Monday, 29 November 2021

Cisco CCNP Enterprise Advanced Routing and Services (300-410 ENARSI) study notes

 

Route manipulation

Goal is connectivity through the network but we don't want loops.

OSPF by default gives FastEthernet and GigabitEthernet interfaces the same cost of 1. The default reference bandwidth is 100 Mbps and cost = reference bandwidth / interface bandwidth, rounded down to a minimum of 1, so anything 100 Mbps or faster costs 1. Raise the reference bandwidth (on every router in the domain) so faster links get lower costs.

OSPF is cost

EIGRP is bandwidth and delay


Quick EIGRP setup

show ip protocols (check to see what routing protocols are running)

conf t 

router eigrp 100

network 0.0.0.0

show ip route x.x.x.x

show run | s router eigrp 100


How to modify what routes are used

Change administrative distance

Modify metric/cost


Tools for route manipulation

Route-map

ACLs

Distribute lists

Prefix lists

Offset list (add a fixed value to the metric of matching routes as they are received or advertised)

Redistribution 


Mutual redistribution

With mutual redistribution a route can be fed back into the protocol it originally came from (route feedback). That gives suboptimal paths, routing loops and route flapping.

Tag the route as it is redistributed.

A route map at the other redistribution point can then deny anything carrying that tag so the route is not brought back in.


Prefix-lists

Example below to stop a router advertising certain routes

Check for existing prefix lists

show ip prefix-list


Config your prefix list

conf t

ip prefix-list MYLIST deny 1.1.1.1/32

ip prefix-list MYLIST deny 10.0.0.0/16 le 24 (any prefix inside 10.0.0.0/16 whose length is /16 through /24 inclusive; when ge is not given the entry's own length is the lower bound)

ip prefix-list MYLIST deny 10.2.0.0/16 ge 19 le 31 (anything inside 10.2.0.0/16 with a length between /19 and /31 inclusive)

ip prefix-list MYLIST permit 0.0.0.0/0 le 32 (match everything else; without this line the implicit deny at the end of the list drops every remaining route)


Apply the list to routing protocol

conf t 

router eigrp 100

distribute-list prefix MYLIST out


Check routes on both ends

show ip route eigrp 
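To see the ge/le rules in action, here is an added Python model of the MYLIST prefix list above. It is not IOS code or anything from the course, just a way to check which routes a distribute-list built on that list would let through. The sequence numbers 5, 10, 15, 20 are the ones IOS assigns by default; nothing else is assumed.

```python
import ipaddress

# Constructed copy of the MYLIST prefix list from the notes: (action, prefix, ge, le).
# ge/le of None means the entry's own length is the bound, as on IOS.
MYLIST = [
    ("deny",   "1.1.1.1/32",  None, None),  # exactly 1.1.1.1/32
    ("deny",   "10.0.0.0/16", None, 24),    # /16 through /24 inside 10.0.0.0/16
    ("deny",   "10.2.0.0/16", 19,   31),    # /19 through /31 inside 10.2.0.0/16
    ("permit", "0.0.0.0/0",   None, 32),    # everything else, any length
]


def entry_matches(route, prefix, ge, le):
    """IOS prefix-list semantics: the route's first <entry length> bits must equal the
    entry's prefix, and the route's own length must fall between ge and le, where a
    missing ge or le defaults to the entry's length (so no ge/le means exact match)."""
    route = ipaddress.ip_network(route, strict=False)
    prefix = ipaddress.ip_network(prefix, strict=False)
    lo = ge if ge is not None else prefix.prefixlen
    hi = le if le is not None else prefix.prefixlen
    if route.version != prefix.version or not lo <= route.prefixlen <= hi:
        return False
    return route.subnet_of(prefix)   # "first prefixlen bits match"


def evaluate(plist, route):
    """First matching entry wins. A route that matches no entry hits the implicit
    deny at the end, which is why the permit 0.0.0.0/0 le 32 line matters."""
    for seq, (action, prefix, ge, le) in enumerate(plist, start=1):
        if entry_matches(route, prefix, ge, le):
            return action, seq * 5          # IOS numbers sequences 5, 10, 15, ...
    return "deny", None


def advertised(plist, routes):
    """What survives 'distribute-list prefix <plist> out': only the permitted routes."""
    return [r for r in routes if evaluate(plist, r)[0] == "permit"]
```

Note that 10.0.0.0/16 itself is denied by the second entry (le 24 without ge covers /16 through /24), while 10.0.5.0/25 sails through to the final permit because /25 is longer than the le bound.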


Route redistribution

Let's say we want mutual redistribution between OSPF and EIGRP.
Work on one route at a time and check the routing tables after each change.

The issue is that the metrics are different between the protocols, so we need to set a seed metric as the route comes in. EIGRP has no usable default seed metric for routes redistributed from other protocols, so without one the routes are not redistributed at all; OSPF uses a default seed metric of 20.

Redistributed routes show up as external.
The default AD for an external route in EIGRP is 170
The default AD for an internal route in EIGRP is 90
By default the internal route will be preferred over an external/redistributed route to the same prefix.

OSPF external type 1 (E1): the metric grows as the route is propagated (seed metric plus the internal cost to reach the ASBR)
OSPF external type 2 (E2, the default): the metric is locked at the seed value, so every router in the domain sees the same metric

Routes can also be tagged. This is useful. Let's say we are doing mutual redistribution.
Tag all routes with 999 as they are brought in.
If a route already has a tag of 999 don't bother bringing it in, because we know it started in the protocol we would be sending it back to.

Don't redistribute a route that was sourced from OSPF into EIGRP back into OSPF. We don't want a routing loop. The same goes for the other way around: we don't want EIGRP -> OSPF -> EIGRP.


LAB - Distribute and prefix list

show ip prefix-list
ip prefix-list PFXLIST deny 10.0.0.0/16 le 24
ip prefix-list PFXLIST deny 10.2.0.0/16 ge 19 le 31
ip prefix-list PFXLIST permit 0.0.0.0/0 le 32

router eigrp 1
distribute-list prefix PFXLIST out

LAB - Route Redistribution

See what routing protocols are running
Show ip protocols

Show what interfaces the protocols are running on
show ip eigrp interface
show ip ospf interface

Redistribute OSPF into EIGRP
We need to go under EIGRP and pull in OSPF routes

router eigrp 1
redistribute ospf 1 metric 100 200 1 1 1 

The five values are bandwidth, delay, reliability, load and MTU. With the default K values only the first two affect the metric
Bandwidth in kbps (100)
Delay in tens of microseconds (200 = 2000 microseconds)
Reliability, 255 is 100% reliable (1)
Load, 1 is an idle link and 255 is saturated (1)
MTU in bytes; it is carried but not used in the metric (1 is accepted but a real value such as 1500 is the norm)

We can apply a route map here too
We can also use "match internal", "match external 1" or "match external 2" on the redistribute line to control which OSPF route types are pulled in, for example only internal routes

Type 1 is preferred over Type 2 in OSPF
O > O IA > E1 (and NSSA N1) > E2 (and NSSA N2)

LAB - Offset list

Offset list can be used to influence a path. For example change the metric.

Needs to be applied under eigrp process

show ip eigrp topology 5.5.5.5/32

Look at FD and FS
FD is 2298112
Other route is 40642560

If we add 39,000,000 to our 2,298,112 route it becomes 41,298,112, which is worse than the 40,642,560 alternative.

router eigrp 1
offset-list 0 in 39000000 serial 3

The 0 means no ACL, so every network is affected
Anything received on that interface has 39000000 added to its metric (use out instead to change what we advertise)

Shows all the links even if they are not feasible successor
show ip eigrp topology all-links

Show any destinations that have no successor (for example where a static or connected route with a lower AD beat the EIGRP route, so EIGRP has nothing installed in the routing table for it)
show ip eigrp topology zero-successors


LAB - Route-maps

We can use a route-map to select which routes are redistributed and to set attributes on them (metric, metric type, tag)

Confirm what interfaces the protocols are running on
show ip ospf int brief
show ip eigrp int

Check for any existing route maps
show route-map


We need something to select the routes; we can use an ACL or a prefix-list
access-list 1 permit 7.7.7.7 
do show access-list 

route-map EIGRP2OSPF permit 10
match ip address 1
match route-type internal
set metric 30
set metric-type type-1
set tag 90

show route-map

Route-map seq 10 is a permit (any route that matches no sequence hits the implicit deny at the end)
If the route matches ACL 1 (which is 7.7.7.7/32)
and it is an EIGRP internal route
set the metric to 30, set it as OSPF external type 1 (the metric changes as it propagates) and tag it with 90 (the tag can be matched later)

The only thing that will be redistributed is 7.7.7.7 if this route-map is applied.

Good to know: on a single match you can list multiple ACLs and they are ORed
match ip address 1 2 3
That line will match if any of ACL 1, 2 or 3 permits the route. Different match types in the same sequence (for example match ip address plus match route-type) are ANDed, so all of them must match.

If you don't put any match statements on a sequence then everything matches, so that's a gotcha: remove empty sequences or give them match statements.

You need to apply the route map under the routing protocol

router ospf 1
redistribute eigrp 1 subnets route-map EIGRP2OSPF

Troubleshooting
show route-map

show ip ospf

show ip route

Clear all routes 
clear ip route *


Redistribute EIGRP into OSPF
We need to go under OSPF and pull in EIGRP routes

router ospf 1
redistribute eigrp 1 tag 999 metric 44 metric-type 2 subnets

We tag our routes with tag 999
We give them the seed metric 44
We set the metric type to 2 (locked, the metric does not change as it propagates)
The subnets keyword is required to bring in subnets; without it OSPF only redistributes classful networks
We can apply a route map here too

Show only the routes for specific protocol
show ip route ospf
show ip route eigrp
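The matching rules from the route-map lab (ACLs ORed inside one match, match types ANDed, empty match means everything, implicit deny) and the tag-based loop guard from the mutual redistribution notes are easy to get wrong, so here is an added Python model of them. It is example code written for these notes, not IOS and not course material. ACL 1 and EIGRP2OSPF are the ones from the lab; the OSPF2EIGRP guard map, the route entries and the second (external) copy of 7.7.7.7 are constructed to exercise the rules.

```python
import ipaddress


def acl_permits(acl, address):
    """Standard ACL as a list of (action, network, wildcard): first match wins,
    implicit deny. A route is tested by its network address, as IOS does for
    'match ip address <acl>' in a route map."""
    a = int(ipaddress.ip_address(address))
    for action, network, wildcard in acl:
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF   # 0 bits in the wildcard must match
        if a & care == int(ipaddress.ip_address(network)) & care:
            return action == "permit"
    return False


def sequence_matches(seq, route, acls):
    """Several ACLs in one 'match ip address' are ORed, different match types are
    ANDed, and a sequence with no match clauses at all matches every route."""
    m = seq["match"]
    if "ip address" in m and not any(acl_permits(acls[n], route["network"]) for n in m["ip address"]):
        return False
    if "route-type" in m and route["route_type"] != m["route-type"]:
        return False
    if "tag" in m and route.get("tag") != m["tag"]:
        return False
    return True


def redistribute(route_map, route, acls):
    """First matching sequence decides. permit: copy the route and apply the set
    clauses. deny, or no matching sequence at all (implicit deny): the route is
    not redistributed and None is returned."""
    for seq in route_map:
        if sequence_matches(seq, route, acls):
            if seq["action"] == "deny":
                return None
            out = dict(route)
            out.update(seq["set"])
            return out
    return None


# Constructed data. ACL 1 and EIGRP2OSPF are the ones from the lab above.
ACLS = {"1": [("permit", "7.7.7.7", "0.0.0.0")]}

EIGRP2OSPF = [  # route-map EIGRP2OSPF permit 10
    {"action": "permit",
     "match": {"ip address": ["1"], "route-type": "internal"},
     "set": {"metric": 30, "metric_type": "E1", "tag": 90}},
]

# Assumed guard for the other direction (OSPF -> EIGRP): drop anything already
# carrying the tag stamped when the route left EIGRP, tag everything else with 999.
OSPF2EIGRP = [
    {"action": "deny", "match": {"tag": 90}, "set": {}},
    {"action": "permit", "match": {}, "set": {"tag": 999}},   # no match clause = everything
]

# Constructed EIGRP topology entries as the OSPF process would see them. The external
# copy of 7.7.7.7 is only there to show the route-type match doing its job.
EIGRP_ROUTES = [
    {"network": "7.7.7.7", "prefixlen": 32, "route_type": "internal", "metric": 2816},
    {"network": "7.7.7.7", "prefixlen": 32, "route_type": "external", "metric": 2816},
    {"network": "10.1.1.0", "prefixlen": 24, "route_type": "internal", "metric": 28160},
]
```

Running EIGRP2OSPF over EIGRP_ROUTES passes only the internal 7.7.7.7, rewritten with metric 30, type E1 and tag 90; when that same route later shows up in OSPF and is offered to OSPF2EIGRP, the tag 90 deny stops it going back, while an OSPF-native route gets tag 999 and through. A map consisting of one empty-match permit lets everything through, which is the gotcha from the notes.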


Route control review

When designing a network from scratch it would be best to select a routing protocol and use that everywhere. This is why OSPF is so popular because it works with all vendors. If you had all cisco gear you could use EIGRP.

However in the real world we can end up with multiple routing protocols from vendors and we need redistribution to move routes between the routing protocols.

As an example say we have 3 protocols A B and C.
If we redistribute a route from routing protocol A -> B -> C then we don't want it to get redistributed back C -> B 

Some options
We can manipulate the AD for a protocol on a router.
EIGRP admin distance for external routes is 170
EIGRP admin distance for internal routes is 90
We can also do tagging and use route-maps to control what is redistributed and set attributes.
It's good to focus on one network at a time; when you make a change check the routing tables on the other devices

Route poisoning (making a route look worse) can be done with offset lists.

Side note. In DMVPN we have hub and spoke. Because all spokes come in to a single tunnel interface on the hub, EIGRP split horizon needs to be turned off on that hub interface, because we want to advertise routes back out the same interface they were learned on. A route comes from remote site A to the hub and we then want to advertise it back out the hub to remote site B, and both site A and B connect to the hub on the same interface. (Split horizon is an EIGRP and RIP behaviour; OSPF does not have it.)

Route Summarization

In OSPF if we want to do summarization
ABR - area border router (summarizes between areas)
ASBR - autonomous system border router (brings routes in from an external source but can summarize them too)

Between areas and at the ASBR.

EIGRP (and RIP)
We can do summarization on interfaces as we advertise the summary.

BGP
Lots of options here too

We don't want to summarize too much. For example if we have three /24 networks then no need to advertise a /8 network. Make sure you are summarizing routes you actually have routes to.

A discard route to Null0 is created automatically on the router that summarizes


Auto summarization
Not turned on by default in current IOS

Lets say we have three routers

R3 - 172.16.3.3/24
R1 - 10.0.0.0
R2 - 172.16.2.2/24

show ip route

Check for auto summarization
show ip protocols
Automatic summarization: disabled

Turn on auto summarization
conf t
router eigrp 1
auto-summary
end

In this case both 172.16.x.x networks get auto summarized to 172.16.0.0/16. This leaves R1 with two equal cost paths to 172.16.0.0/16, so it load balances between R2 and R3 and half the traffic for each /24 goes to the wrong router.

Manual summarization
Turn auto-summary back off and summarize manually

conf t
router eigrp 1
net 10.0.0.0 0.0.255.255
net 10.1.0.0 0.0.255.255
net 10.2.0.0 0.0.255.255
no auto-summary (this is the default)
end

Show eigrp routes
show ip route eigrp

Lets create summaries on both outgoing interfaces

config
interface range GigabitEthernet1/0 , FastEthernet4/0
ip summary-address eigrp 1 10.1.0.0/16

show ip route eigrp
Look for the route going to Null0 (discard route)
This stops a routing loop: if we receive a packet for an address inside the summary that we have no more specific route for, the Null0 route catches it and drops it. Without it the packet would follow the default route back towards the neighbor that sent it, and that neighbor would send it straight back because of our summary.

Summarization with named EIGRP

router eigrp Our-Named-EIGRP
address-family ipv4 unicast autonomous-system 4 
net 10.0.0.0 0.0.255.255
net 10.1.0.0 0.0.255.255
net 10.2.0.0 0.0.255.255

Our EIGRP process will be "Our-Named-EIGRP"
Our AS number will be "4"
address-family ipv6 would be used for IPv6

The summarization is done under the address family, per af-interface
conf t
router eigrp Our-Named-EIGRP
address-family ipv4 unicast autonomous-system 4 
af-interface gig1/0 
summary-address 10.1.0.0/16
af-interface fa0/4  
summary-address 10.2.0.0/16

sh run | s router eigrp

show ip route eigrp



Policy Based Routing (PBR)

Normal routing is destination based: every packet to the same destination follows the same routing-table path. There may be use cases where we want certain traffic (by source, protocol or port) to take a different path.

Checking a routing path
show ip route
show ip cef 10.1.7.0
traceroute 10.1.7.7

Anything we can identify with an ACL we can PBR it.

Create ACL to identify the traffic
Route-map will match the ACL and SET the next hop
Apply the PBR policy on the interface of the router
Only traffic entering that interface is considered; traffic the router generates itself is not (see local policy below)

Implementing PBR

Create the ACL to match the traffic
conf t
ip access-list extended PBR-ACL
permit icmp 192.168.1.0 0.0.0.255 10.1.7.0 0.0.0.255
exit

Create the route-map to MATCH based on the ACL and SET the next hop

route-map PBR-RM permit 10
match ip address PBR-ACL
set ip next-hop 10.0.34.3

Apply the route-map to the interface
int ser3/1
ip policy route-map PBR-RM
end

Show commands
do show access-list
do show route-map
show ip policy

ping 10.1.7.7 source gig 0/0

Debug
debug ip policy

There are lots of options for the match statement but for PBR we will mostly use ACL.
We apply the route map to the interface we expect to receive the traffic on (ingress).


Troubleshooting PBR

ping = ICMP echo
Traceroute on Windows (tracert) uses ICMP echo
Traceroute on Linux and on the router uses UDP probes by default

So a traceroute from the router will not be policy routed by an ACL that only permits ICMP, even though ping is, and it looks like the PBR is not working.

Check the PBR
show route-map
show access-list

Edit ACL and add the UDP traffic
ip access-list extended PBR-ACL 
permit udp 192.168.1.0 0.0.0.255 10.1.7.0 0.0.0.255

traceroute 10.1.7.7 source gig0/0


PBR for locally generated traffic
PBR is for traffic coming in and being forwarded
However we might have traffic generated on the router itself and we want to PBR that as well.

traceroute 8.8.8.8

ACL
access-list 100 permit ip host 7.7.7.7 host 8.8.8.8

RM
route-map DIRECT permit 10
match ip address 100
set ip next-hop 10.78.0.8

Apply the RM to the local policy
ip local policy route-map DIRECT

Keep in mind PBR only changes the outbound path on this router. The router on the other side picks the return path from its own routing table, so the reply may come back a different way (asymmetric routing), which matters if there is a stateful firewall on the path.



Virtual Routing and Forwarding (VRF)

We can create separate VRFs, which are logical routing tables kept separate from the other VRFs and from the global table on the same router.

This is useful for service providers who are getting multiple routes (same networks) from multiple customers. For example customer A has 192.168.0.0/24 and the same for customer B. VRF is used in MPLS which will be covered later.

1 - Create the VRF (IPv4 only or both IPv4+v6)
2 - Assign interface to the VRF
3 - VRF specific routing protocols 

This way we can also run OSPF with customer A and EIGRP with customer B.


Setting up VRF lite

Checking interfaces
show ip int brief

Check for any created VRF
show vrf

Check routing table 
Show ip route

Setup VRFs
conf t
ip vrf green
exit

ip vrf purple
exit

Show vrf
do sh vrf
Notice both are IPv4 only (created with ip vrf)
No interfaces are assigned yet

Assign VRF to interface
Warning: assigning an interface to a VRF removes its IP address, so make a note of it first
show ip int brief
sh run int gig1/0

int gig1/0
ip vrf forwarding green
ip address 172.16.3.4 255.255.255.0

int gig2/0
ip vrf forwarding purple
ip address 172.16.4.4 255.255.255.0

Those routes will no longer appear in the default routing table, they will be moved to their VRF routing tables

Show vrf routing tables
show ip route vrf green
show ip route vrf purple

Ping from vrf
ping vrf green 172.16.3.33
You might see the first ping dropped because of ARP

show vrf detail

Setting up VRF with address families (IPv6)

Setup VRF (address-family)
conf t
vrf definition green
address-family ipv4
exit
address-family ipv6
exit


vrf definition purple
address-family ipv4
exit
address-family ipv6

Assign interfaces for VRF and re-add IP addresses
conf t
int gig1/0
vrf forwarding green
ip address 172.16.3.4 255.255.255.0

*Note* we don't use "ip vrf forwarding" on interfaces for VRFs created with "vrf definition"
We use "vrf forwarding"

conf t
int gig2/0
vrf forwarding purple
ip address 172.16.4.4 255.255.255.0

Show global routing table
show ip route

Show vrf routing tables
show ip route vrf green
show ip route vrf purple


VRF lite and routing protocols

ISP side
conf t
ip vrf green
ip vrf purple
do sh ip int br
int gig1/0
ip vrf forwarding green
ip add 172.16.3.4 255.255.255.0
int gig2/0
ip vrf forwarding purple
ip add 172.16.4.4 255.255.255.0
exit

Check for other running routing protocols
show ip protocols 

router ospf 10 vrf green
net 0.0.0.0 255.255.255.255 area 0

router ospf 20 vrf purple
net 0.0.0.0 255.255.255.255 area 0

show ip ospf int brief

Customer side (green) (don't know anything about the VRFs)
conf t
router ospf 1
net 0.0.0.0 0.0.0.0 area 0
*Note* IOS rewrites network 0.0.0.0 0.0.0.0 as network 0.0.0.0 255.255.255.255 in the running config; both mean every interface. It just saves some typing, and for the example it is a valid command.

do show ip protocols

Customer side (purple) (don't know anything about the VRFs)
conf t
router ospf 1
net 0.0.0.0 0.0.0.0 area 0
exit

show ip protocols

ISP side
show ip ospf nei
show ip route vrf green
show ip route vrf purple
Ping sourced from vrf "purple" to 44.44.44.44
ping vrf purple 44.44.44.44

Bidirectional forwarding detection
OSPF can take up to 40 seconds (the default dead interval) to notice a neighbor is gone when the link failure is not seen by the interface, and only then does it reconverge.

BFD sends messages back and forth between routers to make sure the link is working.
This can be linked to OSPF so it can failover faster (faster convergence)
It can be linked to multiple things
Static routes
HSRP
BGP
OSPF
EIGRP (although EIGRP has fast convergence on its own)

BFD may not work well in virtual environments if you are testing in a lab.

bfd slow-timers 3000 can help in the lab


Config BFD on ospf

Per interface 
conf t
int g0/0
bfd interval 850 min_rx 950 multiplier 3 (for lab)
bfd interval 50 min_rx 50 multiplier 3 (sample from cisco)

interval is how often we send control packets, in ms (850ms)
min_rx is the fastest rate we are willing to receive at, in ms (950ms); the peer will not send to us faster than this, so the larger of the two values is what actually ends up on the wire
multiplier 3 is how many consecutive packets can be missed before the session is declared down (each side uses the multiplier its peer advertises, so with the same config on both ends it is simply 3 missed packets)

Enable bfd on all interface
conf t
router ospf 1
bfd all-interfaces

Show 
show bfd neighbors detail

Config BFD on EIGRP
conf t
int g0/0
bfd interval 850 min_rx 950 multiplier 3 

int g0/1
bfd interval 850 min_rx 950 multiplier 3 

router eigrp 1
network 0.0.0.0
bfd all-interfaces


Config BFD on BGP
conf t
router bgp 6783
neighbor 10.24.0.4 remote-as 6783
neighbor 10.24.0.4 fall-over bfd
address-family ipv4
neighbor 10.24.0.4 activate
neighbor 10.24.0.4 next-hop-self
no synchronization

show ip bgp summary
show bfd nei detail

Config BFD with static routes
If the next hop is not reachable, remove the route from the routing table

conf t
int gig0/0
bfd interval 850 min_rx 950 multiplier 3 
exit

ip route static bfd gig0/0 10.24.0.4
ip route 0.0.0.0 0.0.0.0 gig0/0 10.24.0.4

BFD needs to be running on the other side too, otherwise the session never comes up and the static route stays out of the routing table

On the other router, pointing back at this side:
ip route static bfd gig0/0 10.24.0.2
ip route 0.0.0.0 0.0.0.0 gig0/0 10.24.0.2

show bfd nei
When the failure occurs the static route drops out of the routing table because it is tied to the BFD session, which will be showing as down

show ip route static
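The interval / min_rx / multiplier numbers above decide how fast a failure is actually detected, and the answer is not simply "interval times multiplier" because the two sides negotiate. Here is an added Python helper (written for these notes, not Cisco code) that applies the RFC 5880 asynchronous-mode rule to the values used in this section; the OSPF dead interval constant is the 40 second broadcast default mentioned at the top of the section.

```python
OSPF_DEFAULT_DEAD_MS = 40_000   # OSPF broadcast network default: hello 10 s, dead 40 s


def bfd_detection_ms(local_tx, local_rx, local_mult, remote_tx, remote_rx, remote_mult):
    """RFC 5880 asynchronous mode. 'bfd interval X min_rx Y multiplier Z' sets a router's
    desired min TX interval (X), required min RX interval (Y) and detect multiplier (Z).
    A peer may not send faster than we are willing to receive, so the gap between packets
    we actually hear is max(our min_rx, peer's interval), and we declare the peer down
    after the peer's multiplier times that gap with nothing received. Returns the
    detection time in ms on our side and on the peer's side."""
    local_detect = remote_mult * max(local_rx, remote_tx)
    remote_detect = local_mult * max(remote_rx, local_tx)
    return local_detect, remote_detect


def speedup_vs_ospf(*args):
    """How many times faster than OSPF's default dead interval the slower side detects."""
    return OSPF_DEFAULT_DEAD_MS // max(bfd_detection_ms(*args))
```

With the lab values on both ends the min_rx of 950 ms dominates, so a failure is detected after 2850 ms, not 3 x 850; Cisco's 50/50/3 sample gives 150 ms. With mismatched configs the two sides detect at different speeds, which is worth knowing when only one side seems slow to fail over.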

EIGRP

EIGRP vocabulary.
EIGRP has a few terms that need to be understood.

Successor - the route that won and made it into the routing table
Feasible Distance (FD) - the metric (cost) of the successor route, i.e. our best total metric to the destination. Within EIGRP the lowest metric wins. Administrative distance is only compared in the routing table when another protocol or a static route also offers the same prefix; then the l0wer AD wins before metrics are even looked at.

Show what protocols (routing) are running on the router
show ip protocols

default admin distance internal EIGRP route 90
default hello timer 5 seconds (hold time 15 seconds; 60/180 on low-speed NBMA links)

show ip eigrp nei

Show the routing table
show ip route

You will see something like this:
D           10.2.68.0/24 [90/200000] via 10.2.46.6 00:50:00 gig0/0
D = protocol the route was learned from, in this case D is EIGRP
10.2.68.0/24 = the network we want to reach
90 = the administrative distance
200000 = the metric
via 10.2.46.6 = the next hop (where to send the traffic)
00:50:00 = time since the route was last updated
gig0/0 = the interface to send the traffic out


Reported/Advertised distance, bandwidth and delay
How EIGRP calculates the metric
1 - Worst (lowest) bandwidth in the path, learned from the neighbor
2 - Sum of delays. The delay increases as the route passes through more routers.

Reported distance (also called advertised distance) - the neighbor's own metric to the destination, as it advertises it to us
Feasible distance - the reported distance plus the cost of our link to that neighbor, i.e. our total metric
Don't confuse distance here with administrative distance

show ip eigrp topology
FD is 2173184
2173184/2172928
Full metric (feasible distance) / reported (advertised) distance that the neighbor shared with us


Feasible successor (backup route)
In IT its great to have a backup. Its the same with EIGRP, if we discover the best route, EIGRP keeps a backup (next best) route and if there is a failure swaps it in quickly

Example some router with feasibly distances
R1 110
R2 105
R3 115
R4 100

Interface speeds
R1 < gig > R2
R2 < gig > R4
R3 < gig > R1
R3 < fa > R4

R5 is connected to R4
R5 where 10.2.68.0/26 is

Feasibility condition 
In a shop you may see a deal if you buy one, get a second one for less price.
You wouldn't buy a second item for more cost.
This is similar in EIGRP

Successor = winning route
feasible successor = backup route that could be used if successor is lost

The advertised distance has to be lower than our current feasible distance. Otherwise there is no backup route.

advertised distance < feasible distance
(advertised distance and reported distance are the same thing)

Lets take a look at the routers

R2
R2 has feasible distance for 105
The winning route has a feasible distance/metric of 105
R4 advertised distance of 100 thats why it has won
R2 can look at its neighbor R1 who has advertised distance of 110. This is not lower than R2's feasible distance so no backup route. 110 is not lower than 105.

R1
R1 has successor route via R2 (105 advertised distance)
R1 has feasible distance of 110
Checking R3's advertised distance (115)
115 is not lower than R1's feasible distance of 110, so R3 is not a backup route.

R3
R3 has successor route via R1 (110) because its a gig link
R3 -> R4 is fast ethernet
R3 feasible distance 115 
R4 is advertising a distance of 100
So 100 < 115 so this route can be installed as a backup route.

show ip eigrp topology 10.50.68.0/24

successor = winning route
feasible successor = backup route


Unequal cost load balancing 

In EIGRP when we have backup routes we can enable load balancing on them. To do it we need to go into router config and use the variance.

The Feasible Distance (FD) is the metric of the successor, the best total distance from this router to the destination network.

Let's say R3 has FD of 2173184
When we config variance 2
Any feasible successor whose total metric is up to 2173184 x 2 (4346368)
i.e. any feasible successor with a metric up to [FD] x [variance value]
will also be installed and used for load balancing. Variance 1 (the default) means equal cost only.

conf t
router eigrp 1
variance 2

Check to see if your backup route is now in the routing table
Look at the traffic share count value. If both are 1 then it is equal cost load balancing
show ip route 

If the traffic share count on a path is lower, that path is being used less: unequal cost load balancing.

Remember routes still need to meet the feasibility condition; variance never installs a path whose advertised distance is not lower than the FD
advertised distance < feasible distance = true
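The feasibility condition and the variance check are the two rules the last two sections describe, and the R2/R3 walk-through above is a good test case. Here is an added Python model of both (example code for these notes, not IOS). The reported distances and the successor totals are the numbers from the notes; the totals via the non-successor neighbours (130 on R3 via R4, 115 on R2 via R1) are assumed, because the notes do not give them.

```python
# Constructed EIGRP topology entries for one destination, using the distances from the
# notes. Each path is (neighbor, reported_distance, total_metric_via_neighbor): the
# reported distance is what the neighbor advertises, the total adds our own link cost.
# R3: successor via R1 (R1 reports 110, total 115); via R4 over FastEthernet R4 reports
# 100 and the total is assumed to be 130.
R3_PATHS = [("R1", 110, 115), ("R4", 100, 130)]
# R2: successor via R4 (reports 100, total 105); via R1 the total is assumed to be 115.
R2_PATHS = [("R4", 100, 105), ("R1", 110, 115)]


def successors(paths):
    """Lowest total metric is the feasible distance (FD); every path with that
    metric is a successor (equal-cost paths all go into the routing table)."""
    fd = min(total for _, _, total in paths)
    return fd, [p for p in paths if p[2] == fd]


def feasible_successors(paths):
    """Feasibility condition: a non-successor path is a usable backup only if the
    neighbor's reported distance is strictly less than our FD. That guarantees the
    neighbor is not routing through us, so switching to it cannot loop."""
    fd, best = successors(paths)
    return [p for p in paths if p not in best and p[1] < fd]


def installed_paths(paths, variance=1):
    """What ends up in the routing table with 'variance N': the successors plus any
    feasible successor whose total metric is within N times the FD. A path that fails
    the feasibility condition is never installed, however large the variance."""
    fd, best = successors(paths)
    return best + [p for p in feasible_successors(paths) if p[2] <= variance * fd]
```

On R3, R4 is a feasible successor (100 < 115) and variance 2 adds it to the table (130 <= 230). On R2 the R1 path is never installed even with variance 2, because 110 is not lower than 105, which is the "still needs to meet the feasibility condition" point above.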


Passive-interface

When a network statement includes more interfaces than we intended

For example we have 
g2/0 10.0.24.0
g4/1 10.0.34.0
g0/0 10.0.4.0

router eigrp 1
network 10.0.0.0 0.0.255.255

This network statement will cover all 3 interfaces. Let's say we want to exclude one. We could write tighter network statements, but we might have lots of interfaces starting with 10.x.x.x, so it can be quicker and easier to exclude it with the passive-interface command

router eigrp 1
passive-interface g4/1


Another useful command is 
passive-interface default 
This makes all interfaces not take part in EIGRP by default and we have to do a 
no passive-interface g2/0 if we want it to take part in EIGRP

passive-interface stops EIGRP sending hellos on that interface, so no neighbor can form there, but the interface's network is still advertised to the other neighbors.

Metric calculations

The calculation uses the slowest link and the sum of the delays.
(reference bandwidth / slowest BW in kbps + sum of delays in microseconds / 10) * 256

The reference bandwidth is 10,000,000 (10^7 kbps, i.e. 10 Gbps)

show ip route
sh ip eigrp topo 10.1.7.0/24

Minimum bandwidth is 1544 Kbit (slowest link)
Total delay is 20250 microseconds

(10000000/1544 + 20250/10) * 256
The router truncates each division to a whole number: (6476 + 2025) * 256 = 2176256
Keeping the decimals on a calculator gives 2176431, so a hand calculation can come out slightly higher than what the router shows
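To check the arithmetic the way the router does it, here is an added Python version of the classic EIGRP metric formula (example code for these notes, not Cisco's). It uses the full K-value form so the role of reliability and load is visible, but with the default K values only bandwidth and delay count, exactly as the notes say. The T1 and Ethernet values in the usage are the standard interface defaults.

```python
def eigrp_classic_metric(min_bw_kbps, total_delay_usec, k1=1, k2=0, k3=1, k4=0, k5=0,
                         load=1, reliability=255):
    """Classic (32-bit) EIGRP composite metric, computed with integer arithmetic the way
    IOS does: bandwidth term = 10,000,000 / slowest link in kbps (truncated), delay term
    = sum of interface delays in tens of microseconds (truncated), then times 256.
    With the default K values (1, 0, 1, 0, 0) only those two terms count."""
    bw = 10_000_000 // min_bw_kbps
    dly = total_delay_usec // 10
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * dly
    if k5:                                  # reliability only counts when K5 is non-zero
        metric = metric * k5 // (reliability + k4)
    return metric * 256


def path_metric(hops):
    """Metric for a path made of (bandwidth_kbps, delay_usec) interfaces: the slowest
    bandwidth anywhere on the path and the sum of all the delays."""
    return eigrp_classic_metric(min(bw for bw, _ in hops), sum(d for _, d in hops))


def bottleneck(hops):
    """Index of the hop whose bandwidth sets the metric, i.e. the one to upgrade."""
    return min(range(len(hops)), key=lambda i: hops[i][0])
```

The notes' example (1544 kbps, 20250 microseconds) gives 2176256; a T1 plus a FastEthernet segment (delay 20000 + 100) gives the familiar 2172416; a directly connected FastEthernet is 28160 and GigabitEthernet 2816. Because the bandwidth term is a minimum, adding a fast hop never changes it; only the slowest link or more delay does.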

Summary routes

Summary routes cover multiple networks with a single route. Why send separate routes for 10.1.0.0/16
10.2.0.0/16
10.3.0.0/16 
when we can send one summary (10.0.0.0/8 in this lab; 10.0.0.0/14 would be the tightest summary that covers them).

We create the summary on an interface.
That suppresses the more specific routes on that interface.
It also creates a route for 10.0.0.0/8 -> Null0, which is the trash can.
This stops traffic for addresses inside the summary that we have no route for being forwarded out the default route and looping back.
But what about our real traffic? We still have the more specific routes for the real networks, and the longest match wins, so they are forwarded normally. That is why Null0 works for us.

Remember: by default when we make a summary route, a route to Null0 is created for that summary.

conf t
interface serial3/1
ip summary-address eigrp 1 10.0.0.0/8

show ip route
The route to null0 will catch any strays.
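Both the Null0 discard route here and the VRF section earlier come down to how a routing table lookup behaves, so here is one added Python model that covers both (example code for these notes, not IOS). The summarizing router's table holds only 10.1.0.0/16 and 10.2.0.0/16 plus the 10.0.0.0/8 summary from this section; the upstream default at 203.0.113.1 and all next-hop addresses are assumed. The VRF part reuses the green/purple VRF names from the VRF-lite lab with the overlapping 192.168.0.0/24 customer prefix from the VRF introduction.

```python
import ipaddress


class Rib:
    """One routing table (the global table or one VRF): longest prefix match."""

    def __init__(self, name="global"):
        self.name = name
        self.routes = {}          # ip_network -> next hop; "Null0" means discard

    def add(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop
        return self

    def lookup(self, address):
        addr = ipaddress.ip_address(address)
        hits = [n for n in self.routes if addr in n]
        if not hits:
            return None
        best = max(hits, key=lambda n: n.prefixlen)
        return str(best), self.routes[best]

    def forward(self, address):
        """Next hop used for a packet; a Null0 route or no route at all drops it."""
        hit = self.lookup(address)
        return "drop" if hit is None or hit[1] == "Null0" else hit[1]


def summarizing_router(with_discard=True):
    """Constructed table of the router that advertises 10.0.0.0/8 while only holding
    10.1.0.0/16 and 10.2.0.0/16 itself. 'ip summary-address eigrp 1 10.0.0.0/8' adds
    the Null0 discard route; the upstream (203.0.113.1) and next hops are assumed."""
    rib = Rib().add("0.0.0.0/0", "203.0.113.1")
    rib.add("10.1.0.0/16", "10.0.12.2").add("10.2.0.0/16", "10.0.13.3")
    if with_discard:
        rib.add("10.0.0.0/8", "Null0")
    return rib


def vrf_lite_router():
    """Constructed VRF-lite router: two customers both use 192.168.0.0/24, and each
    VRF keeps its own table so the overlapping prefixes never collide (next hops assumed)."""
    return {
        "green":  Rib("green").add("192.168.0.0/24", "172.16.3.33"),
        "purple": Rib("purple").add("192.168.0.0/24", "172.16.4.44"),
    }
```

With the discard route, a packet for 10.9.9.9 (inside the summary, no specific route) is dropped; without it the same packet follows the default route back upstream, where the summary sends it straight back. Real traffic for 10.1.5.5 still matches the /16 because the longest prefix wins. The two VRF tables return different next hops for the same customer address, which is the whole point of VRFs.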


EIGRP review

Successor / winning route
The successor is the winning route. Based on the lowest metric it is placed in the routing table. If there are two equal cost routes they will both be successors and both in the routing table (by default).
The metric of the successor = the feasible distance.

Feasible successor
The backup route that meets the feasibility condition. If the successor drops out it is promoted immediately, with no query sent. With variance set up it can also carry traffic alongside the successor.

EIGRP formula
lowest bandwidth in the path 
sum of all the delays in the path


EIGRP address families

IPv4
conf t
router eigrp 1
network 0.0.0.0

show ip route eigrp
show ip protocols
show ip route 10.0.0.0

IPv6
ipv6 unicast-routing
ipv6 router eigrp 6
no shut
exit
In IPv6 we have to enable it under each interface
int gig0/0
ipv6 eigrp 6
int gig0/1
ipv6 eigrp 6

Named EIGRP and address families
Instead we can create a named EIGRP process and below make address families for IPv4 and IPv6

ipv6 unicast-routing
router eigrp NAMED_EIGRP
address-family ipv4 unicast autonomous-system 4
network 0.0.0.0
exit

address-family ipv6 unicast autonomous-system 6
(in named mode we don't need to enable each interface)
(its switched on for all by default so the passive interface cmd might be useful)
exit

See whats setup
show ip protocols
show ipv6 protocols

Show routes
sh ip route eigrp
sh ipv6 route eigrp

EIGRP relationships and authentication

Must agree on the AS number
Must agree on the K values (the weights given to bandwidth and delay in the metric)

Things that can cause the neighborship to fail
A key chain is used for authentication
The key "string" (password) could be wrong
A passive interface stops hellos, so no neighbor forms there
An ACL might block the EIGRP packets

Timers don't have to match; the neighbor will still come up
The subnet mask should match but the neighbor will still come up as long as each side sees the other's address as being in its own subnet

Authentication overview

Setup EIGRP
conf t
router eigrp 4
network 0.0.0.0
exit

Create a keychain
key chain MY-CHAIN
key 6783
key-string PASSWORD
do show key chain

We need to apply to interfaces

interface gig0/1
ip authentication key-chain eigrp 4 MY-CHAIN
ip authentication mode eigrp 4 md5

show ip eigrp interface detail

Look for "authentication mode is md5 key chain is MY-CHAIN"

You can copy/paste your key chain to the other routers.

Named mode is good because we can add the key chain to all interfaces at once with af-interface default. Named mode also supports authentication mode hmac-sha-256 <password>, which is stronger than MD5 and worth using when both sides support it.
conf t
router eigrp NAMED-EIGRP
address-family ipv4 unicast autonomous-system 4
af-interface default
authentication mode md5
authentication key-chain MY-CHAIN
exit
address-family ipv6 unicast autonomous-system 6
af-interface default
authentication mode md5
authentication key-chain MY-CHAIN

Review of EIGRP config 

Create a key chain which you can copy/paste
conf t
key chain MY-CHAIN
key 6783
key-string cisco
end

Classic EIGRP IPv4
conf t
router eigrp 4
network 0.0.0.0
exit

Classic EIGRP IPv6
ipv6 unicast-routing
ipv6 router eigrp 6
no shut
exit

Config EIGRP IPv6 and auth for both IPv4 and IPv6 under the interfaces (IPv6 uses the ipv6 form of the commands)
int gig0/0
ipv6 eigrp 6
ip authentication key-chain eigrp 4 MY-CHAIN
ip authentication mode eigrp 4 md5
ipv6 authentication key-chain eigrp 6 MY-CHAIN
ipv6 authentication mode eigrp 6 md5

Named EIGRP mode
conf t
ipv6 unicast-routing
router eigrp NERP

address-family ipv4 unicast autonomous-system 4
network 0.0.0.0
af-interface default
authentication key-chain MY-CHAIN
authentication mode md5
exit

address-family ipv6 unicast autonomous-system 6
af-interface default
authentication key-chain MY-CHAIN
authentication mode md5
end


Show commands
show ip eigrp neighbors
show ipv6 eigrp neighbors


show eigrp address-family ipv4 neighbors
show eigrp address-family ipv6 neighbors

show ip eigrp interfaces
show ipv6 eigrp interfaces

show eigrp address-family ipv4 interfaces
show eigrp address-family ipv6 interfaces

show ip eigrp topology 
show eigrp address-family ipv4 topology 
show eigrp address-family ipv6 topology 

The H column on the left is the handle: the order the neighbors were learned in. To reset the adjacencies (and the order) clear the neighbors from exec mode; it is not an interface command
clear eigrp address-family ipv4 neighbors


EIGRP stub

Let's say we have lots of routes at HQ and a branch router with 1.1.1.1.
Let's say 1.1.1.1 goes down.
Now the HQ router queries everyone for a route. If there is a feasible successor that's fine, otherwise the query floods through the whole network, and if a reply is slow the route goes stuck-in-active.
We can configure the branch routers as stubs so those queries are not sent to them.

Show to verify
sh ip eigrp nei detail

Debug command
debug eigrp packets query

On R8 make it stub

router eigrp NERP
address-family ipv4 unicast autonomous-system 4
eigrp stub connected

connected means we still advertise our connected networks
stub means "I'm the end of the road, there is nothing behind me", so don't query me for lost routes

Show command
show ip eigrp neighbors detail

We should see "Stub Peer Advertising (CONNECTED)"

Now none of the other routers will query R8 about routes that go missing.

Stub site

Let's say we have 2 (or more) routers in a branch office. We could make them all stubs, but we can also use a stub site. This way the routers run EIGRP normally with each other but act as stubs towards anyone outside the site.

We make a stub site with an identifier. We also have to mark the WAN interface so it knows which side is outside the site.

conf t
router eigrp NERP
address-family ipv4 unicast autonomous-system 4
network 172.16.0.0
eigrp stub-site 101:100
af-interface gig0/1
stub-site wan-interface

For the identifier Cisco suggests some formats to give the stub site ID some meaning
ASN:nn
IP:nn
4BASN:nn
aa:nn

The stub site ID is attached to all routes received on the WAN interface, so routes learned from outside the site are not advertised back out the WAN

show eigrp address-family ipv4 topology 109.1.0.6/32
Look for Extended Community: StubSite:101:100

Troubleshooting EIGRP

IPv4
Good to start with below to see what routing protocols are running
show ip protocols 

Start with checking the neighbors
show ip eigrp neighbors

Next step is to check the routing table for the network you are interested in
show ip route 10.1.7.0

Look to see whether it was learned from EIGRP, what interface / neighbour path it is taking, and whether there is a feasible successor

If we expect to learn from another place we need to check that router out

If we don't have a neighbor up, check if the interface is enabled
show ip eigrp interfaces
Look at the interfaces that are enabled
Also look at the peers, we expect a router running EIGRP to have some peers


Check the network statement 
sh run | s router eigrp

You may need to make changes to eigrp
conf t
router eigrp NERP
address-family ipv4 unicast autonomous-system 4
network 0.0.0.0 (to add everything)

You may need to debug to see what is wrong
debug eigrp packets 
Look for K-value mismatch
Look for authentication failure

show ip protocols to see the K values
router eigrp NERP
address-family ipv4 unicast autonomous-system 4
no metric weights (set K values back to default)

eigrp log-neighbor-changes is on by default and logs every adjacency up/down with the reason; it is usually the first clue, so only turn it off (no eigrp log-neighbor-changes) if the logs are too noisy

IPv6

Check for the ipv6 unicast-routing
show ipv6 int brief
show ipv6 route
show ipv6 eigrp neighbors
show ipv6 eigrp neighbors detail

show ipv6 eigrp interfaces

If a neighbor is a receive-only stub you will see
"Receive-Only Peer Advertising (No) Routes"
So it knows about the EIGRP router but is not learning routes from it, because a receive-only stub advertises nothing

Watch out for eigrp not enabled on interfaces as well.

Fix stub
conf t
router eigrp NERP
address-family ipv6 unicast autonomous-system 6
no eigrp stub receive-only (remove stub config, take part in EIGRP fully)

ping xxxx:xxx:xxxx:xx:xx
traceroute xxxx:xxx:xxxx:xx:xx

If we are missing an interface
conf t
router eigrp NERP
address-family ipv6 unicast autonomous-system 6
af-interface FastEthernet 4/1
no shut (make sure its not shutdown)
no passive-interface (make sure its not set to passive)


show ipv6 eigrp topology

show ipv6 eigrp topology summary
Shows learned routes, shows pending replies

show ipv6 eigrp topology zero-successors
See if there is any routes with no backups

show ipv6 eigrp events
The EIGRP event log

show ipv6 eigrp traffic
status on the queries
We want 0's in SIA replies and queries

show ipv6 eigrp topology active
show any routes its currently looking for


OSPF Address families 

Check for running protocols
show ip protocols
show ipv6 protocols

Traditional ospf setup
IPv4
router ospf 1
network 0.0.0.0 255.255.255.255 area 0
passive-interface gig0/0
do show ip ospf int brief
IPv6 (traditional OSPFv3 has no network statement; the process is created and then each interface is added to it)
ipv6 router ospf 1
int gig1/0
ipv6 ospf 1 area 0

Address family config for ospfv3
ospfv3 address families can carry IPv4 and IPv6 in one process
No network statements in ospfv3; interfaces are enabled per address family

router ospfv3 1
address-family ipv4 unicast
auto-cost reference-bandwidth 1000

address-family ipv6 unicast
auto-cost reference-bandwidth 1000
exit

int gig0/0
ospfv3 1 area 0 ipv4
ospfv3 1 area 0 ipv6

Show commands
The show ip ospf commands won't show anything because the process is ospfv3; the show ipv6 ospf commands still work because they are OSPFv3 anyway, and the show ospfv3 commands cover both address families

show ospfv3 int brief

show ospfv3 ipv4 int brief
show ospfv3 ipv6 int brief

show ip route ospfv3

show ospfv3 ipv4 database
show ospfv3 ipv4 database route self-originate

LSA types 8 (link) and 9 (intra-area prefix) are unique to OSPFv3

show ospfv3 ipv4 neighbor

show ospfv3 ipv6 neighbor

OSPF authentication and troubleshooting 

Why do OSPF authentication ?
Stop hacking attempts / prevent unauthorized OSPF router joining the routing domain
Stop misconfigs etc by users bringing devices in from home

auth options 

0 - null (no autentication)
1 - simple/plain text (no point in using)
2 - md5 (keys are encrypted)

The auth can be applied to the area and also to the individual interfaces.

conf t
router ospf 1
area 1 authentication (simple auth for area 1)
area 2 authentication message-digest (this specifies MD5 for area 2)

If we set up simple authentication but don't set up passwords, neighbors can still be formed.

sh ip ospf

Config interface password (null auth)
conf t
interface fa4/1
ip ospf authentication null

Config interface password (simple auth)
conf t
interface fa4/1
ip ospf authentication-key Password1

Config interface password (md5 auth)
conf t
interface fa4/1
ip ospf message-digest-key 1 md5 Password1
[key-id] [md5] [password]
Needs to be set up on the other side too

Config area authentication
conf t
router ospf 1
area 0 authentication message-digest
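To make concrete what the md5 option does on the wire, here is an added Python model (not Cisco IOS code and not from the course) of the OSPFv2 cryptographic authentication check from RFC 2328 Appendix D: the key is never transmitted, the sender appends an MD5 digest of the packet plus the key, and the receiver recomputes it with the key it has stored under the same key ID and also checks the cryptographic sequence number against the last one it accepted from that router. The packet body, router IDs and the key Password1 are constructed sample values.

```python
import hashlib
import hmac
import struct

# Added example: a model of OSPFv2 cryptographic (MD5) authentication as defined
# in RFC 2328 Appendix D. This is not Cisco IOS code; the packets, router IDs
# and keys below are constructed sample values.

OSPF_VERSION = 2
OSPF_HEADER_LEN = 24
AU_TYPE_CRYPTO = 2          # AuType 0 = null, 1 = simple password, 2 = cryptographic
DIGEST_LEN = 16             # MD5 digest appended after the OSPF packet


def build_ospf_packet(ptype: int, router_id: int, area_id: int, body: bytes,
                      key_id: int, crypto_seq: int) -> bytes:
    """Build an OSPFv2 header + body with the authentication field laid out for
    AuType 2: two zero octets, key ID, auth data length (16) and the
    cryptographic sequence number. The checksum is 0 for cryptographic auth."""
    length = OSPF_HEADER_LEN + len(body)          # length excludes the digest
    header = struct.pack("!BBHIIHH", OSPF_VERSION, ptype, length,
                         router_id, area_id, 0, AU_TYPE_CRYPTO)
    auth_field = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, crypto_seq)
    return header + auth_field + body


def ospf_md5_digest(packet: bytes, key: bytes) -> bytes:
    """RFC 2328 D.4.3: MD5 over the packet followed by the key padded with
    zero octets to 16 bytes. Keys longer than 16 octets are not allowed."""
    if len(key) > 16:
        raise ValueError("OSPF MD5 keys are at most 16 octets")
    return hashlib.md5(packet + key.ljust(16, b"\x00")).digest()


def sign_packet(packet: bytes, key: bytes) -> bytes:
    """Sender side: append the digest. The key itself never leaves the router."""
    return packet + ospf_md5_digest(packet, key)


def verify_packet(wire: bytes, keys: dict, last_seq: dict) -> tuple:
    """Receiver side. keys maps key ID -> key; last_seq maps router ID -> last
    accepted sequence number (updated on success). Returns (accepted, reason)."""
    if len(wire) < OSPF_HEADER_LEN + DIGEST_LEN:
        return False, "packet too short"
    version, _ptype, length, router_id, _area, _csum, au_type = struct.unpack(
        "!BBHIIHH", wire[:16])
    if version != OSPF_VERSION or au_type != AU_TYPE_CRYPTO:
        return False, "not an OSPFv2 packet with cryptographic authentication"
    _zero, key_id, auth_len, crypto_seq = struct.unpack("!HBBI", wire[16:24])
    if auth_len != DIGEST_LEN or len(wire) < length + DIGEST_LEN:
        return False, "bad authentication data length"
    key = keys.get(key_id)
    if key is None:
        return False, f"no key configured for key id {key_id}"
    packet, digest = wire[:length], wire[length:length + DIGEST_LEN]
    # Constant-time compare, as for any MAC.
    if not hmac.compare_digest(ospf_md5_digest(packet, key), digest):
        return False, "digest mismatch (wrong key or modified packet)"
    # Replay protection: the sequence number must not go backwards per neighbor.
    if crypto_seq < last_seq.get(router_id, 0):
        return False, "replayed packet (old cryptographic sequence number)"
    last_seq[router_id] = crypto_seq
    return True, "ok"


def demo() -> tuple:
    """Sign a constructed Hello from router 1.1.1.1 and check it with the right
    key, with a wrong key, and then replay an older sequence number."""
    hello_body = b"\xff\xff\xff\x00" + b"\x00" * 16   # constructed, not a real Hello
    rid = int.from_bytes(bytes([1, 1, 1, 1]), "big")
    pkt = build_ospf_packet(1, rid, 0, hello_body, key_id=1, crypto_seq=5)
    wire = sign_packet(pkt, b"Password1")
    seen = {}
    good = verify_packet(wire, {1: b"Password1"}, seen)
    bad_key = verify_packet(wire, {1: b"Password2"}, {})
    old = sign_packet(build_ospf_packet(1, rid, 0, hello_body, 1, 3), b"Password1")
    replay = verify_packet(old, {1: b"Password1"}, seen)
    return good, bad_key, replay
```

The two failure paths are the ones you see in the labs later on: a key mismatch between neighbors shows up as a digest failure on the receiving side, and the sequence number is why a captured packet cannot simply be re-sent to keep a stale adjacency alive.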

Show and debug commands
show ip route ospf
show ip ospf
traceroute x.x.x.x
show ip ospf neighbor 

debug ip ospf adj

trace x.x.x.x source y.y.y.y

OSPF virtual links

show ip ospf int brief
show ip ospf virtual-links
show ip ospf nei
show cdp nei

debug ip ospf adj

IPv6 OSPF Authentication and Troubleshooting

OSPFv3 authentication is either none or IPsec (identified by an SPI)

Can config on the area or the interface
If both are configured, the interface-level settings take precedence

Area config
spi [choose number for SPI index 256 and higher] md5 [choose key]
area 1 authentication ipsec spi 678 md5 1234567890ABCDEF1234567890ABCDEF

You can see it's quicker to get a whole area up and working with IPsec if all routers in the area have the same config

Interface config

Depending on hardware/software versions it will be one of these commands
ospfv3 authentication ipsec spi 500 md5 0 1234567890ABCDEF1234567890ABCDEF

ipv6 ospf authentication ipsec spi 500 md5 1234567890ABCDEF1234567890ABCDEF

Commands
show ipv6 ospf

conf t
ipv6 router ospf 1 
area 0 authentication ipsec spi 1000 md5 0 1234567890ABCDEF1234567890ABCDEF
SHA1 uses a 40 hex character key (the MD5 keys shown here are 32)

show ipv6 ospf int gig 2/0
show ipv6 ospf int brief

F/C column: F = full adjacencies, C = neighbor count
1/1 means one neighbor and it is fully adjacent

show crypto engine connections active
This will show the IPsec SAs

show crypto ipsec sa
This will also show the IPsec SAs

show crypto ipsec policy
Two families: ESP and AH

Enable auth for area 1 (at area level)
conf t
ipv6 router ospf 1
area 1 authentication ipsec spi 1000 md5 1234567890ABCDEF1234567890ABCDEF

Same config applied to all routers in the area 
If the area is config'd the same the OSPF interfaces will inherit that authentication from the area.

show crypto ipsec policy

Enable interface auth between R2 (area0) and R4 (area2) (at interface level)
conf t
int gig2/0
ipv6 ospf authentication ipsec spi 1000 md5 1234567890ABCDEF1234567890ABCDEF

Apply the same config to interface on the other side

do show cdp neighbor 
show crypto engine connections active


Troubleshooting OSPF Authentication

show ipv6 route
We see a /65 route sending the traffic to Null0; this route is being used because it's static and more specific.
no ipv6 route 2001:DB8:6783:8::/65

show ipv6 ospf
Reference bandwidth unit is 1000 mbps
Gigabit will cost 1
Fastethernet will be cost 10


show ipv6 ospf neighbor

show ipv6 ospf int brief
F/C (Full adjacency/count)
1/1  (we have neighbour up)
0/0 (its not working)

Check other side has ospf enabled and in the correct area
show ipv6 ospf int brief
PID shows as 1 and Area shows as 0

debug ipv6 ospf adj

Check authentication on both sides
show ipv6 ospf int gig2/0
MD5 authentication SPI 256, secure socket UP

Check other side
show ipv6 ospf int gig1/0
No auth seen

show ipv6 ospf

No area auth

The issue here is
No area authentication set up
R1 has interface auth set up
R2 does not

Possible fixes
Match the interface authentication config on R1 and R2
Remove interface auth from R1
Remove interface auth from R1 and enable area auth on both sides

show crypto ipsec policy
show the SPI number and the key

-------------------------

show ipv6 int brief 
interface is admin down
no shut

show ipv6 ospf int brief 

Check if there is a virtual link
show ipv6 ospf virtual-links
Looks good

show ipv6 route ospf

show ipv6 ospf int brief

show ipv6 ospf nei

R1 shows it has authentication enabled
The other routers do not

show ipv6 ospf neighbor

show crypto ipsec policy 

Config area auth on the routers that are missing it (R3 )
conf t
ipv6 router ospf 1
area 0 authentication ipsec spi 1000 sha1 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

One router was missing authentication for the backbone area

IPv4 OSPF Network Types

Broadcast (the routers are on the same LAN and will see each other's hello packets)
Neighbor states on the way to adjacency:
Init
Two-way
ExStart
Exchange
Loading
Full

Non-broadcast (not on a LAN)
Manually config neighbors

Point-to-point (no DR)
Frame relay (point-to-multipoint) (no DR)

The issue that can occur is that the default hello/dead timers differ between these network types, and a mismatch across a link can cause issues.

Show commands
show ip ospf int brief
See which interfaces have OSPF enabled

show ip ospf neighbor
Show the current neighborships

show ip ospf
Show details of areas, authentication, interfaces in each area

show ip ospf interface gig1/0
Show details for that interface: IP, area, network type (BROADCAST), timers, etc.


IPv4 OSPF Network Types TS

Ping + trace from the PC1 to  PC2

see what's running
show ip protocols

Look for learned routes, check for default route as well.
show ip route 
show ip route ospf

Check for neighbours
show ip ospf nei

Check for State (DR/BDR) and F/C (we want 1/1)
show ip ospf int br

We found R6 using broadcast, R8 using point-to-multipoint
show ip ospf int fa4/1

Change the config on fa4/1 back to broadcast

conf t
int fa4/1
no ip ospf network (back to the default, which is broadcast on Ethernet)

Ping is working now but it's taking the FastEthernet path over the Gigabit path it should take

Check the reference bandwidth; it is shown above the area section in show ip ospf.
show ip ospf
It's 1000 on both routers

Check for the adjacency between R1+R2
show ip ospf int brief
show ip ospf nei

Check the network type on the interfaces
show ip ospf int gig1/9
We see NON_BROADCAST is set
This could work if we have a neighbor setup

Check other side
show ip ospf int br
show ip ospf int gig2/0

Both sides are set to non-broadcast but don't have a neighbor statement, so it will never come up.

We should change both to broadcast, but it can work with just one of them set as broadcast as that side will then send out hello packets.

conf t
int gig2/0
no ip ospf network (set back to default)
show ip ospf int gig2/0

Match the other side
conf t
int gig1/9
no ip ospf network 


Ethernet networks should both be broadcast
Waiting (elect DR and BDR)
Then become fully adjacent

Init
2-Way
ExStart
Exchange
Loading
Full

Check if its up
sh ip ospf int br

We see one side thinks the network is /25 and the other /24. Both think they are DR.

Fix the mask
int gig 2/0
ip address 10.0.12.2 255.255.255.0

Now one is DR and one BDR

Now our ping works and the trace takes the best path.

TS LAB2
ClientPC -> PC7 and PC7

Ping and trace the IP's to see where we are at
ping 10.1.7.10
ping 192.168.1.10
tracert -d 10.1.7.10
tracert -d 192.168.1.10

Test our pings and they don't work (in the client VM)

Area mismatch R1 <-> R3
show ip ospf int brief
We can see PID1 area 0 but full adjacency/count shows as 0/0 (F/C)

show ip protocols 

Interface is in the wrong area, fix that
conf t
router ospf 1
no network 10.0.0.0 0.0.255.255 area 1
network 10.0.0.0 0.0.255.255 area 0

Check the neighbors/adjacency on the path
show ip ospf
show ip ospf int brief
Check the area is correct for interfaces

show ip int br
R6 is on P2MP 
R4 is on P2P

We can change P2MP back to P2P
We can also leave as P2MP and change the timers and that should work as well.

sh ip ospf int ser3/2 (will see the timers here)

conf t
interface ser3/2
ip ospf hello-interval 10

Network types OSPF IPv6

Broadcast  -> DR
Non-Broadcast -> DR
P2P (no DR) same network, same area etc
P2MP (no DR)




Network types OSPF IPv6 LAB


show ipv6 int brief
trace 2001:DB8:6783:57::5

show ipv6 ospf neighbor

show ipv6 ospf int brief

conf t
ipv6 unicast-routing
int gig0/0
ipv6 ospf 1 area 1
int gig2/0

show ipv6 ospf interface

Check R5
show ipv6 ospf int brief

Check the interface is actually up
show ipv6 int brief

conf t
int gig1/0
ipv6 ospf 1 area 1

show ipv6 ospf nei

show ipv6 route

show ipv6 ospf
conf t
int ser 3/1
no ipv6 ospf int br

Change an interfaces network type
conf t
interface g2/1
ipv6 ospf network point-to-point


Sometimes we will find the network type is the same but the hello timers are off.
Sometimes we will find the network type is different and the hello timers are off; you can just fix the hello timers so they match.

Hello 40, Dead 160, Wait 160, Retransmit 5
Hello 30, Dead 120, Wait 120, Retransmit 5
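The troubleshooting labs above keep running into the same handful of mismatches (area, hello/dead timers, network type, subnet mask, MTU, authentication, passive or shut interfaces). As an added Python example that is not part of these notes or of any Cisco tool, here is a small checker that takes the values you read from show ip ospf interface on both ends of a link and lists why the adjacency cannot reach Full. The interface values are constructed; the default timers per network type (10/40 for broadcast and point-to-point, 30/120 for non-broadcast and point-to-multipoint) follow IOS defaults and are an assumption of this model.

```python
from dataclasses import dataclass
from ipaddress import ip_interface
from typing import Optional

# Added example (not from the course notes): a model of the checks an OSPFv2
# neighbor relationship has to pass before it can reach Full. Interface values
# are constructed. Default timers per network type are the IOS defaults and are
# an assumption of this model.

DEFAULT_TIMERS = {             # network type -> (hello, dead) in seconds
    "broadcast": (10, 40),
    "point-to-point": (10, 40),
    "non-broadcast": (30, 120),
    "point-to-multipoint": (30, 120),
}
DR_TYPES = {"broadcast", "non-broadcast"}   # types that elect a DR/BDR


@dataclass
class OspfIntf:
    router: str
    address: str                          # e.g. "10.0.12.1/24"
    area: int
    network_type: str = "broadcast"
    hello: Optional[int] = None           # None -> default for the network type
    dead: Optional[int] = None
    mtu: int = 1500
    auth: tuple = ("null", None)          # (type, key), e.g. ("md5", "Password1")
    admin_up: bool = True
    passive: bool = False
    neighbors_configured: bool = False    # 'neighbor x.x.x.x' statements (NBMA)

    def timers(self) -> tuple:
        h, d = DEFAULT_TIMERS[self.network_type]
        return (self.hello or h, self.dead or d)


def adjacency_blockers(a: OspfIntf, b: OspfIntf) -> list:
    """Return the reasons (possibly none) why a and b will not become fully adjacent."""
    problems = []
    for i in (a, b):
        if not i.admin_up:
            problems.append(f"{i.router}: interface is administratively down")
        if i.passive:
            problems.append(f"{i.router}: passive interface, no Hellos sent")
    if a.area != b.area:
        problems.append(f"area mismatch ({a.area} vs {b.area}): Hello is dropped")
    if a.timers() != b.timers():
        problems.append(f"hello/dead mismatch {a.timers()} vs {b.timers()}: Hello is dropped")
    # The Hello carries the network mask on multi-access types; it must match.
    if (a.network_type in DR_TYPES or b.network_type in DR_TYPES) and \
            ip_interface(a.address).network != ip_interface(b.address).network:
        problems.append("subnet mask mismatch on a multi-access link: Hello is dropped")
    if (a.network_type in DR_TYPES) != (b.network_type in DR_TYPES):
        problems.append("one side expects a DR election and the other does not")
    if a.network_type == b.network_type == "non-broadcast" and \
            not (a.neighbors_configured or b.neighbors_configured):
        problems.append("both sides non-broadcast with no neighbor statements: nobody sends Hellos")
    if a.auth != b.auth:
        problems.append("authentication type or key differs: packets fail authentication")
    if a.mtu != b.mtu:
        problems.append(f"MTU mismatch ({a.mtu} vs {b.mtu}): stuck in ExStart/Exchange")
    return problems
```

The order of the checks mirrors where each mismatch bites: area, timers, mask and authentication stop the Hello from being accepted at all (neighbor never leaves Init/Down), while an MTU mismatch only shows once the Database Description exchange starts, which is why that one presents as a neighbor stuck in ExStart.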

TS IPv4 OSPF Areas

OSPF LSA and area type review

Type 1 - Router (generated by every router in the area that is participating in OSPF)
Type 2 - Network (generated by the designated router on a segment if there is another OSPF speaker on it)
Type 3 - Summary (generated/injected by ABRs, summary LSA for routes in another area)
Type 4 - ASBR summary (injected by ABRs, describes how to reach the ASBR)
Type 5 - External (redistributed routes come in as type 5; they go all the way through the network, forwarded by ABRs)
Type 6 - 
Type 7 - Generated by an ASBR, describes routes redistributed within an NSSA. They get converted to type 5 as they pass into areas that support type 5 LSAs

Stub area
We can make a stub area and not allow LSA type 5's in. It won't generate type 4 LSAs since it no longer has to tell people how to reach the ASBR

Totally stubby area
Stops LSA type 5s and type 3s. There will be 1 LSA type 3, which is the default route.

NSSA (not so stubby area)
What if we want to redistribute some routes in a stub area but keep it as a stub? We can use LSA type 7.

Totally NSSA 
Allow LSA type 7 
Stop type 5 (Does not inject redistributed routes)
Stop type 3 (Does not inject summary routes)

ABR's are key to deciding if an area is totally X or not.

Area          | Restriction
Normal        | None
Stub          | No Type 5 AS-external LSAs allowed; stops sending Type 4
Totally Stub  | No Type 3, 4 or 5 LSAs allowed except a single Type 3 (the default summary route)
NSSA          | No Type 5 AS-external LSAs allowed, but Type 7 LSAs that convert to Type 5 at the NSSA ABR can traverse
Totally NSSA  | No Type 3, 4 or 5 LSAs except the default summary route, but Type 7 LSAs that convert to Type 5 at the NSSA ABR are allowed

TS IPv4 OSPF Areas LAB

show ip ospf
Look for the lines below
It is an autonomous system boundary router (Tells us it is ASBR)
Redistributing External Routes from, (its redistributing)
 Static, includes subnets in redistribution
.
.
.
Area BACKBONE (0) 
       Number of interfaces in this area is X
       Area has no authentication 

From the client ping/trace to get an idea
ping 192.168.1.8
This should show us which router to start at, or we can start at the router connected to our host
trace 192.168.1.8

Good idea to check what's running: is OSPF on, do we have IPv6, etc.
show ip proto

On the router see if we have learned OSPF routes at all
Also check for default GW
show ip route ospf

Check the interfaces running OSPF, are they in the correct PID and Area ?
Check the state and the F/C status
show ip ospf int br

Check the router ID
Check what authentication is setup
Check the interfaces in the area
show ip ospf

Checking other side

show ip protocols
We see "ospf 1" running
We can see "1 normal" area no stub or nssa

We can ping 
We see the routes in cdp neighbors
Still not coming up
We see they are stuck in exstart

Check the interface MTU on both side
show interface gig2/0

We could also see an MTU error if we ran a debug
debug ip ospf adj

interface gig1/0
no ip mtu


---------------------------

We notice R6 has an interface in area 1, but should have all in area 2
show ip ospf int br

Check the network statement
show ip protocols

We see all networks are added to area 2 but area 1 has been manually configured on an interface
Routing on Interface Configured explicitly  (area1):
FastEthernet 4/0
 
Remove the command from the interface to bring it back into area 2
conf t
interface fa4/0
no ip ospf 1 area 1

---------------------------

Now we have connectivity but not optimal path

Check neighbors
show ip ospf nei

We find a missing one on R2

Check interface    
show ip ospf int br

We see gig1/0 says its DR but 0/0 for F/C

We check MTU
Check the interface is up
Can ping
The IP and subnet mask are correct

On R2 we see passive interface is setup
show ip ospf int gig1/0
No Hellos (Passive Interface)

Fix the issue, remove passive-interface command
conf t
int gig 1/0
no passive-interface


TS IPv4 OSPF Areas LAB2

Verify the issues
R7
trace 192.168.1.8

R8
sh ip route ospf


Start on R7

Check ospf
show ip ospf
Routing process "ospf 1" with ID 3.3.3.3

We found R7 router ID was 3.3.3.3, this should be 7.7.7.7

Fix the router ID
no router ospf 1
router ospf 1 
router-id 7.7.7.7
network 0.0.0.0 255.255.255.255 area 1
area 1 stub

R8 we want to see the R5 routes 10.1.55.x on R8

First stop, let's check it's working on R5 because if it's not there it can't be shared out

Check ospf 
show ip ospf
We see its redistributing external routes from static

Check the static routes
show ip route static

We see the static routes are there

Check the LSA database
show ip ospf database external

It's not there, so it's not sending them out.

Lets check ospf in detail
show ip ospf

We see the following:
It is an autonomous system boundary router (ASBR)
Redistributing external routes from,
 Static, includes subnets in redistribution (setup for redistribution)
Reference bandwidth unit is 1000 mbps (Has been modified to 1000 but looks good)
Area 1 we have 4 interfaces in it
It is a stub area (the area is stub, this is the issue doesn't allow LSA type 5)
Area has no Authentication (No auth, not the issue but worth checking on both sides)

Lets change to a NSSA
Change needs to be made on all routers in the area: R1, R3, R7
conf t
router ospf 1
no area 1 stub
area 1 nssa

R5 brings routes in as LSA type 7
R3 converts to LSA type 5 and propagates into the area

R8 is also in a stub area; now the LSA is type 5 so we have to make area 2 no longer a stub.

Change area 2 to be a normal area, needs to be applied to all routers in the area R4, R6, R8
conf t
router ospf 1
no area 2 stub


TS IPv6 OSPF Areas LAB

This is for IPV6 OSPFv3

Check the IP on the interface
show ipv6 int br

Check of IPv6 OSPF routes
show ipv6 route ospf

Check for IPv6 OSPF neighbors 
show ipv6 ospf nei

Looks good, lets check the ABR (R3)

Check of IPv6 OSPF routes
show ipv6 route ospf

Check for IPv6 OSPF neighbors 
show ipv6 ospf nei

We find ospf is not working

Check ipv6 OSPF
show ipv6 ospf

We see
Area 0 (BACKBONE) inactive
Number of interface in this area is 2

Check the ipv6 protocols
show ipv6 protocols

Check ospf interfaces
show ipv6 ospf int br 

We see the areas are correct but the F/C is 0/0
Things to check interface MTU, authentication, timers

Check OSPF
show ipv6 ospf

We see MD5 authentication
When we check router 1, it's not set up

Fix the issue on R3 by removing the MD5 authentication 
conf t
ipv6 router ospf 1
no area 0 authentication ipsec spi 256


R4 thinks area 2 is Stub
Area 2
Number of interface in this area is 1
It is a stub area

R6 does not think the area is stub
Area 2
Number of interface in this area is 2
SPF algorithm executed 5 times

All routers in the area must agree on the area type

Fix the issue on R6 by making area 2 a stub under the ipv6 router ospf 1 process
conf t
ipv6 router ospf 1
area 2 stub

TS IPv6 OSPF Areas LAB2

We got an error saying Receive packet with incorrect area from FE80::C806:15FF:FE78:6, Serial3/1, area 0.0.0.1, packet area 0.0.0.2

This indicates we have an area mismatch. Area 1 is being used instead of Area 2.

Check OSPFv3 (IPv6)
sh ipv6 ospf 

Check the interfaces 
sh ipv6 ospf int br

We see Serial3/1 is in area 1, this should be area 2.

Fix the issue by changing Serial3/1 to area 2
conf t
interface Ser3/1
ipv6 ospf 1 area 2

We are still not learning the network behind R8

Check the interface
sh ipv6 int br

Check the router
sh ipv6 ospf

Check the ospf interfaces
sh ipv6 ospf int br

We see gig0/0 is in area 8. Area 8 does not have an ABR. We can fix by connecting Area 8 to the backbone via an ABR or just change the area.

Fix the issue by switching gig0/0 back to area 2 on R8
conf t
int gig0/0
ipv6 ospf 1 area 2
exit


TS Virtual links IPv4

Area 1 <-> Area 0 <-> Area 2

Area 0 is the backbone
Other areas need to be connected via ABRs

Area 1 <-RA-> Area 0 <-RB-> Area 2

If we have an area not connected to an ABR/backbone then it won't work. There are a few solutions
1 Connect a router in the new area back to the backbone; it then becomes an ABR and your new area will work. However there might be costs in doing that, or we can't run a physical link.

Another solution is to extend the area it's attached to, i.e. area 1 or 2; those areas are already connected to the backbone via the ABRs RA and RB.

We can connect these non-backbone areas with a virtual link. This is like a bandaid, a temporary way to connect the area back to the backbone logically (not physically).

Connect the virtual link between the router-id's

Area 8 <- RC -> Area 1 < - RA-> Area 0

We create the virtual link between RC and RA. Now RC becomes an ABR connecting area 8 to the backbone. The area the virtual link crosses (area 1 here) is known as the transit area. Now routes will be advertised.

Only to solve a temporary problem, never design a network like this and push towards removing them for existing environments 

Implement a virtual link

R7 (when virtual link is setup, R7 will essentially become an ABR)
conf t
router ospf 1
area 1 virtual-link 3.3.3.3 (router ID)

Config the other side

R3 (the real ABR)
conf t
router ospf 1
area 1 virtual-link 7.7.7.7

show ip ospf int br
VL0 (is the virtual link)

F/C (full/count) we want to see a 1/1 
State will usually be P2P

show ip ospf
We will see the new area

We can also steer a route onto the best path with a static route, which has a lower AD (administrative distance) than the OSPF route and so wins.

conf t
ip route 10.47.0.0 255.255.255.0 10.2.68.8 (make sure to make it a specific route)

TS virtual link lab 1

Can't create a virtual link in a stub area

show ip ospf int br

First put the new area into the correct area
conf t
int ser 3/1
ip ospf area 2

Config the virtual link between both routers, but it did not come up.

Check if ospf is connected
show ip ospf nei

Check debugs
debug ip ospf adj
debug ip ospf hello

R6
conf t
int ser 3/2
no ip ospf network


show ip ospf nei

TS virtual link lab 2

Create loopback on R7 in area 7

show ip int br

conf t
int loopback 7
ip add 77.77.77.77 255.255.255.255
ip ospf 1 area 7


R7
conf t
router ospf 1 
area 1 virtual-link 3.3.3.3

R3
conf t
router ospf 1 
area 1 virtual-link 7.7.7.7

Link didn't come up, check
show ip ospf virtual-links

check router ID's
show ip protocols

check routes
show ip route ospf

Check for neighbors
show ip ospf nei

On R5 we see two neighbors with the same router ID configured

R3

conf t
no router ospf 1
router ospf 1
net 3.3.3.3 0.0.0.0 area 0
net 10.0.0.0 0.0.255.255 area 0
net 10.1.0.0 0.0.255.255 area 1
auto-cost reference-bandwidth 1000


show ip ospf 
Router ID was changed to 3.3.3.3 now

Config virtual link
conf t
router ospf 1
area 1 virtual-link 7.7.7.7

Check 
show ip ospf nei
show ip ospf virtual-links


TS virtual links in OSPFv3 / IPv6

R7
show ipv6 int br

Add that interface into OSPF area 78
conf t
interface ser 3/1
ipv6 ospf 1 area 78

Area 78 doesn't have an ABR

Four options
1 - Include link between R3 <-> R8 in area 78 this would mean area 78 would have an ABR
2 - Create a virtual link
3 - Change area 78 to area 1 or 2 so its connected to backbone
4 - Create a GRE tunnel R7 <-> R3, R7 becomes ABR

Can't make virtual link in NSSA or Stub area 

add the interfaces into area 78 on both sides
int Ser3/2
ipv6 ospf 1 area 78

Area 78 needs an ABR so it can connect to the backbone area otherwise it won't work.

Area 1 is a NSSA
show ipv6 ospf
Under Area 1 we see
"It is a NSSA area"


Remove NSSA area from ospf process 1
conf t
ipv6 router ospf 1
no area 1 nssa

Config the virtual-link on both sides
R7
Conf t
ipv6 router ospf 1
area 1 virtual-link 3.3.3.3

R3
Conf t
ipv6 router ospf 1
area 1 virtual-link 7.7.7.7

Show commands to check
show ipv6 ospf int brief
show ipv6 ospf nei
show ipv6 ospf virtual-links
show ipv6 route ospf


TS virtual links in OSPFv3 / IPv6 LAB1

Check IPv6 interfaces
show ipv6 int br

Config interfaces into IPv6 ospf process 1 area 78
int ser 3/1
ipv6 ospf 1 area 78

Config the same on the other side

In this case we didn't have to use a virtual link, just needed to put the interface into the correct area

TS virtual links in OSPFv3 / IPv6 LAB2

GRE tunnel setup (working config)

R3
interface tunnel0
no ip address
ipv6 address 2001:DB8:6783:37::3/64
ipv6 ospf 1 area 0
tunnel source 2001:DB8:6783:35::3
tunnel mode ipv6
tunnel destination 2001:DB8:6783:57::7
tunnel path-mtu-discovery

R7
interface tunnel0
no ip address
ipv6 address 2001:DB8:6783:37::7/64
ipv6 ospf 1 area 0
tunnel source 2001:DB8:6783:57::7
tunnel mode ipv6
tunnel destination 2001:DB8:6783:35::3
tunnel path-mtu-discovery

We get a topology that's not working and we need to check it

Verify the IPv6 address on tunnel0
show ipv6 int br

Check both sides

Check if we have OSPF neighborships
show ipv6 ospf nei

One side of the tunnel says up/up the other says up/down

Check tunnel interface on problem router
show ipv6 int tunnel0
sh int tun0
We see the wrong destination on the tunnel is configured

Fix the issue on R3
conf t
int tun0
tunnel destination  2001:DB8:6783:57::7
end

Check if the neighborship has come up
show ipv6 ospf nei

Check R7
show ipv6 ospf int brief
We see Serial3/1 is not enabled for OSPFv3 in the right area

Fix the issue on R7
conf t
int Ser 3/1
ipv6 ospf 1 area 78

Check connectivity
ping 2001:DB8:6783:78::8
traceroute 2001:DB8:6783:78::8


OSPF path preference

Let's say a router receives multiple routes for the same network. How will OSPF choose which one to place in the routing table?

By default
O - Intra-area route
O IA - Inter-area route

After that it depends on the software version for external type 1 (E1), external type 2 (E2), NSSA type 1 (N1) and NSSA type 2 (N2)

Setup a loop back interface and put it into ospf 1 area 0
conf t
int loop 123
ip add 123.0.0.1 255.0.0.0
ip ospf network point-to-point (we need this command, otherwise the loopback is advertised as a /32 route and we want the /8)
ip ospf 1 area 0

Setup a loop back interface and put it into ospf 1 area 123
conf t
int loop 123
ip add 123.0.0.2 255.0.0.0
ip ospf network point-to-point (we need this command, otherwise the loopback is advertised as a /32 route and we want the /8)
ip ospf 1 area 123

Redistribute static routes as external type 1 (E1)
conf t
ip route 123.0.0.0 255.0.0.0 null0
router ospf 1
redistribute static subnets metric-type 1

Redistribute static routes as external type 2 (E2)
conf t
ip route 123.0.0.0 255.0.0.0 null0
router ospf 1
redistribute static subnets metric-type 2

Make area 1 under ospf process 1 a not so stubby area (NSSA) and redistribute (E1)
conf t
router ospf 1
area 1 nssa 
exit

conf t
ip route 123.0.0.0 255.0.0.0 null0
router ospf 1
redistribute static subnets metric-type 1

Make area 1 under ospf process 1 a not so stubby area (NSSA) and redistribute (E2)
conf t
router ospf 1
area 1 nssa 
exit

conf t
ip route 123.0.0.0 255.0.0.0 null0
router ospf 1
redistribute static subnets metric-type 2

Debug routing table, let me know if the routing table changes
debug ip routing

Stop a router from redistributing static routes
conf t
router ospf 1
no redistribute static

You can stop a router sharing routes by removing its interface
conf t
no int loop 123


Show commands
show ip route ospf
show ip route ospf | i  123.

1st - O (intra area route, even if it has a huge cost)
2nd - O IA (Inter Area route, even if it has a huge cost)
3rd - E1
4th - N1
5th - E2
6th - N2

The 1st and 2nd places (O, then O IA) are fixed; the order of 3rd to 6th can change depending on the software version. On IOS 15.2 it is as shown above.

Mnemonic device
One
Other Idiot And
Evan 1
Never 1
Eating 2
Nachos 2


Beginning BGP

BGP is the protocol of the internet, used by service providers / telecoms connecting routers which are  exchanging routes between each other.

If we take Verizon they have their external routers running BGP. Behind those they have routers running OSPF or EIGRP down to your home router.

Routes in Romania are shared across Europe over to the USA.

There are about 800,000 routes that make up the current internet.

The ISP network and everything inside it is known as an autonomous system, usually referred to by its "AS number". The way BGP works, we advertise: if you want to reach 100.0.0.0/8, which is inside our AS, then just send it to R1 and it will look after the rest. R1 routes that internally; it could use iBGP, EIGRP, OSPF or a combination. We don't care, BGP has sent it to the right AS.

Service providers/carriers want to avoid overly specific subnets. Many carriers use BGP filtering to not allow you to advertise anything longer than a /24. They want to be working with /24s, /16s and /8s; this will change from carrier to carrier. They would not accept a /30 or /27 for example; it's too specific, let the IGP inside the AS look after that. They are just concerned with delivering the traffic to the correct AS's router and letting it look after the rest from there.

BGP is a deliberate protocol. There is no automatic/dynamic discovery of neighbors. The config needs to be done manually on both sides. It uses TCP port 179 so its reliable and can be routed. So there can be routers in-between BGP routers.

R1 (AS100) <-> Rx <-> Ry <-> Rz <-> (AS200) R2

BGP basic config

Carrier1 AS100 
Carrier2 AS200

Carrier1 has a customer with a public IP behind AS100 and wants to share that out to carrier 2 (AS200)

In our config 
R2 (AS100)
R4 (AS200)

router bgp [AS Number], this is AS number not a process instance. Once we've configured as one AS number we can't be running BGP as another AS number. A router can only represent one AS.

Enter config
router bgp [AS number]
Define our neighbor's IP x.x.x.x followed by their remote-as xxx
The neighbour must have the same config done on the other side.
Advertise networks
network 2.2.2.2 mask 255.255.255.255 
We must include the exact mask, we can only advertise networks that we do know about

R2
conf t
router bgp 100
neighbor 100.100.24.4 remote-as 200
network 2.2.2.2 mask 255.255.255.255
network 172.16.12.0 mask 255.255.255.0

R4
conf t
router bgp 200
neighbor 100.100.24.2 remote-as 100


To bring up the BGP
R2 needs to send a TCP packet on port 179 to R4 100.100.24.4
It looks up its routing table (routing information base, RIB)
It saw a locally connected interface to that network.
It was sourced based on the IP 
We can then add networks to advertise. We must provide the exact mask of the network we have attached in "sh ip int br"

When R4 got the packet it checked the source address
Checked its BGP table to see if it had any neighbors configured with that address
We had made that config so it matched
Then check the AS number matches

When R4 sent a packet back to R2 the same process happened, checking the source IP and AS number

Show commands
show ip bgp neighbors

BGP neighbor is 100.100.24.4, Remote AS 200, external link
BGP version 4, remote router ID 4.4.4.4

holdtime is 100, keep interval is 60 seconds

Some of the items above to look for: we can see the neighbor IP and the remote AS; we can also see if it's an external or internal link, which tells us if we are using eBGP or iBGP. We can also see the remote router ID.

By default BGP will select the highest loopback address, otherwise the highest physical address will be used.

Timers are also important to check. The neighbour relationship stays valid for the 180 second hold time; if we don't get a keepalive within that time the connection is torn down. Keepalives are sent every 60 seconds, 1/3 of the hold timer. It's slow on purpose because things are always changing on the internet.

The output of "show ip bgp neigh" is very large but needed for ISPs.

When we just want to check if neighbors are up we can use
show ip bgp summary

Here we see the neighbor IP
BGP version
AS number
How many messages received 
How many messages sent
Table versions
InQ
OutQ
Up/Down (00:18:47)
State/PfxRcd (state / prefix received) 2 will be shown if 2 networks were shared so we are looking to have a number there.

show ip route
We can see the route in the routing table denoted by a "B"

eBGP vs iBGP

We saw external BGP connecting across the internet, but we might have internal BGP connections inside our own AS. eBGP behaves a bit differently to iBGP.

iBGP
Here we use our internal AS number as the remote AS

R1
router bgp 100
nei 172.16.12.2 remote-as 100

R2
conf t
router bgp 100
nei 172.16.12.1 remote-as 100 

show ip bgp nei
We will see: remote AS 100, internal link

R4
Has a loop back of 4.4.4.4
router bgp 200
network 4.4.4.4 mask 255.255.255.255

Check R2
show ip bgp
We see 4.4.4.4 
ping 4.4.4.4 is working

show ip route
We see 4.4.4.4 learned from BGP (B) and with an administrative distance of 20 which is the AD for external BGP

Check R1
show ip route
But we didn't learn about 4.4.4.4
R1 -> R2 -> R4 (4.4.4.4)

show ip bgp
We actually see 4.4.4.4 is in there but not a best route. Missing the ">"


This is because the route was learned through eBGP on R2, which changed the next hop address to itself; iBGP does not do this, it keeps the next hop as is.

The only way for R1 to install the route is if it could reach the next hop address (R4's address on the link to R2), which it is not connected to.

eBGP, iBGP and next-hop-self

eBGP changes the next hop address
iBGP does not do this by default

When R4 advertised 4.4.4.4 to R2 it changed its next hop IP to be the address connected to R2
R2 got the route and had no issue because it can reach the next hop address on R4
R2 sent it to R1 but didn't change the next hop address
R1 didn't install it into its routing table

We can change this

R2
conf t
router bgp 100
nei 172.16.12.1 next-hop-self

Now the routes sent to R1 will carry R2's own address on the link towards R1 as the next hop
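The next-hop behaviour described above (eBGP rewrites the next hop to the advertising router's link address, iBGP leaves it alone unless next-hop-self is set, and a route whose next hop is unreachable is never installed) as an added Python model. This is not Cisco code and not from the course; router names, AS numbers and addresses are the constructed values from the notes above (R4 in AS 200, R2 and R1 in AS 100).

```python
from dataclasses import dataclass, field, replace
from ipaddress import ip_address, ip_network

# Added example (not from the course notes): a model of how the BGP next hop
# changes, or does not change, as a route crosses eBGP and iBGP sessions, and
# why a route whose next hop is unreachable never reaches the routing table.
# Router names, AS numbers and addresses are constructed values from the notes.


@dataclass
class BgpRoute:
    prefix: str
    next_hop: str
    as_path: tuple = ()


@dataclass
class Router:
    name: str
    asn: int
    rib: list                                         # prefixes already routable (connected/IGP)
    next_hop_self: set = field(default_factory=set)   # peers towards which we rewrite the next hop
    bgp_table: dict = field(default_factory=dict)     # prefix -> (route, valid)

    def can_reach(self, address: str) -> bool:
        """Next-hop validity check: some route in the RIB must cover the next hop."""
        return any(ip_address(address) in ip_network(p) for p in self.rib)


def advertise(sender: Router, receiver: Router, route: BgpRoute, sender_link_addr: str) -> BgpRoute:
    """Build the route as the receiver sees it. eBGP: next hop becomes the sender's
    address on the shared link and the sender's AS is prepended. iBGP: AS path and
    next hop are left untouched unless next-hop-self is set towards this peer."""
    if sender.asn != receiver.asn:
        return replace(route, next_hop=sender_link_addr, as_path=(sender.asn,) + route.as_path)
    if receiver.name in sender.next_hop_self:
        return replace(route, next_hop=sender_link_addr)
    return route


def receive(router: Router, route: BgpRoute) -> bool:
    """Put the route in the BGP table; only a route with a reachable next hop is
    marked valid (the '>' best path) and installed in the routing table."""
    valid = router.can_reach(route.next_hop)
    router.bgp_table[route.prefix] = (route, valid)
    if valid:
        router.rib.append(route.prefix)
    return valid


def scenario(next_hop_self: bool) -> dict:
    """Replay the notes: R4 originates 4.4.4.4/32, R2 learns it via eBGP and
    passes it to R1 via iBGP. Returns who installed the route and what R1 saw."""
    r4 = Router("R4", 200, ["100.100.24.0/24", "4.4.4.4/32"])
    r2 = Router("R2", 100, ["100.100.24.0/24", "172.16.12.0/24"],
                next_hop_self={"R1"} if next_hop_self else set())
    r1 = Router("R1", 100, ["172.16.12.0/24"])
    origin = BgpRoute("4.4.4.4/32", next_hop="0.0.0.0")
    at_r2 = advertise(r4, r2, origin, sender_link_addr="100.100.24.4")
    r2_ok = receive(r2, at_r2)
    at_r1 = advertise(r2, r1, at_r2, sender_link_addr="172.16.12.2")
    r1_ok = receive(r1, at_r1)
    return {"R2": r2_ok, "R1": r1_ok,
            "next_hop_at_R1": at_r1.next_hop, "as_path_at_R1": at_r1.as_path}
```

Running scenario(False) reproduces the lab: R2 installs the route, R1 keeps it in the BGP table with next hop 100.100.24.4 but never marks it best because nothing in its RIB covers that address. scenario(True) is the state after "neighbor 172.16.12.1 next-hop-self" on R2. The alternative fix the model also supports is to put the 100.100.24.0/24 link into the IGP so that R1 can resolve the original next hop.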

How BGP chooses the best path
There are a lot of factors that go into BGP selecting the best path, but by default it will be looking at the AS path, which is like an AS hop count. A path could look like 200 100 i.

When the networks statement is made we advertise the prefix + path attributes (metric, local preference, weight, path)

That combination of prefix + path is known as NLRI 
Network Layer Reachability Information

NLRI's are sent and received on routers running BGP.

The BGP process

There is a lot happening in the BGP process but  in summary BGP:

  • Brings routes in (Adj-RIB-IN or RIB IN)
  • Processes those routes (loc-RIB or BGP database)
  • Sends routes out (Adj-RIB-OUT or RIB OUT)

There are 3 databases for this 

RIB  IN
No show command to see this because so many routes come in and get processed; after they are processed this table is constantly emptied

Routes that come in from iBGP/eBGP peer. 
The peer has sent us a NLRI (prefix + path attributes)
Inbound route policies are applied to the RIB IN
These can be route maps, prefix lists, distribute lists or AS-path ACLs
These policies may filter routes out or edit attributes like cost/next hop etc

BGP database
We can see the contents with show command
show ip bgp

Next hop + validity check
Remember 4.4.4.4 wasn't placed in the routing table because the next hop wasn't valid.
When we fixed it

Identify BGP Best path
In our case there was only one path to 4.4.4.4

Install routes in global RIB (routing table)

For outbound we have a similar application of policies
Outbound route policies

RIB OUT
Adj-RIB-out
We can see the contents with show command
show bgp ipv4 unicast neighbors 100.100.24.4 advertised-routes
This will show us the outbound DB for a specific neighbors and there will be one for each neighbor

The routes are then forwarded to peers

BGP update-source interface

Let's say we have 4 routers all connected to each other in a ring by an IGP (OSPF). We are going to put them in iBGP AS 100

R1 1.1.1.1 <-> R2 172.16.12.0
R1 1.1.1.1 <-> R3 172.16.13.0
R2 2.2.2.2 <-> R4 172.16.24.0
R2 2.2.2.2 <-> R1 172.16.12.0
R3 3.3.3.3 <-> R1 172.16.13.0
R3 3.3.3.3 <-> R4 172.16.34.0
R4 4.4.4.4 <-> R3 172.16.34.0
R4 4.4.4.4 <-> R2 172.16.24.0

R1 config (R2 needs to match)

Bring up OSPF process 1 area 0 and bring in all networks
conf t
router ospf 1 
network 0.0.0.0 0.0.0.0 area 0
end

conf t
router bgp 100
neighbor 2.2.2.2 remote-as 100 

debug command
debug bgp ipv4 unicast

In the debug we see the session move from Idle to Active:
open active, local address 172.16.12.1
Open failed: connection refused by remote host

We sourced the TCP session from 172.16.12.1, but R2 only has a neighbor statement for 1.1.1.1, so it refuses a connection from any other source address. We need to source from our loopback addresses, which means some changes in BGP

R1
conf t
router bgp 100
neighbor 2.2.2.2 update-source loopback 1

R2
conf t
router bgp 100
neighbor 1.1.1.1 update-source loopback 1

Here we sourced from our loopback address and the BGP neighbor came up.

So why do this? If we configured the session on the 172.16.12.x addresses BGP would work, but when the link between R1 and R2 goes down the BGP session goes down with it.

If we peer between loopbacks instead, then when the 172.16.12.x link fails the session can still reach 2.2.2.2 via R1 -> R3 -> R4 -> R2. We have to wait for OSPF to converge, but that is normally much faster than the BGP hold timer expiring, so the session stays up.

BGP address families

By default everything in BGP will go in under IPv4. Newer versions of code will split them out into address families.

Command to stop the default of putting all in IPv4
no bgp default ipv4-unicast

R2 config (remote-as is configured in global router bgp mode; the neighbor is then activated under each address family it should exchange routes in)
conf t
router bgp 100
neighbor 1.1.1.1 remote-as 100
neighbor 100.100.24.4 remote-as 200
address-family ipv4 unicast
neighbor 1.1.1.1 activate
network 2.2.2.2 mask 255.255.255.255
neighbor 100.100.24.4 activate


neighbor x.x.x.x activate
Makes neighbor relationships come to life when not using the default IPv4 unicast family

What if we wanted to share routes inside a VRF? Use the per-VRF address family, for example
address-family ipv6 unicast vrf MyVRF

IPv6

To use IPv6 we need to make sure its enabled
conf t
ipv6 unicast-routing

router bgp 100
address-family ipv6 unicast

Show the section now we will see each address family
show run | s bgp

BGP scale issues

BGP is the protocol of the internet. It can scale very well, but out of the box it is not configured to, so we need to understand where the limits are (eBGP vs iBGP) in order to configure it properly.

eBGP-learned routes
A route received from an eBGP peer (or originated locally with a network statement) is sent to all peers, iBGP and eBGP, once it is a valid NLRI.

iBGP-learned routes
A route received from an iBGP peer is sent only to eBGP peers, never to another iBGP peer (iBGP split horizon). That is why iBGP needs a full mesh between all routers in the AS.

We can avoid the full mesh with route reflectors, more on that later.

We can establish neighbors through routers
(neighbor) R1 -> R2 -> R3 (neighbor)
R2 is just a transit router but it will decrement the TTL
So we have to be aware of the number of TTL/hops

iBGP TTL: 255
eBGP TTL: 1 (by default eBGP peers must be directly connected)

More than one hop is called multihop
iBGP multihop is allowed
eBGP by default multi hop is not allowed

Show command 
show ip bgp ipv4 unicast summary

Config eBGP multihop
conf t
router bgp 100
neighbor 4.4.4.4 disable-connected-check
This lets a directly connected eBGP peer use loopback addresses while keeping TTL 1 (IOS normally refuses an eBGP session to an address that is not on a connected subnet)

This sets the number of hops allowed, the value is the TTL
neighbor 4.4.4.4 ebgp-multihop 10
Use the smallest TTL that works; a large value lets a session be built from further away than intended.

Formula for the number of sessions in an iBGP full mesh:
N = number of routers
N(N-1) / 2

If we have 4 routers, N = 4
4(4-1) / 2 = 12 / 2 = 6
There are 6 BGP sessions

What happens when we have 10,000 routers? That's a lot of BGP sessions.
A full iBGP mesh is not scalable for service providers. We can fix it with route reflectors.


BGP route reflectors 

Multiple routers can send routes to R2, but R2 will not forward an iBGP-learned route to another iBGP peer (split horizon). A full mesh solves that but doesn't scale. We can use route reflectors to forward them on.

R2, the router passing the routes on, is the route reflector
R1 is a route reflector client
R3 is not a route reflector client
R11 is not a route reflector client

Routes R2 learns from a non-client (R3) are reflected to its clients (R1) but not to the other non-clients (R11).


From the route reflector (R2) config 1.1.1.1 as a client
conf t
router bgp 100
nei 1.1.1.1 route-reflector-client

The BGP session to that neighbor resets (goes down and comes back up)

Route reflectors are configured for each address family

We got the route on R1 but it wasn't installed in the routing table because the next hop is 3.3.3.3 and R1 can't reach that.

We tried next-hop-self on R2 but it didn't work. neighbor x next-hop-self only rewrites the next hop of routes learned from eBGP; a reflected iBGP route keeps the next hop R3 set (3.3.3.3).

Ways to fix this: make 3.3.3.3 reachable via the IGP (the normal design), use neighbor x next-hop-self all on the reflector, or use a route-map to change the next hop as the route comes in

BGP route reflectors part 2

What happens when NLRI comes in from a client.
R1 (client) -> comes into R2 (route reflector)
The route is sent to all iBGP peers, clients and non-clients, as well as eBGP peers
It even bounces back to R1
R1 recognises its own router-id in the ORIGINATOR_ID attribute and discards it, so it does not cause a loop

non reflector clients routes -> clients
clients -> everywhere

show bgp ipv4 unicast summary

On R2, make R1 a client; on R1, add a loopback and advertise it
conf t
router bgp 100
nei 1.1.1.1 route-reflector-client

interface loopback 0
ip add 15.15.15.15 255.255.255.255

router bgp 100
network 15.15.15.15 mask 255.255.255.255

Check we are advertising 15.15.15.15 out
show bgp ipv4 unicast nei 2.2.2.2 advertised-routes

On R2
show bgp ipv4 unicast
r = RIB failure
r>i 15.15.15.15

We see RIB failure: because we brought every network into OSPF, OSPF (AD 110) also carries 15.15.15.15 and beats iBGP (AD 200), so the BGP route is not installed in the routing table

Lab trick: raise the OSPF distance above 200 (in production you would advertise the loopback from one protocol only rather than play with distances)
router ospf 1
distance 201
end

Now we can run show bgp ipv4 unicast
* = valid
> = best
i = internal 
*>i 15.15.15.15/32

Under show ip route we see the route appearing as a BGP "B" route now

Routes from a client will be reflected everywhere including non clients.

BGP route reflectors part 3

What happens when an advertisement comes in from an eBGP neighbor

When a route comes in from eBGP it is advertised to all iBGP neighbors (and other eBGP neighbors)
When a route comes from an iBGP neighbor it is advertised only to eBGP neighbors (plus clients if we are a route reflector)
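The three route reflector sections above boil down to one rule table (where a route goes depends on the kind of peer it came from) plus the receiver-side loop check that lets a reflector safely bounce a route back to the client that sent it. The block below is an added example, not Cisco code or part of the original notes: R2 is the reflector with R1 as client, R3 and R11 as non-clients and R4 as an eBGP peer (the topology of these notes), and the router-ids and cluster-id are assumptions.

```python
# Added example (not Cisco code): which peers a route is sent to, and the loop
# check at the receiver, for a reflector whose peers are tagged as eBGP, route
# reflector client or iBGP non-client. Constructed topology from the notes:
# R2 reflects, R1 is a client, R3 and R11 are non-clients, R4 is eBGP.

PEERS = {"R1": "client", "R3": "non-client", "R11": "non-client", "R4": "ebgp"}
PEER_ROUTER_ID = {"R1": "1.1.1.1", "R3": "3.3.3.3", "R11": "11.11.11.11", "R4": "4.4.4.4"}
CLUSTER_ID = "2.2.2.2"     # defaults to the reflector's own router-id


def targets_for(received_from, peers=PEERS):
    """Peers to which a route learned from `received_from` is advertised."""
    kind = peers[received_from]
    ebgp = {p for p, k in peers.items() if k == "ebgp"}
    clients = {p for p, k in peers.items() if k == "client"}
    non_clients = {p for p, k in peers.items() if k == "non-client"}
    if kind == "ebgp":
        return (ebgp | clients | non_clients) - {received_from}   # everywhere but the sender
    if kind == "client":
        return ebgp | clients | non_clients      # reflected everywhere, even back to the client
    return ebgp | clients                        # non-client: eBGP peers and clients only


def reflect(route, received_from, peers=PEERS):
    """Return {peer: the copy of `route` sent to that peer}. Reflected iBGP
    copies carry ORIGINATOR_ID and CLUSTER_LIST; eBGP copies never do."""
    out = {}
    for peer in targets_for(received_from, peers):
        copy = dict(route)
        if peers[peer] == "ebgp":
            copy.pop("originator_id", None)
            copy.pop("cluster_list", None)
        elif peers[received_from] != "ebgp":     # an iBGP route being reflected
            copy.setdefault("originator_id", PEER_ROUTER_ID[received_from])
            copy["cluster_list"] = (CLUSTER_ID,) + tuple(route.get("cluster_list", ()))
        out[peer] = copy
    return out


def accept(route, local_router_id, local_cluster_id):
    """Receiver-side loop check (RFC 4456): drop the route if we originated it
    or if our cluster-id is already in its CLUSTER_LIST."""
    if route.get("originator_id") == local_router_id:
        return False
    return local_cluster_id not in route.get("cluster_list", ())


if __name__ == "__main__":
    route = {"prefix": "15.15.15.15/32", "next_hop": "1.1.1.1"}
    for src in ("R1", "R3", "R4"):
        print(src, "->", sorted(targets_for(src)))
    sent = reflect(route, "R1")
    print("bounced to R1:", sent["R1"], "accepted by R1:", accept(sent["R1"], "1.1.1.1", "1.1.1.1"))
```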


BGP Confederations

With confederations we split one AS into several member ASes (sub-ASes), usually using private AS numbers. The private numbers come from two ranges:

16 bit / 2 byte
64512 - 65534 (65535 is reserved)

32 bit / 4 byte
4,200,000,000 - 4,294,967,294 (4,294,967,295 is reserved)

The ASes on each side of the confederation have no idea they are passing through it; they only ever see the confederation identifier. Inside, the member ASes peer with each other over confederation-eBGP sessions (which keep next hop, MED and local preference like iBGP does), and a route reflector is used inside a member AS where needed so all routes will pass.


Configuring the confederation
Our goal is to have routes flow from AS200 to AS400, it will pass through AS300 and the confederation 65100 and 65200 member AS's.

R4 (AS 200)

Inside AS300
Member AS 65100
R5 (65100)
R6 (65100)
R7 (65100)

Member AS 65200
R8  (65200)
R9  (65200)

R10 (AS400)


Setup the eBGP links on the edge of the AS's
R4 (AS200) -> R5 (AS300)
R10 (AS400) -> R9 (AS300)

Note that remote-as 300 is used since the outside routers will not know anything about the confederation

The outside routers 
R4 
router bgp 200
nei 100.200.45.5 remote-as 300


R10  
router bgp 400
nei 150.150.90.9 remote-as 300


Now config the confederation inside AS300
Config routers inside AS 300 and config the confederation AS numbers

R5 will be member AS 65100
It will appear as AS300 to its eBGP peers
It will peer eBGP with R4 in AS 200
It will peer iBGP with R6 in 65100
It will peer confederation-eBGP with R8 in 65200 (bgp confederation peers tells it 65200 is inside the same confederation)

R5
router bgp 65100
bgp confederation identifier 300
bgp confederation peers 65200
nei 100.200.45.4 remote-as 200
nei 10.0.56.6 remote-as 65100
nei 10.0.58.8 remote-as 65200


R8
router bgp 65200
bgp confederation identifier 300
bgp confederation peers 65100
nei 10.0.58.5 remote-as 65100
nei  10.0.89.9 remote-as 65200


R6 is in member AS 65100
It will appear as AS300 to its eBGP peers
It will reflect routes to R5 and R7

R6 
router bgp 65100
bgp confederation identifier 300
nei 10.0.56.5 remote-as 65100
nei  10.0.67.7 remote-as 65100
nei 10.0.56.5 route-reflector-client
nei 10.0.67.7 route-reflector-client


We know that iBGP won't forward the prefixes by default unless we use a route reflector, we can set them as route-reflector clients
R5 <-> R6 <-> R7

R7
router bgp 65100
bgp confederation identifier 300
bgp confederation peers 65200
nei  10.0.67.6 remote-as 65100
nei  10.0.79.9 remote-as 65200


R9 is on the edge connecting to R10 (AS400)
R9 
router bgp 65200
bgp confederation identifier 300
bgp confederation peers 65100
nei  150.150.90.10 remote-as 400
nei  10.0.89.8 remote-as 65200
nei  10.0.79.7 remote-as 65100


Check the results on R9
show bgp ipv4 unicast summary

We should see the eBGP  connection to AS 400
iBGP connection to 10.0.89.8 (65200)
iBGP connection to 10.0.79.7 (65100)

Bring a route in to test on R10

conf t
interface loopback1
ip add 10.10.10.10 255.255.255.255

router bgp 400
network 10.10.10.10 mask 255.255.255.255

Check results on R9
show bgp ipv4 unicast

The route made it into the routing table with a next hop of R10
*> 10.10.10.10/32 150.150.90.10

Check results on R7
It hasn't changed the next hop address
*> 10.10.10.10/32 150.150.90.10

Set next-hop-self on R9
R9
conf t
router bgp 65200
nei 10.0.79.7 next-hop-self

Check results on R7
Now we see the route with the next hop changed
*> 10.10.10.10/32 10.0.79.9

Now we have the route coming in from R10 -> R9 -> R7, R6 we have set as route reflector  

R10 <-> R9 <-> R7 <-> R6 <-> R5

R7, R6, R5 are all in the same member AS 65100. It's likely they will have an IGP running like OSPF

Enable OSPF on R7, R6, R5 and bring in all networks
conf t
router ospf 1
network 0.0.0.0 0.0.0.0 area 0

Check results on R6
show bgp ipv4 unicast
We see the route there and next hop set because it knows about the network from OSPF
*> 10.10.10.10/32 10.0.79.9

This route should also have been reflected to R5 
nei 10.0.56.5 route-reflector-client

Check results on R5
show bgp ipv4 unicast
We see the route as expected
*> 10.10.10.10/32 10.0.79.9

R5 should have advertised this route out to its eBGP peer R4 but changed the next hop address

Check results on R4
show bgp ipv4 unicast
We see the route with the next hop set to R5
*> 10.10.10.10/32 100.200.45.5


BGP filtering

Usually for service providers and carriers
Most SPs won't accept anything longer (more specific) than a /24

We need to summarise routes before we send them out

Verify we are advertising
show bgp ipv4 unicast

* = valid
> = best 
The next hop of 0.0.0.0 means we are the ones advertising it
*> 1.1.1.1/32 0.0.0.0

Below we see 10.10.10.10/32 is advertised by the next hop 10.100.24.4
We also see i for internal 
*>i 10.10.10.10/32 10.100.24.4

We will also see the AS path on the right hand side
300 200 100 i

If we send 
1.1.1.1
1.1.1.2
1.1.1.3
1.1.1.4

And they all take the same path then why don't we summarise it

conf t
router bgp 100
aggregate-address 1.1.1.0 255.255.255.240

Now we see 1.1.1.0/28 being advertised
It will create a route to null0 for the summary
The most specific route wins, so if traffic arrives for 1.1.1.1 it won't be dropped by the null0 route because we have a more specific route for that.

We are now sending the four networks and the summary network. We need to get rid of the others.

conf t
router bgp 100
aggregate-address 1.1.1.0 255.255.255.240 summary-only

The summary-only keyword suppresses the more specific prefixes.

By default the aggregate is advertised as if we originated it, with an empty AS path; the AS numbers of the component routes are lost and with them BGP's loop protection. Adding as-set keeps the component AS numbers in the aggregate's AS path
conf t
router bgp 100
aggregate-address 1.1.1.0 255.255.255.240 summary-only as-set

LAB

show bgp ipv4 unicast

Distribute list

Create an ACL to select the routes to filter
Remember there is an implicit deny, so we need a permit at the bottom to allow everything else
ip access-list extended FILTER4
deny ip 1.1.1.4 0.0.0.0 host 255.255.255.255
permit ip any any

1.1.1.4 0.0.0.0 is a host address that matches 1.1.1.4

In distribute list we can use the destination part to say how specifically the subnet mask has to match
so host 255.255.255.255 means it has to match a /32 exactly

Another example
deny ip 1.1.1.0 0.0.0.255 host 255.255.255.255
This would match any network 1.1.1.0 - 1.1.1.255 whose subnet mask is /32

So distribute lists can use the destination fields of ACL 

Apply the distribute list under the BGP router process using the ACL we created to select the routes. We can apply it inbound or outbound depending on whether we want to block routes coming in or leaving us. In this case we want to block routes going out

conf t
router bgp 100
nei 100.100.24.4 distribute-list FILTER4 out

Now 1.1.1.4 is blocked on the way out of this router. We might have other exit points from our network, for example a secondary router. We would need to block it there as well

Same config on the other router, except for the BGP neighbor

ip access-list extended FILTER4
deny ip 1.1.1.4 0.0.0.0 host 255.255.255.255
permit ip any any

conf t
router bgp 100
nei 100.100.34.4 distribute-list FILTER4 out


Prefix lists

Select the traffic, don't forget the permit at the end
ip prefix-list FILTER1 deny 1.1.1.0/24 ge 32
ip prefix-list FILTER1 permit 0.0.0.0/0 le 32

Filters all networks inside 1.1.1.0/24 that have a mask greater than or equal to /32, so 1.1.1.1/32 etc

Apply the prefix-list under the BGP router process
conf t
router bgp 100
nei 100.100.24.4 prefix-list FILTER1 out
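The ge/le rules of a prefix-list and the "destination field matches the mask" rule of an ACL used as a distribute-list are easy to get backwards, so here is the matching logic written out in Python. This is an added example, not Cisco code or anything from the original notes; FILTER1 and FILTER4 are the constructed policies from the two sections above, and the IOS semantics it implements are first-match-wins with an implicit deny at the end.

```python
import ipaddress

# Added example (not Cisco code): the matching rules behind an IOS prefix-list
# entry (prefix plus optional ge/le) and behind the extended-ACL form a BGP
# distribute-list uses, where the ACL source matches the route's network and the
# ACL destination matches its subnet mask. First match wins; implicit deny.


def _as_int(addr):
    return int(ipaddress.ip_address(str(addr)))


def prefix_entry_matches(entry, candidate, ge=None, le=None):
    """True if route `candidate` ('1.1.1.4/32') matches prefix-list entry
    `entry` ('1.1.1.0/24') with optional ge/le prefix-length bounds."""
    net = ipaddress.ip_network(entry, strict=False)
    cand = ipaddress.ip_network(candidate, strict=False)
    if not cand.subnet_of(net):       # the entry's own bits must match exactly
        return False
    low = ge if ge is not None else net.prefixlen
    if le is not None:
        high = le
    elif ge is not None:
        high = net.max_prefixlen      # "ge N" alone means N up to /32
    else:
        high = net.prefixlen          # no ge/le: the exact length only
    return low <= cand.prefixlen <= high


def prefix_list_permits(entries, candidate):
    """entries: [(action, prefix, ge, le), ...] in sequence-number order."""
    for action, prefix, ge, le in entries:
        if prefix_entry_matches(prefix, candidate, ge, le):
            return action == "permit"
    return False                      # implicit deny at the end of the list


def _wildcard_match(value, pattern, wildcard):
    """IOS wildcard mask semantics: a 1 bit in the wildcard is 'don't care'."""
    care = 0xFFFFFFFF ^ _as_int(wildcard)
    return (_as_int(value) & care) == (_as_int(pattern) & care)


def distribute_list_permits(aces, candidate):
    """aces: [(action, src, src_wc, dst, dst_wc), ...] from an extended ACL.
    Used as a distribute-list, src/src_wc are tested against the route's
    network address and dst/dst_wc against its mask ('host 255.255.255.255'
    therefore means 'exactly a /32')."""
    net = ipaddress.ip_network(candidate, strict=False)
    for action, src, src_wc, dst, dst_wc in aces:
        if (_wildcard_match(net.network_address, src, src_wc)
                and _wildcard_match(net.netmask, dst, dst_wc)):
            return action == "permit"
    return False


# Constructed policies mirroring the notes above.
FILTER1 = [("deny", "1.1.1.0/24", 32, None),   # ip prefix-list FILTER1 deny 1.1.1.0/24 ge 32
           ("permit", "0.0.0.0/0", None, 32)]  # ip prefix-list FILTER1 permit 0.0.0.0/0 le 32
ANY = ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255")  # permit ip any any
FILTER4 = [("deny", "1.1.1.4", "0.0.0.0", "255.255.255.255", "0.0.0.0"),      # deny 1.1.1.4 /32 exactly
           ANY]

if __name__ == "__main__":
    for route in ("1.1.1.4/32", "1.1.1.0/28", "1.1.1.3/32", "10.10.10.10/32"):
        print(route, "FILTER1:", prefix_list_permits(FILTER1, route),
              "FILTER4:", distribute_list_permits(FILTER4, route))
```

Note that 1.1.1.0/28 passes FILTER1: the deny line only matches lengths of /32 and above, so a summary of the same block gets through, which is exactly why ge/le need thought before they go on a production filter.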

AS ACLs
We can filter routes that come in/out from certain AS numbers

show bgp ipv4 unicast

With no other policy the best path is the one with the shortest AS path (fewest AS hops)

RegEx (regular expressions)
We can select AS using RegEx (regular expression)
We can test it out with the following command

show bgp ipv4 unicast regexp 100
That will find any AS path containing the characters 100

Similar
show bgp ipv4 unicast regexp 200
Notice we see AS200 but also AS65200 because 65200 also has a 200 in it

We can be more specific 

show bgp ipv4 unicast regexp ^200

The ^ means the AS path begins with 200
So it will find AS paths starting with 200 but also 2001

If we look for 
show bgp ipv4 unicast regexp ^300
But 300 is the second hop it won't show up because the line starts 200 300

We can use _ which matches an AS boundary: a space, or the start or end of the path (also a comma, brace or parenthesis)

show bgp ipv4 unicast regexp _300
We will find paths containing an AS number that starts with 300, anywhere in the path

We can make it more specific
show bgp ipv4 unicast regexp _300_

We can use the underscore with the caret
show bgp ipv4 unicast regexp ^200_
Now we will only find AS paths starting with exactly 200; 2001 will not be selected

We can also identify the end of the string with $
show bgp ipv4 unicast regexp _300$
Here we will find paths that end in 300 only; 3001 will not be selected

show bgp ipv4 unicast regexp [14]00
This one will match 100 or 400. The brackets [14] mean 1 or 4

show bgp ipv4 unicast regexp [1-4]00
We can use a range too 1 - 4 so 100 200 300 400 would be selected

show bgp ipv4 unicast regexp .
full stop or period matches any character 

show bgp ipv4 unicast regexp _...$
This one selects paths whose last AS is exactly 3 characters long (three dots between a boundary and the end)

So we use Regex to select the traffic and then use it in an AS ACL

conf t
ip as-path access-list 1 deny ^400$
ip as-path access-list 1 permit .*
router bgp 65200
nei 150.150.90.10 filter-list 1 in

The permit .* line matters: an as-path access-list has an implicit deny at the end, so with only the deny line the filter-list would drop every route from that neighbor

show bgp ipv4 unicast 

Now we no longer see routes coming in from AS400
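The underscore is the only thing that makes IOS AS-path regexps different from ordinary regular expressions, so the patterns above can be checked offline by translating it. The block below is an added example, not part of the original notes or of IOS: it translates an IOS pattern into a Python one, runs it over a constructed list of AS_PATH strings, and evaluates an as-path access-list with the implicit deny, which shows why a deny-only filter-list empties the table.

```python
import re

# Added example (not Cisco code): IOS AS-path regular expressions evaluated in
# Python. The one IOS-specific token is "_", which matches any AS boundary:
# start or end of the path, a space, a comma, a brace or a parenthesis.
AS_BOUNDARY = r"(?:^|$|[ ,{}()])"

# Constructed AS_PATH strings as 'show bgp ipv4 unicast regexp' sees them
# (the origin code i/e/? is not part of the attribute, so it is not matched).
PATHS = ["200 300", "2001 300", "200 3001", "65200", "100 400", "300",
         "200 65200 400", ""]          # "" = a path we originated ourselves


def ios_regex(pattern):
    """Compile an IOS AS-path regex, translating '_' to an AS boundary."""
    return re.compile(pattern.replace("_", AS_BOUNDARY))


def match_paths(pattern, paths=PATHS):
    """Paths that 'show bgp ipv4 unicast regexp <pattern>' would list."""
    rx = ios_regex(pattern)
    return [p for p in paths if rx.search(p)]


def as_path_acl_permits(entries, path):
    """Evaluate an 'ip as-path access-list': entries are (action, regex) in
    order, first match wins, and like every IOS list it ends in an implicit
    deny, so a list containing only deny lines filters every route."""
    for action, pattern in entries:
        if ios_regex(pattern).search(path):
            return action == "permit"
    return False


if __name__ == "__main__":
    for pat in ("200", "^200", "^200_", "_300", "_300_", "_300$", "[14]00", "_...$"):
        print(f"{pat:8}", match_paths(pat))
    # The filter-list from the notes: without a trailing permit it blocks all.
    print(as_path_acl_permits([("deny", "^400$")], "200 300"))                   # False
    print(as_path_acl_permits([("deny", "^400$"), ("permit", ".*")], "200 300"))  # True
```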

Route maps

Route maps will probably be the tool you use the most as a BGP engineer.

show bgp ipv4 unicast 

Lets take the situation where R2 and R3 are both connected to R1. 
R2 has a fastEthernet (slow) port
R3 has a gigabit (faster) port

We want to control our routes so they take the faster path via R3 -> R1

Make prefix list to select the traffic
conf t
ip prefix-list FILTER4 permit 1.1.1.4/32
ip prefix-list SET3 permit 1.1.1.3/32

Make route-maps to perform the action (deny 1.1.1.4)
route-map R2route deny 10
match ip address prefix-list FILTER4
exit
route-map R2route permit 20

seq 10 will deny the traffic matched by FILTER4 (1.1.1.4)
seq 20 will allow everything else
There is an implicit deny

Apply route-map to neighbors
Route-maps are applied on a neighbor by neighbor basis

conf t
router bgp 200
nei 100.100.24.2 route-map R2route in
exit

Make another route-map to set the weight on 1.1.1.3
route-map R3route deny 10
match ip address prefix-list FILTER4
exit
route-map R3route permit 20
match ip address  prefix-list SET3
set weight 100
exit
route-map R3route permit 30

Weight is 0 on a learned route, so 100 is higher and therefore preferred
Don't forget your permit all at the end
There is an implicit deny

Apply route-map to neighbors

conf t
router bgp 200
nei 100.100.34.3 route-map R3route in
end

Check results
show bgp ipv4 unicast

Sometimes you will see the routes still in there after applying route-maps. We can do a soft reset.

Hard reset - tears down the adjacency
clear bgp ipv4 unicast 100.100.24.2

Soft reset - just re-applies policies without dropping the session
clear bgp ipv4 unicast 100.100.34.4 in


BGP decision making process

BGP uses a series of factors to choose the best path

Remember the NLRI (Network Layer Reachability Information) is the prefix + attributes. It's these attributes that BGP uses to select the best path

Weight
Can only be set on the router it comes in on; it is never sent to any peer. So set it inbound from eBGP neighbors.
Higher weight is better
Default weight is 0, so anything bigger is better

Lets go back to the issue of R2 being the slow path

ip prefix-list FILTER1 permit 1.1.1.0/24 ge 32
route-map R3WEIGHT  permit 10
match ip address prefix-list FILTER1
set weight 100
exit
route-map R3WEIGHT  permit 20
exit

conf t
router bgp 200
nei 100.100.34.3 route-map R3WEIGHT in
end

Do soft reset 
clear bgp ipv4 unicast 100.100.34.3 in

Check results
show bgp ipv4 unicast
Now we see all the 1.1.1..x routes are preferring the next hop R3 100.100.34.3 because weight is 100.


Local preference 
Weight is set per router. Doing that on every router in the AS gets complex. In iBGP the default weight is 0 on all routers, so the next thing BGP looks at is local preference.

Local preference tells the whole AS which exit to use; it is carried between iBGP peers but never sent to an eBGP peer.
By default local preference is 100
To make a path preferred it needs to be greater than 100

conf t
interface loopback1
ip add 4.4.4.4 255.255.255.255

router bgp 200
network 4.4.4.4 mask 255.255.255.255
end

No local preference arrives from eBGP. iBGP will default it to 100.

ip prefix-list 4ROUTE permit 4.4.4.4/32
route-map R4ROUTE permit 10
match ip add prefix-list 4ROUTE
set local-preference 200
exit
route-map R4ROUTE permit 20

router bgp 100
nei 100.100.34.4 route-map R4ROUTE in

Do soft reset 
clear bgp ipv4 unicast 100.100.34.4 in

Now R3 prefers the route with next hop 100.100.34.4 (R4), LocPrf 200, and advertises it to the rest of AS 100
On R1 the route to 4.4.4.4 now points via R3

R2 is serving as a route reflector 
R1 is route reflector client 
R3 is sending preferred route 
R2 withdraws its route and then sends the preferred route to all the route reflector clients

Locally originated routes and AIGP

Look at the inbound NLRI: if this router originated the prefix itself it will pick its own path, shown with next hop 0.0.0.0.

We originate a prefix with a network statement, redistribution or an aggregate-address (summary)

AIGP (Accumulated IGP metric attribute)

If we are a service provider and we control multiple AS numbers like AS 100, 200, 300 we can control the IGP that is running inside them

Each router in the path needs to agree to use AIGP
For example we will have all our routers running OSPF
They can pass this metric on from one AS to the next

conf t 
router bgp 100
neighbor 100.100.34.4 aigp

We would see "AIGP enabled" in the capabilities

AS Path

This might be the most important. If we don't change anything else the AS Path will be used. The AS Path hop count

Sample paths
200 600 500 i
300 500 i
800 400 700 500 i

In this case 300 500 i will be chosen as the best path because it has the shortest AS hop count

We can make an AS path look worse by using a route-map to prepend extra AS hops outbound (AS path prepending).

Origin Code and MED

There are three origins

1 i = IGP, the prefix was originated with a network statement
2 e = EGP, learned from the obsolete Exterior Gateway Protocol (almost impossible to find today)
3 ? = incomplete, a redistribution occurred somewhere along the way

Normally we would not want to redistribute our OSPF internal routes into BGP but for a lab exercise 

router bgp 100
redistribute ospf 1 metric 30
(in BGP the metric keyword sets the MED; the five-value metric form belongs to EIGRP)
end

In show bgp ipv4 unicast we see the redistributed routes with origin code ?

i wins over e, which wins over ?

MED (Multi exit discriminator)

The MED of 30 was set when the routes were redistributed. MED is passed to the neighboring AS but that AS will not carry it further when it re-advertises the route; it is a hint to a directly connected AS about which entry point to use.

A router can learn two routes, one with a MED and one without.

By default IOS treats a missing MED as 0, the best possible value, so the rule of thumb is that routes without a MED are preferred (bgp bestpath med missing-as-worst flips this).

If both have a MED, the lowest wins. By default MEDs are only compared between paths from the same neighboring AS.

Redistributed routes will show with the ?

eBGP vs iBGP

eBGP vs iBGP learned routes

R4 has eBGP connections to R2 and R3 (R4 is the service provider)
R2 and R3 have eBGP connections to R4 (the SP)
R2 and R3 have iBGP to each other

If R4 advertises its loopback 4.4.4.4 down to R2 and R3
R2 will learn about 4.4.4.4 from R4 (eBGP) and R3 (iBGP)
R3 will also learn about 4.4.4.4 from R4 (eBGP) and R2 (iBGP)

eBGP-learned paths are preferred over iBGP-learned paths at this step

R4 (advertise loopback)
conf t
router bgp 200
network 4.4.4.4 mask 255.255.255.255

sh bgp ipv4 unicast 

     Network       Next Hop       Metric  LocPrf  Weight
* i  4.4.4.4/32    100.100.34.4        0     100       0
*>   4.4.4.4/32    100.100.24.4        0               0

Here we see the internal route i via R3 did not get the > for the best path. 
We see the best path > but no i seen, this is the eBGP path to R4
Notice in the other metrics
metric is 0 (matches both)
Local pref is 100 on R3 route
Local pref is blank on R4 route but this is defaulted to 100 so they actually match
Weight is 0 for both

eBGP beats iBGP so thats why the R4 path won

Remaining attributes

There are 5 attributes remaining, they are really used as tiebreakers

Lowest IGP metric to the BGP next hop
OSPF will choose its shortest path to the next hop

Oldest eBGP learned route (probably most stable)

Lowest nei router-ID 

How to see the router ID
show bgp ipv4 uni nei 172.16.12.1
We will see "remote router ID 1.1.1.4"

If no router-id is configured, the highest loopback address is used, or failing that the highest address on a physical interface

Best practice to set your router ID

router bgp 100
bgp router-id 2.2.2.4

Changing the router-id will cause a hard reset on your BGP sessions

Minimum cluster list length

Set on a route reflector as it reflects a route (each reflector prepends its cluster-id to the CLUSTER_LIST)
If a path has taken more reflector hops than another, the path with the shorter cluster list wins

Lowest neighbor address
If there is nothing else to decide the tiebreak BGP will use the lowest neighber address. 1.1.1.1 wins over 2.2.2.2

BGP attributes and best path selection summary

  • Weight (used inbound on that specific router)
  • Local preference (use outbound, travels through the AS)
  • Originator and AIGP (If we sent it, use our path, AIGP can be controlled by SPs)
  • AS Path (AS hop count)
  • Origin Code and MED (metric used in redistribution)
  • eBGP vs iBGP (eBGP wins by default)

(tiebreakers)
  • Lowest IGP metric (OSPF best path for example)
  • Oldest eBGP learned route (probably the most stable)
  • Lowest neighbor router-ID  (setting router-id is best practice and can cause resets when changed)
  • Minimum cluster list length (route reflector hops)
  • Lowest neighbor address (Final decider is simple lowest neighbor address)
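The list above is the order IOS walks, but the two conditions that trip people up are that MED is only compared between paths from the same neighbouring AS and that "oldest path" only applies when every remaining candidate is eBGP. The block below is an added example, not Cisco code or part of the original notes: it runs that decision process over constructed candidate paths for the scenarios in these notes (R2 seeing 4.4.4.4 via eBGP and via R3, the R3WEIGHT and local-preference route-maps, and the R4 tie that came down to router-id). The Path fields, step names and scenario functions are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example (not Cisco code): the BGP best-path decision process from the
# summary above, run over constructed candidate paths for one prefix.

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}     # IGP < EGP < incomplete


@dataclass
class Path:
    next_hop: str
    weight: int = 0                 # Cisco-local, default 0
    local_pref: int = 100           # default 100, never sent to eBGP peers
    locally_originated: bool = False
    as_path: tuple = ()             # e.g. ("300", "500")
    origin: str = "i"
    med: Optional[int] = None       # None = attribute missing
    ebgp: bool = True               # learned from an eBGP peer?
    igp_metric: int = 0             # IGP cost to reach next_hop
    age: int = 0                    # seconds this path has been known
    router_id: str = "0.0.0.0"      # advertising neighbour's router-id
    cluster_list_len: int = 0
    neighbor_addr: str = "0.0.0.0"


def _narrow(paths, key, prefer_low):
    """Keep only the candidates with the best value of key()."""
    values = [key(p) for p in paths]
    best = min(values) if prefer_low else max(values)
    return [p for p in paths if key(p) == best]


def best_path(paths, missing_med_as_worst=False):
    """Return (winning Path, name of the step that decided it)."""
    cands = list(paths)
    steps = [
        ("weight", lambda p: p.weight, False),
        ("local_pref", lambda p: p.local_pref, False),
        ("locally_originated", lambda p: p.locally_originated, False),
        ("as_path_length", lambda p: len(p.as_path), True),
        ("origin", lambda p: ORIGIN_RANK[p.origin], True),
    ]
    for name, key, low in steps:
        cands = _narrow(cands, key, low)
        if len(cands) == 1:
            return cands[0], name
    # MED is only compared between paths from the same neighbouring AS
    # (no 'bgp always-compare-med' here). A missing MED counts as 0, the
    # best value, unless 'bgp bestpath med missing-as-worst' is configured.
    if len({p.as_path[:1] for p in cands}) == 1:
        missing = 4294967295 if missing_med_as_worst else 0
        cands = _narrow(cands, lambda p: missing if p.med is None else p.med, True)
        if len(cands) == 1:
            return cands[0], "med"
    for name, key, low in [("ebgp_over_ibgp", lambda p: p.ebgp, False),
                           ("igp_metric", lambda p: p.igp_metric, True)]:
        cands = _narrow(cands, key, low)
        if len(cands) == 1:
            return cands[0], name
    if all(p.ebgp for p in cands):           # "oldest" only applies to eBGP paths
        cands = _narrow(cands, lambda p: p.age, False)
        if len(cands) == 1:
            return cands[0], "oldest_ebgp"
    tiebreaks = [
        ("router_id", lambda p: int(ipaddress.ip_address(p.router_id)), True),
        ("cluster_list_length", lambda p: p.cluster_list_len, True),
        ("neighbor_addr", lambda p: int(ipaddress.ip_address(p.neighbor_addr)), True),
    ]
    for name, key, low in tiebreaks:
        cands = _narrow(cands, key, low)
        if len(cands) == 1:
            return cands[0], name
    return cands[0], "neighbor_addr"


# Constructed scenarios from the notes (values are assumptions for the example).
def scenario_ebgp_vs_ibgp(r3_weight=0, r3_local_pref=100):
    """R2 in AS 100 sees 4.4.4.4/32 from R4 (eBGP) and via R3 (iBGP)."""
    via_r4 = Path("100.100.24.4", as_path=("200",), ebgp=True,
                  router_id="4.4.4.4", neighbor_addr="100.100.24.4")
    via_r3 = Path("100.100.34.4", weight=r3_weight, local_pref=r3_local_pref,
                  as_path=("200",), ebgp=False, router_id="3.3.3.3", neighbor_addr="3.3.3.3")
    best, step = best_path([via_r3, via_r4])
    return best.next_hop, step


def scenario_two_ebgp_tie():
    """R4 in AS 200 sees 1.1.1.4/32 from R2 and R3, identical attributes."""
    via_r2 = Path("100.100.24.2", as_path=("100",), router_id="2.2.2.2", neighbor_addr="100.100.24.2")
    via_r3 = Path("100.100.34.3", as_path=("100",), router_id="3.3.3.3", neighbor_addr="100.100.34.3")
    best, step = best_path([via_r3, via_r2])
    return best.next_hop, step


def scenario_as_path():
    paths = [Path("10.0.0.1", as_path=("200", "600", "500")),
             Path("10.0.0.2", as_path=("300", "500")),
             Path("10.0.0.3", as_path=("800", "400", "700", "500"))]
    best, step = best_path(paths)
    return best.as_path, step


def scenario_med(missing_med_as_worst=False):
    """Two paths from the same neighbouring AS, one with a MED and one without."""
    paths = [Path("10.0.0.1", as_path=("200",), med=None, router_id="2.2.2.2"),
             Path("10.0.0.2", as_path=("200",), med=30, router_id="1.1.1.1")]
    best, step = best_path(paths, missing_med_as_worst)
    return best.next_hop, step


if __name__ == "__main__":
    print(scenario_ebgp_vs_ibgp(), scenario_ebgp_vs_ibgp(r3_weight=100))
    print(scenario_two_ebgp_tie(), scenario_as_path(), scenario_med())
```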

BGP troubleshooting

Goal is to ping from 10.10.10.10 (AS 400) to 1.1.1.4 (AS 100)
This will pass through AS 300 which has a confederation and AS 200
We want it to take the most optimal path too

Basic connectivity checks
show ip int br
ping 1.1.1.4 source loopback1
traceroute 1.1.1.4
show ip route

We can't ping, trace fails and we have no route for 1.1.1.4

Check R1 is advertising the route
show ip int br
loopback1 is up

Check if we are advertising to our neighbor
show bgp ipv4 uni nei 172.16.12.2 advertised-routes
We are not

sh run | sec bgp
We don't have a network statement

Advertise the route on R1 (AS 100)
conf t 
router bgp 100
network 1.1.1.4 mask 255.255.255.255

We now see it flowing, try the traceroute again.

We made it to R9 and it stops

Check R9 

show bgp ipv4 uni summary
We don't see it

Check the BGP config we see
no bgp default ipv4-unicast

That stops neighbors being activated in the IPv4 unicast address family by default
So we need to configure the neighbor and also go under address-family ipv4 and activate it

Fix the issue on the R7-R9 link (the lines below are the 65100 side, R7; R9's side needs its 10.0.79.7 neighbor activated under the address family the same way)

We have this command existing
no bgp default ipv4-unicast

conf t
router bgp 65100
neighbor 10.0.79.9 remote-as 65200

address-family ipv4
neighbor 10.0.79.9 activate

Check the trace again
We made it but didn't take the optimal path

Path we want
R1 -> R2 -> R3 -> R4

R3 didn't get the routes
R2 need to be route reflector 

Make R2 a route reflector by setting R1 as reflector client
conf t
router bgp 100
nei 172.16.12.1 route-reflector-client

Check the trace again
traceroute 1.1.1.4 source loopback1
Looks good now


BGP troubleshooting LAB2

Same goal but direction is reversed from 1.1.1.4 to 10.10.10.10
There would be a different set of issues

Basic connectivity checks
show ip int br
ping 10.10.10.10 source loopback1
traceroute 10.10.10.10
show ip route

Check we are advertising it with neighbor
show bgp ipv4 unicast nei 150.150.90.10 advertised-routes
We see we are advertising 10.10.10.10/32 with next hop of 0.0.0.0

Check show ip route
We see we do have a route towards 1.1.1.4 from R10

Trace from R4
traceroute 1.1.1.4 source loopback1

Connection is stopping at R8

Not making it through the confederation

R9 has errors for wrong AS
R9 config looks good
Check R7 

sh run | sec bgp
router bgp 65100
bgp confederation identifier 300
neighbor 10.0.67.6 remote-as 65100
neighbor 10.0.79.9 remote-as 65200

We are missing the bgp confederation peers statement, fix it on R7
conf t
router bgp 65100
bgp confederation peers 65200

Trace from R10 again
Trace makes it but still doesn't take the optimal path

Check R4
show bgp ipv4 unicast
We see R2 is preferred

We don't see any metric, local pref, or weight set.
Path is 100 i for both

Looks like it came down to the lowest router ID 2.2.2.2 beats 3.3.3.3

We can fix it with a route-map but lets check R2, we see a local preference set there. We can do the same on R3

R3

Create prefix list
conf t
ip prefix-list 10LOCPREF permit 10.10.10.10/32

Create route map, attach prefix list, set local pref, permit rest
route-map R3LOCPREF permit 10
match ip address prefix-list 10LOCPREF
set local-preference 200
route-map R3LOCPREF permit 20
exit

Apply route-map to neighbor in BGP config
router bgp 100
nei 100.100.34.4 route-map R3LOCPREF in

Soft reset
clear bgp ipv4 uni 100.100.34.4 in


Trace from R1 -> R10 as this was the original goal
traceroute 10.10.10.10 source loopback1
Traffic flows as we want now

Bonus trace from R10 -> R1 we see it takes a different path on the way back
We can use AS path to make it go the way we want on R4

Make an as-path access-list with a regex to select paths starting with 100 followed by a boundary
conf t
ip as-path access-list 1 permit ^100_

Make a route map to select those paths with the as-path list and set the weight to 100
Allow the rest
route-map PREF3 permit 10
match as-path 1
set weight 100
route-map PREF3 permit 20
exit

Apply it inbound on R4's session to R3 (the neighbor the soft clear below refers to)
router bgp 200
nei 100.100.34.3 route-map PREF3 in

Soft inbound clear
clear bgp ipv4 uni 100.100.34.3 in

R10 -> R1 is now working how we want.



MPLS operations

Multi Protocol Label Switching (MPLS)

Lets focus on service provider networks in side their network

Enable MPLS
conf t
mpls ip

Enable MPLS on the interfaces connected to neighbors
interface gig0/0 
mpls ip

Each router looks at its routing table and allocates a local label for every prefix ("label 200 isn't in use, I'll use it").
Each router then shares its prefix-to-label bindings with its neighbors via LDP

Label Distribution Protocol (LDP)
Shared with directly connected neighbors 

R1 and R2 know about each other routes + labels
R2 and R3 know about each other routes + labels
R3 and R4 know about each other routes + labels
and so on

Lets take R4 has a network 4.4.4.4 
route network label
R1 4.4.4.4 167
R2 4.4.4.4 209
R3 4.4.4.4 325
R4 4.4.4.4 

If R1 wants to send to 4.4.4.4 it pushes R2's label 209 onto the packet (the MPLS header sits between layer 2 and layer 3, hence "layer 2.5")
R2 gets that, swaps 209 for R3's label 325 and forwards the packet
R3 pops the label and forwards the plain IP packet to R4

When we enable MPLS routers
  • Generate local labels
  • Share labels
  • Build LFIB so all the information is ready to go
  • Forwarding based on labels
LSP = label switched path
Routers are LSRs, label switch routers


MPLS troubleshooting

For MPLS to work we need IP routing to be up and working first

Enable globally
conf t
mpls ip

Enable under interface (provider network)
interface gig0/0
mpls ip

We can control the range of labels to make it easier to troubleshoot. In the real world you will find routers using the same local label values, which is fine because labels are only locally significant

R1
conf t
mpls label range 100-199

R2
conf t
mpls label range 200-299

R3
conf t
mpls label range 300-399

R4
conf t
mpls label range 400-499

Show local labels 
show mpls ldp bindings
show mpls ldp bindings 4.4.4.4 32

We will see local binding label 202 (our label)
and 
remote binding: lsr 1.1.1.1:0, label: 102 (other routers label)

On R4 who is directly connected to 4.4.4.4 we run 
show mpls ldp bindings 4.4.4.4 32
We don't see a local label, we see imp-null
This is implicit null: for a directly connected prefix the router doesn't generate a normal label, it advertises the reserved imp-null label (value 3), which tells the upstream router to pop the label before forwarding

show mpls forwarding-table

pop off label
impose or push label (put label on)

On R3 we see it just needs to pop off the label and then just forward the naked IP packet to 4.4.4.4 R4

PHP - Penultimate hop pop

In the traceroute we can see the labels
traceroute 10.44.44.44
The final packet doesn't have a label and that is because R3 took it off and sent IP packet

MPLS best path

We have two routers advertising labels for 4.4.4.4. How do we decide which to use?

Show all labels
show mpls ldp bindings

Lets look at 4.4.4.4
show mpls ldp bindings 4.4.4.4 32

We see local binding label: 202
remote binding label lsr: 1.1.1.1:0, label: 102
remote binding label lsr: 3.3.3.3:0, label: 302

Which one will we use ? R1 or R3 ?

It's based on the IP routing table
So we check the IP route for 4.4.4.4

Check the IP route
show ip route 4.4.4.4
we see next hop 10.23.0.3

show mpls ldp neighbor
here we see both neighbors
we will see the same next hop 10.23.0.3 which belongs to 3.3.3.3 or R3

We can confirm this check the winners table
show mpls forwarding-table

For the 4.4.4.4 networks we see the following
Local Label 202
Outgoing label to impose (push) 302 (R3's label)
The network prefix 4.4.4.4/32
The outgoing interface gig1/0
The next hop 10.23.0.3 (which we know belongs to R3)

Local  Outgoing  Prefix       Bytes  Outgoing   Next Hop
Label  Label     or Tunnel Id        Interface
202    302       4.4.4.4/32   0      Gi1/0      10.23.0.3

In a packet capture in Wireshark we can see the label in the MPLS header of each packet

Label switched packets are forwarded based on the MPLS label, not the IP destination.
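To tie the three sections together (LDP bindings, the LFIB built from the IP next hop, and penultimate hop pop), here is the same chain R1-R2-R3-R4 modelled in Python. This is an added example and not Cisco code or part of the original notes: the label values are the constructed ones from the ranges above (R1 1xx, R2 2xx, R3 3xx, R4 imp-null), the router names and next hops are assumptions, and the block walks a packet for 4.4.4.4/32 across the LSP, showing where the label is pushed, swapped and popped.

```python
# Added example (not Cisco code): how each LSR on the chain R1-R2-R3-R4 builds
# its LFIB entry for 4.4.4.4/32 from LDP bindings plus the IP routing table,
# and what happens to the label as a packet crosses the LSP.

IMPLICIT_NULL = 3        # the reserved label LDP advertises as "imp-null" (RFC 3032)

# Label each router allocated locally for 4.4.4.4/32 (constructed). R4 is
# directly connected, so it advertises imp-null instead of a real label.
LOCAL_BINDING = {"R1": 102, "R2": 202, "R3": 302, "R4": IMPLICIT_NULL}

# IP routing table: next hop for 4.4.4.4/32 (constructed). R2 has LDP
# neighbours on both sides and holds remote bindings from both; only the
# IP next hop decides which binding goes into the LFIB.
NEXT_HOP = {"R1": "R2", "R2": "R3", "R3": "R4", "R4": None}
LDP_NEIGHBORS = {"R1": ["R2"], "R2": ["R1", "R3"], "R3": ["R2", "R4"], "R4": ["R3"]}


def remote_bindings(router):
    """Remote bindings as listed by 'show mpls ldp bindings 4.4.4.4 32'."""
    return {n: LOCAL_BINDING[n] for n in LDP_NEIGHBORS[router]}


def lfib_entry(router):
    """The 'show mpls forwarding-table' row for 4.4.4.4/32 on this router."""
    nh = NEXT_HOP[router]
    if nh is None:
        return {"local": None, "outgoing": None, "action": "deliver", "next_hop": None}
    out = remote_bindings(router)[nh]
    action = "pop" if out == IMPLICIT_NULL else "swap"
    return {"local": LOCAL_BINDING[router], "outgoing": out, "action": action, "next_hop": nh}


def forward(router, label):
    """One LSR's treatment of a packet for 4.4.4.4/32.
    Returns (action, label on the wire after this hop, next router).
    label=None means an unlabelled IP packet, i.e. this is the ingress."""
    e = lfib_entry(router)
    if e["action"] == "deliver":
        return ("deliver", None, None)
    if label is None:
        if e["outgoing"] == IMPLICIT_NULL:       # ingress next to the egress: no label at all
            return ("ip", None, e["next_hop"])
        return ("push", e["outgoing"], e["next_hop"])
    if label != e["local"]:
        raise ValueError(f"{router}: no LFIB entry for label {label}")
    if e["action"] == "pop":                     # penultimate hop pop
        return ("pop", None, e["next_hop"])
    return ("swap", e["outgoing"], e["next_hop"])


def trace_lsp(ingress="R1"):
    """Walk the LSP and record (router, action, label on the wire after it)."""
    hops, router, label = [], ingress, None
    while router is not None:
        action, label, nxt = forward(router, label)
        hops.append((router, action, label))
        router = nxt
    return hops


if __name__ == "__main__":
    for r in ("R1", "R2", "R3", "R4"):
        print(r, "remote bindings:", remote_bindings(r), "LFIB:", lfib_entry(r))
    for hop in trace_lsp("R1"):
        print(hop)
```

The last hop in trace_lsp carries no label, which is what the traceroute above showed: R3 popped it because R4 advertised imp-null, so R4 only ever sees an IP packet.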


MPLS layer 3 VPNs

These solve a problem for service providers. Customers connect at our provider edge; behind it is our provider core. A customer has two sites and wants connectivity between them. When this scales to thousands of customers it gets complicated.

We want to provide connectivity for our customers, but we don't want to share routes or access between customers.

A layer 3 VPN is a group of routes; we generally want to keep customer 1 and customer 2 separate

All the customer needs to do is peer with the provider and all their routes show up at the other site.

CE = customer edge
PE = provider edge

Customer will have their own IGP or static routes
CE <-> PE neighborship customer will peer with us usually BGP

A provider (P) router is a router in the provider core that does not connect to customers.

We can provide a peering protocol inside a VRF

So the VRF gets tied to a customer.


What we need to make it all work
Routing PE <-> CE
Routing internally
VRF's to put our customers in
iBGP for PE for customer1 on its two PE's
Provider routers need MPLS / LDP setup to do label switching
The provider routers don't need to run BGP because they are forwarding on labels


LAB

Show the winners table
show mpls forwarding-table

Push / impose = put a label on
Swap = take a label off and put another on
pop = take a label off

imp-null = implicit null; the downstream router is directly connected, so pop the label instead of swapping it

We can see the labels in the trace route
traceroute 4.4.4.4

Highest IP on a loopback is used for LDP router ID

VRFs (Virtual Routing and Forwarding)
These are mini routing tables, one assigned to each customer

VRF1 = Customer1
VRF2 = Customer2

We assign the VRFs to the interfaces on the edge facing the customer
VRF1 = R4 gig0/0
VRF2 = R3 gig0/1

There is an export process out of the VRF into MP-BGP (Multiprotocol BGP)

All the routes get on the bus and become VPNv4 routes.
Two customers could both be using 192.168.10.0/24
We need a route distinguisher (RD) prepended to the prefix so the two copies stay unique in BGP.

The RD only makes the route unique; it does not decide which customer the route belongs to.

When the PE on the other side wants to take routes off the bus, it does not look at the RD.
It looks at the route target (RT), an extended community associated with a VRF.

Each time we export a route out of a VRF we attach a route target, e.g. 33:33; the VRF on the other PE imports routes carrying that same target. If a VRF imports a target that belongs to another customer, that customer's routes land in the wrong VRF, so the RT configuration is what keeps customers separate.

Config

RD: 11:33
RT import 11:11 / 33:33
RT export 33:33 / 11:11
(one value per PE: the target one PE exports is the target the other PE imports)

ip vrf is IPv4 only
vrf definition lets you do IPv4 or IPv6 with address-families

Cust 1 on the PE
conf t
vrf definition cust1
rd 11:33
address-family ipv4
route-target export 11:11
route-target import 33:33

Cust 2 on the same PE (the RD must be unique per VRF on a router)
conf t
vrf definition cust2
rd 22:44
address-family ipv4
route-target export 22:22
route-target import 44:44

Putting an interface into a VRF removes any IP address already on it, so set the address after vrf forwarding
int gig1/0
vrf forwarding cust1
ip address 172.16.1.1 255.255.255.0

int gig2/0
vrf forwarding cust2
ip address 172.16.4.4 255.255.255.0

Show commands
show ip vrf
show ip route
show ip route vrf cust1
show ip route vrf cust2
ping and trace are also vrf specific
ping vrf cust1 172.16.4.4
show ip vrf detail

MPLS L3 VPNs
Hundreds of routes from cust1 site 1 and site 2
Hundreds of routes from cust2 site 1 and site 2

We need to exchange the routes and keep the customers separate.

On the CE they can use what they want (OSPF, RIP, EIGRP, IS-IS, BGP)
It can be different at each site but it makes sense to use the same everywhere.

We get them from the customer and bring them into a VRF on the PE router.

Show VRFs
show ip vrf
  Name     Default RD     Interfaces
  cust1    11:33          Gi1/0
  cust2    22:44          Gi2/0

Config EIGRP for the customer's VRF on the PE
The customer will see EIGRP AS 1, not the provider's process number 100

Setup EIGRP
router eigrp 100
address-family ipv4 vrf cust1
redistribute bgp 6783 metric 1 1 1 1 1
network 0.0.0.0
autonomous-system 1
exit

6783 is the MP-BGP AS; redistributing it into the VRF address family is how the other site's routes reach this CE. The metric is required: EIGRP will not redistribute BGP routes without one.
autonomous-system 1 needs to match the AS on the customer edge (CE)


Customer edge (CE) will need to peer with the provider edge (PE)

conf t
router eigrp 1
net 0.0.0.0
exit

show ip proto
sh ip eigrp nei
sh ip route eigrp


Ping from the PE VRF
sh ip route vrf cust1
ping vrf cust1 3.3.3.3



MP-BGP

Think of it as the bus: the routes get on the bus with a route distinguisher (RD) and route targets (RT)

The VPNv4 routes are exchanged over the iBGP peering between the PEs
In our example the MP-BGP AS is 6783

Extended communities must be sent to the neighbor (send-community extended), otherwise the RTs are stripped and nothing gets imported at the far end

Import/export relates to the VRF

Redistributing the VRF's EIGRP routes into BGP is the export of the routes from that VRF

iBGP in the provider network

We assume we have the VRFs set up for the customers
CE and PEs are connected with the VRF and a routing protocol on the CE side
We have full IP reachability across the provider network (the PE loopbacks must be reachable, because they are the BGP next hops and the transport labels are bound to them)

iBGP config
router bgp 6783
nei 4.4.4.4 remote-as 6783 (same AS number, so this is an iBGP peer)
nei 4.4.4.4 update-source Loopback0
nei 4.4.4.4 next-hop-self
address-family vpnv4
nei 4.4.4.4 activate
nei 4.4.4.4 send-community extended
exit
address-family ipv4 vrf cust1
redistribute eigrp 1
exit
address-family ipv4 vrf cust2
redistribute rip

PE
router eigrp 100
address-family ipv4 vrf cust1
redistribute bgp 6783 metric 1 1 1 1 1 
net 0.0.0.0
autonomous-system 1
exit

How to see all the VPNv4 routes
show ip bgp vpnv4 all

Same as above
show bgp vpnv4 unicast all

Show all routes in the bus with RD 11:33
show bgp vpnv4 unicast rd 11:33

Summary of how it works
  • Routes from the customer CE are advertised to the PE VRF
  • The PE VRF exports them into MP-BGP; the routes become VPNv4 routes with the RD and RT added
  • Those are advertised over the iBGP neighborship between the PE routers
  • The other PE looks at the route targets (RT) and imports routes carrying its import target (33:33 in the example)
  • They are imported into the VRF on that PE
  • That VRF on the PE advertises the route to the CE on the other side
  • When we send the ping, the packet travels over the label-switched network
  • Routes are advertised via MP-BGP
  • Traffic flows via the MPLS/LDP/IP network
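Added example, not part of the original notes: a small Python model of the export, bus and import steps summarised above. The VRF names, RDs and RTs are the ones used in these notes; the customer routes (including the same 192.168.10.0/24 in both customers), the loopback 1.1.1.1 as the exporting PE and the router names are constructed for the example. It also shows what a mistyped import RT does, which is the part that matters for keeping customers apart.

```python
# Added example (not from the original notes): VRF export -> VPNv4 "bus" -> VRF import.
# RDs/RTs follow the notes; routes, the 1.1.1.1 PE loopback and names are constructed.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str                 # route distinguisher: makes the prefix unique on the bus
    prefix: str
    next_hop: str           # the exporting PE's loopback (BGP next hop)
    rts: frozenset          # route-target extended communities attached on export


@dataclass
class Vrf:
    name: str
    rd: str
    export_rts: frozenset
    import_rts: frozenset
    routes: dict = field(default_factory=dict)   # prefix -> next hop learned from the CE


def export_vrf(vrf, pe_loopback):
    """Near-end PE: each VRF route becomes a VPNv4 route carrying this VRF's RD and export RTs."""
    return [Vpnv4Route(vrf.rd, prefix, pe_loopback, vrf.export_rts) for prefix in vrf.routes]


def import_into_vrf(vrf, bus):
    """Far-end PE: a VPNv4 route is imported only if one of its RTs is in the VRF's import list.
    The RD is not consulted; it only stops the two 192.168.10.0/24 routes from colliding."""
    return {r.prefix: r.next_hop for r in bus if r.rts & vrf.import_rts}


def run(cust2_import_rts=frozenset({"22:22"})):
    """Return what lands on the bus and in each far-end VRF. cust2_import_rts is a
    parameter so the caller can see what a wrongly typed import target does."""
    # Near-end PE (loopback 1.1.1.1), RD/RT values as in the notes; routes are constructed
    near_cust1 = Vrf("cust1", "11:33", frozenset({"11:11"}), frozenset({"33:33"}),
                     {"192.168.10.0/24": "172.16.1.11", "11.11.11.11/32": "172.16.1.11"})
    near_cust2 = Vrf("cust2", "22:44", frozenset({"22:22"}), frozenset({"44:44"}),
                     {"192.168.10.0/24": "172.16.4.44"})
    bus = export_vrf(near_cust1, "1.1.1.1") + export_vrf(near_cust2, "1.1.1.1")

    # Far-end PE: mirror image of the RTs (import what the near end exported)
    far_cust1 = Vrf("cust1", "11:33", frozenset({"33:33"}), frozenset({"11:11"}))
    far_cust2 = Vrf("cust2", "22:44", frozenset({"44:44"}), cust2_import_rts)
    return {
        "bus": sorted((r.rd, r.prefix) for r in bus),      # both 192.168.10.0/24 copies survive
        "cust1_far": import_into_vrf(far_cust1, bus),
        "cust2_far": import_into_vrf(far_cust2, bus),
    }


if __name__ == "__main__":
    print(run())
    # Misconfiguration: cust2 imports cust1's export target, so cust1's routes leak into cust2
    # and cust2's own routes are no longer imported at all.
    print(run(cust2_import_rts=frozenset({"11:11"})))
```

The bus keeps two entries for 192.168.10.0/24 because the RDs differ, while each far-end VRF ends up with exactly one copy because only one RT matches; the second call shows the leak that a wrong import target causes, which is why RT changes on a shared PE deserve a review.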
Show all the VPNv4 labels for a VRF
show bgp vpnv4 unicast vrf cust1 labels

Network             Next Hop        In label/Out label
11.11.11.11/32      172.16.1.11     105/nolabel
33.33.33.33/32      4.4.4.4         nolabel/405
172.16.1.0/24       0.0.0.0         106/nolabel
(all in VRF cust1; the in label is the VPN label this PE allocated, the out label is the VPN label the remote PE allocated)

Label switching path: (R1) 1.1.1.1 -> R2 -> R3 -> (R4) 4.4.4.4

R1 imposes two labels
202 (transport label, carries the packet from one PE to the other PE)
405 (VPN label, allocated by R4 for the route inside the VRF)

Based on show bgp vpnv4 unicast vrf cust1 labels
We want to reach 33.33.33.33/32

First we apply 405 (the out label for 33.33.33.33/32, next hop 4.4.4.4)

To reach R4 (4.4.4.4)
Check show mpls forwarding-table 4.4.4.4 32
We see outgoing label 202

That's how we get top label 202, bottom label 405

R2 only looks at the top label and swaps 202 for 302
202 -> 302
405 (VPN label untouched)

R3 (penultimate hop, outgoing label imp-null)
302 -> popped off
405 (VPN label untouched)

R4
no transport label left
405 -> strip off the VPN label; it selects VRF cust1 and the CE next hop

Forward out to CE 172.16.3.33
33.33.33.33/32 172.16.3.33 405/nolabel (from R4's labels table)
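Added example, not part of the original notes: a Python walk of the label stack above through each router's LFIB, so the swap / pop / VPN-label lookup at every hop can be checked rather than read. Labels 202, 302 and 405, the loopback 4.4.4.4 and CE 172.16.3.33 come from these notes; the LFIB dictionaries are constructed from them and R1 to R4 are used as router names.

```python
# Added example (not from the original notes): the two-label stack 202/405 walked through
# constructed per-router LFIBs built from the label values shown in the notes.
IMPLICIT_NULL = 3   # "imp-null": downstream asked us to pop rather than swap (PHP)

# Per-router LFIB: incoming top label -> (action, outgoing label, next hop),
# the same information show mpls forwarding-table presents on each P router.
LFIB = {
    "R2": {202: ("swap", 302, "R3")},
    "R3": {302: ("pop", IMPLICIT_NULL, "R4")},   # penultimate hop, outgoing label imp-null
}

# Ingress PE (R1): VPN label per (vrf, prefix) from show bgp vpnv4 unicast vrf cust1 labels,
# plus the transport label toward the BGP next hop from show mpls forwarding-table.
VPN_LABELS = {("cust1", "33.33.33.33/32"): (405, "4.4.4.4")}
TRANSPORT = {"4.4.4.4": (202, "R2")}

# Egress PE (R4): locally allocated VPN label -> (vrf, CE next hop)
EGRESS = {405: ("cust1", "172.16.3.33")}


def impose(vrf, prefix):
    """R1: bottom label = VPN label, top label = transport label toward the BGP next hop."""
    vpn_label, bgp_next_hop = VPN_LABELS[(vrf, prefix)]
    transport_label, next_hop = TRANSPORT[bgp_next_hop]
    return [transport_label, vpn_label], next_hop


def switch(router, stack):
    """P router: acts on the top label only; the VPN label underneath is never inspected."""
    if stack[0] not in LFIB[router]:
        raise LookupError(f"{router}: no LFIB entry for label {stack[0]}, packet dropped")
    action, out_label, next_hop = LFIB[router][stack[0]]
    if action == "swap":
        return [out_label] + stack[1:], next_hop
    if action == "pop":
        return stack[1:], next_hop
    raise ValueError(action)


def egress(stack):
    """R4: exactly one label (the VPN label) should be left; it selects the VRF and CE."""
    if len(stack) != 1:
        raise ValueError(f"expected a single VPN label at the egress PE, got {stack}")
    return EGRESS[stack[0]]


def trace(vrf, prefix):
    """Return (stack seen leaving each router, vrf, ce) for a packet to prefix in vrf."""
    hops = []
    stack, nh = impose(vrf, prefix)
    hops.append(("R1", list(stack), nh))
    while nh in LFIB:                      # keep label switching until we leave the P routers
        router = nh
        stack, nh = switch(router, stack)
        hops.append((router, list(stack), nh))
    vrf_name, ce = egress(stack)           # nh is now the egress PE
    hops.append((nh, [], ce))
    return hops, vrf_name, ce


if __name__ == "__main__":
    for hop in trace("cust1", "33.33.33.33/32")[0]:
        print(hop)
```

Only R1 and R4 ever look at the VPN label; R2 and R3 are correct as long as their transport LFIB entries are, which is the practical meaning of a BGP-free core.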

End-to-end config
CE needs an IGP (or static routes) running
PE needs the VRF with a PE-CE protocol matching that CE
PE needs iBGP (VPNv4 address family) to advertise the routes
PE needs MPLS + LDP label switching set up
We need to configure the RD and RTs to import/export routes
When a route is exported from a VRF the RD is added to make it a unique VPNv4 route
Provider network needs IP reachability working





Enabling iBGP load sharing
maximum-paths ibgp 4 (under router bgp; BGP installs a single best path unless told otherwise)

R3 is the penultimate hop in the label-switched path: it pops the transport label and forwards to 4.4.4.4 on R4, which is directly connected.

Cisco DNA Center

SD-Access

Software-defined access, so you can move around buildings and stay on the same network. The fabric uses LISP (control plane), VXLAN (data plane) and TrustSec / SGTs (policy plane); the underlay typically runs IS-IS.

This changes the focus onto users and endpoints, instead of designing the network and looking after connectivity.

1 - Design (design the physical layout)
2 - Policy (identify users and endpoints and ACLs)
3 - Provision (discover network devices and create the SD-Access fabric)
4 - Assurance (monitor and troubleshoot)
5 - Platform (you may also have an API here depending on your

IOS-XE - Cat 3850/3650, 9k series, ISR-4400
NETCONF and RESTCONF are used to get the telemetry data from the network devices;
it comes back and is stored.

We now have a historical record of the network devices.
We can see when a user came online, where they moved, etc.
It uses machine learning to build a baseline; if something deviates from it an alert is created.

You can demo assurance on dcloud 
https://dcloud-dna-center-inst-rtp.cisco.com/dna/home
Cisco DNA Center Automation and Assurance - Instant Demo
demo/demo

This demo has simulated traffic

We see the work flows at the top

Assurance score gives health scores

On the assurance tab by default the filter in top right is in last 24 hours. This can be changed to last 7 days or go to the exact date. We can drill down onto issues.

If a user calls about an issue you can search the username and then click on User360.

Path trace is like packet tracer we give a src+dst IP and it will tell us if an ACL on a certain device blocked the traffic.

Intelligent capture - we can see their traffic live and we can get a pcap with start live capture

Troubleshooting network health
Assurance -> Dashboards -> Network health
Check the time range filter
We can look at routers, access switches, etc.

Any big red spike in the graphs would be bad.
Devices stream data into DNA Center.
We can drill down on a device and get the Device 360 view.
We can click the bars in the graphs to look at that time slice.

There are recommended actions we can click Run on to fix issues.



========================================================

Quick questions

While working with software images, an engineer observes that Cisco DNA Center cannot upload its software image directly from the device. Why is the image not uploading?
The software image for the device is in install mode

An engineer configured the wrong default gateway for the Cisco DNA center enterprise interface during the install. Which command must the engineer run to correct the configuration?
sudo maglev-config update

When provisioning a device in Cisco DNA Center, the engineer sees the error message “Cannot select the device. Not compatible with template.”. What is the reason for the error?
The tag that was used to filter the templates does not match the device tag

What is the administrative distance (AD) of a directly connected route
0

What is the administrative distance of a static route
1

What is the administrative distance of eBGP
20

What is the administrative distance of an EIGRP internal route
90

What is the administrative distance of OSPF
110

What is the administrative distance of an EIGRP external route
170

What is the administrative distance of iBGP
200

What is the administrative distance of Next Hop Resolution Protocol (NHRP)
250

Reset the bgp with a neighbor
clear bgp ipv4 unicast 150.150.90.10

What versions of OSPF are used in each version of IP
IPv6 = OSPFv3
IPv4 = OSPFv2

Stub areas and default routes
Stub area: the ABR injects a default route (it replaces the external LSAs)
Totally stubby area: only the default route comes in (inter-area routes are blocked too)
NSSA: the ABR does not inject a default route by default
Totally NSSA: gets a default route by default

The NSSA is the one that doesn't get a default route; the others do.

How to change an NSSA to a totally NSSA (so it gets a default route)
conf t
router ospf 1
area 1 nssa no-summary (on the ABR; makes it a totally NSSA)

To keep it a normal NSSA but still inject a default, use area 1 nssa default-information-originate on the ABR instead.

The MPLS header (shim) is 32 bits long.
[ label value (20 bits) ] [ Exp / Traffic Class (3 bits) ] [ BoS (1 bit) ] [ TTL (8 bits) ]
HEX: 0x00 0x00 0x7B 0x01

The first 20 bits are the label value
The next 3 bits are the Exp value used for QoS (renamed Traffic Class by RFC 5462, same bits)
The next 1 bit is the bottom-of-stack bit (BoS), set only on the last label in the stack
The last 8 bits are the TTL (decremented per hop to stop forwarding loops; when it reaches 0 the packet is dropped)
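Added example, not part of the original notes: Python that packs and unpacks the 32-bit shim header with the layout above and decodes the 0x00 0x00 0x7B 0x01 bytes quoted here (by that layout they read as label 7, Exp 5, BoS 1, TTL 1). The two-label stack used as a second input is constructed to match the 202-over-405 stack from the L3 VPN section; struct is the only module used.

```python
# Added example (not from the original notes): MPLS shim header pack/unpack, RFC 3032 layout.
import struct


def pack_mpls(label, tc, bos, ttl):
    """Build one 4-byte label stack entry in network byte order."""
    if not 0 <= label < 2 ** 20:
        raise ValueError("label is a 20-bit field")
    if not 0 <= tc < 8 or bos not in (0, 1) or not 0 <= ttl < 256:
        raise ValueError("tc is 3 bits, bos 1 bit, ttl 8 bits")
    word = (label << 12) | (tc << 9) | (bos << 8) | ttl
    return struct.pack("!I", word)


def unpack_mpls(data):
    """Split the first 4 bytes of data into label / tc (Exp) / bos / ttl."""
    (word,) = struct.unpack("!I", data[:4])
    return {"label": word >> 12, "tc": (word >> 9) & 0x7,
            "bos": (word >> 8) & 0x1, "ttl": word & 0xFF}


def unpack_stack(data):
    """Read entries until the bottom-of-stack bit is set; return them and the payload offset.
    Running out of bytes before BoS=1 means the stack is malformed, so reject it."""
    entries, offset = [], 0
    while True:
        if len(data) - offset < 4:
            raise ValueError("label stack truncated: no bottom-of-stack bit before end of data")
        entry = unpack_mpls(data[offset:offset + 4])
        entries.append(entry)
        offset += 4
        if entry["bos"]:
            return entries, offset


def stack_is_well_formed(data):
    try:
        unpack_stack(data)
        return True
    except ValueError:
        return False


SAMPLE = bytes.fromhex("00007B01")   # the bytes quoted in the notes above

# Constructed input: transport 202 over VPN 405, followed by the first IPv4 header byte (0x45)
STACK = pack_mpls(202, 0, 0, 255) + pack_mpls(405, 0, 1, 255) + b"\x45"

if __name__ == "__main__":
    print(unpack_mpls(SAMPLE))          # {'label': 7, 'tc': 5, 'bos': 1, 'ttl': 1}
    print(unpack_stack(STACK))
```

A parser that stops on the BoS bit rather than assuming a fixed stack depth is what lets the same code handle the single-label packets on the P routers and the two-label packets leaving the ingress PE.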

What is the multicast address for EIGRP
224.0.0.10

Convert HEX to binary
A9

You need to know the values for the letters. Also hex values usually start with 0x, e.g. 0xA9
A=10
B=11
C=12
D=13
E=14
F=15

For numbers we work like below
Put numbers at top 8 4 2 1
To get 9 we want 8 + 1
8421
1001

Now lets do the same for A, we know A is 10 so that's 8+2.
8421
1010

Put them together
A = 1010
9 = 1001

A9 = 10101001
0xA9 = 10101001

Something you might see is 0x00 
0x tell us its hex
The two 0's give us all zeros
0000 0000

Some more examples binary -> HEX
00000000 = 0
00000010 = 2
01010101 = 55
11110010 = F2
11111110 = FE
11111111 = FF


Bidirectional Forwarding Detection (BFD)
The timers are negotiated between the two devices; the slower side wins in each direction
R1 local desired TX interval = 100 ms
R1 local required RX interval = 200 ms
R2 local desired TX interval = 300 ms
R2 local required RX interval = 400 ms

R1
int gig1/0/1
bfd interval 100 min_rx 200 multiplier 3

R2
int gig1/0/1
bfd interval 300 min_rx 400 multiplier 4

Time between BFD packets sent from R1 is 400 ms. A router sends at max(its own desired TX, the peer's required RX), and R2 will not accept packets faster than every 400 ms. In the other direction R2 sends at max(300, 200) = 300 ms.

Floating static route (backup route)
ip route 0.0.0.0 0.0.0.0 10.2.12.2 254

254 is the largest usable administrative distance. The route is only installed when there is no other route for the prefix, which makes it a backup route.

Routes with an AD of 255 are never installed in the routing table.

0 is the most preferred value (directly connected).
1 is the default for a static route, so it should not be used for a floating static; it would beat every dynamic protocol instead of backing them up.


IP SLA operation types
show ip sla application 
Shows what kind of SLA's you can use like
  • icmpEcho
  • tcpConnect
  • dhcp
show ip sla operations
shows what operations are currently configured

show ip sla configuration
shows what operations are configured with their timeout/threshold values

show ip sla summary
shows currently configured operations, type, return code, destination and last run

BGP
neighbor 2.2.2.2 update-source loopback0
Uses the loopback address as the source, useful when we have two physical links but want the session to stay on a single IP

neighbor 2.2.2.2 ebgp-multihop
Needed when eBGP peers on loopbacks; otherwise the TTL is set to 1 and the packet is dropped when it is received by the other side, because the loopback is one hop further than the link
An alternative for directly connected peers is neighbor 2.2.2.2 disable-connected-check

Configuring eBGP between loopback addresses gives the advantage of using the available paths for backup or load balancing, which is achieved by the underlying IGP (EIGRP/OSPF) or static routes with the same administrative distance

IPv6 relay destination

Must be placed on the interface where the DHCP request will be received

The destination IP of the DHCP server is included; the egress interface is only required when the destination is a link-local address

fa0/0 is the interface where the DHCP request will be received

2001::2 is the IPv6 address of the DHCP server

interface fa0/0

ipv6 dhcp relay destination 2001::2


What port does BGP use

TCP 179


Service provider protocols used with MPLS TE

LDP - Label Distribution Protocol

RSVP - Resource Reservation Protocol

Both show up in an MPLS TE network, but they do different jobs.

LDP distributes labels for the ordinary IGP-routed LSPs between the provider routers. MPLS TE signals its tunnels with RSVP-TE, which also distributes the labels along the tunnel path, so a TE tunnel does not depend on LDP.

RSVP is a signalling protocol that reserves resources along a path for a specific sender or group of senders, so bandwidth can be allocated for a specific customer as per the agreed service level. Using these reservations together with constraint-based path computation is what is called traffic engineering.

Front door virtual routing and forwarding (FVRF)

You may see an error like "Tunnel10 temporarily disabled due to recursive routing". It appears when the route to the tunnel destination is learned through the tunnel itself.

FVRF prevents route recursion because the transport (underlay) and overlay networks are kept in separate routing tables: the tunnel source resolves its destination in the front-door VRF, so packets always use the correct exit interface.

TFTP server info from DHCPDISCOVER

The DHCPDISCOVER is sent from the IP phone to the DHCP server with source port UDP 68 and destination port UDP 67

The client listens on port 68 for DHCP replies

The DHCP server listens on port 67 for DHCP requests

The DHCPDISCOVER asks for the TFTP server by listing option 66 in its parameter request list

The server replies with the TFTP server name (option 66) and/or IP address (option 150)

IP phones need to connect to the TFTP server to download their config so they can register with the call manager.

Option 66 is the standard option (TFTP server name)

Option 150 is Cisco proprietary (TFTP server IP address; can carry more than one)

Option 82 is not used for TFTP; it is the DHCP relay agent information option


Calculate the maximum acceptable time gap between two BFD packets received by the remote peer

BFD detection time formula: remote multiplier * MAX(local Rx, remote Tx)

Remote multiplier = 5 (always use the remote multiplier)

For the next value we need to look at the local Rx and the remote Tx and see which one is bigger.

Remote Tx is larger = 20000

5 * 20000 = 100000 ms = 100 seconds

Check the unit before converting: show bfd neighbors details reports the Tx/Rx intervals in microseconds, in which case 100000 is 100 ms.
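Added example, not part of the original notes: the RFC 5880 negotiation behind both BFD questions in these notes (the R1/R2 timers in the BFD section above and this detection-time question), in Python. The R1/R2 values are the ones configured above. For the 5 x 20000 case the local Rx value of 10000 is an assumption, since the question only says the remote Tx is the larger of the two.

```python
# Added example (not from the original notes): BFD interval negotiation per RFC 5880.
# R1/R2 timers are from the notes; LOCAL/REMOTE for the 5 x 20000 case are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class BfdPeer:
    name: str
    desired_min_tx: int   # "bfd interval" on IOS (ms)
    required_min_rx: int  # "min_rx"
    detect_mult: int      # "multiplier"


def tx_interval(local, remote):
    """How often `local` really sends: the slower of what it wants and what the peer accepts."""
    return max(local.desired_min_tx, remote.required_min_rx)


def detection_time(local, remote):
    """How long `local` waits without hearing from `remote` before declaring the session down:
    the remote multiplier times the interval the remote actually transmits at."""
    return remote.detect_mult * max(local.required_min_rx, remote.desired_min_tx)


def negotiate(a, b):
    """Both directions at once, the way show bfd neighbors details would report them."""
    return {
        f"{a.name}_tx": tx_interval(a, b),
        f"{b.name}_tx": tx_interval(b, a),
        f"{a.name}_detect": detection_time(a, b),
        f"{b.name}_detect": detection_time(b, a),
    }


# The R1/R2 pair configured in the BFD section of the notes
R1 = BfdPeer("R1", desired_min_tx=100, required_min_rx=200, detect_mult=3)
R2 = BfdPeer("R2", desired_min_tx=300, required_min_rx=400, detect_mult=4)

# The detection-time question: remote multiplier 5, remote Tx 20000 (the larger value).
# The local Rx of 10000 is an assumption; any value below 20000 gives the same answer.
LOCAL = BfdPeer("local", desired_min_tx=10000, required_min_rx=10000, detect_mult=3)
REMOTE = BfdPeer("remote", desired_min_tx=20000, required_min_rx=20000, detect_mult=5)

if __name__ == "__main__":
    print(negotiate(R1, R2))                   # R1 sends every 400 ms, R2 every 300 ms
    print(detection_time(LOCAL, REMOTE))       # 100000
```

Note that the detection time on each side uses the other side's multiplier, so a router with multiplier 3 can still take four missed packets to notice a failure if its peer is configured with multiplier 4.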


Filtering routes

Config used to filter only the route to 5.5.5.5/32 (deny it, permit everything else)

access-list 1 permit 5.5.5.5 0.0.0.0

route-map F1 deny 10

 match ip address 1

route-map F1 permit 20

router eigrp 1

 distribute-list route-map F1 in fastethernet0/0

The sequence numbers matter: without them both route-map lines land on the default sequence 10, and the empty permit 20 is what lets the remaining routes through.

A distribute list should be used to filter routes

The distribute list is applied under the routing protocol

The distribute list can reference an ACL, a route-map or a prefix list

A prefix list can be used to filter network prefixes

Applying the ACL to an interface instead would drop traffic destined to that IP rather than filtering the route

PBR steers traffic based on policy (for example the source address); it does not filter routes

Prefix lists cannot be applied to interfaces, only in a distribute list, a route-map or a redistribution statement. Prefix lists are used for routes; ACLs can be used for both routes and traffic.
