ROUTE 300-101 Category

Router Questions

August 7th, 2017 digitaltut 18 comments

Question 1

Explanation

To determine which scheme has been used to encrypt a specific password, check the digit preceding the encrypted string in the configuration file. If that digit is a 7, the password has been encrypted using the weak algorithm. If the digit is a 5, the password has been hashed using the stronger MD5 algorithm.

For example, in the configuration command:

enable secret 5 $1$iUjJ$cDZ03KKGh7mHfX2RSbDqP.

The enable secret has been hashed with MD5, whereas in the command:

username jdoe password 7 07362E590E1B1C041B1E124C0A2F2E206832752E1A01134D

The password has been encrypted using the weak reversible algorithm.

When we enter the “enable secret” command with a number after that, the IOS can specify that the password has been encrypted so it will not encrypt any more and accept that password.

In new Cisco IOS (v15+), it seems the device does not recognize “enable secret 7” command as encrypted password. We tried on Cisco IOS v15.4 and see this:

enable_secret.jpg

When we tried to enter the command “enable secret 7 07362E590E1B1C041B1E124C0A2F2E206832752E1A01134D”, the Cisco IOS automatically change the command to “enable secret 5 $1$dLq2$qgzb4bgdsasX8dx1oHOkD.” (in the running-config file). So if you paste an “enable secret 7 …” command from an old Cisco IOS version, you cannot login any more with your password.

Note: In fact, there is an error with the answer D. As we entered the command in answer D, the router denied the encrypted password because it was not a valid encrypted secret password. That means the router also checked if the password was hashed correctly or not. But it is the best answer in this question.

enable_secret_error.jpg

Question 2

Explanation

Excessive debugs to the console port of a router can cause the router to hang. This is because the router automatically prioritizes console output ahead of other router functions. Hence if the router is processing a large debug output to the console port, it may hang. Hence, if the debug output is excessive use the vty (telnet) ports or the log buffers to obtain your debugs.

Note: By default, logging is enabled on the console port. Hence, the console port always processes debug output even if you are actually using some other port or method (such as Aux, vty or buffer) to capture the output. Hence, Cisco recommends that, under normal operating conditions, you have the no logging console command enabled at all times and use other methods to capture debugs.

To enable logging logging on your virtual terminal connection (telnet), use the “terminal monitor” command under Privileged mode (Router#)

Reference: http://www.cisco.com/c/en/us/support/docs/dial-access/integrated-services-digital-networks-isdn-channel-associated-signaling-cas/10374-debug.html

Question 3

Explanation

Per-packet load-balancing means that the router sends one packet for destination1 over the first path, the second packet for (the same) destination1 over the second path, and so on. Per-packet load balancing guarantees equal load across all links. However, there is potential that the packets may arrive out of order at the destination because differential delay may exist within the network -> Answer D is correct.

When searching the routing table, the router looks for the longest match for the destination IP address prefix. This is done at “process level” (known as process switching), which means that the lookup is considered as just another process queued among other CPU processes

Interrupt-level switching means that when a packet arrives, an interrupt is triggered which causes the CPU to postpone other tasks in order to handle that packet.

In general, process switching is faster then interrupt-level switching and can cause out-of-order packets.

Question 4

Explanation

The command “debug condition interface <interface>” command is used to disable debugging messages for all interfaces except the specified interface so in this case the debug output will be shown on Fa0/1 interface only.

Note: If in this question there was another “debug condition interface fa0/0” command configured then the answer should be C (both interfaces will show debugging ouput).

Question 5

Explanation

There are a few simple steps you can follow to ensure your VTY lines are as secure as possible. The easiest way is to enable username / password authentication. Other ways are to include an access-list to prevent unwanted IP addresses from connecting and use SSH to encrypt the traffic connecting to the device.

Question 6

Explanation

An Integrated Services Router(ISR) router can be implemented an Ethernet Switch Module to perform both IP routing and inter-VLAN routing. With this module, an ISR router will contain interface vlan configurations.

Access List

August 6th, 2017 digitaltut 175 comments

Question 1

Explanation

The first answer is not correct because the 10.0.0.0 network range is not correct. It should be 10.0.0.0. to 10.255.255.255.

Question 2

Explanation

Logging-enabled access control lists (ACLs) provide insight into traffic as it traverses the network or is dropped by network devices. Unfortunately, ACL logging can be CPU intensive and can negatively affect other functions of the network device. There are two primary factors that contribute to the CPU load increase from ACL logging: process switching of packets that match log-enabled access control entries (ACEs) and the generation and transmission of log messages.

Process switching is the slowest switching methods (compared to fast switching and Cisco Express Forwarding) because it must find a destination in the routing table. Process switching must also construct a new Layer 2 frame header for every packet. With process switching, when a packet comes in, the scheduler calls a process that examines the routing table, determines which interface the packet should be switched to and then switches the packet. The problem is, this happens for the every packet.

Reference: http://www.cisco.com/web/about/security/intelligence/acl-logging.html

Question 3

Explanation

If you use the “debug ip packet” command on a production router, you can bring it down since it generates an output for every packet and the output can be extensive. The best way to limit the output of debug ip packet is to create an access-list that linked to the debug. Only packets that match the access-list criteria will be subject to debug ip packet. For example, this is how to monitor traffic from 1.1.1.1 to 2.2.2.2

access-list 100 permit ip 1.1.1.1 2.2.2.2
debug ip packet 100

Note: The “debug ip packet” command is used to monitor packets that are processed by the routers routing engine and are not fast switched.

Question 4

Question 5

Question 6

Question 7

Question 8

Explanation

Question about restricting IPv6 access to SSH. Had to pick 2 answers. One that is applied to the fa0/0 and one that is applied to vty lines. Its basically IN or OUT.

Question 9

Explanation

The established keyword is only applicable to TCP access list entries to match TCP segments that have the ACK and/or RST control bit set (regardless of the source and destination ports), which assumes that a TCP connection has already been established in one direction only. Let’s see an example below:

access-list_established.jpgSuppose you only want to allow the hosts inside your company to telnet to an outside server but not vice versa, you can simply use an “established” access-list like this:

access-list 100 permit tcp any any established
access-list 101 permit tcp any any eq telnet
!
interface S0/0
ip access-group 100 in
ip access-group 101 out

Note:

Suppose host A wants to start communicating with host B using TCP. Before they can send real data, a three-way handshake must be established first. Let’s see how this process takes place:

TCP_Three_way_handshake.jpg

1. First host A will send a SYN message (a TCP segment with SYN flag set to 1, SYN is short for SYNchronize) to indicate it wants to setup a connection with host B. This message includes a sequence (SEQ) number for tracking purpose. This sequence number can be any 32-bit number (range from 0 to 232) so we use “x” to represent it.

2. After receiving SYN message from host A, host B replies with SYN-ACK message (some books may call it “SYN/ACK” or “SYN, ACK” message. ACK is short for ACKnowledge). This message includes a SYN sequence number and an ACK number:
+ SYN sequence number (let’s called it “y”) is a random number and does not have any relationship with Host A’s SYN SEQ number.
+ ACK number is the next number of Host A’s SYN sequence number it received, so we represent it with “x+1”. It means “I received your part. Now send me the next part (x + 1)”.

The SYN-ACK message indicates host B accepts to talk to host A (via ACK part). And ask if host A still wants to talk to it as well (via SYN part).

3. After Host A received the SYN-ACK message from host B, it sends an ACK message with ACK number “y+1” to host B. This confirms host A still wants to talk to host B.

Question 10

Question 11

Explanation

Reflexive access lists provide filtering on upper-layer IP protocol sessions. They contain temporary entries that are automatically created when a new IP session begins. They are nested within extended, named IP access lists that are applied to an interface. Reflexive access lists are typically configured on border routers, which pass traffic between an internal and external network. These are often firewall routers. Reflexive access lists do not end with an implicit deny statement because they are nested within an access list and the subsequent statements need to be examined.

Reference: http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-1s/sec-access-list-ov.html

Question 12

Explanation

The command “ipv6 traffic-filter access-list-name { in | out }” applies the access list to incoming or outgoing traffic on the interface.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_55_se/configuration/guide/scg3750/swv6acl.html

Question 13

Question 14

Point-to-Point Protocol

August 5th, 2017 digitaltut 47 comments

If you are not sure about PPP and PPPoE, please read my PPP tutorial and PPPoE tutorial.

Question 1

Explanation

Password Authentication Protocol (PAP) is a very basic two-way process. The username and password are sent in plain text, there is no encryption or protection. If it is accepted, the connection is allowed. The configuration below shows how to configure PAP on two routers:

R1(config)#username R2 password digitaltut1
R1(config)#interface s0/0/0
R1(config-if)#encapsulation ppp
R1(config-if)#ppp authentication PAP
R1(config-if)#ppp pap sent-username R1 password digitaltut2
R2(config)#username R1 password digitaltut2
R2(config)#interface s0/0/0
R2(config-if)#encapsulation ppp
R2(config-if)#ppp authentication PAP
R2(config-if)#ppp pap sent-username R2 password digitaltut1

Note: The PAP “sent-username” and password that each router sends must match those specified with the “username … password …” command on the other router.

Question 2

Explanation

Challenge Handshake Authentication Protocol (CHAP) periodically verifies the identity of the client by using a three-way handshake. The three-way handshake steps are as follows:

1. When a client contacts a server that uses CHAP, the server (called the authenticator) responds by sending the client a simple text message (sometimes called the challenge text). This text is not important and it does not matter if anyone can intercepts it.
2. The client then takes this information and encrypts it using its password which was shared by both the client and server. The encrypted text is then returned to the server.
3. The server has the same password and uses it as a key to encrypt the information it previously sent to the client. It compares its results with the encrypted results sent by the client. If they are the same, the client is assumed to be authentic.

Note: PPP supports two authentication protocols: PAP and CHAP.

Question 3

Question 4

Explanation

PPP supports two authentication protocols: Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP). PAP authentication involves a two-way handshake where the username and password are sent across the link in clear text. For more information about PPP Authentication methods, please read Point to Point Protocol (PPP) Tutorial

Question 5

Question 6

PPPoE Questions

August 4th, 2017 digitaltut 5 comments

Question 1

Explanation

PPPoE provides a standard method of employing the authentication methods of the Point-to-Point Protocol (PPP) over an Ethernet network. When used by ISPs, PPPoE allows authenticated assignment of IP addresses. In this type of implementation, the PPPoE client and server are interconnected by Layer 2 bridging protocols running over a DSL or other broadband connection.

PPPoE is composed of two main phases:
+ Active Discovery Phase: In this phase, the PPPoE client locates a PPPoE server, called an access concentrator. During this phase, a Session ID is assigned and the PPPoE layer is established.
+ PPP Session Phase: In this phase, PPP options are negotiated and authentication is performed. Once the link setup is completed, PPPoE functions as a Layer 2 encapsulation method, allowing data to be transferred over the PPP link within PPPoE headers.

Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/vpn/asa-vpn-cli/vpn-pppoe.html

Question 2

Explanation

PPP Session Phase: In this phase, PPP options are negotiated and authentication is performed. Once the link setup is completed, PPPoE functions as a Layer 2 encapsulation method, allowing data to be transferred over the PPP link within PPPoE headers.

Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/vpn/asa-vpn-cli/vpn-pppoe.html

Question 3

Explanation

The “dialer persistent” command (under interface configuration mode) allows a dial-on-demand routing (DDR) dialer profile connection to be brought up without being triggered by interesting traffic. When configured, the dialer persistent command starts a timer when the dialer interface starts up and starts the connection when the timer expires. If interesting traffic arrives before the timer expires, the connection is still brought up and set as persistent. An example of configuring is shown below:

interface Dialer1
ip address 12.12.12.1 255.255.255.0
encapsulation ppp
dialer-pool 1
dialer persistent

Question 4

Explanation

The “vpdn enable” command is used to enable virtual private dialup networking (VPDN) on the router and inform the router to look for tunnel definitions in a local database and on a remote authorization server (home gateway). The following steps include: configure the VPDN group; configure the virtual-template; create the IP pools.

Question 5

Explanation

There are three authentication methods that can be used to authenticate a PPPoE connection:

+ CHAP – Challenge Handshake Authentication Protocol
+ MS-CHAP – Microsoft Challenge Handshake Authentication Protocol Version 1 & 2
+ PAP – Password Authentication Protocol

In which MS-CHAP & CHAP are two encrypted authentication protocol while PAP is unencrypted authentication protocol.

Note: PAP authentication involves a two-way handshake where the username and password are sent across the link in clear text; hence, PAP authentication does not provide any protection against playback and line sniffing.

With CHAP, the server (authenticator) sends a challenge to the remote access client. The client uses a hash algorithm (also known as a hash function) to compute a Message Digest-5 (MD5) hash result based on the challenge and a hash result computed from the user’s password. The client sends the MD5 hash result to the server. The server, which also has access to the hash result of the user’s password, performs the same calculation using the hash algorithm and compares the result to the one sent by the client. If the results match, the credentials of the remote access client are considered authentic. A hash algorithm provides one-way encryption, which means that calculating the hash result for a data block is easy, but determining the original data block from the hash result is mathematically infeasible.

Question 6

Explanation

A PPPoE session is initiated by the PPPoE client. If the session has a timeout or is disconnected, the PPPoE client will immediately attempt to reestablish the session. The following four steps describe the exchange of packets that occurs when a PPPoE client initiates a PPPoE session:
1. The client broadcasts a PPPoE Active Discovery Initiation (PADI) packet.
2. When the access concentrator receives a PADI that it can serve, it replies by sending a PPPoE Active Discovery Offer (PADO) packet to the client.
3. Because the PADI was broadcast, the host may receive more than one PADO packet. The host looks through the PADO packets it receives and chooses one. The choice can be based on the access concentrator name or on the services offered. The host then sends a single PPPoE Active Discovery Request (PADR) packet to the access concentrator that it has chosen.
4. The access concentrator responds to the PADR by sending a PPPoE Active Discovery Session-confirmation (PADS) packet. At this point a virtual access interface is created that will then negotiate PPP, and the PPPoE session will run on this virtual access.

If a client does not receive a PADO for a preceding PADI, the client sends out a PADI at predetermined intervals. That interval is doubled for every successive PADI that does not evoke a response, until the interval reaches a configured maximum.

If PPP negotiation fails or the PPP line protocol is brought down for any reason, the PPPoE session and the virtual access will be brought down. When the PPPoE session is brought down, the client waits for a predetermined number of seconds before trying again to establish a PPPoE.

Reference: http://www.cs.vsb.cz/grygarek/TPS/DSL/pppoe_client.pdf

Question 7

Question 8

Question 9

Explanation

The picture below shows all configuration needed for PPPoE:

PPPoE_Topology_with_config.jpg

As we can see from the PPPoE Client configuration, to get the IP address assigned from the PPPoE server the command “ip address negotiated” should be used. For more information about PPPoE configuration please read our PPPoE tutorial.

Question 10

Explanation

According to this link: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bbdsl/configuration/xe-3s/bba-pppoe-client.html

The PPPoE client does not support the following:
+ More than ten clients per customer premises equipment (CPE)-> This means a CPE can support up to 10 clients so answer A is correct.
+ Coexistence of the PPPoE client and server on the same device -> answer C is not correct

In the above link there is a topology shows “DMVPN Access to Multiple Hosts from the Same PPPoE Client” -> Answer B is correct.

Question 11

CEF & Fast Switching

August 3rd, 2017 digitaltut 66 comments

Question 1

Explanation

The command “show ip cef” is used to display the CEF Forwarding Information Base (FIB) table. There are some entries we want to explain:
+ If the “Next Hop” field of a network prefix is set to receive, the entry represents an IP address on one of the router’s interfaces. In this case, 192.168.201.2 and 192.168.201.31 are IP addresses assigned to interfaces on the local router.
+ If the “Next Hop” field of a network prefix is set to attached, the entry represents a network to which the router is directly attached. In this case the prefix 192.168.201.0/27 is a network directly attached to router R2’s Fa0/0 interface.

But there are some special cases:
+ The all-0s host addresses (for example, 192.168.201.0/32) and the all-1s host addresses (not have in the output above but for example, 192.168.201.255/32) also show as receive entries.
+ 255.255.255.255/32 is the local broadcast address for a subnet
+ 0.0.0.0/32: maybe it is a reserved link-local address
+ 0.0.0.0/0: This is the default route that matching all other addresses (also known as “gateway of last resort”). In this case it points to 192.168.201.1 -> Answer C is correct.

Reference: CCNP Routing and Switching ROUTE 300-101 Official Cert Guide

Question 2

Explanation

The “show adjacency” command is used to display information about the Cisco Express Forwarding adjacency table or the hardware Layer 3-switching adjacency table.

There are two known reasons for an incomplete adjacency:
+ The router cannot use ARP successfully for the next-hop interface.
+ After a clear ip arp or a clear adjacency command, the router marks the adjacency as incomplete. Then it fails to clear the entry.

Note: Two nodes in the network are considered adjacent if they can reach each other using only one hop.

Reference: http://www.cisco.com/c/en/us/support/docs/ip/express-forwarding-cef/17812-cef-incomp.html

Question 3

Explanation

The “show ip cache” command displays the contents of a router’s fast cache. An example of the output of this command is shown below:

show_ip_cache.jpg

Note: If CEF is disabled and fast switching is enabled, the router begins to populate its fast cache.

Question 4

Question 5

Explanation

Cisco Express Forwarding (CEF) provides the ability to switch packets through a device in a very quick and efficient way while also keeping the load on the router’s processor low. CEF is made up of two different main components: the Forwarding Information Base (FIB) and the Adjacency Table. These are automatically updated at the same time as the routing table.

The adjacency table is tasked with maintaining the layer 2 next-hop information for the FIB.

Question 6

Explanation

The explanation of this question is too lengthy so we recommend to read this article: http://www.cisco.com/c/en/us/support/docs/ip/express-forwarding-cef/26083-trouble-cef.html

Question 7

Explanation

Glean adjacency – in short when the router is directly connected to hosts the FIB table on the router will maintain a prefix for the subnet rather than for the individual host prefix. This subnet prefix points to a GLEAN adjacency.
Punt adjacency – When packets to a destination prefix can’t be CEF Switched, or the feature is not supported in the CEF Switching path, the router will then use the next slower switching mechanism configured on the router.

Question 8

Explanation

Nodes in the network are said to be adjacent if they can reach each other with a single hop across a link layer. In addition to the FIB, CEF uses adjacency tables to prepend Layer 2 addressing information. The adjacency table maintains Layer 2 next-hop addresses for all FIB entries.

Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_2/switch/configuration/guide/fswtch_c/xcfcef.html

Frame Relay Questions

August 2nd, 2017 digitaltut 9 comments

Question 1

Explanation

Normal (Ethernet) ARP Request knows the Layer 3 address (IP) and requests for Layer 2 address (MAC). On the other hand, Frame Relay Inverse ARP knows the Layer 2 address (DLCI) and requests for Layer 3 address (IP) so we called it “Inverse”. For detail explanation about Inverse ARP Request please read our Frame Relay tutorial – Part 2.

Question 2

Explanation

When saying “Frame Relay point-to-point” network, it means “Frame Relay subinterfaces” run “point-to-point”. Notice that Frame Relay subinterfaces can run in two modes:
+ Point-to-Point: When a Frame Relay point-to-point subinterface is configured, the subinterface emulates a point-to-point network and OSPF treats it as a point-to-point network type
+ Multipoint: When a Frame Relay multipoint subinterface is configured, OSPF treats this subinterface as an NBMA network type.

And there are 4 network types which can be configured with OSPF. The hello & dead intervals of these types are listed below:

Network Type Hello Interval (secs) Dead Interval (secs)
Point-to-Point 10 40
Point-to-Multipoint 30 120
Broadcast 10 40
Non-Broadcast 30 120

Therefore the default OSPF hello interval on a Frame Relay point-to-point network is 10 seconds.

