CCIE R&S Advanced Technologies Class v4.5

Transcript

1	Introduction	0h 43m
2	Using the Cisco Documentation	0h 52m
3	Ethernet Overview, Layer 2 Switchports, Trunking, ISL, 802.1q, DTP	0h 47m
4	VTP, VTP Authentication, VTP Pruning	1h 02m
5	VTP Prune Eligible List, VTP Transparent, VTP Troubleshooting, Trunk Allowed List, Extended VLANs	0h 48m
6	VLAN and VTP Review	0h 19m
7	SVIs, Native Routed Interfaces, Router-on-a-Stick	0h 46m
8	Layer 2 EtherChannel, EtherChannel Load Balancing, Layer 3 EtherChannel	0h 57m
9	802.1q Tunneling, Layer 2 Protocol Tunneling, EtherChannel over 802.1q Tunneling	1h 03m
10	STP Root Bridge Election, STP Root Port Election, STP Designated Port Election, STP Priority, STP Cost, STP Port-Priority	1h 46m
11	STP Review	0h 12m
12	STP Timers, STP PortFast	0h 34m
13	STP UplinkFast	0h 11m
14	STP BackboneFast	0h 12m
15	STP BPDU Filter	0h 13m
16	STP BPDU Guard	0h 11m
17	STP Root Guard	0h 11m
18	STP Loop Guard, Unidirectional Link Detection (UDLD)	0h 11m
19	Multiple Spanning-Tree Protocol (MST)	0h 40m
20	Rapid Spanning-Tree Protocol (RSTP), Rapid-PVST	0h 18m
21	MST with Multiple Regions	0h 33m
22	Flex Links	0h 16m
23	Frame Relay	0h 39m
24	Frame Relay Configuration Part 1	0h 34m
25	Frame Relay Configuration Part 2	0h 41m
26	Frame Relay Switching	0h 27m
27	Back-to-Back Frame Relay	0h 08m
28	Frame-Relay End-to-End Keepalives	0h 18m
29	PPP, PPP PAP Authentication, PPP CHAP Authentication	0h 59m
30	PPPoFR, PPPoE	0h 40m
31	Transparent Bridging, IRB	0h 32m
32	Fallback Bridging	0h 14m
33	IP Routing Overview, Switching Paths, Static Routing	0h 42m
34	Static Routing Examples	0h 25m
35	IP Default-Gateway, IP Default-Network	0h 14m
36	On-Demand Routing (ODR)	0h 07m
37	Floating Static Routes	0h 10m
38	Backup Interface	0h 29m
39	Enhanced Object Tracking, IP SLA, Reliable Static Routing	0h 21m
40	Policy Routing	0h 43m
41	GRE Tunneling, GRE Recursive Routing Errors	0h 27m
42	Reliable Backup Interface with GRE	0h 25m
43	RIP Overview, RIP Versions, RIP Auto-Summary	0h 48m
44	RIP Split-Horizon, RIP Timers	0h 22m
45	RIP Broadcast Updates, IP Directed Broadcast, IP Broadcast-Address, Smurf Attacks, Fraggle Attacks	0h 16m
46	RIP Unicast Updates	0h 03m
47	RIP Offset-List	0h 18m
48	RIP Authentication	0h 11m
49	RIP Summarization	0h 10m
50	Prefix-Lists, RIP Distribute-List Filtering, RIP Administrative Distance Filtering	0h 48m
51	RIP Default Routing, RIP Conditional Default Routing	0h 18m
52	RIP Triggered, RIP Validate Update Source,	0h 12m
53	EIGRP Overview	0h 29m
54	EIGRP Auto-Summary	0h 07m
55	EIGRP Split-Horizon	0h 11m
