Category Archives: IP routing

OSPF RFC1583 vs RFC2328 compatibility

Best path selection:
RFC1583 – best path based solely on cost.
RFC2328 – Intra-area paths that use non-backbone areas are always the most preferred.

Can lead to the loops:

Summary metric:
RFC1583 – lowest metric of the componet routes
RFC2328 – highest metric of the components.

OSPF RFC1587 vs RFC3101 NSSA compatibility.

  1. Path selection
    a. Any type 5 LSA.
    b. A type-7 LSA with the P-bit set and the forwarding
    address non-zero.
    c. Any other type-7 LSA
    1. A Type-7 LSA with the P-bit set.
    2. A Type-5 LSA.
    3. The LSA with the higher router ID.
  2. The P-bit default is now defined as cleared.
  3. A new area configuration parameter, NSSATranslatorRole, is defined in Appendix D. It specifies whether or not an NSSA router will unconditionally translate Type-7 LSAs to Type-5 LSAs when acting as an NSSA border router.

BGP syncronization

When this is the case, the router ID of the OSPF router acting as the Autonomous System Boundary Router (ASBR) for the redistributed BGP routes must also be the router ID of the advertising IBGP speaker for the same prefix. The route reflector cluster list should match the two previously mentioned router IDs as well.


uRPF does have additional features. The first one is uRPF exemptions and violation logging. With this feature, you may specify a standard or extended access-list as follows:

ip verify unicast source reachable-via [rx|any] <ACL-NUM>

The uRPF feature consults this access-list for packets violating the uRPF condition. If the ACL permits a packet, it is allowed to pass through. If the ACL denies the packet, the router drops it. You may use the log keyword to log the packets allowed or denied by the uRPF access-list.

BGP dampening

Is an evil! But 😉


Formula (Really Madly Hate! 😉

max-penalty = reuse-limit * 2 (max-suppress-time / half-life )


bgp dampening half-life reuse-limit suppress-limit maximum-suppress-time

The default penalty increase for a route flap is 1000. If the route attributes are the only change, the penalty increase is 500. This value is hard-coded.
The penalty on the route is reduced every 5 seconds.
The router checks for prefixes to unsuppress every 10 seconds.

bgp dampening 15 750 2000 60
(max penalty = 6000)

IPv6 First Hop Security

IPv6 RA Guard rejects fake RA messages coming from host (non-router) ports (not sure whether it handles all possible IPv6 header fragmentation attacks). Interestingly, it can also validate the contents of RA messages (configuration flags, list of prefixes) received through router-facing ports, potentially giving you a safeguard against an attack of fat fingers.

DHCPv6 Guard blocks DHCPv6 messages coming from unauthorized DHCPv6 servers and relays. Like IPv6 RA Guard it also validates the DHCPv6 replies coming from authorized DHCPv6 servers, potentially providing protection against DHCPv6 server misconfiguration.

IPv6 Snooping and device tracking builds a IPv6 First-Hop Security Binding Table (nicer name for ND table) by monitoring DHCPv6 and ND messages as well as regular IPv6 traffic. The binding table can be used to stop ND spoofing (in IPv4 world we’d call this feature DHCP Snooping and Dynamic ARP Inspection).

IPv6 Source Guard uses the IPv6 First-Hop Security Binding Table to drop traffic from unknown sources or bogus IPv6 addresses not in the binding table. The switch also tries to recover from lost address information, querying DHCPv6 server or using IPv6 neighbor discovery to verify the source IPv6 address after dropping the offending packet(s).

IPv6 Prefix Guard is denies illegal off-subnet traffic. It uses information gleaned from RA messages and IA_PD option of DHCPv6 replies (delegated prefixes) to build the table of valid prefixes.



