0% found this document useful (0 votes)

310 views1,305 pages

CCNP Encore and Enarsi Portable Command Guide

Uploaded by

Hein Min Zaw

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

310 views1,305 pages

CCNP Encore and Enarsi Portable Command Guide

Uploaded by

Hein Min Zaw

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 1305

1. Cover Page

2. About This eBook

3. Title Page

4. Copyright Page
5. Reader Services
6. Contents at a Glance
7. Table of Contents

8. About the Authors

9. About the Technical Reviewer
10. Dedications

11. Acknowledgments
12. Command Syntax Conventions

13. Introduction
1. Who Should Read This Book?

2. Strategies for Exam Preparation

3. How This Book Is Organized

14. Chapter 1. VLANs

1. Virtual LANs
2. Layer 2 Link Aggregation

15. Chapter 2. Spanning Tree Protocol

1. Spanning Tree Protocol Definition

2. Enabling Spanning Tree Protocol

3. Changing the Spanning-Tree Mode

4. Configuring the Root Switch

5. Configuring a Secondary Root Switch

6. Configuring Port Priority

7. Configuring the Path Cost

8. Configuring the Switch Priority of a VLAN

9. Configuring STP Timers

10. Configuring Optional Spanning-Tree Features

11. Configuring and Verifying Port Error Conditions

12. Enabling Rapid Spanning Tree

13. Rapid Spanning Tree Link Types

14. Enabling Multiple Spanning Tree

15. Verifying the Extended System ID

16. Verifying STP

17. Troubleshooting Spanning Tree Protocol

18. Configuration Example: PVST+

19. Spanning-Tree Migration Example: PVST+ to Rapid-

PVST+
16. Chapter 3. Implementing Inter-VLAN Routing

1. Inter-VLAN Communication Using an External

Router: Router-on-a-Stick

2. Inter-VLAN Communication Tips

3. Inter-VLAN Communication on a Multilayer Switch

Through a Switch Virtual Interface

4. Configuration Example: Inter-VLAN

Communication

5. Configuration Example: IPv6 Inter-VLAN

Communication

17. Chapter 4. EIGRP

1. Enhanced Interior Gateway Routing Protocol

(EIGRP)

2. Enabling EIGRP for IPv4 Using Classic Mode

Configuration

3. Enabling EIGRP for IPv6 Using Classic Mode

Configuration

4. EIGRP Using Named Mode Configuration

5. EIGRP Named Mode Subconfiguration Modes

6. Upgrading Classic Mode to Named Mode

Configuration

7. EIGRP Router ID

8. Authentication for EIGRP

9. Auto-Summarization for EIGRP

10. IPv4 Manual Summarization for EIGRP

11. IPv6 Manual Summarization for EIGRP

12. Timers for EIGRP

13. Passive Interfaces for EIGRP

14. “Pseudo” Passive EIGRP Interfaces

15. Injecting a Default Route into EIGRP: Redistribution

of a Static Route
16. Injecting a Default Route into EIGRP: ip default-
network

17. Injecting a Default Route into EIGRP: Summarize to

0.0.0.0/0
18. Accepting Exterior Routing Information: default-
information

19. Equal-cost Load Balancing: maximum-paths

20. Unequal-cost Load Balancing: variance
21. EIGRP Traffic Sharing

22. Bandwidth Use for EIGRP

23. Stub Routing for EIGRP

24. EIGRP Unicast Neighbors

25. EIGRP Wide Metrics

26. Adjusting the EIGRP Metric Weights

27. Verifying EIGRP

28. Troubleshooting EIGRP

29. Configuration Example: EIGRP for IPv4 and IPv6
Using Named Mode

18. Chapter 5. OSPF

1. Comparing OSPFv2 and OSPFv3
2. Configuring OSPF

3. Configuring Multiarea OSPF

4. Using Wildcard Masks with OSPF Areas

5. Configuring Traditional OSPFv3

6. OSPFv3 Address Families

7. Authentication for OSPF

8. Optimizing OSPF Parameters
9. Propagating a Default Route

10. Route Summarization

11. OSPF Route Filtering

12. OSPF Special Area Types

13. Virtual Links
14. Verifying OSPF Configuration

15. Troubleshooting OSPF

16. Configuration Example: Single-Area OSPF

17. Configuration Example: Multiarea OSPF

18. Configuration Example: Traditional OSPFv3

19. Configuration Example: OSPFv3 with Address

Families
19. Chapter 6. Redistribution and Path Control

1. Defining Seed and Default Metrics

2. Redistributing Connected Networks
3. Redistributing Static Routes

4. Redistributing Subnets into OSPF

5. Assigning E1 or E2 Routes in OSPF

6. Redistributing OSPF Internal and External Routes

7. Configuration Example: Route Redistribution for
IPv4

8. Configuration Example: Route Redistribution for

IPv6
9. Verifying Route Redistribution

10. Route Filtering Using the distribute-list Command

11. Route Filtering Using Prefix Lists
12. Using Route Maps with Route Redistribution

13. Manipulating Redistribution Using Route Tagging

14. Changing Administrative Distance

15. Path Control with Policy-Based Routing

16. Verifying Policy-Based Routing
17. Configuration Example: PBR with Route Maps

18. Cisco IOS IP SLA

19. PBR with Cisco IOS IP SLA

20. Chapter 7. BGP

1. Configuring BGP: Classic Configuration

2. Configuring Multiprotocol BGP (MP-BGP)

3. Configuring BGP: Address Families
4. Configuration Example: Using MP-BGP Address
Families to Exchange IPv4 and IPv6 Routes
5. BGP Support for 4-Byte AS Numbers

6. BGP Timers

7. BGP and update-source

8. IBGP Next-Hop Behavior

9. EBGP Multihop

10. Attributes

11. Verifying BGP

12. Troubleshooting BGP

13. Default Routes

14. Route Aggregation

15. Route Reflectors

16. Regular Expressions

17. Regular Expressions: Examples

18. BGP Route Filtering Using Access Lists and
Distribute Lists

19. Configuration Example: Using Prefix Lists and AS

Path Access Lists
20. BGP Peer Groups

21. Authentication for BGP

21. Chapter 8. IP Services

1. Network Address Translation (NAT)

2. First-Hop Redundancy Protocols

3. Dynamic Host Control Protocol (DHCP)

22. Chapter 9. Device Management

1. Configuring Passwords

2. Password Encryption Algorithm Types

3. Boot System Commands

4. The Cisco IOS File System

5. Viewing the Cisco IOS File System

6. Commonly Used URL Prefixes for Cisco Network

Devices

7. Deciphering IOS Image Filenames

8. Backing Up Configurations to a TFTP Server

9. Restoring Configurations from a TFTP Server

10. Backing Up the Cisco IOS Software to a TFTP Server

11. Restoring/Upgrading the Cisco IOS Software from a
TFTP Server

12. Restoring the Cisco IOS Software Using the ROM

Monitor Environmental Variables and tftpdnld
Command
13. Secure Copy Protocol (SCP)

14. Disabling Unneeded Services

15. Useful Device Management Options

23. Chapter 10. Infrastructure Security

1. IPv4 Access Control Lists (ACLs)

2. Configuring and Applying Extended IPv4 ACLs

3. IPv6 ACLs
4. Implementing Authentication Methods

5. Control Plane Policing (CoPP)

6. Unicast Reverse Path Forwarding (uRPF)

24. Chapter 11. Network Assurance

1. Internet Control Message Protocol Redirect

Messages
2. The ping Command

3. Examples of Using the ping and the Extended ping

Commands
4. The traceroute Command

5. The debug Command

6. Conditionally Triggered Debugs

7. Configuring Secure SNMP

8. Implementing Logging

9. Configuring NetFlow

10. Configuring Flexible NetFlow

11. Verifying NetFlow

12. Implementing Port Mirroring

13. Configuring Network Time Protocol

14. Tool Command Language (Tcl)

15. Embedded Event Manager (EEM)

25. Chapter 12. Wireless Security and Troubleshooting

1. Authenticating Wireless Clients

2. Troubleshooting from the Wireless LAN Controller

3. Troubleshooting Wireless Client Connectivity

26. Chapter 13. Overlay Tunnels and VRF

1. Generic Routing Encapsulation (GRE)

2. Site-to-Site GRE over IPsec

3. Site-to-Site Virtual Tunnel Interface (VTI) over IPsec

4. Cisco Dynamic Multipoint VPN (DMVPN)

5. VRF-Lite

27. Appendix A. Create Your Own Journal Here

28. Index

29. Code Snippets

1. i
2. ii

3. iii

4. iv

5. v
6. vi

7. vii

8. viii
9. ix

10. x

11. xi

12. xii
13. xiii

14. xiv

15. xv
16. xvi

17. xvii

18. xviii

19. xix
20. xx

21. xxi
22. 1

23. 2

24. 3
25. 4

26. 5

27. 6

28. 7
29. 8

30. 9

31. 10
32. 11

33. 12

34. 13

35. 14
36. 15

37. 16

38. 17
39. 18

40. 19
41. 20

42. 21

43. 22

44. 23
45. 24

46. 25

47. 26
48. 27

49. 28

50. 29

51. 30
52. 31

53. 32

54. 33
55. 34

56. 35
57. 36
58. 37

59. 38
60. 39
61. 40
62. 41

63. 42
64. 43

65. 44
66. 45
67. 46

68. 47
69. 48
70. 49

71. 50
72. 51
73. 52

74. 53
75. 54
76. 55

77. 56
78. 57

79. 58
80. 59
81. 60

82. 61
83. 62
84. 63
85. 64

86. 65
87. 66

88. 67
89. 68
90. 69

91. 70
92. 71
93. 72

94. 73
95. 74
96. 75

97. 76
98. 77
99. 78

100. 79
101. 80
102. 81

103. 82
104. 83
105. 84

106. 85
107. 86
108. 87

109. 88
110. 89
111. 90

112. 91
113. 92

114. 93
115. 94
116. 95

117. 96
118. 97
119. 98

120. 99
121. 100
122. 101

123. 102
124. 103
125. 104

126. 105
127. 106
128. 107

129. 108
130. 109
131. 110

132. 111
133. 112
134. 113

135. 114
136. 115

137. 116
138. 117
139. 118

140. 119
141. 120
142. 121

143. 122
144. 123
145. 124
146. 125
147. 126
148. 127

149. 128
150. 129
151. 130

152. 131
153. 132
154. 133

155. 134
156. 135
157. 136

158. 137
159. 138

160. 139
161. 140
162. 141

163. 142
164. 143
165. 144

166. 145
167. 146
168. 147

169. 148
170. 149
171. 150

172. 151
173. 152
174. 153

175. 154
176. 155
177. 156

178. 157
179. 158
180. 159

181. 160
182. 161
183. 162

184. 163
185. 164

186. 165
187. 166
188. 167
189. 168

190. 169
191. 170
192. 171

193. 172
194. 173

195. 174
196. 175
197. 176

198. 177
199. 178
200. 179

201. 180
202. 181
203. 182

204. 183
205. 184
206. 185

207. 186
208. 187
209. 188

210. 189
211. 190
212. 191

213. 192
214. 193
215. 194

216. 195
217. 196

218. 197
219. 198
220. 199

221. 200
222. 201
223. 202

224. 203
225. 204
226. 205

227. 206
228. 207
229. 208
230. 209
231. 210
232. 211

233. 212
234. 213
235. 214

236. 215
237. 216
238. 217

239. 218
240. 219

241. 220
242. 221
243. 222

244. 223
245. 224
246. 225

247. 226
248. 227
249. 228

250. 229
251. 230
252. 231

253. 232
254. 233
255. 234

256. 235
257. 236
258. 237

259. 238
260. 239
261. 240

262. 241
263. 242
264. 243

265. 244
266. 245

267. 246
268. 247
269. 248

270. 249
271. 250
272. 251

273. 252
274. 253
275. 254

276. 255
277. 256
278. 257

279. 258
280. 259
281. 260

282. 261
283. 262
284. 263

285. 264
286. 265
287. 266

288. 267
289. 268

290. 269
291. 270
292. 271
293. 272

294. 273
295. 274
296. 275

297. 276
298. 277

299. 278
300. 279
301. 280

302. 281
303. 282
304. 283

305. 284
306. 285
307. 286

308. 287
309. 288
310. 289

311. 290
312. 291

313. 292
314. 293
315. 294
316. 295

317. 296
318. 297
319. 298
320. 299

321. 300
322. 301
323. 302
324. 303
325. 304
326. 305

327. 306
328. 307
329. 308
330. 309
331. 310

332. 311
333. 312
334. 313
335. 314
336. 315
337. 316

338. 317
339. 318
340. 319
341. 320
342. 321
343. 322

344. 323
345. 324
346. 325
347. 326
348. 327
349. 328

350. 329
351. 330
352. 331
353. 332
354. 333

355. 334
356. 335
357. 336
358. 337
359. 338
360. 339
361. 340

362. 341
363. 342
364. 343
365. 344
366. 345

367. 346
368. 347
369. 348
370. 349
371. 350
372. 351

373. 352
374. 353
375. 354
376. 355
377. 356
378. 357

379. 358
380. 359
381. 360
382. 361
383. 362
384. 363

385. 364
386. 365
387. 366
388. 367
389. 368

390. 369
391. 370
392. 371
393. 372
394. 373
395. 374

396. 375
397. 376
398. 377
399. 378
400. 379
401. 380

402. 381
403. 382
404. 383
405. 384
406. 385
407. 386

408. 387
409. 388
410. 389
411. 390
412. 391

413. 392
414. 393
415. 394
About This eBook
ePUB is an open, industry-standard format for eBooks.
However, support of ePUB and its many features varies
across reading devices and applications. Use your device
or app settings to customize the presentation to your
liking. Settings that you can customize often include
font, font size, single or double column, landscape or
portrait mode, and figures that you can click or tap to
enlarge. For additional information about the settings
and features on your reading device or app, visit the
device manufacturer’s Web site.

Many titles include programming code or configuration

examples. To optimize the presentation of these
elements, view the eBook in single-column, landscape
mode and adjust the font size to the smallest setting. In
addition to presenting code and configurations in the
reflowable text format, we have included images of the
code that mimic the presentation found in the print
book; therefore, where the reflowable format may
compromise the presentation of the code listing, you
will see a “Click here to view code image” link. Click the
link to view the print-fidelity code image. To return to
the previous page viewed, click the Back button on your
device or app.
CCNP and CCIE
Enterprise Core & CCNP
Enterprise Advanced
Routing Portable
Command Guide
All ENCOR (350-401) and ENARSI
(300-410) Commands in One
Compact, Portable Resource

Scott Empson
Patrick Gargano

Cisco Press
CCNP and CCIE Enterprise Core &
CCNP Enterprise Advanced Routing
Portable Command Guide
Scott Empson, Patrick Gargano

Copyright© 2020 Cisco Systems, Inc.

Published by:
Cisco Press

All rights reserved. No part of this book may be

reproduced or transmitted in any form or by any means,
electronic or mechanical, including photocopying,
recording, or by any information storage and retrieval
system, without written permission from the publisher,
except for the inclusion of brief quotations in
a review.

ScoutAutomatedPrintCode

Library of Congress Control Number: 2019956928

ISBN-13: 978-0-13-576816-7

ISBN-10: 0-13-576816-0
Warning and Disclaimer
This book is designed to provide information about the
CCNP and CCIE Enterprise Core (ENCOR 350-401) and
CCNP Enterprise Advanced Routing (ENARSI 300-410)
exams. Every effort has been made to make this book as
complete and as accurate as possible, but no warranty or
fitness is implied.

The information is provided on an “as is” basis. The

authors, Cisco Press, and Cisco Systems, Inc. shall have
neither liability nor responsibility to any person or
entity with respect to any loss or damages arising from
the information contained in this book or from the use
of the discs or programs that may accompany it.

The opinions expressed in this book belong to the

authors and are not necessarily those of Cisco Systems,
Inc.

Trademark Acknowledgments
All terms mentioned in this book that are known to be
trademarks or service marks have been appropriately
capitalized. Cisco Press or Cisco Systems, Inc., cannot
attest to the accuracy of this information. Use of a term
in this book should not be regarded as affecting the
validity of any trademark or service mark.

Special Sales
For information about buying this title in bulk
quantities, or for special sales opportunities (which may
include electronic versions; custom cover designs; and
content particular to your business, training goals,
marketing focus, or branding interests), please contact
our corporate sales department at
corpsales@pearsoned.com or (800) 382-3419.

For government sales inquiries, please contact

governmentsales@pearsoned.com.

For questions about sales outside the U.S., please

contact intlcs@pearson.com.

Editor-In-Chief
Mark Taub

Alliances Manager, Cisco Press

Arezou Gol

Product Line Manager

Brett Bartow
Senior Editor
James Manly

Managing Editor
Sandra Schroeder

Development Editor
Eleanor Bru

Senior Project Editor

Lori Lyons

Copy Editor
Bill McManus

Technical Editor
Bob Vachon

Editorial Assistant
Cindy Teeters

Cover Designer
Chuti Prasertsith

Production Manager
Vaishnavi Venkatesan/codeMantra

Composition
codeMantra
Indexer
Ken Johnson

Proofreader
Abigail Manheim

Feedback Information
At Cisco Press, our goal is to create in-depth technical
books of the highest quality and value. Each book is
crafted with care and precision, undergoing rigorous
development that involves the unique expertise of
members from the professional technical community.

Readers’ feedback is a natural continuation of this

process. If you have any comments regarding how we
could improve the quality of this book, or otherwise
alter it to better suit your needs, you can contact us
through email at feedback@ciscopress.com. Please
make sure to include the book title and ISBN in your
message.

We greatly appreciate your assistance.

Americas Asia Pacific Europe
Headquarter Headquarters Headquarters
s Cisco Systems Cisco Systems
Cisco Systems, (USA) Pte. Ltd. International BV
Inc. Singapore Amsterdam,
San Jose, CA The Netherlands

Cisco has more than 200 offices worldwide. Addresses,

phone numbers, and fax numbers are listed on the Cisco
Website at www.cisco.com/go/offices.

Cisco and the Cisco logo are trademarks or registered

trademarks of Cisco and/or its affiliates in the U.S. and
other countries. To view a list of Cisco trademarks, go to
this URL: www.cisco.com/go/trademarks. Third party
trademarks mentioned are the property of their
respective owners. The use of the word partner does not
imply a partnership relationship between Cisco and any
other company. (1110R)
Reader Services
Register your copy at
www.ciscopress.com/title/9780135768167 for
convenient access to downloads, updates, and
corrections as they become available. To start the
registration process, go to www.ciscopress.com/register
and log in or create an account*. Enter the product
ISBN 9780135768167 and click Submit. When the
process is complete, you will find any available bonus
content under Registered Products.

*Be sure to check the box that you would like to hear
from us to receive exclusive discounts on future editions
of this product.
Contents at a Glance
About the Authors

Introduction

Part I: Layer 2 Infrastructure

CHAPTER 1 VLANs
CHAPTER 2 Spanning Tree Protocol
CHAPTER 3 Implementing Inter-VLAN Routing

Part II: Layer 3 Infrastructure

CHAPTER 4 EIGRP
CHAPTER 5 OSPF

CHAPTER 6 Redistribution and Path Control

CHAPTER 7 BGP

Part III: Infrastructure Services

CHAPTER 8 IP Services
CHAPTER 9 Device Management

Part IV: Infrastructure Security

CHAPTER 10 Infrastructure Security

Part V: Network Assurance

CHAPTER 11 Network Assurance

Part VI: Wireless

CHAPTER 12 Wireless Security and

Troubleshooting

Part VII: Overlays and Virtualization

CHAPTER 13 Overlay Tunnels and VRF

Part VIII: Appendix

APPENDIX A Create Your Own Journal Here

INDEX
Table of Contents
About the Authors

Introduction

Part I: Layer 2 Infrastructure

CHAPTER 1 VLANs
Virtual LANs
Creating Static VLANs Using VLAN
Configuration Mode
Assigning Ports to Data and Voice
VLANs
Using the range Command
Dynamic Trunking Protocol (DTP)
Setting the Trunk Encapsulation and
Allowed VLANs
VLAN Trunking Protocol (VTP)
Verifying VTP
Verifying VLAN Information
Saving VLAN Configurations
Erasing VLAN Configurations
Configuration Example: VLANs
Layer 2 Link Aggregation
Interface Modes in EtherChannel
Default EtherChannel Configuration
Guidelines for Configuring
EtherChannel
Configuring Layer 2 EtherChannel
Configuring Layer 3 EtherChannel
Configuring EtherChannel Load
Balancing
Configuring LACP Hot-Standby Ports
Monitoring and Verifying
EtherChannel
Configuration Example: EtherChannel
CHAPTER 2 Spanning Tree Protocol
Spanning Tree Protocol Definition
Enabling Spanning Tree Protocol
Changing the Spanning-Tree Mode
Configuring the Root Switch
Configuring a Secondary Root Switch
Configuring Port Priority
Configuring the Path Cost
Configuring the Switch Priority of a VLAN
Configuring STP Timers
Configuring Optional Spanning-Tree
Features
PortFast
BPDU Guard (2xxx/older 3xxx Series)
BPDU Guard (3650/9xxx Series)
BPDU Filter
UplinkFast
BackboneFast
Root Guard
Loop Guard
Unidirectional Link Detection
Configuring and Verifying Port Error
Conditions
Enabling Rapid Spanning Tree
Rapid Spanning Tree Link Types
Enabling Multiple Spanning Tree
Verifying the Extended System ID
Verifying STP
Troubleshooting Spanning Tree Protocol
Configuration Example: PVST+
Spanning-Tree Migration Example: PVST+
to Rapid-PVST+
CHAPTER 3 Implementing Inter-VLAN Routing
Inter-VLAN Communication Using an
External Router: Router-on-a-Stick
Inter-VLAN Communication Tips
Inter-VLAN Communication on a
Multilayer Switch Through a Switch
Virtual Interface
Configuring Inter-VLAN
Communication on an L3 Switch
Removing L2 Switchport Capability of
an Interface on an L3 Switch
Configuration Example: Inter-VLAN
Communication
Configuration Example: IPv6 Inter-VLAN
Communication

Part II: Layer 3 Infrastructure

CHAPTER 4 EIGRP
Enhanced Interior Gateway Routing
Protocol (EIGRP)
Enabling EIGRP for IPv4 Using Classic
Mode Configuration
Enabling EIGRP for IPv6 Using Classic
Mode Configuration
EIGRP Using Named Mode Configuration
EIGRP Named Mode Subconfiguration
Modes
Upgrading Classic Mode to Named Mode
Configuration
EIGRP Router ID
Authentication for EIGRP
Configuring Authentication in Classic
Mode
Configuring Authentication in Named
Mode
Verifying and Troubleshooting EIGRP
Authentication
Auto-Summarization for EIGRP
IPv4 Manual Summarization for EIGRP
IPv6 Manual Summarization for EIGRP
Timers for EIGRP
Passive Interfaces for EIGRP
“Pseudo” Passive EIGRP Interfaces
Injecting a Default Route into EIGRP:
Redistribution of a Static Route
Injecting a Default Route into EIGRP: ip
default-network
Injecting a Default Route into EIGRP:
Summarize to 0.0.0.0/0
Accepting Exterior Routing Information:
default-information
Equal-cost Load Balancing: maximum-
paths
Unequal-cost Load Balancing: variance
EIGRP Traffic Sharing
Bandwidth Use for EIGRP
Stub Routing for EIGRP
EIGRP Unicast Neighbors
EIGRP Wide Metrics
Adjusting the EIGRP Metric Weights
Verifying EIGRP
Troubleshooting EIGRP
Configuration Example: EIGRP for IPv4
and IPv6 Using Named Mode
CHAPTER 5 OSPF
Comparing OSPFv2 and OSPFv3
Configuring OSPF
Configuring Multiarea OSPF
Using Wildcard Masks with OSPF Areas
Configuring Traditional OSPFv3
Enabling OSPF for IPv6 on an
Interface
OSPFv3 and Stub/NSSA Areas
Interarea OSPFv3 Route
Summarization
Enabling an IPv4 Router ID for
OSPFv3
Forcing an SPF Calculation
OSPFv3 Address Families
Configuring the IPv6 Address Family
in OSPFv3
Configuring the IPv4 Address Family
in OSPFv3
Applying Parameters in Address
Family Configuration Mode
Authentication for OSPF
Configuring OSPFv2 Authentication:
Simple Password
Configuring OSPFv2 Cryptographic
Authentication: SHA-256
Configuring OSPFv3 Authentication
and Encryption
Verifying OSPFv2 and OSPFv3
Authentication
Optimizing OSPF Parameters
Loopback Interfaces
Router ID
DR/BDR Elections
Passive Interfaces
Modifying Cost Metrics
OSPF Reference Bandwidth
OSPF LSDB Overload Protection
Timers
IP MTU
Propagating a Default Route
Route Summarization
Interarea Route Summarization
External Route Summarization
OSPF Route Filtering
Using the filter-list Command
Using the area range not-advertise
Command
Using the distribute-list in Command
Using the summary-address not-
advertise Command
OSPF Special Area Types
Stub Areas
Totally Stubby Areas
Not-So-Stubby Areas (NSSA)
Totally NSSA
Virtual Links
Configuration Example: Virtual Links
Verifying OSPF Configuration
Troubleshooting OSPF
Configuration Example: Single-Area OSPF
Configuration Example: Multiarea OSPF
Configuration Example: Traditional
OSPFv3
Configuration Example: OSPFv3 with
Address Families
CHAPTER 6 Redistribution and Path Control
Defining Seed and Default Metrics
Redistributing Connected Networks
Redistributing Static Routes
Redistributing Subnets into OSPF
Assigning E1 or E2 Routes in OSPF
Redistributing OSPF Internal and External
Routes
Configuration Example: Route
Redistribution for IPv4
Configuration Example: Route
Redistribution for IPv6
Verifying Route Redistribution
Route Filtering Using the distribute-list
Command
Configuration Example: Inbound and
Outbound Distribute List Route
Filters
Configuration Example: Controlling
Redistribution with Outbound
Distribute Lists
Verifying Route Filters
Route Filtering Using Prefix Lists
Configuration Example: Using a
Distribute List That References a
Prefix List to Control
Redistribution
Verifying Prefix Lists
Using Route Maps with Route
Redistribution
Configuration Example: Route Maps
Manipulating Redistribution Using Route
Tagging
Changing Administrative Distance
Path Control with Policy-Based Routing
Verifying Policy-Based Routing
Configuration Example: PBR with Route
Maps
Cisco IOS IP SLA
Configuring Authentication for IP SLA
Monitoring IP SLA Operations
PBR with Cisco IOS IP SLA
Step 1: Define Probe(s)
Step 2: Define Tracking Object(s)
Step 3a: Define the Action on the
Tracking Object(s)
Step 3b: Define Policy Routing Using
the Tracking Object(s)
Step 4: Verify IP SLA Operations
CHAPTER 7 BGP
Configuring BGP: Classic Configuration
Configuring Multiprotocol BGP (MP-BGP)
Configuring BGP: Address Families
Configuration Example: Using MP-BGP
Address Families to Exchange IPv4 and
IPv6 Routes
BGP Support for 4-Byte AS Numbers
BGP Timers
BGP and update-source
IBGP Next-Hop Behavior
EBGP Multihop
Attributes
Route Selection Decision Process—The
BGP Best Path Algorithm
Weight Attribute
Using AS Path Access Lists to
Manipulate the Weight Attribute
Using Prefix Lists and Route Maps to
Manipulate the Weight Attribute
Local Preference Attribute
Using AS Path Access Lists with Route
Maps to Manipulate the Local
Preference Attribute
AS Path Attribute Prepending
AS Path: Removing Private
Autonomous Systems
Multi-Exit Discriminator (MED)
Attribute
Verifying BGP
Troubleshooting BGP
Default Routes
Route Aggregation
Route Reflectors
Regular Expressions
Regular Expressions: Examples
BGP Route Filtering Using Access Lists and
Distribute Lists
Configuration Example: Using Prefix Lists
and AS Path Access Lists
BGP Peer Groups
Authentication for BGP
Configuring Authentication Between
BGP Peers
Verifying BGP Authentication

Part III: Infrastructure Services

CHAPTER 8 IP Services
Network Address Translation (NAT)
Private IP Addresses: RFC 1918
Configuring Static NAT
Configuring Dynamic NAT
Configuring Port Address Translation
(PAT)
Configuring a NAT Virtual Interface
Verifying NAT and PAT Configurations
Troubleshooting NAT and PAT
Configurations
Configuration Example: PAT
Configuration Example: NAT Virtual
Interfaces and Static NAT
First-Hop Redundancy Protocols
Hot Standby Router Protocol
Virtual Router Redundancy Protocol
IPv4 Configuration Example: HSRP on
L3 Switch
IPv4 Configuration Example: VRRPv2
on Router and L3 Switch with IP
SLA Tracking
IPv6 Configuration Example: HSRPv2
on Router and L3 Switch
Dynamic Host Control Protocol (DHCP)
Implementing DHCP for IPv4
Implementing DHCP for IPv6
Configuration Example: DHCP for
IPv4
Configuration Example: DHCP for
IPv6
CHAPTER 9 Device Management
Configuring Passwords
Cleartext Password Encryption
Password Encryption Algorithm Types
Configuring SSH
Verifying SSH
Boot System Commands
The Cisco IOS File System
Viewing the Cisco IOS File System
Commonly Used URL Prefixes for Cisco
Network Devices
Deciphering IOS Image Filenames
Backing Up Configurations to a TFTP
Server
Restoring Configurations from a TFTP
Server
Backing Up the Cisco IOS Software to a
TFTP Server
Restoring/Upgrading the Cisco IOS
Software from a TFTP Server
Restoring the Cisco IOS Software Using the
ROM Monitor Environmental Variables
and tftpdnld Command
Secure Copy Protocol (SCP)
Configuring an SCP Server
Verifying and Troubleshooting SCP
Configuration Example: SCP
Disabling Unneeded Services
Useful Device Management Options

Part IV: Infrastructure Security

CHAPTER 10 Infrastructure Security
IPv4 Access Control Lists (ACLs)
Configuring and Applying Standard
IPv4 ACLs
Configuring and Applying Extended IPv4
ACLs
Configuring and Applying Time-based
ACLs
Configuring and Applying VTY ACLs
IPv6 ACLs
Configuring and Applying IPv6 ACLs
Verifying IPv4 and IPv6 ACLs
Implementing Authentication Methods
Simple Local Database Authentication
AAA-based Local Database
Authentication
RADIUS Authentication
TACACS+ Authentication
Configuring Authorization and
Accounting
Troubleshooting AAA
Control Plane Policing (CoPP)
Step 1: Define ACLs to Identify
Permitted CoPP Traffic Flows
Step 2: Define Class Maps for Matched
Traffic
Step 3: Define a Policy Map to Police
Matched Traffic
Step 4: Assign a Policy Map to the
Control Plane
Verifying CoPP
Unicast Reverse Path Forwarding (uRPF)
Configuring uRPF
Verifying and Troubleshooting uRPF

Part VI: Wireless

CHAPTER 12 Wireless Security and
Troubleshooting
Authenticating Wireless Clients
Open Authentication
Authenticating with a Pre-shared Key
Authenticating with EAP
Authenticating with WebAuth
Troubleshooting from the Wireless LAN
Controller
Troubleshooting Wireless Client
Connectivity
Cisco AireOS Monitoring Dashboard
GUI
Cisco IOS XE GUI

Part VII: Overlays and Virtualization

CHAPTER 13 Overlay Tunnels and VRF
Generic Routing Encapsulation (GRE)
Configuring an IPv4 GRE Tunnel
Configuring an IPv6 GRE Tunnel
Verifying IPv4 and IPv6 GRE Tunnels
Configuration Example: IPv4 and IPv6
GRE Tunnels with OSPFv3
Site-to-Site GRE over IPsec
GRE/IPsec Using Crypto Maps
GRE/IPsec Using IPsec Profiles
Verifying GRE/IPsec
Site-to-Site Virtual Tunnel Interface (VTI)
over IPsec
Cisco Dynamic Multipoint VPN (DMVPN)
Configuration Example: Cisco DMVPN
for IPv4
Verifying Cisco DMVPN
VRF-Lite
Configuring VRF-Lite
Verifying VRF-Lite

APPENDIX A Create Your Own Journal Here

INDEX
About the Authors
Scott Empson is an instructor in the Department of
Information Systems Technology at the Northern
Alberta Institute of Technology in Edmonton, Alberta,
Canada, where he has taught for over 21 years. He
teaches technical courses in Cisco routing and
switching, along with courses in professional
development and leadership. Scott created the CCNA
Command Quick Reference in 2004 as a companion
guide to the Cisco Networking Academy Program, and
this guide became the CCNA Portable Command Guide
in 2005. Other titles in the series in the areas of CCNP,
Wireless, Security, Microsoft, and Linux followed
beginning in 2006. Scott has a Master of Education
degree along with three undergraduate degrees: a
Bachelor of Arts, with a major in English; a Bachelor of
Education, again with a major in English/language arts;
and a Bachelor of Applied Information Systems
Technology, with a major in network management.
Scott lives in Edmonton, Alberta, with his wife, Trina,
and two university-attending-but-still-haven’t-moved-
out-yet-but-hope-to-move-out-as-soon-as-possible-
after-graduation-so-Dad-can-have-the-TV-room-back
children, Zachariah and Shaelyn.

Patrick Gargano has been an educator since 1996, a

Cisco Networking Academy Instructor since 2000, and a
Certified Cisco Systems Instructor (CCSI) since 2005.
He is currently based in Australia, where he is a Content
Development Engineer at Skyline ATS, responsible for
CCNP Enterprise course development with
Learning@Cisco. He previously led the Networking
Academy program at Collège La Cité in Ottawa, Canada,
where he taught CCNA/CCNP-level courses, and he has
also worked for Cisco Learning Partners Fast Lane UK,
ARP Technologies, and NterOne.

In 2018 Patrick was awarded the Networking Academy

Above and Beyond Instructor award for leading CCNA
CyberOps early adoption and instructor training in
Quebec, Canada. Patrick has also twice led the Cisco
Networking Academy Dream Team at Cisco Live US.

Patrick’s previous Cisco Press publications include the

CCNP Routing and Switching Portable Command
Guide (2014) and 31 Days Before Your CCNA Security
Exam (2016). His certifications include CCNA (R&S),
CCNA Wireless, CCNA Security, CCNA CyberOps, and
CCNP (R&S). He holds Bachelor of Education and
Bachelor of Arts degrees from the University of Ottawa,
and is completing a Master of Professional Studies in
Computer Networking at Fort Hays State University
(Kansas).
About the Technical Reviewer
Bob Vachon is a professor in the Computer Systems
Technology program at Cambrian College in Sudbury,
Ontario, Canada, where he teaches networking
infrastructure courses. He has worked and taught in the
computer networking and information technology field
since 1984. He has collaborated on various CCNA,
CCNA Security, and CCNP projects for the Cisco
Networking Academy as team lead, lead author, and
subject matter expert. He enjoys playing the guitar and
being outdoors.
Dedications
Scott Empson: As always, this book is dedicated to
Trina, Zach, and Shae. Also, this book is dedicated to
Florence Empson. I couldn’t have asked for a better
mother. I love you. Cancer sucks.

Patrick Gargano: To my wife Kathryn. I am

grateful for your love, patience, and constant —Scott
support, not only during the writing of this book
but always. Thank you for taking us on this Australian
adventure. Je t’aime.

To our son Sam. What a lovely, kind, interesting little

person you are becoming. It is such a pleasure to have
you in our lives and to share in your passions. Je t’aime,
Samu.

—Patrick
Acknowledgments
Anyone who has ever had anything to do with the
publishing industry knows that it takes many, many
people to create a book. Our names may be on the cover,
but there is no way that we can take credit for all that
occurred to get this book from idea to publication.
Therefore, we must thank the following:

Scott Empson: The team at Cisco Press. Once again,

you amaze me with your professionalism and the ability
to make me look good. James and Ellie—thank you for
your continued support and belief in my little
engineering journal. Thanks to the Production team:
Lori, Bill, and Vaishnavi.

To our technical reviewer, Bob Vachon, thanks for

keeping us on track and making sure that what we wrote
is correct and relevant. I brought you on board with me
all those years ago for the CCNA Security Portable
Command Guide, and I have always enjoyed working
with and collaborating with you. This time has been no
different.
A big thank you goes to my co-author Patrick Gargano;
you have made this a better book with your presence
and your knowledge. I am truly honoured to have you as
part of the Portable Command Guide family.

Patrick Gargano: I first want to thank Mary Beth Ray

for welcoming me into the Cisco Press family back in
2013. I hope you enjoy a well-deserved retirement as
you embrace this new, more-relaxed chapter in your life.
Namaste.

James, Ellie, Lori, and Bill at Cisco Press did a fabulous

job keeping the project on the rails and looking its best.

Bob, always a pleasure working with you. Your attention

to detail and technical suggestions were truly
appreciated.

Finally, to my good friend Scott. Like the first book we

worked on together, this one has been fun and engaging.
Thanks for putting up with all those early-morning and
late-night calls as we dealt with the 15-hour time
difference between Edmonton and Perth. For the last
time, no, I don’t have the winning lottery ticket numbers
even though it’s already tomorrow in Australia.
Command Syntax Conventions
The conventions used to present command syntax in
this book are the same conventions used in the IOS
Command Reference. The Command Reference
describes these conventions as follows:

Boldface indicates commands and keywords that are

entered literally as shown. In actual configuration
examples and output (not general command syntax),
boldface indicates commands that are manually input
by the user (such as a show command).

Italic indicates arguments for which you supply actual

values.

Vertical bars (|) separate alternative, mutually

exclusive elements.

Square brackets ([ ]) indicate an optional element.

Braces ({ }) indicate a required choice.

Braces within brackets ([{ }]) indicate a required choice

within an optional element.
Introduction
Welcome to the CCNP and CCIE Enterprise Core &
CCNP Enterprise Advanced Routing Portable
Command Guide, a handy resource that you can use
both on the job and to study for the ENCOR 350-401
and ENARSI 300-410 exams. I truly hope that a
shortened name comes along for this title soon as that is
a real bother to continually type out. In order to increase
sales, I suggested to Cisco Press that we call this one
Harry Potter and the CCNP ENCORE & ENARSI
Portable Command Guide, but I was quickly vetoed—
the title is still too long, I guess. Who can really
understand what lawyers say, anyway?

In June 2019, during his Cisco Live keynote address,

Cisco Systems CEO Chuck Robbins made an
announcement that turned the Cisco certification world
completely around. The entire certification program is
being reinvented—a new vision, new exams, new paths
—including the DevNet pathway that focuses on
programmability expertise and software skills. In
response to this announcement, authors around the
world jumped back into their respective home office/lab
space (some would say we never truly left) and started
the enormous task of updating the content needed to
prepare for these new exams, scheduled to launch in
February 2020. This book is one of many titles (at one
point I heard that over 35 new titles were being worked
on) created over the last 12 months to meet the
demands of industry and academia in both the CCNP
and CCIE certification space. After studying the new
blueprints of all the new CCNP Enterprise exams,
Patrick and I decided to combine outcomes from two
certification exams into a single volume for this latest
edition of our Portable Command Guide. Enterprise
Core and Enterprise Advanced Routing are very closely
related, so it made sense to create this volume for you to
use to prepare for the new exams, and to use as a
reference to accomplish tasks you may be undertaking
in your production networks.

For those of you who have used one or more Portable

Command Guides before, thank you for looking at this
one. For those of you who are new to the Portable
Command Guides, you are reading what is essentially a
cleaned-up version of a personal engineering journal—a
small notebook that can be carried around with you that
contains little nuggets of information; commands that
you use but then forget; IP address schemes for the
parts of the network you work with only on occasion;
and little reminders about concepts that you work with
only once or twice a year but still need to know when
those times roll around.. Having a journal of commands
at your fingertips, without having to search Cisco.com
(or resort to textbooks if the network is down and you
are responsible for getting it back online), can be a real
timesaver.

With the creation of the new CCNP Enterprise exam

objectives, there is always something new to read, a new
podcast to listen to, or a slideshow from Cisco Live that
you want to review. To make this guide even more
practical for you to use, it includes an appendix of blank
pages where you can add details that you glean from
these other resources, as well as add your own
configurations, commands that are not in this book but
are needed in your world, and so on. You can make this
book your personal engineering journal, a central
repository of information that won’t weigh you down as
you carry it from the office or cubicle to the server and
infrastructure rooms in some remote part of the
building or some branch office.

WHO SHOULD READ THIS BOOK?

This book is for those people preparing for the CCNP
and CCIE Enterprise Core (ENCOR 350-401) exam
and/or the CCNP Enterprise Advanced Routing
(ENARSI 300-410) exam, whether through self-study,
on-the-job training and practice, study within the Cisco
Academy Program, or study through the use of a Cisco
Training Partner. There are also many handy notes and
tips along the way to make life a bit easier for you in this
endeavor. This book is also useful in the workplace. It is
small enough that you will find it easy to carry around
with you. Big, heavy textbooks might look impressive on
your bookshelf in your office, but can you really carry
them all around with you when you are working in some
server room or equipment closet somewhere?

STRATEGIES FOR EXAM

PREPARATION
The strategy you use to prepare for the ENCOR and
ENARSI exams might differ from strategies used by
other readers, mainly based on the skills, knowledge,
and experience you already have obtained. For instance,
if you have attended a course offered by a Cisco
Learning Partner or through the Cisco Networking
Academy, you might take a different approach than
someone who learned routing via on-the-job training or
through self-study. Regardless of the strategy you use or
the background you have, this book is designed to help
you minimize the amount of time required to get to the
point where you can pass the exam. For instance, there
is no need for you to practice or read about EIGRP,
OSPF, WLCs, or VLANs if you fully understand the topic
already. However, many people like to make sure that
they truly know a topic and therefore read over material
that they already know. Several book features will help
you gain the confidence that you need to be convinced
that you know some material already, and to also help
you know what topics you need to study more.

HOW THIS BOOK IS ORGANIZED

Although this book could be read cover to cover, we
strongly advise against it, unless you really are having
problems sleeping at night. The book is designed to be a
simple listing of the commands that you need to
understand to pass the ENCOR and ENARSI exams.
Portable Command Guides contain very little theory;
the series is designed to focus on the commands needed
at this level of study.

This book focuses primarily on the configure and

troubleshoot exam topics found in the CCNP and
CCIE Enterprise Core (ENCOR 350-401) and CCNP
Enterprise Advanced Routing (ENARSI 300-410) exam
blueprints. Although this book covers two separate
exams, commands for both are grouped logically
according to this structure:

Part I: Layer 2 Infrastructure

Chapter 1, “VLANs”: Troubleshooting static and

dynamic 802.1Q trunking protocols; troubleshooting
static and dynamic EtherChannels

Chapter 2, “Spanning Tree Protocol”:

Configuring and verifying common Spanning Tree
Protocols—RSPT and MST

Chapter 3, “Implementing Inter-VLAN

Routing”: Configuring inter-VLAN routing

Part II: Layer 3 Infrastructure

Chapter 4, “EIGRP”: Troubleshooting EIGRP, in

both classic and named modes for IPv4 and IPv6

Chapter 5, “OSPF”: Configuring, verifying, and

troubleshooting OSPF environments, using both classic
modes and address families for IPv4 and IPv6

Chapter 6, “Redistribution and Path Control”:

Configuring, verifying, and troubleshooting route
redistribution between protocols; troubleshooting
network performance issues; loop prevention
mechanisms

Chapter 7, “BGP”: Configuring, verifying, and

troubleshooting BGP, both internal and external, for
IPv4 and IPv6

Part III: Infrastructure Services

Chapter 8, “IP Services”: Configuring and verifying

NAT and PAT; configuring and verifying first-hop
redundancy protocols; troubleshooting IPv4 and IPv6
DHCP

Chapter 9, “Device Management”: Configuring

and verifying line and password protection;
troubleshooting device management of console, VTY,
Telnet, HTTP, SSH, TFTP, and SCP

Part IV: Infrastructure Security

Chapter 10, “Infrastructure Security”:

Configuring and verifying device access control;
configuring and verifying authentication/authorization
using AAA; troubleshooting device security using Cisco
IOS AAA; troubleshooting control plane policing

Part V: Network Assurance

Chapter 11, “Network Assurance”: Diagnosing
network problems using different tools such as debug,
traceroute, ping, SNMP, and syslog; configuring and
verifying device monitoring; configuring and verifying
NetFlow and Flexible NetFlow; configuring and
verifying NTP; constructing Tcl scripts; constructing
EEM applets

Part VI: Wireless

Chapter 12, “Wireless Security and

Troubleshooting”: Configuring and verifying
wireless security features such as authentication;
troubleshooting WLAN configurations and wireless
client connectivity issues

Part VII: Overlays and Virtualization

Chapter 13, “Overlay Tunnels and VRF”:

Configuring and verifying DMVPN; configuring and
verifying VRF
Part I: Layer 2 Infrastructure
Chapter 1
VLANs

This chapter provides information about the following

topics:

Virtual LANs

Creating static VLANs using VLAN

configuration mode

Assigning ports to data and voice VLANs

Using the range command

Dynamic Trunking Protocol (DTP)

Setting the trunk encapsulation and allowed

VLANs

VLAN Trunking Protocol (VTP)

Verifying VTP

Verifying VLAN information

Saving VLAN information

Erasing VLAN information

Configuration example: VLANs

Layer 2 link aggregation

Interface modes in EtherChannel

Default EtherChannel configuration

Guidelines for configuring EtherChannel

Configuring Layer 2 EtherChannel

Configuring Layer 3 EtherChannel

Configuring EtherChannel load balancing

Configuring LACP hot-standby ports

Monitoring and verifying EtherChannel

Configuration example: EtherChannel

VIRTUAL LANS
A VLAN is a switched network that logically segments
by function, project teams, or applications, without
regard to the physical locations of the users. VLANs are
the Layer 2 (L2) partitioning of a physical switch into
two or more virtual switches. Ports assigned to one
VLAN are in a single broadcast domain and are L2
forwarded only within that broadcast domain. Each
VLAN is considered its own logical network where any
traffic destined for outside the logical network must be
forwarded by a router. Each VLAN can support its own
instance of spanning tree. VLANs can be extended
across multiple interconnected switches by tagging the
VLAN number on each Ethernet frame transmitted or
received between them. This tagging of frames is
supported by IEEE 802.1Q trunking.

Creating Static VLANs Using VLAN Configuration

Mode
Static VLANs occur when a switch port is manually
assigned by the network administrator to belong to a
VLAN. Each port is associated with a specific VLAN. By
default, all ports are originally assigned to VLAN 1. You
create VLANs using the VLAN configuration mode.

Note
VLAN database mode has been deprecated in IOS Version 15.

Switch(config Creates VLAN 3 and enters VLAN

)# vlan 3 configuration mode for further
definitions

Switch(config Assigns a name to the VLAN. The

-vlan)# name length of the name can be from 1 to
Engineering 32 characters

Switch(config Applies changes, increases the VTP

-vlan)# exit revision number by 1, and returns to
global configuration mode

Note

The VLAN is not created until you exit VLAN

configuration mode

Switch(config
)#

Note
Use this method to add normal-range VLANs (1–1005) or extended-range VLANs (1006–
4094). Configuration information for normal-range VLANs is always saved in the VLAN
database, and you can display this information by entering the show vlan privileged EXEC
command.

Note
The VLAN Trunking Protocol (VTP) revision number is increased by one each time a VLAN
is created or changed.
Note
VTP Version 3 supports propagation of extended-range VLANs. VTP Versions 1 and 2
propagate only VLANs 1–1005.

Note
Transparent mode does not increment the VTP revision number.

Assigning Ports to Data and Voice VLANs

Switch(config)# Moves to interface

interface configuration mode
fastethernet 0/1

Switch(config-if)# Sets the port to access

switchport mode mode
access

Switch(config-if)# Assigns this port to data

switchport access VLAN 10
vlan 10

Switch(config-if)# Assigns this port to include

switchport voice tagged voice frames in
vlan 11 VLAN 11
Note
When the switchport mode access command is used, the port will operate as a
nontrunking single VLAN interface that transmits and receives untagged frames. An access
port can belong to only one VLAN.

Note
When the switchport voice command is used together with the switchport access
command, a pseudo-trunk is created allowing two VLANs on the port, one for voice traffic
and one for all other traffic. The voice traffic is forwarded in 802.1Q tagged frames and the
remaining nonvoice VLAN has no 802.1Q tagging (native VLAN). The internal mini-switch in
a Cisco VoIP phone will pass untagged frames to an attached PC and forward 802.1Q
tagged VoIP traffic with a differentiated services code point (DSCP) quality of service (QoS)
value of EF (or Expedited Forwarding) to the switch port. In this special case, the switch port
can belong to two VLANs, one for data and one for voice traffic.

Using the range Command

Switch(config)# Enables you to set the same

interface range configuration parameters on
fastethernet 0/1 multiple ports at the same time
– 9

Note

Depending on the model of switch,

there is a space before and after the
hyphen in the interface range
command. Be careful with your typing
Switch(config-if- Sets ports 1–9 as access ports
range)#
switchport mode
access

Switch(config-if- Assigns ports 1–9 to VLAN 10

range)#
switchport access
vlan 10

Switch(config-if- Assigns ports 1–9 to include

range)# tagged voice frames in VLAN 11
switchport voice
vlan 11

Dynamic Trunking Protocol (DTP)

Switch(config) Moves to interface configuration

# interface mode
fastethernet
0/1

Switch(config- Makes the interface actively

if)# attempt to convert the link to a
switchport trunk link
mode dynamic
desirable
Note

With the switchport mode dynamic

desirable command set, the interface
becomes a trunk link if the neighboring
interface is set to trunk, desirable, or auto

Switch(config- Makes the interface able to convert

if)# into a trunk link
switchport
mode dynamic
auto Note

With the switchport mode dynamic auto

command set, the interface becomes a trunk
link if the neighboring interface is set to trunk
or desirable

Switch(config- Prevents the interface from

if)# generating DTP frames
switchport
nonegotiate
Note
Use the switchport mode nonegotiate
command only when the interface switchport
mode is access or trunk. You must manually
configure the neighboring interface to
establish a trunk link

Switch(config- Puts the interface into permanent

if)# trunking mode and negotiates to
switchport convert the link into a trunk link
mode trunk

Note

With the switchport mode trunk command

set, the interface becomes a trunk link even if
the neighboring interface is not a trunk link

Note
The default mode is dependent on the platform. For the 2960/9200 series, the default mode
is dynamic auto.

Note
On a 2960/9200 series switch, the default for all ports is to be an access port. However, with
the default DTP mode being dynamic auto, an access port can be converted into a trunk port
if that port receives DTP information from the other side of the link and that other side is set
to trunk or desirable. It is therefore recommended that you hard-code all access ports as
access ports with the switchport mode access command. This way, DTP information will
not inadvertently change an access port to a trunk port. Any port set with the switchport
mode access command ignores any DTP requests to convert the link.
Note
VLAN Trunking Protocol (VTP) domain names must match for a DTP to negotiate a trunk.

Setting the Trunk Encapsulation and Allowed

VLANs
Depending on the series of switch that you are using,
you may have a choice as to what type of trunk
encapsulation you want to use: the Cisco proprietary
Inter-Switch Link (ISL) or IEEE 802.1Q (dot1q).

Caution
Cisco ISL has been deprecated. Depending on the age and model of your Cisco switch, you
may still be able to change the encapsulation type between dot1q and ISL.

Caution
The 2960, 2960-x, and 9200 series of switches support only dot1q trunking. Therefore, some
commands such as switchport trunk encapsulation {isl | dotq1} are not available.

Switch(con Moves to interface configuration mode

fig)#
interface
fastethern
et 0/1
Switch(con Puts the interface into permanent
fig-if)# trunking mode and negotiates to convert
switchport the link into a trunk link
mode trunk

Switch(con Specifies ISL encapsulation on the trunk

fig-if)# link. This command is only available on
switchport switches that support ISL
trunk
encapsulat
ion isl

Switch(con Specifies 802.1Q encapsulation on the

fig-if)# trunk link. This command may not be
switchport required on newer switches
trunk
encapsulat
ion dot1q

Switch(con Specifies that the interface negotiate with

fig-if)# the neighboring interface to become
switchport either an ISL or dot1q trunk, depending
trunk on the capabilities or configuration of the
encapsulat neighboring interface. This command
ion may not be required on newer switches

negotiate
Switch(con Configures the list of VLANs allowed on
fig-if)# the trunk
switchport
trunk
allowed Note

vlan
All VLANs are allowed by default
10,12,18-
22

Switch(con Configures the list of VLANs to add to the

fig-if)# existing VLANs allowed on the trunk
switchport
trunk
allowed
vlan add
44,47-49

Switch(con Configures the list of VLANs to remove

fig-if)# from the existing VLANs allowed on the
switchport trunk
trunk
allowed
vlan Note

remove Do not enter any spaces between comma-separated

44,47-49 VLAN parameters or in hyphen-specified ranges
VLAN Trunking Protocol (VTP)
VTP is a Cisco proprietary protocol that allows for VLAN
configuration (addition, deletion, or renaming of
VLANs) to be consistently maintained across a common
administrative domain.

Swi Changes the switch to VTP client mode

tch
(co
nfi
g)#
vtp
mod
e
cli
ent

Swi Changes the switch to VTP server mode

tch
(co
nfi Note

g)#
By default, all Catalyst switches are in server mode
vtp
mod
e
ser
ver

Swi Changes the switch to VTP transparent mode

tch
(co
nfi
g)#
vtp
mod
e
tra
nsp
are
nt

Swi Returns the switch to the default VTP server mode

tch
(co
nfi
g)#
no
vtp
mod
e

Swi Configures the VTP domain name. The name can

tch be from 1 to 32 characters long and is case
(co sensitive
nfi
g)#
vtp Note

dom All switches operating in VTP server or client mode must have the same
domain name to ensure communication
ain
dom
ain
-
nam
e

Swi Configures a VTP password. In Cisco IOS Software

tch Release 12.3 and later, the password is an ASCII
(co string from 1 to 32 characters long. If you are
nfi using a Cisco IOS Software release earlier than
g)# 12.3, the password length ranges from 8 to 64
vtp characters long

pas
swo
rd Note
To communicate with each other, all switches must have the same VTP
pas password set

swo
rd

Swi Sets the VTP Version to Version 1, Version 2, or

tch Version 3
(co
nfi
g)# Note

vtp VTP versions are not interoperable. All switches must use the same
ver version (with V1 and V2). The biggest difference between Versions 1
and 2 is that Version 2 has support for Token Ring VLANs. Version 3
sio has added new features such as the creation of a VTP primary server,
to prevent the accidental deletion of VLANs that occurred in V1 and V2.
n V3 also supports extended VLANs, private VLANs, Multiple Spanning
Tree Protocol (MSTP), and the ability to be disabled per interface as
num well as globally

ber

Note

VTP Version 3 is compatible with Version 2, but not Version 1

Swi Changes the operation state of a switch from a

tch secondary server (the default state) to a primary
# server and advertises the configuration to the
vtp domain. If the switch password is configured as
pri hidden, you are prompted to reenter the
mar password. This happens only if configured in
y Version 2. This prompt occurs in privileged EXEC
mode but not in global configuration mode

Swi
tch
Note
#
vtp The vtp primary-server [vlan | mst | force] commands are only
available on older model switches. On newer switches running more
pri recent IOS/IOS-XE, use the vtp primary [vlan | mst | force] command
instead
mar
y-
ser
ver

Swi (Optional) Configures the device as the primary

tch VTP server for VLANs
#
vtp
pri
mar
y
vla
n

Swi (Optional) Configures the devices as the primary

tch VTP server for the multiple spanning tree (MST)
# feature
vtp
pri
mar
y
mst

Swi (Optional) Configures the device to not check for

tch conflicting devices when configuring the primary
# server
vtp
pri
mar
y
for
ce

Swi Enables VTP pruning

tch
(co
nfi Note

g)#
By default, VTP pruning is disabled. You need to enable VTP pruning on
vtp only one switch in VTP server mode

pru
nin
g
Note
Only VLANs included in the pruning-eligible list can be pruned. VLANs 2 through 1001 are
pruning eligible by default on trunk ports. Reserved VLANs and extended-range VLANs
cannot be pruned. To change which eligible VLANs can be pruned, use the interface-specific
switchport trunk pruning vlan command:
Click here to view code image

Switch(config-if)# switchport trunk pruning

vlan remove 4,20-30
! Removes VLANs 4 and 20-30
Switch(config-if)# switchport trunk pruning
vlan except 40-50
! All VLANs are added to the pruning list
except for 40-50

Caution
Due to the inherent risk in having VTP servers overwrite each other and cause VLANs to
disappear, Cisco recommends as a best practice deploying VTP in transparent mode. If you
are going to use a client/server model, use Version 3 and the use of a VTPv3 primary server
to prevent accidental database overwrites.

Verifying VTP

Switch# show Displays general information

vtp status about VTP configuration

Switch# show Displays the VTP counters for the

vtp counters switch
Switch# show Displays the VTP passwords
vtp password

Note
If trunking has been established before VTP is set up, VTP information is propagated
throughout the switch fabric almost immediately. However, because VTP information is
advertised only every 300 seconds (5 minutes), unless a change has been made to force an
update, it can take several minutes for VTP information to be propagated.

Verifying VLAN Information

Switch# show Displays VLAN information

vlan

Switch# show Displays VLAN information in brief

vlan brief

Switch# show Displays information of VLAN 2 only

vlan id 2

Switch# show Displays information of VLAN named

vlan name marketing only
marketing
Switch# show Displays trunk ports, trunking modes,
interfaces encapsulation, and native and allowed
trunk VLANs

Switch# show Displays the administrative and

interfaces operational status of trunks,
switchport encapsulation, private VLAN, voice
VLAN, and trunk VLAN pruning

Switch# show Displays the administrative and

interface operational status of a trunking port
fastethernet
0/1 trunk

Saving VLAN Configurations

The stored configurations of VLANs 1 through 1005 are
always saved in the VLAN database; the filename is
vlan.dat and is stored in flash:. After creating or
deleting a VLAN in VLAN configuration mode, the exit
command will apply any new changes to the VLAN
database.

If you are using VTP transparent mode, the

configurations are also saved in the running
configuration, and can be saved to the startup
configuration using the copy running-config
startup-config command.

If the VTP mode is transparent in the startup

configuration, and the VLAN database and the VTP
domain name from the VLAN database matches that in
the startup configuration file, the VLAN database is
ignored (cleared), and the VTP and VLAN
configurations in the startup configuration file are used.
The VLAN database revision number remains
unchanged in the VLAN database.

Erasing VLAN Configurations

Switch# Removes entire VLAN database from flash

delete
flash:vla
n.dat Caution

Make sure that there is no space between the colon (:)

and the characters vlan.dat. You can potentially erase the
entire contents of the flash with this command if the syntax
is not correct. Make sure to read the output from the
switch. If you need to cancel, press Ctrl+C to escape back
to privileged mode:

Switch#

Switch# delete flash:vlan.dat

Delete filename [vlan.dat]?

Delete flash:vlan.dat? [confirm]

Switch#

Switch(co Moves to interface configuration mode

nfig)#
interface
fastether
net 0/5

Switch(co Removes port from VLAN 5 and reassigns

nfig-if)# it to VLAN 1 (the default VLAN)
no
switchpor
t access
vlan 5

Switch(co Moves to global configuration mode

nfig-if)#
exit

Switch(co Removes VLAN 5 from the VLAN

nfig)# no database
vlan 5

Note
When you delete a VLAN from a switch that is in VTP server mode, the VLAN is removed
from the VLAN database for all switches in the VTP domain. When you delete a VLAN from
a switch that is in VTP transparent mode, the VLAN is deleted only on that specific switch.

Note
You cannot delete the default VLANs for the different media types: Ethernet VLAN 1 and
FDDI or Token Ring VLANs 1002 to 1005.

Caution
When you delete a VLAN, any ports assigned to that VLAN become inactive. This “inactive”
state can be seen using the show interfaces switchport command for the port or ports in
question. The ports remain associated with the VLAN (and thus inactive) until you assign
those ports to a defined VLAN. Therefore, it is recommended that you reassign ports to a
new VLAN or the default VLAN before you delete a VLAN from the VLAN database.

Configuration Example: VLANs

Figure 1-1 shows the network topology for the
configuration that follows, which demonstrates how to
configure VLANs using the commands covered in this
chapter.
Figure 1-1 Network Topology for VLAN
Configuration Example

3650 Switch

Switch> enable Moves to privileged EXEC mode

Switch# Moves to global configuration

configure mode
terminal

Switch(config)# Sets the host name

hostname
Switch3650

Switch3650(conf Changes the switch to VTP server

ig)# vtp mode mode. Note that server is the
server default setting for a 3650 switch

Switch3650(conf Configures the VTP domain name

ig)# vtp domain to ENCOR
ENCOR

Switch3650(conf Sets the VTP password to Order66

ig)# vtp
password
Order66

Switch3650(conf Creates VLAN 10 and enters VLAN

ig)# vlan 10 configuration mode

Switch3650(conf Assigns a name to the VLAN

ig-vlan)# name
Admin
Switch3650(conf Increases the revision number by 1
ig-vlan)# exit and returns to global configuration
mode

Switch3650(conf Creates VLAN 20 and enters

ig)# vlan 20 VLAN configuration mode

Switch3650(conf Assigns a name to the VLAN

ig-vlan)# name
Accounting

Switch3650(conf Creates VLAN 30 and enters VLAN

ig-vlan)# vlan configuration mode. You do not
30 have to exit back to global
configuration mode to execute this
command

Note

The VTP revision number would be

incremented because VLAN 20 was created

Switch3650(conf Assigns a name to the VLAN

ig-vlan)# name
Engineering

Switch3650(conf Exiting VLAN configuration mode

ig-vlan)# exit adds VLAN 30 to the VLAN
database, which increases the
revision number by 1, and returns
to global configuration mode

Switch3650(conf Enables you to set the same

ig)# interface configuration parameters on
range multiple ports at the same time
gigabitethernet
1/0/1-8

Switch3650(conf Sets ports 1–8 as access ports

ig-if-range)#
switchport mode
access

Switch3650(conf Assigns ports 1–8 to VLAN 10

ig-if-range)#
switchport
access vlan 10

Switch3650(conf Enables you to set the same

ig-if-range)# configuration parameters on
interface range multiple ports at the same time
gigabitethernet
1/0/9-15

Switch3650(conf Sets ports 9–15 as access ports

ig-if-range)#
switchport mode
access

Switch3650(conf Assigns ports 9–15 to VLAN 20

ig-if-range)#
switchport
access vlan 20

Switch3650(conf Enables you to set the same

ig-if-range)# configuration parameters on
interface range multiple ports at the same time
gigabitethernet
1/0/16-24

Switch3650(conf Sets ports 16–24 as access ports

ig-if-range)#
switchport mode
access
Switch3650(conf Assigns ports 16–24 to VLAN 30
ig-if-range)#
switchport
access vlan 30

Switch3650(conf Returns to global configuration

ig-if-range)# mode
exit

Switch3650(conf Moves to interface configuration

ig)# interface mode. Using this interface will
gigabitethernet require the installation of a Gigabit
1/1/1 Ethernet SFP module in the
appropriate uplink port

Switch3650(conf Puts the interface into permanent

ig-if)# trunking mode and negotiates to
switchport mode convert the link into a trunk link
trunk

Switch3650(conf Returns to global configuration

ig-if)# exit mode

Switch3650(conf Enables VTP Version 3

ig)# vtp
version 3
Switch3650(conf Enables VTP pruning on this
ig)# vtp switch
pruning

Switch3650(conf Returns to privileged EXEC mode

ig)# end

Switch3650# vtp Configures the 3650 to be the VTP

primary vlan primary server
force

Switch3650# Saves the configuration in NVRAM

copy running-
config startup-
config

2960 Switch

Switch> enable Moves to privileged EXEC

mode

Switch# configure Moves to global

terminal configuration mode

Switch(config)# Sets the host name

hostname Switch2960

Switch2960(config)# Changes the switch to VTP

vtp mode client server mode

Switch2960(config)# Configures the VTP domain

vtp domain ENCOR name to ENCOR

Switch2960(config)# Sets the VTP password to

vtp password Order66
Order66

Switch2960(config)# Enables you to set the same

interface range configuration parameters on
fastethernet 0/1 - multiple ports at the same
8 time

Switch2960(config- Sets ports 1–8 as access

if-range)# ports
switchport mode
access
Switch2960(config- Assigns ports 1–8 to VLAN
if-range)# 10
switchport access
vlan 10

Switch2960(config- Enables you to set the same

if-range)# configuration parameters on
interface range multiple ports at the same
fastethernet 0/9 - time
15

Switch2960(config- Sets ports 9–15 as access

if-range)# ports
switchport mode
access

Switch2960(config- Assigns ports 9–15 to VLAN

if-range)# 20
switchport access
vlan 20

Switch2960(config- Enables you to set the same

if-range)# configuration parameters on
interface range multiple ports at the same
time
fastethernet 0/16 -
24

Switch2960(config- Sets ports 16–24 as access

if-range)# ports
switchport mode
access

Switch2960(config- Assigns ports 16–24 to

if-range)# VLAN 30
switchport access
vlan 30

Switch2960(config- Returns to global

if-range)# exit configuration mode

Switch2960(config)# Moves to interface

interface configuration mode
gigabitethernet 0/1

Switch2960(config- Puts the interface into

if)# switchport permanent trunking mode
mode trunk and negotiates to convert the
link into a trunk link
Switch2960(config- Returns to global
if)# exit configuration mode

Switch2960(config)# Enables VTP Version 3 on

vtp version 3 this switch

Switch2960(config)# Enables VTP pruning on this

vtp pruning switch

Switch2960(config)# Returns to privileged EXEC

exit mode

Switch2960# copy Saves the configuration in

running-config NVRAM
startup-config

LAYER 2 LINK AGGREGATION

EtherChannel provides fault-tolerant high-speed links
between switches, routers, and servers. An
EtherChannel consists of individual Fast Ethernet or
Gigabit Ethernet links bundled into a single logical link.
If a link within an EtherChannel fails, traffic previously
carried over that failed link changes to the remaining
links within the EtherChannel.

Interface Modes in EtherChannel

M P Description
o r
d o
e t
o
c
o
l

O N Forces the interface into an EtherChannel without

n o Port Aggregation Protocol (PAgP) or Link
n Aggregation Control Protocol (LACP). Channel
e only exists if connected to another interface group
also in On mode

A P Places the interface into a passive negotiating

u A state (will respond to PAgP packets but will not
t g initiate PAgP negotiation)
o P
(
C
i
s
c
o
)

D P Places the interface into an active negotiating

e A state (will send PAgP packets to start
s g negotiations)
i P
r (
a C
b i
l s
e c
o
)

P L Places the interface into a passive negotiating

a A state (will respond to LACP packets but will not
s C initiate LACP negotiation)
s P
i (
v I
e E
E
E
)
A L Places the interface into an active negotiating
c A state (will send LACP packets to start
t C negotiations)
i P
v (
e I
E
E
E
)

Default EtherChannel Configuration

Feature Default Setting

Channel None assigned

groups

Port- None defined

channel
logical
interface

PAgP mode No default

PAgP learn Aggregate-port learning on all ports
method

PAgP 128 on all ports

priority

LACP mode No default

LACP learn Aggregate-port learning on all ports

method

LACP port 32768 on all ports

priority

LACP 32768
system
priority

LACP LACP system priority and the switch (or

system ID switch stack) MAC address

Load Load distribution on the switch is based

balancing on the source MAC address of the
incoming packet
Guidelines for Configuring EtherChannel

PAgP is Cisco proprietary and not compatible with

LACP

LACP is defined in 802.3ad

The number of supported EtherChannels varies by

switch platform model. For instance, you can create up
to 6 EtherChannels on a Cisco Catalyst 2960 access
layer switch, 48 EtherChannels on a Catalyst 3560 L3
switch, or up to 128 EtherChannels on a Catalyst 3650
switch

A single PAgP EtherChannel can be made by combining

anywhere from two to eight parallel links

A single LACP EtherChannel can be made by

combining up to 16 Ethernet ports of the same type. Up
to eight ports can be active and up to eight ports can be
in standby mode

All ports must be identical:

Same speed and duplex

Cannot mix Fast Ethernet and Gigabit Ethernet

Cannot mix PAgP and LACP in a single

EtherChannel
Can have PAgP and LACP EtherChannels on the
same switch, but each EtherChannel must be
exclusively PAgP or LACP

Must all be VLAN trunk or nontrunk

operational status

All links must be either Layer 2 or Layer 3 in a single

channel group

To create a channel in PAgP, sides must be set to one of

the following:

Auto-Desirable

Desirable-Desirable

To create a channel in LACP, sides must be set to

either:

Active-Active

Active-Passive

To create a channel without using PAgP or LACP, sides

must be set to On-On
Do not configure a GigaStack gigabit interface
converter (GBIC) as part of an EtherChannel

An interface that is already configured to be a Switched

Port Analyzer (SPAN) destination port will not join an
EtherChannel group until SPAN is disabled

Do not configure a secure port as part of an

EtherChannel

When using trunk links, ensure that all trunks are in

the same mode—Inter-Switch Link (ISL) or 802.1Q
(dot1q)

Interfaces with different native VLANs cannot form an

EtherChannel

When a group is first created, all ports follow the

parameters set for the first port to be added to the
group. If you change the configuration of one of the
parameters, you must also make the changes to all
ports in the group:

Allowed-VLAN list

Spanning-tree path cost for each VLAN

Spanning-tree port priority for each VLAN

Spanning-tree PortFast setting

Do not configure a port that is an active or a not-yet-
active member of an EtherChannel as an IEEE 802.1X
port. If you try to enable IEEE 802.1X on an
EtherChannel port, an error message will appear, and
IEEE 802.1X is not enabled

For a Layer 3 EtherChannel, assign the Layer 3 address

to the port-channel logical interface, not the physical
ports in the channel

Configuring Layer 2 EtherChannel

Switch(co Specifies the port-channel interface

nfig)#
interface Once in the interface configuration mode,
port- you can configure additional parameters
channel just like for any other physical interface
{number}

Switch(co Moves to interface range configuration

nfig)# mode
interface
range
fastether
net 0/1 -
4
Switch(co Creates channel group 1 as an
nfig-if- EtherChannel and assigns interfaces
range)# FastEthernet 0/1 to 0/4 as part of it. The
channel- other end of the EtherChannel would
group 1 need to be configured the same way for
mode on the link to work correctly

Switch(co Creates channel group 1 as a PAgP

nfig-if- channel and assigns interfaces 01 to 04 as
range)# part of it. The other end of the
channel- EtherChannel would need to be
group 1 configured either as desirable or auto
mode for the link to work correctly

desirable

Switch(co Creates channel group 1 as an LACP

nfig-if- channel and assigns interfaces 01 to 04 as
range)# part of it. The other end of the
channel- EtherChannel would need to be
group 1 configured either as active or passive
mode for the link to work correctly

active

Note
If you enter the channel-group command in the physical port interface mode without first
setting a port channel command in global configuration mode, the port channel will
automatically be created for you.

Configuring Layer 3 EtherChannel

L3Switch( Creates the port-channel logical interface

config)# and moves to interface configuration
interface mode. Valid channel numbers are 1 to 128
port- for a 3650 series switch. For a 2960 series
channel switch with L3 capabilities, the valid
{number} channel numbers are 1 to 6

L3Switch( Puts the port channel into Layer 3 mode

config-
if)# no
switchpor
t

L3Switch( Assigns the IP address and netmask to the

config- port channel
if)# ip
address
172.16.10
.1
255.255.2
55.0

L3Switch( Moves to global configuration mode

config-
if)# exit

L3Switch( Moves to interface range configuration

config)# mode
interface
range
gigabitet
hernet
1/0/20-24

L3Switch( Puts the interface into Layer 3 mode

config-
if)# no
switchpor
t

L3Switch( Ensures that no IP addresses are assigned

config- on the interfaces
if-
range)#
no ip
address

L3Switch( Creates channel group 1 as an

config- EtherChannel and assigns interfaces 20 to
if- 24 as part of it. The other end of the
range)# EtherChannel would need to be
channel- configured the same way for the link to

group 1 work correctly

mode on

L3Switch( Creates channel group 1 as a PAgP

config- channel and assigns interfaces 20 to 24 as
if- part of it. The other end of the
range)# EtherChannel would need to be
channel- configured either as desirable or auto

group 1 for the link to work correctly

mode
desirable

L3Switch( Creates channel group 1 as an LACP

config- channel and assigns interfaces 20 to 24 as
if- part of it. The other end of the
range)# EtherChannel would need to be
channel- configured either as active or passive
group 1 for the link to work correctly
mode
active
Note

The channel group number must match the port channel

number

Configuring EtherChannel Load Balancing

L3Switch(con Configures an EtherChannel load-

fig)# port- balancing method. The default value
channel varies between different switch models
load-balance
src-mac Select one of the following load-
distribution methods:

dst-ip—Specifies destination host IP

address

dst-mac—Specifies destination host

MAC address of the incoming packet

dst-mixed-ip-port—Specifies
destination host IP address and the
TCP/UDP port

dst-port—Specifies destination
TCP/UDP port

extended—Specifies extended load-

balance methods (combination of
source and destination methods
beyond those available with the
standard command)

ipv6-label—Specifies the IPv6 flow

label

l3-proto—Specifies the Layer 3

protocol

src-dst-ip—Specifies the source and

destination host IP address

src-dst-mac—Specifies the source

and destination host MAC address

src-dst-mixed-ip-port—Specifies
the source and destination host IP
address and TCP/UDP port
src-dst-port—Specifies the source
and destination TCP/UDP port

src-ip—Specifies source host IP

address

src-mac—Specifies source host MAC

address (this is the default setting)

src-mixed-ip-port—Specifies the
source host IP address and the
TCP/UDP port

src-port—Specifies the source

TCP/UDP port

Configuring LACP Hot-Standby Ports

When LACP is enabled, by default the software tries to
configure the maximum number of LACP-compatible
ports in a channel, up to a maximum of 16 ports. Only
eight ports can be active at one time; the remaining
eight links are placed into hot-standby mode. If one of
the active links becomes inactive, a link in hot-standby
mode becomes active in its place.

You can overwrite the default behavior by specifying the

maximum number of active ports in a channel, in which
case the remaining ports become hot-standby ports (if
you specify only 5 active ports in a channel, the
remaining 11 ports become hot-standby ports).

If you specify more than eight links for an EtherChannel

group, the software automatically decides which of the
hot-standby ports to make active based on LACP
priority. For every link that operates in LACP, the
software assigns a unique priority made up of the
following (in priority order):

LACP system priority

System ID (the device MAC address)

LACP port priority

Port number

Note
Lower numbers are better.
Switch( Enters interface configuration mode for port
config) channel 2. The range for port channels is 1 to
# 128
interfa
ce
port-
channel
2

Switch( Specifies the maximum number of LACP

config- ports in the port-channel bundle. The range
if)# is 1 to 8
lacp
max-
bundle
3

Switch( Specifies the minimum number of member

config- ports (in this example, 3) that must be in the
if)# link-up state and bundled in the
port- EtherChannel for the port-channel interface
channel to transition to the link-up state. The range
min- for this command is 2 to 8

links 3
Switch( Returns to global configuration mode
config-
if)#
exit

Switch( Configures the LACP system priority. The

config) range is 1 to 65535. The default is 32768.
# lacp The lower the value, the higher the system
system- priority
priorit
y 32000

Switch( Moves to interface configuration mode

config)
#
interfa
ce
gigabit
etherne
t 1/0/2

Switch( Configures the LACP port priority. The range

config- is 1 to 65535. The default is 32768. The lower
if)# the value, the more likely that the port will
lacp be used for LACP transmission
port-
priorit
y 32000

Switch( Returns to privileged EXEC mode

config-
if)#
end

Monitoring and Verifying EtherChannel

Switch# show running- Displays a list of what is

config currently running on
the device

Switch# show running- Displays interface

config interface fastethernet 0/12
fastethernet 0/12 information

Switch# show interfaces Displays EtherChannel

fastethernet 0/12 information for
etherchannel specified interface

Switch# show Displays all

etherchannel EtherChannel
information

Switch# show Displays port channel

etherchannel 1 port- information
channel

Switch# show Displays a summary of

etherchannel summary EtherChannel
information

Switch# show interface Displays the general

port-channel 1 status of EtherChannel
1

Switch# show lacp Shows LACP neighbor

neighbor information

Switch# show pagp Shows PAgP neighbor

neighbor information

Switch# clear pagp 1 Clears PAgP channel

counters group 1 information

Switch# clear lacp 1 Clears LACP channel

counters group 1 information

Configuration Example: EtherChannel

Figure 1-2 shows the network topology for the
configuration that follows, which demonstrates how to
configure EtherChannel using commands covered in
this chapter.

Figure 1-2 Network Topology for EtherChannel

Configuration

DLSwitch (3650)
Switch> enable Moves to privileged EXEC
mode

Switch# configure Moves to global configuration

terminal mode

Switch(config)# Sets the host name

hostname DLSwitch

DLSwitch(config)# Turns off DNS queries so that

no ip domain- spelling mistakes do not slow
lookup you down

DLSwitch(config)# Changes the switch to VTP

vtp mode server server mode

DLSwitch(config)# Configures the VTP domain

vtp domain name to testdomain
testdomain

DLSwitch(config)# Creates VLAN 10 and enters

vlan 10 VLAN configuration mode

DLSwitch(config- Assigns a name to the VLAN

vlan)# name
Accounting

DLSwitch(config- Returns to global configuration

vlan)# exit mode

DLSwitch(config)# Creates VLAN 20 and enters

vlan 20 VLAN configuration mode

DLSwitch(config- Assigns a name to the VLAN

vlan)# name
Marketing

DLSwitch(config- Returns to global configuration

vlan)# exit mode

DLSwitch(config)# Moves to interface range

interface range configuration mode
gigabitethernet
1/0/1-4

DLSwitch(config- Puts the interface into

if)# switchport permanent trunking mode and
mode trunk negotiates to convert the link
into a trunk link
DLSwitch(config- Returns to global configuration
if)# exit mode

DLSwitch(config)# Moves to interface range

interface range configuration mode
gigabitethernet
1/0/1-2

DLSwitch(config- Creates channel group 1 and

if)# channel- assigns interfaces 01 to 02 as
group 1 mode part of it
desirable

DLSwitch(config- Moves to global configuration

if)# exit mode

DLSwitch(config)# Moves to interface range

interface range configuration mode
gigabitethernet
1/0/3-4

DLSwitch(config- Creates channel group 2 and

if)# channel- assigns interfaces 03 to 04 as
group 2 mode part of it
desirable
DLSwitch(config- Moves to global configuration
if)# exit mode

DLSwitch(config)# Configures load balancing

port-channel based on destination MAC
load-balance dst- address
mac

DLSwitch(config)# Moves to privileged EXEC

exit mode

DLSwitch# copy Saves the configuration to

running-config NVRAM
startup-config

ALSwitch1 (2960)

Switch> enable Moves to privileged EXEC

mode

Switch# configure Moves to global configuration

terminal mode
Switch(config)# Sets host name
hostname
ALSwitch1

ALSwitch1(config) Turns off DNS queries so that

# no ip domain- spelling mistakes do not slow
lookup you down

ALSwitch1(config) Changes the switch to VTP

# vtp mode client client mode

ALSwitch1(config) Configures the VTP domain

# vtp domain name to testdomain
testdomain

ALSwitch1(config) Moves to interface range

# interface range configuration mode
fastethernet 0/5
– 8

ALSwitch1(config- Sets ports 05 to 08 as access

if-range)# ports
switchport mode
access
ALSwitch1(config- Assigns ports to VLAN 10
if-range)#
switchport access
vlan 10

ALSwitch1(config- Moves to global configuration

if-range)# exit mode

ALSwitch1(config) Moves to interface range

# interface range configuration mode
fastethernet 0/9
– 12

ALSwitch1(config- Sets ports 09 to 12 as access

if-range)# ports
switchport mode
access

ALSwitch1(config- Assigns ports to VLAN 20

if-range)#
switchport access
vlan 20

ALSwitch1(config- Moves to global configuration

if-range)# exit mode
ALSwitch1(config) Moves to interface range
# interface range configuration mode
gigabitethernet
0/1 – 2

ALSwitch1(config- Puts the interface into

if-range)# permanent trunking mode and
switchport mode negotiates to convert the link
trunk into a trunk link

ALSwitch1(config- Creates channel group 1 and

if-range)# assigns interfaces 01 to 02 as
channel-group 1 part of it
mode desirable

ALSwitch1(config- Moves to global configuration

if-range)# exit mode

ALSwitch1(config) Moves to privileged EXEC

# exit mode

ALSwitch1# copy Saves the configuration to

running-config NVRAM
startup-config
ALSwitch2 (2960)

Switch> enable Moves to privileged EXEC mode

Switch# Moves to global configuration

configure mode
terminal

Switch(config) Sets host name

# hostname
ALSwitch2

ALSwitch2(conf Turns off DNS queries so that

ig)# no ip spelling mistakes do not slow you
domain-lookup down

ALSwitch2(conf Changes the switch to VTP client

ig)# vtp mode mode
client

ALSwitch2(conf Configures the VTP domain name

ig)# vtp to testdomain
domain
testdomain

ALSwitch2(conf Moves to interface range

ig)# interface configuration mode
range
fastethernet
0/5 – 8

ALSwitch2(conf Sets ports 05 to 08 as access ports

ig-if-range)#
switchport
mode access

ALSwitch2(conf Assigns ports to VLAN 10

ig-if-range)#
switchport
access vlan 10

ALSwitch2(conf Moves to global configuration

ig-if-range)# mode
exit

ALSwitch2(conf Moves to interface range

ig)# interface configuration mode
range
fastethernet
0/9 – 12

ALSwitch2(conf Sets ports 09 to 12 as access ports

ig-if-range)#
switchport
mode access

ALSwitch2(conf Assigns ports to VLAN 20

ig-if-range)#
switchport
access vlan 20

ALSwitch2(conf Moves to global configuration

ig-if-range)# mode
exit

ALSwitch2(conf Moves to interface range

ig)# interface configuration mode
range
gigabitetherne
t 0/1 – 2

ALSwitch2(conf Puts the interface into permanent

ig-if-range)# trunking mode and negotiates to
switchport convert the link into a trunk link
mode trunk

ALSwitch2(conf Creates channel group 2 and

ig-if-range)# assigns interfaces 01 to 02 as part
channel-group of it
2 mode
desirable
Note

Although the local channel group number does

not have to match the channel group number
on a neighboring switch, the numbers are
often chosen to be the same for ease of
management and documentation purposes

ALSwitch2(conf Moves to global configuration

ig-if-range)# mode
exit

ALSwitch2(conf Moves to privileged EXEC mode

ig)# exit

ALSwitch2# Saves the configuration to NVRAM

copy running-
config
startup-config
Chapter 2
Spanning Tree Protocol

This chapter provides information and commands

concerning the following topics:

Spanning Tree Protocol definition

Enabling Spanning Tree Protocol

Changing the spanning-tree mode

Configuring the root switch

Configuring a secondary root switch

Configuring port priority

Configuring the path cost

Configuring the switch priority of a VLAN

Configuring STP timers

Configuring optional spanning-tree features

PortFast

BPDU Guard (2xxx/older 3xxx series)

BPDU Guard (3650/9xxx series)

BPDU Filter

UplinkFast

BackboneFast

Root Guard

Loop Guard

Unidirectional link detection

Configuring and verifying port error conditions

Enabling Rapid Spanning Tree (RSTP)

RSTP link types

Enabling Multiple Spanning Tree (MST)

Verifying the extended system ID

Verifying STP

Troubleshooting Spanning Tree Protocol

Configuration example: PVST+

Spanning Tree migration example: PVST+ to Rapid

PVST+

SPANNING TREE PROTOCOL

DEFINITION
The spanning-tree standards offer the same safety that
routing protocols provide in Layer 3 forwarding
environments to Layer 2 bridging environments. A
single best path to a main bridge is found and
maintained in the Layer 2 domain, and other redundant
paths are managed by selective port blocking.
Appropriate blocked ports begin forwarding when
primary paths to the main bridge are no longer
available.

There are several different spanning-tree modes and

protocols:

Per VLAN Spanning Tree (PVST+): This

spanning-tree mode is based on the IEEE 802.1D
standard and Cisco proprietary extensions. The PVST+
runs on each VLAN on the device up to the maximum
supported, ensuring that each has a loop-free path
through the network. PVST+ provides Layer 2 load
balancing for the VLAN on which it runs. You can
create different logical topologies by using the VLANs
on your network to ensure that all of your links are
used but that no one link is oversubscribed. Each
instance of PVST+ on a VLAN has a single root device.
This root device propagates the spanning-tree
information associated with that VLAN to all other
devices in the network. Because each device has the
same information about the network, this process
ensures that the network topology is maintained.

Rapid PVST+: This spanning-tree mode is the same

as PVST+ except that it uses a rapid convergence based
on the IEEE 802.1w standard. Beginning from Cisco
IOS Release 15.2(4)E, the STP default mode is Rapid
PVST+. To provide rapid convergence, Rapid PVST+
immediately deletes dynamically learned MAC address
entries on a per-port basis upon receiving a topology
change. By contrast, PVST+ uses a short aging time for
dynamically learned MAC address entries. Rapid
PVST+ uses the same configuration as PVST+ and the
device needs only minimal extra configuration. The
benefit of Rapid PVST+ is that you can migrate a large
PVST+ install base to Rapid PVST+ without having to
learn the complexities of the Multiple Spanning Tree
Protocol (MSTP) configuration and without having to
reprovision your network. In Rapid PVST+ mode, each
VLAN runs its own spanning-tree instance up to the
maximum supported.

Multiple Spanning Tree Protocol (MSTP): This

spanning-tree mode is based on the IEEE 802.1s
standard. You can map multiple VLANs to the same
spanning-tree instance, which reduces the number of
spanning-tree instances required to support a large
number of VLANs. MSTP runs on top of the Rapid
Spanning Tree Protocol (RSTP) (based on IEEE
802.1w), which provides for rapid convergence of the
spanning tree by eliminating the forward delay and by
quickly transitioning root ports and designated ports to
the forwarding state. In a device stack, the cross-stack
rapid transition (CSRT) feature performs the same
function as RSTP. You cannot run MSTP without RSTP
or CSRT.

Note
Default spanning-tree implementation for Catalyst 2950, 2960, 3550, 3560, and 3750
switches is PVST+. This is a per-VLAN implementation of 802.1D. Beginning from Cisco
IOS Release 15.2(4)E, the STP default mode is Rapid PVST+ on all switch platforms.

ENABLING SPANNING TREE

PROTOCOL

Switch(config)# spanning- Enables STP on

tree vlan 5 VLAN 5

Switch(config)# no spanning- Disables STP on

tree vlan 5 VLAN 5

Note
Many access switches such as the Catalyst 2960, 3550, 3560, 3650, 9200, and 9300
support a maximum 128 spanning trees using any combination of PVST+ or Rapid PVST+.
The 2950 model supports only 64 instances. Any VLANs created in excess of 128 spanning
trees cannot have a spanning-tree instance running in them. There is a possibility of an L2
loop that could not be broken in the case where a VLAN without spanning tree is transported
across a trunk. It is recommended that you use MSTP if the number of VLANs in a common
topology is high.

Caution
Spanning tree is enabled by default on VLAN 1 and on all newly created VLANs up to the
spanning-tree limit. Disable spanning tree only if you are sure there are no loops in the
network topology. When spanning tree is disabled and loops are present in the topology,
excessive traffic and indefinite packet duplication can drastically reduce network
performance. Networks have been known to crash in seconds due to broadcast storms
created by loops.

CHANGING THE SPANNING-TREE

MODE
You can configure different types of spanning trees on a
Cisco switch. The options vary according to the
platform.

Switch(conf Enables PVST+. This is the default

ig)# setting
spanning-
tree mode
pvst

Switch(conf Enters MST mode

ig)#
spanning-
tree mode
mst

Switch(conf Enters MST subconfiguration mode

ig)#
spanning-
tree mst Note

configurati
Use the command no spanning-tree mst
on configuration to clear the MST configuration

Switch(conf Enables Rapid PVST+

ig)#
spanning-
tree mode
rapid-pvst

Switch# If any port on the device is connected to

clear a port on a legacy IEEE 802.1D device,
spanning- this command restarts the protocol
tree migration process on the entire device
detected-
protocols This step is optional if the designated
device detects that this device is
running Rapid PVST+
CONFIGURING THE ROOT SWITCH

Switch(config Modifies the switch priority from the

)# spanning- default 32768 to a lower value to
tree vlan 5 allow the switch to become the
root primary primary root switch for VLAN 5

Note

This switch sets its priority to 24576. If any other

switch has a priority set to below 24576 already,
this switch sets its own priority to 4096 less than
the lowest switch priority. If by doing this the
switch has a priority of less than 1, this
command fails

Switch(config Configures the switch to become the

)# spanning- root switch for VLAN 5
tree vlan 5
root primary
Note

The maximum switch topology width and the

hello-time can be set within this command
Tip

The root switch should be a backbone or

distribution switch

Switch(config Configures the switch to be the root

)# spanning- switch for VLAN 5 and sets the
tree vlan 5 network diameter to 6
root primary
diameter 6
Tip

The diameter keyword defines the maximum

number of switches between any two end
stations. The range is from 2 to 7 switches. The
default value is 7

Tip

The hello-time keyword sets the hello-interval

timer to any amount between 1 and 10 seconds.
The default time is 2 seconds
CONFIGURING A SECONDARY ROOT
SWITCH

Switch(config)# Configures the switch to

spanning-tree vlan become the root switch for
5 root secondary VLAN 5 should the primary
root switch fail

Note

This switch lowers its priority to

28672. If the root switch fails and all
other switches are set to the default
priority of 32768, this becomes the
new root switch

Switch(config)# Configures the switch to be

spanning-tree vlan the secondary root switch for
5 root secondary VLAN 5 and sets the network
diameter 7 diameter to 7

CONFIGURING PORT PRIORITY

Switch(conf Moves to interface configuration mode
ig)#
interface
gigabitethe
rnet 1/0/1

Switch(conf Configures the port priority for the

ig-if)# interface that is an access port
spanning-
tree port-
priority 64

Switch(conf Configures the VLAN port priority for

ig-if)# an interface that is a trunk port
spanning-
tree vlan 5
port- Note

priority 64 If a loop occurs, spanning tree uses the port priority

when selecting an interface to put into the forwarding
state. Assign a higher priority value (lower numerical
number) to interfaces you want selected first and a
lower priority value (higher numerical number) to
interfaces you want selected last

The number can be between 0 and 240

in increments of 16. The default port
priority is 128
Note
The port priority setting supersedes the physical port number in spanning-tree calculations.

