
Ethernet Technology:

100 Base:
Standard     Cable Type     Mode                       Encoding     Pairs Required   Distance (Meter)
10BaseT      Cat 3,4,5      Half Duplex                Manchester   2                100
100BaseTX    Cat 5          Half Duplex, Full Duplex   4B/5B        2                100
100BaseT4    Cat 3          Half Duplex                8B/6T        4                100
100BaseT2    Cat 3,4,5      Half Duplex, Full Duplex   PAM5x5       2                100
100BaseFX    Multi Mode     Half Duplex, Full Duplex   -            1                412 (Half Duplex), 2000 (Full Duplex)
100BaseFX    Single Mode    Half Duplex, Full Duplex   -            1                10 Km

1000 Base (802.3z):


Standard Distance (Meter)
1000BaseSX 220 - 550
1000BaseLX 550 - 5000
1000BaseLH 10000
1000BaseZX 90000

Command:
speed [ auto | 10 | 100 | 1000 ]
duplex [nonegotiate | auto | full | half]

CSMA/CD:
1-A device with a frame to send listens until the Ethernet is not busy
2-When the Ethernet is not busy, the sender begins sending the frame
3-The sender listens to make sure no collision occurred
4-If there was a collision, all stations that sent a frame send a jamming signal to ensure that all stations
recognize the collision
5-After the jamming is complete, each sender of one of the original collided frames randomizes a timer and
waits that long before re-sending
6-After all timers expire, the original senders can begin again with step 1

Frame Format:
IEEE 802.3 (DIX):
Starting Delimiter (1 byte) | Destination Address (6 bytes) | Source Address (6 bytes) | Length (2 bytes) | LLC header and Information field (46 - 1500 bytes) | Frame Check Sequence (4 bytes)

Original IEEE (802.3):

Starting Delimiter (1 byte) | Destination Address (6 bytes) | Source Address (6 bytes) | Length (2 bytes) | DSAP | SSAP | Control | Information field (46 - 1500 bytes) | Frame Check Sequence (4 bytes)

IEEE with SNAP:

Starting Delimiter | Destination Address | Source Address | Length | DSAP | SSAP | Control | OUI | TYPE (80D5) | Information field (Length, Padding, LLC header, Data) | Frame Check Sequence

802.3: IEEE standard


802.2: IEEE LLC
802.3u: 100 Mbps standard
802.3z: 1 Gbps over optical cable GigE
802.3ab: 1 Gbps over copper cable

Ether Net Address Format:

Byte:   1st   2nd   3rd   |   4th   5th   6th
        |------ OUI ------|---- Vendor Assigned ----|

Bits of the 1st byte (1st = least significant, transmitted first):

Bit:    1st   2nd   3rd   4th   5th   6th   7th   8th
        I/G   U/L

SPAN, RSPAN:
This method is used to direct all traffic from a source port or source VLAN to a single port on the same switch
(SPAN) or on a remote switch (RSPAN)

Restriction and Condition:

1-SPAN overwrites the configuration of the destination interface (if the port is an EtherChannel member it is
removed from the channel; if it is a routed interface, SPAN overrides the routed configuration). The destination
port does not support port security, 802.1x authentication, private VLANs or any layer 2 protocol (STP, CDP, VTP
and DTP).
2-The source can be either one or more ports or one or more VLANs, not a mix of ports and VLANs
3-Up to 64 SPAN destination ports can be configured
4-Traffic routed from one VLAN to another VLAN on the same switch cannot be monitored
5-Traffic received on the source port or VLAN is sent to the destination port before any modification by ACLs,
security policy filters, ...
6-Traffic sent from the source port or VLAN is sent to the destination port after all modification of the traffic
7-Special layer 2 traffic such as CDP, STP BPDU, VTP, DTP and PAgP is ignored by SPAN and RSPAN by default
Command:
monitor session [1-66] source [interface [interface] | vlan [#]] [tx | rx | both]
Specify the source port or VLAN to be monitored
monitor session [1-66] destination [interface [interface] | remote [vlan #] ] [encapsulation-replica]
Specify the destination port or remote VLAN; encapsulation-replica includes the layer 2
protocol traffic in the monitored traffic
monitor session [1-66] filter vlan [# or range of vlan]
Limit monitoring of a source trunk port to the listed VLANs
vlan [#]
remote span
monitor session [1-66] destination remote vlan [#]
Set the VLAN as the remote SPAN VLAN that carries the traffic to a port on another switch
And on the switch that has the destination port use
monitor session [1-66] source remote vlan [# of the destination vlan on the other switch]
monitor session [1-66] destination interface [interface]
Set the destination interface
show monitor session [#] [detail]

Switching Method:
Method               Error Detecting                        How it works
Store and Forward    Can detect errors                      Stores the whole frame before switching it and runs the
                                                            CRC check to detect collision damage
Cut-Through          Cannot detect any error                Switches the frame as soon as the destination MAC is received
Fragment-Free        Detects errors in the first 64 bytes   Switches the frame after the first 64 bytes are received

Definition:
Auto Negotiation: an Ethernet procedure by which two connected devices choose common parameters,
such as speed and duplex mode
Half duplex: a half duplex system provides communication in both directions, but only one direction at a
time
Full duplex: allows communication in both directions simultaneously
Crossover cable: a type of Ethernet cable used to connect computing devices together directly
Straight-through cable: a type of Ethernet cable used to connect two different types of device
Unicast address: a logical address which represents a single node or device on the network
Multicast address: an identifier for a group of hosts that have joined a multicast group
Broadcast: a network address that allows information to be sent to all nodes on the network
Loopback circuitry: a circuit used to route a flow from the originating facility quickly back to the same
source, primarily used for testing local transmission
I/G bit: the least significant bit in the first byte of the frame address, used to distinguish an
individual (unicast) address from a group (multicast, broadcast) address
U/L bit: the second bit in the first byte of the frame address, used to distinguish a universally administered
address from a locally administered address
CSMA/CD: the Ethernet method used for collision detection
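As an added example (not part of the original notes), the following Python decodes the address fields defined above: the OUI and vendor-assigned halves, and the I/G and U/L bits of the first byte. The accepted input formats and the sample addresses are assumptions; the multicast sample 01-00-0c-cd-cd-d0 is the L2 protocol tunneling address mentioned later in these notes.

```python
# Added example, not from the original notes: decode an Ethernet (MAC) address
# into the fields described above. Accepts aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff
# or aabb.ccdd.eeff (assumed input formats).
import re


def parse_mac(mac: str) -> dict:
    """Return OUI, vendor-assigned part, I/G bit, U/L bit and the address kind."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets = bytes.fromhex(hexdigits)
    first = octets[0]
    ig_bit = first & 0x01          # least significant bit: 0 = individual, 1 = group
    ul_bit = (first >> 1) & 0x01   # next bit: 0 = universally administered, 1 = local
    if octets == b"\xff" * 6:
        kind = "broadcast"         # all ones: the broadcast address
    elif ig_bit:
        kind = "multicast"
    else:
        kind = "unicast"
    return {
        "oui": octets[:3].hex().upper(),              # first three bytes
        "vendor_assigned": octets[3:].hex().upper(),  # last three bytes
        "ig_bit": ig_bit,
        "ul_bit": ul_bit,
        "kind": kind,
        "administered": "locally" if ul_bit else "universally",
    }


if __name__ == "__main__":
    # Constructed sample addresses (the second is the L2PT address from these notes)
    for sample in ("0000.0c07.ac01", "01-00-0c-cd-cd-d0",
                   "02:00:5e:00:00:01", "ff:ff:ff:ff:ff:ff"):
        print(sample, parse_mac(sample))
```

Because the I/G bit is the least significant bit of the first byte, any address whose first octet is odd (01, 03, ...) is a group address; a first octet with bit 2 set (02, 06, ...) marks a locally administered address rather than a vendor-assigned OUI.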

VLAN:
Extended VLAN range 1006 – 4094: used with VTP transparent mode, stored in the running configuration
file, cannot be pruned from the interface and cannot be configured using VMPS
Command:
Database mode:
vlan database
vlan [#] name [name]
apply
show current
show proposed
configuration mode
vlan [#]
name [name]
switchport
on a layer 3 switch, makes the port a layer 2 switch port
switchport mode [access | trunk | dynamic [desirable | auto]]
switchport access vlan [#]
assign interface to a vlan
Trunking:
1-dot1q: IEEE standard, supports both the standard and extended VLAN range and inserts a tag in the frame
2-ISL: Cisco proprietary trunking, adds a 26 byte header to the front of the frame and a 4 byte trailer, supports both the standard
and extended VLAN range
Command:
switchport mode [trunk | dynamic [auto | desirable]]
switchport trunk encapsulation [dot1q | isl | negotiate]
switchport trunk allowed vlan [all | none | add | remove | except | vlan#]
switchport trunk native [vlan#]
switchport trunk pruning vlan [none | add | remove | except | vlan#]
show interfaces trunk
show interfaces [type] trunk
DTP:
A Cisco proprietary protocol used to negotiate trunking between two switches and the type of
encapsulation
Command:
switchport mode trunk
Forces the port to trunk regardless of the other side; it forms a trunk with a neighbor set to trunk,
dynamic desirable or dynamic auto
switchport nonegotiate
Disables DTP negotiation on the port; the trunk is established only when the other side is also set to trunk
switchport mode dynamic auto
Does not send trunking requests, but forms a trunk if it receives one, so the other side must be
trunk or desirable
switchport mode dynamic desirable
Sends trunking requests to the other side; can establish a trunk with a neighbor set to trunk, auto or desirable
interface [type].[sub-inteface#]
encapsulation [dot1q | isl] [vlan#]
VTP:
A Cisco proprietary layer 2 protocol that manages the creation, deletion and renaming of VLANs on the
network
VTP modes:
1-Server mode: can create, delete and modify VLANs
2-Client mode: listens to VTP advertisements, cannot create, delete or modify VLANs
3-Transparent mode: the switch can create, delete and modify VLANs locally, and it also
forwards the VTP messages it receives to and from the
VTP domain
VTP uses a revision number to check which VTP update is the most recent. On each update the revision
number is incremented by one. When a switch receives an update it compares its own revision number
with the one in the VTP message: if the local number is larger than the one in the update message it ignores the update
message; if the local number is lower it updates its local VLANs as in the update message and
then propagates the message to the other switches
The switches in the same domain must share the same VTP domain name and the same password (MD5
hashing) if one is configured on the switches, and VTP runs only on trunk interfaces
Command:
vtp domain [name]
vtp interface [name]
specify the interface to be the ID for the update information
vtp mode [server | client | transparent]
vtp password [password]
vtp pruning
vtp version [1 | 2]
show vtp status
show vtp counter
Private VLAN:
Used to split a single VLAN into multiple isolated broadcast sub-domains. Types of VLAN:
1-Promiscuous: a port belonging to this VLAN can communicate with all ports in the VLAN
2-Isolated: can communicate only with promiscuous ports
3-Community: can communicate with other community ports and promiscuous ports
Command:
vlan [#]
private-vlan primary
private-vlan association [vlan range | add [vlan #] | remove [vlan #]]
vlan [#]
private-vlan isolated
vlan [#]
private-vlan community
interfaces [type] [#]
switchport mode private-vlan host
switchport private-vlan host-association [primary vlan #] [private vlan #]
interfaces [type] [#]
switchport mode private-vlan promiscuous
switchport private-vlan mapping [primary vlan #] [private vlan range]
interfaces vlan [primary vlan #]
private-vlan mapping [secondary vlan #]
for layer 3 routing between PVLAN
Port Channel:
Load balancing uses the last bit(s) of the selected field, or the XOR of the last bits of the two fields when the
load balancing method combines source and destination; the field can be the source, destination or both of IP address, MAC address or port number
EtherChannel modes:
1-on: forces the port channel on without negotiation
2-off: disables the port channel
3-desirable (Cisco PAgP) / active (LACP): initiates the negotiation to form the port channel
4-auto (PAgP) / passive (LACP): willing to form the port channel if the device at the other end initiates the request to
form the port channel
Command:
port-channel load balance [src-ip | src-mac | src-port | dst-ip | dst-mac | dst-port | src-dst-ip | src-dst-
mac | src-dst-port]
channel-protocol [lacp | pagp]
channel-group [1-256] [desirable | auto | active | passive | on]
show etherchannel
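An added example (not from the original notes) of how the load balancing methods listed above pick a member link. It assumes a bundle of 2, 4 or 8 links, that the switch uses the low-order 1, 2 or 3 bits of the selected field as the link index, and that the src-dst methods XOR the two fields first; the flow values are constructed.

```python
# Added example, not from the original notes: how the port-channel load-balance
# methods choose a member link. Assumptions: 2, 4 or 8 member links, the low-order
# 1, 2 or 3 bits of the selected field are used, and src-dst methods XOR the
# source and destination fields first. The sample flow is constructed data.
import ipaddress


def _field_value(kind: str, raw) -> int:
    """Convert an address or port to an integer so its low-order bits can be used."""
    if kind == "ip":
        return int(ipaddress.IPv4Address(raw))
    if kind == "mac":
        return int(str(raw).replace(":", "").replace("-", "").replace(".", ""), 16)
    if kind == "port":
        return int(raw)
    raise ValueError(f"unknown field kind {kind!r}")


def select_link(method: str, flow: dict, nlinks: int) -> int:
    """Return the index (0..nlinks-1) of the bundle member chosen for a flow.

    method is one of the load-balance keywords above, e.g. 'src-ip', 'dst-mac',
    'src-dst-port'. flow holds src_ip/dst_ip, src_mac/dst_mac and
    src_port/dst_port as needed by the method.
    """
    bits = {2: 1, 4: 2, 8: 3}.get(nlinks)
    if bits is None:
        raise ValueError("this example handles 2, 4 or 8 member links")
    parts = method.split("-")
    kind = parts[-1]                       # ip, mac or port
    value = 0
    if "src" in parts:
        value ^= _field_value(kind, flow[f"src_{kind}"])
    if "dst" in parts:
        value ^= _field_value(kind, flow[f"dst_{kind}"])
    return value & ((1 << bits) - 1)       # keep only the low-order bits


if __name__ == "__main__":
    flow = {"src_ip": "10.0.0.1", "dst_ip": "10.0.0.2",
            "src_mac": "0000.0000.0001", "dst_mac": "0000.0000.0003",
            "src_port": 1025, "dst_port": 80}
    for method in ("src-ip", "dst-ip", "src-dst-ip", "src-dst-mac", "dst-port"):
        print(f"{method:12s} -> link {select_link(method, flow, 4)}")
```

Only the low-order bits count, so all flows from one host land on the same link under a src-only method, and a router or server behind a single MAC address pins everything to one link under a dst-mac method; the src-dst methods spread traffic better because the XOR varies with both ends.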
STP:
802.1d:
Major Steps:
1-Elect the root bridge
2-Determine each switch's root port
3-Determine the designated port for each segment
Electing the Root Bridge:
Each switch has a bridge ID made of a 2 byte priority and a 6 byte MAC address; the priority
field was later split into two fields, a 4 bit priority and a 12 bit VLAN ID, to support per
VLAN STP. The switch with the lowest bridge ID becomes the root.
Determine Root Port:
The root switch sends a hello every two seconds and each switch that receives this hello forwards
it to the other switches after updating the cost, bridge ID, port priority and port number
of the exit interface. The port with the lowest cost to the root (and lowest sender bridge ID) on each switch becomes
the root port; if the cost is equal use the lowest port priority of the neighbor, and if equal use the
lowest port number of the neighbor.
Default Port Cost:
Speed       Original IEEE    Revised IEEE
10 Mbps     100              100
100 Mbps    10               19
1 Gbps      1                4
10 Gbps     1                2
Determine Designated Port:
The switch that has the lowest cost to the segment will have the designated port; if equal, the
lowest forwarder bridge ID; if equal, the lowest port priority; if equal, the lowest port number
If there is a failure on the network each switch waits ten times the hello time before
beginning the process of electing a new root bridge
To have a correct MAC address table after a failure on the root bridge, each
switch that experiences an STP port status change sends a TCN BPDU to the root, and
each switch that receives this message replies with an acknowledgment using the TCA flag
Then any change from the blocking to the forwarding state moves through the blocking,
listening, learning and then forwarding states
PVSTP:
Runs an STP instance for each VLAN by using the new priority field for the VLAN ID, which provides a
unique bridge ID for each VLAN
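An added example (not from the original notes) that puts the bridge ID layout and the election rules above into code: the 4-bit priority plus 12-bit VLAN ID form the first comparison key, the MAC the second, and the root port is chosen by cost with the 802.1D tie-breaks (sender bridge ID, sender port priority, sender port number). Switch names, MAC addresses and costs are constructed sample data.

```python
# Added example, not from the original notes: 802.1D root bridge election and
# root port selection using the bridge ID layout described above (4-bit priority,
# 12-bit extended system ID = VLAN, 48-bit MAC). Switch names, MACs and costs are
# constructed sample data.
from dataclasses import dataclass


def bridge_id(priority: int, vlan: int, mac: str) -> tuple:
    """Comparable bridge ID: (priority + VLAN ID, MAC as integer); lowest wins.
    The priority occupies the high 4 bits of the 2-byte field, so it must be a
    multiple of 4096; the VLAN ID fills the low 12 bits."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    mac_int = int(mac.replace(":", "").replace("-", "").replace(".", ""), 16)
    return (priority + vlan, mac_int)


@dataclass(frozen=True)
class Hello:
    """A hello (configuration BPDU) received on one local port."""
    local_port: str
    root_path_cost: int       # cost advertised by the sender plus this port's own cost
    sender_bridge_id: tuple   # bridge ID of the switch that sent the hello
    sender_port_priority: int
    sender_port_number: int


def elect_root(bridges: dict) -> str:
    """bridges maps switch name -> bridge ID; the lowest bridge ID is the root."""
    return min(bridges, key=bridges.get)


def select_root_port(hellos: list) -> str:
    """Root port tie-break order: lowest root path cost, then lowest sender
    bridge ID, then lowest sender port priority, then lowest sender port number."""
    best = min(hellos, key=lambda h: (h.root_path_cost, h.sender_bridge_id,
                                      h.sender_port_priority, h.sender_port_number))
    return best.local_port


if __name__ == "__main__":
    vlan = 10
    ids = {
        "SW1": bridge_id(32768, vlan, "0000.0000.0001"),
        "SW2": bridge_id(4096, vlan, "0000.0000.00ff"),   # lower priority beats lower MAC
        "SW3": bridge_id(32768, vlan, "0000.0000.0000"),
    }
    print("root bridge:", elect_root(ids))
    # Hellos seen by SW1: equal cost on both uplinks, so the sender bridge ID decides
    hellos = [
        Hello("Gi0/1", 19, ids["SW2"], 128, 1),
        Hello("Gi0/2", 19, ids["SW3"], 128, 2),
    ]
    print("root port on SW1:", select_root_port(hellos))
```

The tuple comparison makes the point of the extended system ID visible: because the VLAN number is added into the low 12 bits, two switches with the same configured priority still get a different bridge ID per VLAN, and a lower priority always outranks a lower MAC address.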
RSTP:
802.1w; waits for only three missing hellos instead of ten, transitions from the blocking state to the learning
state bypassing the listening state, and adds the backup designated port role
RSTP defines the link types as:
Link Type        Description
Point-to-Point   Connects two switches together
Shared           Connects a switch to a hub
Edge             Connects a switch to an end device
Port states: Discarding, Learning, Forwarding
Port roles: RP, DP, Alternate RP, Backup DP
RPVST+:
Like RSTP but runs one instance for each VLAN
MST:
How to: enable MST on the switch; in MST configuration mode create the region name, set the
revision number, and map VLANs to MST STP instances.
Optimizing STP:
1-PortFast: puts the port into the forwarding state immediately; to be safe use the root guard and
BPDU guard features on any port you enable this feature on.
2-UplinkFast: used to perform rapid switching to an alternate root port when a failure occurs on the
main root port, putting it immediately into the forwarding state. When this feature is enabled the
switch takes three actions: a-increase the port priority to 49,152, b-set the port cost to
3000, c-when a failure occurs the switch does not use TCN BPDUs to tell the other switches to
update their MAC address tables for it; instead it sends a multicast to all MAC addresses
3-BackboneFast: used to detect an indirect link failure in the core section of the network. When the
first hello is missed the switch sends an RLQ BPDU asking the neighbor whether it is still
receiving hellos from the root bridge, and so on; if the neighbor has had a failure and lost the root bridge it
informs the original switch with another RLQ BPDU, which causes the switch to go ahead with
convergence without waiting for the max age timer to expire
Protecting STP:
Root Guard: enabled per port; ignores any received superior BPDU to prevent the device connected to this
port from becoming root. When a superior BPDU is received the port is put into the inconsistent state, ceasing
forwarding and receiving frames until the superior BPDUs cease
BPDU Guard: enabled per port; err-disables the port upon receiving any BPDU
UDLD: uses layer 2 messages to decide when the switch no longer receives frames from the
neighbor. Aggressive mode attempts to reconnect with the other switch eight times after no messages
have been received; if the other switch does not reply to the repeated additional messages both
sides become err-disabled
Loop Guard: when normal BPDUs are no longer received, the port does not go through normal
STP convergence but rather falls into the loop-inconsistent state
Command:
spanning-tree mode [mst | pvst | rapid-pvst]
spanning-tree vlan [vlan#] root [primary | secondary]
spanning-tree portfast default
spanning-tree uplinkfast [max-update-rate [#]]
spanning-tree backbonefast
interface [type]
spanning-tree cost [#]
spanning-tree link-type [point-to-point | shared]
spanning-tree port-priority [#]
spanning-tree vlan [vlan#] [cost | port-priority] [#]
spanning-tree portfast
spanning-tree mst configuration
name [name]
revision [number]
instance [number] vlan [range]
Tunneling:
802.1q tunneling uses one VLAN ID to carry all the VLANs from the two sides of the tunnel, which works like
VLAN-in-VLAN
1-A tunnel port cannot be a routed port
2-IP routing is not supported on a VLAN that includes an 802.1q tunnel port
3-Tunnel ports do not support IP ACLs
4-L3 QoS ACLs and any other QoS features are not supported on tunnel ports
5-DTP is incompatible with 802.1q tunneling because you must manually configure the asymmetric link with a
tunnel port on one side and a trunk port on the other
6-Loopback detection is supported on 802.1q tunnel ports
7-When an 802.1q tunnel is configured on a port, STP BPDU filtering is enabled and CDP is disabled automatically
Command:
interface [type] [#]
switchport access vlan [#]
switchport mode dot1q-tunnel
L2PT (Layer 2 Protocol Tunneling):
When a PDU enters the L2PT port the switch overwrites the destination MAC address with 01-00-0c-cd-cd-d0, and
if 802.1q tunneling is enabled it is also double tagged; on the egress port the original MAC address is
restored and the entire message is passed to the other end.
1-L2PT supports tunneling of STP, CDP and VTP; tunneling of these protocols is disabled by default
2-Tunneling is not supported on trunk ports
3-Only de-encapsulated PDUs are forwarded to the ends
Command:
interface [type] [#]
switchport mode access || switchport mode dot1q-tunnel
l2protocol-tunnel [cdp | stp | vtp]
l2protocol-tunnel threshold [cdp | vtp | stp] [#]
l2protocol-tunnel cos [#]
ACL:
Two types, standard and extended, applied in the inbound or outbound direction on the interface
Standard ACLs use the source address only for matching
Extended ACLs use the source and destination address, the L4 protocol and the port number for matching the
traffic
Named ACLs are like standard and extended ACLs but with a name associated with each ACL
Inbound ACLs are processed before routing or anything else
Reflexive ACLs allow packet filtering based on session information, using an extended named IP ACL
Time-based ACLs apply an ACL at specific times
Command:
access-list [#] [permit | deny] [host ip | source-address wildcard | any]
access-list [#] [dynamic [name] timeout [time]] [permit | deny] [ip protocol | icmp | udp | tcp]
[source-address] [wildcard] [destination-address] [wildcard] [port]
ip access-list [standard | extended] [name]
[permit | deny] ......
ip access-list extended [name]
evaluate [string]
ip access-list extended [name]
permit, deny ......... reflect [string]
time-range [name]
periodic dof hh:mm to dof hh:mm
absolute [start] [end]
ip access-list [name | number] ......... time-range [name]
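An added example (not from the original notes) that parses numbered access-list lines in the syntax shown above and evaluates them the way the notes describe: top-down, first match wins, wildcard-mask comparison, and an implicit deny when nothing matches. It assumes the usual number ranges (1-99 and 1300-1999 standard, anything else extended) and supports only the `eq` port operator; the ACL lines and packets are constructed sample data.

```python
# Added example, not from the original notes: parse numbered access-list lines in
# the syntax shown above and evaluate them top-down with wildcard masks and the
# implicit deny at the end. Standard lists (1-99, 1300-1999) match on source only;
# extended lists also match protocol, destination and an optional 'eq' port.
# The ACL lines and packets below are constructed sample data.
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

_DOTTED = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


@dataclass(frozen=True)
class Entry:
    action: str                      # "permit" or "deny"
    src: str
    src_wc: str                      # wildcard mask: 1 bits are "don't care"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"  # default: any destination
    protocol: str = "ip"             # ip, tcp, udp or icmp
    dst_port: Optional[int] = None   # only meaningful for tcp/udp


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Address matches when the bits not covered by the wildcard are equal."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def _parse_addr(tokens: list, i: int):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D [wildcard]' starting at tokens[i]."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    if i + 1 < len(tokens) and _DOTTED.match(tokens[i + 1]):
        return tokens[i], tokens[i + 1], i + 2
    return tokens[i], "0.0.0.0", i + 1          # bare address = single host


def parse_entry(line: str) -> Entry:
    t = line.split()
    if len(t) < 4 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported line: {line!r}")
    number = int(t[1])
    if 1 <= number <= 99 or 1300 <= number <= 1999:   # standard: source only
        src, src_wc, _ = _parse_addr(t, 3)
        return Entry(t[2], src, src_wc)
    protocol = t[3]
    src, src_wc, i = _parse_addr(t, 4)
    dst, dst_wc, i = _parse_addr(t, i)
    port = int(t[i + 1]) if i + 1 < len(t) and t[i] == "eq" else None
    return Entry(t[2], src, src_wc, dst, dst_wc, protocol, port)


def evaluate(acl: list, packet: dict) -> str:
    """First matching entry decides; a packet matching no entry is denied."""
    for e in acl:
        if e.protocol != "ip" and e.protocol != packet.get("protocol"):
            continue
        if not wildcard_match(packet["src"], e.src, e.src_wc):
            continue
        if not wildcard_match(packet.get("dst", "0.0.0.0"), e.dst, e.dst_wc):
            continue
        if e.dst_port is not None and e.dst_port != packet.get("dst_port"):
            continue
        return e.action
    return "deny"                                    # implicit deny


# Constructed sample ACL: only HTTPS from 10.0.0.0/24 to one server is allowed
SAMPLE_ACL = [parse_entry(line) for line in (
    "access-list 101 permit tcp 10.0.0.0 0.0.0.255 host 192.0.2.10 eq 443",
    "access-list 101 deny ip 10.0.0.0 0.0.0.255 any",
    "access-list 101 permit ip any any",
)]

if __name__ == "__main__":
    pkt = {"protocol": "tcp", "src": "10.0.0.7", "dst": "192.0.2.10", "dst_port": 443}
    print(evaluate(SAMPLE_ACL, pkt))
```

The order of the sample entries matters: swapping the first two lines would deny the HTTPS traffic before the permit is ever reached, and a packet from outside 10.0.0.0/24 is permitted only because the last line exists, since an ACL with no matching entry denies everything.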
Firewall:
Types of firewalls:
1- Packet filter firewall: works at L3 + L4
2- Application firewall: works from L3 to L7
3- Stateful packet filtering firewall: like a packet filter but can track application layer information
4- Application inspection firewall
Command:
ip inspect tcp synwait-time [#]
ip inspect tcp finwait-time [#]
ip inspect tcp idle-time[#]
ip inspect udp idle-time [#]
ip inspect dns-maxtime [#]
ip inspect max-incomplete high [#]
ip inspect max-incomplete low [#]
ip inspect one-minute high [#]
ip inspect one-minute low [#]
ip inspect tcp max-incomplete host [#] block-time [#]
ip port-map [name] port [list of port] [list [ACL]]
ip inspect [rule name] [protocol] [tcp | udp] [timeout [#]]
interface [type] [#]
ip inspect [name] [in | out]
ZBF:
Divides the router interfaces into zones.
Traffic can pass between interfaces of the same zone by default, but cannot pass from one zone to
another zone unless it is allowed. Traffic cannot pass from an interface in a zone to an interface without a zone; to
allow traffic in this case create a dummy zone for these interfaces and allow all traffic to this zone
All traffic from the router interfaces to the router itself or from it is permitted by default
NEED: define the zones, define the zone-pair, define the class-map and policy-map, apply the policy-map to the
zone-pair and assign the zones to the interfaces
Command:
zone security [zone-name]
zone-pair security [pair-name] source [zone-name | self] destination [zone-name | self]
service-policy type inspect [policy-name]
class-map type inspect [match-any | match-all] [class-name]
match access-group [[#] | name [ACL-name]]
match class-map [class-name]
match protocol [protocol-name]
policy-map type inspect [policy-name]
class-map [class-name | class-default | type inspect [class-name]]
drop | inspect | pass | police
interface [type] [number]
zone-member security [zone-name]
URPF:
Checks whether an incoming packet arrived on the interface that would be used as the exit interface for the return
packet; requires CEF switching to be enabled
Command:
interface [type] [#]
ip verify unicast reverse-path
IP Source Guard:
Enables traffic forwarding on the interface only if the IP (or IP and MAC) matches a binding entry
Command:
ip source binding [ip] [mac] vlan [#] interface [type] [#]
interface [type] [#]
ip verify source dhcp-snooping-vlan
AAA:
PAP, CHAP, EAP Authentication:
PAP uses a two way handshake with the user name and password sent across the link in clear text
CHAP uses a three way handshake, secures the transfer of the user name and password, and
periodically re-checks the credentials
EAP is an authentication protocol that runs at L2 without requiring IP
Authentication:
Used to validate the user name and password, either against the local database or a remote access server
database such as Cisco Access Control Server, a RADIUS server or TACACS+
Authorization:
Determines which resources the user is permitted to access
Accounting:
Logs the activity the user performed while accessing the system
Command:
aaa new-model
enable AAA on the router or switch
aaa authentication login [default | list-name] method1 method2 ......
determine the authentication method for the default or custom list
aaa authentication enable default method1 method2 .......
used for determine the authentication method used to authenticate access to privilege mode
aaa authentication ppp [default | list-name] method1 method2 .......
used to determine the authentication method for ppp
aaa authentication attempts login [#]
set number of allowed authentication attempts
aaa authorization [auth-proxy | network | cache | exec | config-command | console | reverse-access |
configuration | ipmobile | template] [default | list-name] method1, method2 ........
aaa accounting [auth-proxy | system | network | connection | exec | commands] [default | list-name]
[start-stop | stop-only | none] broadcast group [tacacs+ | radius]
tacacs-server host [ip or name server]
tacacs-server port [#]
tacacs-server single-connection
tacacs-server timeout [#]
tacacs-server key [key]
radius-server host [ip or name server]
radius-server auth-port [#]
radius-server acct-port [#]
radius-server timeout [#]
radius-server key [key]
IPS:
IPS has two main components, the SDF and the SME. The SDF is a file located on the Cisco router flash or on a TFTP,
FTP, SCP or RCP server and contains the attack signatures to match against. The SME loads the SDF file and uses it for
matching the traffic
Command:
ip ips notify [log | sdee | nr-director (for Post Office)]
ip sdee events [#]
set the size of the SDEE event queue
ip ips po max-events [#]
set the queue size for Post Office
ip ips protected [start] to [end]
ip ips sdf location [path]
set the path for SDF file
ip ips sdf built-in
copy [/erase] [url] ips-sdf
ip ips fail closed
used to stop passing any traffic until the SME finish loading the signature
ip ips signature [name] delete
ip ips signature [name] disable
ip ips signature [name] list [ACL]
ip ips name [name]
interface [type] [num]
ip ips name [in | out] [list [ACL]]
IBNS and 802.1x:
Uses only EAP for authentication between the authenticator and the authentication server. EAP methods:
EAP-MD5: uses MD5 to hash the password
LEAP: Cisco Lightweight EAP
EAP-TLS: uses transport layer security for the authentication process
PEAP
Command:
aaa authentication dot1x [default | [list-name]] methods
aaa authorization network [default | [list-name]] methods
dot1x system-auth-control
interface [type] [#]
dot1x port-control [auto | force-authorized | force-unauthorized]
dot1x reauthentication
dot1x timeout reauth-period [#]
dot1x timeout quiet-period [#]
dot1x guest-vlan [vlan#]
CoPP:
used to police usage of the control plane
Command:
control-plane
service-policy [input | output] [policy-name]
HSRP:
Cisco proprietary protocol that allows multiple routers to appear as one gateway; one router is elected as
primary (active) and the other is standby, and the routers send hello packets to maintain their state using
multicast address 224.0.0.2 (all-routers) every 3 sec by default
The active router is elected based on the priority
HSRP port states: Disabled – Init – Listen – Speak – Standby – Active
Can use plain text or MD5 authentication between the routers
The MAC address for HSRP is 0000.0c07.acXX where XX is the group number
Command:
interface [type] [#]
standby [#] priority [#]
standby [#] timer [msec] [hello#] [msec] [holdtime]
standby [#] preempt [delay [minimum [#] | reload [#]]
standby [#] authentication [string]
standby [#] md5 key-string [0 | 7] [string]
key chain [name]
key [#]
key-string [0 | 7] [string]
standby [#] track [interface type] [#] [decremented #]
standby [#] ip [ip] [secondary]
VRRP:
IETF standard
MAC address for the VRRP is 0000.5e00.01XX where XX is the group number
Command:
interface [type] [#]
vrrp [#] priority [#]
vrrp [#] timer advertise [msec] [#]
vrrp [#] preempt [delay [#]]
vrrp [#] authentication [string]
vrrp [#] ip [ip] [secondary]
GLBP:
Used to overcome the load balancing limitation of HSRP and VRRP by balancing across the
MAC addresses of the routers in the GLBP group; the router responsible for answering the ARP requests
with those MAC addresses is called the AVG
The AVG is elected by highest priority, then highest IP address
Up to five virtual MAC addresses can be assigned in the group to routers; these routers are called AVFs
Load-balancing methods: round-robin, weighted or host-dependent
Command:
interface [type] [#]
glbp [#] priority [#]
glbp [#] preempt [delay minimum #]
glbp [#] timers [msec] [hello#][msec] [holdtime#]
glbp [#] timer redirects [redirects#] [timeout]
glbp [#] weighting [max] [lower [#]] [upper [#]]
glbp [#] weighting track [#] [decrements [#]]
glbp [#] load-balancing [round-robin | weighted | host-dependent]
glbp [#] ip [ip] [secondary]
track [#] interface [type] [#] [line-protocol | ip routing]
NAT:
used to map private address to public address.
Command:
interface [type] [#]
ip nat outside
interface [type] [#]
ip nat inside
ip nat inside source static [inside-ip] [outside-ip]
ip nat pool [name] [start-ip] [end-ip] [netmask [mask] | prefix-length ]
access-list [#] permit [subnet] [wildcard-mask]
ip nat inside source list [ACL] pool [pool] [overload] [vrf [name]]
ip nat translation timeout [#]
ip nat source route-map [name] pool [name] [reversible]
DHCP:
Used to automatically assign IP addresses to clients
DHCP process: Discover – Offer – Request – Acknowledgment – Gratuitous ARP
The helper address forwards the following ports by default: DNS, TACACS, NTP, DHCP, TFTP,
NetBIOS name, NetBIOS datagram
Command:
ip dhcp pool [name]
network [subnet/prefix-length]
lease [days]
dns-server [dns]
default-router [ip]
import all
interface [type] [#]
ip helper-address [ip]
ip forward-protocol [tcp | udp] [#]
interface [type] [#]
ip address dhcp
WCCP:
used to redirect packet to cache engine.
Command:
ip wccp version [1 | 2]
ip wccp [web-cache | [service#] [accelerated] [group-address [ip]] [redirect-list [ACL]]
[group-list [ACL]] [password [string]]
interface [type] [#]
ip wccp redirect [web-cache | service#] redirect [in | out]
ip wccp redirect [web-cache | service#] group-listen
NTP:
Used to synchronize time between network devices.
A broadcast NTP server periodically broadcasts the time of day
The stratum describes how many hops away the NTP server is from the reference time source
Peering means that the server may set or synchronize its time with the other server
Command:
ntp authenticate
ntp authentication-key [#] md5 [str]
ntp trusted-key [#]
ntp peer [ip] [key [#]] [source [interface]]
ntp server [ip] [key [#]] [source [interface]]
ntp master [stratum#]
interface [type] [num]
ntp broadcast [client] | ntp multicast [ip] [client]
ntp [enable | disable]
ntp max-associations [#]
ntp access-group [peer | serve-only] [ACL]
Logging:

Command:
logging buffered [#]
logging [ip]
logging source-interface [type] [#]
logging count
SLA:
Active probing and monitoring, used through SNMP or the CLI; measures end to end at the IP layer and is
used to verify and monitor QoS
The destination router is configured as the IP SLA responder
Command:
ip sla monitor 1
type [type] dest-address [ip] dest-port [port] num-packet [#]
ip sla monitor schedule 1 life [#] start-time [time] after [time]
ip sla key-chain [#]
NetFlow:
Divided into the flow cache and the export transport
Command:
ip flow-export source [interface-type] [#]
ip flow-export destination [interface-type] [#]
ip flow-export version [#]
interface [type] [#]
ip route-cache flow
ip flow-export [ip] [port] [version [1| 5]]
ip flow-cache entries [#]
ip route-cache distributed
ip flow [egress | ingress]
RITE:
used to export IP traffic.
Command:
ip traffic-export profile [name]
interface [type] [#]
bidirectional
mac-address [mac]
incoming [access-list [ACL]] [sample one-in-every [#]]
outgoing [access-list [ACL]] [sample one-in-every [#]]
interface [type] [#]
ip traffic-export apply [name]
SNMP:

Command:
snmp-server view [name]
snmp-server community [name] [ro | rw]
snmp-server engineID local [name]
snmp-server engineID remote [ip] [name] [udp-port [#]]
snmp-server group [name] [v1 | v2c | v3] [auth | noauth| priv] [read [view-name]] [write
[view-name]] [notify [view-name]] [access [ACL]]
snmp-server host [ID] [trap | inform] [version [1 | 2c | 3]] [auth | noauth | priv] [community-
name] [udp-port [#]]
snmp-server user [name] [group] [remote [ip] [udp-port [#]]] [v1 | v2c | v3 auth [md5 | sha]
[password]] [access [ACL]]
snmp-server system-shutdown
EEM:
Command:
event manager environment [var-name] [string]
event manager policy [name] [type | system | user] [trap]
RMON:

Command:
interface [type] [#]
rmon [active | promiscuous]
rmon collection [history | host | matrix | rmon1] [controlEntry [#]] [owner [name]
[buckets [name]] [interval [#]]
rmon queuesize [#]
rmon alarm [#] [var] [sec] [delta | absolute] rising-threshold [#] falling-threshold [#] [event-
#] [owner [name]]
rmon event [#] [log] [trap [com-name]] [description [name]] [owner [name]]
FTP, TFTP, SCP, HTTP, HTTPS, TELNET:

Command:
ftp-server enable
ftp-server topdir [dir]
ip scp server enable
ip http server
ip http secure-server
ip http port [#]
ip http secure-port [#]
ip http authentication [local | tacacs]
QoS:
QoS features used to address delay, jitter and packet loss:
1- Queuing (PQ, CQ, MRR, WFQ, CBWFQ, LLQ)
2- Compression (CRTP)
QoS deployment:
1- CLI 2- MQC 3- AutoQoS 4- QoS Policy Manager
QoS categories:
1- Best effort
2- Integrated Services: guarantees bandwidth by reserving it (RSVP)
3- Differentiated Services: marks traffic and applies a policy to the marked traffic
Marking traffic can be done using the IP precedence bits of the ToS byte in the IP header or using
DSCP
IP precedence uses three bits of the ToS byte in the IP header to mark traffic.
DSCP uses six bits of the ToS byte in the IP header; the IETF selected a subset of the DSCP values and grouped them
into four categories:
1- Best Effort: all zero bits in the DSCP
2- Expedited Forwarding (EF): value 46, used for latency sensitive applications like voice
and video streaming
3- Assured Forwarding (AF): consists of 12 code points used to set the preference for
dropping packets for the traffic flows
PHB       Low Drop    Medium Drop    High Drop
Class 1   AF11(10)    AF12(12)       AF13(14)
Class 2   AF21(18)    AF22(20)       AF23(22)
Class 3   AF31(24)    AF32(26)       AF33(28)
Class 4   AF41(32)    AF42(34)       AF43(36)
4- Class Selector (CS): sets bits 4-6 of the DSCP to zero for backward compatibility with
IP precedence
QoS Tools:
1- Classification: sorts traffic into categories without altering it
2- Marking: alters the ToS or DSCP of the traffic
3- Congestion Management: queuing
4- Congestion Avoidance: avoids overloading the bandwidth by dropping some packets
5- Traffic shaping and policing
6- Link Efficiency: via compression or LFI
AutoQoS creates the QoS configuration automatically, using NBAR to classify traffic and creating an appropriate
policy for each class; for L2 it uses the CoS bits, for L3 (ToS, DSCP), Frame Relay (DE), ATM (CLP)
NBAR can be used to identify traffic from L3 to L7 for stateful marking of traffic, using a signature file
(PDLM) to recognize the protocol.
For VPN tunneling Cisco introduced pre-classification, which copies the ToS field of the original
packet to the tunnel header
Mapping CoS to DSCP is done by DSCP = CoS * 8
On Catalyst switches there are four WRR queues
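An added example (not from the original notes) that encodes and decodes the DSCP values discussed above, the IP precedence and DSCP positions inside the ToS byte, and the CoS * 8 mapping. The AF values follow the RFC 2597 formula DSCP = 8 * class + 2 * drop precedence, which gives AF31 = 26 and AF41 = 34; note that this differs from the Class 3 and Class 4 rows of the table above.

```python
# Added example, not from the original notes: encode and decode the DSCP values
# discussed above (AF classes and drop precedence, EF, CS), the IP precedence /
# DSCP layout inside the ToS byte, and the CoS -> DSCP mapping (CoS * 8).
# AF values follow the RFC 2597 formula DSCP = 8 * class + 2 * drop.


def af_dscp(af_class: int, drop: int) -> int:
    """AFxy -> DSCP: class x (1-4) in the high three bits, drop y (1-3) in the next two."""
    if af_class not in (1, 2, 3, 4) or drop not in (1, 2, 3):
        raise ValueError("AF class must be 1-4 and drop precedence 1-3")
    return 8 * af_class + 2 * drop


def cos_to_dscp(cos: int) -> int:
    """Layer 2 CoS (0-7) maps to DSCP by CoS * 8, i.e. to the matching class selector."""
    if not 0 <= cos <= 7:
        raise ValueError("CoS must be 0-7")
    return cos * 8


def describe_dscp(dscp: int) -> str:
    """Name a DSCP value: BE, EF, CSn, AFxy, or DSCPn if it is none of those."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0-63")
    if dscp == 0:
        return "BE"
    if dscp == 46:
        return "EF"
    cls, low = divmod(dscp, 8)          # high three bits = class selector / precedence
    if low == 0:
        return f"CS{cls}"               # low three bits zero: compatible with IP precedence
    if 1 <= cls <= 4 and low in (2, 4, 6):
        return f"AF{cls}{low // 2}"
    return f"DSCP{dscp}"


def tos_byte(dscp: int, ecn: int = 0) -> int:
    """ToS/DS byte: DSCP in the top six bits, ECN in the low two."""
    if not 0 <= dscp <= 63 or not 0 <= ecn <= 3:
        raise ValueError("DSCP must be 0-63 and ECN 0-3")
    return (dscp << 2) | ecn


def ip_precedence(tos: int) -> int:
    """IP precedence is the three most significant bits of the ToS byte."""
    return (tos >> 5) & 0x7


if __name__ == "__main__":
    for cls in (1, 2, 3, 4):
        print(f"Class {cls}:", [f"AF{cls}{d}({af_dscp(cls, d)})" for d in (1, 2, 3)])
    print("CoS 5 ->", describe_dscp(cos_to_dscp(5)))
    print("EF in ToS byte:", hex(tos_byte(46)), "precedence", ip_precedence(tos_byte(46)))
```

Reading the precedence straight out of the ToS byte shows why the class selectors keep backward compatibility: the three high bits of EF (46 = 101110) are 101, so a router that only understands IP precedence still sees EF traffic as precedence 5.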
RED an WRED used for queue avoidance by dropping some packet when the threshold reach to
decrease the window size, WRED use ECN explicit congestion notification to notify that the
traffic between the minimum and maximum threshold so if the two end router capable of the
ECN and the queue depth between the minimum and maximum threshold the ECT and CE bit of
the ECN set to one indicating to reduce the transmission rate
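Added example (not part of these notes and not Cisco code): it encodes and decodes the TOS byte as DiffServ uses it and applies the WRED/ECN rule described above. It assumes the standard DiffServ layout (DSCP in the upper six bits, ECT and CE in the lower two, IP precedence being the top three DSCP bits); AF code points are computed from the RFC 2597 formula AFxy = 8x + 2y, which gives AF31 = 26 and AF41 = 34.

```python
"""Encode and decode the TOS byte as DiffServ uses it, and apply the WRED/ECN rule.

Added example for these notes, not Cisco code. It assumes the standard DiffServ
layout of the TOS byte: DSCP in the upper six bits, ECN (ECT, CE) in the lower two,
IP precedence being the top three DSCP bits. AF code points follow AFxy = 8x + 2y.
"""

def af_dscp(af_class: int, drop: int) -> int:
    """Assured Forwarding code point for class 1-4 and drop precedence 1-3."""
    if not (1 <= af_class <= 4 and 1 <= drop <= 3):
        raise ValueError("AF class must be 1-4 and drop precedence 1-3")
    return 8 * af_class + 2 * drop

def cs_dscp(precedence: int) -> int:
    """Class Selector: precedence in the top three bits, lower three bits zero."""
    if not 0 <= precedence <= 7:
        raise ValueError("IP precedence is 0-7")
    return precedence << 3

def cos_to_dscp(cos: int) -> int:
    """L2 CoS to DSCP mapping from the notes: DSCP = CoS * 8 (a CS code point)."""
    if not 0 <= cos <= 7:
        raise ValueError("CoS is 0-7")
    return cos * 8

def ip_precedence(dscp: int) -> int:
    """What a precedence-only device reads from a DSCP-marked packet."""
    return dscp >> 3

def phb_name(dscp: int) -> str:
    """Name the per-hop behaviour a DSCP value maps to."""
    if dscp == 0:
        return "BE"
    if dscp == 46:
        return "EF"
    cls, rem = divmod(dscp, 8)
    if 1 <= cls <= 4 and rem in (2, 4, 6):
        return f"AF{cls}{rem // 2}"
    if rem == 0:
        return f"CS{cls}"
    return "unassigned"

def tos_byte(dscp: int, ect: bool = False, ce: bool = False) -> int:
    """Assemble the TOS byte: DSCP in bits 7..2, ECT(0) in bit 1, CE in bit 0."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is 6 bits")
    return (dscp << 2) | (int(ect) << 1) | int(ce)

def describe_tos(tos: int) -> dict:
    """Split a TOS byte into DSCP, PHB, IP precedence and ECN state."""
    dscp, ecn = tos >> 2, tos & 0b11
    ecn_name = {0b00: "Not-ECT", 0b01: "ECT(1)", 0b10: "ECT(0)", 0b11: "CE"}[ecn]
    return {"dscp": dscp, "phb": phb_name(dscp),
            "precedence": ip_precedence(dscp), "ecn": ecn_name}

def wred_drop_probability(avg_depth: float, min_th: int, max_th: int, mpd: int = 10) -> float:
    """RED/WRED curve: 0 below min, rising linearly to 1/mpd at max, tail drop above max."""
    if avg_depth < min_th:
        return 0.0
    if avg_depth > max_th:
        return 1.0
    return (avg_depth - min_th) / (max_th - min_th) / mpd

def wred_decision(tos: int, avg_depth: float, min_th: int, max_th: int,
                  mpd: int = 10, rnd: float = 0.5) -> tuple:
    """Decide what WRED with ECN does to one packet: ('pass'|'mark'|'drop', new_tos).

    rnd is the caller-supplied uniform draw in [0, 1) so the result is deterministic.
    Between the thresholds an ECT-marked packet gets CE set instead of being dropped.
    """
    p = wred_drop_probability(avg_depth, min_th, max_th, mpd)
    if p == 0.0:
        return ("pass", tos)
    if avg_depth > max_th:
        return ("drop", tos)
    if rnd >= p:
        return ("pass", tos)
    if (tos & 0b11) in (0b01, 0b10):       # ECT set: mark CE instead of dropping
        return ("mark", tos | 0b11)
    return ("drop", tos)
```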
Policing is used to limit bandwidth by discarding the traffic that exceeds the limit or
marking it; it can be applied in the input or output direction of the interface. It is suitable for
high speed interfaces. Cisco supports a single bucket for CIR policing and two buckets, one for CIR and
the other for PIR.
Shaping, unlike policing, limits the bandwidth but buffers the exceeding traffic; it is applied only
in the output direction of the interface, is suitable for low speed interfaces, and is used to limit to CIR
or PIR.
On Frame Relay, when congestion occurs the router begins discarding frames with the DE bit set, and the
router sends BECN to notify the neighbor to slow its transmission speed; when the neighbor
receives the BECN it slows the speed by 25 percent. If the traffic on the congested path goes toward
the receiver, the router sends FECN to the receiver, which causes the receiver to generate a Q.922 test
frame to the sender; the router marks this frame with BECN to notify the sender to throttle its
transmission speed.
CRTP is used to improve WAN throughput by compressing the packet header, which
can shrink from 40 bytes to 5 bytes.
LFI is used to fragment large packets into smaller ones to reduce serialization delay, allowing
small packets (like voice) that arrive after a large one to be forwarded between the fragments;
Cisco supports LFI on Multilink PPP interfaces and Frame Relay interfaces.
NBAR is used to identify protocols up to L7; it is commonly used for classifying traffic based on the
application port number.
Priority Queuing (PQ) creates four queues; traffic is serviced from the high priority queue until
it is empty, then the lower priority queues are served, and each time a packet is fetched it checks whether a
higher priority queue has packets in it. This can cause a problem called queue starvation when the higher
priority queue has a lot of packets, which makes the lower priority queue wait until it may fill up without being served.
Custom Queuing (CQ) creates 16 queues served in round-robin fashion.
Weighted Fair Queuing (WFQ) is used by default on low speed interfaces (2048 kbps and below); it works by
creating 256 queues by default, each one assigned to a traffic flow, and each queue is
weighted based on its IP precedence plus one.
RED is used for congestion management by dropping packets after the queue reaches a specific
threshold, which causes the sender to throttle its transmission speed. It does not work with PQ, CQ or WFQ.
RSVP is used to reserve bandwidth to provide QoS for a traffic flow. When the sender wants to
begin transmission it first sends a PATH message to the receiver; when this message reaches the
receiver it responds with a reservation message (Resv) to the sender. Types of RSVP: controlled-load
and guaranteed-rate. Controlled-load is used for applications that expect low latency and is implemented with
RED and WRED. Guaranteed-rate is used to guarantee bandwidth for delay sensitive
applications and is implemented with WFQ. A reservation has two classes, shared and distinct: shared means
the reservation is shared with multiple senders, while in distinct each sender has its own reservation; and
the reservation has two scopes, explicit and wild-card, which together define three reservation styles:
wild-card filter (WF), shared explicit (SE) and fixed filter (FF). The RSVP flow descriptor consists of the flowspec and
filterspec: the flowspec is the QoS requested and the filterspec is the set of packets that receive this QoS.
LLQ adds a priority queue to provide low delay for some traffic.
Command:
class-map [match-all | match-any] [name]
match .........
policy-map [name]
class-map [name]
[action]
interface [type] [#]
service-policy [input | output] [policy-name]
ip nbar pdlm [path]
interface [type] [#]
ip nbar protocol-discovery
interface [type] [#]
auto qos voip [trust] [fr-atm]
interface tunnel [#]
qos pre-classify
interface [type] [#]
fair-queue [#cdt [#queue [#reserved-queue]]]
interface [type] [#]
wrr-queue cos-map [queue#] [cos#1] [cos#2] ...
wrr-queue bandwidth [weight#1] [weight#2] [weight#3] [weight#4]
policy-map [name]
random-detect [dscp-based | prec-based]
random-detect precedence [#] [min#] [max#] [mark-probability-denominator#]
random-detect dscp [#] [min#] [max#] [mark-probability-denominator#]
random-detect ecn
policy-map [name]
police cir [cir] [bc# be#] [conform-action [action] exceed-action [action] violate-action [action]]
police cir [cir] [bc#] pir [#] [be#] [conform-action [action] exceed-action [action] violate-action [action]]
police cir percent [#] [bc#] pir percent [#] [be#] [conform-action [action] exceed-action [action] violate-action [action]]
policy-map [name]
shape [average | peak] [#] [bc# be#]
shape [average | peak] percent [#] [bc# be#]
policy-map [name]
shape average [#] [bc# be#]
shape adaptive [#]
policy-map [name]
compression header ip [tcp | rtp]
interface multilink [#]
ppp multilink interleave
ppp fragment-delay [#]
map-class frame-relay [name]
frame-relay fragment [size]
interface [type] [#]
frame traffic-shaping
frame-relay class [name]
interface [type] [#]
rate-limit [input | output] [access-group [#]] [bps] [normal-burst] [exceed-burst]
conform-action [action] exceed-action [action]
access-list rate-limit [# 100-199] [mac]
access-list rate-limit [# 0-99] [prec]
interface [type] [#]
ip nbar protocol-discovery
interface [type] [#]
random-detect
priority-list [#] protocol .....
priority-list [#] interface .....
priority-list [#] default .....
priority-list [#] queue-limit [#] [#] [#] [#]
interface [type] [#]
priority-group [#]
queue-list [#] interface ...
queue-list protocol .....
queue-list default [#]
queue-list [#] queue [#] byte-count [#]
queue-list [#] queue [#] limit [#]
interface [type] [#]
custom-queue-list [#]
interface [type] [#]
fair-queue [threshold] [queue#] [# of reserved for RSVP]
interface [type] [#]
ip rsvp bandwidth [#] [# for each flow]
TCP/IP:
IP header
version identifies the IP version, 4 or 6
header length identifies the IP header length. The minimum IP header length is 20 bytes and the maximum is
60 bytes
TOS identifies the method for handling the packet; used for QoS
total length specifies the total length of the packet; the data length is found by subtracting the header length from the
total packet length
identifier identifies the fragments of a packet so the receiver can reassemble each packet
flags three bits: the first is not used, the second is don't fragment (DF), the last is more fragments (MF), used by the
receiver to know whether the fragments of the packet have ended or not
fragment offset identifies the offset of the fragment from the beginning of the original packet
TTL now used as a hop count, set by the sender to limit the number of hops the packet can travel
protocol identifies which protocol this packet belongs to, set by the host-to-host layer
header checksum used to detect whether there is an error in the header
source and destination address identify the source and destination IPs
options include some additional fields, especially used for testing links:
loose source routing lists some of the routers that the packet must visit
strict source routing lists all the routers that the packet must visit on the way to
the destination
record route tells each router the packet enters to record the IP address of its outgoing interface
timestamp tells each router to record the timestamp when the packet arrives at it
ARP is used to find the MAC address of a destination IP
hardware type identifies the media type
protocol identifies the network layer protocol
protocol length identifies the length of the network layer address
operation identifies the ARP type: ARP request, ARP reply, Inverse ARP, Inverse ARP
reply, etc.
Proxy ARP is a method used by routers to make themselves available to hosts that are not
configured with a gateway
Gratuitous ARP is an ARP request sent for the MAC address of the sender itself; it is used to
check whether the MAC address is duplicated, to update the other hosts with the sender's new MAC,
and in HSRP to announce the new active router in the group. Disabled by default on
Cisco routers
Reverse ARP is used to find the IP address from a known MAC address
ICMP messages are classified into error messages or query and response messages.
Type identifies the purpose of the ICMP message, like echo reply, destination
unreachable, redirect, time exceeded, etc.
code identifies which information is contained, based on the message type
ICMP redirect is used by a router to inform a host to send packets to another router
in the subnet if the router sees that the destination is reachable via the other router
TCP provides reliable connection-oriented service. TCP uses the sequence number to ensure
the order of the packets. TCP uses the windowing mechanism to regulate the traffic flow
source and destination port numbers specify the application information
sequence number specifies where the data of the packet fits in the stream.
Acknowledgment acknowledges the received data from the receiver to the sender,
so the sender can know whether there is any loss of packets
header length identifies the length of the TCP header
flags are used to control the flow: congestion window reduced (CWR), ECN-echo
(ECE), urgent (URG), acknowledgment (ACK), push (PSH), reset (RST), synchronize
(SYN) and final (FIN)
window size specifies the window size in octets
checksum used to check whether there is an error in the packet
urgent pointer
options used to carry some information in the packet, like setting the maximum segment size
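Added example (not part of these notes and not Cisco code): it parses the IPv4 header fields listed above, verifies the header checksum, and decodes the TCP header and its flags. The packet bytes are constructed inline with struct; only the RFC 791 / RFC 793 field layouts are assumed, and the sample addresses are documentation ranges.

```python
"""Parse an IPv4 header and a TCP header from raw bytes and verify the IPv4 header checksum.

Added example for these notes, not from any Cisco or vendor code. The packet bytes are
constructed inline with struct; only the RFC 791 / RFC 793 field layouts are assumed.
"""
import struct

IPV4_FLAG_DF = 0x2   # don't fragment
IPV4_FLAG_MF = 0x1   # more fragments
# TCP flag names by bit position, bit 0 first (the notes list them in the reverse order)
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; the checksum field must be zero on input."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4(data: bytes) -> dict:
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, total_len, ident, flags_off, ttl, proto, csum = struct.unpack("!BBHHHBBH", data[:12])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    if not 20 <= ihl <= 60 or ihl > len(data):
        raise ValueError(f"invalid IHL {ihl}")
    zeroed = data[:10] + b"\x00\x00" + data[12:ihl]      # recompute with checksum field zeroed
    flags = flags_off >> 13
    return {
        "version": version, "header_len": ihl, "dscp": tos >> 2, "ecn": tos & 0b11,
        "total_len": total_len, "payload_len": total_len - ihl, "id": ident,
        "df": bool(flags & IPV4_FLAG_DF), "mf": bool(flags & IPV4_FLAG_MF),
        "frag_offset": (flags_off & 0x1FFF) * 8,         # offset is in 8-byte units
        "ttl": ttl, "protocol": proto,
        "checksum_ok": ipv4_checksum(zeroed) == csum,
        "src": ".".join(map(str, data[12:16])), "dst": ".".join(map(str, data[16:20])),
        "options": data[20:ihl],
    }

def parse_tcp(data: bytes) -> dict:
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", data[:20])
    data_offset = (off_flags >> 12) * 4                 # header length in bytes
    flag_bits = off_flags & 0x00FF
    flags = [name for i, name in enumerate(TCP_FLAG_NAMES) if flag_bits & (1 << i)]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "header_len": data_offset,
            "flags": flags, "window": window, "checksum": csum, "urgent_pointer": urg,
            "options": data[20:data_offset]}

def build_sample_packet() -> bytes:
    """Constructed sample: IPv4 (DF set, TTL 64, DSCP 46) carrying a TCP SYN with an MSS option."""
    tcp_opts = struct.pack("!BBH", 2, 4, 1460)                       # MSS option: kind 2, len 4
    tcp = struct.pack("!HHIIHHHH", 40000, 443, 1000, 0,
                      (6 << 12) | 0x002, 65535, 0, 0) + tcp_opts     # data offset 6 words, SYN
    total_len = 20 + len(tcp)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 46 << 2, total_len, 0x1234, IPV4_FLAG_DF << 13,
                      64, 6, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + tcp

def parse_packet(pkt: bytes) -> dict:
    """Parse the IPv4 header and, for protocol 6, the TCP header that follows it."""
    ip = parse_ipv4(pkt)
    result = {"ip": ip}
    if ip["protocol"] == 6:
        result["tcp"] = parse_tcp(pkt[ip["header_len"]:ip["total_len"]])
    return result
```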
UDP is used for connection-less service, typically used for streaming applications
static route used to create a manual route in the router
CEF creates two tables, the FIB and the adjacency table, for L3 and L2 information. Load
balancing may be equal or unequal depending on the routing protocol, and can be either
per destination for equal load balancing or per packet for unequal load sharing
Command:
arp [ip] [mac] [type]
clear arp
interface [type] [#]
arp timeout [#]
ip route [src] [mask] [interface | next-hop-ip] [metric] [permanent]
ip cef
ip cef load-balancing [per-destination | per-packet]
RIP:
operates on UDP port 520. RIP uses two messages: the Request message, used to request an update from a
neighbor, and the Response message, which carries the updates. RIP uses hop count as the metric for its
calculation
RIP timers: Update timer, by default RIP sends an update every 30 seconds, but to avoid update synchronization
Cisco routers send the update every 25.5 - 30 seconds; Invalid timer, 180 seconds, sets
how long a route stays in the routing table without a refresh; Flush timer, 240 seconds, if no
refresh update for the route occurs before this timer expires the router removes the route from
the routing table
Message format
command specifies whether the message is an update or a request message
version specifies the RIP version
address family identifier used to specify the logical address type
IP address specifies the route destination
metric specifies the metric, which is the hop count of the route
RIP can be enabled in silent mode, where it only listens to RIP messages
triggered updates, available on serial interfaces, allow the router to send updates only when a trigger
occurs, thus reducing the bandwidth consumed by the routing protocol
RIPv2 uses the multicast address 224.0.0.9 for messages between neighbors
RIPv2 message format
route tag used to carry information about the route, like the AS of an external route
RIPv2 supports authentication between routers; when authentication is implemented the first route entry
is used to carry the authentication information, so the address family identifier is set to 0xFFFF and
the route tag is used as the authentication type: for simple password it is set to 2, and Cisco supports MD5
authentication using the first and last route entries
Command:
router rip
network [ip]
passive-interface [type] [#]
neighbor [ip]
offset [acl# | name] [in | out] [#] [type] [#]
timer basic [update#] [invalid#] [hold-down#] [flush#]
version [1 | 2]
auto-summary
interface [type] [#]
ip rip triggered
ip [send | receive] version [1 | 2]
ip split-horizon
key chain [name]
key [#]
key-string [string]
accept-lifetime [hour month day year [duration second# | infinite]]
send-lifetime [hour month day year [duration second# | infinite]]
interface [type] [#]
ip rip authentication key-chain [name]
ip rip authentication mode md5
IGRP & EIGRP:
provide unequal load-sharing, metric based on a composite of variables, support not only the IP protocol
but also others like IPX. IGRP operates at the IP layer as protocol 9. IGRP classifies routes
into three categories: interior (connected), system (summarized), exterior (default route). IGRP
timers: update 90 seconds, and to provide stability without update synchronization each
router sends an update every 72-90 seconds; Invalid timer 270 seconds, flush timer 630
seconds, hold-down timer 280 seconds, sleeping timer used to delay the triggered update
composite metric includes bandwidth, delay, load, reliability, MTU
BW=10^7/bandwidth
DLY=10/delay
Metric = 256*([K1*Bw + K2*Bw/(256-Load) + K3*Delay]*[K5/(Reliability + K4)])
by default K1=K3=1, K2=K4=K5=0
so
Metric = 256*(Bw + Delay) for EIGRP, without the 256 for IGRP
EIGRP components are: 1- protocol dependent module 2- diffusing update algorithm DUAL 3-
neighbor discovery and recovery 4- reliable transport protocol RTP
1- protocol dependent module: EIGRP has a module for exchanging IP, IPX and AppleTalk routes
2- DUAL: the successor is the neighbor or next hop with the best metric for the destination; a feasible
successor is one that meets the feasibility condition, which is met when the advertised distance from
the neighbor is less than the feasible distance. When an update occurs the router sends it to its
neighbors and waits for a reply for each update; if a neighbor does not reply the router sends three
messages, and if none of them is replied to the router remains in the active state, which is called
stuck in active (SIA); if the router is still in this state after three minutes it declares this neighbor dead
3- neighbor discovery: EIGRP uses hello packets for neighbor discovery, sent every 5 seconds
on high speed interfaces and every 60 seconds on low speed interfaces; EIGRP waits for the hold
time, 15 or 180 seconds, before declaring a neighbor unreachable.
4- RTP: EIGRP uses multicast address 224.0.0.10 with guaranteed delivery, with IP protocol number
88. EIGRP uses multiple packet types: 1- Hello, used for neighbor discovery (unreliable delivery) 2-
Acknowledgment (unreliable delivery) 3- Update, used to send updates to one router using unicast or
to multiple routers using multicast (unreliable delivery) 4- Queries and Replies (reliable delivery) 5-
Request (reliable delivery)
if a reliable packet is sent without ACK 16 times the neighbor is declared dead
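Added example (not part of these notes and not Cisco code) covering the composite metric and the DUAL successor / feasible successor selection above. It assumes bandwidth in kbps and delay in microseconds as shown by "show interfaces", the standard EIGRP scaling (BW = 10^7 / min bandwidth, DLY = total delay / 10), the default K-values, and a constructed set of neighbor advertisements; the variance parameter models the unequal load-sharing the notes mention.

```python
"""EIGRP composite metric and DUAL successor / feasible successor selection.

Added example for these notes, not Cisco code. Assumptions: bandwidth in kbps and
delay in microseconds as shown by "show interfaces"; standard EIGRP scaling,
BW = 10^7 / min_bandwidth_kbps and DLY = total_delay_us / 10; default K-values
K1=K3=1, K2=K4=K5=0. The neighbor advertisements are constructed for the example.
"""
from dataclasses import dataclass

def eigrp_metric(min_bw_kbps: int, total_delay_us: int, load: int = 1, reliability: int = 255,
                 k=(1, 0, 1, 0, 0), scale: int = 256) -> int:
    """256*([K1*BW + K2*BW/(256-Load) + K3*DLY]*[K5/(Reliability+K4)]); scale=1 gives IGRP."""
    k1, k2, k3, k4, k5 = k
    bw = 10_000_000 // min_bw_kbps
    dly = total_delay_us // 10
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * dly
    if k5 != 0:                       # the reliability term only applies when K5 is non-zero
        metric = metric * k5 // (reliability + k4)
    return metric * scale

@dataclass
class Advertisement:
    """What one neighbor tells us about a destination, plus our link toward that neighbor."""
    neighbor: str
    adv_min_bw_kbps: int   # minimum bandwidth along the neighbor's own path
    adv_delay_us: int      # cumulative delay along the neighbor's own path
    link_bw_kbps: int      # bandwidth of our interface toward the neighbor
    link_delay_us: int     # delay of our interface toward the neighbor

def reported_distance(a: Advertisement) -> int:
    """Advertised distance (AD/RD): the neighbor's own metric to the destination."""
    return eigrp_metric(a.adv_min_bw_kbps, a.adv_delay_us)

def computed_distance(a: Advertisement) -> int:
    """Our metric via that neighbor: min bandwidth and added delay of the local link."""
    return eigrp_metric(min(a.adv_min_bw_kbps, a.link_bw_kbps),
                        a.adv_delay_us + a.link_delay_us)

def dual_select(ads: list, variance: int = 1) -> dict:
    """Pick successor(s), feasible successors (RD < FD) and the unequal-cost load-share set."""
    distances = {a.neighbor: computed_distance(a) for a in ads}
    fd = min(distances.values())                       # feasible distance
    successors = [a.neighbor for a in ads if distances[a.neighbor] == fd]
    feasible = [a.neighbor for a in ads
                if a.neighbor not in successors and reported_distance(a) < fd]
    load_share = [n for n in distances
                  if n in successors or (n in feasible and distances[n] <= fd * variance)]
    return {"fd": fd, "successors": successors, "feasible_successors": feasible,
            "load_share": load_share, "distances": distances}

def sample_topology() -> list:
    """Constructed: R1 and R3 are FastEthernet paths, R2 crosses a T1 (1544 kbps, 20 ms)."""
    return [
        Advertisement("R1", adv_min_bw_kbps=10000, adv_delay_us=1000,
                      link_bw_kbps=10000, link_delay_us=100),
        Advertisement("R2", adv_min_bw_kbps=1544, adv_delay_us=21000,
                      link_bw_kbps=10000, link_delay_us=100),
        Advertisement("R3", adv_min_bw_kbps=10000, adv_delay_us=1000,
                      link_bw_kbps=10000, link_delay_us=200),
    ]
```

With variance 1 only R1 carries traffic; R3 passes the feasibility condition and is used once variance is 2, while R2's reported distance exceeds the FD so it is never a feasible successor despite being loop-free in this topology.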
EIGRP message format
Version EIGRP version
op code specifies the EIGRP message type
sequence number used by RTP
ACK used for acknowledgment
autonomous system number specifies the AS number of the EIGRP process
A stub router helps the EIGRP process by eliminating the unnecessary queries that would be sent to those
routers
Command:
interface [type] [#]
bandwidth [#]
delay [#]
router eigrp [AS#]
network [ip] [wildcard]
variance [#]
maximum-path [#]
no auto-summary
eigrp stub [connected | redistributed | static | summary | receive-only]
interface [type] [#]
ip summary-address eigrp [AS] [ip] [mask]
key chain [name]
key [#]
key-string [string]
interface [type] [#]
ip authentication mode eigrp [AS] md5
ip authentication key-chain eigrp [AS] [name]
OSPF:
OSPF creates neighbor adjacencies using the router ID, which will be:
1- the IP address specified in the OSPF configuration mode, else
2- if a loopback interface is configured on the router, the highest IP of the loopback interfaces,
else
3- the highest IP address configured on the router
OSPF uses the hello protocol to discover and maintain neighbor relationships; it is used the first
time to negotiate the parameters of the relationship and finally used to elect the DR and BDR. Hello
packets are exchanged every 10 seconds on broadcast networks and 30 on non-broadcast networks, and when
hellos stop arriving the router declares the neighbor dead
network types:
P2P: OSPF sends packets using the multicast address 224.0.0.5 (all SPF routers)
Broadcast network or broadcast multi-access network: in this network a DR and BDR are elected
using hello packets with destination address 224.0.0.5, and the update packets (LSAs) are sent via the DR
and BDR with destination address 224.0.0.6 (all DR routers)
NBMA: elects a DR and BDR and the updates are sent using unicast addresses
Point-to-Multipoint: a special case of NBMA, like a collection of P2P links connected
together; in this network no DR and BDR are elected and the updates are sent using unicast
Virtual Link: used to create a virtual link that connects an area to the backbone area through another area
The DR and BDR in a multi-access network act as the representative of the network to the OSPF area
and maintain the relationships between the routers in the network to eliminate unnecessary
flooding of LSAs in the network. In a broadcast or multi-access network this
is represented as a pseudo-node that appears as a router, but this pseudo-node does not affect the overall
cost of the path. Each router on the broadcast link forms an adjacency with the DR. The DR and BDR are
elected based on priority and router ID: first all routers that claim to be DR send hellos with
themselves as DR; after two-way communication is established and all packets are received, each
router creates a list of all routers that claim to be BDR, and the one with the highest priority becomes the
BDR, in a tie the highest router ID; if no router claims to be BDR the router with the highest router
ID becomes the BDR; if one or more claim to be DR, the highest priority wins, in a tie the
highest router ID becomes the DR; if no one wants to be DR the newly elected BDR becomes the DR and
the BDR election is repeated
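Added example (not part of these notes and not Cisco code) for the router ID selection and the DR/BDR election described above. It assumes router IDs and IPs compare as 32-bit integers, that priority 0 makes a router ineligible (standard OSPF behaviour), and that both the BDR and DR steps break ties by priority then router ID; the hello contents are constructed for the example.

```python
"""OSPF router ID selection and DR/BDR election as described in these notes.

Added example, not Cisco code. Router IDs and IPs are compared as 32-bit integers;
a priority of 0 makes a router ineligible (standard OSPF behaviour). The hellos
seen on the segment are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

def _ip(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))

def select_router_id(configured: Optional[str], loopbacks: list, interfaces: list) -> str:
    """1- configured router-id, else 2- highest loopback IP, else 3- highest interface IP."""
    if configured:
        return configured
    pool = loopbacks or interfaces
    if not pool:
        raise ValueError("no IP address available for the router ID")
    return max(pool, key=_ip)

@dataclass
class Hello:
    """The fields of one router's hello that matter for the election."""
    router_id: str
    priority: int
    claimed_dr: str = "0.0.0.0"    # what this router lists as DR in its hello
    claimed_bdr: str = "0.0.0.0"   # what this router lists as BDR in its hello

def _best(hellos: list) -> str:
    """Highest priority wins; ties go to the highest router ID."""
    return max(hellos, key=lambda h: (h.priority, _ip(h.router_id))).router_id

def _elect_bdr(candidates: list) -> str:
    claimants = [h for h in candidates if h.claimed_bdr == h.router_id]
    if claimants:
        return _best(claimants)
    return _best(candidates) if candidates else "0.0.0.0"

def elect_dr_bdr(hellos: list) -> tuple:
    """Return (DR, BDR) from the hellos seen on a broadcast or NBMA segment."""
    eligible = [h for h in hellos if h.priority > 0]
    if not eligible:
        return ("0.0.0.0", "0.0.0.0")
    # BDR step: only routers not declaring themselves DR take part
    not_dr = [h for h in eligible if h.claimed_dr != h.router_id]
    bdr = _elect_bdr(not_dr)
    # DR step: routers declaring themselves DR; an existing DR is not preempted
    dr_claimants = [h for h in eligible if h.claimed_dr == h.router_id]
    if dr_claimants:
        return (_best(dr_claimants), bdr)
    # nobody claims DR: the new BDR is promoted and the BDR election is repeated
    dr = bdr
    bdr = _elect_bdr([h for h in not_dr if h.router_id != dr])
    return (dr, bdr)
```

The second test case shows the non-preemption that the election rules imply: a router joining a segment with priority 255 only becomes BDR while the current DR keeps claiming the role.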
OSPF interface states:
1- Down state is the initial state.
2- P2P state applies only on P2P and P2MP networks and virtual links
3- Waiting state applies only on Broadcast and NBMA networks; when the interface changes to
this state it begins sending hellos and the router attempts to identify the DR and BDR
4- DR state: in this state the router is the DR on the attached network
5- BDR state: in this state the router is the BDR on the attached network
6- DROther state: in this state the router is neither the DR nor the BDR on the network
7- Loopback state, which applies to loopback interfaces
OSPF neighbors: the adjacency is established in four phases:
1- neighbor discovery
2- bidirectional communication
3- database synchronization
4- full adjacency
OSPF uses hello packets for neighbor discovery; on Broadcast and P2P it sends hellos to the 224.0.0.5
destination IP, on NBMA and P2MP it uses unicast IP addresses
In an NBMA network the router sends hello packets every poll interval while the neighbor state
is down
Neighbor states are:
1- Down
2- Attempt: in NBMA networks, occurs the first time the router becomes active or during the DR
election
3- Init: the router has started sending hello messages
4- 2-Way: the router sees its own ID in the hello packet, which indicates that bidirectional
communication is established
5- ExStart: establishing the master/slave relationship and determining the DD sequence number; the
highest router ID becomes the master
6- Exchange: the router sends database description packets describing its link-state database to the
neighbor and may also send link state requests
7- Loading: the router sends more link state request packets
8- Full: the adjacency is established and the databases are synchronized
When the neighbors discover each other, each sends a DD packet with itself set as
the master; when the master election is decided the slave router replies with a DD packet with the MS bit set
to 0 and the sequence number of the master. After this the routers change state from
ExStart to Exchange, then the LSA synchronization is done with link state request and
link state update packets, and each update must be acknowledged either by explicit acknowledgment,
containing the LSA header of the received packet, or implicit acknowledgment, including the entire
LSA of the received packet
Router types:
1- Internal Router: all interfaces in a single area, has a single link state database
2- ABR: connects one or more areas to the backbone area and acts as the gateway for inter-area
traffic
3- Backbone Router: located in the backbone area
4- ASBR: the gateway for external routes, injects the external routes into the OSPF
domain
A Virtual Link is a link used to connect to the backbone area through a non-backbone area, and can be
used to connect two parts of a partitioned backbone area through a non-backbone area; the virtual link
is a tunnel created between two ABRs, and the cost of the virtual link is the cost of the route in the
routing table of the ABR
The Link State Database is refreshed every 30 minutes with the entire database; Cisco introduced pacing,
which means each LSA has its own LS-Refresh time, and after 30 minutes the refresh can be delayed to group LSAs
together, by default 4 minutes
LSA types:
1- Router LSA: describes each router's number of interfaces and the state of its links,
TYPE-1
2- Network LSA: produced by the DR, TYPE-2
3- Network Summary LSA: originated by the ABR, TYPE-3
4- ASBR Summary LSA: originated by the ABR, TYPE-4
5- AS External LSA: originated by the ASBR, TYPE-5
6- NSSA External LSA: originated by the ASBR in the NSSA area, TYPE-7
7- Opaque LSAs: used to add extensions to OSPF, especially for MPLS
A Stub area blocks receipt of TYPE-4 and TYPE-5 LSAs and uses a default route originated by the ABR to
reach the external routes
A Totally Stubby Area also blocks TYPE-3 LSAs
An NSSA is a stub area that has an ASBR; it originates external routes using TYPE-7 LSAs, and when they
reach the ABR it converts them to TYPE-5 LSAs
Route types:
1- intra-area route: a route within the same area
2- inter-area route: a route to another area in the same OSPF domain
3- external route type 1: a route to an external destination originated by an ASBR; its cost is the
sum of the external route cost plus the cost to the ASBR
4- external route type 2: a route to an external destination, but its cost is only the cost of the external route
OSPF over demand circuits can be implemented with do-not-age of the LS database, which removes the
need for hello packets and the LSA refresh every 30 minutes
OSPF uses IP protocol number 89
Packet Header:
Type: 1- Hello 2- DD 3- LS Request 4- LS Update 5- LS Acknowledgment
Authentication type: 0 none, 1 simple, 2 MD5
Hello packet
DD packet
LS request
LS update
LS ACK
LSA header
Router LSA
link type: 1 P2P 2 connection to a transit network 3 connection to a stub network 4 virtual link
Network LSA
External and Summary External LSA
AS external LSA
NSSA External LSA
option field
DN used with MPLS layer 3 VPN
O set to indicate the originating router supports opaque LSAs
DC set to indicate that the router supports OSPF over demand circuits
EA set to indicate that the router can send and receive external attributes
N/P N means support for NSSA
MC set when the router is capable of multicast forwarding
E set when capable of accepting external AS LSAs
MT set to indicate the router supports multi-topology OSPF
OSPF can run on the secondary IP address if the primary runs OSPF, but it can't form a
neighbor adjacency there, so it is seen as a stub network
Command:
router ospf [#]
network [subnet] [wild-card] area [#]
area [#] stub [no-summary]
area [#] default-cost [#]
area [#] nssa [no-summary] [no-redistribution] [default-information-originate]
area [#] range [sub-net] [mask] [no-advertise]
area [#] filter-list prefix [name] [in | out]
area [#] authentication [message-digest]
area [#] virtual-link [destination IP]
neighbor [ip] [priority [#]] cost [#]
ospf auto-cost reference-bandwidth [#]
ip route [sub-net] [mask] null0
ip ospf name-lookup
interface [type] [#]
ip ospf authentication-key [str]
ip ospf message-digest-key [#] md5 [name]
ip ospf network [broadcast | point-to-multipoint [non-broadcast]]
ip ospf priority [#]
ip ospf demand-circuit
IS-IS:
this routing protocol is for CLNP; the area border in IS-IS is on the links, not the router itself. An IS
can be L1, L2 or L1/L2: an L1 router is like a non-backbone area router, L2 is in the backbone area, and
L1/L2 maintains two link state databases
The NET is an ISO address of length 8 to 20 bytes which describes the area and the system ID; on the
Cisco platform the system ID is 6 bytes; if the SEL part of the ISO address equals 0 the address
represents the NET
the network layer of ISO consists of two sublayers:
1- Subnetwork dependent layer: its functions are the transmission and reception of PDUs, exchanging
hello packets, and establishing and maintaining neighbor adjacencies
Network types are broadcast or P2P
neighbor adjacency: built using hello packets, which are sent by default every 10 seconds
L1 builds an adjacency only if the area ID (AID) matches
L2 builds an adjacency even if the AID does not match
and the default hold time equals three times the hello interval
the circuit ID is the ID assigned to the IS-IS router interface; on a broadcast network it is the combination
of the DR router ID and the LAN interface number, known as the LAN ID
on a multi-access network IS-IS elects a DR, but unlike OSPF the adjacencies are built
between all routers, and the DR ensures reliable flooding of the LSPs using messages called
SNP (sequence number PDU)
IS-IS elects the DR based on the higher priority; in a tie the router interface with the higher MAC address
becomes the DR
2- Subnetwork independent layer: defines how to deliver packets through the CLNP network.
Update process: used to construct the L1 and L2 databases
The LS refresh time is 15 minutes minus a jitter time to avoid synchronization, and the maximum lifetime
is 20 minutes. IS-IS uses SNPs to maintain database synchronization and each update must
be acknowledged; there are two types of acknowledgment: PSNP, used on P2P networks as an
explicit acknowledgment, and CSNP, used on broadcast networks via multicast, using
MAC address 0180.c200.0014 for L1 and 0180.c200.0015 for L2
An IS-IS router can signal other routers about its memory overload using an LSP bit called OL, and
this OL bit is used to synchronize the convergence of the IGP and BGP when implemented
Decision: after the LS database is flooded to all routers in the area, IS-IS begins calculating the
shortest path to each destination based on the metric of the subnets. IS-IS supports the metrics default,
delay, expense and error; Cisco only supports the default metric, with a default of 10 on each interface
PDU format
Command:
router isis
net [ISO-address]
is-type [level-1 | level-2 | level1/2]
summary-address [ip] [mask]
authentication mode text [level-1 | level-2]
authentication key-chain [key-name] [level1 | level2]
interface [type] [#]
ip router isis
clns router isis
isis password [string]
EGP:
AS number private range 64512 - 65535
EGP has no algorithm to choose the optimal path, but it has a language for different ASes to talk
together; it has no mechanism to discover neighbors, so they must be configured manually
-Neighbor acquisition protocol: used to acquire a manually configured neighbor by sending a Neighbor
Acquisition Request; the neighbor replies with Neighbor Acquisition Confirm, or refuses the
neighbor relationship by replying with Neighbor Acquisition Refuse. A neighbor can drop
the relationship by sending a Neighbor Cease message, and the other router replies with
Neighbor Cease Acknowledgment. After the neighbor relationship is established one router is the active and the
other is the passive; Cisco implements that using the AS number, the lowest AS being the active
-Neighbor Reachability Protocol: uses hellos sent every 60 seconds; after three messages
the neighbor transitions from down to up state, and if three hellos are not responded to by the neighbor
the state changes to cease state, then it sends three cease messages, and if there is no response from
the neighbor the state changes to idle and after 5 minutes it retries neighbor discovery again. The
passive router sends poll messages and waits for 180 seconds two times; if there is no response it
changes to dead and then to cease and sends three cease messages, waits for three, and if there is no response
changes state to idle
-Network Reachability Protocol: EGP increases the sequence number by 1 every poll interval of
180 seconds; it sends updates containing a list of networks reachable via the network. The AD of EGP is
140 and the cost increments by three
Command:
autonomous-number [#]
router egp [#]
neighbor [#]
neighbor [#] third-party [#]
default-information originate
BGP:
work on TCP port 179, and before establish the peering the three handshake must be performed,
all BGP messages are unicast.
BGP Messages:
-Open message: after the BGP neighbor establish the TCP session use this message to identify
each other and to exchange the parameter of each one include the BGP version, AS number, Hold
time, BGP identifier
-Keep alive message: send every 60 second to check the neighbor health
-Update message used to carry the route information such NLRI, path attribute, withdrawn status
-Notification message: send if there is error occurred that need to close the connection of BGP
session
BGP state:
-Idle state
-Connect state the BGP wait for the TCP connection to be established, send open message then it
transition to open sent state, the continue listen from the neighbor if it created move to active
state , if the connection retry timer expire without success any input event cause transition to idle
state
-Active state the BGP initiate to create TCP connection (wait 4 minute) if it success transit to
open sent state, if failed to create the connection will try again, if the connection retry timer
expire without success any input event cause transition to idle state
-Open Sent the open sent message sent and the BGP wait for open message from the neighbor
when it received the message check if there is error the notification sent. If there is no error the
keep alive message sent and the hold time negotiate and the type of connection determine if it
internal or external then transit to open confirm state. If an TCP disconnect message received then
close the BGP connection and try listen to another connection if any input event transit to active
state
-Open Confirm state: wait for the keep alive message or notification if keep alive the state
transition to established if notification received the state transition to idle
-Established state: in this state the neighbor establish the BGP peering and begin sending update
keep alive and notification messages if update or keep alive message received the hold time and
reset, if the notification received the state transition to idle
Path Attribute: divided into four categories well-know mandatory which must be included in any
updates, well-know discretionary which may or not included in the updates, optional-transitive
BGP process should accept the which it is included even if it's does not support the attribute and
must be advertise to the peer, optional non-transitive BGP process that not recognize this attribute
could ignore it and does not advertise to the peers
1- Origin (well-known mandatory): specifies the origin of the routing update: IGP → EGP →
Incomplete
2- AS path (well-known mandatory): carries the sequence of ASes traversed to reach the destination
3- Next hop (well-known mandatory): specifies the next-hop IP of the route. If the neighbor is in a
different AS the next hop is the IP of the updating router; if the neighbor is in the same AS and the route
originated inside the AS the next hop is the updating router; if the route is external and the updating
router is in the same AS, the next hop stays the external router (it is not changed over IBGP)
4- Local Preference (well-known discretionary): used only between IBGP peers
5- MED (optional non-transitive): used between EBGP peers to influence which entry point the
neighboring AS uses for traffic coming into this AS; the MED is not propagated beyond the two directly
connected ASes
6- Atomic Aggregate & Aggregator: used with overlapping routes, especially with summarization. The
options are: advertise both routes, advertise only the more specific route, advertise only the
non-overlapping part of the route, aggregate the two routes, advertise only the less specific route, or
advertise neither.
Atomic Aggregate (well-known discretionary) alerts the other routers that the route was aggregated;
Aggregator (optional transitive) specifies where the aggregation was performed
7- Community (optional transitive): used for policy management by tagging routes, so that policy is
applied to the tag rather than to every route individually
8- Originator ID and Cluster List: used by route reflectors for loop detection; both are optional
non-transitive
9- Weight
10- AS path segments: two types. AS_SEQUENCE lists the AS numbers in the path in order; AS_SET lists
the AS numbers in the path unordered. AS_SET is used when aggregation is performed, to keep the
original AS numbers of the component routes in the path of the aggregate so that loops cannot occur
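As an added illustration of items 2 and 10 (not code from the original notes), the following Python builds the AS_PATH of an aggregate from its component routes, prepends the local AS as an EBGP speaker would, and applies the loop check a receiving router performs. The segment representation and the AS numbers are constructed for the example; component routes are assumed to contain AS_SEQUENCE segments only.

```python
from typing import List, Tuple

# AS_PATH segment types (RFC 4271). An AS_SEQUENCE is an ordered list of AS
# numbers; an AS_SET is an unordered collection left behind by aggregation so
# that every AS that contributed a component route still appears in the path.
AS_SEQUENCE = "AS_SEQUENCE"
AS_SET = "AS_SET"

Segment = Tuple[str, Tuple[int, ...]]  # (segment type, AS numbers)


def prepend_as(path: List[Segment], local_as: int) -> List[Segment]:
    """Add the local AS at the front of the path, as done when advertising
    a route to an EBGP peer."""
    if path and path[0][0] == AS_SEQUENCE:
        return [(AS_SEQUENCE, (local_as,) + path[0][1])] + path[1:]
    return [(AS_SEQUENCE, (local_as,))] + path


def aggregate_paths(paths: List[List[Segment]]) -> List[Segment]:
    """Build the AS_PATH of an aggregate from its component routes (the
    'as-set' behaviour): the leading AS numbers common to every component
    stay in an AS_SEQUENCE, every other AS number goes into one AS_SET.
    Assumption: components consist of AS_SEQUENCE segments only."""
    flat: List[List[int]] = []
    for path in paths:
        asns: List[int] = []
        for kind, numbers in path:
            if kind != AS_SEQUENCE:
                raise ValueError("component paths with AS_SET segments are not handled here")
            asns.extend(numbers)
        flat.append(asns)

    common: List[int] = []
    for column in zip(*flat):            # walk the paths position by position
        if len(set(column)) != 1:
            break
        common.append(column[0])

    leftovers = set()
    for asns in flat:
        leftovers.update(asns[len(common):])

    result: List[Segment] = []
    if common:
        result.append((AS_SEQUENCE, tuple(common)))
    if leftovers:
        result.append((AS_SET, tuple(sorted(leftovers))))
    return result


def path_contains_as(path: List[Segment], asn: int) -> bool:
    """True if the AS number appears in any segment, ordered or not."""
    return any(asn in numbers for _, numbers in path)


def accept_update(path: List[Segment], local_as: int) -> bool:
    """Loop check on receipt: an update whose AS_PATH already lists our own
    AS has already passed through us once and is dropped."""
    return not path_contains_as(path, local_as)


def as_path_length(path: List[Segment]) -> int:
    """Hop count used by the best-path step 'shortest AS path': each
    AS_SEQUENCE entry counts one, an AS_SET counts as a single hop."""
    return sum(len(numbers) if kind == AS_SEQUENCE else 1 for kind, numbers in path)
```

Because the AS_SET keeps 65002 and 65003 in the aggregate's path, a router in either of those ASes still rejects the aggregate, which is exactly the loop protection item 10 describes.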
BGP decision process: the BGP routing information base has three parts: 1- Adj-RIB-In stores the
routes received from the peers; 2- Loc-RIB stores the routes after the local policy has been applied;
3- Adj-RIB-Out stores the routes advertised to the peers
Procedure:
1- highest weight
2- highest local preference
3- prefer the route originated by this router itself (learned from the IGP on the same router)
4- shortest AS path
5- lowest origin code: IGP → EGP → Incomplete
6- lowest MED
7- EBGP → confederation EBGP → IBGP
8- shortest IGP path to the NEXT_HOP
9- if still tied and the maximum-paths command is applied, load balance over the tied routes
10- if still tied, select the route from the lowest BGP router ID
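The procedure above, carried out as an added Python example (not the notes' own code and not a vendor implementation): each step keeps only the candidates that win on that attribute and stops as soon as one route is left. The Route fields and the sample routes are constructed for the example; MED is compared across all candidates, which corresponds to the `bgp always-compare-med` setting listed in the commands rather than the default behaviour.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Lower code is better: IGP < EGP < INCOMPLETE (step 5).
ORIGIN_CODE = {"IGP": 0, "EGP": 1, "INCOMPLETE": 2}
# Lower rank is better: EBGP < confederation EBGP < IBGP (step 7).
PEER_RANK = {"ebgp": 0, "confed": 1, "ibgp": 2}


@dataclass
class Route:
    """One candidate path for a prefix as it sits in the Loc-RIB
    (constructed sample data, not a real BGP table)."""
    prefix: str
    router_id: str                    # BGP router ID of the advertising peer
    weight: int = 0                   # local weight, highest wins
    local_pref: int = 100
    locally_originated: bool = False  # injected on this router (network/redistribute)
    as_path: Tuple[int, ...] = ()
    origin: str = "IGP"
    med: int = 0
    peer_type: str = "ebgp"           # "ebgp", "confed" or "ibgp"
    igp_metric: int = 0               # IGP cost to reach NEXT_HOP


# (step label, attribute to compare, True if the highest value wins)
STEPS: List[Tuple[str, Callable[[Route], int], bool]] = [
    ("1 highest weight", lambda r: r.weight, True),
    ("2 highest local preference", lambda r: r.local_pref, True),
    ("3 locally originated", lambda r: int(r.locally_originated), True),
    ("4 shortest AS path", lambda r: len(r.as_path), False),
    ("5 lowest origin code", lambda r: ORIGIN_CODE[r.origin], False),
    # Assumption: MED compared across every candidate, as with
    # 'bgp always-compare-med'; by default it is only compared between
    # routes received from the same neighbouring AS.
    ("6 lowest MED", lambda r: r.med, False),
    ("7 EBGP over confederation over IBGP", lambda r: PEER_RANK[r.peer_type], False),
    ("8 lowest IGP metric to NEXT_HOP", lambda r: r.igp_metric, False),
]


def _router_id_key(router_id: str) -> Tuple[int, ...]:
    """Numeric ordering of a dotted-quad router ID."""
    return tuple(int(octet) for octet in router_id.split("."))


def select_best(routes: List[Route], maximum_paths: int = 1) -> Tuple[List[Route], str]:
    """Run the decision steps in order, dropping losers at each step, and
    return (winning routes, the step that decided). With maximum_paths > 1
    a tie after step 8 returns up to that many routes for load sharing
    (step 9); otherwise the lowest router ID breaks the tie (step 10)."""
    candidates = list(routes)
    if not candidates:
        return [], "no candidates"
    for label, key, highest_wins in STEPS:
        values = [key(r) for r in candidates]
        best_value = max(values) if highest_wins else min(values)
        candidates = [r for r in candidates if key(r) == best_value]
        if len(candidates) == 1:
            return candidates, label
    if maximum_paths > 1:
        return candidates[:maximum_paths], "9 multipath load sharing"
    winner = min(candidates, key=lambda r: _router_id_key(r.router_id))
    return [winner], "10 lowest BGP router ID"
```

Returning the deciding step alongside the winner is the useful part when troubleshooting: it tells you which attribute to change (or which policy is being applied) if the router is not choosing the path you expected.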
Route Dampening: used to control flapping routes by assigning a penalty to the route each time a flap
occurs. There is a half-life period: the penalty decays at a rate that reduces it by half at the end of each
half-life. If the penalty exceeds the predefined threshold known as the suppress limit, the route is
suppressed, and it stays suppressed until the half-life decay reduces the penalty below a second threshold
called the reuse limit
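Worked numerically as an added Python example (not from the notes): the penalty decays exponentially with the configured half-life, a flap adds a fixed penalty, and the route is released once the penalty has fallen below the reuse limit. The parameter values are the commonly cited defaults of `bgp dampening` (half-life 15 min, reuse 750, suppress 2000, max-suppress 60 min, 1000 per flap) and are an assumption of the example, as is the continuous decay formula.

```python
import math
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DampeningParams:
    """Dampening parameters; times are in minutes. The defaults below are
    the commonly cited 'bgp dampening' defaults, assumed for the example."""
    half_life: float = 15.0
    reuse_limit: float = 750.0
    suppress_limit: float = 2000.0
    max_suppress_time: float = 60.0
    flap_penalty: float = 1000.0


def decayed_penalty(penalty: float, elapsed_minutes: float, half_life: float) -> float:
    """Exponential decay: the penalty halves every half-life."""
    return penalty * 0.5 ** (elapsed_minutes / half_life)


def time_until_reuse(penalty: float, params: DampeningParams) -> float:
    """Minutes until the penalty has decayed to the reuse limit."""
    if penalty <= params.reuse_limit:
        return 0.0
    return params.half_life * math.log2(penalty / params.reuse_limit)


def max_penalty(params: DampeningParams) -> float:
    """Ceiling on the penalty: the value from which decay to the reuse limit
    takes exactly max-suppress-time, so a route is never suppressed longer."""
    return params.reuse_limit * 2 ** (params.max_suppress_time / params.half_life)


@dataclass
class DampenedRoute:
    """Dampening state for one route; clock values are minutes and must
    be non-decreasing between calls."""
    params: DampeningParams = field(default_factory=DampeningParams)
    penalty: float = 0.0
    last_update: float = 0.0   # time the penalty was last computed
    suppressed: bool = False

    def _decay_to(self, now: float) -> None:
        self.penalty = decayed_penalty(self.penalty, now - self.last_update, self.params.half_life)
        self.last_update = now

    def flap(self, now: float) -> bool:
        """Record a flap at time 'now'; returns whether the route is suppressed."""
        self._decay_to(now)
        self.penalty = min(self.penalty + self.params.flap_penalty, max_penalty(self.params))
        if self.penalty > self.params.suppress_limit:
            self.suppressed = True
        return self.suppressed

    def is_suppressed(self, now: float) -> bool:
        """Advance the clock to 'now', release the route once the penalty has
        decayed below the reuse limit, and report the current state."""
        self._decay_to(now)
        if self.suppressed and self.penalty < self.params.reuse_limit:
            self.suppressed = False
        return self.suppressed
```

With these numbers three flaps in quick succession reach a penalty of 3000, which takes two half-lives (30 minutes) to decay to the reuse limit; the penalty ceiling of 12000 is what caps suppression at the 60 minute max-suppress-time.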
IBGP and IGP synchronization: IBGP peers must be fully meshed to avoid routing loops. The
synchronization rule says a router must not use or advertise an IBGP-learned route until the IGP also
knows that route, otherwise the routers between the IBGP peers have no path to it. So for IBGP to work
correctly, either redistribute the external routes into the IGP, or build a fully meshed IBGP network and
disable synchronization
Peer Groups and Communities: used to simplify policy implementation, on peers by using a peer group
and on routes by using a community
Route Reflector: used to manage IBGP peering by reducing the full mesh. One router is set as the route
reflector (RR) and maintains a peering with each of the other routers as its clients, reflecting routes to
those clients. For stability more than one router can be an RR, with each client peering with all of these
RRs. The RR handles updates as follows: 1- if the update is from a non-client, the RR sends it to the
clients only; 2- if the update is from a client, the RR sends it to the other clients and to the non-clients;
3- if the update comes from an external (EBGP) router, the RR sends it to the clients and the non-clients.
The RR uses two attributes for this: ORIGINATOR_ID and CLUSTER_LIST
Confederation: used to manage the IBGP network by dividing the AS into sub-ASes, mainly numbered
from the private AS range; these sub-ASes appear to external peers as a single AS. The routers within
one sub-AS run IBGP between each other and EBGP to the other sub-ASes; this prevents routing loops
and satisfies the IBGP full-mesh requirement within each sub-AS only. Confederations use two new
AS_PATH segment types: AS_CONFED_SEQUENCE, an ordered list of the sub-ASes of the route, and
AS_CONFED_SET, an unordered list
Command:
router bgp [AS]
neighbor [ip] remote-as [AS]
no auto-summary
network [subnet] mask [mask] [backdoor]
neighbor [ip] default-originate
neighbor [ip] distribute-list [ACL#] [out | in]
neighbor [ip] update-source [type] [#]
neighbor [ip] ebgp-multihop [#]
aggregate-address [ip] [mask] [summary-only] suppress-map [route-map]
attribute-map [route-map] [as-set] advertise-map [route-map]
neighbor [ip] description [string]
neighbor [ip] password [pass]
neighbor [ip] advertisement-interval [#]
neighbor [ip] version [#]
bgp bestpath as-path ignore
neighbor [ip] maximum-prefix [#] [percentage] [warning-only]
neighbor [ip] filter-list [AS_ACL] weight [#]
neighbor [ip] weight [#]
distance bgp [ebgp#] [ibgp#] [local#]
bgp always-compare-med
table-map [route-map]
bgp dampening
neighbor [group-name] peer-group
neighbor [ip] peer-group [name]
neighbor [ip] send-community
neighbor [ip] remove-private-as
bgp confederation identifier [original-AS#]
bgp confederation peers [list-of-confederation-peer-AS#]
bgp deterministic-med
neighbor [ip] route-reflector-client
bgp cluster-id [#]
no bgp client-to-client reflection
ip community-list [1-99] [permit | deny] [community#]
ip community-list [100-199] [permit | deny] [community# | regexp]
ip bgp-community new-format
Multicasting:
To implement multicasting, three things are needed: multicast IP addresses must be defined, a mechanism
for joining and leaving a multicast group, and a multicast routing protocol
Command:
