HCIE - v2.0 - Own2 by Hasnain SB


Q1.

What is the purpose of an STP edge port? When do you use an edge port, what issue can you face when you
use one, and how do you resolve and prevent it?
What is an STP Edge Port:

 A port that transitions immediately to the Forwarding state without passing through Listening and
Learning (that is, without waiting for the STP calculation and timers).
 No topology change notification is generated when an edge port goes up or down.

Scenarios in which we must use Edge Ports:

 A switch port connected to a PC. Without an edge port the port spends two Forward Delay periods (30 s by
default) in Listening and Learning, so the PC's DHCP requests time out and it cannot get an IP address.
 A port connected to a server, so that the server is reachable as soon as the link comes up.
 To avoid topology changes: a user port that goes up and down would otherwise generate a topology change
notification each time, and every notification makes the switches flush their MAC address tables.

Issues when we use an Edge port

 A temporary loop: an edge port forwards immediately, so if a switch or a looped cable is plugged into it,
frames circulate until STP reacts.
 When an edge port receives a BPDU it loses the edge attribute and becomes a common STP port. The port
re-enters the STP calculation and walks through Listening and Learning again, which causes network flapping.

How to resolve this issue?

 Configure BPDU protection: when an edge port receives a BPDU, the switch shuts the port down (error-down)
instead of letting it take part in the STP calculation.
 To bring the port back automatically once BPDUs stop arriving, configure error-down auto-recovery for the
BPDU-protection cause with a recovery interval. The port is re-enabled when the interval expires and is shut
down again if BPDUs are still being received.
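As an added example that is not part of these notes, the following Python model replays a constructed event sequence against an edge port with and without BPDU protection: a rogue switch sends one BPDU, and later the PC reboots (link flap). It counts the seconds the port does not forward user traffic. The 15 s Forward Delay is the 802.1D default; the 30 s recovery interval, the port model and the event times are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

FORWARD_DELAY = 15        # 802.1D default; Listening + Learning = 2 x 15 s
RECOVERY_INTERVAL = 30    # assumed error-down auto-recovery interval, in seconds


@dataclass
class EdgePort:
    """One access port, modelled one second at a time (assumed model, not vendor code)."""
    bpdu_protection: bool
    edge: bool = True
    state: str = "forwarding"   # an edge port forwards as soon as the link is up
    forward_at: int = 0         # when a timer-driven port may start forwarding
    recover_at: int = 0         # when an error-down port is re-enabled
    down_seconds: int = 0       # seconds spent not forwarding user traffic
    log: List[str] = field(default_factory=list)

    def on_bpdu(self, t: int) -> None:
        if self.state == "error-down":
            return                                   # a shut port sees no frames
        if self.bpdu_protection:
            # Hardened behaviour: shut the port rather than let it join the STP calculation.
            self.state, self.recover_at = "error-down", t + RECOVERY_INTERVAL
            self.log.append(f"t={t}: BPDU received, port error-down")
        elif self.edge:
            # Default behaviour: the edge attribute is lost and the port becomes a
            # common STP port that must walk Listening -> Learning -> Forwarding.
            self.edge, self.state = False, "discarding"
            self.forward_at = t + 2 * FORWARD_DELAY
            self.log.append(f"t={t}: BPDU received, edge attribute lost")

    def on_link_up(self, t: int) -> None:
        if self.state == "error-down":
            return
        if self.edge:
            self.state = "forwarding"                # no delay for an edge port
        else:
            self.state, self.forward_at = "discarding", t + 2 * FORWARD_DELAY
            self.log.append(f"t={t}: link up on non-edge port, waiting 2 x Forward Delay")

    def tick(self, t: int) -> None:
        if self.state == "error-down" and t >= self.recover_at:
            self.state = "forwarding"                # BPDUs stopped: auto-recovery
            self.log.append(f"t={t}: auto-recovery, port up again")
        elif self.state == "discarding" and t >= self.forward_at:
            self.state = "forwarding"
            self.log.append(f"t={t}: forward delay expired, forwarding")
        if self.state != "forwarding":
            self.down_seconds += 1


def simulate(events: List[Tuple[int, str]], bpdu_protection: bool, until: int) -> EdgePort:
    """Replay (time, event) pairs, event being "bpdu" or "linkup", one second per step."""
    port = EdgePort(bpdu_protection)
    for t in range(until + 1):
        for when, kind in events:
            if when != t:
                continue
            if kind == "bpdu":
                port.on_bpdu(t)
            else:
                port.on_link_up(t)
        port.tick(t)
    return port


# Constructed scenario: a rogue switch is plugged into the PC port at t=5 and
# removed again shortly after; the user reboots the PC (link flap) at t=50.
SCENARIO = [(5, "bpdu"), (50, "linkup")]

if __name__ == "__main__":
    for protected in (False, True):
        p = simulate(SCENARIO, protected, until=90)
        print(f"bpdu_protection={protected}: down {p.down_seconds}s, edge={p.edge}", *p.log, sep="\n  ")
```

Without BPDU protection the port loses its edge attribute for good, so every later link-up costs another two Forward Delay periods (60 s of outage in this scenario); with protection the port is shut once, comes back by itself once the BPDUs stop, keeps its edge attribute, and the reboot at t=50 causes no outage at all.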

Q4. In which scenarios must we use an edge port? (See the scenarios listed under Q1.)

Q2. Why do we need STP in Layer 2 networks? Compare with IP networks.

Answer with the TTL argument. An Ethernet frame has no TTL field, so a frame caught in a Layer 2 loop
circulates endlessly, and broadcasts multiply into a broadcast storm. An IP packet carries a TTL that is
decremented at every hop, so a packet caught in a routing loop is discarded once the TTL reaches zero.
Q3. What protocols are similar to STP? Explain them.
Smart Link
RRPP
SEP
Stacking

Smart Link

 Smart Link improves network reliability by providing backup between two interfaces.
 The two interfaces form a Smart Link group. One interface is the master interface and the other is the
slave interface.
 The master interface is in the active state and carries the traffic; the slave interface is in the inactive
state.
 When traffic is switched from the active link to the standby link, the slave interface transitions to the
forwarding state.
 A Smart Link group consists of at most two interfaces.

 Smart Link also uses Flush packets, Smart Link instances, and a control VLAN to implement fast switchover
and load balancing.

Flush Packet:
 When a switchover occurs, the existing forwarding entries no longer apply to the new
topology. All the MAC address entries and Address Resolution Protocol (ARP) entries on the
network need to be updated.
 Smart Link group sends Flush packets to request other devices to update their MAC address
tables and ARP tables. As shown in Figure 1, when a switchover occurs, SwitchD sends Flush
packets to request SwitchA, SwitchB, and SwitchC to update their MAC address entries and
ARP entries.
 Flush packets are multicast packets.

Control VLAN

 Control VLAN for sending Flush packets
The Smart Link group uses this control VLAN to send Flush packets. As shown in Figure 1, if SwitchD is
enabled to send Flush packets, it sends them over the new active link when a switchover occurs.
 Control VLAN for receiving Flush packets
The upstream devices use this control VLAN to receive and process Flush packets. As shown in Figure 1, the
upstream devices (for example, SwitchA, SwitchB, and SwitchC) recognize Flush packets and are enabled to
receive them. When traffic is switched between links, the upstream devices process the received Flush
packets and update their MAC address entries and ARP entries.
 Flush packets let upstream devices update their MAC address entries and ARP entries before the entries
age out, which shortens the update time. In general, traffic is switched to the standby link in milliseconds,
which minimizes traffic loss.

Note: This method applies only when the upstream devices support Smart Link and can process Flush packets.

When the Active Link Fails: two mechanisms are available for updating MAC/ARP entries:

o Send Flush packets to request devices to update their entries (used when the upstream devices support
Smart Link Flush packets).
o Update entries automatically based on traffic. This method applies when the upstream devices (including
non-Huawei devices) do not support Smart Link. These devices update their MAC address entries and ARP
entries when traffic starts arriving on the new link (traffic-based triggering).

When the Active Link Recovers: Interface1 remains blocked after the original active link recovers from the
fault. Use one of the following mechanisms to switch the traffic back to the original active link:

 Enable the Smart Link revertive switchover function on SwitchD. When the original active link recovers
from the fault, Smart Link automatically switches the traffic back to it after the revertive switchover timer
expires.
 Use a command to forcibly switch the traffic back to the original active link.
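The two update mechanisms above, as an added Python example that is not from these notes or from any Huawei code: SwitchD's Smart Link group fails over from its master to its slave link and sends a Flush packet in the control VLAN; an upstream switch that understands Flush clears its MAC table at once and floods until it re-learns the host, while one that does not keeps the stale entry until the host's own traffic arrives on the new link. Switch names, port names, the control VLAN and the host MAC are constructed.

```python
from typing import Dict, List, Optional

CONTROL_VLAN = 10            # assumed control VLAN of the Smart Link group
HOST = "00:11:22:33:44:55"   # constructed MAC of a host behind SwitchD


class Switch:
    """An upstream switch with a MAC table; Flush support is per device."""

    def __init__(self, name: str, supports_flush: bool, control_vlan: int = CONTROL_VLAN):
        self.name, self.supports_flush, self.control_vlan = name, supports_flush, control_vlan
        self.mac_table: Dict[str, str] = {}      # MAC -> egress port

    def learn(self, mac: str, port: str) -> None:
        self.mac_table[mac] = port                # traffic-based update

    def lookup(self, mac: str) -> Optional[str]:
        return self.mac_table.get(mac)            # None: unknown, frame is flooded

    def on_flush(self, vlan: int) -> bool:
        """Process a Flush packet; True if the MAC table was cleared."""
        if not self.supports_flush or vlan != self.control_vlan:
            return False                          # not understood or wrong VLAN: ignored
        self.mac_table.clear()
        return True


class SmartLinkGroup:
    """Master (active) and slave (standby) interface on the same switch."""

    def __init__(self, master: str, slave: str, send_flush: bool = True):
        self.master, self.slave, self.send_flush = master, slave, send_flush
        self.active = master

    def link_failed(self, port: str, upstream: List[Switch]) -> List[str]:
        """Switch over if the active link failed; return the switches that flushed."""
        if port != self.active:
            return []
        self.active = self.slave if port == self.master else self.master
        if not self.send_flush:
            return []
        return [sw.name for sw in upstream if sw.on_flush(CONTROL_VLAN)]


def failover_demo(upstream_supports_flush: bool) -> Dict[str, Optional[str]]:
    """What SwitchA's MAC table says about HOST before and after a switchover."""
    switch_a = Switch("SwitchA", supports_flush=upstream_supports_flush)
    group = SmartLinkGroup(master="GE0/0/1", slave="GE0/0/2")
    # Port on SwitchA on which HOST's frames arrive for each of SwitchD's links.
    arrival_port = {"GE0/0/1": "to_SwitchB", "GE0/0/2": "to_SwitchC"}
    switch_a.learn(HOST, arrival_port[group.active])      # steady state over the master link
    result = {"before": switch_a.lookup(HOST)}
    group.link_failed("GE0/0/1", upstream=[switch_a])     # master link fails
    result["after_switchover"] = switch_a.lookup(HOST)    # None if flushed: SwitchA floods
    switch_a.learn(HOST, arrival_port[group.active])      # HOST sends again over the new link
    result["after_traffic"] = switch_a.lookup(HOST)
    return result
```

With Flush support the window between switchover and the first returning frame is flooding rather than black-holing; without it, SwitchA keeps sending to the dead link until traffic-based learning overwrites the entry (or the entry ages out).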

Smart Link Instance

Smart Link can use Multiple Spanning Tree Protocol (MSTP) instances. Each instance maps a range of VLANs.
Binding different instances to the two links of the group, so that some VLANs are carried on the link that
is inactive for the others, implements load balancing.

Stacking
If the LAN switches support stacking, stack all the LAN switches in the Layer 2 network so that they act as
a single logical switch. With only one logical switch (and the uplinks aggregated towards it) there is no
redundant Layer 2 path, so no loop can form.
Rapid Ring Protection Protocol (RRPP):
RRPP is a link layer protocol that is used in ring networks for
 Preventing loops, and
 Rapid switchover to the backup link in case of a device or link failure.
Ring networks are used in metropolitan area networks (MANs) and enterprise networks for high
reliability.

One node is the master node and the other nodes are transit nodes. The master node has two ring ports: the
primary (master) port and the secondary (slave) port.
The master node sends Hello packets from its primary port to detect whether the ring is complete. If the
Hello packets come back on its secondary port, the ring is complete and the master blocks the secondary
port for data traffic. If no Hello packet is received on the secondary port within the failure timer, the
master unblocks the secondary port so that traffic keeps flowing around the broken ring.
When a link goes down, the transit node reports the link-down event to the master node, so the master
learns of the ring failure immediately, unblocks its secondary port, and sends a message to all transit
nodes to flush their forwarding tables, so traffic switches to the remaining links.
When the link comes up again, the recovered port on the transit node is temporarily blocked for data
traffic but still forwards RRPP protocol packets. Once the master node receives its Hello packets on the
secondary port again, it immediately blocks the secondary port and sends a message to the other nodes to
flush their forwarding tables, after which the temporarily blocked port is unblocked.
Compared with other Ethernet ring network technologies, RRPP has the following advantages:

 The topology convergence time is less than 50 ms.


 The convergence time is not related to the number of nodes in the ring network, and
RRPP is applicable to the network that has a relatively large network diameter.
 RRPP can prevent the data loop from causing broadcast storms when the Ethernet ring
is complete.
 RRPP can rapidly start the backup link to restore the communication channels among
nodes on the Ethernet ring, when a link on the ring is disconnected.

SEP: Smart Ethernet Protection (SEP is used for loop protection)

SEP is an Ethernet link layer ring protocol. Its basic unit is the SEP segment, and only two ports of each
LAN switch can be added to the same SEP segment. To avoid loops, SEP selectively blocks one port in the
segment (ring protection). If a link in the ring fails, SEP unblocks the blocked port, so the ring recovers.

 SEP is a ring network protocol dedicated to the Ethernet link layer.


 A SEP segment is the basic unit for SEP.
 Only two interfaces on a switching device can be added to the same SEP segment.
 To prevent loops in a SEP segment, a ring protection mechanism is used to selectively block
interfaces to eliminate Ethernet redundant links.
 When a link on a ring network fails, the device running SEP immediately unblocks the
interface and performs link switching to restore communication between nodes.
Figure shows a typical SEP application. CE1 is connected to Network Provider Edges (NPEs)
through a semi-ring formed by switches. A VRRP group is deployed on the NPEs. Initially, NPE1
serves as the master and NPE2 as backup to NPE1. When the link between NPE1 and LSW5 or a
node on the link becomes faulty, NPE1 becomes the backup to NPE2, which then becomes the
master. The following situations occur depending on whether SEP is deployed. The following
assumes that the link between LSW1 and LSW5 becomes faulty.
 If SEP is not deployed on the semi-ring, CE1 traffic is still transmitted along the original path, but
NPE1 does not forward traffic, causing traffic interruption.
 If SEP is deployed on the semi-ring, the blocked interface on LSW5 is unblocked, enters the
Forwarding state, and sends link state advertisements (LSAs) to instruct other nodes on the SEP
segment to update their LSA databases. Then CE1 traffic is transmitted along backup link LSW5-
>LSW2->LSW4->NPE2, ensuring uninterrupted traffic transmission.
In common SEP networking, a physical ring can be configured with only one SEP segment in
which only one interface can be blocked. If an interface in a complete SEP segment is blocked,
all user data is transmitted only along the path where the primary edge interface is located. The
path where the secondary edge interface is located remains idle, wasting bandwidth.
SEP multi-instance is used to improve bandwidth efficiency and implement traffic load
balancing. SEP multi-instance allows two SEP segments to be configured on a physical ring. Each
SEP segment independently detects the completeness of the physical ring, blocks or unblocks
interfaces without affecting the other.
 SEP segment
A SEP segment consists of interconnected Layer 2 switching devices configured with the same SEP segment
ID and control VLAN ID.
A SEP segment is the basic unit for SEP.
A SEP segment is a ring or linear Ethernet topology. Each SEP segment has a control VLAN, edge interfaces,
and common interfaces.
 Control VLAN
In a SEP segment, the control VLAN is used to transmit only SEP packets

Different SEP segments can use the same control VLAN.


Different from a control VLAN, a data VLAN is used to transmit data packets.
 Node
Each Layer 2 switching device in a SEP segment is a node. Each node can have at most two interfaces added
to the same SEP segment.
 Interface role
As defined in SEP, there are two interface roles: common interfaces and edge interfaces.
Q5. Does a WLAN have a broadcast issue or not?
It can. Explain it like this: one AP has the wired connection and is called the root AP, and all the other APs
connect to the root AP over wireless links. If an AP has multiple wireless paths to the root AP, a loop forms
and broadcasts are repeated around it (a broadcast storm). WAPP is used to avoid this.
Disadvantages of STP

 STP ensures a loop-free network but converges slowly, which degrades services.
o The STP algorithm only determines that the topology has changed after the timers expire, which slows
down network convergence.
o The STP algorithm requires a stable network topology. After the root bridge sends configuration BPDUs,
the other devices process and relay them so that the configuration BPDUs reach the entire network. This
also slows down topology convergence.

 Port states and port roles are not clearly distinguished. Ports in the Listening, Learning, and Blocking
states all do not forward user traffic and look the same to users; the difference lies only in the port
role. Conversely, a root port and a designated port can both be in the Listening state or both be in the
Forwarding state.

Advantages of RSTP over STP


 Port states are simplified from five types to three types:

Port State    Forwards User Traffic    MAC Learning
Discarding    No                       No
Learning      No                       Yes
Forwarding    Yes                      Yes

 More port roles ( Alternate & Backup ports ) are defined to simplify the knowledge and deployment of
STP

The functions of the root port and designated port are the same as those defined in STP. The alternate port and
backup port are described as follows:
From the perspective of user traffic
 An alternate port backs up the root port and provides an alternate path from the designated bridge to the
root bridge.
 A backup port backs up the designated port and provides an alternate path from the root bridge to the
related network segment.
From the perspective of configuration BPDU transmission:
 An alternate port is blocked after learning the configuration BPDUs sent by other bridges.
 A backup port is blocked after learning the configuration BPDUs sent by itself.

 Configuration BPDUs are defined differently in RSTP. The Flags field, of which STP uses only the TC and
TCA bits, now also carries the port role, the port state, and the Proposal and Agreement bits.

 Configuration BPDUs are processed in a different manner.


Transmission of configuration BPDUs
In STP, after the topology becomes stable, the root bridge sends configuration BPDUs at the interval set by
the Hello timer. A non-root bridge does not send configuration BPDUs until it receives configuration
BPDUs from the upstream device. This makes the STP calculation complicated and time-consuming.
In RSTP, after the topology becomes stable, a non-root bridge sends configuration BPDUs at Hello
intervals regardless of whether it has received the configuration BPDUs sent from the root bridge. Each
device does this independently.
BPDU timeout period

In STP, a device has to wait a Max Age period before determining a negotiation failure. In RSTP, if a port
does not receive configuration BPDUs sent from the upstream device for three consecutive Hello intervals,
the negotiation between the local device and its peer fails.
Processing of inferior BPDUs

In RSTP, when a port receives an RST BPDU from the upstream designated bridge, the port compares the
received RST BPDU with its own RST BPDU.
If its own RST BPDU is superior to the received one, the port discards the received RST BPDU and
immediately responds to the upstream device with its own RST BPDU. After receiving the RST BPDU, the
upstream device updates its own RST BPDU based on the corresponding fields in the received RST BPDU.
In this manner, RSTP processes inferior BPDUs more rapidly, independent of any timer that is used in STP.

Q6. STP and RSTP convergence time? What is the good point about RSTP?
STP needs 30 s (two Forward Delay periods) to 50 s (Max Age plus two Forward Delay periods) to converge;
RSTP normally converges within a few seconds, and in under a second on point-to-point links where P/A applies.
 RSTP has the alternate port.
 It uses the P/A (Proposal/Agreement) mechanism for convergence.
 It detects topology changes itself: after a topology change it floods TC BPDUs.
 If three Hellos are missed it considers the peer down: fast detection of link failure.

Q7. Why does RSTP converge faster than STP? Which mechanisms does it have?
Rapid convergence is due to the P/A mechanism, the alternate port mechanism, and the edge port mechanism.

Proposal/Agreement mechanism:

 In STP, when a port is selected as a designated port, it does not enter the Forwarding state until the
Forward Delay period has expired twice (Listening, then Learning).
 In RSTP, the port enters the Discarding state, and the P/A mechanism then allows it to enter the
Forwarding state immediately.
 The P/A mechanism only works on point-to-point links in full duplex mode.
The P/A mechanism works in the following process:
1. p0 and p1 become designated ports and send RST BPDUs.

2. After receiving a superior RST BPDU, p1 determines that it will become a root port rather than a
designated port. p1 then stops sending RST BPDUs.

3. p0 enters the Discarding state and sends RST BPDUs with the Proposal field set to 1.

4. After receiving an RST BPDU with the Proposal field set to 1, S2 sets the sync variable to 1 for all
its ports.

5. As p2 is already blocked, its state stays unchanged; p4 is an edge port and does not participate in the
calculation. Therefore only the non-edge designated port p3 needs to be blocked.

6. After p2, p3, and p4 are in the Discarding state (or excluded as above), their synced variables are set
to 1. The synced variable of the root port p1 is then set to 1, and p1 sends an RST BPDU with the
Agreement field set to 1 to S1. Except for the Agreement field, which is set to 1, and the Proposal field,
which is set to 0, the RST BPDU is the same as the one that was received.

7. After receiving this RST BPDU, S1 identifies it as the reply to the proposal it just sent, and p0
immediately enters the Forwarding state.
This P/A negotiation finishes, and S2 continues the P/A negotiation with its downstream device.
In theory STP can select a designated port quickly, but to prevent loops it has to wait long enough to be
sure of the state of every port on the network, so no port can enter the Forwarding state until at least
one Forward Delay later. RSTP removes this bottleneck by blocking the non-root ports first, which is what
prevents the loop, and then letting the upstream designated port enter the Forwarding state immediately
through the P/A handshake.
NOTE:
To use the P/A mechanism, ensure that the link between the two devices is a point-to-point link in full
duplex mode. If the P/A negotiation fails, the designated port falls back to the STP negotiation and can
forward only after the Forward Delay timer has expired twice.
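The seven steps above, run as an added Python example (not code from these notes or from any vendor): S1's port p0 proposes, S2 syncs its ports, blocks its non-edge designated port p3, leaves the alternate port p2 and the edge port p4 alone, and answers with an Agreement on its new root port p1, after which p0 forwards at once. The same function shows the fallback on a shared link, where no P/A runs and p0 waits two Forward Delay periods. Port roles and states at the start are assumptions matching the steps.

```python
from dataclasses import dataclass
from typing import List, Tuple

FORWARD_DELAY = 15   # seconds, 802.1D default; the timer fallback is 2 x Forward Delay


@dataclass
class Port:
    name: str
    role: str            # "designated", "root", "alternate" or "edge"
    state: str           # "discarding", "learning" or "forwarding"
    sync: bool = False
    synced: bool = False


@dataclass
class Bridge:
    name: str
    ports: List[Port]

    def port(self, name: str) -> Port:
        return next(p for p in self.ports if p.name == name)

    def handle_proposal(self, root_port_name: str, log: List[str]) -> bool:
        """Steps 4 to 6: sync every port, block non-edge designated ports, then agree."""
        root_port = self.port(root_port_name)
        root_port.role = "root"                  # step 2: superior BPDU seen on this port
        for p in self.ports:
            p.sync = True                        # step 4: sync set on all ports
        for p in self.ports:
            if p is root_port:
                continue
            if p.role == "edge":
                p.synced = True                  # step 5: edge ports take no part
                log.append(f"{self.name}.{p.name}: edge port, stays {p.state}")
            elif p.state == "discarding":
                p.synced = True                  # already blocked (alternate): unchanged
                log.append(f"{self.name}.{p.name}: already discarding")
            else:
                p.state, p.synced = "discarding", True   # non-edge designated port blocked
                log.append(f"{self.name}.{p.name}: designated, forced to discarding")
        if all(p.synced for p in self.ports if p is not root_port):
            root_port.synced = True              # step 6: root port synced, send Agreement
            root_port.state = "forwarding"
            log.append(f"{self.name}.{root_port.name}: synced, sends Agreement, forwarding")
            return True
        return False


def negotiate(upstream: Bridge, up_port: str, downstream: Bridge, down_port: str,
              p2p_full_duplex: bool) -> Tuple[List[str], int]:
    """Run one P/A handshake; return the transcript and the seconds until the
    upstream designated port reaches Forwarding."""
    log: List[str] = []
    p0 = upstream.port(up_port)
    p0.role, p0.state = "designated", "discarding"        # step 3
    if not p2p_full_duplex:
        # No P/A on a shared link: the port waits out Listening and Learning.
        log.append(f"{upstream.name}.{p0.name}: shared link, no Proposal; 2 x Forward Delay")
        p0.state = "forwarding"
        return log, 2 * FORWARD_DELAY
    log.append(f"{upstream.name}.{p0.name}: sends RST BPDU with Proposal=1")
    if downstream.handle_proposal(down_port, log):
        p0.state = "forwarding"                           # step 7
        log.append(f"{upstream.name}.{p0.name}: Agreement received, forwarding")
        return log, 0
    return log, 2 * FORWARD_DELAY                         # negotiation failed: timers


def example(p2p_full_duplex: bool = True) -> Tuple[Bridge, int, List[str]]:
    """The S1/S2 topology from the steps above (initial roles and states assumed)."""
    s1 = Bridge("S1", [Port("p0", "designated", "discarding")])
    s2 = Bridge("S2", [
        Port("p1", "designated", "discarding"),   # becomes the root port (step 2)
        Port("p2", "alternate", "discarding"),    # already blocked
        Port("p3", "designated", "forwarding"),   # non-edge, must be blocked first
        Port("p4", "edge", "forwarding"),         # edge port, ignored
    ])
    log, seconds = negotiate(s1, "p0", s2, "p1", p2p_full_duplex)
    return s2, seconds, log
```

The point the handshake guarantees is visible in the final states: p3 is discarding before p0 is allowed to forward, so at no moment is there a second forwarding path through S2. S2 would next repeat the same handshake towards its own downstream on p3.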

Fast switchover of the root port (alternate port mechanism):

If the root port fails, the best alternate port on the bridge becomes the new root port and enters the
Forwarding state immediately.
This is safe because an alternate port, by definition, has received a superior BPDU from a designated port
on its segment, so a path from the root bridge to that segment already exists.
When the port role changes, the network topology changes accordingly.

Edge ports

 In RSTP, a designated port on the network edge is called an edge port.


 An edge port directly connects to a terminal and does not connect to any other switching
devices.
 An edge port does not receive configuration BPDUs, so it does not participate in the RSTP
calculation.
 It can directly change from the Disabled state to the Forwarding state without any delay,
just like an STP-incapable port.
 If an edge port receives bogus configuration BPDUs from attackers, it is deprived of the
edge port attributes and becomes a common STP port. The STP calculation is implemented
again, causing network flapping.

Q8. Why is RSTP designed like this?

 In RSTP there are designated ports (DP) and root ports (RP), as in STP.
 In RSTP, the ports connected to PCs are configured as edge ports, so the switch moves them to
Forwarding immediately.
 The alternate port provides a backup for the root port. While nothing changes, this port is not used;
when the root port fails, the alternate port immediately becomes the root port and goes to Forwarding,
without a new P/A negotiation.
 The backup port provides a backup for the designated port. When the designated port fails, the backup
port takes over quickly.

Q9. How to tell whether this port is an AP (alternate port) or BP (backup port)?

Look at where the superior BPDU received on the port comes from. If it comes from another bridge, the port
is an alternate port; if it is the bridge's own BPDU, sent by another port of the same switch onto the same
segment (for example two ports into one hub), the port is a backup port.

Q10. How do the AP and BP work?

RSTP compares BPDUs by Root ID, then root path cost, then sender bridge ID, then sender port ID, and finally
the local (receiving) port ID.
The AP backs up the root port: it has received a better BPDU from another bridge than the one this bridge
would send, so it is blocked, and it becomes the root port if the root port fails.
The BP backs up a designated port: it has received the BPDU this bridge itself sends from another of its
ports on the same segment, so it is blocked, and it takes over when the designated port goes down.
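The comparison rules and the alternate/backup distinction, as an added Python example that is not part of these notes: each bridge keeps the best BPDU heard on each segment, picks its root and root port from the vector (Root ID, root path cost, sender bridge ID, sender port ID) plus its own port cost, and classifies every other port as designated, alternate (best BPDU from another bridge) or backup (best BPDU from another port of the same bridge). The three-switch topology, bridge IDs and the hub segment are constructed; the default port cost of 20000 is the 802.1t Gigabit value.

```python
from typing import Dict, List, Optional, Tuple

# A BPDU priority vector: smaller is better (RSTP compares these lexicographically).
Vector = Tuple[int, int, int, int]   # (root ID, root path cost, sender bridge ID, sender port ID)


class Port:
    def __init__(self, bridge: "Bridge", pid: int, segment: str, cost: int = 20000):
        self.bridge, self.pid, self.segment, self.cost = bridge, pid, segment, cost
        self.role = "designated"               # every port starts out designated
        self.received: Optional[Vector] = None  # best BPDU heard on the segment

    def vector(self) -> Vector:
        """The configuration BPDU this port sends while it is designated."""
        return (self.bridge.root, self.bridge.root_cost, self.bridge.bid, self.pid)


class Bridge:
    def __init__(self, bid: int):
        self.bid, self.root, self.root_cost = bid, bid, 0
        self.ports: List[Port] = []

    def add_port(self, pid: int, segment: str, cost: int = 20000) -> Port:
        port = Port(self, pid, segment, cost)
        self.ports.append(port)
        return port

    def recompute(self) -> None:
        # Root selection: own claim versus the best received BPDU plus the port's cost.
        best = (self.bid, 0, self.bid, 0, 0)
        root_port = None
        for p in self.ports:
            if p.received is None:
                continue
            root, cost, sender, sender_port = p.received
            candidate = (root, cost + p.cost, sender, sender_port, p.pid)
            if candidate < best:
                best, root_port = candidate, p
        self.root, self.root_cost = best[0], best[1]
        for p in self.ports:
            if p is root_port:
                p.role = "root"
            elif p.received is None or p.vector() < p.received:
                p.role = "designated"          # our BPDU is the best one on this segment
            elif p.received[2] == self.bid:
                p.role = "backup"              # best BPDU is our own, from another of our ports
            else:
                p.role = "alternate"           # best BPDU comes from another bridge


def converge(bridges: List[Bridge], max_rounds: int = 50) -> int:
    """Synchronous rounds of BPDU exchange; returns the number of rounds needed."""
    segments: Dict[str, List[Port]] = {}
    for b in bridges:
        for p in b.ports:
            segments.setdefault(p.segment, []).append(p)
    ports = [p for b in bridges for p in b.ports]
    for rnd in range(1, max_rounds + 1):
        for p in ports:   # only designated ports transmit; keep the best BPDU heard
            heard = [q.vector() for q in segments[p.segment] if q is not p and q.role == "designated"]
            p.received = min(heard) if heard else None
        before = [(b.root, b.root_cost, [p.role for p in b.ports]) for b in bridges]
        for b in bridges:
            b.recompute()
        after = [(b.root, b.root_cost, [p.role for p in b.ports]) for b in bridges]
        if before == after:
            return rnd
    raise RuntimeError("spanning tree did not converge")


def roles(bridges: List[Bridge]) -> Dict[str, str]:
    return {f"S{b.bid}.p{p.pid}": p.role for b in bridges for p in b.ports}


def build_example() -> List[Bridge]:
    """Constructed topology: S1 (lowest ID) is root; S1-S2 on segment A, S1-S3 on
    segment B, S2-S3 on segment C, and S3 has two ports on one hub segment D so
    that one of them ends up as a backup port."""
    s1, s2, s3 = Bridge(1), Bridge(2), Bridge(3)
    s1.add_port(1, "A")
    s1.add_port(2, "B")
    s2.add_port(1, "A")
    s2.add_port(2, "C")
    s3.add_port(1, "B")
    s3.add_port(2, "C")
    s3.add_port(3, "D")
    s3.add_port(4, "D")
    return [s1, s2, s3]
```

Running converge(build_example()) and then roles() gives S3.p2 as alternate (it hears S2's better BPDU on segment C) and S3.p4 as backup (it hears S3's own BPDU from p3 on the hub segment D), which is exactly the distinction Q9 asks for.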

Q11. Why must 802.1w use point-to-point links?

The P/A mechanism is a handshake between exactly two LAN switches. If the switches are connected through a
hub, a third device may be on the segment, so a port that forwards after a single Agreement can cause a loop.
- RSTP therefore only runs P/A on full duplex point-to-point links; on a half duplex (shared) link, or when
the link type is forced to shared, the port falls back to the timer-based transition.

Q12. Why do we need to wait for Max Age, and why does STP need to propagate TCN hop by hop?
The root port and the non-designated ports receive BPDUs and store them. A stored BPDU carries a Message
Age and stays valid until Max Age; as long as it has not aged out, the port keeps using it, so a port must
wait for Max Age before it can treat the information as stale and recalculate.

In STP only the root bridge sets the TC flag in configuration BPDUs, so a non-root bridge that detects a
change sends a TCN BPDU out of its root port; each upstream bridge acknowledges it and repeats it on its own
root port, and the TCN travels hop by hop until it reaches the root.

Section: IGP
Overview
IETF developed Open Shortest Path First (OSPF), a link state Interior Gateway Protocol (IGP), in the late
1980s as an improvement over distance-vector routing protocols.
OSPF version 1 (OSPFv1) was first defined in RFC 1131 but was soon replaced by OSPF version 2 (OSPFv2),
defined in RFC 1247. OSPFv2 brought great improvements in stability and functionality and is the version
used on existing IPv4 networks.
With the advantages of fast convergence, loop-free routing, and good scalability, OSPF is widely deployed as
a link state routing protocol.
A link state routing protocol advertises link state information. Each router on a network sends its own link
state information (including the IP address and subnet mask of the interface, the network type, and the
link cost) to the other routers. After all routers have collected the link state information of the whole
network, they know the entire network topology and use the shortest path first (SPF) algorithm to calculate
the shortest paths to all network segments.
OSPF allows multiple areas on a network. An area is a logical group, and each group is identified by an area
ID. A network segment or a link belongs to only one area; that is, you must specify the area to which each
OSPF-enabled interface belongs. Area 0 is the OSPF backbone area and is responsible for advertising routing
information between non-backbone areas. There is only one backbone area on an OSPF network.
In a single OSPF area, each router needs to collect link state information from all other routers. When a
large number of routers run OSPF, there is a lot of link state information and the link state databases
(LSDBs) on the routers grow accordingly, increasing the load on the routers and complicating maintenance and
management. To resolve this issue, OSPF partitions the Autonomous System (AS) into areas. Link state
information is flooded only within the local area; between areas, routers advertise only summary routes,
which greatly reduces the load on the routers. A router that belongs to more than one area is called an Area
Border Router (ABR). The ABR transmits inter-area routing information. The way inter-area routing
information is transmitted is similar to the distance-vector algorithm. To prevent loops between areas,
routing information between non-backbone areas must be forwarded through the backbone area. That is, each
non-backbone area is connected to the backbone area, and routers in non-backbone areas cannot exchange
routing information with each other directly.
Q1. Which factors affect OSPF peer establishment?
(1) Router ID (must be unique)
(2) Area ID
(3) Subnet mask
(4) Authentication type
(5) Authentication key
(6) Network type
(7) Option bits (the E and N bits, which encode stub and NSSA)
(8) Hello and dead intervals
(9) MTU mismatch
(10) Frame Relay map without the broadcast keyword (multicast Hellos are not sent)
A related point about virtual links: the routing updates are tunneled over the virtual link, but the data
traffic is sent natively. The transit area cannot be a stub area, because routers in a stub area do not have
routes for external destinations. Because data is sent natively, if a packet destined for an external
destination is sent into a stub area that is also a transit area, the packet is not routed correctly, since
the routers in the stub area do not have routes to specific external destinations.
Q2. Which factors affect adjacency formation (Hello), and which special areas are there?
The same factors as above.

Two special areas, identified by the option bits in the Hello:

STUB: E = 0, N = 0 (no external routes are flooded into the area)

NSSA: E = 0, N = 1 (no Type 5 LSAs, but Type 7 LSAs may be originated inside the area)

Q3. Where is the MTU checked, in what packet is the MTU value exchanged, and what happens when the MTU
differs between the two sides?
The MTU is carried in the Interface MTU field of the Database Description (DBD) packets. If the two sides
advertise different MTUs and the check is enabled, the DBD exchange fails and the neighbor stays in the
ExStart state.

Q4. Can Type 3 and Type 5 LSAs be aggregated?

Yes. On an ABR we can summarize Type 3 LSAs (inter-area routes).

On an ASBR we can summarize Type 5 LSAs (external routes).

An ABR summarizes only the intra-area routes of its own attached area; Type 3 LSAs that it receives from
another ABR are not summarized again.

Likewise, an ASBR summarizes only the routes it imports itself; Type 5 LSAs received from another ASBR are
not summarized again.


Q5. What is the difference between a silent interface in OSPF and in RIP?
In OSPF a silent interface neither sends nor receives Hello packets, so no neighbors are formed on it. In
RIP a silent interface still receives update packets but does not send updates.

Q6. If the MTUs are not the same, how do we establish the peer?

Either make the interface MTUs match, or configure the interface to ignore the MTU so that the MTU carried
in the DBD packets is not checked.
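The checks behind Q1, Q2, Q3 and Q6, as an added Python example that is not part of these notes: a checker applies the Hello parameter rules to two constructed Hello packets (area, mask, timers, authentication, E and N option bits), then the MTU rule of the DBD exchange, and reports the state the neighbor ends up in. The field names, the helper that builds sample Hellos and the sample values are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


def options_for_area(kind: str) -> Tuple[bool, bool]:
    """(E bit, N bit) as carried in the Hello of a normal, stub or NSSA area."""
    return {"normal": (True, False), "stub": (False, False), "nssa": (False, True)}[kind]


@dataclass
class Hello:
    router_id: str
    area_id: str
    netmask: str
    hello_interval: int
    dead_interval: int
    auth_type: int              # 0 none, 1 simple password, 2 cryptographic
    auth_key: Optional[str]
    e_bit: bool
    n_bit: bool
    network_type: str           # "broadcast", "p2p", "nbma" or "p2mp"


def hello_mismatches(local: Hello, remote: Hello) -> List[str]:
    """Reasons a received Hello is dropped, so the neighbor never leaves Down."""
    reasons: List[str] = []
    if local.router_id == remote.router_id:
        reasons.append("duplicate router ID")
    if local.area_id != remote.area_id:
        reasons.append("area ID")
    # RFC 2328 skips the mask check on point-to-point links.
    if "p2p" not in (local.network_type, remote.network_type) and local.netmask != remote.netmask:
        reasons.append("subnet mask")
    if local.hello_interval != remote.hello_interval:
        reasons.append("hello interval")
    if local.dead_interval != remote.dead_interval:
        reasons.append("dead interval")
    if local.auth_type != remote.auth_type:
        reasons.append("authentication type")
    elif local.auth_type and local.auth_key != remote.auth_key:
        reasons.append("authentication key")
    if local.e_bit != remote.e_bit:
        reasons.append("E bit (stub area flag)")
    if local.n_bit != remote.n_bit:
        reasons.append("N bit (NSSA flag)")
    return reasons


def dbd_mtu_mismatch(local_mtu: int, remote_mtu: int, check_mtu: bool) -> bool:
    """DBD packets carry the interface MTU; a mismatch stalls the neighbor in ExStart
    unless the MTU check is disabled (ignore MTU)."""
    return check_mtu and local_mtu != remote_mtu


def adjacency_outcome(local: Hello, remote: Hello, local_mtu: int, remote_mtu: int,
                      check_mtu: bool = True) -> Tuple[str, List[str]]:
    """Return the state the neighbor settles in, plus the reasons if something is wrong."""
    reasons = hello_mismatches(local, remote)
    if reasons:
        return "Down", reasons
    if dbd_mtu_mismatch(local_mtu, remote_mtu, check_mtu):
        return "ExStart", ["MTU mismatch in DBD"]
    if local.network_type != remote.network_type:
        # Q7/Q10: the adjacency reaches Full, but the router LSAs describe the link
        # differently, so routes across it are not calculated.
        return "Full", ["network type mismatch: routes will not be learned"]
    return "Full", []


def hello(kind: str, rid: str, ntype: str = "broadcast", hello_t: int = 10, **overrides) -> Hello:
    """Build a constructed Hello for an area of the given kind with default timers."""
    e, n = options_for_area(kind)
    fields = dict(router_id=rid, area_id="0.0.0.1", netmask="255.255.255.0",
                  hello_interval=hello_t, dead_interval=4 * hello_t,
                  auth_type=0, auth_key=None, e_bit=e, n_bit=n, network_type=ntype)
    fields.update(overrides)
    return Hello(**fields)
```

A stub router and an NSSA router on the same link never peer because only the N bit differs; a broadcast interface (10/40 s) and an NBMA interface (30/120 s) fail on timers; matching Hellos with MTUs of 1500 and 9000 stick in ExStart until the MTU check is disabled; and a point-to-point versus broadcast mismatch with matched timers reaches Full with a warning rather than a failure.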

Q7. When the OSPF peer is Full, in which scenario do the routes still have a problem?
Network type mismatch (for example, point-to-point on one side and broadcast on the other, with the Hello
and dead timers changed to match). The neighbor reaches Full, but the two router LSAs describe the link
differently, so the routes across it are not calculated.

Q8. How is OSPF designed to avoid loops?

(1) Inter-area (distance-vector approach)
First, an ABR does not use summary (Type 3) LSAs received from a non-backbone area when calculating
routes.
Second, all non-backbone areas advertise their routes into the backbone area and the backbone advertises
them into the other non-backbone areas; routes are never passed from one non-backbone area directly to
another.
(2) Intra-area (link state behavior)
All routers receive the LSAs advertised by all the other routers, so every LSDB in the area is the same.
They all run the Dijkstra (SPF) algorithm on that LSDB, which produces a loop-free tree.

In OSPF domains the area topology is restricted so that there must be a backbone area (area 0)
and all other areas must have either physical or virtual connections to the backbone. The
reason for this star-like topology is that OSPF inter-area routing uses the distance-vector
approach and a strict area hierarchy permits avoidance of the "counting to infinity" problem.

OSPF prevents inter-area routing loops by implementing a split-horizon mechanism: ABRs inject into the
backbone only Summary-LSAs derived from their intra-area routes, and the ABRs' SPF calculation considers
only the Summary-LSAs in the backbone area's link-state database.

Q9. How is EIGRP designed to avoid loops?

EIGRP uses the DUAL algorithm: a backup path is accepted as a feasible successor only if its reported
distance is lower than the current feasible distance, which guarantees that the path does not loop back
through the router itself.

Q10. When the two network types are different and we modify the hello and dead values to match, can the
peer be established or not?
Ans) It can.

P2P and broadcast can form a peer but cannot learn routes.

P2P and NBMA: same as above.

P2MP and NBMA: same as above.

(An NBMA interface does not send multicast Hellos; it sends unicast Hellos only to statically configured
neighbors, so whether it forms a peer depends on the neighbor configuration as well as on the timers.)

Q11. The LSA Type 7 forwarding address: why can't it be zero?

To stop routers in other areas from reaching the NSSA via a suboptimal path.

In an NSSA the ABR translates Type 7 LSAs into Type 5 LSAs and advertises the Type 5 LSAs to the other OSPF
areas. If the forwarding address were set to zero, traffic from the other areas would have to enter the NSSA
through the translating ABR, which creates suboptimal routing.

The real purpose of the forwarding address is to help choose the optimal path towards the external
redistributed network when the traffic comes from, or from behind, the backbone and is about to traverse the
NSSA. Only a single ABR translates the Type 7 LSA into a Type 5 LSA; this ABR is chosen by its router ID. If
there were no forwarding address in the Type 7 LSA that gets copied into the translated Type 5 LSA, all
traffic for the external network would enter the NSSA through this single ABR only, even though the path
towards the NSSA ASBR may not be optimal through that ABR. However, because the internal networks inside an
NSSA are known as inter-area (O IA) routes in the backbone through all the ABRs the NSSA has, and because
the forwarding address falls into one of these O IA routes, the backbone can make a much better decision
about which ABR should be used to enter the NSSA for this external destination. In fact, the ABR that
performs the 7-to-5 translation merely works as a route server: it injects the routes but is not the next
hop towards them; the forwarding address indicates the proper next hop.

Q12. In an NSSA, why can't all ABRs translate all routes from Type 7 to Type 5?
(1) If all the NSSA ABRs translated Type 7 into Type 5 LSAs, each route would exist twice: as a Type 7 LSA
inside the NSSA and as a Type 5 LSA coming back from area 0, and the duplicate advertisements could form a
loop.
(2) The routers in the other non-backbone areas would receive multiple LSAs for the same IP route, which
consumes router resources.

• Bit P. This bit tells the NSSA ABR whether to translate the Type 7 LSA into a Type 5 LSA.

• No Type 7/5 translation means bit P = 0.

• Type 7/5 translation means bit P = 1.

If bit P = 0, the NSSA ABR must not translate this LSA into a Type 5 LSA. This happens when the NSSA ASBR is
also an NSSA ABR (it originates the Type 5 LSA itself).

• If bit P = 1, the NSSA ABR must translate this Type 7 LSA into a Type 5 LSA. If there are multiple NSSA
ABRs, the one with the highest router ID does the translation.
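Q11 and Q12 together, as an added Python example that is not from these notes: the translator is elected by highest router ID, only Type 7 LSAs with the P bit set are translated, the forwarding address is copied into the Type 5 LSA, and a backbone router then resolves that forwarding address against its O IA routes to pick the cheapest ABR into the NSSA, whereas a zero forwarding address forces it through the translator. Router IDs, prefixes and costs are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Type7LSA:
    prefix: str
    advertising_router: str     # the NSSA ASBR
    p_bit: bool                 # 1: an ABR may translate; 0: the ASBR is itself an ABR
    forwarding_address: str     # 0.0.0.0 means "reach me via the advertising router"
    metric: int
    metric_type: int = 2


@dataclass(frozen=True)
class Type5LSA:
    prefix: str
    advertising_router: str     # the translating ABR
    forwarding_address: str     # copied from the Type 7 LSA
    metric: int
    metric_type: int


def _rid_key(rid: str) -> Tuple[int, ...]:
    return tuple(int(octet) for octet in rid.split("."))


def elect_translator(nssa_abrs: List[str]) -> str:
    """Only one NSSA ABR translates: the one with the highest router ID."""
    return max(nssa_abrs, key=_rid_key)


def translate(lsas: List[Type7LSA], nssa_abrs: List[str], my_rid: str) -> List[Type5LSA]:
    """Type 5 LSAs this ABR injects into area 0 (none unless it is the translator)."""
    if my_rid != elect_translator(nssa_abrs):
        return []
    return [Type5LSA(l.prefix, my_rid, l.forwarding_address, l.metric, l.metric_type)
            for l in lsas if l.p_bit]            # P = 0: the ASBR/ABR originates its own Type 5


def entry_abr(lsa: Type5LSA, ia_routes: Dict[str, List[Tuple[str, int]]]) -> str:
    """Which ABR a backbone router uses to enter the NSSA for this external route.
    ia_routes maps an inter-area (O IA) prefix to [(abr, cost), ...]."""
    if lsa.forwarding_address == "0.0.0.0":
        return lsa.advertising_router          # forced through the translator
    fa = ipaddress.ip_address(lsa.forwarding_address)
    best: Optional[Tuple[str, int]] = None
    for prefix, paths in ia_routes.items():
        if fa in ipaddress.ip_network(prefix):
            for abr, cost in paths:
                if best is None or cost < best[1]:
                    best = (abr, cost)
    if best is None:
        raise ValueError("forwarding address is not covered by any O IA route")
    return best[0]


# Constructed scenario: ABR 2.2.2.2 has the higher router ID and is the translator,
# but backbone routers reach the ASBR's internal subnet more cheaply through 1.1.1.1.
NSSA_ABRS = ["1.1.1.1", "2.2.2.2"]
ASBR_LSAS = [
    Type7LSA("192.0.2.0/24", "3.3.3.3", True, "10.1.3.3", 20),
    Type7LSA("198.51.100.0/24", "2.2.2.2", False, "0.0.0.0", 20),  # ASBR that is also an ABR
]
IA_ROUTES = {"10.1.3.0/24": [("1.1.1.1", 10), ("2.2.2.2", 30)]}
```

Only 2.2.2.2 produces a Type 5 LSA, and only for the P = 1 route; a backbone router that resolves its forwarding address 10.1.3.3 enters the NSSA through 1.1.1.1 at cost 10, whereas the same route with a zero forwarding address would be sent through the translator 2.2.2.2 at cost 30, which is the suboptimal path Q11 warns about.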

OSPF AREA 0

Please refer to the topology below:

Ans: After area 0 is partitioned, if ABR D still has a full adjacency in area 0, then ABR D cannot reach the
opposite part of area 0 (it ignores the summary LSAs arriving through area 1). If ABR C does not have a full
adjacency in area 0, then ABR C may reach the opposite part of area 0 through area 1.

Q. If the C-A peer is down but the port on C's side is up, can C ping A, B or D?

1. When can C not access area 0? Explain why area 0's routes cannot be learned.
A: When router C still has a peer established in area 0, router C cannot reach the rest of area 0.
As long as it has an adjacency in area 0, router C is attached to the backbone and, as an ABR, examines only
the Type 3 LSAs in its area 0 LSDB. When the A-C peer is down, the Type 3 LSAs that router D generates for
the routes of area 0 reach router C only through area 1, and router C cannot see a path to router D through
area 0, so it ignores those Type 3 LSAs and receives no routes from area 0.

2. The A-C peer is down but the A-C interface is up. Imagine there is a network X between A and C: in which
direction does router D reach X?
Imagine a new router E is added between C and D: in which direction does router E reach X?
A: Router C generates Type 3 LSAs for X into area 1, and they reach router D; router D rejects Type 3 LSAs
received from a non-backbone area, so router D reaches the network via B-A.
Router E receives Type 3 (summary) LSAs for X from both router C and router D and chooses the path to X
according to the cost.
Virtual link

How many applications does an OSPF virtual link have? What are the shortcomings of a virtual link?
1. Connect an area that has no direct connection to the backbone area through another non-backbone area;
2. Connect two partitioned parts of the backbone through a non-backbone area;
3. Provide a backup path for the backbone area;
4. Create an equal-cost route.

Virtual-link issues:

1. Route summarization in area 0 can cause a loop;
2. A router ID conflict causes network flapping;
3. It can cause loops.

Virtual links cannot go through more than one area, nor through stub areas. Virtual links can only run
through standard non-backbone areas. If a virtual link needs to be attached to the backbone across two
non-backbone areas, two virtual links are required, one per area.

Also, area ranges (summarization) configured for the backbone area are inactive in a transit area (that is,
networks internal to the backbone are advertised without summarization into transit areas even if area
ranges are configured for the backbone).

A virtual link makes the network more complex and harder to troubleshoot, and in some scenarios it causes
loops. It is better to design the areas properly, especially the redundancy of the backbone area. If you
need to configure a virtual link, it is better as a temporary solution only; a virtual link is a sign that
the network needs to be redesigned, and a permanent virtual link is a bad network design.
RTC will cause a loop after route summarization in area 2.
Virtual link loop scenario 1:
Solution:
Establish a virtual link between R3 and R4.

Change the virtual link from R1-R3 to R2-R3.

Or add one more virtual link between R2 and R3.

A virtual link is established between two routers of a non-backbone area. Both routers have the full LSDB
of that non-backbone area, so after SPF the remote end appears in the SPF tree, and the router detects the
state of the remote end through SPF.
If there are other routers between the two ends of the virtual link, how is the state detected? (In the same
way: through the transit area's SPF tree.)

Please explain how area 0 aggregates?

If a router ID conflict causes network flapping, how to avoid it?
Plan the router IDs before implementation: configure the OSPF router ID first and then the OSPF process.

Normally we do not suggest modifying the router ID. If the router ID is modified, the router ID configured
on the virtual link must be modified as well.
What is the OSPF rule for choosing a path?

1. Intra-area routes
2. Inter-area routes
3. Type 1 external routes
4. Type 2 external routes

OSPF path selection rule:

Intra-area > inter-area > ASE Type 1 > ASE Type 2 > NSSA Type 1 > NSSA Type 2

Intra-area route

Inter-area route

ASE Type 1 route

If the same route is carried as Type 1 in both a Type 5 LSA and a Type 7 LSA, the cost is compared.

ASE Type 2 route

If the same route is carried as Type 2 in both a Type 5 LSA and a Type 7 LSA, the cost is compared.

Two OSPF processes:

If one router runs two OSPF processes and both processes learn the same route (same type and same cost),
how many routes does the router have?

A: Two (one from each process; with equal preference and cost both are installed).
OSPF ISIS Section

ISIS:
Overview:
Intermediate System to Intermediate System (IS-IS) is a dynamic routing
protocol initially designed by the International Organization for Standardization
(ISO) for its Connectionless Network Protocol (CLNP).
To support IP routing, the Internet Engineering Task Force (IETF) extended and
modified IS-IS in RFC 1195. This modification enables IS-IS to apply to TCP/IP and
OSI environments. This version of IS-IS is called Integrated IS-IS or Dual IS-IS.
IS-IS is an Interior Gateway Protocol (IGP) that runs within an autonomous
system (AS). IS-IS is a link state protocol and uses the shortest path first (SPF)
algorithm to calculate routes. It is similar to OSPF in many aspects.
IS-IS uses a two-level hierarchy in a routing domain to support large-scale
routing networks. A large routing domain is divided into one or more areas.
Level-1 routers manage intra-area routes. Level-2 routers manage inter-area routes.
The topology of an IS-IS network is similar to the multi-area topology of an
OSPF network. Generally, all devices in the backbone area are Level-2 routers.
Non-backbone areas contain Level-1 routers and connect to the backbone area
through Level-1-2 routers. The backbone area in IS-IS is not a fixed area, that is,
the area ID varies.
The networking is one of the differences between IS-IS and OSPF. In OSPF,
inter-area routes must be forwarded through the backbone area, and only routers
in the same area use the SPF algorithm. In IS-IS, both Level-1 and Level-2 routes
are calculated using the SPF algorithm to generate the shortest path tree (SPT).
Q. What's the difference between IS-IS and OSPF?

 In OSPF, area boundaries are on the routers; in IS-IS, area boundaries are on the links.
 IS-IS allows pre-empting of the DIS, whereas OSPF does not.
 In OSPF, DROTHERs do not form adjacencies with other DROTHERs on broadcast multi-access (BMA) networks, while in an
IS-IS environment, ISs form adjacencies with all.
LAB Question

In the lab, VLAN 15 and VLAN 30 connect with each other, and the traffic must first go through VLAN 35.

Why do you design it like this? What is the purpose?

In the lab, VLAN 15 reaches VLAN 30 via VLAN 35; how do you think about it?

A: A virtual link is configured between R3 and R5, so R3 becomes an ABR, and R5 can learn the VLAN 30 route from R3.

If no virtual link is configured between R3 and R5, VLAN 30 accesses VLAN 15 via R3 and R5, but the return traffic does not go via R3 and R5, because R5 learns the VLAN 30 route via the Frame Relay backbone.

The requirement is that traffic between VLAN 15 and VLAN 30 goes via VLAN 35, so R5 needs to learn the VLAN 30 route via R3.

The VLAN 15 device chooses R5 to access VLAN 30.

Configure a virtual link between R3 and R5, so R5 learns the VLAN 30 route via R3 with a higher priority than the Frame Relay route, which achieves the requirement.

OSPF AREA 0 AUTHENTICATION

What should we be careful about with OSPF Area 0 authentication?

With OSPF area 0 authentication, take care that the routers at both ends of a virtual link are backbone routers; even if a router has no interface running in the backbone area, authentication still needs to be configured for the backbone area on it, otherwise the virtual link cannot be established.

Q: What if authentication is enabled on the virtual-link?


A: Authentication only has effect during the initial Hello packet exchange and any
consequent LSAs exchanges. If you apply authentication after the virtual link
went up and become fully adjacent, you will see link remaining in the up state,
even if authentication settings do not match. However, in case of mismatching
authentication the routers would not be able to exchange LSAs – the LS update
packets will never get acknowledged.

Does the OSPF authentication packet carry the key or a hash value?


OSPF authentication can either be none (or null), simple, or MD5. The authentication method "none"
means that no authentication is used for OSPF and it is the default method. With simple authentication,
the password/key goes in clear-text over the network. With MD5 authentication, the password/key
does not pass over the network. MD5 is a message-digest algorithm.

MD5 authentication provides higher security than plain text authentication. This method uses
the MD5 algorithm to compute a hash value from the contents of the OSPF packet and a
password (or key). This hash value is transmitted in the packet, along with a key ID and a non-
decreasing sequence number. The receiver, which knows the same password, calculates its
own hash value. If nothing in the message changes, the hash value of the receiver should match
the hash value of the sender which is transmitted with the message.

The key ID allows the routers to reference multiple passwords. This makes password migration
easier and more secure. For example, to migrate from one password to another, configure a
password under a different key ID and remove the first key. The sequence number prevents
replay attacks, in which OSPF packets are captured, modified, and retransmitted to a router. As
with plain text authentication, MD5 authentication passwords do not have to be the same
throughout an area. However, they do need to be the same between neighbors.
When OSPF uses MD5 authentication, the OSPF packet's authentication field carries the key ID, the length of the authentication data and the cryptographic sequence number.

The OSPF packet does not carry the key.

The message digest is appended after the OSPF packet; the authentication data length describes the length of that digest.

When OSPF uses simple authentication, the OSPF packet carries the key itself.
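As an added example (not from the notes), the following Python simulates the two authentication modes just described: simple authentication places the key itself in the packet, while MD5 authentication carries only the key ID, digest length, sequence number and a digest of packet plus key, so a receiver can detect a wrong key, a modified packet and a replayed packet. The packet bytes, key and neighbor names are constructed; for simplicity the auth field is appended after the packet rather than placed at header offset 16.

```python
import hashlib
import hmac
import struct
from typing import Dict

# Added example (not from the notes): simple vs. MD5 OSPF authentication,
# following the RFC 2328 Appendix D field layout. Packet bytes and keys are
# constructed for illustration only.

AUTH_LEN = 16  # MD5 digest length carried in the "auth data length" byte


def simple_auth(packet: bytes, key: bytes) -> bytes:
    """Simple authentication: the 8-byte key itself fills the auth field."""
    return packet + key.ljust(8, b"\x00")[:8]


def md5_auth(packet: bytes, key: bytes, key_id: int, seq: int) -> bytes:
    """MD5 authentication: the auth field carries 2 reserved bytes, the key ID,
    the digest length and the cryptographic sequence number; the digest of
    (packet + auth field + key padded to 16 bytes) is appended after the packet.
    The key itself never appears on the wire."""
    auth_field = struct.pack("!HBBI", 0, key_id, AUTH_LEN, seq)
    body = packet + auth_field
    digest = hashlib.md5(body + key.ljust(16, b"\x00")[:16]).digest()
    return body + digest


class Md5Receiver:
    """Neighbor side: checks the digest and the non-decreasing sequence number."""

    def __init__(self, keys: Dict[int, bytes]):
        self.keys = keys                       # key ID -> key (allows key migration)
        self.last_seq: Dict[str, int] = {}     # per neighbor, last accepted sequence

    def verify(self, neighbor: str, wire: bytes) -> bool:
        if len(wire) < 8 + AUTH_LEN:
            return False
        body, digest = wire[:-AUTH_LEN], wire[-AUTH_LEN:]
        _, key_id, auth_len, seq = struct.unpack("!HBBI", body[-8:])
        key = self.keys.get(key_id)
        if key is None or auth_len != AUTH_LEN:
            return False                       # unknown key ID or bad length
        expected = hashlib.md5(body + key.ljust(16, b"\x00")[:16]).digest()
        if not hmac.compare_digest(expected, digest):
            return False                       # wrong key or modified packet
        if seq < self.last_seq.get(neighbor, 0):
            return False                       # replayed (older) packet
        self.last_seq[neighbor] = seq
        return True


def key_on_wire(wire: bytes, key: bytes) -> bool:
    """Does the key appear in clear anywhere in the transmitted bytes?"""
    return key in wire
```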

BGP

Q. How does BGP choose the best path?


Prefers the manually summarized route, automatically summarized route, route imported using the network
command, route imported using the import-route command, and route learned from peers. These routes are in
descending order of priority
Q. How does BGP avoid loops? What mechanism?
IBGP peers avoid loops via IBGP split horizon.

EBGP peers avoid loops via AS_PATH.

After an RR is configured, the RR avoids loops via CLUSTER_LIST, and RR clients avoid loops via ORIGINATOR_ID.

Also explain the possible loop after BGP aggregation; the solution is as-set.

Q. Why will IBGP generate a routing loop? If there were no IBGP split horizon, how would it generate a
loop? If BGP chooses the best path, how can it cause a loop? When will it generate a loop? Please
explain.
Routes advertised via IBGP: IBGP does not have a mechanism like EBGP's AS_PATH to avoid loops, so a loop can happen.

For example, routers A, B and C establish IBGP peerings. When router A advertises one route, routers B and C learn it.
Without split horizon, routers B and C will also advertise this route, so B and C each have the same
route from different advertisers. Imagine the network behind A goes down: C will choose the route from B, router A also
learns this route via router C, and router B learns it via router A, so a loop happens.

BGP Attributes

How many Attributes of BGP Explain?

BGP Attributes
Well-known mandatory attribute : All BGP devices can identify this type of attributes, which
must be carried in Update messages. Without this type of attributes, errors occur in routing
information.
Well-known discretionary attribute : All BGP devices can identify this type of attributes,
which are optional in Update messages. Without this type of attributes, errors do not occur in
routing information.
Optional transitive attribute : BGP devices may not identify this type of attributes but still
accept them and advertise them to peers.
Optional non-transitive attribute :BGP devices may not identify this type of attributes. If a
BGP device does not identify this type of attributes, it ignores them and does not advertise
them to peers.
Origin : Origin attribute defines the origin of a route and marks the path of a BGP route. The
Origin attribute is classified into three types:
IGP : A route with IGP as the Origin attribute is of the highest priority. The Origin attribute of
the routes imported into a BGP routing table using the network command is IGP.
EGP : A route with EGP as the Origin attribute is of the secondary highest priority. The Origin
attribute of the routes obtained through EGP is EGP.
Incomplete : A route with Incomplete as the Origin attribute is of the lowest priority. The
Origin attribute of the routes learned by other means is Incomplete. For example, the Origin
attribute of the routes imported by BGP using the import-route command is Incomplete.

AS_Path : It records all the ASs that a route passes through from the source to the destination
in the vector order. To prevent inter-AS routing loops, a BGP device does not receive the routes
of which the AS_Path list contains the local AS number.

When a BGP speaker advertises an imported route:


If the route is advertised to EBGP peers, the BGP speaker creates an AS_Path list containing
the local AS number in an Update message.

If the route is advertised to IBGP peers, the BGP speaker creates an empty AS_Path list in an
Update message.

When a BGP speaker advertises a route learned in the Update message sent by another BGP
speaker:

If the route is advertised to EBGP peers, the BGP speaker adds the local AS number to the
leftmost of the AS_Path list. According to the AS_Path list, the BGP speaker that receives the
route can learn about the ASs through which the route passes to reach the destination. The
number of the AS that is nearest to the local AS is placed on the top of the AS_Path list. The
other AS numbers are listed according to the sequence in which the route passes through ASs.
If the route is advertised to IBGP peers, the BGP speaker does not change the AS_Path
attribute of the route.
Next_Hop

The Next_Hop attribute records the next hop that a route passes through. The Next_Hop
attribute of BGP is different from that of an IGP because it may not be the neighbor IP address.
A BGP speaker processes the Next_Hop attribute based on the following rules:
When advertising a route to an EBGP peer, a BGP speaker sets the Next_Hop attribute of the
route to the address of the local interface through which the BGP peer relationship is
established with the peer.

When advertising a locally originated route to an IBGP peer, the BGP speaker sets the
Next_Hop attribute of the route to the address of the local interface through which the BGP
peer relationship is established with the peer.

When advertising a route learned from an EBGP peer to an IBGP peer, the BGP speaker does
not change the Next_Hop attribute of the route.

Local_Pref
The Local_Pref attribute indicates the BGP preference of a device and helps determine the
optimal route when traffic leaves an AS. When a BGP device obtains multiple routes to the
same destination address but with different next hops from different IBGP peers, the BGP
device prefers the route with the highest Local_Pref. The Local_Pref attribute is exchanged only
between IBGP peers and is not advertised to other ASs. The Local_Pref attribute can be
manually configured. If no Local_Pref attribute is configured for a route, the Local_Pref
attribute of the route uses the default value 100.
MED

The multi-exit discriminator (MED) attribute helps determine the optimal route when traffic
enters an AS. When a BGP device obtains multiple routes to the same destination address but
with different next hops from EBGP peers, the BGP device selects the route with the smallest
MED value as the optimal route.
The MED attribute is exchanged only between two neighboring ASs. The AS that receives the
MED attribute does not advertise it to any other ASs. The MED attribute can be manually
configured. If no MED attribute is configured for a route, the MED attribute of the route uses
the default value 0.

Community
The Community attribute identifies the BGP routes with the same characteristics, simplifies the
applications of routing policies, and facilitates route maintenance and management.
The Community attribute includes self-defined community attributes and well-known
community attributes. Table 2 lists well-known community attributes.
Originator_ID and Cluster_List
The Originator_ID attribute and Cluster_List attribute help eliminate loops in route reflector
scenarios.
What are the optional non-transitive attributes?
Ans. MED

CLUSTER_LIST

ORIGINATOR_ID

Q.BGP Community in MPLS VPN

BGP RR

Q. BGP RR: how many attributes does it use, how does it avoid loops, and what is the IBGP loop avoidance mechanism?
A BGP RR uses two BGP attributes: one is Cluster_List, the other is Originator_ID.

Originator_ID:

Routers A and B are configured as RRs, and they have the same client, router C. One route X is advertised, so A and B
both advertise this X, and there are two sources for X. When the path via C goes down, A chooses the
route via B and advertises this route to C; router B reaches C via network X, so router C reaches
X via A, and a loop is caused.
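The AS_PATH, Originator_ID and Cluster_List checks described above, together with the plain IBGP split-horizon case from the loop question earlier, as an added Python example that is not part of the notes; the speakers, AS numbers, router IDs and prefixes are constructed.

```python
from dataclasses import dataclass, field, replace
from typing import Dict, Optional, Tuple

# Added example (not from the notes): minimal BGP speakers that apply the
# AS_PATH, Originator_ID, Cluster_List and IBGP split-horizon loop checks.
# All AS numbers, router IDs and prefixes are constructed.


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: Tuple[int, ...] = ()            # leftmost = AS nearest to the receiver
    originator_id: Optional[str] = None      # router ID of the originating client
    cluster_list: Tuple[str, ...] = ()       # cluster IDs the route has passed


@dataclass
class Speaker:
    name: str
    asn: int
    router_id: str
    cluster_id: Optional[str] = None         # set only on a route reflector
    rib: Dict[str, Route] = field(default_factory=dict)

    def receive(self, route: Route, peer: "Speaker") -> bool:
        """Apply the loop checks from the notes; True means the route is accepted."""
        if self.asn in route.as_path:
            return False          # EBGP loop: local AS already in AS_PATH
        if route.originator_id == self.router_id:
            return False          # RR client: its own route reflected back
        if self.cluster_id is not None and self.cluster_id in route.cluster_list:
            return False          # RR: route already passed through this cluster
        self.rib[route.prefix] = route
        return True

    def advertise(self, route: Route, peer: "Speaker",
                  learned_from: Optional["Speaker"] = None) -> Optional[Route]:
        """Build the Update sent to peer, or None when split horizon forbids it."""
        if peer.asn != self.asn:
            # EBGP: prepend the local AS at the leftmost position
            return replace(route, as_path=(self.asn,) + route.as_path)
        if learned_from is not None and learned_from.asn == self.asn:
            if self.cluster_id is None:
                return None       # plain IBGP split horizon: never re-advertise IBGP routes
            # Route reflector: stamp originator (if absent) and prepend own cluster ID
            return replace(route,
                           originator_id=route.originator_id or learned_from.router_id,
                           cluster_list=(self.cluster_id,) + route.cluster_list)
        return route              # locally originated or EBGP-learned route: AS_PATH unchanged
```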
LAB Question

Q. In the lab, what configuration issue was there in BGP and how did you resolve it? BGP has 13 rules for selecting the
best path. How many well-known attributes are there and what is their concept? In BGP, how are internal
loops and external loops avoided? What is the mechanism and how does it work? Explain CLUSTER_LIST and MED;
also explain the ORIGINATOR_ID attribute.
Which attribute and rule can achieve load balancing? And can BGP also generate a loop? How?
Multicast: IGMP snooping: What is the mechanism of IGMP snooping and the difference
from IGMP proxy? What is the IGMP shortcoming? Will snooping check all multicast packets or
not, and how does it do it?
A: After IGMP snooping is enabled, the LAN device listens to the IGMP packets exchanged
between the L2 and L3 devices, analyses the information the packets carry (packet type, multicast group address, receiving
port) and establishes a Layer 2 multicast forwarding table, which guides multicast forwarding. To reduce the number of IGMP Report
and IGMP Leave packets, IGMP snooping proxy can be enabled, so the device acts as an agent that aggregates the Report packets
from downlink hosts toward the uplink. A device configured with IGMP snooping proxy is called an IGMP snooping proxy
agent: toward the uplink it appears as a host, and toward the downlink it appears as the querier.

IGMP snooping
 It is a basic Layer 2 multicast function that forwards and controls multicast traffic at Layer 2.
 Switch at the edge of the access layer forwards the multicast packets to receiver hosts. If Switch
does not run IGMP snooping, it broadcasts multicast packets at Layer 2. After IGMP snooping is
configured, Switch forwards multicast packets only to specified hosts.
 With IGMP snooping configured, Switch listens on IGMP messages exchanged between Router
and hosts. It analyzes packet information (such as packet type, group address, and receiving
interface) to set up and maintain a Layer 2 multicast forwarding table, and forwards multicast
packets based on the Layer 2 multicast forwarding table.
 Limitation of IGMP snooping: the IGMP snooping device only analyses the IGMP packets it receives, so it
can establish a MAC-to-port mapping table to forward data, but the L2 device cannot tell which multicast
packets are IGMP packets, so all multicast packets are sent to the CPU, which causes CPU load.
 IGMP Messages
o IGMP General Query message
o IGMP Report message
o IGMP Leave message
o IGMP Group-Specific/Group-Source-Specific Query message
 IGMP Snooping Ports
o Router port, Member port
 IGMP snooping's purpose is to avoid flooding unnecessary multicast traffic.
 IGMP snooping proxy's purpose is to reduce the number of packets sent from downlink to uplink.

IGMP Snooping Proxy:


 When IGMP snooping is configured on Switch, it forwards IGMP Query, Report, and Leave
messages transparently to the upstream Router. When numerous hosts exist on the
network, redundant IGMP messages increase the burden of Router.
 With IGMP snooping proxy configured, Switch can terminate IGMP Query messages sent
from Router and IGMP Report/Leave sent from downstream hosts. Switch functions as a
host for its upstream device and a querier for its downstream hosts. Layer 3 device
considers that it interacts with only one user.
 IGMP snooping proxy function conserves bandwidth by reducing IGMP message
exchanges.
o IGMP snooping proxy functions as a querier to process protocol messages received
from downstream hosts and maintain group memberships. This reduces the load of
the upstream Layer 3 device.
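An added Python model (not from the notes) of the snooping table and the proxy behaviour described above: queries mark the router port, reports add member ports, data is forwarded only to member and router ports, and in proxy mode duplicate Reports and non-final Leaves are suppressed toward the upstream router. Port names and group addresses are constructed.

```python
from typing import Dict, List, Set

# Added example (not from the notes): a minimal IGMP snooping switch with an
# optional snooping-proxy mode. Port names and groups are constructed.


class IgmpSnoopingSwitch:
    def __init__(self, ports: List[str], proxy: bool = False):
        self.ports = list(ports)
        self.proxy = proxy
        self.router_ports: Set[str] = set()        # ports toward the querier (Layer 3 device)
        self.members: Dict[str, Set[str]] = {}     # group address -> member ports
        self.upstream_sent: List[str] = []         # IGMP messages passed toward the router

    def on_igmp(self, msg: str, port: str, group: str = "") -> Set[str]:
        """Process one IGMP message; return the ports it is forwarded to."""
        if msg == "QUERY":
            self.router_ports.add(port)            # a query identifies the router port
            return set(self.ports) - {port}        # general queries reach every host
        if msg == "REPORT":
            first = not self.members.get(group)    # first member of this group?
            self.members.setdefault(group, set()).add(port)
            if self.proxy and not first:
                return set()                       # proxy: group already reported upstream
            self.upstream_sent.append(f"REPORT {group}")
            return self.router_ports - {port}
        if msg == "LEAVE":
            self.members.get(group, set()).discard(port)
            if self.proxy and self.members.get(group):
                return set()                       # proxy: other members remain, no Leave upstream
            self.upstream_sent.append(f"LEAVE {group}")
            return self.router_ports - {port}
        raise ValueError(f"unknown IGMP message {msg}")

    def forward_data(self, group: str, ingress: str) -> Set[str]:
        """Multicast data goes to member ports and router ports only; an unknown
        group is flooded in the VLAN, as a switch without snooping would do."""
        if group in self.members:
            return (self.members[group] | self.router_ports) - {ingress}
        return set(self.ports) - {ingress}
```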
LAB multicast issue: In the lab, R3 cannot learn information from the C-BSR. What is the cause of
this issue, and why? And what is the solution?
What issue did we face on R5? Explain and describe. Why does the R5 multicast packet need to go through R1?

R3 has two PIM neighbors, R4 and R5.

R3 receives the C-BSR message from R4. In the diagram, R3's RPF neighbor is R5 and the next hop is 10.1.35.1, so
R4's C-BSR message does not pass the RPF check.

R3 does not receive the C-BSR message from R5, because R5 has the issue below: R5 cannot learn the message, so it does not
send the message to R3, and R3 cannot learn the C-BSR message.

A multicast static route can be configured to resolve the issue.

R5 faces two issues:

First, R5 cannot learn the C-BSR message.

In the topology, R5's neighbor is R1, next hop 10.1.145.1. In the routing table, R5's next hop to the C-BSR is
10.1.145.4, so the RPF check fails; you can configure a multicast static route to resolve it.

Second, R5 cannot learn the RP information.

Once R5 can learn the BSR message, according to the RP-Set in the BSR message it knows that R2's loopback0 is
the RP for multicast group 238.10.10.10. In the topology, R5 has two load-balanced paths to the RP, so it has two next hops,
10.1.145.1 and 10.1.145.4, and R5 chooses 10.1.145.4 as the best path, so the RPF check fails; you can
configure a multicast static route with next hop 10.1.145.1.

R5's interface statically joins multicast group 238.10.10.10, so it sends a PIM Join message to the RP. After the SPT
switchover succeeds and traffic is forwarded, R5 could reach RO via R3 and R4, but R5 and R4 are not PIM peers, so R5
can only forward traffic via R1.
DHCP snooping
How does DHCP snooping work to avoid risks? In topology 8.2, which feature did they use?
If one PC gets an IP address first, and DHCP snooping is configured afterwards, what will happen?
DHCP snooping provides the trusted interface and listening functions.

Trusted Interface
DHCP snooping supports the trusted interface and untrusted interfaces to ensure that
DHCP clients obtain IP addresses from an authorized DHCP server.
If a private DHCP server exists on a network, a DHCP client may obtain an incorrect IP address
and network configuration parameters from it, leading to communication failure. The trusted
interface controls the source of DHCP Reply messages to prevent bogus or unauthorized
DHCP servers from assigning IP addresses and other configurations to DHCP clients.

Only a trusted port forwards DHCP response packets.

An untrusted port discards DHCP server packets such as DHCP ACK, DHCP NAK and DHCP Offer, and also DHCP Decline packets.

The administrator configures the interface directly or indirectly connected to an authorized
DHCP server as the trusted interface, and other interfaces as untrusted interfaces. This
ensures that DHCP clients obtain IP addresses from authorized DHCP servers.

Listening
DHCP snooping listening function records mappings between IP and MAC addresses of DHCP
clients.DHCP snooping binding table is generated by listening to DHCP Request/ Reply messages.
A binding table contains the MAC address, IP address, port number, and VLAN ID of the DHCP
client.

The device can check DHCP messages against the DHCP snooping binding table to prevent
bogus DHCP message attacks.

DHCP snooping binding table is used by functions like IPSG and DAI

If one PC gets an IP address first and DHCP snooping is configured afterwards, DHCP snooping cannot ensure that this PC
got its IP address from an authorized DHCP server; it also has no DHCP snooping binding entry for this PC, so if
IPSG and DAI are configured, this PC's packets will be discarded.
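An added Python example (not from the notes) of the trusted-port filter, the binding table learned from the Request/ACK exchange, and the IPSG/DAI-style check against it, including the case just described of a PC that got its address before snooping was enabled. Port names, MAC addresses and IP addresses are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Added example (not from the notes): DHCP snooping port filtering, binding
# table and the IPSG/DAI check. All ports, MACs and addresses are constructed.

SERVER_MSGS = {"OFFER", "ACK", "NAK"}      # only legitimate when received on a trusted port


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    port: str
    vlan: int


class DhcpSnoopingSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.bindings: Dict[str, Binding] = {}            # client MAC -> binding entry
        self._pending: Dict[str, Tuple[str, int]] = {}    # MAC -> (port, vlan) seen in REQUEST

    def handle_dhcp(self, msg: str, port: str, vlan: int, client_mac: str,
                    yiaddr: Optional[str] = None) -> str:
        """Return 'forward' or 'drop' for one DHCP message and update the table."""
        if msg in SERVER_MSGS and port not in self.trusted:
            return "drop"                                  # reply from a bogus server
        if msg == "REQUEST":
            self._pending[client_mac] = (port, vlan)       # remember the client's port/VLAN
        elif msg == "ACK" and client_mac in self._pending and yiaddr:
            cport, cvlan = self._pending.pop(client_mac)   # ACK from trusted server completes entry
            self.bindings[client_mac] = Binding(client_mac, yiaddr, cport, cvlan)
        elif msg == "RELEASE":
            self.bindings.pop(client_mac, None)
        return "forward"

    def matches_binding(self, ip: str, mac: str, port: str, vlan: int) -> bool:
        """IPSG / DAI style check: the source must match a learned binding on this
        port and VLAN. A host with no entry (e.g. addressed before snooping was
        enabled) fails this check and is dropped."""
        b = self.bindings.get(mac)
        return b is not None and (b.ip, b.port, b.vlan) == (ip, port, vlan)
```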
VRRP:
What is the concept of priority 0 and 255? When are priority 0 and 255 used? Explain the VRRP
application.

VRRP priority 0 is used when the master gives up the master role for the virtual IP address; when the VRRP router's interface
goes down, the interface priority becomes 0.

Priority 255 is used when the VRRP router's interface IP is the same as the virtual IP address; then the priority is
255.
With the development of the Internet, people have higher requirements for network reliability. For Local Area Network (LAN) users, it is important to be
in contact with the external network at any time.Generally, all the hosts in an internal network are configured with the same default route. The internal
hosts send all the packets whose destination addresses are not on the local network segment to the default egress gateway. The internal hosts can
thus communicate with the external network. When the egress gateway is Down, all the hosts using this gateway fail to communicate with external
networks

1) In what scenario does a physical interface work as the master?

IP addresses are not enough.
To ensure this router becomes the master.
2) In what scenario does priority 0 appear?
When the master router gives up the master role, the priority is 0.
When the router's VRRP interface goes down, it is 0.

3) Why can't priority 255 be configured manually?

255 means the router is the master whose VRRP virtual IP is its interface IP; so router A is the master, and if we could
configure priority 255 manually, it would cause an IP conflict.

4) When must 255 be used?

When we want to make one router the VRRP master, we configure the interface IP as the VRRP virtual IP; then
this interface's VRRP priority is 255.
5) When we have two backup groups, what should be configured on the DHCP server and
what should we be careful about?

Configure two DHCP servers, and each DHCP server uses a different gateway, OR you can
configure multiple gateways in one DHCP server.
Traffic Shaping: Traffic policing and traffic shaping limit traffic and resource usage by monitoring the traffic
rate. Generally, token buckets are used to assess traffic.

Traffic Shaping Use: When the rate of an interface on a downstream device is slower than that of an
interface on an upstream device or burst traffic occurs, traffic congestion may occur on the downstream
device interface. Traffic shaping can be configured on the interface of an upstream device so that
outgoing traffic is sent at an even rate and congestion is avoided.
Traffic Shaping Process: The traffic shaping technology is used on an interface, a sub-interface, or in an
interface queue, and can limit the rate of all the packets on an interface or the packets of a certain type
passing through an interface
How many ways are there for traffic shaping? Between a LAN switch and a router, what is the difference in traffic policing?

Two ways of traffic shaping: interface-based and class-based.

A LAN switch is based on hardware, a router on software; a LAN switch has 4 queues, a router has 256
queues.

GTS: can be used on all interfaces; shaping is based on different traffic classes; GTS uses the WFQ mechanism.

GTS can be used with any queue, like FIFO, PQ, CQ, WFQ.

FRTS: can only work on Frame Relay interfaces; it is used for PVC shaping. FRTS can be used with PQ, CQ, WFQ; FRTS
only can be used with WFQ.

Class-based traffic shaping: flexible to use.

Comparison of Policing & Shaping:

Adaptive Traffic Shaping


Traffic shaping solves the problem of packets discarded on the inbound interface of the downstream
device when the rate of the inbound interface on the downstream device is smaller than the rate of the
outbound interface on the upstream device. In some scenarios, the interface rate of the downstream
device is variable, so the upstream device cannot determine the traffic shaping parameters. Configure
an adaptive traffic profile and associate an NQA test instance with the adaptive traffic profile so that the
device can dynamically adjust traffic shaping parameters based on the NQA result.

1、 Traffic policing directly discards packets that do not conform to the policing rate; traffic shaping caches the packets
first, and when CAR has enough tokens again, it forwards the packets cached before.
2、 Traffic policing supports remarking, but it discards too many packets, which may cause retransmission;
traffic shaping discards fewer packets than traffic policing, but it causes delay and jitter.
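An added Python example (not from the notes) of one token bucket (CAR) feeding a policer and a shaper, showing the difference listed above: the policer drops the non-conforming packet immediately, while the shaper delays it until enough tokens accumulate and drops only when the queue's delay bound is exceeded. The rate, burst size, packet sizes and arrival times are constructed, and the queue limit is modelled as a maximum queueing delay.

```python
from typing import List, Tuple

# Added example (not from the notes): token-bucket policing vs. shaping.
# Rates, packet sizes and arrival times below are constructed.

EPS = 1e-9   # tolerance for floating-point token arithmetic


class TokenBucket:
    def __init__(self, rate_bps: float, burst_bytes: int):
        self.rate = rate_bps / 8.0            # tokens (bytes) added per second (CIR)
        self.burst = burst_bytes              # bucket depth (CBS); bucket starts full
        self.tokens = float(burst_bytes)
        self.last = 0.0

    def refill(self, now: float) -> None:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def take(self, size: int, now: float) -> bool:
        """Consume size tokens at time now if available."""
        self.refill(now)
        if self.tokens + EPS >= size:
            self.tokens -= size
            return True
        return False


def police(packets: List[Tuple[float, int]], rate_bps: float, burst: int):
    """Traffic policing: a packet without enough tokens is discarded at once.
    Returns (passed, dropped) as lists of (arrival_time, size)."""
    tb = TokenBucket(rate_bps, burst)
    passed, dropped = [], []
    for t, size in packets:
        (passed if tb.take(size, t) else dropped).append((t, size))
    return passed, dropped


def shape(packets: List[Tuple[float, int]], rate_bps: float, burst: int, max_delay: float):
    """Traffic shaping: a non-conforming packet waits (FIFO) until tokens accumulate;
    only a packet whose queueing delay would exceed max_delay is dropped.
    Returns (sent as (arrival, departure, size), dropped as (arrival, size))."""
    tb = TokenBucket(rate_bps, burst)
    sent, dropped = [], []
    last_departure = 0.0
    for t, size in packets:
        depart = max(t, last_departure)           # FIFO: cannot leave before the previous packet
        tb.refill(depart)
        if tb.tokens < size:
            depart += (size - tb.tokens) / tb.rate  # wait until enough tokens have accumulated
        if depart - t > max_delay:
            dropped.append((t, size))             # queue full: drop instead of delaying further
            continue
        tb.take(size, depart)
        sent.append((t, round(depart, 6), size))
        last_departure = depart
    return sent, dropped
```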
NAT: Static NAT, Dynamic NAT and PAT. What applications and scenarios are they used in?
Basic NAT implements one-to-one translation between one private IP address
and one public IP address, whereas Network Address and Port Translation (NAPT)
implements one-to-many translation between one public IP address and
multiple private IP addresses.
From the intranet, PC1 192.168.1.1 and PC2 192.168.1.2 send ICMP packets to 202.x.x.x;
then what will happen?
 NAT and NAPT can translate only IP addresses in IP datagram headers and port
numbers in TCP/UDP headers.
 For some special protocols such as ICMP and FTP, IP addresses or port
numbers may be contained in the Data field of the protocol packets.
Therefore, NAT cannot translate the IP addresses or port numbers.
 For example, when an FTP server with a private IP address sets up a session
with a host on the public network, the server may need to send its IP address
to the host. NAT cannot translate this IP address because the IP address is
carried in the Data field. When the host on the public network attempts to use
the received private IP address, it finds that the FTP server is unreachable.
Adding Application Level Gateway (ALG) to NAT, you can solve the above
problem. ALG is the translation proxy. It interacts with the NAT device to
establish states and uses NAT state information to change the specific data in
the IP packets and helps the application protocols to run across private and public
networks.
 ICMP is used as an example to describe the ALG processing mechanism.
 In a "destination unreachable" ICMP packet, the data part contains the
header of packet A which caused the error (note that because NAT translated the
address before data packet A was sent, the source address carried there is not the real
address of the internal host).
 If ICMP ALG is enabled, it interacts with NAT device before NAT forwards the
ICMP packet. ICMP ALG translates the IP address in the header of data packet
A in the Data field of the ICMP packet to the IP address of the host on the
private network. Finally, NAT forwards this ICMP packet.
 DNS, FTP, ICMP, SIP, and RTSP support the ALG function.
One native IPv4 network and one IPv6 network: how do they communicate with each other?
NAT-PT: NAT protocol translation between IPv6 and IPv4. The NAT-PT router translates IPv6 packets to IPv4,
or IPv4 to IPv6.

For example:

One end is pure IPv4, the other is pure IPv6, and IPv6 host A needs to access IPv4 host D.

First configure the IP mapping between IPv4 and IPv6 on the edge router.

When host A accesses host D via the NAT-PT router, the NAT-PT router translates the packet from IPv6 to IPv4; when
host D replies to A via the NAT-PT router, the router first translates the packet from IPv4 to IPv6 toward host A.
• NAT-PT is another powerful transition technique, but is not a replacement for the other
techniques, such as dual-stack and tunnelling. Rather, it can be used in situations
where direct communication between IPv6-only and IPv4-only networks is
desired. It would not be appropriate in situations where connectivity between two IPv6
networks is required, since two points of translation would be necessary, which would
not be efficient or effective.
• With NAT-PT, all configuration and translation is performed on the NAT-PT router; the
other devices in the network are not aware of the existence of the other protocol's
network, nor that translations are occurring. The NAT-PT router translates source
and destination addresses and other packet header fields in both directions: from
the IPv4 network to the IPv6 network, and from the IPv6 network to the IPv4 network.
Thus, this router is dual stacked and must have two sets of translation entries for
this bidirectional translation.
• The slide illustrates the NAT-PT architecture. DNS is crucial in real-life NAT-PT
architectures, because applications initiate traffic from hosts, and DNS translates
domain names to IP addresses. Since DNS requests may cross the NAT-PT router, a
DNS application layer gateway (ALG) is typically implemented in NAT-PT routers to
facilitate the name-to-address mapping. The DNS-ALG translates IPv6 addresses in
DNS queries and responses into their IPv4 address bindings, and vice versa, as DNS
packets traverse between IPv6 and IPv4 domains.
• NAT-PT uses a 96-bit IPv6 network prefix to direct all IPv6 traffic that needs to be
translated to the NAT-PT router. This prefix can be any routable prefix within the IPv6
domain; IPv6 routing must be configured such that all IPv6 packets addressed to this
prefix are routed to the NAT-PT device. When the NAT-PT router receives an IPv6
packet destined for the NAT-PT prefix, it translates the packet according to the
configured mapping rules. This prefix is also used in the translation of IPv4 address into
IPv6 addresses.
• Within the IPv6 domain, external IPv4 addresses are mapped to IPv6 addresses. This
mapping is done statically (by means of predefined mapping between IPv4 and IPv6
addresses using the NAT-PT IPv6 prefix) or dynamically (by appending the IPv4
address to the NAT-PT IPv6 prefix). Similarly, static and dynamic mapping can be
configured for translating internal IPv6 addresses to external IPv4 addresses. Thus, the
NAT-PT router performs several bidirectional translations, including DNS, addressing,
packet headers, and so forth.

• When R1 wants to communicate with R3, it sends an IPv6 packet (the only type it
knows) with its own source address (14::4) and a destination address (1144::1)
within the NAT-PT prefix; this prefix guides packets to the NAT-PT router, R1.
• The NAT-PT prefix is configured on R2 and typically advertised by R1 in an IGP
such as RIPng or OSPFv3. The destination IPv6 address (1144::1) is the
representation of the IPv4-only devices in the IPv6 world. When R2
receives the IPv6 packet from R1, it translates this destination IPv6 address to
R3’s IPv4 address. This is one of the static translation entries configured on R2;
it is an IPv4-to-IPv6 mapping that gives the IPv4-only device R3 an address in
the IPv6 world.
• When R2 receives the IPv6 packet from R1, it also translates R1’s IPv6 source
address (14::4) to an IPv4 source address (172.16.123.100). This is the other
static translation entry configured on R2; it is an IPv6-to-IPv4 mapping that
gives the IPv6-only device R1 an address in the IPv4 world. The translated IPv4
address is typically within the destination IPv4 subnet; otherwise, it must be
advertised to the IPv4 routers via static or dynamic routing.
When R3 replies to R1, traffic travels in the other direction and R2 translates the
IPv4 source address (172.16.123.2) to IPv6 (1144::1) and the IPv4 destination address
(172.16.123.100) to IPv6 (14::4) by using the configured translation entries.
PPP:
How to establish PPP?

1) PAP authentication process


2) CHAP authentication process
3) What is the difference between the password configuration in the global view and in the interface view?
4) What is the purpose of the interface configuration?
5) What username information is inside the packet when the authenticator sends a message?
6) How to negotiate PPPoE?
The PPP protocol has LCP, NCP and authentication protocols; the authentication protocols include PAP
and CHAP.

LCP is used to establish, tear down and monitor the PPP data link, NCP is used to negotiate the network layer protocol format and type,
and authentication is used to protect the security of the data link.

One PPP session has three phases.

Phase 1: when the physical layer is up, PPP first performs LCP negotiation, including the working mode (SP or MP), the authentication mode and
the MTU; once the LCP status is OPEN, the link is established.

Phase 2: authentication; user authentication is optional. If you configured user authentication, the link enters the
authentication phase, where you can choose PAP or CHAP; after authentication it enters the network negotiation
phase.

Phase 3: network protocol phase.

After the above phases, each network protocol must pass NCP negotiation; NCP supports IPCP
negotiation, and IPCP negotiation includes the IP addresses of both ends. When the NCP status at one end is open, NCP can send
packets over this link.

PAP authentication is a two-way handshake; the password is sent in plain text without encryption.

1) The authenticated peer sends the username and password to the authenticator;

2) the authenticator judges whether this information is correct; only if successful does the link go into phase 3.
PAP authentication is not good, because the username and password are sent unencrypted over the network, so it is
easy to attack.

CHAP authentication:
1) CHAP authentication is a three-way handshake; the password is not sent in clear, only a hash.

2) The authenticator first sends a Challenge packet to the authenticated peer, including the packet ID, a random number and its router
name.

The authenticated peer chooses the password according to the router name, then puts the packet ID, the random number and the password
into MD5 to get one hash value, and sends a Challenge Response packet, including the packet ID,
the hash value and its router name;

3) The authenticator, according to the router name, puts the packet ID, the random number and the password into MD5 to get
one hash, and compares the two hash values; if they are the same, the link enters phase 3.
Because the CHAP password is hashed and not sent in clear, it is safer than PAP.

What is the difference between configuring the password in the interface view and in the global view?

Authenticated peer: first the global view, then the interface view.

Authenticator: only configured in the global view.

What is the purpose of the interface configuration?

Username configured in the interface view:

Authenticator: sends the Challenge packet carrying the username.

Authenticated peer: sends the Response packet carrying the username.

Password configured in the interface view:

Authenticator: not needed.

Authenticated peer: used to compute the hash value.

What is the username when the authenticator sends a message?

If the authenticator has a username configured in the interface view, it sends the Challenge packet carrying the
username.

If no username is configured in the interface view, different vendors handle it differently; some carry it.

1.1.1 PPP Link Establishment Process

The following figure shows the PPP link establishment process.


Figure 1 PPP link establishment process
The PPP link establishment process is as follows:
 Once the physical link between the two communicating devices is up (the Dead phase
finishes) and one of them initiates a PPP connection request, the Establish
phase starts.
 In the Establish phase, the two devices perform an LCP negotiation to
negotiate the working mode (SP, single-link PPP, or MP, multilink PPP), MRU (Maximum
Receive Unit), authentication mode, and magic number. If the LCP
negotiation succeeds, LCP turns Opened and PPP enters the next phase.
 The next phase is the Authentication or Network phase, depending on
whether authentication is required.
 Authentication Phase: This phase is optional. By default, PPP does not
perform authentication during PPP link establishment. If authentication is
required, the authentication protocol must be specified in the Establish
phase. PPP authentication is performed on links between hosts and devices
that are connected through PPP network servers, switched circuits or dial-
up lines, or on dedicated links.
 PPP provides two password authentication modes: PAP authentication and
CHAP authentication.
 Two CHAP authentication modes are available: unidirectional CHAP
authentication and bidirectional CHAP authentication. In unidirectional
CHAP authentication, the device on one end functions as the
authenticating device, and the device on the other end functions as the
authenticated device. In bidirectional CHAP authentication, each device
functions as both the authenticating device and authenticated device. In
practice, only unidirectional CHAP authentication is used.
 If authentication is configured, the two devices enter the Authenticate phase
and perform CHAP or PAP authentication. If no authentication is configured,
the two devices enter the Network phase.
 In the Authentication phase, if CHAP or PAP authentication fails, the devices
enter the Terminate phase. The link is removed and LCP turns Down. If CHAP
or PAP authentication succeeds, the devices enter the Network phase and
LCP remains Opened.
 In the Network phase, the two devices perform an NCP negotiation to
select and configure a network protocol and to negotiate network-layer
parameters. After the two devices succeed in negotiating a network protocol,
packets can be sent over this PPP link using the network protocol.
Various control protocols such as IPCP and Multiprotocol Label Switching
Control Protocol (MPLSCP) can be used in NCP negotiation. IPCP mainly
negotiates the IP addresses of the two devices.
 After NCP negotiation succeeds, packets can be sent over the PPP link. If the
physical link is disconnected, PPP authentication fails, the negotiation timer
expires, or the PPP connection is otherwise interrupted during operation, the
two devices enter the Termination phase.
 In the Termination phase, the two devices enter the Dead phase after all
resources are released. The two devices remain in the Dead phase until a
new PPP connection is established between them.

PAP Authentication Process: PAP is a two-way handshake authentication protocol
that transmits passwords in plain text.

 The authenticated device sends the local user name and password to the
authenticating device.
 The authenticating device checks whether the received user name is in the
local user table.
 If the received user name is in the local user table, the authenticating
device checks whether the received password is correct. If so, the
authentication succeeds. If not, the authentication fails.
 If the received user name is not in the local user table, the authentication
fails.

CHAP Authentication Process: CHAP is a three-way handshake authentication
protocol. CHAP transmits only user names but not passwords, so it is more secure
than PAP.
Figure 3 shows the CHAP authentication process.
Unidirectional CHAP authentication is applicable to two scenarios:
 The authenticating device is configured with a user name.
 The authenticating device is not configured with a user name.
It is recommended that the authenticating device be configured with a user name.
 When the authenticating device is configured with a user name:
 The authenticating device initiates an authentication request by sending
a Challenge packet that carries the local user name to the authenticated
device.
 After receiving the Challenge packet at an interface, the authenticated
device checks whether the ppp chap password command is used on the
interface. If this command is used, the authenticated device encrypts the
Challenge packet with the packet ID and password configured by the
command by using the Message Digest 5 (MD5) algorithm. Then the
authenticated device sends a Response packet carrying the generated
cipher text and local user name to the authenticating device. If the ppp
chap password command is not configured, the authenticated device
searches the local user table for the password matching the user name of
the authenticating device in the received Challenge packet, and encrypts
the Challenge packet with the packet ID and user password by using the
MD5 algorithm. Then the authenticated device sends a Response packet
carrying the generated cipher text and local user name to the
authenticating device.
 The authenticating device encrypts the Challenge packet with the saved
password of the authenticated device by using the MD5 algorithm. Then
the authenticating device compares the generated cipher text with that
carried in the received Response packet, and returns a response based
on the result of the check.
 When the authenticating device is not configured with a user name:
 The authenticating device initiates an authentication request by sending a
Challenge packet.
 After receiving the Challenge packet, the authenticated device encrypts
the Challenge packet with the packet ID and password configured by the
ppp chap password command by using the Message Digest 5 (MD5)
algorithm. Then the authenticated device sends a Response packet
carrying the generated cipher text and local user name to the
authenticating device.
 The authenticating device encrypts the Challenge packet with the saved
password of the authenticated device by using the MD5 algorithm. Then
the authenticating device compares the generated cipher text with that
carried in the received Response packet, and returns a response based on
the result of the check.
Comparison Between CHAP and PAP Authentication Processes
 In PAP authentication, passwords are sent over links in plain text. After a PPP link is established, the
authenticated device repeatedly sends the user name and password until authentication finishes. This mode
cannot ensure high security, so it is used on networks that do not require high security.
 CHAP is a three-way handshake authentication protocol. In CHAP authentication, the authenticated device
sends only the user name to the authenticating device. Compared with PAP, CHAP features higher security
because passwords are not transmitted. On networks requiring high security, CHAP authentication is used to
establish a PPP connection.
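The CHAP computation described in the notes above (packet ID, random number and password through MD5) and in the Huawei process text, as an added example that is not code from the page or from Huawei: it implements the RFC 1994 CHAP-MD5 response and both sides of one unidirectional exchange, with a PAP Authenticate-Request alongside so the difference in what an on-path observer sees is concrete. The router names RouterA/RouterB, the local user table and the password are constructed for the example.

```python
import hashlib
import secrets
from typing import Optional

# Constructed credentials for this example (not from the page). The authenticating
# device keeps a local user table: peer user name -> password.
AUTHENTICATOR_NAME = "RouterA"
AUTHENTICATOR_USERS = {"RouterB": b"example-secret"}
PEER_NAME = "RouterB"
PEER_PASSWORD = b"example-secret"


def chap_md5(identifier: int, secret: bytes, challenge_value: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response value = MD5(Identifier || secret || Challenge value).
    The secret never leaves the device; only this 16-byte digest goes on the wire."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge_value).digest()


def make_challenge(identifier: int, value: Optional[bytes] = None) -> dict:
    """Authenticating device: Challenge packet with ID, a fresh random value and the local name.
    'value' may be supplied for deterministic testing; in operation it is always random."""
    return {"id": identifier, "value": value or secrets.token_bytes(16), "name": AUTHENTICATOR_NAME}


def answer_challenge(challenge: dict, username: str, password: bytes) -> dict:
    """Authenticated device: hash ID + password + challenge value (the ppp chap password on the
    interface, or the local-user entry matching challenge['name']) and send a Response."""
    digest = chap_md5(challenge["id"], password, challenge["value"])
    return {"id": challenge["id"], "value": digest, "name": username}


def verify_response(challenge: dict, response: dict, user_table: dict) -> bool:
    """Authenticating device: recompute the digest from its own copy of the peer's password and
    compare. The ID must match the outstanding challenge, and the digest is bound to that
    challenge's random value, so a captured Response cannot be replayed against a new one."""
    if response["id"] != challenge["id"]:
        return False
    secret = user_table.get(response["name"])
    if secret is None:                       # unknown user name: fail, like the PAP table lookup
        return False
    expected = chap_md5(challenge["id"], secret, challenge["value"])
    return secrets.compare_digest(expected, response["value"])


def pap_request(username: str, password: bytes) -> dict:
    """PAP Authenticate-Request: user name and password, both in plain text."""
    return {"username": username, "password": password}


def exposes_password(packet: dict, password: bytes) -> bool:
    """What an on-path observer learns: does the password appear in the packet as sent?"""
    wire = b"".join(v if isinstance(v, bytes) else str(v).encode() for v in packet.values())
    return password in wire


def run_chap_session() -> bool:
    """One unidirectional CHAP round trip between the two constructed routers."""
    challenge = make_challenge(identifier=1)
    response = answer_challenge(challenge, PEER_NAME, PEER_PASSWORD)
    return verify_response(challenge, response, AUTHENTICATOR_USERS)


if __name__ == "__main__":
    print("CHAP succeeded:", run_chap_session())
    print("PAP leaks password:", exposes_password(pap_request(PEER_NAME, PEER_PASSWORD), PEER_PASSWORD))
    chap_reply = answer_challenge(make_challenge(2), PEER_NAME, PEER_PASSWORD)
    print("CHAP leaks password:", exposes_password(chap_reply, PEER_PASSWORD))
```

The digest is bound to the challenge's random value and ID, which is what makes CHAP resistant to replay; its strength still rests on the shared secret, since a recorded challenge/response pair can be checked offline against password guesses, so long, unguessable secrets matter as much as choosing CHAP over PAP.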
Network Phase

In the Network phase, NCP negotiation is performed to select and configure a network protocol and to negotiate
network-layer parameters. Each NCP may be in Opened or Closed state at any time. After an NCP enters the
Opened state, network-layer data can be transmitted over the PPP link.
Termination Phase

PPP can terminate a link at any time. A link can be terminated manually by an administrator, or be terminated due to
the loss of carrier, an authentication failure, or other causes.
PPPoE negotiation:
PPPoE has two phases, the discovery phase and the session phase.

The discovery phase has four steps; explain how PADI, PADO, PADR and PADS work.
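The notes only name the four discovery steps. As an added example that is not code from the page or from any vendor, the following builds and parses RFC 2516 discovery frames and runs the PADI/PADO/PADR/PADS exchange between a host and a hypothetical access concentrator (AC). It goes beyond the notes in two ways: it carries the Host-Uniq tag a host uses to match PADO/PADS replies to its own PADI, and the AC-Cookie tag that lets the AC allocate no session state until a valid PADR arrives. The AC name, service name and MAC addresses are constructed.

```python
import hmac
import os
import struct
from typing import List, Optional, Tuple

# RFC 2516 constants: version/type byte, discovery-stage codes and tag types.
VER_TYPE = 0x11
PADI, PADO, PADR, PADS = 0x09, 0x07, 0x19, 0x65
TAG_END, TAG_SERVICE_NAME, TAG_AC_NAME, TAG_HOST_UNIQ, TAG_AC_COOKIE = 0x0000, 0x0101, 0x0102, 0x0103, 0x0104
Tags = List[Tuple[int, bytes]]


def build_pppoe(code: int, session_id: int, tags: Tags) -> bytes:
    """PPPoE header (ver/type, code, session ID, payload length) followed by TLV tags."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", VER_TYPE, code, session_id, len(payload)) + payload


def parse_pppoe(frame: bytes) -> Tuple[int, int, Tags]:
    """Parse a discovery frame; reject a bad version/type or a tag that overruns the payload."""
    if len(frame) < 6:
        raise ValueError("frame shorter than PPPoE header")
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[:6])
    if ver_type != VER_TYPE or len(frame) < 6 + length:
        raise ValueError("not PPPoE v1/type 1, or payload truncated")
    payload, tags, offset = frame[6:6 + length], [], 0
    while offset + 4 <= len(payload):
        tag_type, tag_len = struct.unpack("!HH", payload[offset:offset + 4])
        offset += 4
        if offset + tag_len > len(payload):
            raise ValueError("tag length overruns payload")
        if tag_type == TAG_END:
            break
        tags.append((tag_type, payload[offset:offset + tag_len]))
        offset += tag_len
    return code, session_id, tags


def get_tag(tags: Tags, wanted: int) -> Optional[bytes]:
    return next((v for t, v in tags if t == wanted), None)


class AccessConcentrator:
    """Hypothetical AC: keeps no per-host state until PADR, because the AC-Cookie sent in PADO
    is an HMAC over the host MAC that is recomputed and checked when the PADR comes back."""

    def __init__(self, name: bytes, services: List[bytes]):
        self.name, self.services = name, services
        self.cookie_key = os.urandom(16)
        self.next_session = 1                  # session IDs start at 1; 0 is reserved

    def cookie_for(self, host_mac: bytes) -> bytes:
        return hmac.new(self.cookie_key, host_mac, "sha256").digest()[:8]

    def on_padi(self, host_mac: bytes, frame: bytes) -> Optional[bytes]:
        code, sid, tags = parse_pppoe(frame)
        service = get_tag(tags, TAG_SERVICE_NAME)
        if code != PADI or sid != 0 or service is None:
            return None                        # PADI needs session 0 and a Service-Name tag
        if service and service not in self.services:
            return None                        # service not offered here: stay silent
        reply: Tags = [(TAG_AC_NAME, self.name), (TAG_SERVICE_NAME, service or self.services[0]),
                       (TAG_AC_COOKIE, self.cookie_for(host_mac))]
        host_uniq = get_tag(tags, TAG_HOST_UNIQ)
        if host_uniq is not None:
            reply.append((TAG_HOST_UNIQ, host_uniq))   # echoed back unchanged
        return build_pppoe(PADO, 0, reply)

    def on_padr(self, host_mac: bytes, frame: bytes) -> Optional[bytes]:
        code, sid, tags = parse_pppoe(frame)
        cookie = get_tag(tags, TAG_AC_COOKIE)
        if code != PADR or sid != 0 or cookie is None:
            return None
        if not hmac.compare_digest(cookie, self.cookie_for(host_mac)):
            return None                        # forged or stale cookie: allocate nothing
        sid, self.next_session = self.next_session, self.next_session + 1
        reply: Tags = [(TAG_SERVICE_NAME, get_tag(tags, TAG_SERVICE_NAME) or b"")]
        host_uniq = get_tag(tags, TAG_HOST_UNIQ)
        if host_uniq is not None:
            reply.append((TAG_HOST_UNIQ, host_uniq))
        return build_pppoe(PADS, sid, reply)


def run_discovery(host_mac: bytes, ac: AccessConcentrator, service: bytes = b"") -> Optional[int]:
    """Host side of PADI -> PADO -> PADR -> PADS; returns the session ID from PADS, or None."""
    host_uniq = os.urandom(4)                  # lets the host match PADO/PADS to its own PADI
    pado = ac.on_padi(host_mac, build_pppoe(PADI, 0, [(TAG_SERVICE_NAME, service),
                                                      (TAG_HOST_UNIQ, host_uniq)]))
    if pado is None:
        return None
    code, _, tags = parse_pppoe(pado)
    if code != PADO or get_tag(tags, TAG_HOST_UNIQ) != host_uniq:
        return None                            # not an answer to our PADI
    padr = build_pppoe(PADR, 0, [(TAG_SERVICE_NAME, get_tag(tags, TAG_SERVICE_NAME) or b""),
                                 (TAG_HOST_UNIQ, host_uniq),
                                 (TAG_AC_COOKIE, get_tag(tags, TAG_AC_COOKIE) or b"")])
    pads = ac.on_padr(host_mac, padr)
    if pads is None:
        return None
    code, session_id, tags = parse_pppoe(pads)
    if code != PADS or session_id == 0 or get_tag(tags, TAG_HOST_UNIQ) != host_uniq:
        return None
    return session_id                          # the session stage (PPP frames) starts here
```

In a real deployment PADI goes to the Ethernet broadcast address and PADO/PADR/PADS are unicast; the `ac` object here stands in for that link. The cookie check is the part worth noticing from a defensive angle: an AC that assigned a session ID on every PADI could be exhausted by unsolicited PADIs, whereas one that requires its own cookie back in PADR only commits resources to a host that completed the round trip.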


IPv6:

If you want to deploy IPv6 in a native IPv4 network, what will you do?

There is no need to upgrade all routers to IPv6 at once; there are several ways to migrate smoothly:

Dual stack support

IPv6-over-IPv4 (6to4)

NAT-PT

IPv6 Transition Techniques

 Manual Tunnels
 GRE IPv6 Tunnels
 6to4 Tunnels
 IPv4-Compatible IPv6 Tunnels
 ISATAP Tunnels
 NAT-PT
Project topic:
One company has 100 routers of different types; which IGP will you use and why?

Now you have 6 routers, 2 core, 2 aggregation, 2 access; how will you design the topology and what will be the
difference?

First topology: 日-shaped topology

The upper tier works as the aggregation layer for the Internet and injects default routes with different costs so the
best path is chosen for forwarding traffic.

The middle tier works as the core; its uplinks connect to the campus aggregation and its downlinks connect to the other
routers.

The lower tier connects to the aggregation routers and works as the gateway.

This topology is simple, easy to manage and redundant.

Second type: 日-shaped topology with cross links

Now you have 6 routers, 2 high-performance, 2 medium-performance, 2 low-performance; how do you design the topology and
what will be the difference?

Migration
When you do a migration, what do you need to take care of?

When you prepare the implementation plan and then face a problem, how do you resolve it?

Cutover plan, pre-requisites, step-by-step configuration, sanity checks, confirmation from the customer, roll-back
plan, customer information, timings, impact, 24-hour observation, etc.

Firewall

How many solutions are there for firewall deployment? What are the advantages of each? And how many working
modes does a firewall have?

Firewall HRP – active/active & active/standby

Firewall modes – routed, transparent, hybrid

1. Describe at least two NAT techniques, excluding static NAT, dynamic NAT,
and PAT.

6.1.1 Twice NAT

Twice NAT refers to translation of both the source and destination IP addresses of a data packet.
It is applied to the situation where a private IP address is the same as a public IP address.
Figure 1 Networking diagram for twice NAT

The process of twice NAT is described as follows:


1. Host A with the IP address 1.1.1.1 on the private network wants to access host B with the
same IP address on the public network. Host A sends a DNS request to the DNS server on
the public network. The DNS server sends a response packet containing the IP address
1.1.1.1 of host B. When the response packet passes through the router, the router
performs DNS ALG and translates host B's IP address 1.1.1.1 in the response packet to the
unique temporary IP address 3.3.3.1. Then, the router forwards the response packet to
Host A.
2. Host A sends a request packet with the destination IP address as the temporary IP
address 3.3.3.1, for accessing host B. When the request packet passes through the router,
the router detects that the destination IP address is the temporary IP address, and
translates the destination IP address to host B's real IP address 1.1.1.1. Meanwhile, the
router translates the source IP address of the request packet to an address in the
outbound NAT address pool using outbound NAT. Then, the router forwards the request
packet to host B.
3. Host B sends host A a response packet with the destination IP address as the address in
the outbound NAT address pool and the source IP address as the IP address of host B
1.1.1.1. When the response packet passes through the router, the router detects that the
source IP address is the same as the real IP address of host A, and translates the source IP
address to the temporary IP address 3.3.3.1 using NAT. Meanwhile, the router translates
the destination IP address of the response packet to the private IP address 1.1.1.1 of host
A. Then, the router forwards the response packet to host A.
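The three steps above as an added example that is not code from the page or from Huawei: a small model of the router's two translation tables, showing why the DNS ALG rewrite has to happen before the request and how the return packet is mapped back. The address 1.1.1.1 and the temporary pool 3.3.3.0/24 follow the page; the outbound NAT pool 2.2.2.0/24 is a hypothetical value, and ports and protocols are omitted.

```python
from typing import Dict, List

Packet = Dict[str, str]   # {"src": ip, "dst": ip}; ports and protocol omitted for clarity


class TwiceNatRouter:
    """Model of the twice-NAT router in the walkthrough. A private host and a public host
    both use 1.1.1.1; temporary addresses come from 3.3.3.0/24 (as on the page) and the
    outbound source NAT pool 2.2.2.0/24 is a constructed value."""

    def __init__(self, temp_pool: List[str], outbound_pool: List[str], private_addrs: List[str]):
        self.temp_pool = list(temp_pool)            # free temporary addresses for the DNS ALG
        self.outbound_pool = list(outbound_pool)    # free public source addresses
        self.private_addrs = set(private_addrs)     # addresses in use on the private side
        self.temp_to_real: Dict[str, str] = {}      # 3.3.3.1 -> 1.1.1.1 (public host B)
        self.real_to_temp: Dict[str, str] = {}
        self.priv_to_pub: Dict[str, str] = {}       # outbound source NAT bindings
        self.pub_to_priv: Dict[str, str] = {}

    def dns_alg(self, answer_ip: str) -> str:
        """Step 1: rewrite a DNS answer only when it collides with an address used privately."""
        if answer_ip not in self.private_addrs:
            return answer_ip
        if answer_ip in self.real_to_temp:          # reuse an existing temporary mapping
            return self.real_to_temp[answer_ip]
        if not self.temp_pool:
            raise RuntimeError("temporary address pool exhausted")
        temp = self.temp_pool.pop(0)
        self.temp_to_real[temp] = answer_ip
        self.real_to_temp[answer_ip] = temp
        return temp

    def outbound(self, pkt: Packet) -> Packet:
        """Step 2: private -> public. Destination temp -> real, source private -> pool address."""
        real_dst = self.temp_to_real.get(pkt["dst"])
        if real_dst is None:
            raise ValueError(f"{pkt['dst']} is not a temporary address issued by the DNS ALG")
        pub_src = self.priv_to_pub.get(pkt["src"])
        if pub_src is None:
            if not self.outbound_pool:
                raise RuntimeError("outbound NAT pool exhausted")
            pub_src = self.outbound_pool.pop(0)
            self.priv_to_pub[pkt["src"]] = pub_src
            self.pub_to_priv[pub_src] = pkt["src"]
        return {"src": pub_src, "dst": real_dst}

    def inbound(self, pkt: Packet) -> Packet:
        """Step 3: public -> private. Source real -> temp, destination pool address -> private."""
        priv_dst = self.pub_to_priv.get(pkt["dst"])
        if priv_dst is None:                        # no binding: unsolicited, do not forward
            raise ValueError(f"no outbound NAT binding for {pkt['dst']}")
        # The source collides with a private address, so host A must see it under the
        # temporary address it learned from DNS, or it would route the reply to itself.
        src = self.real_to_temp.get(pkt["src"], pkt["src"])
        return {"src": src, "dst": priv_dst}


def walkthrough() -> List[Packet]:
    """Replays the page's three steps; returns the request as host A sends it, the request
    as host B receives it, and the reply as host A receives it."""
    router = TwiceNatRouter(temp_pool=["3.3.3.1", "3.3.3.2"],
                            outbound_pool=["2.2.2.1"],              # constructed pool
                            private_addrs=["1.1.1.1"])
    temp = router.dns_alg("1.1.1.1")                               # DNS answer for host B
    request = {"src": "1.1.1.1", "dst": temp}
    to_b = router.outbound(request)
    to_a = router.inbound({"src": "1.1.1.1", "dst": to_b["src"]})  # host B's reply
    return [request, to_b, to_a]
```

The model makes the ordering constraint visible: a packet to a 3.3.3.x address that the DNS ALG never handed out is rejected rather than forwarded, and a reply to a pool address with no outbound binding is dropped as unsolicited, which is the behaviour a firewall-style NAT should keep.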

6.1.1 NAT Associated with VPNs

A NAT-enabled router allows hosts on private networks to access public networks, hosts in
different virtual private networks (VPNs) on a private network to access a public network
through the same outbound interface, and hosts with the same IP address in different VPNs to
access a public network simultaneously. The NAT module of a router also supports NAT server
associated with VPNs. It allows a host on a public network to access hosts in different VPNs on a
private network, and a host on a public network to access hosts with the same IP address in different
VPNs on a private network.

2. What are the advantages and disadvantages of an access-layer gateway versus an aggregation-layer
gateway?
3. What needs to be taken care of for OSPF area 0 authentication in the lab?

Zhang's questions:
4. Which parameters need to match for establishing a peering, and why? Describe in detail.
5. What is the use of an edge port?
6. How many types of shaping are there, and which type did we use in the lab? Describe in detail.
