to calculate the shortest path to each destination.
The best (shortest) paths to destinations are then put into the routing table. The routing table includes a
destination network and the next-hop IP address. In the example, the routing table on router A states that a
packet should be sent to router D to reach network X.
Whenever there is a change in a topology, new LSAs are created and sent throughout the network. All
routers change their LSDB when they receive the new LSA, and the SPF algorithm is run again on the
updated LSDB to verify new paths to destinations.
Introducing OSPF
OSPF is a link-state routing protocol. You can think of a link as an interface on a router. The state of the
link is a description of that interface and of its relationship to its neighboring routers. A description of the
interface would include, for example, the IP address of the interface, the subnet mask, the type of network to
which it is connected, the routers that are connected to that network, and so on. The collection of all these
link states forms a link-state database.
OSPF was developed based on an open standard and is supported by several router manufacturers. OSPF
is widely used as an IGP, especially in large network environments. OSPF was developed as a
replacement for the distance vector routing protocol RIP. The major advantages of OSPF over RIP are its
fast convergence and its ability to scale to much larger networks.
A router sends LSA packets immediately to advertise its state when there are state changes. The router
sends the packets periodically as well (every 30 minutes by default). The information about the attached
interfaces, the metrics that are used, and other variables are included in OSPF LSAs. As OSPF routers
accumulate link-state information, they use the SPF algorithm to calculate the shortest path to each node.
A topological (link-state) database is, essentially, an overall picture of the networks in relation to the
routers. The topological database contains the collection of LSAs that all routers in the same area sent.
Because the routers within the same area share the same information, they have identical topological
databases.
OSPF can operate within a hierarchy. The largest entity within the hierarchy is the AS, which is a collection
of networks under a common administration that share a common routing strategy. An AS can be divided
into several areas, which are groups of contiguous networks and attached hosts. The figure shows an
example of an OSPF hierarchy.
OSPF uses a two-layer network hierarchy that has two primary elements:
• AS: An AS consists of a collection of networks under a common administration that share a common
routing strategy. An AS, which is sometimes called a domain, can be logically subdivided into multiple
areas.
• Area: An area is a grouping of contiguous networks. Areas are logical subdivisions of the AS.
Within each AS, a contiguous backbone area must be defined. In the multiarea design, all other
nonbackbone areas are connected off the backbone area.
Multiarea design is more effective since the network is segmented to limit the propagation of LSAs inside
an area. It is especially useful for large networks.
Establishing OSPF Neighbor Adjacencies
Neighbor OSPF routers must recognize each other on the network before they can share information
because OSPF routing depends on the status of the link between two routers. This process is done using the
Hello protocol. OSPF routers send hello packets on all OSPF-enabled interfaces to determine if there are
any neighbors on those links.
The Hello protocol establishes and maintains neighbor relationships by ensuring bidirectional (two-way)
communication between neighbors.
An OSPF neighbor relationship, or adjacency, is formed between two routers if they both agree on the area
ID, hello and dead intervals, and authentication. Of course, the routers must be on the same IP subnet.
Bidirectional communication occurs when a router recognizes itself in the neighbors list that is held in the
hello packet that it receives from a neighbor.
Each interface that is participating in OSPF uses the multicast address 224.0.0.5 to periodically send hello
packets. A hello packet contains the following information:
• Router ID: The router ID is a 32-bit number that uniquely identifies the router. The router ID is, by
default, the highest IP address on a loopback interface, if configured. If the router ID is not configured,
it is the highest IP address on any interface. You can also manually configure the router ID using the
router-id command. It is recommended that you always use a loopback IP address for the router ID or
to set the router ID manually. In this way, the router ID is stable and will not change.
• Hello and dead intervals: The hello interval specifies the frequency in seconds at which a router sends
hello packets. The default hello interval on multiaccess networks is 10 seconds. The dead interval is the
time in seconds that a router waits to hear from a neighbor before declaring the neighboring router out
of service. By default, the dead interval is four times the hello interval. These timers must be the same
on neighboring routers; otherwise, an adjacency will not be established.
• Neighbors: The Neighbors field lists the adjacent routers with an established bidirectional
communication. This bidirectional communication is indicated when the router recognizes itself as it is
listed in the Neighbors field of the hello packet from the neighbor.
• Area ID: To communicate, two routers must share a common segment and their interfaces must belong
to the same OSPF area on this segment. The neighbors must also share the same subnet and mask.
These routers in the same area will all have the same link-state information for that area.
• Router priority: The router priority is an 8-bit number that indicates the priority of a router. OSPF uses
the priority to select a DR and BDR. In certain types of networks, OSPF elects DRs and BDRs. The DR
acts as a hub to reduce traffic between routers.
• DR and BDR IP addresses: These addresses are the IP addresses of the DR and BDR for the specific
network, if they are known.
• Authentication data: If router authentication is enabled, two routers must exchange the same
authentication data. Authentication is not required, but if it is enabled, all peer routers must have the
same key configured.
• Stub area flag: A stub area is a special area. Designating a stub area is a technique that reduces routing
updates by replacing them with a default route. Two routers have to also agree on the stub area flag in
the hello packets in order to become neighbors.
OSPF Neighbor States
When routers that are running OSPF are initialized, an exchange process using the Hello protocol is the first
procedure.
The figure illustrates the exchange process that happens when routers appear on the network:
1. A router is enabled on the LAN and is in a down state because it has not exchanged information with
any other router. The router begins by sending a hello packet through each of its interfaces that are
participating in OSPF, although it does not know the identity of any other routers.
2. All directly connected routers that are running OSPF receive the hello packet from the first router and
add the router to their lists of neighbors. After adding the router to the list, other routers are in the INIT
state.
3. Each router that received the hello packet sends a unicast reply hello packet to the first router with its
corresponding information. The neighbor field in the hello packet includes all neighboring routers and
the first router.
4. When the first router receives the hello packets, it adds all the routers that had its router ID in their hello
packets to its own neighbor relationship database. After this process, the first router is in the two-way
state. At this point, all routers that have each other in their lists of neighbors have established a
bidirectional communication.
If the link type is a broadcast network (for example, a LAN link like Ethernet), a DR and BDR must first be
selected. The DR acts as a central exchange point for routing information and reduces the amount of routing
information that the routers have to exchange. The DR and BDR are selected after routers are in the two-
way state. The router with the highest priority will become the DR. If there is a tie, the router with the
highest router ID will become the DR. Among the routers on a LAN that were not elected as the DR or
BDR, the exchange process stops at this point, and the routers remain in the two-way state. Routers then
communicate only with DR (or BDR) router using multicast IP address 224.0.0.6. The DR router uses
224.0.0.5 multicast IP address to communicate with all other non-DR routers.
After the DR and BDR have been selected, the routers are considered to be in the exstart state. The routers
are then ready to discover the link-state information about the internetwork and create their LSDBs. The
exchange protocol is used to discover the network routes, and it brings all the routers from the exchange
state to a full state of communication. The first step in this process is for the DR and BDR to establish
adjacencies with each of the other routers.
As shown in the figure, the exchange protocol continues as follows:
1. In the exstart state, the DR and BDR establish adjacencies with each router in the network. During this
process, a primary-subordinate relationship is created between each router and its adjacent DR and
BDR. The router with the higher router ID acts as the primary during the exchange process. The
primary-subordinate election dictates which router will start the exchange of routing information. This
step is not shown in the figure.
2. The primary and subordinate routers exchange one or more DBD packets. The routers are in the
exchange state.
3. A router compares the DBD that it received with the LSAs that it has. If the DBD has a more up-to-date
link-state entry, the router sends an LSR to the other router. When routers start sending LSRs, they are
in the loading state.
4. When all LSRs have been satisfied for a given router, the adjacent routers are considered synchronized
and are in the full state.
You should be aware that all states except two-way and full are transitory, and routers should not remain in
these states for extended periods of time.
SPF Algorithm
The SPF algorithm places each router at the root of a tree and calculates the shortest path to each node. The
path calculation is based on the cumulative cost that is required to reach that destination. LSAs are flooded
throughout the area by using a reliable algorithm, which ensures that all the routers in an area have the same
topological database. Each router uses the information in its topological database to calculate a shortest path
tree, with itself as the root. The router then uses this tree to route network traffic.
The figure represents the R1 view of the network, where R1 is the root and calculates the pathways by
assuming this view.
Each router has its own view of the topology, even though all the routers build the shortest path trees by
using the same link-state database.
A metric is an indication of the overhead that is required to send packets across a certain interface. OSPF
uses cost as a metric. A smaller cost indicates a better path than a higher cost. By default on Cisco devices,
the cost of an interface is inversely proportional to the bandwidth of this interface, so a higher bandwidth
indicates a lower cost. There is more overhead, a higher cost, and more time delays that are involved in
crossing a 10-Mbps Ethernet line than in crossing a 100-Mbps Ethernet line.
The formula that you use to calculate OSPF cost is cost = reference bandwidth / interface bandwidth (in
bits per second).
The default reference bandwidth is 108, which is 100,000,000 or the equivalent of the bandwidth of
FastEthernet. Therefore, the default cost of a 10-Mbps Ethernet link will be 108 / 107 = 10, and the cost of a
100-Mbps link will be 108 / 108 = 1. The problem arises with links that are faster than 100 Mbps. Because
the OSPF cost has to be an integer, all links that are faster than FastEthernet will have an OSPF cost of 1.
The cost to reach a distant network from a router is the cumulative cost of all links on the path from the
router to the network. In the example, the cost from router R1 to the destination network via R3 is 40 (20 +
10 + 10), and the cost via router R2 is 30 (10 + 10 + 10). The path via R2 is better because it has a lower
cost.
LSAs are flooded through the area by using a reliable algorithm, which ensures that all routers in an area
have the same topological database. Because of the flooding process, R1 has learned the link-state
information for each router in its routing area. Each router uses the information in its topological database to
calculate a shortest path tree, with itself as the root. The tree is then used to populate the IP routing table
with the best paths to each network.
For R1, the shortest path to each LAN and its cost are shown in the table. The shortest path is not
necessarily the best path. Each router has its own view of the topology, even though the routers build
shortest path trees by using the same link-state database.
Building a Link-State Database
When two routers discover each other and establish adjacency using hello packets, they use the exchange
protocol to exchange information about the LSAs.
As shown in the figure, the exchange protocol operates as follows:

1. The routers exchange one or more DBD packets. A DBD includes information about the LSA entry
header that appears in the LSDB of the router. Each LSA entry header includes information about the
link-state type, the address of the advertising router, the cost of the link, and the sequence number. The
router uses the sequence number to determine the "newness" of the received link-state information.
2. When the router receives the DBD, it acknowledges the receipt of the DBD that is using the LSAck
packet.
3. The routers compare the information that they receive with the information that they have. If the
received DBD has a more up-to-date link-state entry, the router sends an LSR to the other router to
request the updated link-state entry.
4. The other router responds with complete information about the requested entry in an LSU packet. The
other router adds the new link-state entries to its LSDB.
5. When the router receives an LSU, it sends an LSAck.
Four types of update packets are used when building and synchronizing LSDBs:
• DBD packet: A DBD packet is used to describe the network routes of each neighbor.
• LSR packet: After DBD packets are exchanged, the routers request the missing information by using
LSR packets.
• LSU packet: All missing information is sent to the neighbors by sending LSU packets that contain
different LSAs.
• LSAck packet: Every packet receives an LSAck to ensure a reliable transport and a reliable exchange
of information.
OSPF Packet Types
OSPF uses five types of routing protocol packets that share a common protocol header. The Protocol field in
the IP header is set to 89. All five packet types are used in a normal operation of OSPF.
OSPF Packet Header Format
All five OSPF packet types are encapsulated directly into an IP payload, as shown in the figure. OSPF
packets do not use TCP or UDP. OSPF requires a reliable packet transport, but because it does not use TCP,
OSPF defines an acknowledgment packet (OSPF packet type 5) to ensure reliability.
In the Protocol field of the IP header, the value of 89 is set for all OSPF packet types. Each of the five OSPF
packet types begins with the same header format. This header includes the following fields:
• Version number: Version 2 for OSPF with IPv4 and version 3 for OSPF with IPv6
• Type: Differentiates the five OSPF packet types
• Packet length: The length of the OSPF packet in bytes
• Router ID: Defines which router is the source of the packet
• Area ID: Defines the area where the packet originated
• Checksum: Used for packet-header error detection to ensure that the OSPF packet was not corrupted
during transmission
• Authentication type: An OSPF option that describes either the no authentication, cleartext passwords,
or passwords protected by an MD5 hash formats for router authentication
• Authentication: Used in the authentication scheme
• Data: Each of the five packet types includes different data:
– Hello packets: Contains a list of known neighbors
– DBD packet: Contains a summary of the LSDB, which includes all known router IDs and their last
sequence numbers, among several other fields
– LSR packet: Contains the type of LSU that is needed and the router ID that has the needed LSU
– LSU packet: Contains the complete LSA entries. Multiple LSA entries can fit in one OSPF update
packet.
– LSAck packet: Empty
Discovery 15: Configure and Verify Single-Area
OSPF
Introduction
This discovery will guide you through the configuration and verification of OSPF for IPv4 on a Cisco IOS
router. The virtual lab is prepared with the devices that are represented in the topology diagram and the
connectivity table. All devices have their basic configurations in place, including hostnames and IP
addresses. R2 and R3 are also configured with OSPF. You will configure OSPF on R1 and verify the
results.
Topology
Job Aid

• OSPF is preconfigured on R2 and R3:
Device Information
Device Details
R1 Ethernet0/0 10.0.1.1/24 R2
R1 Ethernet0/1 10.1.1.1/24 R3
R1 Loopback0 10.10.11.1/24 —
R2 Ethernet0/0 10.1.1.2/24 R1
R2 Ethernet0/2 10.2.1.2/24 R3
R2 Loopback0 10.10.12.1/24 —
R3 Ethernet0/1 10.1.1.3/24 R1
R3 Ethernet0/2 10.2.1.3/24 R2
R3 Loopback0 10.10.13.1/24 —
Task 1: Configure and Verify Single-Area OSPF
The router ospf command uses a process identifier as an argument. The process ID is a unique, arbitrary
number that you select to identify the routing process. The process ID is locally significant and does not
need to match the OSPF process ID on other OSPF routers.
The network command identifies which IP networks on the router are part of the OSPF network. For each
network, you must also identify the OSPF area to which the networks belong. The network that is identified
in the network command does not tell the router which network to advertise; instead, it indicates the
interfaces on which OSPF will be enabled.
The table defines the commands that you use to configure OSPF.
Command and Variable Description
router ospf process_id Enters into the OSPF routing configuration mode. The network administrator
chooses the process ID, which is a number between 1 and 65,535. The process
ID is locally significant, which means that it does not have to match other OSPF
routers to establish adjacencies with those neighbors.
network ip-address Uses a combination of the network address and wildcard mask and serves as the
wildcard_mask area area_id criteria to match when identifying the interfaces that can send and receive OSPF
packets. The network address, along with the wildcard mask, identifies which IP
networks are part of the OSPF network and are included in OSPF routing
updates. The area ID identifies the OSPF area to which the network belongs.
When all the routers are within the same OSPF area, the network commands
must be configured with the same area ID on all routers. Even if no areas are
specified, there must be an area 0. In a single-area OSPF environment, the area
is always 0.
ip ospf process_id area As an alternative to a network command, you can use this interface
area_id configuration mode command that enables OSPF explicitly on the selected
interface.
To be able to perform routing toward external networks or toward the Internet, the router must either know
all the destination networks or have a default route. You can statically configure a default route, but it can
also be learned dynamically via the OSPF routing protocol. The router that announces the default route
needs to be configured with the default-information originate command in the routing protocols
configuration mode. You can also add the always keyword at the end of the command (default-
information originate always) to always advertise the default route regardless of whether the route table
has a default route.
Activity
Access the console of R2 and display the OSPF configuration.
You can verify the OSPF configuration using the show running-config command.
R2# show running-config | section ospfrouter ospf 1

router-id 2.2.2.2
network 10.0.1.0 0.0.0.255 area 0network 10.2.1.0 0.0.0.255 area 0network
10.10.12.0 0.0.0.255 area 0
You should see that the OSPF with the process ID 1 is preconfigured with the following
networks:
• 10.0.1.0/24
• 10.2.1.0/24
• 10.10.12.0/24
If you refer to the Job Aids section, you can quickly determine that the configured OSPF
networks are associated with each of the active interfaces on R2. All networks, meaning all
active interfaces on the router, belong to the same area—area 0.
At this point, note that the router is configured with the router ID 2.2.2.2. The router ID will be
discussed later on.
Access the console of R3 and display the OSPF configuration.
Another way to verify the OSPF configuration is by using the show ip protocols command. This
command will display the status of the configured dynamic routing protocols.

Routing Protocol is "ospf 1"

Router ID 3.3.3.3
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Maximum path: 4
Routing for Networks:10.1.1.0 0.0.0.255 area 010.2.1.0 0.0.0.255 area
010.10.13.0 0.0.0.255 area 0
2.2.2.2 110 17:04:48
Distance: (default is 110)
You should see that only the OSPF routing protocol is configured on R3. OSPF is using the
process ID 1 and is preconfigured with the following networks:
• 10.1.1.0/24
• 10.2.1.0/24
• 10.10.13.0/24
If you refer to the Job Aids section, you can quickly determine that OSPF on R3 is enabled on all
enabled interfaces. All networks, meaning all interfaces on the router, belong to the same area—
area 0.
The Router is preconfigured with the router ID 3.3.3.3.
Router ID
The OSPF router ID is used to uniquely identify each router in the OSPF routing domain. A router ID is
simply a label and is expressed as an IP address. Cisco routers derive the router ID based on three criteria
and with this precedence:
1. The router uses the IP address (or dotted decimal number) that is configured with the OSPF router-id
command.
2. If the router ID is not configured, the router chooses the highest IP address of its loopback interfaces.
3. If no loopback interfaces are configured, the router chooses the highest active IP address of its physical
interfaces.
The router ID looks like an IP address, but it is not routable and therefore not included in the routing table,
unless the OSPF routing process chooses an interface (physical or loopback) that is appropriately defined
by a network command or ip ospfo interface command.
If an OSPF router is not configured with an OSPF router-id command and no loopback interfaces are
configured, the OSPF router ID will be the highest active IP address on any of its interfaces. The interface
does not need to be enabled for OSPF, meaning that it does not need to be included in one of the OSPF
network commands. However, the interface must be active—it must be in the "up" state.
Access the console of R1 and configure the OSPF process ID 1. Include all the networks that are
associated with each of the three active interfaces for R1 in area 0. Also configure the router ID
to 1.1.1.1.
R1# conf t
R1(config)# router ospf 1
R1(config-router)# router-id 1.1.1.1
R1(config-router)# network 10.0.1.0 0.0.0.255 area 0
During configuration, a syslog message will indicate that new adjacencies have been initiated
with two neighbors, R2 and R3. Note that the R2 and R3 routers are represented using the
preconfigured router ID.
*Oct 13 07:24:35.278: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on Ethernet0/0

from LOADING to FULL, Loading Done
from LOADING to FULL, Loading Done.
Verifying Single-Area OSPF
You can use several commands to verify the configuration of single-area OSPF:
• The show ip protocols command shows a summary of the configured routing protocol information.
You can see which protocols are enabled and which networks these protocols are routing for. You can
also see on which interfaces the routing protocols were enabled explicitly.
• Using the show ip ospf interface interface slot/number you can verify all OSPF related configuration
on an interface.
• Using the show ip ospf interface brief command, you can verify which interfaces are enabled for
OSPF. It is useful to determine if your network statements were correctly composed.
• Using the show ip ospf neighbor you can display the OSPF neighbor information on a per-interface
basis.
• The show ip route command displays the routes that are known to the router and how they were
learned. This command is one of the best ways to determine connectivity between the local router and
the rest of the internetwork.
Display the interfaces on R1 that are participating in OSPF.
R1# show ip ospf interface brief

Interface PID Area IP Address/Mask Cost State Nbrs F/C
Lo010 10.10.11.1/24 1 LOOP 0/0
Et0/110 10.1.1.1/24 10 BDR 1/1
Et0/010 10.0.1.1/24 10 BDR 1/1
Ethernet0/0, Ethernet0/1, and Loopback0 are participating in OSPF in area 0, under the process
ID 1.
Display the list of the OSPF neighbors for R1.
R1# show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface

3.3.3.3 1 FULL/DR 00:00:38 10.1.1.3Ethernet0/12.2.2.2
1 FULL/DR 00:00:34 10.0.1.2Ethernet0/0
R1 has two neighbors:

• 3.3.3.3 (R3) that can be reached via the Ethernet0/1 interface. The interface IP address of the
interface to which the neighbor is directly connected is 10.1.1.3.
• 2.2.2.2 (R2) that can be reached via the Ethernet0/0 interface. The interface IP address of the
interface to which the neighbor is directly connected is 10.0.1.2.
Notice that the neighbor state is "FULL/DR", indicating that the OSPF adjacency is established
and both of the neighbors are DR routers. Instead of DR, you could also see BDR state,
indicating that the router is BDR, or DROTHER. DROTHER would indicate that the router has
priority set to 0 and cannot become DR or BDR.
Display the routing table on R1.
The routes that the router has learned via OSPF are tagged with an "O."
R1# show ip route

O 10.2.1.0/24 [110/20] via 10.1.1.3, 00:04:50, Ethernet0/1
[110/20] via 10.0.1.2, 00:05:00, Ethernet0/0
O 10.10.12.0/24 [110/11] via 10.0.1.2, 00:05:00, Ethernet0/0
O 10.10.13.0/24 [110/11] via 10.1.1.3, 00:04:50, Ethernet0/1
R1 has learned about the following networks:

• Network between R2 and R3, which has two equal paths—via the Ethernet0/0 and
Ethernet0/1 interfaces
• Network of the Loopback interface on R2
• Network of the Loopback interface on R3
OSPF Metric
You can apply realistic cost, influencing the following:
• Reference bandwidth, using the ospf auto-cost reference bandwidth reference-bandwidth command
• Interface cost, using the ip ospf cost cost command
• Interface bandwidth, using the bandwidth command
OSPF uses path costs as a metric. The limitation is that all links that are faster than FastEthernet will have
an OSPF cost of 1. There are three approaches you can take to apply realistic costs to your high-speed links.
• Reference Bandwidth: You can set the reference bandwidth on the router globally to provide granular
link costs.
By default, reference bandwidth is 100 Mbps. To adjust the reference bandwidth for a link, use the ospf
auto-cost reference-bandwidthreference-bandwith command that is configured in the OSPF routing
process configuration mode.
• Interface Cost: You can choose to use arbitrary cost numbers on every interface.
To override the cost that is calculated for an interface for OSPF routing process, use the ip ospf cost cost
interface configuration command.
• Interface Bandwidth: You can configure the bandwidthkilobits-per-second command on an interface

to override the default bandwidth. This has the effect of adjusting the cost of the link regarding routing
protocols.
Whether you choose the reference bandwidth method, interface cost method, or interface bandwidth
method for adjusting OSPF link costs, it is imperative that you consistently configure adjustments on every
router in the OSPF network. Inconsistent application of OSPF link costs can lead to suboptimal path
selection.
R1 has two paths to the 10.2.1.0/24 network, because both paths have equal cost. Influence the
interface cost on R1, so that only the path via Ethernet0/0 will be chosen as the best one.
First, verify the cost of the Ethernet0/0 and Ethernet0/1 interfaces.

Lo0 1 0 10.10.11.1/24 1 LOOP 0/0
Et0/1 1 0 10.1.1.1/24 10 BDR 1/1
Et0/0 1 0 10.0.1.1/24 10 BDR 1/1
Both interfaces have the same cost—10. If you want the path via interface Ethernet0/0 to be
chosen, you have to change its cost to a lower value.
R1# conf t
R1(config-if)# ip ospf cost 1
R1(config-if)# end
Alternatively, you could also change the cost of Ethernet0/1 to a higher value.
Again, display the routing table of R1.
Verify that there is only one path, the path via Ethernet0/0, to reach the 10.2.1.0/24 network.
R1# show ip route


O 10.2.1.0/24 [110/11] via 10.0.1.2, 00:00:02, Ethernet0/0
O 10.10.12.0/24 [110/2] via 10.0.1.2, 00:00:02, Ethernet0/0
O 10.10.13.0/24 [110/11] via 10.1.1.3, 00:06:44, Ethernet0/1
The total cost to reach the 10.2.1.0/24 network is 11, which is the sum of all the links to reach
the network (including the cost of the links that R2 needs to reach this network).
• R1 can reach this network via R2. The cost of the link for R1 to reach R2 is 1. (This is the
cost that you configured.)
• The cost of the link for R2 to reach the network is 10.
Passive Interfaces in OSPF
With OSPF running on a network, the passive-interface command stops both outgoing and incoming
routing updates because the effect of the command causes the router to stop sending and receiving hello
packets over an interface. For this reason, the routers will not become neighbors. Use the passive interface
configuration only on the interfaces where you do not expect the router to form any OSPF neighbor
adjacency.
You can configure either a specific interface as passive, or turn on a passive interface setting as default.
Then mark the interfaces which should not be configured as passive with the no passive-interface
configuration command.
On R1, set all interfaces as passive, except the interface connecting to R3.
The easiest way is to use the passive-interface default command.
R1# conf t
R1(config-router)# passive-interface default*Oct 13 11:30:01.326: %OSPF-5-
ADJCHG: Process 1, Nbr 2.2.2.2 on Ethernet0/0 from FULL to DOWN, Neighbor Down:
Interface down or detached
from FULL to DOWN, Neighbor Down: Interface down or detached
R1(config-router)# no passive-interface Ethernet0/1*Oct 13 11:31:07.174: %OSPF-
5-ADJCHG: Process 1, Nbr 3.3.3.3 on Ethernet0/1 from LOADING to FULL, Loading
Done
Note that during configuration, a syslog message will indicate that existing adjacencies have
been terminated. After you specify that Ethernet0/1 should not be configured as passive, the new
adjacency is initiated with R3.
Display the list of the OSPF neighbors on R1.

3.3.3.3 1 FULL/DR 00:00:31 10.1.1.3 Ethernet0/1
Because only Ethernet0/1 has been excluded from the passive-interface configuration, R1 has
formed adjacency only with R3.
Self Check
How can link-state protocols limit the scope of route changes?

A. by supporting classless addressing
B. by sending the mask along with the address
C. by sending only updates of a topology change
D. by segmenting the network into area hierarchies
Which two data structures do the link-state routing protocols use? (Choose two.)
A. the LSU database
B. the neighbors database
C. the link-state interfaces database
D. the topology database
E. the next-hop database
What is the purpose of link-state advertisements?

A. constructing a topological database
B. specifying the cost to reach a destination
C. determining the best path to a destination
D. verifying that a neighbor is still functioning
Match the OSPF packet type with the correct description.
DBD sends specifically requested link-state records
LSR acknowledges the other packet types
Hello checks for database synchronization
LSU requests specific link-state records from another router
LSAck discovers neighbors
The SPF algorithm uses a value that is inversely proportional to the bandwidth. What is this value
called?
A. link cost
B. hop count
C. link state
D. MTU
Match the OSPF neighbor states with their correct positions in the right order.
5 down
6 init
1 two-way
3 exstart
7 exchange
4 loading
2 full
Refer to the figure. Which path will OSPF install in the routing table to reach the 10.10.1.0/24 network
from router A?
A. the path A-B-C

B. the path A-D-C
What is a concern of the default OSPF metric?

A. Link with speeds greater than 10 Gbps will not be supported until the release of OSPF v4.
B. Link with speeds greater than 1 Gbps are converted to 10 Mbps for the purposes of OSPF cost
calculation.
C. Link with speeds greater than 100 Mbps have a cost of 1.
D. Link with speeds greater than 1 Gbps require additional memory in the OSPF router or switch to
calculate the larger costs.
Answer Key
Self Check
1. D
2. B, D
3. A
4.
LSU sends specifically requested link-state records
LSAck acknowledges the other packet types
DBD checks for database synchronization
LSR requests specific link-state records from another router
Hello discovers neighbors
5. A
6.
1 down
2 init
3 two-way
4 exstart
5 exchange
6 loading
7 full
7. B
8. C
Lesson 2: Multiarea OSPF
IPv4 Implementation
Overview
CCS has recently started providing IT services for a startup company that is growing at an unusually rapid
pace. The company was so small when they hired CCS that it was still using static routing on its network.
Shortly after taking over the IT services for this company, Bob explained to its management that a routing
protocol was absolutely necessary. After much discussion, OSPF was selected as the routing protocol. Also,
because of the rapid growth of the company, they made the decision to implement multiarea OSPF.
As you are leaving for the customer site to perform the implementation, Bob stops you. He reminds you that
not only must you be able to perform the configuration, you must also be able to answer any questions about
OSPF that arise from the customer who knows little about it.
OSPF Area Structure
In small networks, the web of router links is not complex, and paths to individual destinations are easily
deduced. However, in large networks, the web is highly complex, and the number of potential paths to each
destination is large. Therefore, the Dijkstra calculations that compare all these possible routes can be very
complex and can take a significant amount of time to complete.
Link-state routing protocols usually reduce the size of the Dijkstra calculations by partitioning the network
into areas. The number of routers in an area and the number of LSAs that flood within the area are small,
which means that the link-state or topology database for an area is small. So, the Dijkstra calculation is
easier and takes less time. The routers that are inside an area maintain detailed information about the links
and only general or summary information about the routers and links in other areas. However,
summarization is not done by default; it must be configured. Another advantage of using a multiarea OSPF
design is that a topology change in an area causes LSA flooding only within the area. SPF recalculations
therefore occur only in an area where a topology change has happened.
Link-state routing protocols use a two-layer area hierarchy:
• Backbonearea: The primary function of this OSPF area is to quickly and efficiently move IP packets.
Backbone areas interconnect with other OSPF area types. The OSPF hierarchical area structure requires
that all areas connect directly to the backbone area. In the figure, the links between Area 1 and Area 2
routers are not allowed. Generally, end users are not found within a backbone area, which is also known
as OSPF Area 0.
• Normal or nonbackbone area: The primary function of this OSPF area is to connect users and
resources. Normal areas are usually set up according to functional or geographical groupings. By
default, a normal area does not allow traffic from another area to use its links to reach other areas. All
traffic from other areas must cross a transit area such as Area 0. Normal areas can be of different types.
Normal area types affect the amount of routing information that is propagated into the normal area. For
example, instead of propagating all routes from the backbone area into a normal area, you could
propagate only a default route.
OSPF has special restrictions when multiple areas are involved. One of the areas has to be Area 0, the
backbone. All other areas have to be connected to the backbone, which is responsible for distributing
routing information between nonbackbone areas.
An OSPF area is identified using a 32-bit Area ID. It can be expressed as either a decimal number or a
dotted decimal. You can use both formats at the same time. For example, Area 0 and Area 0.0.0.0 are
equivalent. The same goes for Area 14 and Area 0.0.0.14. Area 300 would be the same as 0.0.1.44.
The maximum number of routers per area depends on several factors, however in general it is recommended
to minimize the number of routers in one area. Also, you should consider the number of neighbors. Areas
with unstable links should be smaller. In general, to maximize stability, one router should not be in more
than three areas.
All OSPF areas and routers that are running the OSPF routing protocol comprise the OSPF AS.
Within each AS, a contiguous backbone area, Area 0, must be defined. OSPF hierarchical networking
defines Area 0 as the core. All other areas connect directly to backbone. The backbone area is the transition
area because all other areas communicate through it.
The routers that make up Area 0 are known as backbone routers. The routers that make up nonbackbone
(normal) areas are known as internal routers; they have all interfaces only in one area.
An ABR connects Area 0 to the nonbackbone areas. An OSPF ABR plays a very important role in the
network design and has interfaces in more than one area. An ABR has the following characteristics:
• It separates LSA flooding zones.
• It becomes the primary point for area address summarization.
• It functions regularly as the source for default routes.
• It maintains the LSDB for each area with which it is connected.
The ideal design is to have each ABR connected to only two areas, the backbone and another area, with
three areas being the upper limit.
An ASBR connects any OSPF area to a different routing administration. The ASBR is the point where
external routes can be introduced into the OSPF AS.
In the example, R1 is the backbone router, R2 is an ABR between Areas 0 and 1. R4 acts as the ASBR
between the OSPF routing domain and an external domain.
Single-Area vs. Multiarea OSPF
The single-area OSPF design puts all routers into a single OSPF area. This design results in many LSAs
being processed on every router and in larger routing tables. The OSPF configuration follows a single-area
design in which all the routers are treated as being internal routers to the area and all the interfaces are
members of this single area.
As you know, OSPF uses flooding to exchange link-state updates between routers. Any change in the
routing information is flooded to all routers in an area. For this reason, the single-area OSPF design can
become undesirable as the network grows. The number of LSAs that are processed on every router will
increase, and the routing tables may grow quite large.
For large or growing networks especially, a multiarea design is a better solution than a single-area design. In
a multiarea design, the network is segmented to limit the propagation of LSAs inside an area and to make
the routing tables smaller by utilizing summarization.
There are two types of routers from the configuration point of view:
• Routers with single-area configuration: Internal routers, backbone routers, and ASBRs that are
residing in one area
• Routers with a multiarea configuration:ABRs and ASBRs that are residing in more than one area
While multiarea OSPF is a scalable and powerful routing protocol, it requires much knowledge to properly
design, implement, or troubleshoot.
Multiarea OSPF offers the following advantages over single-area OSPF:
• It can make routing tables smaller if you use route summarization.
• It divides routers into separate areas to limit the propagation and processing of LSAs.
Discovery 16: Configure and Verify Multiarea
OSPF
Introduction
This discovery will guide you through the configuration of an ABR in a multiarea OSPF environment. The
virtual lab is prepared with the devices that are represented in the topology diagram and the connectivity
table. All devices have their basic configurations in place, including hostnames and IP addresses. R1 has
also been configured as an internal router in Area 0, while R3 has been configured as an internal router in
Area 1. Area 0 spans subnets of 10.0.0.0/16, while Area 1 spans subnets of 10.1.0.0/16. Your job in this
discovery is to configure R2 as an ABR between Area 0 and Area 1. After R2 is configured, you will verify
the results.
Topology
Job Aid

• OSPF is preconfigured on R1 and R3:
• R1 has been configured as an internal router in Area 0.
• R3 has been configured as an internal router in Area 1
• You will configure R2 as an ABR between Area 0 and Area 1.
Device Information
Device Details
R1 Ethernet0/0 10.0.1.1/24 R2
R1 Loopback0 10.0.11.1/24 —
R2 Ethernet0/0 10.0.1.2/24 R1
R2 Ethernet0/1 10.1.1.2/24 R3
R3 Ethernet0/0 10.1.1.3/24 R2
R3 Loopback0 10.1.13.1/24 —
Task 1: Configure and Verify Multiarea OSPF
To configure a multiarea OSPF, use the same commands that you would use to configure a single-area
OSPF.
Command Description
ip ospf cost cost Specifies the OSPF cost of sending a packet on an

interface. The cost can be a value in the range from 1 to
65,535.
router ospfprocess_id Configures an OSPF routing process. The process-id

parameter is an internally used identification parameter for
the OSPF routing process. It is locally assigned and can be
any positive integer. A unique value is assigned for each
OSPF routing process in the router.
networknetwork wildcard_maskareaarea_id Defines the interfaces on which OSPF runs and defines
the area IDs for those interfaces. The wildcard_mask
parameter determines how to interpret the IP address. The
mask has wildcard bits in which 0 is a match and 1
indicates that the value is not significant. For example,
0.0.255.255 indicates a match in the first two octets.
ip ospfprocess-idareaarea-id Used in the interface configuration mode to enable

OSPFv2 on an interface. The process-id parameter is a
decimal value in the range from 1 to 65535 that identifies
the process ID. The area-id parameter is a decimal value
in the range from 0 to 4,294,967,295, or an IP address.
Activity
Access the console of R2. Initialize the OSPF process number 10 and set R2’s OSPF router ID to
0.0.0.2.
R2# conf t
Include the interfaces with IP addresses in the 10.0.0.0/16 address range in Area 0. Wait for a
syslog message that indicates that a neighbor relationship with R1 has been established.
R2(config-router)# network 10.0.0.0 0.0.255.255 area 0*Oct 15 09:10:26.381:

%OSPF-5-ADJCHG: Process 10, Nbr 0.0.0.1 on Ethernet0/0 from LOADING to FULL,
Loading Done
Include the interfaces with IP addresses in the 10.1.0.0/16 address range in Area 1. Wait for a
syslog message that indicates that a neighbor relationship with R3 has been established.
R2(config-router)#
R2#
Verifying Multiarea OSPF
To verify multiarea OSPF configuration, use the same commands that you would use to verify the single-
area OSPF.
• show ip protocols—to verify the OSPF status, router ID, number of areas in the router, and the
networks for which the router routes.
• show ip ospf interface—to display OSPF-related information on OSPF-enabled interface. This
command will reveal the OSPF process ID to which the interface is assigned, the area that the interfaces
are in, and the cost of the interfaces
• show ip ospf neighbor—to verify the OSPF neighbors.
• show ip route ospf—to verify the OSPF routes in the IP routing table.
Display the OSPF neighbors of R2.

