Senior Acquisitions Editor: Kenyon Brown Development Editor: Kim Wimpsett



Todd Lammle CCNA Routing and Switching


HSRP Load Balancing

As you know, HSRP doesn’t really perform true load balancing, but it can be configured to use more than one router at a time for use with different VLANs. This is different from the true load balancing that’s possible with GLBP, which I’ll demonstrate in a minute, but HSRP still performs a load-balancing act of sorts. Figure 16.14 shows how load balancing would look with HSRP.

How can you get two HSRP routers active at the same time? Well, for the same subnet with this simple configuration, you can’t, but if you trunk the links to each router, they’ll run and be configured with a “router on a stick” (ROAS) configuration. This means that each router can be the default gateway for different VLANs, but you still can have only one active router per VLAN. Typically, in a more advanced setting you won’t use HSRP for load balancing; you’ll use GLBP, but you can do load-sharing with HSRP, and that is the topic of an objective, so we’ll remember that, right? It comes in handy because it prevents situations where a single point of failure causes traffic interruptions. This HSRP feature improves network resilience by allowing for load-balancing and redundancy capabilities between subnets and VLANs.

Figure 16.14 HSRP load balancing per VLAN
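To make the per-VLAN load-sharing idea concrete, here is an added example (not from the book) that plans which router should be active for each VLAN, renders the matching router-on-a-stick HSRP subinterface configuration for each router, and runs the HSRP election rule (highest priority wins, highest interface IP breaks a tie) to confirm that every VLAN still has exactly one active router. The VLAN numbers, addresses, router names, host octets and the 110 priority are constructed values; the default priority of 100 is the one the chapter’s review questions cite.

```python
"""Per-VLAN HSRP load sharing with router-on-a-stick (added example, not from the book)."""
from typing import Dict, List

DEFAULT_PRIORITY = 100      # HSRP default priority (see review question 2)
PREFERRED_PRIORITY = 110    # assumed value; anything above the default makes a router win

# Constructed VLAN plan (not from the book): VLAN id -> virtual gateway IP for that VLAN.
VLANS = {10: "10.10.10.1", 20: "10.10.20.1", 30: "10.10.30.1", 40: "10.10.40.1"}
ROUTERS = ["R1", "R2"]
HOST_OCTET = {"R1": 2, "R2": 3}   # assumption: R1 is host .2 and R2 host .3 on every VLAN


def plan_priorities(vlans: Dict[int, str], routers: List[str]) -> Dict[int, Dict[str, int]]:
    """Alternate the preferred router across VLANs so each router is active for about half."""
    plan = {}
    for i, vlan in enumerate(sorted(vlans)):
        preferred = routers[i % len(routers)]
        plan[vlan] = {r: (PREFERRED_PRIORITY if r == preferred else DEFAULT_PRIORITY)
                      for r in routers}
    return plan


def real_ip(router: str, vip: str) -> str:
    """Derive the router's own interface address on a VLAN from the virtual IP's subnet."""
    net = vip.rsplit(".", 1)[0]
    return f"{net}.{HOST_OCTET[router]}"


def elect_active(priorities: Dict[str, int], ips: Dict[str, str]) -> str:
    """HSRP election: highest priority wins; on a tie, the highest interface IP wins."""
    def key(router):
        return (priorities[router], tuple(int(o) for o in ips[router].split(".")))
    return max(priorities, key=key)


def render_ios(router: str, vlans: Dict[int, str], plan, trunk: str = "GigabitEthernet0/0") -> str:
    """Render the ROAS subinterfaces with one HSRP group per VLAN (group number = VLAN id)."""
    lines = []
    for vlan in sorted(vlans):
        vip = vlans[vlan]
        lines += [f"interface {trunk}.{vlan}",
                  f" encapsulation dot1Q {vlan}",
                  f" ip address {real_ip(router, vip)} 255.255.255.0",
                  f" standby {vlan} ip {vip}",
                  f" standby {vlan} priority {plan[vlan][router]}",
                  f" standby {vlan} preempt",
                  "!"]
    return "\n".join(lines)


def active_per_vlan(vlans: Dict[int, str], plan) -> Dict[int, str]:
    """Which router wins the election on each VLAN under the planned priorities."""
    return {vlan: elect_active(plan[vlan], {r: real_ip(r, vlans[vlan]) for r in plan[vlan]})
            for vlan in vlans}


if __name__ == "__main__":
    plan = plan_priorities(VLANS, ROUTERS)
    print(active_per_vlan(VLANS, plan))      # one active router per VLAN, split across R1/R2
    for r in ROUTERS:
        print(f"! ---- {r} ----\n{render_ios(r, VLANS, plan)}")
```

Because each VLAN is its own HSRP group with its own election, the split is only a load-sharing arrangement: within any single VLAN there is still exactly one active router, which is the point the text makes.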



HSRP Troubleshooting

Besides HSRP verification, the troubleshooting of HSRP is the Cisco objective hotspot, so let’s go through this.

Most of your HSRP misconfiguration issues can be solved by checking the output of the show standby command. In the output, you can see the active IP and the MAC address, the timers, the active router, and more, as shown earlier in the verification section.

There are several possible misconfigurations of HSRP, but these are what you need to pay attention to for your CCNA:

Different HSRP virtual IP addresses configured on the peers  Console messages will notify you about this, of course, but if you configure it this way and the active router fails, the standby router takes over with a virtual IP address, which is different than the one used previously, and different than the one configured as the default-gateway address for end devices, so your hosts stop working, which defeats the purpose of a FHRP.

Different HSRP groups configured on the peers  This misconfiguration leads to both peers becoming active, and you’ll start receiving duplicate IP address warnings. It seems like this would be easy to troubleshoot, but the next issue has the same warnings.

Different HSRP versions configured on the peers or ports blocked  HSRP comes in two versions, 1 and 2. If there is a version mismatch, both routers will become active and you’ll again have duplicate IP address warnings.

In version 1, HSRP messages are sent to the multicast IP address 224.0.0.2 and UDP port 1985. HSRP version 2 uses the multicast IP address 224.0.0.102 and UDP port 1985. These IP addresses and ports need to be permitted in the inbound access lists. If the packets are blocked, the peers will not see each other and there will be no HSRP redundancy.
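The four misconfigurations above can be caught before they reach a console. The following added example (not from the book) parses the standby, access-group and access-list lines out of two constructed IOS interface snippets and reports, for each mismatch, the symptom the text predicts: differing virtual IPs, groups or versions, or an inbound ACL that does not permit the version’s multicast address on UDP 1985. The peer addresses, ACL numbers and snippets are constructed; the multicast addresses and port come from the text.

```python
"""Check two HSRP peers' configs for the mismatches described above (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# From the text: v1 uses 224.0.0.2, v2 uses 224.0.0.102, both on UDP port 1985.
HSRP_MULTICAST = {1: "224.0.0.2", 2: "224.0.0.102"}
HSRP_UDP_PORT = 1985


@dataclass
class HsrpPeer:
    version: int = 1                    # IOS defaults to HSRP version 1
    group: Optional[int] = None
    virtual_ip: Optional[str] = None
    acl_in: Optional[str] = None        # inbound ACL applied to the interface, if any
    acl_permits: Dict[str, Set[Tuple]] = field(default_factory=dict)


def parse_config(text: str) -> HsrpPeer:
    """Extract the HSRP-relevant lines from a single-interface IOS snippet."""
    peer = HsrpPeer()
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"standby version (\d)$", line)
        if m:
            peer.version = int(m.group(1))
            continue
        m = re.match(r"standby (\d+) ip (\S+)$", line)
        if m:
            peer.group, peer.virtual_ip = int(m.group(1)), m.group(2)
            continue
        m = re.match(r"ip access-group (\S+) in$", line)
        if m:
            peer.acl_in = m.group(1)
            continue
        m = re.match(r"access-list (\S+) permit (\S+) any (?:host (\S+)|any)(?: eq (\d+))?$", line)
        if m:
            acl, proto, dst, port = m.groups()
            peer.acl_permits.setdefault(acl, set()).add((proto, dst, int(port) if port else None))
    return peer


def acl_permits_hsrp(peer: HsrpPeer) -> bool:
    """True if the inbound ACL (or its absence) lets this peer's HSRP Hellos in."""
    if peer.acl_in is None:
        return True
    wanted = HSRP_MULTICAST[peer.version]
    for proto, dst, port in peer.acl_permits.get(peer.acl_in, set()):
        if proto in ("ip", "udp") and dst in (None, wanted) and port in (None, HSRP_UDP_PORT):
            return True
    return False  # no matching permit: the ACL's implicit deny drops the Hellos


def diagnose(a: HsrpPeer, b: HsrpPeer) -> List[Tuple[str, str]]:
    """Return (issue, expected symptom) pairs using the symptoms the text describes."""
    findings = []
    if a.version != b.version:
        findings.append(("version mismatch",
                         "both routers become active; duplicate IP address warnings"))
    if a.group != b.group:
        findings.append(("group mismatch",
                         "both peers become active; duplicate IP address warnings"))
    if a.virtual_ip != b.virtual_ip:
        findings.append(("virtual IP mismatch",
                         "standby takes over with a different gateway address; hosts stop working"))
    for name, peer in (("peer A", a), ("peer B", b)):
        if not acl_permits_hsrp(peer):
            findings.append((f"{name} inbound ACL blocks {HSRP_MULTICAST[peer.version]} UDP {HSRP_UDP_PORT}",
                             "peers will not see each other; no HSRP redundancy"))
    return findings


# Constructed sample snippets (not from the book).
PEER_A = """
interface GigabitEthernet0/0
 ip address 10.1.1.2 255.255.255.0
 ip access-group 101 in
 standby version 2
 standby 1 ip 10.1.1.10
 standby 1 priority 110
 standby 1 preempt
!
access-list 101 permit udp any host 224.0.0.102 eq 1985
access-list 101 permit ip any any
"""
PEER_B_OK = """
interface GigabitEthernet0/0
 ip address 10.1.1.3 255.255.255.0
 standby version 2
 standby 1 ip 10.1.1.10
"""
PEER_B_BAD = """
interface GigabitEthernet0/0
 ip address 10.1.1.3 255.255.255.0
 ip access-group 110 in
 standby version 2
 standby 2 ip 10.1.1.10
!
access-list 110 permit udp any host 224.0.0.2 eq 1985
"""

if __name__ == "__main__":
    print(diagnose(parse_config(PEER_A), parse_config(PEER_B_OK)))    # []
    print(diagnose(parse_config(PEER_A), parse_config(PEER_B_BAD)))   # group + ACL findings
```

Note that the bad peer’s ACL permits only the version 1 address while the peer runs version 2, which is exactly the “ports blocked” case: the peer configuration looks reasonable in isolation and only the combination reveals it.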

Summary

I started this chapter by discussing how to mitigate security threats at the access layer and then also discussed external authentication for our network devices for ease of management.

SNMP is an Application layer protocol that provides a message format for agents on a variety of devices to communicate to network management stations (NMSs). I discussed the basic information you need to use syslog and SNMP, that is, configuration and verification.

Last, I showed you how to integrate redundancy and load-balancing features into your network elegantly with the routers that you likely have already. HSRP is Cisco proprietary; acquiring some overpriced load-balancing device just isn’t always necessary because knowing how to properly configure and use Hot Standby Router Protocol (HSRP) can often meet your needs instead.



Exam Essentials

Understand how to mitigate threats at the access layer.  You can mitigate threats at the access layer by using port security, DHCP snooping, dynamic ARP inspection, and identity-based networking.

Understand TACACS+ and RADIUS.  TACACS+ is Cisco proprietary, uses TCP, and can separate services. RADIUS is an open standard, uses UDP, and cannot separate services.

Remember the differences between SNMPv2 and SNMPv3.  SNMPv2 uses UDP but can use TCP; however, v2 still sends data to the NMS station in clear text, exactly like SNMPv1, plus SNMPv2 implemented GETBULK and INFORM messages. SNMPv3 uses TCP and authenticates users, plus it can use ACLs in the SNMP strings to protect the NMS station from unauthorized use.

Understand FHRPs, especially HSRP.  The FHRPs are HSRP, VRRP, and GLBP, with HSRP and GLBP being Cisco proprietary.

Remember the HSRP virtual address.  The HSRP MAC address has only one variable piece in it. The first 24 bits still identify the vendor who manufactured the device (the organizationally unique identifier, or OUI). The next 16 bits in the address tell us that the MAC address is a well-known HSRP MAC address. Finally, the last 8 bits of the address are the hexadecimal representation of the HSRP group number.

Let me clarify all this with an example of what an HSRP MAC address would look like:

0000.0c07.ac0a
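The three-part layout of that address (24-bit OUI, 16-bit well-known HSRP marker, 8-bit group) is easy to check by machine, which is handy when a duplicate-address warning names a MAC and you want to know which HSRP group it belongs to. The following added example (not from the book) builds the version 1 virtual MAC for a group number and decodes a MAC back to its version and group. It goes one step beyond the text: it also recognises the version 2 virtual MAC range 0000.0c9f.f000 to 0000.0c9f.ffff, which carries a 12-bit group number; that range is not stated on the page and is included here as known Cisco behaviour.

```python
"""Build and decode HSRP virtual MAC addresses (added example, not from the book)."""
import re
from typing import Optional, Tuple

# Version 1 (from the text): OUI 0000.0c, well-known marker 07.ac, then an 8-bit group.
HSRP_V1_PREFIX = 0x0000_0C07_AC00
# Version 2 (not on the page, known Cisco behaviour): 0000.0c9f.f000 plus a 12-bit group.
HSRP_V2_PREFIX = 0x0000_0C9F_F000


def hsrp_virtual_mac(group: int, version: int = 1) -> str:
    """Return the HSRP virtual MAC for a group in Cisco dotted-hex notation."""
    if version == 1:
        if not 0 <= group <= 255:
            raise ValueError("HSRPv1 group numbers are 0-255 (8 bits)")
        value = HSRP_V1_PREFIX | group
    elif version == 2:
        if not 0 <= group <= 4095:
            raise ValueError("HSRPv2 group numbers are 0-4095 (12 bits)")
        value = HSRP_V2_PREFIX | group
    else:
        raise ValueError("HSRP version must be 1 or 2")
    hexstr = f"{value:012x}"
    return f"{hexstr[0:4]}.{hexstr[4:8]}.{hexstr[8:12]}"


def parse_hsrp_mac(mac: str) -> Optional[Tuple[int, int]]:
    """Decode a MAC in any common notation; return (version, group) or None if not HSRP."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    value = int(digits, 16)
    if value & 0xFFFF_FFFF_FF00 == HSRP_V1_PREFIX:     # OUI + 07.ac fixed, last byte = group
        return (1, value & 0xFF)
    if value & 0xFFFF_FFFF_F000 == HSRP_V2_PREFIX:     # OUI + 9f.f fixed, last 12 bits = group
        return (2, value & 0xFFF)
    return None


if __name__ == "__main__":
    print(hsrp_virtual_mac(10))                 # 0000.0c07.ac0a, the book's example
    print(parse_hsrp_mac("0000.0c07.ac0a"))     # (1, 10)
    print(parse_hsrp_mac("00:00:0c:9f:f0:0a"))  # (2, 10)
    print(parse_hsrp_mac("0000.0c07.ad0a"))     # None: Cisco OUI but not an HSRP address
```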

Written Lab 16

You can find the answers to this lab in Appendix A, “Answers to Written Labs.”

1. Which operation used by SNMP is the same as a trap but adds an acknowledgment that a trap does not provide?
2. Which operation is used by SNMP to get information from the MIB to an SNMP agent?
3. Which operation is used by the SNMP agent to send a triggered piece of information to the SNMP manager?
4. Which operation is used to get information to the MIB from an SNMP manager?
5. This operation is used to list information from successive MIB objects within a specified MIB.
6. You have different HSRP virtual IP addresses configured on peers. What is the result?
7. You configure HSRP on peers with different group numbers. What is the result?
8. You configure your HSRP peers with different versions (v1 and v2). What is the result?
9. What is the multicast and port number used for both HSRP versions 1 and 2?
10. The two most popular options for external AAA are what, and which one of them is Cisco proprietary?

Review Questions

The following questions are designed to test your understanding of this chapter’s material. For more information on how to get additional questions, please see www.lammle.com/ccna.

You can find the answers to these questions in Appendix B, “Answers to Review Questions.”

1. How can you efficiently restrict the read-only function of a requesting SNMP management station based on the IP address?
   A. Place an ACL on the logical control plane.
   B. Place an ACL on the line when configuring the RO community string.
   C. Place an ACL on the VTY line.
   D. Place an ACL on all router interfaces.

2. What is the default priority setting on an HSRP router?
   A. 25
   B. 50
   C. 100
   D. 125

3. Which of the following commands will enable AAA on a router?
   A. aaa enable
   B. enable aaa
   C. new-model aaa
   D. aaa new-model

4. Which of the following will mitigate access layer threats? (Choose two.)
   A. Port security
   B. Access lists
   C. Dynamic ARP inspection
   D. AAA

5. Which of the following is not true about DHCP snooping?
   A. DHCP snooping validates DHCP messages received from untrusted sources and filters out invalid messages.
   B. DHCP snooping builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.
   C. DHCP snooping rate-limits DHCP traffic from trusted and untrusted sources.
   D. DHCP snooping is a layer 2 security feature that acts like a firewall between hosts.

6. Which of the following are true about TACACS+? (Choose two.)
   A. TACACS+ is a Cisco proprietary security mechanism.
   B. TACACS+ uses UDP.
   C. TACACS+ combines authentication and authorization services as a single process—after users are authenticated, they are also authorized.
   D. TACACS+ offers multiprotocol support.

7. Which of the following is not true about RADIUS?
   A. RADIUS is an open standard protocol.
   B. RADIUS separates AAA services.
   C. RADIUS uses UDP.
   D. RADIUS encrypts only the password in the access-request packet from the client to the server. The remainder of the packet is unencrypted.

8. A switch is configured with the snmp-server community Cisco RO command running SNMPv2c. An NMS is trying to communicate to this router via SNMP, so what can be performed by the NMS? (Choose two.)
   A. The NMS can only graph obtained results.
   B. The NMS can graph obtained results and change the hostname of the router.
   C. The NMS can only change the hostname of the router.
   D. The NMS can use GETBULK and return many results.

9. What is true regarding any type of FHRP?
   A. The FHRP supplies hosts with routing information.
   B. The FHRP is a routing protocol.
   C. The FHRP provides default gateway redundancy.
   D. The FHRP is only standards-based.

10. Which of the following are HSRP states? (Choose two.)
   A. INIT
   B. Active
   C. Established
   D. Idle

11. Which command configures an interface to enable HSRP with the virtual router IP address 10.1.1.10?
   A. standby 1 ip 10.1.1.10
   B. ip hsrp 1 standby 10.1.1.10
   C. hsrp 1 ip 10.1.1.10
   D. standby 1 hsrp ip 10.1.1.10

12. Which command displays the status of all HSRP groups on a Cisco router or layer 3 switch?
   A. show ip hsrp
   B. show hsrp
   C. show standby hsrp
   D. show standby
   E. show hsrp groups

13. Two routers are part of an HSRP standby group and there is no priority configured on the routers for the HSRP group. Which of the statements below is correct?
   A. Both routers will be in the active state.
   B. Both routers will be in the standby state.
   C. Both routers will be in the listen state.
   D. One router will be active, the other standby.

14. Which of the following statements is true about the HSRP version 1 Hello packet?
   A. HSRP Hello packets are sent to multicast address 224.0.0.5.
   B. HSRP Hello packets are sent to multicast address 224.0.0.2 with TCP port 1985.
   C. HSRP Hello packets are sent to multicast address 224.0.0.2 with UDP port 1985.
   D. HSRP Hello packets are sent to multicast address 224.0.0.10 with UDP port 1986.

15. Routers HSRP1 and HSRP2 are in HSRP group 1. HSRP1 is the active router with a priority of 120 and HSRP2 has the default priority. When HSRP1 reboots, HSRP2 will become the active router. Once HSRP1 comes back up, which of the following statements will be true? (Choose two.)
   A. HSRP1 will become the active router.
   B. HSRP2 will stay the active router.
   C. HSRP1 will become the active router if it is also configured to preempt.
   D. Both routers will go into speak state.

16. What is the multicast address and port number used for HSRP version 2?
   A. 224.0.0.2, UDP port 1985
   B. 224.0.0.2, TCP port 1985
   C. 224.0.0.102, UDP port 1985
   D. 224.0.0.102, TCP port 1985

17. Which is true regarding SNMP? (Choose two.)
   A. SNMPv2c offers more security than SNMPv1.
   B. SNMPv3 uses TCP and introduced the GETBULK operation.
   C. SNMPv2c introduced the INFORM operation.
   D. SNMPv3 provides the best security of the three versions.

18. You want to configure RADIUS so your network devices have external authentication, but you also need to make sure you can fall back to local authentication. Which command will you use?
   A. aaa authentication login local group MyRadiusGroup
   B. aaa authentication login group MyRadiusGroup fallback local
   C. aaa authentication login default group MyRadiusGroup external local
   D. aaa authentication login default group MyRadiusGroup local

19. Which is true about DAI?
   A. It must use TCP, BootP, and DHCP snooping in order to work.
   B. DHCP snooping is required in order to build the MAC-to-IP bindings for DAI validation.
   C. DAI is required in order to build the MAC-to-IP bindings, which protect against man-in-the-middle attacks.
   D. DAI tracks ICMP-to-MAC bindings from DHCP.

20. The IEEE 802.1x standard allows you to implement identity-based networking on wired and wireless hosts by using client/server access control. There are three roles. Which of the following are these three roles?
   A. Client
   B. Forwarder
   C. Security access control
   D. Authenticator
   E. Authentication server

Chapter 17

Enhanced IGRP

THE FOLLOWING ICND2 EXAM TOPICS ARE COVERED IN THIS CHAPTER:

2.0 Routing Technologies
2.2 Compare and contrast distance vector and link-state routing protocols
2.3 Compare and contrast interior and exterior routing protocols
2.6 Configure, verify, and troubleshoot EIGRP for IPv4 (excluding authentication, filtering, manual summarization, redistribution, stub)
2.7 Configure, verify, and troubleshoot EIGRP for IPv6 (excluding authentication, filtering, manual summarization, redistribution, stub)

Enhanced Interior Gateway Routing Protocol (EIGRP) is a Cisco protocol that runs on Cisco routers and on some Cisco switches. In this chapter, I’ll cover the many features and functions of EIGRP, with an added focus on the unique way that it discovers, selects, and advertises routes.

EIGRP has a number of features that make it especially useful within large, complex networks. A real standout among these is its support of VLSM, which is crucial to its ultra-efficient scalability. EIGRP even includes benefits gained through other common protocols like OSPF and RIPv2, such as the ability to create route summaries at any location you choose.

I’ll also cover key EIGRP configuration details and give you examples of each, as well as demonstrate the various commands required to verify that EIGRP is working properly. Finally, I’ll wrap up the chapter by showing you how to configure and verify EIGRPv6. I promise that after you get through it, you’ll agree that EIGRPv6 is truly the easiest part of this chapter!

To find up-to-the-minute updates for this chapter, please see www.lammle.com/ccna or the book’s web page at www.sybex.com/go/ccna.

EIGRP Features and Operations

EIGRP is a classless, distance-vector protocol that uses the concept of an autonomous system to describe a set of contiguous routers that run the same routing protocol and share routing information; it also includes the subnet mask in its route updates. This is a very big deal because by advertising subnet information, this robust protocol enables us to use VLSM and permits summarization to be included within the design of EIGRP networks.

EIGRP is sometimes referred to as a hybrid routing protocol or an advanced distance-vector protocol because it has characteristics of both distance-vector and some link-state protocols. For example, EIGRP doesn’t send link-state packets like OSPF does. Instead, it sends traditional distance-vector updates that include information about networks plus the cost of reaching them from the perspective of the advertising router.

EIGRP has link-state characteristics as well—it synchronizes network topology information between neighbors at startup and then sends specific updates only when topology changes occur (bounded updates). This particular feature is a huge advancement over RIP and is a big reason that EIGRP works so well in very large networks.

EIGRP has a default hop count of 100, with a maximum of 255, but don’t let this confuse you because EIGRP doesn’t rely on hop count as a metric like RIP does. In EIGRP-speak, hop count refers to how many routers an EIGRP route update packet can go through before it will be discarded, which limits the size of the autonomous system (AS). So don’t forget that this isn’t how metrics are calculated with EIGRP!

There are a bunch of powerful features that make EIGRP a real standout from other protocols. Here’s a list of some of the major ones:

Support for IP and IPv6 (and some other useless routed protocols) via protocol-dependent modules
Considered classless (same as RIPv2 and OSPF)
Support for VLSM/CIDR
Support for summaries and discontiguous networks
Efficient neighbor discovery
Communication via Reliable Transport Protocol (RTP)
Best path selection via Diffusing Update Algorithm (DUAL)
Reduced bandwidth usage with bounded updates
No broadcasts

Cisco refers to EIGRP as a distance-vector routing protocol but also as an advanced distance-vector or even a hybrid routing protocol.



Neighbor Discovery

Before EIGRP routers can exchange routes with each other, they must become neighbors, and there are three conditions that must be met before this can happen, as shown in Figure 17.1.

FIGURE 17.1 EIGRP neighbor discovery

And these three things will be exchanged with directly connected neighbors:

Hello or ACK received
AS numbers match
Identical metrics (K values)

Link-state protocols often use Hello messages to establish who their neighbors are because they usually don’t send out periodic route updates but still need a way to help neighbors know when a new peer has arrived or an old one has gone down. And because Hellos are also used to maintain neighbor relationships, it follows that EIGRP routers must also continuously receive Hellos from their neighbors.

But EIGRP routers that belong to different ASs don’t automatically share routing information and, therefore, don’t become neighbors. This factor is really helpful operating in larger networks because it reduces the amount of route information propagated through a specific AS. But it also means that manual redistribution can sometimes be required between different ASs as a result. Because metrics play a big role in choosing between the five possible factors to be evaluated when choosing the best possible route, it’s important that all EIGRP neighbors agree on how a specific route is chosen. This is vital because the calculations on one router depend upon the calculations of its neighbors.

Hellos between EIGRP routers are set to 5 seconds by default. Another timer that’s related to the hello timer is the hold timer. The hold timer determines the amount of time a router is willing to wait to get a Hello from a neighbor before declaring it dead. Once a neighbor is declared dead, it’s removed from the neighbor table and all routes that depended upon it are recalculated. Interestingly, the hold timer configuration doesn’t determine how long a router waits before it declares neighbors dead; it establishes how long the router will tell others to wait before they can declare it dead. This means that the hold timers on neighboring routers don’t need to match because they only tell the others how long to wait.

The only time EIGRP advertises its entire information is when it discovers a new neighbor and forms a relationship or adjacency with it by exchanging Hello packets. When this happens, both neighbors then advertise their complete information to one another. After each has learned its neighbor’s routes, only changes to the routing table will be propagated.

During each EIGRP session running on a router, a neighbor table is created in which the router stores information about all routers known to be directly connected neighbors. Each neighboring router’s IP address, hold time interval, smooth round-trip timer (SRTT), and queue information are all kept in this table. It’s an important reference used to establish that topology changes have occurred that neighboring routers need to know about.
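The three adjacency conditions, the hold timer’s “tell the others how long to wait” semantics, and the neighbor table all fit into one small model. The following added example (not from the book) simulates a router receiving Hellos: a Hello is accepted only when the AS number and K values match, each accepted neighbor is stored with the hold time that neighbor advertised, and a neighbor is declared dead when its own advertised hold time elapses without a Hello, so two neighbors with different hold times expire at different moments. The Hello field layout, the addresses and AS numbers are constructed; the default K values (1,0,1,0,0) and 15-second hold time are not stated on this page and are assumed from Cisco defaults.

```python
"""EIGRP neighbor adjacency and hold-timer model (added example, not from the book)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Hello:
    """The Hello fields this simplified model checks (constructed layout, not the wire format)."""
    sender: str                                # neighbor's interface IP address
    asn: int                                   # autonomous system number
    k_values: Tuple[int, int, int, int, int]   # K1..K5 metric weights
    hold_time: int                             # seconds the SENDER asks us to wait before declaring it dead


@dataclass
class NeighborEntry:
    address: str
    hold_time: int              # as advertised by the neighbor, not our own setting
    last_hello: float           # time of the last Hello we received from it
    srtt_ms: Optional[float] = None   # placeholder for the SRTT the real table keeps


class EigrpRouter:
    def __init__(self, asn: int, k_values=(1, 0, 1, 0, 0), hello: int = 5, hold: int = 15):
        self.asn = asn
        self.k_values = tuple(k_values)     # assumed Cisco default K values
        self.hello_interval = hello         # 5 s default, per the text
        self.hold_time = hold               # what WE advertise to neighbors (assumed 15 s default)
        self.neighbors: Dict[str, NeighborEntry] = {}

    def can_form_adjacency(self, hello: Hello) -> Tuple[bool, str]:
        """Apply the conditions: Hello received, AS numbers match, identical K values."""
        if hello.asn != self.asn:
            return False, f"AS mismatch: ours {self.asn}, theirs {hello.asn}"
        if hello.k_values != self.k_values:
            return False, f"K-value mismatch: ours {self.k_values}, theirs {hello.k_values}"
        return True, "Hello accepted"

    def receive_hello(self, hello: Hello, now: float) -> bool:
        """Add or refresh the neighbor-table entry; return False if the Hello is rejected."""
        ok, _ = self.can_form_adjacency(hello)
        if not ok:
            return False
        entry = self.neighbors.get(hello.sender)
        if entry is None:
            self.neighbors[hello.sender] = NeighborEntry(hello.sender, hello.hold_time, now)
        else:
            entry.hold_time, entry.last_hello = hello.hold_time, now
        return True

    def expire_neighbors(self, now: float) -> List[str]:
        """Remove neighbors whose ADVERTISED hold time has elapsed without a Hello."""
        dead = [a for a, e in self.neighbors.items() if now - e.last_hello > e.hold_time]
        for address in dead:
            del self.neighbors[address]   # routes learned through it would now be recalculated
        return dead


def demo():
    """Constructed scenario: two good neighbors with different hold times, two rejected peers."""
    r = EigrpRouter(asn=20)
    a = Hello("10.1.1.2", 20, (1, 0, 1, 0, 0), hold_time=15)
    b = Hello("10.1.1.3", 20, (1, 0, 1, 0, 0), hold_time=30)   # asymmetric hold is allowed
    wrong_as = Hello("10.1.1.4", 30, (1, 0, 1, 0, 0), hold_time=15)
    wrong_k = Hello("10.1.1.5", 20, (1, 1, 1, 0, 0), hold_time=15)
    accepted = [r.receive_hello(h, now=0.0) for h in (a, b, wrong_as, wrong_k)]
    # Both good neighbors then go silent: A (hold 15) dies by t=20, B (hold 30) only by t=35.
    dead_at_20 = r.expire_neighbors(now=20.0)
    dead_at_35 = r.expire_neighbors(now=35.0)
    return accepted, dead_at_20, dead_at_35, sorted(r.neighbors)


if __name__ == "__main__":
    print(demo())
```

The point to notice is in expire_neighbors: the router never consults its own hold_time there. Its own setting only travels outward in the Hellos it sends, which is why neighboring routers can run different hold timers without breaking the adjacency.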

To sum this all up, remember that EIGRP routers receive their neighbors’ updates and store them in a local topology table that contains all known routes from all known neighbors and serves as the raw material from which the best routes are selected.

Let’s define some terms before we move on:

Reported/advertised distance (RD/AD)  This is the metric of a remote network, as reported by a neighbor. It’s also the routing table metric of the neighbor and is the same as the second number in parentheses as displayed in the topology table. The first number is the administrative distance, and I’ll discuss more about these values in a minute. In Figure 17.2, routers SF and NY are both advertising the path to network 10.0.0.0 to the Corp router, but the cost through SF to network 10.0.0.0 is less than NY.


