Monday, July 28, 2014

RFCs CCIE V5

Below you will find some  RFCs related to our CCIE studies.

 L3 technologies
  • Private Addressing      1118
  • NAT                             1631
Multicast
  • IGMPv1                    1112
  • IGMPv2                    2236
  • RTP                           1889

Monday, July 21, 2014

Out of order packets

IP protocol by nature does not guarantee packet delivery in the order in which they were sent, this is a common behavior since we can’t control the entire path of a packet when traversing different carrier’s networks/Paths.

In principle, applications that use a transport protocol such as TCP or SCTP don't have to worry about packet reordering, because the transport protocol is responsible for reassembling the byte stream  into the original ordering. However, reordering can have a severe performance impact on some implementations of TCP.

Real-time media applications such as audio/video conferencing tools often experience problems when run over networks that reorder packets. This is somewhat remarkable in that all of these applications have jitter buffers to eliminate the effects of delay variation on the real-time media streams.

Notes: Packet reordering can lead to retransmissions, delays, and even connection timeouts.

Unicast flooding

It refers to the unintentional behavior of a switch treating a unicast packet as a broadcast packet; The cause of flooding is that the destination MAC address of the packet is not in the L2 forwarding table of the switch. Normally occurs when the router needs to deliver a packet; it has an ARP entry for a destination host, but the switch has no CAM entry.   The result is a packet that needs to be flooded to all of the ports in the VLAN In order to locate that MAC address port/VLAN.

Common reasons for destination MAC address not being known to the switch:

Cause 1: Asymmetric Routing.
With asymmetric routing, transmit and receive packets follow different paths between a host and the peer with which it communicates, at some point in the packet delivery path a Switch may not have that MAC address destination on its CAM table and would need to flood the frame in order to discover which port/MAC address is.

Cause 2: Spanning-Tree Protocol Topology Changes.
Since TCNs are triggered by a port that is transitioning to or from the forwarding state we may remember that what TCN does is to age out the CAM table in order to relearn the Active MAC address, this is not a big deal until TCNs are occurring repeatedly with short intervals. The switches will constantly be fast-aging their forwarding tables so flooding will be nearly constant.
Normally, a TCN is rare in a well-configured network. When the port on a switch goes up or down, there is eventually a TCN once the STP state of the port is changing to or from forwarding. When the port is flapping, repetitive TCNs and flooding occurs.

Cause 3: Forwarding Table Overflow.
Another possible cause of flooding can be overflow of the switch forwarding table. In this case, new addresses cannot be learned and packets destined to such addresses are flooded until some space becomes available in the forwarding table. New addresses will then be learned. This is possible but rare, since most modern switches have large enough forwarding tables to accommodate MAC addresses for most designs.

By default unkown unicast traffic is flooded to all Layer 2 ports in a Vlan. We can use UUFB and UMFB, features to prevent or limit this traffic.

The UUFB and UMFB features block unknown unicast and multicast traffic flooding at a specific port, only permitting egress traffic with MAC addresses that are known to exist on the port. The UUFB and UMFB features are supported on all ports that are configured with the switchport command, including private VLAN (PVLAN) ports.

Router(config-if)# switchport    --> Configures the port for Layer 2 switching.
Router(config-if)# switchport block {unicast | multicast} -->Enables unknown unicast or multicast flood blocking on the port.



Note: Enter the switchport block multicast command only on ports where all unknown multicast flooded traffic needs to be completely blocked. UMFB disrupts protocols that make use of local subnetwork multicast control groups in the 224.0.0.0/24 range, for example:

•ARP
•IPv6 neighbor discovery (IPv6 ND)
•Network Time Protocol (NTP)

Do not enter this command on nonreceiver (router) ports or host ports that rely on dynamic ARP. Use IGMP snooping or other rate-limiting options to restrict, rather than completely block, unknown multicast flooded traffic.


Impact of micro burst

Microbursts are patterns or spikes of traffic that take place in a relatively short time interval(generally sub-second) causing network interfaces to temporarily become oversubscribed and DROP traffic. While bursty traffic is fairly common in networks and in most cases is handled by buffers, in some cases the spike in traffic is more than the buffer and interface can handle. 

 Typical monitoring systems pull interface traffic statistics every one or five minutes by default.  In most cases this gives you a good view into what is going on in your network on the interface level for any traffic patterns that are relatively consistent.  Unfortunately this doesn’t allow you to see bursty traffic that occurs in any short time interval less than the one you are graphing.

The first place you might notice you are experiencing bursty traffic is in the interface statistics on your switch under “Total Output Drops”.

R2#sh int f0/0 | inc Input
 Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 7228

If you are seeing output drops increment, but the overall traffic utilization of that interface is otherwise low, you are most likely experiencing some type of bursty traffic.

Asymmetric routing

Asymmetric routing in general is a normal, but unwanted situation in an IP network. Asymmetric routing is a situation where for one reason or another packets flowing in i.e. TCP connections flow through different routes to different directions. As a rough example: Host A and B located in different continents are communicating through a TCP connection. Segments sent from host A to host B reach the destination through WAN LINK X link but segments sent from B to A reach the destination through WAN LINK Y link.

ROUTERA----->WAN LINK X----->ROUTERB  Going  path.
ROUTERB----->WAN LINK Y----->ROUTERA  Return path.

Sunday, July 20, 2014

IPv4 and IPv6 fragmentation

IPv4 Fragmentation-

When an IPv4 packet is larger than the network's MTU(default to 1500), and the DF bit within the IP header is clear the packet will be fragmented into smaller pieces so it can be sent to the other end. The maximum size of each piece is the MTU minus the IP header size (20 bytes minimum; 60 bytes maximum).

Fragmentation has a negative impact on router's performance and it should be avoided when possible.

