Category Archives: Road to CCIE

All about CCIE

OSPF to BGP Redistribution

router bgp 100
redistribute ospf 1
! This redistributes only OSPF intra- and inter-area routes into BGP.

router bgp 100
redistribute ospf 1 match external 1 external 2
! This redistributes ONLY OSPF external routes,
! but both type-1 and type-2.

router bgp 100
redistribute ospf 1 match internal external 1 external 2
! This redistributes all OSPF routes into BGP.

https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/5242-bgp-ospf-redis.html

Sham-links

A sham-link overcomes the OSPF default behavior for selecting an intra-area backdoor route between VPN sites instead of an interarea (PE-to-PE) route. A sham-link ensures that OSPF client sites that share a backdoor link can communicate over the MPLS VPN backbone and participate in VPN services.

https://networkinferno.net/ccie-study-ospf-sham-link
https://learningnetwork.cisco.com/thread/99694

4. IS-IS Path Selection

ISIS Path Selection
– All links default to cost of 10. (Can be manually modified).

– Neighbor must agree on metric-style.

– Level 1 path preferred over Level 2 path (like OSPF intra-area over inter-area).

TLV (Type, Length, Value)
– Used to encode not only the metric but also IPv6 information and the MPLS TE extensions.

Note: When you form ISIS adjacencies, in 99% of cases you want to set the metric-style to "wide".

Metric-style "wide" gives a larger metric field, which is what allows the IPv6 and MPLS TE information to be encoded; with the default (narrow) metric style, ISIS will not support TE or IPv6 routing.

IOS CONFIGURATION:
#ROUTER ISIS 1
#METRIC-STYLE WIDE

XRV CONFIGURATION:
#ROUTER ISIS 1
#ADDRESS-FAMILY IPV4
#METRIC-STYLE WIDE
#ADDRESS-FAMILY IPV6
#METRIC-STYLE WIDE

Verification:
IOS – SHOW CLNS PROTOCOL
XR – SHOW ISIS PROTOCOL

With this configuration the router will now exchange routes with other devices that use the wide metric style, because a device using narrow won't understand the encoding of the wide attributes.

If you have a device that doesn't support metric-style "wide", you can use metric-style "transition".


** – Means the shortest path to that destination was not computed.
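As an added example (not from the original notes), the following Python models why a narrow-only neighbour cannot use a wide-metric LSP: narrow reachability is carried in TLV 128 with a 6-bit metric, wide reachability in TLV 135 with a 32-bit metric field, and a receiver simply skips TLV types it does not understand. The TLV layouts are simplified and the sample prefixes and metrics are constructed for the example.

```python
import struct

TLV_IP_INT_REACH = 128    # "narrow" IP reachability: 6-bit default metric, max 63 per link
TLV_EXT_IP_REACH = 135    # "wide" extended IP reachability: 32-bit metric field
NARROW_MAX = 63
WIDE_MAX = (1 << 24) - 1  # wide link metrics are capped at 2^24 - 1


def ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def encode_narrow(prefix: str, mask: str, metric: int) -> bytes:
    """One TLV 128 entry: default/delay/expense/error metric bytes, prefix, mask."""
    if not 0 <= metric <= NARROW_MAX:
        raise ValueError(f"narrow metric {metric} does not fit in 6 bits (max {NARROW_MAX})")
    body = bytes([metric, 0x80, 0x80, 0x80]) + ip_bytes(prefix) + ip_bytes(mask)
    return bytes([TLV_IP_INT_REACH, len(body)]) + body


def encode_wide(prefix: str, plen: int, metric: int) -> bytes:
    """One TLV 135 entry: 32-bit metric, control byte (U/D bit, sub-TLV bit, prefix len), prefix."""
    if not 0 <= metric <= WIDE_MAX:
        raise ValueError(f"wide metric {metric} exceeds 24-bit maximum {WIDE_MAX}")
    ctrl = plen & 0x3F                          # no up/down bit, no sub-TLVs
    body = struct.pack("!I", metric) + bytes([ctrl]) + ip_bytes(prefix)[: (plen + 7) // 8]
    return bytes([TLV_EXT_IP_REACH, len(body)]) + body


def parse_reach(tlvs: bytes, wide_capable: bool) -> list:
    """Walk a TLV stream the way a receiver does: unknown TLV types are skipped, not rejected."""
    out, i = [], 0
    while i + 2 <= len(tlvs):
        ttype, tlen = tlvs[i], tlvs[i + 1]
        body = tlvs[i + 2 : i + 2 + tlen]
        i += 2 + tlen
        if ttype == TLV_IP_INT_REACH:
            for j in range(0, len(body), 12):
                pfx = ".".join(str(b) for b in body[j + 4 : j + 8])
                out.append((pfx, body[j] & 0x3F))
        elif ttype == TLV_EXT_IP_REACH and wide_capable:
            j = 0
            while j < len(body):
                metric = struct.unpack("!I", body[j : j + 4])[0]
                ctrl = body[j + 4]
                plen = ctrl & 0x3F
                nbytes = (plen + 7) // 8
                raw = body[j + 5 : j + 5 + nbytes] + b"\0" * (4 - nbytes)
                out.append((".".join(str(b) for b in raw) + f"/{plen}", metric))
                j += 5 + nbytes
                if ctrl & 0x40:                 # sub-TLVs present: skip over them
                    j += 1 + body[j]
        # any other type, or TLV 135 on a narrow-only router, is silently ignored
    return out


def demo() -> dict:
    """Constructed LSP fragments for the R6 links above (metrics chosen for the example)."""
    lsp_wide = encode_wide("10.1.5.0", 24, 100) + encode_wide("10.4.5.0", 24, 2000)
    lsp_narrow = encode_narrow("10.1.5.0", "255.255.255.0", 10)
    return {
        "wide_router_reads_wide": parse_reach(lsp_wide, wide_capable=True),
        "narrow_router_reads_wide": parse_reach(lsp_wide, wide_capable=False),  # sees nothing
        "transition_reads_both": parse_reach(lsp_narrow + lsp_wide, wide_capable=True),
    }
```

A metric of 2000 is only representable in the wide TLV; encode_narrow raises for anything above 63.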

Multi-topology IS-IS
– IS-IS supports both IPv4 and IPv6.
– IPv6 routing can be either

Single Topology
– Share path calculation with IPv4.
– Requires 1:1 correlation of IPv4 and IPv6 interfaces.

Multi Topology
– Independent path calculation from IPv4.
– IPv4 & IPv6 configuration completely independent.

Manually changing the metric:
interface FastEthernet0/0.15
description TO_R6
encapsulation dot1Q 15
ip address 10.1.5.1 255.255.255.0
ip router isis 1
ipv6 address 2001:1:5::1/64
ipv6 router isis 1
isis metric 100 level-2
isis ipv6 metric 200 level-2

Q&A:
1. For ipv4 and ipv6 are we using different transport?
A: Neither; we are using CLNS. The protocol is encapsulated directly at layer 2.

2. Which would you recommend ISIS or OSPF?
A: It depends on whether you're running both IPv4 and IPv6. In a large network IS-IS would be preferred because you can run it in single topology. There are feature differences, but in terms of the core SPF calculation they are close to each other in convergence and scaling.

Reference:
https://ipcisco.com/isis-for-ipv6-configuration-example-on-cisco-ios/
http://wiki.kemot-net.com/is-is-metric
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_isis/configuration/15-sy/irs-15-sy-book/ip6-route-isis.html

Different physical interfaces with same Vlan ID

The VLAN ID specifies where 802.1Q tagged packets are sent and received on a specified subinterface. An 802.1Q VLAN subinterface must have a configured VLAN ID to send and receive traffic; without a VLAN ID, the subinterface remains in the down state. All VLAN IDs must be unique among all subinterfaces configured on the same physical interface. To change a VLAN ID, the new VLAN must not already be in use on the same physical interface. To exchange VLAN IDs, you must remove the configuration information and reconfigure the ID for each device.

NOTE: The subinterface does not pass traffic without an assigned VLAN ID.

/!\ Configuration of multiple subinterfaces of the same main interface with the same VID (1) is not permitted.

Sample Configuration and Verification:
XR Router:
vrf custA
address-family ipv4 unicast
!
vrf custB
address-family ipv4 unicast
!
interface GigabitEthernet0/0/0/0.3320
vrf custA
ipv4 address 1.1.1.1 255.255.255.252
encapsulation dot1q 3320
!
interface GigabitEthernet0/0/0/1.3320
vrf custB
ipv4 address 2.2.2.2 255.255.255.252
encapsulation dot1q 3320

R1 Router:
interface FastEthernet0/0.1
encapsulation dot1Q 3320
ip address 1.1.1.2 255.255.255.252

R1#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/28/40 ms

R2 Router:
interface FastEthernet0/0.3320
encapsulation dot1Q 3320
ip address 2.2.2.1 255.255.255.252

R2#ping 2.2.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms

Note: VLAN IDs are only locally significant to the physical interface, so the same encapsulation on subinterfaces of different physical interfaces works, with or without a VRF.

Reference: VLAN Subinterface Commands on the Cisco ASR 9000 Series Router

3. Configuring ISIS


Configuration:

######## R6 | AREA 01 ########

interface Loopback0
ip router isis 1
interface FastEthernet0/0.15
ip router isis 1
isis circuit-type level-2-only
!
interface FastEthernet0/0.45
ip router isis 1
!
interface FastEthernet0/0.56
ip router isis 1
isis circuit-type level-1

router isis 1
net 01.0000.0000.0006.00

######## R5 | AREA 01 ########
router isis 1
net 01.0000.0000.0006.00

R7(A01) Database:

R7#sh isis database
IS-IS Level-1 Link State Database:
LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT/P/OL
R5.00-00 0x00000005 0x9F2D 1081 1/0/0
R6.00-00 0x00000005 0x3501 1089 1/0/0
R6.03-00 0x00000001 0xEC56 1082 0/0/0
R7.00-00 * 0x00000005 0x9C34 1083 0/0/0
R7.01-00 * 0x00000001 0x182C 1084 0/0/0
R7.02-00 * 0x00000001 0xF74C 346 0/0/0

Those two border routers (R5 and R6) have the attached (ATT) bit set in their link-state packets. The attached bit means "I have a connection to another area or another level, and you can use me as the default exit".

The attached bit is set automatically, and router R7 now has a default route to reach any destination outside the area.

R7#sh ip route isis
i*L1 0.0.0.0/0 [115/10] via 10.5.6.2, FastEthernet0/0.56
[115/10] via 10.4.6.1, FastEthernet0/0.46
1.0.0.0/32 is subnetted, 2 subnets
i L1 1.1.1.6 [115/20] via 10.5.6.2, FastEthernet0/0.56
10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
i L1 10.4.5.0/24 [115/20] via 10.5.6.2, FastEthernet0/0.56
[115/20] via 10.4.6.1, FastEthernet0/0.46

We still have full reachability; the difference is that R7 uses a smaller (Level 1 only) view of the topology plus the default route to find the path to destinations outside the area.
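As an added example (not from the original notes), this Python parses a copy of the Level-1 database output shown above, decodes the ATT/P/OL column, and derives which routers R7 may use as its default exit; the constant SHOW_ISIS_DB is a constructed copy of that output, and the function names are mine.

```python
import re

# Constructed copy of the 'show isis database' output from the notes above
SHOW_ISIS_DB = """\
IS-IS Level-1 Link State Database:
LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT/P/OL
R5.00-00 0x00000005 0x9F2D 1081 1/0/0
R6.00-00 0x00000005 0x3501 1089 1/0/0
R6.03-00 0x00000001 0xEC56 1082 0/0/0
R7.00-00 * 0x00000005 0x9C34 1083 0/0/0
R7.01-00 * 0x00000001 0x182C 1084 0/0/0
R7.02-00 * 0x00000001 0xF74C 346 0/0/0
"""

# LSPID is <system>.<pseudonode id>-<fragment>; '*' marks LSPs originated by this router
LSP_RE = re.compile(
    r"^(?P<sysname>\S+)\.(?P<pseudo>[0-9A-Fa-f]{2})-(?P<frag>[0-9A-Fa-f]{2})"
    r"\s+(?P<local>\*\s+)?0x[0-9A-Fa-f]+\s+0x[0-9A-Fa-f]+\s+(?P<hold>\d+)"
    r"\s+(?P<att>[01])/(?P<p>[01])/(?P<ol>[01])$"
)


def parse_l1_database(text: str) -> list:
    lsps = []
    for line in text.splitlines():
        m = LSP_RE.match(line.strip())
        if m:
            lsps.append({
                "sysname": m["sysname"],
                "pseudonode": m["pseudo"] != "00",   # e.g. R6.03-00 is a DIS pseudonode LSP
                "local": m["local"] is not None,
                "holdtime": int(m["hold"]),
                "att": m["att"] == "1",
                "overload": m["ol"] == "1",
            })
    return lsps


def attached_routers(lsps: list) -> list:
    """Routers advertising the ATT bit in their own (non-pseudonode) LSP."""
    return sorted({l["sysname"] for l in lsps if l["att"] and not l["pseudonode"]})


def expect_default_route(lsps: list) -> tuple:
    """A Level-1-only router installs 0.0.0.0/0 towards the attached routers.
    A router that is itself attached (L1/L2) does not install such a default."""
    local = {l["sysname"] for l in lsps if l["local"]}
    exits = attached_routers(lsps)
    if local & set(exits):
        return False, []
    return bool(exits), exits
```

On the database above this reports R5 and R6 as exits, matching the two-next-hop default route in R7's routing table.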

CCIE SP – OSPF

OSPF – Unicast, Multicast Reachability.

Configuration:
RP/0/0/CPU0:XRV-01#sh run router ospf
Wed Jul 11 00:14:28.130 UTC
router ospf 1
area 0
interface Loopback0
!
interface GigabitEthernet0/0/0/0.12
!
interface GigabitEthernet0/0/0/0.111
!
interface GigabitEthernet0/0/0/0.211
!
RP/0/0/CPU0:XRV-01#sh run router ospfv3
Wed Jul 11 00:14:37.150 UTC
router ospfv3 1
area 0
interface Loopback0
!
interface GigabitEthernet0/0/0/0.12
!
interface GigabitEthernet0/0/0/0.111
!
interface GigabitEthernet0/0/0/0.211
!

Note: Even though OSPFv2 and OSPFv3 both use process ID 1, the router treats them independently of each other because they advertise different address families.

Verification IOS:
IPV4 #show ip int brief || IPV6 #show ipv6 interface brief
IPV4 #show ip ospf neighbor || IPV6 #show ipv6 ospf neighbor

For XR
All routing-protocol configuration goes under the global process. So once we have link-level connectivity and v4/v6 addressing configured, the next step is to go into the global process and enable the protocol on each interface.

Verification XR:
#show ospf neighbors
#show ospf interface

Note: By default we don't see a log message in XR when the OSPF adjacency comes up, because the default logging level is lower. We need to set it to "debugging".
Once we configure OSPF on all the core routers, all routers will have the same database. The only difference will be the router ID.

R1#sh ip ospf database

OSPF Router with ID (1.1.1.1) (Process ID 1)

Router Link States (Area 0)

Link ID ADV Router Age Seq# Checksum Link count
1.1.1.1 1.1.1.1 1807 0x80000019 0x000A56 4
1.1.1.2 1.1.1.2 930 0x8000000B 0x0072C3 5
1.1.1.4 1.1.1.4 962 0x8000000B 0x008CC7 4
2.1.1.1 2.1.1.1 1163 0x80000019 0x003403 4
2.1.1.2 2.1.1.2 1014 0x80000020 0x002D5F 6
2.1.1.3 2.1.1.3 1252 0x8000000C 0x0045CC 5

Net Link States (Area 0)

Link ID ADV Router Age Seq# Checksum
10.1.2.1 1.1.1.1 1037 0x80000013 0x0011FB
10.1.11.2 1.1.1.1 1299 0x80000013 0x00A062
10.1.12.1 2.1.1.2 1014 0x80000013 0x009E61
10.2.3.2 1.1.1.4 962 0x80000008 0x0012FC
10.2.11.1 2.1.1.1 1163 0x80000016 0x009964
10.2.12.1 2.1.1.2 1265 0x80000016 0x009664
10.3.12.1 2.1.1.2 1014 0x8000000C 0x00B24F
10.3.13.1 2.1.1.3 1252 0x80000008 0x00B74B
10.11.12.1 2.1.1.1 920 0x80000013 0x0033C2
10.12.13.1 2.1.1.2 1782 0x80000008 0x0044B7

RP/0/0/CPU0:XRV-01#sh ospf database
Wed Jul 11 00:23:13.814 UTC

OSPF Router with ID (2.1.1.1) (Process ID 1)

Router Link States (Area 0)

Link ID ADV Router Age Seq# Checksum Link count
1.1.1.1 1.1.1.1 1775 0x80000019 0x000a56 4
1.1.1.2 1.1.1.2 897 0x8000000b 0x0072c3 5
1.1.1.4 1.1.1.4 929 0x8000000b 0x008cc7 4
2.1.1.1 2.1.1.1 1129 0x80000019 0x003403 4
2.1.1.2 2.1.1.2 981 0x80000020 0x002d5f 6
2.1.1.3 2.1.1.3 1219 0x8000000c 0x0045cc 5

The final result to check is the routing table: does the router actually know the loopbacks of the other devices and the transit links between them, and does it have IP reachability to its neighbors?

Ospf version 2 & 3 forming adjacencies
Before we got to any upper layer protocols we want to make sure the core connectivity is there. Both for OSPFv2 and v3 or for IS-IS.

In terms of IPv6 connectivity: since we are not using IPv6 as the source and destination of the MPLS tunnel, the only thing IPv6 connectivity in the core would affect is IPv6 internet connectivity.

If we want to tunnel IPv6 over MPLS we don't need IPv6 enabled in the core; we can run either the 6PE or 6VPE feature in order to tunnel IPv6 over an IPv4-based label core.

For the same type of matching route, OSPFv3 is preferred over OSPFv2.

Note: You cannot run OSPFv3 with OSPFv2, even with (selective) redistribution: XR OS will not advertise the OSPFv3 IPv4 address family into OSPFv2.

OSPFv3 is not backwards compatible with v2; you have to run the same version of the protocol between the two neighbors, and one of the main reasons is that it uses a separate transport.

So for an IPv4 address family advertised in OSPFv3, IPv6 is used for transport. We need to enable IPv6 on the interface in order to run the OSPFv3 IPv4 address family.

Configuration to enable IPv6 on the interface: (config-if)# ipv6 enable
This command generates a link-local address based on the EUI-64 format (derived from the MAC address).

Not all versions support redistribution into OSPFv3. This means that if the question asks you to run OSPF as the PE-CE routing protocol and your version doesn't support v3 redistribution, you need to run OSPFv2.

Note: You can redistribute ipv4 v2 to OSPFv3 but not the other way around.

MPLS

# mpls label protocol ldp
# mpls ldp router-id loopback0 force
#CORE
providerI#sh ip int brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 10.1.2.1 YES NVRAM up up
FastEthernet1/0 10.1.1.1 YES NVRAM up up
FastEthernet1/1 10.10.22.1 YES NVRAM up up
FastEthernet2/0 10.1.0.1 YES NVRAM up up
FastEthernet2/1 unassigned YES NVRAM administratively down down
Loopback0 1.1.1.1 YES NVRAM up up

router isis
mpls ldp autoconfig level-2
net 10.0001.aaaa.aaaa.00

#Enable MPLS and ISIS
interface FastEthernet0/0
ip address 10.1.2.1 255.255.255.252
ip router isis
duplex half
mpls ip

################ PE
PEX#sh ip int brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 10.10.22.2 YES NVRAM up up
FastEthernet1/0 172.10.10.1 YES NVRAM up up
FastEthernet1/1 unassigned YES NVRAM administratively down down
FastEthernet2/0 unassigned YES NVRAM administratively down down
FastEthernet2/1 61.1.1.1 YES NVRAM up up
Loopback9 9.9.9.9 YES NVRAM up up

router isis
mpls ldp autoconfig level-2
net 10.0001.bbbb.dddd.00

# ENABLE MPLS AND ISIS
interface FastEthernet0/0
ip address 10.10.22.2 255.255.255.252
ip router isis
duplex full
mpls ip

router bgp 111
no synchronization
bgp log-neighbor-changes
neighbor 10.10.10.10 remote-as 111
neighbor 10.10.10.10 update-source Loopback9
neighbor 10.10.10.10 soft in
no auto-summary
!
address-family vpnv4
neighbor 10.10.10.10 activate
neighbor 10.10.10.10 send-community extended
exit-address-family
!
address-family ipv4 vrf c1
no synchronization
neighbor 61.1.1.2 remote-as 3939
neighbor 61.1.1.2 activate
exit-address-family

ip vrf c1
rd 3491:908290290
route-target export 3491:1002873
route-target export 111:1888
route-target import 3491:1002873
route-target import 3491:3491

############################### PE 2
PE-R2#sh run | sec ip vrf
ip vrf custx
rd 111:900902
route-target export 111:555
route-target import 111:9119
route-target import 111:3333
route-target import 1888:1001
ip vrf forwarding custx

PE-R2#sh run | sec router
ip router isis
ip router isis
router isis
mpls ldp autoconfig level-2
net 10.0001.cccc.cccc.00
router bgp 111
no synchronization
no bgp default route-target filter
bgp log-neighbor-changes
neighbor 3.3.3.3 remote-as 111
neighbor 3.3.3.3 update-source Loopback0
neighbor 3.3.3.3 next-hop-self
neighbor 3.3.3.3 soft-reconfiguration inbound
neighbor 9.9.9.9 remote-as 111
neighbor 9.9.9.9 next-hop-self
neighbor 9.9.9.9 soft-reconfiguration inbound
neighbor 10.10.10.10 remote-as 111
neighbor 129.1.2.1 remote-as 1888
no auto-summary
!
address-family vpnv4
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 send-community extended
neighbor 3.3.3.3 next-hop-self
neighbor 9.9.9.9 activate
neighbor 9.9.9.9 send-community extended
neighbor 9.9.9.9 next-hop-self
neighbor 10.10.10.10 activate
neighbor 10.10.10.10 send-community extended
neighbor 10.10.10.10 next-hop-self
neighbor 129.1.2.1 activate
neighbor 129.1.2.1 send-community extended
exit-address-family
!
address-family ipv4 vrf custx
no synchronization
neighbor 172.16.2.2 remote-as 555
neighbor 172.16.2.2 activate
exit-address-family

CCIE v5 Convergence Optimization


Routing protocol failure detection

Failure detection with link events

Failure detection with timers

Modifying timers

  1. EIGRP
  2. OSPF
  3. BGP

IP Event Dampening

Failure Detection with timer

What if the devices aren’t layer 1 adjacent?

Even your dark fiber might not be truly P2P

Link up/down becomes unreliable

Solution is failure detection at an upper layer

E.g. IGP/BGP hello/dead timers (can be misleading sometimes, and they can be slow)

EIGRP Timers

Do not have to match for adjacency to occur (e.g. R1 can be set to 10 and R2 can be set to 20)

The hold time I advertise is the hold time you use for me (how long you wait before considering me down)

Reverse direction of OSPF dead time

Defaults based on media type

Classic mode (under the interface)

ip hello-interval eigrp

ip hold-time eigrp

Named mode (under af-interface)

Hello-interval

Hold-time

Configuration:

R1# (traditional configuration)

router eigrp 10
 network 10.1.1.0 0.0.0.255
 no auto-summary

R2# (named mode configuration)

router eigrp ccie
 address-family ipv4 unicast autonomous-system 10
  network 0.0.0.0 0.0.0.0
  af-interface f0/0
   hello-interval 15
   hold-time 30

https://supportforums.cisco.com/blog/11939146/glimpse-eigrp-name-mode-configuration

Verify:

show ip eigrp neighbors

show ip eigrp interfaces detail

show eigrp address-family ipv4 interfaces detail

OSPF Timer

Do have to match for adjacency to occur

Defaults based on media type

Configure as…

ip ospf hello-interval

ip ospf dead-interval

OSPF fast hellos

OSPF supports sub-second hellos with:

ip ospf dead-interval minimal hello-multiplier <multiplier>

Not recommended because of CPU load (fast hellos can be resource intensive on the box)

Configuration:

R1#

int f0/0
 ip ospf network point-to-point

R2#

int f0/0
 ip ospf network point-to-point

Note: Different OSPF network types can cause loss of adjacency.

Suppress hello (for low-end devices)

OSPF Fast Hello

R1 & R2#

ip ospf dead-interval minimal hello-multiplier 3

Debug timestamps: service timestamps debug datetime msec

Verify:

show processes cpu sorted (look at the OSPF processes)
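As an added example (not from the original notes), this Python encodes the timer rules from this section as a check a practitioner can run against two interface configurations: OSPF hello/dead must match (fast hello fixes the dead interval at 1 s), EIGRP timers need not match and each side's hold time is what its neighbour uses, and a hold time no larger than the hello interval is flagged. Class and function names are mine; the default timers per network type are standard IOS values.

```python
from dataclasses import dataclass
from typing import Optional

# Default OSPF (hello, dead) in seconds by network type
OSPF_DEFAULTS = {
    "broadcast": (10, 40), "point-to-point": (10, 40),
    "non-broadcast": (30, 120), "point-to-multipoint": (30, 120),
}


@dataclass
class OspfIf:
    network_type: str = "broadcast"
    hello: Optional[float] = None                  # 'ip ospf hello-interval'
    dead: Optional[float] = None                   # 'ip ospf dead-interval'
    fast_hello_multiplier: Optional[int] = None    # 'ip ospf dead-interval minimal hello-multiplier N'

    def timers(self) -> tuple:
        """Effective (hello, dead) in seconds."""
        if self.fast_hello_multiplier:
            return 1.0 / self.fast_hello_multiplier, 1.0   # dead fixed at 1 s, N hellos per second
        dh, dd = OSPF_DEFAULTS[self.network_type]
        return (self.hello or dh), (self.dead or dd)


def ospf_adjacency(a: OspfIf, b: OspfIf) -> tuple:
    """Returns (forms, problems, detection_seconds). Hello and dead must match on both ends.
    A broadcast/point-to-point mismatch still exchanges hellos (same default timers) but can
    break route installation, so it is reported as a problem without blocking the adjacency."""
    problems = []
    forms = a.timers() == b.timers()
    if not forms:
        problems.append(f"timer mismatch: {a.timers()} vs {b.timers()}")
    if a.network_type != b.network_type:
        problems.append(f"network type mismatch: {a.network_type} vs {b.network_type}")
    return forms, problems, max(a.timers()[1], b.timers()[1])


@dataclass
class EigrpIf:
    hello: int = 5    # 'hello-interval' / 'ip hello-interval eigrp'
    hold: int = 15    # 'hold-time' / 'ip hold-time eigrp'


def eigrp_adjacency(a: EigrpIf, b: EigrpIf) -> tuple:
    """EIGRP timers need not match. The hold time a router advertises is how long its
    neighbour waits without hellos before declaring it down (reverse of the OSPF dead timer)."""
    warnings = [f"{name}: hold {i.hold}s must exceed hello {i.hello}s or the neighbour flaps"
                for name, i in (("a", a), ("b", b)) if i.hold <= i.hello]
    return True, {"b_declares_a_down_after": a.hold, "a_declares_b_down_after": b.hold}, warnings


def demo() -> dict:
    r1 = OspfIf("point-to-point", fast_hello_multiplier=3)
    r2 = OspfIf("point-to-point", fast_hello_multiplier=3)
    r3 = OspfIf("point-to-point")                   # left at the 10/40 defaults
    return {
        "fast_hello_both": ospf_adjacency(r1, r2),
        "fast_hello_one_side": ospf_adjacency(r1, r3),
        "eigrp_15_vs_30": eigrp_adjacency(EigrpIf(5, 15), EigrpIf(15, 30)),
    }
```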

Layer 3 Keepalive:

  1. IPSLA
  2. BFD

Note: Juniper's Track IP can track /29 subnets.

ip sla 1
 icmp-echo 8.8.8.8
ip sla schedule 1 life forever start-time now

track 1 ip sla 1 reachability

Tracking a probe like this is great for detecting indirect failures.

Understanding CEF?

Cisco Express Forwarding (CEF) is advanced, Layer 3 IP switching technology. CEF optimizes network performance and scalability for networks with large and dynamic traffic patterns, such as the Internet, on networks characterized by intensive Web-based applications, or interactive sessions.

Layer 3 switching processes

a. Process switching
– Requires the CPU to be personally involved in every forwarding decision.
– Whenever any packet enters the router, the router does a layer 3 lookup (software based) on the destination IP, checks the next hop, and then finds the exit interface.

b. Fast switching
– Still uses the CPU, but after a packet has been forwarded, the information about how to reach the destination is stored in a fast-switching cache.
– Same process as process switching: look up the destination IP, check the next hop and exit interface, but save the details in the cache for subsequent packets.

These two methods are no longer used by our routers.

c. Cisco Express Forwarding (CEF)
– Optimizes the router so that it is able to forward packets faster.
– Before a packet arrives at the router,

FYI

RIB – IP Protocols populate the RIB
– A control plane
– show ip route

CEF – RIB populates CEF and its FIB
– Data Plane
– show ip cef

LIB – LDP populates the LIB
– Control plane
– show mpls ldp binding

LFIB – LDP and RIB populates the LFIB
– Data plane
– show mpls forwarding-table

How to Verify Cisco Express Forwarding Switching
https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-software-releases-120-mainline/47205-cef-whichpath.html

Virtual LAN

VLANs fall into 3 categories:

  1. Standard
  • Range 1-1005
  • VLAN 1
    • Default Ethernet access VLAN and default 802.1Q native VLAN.
    • Cannot be deleted, but can be manually pruned from trunks.
    • Cannot be pruned by VTP.
    • Should not be used for actual port assignment.
  • VLANs 1002 – 1005
    • Default legacy Token Ring / FDDI VLANs.
    • Cannot be deleted, but can be manually pruned from trunks.
    • Cannot be pruned by VTP.
    • Should not be used for actual port assignment.
  2. Extended
  • Range 1006 – 4096
  • Can normally only be used in one of two cases:
    • VTP is configured in transparent mode.
    • VTP version 3.
  • Not all extended VLANs can be used.
    • Some are reserved for "internal" usage.
  3. Internal VLANs (reserved for internal applications).
  • E.g. a native layer 3 switchport.
  • show vlan internal usage.
  • Not all platforms agree on the internal usage.

Configuration & Verification?

!!! Ways of creating a VLAN:
1. Globally.
2. Vlan Database.
3. At the time of assignment.

Note: Creating a VLAN automatically creates an STP instance and a MAC address table.

Verification:
#show vlan brief
#show spanning-tree vlan
Output:
“Spanning-tree instances for vlan 10 does not exist”
– Means there is no port allocated to VLAN 10

!!! Configuring Extended Vlans
#configure terminal
#vtp version 3 (or vtp mode transparent)

#vlan 3000
#name Extended_Vlan

Verification:
#show vlan brief
#show spanning-tree vlan

!!! Configuring Internal Vlans
#interface f1/1
#no switchport

Note: After configuring an L3 interface, the switch automatically allocates a specific internal VLAN to it.

!!! Changing Allocation
#vlan internal allocation policy descending

Verification:
#show vlan internal usage
Output:
VLAN Usage
—- ——————–
1006 FastEthernet1/1
1007 FastEthernet1/2
#show run | inc vlan|internal
Output:
"vlan internal allocation policy ascending" (default)
– Ascending – starts allocating at 1006 and works up towards 4096.
– Descending – starts allocating at 4096 and works down towards 1006.

Note: It's better to use descending so that allocation starts from the top, which is VLAN 4096. Also, this internal VLAN feature is platform specific.

Q’S:
1. Does STP or CDP run on VLAN 1?
A: It depends on the individual control-plane protocol; in short, yes. But even if we remove VLAN 1 from the allowed VLAN list, we will not break the control plane of the switches.

2. Is it possible to use the extended vlan that was already allocated on internal vlan?
A: No, a VLAN assigned as an internal VLAN will not be available.
Test:
#vlan 1006
#name TEST_IN
#Exit
% Failed to create VLANs 1026
VLAN(s) not available in Port Manager.
%Failed to commit extended VLAN(s) changes.
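As an added example (not from the original notes), this Python simulates the internal VLAN allocation policy described above and the failure in this Q&A: `no switchport` consumes an extended VLAN from the bottom (ascending, the default) or from the top (descending), and a later `vlan <vid>` for an internally allocated ID is refused. The class is mine; the usable extended range is modelled as 1006 to 4094, since 4095 is reserved (the notes round the top of the range to 4096).

```python
class VlanTable:
    """Simulates extended-VLAN creation against internal VLAN allocation on a switch."""

    EXT_LOW, EXT_HIGH = 1006, 4094   # 4095 is reserved; the notes round the top to 4096

    def __init__(self, policy: str = "ascending"):
        if policy not in ("ascending", "descending"):
            raise ValueError(f"unknown allocation policy {policy!r}")
        self.policy = policy
        self.internal = {}   # vid -> L3 interface that consumed it
        self.user = {}       # vid -> VLAN name

    def _next_internal(self) -> int:
        candidates = range(self.EXT_LOW, self.EXT_HIGH + 1)
        if self.policy == "descending":
            candidates = reversed(candidates)
        for vid in candidates:
            if vid not in self.internal and vid not in self.user:
                return vid
        raise RuntimeError("no internal VLAN left in the extended range")

    def no_switchport(self, ifname: str) -> int:
        """'no switchport' on a port: an internal VLAN is taken from the extended range."""
        vid = self._next_internal()
        self.internal[vid] = ifname
        return vid

    def create_vlan(self, vid: int, name: str) -> tuple:
        """'vlan <vid>' / 'name <name>': refused when the VID is already internally allocated."""
        if vid in self.internal:
            return False, f"% Failed to create VLANs {vid}\nVLAN(s) not available in Port Manager."
        if not 1 <= vid <= self.EXT_HIGH:
            return False, f"% Invalid VLAN id {vid}"
        self.user[vid] = name
        return True, f"VLAN {vid} ({name}) created"

    def show_vlan_internal_usage(self) -> list:
        """Equivalent of 'show vlan internal usage': (vid, interface) pairs."""
        return sorted(self.internal.items())


def demo() -> dict:
    asc = VlanTable("ascending")                  # the default policy
    asc.no_switchport("FastEthernet1/1")
    asc.no_switchport("FastEthernet1/2")
    desc = VlanTable("descending")
    desc.no_switchport("FastEthernet1/1")
    desc.no_switchport("FastEthernet1/2")
    return {
        "asc_usage": asc.show_vlan_internal_usage(),
        "asc_create_1006": asc.create_vlan(1006, "TEST_IN")[0],    # refused
        "desc_usage": desc.show_vlan_internal_usage(),
        "desc_create_1006": desc.create_vlan(1006, "TEST_IN")[0],  # succeeds
    }
```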