CAT2(config)# ipv6 access-list ACCESS_PORT
CAT2(config-ipv6-acl)# remark Block all traffic DHCP server -> client
CAT2(config-ipv6-acl)# deny udp any eq 547 any eq 546
CAT2(config-ipv6-acl)# remark Block Router Advertisements
CAT2(config-ipv6-acl)# deny icmp any any router-advertisement
CAT2(config-ipv6-acl)# permit any any
CAT2(config-ipv6-acl)# !
CAT2(config-ipv6-acl)# interface gigabitethernet 1/0/1
CAT2(config-if)# switchport
CAT2(config-if)# ipv6 traffic-filter ACCESS_PORT in

RA Guard

Switch(config)# ipv6 nd raguard policy POLICY-NAME
! Defines the RA Guard policy name
Switch(config-ra-guard)# device-role {host | router}
Switch(config)# interface INTERFACE
Switch(config-if)# ipv6 nd raguard attach-policy POLICY-NAME

DHCPv6 Guard

CAT1(config)# ipv6 access-list acl1
CAT1(config-ipv6-acl)# permit host FE80::A8BB:CCFF:FE01:F700 any
CAT1(config-ipv6-acl)# ipv6 prefix-list abc permit 2001:0DB8::/64 le 128
CAT1(config-ipv6-acl)# ipv6 prefix-list abc permit 2001:0DB8::/64 le 128
CAT1(config)# ipv6 dhcp guard policy pol1
CAT1(config-dhcp-guard)# device-role server
CAT1(config-dhcp-guard)# match server access-list acl1
CAT1(config-dhcp-guard)# match reply prefix-list abc
CAT1(config-dhcp-guard)# preference min 0
CAT1(config-dhcp-guard)# preference max 255
CAT1(config-dhcp-guard)# trusted-port
CAT1(config-dhcp-guard)# interface GigabitEthernet 1/0/1
CAT1(config-if)# switchport
CAT1(config-if)# ipv6 dhcp guard attach-policy pol1 vlan add 1
CAT1# show ipv6 dhcp guard policy pol1



LPref, MED and next-hop are kept across sub-AS eBGP!

network backup – set distance 200

MED, Local-pref, NLRI are sent as TLVs.

When an IGP (in this example OSPF) route is redistributed in to BGP it is considered locally generated by BGP and gets assigned a weight of 32768.

Best Path Selection

AIGP – optiona notransitive 8 octet. If AIGP is configured AND the bgp bestpath aigp ignore command is not configured, the decision process considers the AIGP metric.

An AS_SET counts as 1, no matter how many ASs are in the set.

AIGP after Local Preference. AIGP metric reflects IGP cost. Lowest wins.
BGP prefers the path with the AIGP attribute by default.


The default BGP ConnectRetry timer is 120 seconds. Only after this time passes does the BGP process check to see if the passive TCP session is established. If the passive TCP session is not established, then the BGP process starts a new active TCP attempt to connect to the remote BGP speaker. During this idle 120 seconds of the ConnectRetry timer, the remote BGP peer can establish a BGP session to it. Presently, the Cisco IOS ConnectRetry timer cannot be changed from its default of 120 seconds.

Internet == 0:0 == match all; no such community in RFC

Redistribute & MED
— If the injected BGP route, using the network or redistribute command, is
from an IGP, the BGP MED is derived from the IGP metric.
— If the injected BGP route (using the network or redistribute command) is
from a connected route, the BGP MED is set to 0.
— If the route is injected by the aggregate-address command, MED is not set.

Capability 64
For IPv4, the end-of-RIB marker is a BGP Update message with no reachable NLRI and
empty withdrawn NLRI. Additional address families indicate the end-of-RIB with a BGP
Update containing only the MP_UNREACH_NLRI attribute with no withdrawn routes for
that AFI/SAFI.
Restart Time indicates how long a peer of the restarting router should maintain prefix
information received from the restarting router. The restart time should be less than the holdtime for the BGP peer.
The reception of a BGP-GR capability with no AFI/SAFI information indicates that the sending peer supports the end-of-RIB marker and can support peers that can maintain forwarding state and that want to utilize BGP-GR. The reception of a BGP-GR capability with AFI/SAFI information indicates that the sending peer wants to perform BGP-GR for the included AFI/SAFIs.
Mark all prefixes as stale.
After restart:
The receiving BGP router sends the BGP-GR capability to the restarting BGP router, with
the Restart State set to 0, unless the receiving BGP router also is reset. The receiving BGP
router receives a BGP-GR capability from the restarting BGP router with a Restart State of 1.
This triggers the receiving BGP router to send the initial routing update, followed by the
end-of-RIB marker.