56	EIGRP Update Types, EIGRP Neighbor, EIGRP Passive-Interface	0h 24m
57	EIGRP Hello-Interval, EIGRP Hold-Time	0h 05m
58	EIGRP Authentication	0h 11m
59	EIGRP Time Based Authentication	0h 25m
60	EIGRP Path Selection, EIGRP Metric Weights, EIGRP Traffic Engineering	0h 47m
61	EIGRP Unequal Cost Load Balancing, EIGRP Variance	0h 19m
62	EIGRP QUERY, EIGRP Summarization, EIGRP Leak-Map	0h 28m
63	EIGRP Stub Router Advertisement	0h 22m
64	EIGRP Default Routing	0h 13m
65	EIGRP Route Filtering	0h 11m
66	EIGRP Router-ID	0h 07m
67	Miscellaneous EIGRP Features	0h 02m
68	OSPF Overview	0h 27m
69	Establishing OSPF Adjacencies, Understanding the OSPF Database	0h 43m
70	OSPF Network Type Broadcast, OSPF DR/BDR Election, OSPF over NBMA, OSPF Network Type Non-Broadcast and Point-to-Multipoint	0h 56m
71	OSPF Network Type Point-to-Point, OSPF Network Type Mismatch	0h 13m
72	OSPF Network Type Point-to-Multipoint Non-Broadcast, OSPF Per Neighbor Cost	0h 17m
73	OSPF Network Type Loopback	0h 02m
74	OSPF Path Selection	0h 27m
75	OSPF Convergence Timers	0h 09m
76	OSPF Authentication	0h 12m
77	OSPF Summarization	0h 32m
78	OSPF Stub Areas, OSPF Totally Stubby Areas, OSPF NSSAs, OSPF Totally NSSAs	0h 40m
79	Controlling OSPF NSSA Redistribution	0h 02m
80	OSPF Type 7 to 5 Translator Election, OSPF LSA Type 3 Filter, OSPF Forwarding Address Suppression	0h 24m
81	Route Redistribution Overview	0h 36m
82	Route Redistribution Configuration & Verification, Connected Redistribution	0h 22m
83	OSPF External Path Selection, TCL PING Scripting	0h 33m
84	Routing Loops Overview, EIGRP Route Loop Prevention	0h 55m
85	Metric Based Routing Loops, Route Tagging	0h 46m
86	Administrative Distance Based Routing Loops, Debug IP Routing, IP Route Profile	0h 58m
87	BGP Overview, BGP Peering Types	0h 51m
88	Establishing BGP Peerings, EBGP Multihop, BGP Neighbor Disable Connected Check, BGP TTL Security	0h 49m
89	BGP 4-Byte ASNs	0h 20m
90	BGP Local AS, BGP Peer Groups	0h 30m
91	BGP Next-Hop Self, BGP Next-Hop Processing	0h 30m
92	BGP Route Reflectors	0h 37m
93	Large Scale BGP Route Reflectors with Clusters	0h 34m
94	BGP Confederation	0h 37m
95	BGP NLRI Advertisements, BGP Network Statement, BGP Redistribution	0h 43m
96	BGP Aggregation, BGP Aggregation & Summary-Only, BGP Aggregation & Unsuppress-Map	0h 46m
97	BGP Origin, BGP Aggregation & AS-Set, BGP Aggregation & Advertise-Map	0h 22m
98	BGP Conditional Route Injection	0h 21m
99	BGP Bestpath Selection, BGP Multipath, BGP Weight	0h 53m
100	BGP Local Preference, BGP Local Preference and Communities, BGP AS-Path Prepending,	0h 30m