Reference: http://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/13693-22.html

Question 3

Explanation

Traffic shaping should be used when:
+ Hub site (headquarter) has much faster speed link than the spokes (remote sites). In this case we need to rate-limit the hub site so that it does not exceed the remote side access rate
+ Hub site has the same speed link as the spokes. For example both the headquarter and the spokes use T1 links. In this case, we need to rate-limit the remote sites so as to not overrun the hub.

An example of configuring traffic shaping is shown below:

interface Serial0/1
encapsulation frame-relay
frame-relay traffic-shaping
!
interface Serial0/1.10 point-to-point
ip address 10.10.10.10 255.255.255.0
frame-relay interface-dlci 10 class my_traffic_shaping
!
map-class frame-relay my_traffic_shaping
frame-relay adaptive-shaping becn //Configure the router to respond to frame relay frames that have the BECN bit set
frame-relay cir 128000 //Specify the committed information rate (CIR) for a Frame Relay virtual circuit
frame-relay bc 8000 //Specify the committed burst size (Bc) for a Frame Relay virtual circuit.
frame-relay be 8000 // Specify the excess burst size (Be) for a Frame Relay virtual circuit.
frame-relay mincir 64000 // Specify minimum acceptable CIR for a Frame Relay virtual circuit.

Reference: http://www.cisco.com/c/en/us/support/docs/wan/frame-relay/6151-traffic-shaping-6151.html

Question 4

Question 5

Question 6

Question 7

Explanation

Each subinterface is treated like a physical interface so split horizon issues are overcome.

Question 8

Explanation

Frame-relay uses data-link connection identifiers (DLCIs) to build up logical circuits. The identifiers have local meaning only, that means that their values are unique per router, but not necessarily in the other routers. For example, there is only one DLCI of 23 representing for the connection from HeadQuarter to Branch 1 and only one DLCI of 51 from HeadQuarter to Branch 2. Branch 1 can use the same DLCI of 23 to represent the connection from it to HeadQuarter. Of course it can use other DLCIs as well because DLCIs are just local significant.

Frame_Relay_DLCI.jpg

By including a DLCI number in the Frame Relay header, HeadQuarter can communicate with both Branch 1 and Branch 2 over the same physical circuit.

Question 9

Explanation

An example of configuring Frame Relay point-to-multipoint connections is described at: http://www.9tut.com/frame-relay-gns3-lab. Frame Relay point-to-multipoint requires inverse ARP (which is enabled by default). It requires the frame-relay mapping command to be configured also. For example: R1(config-if)#frame-relay route 102 interface Serial0/1 201.

GRE Tunnel

August 1st, 2017 digitaltut 52 comments

Question 1

Explanation

GRE packets are encapsulated within IP and use IP protocol type 47

Question 2

Explanation

A GRE interface definition includes:

+ An IPv4 address on the tunnel
+ A tunnel source
+ A tunnel destination

Below is an example of how to configure a basic GRE tunnel:

interface Tunnel 0
ip address 10.10.10.1 255.255.255.0
tunnel source fa0/0
tunnel destination 172.16.0.2

In this case the “IPv4 address on the tunnel” is 10.10.10.1/24 and “sourced the tunnel from an Ethernet interface” is the command “tunnel source fa0/0”. Therefore it only needs a tunnel destination, which is 172.16.0.2.

Note: A multiple GRE (mGRE) interface does not require a tunnel destination address.

Question 3

Explanation

The tunnel interface is configured in default mode means the tunnel has been configured as a point-to-point (P2P) GRE tunnel. Normally, a P2P GRE Tunnel interface comes up (up/up state) as soon as it is configured with a valid tunnel source address or interface which is up and a tunnel destination IP address which is routable.

Under normal circumstances, there are only three reasons for a GRE tunnel to be in the up/down state:
+ There is no route, which includes the default route, to the tunnel destination address.
+ The interface that anchors the tunnel source is down.
+ The route to the tunnel destination address is through the tunnel itself, which results in recursion.

Therefore if a route towards the tunnel destination has not been configured then the tunnel is stuck in up/down state.

Reference: http://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/118361-technote-gre-00.html

Question 4

Explanation

In this question only answer A is a reasonable answer. When the state of the tunnel interface is continuously moving between up and down we must make sure the route towards the tunnel destination address is good. If it is not good then that route may be removed from the routing table -> the tunnel interface comes down.

Question 5

Explanation

The IP protocol was designed for use on a wide variety of transmission links. Although the maximum length of an IP datagram is 65535, most transmission links enforce a smaller maximum packet length limit, called an MTU. The value of the MTU depends on the type of the transmission link. The design of IP accommodates MTU differences since it allows routers to fragment IP datagrams as necessary. The receiving station is responsible for the reassembly of the fragments back into the original full size IP datagram.

Fragmentation and Path Maximum Transmission Unit Discovery (PMTUD) is a standardized technique to determine the maximum transmission unit (MTU) size on the network path between two hosts, usually with the goal of avoiding IP fragmentation. PMTUD was originally intended for routers in IPv4. However, all modern operating systems use it on endpoints.

The TCP Maximum Segment Size (TCP MSS) defines the maximum amount of data that a host is willing to accept in a single TCP/IP datagram. This TCP/IP datagram might be fragmented at the IP layer. The MSS value is sent as a TCP header option only in TCP SYN segments. Each side of a TCP connection reports its MSS value to the other side. Contrary to popular belief, the MSS value is not negotiated between hosts. The sending host is required to limit the size of data in a single TCP segment to a value less than or equal to the MSS reported by the receiving host.

TCP MSS takes care of fragmentation at the two endpoints of a TCP connection, but it does not handle the case where there is a smaller MTU link in the middle between these two endpoints. PMTUD was developed in order to avoid fragmentation in the path between the endpoints. It is used to dynamically determine the lowest MTU along the path from a packet’s source to its destination.

Reference: http://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/25885-pmtud-ipfrag.html (there is some examples of how TCP MSS avoids IP Fragmentation in this link but it is too long so if you want to read please visit this link)

Note: IP fragmentation involves breaking a datagram into a number of pieces that can be reassembled later.

Question 6

Explanation

A valid tunnel destination is one which is routable (which means the destination is present or there is a default route in the routing table). However, it does not have to be reachable -> Answer B is correct.

Reference: http://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/118361-technote-gre-00.html

For a tunnel to be up/up, the source interface must be up/up, it must have an IP address, and the destination must be reachable according to your own routing table.

Question 7

Question 8

Question 9

Explanation

GRE tunnel provides a way to encapsulate any network layer protocol over any other network layer protocol. GRE allows routers to act as if they have a virtual point-to-point connection to each other. GRE tunneling is accomplished by creating routable tunnel endpoints that operate on top of existing physical and/or other logical endpoints. Especially, IPsec does not support multicast traffic so GRE tunnel is a good solution instead (or we can combine both).

Question 10

Question 11

Explanation

When running GRE tunnel over IPSec, a packet is first encapsulated in a GRE packet and then GRE is encrypted by IPSec -> C is correct.

Question 12

Explanation

Four steps to configure GRE tunnel over IPsec are:

1. Create a physical or loopback interface to use as the tunnel endpoint. Using a loopback rather than a physical interface adds stability to the configuration.
2. Create the GRE tunnel interfaces.
3. Add the tunnel subnet to the routing process so that it exchanges routing updates across that interface.
4. Add GRE traffic to the crypto access list, so that IPsec encrypts the GRE tunnel traffic.

An example of configuring GRE Tunnel is shown below:

interface Tunnel0
ip address 192.168.16.2 255.255.255.0
tunnel source FastEthernet1/0
tunnel destination 14.38.88.10
tunnel mode gre ip

Note: The last command is enabled by default so we can ignore it in the configuration)

(Reference: CCNP Routing and Switching Quick Reference)

Question 13

Explanation

The address of the crypto isakmp key (line “crypto isakmp key ******* address 172.16.1.2”) should be 192.168.2.1, not 172.16.1.2 -> A is correct.

Question 14

Explanation

The access-list must also support GRE traffic with the “access-list 102 permit gre host 192.168.1.1 host 192.168.2.1” command -> B is correct.

Below is the correct configuration for GRE over IPsec on router B1 along with descriptions.

Configure_GRE_tunnel_over_IPsec.jpg

The interface tunnel configuration is rather simple so I don’t post it here.

Question 15

Explanation

The “tunnel destination” in interface tunnel should be 192.168.2.1, not 172.16.1.2 -> D is correct.

DMVPN Questions

July 31st, 2017 digitaltut 36 comments

Note: If you are not sure about DMVPN, please read our DMVPN tutorial first.

Question 1

Explanation

From the output we learn that the logical address 10.2.1.2 is mapped to the NBMA address 10.12.1.2. Type “dynamic” means NBMA address was obtained from NHRP Request packet. Type “static” means NBMA address is statically configured. The “authoritative” flag means that the NHRP information was obtained from the Next Hop Server (NHS).

Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_4/ip_addr/configuration/guide/hadnhrp.html

Question 2

Explanation

When DMVPN tunnels flap, check the neighborship between the routers as issues with neighborship formation between routers may cause the DMVPN tunnel to flap. In order to resolve this problem, make sure the neighborship between the routers is always up.

Reference: http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/29240-dcmvpn.html#Prblm1

Question 3

Explanation

DMVPN is not a protocol, it is the combination of the following technologies:

+ Multipoint GRE (mGRE)
+ Next-Hop Resolution Protocol (NHRP)
+ Dynamic Routing Protocol (EIGRP, RIP, OSPF, BGP…) (optional)
+ Dynamic IPsec encryption (optional)
+ Cisco Express Forwarding (CEF)

For more information about DMVPN, please read our DMVPN tutorial.

Question 4

Explanation

To allow communication to multiple sites using only one tunnel interface, we need to configure that tunnel in “multipoint” mode. Otherwise we have to create many tunnel interfaces, each can only communicate to one site.

DMVPN_Topo_mGRE.jpg

 

Question 5

Explanation

An mGRE tunnel inherits the concept of a classic GRE tunnel but an mGRE tunnel does not require a unique tunnel interface for each connection between Hub and spoke like traditional GRE. One mGRE can handle multiple GRE tunnels at the other ends. Unlike classic GRE tunnels, the tunnel destination for a mGRE tunnel does not have to be configured; and all tunnels on Spokes connecting to mGRE interface of the Hub can use the same subnet.

DMVPN_Topo_mGRE.jpg

For more information about DMVPN, please read our DMVPN tutorial.

Question 6

Explanation

GRE tunnels are the first thing we have to configure to create a DMVPN network so we should start troubleshooting from there. NHRP can only work properly with operating GRE tunnels.

Question 7

Question 8

Explanation

The “show crypto isakmp sa” command displays all current Internet Key Exchange (IKE) security associations (SAs) at a peer.

QM_IDLE state means this tunnel is UP and the IKE SA key exchange was successful, but is idle and may be used for subsequent quick mode exchanges. It is in a quiescent state (QM) -> Answers A, C, D are incorrect so answer B is the only suitable answer left.

Question 9

Explanation

The DMVPN is comprised of IPsec/GRE tunnels that connect branch offices to the data center. DMVPN troubleshooting requires the network engineer to verify neighbor links, routing and VPN peer connectivity. The GRE protocol is required to support routing advertisements. The VPN peer connection is comprised of IKE and IPsec security association exchanges.

The command “show crypto ipsec sa” is used to verify IPsec connectivity between branch office and data center router. We can also use this command to display the statistics of an active tunnel on a DMVPN network.

DMVPN_show_crypto_ipsec_sa.jpg

Note:
+ The command “show crypto isakmp sa” is used on DMVPN to verify IKE connectivity status to branch offices. The normal IKE state = QM IDLE for branch routers and data center routers.
+ The command “show crypto engine connection active” displays the total encrypts and decrypts per SA.

Reference: http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/29240-dcmvpn.html

Question 10

Question 11

Question 12

Explanation

Both DMVPN Phase 2 and phase 3 support spoke to spoke communications (spokes talk to each other directly). In this case there is only an option of phase 2 (not phase 3) so it is the only correct answer.

Question 13

Explanation

Some documents say RIPv2 also supports DMVPN but EIGPR, OSPF and BGP are the better choices so we should choose them.

Question 14

Explanation

DMVPN is not a protocol, it is the combination of the following technologies:
+ Multipoint GRE (mGRE)
+ Next-Hop Resolution Protocol (NHRP)
+ Dynamic Routing Protocol (EIGRP, RIP, OSPF, BGP…) (optional)
+ Dynamic IPsec encryption (optional)
+ Cisco Express Forwarding (CEF)

DMVPN combines multiple GRE (mGRE) Tunnels, IPSec encryption and NHRP (Next Hop Resolution Protocol) to perform its job and save the administrator the need to define multiple static crypto maps and dynamic discovery of tunnel endpoints.

TCP UDP Questions

July 30th, 2017 digitaltut 23 comments

Question 1

Explanation

It is a general best practice to not mix TCP-based traffic with UDP-based traffic (especially Streaming-Video) within a single service-provider class because of the behaviors of these protocols during periods of congestion. Specifically, TCP transmitters throttle back flows when drops are detected. Although some UDP applications have application-level windowing, flow control, and retransmission capabilities, most UDP transmitters are completely oblivious to drops and, thus, never lower transmission rates because of dropping.
When TCP flows are combined with UDP flows within a single service-provider class and the class experiences congestion, TCP flows continually lower their transmission rates, potentially giving up their bandwidth to UDP flows that are oblivious to drops. This effect is called TCP starvation/UDP dominance.
TCP starvation/UDP dominance likely occurs if TCP-based applications is assigned to the same service-provider class as UDP-based applications and the class experiences sustained congestion.
Granted, it is not always possible to separate TCP-based flows from UDP-based flows, but it is beneficial to be aware of this behavior when making such application-mixing decisions within a single service-provider class.

Reference: http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND/QoS-SRND-Book/VPNQoS.html

Question 2

Question 3

Explanation

TCP Selective Acknowledgement (SACK) prevents unnecessary retransmissions by specifying successfully received subsequent data. Let’s see an example of the advantages of TCP SACK.

TCP_ACK.jpgTCP (Normal) Acknowledgement TCP_SACK.jpg
TCP Selective Acknowledgement

For TCP (normal) acknowledgement, when a client requests data, server sends the first three segments (named of packets at Layer 4): Segment#1,#2,#3. But suppose Segment#2 was lost somewhere on the network while Segment#3 stills reached the client. Client checks Segment#3 and realizes Segment#2 was missing so it can only acknowledge that it received Segment#1 successfully. Client received Segment#1 and #3 so it creates two ACKs#1 to alert the server that it has not received any data beyond Segment#1. After receiving these ACKs, the server must resend Segment#2,#3 and wait for the ACKs of these segments.

For TCP Selective Acknowledgement, the process is the same until the Client realizes Segment#2 was missing. It also sends ACK#1 but adding SACK to indicate it has received Segment#3 successfully (so no need to retransmit this segment. Therefore the server only needs to resend Segment#2 only. But notice that after receiving Segment#2, the Client sends ACK#3 (not ACK#2) to say that it had all first three segments. Now the server will continue sending Segment #4,#5, …

The SACK option is not mandatory and it is used only if both parties support it.

The TCP Explicit Congestion Notification (ECN) feature allows an intermediate router to notify end hosts of impending network congestion. It also provides enhanced support for TCP sessions associated with applications, such as Telnet, web browsing, and transfer of audio and video data that are sensitive to delay or packet loss. The benefit of this feature is the reduction of delay and packet loss in data transmissions. Use the “ip tcp ecn” command in global configuration mode to enable TCP ECN.

The TCP time-stamp option provides improved TCP round-trip time measurements. Because the time stamps are always sent and echoed in both directions and the time-stamp value in the header is always changing, TCP header compression will not compress the outgoing packet. Use the “ip tcp timestamp” command to enable the TCP time-stamp option.

The TCP Keepalive Timer feature provides a mechanism to identify dead connections. When a TCP connection on a routing device is idle for too long, the device sends a TCP keepalive packet to the peer with only the Acknowledgment (ACK) flag turned on. If a response packet (a TCP ACK packet) is not received after the device sends a specific number of probes, the connection is considered dead and the device initiating the probes frees resources used by the TCP connection.

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp/configuration/xe-3s/asr1000/iap-xe-3s-asr1000-book/iap-tcp.html

Question 4

Explanation

Global synchronization occurs when multiple TCP hosts reduce their transmission rates in response to congestion. But when congestion is reduced, TCP hosts try to increase their transmission rates again simultaneously (known as slow-start algorithm), which causes another congestion. Global synchronization produces this graph:

TCP_Global_Synchronization.jpg

 

Global synchronization reduces optimal throughput of network applications and tail drop contributes to this phenomenon. When an interface on a router cannot transmit a packet immediately, the packet is queued. Packets are then taken out of the queue and eventually transmitted on the interface. But if the arrival rate of packets to the output interface exceeds the ability of the router to buffer and forward traffic, the queues increase to their maximum length and the interface becomes congested. Tail drop is the default queuing response to congestion. Tail drop simply means that “drop all the traffic that exceeds the queue limit. Tail drop treats all traffic equally and does not differentiate among classes of service.

Question 5

Explanation

When TCP is mixing with UDP under congestion, TCP flows will try to lower their transmission rate while UDP flows continue transmitting as usual. As a result of this, UDP flows will dominate the bandwidth of the link and this effect is called TCP-starvation/UDP-dominance. This can increase latency and lower the overall throughput.

Question 6

Question 7

Question 8

Explanation

If the speed of an interface is equal or less than 768 kbps (half of a T1 link), it is considered a low-speed interface. The half T1 only offers enough bandwidth to allow voice packets to enter and leave without delay issues. Therefore if the speed of the link is smaller than 768 kbps, it should not be configured with a queue.

Question 9

Question 10

Explanation

First we need to understand about bandwidth-delay product.

Bandwidth-delay product (BDP) is the maximum amount of data “in-transit” at any point in time, between two endpoints. In other words, it is the amount of data “in flight” needed to saturate the link. You can think the link between two devices as a pipe. The cross section of the pipe represents the bandwidth and the length of the pipe represents the delay (the propagation delay due to the length of the pipe).

Therefore the Volume of the pipe = Bandwidth x Delay (or Round-Trip-Time). The volume of the pipe is also the BDP.

Bandwidth-delay_Product.jpg

For example if the total bandwidth is 64 kbps and the RTT is 3 seconds, the formula to calculate BDP is:

BDP (bits) = total available bandwidth (bits/sec) * round trip time (sec) = 64,000 * 3 = 192,000 bits

-> BDP (bytes) = 192,000 / 8 = 24,000 bytes

Therefore we need 24KB to fulfill this link.

For your information, BDP is very important in TCP communication as it optimizes the use of bandwidth on a link. As you know, a disadvantage of TCP is it has to wait for an acknowledgment from the receiver before sending another data. The waiting time may be very long and we may not utilize full bandwidth of the link for the transmission.

Bandwidth-delay_Product_Wasted.jpg

Based on BDP, the sending host can increase the number of data sent on a link (usually by increasing the window size). In other words, the sending host can fill the whole pipe with data and no bandwidth is wasted.Bandwidth-delay_Product_Optimized.jpg

In conclusion, if we want an optimal end-to-end delay bandwidth product, TCP must use window scaling feature so that we can fill the entire “pipe” with data.

TCP UDP Questions 2

July 30th, 2017 digitaltut No comments

Question 1

Explanation

Unlike TCP which uses the sequence numbers to rearrange the segments when they arrive out of order, UDP just passes the received datagrams to the next OSI layer (the Session Layer) in the order in which they arrived.

Question 2

Question 3

Explanation

In Asymmetric routing, a packet traverses from a source to a destination in one path and takes a different path when it returns to the source. This is commonly seen in Layer-3 routed networks.

Issues to Consider with Asymmetric Routing

Asymmetric routing is not a problem by itself, but will cause problems when Network Address Translation (NAT) or firewalls are used in the routed path. For example, in firewalls, state information is built when the packets flow from a higher security domain to a lower security domain. The firewall will be an exit point from one security domain to the other. If the return path passes through another firewall, the packet will not be allowed to traverse the firewall from the lower to higher security domain because the firewall in the return path will not have any state information. The state information exists in the first firewall.