Performance Routing (PfR)

Phases wheel:

  1. Profile/Learning Phase – learn flows with high latency and throughput = monitored traffic classes (MTC).
  2. Measure Phase – Collect and compute performance metrics for MTC.
  3. Apply Policy Phase – create low and high thresholds defining in-policy and out-of-policy (OOP) categories.
  4. Control Phase – influence by manipulating routing or PBR.
  5. Verify Phase – verify OOP event to make adjustmets to bring back in-policy.

Inrefaces types:

  1. Internal – connect to the internal network with Master Controller
  2. External – used to transmit packets out of the local network. Interfaces that monitored. At least 2.
  3. Local – used in the formation of the control plane mechanism. Source to communicate with Master Controller.

Operational Roles

Mandatory authentication – key-chains!

Master Controller (MC) and Border router (BR).

A single MC can support up to ten individual border routers
or up to 20 managed exit interfaces (external interfaces).


Passive monitoring: Measuring the performance metrics of interesting prefixes while the traffic is flowing through the device using NetFlow technology

Active monitoring: Creating a stream of synthetic traffic replicating the interesting traffic classes as closely as possible to measure the performance metrics of the synthetic traffic; uses Cisco integrated IP SLAs technology

Both active and passive monitoring: Combining both active and passive monitoring to generate a more complete picture of traffic flows within the network

Route redistribution and summarization

Order of metric operations:

  1. Call a route map from the redistribute command, with the route map using the set
    metric command. This method allows different metrics for different routes.
  2. Use the metric option on the redistribute command. This sets the same metric for
    all routes redistributed by that redistribute command.
  3. Use the default-metric command under the router command. This command sets the
    metric for all redistributed routes whose metric was not set by either of the other
    two methods.
IGP Default Metric Default (and Possible) Metric Types
EIGRP External
OSPF 20/1 E2 (E1 or E2)
IS-IS 0 L1 (L1, L2, L1/L2, or external)


distance { distance-value neigh-ip-address { wildcard-mask } [ ip-standard-list ]
[ ip-extended-list ]
distance distance
distance eigrp internal-distance external-distance
distance ospf {[ intra-area dist1 ] [ inter-area dist2 ] [ external dist3 ]}
distance bgp external internal local

Default routing

redistribute static Yes Yes No
default-information originate Yes No Yes
ip default-network Yes Yes No
Summary routes No Yes No

If a static route to is in the local routing table, the default-information originate command does NOT cause RIP to inject a default. Redistribute static should be used in that case.

Cisco documentation advises against using route summarization to create a default route.




Change the cost of the default route advertised into a stub or NSSA area.

area 1 default-cost 123


Type7 to Type5 by ABR with highest RID.
Forwarding-address not ZERO in Type7 and Type7 to Type5. Recurse to Type3 and not Type4.
The ABR connected to the NSSA takes the type 7 LSAs and converts them into type 5 LSAs, which makes it an ASBR as well. Therefore this ABR doesn’t generate a type 4 LSAs for itself. The type 4 LSA is rather generated by the other ABRs connected to other areas.
Per the NSSA area RFC, the use of FA is mandatory with these LSAs. The reason is that there is only one 7-to-5 translating ABR and this might result in suboptimal routing without the use of FA.
FA SHOULD be reachable via OSPF.

(config-router)#area 2 nssa translate type7 ?
  always       Always translate LSAs on this ABR
  suppress-fa  Suppress forwarding address in translated LSAs

area 1 nssa default-information-originate – generates Type7 default with metric 1

default-information originate [always] – generates Type5 default with metric 1


Optional subnets. Metric 1 for BGP, 20 for others.

  default-metric         Set metric of redistributed routes



Hidden commands

sh ip ospf delete
show ip ospf maxage-list





K values and Classic and Wide metrics

K1 trough K5. By default K1 and K3 == 1; all others – 0 (only BW and Delay re taken into account).