0.0.0.1 1 FULL/BDR 00:00:38 10.0.1.1 Ethernet0/0
0.0.0.3 1 FULL/DR 00:00:37 10.1.1.3 Ethernet0/1
R2 has two neighbors:
• 0.0.0.1 (R1) that can be reached via the Ethernet0/0 interface. The IP address of the interface
to which the neighbor is directly connected is 10.0.1.1.
• 0.0.0.3 (R3) that can be reached via the Ethernet0/1 interface. The IP address of the interface
to which the neighbor is directly connected is 10.1.1.3.
Note: Your router may show a different DR/BDR neighbor state.
Display the status of the dynamic routing protocols that are running on R2.
You will find the show ip protocols command useful when verifying the configuration and
status of all IPv4 dynamic routing protocols.


Router ID 0.0.0.2It is an area border routerNumber of areas in this router is
2. 2 normal 0 stub 0 nssa
Maximum path: 4
10.0.0.0 0.0.255.255 area 010.1.0.0 0.0.255.255 area 1
0.0.0.1 110 00:54:21
0.0.0.3 110 00:54:11
All OSPF settings that you configured on R2 are apparent in this output: the process ID, the
router ID, and the network definitions. The dynamic status information, such as its ABR status
and its OSPF peers, are also apparent in the output.
R2 is configured for OSPF with the process ID 10. Its router ID is 0.0.0.2 and it is an area border
router. R2 is routing for the 10.0.0.0/16 networks in area 0 and for 10.1.0.0./16 networks in area
1. It has two neighbors, 0.0.0.1 and 0.0.0.3.
Display the summary of information about the OSPF configuration and status on the interfaces
of R2.

Et0/0100 10.0.1.2/24 10 DR 1/1
Et0/1101 10.1.1.2/24 10 BDR 1/1
This command makes it clear which interfaces are participating in the OSPF process. If any
expected interfaces are missing in the output, it can provide a direction for further
troubleshooting.
Besides interface participation, other pertinent information is displayed in the output, including
area designation, cost, and neighbor count.
R2 has two interfaces that are participating in OSPF. Ethernet0/0 is in area 0 nad Ethernet0/1 is
in area 1.
Display the routes from the R2 routing table that were populated via OSPF.
R2# show ip route ospf

O 10.0.11.0/24 [110/11] via 10.0.1.1, 01:15:59, Ethernet0/0O
10.1.13.0/24 [110/11] via 10.1.1.3, 01:15:49, Ethernet0/1
R2 has two entries for OSPF in its routing table. These two entries are associated with the
Loopback interfaces on R1 and R3. Note the code in front of the routes is "O," which indicates
OSPF routes.
The presence of OSPF routes indicates that OSPF is operational. If there are expected OSPF
routes that are missing from the route table, it can provide a direction for further troubleshooting.
Access the console of R1 and display the routes in the routing table that were populated via
OSPF.


O IA 10.1.1.0/24 [110/20] via 10.0.1.2, 00:00:09, Ethernet0/0
O IA 10.1.13.0/24 [110/21] via 10.0.1.2, 00:00:09, Ethernet0/0
R1 has two entries for OSPF in its routing table. These two entries are associated with the
Loopback interface on R3 and the link between R2 and R3. Note that the code in front of the
routes is "O IA," which indicates that the routes are interarea routes. This means that the routes
originated in another area. Recall that R1 is in Area 0 and R3 is in Area 1, so in this case, both
routes originated in Area 1.
The show ip protocols, show ip ospf interface brief, and show ip route ospf commands are three useful
commands to quickly summarize the OSPF status on a Cisco IOS router. The most important information is
available in an easy-to-read format.
Self Check
Which two statements about single-area and multiarea OSPF are true? (Choose two.)
A. Single-area OSPF has one advantage over multiarea OSPF: smaller routing tables.
B. When multiarea design is used, one of the areas should be Area 0.
C. In multiarea OSPF, Area 1 must be physically connected to the backbone, and all other areas must be
connected to area 1.
D. Multiarea OSPF is more scalable than single-area OSPF, and easier to implement.
E. In single-area OSPF, all routers inject routing information into the backbone router, and in turn the
backbone router disseminates that information to other routers.
F. Multiarea OSPF can be used to limit the propagation and processing of LSAs.
Which command is most efficient for determining the number of areas that are configured on a router?
A. show ip protocols
B. show ip ospf interface
C. show ip ospf neighbor
D. show ip route ospf
What does "[110/11]" represent in the command output below?
<output omitted>
172.19.0.0/32 is subnetted, 3 subnets

C 172.19.0.1 is directly connected, Loopback0
O IA 172.19.0.3 [110/129] via 192.168.44.2, 00:05:00, Serial1/0
O IA 172.19.0.2 [110/11] via 192.168.44.2, 00:05:00, Serial1/0
<Output omitted>
A. the Administrative Distance that is assigned to OSPF (110) and the hop count to subnet 172.19.0.2
(hop count of 11)
B. the hop count to subnet 172.19.0.2 (hop count of 110) and the Administrative Distance that is
assigned to OSPF (11)
C. the Administrative Distance that is assigned to OSPF (110) and the total cost of the route to subnet
172.19.0.2 (cost of 11)
D. the total cost of the route to subnet 172.19.0.2 (cost of 110) and the Administrative Distance that is
assigned to OSPF (11)
Refer to the output of show ip route below. What does "IA" indicate regarding the destination network?
R2>show ip route
O IA 141.108.1.128/25 [110/846] via 141.108.10.2, 00:08:05, Serial1/0
O IA 141.108.9.128/25 [110/782] via 141.108.10.2, 00:26:20, Serial1/0
O IA 141.108.1.0/25 [110/846] via 141.108.10.2, 00:08:15, Serial1/0
O IA 141.108.9.0/25 [110/782] via 141.108.10.2, 00:26:20, Serial1/0
C 141.108.10.0/30 is directly connected, Serial1/0
O IA 141.108.12.0/24 [110/782] via 141.108.10.2, 00:26:20, Serial1/0
O IA 141.108.10.4/30 [110/845] via 141.108.10.2, 00:26:20, Serial1/0
O 131.108.4.129/32 [110/11] via 131.108.1.1, 00:46:09, Ethernet0/0
A. It's in the same area as the local router.

B. It's in another area.
C. It will be reached via a default route.
D. The route was learned via another routing protocol.
Which type of router is specific to multiarea OSPF design?

A. Backbone router
B. Internal Router
C. ASBR
D. ABR
Refer to the output of show ip route command from R1.
R1# show ip route

<output omitted>

O IA 10.90.50.1/32 [110/64767] via 10.90.245.5, 01:12:43, Serial0/0
O IA 10.90.145.0/24 [110/65766] via 10.90.245.4, 00:18:43, Serial0/0
O IA 10.90.45.0/30 [110/129532] via 10.90.245.5, 01:12:32, Serial0/0
[110/129532] via 10.90.245.4, 01:12:33, Serial0/0
O IA 10.90.20.1/32 [110/64767] via 10.90.245.2, 01:12:43, Serial0/0
Following configuration change was made on R1. After this change will R1 still load balance to
10.90.45.0/30 network ?

R1(config-router)# maximum-paths 1
A. Yes
B. No
Which of the following command will tell you if the router is an ABR ?
A. show ip ospf neighbor
B. show ip ospf interface brief
D. show ip route ospf
Answer Key
Self Check
1. B, F
2. A
3. C
4. B
5. D
6. B
7. C
OSPFv3 for IPv6
Overview
A customer has contacted CCS inquiring about OSPFv3 implementations. The customer wants to
implement OSPFv3 but will more than likely want to ask you some questions about OSPFv3 before you
configure it. In addition to being able to perform the configuration, you must be able to explain the OSPFv3
enhancements and differences between OSPF for IPv4 and IPv6.
Decide if you are ready to go on site to solve the problem or if you want to do some research first.
OSPFv3 for IPv6
Many concepts of OSPF version 3 are the same as in OSPF version 2. The foundation mostly remains the
same as in OSPFv2. OSPFv3 only expands on OSPFv2 to provide support for IPv6 routing prefixes and
128-bit IPv6 addresses.
OSPFv3 and OSPFv2 can coexist on the same router, but they run independently in separate processes.
As in OSPFv2, the OSPFv3 metric is still based on interface costing. The default metric remains 100 Mbps.
The packet types and neighbor discovery mechanisms are the same in OSPFv3 as they are in OSPFv2.
LSAs are still flooded throughout an OSPF domain.
In OSPFv2, the router ID is a 32-bit number, derived from the "highest" IPv4 address of an existing router.
It is a general practice to set a loopback interface on the router for maintaining the router ID or setting it
administratively in the routing process configuration.
In OSPFv3, the OSPF process still requires a 32-bit number to be set. However, if you do not have any IPv4
configuration on the router, you have to enter this 32-bit number manually. This 32-bit number has the same
form, as in OSPFv2—four octets that are separated by dots [.]. You set the router ID using the router-
idrouter_id command. If you don't set it manually, and you have IPv4 configuration on the router, the router
ID will be the same as the highest configured loopback IPv4 address. If there is also no loopback configured
on the device, then it will use the highest IPv4 address of a physical interface.
OSPFv3 adjacencies use link-local addresses to communicate. Router next-hop attributes are neighboring
router link-local addresses. Because link-local addresses have the same prefix, OSPF needs to store the
information about the outgoing interface.
OSPFv3 uses IPv6 for the transport of LSAs. The IPv6 protocol number 89 is used. OSPFv3 takes
advantage of IPv6 multicasting by using FF02::5 for all OSPF routers and FF02::6 for the OSPF DR and
OSPF BDR.
OSPFv3 is enabled per link and identifies which networks (prefixes) are attached to this link for
determining prefix reachability propagation and the OSPF area. This feature is different from OSPFv2, in
which you can indirectly enable interfaces using the device configuration mode.
One of the most noticeable changes in OSPFv3 is that you don't have to explicitly create a routing process.
If you enable OSPFv3 on an interface, a routing process, and its associated configuration, will be created.
However, note that you also have to have IPv4 configuration on a router so that the router can obtain the
router ID. Otherwise, you have to manually create an OSPV3 routing process.
Discovery 17: Configure and Verify OSPFv3
Introduction
This discovery will guide you through the configuration and verification of OSPFv3 on a Cisco IOS router.
The virtual lab is prepared with the devices that are represented in the topology diagram and the
connectivity table. All devices have their basic configurations in place, including the hostnames and IP
addresses. R2 and R3 are also configured with OSPFv3. In this discovery, you will configure OSPFv3 on
R1 and verify the results.
Topology
Job Aid

• OSPFv3 is configured on R2 and R3:
Device Information
Device Details
R1 Ethernet0/0 2001:0DB8:0:2::1 R2
R1 Ethernet0/1 2001:0DB8:0:1::1 R3
R1 Loopback0 2001:0DB8:0:11::1 —
R2 Ethernet0/0 2001:0DB8:0:2::2 R1
R2 Ethernet0/2 2001:0DB8:0:3::2 R3
R2 Loopback0 2001:0DB8:0:21::1 —
R3 Ethernet0/1 2001:0DB8:0:1::3 R1
R3 Ethernet0/2 2001:0DB8:0:3::3 R2
R3 Loopback0 2001:0DB8:0:31::1 —
Task 1: Configure and Verify OSPFv3
You need to take the following steps to configure OSPFv3 on a router:

1. Because IPv6 routing is not enabled by default, you must first enable it using the ipv6 unicast-routing
command.
2. Next you have to enable the OSPFv3 routing process with the selected process-id parameter.
3. If there are no IPv4 addresses configured on the router, the OSPFv3 routing process requires that you
manually configure the router ID.
4. Optionally, you can configure passive-interfaces.
5. All that remains then is for you to enable OSPFv3 routing on the interface. Of course, the interface must
have an IPv6 address assigned and it has to be administratively enabled.
The table defines the commands that you use to configure OSPFv3.
Configuring OSPFv3 Commands
Command Description
ipv6 unicast-routing Enables the forwarding of IPv6 unicast datagrams and is used in the global
configuration mode. To disable the forwarding of IPv6 unicast datagrams,
use the no form of this command.
ipv6 router ospf process-id Enables OSPF for the IPv6 router configuration mode. The process-id
value is an internal identification. It is locally assigned and can be a positive
integer from 1 to 65,535.
router-id router-id Executed in the OSPF router configuration mode to statically configure a
router ID, which is the name for the router within the OSPFv3 process.
ipv6 ospf process-id area area-id Enables OSPFv3 on an interface and assigns it to the specified area.
passive-interface default Configures all interfaces as passive for OSPFv3 process.
passive-interface interface Configures specified interface as passive for OSPFv3 process.

slot/number
Activity
Access the console of R2 and display the dynamic IPv6 routing protocols that are running on it.
Use the show ipv6 protocols command to display the status of the configured dynamic IPv6
protocols.

IPv6 Routing Protocol is "ospf 10"Router ID 2.2.2.2
Number of areas: 1 normal, 0 stub, 0 nssa
Interfaces (Area 0):Loopback0Ethernet0/2Ethernet0/0
Redistribution:
None
This command verifies the OSPFv3 process ID and the interfaces that are configured, along with
the area ID to which they were assigned.
R2 is running OSPFv3 with the process ID 10. Its router ID is 2.2.2.2, and it has three interfaces
assigned to Area 0—Loopback0, Ethernet0/0, and Ethernet0/2.
Access the console of R3 and display the dynamic IPv6 routing protocols that are running on it.

IPv6 Routing Protocol is "ospf 10"Router ID 3.3.3.3
Number of areas: 1 normal, 0 stub, 0 nssa
Interfaces (Area 0):Loopback0Ethernet0/2Ethernet0/1
Redistribution:
None
R3 is running OSPFv3 with the process ID 10. Its router ID is 3.3.3.3, and it has three interfaces
assigned to Area 0—Loopback0, Ethernet0/1, and Ethernet0/2.
Access the console of R1 and first enable IPv6 routing on it.
R1# conf t
Define the OSPv3 process ID 10 on R1, and assign to it the router ID 1.1.1.1.
R1(config)# ipv6 router ospf 10

R1(config-rtr)# router-id 1.1.1.1
The OSPF process ID doesn't have to match among peers in an OSPFv3 network, but
standardizing on a process ID across a deployment minimizes potential administrative confusion.
Enable OSPFv3 on the R1 Ethernet0/0, Ethernet0/1, and Loopback0 interfaces. All interfaces
should be assigned to Area 0.
R1(config-rtr)# interface Loopback0

R1(config-if)# ipv6 ospf 10 area 0
R1(config-if)# interface Ethernet0/0
R1(config-if)#
*Oct 16 11:25:05.346: %OSPFv3-5-ADJCHG: Process 10, Nbr 2.2.2.2 on Ethernet0/0
R1(config-if)# interface Ethernet0/1
R1(config-if)# end*Oct 16 11:25:15.912: %OSPFv3-5-ADJCHG: Process 10, Nbr
3.3.3.3 on Ethernet0/1 from LOADING to FULL, Loading Done
Note that when you enabled OSPFv3 on Ethernet0/0, the neighbor relationship between R1 and
R2 was initiated. The same goes for enabling OSPFv3 on Ethernet0/1 and the neighbor
relationship between R1 and R3.
Verifying OSPFv3
There are some important commands that you should be familiar with in order to validate your OSPFv3
configurations. These commands are similar to the ones that you used to verify OSPF for IPv4.
• show ipv6 protocols—shows a summary of the configured IPv6 routing protocol information. You can
see which protocols are enabled and which networks these protocols are routing for.
• show ipv6 ospf interface brief—shows the interfaces that are enabled with OSPFv3 and OSPF-related
interface information.
• show ipv6 ospf interface interface slot/number—shows the all OSPFv3 information on an interface.
You can also see if the interface is configured as passive.
• show ipv6 ospf neighbor—shows OSPFv3 neighbors on per-interface basis.
• show ipv6 route—shows IPv6 routers that this router learns.
• show ipv6 ospf—shows general information about the OSPF routing process, such as OSPFv3 process
ID, router ID, timers, areas that are configured, and reference bandwidth.
Display the summary of the interface status about OSPFv3 on R1.
R1# show ipv6 ospf interface brief

Interface PID Area Intf ID Cost State Nbrs F/C
Lo0100 10 1 LOOP 0/0
Et0/1100 4 10 BDR 1/1
Et0/0100 3 10 BDR 1/1
The output verifies that OSPFv3 is running on the three interfaces, as expected. They are also all
associated with the process ID 10 and with Area 0.
Ethernet0/0 and Ethernet0/1 have a neighbor count of 1. R2 and R3 are peers on those interfaces.
Display the IPv6 routing table on R1.
The routes that have been learned via OSPF are tagged with an "O."
R1# show ipv6 route

C 2001:DB8:0:1::/64 [0/0]
L 2001:DB8:0:1::1/128 [0/0]
C 2001:DB8:0:2::/64 [0/0]
L 2001:DB8:0:2::1/128 [0/0]
O 2001:DB8:0:3::/64 [110/20]
via FE80::A8BB:CCFF:FE00:1D10, Ethernet0/1
C 2001:DB8:0:11::/64 [0/0]
via Loopback0, directly connected
L 2001:DB8:0:11::1/128 [0/0]
via Loopback0, receive
O 2001:DB8:0:21::/64 [110/11]
O 2001:DB8:0:31::/64 [110/11]
via FE80::A8BB:CCFF:FE00:1D10, Ethernet0/1
L FF00::/8 [0/0]
via Null0, receive
R1 has learned, via OSPFv3, the routes to the networks that are associated with the loopback
interfaces on R2 and R3 and also the networks that connect R1 to R2, and R1 to R3.
The next-hop IPv6 addresses are link-local addresses and not global unicast addresses. Note that
the IPv6 addresses in your output may be different.
Display the list of OSPFv3 neighbors for R1.
R1# show ipv6 ospf neighbor
OSPFv3 Router with ID (1.1.1.1) (Process ID 10)
Neighbor ID Pri State Dead Time Interface ID Interface

3.3.3.3 1 FULL/DR 00:00:35 4
Ethernet0/12.2.2.2 1 FULL/DR 00:00:30 3
Ethernet0/0
This command verifies that R2 is a neighbor on the interface Ethernet0/0 and that R3 is a
neighbor on the interface Ethernet0/1. Both neighbors are represented using the configured
router ID.
Display the detailed information that is available about the R1 OSPFv3 neighbors.
R1# show ipv6 ospf neighbor detail OSPFv3 Router with ID (1.1.1.1) (Process ID
10)Neighbor 3.3.3.3
In the area 0 via interface Ethernet0/1
Neighbor: interface-id 4, link-local address FE80::A8BB:CCFF:FE00:2F10
Neighbor priority is 1, State is FULL, 6 state changes
DR is 3.3.3.3 BDR is 1.1.1.1
Options is 0x000013 in Hello (V6-Bit, E-Bit, R-bit)
Options is 0x000013 in DBD (V6-Bit, E-Bit, R-bit)
Dead timer due in 00:00:31
Neighbor is up for 00:07:05
Index 1/2/2, retransmission queue length 0, number of retransmission 0
First 0x0(0)/0x0(0)/0x0(0) Next 0x0(0)/0x0(0)/0x0(0)
Last retransmission scan length is 0, maximum is 0
Last retransmission scan time is 0 msec, maximum is 0 msec
Neighbor 2.2.2.2
In the area 0 via interface Ethernet0/0
Neighbor: interface-id 3, link-local address FE80::A8BB:CCFF:FE00:2E00
Neighbor priority is 1, State is FULL, 6 state changes
DR is 2.2.2.2 BDR is 1.1.1.1
Options is 0x000013 in Hello (V6-Bit, E-Bit, R-bit)
Options is 0x000013 in DBD (V6-Bit, E-Bit, R-bit)
Dead timer due in 00:00:39
Neighbor is up for 00:07:05
Index 1/1/1, retransmission queue length 0, number of retransmission 0
First 0x0(0)/0x0(0)/0x0(0) Next 0x0(0)/0x0(0)/0x0(0)
Last retransmission scan length is 0, maximum is 0
Last retransmission scan time is 0 msec, maximum is 0 msec
OSPFv3 neighbors are identified by their IPv6 link-local addresses, not by their IPv6 global
unicast addresses. Again, note that the IPv6 addresses in your output may be different.
Display a robust set of data that is associated with the global status and configuration of OSPFv3
on R1.
Use the show ipv6 ospf command.
R1# show ipv6 ospfRouting Process "ospfv3 10" with ID 1.1.1.1

Event-log enabled, Maximum number of events: 1000, Mode: cyclic
Router is not originating router-LSAs with maximum metric
Initial SPF schedule delay 5000 msecs
Minimum hold time between two consecutive SPFs 10000 msecs
Maximum wait time between two consecutive SPFs 10000 msecs
Minimum LSA interval 5 secs
Minimum LSA arrival 1000 msecs
LSA group pacing timer 240 secs
Interface flood pacing timer 33 msecs
Retransmission pacing timer 66 msecs
Number of external LSA 0. Checksum Sum 0x000000
Graceful restart helper support enabled
Reference bandwidth unit is 100 mbps
RFC1583 compatibility enabled
Area BACKBONE(0)
Number of interfaces in this area is 3
SPF algorithm executed 1 times
Number of LSA 16. Checksum Sum 0x05FF18
Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 0
Flood list length 0
Note that you can also see the reference bandwidth in the output.
Self Check
Which of the following is a characteristic that is unique to OSPFv3 compared to OSPFv2 ? (Choose
two.)
A. LSA flooding distributes link information.
B. Adjacencies are formed with link-local addresses.
C. The IP protocol is 89.
D. OSPF process IDs must be uniform on all routers to allow neighbor discovery.
You are configuring OSPFv3 on a new router and you are presented with the following logging
message. What does this message indicate?
*Apr 3 08:14:59.727: %OSPFv3-4-NORTRID: OSPFv3 process 99 could not pick a router-

id, please configure manually
A. OSPF process 99 is not within the valid range of 1 to 64.

B. No IPv4 addresses are configured on this router.
C. No loopback interfaces are configured on this router.
D. IPv6 routing is not enabled on this router.
What interface speed does OSPFv3 use in the default cost metric calculation?
A. 100 Mbps
B. 1000 Mbps
C. 10 Gbps
D. 100 Gbps
Which command includes the router IDs of all peers and the link-local addresses of the local router and
its peers in its output?
A. show ipv6 ospf
B. show ipv6 route ospf
C. show ipv6 ospf neighbor
D. show ipv6 ospf interface
When implementing OSPFv3 for IPv6, which statement describes the configuration of OSPF areas?
A. In interface configuration mode, the OSPFv3 area ID combination assigns interfaces to OSPFv3
areas.
B. In router configuration mode, the network wildcard area ID combination assigns networks to
OSPFv3 areas.
C. In interface configuration mode, the IPv6 OSPF process area ID combination assigns interfaces to
OSPFv3 areas.
D. In router configuration mode, the IPv6 OSPF interface area ID combination assigns interfaces to
OSPFv3 areas.
Which field is specific to the OSPFv3 packet header, as opposed to the OSPFv2 packet header?
A. instance ID
B. router ID
C. area ID
D. checksum
You are configuring OSPFv3 on a router and you see the following logging message. What needs to be
configured before these commands are entered on the router ?
Router(config)# interface ethernet0/0

Router(config-if)# ipv6 ospf 1 area 2
% OSPFv3: IPv6 routing not enabled
A.
Router(config)# ipv6 router ospf 1
B.
Router(config)# ipv6 unicast-routing
C.Router(config)# interface e0/0

Router(config-if)# ipv6 enable
D.
Router(config)# ipv6 multicast-routing
Answer Key
Self Check
1. B
2. B
3. A
4. D
5. C
6. A
7. B
Multiarea OSPF
Overview
Two different customers have called CCS with complaints involving OSPF routing issues. Trouble tickets
have been issued for both complaints. Bob is reviewing the trouble tickets and trying to decide which ones
to dispatch you on.
Components of Troubleshooting OSPF
Troubleshooting OSPF requires an understanding of the operation of the protocol and also of a specific
approach methodology. The figure shows the major components of OSPF troubleshooting and the order in
which the process flows.
Troubleshooting OSPF Issues
When you are notified that there are connectivity issues in your network, you should first test connectivity
by using the ping and traceroute commands. If there are connectivity issues and your network uses OSPF
as the routing protocol, then follow these high-level steps to troubleshoot it.
1. Verify that your router established an adjacency with a neighboring router by using the show ip ospf
neighbors command. If an adjacency between two routers is not established, the routers cannot
exchange routes. If the adjacency is not established, you should first verify that the interfaces are
operational and enabled for OSPF. If the interfaces are operational and enabled for OSPF, you should
also make sure that the interfaces on both routers are configured for the same OSPF area and the
interfaces are not configured as passive interfaces.
2. If an adjacency between two routers is established, but you see no routes in the routing table when you
use the show ip route command, you should first verify if there is another routing protocol with a lower
administrative distance running in the network. In this case, OSPF routes would not be considered and
will not be placed into the routing table. If no other routing protocols are configured, verify that all the
required networks are advertised into OSPF. In the case of multiarea OSPF, you should also verify
whether all regular nonbackbone areas are connected directly to area 0 or to the backbone area. If a
regular area is not connected to the backbone area, routers in this area will not be able to send and
receive updates to and from other areas.
3. If you see all the required routes in the routing table but the path that the traffic takes is not correct, you
should verify the OSPF cost on the interfaces on the path. You should also be careful in cases where
you have interfaces that are faster than 100 Mbps, because all interfaces above this bandwidth will have
the same OSPF cost, by default.
Troubleshooting OSPF Neighbor Issues
The first component to troubleshoot and verify is the OSPF neighbor adjacency. The troubleshooting and
verification components for neighbor adjacencies are as follows:
1. Verify that links on routers are Layer 2 operational.
2. Verify Layer 3 connectivity between routers.
3. Verify that the interfaces on both routers are enabled for OSPF.
4. Verify that the OSPF area and other required parameters matches on both ends.
5. Verify that the interfaces on both routers are not configured as passive.
In the example, you will investigate a neighbor issue between the Branch and HQ router.
A prerequisite for the neighbor relationship to form between the Branch and HQ routers is the OSI Layer 3
connectivity. By investigating the show ip interface brief output, you can verify that the status and protocol
are both "up" for the Serial0/0/0 interface that is connected to the Branch router. This instance confirms that
the link is operational on Layer 2.
A ping from the Branch to the HQ router will confirm IP connectivity between the devices. If the ping is
not successful, check the cabling and verify that the interfaces on connected devices are operational and that
they are on a common subnet with the same subnet mask.
In the example, the Serial0/0/0 interface is enabled on both routers and there is connectivity between the
Branch and HQ routers.
The OSPF router ID for Branch is 2.2.2.2 and the OSPF router ID for HQ is 1.1.1.1.
If interfaces are operational, and there is IP connectivity between the devices, you have to verify that the
interfaces on both routers are enabled for OSPF. If the interfaces on both router are not enabled for OSPF,
the adjacency will not form. The network command that you configure under the OSPF routing process
indicates which router interfaces will participate in OSPF. You can use the show ip ospf interface
command to verify which interfaces are enabled for OSPF. The output will also show you which interface is
functional and the OSPF-related parameters. If connected interfaces on two routers are not enabled for
OSPF, the neighbors will not form an adjacency.
You can also use the show ip protocols command to verify which interfaces are configured for OSPF. The
output will show you IP addresses or networks that are enabled using the network command. If an IP
address on an interface falls within a network that has been enabled for OSPF, the interface will be enabled
for OSPF. The output of this command will also show you if OSPF is enabled on an interface, using the ip
ospf area command. The following is an example of the show ip protocols command:
HQ# show ip protocols

Router ID 1.1.1.1
Maximum path: 4
172.16.1.0 0.0.0.255 area 0
192.168.1.0 0.0.0.255 area 0
Routing on Interfaces Configured Explicitly (Area 0):
Loopback0
In the example, OSPF is enabled on the Serial0/0/0 interfaces on both routers.
When you specify networks that will be advertised using OSPF, you have to provide the OSPF area number.
The OSPF area numbers on two directly connected interfaces have to be the same, or the adjacency will not
form. You can verify the area that an interface has been enabled for by using the show ip protocols
command.
In the example, OSPF is enabled for the same area on both routers.
With OSPF running on a network, the passive-interface command stops both outgoing and incoming
routing updates because the effect of the command causes the router to stop sending and receiving hello
packets over an interface. For this reason, the routers will not become neighbors.
To verify if any interface on a router is configured as passive, use the show ip protocols command in the
privileged mode.
An example in which you want to configure the interface as passive is handing off a link to a third-party
organization that you have no control over (for example, an ISP). In this case, you would need to advertise
this particular link through your own network but not allow the third party to receive hellos or send hellos to
your device. This would be a security risk.
To configure an interface as a passive interface in OSPF, you will use the passive-interfaceinterface
command in the OSPF router configuration mode. To disable the interface as passive, use the no passive-
interfaceinterface command.
When you disable the passive interface, the routers should become adjacent, as indicated by the show ip
ospf neighbor command output. Recall that two routers should be in the FULL state in order to exchange
LSAs.
HQ# show ip ospf neighbor