CONFIGURING THE PATH COST

Switc Moves to interface configuration mode

h(con
fig)#
inter
face
gigab
iteth
ernet
1/0/1

Switc Configures the cost for the interface that is an

h(con access port. The range is 1 to 200000000; the
fig- default value is derived from the media speed
if)# of the interface
spann
ing-
tree
cost
10000
0

Switc Configures the VLAN cost for an interface that

h(con is a trunk port. The VLAN number can be
fig- specified as a single VLAN ID number, a range
if)# of VLANs separated by a hyphen, or a series of
spann VLANs separated by a comma. The range is 1 to
ing- 4094. For the cost, the range is 1 to
200000000; the default value is derived from
tree
the media speed of the interface
vlan
5
cost
Note
15000
00 If a loop occurs, STP uses the path cost when trying to determine
which interface to place into the forwarding state. A higher path
cost means a lower-speed transmission

CONFIGURING THE SWITCH PRIORITY

OF A VLAN

Switch(config)# Configures the switch

spanning-tree vlan 5 priority of VLAN 5 to
priority 12288 12288

Note
With the priority keyword, the range is 0 to 61440 in increments of 4096. The default is
32768. The lower the priority, the more likely the switch will be chosen as the root switch.
Only the following numbers can be used as priority values:

0 4096 8192 12288

16384 20480 24576 28672

32768 36864 40960 45056

49152 53248 57344 61440

Caution
Cisco recommends caution when using this command. Cisco further recommends that the
spanning-tree vlan x root primary or the spanning-tree vlan x root secondary command
be used instead to modify the switch priority.

CONFIGURING STP TIMERS

Switch(config)# Changes the hello-delay
spanning-tree vlan 5 timer to 4 seconds on
hello-time 4 VLAN 5

Switch(config)# Changes the forward-

spanning-tree vlan 5 delay timer to 20 seconds
forward-time 20 on VLAN 5

Switch(config)# Changes the maximum-

spanning-tree vlan 5 aging timer to 25 seconds
max-age 25 on VLAN 5

Note
For the hello-time command, the range is 1 to 10 seconds. The default is 2 seconds.
For the forward-time command, the range is 4 to 30 seconds. The default is 15 seconds.

For the max-age command, the range is 6 to 40

seconds. The default is 20 seconds.

CONFIGURING OPTIONAL SPANNING-

TREE FEATURES
Although the following commands are not mandatory
for STP to work, you might find these helpful to fine-
tune your network.

PortFast

Note
By default, PortFast is disabled on all interfaces.

Switch(config)# Moves to interface configuration

interface mode
gigabitethernet
1/0/10

Switch(config- Enables PortFast if the port is

if)# spanning- already configured as an access
tree portfast port

Switch(config- Disables PortFast for the

if)# spanning- interface
tree portfast
disable

Switch(config- Enables the PortFast edge

if)# spanning- feature for the interface
tree portfast
edge

Switch(config- Enables PortFast network for

if)# spanning- the interface
tree portfast
network
Note

Use this command on trunk ports to

enable the Bridge Assurance feature,
which protects against loops by detecting
unidirectional links in the spanning-tree
topology

Note

Bridge Assurance is enabled globally by

default

Switch(config- Enables PortFast on a trunk port

if)# spanning-
tree portfast
trunk Caution
Use the PortFast command only when
connecting a single end station to an
access or trunk port. Using this command
on a port connected to a switch or hub
might prevent spanning tree from
detecting loops

Note

If you enable the voice VLAN feature,

PortFast is enabled automatically. If you
disable voice VLAN, PortFast is still
enabled

Switch(config)# Globally enables PortFast on all

spanning-tree switchports that are
portfast default nontrunking

Note

You can override the spanning-tree

portfast default global configuration
command by using the spanning-tree
portfast disable interface configuration
command

Displays PortFast information

Switch# show on interface GigabitEthernet
spanning-tree 1/0/10
interface
gigabitethernet
1/0/10 portfast

BPDU Guard (2xxx/older 3xxx Series)

Switch(config)# Globally enables BPDU Guard

spanning-tree on ports where portfast is
portfast enabled
bpduguard default

Switch(config)# Enters interface range

interface range configuration mode
fastethernet 0/1
- 5

Switch(config-if- Enables PortFast on all

range)# spanning- interfaces in the range
tree portfast

Note

Best practice is to enable PortFast at the

same time as BPDU Guard
Switch(config-if- Enables BPDU Guard on the
range)# spanning- interface
tree bpduguard
enable
Note

By default, BPDU Guard is disabled

Switch(config- Disables BPDU Guard on the

if)# spanning- interface
tree bpduguard
disable

Switch(config)# Allows port to reenable itself if

errdisable the cause of the error is BPDU
recovery cause Guard by setting a recovery
bpduguard timer

Switch(config)# Sets recovery timer to 400

errdisable seconds. The default is 300
recovery interval seconds. The range is from 30
400 to 86 400 seconds
Switch# show Verifies whether BPDU Guard is
spanning-tree enabled or disabled
summary totals

Switch# show Displays errdisable recovery

errdisable timer information
recovery

BPDU Guard (3650/9xxx Series)

You can enable the BPDU Guard feature if your switch is
running PVST+, Rapid PVST+, or MSTP.

The BPDU Guard feature can be globally enabled on the

switch or can be enabled per port.

When you enable BPDU Guard at the global level on

PortFast-enabled ports, spanning tree shuts down ports
that are in a PortFast-operational state if any BPDU is
received on them. When you enable BPDU Guard at the
interface level on any port without also enabling the
PortFast feature, and the port receives a BPDU, it is put
in the error-disabled state.

Enables BPDU
Switch(config)# spanning- Guard globally
tree portfast bpduguard
default
Note

By default, BPDU
Guard is disabled

Switch(config)# interface Enters into

gigabitethernet 1/0/2 interface
configuration
mode

Switch(config-if)# Enables the

spanning-tree portfast PortFast edge
edge feature

Switch(config-if)# end Returns to

privileged EXEC
mode

BPDU Filter

Switch(config)# Globally enables BPDU

spanning-tree filtering on PortFast-enabled
portfast bpdufilter port; prevents ports in
default PortFast from sending or
receiving BPDUs

Switch(config)# Enters interface range

interface range configuration mode
gigabitethernet
1/0/1-4

Switch(config-if- Enables PortFast on all

range)# spanning- interfaces in the range
tree portfast

Switch(config-if- Enables PortFast on all

range)# spanning- interfaces in the range
tree portfast edge

Note

This is the command for the

3650/9300 series

Switch(config-if- Enables BPDU Filter on all

range)# spanning- interfaces in the range
configured with “PortFast”
tree bpdufilter
enable
Note

By default, BPDU filtering is

disabled. Also, BPDU Guard has no
effect on an interface if BPDU
filtering is enabled

Caution

Enabling BPDU filtering on an

interface, or globally, is the same as
disabling STP, which can result in
spanning-tree loops being created
but not detected

Switch# show Displays global BPDU

spanning-tree filtering configuration
summary totals information

Switch# show Displays detailed spanning-

spanning-tree tree interface status and
interface configuration information of
[interface-type, the specified interface
interface-number]
detail
UplinkFast

Switch(config) Enables UplinkFast. UplinkFast

# spanning- provides fast convergence after a
tree direct link failure
uplinkfast

Switch(config) Enables UplinkFast and sets the

# spanning- update packet rate to 200
tree packets/second
uplinkfast
max-update-
rate 200 Note

UplinkFast cannot be set on an individual

VLAN. The spanning-tree uplinkfast
command affects all VLANs

Note

For the max-update-rate argument, the range

is 0 to 32,000 packets/second. The default is
150. If you set the rate to 0, station-learning
frames are not generated. This will cause STP
to converge more slowly after a loss of
connectivity
Switch# show Verifies whether UplinkFast has
spanning-tree been enabled
summary

Switch# show Displays spanning-tree UplinkFast

spanning-tree status, which includes maximum
uplinkfast update packet rate and
participating interfaces

Note
UplinkFast cannot be enabled on VLANs that have been configured for switch priority.

Note
UplinkFast is most useful in access layer switches, or switches at the edge of the network. It
is not appropriate for backbone devices.

Note
You can configure the UplinkFast feature for Rapid PVST+ or for the MSTP, but the feature
remains disabled (inactive) until you change the spanning-tree mode to PVST+.

BackboneFast
Switch(co Enables BackboneFast. BackboneFast is
nfig)# initiated when a root port or blocked port
spanning- receives an inferior BPDU from its
tree designated bridge
backbonef
ast

Switch# Verifies BackboneFast has been enabled

show
spanning-
tree
summary

Switch# Displays spanning-tree BackboneFast

show status, which includes the number of root
spanning- link query protocol data units (PDUs)
tree sent/received and number of
backbonef BackboneFast transitions
ast

Note
You can configure the BackboneFast feature for Rapid PVST+ or for the MSTP, but the
feature remains disabled (inactive) until you change the spanning-tree mode to PVST+.
Note
If you use BackboneFast, you must enable it on all switches in the network.

Root Guard
You can use Root Guard to limit which switch can
become the root bridge. Root Guard should be enabled
on all ports where the root bridge is not anticipated,
such as access ports.

Switch(conf Moves to interface configuration mode

ig)#
interface
gigabitethe
rnet 1/0/1

Switch(conf Enables Root Guard on the interface

ig-if)#
spanning-
tree guard
root

Switch# Indicates whether any ports are in a

show root-inconsistent state
spanning-
tree
inconsisten
tports

Switch# Displays the status and configuration of

show the root bridge
spanning-
tree root
Note

The show spanning-tree root command output

includes root ID for all VLANs, the associated root
costs, timer settings, and root ports

Switch# Displays detailed spanning-tree state

show and configuration for each VLAN on the
spanning- switch, including bridge and root IDs,
tree timers, root costs, and forwarding status

Note
You cannot enable both Root Guard and Loop Guard at the same time.

Note
Root Guard enabled on an interface applies to all VLANs to which the interface belongs.
Note
Do not enable Root Guard on interfaces to be used by the UplinkFast feature.

Loop Guard
Loop Guard is used to prevent alternate or root ports
from becoming designated ports due to a failure that
leads to a unidirectional link. Loop Guard operates only
on interfaces that are considered point to point by the
spanning tree. Spanning tree determines a port to be
point to point or shared from the port duplex setting.
You can use Loop Guard to prevent alternate or root
ports from becoming designated ports because of a
failure that leads to a unidirectional link. This feature is
most effective when it is enabled on the entire switched
network. When Loop Guard is enabled, spanning tree
does not send BPDUs on root or alternate ports.

Note
Both the port duplex and the spanning-tree link type can be set manually.

Note
You cannot enable both Loop Guard and Root Guard on the same port. The Loop Guard
feature is most effective when it is configured on the entire switched network.
Switch# show Shows which ports are alternate or
spanning-tree root ports
active

Switch# show Shows which ports are alternate or

spanning-tree root ports when the switch is
mst operating in MST mode

Switch# Moves to global configuration mode

configure
terminal

Switch(config) Enables Loop Guard globally on the

# spanning- switch for those interfaces that the
tree loopguard spanning tree identifies as point to
default point

Switch(config) Moves to interface configuration

# interface mode
gigabitetherne
t 1/0/1

Switch(config- Enables Loop Guard on all the

if)# spanning- VLANs associated with the selected
interface
tree guard
loop

Switch(config- Returns to privileged EXEC mode

if)# exit

Switch# show Verifies whether Loop Guard has

spanning-tree been enabled
summary

Switch# show Display spanning-tree link type. A

spanning-tree link type of “point to point” is
interface required for Loop Guard
detail

Unidirectional Link Detection

Switch(conf Enables unidirectional link detection

ig)# udld (UDLD) on all fiber-optic interfaces to
enable determine the Layer 1 status of the link

Note
By default, UDLD is disabled

Switch(conf Enables UDLD aggressive mode on all

ig)# udld fiber-optic interfaces
aggressive

Switch(conf Moves to interface configuration mode

ig)#
interface
gigabitethe
rnet 1/0/1

Switch(conf Enables UDLD on this interface

ig-if)# (required for copper-based interfaces)
udld port in normal or aggressive mode
[aggressive
]
Note

On a fiber-optic (FO) interface, the interface command

udld port overrides the global command udld enable.
Therefore, if you issue the command no udld port on
an FO interface, you will still have the globally enabled
udld enable command to deal with

Switch# Displays UDLD information

show udld

Switch# Displays UDLD information for

show udld interface Gigabit Ethernet 1/0/1
interface

gigabitethe
rnet 1/0/1

Switch# Resets all interfaces shut down by

udld reset UDLD

Note

You can also use the shutdown command, followed

by a no shutdown command in interface configuration
mode, to restart a disabled interface

CONFIGURING AND VERIFYING PORT

ERROR CONDITIONS
A port is “error-disabled” when the switch detects any
one of a number of port violations. No traffic is sent or
received when the port is in error-disabled state. The
show errdisable detect command displays a list for
the possible error-disabled reasons and whether
enabled.

The errdisable detect cause command allows the

network device administrator to enable or disable
detection of individual error-disabled causes. All causes
are enabled by default. All causes, except for per-VLAN
error disabling, are configured to shut down the entire
port.

The errdisable recovery command enables the

network device administrator to configure automatic
recovery mechanism variables. This would allow the
switch port to again send and receive traffic after a
configured period of time if the initial error condition is
no longer present. All recovery mechanisms are disabled
by default.

Switch(config)# Enables error detection for all

errdisable error-disabled causes
detect cause all

Switch(config)# Enables per-VLAN error-disable

errdisable for BPDU Guard
detect cause
bpduguard
shutdown vlan

Switch(config)# Enables error detection for

errdisable DHCP snooping
detect cause
dhcp-rate-limit

Switch(config)# Enables error detection for

errdisable Dynamic Trunk Protocol (DTP)
detect cause flapping
dtp-flap

Switch(config)# Enables error detection for

errdisable invalid Gigabit Interface
detect cause Converter (GBIC) module.
gbic-invalid

Note

You can also use the shutdown

command, followed by a no shutdown
command in interface configuration mode,
to restart a disabled interface. This error
refers to an invalid small form-factor
pluggable (SFP) module on the switch
Switch(config)# Enables error detection for inline
errdisable power
detect cause
inline-power

Switch(config)# Enables error detection for link-

errdisable state flapping
detect cause
link-flap

Switch(config)# Enables error detection for

errdisable detected loopbacks
detect cause
loopback

Switch(config)# Enables error detection for the

errdisable Port Aggregation Protocol
detect cause (PAgP) flap error-disabled cause
pagp-flap

Switch(config)# Enables voice-aware 802.1X

errdisable security
detect cause
security-
violation
shutdown vlan
Switch(config)# Enables error detection on an
errdisable SFP configuration mismatch
detect cause
sfp-config-
mismatch

Switch(config)# Configures errdisable recovery

errdisable timer to 3600 seconds
recovery
interval 3600
Note

The same interval is applied to all causes.

The range is 30 to 86,400 seconds. The
default interval is 300 seconds

Switch(config)# Enables the error-disabled

errdisable mechanism to recover from
recovery cause specific cause parameter.
parameter Parameters are shown below

Switch(config)# Enables the timer to recover

errdisable from all error-disabled causes
recovery cause
all
Switch(config)# Enables the timer to recover
errdisable from BPDU Guard error-disabled
recovery cause state
bpduguard

Switch(config)# Enable the timer to recover from

errdisable the EtherChannel
recovery cause misconfiguration error-disabled
channel- state
misconfig

Switch(config)# Enables the timer to recover

errdisable from the DHCP snooping error-
recovery cause disabled state
dhcp-rate-limit

Switch(config)# Enables the timer to recover

errdisable from the DTP-flap error-disabled
recovery cause state
dtp-flap

Switch(config)# Enables the timer to recover

errdisable from the GBIC module error-
recovery cause disabled state
gbic-invalid
Note

This error refers to an invalid SFP error-

disabled state

Switch(config)# Enables the timer to recover for

errdisable inline power
recovery cause
inline-power

Switch(config)# Enables the timer to recover

errdisable from the link-flap error-disabled
recovery cause state
link-flap

Switch(config)# Enables the timer to recover

errdisable from a loopback error-disabled
recovery cause state
loopback

Switch(config)# Enables the timer to recover

errdisable from the PAgP-flap error-
recovery cause disabled state
pagp-flap
Switch(config)# Enables the timer to recover
errdisable from a port security violation
recovery cause disabled state
psecure-
violation

Switch(config)# Enables the timer to recover

errdisable from an IEEE 802.1X-violation
recovery cause disabled state
security-
violation

Switch(config)# Enables the timer to recover

errdisable from an SFP configuration
recovery cause mismatch
sfp-mismatch

Switch# show Displays error-disabled detection

errdisable status
detect

Switch# show Display begins with the line that

errdisable matches the expression
detect | begin
expression
Note
expression is the output to use as a
reference point

Switch# show Display excludes lines that match

errdisable the expression
detect | exclude
expression

Switch# show Display includes lines that match

errdisable the expression
detect | include
expression

Switch# show Displays the error-disabled

errdisable recovery timer status
recovery information

Switch# show Display begins with the line that

errdisable matches the expression
recovery | begin
expression

Switch# show Display excludes lines that match

errdisable the expression
recovery |
exclude
expression

Switch# show Display includes lines that match

errdisable the expression
recovery |
include
expression

ENABLING RAPID SPANNING TREE

Switch(config) Enables Rapid PVST+

# spanning-
tree mode
rapid-pvst

Switch# clear Restarts the protocol migration

spanning-tree process. With no arguments, the
detected- command is applied to every port
protocols of the switch

Switch# clear Restarts the protocol migration

spanning-tree process on interface
detected- GigabitEthernet 1/0/1
protocols
interface
gigabitetherne
t 1/0/1

Switch# clear Restarts the protocol migration

spanning-tree process on interface port-channel 1
detected-
protocols
port-channel 1

Switch# show Displays mode, root and bridge

spanning-tree IDs, participating ports, and their
spanning-tree states

Switch# show Summarizes configured port states,

spanning-tree including spanning-tree mode
summary

Switch# show Displays a detailed summary of

spanning-tree spanning-tree interface
detail information, including mode,
priority, system ID, MAC address,
timers, and role in the spanning
tree for each VLAN and port

RAPID SPANNING TREE LINK TYPES

The link type in RSTP can predetermine the active role
that the port plays as it stands by for immediate
transition to a forwarding state, if certain parameters
are met. These parameters are different for edge ports
and non-edge ports. An edge port is a switch port that is
never intended to be connected to another switch
device. It immediately transitions to the forwarding
state when enabled—similar to an STP port with the
PortFast featured enabled. However, an edge port that
receives a BPDU immediately loses its edge port status
and becomes a normal spanning-tree port. Non-edge
ports are ports that are intended to be connected to
another switch device. Link type is automatically
determined but can be overwritten with an explicit port
configuration. There are two different link types for
non-edge ports, as shown in Table 2-1.

Lin Description
k
Ty
pe

Poi A port operating in full-duplex mode. It is assumed

nt- that the port is connected to a single switch device
to- at the other end of the link
poi
nt

Sha A port operating in half-duplex mode. It is

red assumed that the port is connected to shared
media where multiple switches may exist

TABLE 2-1 RSTP Non-Edge Link Types

Switch(config)# Enables Rapid PVST+

spanning-tree
mode rapid-pvst

Switch(config)# Moves to interface

configuration mode
interface
gigabitethernet
1/0/1

Switch(config- Sets the link type based on the

if)# duplex setting of the interface

spanning-tree link-
type auto

Switch(config- Specifies that the interface is a

if)# point-to-point link

spanning-tree link-
type point-to-point

Switch(config- Specifies that the interface is a

if)# shared medium

spanning-tree link-
type shared

Switch(config- Returns to global configuration

if)# mode
exit

ENABLING MULTIPLE SPANNING

TREE

Switch(config) Enters MST mode

# spanning-
tree mode mst

Switch(config) Enters MST configuration submode

# spanning-
tree mst
configuration

Switch(config- Maps VLAN 4 to Multiple Spanning

mst)# instance Tree (MST) instance 1
1 vlan 4

Switch(config- Maps VLANs 1–15 to MST instance

mst)# instance 1
1 vlan 1-15

Switch(config- Maps VLANs 10, 20, and 30 to

mst)# instance MST instance 1
1 vlan
10,20,30
Note

For the instance x vlan y command, the

instance must be a number between 1 and 15,
and the VLAN range is 1 to 4094

Switch(config- Specifies the name for the MST

mst)# name region. The default is an empty
region12 string

Note

The name argument can be up to 32

characters long and is case sensitive

Switch(config- Specifies the revision number

mst)# revision
4
Note

The range for the revision argument is 0 to

65,535
Note

For two or more bridges to be in the same

MST region, they must have the identical MST
name, VLAN-to-instance mapping, and MST
revision number

Switch(config- Displays the summary of what is

mst)# show currently configured for the MST
current region

Switch(config- Verifies the configuration by

mst)# show displaying a summary of what you
pending have configured for the MST region

Switch(config- Applies all changes and returns to

mst)# exit global configuration mode

Switch(config) Sets the bridge priority for the

# spanning- spanning tree to 4096. The priority
tree mst 1 can be a number from 0–61440 in
priority 4096 increments of 4096

Caution
Changing spanning-tree modes can disrupt
traffic because all spanning-tree instances are
stopped for the old mode and restarted in the
new mode

Note

You cannot run both MSTP and PVST at the

same time

Switch(config) Configures a switch as a primary

# spanning- root switch within MST instance 1.
tree mst 1 The primary root switch priority is
root primary 24,576

Switch(config) Configures a switch as a secondary

# spanning- root switch within MST instance 1.
tree mst 1 The secondary root switch priority
root secondary is 28,672

Switch(config- Configures an interface with a port

if)# spanning- priority of 0 for MST instance 20
tree mst 20

Note
port-priority The priority range is 0 to 240 in increments of
0 16, where the lower the number, the higher the
priority. The default is 128. The range and
increment values are platform and IOS version
dependent

Switch(config- Sets the path cost to 250 for MST

if)# spanning- instance 2 calculations. Path cost is
tree mst 2 1 to 200,000,000, with higher
cost 250 values meaning higher costs

Switch(config- Returns to privileged EXEC mode

if)# end

VERIFYING THE EXTENDED SYSTEM

Switch# show Verifies that the extended system ID is

spanning- enabled
tree summary

Switch# show Displays the extended system ID as

spanning- part of the bridge ID
tree bridge

Note

The 12-bit extended system ID is the VLAN number

for the instance of PVST+ and PVRST+ spanning
tree. In MST, these 12 bits carry the instance
number

VERIFYING STP

Switch# show Displays STP information

spanning-tree

Switch# show Displays STP information on

spanning-tree active interfaces only
active

Switch# show Displays status and

spanning-tree configuration of this bridge
bridge

Switch# show Displays a detailed summary of

spanning-tree interface information
detail

Switch# show Displays STP information for

spanning-tree interface gigabitethernet 1/0/1
interface
gigabitethernet
1/0/1

Switch# show Displays a summary of port

spanning-tree states
summary

Switch# show Displays the total lines of the

spanning-tree STP section
summary totals

Switch# show Displays STP information for

spanning-tree VLAN 5
vlan 5

Switch# show Displays the MST region

spanning-tree configuration
mst
configuration
Switch# show Displays the message digest 5
spanning-tree (MD5) authentication digest
mst included in the current MST
configuration configuration identifier (MSTCI)
digest

Switch# show Displays the MST information

spanning-tree for instance 1
mst 1

Switch# show Displays the MST information

spanning-tree for interface GigabitEthernet
mst interface 1/0/1
gigabitethernet
1/0/1

Switch# show Displays the MST information

spanning-tree for instance 1 on interface
mst 1 interface GigabitEthernet 1/0/1
gigabitethernet
1/0/1

Switch# show Shows detailed information

spanning-tree about MST instance 1
mst 1 detail
TROUBLESHOOTING SPANNING TREE
PROTOCOL

Switch# debug Displays all spanning-tree

spanning-tree all debugging events

Switch# debug Displays spanning-tree

spanning-tree events debugging topology events

Switch# debug Displays spanning-tree

spanning-tree debugging BackboneFast
backbonefast events

Switch# debug Displays spanning-tree

spanning-tree debugging UplinkFast
uplinkfast events

Switch# debug Displays all MST debugging

spanning-tree mstp events
all

Switch# debug Displays spanning-tree port

spanning-tree switch state changes
state

Switch# debug Displays PVST+ events

spanning-tree pvst+

CONFIGURATION EXAMPLE: PVST+

Figure 2-1 shows the network topology for the
configuration of PVST+ using commands covered in this
chapter. Assume that other commands needed for
connectivity have already been configured. For example,
all inter-switch links in this topology are configured as
802.1Q trunks.
Figure 2-1 Network Topology for STP Configuration
Example

Core Switch (3650)

Switch> enable Moves to privileged EXEC mode

Switch# Moves to global configuration
configure mode
terminal

Switch(config)# Sets the host name

hostname Core

Core(config)# no Turns off Domain Name System

ip domain-lookup (DNS) queries so that spelling
mistakes do not slow you down

Core(config)# Changes the switch to VTP server

vtp mode server mode. This is the default mode

Core(config)# Configures the VTP domain

vtp domain name to STPDEMO
STPDEMO

Core(config)# Creates VLAN 10 and enters

vlan 10 VLAN configuration mode

Core(config- Assigns a name to the VLAN

vlan)# name
Accounting
Core(config- Returns to global configuration
vlan)# exit mode

Core(config)# Creates VLAN 20 and enters

vlan 20 VLAN configuration mode

Core(config- Assigns a name to the VLAN

vlan)# name
Marketing

Core(config- Returns to global configuration

vlan)# exit mode

Core(config)# Configures the switch to become

spanning-tree the root switch for VLAN 1
vlan 1 root
primary

Core(config)# Returns to privileged EXEC

exit mode

Core# copy Saves the configuration to

running-config NVRAM
startup-config
Distribution 1 Switch (3650)

Switch> enable Moves to privileged EXEC

mode

Switch# configure Moves to global

terminal configuration mode

Switch(config)# Sets the host name

hostname
Distribution1

Distribution1(config) Turns off DNS queries so

# no ip domain-lookup that spelling mistakes do
not slow you down

Distribution1(config) Configures the VTP

# vtp domain STPDEMO domain name to
STPDEMO

Distribution1(config) Changes the switch to

# vtp mode client VTP client mode
Distribution1(config) Configures the switch to
# spanning-tree vlan become the root switch of
10 root primary VLAN 10

Distribution1(config) Configures the switch to

# spanning-tree vlan become the secondary
10 root secondary root switch of VLAN 20

Distribution1(config) Returns to privileged

# exit EXEC mode

Distribution1# copy Saves the configuration to

running-config NVRAM
startup-config

Distribution 2 Switch (3650)

Switch>enable Moves to privileged

EXEC mode

Switch# configure Moves to global

terminal configuration mode
Switch(config)# Sets the host name
hostname
Distribution2

Distribution2(config) Turns off DNS queries so

# no ip domain-lookup that spelling mistakes do
not slow you down

Distribution2(config) Configures the VTP

# vtp domain STPDEMO domain name to
STPDEMO

Distribution2(config) Changes the switch to

# vtp mode client VTP client mode

Distribution2(config) Configures the switch to

# spanning-tree vlan become the root switch of
20 root primary VLAN 20

Distribution2(config) Configures the switch to

# spanning-tree vlan become the secondary
10 root secondary root switch of VLAN 10

Distribution2(config) Returns to privileged

# exit EXEC mode
Distribution2# copy Saves the configuration to
running-config NVRAM
startup-config

Access 1 Switch (2960)

Switch> enable Moves to privileged EXEC

mode

Switch# configure Moves to global

terminal configuration mode

Switch(config)# Sets the host name

hostname Access1

Access1(config)# no Turns off DNS queries so

ip domain-lookup that spelling mistakes do
not slow you down

Access1(config)# vtp Configures the VTP

domain STPDEMO domain name to
STPDEMO
Access1(config)# vtp Changes the switch to VTP
mode client client mode

Access1(config)# Moves to interface range

interface range configuration mode
fastethernet 0/6 - 12

Access1(config-if- Places all interfaces in

range)# switchport switchport access mode
mode access

Access1(config-if- Assigns all interfaces to

range)# switchport VLAN 10
access vlan 10

Access1(config-if- Places all ports directly

range)# spanning-tree into forwarding mode
portfast

Access1(config-if- Enables BPDU Guard

range)# spanning-tree
bpduguard enable

Access1(config-if- Moves back to privileged

range)# end EXEC mode
Access1# copy Saves the configuration to
running-config NVRAM
startup-config

Access 2 Switch (2960)

Switch> enable Moves to privileged EXEC

mode

Switch# configure Moves to global

terminal configuration mode

Switch(config)# Sets the host name

hostname Access2

Access2(config)# no Turns off DNS queries so

ip domain-lookup that spelling mistakes do
not slow you down

Access2(config)# vtp Configures the VTP

domain STPDEMO domain name to
STPDEMO
Access2(config)# vtp Changes the switch to
mode client VTP client mode

Access2(config)# Moves to interface range

interface range configuration mode
fastethernet 0/6 - 12

Access2(config-if- Places all interfaces in

range)# switchport switchport access mode
mode access

Access2(config-if- Assigns all interfaces to

range)# switchport VLAN 20
access vlan 20

Access2(config-if- Places all ports directly

range)# spanning-tree into forwarding mode
portfast

Access2(config-if- Enables BPDU Guard

range)# spanning-tree
bpduguard enable

Access2(config-if- Moves back to global

range)# exit configuration mode
Access2(config)# Ensures this switch does
spanning-tree vlan not become the root
1,10,20 priority switch for VLAN 10
61440

Access2(config)# exit Returns to privileged

EXEC mode

Access2# copy Saves config to NVRAM

running-config
startup-config

SPANNING-TREE MIGRATION
EXAMPLE: PVST+ TO RAPID-PVST+
The topology in Figure 2-1 is used for this migration
example and adds to the configuration of the previous
example.

Rapid-PVST+ uses the same BPDU format as 802.1D.

This interoperability between the two spanning-tree
protocols enables a longer conversion time in large
networks without disrupting services.
The spanning-tree features UplinkFast and
BackboneFast in 802.1D-based PVST+ are already
incorporated in the 802.1w-based Rapid-PVST+ and are
disabled when you enable Rapid-PVST+. The 802.1D-
based features of PVST+ such as PortFast, BPDU Guard,
BPDU Filter, Root Guard, and Loop Guard are
applicable in Rapid-PVST+ mode and need not be
changed.

Access 1 Switch (2960)

Access1> enable Moves to privileged

EXEC mode

Access1# configure Moves to global

terminal configuration mode

Access1 (config)# Enables 802.1w-based

spanning-tree mode Rapid-PVST+
rapid-pvst

Access1(config)# no Removes UplinkFast

spanning-tree programming line if it
uplinkfast exists
Access1(config)# no Removes BackboneFast
spanning-tree programming line if it
backbonefast exists

Access 2 Switch (2960)

Access2> enable Moves to privileged

EXEC mode

Access2# configure Moves to global

terminal configuration mode

Access2(config)# Enables 802.1w-

spanning-tree mode rapid- based Rapid-PVST+
pvst

Distribution 1 Switch (3650)

Distribution1> enable Moves to

privileged EXEC
mode
Distribution1# configure Moves to global
terminal configuration
mode

Distribution1(config)# Enables 802.1w-

spanning-tree mode rapid- based Rapid-
pvst PVST+

Distribution 2 Switch (3650)

Distribution2> enable Moves to

privileged EXEC
mode

Distribution2# configure Moves to global

terminal configuration
mode

Distribution2(config)# Enables 802.1w-

spanning-tree mode rapid- based Rapid-
pvst PVST+
Core Switch (3650)

Core> enable Moves to privileged

EXEC mode

Core# configure terminal Moves to global

configuration mode

Core(config)# spanning- Enables 802.1w-

tree mode rapid-pvst based Rapid-PVST+
Chapter 3
Implementing Inter-VLAN
Routing

This chapter provides information and commands

concerning the following topics:

Inter-VLAN communication using an external router:

router-on-a-stick

Inter-VLAN communication tips

Inter-VLAN communication on a multilayer switch

through an SVI

Configuring inter-VLAN communication on an

L3 switch

Removing L2 switchport capability of an interface on

an L3 switch

Configuration example: inter-VLAN communication

Configuration example: IPv6 inter-VLAN

communication
INTER-VLAN COMMUNICATION USING
AN EXTERNAL ROUTER: ROUTER-ON-
A-STICK

Router(config)# Moves to interface configuration

interface mode
fastethernet 0/0

Router(config- Enables the interface

if)# no shutdown

Router(config- Creates subinterface 0/0.1 and

if)# interface moves to subinterface
fastethernet configuration mode
0/0.1

Router(config- (Optional) Sets the locally

subif)# significant description of the
description subinterface
Management VLAN
1
Note

Best practices dictate that VLAN 1 should

not be used for management or native
traffic. Also, consider using separate
VLANs for management and native traffic
Router(config- Assigns VLAN 1 to this
subif)# subinterface. VLAN 1 will be the
encapsulation native VLAN. This subinterface
dot1q 1 native uses the 802.1q tagging protocol

Router(config- Assigns the IP address and

subif)# ip netmask
address
192.168.1.1
255.255.255.0

Router(config- Creates subinterface 0/0.10 and

subif)# moves to subinterface
interface configuration mode
fastethernet
0/0.10

Router(config- (Optional) Sets the locally

subif)# significant description of the
description subinterface
Accounting VLAN
10
Router(config- Assigns VLAN 10 to this
subif)# subinterface. This subinterface
encapsulation uses the 802.1q tagging protocol
dot1q 10

Router(config- Assigns the IP address and

subif)# ip netmask
address
192.168.10.1
255.255.255.0

Router(config- Returns to interface

subif)# end configuration mode

Note
Because the VLAN networks are directly connected to the router, routing between these
networks does not require a dynamic routing protocol. However, if the router is configured
with a dynamic routing protocol, then these networks should be advertised or redistributed to
other routers.

Note
Routes to the networks associated with these VLANs appear in the routing table as directly
connected networks.

Note
In production environments, VLAN 1 should not be used as the management VLAN because
it poses a potential security risk; all ports are in VLAN 1 by default, and it is an easy mistake
to add a nonmanagement user to the management VLAN.

Note
Instead of creating a subinterface for the native VLAN (VLAN 1 in the preceding example), it
is possible to use the physical interface for native (untagged) traffic. In other words, the
physical interface (FastEthernet0/0) would get IP address 192.168.1.1 255.255.255 and it
would handle all VLAN 1 native untagged traffic. You would still create a subinterface for
VLAN 10 as previously described.

INTER-VLAN COMMUNICATION TIPS

Although most older routers (routers running IOS 12.2

and earlier) support both ISL and dot1q, some switch
models support only dot1q, such as the 2960, 2960-x,
3650, and 9200 series. Check with the version of IOS
you are using to determine whether ISL or dot1q is
supported.

ISL will probably not be an option, as it has

been deprecated for quite some time.

If you need to use ISL as your trunking protocol,

use the command encapsulation isl x, where
x is the number of the VLAN to be assigned to
that subinterface.

Recommended best practice is to use the same number

as the VLAN number for the subinterface number. It is
easier to troubleshoot VLAN 10 on subinterface
fa0/0.10 than on fa0/0.2.

INTER-VLAN COMMUNICATION ON A
MULTILAYER SWITCH THROUGH A
SWITCH VIRTUAL INTERFACE

Note
Rather than using an external router to provide inter-VLAN communication, a multilayer
switch can perform the same task through the use of a switched virtual interface (SVI).

Configuring Inter-VLAN Communication on an L3

Switch

Switch9300(config)# Creates a virtual interface

interface vlan 1 for VLAN 1 and enters
interface configuration
mode

Switch9300(config- Assigns an IP address and

if)# ip address netmask
172.16.1.1
255.255.255.0

Switch9300(config- Enables the interface

if)# no shutdown

Switch9300(config)# Creates a virtual interface

interface vlan 10 for VLAN 10 and enters
interface configuration
mode

Switch9300(config- Assigns an IP address and

if)# ip address netmask
172.16.10.1
255.255.255.0

Switch9300(config- Enables the interface

if)# no shutdown

Switch9300(config)# Creates a virtual interface

interface vlan 20 for VLAN 20 and enters
interface configuration
mode

Switch9300(config- Assigns an IP address and

if)# ip address netmask
172.16.20.1
255.255.255.0

Enables the interface

Switch9300(config-
if)# no shutdown

Switch9300(config- Returns to global

if)# exit configuration mode

Switch9300(config)# Enables routing on the

ip routing switch

Note
For an SVI to go to up/up and be added to the routing table, the VLAN for the SVI must be
created, an IP address must be assigned, and at least one interface must support it (trunk or
access).

Removing L2 Switchport Capability of an Interface

on an L3 Switch

Switch9300(config)# Moves to interface

interface configuration mode
gigabitethernet 0/1

Switch9300(config- Creates a Layer 3 port on

if)# no switchport the switch
Note

You can use the no switchport

command on physical ports
only on a Layer 3-capable
switch

CONFIGURATION EXAMPLE: INTER-

VLAN COMMUNICATION
Figure 3-1 illustrates the network topology for the
configuration that follows, which shows how to
configure inter-VLAN communication using commands
covered in this chapter. Some commands used in this
configuration are from other chapters.
Figure 3-1 Network Topology for Inter-VLAN
Communication Configuration

ISP Router

Router> enable Moves to privileged

EXEC mode
Router># configure Moves to global
terminal configuration mode

Router(config)# Sets the host name

hostname ISP

ISP(config)# interface Moves to interface

loopback 0 configuration mode

ISP(config-if)# Sets the locally

description simulated significant interface
address representing description
remote website

ISP(config-if)# ip Assigns an IP address

address 198.133.219.1 and netmask
255.255.255.0

ISP(config-if)# Moves to interface

interface serial 0/0/0 configuration mode

ISP(config-if)# Sets the locally

description WAN link significant interface
description
to the Corporate
Router

ISP(config-if)# ip Assigns an IP address

address 192.31.7.5 and netmask
255.255.255.252

ISP(config-if)# clock Assigns a clock rate to

rate 4000000 the interface; DCE cable
is plugged into this
interface

ISP(config-if)# no Enables the interface

shutdown

ISP(config-if)# exit Returns to global

configuration mode

ISP(config-if)# router Creates Enhanced

eigrp 10 Interior Gateway
Routing Protocol
(EIGRP) routing process
10

ISP(config-router)# Advertises directly

network 198.133.219.0 connected networks
0.0.0.255

ISP(config-router)# Advertises directly

network 192.31.7.0 connected networks
0.0.0.255

ISP(config-router)# Returns to privileged

end EXEC mode

ISP# copy running- Saves the configuration

config startup-config to NVRAM

CORP Router

Router> enable Moves to privileged EXEC

mode

Router># Moves to global configuration

configure mode
terminal

Router(config)# Sets the host name

hostname CORP
CORP(config)# no Turns off Domain Name
ip domain-lookup System (DNS) resolution to
avoid wait time due to DNS
lookup of spelling errors

CORP(config)# Moves to interface

interface serial configuration mode
0/0/0

CORP(config-if)# Sets the locally significant

description link interface description
to ISP

CORP(config-if)# Assigns an IP address and

ip address netmask
192.31.7.6
255.255.255.252

CORP(config-if)# Enables the interface

no shutdown

CORP(config)# Moves to interface

interface configuration mode
fastethernet 0/1
CORP(config-if)# Sets the locally significant
description link interface description
to L3Switch1

CORP(config-if)# Assigns an IP address and

ip address netmask
172.31.1.5
255.255.255.252

CORP(config-if)# Enables the interface

no shutdown

CORP(config-if)# Returns to global configuration

exit mode

CORP(config)# Enters interface configuration

interface mode
fastethernet 0/0

CORP(config-if)# Enables the interface

no shutdown

CORP(config-if)# Creates a virtual subinterface

interface and moves to subinterface
configuration mode
fastethernet
0/0.1

CORP(config- Sets the locally significant

subif)# interface description
description
Management VLAN 1
- Native VLAN

CORP(config- Assigns VLAN 1 to this

subif)# subinterface. VLAN 1 is the
encapsulation native VLAN. This subinterface
dot1q 1 native uses the 802.1q protocol

CORP(config- Assigns an IP address and

subif)# ip netmask
address
192.168.1.1
255.255.255.0

CORP(config- Creates a virtual subinterface

subif)# interface and moves to subinterface
fastethernet configuration mode
0/0.10
CORP(config- Sets the locally significant
subif)# interface description
description Sales
VLAN 10

CORP(config- Assigns VLAN 10 to this

subif)# subinterface. This subinterface
encapsulation uses the 802.1q protocol
dot1q 10

CORP(config- Assigns an IP address and

subif)# ip netmask
address
192.168.10.1
255.255.255.0

CORP(config- Creates a virtual subinterface

subif)# interface and moves to subinterface
fastethernet configuration mode
0/0.20

CORP(config- Sets the locally significant

subif)# interface description
description
Engineering VLAN
20

CORP(config- Assigns VLAN 20 to this

subif)# subinterface. This subinterface
encapsulation uses the 802.1q protocol
dot1q 20

CORP(config- Assigns an IP address and

subif)# ip netmask
address
192.168.20.1
255.255.255.0

CORP(config- Creates a virtual subinterface

subif)# interface and moves to subinterface
fastethernet configuration mode
0/0.30

CORP(config- Sets the locally significant

subif)# interface description
description
Marketing VLAN 30

CORP(config- Assigns VLAN 30 to this

subif)# subinterface. This subinterface
encapsulation uses the 802.1q protocol
dot1q 30

CORP(config- Assigns an IP address and

subif)# ip add netmask
192.168.30.1
255.255.255.0

CORP(config- Returns to global configuration

subif)# exit mode

CORP(config)# Creates EIGRP routing process

router eigrp 10 10 and moves to router
configuration mode

CORP(config- Advertises the 192.168.1.0

router)# network network
192.168.1.0
0.0.0.255

CORP(config- Advertises the 192.168.10.0

router)# network network
192.168.10.0
0.0.0.255
CORP(config- Advertises the 192.168.20.0
router)# network network
192.168.20.0
0.0.0.255

CORP(config- Advertises the 192.168.30.0

router)# network network
192.168.30.0
0.0.0.255

CORP(config- Advertises the 172.31.0.0

router)# network network
172.31.0.0
0.0.255.255

CORP(config- Advertises the 192.31.7.0

router)# network network
192.31.7.0
0.0.0.3

CORP(config- Returns to privileged EXEC

router)# end mode

CORP# copy Saves the configuration in

running-config NVRAM
startup-config

L2Switch2 (Catalyst 2960)

Switch> enable Moves to privileged EXEC mode

Switch# Moves to global configuration

configure mode
terminal

Switch(config) Sets the host name

# hostname
L2Switch2

L2Switch2(conf Turns off DNS resolution

ig)# no ip
domain-lookup

L2Switch2(conf Creates VLAN 10 and enters VLAN

ig)# vlan 10 configuration mode

L2Switch2(conf Assigns a name to the VLAN

ig-vlan)# name
Sales

L2Switch2(conf Returns to global configuration

ig-vlan)# exit mode

L2Switch2(conf Creates VLAN 20 and enters VLAN

ig)# vlan 20 configuration mode

L2Switch2(conf Assigns a name to the VLAN

ig-vlan)# name
Engineering

L2Switch2(conf Creates VLAN 30 and enters VLAN

ig-vlan)# vlan configuration mode. Note that you
30 do not have to exit back to global
configuration mode to execute this
command

L2Switch2(conf Assigns a name to the VLAN

ig-vlan)# name
Marketing

L2Switch2(conf Returns to global configuration

ig-vlan)# exit mode
L2Switch2(conf Enters interface range
ig)# interface configuration mode and allows you
range to set the same configuration
fastethernet parameters on multiple ports at the
0/2 - 4 same time

L2Switch2(conf Sets ports 2–4 as access ports

ig-if-range)#
switchport
mode access

L2Switch2(conf Assigns ports 2–4 to VLAN 10

ig-if-range)#
switchport
access vlan 10

L2Switch2(conf Enters interface range

ig-if-range)# configuration mode and allows you
interface to set the same configuration
range parameters on multiple ports at the
fastethernet same time
0/5 - 8

L2Switch2(conf Sets ports 5–8 as access ports

ig-if-range)#
switchport
mode access

L2Switch2(conf Assigns ports 5–8 to VLAN 20

ig-if-range)#
switchport
access vlan 20

L2Switch2(conf Enters interface range

ig-if-range)# configuration mode and allows you
interface to set the same configuration
range parameters on multiple ports at the
fastethernet same time

0/9 - 12

L2Switch2(conf Sets ports 9–12 as access ports

ig-if-range)#
switchport
mode access

L2Switch2(conf Assigns ports 9–12 to VLAN 30

ig-if-range)#
switchport
access vlan 30
L2Switch2(conf Returns to global configuration
ig-if-range)# mode
exit

L2Switch2(conf Moves to interface configuration

ig)# interface mode
fastethernet
0/1

L2Switch2(conf Sets the locally significant interface

ig)# description
description
Trunk Link to
CORP Router

L2Switch2(conf Puts the interface into trunking

ig-if)# mode and negotiates to convert the
switchport link into a trunk link
mode trunk

L2Switch2(conf Returns to global configuration

ig-if)# exit mode

L2Switch2(conf Creates a virtual interface for

ig)# interface VLAN 1 and enters interface
vlan 1 configuration mode

L2Switch2(conf Assigns an IP address and netmask

ig-if)# ip
address
192.168.1.2
255.255.255.0

L2Switch2(conf Enables the interface

ig-if)# no
shutdown

L2Switch2(conf Returns to global configuration

ig-if)# exit mode

L2Switch2(conf Assigns a default gateway address

ig)# ip
default-
gateway
192.168.1.1

L2Switch2(conf Returns to privileged EXEC mode

ig)# exit

L2Switch2# Saves the configuration in NVRAM

copy running-
config
startup-config

L3Switch1 (Catalyst 3650)

Switch> enable Moves to privileged EXEC

mode

Switch# configure Moves to global configuration

terminal mode

Switch(config)# Sets the host name

hostname
L3Switch1

L3Switch1(config) Turns off DNS queries so that

# no ip domain- spelling mistakes do not slow
lookup you down

L3Switch1(config) Changes the switch to VTP

# vtp mode server server mode
L3Switch1(config) Configures the VTP domain
# vtp domain name to testdomain
testdomain

L3Switch1(config) Creates VLAN 10 and enters

# vlan 10 VLAN configuration mode

L3Switch1(config- Assigns a name to the VLAN

vlan)# name
Accounting

L3Switch1(config- Returns to global configuration

vlan)# exit mode

L3Switch1(config) Creates VLAN 20 and enters

# vlan 20 VLAN configuration mode

L3Switch1(config- Assigns a name to the VLAN

vlan)# name
Marketing

L3Switch1(config- Returns to global configuration

vlan)# exit mode

L3Switch1(config) Moves to interface

# interface configuration mode
gigabitethernet
1/0/1

L3Switch1(config- Specifies 802.1Q tagging on the

if)# switchport trunk link (only necessary on
trunk older model switches like the
encapsulation 3560 and 3750)
dot1q

L3Switch1(config- Puts the interface into trunking

if)# switchport mode and negotiates to convert
mode trunk the link into a trunk link

L3Switch1(config- Returns to global configuration

if)# exit mode

L3Switch1(config) Enables IP routing on this

# ip routing device

L3Switch1(config) Creates a virtual interface for

# interface vlan VLAN 1 and enters interface
1 configuration mode

L3Switch1(config- Assigns an IP address and

if)# ip address netmask
172.16.1.1
255.255.255.0

L3Switch1(config- Enables the interface

if)# no shutdown

L3Switch1(config- Creates a virtual interface for

if)# interface VLAN 10 and enters interface
vlan 10 configuration mode

L3Switch1(config- Assigns an IP address and mask

if)# ip address
172.16.10.1
255.255.255.0

L3Switch1(config- Enables the interface

if)# no shutdown

L3Switch1(config- Creates a virtual interface for

if)# interface VLAN 20 and enters interface
vlan 20 configuration mode

L3Switch1(config- Assigns an IP address and mask

if)# ip address
172.16.20.1
255.255.255.0

L3Switch1(config- Enables the interface

if)# no shutdown

L3Switch1(config- Returns to global configuration

if)# exit mode

L3Switch1(config) Enters interface configuration

# interface mode
gigabitethernet
1/0/24

L3Switch1(config- Creates a Layer 3 port on the

if)# no switch
switchport

L3Switch1(config- Assigns an IP address and

if)# ip address netmask
172.31.1.6
255.255.255.252

L3Switch1(config- Returns to global configuration

if)# exit mode
L3Switch1(config) Creates EIGRP routing process
# router eigrp 10 10 and moves to router
configuration mode

L3Switch1(config- Advertises the 172.16.0.0

router)# network network
172.16.0.0
0.0.255.255

L3Switch1(config- Advertises the 172.31.0.0

router)# network network
172.31.0.0
0.0.255.255

L3Switch1(config- Applies changes and returns to

router)# end privileged EXEC mode

L3Switch1# copy Saves configuration in NVRAM

running-config
startup-config

L2Switch1 (Catalyst 2960)

Switch> enable Moves to privileged EXEC mode

Switch# Moves to global configuration

configure mode
terminal

Switch(config)# Sets the host name

hostname
L2Switch1

L2Switch1(confi Turns off DNS queries so that

g)# no ip spelling mistakes do not slow you
domain-lookup down

L2Switch1(confi Configures the VTP domain name

g)# vtp domain to testdomain
testdomain

L2Switch1(confi Changes the switch to VTP client

g)# vtp mode mode
client

L2Switch1(confi Enters interface range

g)# interface configuration mode and allows
range you to set the same configuration
fastethernet parameters on multiple ports at
0/1 - 4 the same time

L2Switch1(confi Sets ports 1–4 as access ports

g-if-range)#
switchport mode
access

L2Switch1(confi Assigns ports 1–4 to VLAN 10

g-if-range)#
switchport
access vlan 10

L2Switch1(confi Enters interface range

g-if-range)# configuration mode and allows
interface range you to set the same configuration
fastethernet parameters on multiple ports at
0/5 - 8 the same time

L2Switch1(confi Sets ports 5–8 as access ports

g-if-range)#
switchport mode
access

L2Switch1(confi Assigns ports 5–8 to VLAN 20

g-if-range)#
switchport
access vlan 20

L2Switch1(confi Returns to global configuration

g-if-range)# mode
exit

L2Switch1(confi Moves to interface configuration

g)# interface mode
gigabitethernet
0/1

L2Switch1(confi Puts the interface into trunking

g-if)# mode and negotiates to convert
switchport mode the link into a trunk link
trunk

L2Switch1(confi Returns to global configuration

g-if)# exit mode

L2Switch1(confi Creates a virtual interface for

g)# interface VLAN 1 and enters interface
vlan 1 configuration mode
L2Switch1(confi Assigns an IP address and
g-if)# ip netmask
address
172.16.1.2
255.255.255.0

L2Switch1(confi Enables the interface

g-if)# no
shutdown

L2Switch1(confi Returns to global configuration

g-if)# exit mode

L2Switch1(confi Assigns the default gateway

g)# ip default- address
gateway
172.16.1.1

L2Switch1(confi Returns to privileged EXEC mode

g)# exit

L2Switch1# copy Saves the configuration in

running-config NVRAM
startup-config
CONFIGURATION EXAMPLE: IPV6
INTER-VLAN COMMUNICATION
Figure 3-2 shows the network topology for the
configuration that follows, which demonstrates how to
configure IPv6 inter-VLAN communication using
commands covered in this chapter. Some commands
used in this configuration are from previous chapters.
Figure 3-2 Network Topology for IPv6 Inter-VLAN
Communication Configuration

Note
This configuration uses traditional OSPFv3 for routing. For more information on OSPFv3,
see Chapter 5, “OSPF.”

ISP Router

Router(config)# Sets the hostname

hostname ISP

ISP(config)# ipv6 Enables IPv6 routing

unicast-routing

ISP(config)# Enters interface configuration

interface loopback mode
0

ISP(config-if)# Assigns an IPv6 address

ipv6 address
2001:db8:0:a::1/64

ISP(config-if)# Enters interface configuration

interface serial mode
0/0/0

ISP(config-if)# Assigns a clock rate to the

clock rate 4000000 interface; DCE cable is
plugged into this interface

ISP(config-if)# Assigns an IPv6 address

ipv6 address
2001:db8:0:8::1/64

ISP(config-if)# no Turns on this interface

shutdown

ISP(config-if)# Exits into global configuration

exit mode

ISP(config)# ipv6 Creates a default static route

route ::/0 serial to return traffic from the
0/0/0 Internet

Note

A dynamic routing protocol can also

be used here
ISP(config)# end Returns to privileged EXEC
mode

CORP Router

Router(config)# Sets the hostname

hostname CORP

CORP(config)# ipv6 Enables global IPv6

unicast-routing forwarding

CORP(config)# ipv6 Enters OSPFv3 programming

router ospf 1 mode

CORP(config-rtr)# Assigns a router ID for the

router-id OSPFv3 process
192.168.1.1

CORP(config-rtr)# Adds any default routing

default- information to the OSPFv3
information updates
originate
CORP(config-rtr)# Exits to global configuration
exit mode

CORP(config)# Enters subinterface

interface programming mode
gigabitethernet
0/0.1

CORP(config- Assigns 802.1Q as the

subif)# trunking protocol and
encapsulation associates VLAN 1 to this
dot1q 1 native subinterface

CORP(config- Assigns an IPv6 address

subif)# ipv6
address
2001:db8:0:2::1/64

CORP(config- Specifies this as an interface

subif)# ipv6 ospf that will participate in
1 area 0 OSPFv3

CORP(config- Enters subinterface

subif)# interface programming mode
gigabitethernet
0/0.30

CORP(config- Assigns 802.1Q as the

subif)# trunking protocol and
encapsulation associates VLAN 30 to this
dot1q 30 subinterface

CORP(config- Assigns an IPv6 address

subif)# ipv6
address
2001:db8:0:30::1/6
4

CORP(config- Specifies this as an interface

subif)# ipv6 ospf that will participate in
1 area 0 OSPFv3

CORP(config- Enters subinterface

subif)# interface programming mode
gigabitethernet
0/0.40

CORP(config- Assigns 802.1Q as the

subif)# trunking protocol and
encapsulation associates VLAN 40 to this
dot1q 40 subinterface

CORP(config- Assigns an IPv6 address

subif)# ipv6
address
2001:db8:0:40::1/6
4

CORP(config- Specifies this as an interface

subif)# ipv6 ospf that will participate in
1 area 0 OSPFv3

CORP(config- Enters subinterface

subif)# interface programming mode
gigabitethernet
0/0.50

CORP(config- Assigns 802.1Q as the

subif)# trunking protocol and
encapsulation associates VLAN 50 to this
dot1q 50 subinterface

CORP(config- Assigns an IPv6 address

subif)# ipv6
address
2001:db8:0:50::1/6
4

CORP(config- Specifies this as an interface

subif)# ipv6 ospf that will participate in
1 area 0 OSPFv3

CORP(config- Enters interface programming

subif)# interface mode
gigabitethernet
0/1

CORP(config-if)# Assigns an IPv6 address

ipv6 address
2001:db8:0:7::2/64

CORP(config-if)# Specifies this as an interface

ipv6 ospf 1 area 0 that will participate in
OSPFv3

CORP(config-if)# Enters interface programming

interface mode
gigabitethernet
0/0
CORP(config-if)# Turns this interface on
no shutdown

CORP(config-if)# Enters interface programming

interface serial mode
0/0/0

CORP(config-if)# Assigns an IPv6 address

ipv6 address
2001:db8:0:8::2/64

CORP(config-if)# Turns this interface on

no shutdown

CORP(config-if)# Exits to global configuration

exit programming mode

CORP(config)# ipv6 Creates a default static route

route ::/0 serial pointing to the ISP
0/0/0

CORP(config)# end Returns to privileged EXEC

mode
L2Switch2 (Catalyst 2960)

Switch(config) Sets the hostname

# hostname
L2Switch2

L2Switch2(conf Configures the Switching Database

ig)# sdm Manager (SDM) on the switch to
prefer dual- optimize memory and operating
ipv4-and-ipv6 system for both IPv4 and IPv6
default Layer 3 forwarding

Note

If this is a change in the SDM settings, the

switch must be reloaded for this change to
take effect

L2Switch2(conf Creates VLANs 30, 40, and 50

ig)# vlan
30,40,50

L2Switch2(conf Exits VLAN configuration mode

ig-vlan)# exit
L2Switch2(conf Enters switchport interface
ig)# interface configuration mode
fastethernet
0/5

L2Switch2(conf Sets this port to trunk

ig-if)# unconditionally
switchport
mode trunk

L2Sw2(config- Enters switchport configuration

if)# interface mode for a range of switch ports
range
fastethernet
0/12 - 14

L2Switch2(conf Sets these ports to be access ports

ig-if-range)#
switchport
mode access

L2Switch2(conf Assigns these ports to VLAN 30

ig-if-range)#
switchport
access vlan 30
L2Switch2(conf Enters switchport configuration
ig-if-range)# mode for a range of switch ports
interface
range
fastethernet
0/15 - 18

L2Switch2(conf Sets these ports to be access ports

ig-if-range)#
switchport
mode access

L2Switch2(conf Assigns these ports to VLAN 20

ig-if-range)#
switchport
access vlan 40

L2Switch2(conf Enters switchport configuration

ig-if-range)# mode for a range of switchports
interface
range
fastethernet
0/19 - 22

L2Switch2(conf Sets these ports to be access ports

ig-if-range)#
switchport
mode access

L2Switch2(conf Assigns these ports to VLAN 50

ig-if-range)#
switchport
access vlan 50

L2Switch2(conf Enters interface configuration

ig-if-range)# mode for the management VLAN
interface
vlan1

L2Switch2(conf Assigns an IPv6 address

ig-if)# ipv6
address
2001:db8:0:2::
/64

L2Switch2(conf Turns this interface on

ig-if)# no
shutdown

L2Switch2(conf Exits to global configuration mode

ig-if)# exit

L2Switch2(conf Assigns a default gateway

ig)# ipv6
route ::/0
2001:db8:0:2::
1

L2Switch2(conf Returns to privileged EXEC mode

ig)# end

L3Switch1 (Catalyst 3650)

Switch(config)# Sets the hostname

hostname L3Switch1

L3Switch1(config)# Enables IPv6 forwarding

ipv6 unicast-routing

L3Switch1(config)# Creates VLANs 10 and

vlan 10,20 20

L3Switch1(config- Exits VLAN

vlan)# exit configuration mode

L3Switch1(config)# Enters interface

interface configuration mode
gigabitethernet 1/0/1

L3Switch1(config-if)# Sets this port to trunk

switchport mode trunk unconditionally

L3Switch1(config-if)# Enters OSPFv3

ipv6 router ospf 1 configuration mode

L3Switch1(config-rtr)# Assigns the OSPFv3

router-id 192.168.1.2 router ID

L3Switch1(config-rtr)# Exits to global

exit configuration mode

L3Switch1(config)# Enters switchport

interface interface configuration
gigabitethernet 1/0/24 mode

L3Switch1(config-if)# Changes this Layer 2

no switchport switch port to a Layer 3
routed port
L3Switch1(config-if)# Assigns an IPv6 address
ipv6 address
2001:db8:0:7::1/64

L3Switch1(config-if)# Specifies this as an

ipv6 ospf 1 area 0 interface that will
participate in OSPFv3

L3Switch1(config-if)# Enters interface

interface vlan1 configuration mode for
VLAN 1

L3Switch1(config-if)# Assigns an IPv6 address

ipv6 address
2001:db8:0:1::1/64

L3Switch1(config-if)# Specifies this as an

ipv6 ospf 1 area 0 interface that will
participate in OSPFv3

L3Switch1(config-if)# Enters interface

interface vlan10 configuration mode for
VLAN 10

L3Switch1(config-if)# Assigns an IPv6 address

ipv6 address
2001:db8:0:10::1/64

L3Switch1(config-if)# Specifies this as an

ipv6 ospf 1 area 0 interface that will
participate in OSPFv3

L3Switch1(config-if)# Enters interface

interface vlan20 configuration mode for
VLAN 20

L3Switch1(config-if)# Assigns an IPv6 address

ipv6 address
2001:db8:0:20::1/64

L3Switch1(config-if)# Specifies this as an

ipv6 ospf 1 area 0 interface that will
participate in OSPFv3

L3Switch1(config-if)# Returns to privileged

end EXEC mode

L2Switch1 (Catalyst 2960)

Switch(config)# Sets the hostname
hostname
L2Switch1

L2Switch1(confi Configures the Switching

g)# sdm prefer Database Manager on the switch
dual-ipv4-and- to optimize memory and operating
ipv6 default system for both IPv4 and IPv6
Layer 3 forwarding

L2Switch1(confi Creates VLANs 10 and 20

g)# vlan 10,20

L2Switch1(confi Exits VLAN configuration mode

g-vlan)# exit

L2Switch1(confi Enters switchport interface

g)# interface configuration mode
gigabitethernet
0/1

L2Switch1(confi Sets this port to trunk

g-if)# unconditionally
switchport mode
trunk
L2Switch1(confi Enters switchport configuration
g-if)# mode for a range of switch ports
interface range
fastethernet
0/12 - 14

L2Switch1(confi Sets these ports to be access ports

g-if-range)#
switchport mode
access

L2Switch1(confi Assigns these ports to VLAN 10

g-if-range)#
switchport
access vlan 10

L2Switch1(confi Enters switchport configuration

g-if-range)# mode for a range of switch ports
interface range
fastethernet
0/15 - 18

L2Switch1(confi Sets these ports to be access ports

g-if-range)#
switchport mode
access

L2Switch1(confi Assigns these ports to VLAN 20

g-if-range)#
switchport
access vlan 20

L2Switch1(confi Moves to interface configuration

g-if-range)# mode
interface vlan1

L2Switch1(confi Assigns an IPv6 address

g-if)# ipv6
address
2001:0:0:4::2/6
4

L2Switch1(confi Returns to global configuration

g-if)# exit mode

L2Switch1(confi Assigns a default gateway

g)# ipv6 route
::/0
2001:db8:0:1::1
L2Switch1(confi Returns to privileged EXEC mode
g)# end
Part II: Layer 3 Infrastructure
Chapter 4
EIGRP

This chapter provides information and commands

concerning the following topics:

Enhanced Interior Gateway Routing Protocol (EIGRP)

Enabling EIGRP for IPv4 using classic mode

configuration

Enabling EIGRP for IPv6 using classic mode

configuration

EIGRP using named mode configuration

EIGRP named mode subconfiguration modes

Upgrading classic mode to named mode configuration

EIGRP router ID

Authentication for EIGRP

Configuring authentication in classic mode

Configuring authentication in named mode

Verifying and troubleshooting EIGRP
authentication

Auto-summarization for EIGRP

IPv4 manual summarization for EIGRP

IPv6 manual summarization for EIGRP

Timers for EIGRP

Passive interfaces for EIGRP

“Pseudo” passive EIGRP interfaces

Injecting a default route into EIGRP

Redistribution of a static route

IP default network

Summarize to 0.0.0.0/0

Accepting exterior routing information: default-

information

Equal-cost load balancing: maximum-paths

Unequal-cost load balancing: variance

EIGRP Traffic Sharing

Bandwidth use for EIGRP

Stub routing for EIGRP

EIGRP unicast neighbors

EIGRP Wide Metrics

Adjusting the EIGRP metric weights

Verifying EIGRP

Troubleshooting EIGRP

Configuration example: EIGRP for IPv4 and IPv6 using

named mode

ENHANCED INTERIOR GATEWAY

ROUTING PROTOCOL (EIGRP)
The Enhanced Interior Gateway Routing Protocol
(EIGRP) is an enhanced version of the Interior Gateway
Routing Protocol (IGRP) developed by Cisco. The
convergence properties and the operating efficiency of
EIGRP have improved substantially over IGRP, and
IGRP is now obsolete.

The convergence technology of EIGRP is based on an

algorithm called the Diffusing Update Algorithm
(DUAL). The algorithm guarantees loop-free operation
at every instant throughout a route computation and
allows all devices involved in a topology change to
synchronize. Devices that are not affected by topology
changes are not involved in recomputations.
ENABLING EIGRP FOR IPV4 USING
CLASSIC MODE CONFIGURATION
Classic mode is the original way of configuring EIGRP.
In classic mode, EIGRP configurations are scattered
across the router and the interface configuration modes.

Route Turns on the EIGRP process. 100 is the

r(con autonomous system (AS) number, which can be
fig)# a number between 1 and 65,535
route
r
eigrp Note

100 All routers must use the same AS number to communicate with
each other

Route Specifies which network to advertise in EIGRP

r(con
fig-
route
r)#
netwo
rk
10.0.
0.0
Route Identifies which interfaces or networks to
r(con include in EIGRP. Interfaces must be
fig- configured with addresses that fall within the
route wildcard mask range of the network statement.
r)# It is possible to enter a subnet mask instead of a
netwo wildcard mask; Cisco IOS is intelligent enough
to recognize the difference and correct the error
rk
for you. The running configuration will only
10.0.
display wildcard masks
0.0
0.255
.255.
255

Route Sets the bandwidth of this interface to 256

r(con kilobits to allow EIGRP to make a better metric
fig- calculation. Value ranges from 1–10 000 000
if)#
bandw
idth Note

256 This command is entered at the interface command prompt (config-

if) and not at the router process prompt (config-router). The setting
can differ for each interface to which it is applied

Tip
The bandwidth command is used for metric calculations only. It
does not change interface performance

Route Changes which neighbors will be displayed

r(con
fig-
route
r)#
eigrp
log-
neigh
bor-
chang
es

Route Configures the logging intervals of EIGRP

r(con neighbor warning messages to 300 seconds.
fig- The default is 10 seconds
route
r)#
eigrp
log-
neigh
bor-
warni
ngs
300

Route Removes the network from the EIGRP process

r(con
fig-
route
r)#
no

netwo
rk
10.0.
0.0
0.255
.255.
255

Route Disables routing process 100 and removes the

r(con entire EIGRP configuration from the running
fig)# configuration
no
route
r
eigrp
100
Tip
There is no limit to the number of network statements (that is, network commands) that you
can configure on a router.

Tip
The use of a wildcard mask or network mask is optional. Wildcard masks should be used
when advertising subnetted networks.

Tip
If you do not use the wildcard mask, the EIGRP process assumes that all directly connected
networks that are part of the overall major network will participate in the EIGRP process and
that EIGRP will attempt to establish neighbor relationships from each interface that is part of
that Class A, B, or C major network.

Tip
If you use the network 172.16.1.0 0.0.0.255 command with a wildcard mask, the command
specifies that only interfaces on the 172.16.1.0/24 subnet will participate in EIGRP. EIGRP
automatically summarizes routes on the major network boundary when in a discontiguous IP
address network topology when the auto-summary command is enabled.

Tip
Since Cisco IOS Software Release 15.0, EIGRP no longer automatically summarizes
networks at the classful boundary by default.

ENABLING EIGRP FOR IPV6 USING

CLASSIC MODE CONFIGURATION
No linkage exists between EIGRP for IPv4 and EIGRP
for IPv6; the two are configured and managed
separately. However, the commands for configuration of
EIGRP for IPv4 and IPv6 using classic mode are similar,
making the transition easy.

Router(conf Enables the forwarding of IPv6 unicast

ig)# ipv6 datagrams globally on the router. This
unicast- command is required before any IPv6
routing routing protocol can be configured

Router(conf Moves to interface configuration mode

ig)#
interface
gigabitethe
rnet 0/0/0

Router(conf Enables EIGRP for IPv6 on the

ig-if)# interface and creates the IPv6 EIGRP
ipv6 eigrp process
100

Router(conf Enters router configuration mode and

ig-if)# creates an EIGRP IPv6 routing process
if it does not already exist
ipv6 router
eigrp 100

Router(conf Creates the EIGRP IPv6 process and

ig)# ipv6 enters router configuration mode
router
eigrp 100

Router(conf Enables the use of a fixed router ID

ig-rtr)#
eigrp
router-id
10.1.1.1

Router(conf Enables the EIGRP routing process.

ig-rtr)# no This is only necessary on older routing
shutdown platforms

Note

It is possible to temporarily disable the EIGRP

process using the shutdown command
Note
The eigrp router-id w.x.y.z command is typically used when an IPv4 address is not defined
on the router or when manual defining is desired.

EIGRP USING NAMED MODE

CONFIGURATION
Named mode is the new way of configuring EIGRP; this
mode allows EIGRP configurations to be entered in a
hierarchical manner under the router configuration
mode. Each named mode configuration can have
multiple address families and autonomous system
number combinations. The two most commonly used
address families are IPv4 unicast and IPv6 unicast.
Multicast for both IPv4 and IPv6 is also supported. The
default address families for both IPv4 and IPv6 are
unicast.

Router(config)# Creates a named EIGRP virtual

router eigrp TEST instance called TEST

Note

The name of the virtual instance is

locally significant only
Note

The name does not need to match

between neighbor routers

Note

This command defines a single EIGRP

instance that can be used for all
address families. At least one address
family must be defined

Router(config- Enables the IPv4 address

router)# address- family and starts EIGRP
family ipv4 autonomous system 1. By
autonomous-system default, this is a unicast
1 address family

Router(config- Enables EIGRP for IPv4 on

router-af)# interfaces in the 172.16.10.0
network network
172.16.10.0
0.0.0.255
Router(config- Enables EIGRP for IPv4 on all
router-af)# IPv4 enabled interfaces
network 0.0.0.0

Note

In address family configuration mode,

you can define other general
parameters for EIGRP, such as router-
id or eigrp stub

Router(config- Moves the router into address

router-af)# af- family interface configuration
interface mode for interface
gigabitethernet GigabitEthernet 0/0/0
0/0/0

Router(config- Configures a summary

router-af- aggregate address
interface)#
summary-address
192.168.10.0/23

Router(config)# Creates a named EIGRP virtual

router eigrp TEST instance called TEST
Router(config- Enables the IPv6 address
router)# address- family and starts EIGRP
family ipv6 autonomous system 1. By
autonomous-system default, this is a unicast
1 address family

Note

All IPv6 enabled interfaces are

automatically included in the EIGRP
process

Router(config- Moves the router into address

router-af)# af- family interface configuration
interface default mode for all interfaces

Router(config- Configures all IPv6 interfaces

router- af- as passive for EIGRP
interface)#
passive-
interface

Router(config- Returns the router to address

router- af- family configuration mode
interface)# exit
Note

The complete command is exit-af-

interface, but the more commonly
used shortcut of exit is presented here

Router(config- Moves the router into address

router-af)# af- family interface configuration
interface mode for interface
gigabitethernet GigabitEthernet 0/0/0
0/0/0

Router(config- Removes the passive interface

router-af- configuration from this
interface)# no interface
passive-
interface

EIGRP NAMED MODE

SUBCONFIGURATION MODES
EIGRP using named mode configuration gathers all
EIGRP options and parameters under specific
subconfiguration modes:
Mode Commands Used in This
Mode

Address family General configuration commands:

configuration mode
eigrp router-id
Router(config-
router-af)# eigrp stub

metric weights

network

Address family Interface-specific configuration

interface commands:
configuration mode

authentication key-chain
Router(config-
router- af- authentication mode
interface)#

bandwidth-percent

hello-interval
hold-time

passive-interface

summary-address

Address family Configuration commands that

topology affect the topology table:
configuration mode

maximum-paths
Router(config-
router- af- redistribute
topology)#

variance

traffic-share

Note

From address family configuration mode,

enter the topology base command to
access topology configuration mode
UPGRADING CLASSIC MODE TO
NAMED MODE CONFIGURATION
The eigrp upgrade-cli command allows you to
upgrade from classic mode to named mode without
causing network or neighbor flaps or requiring the
EIGRP process to restart. After conversion, the running
configuration on the device will show only named mode
configurations; you will be unable to see any classic
mode configurations. This command is available only
under EIGRP classic router configuration mode. You
must use the eigrp upgrade-cli command for every
classic router configuration in order to ensure that this
configuration is upgraded to named mode. Therefore, if
multiple classic configurations exist, you must use this
command per autonomous system number. The new
configurations will be present only in the running
configuration; they will not be automatically saved to
the startup configuration.

Router(config- Upgrades EIGRP configuration

router)# eigrp from classic mode to named mode.
upgrade-cli EIGRP virtual instance is now
TEST named TEST
Note
The eigrp upgrade-cli command allows you to convert only classic mode configurations to
named mode and not vice versa. To revert to classic mode configurations, you can reload
the router without saving the running configurations.

EIGRP ROUTER ID

Router(c Enters EIGRP router configuration mode for

onfig)# AS 100
router
eigrp
100

Router(c Manually sets the router ID to 172.16.3.3.

onfig- Can be any IPv4 address except 0.0.0.0 and
router)# 255.255.255.255. If not set, the router ID
eigrp will be the highest IP address of any
router- loopback interfaces. If no loopback
id interfaces are configured, the router ID will
be the highest IP address of your active local
172.16.3
interface
.3

Router(c Removes the static router ID from the

onfig- configuration
router)#
no eigrp
router-
id
172.16.3
.3

Router(c Creates a named EIGRP virtual instance

onfig)# called TEST
router
eigrp
TEST

Router(c Enables the IPv4 address family and starts

onfig- EIGRP autonomous system 1
router)#
address-
family
ipv4
autonomo
us-
system 1

Router(c Manually sets the router ID to 172.16.3.3

onfig-
router-
af)#
eigrp
router-
id
172.16.3
.3

Note
There is no IPv6 form of the router ID. Even if a router is using IPv6 exclusively, the router ID
will still be in the format of an IPv4 address.

AUTHENTICATION FOR EIGRP

Authentication for routers using EIGRP relies on the use
of predefined passwords.

Note
EIGRP for IPv4 and EIGRP for IPv6 use the same commands for authentication.

Configuring Authentication in Classic Mode

Router(config)# key Identifies a key chain.

chain romeo The name must match
the name configured in
interface configuration
mode
Router(config- Identifies the key
keychain)# key 1 number

Note

The range of keys is from

0 to 2 147 483 647. The
key identification
numbers do not need to
be consecutive. There
must be at least one key
defined on a key chain

Router(config-keychain- Identifies the key

key)# key-string string
shakespeare

Note

The string can contain

from 1 to 80 uppercase
and lowercase
alphanumeric characters,
except that the first
character cannot be a
number

(Optional) Specifies
Router(config-keychain- the period during
key)# accept-lifetime which the key can be
[local] start-time received
{infinite | end-time |
duration seconds} local keyword
specifies time in local
time zone

Note

After the time is entered,

you have the option to
add the specific
day/month/year to this
command

Note

The default start time and

the earliest acceptable
date is January 1, 1993.
The default end time is
an infinite time period

Router(config-keychain- (Optional) Specifies

key)# send-lifetime the period during
[local] start-time
{infinite | end-time | which the key can be
duration seconds} sent

local keyword
specifies time in local
time zone

Note

After the time is entered,

you have the option to
add the specific
day/month/year to this
command

Note

The default start time and

the earliest acceptable
date is January 1, 1993.
The default end time is
an infinite period

Router(config)# Enters interface

interface configuration mode
gigabitethernet 0/0/0
Router(config-if)# ip Enables message
authentication mode digest 5 (MD5)
eigrp 100 md5 authentication in
EIGRP packets over
the interface

Router(config-if)# ip Enables authentication

authentication key- of EIGRP packets
chain eigrp 100 romeo using romeo as the
key chain

Router(config-if)# exit Returns to global

configuration mode

Note
For the start time and the end time to have relevance, ensure that the router knows the
correct time. Recommended practice dictates that you run NTP or some other time-
synchronization method if you intend to set lifetimes on keys.

Configuring Authentication in Named Mode

Note
EIGRP support for SHA was introduced in Cisco IOS 15 together with EIGRP using named
mode configuration.

Note
Both MD5 and SHA can be used in either IPv4 or IPv6. Not all permutations are shown in
the following example.

Router(config)# Creates a named EIGRP

router eigrp TEST virtual instance called TEST

Router(config- Enables the IPv4 address

router)# address- family and starts EIGRP AS 1
family ipv4
autonomous-system
1

Router(config- Moves the router into address

router-af)# af- family interface configuration
interface mode for interface
gigabitethernet GigabitEthernet 0/0/0
0/0/0

Router(config- Identifies a key chain

router-af-
interface)#
authentication
key-chain romeo
Router(config- Enables message digest 5
router- af- (MD5) authentication in
interface)# EIGRP packets over the
authentication interface
mode md5

Router(config- Enables Hashed Message

router-af- Authentication Code
interface)# (HMAC)-Secure Hash
authentication Algorithm (SHA-256)
mode hmac-sha-256 authentication in EIGRP
packets over the interface

Router(config- Exits from address family

router-af- interface configuration mode
interface)# exit-
af- interface

Router(config- Exits address family

router-af)# exit- configuration mode
address-family

Router(config- Enables the IPv6 address

router)# address- family and starts EIGRP AS 1
family ipv6
autonomous-system
1

Router(config- Moves the router into address

router-af)# af- family interface configuration
interface mode for interface
gigabitethernet GigabitEthernet 0/0/0
0/0/0

Router(config- Identifies a key chain

router-af-
interface)#
authentication
key-chain romeo

Router(config- Enables HMAC-SHA-256

router-af- authentication in EIGRP
interface)# packets over the interface
authentication
mode hmac-sha-256 7 – Indicates there is an
0 password1 explicit password encryption.
A 0 indicates that there is no
password encryption. 0 is the
default
The password string used is
password1. The string can
contain 1 to 32 characters,
including white spaces;
however, the first character
cannot be a number

Router(config- Exits from address family

router-af- interface configuration mode
interface)# exit-
af-interface

Router(config- Exits address family

router-af)# exit- configuration mode
address-family

Router(config- Exits routing protocol

router)# exit configuration mode

Router(config)# Identifies a key chain. Name

key chain romeo must match the name
configured in interface
configuration mode

Router(config- Identifies the key number

keychain)# key 1
Router(config- Identifies the key string
keychain-key)#
key-string
shakespeare

Router(config- (Optional) Specifies the

keychain-key)# period during which the key
accept-lifetime can be received
start-time
{infinite | end-
time | duration
seconds}

Router(config- (Optional) Specifies the

keychain-key)# period during which the key
send-lifetime can be sent
start-time
{infinite | end-
time | duration
seconds}

Verifying and Troubleshooting EIGRP

Authentication
Router# Displays EIGRP neighbor table. Incorrect
show ip authentication configuration will prevent
eigrp neighbor relationships from forming
neighbor

Router# Displays EIGRP IPv6 neighbor table.

show ipv6 Incorrect authentication configuration
eigrp will prevent neighbor relationships from
neighbor forming

Router# Displays key chains created on the router

show key
chain

Router# Displays output about EIGRP packets.

debug Incorrect key string configuration will
eigrp cause failures, which will be shown in this
packet output

AUTO-SUMMARIZATION FOR EIGRP

Router(conf Enables auto-summarization for the
ig-router)# EIGRP process
auto-
summary
Note

The behavior of the auto-summary command is

disabled by default for Cisco IOS Software Release
15 and later. Earlier software generally has automatic
summarization enabled by default

Router(conf Disables the auto-summarization

ig-router)# feature
no auto-
summary

IPV4 MANUAL SUMMARIZATION FOR

EIGRP

Router(config Enters interface configuration mode

)# interface
gigabitethern
et 0/0/0
Router(config Enables manual summarization for
-if)# ip EIGRP AS 100 (classic mode) on this
summary- specific interface for the given
address eigrp address and mask. An
100 10.10.0.0 administrative distance of 75 is
255.255.0.0 assigned to this summary route

Note

The administrative-distance argument is optional

in this command. Without it, an administrative
distance of 5 is automatically applied to the
summary route

Router(config Enables manual summarization for

-router-af- EIGRP using named mode
interface)# configuration
summary-
address
192.168.0.0
255.255.0.0

IPV6 MANUAL SUMMARIZATION FOR

EIGRP
Router(config)# Moves to interface
interface serial configuration mode
0/0/0

Router(config-if)# Configures a summary

ipv6 summary-address address for a specified
eigrp 100 interface using classic
2001:db8:0:1::/64 mode

There is an optional
administrative distance
parameter for this
command

This command behaves

similarly to the ip
summary-address
eigrp command

Router(config-router- Enables manual

af-interface)# summarization for EIGRP
summary-address using named mode
2001:db8::/48 configuration
TIMERS FOR EIGRP

Router(config)# Moves to interface

interface serial configuration mode
0/1/0

Router(config-if)# Configures the EIGRP hello

ip hello-interval time interval for AS 100 to 10
eigrp 100 10 seconds

Router(config-if)# Configures the EIGRP hold

ip hold-time eigrp timer interval for AS 100 to
100 30 30 seconds

Note

Hold time should be set to three

times the hello interval

Router(config-if)# Configures the hello interval

ipv6 hello- for EIGRP for IPv6 process
interval eigrp 100 100 to be 10 seconds
10
Router(config-if)# Configures the hold timer for
ipv6 hold-time EIGRP for IPv6 process 100
eigrp 100 30 to be 30 seconds

Router(config- Configures a hello interval of

router-af- 3 seconds for EIGRP using
interface)# hello- named mode configuration
interval 3

Router(config- Configures a hold time of 9

router-af- seconds for EIGRP using
interface)# hold- named mode configuration
time 9

Note
EIGRP hello and hold timers do not have to match between neighbors to successfully
establish a neighbor relationship. However, the reciprocating hello interval should be within
the defined hold time.

Note
The AS number in these commands must match the AS number of EIGRP on the router for
these changes to take effect.

Tip
It is recommended that you match the timers between neighbors; otherwise, you may
experience flapping neighbor relationships or network instability.

PASSIVE INTERFACES FOR EIGRP

Router(config)# Starts the EIGRP routing

router eigrp 110 process

Router(config- Specifies a network to advertise

router)# network in the EIGRP routing process
10.0.0.0
0.0.0.255

Router(config- Prevents the sending of hello

router)# passive- packets out the GigabitEthernet
interface 0/0/0 interface. No neighbor
gigabitethernet adjacency is formed
0/0/0

Router(config- Prevents the sending of hello

router)# passive- packets out all interfaces
interface default

Router(config- Enables hello packets to be sent

router)# no out interface Serial 0/0/1,
passive-interface thereby allowing neighbor
serial 0/1/0 adjacencies to form

Router(config)# Starts the EIGRP for IPv6

ipv6 router eigrp routing process
110

Router(config- Prevents the sending of hello

rtr)# passive- packets out the GigabitEthernet
interface 0/0/0 interface. No neighbor
gigabitethernet adjacency is formed
0/0/0

Router(config- Prevents the sending of hello

rtr)# passive- packets out all interfaces
interface default

Router(config- Enables hello packets to be sent

rtr)# no out interface Serial 0/1/0,
thereby allowing neighbor
adjacencies to form
passive-interface

serial 0/1/0

Router(config- Enters address-family interface

router-af)# af- configuration mode for
interface GigabitEthernet 0/0/0
gigabitethernet
0/0/0

Router(config- Prevents the sending of hello

router-af- packets out of the
interface)# GigabitEthernet 0/0/0
passive- interface
interface

Router(config- Enters address-family default

router-af)# af- interface configuration mode
interface default

Router(config- Prevents the sending of hello

router-af- packets out all interfaces
interface)#
passive-
interface

“PSEUDO” PASSIVE EIGRP

INTERFACES
A passive interface cannot send EIGRP hellos, which
prevents adjacency relationships with link partners. An
administrator can create a “pseudo” passive EIGRP
interface by using a route filter that suppresses all
routes from the EIGRP routing update. A neighbor
relationship will form, but no routes will be sent out a
specific interface.

Router(conf Starts the EIGRP routing process

ig)# router
eigrp 100

Router(conf Specifies a network to advertise in the

ig-router)# EIGRP routing process
network
10.0.0.0
0.0.0.255

Router(conf Creates an outgoing distribute list for

ig-router)# interface Serial 0/1/0 and refers to ACL
distribute- 5
list 5 out
serial
0/1/0
Router(conf Returns to global configuration mode
ig-router)#
exit

Router(conf Matches and drops packets from any

ig)# source. This ACL, when used in the
access-list earlier distribute-list command, will
5 deny any prevent EIGRP 100 routing packets
from being sent out of Serial 0/1/0

INJECTING A DEFAULT ROUTE INTO

EIGRP: REDISTRIBUTION OF A
STATIC ROUTE

Router(config)# Creates a static default route to

ip route 0.0.0.0 send all traffic with a destination
0.0.0.0 serial network not in the routing table
0/1/0 out interface Serial 0/1/0

Note

Adding a static route (for example, ip

route 0.0.0.0 0.0.0.0 gigabitethernet 1/1)
will cause the route to be inserted into the
routing table only when the interface is up
Router(config)# Creates EIGRP routing process
router eigrp 100 100

Router(config- Advertises into EIGRP any static

router)# routes that are configured on the
redistribute router
static

Router(config)# Enters EIGRP using named

router eigrp mode configuration
TEST

Router(config- Enters the IPv4 address family

router)# for AS 10
address-family
ipv4 autonomous-
system 10

Router(config- Enters address-family topology

router-af)# subconfiguration mode
topology base

Router(config- Advertises static routes into the

router-af- EIGRP process
topology)#
redistribute
static

Note
Use this method when you want to draw all traffic to unknown destinations to a default route
at the core of the network.

Note
This method is effective for advertising default connections to the Internet, but it will also
redistribute all static routes into EIGRP.

INJECTING A DEFAULT ROUTE INTO

EIGRP: IP DEFAULT-NETWORK

Router(config) Creates EIGRP routing process 100

# router eigrp
100

Router(config- Specifies which network to

router)# advertise in EIGRP
network
192.168.100.0
0.0.0.255

Router(config- Returns to global configuration

router)# exit mode

Router(config) Creates a static default route to send

# ip route all traffic with a destination network
0.0.0.0 not in the routing table to next-hop
0.0.0.0 address 192.168.100.5
192.168.100.5

Router(config) Defines a route to the 192.168.100.0

# ip default- network as a candidate default
network route
192.168.100.0

Note
For EIGRP to propagate the route, the network specified by the ip default-network
command must be known to EIGRP. This means that the network must be an EIGRP-
derived network in the routing table, or the static route used to generate the route to the
network must be redistributed into EIGRP, or advertised into these protocols using the
network command.

Tip
In a complex topology, many networks can be identified as candidate defaults. Without any
dynamic protocols running, you can configure your router to choose from several candidate
default routes based on whether the routing table has routes to networks other than
0.0.0.0/0. The ip default-network command enables you to configure robustness into the
selection of a gateway of last resort. Rather than configuring static routes to specific next
hops, you can have the router choose a default route to a particular network by checking in
the routing table.

Tip
The network 0.0.0.0 command enables EIGRP for all interfaces on the router.

INJECTING A DEFAULT ROUTE INTO

EIGRP: SUMMARIZE TO 0.0.0.0/0

Router(confi Creates EIGRP routing process 100

g)# router
eigrp 100

Router(confi Specifies which network to advertise

g-router)# in EIGRP
network
192.168.100.
0

Router(confi Returns to global configuration mode

g-router)#
exit
Router(confi Enters interface configuration mode
g)#
interface
serial 0/1/0

Router(confi Assigns the IP address and subnet

g-if)# ip mask to the interface
address
192.168.100.
1
255.255.255.
0

Router(confi Enables manual summarization for

g-if)#ip EIGRP AS 100 on this specific
summary- interface for the given address and
address mask. An optional administrative
eigrp 100 distance of 75 is assigned to this
0.0.0.0 summary route

0.0.0.0 75

Note
Summarizing to a default route is effective only when you want to provide remote sites with a
default route, and not propagate the default route toward the core of your network.
Note
Because summaries are configured per interface, you do not need to worry about using
distribute lists or other mechanisms to prevent the default route from being propagated
toward the core of your network.

ACCEPTING EXTERIOR ROUTING

INFORMATION: DEFAULT-
INFORMATION

Router(c Creates routing process 100

onfig)#
router
eigrp
100

Router(c Allows exterior or default routes to be

onfig- received by the EIGRP process AS 100. This
router)# is the default action; exterior routes are
default- always accepted, and default information is
informat passed between EIGRP processes when
ion in redistribution occurs

Router(c Suppresses exterior or default routing

onfig- information
router)#
no
default-
informat
ion in

EQUAL-COST LOAD BALANCING:

MAXIMUM-PATHS

Router(config) Creates routing process 100

# router eigrp
100

Router(config- Specifies which network to

router)# advertise in EIGRP
network
10.0.0.0

Router(config- Sets the maximum number of

router)# parallel routes that EIGRP will
maximum-paths support to six routes
6
Router(config) Creates routing process 100 for
# ipv6 router EIGRP for IPv6
eigrp 100

Router(config- Sets the maximum number of

rtr)# maximum- parallel routes that EIGRP for IPv6
paths 6 will support to six routes

Router(config- Enters address-family topology

router-af)# subconfiguration mode for EIGRP
topology base using named mode

Router(config- Sets the maximum number of

router-af- parallel routes that EIGRP using
topology)# named mode configuration will
maximum-paths support to six routes
6

Note
With the maximum-paths router configuration command, up to 32 equal-cost entries can be
in the routing table for the same destination. The default is 4.