101	BGP MED, BGP MED Missing As Worst, BGP Deterministic MED	0h 17m
102	BGP Communites, BGP Regular Expressions	0h 43m
103	BGP Filtering, BGP Convergence Timers, BGP Default Routing, Miscellaneous BGP Features	0h 24m
104	MPLS Overview, MPLS Label Distribution Protocol (LDP)	1h 05m
105	MPLS Tunnels, MPLS Penultimate Hop Popping (PHP)	0h 40m
106	MPLS Layer 3 VPNs Overview, VRF Lite	0h 36m
107	MPLS Layer 3 VPNs and VPNv4 BGP	1h 08m
108	MPLS Layer 3 VPN Verification & Troubleshooting	0h 49m
109	MPLS Layer 3 VPN OSPF PE-CE Routing Overview	0h 06m
110	MPLS Layer 3 VPN OSPF PE-CE Routing Path Selection & Sham-Links	2h 01m
111	MPLS Layer 3 VPN OSPF PE-CE Routing Loop Prevention & Down-Bit, OSPF Capability VRF-Lite	0h 40m
112	IPv6 Overview, IPv6 ICMPv6 ND, IPv6 over NBMA	0h 44m
113	IPv6 Routing Overview, IPv6 Static Routing	0h 28m
114	IPv6 RIPng	0h 20m
115	IPv6 EIGRPv6	0h 09m
116	IPv6 OSPFv3	0h 31m
117	MP-BGP for IPv6	0h 26m
118	IPv6 Tunneling	1h 13m
119	Multicast Overview, IGMP	0h 34m
120	PIM Overview	0h 18m
121	PIM Dense Mode	1h 03m
122	PIM Sparse Mode	0h 30m
123	PIM Sparse Mode Configuration	0h 36m
124	PIM Sparse Mode RPF & RP Troubleshooting	0h 27m
125	Auto-RP, Multicast over GRE Tunnels	0h 53m
126	Bootstrap Router (BSR), Bidirectional PIM, Source Specific Multicast (SSM)	0h 40m
127	MSDP, Anycast RP	0h 27m
128	IPv6 Multicast Routing	0h 24m
129	QoS Overview, IntServ QoS, DiffServ QoS, IP Precedence, DSCP, MQC, HQF	0h 41m
130	MQC Classification	0h 44m
131	FIFO, FQ, WFQ, CBWFQ, HQF	0h 50m
132	LLQ	0h 23m
133	WRED	0h 31m
134	Traffic Shaping, Traffic Policing	0h 40m
135	Frame Relay Traffic Shaping (FRTS)	0h 33m
136	RSVP	0h 07m
137	Catalyst 3560 QoS	1h 00m
138	IOS Security Overview, Access Lists (ACLs)	0h 58m
139	Time Based ACLs, Dynamic ACLs	0h 33m
140	Reflexive ACLs	0h 21m
141	TCP Intercept, Content Based Access Control (CBAC)	0h 34m
142	Zone Based Policy Firewall (ZBPF)	1h 09m
143	AAA, Local Authentication, Local Authorization, Role Based CLI Access	0h 43m
144	Port Security, Static CAM Entries, Storm Control, 802.1X Authentication, PACLs, RACLs, VLAN Access Maps (VACLs)	0h 48m
145	DHCP Snooping, Dynamic ARP Inspection (DAI), IP Source Guard	0h 12m
146	Protected Ports, Private VLANs	0h 25m
147	IP Services Overview, HSRP	1h 10m
148	VRRP, GLBP	0h 28m
149	NAT	0h 42m
150	DHCP, DNS	0h 30m
151	NetFlow	0h 09m
152	WCCP, Miscellaneous IP Services	0h 06m
153	System Management Overview, NTP, NTP Authentication	0h 24m
154	SNMP, RMON	0h 38m
155	Syslog, Telnet, SSH, Banners	0h 21m
156	EEM Scripting, Miscellaneous System Management	0h 26m
Total Duration		81h 42m

