CCNA Tutorials - 3 IP Connectivity & Services - 9TUT

This document explains how routers make forwarding decisions using a routing table, emphasizing the Longest Prefix Matching Rule for selecting routes. It also discusses the importance of Administrative Distance and Metric values in determining which routes are installed in the routing table. Additionally, the document provides an overview of the Routing Information Protocol (RIP) and its operational mechanisms, including its limitations and methods to prevent routing loops.

Uploaded by Mladen

3.0 IP Connectivity
3.0.1. How a router makes a forwarding decision
We all know that when a packet reaches a router interface, the router will send the packet to the
destination. But how does a router determine which route is the best to use to send the packet? In
this tutorial we will learn more about how a router makes the forwarding decision.

To make the routing decision, the router must first build a table which contains all the best
routes. When the packets arrive, the router just needs to check this table to choose the best
match. This is called the routing table.

So what is stored in the routing table of a router? Let’s have a look with the “show ip route”
command, which displays the routing table of the local router.

R1# show ip route


--output omitted--
D 192.168.20.0/26 [90/24513456] via 10.10.10.1
R 192.168.20.0/24 [120/5] via 10.10.10.2
O 192.168.0.0/19 [110/219414] via 10.10.10.13
D 192.168.20.0/27 [90/4123710] via 10.10.10.12
D 192.168.20.0/25 [90/14464211] via 10.10.10.11
S* 0.0.0.0/0 [1/0] via 10.10.10.14

There are some notes about this routing table:

1. We see many routes of 192.168.20.0 with different prefix lengths (subnet masks) in this
routing table. For example “/26”, “/24”, “/19”… This is normal because routes with different
prefix lengths are considered different routes.

2. The routes of 192.168.20.0 were learned via different routing protocols, which are
symbolized by different letters at the beginning of each entry. For example, letter “D” means
“EIGRP”; letter “O” means “OSPF”, letter “R” means “RIP”.

3. The next hop of each entry is the IP address after the word “via”. For example we have next
hops of 10.10.10.1, 10.10.10.2, 10.10.10.13…

Suppose R1 received a packet destined to 192.168.20.57. Which next hop will the router choose for
the packet?

The router chooses the best path in the routing table based on this single rule:

Longest Prefix Matching Rule: The longest prefix that matches the route is preferred.

Let’s check from longest prefix down to shortest prefix:


+ 192.168.20.0/27 ranges from 192.168.20.0 – 192.168.20.31 so the IP address 192.168.20.57 does
not belong to this prefix -> ignore.

+ 192.168.20.0/26 ranges from 192.168.20.0 – 192.168.20.63 so the IP address 192.168.20.57
belongs to this prefix -> the router will choose this route to forward the packet. We don’t need to check
other shorter prefixes like /25 or /19.
To find out the range of each prefix you need to do subnetting well. If you still cannot do
subnetting in your head then please read our Subnetting Tutorial – Subnetting Made Easy.

Wait, how about Administrative Distance and Metric values?

Maybe you will be surprised when we say “longest prefix match” is the only rule that the router
uses to choose the path. Yes, in fact it is correct for routes that were installed into the
routing table. The Administrative Distance (AD) and Metric values are only used to choose which
prefixes will be installed into the routing table.

Let’s learn more about how these two values are used before a route is chosen to install into the
routing table:

1. Lowest AD value: Same prefixes (which means same routes with same prefix lengths) use the
Administrative Distance to choose the route to install into the routing table. For example, our
router learns of the following networks via different routing protocols as follows:

+ 192.168.1.0/24 using OSPF (AD = 110) with next hop IP of 10.1.1.1
+ 192.168.1.0/24 using RIP (AD = 120) with next hop IP of 10.1.2.1
+ 192.168.1.0/24 using EIGRP (AD = 90) with next hop IP of 10.1.3.1

Then the third route with EIGRP will be installed into the routing table as the AD of EIGRP is
smallest.

2. Lowest Metric value: This value is used as a tie-break when same prefixes have the same AD. The
route with the lowest metric is preferred. Use the same example above but with metric values:

+ 192.168.1.0/24 using OSPF (AD = 110) with next hop IP of 10.1.1.1
+ 192.168.1.0/24 using RIP (AD = 120) with next hop IP of 10.1.2.1
+ 192.168.1.0/24 using EIGRP (AD = 90) with metric of 30000 and next hop IP of 10.1.3.1
+ 192.168.1.0/24 using EIGRP (AD = 90) with metric of 25000 and next hop IP of 10.1.4.1

Then the fourth route (EIGRP with metric of 25000) will be chosen to install into the routing table
because of lowest AD and lowest metric.

With additional configuration then load balancing may take place as EIGRP supports this
feature. But load balancing is out of scope in this tutorial.

Conclusion

In summary, before a prefix is installed into the routing table, two values are compared in this
order:
1. Administrative Distance
2. Metric

After a prefix is installed into the routing table then only the longest prefix match rule is used to
choose the best route as the routing table is already filtered of all but the best routes, regardless of
AD or metric.

A prefix is a network address with a subnet mask. For example 192.168.20.0/26 is a prefix.
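The two-stage decision described above, as an added worked example (this is not code from the 9tut tutorial). Stage 1 filters the candidate routes for each exact prefix by administrative distance and then by metric; stage 2 answers a lookup with longest prefix match only, so AD and metric no longer play a part. It uses the Cisco IOS default ADs for the route codes in the `show ip route` output (connected 0, static 1, EIGRP 90, OSPF 110, RIP 120) and the routes shown on the page; the OSPF and RIP metric values for 192.168.1.0/24 are not given in the text and are constructed here.

```python
"""Added example: install routes by (AD, metric), then forward by longest prefix match."""
import ipaddress

# Cisco IOS default administrative distances for the route codes used above:
# connected, static, EIGRP, OSPF, RIP.
ADMIN_DISTANCE = {"C": 0, "S": 1, "D": 90, "O": 110, "R": 120}


def install_routes(candidates):
    """Stage 1. candidates: (code, prefix, metric, next_hop) tuples as learned by
    the routing protocols. For each exact prefix keep the lowest (AD, metric)."""
    table = {}
    for code, prefix, metric, next_hop in candidates:
        net = ipaddress.ip_network(prefix)
        current = table.get(net)
        if current is None or (ADMIN_DISTANCE[code], metric) < (ADMIN_DISTANCE[current[0]], current[1]):
            table[net] = (code, metric, next_hop)
    return table


def lookup(table, destination):
    """Stage 2. Longest prefix match among the installed routes only."""
    addr = ipaddress.ip_address(destination)
    matches = [net for net in table if addr in net]
    if not matches:
        return None
    best = max(matches, key=lambda net: net.prefixlen)
    return str(best), table[best]


# The routes from the tutorial's show ip route output, plus the four competing
# 192.168.1.0/24 candidates from the AD/metric example. The OSPF and RIP metrics
# for 192.168.1.0/24 are constructed values (not given in the text).
CANDIDATES = [
    ("D", "192.168.20.0/26", 24513456, "10.10.10.1"),
    ("R", "192.168.20.0/24", 5, "10.10.10.2"),
    ("O", "192.168.0.0/19", 219414, "10.10.10.13"),
    ("D", "192.168.20.0/27", 4123710, "10.10.10.12"),
    ("D", "192.168.20.0/25", 14464211, "10.10.10.11"),
    ("S", "0.0.0.0/0", 0, "10.10.10.14"),
    ("O", "192.168.1.0/24", 20, "10.1.1.1"),       # constructed metric
    ("R", "192.168.1.0/24", 3, "10.1.2.1"),        # constructed metric (lower, but RIP loses on AD)
    ("D", "192.168.1.0/24", 30000, "10.1.3.1"),
    ("D", "192.168.1.0/24", 25000, "10.1.4.1"),
]
ROUTING_TABLE = install_routes(CANDIDATES)

if __name__ == "__main__":
    for dest in ("192.168.20.57", "192.168.20.5", "192.168.1.9", "8.8.8.8"):
        print(dest, "->", lookup(ROUTING_TABLE, dest))
```

Note that RIP's lower metric for 192.168.1.0/24 never gets a chance: the AD comparison comes first, and metric only breaks ties between candidates with the same AD. Once the table is built, 192.168.20.57 is answered by the /26 route even though the /24 and /19 routes also contain it.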

3.0.1. RIP Tutorial


In this tutorial we will learn about RIP routing protocol

Routing Information Protocol (RIP) is a distance-vector routing protocol based on the Bellman-
Ford algorithm. Routers using distance vector routing protocols do not possess topological
information about the network but instead rely on their neighbors’ information (so this method is
known as “routing by rumor”). RIP sends the complete routing table out all active interfaces every
30 seconds. RIP uses only hop count (the number of routers) to determine the best way to a
remote network.

Note: RIP v1 is a classful routing protocol but RIP v2 is a classless routing protocol.

Classful routing protocols do not include the subnet mask with the network address in routing
updates, which can cause problems with discontiguous subnets or networks that use Variable-
Length Subnet Masking (VLSM). Fortunately, RIPv2 is a classless routing protocol so subnet masks
are included in the routing updates, making RIPv2 more compatible with modern routing
environments.

Distance vector protocols advertise routing information by sending messages, called routing
updates, out the interfaces on a router.

RIP Operation

A big problem with distance vector routing protocols is routing loops. Let’s take a look at how a
routing loop occurs.

Here we have routers A, B and C. Notice that at the beginning (when a routing protocol is not
turned on) there are only directly connected networks in the routing tables of these routers. For
example, in the routing table of router A, network 1.0.0.0 has already been known because it is
directly connected through interface E0 and the metric (of a directly connected network)
is 0 (these 3 parameters are shown in the routing tables below).

Also B knows networks 2.0.0.0 & 3.0.0.0 with a metric of 0.


Also C knows networks 3.0.0.0 & 4.0.0.0 with a metric of 0.

Now we turn on RIP on these routers (we will discuss the configuration later. In the rest of this
article, we will call network 1.0.0.0 network 1, 2.0.0.0 network 2 and so on).

RIP sends an update every 30 seconds, so after 30 seconds go by, A sends a copy of its routing table to
B. B already knew about network 2 but now B learns about network 1 as well. Notice the metric we
have here for directly connected networks: since we’re using RIP, the metric is hop
count. Remember a hop count (or a hop) is how many routers these packets will have to go
through to reach the destination. For example, from router A to networks 1 & 2 (which are directly
connected) it is 0 hops; router B has now learned about network 1 from A via its E0 interface so
the metric will be 1 hop.
Each router receives a routing table from its direct neighbor. For example, Router B receives
information from Router A about networks 1 and 2. It then adds a distance vector metric (such as
the number of hops), increasing the distance vector of these routes by 1.

B also exchanges its routing table with A about network 2 and 3.

B then passes the routing table to its other neighbor, Router C.

C also sends its update to B and B sends it to A.


Now the network is converged. Now let’s assume network 4 goes down suddenly.

When network 4 fails, Router C detects the failure and stops routing packets out its E1 interface.
However, Routers A and B have not yet received notification of the failure. Router A still believes it
can access 4.0.0.0 through Router B. The routing table of Router A still reflects a path to network
10.4.0.0 with a distance of 2 and router B has a path with a distance of 1.

There will be no problem if C sends an update earlier than B and informs B that the network is currently
down, but if B sends its update first, C will see B has a path to network 4 with a metric of 1 so it
updates its routing table, thinking that “if B can go to network 4 by 1 hop then I can go to network
4 by 2 hops”, but of course this is totally wrong.

The problem does not stop here. In turn, C sends an update to B and informs it that it can access network
4 by 2 hops. B learns this and thinks “if C can access network 4 by 2 hops then I can access it by 3
hops”.

This same process occurs when B continually sends its update to C and the metric will increase to
infinity so this phenomenon is called “counting to infinity”.

Below are some methods to prevent this phenomenon:

SPLIT HORIZON:
A router never sends information about a route back in the same direction from which the original information
came; routers keep track of where the information about a route came from. This means when router A
sends an update to router B about a failed network, router B does not send any update for the same
network back to router A in the same direction.

ROUTE POISONING:
Routers consider a route advertised with an infinite metric (metric = 16) to have failed, instead of
marking it down. For example, when network 4 goes down, router C starts route poisoning by
advertising the metric (hop count) of this network as 16, which indicates an unreachable network.
When router B receives this advertisement, it continues advertising this network with a metric of 16.

POISON REVERSE:

The poison reverse rule overwrites split horizon rule. For example, if router B receives a route
poisoning of network 4 from router C then router B will send an update back to router C (which
breaks the split horizon rule) with the same poisoned hop count of 16. This ensures all the routers
in the domain receive the poisoned route update.

Notice that every router performs poison reverse when learning about a downed network. In the
above example, router A also performs poison reverse when learning about the downed network
from B.

HOLD DOWN TIMERS:

After hearing a route poisoning, router starts a hold-down timer for that route. If it gets an update
with a better metric than the originally recorded metric within the hold-down timer period, the
hold-down timer is removed and data can be sent to that network. Also within the hold-down timer,
if an update is received from a different router than the one who performed route poisoning with
an equal or poorer metric, that update is ignored. During the hold-down timer, the “downed” route
appears as “possibly down” in the routing table.

For example, in the above example, when B receives a route poisoning update from C, it marks
network 4 as “possibly down” in its routing table and starts the hold-down timer for network 4. In
this period, if it receives an update from C informing it that network 4 has recovered, then B will
accept that information, remove the hold-down timer and allow data to go to that network. But if B
receives an update from A informing it that it can reach network 4 in 1 (or more) hops, that update will
be ignored and the hold-down timer keeps counting.

Note: The default hold-down timer value = 180 seconds.

TRIGGERED UPDATE:
When any route in the network fails, do not wait for the next periodic update; instead send an
immediate update listing the poisoned route.

COUNTING TO INFINITY:
The maximum hop count is 15; a route with 16 hops is considered unreachable.

RIP Timers

RIP uses several timers to regulate its operation. These timers are described below:

+ Update timer: how often the router sends updates. Default update timer is 30 seconds.
+ Invalid timer (also called Expire timer): how much time must pass since the last valid update
before a route becomes invalid and is placed into holddown. Default invalid timer is 180
seconds.
+ Holddown timer: when a route has expired, it enters “holddown”, which means the router will not
believe any new updates with a hop count equal to or higher (poorer) than the hop count recorded
in the routing table. Holddown is intended to help avoid inaccurate routing-by-rumor
information while the network converges. Default holddown timer is 180 seconds.
+ Flush timer: how much time since the last valid update until RIP deletes that route from its routing
table. Default flush timer is 240 seconds.

Note: From the image above, you can see that when a route expires, in fact the holddown timer
only works for its first 60 seconds (not 180 seconds); then the route is removed from the routing
table when the flush timer expires.

Configuring RIP

Router(config)#router rip                   Enter router RIP configuration mode.
Router(config-router)#network <address>     Identify networks that will participate in the routing protocol.
                                            Notice that you identify networks, not interfaces.

NOTE: You need to advertise only the classful network number, not a subnet:

Router(config-router)#network 172.16.0.0

not

Router(config-router)#network 172.16.10.0

If you advertise a subnet, you will not receive an error message, because the router will
automatically convert the subnet to the classful network address.

To learn more about configuring RIP, please read my Configuring RIP GNS3 Lab tutorial

Key points:

+ RIP uses hop counts to calculate optimal routes (a hop is a router).


+ RIP routing is limited to 15 hops to any location (16 hops indicates the network is unreachable).
+ RIP uses the split horizon with poison reverse method to prevent the count-to-infinity problem.
+ RIP uses only classful routing, so it uses full address classes, not subnets.
+ RIP broadcasts updates to the entire network.
+ RIP can maintain up to six multiple paths to each network, but only if the cost is the same.
+ RIP supports load balancing over same-cost paths.
+ The update interval default is 30, the invalid timer default is 180, the holddown timer default is
180, and the flush timer default is 240.
3.0.2. OSPF Tutorial
In this article we will learn about the OSPF Routing Protocol

Open Shortest Path First (OSPF) is the most widely used interior gateway routing protocol
in the world because it is a public (non-proprietary) routing protocol, while its biggest rival, EIGRP,
is a Cisco proprietary protocol so other vendors can’t use it (edit: EIGRP has become a public
routing protocol since 2013). OSPF is a complex link-state routing protocol. Link-state routing
protocols generate routing updates only when a change occurs in the network topology. When a
link changes state, the device that detected the change creates a link-state advertisement (LSA)
concerning that link and sends it to all neighboring devices using a special multicast address. Each
routing device takes a copy of the LSA, updates its link-state database (LSDB), and forwards the
LSA to all neighboring devices.

Note:

+ OSPF routers use LSAs (Link State Advertisements) to describe their link state. The LSDB stores all LSAs.

+ A router uses Router LSA to describe its interface IP addresses.

+ After OSPF is started on a router, it creates LSDB that contains one entry: this router’s Router
LSA.

There are five types of OSPF Link-State Packets (LSPs).

+ Hello: are used to establish and maintain adjacency with other OSPF routers. They are also used
to elect the Designated Router (DR) and Backup Designated Router (BDR) on multiaccess networks
(like Ethernet or Frame Relay).

+ Database Description (DBD or DD): contains an abbreviated list of the sending router’s link-
state database and is used by receiving routers to check against the local link-state database

+ Link-State Request (LSR): used by receiving routers to request more information about any
entry in the DBD

+ Link-State Update (LSU): used to reply to LSRs as well as to announce new information. LSUs
contain seven different types of Link-State Advertisements (LSAs)

+ Link-State Acknowledgement (LSAck): sent to confirm receipt of an LSU message

Key points
+ Is a public (non-proprietary) routing protocol.
+ Is the only link-state routing protocol you learn in CCNA
+ This works by using the Dijkstra algorithm
+ Information about its neighbors (local connectivity) is sent to the entire network using
multicasting
+ Routing information is shared through Link-state updates (LSAs)
+ HELLO messages are used to maintain adjacent neighbors. By default, OSPF routers send
Hello packets every 10 seconds on multiaccess and point-to-point segments and every 30
seconds on non-broadcast multiaccess (NBMA) segments (like Frame Relay, X.25, ATM).
+ Is a classless routing protocol because it does not assume the default subnet masks are used.
It sends the subnet mask in the routing update.
+ Supports VLSM and route summarization
+ Uses COST as a metric which CISCO defines as the inverse of the bandwidth
+ Uses AREAs to subdivide large networks, providing a hierarchical structure and limit the
multicast LSAs within routers of the same area — Area 0 is called backbone area and all other
areas connect directly to it. All OSPF networks must have a backbone area
+ Only support IP but it’s not bad as we are all using IP, right? :)

Area Border Routers (ABR) are any routers that have one interface in one area and another
interface in another area

Let’s see an example of OSPF

Suppose OSPF has just been enabled on R1 & R2. Both R1 and R2 are very eager to discover if they
have any neighbors nearby but before sending Hello messages they must first choose an OSPF
router identifier (router-id) to tell their neighbors who they are. The Router ID (RID) is an IP address
used to identify the router and is chosen using the following sequence:

+ The highest IP address assigned to a loopback (logical) interface.
+ If a loopback interface is not defined, the highest IP address of all the router’s active physical
interfaces will be chosen.
+ The router ID can be manually assigned.

In this example, suppose R1 has 2 loopback interfaces & 2 physical interfaces:

+ Loopback 0: 10.0.0.1
+ Loopback 1: 12.0.0.1
+ Fa0/0: 192.168.1.1
+ Fa0/1: 200.200.200.1
As said above, the loopback interfaces are preferred to physical interfaces (because they are never
down) so the highest IP address of the loopback interfaces is chosen as the router-id -> Loopback 1
IP address is chosen as the router-id.

Suppose R1 doesn’t have any loopback interfaces but it has 2 physical interfaces:
+ Fa0/0: 210.0.0.1 but it is shut down
+ Fa0/1: 192.168.1.2 (is active)
Although Fa0/0 has the higher IP address, it is shut down, so R1 will choose the Fa0/1 address as its router-id.

Now both the routers have the router-id so they will send Hello packets on all OSPF-enabled
interfaces to determine if there are any neighbors on those links. The information in the OSPF Hello
includes the OSPF Router ID of the router sending the Hello packet.

For example, when R1 wants to find out if it has any neighbor running OSPF, it sends a Hello message to
the multicast address 224.0.0.5. This is the multicast address for all OSPF routers, and all routers
running OSPF will process this message.

If an OSPF router receives an OSPF Hello packet that satisfies all its requirements, then it will
establish an adjacency with the router that sent the Hello packet. In this example, if R1 meets R2’s
requirements, meaning it has the same Hello interval, Dead interval and AREA number, R2
will add R1 to its neighbor table.
+ Hello interval: indicates how often the router sends Hello packets. By default, OSPF routers send Hello
packets every 10 seconds on multiaccess and point-to-point segments and every 30 seconds on
non-broadcast multiaccess (NBMA) segments (like Frame Relay, X.25, ATM)

+ Dead interval: number of seconds this router should wait between receiving hello packets from
a neighbor before declaring the adjacency to that neighbor down

+ AREA number: the area it belongs to
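The router-id selection order and the Hello parameter check from the two passages above, as an added example that is not code from the 9tut tutorial. The interface and Hello records are a constructed format (lists of dicts); the values reproduce the tutorial's two router-id scenarios, while the dead intervals (40 and 120 seconds) are not given in the text and are constructed here.

```python
"""Added example: OSPF router-id selection and Hello compatibility checks."""
import ipaddress


def choose_router_id(interfaces, manual_router_id=None):
    """Pick the OSPF router-id in the order the tutorial gives: a manually configured
    id wins, else the highest IP on an up loopback, else the highest IP on an up
    physical interface. interfaces: [{"name": str, "ip": str, "up": bool}, ...] (assumed format)."""
    if manual_router_id is not None:
        return manual_router_id
    up = [i for i in interfaces if i["up"]]  # a shut-down interface is never a candidate
    loopbacks = [i["ip"] for i in up if i["name"].lower().startswith("loopback")]
    physical = [i["ip"] for i in up if not i["name"].lower().startswith("loopback")]
    # Compare as addresses, not strings: "9.0.0.1" sorts after "10.0.0.1" as text.
    for pool in (loopbacks, physical):
        if pool:
            return str(max(pool, key=ipaddress.IPv4Address))
    return None


def hello_mismatches(local, remote):
    """Return the Hello parameters that differ (empty list = neighbor accepted).
    Each side is a dict with hello_interval, dead_interval and area."""
    return [k for k in ("hello_interval", "dead_interval", "area") if local[k] != remote[k]]


# Constructed interface sets for the two scenarios in the text.
R1_WITH_LOOPBACKS = [
    {"name": "Loopback0", "ip": "10.0.0.1", "up": True},
    {"name": "Loopback1", "ip": "12.0.0.1", "up": True},
    {"name": "Fa0/0", "ip": "192.168.1.1", "up": True},
    {"name": "Fa0/1", "ip": "200.200.200.1", "up": True},
]
R1_PHYSICAL_ONLY = [
    {"name": "Fa0/0", "ip": "210.0.0.1", "up": False},  # shut down
    {"name": "Fa0/1", "ip": "192.168.1.2", "up": True},
]

# Constructed Hello parameters: a 10-second broadcast-segment timer set against a
# 30-second NBMA timer set; the dead intervals are constructed values.
R1_HELLO = {"hello_interval": 10, "dead_interval": 40, "area": 0}
R2_HELLO_MATCH = {"hello_interval": 10, "dead_interval": 40, "area": 0}
R2_HELLO_NBMA = {"hello_interval": 30, "dead_interval": 120, "area": 0}

if __name__ == "__main__":
    print(choose_router_id(R1_WITH_LOOPBACKS))   # Loopback1 wins: 12.0.0.1
    print(choose_router_id(R1_PHYSICAL_ONLY))    # Fa0/0 is down: 192.168.1.2
    print(hello_mismatches(R1_HELLO, R2_HELLO_NBMA))
```

A mismatch in any of the three parameters is enough for the Hello to be rejected, so two routers on the same link with different timer defaults never reach the neighbor table; that is the first thing to check when an expected OSPF neighbor is missing.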

Now R1 and R2 are neighbors but they don’t exchange LSAs immediately. Instead, they send
Database Description (DD or DBD) packets, which contain an abbreviated list of the sending
router’s link-state database.
The neighbors also determine who will be the master and who will be the slave. The router with the
higher router-id will become master and initiates the database exchange. The receiver
acknowledges a received DD packet by sending an identical DD packet back to the sender. Each
DD packet has a sequence number and only the master can increment sequence numbers.

R1 or R2 can send a Request to get missing LSAs from its neighbors.

R2 sends back an LSAck packet to acknowledge the packet.

There are three types of tables:

+ Neighbor
+ Topology
+ Routing

Neighbor table

+ Contains information about the neighbors
+ A neighbor is a router which shares a link on the same network
+ Another relationship is adjacency
+ Not all neighbors necessarily become adjacent
+ LSA updates are exchanged only when an adjacency is established

Topology table

+ Contains information about all networks and the paths to reach any network
+ All LSAs are entered into the topology table
+ When the topology changes, new LSAs are generated and sent
+ On the topology table an algorithm is run to create the shortest path; this algorithm is known as SPF or
the Dijkstra algorithm

Routing table

+ Also known as the forwarding database
+ Generated when the algorithm is run on the topology database
+ The routing table for each router is unique

DD: Exchange LSDB lists

Neighbors use DD (Database Description) packets to exchange their LSDB catalogs. In this scenario, R1 sends
a DD to R2 first. It says: I have a Router LSA from R1. R2 also sends a DD to R1: I have a Router LSA
from R2.

Note: A DD works like a table of contents. It lists what the LSDB has, but not the details. By reading the DD, the
receiving router can determine what it is missing and then ask the sender to transmit the required
LSAs.

R1 Request, R2 Update

R1 has learned that R2 has a R2 Router LSA that it does not have.

R1 sends a LS Request to R2. When R2 receives this request, it sends an Update to transmit this
LSA to R1.

R2 Request, R1 Update

R2 also sends a request to R1. R1 replies with an Update. Upon receiving the Update, R2 adds R1’s Router LSA
to its LSDB, calculates its routes, and adds a new entry (192.168.1.0, S1/0) to its routing table.

Note: OSPF works in a distributed manner. After routers have synchronized their LSDBs, they use the same data
(LSDB) to calculate shortest paths, and update their routing tables independently.

Ack update : LSAs are received

In order to assure reliable transmission, when a router receives an Update, it sends an Ack to the
Update sender. If the sender does not receive an Ack within a specific period, it times out and
retransmits the Update.

Note: OSPF uses Update-Ack to implement reliable transmission. It does not use TCP.

H1 ping H2: succeeded.

Each OSPF router creates a Router LSA to describe its interfaces’ IP addresses and floods its Router
LSA to its neighbors. After a few rounds of flooding, all OSPF routers have the same set of Router
LSAs in their LSDBs. Now routers can use the same LSDB to calculate routes and update routing
tables.

From the LSDB, a router learns the entire topology: the routers that are connected, router
interfaces and their IP addresses, and interface link costs (the OSPF metric). With such detailed information,
routers are able to calculate routing paths to reach all destinations found in the LSDB. For example, in
the OSPF basic simulation (see External links), R1’s LSDB contains two Router LSAs:
– A Router LSA from R1. R1 has two links. Their IP addresses are 192.168.1.0/24 and 192.168.3.0/30.
– A Router LSA from R2. R2 has two links. Their IP addresses are 192.168.2.0/24 and 192.168.3.0/30.
From these LSAs, R1 can calculate the routing path to reach the remote destination 192.168.2.2 and adds an entry
(192.168.2.0/24, S1/0) to its routing table.
3.0.3. EIGRP Tutorial
In this article we will mention about the EIGRP protocol.

In the past, Enhanced Interior Gateway Routing Protocol (EIGRP) was a Cisco-proprietary routing
protocol, but in March 2013 Cisco opened up EIGRP as an open standard in order to help
companies operate in a multi-vendor environment. EIGRP is a classless routing protocol, meaning
that it sends the subnet mask of its interfaces in routing updates, which use a complex metric
based on bandwidth and delay.

EIGRP is referred to as a hybrid routing protocol because it has the characteristics of both
distance-vector and link-state protocols, but now Cisco refers to it as an advanced distance vector
protocol.

Notice: the term “hybrid” is misleading because EIGRP is not a hybrid between distance vector and
link-state routing protocols. It is a distance vector routing protocol with enhanced features.

EIGRP is a powerful routing protocol and it really stands out from its ancestor IGRP. The main
features are listed below:

+ Support VLSM and discontiguous networks
+ Use Reliable Transport Protocol (RTP) for delivery and reception of EIGRP packets
+ Use the Diffusing Update Algorithm (DUAL) for best path selection, guaranteeing loop-free
paths and backup paths throughout the routing domain
+ Discover neighboring devices using periodic Hello messages and monitor
connection status with those neighbors
+ Exchange the full routing table at startup and send partial* triggered updates thereafter (not
full updates like distance-vector protocols); the triggered updates are only sent to routers that
need the information. This behavior is different from link-state protocols, in which an update will
be sent to all the link-state routers within that area. For example, EIGRP will send updates when a
new link comes up or a link becomes unavailable
+ Supports multiple protocols: EIGRP can exchange routes for IPv4, IPv6, AppleTalk and
IPX/SPX networks
+ Load balancing: EIGRP supports unequal metric load balancing, which allows administrators to
better distribute traffic flow in their networks.

* Notice: The term “partial” means that the update only includes information about the route
changes.

EIGRP uses a metric composed of bandwidth, delay, reliability, and load. By default, EIGRP uses only
bandwidth and delay.

EIGRP uses five types of packets to communicate:

+ Hello: used to identify neighbors. They are sent as periodic multicasts
+ Update: used to advertise routes, only sent as multicasts when something has changed
+ Ack: acknowledges receipt of an update. In fact, an Ack is a Hello packet without data. It is always
unicast and uses UDP.
+ Query: used to find alternate paths when all paths to a destination have failed
+ Reply: sent in response to query packets to instruct the originator not to recompute the route
because feasible successors exist. Reply packets are always unicast to the originator of the query

EIGRP sends every Query and Reply message using RTP, so every message is acknowledged using
an EIGRP ACK message.

EIGRP Route Discovery

Suppose that our network has 2 routers and they are configured to use EIGRP. Let’s see what will
happen when they are turned on.

Firstly, the router will try to establish neighbor relationships by sending “Hello” packets to
others running EIGRP. The destination IP address is 224.0.0.10, which is the multicast address of
EIGRP. In this way, other routers running EIGRP will receive and process these multicast packets.
These packets are sent over TCP.
After hearing “Hello” from R1, R2 will respond with another “Hello” packet.

R2 will also send its routing table to R1 by “Update” packets. Remember that R2 will send its
complete routing table for the first time.

R1 confirms it has received the Update packet by an “ACK” message.


R1 will also send to R2 all of its routing table for the first time

R2 sends a message saying it has received R1’s routing table.

Now both R1 & R2 learn all the paths of the neighbor and the network is converged. But there
are some notices you should know:
+ After the network has converged, “Hello” messages will still be sent to indicate that the router is still
alive.
+ When something in the network changes, routers will only send partial updates to routers which
need that information.
+ Hellos are sent as periodic multicasts and are not acknowledged directly.
+ The first hellos are used to build a list of neighbors; thereafter, hellos indicate that the neighbor
is still alive.
To become a neighbor, the following conditions must be met:
+ The router must hear a Hello packet from a neighbor.
+ The EIGRP autonomous system must be the same.
+ K-values must be the same.

EIGRP builds and maintains three tables:

+ Neighbor table: lists directly connected routers running EIGRP with which this router has an
adjacency
+ Topology table: lists all routes learned from each EIGRP neighbor
+ Routing table: lists all best routes from the EIGRP topology table and other routing processes

Configuring EIGRP

Router(config)#router eigrp 1                  Turn on the EIGRP process. Syntax: router eigrp <AS number>.
                                               1 is the Autonomous System (AS) number. It can be from 1 to 65535.
                                               All routers in the same network must use the same AS number.

Router(config-router)#network 192.168.1.0      The router will turn on the EIGRP 1 process on all the interfaces belonging to
                                               the 192.168.1.0/24 network.

In the next part we will learn about the Feasible Distance & Advertised Distance of EIGRP.

Feasible Distance (FD) and Advertised Distance (AD)

In the next part, we will define these terms and take an example to make them clear.

+ Advertised distance (AD): the cost from the neighbor to the destination.
+ Feasible distance (FD): the sum of the AD plus the cost between the local router and the next-
hop router.
+ Successor: the primary route used to reach a destination. The successor route is kept in the
routing table. Notice that the successor is the best route to that destination.
+ Feasible successor: the backup route. To be a feasible successor, the route must have an AD
less than the FD of the current successor route.

Maybe these terms are a bit confusing, so below is an example to make them clear.

Suppose you are in NEVADA and want to go to IOWA. From NEVADA you need to specify the best
path (smallest cost) to IOWA.

In this topology, suppose router A & B are exchanging their routing tables for the first time. Router
B says “Hey, the best metric (cost) from me to IOWA is 50 and the metric from you to IOWA is 90”
and advertises it to router A. Router A considers the first metric (50) as the Advertised distance.
The second metric (90), which is from NEVADA to IOWA (through IDAHO), is called the Feasible
distance.
NEVADA also receives the cost path from NEVADA -> OKLAHOMA -> IOWA advertised by router C
with the Advertised distance of 70 and Feasible distance of 130.

All of these routes are placed in the topology table of router A:

Route                         Advertised distance   Feasible distance
NEVADA -> IDAHO -> IOWA       50                    90
NEVADA -> OKLAHOMA -> IOWA    70                    130

Router A will select the route to IOWA via IDAHO as it has the lowest Feasible distance and put it
into the routing table.

The last thing we need to consider is if the route NEVADA -> OKLAHOMA -> IOWA will be
considered as a feasible successor. To achieve this, it must satisfy the feasibility condition:

“To qualify as a feasible successor, a route must have an AD less than the FD of the current successor route.”

Maybe you will ask “why do we need this feasibility condition?” Well, the answer is because it
guarantees a loop-free path to the destination; in other words, it must not loop back to the current
successor.

If the route via the successor becomes invalid (because of a topology change) or if a neighbor
changes the metric, DUAL checks for feasible successors to the destination route. If one is found,
DUAL uses it, avoiding the need to recompute the route as the re-computation can be processor-
intensive. If no suitable feasible successor exists, a re-computation must occur to determine the
new successor.

EIGRP calls these alternative, immediately usable, loop-free routes feasible successor routes,
because they can feasibly be used as a new successor route when the current successor route
fails. The next-hop router of such a route is called the feasible successor.

In this case, the route NEVADA -> OKLAHOMA -> IOWA has an AD (70) less than the FD of the
successor route (90) so it becomes the feasible successor route.

Of course in some cases the feasibility condition will wrongly drop loop-free paths. For example, if
the metric between OKLAHOMA and IOWA is greater than 90 then the route NEVADA -> OKLAHOMA
-> IOWA will not be considered as a feasible successor route although it is loop-free. But this
condition is necessary because it can guarantee the feasible successor routes are loop-free.

Notice that the feasible successors are placed in the topology table, not in the routing table.
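To make the successor and feasible successor selection concrete, here is an added Python model (example code, not part of the 9tut tutorial) that builds router A's topology table for IOWA with the numbers above and applies the feasibility condition; the second table, with OKLAHOMA's advertised distance raised above 90, is a constructed variant showing a loop-free path being rejected, as the paragraph above describes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TopologyEntry:
    """One candidate path to a destination in the EIGRP topology table."""
    next_hop: str
    advertised_distance: int   # AD: the neighbor's own cost to the destination
    link_cost: int             # cost from this router to that neighbor

    @property
    def feasible_distance(self) -> int:
        # FD = AD + cost to the next-hop router
        return self.advertised_distance + self.link_cost


def select_routes(entries):
    """Return (successor, feasible_successors) for one destination.

    The successor is the entry with the lowest FD; it goes into the routing
    table. Any other entry whose AD is strictly less than the successor's FD
    passes the feasibility condition and stays in the topology table as a
    loop-free backup (feasible successor)."""
    if not entries:
        return None, []
    successor = min(entries, key=lambda e: e.feasible_distance)
    backups = [e for e in entries
               if e is not successor
               and e.advertised_distance < successor.feasible_distance]
    return successor, backups


def dual_on_failure(entries, failed_next_hop):
    """What DUAL does when the successor's next hop goes away: promote a
    feasible successor if one exists, otherwise signal that a recomputation
    (querying the neighbors) is needed."""
    successor, backups = select_routes(entries)
    if successor is None or successor.next_hop != failed_next_hop:
        return "no change", successor
    if backups:
        # Feasible successors are loop-free by construction, so the best one
        # can be installed immediately without recomputation.
        return "promote feasible successor", min(backups, key=lambda e: e.feasible_distance)
    return "recompute", None


# Router A (NEVADA) learning the IOWA network, with the tutorial's numbers.
NEVADA_TO_IOWA = [
    TopologyEntry("IDAHO", advertised_distance=50, link_cost=40),     # FD 90
    TopologyEntry("OKLAHOMA", advertised_distance=70, link_cost=60),  # FD 130
]

# Constructed variant: OKLAHOMA's own cost to IOWA grows beyond 90, so the
# path fails the feasibility condition even though it is loop-free.
NEVADA_TO_IOWA_FAR = [
    TopologyEntry("IDAHO", advertised_distance=50, link_cost=40),
    TopologyEntry("OKLAHOMA", advertised_distance=95, link_cost=60),
]

if __name__ == "__main__":
    for table in (NEVADA_TO_IOWA, NEVADA_TO_IOWA_FAR):
        s, fs = select_routes(table)
        print("successor:", s.next_hop, "FD", s.feasible_distance,
              "| feasible successors:", [e.next_hop for e in fs])
        print("if IDAHO fails:", dual_on_failure(table, "IDAHO")[0])
```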

Now router A has 3 complete tables as follows (we only consider the route to the IOWA network).

Now you have a basic concept of EIGRP. In the next part we will dig into the 3 tables of EIGRP (the neighbor, topology & routing tables), as understanding them is a requirement for a CCNA-taker, and learn how to calculate the EIGRP metric.

Calculate EIGRP metric

In this part we will continue to learn about the EIGRP Routing Protocol

I built the topology with Packet Tracer to illustrate what will be mentioned. You can download the
lab file here: https://www.9tut.com/download/EIGRP_CCNA_self_study.zip (please unzip & use at
least Packet Tracer v5.3 to open it)

Check the neighbor table of Router0 with the show ip eigrp neighbors command

Let’s analyze these columns:

+ H: lists the neighbors in the order in which they were learned
+ Address: the IP address of the neighbors
+ Interface: the interface of the local router on which this Hello packet was received
+ Hold (sec): the amount of time left before the neighbor is considered to be in “down” status
+ Uptime: amount of time since the adjacency was established
+ SRTT (Smooth Round Trip Timer): the average time in milliseconds between the transmission of
a packet to a neighbor and the receipt of an acknowledgement.
+ RTO (Retransmission Timeout): if a multicast has failed, then a unicast is sent to that particular
router, the RTO is the time in milliseconds that the router waits for an acknowledgement of that
unicast.
+ Queue count (Q Cnt): shows the number of queued EIGRP packets. It is usually 0.
+ Sequence Number (Seq Num): the sequence number of the last update EIGRP packet received.
Each update message is given a sequence number, and the received ACK should have the same
sequence number. The next update message to that neighbor will use Seq Num + 1.

At CCNA level, we only care about 4 columns: Address, Interface, Hold & Uptime. The other columns will be discussed in CCNP, so you don’t need to remember them now!
Notice that you can see a line “IP-EIGRP neighbors for process 100”. “Process 100” here means “AS 100”.

Next we will analyze the EIGRP topology with the show ip eigrp topology command. The output of
Router0 is shown below

The letter “P” at the left margin of each route entry stands for “Passive”. Passive state indicates that the route is in quiescent mode, implying that the route is known to be good and that no activities are taking place with respect to the route.

Each route shows the number of successors it has. For example, the networks 192.168.2.0, 192.168.1.0, 192.168.3.0 & 192.168.4.0 have only 1 successor (and no feasible successor). Only network 192.168.5.0 has 2 successors.

We notice that there are 2 numbers inside the brackets (30720/28160). The first one is the metric
from Router0 to the destination, the second is the AD of this route, advertised by the neighbor. For
example, the third route entry has:

Let’s see how to calculate them!

First you should learn the formula to calculate the metric. It is a somewhat complex conditional formula:

metric = [K1 * bandwidth + (K2 * bandwidth)/(256 – load) + K3 * delay] * [K5/(reliability + K4)] if K5 > 0
metric = [K1 * bandwidth + (K2 * bandwidth)/(256 – load) + K3 * delay] if K5 = 0

Note: you can check these K values with the “show ip protocols” command. Below is an example of
this command on Router0.
To change these values, use the “metric weights tos k1 k2 k3 k4 k5” in the EIGRP router mode.

By default, K1 = 1, K2 = 0, K3 = 1, K4 = 0, K5 = 0, which means that the default values use only the bandwidth & delay parameters while the others are ignored. The metric formula is now reduced to:

metric = bandwidth + delay

But the bandwidth here is defined as the slowest bandwidth in the route to the destination & delay
is the sum of the delays of each link. Here is how to calculate the EIGRP metric in detail:

EIGRP uses the slowest bandwidth of the outgoing interfaces of the route to calculate the metric.
In this case we need to find out the bandwidth of Fa0/0 of Router0 & Fa0/1 of Router1 as the
destination network is 192.168.3.0/24.
Find the bandwidth

We can find the bandwidth of each interface with the “show interfaces” command. Below is the output of “show interfaces fa0/0” on Router0.

All the interfaces in this topology have the bandwidth of 100,000 Kbps so we will get the same
result on interface Fa0/1 of Router1 -> The slowest bandwidth here is 100,000 Kbps. Now we can
calculate the first portion of the formula:

Notice that if the result is not an integer then the result will be rounded down. For example,
10,000,000 divided by 1024 (the speed of T1) equals 9765.625. The result will be rounded down to
9765.

Find the delay

EIGRP also uses the delay of the outgoing interfaces, and it can also be found with “show interfaces”; the delay lies next to the bandwidth value (for example, DLY 100 usec). In this case, the delay value of both Fa0/0 of Router0 & Fa0/1 of Router1 is 100 usec (microseconds) so the sum of delay is 100 + 100 = 200 usec. The second portion of the formula is:

Note: “usec” here means microsecond (which is 1/1000 of a millisecond). According to this link: http://www.cisco.com/en/US/tech/tk365/technologies_white_paper09186a0080094cb7.shtml#eigrpmetrics: “The delay as shown in the show ip eigrp topology or show interface commands is in microseconds”. We have to divide by 10 to get the “tens of microseconds” unit used in the metric formula above.
Get the metric

Now just sum up the two portions of the formula and multiply by 256 to get the result:

The result is 30720 and it matches the value shown in the topology table of the route to
192.168.3.0/24

Using the formula above, we can easily calculate the AD of that route (with slowest bandwidth = 100,000 Kbps; sum of delay = 10):

metric = (100 + 10) * 256 = 28160

This metric matches with the second parameter of the above route.
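The calculation above, as an added Python example (not code from the tutorial): it implements the conditional K-value formula with round-down division, derives the slowest-bandwidth and summed-delay terms from per-interface values, and reproduces the 30720/28160 pair for 192.168.3.0/24; the T1 values in the last call are constructed to show how a slow link dominates the bandwidth term.

```python
DEFAULT_K = (1, 0, 1, 0, 0)   # K1..K5 as reported by "show ip protocols"


def eigrp_metric(bandwidths_kbps, delays_usec, k=DEFAULT_K, load=1, reliability=255):
    """Composite EIGRP metric for one path.

    bandwidths_kbps: bandwidth of each outgoing interface along the path (Kbps)
    delays_usec:     DLY of each outgoing interface, in microseconds
    The bandwidth term is 10^7 divided by the slowest bandwidth (rounded down),
    the delay term is the summed delay in tens of microseconds, and the total is
    scaled by 256 as in the worked 30720 example. load/reliability only matter
    when K2 or K4/K5 are non-zero."""
    if not bandwidths_kbps or len(bandwidths_kbps) != len(delays_usec):
        raise ValueError("need one bandwidth and one delay value per hop")
    k1, k2, k3, k4, k5 = k
    bw = 10_000_000 // min(bandwidths_kbps)    # integer division = round down
    dly = sum(delays_usec) // 10                # usec -> tens of usec
    base = k1 * bw + (k2 * bw) // (256 - load) + k3 * dly
    if k5 > 0:
        base = base * k5 // (reliability + k4)
    return base * 256


def fd_and_ad(hops):
    """hops = [(bandwidth_kbps, delay_usec), ...], starting with the local
    router's own outgoing interface. FD is the metric over the whole path; AD is
    the neighbor's own metric, i.e. the same formula applied from its outgoing
    interface onwards."""
    bws, dlys = (list(x) for x in zip(*hops))
    fd = eigrp_metric(bws, dlys)
    ad = eigrp_metric(bws[1:], dlys[1:]) if len(hops) > 1 else 0
    return fd, ad


# Router0 -> Router1 -> 192.168.3.0/24 from the tutorial: two FastEthernet hops
ROUTER0_TO_NET3 = [(100_000, 100), (100_000, 100)]

# Constructed variant: a T1 (1544 Kbps, DLY 20000 usec) as the second hop, to
# show how the slowest link dominates the bandwidth term
ROUTER0_VIA_T1 = [(100_000, 100), (1_544, 20_000)]

if __name__ == "__main__":
    print("FD/AD to 192.168.3.0/24:", fd_and_ad(ROUTER0_TO_NET3))   # (30720, 28160)
    print("FD/AD via a T1 hop:", fd_and_ad(ROUTER0_VIA_T1))
```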

Note: The output of the “show ip eigrp topology” command shows only feasible successors while the output of “show ip eigrp topology all-links” shows all neighbors, whether feasible successors or not. To learn more about “show ip eigrp topology all-links” please read http://www.digitaltut.com/route-eigrp-simlet. Although it belongs to the CCNP exam, CCNA-level readers can read it too.

EIGRP Routing table

The last table we will discuss is the routing table. This is the most used table to check the operation of EIGRP. Here is the output of the show ip route command on Router0:

The routing table has two parameters [90/30720]; the first one is the administrative distance of EIGRP. EIGRP has a default administrative distance of 90 for internal routes and it is often the most preferred routing protocol because it has the lowest administrative distance.

Administrative distance is the measure used by Cisco routers to select the best path when there
are two or more different routes to the same destination from two different routing protocols.

Below are the administrative distances of the most popular routing protocols used nowadays. Notice that the smaller, the better.

So, if a network is running two routing protocols at the same time, for example EIGRP and OSPF, which routing protocol will the router choose? Well, the answer is EIGRP as it has a lower Administrative Distance than OSPF (90 < 110).

The second parameter, as you can guess, is the metric of that route as we discussed above.

“no auto-summary” with EIGRP

One of the features of EIGRP is “support VLSM and discontiguous networks”. Discontiguous
networks are networks that have subnets of a major network separated by a different major
network. Below is an example of discontiguous networks where subnets 10.10.1.0/24 and
10.10.2.0/24 are separated by a 2.0.0.0/8 network.

Now let’s see what will happen when we turn on EIGRP on both of the routers. To turn on EIGRP you
will use these commands:

R1(config)#router eigrp 1
R1(config-router)#network 2.0.0.0
R1(config-router)#network 10.10.1.0 (or network 10.0.0.0)

R2(config)#router eigrp 1
R2(config-router)#network 2.0.0.0
R2(config-router)#network 10.10.2.0 (or network 10.0.0.0)

You can try to use the more specific “network 10.10.1.0” instead of “network 10.0.0.0”, hoping that EIGRP will understand it is a sub-network. But if we check the configuration with the “show running-config” command we will notice that EIGRP has auto-summarized our network.

R1#show running-config
-> Network 10.10.1.0 has been summarized to network 10.0.0.0 because EIGRP knows the 10.x.x.x network belongs to class A.

The same thing happens for R2. Now we should check the routing table of R1 with the “show ip
route” command

R1#show ip route

From the output above we learn that R1 only knows about the directly connected 10.10.1.0/24
network but it doesn’t have any information about the far-away 10.10.2.0/24 network and a ping to
10.10.2.1 cannot be successful (but notice that we can ping to that directly connected network,
10.10.1.2, for example).

So we can conclude that if a router receives the same route as the one it is advertising then it will not learn that route. In the above example, the “collision” occurs because both routers summarize into network 10.0.0.0/8 and advertise it to the other router. The neighboring router realizes that it is also advertising this network so it drops this network information.

Now if we use the “no auto-summary” command on both routers then the problem will surely be
solved but first let’s try to use that command only on R1 router.

R1(config)#router eigrp 1
R1(config-router)#no auto-summary

R1#show ip route

-> Nothing changes!

R2#show ip route

-> R2 has just learned about the new “10.10.1.0/24” network which is advertised from R1 so R2
can ping this network

In conclusion, when we enable “no auto-summary” on R1, R1 will advertise its networks with their subnet masks so R2 can learn them correctly.

Note: Hello timers, hold timers do not need to match between two EIGRP routers to establish
neighbor relationship.

3.0.4. Hot Standby Router Protocol HSRP Tutorial

In this tutorial we will learn what HSRP is and why a network needs it.
Most companies in the world have a connection to the Internet. The picture below shows the simplest topology of such a company:

To make above topology work we need to:

+ Configure IP addresses on two interfaces of the Router. Suppose the IP address of Fa0/0 interface
(the interface connecting to the switch) is 192.168.1.1.
+ Assign the IP addresses, default gateways and DNS servers on all PCs. In this case we have to
set the default gateways to Fa0/0 interface (with the IP address 192.168.1.1) of the router. This can
be done manually or automatically via DHCP.

After some time, your boss wants to implement some redundancy so that even if the Router fails, all PCs can still access the Internet without any manual configuration at that time. So we need one more router to connect to the Internet, as in the topology below:

But now we have a problem: there is only one default gateway on each host, so if Router1 is down and we want to access the Internet via Router2, we have to change the default gateway (to 192.168.1.2). Also, when Router1 comes back we have to manually change it back to the IP address on Router1. And no one can access the Internet while the default gateway is being changed. HSRP can solve all these problems!

HSRP Operation

With HSRP, the two routers (Router1 and Router2 in this case) will be seen as only one router. HSRP uses a virtual MAC and IP address for the two routers so that they appear to the hosts as a single default gateway. For example, the virtual IP address is 192.168.1.254 and the virtual MAC is 0000.0c07.AC0A. All the hosts will point their default gateway to this IP address.
One router, through the election process, is designated as the active router while the other router is designated as the standby router. Both the active and standby routers listen, but only the active router processes and forwards packets. The standby router is the backup when the active router fails; it monitors the periodic hellos sent by the active router (multicast to 224.0.0.2, UDP port 1985) to detect a failure of the active router.

When a failure on the active router is detected, the standby router assumes the role of the forwarding router. Because the new forwarding router uses the same (virtual) IP and MAC addresses, the hosts see no disruption in communication. A new standby router is also elected at that time (in case there are more than two routers in the HSRP group).

Note: All routers in an HSRP group send hello packets. By default, the hello timer is set to 3 seconds and the dead timer is set to 10 seconds. It means that a hello packet is sent between the HSRP standby group devices every 3 seconds, and the standby device becomes active when a hello packet has not been received for 10 seconds.
Note: The virtual MAC address of HSRP version 1 is 0000.0C07.ACxx, where xx is the HSRP group
number in hexadecimal based on the respective interface. For example, HSRP group 10 uses the
HSRP virtual MAC address of 0000.0C07.AC0A. HSRP version 2 uses a virtual MAC address of
0000.0C9F.FXXX (XXX: HSRP group in hexadecimal). But please notice that the virtual MAC
address can be configured manually.

HSRP version 1 hello packets are sent to multicast address 224.0.0.2 while HSRP version 2 hello
packets are sent to multicast address 224.0.0.102. Currently HSRPv1 is the default version when
running HSRP on Cisco devices.

HSRP States

HSRP consists of 6 states:

+ Initial: This is the beginning state. It indicates HSRP is not running. It happens when the configuration changes or the interface is first turned on.
+ Learn: The router has not determined the virtual IP address and has not yet seen an authenticated hello message from the active router. In this state, the router still waits to hear from the active router.
+ Listen: The router knows both the IP and MAC address of the virtual router but it is not the active or standby router. For example, if there are 3 routers in the HSRP group, the router which is not in active or standby state will remain in listen state.
+ Speak: The router sends periodic HSRP hellos and participates in the election of the active or standby router.
+ Standby: In this state, the router monitors hellos from the active router and it will take the active state when the current active router fails (no packets heard from the active router).
+ Active: The router forwards packets that are sent to the HSRP group. The router also sends periodic hello messages.

Please notice that not all routers in a HSRP group go through all states above. In a HSRP group,
only one router reaches active state and one router reaches standby state. Other routers will stop
at listen state.
Now let’s take an example of a router passing through these states. Suppose there are 2 routers A and B in the network; router A is turned on first. It enters the initial state. Then it moves to the listen state, in which it tries to hear whether there are already active or standby routers for this group. After learning that no one has taken the active or standby role, it decides to take part in the election by moving to the speak state. Now it starts sending hello messages containing its priority. These messages are sent to the multicast address 224.0.0.2 (which can be heard by all members in that group). When it does not hear a hello message with a higher priority it assumes the role of active router and moves to the active state. In this state, it continues sending out periodic hello messages.

Now router B is turned on. It also goes through the initial and listen states. In the listen state, it learns that router A is already the active router and no other router is taking the standby role, so it enters the speak state to compete for the standby role -> it promotes itself to standby router.

Suppose router A is in the active state while router B is in the standby state. If router B does not hear hello messages from router A within the holdtime (10 seconds by default), router B goes into the speak state to announce its priority to all HSRP members and compete for the active state. But if at some time it receives a message from the active router that has a lower priority than its own (because the administrator changed the priority on either router), it can take over the active role by sending out a hello packet with parameters indicating it wants to take over as the active router. This is called a coup hello message.

Quick summarization:

+ HSRP is Cisco proprietary which allows several routers or multilayer switches to appear as a
single gateway IP address.
+ HSRP has 6 states: Initial, learn, listen, speak, standby and active.
+ HSRP allows multiple routers to share a virtual IP and MAC address so that the end-user hosts do
not realize when a failure occurs.
+ The active (or Master) router uses the virtual IP and MAC addresses.
+ Standby routers listen for Hellos from the Active router. A hello packet is sent every 3 seconds by
default. The hold time (dead interval) is 10 seconds.
+ HSRP version 1 uses the MAC address range 0000.0C07.ACxx while HSRP version 2 uses the MAC
address range 0000.0C9F.Fxxx , where xxx is the hexadecimal number of HSRP group.
+ The group numbers of HSRP version 1 range from 0 to 255. HSRP does support group number 0 (we checked it, and in fact it is the default group number if you don’t enter a group number in the configuration), so HSRP version 1 supports up to 256 group numbers. HSRP version 2 supports 4096 group numbers.
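An added Python helper (not from the tutorial) that derives the default HSRPv1/v2 virtual MAC for a group from the patterns in the summary above, recognises such a MAC in an ARP cache, and checks that a host's default gateway still resolves to the expected virtual MAC after a failover; the sample ARP cache and the physical routers' MACs are constructed values.

```python
HSRP_MULTICAST = {1: "224.0.0.2", 2: "224.0.0.102"}
HSRP_MAX_GROUP = {1: 255, 2: 4095}          # v1: 256 groups, v2: 4096 groups
HSRP_UDP_PORT = 1985


def hsrp_virtual_mac(version: int, group: int) -> str:
    """Default HSRP virtual MAC: v1 0000.0C07.ACxx, v2 0000.0C9F.Fxxx (group in hex)."""
    if version not in HSRP_MAX_GROUP:
        raise ValueError("HSRP version must be 1 or 2")
    if not 0 <= group <= HSRP_MAX_GROUP[version]:
        raise ValueError(f"group {group} out of range for HSRPv{version}")
    return f"0000.0c07.ac{group:02x}" if version == 1 else f"0000.0c9f.f{group:03x}"


def _normalize(mac: str) -> str:
    """Accept colon, dash or Cisco dotted notation; return lowercase dotted form."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def parse_hsrp_virtual_mac(mac: str):
    """Return (version, group) if mac is a default HSRP virtual MAC, else None.
    A manually configured virtual MAC (which the tutorial notes is possible)
    will not be recognised."""
    m = _normalize(mac)
    if m.startswith("0000.0c07.ac"):
        return 1, int(m[-2:], 16)
    if m.startswith("0000.0c9f.f"):
        return 2, int(m[-3:], 16)
    return None


def check_gateway_binding(arp_table: dict, gateway_ip: str, version: int, group: int) -> dict:
    """Host-side sanity check: does the default gateway IP still resolve to the
    HSRP virtual MAC it should? arp_table maps IP -> MAC as seen in 'arp -a'.
    Useful when troubleshooting a failover or an unexpected gateway change."""
    expected = hsrp_virtual_mac(version, group)
    seen = arp_table.get(gateway_ip)
    if seen is None:
        return {"ok": False, "reason": "gateway not in ARP cache", "expected": expected}
    seen_n = _normalize(seen)
    if seen_n != expected:
        return {"ok": False, "reason": f"gateway maps to {seen_n}", "expected": expected}
    return {"ok": True, "reason": "gateway maps to HSRP virtual MAC", "expected": expected}


# Constructed ARP cache of a host in the tutorial's topology: virtual IP
# 192.168.1.254 in HSRPv1 group 10, physical routers at .1 and .2 (their MACs
# are made up for this example).
SAMPLE_ARP = {
    "192.168.1.254": "00:00:0c:07:ac:0a",
    "192.168.1.1": "00:1a:2b:3c:4d:01",
    "192.168.1.2": "00:1a:2b:3c:4d:02",
}

if __name__ == "__main__":
    print(check_gateway_binding(SAMPLE_ARP, "192.168.1.254", 1, 10))
    for ip, mac in SAMPLE_ARP.items():
        print(ip, mac, "->", parse_hsrp_virtual_mac(mac))
```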

(Reference and good resource: http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094a91.shtml)

We wrote a GNS3 lab of HSRP and you can read it here: http://www.networktut.com/hsrp-ip-route-tracking.

3.0.5. Gateway Load Balancing Protocol GLBP Tutorial

The main disadvantage of HSRP and VRRP is that only one gateway is elected to be the active gateway and used to forward traffic whilst the rest are unused until the active one fails. Gateway Load Balancing Protocol (GLBP) is a Cisco proprietary protocol that performs a similar function to HSRP and VRRP but supports load balancing among the members of a GLBP group. In this tutorial, we will learn how GLBP works.

Note: Although we can partially configure load balancing via HSRP or VRRP using multiple groups, we have to assign different default gateways on the hosts. If one group fails, we must reconfigure the default gateways on the hosts, which results in extra administrative burden.

GLBP Election

When the routers are configured in a GLBP group, they first elect one gateway to be the Active Virtual Gateway (AVG) for that group. The election is based on the priority of each gateway (highest priority wins). If all of them have the same priority then the gateway with the highest real IP address becomes the AVG. The AVG, in turn, assigns a virtual MAC address to each member of the GLBP group. Each gateway which is assigned a virtual MAC address is called an Active Virtual Forwarder (AVF). A GLBP group has a maximum of four AVFs. If there are more than 4 gateways in a GLBP group then the rest will become Standby Virtual Forwarders (SVF) which will take the place of an AVF in case of failure. The virtual MAC address in GLBP is 0007.b400.xxyy where xx is the GLBP group number and yy is a distinct number for each gateway (01, 02, 03…).

Note:
+ In this tutorial, the words “gateway” and “router” are used interchangeably. In fact, GLBP can run on both routers and switches, so the word “gateway”, which can represent both a router and a switch, is better for describing GLBP.
+ For switches, GLBP is supported only on the Cisco 4500 and 6500 series.

The gateway with the highest priority among the remaining ones is elected the Standby AVG (SVG), which will take over the role of the AVG if the AVG goes down.

For example in the topology above suppose all of the gateways have the same priority and GLBP is
turned on at the same time on all gateways (or they are configured with the preempt feature), R4
will be elected AVG because of its highest IP address 10.10.10.4. R3 will be elected SVG because of
its second highest IP address (10.10.10.3). The AVFs are elected based on the weight so the four
highest weight values would win for the four AVFs. In this case we only have four gateways so
surely they are all elected AVFs. With GLBP, there is still one virtual IP address which is assigned by
the administrator via the “glbp ip …” command (for example glbp 1 ip 10.10.10.100).

How GLBP works

After the election ends, R4 is both the AVG and an AVF; R3 is the SVG and an AVF; R2 & R1 are pure AVFs. R4 assigns the MAC addresses 0007.b400.0101, 0007.b400.0102, 0007.b400.0103 and 0007.b400.0104 to R1, R2, R3 and R4 respectively; we will abbreviate these MAC addresses as 01, 02, 03 and 04. Let’s see how GLBP works!

The default gateway of each PC was set to 10.10.10.100, so if a PC wants to send traffic outside it has to send an ARP Request to its default gateway first. The PCs broadcast an ARP Request to ask “Hey, I need to know the MAC address of the guy 10.10.10.100!”. R4, which is the AVG, is responsible for answering the ARP Request. But the trick here is that it does not always give the same answer to that question:

For PC1, R4 will answer “The MAC address of the guy 10.10.10.100 is 01!”.
For PC2, R4 will answer “The MAC address of the guy 10.10.10.100 is 02!”.
For PC3, R4 will answer “The MAC address of the guy 10.10.10.100 is 03!”.
For PC4, R4 will answer “The MAC address of the guy 10.10.10.100 is 04!”.

As the result of this, PC1 will send the traffic to R1; PC2 will send traffic to R2; PC3 will send traffic
to R3 and PC4 will send traffic to R4! And load balancing is achieved!

When AVG fails

Everything is working smoothly then suddenly R4 (AVG) is down. What will happen now?

As we know, R3 was chosen as the SVG because of its second highest priority, so when R4 is down R3 becomes the new AVG and is responsible for forwarding the traffic sent to the virtual MAC address of R4. In other words, R3 is now responsible for the traffic from PC3 & PC4 with the two MAC addresses 03 and 04. Communication that used to go through R4 continues without disruption or change on the host side.

Wait! Maybe you have a question to ask here. What about the Switch? How can the switch forward the frames to the new AVG on another port? Remember that the Switch saved MAC 04 for the port connecting to R4. Well, the answer here is that when the standby becomes the active it will send a gratuitous ARP reply to flush the CAM tables of the switches and the ARP cache of the hosts. So the switch will learn the new port for MAC 04.

Each AVF listens to the others; if one AVF can no longer forward traffic, all listening AVFs will compete to take responsibility for the failed AVF’s vMAC along with their own (the AVF with the higher weighting wins).

To detect a gateway failure, GLBP members communicate between each other through hello
messages sent every 3 seconds to the multicast address 224.0.0.102, User Datagram Protocol
(UDP) port 3222.

GLBP supports up to 1024 virtual routers (GLBP groups) per physical interface of a router.

Load balancing algorithm

GLBP load sharing is done in one of three ways:

Round-robin load-balancing algorithm: Each router MAC is used sequentially to respond to ARP requests. This is the default load balancing mode in GLBP and is suitable for any number of end hosts.
Weighted load-balancing algorithm: Traffic is balanced proportionally to a configured weight. Each GLBP router in the group will advertise its weighting and assignment; the AVG will act based on that value. For example, if there are two routers in a group and R1 has double the forwarding capacity of R2, the weighting value of R1 should be configured to be double that of R2.
Host-dependent load-balancing algorithm: A given host always uses the same router.
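The election, vMAC assignment, round-robin ARP replies, host-dependent mode and AVG failover described in this section, as an added Python model (not the tutorial's or Cisco's code). Host IPs are constructed, groups are limited to 0-255 so the xx field fits the two-hex-digit pattern shown above, the forwarder-number ordering among equal weights is an assumption, and the host-dependent hashing is this example's choice.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address
from itertools import cycle


@dataclass
class Gateway:
    name: str
    ip: str
    priority: int = 100
    weight: int = 100
    alive: bool = True
    vmacs: list = field(default_factory=list)   # virtual MACs this gateway forwards for


def _ip_key(gw: Gateway) -> int:
    return int(ip_address(gw.ip))


def glbp_vmac(group: int, forwarder: int) -> str:
    """Virtual MAC 0007.b400.xxyy: xx = group number, yy = forwarder number.
    Groups are limited to 0-255 here so xx fits two hex digits (an assumption
    of this model, not a GLBP limit)."""
    if not 0 <= group <= 255 or not 1 <= forwarder <= 4:
        raise ValueError("group must be 0-255 and forwarder 1-4")
    return f"0007.b400.{group:02x}{forwarder:02x}"


def elect(gateways: list, group: int):
    """AVG = highest priority, ties broken by highest real IP; SVG = runner-up.
    The AVG then hands a vMAC to at most four AVFs, highest weight first."""
    live = [g for g in gateways if g.alive]
    ranked = sorted(live, key=lambda g: (g.priority, _ip_key(g)), reverse=True)
    avg, svg = ranked[0], (ranked[1] if len(ranked) > 1 else None)
    for g in live:
        g.vmacs = []
    # Among equal weights, forwarder numbers are handed out in ascending-IP
    # order (assumption; the tutorial only says the highest weights win).
    avfs = sorted(live, key=lambda g: (-g.weight, _ip_key(g)))[:4]
    for number, g in enumerate(avfs, start=1):
        g.vmacs.append(glbp_vmac(group, number))
    return avg, svg, avfs


def round_robin_arp_replies(avfs: list, hosts: list) -> dict:
    """Default mode: the AVG answers successive ARP requests for the virtual IP
    with each forwarder's vMAC in turn."""
    vmacs = [m for g in avfs for m in g.vmacs]
    return dict(zip(hosts, cycle(vmacs)))


def host_dependent_reply(avfs: list, host_ip: str) -> str:
    """Host-dependent mode: a given host always gets the same vMAC. Keying on
    the host IP is this example's choice, not a documented GLBP hashing rule."""
    vmacs = [m for g in avfs for m in g.vmacs]
    return vmacs[int(ip_address(host_ip)) % len(vmacs)]


def fail_gateway(gateways: list, failed: Gateway):
    """A gateway goes down: the survivors re-elect the AVG (the SVG wins) and
    the live AVF with the highest weight inherits the failed vMAC(s). It then
    sends a gratuitous ARP per inherited vMAC so switches relearn the port."""
    failed.alive = False
    orphaned, failed.vmacs = failed.vmacs, []
    live = [g for g in gateways if g.alive]
    new_avg = max(live, key=lambda g: (g.priority, _ip_key(g)))
    taker = max(live, key=lambda g: (g.weight, _ip_key(g)))
    taker.vmacs.extend(orphaned)
    gratuitous_arps = [(taker.name, m) for m in orphaned]
    return new_avg, taker, gratuitous_arps


def demo() -> dict:
    """The R1-R4 / PC1-PC4 scenario above; host IPs are constructed."""
    gws = [Gateway(f"R{i}", f"10.10.10.{i}") for i in range(1, 5)]
    avg, svg, avfs = elect(gws, group=1)
    avf_map = {g.name: g.vmacs[0] for g in avfs}
    hosts = [f"10.10.10.{i}" for i in range(11, 15)]      # PC1..PC4
    replies = round_robin_arp_replies(avfs, hosts)
    new_avg, taker, garps = fail_gateway(gws, gws[3])    # R4, the AVG, fails
    return {
        "avg": avg.name, "svg": svg.name, "avfs": avf_map,
        "arp_replies": replies,
        "new_avg": new_avg.name, "taker": taker.name,
        "taker_vmacs": list(taker.vmacs), "garps": garps,
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(demo())
```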

Interface Tracking

Like HSRP, GLBP can be configured to track interfaces. For example, if the WAN link from Router R4
is lost, GLBP detects the failure and decrements the router priority (when a tracked interface fails).
The second router then becomes primary. This transition is transparent for the hosts.

GLBP Authentication
GLBP has three authentication types:
+ No authentication
+ MD5 authentication
+ Plain text authentication

MD5 is the most secure of these methods. With this method, the same key is configured on both ends. One end sends an MD5 hash of the key (often loosely called the “encrypted key”) to the other. At the other side, the same key is also hashed and compared with the received hash. If the two hashes are the same then authentication is approved. The advantage of this method is that only the hash is sent through the link, never the key itself. The key for the MD5 hash can either be given directly in the configuration using a key string or supplied indirectly through a key chain.
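The three authentication types above, modelled as an added Python example (not the tutorial's code): the receiver recomputes the MD5 hash with its own key and compares it, so only the hash crosses the link, whereas plain text authentication carries the key itself; the hello payload, key and trailer layout are constructed for this example and are not the real GLBP packet format.

```python
import hashlib
import hmac


def build_hello(payload: bytes, key: bytes, auth_type: str) -> bytes:
    """Sender side for the three GLBP authentication types. The '|AUTH-' trailer
    is a constructed layout for this example, not the real GLBP packet format."""
    if auth_type == "none":
        return payload
    if auth_type == "text":
        return payload + b"|AUTH-TEXT:" + key                  # the key itself is on the wire
    if auth_type == "md5":
        # Only the MD5 hash of (hello + key) is sent; the key never crosses the link.
        # MD5 appears here because it is the keyed option the protocol offers,
        # not because it is a strong hash by today's standards.
        return payload + b"|AUTH-MD5:" + hashlib.md5(payload + key).hexdigest().encode()
    raise ValueError(f"unknown auth type {auth_type}")


def accept_hello(frame: bytes, key: bytes, auth_type: str) -> bool:
    """Receiver side: recompute with the locally configured key and compare.
    A wrong key or a tampered hello both fail; compare_digest keeps the
    comparison constant-time."""
    if auth_type == "none":
        return True
    body, sep, trailer = frame.rpartition(b"|AUTH-")
    if not sep:
        return False                                            # no trailer at all
    if auth_type == "text":
        return hmac.compare_digest(trailer, b"TEXT:" + key)
    if auth_type == "md5":
        expected = hashlib.md5(body + key).hexdigest().encode()
        return hmac.compare_digest(trailer, b"MD5:" + expected)
    raise ValueError(f"unknown auth type {auth_type}")


def key_exposed_on_wire(frame: bytes, key: bytes) -> bool:
    """True when the configured key appears verbatim in the frame: the case for
    plain text authentication, while the MD5 trailer carries only a hex digest."""
    return key in frame


# Constructed hello payload for the tutorial's GLBP group 1 and a made-up key
HELLO = b"GLBP group=1 vip=10.10.10.100 priority=100 weight=100"
SHARED_KEY = b"example-key-not-real"

if __name__ == "__main__":
    for kind in ("none", "text", "md5"):
        frame = build_hello(HELLO, SHARED_KEY, kind)
        print(kind, "accepted:", accept_hello(frame, SHARED_KEY, kind),
              "key visible:", key_exposed_on_wire(frame, SHARED_KEY))
```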

3.0.6. Basic MPLS Tutorial

MPLS is a new forwarding mechanism called “label switching” in which packets are forwarded based on labels. However, hosts are unaware of labeled packets, so routers need to add a label when a packet enters the “MPLS area” and remove that label after it leaves.

The idea of label switching is to have only the first router do an IP lookup and assign a label; then all subsequent routers in the network can “cheat” by doing an exact-match “switch” based on the label. This reduces load on the core routers, where high performance is the most difficult to achieve, and distributes the routing lookups across lower-speed edge routers.

In a traditional IP network:
* Each router performs an IP lookup (“routing”), determines a next-hop based on its routing table,
and forwards the packet to that next-hop.
* Rinse and repeat for every router, each making its own independent routing decisions, until the
final destination is reached.

MPLS does “label switching” instead:

* The first device does a routing lookup, just like before.
* But instead of finding a next-hop, it finds the final destination router.
* And it finds a pre-determined path from “here” to that final router.
* The router applies a “label” (or “shim”) based on this information.
* Future routers use the label to route the traffic without needing to perform any additional IP lookups.
* At the final destination router, the label is removed and the packet is delivered via normal IP routing.

Therefore, in an MPLS network, data packets are assigned labels. Packet-forwarding decisions are made solely on the contents of this label, without the need to examine the packet itself.

Cisco Express Forwarding (CEF) table

To enable MPLS on a Cisco router, we must turn on CEF first so let’s analyze what lies inside a CEF
table.

As you know, a router uses routing protocols (like OSPF, EIGRP, RIP…), static routes and connected routes to create the Routing table (or Routing Information Base, RIB). When CEF is enabled, the router uses this table to create a more optimized table, called the Forwarding Information Base (FIB), which contains the next hop and outgoing interface of specific routes. Although the FIB does not differ much from the RIB, the router spends very little time finding the correct entry, resulting in a smaller forwarding delay and more packets processed per second.

Below shows the topology of a small network and the output of the “show ip cef” command on R1
router.
CEF (FIB) table of R1

Of course CEF table is clearer than Routing table as you can see below

Routing table of R1

How MPLS forwards packets

MPLS forwards packets based on the Forwarding Information Base (FIB) and Label Forwarding
Information Base (LFIB) tables. FIB and LFIB have all necessary label information as well as the
outgoing interface and next-hop information.

FIB: As said above, router uses CEF to create this table. In most cases, the ingress router uses this
table for incoming unlabeled packets. The router matches the destination IP address to the best
prefix (network) it has in the FIB. It then injects a label and forwards that packet.

LFIB: Used by the core MPLS routers (which are not ingress or egress MPLS routers). They compare the label in the incoming packet with the labels they have in their LFIB. If a match is found, the routers forward that packet based on that match. If not, the packet will be dropped. The LFIB is built from the LIB and FIB tables.

Note: All routers in MPLS domain have both FIB and LFIB tables but only edge routers use FIB
(ingress router uses FIB, egress router uses LFIB and FIB)
The LIB table holds all the labels known to the LSR and associated information that could possibly
be used to forward packets. However, each LSR must choose the best label to use so FIB and LFIB
contain only labels of best paths. To choose the best label, LSRs rely on the routing protocol’s
decision about the best route.

Label Switch Router (LSR) refers to any router that has awareness of MPLS labels, for example
routers R1, R2, R3 and R4 in the example below. The entry and exit routers of an MPLS network are
called edge LSRs (or label edge routers, LERs), which, respectively, push an MPLS label
onto an incoming packet (label imposition) and pop it off the outgoing packet (label
disposition). A transit LSR, by contrast, is a high-speed router in the core of the MPLS network that
participates in the establishment of Label Switched Paths (LSPs) using the appropriate label
signaling protocol and switches data traffic at high speed based only on the label, without looking at
the IP header. In the example below, R1 and R4 are edge LSRs (LERs) and R2 and R3 are transit LSRs.

When the ingress router receives traffic, it inserts an MPLS label (a 32-bit shim header) between the IP packet
and the Layer 2 header of the outgoing link. The label is an index value that
identifies the next hop for the particular LSP. When the next-hop transit router receives the
packet, it uses the label as an index into its LFIB to find the outgoing label and next hop, and
forwards the packet to the next router in the LSP.

In this example, when R1 receives a packet with a destination of 1.1.1.1 it first performs a routing
lookup in its FIB, pushes “label 2” for this destination and forwards the packet to R2. R2 checks its Label
Forwarding Information Base (LFIB) and sees that the outgoing label for incoming label 2 is label 7. It
swaps label 2 with label 7 and forwards the packet to R3. R3 acts similarly to R2, swaps label 7 with label
4 and forwards the packet to R4. The edge router R4 removes that label and does a routing lookup to find
the next hop and forward the packet. The whole process is summarized below:

1. After OSPF convergence, all routers have a route to network 1.0.0.0/8 and this
information is placed in the RIB.

2. On R1, the Label Distribution Protocol (LDP) assigns the local label 11 to the network 1.0.0.0/8 and
advertises this label to its neighbors.

3. The other routers running OSPF also have a route to this network, so each of them uses its own LDP
to assign a local label to it and advertises that label to its neighbors. For
example, R2 advertises to R1 (and R3) that it uses label 2 for the network 1.0.0.0/8. R1 receives
this binding and, because R2 is its next hop for the prefix, marks label 2 as its outgoing label. R3 does
not use this label (R2 is not its next hop) but it still saves the binding in its LIB. R3 also advertises
to R2 (and R4) that it uses label 7 for this network, and R4 advertises to R3 that it uses label 4.
Notice that every received binding is stored in the LIB, whether it is used or not.

4. Each router uses information about the network, local label and outgoing label to build the LFIB.

Now when a packet to the destination 1.1.1.1 arrives, the ingress router looks it up in the
FIB and learns that this packet should be labeled 2. The router pushes label 2 onto that packet and
forwards it out of the outgoing interface to the downstream router (R2 in this case).

R2 receives a labeled packet, so it looks it up in the LFIB, swaps label 2 for label 7 and forwards it
out of the outgoing interface. The other core LSRs process incoming labeled packets in the same way as
R2.

The packet continues traveling to the egress LER. Because the egress LER receives a labeled packet,
it looks it up in its LFIB too. In the LFIB, router R4 learns that label 4 is bound to an implicit-null
(pop) action, so the router removes the label and does a normal IP lookup to forward the packet into the
network 1.0.0.0/8.

Note: In a real LDP deployment the egress LER usually advertises the reserved implicit-null label (value 3)
for its connected prefixes, so the label is popped one hop earlier, on R3 (penultimate hop popping, PHP),
and R4 receives a plain IP packet that it simply routes. The example above keeps the pop on R4 so that
both tables of the egress router can be shown.
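The control-plane steps and the push/swap/pop forwarding described above, as an added example in Python (this is not code from the 9tut tutorial). It models the LIB, FIB and LFIB of the four routers, distributes the bindings named in the text (labels 11, 2, 7 and 4 for 1.0.0.0/8) the way LDP would, and then traces one packet; the class and function names, the adjacency list and the optional PHP mode are assumptions of this example.

```python
import ipaddress

# Added example (not part of the 9tut tutorial): a model of the LIB/FIB/LFIB tables and of
# push/swap/pop forwarding on the four-router LSP above. Labels 11, 2, 7 and 4 are the
# bindings named in the text; everything else (class and function names) is made up here.
IMPLICIT_NULL = 3   # reserved label (RFC 3032): "pop the label before sending the packet to me"

class Lsr:
    def __init__(self, name, connected=()):
        self.name = name
        self.connected = set(connected)  # prefixes this LSR is directly attached to
        self.next_hop = {}               # prefix -> neighbour chosen by the IGP (the RIB)
        self.local_label = {}            # prefix -> label this LSR allocated (local side of the LIB)
        self.lib = {}                    # (neighbour, prefix) -> label that neighbour advertised via LDP
        self.fib = {}                    # prefix -> (label to push or None, next hop)
        self.lfib = {}                   # incoming label -> (action, outgoing label, next hop)

    def ldp_receive(self, neighbour, prefix, label):
        """Every binding a neighbour advertises is kept in the LIB, used or not."""
        self.lib[(neighbour, prefix)] = label

    def build_tables(self):
        """FIB/LFIB keep only the binding learned from the IGP next hop (the best path)."""
        for prefix, nh in self.next_hop.items():
            out = self.lib.get((nh, prefix))
            if out is None or out == IMPLICIT_NULL:     # unlabelled next hop, or next hop asked for PHP
                self.fib[prefix] = (None, nh)
                entry = ("pop", None, nh)
            else:
                self.fib[prefix] = (out, nh)
                entry = ("swap", out, nh)
            if prefix in self.local_label:
                self.lfib[self.local_label[prefix]] = entry
        for prefix in self.connected:                    # egress: pop and route the bare IP packet
            self.fib[prefix] = (None, "connected")
            if prefix in self.local_label:
                self.lfib[self.local_label[prefix]] = ("pop", None, "connected")

    def ip_lookup(self, dst):
        """Longest-prefix match in the FIB."""
        addr = ipaddress.ip_address(dst)
        matches = [p for p in self.fib if addr in ipaddress.ip_network(p)]
        return max(matches, key=lambda p: ipaddress.ip_network(p).prefixlen) if matches else None

    def forward(self, pkt):
        """pkt = {'dst': ip, 'labels': [stack, top last]}. Returns (action, next hop) and edits the stack."""
        if pkt["labels"]:                                # labelled packet: LFIB only, IP header not examined
            entry = self.lfib.get(pkt["labels"][-1])
            if entry is None:
                return "drop", None                      # unknown label
            action, out, nh = entry
            pkt["labels"].pop()
            if action == "swap":
                pkt["labels"].append(out)
            return action, nh
        prefix = self.ip_lookup(pkt["dst"])              # unlabelled packet: FIB
        if prefix is None:
            return "drop", None
        label, nh = self.fib[prefix]
        if label is not None:
            pkt["labels"].append(label)
            return "push", nh
        return "route", nh

def build_network(php=False):
    """R1 -> R2 -> R3 -> R4, with R4 attached to 1.0.0.0/8. php=True makes R4 advertise implicit-null."""
    prefix = "1.0.0.0/8"
    routers = {n: Lsr(n) for n in ("R1", "R2", "R3", "R4")}
    routers["R4"].connected.add(prefix)
    for name, nh in (("R1", "R2"), ("R2", "R3"), ("R3", "R4")):
        routers[name].next_hop[prefix] = nh
    for name, label in (("R1", 11), ("R2", 2), ("R3", 7), ("R4", 4)):
        routers[name].local_label[prefix] = label
    adjacency = {"R1": ["R2"], "R2": ["R1", "R3"], "R3": ["R2", "R4"], "R4": ["R3"]}
    for r in routers.values():                          # LDP: advertise the local binding to every neighbour
        adv = IMPLICIT_NULL if (php and prefix in r.connected) else r.local_label[prefix]
        for n in adjacency[r.name]:
            routers[n].ldp_receive(r.name, prefix, adv)
    for r in routers.values():
        r.build_tables()
    return routers

def trace(routers, dst, ingress="R1"):
    """Walk one packet along the LSP; returns [(router, action, label stack after the hop), ...]."""
    pkt, hops, cur = {"dst": dst, "labels": []}, [], ingress
    while cur in routers:
        action, nh = routers[cur].forward(pkt)
        hops.append((cur, action, list(pkt["labels"])))
        if action in ("drop", "route"):
            break
        cur = nh
    return hops
```

Running `trace(build_network(), "1.1.1.1")` gives push on R1, swap on R2 and R3 and pop on R4, exactly the sequence in the text; `build_network(php=True)` moves the pop to R3. Note that a labelled packet with a label nobody bound is dropped without anyone ever reading its IP header, which is why a transit LSR cannot apply an IP ACL to MPLS traffic.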

That is all the theory. Now let’s return to our simple example with 3 routers to see what is
actually inside these tables.

LIB table of R1
LFIB table of R1

MPLS key points

+ Assignment of a particular packet to a particular Forwarding Equivalence Class (FEC) is done just once, as
the packet enters the network.
+ Packets are “labeled” before they are forwarded to the next hop.
+ All forwarding is driven by labels.
+ There is no further analysis of the packet’s network layer header at subsequent hops.
+ The label is used as an index into a table which specifies the next hop and a new label. The old
label is swapped with the new label and the packet is forwarded to its next hop.

It’s important to think of MPLS as having two components, the control plane and the data plane. LDP is
used in the control plane to exchange labels. From the control plane we build the data
plane. On Cisco routers the data plane is the CEF table (the FIB) together with the LFIB.

Control plane: Exchanges Layer 3 routing information and labels; contains complex mechanisms to
exchange routing information, such as OSPF, EIGRP, IS-IS and BGP, and to exchange labels, such
as LDP and RSVP.

Data plane: Forwards packets based on labels; has a simple forwarding engine.

4.0. IP Services
4.0.1. DHCP Tutorial
In an IP environment, before a computer can communicate with another one, both need to have their
own IP addresses. There are two ways of configuring an IP address on a device:
+ Statically assign an IP address. This means we manually type an IP address into this computer.
+ Use a protocol so that the computer can obtain its IP address automatically (dynamically). The
most popular protocol for this task is the Dynamic Host Configuration Protocol
(DHCP), and we will learn about it in this tutorial.

A big advantage of using DHCP is the ability to join a network without knowing any details about it. For
example, you go to a coffee shop and, with DHCP enabled on your computer, you can go online without
doing anything. The next day you go online at your school and you don’t have to configure anything
either, even though the networks of the coffee shop and your school are different (for example, the
network of the coffee shop is 192.168.1.0/24 while that of your school is 10.0.0.0/8). Really nice,
right? Without DHCP, you would have to ask someone who knows the network at your location and
then manually choose an IP address in that range. In the worst case, the IP you choose is the same
as that of someone else who is also using that network, and an address conflict occurs. So how does
DHCP obtain a suitable IP address for you automatically? Let’s find out.

How DHCP works

1. When a client boots up for the first time (or tries to join a new network), it needs to obtain an IP
address to communicate. So it first transmits a DHCPDISCOVER message on its local subnet.
Because the client has no way of knowing which subnet it belongs to, the DHCPDISCOVER is sent as a
limited broadcast (destination IP address 255.255.255.255, the Layer 3 broadcast
address, and destination MAC address FF-FF-FF-FF-FF-FF, the Layer 2 broadcast
address). The client does not have a configured IP address yet, so the source IP address 0.0.0.0 is
used. DHCP runs over UDP: the client sends from port 68 to the server port 67. The purpose of the
DHCPDISCOVER message is to find a DHCP Server (a server that can assign IP addresses).

2. After receiving the discover message, the DHCP Server picks an unassigned
IP address from its IP pool and sends a DHCPOFFER message to the client(*). The DHCPOFFER
message can contain other information such as the subnet mask, default gateway, IP address lease
time and Domain Name Server (DNS).

(*)
Note: The DHCPOFFER is usually a Layer 3 broadcast message (the destination IP is
255.255.255.255) but a Layer 2 unicast message (the destination MAC is the MAC of the DHCP
Client, not FF-FF-FF-FF-FF-FF), so some books call it a broadcast and others a unicast message.
Strictly, RFC 2131 lets the client decide: if the client set the broadcast flag in its DHCPDISCOVER
the server broadcasts the reply, otherwise it may unicast it to the client’s MAC address and the
offered IP address.
3. If the client accepts the offer, it then broadcasts a DHCPREQUEST message saying it will take
this IP address. It is called a request message because the client might decline the offer by requesting
another IP address. Notice that the DHCPREQUEST message is still a broadcast because the
DHCP client has still not received an acknowledged IP. Also, a DHCP Client can receive DHCPOFFER
messages from several DHCP Servers, so broadcasting the DHCPREQUEST (which names the chosen server
in its server identifier option) is also the way to inform the other servers that their offers have
been rejected.

4. When the DHCP Server receives the DHCPREQUEST message from the client, the DHCP Server
accepts the request by sending the client a DHCPACKNOWLEDGEMENT message
(DHCPACK), delivered the same way as the DHCPOFFER.

In conclusion, there are four messages sent between the DHCP Client and the DHCP Server:
DHCPDISCOVER, DHCPOFFER, DHCPREQUEST and DHCPACKNOWLEDGEMENT. This process is
often abbreviated as DORA (for Discover, Offer, Request, Acknowledgement).

After receiving the DHCPACKNOWLEDGEMENT, the IP address is leased to the DHCP Client. A client
usually keeps the same address by periodically contacting the DHCP server to renew the lease
before the lease expires.

If the DHCP Server is not on the same subnet as the DHCP Client, we need to configure the router
on the DHCP client side to act as a DHCP Relay Agent so that it can forward DHCP messages
between the DHCP Client and the DHCP Server. To make a router a DHCP Relay Agent, simply put the “ip
helper-address <IP-address-of-DHCP-Server>” command under the interface that receives the
DHCP messages from the DHCP Client.

As we know, a router does not forward broadcast packets (it drops them instead), so DHCP messages
like DHCPDISCOVER would be dropped. But with the “ip helper-address …” command, the
router accepts that broadcast, converts it into a unicast packet and forwards it to the
DHCP Server. The destination IP address of the unicast packet is taken from the “ip helper-address
…” command, and the relay writes the IP address of the receiving interface into the giaddr field of
the DHCP message, which is how the server knows which subnet (pool) to allocate from and where to
send its reply.
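The DORA exchange and the relay rewrite described above, as an added example in Python (not code from the 9tut tutorial). It serialises and parses the RFC 2131 message layout, builds a DHCPDISCOVER as a client would, applies what “ip helper-address” does to it (stamp giaddr, bump the hop count), answers it with a DHCPOFFER carrying the options listed in the text, and decides where the server has to send that offer. The MAC address, transaction ID, addresses and function names are constructed for the example.

```python
import socket
import struct

# Added example (not from the 9tut page): a DHCP client/relay/server exchange on the wire.
# RFC 2131 fixed header (236 bytes), then the magic cookie, then TLV options.
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"
MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5     # option 53 values: D, O, R, A
BROADCAST_FLAG = 0x8000

def build(op, xid, chaddr, options, yiaddr="0.0.0.0", siaddr="0.0.0.0",
          giaddr="0.0.0.0", broadcast=False):
    """Serialise one DHCP message. options: list of (code, raw value bytes)."""
    aton = socket.inet_aton
    hdr = struct.pack(HEADER, op, 1, len(chaddr), 0, xid, 0,
                      BROADCAST_FLAG if broadcast else 0,
                      aton("0.0.0.0"), aton(yiaddr), aton(siaddr), aton(giaddr),
                      chaddr.ljust(16, b"\x00"), b"", b"")
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return hdr + MAGIC + body + b"\xff"          # 0xff = end of options

def parse(pkt):
    f = struct.unpack(HEADER, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 0xff:
        if pkt[i] == 0:                          # pad option
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    ntoa = socket.inet_ntoa
    return {"op": f[0], "hops": f[3], "xid": f[4], "flags": f[6],
            "ciaddr": ntoa(f[7]), "yiaddr": ntoa(f[8]), "siaddr": ntoa(f[9]),
            "giaddr": ntoa(f[10]), "chaddr": f[11][:f[2]], "options": opts}

def build_discover(xid, mac, broadcast=True):
    """Client side: goes from 0.0.0.0:68 to 255.255.255.255:67, MAC ff:ff:ff:ff:ff:ff."""
    return build(BOOTREQUEST, xid, mac,
                 [(53, bytes([DISCOVER])),
                  (61, b"\x01" + mac),                 # client identifier (type 1 = Ethernet MAC)
                  (55, bytes([1, 3, 6, 15, 51]))],     # parameter request list
                 broadcast=broadcast)

def relay(pkt, relay_interface_ip):
    """What 'ip helper-address' does: forward the broadcast as a unicast to the server and
    stamp giaddr with the address of the interface the request arrived on."""
    p = bytearray(pkt)
    if p[24:28] == b"\x00\x00\x00\x00":          # giaddr sits at offset 24; keep the first relay's value
        p[24:28] = socket.inet_aton(relay_interface_ip)
    p[3] += 1                                    # hops
    return bytes(p)

def build_offer(req, yiaddr, server_ip, mask, router, dns, domain, lease_seconds):
    """Server side: answer a parsed DISCOVER. giaddr is copied back so the relay can deliver it."""
    opts = [(53, bytes([OFFER])), (54, socket.inet_aton(server_ip)),
            (51, struct.pack("!I", lease_seconds)), (1, socket.inet_aton(mask)),
            (3, socket.inet_aton(router)), (6, socket.inet_aton(dns)), (15, domain.encode())]
    return build(BOOTREPLY, req["xid"], req["chaddr"], opts, yiaddr=yiaddr, siaddr=server_ip,
                 giaddr=req["giaddr"], broadcast=bool(req["flags"] & BROADCAST_FLAG))

def reply_destination(msg):
    """Where the server sends an OFFER/ACK (RFC 2131 section 4.1): to the relay when giaddr is
    set, as a broadcast when the client asked for one, otherwise unicast to the offered address."""
    if msg["giaddr"] != "0.0.0.0":
        return msg["giaddr"], 67
    if msg["flags"] & BROADCAST_FLAG:
        return "255.255.255.255", 68
    return msg["yiaddr"], 68
```

Nothing in these bytes identifies the server: a DISCOVER is answered by whoever is fastest, so the relay's giaddr stamp and the server identifier (option 54) are trust decisions made on the client's behalf, which is the gap that DHCP snooping closes on the switch.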

When a DHCP address conflict occurs

During the IP assignment process, the DHCP Server uses ping to test the availability of an IP before
offering it to the client. If nobody replies, the DHCP Server assumes that IP has not been
allocated and it can safely assign that IP to a client. If someone answers the ping, the DHCP Server
records a conflict, the address is removed from the DHCP pool and it will not be assigned to a
client until the administrator resolves the conflict manually (on Cisco IOS the conflicts are listed
with “show ip dhcp conflict” and cleared with “clear ip dhcp conflict”). The client performs a similar
check on its side with gratuitous ARP and sends a DHCPDECLINE if the address is already in use.

Note that nothing in DHCP authenticates the server: any host on the segment can answer a DHCPDISCOVER
with its own default gateway and DNS server addresses. On Cisco switches, DHCP snooping (“ip dhcp
snooping”) only lets server replies in on trusted ports and is the usual countermeasure.

Configure a DHCP Server on a Cisco router

Instead of using a separate computer/server as a DHCP Server, we can save the cost and configure
a Cisco router (or even a Layer 3 Cisco switch) to work as a DHCP Server. The following example
configuration will complete this task:

Configuration                                                  Description
Router(config)#ip dhcp pool CLIENTS                            Create a DHCP pool named CLIENTS
Router(dhcp-config)#network 10.1.1.0 /24                       Subnet and mask of the DHCP address pool
Router(dhcp-config)#default-router 10.1.1.1                    Default gateway handed to the DHCP Clients
Router(dhcp-config)#dns-server 10.1.1.1                        Domain Name Server (DNS) handed to the clients
Router(dhcp-config)#domain-name 9tut.com                       Domain name handed to the clients
Router(dhcp-config)#lease 0 12                                 Duration of the lease (the time during which a
                                                               client may use the assigned IP address). The
                                                               syntax is “lease {days [hours] [minutes] |
                                                               infinite}”; here the lease is 12 hours. The
                                                               default is a one-day lease. Before the lease
                                                               expires, the client renews it with the server.
Router(dhcp-config)#exit
Router(config)#ip dhcp excluded-address 10.1.1.1 10.1.1.10     The IP range the DHCP Server must never assign
                                                               to clients (the gateway and other static hosts).
                                                               Notice this command is configured in global
                                                               configuration mode, not inside the pool.
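The allocation logic behind the pool configured above (network, excluded range, lease time and the ping-based conflict check from the previous section), as an added example in Python that is not part of the 9tut tutorial. The `DhcpPool` class, the injectable clock and the `ping` callback are inventions of this example; with a real ICMP probe in place of the callback the behaviour is the one the text describes.

```python
import ipaddress
import time

# Added example (not part of the 9tut tutorial): the allocation logic behind "network 10.1.1.0 /24",
# "lease 0 12" and "ip dhcp excluded-address 10.1.1.1 10.1.1.10", plus the ping conflict check.
# The class, the fake clock and the "ping" callback are invented for this example.
class DhcpPool:
    def __init__(self, network, excluded=(), lease_seconds=43200,
                 ping=lambda ip: False, clock=time.time):
        net = ipaddress.ip_network(network)
        self.candidates = [str(h) for h in net.hosts()]   # network and broadcast addresses are never offered
        self.excluded = set()
        for lo, hi in excluded:                            # ip dhcp excluded-address <lo> <hi>
            a, b = int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi))
            self.excluded.update(str(ipaddress.ip_address(i)) for i in range(a, b + 1))
        self.lease = lease_seconds
        self.ping = ping                                   # True when somebody answers at that address
        self.clock = clock
        self.bindings = {}                                 # ip -> (client id, lease expiry)
        self.conflicts = {}                                # ip -> time detected ("show ip dhcp conflict")

    def _is_free(self, ip, now):
        if ip in self.excluded or ip in self.conflicts:
            return False
        binding = self.bindings.get(ip)
        return binding is None or binding[1] <= now        # an expired lease is reusable

    def offer(self, client_id):
        """Pick the address to put in a DHCPOFFER; None means the pool is exhausted."""
        now = self.clock()
        for ip, (cid, expiry) in self.bindings.items():   # a renewing client keeps its address
            if cid == client_id and expiry > now:
                return ip
        for ip in self.candidates:
            if not self._is_free(ip, now):
                continue
            if self.ping(ip):                              # somebody already uses it: record a conflict
                self.conflicts[ip] = now                   # and never offer it until the admin clears it
                continue
            self.bindings[ip] = (client_id, now + self.lease)
            return ip
        return None

    def release(self, ip, client_id):
        """DHCPRELEASE from the client that holds the lease."""
        if self.bindings.get(ip, (None, 0))[0] == client_id:
            del self.bindings[ip]

    def clear_conflict(self, ip):
        """clear ip dhcp conflict <ip>"""
        self.conflicts.pop(ip, None)
```

The conflict set is deliberately sticky: a host that squats on an address inside the pool shrinks the pool until someone looks at the conflict list, so that list is worth monitoring rather than just clearing.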

4.0.2. Simple Network Management Protocol (SNMP) Tutorial

Building a working network is important, but monitoring its health is just as important. Luckily
we have tools to make the administrator’s life easier, and SNMP is one of them. SNMP is
present in most networks regardless of their size, and understanding how
SNMP works is really important. That is what we will learn in this tutorial.

Understand SNMP

SNMP consists of 3 components:

+ SNMP Manager (sometimes called Network Management System, NMS): software that runs on
the device of the network administrator (in most cases, a computer) to monitor the network.
+ SNMP Agent: software that runs on the network devices we want to monitor (router, switch,
server…).
+ Management Information Base (MIB): the collection of managed objects. This component
makes sure that the data exchange between the manager and the agent remains structured. In
other words, the MIB contains the set of questions that the SNMP Manager can ask the Agent (and that
the Agent can understand). The MIB definition is shared between the Agent and the Manager.
For example, suppose you want to monitor a router, a server and a multilayer switch.
You run an SNMP Agent on all of them. Then on a PC you install SNMP Manager software to
receive the monitoring information. SNMP is the protocol running between the Manager and the Agents.
SNMP communication between Manager and Agent takes place in the form of messages. The
monitoring is done through the MIB, a standardized database that contains
parameters/objects describing these networking devices (like IP addresses, interfaces, CPU
utilization, …). Therefore the monitoring process becomes the process of GETting and SETting
values in the MIB.

SNMP Versions

SNMP has multiple versions but there are three main ones:

+ SNMP version 1
+ SNMP version 2c
+ SNMP version 3

SNMPv1 is the original version and is obsolete, so it should not be used in our network. SNMPv2c
updated the original protocol and offered some enhancements. One noticeable enhancement
is the introduction of the INFORM and GETBULK messages, which will be explained later in this tutorial.

Neither SNMPv1 nor SNMPv2c paid much attention to security: they provide access control based
on a community string only. A community string is really just a clear-text password (no
encryption, no hashing). Any data sent in clear text over a network is vulnerable to packet sniffing and
interception, and the community string is carried in every message, so anyone who captures a single SNMP
packet has it. The well-known defaults “public” and “private” are still found on production devices and
are among the first things a scanner tries. There are two types of community strings in SNMPv2c:

+ Read-only (RO): gives read-only access to the MIB objects, which is safer and preferred over the other
method.
+ Read-write (RW): gives read and write access to the MIB objects. This method allows the SNMP
Manager to change the configuration of the managed router/switch (on a Cisco device an RW string is
enough to replace the running configuration), so be very careful with this type.

The community string defined on the SNMP Manager must match one of the community strings on
the Agents in order for the Manager to access the Agents.

SNMPv3 provides significant enhancements to address the security weaknesses of the
earlier versions. The concept of a community string does not exist in this version. SNMPv3 provides
far more secure communication using entities, users and groups. This is achieved by implementing
three new major features:
+ Message integrity: ensuring that a packet has not been modified in transit.
+ Authentication: using keyed hashing (HMAC-MD5 or HMAC-SHA) to ensure the message is from a
valid source on the network.
+ Privacy (Encryption): encrypting the contents of the packet (56-bit DES was the original cipher;
current devices also support AES, which should be chosen instead). Only the authPriv security level
gives you all three.

Note: Although SNMPv3 offers better security, SNMPv2c is still more common. Cisco
has supported SNMPv3 in their routers since IOS version 12.0(3)T.

In the next part we will learn the SNMP messages used in each version.
SNMP Messages

SNMP messages are used to communicate between the SNMP Manager and the Agents. SNMPv1
supports five basic SNMP messages:

+ SNMP GET
+ SNMP GET-NEXT
+ SNMP GET-RESPONSE
+ SNMP SET
+ SNMP TRAP

In general, GET messages are sent by the SNMP Manager to retrieve information from the
SNMP Agents, while SET messages are used by the SNMP Manager to modify or assign values
on the SNMP Agents.

Note: GET-NEXT retrieves the value of the next object in the MIB, which is how a manager walks a table.

The GET-RESPONSE message is used by the SNMP Agents to reply to GET, GET-NEXT and SET messages.

Unlike GET or SET messages, TRAP messages are initiated by the SNMP Agents to inform the
SNMP Manager of the occurrence of an event. For example, suppose you want to be alerted when
the CPU usage of your server goes above 80%. It would be very annoying if the administrator
had to actively poll the CPU usage with GET messages from time to time. In this case the
TRAP message is very suitable, because the administrator is informed by the device itself
when the event occurs. The direction of the SNMP messages is: GET, GET-NEXT and SET from
Manager to Agent, GET-RESPONSE from Agent to Manager, and TRAP from Agent to Manager.

SNMPv2c added two new messages: INFORM and GETBULK.

INFORM: A disadvantage of TRAP messages is that they are unreliable. SNMP communicates via UDP, so
when an SNMP Agent sends a TRAP message to the SNMP Manager it cannot
know whether the message arrived. To address this problem, a new type of message,
called INFORM, was introduced in SNMPv2. With the INFORM message, the SNMP Manager
acknowledges that the message has been received with an SNMP Response protocol data
unit (PDU). If the sender never receives a response, the INFORM can be sent again. Thus INFORMs
are more likely to reach their intended destination.

GETBULK: The GETBULK operation efficiently retrieves large blocks of data, such as multiple rows
in a table. GETBULK fills a response message with as much of the requested data as will fit, which is
also why it is the operation abused for reflection/amplification attacks when SNMP is reachable from
untrusted networks.

Note: There are no new message types in SNMPv3 compared to SNMPv2c.
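To make the community-string point concrete, here is an added Python example (not code from the 9tut tutorial) that builds SNMPv2c GetRequest and GetBulkRequest messages byte by byte, following the BER encoding the protocol uses, and then reads the version, community string and PDU type back out of the raw bytes, which is exactly what anyone sniffing UDP port 161 sees. The function names are invented for this example; the OIDs and the strings “public” and “9tut” are only sample inputs.

```python
# Added example (not part of the 9tut tutorial): build SNMPv2c GET/GETBULK requests byte by
# byte and read the community string back out of them, to show that the "password" travels
# in clear text. Encoding per RFC 3416; the function names here are invented for the example.
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response", 0xA3: "SetRequest",
             0xA4: "Trap (v1 only)", 0xA5: "GetBulkRequest", 0xA6: "InformRequest",
             0xA7: "SNMPv2-Trap"}
VERSION = {"v1": 0, "v2c": 1}

def ber_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + ber_length(len(body)) + body

def ber_int(value):
    """INTEGER, minimal two's-complement length."""
    n = 1
    while not -(1 << (8 * n - 1)) <= value < (1 << (8 * n - 1)):
        n += 1
    return tlv(0x02, value.to_bytes(n, "big", signed=True))

def ber_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def snmp_message(community, pdu_tag, request_id, oids, version="v2c", a=0, b=0):
    """a, b = error-status / error-index, or non-repeaters / max-repetitions for GetBulk."""
    varbinds = tlv(0x30, b"".join(tlv(0x30, ber_oid(o) + b"\x05\x00") for o in oids))  # value = NULL
    pdu = tlv(pdu_tag, ber_int(request_id) + ber_int(a) + ber_int(b) + varbinds)
    return tlv(0x30, ber_int(VERSION[version]) + tlv(0x04, community.encode()) + pdu)

def get_request(community, oid, request_id=1):
    return snmp_message(community, 0xA0, request_id, [oid])

def getbulk_request(community, oid, max_repetitions=10, request_id=1):
    return snmp_message(community, 0xA5, request_id, [oid], a=0, b=max_repetitions)

def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def inspect(pkt):
    """What anyone sniffing UDP/161 sees: version, community string, PDU type."""
    tag, msg, _ = read_tlv(pkt)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, pos = read_tlv(msg, 0)
    _, community, pos = read_tlv(msg, pos)
    pdu_tag, _, _ = read_tlv(msg, pos)
    return {"version": int.from_bytes(version, "big", signed=True),
            "community": community.decode(),
            "pdu": PDU_TYPES.get(pdu_tag, "unknown 0x%02x" % pdu_tag)}
```

`get_request("public", "1.3.6.1.2.1.1.1.0")` is the 40-byte sysDescr query every scanner sends; the string “public” sits at byte 10 of the datagram, unprotected. A GetBulk differs only in the PDU tag (0xA5) and in the meaning of the two integers after the request id, which is why a small request can trigger a large response.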

SNMP Configuration
In the last part we will go through a simple SNMP configuration so that you can have a closer look
at how SNMP works. SNMPv2c is still more popular than SNMPv3, so we will configure SNMPv2c.

1. Configure a community string

Router(config)#snmp-server community 9tut ro

In this case our community string is “9tut”. The ro stands for read-only access. The command also
accepts an access-list number or name after ro/rw that restricts which Manager addresses may use
the string; without it, anyone who reaches UDP port 161 with the string is accepted.

2. Configure the IP address of a host receiver (SNMP Manager) for SNMPv2c TRAPs or
INFORMs

Router(config)#snmp-server host 10.10.10.12 version 2c TRAPCOMM

“TRAPCOMM” is the community string used for the TRAPs.

3. Enable the SNMP Traps

Router(config)#snmp-server enable traps

If we don’t want to enable all trap messages we can specify which traps we want to be notified about.
For example, if you only want to receive traps about link up/down events then use this
command instead:

Router(config)#snmp-server enable traps link cisco

Of course we have to configure an SNMP Manager on a computer with these community strings so
that they can communicate.

Good resource and reference: http://docwiki.cisco.com/wiki/Simple_Network_Management_Protocol.

4.0.3. Syslog Tutorial

As the administrator of a network, you have just completed all the configuration and it is
working nicely. Now maybe the next thing you want to do is to set up something that can alert you
when something goes wrong or goes down in your network. Syslog is an excellent tool for system
monitoring and is almost always available on your platform.

Places to store and display syslog messages

There are several places we can send syslog messages to:

Place to store syslog messages                  Command to use
Internal buffer (inside a switch or router)     logging buffered [size]
Syslog server                                   logging <ip-address-of-server>
Flash memory                                    logging file flash:filename
Nonconsole terminal (VTY connection…)           terminal monitor
Console line                                    logging console

Note: If sent to a syslog server, messages are sent on UDP port 514. Plain syslog is neither encrypted
nor authenticated, so anyone on the path can read the messages or inject fake ones; IOS can also send
syslog over TCP (“logging host <ip> transport tcp”), and a collector on a separate management network
is the usual answer.

By default, Cisco routers and switches send log messages to the console. We should use a syslog
server to keep our logging messages, configured with the logging command. A syslog server is the most
popular place to store logging messages, and administrators can easily monitor the health of their
networks based on the received information.
Syslog syntax

A syslog message has the following format:

seq no: timestamp: %FACILITY-SEVERITY-MNEMONIC: message text

Each portion of a syslog message has a specific meaning:

+ Seq no: a sequence number, present only if the service sequence-numbers global configuration
command is configured.
+ Timestamp: date and time of the message or event. This information appears only if
the service timestamps global configuration command is configured.
+ FACILITY: the protocol, module, or process that generated the message. Some
examples are SYS for the operating system, IF for an interface, etc.
+ SEVERITY: a number from 0 to 7 designating the importance of the action reported.

The Syslog levels are:

Level  Keyword        Description
0      emergencies    System is unusable
1      alerts         Immediate action is needed
2      critical       Critical conditions exist
3      errors         Error conditions exist
4      warnings       Warning conditions exist
5      notifications  Normal, but significant, conditions exist
6      informational  Informational messages
7      debugging      Debugging messages

Note: You can remember the order above with the sentence: “Eventually All Critical Errors
Will Not Involve Damage”.

The highest (most severe) level is level 0 (emergencies). The lowest is level 7. To change the minimum
severity level that is sent to the syslog server, use the logging trap level global configuration command.
If you specify a level, that level and all the more severe levels (lower numbers) are sent. For example,
with the logging console warnings command, all messages of level emergencies, alerts, critical, errors
and warnings are displayed on the console. Levels 0 through 4 are for events that could seriously impact
the device, whereas levels 5 through 7 are for less important events. By default, syslog servers receive
informational messages (level 6) and everything more severe.

+ MNEMONIC: a code that identifies the action reported.
+ message text: a plain-text description of the event that triggered the syslog message.

Let’s see an example of a syslog message:

39345: May 22 13:56:35.811: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to down

+ seq no: 39345
+ Timestamp: May 22 13:56:35.811
+ FACILITY: LINEPROTO
+ SEVERITY level: 5 (notifications)
+ MNEMONIC: UPDOWN
+ message text: Line protocol on Interface Serial0/0/1, changed state to down

Note: Facility levels and syslog levels are different. The facility represents the machine process
that created the syslog event. Therefore the Facility value is a way of determining which process on
the machine created the message: for example, whether the event was created by the kernel, by the mail
system, by security/authorization processes, etc.

Facility          Description
auth              Authorization system
cron              Cron/at facility
daemon            System daemons
kern              Kernel
local0 to local7  Local use
lpr               Line printer system
mail              Mail system
news              USENET news
sys9 to sys14     System use
syslog            Syslog itself
user              User process
uucp              Unix-to-Unix copy system

The default syslog facility setting on Cisco devices is local7; it can be changed with the logging
facility command.
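The message format, the severity threshold of logging trap and the facility codes above, worked through in an added Python example (not code from the 9tut tutorial). It parses IOS-style lines into their parts, applies the threshold the way the device does, and computes the PRI value (facility × 8 + severity, RFC 3164) that prefixes each message on the wire when the default facility local7 is in use. The sample log lines are constructed for the example, as are the function names.

```python
import re

# Added example (not from the 9tut page): parse Cisco IOS syslog lines, apply the
# "logging trap <level>" threshold and compute the on-the-wire PRI value.
# The sample lines below are constructed for this example.
SYSLOG_RE = re.compile(
    r"^(?:(?P<seq>\d+):\s+)?"                                                  # service sequence-numbers
    r"(?:(?P<ts>[*.]?[A-Z][a-z]{2}\s+\d{1,2}(?:\s+\d{4})?\s+\d{2}:\d{2}:\d{2}"   # service timestamps
    r"(?:\.\d{3})?(?:\s+[A-Z]{3,4})?):\s+)?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$")

SEVERITY = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
            4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# RFC 3164 facility codes; PRI = facility * 8 + severity
FACILITY_CODE = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5, "lpr": 6,
                 "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
                 **{"local%d" % i: 16 + i for i in range(8)}}

def parse_syslog(line):
    """Split one IOS message into seq, ts, facility, severity, mnemonic, text (None if it is not one)."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["seq"] = int(d["seq"]) if d["seq"] else None
    d["severity"] = int(d["severity"])
    d["severity_name"] = SEVERITY[d["severity"]]
    return d

def passes_trap_level(msg, level):
    """'logging trap <level>': forward if the message is at <level> or more severe (lower number)."""
    return msg["severity"] <= level

def pri(facility, severity):
    """PRI field of a message on the wire, e.g. <189> for local7 (IOS default) + notifications."""
    return FACILITY_CODE[facility] * 8 + severity

def filter_for_server(lines, trap_level=6, facility="local7"):
    """(pri, parsed message) for every line the device would send to the syslog server."""
    out = []
    for line in lines:
        msg = parse_syslog(line)
        if msg and passes_trap_level(msg, trap_level):
            out.append((pri(facility, msg["severity"]), msg))
    return out

# Constructed sample lines in IOS format (not captured from a real device).
SAMPLE = [
    "39345: May 22 13:56:35.811: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to down",
    "39346: May 22 13:57:02.104: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed]",
    "%SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "this line is not a syslog message",
]
```

With `logging trap 4` only the failed login would leave the device: the configuration change (severity 5) would stay in the local buffer, which is the usual reason a collector never sees who reconfigured a router. Keep the trap level at 6 for anything you want to investigate later and let the collector do the filtering.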

Syslog Configuration

The following example tells the device to send syslog messages to a server at 10.10.10.150 and
limit the messages to severity 4 and more severe (levels 0 through 4):

Router(config)#logging 10.10.10.150
Router(config)#logging trap 4

Of course on the server 10.10.10.150 we have to run syslog software to capture the syslog
messages sent to it.

4.0.4. Network Address Translation (NAT) Tutorial

To reach the Internet we need a public IP address, one that is unique all over the world. If each
host in the world required a unique public IP address, we would have run out of IPv4 addresses years
ago. But by using Network Address Translation (NAT) we can save tons of IP addresses for later
use. We can understand NAT like this:

“NAT allows a host that does not have a valid registered IP address to communicate with other
hosts through the Internet”

For example, your computer is assigned a private IP address of 10.0.0.9. Of course this address
cannot be routed on the Internet, but you can still access the Internet. This is because your router
(or modem) translates this address into a public IP address, 123.12.23.1 for example, before
routing your data onto the Internet.

Of course, when your router receives a reply packet destined for 123.12.23.1 it converts it back to
your private IP 10.0.0.9 before sending that packet to you.
Maybe you will ask: “hey, I don’t see how NAT saves tons of IP addresses,
because you still need a public IP address for each host that accesses the Internet, so it doesn’t save
you anything. Why do you need NAT?”

Ok, you are right :). In the above example we don’t see its usefulness, but you now understand the
fundamentals of NAT!

Let’s take another example!

Suppose your company has 500 employees but your Internet Service Provider (ISP) only gives you
50 public IP addresses. It means that you can only allow 50 hosts to access the Internet at the
same time. Here NAT comes to save your life!

One thing you should notice is that in real life not all of your employees use the Internet at the same
time. Say, maybe 50 of them use the Internet to read the newspaper in the morning; 50 others use the
Internet at noon to check mail… By using NAT you can dynamically assign these 50 public IP
addresses to those who really need them at that time. This is called dynamic NAT.

But the above NAT solution does not solve our problem completely, because on some days there can
be more than 50 people surfing the web in the morning. In this case only the first 50 people can
access the Internet; the others must wait their turn.

Another problem is that, in fact, your ISP gives you far fewer IP addresses than 50,
because each public IP is very precious now.

To solve the two problems above, another feature of NAT can be used: NAT Overload, also
called Port Address Translation (PAT).

PAT permits multiple devices on a local area network (LAN) to be mapped to a single public IP
address with different port numbers, which is why it is also known as port address translation (PAT).
When using PAT, the router maintains unique source port numbers on the inside global IP address
to distinguish between translations. In the example below, each host is mapped to the same public
IP address 123.1.1.1 but with different port numbers (from 1000 to 1002).

Note: Cisco uses the term inside local for the private IP addresses and inside global for the
public IP addresses that the router substitutes for them.

The outside host’s IP address can also be changed by NAT. The outside global address represents
the outside host with a public IP address that can be routed on the public Internet.

The last term, outside local address, is the address of an external device as it is referred to
by devices on the inside network. You can think of the outside local address as the inside local
address of the external device which lies at the other end of the Internet.

Maybe you will ask how many ports we can use for each IP. Because the port number field
has 16 bits, PAT can support 2^16 = 65,536 ports per transport protocol, i.e. more than 64,000
concurrent translations on one public IP address.

Now you have learned the most useful features of NAT, but we should summarize all the features of
NAT:

There are two types of NAT translation: dynamic and static.

Static NAT: Designed to allow a one-to-one mapping between local and global addresses. This flavor
requires you to have one real Internet IP address for every host on your network that needs translation.

Dynamic NAT: Designed to map an unregistered IP address to a registered IP address from a pool
of registered IP addresses. You don’t have to statically configure your router to map an inside to an
outside address as in static NAT, but you do have to have enough real IP addresses for everyone
who wants to send packets through the Internet at the same time. With dynamic NAT, you can configure
the NAT router with more addresses in the inside local address list than in the inside global address
pool. The router allocates registered public IP addresses from the pool until all are allocated. If all
the public IP addresses are already allocated, the router discards the packet that requires a public
IP address.

PAT (NAT Overloading): is also a kind of dynamic NAT that maps multiple private IP addresses to
a single public IP address (many-to-one) by using different ports. Static NAT and dynamic NAT both
require a one-to-one mapping from the inside local to the inside global address. By using PAT, you
can have thousands of users connect to the Internet using only one real global IP address. PAT is
the technology that helps us not run out of public IP addresses on the Internet. This is the most
popular type of NAT.

Besides, NAT gives you the option to advertise only a single address for your entire network to the
outside world, which hides the internal addressing from the public. Do not mistake this for a security
control: a PAT router drops unsolicited inbound packets only because it has no translation entry for
them, it does not inspect what it does forward, and internal addresses still leak through application
data. A firewall policy is still required.

NAT terms:

* Inside local address – The IP address assigned to a host on the inside network. The address is
usually not an IP address assigned by the Internet Network Information Center (InterNIC) or service
provider. This address is likely to be an RFC 1918 private address.
* Inside global address – A legitimate IP address assigned by the InterNIC or service provider
that represents one or more inside local IP addresses to the outside world.
* Outside local address – The IP address of an outside host as it is known to the hosts on the
inside network.
* Outside global address – The IP address assigned to a host on the outside network. The owner
of the host assigns this address.
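The translation table behind dynamic NAT and PAT, using the terms just defined, as an added Python example (not code from the 9tut tutorial). Outbound packets get an inside global address (and, for PAT, a port on it), replies are mapped back through the reverse table, a dynamic NAT pool that runs dry drops the packet, and an inbound packet with no entry is dropped. The class and method names are invented; the addresses are the ones used in the text.

```python
# Added example (not part of the 9tut tutorial): a translation table for dynamic NAT and for
# PAT (NAT overload), with the inside/outside local/global terms used above. The class and
# method names are invented for this example; addresses are the ones used in the text.
class NatRouter:
    def __init__(self, inside_global_pool, overload=True):
        self.pool = list(inside_global_pool)   # inside global addresses the ISP gave us
        self.overload = overload               # True = PAT, False = dynamic NAT (one global per host)
        self.table = {}     # (proto, inside local, local port) -> (inside global, global port)
        self.reverse = {}   # (proto, inside global, global port) -> (inside local, local port)
        self.dyn = {}       # dynamic NAT only: inside local -> inside global currently held

    def _alloc_port(self, proto, gaddr, wanted):
        """PAT keeps the original source port when it is still free on the global address,
        otherwise it picks the next unused port."""
        if (proto, gaddr, wanted) not in self.reverse:
            return wanted
        for port in range(1024, 65536):
            if (proto, gaddr, port) not in self.reverse:
                return port
        return None                                    # all ports of this protocol in use

    def outbound(self, proto, inside_local, lport):
        """Packet leaving the inside interface. Returns the (inside global, port) to write into
        the packet, or None when the router has to discard it."""
        key = (proto, inside_local, lport)
        if key in self.table:                          # existing translation for this flow
            return self.table[key]
        if self.overload:
            gaddr = self.pool[0]
            gport = self._alloc_port(proto, gaddr, lport)
            if gport is None:
                return None
        else:
            gaddr = self.dyn.get(inside_local)
            if gaddr is None:
                free = [a for a in self.pool if a not in self.dyn.values()]
                if not free:
                    return None                        # pool exhausted: packet discarded
                gaddr = free[0]
                self.dyn[inside_local] = gaddr
            gport = lport                              # dynamic NAT rewrites the address only
        self.table[key] = (gaddr, gport)
        self.reverse[(proto, gaddr, gport)] = (inside_local, lport)
        return gaddr, gport

    def inbound(self, proto, inside_global, gport):
        """Reply arriving on the outside interface: (inside local, port) to restore, or None.
        None is what makes unsolicited inbound connections fail; it is a side effect of the
        table, not a security policy."""
        return self.reverse.get((proto, inside_global, gport))

    def entries(self):
        """Rows in the style of 'show ip nat translations' (outside local and outside global
        are identical here because the outside side is not translated)."""
        return [(proto, "%s:%d" % (il, lp), "%s:%d" % (ig, gp))
                for (proto, il, lp), (ig, gp) in self.table.items()]
```

Two inside hosts that happen to pick the same source port end up on different global ports, which is why a server on the Internet can never tell two PAT clients apart by address alone, and why logs from the NAT router (the table above, with timestamps) are needed to attribute an outbound connection to an inside host.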

To learn how to configure NAT please read my Configure NAT GNS3 Lab tutorial

4.0.5. Forwarding per-hop behavior (PHB) for QoS Tutorial

Quality of Service (QoS) is a tool that allows our network to prioritize certain types of traffic. QoS
defines the actions that a device can apply to a message between the time it enters the device
and the time it exits the device. These actions are called per-hop behaviors (PHBs). With PHBs, we can
discard, delay, or even change a header field of each packet. The goal of a PHB is to provide a
specified amount of network resources to a class of traffic on a contiguous network.

PHBs use a set of codepoints to mark packets with different levels of priority. These codepoints are
carried in the 6-bit Differentiated Services Code Point (DSCP) field, which occupies the upper six bits
of the byte originally defined as Type Of Service (ToS) in the IPv4 header (the remaining two bits are
used for ECN).

The key components of PHB are listed below:

+ Classification: When receiving a packet, the first thing a networking device does is to examine
the packet’s header to determine what kind of data is inside. This is called classification and
involves categorizing network traffic into different groups based on specific criteria like IP address,
protocol, port, or application type. An example of classification is shown below:

class-map match-all CLASSIFICATION_HTTP
 match access-group 100
!
access-list 100 permit tcp any any eq 80

In this example, we have created a class map named “CLASSIFICATION_HTTP” that matches all
traffic permitted by access-group 100. Access-list 100 permits TCP traffic with destination port 80.

+ Marking: A packet can be classified when entering or leaving a device but there may be many
other devices on its journey to the destination and this repeated process is time-consuming. A
more efficient way is to classify the packets once as close to the source as possible and mark them
to a QoS standard. This is called marking, which is the process of changing the packet’s header so
that other devices know which level (quality) of service should be applied to the packets by just
reading the marking. With IP packets, we can mark with either a precedence or DSCP value.

An example of marking is shown below:

policy-map MARKING_HTTP
class CLASSIFICATION_HTTP
set dscp af21
!

In this example, we have created a policy map named “MARKING_HTTP” that marks all traffic
matching the “CLASSIFICATION_HTTP” class with DSCP value of “af21”.

Apply (activate) the policy-map to an interface:

interface FastEthernet0/1
service-policy output MARKING_HTTP
!
In this example, we have applied the “MARKING_HTTP” policy map to FastEthernet0/1 interface for
outbound traffic.
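What the classification and marking steps above do to an actual packet, as an added Python example (not code from the 9tut tutorial): the PHB name af21 is turned into its DSCP value, a constructed IPv4/TCP packet is classified with the same rule as access-list 100 (TCP, destination port 80), the DS field is rewritten while the two ECN bits are kept, and the IPv4 header checksum is recomputed, which any real marking device must do or the next hop discards the packet. The packet contents and function names are assumptions of the example.

```python
import struct
from socket import inet_aton

# Added example (not part of the 9tut tutorial): what "class-map ... match access-group 100"
# and "set dscp af21" do to an IPv4 packet. Packets are constructed here; names are invented.

def dscp_value(name):
    """PHB name -> 6-bit DSCP (RFC 2474/2597/3246): afXY = 8*X + 2*Y, csX = 8*X, ef = 46."""
    n = name.lower()
    if n in ("default", "be", "cs0"):
        return 0
    if n == "ef":
        return 46
    if n[:2] == "cs" and n[2:].isdigit() and 0 <= int(n[2:]) <= 7:
        return 8 * int(n[2:])
    if n[:2] == "af" and len(n) == 4 and n[2] in "1234" and n[3] in "123":
        return 8 * int(n[2]) + 2 * int(n[3])
    raise ValueError("unknown PHB name: %s" % name)

def ipv4_checksum(header):
    """One's-complement sum of the header's 16-bit words; evaluates to 0 on a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src, dst, proto, payload_len, tos=0):
    h = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0x1234, 0x4000,
                    64, proto, 0, inet_aton(src), inet_aton(dst))
    return h[:10] + struct.pack("!H", ipv4_checksum(h)) + h[12:]

def classify(pkt):
    """access-list 100 permit tcp any any eq 80 -> class CLASSIFICATION_HTTP."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] == 6 and len(pkt) >= ihl + 4:          # protocol 6 = TCP; dst port = TCP bytes 2-3
        dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
        if dport == 80:
            return "CLASSIFICATION_HTTP"
    return "class-default"

def mark_dscp(pkt, dscp):
    """'set dscp': rewrite the upper 6 bits of the ToS byte, keep the 2 ECN bits,
    then recompute the header checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr = bytearray(pkt[:ihl])
    hdr[1] = (dscp << 2) | (hdr[1] & 0x03)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]

POLICY = {"CLASSIFICATION_HTTP": dscp_value("af21")}   # policy-map MARKING_HTTP

def apply_policy(pkt):
    """service-policy output MARKING_HTTP applied to one packet."""
    cls = classify(pkt)
    return mark_dscp(pkt, POLICY[cls]) if cls in POLICY else pkt

def dscp_of(pkt):
    return pkt[1] >> 2

def sample_packet(dport, tos=0x02):
    """Constructed IPv4 + TCP SYN from 10.1.1.5 to 203.0.113.10, ECN ECT(0) set in the ToS byte."""
    tcp = struct.pack("!HHIIBBHHH", 51000, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return build_ipv4_header("10.1.1.5", "203.0.113.10", 6, len(tcp), tos) + tcp
```

Because the DSCP is just six writable bits in the header, any host can set them itself; an edge device that trusts incoming markings hands its queues to whoever sends EF. The usual practice is to re-mark (or reset to default) at the trust boundary, exactly as this policy does for everything that is not in a matched class.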

+ Queuing: the process of holding packets in a queue and scheduling their transmission based on
priority. Utilizing algorithms such as Weighted Fair Queuing (WFQ), this process ensures high-
priority packets are transmitted before their low-priority counterparts.

An example of configuring queuing is shown below:

interface FastEthernet0/1
priority-queue out

+ Congestion: occurs when network bandwidth is insufficient to accommodate all traffic. PHB
includes mechanisms like Random Early Detection (RED) to manage congestion by discarding low-
priority packets before higher-priority ones.

+ Policing: involves monitoring network traffic and enforcing predetermined traffic rate limits.
Packets exceeding specified rate limits may be discarded or marked with a lower priority.

+ Shaping: Shaping controls the rate at which packets enter the network, preventing congestion and
ensuring timely transmission of all packets. Excess traffic is stored in a buffer and released at a
controlled rate, so the traffic conforms to the desired profile. Shaping is a gentler approach than
policing because it smooths out bursts instead of dropping them. Traffic shaping is applicable only
on outbound interfaces, because buffering and queuing happen only on outbound interfaces.

The figure above shows the difference between policing and shaping. With traffic policing, excess
traffic is usually dropped, while with traffic shaping, excess traffic is buffered and sent later
with a small delay.
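
To make the two ideas above concrete, here is an added example (not code from the 9tut tutorial or from Cisco IOS). The first part computes what “set dscp af21” actually writes into the IP header, using the AF encoding from RFC 2597 and the DS-byte layout from RFC 2474. The second part runs one constructed packet trace through the same token bucket twice, once as a policer (excess dropped) and once as a shaper (excess queued and released later), which is the difference the missing figure illustrates. The trace, rate and bucket size are made-up demo values.

```python
"""DSCP marking arithmetic plus a policer-versus-shaper simulation.

Added example for the QoS section; not code from the 9tut tutorial or from
Cisco IOS. AF-to-DSCP encoding follows RFC 2597, the TOS/DS byte layout
follows RFC 2474. The trace and bucket parameters are constructed.
"""
from collections import deque


# ---- Marking: what "set dscp af21" puts into the IP header ----

def af_to_dscp(af_class: int, drop_precedence: int) -> int:
    """AFxy -> DSCP = 8*x + 2*y (RFC 2597); af21 -> 18."""
    if not (1 <= af_class <= 4 and 1 <= drop_precedence <= 3):
        raise ValueError("AF classes are 1..4, drop precedences 1..3")
    return 8 * af_class + 2 * drop_precedence


def dscp_to_tos_byte(dscp: int, ecn: int = 0) -> int:
    """DSCP is the top 6 bits of the IPv4 TOS/DS byte, ECN the low 2 bits."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    return (dscp << 2) | (ecn & 0b11)


def ip_precedence(dscp: int) -> int:
    """Legacy IP Precedence is the top 3 bits of the DSCP (af21 -> 2)."""
    return dscp >> 3


# ---- Policing vs shaping: same token bucket, different handling of excess ----

# Constructed trace: one list of packet sizes (bytes) arriving per tick.
TRACE = [[1500, 1500], [500], [], [1500, 1500, 1500]]
RATE = 1000   # bytes of tokens refilled per tick (the committed rate)
BURST = 1500  # bucket depth: the largest burst the bucket will pass at once


def _check(arrivals, burst):
    if any(size > burst for tick in arrivals for size in tick):
        raise ValueError("a packet larger than the bucket can never conform")


def police(arrivals, rate=RATE, burst=BURST):
    """Policer: a packet that finds too few tokens is dropped on the spot.
    Returns (bytes sent per tick, number of packets dropped)."""
    _check(arrivals, burst)
    tokens, sent, dropped = burst, [], 0
    for tick in arrivals:
        tokens = min(burst, tokens + rate)
        out = 0
        for size in tick:
            if size <= tokens:
                tokens -= size
                out += size
            else:
                dropped += 1
        sent.append(out)
    return sent, dropped


def shape(arrivals, rate=RATE, burst=BURST):
    """Shaper: a non-conforming packet waits in a FIFO and is released once
    enough tokens accumulate, so excess is delayed rather than dropped. Keeps
    ticking after the last arrival until the queue drains.
    Returns (bytes sent per tick, deepest queue observed)."""
    _check(arrivals, burst)
    tokens, queue, sent, deepest = burst, deque(), [], 0
    pending = list(arrivals)
    while pending or queue:
        tokens = min(burst, tokens + rate)
        if pending:
            queue.extend(pending.pop(0))
        out = 0
        while queue and queue[0] <= tokens:
            size = queue.popleft()
            tokens -= size
            out += size
        deepest = max(deepest, len(queue))
        sent.append(out)
    return sent, deepest


if __name__ == "__main__":
    dscp = af_to_dscp(2, 1)
    print(f"af21 -> DSCP {dscp}, TOS byte 0x{dscp_to_tos_byte(dscp):02x}, "
          f"IP precedence {ip_precedence(dscp)}")
    p_sent, p_dropped = police(TRACE)
    s_sent, s_deepest = shape(TRACE)
    print("policer:", p_sent, "dropped", p_dropped)
    print("shaper :", s_sent, "deepest queue", s_deepest)
```

Running it shows the trade-off in numbers: the policer finishes in the same four ticks as the arrivals but discards three packets, while the shaper delivers every byte at the committed rate and needs nine ticks to do so, holding up to three packets in its buffer. The buffer is the cost of shaping, which is why it only makes sense on the outbound side where a queue already exists.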
4.0.6. Configure SSH for Remote Access on Cisco Router
One of the most popular ways to access a Cisco router remotely is Telnet, but it is an insecure
method because the data is sent unencrypted. If an attacker captures data from a Telnet session,
they can see details like a user's username and password, which gives them access to your
router.

SSH (Secure Shell) is a secure method for remote access because it provides authentication and
encryption. To do this, it uses an RSA public/private keypair. In this tutorial we are going to learn
how to configure R1 to accept remote SSH access, using the topology below.

Configuration

The first thing we need to do is to generate an RSA keypair. The name of the RSA keypair is built
from the hostname and domain name of the router, so we have to configure these two things first.

1. Configure a hostname for the router

Router(config)#hostname R1

2. Configure a domain name

R1(config)#ip domain-name 9tut.com

3. Generate the RSA keypair

Generate the RSA keypair that SSH will use to protect the session with the crypto key generate
rsa command.

R1(config)#crypto key generate rsa
The name for the keys will be: R1.9tut.com
Choose the size of the key modulus in the range of 360 to 4096 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 2048


% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 3 seconds)

The message displayed right after we enter this command, “The name for the keys will be:
R1.9tut.com”, shows that the key name combines the hostname of the router with the domain name we
configured; this is why we have to configure the hostname and domain name first.

The router also asks us to choose the modulus size for the key we are about to generate. The larger
the modulus, the stronger the key. For our example, we'll use a modulus of 2048, which is safe
nowadays.

4. Configure VTY lines to use SSH only (Telnet will be refused)

R1(config)#line vty 0 4
R1(config-line)#transport input ssh
R1(config-line)#login local

If for some reason we still want to allow Telnet alongside SSH, we can use “transport input ssh
telnet” instead.

5. Create a username/password in the local database on the router

R1(config)#username admin password password_SSH
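
Steps 1 to 5 together form a checklist that is easy to get slightly wrong (for example leaving “telnet” in “transport input”, or forgetting “login local” so the local user is never consulted). The following added example, which is not code from 9tut or from Cisco, audits a saved running-config for those conditions. The two config texts are constructed to match the steps above; one still permits Telnet, the other meets the SSH-only goal. The script also flags “username … password”, which stores the password in a reversible form in the configuration, whereas “username … secret” stores a hash. The RSA modulus size is not part of the running-config (it is shown by “show crypto key mypubkey rsa”), so it is outside this check.

```python
"""Audit a Cisco IOS running-config for the SSH prerequisites in steps 1-5.

Added example for this tutorial; it is not code from 9tut or Cisco. Both
config texts below are constructed, and the check wording is this script's own.
"""
import re

# Constructed config that follows the steps above but still permits Telnet
# and stores the user's password reversibly.
LOOSE_CONFIG = """\
hostname R1
!
ip domain-name 9tut.com
!
username admin password password_SSH
!
line vty 0 4
 transport input ssh telnet
 login local
!
"""

# Constructed config that meets the SSH-only goal of the tutorial.
STRICT_CONFIG = """\
hostname R1
!
ip domain-name 9tut.com
!
username admin secret password_SSH
!
line vty 0 4
 transport input ssh
 login local
!
"""


def parse_vty_blocks(config: str) -> list:
    """Return one {'name', 'cmds'} dict per 'line vty' block, with its
    indented sub-commands stripped of leading whitespace."""
    blocks, current = [], None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = {"name": raw.strip(), "cmds": []}
            blocks.append(current)
        elif raw.startswith(" ") and current is not None:
            current["cmds"].append(raw.strip())
        else:
            current = None  # '!' or another top-level command ends the block
    return blocks


def audit_ssh_config(config: str) -> list:
    """Return findings as strings; an empty list means every check passed."""
    findings = []
    if not re.search(r"^hostname \S+", config, re.M):
        findings.append("no hostname: the RSA key name needs hostname + domain")
    if not re.search(r"^ip domain-name \S+", config, re.M):
        findings.append("no ip domain-name: required before 'crypto key generate rsa'")
    if not re.search(r"^username \S+ (password|secret) ", config, re.M):
        findings.append("no local user: 'login local' would lock everyone out")
    for m in re.finditer(r"^username (\S+) password ", config, re.M):
        findings.append(f"user '{m.group(1)}' uses 'password' (reversible); use 'secret'")
    blocks = parse_vty_blocks(config)
    if not blocks:
        findings.append("no 'line vty' block: remote access is not configured")
    for block in blocks:
        transport = [c for c in block["cmds"] if c.startswith("transport input")]
        if not transport:
            findings.append(f"{block['name']}: no 'transport input' (default is platform dependent)")
        elif "telnet" in transport[-1].split():
            findings.append(f"{block['name']}: Telnet still allowed ('{transport[-1]}')")
        if "login local" not in block["cmds"]:
            findings.append(f"{block['name']}: 'login local' missing, local user is not consulted")
    return findings


if __name__ == "__main__":
    for label, cfg in (("loose", LOOSE_CONFIG), ("strict", STRICT_CONFIG)):
        print(f"{label}:", audit_ssh_config(cfg) or "OK")
```

Feed it the output of “show running-config” saved to a file and it reports exactly which of the five steps is incomplete; the constructed loose config produces two findings (Telnet still allowed, reversible password) and the strict one produces none.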

Verification

1. SSH from another Cisco device

Cisco routers also include a simple SSH client in the CLI, so we can connect to R1 easily. On R2 we
use the “ssh” command to SSH to R1:

R2#ssh -l admin 192.168.12.1

Password: ************ //type "password_SSH" here
R1>

The “-l” option specifies the username to log in with (“admin” in this case).

Yes, we can now SSH to R1!

2. SSH from a computer

A normal computer usually does not come with an SSH client, so we need to install one. One of the
most popular free SSH clients is PuTTY, so we download and use it.
Suppose we replace R2 with a configured PC. Open PuTTY, type “192.168.12.1” in the “Host Name”
field, set the port to 22 (SSH) and click “Open” to connect to the router via SSH.