IPv6 Fragmentation-

As opposed to IPv4, fragmentation in IPv6 is performed by the IPv6 enabled nodes not by the routers along the path. If an intermediate node such as a router receives an IPv6 packet that needs to be fragmented, it will discard the packet and send an ICMPv6 Packet Too Big error message back to the source as routers will not attempt to perform fragmentation unless they are the source of the IPv6 packet.

IP MTU

IP Maximum Transmission Unit (MTU)

IPv4 requires that every node must be able to forward an IP packet of 68 bytes without any further fragmentation. This is because an IPv4 header can be as large as 60 bytes in length or have a minimum fragment size of 8 bytes. Every IPv4 node that is the final destination of the IPv4 packet must be able to receive an IPv4 packet of a minimum size of 576 bytes, which can be all or fragments of the original packet.


IPv6 requires that every link have a minimum MTU of 1280 bytes, with a recommended MTU of 1500 bytes, compared to 68 bytes in IPv4. It is recommended that IPv6 devices perform Path Discovery MTU to avoid fragmentation.

IPv6 Header and Extensions

IPv6 Header and Extensions

The IPv6 protocol defines a set of headers, including the basic IPv6 header and the IPv6 extension headers.

Header Format

The below image shows the fields that appear in the IPv6 header and the order in which the elements appear.

Diagram shows that the 128 bit IPv6 header consist of eight fields, including the source and destination addresses.

The basic IPv6 header contains 8 fields, in comparison with 12 fields in IPv4, for a total length of 40 octets. Below a list of the IPv6 header options:

Version(4 bit), This field contains the value 6 for IPv6.

Traffic Class(8 bit), Similar to the DSCP field in IPv4, this field is for being tagged with a DSCP value for special handling.

Flow Label(20 bit), This field is used to tag a flow for IPv6 packets. However the current IETF standard does not specify how to manage and process this field.

Payload Length(16 bit), This field represent the payload's length. The payload being the remaining part of the packet following the Ipv6 header.

Next Header(8 bit), Similar to the protocol field in IPv4, it specifies the type of information following the header. The type of information can be an upper layer protocol such as TCP or UDP or it can be one of the new optional extension headers.

Hop limit(8 bit), Similar to the TTL filed in IPv4, this field specifies the maximum number of hops that the IP packet can pass through.

Source Address(128 bit), This field specifies the IPv6 Source address.

Destination Address (128 bits), This field specifies the IPv6 destination address.



IPv6 Extension Headers


IPv6 extension headers are optional headers that may follow the basic IPv6 header. One Ipv6 packet may include 0, 1, 2 or more extension headers. They form a chained list of headers identified by the Next Header field of the previous header.

Below are some IPv6 defined extension headers:

Hop by Hop Options header(protocol 0)- This field is read and processed by every node and router along the path. The hop by hop header option is used for jumbogram packets and the router alert.

Destination Options header(protocol 60)- This header carries optional information that is specifically targeted to a packet's destination address. The mobile IPv6 protocol specification proposes to use the destination options header to exchange registration messages between mobile nodes and home agents.

Routing header(protocol 43)- This header can be used by an IPv6 source node to force a packet to pass through specific routers on the way to is destination.


IPv4 Options

IPv4 Options

Below a visual description of the Header options found within an IPv4 packet:

IP Header

Here is a description of every option field within the IP header:

Version: Version number of Internet Protocol used. For IPv6 Packet this field will be set to 6.

IHL: Internet Header Length(4 bits field), this value tells how big the packet is. The minimum value allowed is 5 which would be 20 bytes (no options). The maximum value possible is 15, for a packet header length of 60 bytes (allowing a maximum of 40 bytes for "options").

DSCP: Differentiated Services Code Point, this is where you can apply your QoS tags.

ECN: Explicit Congestion Notification, carries information about the congestion seen in the route.

Total Length: Length of entire IP Packet (including IP header and IP Payload). This field (16 bits) contains the total length of the packet, including the packet header, in bytes. The minimum length is 20 (20 bytes of header plus 0 bytes of data), and the maximum is 65,535 bytes (since only 16 bits are available to specify this). All network links must be able to handle packets of at least 576 bytes, but a more typical packet size is 1508 bytes.

Identification: If IP packet is fragmented during the transmission, all the fragments contain same identification number to identify original IP packet they belong to.

Flags: As required by the network resources, if IP Packet is too large to handle these ‘flags’ tell that if they can be fragmented or not. In this 3-bit flag, the MSB is always set to ‘0’. 
 
The next three bits are flags related to fragmentation:

The first bit is reserved and must be zero.
 
The second bit is the DF (Don’t Fragment) flag.  If DF is set, the packet cannot be fragmented. 
 
If a packet with DF set reaches a gateway where the ongoing path can’t handle that fragment size without fragementing it, that packet is dropped (and non-delivery notification is returned to the sender).
 
The third bit is the MF (More Fragments) flag. If MF is set, there are more fragments to come. Unfragmented packets have the MF flag set to zero.


Fragment Offset: This offset field (13 bits) tells the exact position of the fragment in the original IP Packet. It is used in reassembly of fragmented packets. It is measured in 8 byte blocks. The first fragment of a set has an offset of 0. Re-assembly involves putting the fragments together in a buffer, with each new fragment located in the reassembly buffer starting at Fragment Offset * 8 bytes from the beginning of the buffer.

Time to Live: (8 bits field)To avoid looping in the network, every packet is sent with a TTL value set, which tells the network how many hops this packet can cross. At each hop, its value is decremented by one and when the value reaches zero, the packet is discarded. The default TTL value is 64, packets with TTL set to 1 within a network segment are meant to be processed by local router.

Protocol: Tells the Network layer at the destination host, to which Protocol this packet belongs to. For example protocol number of ICMP is 1, TCP is 6 and UDP is 17.