Slides - Diagrams

Slides - Introduction

Slides - Ethernet Switching

Slides - Advanced Ethernet Switching

Slides - Frame Relay

Slides - PPP

Slides - Transport Bridging

Slides - Redistribution

Slides - IOS Security

Slides - Layer 2 Security

Slides - IP Services

Slides - System Management

0:00:12	The next routing protocol we have for IPv6 is OSPF version 3
0:00:18	where the newest specification is in RFC 5340
0:00:22	You'll see a lot of the topics and a lot of the basic theory
0:00:26	behind OSPF version 2 has now been ported over to OSPF version 3
0:00:33	so like EIGRP it's still using the same transport protocol number
0:00:37	which is protocol number 89, it can use unicast or multicast for
0:00:42	communication where if it's using multicast, it's going to use
0:00:46	FF02::5 or FF02::6
0:00:51	depending on whether we're using the designated router
0:00:54	backup designated router election or we are running
0:00:58	on a point to multipoint segment.
0:01:03	So the normal OSPF rules are still going to apply
0:01:05	the different adjacency parameters like the area, unique router IDs,
0:01:10	unique IPv6 addresses on the interface
0:01:13	then parameters that would need to match would be
0:01:16	the authentication, the stub flags, the MTU
0:01:19	compatible network types, the hello interval, the dead interval
0:01:23	same basic logic as OSPF version 2
0:01:27	We do have the same network type definitions where broadcast
0:01:32	is the default for LAN. It means that we're going to be using
0:01:35	multicasts for updates. We do have the designated router
0:01:38	and backup designated router election.
0:01:42	For multipoint non-broadcast interfaces, we use the
0:01:46	non-broadcast network type which does have the DR and BDR election
0:01:50	but sends its updates as unicasts.
0:01:53	So just like an OSPF version 2 this means that we would then
0:01:57	need to use the neighbor statement in order to
0:02:00	choose who we are unicasting our updates to.
0:02:10	Now similar to EIGRP, OSPFv3 does use an IPv4 formatted router ID
0:02:17	which means that if you are running the protocol in an IPv6
0:02:21	only network, so the router does not have any IPv4 address assigned
0:02:29	it means that we would need to manually specify the router ID
0:02:32	under the process.
0:02:36	Otherwise, the configuration to enable the process is simply
0:02:38	going to be one command
0:02:40	IPv6 OSPF locally significant process ID and then the
0:02:45	particular area.
0:02:48	Same logic with the areas works where area 0 is the
0:02:51	backbone area. All areas have to be attached to zero
0:02:56	and if they become discontiguous, we can then use a virtual
0:02:58	link in order to repair the LSA flooding.
0:03:12	So let's look at an example of this configuration wise in
0:03:15	out topology.
0:03:17	We'll run OSPF on the LAN segment of Switch 2
0:03:21	between Switch 2 and Router 5
0:03:24	over the frame relay between 1 and 4
0:03:27	and between Router 1 and Router 6
0:03:40	so first let's start on Switch 2 we'll go to our interface VLAN 8
0:03:46	and say ip ospf 1 or ipv6 ospf 1
0:03:51	area 0
0:03:54	on the link to Router 5, the same thing ipv6 ospf 1 area 0
0:04:00	so technically, this is our minimum config that we need.
0:04:09	If we were to do the same thing on Router 5 let's go to
0:04:12	our Frame Relay interface
0:04:16	the two separate LAN interfaces
0:04:19	if we look at the show ipv6 ospf interfaces
0:04:29	we see that on Fast Ethernet 0/1
0:04:32	the network type is broadcast
0:04:35	which means that we will have a designated router
0:04:38	and backup designated router election.
0:04:43	The multipoint frame relay interface is running network
0:04:46	type non-broadcast which means that we would need to
0:04:50	manually specify the neighbors.
0:04:53	So now on interface serial 0/0/0
0:04:55	we need to say ipv6 ospf neighbor
0:04:59	and specify the remote address.
0:05:04	Now here I want to specify what is the link local address
0:05:08	of the neighbor so I'll say fe80::1
0:05:13	which is Router 1's address
0:05:15	On Router 1 I'm going to need to do the same thing back to Router 5
0:05:19	so on Router 5 let's look at the show ipv6 route local
0:05:22	I need to know what is the link local address assigned on that interface.
0:05:30	So we see we have the three global unicasts
0:05:33	it says we also have the local address FF00::/8
0:05:40	which is the multicast range.