2.2.2.2 0 FULL/ - 00:00:31 192.168.1.1 Serial0/0/0
Routers will establish the FULL state only with the DR and BDR, while the established state will be two-
way with other routers.
Troubleshooting OSPF Routing Table Issues
After you have verified that the adjacencies are correct, the next step is to verify the routing tables. The
troubleshooting and verification components are as follows:
• If there is no route to a destination network in the routing table, verify that the OSPF neighbor is
advertising the correct networks.
• If there is no OSPF route to a destination network in the routing table, verify if there is a routing
protocol with a lower administrative distance configured in the network.
In the example, you will investigate why the Branch router cannot reach the networks that the HQ router is
advertising.
The Branch and HQ routers have their neighbor adjacency set up, but a ping test from the Branch router to a
host in the 172.16.1.0/24 network is not successful. Checking the routing table of the Branch router leads
you to the conclusion that there is a route missing to the destination network of 172.16.1.0/24.
You can use the show ip protocols command on the HQ router to verify if the 172.16.1.0/24 network is
being advertised to the OSPF neighbors.
In the example, the HQ router is not configured to advertise the 172.16.1.0/24 network to the neighbor. To
solve this issue, you have to start advertising this network on the HQ router.
Now, consider another scenario where several routing protocols are configured on a router. If several
routing protocols are configured on routers, the administrative distance will decide which protocol the router
will use.
When you have more than one routing protocol configured in a network, you may receive routing
information about a network through an undesired routing protocol. Recall that the routing protocol
administrative distance influences which routes will be installed in the routing table. Although it does not
affect connectivity, you may want to receive all routing information through the same routing protocol for
the sake of easier troubleshooting and management. To verify which routing protocols are configured and
their administrative distances, use the show ip protocols command:
Branch# show ip protocols Routing Protocol is "ospf 1"
Router ID 2.2.2.2
It is an area border router
Maximum path: 4
10.1.1.0 0.0.0.255 area 1
192.168.1.0 0.0.0.255 area 0
1.1.1.1 80 00:02:37
Distance: (default is 110)Routing Protocol is "eigrp 1"
EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
EIGRP maximum hopcount 100
EIGRP maximum metric variance 1
Redistributing: eigrp 1
EIGRP NSF-aware route hold timer is 240s
Automatic network summarization is not in effect
Maximum path: 4
10.0.0.0
192.168.1.0
(this router) 90 00:12:09
192.168.1.2 90 00:02:39
In the example, the device received the route for 172.16.1.0/24 through EIGRP and OSPF. However,
because EIGRP with the administrative distance of 90 is more trustworthy than OSPF with the
administrative distance of 110, the device will install the EIGRP route in the routing table.
Troubleshooting OSPF Path Selection
Incorrect path selection doesn't usually lead to a loss of connectivity. However, certain links in a network
should not be used, if possible. This case applies, for example, to backup WAN links, which can be charged
by the amount of transferred data and can be expensive.
When you have redundant paths that are available in a network, you have to make sure that traffic takes the
desired path through the network. For example, you could have two locations that are connected via the
primary, high-speed link and via the dial-up, low-speed link for backup purposes. In this case, you have to
make sure that the devices use the backup link only when the primary link fails.
Troubleshooting and verification components of OSPF path selection are as follows:
• If there are two OSPF paths to the destination network, verify the OSPF cost on both interfaces.
In the example, you will investigate the Branch router having two paths to the destination network on the
HQ site.
In the example, network 172.16.0.0/24 is reachable from the Branch router via the GigabitEthernet0/1
interface and the Serial0/0/0 interface. Because both interfaces have the same OSPF cost, load balancing
across both links will be used. The reason for the same OSPF cost on both interfaces could be that someone
manually changed the cost on the interfaces, or that there is incorrect reference bandwidth when managing
interfaces that are faster than 100 Mbps. Recall that the OSPF cost is calculated as the interface bandwidth
divided by the reference bandwidth, which is 100 Mbps by default. For example, with two interfaces—a
1000-Mbps and a 100-Mbps interface, both will have the same OSPF cost with a value of 1. In this case,
you either need to increase the reference bandwidth to 1000 Mbps or manually change the OSPF cost on an
interface to reflect the actual bandwidth of the interface.
Use the show ip ospf interface command to verify the OSPF cost on an interface:
Branch# show ip ospf interface GigabitEthernet0/1 is up, line protocol is up
Internet Address 209.165.201.2/27, Area 0
Process ID 1, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 1
Serial0/0/0 is up, line protocol is up
Internet Address 192.168.1.2/24, Area 0
Process ID 1, Router ID 1.1.1.1, Network Type POINT_TO_POINT, Cost: 1
When you increase the OSPF cost on the Serial0/0/0 interfaces on both routers, only the preferred route will
be installed in the routing table:
Branch(config)# interface Serial0/0/0
Branch(config-if)# ip ospf cost 10
Branch# show ip route ospf

172.16.0.0/24 is subnetted, 1 subnets
O 172.16.1.0 [110/2] via 209.165.201.2, 00:14:31, GigabitEthernet0/1
The reference bandwidth can be changed from the default of 100 Mbps. You can verify what the reference
bandwidth is by using the show ip ospf command:
Branch# show ip ospf
Cisco NSF helper support enabled
Area BACKBONE(0)
Number of interfaces in this area is 4
Area has no authentication
A changed reference bandwidth means a changed cost on the link. Make sure that all the routers within the
OSPF AS have the same reference bandwidth. Change it by using the auto-cost reference-
bandwidthbandwidth_in_Mbits_per_second command from the router OSPF configuration mode.
Troubleshooting OSPFv3 Issues
The OSPFv3 runs on IPv6 and it uses IPv6 link-local addresses as the source of hello packets and next-hop
calculations. Configuring OSPFv3 is very similar to configuring OSPF for IPv4. The main difference is that
OSPFv3 is enabled on the interface for IPv6 with the ipv6 ospfprocess-idareaarea-id command. Therefore,
troubleshooting OSPFv3 is very similar to troubleshooting OSPF for IPv4.
To check the IPv6 routing protocols on the router, use the show ipv6 protocols command. The output will
show the IPv6 routing protocols that are enabled on the router. The OSPF section shows the router ID,
OSPF interfaces, and so on.
To display the neighbors that OSPFv3 discovers, use the show ipv6 ospf neighbors command. If you want
to display the interfaces that are enabled for OSPFv3 and their costs, issue the show ipv6 ospf interfaces
command.
The show ipv6 route ospf command will show you the content of the IPv6 routing table, which includes the
routes that are specific to OSPF.
Remember that for OSPFv3 to work, IPv6 routing must be enabled.
Remember that if no IPv4 is configured configured on the router, you need to manually configure the router
ID for the OSPFv3 routing process.
Discovery 18: Troubleshoot Multiarea OSPF
Introduction
This discovery will guide you through the troubleshooting of various OSPF configuration issues. The virtual
lab is prepared with the devices that are represented in the topology diagram and the connectivity table. All
devices have their basic configurations in place, including their hostnames and IP addresses. OSPF has been
configured on all seven routers, but there are problems with the router configurations. Each router has a
loopback interface with the IP address 192.168.R.1/24 (where R indicates the router number). The routing
table on R1 is missing routes to the loopback interface networks for each of its peers. In this discovery, you
will troubleshoot and fix the problem that is associated with the routing of each of these networks.
You will start with the R2 loopback network, and then proceed one at a time, finishing with R7, which is
also configured for OSPFv3. In each case, you will first determine the root cause and then you will fix the
issue and verify that the route is properly defined in the routing table of R1.
Topology
Job Aid

• All devices have their basic configurations in place including hostnames, and IP addresses. R1 and R7
also have IPv6 addresses configured.
• OSPF AS 100 has been configured on all seven routers, but there are problems with the router
configurations.
– The routing table on R1 is missing routes to the loopback interface networks for each of its peers.
• R1 and R7 are also configured for OSPv3 routing, using AS 100.
Device Information
Device Details
R1 Loopback0 — 192.168.1.1/24
R1 Ethernet1/0 R2 10.1.1.1/30
R1 Loopback0 — 2001:DB8:0:1::1/64
R1 Ethernet2/2 R7 2001:DB8:0:2::1/64
R1 Ethernet1/1 R3 10.1.1.5/30
R1 Ethernet1/2 R4 10.1.1.9/30
R1 Ethernet2/0 R5 10.1.1.13/30
R1 Ethernet2/1 R6 10.1.1.17/30
R1 Ethernet2/2 R7 10.1.1.21/30
R2 Ethernet2/0 R1 10.1.1.2/30
R2 Loopback0 — 192.168.2.1/24
R3 Ethernet2/0 R1 10.1.1.6/30
R3 Loopback0 — 192.168.3.1/24
R4 Ethernet2/0 R1 10.1.1.10/30
R4 Loopback0 — 192.168.4.1/24
R5 Ethernet1/0 R1 10.1.1.14/30
R5 Loopback0 — 192.168.5.1/24
R6 Ethernet1/0 R1 10.1.1.18/30
R6 Loopback0 — 192.168.6.1/24
R7 Ethernet1/0 R1 10.1.1.22/30
R7 Loopback0 — 192.168.7.1/24
R7 Ethernet1/0 R1 2001:DB8:0:2::7/64
R7 Loopback0 — 2001:DB8:0:7::1/64
Task 1: Troubleshoot Multiarea OSPF

Activity
with the Loopback0 interface of R2. Try to determine the root cause of this issue.
There is no single best process to troubleshoot the problem. Use the show running-config
command only after you have a good idea of where the problem is.
Note: There is no single best procedure for troubleshooting any network issue. The goal is to
isolate the root cause. One strategy is to work from the application layer down. If there are
aspects of the application that are working, it implies that there must be an IP connectivity and
link layer connectivity below the application. If the application does not function, check the IP
connectivity next. If the IP connectivity appears to be working, look at the link layer
connectivity.
• show ip ospf neighbor—R2 (0.0.0.2) is in the OSPF neighbor table. Given that the OSPF
neighbor relationship is established, you can assume that both Layer 2 and Layer 3
connectivity is functioning properly below OSPF.
Given the results on R1, you might skip troubleshooting Layer 2 (with the show cdp neighbor
and show ip interface brief commands, and so on) and Layer 3 connectivity (with the ping and
show ip interface brief commands, and so on) by going straight to looking more closely at the
OSPF configuration.
• show ip protocols—Everything looks like it is appropriately configured.

Lo0 100 0 192.168.2.1/24 1 DOWN 0/0
Et2/0 100 0 10.1.1.2/30 10 BDR 1/1

Protocol
Loopback0 192.168.2.1 YES manual administratively down
down
There was no Layer 3 issue between R1 and R2, but a Layer 2 issue is associated with the
Loopback0 interface.
• The show running-configuration interface Loopback0 command will show you the root
cause.


!
interface Loopback0
ip address 192.168.2.1 255.255.255.0
ip ospf network point-to-point
shutdown
end
R2# conf t
R2(config-if)#
*Oct 26 13:54:34.236: %LINK-3-UPDOWN: Interface Loopback0, changed state to up
Loopback0, changed state to up
The network is present in the routing table of R1 after you enable the loopback interface.

Known via "ospf 100", distance 110, metric 11, type intra area
• show ip ospf neighbor—R3 is not an OSPF neighbor of R1.
• show ip ospf interface brief—Ethernet1/1 is running OSPF in area 0.
• show cdp neighbor—R3 is a neighbor on Ethernet1/1 (there is Layer 2 connectivity).
• ping 10.1.1.6—There is Layer 3 connectivity between R1 and R3.
From this information, it is apparent that there are no problems with the link layer or the IP layer,
but that something is not working with OSPF.
When your investigation moves to R3, the syslog messages that are waiting for you make the
root cause quite apparent.
*Oct 26 14:06:20.811: %OSPF-4-ERRRCV: Received invalid packet: mismatched area

ID, from backbone area must be virtual-link but not found from 10.1.1.5,
Ethernet2/0
All R1 interfaces are configured for area 0. All the directly neighboring interfaces on the peer
routers must also be configured for area 0.

Router ID 0.0.0.3
Maximum path: 4
10.0.0.0 0.255.255.255 area 1
192.168.3.0 0.0.0.255 area 1
R3# show running-config | section router ospf

router ospf 100
router-id 0.0.0.3
network 10.0.0.0 0.255.255.255 area 1
network 192.168.3.0 0.0.0.255 area 1
If you want the route to 192.168.3.0/24 to be distributed through the entire virtual lab topology,
you can either move both network statements to area 0 (making R3 a backbone router), or you
can move the network 10.0.0.0 to area 0 (making R3 an area border router). The following
output shows the second option:
R3# conf t
R3(config-router)#
*Oct 26 14:09:48.274: %OSPF-6-AREACHG: 10.0.0.0/8 changed from area 1 to area 0
R3(config-router)#
The neighbor relationship is initiated between R3 and R1 when the OSPF area is configured to
match.
Known via "ospf 100", distance 110, metric 11, type inter area

O 192.168.2.0/24 [110/11] via 10.1.1.2, 00:17:22, Ethernet1/0

O IA 192.168.3.0/24 [110/11] via 10.1.1.6, 00:02:01, Ethernet1/1
O 192.168.7.0/24 [110/11] via 10.1.1.22, 00:33:47, Ethernet2/2
Because 192.168.3.0/24 was left in area 1 on R3, the route in the routing table of R1 is an OSPF
interarea route.
The network 192.168.4.0/24 does not exist in the R1 routing table. This network is associated
You might use the following commands on R1 and observe the results:
• show ip ospf neighbor—R4 is not an OSPF neighbor.
• show cdp neighbor—R4 is a Cisco Discovery Protocol neighbor on Ethernet1/2 (there is
Layer 2 connectivity).
From these results, you might conclude that there are no issues at the IP layer or the data link
layer and that R1 is properly configured for OSPF. You might then investigate the OSPF
configuration on R4.


Router ID 0.0.0.4
Maximum path: 4
10.1.1.0 0.0.0.3 area 0
192.168.4.0 0.0.0.255 area 0
It may not be immediately obvious, but there is a problem with the networks that are included
under OSPF.

Lo0 100 0 192.168.4.1/24 1 P2P 0/0
Note: The IP address of Ethernet2/0 is not included in the 10.1.1.0/30 subnet.
R4# conf t
R4(config-router)# no network 10.1.1.0 0.0.0.3 area 0
R4(config-router)#
When the network statements are updated to include 10.1.1.10, the neighbor relationship with R1
is established.

• show ip ospf neighbor—R5 is not an OSPF neighbor.
layer and that R1 is properly configured for OSPF. You might then move to investigate the
OSPF configuration on R5.
You might use the following command on R5 and observe these results:
• show ip ospf interface (potentially with the brief argument added)—Both Ethernet1/0 and
Loopback0 are participating in OSPF.

Router ID 0.0.0.5
Maximum path: 4
10.0.0.0 0.255.255.255 area 0
192.168.5.0 0.0.0.255 area 0
Passive Interface(s):Ethernet1/0
The root cause of the issue is that Ethernet1/0 is configured as a passive interface, preventing the
OSPF neighbor relationships from forming on that interface.

router ospf 100
router-id 0.0.0.5
passive-interface Ethernet1/0
network 10.0.0.0 0.255.255.255 area 0
network 192.168.5.0 0.0.0.255 area 0
R5# conf t
R5(config-router)# no passive-interface Ethernet1/0
R5(config-router)#
Immediately after you remove the passive interface restriction, the neighbor relationship is
established between R5 and R1.

• show ip ospf neighbor—R6 is an OSPF neighbor.
From this result, you can see that there is some OSPF functionality, which implies that Layer 3
and Layer 2 are working to support the OSPF communication. You might discount further
investigation on R1 and focus on R6.


Router ID 0.0.0.6
Maximum path: 4
10.0.0.0 0.255.255.255 area 0
0.0.0.1 110 03:25:41
0.0.0.2 110 03:08:11
0.0.0.3 110 02:52:40
0.0.0.4 110 02:17:48
0.0.0.5 110 02:05:55
0.0.0.7 110 03:24:26
OSPF is not routing for the network 192.168.6.0/24. So, it is not willing to advertise this network
to the OSPF area.

Et1/0 100 0 10.1.1.18/30 10 BDR 1/1

router ospf 100
router-id 0.0.0.6
network 10.0.0.0 0.255.255.255 area 0
R6# conf t
Because the neighbor relationship is already in place, there were no syslog messages to indicate
an OSPF state change. Before examining the R1 routing table, you may want to verify that the
OSPF interface list on R6 now includes Loopback0.

Lo0 100 0 192.168.6.1/24 1 P2P 0/0
Et1/0 100 0 10.1.1.18/30 10 BDR 1/1
The OSPFv3 neighbor relationship is not established between R1 and R7. Try to determine the
root cause of this issue.
• show ipv6 ospf neighbor—R7 is not an OSPFv3 neighbor.
• show ipv6 ospf interface brief—Ethernet2/2 is running OSPFv3 100 in area 0.
• ping 2001:db8:0:2::7—There is Layer 3 connectivity between R1 and R7.
layer and that R1 is properly configured for OSPFv3. You might then move to investigate the
OSPFv3 configuration on R7.
You might use the following command on R7 and observe these results:
• show ipv6 ospf interface (potentially with the brief argument added)—No interfaces are
participating in OSPFv3.

R7#
The root cause of the issue is that R7 is missing OSPFv3 configuration.
R7# show running-config | include ipv6 unicast-routing

R7#
IPv6 routing is not enabled on R7. Someone could have configured IPv6 routing and OSPFv3,
but when the IPv6 routing was disabled, all OSPFv3 configuration was removed.
With the root cause determined, fix the problem and verify that OSPFv3 neighbor relationship
now exists between R1 and R7 routers.
R7# conf t
R7(config)# ipv6 router ospf 100
R7(config-rtr)# router-id 0.0.0.7
R7(config-if)# end*Oct 27 08:20:10.544: %OSPFv3-5-ADJCHG: Process 100, Nbr
0.0.0.1 on Ethernet1/0 from LOADING to FULL, Loading Done
The neighbor adjacency is initiated when you enable IPv6 routing on R7 and configure OSPFv3
on the interface facing R1 (Ethernet1/0).
R1# show ipv6 ospf neighbor
OSPFv3 Router with ID (0.0.0.1) (Process ID 100)
Neighbor ID Pri State Dead Time Interface ID Interface

0.0.0.7 1 FULL/BDR 00:00:37 7 Ethernet2/2
The network 2001:DB8:0:7::/64 still does not exist in the IPv6 routing table of R1. This network
is associated with the Loopback0 interface of R7. Try to determine the root cause of this issue.
• show ipv6 ospf interface brief—Only Ethernet1/0 is included (Loopback0 is missing).
R7# show ipv6 ospf interface brief

Interface PID Area Intf ID Cost State Nbrs F/C
Et1/0 100 0 7 10 BDR 1/1
This part is the root cause of the issue. However, it is also expected because you configured only
Ethernet1/0 on R7 for OSPFv3. You can also verify this part in the running configuration.


!
interface Loopback0
ip address 192.168.7.1 255.255.255.0
ip ospf network point-to-point
ipv6 address 2001:DB8:0:7::1/64
end


!
ip address 10.1.1.22 255.255.255.252
ipv6 address 2001:DB8:0:2::7/64
ipv6 ospf 100 area 0
end
With the root cause determined, fix the problem and verify that the route to 2001:DB8:0:7::/64
now exists in the IPv6 routing table of R1.
R7# conf t
The route to 2001:DB8:0:7::/64 now exists in the IPv6 routing table of R1.
R1# show ipv6 route ospf
O 2001:DB8:0:7::1/128 [110/10]
via FE80::A8BB:CCFF:FE00:4701, Ethernet2/2
Note: The link-local IPv6 address in your output may be different.
Self Check
Two OSPF neighbors are stuck in EXCHANGE/EXSTART state. What could be possible reason for it ?
A. Access-list blocking OSPF hellos on the interface.
B. MTU issue
C. OSPF interface is made passive on one router.
D. Multicast is broken on the link connecting two routers.
Which of the following in not a parameter that must be matched for routers to become OSPF neighbors
?
A. Hello and Dead interval
B. Area ID
C. Stub Area flag
D. OSPF cost
E. Subnet ID and Subnet mask
Which OSPF neighbor state indicates that two neighbors have exchanged routes?
A. INIT
B. EXCHANGE
C. LOADING
D. FULL
You need to check if there is mismatch in hello and dead intervals on two connected routers. Which
command will you use ?
A. show ipv6 ospf neighbor
B. show ipv6 protocols
C. show ipv6 interface brief
D. show ipv6 ospf interface
Below is the show ip ospf neighbor output from R1.

170.170.3.4 1 2WAY/DROTHER 00:00:34 170.170.3.4 Ethernet0
170.170.3.3 1 2WAY/DROTHER 00:00:34 170.170.3.3 Ethernet0
170.170.3.8 1 FULL/DR 00:00:32 170.170.3.8 Ethernet0
170.170.3.2 1 FULL/BDR 00:00:39 170.170.3.2 Ethernet0
Notice that R1 establishes full adjacency only with the Designated Router (DR) and the Backup
Designated Router (BDR). All other routers have a two-way adjacency established. These routers are in
broadcast network. Is this normal expected OSPF behavior ?
A. Yes
B. No
Which command is used to verify the OSPF cost on an interface?

A. show ip protocols
B. show ip route
C. show ip ospf
D. show ip ospf interface
Susan is troubleshooting an OSPF neighbor issue between two routers. OSPF has been enabled on the
interfaces and the configuration looks good. She enters the following command on one of the routers.
Router# ping 224.0.0.5

.
Router#
From the output, what could be the reason for OSPF not forming neighbor.
A. The unicast is broken on the link.
B. Multicast is broken.
C. OSPF hello and dead timers do not match
Answer Key
Self Check
1. B
2. D
3. D
4. D
5. A
6. D
7. B
Module 6: Wide-Area
Networks
Introduction
WANs are most often fee-for-service networks, providing the means for users to access resources across a
wide geographical area. Some services are considered Layer 2 connections between your remote locations,
typically provided by a telco over its WAN switches. Some of these technologies include a serial point-to-
point (leased line) connection and Frame Relay connections.
Other connections leverage the Internet infrastructure, a Layer 3 alternative, to interconnect the remote
locations of an organization. To provide security across the public Internet, you can implement a VPN
solution.
WAN Technologies
Overview
In order to continue to advance in your career, you have asked Bob if you can get more involved in WAN
deployments. Although Bob is glad that you want to expand your skills and knowledge, he wants to assess
your level of preparedness before taking you with him on WAN deployment jobs. To gauge your level of
preparedness for WAN deployments, CCS provides a test. Bob tells you that the test will require you to
demonstrate your knowledge of WAN devices, WAN cabling, WAN protocols, and WAN technologies.
Introduction to WAN Technologies
A WAN is a data communications network that operates beyond the geographic scope of a LAN. WANs use
facilities that a service provider or carrier, such as a telephone or cable company, provide. They connect the
locations of an organization to each other, to locations of other organizations, to external services, and to
remote users. WANs carry various traffic types such as voice, data, and video.
The following are three major characteristics of WANs:

• WANs generally connect devices that are separated by a broader geographic area than a LAN can serve.
• WANs use the services of carriers such as telcos, cable companies, satellite systems, and network
providers.
• WANs use connections of various types to provide access to bandwidth over large geographic areas.
There are several reasons why WANs are necessary in a communications environment.
LAN technologies provide speed and cost efficiency for the transmission of data in organizations in
relatively small geographic areas. You need WANs in a communications environment because some
business needs require communication among remote sites for many reasons, including the following:
• People in the regional or branch offices of an organization need to be able to communicate and share
data.
• Organizations often want to share information with other organizations across large distances.
• Employees who travel on company business frequently need to access information that resides on their
corporate networks.
Because it is not feasible to connect computers across a country or around the world in the same way that
computers are connected in a LAN environment with cables, different technologies have evolved to support
this need. Increasingly, the Internet is being used as an inexpensive alternative to an enterprise WAN for
some applications.
WAN Topology Options
A physical topology describes the physical arrangement of network devices that allow for data to move
from a source to a destination network. There are three basic topologies for a WAN design.
Star or hub-and-spoketopology: This topology features a single hub (central router) that provides access
from remote networks to a core router. All communication among the networks goes through the core
router. The advantages of a star approach are simplified management and minimized tariff costs. However,
the disadvantages are significant:
• The central router (hub) represents a single point of failure.
• The central router limits the overall performance for access to centralized resources. The central router
is a single pipe that manages all traffic that is intended either for the centralized resources or for the
other regional routers.
Fully meshed topology: In this topology, each routing node on the periphery of a given packet-switching
network has a direct path to every other node on the cloud. The key rationale for creating a fully meshed
environment is to provide a high level of redundancy. A fully meshed topology is not viable in large packet-
switched networks. The following are the key issues of a fully meshed topology:
• Many virtual circuits are required (one for every connection between routers).
• Configuration is complex for routers without multicast support in nonbroadcast environments.
Partially meshed topology: This topology reduces the number of routers within a region that have direct
connections to all other nodes in the region. All nodes are not connected to all other nodes. There are many
forms of partially meshed topologies. In general, partially meshed approaches provide the best balance for
regional topologies, which are based on the number of virtual circuits, redundancy, and performance.
Large networks usually deploy a layered combination of these technologies—for example, a partial mesh in
the network core, redundant hub-and-spoke for larger branches, and simple hub-and-spoke for noncritical
remote locations.
Network downtime can be very expensive in terms of decreased productivity and potential loss of revenue.
To increase network availability, many organizations deploy a dual-carrier WAN design to increase
redundancy and path diversity.
Single-carrier WANs are simpler and easier to support and manage. However, network outages can be
catastrophic. You should perform an analysis of the downtime cost. You should make sure that there are
adequate penalties in the contract with the service provider to cover the cost of downtime.
Dual-carrier WANs provide better path diversity with better fault isolation between providers. The cost of
downtime to your organization usually exceeds the additional cost of the second provider and the
complexity of managing redundancy.
WAN Connectivity Options
You have many options for implementing WAN solutions currently available. They differ in technology,
speed, and cost. WAN connections can be either over a private infrastructure or over a public infrastructure
such as the Internet.
Private WAN connections include dedicated and switched communication link options:
• Dedicated communication links: When permanent dedicated connections are required, point-to-point
lines are used with various capacities that are limited only by the underlying physical facilities and the
willingness of users to pay for these dedicated lines. A point-to-point link provides a pre-established
WAN communications path from the customer premises through the provider network to a remote
destination. You usually lease point-to-point lines from a carrier, so they are also called leased lines.
Leased lines were more popular in the past. Now companies rather use provider-managed VPN or
enterprise-managed VPN over Internet. Companies prefer enterprise- or provider-managed VPNs
because leased lines are by far the most expensive solution.
• Switched communication links: Switched communication links can be either circuit-switched or
packet-switched.
– Circuit-switched communication links: Circuit switching dynamically establishes a dedicated
virtual connection for voice or data between a sender and a receiver. Before communication can
start, the connection through the network of the service provider must be established. Examples of
circuit-switched communication links are analog dialup (PSTN) and ISDN.
– Packet-switched communication links: Many WAN users do not make efficient use of the fixed
bandwidth that is available with dedicated, switched, or permanent circuits because the data flow
fluctuates. Communications providers have data networks that are available to more appropriately
service these users. In packet-switched networks, the data is transmitted in labeled frames, cells, or
packets. Packet-switched communication links include Frame Relay, ATM, and X.25.
Public connections use the global Internet infrastructure. Now companies use provider-managed VPNs or
enterprise-managed VPNs over Internet. Until recently, the Internet was not a viable networking option for
many organizations because of the significant security risks and lack of adequate performance guarantees in
an end-to-end Internet connection. With the development of the VPN technology, however, the Internet is
now an inexpensive and secure option for connecting to teleworkers and remote offices where performance
guarantees are not critical. Internet WAN connection links go through broadband services such as DSL,
cable modem, and broadband wireless, and they are combined with VPN technologies (for example,
DMVPN, GET VPN) to provide privacy across the Internet. Broadband connection options are typically
used to connect telecommuting employees to a corporate site over the Internet.
Service providers build networks using different underlying technologies, the most popular being MPLS.
Examples of provider-managed VPNs are Layer 3 MPLS VPN and Layer 2 MPLS VPNs (VPWS and
VPLS). MPLS is an IETF standard that defines a packet label-based switching technique, which was
originally devised to perform fast switching in the core of IP networks. This technique helped carriers and
large enterprises scale their networks as increasingly large routing tables become more complex to manage.
The industry began using MPLS over a decade ago as a way to allow enterprises to create end-to-end
circuits across any type of transport medium using any available WAN technology.
ISPs use several different WAN technologies to connect their subscribers. The connection type that is used
on the local loop, or last mile, may not be the same as the WAN connection type that the ISP employs
within the ISP network or between various ISPs.
Each of these technologies provides advantages and disadvantages for the customer. Not all technologies are
available at all locations. When a service provider receives data, it must forward this data to other remote
sites for final delivery to the recipient. These remote sites connect either to the ISP network or pass from
ISP to ISP and to the recipient. Long-range communications are usually those connections between ISPs or
among branch offices in very large companies.
Provider-Managed VPNs
Provider-managed VPNs can either offer Layer 2 or Layer 3 connectivity. MPLS is a technology that was
designed to support efficient forwarding of packets across the network core that is based on a simplified
header.
Layer 2 MPLS VPN is useful for customers who run their own Layer 3 infrastructure and require Layer 2
connectivity from the service provider. In this case, the customer manages its own routing information. One
advantage that Layer 2 VPN has over its Layer 3 counterpart is that some applications do not work if nodes
are not in the same Layer 2 network.
Some typical examples of Layer 2 VPN are VPLS and VPWS. If you look from the customer's perspective,
with Layer 2 MPLS VPN, you can imagine a whole service provider network as one big virtual switch.
Layer 3 MPLS VPN provides Layer 3 service across the backbone. A separate IP subnet is used on each
customer site. When you deploy a routing protocol over this VPN, the service provider needs to participate
in the exchange of routes. Neighbor adjacency is established between your CE router and PE router (which
the service provider owns). Within the service provider network, there are many P routers (service provider
core routers). The job of P routers is to provide connectivity between PE routers. What this situation means
is that the service provider becomes the backbone of your (customer) network.
Layer 3 VPN is appropriate for customers who prefer to outsource their routing to a service provider. The
service provider maintains and manages routing for the customer sites. If you look from the customer's
perspective, with Layer 3 MPLS VPN, you can imagine whole service provider network as one big virtual
router.
Enterprise-Managed VPNs
Organizations need secure, reliable, and cost-effective ways to connect corporate headquarters, branch
offices, and teleworkers working in home offices and other remote locations. A VPN is usually a bridge
between two private networks. You build that bridge over a public network, typically the Internet. VPN
enables headquarters and branch office devices to send and receive data as if they were directly connected.
A VPN is a virtual private network that is constructed within a public network infrastructure, such as the
global Internet. VPNs provide an inexpensive alternative to private WAN connections. They are particularly
helpful in organizations whose workforce is highly mobile and frequently needs to connect remotely to the
corporate network and access sensitive data.
As shown in the figure, there are two types of VPN networks:
• Site-to-site VPN: A site-to-site VPN is an extension of a classic WAN network. End hosts send and
receive traffic through a VPN device, which could be a router or Cisco Adaptive Security Appliance
(Cisco ASA). This device is responsible for encapsulating and encrypting outbound traffic for all traffic
from a particular site and sending it through a VPN tunnel over the Internet to a peer VPN device on the
target site. Upon receipt, the peer VPN gateway strips the headers, decrypts the content if it was
encrypted, and relays the packet toward the target host that is inside its private network. There are many
site-to-site VPN options available.
• Remote-access VPN: Remote-access VPNs can support the needs of telecommuters, mobile users, and
extranet, consumer-to-business traffic. In a remote-access VPN, each host typically has Cisco
AnyConnect VPN Client software that is installed. Whenever the host tries to send any traffic, the Cisco
AnyConnect VPN Client software encapsulates the traffic before sending it over the Internet to the VPN
gateway at the edge of the target network. The VPN client may also encrypt the traffic before sending it
over the Internet to the VPN gateway. Upon receipt, the VPN gateway behaves as it does for site-to-site
VPNs.
VPNs provide the following benefits:
• Cost savings: VPNs enable organizations to use cost-effective, third-party Internet transport to connect
remote offices and remote users to the main corporate site. The use of VPNs therefore eliminates
expensive, dedicated WAN links. Furthermore, with the advent of cost-effective, high-bandwidth
technologies such as DSL, organizations can use VPNs to reduce their connectivity costs while
simultaneously increasing remote connection bandwidth.
• Scalability: VPNs enable corporations to use the Internet infrastructure, which makes new users easy to
add. Therefore, corporations can add large amounts of capacity without adding significant
infrastructure. For example, a corporation with an existing VPN between a branch office and the
headquarters can securely connect new offices by simply making a few changes to the VPN
configuration and ensuring that the new office has an Internet connection. Scalability is a major benefit
of VPNs.
• Compatibility with broadband technology: VPNs allow mobile workers, telecommuters, and people
who want to extend their work day to take advantage of high-speed, broadband connectivity, such as
DSL and cable, to gain access to their corporate network. This ability provides workers with significant
flexibility and efficiency. Furthermore, high-speed, broadband connections provide a cost-effective
solution for connecting remote offices.
• Security: VPNs can provide the highest level of security by using advanced encryption and
authentication protocols that protect data from unauthorized access. The two available options are IPsec
and SSL.
There are many site-to-site VPN options available. However, each option is a little bit different than the
other.
IPsec Tunnel
IPsec provides a tunnel mode of operation that enables you to use it as a standalone connection method.
This option is the most fundamental IPsec VPN design model. IPsec provides four important security
services:
• Confidentiality (encryption): The sender can encrypt the packets before transmitting them across a
network. By doing so, nobody can eavesdrop on the communication. If another device intercepts the
communication, it cannot read it.
• Data integrity: The receiver can verify that the data was transmitted through the path without being
changed or altered in any way. IPsec ensures data integrity by using checksums, which is a simple
redundancy check.
• Authentication: Authentication makes sure that the connection is made with the desired
communication partner. The receiver can authenticate the source of the packet by guaranteeing and
certifying the source of the information. IPsec uses IKE to authenticate users and devices that can carry
out communication independently. IKE uses several types of authentication including username and
password, one-time password, biometrics, PSKs, and digital certificates.
• Antireplay protection: Antireplay protection verifies that each packet is unique and not duplicated.
IPsec packets are protected by comparing the sequence number of the received packets with a sliding
window on the destination host. A packet that has a sequence number that is before the sliding window
is considered either a late or duplicate packet. Late and duplicate packets are dropped.
GRE over IPsec

Although IPsec provides a secure method for tunneling data across an IP network, it has limitations. IPsec
does not support IP broadcast or IP multicast, preventing the use of protocols that rely on these features,
such as routing protocols. IPsec also does not support the use of the multiprotocol traffic. GRE is a protocol
that can be used to "carry" other passenger protocols, such as IP broadcast or IP multicast, and non-IP
protocols. Using GRE tunnels with IPsec will give you the ability to run a routing protocol, IP multicast, or
multiprotocol traffic across the network between the head end or head ends and branch offices.
With a generic hub-and-spoke topology, you can typically implement static tunnels (typically GRE over
IPsec) between the central hub and remote spokes. When you want to add a new spoke to the network, you
need to configure it on the hub router. Also, the traffic between spokes has to traverse the hub, where it must
exit one tunnel and enter another. Static tunnels may be an appropriate solution for small networks, but this
solution becomes unacceptable as the number of spokes grows larger and larger.
Cisco DMVPN
The Cisco Dynamic Multipoint Virtual Private Network (DMVPN) feature enables you to better scale large
and small IPsec VPNs. The Cisco DMVPN feature provides simple provisioning of many VPN peers. It also
easily supports dynamically addressed spoke routers by its design, if you use an appropriate peer
authentication method, such as PKI-enabled peer authentication. The DMPVN feature enables you to
configure a single mGRE tunnel interface and a single IPsec profile on the hub router to manage all spoke
routers. Thus, the size of the configuration on the hub router remains constant even if you add more spoke
routers to the network. DMVPN also allows IPsec to be immediately triggered to create point-to-point GRE
tunnels without any IPsec peering configuration.
Cisco IPsec VTI

The VTI mode of an IPsec configuration simplifies a VPN configuration. There are two types of VTI—
static and dynamic. With VTI, you implement the IPsec session as an interface. Simple configuration and
routing adjacency directly over the virtual interface are great benefits. But keep in mind that all traffic is
encrypted and that it supports, like standard IPsec, only one protocol (IPv4 or IPv6). The IPsec tunnel
protects the routing protocol and multicast traffic, like with GRE over IPsec. The only difference is that with
VTI, you do not need GRE and the overhead that it brings.
WAN Devices
Several types of devices are specific to WAN environments, including CSU/DSU devices, modems, and
certain types of routers and switches.
The following are common WAN devices and their descriptions.