Reference: http://www.cisco.com/web/services/news/ts_newsletter/tech/chalktalk/archives/200903.html

Specifically for TCP-based connections, disabling stateful TCP checks can help mitigate asymmetric routing. When TCP state checks are disabled, the ASA can allow packets in a TCP connection even if the ASA didn’t see the entire TCP 3-way handshake. This feature is called TCP State Bypass.

Reference: https://supportforums.cisco.com/document/55536/asa-asymmetric-routing-troubleshooting-and-mitigation

Note: The active/active firewall topology uses two firewalls that are both actively providing firewall services.

Question 4

Explanation

A device that sends UDP packets assumes that they reach the destination. There is no mechanism to alert senders that the packet has arrived -> Answer A is not correct.

UDP throughput is not impacted by latency because the sender does not have to wait for the ACK to be sent back -> Answer B is not correct.

UDP does not negotiate how the connection will work, UDP just transmits and hopes for the best -> D is not correct.

Therefore only answer C is left.

Question 5

Explanation

The command “show tcp brief numeric” displays a concise description of TCP connection endpoints.

Question 6

Question 7

Explanation

TCP starvation/UDP dominance likely occurs if TCP-based applications is assigned to the same service-provider class as UDP-based applications and the class experiences sustained congestion.

TFTP (run on UDP port 69) and SNMP (runs on UDP port 161/162) are two protocols which run on UDP so they can cause TCP starvation.

Note: SMTP runs on TCP port 25; HTTPS runs on TCP port 443; FTP runs on TCP port 20/21

 

RIP Questions

July 29th, 2017 digitaltut 5 comments

Question 1

Question 2

Question 3

Question 4

Explanation

RIP can only be turned on under router sub command (in Router(config-router)# mode). Unlike OSPF or EIGRP, RIP cannot be enabled from interface sub command (Router(config-if)# mode)

OSPF Questions

July 28th, 2017 digitaltut 6 comments

Question 1

Explanation

LSA Type 7 is generated by an ASBR inside a Not So Stubby Area (NSSA) to describe routes redistributed into the NSSA. LSA 7 is translated into LSA 5 as it leaves the NSSA. These routes appear as N1 or N2 in the routing table inside the NSSA. Much like LSA 5, N2 is a static cost while N1 is a cumulative cost that includes the cost upto the ASBR -> LSA Type 7 only exists in an NSSA area.

Question 2

Question 3

Explanation

Answer B is not correct because using “passive-interface” command on ASW1 & ASW2 does not prevent DSW1 & DSW2 from sending routing updates to two access layer switches.

Question 4

Explanation

From the output above, we see the following LSAs:

+ Router Link States (Area 0): LSA Type 1 (Area 0)
+ Net Link States (Area 0): LSA Type 2 (Area 0)
+ Summary Net Link States (Area 0): LSA Type 3 (Area 0)
+ Router link States (Area 4): LSA Type 1 (Area 4)
+ Net Link States (Area 4): LSA Type 2 (Area 4)
+ Summary Net Link States (Area 4): LSA Type 3 (Area 4)

There are two areas represented on this router, which are Area 0 & Area 4. So we conclude this is an ABR router.

Just for your information, from the Router Link States (Area 0) part, we only see one entry 15.15.15.33. It is both the Link ID and ADV Router so we can conclude this is an IP address of one of the interfaces on the local router.

Question 5

Question 6

Questions 7

Explanation

When OSPF is run on a network, two important events happen before routing information is exchanged:
+ Neighbors are discovered using multicast hello packets.
+ DR and BDR are elected for every multi-access network to optimize the adjacency building process. All the routers in that segment should be able to communicate directly with the DR and BDR for proper adjacency (in the case of a point-to-point network, DR and BDR are not necessary since there are only two routers in the segment, and hence the election does not take place).
For a successful neighbor discovery on a segment, the network must allow broadcasts or multicast packets to be sent.

In an NBMA network topology, which is inherently nonbroadcast, neighbors are not discovered automatically. OSPF tries to elect a DR and a BDR due to the multi-access nature of the network, but the election fails since neighbors are not discovered. Neighbors must be configured manually to overcome these problems -> C is not correct while D is correct.

In Point-to-Multipoint network: This is a collection of point-to-point links between various devices on a segment. These networks also allow broadcast or multicast packets to be sent over the network. These networks can represent the multi-access segment as multiple point-to-point links that connect all the devices on the segment. -> A is correct.

Question 8

Explanation

OSPF forms neighbor relationship with other OSPF routers on the same segment by exchanging hello packets. The hello packets contain various parameters. Some of them should match between neighboring routers. These include:

+ Hello and Dead intervals
+ Area ID
+ Authentication type and password
+ Stub Area flag
+ Subnet ID and Subnet mask

So there are three correct answers in this question. Maybe in the exam you will see only two correct answers.

Question 9

Explanation

Let’s have a quick review of LSAs Type 4 & 5:

Summary ASBR LSA (Type 4) – Generated by the ABR to describe an ASBR to routers in other areas so that routers in other areas know how to get to external routes through that ASBR. For example, suppose R8 is redistributing external route (EIGRP, RIP…) to R3. This makes R3 an Autonomous System Boundary Router (ASBR). When R2 (which is an ABR) receive this LSA Type 1 update, R2 will create LSA Type 4 and flood into Area 0 to inform them how to reach R3. When R5 receives this LSA it also floods into Area 2.

OSPF_LSAs_Types_4.jpg

In the above example, the only ASBR belongs to area 1 so the two ABRs send LSA Type 4 to area 0 & area 2 (not vice versa). This is an indication of the existence of the ASBR in area 1.

Note:
+ Type 4 LSAs contain the router ID of the ASBR.
+ There are no LSA Type 4 injected into Area 1 because every router inside area 1 knows how to reach R3. R3 only uses LSA Type 1 to inform R2 about R8 and inform R2 that R3 is an ASBR.

External Link LSA (LSA 5) – Generated by ASBR to describe routes redistributed into the area and point the destination for these external routes to the ASBR. These routes appear as O E1 or O E2 in the routing table. In the topology below, R3 generates LSAs Type 5 to describe the external routes redistributed from R8 and floods them to all other routers and tell them “hey, if you want to reach these external routes, send your packets to me!”. But other routers will ask “how can I reach you? You didn’t tell me where you are in your LSA Type 5!”. And that is what LSA Type 4 do – tell other routers in other areas where the ASBR is!

OSPF_LSAs_Types_5.jpg

Each OSPF area only allows some specific LSAs to pass through. Below is a summarization of which LSAs are allowed in each OSPF area:

Area Restriction
Normal None
Stub No Type 5 AS-external LSA allowed
Totally Stub No Type 3, 4 or 5 LSAs allowed except the default summary route
NSSA No Type 5 AS-external LSAs allowed, but Type 7 LSAs that convert to Type 5 at the NSSA ABR can traverse
NSSA Totally Stub No Type 3, 4 or 5 LSAs except the default summary route, but Type 7 LSAs that convert to Type 5 at the NSSA ABR are allowed

Reference: http://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/13703-8.html

Therefore there are two OSPF areas that prevent LSAs Type 4 & 5: Totally Stub & NSSA Totally Stub areas

OSPF Questions 2

July 28th, 2017 digitaltut 13 comments

Question 1

Explanation

Exstart: Once the DR and BDR are elected, the actual process of exchanging link state information can start between the routers and their DR and BDR. In this state, the routers and their DR and BDR establish a master-slave relationship and choose the initial sequence number for adjacency formation. The router with the higher router ID becomes the master and starts the exchange, and as such, is the only router that can increment the sequence number. Note that one would logically conclude that the DR/BDR with the highest router ID will become the master during this process of master-slave relation.

Reference: http://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/13685-13.html

Question 2

Question 3

Question 4


Question 5

Explanation

+ Standard areas can contain LSAs of type 1, 2, 3, 4, and 5, and may contain an ASBR. The backbone is considered a standard area.
+ Stub areas can contain type 1, 2, and 3 LSAs. A default route is substituted for external routes.
+ Totally stubby areas can only contain type 1 and 2 LSAs, and a single type 3 LSA. The type 3 LSA describes a default route, substituted for all external and inter-area routes.
+ Not-so-stubby areas implement stub or totally stubby functionality yet contain an ASBR. Type 7 LSAs generated by the ASBR are converted to type 5 by ABRs to be flooded to the rest of the OSPF domain.

Reference: http://packetlife.net/blog/2008/jun/24/ospf-area-types/

Question 6

Explanation

NSSA External LSA (Type 7) – Generated by an ASBR inside a Not So Stubby Area (NSSA) to describe routes redistributed into the NSSA. LSA 7 is translated into LSA 5 as it leaves the NSSA. These routes appear as N1 or N2 in the routing table inside the NSSA. Much like LSA 5, N2 is a static cost while N1 is a cumulative cost that includes the cost upto the ASBR.

OSPF_LSAs_Types_7.jpg

Question 7

Explanation

OSPFv3 uses the well-known IPv6 multicast addresses, FF02::5 to communicate with neighbors.

Note: All other routers (non DR and non BDR) establish adjacency with the DR and the BDR and use the IPv6 multicast address FF02::6 to send LSA updates to the DR and BDR.

Question 8

Explanation

NSSA External LSA (Type 7) – Generated by an ASBR inside a Not So Stubby Area (NSSA) to describe routes redistributed into the NSSA. LSA 7 is translated into LSA 5 as it leaves the NSSA. These routes appear as N1 or N2 in the routing table inside the NSSA. Much like LSA 5, N2 is a static cost while N1 is a cumulative cost that includes the cost upto the ASBR.

OSPF_LSAs_Types_7.jpg

Question 9

Question 10

OSPF Questions 3

July 28th, 2017 digitaltut 3 comments

Question 1

Explanation

LSAs Type 8 (Link LSA) have link-local flooding scope.  A router originates a separate link-LSA for each attached link that supports two or more (including the originating router itself) routers.  Link-LSAs should not be originated for virtual links.

Link-LSAs have three purposes:
1.  They provide the router’s link-local address to all other routers attached to the link.
2.  They inform other routers attached to the link of a list of IPv6 prefixes to associate with the link.
3.  They allow the router to advertise a collection of Options bits in the network-LSA originated by the Designated Router on a broadcast or NBMA link.

LSAs Type 9 (Intra-Area Prefix LSA) have area flooding scope. An intra-area-prefix-LSA has one of two functions:
1.  It either associates a list of IPv6 address prefixes with a transit network link by referencing a network-LSA…
2.  Or associates a list of IPv6 address prefixes with a router by referencing a router-LSA.  A stub link’s prefixes are associated with its attached router.

LSA Type 9 is breaking free of LSA Type 1 and LSA Type 2 as they were used in IPv4 OSPF to advertise the prefixes inside the areas, giving us a change in the way the OSPF SPF algorithm is ran.

Reference (and for more information): http://packetpushers.net/a-look-at-the-new-lsa-types-in-ospfv3-with-vyatta-and-cisco/

Question 2

Question 3

Explanation

The wildcard mask should be 0.0.0.255 instead of the subnet mask 255.0.0.0.

Question 4

Explanation

Route aggregation can be performed on the border routers to reduce the LSAs advertised to other areas. Route aggregation can also minimize the influences caused by the topology changes.

Question 5

Question 6

Explanation

IS-IS is an interior gateway protocol (IGP), same as EIGRP and OSPF so maybe they are the best answers. Although RIP is not a wrong choice but it is not widely used because of many limitations (only 15 hops, long convergence time…).

Question 7

Explanation

This command affects all the OSPF costs on the local router as all links are recalculated with formula: cost = reference-bandwidth (in Mbps) / interface bandwidth 

Note: The default reference bandwidth for OSPF is 10^8 bps or 100Mpbs so the “auto-cost reference-bandwidth 100” is in fact the default value so answer A may be  a correct answer.

Question 8

Explanation

NSSA External LSA (Type 7) – Generated by an ASBR inside a Not So Stubby Area (NSSA) to describe routes redistributed into the NSSA. LSA 7 is translated into LSA 5 as it leaves the NSSA. These routes appear as N1 or N2 in the routing table inside the NSSA. Much like LSA 5, N2 is a static cost while N1 is a cumulative cost that includes the cost upto the ASBR.

OSPF_LSAs_Types_7.jpg

EIGRP Questions

July 27th, 2017 digitaltut 38 comments

Question 1

Explanation

By default, EIGRP load-shares over four equal-cost paths. EIGRP also support unequal-cost load balancing via the “variance” command.

Question 2

Explanation

The table below lists the default administrative distance values of popular routing protocols:

Routing Protocols Default Administrative Distance
EIGRP 90
OSPF 110
RIP 120
eBGP 20
iBGP 200
Connected interface 0
Static route 1

Question 3

Question 4

Explanation

The following list of parameters must match between EIGRP neighbors in order to successfully establish neighbor relationships:

+ Autonomous System number.
+ K-Values.
+ If authentication is used both: the key number, the password, and the date/time the password is valid must match.
+ The neighbors must be on common subnet (all IGPs follow this rule).

Question 5

Explanation

When EIGRP is configured in a point-to-multipoint Frame Relay network, although the Hub can receive routing updates sent from its Spoke routers but split horizon rule forbids the Hub from relaying advertisements back out the interface on which they were received. For example in the topology below, Hub can receive routing updated from two Spokes but it cannot relay them out of S0/0 interface again (as it is the interface where it received the updates). To solve this problem we need to disable split horizon on S0/0 interface of Hub.

Frame_Relay_Point_to_multipoint.jpg

The command should be (suppose EIGRP 1 is running):

Hub(config)#interface serial0/0
Hub(config-if)#no ip split-horizon eigrp 1

Therefore answer A is correct.

In Non-broadcast networks (such as Frame-Relay), multicast (and broadcast) are not allowed while EIGRP (and OSPF, RIPv2) uses multicast to send Hello and Update messages. Therefore these dynamic routing protocols would not work well under Frame-Relay. To overcome this issue we usually add the keyword “broadcast” at the end of the frame-relay map statement (for example, “frame-relay map ip 10.1.1.1 403 broadcast“). This makes EIGRP to send update via unicast instead of multicast.

Another way to resolve above issue is to use the “neighbor” command. This command also make EIGRP to communicate with its neighbors via unicast -> B is correct.

Note: Although we can use the “neighbor” command to set up EIGRP neighbor relationship but the routes cannot be advertised from the Hub to the Spoke because of split horizon rule.

Question 6

Explanation

Although we can use the “neighbor” command to set up EIGRP neighbor relationship but the routes cannot be advertised from the Hub to the Spoke because of split horizon rule -> Answer D is not correct.

To overcome the split horizon rule we can use subinterface as each subinterface is treated like a separate physical interface so routing updates can be advertised back from Hub to Spokes.  -> Answer C is correct.

Note: The split horizon rule states that routes will not be advertised back out an interface in which they were received on

Question 7

Explanation

The “ip summary-address eigrp” command is used to configure interface-level address summarization. EIGRP summary routes are given an administrative distance value of 5. The administrative distance metric is used to advertise a summary without installing it in the routing table.

Reference: http://www.cisco.com/c/en/us/td/docs/ios/iproute_eigrp/command/reference/ire_book/ire_i1.html

Question 8

Question 9

Explanation

An example of how to configure EIGRP authentication on two routers that are connected to each other is shown below:

R1,R2(config)#key chain MYKEYS
R1,R2(config-keychain)#key 1
R1,R2(config-keychain-key)#key-string SecRetThing!
R1,R2(config-keychain-key)#end

R1,R2(config)#interface serial 0/0
R1,R2(config-subif)#ip authentication mode eigrp 10 md5
R1,R2(config-subif)#ip authentication key-chain eigrp 10 MYKEYS

Question 10

Explanation

When redistributing into RIP, EIGRP (and IGRP) we need to specify the metrics or the redistributed routes would never be learned. In this case we need to configure like this:

router eigrp 1
redistribute ospf 100 metric 10000 100 255 1 1500

Question 11

EIGRP Questions 2

July 27th, 2017 digitaltut 4 comments

Question 1

Explanation

The “eigrp stub” command is equivalent to the “eigrp stub connected summary” command which advertises the connected routes and summarized routes.

Note: Summary routes can be created manually with the summary address command or automatically at a major network border router with the auto-summary command enabled.

Question 2

Question 3

Question 4

Note: Maybe SATx is the name of a router

Question 5

Explanation

If an older version of code is deployed on the hub router, it will ignore the stub TLV and continue to send QUERY packets to the stub router. However, the stub router will immediately reply “inaccessible” to any QUERY packets, and will not continue to propagate them. Thus, the solution is backward-compatible and does not necessarily require an upgrade on the hub routers.

Reference: http://www.cisco.com/en/US/technologies/tk648/tk365/technologies_white_paper0900aecd8023df6f.html

Question 6

Question 7

Explanation

To become a neighbor, the following conditions must be met:
+ The router must hear a Hello packet from a neighbor.
+ The EIGRP autonomous system (AS) must be the same.
+ K-values must be the same.

Question 8

Question 9

Question 10

Explanation

Below is an example of the “show ip eigrp neighbors” output.

EIGRP_show_ip_eigrp_neighbors_2.jpg

Let’s analyze these columns:

+ H: lists the neighbors in the order this router was learned
+ Address: the IP address of the neighbors
+ Interface: the interface of the local router on which this Hello packet was received
+ Hold (sec): the amount of time left before neighbor is considered in “down” status
+ Uptime: amount of time since the adjacency was established
+ SRTT (Smooth Round Trip Timer): the average time in milliseconds between the transmission of a packet to a neighbor and the receipt of an acknowledgement.
+ RTO (Retransmission Timeout): if a multicast has failed, then a unicast is sent to that particular router, the RTO is the time in milliseconds that the router waits for an acknowledgement of that unicast.
+ Queue count (Q Cnt): shows the number of queued EIGRP packets. It is usually 0.
+ Sequence Number (Seq Num): the sequence number of the last update EIGRP packet received. Each update message is given a sequence number, and the received ACK should have the same sequence number. The next update message to that neighbor will use Seq Num + 1.

In this question we have to check the RTO and Q cnt fields.

Question 11

Explanation

By default, EIGRP uses only the bandwidth & delay parameters to calculate the metric (metric = bandwidth + delay). In particular, EIGRP uses the slowest bandwidth of the outgoing interfaces of the route to calculate the metric as follows:

EIGRP_fomula.jpg

For an example of how EIGRP calculates the metric, please read our EIGRP tutorial (part 3).

Question 12

Question 13

Distribute List

July 26th, 2017 digitaltut 10 comments

Question 1

Question 2

Explanation

A distribute list is used to filter routing updates either coming to or leaving from our router. In this case, the “out” keyword specifies we want to filter traffic leaving from our router. Access-list 2 indicates only routing update for network 1.2.3.0/24 is allowed (notice that every access-list always has an implicit “deny all” at the end).

Question 3

Explanation

With EIGRP or OSPF running on a network, the “passive-interface” command stops both outgoing and incoming routing update (while RIP passive interface command will prevent RIP updates from being sent on the interface). Therefore “passive-interface” is not a good answer.

Distribute-list is used to control routing updates either coming to your router or leaving from our router so this is a better choice. For example we can prevent routing updates from sending out Fa0/0 with this command:

Router(config)#access-list 2 deny any
Router(config)#router ospf 1
Router(config-router)#distribute-list 2 out fa0/0

Policy Based Routing

July 25th, 2017 digitaltut 2 comments

Question 1

Explanation

Normal policy based routing (PBR) is used to route packets that pass through the device. Packets that are generated by the router (itself) are not normally policy-routed. To control these packets, local PBR should be used. For example: Router(config)# ip local policy route-map map-tag (compared with normal PBR: Router(config-if)# ip policy route-map map-tag)

Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_2/qos/configuration/guide/fqos_c/qcfpbr.html

Question 2

Explanation

The set command specifies the action(s) to take on the packets that match the criteria. You can specify any or all of the following:

* precedence: Sets precedence value in the IP header. You can specify either the precedence number or name.
* df: Sets the “Don’t Fragment” (DF) bit in the ip header.
* vrf: Sets the VPN Routing and Forwarding (VRF) instance.
* next-hop: Sets next hop to which to route the packet.
* next-hop recursive: Sets next hop to which to route the packet if the hop is to a router which is not adjacent.
* interface: Sets output interface for the packet.
* default next-hop: Sets next hop to which to route the packet if there is no explicit route for this destination.
* default interface: Sets output interface for the packet if there is no explicit route for this destination.

route_map_set_command1.jpg

route_map_set_command.jpg

(Reference: http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfpbr_ps1835_TSD_Products_Configuration_Guide_Chapter.html)

Question 3

Explanation

The “show route-map “route-map name” displays the policy routing match counts so we can learn if PBR reacts to packets sourced from 172.16.0.0/16 or not.

show_route-map_divert.jpg

Question 4

Explanation

First we should check the access-list log, if the hit count does not increase then no packets are matched the access-list -> the policy based routing match counts will not increase.