0:05:42	It doesn't show our link locals here, so I need to look at the
0:05:45	show ipv6 interface serial 0/0/0
0:05:54	so now on Router 1 we need to say under
0:05:59	the serial interface ipv6 ospf 1 area 0
0:06:04	ipv6 ospf neighbor
0:06:09	is Router 5's address.
0:06:11	Notice it says here the neighbor command is only allowed on NBMA and
0:06:14	point-to-multipoint networks.
0:06:19	Why would the parser be complaining here about me trying to enter
0:06:21	the neighbor statement for the OSPF process on this interface?
0:06:33	Because a point-to-point frame relay sub interface
0:06:37	is going to default to network type point-to-point.
0:06:40	So just like an IPv4 OSPF if I wanted to run this as
0:06:44	network type non-broadcast, I'm going to have to tell it.
0:06:46	So ipv6 ospf network is non-broadcast
0:06:51	I have the neighbor to Router 5 and then after
0:06:55	some time eventually we should see Router 1 and Router 5 form the adjacency.
0:07:01	So then on the LAN segment to Router 6
0:07:05	we'll run area 0
0:07:08	same on Router 6
0:07:10	ipv6 ospf 1 area 0
0:07:26	If we look at the show ipv6 ospf neighbors
0:07:31	we see that Router 1 has a router ID that is in the IP version format.
0:07:37	So this is based still on the highest loopback address that
0:07:40	has an IPv4 address. If there was no loopback, we would take
0:07:44	the next highest interface address and if there's no
0:07:49	interfaces running IPv4 at all, then the process is not
0:07:53	going to be able to start, so we would need to manually
0:07:56	specify that.
0:08:06	Next we can see that Router 6 and Router 1 now are
0:08:09	adjacent under the process if we look at the show
0:08:13	ipv6 route ospf
0:08:16	it says we have the route to the link between
0:08:19	Router 1 and Router 5
0:08:25	if we show ipv6 ospf neighbors
0:08:29	it says with Router 5 we're still in the two way state
0:08:34	let's see on Router 5 if we show ipv6 ospf neighbors
0:08:41	Router 5 says we are in ex start
0:08:48	but Router 1 says we're still in two way.
0:08:54	Now this could be an indication of a transport problem
0:08:58	or it could be an indication just that the convergence is slow.
0:09:01	So just like for regular IPv4 OSPF
0:09:06	when we look at the default timers if we show ipv6 ospf interface
0:09:09	serial 0/0/0
0:09:13	the default hello timer is 30 seconds
0:09:16	and the dead timer is 2 minutes
0:09:20	so when we configure the initial adjacency, it may take a
0:09:22	couple minutes for it to actually form.
0:09:26	So if you do have to leave the network type as
0:09:28	non-broadcast with the default timers, you may want to
0:09:31	configure this, move on to something else and then come
0:09:33	back later to verify if it's working or not.
0:09:45	From Switch 2 if we now look at the routing table
0:09:48	we can see that we do have routes to the rest of the
0:09:50	topology. If we send pings towards the loopback of Router 6
0:09:55	connectivity is fine because everywhere in the Layer 2
0:09:59	transit path, we do have the proper Layer 3 to
0:10:02	Layer 2 resolution for all of those individual segments.
0:10:07	Now we know for the LAN segments, the resolution is not
0:10:10	going to be an issue because ICMP neighbor discovery is
0:10:13	automatically going to solve that here
0:10:16	and here.
0:10:17	For the frame relay interface since this is NBMA and it's
0:10:22	multipoint, Router 5 had the mapping for not only
0:10:26	the global address of Router 1, but also
0:10:29	for the link local address.
0:10:43	If we look at the documentation here for OSPF
0:10:49	we'll see that a lot of the features are the same.
0:10:55	One thing that is kind of a big difference here with
0:11:00	the format of the protocol is how the authentication works.
0:11:06	IPv6 OSPF now uses the authentication header
0:11:09	which is part of the IPSec stack
0:11:15	so it basically means that we need to configure the manual
0:11:18	key which is fairly large.
0:11:21	Now a functional difference of this is that not only
0:11:25	can we do the authentication on the payload
0:11:27	but we can also put ESP which is the encapsulating security
0:11:32	payload in order to do encryption.
0:11:36	So this is a key difference in the control plane of the protocol
0:11:40	because with the previous routing authentications whether
0:11:44	this is for RIP or EIGRP
0:11:46	OSPF or BGP
0:11:48	just because the routing adjacency is authenticated