Note
Setting maximum-path to 1 disables load balancing.
UNEQUAL-COST LOAD BALANCING:
VARIANCE

Router(con Creates EIGRP routing process for AS

fig)# 100
router
eigrp 100

Router(con Specifies which network to advertise in

fig- EIGRP
router)#
network
10.0.0.0
0.0.0.255

Router(con Instructs the router to include routes with

fig- a metric less than or equal to n times the
router)# minimum metric route for that
variance n destination, where n is the number
specified by the variance command

Router(con Creates IPv6 EIGRP routing process for

fig)# ipv6 AS 100
router
eigrp 100
Router(con Instructs the router to include routes with
fig-rtr)# a metric less than or equal to n times the
variance n minimum metric route for that
destination, where n is the number
specified by the variance command

Router(con Sets the variance for EIGRP using named

fig- mode configuration.
router-af-
topology)# This command is entered under address
variance n family topology subconfiguration mode

Note
If a path is not a feasible successor, it is not used in load balancing.

Note
EIGRP variance can be set to a number between 1 and 128.

EIGRP TRAFFIC SHARING

EIGRP not only provides unequal cost path load
balancing, but also intelligent load balancing such as
traffic sharing. To control how traffic is distributed
among routes when there are multiple routes for the
same destination network that have different costs, use
the traffic-share balanced command. With the
balanced keyword, the router distributes traffic
proportionately to the ratios of the metrics that are
associated with different routes. This is the default
setting. Similarly, when you use the traffic-share
command with the min keyword, the traffic is sent only
across the minimum-cost path, even when there are
multiple paths in the routing table. This is identical to
the forwarding behavior without use of the variance
command. However, if you use the traffic-share min
command and the variance command, even though
traffic is sent over the minimum-cost path only, all
feasible routes get installed into the routing table, which
decreases convergence times.

Router(config)# Creates EIGRP routing process

router eigrp 100 for AS 100

Router(config- Sets the EIGRP traffic share

router)# traffic- feature to load balance
share balanced proportionately to the ratios of
the metrics. This is the default
value
Router(config- Sets the EIGRP traffic share
router)# traffic- feature to only send traffic
share min across- across the minimum cost path
interfaces

Router(config- Sets the traffic share feature

router-af- for EIGRP using named mode
topology)# configuration
traffic-share
balanced
Note

Router(config- These commands are entered under

address family topology
router-af- subconfiguration mode

topology)#
traffic-share min
across-interfaces

BANDWIDTH USE FOR EIGRP

Router(config) Enters interface configuration

# interface mode
serial 0/1/0
Router(config- Sets the bandwidth of this interface
if)# bandwidth to 256 kilobits to allow EIGRP to
256 make a better metric calculation

Router(config- Configures the percentage of

if)# ip bandwidth that may be used by
bandwidth- EIGRP on an interface
percent eigrp
50 100 50 is the EIGRP AS number

100 is the percentage value

100% × 256 = 256 kbps

Router(config- Configures the percentage of

if)# ipv6 bandwidth (75%) that may be used
bandwidth- by EIGRP 100 for IPv6 on the
percent eigrp interface
100 75

Router(config- Configures the percentage of

router-af- bandwidth (25%) that may be used
interface)# by EIGRP under the address-family
bandwidth- interface subconfiguration mode
percent 25
Note
By default, EIGRP is set to use only up to 50 percent of the bandwidth of an interface to
exchange routing information. Values greater than 100 percent can be configured. This
configuration option might prove useful if the bandwidth is set artificially low for other
reasons, such as manipulation of the routing metric or to accommodate an oversubscribed
multipoint Frame Relay configuration.

Note
The ip bandwidth-percent command relies on the value set by the bandwidth command.

STUB ROUTING FOR EIGRP

Router(confi Creates routing process 100

g)# router
eigrp 100

Router(confi Configures the router to send updates

g-router)# containing its connected and summary
eigrp stub routes only

Note

Only the stub router needs to have the eigrp stub

command enabled
Router(confi Permits the EIGRP stub routing
g-router)# feature to send only connected routes
eigrp stub
connected
Note

If the connected routes are not covered by a

network statement, it might be necessary to
redistribute connected routes with the redistribute
connected command

Tip

The connected option is enabled by default

Router(confi Permits the EIGRP stub routing

g-router)# feature to send static routes
eigrp stub
static
Note

Without this option, EIGRP will not send static

routes, including internal static routes that normally
would be automatically redistributed. It will still be
necessary to redistribute static routes with the
redistribute static command
Router(confi Permits the EIGRP stub routing
g-router)# feature to send summary routes
eigrp stub
summary
Note

Summary routes can be created manually, or

through automatic summarization at a major
network boundary if the auto-summary command
is enabled

Tip

The summary option is enabled by default

Router(confi Restricts the router from sharing any

g-router)# of its routes with any other router in
eigrp stub that EIGRP autonomous system
receive-only

Router(confi Advertises redistributed routes, if

g-router)# redistribution is configured on the
eigrp stub stub router using the redistribute
command
redistribute
d

Router(confi Enters router configuration mode and

g)# ipv6 creates an EIGRP IPv6 routing process
router eigrp
100

Router(confi Configures a router as a stub using

g-rtr)# EIGRP
eigrp stub

Router(confi Configures the router to send updates

g-router- containing its connected and summary
af)# eigrp routes only
stub

Note

This command is entered under the EIGRP address

family when using named mode configuration

Note
You can use the optional arguments (connected, redistributed, static, and summary) as
part of the same command on a single line:
Click here to view code image

Router(config-router)# eigrp stub connected

static summary
redistributed

You cannot use the keyword receive-only with any

other option because it prevents any type of route from
being sent.

Note
The same keywords in the eigrp stub command that work with EIGRP for IPv4 will also
work with EIGRP for IPv6: connected | summary | static | redistributed | receive-only

EIGRP UNICAST NEIGHBORS

R2(con Enables EIGRP routing for AS 100

fig)#
router
eigrp
100

R2(con Identifies which networks to include in EIGRP

fig-
router
)#
networ
k
192.16
8.1.0
0.0.0.
255

R2(con Identifies a specific neighbor with which to

fig- exchange routing information. Instead of
router using multicast packets to exchange
)# information, unicast packets will now be used
neighb on the interface on which this neighbor
or resides. If there are other neighbors on this
same interface, neighbor statements must
192.16
also be configured for them; otherwise, no
8.1.10
EIGRP packets will be exchanged with them
1
gigabi
tether
net
0/0/0

Router When using EIGRP named mode

(confi configuration, the neighbor command is
g- entered under the address family
router
-af)#
neighb
or
172.16
.1.2
gigabi
tether
net
0/0/1

EIGRP WIDE METRICS

The EIGRP composite metric (calculated using the
bandwidth, delay, reliability, and load) is not scaled
correctly for high-bandwidth interfaces or
EtherChannels, resulting in incorrect or inconsistent
routing behavior. The lowest delay that can be
configured for an interface is 10 microseconds. As a
result, high-speed interfaces, such as 10 Gigabit
Ethernet (GE) interfaces, or high-speed interfaces
channeled together (GE EtherChannel) will appear to
EIGRP as a single GE interface. This may cause
undesirable equal-metric load balancing. To resolve this
issue, the EIGRP Wide Metrics feature supports 64-bit
metric calculations and Routing Information Base (RIB)
scaling that provide the ability to support interfaces
(either directly or via channeling techniques like
EtherChannels) up to approximately 4.2 terabits.

Note
The 64-bit metric calculations work only in EIGRP using named mode configurations. EIGRP
classic mode uses 32-bit metric calculations. With the calculation of larger bandwidths,
EIGRP can no longer fit the computed metric into a 4-byte unsigned long value that is
needed by the Cisco RIB. To set the RIB scaling factor for EIGRP, use the metric rib-scale
command. When you configure the metric rib-scale command, all EIGRP routes in the RIB
are cleared and replaced with the new metric values.

Note
The EIGRP Wide Metrics feature also introduces K6 as an additional K value for future use.

ADJUSTING THE EIGRP METRIC

WEIGHTS
Use the metric weights command to adjust the default
behavior of EIGRP routing and metric computations.

Router(config)# Enables EIGRP routing for

router eigrp 100 AS 100

Router(config- Changes the default K-

router)# metric values used in metric
weights tos k1 k2 k3 calculation.
k4 k5
These are the default
values:

tos=0, k1=1, k2=0, k3=1,

k4=0, k5=0

Router(config)# ipv6 Enters router

router eigrp 100 configuration mode and
creates an EIGRP IPv6
routing process

Router(config- Changes the default K-

router)# metric values used in metric
weights tos k1 k2 k3 calculation.
k4 k5
These are the default
values:

tos=0, k1=1, k2=0, k3=1,

k4=0, k5=0

Router(config)# Enters router

router eigrp CISCO configuration mode and
creates an EIGRP process
using named mode
Router(config- Enters IPv4 unicast
router)# address- address family mode
family ipv4 unicast
autonomous-system
100

Router(config- Changes the default K-

router-af)# metric values used in metric
weights tos k1 k2 k3 calculation.
k4 k5 k6
These are the default
values:

tos=0, k1=1, k2=0, k3=1,

k4=0, k5=0, k6=0

Router(config- Sets scaling value for RIB

router-af)# metric installation. The default
rib-scale 128 value is 128, and the range
is from 1 to 255

Note
tos is a reference to the original Interior Gateway Routing Protocol (IGRP) intention to have
IGRP perform type-of-service routing. Because this was never adopted into practice, the tos
field in this command is always set to zero (0).
Note
With default settings in place, the metric of EIGRP is reduced to the slowest bandwidth plus
the sum of all the delays of the exit interfaces from the local router to the destination
network.

Tip
For two routers to form a neighbor relationship in EIGRP, the K-values must match.

Caution
Unless you are very familiar with what is occurring in your network, it is recommended that
you do not change the K-values.

VERIFYING EIGRP

Router# clear ip Deletes all routes from the IPv4

route * routing table

Router# clear ip Clears this specific route from

route the IPv4 routing table
172.16.10.0

Router# clear Deletes all routes from the IPv6

ipv6 route * routing table
Note

Clearing all routes from the routing table

will cause high CPU utilization rates as the
routing table is rebuilt

Router# clear Clears this specific route from

ipv6 route the IPv6 routing table
2001:db8:c18:3::
/64

Router# clear Resets IPv6 traffic counters

ipv6 traffic

Router# show ip Displays the neighbor table

eigrp neighbors

Router# show ip Displays a detailed neighbor

eigrp neighbors table
detail

Tip

The show ip eigrp neighbors detail

command will verify whether a neighbor is
configured as a stub router
Router# show ip Shows info for each interface
eigrp interfaces

Router# show ip Shows more detailed

eigrp interfaces information for each interface,
detail such as timers and percent
bandwidth

Router# show ip Shows info for a specific

eigrp interface interface
serial 0/0/0

Router# show ip Shows info for interfaces

eigrp interface running process 100
100

Router# show ip Displays the topology table

eigrp topology

Tip

The show ip eigrp topology command

shows where your feasible successors are

Router# show ip Displays all entries in the EIGRP

eigrp topology topology table, including
all-links nonfeasible-successor sources

Router# show ip Shows the number and type of

eigrp traffic packets sent and received

Router# show ip Displays the status of interfaces

interface configured for IPv4

Router# show ip Displays a summarized status of

interface brief interfaces configured for IPv4

Router# show ip Shows the parameters and

protocols current state of the active routing
protocol process

Router# show ip Shows the complete routing

route table

Router# show ip Shows a routing table with only

route eigrp EIGRP entries

Router# show Displays IPv6 info for each

ipv6 eigrp interface
interfaces
Router# show Displays IPv6 info for specific
ipv6 eigrp interface
interface serial
0/0/0

Router# show Displays IPv6 info for interfaces

ipv6 eigrp running process 100
interface 100

Router# show Displays the EIGRP IPv6

ipv6 eigrp neighbor table
neighbors

Router# show Displays a detailed EIGRP IPv6

ipv6 eigrp neighbor table
neighbors detail

Router# show Displays the EIGRP IPv6

ipv6 eigrp topology table
topology

Router# show Displays the status of interfaces

ipv6 interface configured for IPv6
Router# show Displays a summarized status of
ipv6 interface interfaces configured for IPv6
brief

Router# show Displays IPv6 neighbor discovery

ipv6 neighbors cache information

Router# show Displays the parameters and

ipv6 protocols current state of the active IPv6
routing protocol processes

Router# show Displays the current IPv6

ipv6 route routing table

Router# show Displays the current IPv6

ipv6 route eigrp routing table with only EIGRP
routes

Router# show Displays a summarized form of

ipv6 route the current IPv6 routing table
summary

Router# show Displays IPv6 router

ipv6 routers advertisement information
received from other routers
Router# show Displays statistics about IPv6
ipv6 traffic traffic

TROUBLESHOOTING EIGRP

Router# debug Displays events/actions related

eigrp fsm to EIGRP feasible successor
metrics (FSM)

Note

FSM is sometimes referred to as the

Finite State Machine

Router# debug Displays events/actions related

eigrp packets to EIGRP packets

Router# debug Displays events/actions related

eigrp neighbors to your EIGRP neighbors

Router# debug ip Displays events/actions related

eigrp to EIGRP protocol packets
Router# debug ip Displays EIGRP event
eigrp notifications
notifications

Router# debug Displays information about the

ipv6 eigrp EIGRP for IPv6 protocol

Router# debug Displays information about the

ipv6 neighbor specified EIGRP for IPv6
2001:db8:c18:3:: neighbor
1

Router# debug Displays EIGRP for IPv6 events

ipv6 neighbor and notifications in the console
notification of the router

Router# debug Displays a summary of EIGRP

ipv6 neighbor for IPv6 routing information
summary

Router# debug Displays debug messages for

ipv6 packet IPv6 packets
Tip

Send your debug output to a syslog

server to ensure that you have a copy of
it in case your router is overloaded and
needs to reboot

Router# debug Displays debug messages for

ipv6 routing IPv6 routing table updates and
route cache updates

CONFIGURATION EXAMPLE: EIGRP

FOR IPV4 AND IPV6 USING NAMED
MODE
Figure 4-1 shows the network topology for the
configuration that follows, which shows how to
configure EIGRP using commands covered in this
chapter.
Figure 4-1 Network Topology for EIGRP
Configuration

R1 Router

R1> enable Enters privileged EXEC mode

R1# configure Moves to global configuration

terminal mode

R1(config)# Creates a named EIGRP virtual

router eigrp instance called ConfigEG
ConfigEG
R1(config- Enables the IPv4 address family
router)# and starts EIGRP autonomous
address-family system 1
ipv4
autonomous-
system 1

R1(config- Enables EIGRP for IPv4 on

router-af)# interfaces in the 198.133.219.0
network network
198.133.219.0
0.0.0.255

R1(config- Enables EIGRP for IPv4 on

router-af)# interfaces in the 192.168.0.0/24
network network
192.168.0.0
0.0.0.255

R1(config- Enables EIGRP for IPv4 on

router-af)# interfaces in the 192.168.1.0/24
network network
192.168.1.0
0.0.0.255
R1(config- Moves the router into address-
router-af)# af- family interface configuration
interface mode for interface
gigabitethernet GigabitEthernet 0/0
0/0

R1(config- Configures a summary aggregate

router-af- address for the two serial prefixes
interface)#
summary-address
192.168.0.0/23 Note

The command summary-address

192.168.0.0 255.255.254.0 is also a valid
entry here

R1(config- Returns to address-family

router-af- configuration mode
interface)#
exit

R1(config- Returns to EIGRP router

router-af)# configuration mode
exit

Note
The complete command is exit-address-
family

R1(config- Enables the IPv6 address family

router)# and starts EIGRP autonomous
address-family system 1. All IPv6 enabled
ipv6 interfaces are included in the
autonomous- EIGRPv6 process
system 1

R1(config- Returns to EIGRP router

router-af)# configuration mode
exit

R1(config- Returns to global configuration

router)# exit mode

R1(config)# Returns to privileged EXEC mode

exit

R1# copy Copies the running configuration

running-config to NVRAM
startup-config
R2 Router

R2> enable Enters privileged EXEC mode

R2# configure Moves to global configuration

terminal mode

R2(config)# Creates a named EIGRP virtual

router eigrp instance called ConfigEG
ConfigEG

R2(config- Enables the IPv4 address family

router)# and starts EIGRP autonomous
address-family system 1
ipv4
autonomous-
system 1

R2(config- Enables EIGRP for IPv4 on

router-af)# interfaces in the 192.168.0.0
network network
192.168.0.0

R2(config- Returns to EIGRP router

configuration mode
router-af)#
exit
Note

The complete command is exit-address-

family

R2(config- Enables the IPv6 address family

router)# and starts EIGRP autonomous
address-family system 1. All IPv6 enabled
ipv6 interfaces are included in the
autonomous- EIGRPv6 process
system 1

R2(config- Returns to EIGRP router

router-af)# configuration mode
exit

R2(config- Returns to global configuration

router)# exit mode

R2(config)# Returns to privileged EXEC mode

exit

R2# copy Copies the running configuration to

running-config NVRAM
startup-config

R3 Router

R3> enable Enters privileged EXEC mode

R3# configure Moves to global configuration

terminal mode

R3(config)# Creates a named EIGRP virtual-

router eigrp instance called ConfigEG
ConfigEG

R3(config- Enables the IPv4 address family

router)# and starts EIGRP autonomous
address-family system 1
ipv4
autonomous-
system 1

R3(config- Enables EIGRP for IPv4 on

router-af)# interfaces in the 192.168.1.0
network
network
192.168.1.0

R3(config- Returns to EIGRP router

router-af)# configuration mode
exit

Note

The complete command is exit-address-

family

R3(config- Enables the IPv6 address family

router)# and starts EIGRP autonomous
address-family system 1. All IPv6 enabled
ipv6 interfaces are included in the
autonomous- EIGRPv6 process
system 1

R3(config- Returns to EIGRP router

router-af)# configuration mode
exit

R3(config- Returns to global configuration

router)# exit mode
R3(config)# Returns to privileged EXEC mode
exit

R3# copy Copies the running configuration to

running-config NVRAM
startup-config
Chapter 5
OSPF

This chapter provides information about the following

topics:

Comparing OSPFv2 and OSPFv3

Configuring OSPFv2

Configuring multiarea OSPFv2

Using wildcard masks with OSPFv2 areas

Configuring traditional OSPFv3

Enabling OSPFv3 for IPv6 on an interface

OSPFv3 and stub/NSSA areas

Interarea OSPFv3 route summarization

Enabling an IPv4 router ID for OSPFv3

Forcing an SPF calculation

OSPFv3 address families

Configuring the IPv6 address family in OSPFv3

Configuring the IPv4 address family in OSPFv3

Applying parameters in address family

configuration mode

Authentication for OSPF

Configuring OSPFv2 authentication: simple

password

Configuring OSPFv2 cryptographic

authentication: MD5

Configuring OSPFv2 cryptographic

authentication: SHA-256

Configuring OSPFv3 authentication and

encryption

Verifying OSPFv2 and OSPFv3 authentication

Optimizing OSPF parameters

Loopback interfaces

Router ID

DR/BDR elections

Passive interfaces
Modifying cost metrics

OSPF reference bandwidth

OSPF LSDB overload protection

Timers

IP MTU

Propagating a default route

Route summarization

Interarea route summarization

External route summarization

OSPF route filtering

Using the filter-list command

Using the area range not-advertise

command

Using the distribute-list in command

Using the summary-address not-advertise

command

OSPF special area types

Stub areas

Totally stubby areas

Not-so-stubby areas

Totally NSSA

Virtual Links

Configuration example: virtual links

Verifying OSPF configuration

Troubleshooting OSPF

Configuration example: single-area OSPF

Configuration example: multiarea OSPF

Configuration example: traditional OSPFv3

Configuration example: OSPFv3 with address families

COMPARING OSPFV2 AND OSPFV3

Open Shortest Path First (OSPF) was developed in the
1980s and was standardized in 1989 as RFC 1131. The
current version of OSPF, OSPFv2, was standardized in
1998 as RFC 2328. Now that router technology has
dramatically improved, and with the arrival of IPv6,
rather than modify OSPFv2 for IPv6, it was decided to
create a new version of OSPF (OSPFv3), not just for
IPv6, but for other newer technologies as well. OSPFv3
was standardized in 2008 as RFC 5340.

In most Cisco documentation, if you see something refer

to OSPF, it is assumed to be referring to OSPFv2, and
working with the IPv4 protocol stack.

The earliest release of the OSPFv3 protocol worked with

IPv6 exclusively; if you needed to run OSPF for both
IPv4 and IPv6, you had to have OSPFv2 and OSPFv3
running concurrently. Newer updates to OSPFv3 allow
for OSPFv3 to handle both IPv4 and IPv6 address
families.

CONFIGURING OSPF

Router(con Starts OSPF process 123. The process ID

fig)# is any positive integer value between 1
router and 65,535. The process ID is not related
ospf 123 to the OSPF area. The process ID merely
distinguishes one process from another
within the device

Note
The process ID number of one router does not have to
match the process ID of any other router. Unlike
Enhanced Interior Gateway Routing Protocol (EIGRP),
matching this number across all routers does not ensure
that network adjacencies will form

Router(con OSPF advertises interfaces, not networks.

fig- It uses the wildcard mask to determine
router)# which interfaces to advertise. Read this
network line to say, “Any interface with an address
172.16.10. of 172.16.10.x is to run OSPF and be put
0 into area 0”

0.0.0.255
area 0

Router(con Configures the router to send a syslog

fig- message when there is a change of state
router)# between OSPF neighbors
log-
adjacency-
changes Tip

detail Although the log-adjacency-changes command is on

by default, only up/down events are reported unless
you use the detail keyword

Router(con Moves to interface configuration mode

fig)#
interface
gigabiteth
ernet 0/0

Router(con Enables OSPF area 0 directly on this

fig-if)# interface
ip ospf
123 area 0
Note

Because this command is configured directly on the

interface, it takes precedence over the network area
command entered in router configuration mode

Caution
Running two different OSPF processes does not create multiarea OSPF; it merely creates
two separate instances of OSPF that do not communicate with each other. To create
multiarea OSPF, you use two separate network statements and advertise two different links
into different areas. See the following section for examples.

CONFIGURING MULTIAREA OSPF

To create multiarea OSPF, you use two separate
network statements and advertise two different links
into different areas. You can also enable two different
areas on two different interfaces to achieve the same
result.

Router(config)# Starts OSPF process 1

router ospf 1

Router(config- Read this line to say, “Any

router)# network interface with an address of
172.16.10.0 172.16.10.x is to run OSPF and
0.0.0.255 area 0 be put into area 0”

Router(config- Read this line to say, “Any

router)# network interface with an exact address
10.10.10.1 of 10.10.10.1 is to run OSPF and
0.0.0.0 area 51 be put into area 51”

Router(config)# Moves to interface configuration

interface mode
gigabitethernet
0/0

Router(config- Enables OSPF area 0 directly on

if)# ip ospf 1 this interface
area 0
Note

Because this command is configured

directly on the interface, it takes
precedence over the network area
command entered in router configuration
mode

Router(config- Moves to interface configuration

if)# interface mode
gigabitethernet
0/1

Router(config- Enables OSPF area 51 directly

if)# ip ospf 1 on this interface
area 51

USING WILDCARD MASKS WITH OSPF

AREAS
When compared to an IP address, a wildcard mask
identifies what addresses are matched to run OSPF and
to be placed into an area:

A 0 (zero) in a wildcard mask means to check the

corresponding bit in the address for an exact match.
A 1 (one) in a wildcard mask means to ignore the
corresponding bit in the address—can be either 1 or 0.

Example 1: 172.16.0.0 0.0.255.255

172.16.0.0 =
10101100.00010000.00000000.00000000
0.0.255.255 = 00000000.00000000.11111111.11111111

Result = 10101100.00010000.xxxxxxxx.xxxxxxxx
172.16.x.x (anything between 172.16.0.0 and
172.16.255.255 matches the example statement)

Tip
An octet in the wildcard mask of all 0s means that the octet has to match the address
exactly. An octet in the wildcard mask of all 1s means that the octet can be ignored.

Example 2: 172.16.8.0 0.0.7.255

172.16.8.0 =
10101100.00010000.00001000.00000000

0.0.0.7.255 =
00000000.00000000.00000111.11111111
Result =
10101100.00010000.00001xxx.xxxxxxxx
00001xxx = 00001000 to 00001111 = 8–15
xxxxxxxx = 00000000 to 11111111 = 0–255
Anything between 172.16.8.0 and 172.16.15.255 matches
the example statement

Router(config- Read this line to say, “Any

router)# network interface with an exact address
172.16.10.1 of 172.16.10.1 is to run OSPF
0.0.0.0 area 0 and be put into area 0”

Router(config- Read this line to say, “Any

router)# network interface with an address of
172.16.0.0 172.16.x.x is to run OSPF and
0.0.255.255 area be put into area 0”
0

Router(config- Read this line to say, “Any

router)# network interface with any address is to
0.0.0.0 run OSPF and be put into area
255.255.255.255 0”
area 0

Tip
If you have problems determining which wildcard mask to use to place your interfaces into
an OSPF area, use the ip ospf process ID area area number command directly on the
interface.

Router(config)# Moves to interface

interface configuration mode
gigabitethernet 0/0

Router(config-if)# ip Places this interface

ospf 1 area 51 into area 51 of OSPF
process 1

Router(config-if)# Moves to interface

interface configuration mode
gigabitethernet 0/1

Router(config-if)# ip Places this interface

ospf 1 area 0 into area 0 of OSPF
process 1

Tip
If you assign interfaces to OSPF areas without first using the router ospf x command, the
router creates the router process for you, and it shows up in show running-config output.
CONFIGURING TRADITIONAL OSPFV3
OSPFv3 is a routing protocol for IPv4 and IPv6. Much of
OSPFv3 is the same as in OSPFv2. OSPFv3, which is
described in RFC 5340, expands on OSPFv2 to provide
support for IPv6 routing prefixes and the larger size of
IPv6 addresses. OSPFv3 also supports IPv6 and IPv4
unicast address families.

Enabling OSPF for IPv6 on an Interface

Router(co Enables the forwarding of IPv6 unicast

nfig)# datagrams globally on the router
ipv6
unicast-
routing Note

This command is required before any IPv6 routing

protocol can be configured

Router(co Moves to interface configuration mode

nfig)#
interface
gigabitet
hernet
0/0
Router(co Configures a global IPv6 address on the
nfig-if)# interface and enables IPv6 processing on
ipv6 the interface
address
2001:db8:
0:1::1/64

Router(co Enables traditional OSPFv3 process 1 on

nfig-if)# the interface and places this interface into
ipv6 ospf area 0
1 area 0

Note

The OSPFv3 process is created automatically when

OSPFv3 is enabled on an interface

Note

The ipv6 ospf x area y command has to be configured

on each interface that will take part in OSPFv3

Note
If a router ID has not been created first, the router may
return a “NORTRID” warning (no router ID) stating that
the process could not pick a router ID. It will then tell you
to manually configure a router ID

Router(co Assigns a priority number to this interface

nfig-if)# for use in the designated router (DR)
ipv6 ospf election. The priority can be a number
priority from 0 to 255. The default is 1. A router
30 with a priority set to 0 is ineligible to
become the DR or the backup DR (BDR)

Router(co Assigns a cost value of 20 to this

nfig-if)# interface. The cost value can be an integer
ipv6 ospf value from 1 to 65 535
cost 20

Router(co Configures a neighbor for use on

nfig-if)# nonbroadcast multiaccess (NBMA)
ipv6 ospf networks
neighbor
fe80::a8b
b:ccff:fe Note

00:c01 Only link-local addresses may be used in this command

OSPFv3 and Stub/NSSA Areas

Router(config Creates the OSPFv3 process if it has

)# ipv6 not already been created, and moves
router ospf to router configuration mode

Router(config The router is configured to be part of

-rtr)# area 1 a stub area
stub

Router(config The router is configured to be in a

-rtr)# area 1 totally stubby area. Only the ABR
stub no- requires this no-summary keyword
summary

Router(config The router is configured to be in an

-rtr)# area 1 NSSA
nssa

Router(config The router is configured to be in a

-rtr)# area 1 totally stubby, NSSA area. Only the
nssa no ABR requires the no summary
summary keyword
Interarea OSPFv3 Route Summarization

Router(config Creates the OSPFv3 process if it has

)# ipv6 not already been created, and moves
router ospf 1 to router configuration mode

Router(config Summarizes area 1 routes to the

-rtr)# area 1 specified summary address, at an
range area boundary, before injecting them
2001:db8::/48 into a different area

Enabling an IPv4 Router ID for OSPFv3

Router Creates the OSPFv3 process if it has not

(confi already been created, and moves to router
g)# configuration mode.
ipv6
router
ospf 1

Router Creates an IPv4 32-bit router ID for this

(confi router.
g-
rtr)#
router Note

-id
In OSPFv3 for IPv6, it is possible that no IPv4 addresses will be
192.16 configured on any interface. In this case, the user must use the
router-id command to configure a router ID before the OSPFv3
8.254. process will be started. If an IPv4 address does exist when
OSPFv3 for IPv6 is enabled on an interface, that IPv4 address is
255 used for the router ID. If more than one IPv4 address is available,
a router ID is chosen using the same rules as for OSPF Version
2.

Forcing an SPF Calculation

Router# clear The OSPF database is cleared and

ipv6 ospf 1 repopulated, and then the SPF
process algorithm is performed.

Router# clear The OSPF database is not cleared;

ipv6 ospf 1 just an SPF calculation is performed.
force-spf

Caution
As with OSPFv2, clearing the OSPFv3 database and forcing a recalculation of the shortest
path first (SPF) algorithm is processor intensive and should be used with caution.

OSPFV3 ADDRESS FAMILIES

The OSPFv3 address families feature is supported as of
Cisco IOS Release 15.1(3)S and Cisco IOS Release
15.2(1)T. Cisco devices that run software older than
these releases and third-party devices will not form
neighbor relationships with devices running the address
families feature for the IPv4 address family because they
do not set the address family bit. Therefore, those
devices will not participate in the IPv4 address family
SPF calculations and will not install the IPv4 OSPFv3
routes in the IPv6 RIB.

Note
Devices running OSPFv2 will not communicate with devices running OSPFv3 for IPv4.

Note
To use the IPv4 unicast address families (AFs) in OSPFv3, you must enable IPv6 on a link,
although the link may not be participating in IPv6 unicast AF.

Note
With the OSPFv3 address families feature, users may have two processes per interface, but
only one process per AF. If the AF is IPv4, an IPv4 address must first be configured on the
interface, but IPv6 must be enabled on the interface.
Configuring the IPv6 Address Family in OSPFv3

Router(config)# Enables OSPFv3 router

router ospfv3 1 configuration mode for the
IPv4 or IPv6 address family

Router(config- Enters IPv6 address family

router)# address- configuration mode for
family ipv6 OSPFv3
unicast
Notice the prompt change
Router(config-
router-af)#

Router(config)# Enters interface configuration

interface mode for the GigabitEthernet
gigabitethernet 0/0 interface
0/0

Router(config-if)# Places the interfaces in area 0

ospfv3 1 ipv6 area for the IPv6 address family
0
Configuring the IPv4 Address Family in OSPFv3

Router(config)# Enables OSPFv3 router

router ospfv3 1 configuration mode for the
IPv4 or IPv6 address family

Router(config- Enters IPv4 address family

router)# address- configuration mode for
family ipv4 OSPFv3
unicast
Notice the prompt change
Router(config-
router-af)#

Router(config)# Enters interface configuration

interface mode for the GigabitEthernet
gigabitethernet 0/0 interface
0/0

Router(config-if)# Places the interfaces in area 0

ospfv3 1 ipv4 area for the IPv4 address family
0
Applying Parameters in Address Family
Configuration Mode

Router(config- Summarizes area 1 routes to the

router-af)# area specified summary address, at an
1 range area boundary, before injecting
2001:db8:0:0::0/ them into a different area
56

Router(config- Resets OSPFv3 area 1 parameters

router-af)# to their default values
default area 1

Router(config- Summarizes area 0 routes to

router-af)# area specified summary address,
0 range before injecting them into a
172.16.0.0 different area
255.255.0.0

Router(config- Sets default metric values for

router-af)# IPv4 and IPv6 routes
default-metric redistributed into the OSPFv3
10 routing protocol

Router(config- Sets the maximum number of

router-af)# equal-cost routes that a process
maximum-paths 4 for OSPFv3 routing can support

Note

The maximum number of paths you can set

is platform dependent

Router(config- Configures an IPv6 summary

router-af)# prefix. This is done on an
summary-prefix Autonomous System Border
2001:0:0:10::/60 Router (ASBR)

Note
Other commands that are available in AF mode include the following:
area nssa
area stub
passive-interface
router-id

AUTHENTICATION FOR OSPF

Authentication for routers using OSPF relies on the use
of predefined passwords.
Configuring OSPFv2 Authentication: Simple
Password

Router(confi Starts OSPF process 1

g)# router
ospf 1

Router(confi Enables simple authentication;

g-router)# password will be sent in clear text for
area 0 the entire area
authenticati
on

Router(confi Returns to global configuration mode

g-router)#
exit

Router(confi Moves to interface configuration

g)# mode
interface
gigabitether
net 0/0

Router(confi Another way to enable authentication

g-if)# ip if it has not been set up in router
ospf configuration mode shown earlier
authenticati
on

Router(confi Sets key (password) to cleartxt

g-if)# ip
ospf
authenticati Note

on-key
The password can be any continuous string of
cleartxt characters that can be entered from the keyboard,
up to eight characters in length. To be able to
exchange OSPF information, all neighboring
routers on the same network must have the same
password

Configuring OSPFv2 Cryptographic Authentication:

MD5

Router(config)# Starts OSPF process 13

router ospf 13

Router(config- Enables authentication with

router)# area 0 MD5 password encryption for
the entire area
authentication
message-digest
Note

MD5 authentication can also be enabled

directly on the interface using the ip ospf
authentication message-digest
command in interface configuration mode

Router(config- Returns to global configuration

router)# exit mode

Router(config)# Moves to interface configuration

interface mode
gigabitethernet
0/0

Router(config- Provides another way to enable

if)# ip ospf authentication if it has not been
authentication set up in router configuration
message-digest mode shown earlier

Router(config- 1 is the key ID. This value must

if)# ip ospf be the same as that of your
message-digest- neighboring router
key 1 md5 secret
md5 indicates that the MD5
hash algorithm will be used

secret is the key (password) and

must be the same as that of your
neighboring router

Tip
It is recommended that you keep no more than one key per interface. Every time you add a
new key, you should remove the old key to prevent the local system from continuing to
communicate with a hostile system that knows the old key.

Note
If the service password-encryption command is not used when configuring OSPF
authentication, the key will be stored as plain text in the router configuration. If you use the
service password-encryption command, there will be an encryption type of 7 specified
before the encrypted key.

Configuring OSPFv2 Cryptographic Authentication:

SHA-256
Starting with Cisco IOS Release 15.4(1)T, OSPFv2
supports SHA hashing authentication using key chains.
Cisco refers to this feature as OSPFv2 Cryptographic
Authentication. The feature prevents unauthorized or
invalid routing updates in a network by authenticating
OSPFv2 protocol packets using HMAC-SHA-256
algorithms.

Router(config)# Specifies the key chain name

key chain and enters key-chain
samplechain configuration mode

Router(config- Specifies the key identifier

keychain)# key 1 and enters key-chain key
configuration mode. The
range is from 1 to 255

Router(config- Specifies the key string

keychain-key)#
key-string
ThisIsASampleKey54
321

Router(config- Configures the key with the

keychain-key)# specified cryptographic
cryptographic- algorithm.
algorithm hmac-
sha-256 Options for SHA are platform
dependent but can include
SHA-1, SHA-256, SHA-384,
and SHA-512

Router(config- Sets the time period during

keychain-key)# which an authentication key
send-lifetime on a key chain is valid to be
local 10:00:00 15 sent during key exchange with
October 2019 another device
infinite

Router(config- Exits key-chain key

keychain-key)# configuration mode and
exit returns to key-chain
configuration mode

Router(config- Exits key-chain configuration

keychain)# exit mode and returns to global
configuration mode

Router(config)# Enters interface configuration

interface mode
gigabitethernet
0/0

Router(config-if)# Specifies the key chain for the

ip ospf interface
authentication
key-chain
samplechain

Configuring OSPFv3 Authentication and Encryption

Tip
OSPFv3 requires the use of IPsec to enable authentication. Crypto images are therefore
needed for authentication, as they are the only images that include the IPsec application
programming interface (API) needed for use with OSPFv3.

Note
Authentication and encryption do not need to be done on both the interface and on the area,
but rather only in one location. The following section shows both methods.

Note
RFC 7166 adds non-IPsec cryptographic authentication to OSPFv3. It is now possible to use
the SHA encryption method previously described thanks to the addition of a new
Authentication Trailer (AT) to OSPFv3 packets. The command to apply the key chain to an
interface for use with OSPFv3 is ospfv3 x authentication key-chain. The key chain can
also be applied to an entire area with the area x authentication key-chain router
configuration command.

Router(config)# Moves to interface

interface configuration mode
gigabitethernet 0/0
Router(config-if)# Applies authentication
ipv6 ospf policy to the interface.
authentication ipsec
spi 500 md5 spi (security policy index)
1234567890abcdef12345 is analogous to key
67890abcdef numbers in a key chain
but is communicated via
the Authentication
Header (AH). The SPI is a
number between 256 and
4 294 967 295

md5 = using the MD5

hash algorithm. SHA1 is
also an option

Note

The key string length is

precise; it must be 32 hex
digits for MD5 or 40 for SHA1

Router(config-if)# Alternative way of

ospfv3 authentication applying authentication
ipsec spi 500 md5 policy to the interface
1234567890abcdef12345
67890abcdef

Router(config-if)# Specifies the encryption

ipv6 ospf encryption type for the interface to
ipsec spi 256 esp AES-128 and the
aes-cbc 128 authentication type to
123456789012345678901 SHA
234567890AB sha1
123456789012345678901
2345678901234567890

Router(config-if)# Alternative way of

ospfv3 encryption specifying the encryption
ipsec spi 257 esp type for the interface. In
aes-cbc 128 this example, AES-128 is
123456789012345678901 enabled for encryption

234567890AB md5 and MD5 is enabled for

authentication
123456789012345678901
234567890AB

Router(config-if)# Returns to global

exit configuration mode

Router(config)# Moves to routing protocol

configuration mode
router ospfv3 1

Router(config- Applies authentication

router)# area 0 policy to an entire area
authentication ipsec
spi sha1
123456789012345678901
2345678901234567890

Router(config- Enables AES-128

router)# area 0 encryption and SHA
encryption ipsec spi authentication for the
300 esp aes-cbc 128 entire area
123456789012345678901
234567890AB sha1
123456789012345678901
2345678901234567890

Router(config- Returns to global

router)# exit configuration mode

Verifying OSPFv2 and OSPFv3 Authentication

Router# show Displays OSPF neighbor table.
ip ospf Incorrect authentication
neighbor configuration will prevent neighbor
relationships from forming

Router# show Displays the OSPF routes in the

ip route ospf routing table. Incorrect
authentication configuration will
prevent routes from being inserted
into the routing table

Router# show Displays the OSPFv3 neighbor table

ospfv3
neighbor

Router# show Displays the OSPFv3 routes in the

ipv6 route routing table
ospf

Router# show Verifies authentication setup on a

ip ospf specific interface
interface
gigabitethern
et 0/0

Router# show Displays IPsec security associations

crypto ipsec on a specific interface
sa interface
gigabitethern
et 0/0

Router# debug Displays information about OSPF

ip ospf adj adjacencies and authentication for
IPv4

Router# debug Displays information about OSPF

ipv6 ospf adj adjacencies and authentication for
IPv6

OPTIMIZING OSPF PARAMETERS

The following sections are optional but may be required
in your tuning of OSPF for your network.

Loopback Interfaces

Router(config)# Creates a virtual interface

interface named Loopback 0 and then
loopback 0 moves the router to interface
configuration mode
Router(config- Assigns the IP address to the
if)# ip address interface
192.168.100.1
255.255.255.255
Note

Loopback interfaces are always “up and

up” and do not go down unless
manually shut down. This makes
loopback interfaces great for use as an
OSPF router ID

Router ID

Router( Starts OSPF process 1

config)
#
router
ospf 1

Router( Sets the router ID to 10.1.1.1. If this

config- command is used on an OSPF router process
router) that is already active (has neighbors), the
# new router ID is used at the next reload or at
router- a manual OSPF process restart
id
10.1.1.
1

Router( Removes the static router ID from the

config- configuration. If this command is used on an
router) OSPF router process that is already active
# no (has neighbors), the old router ID behavior is
router- used at the next reload or at a manual OSPF
id process restart

10.1.1.
1

Router( Sets the router ID to 10.1.1.1 in address

config- family configuration mode
router-
af)#
router- Note

id This works for either IPv4 or IPv6 address-family configuration

10.1.1. mode, and also under the global OSPFv3 process. When
entered there, the command applies to both address families
1

Note
To choose the router ID at the time of OSPF process initialization, the router uses the
following criteria in this specific order:

1. Use the router ID specified in the router-id w.x.y.z command.

2. Use the highest IP address of all active loopback interfaces on the router.
3. Use the highest IP address among all active nonloopback interfaces.

Note
To have the manually configured router ID take effect, you must clear the OSPF routing
process with the clear ip ospf process command.

Note
There is no IPv6 form of router ID. All router IDs are 32-bit numbers in the form of an IPv4
address. Even if a router is running IPv6 exclusively, the router ID is still in the form of an
IPv4 address.

DR/BDR Elections

Route Enters interface configuration mode

r(con
fig)#
inter
face
gigab
iteth
ernet
0/0
Route Changes the OSPF interface priority to 50
r(con
fig-
if)# Note

ip
The assigned priority can be between 0 and 255. A priority of 0
ospf makes the router ineligible to become a designated router (DR) or
backup designated router (BDR). The highest priority wins the
prior election and becomes the DR; the second highest priority becomes
the BDR. A priority of 255 guarantees at least a tie in the election—
ity assuming another router is also set to 255. If all routers have the
same priority, regardless of the priority number, they tie. Ties are
50 broken by the highest router ID. The default priority setting is 1

Tip

Do not assign the same priority value to more than one router

Route Changes the interface priority to 100 for

r(con traditional OSPFv3
fig-
if)#
ipv6
ospf
prior
ity
100
Route Changes the interface priority to 100 for all
r(con OSPFv3 address families. It is possible to assign
fig- different priority values for each address family
if)# (IPv4 or IPv6)
ospfv
3 1
prior
ity
100

Passive Interfaces

Router(con Starts OSPF process 1

fig)#
router ospf
1

Router(con Read this line to say, “Any interface with

fig- an address of 172.16.10.x is to be put
router)# into area 0”
network
172.16.10.0
0.0.0.255
area 0

Router(con Disables the sending of any OSPF

fig- packets on this interface
router)#
passive-
interface
gigabiteth
ernet 0/0

Router(con Disables the sending of any OSPF

fig- packets out all interfaces
router)#
passive-
interface
default

Router(con When entered following the passive

fig- interface default command, enables
router)# OSPF packets to be sent out interface
no passive- Serial 0/0/1, thereby allowing neighbor
interface adjacencies to form
serial
0/0/1
Router(con Disables the sending of any OSPF
fig-router- packets on this interface for a specific
af)# OSPFv3 address family. It is possible to
passive- apply the passive-interface command
interface under the global OSPFv3 process or
gigabiteth under each address family

ernet 0/0

Modifying Cost Metrics

Router Enters interface configuration mode

(confi
g)#
interf
ace
serial
0/0/0

Router If you change the bandwidth, OSPF will

(confi recalculate the cost of the link
g-if)#
bandwi
dth Note

128
The cost of a link is determined by dividing the reference
bandwidth by the interface bandwidth
Or

Router
(confi Changes the cost to a value of 1564

g-if)#
ip The bandwidth of the interface is a number
ospf between 1 and 10 000 000. The unit of
cost measurement is kilobits per second (Kbps).
1564 The cost is a number between 1 and 65 535.
The cost has no unit of measurement; it is just
a number

Router The OSPFv3 interface cost can be modified

(confi globally for all address families or for a
g-if)# specific address family
ospfv3
1 cost
5000

OSPF Reference Bandwidth

Router(conf Starts OSPF process 1

ig)# router
ospf 1

Router(conf Changes the reference bandwidth that

ig-router)# OSPF uses to calculate the cost of an
auto-cost interface
reference-
bandwidth
1000 Note

The range of the reference bandwidth is 1 to 4 294

967 294. The default is 100. The unit of
measurement is megabits per second (Mbps)

Note

The value set by the ip ospf cost command

overrides the cost resulting from the auto-cost
command

Tip

If you use the command auto-cost reference-

bandwidth reference-bandwidth, you need to
configure all the routers to use the same value.
Failure to do so will result in routers using a
different reference cost to calculate the shortest
path, resulting in potential suboptimum routing
paths
OSPF LSDB Overload Protection

Router(con Starts OSPF process 1

fig)#
router
ospf 1

Router(con Limits the number of non-self-generated

fig- LSAs that this process can receive to 12
router)# 000. This number can be between 1 and 4
max-lsa 294 967 294
12000

Note
If other routers are configured incorrectly, causing, for example, a redistribution of a large
number of prefixes, large numbers of LSAs can be generated. This can drain local CPU and
memory resources. With the max-lsa x feature enabled, the router keeps count of the
number of received (non-self-generated) LSAs that it keeps in its LSDB. An error message is
logged when this number reaches a configured threshold number, and a notification is sent
when it exceeds the threshold number.

If the LSA count still exceeds the threshold after 1

minute, the OSPF process takes down all adjacencies
and clears the OSPF database. This is called the ignore
state. In the ignore state, no OSPF packets are sent or
received by interfaces that belong to the OSPF process.
The OSPF process will remain in the ignore state for the
time that is defined by the ignore-time parameter. If
the OSPF process remains normal for the time that is
defined by the reset-time parameter, the ignore state
counter is reset to 0.

Timers

Router(con Changes the hello interval timer to 20

fig-if)# seconds
ip ospf
hello-
interval
timer 20

Router(con Changes the dead interval timer to 80

fig-if)# seconds
ip ospf
dead-
interval
80
Router(con Changes the hello interval to 3 seconds
fig-if)# for the OSPFv3 IPv4 address family. It is
ospfv3 1 possible to modify the hello interval for
ipv4 the global OSPFv3 process or for
hello- individual address families
interval 3

Router(con Changes the dead interval to 12 seconds

fig-if)# for the OSPFv3 IPv6 address family. It is
ospfv3 1 possible to modify the dead interval for
ipv6 dead- the global OSPFv3 process or for
interval individual address families
12

Note

Hello and dead interval timers must match for routers to

become neighbors

Note
The default hello timer is 10 seconds on multiaccess and point-to-point segments. The
default hello timer is 30 seconds on nonbroadcast multiaccess (NBMA) segments such as
Frame Relay, X.25, or ATM.

Note
The default dead interval timer is 40 seconds on multiaccess and point-to-point segments.
The default hello timer is 120 seconds on NBMA segments such as Frame Relay, X.25, or
ATM.

Note
If you change the hello interval timer, the dead interval timer will automatically be adjusted to
four times the new hello interval timer.

IP MTU
The IP maximum transmission unit (MTU) parameter
determines the maximum size of a packet that can be
forwarded without fragmentation.

Router(config)# Moves to interface configuration

interface mode
gigabitethernet
0/0

Router(config- Changes the MTU size to 1400

if)# ip mtu 1400 bytes. The range of this
command is 68 to 1500 bytes

Caution
The MTU size must match between all OSPF neighbors on a link. If OSPF routers have
mismatched MTU sizes, they will not form a neighbor adjacency.
PROPAGATING A DEFAULT ROUTE

Router(config Creates a default route

)# ip route
0.0.0.0
0.0.0.0
serial 0/0/0

Router(config Starts OSPF process 1

)# router
ospf 1

Router(config Sets the default route to be

-router)# propagated to all OSPF routers
default-
information
originate

Router(config The always option will propagate a

-router)# default “quad-0” route even if this
default- router does not have a default route
information itself
originate
always Note

The default-information originate command or

the default-information originate always
command is usually configured on the “entrance”
or “gateway” router, the router that connects your
network to the outside world—the Autonomous
System Boundary Router (ASBR)

Router(config Sets the default route to be

-router-af)# propagated to all OSPFv3 routers for
default- a specific address family
information
originate
Note

This works for either IPv4 or IPv6 address-family

configuration mode

Router(config Sets the default route to be

-router-af)# propagated to all OSPFv3 routers for
default- a specific address family even if this
information router does not have a default route
originate itself
always

Note
This works for either IPv4 or IPv6 address-family
configuration mode

ROUTE SUMMARIZATION
In OSPF, there are two different types of
summarization:

Interarea route summarization

External route summarization

Interarea Route Summarization

Note
Interarea route summarization is to be configured on an ABR only.

Note
By default, ABRs do not summarize routes between areas.

Router(config)# Starts OSPF process 1

router ospf 1
Router(config- Summarizes area 1 routes to the
router)# area 1 specified summary address, before
range injecting them into a different
192.168.64.0 area
255.255.224.0

Router(config- Summarizes area 1 routes to the

router-af)# specified summary address, before
area 1 range injecting them into a different
192.168.64.0 area using the OSPFv3 IPv4
255.255.224.0 address family

Router(config- Summarizes area 1 routes to the

router-af)# specified summary address, before
area 1 range injecting them into a different
2001:db8:0:10:: area using the OSPFv3 IPv6
/60 address family

External Route Summarization

Note
External route summarization is to be configured on an ASBR only.

Note
By default, ASBRs do not summarize routes.

Router(config Starts OSPF process 1

)# router
ospf 1

Router(config Advertises a single route for all the

-router)# redistributed routes that are covered
summary- by a specified network address and
address netmask
192.168.64.0
255.255.224.0

Router(config Advertises a single route for all the

-router-af)# redistributed routes that are covered
summary- by a specified network address and
prefix netmask in OSPFv3 IPv4 address
192.168.64.0 family configuration mode
255.255.224.0

Router(config Advertises a single route for all the

-router-af)# redistributed routes that are covered
summary- by a specified network address and
prefix
2001:db8:0:10 netmask in OSPFv3 IPv6 address
::/60 family configuration mode

OSPF ROUTE FILTERING

This section covers four methods of applying route
filtering to OSPF:

Using the filter-list command

Using the area range not-advertise command

Using the distribute-list in command

Using the summary-address not-advertise

command

Using the filter-list Command

ABR(config)# ip Defines a prefix list called

prefix-list MyPFList that permits all
MyPFList permit 172.16.0.0 prefixes with a
172.16.0.0/16 le mask between /16 and /32
32

ABR(config)# Enters OSPF process 202

router ospf 202

ABR(config- Uses a prefix list called

router)# area 1 MyPFList to filter Type-3
filter-list prefix LSAs coming out of area 1
MyPFList out

ABR(config- Uses a prefix list called

router)# area 1 MyPFList to filter Type-3
filter-list prefix LSAs going into area 1
MyPFList in

Using the area range not-advertise Command

ABR(config)# router Enters OSPF process 202

ospf 202

ABR(config-router)# Filters the 10.1.1.0/24

area 1 range prefix from being
10.1.1.0 advertised out of area 1 as
255.255.255.0 not- a Type-3 Summary LSA
advertise
Using the distribute-list in Command

ABR(config)# Defines an ACL that permits

access-list 1 the 192.168.1.0/24 prefix
permit 192.168.1.0
0.0.0.255

ABR(config)# router Enters OSPF process 202

ospf 202

ABR(config-router)# Allows the router to only

distribute-list 1 learn the 192.168.1.0/24
in prefix

Note

The inbound logic does not filter

inbound LSAs; it instead filters the
routes that SPF chooses to add to
its own local routing table

Note
It is also possible to use a prefix list or a route map with the distribute-list command instead
of an ACL.

Using the summary-address not-advertise

Command

ASBR(config)# router Enters OSPF process 202

ospf 202

ASBR(config-router)# Filters the 172.17.10/24

summary-address prefix from being
172.17.10 advertised into the OSPF
255.255.255.0 not- network as a Type-5
advertise External LSA

Note

This command is only applied to

an ASBR

Note
Recall that the summary-address command is replaced by the summary-prefix command
under OSPFv3.
OSPF SPECIAL AREA TYPES
This section covers four different special areas with
respect to OSPF:

Stub areas

Totally stubby areas

Not-so-stubby areas (NSSAs)

Totally NSSA

Stub Areas

ABR(config)# Starts OSPF process 1

router ospf 1

ABR(config- Read this line to say, “Any

router)# network interface with an address of
172.16.10.0 172.16.10.x is to run OSPF and
0.0.0.255 area 0 be put into area 0”

ABR(config- Read this line to say, “Any

router)# network interface with an address of
172.16.20.0 172.16.20.x is to run OSPF and
0.0.0.255 area 51 be put into area 51”
ABR(config- Defines area 51 as a stub area
router)# area 51
stub

ABR(config- Defines the cost of a default

router)# area 51 route sent into the stub area.
default-cost 10 Default is 1

Note

This is an optional command

ABR(config- Defines area 51 as a stub area

router-af)# area in OSPFv3 address-family
51 stub configuration mode

Note

The command works for both IPv4 and

IPv6 address families

Internal(config)# Starts OSPF process 1

router ospf 1
Internal(config- Read this line to say, “Any
router)# network interface with an address of
172.16.20.0 172.16.20.x is to run OSPF and
0.0.0.255 area 51 be put into area 51”

Internal(config- Defines area 51 as a stub area

router)# area 51
stub
Note

All routers in the stub area must be

configured with the area x stub
command, including the Area Border
Router (ABR)

Internal(config- Defines area 51 as a stub area

router-af)# area in OSPFv3 address-family
51 stub configuration mode

Note

The command works for both IPv4 and

IPv6 address families
Totally Stubby Areas

ABR(config)# Starts OSPF process 1

router ospf 1

ABR(config- Read this line to say, “Any

router)# network interface with an address of
172.16.10.0 172.16.10.x is to run OSPF and
0.0.0.255 area 0 be put into area 0”

ABR(config- Read this line to say, “Any

router)# network interface with an address of
172.16.20.0 172.16.20.x is to run OSPF and
0.0.0.255 area 51 be put into area 51”

ABR(config- Defines area 51 as a totally

router)# area 51 stubby area
stub no-summary

ABR(config- Defines area 51 as a totally

router-af)# area stubby area in OSPFv3
51 stub no- address-family configuration
summary mode
Note

The command works for both IPv4 and

IPv6 address families

Internal(config)# Starts OSPF process 1

router ospf 1

Internal(config- Read this line to say, “Any

router)# network interface with an address of
172.16.20.0 172.16.20.x is to run OSPF and
0.0.0.255 area 51 be put into area 51”

Internal(config- Defines area 51 as a stub area

router)# area 51
stub
Note

Whereas all internal routers in the area

are configured with the area x stub
command, the ABR is configured with
the area x stub no-summary
command

Internal(config- Defines area 51 as a stub area

router-af)# area in OSPFv3 address-family
51 stub configuration mode
Note

The command works for both IPv4 and

IPv6 address families

Not-So-Stubby Areas (NSSA)

ABR(config)# Starts OSPF process 1

router ospf 1

ABR(config- Read this line to say, “Any

router)# network interface with an address of
172.16.10.0 172.16.10.x is to run OSPF and
0.0.0.255 area 0 be put into area 0”

ABR(config- Read this line to say, “Any

router)# network interface with an address of
172.16.20.0 172.16.20.x is to run OSPF and
0.0.0.255 area 1 be put into area 1”

ABR(config- Defines area 1 as an NSSA

router)# area 1
nssa

ABR(config- Defines area 1 as an NSSA in

router-af)# area OSPFv3 address-family
1 nssa configuration mode

Note

The command works for both IPv4 and

IPv6 address families

Internal(config)# Starts OSPF process 1

router ospf 1

Internal(config- Read this line to say, “Any

router)# network interface with an address of
172.16.20.0 172.16.20.x is to run OSPF and
0.0.0.255 area 1 be put into area 1”

Internal(config- Defines area 1 as an NSSA

router)# area 1
nssa
Note

All routers in the NSSA stub area must

be configured with the area x nssa
command

Internal(config- Defines area 1 as an NSSA in

router-af)# area OSPFv3 address-family
1 nssa configuration mode

Note

The command works for both IPv4 and

IPv6 address families

Totally NSSA

ABR(config)# Starts OSPF process 1

router ospf 1

ABR(config- Read this line to say, “Any

router)# network interface with an address of
172.16.10.0 172.16.10.x is to run OSPF and
0.0.0.255 area 0 be put into area 0”
ABR(config- Read this line to say, “Any
router)# network interface with an address of
172.16.20.0 172.16.20.x is to run OSPF and
0.0.0.255 area 11 be put into area 11”

ABR(config- Defines area 11 as a totally

router)# area 11 NSSA
nssa no-summary

ABR(config- Defines area 11 as a totally

router-af)# area NSSA in OSPFv3 address-
11 nssa no- family configuration mode
summary

Note

The command works for both IPv4 and

IPv6 address families

Internal(config)# Starts OSPF process 1

router ospf 1

Internal(config- Read this line to say, “Any

router)# network interface with an address of
172.16.20.0 172.16.20.x is to run OSPF and
0.0.0.255 area 11 be put into area 11”
Internal(config- Defines area 11 as an NSSA
router)# area 11
nssa
Note

Whereas all internal routers in the area,

including the ASBR, are configured with
the area x nssa command, the ABR is
configured with the area x nssa no-
summary command

Internal(config- Defines area 11 as a totally

router-af)# area NSSA in OSPFv3 address-
11 nssa family configuration mode

Note

The command works for both IPv4 and

IPv6 address families

VIRTUAL LINKS
In OSPF, all areas must be connected to a backbone
area. If there is a break in backbone continuity, or the
backbone is purposefully partitioned, you can establish
a virtual link. The two endpoints of a virtual link are
ABRs. The virtual link must be configured in both
routers. The configuration information in each router
consists of the other virtual endpoint (the other ABR)
and the non-backbone area that the two routers have in
common (called the transit area). A virtual link is a
temporary solution to a topology problem.

Note
Virtual links cannot be configured through stub areas.

Note
One of these two routers must be connected to the backbone.

Note
The routers establishing the virtual link do not have to be directly connected.

Configuration Example: Virtual Links

Figure 5-1 shows the network topology for the
configuration that follows, which demonstrates how to
create a virtual link.
Figure 5-1 Virtual Areas: OSPF

RTA(config)# Starts OSPF process 1

router ospf 1

RTA(config- Sets the router ID to 10.0.0.2

router)# router-
id 10.0.0.2

RTA(config- Read this line to say, “Any

router)# network interface with an address of
192.168.0.0 192.168.0.x is to run OSPF and
0.0.0.255 area 51 be put into area 51”

RTA(config- Read this line to say, “Any

router)# network interface with an address of
192.168.1.0 192.168.1.x is to run OSPF and
0.0.0.255 area 3 be put into area 3”
RTA(config- Creates a virtual link with RTB
router)# area 3
virtual-link
10.0.0.1

RTB(config)# Starts OSPF process 1

router ospf 1

RTB(config- Sets the router ID to 10.0.0.1

router)# router-
id 10.0.0.1

RTB(config- Read this line to say, “Any

router)# network interface with an address of
192.168.1.0 192.168.1.x is to run OSPF and
0.0.0.255 area 3 be put into area 3”

RTB(config- Read this line to say, “Any

router)# network interface with an address of
192.168.2.0 192.168.2.x is to run OSPF and
0.0.0.255 area 0 be put into area 0”

RTB(config- Creates a virtual link with RTA

router)# area 3
virtual-link
10.0.0.2

Note
According to RFC 5838, OSPFv3 only supports virtual links for the IPv6 address family.
Virtual links are not supported for the IPv4 address family.

VERIFYING OSPF CONFIGURATION

Router# show ip Displays parameters for all

protocols protocols running on the
router

Router# show ip Displays a complete IP routing

route table

Router# show ip Displays the OSPF routes in

route ospf the routing table

Router# show ip Displays the OSPFv3 routes in

route ospfv3 the routing table

Router# show ip Displays basic information

ospf about OSPF routing processes

Router# show ip Displays border and boundary

ospf border- router information
routers

Router# show ip Displays the contents of the

ospf database OSPF database

Router# show ip Displays Type-4 LSAs

ospf database
asbr-summary

Router# show ip Displays Type-5 LSAs

ospf database
external

Router# show ip Displays NSSA external link

ospf database states
nssa-external

Router# show ip Displays network LSAs

ospf

database network
Router# show ip Displays locally generated
ospf database LSAs
router self-
originate

Router# show ip Displays a summary of the

ospf database OSPF database
summary

Router# show ip Displays OSPF info as it relates

ospf interface to all interfaces

Router# show ip Displays OSPF information for

ospf interface interface GigabitEthernet 0/0
gigabitethernet
0/0

Router# show ip Lists all OSPF neighbors and

ospf neighbor their states

Router# show ip Displays a detailed list of

ospf neighbor neighbors
detail
Router# show ipv6 Displays the status of
interface interfaces configured for IPv6

Router# show ipv6 Displays a summarized status

interface brief of interfaces configured for
IPv6

Router# show ipv6 Displays IPv6 neighbor

neighbors discovery cache information

Router# show ipv6 Displays general information

ospf about the OSPFv3 routing
process

Router# show ipv6 Displays the internal OSPF

ospf border- routing table entries to an ABR
routers or ASBR

Router# show ipv6 Displays OSPFv3-related

ospf database database information

Router# show ipv6 Displays how many of each

ospf database type of LSA exist for each area
database-summary in the database
Router# show ipv6 Displays OSPFv3-related
ospf interface interface information

Router# show ipv6 Displays OSPFv3-related

ospf neighbor neighbor information

Router# show ipv6 Displays parameters and the

ospf virtual-links current state of OSPFv3 virtual
links

Router# show ipv6 Displays the parameters and

protocols current state of the active IPv6
routing protocol processes

Router# show ipv6 Displays the current IPv6

route routing table

Router# show ipv6 Displays a summarized form of

route summary the current IPv6 routing table

Router# show ipv6 Displays IPv6 router

routers advertisement information
received from other routers

Router# show ipv6 Displays statistics about IPv6

traffic traffic

Router# show ip Displays information about

ospf virtual-links virtual links

Router# show Displays the OSPFv3 database

ospfv3 database

Router# show Displays OSPFv3 neighbor

ospfv3 neighbor information on a per-interface
basis

TROUBLESHOOTING OSPF

Router# clear Clears the entire routing table,

ip route * forcing it to rebuild

Router# clear Clears a specific route to network

ip route a.b.c.d
a.b.c.d

Router# clear Deletes all routes from the IPv6

ipv6 route * routing table
Router# clear Clears this specific route from the
ipv6 route IPv6 routing table
2001:db8:c18:3
::/64

Router# clear Resets IPv6 traffic counters

ipv6 traffic

Router# clear Resets OSPF counters

ip ospf
counters

Router# clear Resets the entire OSPF process,

ip ospf forcing OSPF to re-create
process neighbors, database, and routing
table

Router# clear Resets OSPF process 13, forcing

ip ospf 13 OSPF to re-create neighbors,
process database, and routing table

Router# clear Resets the entire OSPFv3 process,

ipv6 ospf forcing OSPFv3 to re-create
process neighbors, database, and routing
table
Router# clear Resets OSPFv3 process 13, forcing
ipv6 ospf 13 OSPF to re-create neighbors,
process database, and routing table

Router# debug Displays all OSPF events

ip ospf events

Router# debug Displays various OSPF states and

ip ospf DR/BDR election between
adjacency adjacent routers

Router# debug Displays debug messages about the

ipv6 ospf OSPF adjacency process
adjacency

Router# debug Displays debug messages for IPv6

ipv6 packet packets

Router# debug Displays information about each

ip ospf packet OSPF packet received

Router# debug Displays debug messages for IPv6

ipv6 routing routing table updates and route
cache updates
Router# Turns off all debug commands
undebug all

CONFIGURATION EXAMPLE: SINGLE-

AREA OSPF
Figure 5-2 shows the network topology for the
configuration that follows, which demonstrates how to
configure single-area OSPF using the commands
covered in this chapter.
Figure 5-2 Network Topology for Single-Area OSPF
Configuration

Austin Router

Austin(config)# Starts OSPF process 1

router ospf 1

Austin(config- Read this line to say, “Any

router)# network interface with an address of
172.16.10.0 172.16.10.x is to run OSPF and
0.0.0.255 area 0 be put into area 0”

Austin(config- Read this line to say, “Any

router)# network interface with an address of
172.16.20.0 172.16.20.x is to run OSPF and
0.0.0.255 area 0 be put into area 0”

Austin(config- Returns to privileged EXEC

router)# <CTRL> z mode

Austin# copy Saves the configuration to

running-config NVRAM
startup-config

Austin(config)# Moves to interface

interface configuration mode
gigabitethernet
0/0

Austin(config- Enables OSPF area 0 on this

if)# ip ospf 1 interface
area 0

Austin(config- Moves to interface

if)# interface configuration mode
serial 0/0/0

Austin(config- Enables OSPF area 0 on this

if)# ip ospf 1 interface
area 0

Austin(config- Returns to privileged EXEC

if)# <CTRL> z mode

Austin# copy Saves the configuration to

running-config NVRAM
startup-config

Houston Router

Houston(confi Starts OSPF process 1

g)# router
ospf 1
Houston(confi Read this line to say, “Any interface
g-router)# with an address of 172.16.x.x is to
network run OSPF and be put into area 0.”
172.16.0.0 One statement will now advertise all
0.0.255.255 three interfaces
area 0

Houston(confi Returns to privileged EXEC mode

g-router)#
<CTRL> z

Houston# copy Saves the configuration to NVRAM

running-
config
startup-
config

Houston(confi Moves to interface configuration

g)# interface mode
gigabitethern
et 0/0

Houston(confi Enables OSPF area 0 on this

g-if)# ip interface
ospf 1 area 0

Houston(confi Moves to interface configuration

g-if)# mode
interface
serial 0/0/0

Houston(confi Enables OSPF area 0 on this

g-if)# ip interface
ospf 1 area 0

Houston(confi Moves to interface configuration

g)# interface mode
serial 0/0/1

Houston(confi Enables OSPF area 0 on this

g-if)# ip interface
ospf 1 area 0

Houston(confi Returns to privileged EXEC mode

g-if)# <CTRL>
z

Houston# copy Saves the configuration to NVRAM

running-
config
startup-
config

Galveston Router

Galveston(config) Starts OSPF process 1

# router ospf 1

Galveston(config- Read this line to say, “Any

router)# network interface with an exact address
172.16.40.2 of 172.16.40.2 is to run OSPF
0.0.0.0 area 0 and be put into area 0”

This is the most precise way to

place an exact address into the
OSPF routing process

Galveston(config- Read this line to say, “Any

router)# network interface with an exact address
172.16.50.1 of 172.16.50.1 is to be put into
0.0.0.0 area 0 area 0”
Galveston(config- Returns to privileged EXEC
router)# <CTRL> z mode

Galveston# copy Saves the configuration to

running-config NVRAM
startup-config

Galveston(config) Moves to interface

# interface configuration mode
gigabitethernet
0/0

Galveston(config- Enables OSPF area 0 on this

if)# ip ospf 1 interface
area 0

Galveston(config- Moves to interface

if)# interface configuration mode
serial 0/0/1

Galveston(config- Enables OSPF area 0 on this

if)# ip ospf 1 interface
area 0
Galveston(config- Returns to privileged EXEC
if)# <CTRL> z mode

Galveston# copy Saves the configuration to

running-config NVRAM
startup-config

CONFIGURATION EXAMPLE:
MULTIAREA OSPF
Figure 5-3 shows the network topology for the
configuration that follows, which demonstrates how to
configure multiarea OSPF using the commands covered
in this chapter.
Figure 5-3 Network Topology for Multiarea OSPF
Configuration

ASBR Router

Router> Moves to privileged EXEC mode

enable

Router# Moves to global configuration mode

configure
terminal
Router(con Sets the router host name
fig)#
hostname
ASBR

ASBR(confi Enters loopback interface mode

g)#
interface
loopback 0

ASBR(confi Assigns an IP address and netmask

g-if)# ip
address
192.168.1.
1
255.255.25
5.255

ASBR(confi Sets a locally significant description

g-if)#
descriptio
n Router
ID

ASBR(confi Returns to global configuration mode

g-if)#
exit

ASBR(confi Creates default route. Using both an exit

g)# ip interface and next-hop address on a
route GigabitEthernet interface prevents
0.0.0.0 recursive lookups in the routing table
0.0.0.0
10.1.0.2
gigabiteth
ernet 1/1

ASBR(confi Creates a static route to a null interface.

g)# ip In this example, these routes represent a
route simulated remote destination
11.0.0.0
255.0.0.0
null0

ASBR(confi Creates a static route to a null interface.

g)# ip In this example, these routes represent a
route simulated remote destination
12.0.0.0
255.0.0.0
null0

ASBR(confi Creates a static route to a null interface.

g)# ip In this example, these routes represent a
route simulated remote destination
13.0.0.0
255.0.0.0
null0

ASBR(confi Enters interface configuration mode

g)#
interface
gigabiteth
ernet 1/0

ASBR(confi Enables OSPF area 0 on this interface.

g-if)# ip Also creates the OSPF routing process
ospf 1
area 0

ASBR(confi Returns to global configuration mode

g)# exit

ASBR(confi Enters OSPF configuration mode

g)# router
ospf 1

ASBR(confi Sets the default route to be propagated to

g-router)# all OSPF routers
default-
informatio
n
originate

ASBR(confi Redistributes static routes into the OSPF

g-router)# process. This turns the router into an
redistribu ASBR because static routes are not part
te static of OSPF, and the definition of an ASBR is
a router that sits between OSPF and
another routing process—in this case,
static routing

ASBR(confi Returns to global configuration mode

g-router)#
exit

ASBR(confi Returns to privileged EXEC mode

g)# exit

ASBR# copy Saves the configuration to NVRAM

running-
config
startup-
config
ABR-1 Router

Router> enable Moves to privileged EXEC

mode

Router# configure Moves to global configuration

terminal mode

Router(config)# Sets the router host name

hostname ABR-1

ABR-1(config)# Enters loopback interface

interface loopback mode
0

ABR-1(config-if)# Assigns an IP address and

ip address netmask
192.168.2.1
255.255.255.255

ABR-1(config-if)# Sets a locally significant

description Router description
ID

ABR-1(config-if)# Returns to global

exit configuration mode

ABR-1(config)# Enters interface configuration

interface mode
gigabitethernet
0/1

ABR-1(config-if)# Enables OSPF on this

ip ospf 1 area 0 interface and creates the
OSPF routing process

ABR-1(config-if)# Sets the priority for the

ip ospf priority DR/BDR election process.
200 This router will win and
become the DR

ABR-1(config-if)# Returns to global

exit configuration mode

ABR-1(config)# Enters interface configuration

interface mode
gigabitethernet
0/0

ABR-1(config-if)# Enables OSPF on this

ip ospf 1 area 51 interface

ABR-1(config-if)# Returns to global

exit configuration mode

ABR-1(config)# Returns to privileged EXEC

exit mode

ABR-1# copy Saves the configuration to

running-config NVRAM
startup-config

ABR-2 Router

Router> Moves to privileged EXEC mode

enable

Router# Moves to global configuration mode

configure
terminal

Router(config Sets the router host name

)# hostname
ABR-2

ABR- Enters loopback interface mode

2(config)#
interface
loopback 0

ABR-2(config- Assigns an IP address and netmask

if)# ip
address
192.168.3.1
255.255.255.2
55

ABR-2(config- Sets a locally significant description

if)#
description
Router ID

ABR-2(config- Returns to global configuration mode

if)# exit
ABR- Enters interface configuration mode
2(config)#
interface
gigabitethern
et 0/0

ABR-2(config- Places this interface into OSPF area 0

if)# ip ospf and enables the OSPF routing
1 area 0 process

ABR-2(config- Sets the priority for the DR/BDR

if)# ip ospf election process. This router will
priority 100 become the BDR to ABR-1’s DR

ABR- Enters interface configuration mode

2(config)#
interface
serial 0/0/0

ABR-2(config- Places this interface into OSPF area 0

if)# ip ospf and enables the OSPF routing
1 area 1 process

ABR-2(config- Returns to global configuration mode

if)# exit
ABR- Enters OSPF process 1
2(config)#
router ospf 1

ABR-2(config- Makes area 1 a stub area. Type-4 and

router)# area Type-5 LSAs are blocked and not sent
1 stub into area 1. A default route is injected
into the stub area, pointing to the
ABR

ABR-2(config- Returns to global configuration mode

router)# exit

ABR- Returns to privileged EXEC mode

2(config)#
exit

ABR-2# copy Saves the configuration to NVRAM

running-
config
startup-
config
Internal Router

Router> enable Moves to privileged EXEC

mode

Router# configure Moves to global

terminal configuration mode

Router(config)# Sets the router host name

hostname Internal

Internal(config)# Enters loopback interface

interface loopback 0 mode

Internal(config-if)# Assigns an IP address and

ip address netmask
192.168.4.1
255.255.255.255

Internal(config-if)# Sets a locally significant

description Router ID description

Internal(config)# Enters interface

interface serial configuration mode
0/0/0

Internal(config-if)# Places this interface into

ip ospf 1 area 1 OSPF area 1 and enables
the OSPF routing process

Internal(config)# Enters interface

interface configuration mode
gigabitethernet 0/0

Internal(config-if)# Places this interface into

ip ospf 1 area 1 OSPF area 1

Internal(config-if)# Returns to global

exit configuration mode

Internal(config)# Enters OSPF process 1

router ospf 1

Internal(config- Makes area 1 a stub area

router)# area 1 stub

Internal(config- Returns to global

router)# exit configuration mode
Internal(config)# Returns to privileged
exit EXEC mode

Internal# copy Saves the configuration to

running-config NVRAM
startup-config

CONFIGURATION EXAMPLE:
TRADITIONAL OSPFV3
Figure 5-4 shows the network topology for the
configuration that follows, which demonstrates how to
configure traditional OSPFv3 using the commands
covered in this chapter.
Figure 5-4 Network Topology for Traditional
OSPFv3 Configuration

R3 Router

R3(config)# Enables the forwarding of IPv6 unicast

ipv6 datagrams globally on the router. This
unicast- command is required before any IPv6
routing routing protocol can be configured

R3(config)# Moves to OSPFv3 router configuration

ipv6 router mode
ospf 1

R3(config- Sets a manually configured router ID

rtr)#
router-id
3.3.3.3

R3(config- Returns to global configuration mode

rtr)# exit

R3(config)# Moves to interface configuration mode

interface
gigabitethe
rnet 0/0

R3(config- Configures a global IPv6 address on the

if)# ipv6 interface and enables IPv6 processing
address on the interface
2001:db8:0:
1::3/64

R3(config- Enables OSPFv3 on the interface and

if)# ipv6 places this interface into area 1
ospf 1 area
1

R3(config- Enables the interface

if)# no
shutdown

R3(config- Moves to interface configuration mode

if)#
interface
loopback 0

R3(config- Configures a global IPv6 address on the

if)# ipv6 interface and enables IPv6 processing
address on the interface
2001:db8:0:
2::1/64

R3(config- Enables OSPFv3 on the interface and

if)# ipv6 places this interface into area 1
ospf 1 area
1

R3(config- Moves to global configuration mode

if)# exit

R3(config)# Moves to privileged EXEC mode

exit

R3# copy Saves the configuration to NVRAM

running-
config
startup-
config

R2 Router
R2(config)# Enables the forwarding of IPv6 unicast
ipv6 datagrams globally on the router. This
unicast- command is required before any IPv6
routing routing protocol can be configured

R2(config)# Moves to OSPFv3 router configuration

ipv6 router mode
ospf 1

R2(config- Sets a manually configured router ID

rtr)#
router-id
2.2.2.2

R2(config- Returns to global configuration mode

rtr)# exit

R2(config)# Moves to interface configuration mode

interface
gigabitethe
rnet 0/0

R2(config- Configures a global IPv6 address on the

if)# ipv6 interface and enables IPv6 processing
address on the interface
2001:db8:0:
1::2/64

R2(config- Enables OSPFv3 on the interface and

if)# ipv6 places this interface into area 1
ospf 1 area
1

R2(config- Enables the interface

if)# no
shutdown

R2(config- Moves to interface configuration mode

if)#
interface
loopback 0

R2(config- Configures a global IPv6 address on the

if)# ipv6 interface and enables IPv6 processing
address on the interface
2001:db8:0:
3::1/64

R2(config- Enables OSPFv3 on the interface and

if)# ipv6 places this interface into area 1
ospf 1 area
1

R2(config- Enables the interface

if)# no
shutdown

R2(config- Moves to global configuration mode

if)# exit

R2(config)# Moves to privileged EXEC mode

exit

R2# copy Saves the configuration to NVRAM

running-
config
startup-
config

R1 Router

R1(config)# Enables the forwarding of IPv6 unicast

ipv6 datagrams globally on the router. This
unicast- command is required before any IPv6
routing routing protocol can be configured

R1(config)# Moves to OSPFv3 router configuration

ipv6 router mode
ospf 1

R1(config- Sets a manually configured router ID

rtr)#
router-id
1.1.1.1

R1(config- Returns to global configuration mode

rtr)# exit

R1(config)# Moves to interface configuration mode

interface
gigabitethe
rnet 0/0

R1(config- Configures a global IPv6 address on the

if)# ipv6 interface and enables IPv6 processing
address on the interface
2001:db8:0:
1::1/64
R1(config- Enables OSPFv3 on the interface and
if)# ipv6 places this interface into area 1
ospf 1 area
1

R1(config- Enables the interface

if)# no
shutdown

R1(config- Moves to interface configuration mode

if)#
interface
serial
0/0/0

R1(config- Configures a global IPv6 address on the

if)# ipv6 interface and enables IPv6 processing
address on the interface
2001:db8:0:
7::1/64

R1(config- Enables OSPFv3 on the interface and

if)# ipv6 places this interface into area 0
ospf 1 area
0
R1(config- Assigns a clock rate to this interface
if)# clock
rate
4000000

R1(config- Enables the interface

if)# no
shutdown

R1(config- Moves to global configuration mode

if)# exit

R1(config)# Moves to privileged EXEC mode

exit

R1# copy Saves the configuration to NVRAM

running-
config
startup-
config

R4 Router
R4(config)# Enables the forwarding of IPv6 unicast
ipv6 datagrams globally on the router. This
unicast- command is required before any IPv6
routing routing protocol can be configured

R4(config)# Moves to OSPFv3 router configuration

ipv6 router mode
ospf 1

R4(config- Sets a manually configured router ID

rtr)#
router-id
4.4.4.4

R4(config- Returns to global configuration mode

rtr)# exit

R4(config)# Moves to interface configuration mode

interface
serial
0/0/0

R4(config- Configures a global IPv6 address on the

if)# ipv6 interface and enables IPv6 processing
address on the interface
2001:db8:0:
7::2/64

R4(config- Enables OSPFv3 on the interface and

if)# ipv6 places this interface into area 1
ospf 1 area
0

R4(config- Enables the interface

if)# no
shutdown

R4(config- Moves to global configuration mode

if)# exit

R4(config)# Moves to privileged EXEC mode

exit

R4# copy Saves the configuration to NVRAM

running-
config
startup-
config
CONFIGURATION EXAMPLE: OSPFV3
WITH ADDRESS FAMILIES
Figure 5-5 shows the network topology for the
configuration that follows, which demonstrates how to
configure OSPFv3 address families using the commands
covered in this chapter.

Figure 5-5 Network Topology for OSPFv3 Address

Families Configuration

R1 Router

R1(config)# Enables the forwarding of IPv6 unicast

ipv6 datagrams globally on the router. This
unicast- command is required before any IPv6
routing routing protocol can be configured

R1(config)# Moves to interface configuration mode

interface
loopback 0

R1(config- Assigns an IP address and netmask

if)# ip
address
192.168.1.1
255.255.255.
0

R1(config- Configures a global IPv6 address on

if)# ipv6 the interface and enables IPv6
address processing on the interface
2001:db8:0:1
::1/64

R1(config- Moves to interface configuration mode

if)#
interface
gigabitether
net 0/0

R1(config- Assigns an IP address and netmask

if)# ip
address
172.16.1.1
255.255.255.
0

R1(config- Configures a global IPv6 address on

if)# ipv6 the interface and enables IPv6
address processing on the interface
2001:db8:1:1
::1/64

R1(config- Enables the interface

if)# no
shutdown

R1(config- Returns to global configuration mode

if)# exit

R1(config)# Enables OSPFv3 router configuration

router mode for the IPv4 or IPv6 address
ospfv3 1 family

R1(config- Configures the router to send a syslog

router)# message when an OSPFv3 neighbor
log- goes up or down
adjacency-
changes

R1(config- Configures a fixed router ID

router)#
router-id
1.1.1.1

R1(config- Enters IPv6 address family

router)# configuration mode for OSPFv3
address-
family ipv6
unicast

R1(config- Prevents interface loopback 0 from

router-af)# exchanging any OSPF packets,
passive- including hello packets
interface
loopback 0
R1(config- Enters IPv4 address family
router-af)# configuration mode for OSPFv3
address-
family ipv4
unicast

R1(config- Prevents interface loopback 0 from

router-af)# exchanging any OSPF packets,
passive- including hello packets
interface
loopback 0

R1(config- Returns to OSPFv3 router

router-af)# configuration mode
exit

R1(config- Returns to global configuration mode

router)#
exit

R1(config)# Moves to interface configuration mode

interface
loopback 0

R1(config- Enables OSPFv3 instance 1 with the

if)# ospfv3 IPv6 address family in area 0
1 ipv6 area
0

R1(config- Enables OSPFv3 instance 1 with the

if)# ospfv3 IPv4 address family in area 0
1 ipv4 area
0

R1(config- Moves to interface configuration mode

if)#
interface
gigabitether
net 0/0

R1(config- Enables OSPFv3 instance 1 with the

if)# ospfv3 IPv6 address family in area 0
1 ipv6 area
0

R1(config- Enables OSPFv3 instance 1 with the

if)# ospfv3 IPv4 address family in area 0
1 ipv4 area
0
R1(config- Returns to global configuration mode
if)# exit

R1(config)# Returns to privileged EXEC mode

exit

R1# copy Copies the running configuration to

running- NVRAM
config
startup-
config

R2 Router

R2(config)# Enables the forwarding of IPv6 unicast

ipv6 datagrams globally on the router. This
unicast- command is required before any IPv6
routing routing protocol can be configured

R2(config)# Moves to interface configuration mode

interface
loopback 0
R2(config- Assigns an IP address and netmask
if)# ip
address
192.168.2.1
255.255.255.
0

R2(config- Configures a global IPv6 address on

if)# ipv6 the interface and enables IPv6
address processing on the interface
2001:db8:0:2
::1/64

R2(config- Moves to interface configuration mode

if)#
interface
gigabitether
net 0/0

R2(config- Assigns an IP address and netmask

if)# ip
address
172.16.1.2
255.255.255.
0
R2(config- Configures a global IPv6 address on
if)# ipv6 the interface and enables IPv6
address processing on the interface
2001:db8:1:1
::2/64

R2(config- Enables the interface

if)# no
shutdown

R2(config- Returns to global configuration mode

if)# exit

R2(config)# Enables OSPFv3 router configuration

router mode for the IPv4 or IPv6 address
ospfv3 1 family

R2(config- Configures the router to send a syslog

router)# message when an OSPFv3 neighbor
log- goes up or down
adjacency-
changes

R2(config- Configures a fixed router ID

router)#
router-id
2.2.2.2

R2(config- Enters IPv6 address family

router)# configuration mode for OSPFv3
address-
family ipv6
unicast

R2(config- Prevents interface loopback 0 from

router-af)# exchanging any OSPF packets,
passive- including hello packets
interface
loopback 0

R2(config- Enters IPv4 address family

router-af)# configuration mode for OSPFv3
address-
family ipv4
unicast

R2(config- Prevents interface loopback 0 from

router-af)# exchanging any OSPF packets,
passive- including hello packets
interface
loopback 0
R2(config- Returns to OSPFv3 router
router-af)# configuration mode
exit

R2(config- Returns to global configuration mode

router)#
exit

R2(config)# Moves to interface configuration mode

interface
loopback 0

R2(config- Enables OSPFv3 instance 1 with the

if)# ospfv3 IPv6 address family in area 0
1 ipv6 area
0

R2(config- Enables OSPFv3 instance 1 with the

if)# ospfv3 IPv4 address family in area 0
1 ipv4 area
0

R2(config- Moves to interface configuration mode

if)#
interface
gigabitether
net 0/0

R2(config- Enables OSPFv3 instance 1 with the

if)# ospfv3 IPv6 address family in area 0
1 ipv6 area
0

R2(config- Enables OSPFv3 instance 1 with the

if)# ospfv3 IPv4 address family in area 0
1 ipv4 area
0

R2(config- Returns to global configuration mode

if)# exit

R2(config)# Returns to privileged EXEC mode

exit

R2# copy Copies the running configuration to

running- NVRAM
config
startup-
config
R3 Router

R3(config)# Enables the forwarding of IPv6 unicast

ipv6 datagrams globally on the router. This
unicast- command is required before any IPv6
routing routing protocol can be configured

R3(config)# Moves to interface configuration mode

interface
loopback 0

R3(config- Assigns an IP address and netmask

if)# ip
address
192.168.3.1
255.255.255.
0

R3(config- Configures a global IPv6 address on

if)# ipv6 the interface and enables IPv6
address processing on the interface
2001:db8:0:3
::1/64
R3(config- Moves to interface configuration mode
if)#
interface
gigabitether
net 0/0

R3(config- Assigns an IP address and netmask

if)# ip
address
172.16.1.3
255.255.255.
0

R3(config- Configures a global IPv6 address on

if)# ipv6 the interface and enables IPv6
address processing on the interface
2001:db8:1:1
::3/64

R3(config- Enables the interface

if)# no
shutdown

R3(config- Returns to global configuration mode

if)# exit
R3(config)# Enables OSPFv3 router configuration
router mode for the IPv4 or IPv6 address
ospfv3 1 family

R3(config- Configures the router to send a syslog

router)# message when an OSPFv3 neighbor
log- goes up or down
adjacency-
changes

R3(config- Configures a fixed router ID

router)#
router-id
3.3.3.3

R3(config- Enters IPv6 address family

router)# configuration mode for OSPFv3
address-
family ipv6
unicast

R3(config- Prevents interface loopback 0 from

router-af)# exchanging any OSPF packets,
passive- including hello packets
interface
loopback 0

R3(config- Enters IPv4 address family

router-af)# configuration mode for OSPFv3
address-
family ipv4
unicast

R3(config- Prevents interface loopback 0 from

router-af)# exchanging any OSPF packets,
passive- including hello packets
interface
loopback 0

R3(config- Returns to OSPFv3 router

router-af)# configuration mode
exit

R3(config- Returns to global configuration mode

router)#
exit

R3(config)# Moves to interface configuration mode

interface
loopback 0

R3(config- Enables OSPFv3 instance 1 with the

if)# ospfv3 IPv6 address family in area 0
1 ipv6 area
0

R3(config- Enables OSPFv3 instance 1 with the

if)# ospfv3 IPv4 address family in area 0
1 ipv4 area
0

R3(config- Moves to interface configuration mode

if)#
interface
gigabitether
net 0/0

R3(config- Enables OSPFv3 instance 1 with the

if)# ospfv3 IPv6 address family in area 0
1 ipv6 area
0

R3(config- Enables OSPFv3 instance 1 with the

if)# ospfv3 IPv4 address family in area 0
1 ipv4 area
0

R3(config- Returns to global configuration mode

if)# exit

R3(config)# Returns to privileged EXEC mode

exit

R3# copy Copies the running configuration to

running- NVRAM
config
startup-
config
Chapter 6
Redistribution and Path
Control

This chapter provides information about the following

redistribution and path control topics:

Defining seed and default metrics

Redistributing connected networks

Redistributing static routes

Redistributing subnets into OSPF

Assigning E1 or E2 routes in OSPF

Redistributing OSPF internal and external routes

Configuration example: route redistribution for IPv4

Configuration example: route redistribution for IPv6

Verifying route redistribution

Route filtering using the distribute-list command

Configuration example: inbound and outbound

distribute list route filters
Configuration example: controlling
redistribution with outbound distribute lists

Verifying route filters

Route filtering using prefix lists

Configuration example: using a distribute list

that references a prefix list to control
redistribution

Verifying prefix lists

Using route maps with route redistribution

Configuration example: route maps

Manipulating redistribution using route tagging

Changing administrative distance

Path control with policy-based routing

Verifying policy-based routing

Configuration example: PBR with route maps

Cisco IOS IP SLA

Configuring Authentication for IP SLA

Monitoring IP SLA Operations

PBR with Cisco IOS IP SLA

Step 1: Define Probe(s)

Step 2: Define Tracking Object(s)

Step 3a: Define the Action on the Tracking

Object(s)

Step 3b: Define Policy Routing Using the

Tracking Object(s)

Step 4: Verify IP SLA Operations

DEFINING SEED AND DEFAULT

METRICS

Router(config)# Starts the EIGRP routing process

router eigrp
100

Router(config- Specifies which network to

router)# advertise in EIGRP
network
172.16.0.0

Router(config- Redistributes routes learned from

OSPF into EIGRP
router)#
redistribute
ospf 1

Router(config- The metrics assigned to these

router)# learned routes will be calculated
default-metric using the following components:
1000 100 250 1
1500 1000 = Bandwidth in Kbps

Or 100 = Delay in tens of

microseconds

Router(config-
router)# 255 = Reliability out of 255
redistribute
ospf 1 metric 1 = Load out of 255
1000 100 255 1
1500 1500 = Maximum transmission
unit (MTU) size

The metric keyword in the

second option assigns a starting
EIGRP metric that is calculated
using the following components:
1000, 100, 255, 1 1500
Note
The values used in this command constitute the seed metric for these OSPF routes being
redistributed into EIGRP. The seed metric is the initial value of an imported route and it must
be consistent with the destination protocol.