  • metric = [k1 * BW + (k2 * BW)/(256 – load) + k3 * delay]
  • If k5 != 0, metric = metric * [k5/(reliability + k4)]

Scaled Bandwidth = 10^7/minimum interface bandwidth (in kilobits per second) * 256
Delay is in tens of microseconds * 256. hexadecimal FFFFFFFF (decimal 4294967295) – unreachable.
Reliability is given as a fraction of 255. That is, 255 is 100 percent reliability or a perfectly stable link.
Load is given as a fraction of 255. A load of 255 indicates a completely saturated link.

  • metric = [k1 * Throughput + (k2 * Troughput)/(256 – load) + k3 * Latency + k6 * ExtM]
  • If k5 != 0, metric = metric * [k5/(reliability + k4)]

BW is now Throughput * 65536
DLY is now Latency * 65536
ExtM are the extended metrics (Jitter, Energy, and Quiescent Energy).

RIB is capable of handling only 32-bit metrics. Default is to scale * 1/128

metric rib-scale [1-255]

 Packet format

Encapsulated directly to IP with proto number 88;

|Header Version | Opcode        |           Checksum            |
|                             Flags                             |
|                        Sequence Number                        |
|                    Acknowledgement number                     |
|  Virtual Router ID              | Autonomous system number    |

Flags – 32-bit field indicating specific flags: 0x1 = Init (used during initial adjacency buildup), 0x2 = Conditional Receive (used by RTP to allow this message to be received only by a subset of receivers), 0x4 = Restart (indicates that a router has restarted), 0x8 = End-of-Table (indicates that the transmission of the entire EIGRP database is complete).

Opcode – 4 bit field. 1 = Update, 3 = Query, 4 = Reply, 5 = Hello/Ack, 10 = SIA Query, 11 = SIA Reply.

Virtual router ID – 0x1 = Unicast Address Family, 0x2 = Multicast Address Family, 0x8000 = Unicast Service Address Family

0x0001 EIGRP Parameters (General TLV Types)
0x0002 Authentication Type (General TLV Types)
0x0003 Sequence (General TLV Types)
0x0004 Software Version (General TLV Types)
0x0005 Next Multicast Sequence (General TLV Types)
0x0102 IPv4 Internal Routes (IP-Specific TLV Types)
0x0103 IPv4 External Routes (IP-Specific TLV Types)
0x0402 IPv6 Internal Routes (IP-Specific TLV Types)
0x0403 IPv6 External Routes (IP-Specific TLV Types)
0x0602 Multi Protocol Internal Routes (AFI-Specific TLV Types)
0x0603 Multi Protocol External Routes (AFI-Specific TLV Types)

Packet types

  • Hello in IPv4, and FF02::A in IPv6. 5 seconds; 60 seconds for NBMA with the bandwidth setting of 1544 kbps and less;

  • Acknowledgement

    always unicasted to the sender of the acknowledged packet. Hello packet with an empty body (that is, no TLVs) and having a non-zero Acknowledgment number field.

  • Update
     Multicast or unicast. During a new adjacency buildup – unicast, then – multicast. Might choose to use multicast for efficiency (DMVPN). On point-to-point interfaces and for statically configured neighbors – always unicast. Retransmit the Update as unicast to the unresponsive neighbor.
  • Query

    Involve neighbors in the task of searching for the best route toward a destination. ACK does not constitute a response to the Query message, only an acknowledgment that the Query has been received. Multicast on multiaccess, unicast on point-to-point and static neighbors; unicast to unresponsive neighbor.

  • Reply

    Response to Query. Always unicasted to the originator.

  • SIA-Query
  • SIA-Reply

    If the neighbor is reachable and is still engaged in the diffusing computation for the destination specified in the SIA-Query, it will immediately respond with an SIA-Reply packet. As a result, the timer that governs the maximum time a diffusing computation is allowed to run is reset, giving the computation extra time to finish. Both are unicast.

Update, Query, Reply, SIA-Query, and SIA-Reply packets are also called reliable packets.