0:11:54	does not means that someone in the middle cannot read the packets.
0:11:59	So if someone is doing a Layer 2 sniffing
0:12:02	of the OSPF communication between two routers
0:12:05	even if it's authenticated, they still would be able to see the LSA
0:12:08	structure and the actual flooding exchange between
0:12:10	the routers.
0:12:13	With OSPFv3 since we support not only authentication, but
0:12:17	encryption, there's no effective way for them to see the payload
0:12:22	unless they did some sort brute force attack against the
0:12:25	ESP key.
0:12:28	So the configuration of this is going to be a little bit different
0:12:31	if we look at the examples here defining authentication
0:12:36	on an interface.
0:12:41	we say ip ospf authentication
0:12:45	the security index basically a number that needs to match
0:12:48	between the neighbors
0:12:51	and then what is the actual key.
0:12:55	So let's say we wanted to do this between Router 1
0:12:58	and Router 6
0:13:00	On Router 1 we would go to the link level
0:13:03	which is Fast Ethernet 0/0
0:13:05	say ipv6 ospf authentication
0:13:12	we want to use ipsec authentication
0:13:14	we give it an index number let's say a 1000
0:13:22	MD5 or SHA which are basically two different hashing algorithms
0:13:26	let's say we'll use SHA
0:13:30	then the hex string of 40 characters
0:13:38	so the key here is that it's not a clear text Ascii string like
0:13:42	we were using for OSPF previously for OSPF version 2
0:13:47	so now I need 40 characters
0:13:50	let's just say 0123456789
0:13:54	so that's ten characters
0:13:58	and we'll do this three more times 1, 2, 3
0:14:05	Now if we show run interface Fast Ethernet 0/0
0:14:13	we can see now that the router is complaining
0:14:16	that it's receiving unencrypted packets in from Router 6
0:14:23	because now it's expecting the authentication to be there.
0:14:27	If we go to the LAN on Router 6 now
0:14:31	and likewise enable the same authentication
0:14:39	it says the neighbor is down and then we should be able to
0:14:40	re-form the adjacency here.
0:14:53	If we were to look at the debug ipv6 ospf adjacency
0:15:00	this of course would then be the equivalent of the debug ip ospf adjacency
0:15:05	we should be able to see the basic exchange between them
0:15:08	so let's say logging console 7
0:15:12	on Router 6
0:15:14	clear ipv6 ospf process
0:15:18	that's going to reset the interface
0:15:40	and to speed up the adjacency here let's change the timers
0:15:43	so that they're a lower value
0:15:46	we'll say ipv6 ospf 1
0:15:50	or ipv6 ospf hello interval
0:15:56	is 3 seconds which is automatically going to update
0:16:00	the dead interval.
0:16:24	So it looks like 1 and 6 are not receiving each other's packets
0:16:28	let's look at the debug ipv6 packet detail
0:16:34	it's possible that the string that I put in has a character
0:16:39	mismatched
0:16:44	Fast Ethernet 0/0 this looks like this is the
0:16:52	let's see 219:56FF let's see if this is Router 6's address
0:16:59	let's say show ipv6 neighbors
0:17:06	Router 6's address is 56DF:F922
0:17:26	so I don't actually see anything coming in from
0:17:34	Router 6 here. Let's make sure that they still have connectivity
0:17:37	let's ping 2001:155:28:146::6
0:17:45	Ok, so there's nothing wrong with the basic connectivity on the
0:17:47	link. Next thing let's show run on the interface.
0:17:50	Ok, most likely what happened is that there's a character that's
0:17:53	mismatched in the actual password.
0:17:59	So this looks good on Router 1
0:18:04	let's see on 6 show run interface Fast Ethernet 0/0.146
0:18:18	it should be the same value there
0:18:21	between the two of them. Let's look at the
0:18:24	let's look back at the documentation here.
0:18:33	And the configuration should only be that one command.
0:18:36	For a lot of this, if you look at the documentation and then look at
0:18:39	the how to configure section or the one that says
0:18:43	the configuration task list
0:18:47	so let's say configuring IPSec for OSPF
0:18:54	it says we can define authentication or define
0:18:58	encryption.
0:19:03	Once you configured OSPF and decided on your authentication
0:19:05	you must define the security policy on each of the routers within the group.
0:19:09	The policy consists of the combination of the key
0:19:11	and the SPI.
0:19:13	To define the security policy you must define the SPI and the key.