BGP Questions

July 24th, 2017 digitaltut 32 comments

Question 1

Explanation

Private autonomous system (AS) numbers which range from 64512 to 65535 are used to conserve globally unique AS numbers. Globally unique AS numbers (1 – 64511) are assigned by InterNIC. These private AS number cannot be leaked to a global Border Gateway Protocol (BGP) table because they are not unique (BGP best path calculation expects unique AS numbers).

Reference: http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13756-32.html

Question 2

Explanation

If MTU on two interfaces are mismatched, the BGP neighbors may flap, the BGP state drops and the logs generate missing BGP hello keepalives or the other peer terminates the session.

For more information about MTU mismatched between BGP neighbors please read: http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/116377-troubleshoot-bgp-mtu.html

Question 3

Explanation

Notice that the Administrative Distance (AD) of External BGP (eBGP) is 20 while the AD of internal BGP (iBGP) is 200.

Question 4

Explanation

Private autonomous system (AS) numbers which range from 64512 to 65535 are used to conserve globally unique AS numbers. These private AS number cannot be leaked to a global BGP table because they are not unique.

Question 5


Explanation

BGP Neighbor states are: Idle – Connect – Active – Open Sent – Open Confirm – Established

Question 6


Explanation

BGP peers are established by manual configuration between routing devices to create a TCP session on (destination) port 179.

Question 7


Explanation

Below is the list of BGP states in order, from startup to peering:

1 – Idle: the initial state of a BGP connection. In this state, the BGP speaker is waiting for a BGP start event, generally either the establishment of a TCP connection or the re-establishment of a previous connection. Once the connection is established, BGP moves to the next state.
2 – Connect: In this state, BGP is waiting for the TCP connection to be formed. If the TCP connection completes, BGP will move to the OpenSent stage; if the connection cannot complete, BGP goes to Active
3 – Active: In the Active state, the BGP speaker is attempting to initiate a TCP session with the BGP speaker it wants to peer with. If this can be done, the BGP state goes to OpenSent state.
4 – OpenSent: the BGP speaker is waiting to receive an OPEN message from the remote BGP speaker
5 – OpenConfirm: Once the BGP speaker receives the OPEN message and no error is detected, the BGP speaker sends a KEEPALIVE message to the remote BGP speaker
6 – Established: All of the neighbor negotiations are complete. You will see a number (2 in this case), which tells us the number of prefixes the router has received from a neighbor or peer group.

Question 8

Question 9

Redistribution Questions

July 23rd, 2017 digitaltut 7 comments

Question 1

Question 2

Question 3

DHCP & DHCPv6 Questions

July 22nd, 2017 digitaltut 10 comments

Question 1

Explanation

DHCP options 3, 66, and 150 are used to configure Cisco IP Phones. Cisco IP Phones download their configuration from a TFTP server. When a Cisco IP Phone starts, if it does not have both the IP address and TFTP server IP address preconfigured, it sends a request with option 150 or 66 to the DHCP server to obtain this information.
+ DHCP option 150 provides the IP addresses of a list of TFTP servers.
+ DHCP option 66 gives the IP address or the hostname of a single TFTP server.

Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/basic_dhcp.pdf

Question 2

Explanation

Most vendor’s routers/switches have the ability to function as:
+ A DHCP client and obtain an interface IPv4 address from an upstream DHCP service
+ A DHCP relay and forward UDP DHCP messages from clients on a LAN to and from a DHCP server
+ A DHCP server whereby the router/switch services DHCP requests directly

Question 3

Explanation

Extended Unique Identifier (EUI) allows a host to assign itself a unique 64-Bit IPv6 interface identifier (EUI-64). This feature is a key benefit over IPv4 as it eliminates the need of manual configuration or DHCP as in the world of IPv4. The IPv6 EUI-64 format address is obtained through the 48-bit MAC address. The MAC address is first separated into two 24-bits, with one being OUI (Organizationally Unique Identifier) and the other being NIC specific. The 16-bit 0xFFFE is then inserted between these two 24-bits for the 64-bit EUI address. IEEE has chosen FFFE as a reserved value which can only appear in EUI-64 generated from the an EUI-48 MAC address.

Question 4

Question 5

Explanation

A DHCPv6 configuration information pool is a named entity that includes information about available configuration parameters and policies that control assignment of the parameters to clients from the pool. A pool is configured independently of the DHCPv6 service and is associated with the DHCPv6 service through the command-line interface (CLI).
Each configuration pool can contain the following configuration parameters and operational information:
Prefix delegation information, which could include:
+ A prefix pool name and associated preferred and valid lifetimes
+ A list of available prefixes for a particular client and associated preferred and valid lifetimes
– A list of IPv6 addresses of DNS servers
– A domain search list, which is a string containing domain names for DNS resolution

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/configuration/15-2mt/ipv6-15-2mt-book/ip6-dhcp.html

This is how to configure a DHCPv6 pool:

ipv6 unciast-routing
ipv6 dhcp pool <pool name>
address prefix <specify address prefix> lifetime <infinite> <infinite>
dns-server <specify the dns server address>
domain-name <specify the domain name>

For example:

ipv6 dhcp pool test
address prefix 2010:AA01:10::/64 lifetime infinite infinite
dns-server AAAA:BBBB:10FE:100::15
dns-server 2010:AA01::15
domain-name example.com

Reference: https://supportforums.cisco.com/document/116221/part-1-implementing-dhcpv6-stateful-dhcpv6

So we can see DHCPv6 pool supports address prefix and domain search list, DNS servers.

Question 6

Explanation

Note: A DHCPv6 relay agent is used to relay (forward) messages between the DHCPv6 client and server.

Servers and relay agents listen for DHCP messages on UDP port 547 so if a DHCPv6 relay agent cannot receive DHCP messages (because of port 547 is blocked) then the routers (clients) will not obtain DHCPv6 prefixes.

We are not sure about answer D but maybe it is related to the (absence of) “Reload Persistent Interface ID” in DHCPv6 Relay Options. This feature makes the interface ID option persistent. The interface ID is used by relay agents to decide which interface should be used to forward a RELAY-REPLY packet. A persistent interface-ID option will not change if the router acting as a relay agent goes offline during a reload or a power outage. When the router acting as a relay agent returns online, it is possible that changes to the internal interface index of the relay agent may have occurred in certain scenarios (such as, when the relay agent reboots and the number of interfaces in the interface index changes, or when the relay agents boot up and has more virtual interfaces than it did before the reboot). This feature prevents such scenarios from causing any problems.

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_dhcp/configuration/15-e/dhcp-15-e-book/dhcp-15e-book_chapter_010.html

Question 7

Explanation

In this topology DSW1 is the DHCPv6 Relay agent so it should relay (forward) the DHCPv6 Request packets (from the clients) out of its Gi1/2 interface to the DHCPv6 server. The command “ipv6 dhcp relay destination …” is used to complete this task.

Note: There is no “default-router” command for DHCPv6. The “ipv6 dhcp relay destination” is not required to configure on every router along the path between the client and server. It is ONLY required on the router functioning as the DHCPv6 relay agent.

Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/enterprise-ipv6-solution/whitepaper_c11-689821.html

Question 8

Explanation

The “ip helper-address” command is only configured in interface mode so it is not the correct answer.

Note: The Cisco IOS software provides the global configuration command “ip forward-protocol” to allow an administrator to forward any UDP port in addition to the eight default UDP Services. For example, to forward UDP on port 517, use the global configuration command “ip forward-protocol udp 517”. But the eight default UDP Services include DHCP services so it is not the suitable answer.

Reference and good resource: http://www.ciscopress.com/articles/article.asp?p=330807&seqNum=9

A DHCP relay agent may receive a message from another DHCP relay agent that already contains relay information. By default, the relay information from the previous relay agent is replaced. If this behavior is not suitable for your network, you can use the ip dhcp relay information policy {drop | keep | replace} global configuration command to change it -> Therefore this is the correct answer.

Reference: https://www.cisco.com/en/US/docs/ios/12_4t/ip_addr/configuration/guide/htdhcpre.html

Question 9

Explanation

If the DHCP Server is not on the same subnet with the DHCP Client, we need to configure the router on the DHCP client side to act as a DHCP Relay Agent so that it can forward DHCP messages between the DHCP Client & DHCP Server. To make a router a DHCP Relay Agent, simply put the “ip helper-address <IP-address-of-DHCP-Server>” command under the interface that receives the DHCP messages from the DHCP Client.

Question 10

EVN & VRF Questions

July 21st, 2017 digitaltut 29 comments

Quick review:

Easy Virtual Network (EVN) is an IP-based network virtualization solution that helps enable network administrators to provide traffic separation and path isolation on a shared network infrastructure. EVN uses existing Virtual Route Forwarding (VRF)-Lite technology to:
+ Simplify Layer 3 network virtualization
+ Improve shared services support
+ Enhance management, troubleshooting, and usability

Question 1

Explanation

All the subinterfaces and associated EVNs have the same IP address assigned. In other words, a trunk interface is identified by the same IP address in different EVN contexts. EVN automatically generates subinterfaces for each EVN. For example, both Blue and Green VPN Routing and Forwarding (VRF) use the same IP address of 10.0.0.1 on their trunk interface:

vrf definition Blue
vnet tag 100
vrf definition Green
vnet tag 200
!
interface gigabitethernet0/0/0
vnet trunk
ip address 10.0.0.1 255.255.255.0

-> A is correct.

In fact answer B & C are not correct because each EVN has separate routing table and forwarding table.

Note: The combination of the VPN IP routing table and the associated VPN IP forwarding table is called a VPN routing and forwarding (VRF) instance.

Question 2

Explanation

EVN is supported on any interface that supports 802.1q encapsulation, for example, an Ethernet interface. Instead of adding a new field to carry the VNET tag in a packet, the VLAN ID field in 802.1q is repurposed to carry a VNET tag. The VNET tag uses the same position in the packet as a VLAN ID. On a trunk interface, the packet gets re-encapsulated with a VNET tag. Untagged packets carrying the VLAN ID are not EVN packets and could be transported over the same trunk interfaces.

Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/layer-3-vpns-l3vpn/whitepaper_c11-638769.html

Question 3

Explanation

An example of using “autonomous-system {autonomous-system-number}” command is shown below:

router eigrp 100
address-family ipv4 vrf Cust
net 192.168.12.0
autonomous-system 100
no auto-summary

This configuration is performed under the Provide Edge (PE) router to run EIGRP with a Customer Edge (CE) router. The “autonomous-system 100” command indicates that the EIGRP AS100 is running between PE & CE routers.

Question 4

Question 5

Question 6

Explanation

EVN builds on the existing IP-based virtualization mechanism known as VRF-Lite. EVN provides enhancements in path isolation, simplified configuration and management, and improved shared service support

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/evn/configuration/xe-3s/evn-xe-3s-book/evn-overview.html

Maybe the “improved shared services support” term here implies about the support of sharing between different VRFs (through route-target, MP-BGP)

Question 7

Explanation

This question is not clear because we have to configure a static route pointing to the global routing table while it stated that “all interfaces are in the same VRF”. But we should understand both outside and inside interfaces want to ping the loopback interface.

Question 8

Explanation

EVN supports IPv4, static routes, Open Shortest Path First version 2 (OSPFv2), and Enhanced Interior Gateway Routing Protocol (EIGRP) for unicast routing, and Protocol Independent Multicast (PIM) and Multicast Source Discovery Protocol (MSDP) for IPv4 Multicast routing. EVN also supports Cisco Express Forwarding (CEF) and Simple Network Management Protocol (SNMP).

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/evn/configuration/xe-3s/evn-xe-3s-book/evn-overview.html

Question 9

Explanation

Route-target is is tagged to each VPN when it is exported. In other words, when a prefix is exported with a route-target, an extended BGP community is attached to that prefix. If this community is matched with the (import) route-target of the receiving side then the prefix is imported to the receiving VRF.

Question 10

Explanation

Easy Virtual Network (EVN) is an IP-based virtualization technology that provides end-to-end virtualization of two or more Layer-3 networks. You can use a single IP infrastructure to provide separate virtual networks whose traffic paths remain isolated from each other.

An EVN trunk interface connects VRF-aware routers together and provides the core with a means to transport traffic for multiple EVNs. Trunk interfaces carry tagged traffic. The tag is used to de-multiplex the packet into the corresponding EVN. A trunk interface has one subinterface for each EVN. The vnet trunk command is used to define an interface as an EVN trunk interface.

In other words, EVN trunk interfaces allow multiple VRFs to use the same physical interfaces for transmission but the data of each VRF is treated separately. Without EVN trunk interfaces we need to create many subinterfaces. Therefore virtual network trunk (VNET) decreases the network configuration required.

Note: There is no “Easy Trunk” component or technology.

EVN & VRF Questions 2

July 21st, 2017 digitaltut No comments

Question 1

Explanation

Route replication allows shared services because routes are replicated between virtual networks and clients who reside in one virtual network can reach prefixes that exist in another virtual network.

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/evn/configuration/xe-3s/evn-xe-3s-book/evn-shared-svcs.html

Question 2

Question 3

Explanation

Path isolation can be achieved by using a unique tag for each Virtual Network (VN) -> Answer A is correct.

Instead of adding a new field to carry the VNET tag in a packet, the VLAN ID field in 802.1q is repurposed to carry a VNET tag. The VNET tag uses the same position in the packet as a VLAN ID. On a trunk interface, the packet gets re-encapsulated with a VNET tag. Untagged packets carrying the VLAN ID are not EVN packets and could be transported over the same trunk interfaces -> Answer E is correct.

Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/layer-3-vpns-l3vpn/whitepaper_c11-638769.html

Question 4

Explanation

We are trying to ping the 192.168.1.2 in vrf Yellow but the Serial0/0 interfaces of both routers do not belong to this VRF so the ping fails. We need to configure S0/0 interfaces with the “ip vrf forwarding Yellow” (under interface S0/0) in order to put these interfaces into VRF Yellow.

Question 5

Question 6

Question 7

Explanation

In the link http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/vrf.html there is a notice about route-target command: “Note: This command is effective only if BGP is running.” -> C is correct.

Answer A & F are not correct as only route distinguisher (RD) identifies the customer routing table and “allows customers to be assigned overlapping addresses”.

Answer E is not correct as “When BGP is configured, route targets are transmitted as BGP extended communities”

Question 8

Explanation

With VRF-Lite, if you want to send traffic for multiple virtual networks (that is, multiple VRFs) between two routers you need to create a subinterface for each VRF on each router -> VRF-Lite requires subinterfaces. However, with Cisco EVN, you instead create a trunk (called a Virtual Network (VNET) trunk) between the routers. Then, traffic for multiple virtual networks can travel over that single trunk interface, which uses tags to identify the virtual networks to which packets belong.

Note: Both Cisco EVN and VRF-Lite allow a single physical router to run multiple virtual router instances, and both technologies allow routes from one VRF to be selectively leaked to other VRFs. However, a major difference is the way that two physical routers interconnect. With VRF-Lite, a router is configured with multiple subinterfaces, one for each VRF. However, with Cisco EVN, routers interconnect using a VNET trunk, which simplifies configuration.

Reference: CCNP Routing and Switching ROUTE 300-101 Official Cert Guide

All EVNs within a trunk interface share the same IP infrastructure as they are on the same physical interface -> Answer C is correct.

With EVNs, a trunk interface is shared among VRFs so each command configured under this trunk is applied by all EVNs -> Answer E is correct.

Question 9

IPv6 Questions

July 20th, 2017 digitaltut 12 comments

Question 1

Explanation

Dual-stack method is the most common technique which only requires edge routers to run both IPv4 and IPv6 while the inside routers only run IPv4. At the edge network, IPv4 packets are converted to IPv6 packets before sending out.

6to4 tunnel is a technique which relies on reserved address space 2002::/16 (you must remember this range). These tunnels determine the appropriate destination address by combining the IPv6 prefix with the globally unique destination 6to4 border router’s IPv4 address, beginning with the 2002::/16 prefix, in this format:

2002:border-router-IPv4-address::/48

For example, if the border-router-IPv4-address is 64.101.64.1, the tunnel interface will have an IPv6 prefix of 2002:4065:4001:1::/64, where 4065:4001 is the hexadecimal equivalent of 64.101.64.1. This technique allows IPv6 sites to communicate with each other over the IPv4 network without explicit tunnel setup but we have to implement it on all routers on the path.

NAT-PT provides IPv4/IPv6 protocol translation. It resides within an IP router, situated at the boundary of an IPv4 network and an IPv6 network. By installing NAT-PT between an IPv4 and IPv6 network, all IPv4 users are given access to the IPv6 network without modification in the local IPv4-hosts (and vice versa). Equally, all hosts on the IPv6 network are given access to the IPv4 hosts without modification to the local IPv6-hosts. This is accomplished with a pool of IPv4 addresses for assignment to IPv6 nodes on a dynamic basis as sessions are initiated across IPv4-IPv6 boundaries.

Question 2

Explanation

Overlay tunneling encapsulates IPv6 packets in IPv4 packets for delivery across an IPv4 infrastructure (a core network or the Internet). By using overlay tunnels, you can communicate with isolated IPv6 networks without upgrading the IPv4 infrastructure between them. Overlay tunnels can be configured between border routers or between a border router and a host; however, both tunnel endpoints must support both the IPv4 and IPv6 protocol stacks.

IPv6_tunneling.jpg

Reference: http://www.cisco.com/c/en/us/td/docs/ios/ipv6/configuration/guide/12_4t/ipv6_12_4t_book/ip6-tunnel.html

Question 3

Explanation

In Stateless Configuration mode, hosts will listen for Router Advertisements (RA) messages which are transmitted periodically from the router (DHCP Server). This RA message allows a host to create a global IPv6 address from:
+ Its interface identifier (EUI-64 address)
+ Link Prefix (obtained via RA)
Note: Global address is the combination of Link Prefix and EUI-64 address

Question 4

Explanation

The IPv6 EUI-64 format address is obtained through the 48-bit MAC address. The Mac address is first separated into two 24-bits, with one being OUI (Organizationally Unique Identifier) and the other being NIC specific. The 16-bit 0xFFFE is then inserted between these two 24-bits to for the 64-bit EUI address. IEEE has chosen FFFE as a reserved value which can only appear in EUI-64 generated from the an EUI-48 MAC address.

In this question, the MAC address C601.420F.0007 is divided into two 24-bit parts, which are “C60142” (OUI) and “0F0007” (NIC). Then “FFFE” is inserted in the middle. Therefore we have the address: C601.42FF.FE0F.0007.

Then, according to the RFC 3513 we need to invert the Universal/Local bit (“U/L” bit) in the 7th position of the first octet. The “u” bit is set to 1 to indicate Universal, and it is set to zero (0) to indicate local scope. In this case we don’t need to set this bit to 1 because it is already 1 (C6 = 11000110).

Therefore with the subnet of 2001:DB8:0:1::/64, the full IPv6 address is 2001:DB8:0:1:C601:42FF:FE0F:7/64

Question 5

Question 6

Explanation

NPTv6 stands for Network Prefix Translation. It’s a form of NAT for IPv6 and it supports one-to-one translation between inside and outside addresses

Question 7

Explanation

The command “ipv6 flowset” allows the device to track destinations to which the device has sent packets that are 1280 bytes or larger.