• Router: A router provides internetworking and WAN access interface ports that are used to connect to
the service provider network. These interfaces may be serial connections or other WAN interfaces. With
some types of WAN interfaces, you need an external device such as a CSU/DSU or modem (analog,
cable, or DSL) to connect the router to the local POP of the service provider.
• Core router: A core router resides within the middle or backbone of the WAN, rather than at its
periphery. To fulfill the role of core router, a router must be able to support multiple
telecommunications interfaces of the highest speed in use in the WAN core. It must also be able to
forward IP packets at wire speed on all these interfaces. The router must support the routing protocols
that are being used in the core.
• CPE: Devices on subscriber premises are referred to as CPE. A subscriber to a service provider owns
the CPE or leases the CPE from the service provider. A copper or fiber cable connects the CPE to the
nearest exchange or CO of the service provider. This cabling is often called the local loop or "last mile."
CSU/DSU devices, DSL modems, and optical fiber converters are just three of many WAN connection
types.
• CSU/DSU: A CSU/DSU is a device that is used to connect a DTE to a digital circuit, such as a T1
carrier line. A device is considered DTE if it is either a source or destination for digital data. Examples
of DTE include PCs, servers, and routers. In the following figure, the router is considered DTE because
it is passing data to the CSU/DSU, which will forward the data to the service provider. Although the
CSU/DSU connects to the service provider infrastructure using a telephone or coaxial cable, such as a
T1 or E1 line, it connects to the router with a serial cable. A CSU/DSU is actually two devices in one
box. The CSU provides termination for the digital signal and ensures connection integrity through error
correction and line monitoring. The DSU converts the T-carrier line frames into frames that the LAN
can interpret and vice versa. You can also implement a CSU/DSU as a module within a router, in which
case, a serial cable is not necessary. A CSU/DSU is sometimes referred to as a DCE because it provides
a path for communication. DCE is a more general label for devices that provide interfaces for DTE into
communication links on the WAN cloud. When the links are digital, the DCE is a CSU/DSU. When
analog telephone lines are the communication media, the DCE is a modem.
• Modem: A modem is a device that interprets digital and analog signals, enabling data to be transmitted
over voice-grade telephone lines. At the source, digital signals are converted to a form that is suitable
for transmission over analog communication facilities. At the destination, these analog signals are
returned to their digital form. There are various types of modems. In the following figure, a DSL
modem (which is used in DSL broadband environments) is connected to a router with an Ethernet cable
and is connected to the service provider network with a telephone cable. You can also implement a
modem as a router module.
• Optical fiber converters: Optical fiber converters are used where a fiber-optic link terminates to
convert optical signals into electrical signals and vice versa. You can also implement the converter as a
router or switch module.
• Wireless router: Wireless routers are used when you are using wireless medium for WAN
connectivity. You can also use an access point instead of wireless router.
Self Check
Which two statements about WANs are true? (Choose two.)

A. WANs generally connect devices that are located over a broader geographical area.
B. WANs generally connect devices that are close to each other.
C. WAN stands for World Around Networks.
D. WANs use connections of various types to provide access to bandwidth over large geographical
areas.
Which WAN topology option provides the highest level of redundancy?

A. hub-and-spoke
B. partially meshed
C. fully meshed
D. point-to-point
Which two VPNs are examples of service provider-managed VPNs? (Choose two.)
A. remote-access VPNs
B. Layer 2 MPLS VPN
C. Layer 3 MPLS VPN
D. DMVPN
Which two technologies are examples of Layer 2 MPLS VPN technologies? (Choose two.)
A. VPLS
B. DMVPM
C. GETVPN
D. VPWS
Which protocol should be used with IPsec to give you the ability to run a routing protocol or IP
multicast across the network between two site-to-site VPN peers?
A. GRE
B. IPsec tunnel
C. WAN
D. MPLS
Which protocol provides confidentiality, data integrity, authentication, and antireplay protection?
A. GRE
B. IPsec
C. ISDN
D. MPLS
Which service ensures that data being transmitted has not been changed or altered in any way?
A. confidentiality
B. data integrity
C. authentication
D. antireplay protection
Answer Key
Self Check
1. A, D
2. C
3. B, C
4. A, D
5. A
6. B
7. B
Point-to-Point Protocols
Overview
A CCS customer is adding two new branch offices. At one branch, the customer is running HDLC for the
WAN protocol for the connection back to the corporate site. At the other branch, it is running PPPoE. You
will be the primary technician for the deployment. Would you like to go on site now to complete the job or
study the training before the deployment?
Serial Point-to-Point Communication Links
A point-to-point (or serial) communication link provides a single, established WAN communication path
from the customer premises through a carrier network to a remote network.
When permanent dedicated connections are required, a point-to-point link is used to provide a pre-
established WAN communications path from the customer premises through the provider network to a
remote destination. A serial line can connect two geographically distant sites, such as a corporate office in
New York and a regional office in London. Point-to-point lines are usually leased from a carrier and are
therefore often called leased lines. For a point-to-point line, the carrier dedicates fixed transport capacity
and facility hardware to the line that the customer is leasing. However, the carrier will still use multiplexing
technologies within the network.
Point-to-point links are usually more expensive than shared services such as Frame Relay. The cost of
leased-line solutions can become significant if you use them to connect many sites over increasing
distances. However, there are times when the benefits outweigh the cost of the leased line. The dedicated
capacity removes latency or jitter between the endpoints. Constant availability is essential for some
applications such as VoIP or video over IP.
You need a router serial port for each leased-line connection. If the underlying network is based on the
North American (T-carrier) or European (E-carrier) technologies, the leased line connects to the network of
the carrier through a CSU/DSU. The purpose of the CSU/DSU is to provide a clocking signal to the
customer equipment interface from the DSU and terminate the channelized transport media of the carrier on
the CSU. The CSU also provides diagnostic functions such as a loopback test. Most T1 or E1TDM
interfaces on current routers include approved CSU/DSU capabilities.
Leased lines provide permanent dedicated capacity and are used extensively for building WANs. They have
been the traditional choice of connection but have several disadvantages. Leased lines have a fixed capacity.
However, WAN traffic is often variable and leaves some of the capacity unused. In addition, each endpoint
needs a separate physical interface on the router, which increases equipment costs. Any change to the leased
line generally requires a site visit by the carrier personnel.
Bandwidth
Bandwidth refers to the rate at which data is transferred over the communication link. The underlying
carrier technology depends on the bandwidth that is available. There is a difference in bandwidth points
between the North American T-carrier specification and the E-carrier system, as shown in the table.
Leased lines are available in different capacities and are generally priced based on the bandwidth that is
required and the distance between the two connected points.
Point-to-Point Protocol
PPP originally emerged as an encapsulation protocol for transporting IP traffic over point-to-point links.
PPP also established a standard for the assignment and management of IP addresses, asynchronous (start
and stop bit) and bit-oriented synchronous encapsulation, network protocol multiplexing, link configuration,
link quality testing, error detection, and option negotiation for such capabilities as network layer address
negotiation and data compression negotiation.
PPP provides router-to-router and host-to-network connections over both synchronous and asynchronous
circuits. An example of an asynchronous connection is a dialup connection. An example of a synchronous
connection is a leased line.
There are many advantages to using PPP, including the fact that it is not proprietary. Moreover, it includes
many features that are not available in HDLC, including the link-quality management feature that monitors
the quality of the link. If too many errors are detected, PPP takes down the link. PPP also supports PAP and
CHAP authentication.
Cisco High-Level Data Link Control (Cisco HDLC) is a data-link layer protocol that can be used on leased
lines between two Cisco devices. For communicating with a device from another vendor, synchronous PPP
is a better option.
PPP provides a standard method for transporting multiprotocol datagrams (packets) over point-to-point
links.
PPP includes these three main components:

• A method for encapsulating multiprotocol datagrams.
• Extensible LCP to establish, configure, and test the WAN data-link connection.
• A family of NCPs for establishing and configuring different network layer protocols. PPP allows the
simultaneous use of multiple network layer protocols.
LCP provides versatility and portability to a wide variety of environments. LCP is used to automatically
determine the encapsulation format option, to manage varying limits on sizes of packets, and to detect a
loopback link, and terminate the link. Other optional facilities that LCP provides are authentication of the
identity of its peer on the link and the determination of when a link is functioning correctly or failing.
The authentication phase of a PPP session is optional. After the link has been established and the
authentication protocol is chosen, the peer can be authenticated. If the authentication option is used,
authentication takes place before the network layer protocol configuration phase begins.
Cisco offers CHAP and PAP for PPP authentication.
Discovery 19: Configure Serial Interface and PPP
Introduction
This discovery will guide you through the configuration of the clock rate on the DCE side of a serial link
and the configuration of PPP encapsulation on both sides of a serial link between two Cisco IOS routers.
The virtual lab is prepared with two routers as depicted in the topology diagram and the connectivity table.
R1 has the DCE side of the serial link, while R2 has the DTE side. Both routers have their basic
configurations in place, including hostnames, IP addresses, and EIGRP as the routing protocol.
First you will configure and verify a serial interface to use PPP encapsulation, and then you will configure
PAP and CHAP authentication for PPP.
Topology
Job Aid

• Both routers have their basic configurations in place, including hostnames and IP addresses.
• EIGRP is configured on both routers, making them aware of each other's loopback interfaces networks.
Device Details
R1 Serial1/1 R2 10.1.1.1/24
R1 Loopback0 — 192.168.1.1/24
R1 Loopback1 — 172.16.1.1/24
R2 Serial1/1 R1 10.1.1.2/24
R2 Loopback0 — 192.168.2.1/24
R2 Loopback1 — 172.16.2.1/24
Task 1: Configure Serial Interface for PPP
Activity
To configure a serial interface, follow these steps:

1. Enter the global configuration mode—use the configure terminal command.
2. When in you are in the global configuration mode, enter the interface configuration mode. In this
example, you would use the interface serial 0/0/0 command.
3. If a DCE cable is attached, use the clock ratebps interface configuration command to configure the
clock rate for the hardware connections on serial interfaces, such as network interface modules and
interface processors, to an acceptable bit rate. Be sure to enter the complete clock speed. For example, a
clock rate of 64000 cannot be abbreviated to 64. On serial links, one side of the link acts as the DCE,
and the other side of the link acts as the DTE. By default, Cisco routers are DTE devices, but you can
configure them as DCE devices. In a "back-to-back" router configuration in which a modem is not used,
you must configure one of the interfaces as the DCE to provide a clocking signal. You must specify the
clock rate for each DCE interface that is configured in this type of environment. The clock rates in bits
per second are as follows: 1200, 2400, 4800, 9600, 19200, 38400, 56000, 64000, 72000, 125000,
148000, 500000, 800000, 1000000, 1300000, 2000000, and 4000000.
Some of the routers do not require clock rate configuration anymore.
• Enter the specified bandwidth for the interface. The bandwidthkbps command overrides the default
bandwidth that the show interfaces command displays. It is used by some routing protocols, such as the
EIGRP, for routing metric calculations. The router also uses the bandwidth for other types of
calculations, such as those calculations that are required for the RSVP. The default bandwidth for serial
lines is the T1 speed (1.544 Mbps). The entered bandwidth has no effect on the actual speed of the line.
The attached serial cable determines the DTE or DCE mode of the Cisco router. Choose the cable to match
the network requirement.
The table provides a description of the commands that you use to configure a serial interface.
Command Description
interface serial interface_number Enters the serial interface configuration mode for the specified interface.
bandwidth bandwidth Sets the interface bandwidth metric in kilobits per second (kbps).
clock rate clock_rate Sets the interface clock rate in bits per second (bps). You use this command
on DCE interfaces only.
encapsulation ppp Sets the interface encapsulation to PPP.
A common misconception for students that are new to networking and Cisco IOS Software is to assume
that the bandwidth command changes the physical bandwidth of the link. The bandwidth command
modifies only the bandwidth metric that routing protocols such as EIGRP and OSPF use. Sometimes, a
network administrator changes the bandwidth value to have more control over the chosen outgoing
interface.
The encapsulation ppp command has no arguments, but you must first configure the router with an IP
routing protocol to use the PPP encapsulation. If you do not configure PPP on a Cisco router, the default
encapsulation for serial interfaces is HDLC.
Access the console of R1. The Serial1/1 interface on R1 has DCE cable. Configure it for a clock
rate of 64,000 bps and define the bandwidth as 64 kbps.
On R1, enter the following commands:
R1# conf t
R1(config)# interface Serial1/1
R1(config-if)# clock rate 64000
R1(config-if)# bandwidth 64
R1(config-if)# end
R1#
The clock rate command controls the actual speed at which the serial link runs. The bandwidth
command does not affect the running speed of the interface, but instead sets the information
which is provided to dynamic routing protocols for determining metrics associated with the link.
The clock rate command expects its argument in bits per second, while the bandwidth
command expects its argument in kilobits per second.
Verifying Serial Interface
The show controller command displays information about the physical interface itself. This command is
useful with serial interfaces to determine the type of cable that is connected without the need to physically
inspect the cable itself.
Use the show interfaces command to verify that the proper encapsulation is enabled on the serial interface.
The output shows which encapsulation is enabled on the serial interface.
Use the show controllers command to verify the configuration of Serial1/1 and to verify that the
status indicators are all "up."
On R1, enter the following command:
R1# show controllers Serial1/1
M4T: show controller:
PAS unit 1, subunit 1, f/w version 1-45, rev ID 0xFFFF, version 1
idb = 0xECF450D8, ds = 0xECF463F0, ssb=0xECF467A8
Clock mux=0x0, ucmd_ctrl=0x1C, port_status=0x3B
Serial config=0x8, line config=0x200
maxdgram=1608, bufpool=78Kb, 120 particles
DCD=up DSR=up DTR=up RTS=up CTS=upline state: up
cable type : V.11 (X.21) DCE cable, received clockrate 64000
running=1, port id=0x117F0688
base0 registers=0xECF2B038, base1 registers=0xECF2D038

mxt_ds=0xEEAEEEC0, rx ring entries=78, tx ring entries=128
rxring=0xECF46B98, rxr shadow=0xECF46E40, rx_head=73
txring=0xECF47220, txr shadow=0xECF47658, tx_head=101, tx_tail=101, tx_count=0
throttled=0, enabled=0
halted=0, last halt reason=0
Microcode fatal errors=0
rx_no_eop_err=0, rx_no_stp_err=0, rx_no_eop_stp_err=0
rx_no_buf=0, rx_soft_overrun_err=0, dump_err= 0, bogus=0, mxt_flags=0x0
tx_underrun_err=0, tx_soft_underrun_err=0, tx_limited=0(128)
tx_fullring=0, tx_started=1336, mxt_flush_count=0
rx_int_count=1338, tx_int_count=1340
Use the show interfaces command to verify the bandwidth setting that the routing protocols will
use, along with the current serial encapsulation method.
R1# show interfaces Serial1/1

Serial1/1 is up, line protocol is up
Hardware is M4T
Encapsulation HDLC, crc 16, loopback not set
Restart-Delay is 0 secs
Last input 00:00:01, output 00:00:04, output hang never
Last clearing of "show interface" counters never
Received 492 broadcasts (1 IP multicasts)
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
3 carrier transitions DCD=up DSR=up DTR=up RTS=up CTS=up
Both R1 and R2 are using the default HDLC encapsulation method.
EIGRP has been preconfigured on both routers R1 and R2. Verify the content of the routing
table on R1.
R1# show ip route


L 10.1.1.1/32 is directly connected, Serial1/1
D 172.16.2.0/24 [90/40640000] via 10.1.1.2, 00:23:31, Serial1/1
D 192.168.2.0/24 [90/40640000] via 10.1.1.2, 00:23:31, Serial1/1
The marked networks have been learned via the EIGRP protocol.
From R1, ping the Loopback0 interface (192.168.2.1) of R2.
R1# ping 192.168.2.1

!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 21/21/21 ms
The ping should succeed.
Set the encapsulation protocol on the R1 Serial1/1 interface to PPP.
R1# conf t
R1(config-if)# encapsulation ppp
R1(config-if)#
Serial1/1, changed state to down
R1(config-if)#
*Dec 3 13:28:18.198: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.1.1.2
(Serial1/1) is down: holding time expired
R1(config-if)# end
R1#
Now, R1 is using PPP for encapsulation while R2 is using HDLC. These encapsulation protocols
are incompatible, which is why the protocol on the R1 Serial1/1 interface went down and the
EIGRP neighbor relationship with R2 has timed out.
Display the status of the Serial1/1 interface on R1 with the show ip interface brief command.
R1# show ip interface brief Serial1/1

Interface IP-Address OK? Method Status Protocol
Serial1/1 10.1.1.1 YES manual up down
The administrative status of the interface is "up," but the protocol is "down."
Access the console of R2. Configure its Serial1/1 interface to use PPP encapsulation and
configure its bandwidth setting to 64.
R2# conf t
R2(config-if)# bandwidth 64
R2(config-if)#
Serial1/1, changed state to up
R2(config-if)#
(Serial1/1) is up: new adjacency
R2(config-if)# end
R2#
When the encapsulation protocol is compatible with its peer, the line protocol state changes to
"up." With the line protocol up, the EIGRP neighbor relationship with R1 is able to re-establish.
You did not need the clock rate command on R2 because the router it is connected with the DTE
side of the cable.
Use the show interface command on R2 to verify the serial encapsulation method.
R2# show interfaces Serial1/1Serial1/1 is up, line protocol is up
Hardware is M4T
Encapsulation PPP, LCP Open
Open: IPCP, CDPCP, crc 16, loopback not set
Restart-Delay is 0 secs
Last input 00:00:02, output 00:00:03, output hang never
Last clearing of "show interface" counters 17:57:30
Received 0 broadcasts (0 IP multicasts)
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 carrier transitions DCD=up DSR=up DTR=up RTS=up CTS=up
Both R1 and R2 are using the PPP encapsulation method.
For one last verification of connectivity, from R2, ping the Loopback0 interface (192.168.1.1) of
R1.
R2# ping 192.168.1.1

Task 2: Configure PAP Authentication for PPP

Activity
To improve security mitigation, the PPP protocol suite was designed to offer the optional feature of user
authentication. Devices that initiate a PPP session must pass a strict identity verification before the link
establishment is approved. The link is activated only after the proper credentials have been given and
accepted. If PPP authentication fails for any reason, access is denied and the link is promptly terminated.
Although you may configure proprietary authentication methods to work with PPP, the two main types of
PPP authentication methods are PAP and CHAP.
PAP is a two-way handshake that provides a simple method for a remote node to establish its identity. PAP
is performed only upon initial link establishment. There is no encryption. The username and password are
sent in plaintext. After the PPP link establishment phase is complete, the remote node repeatedly sends a
username and password pair to the router until authentication is acknowledged or the connection is
terminated.
PAP is not a strong authentication protocol, but it may be adequate in environments that use token-type
passwords that change with each authentication. PPP is not secure in most environments. Also, there is no
protection from playback or repeated trial-and-error attacks—the remote node is in control of the frequency
and timing of the login attempts.
In the example, the Branch router first sends its PAP username and password to the Headquarter (HQ)
router. The HQ router evaluates the Branch router credentials against its local database. If the Branch router
credentials match, the HQ router accepts the connection. If not, the HQ router rejects the connection. This is
the two-way handshake in which the Branch router authenticates to the HQ router. Then the reverse process
occurs with the HQ router authenticating to the Branch router.
The router that the ppp authentication pap command is configured on will use PAP to verify the identity
of the other side (peer). It means that the other side (peer) must present its username and password to the
local device for verification
Usernames and passwords that the local router uses to authenticate the PPP peer are defined using the
username password command . When the peer sends its PAP username and password, the local router will
check whether that username and password are configured locally. If there is a successful match, the peer is
authenticated.
The ppp pap sent-username<username> password <password> command enables outbound PAP
authentication. The local router uses the username and password that the ppp pap sent-username command
specifies to authenticate itself to a remote device. The other router must have this same username/password
configured using the username command described above.
On R1, define the username "User2" using the "cisco" password.
R1# conf t
R1(config)# username User2 password cisco
The username value is not case-sensitive, but the password value is case-sensitive.
On R2, define the username "User1" using the "cisco" password.
R2# conf t
R2(config)# username User1 password cisco
Configure PAP authentication on the Serial1/1 interface on R1. Set "User1" as the sent username
and "cisco" as the password.

R1(config-if)# ppp authentication pap
R1(config-if)#
(Serial1/1) is down: interface down
R1(config-if)# ppp pap sent-username User1 password cisco
R1(config-if)# end
R1#
The line protocol for interface Serial1/1 goes down because R2 is not configured for PAP
authentication yet. The consequence is lost EIGRP neighbor relationship.
Configure PAP authentication on the Serial1/1 interface on R2. Set "User2" as the sent username
and "cisco" as the password.

R2(config-if)# ppp authentication pap
R2(config-if)# ppp pap sent-username User2 password cisco
R2(config-if)#
R2(config-if)#
R2(config-if)# end
R2#
The PPP session gets re-established using PAP authentication. The consequence is that the line
protocol on the interface Serial1/1 goes up and the EIGRP neighbor relationship is re-
established.
Verifying PPP Session
The show ppp all command verifies that the PPP session is established. Is also displays the information of
authentication used, peer name, and IP address.
On R2, verify that the PPP session is established.
R2# show ppp all

Interface/ID OPEN+ Nego* Fail- Stage Peer Address Peer Name
------------ --------------------- -------- --------------- -------------------
-
Se1/1 LCP+ PAP+ IPCP+ CDPC> LocalT 10.1.1.1 User1
The PPP session is established using PAP authentication on the Serial1/1 interface to the peer
that is named R1 using the peer IP address 10.1.1.1.
Task 3: Configure CHAP Authentication for PPP
Activity
CHAP is the preferred authentication method and is considered superior to PAP. CHAP involves a three-
way exchange of a shared secret. When authentication is established with PAP, it essentially stops working,
which leaves the network vulnerable to attacks. Unlike PAP, which only authenticates once, CHAP
conducts periodic challenges to make sure that the remote node still has a valid password value. CHAP,
which uses a three-way handshake, occurs at the startup of a link and periodically thereafter to verify the
identity of the remote node.
After the PPP link establishment phase is complete, the local router sends a challenge message to the remote
node. The remote node responds with a value that is calculated using a one-way hash function, typically
MD5, based on the password and challenge message. The local router checks the response against its own
calculation of the expected hash value. If the values match, the authentication is acknowledged. Otherwise,
the connection is terminated immediately.
CHAP provides protection against a playback attack by using a variable challenge value that is unique and
unpredictable. Because the challenge is unique and random, the resulting hash value will also be unique and
random. The use of repeated challenges is intended to limit exposure to any single attack. The local router
or a third-party authentication server is in control of the frequency and timing of the challenges.
In the example, the HQ router sends a challenge message to the Branch router. The Branch router responds
to the HQ router by sending its CHAP username and password. The HQ router evaluates the Branch router
credentials against its local database. If the credentials match, it accepts the connection. If they do not, it
rejects the connection. This process is a three-way handshake of the HQ router authenticating the Branch
router. A three-way handshake of the Branch router authenticating the HQ router follows.
To configure PPP authentication, you must configure the interface for PPP encapsulation. Follow these
steps to enable CHAP authentication:
• Verify that each router has a hostname assigned to it. To assign a hostname, enter the hostnamename
command in the global configuration mode. This name must match the username that the authenticating
router expects at the other end of the link.
• On each router, define the username and password to expect from the remote router with the
usernamename passwordpassword global configuration command. Add a username entry for each
remote system that the local router communicates with and that requires authentication. Note that the
remote device must have a corresponding username entry for the local router with a matching password.
• Configure PPP authentication with the ppp authentication {chap | chap pap | pap chap | pap}
interface configuration command.
– If you configure ppp authentication chap on an interface, all incoming PPP sessions on that
interface are authenticated using CHAP.
– Likewise, if you configure ppp authentication pap, all incoming PPP sessions on that interface are
authenticated using PAP.
– If you configure ppp authentication chap pap, the router attempts to authenticate all incoming
PPP sessions using CHAP. If the remote device does not support CHAP, the router tries to
authenticate the PPP session using PAP. If the remote device does not support either CHAP or PAP,
the authentication fails, and the PPP session is dropped.
– If you configure ppp authentication pap chap, the router attempts to authenticate all incoming
PPP sessions using PAP. If the remote device does not support PAP, the router tries to authenticate
the PPP session using CHAP. If the remote device does not support either protocol, the
authentication fails and the PPP session is dropped.
If you enable both methods, the first method that you specify is requested during link negotiation. If the peer
suggests using the second method or refuses the first method, the second method is tried.
The table provides a description of the commands that you use to configure CHAP authentication.
Command Description
hostname hostname Sets a device hostname.
username username password password Configures a new user to the device.
interface interface_name Enters the interface configuration mode for the specified interface.
encapsulation ppp Configures a link with the PPP-type encapsulation.
ppp authentication chap Enables CHAP authentication on the interface with PPP
encapsulation.
On R1, define the username "R2" using the "cisco" password.
R1# conf t
R1(config)# username R2 password cisco
The username value is not case-sensitive, but the password value is case-sensitive.
On R2, define the username "R1" using the "cisco" password.
R2# conf t
R2(config)# username R1 password cisco
Change the PPP authentication type to CHAP on the Serial1/1 interface on R1. You also need to
remove all configuration related to PAP authentication.
R1# conf t
R1(config-if)# no ppp authentication pap
R1(config-if)# no ppp pap sent-username User1 password cisco
R1(config-if)# ppp athentication chap
R1(config-if)# exit
R1(config)#
Change the PPP authentication type to CHAP on the Serial1/1 interface on R2. You also need to
remove all configuration related to PAP authentication.
R2# conf t
R2(config-if)# no ppp authentication pap
R1(config-if)# no ppp pap sent-username User2 password cisco
R2(config-if)# ppp authentication chap
R2(config-if)# exit
R2(config)#
Enable debugging of PPP authentication on R2. Then disable and reenable the interface Serial1/1
to reinitiate PPP session establishment. Observe the debug messages associated with the CHAP
authentication process.
R2(config)# interface Serial 1/1
R2(config-if)# do debug ppp authentication
PPP authentication debugging is on
R2(config-if)#
*Dec 7 09:37:40.093: %LINK-5-CHANGED: Interface Serial1/1, changed state to
R2(config-if)#
*Dec 7 09:40:57.897: %LINK-3-UPDOWN: Interface Serial1/1, changed state to up
*Dec 7 09:40:57.897: Se1/1 PPP: Using default call direction
*Dec 7 09:40:57.897: Se1/1 PPP: Treating connection as a dedicated line
*Dec 7 09:40:57.897: Se1/1 PPP: Session handle[F000011] Session id[16]
*Dec 7 09:40:57.923: Se1/1 CHAP: O CHALLENGE id 1 len 23 from "R2"
*Dec 7 09:40:57.927: Se1/1 CHAP: I CHALLENGE id 1 len 23 from "R1"
*Dec 7 09:40:57.927: Se1/1 PPP: Sent CHAP SENDAUTH Request
*Dec 7 09:40:57.927: Se1/1 PPP: Received SENDAUTH Response PASS
*Dec 7 09:40:57.927: Se1/1 CHAP: Using hostname from configured hostname
*Dec 7 09:40:57.927: Se1/1 CHAP: Using password from AAA
*Dec 7 09:40:57.927: Se1/1 CHAP: O RESPONSE id 1 len 23 from "R2"
*Dec 7 09:40:57.933: Se1/1 CHAP: I RESPONSE id 1 len 23 from "R1"
*Dec 7 09:40:57.933: Se1/1 PPP: Sent CHAP LOGIN Request
*Dec 7 09:40:57.933: Se1/1 PPP: Received LOGIN Response PASS
*Dec 7 09:40:57.938: Se1/1 CHAP: O SUCCESS id 1 len 4
*Dec 7 09:40:57.943: Se1/1 CHAP: I SUCCESS id 1 len 4
R2(config-if)#
R2(config-if)#
R2(config-if)# end
R2#
The debug output shows the bidirectional CHAP authentication procedure. Both sides challenge
each other, respond to each other, and pass each other. After successful authentication, the line
protocol comes back up and EIGRP neighbor relationship gets established.
For one last verification of connectivity, from R2, ping the R1 Loopback0 interface
(192.168.1.1).
R2# ping 192.168.1.1

On R2, verify that the PPP session gets established.
R2# show ppp all
Interface/ID OPEN+ Nego* Fail- Stage Peer Address Peer Name
------------ --------------------- -------- --------------- -------------------
-
Se1/1 LCP+ CHAP+ IPCP+ CDP> LocalT 10.1.1.1 R1
The PPP session is established using the CHAP authentication method on the Serial1/1 interface
to the peer that is named R1 using the peer IP address 10.1.1.1.
Discovery 20: Configure and Verify MLP
Introduction
This discovery will guide you through the configuration of the Multilink PPP, also known as MLP. MLP
provides a method for spreading traffic across multiple distinct PPP connections. You can use it, for
example, to connect a home computer to an Internet Service Provider using two traditional modems, or to
connect a company through two leased lines.
You will configure an MLP bundle on the R1 and R2 routers, which are connected using two serial
interfaces.
Topology
Job Aid

• PPP encapsulation is configured on all Serial interfaces.
Device Details
R1 Serial1/1 R2 10.1.1.1/24
R1 Serial1/2 R2 10.1.2.1/24
R1 Loopback0 — 192.168.1.1/24
R1 Loopback1 — 172.16.1.1/24
R2 Serial1/1 R1 10.1.1.2/24
R2 Serial1/2 R1 10.1.2.2/24
R2 Loopback0 — 192.168.2.1/24
R2 Loopback1 — 172.16.2.1/24
Task 1: Configure and Verify MLP
Activity
The MLP feature provides a load-balancing functionality over multiple WAN links while providing
multivendor interoperability and support for packet fragmentation, proper sequencing, and load calculation
on both inbound and outbound traffic. The MLP feature supports the fragmentation and packet sequencing
specifications that are described in RFC 1990.
MLP allows packets to be fragmented and fragments to be sent at the same time over multiple point-to-point
links to the same remote address. Multiple links come up in response to a defined dialer load threshold. The
load can be calculated on inbound or outbound traffic, as required, for the traffic between specific sites.
MLP provides bandwidth on demand and reduces transmission latency across WAN links.
MLP can work over synchronous and asynchronous serial types of single or multiple interfaces that have
been configured to support both dial-on-demand rotary groups and PPP encapsulation.
MLP combines multiple physical links into a logical bundle that is called an MLP bundle. An MLP bundle
is a single, virtual interface that connects to the peer system. Having a single interface (MLP bundle
interface) provides a single point to apply hierarchical queueing, shaping, and policing to traffic flows.
Individual links in a bundle do not perform any hierarchical queueing. None of the links have any
knowledge about the traffic on parallel links. Hierarchical queueing and QoS cannot be applied uniformly to
the entire aggregate traffic between a system and its peer system. A single, virtual interface also simplifies
the task of monitoring traffic to the peer system (for example, all traffic statistics run on one interface).
MLP works with fully functional PPP interfaces. An MLP bundle can have multiple links connecting peer
devices. These links can be serial links or broadband links (Ethernet or ATM). As long as each link behaves
like a standard serial interface, mixed links work properly in a bundle.
The MLP over serial interfaces feature enables you to bundle interfaces into a single, logical connection
called an MLP bundle. The MLP over serial interfaces feature also provides the following functionalities:
• Load balancing: MLP provides bandwidth on demand and uses load balancing across all member links
(up to ten) to transmit packets and packet fragments. MLP mechanisms calculate the load on inbound or
outbound traffic between specific sites. Because MLP splits packets and fragments across all member
links during transmission, MLP reduces transmission latency across WAN links. Ideally, all member
links in a bundle would be of the same bandwidth (for example, T1s). Load balancing and
fragmentation and interleaving also allow for a mix of unequal cost member links for situations where a
small increment in the bundle bandwidth is required.
• Increased redundancy: MLP allows traffic to flow over remaining member links when a port fails.
When you configure an MLP bundle that consists of T1 lines from more than one line card and if one
line card stops operating, a part of the bundle on other line cards continues to operate.
• Link fragmentation and interleaving: The MLP fragmenting mechanism fragments large, nonreal-
time packets and sends fragments at the same time over multiple point-to-point links to the same remote
address. Smaller, real-time packets remain intact. The MLP interleaving mechanism sends real-time
packets between fragments of nonreal-time packets, thus reducing real-time packet delay.
Access the console of R1 and verify the status of serial interfaces that are connected to R2.