Header Checksum: This field is used to keep checksum value of entire header which is then used to check if the packet is received error-free.

Source Address: 32-bit address of the Sender of the packet.

Destination Address: 32-bit address of the Receiver of the packet.

Options: (o - to 40 Bytes field) This is optional field, which is used if the value of IHL is greater than 5. These options may contain values for options such as Security, Record Route, Time Stamp etc.

ICMP Redirect

ICMP redirect messages are used by the gateway to inform the source host of a better route to the destination is available. For these messages to be sent by the gateway, the below conditions have to be met:

  • The interface on which the packet comes into the router is the same interface on which the packet gets routed out.
  • The subnet or network of the source IP address is on the same subnet or network of the next-hop IP address of the routed packet.
  • The datagram is not source-routed.
  • The kernel is configured to send redirects. (By default, Cisco routers send ICMP redirects. The interface subcommand no ip redirects can be used to disable ICMP redirects.) 


    Below an important fact to remember when configuring HSRP on a cisco router:

    ICMP redirects are disabled by default if Hot Standby Router Protocol (HSRP) is configured on the interface. In Cisco IOS Software Release 12.1(3)T and later, ICMP Redirect is allowed to be enabled on interfaces configured with HSRP.

ICMP unreachable

Internet Control Message Protocol (ICMP)is used to communicate to the source host if any errors occured during the routing of packets.

An ICMP unreachable message is generated and sent back to the sender to inform it that the destination is unreachable.

The IP header plus the first 8 bytes of the original data is sent back to the source host, below some situations where this behavior is seen:

If the gateway has no next hop information to match the destination address on the IP packet or the distance to such network is infinte(i.e. 255) the gateway may send a destination unreachable message to the source host. Also, when fragmentation is needed for the do not fragment flag is set in the packet an ICMP unreachable is going to be sent back to the source host.


Below some ICMP code types:


Type Name     Reference
---- -------------------------  ---------
  0 Echo Reply     [RFC792]
  1 Unassigned        [JBP]
  2 Unassigned        [JBP]
  3 Destination Unreachable    [RFC792]
  4 Source Quench      [RFC792]
  5 Redirect     [RFC792]
 
In this case the ICMP code type 3 is used on the returning packet.Below an screenshot of a packet capture
where the ICMP type code 3 is being used by the gateway.
 

Saturday, July 19, 2014

Load balancing Hash


Load balancing Hash

2 equal cost path to a Destination, decision is made by a hashing algorithm , which uses XOR on  lower bits of SIP/DIP to select one link
which turns out the same across all Nodes in the path.

Use of the same hash algorithm and same hash input which results in the use of a single Equal-Cost Multi-Path (ECMP) link for ALL flows


Default IOS load balancing across equal paths 4, BGP 1, others maximum 6

  2 supported   
  •  Per-destination  all packets same path , same packet order   
 Route cache for every destination address, host within the same subnet could use  different paths
  • Per packet :  load balancing guaranteed , packets arrive at different order, the packets are distributed round robin over the available paths
Each SIP/DIP session is assigned to an active path
The session-to-path assignment is done using a hash function that takes the source and destination IP addresses and a unique hash ID that randomizes the assignment across the end-to-end path.

Polarization concept and avoidance


Polarization concept and avoidance

CEF polarization

Its the effect when a hash algorithm chooses a particular path and the redundant paths remain completely unused.
2 equal cost path to a Destination, decision is made by a hashing algorithm , which uses XOR on  lower bits of SIP/DIP to select one link
which turns out the same across all Nodes in the path.

Use of the same hash algorithm and same hash input which results in the use of a single Equal-Cost Multi-Path (ECMP) link for ALL flows

Note: X-OR  matches one or the other but not both when two path are available

Avoid CEF polarization
1.-Alternate between default (SIP and DIP) and full (SIP + DIP + Layer4 ports) hashing inputs configuration at each layer of the network.
6500 provides
Default  SIP/DIP with unequal weights to each link
Simple SIP/DIP with equal weights
Full SIP/DIP + L4 with unequal weights
Full Simple SIP/DIP + L4 with equal weights


To configure

 #mls ip cef load-sharing simple   
 #mls ip cef load-sharing  full simple  


2.- Alternate between even and odd numbers of ECMP links at each layer of the network as
when there is even number of ECMP links, the traffic is not load-balanced

For four equal cost paths, load-sharing is 20%-20%-20%-40% and not 25%-25%-25%-25%

In order to enable anti-polarization weight, enter this command :


 # mls ip cef load-sharing full simple  

3.- Cisco IOS introduced a concept called unique-ID/universal-ID <--- Default in all IOS version

  •    adds a 32-bit router-specific randomly  value to the hash function
   This seeds the hash function on each router with a unique ID, which ensures that the SIP/DIP pair hash have a different value on different routers along the path

 (config)#ip cef load-sharing algorithm universal <id>  




Identify Cisco express forwarding (CEF) concepts


CEF made of

CEF enabled by default IOS 12.0 or later

Types
centralized  CEFF
RP make the EF

How to check

 #ip cef  

Distributed CEF on catalyst 6500

Line Cards make the EF
Configure
#IP cef distributed.
Distributed CEF uses an interprocess communication (IPC) to ensure
synchronization of FIB tables and AdjTables on the RP and Line cards

CEF Support

ATM/AAL5snap, ATM/AAL5mux, and ATM/AAL5nlpid
Ethernet
FDDI
Frame Relay
High-Level Data Link Control (HDLC)
PPP
Spatial Reuse Protocol (SRP)
TokenRing
Tunnels

FIB contains all routes
Adjancency table  all L2 next hops for all FIB entries


CEF features enabled by Default.
Per-destination LB
Distributed Tunnel Switching
MUltipoint GRE


RIB Router Information Base this is the routing table itself
A router may have many separate RIB’s. If you’re running vrfs  then each vrf will have a separate RIB

FIB
The FIB is a mirror image of the IP routing table,Changes to the routing table and next hop ip’s are reflected in the FIB.