Question 8

Explanation

NAT64 is used to make IPv4-only servers available to IPv6 clients.

Note:
NAT44 – NAT from IPv4 to IPv4
NAT66 – NAT from IPv6 to IPv6
NAT46 – NAT from IPv4 to IPv6
NAT64 – NAT from IPv6 to IPv4

Question 9

Explanation

The IPv6 EUI-64 format address is obtained through the 48-bit MAC address. The Mac address is first separated into two 24-bits, with one being OUI (Organizationally Unique Identifier) and the other being NIC specific. The 16-bit 0xFFFE is then inserted between these two 24-bits to for the 64-bit EUI address. IEEE has chosen FFFE as a reserved value which can only appear in EUI-64 generated from the an EUI-48 MAC address.

Question 10

Explanation

IPv6 allows devices to configure their own IP addresses and other parameters automatically without the need for a DHCP server. This method is called “IPv6 Stateless Address Autoconfiguration” (which contrasts to the server-based method using DHCPv6, called “stateful”). In Stateless Autoconfiguration method, a host sends a router solicitation to request a prefix. The router then replies with a router advertisement (RA) message which contains the prefix of the link. Host will use this prefix and its MAC address to create its own unique IPv6 address.

Note:
+ RA messages are sent periodically and in response to device solicitation messages
+ In the absence of a router, a host can generate only link-local addresses. Link-local addresses are only sufficient for allowing communication among nodes that are attached to the same link

IPv6 Questions 2

July 20th, 2017 digitaltut 10 comments

Question 1

Question 2

Question 3

Explanation

Address Family Translation (AFT) using NAT64 technology can be achieved by either stateless or stateful means:
+ Stateless NAT64 is a translation mechanism for algorithmically mapping IPv6 addresses to IPv4 addresses, and IPv4 addresses to IPv6 addresses. Like NAT44, it does not maintain any bindings or session state while performing translation, and it supports both IPv6-initiated and IPv4-initiated communications.
+ Stateful NAT64 is a stateful translation mechanism for translating IPv6 addresses to IPv4 addresses, and IPv4 addresses to IPv6 addresses. Like NAT44, it is called stateful because it creates or modifies bindings or session state while performing translation. It supports both IPv6-initiated and IPv4-initiated communications using static or manual mappings.

Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/enterprise-ipv6-solution/white_paper_c11-676278.html

Question 4

Question 5

Explanation

When a change is made to one of the IP header fields in the IPv6 pseudo-header checksum (such as one of the IP addresses), the checksum field in the transport layer header may become invalid. Fortunately, an incremental change in the area covered by the Internet standard checksum [RFC1071] will result in a well-defined change to the checksum value [RFC1624]. So, a checksum change caused by modifying part of the area covered by the checksum can be corrected by making a complementary change to a different 16-bit field covered by the same checksum.

Reference: https://tools.ietf.org/html/rfc6296

Question 6

Question 7

Explanation

Link-local addresses are always configured with the FE80::/64 prefix. Most routing protocols use the link-local address for a next-hop.

Question 8

Explanation

A link-local address is an IPv6 unicast address that can be automatically configured on any interface using the link-local prefix FE80::/10 (1111 1110 10) and the interface identifier in the modified EUI-64 format. Link-local addresses are not necessarily bound to the MAC address (configured in a EUI-64 format). Link-local addresses can also be manually configured in the FE80::/10 format using the ipv6 address link-local command.

Reference: http://www.cisco.com/c/en/us/support/docs/ip/ip-version-6-ipv6/113328-ipv6-lla.html

Question 9

Explanation

Stateless Address Auto Configuration (SLAAC) is a method in which the host or router interface is assigned a 64-bit prefix, and then the last 64 bits of its address are derived by the host or router with help of EUI-64 process.

Question 10

Question 11

Explanation

The components of IPv6 header is shown below:

IPv6_header.jpg

The Traffic Class field (8 bits) is where quality of service (QoS) marking for Layer 3 can be identified. In a nutshell, the higher the value of this field, the more important the packet. Your Cisco routers (and some switches) can be configured to read this value and send a high-priority packet sooner than other lower ones during times of congestion. This is very important for some applications, especially VoIP.

The Flow Label field (20 bits) is originally created for giving real-time applications special service. The flow label when set to a non-zero value now serves as a hint to routers and switches with multiple outbound paths that these packets should stay on the same path so that they will not be reordered. It has further been suggested that the flow label be used to help detect spoofed packets.

The Hop Limit field (8 bits) is similar to the Time to Live field in the IPv4 packet header. The value of the Hop Limit field specifies the maximum number of routers that an IPv6 packet can pass through before the packet is considered invalid. Each router decrements the value by one. Because no checksum is in the IPv6 header, the router can decrease the value without needing to recalculate the checksum, which saves processing resources.

IPv6 Questions 3

July 20th, 2017 digitaltut 2 comments

Question 1

Explanation

We need to summarize three IPv6 prefixes with /64 subnet mask so the summarized route should have a smaller subnet mask. As we can see all four answers have the same summarized route of 2001:DB8:: so /48 is the best choice.

Note: IPv6 consists of 8 fields with each 16 bits (8×16 = 128).

Question 2

Question 3

Question 4

Explanation

DHCPv6 can be implemented in two ways : Rapid-Commit and Normal Commit mode. In Rapid-Commit mode , the DHCP client obtain configuration parameters from the server through a rapid two message exchange (solicit and reply).

The “solicit” message is sent out by the DHCP Client to verify that there is a DHCP Server available to handle its requests.

The “reply” message is sent out by the DHCP Server to the DHCP Client, and it contains the “configurable information” that the DHCP Client requested.

Just for your information, in Normal-Commit mode, the DHCP client uses four message exchanges (solicit, advertise, request and reply). By default normal-commit is used.

Question 5

Explanation

The IPv6-to-IPv6 Network Prefix Translation (NPTv6) provides a mechanism to translate an inside IPv6 source address prefix to outside IPv6 source address prefix in IPv6 packet header and vice-versa. In other words, NPTv6 is simply rewriting IPv6 prefixes. NPTv6 does not allow to overload. It does not support mismatching prefix allocations sizes (so the network/host portion remains intact. For example you cannot cover /64 to /48).

Question 6

Question 7

Question 8

Question 9

Explanation

The automatic tunneling mechanism uses a special type of IPv6 address, termed an “IPv4-compatible” address. An IPv4-compatible address is identified by an all-zeros 96-bit prefix, and holds an IPv4 address in the low-order 32-bits. IPv4-compatible addresses are structured as follows:

ipv6toIPv4structure

Therefore, an IPv4 address of 10.67.0.2 will be written as ::10.67.0.2 or 0:0:0:0:0:0:10.67.0.2 or ::0A43:0002 (with 10[decimal] = 0A[hexa] ; 67[decimal] = 43[hexa] ; 0[hexa] = 0[decimal] ; 2[hexa] = 2[decimal])

Question 10

IPv6 Questions 4

July 20th, 2017 digitaltut 1 comment

Question 1

Question 2

Question 3

Explanation

An automatic 6to4 tunnel allows isolated IPv6 domains to be connected over an IPv4 network to remote IPv6 networks. The key difference between automatic 6to4 tunnels and manually configured tunnels is that the tunnel is not point-to-point; it is point-to-multipoint -> it allows multiple IPv4 destinations -> B is correct.

A is not correct because manually 6to4 is point-to-point -> only allows one IPv4 destination.

Configuring 6to4 (manually and automatic) requires dual-stack routers (which supports both IPv4 & IPv6) at the tunnel endpoints because they are border routers between IPv4 & IPv6 networks.

(Reference: http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-tunnel_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1055515)

Question 4

Question 5

Explanation

In fact this question has no correct answer. The IPv6 EUI-64 format address is obtained through the 48-bit MAC address. The MAC address is first separated into two 24-bits, with one being OUI (Organizationally Unique Identifier) and the other being NIC specific. The 16-bit 0xFFFE is then inserted between these two 24-bits to for the 64-bit EUI address. IEEE has chosen FFFE as a reserved value which can only appear in EUI-64 generated from the an EUI-48 MAC address.

For example, the MAC address C601.420F.0007 is divided into two 24-bit parts, which are “C60142” (OUI) and “0F0007” (NIC). Then “FFFE” is inserted in the middle. Therefore we have the address: C601.42FF.FE0F.0007.

Question 6

Explanation

6to4 tunnel is a technique which relies on reserved address space 2002::/16 (you must remember this range). These tunnels determine the appropriate destination address by combining the IPv6 prefix with the globally unique destination 6to4 border router’s IPv4 address, beginning with the 2002::/16 prefix, in this format:

2002:border-router-IPv4-address::/48

For example, if the border-router-IPv4-address is 192.168.99.1, the tunnel interface will have an IPv6 prefix of 2002:C0A8:6301::/64, where C0A8:6301 is the hexadecimal equivalent of 192.168.99.1.

RIPng Questions

July 19th, 2017 digitaltut 3 comments

Question 1

Explanation

The default timers of RIP and RIPng are the same. The meanings of these timers are described below:

Update: how often the router sends update. Default update timer is 30 seconds
Invalid (also called Expire): how much time must expire before a route becomes invalid since seeing a valid update; and place the route into holddown. Default invalid timer is 180 seconds
Holddown: if RIP receives an update with a hop count (metric) higher than the hop count recording in the routing table, RIP does not “believe in” that update. Default holddown timer is 180 seconds
Flush: how much time since the last valid update, until RIP deletes that route in its routing table. Default Flush timer is 240 seconds

RIPng_timer.jpg

Question 2

Question 3

Question 4

Question 5

Question 6

Explanation

This is how to disable split horizon processing for the IPv6 RIP routing process named digitaltut:

Router(config)# ipv6 router rip digitaltut
Router(config-rtr)#no split-horizon

Note: For RIP (IPv4), we have to disable/enable split horizon in interface mode. For example: Router(config-if)# ip split-horizon

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/command/ipv6-cr-book/ipv6-s6.html

Question 7

Explanation

This is how to change the timers for RIPng:

R1(config)#ipv6 router rip digitaltut
R1(config-rtr)#timers 5 15 10 30 (5: Update period; 15: Route timeout period; 10: Route holddown period; 30: Route garbage collection period)

Note: For IPv4 RIP, we have to change the timers in “(config-router)#”.

Security Questions

July 18th, 2017 digitaltut 2 comments

Question 1

Explanation

RADIUS combines authentication and authorization. The access-accept packets sent by the RADIUS server to the client contain authorization information. This makes it difficult to decouple authentication and authorization.

TACACS+ uses the AAA architecture, which separates AAA. This allows separate authentication solutions that can still use TACACS+ for authorization and accounting. For example, with TACACS+, it is possible to use Kerberos authentication and TACACS+ authorization and accounting. After a NAS authenticates on a Kerberos server, it requests authorization information from a TACACS+ server without having to re-authenticate. The NAS informs the TACACS+ server that it has successfully authenticated on a Kerberos server, and the server then provides authorization information.

During a session, if additional authorization checking is needed, the access server checks with a TACACS+ server to determine if the user is granted permission to use a particular command. This provides greater control over the commands that can be executed on the access server while decoupling from the authentication mechanism.

Reference: http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/13838-10.html

Question 2

Explanation

Both RADIUS (Remote Authentication Dial-in User Service) and TACACS+ (Terminal Access Controller Access-Control System) Plus) are the main protocols to provide Authentication, Authorization, and Accounting (AAA) services on network devices.

Both RADIUS and TACACS+ support accounting of commands. Command accounting provides information about the EXEC shell commands for a specified privilege level that are being executed on a network access server. Each command accounting record includes a list of the commands executed for that privilege level, as well as the date and time each command was executed, and the user who executed it.

For example, to send accounting messages to the TACACS+ accounting server when you enter any command other than show commands at the CLI, use the aaa accounting command command in global configuration mode

Note: TACACS+ was developed by Cisco from TACACS.

Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfacct.html

Question 3

Explanation

TACACS+ encrypts the entire body of the packet (but leaves a standard TACACS+ header).

TACACS+ is an AAA protocol developed by Cisco.

Question 4

Unicast Reverse Path Forwarding

July 17th, 2017 digitaltut 28 comments

Question 1

Explanation

The Unicast Reverse Path Forwarding feature (Unicast RPF) helps the network guard against malformed or “spoofed” IP packets passing through a router. A spoofed IP address is one that is manipulated to have a forged IP source address. Unicast RPF enables the administrator to drop packets that lack a verifiable source IP address at the router.

Unicast RPF is enabled on a router interface. When this feature is enabled, the router checks packets that arrive inbound on the interface to see whether the source address matches the receiving interface. Cisco Express Forwarding (CEF) is required on the router because the Forwarding Information Base (FIB) is the mechanism checked for the interface match.

Unicast RPF works in one of three different modes:
+ Strict mode: router will perform two checks for all incoming packets on a certain interface. First check is if the router has a matching entry for the source in the routing table. Second check is if the router uses the same interface to reach this source as where it received this packet on.
+ Loose mode: only check if the router has a matching entry for the source in the routing table
+ VRF mode: leverage either loose or strict mode in a given VRF and will evaluate an incoming packet’s source IP address against the VRF table configured for an eBGP neighbor.

Reference: CCIE Routing and Switching v4.0 Quick Reference, 2nd Edition

Question 2

Explanation

When Unicast Reverse Path Forwarding is enabled, the router checks packets that arrive inbound on the interface to see whether the source address matches the receiving interface.

Question 3

Explanation

First we need to understand the “allow-default” keyword here:

Normally, uRPF will not allow traffic that only matches the default route. The “allow-default” keyword will override this behavior and uRPF will allow traffic matched the default route to pass through.

In answer A, The “ip verify unicast source reachable-via rx allow-default” command under interface Fa0/0 enables uRPF strict mode on Fa0/0. Therefore traffic from the 172.16.1.0/24 network (and any traffic) can go through this interface except the 10.0.0.0/8 network because this network is matched on Fa0/1 interface only. The network 10.0.0.0/8 can only enter TUT router from Fa0/1, thus “limiting spoofed 10.0.0.0/8 hosts that could enter router”.

Question 4

Explanation

Unicast Reverse Path Forwarding (uRPF) examines the source IP address of incoming packets. If it matches with the interface used to reach this source IP then the packets are allowed to enter (strict mode).

uRPF.jpg

The syntax of configuring uRPF in interface mode is:

ip verify unicast source reachable-via {rx | any} [allow-default] [allow-self-ping] [access-list-number]
 
The any option enables a Loose Mode uRPF on the router. This mode allows the router to reach the source address via any interface.
The rx option enables a Strict Mode uRPF on the router. This mode ensures that the router reaches the source address only via
the interface on which the packet was received.
You can also use the allow-default option, so that the default route can match when checking source address -> Answer “allow default route” is a valid option
The allow-self-ping option allows the router to ping itself -> Answer “allow self ping to router” is a valid option.
Another feature of uRPF is we can use an access-list to specify the traffic we want or don’t want to check -> Answer “allow based on ACL match” is a valid option. An example is shown below:
Router(config)#access-list 110 permit ip 192.168.1.0 0.0.0.255 any
Router(config)#interface fa0/1
Router(config-if)#ip verify unicast source reachable-via any 110
 
Note: Access-list “permit” statements allow traffic to be forwarded even if they fail the Unicast RPF check, access list deny statements will drop traffic matched that fail the Unicast RPF check. In above example, 192.168.1.0/24 network is allowed even if it failed uRPF check.
The last option is “source reachable via both” is not clear and it is the best answer in this case. Although it may mention about the uRPF loose mode.

Question 5

Explanation

Unicast Reverse Path Forwarding (uRPF) examines the source IP address of incoming packets. If it matches with the interface used to reach this source IP then the packets are allowed to enter (strict mode).

uRPF.jpg

Unicast RPF is enabled on a router interface. When this feature is enabled, the router checks packets that arrive inbound on the interface to see whether the source address matches the receiving interface. Cisco Express Forwarding (CEF) is required on the router because the Forwarding Information Base (FIB) is the mechanism checked for the interface match.

Unicast RPF works in one of three different modes:
+ Strict mode: router will perform two checks for all incoming packets on a certain interface. First check is if the router has a matching entry for the source in the routing table. Second check is if the router uses the same interface to reach this source as where it received this packet on.
+ Loose mode: only check if the router has a matching entry for the source in the routing table
+ VRF mode: leverage either loose or strict mode in a given VRF and will evaluate an incoming packet’s source IP address against the VRF table configured for an eBGP neighbor.

Reference: CCIE Routing and Switching v4.0 Quick Reference, 2nd Edition

This question only mentioned about “the network to which the packet’s source IP address belongs is found in the router’s FIB” so surely loose mode will accept this packet.

Question 6

Explanation

When a packet is received at the interface where Unicast RPF and ACLs have been configured, the following actions occur:
Step 1: Input ACLs configured on the inbound interface are checked.
Step 2: Unicast RPF checks to see if the packet has arrived on the best return path to the source, which it does by doing a reverse lookup in the FIB table.
Step 3: CEF table (FIB) lookup is carried out for packet forwarding.
Step 4: Output ACLs are checked on the outbound interface.
Step 5: The packet is forwarded.

Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfrpf.html

Question 7

Question 8

Explanation

The command “ip verify unicast source reachable-via any” enables uRFP in loose mode, which only checks if the router has a matching entry for the source in the routing table.

Question 9

IP Services Questions

July 16th, 2017 digitaltut 8 comments

Question 1

Explanation

The switch validates DHCP packets received on the untrusted interfaces of VLANs with DHCP snooping enabled. The switch forwards the DHCP packet unless any of the following conditions occur (in which case the packet is dropped):
+ The switch receives a packet (such as a DHCPOFFER, DHCPACK, DHCPNAK, or DHCPLEASEQUERY packet) from a DHCP server outside the network or firewall.
+ The switch receives a packet on an untrusted interface, and the source MAC address and the DHCP client hardware address do not match. This check is performed only if the DHCP snooping MAC address verification option is turned on.
+ The switch receives a DHCPRELEASE or DHCPDECLINE message from an untrusted host with an entry in the DHCP snooping binding table, and the interface information in the binding table does not match the interface on which the message was received.
+ The switch receives a DHCP packet that includes a relay agent IP address that is not 0.0.0.0.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html#wp1101946

Question 2

Explanation

We can test the action of HSRP by tracking the loopback interface and decrease the HSRP priority so that the standby router can take the active role.

Question 3

Explanation

The “ip http secure-port

” is used to set the secure HTTP (HTTPS) server port number for listening.

Question 4

Explanation

This command shows IPsec Security Associations (SAs) built between peers. An example of the output of above command is shown below:

Router#show crypto ipsec sa
interface: FastEthernet0
    Crypto map tag: test, local addr. 12.1.1.1
   local  ident (addr/mask/prot/port): (20.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   current_peer: 12.1.1.2
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 7767918, #pkts encrypt: 7767918, #pkts digest 7767918
    #pkts decaps: 7760382, #pkts decrypt: 7760382, #pkts verify 7760382
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, 
    #pkts decompress failed: 0, #send errors 1, #recv errors 0
     local crypto endpt.: 12.1.1.1, remote crypto endpt.: 12.1.1.2
     path mtu 1500, media mtu 1500
     current outbound spi: 3D3
     inbound esp sas:
      spi: 0x136A010F(325714191)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 3442, flow_id: 1443, crypto map: test
        sa timing: remaining key lifetime (k/sec): (4608000/52)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     inbound pcp sas:
inbound pcp sas:
outbound esp sas:
   spi: 0x3D3(979)
    transform: esp-3des esp-md5-hmac ,
    in use settings ={Tunnel, }
    slot: 0, conn id: 3443, flow_id: 1444, crypto map: test
    sa timing: remaining key lifetime (k/sec): (4608000/52)
    IV size: 8 bytes
    replay detection support: Y
outbound ah sas:
outbound pcp sas:

The first part shows the interface and cypto map name that are associated with the interface. Then the inbound and outbound SAs are shown. These are either AH or ESP SAs. In this case, because you used only ESP, there are no AH inbound or outbound SAs.

Note: Maybe “inbound crypto map” here mentions about crypto map name.