Hardware is M4T

Hardware is M4T
Interfaces Serial1/1 and Serial1/2 are connected to R2. Both interfaces are "up" and have an IP
addresses assigned. Encapsulation is set to PPP on serial interfaces connecting R1 and R2.
EIGRP has been preconfigured on both routers R1 and R2. Verify the content of the routing
table on R1.
R1# show ip route

D 172.16.2.0/24 [90/2297856] via 10.1.2.2, 20:06:22, Serial1/2
[90/2297856] via 10.1.1.2, 20:06:22, Serial1/1
D 192.168.2.0/24 [90/2297856] via 10.1.2.2, 20:06:22, Serial1/2
[90/2297856] via 10.1.1.2, 20:06:22, Serial1/1
The marked networks have been learned via EIGRP. Traffic to these networks is load-balanced
via Serial1/1 and Serial1/2 links.
From R1, ping the Loopback0 interface (192.168.2.1) on R2.
R1# ping 192.168.2.1

The ping should be successful.
Configuring a Multilink Bundle
When configuring MLP, you need to first configure a multilink bundle by creating a multilink interface.
You need to assign an IP address to this multilink interface, enable the MLP feature, and restrict a physical
link to join only the designated multilink group interface.
Create a multilink interface on R1 with the following specified characteristics:
• Group number: 1
• IP address: 10.1.1.1/24
• Enable the MLP feature.
• Restrict physical links with the multilink group 1 only to join this bundle.
R1# conf t
R1(config)# interface Multilink1
R1(config-if)#
*Dec 9 10:28:40.548: %LINK-3-UPDOWN: Interface Multilink1, changed state to
down
R1(config-if)# ip address 10.1.1.1 255.255.255.0
R1(config-if)# ppp multilink
R1(config-if)# ppp multilink group 1
R1(config-if)# end
R1#
Create a multilink interface on R2 with the following specified characteristics.
• Group number: 1
• IP address: 10.1.1.2/24
• Enable the MLP feature.
• Restrict physical links with the multilink group 1 only to join this bundle.
R2# conf t
R2(config)# interface Multilink1
R2(config-if)#
*Dec 9 10:31:38.411: %LINK-3-UPDOWN: Interface Multilink1, changed state to
down
R2(config-if)# end
R2#
Assigning an Interface to a Multilink Bundle
After you have created the multilink interface, you need to assign a serial interface to a multilink interface.
To designate a link to a specified bundle, use the ppp multilink group command for configuring the link.
This command restricts the link to join only the specified bundle. When a link negotiates to join an MLP
bundle, the link must provide proper identification that is associated with the MLP bundle. If the negotiation
is successful, the link is assigned to the requested MLP bundle. If the link provides identification that
coincides with the identification that is associated with a different MLP bundle in the system or if the link
fails to match the identity of an MLP bundle that is already active on the multilink group interface, the
connection terminates.
A link joins an MLP bundle only if it negotiates to use the bundle when a connection is established and the
identification information that is exchanged matches that of an existing bundle.
When you configure the ppp multilink group command on a link, the command applies the following
restrictions on the link:
• The link is not allowed to join any bundle other than the indicated group interface.
• The PPP session must be terminated if the peer device attempts to join a different bundle.
Remove the IP addresses from Serial1/1 and Serial1/2 interfaces on both R1 and R2.
On R1 and R2, enter the following commands:
R1# conf t
R1(config-if)# no ip address
R1(config-if)#
R1(config-if)# exit
R1(config-if)#
*Dec 9 10:22:13.474: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100:Neighbor 10.1.2.2
R1(config-if)# end
R1#
R2# conf t
R2(config-if)# exit
R2(config-if)# end
R1#
Immediately after you remove the IP address from the interfaces on R1 router, the EIGRP
neighbor goes down.
Assign interfaces Serial1/1 and Serial1/2 to the interface Multilink1 on R1.
R1# conf z
R1(config-if)#
R1(config-if)# exit
R1(config-if)#
R1(config-if)#
R1(config-if)# end
R1#
Assign interfaces Serial1/1 and Serial1/2 to the interface Multilink1 on R2.
R2# conf t
*Dec 9 10:35:13.555: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state
to up
*Dec 9 10:35:13.555: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-
Access1, changed state to up
R2(config-if)#
Access1, changed state to down
to down
*Dec 9 10:35:31.087: %LINK-3-UPDOWN: Interface Multilink1, changed state to up
R2(config-if)#
Multilink1, changed state to up
(Multilink1) is up: new adjacency
R2(config-if)# exit
Verifying Multilink Bundle
The show ppp multilink command verifies that all the desired interfaces are bundled into multilink PPP
bundle.
Verify the multilink PPP bundle information using the show ppp multilink command on R1.
R1# show ppp multilinkMultilink1

Bundle name: R2
Remote Endpoint Discriminator: [1] R2
Local Endpoint Discriminator: [1] R1
Bundle up for 01:32:05, total bandwidth 3088, load 1/255
Receive buffer limit 24000 bytes, frag timeout 1000 ms
0/0 fragments/bytes in reassembly list
0 lost fragments, 53 reordered
0/0 discarded fragments/bytes, 0 lost received
0x56E received sequence, 0x572 sent sequence
Member links: 2 active, 0 inactive (max 255, min not set)
Se1/1, since 01:32:05
Se1/2, since 01:31:31
No inactive multilink interfaces
The physical interfaces Serial1/1 and Serial1/2 are members of the logical interface bundle
Multilink 1.
Shut down the interface Serial1/1 on R1 to simulate a failure on this link.
R1# conf t
*Dec 9 13:13:34.223: %LINK-5-CHANGED: Interface Serial1/1, changed state to
R1(config-if)# end
R1#
Verify the status of the interface Multilink1 on R1 router.
R1# show interfaces Multilink1Multilink1 is up, line protocol is up

Hardware is multilink group interface
Encapsulation PPP, LCP Open, multilink Open
Open: IPCP, CDPCP, loopback not set
The logical interface Multilink1 is still up, even though one of the members of the bundle was
shut down.
Verify the content of the routing table on R1 again.
R1# show ip route


C 10.1.1.0/24 is directly connected, Multilink1
L 10.1.1.1/32 is directly connected, Multilink1
C 10.1.1.2/32 is directly connected, Multilink1
D 172.16.2.0/24 [90/2297856] via 10.1.1.2, 00:14:24, Multilink1
D 192.168.2.0/24 [90/2297856] via 10.1.1.2, 00:14:24, Multilink1
The outgoing interface in the routing table for networks learned via EIGRP points to the logical
interface Multilink 1.
R1# ping 192.168.2.1

The ping should be successful despite the interface Serial1/1 on R1 being shut down. Note: You
may have to wait couple of seconds, for a ping to work.
Discovery 21: Configure and Verify PPPoE Client
Introduction
This discovery will guide you through the configuration of PPPoE client. PPoE provides an emulated (and
optionally authenticated) point-to-point link across a shared medium, typically a broadband aggregation
network such as the ones that you can find in DSL service providers. A very common scenario is to run a
PPPoE client on the customer side, which connects to and obtains its configuration from the PPPoE server
(head-end router) at the ISP side.
You will configure R1 as PPPoE client, while the R2 has been preconfigured as the PPPoE server.
Topology
Job Aid

• R2 has been preconfigured as the PPPoE server.
Device Details
R1 Ethernet0/1 R2 —
R1 Loopback0 — 192.168.1.1/24
R1 Loopback1 — 172.16.1.1/24
R2 Ethernet0/1 R1 10.1.1.2/24
R2 Loopback0 — 192.168.2.1/24
R2 Loopback1 — 172.16.2.1/24
Task 1: Configure and Verify PPPoE Client
Activity
The PPPoE client feature provides PPPoE client support on routers on customer premises. Before the
introduction of this feature, Cisco IOS software supported PPPoE on the access server side only. The figure
shows a typical network topology for PPPoE client deployment.
PPPoE is a commonly used application in the deployment of DSL. The PPPoE client feature expands the
PPPoE functionality by providing support for PPPoE on both the client and on the server.
ISPs often provide their customers with a DSL modem that has one Ethernet interface to connect to the
customer Ethernet segment, and another interface for DSL line connectivity. ATM is typically run between
the customer's modem and the DSLAM. In such a case, the DSL modem acts only as a bridge if the CPE is
not configurable for any IP connectivity or enhanced features over DSL. This situation limits your
connectivity to only one PPPoE client PC. With the addition of a Cisco IOS router that connects to the
Ethernet of the DSL modem, you can run the PPPoE client IOS feature on the Cisco router. This way, you
can connect multiple PCs on the Ethernet segment that is connected to the Cisco IOS router. With the use of
the Cisco IOS router, you can enhance your DSL connectivities and all IOS features, such as Security, NAT,
and DHCP to internal hosts.
The PPPoE client initiates a PPPoE session. If the session has a timeout or is disconnected, the PPPoE client
will immediately attempt to re-establish the session. The following four steps describe the exchange of
packets that occurs when a PPPoE client initiates a PPPoE session:
1. The client broadcasts a PADI packet.
2. When the access concentrator receives a PADI that it can serve, it replies by sending a PADO packet to
the client.
3. Because the PADI was broadcast, the host may receive more than one PADO packet. The host looks
through the PADO packets that it receives and chooses one. The choice can be based on the access
concentrator name or on the services that are offered. The host then sends a single PADR packet to the
access concentrator that it has chosen.
4. The access concentrator responds to the PADR by sending a PADS packet. At this point, a virtual
access interface is created that will then negotiate the PPP, and the PPPoE session will run on this
virtual access.
If a client does not receive a PADO for a preceding PADI, the client sends out a PADI at predetermined
intervals. That interval length is doubled for every successive PADI that does not evoke a response, until the
interval reaches a configured maximum. If PPP negotiation fails or the PPP line protocol is brought down
for any reason, the PPPoE session and the virtual access will be brought down. When the PPPoE session is
brought down, the client waits for a predetermined number of seconds before trying again to establish a
PPPoE.
Configuring Dialer Interface on PPPoE Client
The PPPoE client configuration is relatively simple. You need to create a dialer interface to handle the
PPPoE connection, and tie it later to a physical interface that provides the transport.
To create a dialer interface and to enter the interface configuration mode, use the interface dialer number
command. When you are in the interface configuration mode, you need to specify that the IP address for a
dialer interface is obtained via PPP/IPCP address negotiation. Also, set the encapsulation mode to PPP. The
last task requires of you to specify the dialing pool that the dialer interface uses to connect to a specific
destination subnetwork.
Create a dialer interface to handle the PPPoE connection:
• Instruct the client to use an IP address provided by the PPPoE server.
• Set the encapsulation type to PPP.
• Specify the dialing pool that the dialer interface uses to connect to a specific destination
subnetwork to "1."
R1# conf t
R1(config)# interface Dialer1
R1(config-if)# ip address negotiated
R1(config-if)# dialer pool 1
R1(config-if)# end
R1#
Assigning Physical Interface to PPPoE Dial Group
You need to tie the dialer interface configuration to a physical interface using the pppoe-client dial-pool-
numbernumber command. You also need to make sure that no IP address is manually assigned to the
physical interface.
Assign the interface Ethernet0/1 to a newly created PPPoE dial group 1. Also make sure that no
IP address is manually assigned to the Ethernet0/1 interface.
R1# conf t
R1(config-if)# pppoe-client dial-pool-number 1
*Dec 11 12:49:17.540: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
to up
R1(config-if)#
Access2, changed state to up
(Dialer1) is up: new adjacency
R1(config-if)# end
R1#
You should see a notification indicating the PPPoE session has successfully formed. EIGRP
neighbor relationship also gets established between R1 and R2 immediately after an IP address is
assigned to the R1 router (PPPoE client) from R2 router (PPPoE server).
Verifying PPPoE Client
When verifying a PPPoE client, first make sure that Dialer interface is up and running. Then also make sure
that the PPPoE session gets established using the show pppoe session command.
On R1, verify that the interface Dialer1 has negotiated an IP address from R2.
Protocol
Ethernet0/0 unassigned YES NVRAM up up
Ethernet0/1 unassigned YES manual up up
Dialer1 10.10.10.3 YES IPCP up up
Loopback0 192.168.1.1 YES NVRAM up up
Loopback1 172.16.1.1 YES NVRAM up up
Virtual-Access1 unassigned YES unset up up
Virtual-Access2 unassigned YES unset up up
R1 gets the IP address from PPPoE server R2, from the pool of IP addresses starting with
10.10.10.3 and ending with 10.10.10.10. Notice that the IP address is on the dialer interface, not
the physical, Etheernet0/1 interface.
Verify that PPPoE session gets established on R1.
R1# show pppoe session1 client session
Uniq ID PPPoE RemMAC Port VT VA State

SID LocMAC VA-st Type
N/A 4 aabb.cc00.2010 Et0/1 Di1 Vi2 UP
aabb.cc00.1f10 UP
You should see that the PPPoE session gets established on the interface Ethernet0/1.
Note: The MAC addresses in your output may be different.
R1# ping 192.168.2.1

The ping should be successful because EIGRP has been preconfigured on both routers.
Self Check
Which of the following PPP authentication protocols authenticates a device on the other end of a link
with an encrypted password?
A. MD5
B. PAP
C. CHAP
D. DES
Which two commands are the minimum that must be configured on two routers that have their serial
links directly connected using DTE and DCE cables to ping each other? (Choose two.)
A. encapsulation ppp
B. ip address
C. clockrate
D. no encapsulation hdlc
Which of the following PPP protocols controls the layer 2 operation of PPP?
A. IPCP
B. LCP
C. CDPCP
D. IPXCP
Two routers, R1 and R2, have a leased line between them. Each router had its configuration erased and
was then reloaded. R1 was then configured with the commands shown below:
R1(conf)# hostname R1
R1(conf)# interface s0/0
R1(conf-if)# encapsulation ppp
R1(conf-if)# ppp authentication chap
Which configuration command can complete the configuration on R1 so that CHAP can work correctly?
Assume that R2 has been configured correctly and that the password is "fred."
A. No other configuration is needed.
B. ppp chap (global command)
C. username R1 password fred
D. username R2 password fred
E. ppp chap password fred
Shown below is the output of a show command. Which two statements about this router's S0/0/1
interface are true? (Choose two.)
R1# show interfaces serial 0/0/1

Serial0/0/0 is up, line protocol is up
Hardware is GT96K Serial
Open: IPCP,CDPCP, loopback not set
CRC checking enabled
<Output omitted for brevity>
A. The interface is using HDLC.

B. The interface is using PPP.
C. The link should be able to pass PPP frames.
D. The interface currently cannot pass IPv4 traffic.
R1# show interfaces serial 0/0/1

Serial0/0/0 is up, line protocol is down
Hardware is GT96K Serial
Shown above is excerpt from the output of a show interfaces command on an interface that is
configured to use PPP. A ping of the IP address on the other end of the link fails. Which two of the
following are reasons for the failure, assuming that the problem that is listed in that answer is the only
problem with the link? (Choose two.)
A. The CSU/DSU connected to the other router is not powered on.
B. The IP address on the router at the other end of the link is not in subnet 192.168.2.0/24.
C. CHAP authentication failed.
D. The router on the other end of the link has been configured to use HDLC.
Which username must be configured on routers for PPP CHAP authentication?

A. a username that matches the hostname of the local router
B. a username that matches the hostname of the remote router
C. a username that matches neither hostname
D. There is no restriction on usernames.
Answer Key
Self Check
1. C
2. A, B
3. B
4. D
5. B, C
6. C, D
7. B
Lesson 3: Configuring GRE
Tunnels
Overview
A customer wants to connect a branch office to its headquarters. Because the connection is over the Internet
and running a routing protocol, CCS has determined that the customer needs a GRE tunnel. You are the
technician who is assigned to do the deployment and need to know how to establish a GRE tunnel and
verify its proper operation. Would you like to go onsite now to complete the job or study the training
"Configuring GRE Tunnels"?
GRE Tunnel Overview
Generic Routing Encapsulation, also known as GRE, is a tunneling protocol which provides a secure path
for transporting packets over a public network by encapsulating packets inside a transport protocol. GRE
supports multiple Layer 3 protocols such as IP, IPX, and AppleTalk. It also enables the use of multicast
routing protocols across the tunnel.
GRE adds a 20-byte IP header and a 4-byte GRE header, hiding the existing packet headers. The GRE
header contains a flag field and a protocol type field to identify the Layer 3 protocol being transported. It
may contain a tunnel checksum, tunnel key, and tunnel sequence number. GRE does not encrypt traffic or
use any strong security measures to protect the traffic.
GRE can be used along with IPsec to provide data source authentication and data confidentiality and ensure
data integrity. GRE over IPsec tunnels are typically configured in a hub-and-spoke topology over an
untrusted WAN to minimize the number of tunnels that each router must maintain.
GRE, developed by Cisco, is designed to encapsulate arbitrary types of network layer packets inside
arbitrary types of network layer packets, as defined in RFC 1701, Generic Routing Encapsulation (GRE);
RFC 1702, Generic Routing Encapsulation over IPv4 Networks; and RFC 2784, Generic Routing
Encapsulation (GRE).
A tunnel interface supports a header for each of the following:

• A passenger protocol or encapsulated protocol such as IPv4 or IPv6. This protocol is the one that is
being encapsulated.
• A carrier or encapsulation protocol (GRE, in this case).
• A transport delivery protocol, such as IP, which is the protocol that carries the encapsulated protocol.
GRE has these characteristics:
• It uses a protocol-type field in the GRE header to support the encapsulation of any OSI Layer 3
protocol.
• It is stateless. It does not include any flow-control mechanisms, by default.
• It does not include any strong security mechanisms to protect its payload.
• The GRE header, together with the tunneling IP header, creates at least 24 bytes of additional overhead
for tunneled packets.
You may have to adjust MTU on GRE tunnels, using ip mtu interface configuration command. This MTU
must match on both sides.
Discovery 22: Configure and Verify GRE Tunnel
Introduction
This discovery will guide you through the configuration, verification, and usage of a GRE tunnel to connect
IP networks using a completely different IP network as a transit link. The live virtual lab is prepared with
the devices represented in the topology diagram and the connectivity table. All devices have their basic
configurations in place, including hostnames and IP addresses on the Ethernet and loopback interfaces.
EIGRP has been configured on R2 and R3 for the 10.0.0.0/8 network. R2 and R3 are not aware of any of the
172.16.0.0/16 networks that exist on R1 and R4. The tunnel interfaces have not yet been configured.
Configuring them is one of your tasks during this discovery. Once the tunnel interfaces are up and
operational, you will verify connectivity between the 172.16.0.0/16 networks through the GRE tunnel.
Topology
Job Aid

• EIGRP is configured on R2 and R3.
• A static route is configured for 10.0.0.0/8 on R1 and R4.
• OSPF is configured on R1 and R4 after the tunnel is configured.
Device Information
Device Details
R1 Ethernet 0/0 R2 10.10.1.1/24
R1 Ethernet 0/1 — 172.16.1.1/24
R1 Loopback 0 — 172.16.11.1/24
R1 Tunnel 0 R4 172.16.99.1
R2 Ethernet 0/0 R1 10.10.1.2/24
R2 Ethernet 0/1 R3 10.10.2.1/24
R2 Loopback — 10.10.12.1/24
R3 Ethernet 0/0 R4 10.10.3.1/24
R3 Ethernet 0/1 R2 10.10.2.2/24
R3 Loopback 0 — 10.10.13.1/24
R4 Ethernet 0/0 R3 10.10.3.2/24
R4 Ethernet 0/1 — 172.16.4.1/24
R4 Loopback 0 — 172.16.14.1/24
R4 Tunnel 0 R1 172.16.99.2
Task 1: Configure and Verify GRE Tunnel

Activity
In the first few steps of this discovery, you will verify the status of the network as it has been
prepared. Start by accessing the console of R1 and displaying its routing table.
R1# show ip route


S 10.0.0.0/8 [1/0] via 10.10.1.2
R1 is not running any dynamic routing protocols. Other than the locally connected routes, the
only other route is a static route for the 10.0.0.0/8 network. R4 is configured in a similar fashion.
Verify that R1 can ping the R4 Ethernet0/0 interface (10.10.3.2).
R1# ping 10.10.3.2

R1 and R4 can reach each other using the 10.0.0.0/8 network.
Access the console of R2 and display its routing table.
R2# show ip route


D 10.10.3.0/24 [90/307200] via 10.10.2.2, 21:40:41, Ethernet0/1
D 10.10.13.0/24 [90/409600] via 10.10.2.2, 21:40:41, Ethernet0/1
R2 is running EIGRP and is peering with R3. Between them, they are aware of the entire
10.0.0.0/8 address space within the topology. R2 has no awareness of the 172.16.0.0/16 address
space that is behind R1 and R4. Neither does R3.
Configuring GRE Tunnel
The minimum GRE tunnel configuration requires specification of the tunnel source and destination
addresses. You must also configure an IP subnet to provide IP connectivity across the tunnel link.
At each end of the tunnel, you must use symmetrical, reachable addresses. You can use loopback
addresses if they are reachable.
Command Description
tunnel source ip-address Specifies the tunnel source IP address in interface tunnel configuration
mode. This IP address is the one that is assigned to the local interface.
tunnel destinationip-address Specifies the tunnel destination IP address in interface tunnel configuration
mode. This IP address is the one that is assigned to the local interface or
the remote router.
ip addressip-address mask Specifies the IP address of the tunnel interface.
tunnel mode gre ip Specifies the GRE tunnel mode as the tunnel interface mode in interface
tunnel configuration mode. The GRE tunnel mode is the default tunnel
mode on Cisco routers, so you do not need to enter this command.
Access the console of R1 and define the interface Tunnel0. Assign it the IP address
172.16.99.1/24. The R1 Ethernet0/0 interface (10.10.1.1) should be the source and the R4
Ethernet 0/0 interface (10.10.3.2) should be the destination.
R1# conf t
R1(config)# interface tunnel0
R1(config-if)#
*Nov 3 14:14:43.002: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0,
changed state to down
R1(config-if)# tunnel source 10.10.1.1
R1(config-if)# tunnel destination 10.10.3.2
R1(config-if)#
changed state to up
R1(config-if)# end
R1#
The Tunnel0 interface was administratively up immediately after being defined, and its line
protocol came up immediately after being fully configured.
Access the console of R4 and define the peer Tunnel0 interface. Assign it the IP address
172.16.99.2/24. The R4 Ethernet0/0 interface (10.10.3.2) should be the source and the R1
Ethernet 0/0 interface (10.10.1.1) should be the destination..
R4# conf t
R4(config)# interface tunnel0
R4(config-if)#
changed state to down
R4(config-if)# tunnel source 10.10.3.2
R4(config-if)# tunnel destination 10.10.1.1
R4(config-if)#
changed state to up
R4(config-if)# end
R4#
Again, the Tunnel0 interface was administratively up immediately after being defined, and its
line protocol came up immediately after being fully configured.
Verifying GRE Tunnel
To determine whether the tunnel interface is up or down, use the show ip interface brief command.
You can verify the state of a GRE tunnel by using the show interface tunnel command. The line protocol
on a GRE tunnel interface is up as long as there is a route to the tunnel destination.
By issuing the show ip route command, you can identify the route between the GRE-tunnel-enabled
routers. Because a tunnel is established between the two routers, the path is seen as directly connected.
Verify that the Tunnel0 interface on R1 is up.
R1# show ip interface brief Tunnel 0

Protocol
Tunnel0 172.16.99.1 YES manual up up
The status and line protocol for the Tunnel0 interface are "up."
Verify that the Tunnel0 interface on R4 is up.
Instead of using show ip interface brief command on R4, use show interface command:
R4# show interface Tunnel 0Tunnel0 is up, line protocol is up
Hardware is Tunnel
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 10.10.3.2, destination 10.10.1.1Tunnel protocol/transport
GRE/IP
The status and line protocol for the Tunnel0 interface are "up." You can also see the IP address
of the tunnel interface, source and destination IP address, as well as tunnel mode.
Display the routing table on the R1 router.
R1# show ip route

S 10.0.0.0/8 [1/0] via 10.10.1.2
C 172.16.99.0/24 is directly connected, Tunnel0
L 172.16.99.1/32 is directly connected, Tunnel0
As you can see, the traffic that is destined for 172.16.99.0/24 enters the GRE tunnel interface.
Ping the IP address of the R4 Tunnel0 interface from R1.
R1# ping 172.16.99.2

The ping was successful through the GRE tunnel. The ICMP echo and echo reply packets were
encapsulated in the GRE tunnel. That is, from R1 to R4, the IP packet sourced from 172.16.99.1
and destined for 172.16.99.2 was encapsulated with a second IP header sourced from 10.10.1.1
and destined to 10.10.3.2. This packet was sent out the R1 Ethernet 0/0 interface and was
forwarded by R2 and R3 to the R4 Ethernet0/0 interface. R4 then stripped the outer IP header to
reveal the encapsulated IP packet that is destined for 172.16.99.2.
R3 and R2 did not know that that other IP packets were embedded in the packets that they
forwarded. The 10.0.0.0/8 network was used to forward packets for 172.16.0.0/16 even though
the transit routers had no awareness of 172.16.0.0/16.
Being able to forward packets between the two tunnel interfaces is good. But you can also run
dynamic routing protocol through the tunnel. Configure OSPF process ID 1 on R4. Assign R4
the router ID 0.0.0.4. Include the network 172.16.0.0/16 (which includes the interfaces
Ethernet0/1, Loopback0, and Tunnel0) in Area 0.
R4# conf t
R4#
Access the console of R1 to configure it for OSPF. Configure OSPF process ID 1. Assign the
router ID 0.0.0.1. Include the network 172.16.0.0/16 (which includes the interfaces Ethernet0/1,
Loopback0, and Tunnel0) in Area 0.
R1# conf t
R1(config-router)#
*Nov 4 11:41:51.093: %OSPF-5-ADJCHG: Process 1, Nbr 0.0.0.4 on Tunnel0 from
LOADING to FULL, Loading Done
Display the routing table on the R1 router.
R1# show ip route

S 10.0.0.0/8 [1/0] via 10.10.1.2
O 172.16.4.0/24 [110/1010] via 172.16.99.2, 00:19:23, Tunnel0
O 172.16.14.1/32 [110/1001] via 172.16.99.2, 00:19:23, Tunnel0
C 172.16.99.0/24 is directly connected, Tunnel0
L 172.16.99.1/32 is directly connected, Tunnel0
R1 has learned about the networks running behind the R4 Loopback0 and Ethernet0/1 interfaces
via OSPF routing protocol. The traffic that is destined to the R4 Loopback0 and Ethernet0/1
interfaces will enter the GRE Tunnel0 interface.
Ping the R4 Ethernet0/1 interface (172.16.4.1) from R1.
R1# ping 172.16.4.1

Again, this traffic and all other 172.16.0.0/16 traffic between R1 and R4 traverses the GRE
tunnel. This traffic is forwarded by R2 and R3, but they are unaware of it. They see it as traffic
between the R1 Ethernet0/0 interface (10.10.1.1) and the R4 Ethernet0/0 interface (10.10.3.2).
Display the OSPF neighbors of R1.

0.0.0.4 0 FULL/ - 00:00:37 172.16.99.2Tunnel0
R4 is an OSPF neighbor of R1, using the GRE tunnel.
Self Check
GRE tunnel mode is the default tunnel interface mode in Cisco IOS Software. True or False ?
A. True
B. False
Which two of the following are GRE characteristics? (Choose two.)

A. GRE encapsulation uses a protocol-type field in the GRE header to support the encapsulation of any
OSI Layer 3 protocol.
B. GRE itself is stateful. It includes flow-control mechanisms, by default.
C. GRE includes strong security mechanisms to protect its payload.
D. The GRE header, together with the tunneling IP header, creates at least 24 bytes of additional
overhead for tunneled packets.
GRE tunnel is flapping with the following error message below:
01:11:39: %LINEPROTO-5-UPDOWN:
Line protocol on Interface Tunnel0, changed state to up
01:11:48: %TUN-5-RECURDOWN:
Tunnel0 temporarily disabled due to recursive routing
Line protocol on Interface Tunnel0, changed state to down
What could be the reason for the tunnel flapping ?

A. IP routing has not been enabled on tunnel interface.
B. MTU issue on the tunnel interface.
C. The router is trying to route to the tunnel destination address using the tunnel interface itself.
D. Access-list blocking traffic on the tunnel interface.
Is GRE tunnel considered secure ?

A. Yes
B. No
Which of the following commands will not tell you if the GRE tunnel X is in "up/up" state ?
A. show ip interface brief
B. show interface tunnel X
C. show ip interface tunnel X
D. show run interface tunnel X
Can you have a Loopback address as the tunnel source IP address ?
A. Yes
B. No
Does GRE tunnel support multicast ?

A. No
B. Yes
Answer Key
Self Check
1. A
2. A, D
3. C
4. B
5. D
6. A
7. B
Lesson 4: Configuring
Single-Homed EBGP
Overview
BGP is the routing protocol that is one of the underlying foundations of the Internet. This protocol is
complex and scalable, but it is also reliable and secure. EBGP is a part of the BGP that you use for
exchanging routes between different autonomous systems.
Interdomain Routing
The Internet is a collection of autonomous systems that are interconnected to allow communication between
them. An autonomous system is by definition a collection of networks under a single technical
administration domain. BGP provides the routing between these autonomous systems.
To understand BGP, you must first understand how it differs from other routing protocols.
One way you can categorize routing protocols is whether they are interior or exterior.
• IGP is a routing protocol that exchanges routing information within an AS. RIP, OSPF, and EIGRP are
examples of IGPs.
• EGP is a routing protocol that exchanges routing information between different autonomous systems.
BGP is an example of an EGP.
Introduction to EBGP
BGP is an important building block of the Internet as you know it today. The Internet is a set of many
autonomous systems and a set of an even higher number of routes that have to be reachable any time.
BGP uses TCP as the transport mechanism, which provides reliable connection-oriented delivery. BGP uses
TCP port 179. Two routers that are using BGP form a TCP connection with one another. These two BGP
routers are called "peer routers," or "neighbors."
When BGP is running between routers in different autonomous systems, it is called EBGP. When BGP is
running between routers in the same autonomous system, it is called IBGP. IBGP is used between routers in
the same autonomous system mostly for redundancy and load balancing purposes.
Different customers are using EBGP for route exchange between their local environments and their ISPs.
The IANA is responsible for the global coordination and assignment of AS numbers and public IP addresses
(usually through a local ISP). Each customer has to place a request for their AS number and a set of public
space IP prefixes. The customer then establishes an EBGP session with its ISP and they exchange routing
information.
Internet Service Providers are also interconnected. Each ISP has his own AS number. ISPs can
communicate directly or they can use IXP for route distribution.
The Internet is expanding with high speed and the size of all routing information is extremely large. In
2015, more than 570,000 routes exist in full BGP table and the number of routes is still expending greatly.
Therefore, scalability is a very important feature of BGP. BGP enables reliable information exchange and is
capable of batching the routing updates. These two characteristics allow BGP to scale to large, Internet-
sized networks.
BGP also has security features. You can configure peer authentication and route filtering.
For more advanced networks, BGP also provides routing policies for route update manipulations.
Discovery 23: Configure and Verify Single Homed
EBGP
Introduction
In this discovery, you will learn how to configure external BGP between the service provider and customer.
The service provider (ISP1 router) has two different customers (R1 and R2 routers). It has to establish a
separate EBGP session with each of the customers. All devices have their basic configurations in place,
including hostnames and IP addresses. R1 and R2 have also been preconfigured with BGP.
Topology
Job Aid

• R1 and R2 have been preconfigured with BGP:
– R1 has BGP AS 100.
– R2 has BGP AS 200.
Device Information
Device Details
Device Interface IP Address Description
ISP1 Ethernet0/1 192.168.1.10/24 Connection to R1
ISP1 Ethernet0/2 192.168.2.10/24 Connection to R2
ISP1 Loopback0 10.0.0.1/24 Loopbacks simulate LAN

networks
R1 Ethernet0/1 192.168.1.11/24 Connection to ISP1
R1 Loopback0 10.0.1.1/24 Loopbacks simulate LAN

networks
Device Interface IP Address Description
R2 Ethernet0/2 192.168.2.11/24 Connection to ISP1
R2 Loopback0 10.0.2.1/24 Loopbacks simulate LAN

networks
Device AS Information
Device AS Number
ISP1 AS 1
R1 AS 100
R2 AS 200
Task 1: Configure and Verify Single Homed EBGP
The requirements to configure basic EBGP include the following details:

• AS numbers (your own and all remote AS numbers, which must be different)
• All the neighbors (peers) that are involved in BGP, and IP addressing that is used among the BGP
neighbors
• Networks that need to be advertised into BGP
IGP is the routing protocol that runs inside an AS. An IGP is not run between the EBGP neighbors that are
residing in different autonomous systems. Therefore, the IP address that is used in the BGP neighbor
command must be reachable without using an IGP, which can be accomplished by pointing at an address
that is reachable through a directly connected network or by using static routes to that IP address.
A typical BGP configuration involves configuring BGP between a customer network and an ISP. This
process is called EBGP.
The basic BGP configuration requires three main steps:

1. Define the BGP process.
2. Establish one or more neighbor relationships.
3. Advertise the networks into BGP.
1. To start BGP process on a router, use the router bgp command. Each process must be assigned the
local AS number. There can be, at most, one BGP process in a router which means that each router can
only be in one AS at any given time.
AS number is a 16-bit integer in the range from 1 to 65,534. When the AS-number pool from IANA
approached exhaustion, also new 32-bit AS numbers were created.
2. Since BGP does not automatically discover neighbors like other routing protocols do, you have to
explicitly configure them using the neighborpeer-ip-addressremote-aspeer-as-number command. The
external neighbor has to be reachable on the indicated IP address.
3. To specify the networks to advertise into BGP, you can use the network command with the optional
mask keyword and the subnet mask specified. If an exact match of the advertised network is not found
in the IP routing table, the network will not be advertised.
The network command with no mask option uses the classful approach to insert a major network into the
BGP table.
If you have, for example, a 10.10.10.0/24 network on the router that you want to announce it in the BGP,
you have to announce it using the mask keyword (network 10.10.10.10 255.255.255.0). If you do not
specify the mask, BGP will take the whole Class A network (10.0.0.0/8) to announce it. Because this exact
class A network cannot be found in the routing table, it cannot be announced in the BGP.
The meaning of the network command in BGP is radically different from the meaning of this command in
other routing protocols. In all other routing protocols, the network command indicates interfaces over which
the routing protocol will be run. In BGP, it indicates only which routes should be injected into the BGP table
on the local router.
Activity
BGP has been preconfigured on the customers side. Access the console of R1 and display the
BGP configuration.
R1# show running-config | section bgprouter bgp 100

bgp log-neighbor-changes
network 10.0.1.0 mask 255.255.255.0neighbor 192.168.1.10 remote-as 1
• R1 has been configured in the BGP AS 100.