LIB
The LIB is an MPLS table. This is the place where the router will keep all known MPLS label

 #sh mpls ldp bindings  

LFIB – Label Forwarding Instance Base
Its the table used to forward labeled packets. It is populated with the incoming and outgoing labels for the LSP
As the RIB uses the FIB to forward traffic, so the LIB uses the LFIB to forward traffic
 #sh mpls forwarding-table  

The adjacency table is populated with l2 next hop addresses for all FIB entries, hence adjacency. When an adjacency is established,
as through ARP, a link layer header for that adjacency is stored in the adjacency table.

Configure

 #ip load-sharing per-packet  

Adjacency Type

Null Adjacency pkts destined to a null0 interface
Glean Adjacency packets destined to a multiaccess medium, Next hop should be directly connected
                but there is no MAc header rewrite information available, when needed CEF request ARP entries for a specific preix
Punt Adjacency  Fwd pkts require special handling,or not supported with CeF to the next higher switching level.(RP)
Discard Adjacency
Drop Adjacency

How to check

 #show ip cef  
 #show adjacency s0/0 detail  








Tuesday, July 15, 2014

CoPP and CPPr

Recently i just looked into what the control plane is and its purpose. I decided to now look into how to protect it. Here is where CoPP(Control Plane Policing) and CPPr come into play.

First let's see what these two things are and what they can do for us. CoPP is a way to control and limit access to the entire Control Plane. On the other hand, CPPr is meant to control access to the individual control plane subinterfaces(host, transit and cef-exception).

Host - Traffic destined for the router itself (management, routing protocols, etc.) 
Transit - Software-switched transit traffic 
CEF exception - Traffic which triggers a CEF exception (ARP, non-IP packets, etc.)

Below, steps to configure CoPP on a router:

 Configure ACL,

R1(config)#access-list 100 permit tcp any any eq 22
R1(config)#access-list 100 permit tcp any eq 22 any


Configure Class-Map,

R1(config)#class-map CM_CLASS_MAP
R1(config-cmap)#match access-group 100
R1(config-cmap)#exit


Configure Policy-Map,

R1(config)#policy-map PM_POLICY_MAP
R1(config-pmap)#class
R1(config-pmap)#class CM_CLASS_MAP
R1(config-pmap-c)#police 16000 conform-action transmit exceed-action drop violate-action drop

R1(config-pmap-c-police)#exit
 

Apply Policy-Map to Control-Plane,

R1(config)#control-plane
R1(config-cp)#service
R1(config-cp)#service-policy in
R1(config-cp)#service-policy input PM_POLICY_MAP


*Mar  1 00:06:08.747: %CP-5-FEATURE: Control-plane Policing feature enabled on Control plane aggregate path
 

The above command confirms CoPP has been enabled on the entire Control Plane.

Verification commands,

R1#sh policy-map control-plane
 Control Plane

  Service-policy input: PM_POLICY_MAP

    Class-map: CM_CLASS_MAP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 100
      police:
          cir 16000 bps, bc 1500 bytes, be 1500 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps, violate 0 bps

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any


 R1#sh access-list
Extended IP access list 100
    10 permit tcp any any eq 22
    20 permit tcp any eq 22 any


When configuring CPPr, the main difference is when you apply the policy to any of the above mentioned control plane subinterfaces (command shown below),

R1(config)#control-plane host
R1(config-cp-host)#service-policy input PM_POLICY_MAP
R1(config-cp-host)#


*Mar  1 00:14:06.227: %CP-5-FEATURE: Control-plane Policing feature enabled on Control plane host path


Above command confirms CPPr has been enabled on the host control subinterface.




Friday, July 11, 2014

Control plane and Forwarding plane

Control Plane-

A collection of processes that run at the process level on the route-processor (RP). These processes collectively provide high-level controls for most IOS functions.

The control plane in general is anything that’s needed in order to get routing working on that device; in other words, it is the “signalling” of the network. Control plane packets are destined to or locally originated by the router itself.

Examples of control plane protocols are CDP, BPDUs, Routing Procolos


There are methods to police traffic meant to the control plane(i.e. CoPP Control Plane Policing)

Forwarding Plane/Data Plane -

Moves packets from input to output, defines the part of the router architecture that decides what to do with packets arriving on an inbound interface. Most commonly, it refers to a table in which the router looks up the destination address of the incoming packet and retrieves the information necessary to determine the path from the receiving element, through the internal forwarding fabric of the router, and to the proper outgoing interface.


Examples, RIB/FIB

Acronyms

  • Forwarding and Feature Manager (FFM)
  • Forwarding Engine Driver (FED)
  • Embedded Services Processor (ESP)
  • Route Processor Cards(RPC)
  • Share interface processor(SIP)
  • Forwarding engine control plan (FECP)
  • Input Output Control processor (IOCP)
  • share port adaptor (SPA)
  • Control plane processor (CPP)
  • Route Processor (RP)
  • Line Card (LC) 
  • SIP source IP 
  • DIP Destination IP
  • LER --label edge router. A router that performs label imposition.
  • LFIB --label forwarding information base. The data structure used by switching functions to switch labeled packets.
  • LIB --label information base. A database used by a label switch router (LSR) to store labels learned from other LSRs, as well as labels assigned by the local LSR. 
  • Equal-Cost Multi-Path (ECMP)
    MLS multilayer switches

Differences between IOS and IOS XE

IOS
  • It is a monolithic OS
  • All features  are on the same file
  • if  One process fail the whole box will crash
  • Reboot Needed to perform an upgrade