0:19:16	You can configure an authentication or encryption policy either on the
0:19:20	interface or for an area.
0:19:23	When you apply it to the area it's applied to all the interfaces
0:19:27	in the area.
0:19:29	So again, it's the similar to OSPF version 2, there's no
0:19:32	packet format difference between interface level authentication
0:19:37	and area authentication. Simply when we enable it under the
0:19:42	global process, it's going to apply to all interfaces at the same time.
0:19:47	Now note this point here, it says you can configure authentication
0:19:50	and encryption on virtual links and the virtual link
0:19:54	is an area 0 interface.
0:19:56	So this means if I were to say area 0 authentication under the
0:20:01	IPv6 OSPF process, the virtual link will inherit that.
0:20:09	So it says we have a couple different steps here.
0:20:10	Define authentication on the interface, define encryption on the interface
0:20:19	so we have IP OSPF authentication and IP OSPF encryption.
0:20:26	Let's try -- let me try changing this to MD5
0:20:53	so we can see now with the authentication off, the
0:20:56	neighbors do form the adjacency, so the problem
0:20:59	is definitely something related to that config.
0:21:02	So let's try this again, let's say ipv6 ospf 1 is in area 0
0:21:10	this should be ipv6 ospf authentication
0:21:15	use ipsec
0:21:19	let's say a new number, let's say 1234
0:21:22	we'll use md5
0:21:28	I'm wondering if I have to say zero first.
0:21:33	In the case of MD5, the characters are or the key is a little bit shorter
0:21:37	so it's 32
0:21:40	I'll say 0123456789
0:21:43	0123456789
0:21:49	12, so that should be 32 characters.
0:21:51	At the end of it that should be our only option.
0:22:03	So basically we need to take the same key
0:22:07	that's on 6
0:22:12	and apply this to Router 1
0:22:38	If we now look at the show ipv6 ospf interface Fast Ethernet 0/0.146
0:22:49	it says the MD5 authentication is on.
0:22:55	The SPI is 1234
0:22:57	let's check this on Router 1 as well.
0:23:00	show ipv6 ospf interface
0:23:34	so there really shouldn't be anything else related to the
0:23:37	configuration here
0:23:39	let's show ipv6 ospf neighbors
0:23:46	so it says we're in the INIT state
0:23:48	if we're not in two way, it means that we're not
0:23:53	receiving each other's packets.
0:23:55	So this means that one is getting 6's hello
0:24:00	but for some reason 6 is not getting 1's hello.
0:24:05	And I'm wondering if a reload is going to fix this.
0:24:09	Sometimes you'll see in the IOS that changing a lot of these
0:24:12	options sometimes the process gets hung
0:24:16	and the only way to fix it is either to remove the process
0:24:18	and apply the configuration again or save and reload.
0:24:24	So within the scope of the exam, make sure not to
0:24:27	exclude rebooting as part of your troubleshooting process.
0:24:32	So if you run into a wall with some troubleshooting process
0:24:34	and you thing that you've done all of the logical options that you can
0:24:38	save and reload, move on to something else, come back a couple
0:24:41	minutes later and see if it has changed anything.
0:24:43	So I'm going to try one more thing before moving on with this
0:24:46	is simply to disable the process at the interface level
0:24:51	and then re-enable it, so no ipv6 ospf 1 area 0
0:24:58	the same thing on Router 6
0:25:06	now the process is off
0:25:08	let's try placing it back on
0:25:38	so Router 1 from the debug ipv6 ospf packet it says
0:25:41	it is receiving a hello in from Router 6
0:25:46	ok, we can see Router 6's router ID there 150.28.6.6
0:25:50	let's look at the same output on Router 6
0:26:06	and we're not receiving anything from 1
0:26:13	so I wonder if this is related to a Layer 2 problem
0:26:17	it could be possibly the switches in the transit path because
0:26:21	Router 1 and Router 6 they're actually not directly connected
0:26:24	on this segment. The updates between them would be going
0:26:31	from 1 out to Switch 1
0:26:35	then there's Layer 2 trunking that goes over to Switch 2
0:26:40	then from Switch 2 down to Router 6
0:26:43	so I'm wondering if the switches are having problems
0:26:47	switching the packets between the interfaces
0:26:52	because we should see at least from the debug here
0:26:54	that the packets are being received on 6
0:26:58	so it's some sort of transport problem, it's not necessarily
0:27:01	related to our configuration, so if this were the actual exam