Next Multicast Sequence TLV contains the upcoming sequence number of the next reliable multicasted message. The Sequence TLV contains a list of all lagging neighbors by their IP address.  A neighbor receiving this Sequenced Hello packet and not finding itself in the Sequence TLV will know that it is expected to receive the upcoming multicast packet, and will put itself into a so-called Conditional Receive mode (CR-mode).  Sending router will send the next multicast packet with the CR flag set in its Flags field. Routers in CR-mode will process this packet as usual and then exit the CR-mode; routers not in CR-mode will ignore it.

multicast flow timer – time to wait for ACK
retransmission timeout (RTO) – time between the sub- sequent unicasts. Typically 6 times the SRTT. Min 100ms, max 5000 ms.
smooth round-trip time (SRTT) –  average elapsed time, measured in milliseconds, between the transmission of a reliable packet to the neighbor and the receipt of an acknowledgment

If a reliable packet is not acknowledged before 16 retransmissions and the Hold Timer duration has passed, re-initialize the neighbor.

Router Adjacencies

Parameters to match:

  • EIGRP Authentication Parameters (if configured)
  • EIGRP K-Values
  • EIGRP Autonomous System (AS) Number
  • Use of primary addresses for EIGRP neighbor relationships
  • Use of the common IP network address on a single subnet

Timers (do not need to match):
Hello – 5 seconds60 seconds for NBMA with the bandwidth setting of 1544 kbps and less;
Hold – 15 or 180 seconds, depending on the interface type. Changing Hello does NOT result recalculation of Hold.

add image from page 377 here.


  • Reported Distance (RD) (or Advertised Distance) corresponds to the current best distance of the particular neighbor to the destination.
  • Computed Distance (CD) shows the total metric of reaching the destination over the particular neighbor. RD of the neighbor + the cost of the link to the neighbor.
  • FD is a record of the lowest known distance since the last transition from the Active to Passive state. FD is a historical record, or a historical copy, of the smallest known CD toward a particular destination, with the history starting anew with the last Active-to-Passive transition. Not necessarily equal to CD. Internal value. Not advertised.
  • Feasibility condition – any neighbor whose Reported Distance is strictly smaller than this router’s Feasible Distance cannot form a routing loop. RD < FD. Sometimes called the Source Node Condition.

Feasible Successors – neighbors that pass the FC.
Successors – neighbors that report the least CD.

Local & diffusing computations.

After a failure:
1. Choose the neighbor that provides the least CD.
2. If it meets FCstart using it right away; if it does notput route into Active .

Stuck-In-Active – torn down all neighbors that did not reply. Consider that they responded with an infinite metric.
Active timer – 3 min; 1 – 65535.

(config-router)#timers active-time

If a neighbor does not respond to a Query message with its Reply within half of the Active timer time, the router will send the neighbor a SIA-Query message. Wait for SIA-Reply within the next half of the Active timer. Receiving an SIA-Reply allows the Active timer to be reset.  Three SIA-Queries can be sent, each after half of the Active timer.

Named Mode

Starting from 15.0(1)M.
Multiple processes named and classic mix.
All EIGRP-related commands outside the named mode (such as per-interface commands) will be ignored if configured.

  • Address Family (AF) section: the AS is part of AF definition
  • Per-AF-interface section:  af-interface default holds settings for all IFs.
    • passive-interface – do not form adj
    • shutdown – completely ignore
  • Per-AF-topology section: Multi Topology Routing (MTR) in EIGRP. topology base is always present.

Router ID

4 Byte. Manually or highest IP of Lo.
Can be different for each AF.
External routes tagged by RID. Dropped if own RID received.
Recent IOSs tag internal routes also. and disallowed.

(config-router)#eigrp router-id

Unequal-Cost Load Balancing

variance multiplier


topology base
     variance multiplier

Defines how many times worse than the best path a route through a Feasible Successor can be.

Add-Path Support

Since IOS 15.3.2(T)
Must be installed in touting table (maximum-path , metric ).
Split Horizon must  be deactivated on the multipoint tunnel interface (DMVPN).
Only in named mode. Range 1 – 4.