IOS XE
  • Modular software updates
  • High Availability
  • Linux  with IOS interface
  • Configuration grouped by Process
  • APIs that will make it programmable
  • Platforms  ASR1k; CAT4500E/SUP7E; ASR 903: CSR1000v

IOS XE
Made of
    Consolidated packages -
  •         RP Base
  •         RP control
  •         RP Access
  •         RP Access
  •         RP IOS  ---> IOS 15 code functionality
  •         ESP base  FW intelligence
  •         SIP Base
  •         SIP SPA Share port Adapater
    Could be updated it in mass
    or individually ,
              if that's the case  you will need a provisioning file to boot it
   
    Optional packaged
        Webex Node <--- Example
       
Individual Processes
  •     Logger
  •     Chassis Manager  HA/RP
  •     IOS
  •     Pluggable Server
  •     SPA driver
  •     Host Manager
  •     Interface Manager
  •     Forwarding Manager
  •     Shell Manager
  •     CPP Driver/HA/SP

Impact to troubleshooting and performances

  •    IOS XE (IOS 15.0) runs as a single daemon within a Linux operating system 
  •   Additional system functions now run as additional, separate processes in the host OS environment
  •    IOSd within the IOS XE environment supports multiple threads and multi-core CPUs
  •   Wireshark and Mediatrace included, runs separately from IOS

Excluding specific platform's architecture

  •  Non-IOS applications can either be tightly integrated with IOS or they could run side-by-side with IOS with very little or no interactions
  •     If an application does require services from IOS, it integrates with IOS through a set of client libraries called "service points"


Sunday, July 6, 2014

Tuesday, July 1, 2014

Complete Blueprint CCIE v5 Written Exam

CIE Routing and Switching Written Exam Version 5.0 (400-101)


Exam Description: The Cisco CCIE® Routing and Switching Written Exam (400-101) version 5.0 is a two-hour test with 90−110 questions that will validate that professionals have the expertise to: configure, validate, and troubleshoot complex enterprise network infrastructure; and, understand how infrastructure components interoperate; and translate functional requirements into specific device configurations. The exam is closed book and no outside reference materials are allowed.
The following topics are general guidelines for the content likely to be included on the exam. However, other related topics may also appear on any specific delivery of the exam. In order to better reflect the contents of the exam and for clarity purposes, the guidelines below may change at any time without notice.


1.0 Network Principles       10%
2.0 Layer 2 Technologies     15%
3.0 Layer 3 Technologies     40%
4.0 VPN Technologies         15%
5.0 Infrastructure Security  5%
6.0 Infrastructure Services  15%
   
XXXXXXX   10% 1.0 Network Principles

1.1 Network theory
1.1.a Describe basic software architecture differences between IOS and IOS XE
1.1.a (i) Control plane and Forwarding plane
1.1.a (ii) Impact to troubleshooting and performances
1.1.a (iii) Excluding specific platform's architecture
1.1.b Identify Cisco express forwarding concepts
1.1.b (i) RIB, FIB, LFIB, Adjacency table
1.1.b (ii) Load balancing Hash
1.1.b (iii) Polarization concept and avoidance
1.1.c Explain general network challenges
1.1.c (i) Unicast flooding
1.1.c (ii) Out of order packets
1.1.c (iii) Asymmetric routing
1.1.c (iv) Impact of micro burst
1.1.d Explain IP operations
1.1.d (i) ICMP unreachable, redirect
1.1.d (ii) IPv4 options, IPv6 extension headers
1.1.d (iii) IPv4 and IPv6 fragmentation
1.1.d (iv) TTL
1.1.d (v) IP MTU
1.1.e Explain TCP operations
1.1.e (i) IPv4 and IPv6 PMTU
1.1.e (ii) MSS
1.1.e (iii) Latency
1.1.e (iv) Windowing
1.1.e (v) Bandwidth delay product
1.1.e (vi) Global synchronization
1.1.e (vii) Options
1.1.f Explain UDP operations
1.1.f (i) Starvation
1.1.f (ii) Latency
1.1.f (iii) RTP/RTCP concepts
1.2 Network implementation and operation
1.2.a Evaluate proposed changes to a network
1.2.a (i) Changes to routing protocol parameters
1.2.a (ii) Migrate parts of a network to IPv6
1.2.a (iii) Routing protocol migration
1.2.a (iv) Adding multicast support
1.2.a (v) Migrate spanning tree protocol
1.2.a (vi) Evaluate impact of new traffic on existing QoS design
1.3 Network troubleshooting
1.3.a Use IOS troubleshooting tools
1.3.a (i) debug, conditional debug
1.3.a (ii) ping, traceroute with extended options
1.3.a (iii) Embedded packet capture
1.3.a (iv) Performance monitor
1.3.b Apply troubleshooting methodologies
1.3.b (i) Diagnose the root cause of networking issue (analyze symptoms, identify and describe root cause)
1.3.b (ii) Design and implement valid solutions according to constraints
1.3.b (iii) Verify and monitor resolution
1.3.c Interpret packet capture
1.3.c (i) Using Wireshark trace analyzer
1.3.c (ii) Using IOS embedded packet capture