• Network 10.0.1.0/24 has been announced to all configured BGP neighbors.
• The external neighbor with IP address 192.168.1.10 has been configured. Note that this IP
address belongs to the ISP1 router.
You will find a similar configuration on the R2 router.
For a BGP session to be established, both sites have to be configured. Configure the service
provider site.
Enable BGP routing process on ISP1 and configure both external neighbors, the R1 and R2
routers. Use the following information:
• ISP1 is in AS 1.
• R1 is in AS 100 and has IP address 192.168.1.11.
• R2 is in AS 200 and has IP address 192.168.2.11.
ISP1# conf t
ISP1(config)# router bgp 1
ISP1(config-router)# neighbor 192.168.1.11 remote-as 100
ISP1(config-router)# neighbor 192.168.2.11 remote-as 200
ISP1(config-router)# end
After you configure the external BGP neighbors on ISP1, you will see that external BGP
sessions between R1 and ISP1, and R2 and ISP1 are successfully established.
*Oct 6 11:36:01.393: %BGP-5-ADJCHANGE: neighbor 192.168.1.11 Up

*Oct 6 11:36:12.364: %BGP-5-ADJCHANGE: neighbor 192.168.2.11 Up
You will now announce ISP1 Loopback0 network with the IP address 10.0.0.0/24 in the BGP.
Before advertising it, verify that there is an exact match of this network in the ISP1 routing table.
ISP1# show ip route


If the route was missing from the routing table, it would not be advertised into the BGP.
Configure ISP1 to announce the Loopback0 network with the IP address 10.0.0.0/24 in the BGP
process.
Use the network router configuration command to announce the network.
ISP1# conf t
ISP1(config)# router bgp 1
ISP1(config-router)# network 10.0.0.0 mask 255.255.255.0
ISP1(config-router)# end
Verifying EBGP
The show ip bgp summary command gives you an overview of the BGP status. Each configured neighbor
is listed in the output of the command. The output will display the IP address and AS number of the
neighbor, along with the status of the session. You can use this information to verify that BGP sessions are
up and established, or to verify the IP address and AS number of the configured BGP neighbor.
The show ip bgp neighbors command supplies additional information about BGP connections to
neighbors. This command can be used for two purposes. First one is to get information about the TCP
sessions and the BGP parameters of the sessions. All BGP session parameters are displayed. In addition,
TCP timers and counters are also displayed.
To display the entire BGP table, use the show ip bgp command. This command gives you an overview of
all routing information that is received from all neighbors. It displays basic information about each route on
a single link.
If multiple paths to reach the same network exist, all are displayed. The router selects only one of the
alternatives as the best path toward the destination and marks it with the ">" sign.
On the ISP1 router, verify the state of BGP session.
Use the show ip bgp summary command to examine the external BGP sessions.
ISP1# show ip bgp summaryBGP router identifier 10.0.0.1, local AS number 1
BGP table version is 3, main routing table version 3
2 network entries using 296 bytes of memory
2 path entries using 128 bytes of memory
3/2 BGP path/bestpath attribute entries using 408 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 880 total bytes of memory
BGP activity 5/3 prefixes, 5/3 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down

State/PfxRcd
192.168.1.11 4 100 5 6 3 0 0 00:00:10
1192.168.2.11 4 200 5 6 3 0 0 00:00:10 1
The first section of the show ip bgp summary command output describes the BGP table and its
content:
• The router ID of the router and local AS number
• The BGP table version is the version number of the local BGP table. This number is
increased every time that the table is changed
The second section of the show ip bgp summary command output is a table in which the
current neighbor statuses are shown. There is one line of text for each neighbor that has been
configured. The information that is displayed:
• IP address of the neighbor.
• BGP version number that is used by the router when communicating with the neighbor
• AS number of the remote neighbor.
• Number of messages and updates that have been received from the neighbor since the
session was established
• Number of messages and updates that have been sent to the neighbor since the session was
established
• Version number of the local BGP table that has been included in the most recent update to
the neighbor
• Number of messages that are waiting to be processed in the incoming queue from this
neighbor
• Number of messages that are waiting in the outgoing queue for transmission to the neighbor
• How long the neighbor has been in the current state and the name of the current state (the
state "Established" is not printed out, so no state name indicates "Established")
• Number of received prefixes from the neighbor.
ISP1 has two established sessions with the following neighbors:
• 192.168.1.11, which is the IP address of R1 router and is in AS 100.
• 192.168.2.11, which is the IP address of R2 router and is in AS 200.
From each of the neighbors, ISP1 has received one prefix (one network).
On ISP1, use the show ip bgp neighbors command to verify that BGP state is established with
both neighbors.
Optionally you can add the IP address of the neighbor at the end of the command.
ISP1# show ip bgp neighbors 192.168.1.11
BGP neighbor is 192.168.1.11, remote AS 100, external link
BGP version 4, remote router ID 10.0.1.1
BGP state = Established, up for 00:01:16
Last read 00:00:24, last write 00:00:05, hold time is 180, keepalive interval
is 60 seconds
Neighbor sessions:
1 active, is not multisession capable (disabled)
Neighbor capabilities:
Route refresh: advertised and received(new)
Four-octets ASN Capability: advertised and received
Address family IPv4 Unicast: advertised and received
Enhanced Refresh Capability: advertised and received
Multisession Capability:
Stateful switchover support enabled: NO for session 1
ISP1# show ip bgp neighbors 192.168.2.11

BGP neighbor is 192.168.2.11, remote AS 200, external link
BGP version 4, remote router ID 10.0.2.1
BGP state = Established, up for 00:02:31
Last read 00:00:42, last write 00:00:11, hold time is 180, keepalive interval
is 60 seconds
Neighbor sessions:
1 active, is not multisession capable (disabled)
Neighbor capabilities:
Route refresh: advertised and received(new)
Four-octets ASN Capability: advertised and received
Address family IPv4 Unicast: advertised and received
Enhanced Refresh Capability: advertised and received
Multisession Capability:
Stateful switchover support enabled: NO for session 1
Notice that the external BGP connection is identified as an external link in the show ip bgp
neighbor command output.
On ISP1 router, verify the received prefixes.
Use the show ip bgp command, that will display all the routing information.
ISP1# show ip bgp

BGP table version is 4, local router ID is 10.0.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path

*> 10.0.0.0/24 0.0.0.0 0 32768 i
*> 10.0.1.0/24 192.168.1.11 0 0 100 i
*> 10.0.2.0/24 192.168.2.11 0 0 200 i
With the show ip bgp command, the entire BGP table is displayed. An abbreviated list of
information about each route is displayed, one line per prefix. The output is sorted in network
number order. Therefore, if the BGP table contains more than one route to the same network, the
alternative routes are displayed on successive lines. The network number is printed on the first of
these lines only. The following lines, which refer to the same network, have the network number
field left blank. Also some, but not all, of the BGP attributes that are associated with the route
are displayed on the line.
The BGP path selection process selects one of the available routes to each of the networks as the
best. This route is pointed out by the ">" character in the left column.
ISP1 has the following networks in the BGP table:
• 10.0.0.0/24, which has been locally configured on ISP1.
• 10.0.1.0/24, which has been announced from 192.168.1.11 (R1) neighbor.
• 10.0.2.0/24, which has been announced from 192.168.2.11 (R2) neighbor.
Since the command displays all routing information, note that also network 10.0.0.0/24, with the
next hop attribute set to 0.0.0.0, is displayed. The next hop attribute is set to 0.0.0.0 when you
view the BGP table on the router that originates the route in BGP. The 10.0.0.0/24 network is the
network that you locally announced on ISP1 into BGP.
Note that each path is marked as the best path, since there is only one path to each of the
networks.
Self-Check
Which of the following are an Exterior Gateway Protocol ?

A. EIGRP
B. OSPF
C. RIP
D. BGP
When BGP runs between two peers in the same autonomous system (AS), it is referred to as External
BGP (EBGP).
A. True
B. False
In the following command, the AS number, 65200 is for which router ?
R1(config-router)# neighbor 10.108.200.1 remote-as 65200
A. The local router R1

B. The neighbor router with IP address 10.108.200.1.
C. Both
Which TCP port does BGP use to establish BGP session.

A. 179
B. 21
C. 81
D. 441
Refer to the output below. Is the BGP session established between the peers ?
R1#show ip bgp summary

BGP router identifier 10.1.1.1, local AS number 64
BGP table version is 1, main routing table version 1
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd

10.1.5.70 4 64 0 0 0 0 0 never Active
A. Yes
B. No
Which command can you use to know the hold time on the two BGP peers ?
A. show ip bgp
B. show ip bgp summary
C. show ip bgp all
D. show ip bgp neighbor
What does a next hop of 0.0.0.0 mean in the show ip bgp command output?
Router# show ip bgp
For address family: IPv4 Unicast *****

BGP table version is 27, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path

*> 10.1.1.0/24 0.0.0.0 0 32768 ?
*> 10.13.13.0/24 0.0.0.0 0 32768 ?
*> 10.15.15.0/24 0.0.0.0 0 32768 ?
A. The router does not know the next hop.

B. Network is locally originated via network command in BGP.
C. It is not a valid network.
D. The next hop is not reachable.
Answer Key
Self-Check
1. D
2. B
3. B
4. A
5. B
6. D
7. B
Module 7: Network Device
Management and Security
Introduction
The network staff is responsible for managing each device on the network according to industry best
practices and in an effort to reduce device downtime. This module describes the commands and processes to
determine network operational status, gather information about remote devices, and manage Cisco IOS
Software images, configuration files, and devices on a network. The module also explains how to enable
Cisco IOS Software feature sets by obtaining and validating a Cisco software license.
Basic Network Device
Management and Security
Overview
A CCS customer would like some advice on how to mitigate the threats at the access layer of their network.
They are also considering implementing RADIUS or TACACS+ servers for authentication to their network
devices. The customer also heard that using NMS in their network can help them quickly determine the
operation of different network devices.
CCS has been contracted to configure the devices to support external authentication and access and
information collection by the remote NMS. Your task is to set up the Cisco devices for external
authentication using RADIUS and TACACS+ servers. You will also set up Cisco devices for SNMP so that
they will communicate with the NMS.
Mitigating Threats at Access Layer
The access layer is the point at which user devices connect to the network and is therefore the connection
point between the network and client device. So, protecting the access layer plays an important role in
protecting other users, applications, and the network itself from human errors and malicious attacks.
Different security features exist to protect the access layer of your network. Port security, DHCP snooping,
Dynamic ARP Inspection, also known as DAI, are only some of them. Besides those features, you can
configure identity-based networking, which will provide additional security and protection of your network
resources even in the case of user mobility.
The configuration of mentioned techniques is beyond the scope of this course (with the exception of port
security, which you are already familiar with).
DHCP Snooping and DAI
DHCP snooping is a Layer 2 security feature that acts like a firewall between untrusted hosts and trusted
DHCP servers. The primary function of the DHCP snooping is to prevent rogue DHCP servers in the
network. Interfaces on the switches are configured as trusted or untrusted. Trusted interfaces allow all types
of DHCP messages, while untrusted interfaces allow only requests. Trusted interfaces are interfaces that
connect to a DHCP server or are an uplink towards the DHCP server.
With DHCP snooping enabled, a switch also builds a DHCP snooping binding database. Each entry in the
database includes the MAC address of the host, the leased IP address, the lease time, the binding type, the
VLAN number, and the interface information that is associated with the host. Other security features, such
as Dynamic ARP Inspection, also use this DHCP snooping binding database.
Dynamic ARP Inspection intercepts all ARP requests and all replies on the untrusted ports. It verifies each
intercepted packet for a valid IP-to-MAC binding based on the database that DHCP snooping builds. The
device either drops or logs ARP replies coming from invalid devices. This way, it prevents ARP poisoning
attacks.
Identity-Based Networking
Identity-based networking is a concept that unites several authentication, access control, and user policy
components with the aim to provide users with the network services that they are entitled to.
Traditional LAN security depends on physical security of the network ports. In order to gain access to the
accounting VLAN, a user has to walk into the accounting department and plug the device in an Ethernet
port. With user mobility as one of the core requirements of modern enterprise networks, this dependency is
no longer practical, and it does not provide sufficient security.
Identity-based networking allows you to verify users when they connect to a switch port. Identity-based
networking authenticates users and places them in the right VLAN based on their identity. Should any users
fail to pass the authentication process, their access can be rejected, or they might be simply put in a guest
VLAN.
The IEEE 802.1x standard allows you to implement the identity-based networking based on the client-server
access control. These three roles are defined by the standard:
• Client: Also known as the supplicant. It is the workstation with 802.1x-compliant client software.
• Authenticator: Usually the switch, which controls the physical access to the network. It acts as a proxy
between the client and authentication server.
• Authentication server (RADIUS): The server that authenticates each client that connects to a switch
port before making available any services that the switch or the LAN behind offer.
External Authentication Options
Administrative access to a specific network device should be secured so that only authenticated users can
access the device.
In a small network, local authentication is often used. When you have more than a few user accounts in a
local device database, managing those user accounts becomes more complex. For example, if you have 100
network devices, adding one user account means that you have to add this user account on all 100 devices in
the network. Also, when you add one network device to the network, you have to add all user accounts to
the local device database to enable all users to access that device.
Because maintaining the local database for each network device for the size of the network is usually not
feasible, you can use an external AAA server that will manage all user and administrative access needs for
an entire network.
AAA commonly stands for authentication, authorization, and accounting. It refers to a security architecture
for distributed systems that enables control over which users are allowed access to which services and how
much resources they have used.
The two most popular options for external AAA are as follows:
• RADIUS: RADIUS is an open standard that combines authentication and authorization services as a
single process—after users are authenticated, they are also authorized. It uses UDP for the
authentication and authorization service.
• TACACS+:TACACS+ is a Cisco proprietary security mechanism that separates AAA services.
Because it has separated services, you can use TACACS+ only for authorization and accounting, while
using another method of authentication. It uses TCP for all three services.
By using the RADIUS or TACACS+ authentication, all authentication requests are relayed to the external
server, which allows or denies the user according to its user database. The server then instructs the network
device to allow or deny access.
The previous figure shows the external authentication process:
1. A host connects to the network. It can use any communication protocol, depending on the host. At this
point, the host is prompted for a username and password.
2. The network device passes a RADIUS/TACACS+ access request, along with user credentials, to the
authentication server.
3. The authentication server uses an identity that is stored to validate user credentials.
4. The authentication server sends a RADIUS/TACACS+ response (Access-Accept or Access-Reject) to
the network device that will apply the decision.
Discovery 24: Configure External Authentication
Using RADIUS and TACACS+
Introduction
This discovery will guide you through the configuration of external authentication using RADIUS and
TACACS+. The live virtual lab is prepared with the router, PC, and server that are represented in the
topology diagram and the connectivity table. The devices have their basic configurations in place, including
hostnames and IP addresses. In the discovery, you will configure a console and vty access on the router
using RADIUS and TACACS+ servers.
Topology
Job Aid
Device Information

Device Details
PC1 Ethernet0/0 R1 10.0.0.10/24
R1 Ethernet0/0 PC1 10.0.0.1/24
R1 Ethernet0/1 SRV1 10.1.1.1/24
SRV1 Ethernet0/0 R1 10.1.1.10/24
PC and SRV in the virtual lab environment are simulated as routers, so you should use Cisco IOS
Task 1: Configure RADIUS for Console and VTY Access
Before starting with the RADIUS configuration, you need to enable AAA services and configure local
username and password to avoid being locked out.
Router(config)# aaa new-model

Router(config)# username usernamepassword password
The RADIUS AAA configuration then starts with the configuration of a RADIUS server:
Router(config)# radius server configuration-name

Router(config-radius-server)# address ipv4 hostname [auth-port integer] [ acct-port
integer]
Router(config-radius-server)# key string
You need to specify the hostname, or the IP address of the server. Optionally, you can specify a custom port
number for the UDP communication, if your RADIUS server is listening on nondefault ports. Port numbers
for authentication and accounting differ. The key string specifies the authentication and encryption key that
is used between the access device and the RADIUS server. This value must match on both devices.
Next, you need to add the RADIUS server to a server group. You can add multiple RADIUS servers to a
group, as long as they were previously defined using the radius server command.
Router(config)# aaagroupserverradiusgroup-name
Router(config-sg-radius)# servernameconfiguration-name
Then you have to configure the device to actually use RADIUS server group for login authentication.
Optionally, you can also specify to fallback to local authentication.
Router(config)# aaa authentication login [default | list-name] group group-name local
The default method list is automatically applied to all interfaces, except those interfaces that have a named
method list that is explicitly defined.
You can also specify multiple authentication method lists, using different combinations of server groups and
options of local fallback. If you decide to use method lists, you must then apply a specific list also to the
console or vty lines.
Activity
On R1, configure local user "admin" that will have the "Cisco123" password.
R1(config)# username admin password Cisco123
You can then use this same locally created user if the external authentication server fails.
You need to enable AAA services to unhide all AAA commands. Access the console of R1 and
configure the aaa new-model command in the global configuration mode.
R1# conf t
R1(config)# aaa new-model
The aaa new-model command immediately applies local authentication to all lines and
interfaces (except console line line con 0). To avoid being locked out of the router, you should
define a local username and password before starting the AAA configuration.
On R1, configure SRV1 as a RADIUS server. Use "radiusPassword" as a shared key.
The configuration name of the server can be anything, but you have to specify the SRV1 IP
address as the IPv4 address of the server.
R1(config)# radius server myRadiusSRV1

R1(config-radius-server)# address ipv4 10.1.1.10
R1(config-radius-server)# key radiusPassword
R1(config-radius-server)# exit
On R1, add this newly created RADIUS server to the group.
The configuration name of the group can be anything.
R1(config)# aaa group server radius MyRadiusGroup

R1(config-sg-radius)# server name myRadiusSRV1
R1(config-sg-radius)# exit
Now you have to specify the router to use this RADIUS group for login authentication.
On R1, configure this newly created group to be used for AAA login authentication. If the
RADIUS server fails, the fallback to local authentication should be set.
R1(config)# aaa authentication login default group MyRadiusGroup local

R1(config)# exit
Access the console of PC1 and try to connect to R1. Use the "admin" username and "Cisco123"
password for login credentials.
Remember that SRV1 is listed as a RADIUS server. Because SRV1 is a virtual server, which is
simulated as router in this example, it does not have actual RADIUS capabilities. So, when you
try to connect to R1, the RADIUS authentication will not work. Authentication will fall back to
the local authentication, and you will be able to use local credentials that you created earlier.
PC1# telnet 10.0.0.1

Trying 10.0.0.1 ... Open
Username: admin
Password:
R1#exit

PC1#
Note: Because R1 first tries to authenticate you on the RADIUS server and then falls back to the
local database, the authentication process may take a bit longer.
Task 2: Configure TACACS+ for Console and VTY
Access
TACACS+ AAA configuration is nearly identical to the RADIUS configuration. Before starting with the
TACACS+ configuration, you need to enable AAA services and configure local username and password to
avoid being locked out.
Router(config)# aaa new-model
Router(config)# usernameusernamepasswordpassword
Then, you can configure the TACACS+ server.
Router(config)# tacacsserverconfiguration-name
Router(config-server-tacacs)# addressipv4hostname
Router(config-server-tacacs)# portport-number
Router(config-server-tacacs)# keystring
You need to specify the hostname, or the IP address of the server. Optionally, you can specify a custom port
number for the TCP communication, if your TACACS+ server is listening on nondefault ports. The key
string specifies the encryption key that is used for encrypting all traffic between the access device and
TACACS+ server. This value must match on both devices.
Next, you need to add the TACACS+ server to a server group. You can add multiple TACACS+ servers to a
group, as long as they were previously defined using the tacacs server command.
Router(config)# aaa group server tacacs+group-name

Router(config-sg-tacacs+)# servernameconfiguration-name
Then you have to configure the device to actually use the TACACS+ server group for login authentication.
Optionally, you can also specify to fall back to local authentication.
Router(config)# aaaauthenticationlogin [default | list-name] groupgroup-namelocal
The default method list is automatically applied to all interfaces except those interfaces that have a named
method list that is explicitly defined.
Activity
You first need to enable AAA services and create a local user.
Because you have already configured this part in the previous procedure, you can proceed to the
next step.
Access the console of R1 and configure SRV1 as a TACACS+ server. Use "tacacsPassword" as
a shared key.
The configuration name of the server can be anything, but you have to specify the SRV1 IP
address as the IPv4 address of the server.
R1# conf t
R1(config)# tacacs server myTacacsSRV1
R1(config-server-tacacs)# address ipv4 10.1.1.10
R1(config-server-tacacs)# key tacacsPassword
R1(config-server-tacacs)# exit
On R1, add this newly created TACACS+ server to the group.
The configuration name of the group can be anything.
R1(config)# aaa group server tacacs+ MyTacacsGroup

R1(config-sg-tacacs+)# server name myTacacsSRV1
R1(config-sg-tacacs+)# exit
Now you have to specify the router to use this TACACS+ group for login authentication.
On R1, configure this newly created group to be used for AAA login authentication. If the
TACACS+ server fails, the fallback to local authentication should be set.
R1(config)# aaa authentication login default group MyTacacsGroup local

R1(config)# exit
Note that this configuration will overwrite the previously specified authentication method using
the RADIUS server because you can specify only one group (RADIUS or TACACS+) with the
default method list.
Access the console of PC1 and try to connect to R1. Use "admin" and "Cisco123" login
credentials.
Remember that SRV1 is listed as the TACACS+ server. Because SRV1 is a virtual server, which
is simulated as a router in this example, it does not have actual TACACS+ capabilities. So, when
you try to connect to R1, the TACACS+ authentication will not work. Authentication will fall
back to local authentication, and you will be able to use local credentials that you created earlier.
PC1# telnet 10.0.0.1

Trying 10.0.0.1 ... Open
Username: admin
Password:
R1#exit

PC1#
Note: Because R1 first tries to authenticate you on the TACACS+ server and then falls back to
the local database, the authentication process may take a bit longer.
SNMP Overview
In the complex network of routers, switches, and servers today, it can seem like a daunting task to manage
all devices on your network and make sure that they are not only up and running but also performing
optimally. This area is where SNMP can help. SNMP was introduced to meet the growing need for a
standard of managing IP devices.
SNMP exposes environment and performance parameters of a network device, allowing an NMS to collect
and process data.
SNMP is an application layer protocol that defines how SNMP managers and SNMP agents exchange
management information. SNMP uses the UDP transport mechanism to retrieve and send management
information, such as MIB variables.
SNMP is broken down into these three components:
• SNMP manager: Periodically polls the SNMP agents on managed devices by querying the device for
data. The SNMP manager can be part of an NMS such as Cisco Prime Infrastructure.
• SNMP agent: Runs directly on managed devices, collects device information, and translates it into a
compatible SNMP format according to the MIB.
• MIB: Represents a virtual information storage location that contains collections of managed objects.
Within the MIB, there are objects that relate to different defined MIB modules (for example, the
interface module).
Routers and other network devices keep statistics about the information of their processes and interfaces
locally. SNMP on a device runs a special process that is called an agent. This agent can be queried, using
SNMP. SNMP is typically used to gather environment and performance data such as device CPU usage,
memory usage, interface traffic, interface error rate, and so on. By periodically querying or "polling" the
SNMP agent on a device, an NMS can gather or collect statistics over time. The NMS polls devices
periodically to obtain the values of the MIB objects that it is set up to collect. It then offers a look into
historical data and anticipated trends. Based on SNMP values, NMS triggers alarms to notify network
operators.
To obtain information from the MIB on the SNMP agent, you can use several different operations:
• Get: This operation is used to get information from the MIB to an SNMP agent.
• Get-next: This operation is used to get the next object from the MIB to and SNMP agent.
• Get-bulk: This operation allows a management application to retrive a large section of a table at once.
• Set: This operation is used to get information to the MIB from an SNMP manager.
• Trap: This operation is used by the SNMP agent to send a triggered piece of information to the SNMP
manager.
• Inform: This operation is the same as a trap, but it adds an acknowledgment that a trap does not
provide.
SNMP Versions
New functionalities were added to SNMP through time. There are currently three versions of SNMP.
The following are different versions of SNMP:
• SNMP Version 1:SNMPv1 is the initial version of SNMP. SNMPv1 security is based on communities
that are nothing more than passwords: plaintext strings that allow any SNMP-based application that
knows the strings to gain access to the management information of a device. There are typically three
communities in SNMPv1: read-only, read-write, and trap.
A key security flaw in SNMPv1 is that the only authentication available is through a community string.
Anyone who knows the community string is allowed access. Adding to this problem is the fact that all
SNMPv1 packets pass across the network unencrypted. Therefore, anyone who can sniff a single SNMP
packet now has the community string that is needed to get access.
• SNMP Version 2c:SNMPv2 was the first attempt to fix SNMPv1 security flaws. However, SNMPv2
never really took off. The only prevalent version of SNMPv2 today is SNMPv2c, which contains
SNMPv2 protocol enhancements but leaves out the security features that no one could agree on. The "c"
designates v2c as being "community based," which means that it uses the same authentication
mechanism as v1—community strings.
• SNMP Version 3:SNMPv3 is the latest version of SNMP. It adds support for strong authentication and
private communication between managed entities. You can define a secure policy for each group, and
optionally limit IP addresses to which its members can belong. You have to define encryption and
hashing algorithms and passwords for each user. The key security additions to SNMPv3 are as follows:
– Can use MD5 or SHA hashes for authentication
– Can encrypt the entire packet
– Can guarantee message integrity
SNMPv3 introduces three levels of security:

• noAuthNoPriv: No authentication is required, and no privacy (encryption) is provided.
• authNoPriv: Authentication is required, but no encryption is provided.
• authPriv: In addition to authentication, encryption is also used.
Neither SNMPv1 nor SNMPv2c offer security features. Specifically, SNMPv1 and SNMPv2c can neither
authenticate the source of a management message nor provide encryption.
Discovery 25: Configure SNMP
Introduction
This discovery will provide you with some experience with the syntax of basic SNMP configuration
facilitating the management of Cisco IOS devices. The live virtual lab is prepared with the router and server
that are represented in the topology diagram and the connectivity table. The devices have their basic
configurations in place, including hostnames and IP addresses. In the discovery, you will configure the
router SNMP system contact and location variables. You will also define a read-only and a read-write
community string and an SNMP server as the destination for SNMP traps.
Topology
Job Aid
Device Information

Device Details
R1 Ethernet0/0 SRV1 10.1.1.1/24
SRV1 Ethernet0/0 R1 10.1.1.10/24
PC and SRV in the virtual lab environment are simulated as routers, so you should use Cisco IOS
Task 1: Configure SNMP

To implement SNMP access to the router, you must do the following:
• On the router, set the system contact and location of the SNMP agent on the router.
• Configure a community access string with a read-write privilege to permit access to the SNMP.
Configuration of SNMP is based on the steps that are described in the table.
Command Description
snmp-server contact contact_name Sets the system contact string.
snmp-server locationlocation Sets the system location string.
snmp-server communitystring [ro | rw] Defines the community access string with a read-only or
read-write privilege.
The first snmp-server command that you issue enables SNMP on the device.
A community string authenticates access to MIB objects and can have one of these attributes:
• Read-only: Gives read access to authorized management stations to all objects in the MIB, except the
community strings, but it does not allow write access.
• Read-write: Gives read and write access to authorized management stations to all objects in the MIB,
but it does not allow access to the community strings.
The system contact and the location of the SNMP agent is also set on the router so that you can access these
descriptions through the configuration file. Configuring the basic information is recommended because it
may be useful when troubleshooting your configuration.
Activity
Access the R1 console. Set the R1 SNMP system contact to "admin@icnd2.lab” and set the R1
SNMP system location to Remote Lab Facility.”
R1# conf t
R1(config)# snmp-server contact admin@icnd2.lab
R1(config)# snmp-server location Remote Lab Facility
Note: All devices that support SNMP management must support MIB-2. MIB-2 stores data that
is generically applicable to all IP devices. The three basic objects in MIB-2 are the system name,
system contact, and system location. You just defined the latter two. The SNMP system name
automatically inherits the value of the hostname setting on a Cisco IOS device, so the R1 SNMP
system name was already R1.
Define "Cisco1" as a read-only community string and "Cisco2" as a read-write community

string.
R1(config)# snmp-server community Cisco1 ro

R1(config)# snmp-server community Cisco2 rw
SNMP community strings should be treated with the same care as passwords. The read-only
community string has privileges that are similar to a login password, and the read-write
community string has privileges that are similar to the enable secret. The strings that are used in
this example are too easy to guess to use in a production environment.
Define SRV1 (10.1.1.10) as the SNMP destination for traps that R1 generates. Specify "Cisco3"
as the community string to be included in the traps.
To specify the recipient of the SNMP notification operation, use the snmp-server hostip-
address community command.
R1(config)# snmp-server host 10.1.1.10 Cisco3

R1(config)# exit
Traps provide the facility for the managed device to send unsolicited alerts to the SNMP system.
It allows for faster response times than would be practical with periodic polling by the
management system.
Verifying SNMP
The following tables represents the commands used to verify SNMP.
Command Description
show snmp community Displays SNMP community access strings.
show snmp location Displays SNMP system location string.
show snmp contact Displays SNMP system contact information.
show snmp host Displays the recipient details for SNMP notification
operations.
Use the show snmp community command to verify that the three community strings that you
just defined are active.
R1# show snmp community
Community name: ILMI

Community Index: cisco0
Community SecurityName: ILMI
storage-type: read-only active
Community name: Cisco1

Community SecurityName: Cisco1
storage-type: nonvolatile activeCommunity name: Cisco2
storage-type: nonvolatile activeCommunity name: Cisco3
storage-type: nonvolatile active
The ILMI community string is defined within Cisco IOS Software. You cannot not configure it.
It is a read-only community string that is associated with the LMI protocol running between a
router and an ATM switch.
Self Check
Which of the following will mitigate access layer threats ? (Choose two)
A. Port Security
B. Layer 3 IP Access Lists
C. Dynamic ARP Inspection
D. AAA
Which of the following is not true about DHCP snooping ?

A. Validates DHCP messages received from untrusted sources and filters out invalid messages
B. Builds and maintains the DHCP snooping binding database, which contains information about
untrusted hosts with leased IP addresses.
C. Rate-limits DHCP traffic from trusted and untrusted sources.
D. DHCP snooping is a Layer 2 security feature that acts like a firewall between hosts.
Which of the following command will enable AAA on router ?

A. aaa enable
B. enable aaa
C. new-model aaa
D. aaa new-model
Which of the following are true about TACACS+ ? (Choose two)

A. TACACS+ is a Cisco proprietary security mechanism.
B. TACACS+ uses UDP.
C. TACACS+ combines authentication and authorization services as a single process—after users are
authenticated, they are also authorized.
D. TACACS+ uses TCP.
Which of the following is not true about RADIUS ?