Question 5

Explanation

The Management Plane Protection (MPP) feature in Cisco IOS software provides the capability to restrict the interfaces on which network management packets are allowed to enter a device. The MPP feature allows a network operator to designate one or more router interfaces as management interfaces. Device management traffic is permitted to enter a device only through these management interfaces. After MPP is enabled, no interfaces except designated management interfaces will accept network management traffic destined to the device.

In the command management-interface interface allow protocols we can configure these protocols (to allow on the designated management interface):

+ BEEP
+ FTP
+ HTTP
+ HTTPS
+ SSH, v1 and v2
+ SNMP, all versions
+ Telnet
+ TFTP

Therefore these are also the protocols that can be affected by MPP.

Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_4t/12_4t11/htsecmpp.html

SNMP Questions

July 15th, 2017 digitaltut 13 comments

Note: If you are not sure about SNMP, please read our SNMP tutorial.

Question 1

Explanation

“The engineer is not concerned with authentication or encryption” so we don’t need to use SNMP version 3. And we only use “one-way SNMP notifications” so SNMP messages should be sent as traps (no need to acknowledge from the SNMP server) -> A is correct.

Question 2

Explanation

There are three SNMP security levels (for SNMPv1, SNMPv2c, and SNMPv3):

+ noAuthNoPriv: Security level that does not provide authentication or encryption.
+ authNoPriv: Security level that provides authentication but does not provide encryption.
+ authPriv: Security level that provides both authentication and encryption.

For SNMPv3, “noAuthNoPriv” level uses a username match for authentication.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli_rel_4_0_1a/CLIConfigurationGuide/sm_snmp.html

Question 3

Explanation

The SNMPv3 Agent supports the following set of security levels:
+ NoAuthnoPriv: Communication without authentication and privacy.
+ AuthNoPriv: Communication with authentication and without privacy. The protocols used for Authentication are MD5 and SHA (Secure Hash Algorithm).
+ AuthPriv: Communication with authentication and privacy. The protocols used for Authentication are MD5 and SHA ; and for Privacy, DES (Data Encryption Standard) and AES (Advanced Encryption Standard) protocols can be used. For Privacy Support, you have to install some third-party privacy packages.

Question 4

Explanation

The SNMPv3 Agent supports the following set of security levels:
+ NoAuthnoPriv: Communication without authentication and privacy.
+ AuthNoPriv: Communication with authentication and without privacy. The protocols used for Authentication are MD5 and SHA (Secure Hash Algorithm).
+ AuthPriv: Communication with authentication and privacy. The protocols used for Authentication are MD5 and SHA ; and for Privacy, DES (Data Encryption Standard) and AES (Advanced Encryption Standard) protocols can be used. For Privacy Support, you have to install some third-party privacy packages.

In the CLI, we use “priv” keyword for “AuthPriv” (“noAuth” keyword for “noAuthnoPriv”; “auth” keyword for “AuthNoPriv”). The following example shows how to configure a remote user to receive traps at the “priv” security level when the SNMPv3 security model is enabled:
Router(config)# snmp-server group group1 v3 priv
Router(config)# snmp-server user PrivateUser group1 remote 1.2.3.4 v3 auth md5 password1 priv access des56

Question 5

Explanation

The “snmp-server manager” command is used to start the SNMP manager process. In other words, it allows the SNMP manager to begin sending and receiving SNMP requests and responses to the SNMNP agents.

SNMP_Components.jpg

Note: SNMP Manager (sometimes called Network Management System – NMS) is a software runs on the device of the network administrator (in most case, a computer) to monitor the network.

Question 6

Explanation

Both SNMPv1 and v2 did not focus much on security and they provide security based on community string only. Community string is really just a clear text password (without encryption). Any data sent in clear text over a network is vulnerable to packet sniffing and interception.

SNMPv3 provides significant enhancements to address the security weaknesses existing in the earlier versions. The concept of community string does not exist in this version. SNMPv3 provides a far more secure communication using entities, users and groups. This is achieved by implementing three new major features:
+ Message integrity: ensuring that a packet has not been modified in transit.
+ Authentication: by using password hashing (based on the HMAC-MD5 or HMAC-SHA algorithms) to ensure the message is from a valid source on the network.
+ Privacy (Encryption): by using encryption (56-bit DES encryption, for example) to encrypt the contents of a packet.

Note: Although SNMPv3 offers better security but SNMPv2c however is still more common.

Question 7

Question 8

Explanation

The command “show snmp user” displays information about the configured characteristics of SNMP users. The following example specifies the username as abcd with authentication method of MD5 and encryption method of 3DES.

Router#show snmp user abcd
User name: abcd
Engine ID: 00000009020000000C025808
storage-type: nonvolatile active access-list: 10
Rowstatus: active
Authentication Protocol: MD5
Privacy protocol: 3DES
Group name: VacmGroupName
Group name: VacmGroupName

Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_4t/12_4t2/snmpv3ae.html

Question 9

Question 10

Explanation

The snmp-server host global configuration command is used to specify the recipient of an SNMP notification operation, in this case 192.168.1.3. In other words, traps of the local router will be sent to 192.168.1.3. Therefore this command is often used to manage the device.

Question 11

Explanation

The SNMP Manger can send GET, GET-NEXT and SET messages to SNMP Agents. The Agents are the monitored device while the Manager is the monitoring device. In the picture below, the Router, Server and Multilayer Switch are monitored devices.

SNMP_Messages_Flow.jpg

Syslog Questions

July 14th, 2017 digitaltut No comments

Question 1

Explanation

The Message Logging is divided into 8 levels as listed below:

Level Keyword Description
0 emergencies System is unusable
1 alerts Immediate action is needed
2 critical Critical conditions exist
3 errors Error conditions exist
4 warnings Warning conditions exist
5 notification Normal, but significant, conditions exist
6 informational Informational messages
7 debugging Debugging messages

The highest level is level 0 (emergencies). The lowest level is level 7. If you specify a level with the “logging console level” command, that level and all the higher levels will be displayed. For example, by using the “logging console warnings” command, all the logging of emergencies, alerts, critical, errors, warnings will be displayed.

Question 2

Explanation

Syslog can be configured to send messages to an external server for storing. The storage size does not depend on the router’s resources and is limited only by the available disk space on the external Syslog server. For example, to instruct our router to send Syslog messages to 192.168.1.2 we can simply use only this command (all parameters are at default values):

R1(config)#logging 192.168.1.2

We cannot send other options (terminal, buffer, console) to external server.

Question 3

Explanation

The “service timestamps log uptime” enables timestamps on log messages, showing the time since the system was rebooted. For example:

00:00:46: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up

Question 4

Explanation

Syslog levels are listed below:

Level Keyword Description
0 emergencies System is unusable
1 alerts Immediate action is needed
2 critical Critical conditions exist
3 errors Error conditions exist
4 warnings Warning conditions exist
5 notification Normal, but significant, conditions exist
6 informational Informational messages
7 debugging Debugging messages

Number “5” in “%LINEPROTO-5- UPDOWN” is the severity level of this message so in this case it is “notification”.

Question 5

Explanation

Maybe this question wants to mention about this Syslog message:

00:00:47: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up

-> The log secerity level of this warning is 3 – errors

Question 6

Question 7

Question 8

Explanation

“Increase the logging history” here is same as “increase the logging buffer”. The default buffer size is 4096 bytes. By increasing the logging buffer size we can see more history logging messages. But do not make the buffer size too large because the access point could run out of memory for other tasks. We can write the logging messages to a outside logging server instead.

NTP Questions

July 13th, 2017 digitaltut 19 comments

Question 1

Explanation

The command “ntp master [stratum]” is used to configure the device as an authoritative NTP server. You can specify a different stratum level from which NTP clients get their time synchronized. The range is from 1 to 15.

The stratum levels define the distance from the reference clock. A reference clock is a stratum 0 device that is assumed to be accurate and has little or no delay associated with it. Stratum 0 servers cannot be used on the network but they are directly connected to computers which then operate as stratum-1 servers. A stratum 1 time server acts as a primary network time standard.

ntp-stratum.jpg

A stratum 2 server is connected to the stratum 1 server; then a stratum 3 server is connected to the stratum 2 server and so on. A stratum 2 server gets its time via NTP packet requests from a stratum 1 server. A stratum 3 server gets its time via NTP packet requests from a stratum-2 server… A stratum server may also peer with other stratum servers at the same level to provide more stable and robust time for all devices in the peer group (for example a stratum 2 server can peer with other stratum 2 servers).

Question 2

Explanation

The “ntp broadcast client” command is used under interface mode to allow the device to receive Network Time Protocol (NTP) broadcast packets on that interface

Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_2/configfun/command/reference/ffun_r/frf012.html#wp1123148

Question 3

Question 4

Explanation

The stratum levels define the distance from the reference clock. A reference clock is a stratum 0 device that is assumed to be accurate and has little or no delay associated with it. Stratum 0 servers cannot be used on the network but they are directly connected to computers which then operate as stratum-1 servers. A stratum 1 time server acts as a primary network time standard.

A stratum 2 server is connected to the stratum 1 server; then a stratum 3 server is connected to the stratum 2 server and so on. A stratum 2 server gets its time via NTP packet requests from a stratum 1 server. A stratum 3 server gets its time via NTP packet requests from a stratum-2 server. Therefore the lower the stratum level is, the more accurate the NTP server is. When multiple NTP servers are configured, the client will prefer the NTP server with the lowest stratum level.

NTP uses User Datagram Protocol (UDP) port 123.

Question 5

Explanation

First we need to understand some basic knowledge about NTP. There are two types of NTP messages:
+ Control messages: for reading and writing internal NTP variables and obtain NTP status information. It is not used for time synchronization so we will not care about them in this question.
+ Request/Update messages: for time synchronization. Request messages ask for synchronization information while Update messages contains synchronization information and may change the local clock.

There are four types of NTP access-groups exist to control traffic to the NTP services:
+ Peer: controls which remote devices the local device may synchronize. In other words, it permits the local router to respond to NTP request and accept NTP updates.
+ Serve: controls which remote devices may synchronize with the local device. In other words, it permits the local router to reply to NTP requests, but drops NTP update. This access-group allows control messages.
+ Serve-only: controls which remote devices may synchronize with the local device. In other words, it permits the local router to respond to NTP requests only. This access-group denies control messages.
+ Query-only: only accepts control messages. No response to NTP requests are sent, and no local system time synchronization with remote system is permitted.

From my experience, you just need to remember:
+ Peer: serve and to be served
+ Serve: serve but not to be served

Therefore in this question:
+ The “ntp access-group peer 2” command says “I can only accept NTP updates and respond to NTP (time) requests from 192.168.1.4“. -> Answer F is correct while answer D is not correct.
+ The “ntp access-group serve 1” command says “I can only reply to time requests (but cannot accept time update) from 192.168.1.1 ” -> Answer A is correct*

The “ntp master 4” indicates it is running as a time source with stratum level of 4 -> Answer B is not correct while answer C is correct.

Answer E is not correct because it can accept time requests from both 192.168.1.1 and 192.168.1.4.

*Note: In fact answer A is incorrect too because the local router can accept time requests from both 192.168.1.1 and 192.168.1.4 (not only from 192.168.1.1). Maybe this is an mistake of this question.

Question 6

Explanation

To control access to Network Time Protocol (NTP) services on the system, use the ntp access-group command in global configuration mode.

NTP supports “Control messages” and “Request/Update messages”.

+ Control messages are for reading and writing internal NTP variables and obtaining NTP status information. Not to deal with time synchronization itself.
+ NTP request/Update messages are used for actual time synchronization. Request packet obviously asks for synchronization information, and update packet contains synchronization information, and may change local clock.

When synchronizing system clocks on Cisco IOS devices only Request/Update messages are used. Therefore in this question we only care about “NTP Update message”.

Syntax:

ntp access-group [ipv4 | ipv6] {peer | query-only | serve | serve-only} {access-list-number | access-list-number-expanded | access-list-name} [kod]

+ Peer: permits router to respond to NTP requests and accept NTP updates. NTP control queries are also accepted. This is the only class which allows a router to be synchronized by other devices -> not correct. In other words, the peer keyword enables the device to receive time requests and NTP control queries and to synchronize itself to the servers specified in the access list.
+ Serve-only: Permits router to respond to NTP requests only. Rejects attempt to synchronize local system time, and does not access control queries. In other words, the serve-only keyword enables the device to receive only time requests from servers specified in the access list.
+ Serve: permits router to reply to NTP requests, but rejects NTP updates (e.g. replies from a server or update packets from a peer). Control queries are also permitted. In other words, the serve keyword enables the device to receive time requests and NTP control queries from the servers specified in the access list but not to synchronize itself to the specified servers -> this option is surely correct.

In summary, the answer “serve” is surely correct but the answer “serve-only” seems to be correct too (although the definition is not clear).

An example of using the “ntp access-group” command is shown below:

R1(config)#ntp server 178.240.12.1
R1(config)#access-list 2 permit 165.16.4.1 0.0.0.0
R1(config)#access-list 2 deny any
R1(config)#ntp access-group peer 2 // peer only to 165.16.4.1
R1(config)#access-list 3 permit 160.1.0.0 0.0.255.255
R1(config)#access-list 3 deny any
R1(config)#ntp access-group serve-only 3 //provide time services only to internal network 160.1.0.0/16

Reference:

+ http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bsm/command/bsm-cr-book/bsm-cr-n1.html
+ http://blog.ine.com/2008/07/28/ntp-access-control/

Question 7

Question 8

Explanation

The output indicates that the local device did not receive the NTP update successfully so something went wrong during the transmission.

Question 9

Question 10

Explanation

An example of the output of this command is shown below:

Router#show ntp associations
      address         ref clock     st  when  poll reach  delay  offset    disp
*~10.1.2.65        10.1.2.33        11    36    64  377    27.9   25.17    30.0
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

If there’s an asterisk (*) next to a configured peer, then you are synced to this peer and using them as the master clock. As long as one peer is the master then everything is fine. However, the key to knowing that NTP is working properly is looking at the value in the reach field.

The reach field is a circular bit buffer. It gives you the status of the last eight NTP messages (eight bits in octal is 377, so you want to see a reach field value of 377). If an NTP response packet is lost, the missing packet is tracked over the next eight NTP update intervals in the reach field. For more information about this field please read http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-software-releases-110/15171-ntpassoc.html

Question 11

Question 12

Explanation

The command “ntp master [stratum]” is used to configure the device as an authoritative NTP server. You can specify a different stratum level from which NTP clients get their time synchronized. The range is from 1 to 15.

The stratum levels define the distance from the reference clock. A reference clock is a stratum 0 device that is assumed to be accurate and has little or no delay associated with it. Stratum 0 servers cannot be used on the network but they are directly connected to computers which then operate as stratum-1 servers. A stratum 1 time server acts as a primary network time standard.

ntp-stratum.jpg

A stratum 2 server is connected to the stratum 1 server; then a stratum 3 server is connected to the stratum 2 server and so on. A stratum 2 server gets its time via NTP packet requests from a stratum 1 server. A stratum 3 server gets its time via NTP packet requests from a stratum-2 server… A stratum server may also peer with other stratum servers at the same level to provide more stable and robust time for all devices in the peer group (for example a stratum 2 server can peer with other stratum 2 servers).

NAT Questions

July 12th, 2017 digitaltut 37 comments

Question 1

Question 2

Explanation

First we will not mention about the effect of the “extendable” keyword. So the purpose of the command “ip nat inside source static tcp 192.168.1.50 80 209.165.201.1 8080” is to translate packets on the inside interface with a source IP address of 192.168.1.50 and port 80 to the IP address 209.165.201.1 with port 8080. This also implies that any packet received on the outside interface with a destination address of 209.165.201.1:8080 has the destination translated to 192.168.1.50:80. Therefore answer C is correct.

Answer A is not correct this command “allows host 192.168.1.50 to access external websites using TCP port 80”, not port 8080.

Answer B is not correct because it allows external clients to connect to a web server at 209.165.201.1. The IP addresses of clients should not be 209.165.201.1.

Answer D is not correct because the configuration is correct.

Now we will talk about the keyword “extendable”.

Usually, the “extendable” keyword should be added if the same Inside Local is mapped to different Inside Global Addresses (the IP address of an inside host as it appears to the outside network). An example of this case is when you have two connections to the Internet on two ISPs for redundancy. So you will need to map two Inside Global IP addresses into one inside local IP address. For example:

nat_extendable.jpg

NAT router:
ip nat inside source static 192.168.1.1 200.1.1.1 extendable
ip nat inside source static 192.168.1.1 200.2.2.2 extendable
//Inside Local: 192.168.1.1 ; Inside Global: 200.1.1.1 & 200.2.2.2

In this case, the traffic from ISP1 and ISP2 to the Server is straightforward as ISP1 will use 200.1.1.1 and ISP2 will use 200.2.2.2 to reach the Server. But how about the traffic from the Server to the ISPs? In other words, how does NAT router know which IP (200.1.1.1 or 200.2.2.2) it should use to send traffic to ISP1 & ISP2 (this is called “ambiguous from the inside”). We tested in GNS3 and it worked correctly! So we guess the NAT router compared the Inside Global addresses with all of IP addresses of the “ip nat outside” interfaces and chose the most suitable one to forward traffic.

This is what Cisco explained about “extendable” keyword:

“They might also want to define static mappings for a particular host using each provider’s address space. The software does not allow two static translations with the same local address, though, because it is ambiguous from the inside. The router will accept these static translations and resolve the ambiguity by creating full translations (all addresses and ports) if the static translations are marked as “extendable”. For a new outside-to-inside flow, the appropriate static entry will act as a template for a full translation. For a new inside-to-outside flow, the dynamic route-map rules will be used to create a full translation”.

(Reference: http://www.cisco.com/en/US/technologies/tk648/tk361/tk438/technologies_white_paper09186a0080091cb9.html)

But it is unclear, what will happen if we don’t use a route-map?

Question 3

Explanation

The command “ip nat inside source list 1 int s0/0 overload” translates all source addresses that pass access list 1, which means all the IP addresses, into an address assigned to S0/0 interface. Overload keyword allows to map multiple IP addresses to a single registered IP address (many-to-one) by using different ports.

Question 4

Explanation

The command “ip nat inside source list 10 interface FastEthernet0/1 overload” configures NAT to overload on the address that is assigned to the Fa0/1 interface.

Question 5

Explanation

This is a static NAT command which translates all the packets received in the inside interface with a source IP address of 172.16.10.8:8080 to 172.16.10.8:80. The purpose of this NAT statement is to redirect TCP Traffic to Another TCP Port.

Question 6

Explanation

NAT64 provides communication between IPv6 and IPv4 hosts by using a form of network address translation (NAT). There are two different forms of NAT64, stateless and stateful:

+ Stateless NAT64: maps the IPv4 address into an IPv6 prefix. As the name implies, it keeps no state. It does not save any IP addresses since every v4 address maps to one v6 address. Stateless NAT64 does not conserve IP4 addresses.
+ Stateful NAT64 is a stateful translation mechanism for translating IPv6 addresses to IPv4 addresses, and IPv4 addresses to IPv6 addresses. Like NAT44, it is called stateful because it creates or modifies bindings or session state while performing translation (1:N translation). It supports both IPv6-initiated and IPv4-initiated communications using static or manual mappings. Stateful NAT64 converses IPv4 addresses.

Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/enterprise-ipv6-solution/white_paper_c11-676278.html

Question 7

Explanation

The “ip nat allow-static-host” command enables static IP address support. Dynamic Address Resolution Protocol (ARP) learning will be disabled on this interface, and NAT will control the creation and deletion of ARP entries for the static IP host.

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/12-4/nat-12-4-book/iadnat-addr-consv.html

Question 8

Explanation

Network Address Translation-Protocol Translation (NAT-PT) has been deemed deprecated by IETF because of its tight coupling with Domain Name System (DNS) and its general limitations in translation. IETF proposed NAT64 as the viable successor to NAT-PT.