XXXXXXXXXXXXXXXX
15%
XXXXXXXXXXXXXXXX

2.0 Layer 2 Technologies
2.1 LAN switching technologies
2.1.a Implement and troubleshoot switch administration
2.1.a (i) Managing MAC address table
2.1.a (ii) errdisable recovery
2.1.a (iii) L2 MTU
2.1.b Implement and troubleshoot layer 2 protocols
2.1.b (i) CDP, LLDP
2.1.b (ii) UDLD
2.1.c Implement and troubleshoot VLAN
2.1.c (i) Access ports
2.1.c (ii) VLAN database
2.1.c (iii) Normal, extended VLAN, voice VLAN
2.1.d Implement and troubleshoot trunking
2.1.d (i) VTPv1, VTPv2, VTPv3, VTP pruning
2.1.d (ii) dot1Q
2.1.d (iii) Native VLAN
2.1.d (iv) Manual pruning
2.1.e Implement and troubleshoot EtherChannel
2.1.e (i) LACP, PAgP, manual
2.1.e (ii) Layer 2, layer 3
2.1.e (iii) Load-balancing
2.1.e (iv) Etherchannel misconfiguration guard
2.1.f Implement and troubleshoot spanning-tree
2.1.f (i) PVST+/RPVST+/MST
2.1.f (ii) Switch priority, port priority, path cost, STP timers
2.1.f (iii) port fast, BPDUguard, BPDUfilter
2.1.f (iv) loopguard, rootguard
2.1.g Implement and troubleshoot other LAN switching technologies
2.1.g (i) SPAN, RSPAN, ERSPAN
2.1.h Describe chassis virtualization and aggregation technologies
2.1.h (i) Multichassis
2.1.h (ii) VSS concepts
2.1.h (iii) Alternative to STP
2.1.h (iv) Stackwise
2.1.h (v) Excluding specific platform implementation
2.1.i Describe spanning-tree concepts
2.1.i (i) Compatibility between MST and RSTP
2.1.i (ii) STP dispute, STP bridge assurance
2.2 Layer 2 multicast
2.2.a Implement and troubleshoot IGMP
2.2.a (i) IGMPv1, IGMPv2, IGMPv3
2.2.a (ii) IGMP snooping
2.2.a (iii) IGMP querier
2.2.a (iv) IGMP filter
2.2.a (v) IGMP proxy
2.2.b Explain MLD
2.2.c Explain PIM snooping
2.3 Layer 2 WAN circuit technologies
2.3.a Implement and troubleshoot HDLC
2.3.b Implement and troubleshoot PPP
2.3.b (i) Authentication (PAP, CHAP)
2.3.b (ii) PPPoE
2.3.b (iii) MLPPP
2.3.c Describe WAN rate-based ethernet circuits
2.3.c (i) Metro and WAN Ethernet topologies
2.3.c (ii) Use of rate-limited WAN ethernet services