A. RADIUS is an open standard protocol
B. RADIUS separates AAA services.
C. RADIUS uses UDP.
D. RADIUS encrypts only the password in the access-request packet, from the client to the server. The
remainder of the packet is unencrypted.
A router is configured with the snmp-server community Cisco RO command. An NMS is trying to
communicate to this router via SNMP. Which actions can be performed by the NMS?
A. The NMS can only read obtained results.
B. The NMS can read obtained results and change the hostname of the router.
C. The NMS can only change the hostname of the router.
D. None of the above is correct.
Match the operations used by SNMP agent to their explanation.
Get This operation is used to get information from the MIB to an SNMP agent
This operation is used by the SNMP agent to send a triggered piece of
Trap information to the SNMP manager.
Set This operation is used to get information to the MIB from an SNMP manager.
This operation is the same as a trap, but it adds an acknowledgment that a trap
Inform does not provide.
Answer Key
Self Check
1. A, C
2. D
3. D
4. A, D
5. B
6. A
7.
Get This operation is used to get information from the MIB to an SNMP agent
Trap This operation is used by the SNMP agent to send a triggered piece of
information to the SNMP manager.
Set This operation is used to get information to the MIB from an SNMP manager.
Inform This operation is the same as a trap, but it adds an acknowledgment that a trap
does not provide.
Lesson 2: Evolution of
Intelligent Networks
Overview
Bob, the senior engineer at CSS, came to you and asked you for a favor. He is really busy this week, so he
would like you to explain to one of the customers what switch stacking is and how they would benefit from
it. Bob also informs you that the management heard that intelligent networks are becoming increasingly
popular, so they are wondering if you can use them in the corporate networks. Bob asks you to sit down
with the manager and explain to them what the intelligent network really means—including cloud
computing, SDN, and IWAN.
You can decide when during this week you will finish these two tasks—you can either do it today, or you
can first do some research about the topics that are about to be discussed.
Switch Stacking
A typical switch topology on the access and the distribution layers has two (or more) access switches that
are placed next to each other in the same rack to provide enough access ports for all network devices. Each
access switch has two redundant connections to each of the distribution switches. This topology introduces
certain overhead in terms of management, resiliency, and performance.
The Cisco StackWise technology is typically used to unite access switches that are mounted in the same
rack. Multiple switches are used to provide enough access ports. The stack, which consists of up to nine
switches, is managed as a single unit, reducing the number of units you have to manage in your network. All
switches in the stack share configuration and routing information, creating a single switching unit. You can
add switches to and deleted them from a working stack without affecting the performance.
You unite switches into a single logical unit using special stack interconnect cables that create a
bidirectional closed-loop path. The network topology and routing information are updated continuously
through the stack interconnect. All stack members have full access to the stack interconnect bandwidth. A
master switch manages the stack as a single unit. The master switch is elected from one of the stack member
switches. You can join up to nine separate switches.
Each stack of switches has a single IP address and is managed as a single object. This single IP management
applies to activities such as fault detection, VLAN creation and modification, security, and QoS controls.
Each stack has only one configuration file, which is distributed to each member in the stack.
When you add a new switch to the stack, the master switch automatically configures the unit with the
currently running IOS image and the configuration of the stack. You do not have to do anything to bring up
the switch before it is ready to operate.
Multiple switches in a stack can create an EtherChannel connection. You might therefore avoid STP,
doubling the available bandwidth of the uplinks of the existing distribution switches.
Cloud Computing and Its Effect on Enterprise
Network
Cloud computing is a general term that describes a way of using resources: processing, storage, network,
and so on. The term "cloud" and its deployment are somewhat new concepts, but the base concepts have
been used for decades.
Deploying a cloud means deploying a computer system, or a network of systems, from which computing
resources are offered to remote users. Therefore, from a user perspective, the resources are transparently
available, regardless of the user point of entry. For example, a user can use a personal computer at home, an
office computer at work, a borrowed computer, or a computer on a school campus. When accessing cloud
resources, these resources will seem the same. Also, the data that the user stores is always available when
users are connected to the cloud.
The cloud is available remotely via network connectivity, usually through the Internet. You can also use
virtual private networks—also running over the Internet—or cloud-dedicated physical networks.
Computer resources that a cloud offers can vary greatly. The resources can include storage resources,
computing resources, or applications. The user experience of using remote resources might be somewhat
different than using local resources. The user experience depends on the capacity of the network access that
is used to connect to the cloud. Therefore, a low-capacity network link might be sufficient only for services
that require minimal data transfer or are not interactive, while high-capacity links could, theoretically, allow
remote graphic rendering.
Cloud computing has several advantages over the traditional use of computer resources.
First, for operators, the way that clouds are deployed provides several advantages. Consolidation,
virtualization, and automation are often mentioned in the context of cloud computing. These concepts, while
very good for IT and data center management, do not necessarily apply to all cloud deployments.
Even if a company does not plan to deploy a cloud, consolidation, virtualization, and automation will
improve the company data center setup.
With consolidation and virtualization, resources are used more efficiently. A classic example is the
virtualization of servers. Two physical servers will use twice the amount of electricity as one server. With
virtualization, however, one physical server can usually host two virtual machines. If there is a demand for
more CPU power, you can, for example, invest in a new CPU. The other components—memory, storage,
network interface, data bus, peripherals, and so on—can now be shared more efficiently.
A more efficient use of resources has a cost benefit, as less physical equipment means less cost. What
minimizes the spending is the fact that the customer pays only for the services or infrastructure that the
customer uses. From another side, the customer is offered a fixed price for each service that the customer
uses. This fixed price means that the customer is now able to plan any future spending. Certainly, additional
staff or staff education will cost more, but with added automation, staff increases may not be necessary.
Administration will be easier and less complex, which will free staff to do other tasks.
Second, there are benefits for users of cloud services. The obvious benefit is the centralization of resources.
Although you do not need to centralize resources—you can and should distribute resources for better
resiliency—, the resources will appear centralized to the cloud user. This benefit means that a user can move
from computer to computer and always experience a familiar environment.
All data that the cloud stores will always be available. This availability means that users do not need to back
up their data. Before the cloud, users could lose important documents because of an accidental deletion,
misplacement, or computer breakdown. In the cloud, backups and data management are centralized, so users
and IT staff no longer need to be concerned about backing up data on individual computers. If a computer
fails, you can replace it with a generic system. As long as the cloud is up and running, the data is available.
If cloud computing offers CPU- or memory-intensive services as part of the cloud, you manage these
resources at the data center. User computers may not need as many resources as before the introduction of
cloud services, which may cut equipment costs. Also, resources are now managed in the data center rather
than at each workstation, so performance of an application is not subject to a user workstation configuration.
Cloud Computing Services

The cloud offers various resources. For example, resources can be storage resources, computing resources,
network resources, applications, and so on. The cloud service models define which services the cloud
service providers offer.
Depending on which types of service you can get from a cloud, the following three service models exist:
• Infrastructure as a Service (IaaS): Provides only the network.
– Delivers computer infrastructure (platform virtualization environment).
• Platform as a Service (PaaS): Provides the operating system and the network.
– Delivers a computing platform and solution stack.
• Software as a Service (SaaS): Provides the required software, operating system, and network.
• Provides ready-to-use applications or software
Also, service providers have an important building block for delivering IT as a service. Service providers
offer resources, such and broadband network traffic, public IP addresses, and other services—for example,
DHCP, NAT, and firewalls.
There are other "as-a-service" offerings from various cloud providers on the market, but those services
focus on specific applications or platforms—such offerings can be classified under one of the three major
"as-a-service" models.
Some examples of cloud computing are Google Docs, Salesforce, Amazon Web Services, Microsoft Office
365, British Telecom, Hosting provider, and so on. Some of these examples are services that providers
offer to meet different business needs. Others are designed mainly for private use (such as Microsoft
OneDrive, Google Docs, and so on). It does not matter if the cloud services are targeted towards
companies or individuals, they are still cloud services.
Overview of Network Programmability in
Enterprise Network
Traditional networks comprise several devices (for example, routers and switches) that are equipped with
software and networking functionality:
• The data (or forwarding) plane is responsible for the forwarding of frames or packets.
• The control plane is responsible for controlling the forwarding tables that the data plane uses.
The SDN architecture changes the networking paradigm by removing "intelligence" from individual devices
and transferring it to a central controller and enabling management of networks through software.
SDN separates the control plane of the network from the forwarding plane. It automates processes such as
provisioning, configuration, and remediation allowing for flexibility, agility, and scalability.
SDN offers a centralized view of the network, giving an SDN controller the ability to act as the "brains" of
the network. The control layer of the SDN is usually a software solution that is called the SDN controller.
Using APIs, business applications tell the SDN controller what they need from the network. Then the
controller uses the APIs to pass instructions to network devices, such as routers and switches. However,
those two sets of APIs are very different. The controller uses southbound API to control individual devices
and provide an abstracted network view to upstream applications using a northbound API.
SDN is not NFV. Researchers created SDN to easily test and implement new technologies and concepts in
networking, but a consortium of service providers created NFV. Their main motivation was to speed up
deployment of new services, and reduce costs. NFV accomplishes these facts by virtualizing network
devices that were previously sold only as a separate box (such as the switch, router, firewall, and IPS) and
by enabling them to run on any server. It is perfectly possible to use both technologies at the same time to
complement each other. In other words, SDN decouples the control plane and data plane of network
devices, and NFV decouples network functions from proprietary hardware appliances.
Application Programming Interfaces
The SDN architecture slightly differs from the architecture of traditional networks. It comprises three
stacked layers (from the bottom up):
• Data (or forwarding) plane: Contains network elements (any physical or virtual device that deals with
customer traffic)
• Control plane: Represents the core layer of the SDN architecture. It contains SDN controllers, which
provide centralized control of the devices in the data plane.
• Application plane: Contains SDN applications that communicate their network requirements toward
the controller.
The SDN controller uses APIs to communicate with the application and data plane.
Communication with the data plane is defined with southbound interfaces, while services are offered to the
application plane using the northbound interface.
Southbound APIs
Southbound APIs (or device-to-control-plane interfaces) are used for communication between the
controllers and network devices.
• OpenFlow: Describes an industry-standard API, which the ONF defines. It configures white label
switches, and as a result defines the flow path through the network. The actual configuration of the
devices is accomplished with the use of NETCONF.
• NETCONF: It is a network management protocol that the IETF standardized. It provides mechanisms
to install, manipulate, and delete the configuration of network devices via RPC mechanisms. The
messages are encoded by using XML. Not all devices support NETCONF, the ones that do, advertise
their capabilities via the interface.
• onePK: It is Cisco attempting to provide a high-level proprietary API that allows you to inspect or
modify the network element configuration without hardware upgrades. Cisco provides software
development kits for Java, C, and Python, making it really simple to integrate with an existing controller
or even write your own version.
• OpFlex: It is an open-standard protocol that provides a distributed control system that is based on a
declarative policy information model. The big difference between OpFlex and OpenFlow lies with their
respective SDN models. OpenFlow uses an imperative SDN model, where a centralized controller sends
detailed and complex instructions to the control plane of the network elements in order to implement a
new application policy. In contrast, OpFlex uses a declarative SDN model. The controller, which, in this
case, is called by its marketing name APIC, sends a more abstract policy to the network elements. The
controller trusts the network elements to implement the required changes using their own control planes.
NETCONF is a protocol that allows you to modify the configuration of a networking device, whereas
OpenFlow is a protocol that allows you to modify its forwarding table. If you need to reconfigure a device,
NETCONF is the way to go. If you want to implement a new functionality that is not easily configurable
within the software that your networking device is running, you should be able to modify the forwarding
plane directly using OpenFlow.
Northbound APIs
Northbound APIs or northbound interfaces are responsible for the communication between the SDN
controller and the services running over the network. Northbound APIs enable your applications to manage
and control the network. So rather than adjusting and tweaking your network repeatedly to get a service or
application running correctly, you can set up a framework that allows the application to demand the network
setup that it needs. These applications range from network virtualization and dynamic virtual network
provisioning to more granular firewall monitoring, user identity management, and access policy control.
Unfortunately, currently there is no single northbound interface that you can use for communication
between the controller and all applications. Instead, you use various different northbound APIs, each
working only with a specific set of applications.
Cisco APIC-EM
Lately, many different SDN controller platforms have emerged. Cisco Application Policy Infrastructure
Controller Enterprise Module (Cisco APIC-EM) is one of them. It is a Cisco SDN controller for enterprise
networks—access, campus, and WAN.
With Cisco APIC-EM, you can program the network in an automated fashion that is based on the
application requirements. The policies are applied with the use of OpFlex, OpenFlow, NETCONF, or
onePK. Besides APIC-EM, there is also a controller for the data center environment (Cisco Application
Policy Infrastructure Controller Data Center [Cisco APIC-DC]).
With Cisco APIC-EM, you can use open programmability APIs for policy-based management and security
through a single controller. It provides you with abstraction of the network, further simplifying the
management of network services. This approach automates what has typically been a tedious manual
configuration.
The controller provisions network services consistently and provides rich network information and analytics
across all network resources: both LAN and WAN, wired and wireless, and physical and virtual
infrastructures. This visibility allows you to optimize services and support new applications and business
models. The controller bridges the gap between open, programmable network elements and the applications
that communicate with them, automating the provisioning of the entire end-to-end infrastructure.
Cisco APIC-EM simplifies and streamlines network operations while also reducing cost. It frees the IT
department to focus on business innovation by deploying new network devices and applications rapidly. The
following are some of the benefits of Cisco APIC-EM:
• Consistency across the enterprise network keeps downtime to a minimum and lowers operational
complexity and associated cost.
• Automated end-to-end provisioning and configuration enable rapid deployment of applications and
services. Provisioning times drop from months to hours.
• Open and programmable network devices, policy, data, and analytics drive business innovation by
providing easy access to network intelligence.
• Support for greenfield and brownfield deployments lets you implement programmability and
automation with the infrastructure that you already have.
Cisco APIC-EM Features
The following are some features of Cisco APIC-EM:

• Network Information Database: Scans the network and provides the inventory, including all network
devices.
• Network topology visualization: Autodiscovers and maps network devices to a physical topology with
detailed device-level data (including the discovered hosts).
• Zero-touch deployment: When the controller scanner discovers a new network device, it creates a
network information database entry for it and then automatically configures it.
• Identity Manager: You can track user identities and endpoints by exchanging the information with the
Cisco Identity Service Engine (Cisco ISE).
• Policy Manager: The controller translates a business policy into a network device-level policy. It can
enforce the policy for a specific user at various times of the day, across wired and wireless network.
• ACL analysis: Accelerates ACL management by querying and analyzing ACLs on each network
device. It can quickly identify ACL misconfiguration.
• QoS deployment and change management: You can quickly set and enforce QoS priority policies.
• Cisco Intelligent WAN application: Simplifies the provisioning of IWAN network profiles with
simple business policies.
Using APIC-EM for Path Tracing

Using the path trace service of ACL analysis allows you to examine the path that a specific type of packet
travels as it makes its way across the network from a source to a destination node.
The path takes into account not only the source and destination IP addresses, but it can also consider the
TCP or UDP source and destination ports. This way, if there are specific configuration settings that are
related to these packet fields that would impact forwarding behavior, then APIC-EM will take these factors
into account (for example, by showing where the specific traffic gets blocked).
The result of a path trace will be a visual and textual representation of the path that a packet takes across all
the devices and links between the source and destination.
When you fill in the fields for the source, destination, and optionally the application, the path trace is
initiated. The output for a path trace consists of two elements:
• The graphical display of the path between the hosts
• The list of each device along the path, with details about the interfaces.
In the example, you can see that the traffic for the Apple QuickTime application gets blocked on the SDN-
BRANCH-ASR1002 router in the ingress direction.
Introducing Cisco Intelligent WAN
Media-rich applications, an increased number of devices connecting to the network, guest access, IoT, and
other factors are causing a higher demand for bandwidth at the branch location. Cheaper Internet
connections have become more reliable, and they are more economical compared to dedicated links. The
Cisco Intelligent WAN (Cisco IWAN) solution gives you a way to take advantage of cheaper bandwidth at
branch locations, without compromising application performance, availability, or security.
Cisco IWAN enables organizations to deliver an uncompromised experience over any connection. With
Cisco IWAN, IT organizations can provide more bandwidth to their branch office connections by using less
expensive WAN transport options without affecting performance, security, or reliability. With the Cisco
IWAN solution, traffic is dynamically routed based on the application SLA, endpoint type, and network
conditions in order to deliver the best-quality experience. The realized savings from Cisco IWAN not only
pay for the infrastructure upgrades, but also free resources for business innovation.
The following are the components of Cisco IWAN:
• Transport Independent Connectivity: Cisco IWAN provides a DMVPN-based overlay across all
available connectivity. This solution provides one network with a single routing domain. You can easily
multihome the network across different types of connections including MPLS, broadband, and cellular.
You gain the flexibility to use any available connectivity and to add or replace network connections
without having to modify your network architecture.
• Intelligent Path Control: By using Cisco Performance Routing (Cisco PfR), Cisco IWAN improves
delivery and WAN efficiency of applications. Cisco PfR dynamically controls data packet forwarding
decisions by looking at the application type, performance, policies, and path status.
• Application Optimization: Cisco Application Visibility and Control (Cisco AVC) and Cisco Wide
Area Application Services (Cisco WAAS) give you the visibility of and help you optimize application
performance over WAN links.
• Highly Secure Connectivity: When traffic is sent over the public Internet, you must make sure that it is
secure. By taking advantage of the varying VPN, firewall, network segmentation, and security features,
Cisco IWAN helps make sure that the solution provides the security you need.
Self-Check
Match the switch stacking terms with their descriptions.

used to connect the switches to create a bidirectional
StackWise closed-loop path
StackWise interconnect up to 9 individual switches joined in a single logical

cable switching unit
How is cloud computing defined?

A. a classic data center
B. an on-demand computing model
C. a computing model with data at the service provider
D. a computing model with data in a local data center
In which cloud service model is the customer responsible for managing the operating system, software,
platforms, and applications?
A. PaaS
B. SaaS
C. IaaS
D. applications
Which three layers are part of the SDN architecture? (Choose three.)
A. data
B. control
C. presentation
D. session
E. application
F. transport
Between which two planes are SDN southbound interfaces used?

A. control plane
B. switching plane
C. data plane
D. routing plane
E. application plane
F. OpenFlow
What does using SDN in your network mean?
A. Network engineers will be out of a job because everything will be automated.
B. You will have to replace all existing software.
C. You will have to replace all existing hardware.
D. You will be able to react faster when a new business requirement arises.
Which statement about IWAN is correct?

A. The IWAN allows transport-independent connectivity.
B. The IWAN allows only static routing.
C. The IWAN does not provide application visibility because only encrypted traffic is transported.
D. The IWAN needs special encrypting devices to provide an acceptable security level.
Answer Key
Self-Check
1.
StackWise interconnect cable used to connect the switches to create a bidirectional

closed-loop path
StackWise up to 9 individual switches joined in a single logical

switching unit
2. B
3. C
4. A, B, E
5. A, C
6. D
7. A
Quality of Service
Overview
QoS can be defined as the measure of transmission quality and service availability of a network (or
internetwork). Another definition of QoS is that it refers to the ability of a network to provide improved
service to the selected network traffic over various underlying technologies. The common theme here is that
QoS ensures quality service to network traffic.
A network where no QoS strategy, tools, or techniques have been implemented, treats all traffic the same
way. This kind of network offers a best-effort service. It does its best to send all packets and treats all
packets equally. If a company CEO is on a voice call with an important client and someone starts to
download a movie to watch over the weekend, the network treats both types of traffic equally. The network
does not consider voice traffic any differently if contention for network resources exists. This experience is
probably not how the CEO imagined that the network should work.
Traffic Characteristics
In today's networks, you will find a mix of data, voice, and video traffic. Each traffic type has different
properties.
Data traffic is not real-time traffic. It comprises bursty (or unpredictable) and widely varying packet arrival
times. Many types of application data exist within an organization. For example, some are relatively
noninteractive and therefore not delay-sensitive (such as email). Other applications involve users entering
data and waiting for responses (such as database applications) and are therefore very delay-sensitive. You
can also classify data according to its importance to the overall corporate business objectives. For example,
a company that provides interactive, live e-learning sessions to its customers would consider that traffic to
be mission-critical. On the other hand, a manufacturing company might consider that same traffic important,
but not critical to its operations.
Voice traffic is real-time traffic and comprises constant and predictable bandwidth and packet arrival times.
Video traffic comprises several traffic subtypes, including passive streaming video, real-time interactive
video, and video conferences. Video traffic can be real time, but not always. Video has varied bandwidth
requirements, and comprises different types of packets with different delay and tolerance for loss within the
same session.
Interactive video, or video conferencing, has the same delay, jitter, and packet loss requirements as voice
traffic. The difference is the bandwidth requirements—voice packets are small while video conferencing
packet sizes can vary, as can the data rate. A general guideline for overhead is to provide 20 percent more
bandwidth than the data currently requires. Streaming video has different requirements than interactive
video. An example of the use of streaming video is when an employee views an online video during an e-
learning session. As such, this video stream is not nearly as sensitive to delay or loss as interactive video is.
Requirements for streaming video include a loss of no more than 5 percent and a delay of no more than 4 to
5 seconds. Depending on how important this traffic is to the organization, it can be given precedence over
other traffic.
When you start watching a recording on the Internet, you might see messages such as "Buffering 50%"
before the video starts in the application that you are running. This buffering is to compensate for any
transmission delays that might occur.
You must also consider the traffic that is related to the operation of the network itself. One example of this
type of traffic is routing protocol messages—the size and frequency of these messages vary, depending on
the specific protocol that the network uses and the stability of the network. Network management data is
another example, including SNMP traffic between network devices and the network management station.
Need for QoS
The fundamental purpose of QoS is to manage contention for network resources to maximize the end-user
experience of a session. Because not all packets are equal, you should not treat them equally.
QoS gives priority to some sessions over other sessions. Packets of delay-sensitive sessions bypass queues
of packets belonging to non-delay-sensitive sessions. When queue buffers overflow, packets are dropped on
the session that can recover from the loss or those sessions that can be eliminated with minimal business
impact.
In order to make space for applications that are important and cannot tolerate loss without affecting the end-
user experience, QoS manages other sessions based on QoS policy decisions that you implemented in the
network. Managing refers to selectively delaying or dropping packets when contention arises.
QoS describes technical network performance and you can measure QoS. Measurements are numerical:
jitter, latency, bandwidth, and so on. QoE measures end-user perception of the network performance. QoE
is not a technical metric, it is a subjective metric. You deploy QoS features to maximize QoE for the end
user. When you have a session between two users, QoE is what these two users experience, regardless of
how the network between them works. QoS is almost meaningless when you implement it on only a
segment of your network, because the QoE perception is equal to the impairment that is imposed by the
worst-performing segment of the network.
QoS Mechanisms Overview
Generally, you can place QoS tools into different categories as presented in the figure.
Classification and marking tools: These tools analyze sessions to determine which traffic class they
belong to and therefore which treatment the packets in the session should be given. Classification should
happen as few times as possible, because it takes time and uses up resources. For that reason, packets are
marked after classification, usually at the ingress edge of a network. A packet might travel across different
networks to its destination. Reclassification and re-marking are common at the hand-off points upon entry to
a new network.
Policing, shaping, and re-marking tools: These tools assign different classes of traffic to certain portions
of network resources. When traffic exceeds available resources, some traffic might be dropped, delayed, or
re-marked in order to avoid a congestion on a link. Each session is monitored to ensure that it does not use
more than the allotted bandwidth. If a session uses more than the allotted bandwidth, traffic is dropped
(policing), slowed down (shaped), or re-marked (markdown) to conform.
Congestion management or scheduling tools: When traffic exceeds network resources that are available,
traffic is queued. Queued traffic will await available resources. Traffic classes that do not handle delay well
are better off being dropped unless there is delay-free guaranteed bandwidth for that traffic class.
Link-specific tools: There are certain types of connections such as WAN links, that can be provisioned with
special traffic handling tools. One such example is fragmentation.
Trust Boundary
The trust boundary is a point in the network where packet markings are not necessarily trusted. You can
create, remove, or rewrite markings at that point. The borders of a trust domain are the network locations
where packet markings are accepted and acted upon.
Untrusted domains are usually devices with user access—such as PCs and printers. The trusted part of the
network includes devices that only the network administrators have access to, such as routers and switches.
A trust boundary may also be established between an enterprise network and a service provider network.
Trust boundaries are also common in governmental and educational networks between different
departments, ministries, institutes, schools, or organizations. In an enterprise campus network, the trust
boundary is almost always at the edge switch.
QoS markings in traffic coming from an untrusted domain are usually ignored. Traffic at the trust boundary
is classified and marked, before being forwarded to the trusted domain. Ignoring markings that come from
untrusted networks prevents end-user-controlled markings from taking unfair or disastrous advantage of the
network QoS treatments.
QoS Mechanisms—Classification and Marking
A classifier is a tool that inspects packets within a field to identify the type of traffic that the packet is
carrying. Traffic is then directed to a policy-enforcement mechanism for that type of traffic. Policy
enforcement mechanisms include marking, queuing, policing, shaping, or any combination of those
mechanisms. A marker is a tool that writes a value in the header of the packet, frame, cell, tag, or label. The
aim of marking is to preserve the classification decision that the classifier tool reached. Devices that follow
the device where marking was done do not have to do classification and analysis (which are resource-
consuming tasks) to determine how to treat the packet.
CoS, ToS, DSCP, Class Selector, and TID are different terms to describe designated fields in a frame or
packet header. How devices treat packets in your network depends on the field values.
• CoS is usually used with Ethernet frames and contains 3 bits.
• ToS is generally used to indicate the Layer 3 IPv4 packet field and comprises 8 bits, 3 of which are
designated as the IP precedence field. IPv6 changes the terminology for the same field in the packet
header to "Traffic Class."
• DSCP is a set of 6-bit values that are used to describe the meaning of the Layer 3 IPv4 ToS field. While
IP precedence is the old way to mark ToS, DSCP is the new way. Transition from IP precedence to
DSCP was made because IP precedence only offers 3 bits, or eight different values, to describe different
classes of traffic. DSCP is backwards-compatible with IP precedence.
• Class Selector is a term that is used to indicate a 3-bit subset of DSCP values. Class Selector designates
the same 3 bits of the field as IP precedence.
• TID is a term that is used to describe a 3-bit field in the QoS control field of wireless frames
(802.11MAC frame). Values correspond approximately, but not exactly, to Ethernet CoS values and
meanings. TID is used for wireless Ethernet connections, CoS is used for wired Ethernet connections.
Ultimately, there are various Layer 2 and Layer 3 mechanisms that are used in the network for marking
traffic. In addition to the mentioned marking fields, there are also numerous other technologies that allow
marking. Such examples are GRE, MPLS, and IPsec.
Layer 3 packet marking with IP precedence and DSCP is the most widely deployed marking option because
Layer 3 packet markings have end-to-end significance. Layer 3 markings can also be easily translated to and
from Layer 2 markings.
Classification Tools
Classification of traffic determines which type of traffic the packets or frames belong to. Only after you
identify the traffic can you apply policies to it (marking, shaping, policing, and so on).
The best practice when it comes to classification is to identify and mark traffic as close to the trust boundary
as possible. One example is within trusted devices such as IP phones. If marking is applied correctly, all
devices that follow do not need to repeat the same in-depth classification. These devices can apply policies,
such as scheduling, that is based on marking made previously.
Three most common ways to classify traffic are:

• Markings: Classification is done on existing Layer 2 or Layer 3 settings.
• Addressing: Classification is done based on source/destination interface, or Layer 2 destination
address, or Layer 3 source/destination address, or source/destination Layer 4 port. Using an IP address
classifies traffic by a group of devices. Using a port number classifies traffic by traffic type.
• Application signatures: Classification is done based on application content inside the packet payload.
This classification is also called deep packet inspection.
Different devices have QoS mechanisms implemented in different ways. MQC is a platform-independent
and flexible configuration interface to simplify configuration of QoS features on Cisco IOS-based platforms.
MQC abstracts the QoS behavioral model to the extent that the network administrator does not have to
know the details of the platforms where the syntax is executed.
NBAR is a Layer 4 to Layer 7 deep-packet inspection classifier. NBAR is more CPU-intensive than
marking that is done by the existing markings, addresses, or ACLs.
Mostly, data applications can be identified using Layer 3 or Layer 4 criteria (like IP addresses and well-
known TCP/UDP port numbers). However, classifiers cannot identify all applications by these criteria
alone. For example, some peer-to-peer applications negotiate ports dynamically.
NBAR recognizes packets by examining the data payload and identifying the application layer protocols by
matching them against a PDLM. PDLM is an application signature database.
NBAR has two different modes of operation:
• Passive mode: Provides real-time statistics on applications per protocol or per interface and gives
bidirectional statistics such as bit rate, packet, and byte counts.
• Active mode: Classifies applications for traffic marking, so that QoS policies can be applied.
NBAR2 is the most recent version of the NBAR tool and is also commonly referred to as the Next
Generation NBAR. NBAR2 can classify very large set protocols, including non-TCP and non-UDP protocols,
protocols using statically or dynamically assigned TCP and UDP port numbers, protocols using dynamically
assigned TCP, and UDP port numbers. NBAR2 is backwards-compatible with NBAR. NBAR2 is not
available on all Cisco platforms.
QoS Mechanisms—Policing, Shaping, and Re-
Marking
After you have identified and marked traffic, you can treat it by a set of actions. These actions include
bandwidth assignment, policing, shaping, queuing, and dropping decisions.
Policers and shapers are tools that identify and respond to traffic violations. They usually identify traffic
violations in a similar manner, but they differ in their response:
• Policers perform checks for traffic violations against a configured rate. The action that they take in
response is either dropping or re-marking the excess traffic. Policers do not delay traffic; they only
check traffic and take action if needed.
• Shapers are traffic-smoothing tools that work in cooperation with buffering mechanisms. Shaper does
not drop traffic, but it smooths it out so it never exceeds the configured rate. Shapers are usually used to
meet SLAs. Whenever the traffic spikes above the contracted rate, the excess traffic is buffered and thus
delayed until the offered traffic goes below the contracted rate.
Policers make instantaneous decisions and are thus optimally deployed as ingress tools. The logic is that if
you are going to drop the packet, you might as well drop it before spending valuable bandwidth and CPU-
cycles on it. However, policers can also be deployed at egress in order to control the bandwidth that a
particular class of traffic uses. Such decisions sometimes cannot be made until the packet reaches the egress
interface.
When traffic exceeds the allocated rate, the policer can take one of two actions. It can either drop traffic or
re-mark it to another class of service. The new class usually has a higher drop probability.
Shapers are commonly deployed on enterprise-to-service provider links on the enterprise egress side.
Shapers ensure that traffic going to the service provider does not exceed the contracted rate. If the traffic
exceeds the contracted rate, it would get policed by the service provider and likely dropped.
While policers can cause a significant number of TCP resends, when traffic is dropped, shaping involves
fewer TCP resends. Policing does not cause delay or jitter in a traffic stream, but shaping does.
Regulating real-time traffic such as voice and video with policing and shaping is generally
counterproductive. You should use CAC strategies to prevent real-time traffic from exceeding the capacity
of the network. Policing and shaping tools are best employed to regulate TCP-based data traffic.
Tools for Managing Congestion
Whenever a packet enters a device faster than it can exit, the potential for congestion occurs. If there is no
congestion, packets are sent as soon as they arrive. If congestion occurs, congestion management tools are
activated. Queuing is temporary storage of backed-up packets. You perform queuing in order to avoid
dropping packets.
Different scheduling mechanisms exist. The following are three basic examples:
• Strict priority: The queues with lower priority are only served when the higher-priority queues are
empty. There is a risk with this kind of scheduler that the lower-priority traffic will never be processed.
This situation is commonly referred to as traffic starvation.
• Round-robin: Packets in queues are served in a set sequence. There is no starvation with this scheduler,
but delays can badly affect the real-time traffic.
• Weighted fair: Queues are weighted, so that some are served more frequently than others. This method
thus solves starvation and also gives priority to real-time traffic. One drawback is that this method does
not provide bandwidth guarantees. The resulting bandwidth per flow instantaneously varies based on the
number of flows present and the weights of each of the other flows.
The scheduling tools that you use for QoS deployments therefore offer a combination of these algorithms
and various ways to mitigate their downsides. This combination allows you to best tune your network for
the actual traffic flows present.
Queuing can happen at different levels. Most complex queuing can be done at Layer 3. There is also
queuing at Layer 2, for certain interface types. When Layer 2 queues fill up, they, in turn, push back packets
into the Layer 3 queues. A final queue, also called the transmit ring, or Tx-ring, is a Layer 1 queue. When
the Tx-ring fills up, the higher-level queues are pressed into service and this situation is essentially when
QoS becomes active on the device.
There are many different queuing mechanisms. Older methods are insufficient for modern rich-media
networks. However, you need to understand these older methods in order to comprehend the newer
methods:
• FIFO: A single queue with packets that are sent in the exact order that they arrived.
• PQ: A set of four queues that are served in strict-priority order. By enforcing strict priority, the lower-
priority queues are served only when the higher-priority queues are empty. This method can starve
traffic in the lower priority queues.
• CQ: A set of 16 queues with a round-robin scheduler. In order to prevent traffic starvation, it provides
traffic guarantees. The drawback of this method is that it does not provide strict priority for real-time
traffic.
• WFQ: An algorithm that divides the interface bandwidth by the number of flows, thus ensuring proper
distribution of the bandwidth for all applications. This method provides a good service for the real-time
traffic, but there are no guarantees for a particular flow.
Two examples of newer queuing mechanisms that are recommended for rich-media networks:
• CBWFQ: A combination of bandwidth guarantee with dynamic fairness of other flows. It does not
provide latency guarantee and is only suitable for data traffic management.
• LLQ: This method is essentially CBWFQ with strict priority. This method is suitable for mixes of data
and real-time traffic. LLQ provides both latency and bandwidth guarantees.
In the figure, you can see the LLQ queuing mechanism, which is suitable for networks with real-time traffic.
If you remove the low-latency queue (at the top, in yellow), what you are left with is CBWFQ, which is only
suitable for data-traffic networks.
Tools for Congestion Avoidance
Queues are finite on any interface. Devices can either wait for queues to fill up and then start dropping
packets, or drop packets before the queues fill up. Dropping packets as they arrive is called tail drop.
Selective dropping of packets during the time queues are filling up is called congestion avoidance. Queuing
algorithms manage the front of the queue and congestion mechanisms manage the back of the queue.
TCP has built-in flow-control mechanisms that operate by increasing the transmission rates of traffic flows
until packet loss occurs. When packet loss occurs, TCP drastically slows down the transmission rate and
then again begins to increase the transmission rate. Because of TCP behavior, tail drop of traffic can result
in suboptimal bandwidth utilization. TCP global synchronization is a phenomena that can happen to TCP
flows during periods of congestion because each sender will reduce their transmission rate at the same
time when packet loss occurs.
Randomly dropping packets instead of dropping them all at once, as it is done in a tail drop, avoids global
synchronization of TCP streams. One such mechanism that randomly drops packets is random early
detection or RED. RED monitors the buffer depth and performs early discards (drops) on random packets
when the minimum defined queue threshold is exceeded.
Cisco IOS Software does not support pure RED, but WRED. The principle is the same as with RED, except
that the traffic weights skew the randomness of packet drop. In other words, traffic that is more important
will be less likely dropped than less important traffic.
Self-Check
Which three features are properties and one-way requirements for voice traffic? (Choose three.)
A. Voice traffic is bursty.
B. Voice traffic is smooth.
C. Latency should be below 400 ms.
D. Latency should be below 150 ms.
E. The required bandwidth is roughly between 30 and 128 kbps.
F. The required bandwidth is roughly between 0.5 and 20 Mbps.
Which statement about QoS trust boundaries or domains is true?

A. The trust boundary is always a router.
B. PCs, printers, and tablets are usually part of a trusted domain.
C. The service provider and the enterprise network need to be one single trust domain; otherwise,
routing will not work.
D. The IP phone is a common trust boundary.
Which advanced classification tool can be used to classify data applications?

A. NBAR
B. PDLM
C. ToS
D. DSCP
How many bits constitute the DSCP field of the IP header?

A. 3 bits
B. 4 bits
C. 6 bits
D. 8 bits
Which option is a Layer 2 QoS marking?

A. CoS
B. DSCP
C. EXP
D. QoS group
Which QoS mechanism will drop traffic if a session uses more than the allotted bandwidth?
A. marking
B. policing
C. shaping
D. congestion management
Which option is a congestion-avoidance mechanism?
A. LFI
B. QPM
C. MRF
D. WRED
Answer Key
Self-Check
1. B, D, E
2. D
3. A
4. C
5. A
6. B
7. D
Module 8: Summary
Challenge
Introduction
The Summary Challenge Module consists of two lessons on Implementing and Troubleshooting Scalable
Multiarea Network. These lessons will test your skills on various topics covered in the course. Each lesson
consists of self-check questions and lab.
Multiarea Network -1
Overview
You work for RMZ Networking. Your colleague, Peter did some improvements on the network over the
weekend and now you are seeing certain network issues. In this lesson, you will be working on resolving
these issues.
Self Check
Which of the following is not correct about OSPF?

A. Allow extensive control of routing updates
B. Support VLSM
C. Confine network instability to one area of the network.
D. Increase routing overhead on the network.
Which of the following authentication protocol does not use encryption ?

A. PAP
B. CHAP
C. MD5
Which of the following are MLP over Serial interface features ?

A. Load Balancing
B. Link fragmentation and interleaving (LFI)
C. Increased redundancy
D. All the above.
What is the default encapsulation protocol on a Serial interface on a Cisco router ?

A. PPP
B. HDLC
C. Frame Relay
What is the main difference between SNMPv3 and SNMPv2 ?

A. management
B. integration
C. classification
D. enhanced security
GRE tunneling can transport multicast and IPv6 traffic between networks. True or False ?
A. True
B. False
Which commands will you use to check if BGP session is established ? (Choose two)
A. show ip bgp summary
B. show ip bgp
C. show ip bgp neighbor
D. show ip route bgp
Answer Key
Self Check
1. D
2. A
3. D
4. B
5. D
6. A
7. A, C
Multiarea Network -2
Overview
You work for TMC Networking. Your colleague, Peter did some improvements on the network over the
weekend and now you are seeing certain network issues. In this lesson, you will be working on resolving
these issues.
Self Check
Can you form IPv6 OSPF neighbors over a GRE tunnel ?