Note
The default seed metrics are as follows:

Connected: 1

Static: 1

RIP: Infinity

EIGRP: Infinity

OSPF: 20 for all except for BGP, which is 1

BGP: BGP metric is set to IGP metric value

Note
If both the metric keyword in the redistribute command and the default- metric command
are used, the value of the metric keyword in the redistribute command takes precedence.

Tip
If a value is not specified for the metric option, and no value is specified using the default-
metric command, the default metric value is 0, except for OSPF, where the default cost is
20. RIP and EIGRP must have the appropriate metrics assigned to any redistributed routes;
otherwise, redistribution will not work. BGP will use the IGP metric, while both connected
networks and static routes will receive an initial default value of 1.
Tip
The default-metric command is useful when routes are being redistributed from more than
one source because it eliminates the need for defining the metrics separately for each
redistribution.

Tip
Redistributed routes between EIGRP processes do not need metrics configured.
Redistributed routes are tagged as EIGRP external routes and will appear in the routing
table with a code of D EX.

REDISTRIBUTING CONNECTED
NETWORKS

Router(conf Starts the OSPF routing process

ig)# router
ospf 1

Router(conf Redistributes all directly connected

ig-router)# networks
redistribut
e connected
Note

It is not necessary to redistribute networks that are

already configured under the routing protocol
Note

The connected keyword refers to routes that are

established automatically by virtue of having IP
enabled on an interface. For routing protocols such as
OSPF, Intermediate System-to-Intermediate System
(IS-IS), and EIGRP, these routes are redistributed as
external to the autonomous system

Router(conf Redistributes all directly connected

ig-router)# networks and assigns them a starting
redistribut metric of 50
e connected
metric 50
Note

The redistribute connected command is not affected

by the default-metric command

REDISTRIBUTING STATIC ROUTES

Router(config)# ip Creates a static route for

route 10.1.1.0 network 10.1.1.0/24 exiting
255.255.255.0 serial out of interface Serial
0/0/0 0/0/0

Router(config)# Starts the EIGRP routing

router eigrp 10 process

Router(config- Redistributes static routes

router)# on this router into the
redistribute static EIGRP routing process

REDISTRIBUTING SUBNETS INTO

OSPF

Router(confi Starts the OSPF routing process

g)# router
ospf 1

Router(confi Redistributes routes learned from

g-router)# EIGRP autonomous system 10. A
redistribute metric of 100 is assigned to all routes.
eigrp 10 Subnets will also be redistributed
metric 100
subnets
Note

Without the subnets keyword, no subnets will be

redistributed into the OSPF domain. (Only routes
that are in the routing table with the default classful
mask will be redistributed.) The subnets keyword
is only necessary for OSPFv2. OSPFv3
automatically redistributes all classless prefixes

ASSIGNING E1 OR E2 ROUTES IN
OSPF

Router(co Starts the OSPF routing process

nfig)#
router
ospf 1

Router(co Redistributes routes learned from EIGRP

nfig- autonomous system 1. Routes will be
router)# advertised as E1 routes
redistrib
ute eigrp
1 metric- Note

type 1 If the metric-type argument is not used, routes will be

advertised by default in OSPF as E2 routes. E2 routes
have a default fixed cost of 20 associated with them, but
this value can be changed with the metric keyword. For
E2 routes, the metric will not change as the route is
propagated throughout the OSPF area. E1 routes will have
internal area costs added to the seed metric

Tip
Use external type 1 (E1) routes when there are multiple Autonomous System Border
Routers (ASBRs) advertising an external route to the same autonomous system to avoid
suboptimal routing (see Figure 6-1).

Figure 6-1 Network Topology with Two ASBRs

Tip
Use external type 2 (E2) routes if only one ASBR is advertising an external route to the AS
(see Figure 6-2).
Figure 6-2 Network Topology with One ASBR

REDISTRIBUTING OSPF INTERNAL

AND EXTERNAL ROUTES

Router(con Starts the EIGRP routing process for

fig)# autonomous system 10
router
eigrp 10

Router(con Redistributes internal and external type 1

fig- routes learned from OSPF process ID 1.
router)# Available keywords are match
redistribu internal, external 1, and external 2.
te ospf 1 These instruct EIGRP to only
match redistribute internal, external type 1 and
internal type 2 OSPF routes
external 1

Note

The default behavior when redistributing OSPF routes is

to redistribute all routes—internal, external 1, and
external 2. The keywords match internal external 1
and external 2 are required only if router behavior is to
be modified

CONFIGURATION EXAMPLE: ROUTE

REDISTRIBUTION FOR IPV4
Figure 6-3 shows the network topology for the
configuration that follows, which demonstrates how to
implement single-point two-way basic redistribution
between EIGRP and OSPF for IPv4, using the
commands covered in this chapter. For this
configuration example, assume that EIGRP and OSPF
routing has been configured correctly on all four
routers.
Figure 6-3 Network Topology for IPv4 Route
Redistribution

Montreal(co Enters EIGRP configuration mode

nfig)#
router
eigrp 10

Montreal(co Redistributes routes from OSPF

nfig- process ID 1 into EIGRP AS 10 and
router)# assigns a seed metric to these routes
redistribut
e ospf 1
metric 1500
10 255 1
1500

Montreal(co Returns to global configuration mode

nfig-
router)#
exit

Montreal(co Enters OSPF configuration mode

nfig)#
router ospf
1

Montreal(co Redistributes classless routes from

nfig- EIGRP AS 10 into OSPF process ID 1 as
router)# external type 2 (E2) with a metric of 20,
redistribut which is fixed and does not change
e eigrp 10 across the OSPF domain

subnets

Note

Omitting the subnets keyword is a common

configuration error. Without this keyword, only
networks in the routing table with a classful mask will
be redistributed. Subnets will not be redistributed
Montreal(co Redistributes classless routes from
nfig- EIGRP AS 10 into OSPF process ID 1 as
router)# external type 1 (E1). Type 1 external
redistribut routes calculate the cost by adding the
e eigrp 10 external cost (20) to the internal cost of
metric-type each link that the packet crosses

1 subnets

CONFIGURATION EXAMPLE: ROUTE

REDISTRIBUTION FOR IPV6
Figure 6-4 shows the network topology for the
configuration that follows, which demonstrates how to
implement single-point two-way basic redistribution
between EIGRP using named mode configuration and
OSPFv3 for IPv6, with the commands covered in this
chapter. For this configuration example, assume that
EIGRP and OSPF routing for IPv6 has been configured
correctly on all four routers.
Figure 6-4 Network Topology for IPv6 Route
Redistribution

Montreal(config Enters EIGRP using named mode

)# router eigrp configuration
DEMO

Montreal(config Enables the IPv6 unicast address

-router)# family for AS 10
address-family
ipv6 unicast
autonomous-
system 10
Montreal(config Enters EIGRP address-family
-router-af)# topology subconfiguration mode
topology base

Montreal(config Redistributes IPv6 routes from

-router-af- OSPF process ID 1 into EIGRP AS
topology)# 10 and assigns a seed metric to
redistribute these routes
ospf 1 metric
1500 10 255 1
1500 include- Note

connected The include-connected keywords instruct

the source routing protocol to redistribute the
connected interfaces if the source routing
protocol is running on them

Montreal(config Enters OSPFv3 process ID 1

-router-af- configuration mode
topology)#
router ospfv3 1

Montreal(config Enters the OSPFv3 IPv6 unicast

-router)# address family
address-family
ipv6 unicast
Montreal(config Redistributes IPv6 routes from
-router-af)# EIGRP AS 10 into OSPFv3 process
redistribute ID 1 as external type 2 (E2) with a
eigrp 10 metric of 20, which is fixed and
include- does not change across the OSPF
connected domain

Montreal(config Redistributes IPv6 routes from

-router-af)# EIGRP AS 10 into OSPFv3 process
redistribute ID 1 as external type 1 (E1). Type 1
eigrp 10 external routes calculate the cost
metric-type 1 by adding the external cost (20) to
include- the internal cost of each link that
the packet crosses
connected

Note

The subnets keyword does not exist in

OSPFv3 redistribution configuration

VERIFYING ROUTE REDISTRIBUTION

Router# show Displays the current state of the
ip route routing table

Router# show
ipv6 route

Router# show Displays the EIGRP topology table

ip eigrp
topology

Router# show
ipv6 eigrp
topology

Router# show Displays parameters and the current

ip protocols state of any active routing process

Router# show
ipv6
protocols

Router# show Displays summary address entries in

ip rip the RIP routing database
database
Router# show
ipv6 rip
database

Router# show Displays the link-state advertisement

ip ospf (LSA) types within the link-state
database database (LSDB)

Router# show
ospfv3
database

ROUTE FILTERING USING THE

DISTRIBUTE-LIST COMMAND

Router(config)# Starts the EIGRP routing

router eigrp 10 process for autonomous system
10

Note

If using EIGRP named mode

configuration with address families, the
distribute-list command is entered
under the topology subconfiguration
mode: Router(config-router-af-
topology)#

Note

If using OSPFv3 with address families,

the distribute-list command is entered
under the specific address family in use
on the router: Router(config-router-af)#

Router(config- Creates an incoming global

router)# distribute list that refers to
distribute-list 1 access control list (ACL) 1
in

Router(config- Creates an outgoing global

router)# distribute list that refers to ACL
distribute-list 2 2
out

Router(config- Creates an incoming distribute

router)# list for interface
distribute-list 3 GigabitEthernet 0/0/0 and
in refers to ACL 3
gigabitethernet
0/0/0

Router(config- Creates an outgoing distribute

router)# list for interface Serial 0/2/0
distribute-list 4 and refers to ACL 4
out serial 0/2/0

Router(config- Filters updates redistributed

router)# from OSPF process ID 1 into
distribute-list 5 EIGRP AS 10 according to ACL
out ospf 1 5

Configuration Example: Inbound and Outbound

Distribute List Route Filters
Figure 6-5 shows the network topology for the
configuration that follows, which demonstrates how to
configure inbound and outbound route filters to control
routing updates using the commands covered in this
chapter. Assume that all basic configurations and
EIGRP routing have been configured correctly.
Figure 6-5 Network Topology for Inbound and
Outbound Distribute List Route Filters

The first objective is to prevent router Aylmer from

learning the 10.0.0.0/8 network using an outbound
distribute list on router Hull.

Hull(config)# Creates a standard ACL

access-list 10 deny number 10 and explicitly
10.0.0.0 denies the 10.0.0.0/8
0.255.255.255 network

Hull(config)# Adds a second line to ACL

access-list 10 10 which permits all other
permit any networks

Hull(config)# Enters EIGRP AS 1 routing

router eigrp 1 process
Hull(config- Creates an outbound global
router)# distribute list that refers to
distribute-list 10 ACL 10
out
Creates an outgoing
Or distribute list for interface
Serial 0/2/0 that refers to
ACL 10
Hull(config-
router)#
distribute-list 10
out serial 0/2/0

The second objective is to prevent router Ottawa from

learning the 192.168.6.0/24 network using an inbound
distribute list on router Ottawa.

Ottawa(config)# Creates a standard ACL

access-list 20 deny number 20 and explicitly
192.168.6.0 denies the 192.168.6.0/24
0.0.0.255 network

Ottawa(config)# Adds a second line to ACL

access-list 20 20 which permits all other
networks
permit any

Ottawa(config)# Enters EIGRP AS 1 routing

router eigrp 1 process

Ottawa(config- Creates an inbound global

router)# distribute list that refers to
distribute-list 20 ACL 20
in
Creates an inbound
Or distribute list for interface
Serial 0/2/0 that refers to
ACL 20
Ottawa(config-
router)#
distribute-list 20
in serial 0/2/0

Configuration Example: Controlling Redistribution

with Outbound Distribute Lists
Figure 6-6 shows the network topology for the
configuration that follows, which demonstrates how to
control redistribution with an outbound distribute list
using the commands covered in this chapter. Assume
that all basic configurations and routing have been
configured correctly. This example uses OSPFv3 with
address families.

Figure 6-6 Network Topology for Controlling

Redistribution with Outbound Distribute Lists

The objective is to prevent networks 172.16.3.0/24 and

172.16.4.0/24 from being redistributed into the OSPF
domain.

Hull(config)# Creates a standard ACL number 30

access-list and explicitly permits the
30 permit 172.16.1.0/24 network
172.16.1.0
0.0.0.255

Hull(config)# Adds a second line to ACL 30 that

access-list explicitly permits the 172.16.2.0/24
30 permit network
172.16.2.0
0.0.0.255

Hull(config)# Enters OSPFv3 process ID 1 routing

router ospfv3 process
1

Hull(config- Enters the OSPFv3 IPv4 address

router)# family
address-
family ipv4
unicast

Hull(config- Redistributes all EIGRP networks

router-af)# into OSPFv3
redistribute
eigrp 10

Hull(config- Creates an outbound distribute list

router-af)# to filter routes being redistributed
distribute- from EIGRP into OSPFv3
list 30 out
eigrp 10
Note

The implicit “deny any” statement at the end of

the access list prevents routing updates about
any other network from being advertised. As a
result, networks 172.16.3.0/24 and
172.16.4.0/24 will not be redistributed into
OSPFv3

Verifying Route Filters

Router# show ip Displays the parameters and

protocols current state of active routing
protocols

Routing Protocol is
"eigrp 10"
Outgoing update
filter list for all
interfaces is 2
Redistributed
ospf 1 filtered by
5
Serial 0/2/0
filtered by 4
Incoming update
filter list for all
interfaces is 1

GigabitEthernet
0/0/0 filtered by 3

Note
For each interface and routing process, Cisco IOS permits the following:

One incoming global distribute list

One outgoing global distribute list

One incoming interface distribute list

One outgoing interface distribute list

One outgoing redistribution distribute list

Caution
For OSPF, route filters have no effect on LSAs or the LSDB. A basic requirement of link-
state routing protocols is that routers in an area must have identical LSDBs.

Note
OSPF routes cannot be filtered from entering the OSPF database. The distribute-list in
command filters routes only from entering the routing table, but it doesn’t prevent link-state
packets (LSPs) from being propagated.

Note
The command distribute-list out works only on the routes being redistributed by the ASBR
into OSPF. It can be applied to external type-2 and external type-1 routes but not to intra-
area and interarea routes.

ROUTE FILTERING USING PREFIX

LISTS
The general syntax for configuring IPv4 and IPv6 prefix
lists is as follows:
Click here to view code image
Router(config)# ip prefix-list list-name [seq seq-
value]
{deny | permit} network/len [ge ge-value] [le le-
value]
Router(config)# ipv6 prefix-list list-name [seq seq-
value]
{deny | permit} network/len [ge ge-value] [le le-
value]

The table that follows describes the parameters for this

command.

Para Description
mete
r

list- The name of the prefix list

name

seq (Optional) Applies a sequence number to the

entry being created or deleted

seq- (Optional) Specifies the sequence number

value

deny Denies access to matching conditions

per Permits access for matching conditions

mit

netw (Mandatory) The IPv4 or IPv6 network number

ork/l and length (in bits) of the netmask
en

ge (Optional) Applies ge-value to the range specified

ge- (Optional) Specifies the lesser value of a range

value (the “from” portion of the range description)

le (Optional) Applies le-value to the range specified

le- (Optional) Specifies the greater value of a range

value (the “to” portion of the range description)

Tip
You must define a prefix list before you can apply it as a route filter.

Tip
There is an implicit deny statement at the end of each prefix list.

Tip
The range of sequence numbers that can be entered is from 1 to 4 294 967 294.
If a sequence number is not entered when configuring this command, a default sequence
numbering is applied to the prefix list. The number 5 is applied to the first prefix entry, and
subsequent unnumbered entries are incremented by 5.

A router tests for prefix list matches from the lowest

sequence number to the highest. By numbering your
prefix-list statements, you can add new entries at any
point in the list.

The following examples show how you can use the

prefix-list command to filter networks using some of
the more commonly used options.

Router(con Creates a prefix list where the prefix

fig)# ip length to be permitted needs to be
prefix- between /8 and /24, inclusive, and
list ROSE where the first octet is 192. Because no
permit sequence number is identified, the
192.0.0.0/ default number of 5 is applied

8 le 24

Router(con Creates a prefix list where the prefix

fig)# ip length to be denied needs to be between
prefix- 25 and 32, inclusive, and where the first
list ROSE octet is 192. Because no sequence
deny number is identified, the number 10 is
192.0.0.0/ applied—an increment of 5 over the
8 ge 25 previous statement

Note

This configuration will permit routes such as

192.2.0.0/16 or 192.2.20.0/24 but will deny a more
specific subnet such as 192.168.10.128/25

Router(con Creates a prefix list that permits all

fig)# ip prefixes that have a length between 16
prefix- and 24 bits (greater than or equal to 16
list TOWER bits, and less than or equal to 24 bits),
permit and where the first octet is 10
10.0.0.0/8
ge 16 le
24

Router(con Creates a prefix list and assigns a

fig)# ip sequence number of 5 to a statement
prefix- that permits only the default route
list TEST 0.0.0.0/0
seq 5
permit
0.0.0.0/0
Router(con Creates a prefix list and assigns a
fig)# ip sequence number of 10 to a statement
prefix- that permits any prefix with a length of
list TEST exactly 30 bits
seq 10
permit
0.0.0.0/0
ge 30 le
30

Router(con Creates a prefix list and assigns a

fig)# ip sequence number of 15 to a statement
prefix- that permits any address or subnet
list TEST (permit any)
seq 15
permit
0.0.0.0/0
le 32

Router(con Removes sequence number 10 from the

fig)# no prefix list
ip prefix-
list TEST
seq 10
0.0.0.0/0
ge 30 le
30

Router(con Creates a prefix list and assigns a

fig)# ipv6 sequence number of 5 to a statement
prefix- that permits only the default route
list
V6TEST seq
5 permit
::/0

Router(con Creates a prefix list and assigns a

fig)# ipv6 sequence number of 10 to a statement
prefix- that permits any address or prefix length
list (permit any)
V6TEST seq
10 permit
::/0 le
128

Configuration Example: Using a Distribute List That

References a Prefix List to Control Redistribution
Figure 6-7 shows the network topology for the
configuration that follows, which demonstrates how to
control redistribution with a prefix list using the
commands covered in this chapter. Assume that all
basic configurations and EIGRP and OSPF routing have
been configured correctly.

Figure 6-7 Network Topology for Distribute List

Configuration with Prefix Lists

The objective is to prevent networks 172.16.3.0/24 and

172.16.4.0/24 from being redistributed into the OSPF
domain.

Hull(config)# Creates a prefix list called FILTER

ip prefix-list with a first sequence number of 5
FILTER seq 5 that explicitly permits the
permit 172.16.1.0/24 network
172.16.1.0/24

Hull(config)# Adds a second line to the FILTER

prefix list that explicitly permits the
ip prefix-list 172.16.2.0/24 network
FILTER seq 10
permit
172.16.2.0/24

Hull(config)# Enters OSPF process ID 1 routing

router ospf 1 process

Hull(config- Redistributes all EIGRP networks

router)# into OSPF. The subnets keyword is
redistribute required for accurate OSPFv2
eigrp 10 redistribution of subnets learned
subnets from the Aylmer router

Hull(config- Creates an outbound distribute list

router)# to filter routes being redistributed
distribute- from EIGRP into OSPF that
list prefix references the prefix list
FILTER out
eigrp 10
Note

The implicit deny any statement at the end of

the prefix list prevents routing updates about
any other network from being advertised. As a
result, networks 172.16.3.0/24 and
172.16.4.0/24 will not be redistributed into
OSPF
Tip
You can attach prefix lists to the redistribution process either via a distribute list or via a
route map.

Verifying Prefix Lists

show ip Displays information on all prefix lists.

prefix-list Specifying the detail keyword includes
[detail | the description and the hit count (the
summary] number of times the entry matches a
route) in the display

show ipv6
prefix-list
[detail |
summary]

clear ip Resets the hit count shown on prefix

prefix-list list entries
prefix-
list-name
[network/le
ngth]
clear ipv6
prefix-list
prefix-
list-name
[network/le
ngth]

USING ROUTE MAPS WITH ROUTE

REDISTRIBUTION

Router(conf Creates a route map called MY_MAP.

ig)# route- This route-map statement will be
map MY_MAP used to permit redistribution based on
permit 10 subsequent criteria. A sequence
number of 10 is assigned

Router(conf Specifies the match criteria (the

ig-route- conditions that should be tested); in
map)# match this case, match addresses filtered
ip address using a standard access list number 5
5

Router(conf Specifies the set action (what action is

ig-route- to be performed if the match criteria is
map)# set met); in this case, set the external
metric 500 metric to 500 (instead of the default
value of 20 for OSPF)

Router(conf Specifies a second set action for the

ig-route- same match criteria. In this case, set
map)# set the external OSPF network type to E1
metric-type
type-1

Router(conf Adds a second statement to the

ig-route- MY_MAP route map that will deny
map)# redistribution based on subsequent
route-map criteria
MY_MAP deny
20

Router(conf Specifies the match criteria (the

ig-route- conditions that should be tested); in
map)# match this case, match addresses filtered
ip address using a prefix list named MY_PFL
prefix-list
MY_PFL

Router(conf Adds a third statement to the MY_MAP

ig-route- route map that will permit
map)# redistribution based on subsequent
route-map criteria
MY_MAP
permit 30
Note

When no “match” criteria are explicitly specified, all

other routes will be redistributed with the following
“set” criteria applied

Router(conf Specifies the set action (what action is

ig-route- to be performed if the match criteria is
map)# set met); in this case, since no match
metric 5000 criteria is defined, it sets the external
metric to 5000 (instead of the default
value of 20) for all other routes

Router(conf Specifies a second set action for the

ig-route- same match criteria; in this case, set the
map)# set external OSPF network type to E2. This
metric-type is optional since the default type for
type-2 redistributed routes into OSPF is
external type 2

Router(conf Enters OSPF process ID 10 routing

ig-route- process
map)#
router ospf
10

Router(conf Redistributes only EIGRP routes into

ig-router)# OSPF that are permitted by route map
redistribut MY_MAP
e eigrp 1
route-map
MY_MAP
subnets

Note
When used to filter redistribution, route map permit or deny statements determine whether
the route will be redistributed. Routes without a match will not be redistributed. Like an
access list or prefix list, a route map stops processing at the first match and there is also an
implicit deny statement at the end.

Configuration Example: Route Maps

Figure 6-8 shows the network topology for the
configuration that follows, which demonstrates how to
control redistribution with a route map using the
commands covered in this chapter. Assume that all
basic configurations and EIGRP and OSPF routing have
been configured correctly.
Figure 6-8 Network Topology for Route Map
Configuration

The objective is to only redistribute networks

172.16.1.0/24 and 172.16.2.0/24 into OSPF and
advertise them as external type 1 (E1) routes with an
external metric of 50.

Hull(config) Creates a standard ACL number 5 and

# access- explicitly permits the 172.16.1.0/24
list 5 network
permit
172.16.1.0
0.0.0.255

Hull(config) Adds a second line to ACL 5 that

# access- explicitly permits the 172.16.2.0/24
list 5 network
permit
172.16.2.0
0.0.0.255

Hull(config) Creates a route map called FILTER.

# route-map This route map will permit traffic
FILTER based on subsequent criteria. A
permit 10 sequence number of 10 is assigned

Hull(config- Specifies the match criteria; match

route-map)# addresses filtered from ACL 5
match ip
address 5

Hull(config- Specifies the set actions (what actions

route-map)# are to be performed if the match
set metric criterion is met); in this case, sets the
50 external metric to 50 and sets the type
to external type 1 (E1)

Hull(config-
route-map)#
set metric-
type type-1

Hull(config- Enters OSPF process ID 1 routing

route-map)# process
router ospf
1

Hull(config) Redistributes only those EIGRP

# networks into OSPF that match the
redistribute route map
eigrp 10
subnets
route-map Note

FILTER Networks 172.16.2.0/24 and 172.16.3.0/24 will not

be redistributed because of the implicit deny any at
the end of the route map

MANIPULATING REDISTRIBUTION
USING ROUTE TAGGING
There are several ways redistribution can be enabled,
including one-way one-point, two-way one-point, one-
way multipoint, and two-way multipoint redistribution.
Two-way multipoint redistribution can introduce
routing loops in the network. One option to prevent
redistribution of already redistributed routes is to use
route tagging. In two-way multipoint redistribution
scenarios, route tags must be applied and filtered in
both directions and on both routers performing
redistribution.

Figure 6-9 shows the network topology for the

configuration that follows, which demonstrates how to
control redistribution with route tags using the
commands covered in this chapter. Assume that all
basic configurations and EIGRP and OSPF routing have
been configured correctly. A tag number of 11 is used to
identify OSPF routes, and a tag of 22 is used to identify
EIGRP routes.

Figure 6-9 Network Topology for Redistribution

Using Route Tagging

The following configuration only shows the commands

entered on the Hull router. For filtering using route
tags, the following configuration would need to be
entered on both the Hull and Wendover routers.
Hull(config)# Creates a route map named
route-map EIGRPtoOSPF and denies
EIGRPtoOSPF redistribution for all routes
deny 10 tagged with the value 11

Hull(config-
route-map)#
match tag 11

Hull(config- Creates a second statement for

route-map)# route map EIGRPtoOSPF
route-map permitting all other routes to be
EIGRPtoOSPF redistributed with a tag of 22
permit 20

Hull(config-
route-map)# set
tag 22

Hull(config- Creates a route map named

route-map)# OSPFtoEIGRP and denies
route-map redistribution for all routes
OSPFtoEIGRP tagged with the value 22
deny 10
Hull(config-
route-map)#
match tag 22

Hull(config- Creates a second statement for

route-map)# route map OSPFtoEIGRP
route-map permitting all other routes to be
OSPFtoEIGRP redistributed with a tag of 11
permit 20

Hull(config-
route-map)# set
tag 11

Hull(config- Enters OSPF configuration mode

route-map)#
router ospf 11

Hull(config- Redistributes all EIGRP routes

router)# with a tag of 22 into the OSPF
redistribute domain
eigrp 22
subnets route-
map EIGRPtoOSPF
Hull(config- Enters EIGRP configuration
router)# router mode
eigrp 22

Hull(config- Redistributes all OSPF routes

router)# with a tag of 11 into the EIGRP
redistribute domain
ospf 11 metric
1500 1 255 1
1500 route-map Note

OSPFtoEIGRP The result here is to ensure that only routes

originating in the OSPF domain are
redistributed into EIGRP, while only routes
originating in the EIGRP domain are
redistributed into the OSPF domain. This
avoids a scenario where a route is
redistributed back into the domain from
which it originated

CHANGING ADMINISTRATIVE
DISTANCE
The commands to change the administrative distance
(AD) for internal and external routes are as follows.

Router(config)# Starts the OSPF routing

router ospf 1 process

Router(config- Changes the AD to 105 for

router)# distance intra-area and interarea
ospf intra-area 105 routes, and changes the AD
inter-area 105 to 125 for external routes
external 125

Router(config)# Starts the EIGRP routing

router eigrp 100 process

Router(config- Changes the AD to 80 for

router)# distance internal EIGRP routes and
eigrp 80 105 to 105 for EIGRP external
routes

Router(config)# Starts the BGP routing

router bgp 65001 process

Router(config- Changes the AD to 30 for

router)# distance external BGP routes, 200
bgp 30 200 220 for internal BGP routes,
and 220 for local BGP
routes
It is also possible to change the AD for certain routes
learned from specific neighbors. These commands can
be used for all routing protocols.

Router(conf Sets an AD of 50 for all routes learned

ig-router)# through a specific routing protocol
distance 50

Router(conf Sets an AD of 255 for all routes learned

ig-router)# through a specific routing protocol. This
distance instructs the router to ignore all routing
255 updates from networking devices for
which an explicit distance has not been
set

Router(conf Sets the AD to 85 for all routes learned

ig-router)# from neighbors on network
distance 85 192.168.40.0/24
192.168.40.
0 0.0.0.255

Router(conf Sets the AD to 125 for all routes

ig-router)# specifically from neighbor
distance 172.16.200.5/32 that match ACL 10
125
172.16.200.
5 0.0.0.0
10

PATH CONTROL WITH POLICY-BASED

ROUTING
Path control is the mechanism that changes default
packet forwarding across a network. It is not quality of
service (QoS) or MPLS Traffic Engineering (MPLS-TE).
Path control is a collection of tools or a set of commands
that gives you more control over routing by extending
and complementing the existing mechanisms provided
by routing protocols. Bypassing the default packet
forwarding decision may be required to obtain better
resiliency, performance, or availability in your network.

Configuring Policy Based Routing (PBR) is a two-step

process. First, a route map is created that specifies the
new forwarding decision to be implemented. Second,
the route map is applied to an incoming interface.

Router(confi Creates a route map named ISP1. This

g)# route- route map will permit traffic based on
map ISP1 subsequent criteria. A sequence
permit 10 number of 10 is assigned

Note

In route maps, the default action is to permit

Note

The sequence-number is used to indicate the

position the route map statement is to have within
the route map. A route map is composed of route
map statements with the same route map name. If
no sequence number is given, the first statement in
the route map is automatically numbered as 10

Router(confi Specifies the match criteria (the

g-route- conditions that should be tested); in
map)# match this case, match addresses using ACL
ip address 1 1

Router(confi Specifies the set action (what action is

g-route- to be performed if the match criteria
map)# set ip are met); in this case, output packets
next-hop
209.165.201. to the router at IP address
1 209.165.201.1

Router(confi Specifies the set action (what action is

g-route- to be performed if the match criteria
map)# set are met); in this case, forward packets
interface out interface Serial 0/2/0
serial 0/2/0

Note

If no explicit route exists in the routing table for the

destination network address of the packet (that is,
the packet is a broadcast packet or destined to an
unknown address), the set interface command has
no effect and is ignored

Note

A default route in the routing table will not be

considered an explicit route for an unknown
destination address

Router(confi Defines where to output packets that

g-route- pass a match clause of a route map for
map)# set ip policy routing and for which the
default
next-hop router has no explicit route to the
209.165.201. destination address
1

Router(confi Defines where to output packets that

g-route- pass a match clause of a route map for
map)# set policy routing and for which the
default router has no explicit route to the
interface destination address
serial 0/2/0

Note

This is recommended for point-to-point links only

Router(confi Returns to global configuration mode

g-route-
map)# exit

Router(confi Moves to interface configuration

g)# mode
interface
gigabitether
net 0/0/0
Router(confi Specifies a route map to use for policy
g-if)# ip routing on an incoming interface that
policy is receiving the packets that need to be
route-map policy routed
ISP1

Router(confi Returns to global configuration mode

g-if)# exit

Router(confi Specifies a route map to use for policy

g)# ip local routing on all packets originating on
policy the router
route-map
ISP1

Tip
Packets that are generated by the router are not normally policy routed. Using the ip local
policy route-map [map-name] command will make these packets adhere to a policy. For
example, you may want packets originating from the router to take a route other than the
best path according to the routing table.

VERIFYING POLICY-BASED ROUTING

Router# show Displays route maps that are

ip policy configured on the interfaces

Router# show Displays route maps

route-map
[map-name]

Router# Enables the display of IP policy

debug ip routing events
policy

Router# Enables the extended traceroute

traceroute command, which allows the
specification of the source address

Router# ping Enables the extended ping command,

which allows for the specification of
the source address

CONFIGURATION EXAMPLE: PBR

WITH ROUTE MAPS
Figure 6-10 shows the network topology for the
configuration that follows, which demonstrates how to
configure PBR with route maps using the commands
covered in this chapter.
Figure 6-10 Network Topology for PBR with Route
Maps

The objective is to forward Internet traffic sourced from

the 10.1.1.0/24 network to ISP 1 and traffic sourced
from the 10.1.2.0/24 network to ISP 2. Assume that all
basic configurations and routing have been configured.

R1(config)# Creates a standard access list that

access-list matches traffic originating from
11 permit network 10.1.1.0/24. The number 11 is
10.1.1.0 used for this ACL
0.0.0.255

R1(config)# Creates a standard access list that

access-list matches traffic originating from
12 permit
10.1.2.0 network 10.1.2.0/24. The number 12
0.0.0.255 is used for this ACL

R1(config)# Creates a route map named PBR. This

route-map route map will permit traffic based on
PBR permit subsequent criteria. A sequence
10 number of 10 is assigned

R1(config- Specifies the match criteria—match

route-map)# addresses permitted by ACL 11
match ip
address 11

R1(config- Specifies the set action (what action is

route-map)# to be performed if the match criteria
set ip next- are met); in this case, forward packets
hop to the router at 192.168.1.1 (ISP1)
192.168.1.1

R1(config- Adds a second statement to the PBR

route-map)# route map. A sequence number of 20
route-map is assigned
PBR permit
20
R1(config- Specifies the match criteria; match
route-map)# addresses permitted by ACL 12
match ip
address 12

R1(config- Specifies the set action (what action is

route-map)# to be performed if the match criteria
set ip next- are met); in this case, forward packets
hop to the router at 192.168.2.1 (ISP 2)
192.168.2.1

R1(config- Adds a third statement to the PBR

route-map)# route map. A sequence number of 30
route-map is assigned
PBR permit
30

R1(config- Specifies that all other traffic not

route-map)# matching ACL 11 or ACL 12 will be
set default sent to the Null0 interface (traffic is
interface dropped)
null0

R1(config- Exits the route map configuration

route-map)# mode
exit
R1(config)# Enters GigabitEthernet 0/0/0
interface interface configuration mode
gigabitether
net 0/0/0

R1(config- Applies the PBR route map to the

if)# ip interface. This is the incoming
policy interface receiving the packets to be
route-map policy-routed
PBR

CISCO IOS IP SLA

Cisco IOS IP service level agreements (SLAs) send data
across the network to measure performance between
multiple network locations or network paths. They
simulate network data and IP services and collect
network performance information in real time. IP SLAs
can also send SNMP traps that are triggered by events
such as these:

Connection loss

Timeout
Round-trip time threshold

Average jitter threshold

One-way packet loss

One-way jitter

One-way mean opinion score (MOS)

One-way latency

Cisco IOS IP SLAs can also test the following services:

DNS

HTTP

DHCP

FTP

Note
Cisco IOS IP SLAs are used to perform network performance measurements within Cisco
Systems devices using active traffic monitoring.

Tip
SLAs use time-stamp information to calculate performance metrics such as jitter, latency,
network and server response times, packet loss, and mean opinion score.

Figure 6-11 is the network topology for the IP SLA

commands.
Figure 6-11 IP SLA Network Topology

DLS1# Enters global configuration mode

configur
e
terminal
DLS1(con Creates an IP SLA operation and enters IP
fig)# ip SLA configuration mode
sla 11

DLS1(con Configures the IP SLA as an ICMP echo

fig-ip- operation and enters ICMP echo
sla)# configuration mode
icmp-
echo
10.1.2.1 Note

source- The ICMP echo operation does not require the IP SLA
responder to be enabled
ip
10.1.1.1

DLS1(con Sets the rate at which the IP SLA operation

fig-ip- repeats. Frequency is measured in seconds.
sla- The default value is 60 seconds
echo)#
frequenc
y 5

DLS1(con Exits IP SLA configuration mode

fig-ip-
sla-
echo)#
exit
DLS1(con Configures the IP SLA operation
fig)# ip scheduling parameters to start now and
sla continue forever
schedule
11
start- Note

time now The start time for the SLA can be set to a particular time and
day, to be recurring, to be activated after a threshold is
life passed, and kept as an active process for a configurable
forever number of seconds

DLS2(con Enables IP SLA responder functionality in

fig)# ip response to control messages from the
sla source. This command is entered on the
responde target device
r

DLS1(con Creates an IP SLA operation and enters IP

fig)# ip SLA configuration mode
sla 12

DLS1(con Configures the IP SLA as an ICMP path-

fig-ip- jitter operation and enters path-jitter
sla)# configuration mode. ICMP path jitter
path- provides hop-by-hop jitter, packet loss, and
jitter delay measurement statistics in an IP
172.19.1 network. Adding the targetOnly keyword
.2 bypasses the hop-by-hop measurements
source- and echo probes are sent to the destination
ip only
10.1.1.1
[targetO
nly] Note

The ICMP path-jitter SLA sends 10 packets per operation

with a 20-ms time interval between them by default. These
values are configurable

DLS1(con Sets the rate at which the IP SLA operation

fig-ip- repeats. The default value is 60 seconds
sla-
path-
jitter)#
frequenc
y 5

DLS1(con Exits path-jitter configuration mode

fig-ip-
sla-
path-
jitter)#
exit
DLS1(con Configures the IP SLA operation
fig)# ip scheduling parameters to start at 7 a.m.
sla and continue for 1 hour every day. 3600
schedule seconds is the default life time for an IP
12 SLA. The switch will require accurate time
recurrin and date to implement the SLA schedule

g start-
time
07:00
life
3600

Tip
When using udp-echo, udp-jitter, or tcp-connect IP SLA operations, you must configure
the target device as an IP SLA responder with either the udp-echo or tcp-connect
commands.

Configuring Authentication for IP SLA

Router(config)# key Identifies a key chain

chain Juliet

Router(config-keychain)# Identifies the key

key 1 number

Router(config-keychain)# Identifies the key

key-string Shakespeare string

Router(config-keychain)# Returns to global

exit configuration mode

Router(config)# ip sla Applies the key chain

key-chain Juliet to the IP SLA process

Note

This must also be done

on the responder

Monitoring IP SLA Operations

Router# show ip Displays global information

sla application about Cisco IOS IP SLAs
Note

The show ip sla application command

displays supported SLA operation types
and supported SLA protocols

Router# show ip Displays configuration values

sla including all defaults for SLA 11
configuration 11

Note

The use of a number in this command is

optional

Router# show ip Displays current or aggregated

sla statistics operational status and statistics

PBR WITH CISCO IOS IP SLA

Figure 6-12 shows the network topology for the
configuration that follows, which shows the use of PBR
with Cisco IOS IP SLA functionality for path control.
Assume that all basic configurations have been
configured.
Figure 6-12 Network Topology for PBR with IOS IP
SLA

Customer requirements:

Customer A is multihoming to ISP 1 and ISP 2.

The link to ISP 1 is the primary link for all traffic.

Customer A is using default routes to the Internet

service providers (ISPs).

Customer A is using these default routes with different

administrative distances to make ISP 1 the preferred
route.

Potential problem: If ISP 1 is having uplink

connectivity problems to the Internet, Customer A will
still be sending all its traffic to ISP 1, only to have that
traffic get dropped by the ISP.
Possible solutions: (1) IOS IP SLA can be used to
conditionally announce the default route, or (2) the IP
SLA can be used to verify availability for PBR.

Follow these steps to configure Cisco IOS IP SLA

functionality:

1. Define probe(s).
2. Define tracking object(s).
3a. Define the action on the tracking object(s).
or
3b. Define policy routing using the tracking object(s).
4. Verify IP SLA operations.

Note
Only the configuration on R1 for neighbor ISP 1 is shown. Typically, in a multihoming
scenario, R1 would be configured with two SLAs, two tracking objects, and two default
routes (one for each ISP) with different AD values.

Step 1: Define Probe(s)

R1(config)# ip Begins configuration for an IP

sla 1 SLA operation and enters SLA
configuration mode. 1 is the
operation number and can be a
number between 1 and 2 147 483
647

R1(config-ip- Defines an ICMP echo operation

sla)# icmp-echo to destination address 192.168.1.1
192.168.1.1 using a source interface of
source-interface GigabitEthernet 0/0/0 and
gigabitethernet enters ICMP echo configuration
0/0/0 mode

Tip

Typically, the address tested is farther

within the ISP network instead of the next
hop

R1(config-ip- Sets the rate at which the

sla-echo)# operation repeats. Measured in
frequency 10 seconds from 1 to 604 800 (7
days)

R1(config-ip- Length of time the operation

sla-echo)# waits to receive a response from
timeout 5000 its request packet, in
milliseconds. Range is 0 to 604
800 000
Tip

It is recommended that the timeout value

be based on the sum of both the
maximum round-trip time (RTT) value for
the packets and the processing time of
the IP SLAs operation

R1(config-ip- Exits IP SLA ICMP echo

sla-echo)# exit configuration mode and returns
to global configuration mode

R1(config)# ip Sets a schedule for IP SLA

sla schedule 1 monitor 1. Packets will be sent
start-time now out immediately and will
life forever continue forever

Step 2: Define Tracking Object(s)

R1(config)# track Configures a tracking object

11 ip sla 1 to track the reachability of IP
reachability SLA 1
R1(config-track)# Returns to global
exit configuration mode

Step 3a: Define the Action on the Tracking Object(s)

R1(config)# ip Adds a default route with a next

route 0.0.0.0 hop of 192.168.1.1 with an AD of
0.0.0.0 2 to the routing table if tracking
192.168.1.1 2 object 11 is up
track 11

Step 3b: Define Policy Routing Using the Tracking

Object(s)

R1(config)# Creates a route map that will use the

route-map tracking object. No match criteria is
IPSLA permit specified so all traffic will be policy
10 routed

R1(config- Configures policy routing to verify

route-map)# the reachability of the next hop
set ip next- 192.168.1.1 before the router
hop verify- performs policy routing to that next
availability hop. A sequence number of 10 is
192.168.1.1 used and tracking object 11 is
10 track 11 referenced

Note

The sequence number is used when tracking the

availability of multiple addresses. Each address
tracked would get its own sequence number (for
example, 10, 20, 30). If the first tracking objects
fails, the next one in the sequence is used. If all
tracking objects fail, the policy routing fails, and
the packets are routed according to the routing
table

R1(config- Enters interface configuration mode

route-map)#
interface
gigabitethern
et 0/0/0

R1(config- Applies the IPSLA route map to the

if)# ip interface. This is the incoming
policy route- interface receiving the packets to be
map IPSLA policy routed
Step 4: Verify IP SLA Operations

R1# show ip Displays configuration values

sla including all defaults for all SLAs
configuration

R1# show ip Displays the current operational

sla status and statistics of all SLAs
statistics

R1# show Displays information about objects

track that are tracked by the tracking
process

Note
Effective with Cisco IOS Releases 12.4(4)T, 12.2(33)SB, and 12.2(33)SXI, the ip sla
monitor command is replaced by the ip sla command.

Note
Effective with Cisco IOS Releases 12.4(4)T, 12.2(33)SB, and 12.2(33)SXI, the type echo
protocol ipIcmpEcho command is replaced by the icmp-echo command.
Note
Effective with Cisco IOS Releases 12.4(20)T, 12.2(33)SXI1, and 12.2(33)SRE and Cisco
IOS XE Release 2.4, the track rtr command is replaced by the track ip sla command.

Note
Effective with Cisco IOS Releases 12.4(20)T, 12.2(33)SXI1, and 12.2(33)SRE and Cisco
IOS XE Release 2.4, the show ip sla monitor configuration command is replaced by the
show ip sla configuration command.

Note
Effective with Cisco IOS Releases 12.4(20)T, 12.2(33)SXI1, and 12.2(33)SRE and Cisco
IOS XE Release 2.4, the show ip sla monitor statistics command is replaced by the show
ip sla statistics command.
Chapter 7
BGP

This chapter provides information about the following

topics:

Configuring BGP: classic configuration

Configuring Multiprotocol BGP (MP-BGP)

Configuring BGP: address families

Configuration example: using MP-BGP address

families to exchange IPv4 and IPv6 routes

BGP support for 4-byte AS numbers

BGP timers

BGP and update-source

IBGP next-hop behavior

EBGP multihop

Attributes
Route selection decision process—the BGP best
path algorithm

Weight attribute

Using AS path access lists to manipulate the

weight attribute

Using prefix lists and route maps to manipulate

the weight attribute

Local preference attribute

Using AS path access lists and route maps to

manipulate the local preference attribute

AS Path attribute prepending

AS Path: removing private autonomous systems

Multi-exit Discriminator (MED) attribute

Verifying BGP

Troubleshooting BGP

Default routes

Route aggregation

Route reflectors

Regular expressions

Regular expressions: examples

BGP route filtering using access lists and distribute lists

Configuration example: using prefix lists and AS path

access lists

BGP peer groups

Authentication for BGP

Configuring authentication between BGP peers

Verifying BGP authentication

CONFIGURING BGP: CLASSIC

CONFIGURATION

Router(conf Starts BGP routing process 100

ig)# router
bgp 100
Note

Cisco IOS Software permits only one Border Gateway

Protocol (BGP) process to run at a time; therefore, a
router cannot belong to more than one autonomous
system (AS)

Router(conf Identifies a peer router with which this

ig-router)# router will establish a BGP session. The
AS number will determine whether the
neighbor neighbor router is an external BGP
192.31.7.1 (EBGP) or internal BGP (IBGP)
remote-as neighbor
200

Tip

If the AS number configured in the router bgp

command is identical to the AS number configured
in the neighbor statement, BGP initiates an internal
session (IBGP). If the field values differ, BGP builds
an external session (EBGP)

Tip

neighbor statements must be symmetrical for a

neighbor relationship to be established

Router(conf Tells the BGP process what locally

ig-router)# learned networks to advertise
network
192.135.250
.0 Note

The networks can be connected routes, static routes,

or routes learned via a dynamic routing protocol, such
as Open Shortest Path First (OSPF)
Note

Configuring just a network statement will not

establish a BGP neighbor relationship

Note

The networks must also exist in the local router’s

routing table; otherwise, they will not be sent out in
updates

Router(conf Used to specify an individual subnet

ig-router)# that must be present in the routing
network table or it will not be advertised by BGP
128.107.0.0
mask
255.255.255
.0

Tip
Routes learned by the BGP process are propagated by default but are often filtered by a
routing policy.
Caution
If you misconfigure a network command, such as the example network 192.168.1.1 mask
255.255.255.0, BGP will look for exactly 192.168.1.1/24 in the routing table. It may find
192.168.1.0/24 or 192.168.1.1/32; however, it may never find 192.168.1.1/24. Because there
is no exact match for the 192.168.1.1/24 network, BGP does not announce it to any
neighbors.

Tip
If you issue the command network 192.168.0.0 mask 255.255.0.0 to advertise a CIDR
block, BGP will look for 192.168.0.0/16 in the routing table. It may find 192.168.1.0/24 or
192.168.1.1/32; however, it may never find 192.168.0.0/16. Because there is no exact match
for the 192.168.0.0/16 network, BGP does not announce it to any neighbors. In this case,
you can configure a static route towards the Null interface so BGP can find an exact match
in the routing table:
Click here to view code image

ip route 192.168.0.0 255.255.0.0 null0

After finding this exact match in the routing table, BGP will announce the 192.168.0.0/16
network to any neighbors.

CONFIGURING MULTIPROTOCOL BGP

(MP-BGP)
Original BGP was designed to carry only IPv4-specific
information. A recent extension was defined to also
support other protocols like IPv6. This extension is
called MP-BGP (Multiprotocol BGP). MP-BGP is the
supported Exterior Gateway Protocol (EGP) for IPv6.
IPv6 enhancements to MP-BGP include support for
IPv6 address family configuration. You can run MP-
BGP over IPv4 or IPv6 transport and can exchange
routes for IPv4, IPv6, or both. BGP uses TCP for
peering, and this has no relevance to the routes carried
inside the BGP exchanges. Both IPv4 and IPv6 can be
used to transport a TCP connection on the network
layer.

R1(config) Enables the forwarding of IPV6 unicast

# ipv6 datagrams globally on the router
unicast-
routing

R1(config) Starts the BGP routing process

# router
bgp 65500

R1(config- Configures a fixed 32-bit router ID as the

router)# identifier of the local device running BGP
bgp
router-id
192.168.99 Note

.70 Configuring a router ID using the bgp router-id

command resets all active BGP peering sessions, if any
are already established
R1(config- Disables the IPv4 unicast address family
router)# for the current BGP routing process
no bgp
default
ipv4- Note

unicast Routing information for the IPv4 unicast address family is

advertised by default for each BGP routing session
configured with the neighbor remote-as command
unless you configure the no bgp default ipv4-unicast
command before configuring the neighbor remote-as
command. This command is optional and only required if
the router is only routing for IPv6

R1(config- Configures an IPv6 BGP neighbor

router)#
neighbor
2001:0db8:
12::2
remote-as
65501

Note
When configuring BGP on a device that is enabled only for IPv6 (that is, the device does not
have an IPv4 address), you must manually configure the BGP router ID for the device. The
BGP router ID, which is represented as a 32-bit value using an IPv4 address syntax, must
be unique to the BGP peers of the device.
CONFIGURING BGP: ADDRESS
FAMILIES

Router(confi Starts BGP routing process 100

g)# router
bgp 100

Router(confi Adds the IPv4 address of the neighbor

g)# neighbor in the specified AS to the IPv4
10.0.0.44 multiprotocol BGP neighbor table of
remote-as the local device
200

Router(confi Adds the IPv6 address of the neighbor

g)# neighbor in the specified AS to the IPv6
2001:db8:0:c multiprotocol BGP neighbor table of
c00::1 the local device
remote-as
200

Router(confi Enters into address-family

g-router)# configuration mode for IPv4. By
address- default, the device is placed in
family ipv4 configuration mode for the IPv4
unicast address family if a keyword is
not specified

Router(confi Enters into address-family

g-router)# configuration mode and specifies only
address- multicast address prefixes for the IPv4
family ipv4 address family
multicast

Router(confi Enters into address-family

g-router)# configuration mode and specifies only
address- unicast address prefixes for the IPv4
family ipv4 address family
unicast

Router(confi Enters into address-family

g-router)# configuration mode and specifies
address- CustomerA as the name of the VRF
family ipv4 instance to associate with subsequent
vrf IPv4 address-family configuration
CustomerA mode commands

Note

Use this form of the command, which specifies a

VRF, only to configure routing exchanges between
provider edge (PE) and customer edge (CE) devices
Router(confi Enables the exchange of information
g-router- with a BGP neighbor
af)#
neighbor
10.0.0.44
activate

Router(confi Disables the exchange of information

g-router- with the specified IPv6 neighbor
af)# no
neighbor
2001:db8:1:1
::1 activate

Router(confi Specifies the network to be advertised

g-router- by the BGP routing process
af)# network
10.108.0.0
mask
255.255.0.0

Router(confi Exits the IPv4 unicast address family

g-router-
af)# exit

Router(confi Enters into address-family

g-router)# configuration mode for IPv6
address-
family ipv6
Note

By default, the device is placed into configuration

mode for the IPv6 unicast address family. The
keyword multicast is also a valid entry here, just like
in IPv4

Router(confi Enables the neighbor to exchange

g-router- prefixes for the IPv6 address family
af)# with the local device
neighbor
2001:db8:0:c
c00::1
activate

Router(confi Specifies the network to be advertised

g-router- by the BGP routing process
af)# network
2001:db8:1:1
::/64
CONFIGURATION EXAMPLE: USING
MP-BGP ADDRESS FAMILIES TO
EXCHANGE IPV4 AND IPV6 ROUTES
In this example, MP-BGP is used to exchange both IPv4
and IPv6 routes. The IPv4 routes will use an IPv4 TCP
connection, and the IPv6 routes will use an IPv6 TCP
connection.

Figure 7-1 shows the network topology for the

configuration that follows, which demonstrates how to
configure MP-BGP using address families to exchange
both IPv4 and IPv6 routes. Assume that all basic
configurations are accurate.

Figure 7-1 Configuring MP-BGP Using Address

Families to Exchange IPv4 and IPv6 Routes

R1(config)# Enables the forwarding of IPv6

ipv6 unicast- unicast datagrams globally on the
router
routing

R1(config)# Starts the BGP routing process

router bgp
65500

R1(config- Configures R2 as an IPv6 BGP

router)# neighbor
neighbor
2001:db8:12::2
remote-as
65501

R1(config- Configures R2 as an IPv4 BGP

router)# neighbor
neighbor
192.168.1.2
remote-as
65501

R1(config- Enters IPv4 address-family

router)# configuration mode for unicast
address-family address prefixes
ipv4 unicast
Tip

Unicast address prefixes are the default

when IPv4 address prefixes are configured

R1(config- Enables the exchange of IPv4 BGP

router-af)# information with R2. The IPv4
neighbor neighbors will be automatically
192.168.1.2 activated, so this command is
activate optional

R1(config- Advertises an IPv4 network into

router-af)# BGP
network
10.1.1.1 mask
255.255.255.25
5

R1(config- Exits the IPv4 address-family

router-af)# configuration mode
exit

R1(config- Enters IPv6 address-family

router)# configuration mode for unicast
address prefixes
address-family
ipv6 unicast
Tip

Unicast address prefixes are the default when

IPv6 address prefixes are configured

R1(config- Enables the exchange of IPv6 BGP

router-af)# information with R2
neighbor
2001:db8:12::2
activate

R1(config- Advertises an IPv6 network into

router-af)# BGP
network
2001:db8:1::1/
64

R2(config)# Enables the forwarding of IPv6

ipv6 unicast- unicast datagrams globally on the
routing router

R2(config)# Starts the BGP routing process

router bgp
65501

R2(config- Configures R1 as an IPv6 BGP

router)# neighbor
neighbor
2001:db8:12::1
remote-as
65500

R2(config- Configures R1 as an IPv4 BGP

router)# neighbor
neighbor
192.168.1.1
remote-as
65500

R2(config- Enters IPv4 address-family

router)# configuration mode for unicast
address-family address prefixes
ipv4 unicast

R2(config- Enables the exchange of IPv4 BGP

router-af)# information with R1. The IPv4
neighbor neighbors will be automatically
192.168.1.1 activated, so this command is
activate optional
R2(config- Advertises an IPv4 network into
router-af)# BGP
network
10.2.2.2 mask
255.255.255.25
5

R2(config- Exits the IPv4 address-family

router-af)# configuration mode
exit

R2(config- Enters IPv6 address-family

router)# configuration mode for unicast
address-family address prefixes
ipv6 unicast

R2(config- Enables the exchange of IPv6 BGP

router-af)# information with R1
neighbor
2001:db8:12::1
activate

R2(config- Advertises an IPv6 network into

router-af)# BGP
network
2001:db8:2::1/
64

BGP SUPPORT FOR 4-BYTE AS

NUMBERS
Prior to January 2009, BGP autonomous system (AS)
numbers that were allocated to companies were two-
octet numbers in the range from 1 to 65 535 as described
in RFC 4271. Due to increased demand for AS numbers,
the Internet Assigned Number Authority (IANA) started
to allocate four-octet AS numbers in the range from 65
536 to 4 294 967 295.

Cisco has implemented the following two methods:

Asplain: Decimal value notation where both 2-byte

and 4-byte AS numbers are represented by their
decimal value. For example, 65 526 is a 2-byte AS
number and 234 567 is a 4-byte AS number.

Asdot: Autonomous system dot notation where 2-byte

AS numbers are represented by their decimal value and
4-byte AS numbers are represented by a dot notation.
For example, 65 526 is a 2-byte AS number and
1.169031 is a 4-byte AS number (this is dot notation for
the 234 567 decimal number).

Cisco implementation of 4-byte autonomous system

(AS) numbers uses asplain—65 538, for example—as the
default regular expression match and output display
format for AS numbers, but you can configure 4-byte AS
numbers in both the asplain format and the asdot
format as described in RFC 5396.

Router(c Changes the default output format of BGP

onfig- 4-byte AS numbers from asplain (decimal
router)# values) to dot notation. Use the no
bgp keyword with this command to revert to
asnotati the asplain format

on dot

Note

4-byte AS numbers can be configured using either asplain

format or asdot format. This command affects only the
output displayed for show commands or the matching of
regular expressions

Router# Clears and resets all current BGP sessions

clear ip
bgp * A hard reset is performed to ensure that
the 4-byte AS number format change is
reflected in all BGP sessions

BGP TIMERS

Router(con Sets BGP network timers. BGP

fig- keepalives will be sent every 70 seconds
router)# and the holdtime for declaring a BGP
timers bgp peer as dead is set to 120 seconds
70 120

Note

By default, the keepalive timer is set to 60 seconds and

the holdtime timer is set to 180 seconds

BGP AND UPDATE-SOURCE

Router(con Starts the BGP routing process

fig)#
router bgp
100

Router(con The update-source keyword informs

fig- the router to use any operational
router)# interface as the source IP address for
neighbor TCP connections. The loopback interface
172.16.1.2 is commonly selected because it never
goes down, which adds stability to the
update-
configuration
source
loopback 0

Tip

Without the neighbor update-source command, BGP

will use the closest IP interface to the peer. This
command provides BGP with a more robust
configuration, because BGP will still operate in the event
the link to the closest interface fails

Note

You can use the neighbor update-source command

with either EBGP or IBGP sessions. In the case of a
point-to-point EBGP session, this command is not
needed because there is only one path for BGP to use
IBGP NEXT-HOP BEHAVIOR
The EBGP next-hop attribute is the IP address that is
used to reach the advertising router. For EBGP peers,
the next-hop address is, in most cases, the IP address of
the connection between the peers. For IBGP, the EBGP
next-hop address is carried into the local AS.

Figure 7-2 shows the network topology for the

configuration that follows, which demonstrates how to
configure the next-hop attribute. The objective here is to
allow R3 to learn the correct next-hop address when
trying to reach networks outside its AS. Assume that all
basic and OSPF configurations are accurate.

Figure 7-2 IBGP Next-Hop Behavior

R2(config) Starts the BGP routing process

# router
bgp 64511
R2(config- Identifies R1 as an EBGP neighbor
router)#
neighbor
209.165.20
2.129
remote-as
64496

R2(config- Identifies R3 as an IBGP neighbor

router)#
neighbor
172.16.1.2
remote-as
64511

R2(config- Informs R2 to use the Loopback 0 IP

router)# address (172.16.1.1) as the source IP
neighbor address for all BGP TCP packets sent to
172.16.1.2 R3
update-
source
loopback 0

R2(config- Allows R2 to advertise itself as the next

router)# hop to its IBGP neighbor for networks
neighbor learned from AS 64496. R3 will then use
172.16.1.2 172.16.1.1 as the next hop to reach
next-hop- network 209.165.201.0/27 instead of
self using the EBGP next hop of
209.165.202.129

EBGP MULTIHOP
By default, EBGP neighbors exchange packets with a
TTL (Time To Live) set to 1. If you attempt to establish
an EBGP session between loopbacks, BGP packets will
be dropped due to an expired TTL.

Figure 7-3 shows the network topology for the

configuration that follows, which demonstrates how to
configure EBGP multihop. Assume that all basic
configurations are accurate.

Figure 7-3 EBGP Multihop

R1(config)# ip Defines a static route to the
route 10.20.20.1 Loopback 0 address on R2
255.255.255.255
209.165.201.2

R1(config)# Starts the BGP routing process

router bgp 64496

R1(config- Identifies a peer router at

router)# neighbor 10.20.20.1
10.20.20.1
remote-as 64511

R1(config- Informs R1 to use the Loopback

router)# neighbor 0 IP address as the source IP
10.20.20.1 address for all BGP TCP
update-source packets sent to R2
loopback 0

R1(config- Allows for two routers that are

router)# neighbor not directly connected to
10.20.20.1 ebgp- establish an EBGP session. A
multihop 2 TTL value of 2 is defined
R2(config)# ip Defines a static route to the
route 10.10.10.1 Loopback 0 address on R1
255.255.255.255
209.165.201.1

R2(config)# Starts the BGP routing process

router bgp 64511

R2(config- Identifies a peer router at

router)# neighbor 10.10.10.1
10.10.10.1
remote-as 64496

R2(config- Informs R2 to use the

router)# neighbor Loopback 0 IP address as the
10.10.10.1 source IP address for all BGP
update-source TCP packets sent to R1
loopback 0

R2(config- Allows for two routers that are

router)# neighbor not directly connected to
10.10.10.1 ebgp- establish an EBGP session. A
multihop 2 TTL value of 2 is defined
Note
The ebgp-multihop keyword is a Cisco IOS option. It must be configured on each peer. The
ebgp-multihop keyword is only used for EBGP sessions, not for IBGP. EBGP neighbors are
usually directly connected (over a WAN connection, for example) to establish an EBGP
session. However, sometimes one of the directly connected routers is unable to run BGP.
The ebgp-multihop keyword allows for a logical connection to be made between peer
routers, even if they are not directly connected. The ebgp-multihop keyword allows for an
EBGP peer to be up to 255 hops away and still create an EBGP session.

Note
If redundant links exist between two EBGP neighbors and loopback addresses are used,
you must configure ebgp-multihop. Otherwise, the router decrements the TTL before giving
the packet to the loopback interface, meaning that the normal IP forwarding logic discards
the packet.

ATTRIBUTES
Routes learned via BGP have associated properties that
are used to determine the best route to a destination
when multiple paths exist to a particular destination.
These properties are referred to as BGP attributes, and
an understanding of how BGP attributes influence route
selection is required for the design of robust networks.
After describing the route selection process, this section
describes the attributes that BGP uses in the route
selection process.

Route Selection Decision Process—The BGP Best

Path Algorithm
Border Gateway Protocol routers typically receive
multiple paths to the same destination. The BGP best
path algorithm decides which is the best path to install
in the IP routing table and to use for traffic forwarding.

Initially, a path is not considered if its next hop cannot

be reached. Afterward, the decision process for
determining the best path to reach a destination is
based on the following:

1. Prefer the path with the highest weight (local to the router).

2. If the weights are the same, prefer the path with the highest
local preference (global within the AS).

3. If the local preferences are the same, prefer the path that
was originated by the local router (next hop = 0.0.0.0).

4. If no route was originated, prefer the route that has the

shortest autonomous system path.

5. If all paths have the same AS path length, prefer the path
with the lowest origin code (where IGP is lower than EGP,
and EGP is lower than Incomplete).

6. If the origin codes are the same, prefer the path with the
lowest Multi-exit Discriminator (MED) attribute.

7. If the paths have the same MED, prefer the external path
(EBGP) over the internal path (IBGP).

8. If the paths are still the same, prefer the path through the
lowest IGP metric to the BGP next hop.
9. Determine if multiple paths require installation in the
routing table for BGP Multipath.

10. For EBGP paths, select the oldest route to minimize the
effects of route flapping.

11. Prefer the route with the lowest neighbor BGP router ID
value.

12. If the originator or router ID is the same for multiple paths,

prefer the path with the minimum cluster list length.

13. If the BGP router IDs are the same, prefer the router with
the lowest neighbor IP address.

Weight Attribute
Weight is a Cisco-specific parameter. The weight is
configured locally on a router and is not propagated to
any other routers. This attribute applies when one
router is used with multiple exit points out of an AS, as
opposed to the local preference attribute, which is used
when two or more routers provide multiple exit points.

Figure 7-4 shows the network topology for the

configuration that follows, which demonstrates how to
configure the weight attribute. Assume that all basic
configurations are accurate.
Figure 7-4 Weight Attribute

Houston(config)# Starts the BGP routing

router bgp 300 process

Houston(config- Identifies a peer router at

router)# neighbor 192.168.7.1
192.168.7.1 remote-as
100
Houston(config- Sets the weight of all
router)# neighbor route updates from
192.168.7.1 weight neighbor 192.168.7.1 to
2000 2000

Houston(config- Identifies a peer router at

router)# neighbor 192.168.219.1
192.168.219.1 remote-
as 200

Houston(config- Sets the weight of all

router)# neighbor route updates from
192.168.219.1 weight neighbor 192.168.219.1 to
1000 1000

The result of this configuration will have Houston

forward traffic to the 172.16.10.0 network through AS
100, because the route entering AS 300 from AS 100 has
a higher weight attribute set compared to that same
route advertised from AS 200.

Note
The weight attribute is local to the router and not propagated to other routers. By default, the
weight attribute is 32 768 for paths that the router originates, and 0 for other paths. Routes
with a higher weight are preferred when there are multiple routes to the same destination.
Using AS Path Access Lists to Manipulate the
Weight Attribute
Refer to Figure 7-4 for the configuration that follows,
which demonstrates how to configure the weight
attribute using AS path access lists.

Houston Starts the BGP routing process

(config
)#
router
bgp 300

Houston Identifies a peer router at 192.168.7.1

(config
-
router)
#
neighbo
r
192.168
.7.1
remote-
as 100

Houston Assigns a weight attribute of 2000 to

(config updates from the neighbor at 192.168.7.1
- that are permitted by access list 5. Access list
router) 5 is defined in the ip as-path access-list 5
# command listed below in global
neighbo configuration mode. Filter list 5 refers to the
r ip as-path access-list 5 command that
defines which path will be used to have this
192.168
weight value assigned to it
.7.1
filter-
list 5
weight
2000

Houston Identifies a peer router at 192.168.219.1

(config
-
router)
#
neighbo
r
192.168
.219.1
remote-
as 200

Houston Assigns a weight attribute of 1000 to updates

(config from the neighbor at 192.168.219.1 that are
- permitted by access list 6. Access list 6 is
router) defined in the ip as-path access-list 5
# command listed below in global
neighbo configuration mode
r
192.168
.219.1
filter-
list 6
weight
1000

Houston Returns to global configuration mode

(config
-
router)
# exit

Houston Permits updates whose AS path attribute

(config shows the update passing through AS 100
)# ip
as-path
access- Note

list 5 The _ symbol is used to form regular expressions. See the

section “Regular Expressions” in this chapter (after the
sections on the different attributes) for more examples
permit
_100_

Houston Permits updates whose AS path attribute

(config shows the update passing through AS 200
)# ip
as-path
access-
list 6
permit
_200_

The result of this configuration will have Houston

forward traffic for the 172.16.10.0 network through AS
100, because it has a higher weight attribute set as
compared to the weight attribute set for the same
update from AS 200. Adding the AS path access list
allows you to filter prefixes based on (1) their
originating AS, (2) the AS they pass through, or (3) the
identity of the connected neighbor AS.

Using Prefix Lists and Route Maps to Manipulate

the Weight Attribute
Refer to Figure 7-4 for the configuration that follows,
which demonstrates how to configure the weight
attribute using prefix lists and route maps. The objective
here is for Houston to prefer the path through Austin to
reach the 172.16.10.0/24 network.

Houston(confi Creates a prefix list that matches the

g)# ip 172.16.10.0/24 network belonging to
prefix-list AS 400
AS400_ROUTES
permit
172.16.10.0/2
4

Houston(confi Creates a route map called

g)# route-map SETWEIGHT. This route map will
SETWEIGHT permit traffic based on the
permit 10 subsequent criteria. A sequence
number of 10 is assigned

Houston(confi Specifies the condition under which

g-route-map)# policy routing is allowed, matching
match ip the AS400_ROUTES prefix list
address
prefix-list
AS400_ROUTES
Houston(confi Assigns a weight of 200 to any route
g-route-map)# update that meets the condition of
set weight prefix list AS400_ROUTES
200

Houston(confi Creates the second statement for the

g-route-map)# route map named SETWEIGHT.
route-map This route map will permit traffic
SETWEIGHT based on subsequent criteria. A
permit 20 sequence number of 20 is assigned

Houston(confi Assigns a weight of 100 to all other

g-route-map)# route updates/networks learned
set weight
100

Houston(confi Returns to global configuration

g-route-map)# mode
exit

Houston(confi Starts the BGP routing process

g)# router
bgp 300

Houston(confi Uses the route map SETWEIGHT to

g-router)# filter all routes learned from
neighbor neighbor 192.168.7.1
192.168.7.1
route-map
SETWEIGHT in

Local Preference Attribute

Local preference is a BGP attribute that provides
information to routers in the AS about the path that is
preferred for exiting the AS. A path with a higher local
preference is preferred. The local preference is an
attribute that is configured on a router and exchanged
among routers within the same AS only.

R1(config-router)# bgp Changes the default local

default local- preference value from
preference 150 100 to 150

Note
The local preference value can be a number between 0 and 429 496 729. Higher is
preferred. If a local-preference value is not set, the default is 100.
Note
The local preference attribute is local to the AS; it is exchanged between IBGP peers but not
advertised to EBGP peers. Use the local preference attribute to force BGP routers to prefer
one exit point over another.

Using AS Path Access Lists with Route Maps to

Manipulate the Local Preference Attribute
Route maps provide more flexibility than the bgp
default local-preference router configuration
command.

Figure 7-5 shows the network topology for the

configuration that follows, which demonstrates how to
configure the local-preference attribute using AS path
access lists with route maps. The objective here is to
prefer Galveston as the exit point out of AS 256 for all
networks originating in AS 300.
Figure 7-5 Using AS Path Access Lists with Route
Maps to Manipulate the Local Preference Attribute

Galveston(confi Starts the BGP routing process

g)# router bgp
256
Galveston(confi Identifies a peer router at
g-router)# 172.17.1.1
neighbor
172.17.1.1
remote-as 300

Galveston(confi Refers to a route map called

g-router)# SETLOCAL. All network updates
neighbor received from neighbor 172.17.1.1
172.17.1.1 will be processed by the route
route-map map
SETLOCAL in

Galveston(confi Identifies a peer router at 10.1.1.1

g-router)#
neighbor
10.1.1.1
remote-as 256

Galveston(confi Returns to global configuration

g-router)# exit mode

Galveston(confi Permits updates whose AS path

g)# ip as-path attribute starts with 300
access-list 7 (represented by the ^) and ends
permit ^300$ with 300 (represented by the $)
Galveston(confi Creates a route map called
g)# route-map SETLOCAL. This route map will
SETLOCAL permit permit traffic based on
10 subsequent criteria. A sequence
number of 10 is assigned

Galveston(confi Specifies the condition under

g-route-map)# which policy routing is allowed,
match as-path 7 matching the BGP ACL 7

Galveston(confi Assigns a local preference of 200

g-route-map)# to any update originating from AS
set local- 300, as defined by ACL 7
preference 200

Galveston(confi Creates the second statement of

g-route-map)# the route map SETLOCAL. This
route-map instance will accept all other
SETLOCAL permit routes
20

Note

Forgetting a permit statement at the end of

the route map is a common mistake that
prevents the router from learning any other
routes
AS Path Attribute Prepending
AS paths can be manipulated by prepending AS
numbers to the existing AS paths. Assuming that the
values of all other attributes are the same, routers will
pick the shortest AS path attribute; therefore,
prepending numbers to the path will manipulate the
decision as to the best path. Normally, AS path
prepending is performed on outgoing EBGP updates
over the undesired return path.

Refer to Figure 7-6 for the configuration that follows,

which demonstrates the commands necessary to
configure the as-path prepend option. Assume that all
basic configurations are accurate.
Figure 7-6 AS Path Attribute Prepending

In this scenario, you want to use the configuration on

Houston to influence the choice of paths in AS 600.
Currently, the routers in AS 600 have reachability
information to the 192.168.219.0/24 network via two
routes: (1) via AS 100 with an AS path attribute of (100,
300), and (2) via AS 400 with an AS path attribute of
(400, 200, 300). Assuming that the values of all other
attributes are the same, the routers in AS 600 will pick
the shortest AS path attribute: the route through AS
100. You will prepend, or add, extra AS numbers to the
AS path attribute for routes that Houston advertises to
AS 100 to have AS 600 select AS 400 as the preferred
path of reaching the 192.168.219.0/24 network.

Houston(confi Starts the BGP routing process

g)# router
bgp 300

Houston(confi Tells the BGP process what locally

g-router)# learned networks to advertise
network
192.168.219.0

Houston(confi Identifies a peer router at

g-router)# 192.168.220.2
neighbor
192.168.220.2
remote-as 200

Houston(confi Identifies a peer router at

g-router)# 192.168.7.2
neighbor
192.168.7.2
remote-as 100
Houston(confi Read this command to say, “All
g-router)# routes sent to neighbor 192.168.7.2
neighbor will have to follow the conditions laid
192.168.7.2 out by the SETPATH route map”
route-map
SETPATH out

Houston(confi Returns to global configuration

g-router)# mode
exit

Houston(confi Creates a route map named

g)# route-map SETPATH. This route map will
SETPATH permit traffic based on subsequent
permit 10 criteria. A sequence number of 10 is
assigned

Houston(confi Read this command to say, “The

g-route-map)# local router will add (prepend) the
set as-path AS number 300 twice to the AS path
prepend 300 attribute before sending updates out
300 to its neighbor at 192.168.7.2”
The result of this configuration is that the AS path
attribute of updates for network 192.168.219.0 that AS
600 receives via AS 100 will be (100, 300, 300, 300),
which is longer than the value of the AS path attribute of
updates for network 192.168.219.0 that AS 600 receives
via AS 400 (400, 200, 300).

AS 600 will choose AS 400 (400, 200, 300) as the

better path. This is because BGP is a path vector routing
protocol that chooses the path with the least number of
ASs that it must cross.

AS Path: Removing Private Autonomous Systems

Private AS numbers (64,512 to 65,535) cannot be passed
on to the Internet because they are not unique. Cisco
has implemented a feature, remove-private-as, to
strip private AS numbers out of the AS path list before
the routes get propagated to the Internet.

Figure 7-7 shows the network topology for the

configuration that follows, which demonstrates the
remove-private-as option. Assume that all basic
configurations are accurate.
Figure 7-7 AS Path: Removing Private Autonomous
Systems

RTB(config)# router Starts the BGP routing

bgp 1 process

RTB(config-router)# Identifies a peer router at

neighbor 172.16.20.2 172.16.20.2
remote-as 65001

RTB(config-router)# Identifies a peer router at

neighbor 198.133.219.1
198.133.219.1 remote-
as 7

RTB(config-router)# Removes private AS

neighbor numbers from the path in
198.133.219.1 remove- outbound routing updates
private-as
Note

The remove-private-as
command is available for
EBGP neighbors only

Multi-Exit Discriminator (MED) Attribute

The MED attribute, also called the BGP metric, can be
used to indicate to EBGP neighbors what the preferred
path is into an AS. Unlike local preference, the MED is
exchanged between ASs. The MED is sent to EBGP
peers. By default, a router compares the MED attribute
only for paths from neighbors in the same AS. The
metric command is used to configure the MED
attribute.

Figure 7-8 shows the commands necessary to configure

the MED attribute. Assume that all basic configurations
are accurate. The objective here is to influence Mazatlan
to choose Houston as the entry point for AS 300 to
reach network 192.168.100.0.
Figure 7-8 MED Attribute

Mazatlan(config Starts the BGP routing process

)# router bgp
100

Mazatlan(config Identifies a peer router at 10.2.0.1

-router)#
neighbor
10.2.0.1
remote-as 300
Mazatlan(config Identifies a peer router at 10.3.0.1
-router)#
neighbor
10.3.0.1
remote-as 300

Mazatlan(config Identifies a peer router at 10.4.0.1

-router)#
neighbor
10.4.0.1
remote-as 400

Acapulco(config Starts the BGP routing process

)# router bgp
400

Acapulco(config Identifies a peer router at 10.4.0.2

-router)#
neighbor
10.4.0.2
remote-as 100

Acapulco(config Refers to a route map named

-router)# SETMEDOUT
neighbor
10.4.0.2 route-
map SETMEDOUT
out

Acapulco(config Identifies a peer router at 10.5.0.2

-router)#
neighbor
10.5.0.2
remote-as 300

Acapulco(config Returns to global configuration

-router)# exit mode

Acapulco(config Creates a route map named

)# route-map SETMEDOUT. This route map
SETMEDOUT will permit traffic based on
permit 10 subsequent criteria. A sequence
number of 10 is assigned

Acapulco(config Sets the metric value for BGP

-route-map)#
set metric 50

Houston(config) Starts the BGP routing process

# router bgp
300
Houston(config- Identifies a peer router at 10.2.0.1
router)#
neighbor
10.2.0.2
remote-as 100

Houston(config- Refers to a route map named

router)# SETMEDOUT
neighbor
10.2.0.2 route-
map SETMEDOUT
out

Houston(config- Identifies a peer router at 10.1.0.2

router)#
neighbor
10.1.0.2
remote-as 300

Houston(config- Returns to global configuration

router)# exit mode

Houston(config) Creates a route map named

# route-map SETMEDOUT. This route map
will permit traffic based on
SETMEDOUT subsequent criteria. A sequence
permit 10 number of 10 is assigned

Houston(config- Sets the metric value for BGP

route-map)# set
metric 120

Galveston(confi Starts the BGP routing process

g)# router bgp
300

Galveston(confi Identifies a peer router at 10.3.0.2

g-router)#
neighbor
10.3.0.2
remote-as 100

Galveston(confi Refers to a route map named

g-router)# SETMEDOUT
neighbor
10.3.0.2 route-
map SETMEDOUT
out

Galveston(confi Identifies a peer router at 10.1.0.1

g-router)#
neighbor
10.1.0.1
remote-as 300

Galveston(confi Identifies a peer router at 10.5.0.1

g-router)#
neighbor
10.5.0.1
remote-as 400

Galveston(confi Returns to global configuration

g-router)# exit mode

Galveston(confi Creates a route map named

g)# route-map SETMEDOUT. This route map
SETMEDOUT will permit traffic based on
permit 10 subsequent criteria. A sequence
number of 10 is assigned

Galveston(confi Sets the metric value for BGP

g-route-map)#
set metric 200
A lower MED value is preferred over a higher MED
value. The default value of the MED is 0. It is possible
to change the default value of the MED using the
default-metric command under the BGP process.

Unlike local preference, the MED attribute is

exchanged between autonomous systems, but a MED
attribute that comes into an AS does not leave the AS.

Unless otherwise specified, the router compares MED

attributes for paths from external neighbors that are in
the same AS.

If you want MED attributes from neighbors in other

ASs to be compared, you must configure the bgp
always-compare-med command.

Note
By default, BGP compares the MED attributes of routes coming from neighbors in the same
external AS (such as AS 300). Mazatlan can only compare the MED attribute coming from
Houston (120) to the MED attribute coming from Galveston (200) even though the update
coming from Acapulco has the lowest MED value. Mazatlan will choose Houston as the best
path for reaching network 192.168.100.0.

To force Mazatlan to include updates for network

192.168.100.0 from Acapulco in the comparison, use the
bgp always-compare-med router configuration
command on Mazatlan:
Click here to view code image
Mazatlan(config)# router bgp 100
Mazatlan(config-router)# neighbor 10.2.0.1 remote-as
300
Mazatlan(config-router)# neighbor 10.3.0.1 remote-as
300
Mazatlan(config-router)# neighbor 10.4.0.1 remote-as
400
Mazatlan(config-router)# bgp always-compare-med

Assuming that all other attributes are the same,

Mazatlan will choose Acapulco as the best next hop for
reaching network 192.168.100.0.

Note
The most recent IETF decision about BGP MED assigns a value of infinity to the missing
MED, making the route that is lacking the MED variable the least preferred. The default
behavior of BGP routers that are running Cisco IOS Software is to treat routes without the
MED attribute as having a MED of 0, making the route that is lacking the MED variable the
most preferred. To configure the router to conform to the IETF standard, use the bgp
bestpath missing-as-worst command.

VERIFYING BGP

Router# show Displays routes for all address

bgp all families belonging to a particular
community BGP community

Router# show Displays information about BGP

bgp all connections to neighbors of all
neighbors address families
Router# show Displays entries in the IPv6 BGP
bgp ipv6 routing table
unicast

Router# show Displays the IPv6 BGP routes that

bgp ipv6 fail to install in the Routing
unicast rib- Information Base (RIB) table
failure

Router# show ip Displays entries in the BGP table

bgp

Router# show ip Displays information about the

bgp neighbors BGP and TCP connections to
neighbors

Router# show ip Displays networks that are not

bgp rib- installed in the RIB and the reason
failure that they were not installed

Router# show ip Displays the status of all IPv4 BGP

bgp summary connections

Router# show Displays the status of all IPv6 BGP

connections
bgp ipv6
unicast
summary

Router# show ip Displays the IPv4 BGP entries

route bgp from the routing table

Router# show Displays the IPv6 BGP entries

ipv6 route bgp from the routing table

TROUBLESHOOTING BGP
Whenever the routing policy changes due to a
configuration change, BGP peering sessions must be
reset by using the clear ip bgp command. Cisco IOS
Software supports the following three mechanisms to
reset BGP peering sessions:

Hard reset: A hard reset tears down the specified

peering sessions, including the TCP connection, and
deletes routes coming from the specified peer.

Soft reset: A soft reset uses stored prefix information

to reconfigure and activate BGP routing tables without
tearing down existing peering sessions. Soft
reconfiguration can be configured for inbound or
outbound sessions.

Dynamic inbound soft reset: The route refresh

capability, as defined in RFC 2918, allows the local
device to reset inbound routing tables dynamically by
exchanging route refresh requests to supporting peers.
To determine if a BGP device supports this capability,
use the show ip bgp neighbors command. This is
the preferred method of refreshing BGP information.

Router# Forces BGP to clear its table and resets

clear ip all BGP sessions
bgp *

Router# Resets BGP connections for the IPv4

clear ip unicast address family session for the
bgp ipv4 specified autonomous-system-number
unicast
autonomous
-system-
number

Router# Resets BGP connections for the IPv6

clear ip unicast address family session for the
specified autonomous-system-number
bgp ipv6
unicast
autonomous
-system-
number

Router# Resets the specific BGP session with the

clear ip neighbor at 10.1.1.1
bgp
10.1.1.1

Router# Forces the remote router to resend all

clear ip BGP information to the neighbor without
bgp resetting the connection. Routes from
10.1.1.2 this neighbor are not lost
soft out

Tip

The clear ip bgp w.x.y.z soft out command is highly

recommended when you are changing an outbound
policy on the router. The soft out option does not help if
you are changing an inbound policy

Tip

The soft keyword of this command is optional; clear ip

bgp out will do a soft reset for all outbound updates
Router(con Causes the router to store all updates
fig- from this neighbor in case the inbound
router)# policy is changed
neighbor
10.1.1.2
soft- Caution

reconfigur The soft-reconfiguration inbound command is

memory intensive
ation
inbound

Router# Uses the stored information to generate

clear ip new inbound updates
bgp
10.1.1.2
soft in

Router# Creates a dynamic soft reset of inbound

clear ip BGP routing table updates. Routes are
bgp {* | not withdrawn. Updates are not stored
10.1.1.2} locally. The connection remains
[soft in | established. See the notes that follow for
in] more information on when this
command can be used
Router# Displays all information related to BGP
debug ip
bgp

Router# Displays all BGP event information

debug ip
bgp events

Router# Displays information about the

debug ip processing of BGP update
bgp
updates

Router# Displays all IPv4 unicast address family

debug ip information
bgp ipv4
unicast

Router# Displays all IPv6 unicast address family

debug ip information
bgp ipv6
unicast
Note
Beginning with Cisco IOS Releases 12.0(2)S and 12.0(6)T, Cisco introduced a BGP soft
reset enhancement feature known as route refresh. Route refresh is not dependent on
stored routing table update information. This method requires no preconfiguration and
requires less memory than previous soft methods for inbound routing table updates.

Note
To determine whether a BGP router supports route refresh capability, use the show ip bgp
neighbors command. The following message is displayed in the output when route refresh
is supported:

Click here to view code image

Received route refresh capability from peer

Note
When a BGP session is reset and soft reconfiguration is used, several commands enable
you to monitor BGP routes that are received, sent, or filtered:
Click here to view code image

Router# show ip bgp

Router# show ip bgp neighbor address
advertised
Router# show ip bgp neighbor address
received
Router# show ip bgp neighbor address routes

Caution
The clear ip bgp * command is both processor and memory intensive and should be used
only in smaller environments. A more reasonable approach is to clear only a specific
network or a specific session with a neighbor with the clear ip bgp specific-network
command. However, you can use this command whenever the following changes occur:
Additions or changes to the BGP-related access lists

Changes to BGP-related weights

Changes to BGP-related distribution lists

Changes in the BGP timer’s specifications

Changes to the BGP administrative distance

Changes to BGP-related route maps

DEFAULT ROUTES

Router(config)# router Starts the BGP routing

bgp 100 process

Router(config-router)# Identifies a peer router

neighbor 192.168.100.1 at 192.168.100.1
remote-as 200

Router(config-router)# States that the default

neighbor 192.168.100.1 route of 0.0.0.0 will only
default-originate be sent to 192.168.100.1
Note
If you want your BGP router to advertise a default to all peers and the 0.0.0.0 route exists in
the routing table, use the network command with an address of 0.0.0.0:
Click here to view code image

R1(config)# router bgp 100

R1(config-router)# neighbor 172.16.20.1
remote-as 150
R1(config-router)# neighbor 172.17.1.1
remote-as 200
R1(config-router)# network 0.0.0.0

ROUTE AGGREGATION

R1(conf Creates an aggregate entry in the BGP

ig- routing table if any more-specific BGP routes
router) are available that fall within the specified
# range. The aggregate route will be advertised
aggrega as coming from your AS and will have the
te- atomic aggregate attribute set. More specific
routes will also be advertised unless the
address
summary-only keyword is added at the
172.16.
end of the command
0.0
255.255
.0.0

R1(conf Creates the aggregate route but also

ig- suppresses advertisements of more-specific
router) routes to all neighbors. Specific AS path
# information to the individual subnets that
aggrega fall within the summary is lost
te-
address
172.16.
0.0
255.255
.0.0
summary
-only

R1(conf Creates an aggregate entry but the path

ig- advertised for this route will be a list of AS
router) paths from where the individual subnets
# originated
aggrega
te-
address
172.16.
0.0
255.255
.0.0
as-set
ROUTE REFLECTORS
By default, a router that receives an EBGP route
advertises it to its EBGP and IBGP peers. However, if it
receives it through IBGP, it does not advertise it to its
IBGP peers, as a loop-prevention mechanism (split
horizon). Because of this behavior, the only way for all
IBGP routers to receive a route after it is originated into
the AS is to have a full mesh of IBGP peers. This can get
complex with a large number of peers. A route reflector
allows a topology to get around the IBGP limitation of
having to have a full mesh.

Figure 7-9 shows the commands necessary to configure

BGP route reflectors. Assume that basic BGP
configurations are accurate. The objective is to allow R2
to advertise to R1 the 209.165.201.0/27 network learned
from R3. Without these commands, R1 will never learn
the 209.165.201.0/27 network unless a full-mesh IBGP
topology is built.
Figure 7-9 Route Reflectors

R2(config)# router Enters BGP routing

bgp 65010 configuration mode

R2(config-router)# Configures the local router as

neighbor 10.1.1.1 a BGP route reflector and the
route-reflector- specified neighbor as a client
client

R2(config-router)# Configures the local router as

neighbor 10.3.3.3 a BGP route reflector and the
route-reflector- specified neighbor as a client
client

REGULAR EXPRESSIONS
A regular expression is a pattern to match against an
input string, such as those listed in the following table.

Ch Description
ara
cte
r

^ Matches the beginning of the input string

$ Matches the end of the input string

_ Matches a space, comma, left brace, right brace, the

beginning of an input string, or the ending of an
input stream

. Matches any single character

* Matches 0 or more single- or multiple-character

patterns

For example, in the case of the ip as-path access-list

command, the input string is the AS path attribute.

Router(con Matches any AS path that includes the

fig)# ip pattern of 2150
as-path
access-
list 1
permit
2150

Router# Matches any AS path that includes the

show ip pattern of 2150
bgp regexp
2150
Note

In both previous commands, not only will AS 2150 be a

match, but so will AS 12 150 or 21 507

Router(con Denies updates whose AS path attribute

fig)# ip starts with 200 (represented by the ^)
as-path and ends with 200 (represented by the $)
access-
list 6
deny ^200$

Router(con Permits updates whose AS path attribute

fig)# ip starts with any character—represented by
as-path the period (.) symbol—and repeats that
access- character—the asterisk (*) symbol means
list 1 a repetition of that character
permit .*
Note

The argument of .* will match any value of the AS path

attribute

REGULAR EXPRESSIONS: EXAMPLES

Refer to the following show ip bgp output to see how
different examples of regular expressions can help filter
specific patterns:
Click here to view code image

R1# show ip bgp

Network Next Hop Metric LocPrf Weight
Path
* i172.16.0.0 172.20.50.1 100 0
65005 65004 65003 i
*>i 192.168.28.1 100 0
65002 65003 i
*>i172.24.0.0 172.20.50.1 100 0
65005 i
* i 192.168.28.1 100 0
65002 65003 65004

65005 i
*>i172.30.0.0 172.20.50.1 100 0
65005 65004 i
* i 192.168.28.1 100 0
65002 65003 65004 i
*>i192.168.3.3/32 0.0.0.0 0 32768 i

To find all subnets originating from AS 65004 (AS path

ends with 65004):
Click here to view code image

R1# show ip bgp regexp _65004$

Network Next Hop Metric LocPrf Weight
Path
*>i172.30.0.0 172.20.50.1 100 0
65005 65004 i
* i 192.168.28.1 100 0
65002 65003 65004 i

To find all subnets reachable via AS 65002 (AS path

begins with 65002):
Click here to view code image

R1# show ip bgp regexp ^65002_

Network Next Hop Metric LocPrf Weight
Path
*>i172.16.0.0 192.168.28.1 100 0
65002 65003 i
* i172.24.0.0 192.168.28.1 100 0
65002 65003 65004

65005 i
* i172.30.0.0 192.168.28.1 100 0
65002 65003

65004 i

To find all routes transiting through AS 65005:

Click here to view code image

R1# show ip bgp regexp _65005_

Network Next Hop Metric LocPrf Weight
Path
* i172.16.0.0 172.20.50.1 100 0
65005 65004

65003 i
*>i172.24.0.0 172.20.50.1 100 0
65005 i
* i 192.168.28.1 100 0
65002 65003 65004

65005 i
*>i172.30.0.0 172.20.50.1 100 0
65005 65004

To find subnets that originate from R1’s AS (AS path is

blank):
Click here to view code image

R1# show ip bgp regexp ^$

Network Next Hop Metric LocPrf Weight
Path
*>i192.168.3.3/32 0.0.0.0 0 32768 i

BGP ROUTE FILTERING USING

ACCESS LISTS AND DISTRIBUTE
LISTS
Figure 7-10 shows the commands necessary to configure
route filters using access lists and distribute lists.
Figure 7-10 BGP Route Filtering Using Access Lists
and Distribute Lists

In this scenario, we want to have Houston filter updates

to Austin so that it does not include the 192.168.10.0/24
network.