R1-Hub(config)# router eigrp CCIE
R1-Hub(config-router)# address-family ipv4 unicast autonomous-system 1 
R1-Hub(config-router-af)# topology base 
R1-Hub(config-router-af-topology)# variance 1 
R1-Hub(config-router-af-topology)# maximum-paths 6 
R1-Hub(config-router-af-topology)# exit
R1-Hub(config-router-af)# af-interface Tunnel0 
R1-Hub(config-router-af-interface)# no split-horizon 
R1-Hub(config-router-af-interface)# no next-hop-self 
R1-Hub(config-router-af-interface)# add-paths 4

The Variance (Unequal Cost Load Balancing) and Add-Path features are not compatible with each other.

no next-hop-self no-ecmp-mode is recommended with the Add-Path feature if the hub uses multiple tunnel interfaces to reach the spoke sites (avoid setting NHS when the route is reachable via other tunnel if any of these routes’ Successors can be reached over the interface on which the route is going to be readvertised).

Stub Routing

RIP and RIPng

RIPv2 UDP port 520
No hello, RIPv2 relies on the regular full routing updates instead
Update interval 30 seconds
Full updates each interval. For on-demand circuits, allows RIPv2 to
send full updates once, and then remain silent until changes occur, per
RFC 2091
When route changes – triggered update.
Auth: plain-text + MD5
Route tags
Next-hop field

Update 30 s
Invalid after timer per route default 180 s
Holddown timer begins after a route has been declared invalid; default 180 s. The router starts advertising that route as unreachable, does not accept any updated information, and does not modify the routing table entry for that route.
Flushed after timer per route default 240 seconds; If the updates about the route from its next hop cease to be received and the Flushed after timer reaches its limit, the router removes the route from the routing table entirely.
The default timer setting actually does not allow the Holddown timer to completely expire. As a result, the effective Holddown period is only 60 seconds.

  router rip
      timers basic update invalid holddown flush

The RIP packet format is:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      |  command (1)  |  version (1)  |       must be zero (2)        |
      |                                                               |
      ~                         RIP Entry (20)                        ~
      |                                                               |

RIP Entry :

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      | address family identifier (2) |      route tag    (2)         |
      |                        IPv4 address (4)                       |
      |                        Subnet Mask  (4)                       |
      |                        Next-hop addr (4)                      |
      |                           metric (4)                          |

A RIP message consists of a 4B-long header containing the command field (set to 1 for
Request, 2 for Response) and the version field (2 for RIPv2). The remaining two octets
are unused. The remainder of the message consists of routing entries, with each routing
entry occupying 20 octets in total. At most 25 routing entries can be placed into a single
RIP message. Each routing entry contains the address family identifier identifying the
format of the address information carried in the routing entry (only the value 2, IPv4—
also known as AF_INET—is commonly supported), route tag, and the route itself—its
address, netmask, recommended next hop, and metric.

A Request message is used to ask a neighbor to send a partial or a full RIP update immediately,
rather than waiting for the Update timer to expire, speeding the convergence. A
full RIP update is requested by a Request message containing exactly one routing entry
with the address family ID set to 0 and metric set to 16. Otherwise, if a Request message
lists one or more particular networks, only the update on these networks is requested.

RIPv2 increments the metric when sending updates; RIPng and EIGRP increment metrics when receiving updates.

RIPv2 uses autosummarization at classful network boundaries by default.

Cisco IOS enables the RIPv2 (and EIGRP) authentication process on a per-interface basis

interface Fa0/1
   ip rip authentication key-chain name
   ip rip authentication mode { text | md5 }

When authentication is enabled, the maximum number of prefixes that can be advertised
in a RIPv2 message is reduced by 1 to a value of 24. The first route entry in each RIPv2
message would be carrying 20 bytes of authentication data.