XXXXXXXXXXXXXXXX
40%
XXXXXXXXXXXXXXXX

3.0 Layer 3 Technologies
3.1 Addressing technologies
3.1.a Identify, implement and troubleshoot IPv4 addressing and subnetting
3.1.a (i) Address types, VLSM
3.1.a (ii) ARP
3.1.b Identify, implement and troubleshoot IPv6 addressing and subnetting
3.1.b (i) Unicast, multicast
3.1.b (ii) EUI-64
3.1.b (iii) ND, RS/RA
3.1.b (iv) Autoconfig/SLAAC, temporary addresses (RFC4941)
3.1.b (v) Global prefix configuration feature
3.1.b (vi) DHCP protocol operations
3.1.b (vii) SLAAC/DHCPv6 interaction
3.1.b (viii) Stateful, stateless DHCPv6
3.1.b (ix) DHCPv6 prefix delegation
3.2 Layer 3 multicast
3.2.a Troubleshoot reverse path forwarding
3.2.a (i) RPF failure
3.2.a (ii) RPF failure with tunnel interface
3.2.b Implement and troubleshoot IPv4 protocol independent multicast
3.2.b (i) PIM dense mode, sparse mode, sparse-dense mode
3.2.b (ii) Static RP, auto-RP, BSR
3.2.b (iii) BiDirectional PIM
3.2.b (iv) Source-specific multicast
3.2.b (v) Group to RP mapping
3.2.b (vi) Multicast boundary
3.2.c Implement and troubleshoot multicast source discovery protocol
3.2.c (i) Intra-domain MSDP (anycast RP)
3.2.c (ii) SA filter
3.2.d Describe IPv6 multicast
3.2.d (i) IPv6 multicast addresses
3.2.d (ii) PIMv6
3.3 Fundamental routing concepts
3.3.a Implement and troubleshoot static routing
3.3.b Implement and troubleshoot default routing
3.3.c Compare routing protocol types
3.3.c (i) Distance vector
3.3.c (ii) Link state
3.3.c (iii) Path vector
3.3.d Implement, optimize and troubleshoot administrative distance
3.3.e Implement and troubleshoot passive interface
3.3.f Implement and troubleshoot VRF lite
3.3.g Implement, optimize and troubleshoot filtering with any routing protocol
3.3.h Implement, optimize and troubleshoot redistribution between any routing protocol
3.3.i Implement, optimize and troubleshoot manual and auto summarization with any routing protocol
3.3.j Implement, optimize and troubleshoot policy-based routing
3.3.k Identify and troubleshoot sub-optimal routing
3.3.l Implement and troubleshoot bidirectional forwarding detection
3.3.m Implement and troubleshoot loop prevention mechanisms
3.3.m (i) Route tagging, filtering
3.3.m (ii) Split horizon
3.3.m (iii) Route poisoning
3.3.n Implement and troubleshoot routing protocol authentication
3.3.n (i) MD5
3.3.n (ii) Key-chain
3.3.n (iii) EIGRP HMAC SHA2-256bit
3.3.n (iv) OSPFv2 SHA1-196bit
3.3.n (v) OSPFv3 IPsec authentication
3.4 RIP (v2 and v6)
3.4.a Implement and troubleshoot RIPv2
3.4.b Describe RIPv6 (RIPng)
3.5 EIGRP (for IPv4 and IPv6)
3.5.a Describe packet types
3.5.a (i) Packet types (hello, query, update, and such)
3.5.a (ii) Route types (internal, external)
3.5.b Implement and troubleshoot neighbor relationship
3.5.b (i) Multicast, unicast EIGRP peering
3.5.b (ii) OTP point-to-point peering
3.5.b (iii) OTP route-reflector peering
3.5.b (iv) OTP multiple service providers scenario
3.5.c Implement and troubleshoot loop free path selection
3.5.c (i) RD, FD, FC, successor, feasible successor
3.5.c (ii) Classic metric
3.5.c (iii) Wide metric
3.5.d Implement and troubleshoot operations
3.5.d (i) General operations
3.5.d (ii) Topology table, update, query, active, passive
3.5.d (iii) Stuck in active
3.5.d (iv) Graceful shutdown
3.5.e Implement and troubleshoot EIGRP stub
3.5.e (i) Stub
3.5.e (ii) Leak-map
3.5.f Implement and troubleshoot load-balancing
3.5.f (i) equal-cost
3.5.f (ii) unequal-cost
3.5.f (iii) add-path
3.5.g Implement EIGRP (multi-address) named mode
3.5.g (i) Types of families
3.5.g (ii) IPv4 address-family
3.5.g (iii) IPv6 address-family
3.5.h Implement, troubleshoot and optimize EIGRP convergence and scalability
3.5.h (i) Describe fast convergence requirements
3.5.h (ii) Control query boundaries
3.5.h (iii) IP FRR/fast reroute (single hop)
3.5.8 (iv) Summary leak-map
3.5.h (v) Summary metric
3.6 OSPF (v2 and v3)
3.6.a Describe packet types
3.6.a (i) LSA yypes (1, 2, 3, 4, 5, 7, 9)
3.6.a (ii) Route types (N1, N2, E1, E2)
3.6.b Implement and troubleshoot neighbor relationship
3.6.c Implement and troubleshoot OSPFv3 address-family support
3.6.c (i) IPv4 address-family
3.6.c (ii) IPv6 address-family
3.6.d Implement and troubleshoot network types, area types and router types
3.6.d (i) Point-to-point, multipoint, broadcast, non-broadcast
3.6.d (ii) LSA types, area type: backbone, normal, transit, stub, NSSA, totally stub
3.6.d (iii) Internal router, ABR, ASBR
3.6.d (iv) Virtual link
3.6.e Implement and troubleshoot path preference
3.6.f Implement and troubleshoot operations
3.6.f (i) General operations
3.6.f (ii) Graceful shutdown
3.6.f (iii) GTSM (Generic TTL Security Mechanism)
3.6.g Implement, troubleshoot and optimize OSPF convergence and scalability
3.6.g (i) Metrics
3.6.g (ii) LSA throttling, SPF tuning, fast hello
3.6.g (iii) LSA propagation control (area types, ISPF)
3.6.g (iv) IP FRR/fast reroute (single hop)
3.6.g (v) LFA/loop-free alternative (multi hop)
3.6.g (vi) OSPFv3 prefix suppression
3.7 BGP
3.7.a Describe, implement and troubleshoot peer relationships
3.7.a (i) Peer-group, template
3.7.a (ii) Active, passive
3.7.a (iii) States, timers
3.7.a (iv) Dynamic neighbors
3.7.b Implement and troubleshoot IBGP and EBGP
3.7.b (i) EBGP, IBGP
3.7.b (ii) 4 bytes AS number
3.7.b (iii) Private AS
3.7.c Explain attributes and best-path selection
3.7.d Implement, optimize and troubleshoot routing policies
3.7.d (i) Attribute manipulation
3.7.d (ii) Conditional advertisement
3.7.d (iii) Outbound route filtering
3.7.d (iv) Communities, extended communities
3.7.d (v) Multi-homing
3.7.e Implement and troubleshoot scalability
3.7.e (i) Route-reflector, cluster
3.7.e (ii) Confederations
3.7.e (iii) Aggregation, AS set
3.7.f Implement and troubleshoot multiprotocol BGP
3.7.f (i) IPv4, IPv6, VPN address-family
3.7.g Implement and troubleshoot AS path manipulations
3.7.g (i) Local AS, allow AS in, remove private AS
3.7.g (ii) Prepend
3.7.g (iii) Regexp
3.7.h Implement and troubleshoot other features
3.7.h (i) Multipath
3.7.h (ii) BGP synchronization
3.7.h (iii) Soft reconfiguration, route refresh
3.7.i Describe BGP fast convergence features
3.7.i (i) Prefix independent convergence
3.7.i (ii) Add-path
3.7.i (iii) Next-hop address tracking
3.8 ISIS (for IPv4 and IPv6)
3.8.a Describe basic ISIS network
3.8.a (i) Single area, single topology
3.8.b Describe neighbor relationship
3.8.c Describe network types, levels and router types
3.8.c (i) NSAP addressing
3.8.c (ii) Point-to-point, broadcast
3.8.d Describe operations
3.8.e Describe optimization features
3.8.e (i) Metrics, wide metric

XXXXXXXXXXXXXXXX
15%
XXXXXXXXXXXXXXXX

4.0 VPN Technologies
4.1 Tunneling
4.1.a Implement and troubleshoot MPLS operations
4.1.a (i) Label stack, LSR, LSP
4.1.a (ii) LDP
4.1.a (iii) MPLS ping, MPLS traceroute
4.1.b Implement and troubleshoot basic MPLS L3VPN
4.1.b (i) L3VPN, CE, PE, P
4.1.b (ii) Extranet (route leaking)
4.1.c Implement and troubleshoot encapsulation
4.1.c (i) GRE
4.1.c (ii) Dynamic GRE
4.1.c (iii) LISP encapsulation principles supporting EIGRP OTP
4.1.d Implement and troubleshoot DMVPN (single hub)
4.1.d (i) NHRP
4.1.d (ii) DMVPN with IPsec using pre-shared key
4.1.d (iii) QoS profile
4.1.d (iv) Pre-classify
4.1.e Describe IPv6 tunneling techniques
4.1.e (i) 6in4, 6to4
4.1.e (ii) ISATAP
4.1.e (iii) 6RD
4.1.e (iv) 6PE/6VPE
4.1.g Describe basic layer 2 VPN —wireline
4.1.g (i) L2TPv3 general principals
4.1.g (ii) ATOM general principals
4.1.h Describe basic L2VPN — LAN services
4.1.h (i) MPLS-VPLS general principals
4.1.h (ii) OTV general principals
4.2 Encryption
4.2.a Implement and troubleshoot IPsec with pre-shared key
4.2.a (i) IPv4 site to IPv4 site
4.2.a (ii) IPv6 in IPv4 tunnels
4.2.a (iii) Virtual tunneling Interface (VTI)
4.2.b Describe GET VPN