Houston(config)# Starts the BGP routing

router bgp 3 process

Houston(config- Identifies a peer router at

router)# neighbor 172.16.1.2
172.16.1.2 remote-
as 3

Houston(config- Identifies a peer router at

router)# neighbor 172.16.20.1
172.16.20.1 remote-
as 1

Houston(config- Applies a filter of ACL 1 to

router)# neighbor updates sent to neighbor
172.16.20.1 172.16.20.1
distribute-list 1
out

Houston(config- Returns to global

router)# exit configuration mode

Houston(config)# Creates the filter to prevent

access-list 1 deny the 192.168.10.0/24
192.168.10.0 network from being part of
0.0.0.255 the routing update

Houston(config)# Creates the filter that allows

access-list 1 all other networks to be part
permit any of the routing update
Tip
A standard ACL offers limited functionality. If you want to advertise the aggregate address of
172.16.0.0/16 but not the individual subnet, a standard ACL will not work. You need to use
an extended ACL.
When you are using extended ACLs with BGP route filters, the extended ACL will first match
the network address and then match the subnet mask of the prefix. To do this, both the
network and the netmask are paired with their own wildcard bitmask:
Click here to view code image

Router(config)# access-list 101 permit ip

172.16.0.0 0.0.255.255
255.255.0.0 0.0.0.0

To help overcome the confusing nature of this syntax, Cisco IOS Software introduced the ip
prefix-list command in Cisco IOS Release 12.0.

CONFIGURATION EXAMPLE: USING

PREFIX LISTS AND AS PATH ACCESS
LISTS
Figure 7-11 shows the network topology for the
configuration that follows, which demonstrates how to
configure prefix lists and AS path access lists. Assume
that all BGP and basic configurations are accurate.
There are two objectives here. The first is to allow CE1
and CE2 to only learn ISP routes with a mask greater
than /15 (ge 16) and less than /25 (le 24). The second is
to ensure that AS 65 000 does not become a transit AS
for ISP1 to reach ISP2 (and vice versa).
Figure 7-11 Configuration Example: Using Prefix
Lists and AS Path Access Lists

CE1(config)# ip Creates a prefix list that only

prefix-list ISP1 permits routes with a mask
permit 0.0.0.0 ge between 16 and 24
16 le 24

CE1(config)# ip Creates an AS path access list

as-path access- matching routes that originate
list 1 permit ^$ only from within AS 65 500

CE1(config)# Starts the BGP routing

router bgp 65000 process

CE1(config- Assigns the ISP1 prefix list to

router)# neighbor neighbor 209.165.202.129
209.165.202.129 (ISP1) for all routes learned
prefix-list ISP1 from that neighbor
in

CE1(config- Assigns the AS path access list

router)# neighbor to neighbor 209.165.202.129
209.165.202.129 (ISP1) for all routes sent to
filter-list 1 out that neighbor

CE2(config)# ip Creates a prefix list that only

prefix-list ISP2 permits routes with a mask
permit 0.0.0.0 ge between 16 and 24
16 le 24

CE2(config)# ip Creates an AS path access list

as-path access- matching routes that originate
list 1 permit ^$ only from within AS 65 500

CE2(config)# Starts the BGP routing

router bgp 65000 process

CE2(config- Assigns the ISP2 prefix list to

router)# neighbor neighbor 209.165.200.225
209.165.200.225 (ISP2) for all routes learned
from that neighbor
prefix-list ISP2
in

CE2(config- Assigns the AS path access list

router)# neighbor to neighbor 209.165.200.225
209.165.200.225 (ISP2) for all routes sent to
filter-list 1 out that neighbor

BGP PEER GROUPS

To ease the burden of configuring a large number of
neighbors with identical or similar parameters (for
example, route maps, filter lists, or prefix lists), the
concept of peer groups was introduced. The
administrator configures the peer group with all the
BGP parameters that are to be applied to multiple BGP
peers. Actual BGP neighbors are bound to the peer
group, and the network administrator applies the peer
group configuration on each of the BGP sessions.

Figure 7-12 shows the network topology for the

configuration that follows, which demonstrates how to
configure peer groups. Assume that all BGP, OSPF, and
basic configurations are accurate.
Figure 7-12 BGP Peer Groups

R1(config)# router bgp Starts the BGP

65500 routing process

R1(config-router)# Creates a BGP peer

neighbor INTERNAL peer- group called
group INTERNAL

R1(config-router)# Assigns a first

neighbor INTERNAL remote- parameter to the
as 65500 peer group
R1(config-router)# Assigns a second
neighbor INTERNAL next- parameter to the
hop-self peer group

R1(config-router)# Assigns a third

neighbor INTERNAL update- parameter to the
source loopback 0 peer group

R1(config-router)# Assigns a fourth

neighbor INTERNAL route- parameter to the
reflector-client peer group

R1(config-router)# Assigns the peer

neighbor 192.168.1.2 peer- group to neighbor
group INTERNAL R2

R1(config-router)# Assigns the peer

neighbor 192.168.1.3 peer- group to neighbor
group INTERNAL R3

R1(config-router)# Assigns the peer

neighbor 192.168.1.4 peer- group to neighbor
group INTERNAL R4

R1(config-router)# Assigns the peer

neighbor 192.168.1.5 peer- group to neighbor
group INTERNAL R5

The result here is that all four IBGP neighbors have the
same basic BGP configuration assigned to them.

Tip
A peer group can be, among others, configured to do the following:

Use the IP address of a specific interface as the source

address when opening the TCP session or use the next-
hop-self feature

Use, or not use, the EBGP multihop function

Use, or not use, MD5 authentication on the BGP

sessions

Filter out any incoming or outgoing routes using a

prefix list, a filter list, and a route map

Assign a specific weight value to the routes that are

received

AUTHENTICATION FOR BGP

Authentication for routers using BGP relies on the use
of predefined passwords and uses MD5.

Configuring Authentication Between BGP Peers

Router(config)# Enters routing protocol

router bgp 65100 configuration mode

Router(config- Defines a BGP peer at IP

router) neighbor address 209.165.202.130
209.165.202.130
remote-as 65000

Router(config- Enables MD5 authentication on

router)# a TCP connection with peer at
neighbor IP address 209.165.202.130.
209.165.202.130 The password is P@55word
password
P@55word

Router(config- Enables MD5 authentication on

router)# a TCP connection with peer at
neighbor IPv6 address 2001:db8:0:10::1.
2001:db8:0:10::1 The password is P@55word
password
P@55word Note

To avoid losing your peer relationship, the

same password must be configured on
your remote peer before the hold-down
timer expires, which has a default setting
of 180 seconds

Verifying BGP Authentication

Router# show ip Displays summary of BGP

bgp summary neighbor status

Router# show ip Displays detailed information

bgp neighbors on TCP and BGP neighbor
connections

Router# show bgp Displays the status of all IPv6

ipv6 unicast BGP connections
summary

Router# show bgp Displays information about

ipv6 unicast IPv6 BGP connections to
neighbors neighbors
Part III: Infrastructure Services
Chapter 8
IP Services

This chapter provides information and commands

concerning the following topics:

Network Address Translation (NAT)

Private IP addresses: RFC 1918

Configuring static NAT

Configuring dynamic NAT

Configuring Port Address Translation (PAT)

Configuring a NAT virtual interface

Verifying NAT and PAT configurations

Troubleshooting NAT and PAT configurations

Configuration example: PAT

Configuration example: NAT virtual interfaces

and static NAT

First-hop redundancy protocols

Hot Standby Router Protocol (HSRP)

Default HSRP configuration settings

Configuring HSRP

Verifying HSRP

HSRP optimization options

Preempt

HSRP message timers

Authentication

Interface tracking

Multiple HSRP groups

HSRP IP SLA tracking

HSRPv2 for IPv6

Debugging HSRP

Virtual Router Redundancy Protocol (VRRP)

Configuring VRRP

VRRP optimization options

Interface tracking
Verifying VRRP

Debugging VRRP

IPv4 configuration example: HSRP on L3 switch

IP SLA tracking: switch DLS1 VLAN 10

IPv4 configuration example: VRRP on router

and L3 switch with IP SLA tracking

IPv6 configuration example: HSRPv2 on router

and L3 switch

Dynamic Host Control Protocol (DHCP)

Implementing DHCP for IPv4

Configuring a DHCP server on a Cisco

IOS router

Configuring DHCP manual assignment

Configuring DHCP replay

Configuring a DHCP client on a Cisco

IOS Software Ethernet interface

Verifying and troubleshooting DHCP

configuration
Implementing DHCP for IPv6

Using SLAAC and configuring a router

as a stateless DHCPv6 server

Configuring a router as a stateful

DHCPv6 server

Configuring a DHCPv6 client

Configuring a DHCPv6 relay agent

Verifying and troubleshooting DHCPv6

Configuration example: DHCP for IPv4

Configuration example: DHCP for IPv6

NETWORK ADDRESS TRANSLATION

(NAT)

Private IP Addresses: RFC 1918

Table 8-1 lists the RFC 1918 private address ranges
available to use within a private network. These will be
your “inside-the-LAN” addresses that will have to be
translated into public addresses that can be routed
across the Internet. Any network can use these
addresses; however, these addresses are not allowed to
be routed onto the public Internet.
TABLE 8-1 RFC 1918 Private Address Ranges

Internal Address CIDR Traditional

Range Prefix Class

10.0.0.0– 10.0.0.0/8 A
10.255.255.255

172.16.0.0– 172.16.0.0/ B
172.31.255.255 12

192.168.0.0– 192.168.0.0 C
192.168.255.255 /16

Configuring Static NAT

Figure 8-1 shows the network topology for the
configuration that follows, which demonstrates how to
configure static Network Address Translation (NAT).
The objective here is to statically translate the address of
the server to a public IP address.
Figure 8-1 Configuring Static NAT

R1(config)# Enters GigabitEthernet 0/0/0

interface interface configuration mode
gigabitgethernet
0/0/0

R1(config-if)# ip Assigns a public IP address to

address the outside interface
209.165.201.2
255.255.255.248

R1(config-if)# ip Defines which interface is the

nat outside outside interface for NAT

R1(config-if)# Enters GigabitEthernet 0/0/1

interface interface configuration mode
gigabitethernet
0/0/1
R1(config-if)# ip Assigns a private IP address to
address the inside interface
192.168.1.1
255.255.255.0

R1(config-if)# ip Defines which interface is the

nat inside inside interface for NAT. You
can have multiple NAT inside
interfaces on a router

R1(config-if)# Returns to global

exit configuration mode

R1(config)# ip nat Permanently translates the

inside source inside address of 192.168.1.10
static to a public address of
192.168.1.10 209.165.201.5
209.165.201.5
Use the command for each of
the private IP addresses you
want to statically map to a
public address

Configuring Dynamic NAT

Figure 8-2 shows the network topology for the
configuration that follows, which demonstrates how to
configure dynamic NAT. The objective here is to
dynamically translate the addresses of the PCs to a
range of public IP addresses.

Figure 8-2 Configuring Dynamic NAT

R1(config)# Defines an access list that identifies

access-list 1 the private network that will be
permit translated
192.168.1.0
0.0.0.255

R1(config)# ip Creates a pool of eight public

nat pool addresses named R1_POOL that
R1_POOL will be used for translation
209.165.201.8
209.165.201.15 On certain IOS devices, you can
include the add-route keyword at
netmask
the end of the command to
255.255.255.24
automatically add a static route in
8
the routing table that points to the
NAT virtual interface (NVI)

R1(config)# Enters GigabitEthernet 0/0/0

interface interface configuration mode
gigabitetherne
t 0/0/0

R1(config-if)# Assigns a public IP address to the

ip address outside interface
209.165.201.2
255.255.255.24
8

R1(config-if)# Defines which interface is the

ip nat outside outside interface for NAT

R1(config-if)# Enters GigabitEthernet 0/0/1

interface interface configuration mode
gigabitetherne
t 0/0/1
R1(config-if)# Assigns a private IP address to the
ip address inside interface
192.168.1.1
255.255.255.0

R1(config-if)# Defines which interface is the

ip nat inside inside interface for NAT. There can
be multiple inside interfaces

R1(config-if)# Returns to global configuration

exit mode

R1(config)# ip Enables translation of addresses

nat inside permitted by ACL number 1 to the
source list 1 addresses in pool R1_POOL
pool R1_POOL

Configuring Port Address Translation (PAT)

Figure 8-3 shows the network topology for the
configuration that follows, which demonstrates how to
configure NAT overload or Port Address Translation
(PAT). The objective here is to translate the PC’s
addresses to the address of the router’s public interface.
Figure 8-3 Configuring Port Address Translation
(PAT)

R1(config) Defines an access list that identifies the

# access- private network that will be translated
list 1
permit
192.168.1.
0
0.0.0.255

R1(config) Enters GigabitEthernet 0/0/0 interface

# configuration mode
interface
gigabiteth
ernet
0/0/0
R1(config- Assigns a public IP address to the outside
if)# ip interface
address
209.165.20
1.2
255.255.25
5.248

R1(config- Defines which interface is the outside

if)# ip interface for NAT
nat
outside

R1(config- Enters GigabitEthernet 0/0/1 interface

if)# configuration mode
interface
gigabiteth
ernet
0/0/1

R1(config- Assigns a private IP address to the inside

if)# ip interface
address
192.168.1.
1
255.255.25
5.0

R1(config- Defines which interface is the inside

if)# ip interface for NAT. There can be multiple
nat inside inside interfaces

R1(config- Returns to global configuration mode

if)# exit

R1(config) Enables translation of addresses

# ip nat permitted by ACL number 1 and uses the
inside interface GigabitEthernet 0/0/0 IP
source address for the NAT process. The
list 1 keyword overload allows multiple inside
devices to share a single public IP address
interface
while keeping track of port numbers to
gigabiteth
ensure sessions remain unique
ernet
0/0/0
overload

Note
It is possible to overload a dynamic pool instead of an interface. This allows the inside private
devices to share multiple public IP address instead of only one. Use the command ip nat
inside source list acl pool pool overload to achieve this. Also, instead of a pool of multiple
addresses, the pool used for overloading could be a pool of only one public address. For
example, the command ip nat pool MyPool 203.0.113.1 203.0.113.1 netmask 255.255.255.0
creates a pool of one public address that can be overloaded.

Configuring a NAT Virtual Interface

A NAT virtual interface, or NVI, removes the
requirements to configure an interface as either inside
or outside. Also, because NVI performs routing,
translation, and routing again, it is possible to route
packets from inside to inside interfaces successfully.

R1(config- Allows the interface to participate in NVI

if)# ip translation processing
nat enable

R1# show Displays the list of active NVI

ip nat nvi translations
translatio
ns
Note

Legacy NAT terminology does not apply because there

are no “inside” or “outside” interfaces. Instead, NVI uses
the source global, source local, destination global, and
destination local terminology

R1# show Displays the interfaces participating in

ip nat nvi NVI translation processing, as well as Hit
statistics and Miss counters

Note
NAT virtual interfaces are not supported in the Cisco IOS XE software.

Verifying NAT and PAT Configurations

Router# show access-list Displays access lists

Router# show ip nat Displays the

translations translation table

Router# show ip nat Displays NAT

statistics statistics

Router# clear ip nat Clears a specific

translation inside 1.1.1.1 translation from
2.2.2.2 outside 3.3.3.3 the table before it
4.4.4.4 times out:

1.1.1.1 = Global IP
address
2.2.2.2 = Local IP
address

3.3.3.3 = Local IP
address

4.4.4.4 = Global IP
address

Router# clear ip nat Clears the entire

translation * translation table
before entries time
out

Note
The default timeout for a translation entry in a NAT table is 24 hours.

Troubleshooting NAT and PAT Configurations

Router# Displays information about every packet

debug ip that is translated
nat
CAUTION: Using this command can
potentially generate a tremendous
amount of output and overwhelm the
router

Router# Displays greater detail about packets

debug ip being translated
nat
detailed

Configuration Example: PAT

Figure 8-4 shows the network topology for the PAT
configuration that follows using the commands covered
in this chapter.
Figure 8-4 Port Address Translation Configuration

ISP Router

Router> enable Moves to privileged EXEC mode

Router# Moves to global configuration

configure mode
terminal

Router(config)# Sets the host name

hostname ISP

ISP(config)# no Turns off Domain Name System

ip domain-lookup (DNS) resolution to avoid wait
time due to DNS lookup of
spelling errors

ISP(config)# Sets the encrypted password to

enable secret cisco
cisco

ISP(config)# Moves to line console mode

line console 0
ISP(config- Sets the console line password
line)# password to class
cisco

ISP(config- Requires user to log in to be able

line)# login to access the console port

ISP(config- Displays unsolicited messages

line)# logging and debug output on a separate
synchronous line than user input.

ISP(config- Returns to global configuration

line)# exit mode

ISP(config)# Moves to interface configuration

interface serial mode
0/0/1

ISP(config-if)# Assigns an IP address and

ip address netmask
198.133.219.2
255.255.255.252

ISP(config-if)# Assigns the clock rate to the

clock rate DCE cable on this side of the
4000000 link

ISP(config-if)# Enables the interface

no shutdown

ISP(config-if)# Creates loopback interface 0

interface and moves to interface
loopback 0 configuration mode

ISP(config-if)# Assigns an IP address and

ip address netmask
192.31.7.1
255.255.255.255

ISP(config-if)# Returns to global configuration

exit mode

ISP(config)# Returns to privileged EXEC

exit mode

ISP# copy Saves the configuration to

running-config NVRAM
startup-config
Company Router

Router> enable Moves to privileged EXEC

mode

Router# configure Moves to global configuration

terminal mode

Router(config)# Sets the host name

hostname Company

Company(config)# Turns off DNS resolution to

no ip domain- avoid wait time due to DNS
lookup lookup of spelling errors

Company(config)# Sets the secret password to

enable secret cisco
cisco

Company(config)# Moves to line console mode

line console 0

Company(config- Sets the console line

line)# password password to class
class

Company(config- Requires user to log in to be

line)# login able to access the console port

Company(config- Causes commands to be

line)# logging appended to a new line
synchronous

Company(config- Returns to global

line)# exit configuration mode

Company(config)# Moves to interface

interface configuration mode
gigabitethernet
0/0

Company(config- Assigns an IP address and

if)# ip address netmask
172.16.10.1
255.255.255.0

Company(config- Enables the interface

if)# no shutdown
Company(config- Moves to interface
if)# interface configuration mode
serial 0/0/0

Company(config- Assigns an IP address and

if)# ip address netmask
198.133.219.1
255.255.255.252

Company(config- Enables the interface

if)# no shutdown

Company(config- Returns to global

if)# exit configuration mode

Company(config)# Sends all packets not defined

ip route 0.0.0.0 in the routing table to the ISP
0.0.0.0 router
198.133.219.2

Company(config)# Defines which addresses are

access-list 1 permitted through; these
permit 172.16.10.0 addresses are those that will
0.0.0.255 be allowed to be translated
with NAT
Company(config)# Creates NAT by combining
ip nat inside list 1 with the interface Serial
source list 1 0/0/0. Overloading will take
interface serial place
0/0/0 overload

Company(config)# Moves to interface

interface configuration mode
gigabitethernet
0/0

Company(config- Specifies location of private

if)# ip nat inside inside addresses

Company(config- Moves to interface

if)# interface configuration mode
serial 0/0/0

Company(config- Specifies location of public

if)# ip nat outside addresses
outside

Company(config- Returns to privileged EXEC

if)# end mode
Company# copy Saves the configuration to
running-config NVRAM
startup-config

Configuration Example: NAT Virtual Interfaces and

Static NAT
Figure 8-5 shows the network topology for the
configuration that follows, which demonstrates how to
configure NAT virtual interfaces with dynamic NAT and
static NAT, using the commands covered in this chapter.
Assume that all basic configurations are accurate. Recall
that this configuration example will not work on a Cisco
IOS XE router.
Figure 8-5 Configuration Example: NAT Virtual
Interfaces and Static NAT

R1(config)# access- Defines an access list

list 1 permit that identifies the private
192.168.1.0 0.0.0.255 network that will be
translated

R1(config)# ip nat Creates a pool of eight

pool R1_POOL public addresses named
209.165.201.8 R1_POOL that will be
209.165.201.15 netmask used for translation
255.255.255.248

R1(config)# ip nat Enables translation of

source list 1 pool addresses permitted by
R1_POOL ACL number 1 to the
addresses in pool
R1_POOL

R1(config)# ip nat Permanently translates

source static the inside address of
172.16.1.100 172.16.1.100 to a public
209.165.201.5 address of 209.165.201.5
R1(config)# interface Enters FastEthernet 0/0
fastethernet 0/0 interface configuration
mode

R1(config-if)# ip nat Enables NVI processing

enable on the interface

R1(config-if)# Enters FastEthernet 0/1

interface fastethernet interface configuration
0/1 mode

R1(config-if)# ip nat Enables NVI processing

enable on the interface

R1(config-if)# Enters FastEthernet 1/0

interface fastethernet interface configuration
1/0 mode

R1(config-if)# ip nat Enables NVI processing

enable on the interface

FIRST-HOP REDUNDANCY
PROTOCOLS
A first-hop redundancy protocol (FHRP) is a networking
protocol that is designed to protect the default gateway
by allowing two or more routers or Layer 3 switches to
provide backup for that address. If one first-hop device
fails, the backup router will take over the address, by
default, within a few seconds. FHRPs are equally at
home on routers as Layer 3 (L3) switches. Hot Standby
Router Protocol (HSRP) and Virtual Router
Redundancy Protocol (VRRP) are implemented for both
IPv4 and IPv6 environments. Platform IOS matrices
should be consulted for next-hop redundancy protocol
support.

Hot Standby Router Protocol

HSRP provides network redundancy for IP networks,
ensuring that user traffic immediately and transparently
recovers from first-hop failures in network-edge devices
or access circuits.

When configuring HSRP on a switch platform, the

specified interface must be a Layer 3 interface and Layer
3 functions must be enabled:

Routed port: A physical port configured as a Layer 3

port by entering the no switchport interface
configuration command
SVI: A VLAN interface created by using the interface
vlan vlan_id global configuration command and by
default a Layer 3 interface

EtherChannel port channel in Layer 3 mode: A

port-channel logical interface created by using the
interface port-channel port-channel-number global
configuration command and binding the Ethernet
interface into the channel group

Default HSRP Configuration Settings

Feature Default Setting

HSRP Version 1
version

Note

HSRPv1 and HSRPv2 have different packet structures. The

same HSRP version must be configured on all devices of an
HSRP group

HSRP None configured

groups
Standby 0
group
number

Standby System assigned as 0000.0c07.acXX, where

MAC XX is the HSRP group number. For HSRPv2,
address the MAC address will be 0000.0c9f.fXXX

Standby 100
priority

Standby 0 (no delay)

delay

Standby 10
track
interface
priority

Standby 3 seconds
hello
time

Standby 10 seconds
holdtime
Configuring Basic HSRP

Switch(confi Moves to interface configuration

g)# mode on the switch virtual interface
interface (SVI)
vlan10

Switch(confi Assigns IP address and netmask

g-if)# ip
address
172.16.0.10
255.255.255.
0

Switch(confi Activates HSRP group 1 on the

g-if)# interface and creates a virtual IP
standby 1 ip address of 172.16.0.1 for use in HSRP
172.16.0.1

Note

The group number can be from 0 to 255. The

default is 0
Switch(confi Assigns a priority value of 120 to
g-if)# standby group 1
standby 1
priority 120
Note

The priority value can be from 1 to 255. The

default is 100. A higher priority will result in that
switch being elected the active switch. If the
priorities of all switches in the group are equal, the
switch with the highest IP address becomes the
active switch

Note
HSRP configuration commands for a router are the same as HSRP configuration commands
on a Layer 3 switch platform.

Verifying HSRP

Switch# show Displays HSRP information

standby

Switch# show Displays a single-line output

standby brief summary of each standby group
Switch# show Displays HSRP information on the
standby vlan 1 VLAN 1 group

HSRP Optimization Options

Options are available that make it possible to optimize
HSRP operation in the campus network. The next
sections explain four of these options: standby preempt,
message timers, authentication, and interface tracking.

Preempt

Switch(confi Moves to interface configuration mode

g)#
interface
vlan10

Switch(confi Configures this switch to preempt, or

g-if)# take control of, the active switch if the
standby 1 local priority is higher than the
preempt priority of the active switch

Switch(confi Causes the local switch to postpone

g-if)# taking over as the active switch for 180
standby 1 seconds since the HSRP process on
preempt that switch was last restarted or 140
delay seconds since the switch was last
minimum 180 reloaded
reload 140

Switch(confi Disables the preemption delay, but

g-if)# no preemption itself is still enabled. Use
standby 1 the no standby x preempt
preempt command to eliminate preemption
delay

Note

If the preempt argument is not configured, the local

switch assumes control as the active switch only if
the local switch receives information indicating that
there is no switch currently in the active state

HSRP Message Timers

Switch(config)# Moves to interface

interface vlan10 configuration mode

Switch(config- Sets the hello timer to 5

if)# standby 1 seconds and sets the hold
timers 5 15 timer to 15 seconds

Note

The hold timer is normally set to be

greater than or equal to three times the
hello timer

Note

The hello timer can be from 1 to 254;

the default is 3. The hold timer can be
from 1 to 255; the default is 10. The
default unit of time is seconds

Switch(config- Sets the hello timer to 200

if)# standby 1 milliseconds and sets the hold
timers msec 200 timer to 600 milliseconds
msec 600

Note

If the msec argument is used, the

timers can be an integer from 15 to
999
Authentication

Switch(config)# Creates an authentication key

key chain chain called MyHSRPChain
MyHSRPChain

Switch(config- Adds a first key to the key chain

keychain)# key 1

Switch(config- Configures a key string of

keychain-key)# australia
key-string
australia

Switch(config- Moves to interface configuration

keychain-key)# mode
interface vlan10

Switch(config- Configures canada as the plain-

if)# standby 1 text authentication string used
authentication by group 1
text canada
Switch(config- Configures england as the MD5
if)# standby 2 authentication key string used
authentication by group 2
md5 key-string
england

Switch(config- Configures MD5 authentication

if)# standby 3 using key chain MyHSRPChain.
authentication HSRP queries the key chain to
md5 key-chain obtain the current live key and
MyHSRPChain key ID

Interface Tracking

Switch(c Moves to interface configuration mode

onfig)#
interfac
e vlan10

Switch(c Causes HSRP to track the availability of

onfig- interface GigabitEthernet 1/0/1. If
if)# GigabitEthernet 1/0/1 goes down, the
standby priority of the switch in group 1 will be
1 track decremented by 25
gigabite
thernet
Note
1/0/1 25
The default value of the track argument is 10

Tip

The track argument does not assign a new priority if the

tracked interface goes down. The track argument assigns a
value that the priority will be decreased if the tracked
interface goes down. Therefore, if you are tracking
GigabitEthernet 1/0/1 with a track value of 25 (standby 1
track gigabitethernet 1/0/1 25) and GigabitEthernet 1/0/1
goes down, the priority will be decreased by 25; assuming a
default priority of 100, the new priority will now be 75

Multiple HSRP Groups

Figure 8-6 shows the network topology for the
configuration that follows, which demonstrates how to
configure multiple HSRP groups using the commands
covered in this chapter. Note that only the commands
specific to HSRP and STP are shown in this example.
Figure 8-6 Network Topology for Multigroup HSRP
Configuration Example

Multigroup HSRP enables switches to simultaneously

provide redundant backup and perform load sharing
across different IP subnets. The objective here is to
configure DLS1 as STP root and HSRP active for VLAN
10, while DLS2 is configured as STP root and HSRP
active for VLAN 20. DLS1 is also configured as backup
root and HSRP standby for VLAN 20, while DLS2 is
configured as backup root and HSRP standby for VLAN
10. Only the configuration for DLS1 is shown here. DLS2
would be configured in the opposite way. Host H1 is in
VLAN 10 and host H2 is in VLAN 20.

DLS1(co Configures spanning-tree root primary for

nfig)# VLAN 10
spannin
g-tree
vlan 10
root
primary

DLS1(co Configures spanning-tree root secondary for

nfig)# VLAN 20
spannin
g-tree
vlan 20 Note

root Load balancing can be accomplished by having one switch be

seconda the active HSRP L3 switch forwarding for half of the VLANs
and the standby L3 switch for the remaining VLANs. The
ry second HSRP L3 switch would be reversed in its active and
standby VLANs. Care must be taken to ensure that spanning
tree is forwarding to the active L3 switch for the correct VLANs
by making that L3 switch the spanning-tree primary root for
those VLANs

DLS1(co Moves to interface configuration mode

nfig)#
interfa
ce vlan
10

DLS1(co Assigns IP address and netmask

nfig-
if)# ip
address
10.1.10
.2
255.255
.255.0

DLS1(co Activates HSRP group 10 on the interface

nfig- and creates a virtual IP address of 10.1.10.1
if)# for use in HSRP
standby
10 ip
10.1.10
.1

DLS1(co Assigns a priority value of 110 to standby

nfig- group 10. This will be the active forwarded
if)# for VLAN 10
standby
10
priorit
y 110

DLS1(co Configures this switch to preempt, or take

nfig- control of, VLAN 10 forwarding if the local
if)# priority is higher than the active switch
standby VLAN 10 priority
10
preempt

DLS1(co Moves to interface configuration mode

nfig-
if)#
interfa
ce
vlan20

DLS1(co Assigns IP address and netmask

nfig-
if)# ip
address
10.1.20
.2
255.255
.255.0
DLS1(co Activates HSRP group 20 on the interface
nfig- and creates a virtual IP address of 10.1.20.1
if)# for use in HSRP
standby
20 ip
10.1.20
.1

DLS1(co Assigns a priority value of 90 to standby

nfig- group 20. This switch will be the standby
if)# device for VLAN 20
standby
20
priorit
y 90

DLS1(co Configures this switch to preempt, or take

nfig- control of, VLAN 20 forwarding if the local
if)# priority is higher than the active switch
standby VLAN 20 priority
20
preempt

HSRP IP SLA Tracking

See Chapter 6, “Redistribution and Path Control,” for a
more detailed explanation of IP service level agreement
(SLA) objects. The objective here is to associate an IP
SLA to the HSRP process, allowing failover to occur by
decrementing the HSRP priority if the object fails.

Switch(config)# Creates SLA process 10

ip sla 10

Switch(config- Configures the SLA as an ICMP

ip-sla)# icmp- echo operation to destination
echo 172.19.10.1

172.19.10.1

Switch(config- Exits SLA configuration mode

ip-sla)# exit

Switch(config)# Configures the scheduling for

ip sla schedule SLA 10 to start now and
10 start-time continue forever
now life forever

Switch(config)# Creates an object, 90, to track

track 90 ip sla the state of SLA process 10
10 state

Switch(config- Moves to interface configuration

track)# mode
interface vlan
10

Switch(config- Assigns IP address and netmask

if)# ip address
192.168.10.1
255.255.255.0

Switch(config- Activates HSRP group 10 on the

if)# standby 10 interface and creates a virtual IP
ip address of 192.168.10.254 for
192.168.10.254 use in HSRP

Switch(config- Assigns a priority value of 110 to

if)# standby 10 standby group 10
priority 110

Switch(config- Configures this switch to

if)# standby 10 preempt, or take control of, the
preempt active switch if the local priority
is higher than the active switch
Switch(config- Tracks the state of object 90 and
if)# standby 10 decrements the device priority if
track 90 the object fails
decrement 20

HSRPv2 for IPv6

HSRP Version 2 must be enabled on an interface before
HSRP for IPv6 can be configured.

Switch( Enables HSRPv2 on an interface

config-
if)#
standby
version
2

Switch( Enables HSRP for IPv6 using a virtual link-

config- local address that will be generated
if)# automatically from the link-local prefix and a
standby modified EUI-64 format interface identifier,
1 ipv6 where the EUI-64 interface identifier is
created from the relevant HSRP virtual MAC
address
autocon
fig

Switch( Enables HSRP for IPv6 using an explicitly

config- configured link-local address to be used as
if)# the virtual IPv6 address for group 1
standby
1 ipv6
fe80::1
:1

Switch( Enables HSRP for IPv6 using a global IPv6

config- address as the virtual address for group 1
if)#
standby
1 ipv6
2001::d
b8:2/64

Note
All other relevant HSRP commands (preempt, priority, authentication, tracking, and so on)
are identical in HSRPv1 and HSRPv2.

Note
When configuring the IPv6 virtual address, if an IPv6 global address is used, it must include
an IPv6 prefix length. If a link-local address is used, it does not have a prefix.

Debugging HSRP

Switch# Displays all HSRP debugging

debug information, including state changes
standby and transmission/reception of HSRP
packets

Switch# Displays HSRP error messages

debug
standby
errors

Switch# Displays HSRP event messages

debug
standby
events

Switch# Displays all HSRP events except for

debug hellos and advertisements
standby
events
terse
Switch# Displays all HSRP tracking events
debug
standby
events
track

Switch# Displays HSRP packet messages

debug
standby
packets

Switch# Displays all HSRP errors, events, and

debug packets, except for hellos and
standby advertisements
terse

Virtual Router Redundancy Protocol

Note
HSRP is Cisco proprietary. Virtual Router Redundancy Protocol (VRRP) is an IEEE
standard.

Note
VRRP might not be completely supported on platforms such as the Catalyst 3750-E, 3750,
3560, or 3550. For example, the Catalyst 3560 supports VRRP for IPv4, but not for IPv6.
The IPv4 implementation supports text authentication, but not message digest 5 (MD5)
authentication key-chain implementation. Also, the Switch Database Management (SDM)
should prefer the routing option for IPv4 or the dual-ipv4-and-ipv6 option for dual-stack or
IPv6 implementations. Only VRRP Version 3 (VRRPv3) is supported on the Catalyst 3650
and Catalyst 9200/9300 platforms. Verify VRRP capabilities by platform datasheets and
appropriate Cisco IOS command and configuration guides.

Note
The VRRPv3 Protocol Support feature provides the capability to support IPv4 and IPv6
address families, while VRRPv2 only supports IPv4 addresses. To enable VRRPv3, use the
fhrp version vrrp v3 command in global configuration mode. When VRRPv3 is in use,
VRRPv2 is disabled by default.

VRRP is an election protocol that dynamically assigns

responsibility for one or more virtual switches to the
VRRP switches on a LAN, allowing several switches on a
multiaccess link to use the same virtual IP address. A
VRRP switch is configured to run VRRP in conjunction
with one or more other switches attached.

Configuring VRRPv2

Switch(config) Moves to interface configuration

# interface mode
vlan10

Switch(config- Assigns IP address and netmask

if)# ip
address
172.16.100.5
255.255.255.0

Switch(config- Enables VRRP for group 10 on this

if)# vrrp 10 interface with a virtual IP address
ip of 172.16.100.1. The group number
172.16.100.1 can be from 1 to 255

Note

VRRP supports using the real interface IP

address as the virtual IP address for the
group. If this is done, the router with that
address becomes the master

Switch(config- Assigns a text description to the

if)# vrrp 10 group
description
Engineering
Group

Switch(config- Sets the priority level for this

if)# vrrp 10 VLAN. The range is from 1 to 254.
priority 110 The default is 100

Configures this switch to preempt,

Switch(config- or take over, as the virtual switch
if)# vrrp 10 master for group 10 if it has a
preempt higher priority than the current
virtual switch master

Note

The switch that is the IP address owner will

preempt, regardless of the setting of this
command

Note

The preempt VRRP option is enabled by

default

Switch(config- Configures this switch to preempt,

if)# vrrp 10 but only after a delay of 60 seconds
preempt delay
minimum 60
Note

The default delay period is 0 seconds

Switch(config- Configures the interval between
if)# vrrp 10 successful advertisements by the
timers virtual switch master
advertise 15

Note

The default interval value is 1 second

Note

All switches in a VRRP group must use the

same timer values. If switches have different
timer values set, the VRRP group will not
communicate with each other

Note

The range of the advertisement timer is 1 to

255 seconds. If you use the msec argument,
you change the timer to measure in
milliseconds. The range in milliseconds is 50
to 999

Switch(config- Configures the switch, when acting

if)# vrrp 10 as a virtual switch backup, to learn
timers learn the advertisement interval used by
the virtual switch master

Switch(config- Disables VRRP on the interface,

if)# vrrp 10 but configuration is still retained
shutdown

Switch(config- Reenables the VRRP group using

if)# no vrrp the previous configuration
10 shutdown

Switch(config- Configures plain-text

if) vrrp 10 authentication for group 10 using
authentication the key ottawa
text ottawa

Switch(config- Configures MD5 authentication for

if)# vrrp 10 group 10 using the key winnipeg
authentication
md5 key-string
winnipeg

Configuring VRRPv3
Switch(confi Enables the ability to configure
g)# fhrp VRRPv3
version vrrp
v3

Switch(confi Moves to interface configuration

g)# mode
interface
vlan 10

Switch(confi Creates a VRRP group number 10 and

g-if)# vrrp enters VRRP configuration mode for
10 address- IPV4
family ipv4

Switch(confi Specifies an IPv4 address for the

g-if-vrrp)# VRRP group
address
10.0.1.10

Switch(confi Specifies the priority value of the

g-if-vrrp)# VRRP group. The priority of a VRRP
priority 150 group is 100 by default
Switch(confi Enables preemption of lower priority
g-if-vrrp)# master device with a 30 second delay
preempt
delay Preemption is enabled by default
minimum 30

Switch(confi Sets the advertisement timer to 5000

g-if-vrrp)# milliseconds. The advertisement timer
timers is set to 1000 milliseconds by default
advertise
5000

Switch(confi Enables support for VRRPv2

g-if-vrrp)# simultaneously, so as to interoperate
vrrpv2 with devices that only support VRRP
v2. VRRPv2 is disabled by default

VRRP Optimization Options

Interface Tracking
VRRP does not have a native interface tracking
mechanism. Instead, it has the ability to track objects.
This allows the VRRP master to lose its status if a
tracked object (interface, IP SLA, and so on) fails.
Switch(config)# Creates a tracked object, where
track 10 the status of the uplink
interface interface is tracked
gigabitethernet
1/0/1 line-
protocol

Switch(config- Moves to interface

track)# interface configuration mode
vlan 10

Switch(config- Configures VRRP to track the

if)# vrrp 1 track previously created object and
10 decrement 30 decrease the VRRP priority by
30 should the uplink interface
fail

Verifying VRRP

Note
The VRRP verification commands are the same for IPv6 and IPv4.

Switch# show vrrp Displays VRRP information

Switch# show vrrp Displays a brief status of all
brief VRRP groups

Switch# show vrrp Displays detailed information

10 about VRRP group 10

Switch# show vrrp Displays information about

interface vlan10 VRRPv2 as enabled on
interface VLAN 10

Switch# show vrrp Displays a brief summary

interface vlan10 about VRRPv2 on interface
brief VLAN 10

Switch# show vrrp Displays information about

ipv4 vlan 10 VRRPv3 as enabled on
interface VLAN 10

Switch# show vrrp Displays a brief summary

brief vlan 10 about VRRPv3 on interface
VLAN 10

Debugging VRRP
Switch# debug Displays all VRRP messages
vrrp all

Switch# debug Displays all VRRP error

vrrp error messages

Switch# debug Displays all VRRP event

vrrp events messages

Switch# debug Displays messages about packets

vrrp packet sent and received

Switch# debug Displays messages about state

vrrp state transitions

IPv4 Configuration Example: HSRP on L3 Switch

Figure 8-7 shows the network topology for the
configuration that follows, which demonstrates how to
configure HSRP using the commands covered in this
chapter. Note that only the commands specific to HSRP
are shown in this example.
Figure 8-7 Network Topology for HSRP
Configuration Example

The network devices are configured as follows:

DLS1 and DLS2 are configured as Layer 3 devices; ALS1

and ALS2 are configured as Layer 2 devices.
Border1, Border2, DLS1, and DLS2 run Enhanced
Interior Gateway Routing Protocol (EIGRP). Border1
and Border2 also provide default routing into the
cloud.

The links from DLS1 and DLS2 to Border1 and Border2

are routed links using the no switchport command
on DLS1 and DLS2.

Four VLANs are configured on DLS1. DLS1 is the VTP

server for DLS2, ALS1, and ALS2.

A Layer 2 EtherChannel trunk connects DLS1 and

DLS2.

All connections towards the access layer are 802.1Q

trunks.

DLS1 is the spanning-tree primary root for VLANs 1

and 10 and DLS1 is the secondary root for VLANs 20
and 30.

DLS2 is the spanning-tree primary root for VLANs 20

and 30 and DLS1 is the secondary root for VLANs 1 and
10.

DLS1 is to be HSRP active for VLANs 1 and 10, and

HSRP standby for VLANs 20 and 30.

DLS2 is to be HSRP active for VLANs 20 and 30, and

HSRP standby for VLANs 1 and 10.
Interface tracking is configured to allow for HSRP
failover to occur if an uplink fails.

Switch DLS1

DLS1(config Moves to interface configuration mode

interface
vlan 1

DLS1(config Activates HSRP group 1 on the interface

-if)# and creates a virtual IP address of
standby 1 192.168.1.254 for use in HSRP
ip
192.168.1.2
54

DLS1(config Assigns a priority value of 105 to

-if)# standby group 1
standby 1
priority
105

DLS1(config Configures this switch to preempt, or

-if)# take control of, VLAN 1 forwarding if
standby 1 the local priority is higher than the
preempt active switch VLAN 1 priority

DLS1(config HSRP will track the availability of

-if)# interface GigabitEthernet 1/0/1. If
standby 1 GigabitEthernet 1/0/1 goes down, the
track priority of the switch in group 1 will be
gigabitethe decremented by 20
rnet 1/0/1
20

DLS1(config HSRP will track the availability of

-if)# interface GigabitEthernet 1/0/2. If
standby 1 GigabitEthernet 1/0/2 goes down, the
track priority of the switch in group 1 will be
gigabitethe decremented by the default value of 10
rnet 1/0/2

DLS1(config Moves to global configuration mode

-if)# exit

DLS1(config Moves to interface configuration mode

)#
interface
vlan 10
DLS1(config Activates HSRP group 10 on the
-if)# interface and creates a virtual IP
standby 10 address of 192.168.10.254 for use in
ip HSRP
192.168.10.
254

DLS1(config Assigns a priority value of 105 to

-if)# standby group 10
standby 10
priority
105

DLS1(config Configures this switch to preempt, or

-if)# take control of, VLAN 10 forwarding if
standby 10 the local priority is higher than the
preempt active switch VLAN 10 priority

DLS1(config HSRP will track the availability of

-if)# interface GigabitEthernet 1/0/1. If
standby 10 GigabitEthernet 1/0/1 goes down, the
track priority of the switch in group 10 will be
gigabitethe decremented by 20
rnet 1/0/1
20
DLS1(config HSRP will track the availability of
-if)# interface GigabitEthernet 1/0/2. If
standby 10 GigabitEthernet 1/0/2 goes down, the
track priority of the switch in group 10 will be
gigabitethe decremented by the default value of 10
rnet 1/0/2

DLS1(config Moves to global configuration mode

-if)# exit

DLS1(config Moves to interface configuration mode

)#
interface
vlan20

DLS1(config Activates HSRP group 20 on the

-if)# interface and creates a virtual IP
standby 20 address of 192.168.20.254 for use in
ip HSRP
192.168.20.
254

DLS1(config Assigns a priority value of 100 to

-if)# standby group 20
standby 20
priority
100

DLS1(config HSRP will track the availability of

-if)# interface GigabitEthernet 1/0/1. If
standby 20 GigabitEthernet 1/0/1 goes down, the
track priority of the switch in group 20 will
gigabitethe be decremented by 20
rnet 1/0/1
20

DLS1(config HSRP will track the availability of

-if)# interface GigabitEthernet 1/0/2. If
standby 20 GigabitEthernet 1/0/2 goes down, the
track priority of the switch in group 20 will
gigabitethe be decremented by the default value of
rnet 1/0/2 10

DLS1(config Moves to global configuration mode

-if)# exit

DLS1(config Moves to interface configuration mode

)#
interface
vlan30
DLS1(config Activates HSRP group 30 on the
-if)# interface and creates a virtual IP
standby 30 address of 192.168.30.254 for use in
ip HSRP
192.168.30.
254

DLS1(config Assigns a priority value of 100 to

-if)# standby group 30
standby 30
priority
100

DLS1(config HSRP will track the availability of

-if)# interface GigabitEthernet 1/0/1. If
standby 30 GigabitEthernet 1/0/1 goes down, the
track priority of the switch in group 30 will be
gigabitethe decremented by 20
rnet 1/0/1
20

DLS1(config HSRP will track the availability of

-if)# interface GigabitEthernet 1/0/2. If
standby 30 GigabitEthernet 1/0/2 goes down, the
track
gigabitethe priority of the switch in group 30 will be
rnet 1/0/2 decremented by the default value of 10

DLS1(config Moves to global configuration mode

-if)# exit

Switch DLS2

DLS2(config Moves to interface configuration mode

)#
interface
vlan1

DLS2(config Activates HSRP group 1 on the interface

-if)# and creates a virtual IP address of
standby 1 192.168.1.254 for use in HSRP
ip
192.168.1.2
54

DLS2(config Assigns a priority value of 100 to

-if)# standby group 1
standby 1
priority
100

DLS2(config HSRP will track the availability of

-if)# interface GigabitEthernet 1/0/1. If
standby 1 GigabitEthernet 1/0/1 goes down, the
track priority of the switch in group 1 will be
gigabitethe decremented by 20
rnet 1/0/1
20

DLS2(config HSRP will track the availability of

-if)# interface GigabitEthernet 1/0/2. If
standby 1 GigabitEthernet 1/0/2 goes down, the
track priority of the switch in group 1 will be
gigabitethe decremented by the default value of 10
rnet 1/0/2

DLS2(config Moves to global configuration mode

-if)# exit

DLS2(config Moves to interface configuration mode

)#
interface
vlan10
DLS2(config Activates HSRP group 10 on the
-if)# interface and creates a virtual IP
standby 10 address of 192.168.10.254 for use in
ip HSRP
192.168.10.
254

DLS2(config Assigns a priority value of 100 to

-if)# standby group 10
standby 10
priority
100

DLS2(config HSRP will track the availability of

-if)# interface GigabitEthernet 1/0/1. If
standby 10 GigabitEthernet 1/0/1 goes down, the
track priority of the switch in group 10 will be
gigabitethe decremented by 20

rnet 1/0/1
20

DLS2(config HSRP will track the availability of

-if)# interface GigabitEthernet 1/0/2. If
standby 10 GigabitEthernet 1/0/2 goes down, the
track priority of the switch in group 10 will be
decremented by the default value of 10
gigabitethe
rnet 1/0/2

DLS2(config Moves to global configuration mode

-if)# exit

DLS2(config Moves to interface configuration mode

)#
interface
vlan20

DLS2(config Activates HSRP group 20 on the

-if)# interface and creates a virtual IP
standby 20 address of 192.168.20.254 for use in
ip HSRP
192.168.20.
254

DLS2(config Assigns a priority value of 105 to

-if)# standby group 20
standby 20
priority
105

DLS2(config Configures this switch to preempt, or

-if)# take control of, VLAN 20 forwarding if
standby 20 the local priority is higher than the
preempt active switch VLAN 20 priority

DLS2(config HSRP will track the availability of

-if)# interface GigabitEthernet 1/0/1. If
standby 20 GigabitEthernet 1/0/1 goes down, the
track priority of the switch in group 20 will
gigabitethe be decremented by 20
rnet 1/0/1
20

DLS2(config HSRP will track the availability of

DLS2(config Moves to global configuration mode

-if)# exit

DLS2(config Moves to interface configuration mode

)#
interface
vlan30

DLS2(config Activates HSRP group 30 on the

-if)# interface and creates a virtual IP
standby 30 address of 192.168.30.254 for use in
ip HSRP
192.168.30.
254

DLS2(config Assigns a priority value of 105 to

-if)# standby group 30
standby 30
priority
105

DLS2(config Configures this switch to preempt, or

-if)# take control of, VLAN 30 forwarding if
standby 30 the local priority is higher than the
preempt active switch VLAN 30 priority

DLS2(config HSRP will track the availability of

-if)# interface GigabitEthernet 1/0/1. If
standby 30 GigabitEthernet 1/0/1 goes down, the
track priority of the switch in group 30 will be
decremented by 20
gigabitethe
rnet 1/0/1
20

DLS2(config HSRP will track the availability of

-if)# interface GigabitEthernet 1/0/2. If
standby 30 GigabitEthernet 1/0/2 goes down, the
track priority of the switch in group 30 will be
gigabitethe decremented by the default value of 10
rnet 1/0/2

DLS2(config Moves to global configuration mode

-if)# exit

IP SLA Tracking: Switch DLS1 VLAN 10

Refer to Figure 8-7. The objective here is to probe the
availability of a web server hosted in the ISP cloud at
address 209.165.201.1. If the server does not respond to
the IP SLA ping, the HSRP priority on interface VLAN
10 will be decremented by 20. This configuration could
be applied to all other VLANs where the HSRP Active
device resides (DLS1 for VLANs 1 and 10; DLS2 for
VLANs 20 and 30).
DLS1(config)# ip Creates SLA process 10
sla 10

DLS1(config-ip- Configures the SLA as an

sla)# icmp-echo ICMP echo operation to
192.168.10.1 destination 192.168.10.1

DLS1(config-ip-sla- Exits SLA configuration

echo)# exit mode

DLS1(config)# ip Configures the scheduling

sla schedule 10 for SLA 10 process to start
start-time now life now and continue forever
forever

DLS1(config)# track Creates an object, 90, to

90 ip sla 10 state track the state of SLA
process 10

DLS1(config-track)# Moves to global

exit configuration mode

DLS1(config)# Moves to interface

interface vlan 10 configuration mode
DLS1(config-if)# Tracks the state of object 90
standby 10 track 90 and decrements the device
decrement 20 priority by 20 if the object
fails

DLS1(config-if)# Moves to global

exit configuration mode

IPv4 Configuration Example: VRRPv2 on Router and

L3 Switch with IP SLA Tracking
Figure 8-8 shows the network topology for the
configuration that follows, which shows how to
configure VRRPv2 using the commands covered in this
chapter. Note that only the commands specific to
VRRPv2 are shown in this example. Full routing and
connectivity are assumed. R1 and DLS-2 are the
participating devices in VRRPv2.
Figure 8-8 VRRP for IPv4 Using Router and L3
Switch
The network devices are configured as follows:

R1 and DLS-2 are VRRP partners.

ALS-1 and ALS-2 are Layer 2 switches, where ALS-1 is

the network switch for 10.1.10.0/24 and ALS-2 is the
network switch for 10.1.11.0/24.

R1, R2, and DLS-2 are OSPF neighbors;

GigabitEthernet 1/0/5 on DLS-2 is a routed port.

VLAN 10 is configured on ALS-1; VLAN 11 is configured

on ALS-2; DLS-2 has both VLAN 10 and 11 configured.

All lines connecting DLS-2, ALS-1, and ALS-2 are

802.1Q trunks.

R1 is the preferred forwarder for network 10.1.10.0/24

and DLS-2 is the preferred forwarder for network
10.1.11.0/24.

R1(config)# ip Enters SLA programming mode

sla 10

R1(config-ip- Has the SLA ping 10.10.10.10

sla)# icmp-echo
10.10.10.10

R1(config-ip- Pings 10.10.10.10 every 5

sla-echo)# seconds

frequency 5

R1(config-ip- Exits SLA programming mode

sla-echo)# exit

R1(config)# ip Specifies the SLA start time and

sla schedule 10 duration
life forever
start-time now

R1(config)# Creates tracking object 100

track 100 ip sla calling SLA 10
10

R1(config)# Creates tracking object 2 to

track 2 monitor line protocol up/down
interface status of interface
gigabitethernet GigabitEthernet 0/0/2
0/0/2 line-
protocol
R1(config- Exits tracking configuration
track)# exit mode

R1(config)# Enters interface configuration

interface mode for GigabitEthernet 0/0/0
gigabitethernet
0/0/0

R1(config-if)# Assigns the physical interface

ip address address of 10.1.11.2/24
10.1.11.2
255.255.255.0

R1(config-if)# Assigns the VRRP virtual IP

vrrp 11 ip address of 10.1.11.1 for VRRP
10.1.11.1 group 11

R1(config-if)# Uses the string CISCO123 for

vrrp 11 authentication between group 11
authentication members
text CISCO123

Note

Authentication by key chain is not

available on some L3 switch platforms
R1(config-if)# Has VRRP group 11 watch
vrrp 11 track 2 tracking object 2, line protocol
up/down on interface
GigabitEthernet 0/0/2

R1(config-if)# Enters interface configuration

interface mode
gigabitethernet
0/0/1

R1(config-if)# Assigns the physical interface

ip address address of 10.1.10.2/24
10.1.10.2
255.255.255.0

R1(config-if)# Assigns the VRRP virtual IP

vrrp 10 ip address of 10.1.10.1 for VRRP
10.1.10.1 group 10

R1(config-if)# Assigns group 10 virtual

vrrp 10 priority forwarder priority of 105. The
105 default is 100
R1(config-if)# Has VRRP group 10 watch
vrrp 10 track 2 tracking object 2, line protocol
up/down on interface
GigabitEthernet 0/0/2

R1(config-if)# Has VRRP group 10 watch a

vrrp 10 track second tracking object. Object
100 decrement 6 100 looks for ICMP ping
connectivity to 10.10.10.10 every
5 seconds

R1(config-if)# Returns to privileged EXEC

end mode

DLS-2

DLS-2(config)# ip Enters SLA 10 programming

sla 10 mode

DLS-2(config-ip- Has the SLA ping 10.10.10.10

sla)# icmp-echo
10.10.10.10

DLS-2(config-ip- Pings 10.10.10.10 every 5

sla-echo)# seconds

frequency 5

DLS-2(config-ip- Exits SLA programming mode

sla-echo)# exit

DLS-2(config)# ip Specifies SLA 10 start time and

sla schedule 10 duration
life forever
start-time now

DLS-2(config)# Creates tracking object 100,

track 100 ip sla which calls SLA 10
10

DLS-2(config)# Creates tracking object 2 to

track 2 interface monitor line protocol up/down
gigabitethernet status of interface
1/0/5 line- GigabitEthernet 1/0/5 (routed
protocol port to R2)

DLS-2(config-if)# Enters interface configuration

interface mode
gigabitethernet
1/0/5

DLS-2(config-if)# Changes GigabitEthernet 1/0/5

no switchport to a Layer 3 port

DLS-2(config-if)# Assigns IPv4 address

ip address 10.3.1.1/30
10.3.1.1
255.255.255.252

DLS-2(config)# Enters interface configuration

interface mode
gigabitethernet
1/0/2

DLS-2(config-if)# Forces trunk mode

switchport mode
trunk

DLS-2(config-if)# Limits VLAN traffic on this

switchport trunk trunk to VLANs 1 and 10
allowed vlan 1,10

DLS-2(config-if)# Enters interface configuration

interface mode
gigabitethernet
1/0/7

DLS-2(config-if)# Forces trunk mode

switchport mode
trunk

DLS-2(config-if)# Limits VLAN traffic on this

switchport trunk trunk to VLANs 1 and 11
allowed vlan 1,11

DLS-2(config-if)# Enters switched virtual interface

interface vlan 10 configuration mode for VLAN
10

DLS-2(config-if)# Assigns IPv4 address

ip address 10.1.10.3/24
10.1.10.3
255.255.255.0

DLS-2(config-if)# Assigns the VRRP virtual IP

vrrp 10 ip address of 10.1.10.1 for VRRP
10.1.10.1 group 10
DLS-2(config-if)# Has VRRP group 10 watch
vrrp 10 track 2 tracking object 2, line protocol
up/down on interface
GigabitEthernet 1/0/5

DLS-2(config-if)# Enters switched virtual interface

interface vlan 11 configuration mode for VLAN 11

DLS-2(config-if)# Assigns IPv4 address

ip address 10.1.11.3/24
10.1.11.3
255.255.255.0

DLS-2(config-if)# Assigns the VRRP virtual IP

vrrp 11 ip address of 10.1.11.1 for VRRP
10.1.11.1 group 11

DLS-2(config-if)# Assigns group 11 virtual

vrrp 11 priority forwarder priority of 105. The
105 default is 100

DLS-2(config-if)# Uses the string CISCO123 for

vrrp 11 authentication between group 11
authentication members
text CISCO123
DLS-2(config-if)# Has VRRP group 11 watch
vrrp 11 track 2 tracking object 2, line protocol
up/down on interface
GigabitEthernet 1/0/5

DLS-2(config-if)# Has VRRP group 11 watch a

vrrp 11 track 100 second tracking object. Object
decrement 6 100 looks for ICMP ping
connectivity to 10.10.10.10 every
5 seconds

DLS-2(config-if)# Returns to privileged EXEC

exit mode

IPv6 Configuration Example: HSRPv2 on Router and

L3 Switch
Figure 8-9 shows the network topology for the IPv6
HSRPv2 configuration that follows. Router R1 and L3
switch DLS-2 are the HSRP pair.
Figure 8-9 HSRPv2 IPv6 with Router and L3
Switch
R1
The network devices are configured similar to those in
the previous example:

R1 and DLS-2 are HSRPv2 partners.

ALS-1 and ALS-2 are Layer 2 switches, where ALS-1 is

the network switch for 2001:0:0:5::0/64 and ALS-2 is
the network switch for 2001:0:0:6::0/64.

R1, R2, and DLS-2 are OSPFv3 neighbors;

GigabitEthernet 1/0/5 on DLS-2 is a routed port.

VLAN 10 is configured on ALS-1; VLAN 11 is configured

on ALS-2; DLS-2 has both VLANs 10 and 11 configured.

All lines connecting DLS-2, ALS-1, and ALS-2 are

802.1Q trunks.

R1 is the preferred forwarder for network

2001:0:0:5::0/64 and DLS-2 is the preferred forwarder
for network 2001:0:0:6::0/64.

R1(config)# ipv6 Enables IPv6 forwarding

unicast-routing

R1(config)# ip Enters SLA programming mode

sla 11 for process 11

R1(config-ip- Has the SLA ping 2001:0:0:8::1

sla)# icmp-echo
2001:0:0:8::1
source-interface
gigabitethernet
0/0/2

R1(config-ip- Pings every 5 seconds

sla-echo)#
frequency 5

R1(config-ip- Exits SLA programming mode

sla-echo)# exit

1(config)# ip Defines the start and duration

sla schedule 11 for SLA 11
life forever
start-time now

R1(config)# Creates tracking object 111 that

track 111 ip sla uses SLA 11
11
R1(config- Exits tracking
track)# exit

R1(config)# Enters interface configuration

interface mode
gigabitethernet
0/0/0

R1(config-if)# Assigns IPv6 unicast address

ipv6 address
2001:0:0:6::2/64

R1(config-if)# Enables HSRPv2

standby version
2
Note

HSRPv2 is required for IPv6

implementation

R1(config-if)# Creates IPv6 HSRP virtual

standby 11 ipv6 address
autoconfig

Note
When you enter the standby ipv6
command, a modified EUI-64 format
interface identifier is generated in which
the EUI-64 interface identifier is created
from the relevant HSRP virtual MAC
address

Note

The standby group ipv6 interface

command can offer different options
when using different platforms. For
example, a 3560 L3 switch will allow an
IPv6 prefix argument, whereas a 2911G2
router will not

R1(config-if)# Configures this device to

standby 11 preempt, or take control of, the
preempt active forwarding if the local
priority is higher than any of the
other members of the HSRP
group

Note

The same preempt command arguments

are available for IPv6 as in IPv4
R1(config-if)# Instructs HSRPv2 to follow the
standby 11 track line protocol of GigabitEthernet
gigabitethernet 0/0/2 and decrement the
0/0/2 12 interface group priority by 12
when the interface goes down

Note

When the preceding tracking command is

entered, the router creates the following
line protocol tracking object:

track x interface GigabitEthernet 0/0/2

line-protocol, where x is the next available
number available for a tracking object. The
IOS then substitutes the tracking command
standby 11 track x decrement 12 at the
interface (as seen below)

R1(config-if)# Has HSRP group 11 watch

standby 11 track tracking object 1, line protocol
1 decrement 12 up/down on interface
GigabitEthernet 0/0/2

R1(config-if)# Enters interface configuration

interface mode
gigabitethernet
0/1
R1(config-if)# Assigns an IPv6 unicast address
ipv6 address
2001:0:0:5::2/64

R1(config-if)# Selects HSRPv2

standby version
2

R1(config-if)# Creates IPv6 HSRP virtual

standby 10 ipv6 address
autoconfig

R1(config-if)# Sets a priority of 105 for standby

standby 10 group 10 on this interface
priority 105

R1(config-if)# Configures this device to

standby 10 preempt, or take control of, the
preempt active forwarding if the local
priority is higher than any of the
other members of the HSRP
group

R1(config-if)# Links tracking object 1 to this

HSRP group and decreases this
standby 10 track device’s priority by 12 when
1 decrement 12 tracking object 1 is asserted

R1(config-if)# Links a second tracking object to

standby 10 track this HSRP group and decreases
111 decrement 7 the device’s priority by 7 when
asserted

DLS-2

DLS-2(config)# Enables IOS Layer 3 functionality

ip routing

DLS-2(config)# Enables IOS IPv6 Layer 3

ipv6 unicast- functionality
routing

DLS-2(config)# Configures the Switching Database

sdm prefer Manager on the switch to optimize
dual-ipv4-and- memory and operating system for
ipv6 both IPv4 and IPv6 Layer 3
forwarding

Caution
This command requires a reload of the switch
to take effect and is not available on the
Catalyst 3650

DLS-2(config)# Creates and enters SLA 11

ip sla 11

Note

The SLAs are added only as an illustration of

capability

Note

There seems to be no distinction between IPv4

and IPv6 in the ip sla command

DLS-2(config- Assigns 2001:0:0:8::1 as the ICMP

ip-sla)# icmp- ping destination for this SLA
echo
2001:0:0:8::1

DLS-2(config- Sends pings every 5 seconds

ip-sla-echo)#
frequency 5

DLS-2(config- Exits SLA configuration mode

ip-sla-echo)#
exit

DLS-2(config)# Assigns the start time and duration

ip sla for SLA 11
schedule 11
life forever
start-time now

DLS-2(config)# Creates tracking object 101, which

track 101 ip uses SLA 11
sla 11

DLS-2(config- Exits tracking configuration mode

track)# exit

DLS-2(config)# Enters interface configuration

interface mode
loopback 0

DLS-2(config- Assigns an IPv6 unicast address

if)# ipv6
address
2001:0:0:3::1/
64

DLS-2(config- Enters interface configuration

if)# interface mode
gigabitetherne
t 1/0/5

DLS-2(config- Changes Layer 2 switch port to a

if)# no Layer 3 routed port
switchport

DLS-2(config- Assigns an IPv6 address to this L3

if)# ipv6 forwarding port
address
2001:0:0:1::1/
64

DLS-2(config- Enters interface configuration

if)# interface mode for L2 interface
gigabitetherne
t 1/0/2

DLS-2(config- Permits traffic from VLANs 1 and

if)# 10 on the trunk
switchport
trunk allowed
vlan 1,10

DLS-2(config- Sets the port to trunk

if)# unconditionally
switchport
mode trunk

DLS-2(config- Enters interface configuration

if)# interface mode
gigabitfasteth
ernet 0/7

DLS-2(config- Permits traffic from VLANs 1 and 11

if)# on the trunk
switchport
trunk allowed
vlan 1,11

DLS-2(config- Sets the port to trunk

if)# unconditionally
switchport
mode trunk
DLS-2(config- Enters interface programming
if)# interface mode for VLAN 10 SVI
vlan 10

DLS-2(config- Specifies HSRPv2

if)# standby
version 2

DLS-2(config- Assigns IPv6 unicast address

if)# ipv6
address
2001:0:0:5::3/
64

DLS-2(config- Creates IPv6 HSRP virtual address

if)# standby
10 ipv6
autoconfig

DLS-2(config- Enables this group’s HSRP

if)# standby forwarder to become active at any
10 preempt time when its group priority is the
highest

DLS-2(config- Links tracking object 111 to this

if)# standby standby group and decreases this
10 track 111 device’s priority by 10 when
decrement 10 tracking object 111 is asserted

DLS-2(config- Enters interface configuration

if)# interface mode for VLAN 11 SVI
vlan 11

DLS-2(config- Assigns IPv6 unicast address

if)# ipv6
address
2001:0:0:6::3/
64

DLS-2(config- Specifies HSRPv2

if)# standby
version 2

DLS-2(config- Creates IPv6 HSRP virtual address

if)# standby
11 ipv6
autoconfig

DLS-2(config- Sets a priority of 105 for standby

if)# standby group 11 on this interface
11 priority
105

DLS-2(config- Enables this group’s HSRP

if)# standby forwarder to transition to active at
11 preempt any time when its group priority is
the highest

DLS-2(config- Links tracking object 111 to HSRP

if)# standby group 11 and decreases this device’s
11 track 111 priority by 10 when tracking object
decrement 10 111 is asserted

Note
HSRP verification and debug commands are the same for IPv4 and IPv6.

DYNAMIC HOST CONTROL

PROTOCOL (DHCP)
DHCP is a network management protocol used on
UDP/IP networks whereby a DHCP server dynamically
assigns an IP address and other network configuration
parameters to each device on a network so that the
devices can communicate with other IP networks.
Implementing DHCP for IPv4
DHCP was first defined in RFC 1531 in October 1993,
but due to errors in the editorial process was almost
immediately reissued as RFC 1541.

Configuring a DHCP Server on a Cisco IOS Router

Router(confi Creates a DHCP pool named

g)# ip dhcp INTERNAL. The name can be
pool anything of your choosing
INTERNAL

Router(dhcp- Defines the range of addresses to be

config)# leased
network
172.16.10.0
255.255.255.
0

Router(dhcp- Defines the address of the default

config) # router for the client. One IP address is
default- required; however, you can specify up
router to eight IP addresses in the command
172.16.10.1 line, listed in order of precedence
Router(dhcp- Defines the address of the DNS server
config)# for the client
dns-server
172.16.10.10

Router(dhcp- Defines the address of the NetBIOS

config)# server for the client

netbios-
name-server
172.16.10.10

Router(dhcp- Defines the domain name for the

config)# client

domain-name
fakedomainna
me.com

Router(dhcp- Defines the lease time to be 14 days,

config)# 12 hours, 23 minutes
lease 14 12
23

Router(dhcp- Sets the lease time to infinity; the

config)# default time is 1 day
lease
infinite

Router(dhcp- Returns to global configuration mode

config)#
exit

Router(confi Specifies the range of addresses not to

g)# ip dhcp be leased out to clients
excluded-
address
172.16.10.1
172.16.10.10

Router(confi Enables the DHCP service and relay

g)# features on a Cisco IOS router

service dhcp

Router(confi Turns off the DHCP service, which is

g)# on by default in Cisco IOS Software

no service
dhcp
Configuring DHCP Manual IP Assignment
It is sometimes desirable to link a specific network
device with a specific IPv4 address using a Cisco device’s
DHCP service. The Cisco device uses a “client ID” to
identify a DHCP client device and is programmed into
the DHCP pool.

Note
The DHCP client device ID can be determined using the show ip dhcp binding command
after the client has successfully obtained the next available IP address from the DHCP pool.

The DHCP pool programming must also include any

other required programming such as default router IP,
DNS, or WINS addresses, and so on.

Router(config)# ip dhcp Creates a DHCP pool

pool POOL1 named POOL1

Router(dhcp-config)# Defines the single IP

host 172.22.12.88/24 address for the DHCP
pool in dotted decimal
with subnet mask or
CIDR notation
Router(dhcp-config)# Specifies the client ID
client-identifier of the network device
0063.6973.636f.2d30.3030 that should receive the
.362e.6636.3962.2e65.333 specific IP
1.312d.4769.302f.31

Router(dhcp-config)# Specifies the gateway

default-router router for the DHCP
172.22.12.1 clients

Router(dhcp-config)# Specifies the IP

dns-server 192.168.22.11 address of the DNS
service

Router(dhcp-config)# Specifies the DHCP

lease 1 0 0 lease length in “days
hours minutes”

Router(dhcp-config)# Leaves DHCP

exit configuration mode

Configuring DHCP Relay

DHCP services can reside anywhere within the network.
The DHCP relay service translates a client broadcast
DHCP service request to a unicast DHCP request
directed to the DHCP server IP address. The command
is added to the Layer 3 interface on the IP segment from
which the DHCP broadcast request originates.

Router(config Moves to interface configuration

)# interface mode
gigabitethern
et 0/0

Router(config Forwards DHCP broadcast messages

-if)# ip as unicast messages to this specific
helper- address instead of having them be
address dropped by the router
172.16.20.2

Note
The ip helper-address command forwards broadcast packets as a unicast to eight different
UDP ports by default:

TFTP (port 69)

DNS (port 53)

Time service (port 37)

NetBIOS name server (port 137)

NetBIOS datagram server (port 138)

Boot Protocol (BOOTP) client and server datagrams (ports 67 and 68)

TACACS service (port 49)

If you want to close some of these ports, use the no ip

forward-protocol udp x command at the global
configuration prompt, where x is the port number you
want to close. Services not forwarded by ip helper-
address can be added using the ip forward-protocol
global command.

Router(config-if)# Forwards the DHCP traffic

ip helper- address to the DHCP server at
10.1.1.1 10.1.1.1

Router(config)# no Prevents forwarding of

ip forward- traffic for UDP time services
protocol udp 37 using port 37

Router(config)# ip Forwards traffic for UDP

forward- protocol services using port 5858
udp 5858
Configuring a DHCP Client on a Cisco IOS Software
Ethernet Interface
Figure 8-10 shows the network topology for the
configuration that follows, which demonstrates how to
configure provider-assigned IPv4 DHCP address.

Figure 8-10 Configure a Provider-Assigned DHCP

IPv4 Address

EDGE(config)# Enters GigabitEthernet 0/0

interface interface configuration mode
gigabitethernet 0/0

EDGE(config-if)# ip Allows the interface to obtain

address dhcp an address dynamically from
the ISP

EDGE(config-if)# no Enables the interface

shutdown
Note
If the default gateway optional parameter is contained within the DHCP reply packet, the
router will install a static default route in its routing table, with the default gateway’s IP
address as the next hop. The default route is installed with the administrative distance of
254, which makes it a floating static route. To disable this feature, use the interface-level
command no ip dhcp client request router.

Verifying and Troubleshooting DHCP Configuration

Router# show ip dhcp Displays a list of all

binding bindings created

Router# show ip dhcp Displays the bindings for

binding w.x.y.z a specific DHCP client
with an IP address of
w.x.y.z

Router# clear ip dhcp Clears an automatic

binding a.b.c.d address binding from the
DHCP server database

Router# clear ip dhcp Clears all automatic

binding * DHCP bindings

Router# show ip dhcp Displays a list of all

conflict address conflicts that the
DHCP server recorded

Router# clear ip dhcp Clears an address conflict

conflict a.b.c.d from the database

Router# clear ip dhcp Clears conflicts for all

conflict * addresses

Router# show ip dhcp Displays recent activity on

database the DHCP database

Router# show ip dhcp Displays information

pool about DHCP address
pools

Router# show ip dhcp Displays information

pool name about the DHCP pool
named name

Router# show ip dhcp Displays interface on

interface which DHCP is enabled

Router# show ip dhcp Displays a list of the

server statistics number of messages sent
and received by the DHCP
server

Router# clear ip dhcp Resets all DHCP server

server statistics counters to 0

Router# debug ip dhcp Displays the DHCP

server {events | process of addresses being
packet | linkage | leased and returned
class}

Router# debug ip dhcp Report address

server events assignments, lease
expirations, and so on

Router# debug ip dhcp Decodes DHCP server

server packets message receptions and
transmissions

Implementing DHCP for IPv6

DHCPv6 can deliver both stateful and stateless
information. Stateful, or centrally managed, information
is used to provide parameters not available through
stateless address autoconfiguration (SLAAC) or
neighbor discovery. SLAAC means that the client picks
their own address based on the router prefix being
advertised. Additional parameters such as a DNS server
address must be provided by stateless DHCPv6 services.

DHCPv6 clients and servers are identified to each other

by a DHCP unique identifier (DUID) using the lowest
number interface MAC address. DHCPv6 exchanges are
either normal four-message (solicit, advertise, request,
reply) exchanges or the rapid commit two-message
(solicit, reply) exchanges.

The DHCPv6 server maintains a binding table in RAM

that maintains configuration parameters.

Note
Unlike DHCPv4, the DHCPv6 service does not give out IP addresses; instead, it gives out
prefixes. The client creates the remaining bits for a valid IPv6 address. The duplicate
address detection (DAD) mechanism ensures the uniqueness of the address. There is no
DHCPv6 excluded-address command.

There are three methods for dynamically allocating IPv6

addressing and configuration information:

1. SLAAC (no DHCPv6 server required)

2. SLAAC and a stateless DHCPv6 server

3. Stateful DHCPv6 server

Using SLAAC and Configuring a Router as a Stateless
DHCPv6 Server
A stateless DHCPv6 server doesn’t allocate or maintain
IPv6 global unicast addressing information. A stateless
server only provides common network information that
is available to all devices on the network, such as a list of
DNS server addresses or a domain name.

The SLAAC with stateless DHCPv6 method involves

setting the Other Configuration flag (O flag) to 1. With
this method the device creates its own global unicast
address (GUA) using SLAAC. It also needs to use
information from other sources, such as the link MTU
contained in the router advertisement (RA). In this
scenario, the three RA flags are as follows:

A flag = 1 – Use SLAAC to create a global unicast

address

O flag = 1 – Communicate with a stateless DHCPv6

server for other addressing information

M flag = 0 – Do not need to communicate with a

stateful DHCPv6 server

Router# configure Enters global configuration

mode
terminal

Router(config)# Creates a DHCPv6 pool

ipv6 dhcp pool named STATELESS
STATELESS

Router(config- Configures a domain name

dhcp)# domain-name for a DHCPv6 client
nodomain.com

Router(config- Specifies the DNS server

dhcp)# dns-server address for the DHCPv6
2001:db8:3000:3000: clients
:42

Router(config- Leaves DHCPv6

dhcp)# exit configuration mode

Router(config)# Specifies an interface type

interface and number, and enters
gigabitethernet 0/0 interface configuration mode

Router(config-if)# Sets the router

ipv6 nd other- advertisement Other
config-flag
Configuration flag (O flag) to
1

Note

The default setting of the O flag is 0

Note

To set the O flag back to the default

setting of 0, use the no ipv6 nd
other-config-flag command

Note

When the O flag is set to 1, this

tells the end client device that other
information is available from a
stateless DHCPv6 server

Router(config-if)# Enables DHCPv6 on an

ipv6 dhcp server interface for the appropriate
STATELESS IPv6 address pool
Router(config-if)# Moves to privileged EXEC
end mode

Configuring a Router as a Stateful DHCPv6 Server

Unlike the other methods used to assign IPv6 addresses
to clients, stateful DHCPv6 does not utilize SLAAC to
generate a global unicast address. Stateful DHCPv6 is
similar to the DHCP services provided for IPv4.

A stateful DHCPv6 server provides IPv6 GUA addresses

to clients and keeps track of which devices have been
allocated IPv6 addresses.

The stateful DHCPv6 method involves modifying two

flags: the Managed Address Configuration flag (M flag)
and the Address Autoconfiguration flag (A flag). In this
scenario, the three RA flags are as follows:

A flag = 0 – Do not use SLAAC to create a global

unicast address

O flag = 0 – No need to communicate with a stateless

DHCPv6 server

M flag = 1 – Obtain the global unicast address and

other information from a stateful DHCPv6 server
Router# Enters global configuration mode
configure
terminal

Router(config)# Creates a DHCPv6 pool named

ipv6 dhcp pool STATEFUL-DHCPv6
STATEFUL-DHCPv6

Router(config- Causes the router to be a stateful

dhcp)# address DHCPv6 server and to allocate
prefix addresses. The prefix length
2001:db8:cafe:1 indicates the number of available
::/64 address in the pool

Router(config- Configures a domain name for a

dhcp)# domain- DHCPv6 client
name
nodomain.com

Router(config- Specifies the DNS server address

dhcp)# dns- for the DHCPv6 clients
server
2001:db8:cafe:1
::8888
Router(config- Leaves DHCPv6 configuration
dhcp)# exit mode

Router(config)# Specifies an interface type and

interface number, and enters interface
gigabitethernet configuration mode
0/0

Router(config- Sets the Managed Configuration

if)# ipv6 nd flag (M flag) to 1
managed-config-
flag
Note

The default setting of the M flag is 0

Note

To set the M flag back to the default setting

of 0, use the no ipv6 nd managed-config-
flag command

Router(config- Assigns an IPv6 address to the

if)# ipv6 nd interface
prefix
2001:db8:cafe:1 The no-autoconfig keyword sets
::/64 no- the A flag to 0. This ensures that
the interface won’t use SLAAC in
autoconfig
its RA messages to clients

Router(config- Enables the DHCPv6 service on

if)# ipv6 dhcp the client-facing interface and
server associates it with the pool
STATEFUL-DHCPv6 STATEFUL-DHCPv6

Note

You can add the rapid-commit keyword at

the of this command to enable the use of the
two-message exchange between server and
client

Router(config- Moves to privileged EXEC mode

if)# end

Configuring DHCPv6 Client

Router# Enters global configuration mode

configure
terminal

Router(config)# Enters interface configuration

interface mode, and specifies the interface
interface-id to configure

Router(config- Enables the interface to acquire an

if)# ipv6 IPv6 address using the four-
address dhcp message exchange from the
DHCPv6 server

Router(config- Enables the interface to acquire an

if)# ipv6 IPv6 address using the two-
address dhcp message exchange from the
rapid-commit DHCPv6 server

Configuring DHCPv6 Relay Agent

Router# configure Enters global configuration

terminal mode

Router(config)# Specifies an interface type and

interface number, and enters interface
gigabitethernet configuration mode
0/0

Router(config-if)# Specifies a destination address

to which client packets are
forwarded and enables
ipv6 dhcp relay
DHCPv6 relay service on the
destination
interface
fe80::250:a2ff:feb
f:a056
gigabitethernet
Note
0/1
It is possible to use a global unicast
IPv6 address as the relay destination
instead of a link-local address

Router(config-if)# Return to privileged EXEC

end mode

Verifying and Troubleshooting DHCPv6

Router# show ipv6 Displays the IPv6 to MAC

dhcp binding address bindings
Router# show ipv6 Displays DHCPv6 pool
dhcp pool statistics

Router# show ipv6 Displays interface on which

dhcp interface DHCPv6 is enabled

Router# debug ipv6 Enables DHCPv6 debugging

dhcp [detail]

Router# debug ipv6 Enables DHCPv6 relay agent

dhcp relay debugging

Configuration Example: DHCP for IPv4

Figure 8-11 illustrates the network topology for the
configuration that follows, which shows how to
configure DHCP services on a Cisco IOS router using the
commands covered in this chapter.
Figure 8-11 Network Topology for DHCP
Configuration

Edmonton Router

Router> Moves to privileged EXEC mode

enable

Router# Moves to global configuration mode

configure
terminal

Router(config Sets the host name

)# hostname
Edmonton

Edmonton(conf Moves to interface configuration

ig)# mode
interface
gigabitethern
et 0/0

Edmonton(conf Sets the local description of the

ig-if)# interface
description
LAN Interface

Edmonton(conf Assigns an IP address and netmask

ig-if)# ip
address
10.0.0.1
255.0.0.0

Edmonton(conf Enables the interface

ig-if)# no
shutdown

Edmonton(conf Moves to interface configuration

ig-if)# mode
interface
serial 0/0/0
Edmonton(conf Sets the local description of the
ig-if)# interface
description
Link to
Gibbons
Router

Edmonton(conf Assigns an IP address and netmask

ig-if)# ip
address
192.168.1.2
255.255.255.2
52

Edmonton(conf Assigns the clock rate to the DCE

ig-if)# clock cable on this side of link
rate 4000000

Edmonton(conf Enables the interface

ig-if)# no
shutdown

Edmonton(conf Returns to global configuration mode

ig-if)# exit
Edmonton(conf Creates a static route to the
ig)# ip route destination network
192.168.3.0
255.255.255.0
serial 0/0/0

Edmonton(conf Verifies that the router can use

ig)# service DHCP services and that DHCP is
dhcp enabled. This command is enabled
by default in Cisco IOS and will not
appear in the running configuration

Edmonton(conf Creates a DHCP pool called

ig)# ip dhcp 10NETWORK
pool
10NETWORK

Edmonton(dhcp Defines the range of addresses to be

-config)# leased
network
10.0.0.0
255.0.0.0

Edmonton(dhcp Defines the address of the default

-config)# router for clients
default-
router
10.0.0.1

Edmonton(dhcp Defines the address of the NetBIOS

-config)# server for clients
netbios-name-
server
10.0.0.2

Edmonton(dhcp Defines the address of the DNS

-config)# server for clients
dns-server
10.0.0.3

Edmonton(dhcp Defines the domain name for clients

-config)#
domain-name
fakedomainnam
e.com

Edmonton(dhcp Sets the lease time to be 12 days, 14

-config)# hours, 30 minutes
lease 12 14
30
Edmonton(dhcp Returns to global configuration mode
-config)#
exit

Edmonton(conf Specifies the range of addresses not

ig)# ip dhcp to be leased out to clients
excluded-
address
10.0.0.1
10.0.0.5

Edmonton(conf Creates a DHCP pool called

ig)# ip dhcp 192.168.3NETWORK
pool
192.168.3NETW
ORK

Edmonton(dhcp Defines the range of addresses to be

-config)# leased
network
192.168.3.0
255.255.255.0

Edmonton(dhcp Defines the address of the default

-config)# router for clients
default-
router
192.168.3.1

Edmonton(dhcp Defines the address of the NetBIOS

-config)# server for clients

netbios-name-
server
10.0.0.2

Edmonton(dhcp Defines the address of the DNS

-config)# server for clients
dns-server
10.0.0.3

Edmonton(dhcp Defines the domain name for clients

-config)#
domain-name
fakedomainnam
e.com

Edmonton(dhcp Sets the lease time to be 12 days, 14

-config)# hours, 30 minutes
lease 12 14
30

Edmonton(dhcp Returns to global configuration mode

-config)#
exit

Edmonton(conf Returns to privileged EXEC mode

ig)# exit

Edmonton# Saves the configuration to NVRAM

copy running-
config
startup-
config

Gibbons Router

Router> enable Moves to privileged EXEC mode

Router# Moves to global configuration

configure mode
terminal
Router(config)# Sets the host name
hostname
Gibbons

Gibbons(config) Moves to interface configuration

# interface mode
gigabitethernet
0/0

Gibbons(config- Sets the local description of the

if)# interface
description LAN
Interface

Gibbons(config- Assigns an IP address and

if)# ip address netmask
192.168.3.1
255.255.255.0

Gibbons(config- Forwards DHCP broadcast

if)# ip helper- messages as unicast messages to
address this specific address instead of
192.168.1.2 having them be dropped by the
router
Gibbons(config- Enables the interface
if)# no
shutdown

Gibbons(config- Moves to interface configuration

if)# interface mode
serial 0/0/1

Gibbons(config- Sets the local description of the

if)# interface
description
Link to
Edmonton Router

Gibbons(config- Assigns an IP address and

if)# ip address netmask
192.168.1.1
255.255.255.252

Gibbons(config- Enables the interface

if)# no
shutdown

Gibbons(config- Returns to global configuration

if)# exit mode
Gibbons(config) Creates a default static route to the
# ip route destination network
0.0.0.0 0.0.0.0
serial 0/0/1

Gibbons(config) Returns to privileged EXEC mode

# exit

Gibbons# copy Saves the configuration to NVRAM

running-config
startup-config

Configuration Example: DHCP for IPv6

Figure 8-12 illustrates the network topology for the
configuration that follows, which shows how to
configure DHCP for IPv6 services on a Cisco IOS router
using the commands covered in this chapter. For this
lab, the DHCPv6 clients are simulated as IOS routers to
show the interface configuration required for stateless
and stateful DHCPv6 to be operational.
Figure 8-12 Network Topology for DHCPv6
Configuration

Edmonton Router

Router> enable Moves to privileged EXEC

mode

Router# configure Moves to global configuration

terminal mode

Router(config)# Sets the host name

hostname Edmonton

Edmonton(config)# Enables IPv6 routing

ipv6 unicast-
routing
Edmonton(config)# Creates a DHCPv6 pool for the
ipv6 dhcp pool Edmonton LAN. Since this
EDMONTONLAN pool is used for stateless
DHCPv6, no prefix is
configured

Edmonton(config- Sets the DNS server address

dhcpv6)# dns-
server
2001:db8:10:1::3

Edmonton(config- Sets the domain name

dhcpv6)# domain-
name cisco.com

Edmonton(config- Exits the EDMONTONLAN

dhcpv6)# exit pool

Edmonton(config)# Creates a DHCPv6 pool for the

ipv6 dhcp pool Gibbons LAN
GIBBONSLAN

Edmonton(config- Defines a prefix for the DHCP

dhcpv6)# address pool
prefix
2001:db8:192:3::/
64

Edmonton(config- Sets the DNS server address

dhcpv6)# dns-
server
2001:db8:10:1::3

Edmonton(config- Sets the domain name

dhcpv6)# domain-
name cisco.com

Edmonton(config- Exits the GIBBONSLAN pool

dhcpv6)# exit

Edmonton(config)# Moves to interface

interface configuration mode
gigabitethernet
0/0

Edmonton(config- Sets the local description of the

if)# description interface
LAN Interface

Edmonton(config- Enables IPv6 functions

if)# ipv6 enable

Edmonton(config- Assigns an IPv6 address and

if)# ipv6 address prefix length
2001:db8:10:1::1/
64

Edmonton(config- Sets the Other Configuration

if)# ipv6 nd flag to 1 for stateless DHCPv6
other-config-flag

Edmonton(config- Assigns the EDMONTONLAN

if)# ipv6 dhcp pool to the local LAN interface
server
EDMONTONLAN

Edmonton(config- Enables the interface

if)# no shutdown

Edmonton(config- Moves to interface

if)# interface configuration mode
serial 0/0/0

Edmonton(config- Sets the local description of the

if)# description interface
Link to Gibbons
Router

Edmonton(config- Enables IPv6 functions

if)# ipv6 enable

Edmonton(config- Assigns an IP address and

if)# ipv6 address prefix length
2001:db8:192:1::2
/64

Edmonton(config- Assigns the GIBBONSLAN

if)# ipv6 dhcp pool to the WAN interface
server GIBBONSLAN since it will be receiving
DHCPv6 relay messages from
Gibbons

Edmonton(config- Assigns the clock rate to the

if)# clock rate DCE cable on this side of link
4000000

Edmonton(config- Enables the interface

if)# no shutdown

Edmonton(config- Returns to global configuration

if)# exit mode

Edmonton(config)# Creates a static route to the

ipv6 route 2001: Gibbons LAN network
db8:192:3::/64
2001:db8:192:1::1

Edmonton# copy Saves the configuration to

running-config NVRAM
startup-config

Gibbons Router

Router> enable Moves to privileged EXEC mode

Router# Moves to global configuration

configure mode
terminal

Router(config)# Sets the host name

hostname Gibbons

Gibbons(config)# Enables IPv6 routing

ipv6 unicast-
routing

Gibbons(config)# Moves to interface configuration

interface mode
gigabitethernet
0/0

Gibbons(config- Sets the local description of the

if)# description interface
LAN Interface

Gibbons(config- Enables IPv6 functions

if)# ipv6 enable

Gibbons(config- Assigns an IP address and prefix

if)# ipv6 length
address
2001:db8:192:3::
1/64

Gibbons(config- Forwards DHCPV6 multicast

if)# ipv6 dhcp messages as unicast messages to
relay this specific address instead of
destination having them be dropped by the
router
2001:db8:192:1::
2

Gibbons(config- Sets the Managed Address

if)# ipv6 nd Configuration flag to 1 for stateful
managed-config- DHCPv6
flag

Gibbons(config- Enables the interface

if)# no shutdown

Gibbons(config- Moves to interface configuration

if)# interface mode
serial 0/0/1

Gibbons(config- Sets the local description of the

if)# description interface
Link to Edmonton
Router

Gibbons(config- Enables IPv6 functions

if)# ipv6 enable

Gibbons(config- Assigns an IP address prefix

if)# ipv6 length
address
2001:db8:192:1::
1/64

Gibbons(config- Enables the interface

if)# no shutdown

Gibbons(config- Returns to global configuration

if)# exit mode

Gibbons(config)# Creates an IPv6 default static

ipv6 route ::/0 route that points to the
2001:db8:192:1:: Edmonton router
2

Gibbons(config)# Returns to privileged EXEC

exit mode

Gibbons# copy Saves the configuration to

running-config NVRAM
startup-config

EdmontonPC Stateless DHCPv6 Client (IOS Router)

EdmontonPC(con Moves to interface configuration
fig)# mode
interface
gigabitetherne
t 0/0

EdmontonPC(con Enables IPv6 functions

fig-if)# ipv6
enable

EdmontonPC(con Sets the interface for SLAAC and

fig-if)# ipv6 installs an IPv6 default route to the
address Edmonton GigabitEthernet 0/0
autoconfig interface link-local address
default

EdmontonPC(con Enables the interface

fig-if)# no
shutdown

EdmontonPC(con Returns to privileged EXEC mode

fig)# exit

EdmontonPC# Saves the configuration to NVRAM

copy running-
config
startup-config

GibbonsPC Stateful DHCPv6 Client (IOS Router)

GibbonsPC(config)# Moves to interface

interface gigabitethernet configuration mode
0/0

GibbonsPC(config-if)# Enables IPv6

ipv6 enable functions

GibbonsPC(config-if)# Sets the interface

ipv6 address dhcp for stateful DHCPv6

GibbonsPC(config-if)# no Enables the

shutdown interface

GibbonsPC# copy running- Saves the

config startup-config configuration to
NVRAM
Chapter 9
Device Management

This chapter provides information about the following topics:

Configuring passwords

Cleartext password encryption

Password encryption algorithm types

Configuring SSH

Verifying SSH

Boot system commands

The Cisco IOS File System

Viewing the Cisco IOS File System

Commonly used URL prefixes for Cisco network devices

Deciphering IOS image filenames

Backing up configurations to a TFTP server

Restoring configurations from a TFTP server

Backing up the Cisco IOS Software to a TFTP server

Restoring/upgrading the Cisco IOS Software from a TFTP server

Restoring the Cisco IOS Software using the ROM Monitor

environmental variables and tftpdnld command

Secure Copy Protocol (SCP)

Configuring an SCP server

Verifying and troubleshooting SCP

Configuration example: SCP

Disabling unused services

Useful device management options

CONFIGURING PASSWORDS
These commands work on both routers and switches.

