Friday, February 28, 2014

IP Routing, Switching Paths, Static Routing.

Lessons Learned:

IP Routing Overview
Three main steps:

-Routing – find the outgoing interface

-Switching – move the packet between interfaces

-Encapsulation – build the layer 2 header

Regardless of what you’re running, the router will always go through a three-step process internally when it’s moving packets between interfaces.

First, when a router receives an IP packet, it’s going to look at the destination address to find the outgoing interface.

This is the routing process’s job (RIB, CEF or FIB). Once the decision is made about where to send the packet, it’s out of the routing process’s hands.

The second step of this three-step process is the switching path – where the router actually moves the packet between the interfaces.

Note: there is a separation between the routing process and the switching process. The switching process is controlled by CEF or the fast switching process; this is where you could define load balancing, etc. It is also where it is decided whether the router has to use its general CPU to move traffic between interfaces, or whether the forwarding table is used globally or at the line card/port level.

Third – the encapsulation process. This is where the router actually builds the layer 2 header. The main difference between the L2 switching process and a layer 3 routing process is that a layer 3 router rebuilds the L2 encapsulation on a hop-by-hop basis. This process allows a packet to be received on a Frame Relay interface and then forwarded out an Ethernet interface.

All devices L3 and above will be rebuilding the L2 header on a hop-by-hop basis.

The routing process:

-Find the longest match

When the router receives an L3 packet, it first looks at the destination address. It then does a lookup against the routing table or the forwarding table to find the entry with the most number of BITS in common with the destination of the packet.

EX: route for network

# sh ip route – the router will choose this path because it’s the longest match: the most number of bits in common between the routing entry and the destination.

Note: for the longest match, a /32 host route would be the longest, as compared to the default route – the last-ditch effort.

Note: this is also independent of the AD (administrative distance) or the metric.

Recurse to the outgoing interface.

What is the outgoing interface and next-hop value associated with the route?

Note: if the router has to look up the destination more than one time, this is a recursive lookup.

Once the routing process has made its decision on the longest match and the outgoing interface, the process is done.

The packet is then sent to the switching process whose job is to move the packet over to the next or exit interface.

Multiple longest matches:

If there are multiple longest matches for a destination, the router needs to choose which to use. It can also use some sort of load-balancing mechanism.

Where do the same longest matches come from?

-Same protocol (EX: EIGRP)

--choose the lowest metric – this is used if the same longest matches are coming from the same routing protocol.

-Different protocols (EX: EIGRP vs OSPF)

--choose the lowest administrative distance – this is used if the longest matches are coming from different routing protocols.

Distance values:

Internal  Routes:

1. Connected link – distance = 0. The router will ALWAYS prefer this – there’s no way to preempt a connected link for ANY destination.

2. Static route – distance = 1

3. EIGRP summary route – distance = 5 (ip summary-address at the link level of a router)

4. EIGRP – distance = 90

5. OSPF – distance = 110

6. RIP – distance = 120

7. EIGRP external routes – distance = 170

Distance values:

External  Routes:

eBGP – distance = 20

iBGP – distance = 200

So a manually configured static route will always be preferred over any dynamically learned info.

From an external routing perspective, the router will always prefer any external BGP derived route over any IGP’s.

Note: If you’re learning the route from BGP it means the route is not part of your own autonomous system. If it was part of your own AS – the route should be learned from your own IGP.

The switching process:

Moves the packet between interfaces.

-process, fast, CEF, etc.

-where load balancing occurs.


# ip cef

# (no) ip route-cache (turns the process on or off at the interface level)

# (no) ip mroute-cache (for multicast switching)


# sh ip interface

# sh ip cef (address) (detail)

# sh ip cef exact-route (source) (destination) – can be useful for load distribution across multiple interfaces; helps find the outgoing interface if the routing protocol is offering two equal-cost paths.

CEF switching should be the default switching on almost all platforms. CEF is preferred because it has a faster internal lookup process.

CEF lookups are deterministic – CEF internally divides its lookups into 4 different tables, based on the hierarchy of IPv4 addressing. This is because IPv4 has four different octets: A.B.C.D.

Within the scope of the CEF process there is an internal data structure that represents each Octet.

For example:

Octet A: there are 255 child entries that go from 1 – 255. And so on for each octet.

What this means from the CEF table’s point of view when trying to figure out the outgoing interface: the process has to do 4 individual lookups, one under each octet and its child object.

In the CEF process the table is always pre-calculated – the cache is built from the routing protocols and longest-match information. Note: on larger-scale gear like the 6500, the CEF or FIB table actually runs at the line card level. This means there’s no need to forward to the routing process on the SUP; the packet can be sent immediately and doesn’t need to reference the central copy of the CEF table.


# sh ip cache

R1#sh ip cache

IP routing cache 0 entries, 0 bytes

   0 adds, 0 invalidates, 0 refcounts

Minimum invalidation interval 2 seconds, maximum interval 5 seconds,

   quiet interval 3 seconds, threshold 0 requests

Invalidation rate 0 in last second, 0 in last 3 seconds

Last full cache invalidation occurred 00:26:33 ago

R1#sh ip cef

Prefix              Next Hop             Interface
                    drop                 Null0 (default route handler entry)
                    drop
                    receive
                    drop
                    drop
                    receive
                    drop
                    receive


Process switching – the entire lookup is done all at once from a top-down perspective. It depends on how many entries are in the routing table and the order they’re configured in – the router has to look through all the entries, and this happens on a per-packet basis.

Fast switching – once the router has found the outgoing interface, it keeps a caching table (route cache) that has the interface mappings. This is driven by the data plane, because we don’t have an entry until a packet is sent to a particular destination.

Note: the router will process switch (the process uses the router’s local CPU) locally originated or locally destined traffic. Any transit traffic (packets coming in one interface and going out another) will go to the CEF process by default.

The encapsulation Process:

Build the layer 2 header

Multipoint interfaces require L3-to-L2 resolution. The router will ALWAYS have to do an L3-to-L2 resolution.

-Ethernet: # sh arp

-Frame Relay: # sh frame-relay map

Point-to-point interfaces (PPP sub-interfaces, PPP or HDLC links, etc.) do not have to go through the L3-to-L2 resolution, because the same L2 address is used for every destination reachable out the link.

Note: By definition PPP is a point to point protocol.

Routing to a Next-Hop:

When you route to a next-hop value, this means the router doesn’t know the outgoing interface to a destination.

If the router cannot find the next hop, the route cannot be installed in the forwarding table. Once the router finds the next-hop interface it will need to do a layer 3 to layer 2 resolution on the next-hop value.

Recurse to the interface –

If multipoint, resolve L2 address of next-hop


# ip route

-find interface for

-if multipoint, find L2 address of

Routing to a Multipoint interface

-recursion not required

-resolve L2 address for final destination

….Ethernet Proxy-arp

….NBMA Mappings


-ip route FastEthernet 0/0

-find layer 2 address of

Note: in this case the router doesn’t need to do a lookup because it already knows the exit interface is Fa0/0. What it does not know is the L2 neighbor on the link – this is not a good idea on multipoint interfaces.

Routing to a Point-to-Point interface

-recursion NOT required

-L2 resolution not required

EX: ip route Serial 0/0.1

Note: you should only point a route to an interface on a P2P link, because no recursion or L2 lookup is required for this type of link.
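To tie the routing steps above together (longest match, then administrative distance, then metric, the per-octet CEF tables, and recursion from a next hop to the exit interface), here is an added Python model; it is not IOS code or anything from the original notes, and every prefix, next hop and interface name in it is made up.

```python
"""Constructed model of this page's routing process: longest match, then lowest
AD, then lowest metric (ties kept as equal-cost paths), a CEF-style FIB with one
table per octet, and recursion from a next hop to the exit interface."""
import ipaddress
from collections import defaultdict

# RIB candidates: (prefix, protocol, administrative distance, metric, next hop).
# A next hop is either an exit interface or an IP address that needs recursion.
RIB = [
    ("192.0.2.0/24",    "connected",  0,    0, "FastEthernet0/0"),
    ("198.51.100.1/32", "static",     1,    0, "Serial0/0.1"),   # route to a p2p interface
    ("0.0.0.0/0",       "ebgp",      20,    0, "198.51.100.1"),  # recursive next hop
    ("10.0.0.0/8",      "eigrp",     90, 3072, "192.0.2.1"),
    ("10.0.0.0/8",      "ospf",     110,   20, "192.0.2.2"),     # same prefix, loses on AD
    ("10.16.0.0/12",    "rip",      120,    1, "192.0.2.5"),     # prefix ends mid-octet
    ("10.1.0.0/16",     "ospf",     110,   20, "192.0.2.2"),
    ("10.1.0.0/16",     "ospf",     110,   20, "192.0.2.3"),     # equal AD and metric: ECMP
    ("10.1.0.0/16",     "ospf",     110,   30, "192.0.2.4"),     # same protocol, loses on metric
    ("10.1.2.3/32",     "static",     1,    0, "192.0.2.9"),     # host route: longest possible
    ("172.16.0.0/16",   "static",     1,    0, "172.16.0.1"),    # next hop recurses to itself
]

def select_routes(rib):
    """Per prefix: lowest AD wins between protocols, then lowest metric within
    a protocol; whatever still ties is kept for load balancing."""
    by_prefix = defaultdict(list)
    for prefix, _proto, ad, metric, nh in rib:
        by_prefix[prefix].append((ad, metric, nh))
    selected = {}
    for prefix, cands in by_prefix.items():
        best_ad = min(c[0] for c in cands)
        cands = [c for c in cands if c[0] == best_ad]
        best_metric = min(c[1] for c in cands)
        selected[prefix] = sorted(c[2] for c in cands if c[1] == best_metric)
    return selected

class Node:
    """One table per octet: children keyed by that octet's value (0-255)."""
    __slots__ = ("children", "route")

    def __init__(self):
        self.children = {}
        self.route = None  # (prefix length, prefix, next hops) ending at this octet

def build_fib(selected):
    """Pre-calculate the four-level structure from the selected routes."""
    root = Node()
    for prefix, nexthops in selected.items():
        net = ipaddress.ip_network(prefix)
        octets = net.network_address.packed
        full, rem = divmod(net.prefixlen, 8)
        node = root
        for i in range(full):  # one table per complete octet
            node = node.children.setdefault(octets[i], Node())
        if rem == 0:
            targets = [node]
        else:  # a partial octet covers a run of child slots in the next table
            base = octets[full] & (0xFF << (8 - rem)) & 0xFF
            targets = [node.children.setdefault(v, Node())
                       for v in range(base, base + (1 << (8 - rem)))]
        for t in targets:  # the longer prefix always wins a slot
            if t.route is None or t.route[0] < net.prefixlen:
                t.route = (net.prefixlen, prefix, nexthops)
    return root

def lookup(root, dst):
    """At most four lookups, one per octet; the deepest hit has the most bits in common."""
    node, best = root, root.route
    for octet in ipaddress.ip_address(dst).packed:
        node = node.children.get(octet)
        if node is None:
            break
        if node.route is not None:
            best = node.route
    return None if best is None else (best[1], best[2])

def is_ip(nexthop):
    """False for an interface name such as Serial0/0.1."""
    try:
        ipaddress.ip_address(nexthop)
        return True
    except ValueError:
        return False

def resolve(root, dst, depth=0):
    """Recurse until an exit interface is found. Returns [(interface, adjacent next-hop
    IP or None)]; an empty list means the route cannot be installed (no next hop,
    or a recursion that never reaches an interface)."""
    match = lookup(root, dst)
    if match is None or depth > 8:
        return []
    paths = []
    for nh in match[1]:
        if not is_ip(nh):  # already an interface: recursion not required
            paths.append((nh, None))
            continue
        for iface, ip in resolve(root, nh, depth + 1):
            paths.append((iface, ip if ip is not None else nh))
    return paths
```

On a multipoint exit interface the adjacent IP that `resolve` returns is the address the router would still have to resolve to an L2 address (ARP or a frame-relay map); on the p2p interface it is not needed.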

Monday, February 24, 2014

Transparent Bridging:

Lessons Learned:


IOS can route or bridge a protocol, not both at the same time.

-Router – IP routed by default

-Switch – IP bridged by default


Transparent bridging is subject to normal STP rules.

-only one active path

-root bridge election

-root port election

-designated port election


Configuring Transparent bridging

Disable IP routing (if bridging IP)

-no ip routing


Configure transparent bridge group

-bridge 1 protocol ieee


Apply bridge group to the interface

-bridge-group 1


Static resolution over multipoint NBMA

-frame-relay map bridge (as opposed to frame-relay map ip)




Once configured you can issue:

# sh bridge 1

(with 1 being the vlan) – this would be the same as showing the MAC address table on a switch.


# sh bridge 1 group

Shows the interfaces that are running the STP process.


# sh spanning-tree 1

Will show the detailed output for the STP path selection. Same as # sh spanning-tree vlan detail, etc.


Make sure to disable IP routing.



Integrated routing and bridging:

In the bridge domain, IRB creates what is known as the BVI, which is used to bridge traffic between bridged interfaces and route traffic between the bridge and routed interfaces. When IRB is on, you can support both routing and bridging on the same interfaces.



IRB allows you to route & bridge the same protocol stack on the same interface.

Uses a BVI to connect the bridged domain and the routed domain.

-same principle as an SVI on a Catalyst.



Configure bridge group:

bridge 1 protocol ieee

bridge-group 1

Enable IRB (globally):
-bridge irb

Enable routing and bridging for the bridge & routing domain:

bridge 1 bridge ip

bridge 1 route ip

Configure the BVI to connect the bridged & routed domains



Sunday, February 23, 2014


Lessons learned:

One of the reasons to run PPP over an interface is to be able to take advantage of features like authentication, multilink, etc. on interfaces that do not normally support these options.

PPP over Frame Relay

Order of operations:
Any time in PPP that you’re referencing a virtual-template interface or a dialer interface, you’ll need to make sure to create the interface before you bind it to any process. If applied in the wrong sequence – even though the config is correct – it may not work correctly.

Note: MAKE sure to always configure the logical interfaces before you bind them to the physical link.

Define PPP Interface:
-interface virtual-template (num)

Apply logical options:
-Authentication, Multilink, IP Addressing, etc.

Assign DLCI:
-frame-relay interface-dlci (dlci) ppp virtual-template (num)



Configure basic frame-relay between two routers.


interface Serial0/0
 ip address
 encapsulation frame-relay
 clock rate 2000000


interface Serial0/0
 ip address
 encapsulation frame-relay
 clock rate 2000000

Verify the FR mapping – we need to verify layer 1 and 2 reachability. That way, once we configure PPP on top, if there are any issues we’ll know it’s PPP related and not basic connectivity.

R1#sh frame-relay map
Serial0/0 (up): ip dlci 120(0x78,0x1C80), dynamic,
              broadcast, status defined, active

Serial0/0 (up): ip dlci 210(0xD2,0x3420), dynamic,
              broadcast, status defined, active

Now let’s remove the IP addresses from the serial interfaces. The link level is going to run PPP and not IP. The IP header will be carried inside the PPP encapsulation.

Next configure the virtual template.
Note: a virtual template is always a PPP encapsulated link.

We can verify this by:

R1#sh interfaces virtual-template 1
Virtual-Template1 is down, line protocol is down
  Hardware is Virtual Template interface
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Closed, loopback not set

Next we need to configure the virtual interface

R1(config)#interface virtual-template 1
R1(config-if)#ip add
R1(config-if)#ip address

Then under the serial interface add the virtual-template:

interface Serial0/0
 no ip address
 encapsulation frame-relay
 clock rate 2000000
 frame-relay interface-dlci 102 ppp Virtual-Template1

interface Serial0/0
 no ip address
 encapsulation frame-relay
 clock rate 2000000
 frame-relay interface-dlci 210 ppp Virtual-Template1

If the config is working, when we show ip int brief we should see that the virtual-template is down, but the virtual-access – which is the virtual instance of the PPP session – is up.

R1#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES unset  administratively down down   
Serial0/0                  unassigned      YES manual up                    up     
FastEthernet0/1            unassigned      YES unset  administratively down down   
Serial0/1                  unassigned      YES unset  administratively down down   
Virtual-Access1            unassigned      YES unset  down                  down   
Virtual-Template1        YES manual down                  down   
Virtual-Access2          YES TFTP   up                    up     

We can now even see an instance in the routing table

R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set is variably subnetted, 2 subnets, 2 masks
C is directly connected, Virtual-Access2
C is directly connected, Virtual-Access2


Note: this logic is also used for Multilink PPP interfaces, except the IP address would go on the Multilink interface and not the virtual-template.


PPP over Ethernet Server:
The first part is to configure the server, the device that will be aggregating multiple sessions.

Basically from a DSL point of view, the modems going to the access layer are the clients. Then the upstream links – normally ATM PVCs – to the DSLAM are aggregated to the PPPoE server.

Define PPP interface:
-interface virtual-template (num)

Apply logical options:
-authentication, multilink IP address…..

Define BBA group:
-bba-group pppoe (name | global)
-virtual-template (num)

Bind to link:
-pppoe enable group (name | global)

Note: Once again before you configure PPP, make sure you have basic connectivity to the neighbors.

R1 (PPPoE SVR)-------------R2 (PPPoE Client)

Server –
Define the virtual-template and logical options on the virtual-template.
Define the BBA group – to bind at the interface level.

Config Virt Int:

R1(config)#interface virtual-template 1
R1(config-if)#ip address

Remove the IP from the physical interface:

Define BBA group:
R1(config)#bba-group pppoe group1
*Mar  1 00:07:27.351: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Mar  1 00:07:28.351: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up

Apply the virt-template:
R1(config-bba-group)#virtual-template 1

Then under the physical interface – enable PPPoE and apply the group:
R1(config-bba-group)#int fa0/0
R1(config-if)#pppoe enable group 1

Then we need to configure the client. The client uses dial-in logic, where we need to use the Dialer interface. This implies that we need to either configure interesting traffic (ACL) to control what is actually going to initiate the PPPoE call, or use the dialer persistent feature – which basically says keep the interface always up.

Define PPP interface:
-interface dialer (num)
-encapsulation ppp
-dialer pool (pool)
-dialer group | dialer persistent

Apply Logic options:

Bind to Link:

Note: Dialer interfaces by default do not run PPP – they run HDLC.

R2(config)#interface dialer 1
R2(config-if)#encapsulation ppp
R2(config-if)#ip address
R2(config-if)#dialer pool 2
R2(config-if)#dialer persistent

Then at the interface level –

R2(config-if)#no ip address
R2(config-if)#pppoe-client dial-pool-number 2 (this matches the dialer pool on the dialer interface)

Putting it all together:

interface Virtual-Template1
 ip address

bba-group pppoe group1
 virtual-template 1

interface FastEthernet0/0
 no ip address
 speed 100
 pppoe enable group group1

R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set is variably subnetted, 2 subnets, 2 masks
C is directly connected, Virtual-Access2.1
C is directly connected, Virtual-Access2.1


interface FastEthernet0/0
 no ip address
 speed 100
 pppoe enable
 pppoe-client dial-pool-number 2

interface Dialer1
 ip address
 encapsulation ppp
 dialer pool 2
 dialer idle-timeout 0
 dialer persistent

PPP, PPP PAP Authentication, PPP CHAP Authentication.

Lessons learned:

PPP (point-to-point protocol)

Media-independent encapsulation – also very lightweight
-serial, Ethernet, Frame Relay, ATM.
-encapsulation ppp
Adds features that other layer 2 media don’t natively support.

Note: Ethernet doesn’t support authentication, fragmentation or multilinking of other interfaces together, outside of the EtherChannel features on switches.

With PPP, you could take an Ethernet interface, a multilink interface or an ATM interface and multilink them all together, basically using the layer 2½ features that ride between the physical framing and the upper layer protocols.

PPP Negotiation:
Once enabled on the interface, the interface will go through LCP (Link Control Protocol) to negotiate higher layer protocols as well as authentication, MTU, etc.
-internet protocol control protocol (IPCP)
-CDPCP, etc.

Can be used to negotiate:
-address assignment – in IPv4
-routing information – if both ends are not on the same subnet. This feature is also known as the PPP peer neighbor route.

-debug ppp negotiation
Will tell if there are any authentication issues, MTU errors or IP address assignments.

Config PPP:

R1 -------------------------R2
Both routers have Serial 0/0 connected together.

interface Serial0/0
 ip address
 encapsulation ppp

interface Serial0/0
 ip address
 encapsulation ppp
 clock rate 64000


Note: PPP by default will learn the address assigned to the neighbor and put an exact match host route pointing to the neighbor interface.

Gateway of last resort is not set is variably subnetted, 2 subnets, 2 masks
C is directly connected, Serial0/0
C is directly connected, Serial0/0

Verify via debug ppp negotiation.
Then shut down the serial 0/0 interface.

%LINK-5-CHANGED: Interface Serial0/0, changed state to administratively down
*Mar  1 00:11:41.959: Se0/0 PPP: Sending Acct Event[Down] id[4]
*Mar  1 00:11:41.959: Se0/0 CDPCP: State is Closed
*Mar  1 00:11:41.963: Se0/0 IPCP: State is Closed
*Mar  1 00:11:41.963: Se0/0 PPP: Phase is TERMINATING
*Mar  1 00:11:41.967: Se0/0 LCP: State is Closed
*Mar  1 00:11:41.967: Se0/0 PPP: Phase is DOWN
*Mar  1 00:11:41.967: Se0/0 IPCP: Remove route to

Then no shut the interface:
This shows the individual steps the neighbors go through in the negotiation.

R2(config-if)#no shutdown
*Mar  1 00:12:10.159: Se0/0 PPP: Outbound cdp packet dropped
*Mar  1 00:12:12.151: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
*Mar  1 00:12:12.155: Se0/0 PPP: Using default call direction ( This says this is a dedicated line, no call direction)
*Mar  1 00:12:12.155: Se0/0 PPP: Treating connection as a dedicated line

Note: PPP doesn’t care about this as much as an analog call would.

*Mar  1 00:12:12.155: Se0/0 PPP: Session handle[D4000003] Session id[3]

*Mar  1 00:12:12.159: Se0/0 PPP: Phase is ESTABLISHING, Active Open – the next stage is OPEN; you can see the next lines start the LCP negotiations.

*Mar  1 00:12:12.159: Se0/0 LCP: O CONFREQ [Closed] id 3 len 10
*Mar  1 00:12:12.159: Se0/0 LCP:    MagicNumber 0x01388022 (0x050601388022)

Next is the PPP MagicNumber, which is a sequence number.

*Mar  1 00:12:12.255: Se0/0 LCP: I CONFREQ [REQsent] id 19 len 10
*Mar  1 00:12:12.255:

R2(config-if)# Se0/0 LCP:    MagicNumber 0x0038860A (0x05060038860A)
*Mar  1 00:12:12.259: Se0/0 LCP: O CONFACK [REQsent] id 19 len 10

Here router 2 sends an outbound request -

*Mar  1 00:12:12.259: Se0/0 LCP:    MagicNumber 0x0038860A (0x05060038860A)
*Mar  1 00:12:12.259: Se0/0 LCP: I CONFACK [ACKsent] id 3 len 10

Here router 1 responds with an ACK response, and it’s OK to use the sequence number.

*Mar  1 00:12:12.259: Se0/0 LCP:    MagicNumber 0x01388022 (0x050601388022)
*Mar  1 00:12:12.263: Se0/0 LCP: State is Open
*Mar  1 00:12:12.263: Se0/0 PPP: Phase is FORWARDING, Attempting Forward
*Mar  1 00:12:12.267: Se0/0 PPP: Phase is ESTA

You would also see any auth protocol types negotiated here; the devices would not proceed to the next phase if they can’t agree.

R2(config-if)#BLISHING, Finish LCP

Here the devices have finished the negotiation and are moving on to the upper layer protocols.

*Mar  1 00:12:12.267: Se0/0 PPP: Phase is UP
*Mar  1 00:12:12.271: Se0/0 IPCP: O CONFREQ [Closed] id 1 len 10
*Mar  1 00:12:12.271: Se0/0 IPCP:    Address (0x03060D000002)

Here router 2 says I’m running IP and here’s my address.

*Mar  1 00:12:12.271: Se0/0 CDPCP: O CONFREQ [Closed] id 1 len 4
*Mar  1 00:12:12.275: Se0/0 PPP: Process pending ncp packets
*Mar  1 00:12:12.303: Se0/0 IPCP: I CONFREQ [REQsent] id 1 len 10
*Mar  1 00:12:12.303: Se0/0 IPCP:    Address (0x03060D000001)

Here router 1 says I’m also running IP and here is my IP

*Mar  1 00:12:12.307: Se0/0 IPCP: O CO
R2(config-if)#NFACK [REQsent] id 1 len 10
*Mar  1 00:12:12.307: Se0/0 IPCP:    Address (0x03060D000001)
*Mar  1 00:12:12.307: Se0/0 IPCP: I CONFACK [ACKsent] id 1 len 10
*Mar  1 00:12:12.307: Se0/0 IPCP:    Address (0x03060D000002)
*Mar  1 00:12:12.311: Se0/0 IPCP: State is Open
*Mar  1 00:12:12.311: Se0/0 CDPCP: I CONFREQ [REQsent] id 1 len 4
*Mar  1 00:12:12.311: Se0/0 CDPCP: O CONFACK [REQsent] id 1 len 4
*Mar  1 00:12:12.319: Se0/0 IPCP: Install route to

They have successfully negotiated IPv4 and will now install a host route. PPP is now done and the line protocol comes up.

*Mar  1 00:12:13.267: %LINE
R2(config-if)#PROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
*Mar  1 00:12:14.259: Se0/0 CDPCP: Timeout: State ACKsent
*Mar  1 00:12:14.259: Se0/0 CDPCP: O CONFREQ [ACKsent] id 2 len 4
*Mar  1 00:12:14.263: Se0/0 CDPCP: I CONFACK [ACKsent] id 2 len 4
*Mar  1 00:12:14.263: Se0/0 CDPCP: State is Open

Note: you can also send the logging to the buffer instead of the console and increase the buffer size. Then just issue the sh log command to view the logs.
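As an added example (not part of the original notes), here is a small Python decoder for the option bytes that the debug lines above print in parentheses; it assumes the TLV layouts from the PPP RFCs (LCP Magic-Number type 5, IPCP IP-Address type 3, LCP Authentication-Protocol type 3 with 0xC023 = PAP and 0xC223 = CHAP), the sample lines are the ones quoted from this capture, and the two authentication options at the end are constructed because the capture predates the authentication config later on this page.

```python
"""Decoder for the option bytes that 'debug ppp negotiation' prints in parentheses.
Added example, not IOS code; layouts follow the PPP RFCs (LCP: RFC 1661, IPCP:
RFC 1332, PAP: RFC 1334, CHAP: RFC 1994)."""
import re
import struct

LCP_OPTIONS = {1: "MRU", 2: "ACCM", 3: "Authentication-Protocol", 5: "Magic-Number"}
IPCP_OPTIONS = {3: "IP-Address"}
AUTH_PROTOCOLS = {0xC023: "PAP", 0xC223: "CHAP"}

# Either a packet header ("O CONFREQ [Closed] id 3 len 10") or an option line
# that ends with the raw option bytes in parentheses.
LINE_RE = re.compile(
    r"(?P<proto>LCP|IPCP):\s+(?:"
    r"(?P<dir>[IO]) (?P<code>CONF\w+) \[(?P<state>\w+)\] id (?P<id>\d+)"
    r"|(?P<opt>\w+).*\(0x(?P<hex>[0-9A-Fa-f]+)\))"
)

def decode_option(proto, hexstr):
    """Decode one Type-Length-Value option into (name, value); raises on a bad length."""
    raw = bytes.fromhex(hexstr)
    if len(raw) < 2 or raw[1] != len(raw):
        raise ValueError("option length byte does not match %s" % hexstr)
    typ, val = raw[0], raw[2:]
    if proto == "IPCP" and typ == 3 and len(val) == 4:
        return "IP-Address", ".".join(str(b) for b in val)
    if proto == "LCP" and typ == 5 and len(val) == 4:
        return "Magic-Number", "0x%08X" % struct.unpack("!I", val)[0]
    if proto == "LCP" and typ == 3 and len(val) >= 2:
        number = struct.unpack("!H", val[:2])[0]
        name = AUTH_PROTOCOLS.get(number, "0x%04X" % number)
        if number == 0xC223 and len(val) == 3 and val[2] == 5:
            name += "/MD5"  # CHAP carries its algorithm byte; 5 is MD5
        return "Authentication-Protocol", name
    table = LCP_OPTIONS if proto == "LCP" else IPCP_OPTIONS
    return table.get(typ, "type-%d" % typ), val.hex()

def parse_debug(text):
    """Group debug lines into packets: {proto, dir, code, id, options}."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        if m.group("code"):
            packets.append({"proto": m.group("proto"), "dir": m.group("dir"),
                            "code": m.group("code"), "id": int(m.group("id")),
                            "options": []})
        elif packets and packets[-1]["proto"] == m.group("proto"):
            packets[-1]["options"].append(decode_option(m.group("proto"), m.group("hex")))
    return packets

# Lines quoted from the page's capture.
SAMPLE = """\
*Mar  1 00:12:12.159: Se0/0 LCP: O CONFREQ [Closed] id 3 len 10
*Mar  1 00:12:12.159: Se0/0 LCP:    MagicNumber 0x01388022 (0x050601388022)
*Mar  1 00:12:12.271: Se0/0 IPCP: O CONFREQ [Closed] id 1 len 10
*Mar  1 00:12:12.271: Se0/0 IPCP:    Address (0x03060D000002)
*Mar  1 00:12:12.303: Se0/0 IPCP: I CONFREQ [REQsent] id 1 len 10
*Mar  1 00:12:12.303: Se0/0 IPCP:    Address (0x03060D000001)
"""

# Constructed Authentication-Protocol options, as they would appear once
# 'ppp authentication pap' or 'ppp authentication chap' is configured.
CONSTRUCTED_AUTH_PAP = "0304C023"
CONSTRUCTED_AUTH_CHAP = "0305C22305"
```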

So what if router 1 and router 2 are not on the same subnet?

I now remove the IP off router 2 and create a loopback with the IP / 32
Now under the PPP interface, I need to unnumber the interface to the loopback interface:

R2(config)#interface serial 0/0
R2(config-if)#ip unnumbered loopback 0
*Mar  1 00:36:20.011: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up

The idea is that if I have a bunch of serial interfaces that are running PPP, I don’t have to assign them separate addresses.
Now the PPP host route will tell how to get to particular destinations.

I will now do the same on router 1.

interface Serial0/0
 ip unnumbered Loopback0
 encapsulation ppp
 clock rate 2000000


I have also added router 3 with a Loopback IP of
Also encap PPP and unnumbered.

Now I’ll turn on my debug again – this time on router 3:
R3(config)#logging console 7
R3(config)#do term mon
R3#debug ppp negotiation
PPP protocol negotiation debugging is on

Then shut and no shut the other routers’ links….

Now the routing table has routes to all 3 routers but the traffic will be generated from the loopback.
This is because of the IPCP negotiation.

 is subnetted, 1 subnets
C is directly connected, Serial0/0
 is subnetted, 1 subnets
C is directly connected, Loopback1
 is subnetted, 1 subnets
C is directly connected, Serial0/1


PPP Authentication:

Password authentication protocol (PAP)
-clear text username
-clear text password

Challenge handshake authentication protocol (CHAP)
-clear text username
-MD5 hashed password

MS-CHAP / MS-CHAPv2 / EAP / etc….


Note: both username and password are sent in clear text, which means the other end can be completely independent of what I’m using.

PPP auth is a three-step process:

Auth request:
# ppp authentication pap

Auth response:
# no ppp pap refuse
# ppp pap sent-username password
Note: by default the router will have these two commands configured.

Auth acceptance

#debug ppp negotiation
#debug ppp auth

Router 1 wants to auth with router 2:

Router 1 configures its interface for:
# ppp authentication pap
R1 then sends its request.

R2 will then send a response –
It will send ppp pap sent-username and password.

Once R1 gets the response it needs to validate this against something: local DB, AD, etc.
If the username and password match, R1 will respond that auth is fine and can then proceed with higher level protocols.

Note: the ppp authentication pap cmd on R1 is independent of the same cmd on R2: you don’t need to configure this on both sides. As long as the auth is successful one way, that’s all we’re looking for.

R2(config)#interface serial 0/0
R2(config-if)#ppp authentication p
R2(config-if)#ppp authentication pap

Router 1

Needs to configure ppp pap sent-username.

PPP protocol negotiation debugging is on
*Mar  1 01:13:51.539: Se0/0 LCP: Timeout: State Listen
*Mar  1 01:13:51.539: Se0/0 LCP: O CONFREQ [Listen] id 241 len 10
*Mar  1 01:13:51.543: Se0/0 LCP:    MagicNumber 0x0070F2EE (0x05060070F2EE)
*Mar  1 01:13:53.555: Se0/0 LCP: Timeout: State REQsent
*Mar  1 01:13:53.555: Se0/0 LCP: O CONFREQ [REQsent] id 242 len 10
*Mar  1 01:13:53.559: Se0/0 LCP:    MagicNumber 0x0070F2EE (0x05060070F2EE)
*Mar  1 01:13:55.571: Se0/0 LCP: Timeout: State REQsent
*Mar  1 01:13:55.571: Se0/0 LCP: O CONFREQ [REQsent] id 243 len 10
*Mar  1 01:13:55.571: Se0/0 LCP:    MagicNumber 0x0070F2EE (0x05060070F2EE)

Configure PPP sent-username

If using local DB there must be a username match in the local DB

R1(config)#interface serial 0/0
R1(config-if)#ppp pap sent-username ?
R1(config-if)#ppp pap sent-username mike password cisco


Authentication request:
-ppp authentication chap

Auth response:
-no ppp chap refuse

Usernames & passwords:
-global vs interface

-debug ppp negotiation

-debug ppp authentication 
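Added example, not from the original notes: a Python model of the PAP and CHAP three-step exchanges described above, using the mike/cisco credentials from the sent-username command as the constructed local DB, to show what each method puts on the link.

```python
"""Constructed model of the three-step PPP authentication exchanges on this page:
PAP (username and password in clear text) and CHAP (MD5 over id, secret and
challenge, RFC 1994). Added example; not IOS code."""
import hashlib
import hmac
import os

# The authenticator's local database (the "local DB" the page checks against).
# Username and password are the ones typed in the page's sent-username command.
LOCAL_DB = {"mike": b"cisco"}

def pap_request(username, password):
    """Step 2, peer side ('ppp pap sent-username'): both values go on the wire as-is."""
    u, p = username.encode(), password.encode()
    return bytes([len(u)]) + u + bytes([len(p)]) + p

def pap_verify(request):
    """Step 3, authenticator side ('ppp authentication pap'): compare with the local DB."""
    ulen = request[0]
    username = request[1:1 + ulen].decode()
    plen = request[1 + ulen]
    password = request[2 + ulen:2 + ulen + plen]
    return hmac.compare_digest(LOCAL_DB.get(username, b""), password)

def chap_challenge():
    """Step 1, authenticator side ('ppp authentication chap'): random id and challenge."""
    return os.urandom(1)[0], os.urandom(16)

def chap_response(ident, challenge, secret):
    """Step 2, peer side ('no ppp chap refuse'): MD5(id || secret || challenge).
    Only this digest and the username cross the link, never the secret."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def chap_verify(ident, challenge, username, response):
    """Step 3: recompute with the stored secret for that username; equal digest = SUCCESS."""
    secret = LOCAL_DB.get(username)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(ident, challenge, secret), response)

def pap_exchange(username, password):
    """One-way PAP; returns (accepted, bytes an observer on the link would see)."""
    request = pap_request(username, password)
    return pap_verify(request), request

def chap_exchange(username, peer_secret):
    """One-way CHAP; returns (accepted, bytes an observer on the link would see)."""
    ident, challenge = chap_challenge()
    response = chap_response(ident, challenge, peer_secret)
    on_the_wire = bytes([ident]) + challenge + response + username.encode()
    return chap_verify(ident, challenge, username, response), on_the_wire
```

Because the CHAP digest is bound to a fresh challenge, a response copied off the link does not verify against the next challenge, which is the property PAP lacks.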

Advanced STP: MST with multiple regions.

Lessons learned:

MST region is defined by:
-Vlan to instance mapping
-Region name
-Region number

Inter-region path selection uses a CST (common spanning tree)
-intra-region MSTIs are collapsed into a CIST

Note: multiple MST regions are collapsed into a CIST (common internal spanning tree) – this is represented by instance #0

MST is backward compatible with legacy CST (802.1D) and PVST+
Behaves like inter-region MST

CST root MUST be within the MST domain
MST basically spoofs a single CST if doing backwards compatibility, or spoofs an individual instance on a per-VLAN basis

From a PVST perspective, if you have 100 VLANs you’d have 100 instances of STP. When the MST domain talks to the PVST+ domain, MST instance 0 will replicate the same information over and over into the PVST instances.

Basically the root has to be elected within the MST domain; if it is elected in the CST or PVST domain, the interoperability will not work.

Configuration -
It is only best to configure regions in MST in large environments.

On Switch 1 – I have the following config:

My MST region 1 has instances One and Two.  

Switch01#sh run | b spanning-tree
spanning-tree mode mst
spanning-tree extend system-id
spanning-tree mst configuration
 name MST1
 revision 1
 instance 1 vlan 10, 20, 40, 50
 instance 2 vlan 60, 70, 80

For Switch 2:

I’m going to configure a new MST

spanning-tree mst configuration
 name MST2
 revision 2
 instance 3 vlan 10, 20, 40, 50
 instance 4 vlan 60, 70, 80

I will still need the same VLANs overall, because the job of L2 is still to span the broadcast domains.

Switch01#sh spanning-tree mst

Notice now we have what’s known as “Regional Root this switch”:

##### MST0    vlans mapped:   1-9,11-19,21-39,41-49,51-59,61-69,71-79
Bridge        address 000c.303b.ba80  priority      32768 (32768 sysid 0)
Root          address 0003.e347.b900  priority      32768 (32768 sysid 0)
              port    Fa0/1           path cost     200000  
Regional Root this switch
Operational   hello time 2 , forward delay 15, max age 20, txholdcount 6
Configured    hello time 2 , forward delay 15, max age 20, max hops    20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Root FWD 200000    128.1    P2p Bound(STP)
Fa0/24           Desg FWD 200000    128.24   P2p Pre-STD-Rx

Notice on SW2 it says “IST master this switch”. This is the internal STP.

Switch-02#sh spanning-tree mst

###### MST00        vlans mapped:   1-9,11-19,21-39,41-49,51-59,61-69
Bridge      address 0013.60bb.4980  priority  32768 (32768 sysid 0)
Root        address 0003.e347.b900  priority  32768 (32768 sysid 0)
            port    Fa0/24          path cost 400000  
IST master  this switch
Operational hello time 2, forward delay 15, max age 20
Configured  hello time 2, forward delay 15, max age 20, max hops 20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/24           Root FWD 200000    128.24   P2p Bound(RSTP)


Basically with regions you’re collapsing a bunch of switches into one virtual instance. So you could have a thousand switches in each region represented by a single virtual bridge ID for inter-region communication.

This is the region root. Its job is to talk to all the other regions.

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/24           Boun FWD 200000    128.24   P2p Bound(RSTP)

This shows this link is a boundary link that is connecting to another RSTP domain. Since we’re talking from MST to MST, this is an RSTP interaction.

Inside the individual regions, any type of path selection that we do is not going to go outside the region. You cannot change the inter-region path selection on a per-instance basis, for example traffic between VLAN 10 and VLAN 20 from the inter-region perspective.

If you want to modify the path selection inside each region, you need to change the MST cost.

Config between MST and inter-region MST is relatively similar; the key point is the common spanning-tree root, which is for all the regions. It doesn’t matter where it is, it only matters that it’s NOT in the legacy STP domain or the PVST domain.

Advanced STP: Rapid Spanning tree protocol.

Lessons Learned:


Rapid convergence is based on the sync process.
Enabled through:
-spanning-tree mode mst
-spanning-tree mode rapid-pvst

The sync process only occurs on point-to-point non-edge ports.
-implies the link type must be accurate.
-spanning-tree link-type (point-to-point | shared)
-spanning-tree portfast

When you’re running MST or Rapid PVST, the switches use a sync process to agree on who the root bridge is, and which ports should be root ports versus designated, backup or alternate ports.

How the process works:

A device is elected as the root; the root bridge then tells its downstream neighbor that it is the root.
If the downstream neighbor agrees, it immediately transitions that port to root port status and starts forwarding.
Once the downstream switch does that, every other downstream interface on that switch goes into blocking mode.

Once those interfaces are in blocking mode, the downstream switch sends its own proposals downstream to its other neighbors.

It tells the downstream neighbors that it knows a path to the root, so they transition their ports to root ports and send an acknowledgement, the proposal response. Each downstream switch then continues this process.

The key is that we start at the root bridge and work our way down the tree with the proposal and proposal response. This makes the switches agree quickly.

Note: the proposal process will only happen if each switch’s downstream interfaces are point-to-point and non-edge links.

A p2p link essentially means “full-duplex”. If the link negotiates to half-duplex or is plugged into a hub, then it cannot be part of the proposal process.

For non-p2p links, the normal STP algorithm is run.

An edge port in RPVST is the equivalent of a PortFast port in PVST.
If at the edge of the network you do not configure the links as PortFast or edge ports, you will NOT have rapid convergence.

Note: basically the links between the switches are configured as p2p non-edge ports and the end host ports are configured as edge ports.

Configure globally:
# spanning-tree mode rapid-pvst
Note: when you have rapid-pvst on, you don’t need to configure UplinkFast or BackboneFast.
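The proposal/agreement cascade described above, as an added example that is not part of the original post: a small Python simulation that walks the tree from the root outward and shows where a non-p2p link breaks rapid convergence. The switch names, link types, equal link costs, and the rule that the first upstream switch to reach a neighbor becomes its root-port side are all constructed assumptions.

```python
# Added example, not from the original post: a small simulation of the RSTP
# proposal/agreement (sync) cascade described above. The topology and link
# types are constructed, all link costs are assumed equal, and the first switch
# to reach a neighbour is treated as its upstream (root port) side.
from collections import deque

FORWARD_DELAY = 15          # seconds; legacy listening + learning = 2 x this

def rstp_sync(root: str, links: list) -> dict:
    """Walk the tree from the root outward; links are (a, b, "p2p"|"shared").
    Returns {switch: {root_port_to, how ("sync"|"timers"), forwarding_after, blocked}}."""
    nbrs = {}
    for a, b, ltype in links:
        nbrs.setdefault(a, []).append((b, ltype))
        nbrs.setdefault(b, []).append((a, ltype))
    state = {root: {"root_port_to": None, "how": "root", "forwarding_after": 0, "blocked": []}}
    queue = deque([root])
    while queue:
        sw = queue.popleft()
        for nbr, ltype in nbrs.get(sw, []):
            if nbr in state:
                continue                     # already has a root port
            t = state[sw]["forwarding_after"]
            if ltype == "p2p":
                # proposal/agreement: root port forwards immediately, and every
                # other non-edge port on the downstream switch is blocked until
                # that switch has finished its own proposals
                how, after = "sync", t
            else:
                # half-duplex or hub: no sync, fall back to STP timers
                how, after = "timers", t + 2 * FORWARD_DELAY
            others = [p for p, _ in nbrs[nbr] if p != sw]
            state[nbr] = {"root_port_to": sw, "how": how,
                          "forwarding_after": after, "blocked": others}
            queue.append(nbr)
    return state

# Constructed topology: ROOT-A and B-C are full duplex, A-B negotiated to half
# duplex (shared), so rapid convergence stops at A and resumes below B.
LINKS = [("ROOT", "A", "p2p"), ("A", "B", "shared"), ("B", "C", "p2p"),
         ("A", "D", "p2p")]

if __name__ == "__main__":
    for sw, s in rstp_sync("ROOT", LINKS).items():
        print(f"{sw:5} via {str(s['root_port_to']):5} {s['how']:6} "
              f"forwarding after {s['forwarding_after']:>2}s, blocked: {s['blocked']}")
```

Switch C still syncs rapidly with B, but it cannot forward any sooner than B itself, so a single shared link delays the whole subtree beneath it.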

Advanced STP: Multiple Spanning-tree protocol & PVST/PVST+

Lessons Learned:

IEEE 802.1s is the open standard response to PVST and PVST+.
It supports Rapid STP (802.1w).

Note: With RSTP, UplinkFast and BackboneFast are enabled by default.

Instances are separate from VLANs
-PVST+ uses one instance per VLAN
-MST uses definable instances

MST is highly scalable
-switches with the same instances, config revision number, and name form a “region”
-different regions see each other as virtual bridges.

Note: Common STP features are integrated into Rapid STP (UplinkFast, BackboneFast, PortFast, etc.)

The major difference between MST and PVST is that with PVST there is one instance of STP for every VLAN you have.
The issue with PVST is that even if a number of VLANs share the same physical forwarding path, you still need to do a separate root bridge and root port election on a per-instance basis.

MST generally has less overhead than PVST, because you can define which VLANs map to which MST instances.
With MST you have the concept of intra-region versus inter-region scalability.

With intra-region operation, devices share the same instances of MST. This is the VLAN-to-instance mapping; they also share the config revision number and the name. Any switches that share the config revision and name will be in the same region.
Any switches that do not share that information will be in different regions. There will be a different path selection per region.

The goal of MST is that between regions we hide not only the reachability information but also the failure information.
Basically, if a link goes down in one region it will not affect the other regions.

MST Path Selection:

Same election process as CST/PVST
-Root bridge
  Lowest bridge ID (made up of priority / system ID extension / MAC address)
  Priority will be 32768 by default
-Root port
  lowest cost
  lowest upstream BID
  lowest port ID
Note: the lowest port ID will only be used if there are multiple connections to the same upstream bridge.

Changing MST root Bridge election:

Manually change the BID:
spanning-tree mst (instance) priority (value) – lower is better

Use the root bridge macro:
-spanning-tree mst (instance) root (primary | secondary)
-sets the local priority based on the current root bridge

sh spanning-tree mst (instance)
sh spanning-tree root

Note: you are basically replacing the vlan keyword with the mst keyword, and the VLAN number with the MST instance number.

Before you change anything, you need to verify:
What are the instance numbers
What are the VLANs that belong to those instance numbers
What are the config revision numbers and names of the region

Note: the default instance is always going to be zero.

Configuring MST:
From global mode:

Switch01(config)#spanning-tree mst configuration
(define the instance mappings, the name of the region, and the config revision number. These ALL have to match for the switches to be in the same region.)

Note: to find out what features are supported on a specific platform, see the MST features comparison.

Set the required parameters:
Switch01(config-mst)#name MST1
Switch01(config-mst)#revision 1

Next we need to configure the instance mappings: which VLANs the switch has, and which VLANs map to which instance:

Switch01(config-mst)#instance 1 vlan 10,20,40,50
Switch01(config-mst)#instance 2 vlan 60,70,80

Note: any vlan not explicitly listed will fall back to Instance zero.

spanning-tree mst configuration
name MST1
revision 1
instance 1 vlan 10, 20, 40, 50
instance 2 vlan 60, 70, 80

To keep the other switches in the same region, basically copy and paste the config into your other switches.
This will stage the configs until you enable MST.

Enable MST:

Once all switches agree on the configuration then you can enable the configuration by enabling the mode.

From Global mode.
Switch01(config)#spanning-tree mode mst

This must be enabled on all switches in the MST domain.

Note: If you have not configured the MST prerequisites, you’ll most likely get an error like this:

%SPANTREE-3-PRESTD_NEIGH: pre-standard MST interaction not configured (FastEthernet0/24). Please, configure: 'spanning-tree mst pre-standard' on ports connected to MST pre-standard switches.

MST is backwards compatible with CST and PVST.

To verify the MST config:

Switch01#sh spanning-tree mst 1

##### MST1    vlans mapped:   10,20,40,50
Bridge        address 000c.303b.ba80  priority      32769 (32768 sysid 1)   ---- local bridge
Root          this switch for MST1                                          ---- root bridge

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/24           Desg FWD 200000    128.24   P2p Pre-STD-Rx

Notice the cost value: it is more granular to accommodate higher speed interfaces, e.g. Gig and ten GigE.

Note: Rapid STP is automatically enabled when you enable MST. This means ports will transition to either DESG or BLK/ALT much faster than with CST.

Now let’s modify the root bridge. Currently I have Switch01 as the root for MST instance 1. Instead of doing this per VLAN, we’re now going to do it on a per-instance basis.


  Spanning tree enabled protocol mstp
  Root ID    Priority    32769
             Address     000c.303b.ba80
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     000c.303b.ba80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/24              Desg FWD 200000    128.24   P2p Pre-STD-Rx

This can be accomplished two ways:
The legacy way, spanning-tree root primary, or on the other switch we can say
#spanning-tree mst 1 priority (lower #)

  Spanning tree enabled protocol mstp
  Root ID    Priority    4097  - I changed the priority to 4096.
             Address     0013.60bb.4980
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    4097   (priority 4096 sys-id-ext 1)
             Address     0013.60bb.4980
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/24           Desg FWD 200000    128.24   P2p

There’s no root port – because SW2 is not the root.
Note: All VLANs that are not configured in an MST instance will be put into MST instance 0.

Switch-02#sh spanning-tree root

                                        Root Hello Max Fwd
MST Instance           Root ID          Cost  Time Age Dly  Root Port
---------------- -------------------- ------ ----- --- ---  ----------------
MST00            32768 0003.e347.b900 200000    2   20  15  Fa0/24              
MST01             4097 0013.60bb.4980      0    2   20  15                      
MST02            32770 000c.303b.ba80 200000    2   20  15  Fa0/24  


Note: VTP still plays a part in MST. VTP will still advertise the MST instances between the neighbors.
VTP version 3 will advertise the MST instance information if you add or remove a VLAN from an instance. This is available in release 12.33.

Note: The following command shows the instance mappings.

Switch01#sh spanning-tree mst configuration
Name      [MST1]
Revision  1     Instances configured 3

Instance  Vlans mapped
--------  ---------------------------------------------------------------------
0         1-9,11-19,21-39,41-49,51-59,61-69,71-79,81-4094
1         10,20,40,50
2         60,70,80
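An added example, not from the original post or from Cisco IOS: a Python model of the rules in the MST sections above, namely that VLANs not listed in an instance fall back to instance 0 (reproducing the instance 0 mapping in the output just above), that switches only form a region when name, revision and the full mapping match, and that each instance elects its own root by lowest bridge ID (priority plus sys-id-ext, then MAC). The switch names, MACs and priorities mirror the notes but are constructed sample data.

```python
# Added example, not from the original post or from Cisco IOS: models three
# MST rules from the notes above: VLANs not listed in an instance fall back to
# instance 0, switches form a region only when name, revision and mapping all
# match, and each instance elects its own root by lowest bridge ID.
# All switch data here is constructed.

def instance_map(instances: dict, max_vlan: int = 4094) -> dict:
    """{instance: sorted VLAN list}; unlisted VLANs fall back to instance 0."""
    mapped = {i: sorted(v) for i, v in instances.items() if i != 0}
    claimed = {vlan for vlans in mapped.values() for vlan in vlans}
    mapped[0] = [v for v in range(1, max_vlan + 1) if v not in claimed]
    return dict(sorted(mapped.items()))

def vlan_ranges(vlans: list) -> str:
    """Render a VLAN list the way 'show spanning-tree mst configuration' does."""
    out, start, prev = [], None, None
    for v in vlans + [None]:                      # None flushes the last run
        if start is None:
            start = prev = v
        elif v is not None and v == prev + 1:
            prev = v
        else:
            out.append(str(start) if start == prev else f"{start}-{prev}")
            start = prev = v
    return ",".join(out)

def same_region(a: dict, b: dict) -> bool:
    """Region membership: name, revision and the full VLAN-to-instance map must match."""
    return (a["name"] == b["name"] and a["revision"] == b["revision"]
            and instance_map(a["instances"]) == instance_map(b["instances"]))

def bridge_id(bridge: dict, instance: int) -> tuple:
    """BID = (priority + sys-id-ext, MAC); in MST the sys-id-ext is the instance number."""
    pri = bridge["priority"].get(instance, 32768) + instance
    return pri, int(bridge["mac"].replace(".", ""), 16)

def elect_root(bridges: list, instance: int) -> tuple:
    """Lowest BID wins (priority first, MAC breaks ties). Returns (host, shown priority)."""
    winner = min(bridges, key=lambda b: bridge_id(b, instance))
    return winner["host"], bridge_id(winner, instance)[0]

# Constructed sample mirroring the notes: SW2 was given priority 4096 in instance 1.
CFG = {"name": "MST1", "revision": 1, "instances": {1: {10, 20, 40, 50}, 2: {60, 70, 80}}}
SW1 = {"host": "Switch01", "mac": "000c.303b.ba80", "priority": {}}
SW2 = {"host": "Switch-02", "mac": "0013.60bb.4980", "priority": {1: 4096}}

if __name__ == "__main__":
    for inst, vlans in instance_map(CFG["instances"]).items():
        print(f"MST{inst:02d} vlans mapped: {vlan_ranges(vlans)}")
        print("  root:", *elect_root([SW1, SW2], inst))
```

With only these two switches, instance 2 goes to Switch01 on the MAC tiebreak (shown priority 32770), matching the per-instance root IDs in the show spanning-tree root output above.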

Note: The vlan brief command shows all VLANs. There could be a case where the MST configuration does not assign every VLAN to an instance. The VLANs not in an instance will all fall back to the default MST instance 0.

Switch01#sh vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Gi0/1
10   VLAN0010                         active   
20   VLAN0020                         active   
40   VLAN0040                         active   
50   VLAN0050                         active   
60   VLAN0060                         active   
70   VLAN0070                         active   
80   VLAN0080                         active   
90   VLAN0090                         active   
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup