
SPNGN1

Building Cisco Service Provider Next-Generation Networks, Part 1
Volume 2
Version 1.01

Student Guide

Text Part Number: 97-3128-02


Americas Headquarters: Cisco Systems, Inc., San Jose, CA
Asia Pacific Headquarters: Cisco Systems (USA) Pte. Ltd., Singapore
Europe Headquarters: Cisco Systems International BV Amsterdam, The Netherlands
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this
URL: www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a
partnership relationship between Cisco and any other company. (1110R)

DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED “AS IS” AND AS SUCH MAY INCLUDE TYPOGRAPHICAL,
GRAPHICS, OR FORMATTING ERRORS. CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN CONNECTION WITH THE
CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF THIS CONTENT
OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES,
INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE,
OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. This learning product may contain early release
content, and while Cisco believes it to be accurate, it falls subject to the disclaimer above.

Student Guide © 2012 Cisco and/or its affiliates. All rights reserved.
Table of Contents
Volume 2
Basic IP Routing 3-1 
Overview 3-1 
Module Objectives 3-1 
Exploring the Functions of Routing 3-3 
Overview 3-3 
Objectives 3-3 
Router Basics 3-4 
Routers 3-6 
Router Functions 3-8 
Routing Table and Routing Decision 3-9 
Routing Table Information 3-10 
Routing Update Messages 3-10 
Building a Routing Table 3-11 
Routing Metrics 3-13 
Administrative Distance 3-14 
Routing Methods 3-15 
Summary 3-17 
Introducing the Cisco IOS XR 3-19 
Overview 3-19 
Objectives 3-19 
Classes of Cisco Routers 3-21 
Cisco IOS XR Architecture 3-23 
Cisco IOS XR Command Line Interface access 3-25 
Access and Login 3-26 
Command Modes 3-27 
CLI Prompt Syntax 3-28 
Command Mode Examples 3-29 
Cisco IOS XR Configuration 3-30 
Command-Line Editing 3-32 
Configuration Editing 3-33 
Virtual Routing and Forwarding 3-35 
Committing a Configuration 3-36 
Configuration Management 3-38 
Configuration Session Management 3-39 
Summary 3-41 
Configuring Basic Routing 3-43 
Overview 3-43 
Objectives 3-43 
Router Operations 3-45 
Static and Dynamic Routes 3-46 
Static Route Configuration 3-47 
Default Route Configuration 3-48 
Routing Protocols 3-49 
Autonomous Systems 3-50 
Classes of IGP Routing Protocols 3-52 
Maintaining Routing Information 3-53 
Converged Routing Table 3-54 
Counting to Infinity 3-55 
Routing Loops 3-58 
Split Horizon 3-59 
Route Poisoning and Poison Reverse 3-60 
Hold-Down Timers 3-62 
Triggered Updates 3-63 
Distance Vector Routing Convergence Process 3-64 
Routing Information Protocol 3-67 
Configuring Routing Protocols 3-70 
Summary 3-75 
Configuring EIGRP 3-77 
Overview 3-77 
Objectives 3-77 
EIGRP Introduction 3-78 
EIGRP Tables 3-80 
Path Calculation 3-81 
Metric 3-82 
EIGRP Configuration 3-83 
Autosummarization 3-85 
IPv6 Support for EIGRP 3-91 
EIGRP Load Balancing 3-93 
EIGRP Authentication 3-97 
Summary 3-100 
Understanding Cisco Router Security 3-101 
Overview 3-101 
Objectives 3-101 
Router Security 3-102 
Configuring Router Passwords 3-104 
Telnet vs. SSH Access 3-106 
Task Groups and User Groups in Cisco IOS XR 3-108 
Configuring User Groups and Users in Cisco IOS XR 3-109 
Configuring RADIUS and TACACS+ 3-111 
Implementing Logging 3-113 
Implementing SNMP 3-114 
Telnet Connections to Remote Devices 3-116 
SSH Connection to Remote Devices 3-119 
Connectivity Tests 3-120 
Summary 3-121 
Module Summary 3-123 
Module Self-Check 3-125 
Module Self-Check Answer Key 3-133 
Connectivity Technologies 4-1 
Overview 4-1 
Module Objectives 4-1 
Describing Access Technologies 4-3 
Overview 4-3 
Objectives 4-3 
Introducing WANs 4-4 
WANs vs. LANs 4-6 
WAN—Multiple WANs 4-7 
WAN Hardware 4-8 
Physical Layer: WANs 4-9 
WAN Encapsulation 4-11 
WAN Link Options 4-12 
WAN Access and the OSI Reference Model 4-13 
Carrier Ethernet 4-14 
Transport of Carrier Ethernet Services 4-16 
CFM and E-LMI 4-17 
Summary 4-18 
Introducing Service Provider Access, Edge, and Transport Technologies 4-19 
Overview 4-19 
Objectives 4-19 
Service Provider Access and Edge Technologies 4-21 
Frame Relay Overview 4-22 
ATM Cell Relay Technology 4-24 

ii Building Cisco Service Provider Next-Generation Networks, Part 1 (SPNGN1) v1.01 © 2012 Cisco Systems, Inc.
Metro Ethernet 4-25 
DSL 4-26 
Digital T1, T3, E1, E3 Circuits 4-28 
ISDN 4-29 
Mobile Networks 4-31 
Cable-Based WANs 4-32 
GPON 4-33 
FTTx 4-34 
BRAS 4-35 
BNG 4-36 
DSL Forum TR-101 4-37 
Service Provider Transport Technologies 4-38 
SONET/SDH 4-39 
DWDM and ROADM 4-40 
CES and TDMoIP 4-41 
IP over DWDM 4-42 
Gigabit Ethernet 4-43 
Summary 4-45 
Enabling the WAN Internet Connection 4-47 
Overview 4-47 
Objectives 4-47 
Internet Access Basics 4-49 
NAT Basics 4-52 
Port Address Translation 4-54 
NAT Types 4-55 
Static NAT 4-56 
Example: Translating Inside Source Addresses 4-56 
Implementing Static NAT 4-58 
Example: Static NAT Address Mapping 4-59 
Dynamic NAT and PAT 4-60 
Implementing Dynamic Translation 4-61 
Example: Dynamic Address Translation 4-62 
Implementing PAT 4-63 
Example: Overloading an Inside Global Address 4-63 
Acquiring Addresses with DHCP 4-67 
DHCP Configuration Parameters and Options 4-68 
DHCPv4 Sequence of Operations 4-69 
DHCPv4 Relay 4-71 
DHCPv6 4-72 
DHCPv6 Sequence of Operations 4-73 
DHCP Server Configuration 4-75 
DHCP Relay Configuration 4-77 
DHCP Client Configuration 4-78 
Summary 4-79 
WAN Encapsulation 4-81 
Overview 4-81 
Objectives 4-81 
DOCSIS Overview 4-82 
PPP Encapsulation 4-85 
PPP Session Establishment 4-87 
PPP Authentication Protocols 4-88 
Implementing PPP and Authentication 4-90 
DSL Encapsulation 4-95 
PPPoE Encapsulation 4-96 
POS Encapsulation 4-100 
PPP in HDLC-Like Framing 4-102 
Packet over SONET Frame Information 4-103 
Implementing POS 4-104 
Summary 4-105 

VPN Overview 4-107 
Overview 4-107 
Objectives 4-107 
Describe VPNs 4-108 
Site-to-Site VPNs 4-110 
Remote-Access VPNs 4-111 
Layer 2 Tunneling Protocol 4-112 
IP Security VPN 4-115 
IPsec Security Services 4-116 
Cisco SSL VPN 4-117 
SSL Overview 4-118 
SSL Tunnel Establishment 4-119 
IPsec vs. SSL 4-120 
GET VPN 4-121 
Generic Routing Encapsulation 4-124 
Default GRE Characteristics 4-125 
GRE Routing Considerations 4-126 
Configuring a GRE Tunnel 4-127 
DMVPN 4-128 
Summary 4-131 
Module Summary 4-133 
Module Self-Check 4-135 
Module Self-Check Answer Key 4-139 
Network Management and Security 5-1 
Overview 5-1 
Module Objectives 5-1 
Collecting Network Device Data 5-3 
Overview 5-3 
Objectives 5-3 
Cisco Discovery Protocol 5-4 
Collecting Information with Cisco Discovery Protocol 5-6 
Default Cisco Discovery Protocol Configuration 5-7 
Configuring Cisco Discovery Protocol 5-8 
Simple Network Management Protocol 5-13 
Obtaining Data from SNMP Agent 5-14 
Configuring SNMP on Cisco Devices 5-16 
Syslog 5-18 
Syslog Message Format 5-19 
Configuring Syslog on Cisco Devices 5-21 
NetFlow 5-26 
NetFlow Flow Definition 5-28 
NetFlow Data Export Versions 5-30 
Summary 5-32 
Configuring Network Management Tools 5-33 
Overview 5-33 
Objectives 5-33 
Understanding SPAN 5-35 
Configuring SPAN on Cisco Switches 5-38 
IP Service Level Agreement 5-42 
IP SLA Measurements 5-43 
IP SLA Operations 5-45 
IP SLA Source and Responder 5-46 
IP SLA Responder Time Stamps 5-49 
Implementing IP SLA 5-50 
Network Time Protocol 5-53 
NTP Stratum Levels 5-55 
NTP Architecture 5-56 

Configuring NTP on Cisco Devices 5-59 
Smart Call Home 5-62 
Smart Call Home and Cisco TAC 5-63 
Opening a TAC Request 5-65 
Summary 5-68 
Implementing AAA 5-69 
Overview 5-69 
Objectives 5-69 
AAA Overview 5-70 
Implementing Authentication Using Local Authentication 5-72 
Implementing Authentication Using External Authentication Servers 5-73 
Configuring Authentication Using the Local Database 5-74 
vty Pools 5-77 
Benefits of using External Authentication Servers 5-82 
TACACS+ and RADIUS AAA Protocols 5-83 
Configuring Authentication Using an External Authentication Server 5-84 
Configuring AAA Authorization and Accounting 5-87 
Summary 5-88 
Module Summary 5-89 
Module Self-Check 5-91 
Module Self-Check Answer Key 5-94 

Module 3

Basic IP Routing
Overview
Routing is the process by which information moves from one location to another. It is
important to understand dynamic routing and how the various types of routing protocols, such
as distance vector and link-state, determine IP routes.
Classless routing protocols, such as Routing Information Protocol version 2 (RIPv2), Enhanced
Interior Gateway Routing Protocol (EIGRP), Open Shortest Path First (OSPF), and
Intermediate System-to-Intermediate System (IS-IS) scale better than classful routing protocols.
The main reason is that they support variable-length subnet masks (VLSMs) and route
summarization.
This module describes the functions of routers in connecting networks and how routers transmit
data through networks using TCP/IP.

Module Objectives
Upon completing this module, you will be able to describe routing concepts and discuss
considerations when implementing routing on the network. This ability includes being able to
meet these objectives:
• Describe the operation of Cisco routers in connecting multiple networks
• Describe the differences between the Cisco IOS operating systems and learn to use the Cisco IOS XR operating system for basic operation
• Describe the operation, benefits, and limitations of static and dynamic routing
• Describe the operation and configuration of EIGRP, including load balancing and authentication
• Secure a router-based network
Lesson 1

Exploring the Functions of Routing
Overview
Routing is the process that forwards data packets between networks or subnetworks by use of a
Layer 3 device—a router. The routing process uses network routing tables, protocols, and
algorithms to determine the most efficient path for forwarding the IP packet. Routers gather
routing information and update other routers about changes in the network. Routers greatly
expand the scalability of networks by terminating Layer 2 collision and broadcast domains.
Understanding how routers function will help you to understand the broader topic of how
networks are connected and how data is transmitted over networks. This lesson describes the
operation of routing.

Objectives
Upon completing this lesson, you will be able to describe the operation of Cisco routers in
connecting multiple networks. This ability includes being able to meet these objectives:
• Describe the physical characteristics of a router and the functions of a router in the IP packet delivery process
• Describe common characteristics of routers
• Describe how routers build routing tables and forward packets
• List the characteristics of routing tables and their function in path determination
• Describe how the routing table entries can be populated and the method that is used to determine the optimal path for forwarding IP packets between networks
• Describe routing protocol metrics
• Describe administrative distance
• Describe distance vector and link-state routing protocols
Router Basics
This topic describes the physical characteristics of a router and the functions of a router in the
IP packet delivery process.

[Figure: Cisco IP NGN infrastructure layers, from left to right: Access, Aggregation, IP Edge, Core. Residential, mobile, and business users enter through the Access layer. Proper Layer 3 routing is essential for building a Cisco IP NGN infrastructure.]

© 2012 Cisco and/or its affiliates. All rights reserved. SPNGN1 v1.01—3-3

• Routers are required to reach hosts that are not in the local LAN.
• Routers use routing tables to route between different networks.
• Switches use MAC address tables to switch between ports.

[Figure: Host A - Switch A - Router - Switch B - Host B. Switch A connects Host A on Fa0/1 and the router on Fa0/2; the router's Fa0/0 is on 192.168.1.0/24 and its Fa0/1 is on 192.168.2.0/24, where Switch B connects Host B.]

Switch A MAC address table:
  Host A    Fa0/1
  Router    Fa0/2

Router routing table:
  192.168.1.0/24    Fa0/0
  192.168.2.0/24    Fa0/1

Routers are required to reach hosts that are not in the local LAN. Routers use routing tables to
route between different networks. Each interface of the router is a different network. Switches
use a MAC address table to switch data frames between segments of the single network.

© 2012 Cisco Systems, Inc. Basic IP Routing 3-5


Routers
This topic describes common characteristics of routers.

• Routers have the following components:
  - CPU
  - Motherboard
  - Memory (RAM, ROM, disk, flash)
• Routers have network adapters to which IP addresses are assigned.
• Routers may have two kinds of ports:
  - Management (console, AUX, Ethernet): For the connection of a terminal used for management.
  - Network: Different LAN or WAN media ports.

Routers are essential components of large networks that use TCP/IP, because routers can accommodate growth across wide geographical areas. The following characteristics are common to all routers:
• Routers have these components, which are also found in computers and switches:
— CPU: The CPU, or the processor, is the chip that is installed on the motherboard that carries out the instructions of a computer program.
— Motherboard: The motherboard is the central circuit board, which holds critical electronic components of the system. The motherboard provides connections to other peripherals and interfaces.
— Memory: There are these types of memory: RAM, ROM, flash, and disk. RAM is memory on the motherboard that stores data during CPU processing. It is a volatile type of memory because the information is lost after the power is switched off. ROM is read-only memory on the motherboard. As opposed to RAM, the content of the ROM is not lost after the power is switched off. Data that is stored in ROM cannot be modified, or can be modified only slowly or with difficulty, so it is mainly used to distribute firmware. Flash memory is a nonvolatile storage chip that can be electrically erased and reprogrammed. A hard disk drive (HDD) is a nonvolatile, random-access device for digital data. Data is magnetically read from and written to the platter.
• Routers have network adapters to which IP addresses are assigned. Network adapters are used to connect routers to other devices in the network.

• Routers can have these types of ports:
— Management port (console, auxiliary [AUX], and Ethernet): The router uses a console port to attach to a terminal that is used for management, configuration, and control. A console port may not exist on all routers. The AUX interface is used for remote management of the router. Typically, a modem is connected to the AUX interface for dial-in access. From a security standpoint, enabling the option to connect remotely to a network device carries with it the responsibility of maintaining vigilant device management. High-end routers have dedicated Gigabit Ethernet ports that are used only for management purposes. An IP address is assigned to the Gigabit Ethernet port, and a router may be accessed from the management subnet.
— Network port: The router has a number of network ports, including different LAN or WAN media ports, which may be copper or fiber cable.
• The router uses its routing table to determine the best path on which to forward the packet. When the router receives a packet, it examines its destination IP address and searches for the best match to a network address in the routing table.



Router Functions
This topic describes how routers build routing tables and forward packets.

[Figure: RouterA gathers routing information and informs other routers about changes (a route update is sent from RouterA to RouterB); the routing table determines where to forward packets.]

Routing table from RouterA:

RouterA#show ip route
172.17.0.0/24 is subnetted, 9 subnets
B 172.17.46.0 [200/30720] via 10.1.3.1, 1d05h
B 172.17.36.0 [200/0] via 10.1.3.1, 1d05h
D 172.17.24.0 [90/30720] via 172.17.14.4, 2d20h, FastEthernet0/1.14
C 172.17.14.0 is directly connected, FastEthernet0/1.14
D 172.17.112.0 [90/158720] via 172.17.14.4, 2d20h, FastEthernet0/1.14
B 172.17.114.0 [200/158720] via 10.1.3.1, 1d05h
D 172.17.104.0 [90/156160] via 172.17.14.4, 2d20h, FastEthernet0/1.14
B 172.17.106.0 [200/156160] via 10.1.3.1, 1d05h
C 172.17.100.0 is directly connected, FastEthernet0/1.100

Routers are devices that gather routing information from neighboring routers in the network.
The routing information that is processed locally goes into the routing table. The routing table
contains a list of all known destinations to the router and provides information about how to
reach them. Routers have the following two important functions:
• Path determination: Routers must maintain their own routing tables and ensure that other routers know about changes in the network. Routers use a routing protocol to communicate network information to other routers. A routing protocol distributes the information from a local routing table on the router. Different protocols use different methods to populate the routing table. From the show ip route output, the first letter in each line of the routing table indicates which protocol was the source for the information (for example, B = BGP). It is possible to statically populate the routing tables by use of manual static route configurations. Statically populating the routing tables does not scale and leads to problems when the network topology changes. Design changes and outages also result in some problems.
• Packet forwarding: Routers use the routing table to determine where to forward packets. Routers forward packets through a network interface toward the destination network. Each line of the routing table indicates which network interface is used to forward a packet. The destination IP address in the packet defines the packet destination. Routers use their local routing table and compare the entries to the destination IP address of the packet. The router determines which outgoing interface to use. If routers do not have a matching entry in their routing tables, the packets are dropped.
In this figure, the show ip route command displays the routing table that the Cisco IOS
Software of Router A is currently using to choose the best path to its destination networks.

Routing Table and Routing Decision
This topic lists the characteristics of routing tables and their function in path determination.

• Routing protocols are used to select the best path to the destination.
• Administrative distance defines reliability of the route source.

[Figure: A router with two paths to the same destination network, the RIP best path and the OSPF best path, asks "Should I use the RIP or the OSPF best path?"]

A router must be able to determine which source (routing protocol) it should use if it has two
identical routes to the same network from two different sources. The routing process that runs
on the router must be able to evaluate all the sources and select the best one to populate the
routing table. Multiple sources come from having multiple dynamic routing protocols running
and from static and default information being available.
The routing protocols use different metrics to measure the distance and desirability of a path to
a destination network. When multiple routing protocols are running at the same time, the
routers must be able to select the best source of information. Administrative distance is the
feature that routers use to select the best path when there are two or more different routes to the
same destination network from two different routing protocols. Administrative distance defines
the reliability of a routing protocol. Each routing protocol is prioritized in order of most to least
reliable (believable) with the help of an administrative distance value.
For example, in the figure, the router on the far left has two paths to the destination network on
the far right. One of the paths is learned via Open Shortest Path First (OSPF) and the other path
is learned via Routing Information Protocol (RIP). Since OSPF has a better (lower)
administrative distance than RIP, the router on the far left will use the OSPF path and only
publish the OSPF path to the destination network in its routing table.



Routing tables list all known destinations and information about how to reach them.

Routers forward packets by use of the information in the routing table. Each router has its own
local routing table. The routing table is populated from different sources. Routing metrics vary,
depending on the routing protocol that is running in the router. This figure shows how routers
maintain a table of information.

Routing Table Information


The routing table consists of an ordered list of known network addresses. Network addresses
can be learned dynamically by the routing process or by being statically configured. All directly
connected networks are added to the routing table automatically. Routing tables also include
information regarding destinations and next-hop associations. These associations tell a router
that a particular destination is either directly connected to the router or that it can be reached via
another router. This router is the next-hop router and is on the path to the final destination.
When a router receives an incoming packet, it uses the destination address and searches the
routing table to find the best path. If no entry can be found, the router will discard the packet
after sending an Internet Control Message Protocol (ICMP) message to the source address of
the packet.
In this figure, the routing table of the router in the middle shows the forwarding rules. When the
router receives a packet with a destination address on the 10.1.3.0 network, it must forward the
packet to router R2 (the R2 interface with the IP address 10.1.2.2).

Routing Update Messages


Routers communicate with each other and maintain their routing tables. A number of update
messages are transmitted between routers to keep the routing tables updated. Depending on the
particular routing protocol, routing update messages can be sent periodically or only when there
is a change in the network topology. The information that is contained in the routing update
messages includes the destination networks that the router can reach and the routing metric to
reach each destination. By analyzing routing updates from neighboring routers, a router can
dynamically build and maintain its routing table.

Building a Routing Table
This topic describes how the routing table entries can be populated and the method that is used
to determine the optimal path for forwarding IP packets between networks.

Callouts on the output:
- Directly connected: Router attaches to this network.
- Default route: Statically or dynamically learned. Used when no explicit route to the network is known.
- Dynamic routing: Learned by exchange of routing information.
- Static routing: Entered manually by a system administrator.
- The bracketed value after a learned network is [administrative distance / metric].

RouterA#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 10.1.1.1 to network 0.0.0.0

R 1.2.2.0 [120/1] via 10.1.1.1, 00:00:15, FastEthernet0/0
C 10.2.2.0 is directly connected, FastEthernet1/0
C 10.1.1.0 is directly connected, FastEthernet0/0
O 172.16.1.0 [110/2] via 10.2.2.3, 00:01:08, FastEthernet1/0
D 192.168.20.0 [90/156160] via 10.1.1.1, 00:01:23, FastEthernet0/0
S 192.168.1.0 is directly connected, Ethernet0/0
S* 0.0.0.0/0 [1/0] via 10.1.1.1

The routing tables can be populated by the following methods:
• Directly connected networks: This entry comes from having router interfaces that are directly attached to network segments. This method is the most certain method of populating a routing table. If the interface fails or is administratively shut down, the entry for that network will be removed from the routing table. The administrative distance is 0 and, therefore, will preempt all other entries for that destination network. Entries with the lowest administrative distance are the best, most-trusted sources.
• Static routes: A system administrator manually enters static routes directly into the configuration of a router. The default administrative distance for a static route is 1; therefore, the static routes will be included in the routing table unless there is a direct connection to that network. Static routes can be an effective method for small, simple networks that do not change frequently. For bigger and unstable networks, the solution with static routes does not scale.
• Dynamic routes: The router learns dynamic routes automatically when the routing protocol is configured and a neighbor relationship to other routers is established. The information is responsive to changes in the network and updates constantly. There is, however, always a lag between the time that a network changes and when all of the routers become aware of the change. The time delay for a router to match a network change is called convergence time. A shorter convergence time is better for users of the network. Different routing protocols perform differently in this regard. Larger networks require the dynamic routing method because there are usually many addresses and constant changes. These changes require updates to routing tables across all routers in the network, or connectivity is lost.



• Default routes: A default route is an optional entry that is used when no explicit path to a destination is found in the routing table. The default route can be manually inserted or it can be populated from a dynamic routing protocol.
This figure displays the show ip route command, which is used to show the contents of the routing table in a router. The first part of the output explains the codes, presenting the letters and the associated source of the entries in the routing table.
• Letter C: Reserved for directly connected networks, labels the second and third entries.
• Letter S: Reserved for static routes, labels the last two entries.
• Letter R: Reserved for RIP, labels the first entry.
• Letter O: Reserved for OSPF routing protocol, labels the fourth entry.
• Letter D: Reserved for Enhanced Interior Gateway Routing Protocol (EIGRP), labels the fifth entry. Letter D stands for Diffusing Update Algorithm (DUAL), the update algorithm that is used by EIGRP.

The destination address in a packet can result in the following:
• If it does not match an entry in the routing table, the default route is used. If there is not a default route configured, the packet is discarded.
• If it matches a single entry in the routing table, the packet is forwarded through the interface that is defined in that route.
• If it matches more than one entry in the routing table, and the routing entries have the same prefix (network mask), the packets for that destination can be distributed among the routes that are defined in the routing table.
• If it matches more than one entry in the routing table, and the routing entries have different prefixes (network mask), the packets for that destination are forwarded out of the interface that is associated with the route that has the longer prefix match.

Routing Metrics
This topic describes routing protocol metrics.

[Figure: Two paths from Host A to Host B: a direct path over a 100-Mb/s link and a longer path over 1-Gb/s links. Metrics listed: bandwidth, delay, hop count, cost.]

When a routing protocol updates a routing table, the primary objective of the protocol is to
determine the best information to include in the table. The routing algorithm generates a
number, called the metric value, for each path through the network. Sophisticated routing
protocols can base route selection on multiple metrics, combining them in a single metric.
Typically, the smaller the metric number is, the better the path.
Metrics can be based on either a single characteristic or on several characteristics of a path. The
metrics that are most commonly used by routing protocols are as follows:
 Bandwidth: The data capacity of a link (the connection between two network devices).
 Delay: The length of time that is required to move a packet along each link from the source
to the destination. The delay depends on the bandwidth of intermediate links, port queues at
each router, network congestion, and physical distance.
 Hop count: The number of routers that a packet must travel through before reaching its
destination. In this figure, the hop count from Host A to Host B would be two if the path
over the 100-Mb/s link is used, or the hop count would be three if the path over the 1-Gb/s
links is used.
 Cost: An arbitrary value that is assigned by a network administrator, usually based on
bandwidth, administrator preference, or other measurement, such as load or reliability.



Administrative Distance
This topic describes administrative distance.

Routers choose the routing source with the best administrative distance.

[Figure: The top left router learns a route to network X from both RIP and EIGRP and asks "What routing protocol should I believe?" The EIGRP best path and the RIP best path are shown over links of 1 Gb/s and 100 Gb/s.]

Route source             Default AD   Trust
Connected                0            More believable
Static route             1
EIGRP summary route      5
External BGP             20
Internal EIGRP           90
OSPF                     110
IS-IS                    115
RIP                      120
External EIGRP           170
Internal BGP             200          Less believable
Unknown or unbelievable  255          Not used to pass traffic

Multiple routing protocols and static routes may be used at the same time. If there are several
sources for routing information, including specific routing protocols, static routes, and even
directly connected networks, an administrative distance value is used to rate the trustworthiness
of each routing information source. Cisco routers use the administrative distance feature to
select the best path when they learn about the same destination network from two or more routing
sources.
An administrative distance is an integer from 0 to 255. A routing protocol with a lower
administrative distance is more trustworthy than one with a higher administrative distance. As
shown in the figure, the top left router receives a route to network X from EIGRP and RIP at
the same time. The top left router would use the administrative distance to determine that the
EIGRP route is more trustworthy and only add the EIGRP route to the routing table.
If nondefault administrative distance values are necessary, you can change administrative
distance values on a per-router, per-protocol, and per-route basis.
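The following Python model is an added example and is not part of the Cisco course material. It shows how a router builds its table when several sources offer the same prefix: the default administrative distances are the ones tabulated above, the candidate routes are constructed sample data, and the per-route and per-protocol overrides are an illustrative assumption that models the per-router, per-protocol, per-route tuning mentioned in the text (they are not device commands). It goes one step beyond the figure by including a static route whose distance has been raised so that it only takes over when the dynamic route disappears.

```python
"""Administrative distance (AD) as the tie-breaker between routing sources.
Added example, not code from the Cisco course. DEFAULT_AD holds the lesson's
table; CANDIDATES and the override mechanism are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Default administrative distances from the lesson's table (lower = more trusted).
DEFAULT_AD: Dict[str, int] = {
    "connected": 0, "static": 1, "eigrp summary": 5, "external bgp": 20,
    "internal eigrp": 90, "ospf": 110, "is-is": 115, "rip": 120,
    "external eigrp": 170, "internal bgp": 200, "unknown": 255,
}


@dataclass(frozen=True)
class Candidate:
    """One route to `prefix` as offered by one routing source."""
    prefix: str
    source: str
    next_hop: str
    metric: int               # only comparable between routes from the same source
    ad: Optional[int] = None  # explicit per-route AD; None = use the protocol value


def effective_ad(c: Candidate, protocol_ad: Optional[Dict[str, int]] = None) -> int:
    """Per-route AD first, then this router's per-protocol override, then the default.
    A source missing from the table is treated as unknown (255)."""
    if c.ad is not None:
        return c.ad
    if protocol_ad and c.source in protocol_ad:
        return protocol_ad[c.source]
    return DEFAULT_AD.get(c.source, 255)


def select_routes(candidates: List[Candidate],
                  protocol_ad: Optional[Dict[str, int]] = None) -> Dict[str, Candidate]:
    """Build the routing table: per prefix, the route from the source with the lowest
    AD is installed. Metrics only decide between routes that tie on AD, which in
    practice means routes from the same protocol. AD 255 means "do not believe",
    so such a route is never installed, even when it is the only one."""
    table: Dict[str, Candidate] = {}
    for c in candidates:
        ad = effective_ad(c, protocol_ad)
        if ad >= 255:
            continue
        cur = table.get(c.prefix)
        if cur is None or (ad, c.metric) < (effective_ad(cur, protocol_ad), cur.metric):
            table[c.prefix] = c
    return table


# Constructed sample: the figure's situation (network X learned from EIGRP and RIP at
# the same time), a static backup whose AD was raised above OSPF, and an untrusted source.
CANDIDATES = [
    Candidate("10.1.0.0/16", "internal eigrp", "192.0.2.2", metric=2816),
    Candidate("10.1.0.0/16", "rip", "192.0.2.6", metric=2),
    Candidate("10.2.0.0/16", "ospf", "192.0.2.10", metric=20),
    Candidate("10.2.0.0/16", "static", "192.0.2.14", metric=0, ad=200),
    Candidate("10.3.0.0/16", "unknown", "192.0.2.18", metric=1),
]


def installed_sources(protocol_ad: Optional[Dict[str, int]] = None) -> Dict[str, str]:
    """prefix -> source of the installed route, for the constructed candidates."""
    return {p: c.source for p, c in select_routes(CANDIDATES, protocol_ad).items()}
```

With the defaults, EIGRP wins network X even though RIP reports a much smaller metric, because metrics from different protocols are never compared against each other; raising the EIGRP distance above 120 on this router flips the decision to RIP, and the static route to 10.2.0.0/16 is installed only when the OSPF route is withdrawn.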

Routing Methods
This topic describes distance vector and link-state routing protocols.

Distance Vector Routing Protocols
• Collect distance and vector to neighboring routers
• Send periodic updates of routing table to neighboring routers
(figure: neighboring routers on Network A exchange routing updates, each building its own
routing table from the tables it receives)

Link-State Routing Protocols
• Create the network topology map
• Send event-triggered link-state updates
(figure: routers flood link-state packets, each builds the same topology database, and the SPF
algorithm computes each router's routing table from it)

Many routing protocols are designed around one of the following routing methods:
 Distance vector routing: In distance vector routing, a router does not have to know the
entire path to every network segment. The router only has to know the direction, or vector,
in which to send the packet. The distance vector routing approach determines the direction
(vector) and distance (hop count) to any network in the internetwork. Distance vector
algorithms periodically (such as every 30 seconds) send all or portions of their routing table
to their adjacent neighbors. Routers that are running a distance vector routing protocol will
send periodic updates, even if there are no changes in the network. By receiving the routing
table of a neighbor, a router can verify all the known routes and make changes to its local
routing table if required. The router updates its routing table based on the information that
is received from the neighboring router. This process is also known as
“routing by rumor.” This name comes from the fact that the understanding of the network
topology is based on the perspective of the neighboring router routing table.
An example of a distance vector protocol is RIP, which is a commonly used routing
protocol that uses hop count as its routing metric.
 Link-state routing: In link-state routing, each router builds its own internal map of the
entire network topology in its link-state (topology) database. You can think of a link as
being an interface on the router. The state of the link is a description of that interface and of
its relationship to its neighboring routers. A description of the interface would include, for
example, the IP address of the interface, the subnet mask, the type of network it is
connected to, the routers that are connected to that network, and so on. The collection of all
these link states forms the link-state database.



Each router uses link-state packets to send messages into the network when the router first
becomes active. This message lists the routers to which it is directly connected and provides
information about whether the link to each router is active. The other routers use this
information to build their link-state databases and then use the link-state database to calculate
the best routes. OSPF uses a Shortest Path First (SPF) algorithm to build and calculate the
shortest path to all known destinations. The shortest path is calculated by using the Dijkstra
algorithm. Link-state routing protocols respond quickly to network changes. Triggered
updates are sent when a network change occurs. Periodic updates (link-state refreshes) are sent
at longer intervals, such as every 30 minutes.
When a link state changes, the device that detected the change creates an update message
concerning that link (route). This update message is propagated to all routers that are running
the same routing protocol. Each router takes a copy of the update message, updates its link-state
database, and also updates its routing tables if required, and forwards the update message to all
neighboring routers. This flooding of the update message is required to ensure that all routers
update their link-state databases before creating an updated routing table that reflects the new
topology.
Examples of link-state routing protocols are OSPF and Intermediate System-to-Intermediate
System (IS-IS), which both use cost as their routing metric.
Cisco developed EIGRP, which combines the best features of distance vector and link-state
routing protocols.
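The following Python model is an added example and is not part of the Cisco course material. It implements both routing methods described in this topic over one small constructed topology: each router's link-state advertisement is flooded into a common link-state database and Dijkstra's SPF computes the routing table from it, while the distance vector function only exchanges tables with neighbors ("routing by rumor") and converges over several periodic rounds. The topology is an assumption chosen to mirror the hop-count discussion earlier in the lesson (a direct 100-Mb/s link against a two-link 1-Gb/s path), and the bandwidth-based cost formula is an illustrative assumption, not a formula from the lesson.

```python
"""Link-state (SPF) and distance vector route computation over a constructed
topology. Added example, not code from the Cisco course. R1 and R3 share a direct
100-Mb/s link; R1-R2 and R2-R3 are 1-Gb/s links, so a hop-count metric and a
bandwidth-based cost disagree about the best R1 -> R3 path."""
import heapq
from typing import Callable, Dict, List, Tuple

Metric = Callable[[int], int]

# One link-state advertisement per router: router -> [(neighbor, bandwidth in Mb/s)].
# Constructed sample data, not a capture from any device.
LSAS: Dict[str, List[Tuple[str, int]]] = {
    "R1": [("R2", 1000), ("R3", 100)],
    "R2": [("R1", 1000), ("R3", 1000)],
    "R3": [("R1", 100), ("R2", 1000)],
}


def hop_count(_bandwidth_mbps: int) -> int:
    """RIP-style metric: every link is one hop, whatever its speed."""
    return 1


def bandwidth_cost(bandwidth_mbps: int, reference_mbps: int = 100_000) -> int:
    """Cost inversely proportional to bandwidth (assumption for illustration):
    reference / link bandwidth, so a 1-Gb/s link costs 100 and 100 Mb/s costs 1000."""
    return max(1, reference_mbps // bandwidth_mbps)


def build_lsdb(lsas: Dict[str, List[Tuple[str, int]]]) -> Dict[str, Dict[str, int]]:
    """After flooding, every router holds the same link-state database: the set of all
    advertised link states. A link is usable only when both ends advertise it."""
    lsdb: Dict[str, Dict[str, int]] = {}
    for router, links in lsas.items():
        lsdb[router] = {}
        for nbr, bw in links:
            if any(n == router for n, _ in lsas.get(nbr, [])):
                lsdb[router][nbr] = bw
    return lsdb


def spf(lsdb: Dict[str, Dict[str, int]], root: str, metric: Metric):
    """Dijkstra's shortest path first from `root`: {dest: (total cost, [root, ..., dest])}."""
    best = {root: (0, [root])}
    heap = [(0, root, [root])]
    while heap:
        cost, node, path = heapq.heappop(heap)
        if cost > best[node][0]:
            continue  # stale heap entry, a cheaper path was found meanwhile
        for nbr, bw in lsdb[node].items():
            new_cost = cost + metric(bw)
            if nbr not in best or new_cost < best[nbr][0]:
                best[nbr] = (new_cost, path + [nbr])
                heapq.heappush(heap, (new_cost, nbr, path + [nbr]))
    return best


def routing_table(lsdb, root: str, metric: Metric) -> Dict[str, Tuple[str, int]]:
    """What the routing table keeps from the SPF result: dest -> (next hop, cost)."""
    return {dest: (path[1], cost)
            for dest, (cost, path) in spf(lsdb, root, metric).items() if dest != root}


def distance_vector_round(tables, lsas, metric: Metric):
    """One periodic distance vector update: every router sends its whole table to each
    neighbor, and the neighbor adopts any route that is cheaper through the sender.
    No router ever sees the topology; it only trusts its neighbors' tables.
    `tables` is {router: {dest: (next hop, cost)}}; a new dict is returned."""
    new = {r: dict(t) for r, t in tables.items()}
    for sender, links in lsas.items():
        for nbr, bw in links:
            for dest, (_, cost) in tables[sender].items():
                via = cost + metric(bw)
                if dest != nbr and (dest not in new[nbr] or via < new[nbr][dest][1]):
                    new[nbr][dest] = (sender, via)
    return new


def distance_vector_converge(lsas, metric: Metric, max_rounds: int = 16):
    """Run periodic updates until no table changes; returns (tables, rounds needed)."""
    tables = {r: {r: (r, 0)} for r in lsas}
    for rnd in range(1, max_rounds + 1):
        nxt = distance_vector_round(tables, lsas, metric)
        if nxt == tables:
            return tables, rnd - 1
        tables = nxt
    return tables, max_rounds
```

With hop count, R1 reaches R3 over the direct 100-Mb/s link in one hop; with the bandwidth-based cost, the two 1-Gb/s links (cost 200) beat the direct link (cost 1000) and the next hop becomes R2. Both methods end at the same table here, but SPF gets there in one computation from a complete map, while the distance vector tables need a second round of rumors before R1 hears about the cheaper path through R2.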

Summary
This topic summarizes the key points that were discussed in this lesson.

• The primary functions of a router are path determination and packet forwarding.
• All routers have the same basic components.
• Routers build routing tables to direct traffic in the right direction.
• Routing tables provide an ordered list of best paths to known networks, learned via static or
dynamic entries.
• The best route is chosen based on metric.
• Commonly used routing metrics include bandwidth, delay, hop count, and cost.
• Administrative distance is used to prefer one routing protocol to another.
• Two main groups of the routing protocols are distance vector and link-state.

A router must maintain a routing table and determine the best path to be used to forward
packets.
Routers determine the optimal path for forwarding IP packets between networks. Routing tables
provide an ordered list of best paths to known networks and include information such as
destination, next-hop associations, administrative distances, and routing metrics. Routers can
use different types of routes to reach the destination networks. Routing tables include
connected, static, dynamic, and default routes.
Commonly used routing metrics include bandwidth, delay, hop count, and cost. Two main
groups of the routing protocols are as follows:
 Distance vector routing protocols build and update routing tables automatically by sending
all or some portion of their routing table to neighbors. The distance vector routing approach
determines the direction (vector) and distance to any network in the internetwork.
 Link-state routing protocols build and update routing tables automatically. These protocols
run algorithms against the link-state database to determine the best paths. They also flood
routing information about their own links to all the routers in the network when the router
first becomes active on the network. Link-state routing protocols respond quickly to
network changes. Triggered updates are sent when a network change occurs. Periodic
updates (link-state refreshes) are sent at longer intervals, such as every 30 minutes.

Lesson 2

Introducing the Cisco IOS XR


Overview
A Cisco router goes through its startup procedure when it is first turned on and there is no
configuration that is saved. When the startup is complete, you can enter the initial software
configuration. The router must start successfully and have a valid configuration to operate on
the network. When the hardware installation is complete and the Cisco router has the initial
configuration, you can begin configuring the router for a specific internetwork. You must be
familiar with the Cisco IOS, Cisco IOS XE, and Cisco IOS XR command-line interfaces (CLIs)
and their modes and operation before configuring more advanced features such as IP routing.
Cisco IOS Software running on the switches is almost the same as Cisco IOS Software running
on the routers. From a configuration perspective, both Cisco IOS and Cisco IOS XE syntaxes
are the same. This lesson focuses on the Cisco IOS XR syntax, verification of the initial router
operation, and implementation of a basic router configuration.

Objectives
Upon completing this lesson, you will be able to describe the differences between the Cisco
IOS operating systems and be able to use the Cisco IOS XR operating system for basic
operation. This ability includes being able to meet these objectives:
 List the types of Cisco routers and the differences between Cisco IOS, Cisco IOS XE, and
Cisco IOS XR operating systems
 Describe the Cisco IOS XR architecture
 Describe Cisco IOS XR command-line interface (CLI) access
 Describe how to access and log in to a Cisco IOS XR router
 Describe the CLI command modes in Cisco IOS XR Software
 Describe the CLI prompt syntax in Cisco IOS XR
 Show several examples of the different Cisco IOS XR CLI command modes
 Describe how to navigate through different CLI configuration modes and submodes in
Cisco IOS XR
 Describe Cisco IOS XR editing shortcuts
 Describe how to modify Cisco IOS XR configurations
 Describe virtual routing and forwarding
 Describe how to commit a Cisco IOS XR configuration
 Describe how to roll back to a previous configuration
 Describe how to manage Cisco IOS XR configuration sessions

Classes of Cisco Routers
This topic lists the types of Cisco routers and the differences between Cisco IOS, Cisco IOS
XE, and Cisco IOS XR operating systems.

Cisco IOS, Cisco IOS XE, and Cisco IOS XR (current software versions):

Cisco IOS
• Functions: routing, switching, internetworking, telecommunications
• Multitasking operating system

Cisco IOS XE
• Improved services integration
• Advanced high availability
• Ability to use previous Cisco IOS management skills
• Rapid feature delivery
• Universal image

Cisco IOS XR
• Improved high availability
• Better scalability
• A package-based software distribution
• Ability to install package upgrades and patches
• A web-based GUI for system management

Cisco routers run three different operating systems: IOS, IOS XE, and IOS XR.
Cisco IOS Software is used on the majority of Cisco routers and current Cisco network
switches. Cisco IOS Software on routers is almost the same as Cisco IOS Software that runs
on switches.
Earlier switches ran the Cisco Catalyst operating system. Cisco IOS Software is a package of
routing, switching, internetworking, and telecommunications functions that are tightly
integrated with a multitasking operating system.
Cisco IOS XE provides a modular structure that delivers full-feature functionality. Primary
benefits are improved services integration, advanced high availability, ability to use previous
Cisco IOS management skills, rapid feature delivery, and universal image.
Cisco IOS XR shares very little infrastructure with the other IOS trains and is, instead, built
upon a preemptive, memory-protected, multitasking, microkernel-based operating system. IOS
XR provides advantages over the earlier IOS trains:
 Improved high availability (largely through support for hardware redundancy and fault
containment methods such as protected memory spaces for individual processes and
process restartability)
 Better scalability for large hardware configurations (through a distributed software
infrastructure and a two-stage forwarding architecture)
 A package-based software distribution model (allowing optional features such as multicast
routing and Multiprotocol Label Switching (MPLS) to be installed and removed while the
router is in service)



 The ability to install package upgrades and patches (potentially while the router remains in
service)
 A web-based GUI for system management (making use of a generic, XML management
interface)

Cisco IOS: Cisco ISR Series Routers; Cisco 7200 and 7600 Series Routers
Cisco IOS XE: Cisco ASR 1000 Series
Cisco IOS XR: Cisco CRS-1 and CRS-3; Cisco ASR 9000; Cisco XR 12000

These systems run Cisco IOS Software:
 Cisco 800, 1900, 2900 and 3900 Series Integrated Services Routers (ISRs)
 Cisco 7200 and 7600 Series Routers
 Catalyst 6500 Series Switches

Cisco IOS XE is a train of IOS and is used on the Cisco ASR 1000 Series Aggregation Services
Routers (ASR) and Catalyst 4500E Series Switches.
Cisco IOS XR is a train of IOS and is used on high-end, carrier-grade routers such as the Cisco
Carrier Routing System (Cisco CRS-1), CRS-3, Cisco XR 12000, and the ASR 9000 series.

Cisco IOS XR Architecture
This topic describes the Cisco IOS XR architecture.

• Microkernel for basic operation (QNX)
• Multiprocess—Each feature or function is a separate process
• Logical separation of management, control, and data planes
- Supports high availability
- Supports fault tolerance and isolation
- Supports Cisco IOS ISSU
(figure: routing protocol modules (BGP, OSPF), application modules (IP), and other modules run
on multiple CPUs on top of a distributed infrastructure and the Cisco IOS XR kernel)

These software features are included in the Cisco IOS XR:


 Operating system infrastructure protection: Cisco IOS XR provides QNX, a
microkernel architecture that forces all but the most critical functions, such as memory
management and thread distribution, outside of the kernel. This architecture prevents
failures in applications and file systems and even prevents device drivers from causing
widespread service disruption. QNX is a commercial, UNIX-like, real-time operating
system that is aimed primarily at the embedded systems market.
 Process and thread protection: Each process—even individual process threads—is
executed in its own protected memory space, and communications between processes are
accomplished through well-defined, secure, and version-controlled application
programming interfaces (APIs), significantly minimizing the effect that any process failure
can have on other processes.
 Modular software design: Cisco IOS XR Software represents a continuation of the Cisco
networking leadership in helping customers realize the power of their networks and the
Internet. It provides unprecedented routing-system scalability, high availability, service
isolation, and manageability to meet the mission-critical requirements of next-generation
networks.
 Cisco IOS In-Service Software Upgrade (ISSU): Cisco IOS XR software modularity
sustains system availability during installation of a software upgrade. Cisco IOS ISSUs or
hitless software upgrades (HSUs) allow you to upgrade most software features without
affecting deployed services. You can target particular system components for upgrades that
are based on software packages or composites that group selected features. Cisco
preconfigures and tests these packages and composites to help ensure system compatibility.



Microkernel architecture enables restart of most processes.
(figure: the same set of processes (BGP, OSPF, EIGRP, IS-IS, RIP, VPN, SSH, Telnet server,
LDP, ACLs, TCP/IP, IPv4 forwarding, drivers, timers, scheduler) is shown for monolithic Cisco
IOS and for microkernel Cisco IOS XR; the areas shaded green are the ones that cannot restart)

You can restart critical control-plane processes both manually and automatically in response to
a process failure versus restarting the entire operating system. This feature supports the Cisco
IOS XR goal of continuous system availability and allows for quick recovery from process or
protocol failures with minimal disruption to customers or traffic.

Cisco IOS XR Command-Line Interface Access
This topic describes Cisco IOS XR command-line interface (CLI) access.

• Console to RP and standby RP (inactive)
• Auxiliary console to RP and standby RP (inactive)
• IP connectivity to active RP on both management interfaces
  interface MgmtEth0/RSP0/CPU0/0
   ipv4 address 10.10.10.17 255.255.255.0
  interface MgmtEth0/RSP0/CPU0/1
   ipv4 address 10.10.10.18 255.255.255.0
• IP connectivity to active RP on virtual address
  ipv4 virtual address 10.10.10.17 255.255.255.0

Management access options that are available to the Cisco IOS XR router are console, auxiliary
console, or IP connectivity to the management interfaces or virtual IP address. The virtual
address should be on the same subnet as the management interfaces.
The Cisco IOS XR prompt on the Cisco ASR 9000 is RP/0/RSP0/CPU0:PE1#, where fields are
as follows:
 RP is for route processor
 0 is for single-rack chassis
 RSP0 is for Route Switch Processor (either RSP0 or RSP1)
 CPU0 is always the same
 PE1 is the router hostname

These are the management interfaces on the Cisco ASR 9000:


 interface MgmtEth0/RSP0/CPU0/0 is the first management port on RSP0
 interface MgmtEth0/RSP0/CPU0/1 is the second management port on RSP0



Access and Login
This topic describes how to access and log in to a Cisco IOS XR router.

User Access Verification

Username: cisco
Password: lab
:router#

• Cisco IOS XR router access:
- Direct connection to console port
- Terminal server connected to the console port
- Telnet or SSH (v1 or v2)
• Login
- Root-system user defined at initial installation
- Assigned username and password

Activity
• Log on to the lab device (the login exchange is the one shown above)

To log into the Cisco IOS XR router, enter the assigned username and password. During the
initial setup of the Cisco IOS XR router, a root-system username and password is set. The root-
system user has the authority to create additional users. Cisco IOS XR router security also
involves concepts of user and task groups. The concepts of user group, task group, and
inheritance are important for the understanding of command permissions.

Command Modes
This topic describes the CLI command modes in Cisco IOS XR Software.

(figure: after login, the session is in EXEC mode, from which Configuration mode and its
sub-config modes are reached; Admin EXEC mode leads to Admin Configuration mode and its
sub-config modes, and is where software installations, SDR management, and the
config-register are handled)

The CLI for the Cisco IOS XR is divided into different command modes. Each mode provides
access to a subset of commands that are used to configure, monitor, and manage the router:
 EXEC mode
 Configuration mode and submode
 Admin EXEC mode
 Admin configuration mode and submode
The admin modes are used to:
— Configure register setting
— Manage and configure Secure Domain Router (SDR)
— Configure root user setup
— Install software



CLI Prompt Syntax
This topic describes the CLI prompt syntax in Cisco IOS XR.

RP/0/RSP0/CPU0:router#
• RP = Route processor card
• 0 = Always the same
• RSP0 = Either RSP0 or RSP1
• CPU0 = Always the same
• router = Router host name
(figure: Cisco ASR 9000 Series Router route switch processor front panel, showing the
management Ethernet connections MGMT ETH 0 and MGMT ETH 1, the console connection (Con)
and AUX port, BITS 0 and BITS 1, ALARM, PID/VID, ACO, Lamp, Reset, and the Fail, Sync,
Critical, Major, Minor, HDD, CF, and ACO indicators)

This figure shows the CLI prompt syntax for the Cisco ASR 9000 Series Router.

Command Mode Examples
This topic shows several examples of the different Cisco IOS XR CLI command modes.

EXEC:
RP/0/RSP0/CPU0:router#

Global config:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)#

Interface submode config:
RP/0/RSP0/CPU0:router(config)# interface pos 0/2/0/0
RP/0/RSP0/CPU0:router(config-if)#

Protocol and submode config:
RP/0/RSP0/CPU0:router(config)# router bgp 140
RP/0/RSP0/CPU0:router(config-bgp)# address-family ipv4
RP/0/RSP0/CPU0:router(config-bgp-af)#

Admin:
RP/0/RSP0/CPU0:router# admin
RP/0/RSP0/CPU0:router(admin)#

Admin config:
RP/0/RSP0/CPU0:router(admin)# configure
RP/0/RSP0/CPU0:router(admin-config)#

This figure shows examples of the CLI commands used to get into the various Cisco IOS XR
CLI command modes.



Cisco IOS XR Configuration
This topic describes how to navigate through different CLI configuration modes and submodes
in Cisco IOS XR.

(figure: from EXEC mode, admin enters Admin EXEC mode and exit returns; configure enters
Configuration mode from EXEC mode and Admin Configuration mode from Admin EXEC mode, and
exit or end returns; admin show platform runs an admin show command from EXEC mode; do show
run displays the running configuration from within either configuration mode)
• Control-Z is equivalent to the end command.
• ? works with do command from within the configuration mode.

The figure shows the various commands to navigate between the different modes in Cisco IOS
XR.
For example, to navigate from EXEC mode into configuration mode, use the configure
command.
To display admin show output from EXEC mode without going into admin EXEC mode first,
use the admin option in front of the show command.
The example shows the output from show platform and admin show platform commands that
are issued from EXEC mode:
RP/0/RSP0/CPU0:PE1#show platform
Tue Jun 28 09:47:57.534 UTC
Node Type State Config State
-----------------------------------------------------------------------------
0/RSP0/CPU0 A9K-RSP-4G(Active) IOS XR RUN PWR,NSHUT,MON
0/0/CPU0 A9K-40GE-L IOS XR RUN PWR,NSHUT,MON

RP/0/RSP0/CPU0:PE1#admin show platform
Tue Jun 28 09:48:05.329 UTC
Node Type State Config State
-----------------------------------------------------------------------------
0/RSP0/CPU0 A9K-RSP-4G(Active) IOS XR RUN PWR,NSHUT,MON
0/FT0/SP FAN TRAY READY
0/FT1/SP FAN TRAY READY
0/0/CPU0 A9K-40GE-L IOS XR RUN PWR,NSHUT,MON
0/PM0/SP A9K-3KW-AC READY PWR,NSHUT,MON
0/PM1/SP A9K-3KW-AC READY PWR,NSHUT,MON

Activity
• Navigation:
- admin mode
- admin configuration mode
- back to EXEC mode
- configuration mode
- interface configuration mode
- EXEC mode
R1# admin
R1(admin)# configure
R1(admin-config)# end
R1(admin)# exit
R1# config
R1(config)# interface Gi0/0/0/0
R1(config-if)# end
R1#

The figure represents navigation through different Cisco IOS XR configuration modes, which
can be tested on the equipment in the lab.

Note Consult your instructor for more information.



Command-Line Editing
This topic describes Cisco IOS XR editing shortcuts.

• Emacs editing shortcuts
• Control (^) escaped sequences
(figure: the history keys ^P and ^N step through previous commands such as show route ipv4
unicast, show route ipv4 unicast ospf, and show route ipv4 unicast rip; the deletion keys ^U, ^W,
^H, ^D, and ^K act relative to the position of the cursor; the cursor movement keys are ^A, ^B,
^F, and ^E)
^L = Redisplay the line
^Y = Paste what was deleted

The Cisco IOS XR CLI uses Emacs editing shortcuts. Emacs is a family of text editors that is
characterized by its extensibility; it lets the user combine editing commands into macros to
automate work.
The figure shows Emacs editing shortcuts for displaying history, text deletion, and cursor
movement:
 ^P shows the previous line from history.
 ^N shows the next line from history.
 ^U deletes from the cursor to the beginning of the line.
 ^W deletes one word before the cursor.
 ^H deletes one character before the cursor.
 ^D deletes the character at the cursor.
 ^A moves the cursor to the beginning of the line.
 ^B moves the cursor one character toward the beginning of the line.
 ^E moves the cursor to the end of the line.
 ^F moves the cursor one character toward the end of the line.

Configuration Editing
This topic describes how to modify Cisco IOS XR configurations.

• There is no startup-config
- No write memory command
- No write erase command
- No write command
• Commands to clear configuration:
- configure
- commit replace
• Configuration changes (target config) must be “committed” to become persistent between
reboots
(figure: config agents write into the target config (first stage); commit applies it to the running
config held in the config database (second stage): Running config + Config changes = New
running config)

Cisco IOS XR has an XML API, which can also be used to configure the router. Unlike Cisco IOS
and IOS XE, Cisco IOS XR has no concept of a startup configuration file and no concept of
copying the running configuration to the startup configuration file. Cisco IOS XR introduces a
two-stage configuration method:
 In the first stage, you make changes to the configuration. The syntax is checked for
correctness, and a target configuration is created.

 In the second stage, you commit the target configuration. The commit is an all-or-nothing
acceptance of the configuration changes into the running configuration. During the
commit operation, the router automatically locks the active running configuration.

To apply and save configuration changes in the Cisco IOS XR, use the commit command. The
commit command has the following options:
RP/0/RSP0/CPU0:PE1(config)#commit ?
best-effort Commit the configuration changes via best-effort operation
comment Assign a comment to this commit
confirmed Rollback this commit unless there is a confirming commit
force Override the memory checks
label Assign a label to this commit
replace Replace the contents of running configuration
save-running Save running configuration to a file
<cr> Commit the configuration changes via pseudo-atomic operation
To load or save configuration from or to a file, use the load or save commands. The storage
media (file systems) on the Cisco IOS XR include the following components:
 Disk0: Stores installed software packages and active configurations; /usr is the default user
directory for storing saved files
 Disk1: Stores installation PIE files and user files (optional)



 Harddisk: Used primarily for process or kernel dumps
 NVRAM: Stores ROMMON variables and cryptographic files
 Bootflash: Stores ROMMON software; software packages installed

Note To delete the router configuration, use the Cisco IOS XR commit replace command, with a
blank target configuration. Use this command with caution.

Virtual Routing and Forwarding
This topic describes virtual routing and forwarding.

• VPN routing and forwarding
(figure: customer sites Cust A, Cust B, and Cust C attached to the provider network)

Virtual routing and forwarding (VRF) is a technology that is employed in IP routing that allows
forwarding of traffic to different customers by segregating the traffic. With this segregation
comes additional security. To implement this technology, distinct routing tables and forwarding
information bases (FIBs) are kept.
The concept of virtual routing and forwarding is employed with the advent of VPNs, which
require the security of segregated networks for route and data protection. Cisco IOS XR
software is delivered with a default VRF definition.
When you initially log into config mode on a Cisco IOS XR platform, you are in the “default
VRF” configuration mode.
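The following Python model is an added example and is not part of the Cisco course material. It shows what the segregation described above buys: each VRF has its own routing table, an interface belongs to exactly one VRF, and a lookup is scoped to the VRF of the interface a packet arrived on. Two customers are deliberately given the same private address space (constructed sample data, as are the interface and next-hop names) so that the overlap is visible; a destination that exists only in one VRF is unreachable from the other rather than falling through to a different table.

```python
"""Per-VRF routing tables and forwarding lookups. Added example, not code from
the Cisco course. The PE router, its VRFs, interfaces, and routes are constructed."""
import ipaddress
from typing import Dict, Optional, Tuple


class Vrf:
    """One routing table (RIB) with its own address space."""

    def __init__(self, name: str):
        self.name = name
        self.rib: Dict[ipaddress.IPv4Network, str] = {}   # prefix -> next hop

    def add_route(self, prefix: str, next_hop: str) -> None:
        self.rib[ipaddress.ip_network(prefix)] = next_hop

    def lookup(self, dst: str) -> Optional[Tuple[str, str]]:
        """Longest-prefix match within this VRF only: (matched prefix, next hop)."""
        addr = ipaddress.ip_address(dst)
        hits = [n for n in self.rib if addr in n]
        if not hits:
            return None
        best = max(hits, key=lambda n: n.prefixlen)
        return str(best), self.rib[best]


class Router:
    """A PE router: the default VRF you land in when configuring, plus customer VRFs."""

    def __init__(self):
        self.vrfs: Dict[str, Vrf] = {"default": Vrf("default")}
        self.iface_vrf: Dict[str, str] = {}   # interface -> VRF name

    def vrf(self, name: str) -> Vrf:
        return self.vrfs.setdefault(name, Vrf(name))

    def bind(self, interface: str, vrf: str) -> None:
        """An interface belongs to exactly one VRF; unbound interfaces are in default."""
        self.vrf(vrf)
        self.iface_vrf[interface] = vrf

    def forward(self, ingress: str, dst: str) -> Optional[Tuple[str, str, str]]:
        """Forwarding decision for a packet arriving on `ingress`: (VRF consulted,
        matched prefix, next hop), or None when that VRF has no route. The packet is
        dropped in that case; no other VRF's table is ever consulted."""
        vrf = self.iface_vrf.get(ingress, "default")
        hit = self.vrfs[vrf].lookup(dst)
        return None if hit is None else (vrf, hit[0], hit[1])


def build_router() -> Router:
    """Constructed PE: Cust A and Cust B both use 10.0.0.0/8 behind separate VRFs."""
    r = Router()
    r.vrf("default").add_route("0.0.0.0/0", "core-next-hop")
    r.bind("GigabitEthernet0/0/0/1", "CustA")
    r.vrf("CustA").add_route("10.0.0.0/8", "pe2-custA")
    r.vrf("CustA").add_route("10.5.0.0/16", "ce-a-site2")
    r.bind("GigabitEthernet0/0/0/2", "CustB")
    r.vrf("CustB").add_route("10.0.0.0/8", "pe2-custB")
    r.vrf("CustB").add_route("172.16.0.0/12", "ce-b-site2")
    return r
```

The same destination address, 10.5.1.1, resolves to different next hops depending only on which customer's interface the packet entered, and Cust A traffic for 172.16.1.1 is dropped even though the default VRF holds a default route: nothing crosses between tables unless a route is deliberately leaked.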



Committing a Configuration
This topic describes how to commit a Cisco IOS XR configuration.

• Viewing configuration:
- show config: Show uncommitted configuration
- show config merge: Show future running configuration after commit
- show config changes: Show future running configuration after commit replace
• Committing:
- commit best-effort: Commit whatever you can (not all or nothing)
- commit confirmed seconds: Commit for the duration of the timer (unless committed before
timer elapses)
- commit replace: Replaces current running configuration with configuration in the buffer
- commit label: Commits and adds a label to the history
- commit comment: Adds a comment to the committed history entry

The figure lists show config and commit commands that are used for viewing the target
configuration and committing the target configuration to the running configuration.

Configuration commit entry fails; view cause of failures:
RP/0/RSP0/CPU0:PE1(config)#taskgroup bgp
RP/0/RSP0/CPU0:PE1(config-tg)#hostname P4xyz
RP/0/RSP0/CPU0:PE1(config)#commit
% Failed to commit one or more configuration items during a pseudo-atomic
operation. All changes made have been reverted. Please issue 'show configuration
failed' from this session to view the errors

Partial configuration only:
RP/0/RSP0/CPU0:PE1(config)#commit best-effort
RP/0/RSP0/CPU0:Jun 30 01:24:54.237 : config[65841]: %MGBL-CONFIG-6-DB_COMMIT :
Configuration committed by user 'root'. Use 'show configuration commit changes
1000000257' to view the changes.
% Failed to commit one or more configuration items. Please issue 'show
configuration failed' from this session to view the errors
RP/0/RSP0/CPU0:P4xyz(config)#show configuration failed
!! SEMANTIC ERRORS: This configuration was rejected by
!! the system due to semantic errors. The individual
!! errors with each failed configuration command can be
!! found below.
taskgroup bgp
!!% 'LOCALD' detected the 'fatal' condition 'Usergroup/Taskgroup names cannot be
taskid names'
!
End

The default method of committing changes is “atomic.” Atomic signifies an all-or-nothing type
of configuration in which a semantic error in one part of a configuration prevents any
configuration commands from being committed and implemented.
The configuration commands that fail to pass semantic verification during the commit process
are known as failed configurations. When a configuration commit fails, the target configuration
is left intact and nothing is copied to the running configuration. An error message is generated
to indicate that a problem has occurred.
The failed configuration commands can be viewed by entering the show config failed
command.
A second method of committing changes is “best effort.” Best effort implements the parts of
the configuration that are semantically correct but will not implement the part of the
configuration that is incorrect. An error message is generated in this case also, and the failed
part of the configuration can be viewed by use of the show config failed command.



Configuration Management
This topic describes how to roll back to a previous configuration.

• Every configuration change is stored in history.

RP/0/RP1/CPU0:CRS# show configuration history
Tue Sep 28 17:37:20.623 CEDT
Sno. Event    Info                         Time Stamp
~~~~ ~~~~~    ~~~~                         ~~~~~~~~~~
1    commit   id 1000001648                Thu Jun 23 21:22:19 2011
2    commit   id 1000001649                Thu Jun 23 21:24:38 2011
3    commit   id 1000001650                Thu Jun 23 22:15:27 2011
4    commit   id 1000001651                Tue Jun 28 09:05:49 2011
5    backup   Periodic ASCII backup        Tue Jun 28 09:06:36 2011
6    shutdown sync for potential shutdown  Tue Jun 28 09:29:57 2011

rollback configuration last 2

rollback configuration to 4

• No rollback occurs if the configuration is incompatible.
• Rollback succeeds if the configuration passes all compatibility checks.
• For incompatible configuration, the operation fails and an error appears.


After each commit operation, the system saves a record of the committed configuration
changes. This record contains only the changes that are made during the configuration
session; it does not contain the complete configuration. Each record is assigned a unique ID,
known as a commit ID. When multiple commit IDs are present, you can use a commit ID to
identify a previous configuration to which to return, or you can use the commit ID to load the
configuration changes that were made during that configuration session. You can also load
configuration changes from multiple commit IDs, and you can clear commit IDs. If you are
thinking about rolling back the configuration to a specific commit ID, consider the following
guidelines:
 You cannot roll back to a configuration that was removed because of package
incompatibility.
 Configuration rollbacks can succeed only when the configuration passes all compatibility
checks with the currently active Cisco IOS XR Software release.
 If the system finds an incompatible configuration during rollback, the operation fails and an
error appears.

To perform configuration rollback, use the rollback configuration command.
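The two-stage commit described on the previous pages (atomic versus best-effort) and the commit history and rollback described here, as an added Python model that is not Cisco code and not part of the course. It assumes a single constructed semantic rule (a task group may not be named after a task ID, the condition LOCALD reported on the slide), a made-up starting commit ID, and reads "rollback configuration to <id>" as returning the running configuration to its state right after that commit:

```python
"""Model of the Cisco IOS XR two-stage commit, with atomic and best-effort modes
and commit-ID based rollback. Added example; not Cisco code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed set of task IDs. On the slide, LOCALD rejects "taskgroup bgp"
# because a task group may not be named after an existing task ID.
TASK_IDS = {"bgp", "ospf", "static"}


def semantic_check(key: str, value: str) -> Optional[str]:
    """Return an error string if the item fails semantic verification, else None."""
    if key == "taskgroup" and value in TASK_IDS:
        return "Usergroup/Taskgroup names cannot be taskid names"
    return None


@dataclass
class ConfigDB:
    running: Dict[str, str] = field(default_factory=dict)   # running configuration
    target: Dict[str, str] = field(default_factory=dict)    # uncommitted target configuration
    failed: Dict[str, str] = field(default_factory=dict)    # what 'show configuration failed' lists
    # commit history: (commit ID, {key: (old value, new value)}); only the delta is kept
    history: List[Tuple[int, Dict[str, Tuple[Optional[str], str]]]] = field(default_factory=list)
    next_id: int = 1000000001  # constructed starting commit ID

    def configure(self, key: str, value: str) -> None:
        """Enter a configuration line: it only lands in the target configuration."""
        self.target[key] = value

    def commit(self, best_effort: bool = False) -> Optional[int]:
        """Atomic (default): any semantic error reverts everything and leaves the
        target intact. Best-effort: apply the items that pass and report the rest.
        Returns the new commit ID, or None when nothing was committed."""
        self.failed = {}
        for key, value in self.target.items():
            error = semantic_check(key, value)
            if error:
                self.failed[f"{key} {value}"] = error
        if self.failed and not best_effort:
            return None                       # nothing copied to the running configuration
        delta: Dict[str, Tuple[Optional[str], str]] = {}
        for key, value in self.target.items():
            if f"{key} {value}" in self.failed:
                continue
            delta[key] = (self.running.get(key), value)
            self.running[key] = value
        self.target = {}                      # model assumption: target cleared after commit
        if not delta:
            return None
        commit_id = self.next_id
        self.next_id += 1
        self.history.append((commit_id, delta))
        return commit_id

    def _undo_last(self) -> None:
        _, delta = self.history.pop()
        for key, (old, _new) in delta.items():
            if old is None:
                self.running.pop(key, None)
            else:
                self.running[key] = old

    def rollback_last(self, n: int) -> int:
        """Like 'rollback configuration last n': undo the n most recent commits."""
        count = min(n, len(self.history))
        for _ in range(count):
            self._undo_last()
        return count

    def rollback_to(self, commit_id: int) -> int:
        """Return the running configuration to its state right after commit_id
        (this model's reading of 'rollback configuration to <id>'). An unknown ID
        undoes every commit in the history."""
        count = 0
        while self.history and self.history[-1][0] != commit_id:
            self._undo_last()
            count += 1
        return count


def demo() -> dict:
    """Walk through the slide's scenario; returns the values worth checking."""
    db = ConfigDB()
    db.configure("hostname", "PE1")
    first = db.commit()                           # succeeds
    db.configure("taskgroup", "bgp")              # semantically invalid
    db.configure("hostname", "P4xyz")
    atomic = db.commit()                          # fails as a whole, target kept
    hostname_after_atomic = db.running["hostname"]
    best = db.commit(best_effort=True)            # hostname applied, taskgroup reported
    hostname_after_best = db.running["hostname"]
    undone = db.rollback_to(first)
    return {"first": first, "atomic": atomic, "after_atomic": hostname_after_atomic,
            "best": best, "after_best": hostname_after_best, "failed": list(db.failed),
            "taskgroup_installed": "taskgroup" in db.running,
            "undone": undone, "after_rollback": db.running["hostname"]}
```

Calling demo() reproduces the slide: the atomic commit returns None and leaves the hostname at PE1, the best-effort commit changes the hostname to P4xyz while listing "taskgroup bgp" as failed, and rolling back to the first commit ID restores the hostname.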

Configuration Session Management
This topic describes how to manage Cisco IOS XR configuration sessions.

• Using configure exclusive instead of configure [terminal] enters the exclusive configuration mode.
• show configuration lock: Who used the exclusive mode?
• show configuration sessions: Who is configuring right now?

RP/0/RSP0/CPU0:PE1#show configuration lock
Tue Jun 28 11:22:10.449 UTC

Session Write Lock

00000211-00244133-00000000

RP/0/RSP0/CPU0:PE1#show configuration sessions
Tue Jun 28 11:23:13.269 UTC
Current Configuration Session Line User Date Lock
00000211-00244133-00000000 vty0 admin Tue Jun 28 11:20:10 2011 *

• Entering configuration mode is possible with a lock, but committing is not until the lock is released.


The configure exclusive command enables the administrator to configure exclusively from the
administrator terminal, which locks other users from configuring the router.



Username: root
Password: <password>
Login

Verify management interface configuration.
RP/0/RSP0/CPU0:PE1#show configuration running-config interface MgmtEth0/RSP0/CPU0/0
Tue Jun 28 13:11:41.424 UTC
interface MgmtEth0/RSP0/CPU0/0
 cdp
 shutdown
!

Configure IP address and enable management interface.
RP/0/RSP0/CPU0:PE1#configure
Tue Jun 28 13:11:47.378 UTC
RP/0/RSP0/CPU0:PE1(config)#interface MgmtEth0/RSP0/CPU0/0
RP/0/RSP0/CPU0:PE1(config-if)#ipv4 address 10.10.10.17 255.255.255.0
RP/0/RSP0/CPU0:PE1(config-if)#no shutdown
RP/0/RSP0/CPU0:PE1(config-if)#end
Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:yes
RP/0/RSP0/CPU0:Jun 28 13:12:51.742 : ifmgr[228]: %PKT_INFRA-LINK-3-UPDOWN :
Interface MgmtEth0/RSP0/CPU0/0, changed state to Down
RP/0/RSP0/CPU0:PE1#RP/0/RSP0/CPU0:Jun 28 13:12:57.229 : ifmgr[228]: %PKT_INFRA-
LINK-3-UPDOWN : Interface MgmtEth0/RSP0/CPU0/0, changed state to Up

RP/0/RSP0/CPU0:PE1#show configuration running-config interface MgmtEth0/RSP0/CPU0/0
Tue Jun 28 13:16:22.479 UTC
interface MgmtEth0/RSP0/CPU0/0
 cdp
 ipv4 address 10.10.10.17 255.255.255.0
!


This figure shows how to configure an IP address on the first management interface of RP0
and enable that interface.
To verify the IP address configuration, you can also use the show ipv4 interface brief
command.

Summary
This topic summarizes the key points that were discussed in this lesson.

• Cisco routers run three different Cisco IOS versions: IOS, IOS XE, and IOS XR.
• IOS XR is based on QNX with process separation and protection.
• IOS XR uses a command line that is very similar to IOS.
• A Cisco router can be accessed using the console or remotely using protocols like Telnet or SSH.
• Cisco IOS XR has a complex prompt that relays several bits of information.
• Cisco IOS XR uses command modes similar to IOS, with the addition of admin mode.
• Grouping of IOS XR configuration is more pronounced when compared to IOS.
• To apply and save all entered configuration to the router, use the commit command.
• Cisco IOS XR uses Emacs shortcuts.

• Cisco IOS XR configuration is modified in approximately the same way that Cisco IOS configuration is modified.
• Virtual routing and forwarding allows multiplexing of several MPLS VPN customers on a single logical link.
• The commit command accepts several parameters that change the way that commit works.
• To undo a commit, one can simply roll back the configuration.
• An exclusive configuration session prevents anyone else from committing their changes until the holder of the exclusive session closes it.




Lesson 3

Configuring Basic Routing


Overview
Routing is the process of determining where to send data packets that are destined for addresses
outside the local network. Routers gather and maintain routing information to enable the
transmission and receipt of data packets. Routing information takes the form of entries in a
routing table, with one entry for each identified route. The network administrator can statically
configure the entries so that they appear in the routing table, or the router can use a routing
protocol to create and maintain the routing table dynamically to accommodate network changes
whenever they occur.
Distance vector routing protocols include Routing Information Protocol (RIP), which is one of
the most enduring of all routing protocols. RIP is a relatively old, but still commonly used,
interior gateway protocol (IGP) for use in small, homogeneous networks. RIP is a classic
distance vector routing protocol.
This lesson introduces IP static routing, describes the basic features and operation of RIP, and
explains how to enable RIP on an IP network.

Objectives
Upon completing this lesson, you will be able to describe the operation, benefits, and
limitations of static and dynamic routing. You will be able to meet these objectives:
 Describe basic router operations
 Compare static and dynamic routes
 Describe how to configure a static route in Cisco IOS XR
 Describe how to configure a default route in Cisco IOS XR
 Describe the purpose and functions of dynamic routing protocols
 Describe an autonomous system
 Describe the three classes of the IGP routing protocols
 Describe how topology changes are propagated through a network
 Describe a converged routing table
 Describe how slow convergence can produce inconsistent routing
 Describe routing loops
 Describe how to prevent routing loops using split horizon
 Describe how to prevent routing loops using route poisoning and poison reverse
 Describe how to prevent routing loops using hold-down timers
 Describe how to use triggered updates to prevent routing table inconsistencies
 Show an example of the routing convergence process using a distance vector routing
protocol
 Describe the features of RIP, and compare RIPv1, RIPv2, and RIPng
 Describe the tasks that are required to enable a dynamic routing protocol on a Cisco router
and how to implement RIP

Router Operations
This topic describes the basic router operations.

• Routers must learn destinations that are not directly connected.


• The routing table is used to determine the best path to the destination.

10.10.10.0/24 172.16.1.0/24

Routing table:
Connected 10.10.10.0/24
Learned 172.16.1.0/24

• Learned routes may be manually configured or learned automatically.


Routers perform packet forwarding by learning about remote networks and maintaining routing
information. To be able to route packets, a router must determine the destination IP address and
determine from which sources the router can learn the paths to the given destinations. Then, the
router will determine the initial possible routes and select the best path to the intended
destination. The router will determine if the known paths to the destination are the most current.
The routing information that a router obtains from other routers is placed in its routing table.
The routing table is used to find the best match and path between the destination IP of a packet
and a network address in the routing table. The routing table will ultimately determine the exit
interface to forward the packet.
The routing table stores information about connected and remote networks. Connected
networks are directly attached to one of the router interfaces. If the destination network is
directly connected, the router already knows which interface to use when forwarding packets.
Remote networks are networks that are not directly connected to the router. Routes to these
networks can be determined in one of the following ways:
 Manually configured on the router by the network administrator
 Learned automatically by use of the dynamic routing process



Static and Dynamic Routes
This topic compares static and dynamic routes.

• A static route is manually entered into the router.
• A dynamic route is adjusted automatically by a routing protocol.

                          Static Routing                          Dynamic Routing
Configuration complexity  Increases with network size             Generally independent of network size
Topology changes          Administrator intervention required     Automatically adapts to topology changes
Scaling                   Suitable for simple topologies          Suitable for simple and complex topologies
Security                  More secure                             Less secure
Resource usage            No extra resources needed               Uses CPU, memory, link bandwidth
Predictability            Route to destination is always the same Route depends on the current topology

• Use static routes:
  - Small network
  - Single connection to the service provider
  - Hub-to-spoke topology (on spoke routers)

Based on the router configuration, routers can forward packets over static routes or dynamic
routes. Remote networks are added to the routing table either by configuring static routes or
enabling a dynamic routing protocol:
 Static routes: Routes to remote networks with an associated next hop can be manually
configured on the router. The administrator must manually update a static route entry
whenever an internetwork topology change requires an update.
 Dynamic routes: Remote networks can also be automatically added to the routing table by
using a dynamic routing protocol. The router dynamically learns routes after an
administrator configures a routing protocol that helps determine routes. The routing process
automatically updates route knowledge whenever new topology information is received.
The router learns and maintains routes to the remote destinations by exchanging routing
updates with other routers in the internetwork.

Static routes should be used in the following cases:
 A network consists of only a few routers. Using a dynamic routing protocol in such a case
does not present any substantial benefit. On the contrary, dynamic routing may add more
administrative overhead.
 A network is connected to the Internet only through a single service provider. There is no
need to use a dynamic routing protocol across this link because the service provider
represents the only exit point to the Internet.
 A large network is configured in a hub-and-spoke topology. A hub-and-spoke topology
consists of a central location (the hub) and multiple branch locations (the spokes), with
each spoke having only one connection to the hub. Using dynamic routing would be
unnecessary because each branch has only one path to a given destination: through the
central location.

Static Route Configuration
This topic describes how to configure a static route in Cisco IOS XR.

• Configure a static route to a stub network to allow communications to occur.
• When configuring a static route, use the IP address of the next-hop router or the exit interface of the local router.

Figure: stub network 10.1.10.0/24 sits behind the left router (Gi 0/0, 192.168.101.11); PE1 (Gi 0/0/0/0, 192.168.101.10) on the right connects toward the Internet through a default route.

router static
 address-family ipv4 unicast
  10.1.10.0/24 192.168.101.11
or
  10.1.10.0/24 GigabitEthernet0/0/0/0

RP/0/RSP0/CPU0:PE1#show route
Thu Apr 13 23:44:39.473 UTC
< text omitted >
Gateway of last resort is not set

L 10.1.1.1/32 is directly connected, 19:09:10, Loopback0
S 10.1.10.0/24 [1/0] via 192.168.101.11, 00:03:08
C 192.168.101.0/24 is directly connected, 16:52:13, GigabitEthernet0/0/0/0
L 192.168.101.10/32 is directly connected, 16:52:13, GigabitEthernet0/0/0/0

or S 10.1.10.0/24 is directly connected, 00:00:04, GigabitEthernet0/0/0/0


Static routes are commonly used when you are routing from a network to a stub network. A
stub network is a network that is accessed by a single route. Static routes can also be useful for
specifying a “gateway of last resort” to which all packets with an unknown destination address
will be sent.
In this figure, the router on the right (running Cisco IOS XR) is configured with a static route to
reach the 10.1.10.0/24 subnet via the GigabitEthernet0/0/0/0 interface.
The Cisco IOS XR syntax to configure a static route is shown in the example. To configure a
static route in the Cisco IOS or Cisco IOS XE Software, use the ip route command.
Typically, most routing tables contain a combination of static routes and dynamic routes.
However, as previously stated, the routing table must first contain the directly connected
networks that are used to access the remote networks before any static or dynamic routing can
be used.
A static route includes the network address and subnet mask of the remote network, along with
the IP address of the next-hop router or exit interface. Static routes are denoted with the code
“S” in the routing table as shown in this figure.
The entry in the routing table no longer refers to the next-hop IP address, but refers directly to
the exit interface when the exit interface is used in a static route configuration. This exit
interface is the same one to which the static route was resolved when it used the next-hop IP
address. Now, when the routing table process has a match for a packet and this static route, it
will be able to resolve the route to an exit interface in a single lookup. The static route displays
the route as directly connected. It is important to understand that this does not mean that this
route is a directly connected network or a directly connected route. This route is still a static
route.



Default Route Configuration
This topic describes how to configure a default route in Cisco IOS XR.

A default route allows the stub network to reach all networks in the Internet.

Figure: stub network 10.1.10.0/24 sits behind CE1 (Gi 0/0, 192.168.101.11); PE1 (Gi 0/0/0/0, 192.168.101.10) connects toward the Internet. PE1 reaches the stub network through a static route, and CE1 reaches everything else through a default route.

ip route 0.0.0.0 0.0.0.0 192.168.101.10
or
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0

CE1#show ip route
< text omitted >
Gateway of last resort is 192.168.101.10 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 192.168.101.10
192.168.101.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.101.0/24 is directly connected, GigabitEthernet0/0
L 192.168.101.11/32 is directly connected, GigabitEthernet0/0

or S* 0.0.0.0/0 is directly connected, GigabitEthernet0/0


Use a default route in situations in which the route from a source to a destination is not known
or when it is not feasible for the router to maintain many routes in its routing table.
A default static route is a route that will match all packets. Default static routes are used when
no other routes in the routing table match the destination IP address of the packet or when a
more specific match does not exist. A common use for a default static route is when connecting
an edge router of a company to the service provider network.
The Cisco IOS or Cisco IOS XE syntax for a default static route is like any other static route.
The network address in the default static route is 0.0.0.0 and the subnet mask is 0.0.0.0. The
Cisco IOS XR syntax is as follows:
router static
 address-family ipv4 unicast
  0.0.0.0/0 192.168.101.11
Or
router static
 address-family ipv4 unicast
  0.0.0.0/0 GigabitEthernet0/0/0/0
To verify that you have properly configured static routing, verify the routing table by using the
show ip route command (or show route in Cisco IOS XR) and look for static routes that are
denoted by “S.” The asterisk (*) indicates the last path that was used when a packet was
forwarded.
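The lookup behaviour described in the last two topics, as an added Python example that is not part of the course and not Cisco code: longest-prefix match over a routing table, a static route with a next-hop address that needs a second lookup to find the exit interface, a static route with an exit interface that resolves in one lookup, and a 0.0.0.0/0 route that only wins when nothing more specific matches. The routing tables are constructed from the slides' show route and show ip route output; the Route and RoutingTable classes and the describe() helper are this example's own:

```python
"""IPv4 routing table lookup as described in the lesson: longest-prefix match,
static routes with a next hop resolved recursively to an exit interface, static
routes with an exit interface resolved in one lookup, and 0.0.0.0/0 as the
gateway of last resort. Added example; not Cisco code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Route:
    code: str                        # C connected, L local, S static, S* static default
    prefix: str                      # e.g. "10.1.10.0/24"
    next_hop: Optional[str] = None   # set for "via <address>" routes
    interface: Optional[str] = None  # set for connected routes and interface static routes

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.prefix, strict=False)


class RoutingTable:
    def __init__(self, routes: List[Route]) -> None:
        self.routes = routes

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match. 0.0.0.0/0 matches every address, so it is chosen
        only when no more specific route exists (the gateway of last resort)."""
        addr = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes if addr in r.network]
        if not candidates:
            return None
        return max(candidates, key=lambda r: r.network.prefixlen)

    def resolve(self, dst: str, max_depth: int = 8) -> Tuple[Optional[Route], Optional[str], int]:
        """Return (matching route, exit interface, number of lookups). A route that
        names a next-hop address needs a further lookup on that address to find the
        interface; a route that names the interface resolves in a single lookup."""
        lookups, first, target = 0, None, dst
        for _ in range(max_depth):
            route = self.lookup(target)
            lookups += 1
            if route is None:
                return first, None, lookups       # unresolvable next hop: no exit interface
            first = first or route
            if route.interface is not None:
                return first, route.interface, lookups
            target = route.next_hop               # recurse on the next hop address
        return first, None, lookups


# Constructed tables mirroring the slides' show route / show ip route output.
PE1_VIA_NEXT_HOP = RoutingTable([
    Route("L", "10.1.1.1/32", interface="Loopback0"),
    Route("S", "10.1.10.0/24", next_hop="192.168.101.11"),
    Route("C", "192.168.101.0/24", interface="GigabitEthernet0/0/0/0"),
    Route("L", "192.168.101.10/32", interface="GigabitEthernet0/0/0/0"),
])
PE1_VIA_INTERFACE = RoutingTable([
    Route("L", "10.1.1.1/32", interface="Loopback0"),
    Route("S", "10.1.10.0/24", interface="GigabitEthernet0/0/0/0"),
    Route("C", "192.168.101.0/24", interface="GigabitEthernet0/0/0/0"),
    Route("L", "192.168.101.10/32", interface="GigabitEthernet0/0/0/0"),
])
CE1 = RoutingTable([
    Route("S*", "0.0.0.0/0", next_hop="192.168.101.10"),
    Route("C", "192.168.101.0/24", interface="GigabitEthernet0/0"),
    Route("L", "192.168.101.11/32", interface="GigabitEthernet0/0"),
])


def describe(table: RoutingTable, dst: str) -> Tuple[Optional[str], Optional[str], int]:
    """(route code, exit interface, lookups) for a destination address."""
    route, iface, lookups = table.resolve(dst)
    return (route.code if route else None), iface, lookups
```

describe(PE1_VIA_NEXT_HOP, "10.1.10.5") takes two lookups (the static route, then the connected network covering 192.168.101.11), while describe(PE1_VIA_INTERFACE, "10.1.10.5") takes one and still reports code S, which is the point made above: the route shows as directly connected but remains a static route. On PE1 a destination such as 8.8.8.8 has no match at all because no gateway of last resort is set, whereas on CE1 it falls through to the S* default route.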

Routing Protocols
This topic describes the purpose and functions of dynamic routing protocols.

• Routing protocols are used between routers to determine paths and to maintain routing tables.
• After the path is determined, a router can route a routed protocol (IP, IPv6, etc.).

Figure: a router with Gi0/0 on 10.10.10.0/24, Gi0/1 toward 172.16.2.0/24, and Gi0/2 toward 172.16.3.0/24. The routing protocol discovers remote networks, chooses the best path to destination networks, maintains up-to-date routing information, and finds a new best path if the current path is no longer available.

Network protocol   Destination network   Exit interface
Connected          10.10.10.0/24         Gi0/0
RIP                172.16.2.0/24         Gi0/1
EIGRP              172.16.3.0/24         Gi0/2


A routing protocol is a set of processes, algorithms, and messages that is used to exchange
routing information and populate the routing table with the best path to each learned remote
network. Routing protocols are a set of rules by which routers dynamically share their routing
information. As routers become aware of changes to the networks for which they act as the
gateway, or changes to links between routers, this information is passed on to other routers.
When a router receives information about new or changed routes, it updates its own routing
table and, in turn, passes the information to other routers. In this way, all routers have accurate
routing tables that are updated dynamically and can learn about routes to remote networks that
can be many hops away.
The purpose of a routing protocol includes the following functions:
 Discovery of remote networks
 Maintaining up-to-date routing information
 Choosing the best path to destination networks
 Ability to find a new best path if the current path is no longer available



Autonomous Systems
This topic describes an autonomous system.

• An autonomous system is a collection of networks within a common administrative domain.
• Interior gateway protocols operate within an autonomous system.
• Exterior gateway protocols connect different autonomous systems.

Figure: Autonomous System 50100 and Autonomous System 50200, each running an IGP (RIP, EIGRP, OSPF, IS-IS) internally, connected to each other by an EGP (BGP).


An autonomous system, otherwise known as a routing domain, is a collection of routers under a
common administration. Typical examples are an internal network of a company and a network
of a service provider. Because the Internet is based on the autonomous system concept, the
following two types of routing protocols are required:
 IGPs: These routing protocols are used to exchange routing information within an
autonomous system. RIP, Enhanced Interior Gateway Routing Protocol (EIGRP),
Intermediate System-to-Intermediate System (IS-IS), and Open Shortest Path First (OSPF)
are examples of IGPs.
 Exterior gateway protocols (EGPs): These routing protocols are used to route between
autonomous systems. Border Gateway Protocol (BGP) is the EGP of choice in modern
networks.
IGPs are used for routing within a routing domain, which consists of those networks within the
control of a single organization. An autonomous system is commonly composed of many
individual networks that belong to companies, schools, and other institutions. An IGP is used to
route within the autonomous system, and it is also used to route within the individual networks
themselves. For example, a fictitious organization operates an autonomous system that includes
schools, colleges, and universities. This organization uses an IGP to route within its
autonomous system to interconnect all of these institutions. Each of the educational institutions
also uses an IGP of its own choosing to route within its own individual network. The IGP that
is used by each entity provides best-path determination within its own routing domains, just as
the IGP that is used by the organization provides best-path routes within the autonomous
system itself.

EGPs, on the other hand, are designed for use between different autonomous systems that are
under the control of different administrations. BGP is the only currently viable EGP and is the
routing protocol that is used by the Internet. BGP is a path vector protocol that can use many
different attributes to measure routes. At the ISP level, there are often more important issues
than just choosing the fastest path. BGP is typically used between service providers and
sometimes between a company and a service provider.



Classes of IGP Routing Protocols
This topic describes the three classes of the IGP routing protocols.

Figure: the three classes of IGP and their protocols. Distance vector: RIP, RIPv2, RIPng. Advanced distance vector: EIGRP. Link-state: OSPF, OSPFv3, IS-IS. RIPng, EIGRP, OSPFv3, and IS-IS are marked as IPv6 enabled.


Within an autonomous system, most IGP routing can be classified as conforming to one of the
following algorithms:
 Distance vector: The distance vector routing approach determines the direction (vector)
and distance (such as hops) to any link in the internetwork. Some distance vector protocols
periodically send complete routing tables to all of the connected neighbors. In large
networks, these routing updates can become enormous, causing significant traffic on the
links. Distance vector protocols use routers as signposts along the path to the final
destination. The only information that a router knows about a remote network is the
distance or metric to reach that network and which path or interface to use to get there.
Distance vector routing protocols do not have an actual map of the network topology. RIP
is an example of a distance vector routing protocol.
 Advanced distance vector or balanced hybrid: The advanced distance vector approach
combines aspects of the link-state and distance vector algorithms. EIGRP is an example of
an advanced distance vector routing protocol.
 Link state: The link-state approach, which uses the Shortest Path First (SPF) algorithm,
creates an abstract of the exact topology of the entire internetwork, or at least of the
partition in which the router is situated. Using an analogy of signposts, using a link-state
routing protocol is like having a complete map of the network topology. The signposts
along the way from the source to the destination are not necessary, because all link-state
routers are using an identical “map” of the network. A link-state router uses the link-state
information to create a topology map and to select the best path to all destination networks
in the topology. OSPF and IS-IS are examples of link-state routing protocols.
There is no single best routing algorithm for all internetworks. All routing protocols provide the
information differently.
Routing Information Protocol next generation (RIPng), EIGRP, IS-IS, and OSPF version 3
(OSPFv3) internal routing protocols are IPv6-enabled.

Maintaining Routing Information
This topic describes how topology changes are propagated through a network.

Updates proceed step-by-step from router to router.

• Failure of a link
• Introduction of a new link
• Failure of a router
• Change of link parameters

Figure: a topology change causes a routing table update on router A. Router A runs its process to update its routing table and sends a routing table update to router B; router B updates its routing table and sends a routing table update to router C, which updates its own table (distance vector).


Routing tables must be updated when the topology of the internetwork changes. Like the
network discovery process, topology-change updates proceed step by step from router to router.
Distance vector algorithms call for each router to send its entire routing table to each of its
neighbors. Distance vector routing updates are sent periodically at regular intervals. The
routing table can also be sent immediately by using triggered updates when the router detects a
topology change. Changes may occur for several reasons, including the following:
 Failure of a link
 Introduction of a new link
 Failure of a router
 Change of link parameters

When a router receives an update from a neighboring router, the router compares the update
with its own routing table. To establish the new metric, the router adds the cost of reaching the
neighboring router to the path cost that is reported by the neighbor. If the router learns from its
neighbor of a better route (a smaller total metric) to a network, it updates its own routing table.
Each routing-table entry includes the following information:
 Information about the total path cost, which is defined by the routing-table metric
 The logical address of the first router on the path to each network that the routing table
knows about (the next-hop)

The age of routing information in a routing table is defined and refreshed each time that an
update is received. Therefore, information in the routing table can be maintained when there is
a topology change.



Converged Routing Table
This topic describes a converged routing table.

Each node maintains the distance from itself to each possible destination
network.


This slide represents a converged network before the 10.4.0.0 subnet goes down.
In the figure, the interface to each directly connected network has a distance of 0.
As the distance vector network discovery process continues, routers discover the best path to
destination networks that are not directly connected, based on accumulated metrics from each
neighbor. Neighboring routers provide information for routes that are not directly connected.
Router A learns about networks that are not directly connected (10.3.0.0 and 10.4.0.0) based on
information that it receives from router B. Each network entry in the routing table has an
accumulated distance vector to show how far away that network is in a given direction. When
all routers have the complete routing information, the network is said to be fully converged.
Router B is one unit of cost from router A. Router B would add one unit of cost to all costs
reported by router A when router B runs the distance vector processes to update its routing
table.
Just before the failure of network 10.4.0.0, all routers have consistent knowledge and correct
routing tables. The network is said to have “converged.” Router C is directly connected to
network 10.4.0.0 with a distance of 0 (hop). The path for router A to network 10.4.0.0 is
through router B, with a hop count of 2.

Counting to Infinity
This topic describes how slow convergence can produce inconsistent routing.

Slow convergence produces inconsistent routing.


When network 10.4.0.0 fails, router C detects the failure and stops routing packets out of its E0
interface. However, routers A and B have not yet received notification of the failure. Router A
still believes it can access 10.4.0.0 through router B. The routing table of router A still reflects a
path to network 10.4.0.0, with a distance of 2.

Router C concludes that the best path to network 10.4.0.0 is through router B.




Before router C can send an update, router B sends its periodic copy of its routing table to
router C. Router C believes that it now has a viable path to network 10.4.0.0 through router B.
Router C updates its routing table to reflect a path to network 10.4.0.0 through router B with a
hop count of 2.

Router A updates its table to reflect the new but erroneous hop count.


Router B receives a new update from router C and updates its own table to reflect the new cost
(three hops). Router A receives the new routing table from router B, detects the modified
distance vector to network 10.4.0.0, and recalculates its own distance vector to 10.4.0.0 as 4.

The hop count for network 10.4.0.0 counts to infinity.


At this point, the routing tables of all three routers are incorrect, showing that network 10.4.0.0
can be reached by paths that do not exist, with hop counts that are meaningless. Routing-table
updates will continue to be sent out and the hop count will grow larger (a problem “counting to
infinity”). Packets that are destined for network 10.4.0.0 will never reach their destination.
Instead, they will move continuously between the routers, creating a routing loop.
Until some other process can stop the looping, the routers update each other inappropriately,
failing to consider that network 10.4.0.0 is down. Without countermeasures to stop the process,
the hop-count distance vector increments each time a routing-table update is passed to another
router. These updates continue to proliferate because the destination is never marked as
unreachable.

A limit is set on the number of hops to prevent infinite loops.


To eventually stop the endless incrementing of the metric, “infinity” is defined by setting a
maximum metric value. This maximum applies to a routing metric, such as a hop count. For
example, RIP defines infinity as 16 hops, and a metric of 16 in the metric field means
“unreachable.” Once the routers “count to infinity,” they mark the route as unreachable.
The figure shows the defined maximum allowed value as 16 hops. When the metric exceeds the
maximum allowed value, network 10.4.0.0 is considered unreachable, stopping the proliferation
of routing updates that increase the metric.



Routing Loops
This topic describes routing loops.

Packets for network 10.4.0.0 bounce (loop) between routers B and C.


Defining a maximum is a solution to stop a continually increasing metric, but you must also
prevent the routing loop. A routing loop is a condition in which a packet is continuously
transmitted within a series of routers without ever reaching its intended destination network. A
routing loop can occur when two or more routers have routing information incorrectly
indicating a valid path to the unreachable destination. A routing loop can have a devastating
effect on a network. It can result in degraded network performance or even network downtime.
A number of techniques, or stability features, are available to eliminate routing loops, including
split horizon, route poisoning, poison reverse, hold-down timers, and triggered updates as well
as maximum hop count.

In the example, a packet that is destined for network 10.4.0.0 arrives at router A. According to
the router A routing table, router A will forward the packet over interface S0. The packet
arrives at router B, which forwards it out of interface S1, as indicated in the routing table of
router B. Router C receives that packet and checks its routing table, which specifies that the
packet should be forwarded out of interface S0. The packet thus arrives back at router B, which
again forwards the packet to router C over interface S1. The packet loops between routers B
and C indefinitely.

Split Horizon
This topic describes how to prevent routing loops using split horizon.

It is never useful to send information about a route back in the direction from which the original information came.


One way to eliminate routing loops and speed up convergence is through the technique called
split horizon. The rule of split horizon is that it is never useful to send information about a route
back in the direction from which the original information came.
The figure depicts how the split-horizon technique eliminates routing loops:
• Router B has access to network 10.4.0.0 through router C. It makes no sense for router B to
announce to router C that router B has access to network 10.4.0.0 through router C.
• Given that router B passed the announcement of its route to network 10.4.0.0 to router A, it
makes no sense for router A to announce its distance from network 10.4.0.0 to router B.
• When router C announces that its connection to network 10.4.0.0 is down, router B sees
that it has no alternative path to network 10.4.0.0 and concludes that network 10.4.0.0 is
inaccessible. Router C does not use router B to try to reach network 10.4.0.0.



Route Poisoning and Poison Reverse
This topic describes how to prevent routing loops using route poisoning and poison reverse.

Routers advertise the distance of routes that have gone down to infinity.


Route poisoning is another mechanism that can help prevent routing loops. Route poisoning is
used to mark the route as unreachable in a routing update that is sent to other routers.
“Unreachable” is interpreted as a metric that is set to the maximum. For RIP, a poisoned route
has a metric of 16.
When network 10.4.0.0 is no longer available, router C poisons its link to network 10.4.0.0.
Poisoning is done by sending an update for that link indicating that it has an infinite metric and
a hop count of 16. (A hop count of 16 means an unreachable destination.) By poisoning the
route of router C to network 10.4.0.0, router C is no longer susceptible to incorrect updates
about network 10.4.0.0. The updates coming from neighboring routers that might claim to have
a valid alternate path are not used. Route poisoning speeds up the convergence process because
the information about 10.4.0.0 spreads through the network more quickly than waiting for the
hop count to reach “infinity.”

Poison reverse overrides split horizon.


When router B sees the metric for network 10.4.0.0 increase to infinity, router B sends an
update, called a poison reverse, back to router C. A poison reverse states that network 10.4.0.0
is inaccessible. Poison reverse is a specific circumstance that overrides split horizon. It ensures
that router C is not susceptible to incorrect updates about network 10.4.0.0.
Poison reverse can be combined with the split horizon technique. The method is called split
horizon with poison reverse. The rule for split horizon with poison reverse states that when
sending updates out of a specific interface, the router designates as unreachable any network
that is learned on that interface.
The idea behind split horizon with poison reverse is that explicitly telling a router to ignore a
route is better than not telling it about the route at all.
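The count-to-infinity sequence from the previous topics and the split horizon and poison reverse rules above can be replayed in a small simulation. The following Python script is an added example and is not part of the Cisco course material. It models the three-router chain A, B, C from the figures with a hop-count metric and RIP's infinity of 16; the order in which the routers recompute their tables (C, then B, then A, one at a time) is an assumption chosen so that the first round after the failure reproduces the metrics quoted in the text (C = 2, B = 3, A = 4).

```python
INFINITY = 16                 # RIP "infinity": a metric of 16 means unreachable
DEST = "10.4.0.0"             # the network that fails, as in the figures
NEIGHBORS = {"A": ["B"], "B": ["A", "C"], "C": ["B"]}   # constructed A -- B -- C chain
ORDER = ["C", "B", "A"]       # assumption: routers recompute one at a time in this order


class Router:
    def __init__(self, name):
        self.name = name
        self.connected = set()        # directly attached networks that are up
        self.table = {}               # destination -> (metric, next hop)

    def advertise(self, dest, to_neighbor, split_horizon, poison_reverse):
        """Metric announced for dest toward one neighbor; None means 'say nothing'."""
        metric, next_hop = self.table.get(dest, (INFINITY, None))
        if next_hop == to_neighbor:   # the route was learned from that very neighbor
            if poison_reverse:
                return INFINITY       # poison reverse: send it back as unreachable
            if split_horizon:
                return None           # split horizon: do not send it back at all
        return metric

    def process(self, dest, offers):
        """Bellman-Ford step: cheapest neighbor offer plus one hop; ties keep the current next hop."""
        if dest in self.connected:
            self.table[dest] = (0, "connected")
            return
        current_hop = self.table.get(dest, (INFINITY, None))[1]
        best_metric, best_hop = INFINITY, None
        for neighbor, metric in offers.items():
            if metric is None:
                continue
            candidate = metric + 1
            if candidate < INFINITY and (candidate < best_metric or
                                         (candidate == best_metric and neighbor == current_hop)):
                best_metric, best_hop = candidate, neighbor
        self.table[dest] = (best_metric, best_hop)   # (16, None) means unreachable


def step(routers, split_horizon, poison_reverse):
    """Each router in ORDER reads its neighbors' current tables. True if any table changed."""
    changed = False
    for name in ORDER:
        before = routers[name].table.get(DEST)
        offers = {nb: routers[nb].advertise(DEST, name, split_horizon, poison_reverse)
                  for nb in NEIGHBORS[name]}
        routers[name].process(DEST, offers)
        changed = changed or routers[name].table[DEST] != before
    return changed


def forwarding_path(routers, start, dest):
    """Follow next hops from start until delivery, a drop, or a revisited router (a loop)."""
    path, node = [start], start
    while True:
        _, hop = routers[node].table.get(dest, (INFINITY, None))
        if hop in (None, "connected"):
            return path               # None: dropped, no route; connected: delivered
        path.append(hop)
        if path.count(hop) > 1:
            return path               # same router twice: the packet is looping
        node = hop


def simulate(split_horizon=False, poison_reverse=False, max_rounds=50):
    """Converge, fail 10.4.0.0 on C, then record every round until nothing changes."""
    routers = {name: Router(name) for name in NEIGHBORS}
    routers["C"].connected.add(DEST)
    while step(routers, split_horizon, poison_reverse):
        pass                          # steady state: C = 0, B = 1 via C, A = 2 via B
    routers["C"].connected.discard(DEST)          # network 10.4.0.0 goes down
    history = []
    for _ in range(max_rounds):
        changed = step(routers, split_horizon, poison_reverse)
        history.append({"metrics": {n: routers[n].table[DEST][0] for n in "ABC"},
                        "path_from_A": forwarding_path(routers, "A", DEST)})
        if not changed:
            break
    return history


if __name__ == "__main__":
    cases = (("no stability features", {}),
             ("split horizon + poison reverse", {"split_horizon": True, "poison_reverse": True}))
    for label, kwargs in cases:
        print(label)
        for rnd, snap in enumerate(simulate(**kwargs), 1):
            print(f"  round {rnd}: {snap['metrics']}  packet from A: {' -> '.join(snap['path_from_A'])}")
```

Without stability features, the first round after the failure already shows B and C pointing at each other (the packet path A, B, C, B is the loop from the Routing Loops topic), and the metrics climb by two per round until every router reaches 16. With split horizon and poison reverse enabled, all three routers mark 10.4.0.0 unreachable in the very first round.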



Hold-Down Timers
This topic describes how to prevent routing loops using hold-down timers.

The router keeps an entry for the “possibly down” state in the network,
allowing time for other routers to recompute for this topology change.


Hold-down timers are used to prevent regular update messages from inappropriately reinstating
a route that may have gone bad. Hold-down timers tell routers to hold any changes that might
affect routes for some period. The hold-down period varies by routing protocol, but is usually
set to three times the periodic update interval for a distance vector routing protocol. In RIP,
however, the update interval is 30 seconds and the hold-down time is 180 seconds.
Hold-down timers work as follows:
• When a router receives an update from a neighbor indicating that a previously accessible
network is now inaccessible, the router marks the route as “possibly down” and starts a
hold-down timer.
• If an update arrives from a neighboring router with a better metric than originally recorded
for the network, the router marks the network as “accessible” and removes the hold-down
timer.
• If, at any time before the hold-down timer expires, an update is received from a different
neighboring router with a poorer or the same metric, the update is ignored. Ignoring an
update with a poorer or the same metric when a hold-down timer is in effect allows more
time for the change to propagate through the entire network.
• During the hold-down period, routes appear in the routing table as possibly down. The
router will still attempt to route packets to the possibly down network (in case the network
is having only intermittent connectivity problems, which are referred to as flapping).

Triggered Updates
This topic describes how to use triggered updates to prevent routing table inconsistencies.

The router sends updates when a change in its routing table occurs.


In the previous examples, routing loops were caused by erroneous information that was
calculated as a result of inconsistent updates, slow convergence, and timing. Slow convergence
problems can also occur if routers wait for their regularly scheduled updates before notifying
neighboring routers of network changes.
Routing-table updates normally are sent to neighboring routers at regular intervals. A triggered
update is a routing-table update that is sent immediately in response to some change. The
detecting router immediately sends an update message to adjacent routers, which, in turn,
generate triggered updates notifying their neighbors of the change. This wave of notifications
propagates throughout that portion of the network where routes went through the specific link
that changed.
Triggered updates would be sufficient if there were a guarantee that the wave of updates would
reach every appropriate router immediately. However, there are two problems:
• Packets containing the update message can be dropped or corrupted by a link in the
network.
• The triggered updates do not happen instantaneously. It is possible that a router that has not
yet received the triggered update will issue a regular update at just the wrong time. Wrong
timing will cause the bad route to be reinserted in a neighbor that had already received the
triggered update.

Coupling triggered updates with hold-down timers is designed to prevent these problems. The
hold-down rule specifies that for a specified period, no new route with the same or a worse
metric than a route that is in hold-down (possibly down) will be accepted for the same
destination as the hold-down route. This mechanism gives the triggered update time to
propagate throughout the network.
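The hold-down rules listed in the previous topic, and the way the hold-down period protects a triggered update from a late regular update, can be written down as a small state machine. The following Python model is an added example and is not part of the course material. The timer values are the Cisco defaults shown later in this lesson (update 30 s, invalid 180 s, holddown 180 s, flush 240 s); the neighbor names, the times in the scenarios, and the choice to record a received metric as one hop more than the neighbor advertised are constructed assumptions for the illustration.

```python
UPDATE, INVALID, HOLDDOWN, FLUSH = 30, 180, 180, 240   # RIP timer defaults shown in this lesson
INFINITY = 16                                          # RIP "unreachable" metric


class RouteEntry:
    def __init__(self, metric, next_hop, now):
        self.metric = metric            # the metric originally recorded for the route
        self.next_hop = next_hop
        self.last_valid = now           # time of the last valid update (invalid/flush timers)
        self.holddown_until = None      # set while the route is "possibly down"

    @property
    def possibly_down(self):
        return self.holddown_until is not None


class RipTable:
    def __init__(self):
        self.routes = {}

    def receive(self, prefix, metric, neighbor, now):
        """Apply one update (metric as advertised by the neighbor) and say what happened."""
        metric = min(metric + 1, INFINITY)            # assumption: one more hop from our side
        entry = self.routes.get(prefix)
        if entry is None:
            if metric >= INFINITY:
                return "ignored"                      # poison for a route we never had
            self.routes[prefix] = RouteEntry(metric, neighbor, now)
            return "installed"
        if entry.possibly_down:
            # Hold-down rule: until the timer expires only a strictly better metric is
            # accepted; the same or a worse metric is ignored so that a late regular
            # update cannot reinstate the bad route.
            if metric < INFINITY and (metric < entry.metric or now >= entry.holddown_until):
                self.routes[prefix] = RouteEntry(metric, neighbor, now)
                return "accessible"
            return "ignored"
        if neighbor == entry.next_hop:
            if metric >= INFINITY:                    # our own path was poisoned
                entry.holddown_until = now + HOLDDOWN
                return "possibly down"
            entry.metric, entry.last_valid = metric, now
            return "refreshed"
        if metric < entry.metric:                     # a better path via another neighbor
            self.routes[prefix] = RouteEntry(metric, neighbor, now)
            return "better path"
        return "ignored"

    def tick(self, now):
        """Run the invalid and flush timers; returns the (prefix, event) pairs that fired."""
        events = []
        for prefix, entry in list(self.routes.items()):
            if now - entry.last_valid >= FLUSH:
                del self.routes[prefix]               # route is "thrown in the trash"
                events.append((prefix, "flushed"))
            elif not entry.possibly_down and now - entry.last_valid >= INVALID:
                entry.holddown_until = now + HOLDDOWN # no valid update for 180 s
                events.append((prefix, "possibly down"))
        return events

    def status(self, prefix):
        entry = self.routes.get(prefix)
        if entry is None:
            return "absent"
        if entry.possibly_down:
            return "possibly down"
        return f"up via {entry.next_hop} metric {entry.metric}"


def holddown_scenario():
    """Router A's view of the 10.4.0.0 failure and recovery (constructed times)."""
    table = RipTable()
    results = [
        table.receive("10.4.0.0", 1, "B", 0),            # learned from B, recorded as 2 hops
        table.receive("10.4.0.0", 16, "B", 5),           # triggered update: B poisons the route
        table.receive("10.4.0.0", 2, "E", 20),           # worse metric from another neighbor
        table.receive("10.4.0.0", 1, "B", 2 * UPDATE),   # link is back, but hold-down still runs
        table.receive("10.4.0.0", 1, "B", 7 * UPDATE),   # regular update after the timer expired
    ]
    return results, table.status("10.4.0.0")


def better_path_scenario():
    """A strictly better metric ends the hold-down at once."""
    table = RipTable()
    results = [
        table.receive("10.4.0.0", 3, "B", 0),            # recorded as 4 hops via B
        table.receive("10.4.0.0", 16, "B", 5),           # poisoned: possibly down
        table.receive("10.4.0.0", 1, "D", 10),           # 2 hops via D beats the recorded 4
    ]
    return results, table.status("10.4.0.0")


def timer_scenario():
    """No updates at all: the invalid timer fires, then the flush timer removes the route."""
    table = RipTable()
    table.receive("10.4.0.0", 1, "B", 0)
    ticks = [table.tick(3 * UPDATE), table.tick(INVALID), table.tick(FLUSH)]
    return ticks, table.status("10.4.0.0")
```

In the first scenario the update at 60 seconds, in which B announces the link is back with the same metric as before, is ignored exactly as the convergence example later in this lesson describes: the route changes from possibly down to up only after the hold-down timer has expired.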



Distance Vector Routing Convergence Process
This topic shows an example of the routing convergence process when using a distance vector
routing protocol.


Routers A, D, and E have multiple routes to reach network 10.4.0.0. As soon as router B detects
the failure of network 10.4.0.0, router B removes its route to that network. Router B sends a
triggered update to routers A and D, poisoning the route to network 10.4.0.0 by indicating an
infinite metric to that network.
Routers D and A receive the triggered update and set their own hold-down timers, marking the
10.4.0.0 network as possibly down. Routers D and A, in turn, send a triggered update to router
E, indicating the possible inaccessibility of network 10.4.0.0. Router E also sets the route to
10.4.0.0 in the hold-down state.
Routers A and D send a poison reverse update to router B. The update states that network
10.4.0.0 is inaccessible.
Because router E received a triggered update from routers A and D, router E also sends a
poison reverse update to routers A and D.


Routers A, D, and E remain in hold-down until one of the following occurs:
• The hold-down timer expires.
• An update is received that indicates a new route with a better metric.
• A flush timer removes the route from the routing table.

During the hold-down period, routers A, D, and E assume that the network status is only
possibly down and will attempt to route packets to network 10.4.0.0. The figure illustrates
router E attempting to forward a packet to network 10.4.0.0. This packet will reach router B.
However, because router B has no route to network 10.4.0.0, router B will drop the packet and
send back an Internet Control Message Protocol (ICMP) “network unreachable” message.


When the 10.4.0.0 network link becomes active, router B sends a triggered update to routers A
and D that notifies them. After the hold-down timer expires, routers A and D change the route
to 10.4.0.0 from the possibly down state to the up state.
Routers A and D send router E a routing update stating that network 10.4.0.0 is up. Router E
updates its routing table after the hold-down timer expires.

Routing Information Protocol
This topic describes the features of RIP, and compares RIP version 1 (RIPv1), RIPv2, and
RIPng.

• Hop-count metric selects the path
• Routing updates broadcast every 30 seconds
• Capable of load balancing up to six equal cost paths (default = 4)
• Used in the small enterprise environment and service provider edge

[Figure: RIP best path selection by hop count; link speeds shown as 100 Gb/s and 1 Gb/s]

Over the years, routing protocols have evolved to meet the increasing demands of complex
networks. The first protocol used was RIP, which still enjoys popularity because of its
simplicity and widespread support.
The key characteristics of RIP include the following:
• RIP is a distance vector routing protocol.
• Hop count is used as the metric for path selection.
• The maximum allowable hop count is 15.
• By default, routing updates are broadcast every 30 seconds.
• RIP is capable of load balancing over as many as six equal-cost paths. The default is four
equal-cost paths. Defining the maximum number of parallel paths that are allowed in a
routing table enables RIP load balancing. With RIP, the paths must be equal-cost paths. If
the maximum number of paths is set to one, load balancing is disabled.
• RIP is used in environments with a small number of routers (small enterprise) and as a
routing protocol between service provider and customer (service provider edge).



Feature                                  RIPv1              RIPv2                  RIPng
Subnet mask included in routing update   No (classful)      Yes (classless)        Yes (classless)
Supports variable-length subnet mask     No                 Yes                    Yes
Addressing type                          Broadcast          Multicast              Multicast
                                         255.255.255.255    224.0.0.9              FF02::9
Defined in RFC                           1058               1721, 1722, and 2453   2080
Supports manual route summarization?     No                 Yes                    Yes
Authentication support?                  No                 Yes                    Yes

Updated RIPng features:
• Can carry IPv6 prefixes, next-hop IPv6 link-local address, and next-hop interface
• Uses IPv6 for transport
• Enabled per-interface, not per-network
• Several instances allowed on the router (up to four)


Over the years, RIP has evolved from a classful routing protocol (RIPv1) to a classless routing
protocol (RIPv2). RIPv2 is a standardized routing protocol that works in a mixed vendor router
environment. Routers that are made by different companies can communicate by using RIP. It
is one of the easiest routing protocols to configure, making it a good choice for small networks.
However, RIPv2 still has limitations. Both RIPv1 and RIPv2 have a route metric that is based
only on hop count and is limited to 15 hops.
RIPv2 introduced the following improvements to RIPv1:
• Includes the subnet mask in the routing updates, making it a classless routing protocol
• Has an authentication mechanism to secure routing table updates
• Supports a variable-length subnet mask (VLSM)
• Uses multicast addresses instead of broadcast
• Supports manual route summarization

The core features of RIPng are the same as the features in RIPv2. RIPng remains a distance
vector routing protocol with a maximum radius of 15 hops, and it uses split horizon and poison
reverse to prevent routing loops in the RIPng environment.
RIPng uses native IPv6 packets for transporting routing updates, using a well-known multicast
address and UDP port 521. (RIPv1 and RIPv2 use UDP port 520.) RIPng is not directly
compatible with RIPv2, because RIPng uses a different update message format to be able to
exchange IPv6 routes.
RIPng updates RIP to support IPv6 in these ways:
• IPv6 is used to transport RIPng updates.
• The IPv6 multicast address FF02::9 is used by routers to exchange RIP updates.
• RIPng uses the link-local address of the next-hop interface in its routing table, instead of a
global address.
• RIPng is enabled on a per-interface basis, rather than per-network as in RIPv2.
RIPng is used mostly for labs and small businesses. The restrictions on the maximum network
diameter, the simple metrics (hop count), and the length of time for convergence in any larger
network make it less suitable for large production uses. Still, RIPng is a simple IPv6 routing
protocol for small environments and is excellent for learning about routing operations because
it is simple and straightforward to configure.
RIPng does not need to implement authentication on packets. RIPng relies on standard IPsec
features that are defined for IPv6 to ensure integrity, authentication, and confidentiality of the
routing exchanges.



Configuring Routing Protocols
This topic describes the tasks that are required to enable a dynamic routing protocol on a Cisco
router and how to implement RIP.

• Select routing protocols (RIPv2).
• Specify networks or interfaces.

Cisco IOS (CE1):
router rip
 version 2
 network 10.0.0.0
 network 192.168.101.0
 no auto-summary

Cisco IOS XR (PE1):
router rip
 interface Loopback0
 !
 interface GigabitEthernet0/0/0/0

[Figure: CE1 (Lo0 10.1.10.0/24, Gi0/0 192.168.101.11) connected over RIPv2 to PE1 (Gi0/0/0/0 192.168.101.10, Lo0 10.1.1.0/24)]

RP/0/RSP0/CPU0:PE1#show route rip
Fri Apr 14 23:22:08.242 UTC

R 10.1.10.0/24 [120/1] via 192.168.101.11, 00:05:50, GigabitEthernet0/0/0/0

CE1#show ip route rip
< text omitted >
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
R 10.1.1.0/24 [120/1] via 192.168.101.10, 00:00:19, GigabitEthernet0/0

To enable a dynamic routing protocol, you must complete these steps:
Step 1 Select a routing protocol (for example RIP, EIGRP, IS-IS, or OSPF).
Step 2 Assign IP network numbers or interfaces where the routing protocol will run.
The figure shows Cisco IOS and Cisco IOS XR configuration examples. To enable a dynamic
routing protocol, enter the global configuration mode and use the router command. This
command puts you in the router configuration mode and starts the routing process for the
selected routing protocol.
However, the router still needs to know which local interfaces it should use for communication
with other routers. It also needs to know which locally connected networks that it should
advertise to those routers. To enable routing for a network, use the network command on the
Cisco IOS and IOS XE and the interface command on the Cisco IOS XR. The network
command enables selected routing on all interfaces that belong to a specific network. In Cisco
IOS and IOS XE, by default, the router only sends version 1 updates, but it can receive both
version 1 and version 2 updates. To enable RIPv2 on the Cisco IOS and IOS XE, use the
version 2 command.
Only RIPv2 is enabled by default on Cisco IOS XR. However, you can configure a Cisco IOS XR
router, per interface, to send or receive only version 1 packets, only version 2 packets, or both
versions, by using the send version 1 2 and receive version 1 2 commands.
The Cisco IOS router automatically summarizes subprefixes to the classful network boundary
when crossing classful network boundaries. To disable the autosummary feature on the Cisco
IOS, IOS XE, and IOS XR, use the no auto-summary command.
To see RIP routes in the routing table, use the Cisco IOS and IOS XE show ip route rip
command, and in Cisco IOS XR, the show route rip command.

[Figure: CE1 (Lo0 10.1.10.0/24, Gi0/0 192.168.101.11) and PE1 (Gi0/0/0/0 192.168.101.10, Lo0 10.1.1.0/24); routing table updates every 30 s, next update in 26 s]

RP/0/RSP0/CPU0:PE1#show rip
Sat Apr 15 00:45:13.259 UTC

RIP config:
Active: Yes
Added to socket: Yes
Out-of-memory state: Normal
Version: 2
Default metric: Not set
Maximum paths: 4
Auto summarize: No
Broadcast for V2: No
Packet source validation: Yes
NSF: Disabled
Timers: Update: 30 seconds (26 seconds until next update)
Invalid: 180 seconds
Holddown: 180 seconds
Flush: 240 seconds

The callouts in the figure explain the four timers:
• Update: how often to send updates.
• Invalid: how long to wait for a valid update before considering the route as invalid and
placing the route into the hold-down state.
• Holddown: how long not to believe any equal or worse route updates for routes that are in
holddown (the route remains in the routing table).
• Flush: time since the last valid update until the route is thrown in the trash.

The Cisco IOS XR show rip command displays values about the RIP routing protocol and the
routing protocol timer information that is associated with the router.
In the example, RIP is the routing protocol that is running. Updates are sent every 30 seconds,
so the next update will be sent in 26 seconds. The invalid and hold-down timers are 180 seconds,
and the flush timer is 240 seconds. The flush timer specifies the time after which the
individual routing information is thrown out.
To display the interfaces on which RIP is running, use the Cisco IOS XR show protocols rip
default-context command:
RP/0/RSP0/CPU0:PE1#show protocols rip default-context
Sat Apr 15 00:50:54.530 UTC
Routing Protocol RIP
VRF default is Active
2 interfaces configured, 2 active
4 routes, 3 paths allocated
Timers: Update 30s (next in 27s), Invalid 180s, Holddown 180s, Flush 240s
OOM state is "Normal"
Interface Active IP-Address State Send Recv Nbrs
GigabitEthernet0_0_0_0 Active 192.168.101.10/24 Up 2 2 1
Loopback0 Active 10.1.1.1/24 Up 2 2 0

To see similar output on the Cisco IOS Software, use the show ip protocols command:
CE1#show ip protocols
*** IP Routing is NSF aware ***

Routing Protocol is "rip"


Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Sending updates every 30 seconds, next due in 11 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Redistributing: rip
Default version control: send version 2, receive version 2

Interface Send Recv Triggered RIP Key-chain
GigabitEthernet0/0 2 2
Loopback0 2 2
Automatic network summarization is not in effect
Maximum path: 4
Routing for Networks:
10.0.0.0
192.168.101.0
Routing Information Sources:
Gateway Distance Last Update
192.168.101.10 120 00:00:17
Distance: (default is 120)

Cisco IOS (CE1):
ipv6 unicast-routing
!
interface Loopback0
 ipv6 address FC00:10:1:10::/64 eui-64
 ipv6 enable
 ipv6 rip RIP_lab enable
!
interface GigabitEthernet0/0
 ipv6 enable
 ipv6 rip RIP_lab enable

Cisco IOS XE (PE2):
ipv6 unicast-routing
!
interface Loopback0
 ipv6 address FC00:10:2:1::/64 eui-64
 ipv6 enable
 ipv6 rip RIP_lab enable
!
interface GigabitEthernet0/0/0
 ipv6 enable
 ipv6 rip RIP_lab enable

[Figure: RIPng between CE1 (Lo0 FC00:10:1:10:1::/64, Gi0/0) and PE2 (Lo0 FC00:10:2:1:1::/64, Gi0/0/0)]

PE2#show ipv6 route rip
< text omitted >
R FC00:10:1:10::/64 [120/2]
via FE80::EAB7:48FF:FE2C:A180, GigabitEthernet0/0/0

CE1#show ipv6 route rip
< text omitted >
R FC00:10:2:1::/64 [120/2]
via FE80::EAB7:48FF:FEFB:5800, GigabitEthernet0/0


The Cisco IOS XR does not support RIPng. The figure shows an example of configuring RIPng
on the Cisco IOS and Cisco IOS XE routers.
To start RIPng on the Cisco IOS and IOS XE routers, first enable IPv6 unicast routing with the
ipv6 unicast-routing command. The loopbacks on both routers are configured with the IPv6
address from the private address space FC00::/7.
To exchange IPv6 networks (Loopback 0) between routers, do the following:
• Use the ipv6 enable command to enable IPv6 on the Loopback and Gigabit Ethernet
interfaces.
• Use the ipv6 rip tag enable interface command to start the RIPng protocol on the interface.

Enabling RIPng on an interface without first starting the routing process in the global
configuration mode will result in a dynamically created router RIP process in the configuration.
The tag for the RIPng routing process is an alphanumeric string and must be unique to the
routing process.
The first show ipv6 route rip output shows the RIPng route in the routing table of the Cisco
IOS XR router:
R FC00:10:1:10::/64 [120/2]
via FE80::EAB7:48FF:FE2C:A180, GigabitEthernet0/0/0
The network FC00:10:1:10::/64 is reachable via the neighbor link-local address (the
automatically assigned IPv6 address from network space FE80::/10) and local Gigabit Ethernet
interface.
To see RIPng routes in the IPv6 routing table, use the Cisco IOS and IOS XE show ipv6 route
rip command.
In the Cisco IOS and IOS XE, use other show and debug commands to examine RIPng.
The show ipv6 rip command displays the status of the various RIP processes.
CE1#show ipv6 rip
RIP process "RIP_lab", port 521, multicast-group FF02::9, pid 277

Administrative distance is 120. Maximum paths is 16
Updates every 30 seconds, expire after 180
Holddown lasts 0 seconds, garbage collect after 120
Split horizon is on; poison reverse is off
Default routes are not generated
Periodic updates 100, trigger updates 1
Interfaces:
GigabitEthernet0/0
Loopback0
Redistribution:
None

The show ipv6 rip database command displays the RIP database.
CE1#show ipv6 rip database
RIP process "RIP_lab", local RIB
FC00:10:2:1::/64, metric 2, installed
GigabitEthernet0/0/FE80::EAB7:48FF:FEFB:5800, expires in 154 secs

The debug ipv6 rip command displays RIP packets that are sent and received.
CE1#debug ipv6 rip
RIP Routing Protocol debugging is on
CE1#
*Jul 1 13:51:15.651: RIPng: Sending multicast update on GigabitEthernet0/0
for RIP_lab
*Jul 1 13:51:15.651: src=FE80::EAB7:48FF:FE2C:A180
*Jul 1 13:51:15.651: dst=FF02::9 (GigabitEthernet0/0)
*Jul 1 13:51:15.651: sport=521, dport=521, length=32
*Jul 1 13:51:15.651: command=2, version=1, mbz=0, #rte=1
*Jul 1 13:51:15.651: tag=0, metric=1, prefix=FC00:10:1:10::/64
*Jul 1 13:51:15.651: RIPng: Sending multicast update on Loopback0 for RIP_lab
*Jul 1 13:51:15.651: src=FE80::EAB7:48FF:FE2C:A180
*Jul 1 13:51:15.651: dst=FF02::9 (Loopback0)
*Jul 1 13:51:15.651: sport=521, dport=521, length=52
*Jul 1 13:51:15.651: command=2, version=1, mbz=0, #rte=2
*Jul 1 13:51:15.651: tag=0, metric=1, prefix=FC00:10:1:10::/64
*Jul 1 13:51:15.651: tag=0, metric=2, prefix=FC00:10:2:1::/64
*Jul 1 13:51:15.651: RIPng: Packet waiting
*Jul 1 13:51:15.651: RIPng: Process RIP_lab received own response on
Loopback0
*Jul 1 13:51:19.979: RIPng: Packet waiting
*Jul 1 13:51:19.979: RIPng: response received from FE80::EAB7:48FF:FEFB:5800
on GigabitEthernet0/0 for RIP_lab
*Jul 1 13:51:19.979: src=FE80::EAB7:48FF:FEFB:5800
(GigabitEthernet0/0)
*Jul 1 13:51:19.979: dst=FF02::9
*Jul 1 13:51:19.979: sport=521, dport=521, length=32
*Jul 1 13:51:19.979: command=2, version=1, mbz=0, #rte=1
*Jul 1 13:51:19.979: tag=0, metric=1, prefix=FC00:10:2:1::/64
*Jul 1 13:51:19.979: RIPng: response received from FE80::EAB7:48FF:FEFB:5800
on GigabitEthernet0/0 for RIP_lab
*Jul 1 13:51:19.979: src=FE80::EAB7:48FF:FEFB:5800
(GigabitEthernet0/0)
*Jul 1 13:51:19.979: dst=FF02::9
*Jul 1 13:51:19.979: sport=521, dport=521, length=32
*Jul 1 13:51:19.979: command=2, version=1, mbz=0, #rte=1
*Jul 1 13:51:19.979: tag=0, metric=1, prefix=FC00:10:2:1::/64
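The debug ipv6 rip output above exposes the RIPng message fields (command, version, mbz, #rte, tag, metric, prefix). The following Python code is an added example and is not part of the course material or of Cisco IOS: it builds RIPng response messages in the RFC 2080 layout and parses them strictly, rejecting packets with a bad version, a non-zero must-be-zero field, a truncated entry area, or an out-of-range prefix length or metric. The prefixes and the link-local address used as sample input are taken from the debug output; the "length" it reproduces is the UDP length (8-byte UDP header plus payload), which is why one route table entry gives length=32 and two give length=52 in the debug lines.

```python
import ipaddress
import struct

RIPNG_PORT = 521                   # RIPv1 and RIPv2 use UDP port 520
RIPNG_GROUP = "FF02::9"            # all-RIP-routers multicast group
RESPONSE = 2                       # command 2 = response, as in the debug output
VERSION = 1
INFINITY = 16                      # a metric of 16 means unreachable
NEXT_HOP_MARKER = 0xFF             # RTE that carries a next-hop address instead of a prefix
UDP_HEADER_LEN = 8
HEADER = struct.Struct("!BBH")     # command, version, must be zero
RTE = struct.Struct("!16sHBB")     # IPv6 prefix, route tag, prefix length, metric


class MalformedRipng(ValueError):
    """Raised for packets a careful receiver drops instead of acting on."""


def build_response(routes, next_hop=None):
    """routes: (prefix, tag, metric) triples -> RIPng response payload (no UDP header)."""
    payload = HEADER.pack(RESPONSE, VERSION, 0)
    if next_hop is not None:                       # optional next-hop RTE precedes the prefixes
        payload += RTE.pack(ipaddress.IPv6Address(next_hop).packed, 0, 0, NEXT_HOP_MARKER)
    for prefix, tag, metric in routes:
        net = ipaddress.IPv6Network(prefix)
        payload += RTE.pack(net.network_address.packed, tag, net.prefixlen, metric)
    return payload


def udp_length(payload):
    """The 'length' shown by debug ipv6 rip: UDP header plus RIPng payload."""
    return UDP_HEADER_LEN + len(payload)


def parse_response(payload):
    """Validate and decode a RIPng message -> (command, list of entry dicts)."""
    if len(payload) < HEADER.size:
        raise MalformedRipng("truncated header")
    command, version, mbz = HEADER.unpack_from(payload, 0)
    if version != VERSION:
        raise MalformedRipng(f"unsupported version {version}")
    if mbz != 0:
        raise MalformedRipng("must-be-zero field is not zero")
    body = payload[HEADER.size:]
    if len(body) % RTE.size:
        raise MalformedRipng("RTE area is not a multiple of 20 bytes")
    entries = []
    for offset in range(0, len(body), RTE.size):
        raw, tag, plen, metric = RTE.unpack_from(body, offset)
        addr = ipaddress.IPv6Address(raw)
        if metric == NEXT_HOP_MARKER:              # next-hop RTE: address, no prefix/metric
            entries.append({"next_hop": str(addr)})
            continue
        if plen > 128:
            raise MalformedRipng(f"prefix length {plen} out of range")
        if not 1 <= metric <= INFINITY:
            raise MalformedRipng(f"metric {metric} out of range")
        net = ipaddress.IPv6Network((addr, plen), strict=False)
        entries.append({"prefix": str(net), "tag": tag, "metric": metric,
                        "reachable": metric < INFINITY})
    return command, entries


def describe(payload):
    """Parsed entries for a good packet, or the reason a bad one was dropped."""
    try:
        return parse_response(payload)[1]
    except MalformedRipng as exc:
        return f"dropped: {exc}"


if __name__ == "__main__":
    msg = build_response([("FC00:10:1:10::/64", 0, 1), ("FC00:10:2:1::/64", 0, 2)])
    print(f"length={udp_length(msg)}  #rte={len(describe(msg))}")
    for entry in describe(msg):
        print(entry)
```

Checking the must-be-zero field, the entry-area length and the metric range before installing anything is what keeps a receiver from acting on a truncated or corrupted update; a metric of 16 is decoded as a valid but unreachable (poisoned) route rather than rejected.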

Summary
This topic summarizes the key points that were discussed in this lesson.

• Basic operation of routing is to learn how to forward packets to non-local networks.
• Static routes are manually configured. Dynamic routes are learned and
automatically adjusted by routing protocols.
• Static routes are configured under router static in IOS XR.
• Default route can also be configured as a static route.
• Only link local addresses are used as next hops with dynamic routing
protocols in IPv6.
• Dynamic routing protocols discover remote networks, maintain up-to-
date routing information, and select the best path to destination
networks.
• Autonomous system is a domain under one autonomous administration.
• Routing protocols are broadly divided in two groups: link state and
distance vector.


• Whenever there is a change in network topology this information is propagated by routing protocols.
• Without special mechanisms routing can result in inconsistencies which
can be detrimental to performance.
• Slow convergence can produce inconsistent routing.
• Routing loops cause performance degradation, but are not deadly like
switching loops.
• IPv6 header is larger, but has fewer fields and requires less processing.
• Split horizon prevents sending routing information back to the source.
• Route poisoning and poison reverse worsen the metric of unreachable
routes.
• Hold-down timers ignore any additional changes until timer expires after
route goes down.
• Triggered updates reduce convergence time by announcing changes as
soon as they occur.
• Example of the routing convergence process when using a distance
vector routing protocol is shown.
• RIPv2 is a classless routing protocol that supports VLSM, manual route
summarization, and authentication. RIPng has been enhanced for IPv6.
• To enable a dynamic routing protocol, select a routing protocol and
specify networks or interfaces.


Routers can forward packets over static or dynamic routes, based on the router configuration.
Static routes are routes that a network administrator manually enters into the router.
Dynamically learned routes from a routing protocol adjust automatically for topology or traffic
changes.
Dynamic routing requires administrators to configure either a distance vector or link-state
routing protocol. To prevent routing loops, distance vector routing protocols incorporate
solutions such as split horizon, route poisoning, and hold-down timers.
RIP is a distance vector routing protocol that uses hop count as the metric for route selection
and broadcasts updates every 30 seconds. RIPv1 is a classful routing protocol, and RIPv2 is a
classless routing protocol. RIPv2 supports VLSM, manual route summarization, and
authentication, while RIPv1 does not support these features. RIPng for IPv6 retains the key
features of RIPv2 for IPv4, including support for split horizon and poison reverse to prevent
routing loops. RIPng has been enhanced for IPv6 by using a multicast address of a RIP router
for routing updates and link-local addresses for the next-hop interface.
To enable a dynamic routing protocol, first a routing process for the routing protocol is enabled
and then IP network numbers or interfaces are specified under the routing protocol process. The
router command starts the routing process. The network or interface commands allow the
routing process to determine which interfaces will participate in sending and receiving the
routing updates. RIPng is configured per-interface on Cisco IOS and IOS XE routers and
requires a unique route tag to identify the RIPng routing process. RIPng is not supported on
Cisco IOS XR.

3-76 Building Cisco Service Provider Next Generation Networks, Part 1 (SPNGN1) v1.01 © 2012 Cisco Systems, Inc.
Lesson 4

Configuring EIGRP
Overview
Enhanced Interior Gateway Routing Protocol (EIGRP) is an advanced distance vector routing
protocol that was developed by Cisco. EIGRP is suited for many different topologies and
media. In a well-designed network, EIGRP scales well and provides extremely quick
convergence times with minimal overhead. EIGRP is a popular choice for a routing protocol on
Cisco devices. This lesson describes how to configure and monitor EIGRP.

Objectives
Upon completing this lesson, you will be able to describe the operation and configuration of
EIGRP, including load balancing and authentication. You will be able to meet these objectives:
• Describe features of EIGRP
• Describe the EIGRP tables
• Describe how EIGRP calculates the best path to each destination
• Describe the EIGRP metric
• Configure EIGRP
• Describe EIGRP autosummarization, how to configure EIGRP auto-summary, and how to
verify EIGRP operations
• Configure EIGRP to support the IPv6 protocol
• Configure load balancing with EIGRP
• Configure MD5 authentication with EIGRP
EIGRP Introduction
This topic describes features of EIGRP.

• Advanced distance vector
• Rapid convergence
• 100% loop-free classless routing
• Easy configuration
• Incremental partial bounded updates
• Load balancing across equal- and unequal-cost pathways
• Flexible network design
• Support for multiple network-layer protocols
• Multicast and unicast instead of broadcast address
• Support for VLSM and discontiguous subnets
• Manual summarization at any point in the internetwork


EIGRP is a Cisco proprietary routing protocol that combines the advantages of link-state and
distance vector routing protocols. EIGRP may act like a link-state routing protocol as it uses a
Hello protocol to discover neighbors and form neighbor relationships and only partial updates
are sent when a change occurs. However, it is still based on the key distance vector routing
protocol principle that information about the rest of the network is learned from directly
connected neighbors. EIGRP is an advanced distance vector or hybrid routing protocol that
includes these features:
• Rapid convergence: EIGRP uses the Diffusing Update Algorithm (DUAL) to achieve
rapid convergence. As the computational engine that runs EIGRP, DUAL resides at the
center of the routing protocol, guaranteeing loop-free paths and backup paths throughout
the routing domain. A router that is using EIGRP stores all available backup routes for
destinations so that it can quickly adapt to alternate routes. If the primary route in the
routing table fails, the best backup route is immediately added to the routing table. If no
appropriate route or backup route exists in the local routing table, EIGRP queries its
neighbors to discover an alternate route.
• Reduced bandwidth usage: EIGRP uses the terms “partial” and “bounded” when referring
to its updates. EIGRP does not make periodic updates. The term “partial” means that the
update only includes information about the route changes. EIGRP sends these incremental
updates when the state of a destination changes, instead of sending the entire contents of
the routing table. The term “bounded” refers to the propagation of partial updates that are
sent only to those routers that the changes affect. By sending only the routing information
that is needed and only to those routers that need it, EIGRP minimizes the bandwidth that is
required to send EIGRP updates.

• Multiple network layer support: EIGRP supports AppleTalk, IPv4, IPv6, and Novell
Internetwork Packet Exchange (IPX), all of which use protocol-dependent modules
(PDMs). PDMs are responsible for protocol requirements that are specific to the network
layer.
• Classless routing: Because EIGRP is a classless routing protocol, it advertises a routing
mask for each destination network. The routing mask feature enables EIGRP to support
discontiguous subnetworks and variable-length subnet masks (VLSMs).
• Less overhead: EIGRP uses multicast and unicast rather than broadcast. Multicast EIGRP
packets use the reserved multicast address of 224.0.0.10 or FF02::A. As a result, end
stations are unaffected by routing updates and requests for topology information.
• Load balancing: EIGRP supports unequal metric load balancing as well as equal metric
load balancing, which allows administrators to better distribute traffic flow in their
networks.
• Easy summarization: EIGRP allows administrators to create summary routes anywhere
within the network rather than rely on the traditional distance vector approach of
performing classful route summarization only at major network boundaries. In OSPF, route
summarization can only be configured at specific points in the network—at the ABR or the
ASBR.

The term “hybrid routing protocol” is sometimes used to define EIGRP. However, this term is
misleading because EIGRP is not a hybrid between distance vector and link-state routing
protocols. It is in essence a distance vector routing protocol. Therefore, Cisco no longer uses
the term “hybrid” to refer to EIGRP.



EIGRP Tables
This topic describes the EIGRP tables.

EIGRP neighbor table: List of directly connected routers running EIGRP.

Next-Hop Router   Interface
Router A          Gi 0/0/0
Router B          Gi 0/0/1

EIGRP topology table: List of all routes learned from each EIGRP neighbor.

Network       Feasible Distance   Advertised Distance   EIGRP Neighbor
10.1.1.0/24   2000                1000                  Router A
10.1.1.0/24   2500                1500                  Router B

Routing table: List of all best routes from the EIGRP topology table and the other
routing processes.

Network       Metric   Outbound Interface   Next-Hop
10.1.1.0/24   2000     Gi 0/0/0             Router A

Feasible distance = advertised distance + metric to neighbor

(Figure callouts: the metric from this router to each neighbor is 1000; the advertised
distance is also called the reported distance; a neighbor routing table entry is shown
with protocol EIGRP, destination Network X, metric 2000.)


Each EIGRP router maintains a neighbor table. This table includes a list of directly connected
EIGRP routers that have an adjacency with this router. Neighbor relationships are used to track
the status of these neighbors. EIGRP uses a lightweight Hello protocol to monitor connection
status with its neighbors.
Each EIGRP router maintains a topology table for each routed protocol configuration. The
topology table includes route entries for every destination that the router learns from its directly
connected EIGRP neighbors. EIGRP chooses the best routes to a destination from the topology
table and places these routes in the routing table.
To determine the best route (successor) and any backup routes (feasible successors) to a
destination, EIGRP uses the following two parameters:
• Advertised distance (AD): The EIGRP metric for an EIGRP neighbor to reach a particular
network. It is also sometimes referred to as the reported distance.
• Feasible distance (FD): The advertised distance for a particular network that is learned
from an EIGRP neighbor plus the EIGRP metric to reach that neighbor. This sum provides
an end-to-end metric from a router to that remote network.

A router compares all feasible distances to reach a specific network and then selects the lowest
feasible distance and places it in the routing table. The feasible distance for the chosen route
becomes the EIGRP routing metric to reach that network in the routing table.

Path Calculation
This topic describes how EIGRP calculates the best path to each destination.

(Figure: router C reaches router A over Gi 0/0/0 and router B over Gi 0/0/1, with a
metric of 1000 to each neighbor. Router A reaches 10.1.1.0/24 with metric 1000; router B
reaches it with metric 1500.)

EIGRP neighbor table
Next-Hop Router   Interface
Router A          Gi 0/0/0
Router B          Gi 0/0/1

EIGRP topology table
                     Network       Feasible Distance   Advertised Distance   EIGRP Neighbor
Successor            10.1.1.0/24   2000                1000                  Router A
Feasible successor   10.1.1.0/24   2500                1500                  Router B

Routing table
Network       Metric   Outbound Interface   Next-Hop
10.1.1.0/24   2000     Gi 0/0/0             Router A


The EIGRP topology database contains all of the routes that are known to each EIGRP
neighbor. As shown in the example, routers A and B sent their routing tables to router C, whose
table is displayed. Both routers A and B have routes to network 10.1.1.0/24, as well as to other
networks that are not shown.
Router C has two entries to reach 10.1.1.0/24 in its topology table. The EIGRP metric for router
C to reach both routers A and B is 1000. Add this metric (1000) to the respective advertised
distance for each router, and the results represent the feasible distances that router C must travel
to reach network 10.1.1.0/24.
Router C chooses the least feasible distance (2000) and installs it in the IP routing table as the
best route to reach 10.1.1.0/24. The route with the least feasible distance that is installed in the
routing table is called the “successor route.”
Router C then chooses a backup route to the successor called a “feasible successor route” if one
or more feasible successor routes exist. To become a feasible successor, a route must satisfy
this feasibility condition: A next-hop router must have an advertised distance that is less than
the feasible distance of the current successor route. (Hence, the route is tagged as a feasible
successor). This rule is used to ensure that the network is loop-free.
If the route via the successor becomes invalid, possibly because of a topology change, or if a
neighbor changes the metric, DUAL checks for feasible successors to the destination route. If
one is found, DUAL uses it, avoiding the need to recompute the route. A route will change
from a passive state to an active state if no feasible successor exists and a recomputation must
occur to determine the new successor.
In this example, values for the EIGRP metric and for feasible and advertised distances are
optimized for explanation purposes. The real metric values are much larger.



Metric
This topic describes the EIGRP metric.

• The criteria that EIGRP uses by default to calculate its metric:
- Bandwidth (minimum along path)
- Delay (cumulative along path)
• Inputs for a route to 10.1.1.0/24 received from a neighbor over a link with Link_BW and
Link_delay:
- Advertised_BW [kilobits]
- Advertised_delay [tens of microseconds]
BW = 10^7 / min(Advertised_BW, Link_BW)
Delay = sum(Advertised_delay, Link_delay)
metric = (BW + delay) * 256
• The optional criteria that EIGRP can be configured to use when calculating its metric
(not recommended):
- Reliability (worst along path)
- Load (worst along path)
• Metric calculation method (K values) as well as AS number must match.

The EIGRP metric can be based on several criteria, but EIGRP uses only two of these criteria
by default:
• Bandwidth: The smallest bandwidth of all outgoing interfaces between source and
destination in kilobits
• Delay: The cumulative (sum) of all interface delay along the path in tens of microseconds
The following criteria can be used but are not recommended, because they typically result in
frequent recalculation of the topology table:
• Reliability: This value represents the worst reliability between the source and destination,
based on keepalives.
• Load: This value represents the worst load on a link between the source and destination,
computed based on the packet rate and the configured bandwidth of the interface.

The composite metric formula is used by EIGRP to calculate metric value. The formula
consists of values K1 through K5, known as EIGRP metric weights. By default, K1 and K3 are
set to 1, and K2, K4, and K5 are set to 0. The result is that only the bandwidth and delay values
are used in the computation of the default composite metric. Metric calculation method (K
values) as well as the EIGRP AS number must match between EIGRP neighbors.
Although a maximum transmission unit (MTU) is exchanged in EIGRP packets between
neighbor routers, MTU is not factored into the EIGRP metric calculation.
EIGRP uses scaled values to determine the total metric:
256 * ((K1 * bandwidth) + (K2 * bandwidth) / (256 – Load) + K3 * Delay) * (K5 / (Reliability + K4))
If K5 = 0, the (K5 / (Reliability + K4)) factor is not used (that is, it equals 1). Using the
default K values, the metric calculation simplifies to 256 * (bandwidth + delay).
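The following is an added example, not code from the Cisco guide, that carries the composite
metric formula above through in Python. The Loopback0 values it uses (bandwidth 8,000,000
kbps, delay 5000 microseconds) are the Cisco loopback defaults. The GigabitEthernet link
values (1 Gbps with 1000 microseconds of delay on the CE1 side, 10 Gbps with the same delay
on the PE1 side) are constructed assumptions chosen so that the result reproduces the
156160, 153856, and 128256 metrics that appear in this lesson's show output; they are not
values read from the routers.

```python
# Added example (not from the SPNGN1 guide): the EIGRP composite metric, carried
# through with the formula given in this lesson. All interface values are
# constructed inputs; only the resulting metrics are compared with the guide's
# show output (128256, 156160, 153856).

LOOPBACK_BW_KBPS = 8_000_000   # Cisco loopback default bandwidth (kbps)
LOOPBACK_DELAY_US = 5000       # Cisco loopback default delay (microseconds)


def scaled_bandwidth(min_bandwidth_kbps):
    """BW term: 10^7 divided by the smallest bandwidth on the path, truncated."""
    return 10_000_000 // min_bandwidth_kbps


def composite_metric(min_bandwidth_kbps, delay_tens_us, k1=1, k2=0, k3=1, k4=0,
                     k5=0, load=1, reliability=255):
    """256 * ((K1*BW + K2*BW/(256-Load) + K3*Delay) * (K5/(Reliability+K4))).

    delay_tens_us is the cumulative path delay in tens of microseconds.
    When K5 == 0 the reliability factor is not used (it counts as 1).
    """
    bw = scaled_bandwidth(min_bandwidth_kbps)
    base = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay_tens_us
    if k5 != 0:
        base = base * k5 // (reliability + k4)
    return 256 * base


def path_metric(interfaces, **k_values):
    """Metric for a path made of (bandwidth_kbps, delay_us) interfaces.

    EIGRP keeps the minimum bandwidth and sums the delays along the path, so
    the order of the interfaces does not matter, only which ones the path uses.
    """
    min_bw = min(bw for bw, _ in interfaces)
    delay_tens = sum(delay_us // 10 for _, delay_us in interfaces)
    return composite_metric(min_bw, delay_tens, **k_values)


def advertised_plus_link(advertised_bw_kbps, advertised_delay_tens_us,
                         link_bw_kbps, link_delay_tens_us):
    """The per-hop step from the lesson's figure: combine what the neighbor
    advertised with the local link, then apply (BW + delay) * 256."""
    bw = scaled_bandwidth(min(advertised_bw_kbps, link_bw_kbps))
    delay = advertised_delay_tens_us + link_delay_tens_us
    return (bw + delay) * 256


# Constructed link parameters (assumptions, not read from the routers).
CE1_GI_LINK = (1_000_000, 1000)    # CE1 Gi0/0: 1 Gbps, 1000 us delay
PE1_GI_LINK = (10_000_000, 1000)   # PE1 Gi0/0/0/0: 10 Gbps, 1000 us delay
LOOPBACK = (LOOPBACK_BW_KBPS, LOOPBACK_DELAY_US)


def lesson_metrics():
    """Metrics that correspond to the three numbers in the lesson's output."""
    return {
        "connected loopback": path_metric([LOOPBACK]),                 # 128256
        "CE1 -> 10.1.1.0/24": path_metric([CE1_GI_LINK, LOOPBACK]),   # 156160
        "PE1 -> 10.1.10.0/24": path_metric([PE1_GI_LINK, LOOPBACK]),  # 153856
    }


if __name__ == "__main__":
    for name, metric in lesson_metrics().items():
        print(f"{name:22s} {metric}")
```

The connected loopback comes out to 128256 because 10^7 / 8,000,000 truncates to 1 and 5000
microseconds is 500 tens. The two routers see different metrics for the same kind of path
only because the minimum-bandwidth term differs under these assumed link settings; the delay
sum (100 + 500) is the same on both sides.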

EIGRP Configuration
This topic describes how to configure EIGRP.

• Enable the EIGRP routing process for AS 100 (range 1 to 65535).
• Specify networks or interfaces.

Cisco IOS and IOS XE (CE1):
router eigrp 100
 network 10.1.10.0 0.0.0.255
 network 192.168.101.0

Cisco IOS XR (PE1):
router eigrp 100
 address-family ipv4
  interface Loopback0
  !
  interface GigabitEthernet0/0/0/0

(Figure: EIGRP AS 100. CE1 has Lo 0 in 10.1.10.0/24 and Gi 0/0 with address 192.168.101.11;
PE1 has Gi 0/0/0/0 with address 192.168.101.10 and Lo 0 in 10.1.1.0/24.)

RP/0/RSP0/CPU0:PE1#show route eigrp
Tue Apr 18 03:45:59.044 UTC

D    10.1.10.0/24 [90/153856] via 192.168.101.11, 00:06:58, GigabitEthernet0/0/0/0

CE1#show ip route eigrp
< text omitted >
      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
D        10.1.1.0/24
           [90/156160] via 192.168.101.10, 00:06:07, GigabitEthernet0/0


The Cisco IOS, IOS XE, and IOS XR router eigrp command enables EIGRP. Use the Cisco IOS
and IOS XE network command and the Cisco IOS XR interface command to enable EIGRP on
the attached interfaces. In Cisco IOS XR, first enter address-family ipv4 or ipv6; then
enable EIGRP on the appropriate interface. Note that EIGRP requires an autonomous system
(AS) number. The AS parameter is a number between 1 and 65,535 that is chosen by the
network administrator. The AS number does not have to be registered. Although EIGRP refers
to the parameter as an "autonomous-system (AS)" number, it actually functions as a process ID.
The AS number in EIGRP must match on all routers that are involved in the same EIGRP
process.
The network command defines a major network number to which the router is directly
connected. Any interface on this router that matches the network address in the network
command will be enabled to send and receive EIGRP updates. The EIGRP routing process
looks for interfaces that have an IP address that belongs to the networks that are specified with
the network command. The EIGRP process begins on these interfaces.
In the example, EIGRP is enabled on interfaces in networks 10.1.10.0/24, 10.1.1.0/24, and
192.168.101.0/24. To configure EIGRP to advertise specific subnets only in Cisco IOS and
IOS XE, use the wildcard-mask option with the network command. Think of the wildcard
mask as the inverse of a subnet mask. The inverse of subnet mask 255.255.255.0 is 0.0.0.255.
To advertise the 10.1.10.0/24 subnet, use the Cisco IOS and IOS XE network 10.1.10.0
0.0.0.255 command.



When EIGRP is configured on both routers, DUAL sends a notification message to the console
stating that a neighbor relationship with another EIGRP router has been established. This new
adjacency happens automatically because both routers are using the same autonomous system
(100). The following output is displayed by default on the Cisco IOS and IOS XE routers:
*Jul 4 12:09:02.782: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100:
Neighbor 192.168.101.10 (GigabitEthernet0/0) is up: new
adjacency
On the Cisco IOS XR router, to see neighbor change messages, enable the log-neighbor-
changes command in the EIGRP routing process, as shown here:
router eigrp 100
address-family ipv4
log-neighbor-changes
You will see this output on the Cisco IOS XR router when EIGRP adjacency comes up:
RP/0/RSP0/CPU0:Apr 18 04:04:43.139 : eigrp[1022]: %ROUTING-
EIGRP-5-NBRCHANGE : default-v4 100: Neighbor 192.168.101.11
(GigabitEthernet0/0/0/0) is up: new adjacency
The Cisco IOS and IOS XE show ip route eigrp and Cisco IOS XR show route eigrp
commands display the current EIGRP entries in the routing table.

Autosummarization
This topic describes EIGRP autosummarization, how to configure EIGRP auto-summary and
how to verify EIGRP operations.

• EIGRP autosummarization is disabled (discontiguous networks supported):
- Cisco IOS 15.0(1)M, 12.2(33)SRE, 12.2(33)XNE, Cisco IOS XE 2.5, Cisco IOS
12.2(33)SXI4, and later releases
• The auto-summary command enables EIGRP autosummarization.

Cisco IOS and IOS XE (CE1):
router eigrp 100
 auto-summary

Cisco IOS XR (PE1):
router eigrp 100
 address-family ipv4
  auto-summary

(Figure: EIGRP AS 100. CE1 has Lo 0 in 10.1.10.0/24 and Gi 0/0 with address 192.168.101.11;
PE1 has Gi 0/0/0/0 with address 192.168.101.10 and Lo 0 in 10.1.1.0/24. Route advertised by
CE1 by default: 10.1.10.0/24; with autosummarization enabled: 10.0.0.0/8.)

RP/0/RSP0/CPU0:PE1#show protocols eigrp | include Auto
Tue Apr 18 05:03:01.245 UTC
  Auto summarization, Logging neighbor changes

CE1#show ip protocols | include Auto
  Automatic Summarization: enabled


Older Cisco IOS releases have EIGRP autosummarization enabled by default. The software
does not send a subnet mask with routing information across classful network boundaries.
Cisco IOS Release 15.0(1)M, 12.2(33)SRE, 12.2(33)XNE, Cisco IOS XE Release 2.5, Cisco IOS
Release 12.2(33)SXI4, and later releases have EIGRP autosummarization disabled by default.
In Cisco IOS XR, autosummarization is also disabled by default.
When EIGRP automatically summarizes routes at the classful boundary, you may not want
automatic summarization to occur. For example, if you have discontiguous networks, you need
to disable automatic summarization to minimize router confusion. To disable automatic
summarization, use the no auto-summary command in the EIGRP router configuration mode.
When EIGRP autosummarization is disabled, you can enable it again with the auto-summary
command.
DUAL takes down all neighbor adjacencies and then reestablishes them so that the effect of the
auto-summary command can be fully realized. All EIGRP neighbors will immediately send
out a new round of updates that will be summarized automatically.
The figure shows that automatic summarization has been enabled with the auto-summary
command on all routers (Cisco IOS, IOS XE, and Cisco IOS XR).



The Cisco IOS and IOS XE show ip protocols or the Cisco IOS XR show protocols
commands display the parameters and current state of the active routing protocol process. This
output is taken from the Cisco IOS router:
CE1#show ip protocols
*** IP Routing is NSF aware ***

Routing Protocol is "eigrp 100"


Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Default networks flagged in outgoing updates
Default networks accepted from incoming updates
Redistributing: eigrp 100
EIGRP-IPv4 Protocol for AS(100)
Metric weight K1=1, K2=0, K3=1, K4=0, K5=0
NSF-aware route hold timer is 240
Router-ID: 10.1.10.1
Topology : 0 (base)
Active Timer: 3 min
Distance: internal 90 external 170
Maximum path: 4
Maximum hopcount 100
Maximum metric variance 1

Automatic Summarization: enabled


192.168.101.0/24 for Lo0
10.0.0.0/8 for Gi0/0
Summarizing with metric 128256
Maximum path: 4
Routing for Networks:
10.1.10.0/24
192.168.101.0
Routing Information Sources:
Gateway Distance Last Update
(this router) 90 00:00:15
192.168.101.10 90 00:00:15
Distance: internal 90 external 170
This output is taken from Cisco IOS XR router:
RP/0/RSP0/CPU0:PE1#show protocols eigrp
Tue Apr 18 04:57:00.240 UTC

Routing Protocol: EIGRP, instance 100


Default context AS: 100, Router ID: 10.1.1.1
Address Family: IPv4
Auto summarization, Logging neighbor changes
Default networks not flagged in outgoing updates
Default networks not accepted from incoming updates
Distance: internal 90, external 170
Maximum paths: 4

EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
EIGRP maximum hopcount 100
EIGRP maximum metric variance 1
EIGRP NSF: enabled
NSF-aware route hold timer is 240s
NSF signal timer is 20s
NSF converge timer is 120s
Time since last restart is 01:18:20
SIA Active timer is 180s
Interfaces:
GigabitEthernet0/0/0/0
Loopback0



(Figure: EIGRP AS 100. CE1 has Lo 0 in 10.1.10.0/24 and Gi 0/0 with address 192.168.101.11;
PE1 has Gi 0/0/0/0 with address 192.168.101.10 and Lo 0 in 10.1.1.0/24.)

EIGRP interfaces:
RP/0/RSP0/CPU0:PE1#show eigrp interfaces
IPv4-EIGRP interfaces for AS(100)
                        Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Gi0/0/0/0          1        0/0        1       0/10          50           0
Lo0                0        0/0        0     640/640          0           0

Neighbor table:
RP/0/RSP0/CPU0:PE1#show eigrp neighbors
IPv4-EIGRP neighbors for AS(100) vrf default
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   192.168.101.11          Gi0/0/0/0         13 01:04:00    1   200  0  32

Topology table:
RP/0/RSP0/CPU0:PE1#show eigrp topology
IPv4-EIGRP Topology Table for AS(100)/ID(10.1.1.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status
P 10.1.10.0/24, 1 successors, FD is 153856
        via 192.168.101.11 (153856/128256), GigabitEthernet0/0/0/0
P 10.1.1.0/24, 1 successors, FD is 128256
        via Connected, Loopback0
P 192.168.101.0/24, 1 successors, FD is 25856
        via Connected, GigabitEthernet0/0/0/0

Use the Cisco IOS XR show eigrp interfaces command to determine on which interfaces
EIGRP is active and to learn information about EIGRP that relates to those interfaces. To
examine similar information on Cisco IOS and IOS XE routers, use the show ip eigrp
interfaces command. The significant fields for the command output are described in the
table.
Significant Fields in the show eigrp interfaces Command Output
Field                     Description
Interface                 Interface over which EIGRP is configured
Peers                     Number of directly connected EIGRP neighbors on the interface
Xmit Queue Un/Reliable    Number of packets remaining in the Unreliable and Reliable queues
Mean SRTT                 Average smoothed round-trip time (SRTT) interval (in milliseconds)
                          for all neighbors on the interface
Pacing Time Un/Reliable   Number of milliseconds to wait after transmitting unreliable and
                          reliable packets
Multicast Flow Timer      Number of milliseconds to wait for acknowledgment of a multicast
                          packet by all neighbors before transmitting the next multicast packet
Pending Routes            Number of routes in the packets in the transmit queue waiting to be
                          sent

Use the Cisco IOS XR show eigrp neighbors command to display the neighbors that EIGRP
discovered and to determine when neighbors become active and inactive. The command is also
useful for debugging certain types of EIGRP neighbor relationship problems. To examine
similar information on Cisco IOS and IOS XE routers, use the show ip eigrp neighbors
command. The significant fields for the command output are described in the table.

Significant Fields in the show eigrp neighbors Command Output
Field         Description
Process 100   Process number that is specified with the router command
Address       IP address of the EIGRP peer
Interface     Interface on which the router is receiving hello packets from the peer
Holdtime      Length of time (in seconds) that Cisco IOS Software waits to hear from the
              peer before declaring it down. If the peer is using the default holdtime,
              this number is less than 15. If the peer configures a nondefault holdtime,
              the nondefault holdtime is displayed.
Uptime        Elapsed time (in hours:minutes:seconds) since the local router first heard
              from this neighbor
SRTT          The number of milliseconds that is required for an EIGRP packet to be sent
              to this neighbor and for the local router to receive an acknowledgment of
              that packet
RTO           Retransmission timeout (RTO), in milliseconds. This value is the amount of
              time the software waits before resending a packet from the retransmission
              queue to a neighbor.
Q Count       Number of EIGRP packets (update, query, and reply) that the software is
              waiting to send
Seq Num       Sequence number of the last update, query, or reply packet that was
              received from this neighbor.

The Cisco IOS XR show eigrp topology command displays the EIGRP topology table, the
active or passive state of routes, the number of successors, and the feasible distance to the
destination. To examine similar information on Cisco IOS and IOS XE routers, use the show ip
eigrp topology command. The significant fields for the command output are described in the
table.
Significant Fields in the show eigrp topology Command Output
Field              Description
Codes              The state of this topology table entry. Passive and Active refer to the
                   EIGRP state with respect to this destination; Update, Query, and Reply
                   refer to the type of packet that is being sent.
P - Passive        Indicates that no EIGRP computations are being performed for this
                   destination
A - Active         Indicates that EIGRP computations are being performed for this
                   destination
U - Update         Indicates that an update packet was sent to this destination
Q - Query          Indicates that a query packet was sent to this destination
R - Reply          Indicates that a reply packet was sent to this destination
r - Reply Status   A flag that is set after the software has sent a query and is waiting
                   for a reply
10.1.10.0          Destination IP network number
/24                Destination subnet mask
Successors         Number of successors. This number corresponds to the number of next
                   hops in the IP routing table. If "successors" is capitalized, then the
                   route or next hop is in a transition state.



Field                    Description
FD                       The feasible distance is the best metric to reach the destination or
                         the best metric that was known when the route went active. This
                         value is used in the feasibility condition check. If the reported
                         distance of the router (the metric after the slash) is less than the
                         feasible distance, the feasibility condition is met and that path is
                         a feasible successor. After the software determines that it has a
                         feasible successor, it does not need to send a query for that
                         destination.
Replies                  The number of replies that are still outstanding (have not been
                         received) with respect to this destination. This information appears
                         only when the destination is in active state.
State                    The exact EIGRP state that this destination is in. It can be the
                         number 0, 1, 2, or 3. This information appears only when the
                         destination is in the active state.
Via                      The IP address of the peer that told the software about this
                         destination. The first n of these entries, where n is the number of
                         successors, is the current successor. The remaining entries on the
                         list are feasible successors.
(153856/128256)          The first number is the EIGRP metric that represents the cost, or
                         feasible distance to the destination. The second number is the
                         EIGRP metric that this peer advertised.
GigabitEthernet0/0/0/0   The interface from which this information was learned

You can also use the Cisco IOS XR show eigrp topology all-links and the Cisco IOS and IOS
XE show ip eigrp topology all-links command options to show the entire EIGRP topology
table, which includes successor, feasible successor, and nonsuccessor routes.

IPv6 Support for EIGRP
This topic describes how to configure EIGRP to support the IPv6 protocol.

Cisco IOS and IOS XE (CE1):
ipv6 unicast-routing
!
interface Loopback0
 ipv6 enable
 ipv6 eigrp 100
!
interface GigabitEthernet0/0
 ipv6 enable
 ipv6 eigrp 100
!
ipv6 router eigrp 100
 no shutdown          (required before Cisco IOS 15.0)

Cisco IOS XR (PE1):
interface Loopback0
 ipv6 enable
!
interface GigabitEthernet0/0/0/0
 ipv6 enable
!
router eigrp 100
 address-family ipv6
  log-neighbor-changes
  interface Loopback0
  !
  interface GigabitEthernet0/0/0/0

(Figure: EIGRP AS 100. CE1 has Lo 0 2001:DB8:10:1:10::1/80 and Gi 0/0; PE1 has Gi 0/0/0/0
and Lo 0 2001:DB8:10:1:1::1/80.)

RP/0/RSP0/CPU0:PE1#show route ipv6 eigrp
Wed Apr 19 02:17:02.821 UTC

D    2001:db8:10:1:10::/80
      [90/153856] via fe80::eab7:48ff:fe2c:a180, 01:15:36, GigabitEthernet0/0/0/0

CE1#show ipv6 route eigrp
< text omitted >
D   2001:DB8:10:1:1::/80 [90/156160]
     via FE80::4255:39FF:FE2E:C420, GigabitEthernet0/0

The figure shows an EIGRP configuration to support the IPv6 protocol. To enable IPv6 support
for EIGRP on a Cisco IOS XR router, first enable IPv6 on the interfaces by using the ipv6
enable command. Then, in the router configuration mode, enter the address family for IPv6 by
using the address-family ipv6 command. Then, to enable EIGRP, use the interface command
to specify the interfaces.
In Cisco IOS and IOS XE routers, IPv6 support for EIGRP is enabled under the interface mode
by using the ipv6 enable and ipv6 eigrp commands. On Cisco IOS, IOS XE, and IOS XR
routers, EIGRP for IPv6 is enabled on an interface basis rather than a network basis.
On Cisco IOS and IOS XE, to enable IPv6 routing globally on the router, use the ipv6 unicast-
routing command.
Older versions of Cisco IOS Software (before Release 15.0) have the shutdown feature for IPv6
EIGRP enabled by default. This means that EIGRP for IPv6 will not start until the administrator
enables it by using the no shutdown command:
ipv6 router eigrp 100
 no shutdown



Routers will establish EIGRP adjacency over link-local IPv6 addresses. Verify IPv6 EIGRP
operation by using the show eigrp 100 ipv6 interfaces, show eigrp 100 ipv6 neighbors, and
show eigrp 100 ipv6 topology Cisco IOS XR commands:
• show eigrp 100 ipv6 interfaces: Displays the IPv6 EIGRP-enabled interfaces.
RP/0/RSP0/CPU0:PE1#show eigrp 100 ipv6 interfaces
IPv6-EIGRP interfaces for AS(100)
                        Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Gi0/0/0/0          1        0/0        2       0/10           0           0
Lo0                0        0/0        0       0/10           0           0
• show eigrp 100 ipv6 neighbors: Displays the IPv6 neighbors that are discovered by
EIGRP.
RP/0/RSP0/CPU0:PE1#show eigrp 100 ipv6 neighbors
IPv6-EIGRP neighbors for AS(100) vrf default
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   Link Local Address:     Gi0/0/0/0         11 00:06:36    2   300  0   6
    fe80::eab7:48ff:fe2c:a180
• show eigrp 100 ipv6 topology: Displays entries in the EIGRP IPv6 topology table.
RP/0/RSP0/CPU0:PE1#show eigrp 100 ipv6 topology
IPv6-EIGRP Topology Table for AS(100)/ID(10.1.1.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 2001:db8:10:1:1::/80, 1 successors, FD is 128256
        via Connected, Loopback0
P 2001:db8:10:1:10::/80, 1 successors, FD is 153856
        via fe80::eab7:48ff:fe2c:a180 (153856/128256), GigabitEthernet0/0/0/0
To display similar outputs on the Cisco IOS and IOS XE, use the show ipv6 eigrp interfaces,
show ipv6 eigrp neighbors, and show ipv6 eigrp topology commands.

3-92 Building Cisco Service Provider Next Generation Networks, Part 1 (SPNGN1) v1.01 © 2012 Cisco Systems, Inc.
EIGRP Load Balancing
This topic describes how to configure load balancing with EIGRP.

By default, EIGRP does equal-metric load balancing.

Network      Metric  Outbound interface  Next-Hop
10.1.1.0/24  2000    Gi 0/0/0            Router A
10.1.1.0/24  2000    Gi 0/0/1            Router B
10.1.1.0/24  2000    Gi 0/0/2            Router C
10.1.1.0/24  2000    Gi 0/0/3            Router D

By default, up to four routes with a metric equal to the minimum metric are installed in the
routing table. The routing table can have up to 32 entries for the same destination.

Cisco IOS/IOS XE router (Gi 0/0):
router eigrp 100
 maximum-paths 32

Cisco IOS XR router (Gi 0/0/0/0):
router eigrp 100
 address-family ipv4
  maximum-paths 32

(Figure: EIGRP AS 100 between the Cisco IOS/IOS XE router and the Cisco IOS XR router.)

© 2012 Cisco and/or its affiliates. All rights reserved. SPNGN1 v1.01—3-11

Equal-cost load balancing is the ability of a router to route traffic over different paths that have
the same metric to reach the destination network. Load balancing increases the use of the
different router interfaces and increases the effective network bandwidth.
For IP, Cisco IOS, IOS XE, and IOS XR Software apply load balancing across up to four
equal-cost paths by default. With the maximum-paths router configuration command, up to 32
equal-cost routes can be kept in the routing table. If you set the value to 1, you disable load
balancing. When a packet is process-switched, load balancing over equal-cost paths occurs on a
per-packet basis. When packets are fast-switched, load balancing over equal-cost paths occurs
on a per-destination basis.

• EIGRP does unequal-cost load balancing, forwarding packets relative to
the metric.
• The default variance is 1, which means equal-cost load balancing.

Variance 2 means that routes with a metric that is the same or lower than 2 times the minimum
metric are installed into the routing table.

Network      Metric  Outbound interface  Next-Hop   Installed
10.1.1.0/24  2000    Gi 0/0/0            Router A   O.K. (minimum metric)
10.1.1.0/24  3000    Gi 0/0/1            Router B   O.K.
10.1.1.0/24  4000    Gi 0/0/2            Router C   O.K.
10.1.1.0/24  5000    Gi 0/0/3            Router D   not installed

The variance command allows the router to load-balance across routes with a metric that is
smaller than the variance times the minimum metric route to that destination.

Cisco IOS/IOS XE router (Gi 0/0):
router eigrp 100
 variance 2

Cisco IOS XR router (Gi 0/0/0/0):
router eigrp 100
 address-family ipv4
  variance 2

(Figure: EIGRP AS 100 between the Cisco IOS/IOS XE router and the Cisco IOS XR router.)


EIGRP can also balance traffic across multiple routes that have different metrics. This type of
balancing is called unequal-cost load balancing. The degree to which EIGRP performs
unequal-cost load balancing is controlled with the Cisco IOS, IOS XE, and IOS XR variance command.
The figure shows the configuration for a variance of 2.
The variance multiplier parameter is a value from 1 to 128. The default is 1, which indicates that
only equal-cost load balancing is being performed. The multiplier defines the range of metric
values that are accepted for load balancing by the EIGRP process.
By default, when unequal-cost load balancing is enabled by using variance, traffic is distributed
proportionately among the links with unequal costs, with respect to the metric.
The EIGRP routing process will install the unequal-cost paths into the routing table if the
metric of the alternate route is equal to or less than the best (lowest) metric multiplied by the
variance.
For example, in the figure, the best (lowest) metric is 2000. If the variance is set to 2, any
alternate path whose metric is less than or equal to 2000 multiplied by 2 (that is, 4000) will also
be installed into the routing table.
In the example, the alternate paths through interfaces Gi0/0/1 and Gi0/0/2 will be installed into
the routing table, but the alternate path through interface Gi0/0/3 will not be installed into the
routing table (because 5000 is not less than or equal to 2000 * 2).

• Router E chooses router C to route to network 172.16.0.0 because it has
the lowest feasible distance of 20.
• With a variance of 2, router E also chooses router B to route to network
172.16.0.0 (20 + 10 = 30) < [2 * (FD) = 40].
• Router D is not considered to route to network 172.16.0.0
(because 25 > 20).

(Figure: router E reaches network 172.16.0.0 through neighbors B, C, and D. The link metrics
from E are 20 to B, 10 to C, and 20 to D; B, C, and D advertise the network with metrics 10, 10,
and 25.)

Network     Neighbor  FD  AD
172.16.0.0  B         30  10
172.16.0.0  C         20  10
172.16.0.0  D         45  25


In the figure, a variance of 2 is configured. The range of the metric values—which are the FDs
for router E to get to network 172.16.0.0—is 20, 30, and 45. This range of values determines
the feasibility of a potential route.
A route is feasible if the next router in the path is closer to the destination than the current
router is, and if the metric of the alternate path is within the variance. Load balancing can use
only feasible paths, and the routing table includes only these paths. The two feasibility
conditions are as follows:
• If the AD of the alternate path is less than the lowest FD (that is, the best route), the route is
tagged as a feasible successor; this criterion prevents routing loops.
• The metric of the alternate path (feasible successors) must be less than or equal to the
variance multiplied by the local best metric (the current FD).
If both of these conditions are met, the route is determined to be feasible and can be added to
the routing table.
The figure shows three paths to network 172.16.0.0, with the following metrics:
• Path 1: 30 (via B)
• Path 2: 20 (via C)
• Path 3: 45 (via D)

By default, the router places only path 2 (via C) in the routing table because it is the least-cost
path. To load-balance over paths 1 and 2, use a variance of 2, because 20 * 2 = 40, which is
greater than the metric through path 1.
In the example, router E uses router C as the successor because it has the lowest feasible
distance (20). With the variance 2 command that is applied to router E, the path through router
B meets the criteria for load balancing. In this case, the feasible distance through router B (30)
is less than twice the feasible distance (20 * 2 = 40) for the successor (router C).

Router D is not considered for load balancing with this variance because the feasible distance
through router D (45) is greater than twice the feasible distance (20 * 2 = 40) for the successor
(router C).
In the example, as long as router C advertised a valid route to router E for network
172.16.0.0, router D would never be a feasible successor no matter what the variance is. This is
because the advertised distance of router D is 25, and 25 is greater than the router E feasible
distance of 20. To avoid a potential routing loop, router D is not considered a feasible
successor.
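The two feasibility checks described above (loop freedom via the advertised distance, and the variance window), applied to router E's table and to the earlier 2000/3000/4000/5000 figure, as an added example that is not part of the original guide. The Path class, the function names, the max_paths handling and the advertised distances assumed for the four-router table are this example's own.

```python
"""Added example (not from the Cisco student guide): a model of the two EIGRP
unequal-cost load-balancing conditions discussed above. Class and function
names are this example's own."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Path:
    """One candidate path to a destination as the local router sees it."""
    neighbor: str
    fd: int   # feasible distance: local metric to the destination via this neighbor
    ad: int   # advertised distance: the neighbor's own metric to the destination


def successor(paths):
    """The successor is the path with the lowest feasible distance."""
    return min(paths, key=lambda p: p.fd)


def load_balanced_paths(paths, variance=1, max_paths=4):
    """Return the paths EIGRP installs in the routing table.

    A non-successor path is installed only if both feasibility conditions hold:
      1. p.ad < best_fd             loop freedom: the neighbor is closer to the
                                    destination than we are (feasible successor)
      2. p.fd <= variance * best_fd the metric is inside the variance window
    Paths equal to the best metric are always eligible. max_paths models the
    maximum-paths command: 4 by default, up to 32, and 1 disables load balancing.
    """
    if not 1 <= variance <= 128:
        raise ValueError("variance must be between 1 and 128")
    if not 1 <= max_paths <= 32:
        raise ValueError("maximum-paths must be between 1 and 32")
    best_fd = successor(paths).fd
    installed = []
    for p in sorted(paths, key=lambda p: p.fd):
        if p.fd == best_fd or (p.ad < best_fd and p.fd <= variance * best_fd):
            installed.append(p)
    return installed[:max_paths]


def minimum_variance_for(paths, neighbor):
    """Smallest variance (1..128) that installs the path via `neighbor`, or
    None when the loop-freedom condition can never be satisfied for it."""
    target = next(p for p in paths if p.neighbor == neighbor)
    best_fd = successor(paths).fd
    if target.fd != best_fd and not target.ad < best_fd:
        return None
    return next((v for v in range(1, 129) if target.fd <= v * best_fd), None)


# Constructed input: router E's view of 172.16.0.0 from the figure above.
ROUTER_E_PATHS = [
    Path("B", fd=30, ad=10),
    Path("C", fd=20, ad=10),
    Path("D", fd=45, ad=25),
]

# Constructed input: the 2000/3000/4000/5000 table from the earlier figure.
# That figure gives no advertised distances, so the ad values are assumed here.
FOUR_ROUTER_PATHS = [
    Path("Router A", fd=2000, ad=1000),
    Path("Router B", fd=3000, ad=1500),
    Path("Router C", fd=4000, ad=1900),
    Path("Router D", fd=5000, ad=1000),
]


def installed_neighbors(paths, variance=1, max_paths=4):
    """Convenience wrapper: neighbor names in installation order."""
    return [p.neighbor for p in load_balanced_paths(paths, variance, max_paths)]


if __name__ == "__main__":
    for v in (1, 2, 3):
        print(f"router E, variance {v}: {installed_neighbors(ROUTER_E_PATHS, v)}")
    print("minimum variance for B:", minimum_variance_for(ROUTER_E_PATHS, "B"))
    print("minimum variance for D:", minimum_variance_for(ROUTER_E_PATHS, "D"))
    print("four-router table, variance 2:", installed_neighbors(FOUR_ROUTER_PATHS, 2))
```

Router D never qualifies, whatever the variance, because its advertised distance (25) is not below router E's feasible distance (20); raising the variance only widens the metric window, never the loop-freedom check.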

EIGRP Authentication
This topic describes how to configure Message Digest 5 (MD5) authentication with EIGRP.

• EIGRP supports MD5 authentication.
• The router identifies itself for every EIGRP packet that it sends.
• The router authenticates the source of each routing update packet that it
receives.
• Each participating neighbor must have the same key configured.

(Figure: EIGRP AS 100 between a Cisco IOS/IOS XE router on Gi 0/0 and a Cisco IOS XR router
on Gi 0/0/0/0. A routing update from the authorized neighbor passes authentication; a "Use my
EIGRP default route" update from an unauthorized router fails authentication.)


You can configure EIGRP neighbor authentication such that routers can participate in routing
based on predefined passwords. By default, no authentication is used for EIGRP packets.
EIGRP can be configured to use MD5 authentication.
Without neighbor authentication, unauthorized or deliberately malicious routing updates could
compromise the security of your network traffic. A security compromise could occur if any
unfriendly party interferes with your network. For example, an unauthorized router could
launch a fictitious routing update to convince your router to send traffic to an incorrect
destination.
When you configure neighbor authentication on a router, the router authenticates the source of
each routing update packet that it receives. For EIGRP MD5 authentication, you must configure
an authenticating key and a key ID on both the sending and the receiving router. The key is
sometimes referred to as a password.

To configure EIGRP MD5 authentication, follow these steps:
1. Create the keychain—a group of possible keys (passwords).
2. Assign a key ID to each key.
3. Identify the keys.
4. Enable MD5 authentication on the interface (on Cisco IOS only).
5. Specify which keychain the interface will use.

Key chain (steps 1 to 3):
key chain chain_name
 key 1
  key-string firstkey
 key 2
  key-string secondkey

Cisco IOS/IOS XE router (Gi 0/0), IPv4:
interface GigabitEthernet0/0
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 CE1chain

Cisco IOS XR router (Gi 0/0/0/0), IPv4:
router eigrp 100
 address-family ipv4
  interface GigabitEthernet0/0/0/0
   authentication keychain PE1chain

Cisco IOS/IOS XE router (Gi 0/0), IPv6:
interface GigabitEthernet0/0
 ipv6 authentication mode eigrp 100 md5
 ipv6 authentication key-chain eigrp 100 CE1chain

Cisco IOS XR router (Gi 0/0/0/0), IPv6:
router eigrp 100
 address-family ipv6
  interface GigabitEthernet0/0/0/0
   authentication keychain PE1chain

(Figure: EIGRP AS 100 between the Cisco IOS/IOS XE router and the Cisco IOS XR router.)


The MD5 keyed digest in each EIGRP packet prevents the introduction of unauthorized or false
routing messages from unapproved sources.
Each key has its own key ID, which the router stores locally. The combination of the key ID
and the interface that is associated with the message uniquely identifies the authentication
algorithm and the MD5 authentication key in use.
EIGRP allows you to manage keys by using key chains. Each key definition within the key
chain can specify a time interval for which that key is activated (its lifetime). Then, during the
lifetime of a given key, routing update packets are sent with this activated key. Only one
authentication packet is sent, regardless of how many valid keys exist. The software examines
the key numbers in order, from lowest to highest, and it uses the first valid key that it
encounters.
Keys cannot be used during time periods for which they are not activated. Therefore, it is
recommended that for a given key chain, key activation times overlap to avoid any period for
which no key is activated. If there is a time during which no key is activated, neighbor
authentication cannot occur, and, therefore, routing updates fail.
It is important that the routers know the correct time in order to rotate through keys in
synchronization with the other participating routers. This synchronization ensures that all of the
routers are using the same key at the same moment. It is recommended to use Network Time
Protocol (NTP) to achieve this—NTPv3 offers additional security with authentication from
trusted sources.
Use the key chain command to enter configuration mode for the key chain. Two keys are
defined. Key 1 is set to “firstkey” with the key-string firstkey command. Key 2 is set to
“secondkey” with the key-string secondkey command.

MD5 authentication and the key chain are configured on the Cisco IOS and IOS XE router
GigabitEthernet0/0 interface with the ip authentication mode eigrp 100 md5 and the ip
authentication key-chain eigrp 100 CE1chain commands. On the Cisco IOS XR router, only
the key chain is configured under the router EIGRP configuration mode with the
authentication keychain PE1chain command. Because Cisco IOS XR supports only MD5
authentication, there is no need to define authentication mode.
Routers accept and attempt to verify the MD5 digest of any EIGRP packets with a key ID equal
to 1. Routers will also accept a packet with a key ID equal to 2. All other MD5 packets are
dropped. If a validity timer for key 1 is defined, when the validity expires, routers send all
EIGRP packets by using key 2 because key 1 is no longer valid for use in sending packets.
The figure shows EIGRP authentication examples for IPv4 and IPv6.
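The key-chain behaviour described above (send with the lowest-numbered key that is currently valid, accept only a digest made with a key ID that is valid now, and fail when no key is active), as an added teaching model that is not the guide's or Cisco's code. HMAC-MD5 stands in for the keyed digest, and the class names, dates and second chain are this example's own assumptions.

```python
"""Added example (not from the Cisco student guide): a simplified model of the
key-chain behaviour described above. It sends with the lowest-numbered key that
is valid now, accepts a digest only for a key ID that is valid now, and finds
lifetime gaps. HMAC-MD5 stands in for the keyed digest; dates and names are
this example's own, not Cisco's implementation."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime


def parse_time(iso):
    """Parse an ISO 8601 timestamp such as '2012-02-01T00:00'."""
    return datetime.fromisoformat(iso)


@dataclass(frozen=True)
class Key:
    key_id: int
    key_string: bytes
    valid_from: datetime
    valid_until: datetime   # exclusive: the key stops being usable at this instant

    def is_valid_at(self, when):
        return self.valid_from <= when < self.valid_until


class KeyChain:
    def __init__(self, name, keys):
        self.name = name
        self.keys = sorted(keys, key=lambda k: k.key_id)   # lowest key ID first

    def send_key(self, when):
        """First valid key in key-ID order, or None when no key is active."""
        return next((k for k in self.keys if k.is_valid_at(when)), None)

    def sign(self, packet, when):
        """Return (key_id, digest) for an outgoing packet."""
        key = self.send_key(when)
        if key is None:
            raise RuntimeError(f"{self.name}: no active key at {when.isoformat()}")
        return key.key_id, hmac.new(key.key_string, packet, hashlib.md5).digest()

    def verify(self, packet, key_id, digest, when):
        """True only if the digest matches a key with this ID that is valid now;
        an unknown or expired key ID means the packet is dropped."""
        key = next((k for k in self.keys
                    if k.key_id == key_id and k.is_valid_at(when)), None)
        if key is None:
            return False
        expected = hmac.new(key.key_string, packet, hashlib.md5).digest()
        return hmac.compare_digest(expected, digest)

    def coverage_gaps(self, start, end):
        """Sub-intervals of [start, end) in which no key is active. Every gap
        is a window in which neighbours cannot authenticate and updates fail."""
        points = {start, end}
        for k in self.keys:
            points.update(t for t in (k.valid_from, k.valid_until) if start < t < end)
        points = sorted(points)
        return [(a, b) for a, b in zip(points, points[1:]) if self.send_key(a) is None]


def build_chain(name, key2_start):
    """Constructed chain: key 1 'firstkey' valid through January 2012, key 2
    'secondkey' valid from `key2_start` through February 2012."""
    return KeyChain(name, [
        Key(1, b"firstkey", parse_time("2012-01-01T00:00"), parse_time("2012-02-01T00:00")),
        Key(2, b"secondkey", parse_time(key2_start), parse_time("2012-03-01T00:00")),
    ])


OVERLAPPING_CHAIN = build_chain("CE1chain", "2012-01-25T00:00")   # lifetimes overlap
GAPPED_CHAIN = build_chain("gapchain", "2012-02-05T00:00")        # 4-day hole in February


def send_key_id(chain, iso_when):
    """Key ID the chain would sign with at `iso_when` (None if none is active)."""
    key = chain.send_key(parse_time(iso_when))
    return None if key is None else key.key_id


def gap_list(chain, iso_start, iso_end):
    """Coverage gaps as ISO strings, for reporting."""
    return [(a.isoformat(), b.isoformat())
            for a, b in chain.coverage_gaps(parse_time(iso_start), parse_time(iso_end))]


def exchange(sender, receiver, packet, iso_sent, iso_received=None):
    """Sign with the sender's clock, verify with the receiver's clock (which may
    be skewed); returns (key_id_used, accepted)."""
    key_id, digest = sender.sign(packet, parse_time(iso_sent))
    when_received = parse_time(iso_received or iso_sent)
    return key_id, receiver.verify(packet, key_id, digest, when_received)
```

The skewed-clock case in the checks below is the reason the text recommends NTP: a sender still inside key 1's lifetime is rejected by a receiver whose clock has already passed it.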

Summary
This topic summarizes the key points that were discussed in this lesson.

• EIGRP is a classless, advanced distance vector routing protocol.
• EIGRP stores neighbor information in neighbor tables.
• EIGRP uses DUAL to calculate the best path.
• EIGRP uses a composite metric, usually combining the lowest data rate and the
cumulative delay along the path.
• EIGRP requires you to configure an autonomous system number that
must match on all routers to exchange routes.
• The autosummarization feature was made obsolete by RFC 950, published in
1985.
• IPv6 is supported by EIGRP and is configured under a separate address
family.
• EIGRP is capable of load-balancing across unequal-cost paths.
• EIGRP supports MD5 authentication to protect against unauthorized,
rogue routers entering your network.

Lesson 5

Understanding Cisco Router Security
Overview
After you secure physical access to your network, you must ensure that access to the Cisco
router via the console and vty ports is secure.
This lesson describes how to implement a basic security configuration for a Cisco router and
how to use Cisco IOS, Cisco IOS XE, and Cisco IOS XR Software tools to access a remote
device.

Objectives
Upon completing this lesson, you will be able to secure a router-based network. This ability
includes being able to meet these objectives:
• List the common threats to routers
• Describe how to configure router passwords and banners in Cisco IOS routers
• Compare Telnet vs. SSH and describe how to enable SSH access on Cisco IOS/IOS XE and IOS XR
routers
• Describe task groups and user groups in Cisco IOS XR
• Describe how to configure user groups and users in Cisco IOS XR
• Describe how to configure RADIUS and TACACS+ to authenticate users
• Describe how to enable logging to monitor system events
• Describe how to implement SNMP to enable remote monitoring and management of Cisco
IOS XR devices
• Describe how to initiate a Telnet connection to a remote device
• Describe how to initiate an SSH connection to a remote device
• Describe how to use the ping command to test connectivity
Router Security
This topic describes the common threats to routers.

Common threats to physical installations:
• Hardware threats
• Environmental threats
• Electrical threats
• Maintenance threats

A router is vulnerable to attacks directed toward:
• Control plane
• Management plane

Recommended configuration:
• Out-of-band management
• Use of encrypted management protocols (SSH, HTTPS)
• Multiple user accounts with different access roles
• RADIUS or TACACS+ server for centralized user management
• Logging to remote servers
• Hashed passwords (secret instead of password)
• SNMPv3


Improper and incomplete network device installation is an often-overlooked security threat.
Software-based security measures alone cannot prevent network damage due to poor
installation. There are four classes of unsecure installations or physical access threats:
• Hardware threats: Threats of physical damage to the router or router hardware.
• Environmental threats: Threats such as temperature extremes (too hot or too cold) or
humidity extremes (too wet or too dry).
• Electrical threats: Threats such as voltage spikes, insufficient supply voltage (brownouts),
unconditioned power (noise), and total power loss.
• Maintenance threats: Threats such as poor handling of key electrical components (ESD),
lack of critical spare parts, poor cabling, poor labeling, and so on.

A router is vulnerable to attacks directed toward the control and management planes. Cisco IOS
XR Release 3.5 and above provide advanced protection of both planes. In versions before 3.5,
limited protection can be applied with access lists.
When enabling a new router into a network, follow and implement these recommendations:
• Out-of-band management makes it harder for an attacker to connect to the management
services.
• Use of encrypted management protocols (Secure Shell [SSH] and HTTPS) prevents
passwords from being sent in cleartext over the network.
• Multiple user accounts with different privilege levels can be used to assign only necessary
privileges to technical staff.
• Centralized user management makes it easier to disable compromised accounts.
• Logs on remote servers can be used to analyze events occurring during an attack if servers
themselves are not compromised.
• Hashed passwords significantly increase the time that is needed to crack them if an attacker
gains access to configuration.
• Simple Network Management Protocol version 3 (SNMPv3) increases security with user
accounts and HMAC authentication.

Configuring Router Passwords
This topic describes how to configure router passwords and banners in Cisco IOS routers.

line console 0
 login
 password cisco
• Set the console password.

line vty 0 4
 login
 password sanjose
• Set the virtual terminal password.

enable password cisco
• Set the enable password.

enable secret sanfran
• Set the enable secret password.

service password-encryption
• Set the service password encryption.

banner login #Access for authorized users only. Please enter your username and password.#
banner motd #Router will not be accessible today between 10 and 11 PM for maintenance reasons#
• Define and enable a customized banner to be displayed before the username and
password login prompts (login) and after successful login (motd).

(Figure: the router is reached over the console and over Telnet.)


You can use the command-line interface (CLI) to configure the password and other console
commands. Using a password and assigning privilege levels are simple ways to provide
terminal access control in a network. A password can be established on individual lines, such as
the console, and to the privileged EXEC mode.
Each Telnet port on the router is known as a vty terminal. There are a maximum of five default
vty ports on the router, which allows for five concurrent Telnet sessions. On the router, the vty
ports are numbered from 0 through 4. You can activate up to 11 additional optional vty
terminals (5 to 15) if needed.
You can use the line console 0 command, followed by the login and password subcommands,
to require login and establish a login password on a console terminal or a vty port. By default,
login is not enabled on a console or vty port.
You can use the line vty 0 4 Cisco IOS and IOS XE Software command, or the line default
Cisco IOS XR Software command, followed by the login and password subcommands, to
require login and establish a login password on incoming Telnet sessions. To activate and
configure the additional vty lines on the Cisco IOS and IOS XE routers, use the line vty 5 15
command, followed by the login and password subcommands.
Optionally, you can use the login local command to enable password checking on a per-user
basis, using the username and password that is specified with the username global
configuration command. The username command establishes username authentication with
encrypted passwords based on entries in the local user database.
The enable password global configuration command restricts access to the privileged EXEC
mode. You can assign an encrypted form of the enable password command, called the enable
secret password. The enable secret command with the desired password at the global
configuration mode prompt is required for this functionality. If the enable secret password is
configured, it is used rather than the enable password, not in addition to it.
You can also add a further layer of security, which is particularly useful for passwords that
cross the network or are stored on a TFTP server. Cisco provides a feature that allows the use
of encrypted passwords. To set password encryption, enter the service password-encryption
Cisco IOS and IOS XE Software command in global configuration mode.
Passwords that are displayed or set after you configure the service password-encryption
command will be encrypted.
You can use the CLI to configure the message of the day and other console commands. To
define a customized banner to display before the username and password login prompts, you
can use the banner login command in global configuration mode. When you enter the banner
login command, follow the command with one or more blank spaces and a delimiting
character. In this example, the delimiting character is a hash mark (#). After the banner text has
been added, terminate the message with the same delimiting character.

Caution Use caution when selecting the words that are used in the login banner. Words like
“welcome” may imply that access is not restricted and allow hackers to defend their actions.

You can also configure a message-of-the-day (MOTD) banner by using the banner motd
command. The MOTD banner is displayed on all terminals at connection time.

Telnet vs. SSH Access
This topic compares Telnet vs. SSH and how to enable SSH access on Cisco IOS/IOS XE and
IOS XR routers.

Telnet:
• Most common access method
• Unsecure

SSH:
• Encrypted
• IP domain must be defined
• Key must be generated
• Telnet access must be disabled for better security

Cisco IOS XR:
RP/0/RSP0/CPU0:PE1(config)#username cisco password cisco
RP/0/RSP0/CPU0:PE1(config)#domain name cisco.com
RP/0/RSP0/CPU0:PE1#crypto key generate rsa general-keys
The name for the keys will be: the_default
Choose the size of the key modulus in the range of 512 to 2048 for your General
Purpose Keypair. Choosing a key modulus greater than 512 may take a few minutes.

How many bits in the modulus [1024]: <Enter>

Generating RSA keys ...
Done w/ crypto generate keypair
[OK]

RP/0/RSP0/CPU0:PE1(config)#ssh server v2
RP/0/RSP0/CPU0:PE1(config)#line default transport input ssh
RP/0/RSP0/CPU0:PE1(config)#commit

Cisco IOS/IOS XE:
Router(config)#line vty 0 4
Router(config-line)#transport input ssh


Telnet is the most common method of accessing a network device. However, Telnet is an
unsecure way of accessing a network. SSH is a secure replacement for Telnet, which gives the
same type of access. Communication between the client and server is encrypted in both SSH
version 1 (SSHv1) and SSH version 2 (SSHv2). Implement SSHv2, if possible, because it uses
a more enhanced security encryption algorithm. When encryption is enabled, a Rivest, Shamir,
and Adleman (RSA) encryption key must be generated on the router. In addition, an IP domain
must be assigned to the router.

The Cisco IOS XR Software configuration in the example enables SSH and disables Telnet
access to the router.

Enable SSH and Disable Telnet Access to a Router Using the Cisco IOS XR Software

Step  Action                               Notes
1.    username username password password  Define a username and password for local
                                           authentication.
2.    domain name domain                   Define a domain name.
3.    crypto key generate rsa              Generate a crypto key. Choose the size of the
                                           key modulus in the range of 360 to 2048 for
                                           your general-purpose keys.
                                           Note: Choosing a key modulus greater than
                                           512 may take a few minutes.
4.    ssh server v2                        Enable SSHv2.
5.    line default transport input ssh     Limit the router to SSH connections only.

The procedure is the same in Cisco IOS and Cisco IOS XE Software. The difference is in some
of the commands used.

Enable SSH and Disable Telnet Access to a Router Using the Cisco IOS or Cisco IOS XE
Software

Step  Action                               Notes
1.    username username password password  Define a username and password for local
                                           authentication.
2.    ip domain-name domain                Define a domain name.
3.    crypto key generate rsa              Generate a crypto key. Choose the size of the
                                           key modulus in the range of 360 to 2048 for
                                           your general-purpose keys.
                                           Note: Choosing a key modulus greater than
                                           512 may take a few minutes.
4.    ip ssh version 2                     Enable SSHv2.
5.    transport input ssh                  Limit the router to SSH connections only.
Task Groups and User Groups in Cisco IOS XR
This topic describes task groups and user groups in Cisco IOS XR.

1. Configuring task groups and user groups
2. Configuring users
3. Configuring RADIUS servers
4. Configuring TACACS+ servers
5. Configuring AAA method lists

(Figure: users are members of user groups; each user group references one or more task
groups; task groups contain task IDs and can inherit from other task groups.)
• Users belong to user groups.
• User groups establish relation between task groups and users.
• Task groups can inherit from other task groups.
• Task groups define permitted tasks (task IDs).


The Cisco IOS XR software ensures security by combining tasks that a user wants to perform
(task IDs) into groups, defining which router configuration and management functions that
users can perform. These definitions enable this policy:
• User groups: Collection of users that share similar authorization rights on a router
• Task groups: Collection of tasks that are identified by unique task IDs for each class of
action
• Task IDs: Permission to perform particular tasks; pooled into a task group that is then
assigned to users.
To implement authentication, authorization, and accounting (AAA) on the Cisco IOS XR
Software, follow these configuration steps:
Step 1 Configure task groups and user groups.
Step 2 Configure users.
Step 3 Configure RADIUS servers.
Step 4 Configure TACACS+ servers.
Step 5 Configure AAA method lists.
When using task groups and user groups on the Cisco IOS XR Software, follow these rules:
• Task groups define permitted tasks (task IDs).
• Task groups can inherit from other task groups.
• User groups establish a relation between task groups and users.
• Users belong to user groups.

Configuring User Groups and Users in Cisco IOS XR
This topic describes how to configure user groups and users in Cisco IOS XR.

Predefined user and task groups:
• root-system
• root-lr
• netadmin
• sysadmin
• operator
• cisco-support

taskgroup OSPF
 task execute ospf
 task read ospf
 task write ospf
!
taskgroup ISIS
 task execute isis
 task read isis
 task write isis
!
taskgroup IGP
 inherit taskgroup OSPF
 inherit taskgroup ISIS
!
usergroup IGP-admins
 taskgroup IGP

username newuser
 group netadmin
 group root-lr
 secret newpassword
 password oldpassword
!

Users are defined by using the username command. Users may belong to one or more groups.
The password can be set either by using the password or the secret command:
• secret stores the password MD5-hashed.
• password stores the password obscured using the Cisco algorithm.
• secret always overrides password if both are configured.


The user groups to which you belong define the commands that you can perform. Within the
Cisco IOS XR software, the commands for a particular feature, like access control lists, are
assigned to tasks. A task ID uniquely identifies each task. To use a particular command, your
username must be associated with the appropriate task ID.
The association between a username and a task ID takes place through two intermediate
entities, the user group and task group.
The user group is a logical container that is used to assign the same task IDs to multiple users.
Instead of assigning task IDs to each user, you can assign them to the user group. Then, you can
assign users to that user group. When a task is assigned to a user group, you can define the
access rights for the commands that are associated with that task. These rights include “read,”
“write,” “execute,” and “notify.”
The task group is also a logical container, but it is used to group tasks. Instead of assigning task
IDs to each user group, you assign them to a task group. This allows you to quickly enable
access to a specific set of tasks by assigning a task group to a user group.
To summarize the associations, usernames are assigned to user groups, which are then assigned
to task groups. Users can be assigned to multiple user groups, and each user group can be
assigned to one or more task groups. A user can execute all commands that are assigned to the
tasks within the task groups that are associated with the user groups to which the user belongs.
Users are not assigned to groups by default and must be explicitly assigned by an administrator.
Within task groups, you can define read, write, execute, and debug permission for each task ID.
More task groups allow for greater granularity of assigned permissions.
A set of predefined user and task groups exists on the Cisco IOS XR Software.
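The user group -> task group -> task ID chain described above, worked through in code as an added example that is not part of the original guide: it parses the figure's taskgroup and usergroup configuration and resolves a user's effective permissions, including task-group inheritance. The parser, the AAAModel class, the user igpoper and its placeholder secret are this example's own; the predefined groups (netadmin, root-lr, and so on) are not modelled.

```python
"""Added example (not from the Cisco student guide): parse the task-group, user-group
and username configuration shown above and resolve which task IDs a user may read,
write, execute or debug. Names are this example's own; predefined groups are not modelled."""

PERMISSIONS = ("read", "write", "execute", "debug")

# Constructed configuration: the figure's groups plus a constructed user in IGP-admins.
CONFIG = """\
taskgroup OSPF
 task execute ospf
 task read ospf
 task write ospf
!
taskgroup ISIS
 task execute isis
 task read isis
 task write isis
!
taskgroup IGP
 inherit taskgroup OSPF
 inherit taskgroup ISIS
!
usergroup IGP-admins
 taskgroup IGP
!
username igpoper
 group IGP-admins
 secret placeholder-not-a-real-secret
!
"""


class AAAModel:
    def __init__(self):
        self.taskgroups = {}   # name -> {"tasks": {task_id: set(perms)}, "inherits": [names]}
        self.usergroups = {}   # name -> [task group names]
        self.users = {}        # username -> [user group names]

    @classmethod
    def parse(cls, text):
        """A column-0 command opens a section, indented lines are its
        sub-commands, and '!' closes it."""
        model, section = cls(), None
        for raw in text.splitlines():
            words = raw.split()
            if not words or words[0] == "!":
                section = None
                continue
            if not raw.startswith(" "):
                kind, name = words[0], words[1]
                table = {"taskgroup": model.taskgroups, "usergroup": model.usergroups,
                         "username": model.users}[kind]   # KeyError: unknown command
                table.setdefault(name, {"tasks": {}, "inherits": []} if kind == "taskgroup" else [])
                section = (kind, name)
                continue
            if section is None:
                raise ValueError(f"sub-command outside a section: {raw.strip()}")
            kind, name = section
            if kind == "taskgroup" and words[0] == "task" and words[1] in PERMISSIONS:
                model.taskgroups[name]["tasks"].setdefault(words[2], set()).add(words[1])
            elif kind == "taskgroup" and words[:2] == ["inherit", "taskgroup"]:
                model.taskgroups[name]["inherits"].append(words[2])
            elif kind == "usergroup" and words[0] == "taskgroup":
                model.usergroups[name].append(words[1])
            elif kind == "username" and words[0] == "group":
                model.users[name].append(words[1])
            elif kind == "username" and words[0] in ("secret", "password"):
                pass   # credentials authenticate the user; they play no part in authorization
            else:
                raise ValueError(f"unsupported sub-command in {kind} {name}: {raw.strip()}")
        return model

    def taskgroup_permissions(self, name, _stack=()):
        """Task IDs and permissions of a task group, including inherited ones."""
        if name in _stack:
            raise ValueError("inheritance cycle: " + " -> ".join(_stack + (name,)))
        group = self.taskgroups.get(name)
        if group is None:
            raise KeyError(f"task group {name!r} is referenced but not defined")
        perms = {task: set(p) for task, p in group["tasks"].items()}
        for parent in group["inherits"]:
            for task, p in self.taskgroup_permissions(parent, _stack + (name,)).items():
                perms.setdefault(task, set()).update(p)
        return perms

    def user_permissions(self, username):
        """Union over every task group reachable through the user's user groups;
        a user in no group (the default) gets nothing."""
        perms = {}
        for usergroup in self.users.get(username, []):
            for taskgroup in self.usergroups.get(usergroup, []):
                for task, p in self.taskgroup_permissions(taskgroup).items():
                    perms.setdefault(task, set()).update(p)
        return perms

    def is_authorized(self, username, permission, task_id):
        return permission in self.user_permissions(username).get(task_id, set())


MODEL = AAAModel.parse(CONFIG)
```

A user that is not in any user group resolves to no task IDs at all, which matches the text's point that group membership is never implicit.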

Predefined User and Task Groups on Cisco IOS XR Software

User and Task Group  Permissions
root-system          Display and execute all commands for all RSPs in the system.
root-lr              Display and execute all commands within a single RSP.
netadmin             Configure network protocols such as Border Gateway Protocol (BGP) and
                     Open Shortest Path First (OSPF) (usually used by network administrators).
sysadmin             Perform system administration tasks for the router, such as maintaining
                     where the core dumps are stored or setting up the Network Time Protocol
                     (NTP) clock.
operator             Perform day-to-day monitoring activities and have limited configuration
                     rights.
cisco-support        Debug and troubleshoot features (usually used by Cisco Technical Support
                     personnel).

Configuring RADIUS and TACACS+
This topic describes how to configure RADIUS and TACACS+ to authenticate users.

• RADIUS servers can be used to authenticate users.
• TACACS+ server can be used for remote AAA:
- Authenticates users
- Authorizes users
- Logs accounting information

(Figure: a Telnet user presents a username/password to the router, which queries the RADIUS
server at 192.168.1.1 or the TACACS+ server at 192.168.1.2.)

radius-server host 192.168.1.1
 key radiuskey
!
radius source-interface Gi0/1/0/1
tacacs-server host 192.168.1.2
 key tacacskey
!
tacacs source-interface Gi0/1/0/1


RADIUS servers can be used to authenticate users. TACACS+ servers can be used for
authenticating users, authorizing users, and logging accounting information. The figure shows
RADIUS and TACACS+ server configuration on the Cisco IOS XR router.
Use the show radius command to view the configured status of radius servers, or use the show
tacacs command to view the configured status of TACACS+ servers.

Supported methods include:
• group radius
• group tacacs+
• local
• line
• none

aaa group server tacacs+ TACACS
 server 192.168.1.2
 server 192.168.1.3
!
aaa authentication ppp default local
aaa authentication login LOGIN group radius line
aaa authorization exec EXEC group TACACS local
aaa accounting commands default stop-only group tacacs+ TACACS
!
line default
 authorization exec EXEC
 login authentication LOGIN
!

Servers can be put in groups and referenced by group name. Separate lists can be configured
for AAA.


AAA method lists define the order of preference for different AAA data sources. These are
supported AAA methods:
• group radius: Use RADIUS server for authentication.
• group tacacs+: Use TACACS+ server for AAA.
• local: Use local username and password database.
• line: Use line password.
• none: Do not use any AAA method. This is a less-secure method.
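The following is an added example, not Cisco code and not part of the original guide. It models how a method list such as "group radius line" is walked: each method is tried in order, and the next one is consulted only when the current one gives no answer (for example, no server in the group responded). An explicit accept or reject from a method that did answer ends the walk, which is why "none" at the end of a list accepts anyone only when every server ahead of it is unreachable. The router, users, passwords and server groups are constructed sample data; the behaviour of the "local" method for an unknown user is a modelling assumption.

```python
"""Walk a Cisco-style AAA method list (added example, not Cisco code).

Modelled rule: methods are tried in order; the next method is consulted
only when the current one returns no answer (ERROR). An explicit PASS or
FAIL ends the walk. All users, passwords and server groups are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class Router:
    local_users: Dict[str, str] = field(default_factory=dict)   # 'local' database
    line_password: Optional[str] = None                          # 'line' password
    # reachable server groups -> the user database they hold; a group missing
    # from this dict models "no server in the group answered"
    server_groups: Dict[str, Dict[str, str]] = field(default_factory=dict)


Method = Callable[[Router, str, str], str]


def _group(name: str) -> Method:
    def run(rtr: Router, user: str, pw: str) -> str:
        db = rtr.server_groups.get(name)
        if db is None:
            return ERROR                              # unreachable: fall through
        return PASS if db.get(user) == pw else FAIL   # server answered: final
    return run


def _local(rtr: Router, user: str, pw: str) -> str:
    if user not in rtr.local_users:
        return ERROR            # unknown local user: next method (assumption)
    return PASS if rtr.local_users[user] == pw else FAIL


def _line(rtr: Router, user: str, pw: str) -> str:
    if rtr.line_password is None:
        return ERROR
    return PASS if pw == rtr.line_password else FAIL


def _none(rtr: Router, user: str, pw: str) -> str:
    return PASS                 # 'none' never denies anyone


def parse_method_list(spec: str) -> List[str]:
    """'group radius line' -> ['group radius', 'line']."""
    tokens, methods, i = spec.split(), [], 0
    while i < len(tokens):
        if tokens[i] == "group":
            methods.append(f"group {tokens[i + 1]}")
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def _resolve(method: str) -> Method:
    if method.startswith("group "):
        return _group(method.split(" ", 1)[1])
    return {"local": _local, "line": _line, "none": _none}[method]


def authenticate(rtr: Router, spec: str, user: str, pw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Return the final verdict and the (method, result) trace of the walk."""
    trace: List[Tuple[str, str]] = []
    for method in parse_method_list(spec):
        result = _resolve(method)(rtr, user, pw)
        trace.append((method, result))
        if result != ERROR:
            return result, trace
    return FAIL, trace          # every method errored: access denied


def sample_router() -> Router:
    # Constructed: the TACACS group from the figure answers, 'radius' does not.
    return Router(local_users={"admin": "localpw"}, line_password="linepw",
                  server_groups={"TACACS": {"alice": "tacpw"}})


if __name__ == "__main__":
    rtr = sample_router()
    for spec, user, pw in [("group radius line", "alice", "linepw"),
                           ("group TACACS local", "alice", "wrong"),
                           ("group radius none", "anyone", "anything")]:
        print(spec, "->", authenticate(rtr, spec, user, pw))
```

The second sample call shows the point the list above makes about "none": a wrong password rejected by the TACACS+ group is final and "local" is never consulted, whereas when the server group is unreachable a trailing "none" accepts any credentials.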

Implementing Logging
This topic describes how to enable logging to monitor system events.

• Logging can be used to monitor system events.
• Four types of logging:
- Console
- Monitor
- Trap (syslog)
- Buffer
• Trap and buffer logging types store messages for later retrieval.

Figure (slide 3-10): Logging destinations (vty/monitor, syslog, console, logging
buffer) and the corresponding configuration. Logging on vty lines (monitor logging)
must be enabled individually per session. It is recommended to disable logging on
console.

logging on
logging buffered 200000
logging 192.0.2.65
logging 192.0.2.66
logging trap warnings
logging monitor notifications
logging console disable
logging archive
 archive-size 100
 archive-length 52
 file-size 1
 frequency weekly
 device harddisk

System messages that are generated by the Cisco IOS XR software can be logged to various
locations, based on the severity level of the messages. For example, you could direct
information messages to the system console and also log debugging messages to a network
server. There are four logging types: console, monitor, trap, and buffer.
In addition, you can define correlation rules that group and summarize related events, generate
complex queries for the list of logged events, and retrieve logging events through an XML
interface. Alarm logging correlation groups and filters similar messages to reduce the amount
of redundant logs and to isolate the root causes of the messages. For example, the original
message describing the online insertion and removal (OIR) and system state being up or down
can be reported.
All subsequent messages reiterating the same event can be correlated. When you create
correlation rules, a common root event that is generating larger volumes of follow-on error
messages can be isolated and sent to the correlation buffer. An operator can extract all
correlated messages for display later, should the need arise.
A logging buffer can be archived locally. This feature is commonly known as log rotation:
older files are removed when newer ones are added. The following logging archive settings
can be fine-tuned:
• Total archive size
• Number of files in the archive
• Size of an individual file
• Frequency of collecting logs into the files
• Device on which to store the logs
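As an added example (not code from the guide or from Cisco), the script below reads the logging configuration from the figure and decides, for each system message, which destinations receive it: a destination gets a message when the message severity is numerically at or below the destination's configured level. The message format follows the IOS XR "%FACILITY-SUBFACILITY-SEVERITY-MNEMONIC" header; the three sample messages are constructed, and the default level of "debugging" for a destination the configuration does not mention is an assumption of this model.

```python
"""Route IOS XR system messages by severity (added example, not Cisco code)."""
import re
from typing import Dict, List, Optional

# Level names used by the logging commands; lower number = more severe.
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# %FACILITY-SUBFACILITY-SEVERITY-MNEMONIC header of an IOS XR message
MSG_RE = re.compile(r"%(?P<facility>[A-Za-z0-9_]+(?:-[A-Za-z0-9_]+)*?)"
                    r"-(?P<sev>[0-7])-(?P<mnemonic>[A-Za-z0-9_]+)")

# Configuration taken from the figure above
CONFIG = """logging on
logging buffered 200000
logging 192.0.2.65
logging 192.0.2.66
logging trap warnings
logging monitor notifications
logging console disable
logging archive
 archive-size 100
 archive-length 52
 file-size 1
 frequency weekly
 device harddisk""".splitlines()

# Constructed sample messages in IOS XR format (not captured from a device)
SAMPLE = [
    "RP/0/RSP0/CPU0:Nov 12 10:00:01.123 : ifmgr[213]: %PKT_INFRA-LINK-3-UPDOWN : "
    "Interface GigabitEthernet0/1/0/1, changed state to Down",
    "RP/0/RSP0/CPU0:Nov 12 10:00:02.456 : config[65700]: %MGBL-CONFIG-6-DB_COMMIT : "
    "Configuration committed by user 'student'.",
    "RP/0/RSP0/CPU0:Nov 12 10:00:03.789 : login[65800]: %SECURITY-login-5-AUTHEN_SUCCESS : "
    "Successfully authenticated user 'student' from '192.168.101.10' on 'vty0'",
]


def parse_logging_config(lines: List[str]) -> Dict[str, object]:
    """Reduce 'logging ...' commands to a per-destination severity threshold.
    None means the destination is disabled; unmentioned destinations default
    to 'debugging' (assumption). 'logging <ip>' adds a syslog (trap) host."""
    cfg: Dict[str, object] = {"console": 7, "monitor": 7, "trap": 7,
                              "buffered": 7, "hosts": []}
    for raw in lines:
        parts = raw.split()
        if len(parts) < 2 or parts[0] != "logging":
            continue                    # archive sub-mode lines are not modelled
        target = parts[1]
        if target in ("console", "monitor", "trap", "buffered"):
            arg = parts[2] if len(parts) > 2 else "debugging"
            if arg == "disable":
                cfg[target] = None
            elif arg in SEVERITY:
                cfg[target] = SEVERITY[arg]
            # a numeric argument to 'logging buffered' is the buffer size only
        elif re.fullmatch(r"\d+\.\d+\.\d+\.\d+", target):
            cfg["hosts"].append(target)
    return cfg


def message_severity(msg: str) -> Optional[int]:
    m = MSG_RE.search(msg)
    return int(m.group("sev")) if m else None


def route_message(cfg: Dict[str, object], msg: str) -> List[str]:
    """Destinations that receive msg under cfg (trap is expanded per host)."""
    sev = message_severity(msg)
    if sev is None:
        return []
    out = [d for d in ("console", "monitor", "buffered")
           if cfg[d] is not None and sev <= cfg[d]]
    if cfg["trap"] is not None and sev <= cfg["trap"]:
        out.extend(f"trap:{h}" for h in cfg["hosts"])
    return out


def route_all(lines: List[str], messages: List[str]) -> List[List[str]]:
    cfg = parse_logging_config(lines)
    return [route_message(cfg, m) for m in messages]


if __name__ == "__main__":
    for msg, dests in zip(SAMPLE, route_all(CONFIG, SAMPLE)):
        print(msg.split(": ")[2], "->", dests)
```

With the figure's configuration, the severity-3 link-down message reaches the monitor, the buffer and both syslog hosts, the severity-5 login message reaches monitor and buffer only, and the severity-6 commit message is kept in the buffer alone; nothing reaches the console because it is disabled.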



Implementing SNMP
This topic describes how to implement SNMP to enable remote monitoring and management of
Cisco IOS XR devices.

Configuring SNMP v1 and SNMPv2c

Figure (slide 3-11): The SNMP agent is started with a community string; access can be
further restricted on an IP address basis with access lists.

ipv4 access-list SNMP
 permit 192.0.2.0 0.0.0.255
!
snmp-server community CommunityString RO SNMP

• SNMPv3 uses user-based authentication.
• User configuration specifies credentials for user authentication and group
membership.
• Group configuration specifies authentication and encryption settings
(and, optionally, views).
• There are three options for authentication and encryption:
- auth (authentication): HMAC-MD5 or HMAC-SHA without encryption
- noauth: no authentication and no encryption
- priv: authentication and encryption (DES)

snmp-server group group v3 auth
snmp-server user username Group v3 auth sha password

SNMP can be used for remote monitoring and management of network devices. SNMP is an
application-layer protocol that facilitates the exchange of management information between
network devices. By using SNMP-transported data (such as packets per second and network
error rates), network administrators can manage network performance, find and solve network
problems, and plan for network growth. The Cisco IOS XR software supports:
• SNMPv1 (community-string-based access control)
• SNMPv2c (extends v1 with bulk retrieval of data and acknowledged event messaging)
• SNMPv3 (adds user-based authentication, message integrity checks, and packet encryption)

SNMP is part of a larger architecture that is called the Internet Network Management
Framework (NMF), which is defined in Internet documents called RFCs. The SNMPv1 NMF is
defined by RFCs 1155, 1157, and 1212, and the SNMPv2 NMF is defined by RFCs 1441
through 1452. For more information on SNMPv3, see RFC 2272 and 2273.
SNMP is a popular protocol for managing diverse commercial internetworks and internetworks
that are used in universities and research organizations. SNMP-related standardization activity
continues even as vendors develop and release state-of-the-art, SNMP-based management
applications. SNMP is a relatively simple protocol, yet its feature set is sufficiently powerful to
manage the difficult problems that are presented when trying to manage current heterogeneous
networks.

• Version 1 and 2c restrict entire communities.
• Version 3 has per-group restrictions.

Figure (slide 3-12): Applying an SNMP view to a community (SNMPv1/v2c) and to a
group (SNMPv3).

snmp-server view IFView IF-MIB included
snmp-server community IFC7 view IFView RO

snmp-server view IFView IF-MIB included
snmp-server group IFGroup v3 noauth read IFView

In the Cisco IOS XR Software, access to the SNMP information may be restricted by using
SNMP views. The View-Based Access Control Model (VACM) enables SNMP users to control
access to SNMP-managed objects by supplying read, write, or notify access to SNMP objects.
It prevents access to objects that are restricted by views. These access policies can be set when
user groups are configured by using the snmp-server group command.
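The check that VACM performs is easy to reproduce. The following added example (not code from the guide or from Cisco) models a view as a family of included and excluded OID subtrees, where the most specific matching subtree decides, and maps an SNMPv1/v2c community or an SNMPv3 group to a read view, as the figure above does. Subtree masks from RFC 3415 are not modelled, the numeric subtrees standing in for "IF-MIB included" (the interfaces group 1.3.6.1.2.1.2 and ifMIB 1.3.6.1.2.1.31), the excluded ifPhysAddress column, and the user "student" in IFGroup are all constructed for the example.

```python
"""View-based access check in the style of VACM (added example, not Cisco code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def oid(s: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in s.strip(".").split("."))


@dataclass(frozen=True)
class ViewEntry:
    subtree: Tuple[int, ...]
    included: bool


class View:
    """Family of subtrees; the longest subtree that is a prefix of the target
    decides whether it is in the view. Masks (RFC 3415) are not modelled."""

    def __init__(self, name: str):
        self.name = name
        self.entries: List[ViewEntry] = []

    def add(self, subtree: str, included: bool = True) -> "View":
        self.entries.append(ViewEntry(oid(subtree), included))
        return self

    def allows(self, target: str) -> bool:
        t = oid(target)
        best: Optional[ViewEntry] = None
        for e in self.entries:
            if t[: len(e.subtree)] == e.subtree and (
                best is None or len(e.subtree) > len(best.subtree)
            ):
                best = e
        return best is not None and best.included   # no match => not in view


class Agent:
    def __init__(self):
        self.views: Dict[str, View] = {}
        self.community_view: Dict[str, str] = {}   # v1/v2c: community -> read view
        self.group_view: Dict[str, str] = {}       # v3: group -> read view
        self.user_group: Dict[str, str] = {}       # v3: user -> group

    def can_read(self, principal: str, target: str, version: str) -> bool:
        """principal is a community (v1/v2c) or a user name (v3)."""
        if version in ("v1", "v2c"):
            vname = self.community_view.get(principal)
        else:
            vname = self.group_view.get(self.user_group.get(principal, ""))
        return vname in self.views and self.views[vname].allows(target)


def sample_agent() -> Agent:
    """Mirror the figure: IFView bound to community IFC7 and to group IFGroup.
    Subtrees and the excluded ifPhysAddress column are constructed."""
    a = Agent()
    a.views["IFView"] = (View("IFView")
                         .add("1.3.6.1.2.1.2")            # interfaces group
                         .add("1.3.6.1.2.1.31")           # ifMIB
                         .add("1.3.6.1.2.1.2.2.1.6", included=False))  # ifPhysAddress
    a.community_view["IFC7"] = "IFView"
    a.group_view["IFGroup"] = "IFView"
    a.user_group["student"] = "IFGroup"                  # constructed user
    return a


if __name__ == "__main__":
    agent = sample_agent()
    for principal, target, ver in [("IFC7", "1.3.6.1.2.1.2.2.1.10.3", "v2c"),
                                   ("IFC7", "1.3.6.1.2.1.1.1.0", "v2c"),
                                   ("student", "1.3.6.1.2.1.2.2.1.6.3", "v3")]:
        print(ver, principal, target, "->", agent.can_read(principal, target, ver))
```

The excluded entry shows why the most-specific rule matters: ifInOctets (1.3.6.1.2.1.2.2.1.10) is readable because the interfaces subtree includes it, while ifPhysAddress (1.3.6.1.2.1.2.2.1.6) under the same subtree is denied by the longer excluded entry; sysDescr (1.3.6.1.2.1.1.1.0) matches no entry and is denied outright.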



Telnet Connections to Remote Devices
This topic describes how to initiate a Telnet connection to a remote device.

Figure (slide 3-13): PE1 (192.168.101.10) opens a Telnet session to CE1
(192.168.101.11); PE2 is 192.168.101.20.

RP/0/RSP0/CPU0:PE1#telnet 192.168.101.11
Trying 192.168.101.11...
Connected to 192.168.101.11.
Escape character is '^^'.

User Access Verification

Password: <cisco>
CE1>

CE1#show users
Line User Host(s) Idle Location
* 0 con 0 idle 00:00:00
388 vty 0 idle 00:00:08 192.168.101.10

Interface User Mode Idle Peer Address

RP/0/RSP0/CPU0:PE1#show sessions
Thu May 11 22:38:07.543 UTC
Conn Host Address Service Idle Conn Name
* 1 192.168.101.11 192.168.101.11 telnet 19 192.168.101.11

Telnet or SSH applications are useful for connecting to remote devices. Network administrators
can connect to a router or switch locally or remotely. As companies get bigger, and as the
number of routers and switches in the network grows, the workload to connect to all of the
devices locally can become overwhelming.
Telnet and SSH are Virtual Terminal Protocols (VTPs) that are part of the TCP/IP suite. The
protocols allow connections and remote console sessions from one network device to one or
more other remote devices. Remote administrative access is more convenient than local access
for administrators that have many devices to manage. However, if it is not implemented
securely, an attacker could collect valuable confidential information. For example, using Telnet
to implement remote administrative access is insecure, because Telnet forwards all network
traffic in cleartext. An attacker could capture network traffic while an administrator is logged in
remotely to a router and sniff the administrator passwords or router configuration information.
Therefore, remote administrative access must be configured with additional security
precautions.
To log onto a host that supports Telnet, use the telnet user EXEC command.
Use the show sessions command on the originating router or switch to verify Telnet
connectivity and to display a list of hosts to which a connection has been established. This
command displays the hostname, the IP address, the byte count, the amount of time that the
device has been idle, and the connection name that is assigned to the session. If multiple
sessions are in progress, the asterisk (*) indicates which was the last session and to which
session the user will return if the Enter key is pressed.

Use the show users command to learn whether the console port is active. Use it also to list all
active Telnet or SSH sessions with the IP address or IP alias of the originating host on the local
device. In the output of the show users command, the “con” line represents the local console,
and the “vty” line represents a remote connection. The “388” next to the vty value in the
example indicates the vty line number, not its port number. If there are multiple users, the
asterisk (*) denotes the current terminal session user.



Figure (slide 3-14): Managing Telnet sessions between PE1 (192.168.101.10) and CE1
(192.168.101.11).

Closing the session opened by a remote device (on CE1):

CE1#show users
Line User Host(s) Idle Location
* 0 con 0 idle 00:00:00
388 vty 0 idle 00:00:14 192.168.101.10

Interface User Mode Idle Peer Address

CE1#clear line 388
[confirm]
[OK]

Suspending a Telnet session:

CE1> <Ctrl-Shift-6>,x
RP/0/RSP0/CPU0:PE1#show sessions
Thu May 11 23:26:52.105 UTC
Conn Host Address Service Idle Conn Name
* 1 192.168.101.11 192.168.101.11 telnet 11 192.168.101.11

Resuming a Telnet session:

RP/0/RSP0/CPU0:PE1#resume 1
[Resuming connection 1 to 192.168.101.11...]
CE1>

Closing the current session opened by the local device:

RP/0/RSP0/CPU0:PE1#disconnect 1
Closing connection 1 to 192.168.101.11 [confirm]?
Connection closed.
RP/0/RSP0/CPU0:PE1#

After you are connected to a remote device, you may want to access a local device without
terminating the Telnet session. Telnet allows temporary suspension and resumption of a remote
session.
The figure shows a Telnet session from PE1 to CE1. The key sequence that is shown is entered
to suspend the session. The prompt of the local system indicates that the Telnet session has
been suspended. To suspend a Telnet session and escape from the remote target system back to
a local router, use the command Ctrl-Shift-6 or Ctrl-^ (depending on your keyboard),
followed by the character x.
To reestablish a suspended Telnet session, follow these steps:
Step 1 Press the Enter key.
Step 2 Enter the resume command if there is only one session. Enter the resume session-
number command to reconnect to a specific Telnet session.

Note Enter the show sessions command to find the session number.

Note Entering the resume command without the session number argument will resume the last
active session.

You can end a Telnet session on a Cisco device by using the exit, logout, disconnect, or clear
command. You can close a Telnet session on a Cisco network device by using one of the
following methods:
• From a remote device, use the exit or the logout command to log out of the console session
and return the session to the local device.
• From the local device:
- Use the disconnect command when there are multiple sessions.
- Use the disconnect session-number command to disconnect a single session.
• To close a Telnet session from a foreign host, use the clear line linenumber command.
SSH Connection to Remote Devices
This topic describes how to initiate an SSH connection to a remote device.

Figure (slide 3-15): SSH from CE1 (192.168.101.11, Cisco IOS) and from PE1
(192.168.101.10, Cisco IOS XR) to PE2 (192.168.101.20).

CE1#ssh -l student 192.168.101.20
Password: <cisco>
PE2>

RP/0/RSP0/CPU0:PE1#ssh 192.168.101.20 username student
Password: <cisco>
PE2>

PE2#show ssh
Connection Version Mode Encryption Hmac State Username
0 1.99 IN aes128-cbc hmac-sha1 Session started student
0 1.99 OUT aes128-cbc hmac-sha1 Session started student
1 1.99 IN 3des-cbc hmac-md5 Session started student
1 1.99 OUT 3des-cbc hmac-md5 Session started student
%No SSHv1 server connections running.

The SSH feature has an SSH server and an SSH integrated client, which are applications that
run on the Cisco routers.
To start an encrypted session with a remote networking device, use the ssh user EXEC
command. The example shows two commands:
• The ssh -l username IP-address Cisco IOS and Cisco IOS XE Software command
• The ssh IP-address username username Cisco IOS XR Software command

To display the status of the SSH server connections, use the show ssh command in the
privileged EXEC mode.



Connectivity Tests
This topic describes how to use the ping command to test connectivity.

Figure (slide 3-16): ping and traceroute output, with the meaning of each response
character.

RP/0/RSP0/CPU0:PE1#ping 192.168.101.11
Thu May 11 23:50:13.538 UTC
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

RP/0/RSP0/CPU0:PE1#traceroute 10.1.10.1
Thu May 11 23:50:22.857 UTC
Type escape sequence to abort.
Tracing the route to 10.1.10.1
1 192.168.101.11 2 msec * 0 msec

Ping characters:
!  Receipt of a reply.
.  The network server timed out while waiting for a reply.
U  A destination unreachable protocol data unit (PDU) was received.
Q  Source quench (destination too busy).
M  A router along the path could not fragment the transmitted packet, and the
   transmitted packet was larger than the allowed maximum transmission unit (MTU)
   on the affected link.
?  Unknown packet type.
&  Lifetime of the packet was exceeded.

Traceroute characters:
nn msec  For each node, the round-trip time (RTT) in milliseconds for the specified
         number of probes
*  The probe timed out
A  Administratively prohibited (for example, access list)
Q  Source quench (destination too busy)
I  User-interrupted test
U  Port unreachable
H  Host unreachable
N  Network unreachable
P  Protocol unreachable
T  Timeout
?  Unknown packet type

The ping and the traceroute commands provide information about connectivity to remote
devices and the path to them. You can compile relevant device information about local and
remote networks by using Cisco Discovery Protocol, SSH, and Telnet. This information is
useful for creating and maintaining a network topology map. Here are other tools that can aid in
testing and troubleshooting a network topology:
• ping: This command verifies network connectivity. Ping tells the minimum, average, and
maximum times that it takes for ping packets to find the specified system and return. This
information can validate the reliability of the path to a specified system.
• traceroute: This command shows the actual routes that the packets take between network
devices. A device, such as a router or switch, sends out a sequence of User Datagram
Protocol (UDP) datagrams to an invalid port address at the remote host. Three datagrams
are sent, each with a Time to Live (TTL) field value that is set to 1.

The TTL value of 1 causes the datagram to time out as soon as it reaches the first router in
the path. The router then responds with an Internet Control Message Protocol (ICMP) Time
Exceeded Message (TEM) indicating that the datagram has expired. Another three UDP
messages are then sent, each with the TTL value set to 2, which causes the second router to
return ICMP TEMs. The traceroute network diagnostic tool then progressively increments
the TTL field (3, 4, 5, and so on) for each sequence of messages.

This sequence provides a traceroute with the address of each hop as the packets time out
further down the path. The TTL field continues to be increased until the destination is
reached or it is incremented to a predefined maximum. Once the final destination is
reached, the host responds with either an ICMP port unreachable message or an ICMP
echo-reply message instead of the ICMP TEM. The purpose is to record the source of each
ICMP TEM to provide a trace of the path that the packet took to reach the destination.
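The TTL mechanism described above can be simulated without touching the network. The following added example (not code from the guide or from Cisco) models a path of routers that each decrement the TTL and answer with an ICMP Time Exceeded message when it reaches zero, and a destination host that answers a UDP probe to an invalid port with ICMP port unreachable. It also covers the case the "*" character in the figure stands for: a hop that silently drops expired probes. The first hop address comes from the figure; the remaining addresses and the silent hop are constructed.

```python
"""Simulate how traceroute discovers a path (added example, not Cisco code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Reply = Tuple[str, str]   # (reply type, address the reply came from)


@dataclass
class Hop:
    address: str
    replies: bool = True   # False: the hop drops expired probes without an ICMP TEM


@dataclass
class Path:
    routers: List[Hop]     # routers between the source and the destination, in order
    destination: str       # host that will answer with ICMP port unreachable


def send_probe(path: Path, ttl: int) -> Optional[Reply]:
    """Forward one UDP probe with the given TTL. Returns the ICMP reply, or
    None when nothing comes back before the timeout ('*' in the output)."""
    for hop in path.routers:
        ttl -= 1                      # every router decrements TTL before forwarding
        if ttl == 0:                  # expired here: ICMP Time Exceeded from this router
            return ("time-exceeded", hop.address) if hop.replies else None
    # reached the destination: UDP to an invalid port -> ICMP port unreachable
    return ("port-unreachable", path.destination)


def traceroute(path: Path, probes: int = 3, max_ttl: int = 30) -> List[Tuple[int, List[Optional[str]]]]:
    """Increase TTL from 1 upward, sending `probes` datagrams per TTL, until the
    destination answers or max_ttl is reached. Each entry is (ttl, addresses)."""
    result: List[Tuple[int, List[Optional[str]]]] = []
    for ttl in range(1, max_ttl + 1):
        replies = [send_probe(path, ttl) for _ in range(probes)]
        result.append((ttl, [r[1] if r else None for r in replies]))
        if any(r is not None and r[0] == "port-unreachable" for r in replies):
            break                     # final destination reached: stop incrementing
    return result


def render(trace: List[Tuple[int, List[Optional[str]]]]) -> List[str]:
    """One line per TTL in the style of the figure; '*' marks a timed-out probe."""
    return [f"{ttl} " + " ".join(a if a else "*" for a in addrs) for ttl, addrs in trace]


def sample_path() -> Path:
    # Constructed: CE1 from the figure, then a silent hop, then one more router.
    return Path(routers=[Hop("192.168.101.11"), Hop("10.0.0.2", replies=False),
                         Hop("10.0.0.6")], destination="10.1.10.1")


if __name__ == "__main__":
    for line in render(traceroute(sample_path())):
        print(line)
```

Running it prints four lines: the first router's address at TTL 1, "* * *" at TTL 2 for the hop that never sends a Time Exceeded message, the third router at TTL 3, and the destination at TTL 4, after which the loop stops because a port unreachable reply arrived. Lowering max_ttl shows the other stop condition, an incomplete trace that ends at the predefined maximum.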

Summary
This topic summarizes the key points that were discussed in this lesson.

• Threats to routers can be broadly divided into physical and network based.
• In IOS XR you cannot configure only a line password – username and
password authentication is required.
• SSH is an evolution of RSH protocol suite and features encryption,
something that telnet lacks.
• IOS XR features task groups which define permitted actions, and user
groups just like those found in other multiuser operating systems.
• Group membership is configured under user settings.
• To use TACACS+ or RADIUS you need to configure authentication host and
key.
• Use monitor logging when you want to see logs while logged in remotely.
• You can use SNMP to see device status and to receive SNMP traps.
• You can use local console or remote protocols to connect to the router.
• A router can also act as a client for SSH or telnet.
• Use ping command to test connectivity.
© 2012 Cisco and/or its affiliates. All rights reserved. SPNGN1 v1.01—3-17



Module Summary
This topic summarizes the key points that were discussed in this module.

• The primary functions of a router are path determination and packet forwarding
between multiple networks. Routing tables provide an ordered list of best paths
to known networks, learned via static or dynamic entries.
• Cisco routers run three different Cisco IOS versions: IOS, IOS XE, and IOS XR.
Management access options that are available to Cisco routers are console,
auxiliary console, and IP connectivity to management interfaces or virtual
address.
• Dynamic routing protocols discover remote networks, maintain up-to-date
routing information, and select the best path to destination networks. To enable a
dynamic routing protocol, select a routing protocol and specify networks or
interfaces.
• EIGRP is a classless, advanced distance vector routing protocol that runs the
DUAL algorithm. EIGRP requires you to configure an autonomous system
number that must match on all routers to exchange routes.
• The first level of security is physical. Passwords restrict access, and the login
banner displays a message before the user is prompted for a username. SSH is
more secure than Telnet.

© 2012 Cisco and/or its affiliates. All rights reserved. SPNGN1 v1.01—3-1

Routers gather and maintain routing information to enable the transmission and receipt of
packets. Various classes of routing protocols allow for different features in each network. The
Enhanced Interior Gateway Routing Protocol (EIGRP), Open Shortest Path First (OSPF), and
the Intermediate System-to-Intermediate System (IS-IS) routing protocol each provide different
features and capabilities.
You can further tune these routing protocols by implementing variable-length subnet masks
(VLSMs) and route summarization. Propagating classless interdomain routing (CIDR)
supernets or VLSM subnets requires a classless routing protocol. A classless routing protocol
includes the subnet mask along with the network address in the routing update. It is up to
network administrators to be knowledgeable about each protocol. Consequently, they can
implement the most appropriate routing protocol that is based on the individual needs of their
networks.



Module Self-Check
Use the questions here to review what you learned in this module. The correct answers and
solutions are found in the Module Self-Check Answer Key.
Q1) Which three components are common to routers, switches, and computers? (Choose
three.) (Source: Exploring the Functions of Routing)
A) RAM
B) CPU
C) motherboard
D) keyboard
Q2) Which two types of ports do routers have? (Choose two.) (Source: Exploring the
Functions of Routing)
A) printer
B) console
C) network
D) CD-ROM
Q3) What are two functions of a router in a network? (Choose two.) (Source: Exploring the
Functions of Routing)
A) maintain their routing tables and ensure that other routers know of changes in
the network
B) use the routing table to determine where to forward packets
C) strengthen the signal over large distances in a network
D) create larger collision domains
E) use ICMP to communicate network information from their own routing table
with other routers
Q4) Which three statements about the path determination process are accurate? (Choose
three.) (Source: Exploring the Functions of Routing)
A) Routers evaluate the available paths to a destination.
B) The routing process uses metrics and administrative distances when evaluating
network paths.
C) Dynamic routing occurs when the network administrator configures
information on each router.
D) Dynamic routing occurs when information is learned by using routing
information that is obtained from routing protocols.
E) A default route holds an explicit route to every network.
F) The routing table holds multiple entries per network.
Q5) What contains routing information that helps a router determine the routing path?
(Source: Exploring the Functions of Routing)
A) IP address
B) MAC address
C) routing table
D) routing protocol



Q6) Which three statements describe the function of routing tables? (Choose three.)
(Source: Exploring the Functions of Routing)
A) Routing tables provide an ordered list of known network addresses.
B) Routing tables are maintained through the transmission of MAC addresses.
C) Routing tables contain metrics that are used to determine the desirability of the
route.
D) Routing table associations tell a router that a particular destination is either
directly connected to the router or that it can be reached via another router (the
next-hop router) on the way to the final destination.
E) When a router receives an incoming packet, it uses the source address and
searches the routing table to find the best path for the data from that source.
F) Routing tables are used to compare which routing protocols allow reaching the
destination network.
Q7) Match each method of populating a routing table to its definition. (Source: Exploring
the Functions of Routing)
_____ 1. This route comes from having interfaces that are attached to network
segments. This entry is obviously the most certain; if the interface fails or
is administratively shut down, the entry for that network will be removed
from the routing table.
_____ 2. This optional route is used when no explicit path to a destination is found
in the routing table. This entry can be manually inserted or can be
populated from a dynamic routing protocol.
_____ 3. This route is entered manually by a system administrator directly into the
configuration of a router.
_____ 4. This route is learned by the router, and the information is responsive to
changes in the network so that the router is constantly being updated.
A) static routing
B) dynamic routing
C) default route
D) directly connected network
Q8) Which three metrics are most commonly used by routing protocols to determine a
network path? (Choose three.) (Source: Exploring the Functions of Routing)
A) hop count
B) bandwidth
C) delay
D) packet length
E) distance
F) quantity

Q9) Which three statements accurately describe a distance vector protocol? (Choose three.)
(Source: Exploring the Functions of Routing)
A) RIP was developed by Cisco to address the issues that are associated with
routing in medium-size LANs.
B) Examples of this protocol include RIP.
C) This protocol determines the direction (vector) and distance (hop count) to any
network in the internetwork.
D) Using this protocol, a router needs to know the entire path to every network
segment.
E) This process is also known as “routing by rumor.”
F) Routers that are running the distance vector routing protocol send periodic
updates only when there are changes in the network.
Q10) Which three statements accurately describe a link-state routing protocol? (Choose
three.) (Source: Exploring the Functions of Routing)
A) The link-state database is used to calculate the paths with the highest
bandwidths on the network.
B) Link-state routing protocols respond quickly to network changes.
C) In link-state routing protocols, each router periodically sends messages to the
network, listing the routers to which it is directly connected and also
information about whether the link to each router is active.
D) Link-state routing protocols send periodic updates (link-state refreshes) at long
time intervals, approximately once every 30 minutes.
E) In link-state routing protocols, every router tries to build its own internal map
of the network topology.
F) Link-state routing protocols send periodic detailed routing tables even if no
network changes have occurred.
Q11) Which three operating systems run on Cisco routers? (Choose three.) (Source:
Introducing the Cisco IOS XR)
A) Cisco IOS
B) Cisco IOS XR
C) CatOS
D) Cisco IOS XE
Q12) Which three routers run the Cisco IOS XR operating system? (Choose three.) (Source:
Introducing the Cisco IOS XR)
A) Cisco CRS-1 and CRS-3
B) Cisco XR 12000 Series Routers
C) Cisco ASR 9000 Series Routers
D) Cisco ASR 1000 Series Routers
E) Cisco ISR Series Routers
Q13) Which four management access options are available to the Cisco IOS XR router?
(Choose four.) (Source: Introducing the Cisco IOS XR)
A) console
B) auxiliary console
C) IP connectivity to the management interfaces
D) IP connectivity to a virtual IP address
E) Cisco Configuration Professional tool



Q14) Cisco IOS XR Software allows an administrator to access admin mode. What are the
three general purposes of using the administrator mode? (Choose three.) (Source:
Introducing the Cisco IOS XR)
A) viewing different show outputs from the router
B) software installations to the router
C) managing SDR
D) changing the configuration register
E) debug router operation
Q15) Which three Cisco IOS XR Software commands are used to return from configuration
mode to the EXEC mode? (Choose three.) (Source: Introducing the Cisco IOS XR)
A) exit
B) end
C) Control-Z
D) configure
E) admin
Q16) Which Cisco IOS XR Software command applies and saves all entered configuration?
(Source: Introducing the Cisco IOS XR)
A) put
B) save
C) load
D) commit
E) admin
Q17) Which statement most accurately describes static and dynamic routes? (Source:
Configuring Basic Routing)
A) Dynamic routes are manually configured by a network administrator, whereas
static routes are automatically learned and adjusted by a routing protocol.
B) Static routes are manually configured by a network administrator, whereas
dynamic routes are automatically learned and adjusted by a routing protocol.
C) Static routes tell the router how to forward packets to networks that are not
directly connected, whereas dynamic routes tell the router how to forward
packets to networks that are directly connected.
D) Dynamic routes tell the router how to forward packets to networks that are not
directly connected, whereas static routes tell the router how to forward packets
to networks that are directly connected.
Q18) What does the command ip route 186.157.5.0 255.255.255.0 10.1.1.3 specify?
(Source: Configuring Basic Routing)
A) Both 186.157.5.0 and 10.1.1.3 use a mask of 255.255.255.0.
B) The router should use network 186.157.5.0 to get to address 10.1.1.3.
C) You want the router to trace a route to network 186.157.5.0 via 10.1.1.3.
D) The router should use address 10.1.1.3 to get to devices on network
186.157.5.0/24.

Q19) Which command displays information about static route configuration on a Cisco IOS
router? (Source: Configuring Basic Routing)
A) show route ip
B) show ip route
C) show route static
D) show chap authentication will be used unless the remote routers reject PAP
Q20) Which protocol is an example of an exterior gateway protocol? (Source: Configuring
Basic Routing)
A) RIP
B) BGP
C) IGRP
D) EIGRP
Q21) In which situation is an administrative distance required? (Source: Configuring Basic
Routing)
A) when static routes are defined
B) when dynamic routing is enabled
C) when the same route is learned via multiple routing protocols
D) when multiple paths are available to the same destination and they are all
learned via the same routing protocol
Q22) How does a distance vector router learn about paths for networks that are not directly
connected? (Source: Configuring Basic Routing)
A) from the source router
B) from neighboring routers
C) from the destination router
D) learns only about directly connected networks
Q23) What does a distance vector router send to its neighboring routers as part of a periodic
routing table update? (Source: Configuring Basic Routing)
A) the entire routing table
B) information about new routes
C) information about routes that have changed
D) information about routes that no longer exist
Q24) What is the maximum allowable hop count for RIP? (Source: Configuring Basic
Routing)
A) 6
B) 15
C) 30
D) 60
Q25) With RIP, load balancing is performed over multiple paths that have which
characteristic? (Source: Configuring Basic Routing)
A) equal cost
B) equal weight
C) equal distance
D) equal bandwidth



Q26) Which Cisco IOS command specifies RIP as the routing protocol? (Source:
Configuring Basic Routing)
A) Router(config)#rip
B) Router(config)#router rip
C) Router(config-router)#rip AS_number
D) Router(config-router)#router rip AS_number
Q27) What is the default value of the RIP hold-down timer? (Source: Configuring Basic
Routing)
A) 30 seconds
B) 60 seconds
C) 90 seconds
D) 180 seconds
Q28) With distance vector routing, a count to infinity can be prevented by setting a
maximum for which value? (Source: Configuring Basic Routing)
A) metric
B) update time
C) hold-down time
D) administrative distance
Q29) What does “split horizon” specify? (Source: Configuring Basic Routing)
A) that information about a route should not be sent in any direction
B) that information about a route should not be sent back in the direction from
which the original information came
C) that information about a route should be sent back in the direction from which
the original information came
D) that information about a route should be sent back only in the direction from
which the original information came
Q30) When a router sets the metric for a down network to the maximum value, what is it
doing? (Source: Configuring Basic Routing)
A) triggering the route
B) poisoning the route
C) applying split horizon
D) putting the route in holddown
Q31) If a route for a network is in holddown and an update arrives from a neighboring router
with the same metric as was originally recorded for the network, what does the router
do? (Source: Configuring Basic Routing)
A) ignores the update
B) increments the hold-down timer
C) marks the network as “accessible” and removes the hold-down timer
D) marks the network as “accessible” but keeps the hold-down timer on

Q32) If a router has a network path in holddown and an update arrives from a neighboring
router with a better metric than was originally recorded for the network, which two
things does it do? (Choose two.) (Source: Configuring Basic Routing)
A) removes the holddown
B) continues the holddown
C) marks the route as “accessible”
D) marks the route as “inaccessible”
E) marks the route as “possibly down”
Q33) How do you minimize the bandwidth requirement for EIGRP packets? (Source:
Configuring EIGRP)
A) by propagating only data packets
B) by propagating only hello packets
C) by propagating only routing table changes and hello packets
D) by propagating the entire routing table only to those routers that are affected by
a topology change
Q34) Which command displays the amount of time since the router heard from an EIGRP
neighbor? (Source: Configuring EIGRP)
A) show ip eigrp traffic
B) show ip eigrp topology
C) show ip eigrp interfaces
D) show ip eigrp neighbors
Q35) Which command must you configure for EIGRP to pass the subnet mask with the
route? (Source: Configuring EIGRP)
A) ip classless
B) no auto-summary
C) no summary
D) ip subnet vlsm
Q36) Which command displays whether route filtering has been enabled? (Source:
Configuring EIGRP)
A) show interface
B) show access-list
C) show ip protocols
D) show route-filter
Q37) Which form of EIGRP authentication is supported on Cisco IOS XR? (Source:
Configuring EIGRP)
A) plaintext
B) 3DES
C) MD5
D) both A and C
Q38) Which two would be considered a physical threat? (Choose two.) (Source:
Understanding Cisco Router Security)
A) a user leaving the password in the desk
B) someone turning off the power to the switch to block network access
C) someone turning off the air conditioning system in the network closet
D) someone breaking into the cabinet that contains the network documentation



Q39) Which four of the following can be protected with a password? (Choose four.) (Source:
Understanding Cisco Router Security)
A) console access
B) vty access
C) tty access
D) user-level access
E) EXEC-level access
F) routing process access
G) interface addresses access
H) backed up configuration access
Q40) Which customized text is displayed before the username and password login prompts?
(Source: Understanding Cisco Router Security)
A) message-of-the-day banner
B) login banner
C) access warning
D) user banner
E) warning message
Q41) Which is the most secure method of remotely accessing a network device? (Source:
Understanding Cisco Router Security)
A) HTTP
B) Telnet
C) SSH
D) RMON
E) SNMP
Q42) What is a Cisco IOS XR tool that can be used for secure remote access to another
device? (Source: Understanding Cisco Router Security)
A) SSH
B) SDM
C) ping
D) Telnet
E) traceroute
Q43) Which command would you use to see who has Telnet sessions to your router?
(Source: Understanding Cisco Router Security)
A) show user
B) show telnet
C) show sessions
D) show connections
Q44) What would you use to suspend a Telnet session? (Source: Understanding Cisco Router
Security)
A) end keyword
B) suspend keyword
C) Ctrl-Shift-6 key sequence
D) Ctrl-Shift-Del key sequence

Module Self-Check Answer Key
Q1) A, B, C
Q2) B, C
Q3) A, B
Q4) A, B, D
Q5) C
Q6) A, C, D
Q7) 1 = D, 2 = C, 3 = A, 4 = B
Q8) A, B, C
Q9) B, C, E
Q10) B, D, E
Q11) A, B, D
Q12) A, B, C
Q13) A, B, C, D
Q14) B, C, D
Q15) A, B, C
Q16) D
Q17) B
Q18) D
Q19) B
Q20) B
Q21) C
Q22) B
Q23) A
Q24) B
Q25) A
Q26) B
Q27) D
Q28) A
Q29) B
Q30) B
Q31) A
Q32) A, C
Q33) C
Q34) D
Q35) B
Q36) C
Q37) C
Q38) B, C
Q39) A, B, C, E
Q40) B
Q41) C

Q42) A
Q43) A
Q44) C

Module 4
Connectivity Technologies
Overview
When sites are located at different geographic locations, a WAN provides interconnections
between the sites. WANs are most often charge-for-service networks that enable you to access
resources across a wide geographic area. There are several types of WANs, including
point-to-point leased lines, circuit-switched networks, and packet-switched networks. There are
also many physical network devices that are used in the WAN and many access and encapsulation
technologies such as DSL, cable, ATM, PPP, and Fiber to the x (FTTx).
As organizations merge, addresses sometimes become limited or addressing conflicts arise. One
of the most common addressing issues occurs when a network that uses private addressing is
connected to the Internet, which uses public addressing. Network Address Translation (NAT)
and Port Address Translation (PAT) are two protocols that you can use to address these issues.
It is becoming common to interconnect small sites via the Internet. In these implementations, it
is a usual practice for the ISP to dynamically assign the interface address by using DHCP. To
be compatible with this implementation, a router can act as a DHCP client.
An IP Security (IPsec) VPN uses the Internet to connect branch offices, remote employees, and
business partners to the resources of your company. It is a reliable way to maintain your
company privacy while streamlining operations, reducing costs, and allowing flexible network
administration.

Module Objectives
Upon completing this module, you will be able to define the characteristics, functions, and
components of a service provider WAN network. This ability includes being able to meet these
objectives:
 Describe the functions and characteristics of a WAN
 Define service provider access and transport technologies
 Enable the WAN Internet connection
 Describe various encapsulation types and how to configure them
 Describe the uses and benefits of VPNs for site-to-site and remote-user access
Lesson 1
Describing Access Technologies
Overview
As an enterprise grows beyond a single location, it becomes necessary to interconnect LANs in
various locations to form a WAN. Several technologies are involved in the functioning of
WANs, including hardware devices and software functions. Carrier Ethernet enables service
providers to offer Ethernet services to customers. This lesson describes the functions and
characteristics of WANs and Carrier Ethernet.

Objectives
Upon completing this lesson, you will be able to describe the functions and characteristics of a
WAN. You will be able to meet these objectives:
 Describe fundamental differences between WAN and LAN
 Compare WANs and LANs
 Describe how WANs connect geographically dispersed LANs
 Describe the functions of the hardware devices that are typically found in more traditional
WAN environments
 Describe the WAN physical layer
 List the major protocols that operate in a WAN environment
 Describe the link options available to access the WANs
 Describe how WANs function in relation to the OSI reference model
 Describe Carrier Ethernet
 Describe the various technologies that can transport Ethernet services across the WAN
 Describe the protocols that are used to manage services in a carrier Ethernet environment
Introducing WANs
A WAN is a data communications network that operates beyond the geographic scope of a
LAN. This topic describes fundamental differences between WAN and LAN.


WANs use facilities that are provided by a service provider, or carrier, such as a telephone or
cable company. They connect the locations of an organization to each other, to locations of
other organizations, to external services, and to remote users. WANs generally carry various
traffic types, such as voice, data, and video.
Here are the three major characteristics of WANs:
 WANs connect devices that are separated by wide geographical areas.
 WANs use the services of carriers, such as telephone companies, cable companies, satellite
systems, and network providers.
 WANs use various connection types to provide access to bandwidth over large geographic
areas.


There are several reasons why WANs are necessary in a communications environment. LAN
technologies provide both speed and cost-efficiency for the transmission of data in
organizations in relatively small geographic areas. However, there are other business needs that
require communication among remote users, including the following:
 People in the regional or branch offices of an organization need to be able to communicate
and share data.
 Organizations often want to share information with other organizations across large
distances. For example, software manufacturers routinely communicate product and
promotion information to distributors that sell their products to end users.
 Employees who travel on company business frequently need to access information that
resides on their corporate networks.

In addition, home computer users need to send and receive data across increasingly larger
distances. Here are some examples:
 It is now common in many households for consumers to communicate via computers with
banks, stores, and providers of goods and services.
 Students do research for classes by accessing library indexes and publications that are
located in other parts of the country and in other parts of the world.

Since it is obviously not feasible to connect computers across a country or around the world
with cables, different technologies have evolved to support this need. WANs allow
organizations and individuals to meet their wide-area communication needs.



WANs vs. LANs
This topic compares WANs and LANs.

              WANs                                    LANs
Area          Wide geographic area                    Single building or small geographic area
Ownership     Subscription to outside service         Owned by organization
              provider

WANs are different from LANs in several ways. The most significant differences are
geographical area and ownership. While a LAN connects computers, peripherals, and other
devices in a single building or other small geographic area, a WAN allows the transmission of
data across broad geographic distances. In addition, a company or organization must subscribe
to an outside WAN service provider to use WAN carrier network services. LANs are typically
owned by the company or organization that uses them.

WAN—Multiple WANs
This topic describes how WANs connect geographically dispersed LANs.


An enterprise WAN is actually a collection of separate but connected LANs, and routers play a
central role in transmitting data through this interconnected network. Routers have both LAN
and WAN interfaces, and while a router is used to segment LANs, it is also used as the WAN
access connection device. The functions and role of a router in accessing the WAN can be best
understood by looking at the types of connections that are available on the router.
There are three basic types of connections on a router: LAN interfaces, WAN interfaces, and
management ports. LAN interfaces allow the router to connect to the LAN media through
Ethernet or some other LAN technology such as Token Ring or ATM.
WAN connections are made through a WAN interface on a router to a service provider, a
distant site, or the Internet. These may be serial connections or any number of other WAN
interfaces. With some types of WAN interfaces, an external device such as a DSU/CSU or
modem (such as an analog modem, cable modem, or DSL modem) is required to connect the
router to the local point of presence (POP) of the service provider. The physical demarcation
point is the place where the responsibility for the connection changes from the user to the
service provider. This is very important because when problems arise, each side of the link
needs to be able to show whether the problem resides on its side of the demarcation point.
The management ports provide a text-based connection that allows for configuration and
troubleshooting of a router. The common management interfaces are the console and auxiliary
ports. These ports are connected to a communications port on a computer. The computer must
run a terminal emulation program to provide a text-based session with the router, which enables
you to manage the device.



WAN Hardware
This topic describes the functions of the hardware devices that are typically found in the more
traditional WAN environments.

• Routers
• Access servers
• Modems
• CSU/DSU
• WAN switches
• Core routers


Several devices operate at the physical layer in a WAN. The following devices are used for
WAN access:
 Routers: Routers provide internetworking and WAN access interface ports.
 Communication servers: Communication servers concentrate dial-in and dial-out user
communications.
 Modems or DSUs/CSUs: On analog lines, modems convert the digital signal of the sending
device into analog format for transmission over the analog line, and the receiving modem
converts the analog signal back to digital form so that it can be received and processed by the
receiving device on the network. For digital lines, a CSU and a DSU are required. The two are
often combined into a single piece of equipment called the DSU/CSU. The DSU/CSU may also
be built into the interface card in the router.
 WAN networking devices: Other devices such as ATM switches, Frame Relay switches,
public switched telephone network (PSTN) switches, optical switches, and aggregation
routers are also used within the cloud to support the access services.
 Core routers: Routers that reside in the backbone of the WAN.

Physical Layer: WANs
This topic describes the WAN physical layer.

Figure: Serial interface protocols

Devices on the subscriber premises are referred to as customer premises equipment (CPE). The
subscriber owns the CPE or leases the CPE from the service provider. A copper or fiber cable
connects the CPE to the nearest exchange or central office (CO) of the service provider. This
cabling is often called the local loop or last mile. An analog transmission (such as a
telephone call) is connected locally to other local loops, or nonlocally through a trunk to a
primary center. The analog signal then goes to a sectional center and on to a regional or
international carrier center as the call travels to its destination.
For the local loop to carry data, however, a device such as a modem or DSU/CSU is needed to
prepare the data for transmission. Devices that put data on the local loop are called DCEs. The
customer devices that pass the data to the DCE are called DTEs. The DCE primarily provides an
interface for the DTE into the communication link on the WAN cloud.
The WAN access physical layer describes the interface between the DTE and the DCE.


Cisco routers support the EIA/TIA-232, EIA/TIA-449, V.35, X.21, and EIA/TIA-530 standards
for serial connections.
When you order the cable, you receive a shielded serial transition cable that has the appropriate
connector for the standard that you specify. The router end of the shielded serial transition
cable has a DB-60 connector, which connects to the DB-60 port on a serial WAN interface card
(WIC). Because five different cable types are supported with this port, the port is sometimes
called a five-in-one serial port. The other end of the serial transition cable is available with the
connector that is appropriate for the standard that you specify. The documentation for the
device to which you want to connect should indicate the standard for that device.
Your CPE, in this case a router, is the DTE. The DCE, commonly a modem or a
DSU/CSU, is the device that is used to convert the user data from the DTE into a form that is
acceptable to the WAN service provider. The synchronous serial port on the router is
configured as DTE or DCE (except EIA/TIA-530, which is DTE only), depending on the
attached cable, which is ordered as either DTE or DCE to match the router configuration. If the
port is configured as DTE (the default setting), it will require external clocking from the DCE
device.

Note To support higher densities in a smaller form factor, Cisco introduced a smart serial cable.
The serial end of the smart serial cable is a 26-pin connector. It is much smaller than the
DB-60 connector that is used to connect to a five-in-one serial port. These transition cables
support the same five serial standards, are available in either DTE or DCE configuration,
and are used with two-port serial connections and two-port asynchronous and synchronous
WICs.

WAN Encapsulation
In addition to physical layer devices, WANs require data-link layer protocols to establish the
link across the communication line from the sending to the receiving device. This topic lists the
major protocols that operate in a WAN environment.

• HDLC
• PPP
• Frame Relay
• ATM
• Packet over SONET/SDH
• Gigabit Ethernet


Data link layer protocols define how data is encapsulated for transmission to remote sites and
the mechanisms for transferring the resulting frames. A variety of different technologies such
as ISDN, Frame Relay, or ATM are used. Many of these protocols use the same basic framing
mechanism, High-Level Data Link Control (HDLC), an ISO standard, or one of its subsets or
variants. ATM is the most different, because it uses small fixed-size cells of 53 bytes (48 bytes
for data).
The WAN data-link protocols are as follows:
 HDLC
 PPP
 Frame Relay
 ATM
 Packet over SONET/SDH
 Gigabit Ethernet



WAN Link Options
This topic describes the link options available to access the WANs.

WAN link options:
 Dedicated: leased lines (T1 or E1, T3 or E3)
 Switched: circuit-switched (PSTN, ISDN) and packet-switched (ATM, Frame Relay, MPLS)
 Internet: broadband VPN (DSL, cable, wireless)

WANs are accessed in a number of ways, depending on the data transmission requirements for
the WAN.
WANs have two major categories of communication links: dedicated and switched. Within
each category are individual types of communication link options, as follows:
 Dedicated communication links: When permanent dedicated connections are required,
point-to-point lines are used with various capacities that are limited only by the underlying
physical facilities and the willingness of users to pay for these dedicated lines. A
point-to-point link provides a pre-established WAN communications path from the customer
premises through the provider network to a remote destination. Point-to-point lines are
usually leased from a carrier and are also called leased lines.
 Circuit-switched communication links: Circuit switching dynamically establishes a
dedicated virtual connection for voice or data between a sender and a receiver. Before
communication can start, users must establish the connection through the network of the
service provider.
 Packet-switched communication links: Many WAN users do not make efficient use of
the fixed bandwidth that is available with dedicated, switched, or permanent circuits,
because the data flow fluctuates. Communications providers have data networks available
to more appropriately service these users. In packet-switched networks, the data is
transmitted in labeled cells, frames, or packets.

WAN Access and the OSI Reference Model
This topic describes how WANs function in relation to the OSI reference model.

OSI Layer                       WAN Function
Application, Presentation,      WAN services
Session, Transport, Network
                                MPLS
Data Link                       Frame Relay, ATM, HDLC, Ethernet
Physical                        Electrical, mechanical, operational connections

WANs function in relation to the Open Systems Interconnection (OSI) reference model
primarily on Layer 1 and Layer 2.
WAN access standards typically describe both physical layer delivery methods and data link
layer requirements, including physical addressing, flow control, and encapsulation. WAN
access standards are defined and managed by several recognized authorities including the ISO,
the TIA, and the EIA.
The physical layer (OSI Layer 1) protocols describe how to provide electrical, mechanical,
operational, and functional connections to the services of a communications service provider.
The data link layer (OSI Layer 2) protocols define how data is encapsulated for transmission
toward a remote location and the mechanisms for transferring the resulting frames. A variety of
different technologies are used, such as Frame Relay and ATM. Some of these protocols use
the same basic framing mechanism: HDLC, which is an ISO standard, or one of its subsets or
variants.



Carrier Ethernet
This topic describes Carrier Ethernet.

• Scalability
• Reliability
• QoS
• Service management
• Standardized services

Ethernet is the dominant LAN technology today, mainly because of its simplicity,
cost-efficiency, and ease of deployment. Most current network-capable devices have Ethernet as
a standard interface. Ethernet was initially developed as a LAN standard for connecting at
10-Mb/s speeds but was later upgraded to offer 100-Mb/s, 1-Gb/s, 10-Gb/s, 40-Gb/s, and now
100-Gb/s speeds.
In recent years, service providers have been deploying Ethernet as a WAN technology for
transport purposes, because traditional WAN technologies like Frame Relay, ATM, and
SONET/SDH have disadvantages that include high cost and a lack of flexibility and scalability.
Carrier Ethernet is a term for Ethernet extensions that enable service providers to offer Ethernet
services to customers and to use Ethernet technology in their networks. The Metro Ethernet
Forum (MEF) is a global industry alliance that was formed in 2001 to develop services for
enterprise users to connect their enterprise LANs. The main concept was to bring the simplicity
and cost model of Ethernet to the WAN.
MEF defines Carrier Ethernet as “A ubiquitous, standardized, carrier-class Service and
Network defined by five attributes that distinguish [it] from familiar LAN based Ethernet.”
These are the five attributes:
 Scalability
 Reliability
 Quality of service (QoS)
 Service management
 Standardized services

Three types of services:
• E-Line (point-to-point)
• E-LAN (multipoint)
• E-Tree (point-to-multipoint)
Figure: CE devices attached at UNIs and connected across the WAN by an EVC

Carrier Ethernet connections from an enterprise or residential customer terminate at a customer
edge. The customer edge (CE) device, which can be a router or a switch, is then connected to the
User-Network Interface (UNI), typically with a standard 10/100/1000-Mb/s or 10-Gb/s
interface. From the customer perspective, the network connection on the customer side of the
UNI is Ethernet. The UNI is the demarcation between the CE and the WAN. Services inside the
WAN cloud can be supported by a wide range of technologies including SONET/SDH, dense
wavelength-division multiplexing (DWDM), Gigabit Ethernet, Multiprotocol Label Switching
(MPLS), and so on.
The Ethernet Virtual Connection (EVC) is another Ethernet service attribute. An EVC is an
association of two or more UNIs. The EVC performs two main functions:
1. The EVC connects two or more UNIs enabling the transfer of Ethernet frames between
them.
2. The EVC prevents the transfer of data from sites that are not part of the EVC; that is, the
EVC isolates traffic between two UNIs.
The EVC forms the basis on which any Ethernet service type is defined, depending on the
number of customer sites (UNIs) and the way they are connected. The MEF defines three types of
Carrier Ethernet services:
 E-Line: Based on a point-to-point EVC.
 E-LAN: Based on a multipoint-to-multipoint EVC. Service multiplexing (more than one
EVC at the same UNI) is permitted.
 E-Tree: A point-to-multipoint E-LAN service in which the spoke "leaves" can communicate
with the hub or "root" location but not with each other.
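The three service types differ only in which pairs of member UNIs an EVC lets exchange frames. The following Python model is an added example, not Cisco course material: it encodes those forwarding rules together with the EVC isolation of non-member sites and service multiplexing at a UNI. The EVC and UNI names, the frame representation, and the function names are constructed for illustration.

```python
"""Model of the MEF Carrier Ethernet service types as EVC forwarding policy.

Added example for this lesson, not Cisco course material. The EVC names,
UNI names, frame representation and function names are constructed here
for illustration; how a UNI maps an incoming frame to its EVC (for
example by VLAN tag) is outside what the lesson covers.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set

SERVICE_TYPES = ("E-Line", "E-LAN", "E-Tree")


@dataclass(frozen=True)
class Evc:
    """One Ethernet Virtual Connection: an association of two or more UNIs."""
    name: str
    service: str                          # one of SERVICE_TYPES
    unis: FrozenSet[str]                  # member UNIs of this EVC
    roots: FrozenSet[str] = frozenset()   # E-Tree only: root UNIs

    def __post_init__(self) -> None:
        # Validate the EVC against the MEF definition of each service type.
        if self.service not in SERVICE_TYPES:
            raise ValueError(f"unknown service type {self.service!r}")
        if self.service == "E-Line" and len(self.unis) != 2:
            raise ValueError("E-Line is a point-to-point EVC: exactly two UNIs")
        if len(self.unis) < 2:
            raise ValueError("an EVC associates two or more UNIs")
        if self.service == "E-Tree":
            if not self.roots or not self.roots <= self.unis:
                raise ValueError("E-Tree needs at least one root UNI that is a member")
        elif self.roots:
            raise ValueError("root/leaf roles exist only in E-Tree")

    def may_forward(self, src: str, dst: str) -> bool:
        """Return True if this EVC lets a frame from UNI src reach UNI dst.

        EVC function 2: data never leaves the set of member UNIs, so a
        non-member can neither send into nor receive from the EVC.
        """
        if src == dst or src not in self.unis or dst not in self.unis:
            return False
        if self.service in ("E-Line", "E-LAN"):
            return True                   # any member to any other member
        # E-Tree: leaves talk to roots only; leaf-to-leaf is blocked.
        return src in self.roots or dst in self.roots

    def egress_unis(self, src: str) -> Set[str]:
        """UNIs that receive a flooded frame entering the EVC at UNI src."""
        return {u for u in self.unis if self.may_forward(src, u)}


def deliver(frame: Dict[str, str], evcs: Dict[str, Evc]) -> Set[str]:
    """Resolve egress UNIs for a frame {"ingress": <UNI>, "evc": <EVC name>}.

    A UNI carrying several EVCs (service multiplexing) hands each frame to
    exactly one EVC, so frames on different EVCs at the same UNI reach
    disjoint destination sets even though they share the physical port.
    """
    evc = evcs.get(frame["evc"])
    if evc is None or frame["ingress"] not in evc.unis:
        return set()                      # unknown EVC or non-member: dropped
    return evc.egress_unis(frame["ingress"])


def reachability(evc: Evc) -> Dict[str, Set[str]]:
    """Map every member UNI to the set of UNIs it can reach inside the EVC."""
    return {u: evc.egress_unis(u) for u in sorted(evc.unis)}


# Constructed topology: one customer's UNIs (HQ, data center, two branches)
# and UNI-X, which belongs to another customer and is in none of these EVCs.
EVCS = {
    "line-hq-dc": Evc("line-hq-dc", "E-Line", frozenset({"UNI-HQ", "UNI-DC"})),
    "lan-branches": Evc("lan-branches", "E-LAN",
                        frozenset({"UNI-HQ", "UNI-B1", "UNI-B2"})),
    "tree-hub": Evc("tree-hub", "E-Tree",
                    frozenset({"UNI-HQ", "UNI-B1", "UNI-B2"}),
                    roots=frozenset({"UNI-HQ"})),
}

if __name__ == "__main__":
    for name, evc in EVCS.items():
        print(f"{name} ({evc.service}): {reachability(evc)}")
    # Service multiplexing at UNI-HQ: same port, two EVCs, disjoint egress sets.
    print(deliver({"ingress": "UNI-HQ", "evc": "line-hq-dc"}, EVCS))
    print(deliver({"ingress": "UNI-HQ", "evc": "lan-branches"}, EVCS))
    # UNI-X is a member of no EVC here, so its frames reach nothing.
    print(deliver({"ingress": "UNI-X", "evc": "lan-branches"}, EVCS))
```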



Transport of Carrier Ethernet Services
This topic describes the various technologies that can transport Ethernet services across the
WAN.

• Ethernet over SONET/SDH
• Ethernet over DWDM
• Ethernet over fiber
• Ethernet over MPLS
• Provider Bridges (802.1ad)
• PBB-TE

Various technologies can transport Ethernet services across the WAN:


 Ethernet over SONET/SDH: Typically used for private-line applications. It is a
point-to-point service with a native Ethernet interface.
 Ethernet over DWDM: Used when carriers need to offer ultrahigh bandwidth services
over gigabits per second to connect customer data centers and allow large file transfers
between corporate sites such as storage network applications.
 Ethernet over fiber: Primarily deployed in a point-to-point or mesh network technology
and used to deliver packet services over fibers. It is a connectionless technology, used
mainly for LAN or Internet access connectivity.
 Ethernet over MPLS: Ethernet links are transported as “pseudowires” that
use MPLS label switched paths inside an outer MPLS “tunnel.”
 Provider Bridges (802.1ad): Also known as Q-in-Q (QinQ) or stacked VLANs.
With Provider Bridging, service providers have their own set of VLANs that are
completely separate from and independent of the provisioned customer VLANs.
 Provider Backbone Bridges (PBB, 802.1ah) and PBB Traffic Engineering (PBB-TE): PBB is
also referred to as MAC-in-MAC. The goal of MAC-in-MAC is to allow clear separation
between the customer MAC layer control plane and the service provider MAC layer
control plane and to increase service scalability. PBB-TE extends the functionality of PBB
to deliver resiliency and a configurable performance level.

CFM and E-LMI
This topic describes the protocols that are used to manage services in a carrier Ethernet
environment.

Figure: CFM domains (customer, operator, service provider) spanning CE1, PE1, PE2, PE3, PE4, and CE2; the E-LMI domain covers only the CE-PE link

Service providers in particular require a certain management capability within the context of
the overall Ethernet infrastructure. Ethernet Operation, Administration, and Maintenance
(OAM) refers to a set of tools and protocols that are used to install, monitor, and troubleshoot a
network.
Ethernet Connectivity Fault Management (CFM) is an end-to-end, per-service-instance Ethernet
layer OAM protocol that includes proactive connectivity monitoring, fault verification, and
fault isolation. End-to-end can mean provider edge (PE)-to-PE or CE-to-CE. Ethernet CFM, as
specified in IEEE 802.1ag, is the standard for Layer 2 ping, Layer 2 traceroute, and end-to-end
connectivity checking of the Ethernet network.
Ethernet Local Management Interface (E-LMI) is a protocol between the CE and PE device. It
runs only on the PE-CE UNI link and notifies the CE of connectivity status and configuration
parameters of Ethernet services that are available on the CE port. E-LMI interoperates with an
OAM protocol, such as CFM, that runs within the provider network to collect OAM status.
CFM runs at the provider maintenance level (user provider edge [UPE] to UPE, with
inward-facing maintenance end points [MEPs] at the UNI). E-LMI relies on the OAM Ethernet
infrastructure to interwork with CFM for the end-to-end status of EVCs across CFM domains.



Summary
This topic summarizes the key points that were discussed in this lesson.

• A WAN allows the transmission of data across broad geographic
distances.
• The most significant difference between WANs and LANs is
geographical area.
• An enterprise WAN is actually a collection of separate but connected
LANs.
• Several technologies are involved in the functioning of WANs—
hardware devices such as routers, communication servers, and
modems—and software functions.
• The WAN access physical layer describes the interface between the
DTE and the DCE.
• Data link layer protocols define how data is encapsulated for
transmission to remote sites and the mechanisms for transferring the
resulting frames.


• The physical connection to an ISP is usually provided by using either
DSL or cable technology with packet switching.
• WANs function in relation to the Open Systems Interconnection (OSI)
reference model primarily on Layer 1 and Layer 2.
• Carrier Ethernet enables service providers to offer Ethernet services to
customers.
• Various technologies can carry Ethernet services across the WAN.
• CFM and E-LMI provide management capability within the context of the
overall Ethernet infrastructure.

Lesson 2
Introducing Service Provider Access, Edge, and Transport Technologies
Overview
This lesson describes service provider access and transport technologies.

Objectives
Upon completing this lesson, you will be able to describe various access and transport
technologies. You will be able to meet these objectives:
 Describe various IP NGN access and edge technologies
 Describe Frame Relay
 Describe ATM cell relay
 Describe Metro Ethernet
 Describe DSL
 Describe digital T1, T3, E1, and E3 circuits
 Describe ISDN
 Describe mobile networks
 Describe cable-based WANs
 Describe GPON
 Describe the use of fiber-optic cable directly to the customer premises
 Describe BRAS
 Describe BNG
 Describe the DSL Forum TR-101 standard
 Describe service provider transport technologies
 Describe SONET/SDH
 Describe DWDM and ROADM
 Describe CES and TDMoIP
 Describe IP over DWDM
 Describe Gigabit Ethernet

Service Provider Access and Edge Technologies
This topic describes various IP NGN access and edge technologies.

[Figure: Cisco IP NGN model (Access, Aggregation, IP Edge, Core) serving Residential, Mobile Users, and Business subscribers. Access and edge technologies: Frame Relay, ATM, Metro Ethernet, DSL, T1 or E1 and T3 or E3, ISDN, mobile networks, cable-based WANs, GPON, FTTx, BRAS, BNG, TR-101]

Service provider access and edge technologies focus on the access and IP edge portions of the
Cisco IP NGN model.

© 2012 Cisco Systems, Inc. Connectivity Technologies 4-21


Frame Relay Overview
This topic describes Frame Relay.

[Figure: DTE routers connected through a DCE or CSU/DSU to a Frame Relay switch; Frame Relay works between the DTE and the Frame Relay switch.]

• Connections made by virtual circuits
• Connection-oriented service

Frame Relay is a connection-oriented data-link technology that is streamlined to provide high
performance and efficiency. For error protection, it relies on upper-layer protocols and
dependable fiber and digital networks. The core aspects of Frame Relay function at the lower
two layers of the Open Systems Interconnection (OSI) reference model. Reachability issues may
occur when a single interface is used to interconnect multiple sites. The Local Management
Interface (LMI) is responsible for managing the connection and maintaining the status between
the router and the Frame Relay switch.
Frame Relay defines the interconnection process between the router and the service provider
local access switching equipment. It does not define how the data is transmitted within the
Frame Relay service provider cloud.
Devices that are attached to a Frame Relay WAN fall into these two categories:
 DTE: Generally considered to be terminating equipment for a specific network. DTE
devices are typically located on the customer premises, and the customer may own them.
Examples of DTE devices are Frame Relay Access Devices (FRADs), routers, and bridges.
 DCE: Carrier-owned internetworking devices. DCE devices provide clocking and
switching services in a network and transmit data through the WAN. Most switches in a
WAN are Frame Relay switches.

Frame Relay provides a means for statistically multiplexing many logical data conversations
(referred to as virtual circuits [VCs]) over a single physical transmission link by assigning
connection identifiers to each pair of DTE devices. The service provider switching equipment
constructs a switching table that maps the connection identifier to outbound ports. When a
frame is received, the switching device analyzes the connection identifier and delivers the
frame to the associated outbound port. The complete path to the destination is established
before the transmission of the first frame.


The terms that are described here may be the same or slightly different from the terms your
Frame Relay service provider uses. These terms are used frequently when discussing Frame
Relay:
 Local access rate: Clock speed (port speed) of the connection (local loop) to the Frame
Relay cloud. It is the rate at which data travels into or out of the network, regardless of
other settings.
 VC: A logical circuit, uniquely identified by a data-link connection identifier (DLCI) that
is created to ensure bidirectional communication from one DTE device to another. A
number of VCs can be multiplexed into a single physical circuit for transmission across the
network. This capability can often reduce the complexity of equipment and the network
that is required to connect multiple DTE devices. A VC can pass through any number of
intermediate DCE devices (Frame Relay switches). A VC can be either a permanent virtual
circuit (PVC) or a switched virtual circuit (SVC).
 PVC: Provides permanently established connections that are used for frequent and
consistent data transfers between DTE devices across the Frame Relay network.
Communication across a PVC does not require the call setup and call teardown that is used
with an SVC.
 SVC: Provides temporary connections that are used in situations requiring only sporadic
data transfer between DTE devices across the Frame Relay network. SVCs are dynamically
established on demand and are torn down when transmission is complete. Frame Relay
SVC is not covered in this course.
 DLCI: A 10-bit number in the address field of the Frame Relay frame header that
identifies the VC. DLCIs have local significance because the identifier references the point
between the local router and the local Frame Relay switch that the DLCI is connected to.
Therefore, devices at opposite ends of a connection can use different DLCI values to refer
to the same virtual connection.
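The switching-table behavior and the local significance of DLCIs described above, as an added example (this is not code from the guide or from Cisco): a small Python simulation of two DTE routers and two Frame Relay switches, where each switch keeps a table keyed on (ingress port, ingress DLCI) and rewrites the DLCI at every hop. The router and switch names, port names, and the DLCI values 102, 500, and 201 are constructed for the illustration.

```python
"""Frame Relay switching with locally significant DLCIs (added example).

Constructed topology: R1 --s0/p1-- SW-A --p2/p1-- SW-B --p2/s0-- R2.
One PVC is provisioned end to end; each hop uses its own DLCI value
(102 on R1's access link, 500 between the switches, 201 on R2's link).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    """A Frame Relay frame reduced to the fields this simulation needs."""
    dlci: int       # the 10-bit DLCI carried in the address field
    payload: bytes

    def __post_init__(self):
        if not 0 <= self.dlci < 1024:
            raise ValueError("DLCI must fit in 10 bits")


class Router:
    """DTE: records the port and DLCI on which each frame arrived."""

    def __init__(self, name):
        self.name = name
        self.received = []

    def receive(self, port, frame):
        self.received.append((port, frame.dlci, frame.payload))
        return (self.name, frame.dlci)


class FrameRelaySwitch:
    """DCE: switching table keyed on (ingress port, ingress DLCI)."""

    def __init__(self, name):
        self.name = name
        self.table = {}   # (port, dlci) -> (out_port, out_dlci)
        self.links = {}   # port -> (neighbor device, neighbor port)

    def attach(self, port, neighbor, neighbor_port):
        self.links[port] = (neighbor, neighbor_port)

    def add_pvc(self, port_a, dlci_a, port_b, dlci_b):
        # A PVC is bidirectional, so both directions of the mapping are installed.
        self.table[(port_a, dlci_a)] = (port_b, dlci_b)
        self.table[(port_b, dlci_b)] = (port_a, dlci_a)

    def receive(self, port, frame):
        entry = self.table.get((port, frame.dlci))
        if entry is None:
            return None   # no VC for this DLCI on this port: the frame is discarded
        out_port, out_dlci = entry
        neighbor, neighbor_port = self.links[out_port]
        # The DLCI is rewritten hop by hop; the payload is carried unchanged.
        return neighbor.receive(neighbor_port, Frame(out_dlci, frame.payload))


def build_network():
    """Provision the constructed topology and return its devices."""
    r1, r2 = Router("R1"), Router("R2")
    sw_a, sw_b = FrameRelaySwitch("SW-A"), FrameRelaySwitch("SW-B")
    sw_a.attach("p1", r1, "s0")
    sw_a.attach("p2", sw_b, "p1")
    sw_b.attach("p1", sw_a, "p2")
    sw_b.attach("p2", r2, "s0")
    sw_a.add_pvc("p1", 102, "p2", 500)
    sw_b.add_pvc("p1", 500, "p2", 201)
    return r1, r2, sw_a, sw_b


def send(first_hop, port, dlci, payload):
    """Hand a frame from a DTE to the switch port it is attached to."""
    return first_hop.receive(port, Frame(dlci, payload))


if __name__ == "__main__":
    r1, r2, sw_a, sw_b = build_network()
    print(send(sw_a, "p1", 102, b"from R1"))   # ('R2', 201)
    print(send(sw_b, "p2", 201, b"from R2"))   # ('R1', 102)
    print(send(sw_a, "p1", 999, b"stray"))     # None
```

R1 sends on DLCI 102 and R2 receives the same frame on DLCI 201, which is exactly why both ends of a PVC can be configured with different DLCI numbers. A frame arriving with a DLCI that has no table entry on that port is dropped rather than forwarded, which is the switch's only protection against mis-addressed frames; Frame Relay itself carries no authentication of the DTE.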



ATM Cell Relay Technology
This topic describes ATM cell relay.

[Figure: ATM endpoints (router, workstation, DSU/CSU) attached to an ATM network of cell switches; cells are switched between the endpoints.]

The ATM cell relay technology is designed for high-speed transfer of voice, video, and data
through public and private networks.
A cell switching and multiplexing technology, ATM combines the benefits of circuit switching
(constant transmission delay, guaranteed capacity) with those of packet switching (flexibility,
efficiency for intermittent traffic). To achieve these benefits, ATM uses the following features:
 Fixed-size cells, permitting more efficient switching in hardware than is possible with
variable-length packets
 Connection-oriented service, permitting routing of cells through the ATM network over
virtual connections, sometimes called virtual circuits, using simple connection identifiers
 Asynchronous multiplexing, permitting efficient use of bandwidth and interleaving of data
of varying priority and size

The combination of these features allows ATM to provide different categories of service for
different data requirements and to establish a service contract at the time a connection is set up.
This means that a virtual connection of a given service category can be guaranteed a certain
bandwidth, as well as other traffic parameters, for the life of the connection. An ATM network
is made up of one or more ATM switches and ATM endpoints. An ATM endpoint (or end
system) contains an ATM network interface adapter. Workstations, routers, DSUs, LAN
switches, and video coder-decoders (codecs) are examples of ATM end systems that can have
an ATM interface.

Metro Ethernet
This topic describes Metro Ethernet.

[Figure: Service provider Metro Ethernet network: CE devices attach to PE routers at the access and aggregation layers, which connect through P routers in the core.]

A Metro Ethernet is an Ethernet-based computer network that covers a metropolitan area. It is
commonly used as a metropolitan access network to connect subscribers to a larger service
network or the Internet. Businesses can also use Metro Ethernet to connect branch offices to
their intranet.
A typical service provider Metro Ethernet network is a collection of Layer 2 and 3 switches and
routers that are connected through optical fiber. The topology could be a ring, hub-and-spoke
(star), or full or partial mesh.
Ethernet also supports high bandwidths and is relatively inexpensive compared with
Synchronous Digital Hierarchy (SDH) or Multiprotocol Label Switching (MPLS) systems of
similar bandwidth. Another distinct advantage of an Ethernet-based access network is that it is
easily connected to the customer network, due to the prevalent use of Ethernet in corporate and
residential networks. Therefore, bringing Ethernet into the Metropolitan Area Network (MAN)
introduces numerous advantages to both the service provider and the customer.
The following terms are defined:
 Customer edge (CE) router or switch: The CE device connects to routers and switches at
the campus or headend location as well as the branch locations. Because the enterprise
owns and manages this device, intelligent features such as encryption, firewall, access
control lists (ACLs), and so on, are enabled by the network manager to provide these
needed services.
 Provider edge (PE) router: The PE router functions as an aggregation point for CPE
devices, or an interconnection between other service providers or other networks of the
same service provider.
 Provider (P) router: The P router offers reliable, high-speed backbone connectivity in the
service provider core network.



DSL
This topic describes DSL.

• Technology for delivering high bandwidth over regular copper lines
• Uses high transmission frequencies (up to 1 MHz)
• Connection between subscriber and CO

DSL technology is an always-on connection technology that uses existing twisted-pair
telephone lines to transport high-bandwidth data and provides IP services to subscribers. A
DSL modem is used to convert an Ethernet signal from users to a DSL signal to the central
office (CO).
In the early 1950s, Bell Labs discovered that although the physical cabling was capable of
supporting frequencies from 300 Hz to 1 MHz, a typical voice conversation over a local loop
required bandwidth of only 300 Hz to 3 kHz. For many years, the telephone networks were
designed to use this lower bandwidth. Advances in technology allowed DSL to use the
additional bandwidth from 3 kHz up to 1 MHz to deliver high-speed data services over ordinary
copper lines.
Service providers deploy DSL connections in the last step of a local telephone network, called
the local loop or last mile. The connection is set up between a pair of modems on either end of
a copper wire that extends between the customer premises equipment (CPE) and the DSL
access multiplexer (DSLAM). A DSLAM is the device that is located at the CO of the provider
and concentrates connections from multiple DSL subscribers, incorporating time-division
multiplexing (TDM) technology.
This figure shows the key equipment that is needed to provide a DSL connection to a small
office, home office (SOHO). The two key components are the DSL transceiver (modem) and
the DSLAM.
 DSL Transceiver: Connects the computer of the teleworker to the DSL line. Usually the
transceiver is a DSL modem that is connected to the computer by use of a USB or Ethernet
cable. Newer DSL transceivers can be built into small routers with multiple 10/100 switch
ports that are suitable for home office use.
 DSLAM: Located at the CO of the carrier, the DSLAM combines individual DSL
connections from users into one high-capacity link to an ISP and to the Internet.

These are the two basic types of DSL technologies:
 Asymmetric DSL (ADSL): Provides higher download bandwidth than upload bandwidth
 Symmetric DSL (SDSL): Provides the same capacity of bandwidth in both directions

All forms of DSL service are categorized as asymmetric or symmetric, but there are several
varieties of each type. ADSL includes these forms:
 ADSL, ADSL2, ADSL2+
 Consumer DSL, also called G.Lite or G.992.2
 Very-high-data-rate DSL (VDSL, VDSL2)

SDSL includes the following forms:
 SDSL
 High-data-rate DSL (HDSL)
 ISDN DSL (IDSL)
 Symmetric high-bit-rate DSL (G.SHDSL)

Current DSL technologies use sophisticated coding and modulation techniques to achieve high
data rates. ADSL reaches greater distances than other DSL types, but the achievable speed of
ADSL transmissions degrades as the distance increases. The maximum distance is limited to
approximately 18,000 feet (5.5 km) from the CO. ADSL2 and ADSL2+ are enhancements to
basic ADSL and provide a downstream bandwidth of up to 24 Mb/s and an upstream bandwidth
of up to 1.5 Mb/s.
VDSL2 offers the highest operational speed but has the shortest achievable distance. VDSL2
deteriorates quickly from a theoretical maximum of 250 Mb/s at the source to 100 Mb/s at 1640
feet (0.5 km) and 50 Mb/s at 3280 feet (1 km).



Digital T1, T3, E1, E3 Circuits
This topic describes digital T1, T3, E1, E3 circuits.

• The original mechanism used for converting analog voice to a digital
signal is called PCM.
• In the United States, the DS1 standard defines a single line that
supports 24 DS0s, and in Europe and Japan, an E1 line holds 32 DS0s.

Name of Line   Bit Rate
DS0            64 kb/s
DS1 (T1)       1.544 Mb/s (24 DS0s, plus 8 kb/s overhead)
DS3 (T3)       44.736 Mb/s (28 DS1s, plus management overhead)
E1             2.048 Mb/s (32 DS0s)
E3             34.064 Mb/s (16 E1s, plus management overhead)

The original mechanism that is used for converting analog voice to a digital signal is called
pulse code modulation (PCM). PCM defines that an incoming analog voice signal should be
sampled 8000 times per second, and each sample should be represented by an 8-bit code. So,
64,000 bits were needed to represent 1 second of voice. This speed was chosen as a baseline
transmission speed because that was the necessary bandwidth for a single voice call. The term
digital signal level 0 (DS0) refers to the standard for a single 64-kb/s line.
Today, telecom companies offer leased lines in multiples of 64 kb/s. In the United States, the
digital signal level 1 (DS1) standard defines a single line that supports 24 DS0s, plus an 8-kb/s
overhead channel, for a speed of 1.544 Mb/s. A DS1 is also called a T1 line. Another option is
a digital signal level 3 (DS-3) service, also called a T3 line, which holds 28 DS1s. Other parts
of the world use different standards, with Europe using standards that hold 32 DS0s, called an
E1 line, with an E3 line holding 16 E1s.

ISDN
This topic describes ISDN.

[Figure: ISDN connectivity through the provider network between a central site, a small office with a digital PBX, a telecommuter, and a home office, carrying voice, data, video, and special services.]

ISDN provides dial-up connectivity to a service provider network similar to standard modem
connectivity, but uses digital technology end to end. End-to-end digital technology allows
various digital transport uses and decreases call setup time.
ISDN refers to a collection of standards that define a digital architecture that provides
integrated voice and data capability through the public switched network. The ISDN standards
define the interface specifications. Before ISDN, many telephone companies used digital
networks within their clouds, but they used analog lines for the local access loop between the
cloud and the actual customer site.
Some of the advantages of bringing digital connectivity via ISDN to the local loop are as
follows:
 The ability to carry various user-traffic feeds. ISDN provides access to all-digital facilities
for video, telex, packet-switched data, and enriched telephone network services.
 Faster call setup than modem connections by using out-of-band (D, or delta, channel)
signaling. For example, ISDN calls can often be set up and completed in less than a second.
 Faster data transfer rate using bearer-channel (B-channel) services at 64 kb/s per channel as
opposed to common modem rates up to 56 kb/s. With multiple B channels, ISDN offers
users more bandwidth on WANs than they receive with a leased line at 56 kb/s in North
America or 64 kb/s in much of the rest of the world. The two B channels of a BRI, for
example, equal 128 kb/s.

In general, ISDN has become the transport of choice in many parts of the world for applications
using remote connectivity and for access to the Internet.



Channel   Capacity      Primary Use
B         64 kb/s       Circuit-switched data (HDLC, PPP)
D         16/64 kb/s    Signaling information (LAPD)

[Figure: BRI (2B+D) attached through an NT1, and PRI (23B+D or 30B+D) attached through a CSU/DSU, to the service provider network.]

ISDN specifies two standard access methods:
 BRI: BRI, sometimes written as 2B+D, operates with many Cisco routers and provides two
bearer (B) channels at 64 kb/s and an additional 16-kb/s data (D)-signaling channel.
The B channels can be used for digitized speech transmission or for relatively high-speed
data transport. Narrowband ISDN is circuit-switching oriented. The B channel is the
elemental circuit-switching unit.
The D channel carries signaling information (call setup) to control calls on B channels.
Traffic over the D channel employs the Link Access Procedure on the D-Channel (LAPD)
data-link protocol level. LAPD is based on High-Level Data Link Control (HDLC).
 PRI: In North America and Japan, PRI offers twenty-three 64-kb/s B channels and one 64-
kb/s D channel (a T1/DS1 facility).

In Europe and much of the rest of the world, PRI offers 30 B channels and a D channel (an E1
facility). PRI uses a DSU or CSU, or both, for T1/E1 connection.

Mobile Networks
This topic describes mobile networks.

[Figure: Mobile network architecture. A 2G RAN (mobile station, BTS, BSC) and a 3G RAN (mobile station, Node B, RNC) connect through a 2G-SGSN and a 3G-SGSN across a GPRS-IP and MPLS-IP network to Cisco GGSNs and a BG, and on to services: content switching, content billing, content caching, firewall, SLB, service control, SSG service selection, VPN concentration, partner, and postpaid and prepaid billing systems, supported by Cisco DNS/DHCP, Cisco AAA, and the Cisco Mobile Wireless Center. BSC = base station controller; RAN = radio access network; RNC = radio network controller]

A mobile network is a radio network that is distributed over land areas that are called cells,
each served by at least one fixed-location transceiver that is known as a cell site or base station.
When joined, cells provide coverage over a wide geographic area. This enables portable
devices like mobile phones, smartphones, tablets, PDAs, and laptops to communicate via base
stations, even if some of those devices are moving through more than one cell during
transmission.
Progress in mobile technology is usually described in terms of generations (G):
 2G: Digital systems. The main standard is Global System for Mobile Communications
(GSM), originally described as a digital, circuit-switched network that is optimized for full-
duplex voice telephony. The standard was expanded over time to include first, circuit-
switched data transport, then packet data transport via General Packet Radio Service
(GPRS). Packet data transmission speeds were later increased via Enhanced Data rates for
GSM Evolution (EDGE). 2G technologies can be divided into Time Division Multiple
Access (TDMA)- and Code Division Multiple Access (CDMA)-based standards.
 3G: Packet-switched networks replaced circuit-switched networks and enabled high-speed
IP data networks and mobile broadband. 3G technologies are Universal Mobile
Telecommunications Service (UMTS), Wideband Code Division Multiple Access (W-
CDMA), Time Division Synchronous Code Division Multiple Access (TD-SCDMA),
High-Speed Downlink Packet Access (HSDPA), and High Speed Packet Access Plus
(HSPA+).
 4G: All-IP network. WiMax and line terminating equipment (LTE) are the main
technologies.



Cable-Based WANs
This topic describes cable-based WANs.

• Data service runs between the cable modem and the cable headend.
• Users on a segment share upstream and downstream bandwidth.


Another technology that has become increasingly popular as a WAN communications access
option is the IP-over-Ethernet Internet service that cable networks deliver.
Coaxial cable is widely used in urban areas to distribute television signals. Network access is
available from some cable television networks. This technology allows for greater bandwidth
than the conventional telephone local loop. Data-over-Cable Service Interface Specifications
(DOCSIS) is a standard that defines data transfer over a coaxial network. The latest version of
DOCSIS, version 3.0, is a breakthrough technology for cable operators and consumers. It
allows data speeds of more than 100 Mb/s.
Cable modems provide an always-on connection and a simple installation. A subscriber
connects a computer or LAN router to the cable modem, which translates the digital signals
into the broadband frequencies that are used for transmitting on a cable television network. The
local cable TV office, which is called the cable headend, contains the computer system and
databases that are needed to provide Internet access. The most important component that is
located at the headend is the cable modem termination system (CMTS). It sends and receives
digital cable modem signals on a cable network and is necessary for providing Internet services
to cable subscribers.
Cable modem subscribers must use the ISP that is associated with the service provider. All the
local subscribers share the same cable bandwidth. As more users join the service, available
bandwidth may be below the expected rate.

GPON
This topic describes GPON.

[Figure: GPON. The GPON OLT and RF video equipment at the central office are combined by WDM onto one fiber, which a splitter fans out to up to 32 GPON ONTs at a maximum reach of 20 km. Wavelengths: 1550 nm RF video; 1490 nm GPON downstream (2.5 Gb/s); 1310 nm GPON upstream (1.25 Gb/s)]

A passive optical network (PON) is a form of fiber-optic access network. PON is a point-to-
multipoint, fiber-to-the-premises network architecture in which unpowered optical splitters are
used to enable a single optical fiber to serve multiple premises, typically 16 to 128. Because an
optical network is passive and requires no field electronics, PON reduces or eliminates field
equipment and maintenance costs. A gigabit PON (GPON) consists of an optical line terminal
(OLT) at the service provider's central office and a number of optical network units (ONUs) or
optical network terminals (ONTs) near the end users. A GPON reduces the amount of fiber and
central office equipment that is required compared with point-to-point architectures. PON takes
advantage of wavelength division multiplexing (WDM), using one wavelength for downstream
traffic and another for upstream traffic on a single optical fiber. Downstream signals are
broadcast to all premises that share a single fiber. Encryption is used to prevent eavesdropping.
Upstream signals are combined by using a multiple access protocol, usually TDMA. The OLTs
"range" the ONUs to provide time slot assignments for upstream communication.
There are different PON flavors, including GPON. Data rates for GPON subscribers are up to
10 Gb/s.



FTTx
This topic describes the use of fiber-optic cable directly to the customer premises.

FTTx is the deployment of fiber (optical) cable to a specific location:
• FTTB: Fiber to the building
• FTTH: Fiber to the home
• FTTP: Fiber to the premises
• FTTC: Fiber to the curb
• FTTN: Fiber to the node

Fiber to the x (FTTx) is the deployment of fiber (optical) cable to a specific location regarding
the customer premises. The “x” is used to describe the specific application of the service:
 FTTB: Fiber to the building is the deployment of fiber (optical) cable to a specific
location within a building, then connection to the building’s existing copper cable
facilities.
 FTTH: Fiber to the home is the complete deployment of fiber to the customer home,
specifically to a device called an ONT (optical network terminator).
 FTTP: Fiber to the premises can be the definition of FTTB or FTTH, depending on how
the context is used.
 FTTC: Fiber to the curb is the deployment of fiber close to the customer but not fully to
the customer residence. In this deployment, the existing copper plant is still used to deliver
service to the actual customer.
 FTTN: Fiber to the node is an architecture that extends the fiber link as close as possible to
the neighborhood’s existing optical node (which distributes individual cable pairs to each
customer residence) for triple-play service.

BRAS
This topic describes BRAS.

[Figure: BRAS placement. Subscriber premises (xDSL modems) connect over the xDSL subscriber line to DSLAMs in the transport network, then to the BRAS in the service provider IP network, and through an Internet router to the Internet.]

A broadband remote access server (BRAS, B-RAS, or BBRAS) serves as an aggregation point
for subscriber traffic (IP, PPP, and ATM) and provides session termination and subscriber
management functions such as authentication, authorization, and accounting (AAA), and IP
address assignment. Service providers inject policy management and IP Quality of Service
(QoS) parameters into BRAS.
The complexity of BRAS devices has increased significantly. To simplify the BRAS evolution and
ensure intervendor interoperability, the DSL Forum released Technical Report 092 (TR-
092), which defines functional requirements for BRAS devices in modern triple-play-
enabled DSL network environments.
TR-092 specifies these tasks:
 ATM and Ethernet aggregation
 Session termination—ATM permanent virtual connection (PVC), PPP
 AAA, using Password Authentication Protocol (PAP), Challenge Handshake
Authentication Protocol (CHAP), RADIUS, and DHCP Option 82
 IP routing—Border Gateway Protocol (BGP), Open Shortest Path First (OSPF), Routing
Information Protocol (RIP)
 IP address management—DHCP server, relay, proxy services
 Integrated Layer 2 switching—ATM, Ethernet, MPLS
 Policy management and dynamic per-session QoS
 IP multicast routing—Protocol Independent Multicast (PIM), Multicast Border Gateway
Protocol (MBGP), Internet Group Management Protocol (IGMP)
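The AAA task listed above names CHAP as one of the subscriber authentication methods a BRAS terminates. As an added example (not code from the guide or from Cisco), here is the RFC 1994 CHAP exchange in Python, with the BRAS as authenticator and a PPP subscriber as peer: the authenticator issues a random challenge with an identifier, the peer returns MD5(Identifier || secret || Challenge), and the authenticator recomputes the digest from its own copy of the secret and compares in constant time. The subscriber name and shared secret used below are constructed values, and the local secret dictionary stands in for the RADIUS lookup a real BRAS would perform.

```python
"""CHAP authentication between a PPP subscriber and a BRAS (added example).

Implements the RFC 1994 exchange: Challenge, Response, then Success or
Failure. The secret store and subscriber credentials are constructed.
"""
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """Response value as defined in RFC 1994, section 2.2:
    MD5 over the one-octet Identifier, the secret, and the Challenge value."""
    if not 0 <= identifier <= 255:
        raise ValueError("the CHAP Identifier is one octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """BRAS side. A real BRAS would hand verification to RADIUS;
    here the shared secrets live in a local dictionary (constructed)."""

    def __init__(self, secrets):
        self._secrets = dict(secrets)   # peer name -> shared secret
        self._pending = {}              # identifier -> outstanding challenge
        self._next_id = 0

    def challenge(self, length=16):
        """Issue a fresh, unpredictable challenge and remember it by Identifier."""
        ident = self._next_id
        self._next_id = (self._next_id + 1) % 256
        value = os.urandom(length)
        self._pending[ident] = value
        return ident, value

    def verify(self, ident, name, response):
        """Check a Response packet; True means Success, False means Failure."""
        chal = self._pending.pop(ident, None)   # each challenge is usable once
        if chal is None:
            return False                         # unknown or already-used Identifier
        secret = self._secrets.get(name)
        if secret is None:
            return False                         # unknown subscriber
        expected = chap_response(ident, secret, chal)
        return hmac.compare_digest(expected, response)   # constant-time compare


class ChapPeer:
    """Subscriber side: holds the name and secret configured on the CPE."""

    def __init__(self, name, secret):
        self.name = name
        self.secret = secret

    def respond(self, ident, challenge):
        return self.name, chap_response(ident, self.secret, challenge)


def run_exchange(peer, authenticator):
    """One complete Challenge / Response / Success-or-Failure round."""
    ident, chal = authenticator.challenge()
    name, resp = peer.respond(ident, chal)
    return authenticator.verify(ident, name, resp)


def replay_is_rejected(peer, authenticator):
    """A Response captured on the line and replayed against the same
    Identifier must fail, because the challenge was consumed on first use."""
    ident, chal = authenticator.challenge()
    name, resp = peer.respond(ident, chal)
    first = authenticator.verify(ident, name, resp)
    second = authenticator.verify(ident, name, resp)
    return first and not second


if __name__ == "__main__":
    bras = ChapAuthenticator({"user@isp.example": b"s3cret"})
    print(run_exchange(ChapPeer("user@isp.example", b"s3cret"), bras))   # True
    print(run_exchange(ChapPeer("user@isp.example", b"wrong"), bras))    # False
    print(replay_is_rejected(ChapPeer("user@isp.example", b"s3cret"), bras))  # True
```

Two properties worth noticing: unlike PAP, the secret never crosses the subscriber line, only a digest bound to a one-time challenge does; and the authenticator must hold the secret in a recoverable form (not a password hash) to recompute the digest, which is why the secret store, or the RADIUS server that replaces it, needs the same protection as the credentials themselves.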



BNG
This topic describes BNG.

[Figure: BNG placement. Residential subscribers connect through the access and aggregation layers to the BNG at the edge, which hands IPv4 and IPv6 traffic to the IP or MPLS core.]

The Broadband Network Gateway (BNG) is primarily responsible for residential high-speed
Internet subscriber management and wholesale services. It implements an Intelligent Services
Gateway (ISG) function for residential Internet access and VoIP telephony services. Subscriber
traffic is transported across the Ethernet access and aggregation network and terminated on the
broadband remote access router.
The broadband network gateway provides these functions:
 Termination of residential high-speed Internet services
 Termination, routing, or tunneling of wholesale high-speed Internet by using Layer 2
Tunneling Protocol (L2TP) or MPLS VPN
 RADIUS, AAA, and dynamic subscriber and policy control for PPP over Ethernet (PPPoE)
and IP-over-Ethernet (IPoE) sessions

DSL Forum TR-101
This topic describes the DSL Forum TR-101 standard.

• Broadband Forum standard
• Migration to IP Ethernet access aggregation
• IPTV and VoIP
• DSL network transition to ADSL2+ and VDSL2

DSL Forum TR-101 is a standard that defines migration to IP Ethernet access aggregation.
TR-101 provides a blueprint for how to build a multiservice, triple-play broadband network and
includes the functional requirements of all the key network elements (residential gateway and
DSL router, access node and DSLAM, aggregation network and BNG).
It uses Ethernet technology to build system architectures with the bit rates and quality that are
needed for advanced services such as IPTV and VoIP. TR-101 also enables service providers to
evolve their DSL access networks to better support faster-rate technologies such as ADSL2+
and VDSL2. TR-101 builds on key features of Ethernet such as VLANs and multicast and the
widespread availability of Ethernet equipment. The benefits include reduced access aggregation
network and equipment port costs, as well as reduced network bandwidth requirements.



Service Provider Transport Technologies
This topic describes service provider transport technologies.

[Figure: Cisco IP NGN model (Access, Aggregation, IP Edge, Core) serving Residential, Mobile Users, and Business subscribers. Transport technologies: SONET/SDH, DWDM and ROADM, CES and TDMoIP, IP over DWDM, 10/40/100 Gigabit Ethernet. CES = circuit emulation service; DWDM = dense wavelength division multiplexing; ROADM = reconfigurable optical add-drop multiplexer; TDMoIP = time-division multiplexing over IP]

The transport networks are deployed by using different technologies in the different parts of the
network.

SONET/SDH
This topic describes SONET/SDH.

• SONET Synchronous Transport Signal: STS-<n>
• SDH Synchronous Transport Module: STM-<n>

Bit Rate (Mb/s)   SONET Signal   DS1 Channels   DS3 Channels   SDH Signal   E1 Channels   E4 Channels   Abbrev. Speed (Gb/s)
51.84             STS-1          28             1              STM-0        21            0
155.52            STS-3          84             3              STM-1        63            1
622.08            STS-12         336            12             STM-4        252           4
2488.32           STS-48         1344           48             STM-16       1008          16            2.5
9953.28           STS-192        5376           192            STM-64       4032          64            10
39813.1           STS-768        21504          768            STM-256      16128         256           40

SONET/SDH was initially designed to carry the 64-kb/s PCM voice channels that are commonly
used in telecommunications. Synchronous TDM is the basic technology that is used in the
SONET/SDH system.
The major difference between SONET and SDH is the terminology that is used to describe
them. A SONET optical carrier (OC)-3 signal, for example, is called an SDH STM-1 signal by
the ITU-T.
The SONET/SDH standard specifies standards for communication over fiber optics as well as
electrical carriers for lower-speed signaling rates (up to 155 Mb/s). The standard describes the
frame format that should be used to carry the different types of payload signals as well as the
control signaling that is needed to keep a SONET/SDH connection operational.
The SONET standard is mainly used in the United States, while the SDH standard is found in
Europe. In the United States, the SDH standard is used for international connections.



DWDM and ROADM
This topic describes DWDM and ROADM.

[Figure: DWDM line with a filter and EDFA at each end, an intermediate ROADM, and EDFAs at intermediate amplification sites. EDFA = erbium-doped fiber amplifier]

The WDM technology multiplexes several optical carrier signals into a single optical fiber by
using different wavelengths of laser light. Dense WDM (DWDM) refers to optical signals that
are multiplexed within the 1550-nm band.
Intermediate optical amplification sites in DWDM systems may allow for the dropping and
adding of certain wavelength channels. In earlier systems, adding or dropping wavelengths
required manually inserting or replacing wavelength-selective cards. This is costly and, in some
systems, requires that all active traffic be removed from the DWDM system, because inserting
or removing the wavelength-specific cards interrupts the multiwavelength optical signal.
A reconfigurable optical add-drop multiplexer (ROADM) is a form of optical add-drop
multiplexer that adds the ability to remotely switch traffic from a WDM system at the
wavelength layer. This allows individual or multiple wavelengths carrying data channels to be
added or dropped from a transport fiber without having to convert the signals on all of the
WDM channels to electronic signals and back again to optical signals.
With a ROADM, network operators can remotely reconfigure the multiplexer by sending soft
commands. The architecture of the ROADM is such that dropping or adding wavelengths does
not interrupt the “pass-through” channels. Numerous technological approaches are used for
various commercial ROADMs, the trade-off being between cost, optical power, and flexibility.

4-40 Building Cisco Service Provider Next-Generation Networks, Part 1 (SPNGN1) v1.01 © 2012 Cisco Systems, Inc.
CES and TDMoIP
This topic describes CES and TDMoIP.

Circuit emulation service:


• Allows DS and E circuits to be transparently extended across an ATM
network
• Used for communication between non-ATM and ATM devices

TDM over IP:


• Optimized for trunking T1 or E1, T3 or E3 across PSNs
• Simple
• Efficient


Circuit emulation service (CES) is typically used to transfer voice or video traffic across an
ATM network. Voice and video, unlike data traffic, are very sensitive to delay and delay
variance. CES uses VCs of the CBR ATM service category, which guarantees acceptable delay
and delay variation. CES is typically implemented on ATM switches, but it can be
implemented on ATM edge devices (such as routers) as well. CES is mostly used for
communication between non-ATM telephony devices (such as PBXs), TDM or video devices
(such as codecs), and ATM devices.
TDM over IP (TDMoIP) is a transport technology that is optimized for trunking T1 or E1, T3
or E3, and multiline voice and serial data across packet-switched networks (PSNs). TDMoIP
uses a PVC concept in which a PVC is set up to carry multiple voice and data channels in the
same trunk. With PVCs, the source and destination addresses are statically assigned for
multiple channels and, therefore, only a single IP header is needed. Increased simplicity and
efficiency are achieved since a bundle of channels can share a single header. This results in a
larger frame that cuts down on bandwidth requirements because less overhead is needed. It also
reduces performance requirements since larger frames require fewer packets per second from
routers and bridges. Furthermore, packetizing delay is reduced because each packet includes
small voice samples from multiple channels as opposed to a large voice sample from a single
voice channel.



IP over DWDM
This topic describes IP over DWDM.

Figure: IP over DWDM. Traditional design: router, cross-connect (XC), and separate transponders that perform O-E and E-O conversion before the ROADM. IPoDWDM design: integrated transponders on the router feed the ROADM directly, with no O-E-O conversion. (IPoDWDM = IP-over-DWDM)

Service providers continue to look for the best value when increasing network capacity to
accommodate the continued growth in IP traffic that is driven by data, voice, and especially
video traffic. The reasons for integrating IP and DWDM are simply to deliver a significant
reduction in capital expenditures and improve the operational efficiency of the network.
IP-over-DWDM (IPoDWDM) is a technology that integrates DWDM on routers. Routers must
support the ITU-T G.709 standard so that they can monitor optical paths. Element integration refers
to the ability to take multiple, separate elements that operate in the network and collapse them
into a single device without losing any of the desired functions for continued operation.
The integration of core routers with optical transport platforms eliminates the need for
optical-electrical-optical (OEO) modules (transponders) in those platforms.

Gigabit Ethernet
This topic describes Gigabit Ethernet.

• Support full-duplex operation only
• Preserve the 802.3 Ethernet frame format using the 802.3 MAC
• Preserve minimum and maximum frame size of current 802.3 standard
• Support a BER better than or equal to 10^-12 at the MAC and PLS service
interface
• Provide appropriate support for OTN
• Support a MAC data rate of 40/100 Gb/s
• Provide physical layer specifications which support 40- and 100-Gb/s
operation over various pluggable modules

IEEE 802.3ba is an IEEE standard of the 802.3 family of data link layer standards for Ethernet
LAN and WAN applications, whose objective is to support speeds faster than 10 Gb/s. The
standard supports 40- and 100-Gb/s transfer rates. The decision to include both speeds comes
from the demand to support the 40-Gb/s rate for local server applications and the 100-Gb/s rate
for Internet backbones.
The 40/100 Gigabit Ethernet standards include several different Ethernet physical layer (PHY)
specifications so that networking devices can support different pluggable modules.
These are the main objectives:
 Support full-duplex operation only
 Preserve the 802.3 Ethernet frame format using the 802.3 MAC
 Preserve the minimum and maximum frame size of the current 802.3 standard
 Support a bit error ratio (BER) better than or equal to 10^-12 at the MAC and Packet Label
Switching (PLS) service interface
 Provide appropriate support for the Optical Transport Network (OTN)
 Support a MAC data rate of 40 Gb/s
 Provide PHY specifications that support 40-Gb/s operation over these physical layers:
— At least 10 km on single-mode optical fiber (SMF)
— At least 100 m on OM3 multimode optical fiber (MMF)
— At least 7 m over a copper cable assembly
— At least 1 m over a backplane



 Support a MAC data rate of 100 Gb/s

 Provide PHY specifications that support 100-Gb/s operation over these physical layers:
— At least 40 km (24.85 miles) on SMF
— At least 10 km (6.21 miles) on SMF
— At least 100 m (328 feet) on OM3 MMF
— At least 7 m (23 feet) over a copper cable assembly

Summary
This topic summarizes the key points that were discussed in this lesson.

• Service Provider’s access and edge technologies are used in the access
and IP edge networks of the Cisco IP NGN.
• Frame Relay is a connection-oriented data-link technology that is
streamlined to provide high performance and efficiency.
• The ATM cell relay technology is designed for high-speed transfer of
voice, video, and data through public and private networks.
• A Metro Ethernet is an Ethernet-based computer network that covers a
metropolitan area.
• DSL technology is an always-on connection technology that uses
existing twisted-pair telephone lines to transport data.
• The bit rate of a DS0 is 64 kb/s.
• ISDN provides dial-up connectivity to a service provider network similar
to standard modem connectivity, but uses digital technology.


• A mobile network is a radio network that is distributed over land areas
that are called cells.
• Cable-based WANs use the existing coaxial television signal distribution
network to offer IP connectivity.
• GPON is a gigabit fiber-optic access network.
• FTTx is the deployment of optical fiber cable to a specific location
relative to the customer premises.
• A BRAS is an aggregation point for subscriber traffic and provides
session termination and subscriber management functions.
• The BNG is primarily responsible for residential high-speed Internet
subscriber management and wholesale services.
• DSL Forum TR-101 provides a blueprint for how to build a multiservice,
triple-play broadband network and includes the functional requirements
of all the key network elements.




• Service Provider’s transport technologies are used in the core networks
of the Cisco IP NGN.
• The SONET standard is mainly used in the United States, while the SDH
standard is found in Europe.
• The WDM technology multiplexes several optical carrier signals into a
single optical fiber by using different wavelengths of laser light.
• TDM over IP (TDMoIP) is a transport technology that is optimized for
trunking T1 or E1, T3 or E3, and multiline voice and serial data across
packet-switched networks.
• IP-over-DWDM is a technology that integrates DWDM on routers.
• IEEE 802.3ba is an IEEE standard of the 802.3 family of data link layer
standards for Ethernet LAN and WAN applications, whose objective is to
support speeds faster than 10 Gb/s.


Lesson 3

Enabling the WAN Internet Connection

Overview
Small sites commonly use the Internet to connect to other sites. Internet service is obtained
through an ISP. Choosing the appropriate access network technology and ensuring the
availability of suitable bandwidth are the first considerations to address when connecting small
sites. DSL, cable, or fiber to the x (FTTx) technology often provides the physical connection.
Two scalability challenges that face the Internet are the depletion of the registered IPv4 address
space and scaling in routing. Cisco IOS Network Address Translation (NAT) and Port Address
Translation (PAT) are mechanisms for conserving registered IP addresses in large networks,
and they also simplify IP addressing tasks. NAT and PAT translate IP addresses within private
internal networks to legal IP addresses for transport over public external networks, such as the
Internet, without requiring a registered subnet address.
In some cases, the ISP provides a static IP address for the interface that is connected to the
Internet. In other cases, this IP address is provided by the use of DHCP.
This lesson describes the basic concepts of Internet connectivity.

Objectives
Upon completing this lesson, you will be able to configure Internet access by using the DHCP
client, NAT, and PAT on Cisco routers. This ability includes being able to meet these
objectives:
 Define requirements for Internet connection at the customer site
 Describe Network Address Translation
 Describe Port Address Translation
 Describe the types of NAT
 Describe static NAT
 Describe how to configure and verify static NAT on Cisco IOS routers
 Describe dynamic NAT and PAT
 Describe how to configure and verify dynamic NAT on Cisco IOS routers
 Describe how to configure and verify PAT on Cisco IOS routers
 Describe using DHCP to acquire the IP address
 Describe DHCP configuration options
 Describe the sequence of operations for dynamically assigning IP addresses using DHCPv4
 Describe DHCPv4 relay
 Describe DHCPv6
 Describe the sequence of operations for dynamically assigning IP addresses using DHCPv6
 Describe how to configure a Cisco IOS router to function as a DHCP server
 Describe how to configure DHCP relay on a Cisco IOS router
 Describe how to configure a Cisco IOS device to obtain an IP address via DHCP

Internet Access Basics
This topic describes requirements for an Internet connection at the customer site.


The Internet has grown into the largest network on Earth, providing access to information and
communication for business and home users. The Internet can be seen as a network of
networks, consisting of a worldwide mesh of hundreds of thousands of networks that are owned
and operated by millions of companies and individuals all over the world, all connected to
thousands of ISPs.




ISPs use several different WAN technologies to connect their subscribers. The connection type
that is used on the local loop, or last mile, may not be the same as the WAN connection type
that is employed within the ISP network or between various ISPs.
Each of these technologies provides advantages and disadvantages for the customer. Not all
technologies are available in all locations. When a service provider receives data, it must
forward this data to other remote sites for final delivery to the recipient. These remote sites
connect either to the ISP network or pass from ISP to ISP to the recipient. Long-range
communications are usually those connections between ISPs or between branch offices in very
large companies.
Some of the most popular connection types include:
 DSL
 Cable
 Wireless
 Leased lines
 Satellite

Figure: Customer site connectivity. On the customer side of the demarcation point, the LAN connects through CPE (router with CSU/DSU, cable modem, media converter, DSL modem, or wireless router) to the service provider network.

While functions within the service provider network are not usually of concern to the customer,
there are still some terms and concepts relating to them that you should be familiar with.
The service providers install a connection point (usually in the form of an RJ-45 jack) that
physically connects a circuit to their nearest switching office. This is known as the demarcation
point and represents the point at which the service provider’s responsibility is said to end. In
other words, the service provider will ensure that the link functions correctly up to that point.
The other end of this link connects to the service provider network. These links are part of what
is known as the local loop or last mile. The local loop may consist of a variety of technologies,
including DSL, cable, fiber optics, traditional twisted-pair wiring, and more.
On the customer side of the demarcation point is the location of the customer premises
equipment (CPE). The term CPE is often used quite loosely, but traditionally refers to
equipment that is owned and managed by the customer for the purpose of connecting to the
service provider network. However, many companies lease CPE from their service providers,
and this equipment is still considered to be CPE. Before physically connecting to a service
provider network, a company needs to determine the type of WAN service or connectivity that
it requires.



NAT Basics
This topic describes Network Address Translation.

• Address pool usage introduced conservation and optimization efforts:


- PPP and DHCP address sharing, and endpoints behind NAT
- Subscriber-grade and carrier-grade NAT
• Theoretical limit of 32-bit space is approximately 4.3 billion devices.
• Practical limit of 32-bit space is approximately 250 million devices.
• Neither of these can accommodate one IP address per person.

Figure: IPv4 address space consumption over time (percentage of total space used, 1980 to 2010):
1981: IPv4 published
1985: ~1/16 of total space used
1990: ~1/8 of total space used
1995: ~1/3 of total space used
2000: ~1/2 of total space used
2003: ~2/3 of total space used
2005: ~3/4 of total space used
2010: ~9/10 of total space used

The 32-bit address space of IPv4 accommodates more than 4 billion devices, which is
insufficient for current needs. NAT was the proposed temporary workaround. NAT introduced
a model in which a device facing outward to the Internet would have a globally routable IPv4
address, while the internal network would be configured with private addresses. These private
addresses could never leave the site, so they could be identical in many different enterprise
networks.
NAT is like the receptionist in a large office. Assume that you have left instructions with the
receptionist not to forward any calls to you unless you request it. Later on, you call a potential
client and leave a message for them to call you back. You tell the receptionist that you are
expecting a call from this client, and you ask the receptionist to put them through to your
telephone. The client calls the main number to your office, which is the only number that the
client knows. When the client tells the receptionist who they are looking for, the receptionist
checks a lookup table that matches your name to your extension. The receptionist knows that
you requested this call; therefore, the receptionist forwards the caller to your extension.
NAT offers these benefits:
 Eliminates the need to readdress all hosts that require external access, saving time and
money.
 Conserves addresses through application port-level multiplexing. With PAT, multiple
internal hosts can share a single registered IPv4 address for all external communication. In
this type of configuration, relatively few external addresses are required to support many
internal hosts; thus conserving IPv4 addresses.
 Protects network security. Because private networks do not advertise their addresses or
internal topology, they remain reasonably secure when they gain controlled external access
in conjunction with NAT.

• An IP address is either local or global.
• Local IP addresses are seen in the inside network.
• Global IP addresses are seen in the outside network.


NAT operates on a Cisco router and is designed for IPv4 address simplification and
conservation. NAT enables private IPv4 internetworks that use nonregistered IPv4 addresses to
connect to the Internet. Usually, NAT connects two networks and translates the private (inside
local) addresses in the internal network into public addresses (inside global) before packets are
forwarded to another network. As part of this functionality, you can configure NAT to advertise
only one address for the entire network to the outside world. Advertising only one address
effectively hides the internal network from the world; thus providing additional security.
Any device that is between an internal network and the public network—such as a firewall, a
router, or a computer—uses NAT, which is defined in RFC 1631.
In NAT terminology, the “inside network” is the set of networks that are subject to translation.
The IP address ranges defined in RFC 1918 are reserved for private addressing and are
not routable on the Internet. NAT translates these private addresses to globally routable
addresses. The “outside network” refers to all other addresses. Usually, these are valid
addresses that are located on the Internet.
Cisco defines the following list of NAT terms:
 Inside local address: The IPv4 address that is assigned to a host on the inside network.
The inside local address is likely not an IPv4 address that is assigned by the network
information center or service provider.
 Inside global address: A legitimate IPv4 address that is assigned by the network
information center or service provider that represents one or more inside local IPv4
addresses to the outside world.
 Outside local address: The IPv4 address of an outside host as it appears to the inside
network. Not necessarily legitimate, the outside local address is allocated from a routable
address space on the inside.
 Outside global address: The IPv4 address that is assigned to a host on the outside network
by the host owner. The outside global address is allocated from a globally routable address
or network space.



Port Address Translation
This topic describes Port Address Translation.

Figure: PAT example in which the inside host 10.6.1.6 sends from source port 1311 (shown as 10.6.1.6:1311) and shares one inside global address with other inside hosts.

One of the main features of NAT is static PAT, which is also referred to as overload in the
Cisco IOS configuration. PAT allows you to translate multiple internal addresses into a single
external address, essentially allowing the internal addresses to share one external address.
 PAT uses unique source port numbers on the inside global IPv4 address to distinguish
between translations. Because the port number is encoded in 16 bits, the total number of
internal addresses that NAT can translate into one external address is, theoretically, as
many as 65,536.
 PAT attempts to preserve the original source port. If the source port is already allocated,
PAT attempts to find the first available port number. It starts from the beginning of the
appropriate port group, 0 to 511, 512 to 1023, or 1024 to 65535. For TCP and UDP, the
ranges are: 1 to 511, 512 to 1023, and 1024 to 65535. For Internet Control Message
Protocol (ICMP), the first group starts at 0. If PAT does not find an available port from the
appropriate port group and if more than one external IPv4 address is configured, PAT
moves to the next IPv4 address and tries to allocate the original source port again. PAT
continues trying to allocate the original source port until it runs out of available ports and
external IPv4 addresses.
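The port-selection rules above, as an added Python simulation that is not Cisco's code or the Cisco IOS implementation: a translation table keyed on inside global address, protocol, and port, where allocate() first tries to keep the original source port, then scans from the start of that port's group, and finally moves on to the next configured inside global address; lookup_inbound() is the reverse lookup that a returning packet triggers. The inside global address 203.0.113.1 (and 203.0.113.2 in the usage) and the inside hosts are constructed values, and the model keys entries on the source side only, ignoring the destination tuple and the timeouts that a real router also tracks.

```python
"""Added example: PAT (NAT overload) source-port allocation as the text describes it."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Port groups from the text: TCP and UDP use 1-511, 512-1023 and 1024-65535;
# for ICMP the first group starts at 0 (ICMP carries a query ID instead of a port).
TCP_UDP_GROUPS = ((1, 511), (512, 1023), (1024, 65535))
ICMP_GROUPS = ((0, 511), (512, 1023), (1024, 65535))


def port_group(proto: str, port: int) -> Tuple[int, int]:
    """Return the (low, high) bounds of the group that `port` belongs to."""
    groups = ICMP_GROUPS if proto == "icmp" else TCP_UDP_GROUPS
    for low, high in groups:
        if low <= port <= high:
            return (low, high)
    raise ValueError(f"{proto} port {port} is outside the valid range")


@dataclass
class PatTable:
    """Translation table of a PAT router with one or more inside global addresses."""
    global_addrs: Tuple[str, ...]
    # (inside global addr, proto, inside global port) -> (inside local addr, inside local port)
    table: Dict[Tuple[str, str, int], Tuple[str, int]] = field(default_factory=dict)

    def _is_free(self, gaddr: str, proto: str, port: int) -> bool:
        return (gaddr, proto, port) not in self.table

    def allocate(self, proto: str, local_addr: str, local_port: int) -> Optional[Tuple[str, int]]:
        """Choose the inside global (address, port) for a new outbound flow.

        1. Keep the original source port if it is free on the current global address.
        2. Otherwise take the first free port, scanning from the start of the
           original port's group.
        3. If that group is exhausted, move to the next global address and retry,
           again preferring the original port.
        Returns None once every address has run out of ports in that group.
        """
        low, high = port_group(proto, local_port)
        for gaddr in self.global_addrs:
            if self._is_free(gaddr, proto, local_port):
                chosen: Optional[int] = local_port
            else:
                chosen = next((p for p in range(low, high + 1)
                               if self._is_free(gaddr, proto, p)), None)
            if chosen is not None:
                self.table[(gaddr, proto, chosen)] = (local_addr, local_port)
                return (gaddr, chosen)
        return None

    def lookup_inbound(self, proto: str, gaddr: str, gport: int) -> Optional[Tuple[str, int]]:
        """Reverse lookup for a returning packet: inside global (addr, port) -> inside local."""
        return self.table.get((gaddr, proto, gport))


if __name__ == "__main__":
    pat = PatTable(("203.0.113.1",))                # constructed inside global address
    print(pat.allocate("tcp", "10.1.1.2", 40000))   # original port is kept
    print(pat.allocate("tcp", "10.1.1.3", 40000))   # clash: first free port of the 1024-65535 group
    print(pat.lookup_inbound("tcp", "203.0.113.1", 1024))
```

Running the exhaustion case (511 flows that all want a port in the 1-511 group on one address) shows why the text's limit of 65,536 translations per address is only theoretical: the group a flow lands in is decided by its original source port, so one crowded group spills over to the next inside global address while other groups on the first address are still free.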

NAT Types
This topic describes the types of NAT.

Three types of NAT:


• Static NAT: One-to-one address mapping
• Dynamic NAT: Many-to-many address mapping
• NAT overloading: Many-to-one address mapping


NAT has many forms and can work in the following ways:
 Static NAT: Maps an unregistered IPv4 address to a registered IPv4 address (one to one).
Static NAT is particularly useful when a device must be accessible from outside the
network.
 Dynamic NAT: Maps an unregistered IPv4 address to a registered IPv4 address from a
group of registered IPv4 addresses.
 NAT overloading: Maps multiple unregistered IPv4 addresses to a single registered IPv4
address (many to one) by using different ports. Overloading is also known as PAT and is a
form of dynamic NAT.



Static NAT
This topic describes how to translate inside source addresses by using static translation.


You can translate your own IPv4 addresses into globally unique IPv4 addresses when you are
communicating outside your network. You can configure static or dynamic inside
source translation.

Example: Translating Inside Source Addresses


The figure illustrates a router that is translating a source address inside a network into a source
address outside the network. The steps for translating an inside source address are as follows:
Step 1 The user at host 1.1.1.1 opens a connection to host B.
Step 2 The first packet that the router receives from host 1.1.1.1 causes the router to check
its NAT table.
 If a static translation entry was configured, the router goes to Step 3.
 If no static translation entry exists, the router determines that the source address
1.1.1.1 (SA 1.1.1.1) must be translated dynamically. The router then selects a
legal, global address from the dynamic address pool and creates a translation
entry (in the example, 2.2.2.2). This type of entry is called a simple entry.
Step 3 The router replaces the inside local source address of host 1.1.1.1 with the
translation entry global address and forwards the packet.
Step 4 Host B receives the packet and responds to host 1.1.1.1 by using the inside global
IPv4 destination address 2.2.2.2 (DA 2.2.2.2).

Step 5 When the router receives the packet with the inside global IPv4 address, the router
performs a NAT table lookup by using the inside global address as a key. The router
then translates the address back to the inside local address of host 1.1.1.1 and
forwards the packet to host 1.1.1.1.
Step 6 Host 1.1.1.1 receives the packet and continues the conversation. The router performs
Steps 2 through 5 for each packet.
The order in which the router processes traffic is dependent upon whether the NAT translation
is a global-to-local translation or a local-to-global translation. The following table illustrates the
order in which a router processes traffic, depending upon the direction of the translation.

Local-to-Global
1. If using IP Security (IPsec), check the input access list.
2. Perform decryption—for Cisco Encryption Technology or IPsec.
3. Check the inbound access list.
4. Check the input rate limits.
5. Perform input accounting.
6. Perform policy routing.
7. Route the packet.
8. Redirect to the web cache.
9. Perform NAT inside-to-outside (local-to-global translation).
10. Check the crypto map and mark it for encryption if appropriate.
11. Check the outbound access list.

Global-to-Local
1. If using IPsec, check the input access list.
2. Perform decryption—for Cisco Encryption Technology or IPsec.
3. Check the inbound access list.
4. Check the input rate limits.
5. Perform input accounting.
6. Perform NAT outside-to-inside (global-to-local translation).
7. Perform policy routing.
8. Route the packet.
9. Redirect to the web cache.
10. Check the crypto map and mark for encryption if appropriate.
11. Check the outbound access list.
12. Inspect the Context-Based Access Control (CBAC).
13. Perform TCP Intercept.
14. Perform encryption.
15. Perform queuing.



Implementing Static NAT
This topic describes how to configure and verify static NAT on Cisco IOS routers.

RouterX(config)# ip nat inside source static local-ip global-ip


• Establishes static translation between an inside local address and an
inside global address

RouterX(config-if)# ip nat inside


• Marks the interface as connected to the inside

RouterX(config-if)# ip nat outside


• Marks the interface as connected to the outside

RouterX# show ip nat translations


• Displays active translations


To configure static inside source address translation on Cisco IOS and IOS XE, follow these
steps.
Configure Static Inside Source Address Translation Procedure

Step 1. Establish static translation between an inside local address and an inside global address.
        RouterX(config)# ip nat inside source static local-ip global-ip
        Note: Enter the no ip nat inside source static global command to remove the source translation.
Step 2. Specify the inside interface.
        RouterX(config)# interface type number
        Note: After you enter the interface command, the CLI prompt changes from (config)# to (config-if)#.
Step 3. Mark the interface as connected to the inside.
        RouterX(config-if)# ip nat inside
Step 4. Specify the outside interface.
        RouterX(config-if)# interface type number
Step 5. Mark the interface as connected to the outside.
        RouterX(config-if)# ip nat outside

Use the command show ip nat translations in EXEC mode to display active translation
information.

Figure: RouterX with inside interface E0 (10.1.1.1) and outside interface S0 (192.168.1.1) toward the Internet; packets from host 10.1.1.2 (SA 10.1.1.2) leave with source address 192.168.1.2 (SA 192.168.1.2).
interface s0
ip address 192.168.1.1 255.255.255.0
ip nat outside
!
interface e0
ip address 10.1.1.1 255.255.255.0
ip nat inside
!
ip nat inside source static 10.1.1.2 192.168.1.2

RouterX# show ip nat translations


Pro Inside global Inside local Outside local Outside global
--- 192.168.1.2 10.1.1.2 --- ---


Example: Static NAT Address Mapping


The example shows the use of discrete address mapping with static NAT translations. The
router translates packets from host 10.1.1.2 to a source address of 192.168.1.2.



Dynamic NAT and PAT
This topic describes dynamic NAT and PAT.

Figure (static): inside web server 10.0.1.11 and FTP server 10.0.1.12 are mapped to the fixed outside addresses 172.16.1.9 and 172.16.1.10 toward the Internet.

• Used for NAT “permanent” address assignments
• Used mostly for server connections

Figure (dynamic pool): inside hosts 10.0.1.11 and 10.0.1.12 receive global addresses from a dynamic pool on the outside toward the Internet.

• Used for both NAT and PAT address assignments
• Inside end user receives an address from a pool of available addresses
• Used mostly for outbound end-user connections

Dynamic NAT is a type of NAT in which private IP addresses are mapped to a pool of
registered public IP addresses. The NAT device in a network keeps a table of registered IP
addresses, and when a private IP address requests access to the Internet, the NAT device
chooses an IP address from the table that is currently not in use.
With dynamic NAT, a NAT device can be configured with more IP addresses in the inside local
address list than in the inside global address pool. The NAT device allocates addresses from the
inside global address pool until all are allocated. If a new packet arrives, and it needs a NAT
entry, but all the pooled IP addresses are already allocated, the router discards the packet. The
user must try again until a NAT entry times out.
Dynamic NAT is most commonly used within enterprise networks in combination with PAT. It
provides more efficient usage of registered IPv4 addresses than static NAT.
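Steps 1 through 6 of the translation walkthrough in the Static NAT topic, together with the pool-exhaustion behaviour just described, as an added Python simulation that is not Cisco's code: a NatTable holds configured static entries and the simple entries that are allocated from a pool of inside global addresses, and its two lookups correspond to the inside-to-outside and outside-to-inside directions. The static mapping of 10.1.1.2 to 192.168.1.2 is the earlier example from this lesson; the pool addresses 192.168.1.10 and 192.168.1.11 and the other inside hosts are constructed, and entry timeouts are modelled only as an explicit expire() call.

```python
"""Added example: inside source translation with static entries and a dynamic pool."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class NatTable:
    """NAT table of a router that translates inside local to inside global addresses."""
    pool: List[str]                                          # free inside global addresses
    static: Dict[str, str] = field(default_factory=dict)     # configured: inside local -> inside global
    dynamic: Dict[str, str] = field(default_factory=dict)    # simple entries: inside local -> inside global

    def add_static(self, inside_local: str, inside_global: str) -> None:
        """Counterpart of 'ip nat inside source static local-ip global-ip'."""
        self.static[inside_local] = inside_global

    def translate_outbound(self, inside_local: str) -> Optional[str]:
        """Steps 2 and 3 for an inside-to-outside packet.

        A configured static entry or an existing simple entry is reused; otherwise a
        simple entry is created from the pool. None means the pool is exhausted and
        the router discards the packet.
        """
        if inside_local in self.static:
            return self.static[inside_local]
        if inside_local in self.dynamic:
            return self.dynamic[inside_local]
        if not self.pool:
            return None
        inside_global = self.pool.pop(0)
        self.dynamic[inside_local] = inside_global
        return inside_global

    def translate_inbound(self, inside_global: str) -> Optional[str]:
        """Step 5 for an outside-to-inside packet: look up by inside global address.

        None means no entry exists, so the packet is not delivered to any inside host.
        """
        for entries in (self.static, self.dynamic):
            for local, glob in entries.items():
                if glob == inside_global:
                    return local
        return None

    def expire(self, inside_local: str) -> None:
        """A simple entry timing out returns its inside global address to the pool."""
        inside_global = self.dynamic.pop(inside_local, None)
        if inside_global is not None:
            self.pool.append(inside_global)


if __name__ == "__main__":
    nat = NatTable(pool=["192.168.1.10", "192.168.1.11"])   # constructed pool
    nat.add_static("10.1.1.2", "192.168.1.2")                # static mapping from the text
    print(nat.translate_outbound("10.1.1.20"))               # first pool address
    print(nat.translate_outbound("10.1.1.21"))               # second pool address, pool now empty
    print(nat.translate_outbound("10.1.1.22"))               # None: the packet is discarded
    print(nat.translate_inbound("192.168.1.2"))              # static entry answers with no prior outbound traffic
```

The difference between the two entry kinds is the point worth noticing from a security standpoint: translate_inbound() resolves a static entry whether or not the inside host ever sent anything, which is what makes static NAT suitable for servers and is also why such a host is reachable from the outside at all times, whereas a simple entry exists only after inside-initiated traffic created it and disappears when it expires.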

Implementing Dynamic Translation
This topic describes how to configure and verify dynamic NAT on Cisco IOS routers.

RouterX(config)# ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}

• Defines a pool of global addresses to be allocated as needed

RouterX(config)# access-list access-list-number permit source [source-wildcard]

• Defines a standard IP ACL permitting those inside local addresses that are to be translated

RouterX(config)# ip nat inside source list access-list-number pool name

• Establishes dynamic source translation, specifying the ACL that was defined in the previous step

RouterX# show ip nat translations

• Displays active translations

To configure dynamic inside source address translation on Cisco IOS and IOS XE, follow
these steps.
Configure Dynamic Inside Source Address Translation Procedure

Step 1. Define a pool of global addresses to be allocated as needed.
        RouterX(config)# ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
        Note: Enter the no ip nat pool global command to remove the pool of global addresses.
Step 2. Define a standard access control list (ACL) that permits the addresses that are to be translated.
        RouterX(config)# access-list access-list-number permit source [source-wildcard]
        Note: Enter the no access-list access-list-number global command to remove the ACL.
Step 3. Establish dynamic source translation, specifying the ACL that was defined in the prior step.
        RouterX(config)# ip nat inside source list access-list-number pool name
        Note: Enter the no ip nat inside source global command to remove the dynamic source translation.
Step 4. Specify the inside interface.
        RouterX(config)# interface type number
        Note: After you enter the interface command, the CLI prompt changes from (config)# to (config-if)#.
Step 5. Mark the interface as connected to the inside.
        RouterX(config-if)# ip nat inside
Step 6. Specify the outside interface.
        RouterX(config-if)# interface type number
Step 7. Mark the interface as connected to the outside.
        RouterX(config-if)# ip nat outside

Caution The ACL must permit only those addresses that are to be translated. Remember that there
is an implicit “deny any” statement at the end of each ACL. An ACL that is too permissive
can lead to unpredictable results. Using “permit any” can result in NAT consuming too many
router resources, which can cause network problems.

Use the command show ip nat translations in EXEC mode to display active translation
information.

RouterX# show ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 171.69.233.209 192.168.1.100 --- ---
--- 171.69.233.210 192.168.1.101 --- ---


Example: Dynamic Address Translation

In the example, dynamic address translation translates all source addresses that are permitted by
ACL 1—source addresses from the 192.168.1.0/24 network—into one address from the net-208
pool. The pool contains addresses from 171.69.233.209/28 to 171.69.233.222/28.

Implementing PAT
This topic describes how to configure and verify PAT on Cisco IOS routers.


You can conserve addresses in the inside global address pool by allowing the router to use one
inside global address for many inside local addresses. When this overloading (PAT) is
configured, the router maintains enough information from higher-level protocols—for example,
TCP or UDP port numbers—to translate the inside global address back into the correct inside
local address. When multiple inside local addresses map to one inside global address, the TCP
or UDP port numbers of each inside host distinguish between the local addresses.

Example: Overloading an Inside Global Address

The figure illustrates NAT operation when one inside global address represents multiple inside
local addresses. The TCP port numbers act as differentiators. Both host B and host C think they
are talking to a single host at address 2.2.2.2. They are actually talking to different hosts; the
port number is the differentiator. In fact, many inside hosts could share the inside global IPv4
address by using many port numbers.
The router performs the following process when it overloads inside global addresses:
Step 1 The user at host 1.1.1.1 opens a connection to host B.
Step 2 The first packet that the router receives from host 1.1.1.1 causes the router to check
its NAT table.
If no translation entry exists, the router determines that address 1.1.1.1 must be
translated and sets up a translation of inside local address 1.1.1.1 into a legal inside
global address. If overloading is enabled and another translation is active, the router
reuses the inside global address from that translation and saves enough information
to be able to translate back. This type of entry is called an extended entry.
Step 3 The router replaces the inside local source address 1.1.1.1 and port 1024 with the
selected inside global address 2.2.2.2 and port 1024 and forwards the packet.



Step 4 Host B receives the packet and responds to host 1.1.1.1 by using the inside global
IPv4 address 2.2.2.2 and port 1024.
Step 5 When the router receives the packet with the inside global IPv4 address, the router
performs a NAT table lookup. Using the inside global address and port and outside
global address and port as a key (2.2.2.2:1024), the router translates the address back
into the inside local address 1.1.1.1 and port 1024 and forwards the packet to host
1.1.1.1.
Step 6 Host 1.1.1.1 receives the packet and continues the conversation. The router performs
Steps 2 through 5 for each packet.
Similar steps will occur when the user at host 1.1.1.2 opens a connection to host C.

RouterX(config)# access-list access-list-number permit source source-wildcard
• Defines a standard IP ACL that will permit the inside local addresses that are to be translated

RouterX(config)# ip nat inside source list access-list-number interface interface overload
• Establishes dynamic source translation, specifying the ACL that was defined in the previous step

RouterX# show ip nat translations
• Displays active translations


To configure overloading of inside global addresses on the Cisco IOS and IOS XE, follow the
steps in the table.

Configure Overloading (PAT) of Inside Global Addresses Procedure

Step 1. Define a standard ACL that permits the addresses that are to be translated.
    RouterX(config)# access-list access-list-number permit source [source-wildcard]
    Note: Enter the no access-list access-list-number global command to remove the ACL.

Step 2. Establish dynamic source translation, specifying the ACL that was defined in the prior step.
    RouterX(config)# ip nat inside source list access-list-number interface interface overload
    Note: Enter the no ip nat inside source global command to remove the dynamic source translation. The keyword overload enables PAT.

Step 3. Specify the inside interface.
    RouterX(config)# interface type number
    RouterX(config-if)# ip nat inside
    Note: After you enter the interface command, the CLI prompt changes from (config)# to (config-if)#.

Step 4. Specify the outside interface.
    RouterX(config-if)# interface type number
    RouterX(config-if)# ip nat outside

Use the command show ip nat translations in EXEC mode to display active translation
information.



hostname RouterX
!
interface Ethernet0
ip address 192.168.3.1 255.255.255.0
ip nat inside
!
interface Ethernet1
ip address 192.168.4.1 255.255.255.0
ip nat inside
!
interface Serial0
description To ISP
ip address 172.17.38.1 255.255.255.0
ip nat outside
!
ip nat inside source list 1 interface Serial0 overload
!
ip route 0.0.0.0 0.0.0.0 Serial0
!
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 1 permit 192.168.4.0 0.0.0.255
!

RouterX# show ip nat translations
Pro Inside global Inside local Outside local Outside global
TCP 172.17.38.1:1050 192.168.3.7:1050 10.1.1.1:23 10.1.1.1:23
TCP 172.17.38.1:1776 192.168.4.12:1776 10.2.2.2:25 10.2.2.2:25


In the example, PAT overloading translates all source addresses that are permitted by ACL 1—
source addresses from the 192.168.3.0/24 and 192.168.4.0/24 networks—to the serial 0
interface IP address as the inside global address.
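The following Python model is added here as an illustration; it is not part of the course material or Cisco IOS. It plays through both the dynamic NAT example (net-208 pool, ACL 1 permitting 192.168.1.0/24) and the PAT example above (ACL 1 permitting 192.168.3.0/24 and 192.168.4.0/24, Serial0 address 172.17.38.1): the wildcard-mask ACL match with its implicit deny, the extended entry keyed on inside global and outside global address and port, the reverse lookup for replies, pool exhaustion, and a source-port collision between two inside hosts. Choosing the lowest free port from 1024 on a collision and forwarding ACL-denied packets untranslated are assumptions of this model, not statements from the page.

```python
"""Model of the dynamic NAT and PAT (overload) translation tables described in this lesson.

Added illustration, not Cisco IOS code. Models a standard ACL with wildcard masks, dynamic
NAT from a pool (one inside global address per inside local address) and PAT extended entries
keyed by inside global address and port plus outside global address and port (Steps 1-6 above).
Lowest-free-port-from-1024 on a port collision is this model's assumption.
"""
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

Packet = Tuple[str, int, str, int]  # (src, sport, dst, dport) as carried in the packet header


def acl_entry(network: str, wildcard: str):
    """One 'access-list N permit network wildcard' line. A 0 bit in the wildcard must
    match, a 1 bit is don't-care, so 0.0.0.255 permits a whole /24."""
    care = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    want = int(IPv4Address(network)) & care
    return lambda addr: (int(IPv4Address(addr)) & care) == want


def acl_permits(acl, addr: str) -> bool:
    """Standard ACL: a matching permit line wins; otherwise the implicit 'deny any' applies."""
    return any(entry(addr) for entry in acl)


class NatRouter:
    def __init__(self, acl, pool: List[str], overload: bool):
        self.acl, self.pool, self.overload = acl, pool, overload
        self.simple: Dict[str, str] = {}               # inside local -> inside global (dynamic NAT)
        self.out: Dict[tuple, int] = {}                # (proto, il, ilp, og, ogp) -> inside global port
        self.back: Dict[tuple, Tuple[str, int]] = {}   # (proto, ig, igp, og, ogp) -> (il, ilp)
        self.used_ports: Dict[str, set] = {}

    def _pick_port(self, ig: str, wanted: int) -> int:
        """Keep the source port when it is still free on the inside global address."""
        used = self.used_ports.setdefault(ig, set())
        port = wanted if wanted not in used else next(p for p in range(1024, 65536) if p not in used)
        used.add(port)
        return port

    def outbound(self, proto: str, src: str, sport: int, dst: str, dport: int) -> Optional[Packet]:
        """Packet entering an 'ip nat inside' interface and leaving an 'ip nat outside' one.
        Returns the forwarded header, or None when the packet is dropped."""
        if not acl_permits(self.acl, src):
            return (src, sport, dst, dport)        # not permitted by the ACL: forwarded untranslated
        if not self.overload:                      # dynamic NAT: one pool address per inside host
            ig = self.simple.get(src)
            if ig is None:
                free = [a for a in self.pool if a not in self.simple.values()]
                if not free:
                    return None                    # pool exhausted
                ig = self.simple[src] = free[0]
            return (ig, sport, dst, dport)
        ig = self.pool[0]                          # PAT: all inside hosts share one inside global address
        key = (proto, src, sport, dst, dport)
        if key not in self.out:                    # first packet of a flow: create an extended entry
            igp = self._pick_port(ig, sport)
            self.out[key] = igp
            self.back[(proto, ig, igp, dst, dport)] = (src, sport)
        return (ig, self.out[key], dst, dport)

    def inbound(self, proto: str, src: str, sport: int, dst: str, dport: int) -> Optional[Packet]:
        """Reply arriving on the outside interface: look the destination up and translate it back."""
        if self.overload:
            hit = self.back.get((proto, dst, dport, src, sport))
            return None if hit is None else (src, sport, hit[0], hit[1])
        for il, ig in self.simple.items():
            if ig == dst:
                return (src, sport, il, dport)
        return None

    def translations(self) -> List[str]:
        """Rows in the column order of 'show ip nat translations'."""
        if self.overload:
            return [f"{p} {ig}:{igp} {il}:{ilp} {og}:{ogp} {og}:{ogp}"
                    for (p, ig, igp, og, ogp), (il, ilp) in self.back.items()]
        return [f"--- {ig} {il} --- ---" for il, ig in self.simple.items()]


# PAT scenario from the lesson: ACL 1 permits 192.168.3.0/24 and 192.168.4.0/24, and the
# Serial0 address 172.17.38.1 is the only inside global address.
ACL1 = [acl_entry("192.168.3.0", "0.0.0.255"), acl_entry("192.168.4.0", "0.0.0.255")]


def pat_demo() -> NatRouter:
    r = NatRouter(ACL1, ["172.17.38.1"], overload=True)
    r.outbound("TCP", "192.168.3.7", 1050, "10.1.1.1", 23)
    r.outbound("TCP", "192.168.4.12", 1776, "10.2.2.2", 25)
    return r


def dynamic_demo() -> NatRouter:
    """Dynamic NAT scenario: net-208 pool 171.69.233.209-222 and ACL 1 permitting 192.168.1.0/24."""
    pool = [str(IPv4Address("171.69.233.209") + i) for i in range(14)]
    return NatRouter([acl_entry("192.168.1.0", "0.0.0.255")], pool, overload=False)
```

Running pat_demo().translations() yields the two rows of the show ip nat translations output above; the model's extended entries are why the reply to 172.17.38.1:1050 from 10.1.1.1:23 goes back to 192.168.3.7 and not to 192.168.4.12.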

Acquiring Addresses with DHCP
This topic describes using DHCP to acquire the IP address.

[Figure: the service provider dynamically provides IP addresses through DHCP. DHCP clients in the
service provider access network obtain their addresses from a DHCP server; the access network
connects to the Internet.]


The DHCP service enables devices on a network to obtain IP addresses and other information
from a DHCP server. This service automates the assignment of IP addresses, subnet masks,
gateways, and other IP networking parameters.
A service provider will sometimes provide a static address for an interface that is connected to
the Internet. In other cases, this address is provided by using DHCP. On larger local networks,
or where the user population changes frequently, DHCP is preferred. New users may arrive
with laptops and need a connection. Others have new workstations that need to be connected.
Rather than have the network administrator assign IP addresses for each workstation, it is more
efficient to have IP addresses assigned automatically by using DHCP.
If the ISP uses DHCP to provide interface addressing, no manual address can be configured.
Instead, the interface is configured to operate as a DHCP client. This configuration means that
when the router is connected to a cable modem, for example, it is a DHCP client and requests
an IP address from the ISP.



DHCP Configuration Parameters and Options
This topic describes DHCP configuration options.

• It is much more than an IP address.
• It is described in RFC 2131.
• The DHCP server provides a persistent storage of parameters and options for DHCP clients.
• Parameters configure values that are not optional and control how the DHCP server behaves.
• Options describe the network configuration.


DHCP configuration options are currently defined in the RFCs. Options describe the network
configuration and various services that are available on the network, and each option can be
identified by its decimal option code. All options are assigned a decimal option code, either in
the RFC that describes the option or in the vendor documentation if it is vendor-specific.
Some of the most used DHCP options are listed in the table:

Tag  Name                     Description
1    Log Server               Subnet mask value
2    Time Offset              Time offset in seconds from UTC
3    Router                   Router addresses
4    Time Server              Time server addresses
6    Domain Server            DNS server addresses
12   Hostname                 Hostname string
15   Domain Name              DNS domain name of the client
23   Default IP TTL           Default IP Time to Live (TTL)
28   Broadcast Address        Broadcast address
51   Address Time             IP address lease time
67   Bootfile-Name            Boot filename
81   Client FQDN              Fully qualified domain name
82   Relay Agent Information  Relay agent information

DHCPv4 Sequence of Operations
This topic describes the sequence of operations for dynamically assigning IP addresses using
DHCPv4.

[Figure: DHCPv4 exchange between a client (MAC address 00:2c:04:00:fe:56) and a DHCPv4 server:
1 Discover, 2 Offer, 3 Request, 4 Acknowledge.]


DHCP uses UDP port 67 for sending data to the server and UDP port 68 for sending data to the
client. DHCP operations fall into four basic phases: DHCP discovery, DHCP offer, DHCP
request, and DHCP acknowledgement.
DHCP clients and servers on the same subnet communicate via UDP broadcasts. If the client
and server are on different subnets, DHCP discovery and DHCP request messages are sent via
UDP broadcasts, but DHCP offer and DHCP acknowledgement messages are unicast.
These are process steps for dynamic IP address allocation:
1. DHCP discover: A client broadcasts a DHCP discover message with its own hardware
MAC address to discover available DHCP servers.
2. DHCP offer: When a DHCP server receives a DHCP discovery from a client, it reserves
an IP address for the client and sends a DHCP offer to the client. This message contains the
client's MAC address, the IP address that the server is offering, the subnet mask, the lease
duration, and the IP address of the DHCP server that is making the offer.



3. DHCP request: A client can receive DHCP offers from multiple servers, but it will accept
only one DHCP offer and broadcast a DHCP request message. A DHCP request message is
broadcast because the DHCP client has still not received an IP address. Also, this way, one
message can let all other DHCP servers know that another server will be supplying the IP
address so they can withdraw any offers. In that way, they can return the offered address to
the pool of available addresses. A DHCP request is also used for lease extensions. After the
half-lease duration elapses, the DHCP client will send the DHCP request unicast message
to extend the lease duration. Upon availability of the IP address, the DHCP server returns a
DHCP acknowledgement message confirming that the client’s lease duration has been
extended, or a DHCP not-acknowledged message denying the request.
4. DHCP acknowledgement: A DHCP server sends a DHCP acknowledgement packet to the
client. This packet includes the lease duration and any other configuration information that
the client requested. At this point, the IP configuration process is completed.
The DHCP protocol expects the DHCP client to configure its network interface with the negotiated
parameters.

DHCPv4 Relay
This topic describes DHCPv4 relay.

[Figure: DHCPv4 relay. The client (MAC address 00:2c:04:00:fe:56), a router acting as relay
agent (MAC address 00:02:14:10:ac:e6) and the DHCPv4 server: 1 Discover (broadcast),
2 Discover (unicast), 3 Offer, 4 Offer, 5 Request (broadcast), 6 Request (unicast),
7 Acknowledge, 8 Acknowledge.]


In small networks, where only one IP subnet is being managed, DHCP clients communicate
directly with DHCP servers. However, DHCP servers can also provide IP addresses for
multiple subnets. To allow DHCP clients on subnets that are not directly served by DHCP
servers to communicate with DHCP servers, DHCP relay agents can be installed on these
subnets.
The DHCP client broadcasts on the local link. A relay agent receives the broadcast and uses
unicast to transmit it to one or more DHCP servers. The relay agent stores its own IP address in
the GIADDR (Gateway IP address) field of the DHCP packet. The DHCP server uses the
GIADDR to determine the subnet on which the relay agent received the broadcast and allocates
an IP address on that subnet. When the DHCP server replies to the client, it sends the reply to
the GIADDR address, again using unicast. The relay agent then retransmits the response on the
local network.
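As an added example (not course material or Cisco code), here is a Python encoder and decoder for the DHCPv4 message and its options that walks the Discover/Offer/Request/Acknowledge exchange for the client with MAC address 00:2c:04:00:fe:56 through a relay agent, as described above: the relay fills GIADDR, inserts option 82 and unicasts to the server, the server picks the subnet from GIADDR and answers with the options of the table (subnet mask, router, DNS server, lease time), and the relay strips option 82 before retransmitting the reply on the local network. The relay address 192.168.10.1, the server 10.0.0.5, the pool, the transaction ID and the circuit ID are constructed; options 50 and 54 come from RFC 2132 and the option 82 suboption layout from RFC 3046.

```python
"""DHCPv4 (RFC 2131) message codec: the Discover/Offer/Request/Ack exchange and the relay step.

Added illustration for this lesson, not Cisco IOS code. The client MAC, transaction ID, pools
and addresses are constructed sample data. Options 50 (Requested IP Address) and 54 (Server
Identifier) are from RFC 2132; the option 82 Circuit ID suboption (1) is from RFC 3046.
"""
import struct
from typing import Dict, List, Tuple

MAGIC = b"\x63\x82\x53\x63"          # RFC 2131 options "magic cookie"
HDR = "!BBBBIHH4s4s4s4s16s64s128s"   # op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr sname file
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5   # option 53 message types
BROADCAST_FLAG = 0x8000

def ip_bytes(a: str) -> bytes:
    return bytes(int(x) for x in a.split("."))

def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def encode_options(options: List[Tuple[int, bytes]]) -> bytes:
    """Options are code / length / value, terminated by the End option (255)."""
    return b"".join(bytes([code, len(val)]) + val for code, val in options) + b"\xff"

def decode_options(data: bytes) -> Dict[int, bytes]:
    opts, i = {}, 0
    while i < len(data) and data[i] != 255:
        if data[i] == 0:                 # Pad option: a single byte, no length
            i += 1
            continue
        code, length = data[i], data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def build(op: int, msg_type: int, xid: int, mac: bytes, yiaddr="0.0.0.0", siaddr="0.0.0.0",
          giaddr="0.0.0.0", hops=0, extra=()) -> bytes:
    """Fixed 236-byte header, magic cookie, then options starting with DHCP Message Type (53)."""
    hdr = struct.pack(HDR, op, 1, 6, hops, xid, 0, BROADCAST_FLAG, ip_bytes("0.0.0.0"),
                      ip_bytes(yiaddr), ip_bytes(siaddr), ip_bytes(giaddr),
                      mac + bytes(10), bytes(64), bytes(128))
    return hdr + MAGIC + encode_options([(53, bytes([msg_type]))] + list(extra))

def parse(pkt: bytes) -> Dict:
    f = struct.unpack(HDR, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    return {"op": f[0], "hops": f[3], "xid": f[4], "yiaddr": ip_str(f[8]), "siaddr": ip_str(f[9]),
            "giaddr": ip_str(f[10]), "chaddr": f[11][:f[2]], "options": decode_options(pkt[240:])}

def relay_to_server(pkt: bytes, relay_ip: str, circuit_id: bytes) -> bytes:
    """Relay agent: store its own interface address in GIADDR (unless an earlier relay already
    did), bump hops, add option 82 once, then unicast the result to the server."""
    m = parse(pkt)
    giaddr = relay_ip if m["giaddr"] == "0.0.0.0" else m["giaddr"]
    opts = [o for o in m["options"].items() if o[0] != 53]
    if 82 not in m["options"]:
        opts.append((82, bytes([1, len(circuit_id)]) + circuit_id))   # suboption 1 = Circuit ID
    return build(BOOTREQUEST, m["options"][53][0], m["xid"], m["chaddr"], giaddr=giaddr,
                 hops=m["hops"] + 1, extra=opts)

def relay_to_client(pkt: bytes) -> bytes:
    """The reply arrived unicast at GIADDR: strip option 82 and retransmit on the client link."""
    m = parse(pkt)
    return pkt[:236] + MAGIC + encode_options([o for o in m["options"].items() if o[0] != 82])

def server_reply(pkt: bytes, server_ip: str, pools: Dict[str, List[str]], lease: int = 86400) -> bytes:
    """Offer for a Discover, Ack for a Request. The subnet comes from GIADDR when the message was
    relayed; pools keyed by /24 network and a stateless first-address choice are model simplifications."""
    m = parse(pkt)
    relayed = m["giaddr"] != "0.0.0.0"
    subnet = ".".join((m["giaddr"] if relayed else server_ip).split(".")[:3]) + ".0"
    kind = OFFER if m["options"][53][0] == DISCOVER else ACK
    opts = [(1, ip_bytes("255.255.255.0")), (3, ip_bytes(m["giaddr"] if relayed else server_ip)),
            (6, ip_bytes(server_ip)), (51, struct.pack("!I", lease)), (54, ip_bytes(server_ip))]
    if 82 in m["options"]:               # echo option 82 so the relay can recognise and strip it
        opts.append((82, m["options"][82]))
    return build(BOOTREPLY, kind, m["xid"], m["chaddr"], yiaddr=pools[subnet][0], siaddr=server_ip,
                 giaddr=m["giaddr"], hops=m["hops"], extra=opts)

# Constructed scenario: client 00:2c:04:00:fe:56 on 192.168.10.0/24 behind a relay at
# 192.168.10.1 (the figure's router acting as relay agent); DHCP server at 10.0.0.5.
CLIENT_MAC = bytes.fromhex("002c0400fe56")
RELAY_IP, SERVER_IP = "192.168.10.1", "10.0.0.5"
POOLS = {"192.168.10.0": ["192.168.10.50", "192.168.10.51"]}

def via_relay(msg: bytes) -> bytes:
    """Client link -> relay -> server -> relay -> client link, as one round trip."""
    return relay_to_client(server_reply(relay_to_server(msg, RELAY_IP, b"Gi0/1"), SERVER_IP, POOLS))

def run_exchange(xid: int = 0x3903F326) -> Dict:
    """Discover / Offer / Request / Ack as seen by the client; returns the parsed Ack."""
    offered = parse(via_relay(build(BOOTREQUEST, DISCOVER, xid, CLIENT_MAC)))
    request = build(BOOTREQUEST, REQUEST, xid, CLIENT_MAC,
                    extra=[(50, ip_bytes(offered["yiaddr"])), (54, offered["options"][54])])
    return parse(via_relay(request))
```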



DHCPv6
This topic describes DHCPv6.

DHCPv6 is an updated version of DHCP for IPv4:
• Supports new addressing
• Enables more control than stateless autoconfiguration
• Can be used for renumbering
• Can be used for automatic domain name registration of hosts by using DDNS
• Described in RFC 3315


Acquiring configuration data for a client in DHCPv6 is like the process in IPv4 but with a few
exceptions. The client can sometimes detect the presence of routers on the link by using
neighbor discovery messages. If at least one router is found, the client examines the router
advertisements to determine if DHCP should be used. If the router advertisements allow use of
DHCP on that link or if no router is found, the client starts a DHCP process to find a DHCP
server.
DHCPv6 is an updated version of DHCP for use with IPv6. It supports the addressing model of
IPv6 and benefits from new IPv6 features.
These are some features:
• Enables more control than serverless or stateless autoconfiguration
• Can function in a routerless environment, using only servers
• Can be used concurrently with stateless autoconfiguration
• Can be used for renumbering
• Can be used for automatic domain name registration of hosts by using the Dynamic
Domain Name System (DDNS)
• Was ratified in RFC 3315 (July 2003)

DHCPv6 Sequence of Operations
This topic describes the sequence of operations for dynamically assigning IP addresses using
DHCPv6.

[Figure: DHCPv6 exchange between a client (MAC address 00:2c:04:00:fe:56) and a DHCPv6 server:
1 Router advertisement with “use DHCPv6” option, 2 Solicit, 3 Advertise, 4 Request, 5 Reply.]


DHCPv6 uses UDP port 546 for sending data to the server and UDP port 547 for sending data
to the client. DHCPv6 operations fall into five basic phases: router advertisement, DHCP
solicit, DHCP advertise, DHCP request, and DHCP reply.
DHCPv6 uses multicast for many messages. When the client sends a solicit message, it sends
the message to the all-DHCP-agents multicast address with a link-local scope. Agents include
both servers and relays.
When a DHCP relay forwards a message, it can forward it to the all-DHCP-servers multicast
address with a site-local scope. This means that a relay does not need to be configured with all
the static addresses of the DHCP servers, as in IPv4. If needed by policy, a relay can contain a
static list of DHCP servers.
Here is the IPv6 address allocation process:
• Router advertisement: Indicates to hosts whether additional configuration parameters are
available via DHCPv6.
• DHCPv6 Solicit: A DHCPv6 client sends a DHCPv6 Solicit message to the
All_DHCP_Relay_Agents_and_Servers multicast address that is specified in RFC 3315 to
discover the available DHCPv6 servers.
• DHCPv6 Advertise: All DHCPv6 servers that receive the DHCPv6 Solicit message from
the client send a DHCPv6 Advertise message to the DHCPv6 client. The DHCPv6 servers
optionally include other configuration information for the client in the DHCPv6 Advertise
message, in case the client wants to select the specific configuration information it requires.



• DHCPv6 Request: The DHCPv6 client sends a DHCPv6 Request message to the selected
DHCPv6 server by using the Server Identifier option, requesting the use of the selected
configuration. The DHCPv6 Request message identifies the server that sent the offer that
the DHCPv6 client selected. DHCPv6 servers whose Server Identifier does not match the one
that the client sent in the DHCPv6 Request put the offered IPv6 address back into the
available pool of addresses.
• DHCPv6 Reply: The selected DHCPv6 server assigns the IPv6 address configuration to
the DHCPv6 client and sends a DHCPv6 Reply message with no Status code option or with
a Status code option with the value Success to the DHCPv6 client. The DHCPv6 server
includes the configuration information—including any specific standard options or vendor-
specific options—that is based on the vendor class information that is sent by the client in
the DHCPv6 Request message.

The DHCPv6 process is successfully completed if the DHCPv6 server sends the DHCPv6
client a DHCPv6 Reply message with no Status code option or with a Status code option with
the value Success. Otherwise, the DHCPv6 client then restarts the initialization process by
sending the DHCPv6 Solicit message again.
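The Solicit/Advertise/Request/Reply behaviour just described, as an added Python example that is not part of the course material or Cisco IOS: two constructed servers both Advertise, the client Requests from one of them by Server Identifier, the server whose DUID does not match returns its offered address to the pool, and the chosen server's Reply carries a Status code of Success. Message types, option codes, the Status Code values and the DUID-LL layout follow RFC 3315; the DUIDs, addresses and lifetimes are constructed.

```python
"""DHCPv6 (RFC 3315) Solicit / Advertise / Request / Reply with server selection by Server Identifier.

Added illustration for this lesson, not Cisco IOS code. Encodes the DHCPv6 message layout
(1-byte msg-type, 3-byte transaction-id, options with 2-byte code and 2-byte length) and the
behaviour described above: every server Advertises, the client Requests from one server by Server
Identifier, servers whose DUID does not match return the address to their pool, and the chosen
server Replies with Status Code Success. DUIDs, addresses and lifetimes are constructed.
"""
import struct
from ipaddress import IPv6Address
from typing import Dict, List, Optional, Tuple

SOLICIT, ADVERTISE, REQUEST, REPLY = 1, 2, 3, 7                       # msg-type values
OPT_CLIENTID, OPT_SERVERID, OPT_IA_NA, OPT_IAADDR, OPT_STATUS = 1, 2, 3, 5, 13
STATUS_SUCCESS, STATUS_NOADDRS = 0, 2                                 # Success, NoAddrsAvail
ALL_DHCP_RELAY_AGENTS_AND_SERVERS = "ff02::1:2"                       # link-local scope, target of Solicit


def duid_ll(mac_hex: str) -> bytes:
    """DUID-LL: DUID type 3, hardware type 1 (Ethernet), then the link-layer address."""
    return struct.pack("!HH", 3, 1) + bytes.fromhex(mac_hex)


def encode(msg_type: int, xid: int, options: List[Tuple[int, bytes]]) -> bytes:
    body = b"".join(struct.pack("!HH", code, len(v)) + v for code, v in options)
    return bytes([msg_type]) + xid.to_bytes(3, "big") + body


def decode(msg: bytes) -> Tuple[int, int, Dict[int, bytes]]:
    opts, i = {}, 4
    while i + 4 <= len(msg):
        code, length = struct.unpack("!HH", msg[i:i + 4])
        opts[code] = msg[i + 4:i + 4 + length]
        i += 4 + length
    return msg[0], int.from_bytes(msg[1:4], "big"), opts


def ia_na(iaid: int, addr: Optional[str] = None, pref: int = 3600, valid: int = 7200) -> bytes:
    """IA_NA option body: IAID, T1, T2, then an IAADDR sub-option when an address is carried."""
    body = struct.pack("!III", iaid, pref // 2, pref)
    if addr:
        body += struct.pack("!HH", OPT_IAADDR, 24) + IPv6Address(addr).packed + struct.pack("!II", pref, valid)
    return body


def ia_na_address(ia: bytes) -> Optional[str]:
    """The address inside an IA_NA body (12 bytes of IAID/T1/T2, then the IAADDR sub-option)."""
    if len(ia) < 32 or struct.unpack("!H", ia[12:14])[0] != OPT_IAADDR:
        return None
    return str(IPv6Address(ia[16:32]))


class Server:
    def __init__(self, duid: bytes, pool: List[str]):
        self.duid, self.pool, self.reserved = duid, list(pool), {}

    def handle(self, msg: bytes) -> Optional[bytes]:
        kind, xid, opts = decode(msg)
        client, iaid = opts[OPT_CLIENTID], struct.unpack("!I", opts[OPT_IA_NA][:4])[0]
        common = [(OPT_SERVERID, self.duid), (OPT_CLIENTID, client)]
        if kind == SOLICIT:                  # reserve an address and Advertise it, or report none free
            if not self.pool:
                return encode(ADVERTISE, xid, common + [(OPT_STATUS, struct.pack("!H", STATUS_NOADDRS))])
            addr = self.reserved[client] = self.pool.pop(0)
            return encode(ADVERTISE, xid, common + [(OPT_IA_NA, ia_na(iaid, addr))])
        if kind == REQUEST and opts[OPT_SERVERID] != self.duid:
            if client in self.reserved:      # another server was chosen: put the offer back in the pool
                self.pool.append(self.reserved.pop(client))
            return None
        if kind == REQUEST:
            return encode(REPLY, xid, common + [(OPT_IA_NA, ia_na(iaid, self.reserved[client])),
                                                (OPT_STATUS, struct.pack("!H", STATUS_SUCCESS) + b"Success")])
        return None


def client_exchange(client_duid: bytes, servers: List[Server], xid: int = 0x0A1B2C, iaid: int = 1) -> Dict:
    """Client side: multicast Solicit, collect Advertises, pick the first that carries an address,
    Request from that server by Server Identifier, and read the Status Code in the Reply."""
    solicit = encode(SOLICIT, xid, [(OPT_CLIENTID, client_duid), (OPT_IA_NA, ia_na(iaid))])
    adverts = [decode(a)[2] for s in servers for a in [s.handle(solicit)] if a]   # every server hears ff02::1:2
    usable = [o for o in adverts if ia_na_address(o.get(OPT_IA_NA, b""))]
    if not usable:
        return {"status": None, "address": None, "server": None}
    chosen = usable[0][OPT_SERVERID]
    request = encode(REQUEST, xid, [(OPT_CLIENTID, client_duid), (OPT_SERVERID, chosen), (OPT_IA_NA, ia_na(iaid))])
    replies = [r for s in servers for r in [s.handle(request)] if r]     # only the chosen server answers
    kind, rxid, ropts = decode(replies[0])
    status = struct.unpack("!H", ropts[OPT_STATUS][:2])[0] if OPT_STATUS in ropts else STATUS_SUCCESS
    return {"status": status, "address": ia_na_address(ropts[OPT_IA_NA]), "server": ropts[OPT_SERVERID],
            "msg_type": kind, "xid": rxid}


# Constructed topology: the client from the figure (00:2c:04:00:fe:56) and two servers with one address each.
CLIENT = duid_ll("002c0400fe56")
SERVERS = [Server(duid_ll("0011223344aa"), ["2001:db8::10"]), Server(duid_ll("0011223344bb"), ["2001:db8::20"])]
```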

DHCP Server Configuration
This topic describes how to configure a Cisco IOS router to function as a DHCP server.

Exclude a range of IP addresses:
Router(config)# ip dhcp excluded-address start_ip end_ip

Create a pool of addresses to assign to clients:
Router(config)# ip dhcp pool name

Assign a network to the pool:
Router(config-dhcp)# network network/mask

Tell the client how long it can keep the address:
Router(config-dhcp)# lease days

Identify the DNS server:
Router(config-dhcp)# dns-server address

Identify the default gateway:
Router(config-dhcp)# default-router ip-address


These are tasks for configuring a Cisco IOS DHCP server:
• Configuring a DHCP database agent or disabling DHCP conflict logging
• Configuring a DHCP address pool (required)
• Excluding IP addresses
• Enabling the Cisco IOS DHCP server and relay agent features
• Configuring manual bindings
• Configuring a DHCP server boot file
• Configuring the number of ping packets and timeout
• Enabling the Cisco IOS DHCP client on Ethernet interfaces
• Performing a DHCP server options import and autoconfiguration
• Configuring the relay agent information option in BOOTREPLY messages
• Configuring a relay agent information reforwarding policy
• Enabling the DHCP smart-relay feature
Not all of the optional features are covered in detail. Additional information on these optional
features is available on Cisco.com.



Cisco IOS DHCP Server Commands and Parameters
This table identifies the major commands to implement the Cisco IOS DHCP server and its options.

Command and Parameter / Description

Router(config)# service dhcp
  Enables DHCP features on the router; it is on by default.

Router(config)# ip dhcp database url [timeout seconds | write-delay seconds]
  Configures the database agent and the interval between database updates and database transfers.

Router(config)# no ip dhcp conflict logging
  Disables DHCP conflict logging. (Used if a DHCP database agent is not configured.)

Router(config)# ip dhcp excluded-address low-address [high-address]
  Specifies the IP address that the DHCP server should not assign to DHCP clients.

Router(config)# ip dhcp pool name
  Creates a name for the DHCP server address pool and places you in DHCP pool configuration mode.

Router(config-dhcp)# network network-number [mask | prefix-length]
  Specifies the subnet network number and mask of the DHCP address pool.

Router(config-dhcp)# domain-name domain
  Specifies the domain name for the client.

Router(config-dhcp)# dns-server address [address2...address8]
  Specifies the IP address of a Domain Name System (DNS) server that is available to a DHCP client. One is required, but up to eight can be specified.

Router(config-dhcp)# netbios-name-server address [address2...address8]
  Same as DNS, but for Windows Internet Name Service (WINS).

Router(config-dhcp)# default-router address [address2...address8]
  Specifies the IP address of the default router for a DHCP client.

Router(config-dhcp)# lease {days [hours] [minutes] | infinite}
  Specifies the duration of the lease. The default is a one-day lease.

Router(config-dhcp)# import all
  Used to import DHCP option parameters into the DHCP server database. Used for remote DHCP pools.

Additional commands are available to customize manual bindings for individual clients,
including MAC addresses. Additional options are also available with implementation of the
DHCP relay agent function.

DHCP Relay Configuration
This topic describes how to configure DHCP relay on a Cisco IOS router.

• A Cisco IOS server allows routers to forward broadcasts through the ip helper-address command.
• A router will forward broadcasts to select UDP ports to predetermined remote locations.
• A router that is enabled to forward DHCP requests is called a DHCP relay.
  - To use helper-address, enter this command in interface configuration mode:
    Router(config-if)# ip helper-address address
  - To change the default set of UDP ports whose broadcasts are forwarded, use this global
    configuration command:
    Router(config)# ip forward-protocol udp port


DHCP clients use UDP broadcasts to send their initial DHCPDISCOVER message, because
they do not have information about the network to which they are attached.
If the client is on a network that does not include a server, UDP broadcasts are normally not
forwarded by the attached router.
The ip helper-address command causes the UDP broadcast to be changed to a unicast and
forwarded out another interface to a unicast IP address that is specified by the command.
The relay agent sets the gateway address (GIADDR field of the DHCP packet) and, if
configured, adds the relay agent information option (option 82) in the packet and forwards it to
the DHCP server. The reply from the server is forwarded back to the client after removing
option 82.
The figure illustrates the use of the ip helper-address command to implement the DHCP relay
agent.
The command, however, enables forwarding of all of the well-known UDP ports that may be
included in a UDP broadcast message. The ip forward-protocol udp command can be used
to customize this feature to network requirements.



DHCP Client Configuration
This topic describes how to configure a Cisco IOS device to obtain an IP address via DHCP.

• The command is supplied in interface configuration mode.
• Setting up a router interface as a DHCP client:
  Router(config)# interface FastEthernet 0/0
  Router(config-if)# ip address dhcp
• The default gateway can be obtained from the DHCP response:
  Router(config)# ip route 0.0.0.0 0.0.0.0 dhcp


A Cisco IOS device can be configured to be a DHCP client and obtain an interface address
dynamically from a DHCP server with the command ip address dhcp. This command is
implemented in interface mode and is specific to an individual interface.

Summary
This topic summarizes the key points that were discussed in this lesson.

• The physical connection to the Internet is usually provided by using DSL, cable, or fiber
technology with packet switching.
• NAT enables private IPv4 internetworks that use nonregistered IPv4 addresses to connect to
the Internet.
• NAT overloading (PAT) allows you to map many inside addresses to one outside address.
• There are three types of NAT: static, dynamic, and overloading (PAT).
• Static NAT is one-to-one address mapping.
• To implement static NAT, use the ip nat inside source static command.
• Dynamic NAT addresses are picked from a pool.
• To implement dynamic NAT, use the ip nat inside source list command.
• To implement PAT, use the overload keyword.
• DHCP is used to assign IP addresses automatically as well as to set configuration parameters
such as the subnet mask, default router, and DNS servers.
• DHCP Options describe the network configuration and various services that are available on
the network.
• DHCP uses UDP port 67 for sending data to the server and UDP port 68 for sending data to
the client.
• To allow DHCP clients on subnets that are not directly served by DHCP servers, DHCP relay
agents can be installed on these subnets.
• DHCPv6 is an updated version of DHCP for use with IPv6. It supports the addressing model
of IPv6.
• DHCPv6 uses UDP port 546 for sending data to the server and UDP port 547 for sending data
to the client.
• To configure a DHCP server on the Cisco IOS router, you have to create a pool of IP addresses.
• To configure DHCP relay on the Cisco IOS router, use the ip helper-address command.
• To enable the DHCP client on the Cisco IOS router, use the ip address dhcp command.

Lesson 4

WAN Encapsulation
Overview
Encapsulation is a concept that enables one network to send its data over another network's
connections. For example, a TCP/IP-formatted data packet can be encapsulated within an
Ethernet frame. Within the context of transmitting and receiving the Ethernet frame, the
encapsulated packet is simply a stream of bits between the Ethernet header and trailer.
Each WAN solution has an encapsulation type. Encapsulations wrap an information envelope
around data that is used to transport data traffic. If a leased line is used as a WAN solution,
encapsulation is usually a High-Level Data Link Control (HDLC) or a PPP frame. For packet-
switched networks, you can encapsulate or package your data in ATM frames.
One of the most common types of WAN connection is point-to-point. Understanding how
point-to-point communication links function to provide access to a WAN is important to an
overall understanding of how WANs function.
This lesson describes the protocols that are used to encapsulate both data-link layer and
network layer information.

Objectives
Upon completing this lesson, you will be able to describe the functions and characteristics of a
WAN. You will be able to meet these objectives:
• Describe DOCSIS
• Describe the functions of PPP
• Describe the PPP session establishment process
• Describe and compare the PPP authentication protocols
• Describe how to configure and verify PPP
• Describe DSL encapsulation
• Describe PPPoE encapsulation
• Describe POS encapsulation
• Describe encapsulating PPP in an HDLC frame
• Describe the POS frame format
• Describe how to configure and verify a POS interface on a Cisco IOS XR router

DOCSIS Overview
This topic describes DOCSIS.

Data-over-Cable Service Interface Specifications
• 1997—DOCSIS 1.0 gives standards-based interoperability, which means “certified” cable
modems from multiple vendors work with “qualified” CMTSs from multiple vendors.
• 1999—DOCSIS 1.1 adds a number of features, including QoS, more robust scheduling,
packet classification, and other enhancements that facilitate voice services.
• 2001—DOCSIS 2.0 improves robustness against interference and introduces two new
models of upstream operation (ATDMA and SCDMA), which extend upstream speeds up to 30 Mb/s.
• 2006—DOCSIS 3.0 introduces downstream and upstream channel bonding with a maximum
speed up to 400/120 Mb/s.


Data-over-Cable Service Interface Specifications (DOCSIS) was certified as a standard in 1999
to allow high-speed data transfer over an existing cable television (CATV) system; that is,
hybrid fiber-coaxial (HFC) infrastructure.
DOCSIS architecture includes two primary components: a cable modem that is located at the
customer premises and a cable modem termination system (CMTS) that is located at the CATV
headend.
Currently, there are four different version specifications for DOCSIS:
• DOCSIS 1.0 gives standards-based interoperability, which means that “certified” cable
modems from multiple vendors work with “qualified” CMTSs from multiple vendors.
• DOCSIS 1.1 adds a number of features, including quality of service (QoS), more robust
scheduling, packet classification, and other enhancements that facilitate voice services.
• DOCSIS 2.0 improves robustness against interference and introduces two new models of
upstream operation (ATDMA and S-CDMA) that extend upstream speeds up to 30 Mb/s.
• DOCSIS 3.0 introduces downstream and upstream channel bonding with a maximum
speed up to 400/120 Mb/s. DOCSIS 3.0 also adds IPv6 support.

[Figure: downstream DOCSIS framing. IP | TCP | Data form the payload; the payload is placed in
an 802.3 frame (802.3 | Payload); the DOCSIS MAC header is prepended (DOCSIS MAC | 802.3 Header
and Payload); the result is carried in MPEG packets. The payload of any 802.3 packet can contain
either data that is destined for the customer PC or DOCSIS management and control messages for
the cable modem; IP data could also be remote management through SNMP.]


The figure describes the downstream data flow where the data is traveling from the CMTS at
the headend to the customer’s cable modem.
IP, TCP, and data are all representations of upper-layer protocols that are combined (the
payload) and presented to the data link layer.
The payload is then combined with the 802.3 headers (similar to the 802.3 standard, with a few
variations).
The DOCSIS MAC headers are then added. These include frame control and identification so
that the cable modem will know how to decode the packet. The cable modem then knows if the
packet is data for the customer premises equipment (CPE) that is attached or is a management
and control message for the cable modem itself.
The combined DOCSIS MAC headers, 802.3 headers, and the payload are then fragmented into
188-byte MPEG packets for transmission to the cable modems on the HFC plant.



[Figure: DOCSIS upstream data flow. Upper-layer data (IP | TCP | Data) forms the payload.
The payload of any 802.3 packet can contain either data that is destined for the Internet on
behalf of the customer or DOCSIS management and control messages from the cable modem; IP
data could also be remote management through SNMP traps. Encapsulation order: 802.3 header |
payload, then DOCSIS MAC | 802.3 header and payload, followed by concatenation or
fragmentation of the DOCSIS MAC frames.]

The figure describes the upstream data flow in which the data is traveling from the customer’s
cable modem to the CMTS at the headend.
IP, TCP, and data are all representations of upper-layer protocols that are combined (the
payload) and presented to the data link layer, 802.2 Logical Link Control (LLC).
Then the payload is combined with the 802.3 headers (similar to the 802.3 standard, with a few
variations).
Next, the DOCSIS MAC headers are added. These include frame control and identification so
that the CMTS is able to decode the packet. The CMTS then determines if the packet is data
that is destined for the Internet or is management and control messages for the CMTS itself.
In the upstream, the packets may be fragmented into smaller pieces if the cable modem
supports fragmentation and if the CMTS grants only a small amount of bandwidth to transmit
the packets. The packets may also be concatenated, allowing multiple DOCSIS MAC frames to be
transmitted in the same burst.

PPP Encapsulation
A point-to-point (or serial) communication link provides a single, established WAN
communications path from the customer premises through a carrier network, such as a
telephone company, to a remote network. This topic describes the functions of PPP.

• PPP can carry packets from several protocol suites by using NCP.
• PPP controls the setup of several link options by using LCP.


Developers designed PPP to make the connection for point-to-point links. PPP, described in
RFCs 1661 and 1332, encapsulates network layer protocol information over point-to-point
links. RFC 1661 is updated by RFC 2153, PPP Vendor Extensions.
You can configure PPP on the following types of physical interfaces:
 Asynchronous serial: plain old telephone service (POTS) dial-up
 Synchronous serial: ISDN or point-to-point leased lines

The Link Control Protocol (LCP) is the real working part of PPP. The LCP works at the data
link layer, above the physical layer. The LCP establishes the point-to-point link and has a
role in configuring and testing the data-link connection. The LCP also negotiates and sets up
control options on the WAN data link. PPP offers a rich set of services.
The LCP provides automatic configuration of the interfaces at each end, while providing these
features:
 Managing varying limits on packet size
 Detecting common misconfiguration errors
 Terminating the link
 Determining when a link is functioning properly or when it is failing

PPP also uses the LCP to agree automatically on encapsulation formats (authentication,
compression, error detection) as soon as the link is established.



With its higher-level functions, PPP can carry packets from several network layer protocols by
using Network Control Protocols (NCPs). The NCPs include functional fields that contain
standardized codes to indicate the network layer protocol type that is encapsulated in the PPP
frame. The various NCP components encapsulate and negotiate options for multiple network
layer protocols. PPP permits multiple network layer protocols to operate on the same
communications link. For every network layer protocol used, PPP uses a separate NCP. For
example, IP uses the IP Control Protocol (IPCP) and the Internetwork Packet Exchange (IPX)
uses the Novell IPX Control Protocol (IPXCP).

PPP Session Establishment
This topic describes the PPP session establishment process.

PPP session establishment:


1. Link establishment phase
2. Authentication phase (optional)
Two PPP authentication protocols: PAP and CHAP
3. Network layer protocol phase


There are three phases of a PPP session establishment. The table describes these three phases.
PPP Session Establishment Phases

Phase 1. Link establishment phase
In this phase, each PPP device sends LCP packets to configure and test the data link. LCP
packets contain a configuration option field that allows devices to negotiate the use of
options such as the maximum receive unit, the compression of certain PPP fields, and the link
authentication protocol. If a configuration option is not included in an LCP packet, the
default value for that configuration option is assumed.

Phase 2. Authentication phase (optional)
After the link has been established and the authentication protocol has been decided, the
peer goes through the authentication phase. Authentication, if used, takes place before the
network layer protocol phase begins.
PPP supports two authentication protocols: Password Authentication Protocol (PAP) and
Challenge Handshake Authentication Protocol (CHAP). Both of these protocols are discussed in
RFC 1334, PPP Authentication Protocols. However, RFC 1994, PPP Challenge Handshake
Authentication Protocol (CHAP), renders RFC 1334 obsolete.

Phase 3. Network layer protocol phase
In this phase, the PPP devices send NCP packets to choose and configure one or more network
layer protocols such as IP. After each of the chosen network layer protocols is configured,
datagrams from each network layer protocol can be sent over the link.



PPP Authentication Protocols
This topic describes and compares the PPP authentication protocols.

[Figure: PAP versus CHAP between a central-site router (X) and a remote router (Y).
PAP, two-way handshake: the remote router sends "Username RouterX; Password: cisco123" and
receives Accept/Reject. Passwords are sent in plaintext, and the peer is in control of
attempts.
CHAP, three-way handshake: Challenge, Response, Accept/Reject. Hash values, not actual
passwords, are sent across the link, and the local router or an external server is in
control of authentication attempts.]

PPP defines an extensible LCP that allows negotiation of an authentication protocol for
authenticating its peer before allowing network layer protocols to transmit over the link. RFC
1334 defines two protocols for authentication, PAP and CHAP.
PAP is a two-way handshake that provides a simple method for a remote node to establish its
identity. PAP is performed only upon initial link establishment. There is no encryption. The
username and password are sent in plaintext. After the PPP link establishment phase is
complete, the remote node repeatedly sends a username and password pair to the router until
authentication is acknowledged or the connection is terminated.
Because PAP is not a strong authentication protocol, there is no protection from playback or
repeated trial-and-error attacks. The remote node is in control of the frequency and timing of
the login attempts.
CHAP is more secure than PAP. It involves a three-way exchange that proves knowledge of a
shared secret without sending the secret itself. Unlike PAP, which only authenticates once,
CHAP conducts periodic challenges to make sure that the remote node still has a valid
password value.
CHAP occurs at the startup of a link and periodically thereafter to verify the identity of
the remote node using a three-way handshake.
After the PPP link establishment phase is complete, the local router sends a challenge message
to the remote node. The remote node responds with a value that is calculated by using a one-
way hash function, typically Message Digest 5 (MD5), based on the password and challenge
message. The local router checks the response against its own calculation of the expected hash
value. If the values match, the authentication is acknowledged. Otherwise, the connection is
terminated immediately.

CHAP provides protection against a playback attack by using a variable challenge value that is
unique and unpredictable. Because the challenge is unique and random, the resulting hash value
will also be unique and random. The use of repeated challenges is intended to limit exposure to
any single attack. The local router or a third-party authentication server is in control of the
frequency and timing of the challenges.
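The exchange described above, written out as an added example (not code from the course): both PPP peers are simulated in Python using the RFC 1994 packet layout and hash computation, and the demo shows a correct secret being accepted, a wrong one rejected, and a captured response failing when replayed against a fresh challenge. Router names and the shared secret are constructed placeholders.

```python
"""CHAP (RFC 1994) three-way handshake with both PPP peers simulated in-process.

Added example, not course material: the authenticator plays the local router
(or an AAA server) and stays in control of the challenges; the peer plays the
remote router. Router names and the shared secret are constructed placeholders.
"""
import hashlib
import hmac
import os
import struct

CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4   # RFC 1994 Code values


def chap_hash(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Response Value = MD5(Identifier || secret || Challenge Value), RFC 1994 section 4.1."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def encode_chap(code: int, identifier: int, value: bytes, name: bytes) -> bytes:
    """Challenge/Response packet: Code, Identifier, Length, Value-Size, Value, Name."""
    length = 5 + len(value) + len(name)
    return struct.pack("!BBHB", code, identifier, length, len(value)) + value + name


def decode_chap(packet: bytes) -> tuple:
    """Parse a Challenge/Response packet into (code, identifier, value, name)."""
    if len(packet) < 5:
        raise ValueError("CHAP packet too short")
    code, identifier, length, value_size = struct.unpack("!BBHB", packet[:5])
    if length != len(packet) or 5 + value_size > length:
        raise ValueError("malformed CHAP packet")
    return code, identifier, packet[5:5 + value_size], packet[5 + value_size:length]


class Authenticator:
    """The side that issues challenges and decides their frequency and timing."""

    def __init__(self, name: bytes, peer_secrets: dict):
        self.name = name
        self.peer_secrets = peer_secrets   # username -> password, as 'username ... password ...' sets
        self.identifier = 0
        self.outstanding = None            # challenge value awaiting a response

    def challenge(self) -> bytes:
        # A new Identifier and a fresh random Value for every round: a response
        # captured earlier only matches the challenge it was computed for.
        self.identifier = (self.identifier + 1) & 0xFF
        self.outstanding = os.urandom(16)
        return encode_chap(CHAP_CHALLENGE, self.identifier, self.outstanding, self.name)

    def check(self, packet: bytes) -> bytes:
        """Verify a Response and return a Success or Failure packet."""
        code, identifier, value, name = decode_chap(packet)
        challenge, self.outstanding = self.outstanding, None   # each challenge is usable once
        secret = self.peer_secrets.get(name)
        ok = (code == CHAP_RESPONSE and identifier == self.identifier
              and challenge is not None and secret is not None
              and hmac.compare_digest(chap_hash(identifier, secret, challenge), value))
        # Success/Failure carry only Code, Identifier, Length (and an optional message).
        return struct.pack("!BBH", CHAP_SUCCESS if ok else CHAP_FAILURE, identifier, 4)


def peer_respond(challenge_packet: bytes, my_name: bytes, secret: bytes) -> bytes:
    """Remote router: answer with a hash; the password itself never crosses the link."""
    code, identifier, value, _authenticator_name = decode_chap(challenge_packet)
    if code != CHAP_CHALLENGE:
        raise ValueError("expected a Challenge")
    return encode_chap(CHAP_RESPONSE, identifier, chap_hash(identifier, secret, value), my_name)


def handshake(auth: Authenticator, peer_name: bytes, peer_secret: bytes) -> tuple:
    """One Challenge/Response/Success-or-Failure round; returns (accepted, response on the wire)."""
    response = peer_respond(auth.challenge(), peer_name, peer_secret)
    return auth.check(response)[0] == CHAP_SUCCESS, response


def demo() -> dict:
    # Mirrors the two-router configuration: RouterX knows RouterY's password 'sameone'.
    routerx = Authenticator(b"RouterX", {b"RouterY": b"sameone"})
    accepted, captured = handshake(routerx, b"RouterY", b"sameone")
    wrong_secret, _ = handshake(routerx, b"RouterY", b"not-sameone")
    # Playback: replaying the captured Response against a fresh Challenge is rejected.
    routerx.challenge()
    replay = routerx.check(captured)[0] == CHAP_SUCCESS
    return {"correct_secret": accepted, "wrong_secret": wrong_secret, "replay": replay}


if __name__ == "__main__":
    print(demo())  # {'correct_secret': True, 'wrong_secret': False, 'replay': False}
```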



Implementing PPP and Authentication
This topic describes how to configure and verify PPP.


To enable PPP encapsulation with PAP or CHAP authentication on an interface, complete the
following checklist:
 Enable PPP encapsulation as the Layer 2 protocol of an interface.
 (Optional) Enable PPP authentication by performing these steps:
1. Configure the router hostname to identify itself.
2. Configure the username and password to authenticate the PPP peer.
3. Choose the authentication technique to use on the PPP link: PAP or CHAP.

Router(config)#hostname RouterX

• Assign a hostname RouterX to your router.

RouterX(config)#username RouterY password B007!I


• Identify the username (RouterY) and password (B007!I) of the remote router.

RouterX(config-if)#encapsulation ppp

• Enable PPP encapsulation.

RouterX(config-if)#ppp authentication chap


• Optionally, enable CHAP authentication.
Or
RouterX(config-if)#ppp authentication pap
• Optionally, enable PAP authentication.

CHAP authentication is recommended.



To enable PPP encapsulation, use the encapsulation ppp command in interface
configuration mode.
To configure PPP authentication, the interface must be configured for PPP encapsulation.
Follow these steps to enable PAP or CHAP authentication:
Step 1 Verify that each router has a hostname that is assigned to it. To assign a hostname
RouterX, enter the hostname RouterX command in global configuration mode.
This name must match the username that the authenticating router at the other end of
the link expects.
Step 2 On each router, define the username and password to expect from the remote router
with the username global configuration command.
Add a username entry for each remote system that the local router communicates
with and that requires authentication. Note that the remote device must have a
corresponding username entry for the local router with a matching password.
The username RouterY password B007!I command in the figure configures
username RouterY and password B007!I.
Step 3 Enable PPP encapsulation on the serial interface by using the encapsulation ppp
interface configuration command.
Step 4 Configure PPP authentication with the ppp authentication interface configuration
command.
If you configure ppp authentication chap on an interface, all incoming PPP
sessions on that interface are authenticated by using CHAP. Likewise, if you
configure ppp authentication pap, all incoming PPP sessions on that interface are
authenticated by using PAP.



If you configure ppp authentication chap pap, the router attempts to authenticate
all incoming PPP sessions by using CHAP. If the remote device does not support
CHAP, the router tries to authenticate the PPP session by using PAP. If the remote
device does not support either CHAP or PAP, the authentication fails and the PPP
session is dropped.
If you configure ppp authentication pap chap, the router attempts to authenticate all
incoming PPP sessions by using PAP. If the remote device does not support PAP, the
router tries to authenticate the PPP session by using CHAP. If the remote device does
not support either protocol, the authentication fails and the PPP session is dropped.

Note If you enable both methods, the first method that you specify is requested during link
negotiation. If the peer suggests using the second method, or refuses the first method, the
second method is tried.

RouterX:
hostname RouterX
username RouterY password sameone
!
interface serial 0
ip address 10.0.1.1 255.255.255.0
encapsulation ppp
ppp authentication chap

RouterY:
hostname RouterY
username RouterX password sameone
!
interface serial 0
ip address 10.0.1.2 255.255.255.0
encapsulation ppp
ppp authentication chap


In the figure, a two-way challenge occurs. The hostname on one router must match the
username that the other router has configured. The passwords must also match. The same
password must be configured on both routers. Both routers must be configured for the same
PPP authentication type.



RouterX#show interface s0
Serial0 is up, line protocol is up
Hardware is HD64570
Internet address is 10.0.1.1/24
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation PPP, loopback not set, keepalive set (10 sec)
LCP Open
Open: IPCP, CDPCP
Last input 00:00:05, output 00:00:05, output hang never
Last clearing of "show interface" counters never
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
38021 packets input, 5656110 bytes, 0 no buffer
Received 23488 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
38097 packets output, 2135697 bytes, 0 underruns
0 output errors, 0 collisions, 6045 interface resets
0 output buffer failures, 0 output buffers swapped out
482 carrier transitions
DCD=up DSR=up DTR=up RTS=up CTS=up

• Verify the PPP encapsulation configuration on the Serial 0 interface.



Use the show interface command to verify proper configuration. The figure shows that PPP
encapsulation has been configured and LCP has established a connection, as indicated by “LCP
Open” in the command output.
IPCP is the control protocol for IP, and Cisco Discovery Protocol Control Protocol (CDPCP)
is the control protocol for Cisco Discovery Protocol.

DSL Encapsulation
This topic describes DSL encapsulation.

[Figure: DSL encapsulation. The path runs from the PC through the DSL router (CPE) and the
DSLAM, across the ATM network, to the BRAS in the service provider network; the figure shows
the span covered by a PPPoA session and by a PPPoE session along this path.]

DSL implementation often encapsulates PPP packets inside ATM cells. It sends the packets
over the phone lines to the DSL access multiplexer (DSLAM) in the central office. The packets
then go over an ATM backbone to a Layer 3 aggregation router like a broadband remote access
server (BRAS). PPP allows DSL service providers to manage access to accounts via usernames
and passwords and is a convenient technical solution for converting subscribers from dial-up
Internet.
There are several common DSL PPP encapsulation methods, including PPP over ATM
(PPPoA) and PPP over Ethernet (PPPoE).
PPPoA, specified in RFC 2364, is a protocol for encapsulating PPP frames in ATM adaptation
layer 5 (AAL5). AAL5 is an ATM adaptation layer that is used to send variable-length packets
across an ATM network. PPPoA offers standard PPP features such as authentication,
encryption, and compression.
With PPPoA, the PPP session terminates on the DSL CPE device. Configuring PPPoA requires
both PPP configuration and ATM configuration on the DSL CPE device. This configuration is
generally stored in a DSL modem or router and can be transparent to the user. PPP
configuration generally includes user credentials that are unique to each user. ATM
configuration includes the VPI/VCI, modulation type, and multiplexing method (virtual channel
[VC] multiplexing [VC-MUX] or LLC).
PPPoE is more commonly used than PPPoA. PPPoE lets users connect a network of hosts over
a simple bridging DSL CPE device. With PPPoE, the PPPoE client function, which terminates
the PPP session, can be located in the end-user PC or in the DSL CPE device. More PPPoE
concepts are described within the next topic.
Both PPPoA and PPPoE configurations are beyond the scope of this class.



PPPoE Encapsulation
This topic describes PPPoE encapsulation.

[Figure: PPPoE topology. A PPPoE client behind a CPE with RFC 1483 bridging connects through
the DSLAM to an aggregation device (SSG) backed by AAA, and from there to the ISP or to a
corporation over IP, ATM, PPPoE, or IP + ATM.]

PPPoE is a protocol for encapsulating PPP frames inside Ethernet frames. Service providers
that do not use serial links to connect their users use PPPoE, mainly with DSL services in
which individual users connect to the DSL modem over Ethernet and in Metro Ethernet
networks. PPPoE lets users connect a network of hosts over a simple bridging DSL modem to
an aggregation router.
By using PPPoE, users can virtually "dial" from one machine to another over an Ethernet
network, establish a point-to-point connection between them, and then securely transport data
packets over the connection.
PPPoE allows service providers to use their existing AAA system like a RADIUS server.
Access control, billing, and other types of service can be done on a per-user, rather than a per-
site, basis. RADIUS was developed to authenticate dialup users and can easily be modified to
support additional capabilities. RADIUS can be used to set nearly every aspect of a PPPoE
session; that is, IP address, DNS servers, filters, rate limits, time limits, transfer limits, and so
on.

[Figure: PPPoE discovery over DSL (PC, DSL router CPE, DSLAM, ATM network, aggregator,
service provider network). Step 1: PADI. Step 2: PADO. Step 3: PADR. Step 4: PADS (Session
ID). Step 5: LCP/IPCP.]

As specified in RFC 2516, PPPoE has two distinct stages, the discovery stage and the PPP
session stage.
When a host (the end-user PC or the DSL modem or router) wants to start a PPPoE session, it
must first perform discovery to identify which server can meet this client request; then identify
the Ethernet MAC address of the peer and establish a PPPoE SESSION_ID. Although PPP
defines a peer-to-peer relationship, discovery is inherently a client-server relationship. In the
discovery process, a host (the client) discovers the aggregator router (BRAS). Based on the
network topology, more than one BRAS can communicate with the host. The discovery stage
allows the host to discover all the BRASs and then select one. When discovery is completed,
both the host and the selected BRAS have the necessary information to build a point-to-point
connection over Ethernet. After a PPP session is established, both the host and the BRAS must
allocate the resources for a PPP virtual interface. This, however, might not be the case for all
implementations. Finally, to be in compliance with RFC 2516, the IP Maximum Transmission
Unit (MTU) must be specified as 1492 for PPPoE.
When the host receives the confirmation packet, it proceeds to the PPP session stage, and when
the BRAS sends the confirmation packet, it proceeds to the PPP session stage. At the
completion of the discovery stage, both peers know the PPPoE SESSION_ID and the peer
Ethernet address, which together define the PPPoE session uniquely.
The negotiation process consists of five steps:
Step 1 The host sends the PPPoE Active Discovery Initiation (PADI) packet with the
DESTINATION_ADDR set to the broadcast address. The PADI consists of one tag
that indicates what service type it is requesting.
Step 2 When the BRAS receives a PADI that it can serve, it replies by sending a PPPoE
Active Discovery Offer (PADO) packet. The DESTINATION_ADDR is the unicast
address of the host that sent the PADI. If the BRAS cannot serve the PADI, it must
not respond with a PADO. Because the PADI was broadcast, the host can receive
more than one PADO.



Step 3 The host reviews the PADO packets that it receives and chooses one. The choice can
be based on the services that are offered by each BRAS.
The host then sends one PPPoE Active Discovery Request (PADR) packet to the
BRAS that it has chosen. The DESTINATION_ADDR field is set to the unicast
Ethernet address of the BRAS, or the router that sent the PADO.
Step 4 When the BRAS receives a PADR packet, it prepares to begin a PPP session. It
generates a unique SESSION_ID for the PPPoE session and replies to the host with
a PPPoE Active Discovery Session-confirmation (PADS) packet. The
DESTINATION_ADDR field is the unicast Ethernet address of the host that sent
the PADR.
Step 5 LCP/IPCP negotiations
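Steps 1 through 4, simulated as an added example (not code from the course or from any Cisco product): the frames use the RFC 2516 header and tag layout, an access concentrator answers only PADIs it can serve, and the host selects one PADO, sends a unicast PADR and receives a PADS with a nonzero SESSION_ID. MAC addresses, service names, AC-Names and the Host-Uniq cookie are constructed values.

```python
"""PPPoE discovery stage (RFC 2516), steps 1 to 4 of the figure, as an added example.

Host and access concentrator (BRAS) are simulated in-process with raw Ethernet
frames. MAC addresses, service names, AC-Names and the Host-Uniq cookie are
constructed placeholders.
"""
import struct

ETH_P_PPPOE_DISC = 0x8863            # Ethertype of the discovery stage (0x8864 is session)
BROADCAST = b"\xff" * 6
PADI, PADO, PADR, PADS = 0x09, 0x07, 0x19, 0x65       # RFC 2516 CODE values
TAG_END, TAG_SERVICE_NAME, TAG_AC_NAME = 0x0000, 0x0101, 0x0102
TAG_HOST_UNIQ, TAG_SERVICE_NAME_ERROR = 0x0103, 0x0201
# 6-byte PPPoE header plus 2-byte PPP Protocol field inside a 1500-byte
# Ethernet payload leaves 1492 bytes for IP, the MTU the text calls for.
PPPOE_IP_MTU = 1500 - 6 - 2


def build(dst: bytes, src: bytes, code: int, session_id: int, tags) -> bytes:
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    # VER=1 and TYPE=1 share one octet (0x11); LENGTH counts the payload only.
    return (dst + src + struct.pack("!H", ETH_P_PPPOE_DISC)
            + struct.pack("!BBHH", 0x11, code, session_id, len(payload)) + payload)


def parse(frame: bytes) -> dict:
    if len(frame) < 20 or struct.unpack("!H", frame[12:14])[0] != ETH_P_PPPOE_DISC:
        raise ValueError("not a PPPoE discovery frame")
    vertype, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if vertype != 0x11 or len(frame) < 20 + length:
        raise ValueError("bad PPPoE header")
    tags, off, end = [], 20, 20 + length
    while off + 4 <= end:
        tag_type, tag_len = struct.unpack("!HH", frame[off:off + 4])
        if tag_type == TAG_END:
            break
        if off + 4 + tag_len > end:
            raise ValueError("tag overruns payload")
        tags.append((tag_type, frame[off + 4:off + 4 + tag_len]))
        off += 4 + tag_len
    return {"dst": frame[:6], "src": frame[6:12], "code": code,
            "session_id": session_id, "tags": tags}


def tag_values(tags, tag_type):
    return [v for t, v in tags if t == tag_type]


class AccessConcentrator:
    """BRAS side: offers only services it can serve, hands out SESSION_IDs on PADR."""

    def __init__(self, mac: bytes, ac_name: bytes, services: set):
        self.mac, self.ac_name, self.services = mac, ac_name, services
        self.next_session = 1          # SESSION_ID 0 is reserved for discovery
        self.sessions = {}             # (host MAC, SESSION_ID) -> service name

    def handle(self, frame: bytes):
        p = parse(frame)
        names = tag_values(p["tags"], TAG_SERVICE_NAME)
        if p["session_id"] != 0 or len(names) != 1:
            return None                # PADI/PADR: SESSION_ID 0, exactly one Service-Name
        wanted = names[0]
        can_serve = wanted == b"" or wanted in self.services   # empty name = any service
        # Host-Uniq is echoed unchanged so the host can match replies to its request.
        echo = [(TAG_HOST_UNIQ, v) for v in tag_values(p["tags"], TAG_HOST_UNIQ)]
        if p["code"] == PADI and p["dst"] == BROADCAST:
            if not can_serve:
                return None            # must not answer a PADI it cannot serve
            offered = [(TAG_SERVICE_NAME, s) for s in sorted(self.services)]
            return build(p["src"], self.mac, PADO, 0,
                         [(TAG_AC_NAME, self.ac_name)] + offered + echo)
        if p["code"] == PADR and p["dst"] == self.mac:
            if not can_serve:
                return build(p["src"], self.mac, PADS, 0,
                             [(TAG_SERVICE_NAME_ERROR, b"")] + echo)
            sid, self.next_session = self.next_session, self.next_session + 1
            self.sessions[(p["src"], sid)] = wanted
            return build(p["src"], self.mac, PADS, sid, [(TAG_SERVICE_NAME, wanted)] + echo)
        return None


def discover(host_mac: bytes, service: bytes, acs: list):
    """Host side of steps 1 to 4; returns (BRAS MAC, SESSION_ID) or None."""
    host_uniq = b"\xde\xad\xbe\xef"    # constructed cookie; any value works
    request = [(TAG_SERVICE_NAME, service), (TAG_HOST_UNIQ, host_uniq)]
    padi = build(BROADCAST, host_mac, PADI, 0, request)
    # Step 1/2: the broadcast PADI may draw a PADO from more than one BRAS.
    offers = [parse(r) for r in (ac.handle(padi) for ac in acs) if r is not None]
    offers = [o for o in offers
              if o["code"] == PADO and host_uniq in tag_values(o["tags"], TAG_HOST_UNIQ)]
    if not offers:
        return None
    chosen = offers[0]                 # a real host could rank PADOs by services offered
    # Step 3/4: unicast PADR to the chosen BRAS; only it replies with a PADS.
    padr = build(chosen["src"], host_mac, PADR, 0, request)
    bras = next(ac for ac in acs if ac.mac == chosen["src"])
    pads = parse(bras.handle(padr))
    if pads["code"] != PADS or pads["session_id"] == 0:
        return None                    # SESSION_ID 0 in a PADS signals a Service-Name-Error
    return pads["src"], pads["session_id"]
```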

Advantages of PPPoE:
• Per-session authentication based on PAP or CHAP
• Per-session accounting
• Business friendly
• Multiple PPPoE sessions per PVC
• Reduces broadcast traffic on the network
Disadvantages of PPPoE:
• Requires PPPoE client function in the CPE or in the user end host
• Susceptible to broadcast storms and possible DoS attacks.
• High overhead.


These are PPPoE advantages:


 Per-session authentication that is based on PAP or CHAP overcomes the security hole in a
bridging architecture.
 Per-session accounting is possible, which allows the service provider to charge the
subscriber, based on session time for various services offered.
 The network access provider (NAP) or network service provider (NSP) can provide secure
access to a corporate gateway without the management of end-to-end permanent virtual
connections (PVCs) and without the use of Layer 3 routing or Layer 2 Tunneling Protocol
(L2TP) tunnels. This makes the business model of the sale of wholesale services and virtual
private networks (VPNs) scalable.
 It can provide a host (PC) access to multiple destinations at a given time. You can have
multiple PPPoE sessions per PVC.
 It reduces broadcast traffic on the network.

These are PPPoE disadvantages:


 The user requires a PPPoE client function in the CPE or in the user end host.
 Since PPPoE implementation uses RFC 1483 bridging, it is susceptible to broadcast storms
and possible denial-of-service (DoS) attacks.
 Of the DSL delivery methods, PPPoE has the highest overhead, which matters especially for
VoIP and online gaming applications.



POS Encapsulation
This topic describes the Packet over SONET (POS) encapsulation.

[Figure: POS links connect the access network to the IP backbone.]

POS is a highly scalable protocol that overcomes many of the inefficiencies of ATM, while
providing legacy support to internetworks with existing SONET architectures.
POS provides a mechanism to carry packets directly within the SONET synchronous payload
envelope (SPE) by using a small amount of HDLC or PPP framing. The POS interface supports
SONET level alarm processing, performance monitoring, synchronization, and protection
switching. This support enables POS systems to interoperate seamlessly with existing SONET
infrastructures and provides the capability to migrate to Optical IP networks without the need
for legacy SONET infrastructures. POS is used in a point-to-point environment, much like the
legacy T-carrier architectures, but without the need for time-division multiplexing (TDM).
POS efficiently encapsulates IP traffic with a low-overhead PPP header. When encapsulated,
the traffic is placed inside an HDLC-delimited SONET SPE and transported across SONET.
Voice, video, and data can be carried within the IP packets by using Layer 3 QoS mechanisms
to control priority when bandwidth contention occurs.

[Figure: POS encapsulation layers. IP datagram; PPP frame (protocol encapsulation, link
initialization); HDLC frame (PPP packet delineation, error control); SONET/SDH frame (byte
delineation).]

End stations at customer sites are predominantly TCP/IP-enabled devices. At the edge of the
customer's network, the IP packet is encapsulated into a Layer 2 format that will be supported
on the service provider network. The Layer 2 protocols that Cisco supports are PPP and Cisco
HDLC, while the POS standards specify PPP encapsulation for POS interfaces. The Layer 2
PPP or Cisco HDLC frame information is encapsulated into a generic HDLC header (not Cisco
proprietary HDLC) and placed into the appropriate SPE frame. This can be a confusing concept
at first. Although HDLC and PPP are different, mutually exclusive Layer 2 protocols, HDLC is
used as an SPE delimiter in the SONET frame.



PPP in HDLC-Like Framing
This topic describes encapsulating PPP in an HDLC frame.

[Figure: PPP frame: Protocol (16 bits), Information (0-65000 bytes), Padding. HDLC frame:
Address, Control, HDLC Information Field (carrying the PPP frame), FCS.]

The figure illustrates the PPP in an HDLC frame format in which the PPP frame is
encapsulated inside the HDLC information field.
The PPP frame contains three components:
 Protocol field
 Information field
 Padding field

The Protocol field is used because PPP is multiprotocol in nature. Multiprotocol encapsulations
transport multiple protocols, including IP and IPX. The Information field is the protocol data
unit (PDU) that is transmitted and can be from 0 to 64,000 bytes. The Padding field is used to
pad the PPP frame if the Information field does not contain enough data. The Padding field
might receive padding up to the maximum receive unit (MRU), which will fill the Information
field. The default value for the MRU is 1500 octets but can be up to 64,000 octets if negotiated
in the PPP implementation. It is the responsibility of the protocol to determine which bits are
used as padding. You can find more information about the PPP protocol in RFC 1548 and RFC
1661 at http://www.ietf.org.

Packet over SONET Frame Information
This topic describes the POS frame format.

[Figure: POS frame format. Flag 0x7E (8 bits) | Address 0xFF (8 bits) | Control 0x03 (8 bits)
| Information (variable, carrying the PPP frame) | FCS (16 or 32 bits) | Flag 0x7E (8 bits).
The FCS calculation area covers the Address, Control, and Information fields.]

Frame delimiters of hexadecimal 0x7E are used to denote the beginning and ending of the
HDLC frame. The transmitting device also generates flags as a time fill when there are no data
packets.
The Address field is always set to 0xFF because every frame is a broadcast frame in POS.
There are only two ends of the point-to-point connection, and the frame always needs to get to
the other side. There is no reason to have more than one address because there are no other
addressable destinations. The Layer 2 mechanism is terminated at the other end of the link
because POS interfaces are Layer 3-enabled.
A Control field of 0x03 is used to denote an HDLC frame.
The Information field is where the PPP frame is inserted and is variable in nature due to MRU
variability. A 16- or 32-bit frame check sequence (FCS) is used as a trailer to the frame. The
FCS can be 16 or 32 bits long, but 32-bit cyclic redundancy checks (CRCs) are highly
recommended because of the enhanced error recovery that is available by using 32 bits. Most
interfaces that run at speeds greater than optical carrier (OC)-12 use FCS-32 as the default. The
FCS is a configurable option, and FCS 32 is always recommended. The FCS field needs to
match on both ends of the connection; otherwise, the Layer 2 protocol will never come up.
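The PPP-in-HDLC and POS frame layouts described in this topic and the previous one, as an added example (not code from the course): RFC 1662 framing with octet stuffing and both FCS sizes, plus the receiver-side check, which shows why a frame built with one FCS size never verifies at an end configured for the other. The protocol number 0x0021 (IPv4) is a real PPP value; the payload is a constructed test string, and the SONET layer and POS scrambler are not modelled.

```python
"""PPP in HDLC-like framing (RFC 1662) with FCS-16 and FCS-32, as an added example.

Models Flag | Address 0xFF | Control 0x03 | PPP Protocol | Information | FCS | Flag
as used by POS, without the SONET layer or the POS payload scrambler. The
protocol 0x0021 (IPv4) and the payload used in tests are constructed inputs.
"""
import struct

FLAG, ADDRESS, CONTROL, ESCAPE = 0x7E, 0xFF, 0x03, 0x7D
PPP_IPV4 = 0x0021
# RFC 1662 appendix C: initial register value, reflected polynomial, and the
# residue the register holds after a good frame (data followed by its FCS).
FCS16_INIT, FCS16_POLY, FCS16_GOOD = 0xFFFF, 0x8408, 0xF0B8
FCS32_INIT, FCS32_POLY, FCS32_GOOD = 0xFFFFFFFF, 0xEDB88320, 0xDEBB20E3


def _crc(data: bytes, init: int, poly: int, width: int) -> int:
    """LSB-first CRC register update shared by both PPP FCS variants."""
    fcs = init
    for octet in data:
        fcs ^= octet
        for _ in range(8):
            fcs = (fcs >> 1) ^ poly if fcs & 1 else fcs >> 1
    return fcs & ((1 << width) - 1)


def fcs16(data: bytes) -> int:
    """FCS-16 as transmitted: ones complement of the register."""
    return (~_crc(data, FCS16_INIT, FCS16_POLY, 16)) & 0xFFFF


def fcs32(data: bytes) -> int:
    """FCS-32 as transmitted; the same CRC-32 that Ethernet and zlib use."""
    return (~_crc(data, FCS32_INIT, FCS32_POLY, 32)) & 0xFFFFFFFF


def stuff(data: bytes) -> bytes:
    """Octet stuffing: Flag and Escape octets inside the frame are escaped."""
    out = bytearray()
    for octet in data:
        if octet in (FLAG, ESCAPE):
            out += bytes([ESCAPE, octet ^ 0x20])
        else:
            out.append(octet)
    return bytes(out)


def unstuff(data: bytes) -> bytes:
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] == ESCAPE:
            if i + 1 >= len(data):
                raise ValueError("truncated escape sequence")
            out.append(data[i + 1] ^ 0x20)
            i += 2
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


def build_frame(protocol: int, info: bytes, fcs_bits: int = 32) -> bytes:
    """The FCS covers Address through Information, is computed before stuffing,
    and is sent least significant octet first."""
    body = bytes([ADDRESS, CONTROL]) + struct.pack("!H", protocol) + info
    if fcs_bits == 16:
        trailer = fcs16(body).to_bytes(2, "little")
    elif fcs_bits == 32:
        trailer = fcs32(body).to_bytes(4, "little")
    else:
        raise ValueError("FCS must be 16 or 32 bits")
    return bytes([FLAG]) + stuff(body + trailer) + bytes([FLAG])


def parse_frame(frame: bytes, fcs_bits: int = 32) -> tuple:
    """Receiver side: unstuff, check the FCS residue, return (protocol, information).

    Running the CRC over the body plus the received FCS leaves a fixed residue
    on a good frame; a mismatch (corruption, or crc 16 on one end and crc 32
    on the other) raises ValueError and the frame is discarded.
    """
    if len(frame) < 2 or frame[0] != FLAG or frame[-1] != FLAG:
        raise ValueError("missing frame delimiters")
    body = unstuff(frame[1:-1])
    if fcs_bits == 16:
        good = _crc(body, FCS16_INIT, FCS16_POLY, 16) == FCS16_GOOD
    else:
        good = _crc(body, FCS32_INIT, FCS32_POLY, 32) == FCS32_GOOD
    if not good:
        raise ValueError("FCS mismatch")
    if len(body) < 4 + fcs_bits // 8 or body[0] != ADDRESS or body[1] != CONTROL:
        raise ValueError("unexpected Address/Control octets")
    (protocol,) = struct.unpack("!H", body[2:4])
    return protocol, body[4:-(fcs_bits // 8)]


def frame_ok(frame: bytes, fcs_bits: int) -> bool:
    """True when the frame passes the receiver check for the given FCS size."""
    try:
        parse_frame(frame, fcs_bits)
        return True
    except ValueError:
        return False
```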



Implementing POS
This topic describes how to configure and verify a POS interface on a Cisco IOS XR router.

interface pos 0/2/0


clock source {internal | line}
crc 32

PE2#show controllers pos 0/2/0


POS0/2/0
< text omitted >
Framing: SONET
APS

COAPS = 0 PSBF = 0
State: PSBF_state = False
Rx(K1/K2): 00/00 Tx(K1/K2): 00/00
Rx Synchronization Status S1 = 00
S1S0 = 00, C2 = CF
Remote aps status (none); Reflected local aps status (none)
CLOCK RECOVERY
RDOOL = 0
State: RDOOL_state = False
PATH TRACE BUFFER: STABLE
Remote hostname : PE4
Remote interface: POS0/2/0
Remote IP addr : 0.0.0.0
Remote Rx(K1/K2): 00/00 Tx(K1/K2): 00/00

BER thresholds: SF = 10e-3 SD = 10e-6


TCA thresholds: B1 = 10e-6 B2 = 10e-6 B3 = 10e-6

Clock source: internal


To configure the POS interface clock source and CRC, use the clock source {internal|line} and
crc {value} Cisco IOS XR interface commands. To verify POS interface operation, use the
Cisco IOS XR show controllers command.

Summary
This topic summarizes the key points that were discussed in this lesson.

• DOCSIS uses MPEG frames to transmit data.


• There are several common DSL PPP encapsulation methods including
PPPoA and PPPoE.
• PPP is a common Layer 2 protocol for the WAN. There are two
components of PPP: LCP, which negotiates the connection, and NCP,
which encapsulates traffic.
• PPP uses two protocols for authentication: PAP and CHAP.
• To enable PPP encapsulation, use the encapsulation ppp command in
interface configuration mode.


• There are several common DSL PPP encapsulation methods, including
PPP over ATM (PPPoA) and PPP over Ethernet (PPPoE).
• PPPoE is used with broadband remote access technologies that provide
a bridged Ethernet topology when service providers wish to maintain the
session abstraction that is associated with PPP.
• POS carries packets directly within the SONET SPE.
• In POS, PPP is encapsulated inside HDLC.
• In POS, the PPP frame is inserted into the Information field of the HDLC
frame.
• To configure the POS interface clock source and CRC, use the clock
source and crc Cisco IOS XR interface commands.




Lesson 5

VPN Overview
Overview
Virtual private networks (VPNs) allow secure access to corporate resources by establishing an
encrypted tunnel across the Internet. The ubiquity of the Internet, combined with current VPN
technologies, allows organizations to cost-effectively and securely extend the reach of their
networks to anyone, anywhere, anytime. This lesson introduces you to IP Security (IPsec)
services and Generic Routing Encapsulation (GRE). It also examines the Layer 2 Tunneling
Protocol (L2TP), Group Encrypted Transport VPN (GET VPN), and Secure Sockets Layer
(SSL) VPN.

Objectives
Upon completing this lesson, you will be able to describe the functions and characteristics of
VPNs. You will be able to meet these objectives:
 Describe basic characteristics of VPNs
 Describe site-to-site VPNs
 Describe remote-access VPNs
 Describe L2TP architecture
 Describe IPsec
 Describe the security services provided by IPsec
 Describe Cisco SSL VPNs
 Provide an overview of SSL
 Describe how an SSL tunnel is established between two devices
 Compare IPsec and SSL
 Describe Cisco GET VPNs
 Describe GRE
 Describe the default characteristics of GRE
 Describe how GRE can be used to address routing issues
 Describe how to configure a GRE tunnel
 Describe the Cisco DMVPN feature
Describe VPNs
This topic describes the basic characteristics of virtual private networks.

Figure: VPN connectivity over IPsec between the main site, a business partner, a regional office, a mobile worker, and a SOHO through the corporate POP.

• Virtual: Information within a private network is transported over a public network.
• Private: The traffic is encrypted to keep the data confidential.


The usual meaning of a VPN includes encryption. With a VPN, the information from a private
network is transported over a public network such as the Internet to form a virtual network
instead of using a dedicated Layer 2 connection. To remain private, the traffic is encrypted to
keep the data confidential. In this lesson, a VPN will be defined as an encrypted connection
between private networks over a public network, usually the Internet.

Figure: Traditional Layer 2 WAN vs. Internet-based VPN (branch office, SOHO, mobile user, central site), compared on these points:
• Cost
• Security
• Scalability


VPNs have many benefits:
 Cost savings: VPNs enable organizations to use cost-effective third-party Internet transport
to connect remote offices and remote users to the main corporate site, thus eliminating
expensive dedicated WAN links and modem banks. Furthermore, with the advent of cost-
effective high-bandwidth technologies such as DSL, organizations can use VPNs to reduce
their connectivity costs while simultaneously increasing remote connection bandwidth.
 Security: VPNs provide the highest level of security by using advanced encryption and
authentication protocols that protect data from unauthorized access.
 Scalability: VPNs enable corporations to use the Internet infrastructure of ISPs and devices,
which makes it easy to add new users. Therefore, corporations are able to add large
amounts of capacity without adding significant infrastructure.
 Compatibility with broadband technology: VPNs allow mobile workers, telecommuters,
and people who want to extend their workday to take advantage of high-speed broadband
connectivity such as DSL and cable to gain access to their corporate networks. Workers
gain significant flexibility and efficiency. Furthermore, high-speed broadband connections
provide a cost-effective solution for connecting remote offices.



Site-to-Site VPNs
This topic describes site-to-site VPNs.

Figure: Site-to-site VPN, an extension of the classic WAN: a remote site connects over DSL or cable to the ISP POP and the Internet, reaching the central site router (intranet) or a business-to-business extranet.


There are two basic types of VPN networks:
 Site-to-site
 Remote-access

A site-to-site VPN is an extension of a classic WAN network. Site-to-site VPNs connect entire
networks to each other; for example, they can connect a branch office network to a company
headquarters network. In the past, a leased line or Frame Relay connection was required to
connect sites. Because most corporations now have Internet access, they can replace these
connections with site-to-site VPNs.
In a site-to-site VPN, hosts do not have Cisco VPN Client software. They send and receive
normal TCP/IP traffic through a VPN “gateway,” which could be a router or a Cisco ASA 5500
Series Adaptive Security Appliance. The VPN gateway is responsible for encapsulating and
encrypting outbound traffic for all of the traffic from a particular site and sending it through a
VPN tunnel over the Internet to a peer VPN gateway at the target site. Upon receipt, the peer
VPN gateway strips the headers, decrypts the content, and relays the packet toward the target
host inside its private network.

Remote-Access VPNs
This topic describes remote-access VPNs.

Figure: Remote-access VPN, an evolution of dialup networks and ISDN: a telecommuter (DSL or cable) or a mobile user connects through the ISP POP and the Internet to the central site router, or to a consumer-to-business extranet.


Remote access is an evolution of circuit-switching networks such as plain old telephone service
(POTS) or ISDN. Remote-access VPNs can support the needs of telecommuters, mobile users,
and extranet consumer-to-business traffic. Remote-access VPNs connect individual hosts that
must access their company network securely over the Internet.
In the past, corporations supported remote users by using dial-in networks and ISDN. With the
advent of VPNs, a mobile user simply needs access to the Internet to communicate with the
central office. For telecommuters, Internet connectivity is typically a broadband DSL or
cable connection.
In a remote-access VPN, each host typically has Cisco VPN Client software. Whenever the
host tries to send any traffic, the Cisco VPN Client software encapsulates and encrypts that
traffic before sending it over the Internet to the VPN gateway at the edge of the target network.
Upon receipt, the VPN gateway behaves as it does for site-to-site VPNs.



Layer 2 Tunneling Protocol
This topic describes the L2TP architecture.

Figure: L2TP architecture: the dial client (PPP peer) reaches the ISP LAC over the PSTN or ISDN; an L2TP tunnel connects the LAC to the LNS in the corporate network; AAA servers (RADIUS/TACACS+) are present at both the ISP and the corporate network.


L2TP is an emerging IETF standard that combines the best features of two existing tunneling
protocols: Cisco Layer 2 Forwarding (L2F) and the Microsoft Point-to-Point Tunneling
Protocol (PPTP). L2TP is an extension of PPP, which is an important component of VPNs.
Traditional dial-up networking services support only registered IP addresses, which limits the
types of applications that can be implemented over VPNs. L2TP supports multiple protocols and
unregistered, privately administered IP addresses over the Internet. It allows the existing
access infrastructure, such as the Internet, modems, access servers, and ISDN terminal adapters
(TAs), to be used.
The two main L2TP components are the L2TP network server (LNS) and the L2TP access
concentrator (LAC). The LNS is the termination point for the L2TP tunnel and the access point where
PPP frames are processed and passed to higher-layer protocols. The LNS operates on any platform
that is capable of PPP termination. The LNS manages the server side of the L2TP protocol.
The LAC is the L2TP device to which the client directly connects and through which PPP frames are
tunneled to the LNS. An LAC only needs to implement the media over which L2TP operates in
order to pass traffic to one or more LNSes. It may tunnel any protocol that is carried within
PPP. The LAC is the initiator of incoming calls and the receiver of outgoing calls.
With L2TP, the remote user connects to the Internet via a local ISP or by using one of the
national ISPs that have local dial-up numbers throughout the country. Native PPP runs over the
dial-up link between the user and the CO. An L2TP access concentrator (LAC) then virtually
extends PPP across the Internet to an L2TP network server (LNS), which is located at the
corporate network. This is where the PPP session officially terminates.

This is the procedure of L2TP tunnel establishment:
1. The client dials the ISP using an analog phone or ISDN. In this case, the client computer is
configured with PPP, although a client may also run L2TP directly.

2. When the call arrives at the LAC of the ISP, the LAC performs a call check by contacting a
RADIUS or TACACS server. The RADIUS or TACACS server responds with an accept or
reject message. If accepted, the reply will also specify that an L2TP tunnel is needed.

3. The LAC creates a tunnel to the LNS at the client corporate site. This is done by sending a
message to UDP port 1701. An authentication procedure takes place between the LAC and
the LNS.

4. A tunnel is set up and the client begins communicating with the corporate LCP using PPP.
The client first sends PPP authentication information to the LCP, which in turn
authenticates the client.

RADIUS is a networking protocol that provides centralized Authentication, Authorization, and
Accounting (AAA) management for computers to connect and use a network service.
TACACS is a remote authentication protocol that is used to communicate with an
authentication server, commonly used in UNIX networks. TACACS allows a remote access
server to communicate with an authentication server in order to determine if the user has access
to the network.



Figure: L2TP tunnel path: the dial client (PPP peer) crosses the PSTN to the ISP LAC, and the L2TP tunnel crosses the Internet to the LNS in the corporate network; the carried stack is PPP over L2TP over IP.


Service providers use L2TP tunneling to create a virtual tunnel to link remote customer sites or
remote users with corporate home networks. The LAC is located at the ISP point of presence
(POP), and it exchanges PPP messages with remote users. To set up tunnels, it uses L2TP
requests and responses to communicate with the customer's LNS. L2TP passes protocol-level
packets through the virtual tunnel between endpoints of a point-to-point connection.
Frames from remote users are accepted by the ISP POP, stripped of any linked framing or
transparency bytes, encapsulated in L2TP, and forwarded over the appropriate tunnel. The
customer's home gateway accepts these L2TP frames, strips the L2TP encapsulation, and
processes the incoming frames for the appropriate interface.

IP Security VPN
This topic describes IPsec.

Figure: IPsec protecting traffic between the main site, a business partner, a regional office, a mobile worker, and a SOHO through the corporate POP.

IPsec works at the network layer, protecting and authenticating IP packets.
• It is a framework of open standards that is algorithm-independent.
• It provides data confidentiality, data integrity, and origin authentication.


IPsec is an IETF standard (RFC 2401 to 2412) that is designed to provide interoperable,
cryptographically based security for IPv4 and IPv6. The set of security services that is offered
includes access control, data integrity, data origin authentication, protection against replays,
and data confidentiality (encryption).
IPsec works at the network layer, protecting and authenticating IP packets between
participating IPsec devices (peers). IPsec is not bound to any specific encryption,
authentication, security algorithms, or keying technology. IPsec is a framework of open
standards.
By not binding IPsec to specific algorithms, IPsec allows newer and better algorithms to be
implemented without patching the existing IPsec standards. IPsec provides data confidentiality,
data integrity, and origin authentication between participating peers at the IP layer. IPsec
secures a path between a pair of gateways, a pair of hosts, or a gateway and a host.



IPsec Security Services
This topic describes the security services provided by IPsec.

• Confidentiality
- IPsec uses encryption to ensure confidentiality.
• Data integrity
- Your IPsec policy must use a hashing algorithm to provide data integrity.
• Authentication
- Tunnel establishment includes peer authentication.
• Antireplay protection
- Verifies that each packet is unique and not duplicated.


IPsec provides these essential security functions:
 Confidentiality: IPsec ensures confidentiality by using encryption. Data encryption
prevents third parties from reading the data, especially data that is transmitted over public
or wireless networks.
 Integrity: IPsec ensures that data arrives unchanged at the destination; that is, that the data
has not been manipulated at any point along the communication path. IPsec ensures data
integrity by using checksums, which are a simple redundancy check. The IPsec protocol
adds up the basic components of a message, typically the number of bytes, and stores the
total value. IPsec performs a checksum operation on received data and compares the result
to the authentic checksum. If the sums match, it is believed that the data has not been
manipulated.
 Authentication: Authentication ensures that the connection is made with the desired
communication partner. IPsec uses Internet Key Exchange (IKE) to authenticate users and
devices that can carry out communication independently.
 Antireplay protection: Antireplay protection verifies that each packet is unique and is not
duplicated. IPsec packets are protected by comparing the sequence number of the received
packets with a sliding window on the destination host or security gateway. A packet that
has a sequence number that comes before the sliding window is considered either late or a
duplicate packet. Late and duplicate packets are dropped.
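The sliding-window check just described, as an added Python example (not code from this guide): it follows the receiver-side algorithm that RFC 4303 specifies for ESP with a 64-entry window, and the packet arrival order it runs over is a constructed sample.

```python
"""IPsec-style anti-replay sliding window (added example, not Cisco code).

Mirrors the receiver check described above, as RFC 4303 specifies it for
ESP: track the highest sequence number accepted and a bitmap of the most
recent WINDOW_SIZE numbers. A number left of the window is 'late', a number
already marked in the bitmap is a duplicate; both are dropped.
"""
from typing import List, Tuple

WINDOW_SIZE = 64  # RFC 4303 default minimum window


class AntiReplayWindow:
    def __init__(self, size: int = WINDOW_SIZE) -> None:
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence (highest - i) was received

    def check(self, seq: int) -> str:
        """Classify seq and update the window; a real receiver updates the
        window only after the packet's integrity check (ICV) has passed."""
        if seq == 0:
            return "drop-invalid"          # ESP never transmits sequence 0
        if seq > self.highest:
            # New high-water mark: slide the window right by the gap.
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1            # every older number falls out
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return "accept"
        diff = self.highest - seq
        if diff >= self.size:
            return "drop-late"             # older than the window's left edge
        if self.bitmap & (1 << diff):
            return "drop-duplicate"        # already received: a replay
        self.bitmap |= 1 << diff           # inside the window, first sighting
        return "accept"


def run_replay_check(seqs: List[int], size: int = WINDOW_SIZE) -> List[Tuple[int, str]]:
    """Feed a sample arrival order through one window and return the verdicts."""
    window = AntiReplayWindow(size)
    return [(s, window.check(s)) for s in seqs]


if __name__ == "__main__":
    # Sample arrival order: reordering (5 before 4), a replayed 3, a jump to 70
    # that slides the window, then a too-old 2, an in-window 7, and a replayed 70.
    for seq, verdict in run_replay_check([1, 2, 3, 5, 4, 3, 70, 2, 7, 70]):
        print(f"seq {seq:3d}: {verdict}")
```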

Cisco SSL VPN
This topic describes Cisco SSL VPNs.

• Integrated security and routing
• Browser-based full network SSL VPN access

Figure: Cisco SSL VPN: a user with clientless SSL VPN or full tunnel SSL VPN crosses the Internet through an SSL VPN tunnel to the headquarters workplace resources.


Cisco SSL VPN is an emerging technology that provides remote-access connectivity from
almost any Internet-enabled location by using a web browser and its native SSL encryption.
Cisco SSL VPN provides the flexibility to support secure access for all users, regardless of the
endpoint host from which they establish a connection. If application access requirements are
modest, Cisco SSL VPN does not require preinstallation of a software client on the endpoint
host. This ability enables companies to extend their secure enterprise networks to any
authorized user by providing remote-access connectivity to corporate resources from any
Internet-enabled location.
SSL VPN currently delivers two modes of SSL VPN access: Clientless SSL VPN or Full
Tunnel SSL VPN. SSL VPNs allow users to access web pages and services. Users can access
files, send and receive email, and run TCP-based applications without IPsec VPN Client
software. SSL VPNs are appropriate for user populations that require per-application or per-
server access control, or access from nonenterprise-owned desktops.
In many cases, IPsec and SSL VPN are complementary because they solve different problems.
This complementary approach allows a single device to address all remote-access user
requirements.



SSL Overview
This topic provides an overview of SSL.

• SSL is a cryptosystem that was created by Netscape in the mid-1990s.
- Symmetric algorithms are used for bulk encryption.
- Asymmetric algorithms are used for authentication and key exchange.
- Hashing is used as part of the authentication process.
• SSL has many parallels to IPsec.
• E-commerce sites worldwide use SSL.
• SSL is a popular way to secure plaintext email protocols.
• It is gaining increased popularity as a remote-access VPN technology.
• TLS is a standards-based replacement for SSL.


Transport Layer Security (TLS) and its predecessor, SSL, are cryptographic protocols that
provide secure communications on the Internet for such things as web browsing, email, Internet
faxing, instant messaging, and other data transfers. There are slight differences between SSL
and TLS, but the protocol remains largely the same. Originally developed by Netscape, SSL
has been universally accepted on the World Wide Web.
The SSL and TLS protocols support the use of various cryptographic algorithms, or ciphers.
These ciphers are used in operations such as authenticating the server and client to each other,
transmitting certificates, and establishing session keys.
Asymmetric algorithms are used for authentication and the exchange of keys, and hashing is
used as part of the authentication process.
SSL-based VPNs provide remote-access connectivity from almost any Internet-enabled
location by using a standard web browser and its native SSL encryption. They do not require
the preinstallation of any special-purpose client software on the system. Thus, Cisco SSL VPNs
are capable of "anywhere" connectivity from company-managed desktops and noncompany-
managed desktops, such as employee-owned PCs, contractor or business partner desktops, and
Internet kiosks. All of the software that is required for application access across the SSL VPN
connection is dynamically downloaded as needed, minimizing the maintenance of desktop
software.
Cisco SSL VPNs and IPsec VPNs are complementary technologies that you can deploy
together to better address the unique access requirements of diverse user communities. Both
offer access to virtually any network application or resource. Cisco SSL VPNs offer additional
features such as easy connectivity from desktops outside your company management, little or
no desktop software maintenance, and user-customized web portals upon login.

SSL Tunnel Establishment
This topic describes how an SSL tunnel is established between two devices.

Figure: SSL VPN tunnel establishment between the user and the router:
1. User makes a connection to TCP port 443.
2. Router replies with a digitally signed public key.
3. User software creates a shared-secret key.
4. Shared-secret key, encrypted with public key of the server, is sent to the router.
5. Bulk encryption occurs by using the shared-secret key with a symmetric encryption algorithm.


The figure gives a simplified explanation of the key steps in establishing an SSL session:
1. The user makes an outbound connection to TCP port 443.
2. The router responds with a digital certificate, which contains a public key that is digitally
signed by a trusted certificate authority (CA).
3. The user computer generates a shared-secret, symmetric key that both parties will use.
4. The shared secret is encrypted with the public key of the router and transmitted to the
router. The router software can easily decrypt the packet by using its private key.
Now both participants in the session know the shared-secret key.
5. The key is used to encrypt the SSL session.



IPsec vs. SSL
This topic compares IPsec and SSL.

Criterion | SSL | IPsec
Applications | Web-enabled applications, file sharing, email | All IP-based applications
Encryption | Moderate—key lengths range from 40 bits to 128 bits | Stronger—key lengths range from 56 bits to 256 bits
Authentication | Moderate—one-way or two-way authentication | Strong—two-way authentication using shared secrets or digital certificates
Ease of Use | Very high | Moderate—can be challenging to nontechnical users
Overall Security | Moderate—any device can connect | Strong—only specific devices with specific configurations can connect


IPsec exceeds SSL in many significant ways: the number of applications that are supported, the
strength of its encryption, the strength of its authentication, and its overall security. The one
area in which SSL excels is its ease of use and ease of deployment. When security is the issue,
IPsec is the superior choice. If support and ease of deployment are the primary issues, then you
should consider SSL. Cisco VPN products support both technologies to satisfy the largest
number of customer requirements.

GET VPN
This topic describes Cisco GET VPNs.

• Large-scale any-to-any encrypted communications
• Native routing without tunnel overlay (tunnel-free)
• Optimal for QoS and multicast support, which improves application performance
• Transport agnostic

Figure: Cisco GET VPN: any-to-any connectivity, scalable, real time.


Introduced in Cisco IOS Software Release 12.4(11)T, GET provides connectionless, tunnel-free
encryption that leverages the existing routing infrastructure. GET VPN offers simplified
encryption for both subscribers and providers. Although the versatility of GET VPNs qualifies
them for various Multiprotocol Label Switching (MPLS), IP, Frame Relay, and ATM networks,
it is an ideal encryption solution for MPLS VPNs that require site-to-site encryption.
With the introduction of GET VPN, Cisco delivers a new category of VPN that eliminates the
need for point-to-point tunnels. Without tunnels, distributed branch networks can increase in
scale while maintaining network intelligence features that are critical to voice and video quality
such as QoS, routing, and multicast. GET VPN offers a new standards-based IPsec security
model that is based on the concept of “trusted” group members. Trusted member routers use a
common security methodology that is independent of any point-to-point IPsec tunnel
relationship.
You can use GET VPN-based networks in various WAN environments, including IP and
MPLS. MPLS VPNs that use this encryption technology are highly scalable, manageable, and
cost-effective and meet regulatory-mandated encryption requirements. The flexible nature of
GET VPN enables security-conscious enterprises to manage their own network security over a
service provider WAN service or to offload encryption services to their providers. GET VPN
simplifies securing large Layer 2 or MPLS networks that require partial or full-mesh
connectivity.



Before: IPsec Tunnels (point-to-point tunnels over the WAN)
• Scalability issue
• Overlay routing
• No any-to-any instant connectivity to scale
• Limited advanced QoS
• Inefficient multicast replication

After: Tunnel-Free VPN (native routing and multicast over the WAN)
• Scalable architecture for any-to-any connectivity and encryption
• No overlays—native routing
• Any-to-any instant connectivity
• Advanced QoS
• Efficient multicast replication

Tunnel-based IPsec has scaling issues, which can be a problem for enterprises. Instant any-to-
any connectivity is limited, resulting in suboptimal routing because of the tunnel overlay. This
suboptimal routing renders quality of service (QoS) difficult and multicast replication
inefficient.
By removing the tunnels, the scaling problem is eliminated. By removing the tunnel overlay, all
of the problems that are linked to tunnel-based IPsec—suboptimal routing and problems with
QoS and multicast—are gone.

• Key distribution mechanism—GDOI
- RFC 3547
- Group keys between peers
- Encrypted control plane
• Routing continuity—no overlay routing
- Preserves IP header
• Multicast data protection
- Encrypts multicast with IP header preservation
• Unicast data protection
- Encrypts unicast with IP header preservation

Figure: GET VPN building blocks: key distribution (GDOI), IP header preservation, routing, and data protection for secure multicast and secure unicast.


GET VPN is an enhanced IPsec solution that supports secure unicast and multicast—the Cisco
solution for enabling encryption for “native” multicast packets—and unicast over a private
WAN. Secure multicast and GET VPN are based on Group Domain of Interpretation (GDOI)
as defined in RFC 3547, The Group Domain of Interpretation. In addition, GET VPN has
enhancements to IPsec in the area of header preservation and security association (SA) lookup.
Dynamic distribution of IPsec SAs has been added to GET VPN, and the tunnel overlay
properties of IPsec have been removed.
With GET VPN, IPsec-protected data packets carry the original source and destination
addresses in the outer IP header rather than replacing them with tunnel endpoint addresses. This
technique is known as IPsec Tunnel Mode with Address Preservation.
Address preservation allows routing to deliver the packets to any router in the network that
advertises a route to the destination address. Note that any source and destination address
matching the policy for the group is treated in a similar manner. In the situation in which a link
between IPsec peers is unavailable, address preservation also helps combat traffic “black-hole”
situations.
The header preservation that GET VPN provides also maintains routing continuity throughout
the enterprise address space as well as in the WAN.
In extending GDOI by encrypting and authenticating both multicast and unicast traffic, the
GET VPN provides benefits to various applications:
 Provides data security and transport authentication, helping to meet security compliance
and internal regulation by encrypting all WAN traffic
 Enables high-scale network meshes and eliminates complex peer-to-peer key management
with group encryption keys
 Maintains the network intelligence, such as full-mesh connectivity, natural routing path,
and QoS for MPLS networks
 Uses a centralized key server to provide easy membership control



Generic Routing Encapsulation
This topic introduces the GRE protocol.

• Defined in RFCs 1701, 1702, and 2784
• Uses IP protocol 47
• Allows routing information to be passed between connected networks

Figure: GRE tunnel between two routers across the Internet.


Tunneling provides a way to encapsulate packets inside of a transport protocol. Tunneling is
implemented as a virtual interface to provide a simple interface for configuration. The tunnel
interface is not tied to specific passenger or transport protocols. It is an architecture that
provides the services necessary to implement any standard point-to-point encapsulation
scheme. Because tunnels are point-to-point links, you must configure a separate tunnel for each
link.
Tunneling allows for the encryption and transportation of multiprotocol traffic across the VPN,
because the tunneled packets appear to the IP network as an IP unicast frame between the
tunnel endpoints. If all connectivity must go through the home gateway router, tunnels also
enable the use of private network addressing across a service provider backbone without the
need for running the Network Address Translation (NAT) feature.
GRE is a tunneling protocol that is designed to encapsulate arbitrary types of network layer
packets inside of arbitrary types of network layers. Cisco developed GRE, which can
encapsulate a wide variety of protocol packet types inside of IP tunnels.
GRE uses IP protocol 47 and can be used with IPsec VPNs to pass routing information between
connected networks.
As an alternative to using only IPsec, you can forward traffic that needs encryption onto a GRE
interface that you configure to use IPsec encryption. Packets that the GRE interface forwards
are encapsulated and routed out of the physical interface. GRE can manage the transportation of
multiprotocol and IP multicast traffic between two sites that have only IP unicast connectivity.

Default GRE Characteristics
This topic describes the default characteristics of GRE.

Figure: GRE packet layout: IP | GRE | IP | TCP | Data. In the GRE header, the Flags field identifies the presence of optional header fields, and the Protocol Type field identifies the type of payload (Ethertype 0x800 is used for IPv4).

• Its primary goal is to tunnel the arbitrary OSI Layer 3 payload.
• It is stateless (no flow control mechanisms).
• It provides no security (no confidentiality, data authentication, or integrity assurance).
• It has a 24-byte overhead by default (20-byte IP header and 4-byte GRE header).


GRE creates a virtual point-to-point link to Cisco routers at remote points over an IP
internetwork. By connecting multiprotocol subnetworks in a single-protocol backbone
environment, IP tunneling by use of GRE enables network expansion across a single-protocol
backbone environment.
GRE has these characteristics:
 GRE encapsulation uses a protocol type field in the GRE header to support the
encapsulation of any Open Systems Interconnection (OSI) Layer 3 protocol.
 GRE itself is stateless; it does not include any flow control mechanisms by default.
 GRE does not include any strong security mechanisms to protect its payload.
 The GRE header, together with the tunneling IP header, creates at least 24 bytes of
additional overhead for tunneled packets.

A network layer packet, known as the payload packet, is encapsulated in a GRE packet, which
might also include source route information. The resulting GRE packet is then encapsulated in
some other network layer protocol, known as the delivery protocol, and then forwarded.
There are three primary components of tunneling:
 The passenger or payload protocol, which is the protocol that you are encapsulating
(AppleTalk, Banyan Virtual Integrated Network Service [VINES], Connectionless Network
Service [CLNS], DECnet, IP, or Internetwork Packet Exchange [IPX])
 The carrier or encapsulation protocol, such as GRE or IPsec
 The transport or delivery protocol, such as IP, which is the protocol that carries the
encapsulated protocol
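An added Python example (not code from this guide) that builds and parses the GRE header and the outer IPv4 delivery header described above, following RFC 2784 and RFC 2890, and confirms the 24-byte default overhead and how the optional Checksum, Key, and Sequence Number fields extend it. The endpoint addresses 192.168.1.2 and 192.168.2.2 and the payload bytes are sample values.

```python
"""GRE-in-IPv4 encapsulation per RFC 2784/2890 (added example, not Cisco code).

Builds the outer IPv4 delivery header (protocol 47) and the GRE header with
its Flags and Protocol Type fields, and shows how the optional C, K and S
fields grow the 4-byte base header. Addresses and payload are sample values.
"""
import socket
import struct
from typing import Optional

IP_PROTO_GRE = 47            # delivery-protocol value for GRE
ETHERTYPE_IPV4 = 0x0800      # GRE Protocol Type for an IPv4 payload
IPV4_HEADER_LEN = 20
GRE_FLAG_CHECKSUM = 0x8000   # C bit: Checksum + Reserved1 present (RFC 2784)
GRE_FLAG_KEY = 0x2000        # K bit: Key present (RFC 2890)
GRE_FLAG_SEQ = 0x1000        # S bit: Sequence Number present (RFC 2890)
GRE_VERSION_MASK = 0x0007    # version must be 0 for RFC 2784 GRE


def internet_checksum(data: bytes) -> int:
    """One's complement checksum used by IPv4 and by the GRE Checksum field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_gre(payload: bytes, proto: int = ETHERTYPE_IPV4, *,
              key: Optional[int] = None, seq: Optional[int] = None,
              checksum: bool = False) -> bytes:
    """Return GRE header + payload; optional fields follow the fixed RFC order."""
    flags = 0
    optional = b""
    if checksum:
        flags |= GRE_FLAG_CHECKSUM
        optional += struct.pack("!HH", 0, 0)   # checksum placeholder, reserved1
    if key is not None:
        flags |= GRE_FLAG_KEY
        optional += struct.pack("!I", key)
    if seq is not None:
        flags |= GRE_FLAG_SEQ
        optional += struct.pack("!I", seq)
    header = struct.pack("!HH", flags, proto) + optional
    if checksum:
        # The checksum covers the GRE header (field zeroed) plus the payload.
        csum = internet_checksum(header + payload)
        header = header[:4] + struct.pack("!H", csum) + header[6:]
    return header + payload


def parse_gre(packet: bytes) -> dict:
    """Decode Flags/Protocol Type and optional fields; verify the checksum if C is set."""
    flags, proto = struct.unpack("!HH", packet[:4])
    if flags & GRE_VERSION_MASK:
        raise ValueError("not RFC 2784 GRE (version != 0)")
    offset = 4
    info = {"protocol": proto, "key": None, "seq": None, "checksum_ok": None}
    if flags & GRE_FLAG_CHECKSUM:
        # With the stored checksum included, a valid packet sums to zero.
        info["checksum_ok"] = internet_checksum(packet) == 0
        offset += 4
    if flags & GRE_FLAG_KEY:
        (info["key"],) = struct.unpack("!I", packet[offset:offset + 4])
        offset += 4
    if flags & GRE_FLAG_SEQ:
        (info["seq"],) = struct.unpack("!I", packet[offset:offset + 4])
        offset += 4
    info["header_len"] = offset
    info["payload"] = packet[offset:]
    return info


def build_ipv4_delivery(src: str, dst: str, gre_packet: bytes, ttl: int = 255) -> bytes:
    """Outer IPv4 header (protocol 47) carrying GRE between tunnel endpoints."""
    total_len = IPV4_HEADER_LEN + len(gre_packet)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl,
                      IP_PROTO_GRE, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]
    return hdr + gre_packet


def tunnel_overhead(**gre_options) -> int:
    """Bytes GRE-over-IPv4 adds to a payload with the given GRE options."""
    return len(build_ipv4_delivery("192.168.1.2", "192.168.2.2",
                                   build_gre(b"", **gre_options)))


if __name__ == "__main__":
    inner = b"\x45\x00" + b"\x00" * 18   # sample stand-in for an inner IPv4 packet
    plain = build_ipv4_delivery("192.168.1.2", "192.168.2.2", build_gre(inner))
    print("default overhead:", len(plain) - len(inner))   # 24 = 20 IP + 4 GRE
    keyed = parse_gre(build_gre(inner, key=0x1234, seq=7, checksum=True))
    print("with C/K/S:", keyed["header_len"], keyed["checksum_ok"])
```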



GRE Routing Considerations
This topic describes how GRE can be used to address routing issues.

• IPsec does not support multicast or broadcast traffic.
• Routing protocols use mostly multicast and broadcast.
• GRE supports both multicast and broadcast traffic.


You can use GRE with IPsec to pass routing updates between sites on an IPsec VPN. GRE encapsulates the plaintext packet; then IPsec (in transport mode or tunnel mode) encrypts the GRE packet. This packet flow of IPsec over GRE allows routing updates, which are generally multicast or broadcast packets, to be passed over an encrypted link. IPsec alone cannot pass routing updates over an encrypted link, because it does not support multicast or broadcast traffic. GRE tunnels are therefore needed in a VPN environment because IPsec encryption works only on IP unicast packets: the GRE tunnel turns a multicast or broadcast routing update into a unicast packet between the two tunnel endpoints, which IPsec can then protect.
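The GRE characteristics listed in the previous topic and the multicast point made here can be checked on actual bytes. The following Python script is an added example written for this text; it is not part of the original course material or of any Cisco software. It builds a minimal IPv4 header, wraps a constructed OSPF-style multicast routing update (IP protocol 89 to 224.0.0.5, with dummy OSPF body bytes) in a base GRE header (RFC 2784) and a delivery IPv4 header addressed to the tunnel endpoints used in the configuration example that follows in this lesson (192.168.1.2 and 192.168.2.2, tunnel address 172.16.1.1), and then decapsulates it again. It demonstrates the 24 bytes of overhead, that the GRE protocol type field names the passenger protocol, that the outer packet is unicast (which is what IPsec can encrypt), and that the passenger bytes appear unchanged and in cleartext, which is why IPsec is layered on top of GRE. The decapsulation also skips the optional checksum, key, and sequence fields (RFC 2890) so it works on GRE headers that carry them.

```python
import struct
import ipaddress

IP_PROTO_GRE = 47            # delivery IP header protocol number for GRE
GRE_PROTO_IPV4 = 0x0800      # GRE protocol type for an IPv4 passenger (EtherType value)


def internet_checksum(data: bytes) -> int:
    """One's-complement sum used by the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | 5, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


def gre_encapsulate(payload_packet: bytes, tunnel_src: str, tunnel_dst: str,
                    proto_type: int = GRE_PROTO_IPV4) -> bytes:
    """Carrier step: prepend the 4-byte base GRE header (flags/version, protocol type),
    then the delivery IPv4 header addressed to the tunnel endpoints."""
    gre_packet = struct.pack("!HH", 0, proto_type) + payload_packet
    return ipv4_header(tunnel_src, tunnel_dst, IP_PROTO_GRE, len(gre_packet)) + gre_packet


def gre_decapsulate(frame: bytes):
    """Parse delivery IPv4 + GRE; return (outer_src, outer_dst, proto_type, payload)."""
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != IP_PROTO_GRE:
        raise ValueError("delivery protocol is not GRE")
    if internet_checksum(frame[:ihl]) != 0:
        raise ValueError("bad delivery header checksum")
    outer_src = str(ipaddress.IPv4Address(frame[12:16]))
    outer_dst = str(ipaddress.IPv4Address(frame[16:20]))
    flags, proto_type = struct.unpack("!HH", frame[ihl:ihl + 4])
    gre_len = 4
    if flags & 0x8000:   # C bit: checksum + reserved1 present
        gre_len += 4
    if flags & 0x2000:   # K bit: key present (RFC 2890)
        gre_len += 4
    if flags & 0x1000:   # S bit: sequence number present (RFC 2890)
        gre_len += 4
    return outer_src, outer_dst, proto_type, frame[ihl + gre_len:]


def build_sample_routing_update() -> bytes:
    """Constructed passenger packet: an OSPF-style hello (IP protocol 89) from the tunnel
    address 172.16.1.1 to the AllSPFRouters group 224.0.0.5. The OSPF body is dummy bytes."""
    ospf_body = bytes.fromhex("0201002c00000000")
    return ipv4_header("172.16.1.1", "224.0.0.5", 89, len(ospf_body)) + ospf_body


def tunnel_summary(frame: bytes, inner: bytes) -> dict:
    """Check the statements from the text against the encapsulated bytes."""
    outer_src, outer_dst, proto_type, payload = gre_decapsulate(frame)
    return {
        "overhead_bytes": len(frame) - len(inner),                                      # 24
        "outer_dst_is_multicast": ipaddress.IPv4Address(outer_dst).is_multicast,       # False
        "inner_dst_is_multicast": ipaddress.IPv4Address(payload[16:20]).is_multicast,  # True
        "gre_protocol_type": proto_type,                                               # 0x0800
        "payload_intact": payload == inner,
        # GRE adds no protection: the passenger bytes appear verbatim in the frame
        "payload_in_cleartext": inner in frame,
    }


if __name__ == "__main__":
    inner = build_sample_routing_update()
    frame = gre_encapsulate(inner, "192.168.1.2", "192.168.2.2")   # r1 -> r2 as in the figure
    for key, value in tunnel_summary(frame, inner).items():
        print("%s: %s" % (key, value))
```

Running the script shows the outer destination 192.168.2.2 is an ordinary unicast address even though the passenger is addressed to 224.0.0.5, which is exactly why IPsec can protect the GRE packet but not the bare routing update.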

4-126 Building Cisco Service Provider Next-Generation Networks, Part 1 (SPNGN1) v1.01 © 2012 Cisco Systems, Inc.
Configuring a GRE Tunnel
This topic describes how to configure a GRE tunnel.

Figure: GRE tunnel across the Internet. Site 1: network 10.0.1.0, address 10.0.1.11, router r1 with S0/0/0 192.168.1.2. Site 2: network 10.0.2.0, address 10.0.2.11, router r2 with S0/0/0 192.168.2.2.

r1(config)#interface tunnel 0
r1(config-if)#ip address 172.16.1.1 255.255.255.0
r1(config-if)#tunnel source Serial 0/0/0
r1(config-if)#tunnel destination 192.168.2.2
r1(config-if)#no shutdown
r1(config-if)#exit
r1(config)#ip route 10.0.2.0 255.255.255.0 tunnel 0


Follow these steps to configure a basic GRE tunnel by using the CLI:
Step 1 Specify a tunnel interface number and enter the interface configuration mode.
r1(config)#interface tunnel number
Step 2 Configure an IP address and subnet mask on the tunnel interface.
r1(config-if)#ip address ip-address net-mask
Step 3 Specify the tunnel interface source address or interface.
r1(config-if)#tunnel source {ip-address | interface-type
interface-number}
Step 4 Specify the tunnel interface destination address.
r1(config-if)#tunnel destination dest-ip
Step 5 Bring up the tunnel interface.
r1(config-if)#no shutdown
Step 6 Exit back to global configuration mode.
r1(config-if)#exit
Step 7 Configure a static route so that traffic destined for the remote office network is routed through the tunnel.
r1(config)#ip route remote-network remote-mask tunnel number



DMVPN
This topic describes the Cisco DMVPN feature.

• DMVPN is a Cisco IOS solution for building IPsec-over-GRE VPNs in an easy, dynamic, and scalable manner.
• DMVPN relies on two proven technologies:
- NHRP: Creates a distributed (NHRP) mapping database of the public interface addresses of each spoke.
- mGRE: Allows a single GRE interface to support multiple GRE-over-IPsec tunnels, and simplifies the size and complexity of the configuration.


The Cisco DMVPN feature enables users to better scale large and small IPsec VPNs. The Cisco DMVPN feature combines Multipoint GRE (mGRE) tunnels, IPsec encryption, and Next Hop Resolution Protocol (NHRP) routing. This combination simplifies configuration through crypto profiles, which remove the requirement to define static crypto maps, and provides dynamic discovery of tunnel endpoints.
The Cisco DMVPN feature relies on two technologies:
• NHRP: A client/server protocol in which the hub is the server and the spokes are the clients. The hub maintains an NHRP database of the public interface addresses of each spoke. Each spoke registers its real address when it boots and queries the NHRP database for the real addresses of the destination spokes to build direct tunnels.
• mGRE: Enables a single GRE interface to support multiple IPsec tunnels and simplifies the size and complexity of the configuration.
There are two DMVPN deployment models:
• Hub-and-spoke: Requires configuration of each branch with a point-to-point GRE interface in which all of the spoke-to-spoke traffic must flow through the hub router.
• Spoke-to-spoke: Requires configuration of each branch with an mGRE interface in which dynamic spoke-to-spoke tunnels are used for the spoke-to-spoke traffic.

These are the primary benefits of DMVPNs:
• Hub router configuration reduction: Without DMVPN, a separate block of configuration lines on the hub router defines the crypto map characteristics, the crypto access control list (ACL), and the GRE tunnel interface for each spoke router. The DMVPN feature enables users to configure a single mGRE tunnel interface and a single IPsec profile, and it does not require crypto ACLs on the hub router to manage all spoke routers. Thus, the size of the configuration on the hub router remains constant even if spoke routers are added to the network.
• Automatic IPsec encryption initiation: GRE has the peer destination address configured or resolved via NHRP. Thus, this feature allows IPsec to be triggered immediately for the point-to-point GRE tunnel, or as soon as the GRE peer address is resolved via NHRP for the mGRE tunnel.
• Support for dynamically addressed spoke routers: When you use point-to-point GRE and IPsec hub-and-spoke VPN networks, you must know the physical interface IP address of the spoke routers when you are configuring the hub router. The IP address must be configured as the GRE tunnel destination address. DMVPN enables spoke routers to have dynamic physical interface IP addresses and uses NHRP to register these spoke router addresses with the hub router.

Figure: DMVPN deployment models. Left: hub-and-spoke tunnels. Right: spoke-to-spoke tunnels.

A DMVPN cloud topology can support either a hub-and-spoke or a spoke-to-spoke deployment model. In a hub-and-spoke deployment model, each hub router contains an mGRE interface, and each branch router contains a point-to-point GRE interface. In a spoke-to-spoke deployment model, both the hub and the branch router contain mGRE interfaces.
A DMVPN cloud is a collection of routers that are configured with either an mGRE interface or
a point-to-point GRE interface (or a combination of the two) and that share the same subnet.



A DMVPN cloud topology can support two deployment models:
• Hub-and-spoke: This is the most common deployment model. A hub-and-spoke deployment model requires the configuration of each branch with a point-to-point GRE interface in which all of the spoke-to-spoke traffic must flow through the hub router. This model is the most scalable, and it predominantly mimics traditional Layer 2 leased line, Frame Relay, or ATM hub-and-spoke networks. The hub is configured with an mGRE interface and the branch with a point-to-point GRE interface.
In this deployment model, no tunnels connect one branch to another branch. Traffic between branches passes through the hub router.
• Spoke-to-spoke: This deployment model enables branches to dynamically create tunnels to other branches within the same DMVPN cloud for intercommunication. This deployment model is a fully meshed topology and requires the configuration of mGRE interfaces on both the hub and all branches.
In a spoke-to-spoke deployment model, all branch-to-branch unicast communication transits through the hub until the dynamic spoke-to-spoke tunnel is created. The dynamic spoke-to-spoke tunnels must be within a single DMVPN cloud or subnet. It is not possible to dynamically create a spoke-to-spoke tunnel between two DMVPN clouds.
The spoke-to-spoke deployment model is similar to the hub-and-spoke deployment model, with the exception that all GRE interfaces in the hub and the branch are mGRE interfaces. Branch routers can initiate and accept dynamic tunnels from other branch offices.
The primary DMVPN deployment model is a hub-and-spoke model in which the primary
enterprise resources are located in a large central site. Additionally, a number of smaller sites or
branch offices are connected directly to the central site over a VPN. However, in some
scenarios, you can use a spoke-to-spoke deployment model to create temporary connections
between branch sites directly by using IPsec encryption.
Because VPNs are used for secure enterprise communications across a shared public
infrastructure such as the Internet, you must consider two distinct IP address domains:
• The enterprise addressing space, sometimes referred to as the private or inside addresses
• The infrastructure addressing space, also referred to as the service provider, public, or outside addresses

In most DMVPN designs, the outside interface of the router is addressed in the infrastructure
(or public) address space that the service provider assigns. The tunnel interface belongs to the
enterprise private network address space. A branch router public IP address is either a statically
defined or a dynamically assigned IP address.
For a hub-and-spoke deployment model, both the point-to-point GRE and crypto tunnels are
sourced from the public IP address. For a spoke-to-spoke deployment model, the mGRE and
crypto tunnels are also sourced from the public IP address. This public IP address is registered
with the hub router by using NHRP.

Summary
This topic summarizes the key points that were discussed in this lesson.

• VPNs allow secure access to private networks by establishing an encrypted tunnel across the public network.
• Site-to-site VPNs connect entire networks to each other; for example, they can connect a branch office network to a company headquarters network.
• Remote-access VPNs connect individual hosts that must access their company network securely over the Internet.
• L2TP does not provide any encryption or confidentiality by itself; it relies on an encryption protocol that it passes within the tunnel to provide privacy.
• IPsec is designed to provide VPNs by operating at the IP layer.
• IPsec provides confidentiality, data integrity, authentication, and antireplay protection.
• SSL VPNs offer easy connectivity from desktops outside company management, little or no desktop software maintenance, and user-customized web portals upon login.
• Transport Layer Security (TLS) and its predecessor, SSL, are cryptographic protocols that provide secure communications on the Internet.
• SSL operates using TCP on port 443.
• IPsec exceeds SSL in many significant ways: the number of applications that are supported, the strength of its encryption, the strength of its authentication, and its overall security. The one area in which SSL excels is its ease of use and ease of deployment.
• GET VPN provides connectionless, tunnel-free encryption that leverages the existing routing infrastructure.
• GRE is a tunneling protocol developed by Cisco that can encapsulate a wide variety of protocol packet types inside IP tunnels.
• GRE by itself does not include any strong security mechanisms to protect its payload.
• You can use GRE with IPsec to pass routing updates between sites on an IPsec VPN.
• To configure a GRE tunnel, you have to create a tunnel interface first.
• The Cisco DMVPN feature relies on the following two technologies: NHRP and mGRE.

Module Summary
This topic summarizes the key points that were discussed in this module.

• A WAN allows the transmission of data across broad geographic distances. Several technologies are involved in the functioning of WANs—hardware devices such as routers, communication servers, and modems—and software functions.
• The Internet service is obtained through an ISP. The physical connection is usually provided by using either DSL, cable, or fiber technology with packet switching. In some cases, the ISP provides a static address for the interface. In other cases, this address is provided by using DHCP.
• NAT and PAT are used for converting private IP addressing to public addressing.
• A point-to-point (or serial) communication link provides a single, established WAN communications path from the customer premises through a carrier network, such as a telephone company, to a remote network. HDLC and PPP are two major data-link protocols commonly used with point-to-point WAN connections.
• Site-to-site VPNs secure traffic between intranet and extranet peers. Remote-access VPNs secure communications from the telecommuter to the central office.



This module covered the characteristics, functions and components of a service provider WAN
network. It then presented service provider access and transport technologies. This module also
covered requirements for Internet connections at customer sites, starting from connection types
and equipment to NAT, PAT, and DHCP configuration on provider edge (PE) and customer
edge (CE) routers. This module presented encapsulation types and how to configure them.
Finally, the module presented VPNs for site-to-site and remote-user access.

Module Self-Check
Use the questions here to review what you learned in this module. The correct answers and
solutions are found in the Module Self-Check Answer Key.
Q1) Which three statements accurately describe WANs? (Choose three.) (Source:
Describing Access Technologies)
A) The companies in which WANs are implemented usually own the WANs.
B) WANs connect devices that are separated by wide geographic areas.
C) WANs use the services of carriers such as telephone companies, cable
companies, satellite systems, and network providers.
D) WANs generally carry limited types of data at high speeds.
E) WANs use serial connections of various types to provide access to bandwidth.
F) WANs connect devices that are in a small geographic area.
Q2) Match each type of WAN device to its function. (Source: Describing Access
Technologies)
_____ 1. In analog lines, they convert the digital signal of the sending device into
analog format for transmission over an analog line and then convert the
signal back to digital form so that the receiving device can receive and
process the network signal.
_____ 2. They concentrate dial-in and dial-out user communications.
_____ 3. They provide internetworking and WAN access interface ports.
_____ 4. WANs use these to provide access.
A) routers
B) communication servers
C) modems (DSU/CSU)
D) other networking devices
Q3) Match each type of communication link to its function in a WAN. (Choose three.)
(Source: Describing Access Technologies)
_____ 1. time-division multiplexing
_____ 2. frequency-division multiplexing
_____ 3. statistical multiplexing
A) It creates and combines multiple channels on a single line. Bandwidth is
allocated for information from each data channel based on the signal frequency
of the traffic.
B) Information from each data channel is allocated bandwidth, based on short,
preassigned time slots, regardless of whether there is data to transmit.
C) Bandwidth dynamically allocates to any data channel that transmits
information.



Q4) What are three types of Carrier Ethernet services? (Choose three.) (Source: Describing
Access Technologies)
A) E-Line
B) ELAN
C) E-WAN
D) E-Circuit
E) E-Tree
Q5) What are two types of DSL? (Choose two.) (Source: Introducing Service Provider
Access, Edge, and Transport Technologies)
A) ADSL
B) IDSL
C) LDSL
D) D-lite
E) GDSL
Q6) SONET/SDH is which kind of technology? (Source: Introducing Service Provider
Access, Edge, and Transport Technologies)
A) packet-based
B) cell-based
C) circuit-based
D) segment-based
Q7) Which three devices are connected at the customer side of the demarcation point?
(Choose three.) (Source: Enabling the WAN Internet Connection)
A) router
B) switch
C) CSU/DSU
D) CPE
E) cable modem
F) DSL modem
Q8) Match each NAT term with its definition. (Source: Enabling the WAN Internet
Connection)
_____ 1. static NAT
_____ 2. dynamic NAT
_____ 3. inside local
_____ 4. inside global
A) address that is subject to translation with NAT
B) address of an inside host as it appears to the outside network
C) maps an unregistered IPv4 address to a registered IPv4 address on a one-to-one
basis
D) maps an unregistered IPv4 address to a registered IPv4 address from a group of
registered IPv4 addresses

Q9) What does the ip nat inside source static command do? (Source: Enabling the WAN
Internet Connection)
A) selects the inside static interface
B) marks the interface as connected to the outside
C) creates a pool of global addresses that can be allocated as needed
D) establishes permanent translation between an inside local address and an inside
global address
Q10) Match each of these commands, which are used to configure NAT overloading, with its
function. (Source: Enabling the WAN Internet Connection)
_____ 1. ip nat inside
_____ 2. ip nat outside
_____ 3. access-list 1 permit 10.1.1.0 0.0.0.255
_____ 4. ip nat inside source list 1 pool nat-pool overload
_____ 5. ip nat pool nat-pool 192.1.1.17 192.1.1.20 netmask 255.255.255.240
A) marks an interface as connected to the inside
B) marks an interface as connected to the outside
C) defines a pool of inside global addresses that can be allocated as needed
D) establishes dynamic PAT by using the defined ACL
E) defines a standard ACL that will permit the addresses that are to be translated
Q11) Which two port numbers does DHCPv6 use? (Choose two.) (Source: Enabling the
WAN Internet Connection)
A) 67
B) 68
C) 667
D) 668
E) 547
F) 548
Q12) In which traffic direction is MPEG used in cable technology? (Source: WAN
Encapsulation)
A) only upstream
B) only downstream
C) both upstream and downstream
Q13) Which three statements describe the function of PPP? (Choose three.) (Source: WAN
Encapsulation)
A) The authentication phase of a PPP session is required.
B) PPP provides router-to-router and host-to-network connections over
asynchronous circuits.
C) PPP originally emerged as an encapsulation protocol for transporting IP traffic
over point-to-point links.
D) PPP established a standard for the management of TCP sessions.
E) PPP provides router-to-router and host-to-network connections over
synchronous and asynchronous circuits.
F) The LCP in PPP is used for establishment, configuration, and testing the data-
link connection.



Q14) Which type of frame is encapsulated into a SONET frame? (Source: WAN
Encapsulation)
A) Ethernet frame
B) PPP frame
C) Cisco HDLC frame
D) generic HDLC frame
Q15) What are two types of VPNs? (Choose two.) (Source: VPN Overview)
A) remote-access
B) remote-to-site
C) remote-to-remote
D) site-to-site
Q16) Which security mechanism does GRE include to protect its payload? (Source: VPN
Overview)
A) IPsec
B) AH
C) ESP
D) none
Q17) What are two main L2TP components? (Choose two.) (Source: VPN Overview)
A) LAC
B) BNG
C) AAA
D) LNS
Q18) At which OSI layer does IPsec operate? (Source: VPN Overview)
A) physical layer
B) data link layer
C) network layer
D) transport layer
E) session layer
F) presentation layer
G) application layer

Module Self-Check Answer Key
Q1) B, C, E
Q2) 1 = C, 2 = B, 3 = A, 4 = D
Q3) 1 = B, 2 = A, 3 = C
Q4) A, B, E
Q5) A, B
Q6) C
Q7) A, B, D
Q8) 1 = C, 2 = D, 3 = A, 4 = B
Q9) D
Q10) 1 = A, 2 = B, 3 = E, 4 = D, 5 = C
Q11) E, F
Q12) B
Q13) C, E, F
Q14) D
Q15) A, D
Q16) D
Q17) A, D
Q18) C

Module 5

Network Management and Security
Overview
Network management refers to the activities, methods, procedures, and tools that pertain to the
operation, administration, maintenance, and provisioning of networked systems. This module
describes various network management tools and protocols.
The module describes how to collect device data in a service provider network using Cisco
Discovery Protocol. The module also describes the basic configuration of Simple Network
Management Protocol (SNMP) and syslog on Cisco devices. This module also describes
NetFlow network protocol, which was developed by Cisco for collecting IP traffic information.
This module also discusses how to use the Switched Port Analyzer (SPAN) to analyze network
traffic on a switch and the basic configuration of an IP Service Level Agreement (SLA) on
Cisco devices. Network Time Protocol (NTP) provides time synchronization between network
devices, while Call Home provides an email-based notification for critical system policies.
This module also introduces the authentication, authorization, and accounting (AAA) model,
which is widely supported on Cisco devices as an additional security service available for
securing access to network devices and networks.

Module Objectives
Upon completing this module, you will be able to describe network management concepts and
discuss considerations when implementing network management tools and features on the
network. This ability includes being able to meet these objectives:
• Describe basic device data collection tools
• Describe configuration of the network management tools
• Discuss advanced management tools for managing Cisco devices
Lesson 1

Collecting Network Device Data
Overview
A Cisco device frequently has other Cisco devices as neighbors on the network, and being able
to obtain information about those other devices is important to assist with network design
decisions, troubleshooting, and completing equipment changes. This lesson describes how to
collect device data in a service provider network using Cisco Discovery Protocol. The lesson
will also describe the basic configuration of Simple Network Management Protocol (SNMP) on
Cisco devices. SNMP is an application layer protocol that provides a message format for
communication between SNMP managers and agents. Syslog is another protocol that will be
described in this lesson, which allows a machine to send event notification messages across IP
networks to event message collectors. The lesson also describes NetFlow network protocol,
which was developed by Cisco for collecting IP traffic information.

Objectives
Upon completing this lesson, you will be able to describe basic device data collection network
management tools. This ability includes being able to meet these objectives:
• Describe the purpose and function of Cisco Discovery Protocol
• Describe the information that is collected by Cisco Discovery Protocol
• Describe the default Cisco Discovery Protocol configuration on Cisco IOS and Cisco IOS XR devices
• Configure and verify Cisco Discovery Protocol on Cisco IOS and Cisco IOS XR devices
• Describe basic SNMP operations
• Describe how to obtain data from an SNMP agent
• Configure SNMP on Cisco devices
• Describe basic syslog operations
• Configure and verify syslog on Cisco devices
• Describe basic NetFlow operations
• Describe how packets are grouped into a NetFlow flow
• Describe the different NetFlow versions
Cisco Discovery Protocol
This topic describes the purpose and function of Cisco Discovery Protocol.

• Network management and security are part of the IP NGN infrastructure layer.

Figure: IP NGN architecture with Mobile, Residential, and Business Access; Application Layer; Services Layer (Mobile Services, Video Services, Cloud Services); IP Infrastructure Layer (Access, Aggregation, IP Edge, Core); and Policy and Service Control Plane (per subscriber).

• Cisco Discovery Protocol is a proprietary utility that provides a summary of directly connected switches, routers, and other Cisco devices.
• Cisco Discovery Protocol discovers neighboring devices, regardless of which protocol suite they are running.
• Physical media must support the SNAP encapsulation.

Cisco Discovery Protocol is a proprietary tool that enables you to access protocol and address
information about other Cisco devices that are directly connected to the Cisco device initiating
the Cisco Discovery Protocol commands.
Cisco Discovery Protocol runs over the data link layer connecting the physical media to the
upper-layer protocols (ULPs). Because Cisco Discovery Protocol operates at the data link layer,
two or more Cisco network devices, such as routers that support different network layer
protocols (for example, IP and Novell IPX) can learn about each other.
Physical media connecting Cisco Discovery Protocol devices must support Subnetwork Access
Protocol (SNAP) encapsulation. This media can include all LANs, Frame Relay, other WANs,
and ATM networks.
When a Cisco device boots, Cisco Discovery Protocol starts, by default, and automatically
discovers neighboring Cisco devices running Cisco Discovery Protocol, regardless of which
protocol suite is running.
Each device that is configured for Cisco Discovery Protocol sends periodic messages, known as
advertisements, to a multicast address. Each device advertises at least one address at which it
can receive SNMP messages. The advertisements also contain Time to Live, or holdtime
information, which indicates the length of time that a receiving device holds Cisco Discovery
Protocol information before discarding it. Each device also listens to the periodic Cisco
Discovery Protocol messages sent by others to learn about neighboring devices and determine
when their interfaces to the media go up or down.
Cisco Discovery Protocol Version 2 is the most recent release of the protocol and provides more intelligent device tracking features. These features include a reporting mechanism that allows for more rapid error tracking, which reduces costly downtime. Reported error messages can be sent to the console or to a logging server, and they can cover mismatched native VLAN IDs (IEEE 802.1Q) on connecting ports and mismatched port duplex states between connected devices.



Collecting Information with Cisco Discovery
Protocol
This topic describes the information that is collected by Cisco Discovery Protocol.

• Cisco Discovery Protocol runs on all Cisco devices.
• Summary information includes:
- Device identifiers (hostnames)
- Address list (IP addresses)
- Port identifier (name of the local port and remote port)
- Capabilities list
- Platform

CDP = Cisco Discovery Protocol

The figure shows an example of how Cisco Discovery Protocol exchanges information with its
directly connected neighbors. You can display the results of this information exchange on a
console that is connected to a network device configured to run Cisco Discovery Protocol on its
interfaces.
Cisco Discovery Protocol provides the following information about each neighbor device:
• Device identifiers: For example, the configured hostname of the switch
• Address list: Up to one network layer address for each protocol supported
• Port identifier: The name of the local port and remote port—in the form of an ASCII character string such as Fast Ethernet 0/0
• Capabilities list: Supported features, such as the device acting as a source-route bridge and also as a router
• Platform: The hardware platform of the device, such as Cisco 7200 Series Router

Notice that the upper router in the figure is not connected directly to the console of the
administrator. To obtain Cisco Discovery Protocol information about this upper router from the
console of the administrator, network staff could use Telnet to connect to a switch connected
directly to this target device.
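To make concrete what a neighbor actually puts on the wire, the following Python script is an added example written for this text; it is not part of the course material or of any Cisco software. It assembles a constructed CDPv2 advertisement carrying the TLVs listed above (device identifier, address list, port identifier, capabilities, platform) plus the native VLAN and duplex TLVs that the Version 2 mismatch reports in the previous topic depend on, parses it back the way a neighbor table would be built, and runs the native VLAN and duplex mismatch checks described there against local port settings. The TLV type codes, the NLPID address encoding, and the version/holdtime/checksum header follow the CDP wire format; the device name SW1 and port FastEthernet0/2 come from the configuration scenario later in this lesson, while the management address 10.0.0.2 and the platform string are made up for the example.

```python
import struct
import ipaddress

# CDP TLV type codes (wire values); the first five are the fields the text lists
TLV_DEVICE_ID, TLV_ADDRESSES, TLV_PORT_ID = 0x0001, 0x0002, 0x0003
TLV_CAPABILITIES, TLV_PLATFORM = 0x0004, 0x0006
TLV_NATIVE_VLAN, TLV_DUPLEX = 0x000A, 0x000B      # used by the CDPv2 mismatch reports
STRING_TLVS = {TLV_DEVICE_ID: "device_id", TLV_PORT_ID: "port_id", TLV_PLATFORM: "platform"}
CAPABILITY_BITS = {0x01: "Router", 0x02: "Trans-Bridge", 0x04: "Source-Route-Bridge",
                   0x08: "Switch", 0x10: "Host", 0x20: "IGMP", 0x40: "Repeater"}

def internet_checksum(data):
    """One's-complement sum. Cisco sums odd-length CDP frames differently, so this
    example keeps its sample even-length and verifies only even-length frames."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tlv(tlv_type, value):
    """TLV = 2-byte type, 2-byte length (counting this 4-byte header), value."""
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value

def address_tlv(ipv4_addresses):
    body = struct.pack("!I", len(ipv4_addresses))
    for addr in ipv4_addresses:
        # protocol type 1 (NLPID), protocol length 1, NLPID 0xCC = IPv4, address length 4
        body += struct.pack("!BBBH", 1, 1, 0xCC, 4) + ipaddress.IPv4Address(addr).packed
    return tlv(TLV_ADDRESSES, body)

def build_cdp_advertisement(device_id, addresses, port_id, capabilities, platform,
                            native_vlan, full_duplex, version=2, holdtime=180):
    """CDP payload (what follows the SNAP header): version, holdtime, checksum, TLVs."""
    body = (tlv(TLV_DEVICE_ID, device_id.encode()) + address_tlv(addresses)
            + tlv(TLV_PORT_ID, port_id.encode())
            + tlv(TLV_CAPABILITIES, struct.pack("!I", capabilities))
            + tlv(TLV_PLATFORM, platform.encode())
            + tlv(TLV_NATIVE_VLAN, struct.pack("!H", native_vlan))
            + tlv(TLV_DUPLEX, struct.pack("!B", 1 if full_duplex else 0)))
    unsummed = struct.pack("!BBH", version, holdtime, 0) + body
    return unsummed[:2] + struct.pack("!H", internet_checksum(unsummed)) + unsummed[4:]

def parse_addresses(value):
    """Address TLV body: 4-byte count, then per address: protocol type, protocol
    length, protocol bytes, 2-byte address length, address bytes."""
    count = struct.unpack("!I", value[:4])[0]
    off, addrs = 4, []
    for _ in range(count):
        ptype, plen = value[off], value[off + 1]
        proto = value[off + 2:off + 2 + plen]
        alen = struct.unpack("!H", value[off + 2 + plen:off + 4 + plen])[0]
        addr = value[off + 4 + plen:off + 4 + plen + alen]
        if ptype == 1 and proto == b"\xcc" and alen == 4:
            addrs.append(str(ipaddress.IPv4Address(addr)))
        off += 4 + plen + alen
    return addrs

def parse_cdp_advertisement(data):
    """Decode the CDP header and the TLVs that a neighbor table is built from."""
    version, holdtime, _ = struct.unpack("!BBH", data[:4])
    if len(data) % 2 == 0 and internet_checksum(data) != 0:
        raise ValueError("CDP checksum mismatch")
    info, offset = {"version": version, "holdtime": holdtime}, 4
    while offset + 4 <= len(data):
        tlv_type, length = struct.unpack("!HH", data[offset:offset + 4])
        if length < 4 or offset + length > len(data):
            raise ValueError("malformed TLV at offset %d" % offset)
        value = data[offset + 4:offset + length]
        if tlv_type in STRING_TLVS:
            info[STRING_TLVS[tlv_type]] = value.decode("ascii", errors="replace")
        elif tlv_type == TLV_ADDRESSES:
            info["addresses"] = parse_addresses(value)
        elif tlv_type == TLV_CAPABILITIES:
            bits = struct.unpack("!I", value)[0]
            info["capabilities"] = [n for b, n in CAPABILITY_BITS.items() if bits & b]
        elif tlv_type == TLV_NATIVE_VLAN:
            info["native_vlan"] = struct.unpack("!H", value)[0]
        elif tlv_type == TLV_DUPLEX:
            info["full_duplex"] = value[0] == 1
        offset += length
    return info

def check_neighbor_mismatches(neighbor, local_native_vlan, local_full_duplex):
    """The CDPv2 consistency checks the text describes, run against the local port."""
    who = "%s %s" % (neighbor.get("device_id"), neighbor.get("port_id"))
    problems = []
    if "native_vlan" in neighbor and neighbor["native_vlan"] != local_native_vlan:
        problems.append("native VLAN mismatch with %s: local %d, neighbor %d"
                        % (who, local_native_vlan, neighbor["native_vlan"]))
    if "full_duplex" in neighbor and neighbor["full_duplex"] != local_full_duplex:
        problems.append("duplex mismatch with %s" % who)
    return problems

def build_sample():
    """Constructed advertisement as SW1 might send it out Fa 0/2 toward PE1; the
    address 10.0.0.2 and the platform string are made up for this example."""
    return build_cdp_advertisement("SW1", ["10.0.0.2"], "FastEthernet0/2",
                                   0x08 | 0x20, "constructed ME switch platform", 1, True)

if __name__ == "__main__":
    neighbor = parse_cdp_advertisement(build_sample())
    print(neighbor)
    print(check_neighbor_mismatches(neighbor, local_native_vlan=10, local_full_duplex=False))
```

Everything the parser returns is exactly what any station on the same segment can read from the multicast advertisement, which is the practical reason the default-enabled state of the protocol matters when deciding on which interfaces to leave it running.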

Default Cisco Discovery Protocol Configuration
This topic describes the default Cisco Discovery Protocol configuration on Cisco IOS Software
and Cisco IOS XR Software.

• Default CDP configuration for Cisco IOS Software:
- CDP global state: enabled
- CDP interface state: enabled
- On Cisco ME Switches running Cisco IOS Software, enabled only on NNI ports, disabled on ENI ports, and CDP is not supported on UNI ports
• Default CDP configuration for Cisco IOS XR Software:
- CDP global state: disabled
- CDP interface state: disabled
• Default CDP configuration for Cisco IOS Software and Cisco IOS XR Software:
- CDP timer: 60 seconds
- CDP holdtime: 180 seconds
- CDP Version 2 advertisements: enabled

CDP = Cisco Discovery Protocol

Cisco Discovery Protocol can be enabled globally on the device and on a per-interface basis.
Cisco Discovery Protocol global state and Cisco Discovery Protocol interface state are, by
default, enabled on Cisco IOS Software, while disabled on Cisco IOS XR Software.

Note On Cisco ME switches, Cisco Discovery Protocol is enabled by default only on NNI ports. It is disabled on ENI ports, where it must be enabled manually, and it is not supported on UNI ports.

To enable Cisco Discovery Protocol on Cisco IOS XR Software, you must first enable Cisco
Discovery Protocol globally on the router and then enable Cisco Discovery Protocol on a per-
interface basis.
Cisco Discovery Protocol advertisements are sent, by default, every 60 seconds, and the
holdtime is set to 180 seconds. Cisco Discovery Protocol characteristics can be manually
configured.



Configuring Cisco Discovery Protocol
This topic describes how to configure Cisco Discovery Protocol.

Configuration Scenario
• Enable CDP globally on SW1 and PE1, if it is not enabled yet
• Make sure that on SW1:
- CDP is enabled on interface Fast Ethernet 0/2
- CDP is disabled on interface Fast Ethernet 0/3
• Make sure that on PE1:
- CDP is enabled on interface Gigabit Ethernet 0/0/0/0
- CDP is disabled on interface Gigabit Ethernet 0/0/0/1

Figure: SW1 (Fa 0/2, Fa 0/3) and PE1 (Gi 0/0/0/0, Gi 0/0/0/1) run CDP toward each other; R1 and SW2 are also shown as CDP neighbors (interfaces Fa 0/0, Fa 0/1, Fa 0/6, Fa 0/5).

CDP = Cisco Discovery Protocol

The figure shows an example of a configuration scenario. On SW1 and PE1, Cisco Discovery
Protocol will be configured globally.
On SW1, only interface Fast Ethernet 0/2 will have Cisco Discovery Protocol enabled while
Cisco Discovery Protocol on interface Fast Ethernet 0/3 will be disabled. On PE1, only
interface Gigabit Ethernet 0/0/0/0 will have Cisco Discovery Protocol enabled while Cisco
Discovery Protocol on interface Gigabit Ethernet 0/0/0/1 will be disabled.
Devices SW1 and PE1 should be able to see each other as neighbors in verification steps.
Configurations on SW1 running Cisco IOS Software and on PE1 running Cisco IOS XR
Software will be shown.

Configuration

Figure: same topology as the configuration scenario (SW1 and PE1, with R1 and SW2 as CDP neighbors).

SW1 (IOS):
cdp run
! Enables CDP globally.
interface FastEthernet0/2
 cdp enable
! Enables CDP on the interface.
interface FastEthernet0/3
 no cdp enable
! Disables CDP on the interface.

PE1 (IOS XR):
cdp
! Enables CDP globally.
interface GigabitEthernet0/0/0/0
 cdp
! Enables CDP on the interface.
interface GigabitEthernet0/0/0/1
 no cdp
! Disables CDP on the interface.

CDP = Cisco Discovery Protocol

The figure shows a configuration for Cisco Discovery Protocol on Cisco IOS Software and
Cisco IOS XR Software. Use the cdp run (Cisco IOS Software) or cdp (Cisco IOS XR
Software) global configuration commands to enable Cisco Discovery Protocol globally. Use the
no form of these two commands to disable Cisco Discovery Protocol globally.

Note On Cisco IOS Software, you will not see the cdp run command in configuration because
Cisco Discovery Protocol is enabled by default.

Use the cdp enable (Cisco IOS Software) or cdp (Cisco IOS XR Software) interface
configuration mode commands to enable Cisco Discovery Protocol on a specific interface. Use
the no form of these two commands to disable Cisco Discovery Protocol on a specific interface.

Note For a complete command reference, refer to Cisco IOS Command Reference guides on
http://www.cisco.com.
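Because Cisco IOS Software enables Cisco Discovery Protocol by default and hides the cdp run line, a configuration review cannot simply search for "cdp" to find where the protocol is active. The following Python audit helper is an added example (not Cisco code and not part of this course); it applies the default rules described above to a running-config and lists the interfaces that still advertise CDP but are not in a trusted set. The sample configuration is constructed for the example, and only the Cisco IOS Software syntax (cdp run, cdp enable, no cdp enable) is handled, not the IOS XR form.

```python
import re

# Constructed sample IOS running-config for SW1; it is not output from the course lab.
# "cdp run" is absent because CDP is enabled by default on Cisco IOS Software.
SAMPLE_IOS_CONFIG = """\
hostname SW1
!
interface FastEthernet0/2
 description uplink to PE1
!
interface FastEthernet0/3
 description customer-facing port
 no cdp enable
!
interface FastEthernet0/4
 shutdown
!
"""


def cdp_status(config_text):
    """Return (global_enabled, {interface: enabled}) for an IOS config.

    Defaults follow the course text: CDP is on globally unless "no cdp run"
    is present, and on every interface unless "no cdp enable" is present
    under it.  "no cdp run" turns CDP off on every interface as well.
    """
    global_enabled = re.search(r"^no cdp run\s*$", config_text, re.M) is None
    interfaces = {}
    current = None
    for line in config_text.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = True        # per-interface default: enabled
        elif current is not None and line.startswith(" "):
            if line.strip() == "no cdp enable":
                interfaces[current] = False
            elif line.strip() == "cdp enable":
                interfaces[current] = True
        else:
            current = None                    # "!" or another top-level command
    if not global_enabled:
        interfaces = {name: False for name in interfaces}
    return global_enabled, interfaces


def cdp_exposed_interfaces(config_text, trusted):
    """Interfaces that still send CDP advertisements but are not in the trusted set."""
    _, per_interface = cdp_status(config_text)
    return sorted(name for name, on in per_interface.items()
                  if on and name not in trusted)


if __name__ == "__main__":
    print(cdp_status(SAMPLE_IOS_CONFIG))
    print(cdp_exposed_interfaces(SAMPLE_IOS_CONFIG, {"FastEthernet0/2"}))
```

Run against the constructed configuration, the helper reports FastEthernet0/4 as exposed: it carries no cdp line at all, so it inherits the default. That is the case a text search for "cdp" would miss.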



Verification
• Displays CDP information, including:
- Timer
- Holdtime
- CDP version 2 advertisements information

RP/0/RSP0/CPU0:PE1# show cdp
Tue Aug 9 12:52:54.828 UTC
Global CDP information:
Sending CDP packets every 60 seconds
Sending a holdtime value of 180 seconds
Sending CDPv2 advertisements is enabled

To display global Cisco Discovery Protocol information, including timer and holdtime
information, use the show cdp command in privileged EXEC mode.

Verification
• Displays information about traffic between devices gathered using CDP:
- the number of CDP advertisements sent by the local device
- the number of CDP advertisements received by the local device

RP/0/RSP0/CPU0:PE1# show cdp traffic
Tue Aug 9 08:33:49.588 UTC

CDP counters :
Packets output: 346923, Input: 341530
Hdr syntax: 0, Chksum error: 4, Encaps failed: 0
No memory: 0, Invalid packet: 0, Truncated: 0
CDP version 1 advertisements output: 0, Input: 0
CDP version 2 advertisements output: 346923, Input: 341530
Unrecognize Hdr version: 0, File open failed: 0

To display information about traffic between devices that is gathered using Cisco Discovery
Protocol, use the show cdp traffic command in privileged EXEC mode.
The Packets output value shows the number of Cisco Discovery Protocol advertisements sent
by the local device. Note that this value is the sum of the Cisco Discovery Protocol Version 1
advertisements output and Cisco Discovery Protocol Version 2 advertisements output fields.
The Input value indicates the number of Cisco Discovery Protocol advertisements received by
the local device. Note that this value is the sum of the Cisco Discovery Protocol Version 1
advertisements input and Cisco Discovery Protocol Version 2 advertisements input fields.

Verification
• Displays information about neighboring devices discovered using CDP:
- Device ID, local and neighboring device interface, platform of neighboring
device, capability of neighboring device

RP/0/RSP0/CPU0:PE1# show cdp neighbors
Tue Aug 9 08:29:50.994 UTC
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater

Device ID Local Intrfce Holdtme Capability Platform Port ID
SW1 Gi0/0/0/0 123 S I ME-3400E- Fa0/2

SW1# show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID Local Intrfce Holdtme Capability Platform Port ID
PE1 Fas 0/2 176 R ASR9K Ser Gig 0/0/0/0

To display detailed information about neighboring devices discovered using Cisco Discovery
Protocol, use the show cdp neighbors command in privileged EXEC mode.
The information that is displayed includes the following:
 Device ID: The name of the neighbor device and either the MAC address or the serial
number of this device
 Local Interface: The local interface through which this neighbor is connected
 Holdtime: The remaining amount of time (in seconds) that the current device will hold the
Cisco Discovery Protocol advertisement from a sending router before discarding it
 Capability: The type of the device that is listed in the Cisco Discovery Protocol Neighbors
table
 Platform: The product number of the device
 Port ID: The interface and port number of the neighboring device



Verification
• Displays additional information about neighboring devices discovered
using CDP:
- IP address
- Duplex mode

SW1# show cdp neighbors detail
-------------------------
Device ID: PE1
Entry address(es):
IP address: 192.168.101.10
Platform: cisco ASR9K Series, Capabilities: Router
Interface: FastEthernet0/2, Port ID (outgoing port): GigabitEthernet0/0/0/0
Holdtime : 149 sec

Version :
Cisco IOS XR Software, Version 4.1.0[Default]
Copyright (c) 2011 by Cisco Systems, Inc.

advertisement version: 2
Duplex: full
Management address(es):

To display additional details about neighbors, including network addresses, enabled protocols,
and software version, use the show cdp neighbors detail command in privileged EXEC mode.
The information that is displayed includes the following:
 IP address: The network address of the neighbor device
 Duplex mode: The duplex state of connection between the current device and the neighbor
device

Simple Network Management Protocol
This topic describes basic SNMP operations.

• NMS polls SNMP agent on network device to obtain statistics
• Agent on network device can send unsolicited traps to the manager:
- Traps are messages alerting the SNMP manager to a condition on the
network, such as the following:
• improper user authentication
• link status (up or down)
• Analyzing and representing the results:
- Graphing
- Reporting
• Thresholds can be set to trigger a notification process when exceeded

[Figure: an SNMP manager (NMS) exchanging SNMP with the SNMP agents on network devices]

SNMP is an application-layer protocol that provides a message format for communication
between managers and agents. The SNMP system consists of an SNMP manager, an SNMP
agent, and an MIB. The SNMP manager can be part of a network management system (NMS),
such as CiscoWorks. The agent and MIB reside on the network device. To configure SNMP on
the device, you define the relationship between the manager and the agent.
Routers and other network devices keep statistics about the information of their processes and
interfaces locally. The SNMP protocol runs a special process that is called an agent on a device.
This agent can be queried, by use of the SNMP protocol, to obtain the values of statistics or
parameters. By periodically querying or “polling” the SNMP agent on a device, statistics can be
gathered and collected over time by an NMS. This data can then be processed and analyzed in
various ways. Averages, minimums, or maximums can be calculated, the data can be graphed
or thresholds can be set to trigger a notification process when they are exceeded. NMS polls
devices periodically to obtain the values of the MIB objects that it is set up to collect.
The SNMP agent contains MIB variables and the SNMP manager can request or change the
values. A manager can get a value from an agent or store a value in the agent. The agent gathers
data from the MIB, the repository for information about device parameters and network data.
The agent can also respond to manager requests to get or set data.
An agent can send unsolicited traps to the manager. Traps are messages alerting the SNMP
manager to a condition on the network. Traps can mean improper user authentication, restarts,
link status (up or down), MAC address tracking, closing of a TCP connection, loss of
connection to a neighbor, or other significant events.
The SNMP is implemented in versions 1, 2c, and 3. SNMP version 3 supports encryption.



Obtaining Data from SNMP Agent
This topic describes how to obtain data from an SNMP agent.

• SNMP graphing tool periodically polls SNMP agent (router) and graphs
obtained values.
• MIB is a collection of information organized hierarchically.
• OIDs uniquely identify managed objects in MIB.
- 5-minute exponentially moving average of the CPU busy percentage:
1.3.6.1.4.1.9.2.1.58.0

[Figure: Cacti graph of the router's 5-minute CPU utilization, polled over SNMP]

[13:22][cisco@NMS~ ]$ snmpget -v2c -c community 10.250.250.14 .1.3.6.1.4.1.9.2.1.58.0
SNMPv2-SMI::enterprises.9.2.1.58.0 = INTEGER: 11

Annotations in the figure: -v2c is the SNMP version, -c community is the community string,
10.250.250.14 is the IP address of the queried device, .1.3.6.1.4.1.9.2.1.58.0 is the OID
number, and INTEGER: 11 is the obtained CPU value.

Because the CPU is one of the key resources, it should be measured continuously. You should
gather CPU statistics at NMS and graph the statistics. You should observe CPU utilization for a
long time and define which values are still acceptable. You can set thresholds to these values,
so that when CPU utilization exceeds this threshold, notifications are sent.
The figure shows a 5-minute CPU utilization graph of a router that was taken using the open
source tool called Cacti. The SNMP graphing tool periodically polls the SNMP agent, in this
case, a router, and graphs obtained values.
MIB is a collection of information that is organized hierarchically. The information is then
accessed using a protocol such as SNMP. Object IDs (OIDs) uniquely identify managed objects
in an MIB hierarchy. OIDs can be depicted as a tree, the levels of which are assigned by
different organizations. Top-level MIB OIDs belong to different standard organizations.
Vendors define private branches, including managed objects for their own products.
OIDs belonging to Cisco, as shown in the figure, are numbered as follows:
.iso (1).org (3).dod (6).internet (1).private (4).enterprises (1).cisco (9).
The example in the figure shows the output of an SNMP application called snmpget, issued on
the network management station. Using the snmpget application, you can manually obtain
values for the 5-minute exponentially moving average of the CPU busy percentage, as the
output in the figure shows. You must specify the SNMP version, the correct community, the IP
address of the network device that you want to query, and the OID number.
SNMP community strings authenticate access to MIB objects and function as embedded
passwords. In order for the NMS to access the switch, the community string definitions on the
NMS must match at least one of the three community string definitions on the network device.

A community string can have one of these attributes:
 Read-only (RO): Gives read access to authorized management stations to all objects in the
MIB except the community strings, but does not allow write access.
 Read-write (RW): Gives read and write access to authorized management stations to all
objects in the MIB, but does not allow access to the community strings.



Configuring SNMP on Cisco Devices
This topic describes how to configure SNMP on Cisco devices.

Configuration Scenario
• On PE1, configure community access string, cisco, to permit access to
the SNMP, for NMS to be able to:
- Retrieve MIB objects from PE1 to generate graphs
- Modify MIB objects
• PE1 should send traps regarding BGP protocol to NMS at 10.1.1.254.
• SNMP version 2c should be used.

[Figure: NMS at 10.1.1.254 needs read-write SNMP access permission to PE1; PE1 sends SNMP
traps regarding BGP protocol to the NMS at 10.1.1.254.]

The figure shows an example configuration scenario. SNMP will be configured on PE1.
Community access string cisco should be configured to permit read-write SNMP access to PE1.
This means that the NMS will be able to retrieve and modify MIB objects on PE1. The NMS
would retrieve MIB objects, for example, to generate graphs of CPU usage.
PE1 should send traps regarding BGP protocol to the NMS, which is reachable at IP address
10.1.1.254. The version of SNMP used to send the traps should be version 2c.

Configuration

[Figure: NMS at 10.1.1.254 needs read-write SNMP access permission to PE1; PE1 sends SNMP
traps regarding BGP protocol to the NMS at 10.1.1.254.]

PE1 (IOS XR):

! Configures the community access string "cisco" to permit read-write access to the SNMP.
snmp-server community cisco RW
! Enables SNMP trap notifications regarding BGP protocol.
snmp-server traps bgp
! Specifies the recipient of an SNMP notification operation, version, and community to be used.
snmp-server host 10.1.1.254 version 2c cisco

The figure shows a configuration for SNMP on Cisco IOS XR Software. Configuration on
Cisco IOS Software is the same.
To configure the community access string to permit access to the SNMP, use the snmp-server
community command in global configuration mode. You can also, optionally, specify
read-only or read-write access:
snmp-server community [clear | encrypted] community-string [view view-name] [RO | RW]
To enable Border Gateway Protocol (BGP) state-change SNMP notifications, use the
snmp-server traps bgp command in global configuration mode.
To specify the recipient of an SNMP notification operation, use the snmp-server host
command in global configuration mode. You can also, optionally, specify the version of
SNMP used to send the traps and the password-like community string that is sent with the
notification operation. It is recommended that you define this string using the snmp-server
community command before using the snmp-server host command:
snmp-server host address [clear | encrypted] [traps] [version {1 | 2c | 3 {auth | noauth | priv}}] community-string

Note For a complete command reference, refer to Cisco IOS Command Reference guides on
http://www.cisco.com.
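The snmpget example earlier in this lesson and the snmp-server community configuration above both rely on the community string as the only credential. To make concrete what that means on the wire, the following Python block is an added example (not Cisco's code and not from this course): it BER-encodes a complete SNMPv2c GetRequest for the CPU OID shown in the snmpget figure, reads the community string straight back out of the packet bytes without any key, and maps the OID prefix onto the named tree given in the text (.iso.org.dod.internet.private.enterprises.cisco). The layout is the standard SNMPv2c message format (RFC 3416 with BER); the community value "community" and request ID are taken from or chosen for the example. This is why the text singles out SNMP version 3, which supports authentication and encryption, over version 2c.

```python
# BER/SNMP helpers.  OIDs and the community-string semantics follow the lesson text;
# the packet layout is the standard SNMPv2c GetRequest (RFC 3416, BER-encoded).

def _ber_len(n):
    """BER length octets: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body


def ber_integer(value):
    """INTEGER in minimal two's complement (non-negative values only here)."""
    if value < 0:
        raise ValueError("non-negative integers only")
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")  # keeps the sign bit clear
    return _tlv(0x02, body)


def ber_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def snmpv2c_get(community, oid, request_id=1):
    """Encode a complete SNMPv2c GetRequest for one OID (version field is 1 for v2c)."""
    varbind = _tlv(0x30, ber_oid(oid) + b"\x05\x00")               # { OID, NULL }
    pdu = _tlv(0xA0, ber_integer(request_id) + ber_integer(0)       # GetRequest-PDU
               + ber_integer(0) + _tlv(0x30, varbind))
    return _tlv(0x30, ber_integer(1) + _tlv(0x04, community.encode()) + pdu)


def community_from_packet(packet):
    """Read the community string back from a v1/v2c packet; no key is involved.

    Assumes short-form lengths (community shorter than 128 bytes), which is the
    common case; longer strings would need the long-form branch of _ber_len.
    """
    pos = 2 if packet[1] < 0x80 else 2 + (packet[1] & 0x7F)
    if packet[pos] != 0x02:
        raise ValueError("expected version INTEGER")
    pos += 2 + packet[pos + 1]                                      # skip version
    if packet[pos] != 0x04:
        raise ValueError("expected community OCTET STRING")
    length = packet[pos + 1]
    return packet[pos + 2:pos + 2 + length].decode()


# Named prefix of the Cisco private branch, as listed in the lesson.
CISCO_ARCS = ("1", "3", "6", "1", "4", "1", "9")
CISCO_LABELS = ("iso", "org", "dod", "internet", "private", "enterprises", "cisco")


def describe_oid(dotted):
    """Name the Cisco private-branch prefix of an OID, or None if it lies outside it."""
    arcs = tuple(dotted.strip(".").split("."))
    if arcs[:7] != CISCO_ARCS:
        return None
    return ".".join(CISCO_LABELS + arcs[7:])


if __name__ == "__main__":
    pkt = snmpv2c_get("community", "1.3.6.1.4.1.9.2.1.58.0")
    print(pkt.hex())
    print(describe_oid("1.3.6.1.4.1.9.2.1.58.0"))
    print("community string readable from the packet:", community_from_packet(pkt))
```

The 45-byte request that snmpv2c_get produces carries the community string as a plain OCTET STRING immediately after the version field, which is exactly what community_from_packet recovers; any device on the path between the NMS and the agent sees the same bytes.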



Syslog
This topic describes basic syslog operations.

• Syslog is a protocol that allows a network device to send event
notification messages across IP networks to event message collectors.
• A device can be configured so that it generates a syslog message and
forwards it to various destinations:
- logging buffer
- console line
- terminal lines
- syslog server

LC/0/0/CPU0:Aug 12 08:42:56.306 : ifmgr[189]: %PKT_INFRA-LINK-3-UPDOWN : Interface
GigabitEthernet0/0/0/8, changed state to Down

node-id: timestamp: process-name [pid]: % message-group-severity-message_code : message-text

Syslog is a protocol that allows a machine to send event notification messages across IP
networks to event message collectors. By default, a network device sends the output from
system messages and debug privileged EXEC commands to a logging process. The logging
process controls the distribution of logging messages to various destinations, such as the
logging buffer, terminal lines, or a syslog server, depending on your configuration. The process
also sends messages to the console. Logging services provide a means to gather logging
information for monitoring and troubleshooting, to select the type of logging information that is
captured, and to specify the destinations of captured system logging (syslog) messages.
When the logging process is disabled, messages are sent only to the console. The messages are
sent as they are generated, so message and debug output are interspersed with prompts or
output from other commands. Messages appear on the console after the process that generated
them has finished.
You can set the severity level of the messages to control the type of messages that are displayed
on the consoles and each of the destinations. You can time-stamp log messages or set the syslog
source address to enhance real-time debugging and management.
You can access logged system messages by using the device CLI or by saving them to a
properly configured syslog server. The switch or router software saves syslog messages in an
internal buffer.
You can remotely monitor system messages by viewing the logs on a syslog server or by
accessing the device through Telnet, Secure Shell (SSH), or through the console port.

Syslog Message Format
This topic describes the format of syslog messages.

• General format of syslog messages generated by the syslog process on
the Cisco IOS XR Software:
LC/0/0/CPU0:Aug 12 08:42:56.306 : ifmgr[189]: %PKT_INFRA-LINK-3-UPDOWN : Interface
GigabitEthernet0/0/0/8, changed state to Down

node-id: timestamp: process-name [pid]: % message-group-severity-message_code : message-text

• General format of syslog messages generated by the syslog process on
the Cisco IOS Software:
*Apr 22 11:05:55.423: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/22,
changed state to up

seq no:timestamp: %facility-severity-MNEMONIC:description

By default, the general format of syslog messages that are generated by the syslog process on
the Cisco IOS XR Software is as follows:
node-id : timestamp : process-name [pid] : %message-group-severity-message-code : message-text
The items contained in the Cisco IOS XR Software syslog message are as follows:
 node-id: Node from which the syslog message originated
 timestamp: Time stamp in the form month day HH:MM:SS, indicating when the message
was generated
 process-name: Process that generated the syslog message
 pid: Process ID (PID) of the process that generated the syslog message
 %message-group-severity-message-code: Message group name, severity, and message
code that is associated with the syslog message
 message-text: Text string describing the syslog message

By default, the general format of syslog messages that are generated by the syslog process on
the Cisco IOS Software is as follows:
seq no:timestamp: %facility-severity-MNEMONIC:description



The items contained in the Cisco IOS Software syslog message are as follows:
 seq no: Stamps log messages with a sequence number only if the service sequence-
numbers global configuration command is configured
 timestamp: Date and time of the message or event, which appears only if the service
timestamps log [datetime | log] global configuration command is configured
 facility: The facility to which the message refers (for example, SNMP, SYS, and so on)
 severity: Single-digit code from 0 to 7 that is the severity of the message
 MNEMONIC: Text string that uniquely describes the message
 description: Text string containing detailed information about the event being reported

The eight message severity levels from the most severe level to the least severe level are as
follows:
 Emergency (severity 0): System is unusable
 Alert (severity 1): Immediate action needed
 Critical (severity 2): Critical condition
 Error (severity 3): Error condition
 Warning (severity 4): Warning condition
 Notification (severity 5): Normal but significant condition
 Informational (severity 6): Informational message
 Debugging (severity 7): Debugging message

Error messages about software or hardware malfunctions are displayed at levels warnings
through emergencies. These types of messages mean that the functionality of the device is
affected.
Output from the debug commands is displayed at the debugging level. Interface up or down
transitions and system restart messages are displayed at the notifications level, which is only for
information—device functionality is not affected.

Configuring Syslog on Cisco Devices
This topic describes how to configure syslog on Cisco devices.

Configuration Scenario
• Configure logging to the console if it is disabled (messages with all
severities).
• Specify the logging buffer as a destination for syslog messages, but do
not send messages with debugging severity.
• Specify terminal lines other than the console (such as vty lines) as
destinations for syslog messages with all severities.
• Specify a syslog server host at 10.1.1.253 as a destination for syslog
messages, and send only messages with severities emergency and
alert.

[Figure: SW1 running Cisco IOS Software and PE1 running Cisco IOS XR Software]

The figure shows an example configuration scenario. On SW1 and PE1, logging is configured
to various destinations:
 Configure logging of syslog messages with all severities to the console, if it is disabled.
 Specify the logging buffer as a destination for syslog messages and make sure not to send
messages with debugging severity to the buffer.
 Specify terminal lines other than the console (such as vty lines) as destinations for syslog
messages with all severities.
 Specify a syslog server host at 10.1.1.253 as a destination for syslog messages, and send
only messages with severities emergency and alert.

Syslog messages should be seen on the console and in the logging buffer of both devices.
Syslog messages should be also seen on all Telnet sessions to both devices and on the syslog
server that is configured with IP address 10.1.1.253. Configurations on SW1 running Cisco IOS
Software and on PE1 running Cisco IOS XR Software will be shown.



Configuration

SW1 (IOS):

! Limits messages sent to the console terminal based on severity
logging console debugging
! Specifies the logging buffer as a destination for syslog messages
logging buffered informational
! Specifies vty lines as a destination for syslog messages
logging monitor debugging
! Specifies a syslog server host as a destination for syslog messages
logging 10.1.1.253
! Limits the syslog messages sent to syslog servers based on severity
logging trap alerts
!

PE1 (IOS XR):

! Limits messages sent to the console terminal based on severity
logging console debugging
! Specifies the logging buffer as a destination for syslog messages
logging buffered informational
! Specifies vty lines as a destination for syslog messages
logging monitor debugging
! Specifies a syslog server host as a destination for syslog messages
logging 10.1.1.253
! Limits the syslog messages sent to syslog servers based on severity
logging trap alerts
!

The figure shows configurations for logging syslog messages to different locations on Cisco
IOS Software and Cisco IOS XR Software.
Syslog message logging to the console terminal is enabled, by default. To disable logging to the
console terminal, use the logging console disable command in global configuration mode. To
reenable logging to the console terminal, use the logging console command in global
configuration mode.
Syslog messages can be sent to destinations other than the console, such as the logging buffer,
syslog servers, and terminal lines other than the console (such as vty lines).
The logging buffered command copies logging messages to the logging buffer. The buffer is
circular, so newer messages overwrite older messages after the buffer is full. To display the
syslog messages that are logged in the logging buffer, use the show logging command. The
first message that is displayed is the oldest message in the buffer. To clear the current contents
of the logging buffer, use the clear logging command. To disable logging to the logging buffer,
use the no logging buffered command in global configuration mode. You can limit the syslog
messages sent to the logging buffer based on severity, using the logging buffered [severity]
command.
The logging command identifies a syslog server host to receive logging messages. By issuing
this command more than once, you build a list of syslog servers that receive logging messages.
To delete the syslog server with the specified IP address or hostname from the list of available
syslog servers, use the no logging command in global configuration mode. You can limit the
syslog messages sent to the syslog server based on severity using the logging trap command.
logging {hostname | ip-address}
logging trap [severity]

The logging monitor command globally enables the logging of syslog messages to terminal
lines other than the console, such as vty lines. To disable logging to terminal lines other than
the console, use the no logging monitor command in global configuration mode. When the
logging monitor command is enabled, use the terminal monitor command to display syslog
messages during a terminal session. You can limit the syslog messages sent to terminal lines
based on severity, using the logging monitor [severity] command.

Note For a complete command reference, refer to Cisco IOS and Cisco IOS XR Command
Reference guides on http://www.cisco.com.
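The two message formats and the eight severity levels described under Syslog Message Format, together with the per-destination severity limits configured above, determine which message reaches which destination. The following Python block is an added example (not Cisco's code and not part of this course) that parses both the Cisco IOS XR and the Cisco IOS formats and then applies the scenario's limits (console debugging, buffered informational, monitor debugging, trap alerts) to decide where each message would be delivered. The first four sample lines are the messages printed in this lesson; the last two are constructed, with EXAMPLE as a placeholder facility that is not a Cisco facility name.

```python
import re

# Severity names from the lesson, plus the keyword forms used by the logging commands.
SEVERITY_NAMES = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
                  4: "warning", 5: "notification", 6: "informational", 7: "debugging"}
SEVERITY_BY_KEYWORD = {name: level for level, name in SEVERITY_NAMES.items()}
SEVERITY_BY_KEYWORD.update({"emergencies": 0, "alerts": 1, "errors": 3,
                            "warnings": 4, "notifications": 5})

# IOS XR: node-id : timestamp : process-name [pid] : %GROUP-SEVERITY-CODE : text
XR_RE = re.compile(r"^(?P<node>[A-Z]+/\S+?):(?P<ts>[A-Z][a-z]{2} +\d+ [\d:.]+) : "
                   r"(?P<proc>[\w-]+)\[(?P<pid>\d+)\]: (?P<rest>%.*)$")
# IOS: [seq no: ]timestamp: %FACILITY-SEVERITY-MNEMONIC: description
IOS_RE = re.compile(r"^(?:(?P<seq>\d+): )?\*?(?P<ts>[A-Z][a-z]{2} +\d+ [\d:.]+): (?P<rest>%.*)$")
MSG_RE = re.compile(r"^%(?P<fac>[A-Z0-9_]+(?:-[A-Z0-9_]+)*?)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+)"
                    r"\s*:\s*(?P<text>.*)$")

# First four lines: the examples printed in this lesson.  Last two: constructed for
# the example (EXAMPLE is a placeholder facility, not a Cisco one).
SAMPLE_LINES = [
    "LC/0/0/CPU0:Aug 12 12:32:26.949 : ifmgr[189]: %PKT_INFRA-LINK-5-CHANGED : Interface "
    "GigabitEthernet0/0/0/0, changed state to Administratively Down",
    "LC/0/0/CPU0:Aug 12 12:32:34.836 : ifmgr[189]: %PKT_INFRA-LINK-3-UPDOWN : Interface "
    "GigabitEthernet0/0/0/0, changed state to Down",
    "RP/0/RSP0/CPU0:Aug 12 12:32:43.483 : config[65765]: %MGBL-SYS-5-CONFIG_I : Configured from "
    "console by root",
    "*Apr 22 11:05:55.423: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/22, "
    "changed state to up",
    "000015: *Apr 22 11:06:10.001: %EXAMPLE-1-ALERT_SAMPLE: constructed alert message",
    "*Apr 22 11:06:11.002: %EXAMPLE-7-DEBUG_SAMPLE: constructed debugging message",
]

# Destination severity limits from the lesson's configuration scenario.
SCENARIO = {"console": "debugging", "buffered": "informational",
            "monitor": "debugging", "trap": "alerts"}


def parse_syslog(line):
    """Split one IOS or IOS XR syslog line into its fields; None if unrecognised."""
    m = XR_RE.match(line)
    if m:
        msg = {"os": "ios-xr", "node": m["node"], "timestamp": m["ts"],
               "process": m["proc"], "pid": int(m["pid"])}
    else:
        m = IOS_RE.match(line)
        if not m:
            return None
        msg = {"os": "ios", "seq": m["seq"], "timestamp": m["ts"]}
    body = MSG_RE.match(m["rest"])
    if not body:
        return None
    sev = int(body["sev"])
    msg.update(facility=body["fac"], severity=sev, severity_name=SEVERITY_NAMES[sev],
               mnemonic=body["mnem"], text=body["text"])
    return msg


def destinations_for(severity, scenario=SCENARIO):
    """A destination configured at level N receives severities 0..N (0 is most severe)."""
    return sorted(dest for dest, keyword in scenario.items()
                  if severity <= SEVERITY_BY_KEYWORD[keyword])


def route(lines, scenario=SCENARIO):
    """Map each destination to the mnemonics of the messages it would receive."""
    routed = {dest: [] for dest in scenario}
    for line in lines:
        msg = parse_syslog(line)
        if msg is None:
            continue
        for dest in destinations_for(msg["severity"], scenario):
            routed[dest].append(msg["mnemonic"])
    return routed


if __name__ == "__main__":
    for dest, mnemonics in route(SAMPLE_LINES).items():
        print(f"{dest:9s} {len(mnemonics)} messages: {mnemonics}")
```

With the scenario's limits, the syslog server at 10.1.1.253 (trap alerts) receives only the severity-1 message; the interface down event at severity 3 and the configuration change at severity 5 stay on the device in the buffer and on the console. If those events need to reach the collector, the logging trap level has to be raised accordingly.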



Verification
• Displays the state of system logging (syslog) and the contents of the
standard system logging buffer

RP/0/RSP0/CPU0:PE1# show logging
Fri Aug 12 12:32:47.825 UTC
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Console logging: level debugging, 2547 messages logged
Monitor logging: level debugging, 0 messages logged
Trap logging: level alert, 2 messages logged
Logging to 10.1.1.253, 2 message lines logged
Buffer logging: level informational, 8 messages logged

Log Buffer (307200 bytes):

LC/0/0/CPU0:Aug 12 12:32:26.949 : ifmgr[189]: %PKT_INFRA-LINK-5-CHANGED : Interface
GigabitEthernet0/0/0/0, changed state to Administratively Down
LC/0/0/CPU0:Aug 12 12:32:34.836 : ifmgr[189]: %PKT_INFRA-LINK-3-UPDOWN : Interface
GigabitEthernet0/0/0/0, changed state to Down
RP/0/RSP0/CPU0:Aug 12 12:32:43.483 : config[65765]: %MGBL-SYS-5-CONFIG_I : Configured from
console by root

To display the state of system logging (syslog) and the contents of the standard system logging
buffer, use the show logging command in privileged EXEC mode.
This command displays the state of syslog error and event logging, including host addresses,
and to which logging destinations (console, monitor, buffer, or host) logging is enabled. This
command also displays SNMP logging configuration parameters and protocol activity.
This command will also display the contents of the standard system logging buffer, if logging
to the buffer is enabled. Logging to the buffer is enabled or disabled using the [no] logging
buffered command. The number of system error and debugging messages in the system
logging buffer is determined by the configured size of the syslog buffer. This size of the syslog
buffer is also set using the logging buffered command.
To enable and set the format for syslog message time stamping, use the service timestamps log
command.
Significant fields that are shown in the output of the show logging command are as follows:
 Syslog logging: Shows the general state of system logging (enabled or disabled), the status
of logged messages (number of messages that are dropped, rate-limited, or flushed), and
whether XML formatting or Embedded Syslog Manager (ESM) filtering is enabled.
 Console logging: Shows logging to the console port. Shows "disabled" or, if enabled, the
severity level limit, number of messages that are logged, and whether XML formatting or
ESM filtering is enabled. Corresponds to the configuration of the logging console, logging
console xml, or logging console filtered commands.
 Monitor logging: Shows logging to the monitor (all tty lines). Shows "disabled" or, if
enabled, the severity level limit, number of messages that are logged, and whether XML
formatting or ESM filtering is enabled. Corresponds to the configuration of the logging
monitor, logging monitor xml, or logging monitor filtered commands.

 Buffer logging: Shows logging to the standard syslog buffer. Shows "disabled" or, if
enabled, the severity level limit, number of messages that are logged, and whether XML
formatting or ESM filtering is enabled. Corresponds to the configuration of the logging
buffered, logging buffered xml, or logging buffered filtered commands.
 Trap logging: Shows logging to a remote host (syslog collector). Shows "disabled" or, if
enabled, the severity level limit, number of messages that are logged, and whether XML
formatting or ESM filtering is enabled. Corresponds to the configuration of the logging
command. The severity level limit is set using the logging trap command.
 Log Buffer (307200 bytes): The value in parentheses corresponds to the configuration of
the logging buffered buffer-size command. If no messages are currently in the buffer, the
output ends with this line. If messages are stored in the syslog buffer as in the example,
they appear after this line.



NetFlow
This topic describes the basics of NetFlow operation.

• Provides high-level diagnostics to classify and identify network
anomalies.
• Detects attacks because behavioral changes are obvious with NetFlow.
• Packet capture is like a wiretap.
• NetFlow is like a phone bill.
- You can learn a lot from studying the phone bill: Who is talking to whom, over
which protocols and ports, for how long, at what speed, for what duration, and
so on.
- NetFlow is a form of telemetry pushed from the routers and switches—each
one can be a sensor.

[Figure: a NetFlow-enabled router exporting flow records to a NetFlow collector at 10.1.1.1]

ip flow-export destination 10.1.1.1 9991
ip flow-export version 9
!
interface FastEthernet 0/0/0
 ip flow {ingress | egress}

NetFlow is a network protocol developed by Cisco for collecting IP traffic information.
NetFlow has become an industry standard for traffic monitoring and is supported by platforms
other than Cisco.
NetFlow is an embedded feature that you can use to characterize network operation by enabling
the collection of network traffic telemetry. In response to new requirements and threats,
network operators are finding it critical to understand how the network is behaving, including
the following information:
 Application and network usage
 Network productivity and utilization of network resources
 The impact of changes to the network
 Network anomaly and security vulnerabilities

NetFlow technology fulfills those needs, creating an environment in which you have the tools
to understand who, what, when, where, and how network traffic is flowing. When you
understand the network behavior, business processes improve and an audit trail of how the
network is used is available. This increased awareness reduces the vulnerability of the service
provider network to outages and allows the network to operate efficiently. Improvements in
network operation lower costs and encourage higher business revenues by enabling better
utilization of the network infrastructure.
NetFlow is not like a sniffer that captures all traffic that flows through it. To use an analogy
from the telephone industry, NetFlow is like a phone bill, from which you can learn a lot. You
can deduce who is talking to whom, how frequently, how long, and so on. With this
information, you can use an analysis engine to determine much of what is going on in the
network.

The ip flow-export destination command specifies the IP address or hostname of the NetFlow
collector, and the UDP port that the NetFlow collector is listening on. The ip flow-export
version 9 command specifies that the export packet uses the Version 9 format. The ip flow
{ingress | egress} command enables NetFlow on the interface. “Ingress” captures traffic that is
being received by the interface, and “egress” captures traffic that is being transmitted by the
interface.
NetFlow configuration on Cisco IOS XR Software is beyond the scope of this course. Refer to
the Cisco IOS XR configuration guide for more information at http://www.cisco.com.

NetFlow Flow Definition
This topic describes how packets are grouped into a NetFlow flow.

Flow is defined by seven keys in standard NetFlow:
• Source IP address
• Destination IP address
• Source port
• Destination port
• Layer 3 protocol type
• CoS or ToS byte
• Input logical interface (ifIndex)

Export packets:
• Approximately 1500 bytes
• Typically contain 20–50 flow records
• Sent more frequently if traffic increases on NetFlow-enabled interfaces


Each packet that is forwarded within a router or switch is examined for a set of IP packet
attributes. These attributes are the IP packet identity or fingerprint of the packet, and they
determine if the packet is unique or similar to other packets. Traditionally, an IP flow is based
on a set of five, and as many as seven, IP packet attributes. The following are the IP packet
attributes that NetFlow can use:
• IP source address
• IP destination address
• Source port
• Destination port
• Layer 3 protocol type
• Class of service (CoS)
• Router or switch interface

All packets with the same source and destination IP address, source and destination ports,
protocol, interface, and CoS are grouped into a flow and then packets and bytes are tallied. This
methodology of fingerprinting or determining a flow is scalable because a large amount of
network information is condensed into a database of NetFlow information that is called the
NetFlow cache.
A NetFlow flow is a unidirectional sequence of packets that arrive on a single interface (or
subinterface), and have the same values for key fields.
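The grouping just described, as an added example that is not Cisco's NetFlow implementation: packets that agree on all seven key fields are tallied into one entry of a small in-memory "NetFlow cache", and the reverse direction of a TCP session shows up as its own unidirectional flow. The packet records are constructed sample data using documentation addresses; the fan-out count at the end is one simple way a collector can surface the behavioral changes the text mentions.

```python
"""Group packets into NetFlow-style flows and tally them into a flow cache.

Added example, not Cisco's NetFlow code: it models the seven key fields
described in the text. The packet records are constructed sample data.
"""
from collections import OrderedDict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: int   # IP protocol number: 6 = TCP, 17 = UDP
    tos: int        # ToS/CoS byte
    if_index: int   # ifIndex of the input interface
    length: int     # bytes in the packet (tallied, not a key field)


# The seven NetFlow key fields, in the order the text lists them.
FlowKey = Tuple[str, str, int, int, int, int, int]


@dataclass
class FlowEntry:
    packets: int = 0
    bytes: int = 0


def flow_key(pkt: Packet) -> FlowKey:
    """Packets that agree on all seven key fields belong to the same flow.
    The reply direction of a session has source and destination swapped,
    so it forms a separate, unidirectional flow."""
    return (pkt.src_ip, pkt.dst_ip, pkt.src_port, pkt.dst_port,
            pkt.protocol, pkt.tos, pkt.if_index)


def build_flow_cache(packets: Iterable[Packet]) -> Dict[FlowKey, FlowEntry]:
    """Tally packets and bytes per flow, the way the NetFlow cache does."""
    cache: Dict[FlowKey, FlowEntry] = OrderedDict()
    for pkt in packets:
        entry = cache.setdefault(flow_key(pkt), FlowEntry())
        entry.packets += 1
        entry.bytes += pkt.length
    return cache


def destinations_per_source(cache: Dict[FlowKey, FlowEntry]) -> Dict[str, int]:
    """Count distinct (destination address, destination port) pairs per source.
    A sudden jump in this number for one host is the kind of behavioral change
    that stands out in flow data without any packet payload."""
    seen: Dict[str, Set[Tuple[str, int]]] = {}
    for (src, dst, _sport, dport, _proto, _tos, _ifx) in cache:
        seen.setdefault(src, set()).add((dst, dport))
    return {src: len(targets) for src, targets in seen.items()}


# Constructed sample traffic (RFC 5737 documentation addresses): a web
# request with its reply direction, and a DNS lookup from the same client.
SAMPLE_PACKETS: List[Packet] = [
    Packet("192.0.2.10", "198.51.100.5", 51000, 80, 6, 0, 1, 60),
    Packet("192.0.2.10", "198.51.100.5", 51000, 80, 6, 0, 1, 1500),
    Packet("198.51.100.5", "192.0.2.10", 80, 51000, 6, 0, 2, 1500),
    Packet("192.0.2.10", "198.51.100.5", 51000, 80, 6, 0, 1, 52),
    Packet("192.0.2.10", "203.0.113.53", 40000, 53, 17, 0, 1, 78),
]


if __name__ == "__main__":
    cache = build_flow_cache(SAMPLE_PACKETS)
    for key, entry in cache.items():
        print(key, entry.packets, "pkts", entry.bytes, "bytes")
    print(destinations_per_source(cache))
```

Running it on the sample shows three cache entries from five packets: the client-to-server half of the web session (3 packets, 1612 bytes), its reply direction, and the DNS query.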

NetFlow is useful for the following:
• Accounting and billing: NetFlow data provides fine-grained metering for highly flexible
and detailed resource utilization accounting.
• Network planning and analysis: NetFlow data provides key information for strategic
network planning.
• Network monitoring: NetFlow data enables near real-time network monitoring
capabilities.

NetFlow Data Export Versions
This topic describes the different NetFlow versions.

Version  Description
1        Original
5        Standard and most common on Cisco IOS Software
7        Specific to Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers.
         Similar to version 5, but does not include AS, interface, TCP flag, and ToS
         information
8        Choice of 11 aggregation schemes, reduces resource usage
9        Flexible, extensible file export format to enable easier support of additional
         fields and technologies. Cisco IOS XR Software supports export format Version 9
         only.


NetFlow version 1 was the original format that was supported in Cisco IOS Software releases
containing NetFlow functionality, but it is rarely used today. NetFlow version 5 is a later
enhancement that adds Border Gateway Protocol (BGP) autonomous system (AS) information
and flow sequence numbers. NetFlow version 7 is an enhancement that adds NetFlow support
for Cisco Catalyst switches that use hybrid or native mode. NetFlow version 8 is the NetFlow
export format to use when you enable router-based NetFlow aggregation on Cisco IOS router
platforms.

Note NetFlow versions 2, 4, and 6 were not released and are not supported.

NetFlow version 9 is a flexible and extensible means to carry NetFlow records from a network
node to a collector. NetFlow version 9 has definable record types and is self-describing for
easier NetFlow collection engine configuration. The following are characteristics of NetFlow
version 9:
• Templates define record formats.
• The router sends the template descriptions to the NetFlow Collection Engine.
• The router sends flow records to the NetFlow Collection Engine with minimal template
information so that the NetFlow Collection Engine can relate the records to the appropriate
template.
• Version 9 is independent of the underlying transport protocol (UDP, TCP, Stream Control
Transmission Protocol [SCTP], and so on).

Note Cisco IOS XR Software supports export format version 9 only.

NetFlow services provide access to information about IP flows within their data networks. You
can use exported NetFlow data for various purposes, including network management and
planning, enterprise accounting and departmental charge-backs, ISP billing, data warehousing,
and marketing.
The main feature of the NetFlow version 9 export format is that it is template-based. A template
describes a NetFlow record format and the attributes of the fields (such as type and length)
within the record. The router assigns each template an ID, which is communicated to the
NetFlow Collection Engine along with the template description. The template ID is used for all
further communication from the router to the NetFlow Collection Engine.
The basic output of NetFlow is a flow record. In NetFlow version 9, a flow record follows the
same sequence of fields as specified by the template definition. The template to which NetFlow
records belong is determined by adding the template ID to the group of NetFlow records.
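The template mechanism described above, as an added example (not Cisco's exporter or any collector's code): one export datagram carries a template FlowSet announcing template ID 256 with its field types and lengths, followed by a data FlowSet tagged with that same ID so the records can be decoded. The parser keeps learned templates across datagrams, which is what lets it decode a later data-only datagram, and it skips a data FlowSet whose template it has not seen yet. The field type numbers are the standard version 9 ones (RFC 3954); the flow records are constructed samples.

```python
"""Build and decode a NetFlow version 9 export packet (added example,
not Cisco's code). Flow records below are constructed samples."""
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

# Standard v9 field type IDs used by this template (RFC 3954).
IN_BYTES, PROTOCOL, L4_SRC_PORT, IPV4_SRC_ADDR, L4_DST_PORT, IPV4_DST_ADDR = 1, 4, 7, 8, 11, 12
FIELD_NAMES = {IN_BYTES: "in_bytes", PROTOCOL: "protocol", L4_SRC_PORT: "src_port",
               IPV4_SRC_ADDR: "src_addr", L4_DST_PORT: "dst_port", IPV4_DST_ADDR: "dst_addr"}
ADDRESS_FIELDS = {IPV4_SRC_ADDR, IPV4_DST_ADDR}

TEMPLATE_ID = 256  # data FlowSet IDs start at 256; 0 and 1 are reserved for templates
TEMPLATE_FIELDS: List[Tuple[int, int]] = [   # (field type, length in bytes)
    (IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (L4_SRC_PORT, 2),
    (L4_DST_PORT, 2), (PROTOCOL, 1), (IN_BYTES, 4),
]
Templates = Dict[int, List[Tuple[int, int]]]


def _pad4(b: bytes) -> bytes:
    return b + b"\x00" * (-len(b) % 4)   # FlowSets are padded to 32-bit boundaries


def build_export_packet(records: List[dict], seq: int, *, include_template: bool = True) -> bytes:
    """One export datagram: 20-byte header, optional template FlowSet, data FlowSet."""
    flowsets = b""
    if include_template:
        body = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE_FIELDS))
        body += b"".join(struct.pack("!HH", t, n) for t, n in TEMPLATE_FIELDS)
        flowsets += struct.pack("!HH", 0, 4 + len(body)) + body
    body = b""
    for r in records:   # fields laid out exactly in template order
        body += ipaddress.IPv4Address(r["src_addr"]).packed
        body += ipaddress.IPv4Address(r["dst_addr"]).packed
        body += struct.pack("!HHBI", r["src_port"], r["dst_port"], r["protocol"], r["in_bytes"])
    body = _pad4(body)
    flowsets += struct.pack("!HH", TEMPLATE_ID, 4 + len(body)) + body
    count = len(records) + (1 if include_template else 0)   # header count covers templates too
    # version, count, sysUptime, unix_secs, sequence, source_id (uptime/secs/source zeroed here)
    header = struct.pack("!HHIIII", 9, count, 0, 0, seq, 0)
    return header + flowsets


def parse_export_packet(data: bytes, templates: Optional[Templates] = None) -> dict:
    """Decode one datagram; `templates` persists across calls like a collector's cache."""
    if templates is None:
        templates = {}
    version, count, _uptime, _secs, seq, source_id = struct.unpack_from("!HHIIII", data, 0)
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    records: List[dict] = []
    skipped = 0
    offset = 20
    while offset + 4 <= len(data):
        fs_id, fs_len = struct.unpack_from("!HH", data, offset)
        if fs_len < 4 or offset + fs_len > len(data):
            raise ValueError("malformed FlowSet length")
        body = data[offset + 4:offset + fs_len]
        offset += fs_len
        if fs_id == 0:   # template FlowSet: zero or more template definitions
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                pos += 4
                templates[tid] = [struct.unpack_from("!HH", body, pos + 4 * i) for i in range(nfields)]
                pos += 4 * nfields
        elif fs_id >= 256:   # data FlowSet: records laid out per the named template
            fields = templates.get(fs_id)
            if fields is None:
                skipped += 1   # template not received yet: nothing can be decoded
                continue
            rec_len = sum(n for _, n in fields)
            pos = 0
            while pos + rec_len <= len(body):   # trailing padding is shorter than a record
                rec = {}
                for ftype, flen in fields:
                    raw = body[pos:pos + flen]
                    pos += flen
                    name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                    if ftype in ADDRESS_FIELDS:
                        rec[name] = str(ipaddress.IPv4Address(raw))
                    else:
                        rec[name] = int.from_bytes(raw, "big")
                records.append(rec)
    return {"sequence": seq, "source_id": source_id, "count": count,
            "records": records, "skipped_flowsets": skipped}


# Constructed sample flow records (RFC 5737 documentation addresses).
SAMPLE_RECORDS = [
    {"src_addr": "192.0.2.10", "dst_addr": "198.51.100.5", "src_port": 51000,
     "dst_port": 80, "protocol": 6, "in_bytes": 1612},
    {"src_addr": "192.0.2.10", "dst_addr": "203.0.113.53", "src_port": 40000,
     "dst_port": 53, "protocol": 17, "in_bytes": 78},
]


def collector_demo() -> List[dict]:
    """A template+data datagram, then a data-only datagram, through one collector."""
    templates: Templates = {}
    first = parse_export_packet(build_export_packet(SAMPLE_RECORDS, seq=1), templates)
    second = parse_export_packet(
        build_export_packet(SAMPLE_RECORDS[:1], seq=2, include_template=False), templates)
    return [first, second]
```

The header's count field covers template records as well as data records, so the first datagram reports a count of 3 for two flows; and a collector started after the template went out sees only an undecodable data FlowSet until the exporter resends the template.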

Summary
This topic summarizes the key points that were discussed in this lesson.

• Cisco Discovery Protocol provides a summary of directly connected Cisco devices,
regardless of which protocol suite they are running.
• CDP gives you several pieces of information about neighboring devices,
including IP address, capabilities, software version, etc.
• CDP is enabled by default on IOS devices and disabled on IOS XR
devices.
• You can disable or enable CDP on individual interfaces or globally.
• With SNMP you can poll the data from devices, configure devices and
receive notifications of events via traps.
• To get the data from an agent (router) you need to ask it for data by OID
which is part of a MIB.
• To configure SNMP v1 or v2 on a Cisco IOS device, you must configure
SNMP community string and type of access.
• Syslog is one of the ways that Cisco devices can send or store logging
information.


• Cisco devices use a predefined syslog message format, which makes it
easier to parse the messages.
• To configure syslog, simply specify the host to which the messages must
be sent.
• NetFlow provides high-level diagnostics to classify and identify network
anomalies.
• A single NetFlow packet typically contains 20–50 flow records.
• NetFlow comes in several versions: 1, 5, 7, 8, 9.

Lesson 2

Configuring Network Management Tools
Overview
There are often situations in which you have to analyze network traffic passing through certain
switch ports. The Switched Port Analyzer (SPAN) feature on Cisco switches enables you to
copy traffic from one or more source ports to a destination port for analysis. This lesson
describes how to use SPAN to analyze network traffic. The lesson will also describe the basic
configuration of an IP service level agreement (SLA) on Cisco devices. The SLA is a contract
between the provider and its customers that provides a guarantee of service level. This lesson
also describes Network Time Protocol (NTP), which provides time synchronization between
network devices. Call Home is a feature on Cisco devices that provides an email-based
notification for critical system policies. Call Home can also be used to generate a case with the
Cisco Technical Assistance Center (TAC). The procedure to open a TAC request is also
described in the lesson.

Objectives
Upon completing this lesson, you will be able to describe the basic configuration of network
management tools. This ability includes being able to meet these objectives:
• Describe basic SPAN operations
• Configure SPAN on Cisco Catalyst switches
• Describe IP SLA
• Describe IP SLA measurement functionality
• Describe IP SLA operations
• Describe the function of the IP SLA source and responder
• Describe how time stamps are used by the IP SLA responder to enhance the accuracy of
measurements
• Describe how to configure and verify IP SLA on Cisco devices
• Describe basic NTP operations
• Describe NTP stratum levels
• Describe the NTP architecture
• Describe how to configure and verify NTP on Cisco devices
• Describe Smart Call Home on Cisco devices
• Describe the procedure for opening a TAC request

Understanding SPAN
This topic describes basic SPAN operations.

• SPAN copies traffic from one or more source ports to a destination port
for analysis.
• All traffic on port Fast Ethernet 0/5 (the source port) is mirrored to port
Fast Ethernet 0/10 (the destination port).
• Network Analyzer resides on SPAN destination port Fa 0/10 to analyze
traffic received or sent (or both) on source port Fa 0/5.

[Figure: source port Fa 0/5 mirrored to destination port Fa 0/10, where a network analyzer
(laptop with network protocol analyzer installed) is attached]

You can analyze network traffic passing through ports or VLANs by using SPAN or Remote
SPAN (RSPAN) to send a copy of the traffic to another port on the switch or to another switch
that has been connected to a network analyzer or other monitoring or security device. SPAN
copies (or mirrors) traffic received or sent (or both) on source ports or source VLANs to a
destination port for analysis. SPAN does not affect the switching of network traffic on the
source ports or VLANs. You must dedicate the destination port for SPAN use. Except for
traffic that is required for the SPAN or RSPAN session, destination ports do not receive or
forward traffic.

Note Only configuration for SPAN will be shown in this course.

Only traffic that enters or leaves source ports or traffic that enters or leaves source VLANs can
be monitored by using SPAN. Traffic routed to a source VLAN cannot be monitored. For
example, if incoming traffic is being monitored, traffic that gets routed from another VLAN to
the source VLAN cannot be monitored. However, traffic that is received on the source VLAN
and routed to another VLAN can be monitored.

Note The concept of VLANs is explained in the Building Cisco Service Provider Next-Generation
Networks, Part 2 (SPNGN2) course.

You can analyze network traffic passing through ports or VLANs by using SPAN or RSPAN to
send a copy of the traffic to one of the following:
• Another port on the switch (SPAN)
• Another switch that has been connected to a network analyzer or other monitoring or
security device (RSPAN)

You can use the SPAN or RSPAN destination port to inject traffic from a network security
device. For example, if you connect a Cisco Intrusion Prevention System (IPS) sensor
appliance to a destination port, the IPS device can send TCP reset packets to close down the
TCP session of a suspected attacker.
Local SPAN supports a SPAN session entirely within one switch. All source ports or source
VLANs and destination ports reside in the same switch. Local SPAN copies traffic from one or
more source ports in any VLAN or from one or more VLANs to a destination port for analysis.
In the figure, all traffic on port Fast Ethernet 0/5 (the source port) is mirrored to port Fast
Ethernet 0/10 (the destination port). A network analyzer on port Fast Ethernet 0/10 receives all
network traffic from port Fast Ethernet 0/5 without being physically attached to port Fast
Ethernet 0/5.
Encapsulated Remote SPAN (ERSPAN) allows the source and destination to be in different
chassis separated by a Layer 3 routed network. Unlike RSPAN, which requires the source and
destination chassis to be in the same Layer 2 domain, ERSPAN uses the Policy Feature Card 3
(PFC3) hardware to encapsulate the mirrored traffic within a Layer 3 routable Generic Routing
Encapsulation (GRE) tunnel.

SPAN sessions can monitor these traffic types:
• Receive (Rx)
- Monitors, as much as possible, all the packets received by the source
interface before any modification or processing is performed by the switch
• Transmit (Tx)
- Monitors, as much as possible, all the packets sent by the source interface
before any modification or processing is performed by the switch
• Both Rx and Tx
- Monitors a port for both received and sent packets
- The default


SPAN sessions allow you to monitor traffic on one or more ports, or one or more VLANs, and
send the monitored traffic to one or more destination ports.
A local SPAN session is an association of a destination port with source ports or source
VLANs, all on a single network device. Local SPAN does not have separate source and
destination sessions. Local SPAN sessions gather a set of ingress and egress packets specified
by the user and form them into a stream of SPAN data, which is directed to the destination port.

SPAN sessions can monitor these traffic types:
• Receive (Rx) SPAN: The goal of receive (or ingress) SPAN is to monitor, as much as
possible, all the packets received by the source interface or VLAN before any modification
or processing is performed by the switch. A copy of each packet received by the source is
sent to the destination port for that SPAN session. Packets that are modified because of
routing or quality of service (QoS)—for example, modified differentiated services code
point (DSCP)—are copied before modification. Features that can cause a packet to be
dropped during receive processing have no effect on ingress SPAN. The destination port
receives a copy of the packet even if the actual incoming packet is dropped. These features
include IP standard and extended input access control lists (ACLs), ingress QoS policing,
VLAN ACLs, and egress QoS policing.
• Transmit (Tx) SPAN: The goal of transmit (or egress) SPAN is to monitor, as much as
possible, all the packets sent by the source interface after all modification and processing is
performed by the switch. A copy of each packet sent by the source is sent to the destination
port for that SPAN session. The copy is provided after the packet is modified. Packets that
are modified because of routing—for example, with modified Time to Live (TTL), MAC
address, or QoS values—are duplicated (with the modifications) at the destination port.
Features that can cause a packet to be dropped during transmit processing also affect the
duplicated copy for SPAN. These features include IP standard and extended output ACLs
and egress QoS policing.
• Both Rx and Tx SPAN: In a SPAN session, you can also monitor a port or VLAN for both
received and sent packets, which is the default.

Switch congestion can cause packets to be dropped at ingress source ports, egress source ports,
or SPAN destination ports. In general, these characteristics are independent of each other.
Some examples are as follows:
• A packet might be forwarded normally but dropped from monitoring due to an
oversubscribed SPAN destination port.
• An ingress packet might be dropped from normal forwarding but still appear on the SPAN
destination port.

An egress packet dropped because of switch congestion is also dropped from egress SPAN.
Traffic monitoring in a SPAN session has these restrictions:
• Sources can be ports or VLANs, but you cannot mix source ports and source VLANs in the
same session.
• The switch supports up to two source sessions (local SPAN and RSPAN source sessions).
You can run both a local SPAN and an RSPAN source session in the same switch. The
switch supports a total of 66 source and RSPAN destination sessions.
• You can have multiple destination ports in a SPAN session, but no more than 64
destination ports.
• SPAN sessions do not interfere with the normal operation of the switch. However, an
oversubscribed SPAN destination, for example, a 100-Mb/s port monitoring a 1000-Mb/s
port, can result in dropped or lost packets.
• You can configure SPAN sessions on disabled ports. However, a SPAN session does not
become active unless you enable the destination port and at least one source port or VLAN
for that session.

Configuring SPAN on Cisco Switches
This topic describes how to configure SPAN on Cisco Catalyst switches.

Configuration Guidelines
• You can have a total of 66 SPAN sessions on a Cisco ME 3400 Series
Ethernet Access switch.
• The destination port cannot be a source port.
• You cannot have two SPAN sessions using the same destination port.
• When you configure a switch port as a SPAN destination port, it is no
longer a normal switch port—only monitored traffic passes through the
SPAN destination port.
• Entering SPAN configuration commands does not remove previously
configured SPAN parameters.


Follow these guidelines when configuring SPAN:
• You can configure a total of two local SPAN sessions or RSPAN source sessions on each
switch. You can have a total of 66 SPAN sessions (local, RSPAN source, and RSPAN
destination) on a Cisco ME 3400 Series Ethernet Access switch.
• For SPAN sources, you can monitor traffic for a single port or VLAN or a series or range
of ports or VLANs for each session. You cannot mix source ports and source VLANs
within a single SPAN session.
• The destination port cannot be a source port and a source port cannot be a destination port.
• You cannot have two SPAN sessions using the same destination port.
• When you configure a switch port as a SPAN destination port, it is no longer a normal
switch port—only monitored traffic passes through the SPAN destination port.
• Entering SPAN configuration commands does not remove previously configured SPAN
parameters. You must enter the no monitor session {session_number | all | local | remote}
global configuration command to delete configured SPAN parameters.
• You can configure a disabled port to be a source or destination port, but the SPAN function
does not start until the destination port and at least one source port or source VLAN are
enabled.

Configuration Scenario
• Delete any existing SPAN configuration for sessions 1 and 2.
• Configure SPAN session 1 to monitor received traffic on Fa 0/1 and send
it to destination Fa 0/2.
• Configure SPAN session 2 to monitor received and sent traffic on Fa 0/3
and send it to destination Fa 0/4.

[Figure: switch with SPAN source ports Fa 0/1 and Fa 0/3 and destination ports Fa 0/2 and
Fa 0/4]


The figure shows an example configuration scenario. Two SPAN sessions will be configured
on the switch.
First, any existing SPAN configuration for sessions 1 and 2 should be deleted. After that,
SPAN session 1 will be configured to monitor received traffic on interface Fast Ethernet 0/1
and send it to destination interface Fast Ethernet 0/2. Then SPAN session 2 will be
configured to monitor received and sent traffic on interface Fast Ethernet 0/3 and send it to
destination interface Fast Ethernet 0/4.

Configuration

[Figure: switch with SPAN source ports Fa 0/1 and Fa 0/3 and destination ports Fa 0/2 and
Fa 0/4]

IOS:
! Removes any existing SPAN configuration for sessions 1 and 2
no monitor session 1
no monitor session 2
!
! Sets up SPAN session 1 to monitor received traffic on Fa 0/1 and send it to
! destination Fa 0/2
monitor session 1 source interface Fa0/1 rx
monitor session 1 destination interface Fa0/2
!
! Sets up SPAN session 2 to monitor received and sent traffic on Fa 0/3 and send
! it to destination Fa 0/4
monitor session 2 source interface Fa0/3
monitor session 2 destination interface Fa0/4
!

The figure shows a configuration for SPAN on Cisco switches running Cisco IOS Software.
Use the no monitor session global configuration command to remove any existing SPAN
configuration for the session.
To specify the SPAN session and the source port (monitored port), use this command:
monitor session session_number source {interface interface-id | vlan vlan-id} [, | -] [both | rx | tx]
If you do not specify a traffic direction, the SPAN monitors both sent and received traffic.
There are three options:
• Rx and Tx: Monitor both received and sent traffic. This is the default.
• Rx: Monitor received traffic.
• Tx: Monitor sent traffic.

For the source interface-id, specify the source port to monitor. Valid interfaces include physical
interfaces and port-channel logical interfaces.
For the optional [, | -] argument, specify a series or range of interfaces or VLANs. Enter a
space before and after the comma, and enter a space before and after the hyphen (for
example, vlan 1 - 3).
To specify the SPAN session and the destination port, use this command:
monitor session session_number destination {interface interface-id}

Note For a complete command reference, refer to Cisco IOS Command Reference guides on
http://www.cisco.com.

Verification
• Displays information about the SPAN sessions

Switch# show monitor session 1
Session 1
---------
Type : Local Session
Source Ports :
RX Only : Fa0/1
Destination Ports : Fa0/2
Encapsulation : Native
Ingress : Disabled

Switch# show monitor session 2
Session 2
---------
Type : Local Session
Source Ports :
Both : Fa0/3
Destination Ports : Fa0/4
Encapsulation : Native
Ingress : Disabled


To display information about the SPAN sessions, use the show monitor session command in
user EXEC mode.
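As an added example (not Cisco's code), the verification step can be automated: the script below parses the show monitor session output for the two-session scenario and checks the parsed sessions against two of the configuration guidelines given earlier in this topic (a destination port cannot also be a source port, and two sessions cannot share a destination port). The output text embedded in the script is the constructed sample from the verification slide, and the field labels it recognizes (Type, RX Only, TX Only, Both, Destination Ports) are the ones that appear in that output.

```python
"""Parse `show monitor session` output and check it against the SPAN guidelines.
Added example, not Cisco's code; the embedded output is a constructed sample."""
import re
from typing import Dict, List

# Constructed sample output for the two-session scenario in the text.
SHOW_MONITOR_OUTPUT = """\
Session 1
---------
Type : Local Session
Source Ports :
RX Only : Fa0/1
Destination Ports : Fa0/2
Encapsulation : Native
Ingress : Disabled

Session 2
---------
Type : Local Session
Source Ports :
Both : Fa0/3
Destination Ports : Fa0/4
Encapsulation : Native
Ingress : Disabled
"""

SOURCE_KEYS = ("RX Only", "TX Only", "Both")   # direction labels under "Source Ports"


def _port_list(value: str) -> List[str]:
    return [p.strip() for p in value.split(",") if p.strip()]


def parse_monitor_sessions(text: str) -> Dict[int, dict]:
    """Return {session: {"type", "sources": {direction: [ports]}, "destinations": [ports]}}."""
    sessions: Dict[int, dict] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        match = re.match(r"^Session (\d+)$", line)
        if match:
            current = {"type": None, "sources": {}, "destinations": []}
            sessions[int(match.group(1))] = current
            continue
        if current is None or ":" not in line:
            continue   # separator lines, blank lines, text before the first session
        key, _, value = (part.strip() for part in line.partition(":"))
        if key == "Type":
            current["type"] = value
        elif key in SOURCE_KEYS and value:
            current["sources"][key] = _port_list(value)
        elif key == "Destination Ports":
            current["destinations"] = _port_list(value)
    return sessions


def check_span_guidelines(sessions: Dict[int, dict]) -> List[str]:
    """Report guideline violations; an empty list means the sessions are consistent."""
    problems: List[str] = []
    all_sources = {p for s in sessions.values() for ports in s["sources"].values() for p in ports}
    owner: Dict[str, int] = {}   # destination port -> first session that uses it
    for sid, s in sorted(sessions.items()):
        for dest in s["destinations"]:
            if dest in all_sources:
                problems.append(f"session {sid}: destination {dest} is also a SPAN source port")
            if dest in owner:
                problems.append(f"session {sid}: destination {dest} already used by session {owner[dest]}")
            owner.setdefault(dest, sid)
    return problems


if __name__ == "__main__":
    parsed = parse_monitor_sessions(SHOW_MONITOR_OUTPUT)
    for sid, s in parsed.items():
        print(sid, s["sources"], "->", s["destinations"])
    print("problems:", check_span_guidelines(parsed) or "none")
```

On the sample output the check returns no problems; pointing session 2 at Fa0/2 or Fa0/1 instead would be flagged as a shared destination or a destination that is also a source.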

IP Service Level Agreement
This topic describes IP service level agreement (SLA).

• Companies need predictability in IP services as networks become
increasingly important.
• An SLA is a contract between the provider and its customers:
- Provides a guarantee of service level
- Specifies connectivity and performance agreements for an
end-user service
- Supports problem isolation and network planning


The network has become increasingly critical for customers, and any downtime or degradation
can adversely impact revenue. Companies need some form of predictability with IP services.
An SLA is a contract between the service provider and its customers, or between a network
department and internal corporate customers. It provides a form of guarantee to customers
about the level of user experience.
An SLA specifies connectivity and performance agreements for an end-user service from a
service provider. The SLA will typically outline the minimum level of service and the expected
level of service. The networking department can use the SLAs to verify that the service
provider is meeting its own SLAs or to define service levels for critical business applications.
An SLA can also be used as the basis for planning budgets and justifying network expenditures.
You can ultimately reduce the mean time to repair (MTTR) by proactively isolating network
issues. You can change the network configuration based on optimized performance metrics.
Typically, the technical components of an SLA contain a guaranteed level for network
availability, network performance in terms of round-trip time (RTT), and network response in
terms of latency, jitter, and packet loss. The specifics of an SLA vary, depending on the
applications that an organization is supporting in the network.

IP SLA Measurements
This topic describes IP SLA measurement functionality.


The IP SLA measurement functionality in Cisco IOS Software, IOS XE Software, and IOS XR
Software allows the configuration of a router to send synthetic traffic to a host computer or to a
router that has been configured to respond. One-way travel times and packet loss data is
gathered. Certain measurements also allow jitter data to be collected.
There are several common functions for IP SLA measurements:
• Edge-to-edge network availability monitoring
• Network performance monitoring and network performance visibility
• VoIP, video, and virtual private network (VPN) monitoring
• IP service network health readiness or assessment
• Multiprotocol Label Switching (MPLS) network monitoring
• Troubleshooting of network operation

IP SLA measurement uses a variety of operations and actively generated traffic probes to
gather many types of measurement statistics:
• Network latency and response time
• Packet loss statistics
• Network jitter and voice quality scoring
• Statistical end-to-end matrix of performance information
• End-to-end network connectivity

Multiple IP SLA operations (measurements) can be running in a network at one time. Reporting
tools use Simple Network Management Protocol (SNMP) to extract the data into a database and
then report on it.
IP SLA measurements allow you to verify service guarantees, which increase network
reliability by validating network performance, proactively identifying network issues, and
easing the deployment of new IP services.

IP SLA Operations
This topic describes IP SLA operations.

• Operation is a measurement including protocol, frequency, traps, and
thresholds.
• Network manager defines UDP or TCP port for each IP SLA
measurement operation.
• IP SLAs can send traffic with different DSCP values.
• IP SLA control protocol is used between source and responder.
• MD5 authentication is supported between source and responder.
• Results are stored on IP SLA source in the IP SLA MIB.


The network manager configures a target device, protocol, and UDP or TCP port number on the
IP SLA source for each operation. The source uses the IP SLA control protocol to communicate
with the responder before sending test packets. To increase security on IP SLA measurement
control messages, the responder can utilize Message Digest 5 (MD5) authentication to secure
the control protocol exchange. After the operation is finished and the response is received, the
results are stored in the IP SLA MIB on the source, and are retrieved using SNMP.
IP SLA operations are defined to target devices. If the operation is something like Domain
Name System (DNS) or HTTP, the target device might be any suitable computer. For
operations such as testing the port that is used by a database, an organization might not want to
risk unexpected effects and would use the IP SLA responder functionality to have a router
respond in place of the actual database server. You can enable responder functionality in a
router with only one command, and no complex or per-operation configuration is required.

IP SLA Source and Responder
This topic describes the function of the IP SLA source and responder.

IP SLA source:
• Cisco IOS Software, IOS XE Software, or IOS XR Software device that
sends data for operations.
- Target device may or may not be a Cisco IOS or IOS XE Software device.
- Some operations require an IP SLA responder.
• IP SLA source stores results in MIB.

IP SLA responder:
• Greater measurement accuracy is available between an IP SLA source
and responder.
• IP SLA responder is a Cisco IOS Software, IOS XE Software, or IOS XR
Software device that is configured to respond to IP SLA packets.


The IP SLA source is where all IP SLA measurement probe operations are configured, either
by the CLI or through an SNMP tool that supports IP SLA operation. The source is also the
Cisco IOS Software, IOS XE Software, or IOS XR Software device that sends probe packets.
The destination of the probe may be another Cisco router or another network target such as a
web server or IP host.
Although the destination of the probe can be any IP device, the measurement accuracy is
improved with an IP SLA responder. An IP SLA responder is a device that runs Cisco IOS
Software, IOS XE Software, or IOS XR Software, and is configured as an IP SLA
measurement responder.


The network manager configures an IP SLA operation by defining a target device, protocol,
and port number on the IP SLA source. The network manager can also configure reaction
conditions. The IP SLA operation is scheduled to be run for a period of time to gather statistics.
The following sequence of events occurs for each IP SLA operation that requires a responder
on the target:
1. At the start of the control phase, the IP SLA source sends a control message with the
configured IP SLA operation information to IP SLA control port UDP 1967 on the target
router. The source also notifies the target to start listening on a new port number for the
actual IP SLA test operation. The control message carries information such as protocol,
port number, and duration.

— If MD5 authentication is enabled, an MD5 checksum is sent with the control message.
— If authentication of the message is enabled, the responder verifies it. If the
authentication fails, the responder returns an authentication failure message.
— If the IP SLA measurement operation does not receive a response from the responder,
it retransmits the control message and eventually times out.
2. If the responder processes the control message, it sends an OK message to the source router
and listens on the port that is specified in the control message for a specified duration. If the
responder cannot process the control message, it returns an error. In the figure, UDP port
2020 is used for the IP SLA test packets.

Note The responder is capable of responding to multiple IP SLA measurement operations that try
to connect to the same port number.

3. If the return code of the control message is OK, then the IP SLA operation moves to the
probing phase, where it will send one or more test packets to the responder for response-
time computations. In the figure, these test messages are sent on control port 2020.

© 2012 Cisco Systems, Inc. Network Management and Security 5-47


4. The responder accepts the test packets and responds. Based on the type of operation, the
responder may add an “in” time stamp and an “out” time stamp in the response packet
payload to account for CPU time that is spent in measuring unidirectional packet loss,
latency, and jitter to a Cisco device. These time stamps help the IP SLA source to make
accurate assessments on one-way delay and the processing time in the target routers. The
responder disables the user-specified port after it responds to the IP SLA measurements
packet or when a specified time expires.

IP SLA Responder Time Stamps
This topic describes how time stamps are used by the IP SLA responder to enhance the
accuracy of measurements.

• IP SLA responder takes two time stamps (T2 and T3).


• IP SLA responder factors out destination processing time, making
results highly accurate.
• IP SLA responder allows for one-way measurements for latency, jitter,
and packet loss.


The figure illustrates the use of IP SLA responder time stamps in round-trip calculations. The
IP SLA source will use four time stamps for the round-trip time (RTT) calculation. The IP SLA
source sends a test packet at time T1.
The IP SLA responder includes both the receipt time (T2) and the transmit time (T3) in its
reply. Because of other high-priority processes, routers can take tens of milliseconds to
process incoming packets. This delay affects the response times because the reply to a test
packet might sit in a queue while waiting to be processed. The time stamps are taken with
submillisecond granularity. At times of high network activity, an Internet Control Message
Protocol (ICMP) ping test often shows a long and inaccurate response time, while an IP SLA–
based responder shows an accurate response time. The IP SLA source subtracts T2 from T3 to
obtain the time spent processing the test packet in the IP SLA responder. This time is
represented by a delta value.
The delta value is then subtracted from the overall RTT. The same principle is applied by the IP
SLA source where the incoming T4 is also taken at the interrupt level to allow for greater
accuracy, as compared with T5, when the packet is processed.
An additional benefit of two time stamps at the IP SLA responder is the ability to track one-
way delay, jitter, and directional packet loss. These statistics are critical, because a great deal of
network behavior is asynchronous. To capture one-way delay measurements, you must
configure both the IP SLA source and the IP SLA responder with the Network Time Protocol
(NTP).
Both the source and the target must be synchronized to the same clock source. The IP SLA
responder provides enhanced accuracy for measurements, without the need for dedicated third-
party external probe devices. It also provides additional statistics, which are not otherwise
available via standard ICMP-based measurements.
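The control and probing phases described in the previous topic, together with the four-time-stamp RTT calculation above, as an added Python model. This is not Cisco code and not the IP SLA wire format: the control message fields, the keyed MD5 checksum over them, and the port bookkeeping are simplified assumptions made for the example. What follows the text is the sequence of events (control message to UDP 1967, OK or error reply, test port open only for the requested duration, T2 and T3 stamps, port closed afterwards) and the subtraction of the responder's delta from the round-trip time.

```python
"""Model of the IP SLA control/probing phases and the four-time-stamp RTT.

Added example, not Cisco code. Message encoding and the keyed MD5 checksum are
hypothetical stand-ins for the undocumented wire format. Times are integer
microseconds so the arithmetic is exact.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

IPSLA_CONTROL_PORT = 1967          # UDP control port named in the text


def control_checksum(key: bytes, msg: Dict[str, object]) -> str:
    """Keyed MD5 over the control message (hypothetical encoding, not Cisco's)."""
    body = repr(sorted(msg.items())).encode()
    return hashlib.md5(key + body).hexdigest()


@dataclass
class Responder:
    """IP SLA responder: listens on 1967 and opens test ports on request."""
    auth_key: Optional[bytes] = None                   # None: MD5 authentication disabled
    processing_delay_us: int = 0                       # simulated queueing/CPU time per probe
    open_ports: Dict[int, int] = field(default_factory=dict)  # test port -> seconds left

    def control(self, dst_port: int, msg: Dict[str, object],
                checksum: Optional[str]) -> str:
        """Control phase: returns 'OK', 'AUTH-FAIL' or 'ERROR'."""
        if dst_port != IPSLA_CONTROL_PORT:
            return "ERROR"                             # only 1967 accepts control messages
        if self.auth_key is not None and checksum != control_checksum(self.auth_key, msg):
            return "AUTH-FAIL"                         # authentication failure message
        if msg.get("protocol") != "udp" or int(msg.get("duration", 0)) <= 0:
            return "ERROR"                             # cannot process the request
        self.open_ports[int(msg["port"])] = int(msg["duration"])
        return "OK"

    def probe(self, dst_port: int, t_arrive_us: int) -> Optional[Tuple[int, int]]:
        """Probing phase: returns the (T2, T3) stamps, or None if the port is closed."""
        if dst_port not in self.open_ports:
            return None
        t2 = t_arrive_us                               # 'in' stamp, taken at interrupt level
        t3 = t2 + self.processing_delay_us             # 'out' stamp when the reply leaves
        return t2, t3

    def tick(self, seconds: int) -> None:
        """Advance the clock; a test port closes when its duration expires."""
        for port in list(self.open_ports):
            self.open_ports[port] -= seconds
            if self.open_ports[port] <= 0:
                del self.open_ports[port]


def rtt_us(t1: int, t2: int, t3: int, t4: int) -> int:
    """Round-trip time with the responder's processing time (delta = T3 - T2) removed."""
    return (t4 - t1) - (t3 - t2)


def run_operation(responder: Responder, key: Optional[bytes], test_port: int,
                  duration_s: int, fwd_delay_us: int, rev_delay_us: int,
                  t1: int = 0) -> Tuple[str, Optional[Dict[str, int]]]:
    """IP SLA source side: control phase, then one probe if the reply was OK."""
    msg = {"protocol": "udp", "port": test_port, "duration": duration_s}
    checksum = control_checksum(key, msg) if key is not None else None
    rc = responder.control(IPSLA_CONTROL_PORT, msg, checksum)
    if rc != "OK":
        return rc, None
    stamps = responder.probe(test_port, t1 + fwd_delay_us)
    if stamps is None:
        return "NO-RESPONSE", None
    t2, t3 = stamps
    t4 = t3 + rev_delay_us                             # reply arrives back at the source
    return rc, {"naive_rtt": t4 - t1,                  # what a plain ICMP ping would report
                "rtt": rtt_us(t1, t2, t3, t4),
                "one_way_fwd": t2 - t1,                # meaningful only with NTP-synced clocks
                "one_way_rev": t4 - t3}


if __name__ == "__main__":
    r = Responder(auth_key=b"sla-key", processing_delay_us=20000)
    print(run_operation(r, b"sla-key", 2020, 5, 3000, 3000))
    print(run_operation(r, b"wrong-key", 2020, 5, 3000, 3000))
```

With a 20 ms simulated responder delay and 3 ms of network delay each way, the naive round trip is 26 ms while the delta-corrected RTT is 6 ms, which is the gap between a ping and an IP SLA measurement that the text describes; the one-way values are only valid when both clocks are NTP-synchronized, as the text also notes.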



Implementing IP SLA
This topic describes how to configure and verify IP SLA on Cisco devices.

Configuration Scenario
• Monitor IP connections on a server at 10.10.10.253, using the IP SLA
ICMP echo operation with number 432.
• Set that IP SLA operation 432 will take place every 5 minutes from now
on.

Figure: CE1 (IOS) and PE1 (IOS XR) each test reachability of the server at
10.10.10.253 with IP SLA every 5 minutes.

The figure shows an example configuration scenario. IP SLA will be configured on CE1
(running Cisco IOS Software) and PE1 (running Cisco IOS XR Software).
IP SLA will be used to monitor IP connections on a device at 10.10.10.253 using the IP SLA
ICMP echo operation with number 432. IP SLA ICMP echo probes should be sent every 5
minutes to the 10.10.10.253 server.

Configuration
Topology: CE1 (IOS) and PE1 (IOS XR), both probing the server at 10.10.10.253.

CE1 (IOS):
! Specifies the operation number
ip sla monitor 432
 ! Defines an ICMP echo operation type with destination IP address
 path-echo 10.10.10.253
 ! Frequency in seconds
 frequency 300
!
! Schedules the operation to run indefinitely, starting immediately
ip sla monitor schedule 432 life forever start-time now
!

PE1 (IOS XR):
ipsla
 ! Specifies the operation number
 operation 432
  ! Defines an ICMP echo operation type
  type icmp echo
   ! Specifies the IP address of the destination
   destination address 10.10.10.19
   ! Frequency in seconds
   frequency 300
  !
 !
 ! Schedules the operation to run indefinitely, starting immediately
 schedule operation 432
  start-time now
  life forever
 !
!

To monitor IP connections on a device, use the IP SLA ICMP echo operation. An ICMP echo
operation measures end-to-end response times between a Cisco router and remote devices using
IP. ICMP echo is used to troubleshoot network connectivity issues. The figure shows
configuration both on Cisco IOS Software and on Cisco IOS XR Software.

Note The ICMP echo operation does not require the IP SLA responder to be enabled.

To enter IP SLA configuration mode on a device running Cisco IOS XR Software and
configure IP SLAs, use the ipsla command in global configuration mode. To configure an IP
SLA operation, use the operation command in IP SLA configuration mode:
operation operation-number
To use the ICMP echo operation type, use the type icmp echo command in IP SLA operation
configuration mode. To identify the address of the target device, use the destination address
command in the appropriate configuration mode. To set the frequency for probing, use the
frequency command in the appropriate configuration mode:
frequency seconds
To enter schedule configuration mode, use the schedule operation command in IP SLA
configuration mode. To specify a time for the operation to start, use the start-time command in
the appropriate configuration mode. Use the now keyword to indicate that the operation should
start immediately. To schedule the lifetime of the operation, use the life command in the
appropriate configuration mode. The forever keyword schedules the operation to run
indefinitely:
life {forever | seconds}
Cisco IOS Software and Cisco IOS XE Software IP SLA configurations use slightly different
command syntax, as shown in the figure.



• Displays the operational data and the latest statistics for the IP SLA
operation in tabular format
RP/0/RSP0/CPU0:PE1# show ipsla statistics 432
Thu Aug 18 13:23:43.958 UTC
Entry number: 432
Modification time: 13:10:47.725 UTC Thu Aug 18 2011
Start time : 13:10:47.729 UTC Thu Aug 18 2011
Number of operations attempted: 13
Number of operations skipped : 0
Current seconds left in Life : Forever
Operational state of entry : Active
Connection loss occurred : FALSE
Timeout occurred : FALSE
Latest RTT (milliseconds) : 3
Latest operation start time : 13:22:47.936 UTC Thu Aug 18 2011
Latest operation return code : OK
RTT Values:
RTTAvg : 3 RTTMin: 3 RTTMax : 3
NumOfRTT: 1 RTTSum: 3 RTTSum2: 9


To display the operational data and the latest statistics for the IP SLA operation in tabular
format, use the show ipsla statistics Cisco IOS XR command (or show ip sla statistics on
Cisco IOS/IOS XE) in EXEC mode:
show ipsla statistics [operation-number]
The significant fields shown in the display are as follows:
 Number of operations attempted: Number of operation cycles that were issued
 Current seconds left in Life: Time remaining until the operation stops execution
 Operational state of entry: State of the operation, such as active state, pending state, or
inactive state
 Connection loss occurred: Whether or not a connection-loss error happened
 Timeout occurred: Whether or not a timeout error happened
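The fields listed above are what an operator checks after the operation has run. The following added Python example (not Cisco code) parses the show ipsla statistics output from the figure, embedded here as sample input, plus a second, constructed sample in which the probe timed out. It applies the return-code, connection-loss, timeout and RTT-bound checks, and it recovers the mean and standard deviation of the RTT from the running sums NumOfRTT, RTTSum and RTTSum2, so no per-probe history is needed. The RTT threshold of 10 ms is an assumption for the example.

```python
"""Health check over 'show ipsla statistics' output.

Added example, not Cisco code. SAMPLE_OK is the output from the figure;
SAMPLE_TIMEOUT is constructed (four earlier RTTs of 3, 3, 5, 5 ms, then a timeout).
"""
import math
import re
from typing import Dict, Optional

SAMPLE_OK = """\
RP/0/RSP0/CPU0:PE1# show ipsla statistics 432
Thu Aug 18 13:23:43.958 UTC
Entry number: 432
Modification time: 13:10:47.725 UTC Thu Aug 18 2011
Start time : 13:10:47.729 UTC Thu Aug 18 2011
Number of operations attempted: 13
Number of operations skipped : 0
Current seconds left in Life : Forever
Operational state of entry : Active
Connection loss occurred : FALSE
Timeout occurred : FALSE
Latest RTT (milliseconds) : 3
Latest operation start time : 13:22:47.936 UTC Thu Aug 18 2011
Latest operation return code : OK
RTT Values:
RTTAvg : 3 RTTMin: 3 RTTMax : 3
NumOfRTT: 1 RTTSum: 3 RTTSum2: 9
"""

SAMPLE_TIMEOUT = """\
Entry number: 432
Operational state of entry : Active
Connection loss occurred : FALSE
Timeout occurred : TRUE
Latest RTT (milliseconds) : 0
Latest operation return code : Timeout
RTT Values:
RTTAvg : 4 RTTMin: 3 RTTMax : 5
NumOfRTT: 4 RTTSum: 16 RTTSum2: 68
"""

RTT_FIELD_RE = re.compile(r"(\w+)\s*:\s*(-?\d+)")       # several fields per RTT line
TIMESTAMP_LINE_RE = re.compile(r"^\w{3} \w{3} \d+ \d")   # the date line under the prompt


def parse_ipsla_statistics(text: str) -> Dict[str, str]:
    """Turn the 'key : value' lines into a dict; the RTT lines are split by regex."""
    stats: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("RP/") or TIMESTAMP_LINE_RE.match(line):
            continue                                   # prompt and timestamp lines
        if line.startswith(("RTT", "NumOfRTT")):
            for key, value in RTT_FIELD_RE.findall(line):
                stats[key] = value
            continue
        if ":" in line:
            key, value = line.split(":", 1)            # first colon only: values hold times
            stats[key.strip()] = value.strip()
    return stats


def operation_healthy(stats: Dict[str, str], max_rtt_ms: int) -> bool:
    """Return code OK, no connection loss, no timeout, latest RTT within bound."""
    return (stats.get("Latest operation return code") == "OK"
            and stats.get("Connection loss occurred") == "FALSE"
            and stats.get("Timeout occurred") == "FALSE"
            and int(stats.get("Latest RTT (milliseconds)", "0")) <= max_rtt_ms)


def rtt_summary(stats: Dict[str, str]) -> Optional[Dict[str, float]]:
    """Mean and population standard deviation from the running sums:
    Var = RTTSum2/N - (RTTSum/N)^2. Returns None when no probe completed."""
    n = int(stats.get("NumOfRTT", "0"))
    if n == 0:
        return None
    mean = int(stats["RTTSum"]) / n
    variance = max(int(stats["RTTSum2"]) / n - mean * mean, 0.0)   # clamp rounding noise
    return {"mean": mean, "stddev": math.sqrt(variance),
            "min": float(stats["RTTMin"]), "max": float(stats["RTTMax"])}


if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("timeout", SAMPLE_TIMEOUT)):
        parsed = parse_ipsla_statistics(sample)
        print(name, operation_healthy(parsed, max_rtt_ms=10), rtt_summary(parsed))
```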

Network Time Protocol
This topic describes basic Network Time Protocol operations.

• Network Time Protocol (NTP) provides time synchronization between


network devices.
• NTP can get the correct time from an internal or external time source:
- Local master clock
- Master clock in the Internet
- Global Positioning System (GPS) or atomic clock
• A router can act as a time server for dependent routers. (NTP uses a
hierarchical model.)
• NTP uses UDP port 123 as its transport layer.
• Cisco IOS XR Software implements NTPv4.
• NTPv4 retains backwards compatibility with the older versions of NTP.


The NTP is a protocol for synchronizing the clocks of computer systems over packet-switched,
variable-latency data networks. NTP allows routers on your network to synchronize their time
settings with an NTP server. A group of NTP clients that obtains time and date information
from a single source will have more consistent time settings.
The operational details of NTP are illustrated in RFC 778, RFC 891, RFC 956, RFC 958, and
RFC 1305.
The current reference implementation is NTP version 4 (NTPv4). However, as of 2005, only
versions up to version 3 have been documented in RFCs. Cisco IOS Software and IOS XE
Software implements the NTP protocol version 3 (NTPv3), while Cisco IOS XR Software
implements NTPv4. NTPv4 retains backwards compatibility with the older versions of NTP,
including NTPv3 and NTPv2, but excluding NTPv1, which has been discontinued due to
security vulnerabilities.
NTP uses UDP as its underlying transport mechanism. The UDP port that has been assigned to
NTP is 123.



• Correct time allows tracking of events in the network in the correct order.
• Clock synchronization is critical for the correct interpretation of events
within syslog data.
• Clock synchronization is critical for digital certificates.


Networks use NTP to synchronize the clocks of various devices across a network. Clock
synchronization within a network is critical for digital certificates and for correct interpretation
of events within syslog data. A secure method of providing clocking for the network is for
network administrators to implement their own private network master clocks, synchronized to
Coordinated Universal Time (UTC), using satellite or radio. However, if network
administrators do not wish to implement their own master clocks because of cost or other
reasons, other clock sources are available through the Internet.

NTP Stratum Levels
This topic describes the NTP stratum levels.

• NTP uses a hierarchical system.


• Stratum levels distinguish quality of sources (levels 0–16).
• Stratum levels define the distance from the reference clock and the
associated accuracy:
- Stratum-0: A reference clock
- Stratum-1: Directly linked (no NTP) to a stratum-0 device
- Stratum-2: Gets its time via NTP from a stratum-1 server
- Stratum-3: Gets its time via NTP from a stratum-2 server


NTP uses a hierarchical system of “clock strata.” The stratum levels define the distance from
the reference clock and the associated accuracy.
In the world of NTP, stratum levels define the distance from the reference clock. A reference
clock is a stratum-0 device that is assumed to be accurate, and has little or no delay associated
with it. Stratum-0 servers cannot be used in the network—instead, they are directly connected
to computers, which then operate as stratum-1 servers.
A server that is directly linked to a stratum-0 device is called a stratum-1 server. This includes
all time servers with built-in stratum-0 devices and those with direct links to stratum-0 devices,
such as over an RS-232 connection or via an IRIG-B (the most common version of Inter Range
Instrumentation Group [IRIG]) time code. The basic definition of a stratum-1 time server is that
it is directly linked (not over a network path) to a reliable source of UTC time, such as Global
Positioning System (GPS), WWV (radio station), or Code Division Multiple Access (CDMA)
transmissions. A stratum-1 time server acts as a primary network time standard.
Higher stratum levels are distanced from the stratum-1 server over a network path. Thus, a
stratum-2 server gets its time over a network link, via NTP, from a stratum-1 server. A stratum-
3 server gets its time over a network link, via NTP, from a stratum-2 server, and so on.

Note As you progress through different strata, there are network costs involved that reduce the
accuracy of the NTP server in relation to UTC. A stratum-1 time server will typically have
less than 1 ms accuracy to UTC, depending on its reference clock. On the Internet, because
of network delays, a stratum-2 time server will have anywhere from 10 to 100 ms accuracy
to UTC, and each subsequent time server will add an additional 10 to 100 ms of inaccuracy.



NTP Architecture
This topic describes the NTP architecture.

These three structures are available for NTP architecture:


• Flat peer structure (symmetric active/passive)
• Hierarchical structure (client/server)
• Star structure (client/server and symmetric active/passive)


In a flat peer structure, all routers peer with each other, with a few geographically separate
routers configured to point to external systems. The convergence of time becomes longer with
each new member of the NTP mesh.
In a hierarchical structure, the routing hierarchy is copied for the NTP hierarchy. Core routers
have a client/server relationship with external time sources, the internal time servers have a
client/server relationship with the core routers, the internal customer routers (non-time servers)
have a client/server relationship with the internal time servers, and so on down the tree. These
relationships are called hierarchy scales.
In a star structure, all the routers have a client/server relationship with a few peer-to-peer time
servers in the core. The dedicated time servers are the center of the star and are usually UNIX
systems synchronized with external time sources or their own GPS receiver.

• Client is synchronized with the master server
• Dependent server is synchronized with server that is higher in hierarchy

Figure: an atomic clock (stratum 0) feeds an NTP server (stratum 1); two NTP
client/servers (stratum 2) synchronize from it, and NTP clients synchronize
from the stratum-2 servers.

NTP is hierarchical in nature such that the lower stratum numbers are closer to the source of the
time authority.

Client/Server Mode
Dependent clients and servers normally operate in client/server mode, in which a client or
dependent server can be synchronized to a server that is higher in the hierarchy. In some
contexts, this would be described as a poll operation, in that the client polls the time and
authentication data from the server. In a common client/server model, a client sends an NTP
message to one or more servers, and processes the replies as received.
Servers that provide synchronization to a sizeable population of clients normally operate as a
group of two or more mutually redundant servers. This provides protection against
malfunctions in which one or more servers fail to operate or provide incorrect time.



• Peers are synchronized with server that is higher in hierarchy.
• Peers operate as mutual backups for each other.
• Clients are synchronized with servers that are higher in hierarchy (peers).

Figure: an atomic clock (stratum 0) feeds an NTP server (stratum 1); two NTP
peers (stratum 2) synchronize from it and back each other up, and NTP clients
synchronize from the peers.

In a star structure, the routers have a client/server relationship with a few peer-to-peer time
servers in the core. Devices that are at the same stratum can be configured as peers so that they
can work together to determine the correct time by making minute adjustments.

Symmetric Active/Passive Mode


Symmetric active/passive mode is intended for configurations in which a group of low stratum
peers operate as mutual backups for each other. Each peer operates with one or more primary
reference sources. If one of the peers loses all reference sources or simply ceases operation, the
other peers automatically reconfigure so that time values can flow from the surviving peers to
all the others in the group. In some contexts, this is described as a push-pull operation, in which
the peer either pulls or pushes the time and values, depending on the particular configuration.
Symmetric modes are most often used between two or more servers operating as a mutually
redundant group. If one or more of the group members fails, the remaining members
automatically reconfigure as required.

Note Where the requirements in accuracy and reliability are modest, clients can be configured to
use broadcast or multicast modes instead of the client/server mode. The clients do not need
to be configured for a specific server, allowing all operating clients to use the same
configuration file. Broadcast mode requires a broadcast server on the same subnet.
Because broadcast messages are not propagated by routers, only broadcast servers on the
same subnet are used.

Configuring NTP on Cisco Devices
This topic describes how to configure NTP on Cisco devices.

Configuration Scenario
• Make router PE1 an authoritative NTP server as stratum 1
• Disable NTP services on router PE1 Gi 0/0/0/1 interface
• Make router CE1 form a server association with router PE1
• Verify that CE1 clock is synchronized with PE1 clock

Figure: CE1 (IOS), Gi 0/0 with address 10.11.11.1, connects to PE1 (IOS XR),
Gi 0/0/0/0 with address 10.11.11.2; PE1 has a second interface, Gi 0/0/0/1.

The figure shows an example configuration scenario. Router CE1 (running Cisco IOS
Software) will be configured as an NTP client, while router PE1 (running Cisco IOS XR
Software) will serve as an authoritative NTP server.
NTP services will be disabled on the PE1 interface, GigabitEthernet 0/0/0/1. Configuration will
be shown for PE1 and CE1.



Configuration
Topology: CE1 (IOS) Gi 0/0, 10.11.11.1, connects to PE1 (IOS XR) Gi 0/0/0/0,
10.11.11.2; PE1 Gi 0/0/0/1 faces 10.10.10.253.

CE1 (IOS):
! Forms a server association with another system, PE1 in this case
ntp server 10.11.11.2

PE1 (IOS XR):
! Enters NTP configuration mode
ntp
 ! Makes the router an authoritative NTP server
 master 1
 ! Disables NTP services on the specified interface
 interface GigabitEthernet 0/0/0/1 disable
!

The figure shows the configuration for NTP both on Cisco IOS Software and on Cisco IOS XR
Software. Router CE1 (running Cisco IOS Software) is configured as an NTP client, while
router PE1 (running Cisco IOS XR Software) is configured as an NTP server.
To configure PE1 as an NTP server, use the ntp global command to enter NTP configuration
mode. To form a server association with another system, use the server ip-address command in
NTP configuration mode. This step can be repeated as necessary to form associations with
multiple devices. To disable NTP services on the specified interface, use this command in NTP
configuration mode:
interface type interface-path-id disable
To configure router CE1 as an NTP client, use the ntp server ip-address command in global
configuration mode.
This is the configuration for the NTP client on the device that is running Cisco IOS Software:
ntp
server 10.11.11.2
!

Verification
CE1# show ntp associations

address ref clock st when poll reach delay offset disp
*~10.11.11.2 .LOCL. 1 32 64 377 2.374 -7.110 2.611
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

• Displays the status of NTP associations

CE1# show ntp status

Clock is synchronized, stratum 2, reference is 10.11.11.2
nominal freq is 250.0000 Hz, actual freq is 250.0001 Hz, precision is 2**24
reference time is D1FC9EAF.6E26E4CE (09:23:59.430 UTC Mon Aug 22 2011)
clock offset is -7.1106 msec, root delay is 2.37 msec
root dispersion is 14.64 msec, peer dispersion is 2.61 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is -0.000000334 s/s
system poll interval is 64, last update was 64 sec ago.

• Displays the status of NTP

To display the status of NTP associations, use the show ntp associations command in
privileged EXEC mode.
Significant fields shown in the display are as follows:
 *: Peer is synchronized to this peer
 ~: Indicates that peer is statically configured
 address: Address of the peer
 st: Stratum setting for the peer

To display the status of NTP, use the show ntp status command in EXEC mode.
Significant fields shown in the display are as follows:
 synchronized: Synchronized system to an NTP peer
 stratum: NTP stratum of this system
 reference: Address of the peer to which clock is synchronized
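The verification step of the scenario (confirm that the CE1 clock is synchronized with PE1), as an added Python example that is not Cisco code. It parses the show ntp associations and show ntp status output from the figure, embedded here as sample input, together with a constructed pair of outputs for an unreachable server, and applies the checks an operator would make: a selected sys.peer (*), reachability in recent polls (reach is an octal shift register of the last eight polls), a bounded offset, and a local stratum one higher than the server's, as the stratum topic describes. The offset and reach thresholds are assumptions for the example.

```python
"""Verify NTP client state from 'show ntp associations' and 'show ntp status'.

Added example, not Cisco code. The *_SAMPLE texts are the outputs shown in the
figure; the *_BAD texts are constructed for the failure case.
"""
import re
from typing import Dict, List, Optional

ASSOC_SAMPLE = """\
address ref clock st when poll reach delay offset disp
*~10.11.11.2 .LOCL. 1 32 64 377 2.374 -7.110 2.611
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
"""
STATUS_SAMPLE = """\
Clock is synchronized, stratum 2, reference is 10.11.11.2
nominal freq is 250.0000 Hz, actual freq is 250.0001 Hz, precision is 2**24
"""
# Constructed: server never answered (reach 0), so nothing is selected.
ASSOC_BAD = """\
address ref clock st when poll reach delay offset disp
 ~10.11.11.2 .INIT. 16 - 64 0 0.000 0.000 16000.0
"""
STATUS_BAD = "Clock is unsynchronized, stratum 16, no reference clock\n"

# Tally characters (*#+-x~) precede the address with no space.
ASSOC_RE = re.compile(
    r"^(?P<tally>[*#+x~-]{0,2})(?P<address>\S+)\s+(?P<refclk>\S+)\s+(?P<st>\d+)\s+"
    r"(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)\s+"
    r"(?P<delay>-?[\d.]+)\s+(?P<offset>-?[\d.]+)\s+(?P<disp>-?[\d.]+)\s*$")
STATUS_RE = re.compile(
    r"Clock is (?P<state>synchronized|unsynchronized), stratum (?P<st>\d+)"
    r"(?:, reference is (?P<ref>\S+))?")


def parse_associations(text: str) -> List[Dict[str, object]]:
    """One dict per association row; header and legend lines do not match."""
    peers: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = ASSOC_RE.match(line.strip())
        if not m:
            continue
        reach = int(m["reach"], 8)                     # octal bitmask of the last 8 polls
        peers.append({"address": m["address"], "stratum": int(m["st"]),
                      "sys_peer": "*" in m["tally"], "configured": "~" in m["tally"],
                      "reach_count": bin(reach).count("1"),
                      "offset_ms": float(m["offset"]), "delay_ms": float(m["delay"])})
    return peers


def parse_status(text: str) -> Optional[Dict[str, object]]:
    """Synchronization state, local stratum and reference from 'show ntp status'."""
    m = STATUS_RE.search(text)
    if not m:
        return None
    return {"synchronized": m["state"] == "synchronized",
            "stratum": int(m["st"]), "reference": m["ref"]}


def ntp_health(assoc_text: str, status_text: str,
               max_offset_ms: float = 50.0, min_reach: int = 6) -> Dict[str, object]:
    """Combine both outputs into a verdict and a list of findings."""
    peers = parse_associations(assoc_text)
    status = parse_status(status_text)
    problems: List[str] = []
    if status is None or not status["synchronized"]:
        problems.append("clock is not synchronized")
    sys_peer = next((p for p in peers if p["sys_peer"]), None)
    if sys_peer is None:
        problems.append("no sys.peer selected")
    else:
        if sys_peer["stratum"] >= 16:
            problems.append("sys.peer itself is unsynchronized (stratum 16)")
        if sys_peer["reach_count"] < min_reach:
            problems.append(f"sys.peer answered only {sys_peer['reach_count']} of the last 8 polls")
        if abs(sys_peer["offset_ms"]) > max_offset_ms:
            problems.append(f"offset {sys_peer['offset_ms']} ms exceeds {max_offset_ms} ms")
        if status and status["stratum"] != sys_peer["stratum"] + 1:
            problems.append("local stratum is not the server stratum plus one")
    return {"healthy": not problems, "problems": problems,
            "sys_peer": sys_peer, "status": status}


if __name__ == "__main__":
    print(ntp_health(ASSOC_SAMPLE, STATUS_SAMPLE))
    print(ntp_health(ASSOC_BAD, STATUS_BAD))
```

For the figure's output the verdict is healthy: the configured peer 10.11.11.2 is the sys.peer at stratum 1, reach 377 means all of the last eight polls were answered, the offset is about -7 ms, and CE1 reports stratum 2, one more than its server.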



Smart Call Home
This topic describes the Smart Call Home feature on Cisco devices.

Figure: Smart Call Home flow between the customer and the Cisco TAC. The
customer device sends Call Home messages (diagnostics, environmental, syslog,
inventory and configuration) to Cisco, where they are stored in the Call Home
database, run through the automated diagnosis capability, and tracked in the
service request tracking system. Interactive Technical Services at the Cisco
TAC return customer notifications, device and message reports, and
exception/fault analysis to the customer.

The Smart Call Home feature enables Cisco devices to send diagnostic information directly to
Cisco TAC, significantly reducing the time to solve minor hardware problems and shortening
the Return Materials Authorization (RMA) cycle.
Smart Call Home provides the capability for a customer to configure call home profiles that
define:
 Destination
 Transport
 Events of interest

For example, a customer might configure a profile to allow an individual to be paged at home
via short text email when a major diagnostic failure occurs. Or, all syslog events might be sent
via HTTPS to a network management station.

Smart Call Home and Cisco TAC
Certain events can send Call Home messages via HTTPS (or email) to Cisco TAC. These cases
are covered in the Smart Call Home feature by including a default Call Home profile for Cisco
TAC.
The events of interest are:
 Diagnostics
 Environmental
 High severity syslog
 Inventory and configuration

Note Any of these message types can be removed by customers. In addition, if customers choose
to send configurations, sensitive details such as passwords will be removed.

Upon receipt of a Smart Call Home message at Cisco, the first step is entitlement processing.
Customers need to have a standard Cisco SMARTnet support contract to be entitled to the
Smart Call Home service.
Next, the message is passed to the rules processor that will inspect the message and determine
what next steps to take. If the situation is serious enough (module failure or fan failure, for
example), a service request will be raised directly with the Cisco TAC and routed to the correct
team to handle the problem.
If a service request is not raised, then the message is stored along with the associated analysis
of the problem for a customer or TAC engineer to use as part of their troubleshooting. Smart
Call Home then has the option of proactively notifying the customer of problems which are
likely to be emerging issues rather than issues with which the TAC can deal (for example, high
temperature alarms, independent of any fan failures, or accumulating single-bit memory errors).
If Smart Call Home does not notify the customer, then the customer or TAC engineer will be
able to access all messages, along with Cisco analysis, on the Smart Call Home web
application. Also available on the Smart Call Home web application are reports on the device
hardware, software, and configurations that are cross-referenced against any field notices,
security alerts, and end-of-life notifications.



• Provides an email-based notification for critical system policies
• You can use this feature to do the following:
- Page a network support engineer
- Email a Network Operations Center
- Generate a case with the TAC
• Delivers alert messages containing information about diagnostics and
environmental faults and events
• Delivers alerts to multiple recipients, referred to as Call Home
destination profiles:
- Each profile includes configurable message formats and content categories.
- A predefined destination profile is provided for sending alerts to the Cisco
TAC, but you also can define your own destination profiles.


Smart Call Home provides an email-based notification for critical system policies. A range of
message formats is available for compatibility with pager services or XML-based automated
parsing applications. You can use this feature to page a network support engineer, email a
Network Operations Center, or to generate a case with the Cisco TAC.
The Smart Call Home feature can deliver alert messages containing information about
diagnostics and environmental faults and events.
The Smart Call Home feature can deliver alerts to multiple recipients, referred to as Call Home
destination profiles. Each profile includes configurable message formats and content categories.
A predefined destination profile is provided for sending alerts to the Cisco TAC, but you also
can define your own destination profiles.
When you configure Smart Call Home to send messages, the appropriate CLI show command
is executed and the command output is attached to the message.
Smart Call Home messages are delivered in the following formats:
 Short text format: Provides a one- or two-line description of the fault that is suitable for
pagers or printed reports
 Full text format: Provides a fully formatted message with detailed information that is
readable.
 XML machine readable format: Uses Extensible Markup Language (XML) and Adaptive
Messaging Language (AML) XML schema definition (XSD). The AML XSD is published
on the Cisco.com website at http://www.cisco.com/. The XML format enables
communication with the Cisco TAC.

Opening a TAC Request
This topic describes the procedure of opening a Cisco TAC case request.

• Cisco Technical Support provides 24-hour-a-day technical assistance.


- Cisco Technical Support website provides online documents and tools for
troubleshooting and resolving technical issues with Cisco products and
technologies at http://www.cisco.com/techsupport.
• TAC Service Request Tool is the fastest way to open service requests.
- If your issue is not resolved by using the recommended resources, your
service request will be assigned to a Cisco TAC engineer.
- Find the TAC Service Request Tool at this URL:
http://www.cisco.com/techsupport/servicerequest
• For a complete list of Cisco TAC contacts:
- http://www.cisco.com/techsupport/contacts


Customers, partners, resellers, and distributors who hold valid Cisco service contracts can use
Cisco TAC for 24-hour-a-day technical assistance. The Cisco Technical Support website
provides online documents and tools for troubleshooting and resolving technical issues with
Cisco products and technologies. The URL of the website is as follows:
http://www.cisco.com/techsupport
Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service
requests. (S3 and S4 service requests are those requests in which your network is minimally
impaired or for which you require product information.) After you describe your situation, the
TAC Service Request Tool automatically provides recommended solutions. If your issue is not
resolved by using the recommended resources, your service request will be assigned to a Cisco
TAC engineer. Find the TAC Service Request Tool at this URL:
http://www.cisco.com/techsupport/servicerequest
For S1 or S2 service requests, or if you do not have Internet access, contact the Cisco TAC by
telephone. (S1 or S2 service requests are those requests in which your production network is
down or severely degraded.) Cisco TAC engineers are immediately assigned to S1 and S2
service requests to help keep your business operations running smoothly.
To open a service request by telephone, use one of the following numbers:
Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
U.S.: 1 800 553-2447
For a complete list of Cisco TAC contacts, go to this URL:
http://www.cisco.com/techsupport/contacts



• When you open a case with the Cisco TAC, you must provide
preliminary information to better identify and qualify the issue.
• For all issues, always provide the following information to TAC:
- Network layout
- Problem description
- General information
• Opening a case online gives it priority over cases opened in other ways.
- High-priority cases (P1 and P2) provide an exception to this rule
• You may resolve issues quickly by allowing the TAC engineer remote
access to the devices.


When you open a case with the Cisco TAC, you must provide preliminary information to
identify and qualify the issue. You may need to provide additional information, depending on
the nature of the issue.
For all issues, always provide the following information to TAC. Collect and save this
information for use upon opening a TAC case and update it regularly with any changes:
 Network Layout: Provide a detailed description of the physical and logical setup, as well
as all network elements involved in the network. Ideally, submit a Visio or other detailed
diagram, such as a JPG file.
 Problem Description: Provide step-by-step detail of actions that the user performed when
the issue occurs. Ensure that the detailed information includes expected behavior and
detailed observed behavior.
 General Information
Opening a case online through Cisco.com gives it initial priority over all other case-opening
methods. High-priority cases (P1 and P2) provide an exception to this rule. Provide an accurate
problem description when you open a case. That description of the problem might return web
links that may provide you with an immediate solution. If you do not find a solution to your
problem, continue the process of sending your case to a TAC engineer.
You may resolve many issues quickly by allowing the TAC engineer remote access to the
devices. Ensure that firewalls do not obstruct traffic during engineer intervention and that all
necessary services, such as Terminal Services, start on the servers.


To open a TAC request, navigate to the TAC Service Request Tool at this URL:
http://www.cisco.com/techsupport/servicerequest.
Navigate through guided steps and fill in the required fields.



Summary
This topic summarizes the key points that were discussed in this lesson.

• SPAN copies traffic from one or more source ports to a destination port
for analysis.
• SPAN can monitor receive, transmit, or both traffic types.
• An SLA is a contract between the provider and its customers to provide
a guarantee of service level.
• IP SLA is a tool in Cisco IOS to verify network operation.
• IP SLA periodically checks availability of a service and reports failures.
• IP SLA checks run between two nodes: source and responder.
• Role of the IP SLA responder is to provide better measurements.
• IP SLA tasks must first be defined and then scheduled.
• NTP provides time synchronization between network devices.
• NTP is hierarchically organized into stratum levels.
• The lower the level of the stratum the closer the server is to the clock
source.


• Cisco IOS devices can function as NTP servers and NTP clients.
• The Smart Call Home feature enables Cisco devices to send diagnostic
information directly to Cisco TAC.
• Using the online TAC Service Request Tool is the fastest way to open
service requests.


Lesson 3

Implementing AAA
Overview
Authentication, authorization, and accounting (AAA) is widely supported in Cisco IOS
Software, IOS XE Software, and IOS XR Software as an additional security service available
for securing administrative access to network devices and user access to network resources.
One of the options that you have available when you configure your network device to work
with AAA is to use a local username-password database on the network device to provide more
security than a simple password. It is likely that smaller organizations will configure AAA to
operate locally. On the other hand, Cisco Secure Access Control Server (ACS) provides a
centralized identity networking solution and simplified user management experience across all
Cisco devices and security management applications. This lesson will focus on using the local
database on the Cisco routers for implementing AAA services. Cisco Secure ACS coverage is
outside the scope of this course.

Objectives
Upon completing this lesson, you will be able to describe the basic configuration of AAA. This
ability includes being able to meet these objectives:
 Describe the AAA framework
 Describe implementing AAA using local authentication
 Describe implementing AAA using external authentication servers
 Describe how to configure a Cisco router to perform AAA using a local database for
authentication
 Describe the benefits of implementing AAA services using external authentication servers
 Describe and compare the TACACS+ and RADIUS AAA protocols
 Describe how to configure a Cisco router to perform AAA using an external authentication
server
 Describe how to configure AAA authorization and accounting
AAA Overview
This topic describes the AAA framework, which makes it possible to configure access control
in a consistent manner. Each of these functions is configured independently and they are able to
use standard, widely supported methods.

• Authentication
- Who are you?
- “I am user administrator and my password admin proves it.”
• Authorization
- What can you do? What can you access?
- “User administrator can access host serverXYZ using Telnet.”
• Accounting
- What did you do? How long did you do it?
How often did you do it?
- “User administrator accessed host serverXYZ using Telnet for
15 minutes.”


Access control enables you to control access to network devices and the services that are
available when access is granted. AAA network security services provide the primary
framework through which you set up access control on your routers and switches. AAA
services provide a higher degree of scalability than the line-level and privileged EXEC
authentication commands alone.
Unauthorized access in service provider environments creates the potential for network
intruders to gain access to sensitive network equipment and services. Cisco AAA architecture
enables systematic and scalable access security.
Network and administrative access security in the Cisco environment, whether it involves
campus, dial-up, IP security (IPsec), or Secure Sockets Layer (SSL) virtual private network
(VPN) access, is based on a modular architecture that has three functional components:
 Authentication: Authentication requires users and administrators to prove that they really
are who they say they are. Authentication is established using a username and password,
challenge and response, token cards, and other methods. A user may say, for example, “I
am user administrator and my password admin proves it.”
 Authorization: After authenticating the user and administrator, authorization services
decide which resources the user and administrator are allowed to access and which
operations the user and administrator are allowed to perform, such as “User administrator
can access host server XYZ using Telnet.”
 Accounting and auditing: Accounting records what the user and administrator actually
did, what they accessed, and for how long they accessed it. Accounting keeps track of how
network resources are used, such as “User administrator accessed host server XYZ using
Telnet for 15 minutes.”

• AAA provides the primary framework to set up access control on your
network device.
• Authentication, authorization, and accounting can be configured
independently and consistently.
• AAA services may be self-contained in the network device.
• You can use standard protocols for security (RADIUS, TACACS+,
Kerberos).
• AAA supports multiple backup systems if primary AAA fails.


Authentication is the way that a user is identified before being allowed access to the network
and network services. There are several ways to determine this, the simplest and most
straightforward being a username and password dialog. Among more advanced methods, the
challenge and response method provides authentication and increased security, because it does
not exchange user identification data across the connection. Users can authenticate using
certificates as well—using something they have (the certificate) and something that they know
(the PIN or other passphrase).
Authorization provides a method for remote access control. AAA authorization works by
providing each user with a set of attributes that describe actions that the user is allowed to
perform. These attributes are stored in a database, which can be local on the router or stored on
a remote security server, such as RADIUS or TACACS+.
Accounting enables you to track the services that the users are accessing and how much
resource use that they consume. This information can be used for billing, auditing, and
reporting (for example, user identities, start and stop time, executed commands, as well as
numbers of packets and bytes transferred).
When AAA accounting is activated, the network devices report all user activities to the
RADIUS or TACACS+ security server, depending on the security method implemented.
AAA uses protocols, such as RADIUS, TACACS+, or Kerberos, to handle security functions.
AAA is meant as the primary and recommended method for access control on Cisco devices.
However, Cisco IOS Software and IOS-XE Software have additional features for simple access
control, in case you do not need or want to configure AAA:
 Local username authentication
 Console and line password authentication
 Enable password authentication

These features do not provide the same level of access control as AAA, but you can use them,
depending on your needs.



Implementing Authentication Using Local
Authentication
This topic describes how to implement AAA using local authentication.

1. The client establishes a connection with the router.


2. The router prompts the user for a username and password.
3. The router authenticates the username and password in the local
database. The user is authorized to access the network based on
information in the local database

[Figure: a remote client connects to the router (1), the router prompts for a username and password (2) and checks them against its local database (3)]

If you have one or two routers providing access to your network for a limited number of users,
you may store username and password security information locally on the Cisco routers. This is
referred to as local authentication on a local security database. Local authentication is
characterized as follows:
 It is used for small networks.
 It stores the username and password in the Cisco router.
 The user authenticates against the local security database on the Cisco router.
 It does not require an external database.

The system administrator must populate the local security database by specifying username and
password profiles for each user that might log in. The figure shows how local authentication
typically works:
1. The client establishes a connection with the router.

2. The router prompts the user for a username and password.

3. The router authenticates the username and password in the local database. The user is
authorized to access the router (administrative access) or the network based on information
in the local database.

Implementing Authentication Using External
Authentication Servers
This topic describes how to implement AAA using external authentication servers.

1. The client establishes a connection with the router.


2. The router prompts the user for a username and password.
3. The router passes the username and password to the Cisco Secure
Access Control Server (ACS) (server or engine).
4. The Cisco Secure ACS authenticates the user. The user is authorized
to access the router (administrative access) or the network based on
information found in the Cisco Secure ACS database.

[Figure: a remote client connects to the router (1), the router prompts for a username and password (2), passes them to Cisco Secure ACS (3), and Cisco Secure ACS authenticates the user (4)]

The problem with local implementations of AAA is that they do not scale well. Service
provider environments have multiple Cisco routers. Maintaining local databases for each Cisco
router for this size of network is not feasible. One or more Cisco Secure ACS systems (servers
or engines) can manage the entire user and administrative access needs for an entire corporate
network using one or more databases. External AAA systems, such as the Cisco Secure ACS
for Windows or Cisco Secure ACS Solution Engine, communicate with Cisco routers using the
TACACS+ or RADIUS protocols to implement AAA functions.
The figure shows how external authentication typically works:
1. The user establishes a connection with the router.
2. The router prompts the user for a username and password.

3. The router passes the username and password to the Cisco Secure ACS (server or engine).

4. The Cisco Secure ACS authenticates the user. The user is authorized to access the router
(administrative access) or the network based on information that is found in the Cisco
Secure ACS database.



Configuring Authentication Using the Local
Database
This topic describes how to configure a Cisco IOS XR router to perform AAA using a local
database for authentication.

• Users are defined using username command


• Users may belong to one or more groups
• Password can be set using password or secret command
- secret stores the password md5 hashed
- password stores the password obscured using Cisco algorithm
- secret always overrides password if both are configured

IOS XR:
#admin configure
(admin-config)#username user1
(admin-config-un)#group netadmin
(admin-config-un)#group root-lr
(admin-config-un)#secret newpassword
(admin-config-un)#password oldpassword
!
admin configure enters admin configuration mode. username creates a name for a new user.
group assigns the user to a user group that has already been defined through the usergroup
command. secret and password specify a password for the user.

AAA is part of the Cisco IOS XR Software base package and is available by default. The first
step to configure AAA services for local authentication is to create users in the local database
of the Cisco device.
Cisco IOS XR Software operates in two planes: administration (admin) and secure domain
router (SDR). Basic prerequisites, such as a root-system user and SDR users, along with task
and user groups, are required.
The admin plane has complete responsibility (administrative and nonadministrative) for the
physical and owner SDR, and some administrative responsibilities for all other non-owner
SDRs.
The admin plane is accessible to only the root-system user. Each user is identified by a
username that is unique across the administrative domain. Each user should be made a member
of at least one user group. Deleting a user group may orphan the users that are associated with
that group.
Users are defined with the username command in global admin configuration mode in Cisco
IOS XR Software. Use the group command to assign the user to a user group that has already
been defined through the usergroup command. To specify a password for the user, use the
secret command.
To configure a user on Cisco IOS Software, use this command:
username user1 password newpassword
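The three storage rules on the slide (secret stores a hash, password stores a reversibly obscured value, secret overrides password when both are present) are the kind of thing worth checking mechanically before a configuration is pushed. The following Python audit is an added example, not course material or Cisco code: it parses username stanzas in the indented Cisco IOS XR form and the one-line Cisco IOS form, and flags users that rely only on password, users with both forms configured (where the password line is dead configuration), and IOS XR users with no user group. The sample configuration is constructed for illustration; the secret 5 value in it is a placeholder, not a real hash.

```python
"""Audit local-user stanzas in a Cisco IOS XR or Cisco IOS configuration.

Added example, not Cisco code. Findings follow the lesson text: 'secret'
stores an MD5 hash, 'password' stores a reversibly obscured value, 'secret'
overrides 'password' when both exist, and each IOS XR user should belong to
at least one user group.
"""

PASSWORD_ONLY = "password only: stored reversibly obscured, configure secret instead"
BOTH_SET = "secret and password both set: secret takes effect, password line is dead configuration"
NO_GROUP = "no group membership: user should belong to at least one user group"
NO_CREDENTIAL = "no secret or password configured"

# Constructed sample configuration; the 'secret 5' value is a placeholder, not a real hash.
SAMPLE_XR_CONFIG = """\
username user1
 group netadmin
 group root-lr
 secret newpassword
 password oldpassword
!
username user2
 password onlyobscured
!
username user3
 group sysadmin
 secret 5 $1$PLACEHOLDER$notarealhashvalue000000
!
"""


def parse_users(config):
    """Return {username: {"groups": [...], "secret": bool, "password": bool}}.

    Handles IOS XR submode stanzas (indented lines until '!') and the IOS
    one-line form 'username NAME password|secret VALUE'.
    """
    users = {}
    current = None
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        # A '!' or any non-indented, non-username line ends the current stanza.
        if tokens[0] == "!" or (not raw.startswith(" ") and tokens[0] != "username"):
            current = None
            continue
        if tokens[0] == "username" and len(tokens) >= 2:
            current = tokens[1]
            users[current] = {"groups": [], "secret": False, "password": False}
            rest = tokens[2:]          # one-line IOS form carries the keyword here
        elif current is None:
            continue
        else:
            rest = tokens              # indented IOS XR submode line
        if rest:
            if rest[0] == "group" and len(rest) > 1:
                users[current]["groups"].append(rest[1])
            elif rest[0] == "secret":
                users[current]["secret"] = True
            elif rest[0] == "password":
                users[current]["password"] = True
    return users


def audit_users(config):
    """Return {username: [finding, ...]}; an empty list means nothing to report."""
    findings = {}
    for name, info in parse_users(config).items():
        notes = []
        if info["password"] and not info["secret"]:
            notes.append(PASSWORD_ONLY)
        if info["password"] and info["secret"]:
            notes.append(BOTH_SET)
        if not info["password"] and not info["secret"]:
            notes.append(NO_CREDENTIAL)
        if not info["groups"]:
            notes.append(NO_GROUP)
        findings[name] = notes
    return findings


if __name__ == "__main__":
    for user, notes in audit_users(SAMPLE_XR_CONFIG).items():
        print(user, notes or "ok")
```

Run against the sample, user1 reports only the dead password line, user2 reports both the password-only storage and the missing group, and user3 is clean. The group check is meaningful for IOS XR stanzas; on a Cisco IOS one-line entry it simply records that no group keyword was seen.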

• AAA configuration uses method lists to define an order of preference for
the source of AAA data.
• Configure authentication by defining a named list of authentication
methods.
- The list defines the type of authentication methods and the sequence in which
they are preferred
• Apply method list to applications that use those services:
- Console
- vty

[Figure: AAA authenticates the user against the local AAA database before granting access to the network]

AAA configuration uses method lists to define an order of preference for the source of AAA
data. More than one method list may be defined, and different applications (such as login)
may use different lists. For example, the console and auxiliary ports may use one method list
and the vty ports may use another. If no method list is specified for an application, the
application uses the default method list.
There are three possible method lists:
 Authentication method list
 Authorization method list
 Accounting method list

On Cisco routers, you configure AAA authentication by defining a named list of authentication
methods and then applying that list to applications that use those services. The method list
defines the types of authentication to be performed and the sequence in which they will be
performed. The method list must be applied to a specific application before any of the defined
authentication methods will be performed. The only exception is the default method list.

Note The default method list is automatically applied to all applications if no other method list is
defined. A defined method list overrides the default method list.

You can also configure method lists for authorization and accounting services and apply those
method lists for applications that use those services (console, vty, auxiliary, and so on).



• Creates a series of authentication methods, or a method list:
In Cisco IOS XR Software, use this command:
aaa authentication {login | ppp} {default | list-name | remote} method-list

• Use the login keyword to set authentication for login.


• Use the ppp keyword to set authentication for PPP.
• Use the default keyword to cause the listed authentication methods that
follow this keyword to be the default list of methods for authentication
• Enter a list-name character string to identify the authentication method
list.
• Enter method-list types in the preferred sequence.


To create a method list for authentication, use the aaa authentication command in global
configuration mode or administration configuration mode. To disable this authentication
method, use the no form of this command.
aaa authentication {login | ppp} {default | list-name | remote} method-list
Follow these guidelines when you configure authentication method lists:
 Using the login keyword sets authentication for login. Using the ppp keyword sets
authentication for PPP.
 Entering the default keyword causes the listed authentication methods that follow this
keyword to be the default list of methods for authentication.
 Entering a list-name character string identifies the authentication method list.

Enter a method-list argument following the method list type. Method list types are entered in
the preferred sequence. The listed method types are any one of the following options:
 group tacacs+: Use a server group or TACACS+ servers for authentication
 group radius: Use a server group or RADIUS servers for authentication
 group named-group: Use a named subset of TACACS+ or RADIUS servers for
authentication
 local: Use a local username or password database for authentication
 line: Use line password or user group for authentication

• The authentication can be applied to tty lines through use of the login
authentication line configuration submode command:
In Cisco IOS XR Software:
line template template-name
login authentication list-name
!
vty-pool {default | pool-name | eem} first-vty last-vty [line-template
{default | template-name}]

• Modify the template for virtual lines by configuring a user-defined


template with the line template template-name command.
• Apply the line template to a range of virtual terminal lines using the vty
pool command.


You can apply the authentication to tty lines by using the login authentication line
configuration submode command.
The following guidelines apply to modifying the console template and to configuring a user-
defined template:
 Modify the templates for the physical terminal lines on the router (the console port) from
the line template configuration mode. Use the line console command from global
configuration mode to enter line template configuration mode for the console template.
 Modify the template for virtual lines by configuring a user-defined template with the line
template template-name command, configuring the terminal attributes for the user-defined
template from line template configuration, and applying the template to a range of vty lines
using the vty pool command.

Attributes not defined in the console template, or any virtual template, are taken from the
default template.

Note Before creating or modifying the vty pools, enable the Telnet server by using the telnet
server command in global configuration mode.

vty Pools
Each virtual line is a member of a pool of connections using a common line template
configuration. Multiple vty pools may exist, each containing a defined number of vty lines as
configured in the vty pool. The Cisco IOS XR Software supports the following vty pools, by
default:
 Default vty pool: The default vty pool consists of five vty lines (vty 0 through 4) that each
reference the default line template.
 Default fault manager pool: The default fault manager pool consists of six vty lines (vty
lines 100 through 105) that each reference the default line template.



In addition to the default vty pool and default fault manager pool, you can also configure a
user-defined vty pool that can reference the default template or a user-defined template.
When configuring vty pools, follow these guidelines:
 The vty range for the default vty pool must start at vty 0 and must contain a minimum of
five vty lines.
 The vty range from 0 through 99 can reference the default vty pool.
 The vty range from 5 through 99 can reference a user-defined vty pool.
 The vty range from 100 is reserved for the fault manager vty pool.
 The vty range for fault manager vty pools must start at vty 100 and must contain a
minimum of six vty lines.
 A vty can be a member of only one vty pool. A vty pool configuration will fail if the vty
pool includes a vty that is already in another pool.
 If you attempt to remove an active vty from the active vty pool when configuring a vty
pool, the configuration for that vty pool will fail.
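The vty pool guidelines above are a closed set of rules, so a pre-deployment check can enforce them. The following Python function is an added example, not course material or Cisco code: it takes the pool definitions as (name, first-vty, last-vty) triples, the three arguments of the vty-pool command, and returns every guideline violation it finds, including overlap between pools. It assumes that the eem keyword of the vty-pool command names the fault manager pool, and the pool lists in the usage are constructed for illustration.

```python
"""Check vty-pool definitions against the Cisco IOS XR vty pool guidelines.

Added example, not Cisco code. Rules encoded, as listed in the lesson:
- the default pool starts at vty 0 with at least five lines and stays in 0..99
- user-defined pools may only use vty 5 through 99
- the fault manager pool (assumed here to be the 'eem' keyword) starts at
  vty 100 with at least six lines
- a vty can belong to only one pool
"""

DEFAULT_MIN_LINES = 5
FAULT_MANAGER_START = 100
FAULT_MANAGER_MIN_LINES = 6
USER_POOL_RANGE = (5, 99)


def check_vty_pools(pools):
    """pools: iterable of (name, first_vty, last_vty). Returns a list of violations."""
    problems = []
    owner = {}  # vty number -> pool name, to detect membership in two pools
    for name, first, last in pools:
        if first > last:
            problems.append(f"{name}: first vty {first} is above last vty {last}")
            continue
        count = last - first + 1
        if name == "default":
            if first != 0:
                problems.append("default: must start at vty 0")
            if count < DEFAULT_MIN_LINES:
                problems.append(f"default: needs at least {DEFAULT_MIN_LINES} lines, has {count}")
            if last >= FAULT_MANAGER_START:
                problems.append("default: may only use vty 0 through 99")
        elif name == "eem":
            if first != FAULT_MANAGER_START:
                problems.append(f"eem: must start at vty {FAULT_MANAGER_START}")
            if count < FAULT_MANAGER_MIN_LINES:
                problems.append(f"eem: needs at least {FAULT_MANAGER_MIN_LINES} lines, has {count}")
        else:
            lo, hi = USER_POOL_RANGE
            if first < lo or last > hi:
                problems.append(f"{name}: user-defined pools may only use vty {lo} through {hi}")
        # A vty may be a member of only one pool; report the first clash.
        for vty in range(first, last + 1):
            if vty in owner:
                problems.append(f"{name}: vty {vty} already belongs to pool {owner[vty]}")
                break
            owner[vty] = name
    return problems


if __name__ == "__main__":
    # Constructed pool sets: the lesson's scenario, then a deliberately broken one.
    good = [("default", 0, 4), ("my-pool", 5, 50), ("eem", 100, 105)]
    bad = [("default", 0, 3), ("my-pool", 3, 50), ("eem", 101, 105)]
    print("scenario:", check_vty_pools(good) or "ok")
    for problem in check_vty_pools(bad):
        print("broken:", problem)
```

The scenario from the next topic (default pool 0 to 4, my-pool 5 to 50, fault manager 100 to 105) passes cleanly; the broken set shows a default pool that is one line short, a user pool that reaches below vty 5 and collides with the default pool, and a fault manager pool that does not start at vty 100.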

Configuration Scenario
• Enable Telnet service on PE1
• Create username user with password user in local database of PE1 and
put user in sysadmin group
• Configure authentication method list vty-authen, which uses the local
username database method for vty (Telnet) authentication
• Configure line user-defined template, named Template, which allows
only inbound Telnet connections for vty lines 5 to 50

[Figure: CE1 (IOS) connects via Telnet to PE1 (IOS XR), which authenticates against its local AAA database]

The figure shows an example configuration scenario. AAA will be configured on PE1, running
Cisco IOS XR Software.
Any user accessing PE1 via Telnet will be authenticated against the PE1 local database using
AAA. First, the Telnet service will be enabled and the user will be created in the local database
of PE1 and put into the sysadmin group. An authentication method list will then be configured
that uses the local username database method for vty (Telnet) authentication. In addition, a
line template will be configured that allows only inbound Telnet access to PE1 for vty lines 5
to 50.



Configuration
[Figure: CE1 (IOS) connects via Telnet to PE1 (IOS XR), which authenticates against its local AAA database]
PE1 (IOS XR):
admin configure
username user
 group sysadmin
 password user
!
aaa authentication login vty-authen local
!
line template Template
 login authentication vty-authen
 transport input telnet
!
vty-pool my-pool 5 50 line-template Template
!
admin configure enters admin configuration mode. aaa authentication login vty-authen local
specifies a method list that uses the local database for authentication. line template Template
enters line template configuration mode, and login authentication vty-authen applies the
authentication method list to the line template. transport input telnet allows only Telnet
inbound connections. vty-pool my-pool 5 50 line-template Template applies the line template
to a range of virtual terminal lines.

The figure shows a configuration of AAA on router PE1. An authentication method list, named
vty-authen, is configured that uses the local database for authentication. Username user is
created in the local database of router PE1.
The authentication method is applied to the line template using the login authentication
command. Only Telnet inbound connections to PE1 are allowed inside the line template
configuration. This line template is applied to a range of vty lines from 5 to 50.
To configure the Cisco router (running Cisco IOS Software and IOS XE Software) to perform
AAA using a local database for authentication, use this as part of the configuration:
username user password user
aaa new-model
aaa authentication login vty-authen local
line vty 0 4
login authentication vty-authen

Verification
[Figure: CE1 (IOS) connects via Telnet to PE1 (IOS XR, 192.168.101.50), which authenticates against its local AAA database]
CE1# telnet 192.168.101.50


Trying 192.168.101.50 ... Open

User Access Verification

Username: user
Password:****

RP/0/RSP0/CPU0:PE1# show users


Mon Aug 29 11:24:45.102 UTC
Line User Service Conns Idle Location
aux0/RSP0/CPU0 hardware 0 9w5d
con0/RSP0/CPU0 root hardware 0 02:26:18
* vty0 user telnet 0 00:00:00 192.168.101.51


To verify AAA configuration on PE1, use Telnet to connect to PE1 from CE1, using the
username user that is specified in the local database of router PE1. Use the show users
command to verify that the user with username “user” is logged in to router PE1 from IP
address 192.168.101.50.



Benefits of using External Authentication Servers
This topic describes the benefits of implementing AAA services using external authentication
servers.

• Using the local database for AAA implementation on a Cisco router does
not scale well.
• Cisco Secure ACS systems can manage the user and administrative
access for an entire network.
• Cisco Secure ACS systems can work with external databases to
authenticate users to leverage the work already invested in building the
external database.

[Figure: remote client, router, and Cisco Secure ACS communicating over RADIUS or TACACS+; numbered steps 1 to 4]

Local implementations of AAA do not scale well. Most service provider environments have
multiple Cisco routers and other network devices.
Maintaining local databases for each Cisco router for this size of network is not feasible. To
solve this challenge, you can use one or more Cisco Secure ACS systems (servers or engines)
to manage the entire user and administrative access needs for an entire service provider
network, using one or more databases. External AAA systems, such as the Cisco Secure ACS
for Windows, communicate with Cisco routers using the TACACS+ or RADIUS protocols to
implement AAA functions. This allows you to make changes to user accounts and passwords in
one place (the Cisco Secure ACS server), and have all of the Cisco routers in your network
access this information.
With RADIUS and TACACS+ authentication, all authentication requests are relayed to the
RADIUS or TACACS+ access server, which allows or denies the user according to its user
database and instructs the router to allow or disallow access. These authentication methods use
the AAA structured approach: you define a method list and apply it to an interface.

TACACS+ and RADIUS AAA Protocols
This topic describes and compares the TACACS+ and RADIUS AAA protocols.

• TACACS+ and RADIUS are used to communicate between the AAA security
servers and authenticating devices.
• Cisco Secure ACS supports both TACACS+ and RADIUS:
- TACACS+ is more secure than RADIUS.
- RADIUS has a robust application programming interface and strong
accounting.

[Figure: security server (Cisco Secure ACS) communicating over TACACS+ and RADIUS with a switch, a firewall, and two routers]

The Cisco Secure ACS family of products supports both TACACS+ and RADIUS protocols,
which are the two predominant AAA protocols that are used by Cisco security appliances,
routers, and switches for implementing AAA.
TACACS+ is a Cisco enhancement to the original TACACS protocol. Despite its name,
TACACS+ is an entirely new protocol that is incompatible with any previous version of
TACACS. TACACS+ has been submitted to the Internet Engineering Task Force (IETF) as a
draft proposal.
TACACS+ provides separate AAA services. Because TACACS+ separates authentication and
authorization, it is possible to use TACACS+ for authorization and accounting while using
another method of authentication.
The extensions to the TACACS+ protocol provide more types of authentication requests and
response codes than were in the original specification. TACACS+ offers multiprotocol support,
such as IP and AppleTalk. Normal TACACS+ operation encrypts the entire body of the packet
for more secure communications and utilizes TCP port 49.
RADIUS is an open IETF standard AAA protocol for applications such as network access or IP
mobility that was developed by Livingston Enterprises. RADIUS works in both local and
roaming situations and is commonly used for accounting purposes. RADIUS is currently
defined by RFCs 2865, 2866, 2867, and 2868.
The RADIUS protocol hides the passwords during transmission between the router and
RADIUS server, even with Password Authentication Protocol (PAP), using a rather complex
operation that involves Message Digest 5 (MD5) hashing and a shared secret. However, the rest
of the packet is sent in plaintext.
RADIUS combines authentication and authorization as one process. After a user is
authenticated, they are authorized as well. RADIUS uses UDP ports 1645 or 1812 for
authentication and UDP ports 1646 or 1813 for accounting.
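The "rather complex operation" that hides the RADIUS password is the User-Password attribute construction of RFC 2865 section 5.2, and seeing it spelled out makes the two claims above concrete: the password is XORed with MD5(shared secret + Request Authenticator) block by block, while every other attribute, including User-Name, travels in the clear. The following Python code is an added example, not course material or Cisco code; the shared secret, username and password are taken from this lesson's scenario, and the Request Authenticator is a constructed value.

```python
"""RFC 2865 User-Password hiding and a minimal Access-Request, as an added
example (not Cisco code) of what a RADIUS client sends on UDP port 1812/1645.
"""
import hashlib
import os


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Obscure a password as the User-Password attribute value (RFC 2865 5.2).

    The password is NUL-padded to a multiple of 16 bytes. Block i is XORed
    with MD5(secret + previous output block); the first 'previous block' is
    the 16-byte Request Authenticator chosen by the client for this request.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += block
        prev = block
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Invert hide_user_password, as the RADIUS server does, and drop NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]          # chaining uses the received ciphertext block
    return bytes(out).rstrip(b"\x00")    # a password ending in NUL cannot be distinguished from padding


def build_access_request(identifier: int, authenticator: bytes,
                         username: bytes, hidden_password: bytes) -> bytes:
    """Minimal Access-Request (Code 1) carrying User-Name (1) and User-Password (2).

    Only the User-Password value is obscured; the header and User-Name are plaintext.
    """
    attrs = bytes([1, 2 + len(username)]) + username
    attrs += bytes([2, 2 + len(hidden_password)]) + hidden_password
    length = 20 + len(attrs)              # 20-byte header: code, id, length, authenticator
    return bytes([1, identifier]) + length.to_bytes(2, "big") + authenticator + attrs


def demo_round_trip() -> bool:
    """Client hides, server reveals, with a fresh random Request Authenticator."""
    secret = b"my_password"              # shared secret from the lesson's scenario
    authenticator = os.urandom(16)
    hidden = hide_user_password(b"ACS_user", secret, authenticator)
    return reveal_user_password(hidden, secret, authenticator) == b"ACS_user"


if __name__ == "__main__":
    auth = bytes(range(16))              # constructed, fixed authenticator for a readable demo
    hidden = hide_user_password(b"ACS_user", b"my_password", auth)
    packet = build_access_request(1, auth, b"ACS_user", hidden)
    print("User-Password on the wire:", hidden.hex())
    print("User-Name visible in packet:", b"ACS_user" in packet)
```

Two properties fall out of running it: anyone holding the shared secret and the authenticator from the same packet can reverse the hiding, which is why the shared secret is the security boundary of this scheme, and the User-Name attribute can be read straight out of the datagram, matching the statement that the rest of the packet is plaintext.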



Configuring Authentication Using an External
Authentication Server
This topic describes how to configure a Cisco router to perform AAA using an external
authentication server.

Configuration Scenario
• Specify a TACACS+ host server at 192.168.1.254 and use key
my_password shared between PE1 and the TACACS+ server (ACS).
• Configure authentication method list vty-authen, which uses the
configured TACACS+ server for authentication. If that method fails, the
local username database method is used for authentication.
• Configure a line user-defined template, named Template, which allows
only inbound Telnet connections for vty lines 5 to 50.
• Cisco Secure ACS is preconfigured!
[Figure: CE1 (IOS) connects via Telnet to PE1 (IOS XR); PE1 uses (1) Cisco Secure ACS at 192.168.1.254 and (2) its local AAA database]

The figure shows an example configuration scenario. AAA will be configured on PE1, which
runs Cisco IOS XR Software.
Any user accessing PE1 via Telnet is authenticated against the database of Cisco Secure ACS.
Communication between router PE1 and Cisco Secure ACS (IP address 192.168.1.254) uses
TACACS+ with the shared key my_password. If the TACACS+ server is not available, the local
username database of PE1 is used instead. Note that a method list moves on to the next method
only when a method returns an error, for example because no server answers; a credential that
the TACACS+ server rejects is a failed login, and the local database is not consulted for it. In
addition, a line template is configured that allows only inbound Telnet access to PE1 for vty
lines 5 to 50.
Cisco Secure ACS is configured with the username ACS_user and the password ACS_user, and
with router PE1 added as an AAA client using the key my_password.

Configuration
Figure: CE1 connects by Telnet to PE1 (IOS XR); PE1 uses Cisco Secure ACS at 192.168.1.254
(1) and its local AAA database (2).
PE1 (IOS XR):
admin configure
 username user
  group sysadmin
  password user
!
tacacs-server host 192.168.1.254 key my_password
aaa authentication login vty-authen group tacacs+ local
!
line template Template
 login authentication vty-authen
 transport input telnet
!
vty-pool my-pool 5 50 line-template Template
The tacacs-server host line specifies the TACACS+ host server and the authentication key
shared between PE1 and the TACACS+ server (ACS). The aaa authentication login line
specifies a method list that uses the TACACS+ server for authentication; if that method fails,
the local username database method is used for authentication.

The figure shows the AAA configuration of router PE1. The authentication method list named
vty-authen uses the database of Cisco Secure ACS for vty (Telnet) authentication. If the
TACACS+ server is not available, the local username database of PE1 is used.
To specify the TACACS+ server IP address, encrypted key, destination port, and other options,
use the tacacs-server host command in global configuration mode:
tacacs-server host ip_address [key [0 | 7] shared_secret]
To configure a Cisco router running Cisco IOS Software or Cisco IOS XE Software to perform
AAA using a remote authentication server, use this as part of the configuration:
username user password user
aaa new-model
tacacs-server host 192.168.1.254 key my_password
aaa authentication login vty-authen group tacacs+ local
line vty 0 4
login authentication vty-authen
Two practical cautions apply on both platforms. First, the local account exists as the fallback
for the case in which no TACACS+ server answers, so store its credential with the secret
keyword, which keeps an irreversible hash, rather than password, whose value is stored in a
reversible form. Second, apply the new method list from a session you can afford to lose and
verify it with a second, separate login before closing the first: a mistyped server address or key
combined with a missing local entry leaves the device reachable only through the console.
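As an added check that is not part of the lesson and not Cisco code, the following Python script audits the Cisco IOS configuration above for the points a reviewer looks at before trusting vty access to an external server: aaa new-model present, no method list containing none, a local fallback behind every remote group, every vty range pointing at a defined list, a key on every tacacs-server host, and no username stored with the reversible password keyword. The two configurations it reads are constructed for the example (the lesson's IOS snippet, and a deliberately weakened variant); the script covers the IOS syntax shown here, not the IOS XR form.

```python
import re

# Added example, not from the lesson: audit the AAA-related lines of a Cisco
# IOS running-config. Both sample configurations below are constructed.

# The IOS configuration from this topic, verbatim.
LESSON_CONFIG = """\
username user password user
aaa new-model
tacacs-server host 192.168.1.254 key my_password
aaa authentication login vty-authen group tacacs+ local
line vty 0 4
 login authentication vty-authen
"""

# Weakened variant: aaa new-model dropped, a keyless server, a list that
# contains "none", and a vty range pointing at a list that does not exist.
WEAK_CONFIG = LESSON_CONFIG.replace("aaa new-model\n", "") + """\
tacacs-server host 192.168.1.253
aaa authentication login open none
line vty 5 15
 login authentication open
line vty 16 20
 login authentication missing-list
"""


def parse_blocks(config: str):
    """Return (header, [children]) pairs; indented lines belong to the preceding header."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_aaa(config: str) -> list:
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    findings = []
    blocks = parse_blocks(config)
    headers = [h for h, _ in blocks]
    login_lists = {}

    if "aaa new-model" not in headers:
        findings.append("aaa new-model is missing: named method lists are not in effect")

    for h in headers:
        m = re.match(r"aaa authentication login (\S+) (.+)$", h)
        if m:
            name, methods = m.group(1), m.group(2).split()
            login_lists[name] = methods
            if "none" in methods:
                findings.append(f"list {name}: 'none' permits login without credentials")
            if "group" in methods and "local" not in methods:
                findings.append(f"list {name}: no local fallback; unreachable server locks you out")
            continue
        m = re.match(r"username (\S+) .*\bpassword\b", h)
        if m:
            findings.append(f"username {m.group(1)}: reversible 'password'; use 'secret'")
            continue
        m = re.match(r"tacacs-server host (\S+)", h)
        if m and " key " not in h:
            findings.append(f"tacacs-server host {m.group(1)}: no key; relies on a global key or none")

    # Every vty range must name a list that actually exists.
    for h, children in blocks:
        if not h.startswith("line vty"):
            continue
        refs = [c.split()[-1] for c in children if c.startswith("login authentication ")]
        if not refs:
            findings.append(f"{h}: no 'login authentication'; the default list applies")
        elif refs[0] not in login_lists:
            findings.append(f"{h}: references undefined list '{refs[0]}'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("lesson", LESSON_CONFIG), ("weak", WEAK_CONFIG)):
        print(f"== {label} ==")
        for finding in audit_aaa(cfg) or ["no findings"]:
            print(" -", finding)
```

Run against the lesson's own snippet the only finding is the reversible username password, which is exactly the caution raised above; the weakened variant shows how each of the other mistakes surfaces. The script is deliberately line-oriented, because that is how a running-config is reviewed by hand; it is not a full IOS parser.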



Verification
CE1# telnet 192.168.101.50
Trying 192.168.101.50 ... Open

User Access Verification

Username: ACS_user
Password: ********

RP/0/RSP0/CPU0:PE1# show users
Mon Aug 29 11:24:45.102 UTC
   Line             User       Service   Conns  Idle      Location
   aux0/RSP0/CPU0              hardware  0      9w5d
   con0/RSP0/CPU0   root       hardware  0      02:26:18
*  vty0             ACS_user   telnet    0      00:00:00  192.168.101.51

To verify the AAA configuration on PE1, use Telnet to connect from CE1 to PE1 (192.168.101.50)
with the username ACS_user, which exists only in the database of Cisco Secure ACS and not in
the local database of PE1; a successful login therefore proves that the TACACS+ method was
used and not the local fallback. Use the show users command on PE1 to verify that the user
ACS_user is logged in over vty0 from IP address 192.168.101.51 (the address of CE1). If the
login unexpectedly fails, or succeeds only with the local username, check the configured
servers and their reachability with the show tacacs command on PE1 before touching the
method list.

Configuring AAA Authorization and Accounting
This topic describes how to configure AAA authorization and accounting.

Figure: a user connects by Telnet to PE1 (IOS XR), which uses the remote AAA server Cisco
Secure ACS (192.168.1.254) for authorization and accounting.
PE1 (IOS XR):
aaa authorization network vty-authen group tacacs+ local
!
aaa accounting network vty-authen start-stop group tacacs+ local
The aaa authorization line configures AAA authorization using the TACACS+ server as the
primary method and local authorization as the second method. The aaa accounting line
configures AAA accounting using the TACACS+ server as the primary method and local
accounting as the second method.

The figure shows a configuration of AAA authorization and accounting on router PE1. The
network keyword selects authorization and accounting of network service requests; authorizing
the EXEC shell and the individual commands entered on a vty session uses the exec and
commands keywords instead. The start-stop keyword sends one accounting record when a
session starts and another when it ends, so the server can reconstruct who did what and for how
long. A named list such as vty-authen takes effect only where it is applied, for example on the
line template that the vty pool references; only a list named default applies on its own.



Summary
This topic summarizes the key points that were discussed in this lesson.

• AAA provides the primary framework to set up access control on your
network device.
• If you have one or two routers providing access to your network for a
limited number of users, you may store username and password
security information locally on the Cisco routers.
• The problem with local implementations of AAA is that they do not scale
well. In a network with many routers and many users, authentication
using external authentication servers is recommended.
• To configure authentication using the local database, you have to create a
user in the local user database.
• When using an external authentication server, the router and the
authentication server communicate using TACACS+ or RADIUS.
• TACACS+ separates authentication and authorization, while RADIUS
combines authentication and authorization as one process.
• To configure authentication using an external database, you have to
configure the authentication server on the Cisco router.
• To configure AAA authorization and accounting, use the aaa
authorization and aaa accounting commands.


Module Summary
This topic summarizes the key points that were discussed in this module.

• A device can generate syslog messages and forward them to various
destinations (logging buffer, console line, terminal lines, syslog server).
• SPAN copies traffic from one or more source ports to a destination port
for analysis. An SLA is a contract between the provider and its
customers. NTP provides time synchronization between network
devices. The Call Home feature enables Cisco devices to send
diagnostic information directly to Cisco TAC.
• AAA provides the primary framework to set up access control on your
network device.

This module covers network management tools, features, and protocols. The module first
presents network management protocols such as Cisco Discovery Protocol, SNMP, and
NetFlow. The module then describes SPAN, which can be used to analyze network traffic;
NTP, which provides time synchronization between network devices; and Call Home,
which provides email-based notification for critical system policies. Finally, the module
describes AAA, which is widely supported on Cisco devices as an additional security service.



Module Self-Check
Use the questions here to review what you learned in this module. The correct answers and
solutions are found in the Module Self-Check Answer Key.
Q1) Which two statements are true of Cisco Discovery Protocol? (Choose two.) (Source:
Collecting Network Device Data)
A) is a proprietary protocol
B) is an open protocol standard
C) discovers information about directly connected Cisco devices
D) discovers information about all devices on the network
E) runs over the network layer
Q2) How could you obtain Cisco Discovery Protocol information about a remote device
that is not directly connected? (Source: Collecting Network Device Data)
A) Use the command show cdp neighbors address.
B) Use the command show cdp neighbors hostname.
C) Use SSH or Telnet to access a Cisco device connected to the target device.
D) It is not possible to obtain Cisco Discovery Protocol information about a
remote device.
Q3) The SNMP system consists of which three components? (Choose three.) (Source:
Collecting Network Device Data)
A) SNMP manager
B) SNMP agent
C) SNMP trap
D) MIB
E) threshold
Q4) Devices can be configured to forward syslog messages to which four destinations?
(Choose four.) (Source: Collecting Network Device Data)
A) web server
B) syslog server
C) terminal lines
D) SNMP manager
E) logging buffer
F) console line
Q5) Which network protocol provides fine-grained metering for highly flexible and detailed
resource utilization accounting? (Source: Collecting Network Device Data)
A) EtherChannel
B) STP
C) NetFlow
D) SNMP
E) RMON



Q6) Which command is used to display information about the SPAN sessions? (Source:
Configuring Network Management Tools)
A) show session monitor
B) show session
C) show span session
D) show monitor session
Q7) An SLA is a contract between _______ and its customers. (Source: Configuring
Network Management Tools)
Q8) Which two statements are true regarding NTP? (Choose two.) (Source: Configuring
Network Management Tools)
A) NTP uses UDP port 123 as its transport layer.
B) NTP provides time synchronization between network devices.
C) NTP uses TCP port 132 as its transport layer.
D) NTP provides configuration and time synchronization between network
devices.
Q9) Which command is used to display the status of NTP associations? (Source:
Configuring Network Management Tools)
A) show associations
B) show ntp associations
C) show associations ntp
D) show ntp
Q10) An alert group is a predefined subset of alerts or events that Call Home detects and
reports to one or more destinations. Which three of these are supported alert groups?
(Choose three.) (Source: Configuring Network Management Tools)
A) mechanical
B) environmental
C) syslog
D) inventory
E) security
F) control plane
Q11) Match each term related to the AAA model to its description. (Source: Implementing
AAA)
_____ 1. What did you do? How long did you do it?
_____ 2. Who are you?
_____ 3. What can you do? What can you access?
A) Authentication
B) Authorization
C) Accounting

Q12) Which three statements describe characteristics of implementing authentication using
local services? (Choose three.) (Source: Implementing AAA)
A) It stores username and password in the Cisco router.
B) It requires an external database.
C) User authenticates against the local security database on the Cisco router.
D) The router passes the username and password to the Cisco Secure Access
Control Server.
E) It does not require an external database.
Q13) Which two protocols are used to communicate between external AAA systems, such as
the Cisco Secure ACS for Windows, and Cisco routers? (Choose two.) (Source:
Implementing AAA)
A) AAA
B) RADIUS
C) TACACS+
D) TCP
E) OSPF



Module Self-Check Answer Key
Q1) A, C
Q2) C
Q3) A, B, D
Q4) B, C, E, F
Q5) C
Q6) D
Q7) Provider
Q8) A, B
Q9) B
Q10) B, C, D
Q11) 1 = C, 2 = A, 3 = B
Q12) A, C, E
Q13) B, C