Edmonton(config)# Sets the enable password. This password

enable password cisco is stored as cleartext

Edmonton(config)# Sets the enable secret password. This

enable secret class password is stored using a cryptographic
hash function (MD5)

Edmonton(config)# Sets the enable secret password using

enable algorithm-type the SHA-256 algorithm, which is a
sha256 secret class stronger hashing algorithm than MD5

Edmonton(config)# Sets the enable secret password using

enable algorithm-type the scrypt algorithm, which is a stronger
scrypt secret class hashing algorithm than MD5

Edmonton(config)# Enters console line configuration mode

line console 0

Edmonton(config- Sets the console line mode password to

line)# password cisco12345
cisco12345

Edmonton(config- Enables password checking at login

line)# login

Edmonton(config- Enters vty line configuration mode for all

line)# line vty 0 4 five vty lines

Edmonton(config- Sets the vty password to cisco12345

line)# password
cisco12345

Edmonton(config- Enables password checking at login

line)# login

Edmonton(config- Enters auxiliary line configuration mode

line)# line aux 0

Edmonton(config- Sets the auxiliary line mode password to

line)# password backdoor
backdoor

Edmonton(config- Enables password checking at login

line)# login

Edmonton(config- Disables access to the AUX port when it

line)# no exec is not in use

Caution
The enable secret password is encrypted by default using the MD5 cryptographic hash function. The enable
password password is not; it is stored as cleartext. For this reason, recommended practice is that you never use the
enable password command. Use only the enable secret command in a router or switch configuration. The enable
secret command password takes precedence over the enable password command password. For instance, if
enable secret class and enable password cisco are both configured, Cisco IOS will only grant privileged EXEC
mode access when the enable secret password class is entered.

Tip
You can set both enable secret password and enable password password to the same password. However, doing
so defeats the use of encryption.

Caution
Line passwords are stored as cleartext. They should be encrypted using the service password-encryption
command as a bare minimum. However, this encryption method is weak and easily reversible.

Tip
The best place to store passwords is an external AAA (authentication, authorization, and accounting) server.

Cleartext Password Encryption

Edmonton(config)# service Applies a Vigenère cipher (type 7)
password-encryption weak encryption to passwords

Edmonton(config)# no Turns off password encryption

service password-
encryption

Caution
If you have turned on service password encryption, used it, and then turned it off, any passwords that you have
encrypted will stay encrypted. New passwords will remain unencrypted.

Tip
The service password-encryption command will work on the following cleartext passwords:

Username

Authentication key

Console

Virtual terminal line access

BGP neighbors

Passwords using this encryption are shown as type 7 passwords in the

router configuration:

Edmonton# show run | include secret | line con 0 | password | line vty 0 | password 5
s
no service password-encryption
i
enable secret 5 g
n
Rv4kArhts7yA2xd8BD2YTVbts
i
line con 0 f
i
password 7 00271A5307542A02D22842
e
line vty 0 4 s
M
password 7 00271A5307542A02D22842
D
5
h
a
s
h

7
s
i
g
n
i
f
i
e
s
V
i
g
e
n
è
r
e
c
i
p
h
e
r

PASSWORD ENCRYPTION ALGORITHM TYPES

There are different algorithm types available to hash a password in
Cisco IOS:

Type 4: Specified a SHA-256 encrypted secret string

Deprecated due to a software bug that allowed this password

to be viewed in plaintext under certain conditions

Type 5: Specifies a message digest algorithm 5 (MD5) encrypted

secret

Type 8: Specifies a Password-Based Key Derivation Function 2 with

SHA-256 hashed secret (PBKDF2 with SHA-256)

Type 9: Specifies a scrypt hashed secret (SCRYPT)

Tip
MD5 is no longer considered to be secure. Therefore, it is recommended that type 8 or type 9 always be configured.
Edmonton(config)# username Either option generates
demo5 secret cisco password encrypted with a
type 5 algorithm

Edmonton(config)# username
demo5 algorithm-type md5
secret cisco

Edmonton(config)# username Generates password

demo8 algorithm-type sha256 encrypted with a type 8
secret cisco algorithm

Edmonton(config)# username Generates password

demo9 algorithm-type scrypt encrypted with a type 9
secret cisco algorithm

Note
Type 5, type 8, and type 9 passwords are not reversible.

Caution
If you configure type 8 or type 9 passwords and then downgrade to a Cisco IOS Software release that does not
support type 8 and type 9 passwords, you must configure the type 5 passwords before downgrading. If not, you will
be locked out of the device and a password recovery is required. Type 8 and type 9 passwords have been supported
since 15.3(3)M.

Configuring SSH
Telnet and Secure Shell (SSH) are two remote access methods to
connect to a device. Although popular, Telnet is not secure because
Telnet traffic is forwarded in cleartext. Therefore, its content can
easily be read if intercepted.

Secure Shell (SSH) encrypts all traffic between source and

destination and is therefore the recommended remote access
method. SSH should always be used if available.

Caution
SSH Version 1 implementations have known security issues. It is recommended to use SSH Version 2 whenever
possible.

Note
SSH provides encryption services using private and public cryptographic keys that are created using the crypto key
generate rsa global configuration command. However, the crypto key command requires that a device host name
(i.e., hostname name) and a fully qualified domain name (i.e., ip domain-name name) first be configured. SSH
cannot use the default host names (e.g., Switch or Router).

Note
The Cisco implementation of SSH requires Cisco IOS Software to support Rivest, Shamir, Adleman (RSA)
authentication and minimum Data Encryption Standard (DES) encryption (a cryptographic software image).

Edmonton(c Creates a locally significant username/password

onfig)# combination. These are the credentials you must enter
username when connecting to the router with SSH client software
BabyYoda
password
mandaloria
n

Edmonton(c Creates a locally significant username of BabyYoda

onfig)# with privilege level 15. Assigns a secret password of
username mandalorian
BabyYoda
privilege
15 secret
mandaloria
n

Edmonton(c Creates a host domain for the router

onfig)# ip
domain-
name
test.lab

Edmonton(c Enables the SSH server for local and remote

onfig)# authentication on the router and generates an RSA key
crypto key pair. The number of modulus bits on the command line
generate is 2048 bits. The size of the key modulus is 360 to 4096
rsa bits. If a crypto key already exists on the router, use the
modulus crypto key zeroize rsa command to remove it
2048

Edmonton(c Enables SSH version 2 on the device

onfig)# ip
ssh
version 2 Note

To work, SSH requires a local username database, a local IP domain, and an

RSA key to be generated

Edmonton(c Sets the maximum number of password prompts

onfig)# ip provided to the user to 2. The default is 3
ssh
authentica
tion-
retries 2

Edmonton(c Sets the time interval that the router waits for the SSH
onfig)# ip client to respond to 90 seconds. The default is 120
ssh time-
out 90

Edmonton(c Forces the SSH client to use the IP address of the

onfig)# ip Loopback 1 interface as the source address for SSH
ssh packets
source-
interface
loopback 1

Edmonton(c Moves to vty configuration mode for all five vty lines of
onfig)# the router
line vty 0
4
Note

Depending on the Cisco IOS Software release and platform, there may be more
than 5 vty lines

Edmonton(c Enables password checking on a per-user basis.

onfig- Username and password will be checked against the
line)# data entered with the username global configuration
login command. Ensure that a local username database has
local been configured before entering this command

Edmonton(c Limits remote connectivity to SSH connections

onfig- only−disables Telnet. It is possible to specify other
line)# input methods, but the most common ones are SSH
transport and Telnet
input ssh

Verifying SSH

Edmonton# show ip ssh Verifies that SSH is enabled

Edmonton# show ssh Checks the SSH connection to the device

BOOT SYSTEM COMMANDS

Router(config)# boot Loads the Cisco IOS Software with

system flash image- image-name
name

Router(config)# boot Loads the Cisco IOS Software with

system image-name from a TFTP server
tftp://172.16.10.3/im
age-name
Router(config)# boot Loads the Cisco IOS Software from ROM
system rom

Router(config)# exit Returns to privileged EXEC mode

Router# copy running- Saves the running configuration to

config startup-config NVRAM. The router executes commands
in their order on the next reload

Tip
If you enter boot system flash first, that is the first place the router goes to look for the Cisco IOS Software. If you
want to go to a TFTP server first, make sure that the boot system tftp command is the first command you enter.

Tip
If the configuration has no boot system commands, the router defaults to loading the first valid Cisco IOS image in
flash memory and running it. If no valid Cisco IOS image is found in flash memory, the router attempts to boot from a
network TFTP server. After six unsuccessful attempts of locating a network TFTP server, the router loads into
ROMmon mode.

THE CISCO IOS FILE SYSTEM

The Cisco IOS File System (IFS) provides a single interface to all the
file systems available on a routing device, including the flash memory
file system; network file systems such as TFTP, remote copy protocol
(rcp), and FTP; and any other endpoint for reading and writing data,
such as NVRAM, or the running configuration. The Cisco IFS
minimizes the required prompting for many commands. Instead of
entering in an EXEC-level copy command and then having the
system prompt you for more information, you can enter a single
command on one line with all necessary information.

Cisco IOS Software IFS Commands

Commands

copy tftp running- copy tftp: system:running-

config config
copy tftp startup- copy tftp: nvram:startup-
config config

show startup-config more nvram:startup-config

erase startup-config erase nvram:

copy running-config copy system:running-config

startup-config nvram:startup-config

copy running-config copy system:running-config

tftp tftp:

show running-config more system:running-config

VIEWING THE CISCO IOS FILE SYSTEM

Router# show file Displays all the available file systems on

systems the device

Note
The Cisco IOS File System uses a URL convention to specify files on network devices and the network. Many of the
most commonly used URL prefixes are also available in the Cisco IOS File System.

COMMONLY USED URL PREFIXES FOR CISCO

NETWORK DEVICES
The URL prefix specifies the file system. The list of available file
systems differs by platform and operation. Refer to your product
documentation or use the show file systems command in
privileged EXEC mode to determine which prefixes are available on
your platform. File system prefixes are listed in Table 9-1.
TABLE 9-1 File System Prefixes

Prefix File System

bootflas Boot Flash memory

flash: Flash memory. Available on all platforms. An alias for the

flash: prefix is slot0

ftp: FTP and secure FTP network server

sftp:

http: HTTP server

https: HTTPS server

null: Null destination for copies

Note

You can copy a remote file to null to determine its size

nvram: NVRAM

rcp: Remote copy protocol network server

scp: Secure Copy

system: Contains system memory, including the current running

configuration
tar: For creating TAR files

tftp: TFTP network server

xmodem: Obtains the file from a network machine using the

Xmodem protocol

ymodem: Obtains the file from a network machine using the

Ymodem protocol

usbflash Universal Serial Bus (USB) flash

0:,

usbflash
1:,

usb0:,

usb1:

DECIPHERING IOS IMAGE FILENAMES

Although it looks long and complex, there is a reason that Cisco
names its IOS images the way that it does. It is important to
understand the meaning behind an IOS image name so that you can
correctly choose which file to work with.

There are different parts to the image filename, as shown in the

following example and described in the table:

isr4300-universalk9.16.09.04.SPA.bin

i Indicates the platform on which the image runs. In this case, it is a

s Cisco ISR 4300 series router
r
4
3
0
0

u Specifies the feature set. Universal on a 4300 would include IP Base,

n Security, Unified Communication, and Data feature sets. Each router
i is activated for IP Base; the others need software activation
v
e
r Note
s
k9 in an image name means that strong encryption, such as 3DES/AES, is included
a
l

1 Identifies the version number of the software. In this case, it is major

6 release 16, minor release 9, new feature release 4
.
0
9
.
0
4

S Indicates this software is digitally signed. There are two file

P extensions possible: SPA and SSA. The first character S stands for
A digitally signed software. The second character P in SPA means that
this release is meant for production. A second character S in SSA
means it is a special image and has limited use or special conditions.
The third character A indicates the key version used to digitally sign
the image

. Represents the file extension. .bin shows that this file is a binary
b executable file
i
n

Note
The Cisco IOS naming conventions, meanings, content, and other details are subject to change.
BACKING UP CONFIGURATIONS TO A TFTP
SERVER

Denver# copy running- Saves the running configuration

config startup-config from DRAM to NVRAM (locally)

Denver# copy running- Copies the running configuration

config tftp to the remote TFTP server

Address or name of remote The IP address of the TFTP server

host[ ]? 192.168.119.20

Destination Filename The name to use for the file saved

[Denver-confg]? on the TFTP server

!!!!!!!!!!!!!!! Each bang symbol (!) = 1 datagram

of data

624 bytes copied in 7.05

secs

Denver# File has been transferred

successfully

Note
You can also use the preceding sequence for a copy startup-config tftp command sequence.

RESTORING CONFIGURATIONS FROM A TFTP

SERVER

Denver# copy tftp running- Merges the configuration file from

config the TFTP server with the running-
config file in DRAM

Address or name of remote The IP address of the TFTP server

host[ ]?

192.168.119.20

Source filename [ ]? Enter the name of the file you

Denver-confg want to retrieve

Destination filename Pressing the Enter key will begin

the copy process
[running- config]?

Accessing
tftp://192.168.119.20/
Denver-confg...

Loading Denver-confg from

192.168.119.02 (via
GigabitEthernet 0/0):

!!!!!!!!!!!!!!

[OK-624 bytes]

624 bytes copied in 9.45

secs

Denver# File has been transferred

successfully

Note
You can also use the preceding sequence for a copy tftp startup-config command sequence.
Note
When copying a file into a configuration file, the no shutdown command does not carry over into the configuration
file. You must enable the interfaces with the no shutdown command.

BACKING UP THE CISCO IOS SOFTWARE TO A

TFTP SERVER

Denver# copy flash: tftp: Copies from flash to a remote

TFTP server

Source filename [ ]? Name of the Cisco IOS Software

isr4300- image
universalk9.16.09.04.SPA.bi
n

Address or name of remote Address of the TFTP server

host [ ]? 192.168.119.20

Destination filename The destination filename is the

[isr4300- same as the source filename, so
universalk9.16.09.04.SPA.bi
just press
n]?

!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!
!!!!!!!!

8906589 bytes copied in

263.68 seconds

Denver#
RESTORING/UPGRADING THE CISCO IOS
SOFTWARE FROM A TFTP SERVER

Denver# copy tftp: flash: Copies from a

remote TFTP
server to
flash

Address or name of remote host [ ]?

192.168.119.20

Source filename [ ]? isr4300-

universalk9.16.09.04.SPA.bin

Destination filename [isr4300-

universalk9.16.09.04.SPA.bin]?

Accessing tftp://192.168.119.20/ isr4300-

universalk9.16.09.04.SPA.bin

Erase flash: before copying? [confirm] If flash

memory is
full, erase it
first

Erasing the flash file system will remove

all files

Press Ctrl-C
Continue? [confirm]
if you want to
cancel

Erasing device Each e

eeeeeeeeeeeeeeeeee...erased represents
data being
erased

Loading isr4300-
universalk9.16.09.04.SPA.bin from
192.168.119.20

(via GigabitEthernet 0/0): Each bang

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! symbol (!) = 1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! datagram of
!!!!!!!!! data

Verifying Check sum .................. OK

[OK - 8906589 Bytes]

8906589 bytes copied in 277.45 secs

Denver# Success

RESTORING THE CISCO IOS SOFTWARE

USING THE ROM MONITOR ENVIRONMENTAL
VARIABLES AND TFTPDNLD COMMAND

rommon 1> Indicates the IP address for

IP_ADDRESS=192.168.100.1 this unit

rommon 2> Indicates the subnet mask

IP_SUBNET_MASK=255.255.255.0 for this unit

rommon 3> Indicates the default

DEFAULT_GATEWAY=192.168.100.1 gateway for this unit

rommon 4> Indicates the IP address of

TFTP_SERVER=192.168.100.2 the TFTP server

rommon 5> TFTP_FILE= c2900- Indicates the filename to

universalk9-mz.SPA. 152- fetch from the TFTP server
4.M1.bin

rommon 6> tftpdnld Starts the process

...<output cut>...

Do you wish to continue? y/n:

[n]:y

...<output cut>...

rommon 7> i Resets the router. The i

stands for initialize

Caution
Commands and environmental variables are case sensitive, so be sure that you do not accidentally add spaces
between variables and answers.

SECURE COPY PROTOCOL (SCP)

The Secure Copy Protocol (SCP) feature provides a secure and
authenticated method for copying device configurations or device
image files. SCP relies on Secure Shell (SSH). SCP allows a user with
appropriate authorization to copy any file that exists in the Cisco IOS
File System (IFS) to and from a device by using the copy command.

Note
Before enabling SCP, you must correctly configure SSH, authentication, and authorization on the device and replace
Telnet with SSH on the vty ports. See the section “Configuring SSH” earlier in this chapter for the commands needed
to configure SSH.

Note
Because SCP relies on SSH for its secure transport, the device must have a Rivest, Shamir, and Adelman (RSA) key
pair.

Configuring an SCP Server

Denver# configure Moves to global configuration mode

terminal

Denver(config)# Sets AAA authentication at login

aaa new-model

Denver(config)# Enables the AAA access control system. In

aaa authentication this example, authentication comes from a
login default local username
local

Denver(config)# Sets parameters that restrict user access to a

aaa authorization network. In this example, authorization
exec default local comes from a local database

Denver(config)# Creates a local username/password

username superuser combination. In this example, the username
privilege 15 is superuser, the privilege level is 15, and the
secret MD5 password is superpassword
superpassword

Denver(config)# ip Enables SCP server-side functionality

scp server enable

Verifying and Troubleshooting SCP

Denver# show Shows the current configuration in DRAM. The IP

running- SCP server is enabled and visible in the running
config config
Denver# debug Displays output related to SCP authentication
ip scp problems

Configuration Example: SCP

The following example shows the commands for using SCP to
transfer a Cisco IOS image from flash to a remote host that supports
SSH.

Note
Your router does not need to be set up as an SCP server for this transfer to work. You only need to have SSH
configured.

Denver# copy flash: scp: Initiates secure copy from

flash: to a remote host

Source filename []? isr4300- Enter the name of the file

universalk9.16.09.04.SPA.bin you want to transfer

Address or name of remote The IP address of the

host[]? remote host

192.168.119.20

Destination username [Denver]? The username needed for

superuser the connection

Destination filename [isr4300- Press Enter, as the

universalk9.16.09.04.SPA.bin]? filename is already
prompted

Writing isr4300- Connection is being

universalk9.16.09.04.SPA.bin created and verified

Password: Enter the password when

prompted

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Each bang symbol (!) = 1

!!!!! datagram of data
!!!!!!

Denver# File has been transferred

successfully

Note
As with any use of the copy command, you can enter some of the specific details into the command itself:
Click here to view code image

Denver# copy flash:isr4300-universalk9.16.09.04.SPA.bin

scp://superuser@192.168.119.20/

DISABLING UNNEEDED SERVICES

Services that are not being used on a router can represent a potential
security risk. If you do not need a specific service, you should disable
it.

Tip
If a service is off by default, disabling it does not appear in the running configuration.

Tip
Do not assume that a service is disabled by default; you should explicitly disable all unneeded services, even if you
think they are already disabled.

Tip
Depending on the Cisco IOS Software release, some services are on by default; some are off. Be sure to check the
IOS configuration guide for your specific software release to determine the default state of the service.

Table 9-2 lists the services that you should disable if you are not
using them.

TABLE 9-2 Disabling Unneeded Services

Service Commands Used to Disable
Service

DNS name resolution Edmonton(config)# no ip

domain-lookup

Edmonton(config)# no ip domain
lookup

Cisco Discovery Protocol Edmonton(config)# no cdp run

(CDP) (globally)

CDP (on a specific interface) Edmonton(config-if)# no cdp

enable

Network Time Protocol Edmonton(config-if)# ntp

(NTP) disable

BOOTP server Edmonton(config)# no ip bootp

server

DHCP Edmonton(config)# no service

dhcp

Proxy Address Resolution Edmonton(config-if)# no ip

Protocol (ARP) proxy-arp

IP source routing Edmonton(config)# no ip

source-route

IP redirects Edmonton(config-if)# no ip
redirects
HTTP service Edmonton(config)# no ip http
server

HTTPS service Edmonton(config)# no ip http

secure-server

USEFUL DEVICE MANAGEMENT OPTIONS

The following commands are useful options available when using
FTP and HTTP/HTTPS for device management.

Perth(config)# Specifies the source IP address for FTP

ip ftp source- connections
interface
loopback 1

Perth (config)# Specifies the username to be used for FTP

ip ftp username connections
admin

Perth (config)# Specifies the password to be used for FTP

ip ftp password connections
cisco

Perth (config)# Specifies the authentication method to be used

ip http for login when a client connects to the HTTP
authentication server. In this case, the local database is used for
local authentication

Perth (config)# Specifies that access list 10 should be used to

ip http access- allow access to the HTTP server
class 10

Perth (config)# Sets the base HTTP path for HTML files
ip http path
flash:/GUI

Router(config)# Sets the maximum number of allowed concurrent

ip http max- connections to the HTTP server. The default value
connections 10 is 5
Part IV: Infrastructure Security
Chapter 10
Infrastructure Security

This chapter provides information about the following

topics:

IPv4 access control lists (ACLs)

Configuring and applying standard IPv4 ACLs

Configuring and applying extended IPv4 ACLs

Configuring and applying time-based ACLs

Configuring and applying vty ACLs

IPv6 ACLs

Configuring and applying IPv6 ACLs

Verifying IPv4 and IPv6 ACLs

Implementing authentication methods

Simple local database authentication

AAA-based local database authentication

RADIUS authentication

Legacy configuration for RADIUS

servers

Modular configuration for RADIUS

servers

TACACS+ authentication

Legacy configuration for TACACS+

servers

Modular configuration for TACACS+

servers

Configuring authorization and accounting

Authorization

Accounting

Troubleshooting AAA

Control Plane Policing (CoPP)

Define ACLs to identify permitted CoPP traffic
flows

Define class maps for matched traffic

Define a policy map to police matched traffic

Assign a policy map to the control plane

Verifying CoPP

Unicast Reverse Path Forwarding (uRPF)

Configuring uRPF

Verifying and troubleshooting uRPF

Caution
Your hardware platform or software release might not support all the commands
documented in this chapter. Please refer to the Cisco website for specific platform and
software release notes.

IPV4 ACCESS CONTROL LISTS (ACLS)

When configuring IPv4 ACLs, many options are
available. You can configure either standard (numbered
or named) or extended (numbered or named) IPv4
ACLs, and you also can configure time-based or vty
ACLs. These options are all explored in the following
sections.
Configuring and Applying Standard IPv4 ACLs
It is possible to configure numbered or named standard
IPv4 ACLs. Standard IPv4 ACLs, whether numbered (1
to 99 and 1300 to 1999) or named, filter packets that are
based on a source address and mask, and they permit or
deny the entire TCP/IP protocol suite.

Numbered Standard IPv4 ACL

Router(config)# Permits traffic that matches the

access-list 1 source address 192.168.1.5
permit host
192.168.1.5

Router(config)# Permits traffic that matches

access-list 1 any source address that starts
permit with 192.168.2.x
192.168.2.0
0.0.0.255

Router(config)# Permits traffic that matches

access-list 1 any source address
permit any
Router(config)# Denies traffic that matches any
access-list 1 source address that starts with
deny 10.0.0.0 10.x.x.x
0.255.255.255

Router(config)# Removes the entire numbered

no access-list 1 ACL 1

Router(config)# Moves to interface

interface configuration mode
gigabitethernet
0/0/0

Router(config- Applies ACL 1 on the interface

if)# ip access- as an inbound filter
group 1 in

Router(config- Applies ACL 1 on the interface

if)# ip access- as an outbound filter
group 1 out

Named Standard IPv4 ACL

Router(config)# Creates a named standard ACL

ip access-list called MyFilter and moves to
standard MyFilter standard named ACL
configuration mode

Router(config- Denies traffic that matches the

std-nacl)# deny source address 172.16.50.12
host 172.16.50.12

Router(config- Permits traffic that matches

std-nacl)# permit any source address that starts
172.16.50.0 with 172.16.50.x
0.0.0.255

Router(config- Permits traffic that matches

std-nacl)# permit any source address
any

Router(config- Moves to interface

std-nacl)# configuration mode
interface
gigabitethernet
0/0/0

Router(config- Applies ACL MyFilter on the

if)# ip access- interface as an inbound filter
group MyFilter in
Router(config- Applies ACL MyFilter on the
if)# ip access- interface as an outbound filter
group MyFilter
out

Router(config)# From global configuration

no ip access-list mode, removes the entire
standard MyFilter named ACL MyFilter

CONFIGURING AND APPLYING

EXTENDED IPV4 ACLS
It is possible to configure numbered or named extended
IPv4 ACLs. Extended IPv4 ACLs, whether numbered
(100 to 199, or 2000 to 2699,) or named, provide a
greater range of control. In addition to verifying packet
source addresses, extended ACLs also check destination
addresses, protocols, and port numbers.

Numbered Extended IPv4 ACL

Router(config) Permits HTTP traffic that matches

# access-list any source that starts with
192.168.1.x to any destination
120 permit tcp
192.168.1.0
0.0.0.255 any
eq www

Router(config) Permits DNS traffic that matches

# access-list any source address that starts with
120 permit udp 192.168.1.x to any destination
192.168.1.0
0.0.0.255 any
eq domain

Router(config) Permits all IPv4 traffic that

# access-list matches any source address to any
120 permit ip destination address
any any

Router(config) Denies FTP traffic that matches any

# access-list source address and is destined to
120 deny tcp address 209.165.201.1
any host
209.165.201.1
eq ftp

Router(config) Permits HTTPS replies from any

source to any destination in the
# access-list 10.0.0.0/24 network. The
120 permit tcp established keyword option can
any eq 443 be used with the TCP protocol only.
10.0.0.0 It indicates an established
0.0.0.255 connection

established

Router(config) Removes the entire numbered ACL

# no access- 120
list 120

Router(config) Moves to interface configuration

# interface mode
gigabitetherne
t 0/0/0

Router(config- Applies ACL 120 on the interface as

if)# ip an inbound filter
access-group
120 in

Router(config- Applies ACL 120 on the interface as

if)# ip an outbound filter
access-group
120 out
Named Extended IPv4 ACL

Router(config) Creates a named extended ACL

# ip access- called MyExtFilter and moves to
list extended extended named ACL configuration
MyExtFilter mode

Router(config- Permits all IPv4 traffic that

ext-nacl)# matches any address in the
permit ip 192.168.1.0/24 network to any
192.168.1.0 destination
0.0.0.255 any

Router(config- Permits SSH traffic that matches

ext-nacl)# any source address to any
permit tcp any destination
any eq 22

Router(config- Permits SNMP traffic that matches

ext-nacl)# any source address destined to
permit udp any 172.16.100.100
host
172.16.100.100
eq snmp
Router(config- Moves to interface configuration
ext-nacl)# mode
interface
gigabitetherne
t 0/0/0

Router(config- Applies ACL MyExtFilter on the

if)# ip interface as an inbound filter
access-group
MyExtFilter in

Router(config- Applies ACL MyExtFilter on the

if)# ip interface as an outbound filter
access-group
MyFilter out

Router(config) From global configuration mode,

# no ip removes the entire named ACL
access-list MyExtFilter
extended
MyExtFilter

Note
You may add the log keyword at the end of any standard or extended access list entry.
Doing so causes an informational logging message about the packet matching the entry to
be sent to the console.

Configuring and Applying Time-based ACLs

A time-based ACL permits or denies traffic based on a
configurable time range. Therefore, access can be
restricted selectively at different times, without any
systems administrator action. Unlike most ACLs, which
are always active, time-based ACLs allow the
specification of periodic time ranges to enable or disable
specific packet flows.

Router(config)# Defines a time range called

time-range LUNCHACCESS
LUNCHACCESS

Router(config-time- Defines a recurring period

range)# periodic of time from 12:00 to 13:00
weekdays 12:00 Monday to Friday
to 13:00 (weekdays)

Note

Other periodic keywords

available include daily,
weekends, Monday, Tuesday,
Wednesday, Thursday, Friday,
Saturday, and Sunday
Router(config-time- Defines a recurring 48-
range)# periodic hour period of time from
Saturday 0:00 to midnight Saturday to 23:59
Sunday 23:59 Sunday (weekend)

Note

It is also possible to use the

following with the same result:
periodic weekend 0:00 to
23:59

Router(config-time- Exits time-range

range)# exit configuration mode

Router(config)# ip Creates a named extended

access-list extended IPv4 access list called
MyTimeACL MyTimeACL

Router(config-ext- Permits HTTP traffic from

nacl)# permit tcp any source to any
any any eq 80 time- destination according to
range LUNCHACCESS the predefined time ranges
Note

Outside the defined time ranges,

this access list entry is ignored
by the router when processing
packets

Router(config-ext- Denies HTTP traffic from

nacl)# deny tcp any any source to any
any eq 80 destination

Router(config-ext- Permits all IP traffic from

nacl)# permit ip any any source to any
any destination

Router(config-ext- Exits named ACL

nacl)# exit configuration mode

Router(config)# Enters interface

interface configuration mode
gigabitethernet
0/0/0

Router(config-if)# Applies the time-based

ACL outbound on the
ip access-group GigabitEthernet 0/0/0
MyTimedACL out interface

Note
The time period is based on the router’s clock. Either manually set the correct time on the
router or use a centralized NTP server to synchronize the router’s clock to the correct time
and date.

Configuring and Applying VTY ACLs

To control traffic into and out of the router (not through
the router), you must protect the router virtual ports. A
virtual port is called a vty. By default, the traditional
virtual terminal lines are numbered vty 0 through vty 4.
Note that some Cisco devices can even support up to 98
vty lines (0 to 97). The examples that follow will use the
range from 0 to 4.

Restricting vty access is primarily a technique for

increasing network security and defining which
addresses are allowed remote terminal access to the
router EXEC process.

Filtering Telnet or SSH traffic is typically considered an

extended IP ACL function because it filters a higher-
level protocol. Because you are filtering incoming or
outgoing Telnet or SSH sessions by source addresses
and applying the filter using the access-class
command to the vty lines, you can use standard IP ACL
statements to control vty access.

Router(config)# Permits any traffic with a

access-list 10 source address of
permit 172.16.100.0 172.16.100.x
0.0.0.255

Router(config)# Enters vty line configuration

line vty 0 4 mode

Router(config- Applies the standard ACL

line)# access-class number 10 to traffic entering
10 in (in) any of the five vty lines

Note

Notice that identical restrictions

have been set on every vty line (0
to 4) because you cannot control
on which vty line a user will
connect
Note

The implicit deny any statement

still applies to the ACL when it is
used as an access class entry

IPV6 ACLS
In contrast to IPv4 ACLs, all IPv6 ACLs are named and
extended. Some commands are slightly different, but all
the basic concepts remain the same. Note that instead of
a wildcard mask, IPv6 access list entries use the prefix
length. Also, the implicit deny ipv6 any any at the end
of the ACL has changed to permit critical ICMPv6
Neighbor Discovery (ND) messages. IPv6 ACLs can
filter packets based on source and destination address,
as well as port and protocol information. Also note that
you can use IPv6 ACLs for time-based or vty ACL
filtering.

Configuring and Applying IPv6 ACLs

Router(config)# Creates an IPv6 ACL called

ipv6 access- v6Filter and enters IPv6 ACL
list v6Filter configuration mode
Router(config- Permits HTTP traffic to return to
ipv6-acl)# the 2001:db8:10:1::/64 network
permit tcp any from any source if that traffic was
eq www originally sourced from the
2001:db8:10:1:: 2001:db8:10:1::/64 network
/64 established

Router(config- Permits HTTPS traffic to return

ipv6-acl)# to the 2001:db8:10:1::/64
permit tcp any network from any source if that
eq 443 traffic was originally sourced
2001:db8:10:1:: from the 2001:db8:10:1::/64

/64 established network

Router(config- Permits DNS responses from any

ipv6-acl)# source to any destination
permit udp any
eq domain any

Router(config- Permits ICMP ping responses

ipv6-acl)# from any source to any
permit icmp any destination
any
echo-reply
Router(config- Inserts a new ACL entry at line 5
ipv6-acl)# that denies all IPv6 traffic from
sequence 5 deny device 2001:db8:10:1::100 to any
ipv6 host destination
2001:db8:10:1::
100 any

Router(config- Returns to global configuration

ipv6-acl)# exit mode

Router(config)# Enters GigabitEthernet 0/0/0

interface interface configuration mode
gigabitethernet
0/0/0

Router(config- Applies the IPv6 access list

if)# ipv6 named v6Filter to the interface in
traffic-filter the inbound direction
v6Filter in

Router(config)# From global configuration mode,

no ipv6 access- removes the entire named ACL
list v6Filter v6Filter
Note
The implicit deny ipv6 any any rule has changed for IPv6 access lists to consider the
importance of the Neighbor Discovery protocol. ND is to IPv6 what Address Resolution
Protocol (ARP) is to IPv4, so naturally the protocol should not be disrupted. That is the
reason two additional implicit statements have been added before the implicit deny ipv6 any
any statement at the end of each IPv6 ACL.

These three new implicit rules are as follows:

permit icmp any any nd-na

permit icmp any any nd-ns
deny ipv6 any any

It is important to understand that any explicit deny

ipv6 any any statement overrides all three implicit
statements, which can lead to problems because ND
traffic is blocked.

Verifying IPv4 and IPv6 ACLs

Router# show ip Displays any IPv4 ACL applied

interface inbound or outbound to an
interface-type interface
interface-number

Router# show ipv6 Displays any IPv6 ACL applied

interface inbound or outbound to an
interface-type interface
interface-number
Router# show Displays the contents of all
access-lists ACLs on the router, including
any matches and sequence
numbers

Router# show ip Displays the contents of all

access-lists IPv4 ACLs on the router,
including any matches and
sequence numbers

Router# show ipv6 Displays the contents of all

access-lists IPv6 ACLs on the router,
including any matches and
sequence numbers

Router# show Displays the contents of ACL 1

access-lists 1 only

Tip
Sequence numbers are used to allow for easier editing of your ACLs. Each entry in an ACL
is automatically given a number, unless you specify one during configuration. Numbers start
at 10 and increment by 10 for each line. This allows for simple editing of ACLs. You can add
or remove an entry by referencing its line number. This applies to standard (numbered or
named) and extended (numbered or named) IPv4 ACLs, as well as to IPv6 ACLs.
IMPLEMENTING AUTHENTICATION
METHODS
Authentication, authorization, and accounting (AAA) is
a standards-based framework that you can implement
to control who is permitted to access a network
(authenticate), what they can do while they are there
(authorize), and audit what actions they performed
while accessing the network (accounting). AAA can be
deployed in two models: local database authentication
and sever-based authentication. Server-based
authentication utilizes either RADIUS or TACACS+
protocols and offers a more scalable approach to
network authentication.

Simple Local Database Authentication

Router(config) Creates an entry in the local

# username database with a message digest 5
ADMIN secret (MD5) authentication encrypted
cisco123 password

Router(config) Enters line console configuration

# line console mode
0
Router(config- Enables username and password
line)# login checking from the local database
local when a user attempts to log into the
router

Note
The preceding example demonstrates the use of a locally defined username database
without enabling AAA.

AAA-based Local Database Authentication

Router(confi Creates an entry in the local database

g)# username with a privilege level of 15 and a
ADMIN message digest 5 (MD5)
privilege 15 authentication encrypted password
secret
cisco123

Router(confi Enables AAA access control mode

g)# aaa new-
model

Router(confi Defines the default authentication

g)# aaa method list to authenticate to the
authenticati case-sensitive local database first. If
on login there are no entries, it should use the
default enable password second
local-case
enable

Router(confi Defines the authentication method list

g)# aaa VTY-Lines to authenticate to the local
authenticati database first. If there are no entries,
on login it should use the line configured
VTY-Lines password
local line

Router(confi Enters the vty line configuration mode

g)# line vty
0 4

Router(confi Specifies the AAA service to use the

g-line)# authentication method list VTY-Lines
login when a user logs in via the vty lines
authenticati
on VTY-Lines

Router(confi Returns to global configuration mode

g-line)#
exit

Router(confi Enters Console 0 configuration mode

g)# line
console 0

Router(confi Specifies the AAA service to use the

g-line)# default method list when a user logs in
login via the console. This command is
authenticati optional because the default list would
on default automatically apply to the line

Note
A method list describes the sequence and authentication methods to be queried to
authenticate a user. The software uses the first method listed to authenticate users; if that
method fails to respond, the software selects the next authentication method in the method
list. This process continues until there is successful communication with a listed
authentication method or until all defined methods are exhausted. If authentication fails at
any point in this cycle, the authentication process stops, and no other authentication
methods are attempted.

RADIUS Authentication
RADIUS is a fully open standard protocol (RFCs 2865
and 2866). According to the RFCs, RADIUS uses UDP
port 1812 for the authentication and authorization, and
port 1813 for accounting. However, Cisco
implementations default to UDP ports 1645 and 1646
(authentication and accounting, respectively).

Legacy Configuration for RADIUS Servers

The traditional approach to configure a RADIUS server
on a Cisco IOS device would be with the radius-server
global configuration command.

Router(config) Creates user with username admin

# username and encrypted password cisco
admin secret
cisco

Router(config) Enables AAA access control mode

# aaa new-
model

Router(config) Specifies a RADIUS server at

# radius- 192.168.55.12 with S3CR3TKEY as
server host the authentication key using UDP
192.168.55.12 port 1812 for authentication
auth-port 1812 requests and UDP port 1813 for
acct-port accounting requests

1813 key
S3CR3TKEY
Router(config) Sets login authentication for the
# aaa default method list to authenticate
authentication to the RADIUS server first, locally
login default defined users second, and use the
group radius line password as the last resort
local line

Router(config) Specifies the authentication method

# aaa list NO_AUTH to require no
authentication authentication
login
NO_AUTH none

Router(config) Moves to vty line configuration

# line vty 0 4 mode

Router(config- Specifies the AAA service to use the

line)# login default method list when a user logs
authentication in via vty
default

Router(config- Specifies a vty line password on

line)# lines 0 through 4
password
S3cr3Tw0Rd
Router(config- Moves to console 0 configuration
line)# line mode
console 0

Router(config- Specifies the AAA service to use the

line)# login authentication method list
authentication NO_AUTH when a user logs in via
NO_AUTH the console port

Note

If authentication is not specifically set for a line,

the default is to deny access and no
authentication is performed

Modular Configuration for RADIUS Servers

The legacy configuration method outlined in the
previous section will soon be deprecated. The new
approach brings modularity and consistency when
configuring RADIUS in both IPv4 and IPv6
environments. The new method is configured in three
steps: (1) set the RADIUS server parameters, (2) define
the RADIUS server group, and (3) define the AAA
commands that use RADIUS.

Router(config Enables AAA access control mode

)# aaa new-
model

Router(config Specifies the name RADSRV for the

)# radius RADIUS server configuration and
server RADSRV enters RADIUS server configuration
mode

Router(config Configures the IPv4 address for the

-radius- RADIUS server, as well as the
server)# accounting and authentication
address ipv4 parameters
192.168.100.1
00 auth-port
1812 acct-
port 1813

Router(config Defines the shared secret key

-radius- configured on the RADIUS server.
server)# key Depending on the Cisco IOS
C1sc0
software release, this command
might trigger a warning message:

WARNING: Command has been

added to the configuration
using a type 0 password.
However, type 0 passwords
will soon be deprecated.
Migrate to a supported
password type.

See the Note following this table for

an explanation

Router(config Returns to global configuration

-radius- mode
server)# exit

Router(config Forces RADIUS to use the IP address

)# ip radius of a specified interface for all
source- outgoing RADIUS packets
interface
gigabitethern
et 0/0/0

Router(config Defines a RADIUS server group

)# aaa group called RADSRVGRP
server radius
RADSRVGRP

Router(config Adds the RADIUS server RADSRV to

-sg-radius)# the RADSRVGRP group
server name
RADSRV

Router(config Returns to global configuration

-sg-radius)# mode
exit

Router(config Configures login authentication

)# aaa using a method list called
authenticatio RAD_LIST, which uses
n login RADSRVGRP as the primary
RAD_LIST authentication option and local user
group database as a backup

RADSRVGRP
local

Router(config Moves to vty line configuration

)# line vty 0 mode
4
Router(config Applies the RAD_LIST method list
)# to the vty lines
authenticatio
n RAD_LIST

Note
The warning message produced by the router appears after you enter a cleartext RADIUS or
TACACS server key. This message says that at some point in the future Cisco IOS will no
longer store plaintext passwords in either the running-config or startup-config. Instead, it will
store only hashed passwords (MD5/SHA/scrypt) and securely encrypted passwords (AES).
This requires either that the password is already hashed/encrypted at the time you enter it at
the CLI or that the router is configured with strong password encryption so that after you
enter the password in plaintext, IOS is immediately able to encrypt and store it in the
configuration in the encrypted form. Although IOS will still accept plaintext passwords
entered at the CLI, it will not store them as plaintext in the configuration. To enable strong
password encryption using AES, you need to enter two commands. The first, key config-
key password-encryption [master key], allows you to configure a master key that will be
used to encrypt all other keys in the router configuration. The master key is not stored in the
router configuration and cannot be seen or obtained in any way while connected to the
router. The second command, password encryption aes, triggers the actual password
encryption process.

For more on this security feature, see “Encrypt Pre-

shared Keys in Cisco IOS Router Configuration
Example” at
https://www.cisco.com/c/en/us/support/docs/security
-vpn/ipsec-negotiation-ike-protocols/46420-pre-sh-
keys-ios-rtr-cfg.html.

TACACS+ Authentication
TACACS+ is a Cisco proprietary protocol that is not
compatible with the older versions such as TACACS or
XTACACS, which are now deprecated. TACACS+ allows
for greater modularity, by total separation of all three
AAA functions. TACACS+ uses TCP port 49, and thus
reliability is ensured by the transport protocol itself.
Entire TACACS+ packets are encrypted, so
communication between Network Access Server (NAS)
and the TACACS+ server is completely secure.

Legacy Configuration for TACACS+ Servers

The traditional approach to configure a TACACS+
server on a Cisco IOS device would be with the tacacs-
server global configuration command.

Router(confi Creates user with username admin

g)# username and encrypted password cisco
admin secret
cisco

Router(confi Enables AAA access control mode

g)# aaa new-
model

Router(confi Specifies a TACACS+ server at

g)# tacacs- 192.168.55.13 with an encryption key
server host of C1sc0. The single-connection
192.168.55.1 keyword maintains a single open TCP
3 connection between the switch and
single- the server
connection
key C1sc0

Router(confi Sets login authentication for the

g)# aaa TACSRV method list to authenticate
authenticati to the TACACS+ server first, and the
on login locally defined username and
TACSRV group password second
tacacs+
local

Router(confi Moves to console 0 configuration

g)# line mode
console 0

Router(confi Specifies the AAA service to use the

g-line)# TACSRV authentication method list
login when users connect to the console
authenticati port
on TACSRV
Modular Configuration for TACACS+ Servers
Similar to the RADIUS modular configuration shown in
the previous section, it is possible to use a modular
approach when configuring TACACS+. The same three
steps apply (define TACACS+ server parameters, define
TACACS+ server group, and define AAA commands).

Router(config Enables AAA access control mode

)# aaa new-
model

Router(config Specifies the name TACSRV for the

)# tacacs TACACS+ server configuration and
server TACSRV enters TACACS+ server
configuration mode

Router(config Configures the IPv4 address for the

-server- TACACS+ server
tacacs)#
address ipv4
192.168.100.2
00
Router(config Defines the shared secret key that is
-server- configured on the TACACS+ server
tacacs)# key
C1sc0

Router(config Enables all TACACS+ packets to be

-server- sent to the same server using a single
tacacs)# TCP connection
single-
connection

Router(config Returns to global configuration mode

-server-
tacacs)# exit

Router(config Defines a TACACS+ server group

)# aaa group called TACSRVGRP
server
tacacs+
TACSRVGRP

Router(config Adds the TACACS+ server TACSRV

-sg-tacacs+)# to the TACSRVGRP group
server name
TACSRV
Router(config Returns to global configuration mode
-sg-tacacs+)#
exit

Router(config Configures login authentication

)# aaa using a method list called TAC_LIST,
authenticatio which uses TACSRVGRP as the
n login primary authentication option and
TAC_LIST the local user database as a backup
group
TACSRVGRP
local

Router(config Moves to vty line configuration mode

)# line vty 0
4

Router(config Applies the TAC_LIST method list to

-line)# login the vty lines
authenticatio
n TAC_LIST

Configuring Authorization and Accounting

After AAA has been enabled on a Cisco IOS device and
AAA authentication has been configured, you can
optionally configure AAA authorization and AAA
accounting.

Authorization
Configuring authorization is a two-step process. First
define a method list, and then apply it to a
corresponding interface or line.

Router(config)# Defines the default EXEC

aaa authorization method list, which
authorization uses the RADIUS servers first,
exec default the TACACS+ servers second,
group radius and the local user database as
group tacacs+ backup

local

Router(config- Moves to vty line configuration

line)# line vty mode
0 4

Router(config- Applies the default authorization

if)# list to the vty lines
authorization
exec default

Accounting
Configuring accounting is also a two-step process. First
define a method list, and then apply it to a
corresponding interface or line.

Router(confi Defines the default EXEC accounting

g)# aaa method list to send to the RADIUS
accounting server, a start accounting notice at the
exec default beginning of the requested event, and
start-stop a stop accounting notice at the end of
group radius the event

Router(confi Moves to vty line configuration mode

g)# line vty
0 4

Router(confi Applies the default accounting list to

g-line)# the vty lines
accounting
exec default
Troubleshooting AAA

Router# debug aaa Enables debugging of the AAA

authentication authentication process

Router# debug aaa Enables debugging of the AAA

authorization authorization process

Router# debug aaa Enables debugging of the AAA

accounting accounting process

CONTROL PLANE POLICING (COPP)

To prevent a Cisco device from denial of service (DoS)
attacks to the control plane, Cisco IOS employs Control
Plane Policing (CoPP). CoPP increases security on the
device by protecting the system from unnecessary or
DoS traffic and gives priority to important control-plane
and management traffic. CoPP uses a dedicated control-
plane configuration through Cisco Modular QoS CLI
(MQC) to provide filtering and rate-limiting capabilities
for control-plane packets. Configuring CoPP is a four-
step process:

1. Define ACLs to identify permitted CoPP traffic flows

2. Define class maps for matched traffic

3. Define a policy map to police matched traffic

4. Assign a policy map to the control plane

In the CoPP configuration example that follows, routing

protocols (OSPF, EIGRP, BGP), management traffic
(Telnet, SSH, SNMP), and ICMP traffic destined to the
router’s control plane are policed.

Step 1: Define ACLs to Identify Permitted CoPP

Traffic Flows

Router(config)# ip Creates an extended

access-list extended ACL called copp-
copp-routing-acl routing-acl

Router(config-ext-nacl)# Permits OSPF traffic

permit ospf any host for CoPP inspection
224.0.0.5

Router(config-ext-nacl)# Permits OSPF traffic

for CoPP inspection
permit ospf any host
224.0.0.6

Router(config-ext-nacl)# Permits EIGRP traffic

permit eigrp any host for CoPP inspection
224.0.0.10

Router(config-ext-nacl)# Permits BGP traffic

permit tcp any any eq for CoPP inspection
bgp

Router(config-ext-nacl)# Permits BGP traffic

permit tcp any eq bgp for CoPP inspection
any

Router(config-ext-nacl)# Exits named ACL

exit configuration mode

Router(config)# ip Creates an extended

access-list extended ACL called copp-
copp-management-acl management-acl

Router(config-ext-nacl)# Permits Telnet traffic

permit tcp any any eq for CoPP inspection
telnet
Router(config-ext-nacl)# Permits SSH traffic
permit tcp any any eq 22 for CoPP inspection

Router(config-ext-nacl)# Permits SNMP traffic

permit udp any any eq for CoPP inspection
snmp

Router(config-ext-nacl)# Exits named ACL

exit configuration mode

Router(config)# ip Creates an extended

access-list extended ACL called copp-
copp-icmp-acl icmp-acl

Router(config-ext-nacl)# Permits ICMP echo

permit icmp any any echo request traffic for
CoPP inspection

Router(config-ext-nacl)# Permits ICMP echo

permit icmp any any reply traffic for CoPP
echo-reply inspection

Step 2: Define Class Maps for Matched Traffic

Router(config)# class- Creates a class map
map match-all copp- called copp-routing-
routing-map map

Router(config-cmap)# Assigns the CoPP

match access-group routing ACL to the CoPP
name copp-routing-acl routing class map

Router(config-cmap)# Creates a class map

class-map match-all called copp-
copp-management-map management-map

Router(config-cmap)# Assigns the CoPP

match access-group management ACL to the
name copp-management- CoPP management class
acl map

Router(config-cmap)# Creates a class map

class-map match-all called copp-icmp-map
copp-icmp-map

Router(config-cmap)# Assigns the CoPP ICMP

match access-group ACL to the CoPP ICMP
name copp-icmp-acl class map
Step 3: Define a Policy Map to Police Matched
Traffic

Router(config)# Creates a CoPP policy called

policy-map copp- copp-policy
policy

Router(config- Assigns the CoPP routing

pmap)# class copp- class map to the policy map
routing-map

Router(config-pmap- Polices up to 1 Mbps any

c)# police 1000000 routing protocol traffic sent
conform-action to the control plane. Packets
transmit exceed- exceeding 1 Mbps are
action drop dropped

Router(config-pmap- Assigns the CoPP

c-police)# class management class map to
copp-management-map the policy map

Router(config-pmap- Polices up to 100 Kbps any

c)# police 100000 management traffic sent to
conform-action the control plane. Packets
transmit exceed- exceeding 100 Kbps are
action drop dropped

Router(config-pmap- Assigns the CoPP ICMP

c-police)# class class map to the policy map
copp-icmp-map

Router(config-pmap- Polices up to 50 Kbps any

c)# police 50000 ICMP traffic sent to the
conform-action control plane. Packets
transmit exceed- exceeding 50 Kbps are
action drop dropped

Router(config-pmap- Assigns the CoPP default

c-police)# class class map to the policy map
class-default

Router(config-pmap- Polices up to 8 Kbps any

c)# police 8000 ICMP traffic sent to the
conform-action control plane. Packets
transmit exceed- exceeding 8 Kbps are
action drop dropped
Note
When more than one class of traffic is defined within a policy map, the order of classes is
important, as traffic is compared against successive classes, top-down, until a match is
recorded. Once a packet has matched a class, no further comparisons are made. If no
match is found after processing all classes, packets automatically match the always-defined
class, class-default. The class class-default is special in MQC because it is always
automatically placed at the end of every policy map. Match criteria cannot be configured for
class-default because it automatically includes an implied match for all packets. Only a
traffic policy can be configured for class-default.

Step 4: Assign a Policy Map to the Control Plane

Router(config Enters control-plane configuration

)# control- mode
plane

Router(config Assigns the CoPP policy map to the

-cp)# input interface of the router’s control
service- plane
policy input
copp-policy

Verifying CoPP

Router# Displays all configured ACLs

show
access-
lists

Router# Displays all configured class maps

show
class-
map

Router# Displays all configured policy maps

show
policy-
map

Router# Displays the dynamic information about the

show actual policy applied, including rate
policy- information and the number of bytes (and
map packets) that conformed to or exceeded the
control configured policies
-plane

UNICAST REVERSE PATH

FORWARDING (URPF)
Network administrators can deploy Unicast Reverse
Path Forwarding (uRPF) as an antispoofing mechanism
to help limit malicious traffic on an enterprise network.
This security feature works by enabling a router to verify
the reachability of the source address in packets being
forwarded. This capability can limit the appearance of
spoofed addresses on a network. If the source IP
address is not valid, the packet is discarded. uRPF
works in one of two modes: strict mode or loose mode.
When administrators use uRPF in strict mode, the
packet must be received on the interface that the router
would use to forward the return packet. When
administrators use uRPF in loose mode, the source
address must appear in the routing table.

Configuring uRPF

Router(config)# Moves to interface

interface configuration mode
gigabitethernet 0/0/0

Router(config-if)# ip Enables uRPF strict

verify unicast source mode
reachable-via rx

Router(config-if)# ip Enables uRPF loose

verify unicast source mode
reachable-via any

Router(config-if)# ip Enables uRPF strict

verify unicast source mode with ACL applied
reachable-via rx 120 to bypass the drop
function

Router(config-if)# ip Enables uRPF strict

verify unicast source mode with permission to
reachable-via rx use a default route for
allow-default the uRPF check

Note

It is possible to add the

allow-self-ping option, but
this is not recommended by
Cisco. It could lead to a DoS
condition on the router

Verifying and Troubleshooting uRPF

Router# debug ip Displays information about

cef drops rpf dropped packets caused by uRPF
Router# show ip Displays information about uRPF
traffic drops

Router# show cef Shows if uRPF is configured on

interface an interface
Part V: Network Assurance
Chapter 11
Network Assurance

This chapter provides information and commands

concerning the following topics:

Internet Control Message Protocol redirect messages

The ping command

Examples of using the ping and the extended ping

commands

The traceroute command

The debug command

Conditionally triggered debugs

Configuring secure SNMP

Securing SNMPv1 or SNMPv2

Securing SNMPv3

Verifying SNMP
Implementing logging

Configuring syslog

Syslog message format

Syslog severity levels

Syslog message example

Configuring NetFlow

Configuring Flexible NetFlow

Verifying NetFlow

Implementing port mirroring

Default SPAN and RSPAN configuration

Configuring local SPAN

Local SPAN guidelines for configuration

Configuration example: Local SPAN

Configuring remote SPAN

Remote SPAN guidelines for configuration

Configuration example: Remote SPAN

Configuring Encapsulated RSPAN (ERSPAN)

Verifying and troubleshooting local and remote

SPAN
Configuring Network Time Protocol

NTP configuration

NTP design

Securing NTP

Verifying and troubleshooting NTP

Setting the clock on a router

Using time stamps

Configuration example: NTP

Tool Command Language (Tcl)

Embedded Event Manager (EEM)

EEM configuration examples

EEM and Tcl scripts

Verifying EEM

INTERNET CONTROL MESSAGE

PROTOCOL REDIRECT MESSAGES
Internet Control Message Protocol (ICMP) is used to
communicate to the original source the errors
encountered while routing packets and to exercise
control on the traffic. Routers use ICMP redirect
messages to notify the hosts on the data link that a
better route is available for a particular destination.

Router(config-if)# Disables ICMP redirects from

no ip redirects this specific interface

Router(config-if)# Reenables ICMP redirects

ip redirects from this specific interface

THE PING COMMAND

Router# ping Checks for Layer 3 connectivity with

w.x.y.z the device at IPv4 address w.x.y.z

Router# ping Checks for Layer 3 connectivity with

aaaa:aaaa: the device at IPv6 address
aaaa:aaaa:aaa aaaa:aaaa:aaaa:aaaa:aaaa:aaaa:
a:aaaa: aaaa:aaaa
aaaa:aaaa

Router# ping Checks for Layer 3 connectivity with

172.16.20.1 the device at IPv4 address
source 172.16.20.1 with the packets
loopback 1 originating from source interface
loopback 1

Router# ping Checks for Layer 3 connectivity with

2001::1 the device at IPv6 address 2001::1
source with the packets originating from
loopback 1 source interface loopback 1

Router# ping Enters extended ping mode, which

provides more options

Table 11-1 describes the possible ping output

characters.

TABLE 11-1 ping Output Characters

Cha Description
ract
er

! Each exclamation point indicates receipt of a reply

. Each period indicates that the network server

timed out while waiting for a reply

? Unknown error

@ Unreachable for unknown reason

A Administratively unreachable. Usually means that

an access control list (ACL) is blocking traffic

B Packet too big

H Host unreachable

N Network unreachable (beyond scope)

P Port unreachable

R Parameter problem

T Time exceeded

U No route to host
EXAMPLES OF USING THE PING AND
THE EXTENDED PING COMMANDS

Router# ping 172.16.20.1 Performs a basic

Layer 3 test to IPv4
address 172.16.20.1

Router# ping paris Same as above but

through the IP host
name

Router# ping Checks for Layer 3

2001:db8:d1a5:c900::2 connectivity with the
device at IPv6
address
2001:db8:d1a5:c900
::2

Router# ping Enters extended ping

mode; can now
change parameters
of ping test

Protocol [ip]: Press

to use ping for IP

Target IP address: Enter the target IP

172.16.20.1 address

Repeat count [5]: 100 Enter the number of

echo requests you
want to send. The
default is 5

Datagram size [100]: Enter the size of

datagrams being
sent. The default is
100

Timeout in seconds [2]: Enter the timeout

delay between
sending echo
requests

Extended commands [n]: Allows you to

yes configure extended
commands
Source address or Allows you to
interface: 10.0.10.1 explicitly set where
the pings are
originating from. An
interface name may
also be used here

Type of Service [0] Allows you to set the

TOS field in the IP
header

Set DF bit in IP header Allows you to set the

[no] DF bit in the IP
header

Validate reply data? [no] Allows you to set

whether you want
validation

Data Pattern [0xABCD] Allows you to change

the data pattern in
the data field of the
ICMP echo request
packet

Loose, Strict, Record, Offers IP header

options. This prompt
Timestamp, Verbose[none]: offers more than one
of the following
options to be
selected:

Verbose is
automatically
selected along with
any other option

Record is a very
useful option
because it displays
the address(es) of
the hops (up to nine)
the packet goes
through

Loose allows you to

influence the path by
specifying the
address(es) of the
hop(s) you want the
packet to go through

Strict is used to
specify the hop(s)
that you want the
packet to go through,
but no other hop(s)
are allowed to be
visited

Timestamp is used
to measure
roundtrip time to
particular hosts

Sweep range of sizes Allows you to vary

[no]: the sizes of the echo
packets that are sent

Type escape sequence to

abort
Sending 100, 100-byte ICMP
Echos to 172.16.20.1,
timeout is 2 seconds:
Packet sent with a source
address of 10.0.10.1

!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!
Success rate is 100 percent
(100/100) round-trip min/
avg/max = 1/1/4 ms

Tip
If you want to interrupt the ping operation, use the Ctrl-Shift-6 keystroke combination. This
ends the operation and returns you to the prompt.

THE TRACEROUTE COMMAND

The traceroute command (or tracert in Microsoft
Windows) is a utility that allows observation of the path
between two hosts.

Router# Discovers the route taken to

traceroute travel to the IPv4 destination of
172.16.20.1 172.16.20.1

Router# Shows command with IP host

traceroute name rather than IP address
paris

Router# Discovers the route taken to

travel to the IPv6 destination of
traceroute 2001:db8:d1a5:c900::2
2001:db8:d1a5:c
900::2

Router# trace Shows common shortcut spelling

172.16.20.1 of the traceroute command

Note
In Microsoft Windows operating systems, the command to allow observation between two
hosts is tracert:
Click here to view code image

C:\Windows\system32>tracert 172.16.20.1
C:\Windows\system32>tracert
2001:db8:c:18:2::1

THE DEBUG COMMAND

The output from debug privileged EXEC commands
provides diagnostic information that includes a variety
of internetworking events related to protocol status and
network activity in general.

Caution
Using the debug command may severely affect router performance and might even cause
the router to reboot. Always exercise caution when using the debug command, and do not
leave it on. Use debug long enough to gather needed information, and then disable
debugging with the undebug all or no debug all command.
Tip
Send your debug output to a syslog server to ensure that you have a copy of it in case your
router is overloaded and needs to reboot. Use the no logging console command to turn off
logging to the console if you have configured a syslog server to receive debug output.

Route Turns on all possible debugging

r#
debug
all Caution

This is just an example. Do not use this command in a production

network

Route Turns off all possible debugging

r# u
all

(shor
t
form
of
undeb
ug
all)
Route Lists what debug commands are on
r#
show
debug

Route Turns on IPv4 packet debugging that matches

r# the criteria defined in ACL 10
debug
ip
packe Note

t 10
The debug ip packet command helps you to better understand the
IP packet forwarding process, but this command only produces
information on packets that are process-switched by the router.
Packets generated by a router or destined for a router are process-
switched and are therefore displayed with the debug ip packet
command

Route Displays debug output through a Telnet/SSH (a

r# vty line connection) session (default is to only
termi send output on the console screen)
nal
monit
or
CONDITIONALLY TRIGGERED
DEBUGS
When the Conditionally Triggered Debugging feature is
enabled, the router generates debugging messages for
packets entering or leaving the router on a specified
interface; the router does not generate debugging
output for packets entering or leaving through a
different interface.

Use the debug condition command to restrict the

debug output for some commands.

If any debug condition commands are enabled,

output is generated only for interfaces associated with
the specified keyword. In addition, this command
enables debugging output for conditional debugging
events. Messages are displayed as different interfaces
meet specific conditions.

If multiple debug condition commands are enabled,

output is displayed if at least one condition matches. All
the conditions do not need to match. The no form of
this command removes the debug condition specified by
the condition identifier.

The condition identifier is displayed after you use a

debug condition command or in the output of the
show debug condition command. If the last
condition is removed, debugging output resumes for all
interfaces. You will be asked for confirmation before
removing the last condition or all conditions.

Not all debugging output is affected by the debug

condition command. Some commands generate
output whenever they are enabled, regardless of
whether they meet any conditions.

Router# debug condition Filters output on the

interface interface-type basis of the
interface number specified interface

Router# debug condition Filters output on the

ip basis of the
specified IP address

Router# debug condition Filters messages on

mac-address the specified MAC
address

Router# debug condition Filters output on the

username basis of the
specified username
Router# debug condition Filters output on the
vlan basis of the
specified VLAN ID

Router# show debug Displays which

condition conditional debugs
are enabled

CONFIGURING SECURE SNMP

Simple Network Management Protocol (SNMP) is the
most commonly used network management protocol. It
is important to restrict SNMP access to the routers on
which it is enabled.

Tip
If SNMP is not required on a router, you should turn it off by using the no snmp-server
global configuration command:
Click here to view code image

Edmonton(config)# no snmp-server

Note
Beginning with SNMPv3, methods to ensure the secure transmission of data between
manager and agent were added. You can now define a security policy per group, or limit IP
addresses to which its members can belong. You now have to define encryption and
hashing algorithms and passwords for each user.
Table 11-2 shows the different SNMP security models.

TABLE 11-2 SNMP Security Models

SNMP Access Authentica Encryption

Version Mode tion

SNMPv1 noAuthNo Community No

Priv string

SNMPv2c noAuthNo Community No

Priv string

SNMPv3 noAuthNo Username No

Priv

MD5 or No
authNoPri SHA-1
v DES, 3DES,
MD5 or or AES
authPriv SHA-1

Tip
The SNMP security levels are as follows:
noAuthNoPriv: Authenticates SNMP messages using
a community string. No encryption provided.

authNoPriv: Authenticates SNMP messages using

either HMAC with MD5 or SHA-1. No encryption
provided.

authPriv: Authenticates SNMP messages by using

either HMAC-MD5 or SHA. Encrypts SNMP messages
using DES, 3DES, or AES.

priv: Does not authenticate SNMP messages. Encrypts

only using either DES or AES.

Tip
SNMPv3 provides all three security level options. It should be used wherever possible.

Tip
If SNMPv3 cannot be used, then use SNMPv2c and secure it using uncommon, complex
community strings and by enabling read-only access.

Tip
If community strings are also used for SNMP traps, they must be different from community
strings for get and set methods. This is considered best practice.

Securing SNMPv1 or SNMPv2c

Edmonton( Sets a community string named
config)# C0mpl3xAdmin. It is read-only and refers
snmp- to ACL 98 to limit SNMP access to the
server authorized hosts
community
C0mpl3xAd
min ro 98 Note

A named ACL can be used as well

Edmonton( Creates an ACL that will limit the SNMP

config)# access to the specific host of 192.168.10.3
access-
list 98
permit
host
192.168.1
0.3

Edmonton( Sets the Network Management System

config)# (NMS) IP address of 192.168.10.3 and the
snmp- community string of AdminC0mpl3x,
server which will be used to protect the sending
host of the SNMP traps. The community string

192.168.1 is also used to connect to the host

0.3
AdminC0mp
l3x

Securing SNMPv3

Edmonton(config Creates an ACL that will be used to

)# access-list limit SNMP access to the local
99 permit device from SNMP managers
10.1.1.0 within the 10.1.1.0/24 subnet
0.0.0.255

Edmonton(config Defines an SNMP view named

)# snmp-server MGMT to include an OID name of
view MGMT sysUpTime
sysUpTime
included

Edmonton(config Defines an SNMP view named

)# snmp-server MGMT to include an OID name of
view MGMT ifDescr
ifDescr
included
Edmonton(config Defines an SNMP view named
)# snmp-server MGMT and an OID name of
view MGMT ifAdminStatus. This OID is
ifAdminStatus included in the view
included

Edmonton(config Defines an SNMP view named

)# snmp-server MGMT and an OID name of
view MGMT ifOperStatus. This OID is included
ifOperStatus in the view
included

Edmonton(config Defines an SNMPv3 group called

)# snmp-server groupAAA and configures it with
group groupAAA the authPriv security level. SNMP
v3 priv read read and write access to the
MGMT write MGMT MGMT view is limited to devices

access 99 defined in ACL 99

Edmonton(config Configures a new user called

)# snmp-server userAAA to the SNMPv3 group
user userAAA groupAAA with authentication
groupAAA v3 and encryption. Authentication
auth sha uses SHA with a password of

itsa5ecret priv itsa5ecret. Encryption uses AES-

aes 256 256 with a password of
another5ecret another5ecret

Edmonton(config Enables SNMP traps

)# snmp-server
enable traps

Edmonton(config Defines a receiving manager for

)# snmp-server traps at IP address 10.1.1.50. The
host 10.1.1.50 user userAAA is used to
traps version 3 authenticate the host. The traps
priv userAAA sent relate to CPU and port

cpu port- security events

security

Edmonton(config Prevents index shuffle

)# snmp-server
ifindex persist
Note

SNMP does not identify object instances by

names but by numeric indexes. Index number
may change due to instance changes, such
as a new interface being configured. This
command will guarantee index persistence
when changes occur
Verifying SNMP

Edmonton# show Provides basic information about

snmp SNMP configuration

Edmonton# show Provides information about

snmp view SNMP views

Edmonton# show Provides information about

snmp group configured SNMP groups

Edmonton# show Provides information about

snmp user configured SNMP users

IMPLEMENTING LOGGING
It is important for network administrators to implement
logging to get insight into what is occurring in their
network. When a router reloads, all local logs are lost, so
it is important to implement logging to an external
destination. The following sections deal with the
different mechanisms that you can use to configure
logging to a remote location.
Configuring Syslog

Edmonton(con Enables logging to all supported

fig)# destinations
logging on

Edmonton(con Sends logging messages to a syslog

fig)# server host at address 192.168.10.53
logging
192.168.10.5
3

Edmonton(con Sends logging messages to a syslog

fig)# server host named sysadmin
logging
sysadmin

Edmonton(con Sets the syslog server logging level to

fig)# value x, where x is a number between
logging trap 0 and 7 or a word defining the level.
x Table 11-3 provides more details

Edmonton(con Stamps syslog messages with a

fig)# sequence number
service
sequence-
numbers

Edmonton(con Causes a time stamp to be included in

fig)# syslog messages
service
timestamps
log datetime

Syslog Message Format

The general format of syslog messages generated on
Cisco IOS Software is as follows:
Click here to view code image

seq no:timestamp: %facility-severity-

MNEMONIC:description

Item Definition
in
Syslog
Messa
ge

seq no Sequence number. Stamped only if the service

sequence- numbers global configuration
command is configured

timest Date and time of the message. Appears only if

amp the service timestamps log datetime
global configuration command is configured

facili The facility to which the message refers

ty (SNMP, SYS, and so on)

severi Single-digit code from 0 to 7 that defines the

ty severity of the message. See Table 11-3 for
descriptions of the levels

MNEMON String of text that uniquely defines the message

descri String of text that contains detailed

ption information about the event being reported

Syslog Severity Levels

Table 11-3 outlines the eight levels of severity in logging
messages.
TABLE 11-3 Syslog Severity Levels

Level Level Description

# Name

0 Emergencie System is unusable

1 Alerts Immediate action needed

2 Critical Critical conditions

3 Errors Error conditions

4 Warnings Warning conditions

5 Notification Normal but significant conditions

6 Informatio Informational messages (default

nal level)

7 Debugging Debugging messages

Setting a level means you will get that level and
everything numerically below it; for example, setting
level 6 means you will receive messages for levels 0
through 6.

Syslog Message Example

The easiest syslog message to use as an example is the
one that shows up every time you exit from global
configuration mode back to privileged EXEC mode. You
have just finished entering a command and you want to
save your work, but after you type exit you see
something like this (your output will differ depending
on whether you have sequence numbers and/or
time/date stamps configured):
Click here to view code image

Edmonton(config)# exit
Edmonton#
*Oct 23:22:45:20.878: %SYS-5-CONFIG_I: Configured
from console by
console
Edmonton#

So, what does this all mean?

No sequence number is part of this message

The message occurred on October 23, at 22:45:20.878
(or 10:45 PM, and 20.878 seconds)

It is a SYS message, and it is level 5 (a notification)

It is a CONFIG message, and the configuration

occurred from the console

CONFIGURING NETFLOW
NetFlow is an application for collecting IP traffic
information. It is used for network accounting and
security auditing.

Caution
NetFlow consumes additional memory. If you have limited memory, you might want to preset
the size of the NetFlow cache to contain a smaller amount of entries. The default cache size
depends on the platform of the device.

Edmonton(conf Moves to interface configuration

ig)# mode
interface
gigabitethern
et 0/0/0

Edmonton(conf Enables NetFlow on the interface.

ig-if)# ip Captures traffic that is being received
flow ingress by the interface

Edmonton(conf Enables NetFlow on the interface.

ig-if)# ip Captures traffic that is being
flow egress transmitted by the interface

Edmonton(conf Returns to global configuration mode

ig-if)# exit

Edmonton(conf Defines the IP address of the

ig)# ip flow- workstation to which you want to
export send the NetFlow information as well
destination as the UDP port on which the
ip_address workstation is listening for the

udp_port information

Edmonton(conf Specifies the version format that the

ig)# ip flow- export packets used
export
version x

Note
NetFlow exports data in UDP in one of five formats: 1, 5, 7, 8, 9. Version 9 is the most
versatile, but is not backward compatible with versions 5 or 8. The default is version 1.
Version 5 is the most commonly used format, but version 9 is the latest format and has some
advantages for key technologies such as security, traffic analysis, and multicast.

CONFIGURING FLEXIBLE NETFLOW

Flexible NetFlow improves on original NetFlow by
adding the capability to customize the traffic analysis
parameters for your specific requirements. Flexible
NetFlow facilitates the creation of more complex
configurations for traffic analysis and data export
through the use of reusable configuration components.
Flexible NetFlow is an extension of NetFlow v9.

Configuring Flexible NetFlow is a four-step process:

Step 1. Configure a flow record.

Step 2. Configure a flow exporter.
Step 3. Configure a flow monitor.
Step 4. Apply the flow monitor to an interface.

Step 1: Configure a Flow Record

R1(config)# flow Creates a new flow

record R1-FLOW-RECORD record called R1-FLOW-
RECORD
R1(config-flow- Includes the source IPv4
record)# match ipv4 address to the flow
source address record

R1(config-flow- Includes the destination

record)# match ipv4 IPv4 address to the flow
destination address record

R1(config-flow- Includes statistics on the

record)# collect number of bytes in the
counter bytes flow record

Step 2: Configure a Flow Exporter

R1(config)# flow Creates a flow exporter

exporter R1-FLOW- called R1-FLOW-
EXPORTER EXPORTER

R1(config-flow- Specifies the IP address

exporter)# destination of the NetFlow collector
10.250.250.25
Step 3: Configure a Flow Monitor

R1(config)# flow Creates a flow monitor

monitor R1-FLOW-MONITOR called R1-FLOW-
MONITOR

R1(config-flow- Assigns the flow

monitor)# exporter R1- exporter to the flow
FLOW-EXPORTER monitor

R1(config-flow- Assigns the flow record

monitor)# record R1- to the flow monitor
FLOW-RECORD

Step 4: Apply the Flow Monitor to an Interface

R1(config)# interface Enters interface

gigabitethernet 0/0/0 configuration mode

R1(config-if)# ip Applies the flow monitor

flow monitor R1-FLOW- to the interface in the
MONITOR input input direction
VERIFYING NETFLOW

Edmonton# show Displays information about the

ip interface interface, including NetFlow as
gigabitethernet being either ingress or egress
0/0/0 enabled

Edmonton# show Verifies status and statistics for

ip flow export NetFlow accounting data export

Edmonton# show Displays a summary of NetFlow

ip cache flow statistics on a Cisco IOS router

Edmonton# show Displays a summary of the

flow monitor Flexible NetFlow configuration

Edmonton# show Displays information about the

flow exporter Flexible NetFlow exporter
configuration

Edmonton# show Displays information about the

flow record configured Flexible NetFlow
records
Note
The show ip cache flow command is useful for seeing which protocols use the highest
volume of traffic and between which hosts this traffic flows.

IMPLEMENTING PORT MIRRORING

Using a traffic sniffer can be a valuable tool to monitor
and troubleshoot a network. In the modern era of
switches, using the Switched Port Analyzer (SPAN)
feature enables you to instruct a switch to send copies of
packets seen on one port to another port on the same
switch.

Default SPAN and RSPAN Configuration

Table 11-4 shows the default SPAN and remote SPAN
(RSPAN) settings.

TABLE 11-4 SPAN and RSPAN Default Settings

Feature Default Setting

SPAN state (SPAN Disabled

and RSPAN)
Source port traffic Both received and sent traffic (both
to monitor SPAN and RSPAN)

Encapsulation type Native form (untagged packets)

(destination port)

Ingress forwarding Disabled

(destination port)

VLAN filtering On a trunk interface used as a

source port, all VLANs are
monitored

RSPAN VLANs None configured

Configuring Local SPAN

Local SPAN supports a SPAN session entirely within
one switch; all source ports or source VLANs and
destination ports are in the same switch or switch stack.
Local SPAN copies traffic from one or more source ports
in any VLAN or from one or more VLANs to a
destination port for analysis.

Local SPAN Guidelines for Configuration

When configuring SPAN, follow these guidelines:

For SPAN sources, you can monitor traffic for a single

port or VLAN or a series or range of ports or VLANs for
each session. You cannot mix source ports and source
VLANs within a single SPAN session.

The destination port cannot be a source port; a source

port cannot be a destination port.

You cannot have two SPAN sessions using the same

destination port.

When you configure a switch port as a SPAN

destination port, it is no longer a normal switch port;
only monitored traffic passes through the SPAN
destination port.

Entering SPAN configuration commands does not

remove previously configured SPAN parameters. You
must enter the no monitor session
{session_number | all | local | remote} global
configuration command to delete configured SPAN
parameters.

For local SPAN, outgoing packets through the SPAN

destination port carry the original encapsulation
headers (untagged or IEEE 802.1Q) if the
encapsulation replicate keywords are specified. If
the keywords are not specified, the packets are sent in
native form. For RSPAN destination ports, outgoing
packets are not tagged.

You can configure a disabled port to be a source or

destination port, but the SPAN function does not start
until the destination port and at least one source port
or source VLAN are enabled.

You can limit SPAN traffic to specific VLANs by using

the filter vlan keywords. If a trunk port is being
monitored, only traffic on the VLANs specified with
these keywords are monitored. By default, all VLANs
are monitored on a trunk port.

You cannot mix source VLANs and filter VLANs within

a single SPAN session.

Configuration Example: Local SPAN

Figure 11-1 is the network topology for local SPAN
commands.
Figure 11-1 Local SPAN

Switch(config)# no Removes any existing

monitor session 1 SPAN configuration on
session 1. The session
number is a number
between 1 and 66

Switch(config)# no Removes all SPAN

monitor session all sessions
Switch(config)# no Removes all local SPAN
monitor session sessions
local

Switch(config)# no Removes all remote SPAN

monitor session sessions
remote

Switch(config)# Sets a new SPAN session

monitor session 1 where the source of the
source interface traffic will be interface
gigabitethernet 0/1 GigabitEthernet 0/1

Switch(config)# Configures session 2 to

monitor session 2 monitor received traffic on
source interface GigabitEthernet
gigabitethernet 0/2 0/2
rx

Switch(config)# Options for this command

monitor session include the following:
session_number
source {interface session_number: Any
interface-id | vlan number between 1 and 66
vlan-id} [, | -]
[both | rx | tx]
interface-id: Specifies the
source port to monitor.
Can be any valid physical
interface or port channel
logical interface

vlan-id: Specifies the

source VLAN to monitor.
The range is 1 to 4094

, | - (optional): To be used
to help specify a series or
ranges of interfaces. There
must be a space both
before and after the
comma or hyphen

both (optional): Monitors

both received and sent
traffic. This is the default
setting

rx (optional): Monitors
received traffic

tx (optional): Monitors
sent traffic
Note

A single session can include

multiple sources (ports or
VLANs), defined in a series of
commands, but you cannot
combine source ports and
source VLANs in one session

Note

You can use the monitor

session session_number
source command multiple
times to configure multiple
source ports

Switch(config)# Limits the SPAN source

monitor session 1 traffic to VLANs 6 to 10
filter vlan 6 - 10

Switch(config)# Options for this command

monitor session include the following:
session_number
filter vlan vlan-id session_number: Must
[, | -] match the session number
used in the monitor
session source
command

vlan-id: Specifies the

source VLAN to monitor.
The range is 1 to 4094

, | - (optional): To be used
to help specify a series or
ranges of interfaces. There
must be a space both
before and after the
comma or hyphen

Switch(config)# Sets a new SPAN session

monitor session 1 where the destination for
destination the traffic will be interface
interface GigabitEthernet 0/24. The
gigabitethernet 0/24 encapsulation method will
encapsulation be retained

replicate

Switch(config)# Monitored traffic from

monitor session 2 session 2 will be sent to
destination interface GigabitEthernet
0/24. It will have the same
interface egress encapsulation type
gigabitethernet 0/24 as the source port, and will
encapsulation enable ingress forwarding
with IEEE 802.1Q
encapsulation and VLAN 6
replicate ingress
as the default ingress
dot1q vlan 6
VLAN

Switch(config)# Options for this command

monitor session include the following:
session_number
destination session_number: Enter
{interface the session number used
interface-id [, | -] in the source command
[encapsulation earlier in this example. For
{dot1q | local SPAN, you must use
replicate}]} the same session number
[ingress {dot1q vlan for the source and

vlan-id | destination interfaces

untaggedvlan vlan-id
| vlan vlan-id}]} interface-id: Specifies the
destination port. This
must be a physical port; it
cannot be an
EtherChannel, and it
cannot be a VLAN
, | - (optional): To be used
to help specify a series or
ranges of interfaces. There
must be a space both
before and after the
comma or hyphen

encapsulation dot1q:
Specifies that the
destination interface use
the IEEE 802.1Q
encapsulation method

encapsulation
replicate: Specifies that
the destination interface
replicate the source
interface encapsulation
method

Note

If no encapsulation method is
selected, the default is to send
packets in native form
(untagged)
ingress dot1q vlan vlan-
id: Accept incoming
packets with IEEE 802.1Q
encapsulation with the
specified VLAN as the
default VLAN

ingress untagged vlan

vlan-id: Accept incoming
packets with untagged
encapsulation with the
specified VLAN as the
default VLAN

ingress vlan vlan-id:

Accept incoming packets
with untagged
encapsulation with the
specified VLAN as the
default VLAN

Note

You can use the monitor

session session_number
destination command multiple
times to configure multiple
destination ports
Configuring Remote SPAN
While local SPAN supports source and destination ports
only on one switch, a remote SPAN supports source and
destination ports on different switches. RSPAN consists
of an RSPAN VLAN, an RSPAN source session, and an
RSPAN destination session. You separately configure
RSPAN source sessions and destination sessions on
different switches.

Remote SPAN Guidelines for Configuration

When configuring RSPAN, follow these guidelines:

All the items in the local SPAN guidelines for

configuration apply to RSPAN.

Because RSPAN VLANs have special properties, you

should reserve a few VLANs across your network for
use as RSPAN VLANs; do not assign access ports to
these VLANs.

You can apply an output access control list (ACL) to

RSPAN traffic to selectively filter or monitor specific
packets. Specify this ACL on the RSPAN VLAN in the
RSPAN source switches.
For RSPAN configuration, you can distribute the source
ports and the destination ports across multiple
switches in your network.

RSPAN does not support bridge protocol data unit

(BPDU) packet monitoring or other Layer 2 switch
protocols.

The RSPAN VLAN is configured only on trunk ports

and not on access ports. To avoid unwanted traffic in
RSPAN VLANs, make sure that the VLAN Remote
SPAN feature is supported in all the participating
switches.

Access ports (including voice VLAN ports) on the

RSPAN VLAN are put in the inactive state.

RSPAN VLANs are included as sources for port-based

RSPAN sessions when source trunk ports have active
RSPAN VLANs. RSPAN VLANs can also be sources in
SPAN sessions. However, because the switch does not
monitor spanned traffic, it does not support egress
spanning of packets on any RSPAN VLAN identified as
the destination of an RSPAN source session on the
switch.

You can configure any VLAN as an RSPAN VLAN as

long as these conditions are met:

The same RSPAN VLAN is used for an RSPAN

session in all the switches.
All participating switches support RSPAN.

Configure an RSPAN VLAN before you configure an

RSPAN source or a destination session.

If you enable VTP and VTP pruning, RSPAN traffic is

pruned in the trunks to prevent the unwanted flooding
of RSPAN traffic across the network for VLAN IDs that
are lower than 1005.

Configuration Example: Remote SPAN

Figure 11-2 is the network topology for remote SPAN
commands.
Figure 11-2 Remote SPAN

Switch1(config)# vlan Creates VLAN 901 on

901 Switch1

Switch1(config-vlan)# Makes this VLAN an

remote span RSPAN VLAN

Switch1(config-vlan)# Returns to global

end configuration mode

Switch2(config)# vlan Creates VLAN 901 on

901 Switch2

Switch2(config-vlan)# Makes this VLAN an

remote span RSPAN VLAN

Switch2(config-vlan)# Returns to global

end configuration mode

Note
You must create the RSPAN VLAN in all switches that will participate in RSPAN.
Note
If the RSPAN VLAN ID is in the normal range (lower than 1005) and VTP is enabled in the
network, you can create the RSPAN VLAN in one switch, and VTP propagates it to the other
switches in the VTP domain. For extended-range VLANs (greater than 1005), you must
configure the RSPAN VLAN on both source and destination switches and any intermediate
switches.

Tip
Use VTP pruning to get an efficient flow of RSPAN traffic, or manually delete the RSPAN
VLAN from all trunks that do not need to carry the RSPAN traffic.

Switch1(config)# no Removes any previous

monitor session 1 configurations for
session 1

Switch1(config)# Configures session 1 to

monitor session 1 monitor transmitted
source interface traffic on interface
gigabitethernet 0/1 tx GigabitEthernet 0/1

Switch1(config)# Configures session 1 to

monitor session 1 monitor received traffic
source interface on interface
gigabitethernet 0/2 rx GigabitEthernet 0/2
Switch1(config)# Configures session 1 to
monitor session 1 have a destination of
destination remote RSPAN VLAN 901
vlan 901

Switch2(config)# no Removes any previous

monitor session 1 configurations for
session 1

Switch2(config)# Configures session 1 to

monitor session 1 have a source of VLAN
source remote vlan 901 901

Switch2(config)# Configures session 1 to

monitor session 1 have a destination
destination interface interface of
gigabitethernet 0/24 GigabitEthernet 0/24

Note
The commands to configure incoming traffic on a destination port and to filter VLAN traffic
are the same for remote SPAN as they are for local SPAN.

Configuring Encapsulated RSPAN (ERSPAN)

The Cisco ERSPAN feature allows you to monitor traffic
on one or more ports or one or more VLANs, and send
the monitored traffic to one or more destination ports.
ERSPAN sends traffic to a network analyzer such as a
Switch Probe device or other Remote Monitoring
(RMON) probe. ERSPAN supports source ports, source
VLANs, and destination ports on different routers,
which provides remote monitoring of multiple routers
across a network. The traffic is encapsulated in Generic
Routing Encapsulation (GRE) and is, therefore, routable
across a Layer 3 network between the “source” switch
and the “destination” switch. ERSPAN consists of an
ERSPAN source session, routable ERSPAN GRE
encapsulated traffic, and an ERSPAN destination
session.

Note
ERSPAN is a Cisco proprietary feature and is available only to Catalyst 6500, 7600, 9200,
9300, Nexus, and ASR 1000 platforms to date. The ASR 1000 supports ERSPAN source
(monitoring) only on FastEthernet, GigabitEthernet, and port-channel interfaces.

ERSPAN Source Configuration

Router-1(config)# Creates an ERSPAN

monitor session 1 source session
type erspan-source
Router-1(config-mon- Assigns the
erspan-src)# source GigabitEthernet 0/0/1
interface interface as the source
gigabitethernet 0/0/1 interface for the ERSPAN
session

Router-1(config-mon- Enters ERSPAN

erspan-src)# destination configuration
destination mode

Router-1(config-mon- Assigns an ERSPAN ID of

erspan-src-dst)# 1
erspan-id 1

Router-1(config-mon- Defines the ERSPAN

erspan-src-dst)# ip destination IP address
address 2.2.2.2

Router-1(config-mon- Defines the ERSPAN

erspan-src-dst)# source IP address
origin ip address
1.1.1.1
ERSPAN Destination Configuration

Router-2(config)# Creates an ERSPAN

monitor session 1 destination session
type erspan-
destination

Router-2(config-mon- Assigns the

erspan-dst)# GigabitEthernet 0/0/1
destination interface interface as the
gigabitethernet 0/0/1 destination interface for
the ERSPAN session

Router-2(config-mon- Enters ERSPAN source

erspan-dst)# source configuration mode

Router-2(config-mon- Assigns an ERSPAN ID of

erspan-dst-src)# 1
erspan-id 1

Router-2(config-mon- Defines the ERSPAN

erspan-dst-src)# ip source IP address
address 2.2.2.2
Verifying and Troubleshooting Local and Remote
SPAN

Switch# show Displays output for SPAN session

monitor session 1
1

Note

On some platforms the command is show

monitor

Switch# show Displays configuration of sessions

running-config running in active memory

Switch# show Displays information about

vlan remote- VLANs configured as RSPAN
span VLANs

Switch# debug Displays all SPAN debugging

monitor all messages

Switch# debug Displays SPAN port and VLAN list

monitor list tracing
Switch# debug Displays SPAN requests
monitor
requests

CONFIGURING NETWORK TIME

PROTOCOL
Most networks today are being designed with high
performance and reliability in mind. Delivery of content
is, in many cases, guaranteed by service level
agreements (SLAs). Having your network display an
accurate time is vital to ensuring that you have the best
information possible when reading logging messages or
troubleshooting issues.