NAT64 technology facilitates communication between IPv6-only and IPv4-only hosts and networks (whether in a transit, an access, or an edge network). This solution allows both enterprises and ISPs to accelerate IPv6 adoption while simultaneously handling IPv4 address depletion. All viable translation scenarios are supported by NAT64, and therefore NAT64 is becoming the most sought translation technology.

Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/enterprise-ipv6-solution/white_paper_c11-676278.html

Question 9

Question 10

Explanation

The syntax should be: ipv6 nat prefix ipv6-prefix / prefix-length (for example: Router# ipv6 nat prefix 2001:DB8::/96)

Question 11

Explanation

From the link: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/15-mt/nat-15-mt-book/iadnat64-stateful.pdf

Restrictions for configuring Stateful Network Address:

+ Virtual routing and forwarding (VRF)-aware NAT64 is not supported -> Answer A is correct.
+ IP Multicast is not supported -> Answer B is correct.
+ Application-level gateways (ALGs) FTP and ICMP are not supported -> Answer C is not correct.
+ Only TCP and UDP Layer 4 protocols are supported for header translation -> Answer E is not correct.
+ For Domain Name System (DNS) traffic to work, you must have a separate working installation of DNS64 -> This statement means stateful NAT64 supports DNS64 but we cannot conclude it is the only one supported by NAT64. We are not sure but maybe stateful NAT64 also supports DNS ALG.

Question 12

Explanation

NAT use four types of addresses:

* Inside local address – The IP address assigned to a host on the inside network. The address is usually not an IP address assigned by the Internet Network Information Center (InterNIC) or service provider. This address is likely to be an RFC 1918 private address.
* Inside global address – A legitimate IP address assigned by the InterNIC or service provider that represents one or more inside local IP addresses to the outside world.
* Outside local address – The IP address of an outside host as it is known to the hosts on the inside network.
* Outside global address – The IP address assigned to a host on the outside network. The owner of the host assigns this address.

NAT_terms_explained.jpg

Question 13

IP SLA Questions

July 11th, 2017 digitaltut 35 comments

Question 1

Question 2

Explanation

IP SLA PBR (Policy-Based Routing) Object Tracking allows you to make sure that the next hop is reachable before that route is used. If the next hop is not reachable, another route is used as defined in the PBR configuration. If no other route is present in the route map, the routing table is used.

An example of configuring PBR based on tracking object is shown below:

//Configure and schedule IP SLA operations
ip sla 1
icmp-echo 10.3.3.2
ip sla schedule 1 life forever start-time now
!
// Configure Object Tracking to track the operations
track 1 ip sla 1 reachability
!
//Configure ACL
ip access-list standard ACL
permit ip 10.2.2.0/24 10.1.1.1/32
!
//Configure PBR policing on the router
route-map PBR
match ip address ACL
set ip next-hop verify-availability 10.3.3.2 track 1
set ip next-hop verify-availability 10.3.3.2 track 2 -> Track 2 is not shown here but it is used if track 1 fails
!
//Apply PBR policy on the incoming interface of the router.
interface ethernet 0/0
ip address 10.2.2.1 255.255.255.0
ip policy route-map PBR

Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/6_x/nx-os/IPSLA/configuration/guide/b_Cisco_Nexus_7000_Series_NX-OS_IP_SLAs_Configuration_Guide_rel_6-x/b_Cisco_Nexus_7000_Series_NX-OS_IP_SLAs_Configuration_Guide_rel_6-x_chapter_01000.html

Question 3

Explanation

The keyword “tcp-connect” enables the responder for TCP connect operations. TCP is a connection-oriented transport layer protocol -> C is correct.

Question 4

Explanation

The “num-packets” specifies the number of packets to be sent for a jitter operation.

The “frequency” is the rate (in seconds) at which this IP SLA operation repeats. The “tos” defines a type of service (ToS) byte in the IP header of this IP SLA operation.

Question 5

Explanation

When enabled, the IP SLAs Responder allows the target device to take two time stamps both when the packet arrives on the interface at interrupt level and again just as it is leaving, eliminating the processing time. At times of high network activity, an ICMP ping test often shows a long and inaccurate response time, while an IP SLAs test shows an accurate response time due to the time stamping on the responder.

An additional benefit of the two time stamps at the target device is the ability to track one-way delay, jitter, and directional packet loss. Because much network behavior is asynchronous, it is critical to have these statistics. However, to capture one-way delay measurements the configuration of both the source device and target device with Network Time Protocol (NTP) is required. Both the source and target need to be synchronized to the same clock source. One-way jitter measurements do not require clock synchronization.

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipsla/configuration/15-mt/sla-15-mt-book/sla_overview.html

Question 6

Question 7

Question 8

Explanation

Depending on the specific Cisco IOS IP SLAs operation, statistics of delay, packet loss, jitter, packet sequence, connectivity, path, server response time, and download time are monitored within the Cisco device and stored in both CLI and SNMP MIBs.

Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_4/ip_sla/configuration/guide/hsla_c/hsoverv.html

Question 9

Explanation

IP SLAs supports proactive threshold monitoring and notifications for performance parameters such as average jitter, unidirectional latency, bidirectional round-trip time (RTT), and connectivity for most IP SLAs operations. The proactive monitoring capability also provides options for configuring reaction thresholds for important VoIP related parameters including unidirectional jitter, unidirectional packet loss, and unidirectional VoIP voice quality scoring.

IP SLAs reactions are configured to trigger when a monitored value exceeds or falls below a specified level or when a monitored event, such as a timeout or connection loss, occurs. If IP SLAs measures too high or too low of any configured reaction, IP SLAs can generate a notification (in the form of SNMP trap) to a network management application or trigger another IP SLA operation to gather more data.

Cisco IOS IP SLAs can send SNMP traps that are triggered by events such as the following:
+ Connection loss
+ Timeout
+ Round-trip time threshold
+ Average jitter threshold
+ One-way packet loss
+ One-way jitter
+ One-way mean opinion score (MOS)
+ One-way latency

Question 10

Explanation

Round-trip time (RTT), also called round-trip delay, is the time required for a packet to travel from a specific source to a specific destination and back again.

An ICMP Path Echo operation measures end-to-end (full path) and hop-by-hop response time (round-trip delay) between a Cisco router and devices using IP. ICMP Path Echo is useful for determining network availability and for troubleshooting network connectivity issues.

Note: ICMP Echo only measures round-trip delay for the full path.

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipsla/configuration/xe-3s/sla-xe-3s-book/sla_icmp_pathecho.html

Question 11

Explanation

The default route command (at the last line) must include the “track” keyword for the tracking feature to work.

ip route 0.0.0.0.0 0.0.0.0 172.20.20.2 track 10

Question 12

IP SLA Questions 2

July 11th, 2017 digitaltut 5 comments

Question 1

Explanation

User Datagram Protocol (UDP) Jitter for VoIP is the most common operation for networks that carry voice traffic, video, or UDP jitter-sensitive applications. Requires Cisco endpoints.

Note: The ICMP jitter operation is similar to the IP SLAs UDP jitter operation but does not require a Cisco endpoint (maybe only Cisco router has been designated to reply to Cisco IOS IP SLA test packets).

The config below shows an example of configuring UDP Jitter for VoIP:

Router(config)# ip sla 10
//Configures the operation as a jitter (codec) operation that will generate VoIP scores in addition to latency, jitter, and packet loss statistics. Notice that it requires an endpoint.
Router(config-ip-sla)# udp-jitter 209.165.200.225 16384 codec g711alaw advantage-factor 10
//The below configs are only optional
Router(config-ip-sla-jitter)# frequency 30
Router(config-ip-sla-jitter)# history hours-of-statistics-kept 4
Router(config-ip-sla-jitter)# owner admin
Router(config-ip-sla-jitter)# tag TelnetPollServer1
Router(config-ip-sla-jitter)# threshold 10000
Router(config-ip-sla-jitter)# timeout 10000
Router(config-ip-sla-jitter)# tos 160

Reference: http://www.cisco.com/en/US/technologies/tk648/tk362/tk920/technologies_qas0900aecd8017bd5a.html & http://www.cisco.com/c/en/us/td/docs/ios/ipsla/configuration/guide/15_s/sla_15_0s_book/sla_udp_jitter_voip.pdf

Question 2

Explanation

There is no problem with the Fa0/0 as the source interface as we want to check the ping from the LAN interface -> A is not correct.

Answer B is not correct as we must track the destination of the primary link, not backup link.

In this question, R1 pings R2 via its LAN Fa0/0 interface so maybe R1 (which is an ISP) will not know how to reply back as an ISP usually does not configure a route to a customer’s LAN -> C is correct.

There is no problem with the default route -> D is not correct.

For answer E, we need to understand about how timeout and threshold are defined:

Timeout (in milliseconds) sets the amount of time an IP SLAs operation waits for a response from its request packet. In other words, the timeout specifies how long the router should wait for a response to its ping before it is considered failed.Threshold (in milliseconds too) sets the upper threshold value for calculating network monitoring statistics created by an IP SLAs operation. Threshold is used to activate a response to IP SLA violation, e.g. send SNMP trap or start secondary SLA operation. In other words, the threshold value is only used to indicate over threshold events, which do not affect reachability but may be used to evaluate the proper settings for the timeout command.

For reachability tracking, if the return code is OK or OverThreshold, reachability is up; if not OK, reachability is down.

Therefore in this question, we are using “Reachability” tracking (via the command “track 10 ip sla 1 reachability”) so threshold value is not important and can be ignored -> Answer E is correct. In fact, answer E is not wrong but it is the best option left.

This tutorial can help you revise IP SLA tracking topic: http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/813-cisco-router-ipsla-basic.html and http://www.ciscozine.com/using-ip-sla-to-change-routing/

Note: Maybe some of us will wonder why there are these two commands:

R1(config)#ip route 0.0.0.0 0.0.0.0 172.20.20.2 track 10
R1(config)#no ip route 0.0.0.0 0.0.0.0 172.20.20.2

In fact the two commands:

ip route 0.0.0.0 0.0.0.0 172.20.20.2 track 10
ip route 0.0.0.0 0.0.0.0 172.20.20.2

are different. These two static routes can co-exist in the routing table. Therefore if the tracking goes down, the first command will be removed but the second one still exists and the backup path is not preferred. So we have to remove the second one.

Question 3

Explanation

A primary benefit of Cisco IOS IP SLAs is accuracy, embedded flexibility, and cost-saving, a key component of which is the Cisco IOS IP SLAs responder enabled on the target device. When the responder is enabled, it allows the target device to take two timestamps: when the packet arrives on the interface at interrupt level and again just as it leaves. This eliminates processing time. This timestamping is made with a granularity of sub-millisecond (ms). The responder timestamping is very important because all routers and switches in the industry will prioritize switching traffic destined for other locations over packets destined for its local IP address (this includes Cisco IOS IP SLAs and ping test packets). Therefore, at times of high network activity, ping tests can reveal an inaccurately large response time; conversely, timestamping on the responder allows a Cisco IOS IP SLAs test to accurately represent the response time due.

Reference: http://www.cisco.com/en/US/technologies/tk648/tk362/tk920/technologies_white_paper0900aecd8017f8c9_ps6602_Products_White_Paper.html

Note: The ICMP echo operation is used to cause ICMP echo requests to be sent to a destination to check connectivity

Question 4

Explanation

The “show ip sla statistics” command displays the current operational status and statistics of all IP SLAs operations or a specified operation so the answer “operation availability” is the best choice here.

Reference: http://www.cisco.com/c/en/us/td/docs/ios/ipsla/command/reference/sla_book/sla_04.html

Question 5

Explanation

You can configure a tracked list of objects with a Boolean expression, a weight threshold, or a percentage threshold.

The example configures track list 1 to track by weight threshold.

Switch(config)# track 1 list threshold weight
Switch(config-track)# object 1 weight 15
Switch(config-track)# object 2 weight 20
Switch(config-track)# object 3 weight 30
Switch(config-track)# threshold weight up 30 down 10

If object 1, and object 2 are down, then track list 1 is up, because object 3 satisfies the up threshold value of up 30. But, if object 3 is down, both objects 1 and 2 must be up in order to satisfy the threshold weight.

This configuration can be useful if object 1 and object 2 represent two small bandwidth connections and object 3 represents one large bandwidth connection. The configured down 10 value means that once the tracked object is up, it will not go down until the threshold value is equal to or lower than 10, which in this example means that all connections are down.

The below example configures tracked list 2 with three objects and a specified percentages to measure the state of the list with an up threshold of 70 percent and a down threshold of 30 percent:

Switch(config)# track 2 list threshold percentage
Switch(config-track)# object 1
Switch(config-track)# object 2
Switch(config-track)# object 3
Switch(config-track)# threshold percentage up 51 down 10

This means as long as 51% or more of the objects are up, the list will be considered “up”. So in this case if two objects are up, track 2 is considered “up”.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/blades/3020/software/release/12-2_58_se/configuration/guide/3020_scg/swhsrp.pdf

Question 6

Question 7

Question 8

Question 9

Explanation

Maybe this question wants to ask “which location IP SLAs are usually used to monitor the traffic?” then the answer should be WAN edge as IP SLA is usually used to track a remote device or service (usually via ping).

NetFlow Questions

July 10th, 2017 digitaltut 10 comments

If you are not sure about NetFlow, please read our NetFlow tutorial.

Quick review:

NetFlow is a network protocol to report information about the traffic on a router/switch or other network device. NetFlow collects and summaries the data that is carried over a device, and then transmitting that summary to a NetFlow collector for storage and analysis. An IP flow is based on a set of five, and up to seven, IP packet attributes, which may include the following:
+ Destination IP address
+ Source IP address
+ Source port
+ Destination port
+ Layer 3 protocol type
+ Class of Service (optional)
+ Router or switch interface (optional)

Question 1

Explanation

The “show ip flow export” command is used to display the status and the statistics for NetFlow accounting data export, including the main cache and all other enabled caches. An example of the output of this command is shown below:

Router# show ip flow export
Flow export v5 is enabled for main cache
Exporting flows to 10.51.12.4 (9991) 10.1.97.50 (9111)
Exporting using source IP address 10.1.97.17
Version 5 flow records
11 flows exported in 8 udp datagrams
0 flows failed due to lack of export packet
0 export packets were sent up to process level
0 export packets were dropped due to no fib
0 export packets were dropped due to adjacency issues
0 export packets were dropped due to fragmentation failures
0 export packets were dropped due to encapsulation fixup failures
0 export packets were dropped enqueuing for the RP
0 export packets were dropped due to IPC rate limiting
0 export packets were dropped due to output drops

The “output drops” line indicates the total number of export packets that were dropped because the send queue was full while the packet was being transmitted.

Reference: http://www.cisco.com/en/US/docs/ios/12_3t/netflow/command/reference/nfl_a1gt_ps5207_TSD_Products_Command_Reference_Chapter.html#wp1188401

Question 2

Explanation

In general, NetFlow requires CEF to be configured in most recent IOS releases. CEF decides which interface the traffic is sent out. With CEF disabled, router will not have specific destination interface in the NetFlow report packets. Therefore a NetFlow Collector cannot show the OUT traffic for the interface.

Question 3

Explanation

This command is used to display the current status of the specific flow exporter, in this case Flow_Exporter-1. For example

N7K1# show flow export
Flow exporter Flow_Exporter-1:
    Description: Fluke Collector
    Destination: 10.255.255.100
    VRF: default (1)
    Destination UDP Port 2055
    Source Interface Vlan10 (10.10.10.5)
    Export Version 9
    Exporter Statistics
        Number of Flow Records Exported 726
        Number of Templates Exported 1
        Number of Export Packets Sent 37
        Number of Export Bytes Sent 38712
        Number of Destination Unreachable Events 0
        Number of No Buffer Events 0
        Number of Packets Dropped (No Route to Host) 0
        Number of Packets Dropped (other) 0
        Number of Packets Dropped (LC to RP Error) 0
        Number of Packets Dropped (Output Drops) 0
        Time statistics were last cleared: Thu Feb 15 21:12:06 2015

Question 4

Explanation

The sampling mode determines the algorithm that selects a subset of traffic for NetFlow processing. In the random sampling mode, incoming packets are randomly selected so that one out of each n sequential packets is selected on average for NetFlow processing. For example, if you set the sampling rate to 1 out of 100 packets, then NetFlow might sample the 5th, 120th, 299th, 302nd, and so on packets. This sample configuration provides NetFlow data on 1 percent of total traffic. The n value is a parameter from 1 to 65535 packets that you can configure.

In the above output we can learn the number of packets that has been sampled is 10. The sampling mode is “random sampling mode” and sampling interval is 100 (NetFlow samples 1 out of 100 packets).

Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/nfstatsa.html

Question 5

Explanation

The “ip flow-export destination 10.10.10.1 5858” command is used to export the information captured by the “ip flow-capture” command to the destination 10.10.10.1. “5858” is the UDP port to which NetFlow packets are sent (default is 2055). The syntax of this command is:

ip flow-export destination ip-address [udp-port] [version 5 {origin-as | peer-as}]

Question 6

Explanation

Flow monitors are the Flexible NetFlow component that is applied to interfaces to perform network traffic monitoring. Flow monitors consist of a record and a cache. You add the record to the flow monitor after you create the flow monitor. The flow monitor cache is automatically created at the time the flow monitor is applied to the first interface. Flow data is collected from the network traffic during the monitoring process based on the key and nonkey fields in the record, which is configured for the flow monitor and stored in the flow monitor cache.
For example, the following example creates a flow monitor named FLOW-MONITOR-1 and enters Flexible NetFlow flow monitor configuration mode:
Router(config)# flow monitor FLOW-MONITOR-1
Router(config-flow-monitor)#

(Reference: http://www.cisco.com/c/en/us/td/docs/ios/fnetflow/command/reference/fnf_book/fnf_01.html#wp1314030)

Question 7

Question 8

Explanation

The following is an example of configuring an interface to capture flows into the NetFlow cache. CEF followed by NetFlow flow capture is configured on the interface:

Router(config)# ip cef
Router(config)# interface ethernet 1/0
Router(config-if)# ip flow ingress
or
Router(config-if)# ip route-cache flow

Note: Either ip flow ingress or ip route-cache flow command can be used depending on the Cisco IOS Software version. Ip flow ingress is available in Cisco IOS Software Release 12.2(15)T or above.

Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-netflow/prod_white_paper0900aecd80406232.html

Question 9

Question 10

Explanation

There are two primary methods to access NetFlow data: the Command Line Interface (CLI) with show commands or utilizing an application reporting tool. If you are interested in an immediate view of what is happening in your network, the CLI can be used. The other choice is to export NetFlow to a reporting server or what is called the “NetFlow collector”.

Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-netflow/prod_white_paper0900aecd80406232.html

Question 11

Explanation

NetFlow collects statistics about traffic that flows through the router. NetFlow Data Export (NDE) enables you to export those statistics to an external data collector for analysis.

An example of configuring NetFlow data exporting is shown below:

Router(config)#interface fa0/1
Router(config-if)#ip route-cache flow
Router(config-if)#exit
Router(config)#ip flow-export destination 10.1.1.1 2055
Router(config)#ip flow-export source fa0/2 //NetFlow will use Fa0/2 as the source IP address for the UDP datagrams sent to the NetFlow Collector
Router(config)#ip flow-export version 5
Router(config)#ip flow-cache timeout active 1 //export flow records every minute.

The most important parameter when configuring NetFlow is the destination where NetFlow sends data to. Other parameters can be ignored and they will use default values (except the command “ip route-cache flow” to enable NetFlow).

Question 12

Explanation

Below is an example of the “show ip cache flow” output:

show_ip_cache_flow.jpg

Information provided includes packet size distribution (the answer says “IP packet distribution” but maybe it is “IP packet size distribution”); basic statistics about number of flows and export timer setting, a view of the protocol distribution statistics and the NetFlow cache.

Also we can see the flow samples for TCP and UDP protocols (including Total Flows, Flows/Sec, Packets/Flow…).

Question 13

Explanation

NetFlow_example.jpg

NetFlow Collector: collects flow records sent from the NetFlow exporters, parsing and storing the flows. Usually a collector is a separate software running on a network server. NetFlow records are exported to a NetFlow collector using User Datagram Protocol (UDP).

