
CCNP Route Study Guide

1.0 Network Principles:


1.1 - Identify Cisco Express Forwarding concepts:
● Three different packet forwarding processes:
○ Process Switching: The router's CPU is directly involved in every packet
forwarding decision, which can cause poor performance. Configuration:
■ no ip route-cache
○ Fast Switching: Uses a fast cache in the router's data plane that records how
traffic from each data flow should be forwarded. The first packet of a flow is
usually process switched and populates the cache, so this is still CPU
intensive. Configuration:
■ ip route-cache
○ Cisco Express Forwarding: CEF is enabled by default. The FIB holds the Layer 3
forwarding information and the adjacency table holds the Layer 2 information
for the next-hop IPs in the FIB. Configuration:
■ Enable globally: ip cef
■ Enable per interface: ip route-cache cef
■ Display statistics: show ip cef, show adjacency, and show
interfaces X x/x.
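As an added illustration (not from the study guide or from Cisco IOS code), the two-table lookup CEF performs, modelled in Python over constructed tables: a longest-prefix match in the FIB yields the next hop and outgoing interface, and the adjacency table supplies the Layer 2 rewrite for that next hop. "Glean" for a next hop with no adjacency yet is standard CEF vocabulary assumed here, not a term from the page.

```python
import ipaddress

# Constructed sample tables, not from a real router.
# FIB entries: prefix -> (next-hop IP or None when directly connected, outgoing interface)
FIB = {
    ipaddress.ip_network("0.0.0.0/0"):   ("198.51.100.1", "GigabitEthernet0/0"),
    ipaddress.ip_network("10.0.0.0/8"):  ("10.1.1.2", "GigabitEthernet0/1"),
    ipaddress.ip_network("10.1.1.0/24"): (None, "GigabitEthernet0/1"),
    ipaddress.ip_network("10.1.2.0/24"): ("10.1.1.3", "GigabitEthernet0/1"),
}

# Adjacency table: next-hop IP -> Layer 2 rewrite (destination MAC), already resolved.
ADJACENCY = {
    "198.51.100.1": "00:11:22:33:44:01",
    "10.1.1.2": "00:11:22:33:44:02",
    "10.1.1.3": "00:11:22:33:44:03",
}


def fib_lookup(destination):
    """Longest-prefix match: the most specific FIB prefix containing the destination wins."""
    addr = ipaddress.ip_address(destination)
    best = None
    for prefix, entry in FIB.items():
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, entry)
    return best


def cef_forward(destination):
    """Model one CEF forwarding decision: FIB lookup, then adjacency lookup for the L2 rewrite.

    Returns a dict describing the decision, or None when no FIB entry matches (the
    sample FIB has a default route, so that only happens if it is removed)."""
    match = fib_lookup(destination)
    if match is None:
        return None
    prefix, (next_hop, interface) = match
    # For a directly connected prefix the next hop is the destination host itself.
    next_hop = next_hop or destination
    mac = ADJACENCY.get(next_hop)
    decision = {"prefix": str(prefix), "next_hop": next_hop, "interface": interface}
    if mac is None:
        # No L2 information yet: CEF punts the packet so ARP can resolve the next hop
        # (a "glean" adjacency; the term is CEF vocabulary, not from the page).
        decision["action"] = "glean"
    else:
        decision.update(action="forward", rewrite_mac=mac)
    return decision


if __name__ == "__main__":
    for dst in ("10.1.2.7", "10.5.5.5", "192.0.2.1", "10.1.1.9"):
        print(dst, "->", cef_forward(dst))
```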
1.2 - Explain general network challenges:
● Unicast flooding or asymmetric routing: traffic leaves through one path and returns
by a different one. This causes unknown unicast traffic for the returning
direction.
● Out-of-order packets are caused by having multiple paths to a destination network,
which can lead to TCP segments arriving out of order. TCP handles this by
requesting retransmission of the missing segments or by reordering them using
their sequence numbers.
1.3 - Describe IP operations:
● ICMP uses two primary message types:
○ Destination Unreachable: When a packet arrives at a router and the router
has no route for it, the router can send a destination unreachable
message back to the sender.
○ Redirect: Used when a different path than the original one (think PBR)
reaches the destination through a different next-hop IP address; the
original next-hop router tells the host about it with a redirect message.
● IPv4 uses fragmentation to split a packet into smaller pieces so that it can pass
through a link with a smaller MTU than the original default of 1500 bytes.
● IPv6 routers do not fragment; if a router sees a packet larger than its link MTU it
drops the packet.
● Time to live (TTL) limits how long (in router hops) a packet can "live" on a network.
Default is 30.
1.4 - Explain TCP operations:
● IPv4 and IPv6 both use the default MTU size of 1500 bytes.
● MSS, or maximum segment size, is the amount of data carried in a segment.
● Latency is the time a packet needs to travel from its source to its destination.
● TCP communication uses windowing: one or more segments are sent at one time,
and the receiver can acknowledge the receipt of all the segments in one window.
● The bandwidth-delay product is the maximum number of bits that can be in flight
on a network segment at any one time. It is calculated by multiplying the
segment's bandwidth (bits per second) by the latency packets experience as they
cross the segment.
● Global synchronization happens when a router's output queue fills to capacity and
packets from all TCP flows are dropped simultaneously, causing every flow to slow
start at the same time. To solve this, Cisco IOS uses Weighted Random Early
Detection (WRED), which drops packets from flows based on the number of packets
in the queue or on the QoS markings in the packet, before the queue fills to capacity.
1.5 - Describe UDP operations:
● UDP starvation occurs under network congestion: UDP flows keep sending while
TCP flows back off on loss, so UDP consumes the bandwidth and TCP "starves".
● UDP latency is lower because its header is smaller than TCP's.
1.6 - Recognize proposed changes to the network:
● When making changes and migrating routing protocols, consider the following:
○ Use AD: When migrating from one routing protocol to another, set the
administrative distance so that the new protocol can learn all the routes it
needs while the current protocol is still preferred. Once it has done so, change
the AD to prefer the new routing protocol.
○ Use route redistribution: When migrating between protocols, redistribute routes
into the new routing protocol to reduce downtime until you are ready to roll it
out to the rest of the network.
● Considerations for IPv6 migration:
○ Check IPv6 compatibility of equipment.
○ Run dual-stack routing.
○ Check ISP support for IPv6.
○ Configure NAT64.
○ Use NPTv6.
○ Send IPv6 traffic over an IPv6-over-IPv4 tunnel.
2.0 Layer 2 Technologies:
2.1 - Configure and Verify PPP:
● Point-to-Point Protocol (PPP) is an encapsulation protocol used on serial links.
● Configuring and verifying PPP:
○ To configure PPP, go into interface configuration mode and use the
encapsulation ppp command.
○ You can also configure authentication with the ppp authentication [pap |
chap] command.
○ Verify PPP with the show interfaces command.
● PPPoE runs PPP over Ethernet.
● PPPoE configuration:
○ On the client side you configure a dialer interface and a dialer pool:
■ interface dialer [#]
■ dialer pool [#]
■ encapsulation ppp
■ ip address negotiated
○ Then add the interface facing the ISP to the dialer pool you created:
■ Enter the interface with the interface x/x command.
■ Add it to the pool with pppoe-client dial-pool-number 1.
■ no shutdown, and no ip address on the physical interface.
■ The dial-pool number must match the dialer pool number configured
on the dialer interface above.
2.2 - Explain Frame Relay:
● Frame Relay is a WAN service that connects two or more routers. It uses the DLCI
in the Frame Relay header of each frame to identify and route frames.
● Three topologies are offered with Frame Relay:
○ Point-to-point: connects two routers together.
○ Multipoint: connects multiple routers together.
○ Point-to-multipoint: connects one router to multiple others.
● Remember that EIGRP split-horizon issues can occur when Frame Relay is the
WAN service.
3.0 Layer 3 Technologies:
3.1 - Identify, configure, and verify IPv4 addressing and subnetting:
● Address types:
○ Unicast address: belongs to a single device. A unicast packet travels between
only two hosts.
○ Broadcast address: represents all devices on a subnet. Pinging the broadcast
address pings every device within that subnet.
○ Multicast address: represents a group of devices for a specific function and is
commonly used by routing protocols.
○ VLSM: Variable Length Subnet Masking allows you to further divide subnets to
conserve IP addresses.
● Address Resolution Protocol (ARP) resolves another host's MAC address, which is
essential for forwarding packets on the link.
● DHCP relay is used by a router so it can forward DHCP requests to a DHCP server
on another subnet.
○ The ip helper-address command configures DHCP relay.
● A DHCP server allocates IP addresses and other information, such as the default
gateway and DNS server addresses, to hosts. The server can be a router, L3 switch,
or stand-alone PC, and it uses the client/server model. DHCP process:
○ DHCPDiscover: the host sends from source 0.0.0.0 to the broadcast address
255.255.255.255 to search for a DHCP server.
○ DHCPOffer: the DHCP server responds to the host and offers it an address.
○ DHCPRequest: the host requests the offered IP address.
○ DHCPAck: the DHCP server acknowledges the host's request and confirms the
IP address lease.
3.2 - Identify IPv6 addressing and subnetting:
● IPv6 address types:
○ Unicast addresses
○ Multicast addresses
○ Anycast addresses
● IPv6 Addresses:
○ Global Unicast Addresses: 2000::/3
○ Unique Local Addresses: FD00::/8
○ Link-Local Addresses: FE80::/10
○ Unspecified: ::/128
○ Loopback: ::1/128
○ Multicast: FF00::/8
■ Multicast addresses to note:
● EIGRP: FF02::A
● OSPF: FF02::5 and FF02::6
● All nodes on a link: FF02::1
● All routers on a link: FF02::2
● IPv6 addressing and subnetting:
○ Each address is defined by a prefix:
■ Ex: 2001:ABCD:ABCD:ABCD::/64
■ Above we started with a /48 prefix (2001:ABCD:ABCD); the next 16 bits
(ABCD) are the subnet bits, giving the /64.
■ The remaining 64 bits identify the host (the interface ID).
■ IPv6 can use EUI-64 to incorporate a host machine's MAC address
into the interface ID of its IPv6 address.
● IPv6 NDP operations:
○ Neighbor Discovery protocol uses the following messages to do its work:
■ Neighbor Advertisement/Solicitation.
■ Router Advertisement/Solicitation.
● DHCPv6 types:
○ SLAAC: each host creates its own IPv6 address and uses stateless DHCPv6 to
get the DNS server address.
○ Stateful: addresses are assigned by a DHCPv6 server, which keeps track of all
assigned IPv6 addresses.
○ Stateless: used with SLAAC; supplies options such as DNS but no addresses.
○ Prefix delegation: hands a whole prefix to the requesting device.
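An added example, not from the study guide: Python that classifies an IPv6 address against the prefixes listed above (multicast written in its standard form FF00::/8), extracts the 16 subnet bits between a /48 site prefix and the /64, and derives a modified EUI-64 interface ID from a MAC address (U/L bit flipped, FFFE inserted), which goes beyond the page's one-line mention of EUI-64. The sample MAC and prefixes are constructed.

```python
import ipaddress

# Address ranges listed in the study guide (multicast in its standard form FF00::/8).
IPV6_RANGES = [
    ("Global Unicast", ipaddress.IPv6Network("2000::/3")),
    ("Unique Local", ipaddress.IPv6Network("FD00::/8")),
    ("Link-Local", ipaddress.IPv6Network("FE80::/10")),
    ("Unspecified", ipaddress.IPv6Network("::/128")),
    ("Loopback", ipaddress.IPv6Network("::1/128")),
    ("Multicast", ipaddress.IPv6Network("FF00::/8")),
]

# Well-known link-scope multicast groups named in the guide.
WELL_KNOWN_MULTICAST = {
    "ff02::1": "All nodes on a link",
    "ff02::2": "All routers on a link",
    "ff02::5": "OSPFv3 all SPF routers",
    "ff02::6": "OSPFv3 all DR routers",
    "ff02::a": "EIGRP routers",
}


def classify(address):
    """Name the address type; the most specific range is checked first."""
    addr = ipaddress.IPv6Address(address)
    for name, net in sorted(IPV6_RANGES, key=lambda r: -r[1].prefixlen):
        if addr in net:
            if name == "Multicast":
                return WELL_KNOWN_MULTICAST.get(addr.compressed, name)
            return name
    return "Unknown/reserved"


def subnet_field(address, site_prefix_len=48, subnet_prefix_len=64):
    """Hex value of the subnet bits between the site prefix and the /64 (ABCD in the page's example)."""
    value = int(ipaddress.IPv6Address(address))
    width = subnet_prefix_len - site_prefix_len
    field = (value >> (128 - subnet_prefix_len)) & ((1 << width) - 1)
    return format(field, f"0{width // 4}x")


def eui64_interface_id(mac):
    """Modified EUI-64: flip the U/L bit (0x02) of the first octet and insert FFFE in the middle."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def eui64_address(prefix, mac):
    """Combine a /64 prefix with the EUI-64 interface ID derived from the MAC (compressed text)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid).compressed


if __name__ == "__main__":
    # Constructed sample MAC address.
    mac = "00:0c:29:ab:cd:ef"
    print(eui64_address("2001:db8:abcd:abcd::/64", mac))
    print(eui64_address("fe80::/64", mac), classify(eui64_address("fe80::/64", mac)))
    print(subnet_field("2001:abcd:abcd:abcd::1"))
```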

3.3 - Configure and verify static routing:


● Static routes tell the router how to reach a certain subnet.
● Configuration:
○ ip route [prefix] [subnet mask] [next-hop IP | outgoing interface]
● Verification:
○ Verify the static route with the show ip route command. Another way to verify
is with the traceroute command.
3.4 - Configure and verify default routing:
● A default route tells a router where to send packets when the routing table has no
route to the destination subnet.
● Configuration:
○ ip route 0.0.0.0 0.0.0.0 [next-hop IP | outgoing interface]
● Verification:
○ show ip route shows the default route in the IP routing table.
3.5 - Evaluate routing protocol types:
● Distance Vector routing protocols use hop count to determine the best path to a
subnet. Examples of Distance Vector routing protocols:
○ RIPng
○ RIP
○ RIPv2
● Link State routing protocols build a topology of the network in their databases.
Examples of Link State routing protocols:
○ OSPF
○ IS-IS
● Path Vector routing protocols use path attributes to determine the best path
(route) to a subnet. There is only one Path Vector routing protocol:
○ BGP
● Advanced Distance Vector routing protocols are a mix of Distance Vector and
Link State routing protocols. Example:
○ EIGRP
3.6 - Describe administrative distance:
● Administrative distance (AD) tells a router how trustworthy a routing source is.
When more than one routing protocol offers a route to the same prefix, the router
installs the one with the lowest AD. The lower the better!
3.7 - Troubleshoot passive interfaces:
● Passive interfaces will neither send nor receive messages for a particular routing
protocol.
○ To find passive interfaces use one or more of the following commands:
■ show ip protocols
■ show ip interface x/x
■ show run
3.8 - Configure and verify VRF lite:
● VRF, or virtual routing and forwarding, allows you to host multiple virtual routers,
each with its own routing table, on one physical router.
● VRF segments traffic and is commonly used in service provider networks.
● Configuration and verification:
○ Create the VRF with ip vrf [name].
○ Assign an interface to the VRF with ip vrf forwarding [name].
○ To verify use the following commands:
■ show ip vrf [name]
■ show ip route vrf [name]
■ ping vrf [name] [ip address]

3.9 - Configure and verify filtering with any protocol:


● Configuration and verification:
○ Configure an ACL, a prefix list, or a route map.
○ Apply it under the routing protocol, optionally per interface, with a distribute list:
■ distribute-list [acl | prefix prefix-list | route-map map] [in | out] [interface]
○ Verification:
■ show ip route
■ show run
3.10 - Configure and verify redistribution between any routing protocols or routing sources:
● Route redistribution allows you to redistribute routes from one routing protocol
into another.
● With a single routing source route redistribution is simple, but with multiple
routing sources routing loops can occur. To stop these loops you can use any of
the following:
○ Per-route administrative distance settings.
○ Filtering routes based on prefix length.
○ Route tags.
● Redistributing routes into OSPF:
○ Routes taken from BGP get a default metric of 1.
○ Routes taken from another OSPF process keep the source route metric.
○ Routes taken from other routing protocols get a default metric of 20.
○ Only classful networks are redistributed unless the subnets keyword is used.
○ Determining routes for Type 2 external routes (E2) (Intra-Area):
■ Find the advertising ASBRs listed in the Type 5 LSA(s).
■ Calculate the lowest-cost route to reach any of the ASBRs based on the
intra-area LSDB.
■ Use the outgoing interface and next hop of that best route.
○ Determining routes for Type 2 external routes (E2) (Inter-Area):
■ Calculate the cost to the ABR based on Type 1 and 2 LSAs.
■ Add the cost from the ABR to the ASBR, as listed in the Type 4 LSA.
○ Determining routes for Type 1 external routes (E1) (Intra-Area):
■ Add the internal OSPF cost to the external metric in the Type 5 LSA.
○ Determining routes for Type 1 external routes (E1) (Inter-Area):
■ Add the best intra-area cost to reach the ABR, the cost from the ABR to
the ASBR in the Type 4 LSA, and the external cost for the route in the
Type 5 LSA.
○ OSPF prefers E1 over E2 routes.
○ Configuration:
■ redistribute [protocol] [process number | AS number] [metric-type
{1 | 2}] [match {internal | external 1 | external 2 | nssa-external}]
[tag {tag value}] [route-map map-tag] [subnets]
■ Verify by looking at the routing table.
● Redistribution into EIGRP:
○ Routes need default metrics set before they can be redistributed into EIGRP
(except when going from EIGRP to EIGRP).
○ Default metrics can be set in one of three ways:
■ Set a default for all redistribute commands with default-metric
[bandwidth] [delay] [reliability] [load] [mtu]; the last three are ignored
in the metric calculation by default, but they must still be supplied for
the command to be accepted.
■ Set the metric for all routes from one redistribute command with the
metric [bandwidth] [delay] [reliability] [load] [mtu] option on that
command.
■ Set different metrics for different routes from one routing source with a
route-map on the redistribute command.
■ Metrics:
● Reliability [0-255], 255 being the best.
● Load [1-255], 1 being the best.

3.11 - Configure and verify manual and auto summarization with any routing protocol:
● By default, OSPF and EIGRP both support auto summarization at the classful
boundary.
● Configuration for OSPF:
○ Manual summarization can only be configured at the ABR and ASBR:
■ ABR: area # range [ip address] [mask] [cost]
■ ASBR: summary-address [ip address] [mask]
● Configuration for EIGRP:
○ Configure on the router that owns the component routes, under interface
configuration mode:
■ ip summary-address eigrp [ASN] [ip address] [mask]
● Configuration for RIP:
○ RIPv1 only supports auto summarization at classful boundaries.
○ RIPv2 allows manual summarization. Configure on the router that owns the
component routes, under interface configuration mode:
■ ip summary-address rip [ip address] [mask]
● Configuration for BGP:
○ Use the aggregate-address command or auto summarization.
● Verify that the summarization took effect by checking the routing table.

3.12 - Configure and verify policy-based routing:


● PBR lets you control which path the router uses for traffic from a particular
subnet, overriding the routing table's choice.
● Configuration:
○ Create an ACL that matches the traffic.
○ Match that ACL in a route-map permit statement and include a set ip next-hop
[ip address] clause that determines the next-hop IP address.
○ Apply the route-map to the ingress interface with ip policy route-map [name].
3.13 - Identify suboptimal routing:
● Suboptimal routing occurs when a packet takes a worse route to a destination
instead of a better/shorter route that exists.
● This usually occurs with route redistribution and can be handled in three ways:
○ Per-Route Administrative Distance settings.
○ Filtering routes based on Prefix Length.
○ Route Tags.
3.14 - Explain route maps:
● Route maps match ACLs or prefix lists and apply actions to the matching routes,
such as:
○ Setting the next-hop IP
○ Setting tags
○ Setting metrics
3.15 - Configure and verify loop prevention mechanisms:
● Route tagging marks routes with a tag so that when a router receives a route
carrying that tag it can ignore the route, preventing the loop.
● Split horizon: when EIGRP receives updates for a prefix on one interface, it does
not send those updates back out that same interface.
● Route poisoning prevents a network from sending packets to a destination that has
become invalid. DV protocols, especially RIP, do this by advertising the route with
an infinite metric.

3.16 - Configure and verify RIPv2:


● RIP version 2 characteristics:
○ Allows VLSM
○ Allows Classless addressing.
○ Uses multicast address of 224.0.0.9 while RIPv1 uses broadcasts.
○ Max hop count is 15 and 16 is considered infinite.
● Configuration:
○ router rip
○ version [1 | 2]
○ network a.b.c.d
● Verification:
○ show ip protocols
○ show ip route
3.17 - Describe RIPng:
● RIPng, or RIP next generation, is RIP for IPv6.
● Configuration:
○ ipv6 unicast-routing
○ ipv6 router rip [name]
○ Optional:
■ Use the ipv6 enable command on the interface to let it derive its own
link-local address.
○ Enable RIPng on an interface with the ipv6 rip [name] enable command.
● Verification:
○ show ipv6 interface
○ show ipv6 protocols
3.18 - Describe EIGRP packet types:
● EIGRP uses five packet types to do its work:
○ Hello: used to create and maintain neighbor adjacencies.
○ Ack: used between routers to acknowledge that an Update or Reply message
was received.
○ Update: used for topology exchange; includes the prefix, prefix length, metric
components such as delay and bandwidth, and non-metric items such as MTU
and hop count.
○ Query: sent to find an alternate route to a subnet when no feasible successor
exists.
○ Reply: sent in response to a Query, telling the querying router about a
loop-free alternate route for the failed subnet (the router that receives a
Reply acknowledges it with an Ack).
3.19 - Configure and verify EIGRP neighbor relationship and authentication:
● You can verify EIGRP neighbor relationships with the following commands:
○ show ip eigrp neighbors [detail]
○ show ip protocols
● EIGRP authentication configuration and verification:
○ Classic EIGRP supports only MD5.
○ Create a key chain.
○ Enable MD5 on the interface with ip authentication mode eigrp [asn] md5.
○ Refer to the key chain with ip authentication key-chain eigrp [asn]
[keychain name] and verify with show key chain.
● EIGRPv6 authentication configuration and verification:
○ Supports MD5.
○ Configuration and verification:
■ Create a key chain.
■ Use the ipv6 authentication mode eigrp [asn] md5 command.
■ Refer to the key chain with ipv6 authentication key-chain eigrp [asn]
[key-chain name].
■ Verification: show interfaces to verify, plus show key chain or show run.
● Named EIGRP authentication configuration and verification:
○ Supports MD5 and SHA.
○ Configuration and verification:
■ Create a key chain.
■ Enable authentication under af-interface with the authentication mode
{md5 | hmac-sha-256 [password]} command.
■ Refer to the key chain with authentication key-chain [key chain name].
3.20 - Configure and verify EIGRP stubs:
● An EIGRP stub router does not forward transit traffic between two remote EIGRP
subnets.
○ Neighbors do not send queries to a stub, so the going-active (DUAL) process
converges faster, and the stub cannot become a suboptimal transit path.
○ Manual summarization can also decrease convergence time of the going-active
(DUAL) process: if a router receives a query for a subnet that it does not have
an exact route to, but has a summary route that includes it, it can reply to
that query without forwarding the query to its neighbors.
● Configuration and verification:
○ eigrp stub [connected | receive-only | static | redistributed | summary]
configures the router as a stub router.
○ show ip eigrp neighbors detail on a neighbor lists the stub router(s).
3.21 - Configure and verify EIGRP load balancing:
● Two types of EIGRP load balancing (load sharing) are available:
○ Equal cost
○ Unequal cost
● Equal-cost load balancing shows in the routing table as more than one route to the
same subnet.
○ The number of equal-cost paths installed is set by maximum-paths; the default
is 4.
● Unequal-cost load balancing configuration:
○ Uses the variance command, which multiplies the successor's Feasible Distance
(FD) by the value specified. Any feasible successor whose metric is less than
or equal to that product is also added to the routing table.
3.22 - Describe and optimize EIGRP metrics:
● By default, EIGRP uses the cumulative delay and the lowest bandwidth along the
path as its metric components. It can also use load and reliability, but MTU is
never part of the metric.
○ You can logically (not physically) change the delay and speed of a link with
the delay and bandwidth (kbps) interface commands.
○ Default bandwidth and delay values per link type:
■ Serial = 1544 kbps and 20,000 microseconds.
■ GigE = 1,000,000 kbps and 10 microseconds.
■ FastE = 100,000 kbps and 100 microseconds.
■ Ethernet = 10,000 kbps and 1000 microseconds.
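The EIGRP metric and variance rules from 3.21 and 3.22 worked through in Python, as an added example that is not part of the study guide: it uses the page's default bandwidth and delay values, the standard classic-metric formula with default K values (assumed here, not spelled out on the page), and a constructed set of four neighbors, one of which fails the feasibility condition even though its metric is close.

```python
from dataclasses import dataclass

# Default bandwidth (kbps) and delay (microseconds) per link type, as listed in 3.22.
LINK_DEFAULTS = {
    "serial": (1544, 20_000),
    "gige": (1_000_000, 10),
    "faste": (100_000, 100),
    "ethernet": (10_000, 1_000),
}


def eigrp_metric(bandwidths_kbps, delays_usec):
    """Classic EIGRP composite metric with default K values (K1 = K3 = 1, others 0):
    256 * (10^7 / lowest bandwidth + cumulative delay / 10), with IOS-style integer division.
    The formula is standard EIGRP; it is assumed here rather than stated on the page."""
    return 256 * (10_000_000 // min(bandwidths_kbps) + sum(delays_usec) // 10)


@dataclass
class Path:
    via: str          # neighbor advertising the destination
    local_link: str   # link type from this router to that neighbor
    nbr_min_bw: int   # lowest bandwidth (kbps) the neighbor reports along its path
    nbr_delay: int    # cumulative delay (usec) the neighbor reports along its path

    @property
    def reported_distance(self):
        """RD: the neighbor's own metric to the destination."""
        return eigrp_metric([self.nbr_min_bw], [self.nbr_delay])

    @property
    def total_metric(self):
        """This router's metric via the neighbor: fold in the local link's bandwidth and delay."""
        bw, dly = LINK_DEFAULTS[self.local_link]
        return eigrp_metric([self.nbr_min_bw, bw], [self.nbr_delay, dly])


def select_paths(paths, variance=1, maximum_paths=4):
    """Return (successor, feasible distance, routes installed).

    A non-successor path is installed only if it is a feasible successor (RD < FD, the
    loop-freedom check) AND its metric <= variance * FD. maximum-paths caps the result."""
    successor = min(paths, key=lambda p: p.total_metric)
    fd = successor.total_metric
    installed = []
    for p in sorted(paths, key=lambda p: p.total_metric):
        feasible = p is successor or p.reported_distance < fd
        if feasible and p.total_metric <= variance * fd:
            installed.append(p)
    return successor, fd, installed[:maximum_paths]


# Constructed topology: four neighbors advertise the same destination subnet.
SAMPLE_PATHS = [
    Path("R2", "gige", 100_000, 100),     # successor: GigE to R2, one FastE hop beyond
    Path("R3", "faste", 100_000, 100),    # FastE to R3; feasible, slightly worse
    Path("R4", "serial", 1_000_000, 10),  # tiny RD, but the T1 local link makes it very expensive
    Path("R5", "gige", 100_000, 120),     # RD > FD: fails feasibility although close in metric
]


if __name__ == "__main__":
    for variance in (1, 2, 100):
        successor, fd, installed = select_paths(SAMPLE_PATHS, variance=variance)
        print(f"variance {variance}: FD={fd} via {successor.via}, installed",
              [p.via for p in installed])
```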
3.23 - Configure and verify EIGRP for IPv6:
● Configuration is basically the same as for IPv4 (except that IPv6 must be enabled
on the interface), with a couple of notes:
○ You must enable IPv6 unicast routing.
○ You must configure an EIGRP router-id if the router has no IPv4 addresses.
○ Use ipv6 enable to let the interface derive its own link-local address.
3.24 - Describe OSPF packet types:
● OSPF Packet Types:
○ Hello: Used to discover/maintain neighbors and to confirm If two routers
can become neighbors.
○ Database Description (DBD or DD): Exchanges brief descriptions (headers) of
each LSA. This happens on initial topology exchange and lets a router know
the list of LSAs its neighbor holds.
○ Link-State Request (LSR): A packet that lists the LSIDs of LSAs that the
sender of the LSR would like the receiver of the LSR to supply for
database exchange.
○ Link-State Update (LSU): A packet that contains fully detailed LSAs and
is sent in response to a LSR.
○ Link-State Acknowledgement (LSAck): Sent to a neighbor to confirm
that it got its LSU.
● OSPF Neighbor States:
○ Down: No hellos have been received.
○ Attempt: Used when a neighbor is defined with the neighbor command.
○ Init: Hellos have been received, but neighbor verification has not passed.
A neighbor stays in Init permanently when Hello parameters do not match.
○ 2-Way: Hellos received, neighbor verification checks passed.
○ ExStart: Negotiating DD sequence numbers and uses a master/slave logic
for DD packets.
○ Exchange: Finished negotiating DD process particulars and have begun
exchanging DD packets.
○ Loading: All DD packets have been exchanged, routers currently sending
LSR, LSU, and LSAck to exchange full LSAs.
○ Full: Neighbors fully adjacent, they believe that their LSDBs are all
identical and routing table calculations or recalculations begin.
3.25 - Configure and verify OSPF neighbor relationship and authentication:
● OSPF requirements to become neighbors:
○ Must be in the same area.
○ Must be in the same subnet.
○ Must pass all authentication checks.
○ Must have the same hello and dead timers.
○ Must not be a passive interface.
○ Router IDs cannot be the same.
○ MTU size must be the same in order to exchange topology information.
● Configuration and verification:
○ You can configure static neighbors with the neighbor command, or use the
network [ip] [wildcard mask] area [#] command and make sure all the
requirements match for the routers to become neighbors.
○ Verify neighbors with the show ip ospf neighbor [router-id] command and
with the show ip protocols command.
● OSPF authentication:
○ OSPF authentication types:
■ Type 0: no authentication.
■ Type 1: plain-text authentication.
■ Type 2: hashed (MD5) authentication.
○ OSPFv2 plain-text authentication:
■ Configuration:
● Enable plain-text authentication per interface or per area:
○ ip ospf authentication
○ area # authentication
● Set a key:
○ ip ospf authentication-key [key]
○ The max key length is 8.
■ Verification:
● Use the show ip interface or show ip ospf interface command.
○ OSPFv2 MD5 authentication:
■ Does not allow time-based keys.
■ Max key length is 6.
■ Configuration:
● Enable MD5 per area or per interface:
○ ip ospf authentication message-digest
○ area # authentication message-digest
● Configure keys per interface:
○ ip ospf message-digest-key [id] md5 [key]
● Verification:
○ show ip interface or show ip ospf interface.
○ OSPFv3 authentication:
■ OSPFv3 has no authentication fields in its header, so IPsec is used for
authentication.
■ IPsec's Authentication Header (AH) provides authentication only, while
Encapsulating Security Payload (ESP) provides authentication and
encryption.
■ Configuration:
● Enable AH or ESP:
○ ipv6 ospf authentication enables AH.
○ ipv6 ospf encryption enables ESP.
● Configure per interface or per area, for example:
○ ipv6 ospf authentication ipsec spi 256 sha1 [key]
○ area # authentication ipsec spi 256 sha1 [key]

3.26 - Configure and verify network types, area types, and router types:
● OSPF network types:
○ Point-to-point:
■ Elects a DR only if a neighbor is defined with the neighbor
command.
■ Default Hello timer is 10.
■ Dynamically discovers neighbors and no more than 2 routers
involved.
■ Define the network on the interface with the ip ospf network
[point-to-point, broadcast, etc] command.
■ Point-to-point is also the default network type on Frame Relay point-to-point
connections.
○ Multipoint:
■ Two types of multipoint networks:
● Point-to-Multipoint:
○ Allows dynamic discovery of neighbors.
○ Does not use a DR.
○ Default hello is 30.
● Point-to-Multipoint NBMA:
○ Does not use a DR.
○ Default hello is 30.
○ No dynamic discovery of neighbors.
○ Broadcast:
■ Connects multiple routers to a switch, so if one packet gets sent out
it goes to all routers.
■ Uses a DR.
■ Default hello is 10 seconds.
■ Dynamically discovers neighbors.
○ NonBroadcast:
■ These would be Frame Relay networks.
■ Uses a DR.
■ Does not dynamically discover neighbors.
■ Default Hello is 30 seconds.
● LSA Types:
○ Type 1:
■ Known as router LSAs.
■ Each router creates one and floods it throughout the same area.
■ An ABR will create one for each area.
■ A type 1 LSA contains the following:
● RID
● All interface IP addresses
● Represents Stub Networks
○ Type 2:
■ Known as a Network LSA.
■ Only sent by the DR.
■ Only one per transit network.
■ Represents the transit subnet and all router interfaces connected to
that subnet.
○ Type 3:
■ Known as a Summary LSA.
■ Sent by ABRs.
■ Contains information on how to reach subnets that are in other
areas.
○ Type 4:
■ Known as an ASBR Summary LSA.
■ Tells routers how to reach the ASBR.
■ Generated by the ABR.
○ Type 5:
■ Known as the AS External LSA.
■ Created by ASBRs.
■ Represents and contains external routes injected into OSPF (Route
Redistribution).
○ Type 7:
■ Known as an NSSA External LSA.
■ Created by ASBRs inside an NSSA area instead of a type 5.
■ Also, represents external routes injected into OSPF.
● Types of OSPF areas:
○ Backbone Area: Is always area 0 and all other areas must connect to it.
○ Normal Area: An area that is not a backbone area or any type of stubby
area.
○ Transit Area: An area where packets travel between 2 distant areas.
○ Stub Area: Filters only Type 5 LSAs and does not allow external routes.
○ NSSA: Filters only type 5 LSAs, but allows external routes (Type 7
LSAs).
○ Totally NSSA: Filters both type 3 and 5 LSAs, but allows external routes
(Type 7 LSAs).
○ Totally Stubby Areas: Filters type 3 and 5 LSAs and does not allow
external routes.
● Types of OSPF routers:
○ Internal router: A router that only has interfaces connected to only one
area.
○ Backbone router: Any router that has at least one interface connected to the
backbone area.
○ Area Border router: Any router that has one or more interfaces connected
to other areas.
○ Autonomous System Boundary router: Any router that injects external
routes into OSPF.
● Virtual Links:
○ Used to connect a non-backbone area that has no direct connection to area 0
to the backbone through a transit area, instead of through a direct link.
3.27 - Configure and verify OSPF path preference:
● Calculating OSPF intra-area routes:
○ Find all subnets in the area based on Type 1 and 2 LSAs.
○ Run SPF to find all paths to each subnet.
○ Calculate the OSPF cost of all outgoing interfaces along each path, and use the
lowest total cost route for each subnet as the best route.
● Calculating OSPF inter-area routes:
○ Uses Type 3 LSAs to calculate routes to subnets in other areas.
○ Calculate the intra-area cost to the ABR.
○ Add the cost from the ABR to the remote-area subnet (carried in the Type 3
LSA) to the local router's cost to reach the ABR.
● Since ABRs calculate both inter- and intra-area routes, they need to know which
route is best when a subnet is reachable through multiple areas. They follow these
rules:
○ An intra-area route is always better than an inter-area route.
○ If an ABR receives a Type 3 LSA in a non-backbone area, it ignores that LSA in
its route calculations.
● Remember that only Type 1 and 2 LSAs describe topology changes and require a
full SPF calculation.
● Configuration and verification:
○ Change the default reference bandwidth (100,000 kbps) with the auto-cost
reference-bandwidth command. Remember that cost is calculated as
reference bandwidth (kbps) / interface bandwidth (kbps).
○ Set the cost of a link directly with ip ospf cost #.
○ Verify with the show ip ospf interface command.
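An added Python example (not from the study guide) that works through the cost rules of 3.10 and 3.27 together: interface cost from the reference bandwidth, intra- versus inter-area preference including the ABR rule for Type 3 LSAs, and E1/E2 external route selection with the Type 4 cost added when the ASBR sits in another area. The route objects, costs and metrics are constructed.

```python
from dataclasses import dataclass

DEFAULT_REFERENCE_BW_KBPS = 100_000  # default auto-cost reference-bandwidth (3.27)


def ospf_interface_cost(bandwidth_kbps, reference_bw_kbps=DEFAULT_REFERENCE_BW_KBPS,
                        manual_cost=None):
    """Cost = reference bandwidth / interface bandwidth (integer division, minimum 1);
    an explicit 'ip ospf cost' value overrides the calculation."""
    if manual_cost is not None:
        return manual_cost
    return max(1, reference_bw_kbps // bandwidth_kbps)


@dataclass
class InternalRoute:
    via: str
    intra_area: bool
    cost: int                 # intra: SPF cost; inter: cost to ABR + cost in the ABR's Type 3 LSA
    learned_in_area: int = 0  # area in which the Type 3 LSA arrived (inter-area routes only)


def best_internal(routes, local_is_abr=False):
    """Intra-area beats inter-area regardless of cost; an ABR ignores Type 3 LSAs
    it learns in a non-backbone area (3.27)."""
    usable = [r for r in routes
              if r.intra_area or not local_is_abr or r.learned_in_area == 0]
    return min(usable, key=lambda r: (not r.intra_area, r.cost))


@dataclass
class ExternalRoute:
    asbr: str
    metric_type: int       # 1 = E1, 2 = E2, from the Type 5 LSA
    external_metric: int   # metric carried in the Type 5 LSA
    cost_to_asbr: int      # intra-area SPF cost to the ASBR, or cost to ABR + Type 4 cost

    def ospf_cost(self):
        """E1 adds the internal cost to the external metric; E2 uses the external metric alone."""
        if self.metric_type == 1:
            return self.external_metric + self.cost_to_asbr
        return self.external_metric


def cost_to_asbr(cost_to_abr_or_asbr, type4_cost=0):
    """ASBR in the local area: its SPF cost (type4_cost stays 0).
    ASBR in another area: cost to the ABR plus the ABR-to-ASBR cost from the Type 4 LSA."""
    return cost_to_abr_or_asbr + type4_cost


def best_external(routes):
    """E1 preferred over E2; then lowest OSPF cost; an E2 tie is broken by the
    forwarding cost to the ASBR (3.10)."""
    return min(routes, key=lambda r: (r.metric_type, r.ospf_cost(), r.cost_to_asbr))


if __name__ == "__main__":
    # Constructed scenario: the same prefix is redistributed by an ASBR in the local area
    # (two hops away: GigE + FastE) and by an ASBR behind an ABR in another area.
    local_asbr = ExternalRoute("ASBR1", 2, 20,
                               cost_to_asbr(ospf_interface_cost(1_000_000) +
                                            ospf_interface_cost(100_000)))
    remote_asbr = ExternalRoute("ASBR2", 2, 20, cost_to_asbr(1, type4_cost=10))
    print("E2 tie ->", best_external([local_asbr, remote_asbr]).asbr)
    remote_asbr_e1 = ExternalRoute("ASBR2", 1, 20, cost_to_asbr(1, type4_cost=10))
    print("E1 vs E2 ->", best_external([local_asbr, remote_asbr_e1]).asbr)
```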
3.28 - Configure and verify OSPF operations:
● Exchange without a DR:
○ Neighbors exchange Hellos until they reach the 2-Way state.
○ After a router has received a Hello and all parameters match, it lists the
neighbor's RID as "seen" in its next Hello packet.
○ Once each router sees its own RID in the neighbor's Hello, they reach the
2-Way state.
○ At 2-Way they decide whether to exchange LSDB entries (with no DR the answer
is always yes).
○ Once both routers say yes, they will:
■ Discover LSAs known to the neighbor but unknown to itself.
■ Discover LSAs known to both routers where the neighbor's copy is more
up to date.
■ Ask the neighbor for a copy of all LSAs identified in the first two steps.
○ Lastly, full LSAs are exchanged. Each LSA is acknowledged either with an
LSAck message (explicit acknowledgement) or by sending the same LSA back to
the other router in an LSU message (implicit acknowledgement).
● Exchange with a DR:
○ Non-DR routers do not exchange their databases with each other on a subnet.
○ Exchange with a DR:
■ All non-DR routers (DROthers) perform database exchange with the DR by
sending to the DR's multicast address 224.0.0.6.
■ The DR performs the same database exchange back, but sends to the
224.0.0.5 address.
■ LSAs sent to 224.0.0.6 are processed by both the DR and BDR, but only the
DR participates while the BDR stands by.
● When the link-state topology changes, routers flood the new LSA to the DR. By
accepting only newer versions of LSAs (higher sequence numbers), routers prevent
LSA advertisements from looping.
● Periodic flooding of LSAs:
○ OSPF refloods LSAs every 30 minutes based on the LSA's age variable.
○ The owning router creates the LSA with its age set to 0. The age increases over
time, and if no changes occur in 30 minutes the owning router increments the
sequence number, resets the age, and refloods the LSA.
○ Remember that the larger the sequence number, the more recent the LSA.
● None of this needs configuration beyond enabling OSPF on the router; verify it by
inspecting the LSDB (show ip ospf database).
3.29 - Configure and verify OSPF for IPv6:
● Differences between OSPFv2 and OSPFv3:
○ Renamed LSAs:
■ The Type 3 LSA is renamed the Inter-Area Prefix LSA (generated by ABRs).
■ The Type 4 LSA is renamed the Inter-Area Prefix LSA for ASBRs. It is used
by routers in a different area than the ASBR to reach the ASBR.
○ New LSAs:
■ The Type 8 LSA is called a Link LSA. It exists only on the local link, where
routers use it to advertise their link-local addresses to all routers on the
same link.
■ The Type 9 LSA is called an Intra-Area Prefix LSA. It carries the IPv6
prefixes attached to a router (like a Type 1 LSA in OSPFv2), but can also
carry the prefixes of transit IPv6 network segments (like a Type 2 LSA in
OSPFv2).
● Configuration:
○ Start the process with the ipv6 router ospf [#] command.
○ Add an IPv6 interface to the OSPFv3 process with the ipv6 ospf [#] area [#]
interface command.
● Verification:
○ Use any of the following commands:
■ show ipv6 protocols
■ show ipv6 ospf interface brief
3.30 - Describe, configure, and verify BGP peer relationships and authentication:
● BGP does not require neighbors to be on the same subnet or the same link to
become neighbors, because it uses a TCP connection (port 179) between routers
to pass BGP messages.
● BGP States:
○ Idle: The BGP process is down or awaiting the next retry attempt.
○ Connect: The BGP process is waiting for the TCP connection to complete.
○ Active: The TCP connection is completed, but no BGP messages have been sent.
○ Opensent: The TCP connection exists and a BGP Open message has been sent, but
the router is waiting for the matching Open message from its neighbor.
○ Openconfirm: Open messages have been sent and received. The next step is to
send a BGP Keepalive message to confirm that all neighbor parameters match,
or a BGP Notification message to learn that there is a mismatch.
○ Established: All neighbor parameters match, the relationship works, and the
peers can now exchange Update messages.
● BGP Messages:
○ Open: Used to establish the neighborship; exchanges basic parameters, which
include the ASN and authentication values.
○ Keepalive: Sent periodically to maintain the neighbor relationship. If no
keepalive message arrives within the negotiated hold timer, the relationship
goes down.
○ Update: Used to exchange path attributes (PAs) and the prefix/length pairs
that use those attributes.
○ Notification: Used to report which parameters mismatch.
● Peer Groups:
○ Used to send BGP messages to a group of neighbors defined in the peer group
configuration, so the configuration is written once for the whole group.
○ Configuration:
■ See on page 630 in the OCG.
3.31 - Configure and verify eBGP (IPv4 and IPv6 address families):
● eBGP:
○ Requirements to become neighbors (peers):
■ RIDs cannot be the same.
■ Authentication must match if configured.
■ The ASN in the remote router's neighbor statement must match the
local ASN.
○ Configuration for IPv4:
■ Router BGP [ASN]:
■ Neighbor [IP-address] remote-as [ASN]
○ Configuration for IPv6:
■ Configuration for routing IPv6 over IPv4 (the IPv4 peering carries
IPv6 prefixes):
● Enable IPv6 routing.
● Create a route map.
● Set the next-hop IPv6 address in the route map using the set
ipv6 next-hop [IPv6 address] command.
● Enable BGP with the router bgp [ASN] command.
● Enter address-family configuration mode for IPv4 with the
address-family ipv4 command.
● Specify the networks that will participate in BGP with the
network [IP address] mask [subnet mask] command.
● Exit IPv4 address-family configuration mode with the
exit-address-family command.
● Enter IPv6 address-family configuration mode with the
address-family ipv6 command.
● Specify networks with the network [IPv6 address/prefix-length]
command.
● Activate the BGP neighbor for the IPv6 address family with the
neighbor [IPv4 address] activate command.
● Associate the route map with the neighbor using the
neighbor [IPv4 address] route-map [name] out command.
■ Configuration for routing IPv6 over IPv6:
● Enable IPv6 routing.
● Enable BGP with the router bgp [ASN] command.
● Define the IPv6 neighbor with the neighbor [IPv6 address]
remote-as [ASN] command.
● Enter address-family mode with the address-family ipv6
command.
● Specify which networks will participate with the network
[IPv6 address/prefix-length] command.
● Activate the BGP neighbor with the neighbor [IPv6
address] activate command.
○ Autonomous system numbers:
■ ASN 0 is reserved.
■ 1 - 64,495 is used for public use.
■ 64,512 - 65,534 is used for private use.
■ 65,535 is reserved.
3.32 - Explain BGP attributes and best-path selection:
● BGP uses path attributes as metrics for choosing the best routes. The order goes
as follows:
○ Next hop: If no route to reach the next_hop IP then it cannot be used.
○ Weight (not a PA, Cisco proprietary): The bigger the better.
○ Local_Pref: The bigger the better.
○ Locally injected routes: Better than both eBGP and iBGP.
○ AS_Path Length: The smaller the better.
○ Origin: Prefer I over E and E over ?.
○ MED: The smaller the better.
○ Neighbor type: eBGP over iBGP.
○ IGP Metric to Next Hop: the smaller the better.
○ If no route has been chosen after going through all the PAs above, the
router breaks the tie with these steps, in order:
■ Oldest (longest-known) eBGP route.
■ Lowest neighbor BGP RID
■ Lowest neighbor IP address.
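The attribute order above, applied by a small comparator over a constructed set of candidate paths. This is an added example, not code from the study guide or from Cisco; the field names and sample paths are assumptions made for the model.

```python
# Added example (not from the study guide): simplified BGP best-path
# comparator following the attribute order listed above. Field names and the
# candidate paths are constructed for this model, not taken from a real table.
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Path:
    neighbor_ip: str
    neighbor_rid: str = "0.0.0.0"
    next_hop_reachable: bool = True
    weight: int = 0
    local_pref: int = 100
    locally_injected: bool = False
    as_path: List[int] = field(default_factory=list)
    origin: str = "i"          # "i", "e" or "?"
    med: int = 0
    ebgp: bool = True          # False for an iBGP-learned path
    igp_metric: int = 0        # IGP cost to reach the next hop
    age: int = 0               # seconds known; oldest eBGP path wins ties

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}

def _ip_key(addr: str):
    return tuple(int(o) for o in addr.split("."))

def sort_key(p: Path):
    # Smaller tuple wins. Bigger-is-better attributes are negated so the
    # tuple compares in the same top-to-bottom order as the list above.
    return (-p.weight, -p.local_pref, 0 if p.locally_injected else 1,
            len(p.as_path), ORIGIN_RANK[p.origin], p.med,
            0 if p.ebgp else 1, p.igp_metric, -p.age if p.ebgp else 0,
            _ip_key(p.neighbor_rid), _ip_key(p.neighbor_ip))

def best_path(paths: List[Path]) -> Optional[Path]:
    # A path whose next hop is not in the routing table is never considered.
    usable = [p for p in paths if p.next_hop_reachable]
    return min(usable, key=sort_key) if usable else None

# Constructed candidate paths for one prefix (not a real BGP table).
CANDIDATES = [
    Path("10.0.0.1", "1.1.1.1", next_hop_reachable=False, weight=500),
    Path("10.0.0.2", "2.2.2.2", local_pref=200, as_path=[65001, 65002, 65003]),
    Path("10.0.0.3", "3.3.3.3", local_pref=200, as_path=[65004, 65005]),
    Path("10.0.0.4", "4.4.4.4", local_pref=100, as_path=[65004]),
]

if __name__ == "__main__":
    print("best path via neighbor", best_path(CANDIDATES).neighbor_ip)
```

The path with the highest weight is discarded first because its next hop is unreachable; the shortest AS_PATH then wins only among the paths that share the highest LOCAL_PREF.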
4.0 VPN Technologies:
4.1 - Configure and Verify GRE:
● Generic Routing Encapsulation (GRE) is used for creating site-to-site VPNs.
Configuration steps for GRE are as follows:
○ Configure a tunnel interface with the interface tunnel [#] command.
○ Make sure the tunnel interfaces on each side of the tunnel are on the
same subnet.
○ Use the tunnel source [interface X/X] command to specify the source
interface and the tunnel destination [IP address] command to specify the
far end of the tunnel.
● Verifying GRE:
○ You can verify the GRE configuration with the show run and show interfaces
tunnel [#] commands.
○ Remember that a traceroute through the tunnel shows the far end as a single
hop, because the routers between the tunnel endpoints are hidden by the
encapsulation.
4.2 - Describe DMVPN:
● Dynamic Multipoint VPN (DMVPN) allows routers to create VPN tunnels with
other routers on an as-needed basis.
○ It consists of a hub-and-spoke topology and uses the client/server model. The
hub is preconfigured with all the spoke IPs and all the spokes are
preconfigured with the hub's IP.
○ The three requirements for DMVPN are:
■ mGRE (only configured on the hub)
■ NHRP (uses the client/server model to find the next-hop IP address)
■ IPsec
○ DMVPN has one known issue, route flapping; to resolve it, Cisco
recommends checking the routing protocol neighborships between the
routers.
4.3 - Describe Easy Virtual Networking (EVN)
● EVN allows you to create virtual routers on one router to segment traffic from
one network to another (e.g. wireless, voice, data).
● Unlike VRF, EVN creates a Virtual Network Trunk (VNET) that carries the
traffic for each virtual network and identifies the different types of traffic
with a VNET tag. The trunk exists only between virtual routers, and you can
use route replication to make routes in one virtual network known to
another.
5.0 Infrastructure Services:
5.1- Describe IOS AAA using local database:
● You can create a local AAA database on a Cisco router using the following:
○ aaa new-model
○ aaa authentication login [list name] group tacacs+ local
○ Create a username and password.
5.2 - Describe device security using IOS AAA with TACACS+ and RADIUS:
● Difference between TACACS+ and RADIUS:
○ TACACS+:
■ Uses TCP.
■ Encrypts the entire packet.
■ Cisco Proprietary.
■ Offers basic accounting features and separate services for AAA.
○ Radius:
■ Uses UDP.
■ Only encrypts the password.
■ Offers robust accounting feature and combines authentication and
authorization functions.
■ Open standard.
○ Configuration:
■ TACACS/RADIUS-server [Server Name]
■ Address ipv4/ipv6 [IP]
■ Key [key password]
5.3 - Configure and verify device access control:
● The VTY lines can be secured with access lists and with an AAA server.
● Management plane security deals with the security of the device and its
management. You can do this with ACLs and AAA servers.
● Password encryptions:
○ Type 7 password encryption (service password-encryption) is the weakest
form of encryption and can be easily cracked.
○ The secret command uses SHA-256 for hashing passwords and is
very strong.
5.4 - Configure and verify router security features
● IPv4 access lists can now be time-based. Configuration of time-based Access
Control Lists:
○ Time-range [name]
○ Periodic [ M |T| W| TH| F| WD | WE] Beginning Time-Ending Time
○ Access-list [number] [permit|deny] [time-range [name]]
● IPv6 Traffic Filtering:
○ You create them the same way as IPv4 ACLs, but IPv6 ACLs have three implicit
entries at the end:
■ permit icmp any any nd-na
■ permit icmp any any nd-ns
■ deny ipv6 any any
● Unicast Reverse Path Forwarding (uRPF) is a security mechanism in Cisco routers
that mitigates IP spoofing attacks by checking that a packet's source address is
in the routing table and is reachable.
○ uRPF has 3 modes:
■ Loose mode: With loose mode, a router will only verify that the source
IP address of a packet is reachable based on a router’s FIB.
■ Strict mode: A router checks that the source IP is reachable and in
the router’s FIB and it also makes sure that the packet is arriving on
the same interface the router would use to send the traffic back to the
IP address.
■ VRF mode: The same as loose mode, but the check is made against the VRF
instance's routing table.
○ Configuration:
■ Ip verify unicast source reachable-via [rx (strict mode) | any (loose
mode)]
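A model of the loose and strict checks described above, run over a constructed FIB. This is an added example, not code from the study guide or from Cisco IOS; the prefixes, interface names and sample packets are made up, and the allow_default parameter models the allow-default keyword of the ip verify unicast command.

```python
# Added example (not from the study guide): uRPF loose and strict checks over
# a constructed FIB. Prefixes, interfaces and packets are made up for the demo.
import ipaddress

# Constructed FIB: (prefix, egress interface); 0.0.0.0/0 is the default route.
FIB = [
    ("0.0.0.0/0", "Gi0/0"),
    ("10.1.0.0/16", "Gi0/1"),
    ("10.1.5.0/24", "Gi0/2"),
    ("192.168.0.0/24", "Gi0/1"),
]

def lookup(addr):
    """Longest-prefix match against FIB; returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in FIB:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf_pass(src, ingress, mode, allow_default=False):
    """Return True if a packet from src arriving on ingress passes uRPF.
    mode is "loose" (reachable-via any) or "strict" (reachable-via rx).
    allow_default models the IOS allow-default keyword: without it, a source
    matched only by the default route fails even in loose mode."""
    match = lookup(src)
    if match is None:
        return False
    net, iface = match
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True                 # any route back to the source is enough
    if mode == "strict":
        return iface == ingress     # reverse path must use the arrival interface
    raise ValueError(f"unknown uRPF mode {mode!r}")

# Constructed sample packets: (source address, ingress interface).
PACKETS = [("10.1.5.7", "Gi0/2"), ("10.1.5.7", "Gi0/1"),
           ("192.168.0.9", "Gi0/1"), ("172.16.3.3", "Gi0/1")]

def evaluate(mode, allow_default=False):
    """Map each sample packet to its uRPF verdict in the given mode."""
    return {f"{s} on {i}": urpf_pass(s, i, mode, allow_default)
            for s, i in PACKETS}
```

The second packet passes loose mode but fails strict mode: 10.1.5.7 is routable, but not through Gi0/1. Strict mode therefore drops legitimate traffic on links where routing is asymmetric, which is why loose mode is the usual choice at multihomed edges.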
6.0 Infrastructure Services:
6.1 - Configure and verify device management:
● You can configure remote access to a router with the following commands:
○ line vty 0 15
○ login authentication [Local | AAA]
○ You can also configure an ACL that allows only certain devices in a subnet
to connect to the router.
6.2 - Configure and verify SNMP:
● Configuring SNMPv2:
○ SNMPv2 offers no encryption or authentication, but you can use community
strings.
○ Configuration:
■ Create an access list that permits the host you will be sending the
traps to.
■ Configure the community with snmp-server community [string] [RO|
RW] [ACL]
● Configuring SNMPv3:
○ SNMPv3 allows you to have encryption and authentication.
○ Configuration:
■ Configure the group with this command: snmp-server group
[groupname {v1 | v2c | v3{auth | noauth | priv}}] [read readview]
[write writeview] [notify notifyview] [access access-list]
■ Configure the user with this command: snmp-server user
username [groupname remote ip-address [udp-port port] {v1 | v2c
| v3 [encrypted] [auth {md5 | sha} auth-password [priv des56 priv
password]] [access access-list]
■ Configure the snmp-host that it will log traps to: snmp-server host
<IP_address> version 3 auth V3User
■ Enable traps with: snmp-server enable traps
6.3 - Configure and verify logging:
● Logging allows you to track any events that go on in the router.
● Logging levels:
○ 0 = Emergencies
○ 1 = Alerts
○ 2 = Critical
○ 3 = Error
○ 4 = Warnings
○ 5 = Notifications
○ 6 = Informational
○ 7 = Debugging
● Configuration:
○ Logging [ host | monitor]
○ Show logging [ history]
6.4 - Configure and verify Network Time Protocol (NTP):
● NTP allows routers to obtain accurate time from an outside source or to serve
time themselves.
● Configuration:
○ Server:
■ Ntp master [Stratum Level]
■ (Optional) Ntp authentication-key [key id] md5 [key]
■ (Optional) Ntp authenticate
■ (Optional) Ntp trusted-key [key id]
○ Client:
■ Ntp server [IP Address]
■ (Optional) Ntp server [IP Address] key [Key id]
■ (Optional) Ntp authentication-key [key id] md5 [key]
■ (Optional) Ntp authenticate
■ (Optional) Ntp trusted-key [key id]
● Verification:
○ Show NTP associations
○ Show NTP status
● Key note: Remember that the lower the stratum level, the more trustworthy the
NTP device/server is.
6.5 - Configure and verify IPv4 and IPv6 DHCP:
● DHCP allows you to automatically assign IP addresses to hosts.
● IPv4 DHCP configuration:
○ Ip dhcp pool [name]
○ Network X.X.X.X Mask X.X.X.X
● IPv6 DHCP configuration:
○ Ipv6 dhcp pool [name]
○ You can configure/use stateless DHCP, stateful DHCP, SLAAC, or prefix
delegation.
6.6 - Configure and verify IPv4 Network Address Translation (NAT):
● 3 Types of NAT:
○ Static NAT: Maps one public IP to one private IP.
○ Dynamic NAT: Uses a pool of public IP addresses for private-to-public IP
translation.
○ Port Address Translation: Uses one public IP for multiple private IPs,
which is accomplished by using a different port number for each private IP
translated.
6.7 - Describe IPv6 NAT:
● NAT64:
○ Allows IPv6 addresses to be translated into IPv4 addresses, enabling
communication between an IPv6 host and an IPv4 host.
● NPTv6:
○ Network Prefix Translation performs prefix translation for IPv6
(think of NAT for IPv4, public to private and vice versa).
6.8 - Describe SLA architecture:
● Service Level Agreement or SLA, allows you to measure the performance and the
behavior of your network.
● It can be used with the following:
○ ICMP for echo and jitter
○ RTP for Voip
○ TCP connection
○ UDP for echo and jitter
○ DNS
○ DHCP
○ HTTP
○ FTP
6.9 - Configure and verify IP SLA:
● Configuration and Verification:
○ Create the IP SLA operation with the ip sla [#] command.
○ Define the operation type with icmp-echo [destination IP | hostname]
source-ip [IP address | hostname] source-interface [interface].
○ Define a non-default frequency, if needed, with frequency [seconds].
○ Schedule when the SLA operation starts with ip sla schedule [#] life
[forever | seconds] start-time [hh:mm:ss] [month day | day month].
6.10 - Configure and verify tracking objects:
● You can track SLA operations to influence routing and the configuration/verification
are as follows:
○ Use the track [#] ip sla [#] [state | reachability] command.
○ Configure a delay if you want with delay [down (seconds) | up (seconds)].
○ Configure a static route that depends on the object: ip route X.X.X.X X.X.X.X
[interface] track [#]
6.11 - Configure and verify Cisco NetFlow:
● NetFlow allows you to monitor your network, see what consumes bandwidth, track
the top talkers in your network, and much more.
● Configuration
○ IP Flow-export version [v5 | v9]
○ IP flow-export destination [IP]
○ Show ip flow [Export | Top-Talkers]