NTP Configuration

Edmonton(co Configures the Edmonton router to

nfig)# ntp synchronize its clock to a public NTP
server server at address 209.165.200.254
209.165.200
.254
Note

This command makes the Edmonton router an NTP

client to the external NTP server
Note

A Cisco IOS router can be both a client to an external

NTP server and an NTP server to client devices
inside its own internal network

Note

When NTP is enabled on a Cisco IOS router, it is

enabled on all interfaces

Caution

NTP is slow to converge. It can take up to 5 minutes

before an NTP client synchronizes with an NTP
server

Edmonton(co Specifies a preferred NTP server if

nfig)# ntp multiple servers are configured
server
Tip
209.165.200
.234 prefer It is recommended to configure more than one NTP
server

Edmonton(co Disables the NTP server function on a

nfig-if)# specific interface. The interface will still
ntp disable act as an NTP client

Tip

Use this command on interfaces connected to

external networks

Edmonton(co Configures the router to be an NTP

nfig)# ntp master clock to which peers
master synchronize when no external NTP
stratum source is available. The stratum is an
optional number between 1 and 15.
When enabled, the default stratum is 8

Note

A reference clock (for example, an atomic clock) is

said to be a stratum-0 device. A stratum-1 server is
directly connected to a stratum-0 device. A stratum-2
server is connected across a network path to a
stratum-1 server. The larger the stratum number
(moving toward 15), the less authoritative that server
is and the less accuracy it will have

Edmonton(co Configures the maximum number of

nfig)# ntp NTP peer-and-client associations that
max- the router will serve. The range is 0 to 4
association 294 967 295. The default is 100
s 200

Edmonton(co Creates an access list statement that

nfig)# will allow NTP communication for the
access list NTP server at address a.b.c.d. This ACL
101 permit should be placed in an inbound
udp any direction
host
a.b.c.d eq
ntp

Note
When a local device is configured with the ntp master command, it can be identified by a
syntactically correct but invalid IP address. This address will be in the form of 127.127.x.x.
The master will synchronize with itself and uses the 127.127.x.x address to identify itself.
This address will be displayed with the show ntp associations command and must be
permitted via an access list if you are authenticating your NTP servers.
NTP Design
You have two different options in NTP design: flat and
hierarchical. In a flat design, all routers are peers to
each other. Each router is both a client and a server with
every other router. In a hierarchical model, there is a
preferred order of routers that are servers and others
that act as clients. You use the ntp peer command to
determine the hierarchy. Figure 11-3 is a topology
showing a hierarchical design.

Figure 11-3 NTP Hierarchical Design

Tip
Do not use the flat model in a large network, because with many NTP servers it can take a
long time to synchronize the time.

Edmonton(c Configures the source interface for all

onfig)# NTP packets
ntp
source-
interface
loopback 0

Edmonton(c Configures an IOS device to synchronize

onfig)# its software clock to a peer at 172.16.21.1
ntp peer
172.16.21.
1

Edmonton(c Configures an IOS device to synchronize

onfig)# its software clock to a peer at 172.16.21.1
ntp peer using version 2 of NTP. There are three
172.16.21. versions of NTP (versions 2–4)
1 version
2
Edmonton(c Configures the options for broadcasting
onfig-if)# or multicasting NTP traffic on a specified
ntp interface. You can include the
broadcast authentication key and version options
with this command

Edmonton(c Configures a device to receive NTP

onfig-if)# broadcast or multicast messages on a
ntp specified interface. You can include the
broadcast authentication key and version options
client with this command

Note
Although Cisco IOS recognizes three versions of NTP, versions 3 and 4 are most commonly
used. Version 4 introduces support for IPv6 and is backward compatible with version 3.
NTPv4 also adds DNS support for IPv6.

Note
NTPv4 has increased security support using public key cryptography and X.509 certificates.

Note
NTPv3 uses broadcast messages. NTPv4 uses multicast messages.
Edmonton(confi Configures an IOS device to
g)# ntp peer synchronize its software clock to a
172.16.21.1 peer at 172.16.21.1. The source IP
source loopback address is the address of interface
0 Loopback 0

Tip

Choose a loopback interface as your source

for NTP, because it will never go down. ACL
statements will also be easier to write as you
will require only one line to allow or deny
traffic

Edmonton(confi Makes this peer the preferred peer

g)# ntp peer that provides synchronization
172.16.21.1
source loopback
0 prefer

Securing NTP
You can secure NTP operation using authentication and
access lists.

Enabling NTP Authentication

NTPServer(con Defines an NTP authentication key
fig)# ntp
authenticatio 1 = number of authentication key.
n-key 1 md5 Can be a number between 1 and 4
NTPpa55word 294 967 295

md5 = using MD5 hash. This is the

only option available on Cisco devices

NTPpa55word = password
associated with this key

NTPServer(con Defines which keys are valid for NTP

fig)# ntp authentication. The key number here
trusted-key 1 must match the key number you
defined in the ntp authentication-
key command

NTPServer(con Enables NTP authentication

fig)# ntp
authenticate

NTPClient(con Defines an NTP authentication key

fig)# ntp
authenticatio
n-key 1 md5
NTPpa55word

NTPClient(con Defines the NTP server that requires

fig)# ntp authentication at address
server 192.168.200.1 and identifies the peer
192.168.200.1 key number as key 1
key 1

NTPClient(con Defines which keys are valid for NTP

fig)# ntp authentication. The key number here
trusted-key 1 must match the key number you
defined in the ntp authentication-
key command

NTPClient(con Enables NTP authentication

fig)# ntp
authenticate

Note
You can configure the device to authenticate the time sources to which the local clock is
synchronized. When you enable NTP authentication, the device synchronizes to a time
source only if the source carries one of the authentication keys specified by the ntp trusted-
key command. The device drops any packets that fail the authentication check and prevents
them from updating the local clock. NTP authentication is disabled by default.
You can also control access to NTP services by using
access lists. Specifically, you can decide the types of
requests that the device allows and the servers from
which it accepts responses. If you do not configure any
ACLs, NTP access is granted to all devices. If you
configure ACLs, NTP access is granted only to the
remote device whose source IP address passes the
access list criteria.

Note
Once a device is synchronized to an NTP source, it becomes an NTP server to any device
that requests synchronization.

Limiting NTP Access with Access Lists

Edmonton Defines an access list that permits only

(config)# packets with a source address of 10.1.x.x
access-
list 1
permit
10.1.0.0
0.0.255.
255

Edmonton Creates an access group to control NTP

access and applies access list 1. The peer
(config)# keyword enables the device to receive time
ntp requests and NTP control queries and to
access- synchronize itself to servers specified in the
group access list
peer 1

Edmonton Creates an access group to control NTP

(config)# access and applies access list 1. The serve
ntp keyword enables the device to receive time
access- requests and NTP control queries from the
group servers specified in the access list but not
serve 1 to synchronize itself to the specified servers

Edmonton Creates an access group to control NTP

(config)# access and applies access list 1. The serve-
ntp only keyword enables the device to receive
access- only time requests from servers specified in
group the access list
serve-
only 1

Edmonton Creates an access group to control NTP

(config)# access and applies access list 1. The query-
ntp only keyword enables the device to receive
access- only NTP control queries from the servers
group specified in the access list
query-
only 1

Note
NTP access group options are scanned from least restrictive to most restrictive in the
following order: peer, serve, serve-only, query-only. However, if NTP matches a deny ACL
rule in a configured peer, ACL processing stops and does not continue to the next access
group option.

Verifying and Troubleshooting NTP

Edmonton# Displays the status of NTP associations

show ntp
associatio
ns

Edmonton# Displays detailed information about each

show ntp NTP association
associatio
ns detail

Edmonton# Displays the status of the NTP

show ntp configuration. This command shows
status whether the router’s clock has
synchronized with the external NTP
server

Edmonton# Checks to see whether NTP packets are

debug ip received and sent
packets

Edmonton# Limits debug output to ACL 1

debug ip
packet 1

Edmonton# Displays debug output for NTP clock

debug ntp adjustments
adjust

Edmonton# Displays all NTP debugging output

debug ntp
all

Edmonton# Displays all NTP debugging events

debug ntp
events

Edmonton# Displays NTP packet debugging; lets you

debug ntp see the time that the peer/server gives
packet you in a received packet

Edmonton# Displays detailed NTP packet dump

debug ntp
packet
detail

Edmonton# Displays debugging from NTP peer at

debug ntp address a.b.c.d
packet
peer
a.b.c.d

Setting the Clock on a Router

Note
It is important to have your routers display the correct time for use with time stamps and
other logging features.

If the system is synchronized by a valid outside timing

mechanism, such as an NTP server, or if you have a
router with a hardware clock, you do not need to set the
software clock. Use the software clock if no other time
sources are available.
Edmonton# calendar Manually sets the system
set 16:30:00 23 hardware clock. Time is set
October 2019 using military (24-hour)
format. The hardware clock
runs continuously, even if the
router is powered off or
rebooted

Edmonton# show Displays the hardware

calendar calendar

Edmonton(config)# Configures the system as an

clock calendar- authoritative time source for a
valid network based on its hardware
clock

Note

Because the hardware clock is not as

accurate as other time sources (it runs
off of a battery), you should use this
only when a more accurate time
source (such as NTP) is not available

Edmonton# clock Manually reads the hardware

read-calendar clock settings into the
software clock

Edmonton# clock Manually sets the system

set 16:30:00 23 software clock. Time is set
October 2019 using military (24-hour)
format

Edmonton(config)# Configures the system to

clock summer-time automatically switch to
zone recurring summer time (daylight saving
[week day month time)
hh:mm week day
month hh:mm
[offset]] Note

Summer time is disabled by default

Edmonton(config)#
clock summer-time
zone date date
Arguments for the command
month year hh:mm
are as follows:
date month year
hh:mm [offset]
zone: Name of the time zone
(see Tables 11-5 and 11-6 for
Edmonton(config)# alternative ways to specify the
clock summer-time time zone)
zone date month
date year hh:mm recurring: Indicates that
month date year summer time should start and
hh:mm [offset] end on the corresponding
specified days every year

date: Indicates that summer

time should start on the first
specific date listed in the
command and end on the
second specific date in the
command

week: (Optional) Week of the

month (1 to 4 or last)

day: (Optional) Day of the

week (Sunday, Monday, and
so on)

date: Date of the month (1 to

31)

month: (Optional) Month

(January, February, and so
on)
year: Year (1993 to 2035)

hh:mm: (Optional) Time

(military format) in hours and
minutes

offset: (Optional) Number of

minutes to add during
summer time (default is 60)

Edmonton(config)# Configures the time zone for

clock timezone display purposes. To set the
zone hours-offset time to Coordinated Universal
[minutes-offset] Time (UTC), use the no form
of this command

zone: Name of the time zone

to be displayed when standard
time is in effect

hours-offset: Hours difference

from UTC

minutes-offset: (Optional)
Minutes difference from UTC
Edmonton(config)# Configures the time zone to
clock timezone PST Pacific Standard Time, which
-8 is 8 hours behind UTC

Edmonton(config)# Configures the time zone to

clock timezone NL Newfoundland time for
-3 30 Newfoundland, Canada, which
is 3.5 hours behind UTC

Edmonton# clock Updates the hardware clock

update-calendar from the software clock

Edmonton# show Displays the time and date

clock from the system software
clock

Edmonton# show Displays the clock source

clock detail (NTP, hardware) and the
current summer-time setting
(if any)

Table 11-5 shows the common acronyms used for setting

the time zone on a router.

TABLE 11-5 Common Time Zone Acronyms

Region/Acronym Time Zone Name and UTC Offset

Europe

GMT Greenwich Mean Time, as UTC

BST British Summer Time, as UTC +1 hour

IST Irish Summer Time, as UTC +1 hour

WET Western Europe Time, as UTC

WEST Western Europe Summer Time, as UTC +1

hour

CET Central Europe Time, as UTC +1

CEST Central Europe Summer Time, as UTC +2

EET Eastern Europe Time, as UTC +2

EEST Eastern Europe Summer Time, as UTC +3

MSK Moscow Time, as UTC +3

MSD Moscow Summer Time, as UTC +4

United
States and
Canada

AST Atlantic Standard Time, as UTC –4 hours

ADT Atlantic Daylight Time, as UTC –3 hours

ET Eastern Time, either as EST or EDT,

depending on place and time of year

EST Eastern Standard Time, as UTC –5 hours

EDT Eastern Daylight Time, as UTC –4 hours

CT Central Time, either as CST or CDT,

depending on place and time of year

CST Central Standard Time, as UTC –6 hours

CDT Central Daylight Time, as UTC –5 hours

MT Mountain Time, either as MST or MDT,
depending on place and time of year

MST Mountain Standard Time, as UTC –7 hours

MDT Mountain Daylight Time, as UTC –6 hours

PT Pacific Time, either as PST or PDT,

depending on place and time of year

PST Pacific Standard Time, as UTC –8 hours

PDT Pacific Daylight Time, as UTC –7 hours

AKST Alaska Standard Time, as UTC –9 hours

AKDT Alaska Standard Daylight Time, as UTC –8

hours

HST Hawaiian Standard Time, as UTC –10

hours

Australia
WST Western Standard Time, as UTC +8 hours

CST Central Standard Time, as UTC +9.5 hours

EST Eastern Standard/Summer time, as UTC

+10 hours (+11 hours during summer time)

Table 11-6 lists an alternative method for referring to

time zones, in which single letters are used to refer to
the time zone difference from UTC. Using this method,
the letter Z is used to indicate the zero meridian,
equivalent to UTC, and the letter J (Juliet) is used to
refer to the local time zone. Using this method, the
international date line is between time zones M and Y.

TABLE 11-6 Single-Letter Time Zone Designators

Letter Word Difference from

Designator Designator UTC

Y Yankee UTC –12 hours

X X-ray UTC –11 hours

W Whiskey UTC –10 hours

V Victor UTC –9 hours

U Uniform UTC –8 hours

T Tango UTC –7 hours

S Sierra UTC –6 hours

R Romeo UTC –5 hours

Q Quebec UTC –4 hours

P Papa UTC –3 hours

O Oscar UTC –2 hours

N November UTC –1 hour

Z Zulu Same as UTC

A Alpha UTC +1 hour

B Bravo UTC +2 hours

C Charlie UTC +3 hours

D Delta UTC +4 hours

E Echo UTC +5 hours

F Foxtrot UTC +6 hours

G Golf UTC +7 hours

H Hotel UTC +8 hours

I India UTC +9 hours

K Kilo UTC +10 hours

L Lima UTC +11 hours

M Mike UTC +12 hours

Using Time Stamps

Edmonton(config)# Adds a time stamp to all
service timestamps system logging messages

Edmonton(config)# Adds a time stamp to all

service timestamps debugging messages
debug

Edmonton(config)# Adds a time stamp along

service timestamps with the total uptime of the
debug uptime router to all debugging
messages

Edmonton(config)# Adds a time stamp

service timestamps displaying the local time
debug datetime and the date to all
localtime debugging messages

Edmonton(config)# no Disables all time stamps

service timestamps

Configuration Example: NTP

Figure 11-4 shows the network topology for the
configuration that follows, which demonstrates how to
configure NTP using the commands covered in this
chapter.

Figure 11-4 Network Topology for NTP

Configuration

Core1 Router
Core1(config)# ntp Configures router to
server synchronize its clock to a
209.165.201.44 public NTP server at address
209.165.201.44

Core1(config)# ntp Configures router to

server synchronize its clock to a
209.165.201.111 public NTP server at address
209.165.201.111

Core1(config)# ntp Configures router to

server synchronize its clock to a
209.165.201.133 public NTP server at address
209.165.201.133

Core1(config)# ntp Configures router to

server synchronize its clock to a
209.165.201.222 public NTP server at address
209.165.201.222

Core1(config)# ntp Configures router to

server synchronize its clock to a
209.165.201.233 public NTP server at address
prefer 209.165.201.233. This is the
preferred NTP server
Core1(config)# ntp Configures the maximum
max-associations number of NTP peer-and-
200 client associations that the
router will serve

Core1(config)# Sets time zone to Eastern

clock timezone EST Standard Time
-5

Core1(config)# Configures the system to

clock summer-time automatically switch to
EDT recurring 2 summer time and to repeat on
Sun Mar 2:00 1 Sun the same day
Nov 2:00

Core1(config)# ntp Configures the router to serve

master 10 as a master clock if the
external NTP server is not
available

Core1(config)# ntp Sets the source of all NTP

source Loopback 0 packets to 192.168.223.1,
which is the address of
Loopback 0

Core1(config)# Sets access 1 list to permit

access-list 1 packets coming from
permit 127.127.1.1 127.127.1.1

Core1(config)# Sets access list 2 to permit

access-list 2 packets coming from
permit 192.168.0.0 192.168.x.x
0.0.255.255

Core1(config)# ntp Configures Core1 to peer with

access-group peer any devices identified in
1 access list 1

Core1(config)# ntp Configures Core1 to receive

access-group only time requests from
serve-only 2 devices specified in the ACL

Core2 Router

Core2(config)# ntp Configures router to

server synchronize its clock to a
209.165.201.44 public NTP server at address
209.165.201.44
Core2(config)# ntp Configures router to
server synchronize its clock to a
209.165.201.111 public NTP server at address
209.165.201.111

Core2(config)# ntp Configures router to

server synchronize its clock to a
209.165.201.133 public NTP server at address
209.165.201.133

Core2(config)# ntp Configures router to

server synchronize its clock to a
209.165.201.222 public NTP server at address
209.165.201.222

Core2(config)# ntp Configures router to

server synchronize its clock to a
209.165.201.233 public NTP server at address
prefer 209.165.201.233. This is the
preferred NTP server

Core2(config)# ntp Configures the maximum

max-associations number of NTP peer-and-
200 client associations that the
router will serve

Core2(config)# Sets time zone to Eastern

clock timezone EST Standard Time
-5

Core2(config)# Configures the system to

clock summer-time automatically switch to
EDT recurring 2 summer time and to repeat on
Sun Mar 2:00 1 Sun the same day
Nov 2:00

Core2(config)# ntp Configures the router to serve

master 10 as a master clock if the
external NTP server is not
available

Core2(config)# ntp Sets the source of all NTP

source Loopback 0 packets to 192.168.224.1,
which is the address of
Loopback 0

Core2(config)# Sets ACL 1 to permit packets

access-list 1 coming from 127.127.1.1
permit 127.127.1.1

Core2(config)# Sets ACL 2 to permit packets

access-list 2 coming from 192.168.x.x
permit 192.168.0.0
0.0.255.255

Core2(config)# ntp Configures Core2 to peer with

access-group peer any devices identified in ACL 1
1

Core2(config)# ntp Configures Core2 to receive

access-group only time requests from
serve-only 2 devices specified in the ACL

DLSwitch1

DLSwitch1(config)# ntp Sets the source of all NTP

source Loopback 0 packets to 192.168.225.1,
which is the address of
Loopback 0

DLSwitch1(config)# ntp Configures DLSwitch1 to

server 192.168.223.1 synchronize its clock to
an NTP server at address
192.168.223.1

DLSwitch1(config)# ntp Configures DLSwitch1 to

server 192.168.224.1 synchronize its clock to
an NTP server at address
192.168.224.1

DLSwitch1(config)# Sets time zone to Eastern

clock timezone EST -5 Standard Time

DLSwitch1(config)# Configures the system to

clock summer-time EDT automatically switch to
recurring 2 Sun Mar summer time and to
2:00 1 Sun Nov 2:00 repeat on the same day

DLSwitch2

DLSwitch2(config)# ntp Sets the source of all NTP

source Loopback 0 packets to 192.168.226.1,
which is the address of
Loopback 0

DLSwitch2(config)# ntp Configures DLSwitch2 to

server 192.168.223.1 synchronize its clock to
an NTP server at address
192.168.223.1
DLSwitch2(config)# ntp Configures DLSwitch2 to
server 192.168.224.1 synchronize its clock to
an NTP server at address
192.168.224.1

DLSwitch2(config)# Sets time zone to Eastern

clock timezone EST -5 Standard Time

DLSwitch2(config)# Configures the system to

clock summer-time EDT automatically switch to
recurring 2 Sun Mar summer time and to
2:00 1 Sun Nov 2:00 repeat on the same day

ALSwitch1

ALSwitch1(config)# ntp Sets the source of all NTP

source Loopback 0 packets to 192.168.227.1,
which is the address of
Loopback 0

ALSwitch1(config)# ntp Configures ALSwitch1 to

server 192.168.223.1 synchronize its clock to
an NTP server at address
192.168.223.1
ALSwitch1(config)# ntp Configures ALSwitch1 to
server 192.168.224.1 synchronize its clock to
an NTP server at address
192.168.224.1

ALSwitch1(config)# Sets time zone to Eastern

clock timezone EST -5 Standard Time

ALSwitch1(config)# Configures the system to

clock summer-time EDT automatically switch to
recurring 2 Sun Mar summer time and to
2:00 1 Sun Nov 2:00 repeat on the same day

ALSwitch2

ALSwitch2(config)# ntp Sets the source of all NTP

source Loopback 0 packets to 192.168.228.1,
which is the address of
Loopback 0

ALSwitch2(config)# ntp Configures ALSwitch2 to

server 192.168.223.1 synchronize its clock to
an NTP server at address
192.168.223.1

ALSwitch2(config)# ntp Configures ALSwitch2 to

server 192.168.224.1 synchronize its clock to
an NTP server at address
192.168.224.1

ALSwitch2(config)# Sets time zone to Eastern

clock timezone EST -5 Standard Time

ALSwitch2(config)# Configures the system to

clock summer-time EDT automatically switch to
recurring 2 Sun Mar summer time and to
2:00 1 Sun Nov 2:00 repeat on the same day

TOOL COMMAND LANGUAGE (TCL)

Tcl shell is a feature that is built into Cisco routers and
switches that allows engineers to interact directly with
the device by using various Tcl scripts. Tcl scripting has
been around for quite some time and is a very useful
scripting language. Tcl provides many ways to
streamline different tasks that can help with day-to-day
operations and monitoring of a network. Some of the
following are tasks that can be automated by using these
scripts:

Verify IP and IPv6 reachability, using ping

Verify IP and IPv6 reachability, using traceroute

Check interface statistics

Retrieve SNMP information by accessing Management

Information Base (MIB) objects

Send email messages containing CLI outputs from Tcl

script

Most often, basic Tcl scripts are entered line by line

within the Tcl shell, although, for some of the more
advanced scripting methods, you can load the script into
the flash of the device you are working on and execute
the script from there using a command like source
flash:ping.tcl from the Tcl shell.

A classic use case for Tcl scripting is when you need to

perform network testing using ping. The following
example shows the general syntax for a Tcl script:

Router# tclsh This simple Tcl script automates a

Router(tcl)# ping test to the 172.16.10.1,
foreach 172.16.10.2, and 172.16.10.3
address { addresses. Notice that the test
+>(tcl)# executes as soon as you enter the
172.16.10.1 closing brace
+>(tcl)#
172.16.10.2 The tclsh command grants you
+>(tcl)# access to the Tcl shell
172.16.10.3
+>(tcl)# } { The tclquit command returns you
ping $address to privileged EXEC mode
+>(tcl)# }
Type escape
sequence to
abort.
Sending 5,
100-byte ICMP
Echos to
172.16.10.1,
timeout is 2
seconds:
!!!!!
Success rate
is 100 percent
(5/5), round-
trip
min/avg/max =
1/2/6 ms
Type escape
sequence to
abort.
Sending 5,
100-byte ICMP
Echos to
172.16.10.2
timeout is 2
seconds:
!!!!!
Success rate
is 100 percent
(5/5), round-
trip
min/avg/max =
1/3/5 ms
Type escape
sequence to
abort.
Sending 5,
100-byte ICMP
Echos to
172.16.10.3,
timeout is 2
seconds:
!!!!!
Success rate
is 100 percent
(5/5), round-
trip
min/avg/max =
1/2/6 ms
Router(tcl)#
tclquit
Router#

EMBEDDED EVENT MANAGER (EEM)

Embedded Event Manager is a flexible system designed
to customize Cisco IOS, XR, and NX-OS. EEM allows
you to automate tasks, perform minor enhancements,
and create workarounds. Applets and scripting are two
pieces of EEM. Applets are a collection of CLI
commands, while scripts are actions coded in Tcl. Event
detectors are used by EEM, and actions provide
notifications of the events. EEM event detectors include
SNMP object monitoring, syslog message monitoring,
interface counter monitoring, CLI event monitoring,
and IP SLA and NetFlow event monitoring.

EEM actions can include sending an email, executing a

CLI command, generating an SNMP trap, reloading a
device, and generating specific syslog messages.

Note
The following examples assume that the first command is typed in global configuration
mode.

EEM Configuration Examples

EEM Example 1
The first EEM example shows an applet that monitors
the GigabitEthernet 0/0/0 interface. If a syslog message
indicates that its state has changed to administratively
down, the applet is triggered, the interface is re-enabled,
and an email is sent containing a list of users currently
logged into the router.

Notice the use of the $_cli_result keyword in the

email configuration. This means that the email body will
include the output of any CLI commands that were
issued in the applet. In this case, the output of the show
users command will be included in the debug and the
email message.
Click here to view code image

event manager applet interface_Shutdown

event syslog pattern "Interface GigabitEthernet
0/0/0, changed state
to administratively down"
action 1.0 cli command "enable"
action 1.5 cli command "config terminal"
action 2.0 cli command "interface
gigabitethernet0/0/0"
action 2.5 cli command "no shutdown"
action 3.0 cli command "end"
action 3.5 cli command "show users"
action 4.0 mail server 209.165.201.1 to
engineer@cisco.com from EEM@
cisco.com subject "ISP1 Interface
GigabitEthernet0/0/0 SHUT." body
"Current users $_cli_result"
end

EEM Example 2
The second EEM example shows an applet that
monitors the CLI for the debug ip packet command.
When this pattern is matched, the applet will skip the
command so that it does not take effect. The action list
first enters the enabled mode and issues the show
users | append flash:Debug command. This
command will append the output from the show users
command to the end of a file in flash called Debug. The
next action will then append the current time stamp to
the end of the file in flash named Debug_clock. By
matching the order of the entries in both files you will
have a list of the users that tried to enter the debug
command and the date and time that the user attempted
it.
Click here to view code image
event manager applet Stop_Debug
event cli pattern "debug ip packet" sync no skip
yes
action 1.0 cli command "enable"
action 2.0 cli command "show users | append
flash:Debug"
action 3.0 cli command "show clock | append
flash:Debug_clock"
end

EEM Example 3
The third EEM example shows an applet that matches a
CLI pattern that starts with “wr”. When a match is
detected, the applet is triggered. Cisco IOS prompting is
disabled and a copy of the new startup-configuration file
is backed up to a TFTP server. A syslog message is
triggered confirming a successful TFTP file transfer.
Notice that two environment variables were created and
are used within the applet, one for the file name and one
for the IP address.
Click here to view code image

event manager environment filename router.cfg

event manager environment tftpserver
tftp://10.99.1.101/
event manager applet SAVE-to-TFTP
event cli pattern "wr.*" sync yes
action 1.0 cli command "enable"
action 2.0 cli command "configure terminal"
action 3.0 cli command "file prompt quiet"
action 4.0 cli command "end"
action 5.0 cli command "copy start
$tftpserver$filename"
action 6.0 cli command "configure terminal"
action 7.0 cli command "no file prompt quiet"
action 8.0 syslog priority informational msg
"Running-config saved
to NVRAM! TFTP backup successful."

EEM Example 4
The final example is more complex but demonstrates
how powerful EEM applets can be. This example is
based on the latest version of EEM (version 4). In this
scenario, an IP SLA is configured to send an ICMP echo
request every 10 seconds to address 209.165.201.1. IP
SLA reaction alerts are enabled, which allows the IP SLA
to send an alert after three consecutive timeouts. This
triggers the EEM applet and a syslog message is
displayed. Notice the use of the $_ipsla_oper_id
variable. This is a built-in environment variable and
returns the IP SLA number, which in this case is 1.
Click here to view code image

ip sla 1
icmp-echo 209.165.201.1
frequency 10
ip sla schedule 1 life forever start-time now
ip sla reaction-configuration 1 react timeout
threshold-type consecutive 3
ip sla enable reaction-alerts
!

event manager applet IPSLA

event ipsla operation-id 1 reaction-type timeout
action 1.0 syslog priority emergencies msg "IP
SLA operation
$_ipsla_oper_id to ISP DNS server has timed out"

EEM and Tcl Scripts

Using an EEM applet to call Tcl scripts is another very
powerful aspect of EEM. This example shows how to
manually execute an EEM applet that will, in turn,
execute a Tcl script that is locally stored in the device’s
flash memory. It is important to understand that there
are many ways to use EEM and that manually triggered
applets are also a very useful tool. The following
example depicts an EEM script that is configured with
the event none command. This means that there is no
automatic event that the applet is monitoring, and that
this applet will only run when it is triggered manually.
To manually run an EEM applet, the event manager
run command must be used, as illustrated at the router
prompt. In this example, the ping_script.tcl file is a Tcl
script similar to the one described earlier in this
chapter.
Click here to view code image

event manager applet myping

event none
action 1.0 cli command "enable"
action 1.1 cli command "tclsh
flash:/ping_script.tcl"
Router# event manager run myping
Router#

Verifying EEM

Router# debug Displays actual actions taking

event manager place when an applet is
action cli running

Router# show event Displays all configured

manager policy applets, their triggers and
registered actions

Router# show event Displays the version of EEM

manager version that is supported in the Cisco
IOS software
Part VI: Wireless
Chapter 12
Wireless Security and
Troubleshooting

This chapter provides information and commands

concerning the following topics:

Authenticating wireless clients

Open authentication

Authenticating with a pre-shared key

Authenticating with EAP

Configuring EAP-based authentication

with external RADIUS servers

Configuring EAP-based authentication

with local EAP

Verifying EAP-based authentication

configuration

Authenticating with WebAuth

Troubleshooting from the Wireless LAN Controller

Cisco AireOS Monitoring Dashboard GUI

Cisco AireOS Advanced GUI

Cisco IOS XE GUI

Cisco AireOS/IOS XE CLI

Troubleshooting client connectivity problems

Cisco AireOS Monitoring Dashboard GUI

Cisco IOS XE GUI

AUTHENTICATING WIRELESS
CLIENTS
Before a wireless client device can communicate on your
network through the access point, the client device must
authenticate to the access point by using open or
shared-key authentication. Networks can leverage many
technologies and protocols to protect information sent
wirelessly. This section explores different methods to
authenticate wireless clients before they are granted
access to the wireless network. Note that the figures
used throughout this client authentication section are
from the Cisco AireOS Advanced configuration GUI.

Open Authentication
Open authentication allows any device to authenticate
and then attempt to communicate with the access point.
Open authentication is true to its name; it offers open
access to a WLAN. The only requirement is that a client
must use an 802.11 authentication request before it
attempts to associate with an AP. No other credentials
are needed.

To create a WLAN with open authentication, first create

a new WLAN. From the Advanced Monitor Summary
screen, click WLANs in the top menu bar. You will see
a list of already configured WLANs. Figure 12-1 shows
one WLAN already created, named CCNPPCG. Click the
Go button to create a new WLAN.

Figure 12-1 Creating a New WLAN

On the next screen, choose WLAN from the Type drop-
down menu, enter the profile name and SSID, and
choose your ID. The typical configuration, but not
required, is to have the same profile name and SSID.
Figure 12-2 shows this completed page, using 10 as the
ID, to match with VLAN 10. Your choices for ID number
range from 1 to 512. Click Apply when finished.

Figure 12-2 New WLAN Created

The next screen shows you what you entered on the

previous screen. Verify that the information is correct
and ensure that the Enabled check box for this new
WLAN is checked, as shown in Figure 12-3.
Figure 12-3 Enabling the New WLAN

Note
If you do not enable the WLAN, you will not be able to join the Cisco Wireless LAN Controller
(WLC) from your wireless client.

Next, click the Security tab to configure the WLAN

security and user authentication parameters. Click the
Layer 2 subtab, then choose None from the Layer 2
Security drop-down menu to configure open
authentication, as shown in Figure 12-4.
Figure 12-4 Configuring Open Authentication for a
WLAN

When you are finished configuring the WLAN, click the

Apply button. Return to the General tab and verify
that the Security Policies field is set to None, as shown
in Figure 12-5. Click the Apply button when finished.
Figure 12-6 confirms that the new WLAN has been
created and that there is no authentication set when
showing the list of created WLANs.
Figure 12-5 Verifying Open Authentication in the
WLAN Configuration

Figure 12-6 Verifying Open Authentication from

the List of WLANs

Authenticating with a Pre-shared Key

When the Wired Equivalent Privacy (WEP) standard
was found to be weak and easily breakable, both the
Electrical and Electronics Engineers (IEEE) 802.11
committee and the Wi-Fi Alliance worked to replace it.
Two generations of solutions emerged: Wi-Fi Protected
Access (WPA) in 2003 and its successor, WPA2, in
2004. These solutions offer a security framework for
authentication and encryption. In 2018, the Wi-Fi
Alliance announced the release of WPA3 with several
security improvements over WPA2.

WPA2 is the current implementation of the 802.11i

security standard and deprecates the use of WEP and
WPA. WPA2, being 802.11i compliant, is the current
standard for enterprise networks. Unlike WPA, WPA2
provides support for IEEE 802.11n/ac. WPA2 provides
either 802.1X or PSK authentication, and determines
two modes of wireless protected access.

WPA2 Personal Mode

Uses WPA2-PSK (Pre-Shared Key) authentication; a

common key is statically configured on the client and
the AP.

Designed for environments where there is no RADIUS

authentication server.

Provides inadequate security for an enterprise wireless

network; if attackers break the WPA2 PSK, they can
access all device data.
WPA2 Enterprise Mode

Uses IEEE 802.1X and EAP authentication; each user

or device is individually authenticated.

Incorporates a RADIUS authentication server for

authentication and key management.

Used by enterprise-class networks.

802.1X
You can configure WPA2 Personal mode and the pre-
shared key in one step. Figures 12-7 and 12-8 show the
screen in which this can occur. Click the WLANs tab
and either click Go to create a new WLAN, or select the
WLAN ID of an existing WLAN to edit. Make sure that
the parameters on the General tab are set
appropriately. Click the Security tab followed by the
Layer 2 subtab. Here you can choose the Layer 2
security option you require. Figure 12-7 shows
WPA+WPA2 being selected for the WLAN named
CCNPPCG. In the WPA+WPA2 Parameters section,
WPA Policy is unchecked, leaving only WPA2 Policy and
WPA2 Encryption AES selected.
Figure 12-7 Selecting WPA2 Personal Security for a
WLAN

The bottom portion of the Layer 2 subtab is the

Authentication Key Management section. Check the
Enable check box to enable PSK, and then enter the
pre-shared key string in the box next to PSK Format, as
shown Figure 12-8.
Figure 12-8 Selecting the Authentication Key
Management Options

Tip
The controller will allow you to check both the WPA Policy and WPA2 Policy check boxes. You
should do this only if you have legacy equipment that requires WPA support.

You can verify the security settings from the General

tab for the WLAN. Click Apply to commit the changes.
Figure 12-9 shows the Security Policies for the
CCNPPCG WLAN have seen set to [WPA2][Auth(PSK)].
This is also shown in Figure 12-10.
Figure 12-9 Verifying PSK Authentication in WLAN
Configuration

Figure 12-10 Verifying PSK Authentication in

WLAN Summary Page

Authenticating with EAP

Rather than build additional authentication methods
into the 802.11 standard, the Extensible Authentication
Protocol (EAP) offers a more flexible and scalable
authentication framework. As its name implies, EAP is
extensible and does not consist of any one
authentication method. Instead, EAP defines a set of
common functions that actual authentication methods
can use to authenticate users.

EAP has another interesting quality: It can integrate

with the IEEE 802.1X port-based access control
standard. When 802.1X is enabled, it limits access to a
network media until a client authenticates. This means
that a wireless client might be able to associate with an
AP, but will not be able to pass data to any other part of
the network until it successfully authenticates.

With open and PSK authentication, wireless clients are

authenticated locally at the AP without further
intervention. The scenario changes with 802.1X; the
client uses open authentication to associate with the AP,
and then the actual client authentication process occurs
at a dedicated authentication server.

The authentication server functionality in the EAP

process can be provided by the following:

Locally by a Cisco Wireless LAN Controller (referred to

as local EAP)

Local EAP can use either the local user database

or a Lightweight Directory Access Protocol
(LDAP) database to authenticate users. Local
EAP can also be used as a backup for RADIUS
authentication. This approach allows wireless
clients to authenticate even if the controller
loses connectivity to the RADIUS server.

Globally by a RADIUS server such as:

Cisco Identity Services Engine (ISE)

Microsoft Server that is configured for RADIUS-

NPS

Any RADIUS-compliant server

802.1X and EAP address authentication but not

encryption. 802.1X and EAP can be used with or
without encryption. For 802.1X and EAP
authentication, all packets must be relayed between the
client and the authentication server. The content of the
EAP messages is of no importance to the controller and
AP, which simply relay the information.

There are multiple types of EAP. The three current most

commonly used are EAP-TLS, PEAP, and EAP-FAST.
PEAP is currently the most prominently used, as it is
used with Microsoft servers; however, EAP-TLS is
gaining in popularity because it can be supported by
Cisco ISE.

Configuring EAP-based Authentication with External

RADIUS Servers
Begin by configuring one or more external RADIUS
servers on the controller. Navigate to Security > AAA
> RADIUS > Authentication. Click the New button
to define a new server or select the Server Index number
to edit an existing server definition. In Figure 12-11, a
new RADIUS server is being defined. Navigate to
Security > AAA > RADIUS > Authentication and
enter the appropriate information, and make sure the
RADIUS port number is correct and that the Server
Status is set to Enabled. Click Apply when you are
finished.
Figure 12-11 Defining a RADIUS Server for WPA2
Enterprise Authentication

Next, you need to enable 802.1X authentication on the

WLAN. Navigate to WLANs and either click Go to
create a new WLAN or click the number of an existing
WLAN in the WLAN ID column to edit it. As an
example, configure the WLAN security to use WPA2
Enterprise. Under the Security > Layer 2 subtab,
select WPA+WPA2 and make sure that the WPA2
Policy check box is checked and that the WPA Policy
check box is not checked. Beside WPA2 Encryption,
check the box next to AES to use the most robust
encryption. In the Authentication Key Management
section, check the Enable check box next to 802.1X to
enable the Enterprise mode. Make sure that the Enable
check box next to PSK is not checked so that Personal
mode will remain disabled. Figures 12-12 and 12-13
illustrate the settings that are needed to configure
WPA2 Enterprise mode with 802.1X authentication.

Figure 12-12 Enabling WPA2 Enterprise Mode with

802.1X Authentication
Figure 12-13 Enabling WPA2 Enterprise Mode with
802.1X Authentication, Part 2

By default, a controller will use the global list of

RADIUS servers in the order you have defined under
Security > AAA > RADIUS > Authentication. You
can override that list from the AAA Servers tab, where
you can define which RADIUS servers will be used for
802.1X authentication. You can define up to six
RADIUS servers that will be tried in sequential order,
designated as Server 1, Server 2, and so on. Choose a
predefined server by clicking the drop-down menu next
to one of the server entries. In Figure 12-14, the
RADIUS server at 192.168.100.9 will be used as Server
1. After selecting your servers, you can edit other
parameters or click Apply to make your configuration
changes operational.

Figure 12-14 Selecting RADIUS Servers to

Authenticate Clients in the WLAN

Configuring EAP-based Authentication with Local EAP

If your environment is relatively small or you do not
have a RADIUS server in production, you can use an
authentication server that is built in to the Wireless LAN
Controller. This is called local EAP, which supports
LEAP, EAP-FAST, PEAP, and EAP-TLS.

First, you need to define and enable the local EAP

service on the controller. Navigate to Security > Local
EAP > Profiles and click the New button. Enter a
name for the local EAP profile, which will be used to
define the authentication server methods. In Figure 12-
15, a new profile called LocalEAP has been defined.
Click the Apply button to create the profile. Now you
should see the new profile listed, along with the
authentication methods it supports, as shown in Figure
12-16. From this list, you can check or uncheck the
boxes to enable or disable each method. In this example,
LocalEAP has been configured to use PEAP.

Figure 12-15 Defining a Local EAP Profile on a

Controller
Figure 12-16 Displaying Configured Local EAP
Profiles

Next, you need to configure the WLAN to use the local

EAP server rather than a regular external RADIUS
server. Navigate to WLANs, click the WLAN’s number
in the WLAN ID column, and then select the Security
> Layer 2 subtab and enable WPA2, AES, and 802.1X
as before.

If you have defined any RADIUS servers in the global

list under Security > AAA > RADIUS >
Authentication or any specific RADIUS servers in the
WLAN configuration, the controller will use those first.
Local EAP will then be used as a backup method.

To make local EAP the primary authentication method,

you must make sure that no RADIUS servers are defined
on the controller. Click the AAA Servers tab and make
sure that all three RADIUS servers are set to None in
the drop-down menus, as shown in Figure 12-17.
Figure 12-17 Removing RADIUS Servers for
Authentication

On the bottom of the same screen, in the Local EAP

Authentication section, check the Enabled check box to
begin using the local EAP server. Select the EAP profile
name that you have previously configured. In Figure 12-
18, the local EAP authentication server is enabled and
will use the LocalEAP profile, which was configured for
PEAP.
Figure 12-18 Enabling Local EAP Authentication
for a WLAN

Because the local EAP server is local to the controller,

you will have to maintain a local database of users or
define one or more LDAP servers on the controller. You
can create users by navigating to Security > AAA >
Local Net Users. In Figure 12-19, a user named
testuser has been defined and authorized for access to
the Support_Staff WLAN.
Figure 12-19 Creating a Local User for Local EAP
Authentication

Verifying EAP-based Authentication Configuration

You can verify the WLAN and its security settings from
the list of WLANs by selecting WLANs > WLAN, as
shown in Figure 12-20. For EAP-based authentication,
the Security Policies field should display
[Auth(802.1X)]. You can also verify that the WLAN
status is enabled and active.

Figure 12-20 Verifying EAP Authentication on a

WLAN

Authenticating with WebAuth

WebAuth is a process that allows users, typically guests,
to authenticate to the network through a web portal via
a browser interface. Clients that attempt to access the
WLAN using HTTP are automatically redirected to a
login page where they are prompted for their
credentials. Their credentials are then passed to an
authentication server, which then assigns the
appropriate VLAN and ACLs for guest access to the
Internet.

Tip
Web authentication can be handled locally on the WLC for smaller environments through
local web authentication (LWA). When there are many controllers providing web
authentication, it makes sense to use LWA with an external database on a RADIUS server
such as Cisco ISE, keeping the user database centralized.

To configure WebAuth on a WLAN, first create the new

WLAN and map it to the correct VLAN. Go to the
General tab and enter the SSID string, apply the
appropriate controller interface, and change the status
to Enabled.

On the Security tab, click the Layer 2 subtab to

choose a wireless security scheme to be used on the
WLAN. In Figure 12-21, the WLAN is named
Guest_webauth, the SSID is Guest_webauth, and open
authentication will be used because the None method
has been selected.
Figure 12-21 Configuring Open Authentication for
WebAuth

Next, click the Security > Layer 3 subtab and choose

the Layer 3 Security type Web Policy, as shown in
Figure 12-22. When the Authentication radio button
is selected (the default), web authentication will be
performed locally on the WLC by prompting the user for
credentials that will be checked against RADIUS, LDAP,
or local EAP servers. In Figure 12-22, Passthrough has
been selected, which will display web content such as an
acceptable use policy to the user and prompt for
acceptance. Through the other radio buttons, WebAuth
can redirect the user to an external web server for
content and interaction. Click the Apply button to
apply the changes to the WLAN configuration.
Figure 12-22 Configuring WebAuth with
Passthrough Authentication

You will need to configure the WLC’s local web server

with content to display during a WebAuth session.
Navigate to Security > Web Auth > Web Login
Page, as shown in Figure 12-23. By default, internal
WebAuth is used. You can enter the web content that
will be displayed to the user by defining a text string to
be used as the headline, as well as a block of message
text.
Figure 12-23 Configuring the WebAuth Page
Content

Figure 12-24 shows the web content that is presented to

a user that attempts to connect to the WLAN. The user
must click the Submit button to be granted network
access.
Figure 12-24 Example Web Content Presented by
WebAuth Passthrough

You can verify the WebAuth security settings from the

list of WLANs by selecting WLANs > WLAN. Figure
12-25 shows that WLAN 100 with SSID Guest_webauth
uses the Web-Passthrough security policy. You can also
verify that the WLAN status is enabled and active.

Figure 12-25 Verifying WebAuth Authentication on

a WLAN
TROUBLESHOOTING FROM THE
WIRELESS LAN CONTROLLER
The Cisco Wireless LAN Controller (WLC) interface can
be accessed using either of two modes: the command-
line interface (CLI) or the graphical user interface
(GUI). Unless you are using a network management
system, the Cisco WLC GUI is where you will typically
monitor your system. Here, you have access to overall
health and specific issues in your WLAN. Depending on
the model of WLC that you are using, you will see
different GUIs. The following sections introduce, in
turn, the Cisco AireOS Monitoring Dashboard GUI, the
Cisco AireOS Advanced GUI, the Cisco IOS XE GUI, and
the Cisco AireOS/IOS XE CLI.

Cisco AireOS Monitoring Dashboard GUI

The Cisco AireOS controller GUI has a new monitoring
dashboard that gives a single-window overview of the
network devices that are connected to the controller.
The Monitoring Dashboard screen is the default screen
when you log in to the GUI of the AireOS controller.
This screen is split into sections: numerical statistics
and graphical widgets, as shown in Figure 12-26 and
described next. From there it is possible to access the
Advanced GUI (introduced in the next section) by
clicking the Advanced menu item in the top right of
the Monitoring Dashboard screen, as highlighted in
Figure 12-26.

Figure 12-26 Cisco AireOS Monitoring Dashboard

Numerical Statistics
The top section of the dashboard (see Figure 12-27) is
where you get a quick view of what is found on the
network:

Wireless Networks: Shows the number of WLANs

enabled and disabled on this WLC
Wired Networks: Shows the number of remote LANs
and clients that are associated to the network (not
displayed in Figure 12-27)

Access Points: Shows the number of active Cisco APs

in the network

Active Clients: Shows the number of 2.4- and 5-GHz

clients in the network

Rogues: Shows the number of

unauthorized/unclassified APs and clients found in
your network

Interferers: Shows the number of detected

interference devices on the 2.4- and 5-GHz bands

Figure 12-27 Cisco WLC Network Summary

Statistics

Graphical Widgets
These graphical widgets (see Figure 12-28) present the
numbers in the form of graphs. You can select the
widgets to display from the available list:

Access Points

Operating Systems
Clients

Applications

Top WLANs (not displayed in Figure 12-28)

Figure 12-28 Cisco WLC Network Summary

Widgets

From the Monitoring navigation pane along the left side

of the dashboard (refer to Figure 12-26), you have the
following options that are useful for troubleshooting:

Network Summary > Access Points: Displays the

list of Cisco APs connected to the controller

Network Summary > Clients: Displays the list of

clients connected to the controller (partially shown in
Figure 12-28)
This Monitoring Dashboard is quite limited. For further
troubleshooting options, access the Cisco AireOS
Advanced GUI by clicking the Advanced button.

Cisco AireOS Advanced GUI

The Cisco AireOS WLC Advanced GUI includes the
following troubleshooting options and menus:

Monitor tab Summary screen (shown in Figure 12-29)

Controller Summary: Overall health of the

WLC

Most Recent Traps: Quick view of the trap

logs

Access Point Summary: How many APs or

radios are up or down

Client Summary: How many clients (plus any

issues)

Wireless tab All APs screen

Displays the physical AP uptime and sorts by

WLC associated time

Check the bottom of the AP list for any recent

AP disruptions
Select the AP to see controller associated time
(duration)

Management tab

Message Logs: Message information on

system conditions (for example, mobility group
connection failure)

Trap Logs: Show rogues, AP and channel

changes, and invalid settings

Tech Support: Information that the Cisco

Technical Assistance Center (TAC) may require

Monitor tab Cisco CleanAir screen

Check for interference devices per radio and AP

(are they severe, and what is the duty cycle?)

Examine the Worst Air Quality Report to get a

quick summary

Run the AQI report to get details on what the

effect is to the WLAN
Figure 12-29 Cisco WLC Advanced GUI Page

Cisco IOS XE GUI

The Cisco IOS XE WLC GUI offers a new monitoring
dashboard when you first log in. Like the AireOS GUI, it
has a series of menus and widgets, as shown in Figure
12-30. The options available from the navigation pane
on the left are as follows:

Dashboard: This is the home screen for the IOS XE

GUI. This page offers numerical information about
WLANs, APs, Clients, Rogue APs, and Interferers, as
well as graphical widgets relating to APs, clients, and
system statistics. This is very similar to what is found in
the AireOS Monitoring Dashboard GUI.
Monitoring: This menu includes options to view
information about general controller details, network
services, and wireless APs and clients.

Configuration: This menu includes options for

configuring controller interfaces, routing protocols,
security, RF, network services, tags, profiles, and
WLANs.

Administration: This menu includes options for

accessing the CLI, and configuring DNS parameters,
DHCP pools, licensing, software upgrades, and
administrative users.

Troubleshooting: This screen enables you to access

troubleshooting tools such as syslog and debug, as well
as packet capture, ping, and traceroute.
Figure 12-30 Cisco IOS XE GUI Dashboard

Cisco AireOS/IOS XE CLI

You may not always have access to the GUI of your
Cisco Wireless LAN Controller, so it is good to know a
few CLI commands to quickly access important
troubleshooting information.

The Wireless LAN Controller CLI show commands to

monitor the WLAN are listed in the following table.
When the show commands differ between AireOS and
IOS XE, both commands are listed in that order.
Clients

(Cisco Displays a summary of clients

Controller) > associated with a Cisco lightweight
show client access point
summary [ssid
| ip |
username |
devicetype]

IOSXE# show
wireless
client summary

(Cisco Displays client information learned

Controller) > through DNS snooping, including
show client client username, associated AP,
detail mac- SSID, IP address, supported data
address rates, mobility state, security, and
VLAN

IOSXE# show
wireless
client mac-
address mac-
address detail

(Cisco Displays the clients on a radio for

Controller) > an AP
show client ap
{802.11a |
802.11b} ap-
name

IOSXE# show
wireless
client ap name
ap-name dot11
{24ghz | 5ghz}

Logs

(Cisco Displays the latest SNMP trap log

Controller) > information
show traplog

(Cisco Displays the syslog facility logging

Controller) > parameters, current log severity
show logging level, and buffer contents
Radios

(Cisco Displays radio networking settings

Controller) > (status, rates, supported, power,
show {802.11a and channel)
| 802.11b |
802.11h}

IOSXE# show ap
dot11 {24ghz |
5ghz} network

WLANs

(Cisco Displays WLAN information

Controller) > (name, security, status, and all
settings). Keywords include

IOSXE#
apgroups: Displays access point
group information
show wlan
{apgroups |
summary | summary: Displays a summary of
all WLANs
wlan-id |
foreignAp |
lobby- admin- wlan_id: Displays the
access} configuration of a WLAN. The
WLAN identifier range is from 1 to
512

foreignAp: Displays the

configuration for support of foreign
access points

lobby-admin-access: Displays
all WLANs that have lobby-admin-
access enabled

APs

(Cisco Displays AP detailed configuration

Controller) > settings by radio
show ap config
{802.11a |
802.11b}
[summary] ap-
name

IOSXE# show ap
dot11 {24ghz |
5ghz} summary
(Cisco Displays general AP configuration
Controller) > information
show ap config
general ap-
name

IOSXE# show ap
name ap-name
config general

(Cisco Displays MAC, IP address, name,

Controller) > and join status of all APs joined
show ap join
stats summary
ap-mac

IOSXE# show ap
mac-address
mac-

address join
stats
{detailed |
summary}
WLC# show ap
join stats
summary

(Cisco Displays APs (model, MAC, IP

Controller) > address, country, and number of
clients)

IOSXE#

show ap
summary [ap-
name]

(Cisco Displays WLAN IDs, interfaces,

Controller) > and BSSID
show ap wlan
{802.11a |
802.11b} ap-
name

IOSXE# show ap
name ap-name
wlan dot11
{24ghz | 5ghz
}
Note
When logging output from the Wireless LAN Controller, enter the config paging disable
command first to stop page breaks.

Just as with routers and switches, debug commands

are available on the Cisco WLC. One particular debug
command that may be useful for troubleshooting
wireless client connectivity is debug client
mac_address. It is a macro that enables eight debug
commands, plus a filter on the MAC address that is
provided, so only messages that contain the specified
MAC address are shown. The eight debug commands
show the most important details about client association
and authentication. The filter helps with situations
where there are multiple wireless clients and too much
output is generated, or the controller is overloaded
when debugging is enabled without the filter.

TROUBLESHOOTING WIRELESS
CLIENT CONNECTIVITY
If clients are reporting problems, a good place to start
troubleshooting is at the Cisco Wireless LAN Controller.
This section shows the output from two different GUIs:
the Cisco AireOS Monitoring Dashboard GUI and the
Cisco IOS XE GUI.

Cisco AireOS Monitoring Dashboard GUI

From the Monitoring pane along the left side of the
AireOS Dashboard GUI, select Network Summary >
Access Points to check if the APs are functioning
correctly.

The Access Point View page, shown in Figure 12-31, is

displayed when an AP is selected. The AP details section
provides tabs with information on the clients, RF
Troubleshooting with neighboring and rogue APs (2.4
and 5 GHz) found in the surroundings, Clean Air with
active interferers, and the tool tab to restart the AP.
Figure 12-31 Cisco AireOS WLC Access Point View
Details

Next, navigate to Network Summary > Clients. The

Client View page is displayed when a client is selected.
On this page, the client’s general details are shown.
There are two infographic representations on the Client
View page. The first infographic (see Figure 12-32)
shows the connection stage of the client.
Figure 12-32 Cisco AireOS WLC Client View Details
Connectivity Stage

The second infographic (see Figure 12-33) shows the

connectivity roadmap between the controller and the
client. It also shows the types of connection and the path
that is used in the network from the controller to the
client.
Figure 12-33 Cisco AireOS WLC Client View Details
Connectivity Roadmap

The Client View page also offers the following debugging

tools, as shown in Figure 12-34, to assess the
connectivity from the client with the controller:

Ping Test: Helps to determine the connectivity status

and the latency between the two systems in a network

Connection: Shows the connection logs for a client

Event Log: Records the events and the option to save

the logs to a spreadsheet

Packet Capture: Provides various options to get

precise information about the flow of packets to help
resolve issues
Figure 12-34 Cisco AireOS WLC Client Test Tools

You can also go to the top right side of the Monitor

Dashboard screen and click Advanced to be taken to
the Monitor screen in the controller. From there you can
drill down on any of the issues from that screen and
menus. Click Clients from the menu on the left to
display a list of all wireless clients associated with the
WLC. From there, clicking a MAC address displays
detailed information for that client, as shown in Figure
12-35.
Figure 12-35 Verifying Client Details

The Clients > Detail page displays the IP address, the

VLAN ID, the Policy Manager State, the type of security
that client is using, the AP name and WLAN profile, as
well as the client Reason Code and client Status Code.

The Policy Manager State will display one of these

messages relating to the authentication state of the
client:

START: Initializing the authentication process

802.1X-REQD: 802.1X (L2) authentication pending

DHCP_REQD: IP learning state

WEBAUTH_REQD: Web (L3) Authentication

pending

RUN: Client traffic forwarding

The client Reason Code can be one of the following:

no reason Indicates normal operation

code (0)

unspecified Indicates that the client associated but is

reason (1) no longer authorized

previousAuth Indicates that the client associated but

NotValid (2) was not authorized

deauthenticat Indicates that the AP went offline,

ionLeaving deauthenticating the client
(3)

disassociation Indicates that the client session was

DueToInactivi timeout exceeded
ty (4)
disassociation Indicates that the AP is busy, for
APBusy (5) example, performing load balancing

class2FrameF Indicates that the client attempted to

romNonAuth transfer data before it was authenticated
Station (6)

class2FrameF Indicates that the client attempted to

romNonAssSt transfer data before it was associated
ation (7)

disassociation Indicates that the operating system

StaHasLeft moved the client to another AP using
(8) nonaggressive load balancing

staReqAssoci Indicates that the client is not authorized

ationWithout yet and is still attempting to associate
Auth (9) with the AP

missingReaso Indicates that the client is momentarily

nCode (99) in an unknown state

The client Status Code may be one of the following:

idle (0) Indicates normal operation; no rejections of
client association requests

aaaPen Indicates that a AAA transaction completed

ding
(1)

authen Indicates that 802.11 authentication completed

ticated
(2)

associa Indicates that 802.11 association completed

ted (3)

powers Indicates that the client is in power-save mode

ave (4)

disasso Indicates that the 802.11 disassociation

ciated completed
(5)

tobedel Indicates that the client should be deleted after

eted disassociation
(6)

probin Indicates that the client is not associated or

g (7) authorized yet

disable Indicates that the operating system

d (8) automatically disabled the client for an
operator-defined time

Cisco IOS XE GUI

When troubleshooting client connectivity from the IOS
XE controller GUI, you can use the Monitoring menu.
First, navigating to Monitoring > AP Statistics will
list all APs associated with the WLC. Clicking a specific
AP will display general information about that AP,
including AP name, IP address, model, power status,
number of clients, and RF utilization, as shown in
Figure 12-36.
Figure 12-36 Verifying AP Details in IOS XE WLC

For specific client information, navigate to Monitoring

> Clients and select a client from the list of all clients
associated with the WLC. As shown in Figure 12-37, you
can observe general client properties, AP properties,
security information, and client statistics.
Figure 12-37 Verifying Client Details in IOS XE
WLC
Part VII: Overlays and Virtualization
Chapter 13
Overlay Tunnels and VRF

This chapter provides information about the following

topics:

Generic Routing Encapsulation (GRE)

Configuring an IPv4 GRE tunnel

Configuring an IPv6 GRE tunnel

Verifying IPv4 and IPv6 GRE tunnels

Configuration example: IPv4 and IPv6 GRE

tunnels with OSPFv3

Site-to-site GRE over IPsec

GRE/IPsec using crypto maps

GRE/IPsec using tunnel IPsec profiles

Verifying GRE/IPsec

Site-to-site virtual tunnel interface (VTI) over IPsec

Cisco Dynamic Multipoint VPN (DMVPN)

Configuration example: Cisco DMVPN for IPv4

Verifying Cisco DMVPN

VRF-Lite

Configuring VRF-Lite

Verifying VRF-Lite

Caution
Your hardware platform or software release might not support all the commands
documented in this chapter. Please refer to Cisco.com for specific platform and software
release notes.

GENERIC ROUTING ENCAPSULATION

(GRE)
GRE, defined in RFC 2784, is a carrier protocol that can
be used with a variety of underlying transport protocols
and that can carry a variety of passenger protocols. RFC
2784 also covers the use of GRE with IPv4 as the
transport protocol and the passenger protocol. Cisco
IOS Software supports GRE as the carrier protocol with
many combinations of passenger and transport
protocols such as:
GRE over IPv4 networks: GRE is the carrier
protocol, and IPv4 is the transport protocol. This is the
most common type of GRE tunnel.

GRE over IPv6 networks: GRE is the carrier

protocol, and IPv6 is the transport protocol. Cisco IOS
Software supports IPv4 and IPv6 as passenger
protocols with GRE/IPv6.

Configuring an IPv4 GRE Tunnel

Perform the following configuration steps to configure a
GRE tunnel. A tunnel interface is used to transport
protocol traffic across a network that does not normally
support the protocol. To build a tunnel, a tunnel
interface must be defined on each of two routers and the
tunnel interfaces must reference each other. At each
router, the tunnel interface must be configured with a
Layer 3 address. The tunnel endpoints, tunnel source,
and tunnel destination must be defined, and the type of
tunnel must be selected. Optional steps can be
performed to customize the tunnel.

Router(co Moves to interface configuration mode

nfig)#
interface
tunnel 0
Router(co Specifies the encapsulation protocol to be
nfig-if)# used in the tunnel. By default, the tunnel
tunnel protocol is GRE and the transport protocol
mode gre is IPv4; therefore entering this command is
ip optional and won’t appear in the device’s
running configuration

Router(co Assigns an IP address and subnet mask to

nfig-if)# the tunnel interface
ip
address
192.168.1
.1
255.255.2
55.0

Router(co Identifies the local source of the tunnel.

nfig-if)# You can use either an interface name or the
tunnel IP address of the interface that will
source transmit tunneled packets
209.165.2
01.1
Note

Or The tunnel source can be a physical interface or a loopback

interface
Router(co
nfig-if)#
tunnel
source
gigabitet
hernet
0/0/0

Router(co Identifies the remote destination IP

nfig-if)# address
tunnel
destinati
on
198.51.10
0.1

Router(co Defines the tunnel bandwidth for use with

nfig-if)# a routing protocol or QoS in kilobits per
bandwidth second. In the example, the bandwidth is
8192 set to 8192 Kbps

Router(co Sets the tunnel keepalives to 3 seconds and

nfig-if)# the number of retries to five to ensure that
keepalive bidirectional communication exists
3 5 between tunnel endpoints. The default
timer is 10 seconds, with three retries
Router(co Set the maximum transmission unit (MTU)
nfig-if)# size of IP packets sent on an interface to
ip mtu 1400 bytes. The default MTU is 1500 bytes
1400

Note

The GRE tunnel adds a minimum of 24 bytes to the packet

size

Configuring an IPv6 GRE Tunnel

The same process that is described for IPv4 is used to
configure an IPv6 GRE tunnel.

Router(con Moves to interface configuration mode

fig)#
interface
tunnel 1

Router(con Specifies the encapsulation protocol to

fig-if)# be used in the tunnel
tunnel
mode gre
ipv6

Router(con Assigns an IPv6 address and subnet

fig-if)# mask to the tunnel interface
ip address
2001:db8:1
92:100::1/
64

Router(con Identifies the local source of the tunnel.

fig-if)# You can use either an interface name or
tunnel the IPv6 address of the interface that will
source transmit tunneled packets
2001:db8:2
09:201::1
Note

Or The tunnel source can be a physical interface or a

loopback interface

Router(con
fig-if)#
tunnel
source
gigabiteth
ernet
0/0/0
Router(con Identifies the remote destination IPv6
fig-if)# address
tunnel
destinatio
n
2001:db8:1
98:51::1

Router(con Defines the tunnel bandwidth for use

fig-if)# with a routing protocol or QoS in kilobits
bandwidth per second. In the example, the
4096 bandwidth is set to 4096 Kbps

Router(con Sets the tunnel keepalives to 3 seconds

fig-if)# and the number of retries to five to
keepalive ensure that bidirectional communication
3 5 exists between tunnel endpoints. The
default timer is 10 seconds, with three
retries

Router(con Set the maximum transmission unit

fig-if)# (MTU) size of IPv6 packets sent on an
ipv6 mtu interface to 1400 bytes. The default MTU
1400 is 1500 bytes
Note

The GRE tunnel adds a minimum of 24 bytes to the

packet size

Verifying IPv4 and IPv6 GRE Tunnels

Router# show Displays general

interfaces tunnel information about the
number tunnel interface

Router# show ip Displays IPv4 information

interface tunnel about the tunnel interface
number

Router# show ipv6 Displays IPv6 information

interface tunnel about the tunnel interface
number

Configuration Example: IPv4 and IPv6 GRE Tunnels

with OSPFv3
Figure 13-1 shows the network topology for the
configuration that follows, which demonstrates how to
configure IPv4 and IPv6 GRE tunnels to allow for
OSPFv3 connectivity between two customer edge
routers that peer with separate ISP routers. This
example assumes that ISP1 and ISP2 are configured to
route traffic across the underlay network between CE1
and CE2. Tunnel 0 is used for IPv4 and Tunnel 1 is used
for IPv6.

Figure 13-1 Network Topology for IPv4/IPv6 GRE

Example

The example is built following these steps:

Step 1. Underlay configuration (physical/logical
interfaces, default routing).
Step 2. Overlay configuration (tunnel interfaces).

Step 3. Overlay routing with OSPFv3.

Step 1: Underlay Configuration

CE1(config)# ipv6 Enables routing for

unicast-routing IPv6 packets

CE1(config)# interface Enters interface

gigabitethernet 0/0/0 configuration mode

CE1(config-if)# ip Applies an IPv4

address 209.165.201.1 address to the interface
255.255.255.252

CE1(config-if)# ipv6 Applies an IPv6

address address to the interface
2001:db8:209:201::1/64

CE1(config-if)# no Enables the interface

shutdown
CE1(config-if)# exit Exits interface
configuration mode

CE1(config)# interface Enters interface

loopback 0 configuration mode

CE1(config-if)# ip Applies an IPv4

address 10.1.1.1 address to the interface
255.255.255.0

CE1(config-if)# ipv6 Applies an IPv6

address address to the interface
2001:db8:10:1::1/64

CE1(config-if)# exit Exits interface

configuration mode

CE1(config)# ip route Defines an IPv4 default

0.0.0.0 0.0.0.0 route to send all
209.165.201.2 packets to ISP1

CE1(config)# ipv6 route Defines an IPv6 default

::/0 route to send all
2001:db8:209:201::2 packets to ISP1
CE2(config)# ipv6 Enables routing for
unicast-routing IPv6 packets

CE2(config)# interface Enters interface

gigabitethernet 0/0/0 configuration mode

CE2(config-if)# ip Applies an IPv4

address 198.51.100.1 address to the interface
255.255.255.252

CE2(config-if)# ipv6 Applies an IPv6

address address to the interface
2001:db8:198:51::1/64

CE2(config-if)# no Enables the interface

shutdown

CE2(config-if)# exit Exits interface

configuration mode

CE2(config)# interface Enters interface

loopback 0 configuration mode

CE2(config-if)# ip Applies an IPv4

address 10.2.2.1 address to the interface
255.255.255.0

CE2(config-if)# ipv6 Applies an IPv6

address address to the interface
2001:db8:10:2::1/64

CE2(config-if)# exit Exits interface

configuration mode

CE2(config)# ip route Defines an IPv4 default

0.0.0.0 0.0.0.0 route to send all
198.51.100.2 packets to ISP1

CE2(config)# ipv6 route Defines an IPv6 default

::/0 2001:db8:198:51::2 route to send all
packets to ISP1

Step 2: Overlay Configuration

CE1(config)# Enters interface configuration

interface mode
tunnel 0
CE1(config- Applies an IPv4 address to the
if)# ip interface
address
192.168.1.1
255.255.255.0

CE1(config- Defines the physical source of the

if)# tunnel tunnel
source
gigabitetherne
t 0/0/0

CE1(config- Defines the tunnel destination

if)# tunnel across the underlay network
destination
198.51.100.1

CE1(config- Enables GRE tunnel mode for IPv4.

if)# tunnel This is the default value and won’t
mode gre ip appear in the running
configuration

CE1(config- Lowers the MTU to 1400 bytes

if)# ip mtu from its default of 1500
1400
CE1(config- Enables IPv6 on the interface. This
if)# ipv6 is required for OSPFv3 routing in
enable the next step since there is no IPv6
address on Tunnel 0

CE1(config- Enters interface configuration

if)# interface mode
tunnel 1

CE1(config- Applies an IPv6 address to the

if)# ipv6 interface
address
2001:db8:192:1
00::1/64

CE1(config- Defines the physical source of the

if)# tunnel tunnel
source
gigabitetherne
t 0/0/0

CE1(config- Defines the tunnel destination

if)# tunnel across the underlay network
destination
2001:db8:198:5
1::1
CE1(config- Enables GRE tunnel mode for IPv6
if)# tunnel
mode gre ipv6

CE2(config)# Enters interface configuration

interface mode
tunnel 0

CE2(config- Applies an IPv4 address to the

if)# ip interface
address
192.168.1.2
255.255.255.0

CE2(config- Defines the physical source of the

if)# tunnel tunnel
source
gigabitetherne
t 0/0/0

CE2(config- Defines the tunnel destination

if)# tunnel across the underlay network
destination
209.165.201.1
CE2(config- Enables GRE tunnel mode for IPv4.
if)# tunnel This is the default value and won’t
mode gre ip appear in the running
configuration

CE2(config- Lowers the MTU to 1400 bytes

if)# ip mtu from its default of 1500
1400

CE2(config- Enables IPv6 on the interface. This

if)# ipv6 is required for OSPFv3 routing in
enable the next step since there is no IPv6
address on Tunnel 0

CE2(config- Enters interface configuration

if)# interface mode
tunnel 1

CE2(config- Applies an IPv6 address to the

if)# ipv6 interface
address
2001:db8:192:1
00::2/64

CE2(config- Defines the physical source of the

tunnel
if)# tunnel
source
gigabitetherne
t 0/0/0

CE2(config- Defines the tunnel destination

if)# tunnel across the underlay network
destination
2001:db8:209:2
01::1

CE2(config- Enables GRE tunnel mode for IPv6

if)# tunnel
mode gre ipv6

Step 3: Overlay Routing with OSPFv3

CE1(config)# Starts OSPFv3 with a process

router ospfv3 1 ID of 1

CE1(config- Creates the IPv4 unicast

router)# address- address family
family ipv4
unicast

CE1(config-router- Defines a router ID of 1.1.1.1

af)# router-id
1.1.1.1

CE1(config-router- Creates the IPv6 unicast

af)# address- address family
family ipv6
unicast

CE1(config-router- Defines a router ID of 1.1.1.1

af)# router-id
1.1.1.1

CE1(config-router- Enters interface

af)# interface configuration mode
tunnel 0

CE1(config-if)# Assigns the Tunnel 0

ospfv3 1 ipv4 area interface to area 0 for the
0 OSPFv3 IPv4 address family

CE1(config-if)# Enters interface

interface tunnel 1 configuration mode

CE1(config-if)# Assigns the Tunnel 1 interface

ospfv3 1 ipv6 area to area 0 for the OSPFv3 IPv6
0 address family

CE1(config-router- Enters interface

af)# interface configuration mode
loopback 0

CE1(config-if)# Assigns the Loopback 0

ospfv3 1 ipv4 area interface to area 1 for the
1 OSPFv3 IPv4 address family

CE1(config-if)# Assigns the Loopback 0

ospfv3 1 ipv6 area interface to area 1 for the
1 OSPFv3 IPv6 address family

CE2(config)# Starts OSPFv3 with a process

router ospfv3 1 ID of 1

CE2(config- Creates the IPv4 unicast

router)# address- address family
family ipv4
unicast
CE2(config-router- Defines a router ID of 2.2.2.2
af)# router-id
2.2.2.2

CE2(config-router- Creates the IPv6 unicast

af)# address- address family
family ipv6
unicast

CE2(config-router- Defines a router ID of 2.2.2.2

af)# router-id
2.2.2.2

CE2(config-router- Enters interface

af)# interface configuration mode
tunnel 0

CE2(config-if)# Assigns the Tunnel 0

ospfv3 1 ipv4 area interface to area 0 for the
0 OSPFv3 IPv4 address family

CE2(config-if)# Enters interface

interface tunnel 1 configuration mode
CE2(config-if)# Assigns the Tunnel 1 interface
ospfv3 1 ipv6 area to area 0 for the OSPFv3 IPv6
0 address family

CE2(config-router- Enters interface

af)# interface configuration mode
loopback 0

CE2(config-if)# Assigns the Loopback 0

ospfv3 1 ipv4 area interface to area 1 for the
1 OSPFv3 IPv4 address family

CE2(config-if)# Assigns the Loopback 0

ospfv3 1 ipv6 area interface to area 1 for the
1 OSPFv3 IPv6 address family

SITE-TO-SITE GRE OVER IPSEC

In GRE over IPsec (usually written GRE/IPsec for
short), data packets are first encapsulated within
GRE/IP, which results in a new IP packet being created
inside the router. This packet is then selected for
encryption (the traffic selector being GRE from local to
remote endpoint IP address), and encapsulated into
IPsec. Since a new IP header has already been added,
IPsec transport mode is generally used to keep the
overhead to a minimum. There are two different ways to
encrypt traffic over a GRE tunnel:

Using crypto maps (old method)

Using tunnel IPsec profiles (newer method)

Note
Even though crypto maps are no longer recommended for tunnels, they are still widely
deployed and should be understood.

The two GRE configuration scenarios that follow build

on the previous GRE example but focus only on IPv4.
You would configure one of the two scenarios, not both.
Refer to Figure 13-1 for addressing information.

GRE/IPsec Using Crypto Maps

After the GRE tunnel has been configured, follow these
steps to enable IPsec using crypto maps:

Step 1. Define a crypto ACL.

Step 2. Configure an ISAKMP policy for IKE SA.
Step 3. Configure pre-shared keys (PSKs).
Step 4. Create a transform set.
Step 5. Build a crypto map.
Step 6. Apply the crypto map to the outside interface.

Step 1: Define a Crypto ACL

CE1(config)# access- Defines the crypto ACL that

list 101 permit gre identifies traffic entering
host 192.168.1.1 the GRE tunnel. This traffic
host 192.168.1.2 is encrypted by IPsec

CE2(config)# access- The crypto ACL on CE2 is a

list 101 permit gre mirror image of the ACL on
host 192.168.1.2 CE1
host 192.168.1.1

Step 2: Configure an ISAKMP Policy for IKE SA (repeat

on CE2)

CE1(config)# Creates an ISAKMP policy number

crypto isakmp 1. Numbers range from 1 to 1000
policy 1

CE1(config- Enables the use of PSKs for

isakmp)# authentication. Option to use RSA
authentication signatures instead
pre-share

CE1(config- Enables SHA-256 for hashing.

isakmp)# hash Options are MD5, SHA, SHA-256,
sha256 SHA-384, and SHA-512

CE1(config- Enables AES-256 for encryption.

isakmp)# Options are DES, 3DES, and AES
encryption aes (128, 192, 256 bit)
256

CE1(config- Enables Diffie-Hellman group 14

isakmp)# group for key exchange. Options are
14 group 1, 2, 5, 14, 15, 16, 19, 20, 21,
or 24

Step 3: Configure PSKs

CE1(config)# crypto isakmp Defines a PSK

key secretkey address for neighbor
198.51.100.1 peer CE2
CE2(config)# crypto isakmp Defines a PSK
key secretkey address for neighbor
209.165.201.1 peer CE1

Step 4: Create a Transform Set (repeat on CE2)

CE1(config)# Defines an IPsec transform set

crypto ipsec called GRE-SEC that uses ESP
transform-set with AES-256 for encryption and
GRE-SEC esp-aes SHA-256 for authentication.
256 esp-sha256- Options are AH and MD5
hmac

CE1(cfg-crypto- Enables transport mode to avoid

trans)# mode double encapsulation from GRE
transport and IPsec. The other option
available is tunnel mode

Step 5: Build a Crypto Map (repeat on CE2 except for

the peer configuration)

CE1(config)# Creates an IPsec crypto map

crypto map called GREMAP with a sequence
GREMAP 1 ipsec- number of 1. Range is from 1 to
isakmp 65535

Note

A message will appear at the console

indicating that the crypto map will remain
disabled until a peer and a valid ACL have
been configured

CE1(config- Applies the previously configured

crypto-map)# crypto ACL to the crypto map
match address
101

CE1(config- Applies the previously configured

crypto-map)# set transform set to the crypto map
transform-set
GRE-SEC

CE1(config- Sets the remote peer, which in

crypto-map)# set this case is CE2
peer
198.51.100.1
CE2(config- Sets the remote peer, which in
crypto-map)# set this case is CE1
peer
209.165.201.1

Step 6: Apply the Crypto Map to Outside Interface

(repeat on CE2)

CE1(config)# Enters interface configuration

interface mode
gigabitethernet
0/0/0

CE1(config-if)# Applies the crypto map to the

crypto map GREMAP outside interface connected to
the ISP router

GRE/IPsec Using IPsec Profiles

After the GRE tunnel has been configured, follow these
steps to enable IPsec using IPsec profiles:

Step 1. Configure an ISAKMP policy for IKE SA.

Step 2. Configure PSKs.
Step 3. Create a transform set.
Step 4. Create an IPsec profile.
Step 5. Apply the IPsec profile to the tunnel interface.

Step 1: Configure an ISAKMP Policy for IKE SA (repeat

on CE2)

CE1(config)# Creates an ISAKMP policy number

crypto isakmp 1. Numbers range from 1 to 1000
policy 1

CE1(config- Enables the use of PSKs for

isakmp)# authentication. Option to use RSA
authentication signatures instead
pre-share

CE1(config- Enables SHA-256 for hashing

isakmp)# hash
sha256 Options are MD5, SHA, SHA-256,
SHA-384, SHA-512

CE1(config- Enables AES-256 for encryption

isakmp)#
encryption aes Options are DES, 3DES, and AES
256 (128, 192, 256 bit)

CE1(config- Enables Diffie-Hellman group 14

isakmp)# group for key exchange. Options are
14 group 1, 2, 5, 14, 15, 16, 19, 20, 21,
or 24

Step 2: Configure PSKs

CE1(config)# crypto isakmp Defines a PSK

key secretkey address for neighbor
198.51.100.1 peer CE2

CE2(config)# crypto isakmp Defines a PSK

key secretkey address for neighbor
209.165.201.1 peer CE1

Step 3: Create a Transform Set (repeat on CE2)

CE1(config)# Defines an IPsec transform set

called GRE-SEC that uses ESP
crypto ipsec with AES-256 for encryption and
transform-set SHA-256 for authentication.
GRE-SEC esp-aes Options are AH and MD5
256 esp-sha256-
hmac

CE1(cfg-crypto- Enables transport mode to avoid

trans)# mode double encapsulation from GRE
transport and IPsec. The other option is
available is tunnel mode

Step 4: Create an IPsec Profile (repeat on CE2)

CE1(config)# crypto Creates an IPsec profile

ipsec profile GRE- named GRE-PROFILE
PROFILE

CE1(ipsec-profile)# Applies the previously

set transform-set configured transform set to
GRE-SEC the IPsec profile
Step 5: Apply the IPsec Profile to Tunnel Interface
(repeat on CE2)

CE1(config)# Enters interface configuration

interface tunnel mode
0

CE1(config-if)# Applies the IPsec profile to the

tunnel tunnel interface, allowing IPsec
protection ipsec to encrypt traffic flowing
profile GRE- between CE1 and CE2
PROFILE

Verifying GRE/IPsec

CE1# show Displays current Internet Key

crypto isakmp Exchange (IKE) security associations
sa (SAs)

CE1# show Displays the settings used by IPsec

crypto ipsec security associations
sa
SITE-TO-SITE VIRTUAL TUNNEL
INTERFACE (VTI) OVER IPSEC
The use of IPsec virtual tunnel interfaces (VTIs)
simplifies the configuration process when you must
provide protection for site-to-site VPN tunnels. A major
benefit of IPsec VTIs is that the configuration does not
require a static mapping of IPsec sessions to a physical
interface. The use of IPsec VTIs simplifies the
configuration process when you must provide protection
for site-to-site VPN tunnels and offers a simpler
alternative to the use of Generic Routing Encapsulation
(GRE) tunnels for encapsulation and crypto maps with
IPsec.

The steps to enable a VTI over IPsec are very similar to

those for GRE over IPsec configuration using IPsec
profiles. The only difference is the addition of the
command tunnel mode ipsec {ipv4 | ipv6} under
the GRE tunnel interface to enable VTI on it and to
change the packet transport mode to tunnel mode. To
revert to GRE over IPsec, the command tunnel mode
gre {ip | ipv6} is used.

Assuming that the GRE tunnel is already configured for

IPsec using IPsec profiles as was described in the
previous configuration example, you would need to
make the following changes to migrate to a VTI over
IPsec site-to-site tunnel using pre-shared keys:

CE1

CE1(config)# Defines an IPsec transform set

crypto ipsec called GRE-SEC that uses ESP
transform-set with AES-256 for encryption and
GRE-SEC esp-aes SHA-256 for authentication.
256 esp-sha256- Options are AH and MD5
hmac

CE1(cfg-crypto- Enables tunnel mode for VTI

trans)# mode support
tunnel

CE1(cfg-crypto- Exits the transform set

trans)# exit

CE1(config)# Enters interface configuration

interface tunnel mode
0

CE1(config-if)# Enables IPsec for IPv4 on the

tunnel mode tunnel interface
ipsec ipv4

CE2

CE2(config)# Defines an IPsec transform set

crypto ipsec called GRE-SEC that uses ESP
transform-set with AES-256 for encryption and
GRE-SEC esp-aes SHA-256 for authentication.
256 esp-sha256- Options are AH and MD5
hmac

CE2(cfg-crypto- Enables tunnel mode for VTI

trans)# mode support
tunnel

CE2(cfg-crypto- Exits the transform set

trans)# exit

CE2(config)# Enters interface configuration

interface tunnel mode
0
CE2(config-if)# Enables IPsec for IPv4 on the
tunnel mode tunnel interface
ipsec ipv4

CISCO DYNAMIC MULTIPOINT VPN

(DMVPN)
Cisco DMVPN is a solution that leverages IPsec and
GRE to enable enterprises to establish a secure
connection in a hub-and-spoke network or spoke-to-
spoke network easily and effectively. All of the spokes in
a DMVPN network are configured to connect to the hub
and, when interesting traffic calls for it, each spoke can
connect directly to another spoke as well.

DMVPN uses two primary technologies:

Multipoint GRE (mGRE) with IPsec, which allows the

routers in the solution to establish multiple GRE
tunnels using only one configured tunnel interface

Next Hop Resolution Protocol (NHRP), which is

similar to ARP on Ethernet

There are three different deployment options for

DMVPN, which are called phases:
Phase 1: This phase can be deployed only as a hub-
and-spoke tunnel deployment. In this deployment the
hub is configured with an mGRE tunnel interface and
the spokes have point-to-point GRE tunnel interface
configurations. All traffic, including inter-spoke traffic,
must traverse the hub.

Phase 2: This phase improves on Phase 1 by

establishing a mechanism for spokes to build dynamic
spoke-to-spoke tunnels on demand. Spokes in this
deployment type have mGRE tunnel interfaces and
learn of their peer spoke addresses and specific
downstream routes using a routing protocol.

Phase 3: This phase is very similar to Phase 2, but the

routing table must have the spoke address and all
specific downstream routes propagated to all other
spokes. This means that the hub cannot use
summarization of routes in the routing protocol. The
hub uses NHRP redirect messages to inform the spoke
of a more effective path to the spoke’s network, and the
spoke will accept the “shortcut” and build the dynamic
tunnel to the peer spoke.

Configuration Example: Cisco DMVPN for IPv4

Figure 13-2 shows the network topology for the
configuration that follows, which demonstrates how to
configure Cisco DMVPN for IPv4. The example shows
you how to configure all three DMVPN phases and
assumes that the physical interfaces are already
configured with IP addresses.

Figure 13-2 Network Topology for Cisco DMVPN

for IPv4 Example

When configuring Cisco DMVPN, follow these steps:

1. Configure an ISAKMP policy for IKE SA.

2. Configure pre-shared keys (PSKs).

3. Create a transform set.

4. Create a crypto IPsec profile.

5. Define an mGRE tunnel interface.

6. Enable NHRP on the tunnel interface.

7. Apply the IPsec security profile to the tunnel interface.

8. Enable dynamic routing across the tunnel interface.

DMVPN Phase 1: Hub Router

Hub(config Creates an ISAKMP policy with the

)# crypto number 10
isakmp
policy 10

Hub(config Enables AES-256 encryption

-isakmp)#
encryption
aes 256

Hub(config Enables SHA-256 hashing

-isakmp)#
hash
sha256

Enables PSK authentication

Hub(config
-isakmp)#
authentica
tion pre-
share

Hub(config Enables Diffie-Hellman group 16 (4096-

-isakmp)# bit)
group 16

Hub(config Exits the ISAKMP policy

-isakmp)#
exit

Hub(config Defines a PSK to be used for any

)# crypto ISAKMP neighbor
isakmp key
CiscoDMVPN
Key
address
0.0.0.0

Hub(config Creates an IPsec transform set called

)# crypto DMVPNset that uses AES-256 and SHA-
ipsec 256 for ESP
transform-
set
DMVPNset
esp-aes
256 esp-
sha256-
hmac

Hub(cfg- Enables tunnel mode for the IPsec

crypto- tunnel
trans)#
mode
transport

Hub(cfg- Exits the transform set

crypto-
trans)#
exit

Hub(config Creates an IPsec profile called

)# crypto DMVPNprofile
ipsec
profile
DMVPNprofi
le
Hub(ipsec- Applies the DMVPNset transform set
profile)#
set
transform-
set
DMVPNset

Hub(ipsec- Exits the IPsec profile

profile)#
exit

Hub(config Enters interface configuration mode

)#
interface
tunnel 0

Hub(config Applies an IP address to the tunnel

-if)# ip interface
address
10.99.1.1
255.255.25
5.0

Hub(config Disables ICMP redirects, because NHRP

-if)# no will be responsible for sending redirect
messages
ip
redirects

Hub(config Reduces the IP MTU from 1500 to 1400

-if)# ip bytes
mtu 1400

Hub(config Reduces the TCP maximum segment size

-if)# ip to 1360
tcp
adjust-mss
1360

Hub(config Configures a password of cisco for

-if)# ip NHRP authentication
nhrp
authentica
tion cisco

Hub(config Allows NHRP to automatically add

-if)# ip spoke routers to the multicast NHRP
nhrp map mappings when these spoke routers
multicast initiate the mGRE tunnel and register
dynamic their unicast NHRP mappings
Hub(config Defines an NHRP network ID
-if)# ip
nhrp
network-id
123

Hub(config Specifies a tunnel source

-if)#
tunnel
source
gigabiteth
ernet
0/0/0

Hub(config Enables mGRE on the Hub router0

-if)#
tunnel
mode gre
multipoint

Hub(config Uniquely identifies the tunnel within the

-if)# router
tunnel key
12345

Applies the IPsec security profile to

Hub(config secure the DMVPN packet exchange
-if)#
tunnel
protection
ipsec
profile
DMVPNprofi
le

Hub(config Exits interface configuration mode

-if)# exit

Hub(config Enables EIGRP using named mode

)# router configuration
eigrp
CISCO

Hub(config Creates an IPv4 address family for AS 10

-router)#
address-
family
ipv4
unicast
autonomous
-system 10
Hub(config Advertises network 172.16.1.1/32
-router-
af)#
network
172.16.1.1
0.0.0.0

Hub(config Advertises network 10.99.1.0/24 (the

-router- tunnel interface network)
af)#
network
10.99.1.0
0.0.0.255

Hub(config Enters address-family interface

-router- configuration mode for Tunnel 0
af)# af-
interface
tunnel 0

Hub(config Disables split horizon to allow the hub to

-router- retransmit routes learned from the peers
af- to the other peers. Because all the routes
interface) are being learned through the tunnel
# no interface, EIGRP will not by default
split- advertise routes learned from an
horizon interface back out the same interface

DMVPN Phase 1: Spoke1 Router (similar configuration

required on Spoke2)

Spoke1(config)# Creates an ISAKMP policy with

crypto isakmp the number 10
policy 10

Spoke1(config- Enables AES-256 encryption

isakmp)#
encryption aes
256

Spoke1(config- Enables SHA-256 hashing

isakmp)# hash
sha256

Spoke1(config- Enables PSK authentication

isakmp)#
authentication
pre-share
Spoke1(config- Enables Diffie-Hellman group 16
isakmp)# group (4096-bit)
16

Spoke1(config- Exits the ISAKMP policy

isakmp)# exit

Spoke1(config)# Defines a PSK to be used for any

crypto isakmp ISAKMP neighbor
key
CiscoDMVPNKey
address 0.0.0.0

Spoke1(config)# Creates an IPsec transform set

crypto ipsec called DMVPNset that uses AES-
transform-set 256 and SHA-256 for ESP
DMVPNset esp-
aes 256 esp-
sha256-hmac

Spoke1(cfg- Enables tunnel mode for the IPsec

crypto-trans)# tunnel
mode transport

Exits the transform set

Spoke1(cfg-
crypto-trans)#
exit

Spoke1(config)# Creates an IPsec profile called

crypto ipsec DMVPNprofile
profile
DMVPNprofile

Spoke1(ipsec- Applies the DMVPNset transform

profile)# set set
transform-set
DMVPNset

Spoke1(ipsec- Exits the IPsec profile

profile)# exit

Spoke1(config)# Enters interface configuration

interface mode
tunnel 0

Spoke1(config- Applies an IP address to the

if)# ip address tunnel interface
10.99.1.101
255.255.255.0
Spoke1(config- Disables ICMP redirects, because
if)# no ip NHRP will be responsible for
redirects sending redirect messages

Spoke1(config- Reduces the IP MTU from 1500 to

if)# ip mtu 1400 bytes
1400

Spoke1(config- Reduces the TCP maximum

if)# ip tcp segment size to 1360
adjust-mss 1360

Spoke1(config- Configures a password of cisco for

if)# ip nhrp NHRP authentication
authentication
cisco

Spoke1(config- Maps the hub tunnel interface and

if)# ip nhrp physical interface together. This
map 10.99.1.1 instructs the router that NHRP
10.99.0.1 messages to the Hub router
should be sent to the physical IP
address

Spoke1(config- Maps NHRP multicast traffic to

if)# ip nhrp the physical address of the Hub
map multicast router
10.99.0.1

Spoke1(config- Defines an NHRP network ID

if)# ip nhrp
network-id 123

Spoke1(config- Defines the NHRP server address

if)# ip nhrp
nhs 10.99.1.1

Spoke1(config- Specifies a tunnel source

if)# tunnel
source
gigabitethernet
0/0/0

Spoke1(config- Defines the Hub router’s physical

if)# tunnel address as the tunnel destination
destination
10.99.0.1

Spoke1(config- Enables standard GRE on the

if)# tunnel Spoke1 router
mode gre ip

Spoke1(config- Uniquely identifies the tunnel

if)# tunnel key within the router
12345

Spoke1(config- Applies the IPsec security profile

if)# tunnel to secure the DMVPN packet
protection exchange
ipsec profile
DMVPNprofile

Spoke1(config- Exits interface configuration

if)# exit mode

Spoke1(config)# Enables EIGRP using named

router eigrp mode configuration
CISCO

Spoke1(config- Creates an IPv4 address family for

router)# AS 10
address-family
ipv4 unicast
autonomous-
system 10
Spoke1(config- Advertises network
router-af)# 172.16.101.1/32
network
172.16.101.1
0.0.0.0

SPOKE1(config- Advertises network 10.99.1.0/24

router-af)# (the tunnel interface network)
network
10.99.1.0
0.0.0.255

For DMVPN Phase 2, you need to change the tunnel

mode on the spokes and modify the routing
configuration on the hub. Contrary to Phase 1, this
configuration will allow the routers to build dynamic
spoke-to-spoke tunnels based on traffic needs. The
tunnel to the hub will be persistent.