0:27:05	what I would do is first try a reload, if that didn't work
0:27:09	then I would just configure the -- continue the configuration
0:27:13	on without the authentication.
0:27:21	Now the logic behind that is that technically the
0:27:25	authentication is not really needed in order to get just the
0:27:28	basic network functional.
0:27:31	But if authentication is not working, then we know pretty much
0:27:34	everything else on top of the network is not going to work
0:27:37	because if we don't have our routing adjacencies
0:27:39	and we can't exchange our updates, then it means anything
0:27:42	on top of the network whether it's BGP or multicast
0:27:45	or features later, none of that stuff is going to work without
0:27:48	basic reachability, so if this question in the exam
0:27:52	let's say it was worth two or three points, I'm probably better off
0:27:55	just skipping over the authentication getting the basic
0:27:58	OSPF adjacency working moving on to some other problems
0:28:02	then if I have extra time at the end of the day
0:28:04	I'll come back and try to fix this.
0:28:15	But otherwise, for OSPF I would recommend to spend some time
0:28:17	reading through the configuration guide here and looking at the
0:28:20	command reference. Most of these features should be pretty
0:28:23	self-explanatory if you understand how to use OSPF version 2
0:28:29	so LSA SPF throttling for OSPF for IPv6 fast convergence
0:28:34	so these type of timers if they're going to ask you something like this
0:28:38	within the scope of the exam, it should be pretty self-explanatory
0:28:41	based on the description in the command reference.
0:28:45	So if we were to go to the command reference and
0:28:48	look at anything that starts with IPv6 OSPF
0:28:53	at the interface level
0:28:56	so we see things like the database filter out
0:29:02	which again is like the equivalent of the passive interface
0:29:04	command for OSPF.
0:29:07	We could change the cost
0:29:09	what's the area assignment, we could do the authentication.
0:29:12	Bidirectional forwarding detection again, this is for the fast
0:29:16	Layer 2 convergence.
0:29:21	OSPF dead interval, that's going to be automatically
0:29:24	updated when we change the hello interval.
0:29:26	Demand circuit just like in OSPF version 2
0:29:30	it means that we're not going to send periodic updates
0:29:32	and we're also going to set the do not age flag
0:29:38	so we're not going to increase the age of the LSAs over that particular
0:29:41	link, this means that we're allowed to go past 30 minutes
0:29:46	which normally is the paranoid update interval.
0:29:50	So normally once the LSA gets to 30 minutes,
0:29:53	the originating router is going to have to re-flood it.
0:29:59	The IP OSPF encryption as we saw on the configuration guide
0:30:02	this is different than the authentication
0:30:05	because we're taking the whole payload and encapsulating
0:30:09	it inside of ESP.
0:30:10	So in a real implementation you would want to do both
0:30:14	at the same time. You would want to run AH for the authentication
0:30:18	and ESP for the encryption.
0:30:23	Then IP OSPF flood reduction
0:30:25	this is going to set the do not age flag on its own on the interface
0:30:30	so it's similar to the demand circuit, but it does not
0:30:33	prevent the periodic hellos.
0:30:39	IPv6 OSPF MTU ignore so if there's some reason
0:30:42	that we're mismatching the MTU value.
0:30:44	We did talk about this in IPv4 OSPF
0:30:48	that if there is an MTU mismatch, you do run the
0:30:51	risk of not being able to exchange the database.
0:30:57	So ideally, instead of just doing this hack with the
0:31:00	ignoring the MTU, you really should change the Layer 2 MTU
0:31:03	to make sure that it does match.

Now Viewing

CCIE R&S Advanced Technologies Class v4.5
Title:	CCIE R&S Advanced Technologies Class v4.5
Duration:	81h 42m
The CCIE Routing & Switching Advanced Technologies Class is the first step in understanding CCIE level technologies and is a companion to the Advanced Technologies Lab Workbook. Each technology you need to know for the CCIE Routing & Switching lab will be described in detail using an instructor led hands on demonstration. The class consists of over 80 hours of in depth explanations and examples.
Get instant access to our entire library!
	Sign Up
Download this Course
$299.00	Add to Cart

IPv6 OSPFv3

Create Bookmark