Saturday, October 16, 2010

BGP

* Note: Outgoing route advertisements directly affect incoming traffic.

* Note: MED is considered a metric so a lower value is better.

Path Attributes
Count per category: 3 WKM (well-known mandatory), 2 WKD (well-known discretionary), 2 OT (optional transitive), 3 ONT (optional non-transitive).

1. Origin (WKM)
2. AS_Path(WKM)
3. Next_Hop (WKM)
4. Local_pref (WKD)
5. Atomic_aggregate (WKD)
6. Aggregator (OT)
7. Community (OT)
8. Originator_ID(ONT)
9. MED (ONT)
10. Cluster_List (ONT)

Origin (WKM)  -

IGP / EGP / Incomplete

IGP - NLRI was learned from a protocol internal to the AS and gets the highest preference.

EGP - NLRI was learned from the exterior gateway protocol and gets medium preference.

Incomplete - NLRI was learned by some other means, typically redistribution; there is no reliable way to know how it got there, and it gets the lowest preference.
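Added example (not from these notes): a small Python model of the best-path comparison the ORIGIN ranking and the MED note above feed into. The Path class, the candidate set and the neighbor-address tie-break are constructed for the example; weight is left out and MED is compared across every path as if bgp always-compare-med were set, so the ordering shown is LOCAL_PREF, AS_PATH length, ORIGIN, MED, eBGP over iBGP.

```python
from dataclasses import dataclass
from typing import List

# ORIGIN codes in order of preference: IGP (i) is best, then EGP (e),
# then Incomplete (?). A lower rank is better.
ORIGIN_RANK = {"IGP": 0, "EGP": 1, "INCOMPLETE": 2}

STEP_NAMES = ["LOCAL_PREF", "AS_PATH length", "ORIGIN", "MED",
              "eBGP over iBGP", "neighbor address"]


@dataclass
class Path:
    """One candidate path for a prefix (constructed subset of attributes)."""
    neighbor: str            # address of the peer the path was learned from
    as_path: List[int]       # AS_SEQUENCE, most recently added AS first
    origin: str              # "IGP", "EGP" or "INCOMPLETE"
    local_pref: int = 100    # Cisco default LOCAL_PREF
    med: int = 0             # MED is a metric: lower is better
    ebgp: bool = True        # learned over eBGP rather than iBGP


def path_key(p: Path) -> tuple:
    """Sort key: element-wise smaller means more preferred.

    Steps in order: higher LOCAL_PREF (negated), shorter AS_PATH, lower
    ORIGIN rank, lower MED, eBGP before iBGP, then the neighbor address
    as a constructed stand-in for the lowest-router-ID tie-break.
    """
    return (-p.local_pref, len(p.as_path), ORIGIN_RANK[p.origin],
            p.med, 0 if p.ebgp else 1, p.neighbor)


def best_path(paths: List[Path]) -> Path:
    return min(paths, key=path_key)


def decisive_step(winner: Path, loser: Path) -> str:
    """Name the first comparison step at which winner beats loser."""
    for name, w, l in zip(STEP_NAMES, path_key(winner), path_key(loser)):
        if w != l:
            return name
    return "tie"


# Constructed candidates for one prefix.
CANDIDATES = [
    Path("10.0.0.1", [65001, 65002], "IGP", med=50),
    Path("10.0.0.2", [65003], "INCOMPLETE", med=10),
    Path("10.0.0.3", [65004], "IGP", med=20),
    Path("10.0.0.4", [65004], "IGP", med=5),
]

if __name__ == "__main__":
    best = best_path(CANDIDATES)
    print("best:", best.neighbor)
    for other in CANDIDATES:
        if other is not best:
            print(f"  beats {other.neighbor} on {decisive_step(best, other)}")
```

Note how 10.0.0.3 beats 10.0.0.2 on ORIGIN even though 10.0.0.2 has the lower MED: ORIGIN is compared before MED, so the lower MED only decides between paths that tie on everything ahead of it.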

AS_Path (WKM)-

This attribute carries the sequence of AS numbers through which the NLRI has passed, beginning with the most recent and ending with the originating AS. A BGP router prepends its own AS only when advertising to an eBGP neighbor, NOT to an iBGP neighbor. A router that sees its own AS already in the path rejects the route, which is why AS_Path is considered the loop-avoidance mechanism.

Next_Hop (WKM) -
  • If the advertising router and receiving router are in different ASs, the next_hop is the IP address of the advertising router's interface.
  • If the advertising router and the receiving router are in the same AS and the NLRI of the update refers to a destination within the same AS, the next_hop is the IP address of the neighbor that advertised the route.
  • If the advertising router and the receiving router are internal peers and the NLRI of the update refers to a destination in a different AS, the next_hop is the IP address of the external peer from which the route was learned.

Community (OT) -
  • Identifies a destination as a member of some community of destinations that share one or more common properties.
  • The Community attribute is a set of 4-octet values, written AA:NN.
    • The first 2 octets are the AS number.
    • The second 2 octets are an administratively defined identifier.
  • The default display is NN:AA, which can be changed with "ip bgp-community new-format".
  1. INTERNET - Does not have a value; all routes belong to this community by default.
  2. NO_EXPORT - Cannot be advertised to an eBGP peer or, if a confederation is configured, cannot be advertised outside of the confederation.
  3. NO_ADVERTISE - Routes received with this attribute cannot be advertised at all.
  4. LOCAL_AS - Cannot be advertised to eBGP peers, including peers in other member ASs within a confederation.
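Added example (not from these notes): Python helpers that pack and unpack the AA:NN form and apply the three well-known communities to an outbound update. The well-known values are the RFC 1997 constants (Cisco's LOCAL_AS is the RFC's NO_EXPORT_SUBCONFED); the peer classification "ibgp" / "confed_ebgp" / "ebgp" and the filter function are the example's own simplification of the rules above.

```python
from typing import Iterable

# Well-known community values from RFC 1997.
NO_EXPORT = 0xFFFFFF01
NO_ADVERTISE = 0xFFFFFF02
LOCAL_AS = 0xFFFFFF03          # RFC name: NO_EXPORT_SUBCONFED
WELL_KNOWN = {NO_EXPORT: "no-export", NO_ADVERTISE: "no-advertise",
              LOCAL_AS: "local-AS"}


def encode_community(asn: int, value: int) -> int:
    """Pack AA:NN into one 4-octet value, AS number in the high 16 bits."""
    for part in (asn, value):
        if not 0 <= part <= 0xFFFF:
            raise ValueError(f"{part} does not fit in 16 bits")
    return (asn << 16) | value


def decode_community(community: int) -> str:
    """Render a community as new-format AA:NN, or its well-known name."""
    if community in WELL_KNOWN:
        return WELL_KNOWN[community]
    return f"{community >> 16}:{community & 0xFFFF}"


def parse_community(text: str) -> int:
    """Accept AA:NN, a plain 32-bit decimal, or a well-known name."""
    by_name = {name: value for value, name in WELL_KNOWN.items()}
    if text in by_name:
        return by_name[text]
    if ":" in text:
        asn, value = text.split(":", 1)
        return encode_community(int(asn), int(value))
    community = int(text)
    if not 0 <= community <= 0xFFFFFFFF:
        raise ValueError("community must fit in 32 bits")
    return community


def may_advertise(communities: Iterable[int], peer_kind: str) -> bool:
    """Apply the well-known communities to a peer of kind "ibgp",
    "confed_ebgp" (another member AS of our confederation) or "ebgp"."""
    communities = set(communities)
    if NO_ADVERTISE in communities:
        return False                       # to nobody at all
    if peer_kind == "ibgp":
        return True                        # NO_EXPORT / LOCAL_AS do not limit iBGP
    if LOCAL_AS in communities:
        return False                       # not to any eBGP peer, confederation or not
    if NO_EXPORT in communities:
        return peer_kind == "confed_ebgp"  # may stay inside the confederation
    return True


if __name__ == "__main__":
    c = encode_community(65001, 100)
    print(c, decode_community(c), decode_community(NO_EXPORT))
    for kind in ("ibgp", "confed_ebgp", "ebgp"):
        print(kind, may_advertise({NO_EXPORT}, kind), may_advertise({LOCAL_AS}, kind))
```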

Internal BGP - TTL of 255

External BGP - TTL of 1

iBGP and IGP Synchronization

BGP does NOT advertise routes that have been learned from other iBGP peers.

BGP Synchronization: Before a route learned from an iBGP neighbor is entered into the routing table or advertised to a BGP peer, the route must first be known via an IGP.


Confederations:

AS_Path contains (2) additional segment types:

i. AS_CONFED_SEQUENCE
ii. AS_CONFED_SET

Route selection inside a confederation:

1. eBGP routes are preferred over routes from a member AS (confederation eBGP), and iBGP routes come last.


NEXT_HOP and MED can be advertised unchanged between member ASs, and LOCAL_PREF can be sent as well. When peering with a normal eBGP peer, LOCAL_PREF means nothing.
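Added example (not from these notes) tying together the AS_Path, Next_Hop, iBGP readvertisement and confederation rules above: a Python BgpSpeaker that performs the loop check on receipt and rewrites AS_PATH and NEXT_HOP on the way out, depending on whether the peer is iBGP, a confederation member AS, or a true eBGP peer. The speaker class, the segment representation and the AS numbers are constructed for the example; the readvertisement outcomes are what the rules in the notes produce.

```python
from typing import List, Optional, Tuple

# AS_PATH modelled as a list of (segment type, [AS numbers]), with the most
# recently added AS first inside each sequence segment.
Segment = Tuple[str, List[int]]
CONFED_SEGMENTS = ("AS_CONFED_SEQUENCE", "AS_CONFED_SET")

# Source preference inside a confederation, from the notes: eBGP, then a
# member AS (confederation eBGP), then iBGP. Lower rank is preferred.
SOURCE_RANK = {"ebgp": 0, "confed_ebgp": 1, "ibgp": 2}


class BgpSpeaker:
    def __init__(self, asn: int, confed_id: Optional[int] = None,
                 members: Tuple[int, ...] = ()):
        self.asn = asn                 # own AS (the member AS inside a confederation)
        self.confed_id = confed_id     # confederation identifier, None if not in one
        self.members = set(members)    # the other member ASs of the confederation

    def peer_kind(self, peer_as: int) -> str:
        if peer_as == self.asn:
            return "ibgp"
        if self.confed_id is not None and peer_as in self.members:
            return "confed_ebgp"
        return "ebgp"

    def accept(self, as_path: List[Segment]) -> bool:
        """Loop avoidance on receipt: discard the route if our own AS, or the
        confederation ID we are advertised as, already appears in AS_PATH."""
        mine = {self.asn}
        if self.confed_id is not None:
            mine.add(self.confed_id)
        return not any(mine & set(asns) for _, asns in as_path)

    @staticmethod
    def as_path_length(as_path: List[Segment]) -> int:
        """Length used by best-path: AS_SEQUENCE counts every AS, an AS_SET
        counts as one hop, confederation segments count nothing."""
        return sum(len(asns) if seg == "AS_SEQUENCE" else 1
                   for seg, asns in as_path if seg in ("AS_SEQUENCE", "AS_SET"))

    def outbound(self, as_path: List[Segment], learned_from: str,
                 learned_next_hop: str, my_address: str,
                 peer_as: int) -> Optional[dict]:
        """AS_PATH and NEXT_HOP as they would be sent to peer_as, or None when
        the route is not advertised at all. learned_from is the session the
        route came from ("ebgp", "confed_ebgp", "ibgp") or "local"."""
        kind = self.peer_kind(peer_as)
        if kind == "ibgp" and learned_from == "ibgp":
            return None      # iBGP-learned routes are never readvertised to iBGP
        if kind == "ebgp":
            # Leaving the AS (or confederation): drop confed segments, prepend
            # the public AS, and set NEXT_HOP to our own interface address.
            public = [s for s in as_path if s[0] not in CONFED_SEGMENTS]
            public_as = self.asn if self.confed_id is None else self.confed_id
            return {"as_path": _prepend("AS_SEQUENCE", public_as, public),
                    "next_hop": my_address}
        # iBGP or confederation eBGP: NEXT_HOP stays the external peer for
        # routes learned from a peer, and is our own address for local ones.
        next_hop = my_address if learned_from == "local" else learned_next_hop
        if kind == "confed_ebgp":
            return {"as_path": _prepend("AS_CONFED_SEQUENCE", self.asn, as_path),
                    "next_hop": next_hop}
        return {"as_path": list(as_path), "next_hop": next_hop}


def _prepend(seg_type: str, asn: int, as_path: List[Segment]) -> List[Segment]:
    """Prepend asn to the leading segment if it has the right type,
    otherwise open a new segment of that type in front."""
    if as_path and as_path[0][0] == seg_type:
        return [(seg_type, [asn] + as_path[0][1])] + as_path[1:]
    return [(seg_type, [asn])] + list(as_path)


if __name__ == "__main__":
    # Constructed confederation 65000 with member ASs 65501 and 65502.
    r1 = BgpSpeaker(65501, confed_id=65000, members=(65502,))
    r2 = BgpSpeaker(65502, confed_id=65000, members=(65501,))
    learned = [("AS_SEQUENCE", [65010, 65020])]
    to_member = r1.outbound(learned, "ebgp", "192.0.2.1", "10.1.1.1", 65502)
    print("r1 -> r2:", to_member)
    print("r2 -> AS 65030:", r2.outbound(to_member["as_path"], "confed_ebgp",
                                         to_member["next_hop"], "10.2.2.2", 65030))
```

Walking the constructed case through: the member-AS hop is recorded in an AS_CONFED_SEQUENCE and NEXT_HOP is carried unchanged inside the confederation; when the route leaves through r2 the confederation segment disappears and only 65000 is visible in front of 65010 65020, which is also why the loop check treats 65000 as "our own" AS.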

neighbor x.x.x.x default-originate is the same as OSPF's default-information originate always, in that a default is advertised whether or not the router has a default route.


If only the default is to be sent, you must use a route filter to suppress all more-specific routes:

neighbor x.x.x.x distribute-list 1 out

access-list 1 permit 0.0.0.0
access-list 1 deny any

You can run the IGP in passive mode on external eBGP interfaces, or you can redistribute connected interfaces on AS border routers.


(2) ways to create an aggregate address under BGP:

i. Create a static route and advertise it with the network command.
ii. Use the aggregate-address command.

ip route 192.168.192.0 255.255.248.0 Null0

router bgp 1
network 192.168.192.0 mask 255.255.248.0

The route to Null0 is a safeguard: traffic for a part of the aggregate that has no more-specific match in the routing table is dropped there instead of following a less-specific route (such as a default) back out.
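Added example (not from these notes) for the two items just covered, the default-only distribute-list and the Null0 aggregate: a Python longest-prefix-match table that shows what happens to a packet for an address inside the /21 aggregate that has no /24 component, with and without the Null0 route, plus the filter that access-list 1 applies to outbound prefixes. The table contents, next-hop addresses and the acl_1_permits name are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]


def build_table(routes: Dict[str, str]) -> List[Route]:
    """Routing table ordered longest prefix first, so the first match wins."""
    table = [(ipaddress.ip_network(prefix), next_hop)
             for prefix, next_hop in routes.items()]
    return sorted(table, key=lambda route: route[0].prefixlen, reverse=True)


def lookup(table: List[Route], destination: str) -> Optional[str]:
    """Longest-prefix match; None when nothing (not even a default) matches."""
    address = ipaddress.ip_address(destination)
    for network, next_hop in table:
        if address in network:
            return next_hop
    return None


def forward(table: List[Route], destination: str) -> str:
    next_hop = lookup(table, destination)
    if next_hop is None:
        return "no route"
    if next_hop == "Null0":
        return "dropped (Null0)"
    return f"via {next_hop}"


def acl_1_permits(prefix: str) -> bool:
    """'access-list 1 permit 0.0.0.0' with no wildcard matches exactly the
    address 0.0.0.0, i.e. only the default route's network; every other
    prefix falls through to the deny."""
    network = ipaddress.ip_network(prefix)
    return network.network_address == ipaddress.ip_address("0.0.0.0")


def distribute_list_out(prefixes: List[str]) -> List[str]:
    """What 'neighbor x.x.x.x distribute-list 1 out' lets through."""
    return [prefix for prefix in prefixes if acl_1_permits(prefix)]


# Constructed table: two /24 components of the aggregate, the /21 aggregate
# itself pointed at Null0, and a default route toward an upstream router.
ROUTES = {
    "192.168.192.0/24": "10.1.1.2",
    "192.168.193.0/24": "10.1.1.3",
    "192.168.192.0/21": "Null0",
    "0.0.0.0/0": "10.0.0.1",
}
WITH_NULL0 = build_table(ROUTES)
WITHOUT_NULL0 = build_table({p: nh for p, nh in ROUTES.items() if nh != "Null0"})

if __name__ == "__main__":
    for dst in ("192.168.192.5", "192.168.199.9", "8.8.8.8"):
        print(dst, "with Null0:", forward(WITH_NULL0, dst),
              "| without:", forward(WITHOUT_NULL0, dst))
```

192.168.199.9 is covered by the advertised /21 but by neither /24; with the Null0 route it is discarded locally, without it the default sends it back to the upstream that just forwarded it to us for the aggregate.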

    Friday, October 15, 2010

    Security 101

    aaa authorization console
    aaa authorization exec default none
    aaa authorization exec CONSOLE group tacacs+ local
    aaa authorization exec VTY group tacacs+ if-authenticated
    username ADMIN privilege 7 password 0 CISCO
    line con 0
    authorization exec CONSOLE
    line vty 0 4
    privilege level 15
    password cisco
    authorization exec VTY
    login authentication VTY

    Authorization is a procedure for granting certain rights to a process, or granting a permission to perform a certain action. The authorization procedure is only possible for authenticated entities. The identity of a subject is used to look up the policy and determine the permissions. This is why authentication always precedes authorization. In some cases, it is possible to grant some rights to unidentified subjects.
    The goal of exec authorization is assigning a privilege level (0-15) to a logged in user. You configure an exec authorization list using the command:
    aaa authorization exec {default|<NAME>} <Method List>
    As with authentication, you can define a default list (which is used system wide) or apply a specific list per terminal line. Generally, there are three methods to obtain authorization information:
    1) Consult a remote AAA server and download the user attributes. TACACS+ performs this procedure as a separate operation, but RADIUS has no explicit authorization state, and returns authorization information in authentication replies. Here is an example of using TACACS+ as the source of the required information:
    aaa authorization exec default group tacacs+
    2) Consult the local username database, looking for the privilege level assigned to the authenticated user:
    aaa authorization exec default local
    3) Use default settings, for example, the default privilege level assigned to the terminal line, if the authorization configuration permits. This is commonly used when you disable authorization (method “none”) or authorize settings for any authenticated users (method “if-authenticated”). Note the difference between the method “none” and “if-authenticated” from the following example:

    Scenario 1:
    aaa authentication login default tacacs+ none
    aaa authorization exec default none
    !
    line console 0
    privilege level 15


    Scenario 2:
    aaa authentication login default tacacs+ none
    aaa authorization exec default if-authenticated
    !
    line console 0
    privilege level 15
    In the first case, if the TACACS+ server is not available, the router will allow incoming console connections without authentication. Since there is no exec authorization, the user will be granted the exec shell with privilege 15. In the second case, if the TACACS+ server is not available, the system grants access without authentication but fails authorization of the exec shell.
    Thus, the difference between “none” and “if-authenticated” authorization cases is that the former always applies the desired authorization parameters without any verification. The latter requires the user to be authenticated, but does not consult the user database to check authorization attributes.
    By default, exec authorization is set to “none”, so you may need to change it to accomplish your needs. Also, note that IOS routers by default do not authorize exec sessions on the console line. On the contrary, Catalyst IOS always authorizes the exec shell, even on the console line. Therefore, if you disable console authentication in the Catalyst switch, make sure you never apply a AAA authorization list to the console (explicitly or using the default settings). You may enable console exec authorization in IOS routers using the command aaa authorization console.

    ___________________

    privilege exec level 7 configure terminal
    privilege exec level 7 undebug all
    privilege exec level 7 show running-config
    privilege exec level 7 debug ip rip
    privilege configure level 7 interface
    privilege interface level 7 shutdown
    privilege interface level 7 no shutdown
    privilege interface all level 7 ip


    IOS allows configuring command authorization by using the local configuration database. Command authorization permits specific commands to groups of users. IOS also supports remote command authorization with the TACACS+ protocol, but this is out of the scope of the CCIE R&S lab exam.
    Local command authorization uses the concept of privilege levels. There are sixteen levels supported, 0 to 15. Every next level supports the commands found in all previous levels, e.g. privilege 5 includes levels 0-5, and privilege 15 includes levels 0-15. By default, IOS has three privilege levels pre-configured:
    Level 0 - just a few basic commands, such as enable, login, and exit
    Level 1 - the default exec user level; has some show commands available, but no configuration commands
    Level 15 - the maximum privilege level, also known as privileged mode or enable mode; includes all the commands available in IOS
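Added example (not from these notes, nor IOS code) for the two AAA passages above: a Python model of how a login method list and an exec authorization list are walked, reproducing Scenario 1 and Scenario 2 with the TACACS+ server down, followed by local command authorization against the privilege 7 entries configured above. The user databases, the server-down behaviour (an unreachable method is skipped, the first method that answers decides) and the DEFAULT_LEVEL values for commands not moved to level 7 are constructed assumptions of the example.

```python
from typing import List, Optional, Tuple

# Constructed stand-ins for the TACACS+ server's user list and the local
# 'username' database (ADMIN is configured locally at privilege 7 above).
TACACS_USERS = {"ADMIN": {"password": "CISCO", "privilege": 15}}
LOCAL_USERS = {"ADMIN": {"password": "CISCO", "privilege": 7}}


def authenticate(methods: List[str], user: str, password: str,
                 tacacs_up: bool) -> Tuple[str, str]:
    """Walk a login method list: a method that cannot answer (server down)
    is skipped, the first one that answers decides. Outcome is "pass",
    "fail" or "none" (admitted without any authentication)."""
    for method in methods:
        if method == "group tacacs+":
            if not tacacs_up:
                continue                            # unreachable: next method
            entry = TACACS_USERS.get(user)
            return ("pass" if entry and entry["password"] == password else "fail", method)
        if method == "local":
            entry = LOCAL_USERS.get(user)
            return ("pass" if entry and entry["password"] == password else "fail", method)
        if method == "none":
            return ("none", method)
    return ("fail", "no method answered")


def authorize_exec(methods: List[str], user: str, auth_outcome: str,
                   line_privilege: int, tacacs_up: bool) -> Optional[int]:
    """Privilege level granted to the exec shell, or None if authorization fails."""
    for method in methods:
        if method == "none":
            return line_privilege                   # applied without any verification
        if method == "if-authenticated":
            return line_privilege if auth_outcome == "pass" else None
        if method == "group tacacs+":
            if not tacacs_up:
                continue
            entry = TACACS_USERS.get(user)
            return entry["privilege"] if entry else None
        if method == "local":
            entry = LOCAL_USERS.get(user)
            return entry["privilege"] if entry else None
    return None


def login(auth_methods: List[str], authz_methods: List[str], user: str,
          password: str, line_privilege: int, tacacs_up: bool) -> Optional[int]:
    """Authentication first, then exec authorization: the privilege level of
    the resulting shell, or None if the session is refused."""
    outcome, _ = authenticate(auth_methods, user, password, tacacs_up)
    if outcome == "fail":
        return None
    return authorize_exec(authz_methods, user, outcome, line_privilege, tacacs_up)


# Command authorization: the 'privilege <mode> level 7 <command>' lines above.
PRIVILEGE_TABLE = {
    ("exec", "configure terminal"): 7,
    ("exec", "undebug all"): 7,
    ("exec", "show running-config"): 7,
    ("exec", "debug ip rip"): 7,
    ("configure", "interface"): 7,
    ("interface", "shutdown"): 7,
    ("interface", "no shutdown"): 7,
}
# Constructed defaults for commands that were not moved: a user-level show
# command at 1, debug and configuration commands at 15.
DEFAULT_LEVEL = {("exec", "show ip route"): 1, ("exec", "debug ip ospf"): 15,
                 ("configure", "router"): 15, ("interface", "description"): 15}


def command_level(mode: str, command: str) -> int:
    if (mode, command) in PRIVILEGE_TABLE:
        return PRIVILEGE_TABLE[(mode, command)]
    if mode == "interface" and command.split()[0] == "ip":
        return 7                       # 'privilege interface all level 7 ip'
    return DEFAULT_LEVEL.get((mode, command), 15)


def can_run(user_level: int, mode: str, command: str) -> bool:
    """Each level includes every lower level, so a level-7 user may run
    anything placed at level 7 or below."""
    return user_level >= command_level(mode, command)


if __name__ == "__main__":
    auth = ["group tacacs+", "none"]
    print("Scenario 1, server down:", login(auth, ["none"], "anyone", "", 15, False))
    print("Scenario 2, server down:", login(auth, ["if-authenticated"], "anyone", "", 15, False))
    print("level 7 -> configure terminal:", can_run(7, "exec", "configure terminal"))
```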

    Wednesday, October 13, 2010

    DHCP On-Demand

    R1:
    interface Serial 0/1
    encapsulation ppp
    ip address negotiated
    ppp ipcp mask request
    ppp ipcp dns request
    no peer neighbor-route
    !
    !
    ip dhcp pool ODAP_POOL
    import all
    origin ipcp
    !
    router rip
    no validate-update-source
    ____

    R3:
    interface Serial 1/2
    encapsulation ppp
    ip address 155.1.13.3 255.255.255.0
    peer default ip address 155.1.13.1
    ppp ipcp mask 255.255.255.0
    ppp ipcp dns 155.1.146.4 155.1.146.6
    no peer neighbor-route

    Monday, October 11, 2010

    OSPFv2 LSA Notes

    OSPF-

    The router that generated the LSA, floods a new copy with an incremented sequence number and an age of zero.

    LSA Aging time - 60 Minutes

    LSA Refresh -     30 minutes

    LSA Group Pacing (240 seconds) - This solves the problem of a single refresh timer expiring and a massive update being flooded through the network all at once.

    Router OSPF 1 (Depends on the IOS in use)
    #timers lsa-group-pacing / #timers pacing lsa-group

    _________

    LSA TYPES -

    Type 1 - Router LSA - Lists all of the routers links, interfaces, the state, the cost of each link and any known OSPF neighbors on the link. These are flooded only within the area in which they were originated. (#show ip ospf database router)

    Type 2 - Network LSA - These are produced by the DR and list all attached routers, including the DR itself. They are only flooded within the originating area. Notice there is no metric, as the cost to the DR is always (0). (#show ip ospf database network)

    Type 3 - Network Summary LSA - These are originated by ABRs. They are sent into a single area to advertise destinations outside that area; in essence, these are the destinations the ABR can reach. Default routes external to the area but internal to the OSPF process are also advertised by this LSA type. (#show ip ospf database summary) When an ABR originates a Network Summary LSA, it includes the cost from itself to the destination the LSA advertises. The ABR will only generate (1) LSA for a given network even if it knows of multiple ways to get there. Although OSPF is a link-state routing protocol within an area, it uses a distance-vector algorithm to find inter-area routes.

    Type 4 - ASBR Summary LSA - These are also generated by ABRs. They are identical to Network Summary LSAs except that the destination they advertise is an ASBR. (#show ip ospf database asbr-summary) The destination advertised is always a host route, since it is a route to a router.

    Type 5 - AS External LSA - These are originated by ASBRs. They advertise either a destination external to the OSPF AS or a default-route external to the OSPF AS. AS external are flooded throughout the entire AS. (#show ip ospf database external)

    Type 7 - NSSA External LSA - These are originated by ASBRs within an NSSA. They are almost identical to AS External LSAs, but they are not flooded throughout the entire AS, only within the NSSA. (#show ip ospf database nssa-external)

    "Routing Bit Set on this LSA" - This is not part of the LSA but an internal maintenance bit indicating that the destination is valid / Is in the routing table.

    STUB Areas - A stub area is an area into which no AS External LSAs are flooded, so Type 4 and Type 5 LSAs are not necessary. ABRs at the edge of a stub area use Network Summary (Type 3) LSAs to advertise a single default route into the area.

    There are (4) restrictions on "STUB" areas.

    1. All stub routers set a flag (the E-bit) in their hello packets to zero (0). They will not accept hellos from a router with the E-bit set to one (1).

    2. Virtual links (VLs) can't be configured within, or transit through, a stub area.

    3. No router within a stub area can be an ASBR. ASBRs produce Type 5 LSAs, and those are not allowed in a stub area.

    4. A stub area may have more than one ABR.

    Totally Stubby Area - 

    These use a default route to reach destinations external to the AS and also those external to the area. Only (1) Type 3 LSA is allowed into the area, and that's the default route.

    Not-So-Stubby Area -

    Allows external routes to be advertised into the AS while still retaining the characteristics of a stub area. The ASBR inside the NSSA generates Type 7 LSAs, which are flooded throughout the NSSA and blocked by the ABR.

    The NSSA External LSA has a flag known as the P-bit. If the NSSA's ABR receives a Type 7 LSA with the P-bit set to one (1), it translates the Type 7 into a Type 5 and floods it throughout the AS. If the P-bit is set to zero (0), no translation takes place and the destinations are not advertised outside of the NSSA.
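Added example (not from these notes): a Python model of the area-type rules in the LSA section above, answering which LSA types an ABR injects into a normal, stub, totally stubby or NSSA area, what a router in each area type should see in its database, how the P-bit drives Type 7 to Type 5 translation at the NSSA ABR, and the E-bit check that keeps stub and non-stub routers from forming an adjacency. The LSA dataclass, the area-type names and the sample prefixes are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Set

# Flooding scope of each LSA type, as given in the notes.
FLOOD_SCOPE = {1: "area", 2: "area", 3: "area", 4: "area",
               5: "whole AS", 7: "NSSA only"}


@dataclass
class LSA:
    lsa_type: int
    prefix: str
    p_bit: bool = False        # Type 7 only: may the ABR translate it to Type 5?
    is_default: bool = False   # True for the 0.0.0.0/0 summary


def abr_injects(lsa: LSA, area_type: str) -> bool:
    """Does an ABR flood this LSA into an area of the given type?
    area_type is "normal", "stub", "totally_stubby" or "nssa".
    Types 1, 2 and 7 originate inside an area, so an ABR never injects them."""
    if lsa.lsa_type == 3:
        if area_type == "totally_stubby":
            return lsa.is_default      # only the default summary is let in
        return True                    # normal, stub and NSSA all take Type 3
    if lsa.lsa_type in (4, 5):
        return area_type == "normal"   # no external information in the others
    return False


def types_in_lsdb(area_type: str) -> Set[int]:
    """LSA types a router inside that area type can expect in its database."""
    present = {1, 2}
    if area_type == "normal":
        present |= {3, 4, 5}
    elif area_type in ("stub", "totally_stubby"):
        present |= {3}                 # totally stubby: just the default summary
    elif area_type == "nssa":
        present |= {3, 7}
    return present


def nssa_abr_translate(lsa: LSA) -> Optional[LSA]:
    """Type 7 to Type 5 translation at the NSSA ABR, controlled by the P-bit."""
    if lsa.lsa_type != 7:
        raise ValueError("only Type 7 LSAs are translated")
    if not lsa.p_bit:
        return None                    # stays inside the NSSA
    return LSA(5, lsa.prefix)


def hellos_compatible(e_bit_local: int, e_bit_received: int) -> bool:
    """Stub routers clear the E-bit and refuse hellos whose E-bit is set,
    so an adjacency forms only when both sides agree on the flag."""
    return e_bit_local == e_bit_received


if __name__ == "__main__":
    default = LSA(3, "0.0.0.0/0", is_default=True)
    for area in ("normal", "stub", "totally_stubby", "nssa"):
        print(area, sorted(types_in_lsdb(area)),
              "default:", abr_injects(default, area),
              "summary:", abr_injects(LSA(3, "10.1.0.0/16"), area),
              "external:", abr_injects(LSA(5, "203.0.113.0/24"), area))
    print(nssa_abr_translate(LSA(7, "198.51.100.0/24", p_bit=True)))
```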

    Sunday, October 10, 2010

    Spanning Tree Notes

    The log message below came from creating 200 VLANs with the default PVST+:

    %SPANTREE_VLAN_SW-2-MAX_INSTANCE: Platform limit of 128 instances exceeded. No instance created for VLAN128


    MST essentially takes the best features of IEEE 802.1D Spanning-Tree, AKA Common Spanning-Tree, and the Cisco extensions to STP, PVST, PVST+, Rapid PVST+, and combines them.

    ##### MST0    vlans mapped:   201-4094
    Bridge        address 000c.ceab.bc80  priority      32768 (32768 sysid 0)
    Root          this switch for the CIST
    Operational   hello time 2 , forward delay 15, max age 20, txholdcount 6
    Configured    hello time 2 , forward delay 15, max age 20, max hops    20

    Interface        Role Sts Cost      Prio.Nbr Type
    ---------------- ---- --- --------- -------- --------------------------------
    Fa0/9            Desg FWD 200000    128.9    P2p
    Fa0/10           Desg FWD 200000    128.10   P2p
    Fa0/13           Desg FWD 200000    128.13   P2p
    Fa0/14           Desg FWD 200000    128.14   P2p

    ##### MST1    vlans mapped:   1-100
    Bridge        address 000c.ceab.bc80  priority      32769 (32768 sysid 1)
    Root          this switch for MST1

    Interface        Role Sts Cost      Prio.Nbr Type
    ---------------- ---- --- --------- -------- --------------------------------
    Fa0/9            Desg FWD 200000    128.9    P2p
    Fa0/10           Desg FWD 200000    128.10   P2p
    Fa0/13           Desg FWD 200000    128.13   P2p
    Fa0/14           Desg FWD 200000    128.14   P2p

    ##### MST2    vlans mapped:   101-200
    Bridge        address 000c.ceab.bc80  priority      24578 (24576 sysid 2)
    Root          this switch for MST2

    Interface        Role Sts Cost      Prio.Nbr Type
    ---------------- ---- --- --------- -------- --------------------------------
    Fa0/9            Desg FWD 200000    128.9    P2p
    Fa0/10           Desg FWD 200000    128.10   P2p
    Fa0/13           Desg FWD 200000    128.13   P2p
    Fa0/14           Desg FWD 200000    128.14   P2p

    Similar to CST and PVST, MST uses a cost value derived from the inverse bandwidth of the interface (higher bandwidth means lower cost). The root port is chosen based on the lowest end-to-end cost to the root bridge. The show spanning-tree mst command shows the local cost values of the outgoing ports on the local switch.

    sw2#sh spanning-tree mst 0 detail

    ##### MST0    vlans mapped:   1-4094
    Bridge        address 0017.5900.fe80  priority      32768 (32768 sysid 0)
    Root          address 000c.ceab.bc80  priority      32768 (32768 sysid 0)
                  port    Fa0/13          path cost     200000  
    Regional Root address 0013.1a06.6580  priority      32768 (32768 sysid 0)
                                          internal cost 400000    rem hops 18
    Operational   hello time 2 , forward delay 15, max age 20, txholdcount 6
    Configured    hello time 2 , forward delay 15, max age 20, max hops    20

    FastEthernet0/9 of MST0 is alternate blocking
    Port info             port id         128.11  priority    128  cost      200000
    Designated root       address 000c.ceab.bc80  priority  32768  cost           0
    Design. regional root address 000c.ceab.bc80  priority  32768  cost           0
    Designated bridge     address 000c.ceab.bc80  priority  32768  port id    128.9
    Timers: message expires in 4 sec, forward delay 0, forward transitions 2
    Bpdus sent 16, received 444
    When MST is enabled, Rapid Spanning-Tree Protocol (RSTP) is automatically enabled. RSTP is an IEEE standard defined in 802.1w that speeds up convergence through a reliable handshaking process. RSTP defines new port “roles” to automatically allow for the functionality built into Cisco proprietary features such as PortFast and UplinkFast.
    RSTP “edge” ports behave the same as PVST PortFast enabled ports. However, in order to maintain backwards compatible configurations Cisco’s implementation of RSTP does not automatically elect edge ports as the standard suggests. Instead a port must be configured as an edge port with the spanning-tree portfast command.

    _______


    Protected ports are used to prevent traffic from being exchanged at layer 2 between two or more ports that are in the same VLAN. Traffic received on a protected port cannot be sent out another protected port; however, traffic received on a protected port can be sent out a non-protected port. This feature is a much smaller subset of the Private VLAN feature, and cannot span multiple physical switches.
    ________


    Storm control is used to limit the amount of unicast, multicast, or broadcast traffic received in a port. The most common application of this feature is to prevent broadcast storms, but it can also be used to police individual ports not to exceed a desired rate.
    _________


    Another static feature of the CAM table is the ability to Null route MAC addresses. Since static entries always override dynamically learned entries, if the drop keyword or an unused interface is used in the mac-address-table static command traffic destined to that MAC address will be dropped.