DMVPN Phase 2: Hub Router

Hub(confi Enters EIGRP using named mode

g)# configuration
router
eigrp
CISCO

Hub(confi Enters the IPv4 address family for AS 10

g-
router)#
address-
family
ipv4
unicast
autonomou
s-system
10

Hub(confi Enters address-family interface

g-router- configuration mode for Tunnel 0
af)# af-
interface
tunnel 0

Hub(confi Disables the EIGRP next-hop self feature.

g-router- By default, the router will insert its IP
af- address as the next hop on the updates
interface sent to the peers. In Phase 2 DMVPN the
)# no spokes must see the tunnel interface IP
next-hop- address of the other spokes as the next hop
self for the remote networks, instead of the hub

DMVPN Phase 2: Spoke1 Router (identical

configuration required on Spoke2)

Spoke1(config)# Enters interface

interface tunnel 0 configuration mode

Spoke1(config-if)# no Removes the tunnel

tunnel destination destination
10.99.0.1 command

Spoke1(config-if)# Changes the tunnel

tunnel mode gre mode to mGRE
multipoint

Phase 3 DMVPN is designed for the hub to only

advertise a summary address to the spokes, and only
when there is a better route to the destination network
will the hub tell the spoke about it. This is done using an
NHRP traffic indication message to signal the spoke
that a better path exists. To do this, you need to make a
few configuration changes.

DMVPN Phase 3: Hub Router

Hub(config)# Enters interface configuration

interface tunnel mode
0

Hub(config-if)# NHRP Redirect is configured

ip nhrp redirect on the hub, instructing it to
send the NHRP traffic
indication message if a better
route exists

Hub(config-if)# Exits interface configuration

exit mode

Hub(config)# Enters EIGRP using named

router eigrp mode configuration
CISCO

Hub(config- Enters the IPv4 address family

router)# address- for AS 10
family ipv4
unicast
autonomous-system
10

Hub(config- Enters address-family interface

router-af)# af- configuration mode for Tunnel
interface tunnel 0
0

Hub(config- Advertises a summary address.

router-af- In this case the summary
interface)# advertised is an EIGRP default
summary-address route (D*)
0.0.0.0 0.0.0.0

DMVPN Phase 3: Spoke1 Router (identical

configuration required on Spoke2)

Spok Enters interface configuration mode

e1(c
onfi
g)#
inte
rfac
e
tunn
el 0

Spok Enables NHRP shortcut switching on the

e1(c interface. This allows the spoke router to
onfi discover shorter paths to a destination network
g- after receiving an NHRP redirect message from
if)# the hub. The spokes can then communicate
ip directly with each other without the need for an
intermediate hop
nhrp
shor
tcut

Verifying Cisco DMVPN

Router# show Displays DMVPN-specific

dmvpn session information

Router# show ip Displays NHRP mapping

nhrp information

Router# show ip Displays NHRP NHS

nhrp nhs detail information

Router# debug Displays real-time information

dmvpn about DMVPN sessions

Router# debug Displays real-time information

nhrp about NHRP

Note
Running OSPF over a DMVPN network has some of the same challenges as running OSPF
over other types of networks. Because only the hub is in direct communication with all of the
branches, it should be configured as the designated router (DR) on the DMVPN subnet.
There is not typically a backup DR (BDR) for this type of configuration. A BDR is possible if a
second hub is placed on the same subnet.
In strict hub-and-spoke DMVPNs, you should include the tunnel interface in the OSPF
routing process and configure the tunnel interface as a point-to-multipoint OSPF network
type on the hub router, and as a point-to-point network type on the branch routers. In this
case, there is no need to elect a DR on the DMVPN subnet.
To create a partially meshed or fully meshed DMVPN, configure the mGRE tunnel on the
hub router as an OSPF broadcast network. Each spoke router should be configured with an
OSPF priority of 0 to prevent a spoke from becoming a DR or BDR.

VRF-LITE
Virtual routing and forwarding (VRF) is a technology
that creates separate virtual routers on a physical
router. Router interfaces, routing tables, and forwarding
tables are completely isolated between VRFs, preventing
traffic from one VRF from forwarding into another VRF.
All router interfaces belong to the global VRF until they
are specifically assigned to a user-defined VRF. The
global VRF is identical to the regular routing table of
non-VRF routers.

The use of Cisco VRF-Lite technology has the following

advantages:

Allows for true routing and forwarding separation

Simplifies the management and troubleshooting of the

traffic belonging to the specific VRF, because separate
forwarding tables are used to switch that traffic

Enables the support for alternate default routes

Configuring VRF-Lite
Follow these steps when configuring a Cisco router for
VRF-Lite support:

Step 1. Create the VRF(s).

Step 2. Assign interface(s) to the VRF.

Step 3. Enable routing for the VRF.

Step 1: Create the VRFs

Router(config)# Creates an IPv4 VRF called

ip vrf GUEST GUEST using the old VRF CLI
format

Router(config- Exits VRF configuration mode

vrf)# exit

Router(config)# Creates a VRF called STAFF using

vrf definition the new VRF CLI format
STAFF

Router(config- Enables the IPv4 address family

vrf)# address- for the STAFF VRF using the new
family ipv4 VRF CLI format

Router(config- Exits the IPv4 address family

vrf-af)# exit

Router(config- Enables the IPv6 address family

vrf)# address- for the STAFF VRF using the new
family ipv6 VRF CLI format

Router(config- Exits the IPv6 address family

vrf-af)# exit

Router(config- Exits VRF configuration mode

vrf)# exit

Step 2: Assign an Interface to the VRF

Router(config)# Enters interface configuration

interface mode
gigabitethernet
0/0/0

Router(config- Assigns the GigabitEthernet

if)# ip vrf 0/0/0 interface to the GUEST
forwarding GUEST VRF using the old CLI format

Router(config- Enters interface configuration

if)# interface mode
gigabitethernet
0/0/1

Router(config- Assigns the GigabitEthernet

if)# vrf 0/0/1 interface to the STAFF
forwarding STAFF VRF using the new CLI format
Step 3: Enable Routing for the VRF
The following configuration examples demonstrate how
IPv4 VRFs can be associated with a routing process. The
same commands would apply for IPv6 VRFs.

Router(config)# ip route Defines a default

vrf GUEST 0.0.0.0 0.0.0.0 route for the GUEST
172.16.16.2 VRF

Router(config)# router Enables OSPFv2 for

ospf 1 vrf STAFF the STAFF VRF

Router(config)# router Enables OSPFv3

ospfv3 1

Router(config-router)# Assigns the STAFF

address-family ipv4 VRF to the IPv4
unicast vrf STAFF unicast address
family

Router(config)# router Enables EIGRP

eigrp CISCO using named mode
configuration
Router(config-router)# Assigns the GUEST
address-family ipv4 VRF to the IPv4
unicast vrf GUEST unicast address
autonomous-system 100 family for AS 100

Router(config)# router Enables BGP for AS

bgp 65001 65001

Router(config-router)# Assigns the STAFF

address-family ipv4 vrf VRF to the IPv4
STAFF address family

Note
Cisco IOS supports the old and new VRF CLI formats. Old Cisco IOS VRF configuration style
supports IPv4 only. New multiprotocol VRF CLI now supports both IPv4 and IPv6. Cisco IOS
offers a migration tool that upgrades a VRF instance or all VRFs configured on the router to
support multiple address families under the same VRF. The vrf upgrade-cli multi-af-mode
{common-policies | non-common-policies} [vrf vrf-name] command is issued in global
configuration mode.

Verifying VRF-Lite

Router# show Displays a list of all configured

vrf VRFs, their address families, and
their interfaces
Router# show Provides detailed information about
vrf detail a specific VRF
vrf-name
Part VIII: Appendix
Appendix A
Create Your Own Journal Here

______________________________________
____________________

______________________________________
____________________
______________________________________
____________________

______________________________________
____________________

______________________________________
____________________
______________________________________
____________________

______________________________________
____________________

______________________________________
____________________
______________________________________
____________________

______________________________________
____________________

______________________________________
____________________
______________________________________
____________________

______________________________________
____________________

______________________________________
____________________
______________________________________
____________________

______________________________________
____________________

______________________________________
____________________
______________________________________
____________________

______________________________________
____________________

______________________________________
____________________
______________________________________
____________________

______________________________________
____________________

______________________________________
____________________
______________________________________
____________________

______________________________________
____________________

______________________________________
____________________
______________________________________
____________________

______________________________________
____________________

______________________________________
____________________
______________________________________
____________________

______________________________________
____________________

______________________________________
____________________
______________________________________
____________________

______________________________________
____________________

______________________________________
____________________
______________________________________
____________________

______________________________________
____________________

______________________________________
____________________
______________________________________
____________________

______________________________________
____________________

______________________________________
____________________
______________________________________
____________________

______________________________________
____________________

______________________________________
____________________
______________________________________
____________________

______________________________________
____________________

______________________________________
____________________
______________________________________
____________________

______________________________________
____________________

______________________________________
____________________
______________________________________
____________________

______________________________________
____________________

______________________________________
____________________
______________________________________
____________________

______________________________________
____________________

______________________________________
____________________
______________________________________
____________________

______________________________________
____________________

______________________________________
____________________
______________________________________
____________________

______________________________________
____________________

______________________________________
____________________
______________________________________
____________________

______________________________________
____________________

______________________________________
____________________
______________________________________
____________________

______________________________________
____________________

______________________________________
____________________
______________________________________
____________________

______________________________________
____________________

______________________________________
____________________
______________________________________
____________________

______________________________________
____________________

______________________________________
____________________
______________________________________
____________________

______________________________________
____________________

______________________________________
____________________
______________________________________
____________________

______________________________________
____________________

______________________________________
____________________
______________________________________
____________________

______________________________________
____________________

______________________________________
____________________
______________________________________
____________________

______________________________________
____________________

______________________________________
____________________
______________________________________
____________________

______________________________________
____________________

______________________________________
____________________
______________________________________
____________________

______________________________________
____________________

______________________________________
____________________
______________________________________
____________________

______________________________________
____________________

______________________________________
____________________
______________________________________
____________________

______________________________________
____________________

______________________________________
____________________
______________________________________
____________________

______________________________________
____________________

______________________________________
____________________
______________________________________
____________________

______________________________________
____________________

______________________________________
____________________
______________________________________
____________________

______________________________________
____________________

______________________________________
____________________
______________________________________
____________________

______________________________________
____________________

______________________________________
____________________
Index
NUMBERS
0.0.0.0/0 summarization, EIGRP, 74–75
802.1Q (dot1q) trunking, 4–5
802.1x, 307–308

A
AAA (Authentication, Authorization,
Accounting)
accounting, configurations, 257
authentication, 251–252
AAA-based local database authentication, 252–
253
RADIUS authentication, 253–255
simple local database authentication, 252
TACACS+ authentication, 255–256
authorization, configurations, 256–257
servers, password storage, 232
troubleshooting, 257
access lists
BGP route filtering, 180–182
NTP security, 285
accounting, configurations, 257
ACL (Access Control Lists)
CoPP traffic flows (permitted), 258
IPv4
extended ACL configurations, 247–248
standard ACL configurations, 246–247
time-based ACL configurations, 248–249
verifying, 251
VTY ACL configurations, 249–250
IPv6
configurations, 250–251
verifying, 251
AD (Administrative Distance)
EIGRP IPv4 manual summarization, 71
internal/external routes, 143–144
AireOS
Advanced GUI, WLCs, troubleshooting, 318–319
CLI, WLCs, troubleshooting, 320–322
Monitoring Dashboard GUI, troubleshooting
wireless client connectivity, 322–326
WLCs, 316–318
AF (Address Families)
BGP, 158–160
configuration mode, 94–95
MP-BGP, 159–160
OSPFv3, 93
configurations, 120–125
IPv4, 94
IPv6, 94
aggregating routes, BGP, 177
AH (Authentication Headers), spi, 97
allowed VLANs, 4–5
applets, EEM, 295, 298
area range not-advertise command, OSPF route
filtering, 104
area x authentication key-chain router
configuration command, 97
AS (Autonomous Systems)
AS path attribute prepending (BGP), 169–170
path access lists, BGP, 181–182
local preference attribute manipulation, 167–169
weight attribute manipulation, 166
private AS removal, 171
ASBR (Autonomous System Border Routers)
network topologies, 130–131
OSPFv3 AF, 94
routers, multiarea OSPF configurations, 114–115
Asdot, 160
Asplain, 160
attributes (BGP), 164
local preference attribute, 167–169
MED attribute, 171–174
AS path attribute prepending, 169–170
weight attribute, 164–165
AS path access lists, 166
prefix lists, 166–167
route maps, 166–167
authentication, 251–252
802.1x, 307–308
AAA-based local databases, 252–253
AH, spi, 97
area x authentication key-chain router configuration
command, 97
authentication key-chain command, 66
authentication mode command, 66
BGP
between peers, 184
verifying, 184
EAP, 308–309
localEAP, 311–314
RADIUS servers (external), 308–309
EIGRP, 67
classic mode authentication, 67–68
named mode authentication, 68–70
troubleshooting, 70
verifying, 70
HSRP, 197
IP SLAs, 149–150
MD5, 97, 233
EIGRP named mode authentication, 68–70
OSPFv2 authentication, 95–96
NTP, 284–285
OSPFv2
cryptographic authentication, 95–96
ip ospf authentication message-digest command,
95
MD5, 95–96
service password-encryption command, 96
SHA-256, 96
simple password authentication, 95
verifying, 98
OSPFv3, 97–98
area x authentication key-chain router
configuration command, 97
ospfv3 x authentication key-chain command, 97
verifying, 98
pre-shared keys, 306–308
RADIUS, 253, 309–314
key config-key password-encryption command,
254–255
legacy authentication, 253
modular authentication, 253–255
password encryption aes command, 254–255
RSA, 234
SHA, 68–70, 97
simple local databases, 252
TACACS+, 255
legacy authentication, 255
modular authentication, 255–256
WebAuth, 314–316
wireless clients, 303
802.1x, 307–308
EAP, 308–314
LWA, 314
open authentication, 304–306
pre-shared keys, 306–308
WebAuth, 314–316
WPA2, 306–307
WLANs, open authentication, 304–306
WPA2, 306–307
MD5 authentication, 97, 233
EIGRP named mode authentication, 68–70
OSPFv2 authentication, 95–96
authNoPriv security level, SNMP, 267
authorization, configurations, 256–257
authPriv security level, SNMP, 267
auto-cost command, 101
auto-cost reference-bandwidth command, 101
AS (Autonomous System) numbers
4-byte AS numbers and BGP, 160–161
Asdot, 160
Asplain, 160
auto-summary command, 63, 70, 78

B
BackboneFast
PVST+, 44
Rapid PVST+, 31, 44
STP configurations, 31
backups
Cisco IFS
configurations, 238
to TFTP servers, 238
IOS software to TFTP servers, 239
bandwidth
bandwidth command, 77
bandwidth-percent command, 66, 77
EIGRP, 77
reference bandwidth
auto-cost command, 101
auto-cost reference-bandwidth command, 101
ip ospf cost command, 101
OSPF, 101
BDR (Backup Designated Routers)
OSPFv2, BDR elections, 99–100
OSPFv3
BDR elections, 99–100
enabling IPv6 on an interface, 92
BGP (Border Gateway Protocol)
4-byte AS numbers, 160–161
access lists, 180–182
AS path access lists, 181–182
attributes, 164
local preference attribute, 167–169
MED attribute, 171–174
AS path attribute prepending, 169–170
weight attribute, 164–167
authentication
between peers, 184
verifying, 184
best path algorithm, 164
bgp bestpath missing-as-worst command, 174
bgp default ipv4-unicast command, 157
bgp router-id command, 157
bgp-always-compare-med command, 173–174
clear ip bgp command, 175–176
configurations
AF, 158–159
classic configurations, 156–157
default routes, 177
distribute lists, 180–181
EBGP
multihop, 162–163
next-hop behavior, 162
IBGP, next-hop behavior, 162
ip as-path access-list command, 178
MP-BGP
AF, exchanging IPv4/IPv6 routes, 159–160
configurations, 157
neighbor remote-as command, 157
neighbor update-source command, 161–162
network command, 156–157, 177
peer groups, 182–183
prefix lists, 181–182
private AS removal, 171
redistribution, default metrics, defining, 128
regular expressions, 178–180
route aggregation, 177
route filtering, 180–181
route reflectors, 177–178
route refresh, 176
route selection process, 164
router bgp command, 156
router IDs, 157
show ip bgp command, 179–180
show ip bgp neighbor command, 176
soft-reconfiguration inbound command, 175
timers, 161
troubleshooting, 175–176
verifying, 174
boot system, SSH commands, 235–236
bootflash, 237
BPDUs (Bridge Protocol Data Units)
BPDU Filter, 30, 44
BPDU Guard, 29–30, 44
Rapid PVST+, 43

C
channel-group command, port channels, 14
Cisco AireOS
Advanced GUI, troubleshooting WLCs, 318–319
CLI, troubleshooting WLCs, 320–322
Monitoring Dashboard GUI
wireless client connectivity, troubleshooting,
322–326
WLCs, troubleshooting, 316–318
Cisco IFS (IOS File System), 236
configurations
backing up to TFTP servers, 238
copy startup-config tftp command, 238
copy tftp startup-config command, 239
no shutdown command, 239
restoring from TFTP servers, 238–239
IOS image filenames, 237–238
IOS software
backing up to TFTP servers, 239
restoring from TFTP servers, 239–240
restoring using ROM monitor environmental
variables, 240–241
upgrading from TFTP servers, 239–240
SCP, 241
configurations, 241–242
troubleshooting, 241
verifying, 241
show file systems command, 236
unneeded services, disabling, 242–243
URL prefixes (commonly-used), 236–237
viewing, 236
Cisco IOS
image filenames, 237–238
IP SLAs, 147–149
software
backing up to TFTP servers, 239
restoring, 239–241
upgrading, from TFTP servers, 239–240
XE CLI, WLCs, troubleshooting, 320–322
XE GUI, troubleshooting
wireless client connectivity, 326–327
WLCs, 319–320
class maps for matched traffic (CoPP), 258–259
classic mode (EIGRP)
authentication, 67–68
IPv4 configurations, 62–63
auto-summary command, 63
wildcard masks, 63
IPv6 configurations, 63–64
upgrading configurations to named mode, 66–67
clear ip bgp command, 175, 176
clear ip ospf process command, 99
cleartext password encryption, 232–233
client mode (VTP), 5
company routers, PAT configurations, 192–193
conditionally triggered debugs, 266
configuration mode
AF, 94–95
static VLANs, 2
configuring
accounting, 257
ACL
extended ACL configurations, 247–248
IPv4 configurations, 246–250
IPv6 configurations, 250–251
standard ACL configurations, 246–247
time-based ACL configurations, 248–249
VTY ACL configurations, 249–250
authorization, 256–257
BackboneFast, STP configurations, 31
BGP
AF, 158–159
classic configurations, 156–157
MP-BGP, 157, 159–160
BPDU Filter, STP configurations, 30
BPDU Guard, STP configurations, 29–30
DHCP, IPv4 configurations, 224–229
IOS router configurations, 217–218
IOS software Ethernet interfaces, 219–220
manual IP assignments, 218
relays, 219
troubleshooting, 220
verifying, 220
DHCP, IPv6 configurations
DHCPv6 clients, 223
DHCPv6 relay agents, 223
EdmontonPC Stateless DHCPv6 Client (IOS
routers), 229
GibbonsPC Stateful DHCPv6 Client (IOS routers),
229
no ipv6 nd managed-config-flag command, 223
routers as stateful DHCPv6 servers, 222–223
routers as stateless DHCPv6 servers, 221–222
SLAAC, 221–222
troubleshooting configurations, 223
verifying configurations, 224
dynamic NAT, 188
EEM, 296–297
EIGRP
IPv4 classic mode configurations, 62–63
IPv6 classic mode configurations, 63–64
named mode configurations, 64–65, 83
named mode subconfiguration modes, 66
upgrading classic mode configurations to named
mode, 66–67
ERSPANs
destination configuration, 281
source configuration, 280
EtherChannel configurations
configuration guidelines, 12–14
default configurations, 12
example of, 18
Layer 2 configurations, 14
Layer 3 configurations, 14–15
network topology, 18
Flexible NetFlow, 272–273
GRE
IPv4 configurations, 330, 331–335
IPv6 configurations, 330–335
overlay configurations, 333–334
underlay configurations, 332–333
verifying, IPv4, 331
HSRP
basic configurations, 195
settings, 195
IFS
backing up configurations to TFTP servers, 238
copy startup-config tftp command, 238
copy tftp startup-config command, 239
no shutdown command, 239
restoring configurations from TFTP servers,
238–239
inter-VLAN routing, 47–48
IP SLA authentication, 149–150
IPv4 configurations
EIGRP classic mode configurations, 62–63
GRE, 331–335
IPv6 configurations
EIGRP classic mode configurations, 63–64
GRE, 331–335
inter-VLAN routing, 55–60
ISAKMP policies, site-to-site GRE over IPsec, 336,
338
local SPANs configurations, 274–277
logging, 271
Loop Guard, STP configurations, 32–33
MP-BGP, 157, 159–160
multiarea OSPF configurations, 89–90, 114–117
NAT
troubleshooting, 191
verifying, 190
virtual interfaces, 190, 193–194
NTP, 281–282
network topologies, 290
OSPFv2, 89
log-adjacency-changes command, 89
multiarea OSPF, 89–90, 114–117
network area command, 89
single-area configurations, 111–114
verifying configurations, 109–110
virtual links, 108–109
OSPFv3, 89
with AF, 120–125
enabling IPv6 on an interface, 91–92
log-adjacency-changes command, 89
multiarea OSPF, 89–90, 114–117
network area command, 89
single-area configurations, 111–114
traditional configurations, 91, 117–120
verifying configurations, 109–110
virtual links, 108–109
passwords, 231–232
PAT, 189–190
company routers, 192–193
example of, 191–193
ISP routers, 191–192
troubleshooting, 191
verifying, 190
PBR with route maps, 146–147
port error conditions, STP configurations, 33–36
PortFast, STP configurations, 28–29
PSK, site-to-site GRE over IPsec, 337, 338
PVST+, 41–43
network topologies, 40
Rapid PVST+, 36
Root Guard, STP configurations, 31–32
route maps, 141–142
RSPANs
configuration examples, 278–280
configuration guidelines, 277–278
SCP, 241–242
single-area OSPF configurations, 111–114
SNMP, 267
no snmp-server global command, 267
security levels, 267
security models, 267
SNMPv1, 267–268
SNMPv2c, 267–268
SNMPv3, 267–269
SPANs
default configurations, 273–274
local SPANs, 274–277, 281
RSPANs, 277–281
SSH, 234–235
static NAT, 187, 193–194
STP configurations
BackboneFast, 31
BPDU Filter, 30
BPDU Guard, 29–30
changing modes, 25
Loop Guard, 32–33
path costs, 27
port error conditions, 33–36
port priority, 26
PortFast, 28–29
PVST+, 40–43
Rapid PVST+, 36
Root Guard, 31–32
root switches, 25–26
secondary root switches, 26
timers, 27–28
UDLD, 33
UplinkFast, 30–31
VLAN switch priority, 27
Syslog, 269
UDLD, STP configurations, 33
UplinkFast, STP configurations, 30–31
uRPF, 260
virtual links, OSPF, 108–109
VLAN configurations
2960 series switches, 10–11
3650 series switches, 9–10
erasing, 7–8
example of, 8
network topology, 8
saving, 7
VRF-Lite, 347–348
VRRPv2, 201–202, 209–212
VRRPv3, 202–203
connected networks, redistributing, 129
connectivity (wireless clients), troubleshooting
Cisco AireOS Monitoring Dashboard GUI, 322–326
Cisco IOS XE GUI, 326–327
CoPP (Control Plane Policing), 257
ACL and permitted CoPP traffic flows, 258
class maps for matched traffic, 258–259
policy maps
control plane assignments, 259
policing matched traffic, 259
verifying, 260
copy startup-config tftp command, 238
copy tftp startup-config command, 239
cost metrics, OSPF, 100
crypto key generate rsa global configuration
command, 234
crypto key zeroize rsa command, 234
crypto maps, GRE/IPsec, 336–337
cryptographic authentication, OSPFv2
MD5, 95–96
SHA-256, 96
CSRT (Cross-Stack Rapid Transition), 24

D
data VLAN port assignments, 2
default mode, 3–4
DTP, 3–4
interface range command, 3
range command, 3
switchport mode access command, 2–4
switchport mode dynamic auto command, 3
switchport mode dynamic desirable command, 3
switchport mode nonegotiate command, 3
switchport mode trunk command, 3
switchport voice command, 2–3
database mode (VLANs), 2
dead interval timers, 101–102
debugging
debug command, 111, 217, 265–266
debug condition command, 266
debug ip packet command, 266
HSRP, 200–201
VRRP, 204
default information-originate always command,
102
default information-originate command, 102
default-metric command, 129
default metrics (redistribution), defining, 128–
129
default routes
BGP, 177
propagating, OSPF, 102–103
DES (Data Encryption Standard), 234
device management
FTP options, 243
HTTP options, 243
HTTPS options, 243
IFS, 236
backing up configurations to TFTP servers, 238
copy startup-config tftp command, 238
copy tftp startup-config command, 239
disabling unneeded services, 242–243
IOS image filenames, 237–238
IOS software, backing up to TFTP servers, 239
IOS software, restoring from TFTP servers, 239–
240
IOS software, restoring using ROM monitor
environmental variables, 240–241
IOS software, upgrading from TFTP servers,
239–240
no shutdown command, 239
restoring configurations from TFTP servers,
238–239
SCP, 241–242
show file systems command, 236
URL prefixes (commonly-used), 236–237
viewing, 236
passwords
cleartext password encryption, 232–233
configurations, 231–232
enable secret password command, 232
encryption types, 233–234
MD5, 233
service password-encryption command, 232–233
storage, 232
SSH
boot system commands, 235–236
configurations, 234–235
crypto key generate rsa global configuration
command, 234
crypto key zeroize rsa command, 234
verifying, 235
Telnet, 234
unneeded services, disabling, 242–243
URL prefixes for Cisco network devices, 236–237
DHCP (Dynamic Host Configuration Protocol),
217
IPv4
configuration examples, 224–229
IOS router configurations, 217–218
IOS software Ethernet interfaces, 219–220
ip forward-protocol command, 219
ip helper-address command, 219
manual IP assignments, 218
network topologies, 224, 226–227
no ip forward-protocol udp x command, 219
relays, 219
show ip dhcp binding command, 218
troubleshooting configurations, 220
verifying configurations, 220
IPv6, 221
DHCPv6 clients, 223
DHCPv6 relay agents, 223
no ipv6 nd managed-config-flag command, 223
routers as stateful DHCPv6 servers, 222–223
routers as stateless DHCPv6 servers, 221–222
SLAAC, 221–222
troubleshooting configurations, 224
verifying configurations, 224
no ip dhcp client request router command, 220
disabling unneeded services, 242–243
distribute lists
BGP route filtering, 180–181
distribute-list command, 73, 105
distribute-list in command, OSPF route filtering,
104–105
inbound distribute list route filters, 134–135
outbound distribute list route filters, 134–136
prefix lists and redistribution, 139–140
DMVPNs (Dynamic Multipoint VPNs), 340
IPv4 configurations
hub routers, 341–343, 345–346
spoke1 routers, 343–346
OSPF, 346–347
verifying, 346
domain names, VTP, 4–5
DoS, (Denial of Service) attacks, CoPP, 257
dot1q
encapsulation dot1q, local SPANs, 277
ingress dot1q vlan, local SPANs, 277
trunking, 4–5, 46
DR (Designated Routers)
BDR, OSPFv3, enabling IPv6 on an interface, 92
OSPFv2, DR elections, 99–100
OSPFv3
DR elections, 99–100
enabling IPv6 on an interface, 92
dst-ip load distribution method, 15
dst-mac load distribution method, 15
dst-mixed-ip-port load distribution method, 15
dst-port load distribution method, 15
DTP (Dynamic Trunking Protocol)
VLAN port assignments, 3–4
VTP domain names, 4
DUAL (Diffusing Update Algorithm), 62
dynamic NAT, configurations, 188

E
E1 routes, OSPF assignments, 130–131
E2 routes, OSPF assignments, 130–131
EAP (Extensible Authentication Protocol), 308–
309
localEAP, 311–314
RADIUS servers (external), 309–311
EBGP (External Border Gateway Protocol)
multihop, 162–163
next-hop behavior, 162
edge ports, Rapid PVST+, 36
EEM (Embedded Event Manager), 295–296
applets, 295, 298
configurations, 296–297
event manager run command, 298
event none command, 298
scripts, 295
TCL scripting, 298
verifying, 298
EF (Expedited Forwarding), 2–3
EIGRP (Enhanced Interior Gateway Protocol)
0.0.0.0/0 summarization, 74–75
authentication, 67
authentication key-chain command, 66
authentication mode command, 66
classic mode authentication, 67–68
named mode authentication, 68–70
troubleshooting, 70
verifying, 70
auto-summarization, 70
auto-summary command, 63, 70, 78
bandwidth
bandwidth command, 77
usage, 77
bandwidth-percent command, 66, 77
ip bandwidth-percent command, 77
classic mode
authentication, 67–68
IPv4 configurations, 62–63
IPv6 configurations, 63–64
upgrading configurations to named mode, 66–67
distribute-list command, 73
DUAL, 62
eigrp router-id command, 66
eigrp router-id w.x.y.z. command, 64
eigrp stub command, 66, 77, 79
eigrp upgrade-cli command, 66–67
exit-address-family command, 84, 85
exterior routing, accepting information, 75
hello-interval command, 66
hold-time command, 66
injecting default routes
0.0.0.0/0 summarization, 74–75
ip-default networks, 74
static route redistribution, 73
ip bandwidth-percent command, 77
ip default-network command, 74
load balancing
equal-cost, maximum paths, 75
unequal-cost, variance, 76
manual summarization
administrative-distance, 71
IPv4 summarization, 70–71
IPv6 summarization, 71
maximum-paths command, 66, 75
metric weights command, 66
metrics
metric rib-scale command, 79
metric weights command, 80
weight adjustments, 80
Wide Metrics, 79
named mode
authentication, 68–70
configurations, 64–65, 83
subconfiguration modes, 66
neighbor command, 79
network 0.0.0.0 command, 74
network command, 66
network summaries, 63
network topologies, 83
passive interfaces, 72
passive-interface command, 66
“pseudo” passive interfaces, 72–73
redistribution
default metrics, defining, 128–129
IPv4 routes, 131–132
IPv4 routes, verifying, 134
IPv6 routes, 132–133
IPv6 routes, verifying, 134
redistribute command, 66, 78
redistribute connected command, 78
redistribute static command, 78
route filtering, 134
route tagging, 142–143
seed metrics, defining, 128–129
route tagging, 142–143
router IDs, 67
SHA and named mode authentication, 68–70
show ip eigrp neighbors detail command, 81
show ip eigrp topology command, 81
static route redistribution, 73
stub routing, 77–79
summary-address command, 66, 84
timers, 71
topology base command, 66
traffic sharing, 76–77
traffic-share command, 66, 76–77
troubleshooting, 82–83
unicast neighbors, 79
variance
load balancing, 76
variance command, 66, 76
verifying, 80–82
Wide Metrics, 79
wildcard masks, 63
enable secret password command, 232
encapsulation dot1q, local SPANs, 277
encapsulation isl x command, 46
encapsulation replicate, local SPANs, 277
encryption
cleartext password encryption, 232–233
DES, 234
key config-key password-encryption command, 254–
255
OSPFv3, 97–98
passwords
password encryption aes command, 254–255
types of encryption, 233–234
SSH
boot system commands, 235–236
configurations, 234–235
crypto key generate rsa global configuration
command, 234
crypto key zeroize rsa command, 234
verifying, 235
enterprise mode (WPA2), 307
equal-cost load balancing, EIGRP, 75
erasing VLAN configurations, 7–8
ERSPANs (Encapsulated RSPANs), 280
destination configuration, 281
source configuration, 280
EtherChannel, 11–12
configurations
default configurations, 12
example of, 18
guidelines, 12–14
Layer 2 configurations, 14
Layer 3 configurations, 14–15
network topology, 18
GBIC, 13
LACP, 12–13, 16–17
load balancing, 12, 15–16
monitoring, 17
PAgP, 12–13
port channel in Layer 3 mode, HSRP, 194
SPANs, 13
verifying, 17
VLANs, 13
Ethernet interfaces (IOS software), DHCP and
IPv4 configurations, 219–220
event manager run command, 298
event none command, 298
exit command, VLAN configurations, 7
exit-address-family command, 84–85
extended ACL configurations, 247–248
extended load distribution method, 15
extended ping commands, 263–264
extended system ID (STP), verifying, 39
extended-range VLANs, 2
external routers, inter-VLAN routing, 45–46
external routes
AD, changing, 143–144
OSPF
redistribution, 131
summarization, 103–104

F
FHRP (First-Hop Redundancy Protocol), 194
fhrp version vrrp v3 command, 201
HSRP, 194
authentication, 197
basic configurations, 195
configuration settings, 195
debugging, 200–201, 217
EtherChannel port channel in Layer 3 mode, 194
HSRPv2 for IPv6, 200, 212–217
interface port channel global configuration
command, 194
interface tracking, 197
interface vlan vlan_id global configuration
command, 194
IP SLA tracking, 199–200, 208–209
IPv4, Layer 3 switches, 204–209
message timers, 196
multiple HSRP groups, 197–199
no switchport interface configuration command,
194
optimization options, 196–197
preempt, 196
routed ports, 194
SVIs, 194
verifying, 195, 217
VRRP, 201
debugging, 204
fhrp version vrrp v3 command, 201
interface tracking, 203
optimization options, 203
verifying, 203
VRRPv2 configurations, 201–202, 209–212
VRRPv3, 201–203
filenames (image), Cisco IOS, 237–238
filtering (route)
BGP, 180–181
EIGRP, 134
inbound distribute list route filters, 134–135
LSAs, 137
LSDBs, 137
OSPF, 104, 137
distribute-list command, 105
distribute-list in command, 104–105
filter-list command, 104
summary-address not-advertise command, 105
outbound distribute list route filters, 134–136
prefix lists, 137–140
verifying, 136–137
flash, 237
Flexible NetFlow
configurations, 272–273
flow exporter, 272
flow monitors, 272–273
flow records, 272
flow exporter, Flexible NetFlow, 272
flow monitors, Flexible NetFlow, 272–273
flow records, Flexible NetFlow, 272
forwarding VRF-Lite, 347
configurations, 347–348
verifying, 349
forward-time command, 27, 28
FTP (File Transfer Protocol), 237, 243

G
GBIC (Gigabit Interface Converters),
EtherChannel, 13
GRE(Generic Route Encapsulation), 329
configurations
overlay configurations, 333–334
underlay configurations, 332–333
DMVPNs, 340
IPv4 configurations, 341–346
OSPF, 346–347
verifying, 346
IPv4
configurations, 330
configurations with OSPFv3, 331–335
verifying, 331
IPv6
configurations, 330–331
configurations with OSPFv3, 331–335
verifying, 331
site-to-site GRE over IPsec, 335
crypto maps, 336–337
IPsec profiles, 337–339
verifying, 339
site-to-site VTI over IPsec, 339

H
hello-interval command, 66
hello-time command, 27–28
hello timers
EIGRP, 71
OSPF, 101–102
hold-time command, 66
hold timers, EIGRP, 71
hot-standby ports, LACP, 16–17
HSRP (Hot Standby Router Protocol), 194
authentication, 197
configurations
basic configurations, 195
IPv4, Layer 3 switches, 204–209
settings, 195
debugging, 200–201, 217
EtherChannel port channel in Layer 3 mode, 194
HSRPv2 for IPv6, 200, 212–217
interface port channel global configuration
command, 194
interface tracking, 197
interface vlan vlan_id global configuration command,
194
IP SLA tracking, 199–200, 208–209
message timers, 196
multiple HSRP groups, 197–199
no switchport interface configuration command, 194
optimization options, 196–197
preempt, 196
routed ports, 194
SVIs, 194
verifying, 195, 217
HTTP (Hypertext Transfer Protocol), 237, 243
HTTPS (HTTP Secure), 237, 243

I
IBGP (Internal Border Gateway Protocol), next-
hop behavior, 162
ICMP (Internet Control Message Protocol)
icmp-echo command, 153
redirect messages, 262
IFS (IOS File System), 236
configurations
backing up to TFTP servers, 238
copy startup-config tftp command, 238
copy tftp startup-config command, 239
no shutdown command, 239
restoring from TFTP servers, 238–239
IOS image filenames, 237–238
IOS software
backing up to TFTP servers, 239
restoring from TFTP servers, 239–240
restoring using ROM monitor environmental
variables, 240–241
upgrading from TFTP servers, 239–240
SCP, 241
configurations, 241–242
troubleshooting, 241
verifying, 241
show file systems command, 236
unneeded services, disabling, 242–243
URL prefixes (commonly-used), 236–237
viewing, 236
ignore state, OSPF, 101
IGRP (Interior Gateway Routing Protocol), 80
IKE SAs (Internet Key Exchange, Security
Associations), ISAKMP policies and site-to-site
GRE over IPsec, 336, 338
image filenames, Cisco IOS, 237–238
inbound distribute list route filters, 134–135
infrastructure security
AAA
configurations, 256–257
troubleshooting, 257
accounting, configurations, 257
ACL
CoPP traffic flows (permitted), 258
extended ACL configurations, 247–248
IPv4, verifying, 251
IPv4 configurations, 246–250
IPv6, verifying, 251
IPv6 configurations, 250–251
standard ACL configurations, 246–247
time-based ACL configurations, 248–249
VTY ACL configurations, 249–250
authentication, 251–252
AAA-based local database authentication, 252–
253
RADIUS authentication, 253–255
simple local database authentication, 252
TACACS+ authentication, 255–256
authorization, configurations, 256–257
CoPP, 257
ACL and permitted CoPP traffic flows, 258
class maps for matched traffic, 258–259
policy maps, control plane assignments, 259
policy maps, policing matched traffic, 259
verifying, 260
uRPF
configurations, 260
loose mode, 260
strict mode, 260
troubleshooting, 260
verifying, 260
ingress dot1q vlan, local SPANs, 277
ingress untagged vlan, local SPANs, 277
ingress vlan, local SPANs, 277
interarea route summarization, OSPF, 103
interface modes, EtherChannel, 12
interface port channel global configuration
command, 194
interface range command, 3
interface tracking
HSRP, 197
VRRP, 203
interface vlan vlan_id global configuration
command, 194
internal routers, multiarea OSPF
configurations, 117
internal routes
AD, changing, 143–144
OSPF redistribution, 131
inter-VLAN routing
best practices, 46
configurations, 47–48
encapsulation isl x command, 46
IPv6 configurations, 55
Layer 3 switches, 46–47
multilayer switches, 46–47
network topologies, 47–48
routers-on-a-stick, 45–46
switch virtual interfaces, 46–47
IOS software
backing up to TFTP servers, 239
Ethernet interfaces, DHCP, IPv4 configurations, 219–
220
restoring
from TFTP servers, 239–240
using ROM monitor environmental variables,
240–241
upgrading, from TFTP servers, 239–240
IOS XE CLI, troubleshooting WLCs, 320–322
IOS XE GUI, troubleshooting
wireless client connectivity, 326–327
WLCs, 319–320
ip as-path access-list command, BGP regular
expressions, 178
ip bandwidth-percent command, 77
ip-default networks
EIGRP, 74
ip default-network command, 74
ip helper-address command, 219
ip local policy route-map command, 145
IP MTU (Internet Protocol Maximum
Transmission Units), OSPF, 102
ip ospf authentication message-digest
command, 95
ip ospf cost command, 101
ip ospf process id area area number command,
91
IPSec (IP Security)
DMVPNs, 340
IPv4 configurations, 341–346
OSPF, 346–347
verifying, 346
site-to-site GRE over IPsec, 335
crypto maps, 336–337
IPsec profiles, 337–339
verifying, 339
site-to-site VTI over IPsec, 339–340
IP SLAs (Internet Protocol Service Layer
Agreements)
authentication, 149–150
Cisco IOS IP SLAs, 147–149
HSRP IP SLA tracking, 199–200, 208–209
icmp-echo command, 153
ip sla command, 150
ip sla monitor command, 150
monitoring, 150
network topologies, 148
PBR with IP SLAs, 150–151
probes, 151
tracking objects, 152
verifying, 152–153
show ip sla application command, 150
show ip sla configuration command, 153
show ip sla monitor configuration command, 153
show ip sla monitor statistics command, 153
show ip sla statistics command, 153
tcp-connect command, 149
track ip sla command, 153
track rtr command, 153
type echo protocol ipIcmpEcho command, 153
upd-echo command, 149
verifying, 152–153
VRRPv2 IP SLA tracking, routers/L3 switches, 209–
212
ISAKMP (Internet Security Association and Key
Management Protocol) policies, site-to-site
GRE over IPsec, 336, 338
ISL (Inter-Switch Linking), 4
ISP (Internet Service Provider) routers
inter-VLAN routing, 48–49, 56
PAT configurations, 191–192

J-K
keepalive timers, BGP, 161
K-values, EIGRP metric weight adjustments, 80

L
LACP (Link Aggregation Control Protocol), 12–
13, 16–17
Layer 3 mode, EtherChannel port channel in,
194
Layer 3 switches
inter-VLAN routing, 46–47
L2 switchport capability, removing, 47
VRRPv2 IP SLA tracking, 209–212
legacy RADIUS authentication, 253
legacy TACACS+ authentication, 255
load balancing
EIGRP
equal-cost, maximum paths, 75
unequal-cost, variance, 76
EtherChannel, 12, 15–16
local database authentication
AAA-based authentication, 252–253
simple authentication, 252
local preference attribute (BGP), 167–169
local SPANs
configurations
example of, 274–277
guidelines, 274
encapsulation dot1q, 277
encapsulation replicate, 277
ingress dot1q vlan, 277
ingress untagged vlan, 277
ingress vlan, 277
monitor session destination command, 277
monitor session source command, 276–277
no monitor session global configuration command,
274
show ip cache flow command, 273
troubleshooting, 281
verifying, 281
localEAP, 311–314
log-adjacency-changes command, 89
logging
EEM, 295–296
applets, 295, 298
configurations, 296–297
event manager run command, 298
event none command, 298
TCL scripting, 295, 298
verifying, 298
Flexible NetFlow
flow exporter, 272
flow monitors, 272–273
flow records, 272
NetFlow
Flexible NetFlow configurations, 272–273
verifying, 273
NTP
configurations, 281–282, 290–294
design, 282–284
ntp authentication-key command, 284
ntp master command, 282
ntp peer command, 282
ntp trusted-key command, 285
NTPv3, 283–284
NTPv4, 283–284
security, 284–285
setting router clocks, 286–289
show ntp associations command, 282
time stamps, 290
troubleshooting, 286
verifying, 286
Syslog
configurations, 269
message example, 270–271
message format, 269–270
security levels, 270
TCL scripting, 294–295
Loop Guard
PVST+, 44
Rapid PVST+, 44
STP configurations, 32–33
loopback addresses, OSPF, 98
loose mode (uRPF), 260
loose option, ping command, 264
LSAs (Link-State Advertisements)
LSDB overload protection, 101
route filtering, 137
LSDBs (Link-State Databases)
overload protection, OSPF, 101
route filtering, 137
LWA (Local Web Authentication), 314

M
manual summarization, EIGRP
IPv4, 70–71
IPv6, 71
max-age command, 27, 28
maximum-paths command, 66, 75
MD5 authentication, 97, 233
EIGRP named mode authentication, 68–70
OSPFv2 authentication, 95–96
MED (Multi-Exit Discriminator) attribute, BGP,
171–174
message timers, HSRP, 196
metrics
default metrics (redistribution), defining, 128–129
default-metric command, 129
EIGRP
weight adjustments, 80
Wide Metrics, 79
metric command, MED attribute (BGP), 171
metric rib-scale command, 79
metric weights command, 66, 80
seed metrics (redistribution), defining, 128–129
migrating from PVST+ to Rapid PVST+, 43–44
modular RADIUS authentication, 253–255
modular TACACS+ authentication, 255–256
monitor session destination command, 277
monitor session source command, 276–277
monitoring
EtherChannel, 17
IP SLAs, 150
MP-BGP (Multiprotocol-BGP), 157, 159–160
MST (Multiple Spanning Tree), 6
MSTP (Multiple Spanning Tree Protocol), 24–25
BackboneFast, 31
enabling, 37–38
UplinkFast, 31
multiarea OSPF configurations, 89–90 114
multicast addressing
IPv4, 64
IPv6, 64
multihop, EBGP, 162–163
multilayer switches, inter-VLAN routing, 46–47

N
named mode (EIGRP)
authentication, 68–70
configurations, 64–66, 83
NAT (Network Address Translation)
configurations
troubleshooting, 191
verifying, 190
dynamic NAT, 188
RFC 1918 private address ranges, 186–187
static NAT, 187, 193–194
virtual interfaces, 190, 193–194
native VLANs, 2–3
NBMA (Nonbroadcast Multiaccess) networks
hello timers, 102
OSPFv3, enabling IPv6 on an interface, 92
neighbor command, 79
neighbor remote-as command, 157
neighbor update-source command, BGP, 161–
162
NetFlow
configurations, 271
Flexible NetFlow configurations, 272–273
verifying, 273
network 0.0.0.0 command, 74
network area command, 89–90
network assurance
conditionally triggered debugs, 266
debug command, 265–266
EEM, 295–296
applets, 295, 298
configurations, 296–297
event manager run command, 298
event none command, 298
TCL scripting, 295, 298
verifying, 298
Flexible NetFlow
flow exporter, 272
flow monitors, 272–273
flow records, 272
ICMP redirect messages, 262
logging, configurations, 271
NetFlow
Flexible NetFlow configurations, 272–273
verifying, 273
NTP
configurations, 281–282, 290–294
design, 282–284
ntp authentication-key command, 284
ntp master command, 282
ntp peer command, 282
ntp trusted-key command, 285
NTPv3, 283–284
NTPv4, 283–284
security, 284–285
setting router clocks, 286–289
show ntp associations command, 282
time stamps, 290
troubleshooting, 286
verifying, 286
ping command, 262
examples, 262
extended ping commands, 262
interrupting ping operations, 264
loose option, 264
output characters, 263
record option, 264
strict option, 264
timestamp option, 264
verbose option, 264
port mirroring
ERSPANs, 280–281
local SPANs, 274–277, 281
RSPANs, 273–274, 277–281
SPANs, 273–277
SNMP
no snmp-server global command, 267
security levels, 267
security models, 267
SNMPv1, 267–268
SNMPv2c, 267–268
SNMPv3, 267–269
verifying, 269
Syslog
configurations, 269
message example, 270–271
message format, 269–270
security levels, 270
TCL scripting, 294–295
traceroute command, 265
network command
BGP
configurations, 156–157
default routes, 177
EIGRP named mode configurations, 66
network topologies
ASBR, 130–131
DHCP, IPv4, 224, 226–227
EIGRP, 83
EtherChannel configurations, 18
inbound distribute list route filters, 134–135
inter-VLAN routing configurations, 47–48, 55
IP SLAs, 148
IPv4 route redistribution, 131–132
IPv6 route redistribution, 132–133
NTP configurations, 290
OSPF
with AF, 120–121
multiarea OSPF configurations, 114
single-area OSPF configurations, 108
traditional OSPF configurations, 117–118
virtual links, 108
outbound distribute list route filters, 134–136
PBR with route maps, 146
PVST+, 40
route tagging and redistribution, 142
VLAN configurations, 8
networks
connected networks, redistributing, 129
DMVPNs, 340
IPv4 configurations, 341–346
OSPF, 346–347
verifying, 346
ip-default networks, EIGRP, 74
NBMA networks
hello timers, 102
OSPFv3, enabling IPv6 on an interface, 92
summaries, EIGRP, IPv4 classic mode
configurations, 63
timers, BGP, 161
WLANs
EAP, 312–314
open authentication, 304–306
WebAuth, 314–316
next-hop behavior
EBGP, 162
IBGP, 162
no debug all command, 265
no ip dhcp client request router command, 220
no ip forward-protocol udp x command, 219
no ipv6 nd managed-config-flag command, 223
no logging console command, 265
no monitor session global configuration
command, 274
no shutdown command, 33, 239
no snmp-server global command, 267
no switchport interface configuration
command, 194
noAuthNoPriv security level, SNMP, 267
non-edge link types, Rapid PVST+, 37
non-edge ports, Rapid PVST+, 36
normal-range VLANs, 2
NORTRID (No Router ID) warnings, 92
NSSA (Not-So-Stubby-Areas)
OSPF, 106–107
OSPFv3, 92
totally NSSA, 107–108
NTP (Network Time Protocol)
configurations, 281–282
network topologies, 290
design, 282–284
ntp authentication-key command, 284
ntp master command, 282
ntp peer command, 282
ntp trusted-key command, 285
NTPv3, 283–284
NTPv4, 283–284
router clocks, setting, 286–287
time zone acronyms, 288–289
time zone designators, 289
security
access lists, 285
authentication, 284–285
show ntp associations command, 282
time stamps, 290
troubleshooting, 286
verifying, 286

O
OSPFv2 (Open Shortest Path First version 2)
authentication
cryptographic authentication, 95–96
ip ospf authentication message-digest command,
95
MD5, 95–96
service password-encryption command, 96
SHA-256, 96
simple password authentication, 95
verifying, 98
auto-cost command, 101
auto-cost reference-bandwidth command, 101
BDR elections, 99–100
configurations, 89
log-adjacency-changes command, 89
multiarea OSPF, 89–90
multiarea OSPF configurations, 114–117
network area command, 89–90
single-area configurations, 111–114
verifying, 109–110
virtual links, 108–109
cost metrics, 100
DMVPNs, 346–347
DR elections, 99–100
E1 route assignments, 130–131
E2 route assignments, 130–131
ignore state, 101
IP MTU, 102
ip ospf cost command, 101
ip ospf process id area area number command, 91
IPv4, 89
IPv6, 89
loopback addresses, 98
LSDB overload protection, 101
multiarea OSPF, 89–90
network topologies
multiarea OSPF configurations, 114
single-area OSPF configurations, 108
traditional OSPF configurations, 117–118
virtual links, 108
OSPFv3 comparisons, 88–89
passive interfaces, 100
redistribution
connected networks, 129
default metrics, defining, 128–129
external routes, 131
internal routes, 131
IPv4 routes, 131–132, 134
IPv6 routes, 132–134
route tagging, 142–143
seed metrics, defining, 128–129
subnets, 130
reference bandwidth, 101
route filtering, 104, 137, 142–143
area range not-advertise command, 104
distribute-list command, 105
distribute-list in command, 104–105
filter-list command, 104
summary-address not-advertise command, 105
route summarization
external route summarization, 103–104
interarea route summarization, 103
router IDs, 99
router ospf x command, 91
router-id w.x.y.z. command, 99
routing, propagating default routes, 102–103
stub areas, 105–106
NSSA, 106–107
totally NSSA, 107–108
totally stubby areas, 106
timers, 101–102
troubleshooting, 111
virtual links, 108–109
wildcard masks, 90–91
OSPFv3 (Open Shortest Path First version 3)
AF, 93
IPv4, 94
IPv6, 94
parameters in configuration mode, 94–95
authentication, 97–98
area x authentication key-chain router
configuration command, 97
ospfv3 x authentication key-chain command, 97
verifying, 98
auto-cost command, 101
auto-cost reference-bandwidth command, 101
BDR elections, 99–100
configurations, 89
with AF, 120–125
enabling IPv6 on an interface, 91–92
log-adjacency-changes command, 89
multiarea OSPF, 89–90
multiarea OSPF configurations, 114–117
network area command, 89–90
single-area configurations, 111–114
traditional configurations, 91, 117–120
verifying, 109–110
virtual links, 108–109
cost metrics, 100
DMVPNs, 346–347
DR elections, 99–100
E1 route assignments, 130–131
E2 route assignments, 130–131
encryption, 97–98
ignore state, 101
interarea route summarization, 92
IP MTU, 102
ip ospf cost command, 101
ip ospf process id area area number command, 91
IPv4, 89
AF, 94
router IDs, 93
tunneling configurations, 331–335
IPv6, 88–89
AF, 94
ipv6 ospf x area y command, 92
traditional configurations, 91–92
tunneling configurations, 331–335
loopback addresses, 98
LSDB overload protection, 101
multiarea OSPF, 89–90
network topologies
multiarea OSPF configurations, 114
OSPF with AF, 120–121
single-area OSPF configurations, 108
traditional OSPF configurations, 117–118
virtual links, 108
NSSA areas, 92
OSPFv2 comparisons, 88–89
ospfv3 x authentication key-chain command, 97
passive interfaces, 100
redistribution
connected networks, 129
default metrics, defining, 128–129
external routes, 131
internal routes, 131
IPv4 routes, 131–132
IPv4 routes, verifying, 134
IPv6 routes, 132–133
IPv6 routes, verifying, 134
route tagging, 142–143
seed metrics, defining, 128–129
subnets, 130
reference bandwidth, 101
RFC 5838, 109
route filtering, 104, 137
area range not-advertise command, 104
distribute-list command, 105
distribute-list in command, 104–105
filter-list command, 104
summary-address not-advertise command, 105
route summarization
external route summarization, 103–104
interarea route summarization, 103
route tagging, 142–143
router IDs, 99
router ospf x command, 91
router-id w.x.y.z. command, 99
routing, propagating default routes, 102–103
SPF calculations, 93
stub areas, 92, 105–106
NSSA, 106–107
totally NSSA, 107–108
totally stubby areas, 106
summary-address command, 105
summary-prefix command, 105
timers, 101–102
troubleshooting, 111
virtual links, 108–109
wildcard masks, 90–91
outbound distribute list route filters, 134–136
overlay tunnels
GRE, 329
DMVPNs, 340–347
IPv4 configurations, 330–335
IPv6 configurations, 330–335
overlay configurations, 333–334
site-to-site GRE over IPsec, 335–339
site-to-site VTI over IPsec, 339–340
underlay configurations, 332–333
verifying, IPv4, 331
VTI, site-to-site VTI over IPsec, 339–340
overload protection (LSDBs), OSPF, 101

P
PAgP (Port Aggregation Protocol), 12, 13
passive interfaces
EIGRP, 72
OSPF, 100
passive interface default command, 100
passive-interface command, 66, 100
passwords
cleartext password encryption, 232–233
configurations, 231–232
enable secret password command, 232
encryption types, 233–234
key config-key password-encryption command, 254–
255
MD5, 233
OSPFv2 authentication, 95
password encryption aes command, 254–255
service password-encryption command, 232–233
storage, 232
VTP, 5, 6
PAT (Port Address Translation), configurations,
189–190
example of, 191–193
troubleshooting, 191
verifying, 190
path access lists (AS), BGP, 181–182
local preference attribute manipulation, 167–169
weight attribute manipulation, 166
path control
defined, 144
PBR, 144–145
IP SLAs, 150–153
route maps, 146–147
verifying, 145–146
set interface command, 145
path costs, STP configurations, 27
PBR (Policy-Based Routing)
IP SLAs, 150–151
probes, 151
tracking objects, 152
verifying, 152–153
path control, 144–145
configurations, 146–147
network topologies, 146
route maps, 146–147
verifying, 145–146
peer groups, BGP, 182–183
personal mode (WPA2), 306
ping command, 262
examples, 262
extended ping commands, 262
interrupting ping operations, 264
loose option, 264
output characters, 263
record option, 264
strict option, 264
TCL scripting, 295
timestamp option, 264
verbose option, 264
point-to-point links, Rapid PVST+, 37
policy maps (CoPP)
control plane assignments, 259
policing matched traffic, 259
port mirroring
ERSPANs, 280
destination configuration, 281
source configuration, 280
local SPANs, 273–277, 281
RSPANs, default configurations, 273–274, 277–281
PortFast
PVST+, 44
Rapid PVST+, 44
STP configurations, 28–29
ports
channel-group command, 14
edge ports, Rapid PVST+, 36
EF values, 2–3
error conditions, STP configurations, 33–36
EtherChannel port channel in Layer 3 mode, 194
LACP, hot-standby ports, 16–17
non-edge ports, Rapid PVST+, 36
PAgP, 12–13
port channel command, 14
priority, STP configurations, 26
routed ports, HSRP, 194
SPANs, EtherChannel, 13
VLANs
data VLAN port assignments, 2–4
voice VLAN port assignments, 2–4
preempt, HSRP, 196
prefix lists
BGP, 166–167, 181–182
route filtering, 137–140
verifying, 140
pre-shared keys, authentication, wireless
clients, 306–308
primary servers, VTP, 6
priv security level, SNMP, 267
private AS (Autonomous Systems), removing,
171
private IP addresses, 186–187
probes, PBR with IP SLAs, 151
pruning VTP, 6
“pseudo” passive interfaces, EIGRP, 72–73
PSK (Pre-Shared Key) configurations, site-to-
site GRE over IPsec, 337–338
PVST+(Per VLAN Spanning Tree Plus), 24–25
BackboneFast, 44
BPDU Filter, 44
BPDU Guard, 44
configurations
network topologies, 40
Loop Guard, 44
migrating to Rapid PVST+, 43–44
PortFast, 44
Rapid PVST+, 24, 25
Root Guard, 44
UplinkFast, 44

Q-R
RADIUS authentication, 253, 309–314
key config-key password-encryption command, 254–
255
legacy authentication, 253
modular RADIUS authentication, 253–255
password encryption aes command, 254–255
range command, 3
Rapid PVST+, 24–25
BackboneFast, 31, 44
BPDUs, 43
BPDU Filter, 44
BPDU Guard, 44
edge ports, 36
enabling, 36
Loop Guard, 44
non-edge link types, 37
non-edge ports, 36
point-to-point links, 37
PortFast, 44
PVST+ migration to, 43–44
Root Guard, 44
shared links, 37
UplinkFast, 31, 44
rcp (Remote Copy Protocol), 237
record option, ping command, 264
redirect messages (ICMP), 262
redistribution
AD, changing, 143–144
BGP, default metrics, defining, 128
connected networks, 129
default metrics, defining, 128–129
distribute lists, route filtering, 139–140
E1 routes, OSPF assignments, 130–131
E2 routes, OSPF assignments, 130–131
EIGRP
default metrics, defining, 128–129
IPv4 routes, 131–132
IPv4 routes, verifying, 134
IPv6 routes, 132–133
IPv6 routes, verifying, 134
route filtering, 134
seed metrics, defining, 128–129
IPv4 routes, 131–132, 134
IPv6 routes, 132–134
OSPF
connected networks, 129
default metrics, defining, 128–129
E1 route assignments, 130–131
E2 route assignments, 130–131
external routes, 131
internal routes, 131
IPv4 routes, 131–132, 134
IPv4 routes, verifying,
IPv6 routes, 132–134
seed metrics, defining, 128–129
subnets, 130
prefix lists
route filtering, 137–140
verifying, 140
redistribute command, 66, 78, 129
redistribute connected command, 78, 129
redistribute static command, 78
RIP, default metrics, defining, 128
route filtering
EIGRP, 134
inbound distribute list route filters, 134–135
outbound distribute list route filters, 134–136
prefix lists, 137–140
verifying, 136–137
route maps, 140–142
route tagging, 142–143
seed metrics, defining, 128–129
static routes, 129
subnets into OSPF, 130
reference bandwidth
auto-cost command, 101
auto-cost reference-bandwidth command, 101
ip ospf cost command, 101
OSPF, 101
regular expressions, BGP, 178–180
relays (DHCP), 219
remove-private-as command, 171
restoring
IFS configurations from TFTP servers, 238–239
IOS software
from TFTP servers, 239–240
using ROM monitor environmental variables,
240–241
RFC 1918, 186–187
RFC 2784, 329
RFC 5340, 88
RFC 5838, 109
RIP (Routing Information Protocol),
redistribution, 128
ROM monitor environmental variables,
restoring IO software, 240–241
Root Guard
PVST+, 44
Rapid PVST+, 44
STP configurations, 31–32
UplinkFast, 32
VLANs, 32
root switches, STP configurations, 25–26
RSA authentication, 234
RSPANs (Remote SPANs)
configurations
default configurations, 273–274
example of, 278–280
guidelines, 277–278
ERSPANs, 280
destination configuration, 281
source configuration, 280
show monitor command, 281
troubleshooting, 281
verifying, 281
RSTP (Rapid Spanning Tree Protocol), 24
S
saving VLAN configurations, 7
SCP (Secure Copy Protocol), 237, 241
configurations, 241–242
troubleshooting, 241
verifying, 241
seed metrics (redistribution), defining, 128–129
sequence numbers, route maps, 144
server mode (VTP), 5
servers
AAA servers, password storage, 232
primary servers, VTP, 6
RADIUS server authentication, 253
key config-key password-encryption command,
254–255
legacy authentication, 253
modular authentication, 253–255
password encryption aes command, 254–255
SCP servers, configurations, 241, 242
TACACS+ server authentication, 255
legacy authentication, 255
modular authentication, 255–256
TFTP servers
backing up IFS configurations to TFTP servers,
238
backing up IOS software, 239
copy startup-config tftp command, 238
copy tftp startup-config command, 239
restoring IFS configurations from TFTP servers,
238–239
restoring IOS software, 239–240
upgrading IOS software, 239–240
VTP servers, overwriting, 6
service password-encryption command, 96,
232–233
set interface command, 145
sftp (Secure FTP), 237
SHA (Secure Hash Algorithm)
EIGRP named mode authentication, 68–70
SHA1, 97
SHA-256, OSPFv2 authentication, 96
shared links, Rapid PVST+, 37
show debug condition command, 266
show file systems command, 236
show ip bgp command, BGP regular
expressions, 179–180
show ip bgp neighbor command, 176
show ip cache flow command, 273
show ip dhcp binding command, 218
show ip eigrp neighbors detail command, 81
show ip eigrp topology command, 81
show ip sla application command, 150
show ip sla configuration command, 153
show ip sla monitor configuration command,
153
show ip sla monitor statistics command, 153
show ip sla statistics command, 153
show monitor command, 281
show ntp associations command, 282
show vlan privileged EXEC command, 2
shutdown command, UDLD, 33
simple local database authentication, 252
simple password authentication, OSPFv2, 95
single-area OSPF configurations, 111–112
site-to-site GRE over IPsec, IPSec, 335–337
site-to-site VTI over IPsec, 339–340
SLAAC (Stateless Autoconfiguration), DHCP
and IPv6 configurations, 221–222
SLAs (Service Level Agreements), IP SLAs
authentication, 149–150
Cisco IOS IP SLAs, 147–149
icmp-echo command, 153
ip sla command, 150
ip sla monitor command, 150
monitoring, 150
PBR with IP SLAs, 150–153
show ip sla application command, 150
show ip sla configuration command, 153
show ip sla monitor configuration command, 153
show ip sla monitor statistics command, 153
show ip sla statistics command, 153
tcp-connect command, 149
track ip sla command, 153
track rtr command, 153
type echo protocol ipIcmpEcho command, 153
upd-echo command, 149
verifying, 152–153
SNMP (Simple Network Management Protocol),
267
no snmp-server global command, 267
security levels, 267
security models, 267
SNMPv1, 267–268
SNMPv2c, 267–268
SNMPv3, 267–269
verifying, 269
soft-reconfiguration inbound command, 175
software (IOS)
ROM monitor environmental variables, restoring
using, 240–241
TFTP servers
backing up to, 239
restoring from, 239–240
upgrading from, 239–240
source flash:ping.tcl command, 294
SPANs (Switched Port Analyzers)
configurations
default configurations, 273–274
local SPANs, 274–277, 281
RSPANs, 277–281
ERSPANs, 280
destination configuration, 281
source configuration, 280
EtherChannel, 13
local SPANs
configuration examples, 274–277
configuration guidelines, 274
encapsulation dot1q, 277
encapsulation replicate, 277
ingress dot1q vlan, 277
ingress untagged vlan, 277
ingress vlan, 277
monitor session destination command, 277
monitor session source command, 276, 277
no monitor session global configuration
command, 274
show ip cache flow command, 273
troubleshooting, 281
verifying, 281
RSPANs
configuration example, 278–280
configuration guidelines, 277–278
show monitor command, 281
troubleshooting, 281
verifying, 281
SPF (Shortest Path First) calculations, OSPFv3,
93
spi (Security Policy Index), 97
src-dst-ip load distribution method, 16
src-dst-mac load distribution method, 16
src-dst-mixed-ip-port load distribution method,
16
src-dst-port load distribution method, 16
src-ip load distribution method, 16
src-mac load distribution method, 16
src-mixed-ip-port load distribution method, 16
src-port load distribution method, 16
SSH (Secure Shell)
boot system commands, 235–236
configurations, 234–235
crypto key generate rsa global configuration
command, 234
crypto key zeroize rsa command, 234
verifying, 235
standard ACL configurations, 246–247
static NAT configurations, 187, 193–194
static route redistribution, 73, 129
static VLANs, creating, 2
storage, passwords, 232
STP (Spanning Tree Protocol)
changing modes, 25
configurations
BackboneFast, 31
BPDU Filter, 30
BPDU Guard, 29–30
changing modes, 25
Loop Guard, 32–33
path costs, 27
port error conditions, 33–36
port priority, 26
PortFast, 28–29
Rapid PVST+, 36
Root Guard, 31–32
root switches, 25–26
secondary root switches, 26
timers, 27–28
UDLD, 33
UplinkFast, 30–31
VLAN switch priority, 27
defined, 24
enabling, 24–25
extended system ID, verifying, 39
forward-time command, 27–28
hello-time command, 27–28
max-age command, 27–28
MSTP, 24–25
BackboneFast, 31
enabling, 37–38
UplinkFast, 31
PVST+, 24–25
BackboneFast, 44
BPDU Filter, 44
BPDU Guard, 44
configurations, 40–43
Loop Guard, 44
migrating to Rapid PVST+, 43–44
PortFast, 44
Root Guard, 44
UplinkFast, 44
Rapid PVST+, 24–25
BackboneFast, 31, 44
BPDUs, 43
BPDU Filter, 44
BPDU Guard, 44
edge ports, 36
enabling, 36
Loop Guard, 44
non-edge link types, 37
non-edge ports, 36
point-to-point links, 37
PortFast, 44
PVST+ migration to, 43–44
Root Guard, 44
shared links, 37
UplinkFast, 31, 44
RSTP, 24
timers, 27–28
troubleshooting, 40
verifying, 39
VLANs, 25
strict mode (uRPF), 260
strict option, ping command, 264
stub areas, 105–106
NSSA, 106–107
OSPFv3, 92
totally NSSA 107–108
totally stubby areas, OSPF, 106
stub routing, EIGRP, 77–79
subnets, redistribution into OSPF, 130
summarization
EIGRP
auto-summarization, 70
manual summarization, 70–71
OSPF
external route summarization, 103–104
interarea route summarization, 103
summary-address command, 66, 84, 105
summary-address not-advertise command,
OSPF route filtering, 105
summary-prefix command, 105
SVIs (Switch Virtual Interfaces), HSRP, 194
switchport mode access command, 2–4
switchport mode dynamic auto command, 3
switchport mode dynamic desirable command,
3
switchport mode nonegotiate command, 3
switchport mode trunk command, 3
switchport mode trunk encapsulation
command, 4
switchport voice command, 2–3
Syslog
configurations, 269
logging, configurations, 271
message example, 270–271
message format, 269–270
security levels, 270
system (URL prefix), 237

T
TACACS+ authentication, 255
legacy authentication, 255
modular authentication, 255–256
tar, 237
TCL scripting, 294–295, 298
tclquit command, 295
tclsh command, 295
tcp-connect command, 149
Telnet, 234
tftp, 237
TFTP servers
Cisco IFS
backing up configurations to TFTP servers, 238
restoring configurations from TFTP servers,
238–239
copy startup-config tftp command, 238
copy tftp startup-config command, 239
IOS software
backing up, 239
restoring, 239–240
upgrading, 239–240
time stamps
NTP, 290
timestamp option, ping command, 264
time zones, router clock setups
time zone acronyms, 288–289
time zone designators, 289
time-based ACL configurations, 248–249
timers
BGP, 161
dead interval timers, 101–102
EIGRP, 71
forward-time command, 27–28
hello timers, 101–102
hello-time command, 27–28
keepalive timers, BGP, 161
max-age command, 27–28
message timers, HSRP, 196
network timers, BGP, 161
OSPF, 101–102
STP configurations, 27–28
tos, EIGRP metric weight adjustments, 80
totally NSSA, OSPF, 107–108
totally stubby areas, OSPF, 106
traceroute command, 265
track ip sla command, 153
track rtr command, 153
tracking
interface tracking
HSRP, 197
VRRP, 203
IP SLA tracking, HSRP, 199–200
objects, PBR with IP SLAs, 152
traffic-share command, 66, 76–77
transform sets, site-to-site GRE over IPsec, 337,
338
transparent mode
VLANs, 2
VTP, 5, 6, 7
troubleshooting
AAA, 256–257
BGP, 175–176
debug commands, 111
DHCP
IPv4 configurations, 220
IPv6 configurations, 223
EIGRP, 70, 82–83
local SPANs, 281
NAT configurations, 191
NTP, 286
OSPF, 111
PAT configurations, 191
RSPANs, 281
SCP, 241
STP, 40
uRPF, 260
wireless client connectivity
Cisco AireOS Monitoring Dashboard GUI, 322–
326
Cisco IOS XE GUI, 326–327
WLCs, 316
Cisco AireOS Advanced GUI, 318–319
Cisco AireOS CLI, 320–322
Cisco AireOS Monitoring Dashboard GUI, 316–
318
Cisco IOS XE CLI, 320–322
Cisco IOS XE GUI, 319–320
trunking
dot1q trunking, 4–5, 46
DTP
VLAN port assignments, 3–4
VTP domain names, 4
VLANs
dot1q trunking, 4–5
DTP, 3–4
port assignments, 3–4
trunk encapsulation, 4–5
VTP, 2, 4, 5–6
VTP, 2
client mode, 5
domain names, 4–5
DTP trunk negotiations, 4
overwriting servers, 6
passwords, 5–6
primary servers, 6
pruning, 6
server mode, 5
transparent mode, 5
verifying, 6
versions, 5
VLAN configuration, 5–6
VTP primary server command, 6
tunneling
GRE, 329
DMVPNs, 340–347
IPv4 configurations, 330
IPv4 configurations with OSPFv3, 331–335
IPv6 configurations, 330–331
IPv6 configurations with OSPFv3, 331–335
overlay configurations, 333–334
site-to-site GRE over IPsec, 335–339
site-to-site VTI over IPsec, 339–340
underlay configurations, 332–333
verifying, IPv4, 331
VTI, site-to-site VTI over IPsec, 339–340

U
UDLD (Unidirectional Link Detection)
no shutdown command, 33
shutdown command, 33
STP configurations, 33
undebug all command, 265
underlay configurations, GRE, 332–333
unequal-cost load balancing, EIGRP, 76
unicast addressing
EIGRP unicast neighbors, 79
IPv4, 64
IPv6, 64
universal IOS image filename, 237
unneeded IFS services, disabling, 242–243
upd-echo command, 149
upgrading
EIGRP
eigrp upgrade-cli command, 66–67
upgrading classic mode configurations to named
mode, 66–67
IOS software from TFTP servers, 239–240
UplinkFast
PVST+, 44
Rapid PVST+, 31, 44
Root Guard, 32
STP configurations, 30–31
URL prefixes for Cisco network devices, 236–
237
uRPF (Unicast Reverse Path Forwarding)
configurations, 260
loose mode, 260
strict mode, 260
troubleshooting, 260
verifying, 260

V
variance
EIGRP load balancing, 76
variance command, 66, 76
verbose option, ping command, 264
verifying
ACL
IPv4, 251
IPv6, 251
BGP, 174, 184
CoPP, 260
DHCP
IPv4 configurations, 220
IPv6 configurations, 224
DMVPNs, 346
EEM, 298
EIGRP, 70, 80–82
EtherChannel, 17
extended system ID (STP), 39
GRE, 331, 339
HSRP, 195, 217
IP SLAs, 152–153
IPSec, site-to-site GRE over IPsec, 339
IPv4 route redistribution, 134
IPv6 route redistribution, 134
local SPANs, 281
NAT configurations, 190
NetFlow, 273
NTP, 286
OSPF, 109–110
OSPFv2 authentication, 98
OSPFv3 authentication, 98
PAT configurations, 190
PBR, path control, 145–146
port error conditions, STP configurations, 33–36
prefix lists, 140
route filtering, 136–137
RSPANs, 281
SCP, 241
SNMP, 269
SPANs
local SPANs, 281
RSPANs, 281
STP, 39
uRPF, 260
VLAN information, 7
VRF-Lite, 349
VRRP, 203
VTP, 6
virtual interfaces
NAT interfaces, configurations, 190, 193–194
switch virtual interfaces, inter-VLAN routing, 46–47
virtual links, OSPF, 108–109
VLANs (Virtual Local Area Networks)
2960 series switches, 10–11
3650 series switches, 9–10
allowed VLANs, 4–5
configuration mode, static VLANs, 2
configurations
2960 series switches, 10–11
3650 series switches, 9–10
erasing, 7–8
example of, 8
network topology, 8
saving, 7
copy running-config startup-config command, 7
creating, 2
data VLANs, port assignments, 2–4
database mode, 2
defined, 1–2
dot1q trunking, 4–5
DTP, 3–4
EtherChannel configurations, 13
exit command, 7
extended-range VLANs, 2
ingress dot1q vlan, local SPANs, 277
ingress untagged vlan, local SPANs, 277
ingress vlan, local SPANs, 277
interface range command, 3
inter-VLAN routing
best practices, 46
configurations, 47–48
encapsulation isl x command, 46
external routers, 45–46
IPv6 configurations, 55–60
multilayer switches, 46–47
network topologies, 47–48
routers-on-a-stick, 45–46
switch virtual interfaces, 46–47
MSTP, 24
native VLANs, 2–3
normal-range VLANs, 2
port assignments
data VLANs, 2–4
voice VLANs, 2–4
PVST+, 24
range command, 3
Root Guard, 32
show vlan privileged EXEC command, 2
SPANs
local SPANs, 274–277
RSPANs, 278–280
static VLANs, creating, 2
STP, 25
path costs, 27
switch priority, 27
timers, 27–28
switchport mode access command, 2–4
switchport mode dynamic auto command, 3
switchport mode dynamic desirable command, 3
switchport mode nonegotiate command, 3
switchport mode trunk command, 3
switchport mode trunk encapsulation command, 4
switchport voice command, 2–3
transparent mode, 2
trunk encapsulation, 4–5
verifying information, 7
voice VLANs
port assignments, 2–4
switchport voice command, 2–3
VTP, 2, 5–6
client mode, 5
domain names, 4–5
DTP trunk negotiations, 4
overwriting servers, 6
passwords, 5–6
primary servers, 6
pruning, 6
server mode, 5
transparent mode, 5–7
verifying, 6
versions, 5
VTP primary server command, 6
VPNs (Virtual Private Networks), DMVPNs, 340
IPv4 configurations, 341–346
OSPF, 346–347
verifying, 346
vrf upgrade-cli multi-af-mode command, 348
VRF-Lite, 347
configurations, 347–348
verifying, 349
VRF
creating, 347–348
interface assignments, 347–348
routing, 348
VRRP (Virtual Router Redundancy Protocol),
201
debugging, 204
fhrp version vrrp v3 command, 201
interface tracking, 203
optimization options, 203
verifying, 203
VRRPv2
configurations, 201–202
routers/L3 switches with IP SLA tracking, 209–
212
VRRPv3, 201, 202–203
VTI (Virtual Tunnel Interface), site-to-site VTI
over IPsec, 339–340
VTY ACL configurations, 249–250

W
WebAuth, 314–316
weight attribute (BGP), 164–165
AS path access lists, 166
prefix lists, 166–167
route maps, 166–167
WEP (Wired Equivalent Privacy) standard, 306
Wide Metrics (EIGRP), 79
wildcard masks
EIGRP IPv4 classic mode configurations, 63
OSPF, 90–91
wireless clients
authentication, 303
802.1x, 307–308
EAP, 308–314
LWA, 314
open authentication, 304–306
pre-shared keys, 306–308
WebAuth, 314–316
WPA2, 306–307
connectivity, troubleshooting
Cisco AireOS Monitoring Dashboard GUI, 322–
326
Cisco IOS XE GUI, 326–327
WLCs, troubleshooting, 316
Cisco AireOS Advanced GUI, 318–319
Cisco AireOS CLI, 320–322
Cisco AireOS Monitoring Dashboard GUI, 316–
318
Cisco IOS XE CLI, 320–322
Cisco IOS XE GUI, 319–320
wireless security, 307–308
WEP standard, 306
wireless client authentication, 303
802.1x, 307–308
EAP, 308–314
LWA, 314
open authentication, 304–306
pre-shared keys, 306–308
WebAuth, 314–316
WPA2, 306–307
WLANs (Wireless Local Area Networks)
EAP, 312–314
open authentication, 304–306
WebAuth, 314–316
WLCs (Wireless LAN Controllers),
troubleshooting, 316
Cisco AireOS
Advanced GUI, 318–319
CLI, 320–322
Monitoring Dashboard GUI, 316–318
Cisco IOS XE
CLI, 320–322
GUI, 319–320
WPA2 (Wired Protected Access 2), 306
enterprise mode, 307
personal mode, 306

X-Y-Z
xmodem, 237
ymodem, 237
Code Snippets
Many titles include programming code or configuration
examples. To optimize the presentation of these
elements, view the eBook in single-column, landscape
mode and adjust the font size to the smallest setting. In
addition to presenting code and configurations in the
reflowable text format, we have included images of the
code that mimic the presentation found in the print
book; therefore, where the reflowable format may
compromise the presentation of the code listing, you
will see a “Click here to view code image” link. Click the
link to view the print-fidelity code image. To return to
the previous page viewed, click the Back button on your
device or app.

Symantec SSL Visibility Appliance: Data Sheet
No ratings yet
Symantec SSL Visibility Appliance: Data Sheet
6 pages
Cisco Wireless LAN Controller Configuration Guide, Release 7.2
No ratings yet
Cisco Wireless LAN Controller Configuration Guide, Release 7.2
1,070 pages
Computer Networks Notespptxpdf Lyst1752818690161
No ratings yet
Computer Networks Notespptxpdf Lyst1752818690161
515 pages
CCNP Enterprise Core Networking Encor Product Overview
No ratings yet
CCNP Enterprise Core Networking Encor Product Overview
21 pages
CCNA Manual 200-125
100% (5)
CCNA Manual 200-125
93 pages
Managing - Secure.cisco - SD WAN - Branch.with - SASE
No ratings yet
Managing - Secure.cisco - SD WAN - Branch.with - SASE
295 pages
Cisco Identity Services Engine User Guide, Release 1.2
No ratings yet
Cisco Identity Services Engine User Guide, Release 1.2
786 pages
(Epub) .+Page+.Review CCNA Routing and Switching 200-125 Official Cert Guide Library F.R.E.E Ebook Hardcover
100% (1)
(Epub) .+Page+.Review CCNA Routing and Switching 200-125 Official Cert Guide Library F.R.E.E Ebook Hardcover
2 pages
Cisco Security PDF
No ratings yet
Cisco Security PDF
678 pages
CCNP 1
No ratings yet
CCNP 1
100 pages
HSRP VRRP GLBP
100% (1)
HSRP VRRP GLBP
1 page
LTE Transmission Mode Definition
100% (1)
LTE Transmission Mode Definition
4 pages
'Docslide - Us - Infoblox Cli Guide 612 PDF
No ratings yet
'Docslide - Us - Infoblox Cli Guide 612 PDF
182 pages
7 - InterVLAN - Routing SRX
No ratings yet
7 - InterVLAN - Routing SRX
28 pages
Assignment: Submitted By: Pankaj Yadav
No ratings yet
Assignment: Submitted By: Pankaj Yadav
128 pages
Zhone Dslam
No ratings yet
Zhone Dslam
410 pages
CCNA 200-301 Chapter 18 - Troubleshooting IPv4 Routing
No ratings yet
CCNA 200-301 Chapter 18 - Troubleshooting IPv4 Routing
25 pages
Cisco+300-715 001
No ratings yet
Cisco+300-715 001
55 pages
CCNP - BSCI.Quick - Reference.Sheets - Exam.642901 Ebook - Ipmanager.ir PDF
100% (1)
CCNP - BSCI.Quick - Reference.Sheets - Exam.642901 Ebook - Ipmanager.ir PDF
73 pages
Sample SWITCH Labs
No ratings yet
Sample SWITCH Labs
24 pages
BRKRST 2096
No ratings yet
BRKRST 2096
137 pages
Cisco Email Security Solutions 11 Lab v1.2: About This Demonstration
100% (1)
Cisco Email Security Solutions 11 Lab v1.2: About This Demonstration
98 pages
CCNP Tshoot PDF
100% (1)
CCNP Tshoot PDF
24 pages
PAN-OS 2.1 CLI Reference Guide
No ratings yet
PAN-OS 2.1 CLI Reference Guide
258 pages
Deploying DNSSEC v3
No ratings yet
Deploying DNSSEC v3
31 pages
CCNP Security 300-725 SWSA Dumps
No ratings yet
CCNP Security 300-725 SWSA Dumps
11 pages
Ccna Icnd1 Labs PDF
No ratings yet
Ccna Icnd1 Labs PDF
99 pages
642-637 Cisco - Press.SNRS - StudentGuide.v2.0.Vol3
No ratings yet
642-637 Cisco - Press.SNRS - StudentGuide.v2.0.Vol3
218 pages
How-To 103 Implement Cisco ISE Server Side Certificates
No ratings yet
How-To 103 Implement Cisco ISE Server Side Certificates
29 pages
1-Build A Fortinet FW Lab Using Eve-NG: Skill
No ratings yet
1-Build A Fortinet FW Lab Using Eve-NG: Skill
24 pages
Configure VRF Route Leak On Cisco Nexus Switches
No ratings yet
Configure VRF Route Leak On Cisco Nexus Switches
12 pages
FortiAnalyzer 6.2 Cookbook
No ratings yet
FortiAnalyzer 6.2 Cookbook
62 pages
Fortigate Cookbook
No ratings yet
Fortigate Cookbook
393 pages
NAT For FTD
No ratings yet
NAT For FTD
108 pages
CCNP Security Exams and Training - Cisco
No ratings yet
CCNP Security Exams and Training - Cisco
8 pages
ICND1 Assesment Lab: Scenario
No ratings yet
ICND1 Assesment Lab: Scenario
22 pages
Module 5 ACLs
No ratings yet
Module 5 ACLs
69 pages
CCIE Voice Lab Workbook
No ratings yet
CCIE Voice Lab Workbook
30 pages
PASSLEADER BY aNTON DUMP CCNA SEC
No ratings yet
PASSLEADER BY aNTON DUMP CCNA SEC
36 pages
CCNP and CCIE Enterprise Core & CCNP Advanced Routing Portable Command Guide All ENCOR (350-401) and ENARSI (300-410) PDF
100% (9)
CCNP and CCIE Enterprise Core & CCNP Advanced Routing Portable Command Guide All ENCOR (350-401) and ENARSI (300-410) PDF
950 pages
Cli Commands Cisco Vs Juniper
100% (1)
Cli Commands Cisco Vs Juniper
4 pages
PassLeader 200-125 Exam Dumps
No ratings yet
PassLeader 200-125 Exam Dumps
5 pages
Cisco Nexus Layer 2
No ratings yet
Cisco Nexus Layer 2
78 pages
Prep For CCIE SP Lab Exam v3-0 Part - 3 of 7 PDF
No ratings yet
Prep For CCIE SP Lab Exam v3-0 Part - 3 of 7 PDF
39 pages
What Is A Firewall CCIE
No ratings yet
What Is A Firewall CCIE
34 pages
Wi-Fi Capacity Analysis WP PDF
No ratings yet
Wi-Fi Capacity Analysis WP PDF
21 pages
CLI Access Modes:: Operational Mode
No ratings yet
CLI Access Modes:: Operational Mode
3 pages
Fortinet Fortigate Infrastructure Lab Guide For Fortios 72
100% (1)
Fortinet Fortigate Infrastructure Lab Guide For Fortios 72
126 pages
CCIE Wireless v3 Preparation Tips
No ratings yet
CCIE Wireless v3 Preparation Tips
7 pages
Ccie Entreprise SW
100% (1)
Ccie Entreprise SW
282 pages
300 725 SWSA v1.1
No ratings yet
300 725 SWSA v1.1
3 pages
3 Steps To Tuning A Cisco WLAN Controller From Default Settings
No ratings yet
3 Steps To Tuning A Cisco WLAN Controller From Default Settings
19 pages
Lab 7.2.2 Configuring RIP - Instructor Version 2500: Objective
No ratings yet
Lab 7.2.2 Configuring RIP - Instructor Version 2500: Objective
14 pages
Fortinet Testking NSE4 v2016-16-20 by Andy 167q
No ratings yet
Fortinet Testking NSE4 v2016-16-20 by Andy 167q
87 pages
Week 7
No ratings yet
Week 7
43 pages
MS 700T00A ENU TrainerHandbook
100% (2)
MS 700T00A ENU TrainerHandbook
371 pages
CN Lab Manual RNSFGC
No ratings yet
CN Lab Manual RNSFGC
45 pages
Path Mechanism To Reduce Packet Data Loss in Wireless Mesh Networks
No ratings yet
Path Mechanism To Reduce Packet Data Loss in Wireless Mesh Networks
8 pages
ACN Micro Project-1
No ratings yet
ACN Micro Project-1
23 pages
CCIE Security Book List - Cisco Systems
100% (1)
CCIE Security Book List - Cisco Systems
2 pages
Guia de Usuario e Instalacao - Switch TP-Link - TL-SG1008D - 8 Portas - Gigabit
No ratings yet
Guia de Usuario e Instalacao - Switch TP-Link - TL-SG1008D - 8 Portas - Gigabit
25 pages
300-420 ENSLD Designing Cisco Enterprise
No ratings yet
300-420 ENSLD Designing Cisco Enterprise
3 pages
All CBT Courses by Path
No ratings yet
All CBT Courses by Path
7 pages
Nfs With Sso
No ratings yet
Nfs With Sso
21 pages
Vendor: Cisco Exam Code: 350-401 Exam Name: Implementing and Operating Cisco Enterprise
No ratings yet
Vendor: Cisco Exam Code: 350-401 Exam Name: Implementing and Operating Cisco Enterprise
6 pages
F5 Administering BIG-IP Datasheet V15
No ratings yet
F5 Administering BIG-IP Datasheet V15
3 pages
Wireshark Filters Cheat Sheet
No ratings yet
Wireshark Filters Cheat Sheet
6 pages
CCNA Security, Final Exam
100% (1)
CCNA Security, Final Exam
22 pages
Renewal Application Adult01
No ratings yet
Renewal Application Adult01
15 pages
Unit 1: Overview of Digital Communication Systems
No ratings yet
Unit 1: Overview of Digital Communication Systems
28 pages
Network Function Virtualization
No ratings yet
Network Function Virtualization
26 pages
Juniper Networks Technical Documentation
No ratings yet
Juniper Networks Technical Documentation
11 pages
Lab 2 Handout
No ratings yet
Lab 2 Handout
7 pages
DHCP Option 43 00
No ratings yet
DHCP Option 43 00
15 pages
Juniper Networks Technical Documentation
No ratings yet
Juniper Networks Technical Documentation
9 pages
SIM7080 Series at Command Manual V1.02-Trang-2
No ratings yet
SIM7080 Series at Command Manual V1.02-Trang-2
19 pages
ZTE UMTS Load Balance Feature Guide U9.2
No ratings yet
ZTE UMTS Load Balance Feature Guide U9.2
32 pages
OfficeServ 7200 Data Server User Manual PDF
No ratings yet
OfficeServ 7200 Data Server User Manual PDF
180 pages
Juniper Networks Technical Documentation
No ratings yet
Juniper Networks Technical Documentation
3 pages
SIP Transport: All Mediatrix Units
No ratings yet
SIP Transport: All Mediatrix Units
11 pages
Dell EMC Networking S4048 On Spec Sheet
No ratings yet
Dell EMC Networking S4048 On Spec Sheet
4 pages
Nokia Multiantenna White Paper
No ratings yet
Nokia Multiantenna White Paper
16 pages
1.0 Implementing Layer 2 Technologies - Configuring and Troubleshooting Layer 2 Technologies
No ratings yet
1.0 Implementing Layer 2 Technologies - Configuring and Troubleshooting Layer 2 Technologies
21 pages
Modulation
No ratings yet
Modulation
7 pages
Ccna Commande 3
No ratings yet
Ccna Commande 3
5 pages
ZF2942 Datasheet PDF
No ratings yet
ZF2942 Datasheet PDF
4 pages
Integracion CISCO E ISSABELA-PBX KEVIN PARRA CME-K
No ratings yet
Integracion CISCO E ISSABELA-PBX KEVIN PARRA CME-K
10 pages
5) PSK
No ratings yet
5) PSK
20 pages
Mobile Adhoc Networks QP
No ratings yet
Mobile Adhoc Networks QP
2 pages
950.IMS - Restoration.procedures
No ratings yet
950.IMS - Restoration.procedures
16 pages
1.01.1 Frame Relay Multipoint Links On A Physical Interface Using Inverse ARP
No ratings yet
1.01.1 Frame Relay Multipoint Links On A Physical Interface Using Inverse ARP
14 pages
CCNP ENCOR v8 Scope and Sequence
No ratings yet
CCNP ENCOR v8 Scope and Sequence
11 pages
Cisco Exploration 2
No ratings yet
Cisco Exploration 2
8 pages
Cisco Router Configuration Commands
No ratings yet
Cisco Router Configuration Commands
2 pages
Checkpoint Actualtests 156-215 75 v2012-04-08
No ratings yet
Checkpoint Actualtests 156-215 75 v2012-04-08
178 pages

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.