XXXXXXXXXXXXXXXX
5%
XXXXXXXXXXXXXXXX

5.0 Infrastructure Security
5.1 Device security
5.1.a Implement and troubleshoot IOS AAA using local database
5.1.b Implement and troubleshoot device access control
5.1.b (i) Lines (VTY, AUX, console)
5.1.b (ii) SNMP
5.1.b (iii) Management plane protection
5.1.b (iv) Password encryption
5.1.c Implement and troubleshoot control plane policing
5.1.d Describe device security using IOS AAA with TACACS+ and RADIUS
5.1.d (i) AAA with TACACS+ and RADIUS
5.1.d (ii) Local privilege authorization fallback
5.2 Network security
5.2.a Implement and troubleshoot switch security features
5.2.a (i) VACL, PACL
5.2.a (ii) Stormcontrol
5.2.a (iii) DHCP snooping
5.2.a (iv) IP source-guard
5.2.a (v) Dynamic ARP inspection
5.2.a (vi) port-security
5.2.a (vii) Private VLAN
5.2.b Implement and troubleshoot router security features
5.2.b (i) IPv4 access control lists (standard, extended, time-based)
5.2.b (ii) IPv6 traffic filter
5.2.b (iii) Unicast reverse path forwarding
5.2.c Implement and troubleshoot IPv6 first hop security
5.2.c (i) RA guard
5.2.c (ii) DHCP guard
5.2.c (iii) Binding table
5.2.c (iv) Device tracking
5.2.c (v) ND inspection/snooping
5.2.c (vii) Source guard
5.2.c (viii) PACL
5.2.d Describe 802.1x
5.2.d (i) 802.1x, EAP, RADIUS
5.2.d (ii) MAC authentication bypass

XXXXXXXXXXXXXXXX
15%
XXXXXXXXXXXXXXXX

6.0 Infrastructure Services
6.1 System management
6.1.a Implement and troubleshoot device management
6.1.a (i) Console and VTY
6.1.a (ii) telnet, HTTP, HTTPS, SSH, SCP
6.1.a (iii) (T)FTP
6.1.b Implement and troubleshoot SNMP
6.1.b (i) v2c, v3
6.1.c Implement and troubleshoot logging
6.1.c (i) Local logging, syslog, debug, conditional debug
6.1.c (ii) Timestamp
6.2 Quality of service
6.2.a Implement and troubleshoot end-to-end QoS
6.2.a (i) CoS and DSCP mapping
6.2.b Implement, optimize and troubleshoot QoS using MQC
6.2.b (i) Classification
6.2.b (ii) Network based application recognition (NBAR)
6.2.b (iii) Marking using IP precedence, DSCP, CoS, ECN
6.2.b (iv) Policing, shaping
6.2.b (v) Congestion management (queuing)
6.2.b (vi) HQoS, sub-rate ethernet link
6.2.b (vii) Congestion avoidance (WRED)
6.2.c Describe layer 2 QoS
6.2.c (i) Queuing, scheduling
6.2.c (ii) Classification, marking
6.3 Network services
6.3.a Implement and troubleshoot first-hop redundancy protocols
6.3.a (i) HSRP, GLBP, VRRP
6.3.a (ii) Redundancy using IPv6 RS/RA
6.3.b Implement and troubleshoot network time protocol
6.3.b (i) NTP master, client, version 3, version 4
6.3.b (ii) NTP Authentication
6.3.c Implement and troubleshoot IPv4 and IPv6 DHCP
6.3.c (i) DHCP client, IOS DHCP server, DHCP relay
6.3.c (ii) DHCP options
6.3.c (iii) DHCP protocol operations
6.3.c (iv) SLAAC/DHCPv6 interaction
6.3.c (v) Stateful, stateless DHCPv6
6.3.c (vi) DHCPv6 prefix delegation
6.3.d Implement and troubleshoot IPv4 network address translation
6.3.d (i) Static NAT, dynamic NAT, policy-based NAT, PAT
6.3.d (ii) NAT ALG
6.3.e Describe IPv6 network address translation
6.3.e (i) NAT64
6.3.e (ii) NPTv6
6.4 Network optimization
6.4.a Implement and troubleshoot IP SLA
6.4.a (i) ICMP, UDP, Jitter, VoIP
6.4.b Implement and troubleshoot tracking object
6.4.b (i) Tracking object, tracking list
6.4.b (ii) Tracking different entities (e.g. interfaces, routes, IPSLA, and such)
6.4.c Implement and troubleshoot netflow
6.4.c (i) Netflow v5, v9
6.4.c (ii) Local retrieval
6.4.c (iii) Export (configuration only)
6.4.d Implement and troubleshoot embedded event manager
6.4.d (i) EEM policy using applet
6.4.e Identify performance routing (PfR)
6.4.e (i) Basic load balancing
6.4.e (ii) Voice optimization

Written Topics / Lab Equipment and IOS Software 2014

Lab Equipment and IOS Software by Cisco

LAB equipment

CCIE Routing and Switching Written Exam Topics