A. Yes
B. No
What is the OSPF router ID in a DR/BDR election used for?

A. It is used with the OSPF priority values to determine which interface will be used to form a neighbor
relationship with another OSPF router.
B. It is used with the OSPF priority values to determine which OSPF router will become the DR or
BDR in a point-to-point network.
C. It is used with the OSPF priority values to determine which router will become the DR or BDR in a
multiaccess network.
D. It is used to determine which interfaces will send Hello packets to neighboring OSPF routers.
Which of the following are components of an OSPF hello packet ? (Choose two)
A. Router ID
B. Bandwidth
C. Area ID
D. OSPF cost
Which of the following are key security additions to SNMPv3 ?

A. Uses MD5 or SHA hashes for authentication
B. Can encrypt the entire packet
C. Can guarantee message integrity
D. All the above
Which of the following statements are true?

A. Northbound APIs are used for communication between the controllers and network devices.
B. Southbound APIs are used for communication between the controllers and network devices.
C. OnePK is Cisco proprietary.
D. The control plane is responsible for the forwarding of frames or packets.
Which of the following is true about APIC-EM ACL analysis?

A. Allows fast and easy comparison of ACLs between devices to visualize differences and identify
misconfigurations.
B. Ability to trace application-specific paths between end devices to quickly identify ACLs in use and
problem areas.
C. Enables inspection, interrogation, and analysis of network access control policies.
D. All the above
Which of the following command will you use to get information about the TCP session in BGP ?
A. show ip bgp
B. show ip bgp summary
C. show ip bgp neighbor
D. show bgp
Answer Key
Self Check
1. A
2. C
3. A, C
4. D
5. B, C
6. D
7. C
Glossary
AAA
authentication, authorization, and accounting. Pronounced "triple a."
ABR
Area Border Router. Router located on the border of one or more OSPF areas that connects those areas to
the backbone network. ABRs are considered members of both the OSPF backbone and the attached areas.
They therefore, maintain routing tables describing both the backbone topology and the topology of the other
areas.
ACL
access control list. A list kept by routers to control access to or from the router for a number of services (for
example, to prevent packets with a certain IP address from leaving a particular interface on the router).
AD
advertised distance.
AD
administrative distance. Rating of the trustworthiness of a routing information source. Administrative
distance often is expressed as a numerical value between 0 and 255. The higher the value, the lower the
trustworthiness rating.
API
application programming interface. The means by which an application program talks to communications
software. Standardized APIs allow application programs to be developed independently of the underlying
method of communication. A set of standard software interrupts, calls, and data formats that computer
application programs use to initiate contact with other devices (for example, network services, mainframe
communications programs, or other program-to-program communications). Typically, APIs make it easier
for software developers to create the links that an application needs to communicate with the operating
system or with the network.
APIC
Cisco Application Policy Infrastructure Controller.
ARP
Address Resolution Protocol. Internet protocol that is used to map an IP address to a MAC address. Defined
in RFC 826.
AS
autonomous system. A collection of networks under a common administration sharing a common routing
strategy. Autonomous systems are subdivided by areas. An autonomous system must be assigned a unique
16-bit number by the IANA.
ASBR
Autonomous System Boundary Router. An ABR located between an OSPF autonomous system and a non-
OSPF network. ASBRs run both OSPF and another routing protocol, such as RIP. ASBRs must reside in a
nonstub OSPF area.
ASCII
American Standard Code for Information Interchange. An 8-bit code for character representation (7 bits plus
parity).
ATM
Asynchronous Transfer Mode (common term). The international standard for cell relay in which multiple
service types (such as voice, video, or data) are conveyed in fixed-length (53-byte) cells. Fixed-length cells
allow cell processing to occur in hardware, thereby reducing transit delays. ATM is designed to take
advantage of high-speed transmission media, such as E3, SONET, and T3.
BDR
backup designated router.
BGP
Border Gateway Protocol. Interdomain routing protocol that replaces EGP. BGP exchanges reachability
information with other BGP systems. It is defined by RFC 1163.
BID
bridge ID.
BPDU
bridge protocol data unit. Spanning Tree Protocol hello packet that is sent out at configurable intervals to
exchange information among bridges in the network.
CAC
Call Admission Control.
CBWFQ
class-based weighted fair queuing. Extends the standard WFQ functionality to provide support for user-
defined traffic classes.
CE
customer edge. Identifies the network devices, connected to a provider network, that are under the
administrative control of the customer.
CHAP
Challenge Handshake Authentication Protocol. Security feature supported on lines using PPP encapsulation
that prevents unauthorized access. CHAP does not itself prevent unauthorized access, but merely identifies
the remote end. The router or access server then determines whether that user is allowed access.
CLI
Command Language Interpreter. The basic Cisco IOS configuration and management interface.
CO
central office. The local telephone company office to which all local loops in a given area connect and in
which circuit switching of subscriber lines occurs.
connected interface
The network prefix associated with an interface on the router is considered 100% reliable and is represented
with an administrative distance of zero.
CoS
class of service. An indication of how an upper-layer protocol requires a lower-layer protocol to treat its
messages. In SNA subarea routing, CoS definitions are used by subarea nodes to determine the optimal
route to establish a given session. A CoS definition comprises a virtual route number and a transmission
priority field. Also called ToS.
CPE
customer premises equipment. Terminating equipment such as terminals, telephones, and modems supplied
by the telephone company, installed at customer sites, and connected to the telephone company network.
Can also refer to any telephone equipment residing on the customer site.
CQ
custom queuing.
CRC
cyclic redundancy check. Error-checking technique in which the frame recipient calculates a remainder by
dividing frame contents by a prime binary divisor and compares the calculated remainder to a value stored
in the frame by the sending node.
CST
Common Spanning Tree.
CSU
channel service unit. Digital interface device that connects end-user equipment to the local digital telephone
loop. Often referred to together with DSU, as CSU/DSU.
DAI
Dynamic ARP Inspection.
DBD
database description.
DCE
data communications equipment (EIA expansion) (common term).
DCE
data communications equipment (EIA expansion) (common term).
DHCP
Dynamic Host Configuration Protocol (common term). Provides a mechanism for allocating IP
addresses dynamically so that addresses can be reused when hosts no longer need them.
DHCPv6
Dynamic Host Configuration Protocol version 6.
DMVPN
Dynamic Multipoint VPN.
DNS
Domain Name System. System used on the Internet for translating names of network nodes into addresses.
DR
designated router.
DSL
digital subscriber line (common term). Public network technology that delivers high bandwidth over
conventional copper wiring at limited distances. There are four types of DSL: ADSL, HDSL, SDSL, and
VDSL. All are provisioned via modem pairs, with one modem located at a central office and the other at the
customer site. Because most DSL technologies do not use the whole bandwidth of the twisted pair, there is
room remaining for a voice channel.
DSLAM
DSL access multiplexer.
DSU
data service unit. Device used in digital transmission that adapts the physical interface on a DTE device to a
transmission facility, such as T1 or E1. The DSU also is responsible for such functions as signal timing.
Often referred to together with CSU, as CSU/DSU.
DTE
data terminal equipment (common term). Device at the user end of a user-network interface that serves as a
data source, destination, or both. DTE connects to a data network through a DCE device (for example, a
modem) and typically uses clocking signals that are generated by the DCE. DTE includes devices such as
computers, protocol translators, and multiplexers.
DTE
data terminal equipment (common term). Device at the user end of a user-network interface that serves as a
data source, destination, or both. DTE connects to a data network through a DCE device (for example, a
modem) and typically uses clocking signals that are generated by the DCE. DTE includes devices such as
computers, protocol translators, and multiplexers.
DTP
Dynamic Trunking Protocol.
DUAL
Diffusing Update Algorithm. Convergence algorithm used in EIGRP that provides loop-free operation at
every instant throughout a route computation. Allows routers involved in a topology change to synchronize
at the same time, while not involving routers that are unaffected by the change.
E1
Wide-area digital transmission scheme used predominantly in Europe that carries data at a rate of 2.048
Mbps. E1 lines can be leased for private use from common carriers.
EBGP
Exterior Border Gateway Protocol
E-carrier
E-carrier is a European digital transmission format. It is the equivalent of the North American T-carrier
system format.
EGP
exterior gateway protocol.
EIGRP
Enhanced Interior Gateway Routing Protocol. It's the advanced version of IGRP developed by Cisco. It
provides superior convergence properties and operating efficiency, and it combines the advantages of link-
state protocols with those of distance vector protocols.
EtherChannel
Developed and copyrighted by Cisco Systems. It's the logical aggregation of multiple Ethernet interfaces
used to form a single higher bandwidth routing or bridging endpoint.
Ethernet
Baseband LAN specification invented by Xerox Corporation and developed jointly by Xerox, Intel, and
Digital Equipment Corporation. Ethernet networks use CSMA/CD and run over a variety of cable types at
10 Mbps. Ethernet is similar to the IEEE 802.3 series of standards. It is the most commonly used LAN
technology because its protocol is easy to understand, implement, manage, and maintain. It allows low-cost
network implementations, provides extensive topological flexibility for network installation, and guarantees
successful interconnection and operation of standards-compliant products, regardless of manufacturer.
EUI-64
EUI 64-bit format
external EIGRP
EIGRP marks routes redistributed into an AS with an administrative distance of 170. External routes are
less authoritative than internal EIGRP routes.
Fast Ethernet
Any of a number of 100-Mbps Ethernet specifications. Fast Ethernet offers a speed increase 10 times that of
the 10BaseT Ethernet specification while preserving such qualities as frame format, MAC mechanisms, and
MTU. Such similarities allow the use of existing 10BaseT applications and network management tools on
Fast Ethernet networks. Based on an extension to the IEEE 802.3 specification.
FCS
frame check sequence. Extra characters added to a frame for error control purposes. Used in HDLC, Frame
Relay, and other data link layer protocols.
FD
feasible distance.
FHRP
First Hop Redundancy Protocol. A general category of protocols that includes GLBP, HSRP, and VRRP.
FIFO queuing
first-in, first-out queuing (common term). Involves buffering and forwarding of packets in the order of
arrival. FIFO embodies no concept of priority or classes of traffic. There is only one queue, and all packets
are treated equally. Packets are sent out an interface in the order in which they arrive.
FLP
Fast Link Pulse. A type of link pulse that encodes information used in autonegotiation.
Frame Relay
Industry-standard, packet-switched data link layer protocol that handles multiple virtual circuits between
connected devices.
FTP
File Transfer Protocol. Protocol for exchanging files over the Internet.
GET VPN
GET VPN or Group Encrypted Transport VPN is a tunnel-less VPN technology. GET VPN is the Cisco
implementation of GDOI (Group Domain of Interpretation), specified in RFC 6407.
Gigabit Ethernet
Standard for a high-speed Ethernet, approved by the IEEE (Institute of Electrical and Electronics Engineers)
802.3z standards committee in 1996.
GLBP
Gateway Load Balancing Protocol
GRE
Generic Routing Encapsulation. It's a tunneling protocol that was developed by Cisco that can encapsulate a
variety of protocol packet types inside IP tunnels. This process creates a virtual point-to-point link to Cisco
routers at remote points over an IP network.
HDLC
High-Level Data Link Control. Bit-oriented synchronous data link layer protocol developed by ISO.
Derived from SDLC, HDLC specifies a data encapsulation method on synchronous serial links using frame
characters and checksums.
Hello protocol
Protocol used by OSPF systems for establishing and maintaining neighbor relationships.
HSRP
Hot Standby Router Protocol. Provides high network availability and transparent network topology changes.
HSRP creates a hot standby router group with a lead router that services all packets sent to the hot standby
address. The lead router is monitored by other routers in the group. If it fails, one of the standby routers
inherits both the lead position and the hot standby address.
HSRPv1
Hot Standby Router Protocol version 1.
HTTP
Hypertext Transfer Protocol (common term). The protocol that is used by web browsers
and web servers to transfer files, such as text and graphic files.
IANA
Internet Assigned Numbers Authority. Organization operated under the auspices of the ISOC as a part of the
IAB. IANA delegates authority for IP address-space allocation and domain-name assignment to the
InterNIC and other organizations. IANA also maintains a database of assigned protocol identifiers that is
used in the TCP/IP stack, including autonomous system numbers.
IBGP
Internal Border Gateway Protocol.
ICANN
Internet Corporation for Assigned Names and Numbers. Nonprofit, private corporation that assumed
responsibility for IP address-space allocation, protocol parameter assignment, domain name system
management, and root server system management functions that formerly were performed under a U.S.
government contract by IANA and other entities.
ICMP
Internet Control Message Protocol. Network layer Internet protocol that reports errors and provides other
information that is relevant to IP packet processing. Documented in RFC 792.
ICMPv6
Internet Control Message Protocol version 6 is the implementation of ICMP for IPv6. It is defined in RFC
4443.
ID
identifier (common term).
IEEE
Institute of Electrical and Electronics Engineers. Professional organization whose activities include the
development of communications and network standards. IEEE LAN standards are the predominant LAN
standards today.
IEEE 802.11
A set of standards for implementing WLAN computer communications in the 2.4-, 3.6-, and 5-GHz
frequency bands.
IEEE 802.1D
Electrical and Electronics Engineers (IEEE) 802.1D is the MAC Bridges standard which includes Bridging,
Spanning Tree and others. It is standardized by the 802.1 working group.
IEEE 802.1Q
The IEEE 802.1Q specification establishes a standard method for tagging Ethernet frames with VLAN
membership information and defines the operation of VLAN bridges that permit the definition, operation,
and administration of VLAN topologies within a bridged LAN infrastructure.
IEEE 802.1s
Electrical and Electronics Engineers (IEEE) 802.1s is an IEEE standard that is inspired by the earlier Cisco
proprietary MISTP implementation.
IEEE 802.1w
Electrical and Electronics Engineers (IEEE) 802.1w is an IEEE standard that is inspired by the earlier
802.1D standard. It is also known as Rapid Spanning Tree Protocol (RSTP). It provides faster convergence
of STP.
IEEE 802.1X
An IEEE standard for port-based network access control.
IEEE 802.3ab
IEEE 802.3ab is a IEEE standard, that defines physical layer and data link layer's media access control of
wired 1000BASE-T (GigabitEthernet transmission over UTP cat 5, 5e, or 6 cabling).
IEEE 802.3ad
The IEEE standard for link aggregation for parallel links, since moved to IEEE 802.1AX.
IETF
Internet Engineering Task Force. Task force consisting of over 80 working groups responsible for
developing Internet standards. The IETF operates under the auspices of ISOC.
IGP
interior gateway protocol. Internet protocol used to exchange routing information within an autonomous
system. Examples of common Internet IGPs include IGRP, OSPF, and RIP.
IGRP
Interior Gateway Routing Protocol. Developed by Cisco to address the issues associated with routing in
large, heterogeneous networks.
IKE
Internet Key Exchange. IKE establishes a shared security policy and authenticates keys for services (such as
IPsec) that require keys. Before any IPsec traffic can be passed, each router, firewall, or host must verify the
identity of its peer. Verification can be done by manually entering pre-shared keys into both hosts or by a
CA service.
ILMI
Integrated Local Management Interface.
INIT state
initial state.
IoT
Internet of Things.
IP
Internet Protocol. Network layer protocol in the TCP/IP stack offering a connectionless internetwork
service. IP provides features for addressing, type-of-service specification, fragmentation and reassembly,
and security. Defined in RFC 791.
IP address
A 32-bit address assigned to hosts using TCP/IP. An IP address belongs to one of five classes (A, B, C, D,
or E) and is written as 4 octets separated by periods (dotted decimal format). Each address consists of a
network number, an optional subnetwork number, and a host number. The network and subnetwork
numbers together are used for routing, and the host number is used to address an individual host within the
network or subnetwork. A subnet mask is used to extract network and subnetwork information from the IP
address. CIDR provides a new way of representing IP addresses and subnet masks. Also called an Internet
address.
IPCP
IP Control Protocol. This network control protocol establishes IP over PPP.
IPsec
IP Security. A framework of open standards that provides data confidentiality, data integrity, and data
authentication between participating peers. IPsec provides these security services at the IP layer. IPsec uses
IKE to handle the negotiation of protocols and algorithms based on local policy and to generate the
encryption and authentication keys to be used by IPsec. IPsec can protect one or more data flows between a
pair of hosts, between a pair of security gateways, or between a security gateway and a host.
IPv4
IP version 4 (common term). Internet Protocol version 4 is the fourth version in the
development of IP and the first version of the protocol to be widely deployed. Along with IPv6, IPv4 is at
the core of standards-based internetworking methods of the Internet. IPv4 is still used to route most traffic
across the Internet. IPv4 is a connectionless protocol for use on packet-switched link layer networks (for
example, Ethernet). It operates on a best-effort delivery model in that it does not guarantee delivery and
does not assure proper sequencing or avoidance of duplicate delivery.
IPv6
IP version 6 (common term). Replacement for the current version of IP (version 4). IPv6
includes support for flow ID in the packet header, which can be used to identify flows. Formerly called IPng
(next generation).
IPX
Internetwork Packet Exchange. NetWare network layer (Layer 3) protocol used for transferring data from
servers to workstations. IPX is similar to IP and XNS.
ISDN
Integrated Services Digital Network. Communication protocol offered by telephone companies that permits
telephone networks to carry data, voice, and other source traffic.
IS-IS
Intermediate System-to-Intermediate System. OSI link-state hierarchical routing protocol based on DECnet
Phase V routing, whereby ISs (routers) exchange routing information based on a single metric to determine
network topology.
ISP
Internet service provider. Company that provides Internet access to other companies and individuals.
IWAN
Intelligent WAN
IXP
Internet exchange point.
LACP
Link Aggregation Control Protocol.
LAN
local-area network. A high-speed, low-error data network covering a relatively small geographic area (up to
a few thousand meters). LANs connect workstations, peripherals, terminals, and other devices in a single
building or other geographically limited area. LAN standards specify cabling and signaling at the physical
and data link layers of the OSI model. Ethernet, FDDI, and Token Ring are widely used LAN technologies.
LCP
link control protocol. a protocol that establishes, configures, and tests data-link connections for use by PPP.
LED
light emitting diode. A semiconductor device that emits light produced by converting electrical energy.
Status lights on hardware devices are typically LEDs.
LLQ
low latency queuing. provides a strict priority queue mechanism to CBWFQ.
LSA
link-state advertisement. A broadcast packet used by link-state protocols that contains information about
neighbors and path costs. LSAs are used by the receiving routers to maintain their routing tables. Sometimes
called an LSP.
LSAck
link-state acknowledgment.
LSDB
link-state database.
LSR
label switch router.
LSR
link-state request.
LSU
link-state update.
MAC
Media Access Control. The lower of the two sublayers of the data link layer that is defined by the IEEE.
The MAC sublayer handles access to shared media, such as whether token passing or contention will be
used.
MAC address
a standardized data link layer address that is required for every port or device that connects to a LAN. Other
devices in the network use these addresses to locate specific ports in the network and to create and update
routing tables and data structures. A MAC address is 6 bytes long and is controlled by the IEEE. It is also
known as a hardware address, MAC layer address, and physical address.
MD5
Message Digest 5. A one-way hashing algorithm that produces a 128-bit hash. Both MD5 and Secure Hash
Algorithm (SHA) are variations on MD4 and are designed to strengthen the security of the MD4 hashing
algorithm. Cisco uses hashes for authentication within the IPsec framework. Also used for message
authentication in SNMP v.2. MD5 verifies the integrity of the communication, authenticates the origin, and
checks for timeliness.
MIB
Management Information Base. A database of network management information that is used and maintained
by a network management protocol, such as SNMP or CMIP. The value of an MIB object can be changed or
retrieved using SNMP or CMIP commands, usually through a GUI network management system. MIB
objects are organized in a tree structure that includes public (standard) and private (proprietary) branches.
MISTP
Multi-Instance STP.
MLP
Multilink PPP. A method of splitting, recombining, and sequencing datagrams across multiple logical data
links.
MPLS
Multiprotocol Label Switching. a switching method that forwards IP traffic using a label. This label
instructs the routers and the switches in the network where to forward the packets based on pre-established
IP routing information.
MQC
modular QoS CLI. A command line structure that allows modular configuration of QoS configuration
elements to provide independence between classification and policy.
MST
Multiple Spanning Tree.
MSTP
Multiple Spanning Tree Protocol.
MTU
maximum transmission unit. The maximum packet size, in bytes, that a particular interface can handle.
multicast
single packets that are copied by the network and sent to a specific subset of network addresses. These
addresses are specified in the Destination Address field.
NAT
Network Address Translation. A mechanism for reducing the need for globally unique IP addresses. NAT
allows an organization with addresses that are not globally unique to connect to the Internet by translating
these addresses into globally routable address space. Also known as Network Address Translator.
NBAR
Network-Based Application Recognition. A Cisco protocol discovery and classification mechanism that
performs Layers 4 through 7 classification of IP packets.
NBAR2
Next-generation Network-Based Application Recognition.
NCP
Network Control Protocol. A series of protocols for establishing and configuring different network layer
protocols, such as for AppleTalk over PPP.
NETCONF
Network Configuration Protocol.
NFV
Network Function Virtualization.
NIC
network interface card. A board that provides network communication capabilities to and from a computer
system. A NIC is also called an adapter.
NMS
network management system. A system that is responsible for managing at least part of a network. An NMS
is generally a reasonably powerful and well-equipped computer, such as an engineering workstation. NMSs
communicate with agents to help keep track of network statistics and resources.
NTP
Network Time Protocol. A protocol that is built on top of TCP that ensures accurate local timekeeping with
reference to radio and atomic clocks that are located on the Internet. This protocol is capable of
synchronizing distributed clocks within milliseconds over long time periods.
ONF
Open Networking Foundation.
OSI
Open Systems Interconnection. International standardization program created by ISO and ITU-T to develop
standards for data networking that facilitate multivendor equipment interoperability.
OSPF
Open Shortest Path First. Link-state, hierarchical IGP routing algorithm proposed as a successor to RIP in
the Internet community. OSPF features include least-cost routing, multipath routing, and load balancing.
OSPF was derived from an early version of the IS-IS protocol.
OSPFv2
Open Shortest Path First version 2.
OSPFv3
Open Shortest Path First version 3.
OUI
Organizational Unique Identifier. Three octets that are assigned by the IEEE in a block of 48-bit LAN
addresses.
P router
provider router.
PADI
PPPoE Active Discovery Initiation.
PADO
PPPoE Active Discovery Offer.
PADR
PPPoE Active Discovery Request.
PADS
PPPoE Active Discovery Session-confirmation.
PAgP
Port Aggregation Protocol.
PAP
Password Authentication Protocol. Authentication protocol that allows PPP peers to authenticate one
another. The remote router attempting to connect to the local router is required to send an authentication
request. Unlike CHAP, PAP passes the password and the host name or username in the clear (unencrypted).
PAP does not itself prevent unauthorized access but merely identifies the remote end. The router or access
server then determines whether that user is allowed access. PAP is supported only on PPP lines.
PDLM
Packet Description Language Module. A file that can be installed on an NBAR-capable device to extend the
list of protocols that NBAR can recognize.
PE
provider edge. Identifies the network devices, under the administrative control of the provider, that connect
to CE devices.
POP
point of presence. In OSS, a physical location where an interexchange carrier installed equipment to
interconnect with a local exchange carrier (LEC).
PPP
Point-to-Point Protocol. Successor to SLIP that provides router-to-router and host-to-network connections
over synchronous and asynchronous circuits. Whereas SLIP was designed to work with IP, PPP was
designed to work with several network layer protocols, such as IP, IPX, and ARA. PPP also has built-in
security mechanisms, such as CHAP and PAP. PPP relies on two protocols: LCP and NCP.
PPPoE
PPP over Ethernet.
PQ
priority queuing. A queuing algorithm in which queues are serviced in a strict order based on priority. A
lower priority queue is not serviced until all higher priority queues are empty.
PSK
preshared key. Shared secret key that is used during IKE authentication.
PSTN
public switched telephone network. General term referring to the variety of telephone networks and services
in place worldwide. Sometimes called POTS.
PVST+
Per VLAN Spanning Tree Plus. Support for dot1q trunks to map multiple spanning trees to a single
spanning tree.
QoE
quality of experience.
QoS
quality of service. Measure of performance for a transmission system that reflects its transmission quality
and service availability.
RADIUS
Remote Authentication Dial-In User Service. Database for authenticating modem and ISDN connections
and for tracking connection time.
Rapid PVST+
Rapid Per VLAN Spanning Tree Plus.
RED
random early detection.
RFC
Request for Comments. Document series that is used as the primary means for communicating information
about the Internet. Some RFCs are designated by the IAB as Internet standards. Most RFCs document
protocol specifications, such as Telnet and FTP, but some RFCs are humorous or historical. RFCs are
available online from numerous sources.
RIP
Routing Information Protocol. A distance-vector routing protocol that uses hop count as a routing metric.
RIP
Request in Progress.
RIPv1
Routing Information Protocol version 1.
RIPv2
Routing Information Protocol version 2.
RIR
regional Internet registry.
root bridge
Exchanges topology information with designated bridges in a spanning-tree implementation to notify all
other bridges in the network when topology changes are required. This prevents loops and provides a
measure of defense against link failure.
RPC
remote-procedure call. Technological foundation of client/server computing. RPCs are procedure calls that
are built or specified by clients and are executed on servers, with the results returned over the network to the
clients.
RSTP
Rapid Spanning Tree Protocol.
RSTP+
Rapid Spanning Tree Protocol Plus.
RSVP
Resource Reservation Protocol. A network-control protocol that allows endpoints to request specific QoS
for their data flows.
SDN
software-defined networking.
SHA
Secure Hash Algorithm.
SLA
service level agreement.
SMTP
Simple Mail Transfer Protocol. Internet protocol providing email services.
SNMP
Simple Network Management Protocol. Network management protocol used almost exclusively in TCP/IP
networks. SNMP provides a means to monitor and control network devices, and to manage configurations,
statistics collection, performance, and security.
SNMPv1
Simple Network Management Protocol Version 1.
SNMPv2
SNMP Version 2. Version 2 of the popular network management protocol. SNMP2 supports centralized as
well as distributed network management strategies, and includes improvements in the SMI, protocol
operations, management architecture, and security.
SNMPv2c
SNMPv2c is the community string-based administrative framework for SNMPv2. Community string is a
type of password, which is transmitted in cleartext. SNMPv2c is an update of the protocol operations and
data types of party-based Simple Network Management Protocol Version 2 (SNMPv2p) and uses the
community-based security model of SNMPv1.
SNMPv3
Simple Network Management Protocol Version 3.
SPAN
Switched Port Analyzer. SPAN is a feature that is available on switches based on Cisco IOS and NX-OS
Software that allows traffic received on a port or VLAN to be copied to another port for analysis. It is also
referred to as "port mirroring."
SPF
Shortest Path First. Routing algorithm that iterates on the length of path to determine a shortest-path
spanning tree. Commonly used in link-state routing algorithms. Sometimes called Dijkstra's algorithm.
SRTT
smoothed round-trip time.
SSH
Secure Shell Protocol. Protocol that provides a secure remote connection to a route through a TCP
application.
SSL
Secure Socket Layer. Encryption technology for the Web used to provide secure transactions, such as the
transmission of credit card numbers for e-commerce.
static route
Route that is explicitly configured and entered into the routing table. Static routes take precedence over
routes chosen by dynamic routing protocols.
STP
Spanning Tree Protocol. Bridge protocol that uses the spanning-tree algorithm, enabling a learning bridge to
dynamically work around loops in a network topology by creating a spanning tree. Bridges exchange BPDU
messages with other bridges to detect loops, and then remove the loops by shutting down selected bridge
interfaces. Refers to both the IEEE 802.1 Spanning Tree Protocol standard and the earlier Digital Equipment
Corporation Spanning Tree Protocol upon which it is based. The IEEE version supports bridge domains and
allows the bridge to construct a loop-free topology across an extended LAN. The IEEE version generally is
preferred over the Digital version.
STP
shielded twisted-pair. Two-pair wiring medium used in a variety of network implementations. STP cabling
has a layer of shielded insulation to reduce EMI.
SVI
switch virtual interface.
syslog
system logging.
T1
digital WAN carrier facility. T1 transmits DS-1-formatted data at 1.544 Mbps through the telephone-
switching network, using AMI or B8ZS coding.
TACACS+
Terminal Access Controller Access Control System Plus. Proprietary Cisco enhancement to TACACS.
Provides additional support for authentication, authorization, and accounting.
T-carrier
TDM transmission method, usually referring to a line or a cable carrying a DS-1 signal.
TCP
Transmission Control Protocol. Connection-oriented transport layer protocol that provides reliable full-
duplex data transmission. TCP is part of the TCP/IP protocol stack.
TDM
time-division multiplexing. Technique in which information from multiple channels can be allocated
bandwidth on a single wire based on preassigned time slots. Bandwidth is allocated to each channel
regardless of whether the station has data to transmit.
Telnet
standard terminal emulation protocol in the TCP/IP protocol stack. Telnet is used for remote terminal
connection, enabling users to log into remote systems and use resources as if they were connected to a local
system. Telnet is defined in RFC 854.
TID
Traffic Identifier
ToS
type of service.
TTL
Time to Live. A mechanism that limits the lifespan or lifetime of data in a computer or network.
Tx
transmit or transmitting.
UDP
User Datagram Protocol. Connectionless transport layer protocol in the TCP/IP protocol stack. UDP is a
simple protocol that exchanges datagrams without acknowledgments or guaranteed delivery, requiring that
error processing and retransmission be handled by other protocols. UDP is defined in RFC 768.
unreachable
If a route is received with an administrative distance of 255, it is considered unreachable.
VID
VLAN ID. The identification of the VLAN, which is used by the standard IEEE 802.1Q. Being 12 bits, it
allows for the identification of 4096 VLANs.
VLAN
virtual LAN. Group of devices on one or more LANs that are configured (using management software) so
that they can communicate as if they were attached to the same wire, when in fact they are located on a
number of different LAN segments. Because VLANs are based on logical instead of physical connections,
they are extremely flexible.
VLSM
variable-length subnet mask. Capability to specify a different subnet mask for the same network number on
different subnets. VLSM can help optimize available address space.
VoIP
Voice over IP. The capability to carry normal telephony-style voice over an IP-based internet with POTS-
like functionality, reliability, and voice quality. VoIP enables a router to carry voice traffic (for example,
telephone calls and faxes) over an IP network. In VoIP, the DSP segments the voice signal into frames,
which then are coupled in groups of two and stored in voice packets. These voice packets are transported
using IP in compliance with ITU-T specification H.323. A primary attraction of VoIP is its ability to reduce
expenses, because phone calls travel over the data network rather than over the phone company network.
VPLS
Virtual Private LAN Service.
VPN
virtual private network. Enables IP traffic to travel securely over a public TCP/IP network by encrypting all
traffic from one network to another. A VPN uses tunneling to encrypt all information at the IP level.
VPWS
Virtual Private Wire Service.
VRRP
Virtual Router Redundancy Protocol.
VTP
VLAN Trunking Protocol.
vty
virtual type terminal. Commonly used as virtual terminal lines.
WAN
wide-area network. Data communications network that serves users across a broad geographic area and
often uses transmission devices provided by common carriers. Frame Relay, SMDS, and X.25 are examples
of WANs.
WFQ
weighted fair queuing. Congestion management algorithm that identifies conversations (in the form of
traffic streams), separates packets that belong to each conversation, and ensures that capacity is shared fairly
between these individual conversations. WFQ is an automatic way of stabilizing network behavior during
congestion and results in increased performance and reduced retransmission.
WRED
weighted random early detection. Queuing method that ensures that high-precedence traffic has lower loss
rates than other traffic during times of congestion.
X.25
ITU-T standard that defines how connections between DTE and DCE are maintained for remote terminal
access and computer communications in PDNs. X.25 specifies LAPB, a data link layer protocol, and PLP, a
network layer protocol. Frame Relay has to some degree superseded X.25.

Icnd230 - Student Guide v4

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Icnd230 - Student Guide v4

Hochgeladen von

Copyright:

Verfügbare Formate

ICND2

© 2016 Cisco Systems, Inc.

Learner Skills and Knowledge

Cisco Career Certifications

Course-Specific Training Resources

Creating Data VLANs

switchport Sets the interface to access mode.

A trunk allows multiple VLANs to share the port connection.

The table lists commands to use when adding a VLAN.

Configuring Trunk Commands

switch mode trunk Sets the interface to trunk mode

switchport trunk allowed vlan Sets allowed VLANs on a trunk link

The following are the characteristics of the three VTP modes:

SW1# show mac address-table interface Ethernet0/1

Vlan Mac Address Type Ports

Troubleshooting Missing VLANs

SW1# show interfaces Ethernet0/1 switchport

Complete the following steps:

VLAN Name Status Ports

R1# show ip interface brief

Verify the running configuration on the R1 router:

Current configuration : 94 bytes

R1# ping 10.10.10.182

SW1# show mac address-table

Vlan Mac Address Type Ports

Interface Ethernet0/2 is where the offending system is connected.

SW1# show mac address-table | include 5300

SW1# show interface status

Port Name Status Vlan Duplex Speed Type

Ping should be successful.

PC3# ping 10.10.10.1

Disable interface Ethernet0/2 on SW1.

On SW1, enter the following commands:

The attempt should fail.

Task 2: Troubleshoot Trunk Issues

SW1# show interfaces Ethernet 0/3 trunk

Port Mode Encapsulation Status Native vlan

Aug 31 08:34:48.714: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on

Complete the following steps:

PC1# ping 10.10.10.20

SW2# show cdp neighbors

Device ID Local Intrfce Holdtme Capability Platform Port ID

VLAN Name Status Ports

SW1# show cdp neighbors

Device ID Local Intrfce Holdtme Capability Platform Port ID

VLAN Name Status Ports

*Sep 17 09:09:21.594: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch

SW1# show interfaces trunk

Port Mode Encapsulation Status Native vlan

On SW2, check which VLAN is used as native on Ethernet0/1:

SW2# show interfaces trunk

Port Mode Encapsulation Status Native vlan

Change the native VLAN configuration on the SW2 switch.

On SW2, enter the following commands:

Messages to the console stopped.

Access PC1 and verify IP connectivity to PC4.

PC1# ping 10.10.10.40

PC1 still has no connectivity to PC4, so you need to investigate further.

Port Mode Encapsulation Status Native vlan

Port Vlans allowed on trunk

Port Vlans allowed and active in management domain

Port Vlans in spanning tree forwarding state and not pruned

VLAN 62 is correctly allowed on the link to SW1.