FF02::9 UDP port 521
No multiproto capability, so no address-family field.
Version field set to 1

Packet format:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      |  command (1)  |  version (1)  |       must be zero (2)        |
      |                                                               |
      ~                Route Table Entry 1 (20)                       ~
      |                                                               |
      |                                                               |
      ~                         ...                                   ~
      |                                                               |
      |                                                               |
      ~                Route Table Entry N (20)                       ~
      |                                                               |

Route Table Entry:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      |                                                               |
      ~                        IPv6 prefix (16)                       ~
      |                                                               |
      |         route tag (2)         | prefix len (1)|  metric (1)   |

The number of route entries in a RIPng message is limited only by the IPv6 MTU on the link, and the protocol itself poses no limitations on their count.

A next-hop RTE is identified by 0xFF in the metric field. The IPv6 prefix field contains the IPv6 address of the next-hop. The route-tag and prefix-len fields are set to 0.

  • Authentication or encryption by IPsec is not supported.
  • Split Horizon can be activated or deactivated only on a per-process basis
  • Passive interfaces are not supported.
  • Static (manual) neighbors cannot be configured (no neighbor command).
  • Per-process offset lists are not supported.


  • Multiple RIPng processes can be run on a router
  • Route Poisoning, as an enhancement of the Split Horizon mechanism, can be activated
    on a per-process basis.
  • Interfaces can be configured with a metric-offset value
  • The default route can be originated on a per-interface basis, including an option of
    suppressing all other updates over that interface.


NAT order of operations


Inside-to-Outside Outside-to-Inside
  • If IPSec then check input access list
  • decryption – for CET (Cisco Encryption Technology) or IPSec
  • check input access list
  • check input rate limits
  • input accounting
  • redirect to web cache
  • policy routing
  • routing
  • NAT inside to outside (local to global translation)
  • crypto (check map and mark for encryption)
  • check output access list
  • inspect (Context-based Access Control (CBAC))
  • TCP intercept
  • encryption
  • Queueing
  • If IPSec then check input access list
  • decryption – for CET (Cisco Encryption Technology) or IPSec
  • check input access list
  • check input rate limits
  • input accounting
  • redirect to web cache
  • NAT outside to inside (global to local translation)
  • policy routing
  • routing
  • crypto (check map and mark for encryption)
  • check output access list
  • inspect CBAC
  • TCP intercept
  • encryption
  • Queueing

Note that the process is merely the same. But for inside process the NAT is performed after routing. As for outside the NAT if performed before routing. Which seems pretty logical 😉

BGP order of preference

For inbound updates the order of preference is:
1. route-map
2. filter-list
3. prefix-list, distribute-list

For outbound updates the order of preference is:
1. filter-list
2. route-map | unsuppress-map
3. advertise-map (conditional-advertisement)
4. prefix-list|distribute-list
5. ORF prefix-list (a prefix-list the neighbor sends us)


Name Location of Host  IP Address Space in Which Address Exists
Inside local Inside the network  Part of the enterprise IP address space – private IP
Inside global Inside the network  Part of the public IP address space
Outside local In the public Inet  Part of the enterprise IP address space – private IP
Outside global In the public Inet  Part of the public IP address space

These are key terms to help you understand static NAT:

  • NAT inside interface—The Layer 3 interface that faces the private network.
  •  NAT outside interface—The Layer 3 interface that faces the public network.
  •  Local address—Any address that appears on the inside (private) portion of the network.
  •  Global address—Any address that appears on the outside (public) portion of the network.
  •  Legitimate IP address—An address that is assigned by the Network Information Center (NIC) or service provider.
  •  Inside local address—The IP address assigned to a host on the inside network. This address does not need to be a legitimate IP address.
  •  Outside local address—The IP address of an outside host as it appears to the inside network. It does not have to be a legitimate address, because it is allocated from an address space that can be routed on the inside network.
  •  Inside global address—A legitimate IP address that represents one or more inside local IP addresses to the outside world.
  •  Outside global address—The IP address that the host owner assigns to a host on the outside network. The address is a legitimate address that is allocated from an address or network space that can be routed.


  • source
  • destination
  • protocol type
  • incoming interface
  • length


  • incoming – link level (ip policy route-map)
  • locally originated (ip local policy route-map)

set ip|ipv6 default next-hop|interface – attempts to route based on the routing table, and only if no match is found in the routing table, the packet will be handled by PBR