Question 14

Explanation

To configure multiple NetFlow export destinations to a router, use the following commands in global configuration mode:

Step 1: Router(config)# ip flow-export destination ip-address udp-port
Step 2: Router(config)# ip flow-export destination ip-address udp-port

The following example enables the exporting of information in NetFlow cache entries:

ip flow-export destination 10.42.42.1 9991
ip flow-export destination 10.0.101.254 1999

Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/12s_mdnf.html

Question 15

Explanation

The distinguishing feature of the NetFlow Version 9 format is that it is template based -> Answer A is correct.

Reference: https://www.cisco.com/en/US/technologies/tk648/tk362/technologies_white_paper09186a00800a3db9.html

Export bandwidth increases for version 9 (because of template flowsets) versus version 5 -> Answer D is correct.

Version 9 slightly decreases overall performance, because generating and maintaining valid template flowsets requires additional processing -> Answer E is not correct.

Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/nfexpfv9.html

Troubleshooting Questions

July 9th, 2017 digitaltut 1 comment

Question 1

Explanation

The “show memory allocating-process table” command displays statistics on allocated memory with corresponding allocating processes. This command can be also used to find out memory leaks. A memory leak occurs when a process requests or allocates memory and then forgets to free (de-allocate) the memory when it is finished that task.

Note: In fact the correct command should be “show memory allocating-process totals” (not “table”)

The “show memory summary” command displays a summary of all memory pools and memory usage per Alloc PC (address of the system call that allocated the block). An example of the output of this command is shown below:

show_memory_summary.jpg

Legend:

+ Total: the total amount of memory available after the system image loads and builds its data structures.
+ Used: the amount of memory currently allocated.
+ Free: the amount of memory currently free.
+ Lowest: the lowest amount of free memory recorded by the router since it was last booted.
+ Largest: the largest free memory block currently available.

Note: The show memory allocating-process totals command contains the same information as the first three lines of the show memory summary command.

An example of a high memory usage problem is large amount of free memory, but a small value in the “Lowest” column. In this case, a normal or abnormal event (for example, a large routing instability) causes the router to use an unusually large amount of processor memory for a short period of time, during which the memory has run out.

The show memory dead command is only used to view the memory allocated to a process which has terminated. The memory allocated to this process is reclaimed by the kernel and returned to the memory pool by the router itself when required. This is the way IOS handles memory. A memory block is considered as dead if the process which created the block exits (no longer running).

The command show memory events does not exist.

Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_2/configfun/command/reference/ffun_r/frf013.html and http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-software-releases-121-mainline/6507-mallocfail.html

Question 2

Explanation

A core dump is a file containing a process’s address space (memory) when the process terminates unexpectedly to identify the cause of the crash

Question 3

Question 4

Miscellaneous Questions

July 8th, 2017 digitaltut 2 comments

Question 1

Explanation

The command “clear ip route” clears one or more routes from both the unicast RIB (IP routing table) and all the module Forwarding Information Bases (FIBs).

Question 2

Explanation

The prefix-list “ip prefix-list name permit 10.8.0.0/16 ge 24 le 24” means
+ Check the first 16 bits of the prefix. It must be 10.8
+ The subnet mask must be greater or equal 24
+ The subnet mask must be less than or equal 24

-> The subnet mask must be exactly 24

Therefore the suitable prefix that is matched by above ip prefix-list should be 10.8.x.x/24

Question 3

Explanation

This is a new user (client) that has not been configured to accept SSL VPN connection. So that user must open a web browser, enter the URL and login successfully to be authenticated. A small software will also be downloaded and installed on the client computer for the first time. Next time the user can access file shares on that network normally.

Question 4

Explanation

Fragmentation and Path Maximum Transmission Unit Discovery (PMTUD) is a standardized technique to determine the maximum transmission unit (MTU) size on the network path between two hosts, usually with the goal of avoiding IP fragmentation. PMTUD was originally intended for routers in IPv4. However, all modern operating systems use it on endpoints.

Note: IP fragmentation involves breaking a datagram into a number of pieces that can be reassembled later.

Question 5

Explanation

Bandwidth-delay product (BDP) is the maximum amount of data “in-transit” at any point in time, between two endpoints. In other words, it is the amount of data “in flight” needed to saturate the link. You can think the link between two devices as a pipe. The cross section of the pipe represents the bandwidth and the length of the pipe represents the delay (the propagation delay due to the length of the pipe).

Therefore the Volume of the pipe = Bandwidth x Delay. The volume of the pipe is also the BDP.

Bandwidth-delay_Product.jpg

Return to our question, the formula to calculate BDP is:

BDP (bits) = total available bandwidth (bits/sec) * round trip time (sec) = 64,000 * 3 = 192,000 bits

-> BDP (bytes) = 192,000 / 8 = 24,000 bytes

Therefore we need 24KB to fulfill this link.

For your information, BDP is very important in TCP communication as it optimizes the use of bandwidth on a link. As you know, a disadvantage of TCP is it has to wait for an acknowledgment from the receiver before sending another data. The waiting time may be very long and we may not utilize full bandwidth of the link for the transmission.

Bandwidth-delay_Product_Wasted.jpg

Based on BDP, the sending host can increase the number of data sent on a link (usually by increasing the window size). In other words, the sending host can fill the whole pipe with data and no bandwidth is wasted.Bandwidth-delay_Product_Optimized.jpg

Question 6

Question 7

Explanation

Asymmetric routing is the scenario in which outing packet is through a path, returning packet is through another path. VRRP can cause asymmetric routing occur, for example:

R1 and R2 are the two routers in the local internal LAN network that are running VRRP. R1 is the master router and R2 is the backup router.

These two routers are connected to an ISP gateway router, by using BGP. This topology provides two possible outgoing and incoming paths for the traffic.

Suppose the outgoing traffic is sent through R1 but VRRP failover occurs, R2 becomes the new master router -> traffic passing through R2 instead -> asymmetric routing occurs.

Question 8

Question 9

Drag and Drop

July 7th, 2017 digitaltut 71 comments

Question 1

Explanation

NAT64 provides communication between IPv6 and IPv4 hosts by using a form of network address translation (NAT). NAT64 requires a dedicated prefix, called NAT64 prefix, to recognize which hosts need IPv4-IPv6 translation. NAT64 prefix can be a Network-specific prefix (NSP), which is configured by a network administrator, or a well-known prefix (which is 64:FF9B::/96). When a NAT64 router receives a packet which starts with NAT64 prefix, it will proceed this packet with NAT64.

NAT64 is not as simple as IPv4 NAT which only translates source or destination IPv4 address. NAT64 translates nearly everything (source & destination IP addresses, port number, IPv4/IPv6 headers… which is called a session) from IPv4 to IPv6 and vice versa. So NAT64 “modifies session during translation”.

Question 2

Explanation

The order of the BGP states is: Idle -> Connect -> (Active) -> OpenSent -> OpenConfirm -> Established

+ Idle: No peering; router is looking for neighbor. Idle (admin) means that the neighbor relationship has been administratively shut down.
+ Connect: TCP handshake completed.
+ Active: BGP tries another TCP handshake to establish a connection with the remote BGP neighbor. If it is successful, it will move to the OpenSent state. If the ConnectRetry timer expires then it will move back to the Connect state. Note: Active is not a good state.
+ OpenSent: An open message was sent to try to establish the peering.
+ OpenConfirm: Router has received a reply to the open message.
+ Established: Routers have a BGP peering session. This is the desired state.

Reference: http://www.ciscopress.com/articles/article.asp?p=1565538&seqNum=3

Question 3

Explanation

The Challenge Handshake Authentication Protocol (CHAP) verifies the identity of the peer by means of a three-way handshake. These are the general steps performed in CHAP:
1) After the LCP (Link Control Protocol) phase is complete, and CHAP is negotiated between both devices, the authenticator sends a challenge message to the peer.
2) The peer responds with a value calculated through a one-way hash function (Message Digest 5 (MD5)).
3) The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authentication is successful. Otherwise, the connection is terminated.

This authentication method depends on a “secret” known only to the authenticator and the peer. The secret is not sent over the link. Although the authentication is only one-way, you can negotiate CHAP in both directions, with the help of the same secret set for mutual authentication.

Reference: http://www.cisco.com/c/en/us/support/docs/wan/point-to-point-protocol-ppp/25647-understanding-ppp-chap.html

For more information about CHAP challenge please read our PPP tutorial.

Question 5

Explanation

AAA offers different solutions that provide access control to network devices. The following services are included within its modular architectural framework:
+ Authentication – The process of validating users based on their identity and predetermined credentials, such as passwords and other mechanisms like digital certificates. Authentication controls access by requiring valid user credentials, which are typically a username and password. With RADIUS, the ASA supports PAP, CHAP, MS-CHAP1, MS-CHAP2, that means Authentication supports encryption.
+ Authorization – The method by which a network device assembles a set of attributes that regulates what tasks the user is authorized to perform. These attributes are measured against a user database. The results are returned to the network device to determine the user’s qualifications and restrictions. This database can be located locally on Cisco ASA or it can be hosted on a RADIUS or Terminal Access Controller Access-Control System Plus (TACACS+) server. In summary, Authorization controls access per user after users authenticate.
+ Accounting – The process of gathering and sending user information to an AAA server used to track login times (when the user logged in and logged off) and the services that users access. This information can be used for billing, auditing, and reporting purposes.

Question 6

Question 7

Question 8

Explanation

NAT64 provides communication between IPv6 and IPv4 hosts by using a form of network address translation (NAT). There are two different forms of NAT64, stateless and stateful:

+ Stateless NAT64: maps the IPv4 address into an IPv6 prefix. As the name implies, it keeps no state. It does not save any IP addresses since every v4 address maps to one v6 address. Stateless NAT64 does not conserve IP4 addresses.
+ Stateful NAT64 is a stateful translation mechanism for translating IPv6 addresses to IPv4 addresses, and IPv4 addresses to IPv6 addresses. Like NAT44, it is called stateful because it creates or modifies bindings or session state while performing translation (1:N translation). It supports both IPv6-initiated and IPv4-initiated communications using static or manual mappings. Stateful NAT64 converses IPv4 addresses.

NPTv6 stands for Network Prefix Translation. It’s a form of NAT for IPv6 and it supports one-to-one translation between inside and outside addresses

Question 9

Question 10

Question 11

Question 12

Question 13

 

Drag and Drop 2

July 7th, 2017 digitaltut 14 comments

Question 1

Question 2

Question 3

Question 4

Question 5

Question 6

Note:

Reflexive ACLs allow IP packets to be filtered based on upper-layer session information. They are generally used to allow outbound traffic and to limit inbound traffic in response to sessions that originate inside the router. Reflexive ACLs can be defined only with extended named IP ACLs. They cannot be defined with numbered or standard named IP ACLs, or with other protocol ACLs. Reflexive ACLs can be used in conjunction with other standard and static extended ACLs. Outbound ACL will have the ‘reflect’ keyword. It is the ACL that matches the originating traffic. Inbound ACL will have the ‘evaluate’ keyword. It is the ACL that matches the returning traffic.

Lock and key, also known as dynamic ACLs, was introduced in Cisco IOS Software Release 11.1. This feature is dependent on Telnet, authentication (local or remote), and extended ACLs.
Lock and key configuration starts with the application of an extended ACL to block traffic through the router. Users that want to traverse the router are blocked by the extended ACL until they Telnet to the router and are authenticated. The Telnet connection then drops and a single-entry dynamic ACL is added to the extended ACL that exists. This permits traffic for a particular time period; idle and absolute timeouts are possible.

Reference: https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html

ROUTE FAQs & Tips

August 1st, 2015 digitaltut 650 comments

In this article, I will try to summarize all the Frequently Asked Questions in the ROUTE 300-101 Exam. Hope it will save you some time searching through the Internet and asking your friends & teachers.

1. Please tell me how many questions in the real ROUTE exam, and how much time to answer them?

There are 50 questions, including 4 lab-sims. You have 120 minutes to answer them but if your native language is not English, Cisco allows you a 30-minute exam time extension (150 minutes in total).

2. How much does the ROUTE 300-101 cost? And how many points I need to pass the exam?

This exam costs $300. You need at least 790/1000 points to pass this exam.

3. I passed the ROUTE exam, will I get a certificate for it?

No, Cisco does not ship ROUTE Exam certificate, it only ships you a certificate after completing the full CCNP track of 3 exams (ROUTE, SWITCH & TSHOOT) within three years. Once again we have to notice that you need to finish these three exams within three years (not nine years). Many candidates misunderstand this and think they have nine years to complete three exams.

4. Which sims will I see in the ROUTE exam?

The popular sims now are Policy Based routing sim, EIGRP OSPF Redistribution sim, OSPF Evaluation Sim and EIGRP Evaluation Sim and please notice that the IP addresses, router names may be different (it is also true for Drag and Drop questions)

5. How many points will I get for one sim?

Maybe you will get about 80 to 100 points for each sim, just like the CCNA exam.

6. In the real exam, I clicked “Next” after choosing the answer, can I go back for reviewing?

No, you can’t go back so you can’t re-check your answers after clicking the “Next” button.

7. What is the difference between the old BSCI & the new ROUTE exam?

In the new ROUTE exam, there are no IS-IS, DHCP, Multicast questions so you can ignore them if you are reading old BSCI books. In fact, DHCP & Multicast are good topics and maybe you will have a chance to learn about them in other Cisco exams.

8. Can I use short commands, for example “conf t” instead of “configure terminal”? Will I get full mark for short commands?

From the comments on this site, maybe you will get full mark for short commands. But sometimes short commands don’t work so please be careful with them. We highly recommend you should learn the full commands.

9. What are your recommended materials for ROUTE?

There are many materials for learning ROUTE but below are popular materials that many candidates recommend.

Books

CCNP ROUTE Official Certification Guide

ROUTE Student Guide

CCNP ROUTE Portable Command Guide

CCNP Route Quick Reference Sheet

Video training

CBT Nuggets

Simulator (all are free)

 

GNS3 – the best simulator for learning ROUTE

Packet Tracer

10. How much time should I spend on each sim?

You should not spend more than 15 minutes for each sim. Recall that you only have 90 minutes so if you spend 15 minutes for each sim x 4 sims = 60 minutes. The 30 minutes left is for solving 46 multiple choice & drag-and-drop questions. If you are not a native English speaker and have 30-minute expansion (ask the mentor to confirm) than you can spend 20 minutes for each sim.

11. Can I pass without doing sims?

As mentioned above, each sim will cost you from 80 to 100 points. In the real exam you will have to solve 4 sims that give from 320 to 400 points. Suppose you answer all other questions perfectly then you will get 600 to 680 points but the passing score is 790. It means that you surely fail if ignore them.

From the calculation above, if you miss only one sim the chance to pass is average but if you miss two, the chance to pass is very, very low.

12. Are the exam questions the same in all the geographical locations?

Yes, the exam questions are the same in all geographical locations. But notice that Cisco has a pool of questions and each time you take the exam, a number of random questions will show up so you will not see all the same questions as the previous exam.

13. I don’t want to lose points so should I use the “copy running-config startup-config” after finishing each lab-sim?

In the ROUTE exam, we can’t use that command so surely you will not lose any points if not using that command.

14. I passed the ROUTE exam. Do you have any site similar for CCNP exams?
We have certprepare.com for SWITCH, networktut.com for TSHOOT, voicetut.com for CCNA Voice, securitytut.com for CCNA Security, rstut.com for CCIE Written & Lab, dstut.com for CCDA. Hope you enjoy these sites too!

15. Why don’t I see any questions and answers on digitaltut.com? I only see the explanation…

Because of copyrighted issues, we had to remove all the questions and answers. You can download a PDF file to see the questions at this link: http://www.digitaltut.com/route-questions-and-answers

Is there anything you want to ask, just ask! All of us will help you.

OSPF Evaluation Sim

February 9th, 2015 digitaltut 738 comments

You have been asked to evaluate an OSPF network and to answer questions a customer has about its operation. Note: You are not allowed to use the show running-config command.

OSPF.jpg

Read more…

EIGRP Evaluation Sim

February 9th, 2015 digitaltut 219 comments

You have been asked to evaluate how EIGRP is functioning in a network.

EIGRP_Topology.jpg

Read more…

Policy Based Routing Sim

February 8th, 2015 digitaltut 355 comments

Question

Company TUT has two links to the Internet. The company policy requires that web traffic must be forwarded only to Frame Relay link if available and other traffic can go through any links. No static or default routing is allowed.

BGP_Policy_Based_Routing_Sim.jpg

 

Answer and Explanation:

Read more…

Share your ROUTE v2.0 Experience

January 22nd, 2015 digitaltut 19,461 comments

The ROUTE 300-101 (ROUTE v2.0) exam has been used to replace the old ROUTE 642-902 exam so this article is devoted for candidates who took this exam sharing their experience.

Please tell with us what are your materials, the way you learned, your feeling and experience after taking the ROUTE v2.0 exam… But please DO NOT share any information about the detail of the exam or your personal information, your score, exam date and location, your email…

Note: Posting email is not allowed in the comment section.

Your posts are warmly welcome!

EIGRP OSPF Redistribution Sim

January 8th, 2015 digitaltut 439 comments

Question

OSPF_EIGRP_Redistribution.jpg

Answer and Explanation:

Read more…

OSPF Sim

January 8th, 2015 digitaltut 156 comments

Question

OSPF is configured on routers Amani and Lynaic. Amani’s S0/0 interface and Lynaic’s S0/1 interface are in Area 0. Lynaic’s Loopback0 interface is in Area 2.

OSPFSim

Your task is to configure the following:

Portland’s S0/0 interface in Area 1
Amani’s S0/1 interface in Area 1
Use the appropriate mask such that ONLY Portland’s S0/0 and Amnani’s S0/1 could be in Area 1.
Area 1 should not receive any external or inter-area routes (except the default route).

Answer and Explanation:

Read more…

Practice Real ROUTE Labs with GNS3

May 8th, 2014 digitaltut 185 comments

Well, the title said it all. Here are some screenshots of the labs in GNS3:

+ OSPF Sim:

OSPF_Sim.jpg

Read more…

IPv6 OSPF Virtual Link Sim

May 8th, 2014 digitaltut 117 comments

Question

TUT is a small company that has an existing enterprise network that is running IPv6 OSPFv3. However, R4’s loopback address (FEC0:4:4) cannot be seen in R1. Identify and fix this fault, do not change the current area assignments. Your task is complete when R4’s loopback address (FEC0:4:4) can be seen in the routing table of R1.

OSPFv3_IPv6_VirtualLink

Special Note: To gain the maximum number of points you must remove all incorrect or unneeded configuration statements related to this issue.

Answer and Explanation:

Read more…

EIGRP Stub Sim

May 8th, 2014 digitaltut 101 comments

Question

TUT Corporation has just extended their business. R3 is the new router from which they can reach all Corporate subnets. In order to raise network stableness and lower the memory usage and broadband utilization to R3, TUT Corporation makes use of route summarization together with the EIGRP Stub Routing feature. Another network engineer is responsible for this solution. However, in the process of configuring EIGRP stub routing connectivity with the remote network devices off of R3 has been missing.

EIGRPStubSim

Presently TUT has configured EIGRP on all routers in the network R2, R3, and R4. Your duty is to find and solve the connectivity failure problem with the remote office router R3. You should then configure route summarization only to the distant office router R3 to complete the task after the problem has been solved.

The success of pings from R4 to the R3 LAN interface proves that the fault has been corrected and the R3 IP routing table only contains two 10.0.0.0 subnets.

Answer and Explanation:

Read more…

EIGRP Simlet

May 5th, 2014 digitaltut 285 comments

EIGRP – SHOW IP EIGRP TOPOLOGY ALL-LINKS

 

Here you will find answers to EIGRP Simlet question

Question

Refer to the exhibit. BigBids Incorporated is a worldwide auction provider. The network uses EIGRP as its routing protocol throughout the corporation. The network administrator does not understand the convergence of EIGRP. Using the output of the show ip eigrp topology all-links command, answer the administrator’s questions.

simlet_show_ip_eigrp_topology_all_links

Read more…