Wednesday, May 23, 2018

Majorbacon's Study Guide for the CCNP ROUTE Exam

Planning on taking the ROUTE exam 300-101? Here's a rundown on some of the things you may or may not have already committed to memory that I would certainly want to know before sitting down in front of a computer with a timer and camera! This study guide is NOT to teach you, but to remind you of what you should know! Please comment with any questions you have and I'd be glad to help fill in the answer for you.

ACLs: Know how to read an extended ACL: 

stance (permit/deny) protocol (ip, ipv6, tcp) source (any, host IP, IP & wildcard mask) [optional operator and protocol of source (gt 1024, eq http)] destination (any, host IP, IP & wildcard mask) [optional operator and protocol of destination (gt 1024, eq http)] [optional log]


permit ipv6 host 2001:DB8:0:1::102A any eq http
permit tcp host gt 1024 host ssh

don't forget stand ACLs too though


Remember that Access Control Lists have the following properties.

  1. Top-down processing
  2. Immediate Execution on a matching item
  3. An implicit deny all at the end of the list
And remember an ACL doesn't DO anything - it is just a filter tool. Only by applying can you get results (ie: interface, line vty, NAT source, redistribution list, route map, debug ip packet command)

Int gi 0/5
ipv6 access-group 123 out

Line VTY 0 4
ipv6 access-class 123 in

distribute list 234 out Fa 0/0

debug ip packet 123 detail

ACLs can have the "log" entry added at the end which triggers informational syslog messages after trigger (and repeating every 5 minutes) - these packets that match with the logging keyword are process switched instead of fast switched, and can use a great deal of CPU utilization if there is a broad scope.

TTL: Default is 255, when it reaches 0 packet is dropped, decremented by 1 per router to prevent routing loops, slightly different in MPLS where the TTL triggers drops at a value of 1 rather than 0

HTTPS: If the Router supports web traffic it should be accessed securely using HTTPS. For further security it can be a secure webserver on a non-default (443) port by using the ip http secure-port <new port# above 1024> command.

Distribution List: Routers can have a filter  that controls which routes they will share and/or learn. An ACL can be created that enumerates trusted network IDs and then they can be applied using the distribute list command

access-list 2 permit

router rip
distribute list 2 out
distribute list 2 out Fa 0/0

Prefix Lists: A tool used for filtering which routes will be learned or shared. 

Prefix lists can be very specific:

ip prefix-list ONE_NET_PFXLIST Permit 

or allow for flexibility

ip prefix-list ONE_NET_PFXLIST Permit ge 23 le 25
This example means that any route with an ID from to that is announced with a subnet mask from /23 ( to /25 ( will be allowed. 

CRASH Collection: after a router has crashed without warning a crash collection of log data (usually for Cisco support) can be collected using "core dumps" - a full copy of the memory image, generated using TFTP, FTP, RCP, or Flash Disk

SNMPv2 Security: You should setup read-only level access and a complex community string. snmp-server host <IP> traps version 2c <c-string>

SNMPv3: SNMP access modes determine if the connection is authenticated (AUTH) and if desired Encrypted (PRIV). Modes include: Auth/NoPriv, authPriv, NoAuth,NoPriv. 

  • NoAuth,NoPriv still checks the username, 
  • Auth/NoPriv checks username and password, 
  • AuthPriv checks username and password and generates an encryption key. 

AES encryption and SHA-1 Authentication are used by SNMPv3. snmp-server host <IP> traps v3 auth <username>

OSPF Neighbors: Must have matching timers (hello/dead), Area Numbers, subnet. You do NOT have to match Process ID, wait interval, or MTU size

OSPF Neighbor Types:

  • Point to Point - PPP, HDLC, Ethernet (if configured) - No DR/BDR, 10 sec hello
  • Broadcast - Ethernet, Uses DR/BDR, 10 sec hello
  • Loopback - no neighbors

Frame relay is the reason for all of the other types:

  • Non-Broadcast - Frame Relay, Uses DR/BDR 30 sec hello - manual neighbor config
  • Point to MultiPoint - Frame Relay, no DR/BDR, 30 sec hello 
  • Point to MultiPoint Non-Broadcast - Frame relay, No DR/BDR, 30 sec hello, manual neighbor config

OSPF addresses: Multicast, (DR/BDR upload), updates on change (plus the "paranoid" update every 30 minutes because the LSAs age out after 60 minutes)

Basic OSPF LSA Types:

  1. Router LSA - local area LSA every router generates - All Router Info!
  2. Network LSA - local area LSA for multiaccess DR/BDR network info 
  3. Summary LSA - interarea LSA sent by ABR regarding other areas including the backbone area 0
  4. ASBR Summary LSA - interarea LSA sent by ABR to identify the ASBR of a remote area
  5. Autonomous System LSA - local and interarea LSA generated by ASBR

OSPF network command: network <IP base> <wildcard delimiter>
for best practices and security you should make sure your wildcard matches an IP address of the specific interface or the subnet ID of the IP address on a specific interface. In either case the network command by default enables hello messages and injects that interface into the OSPF database. 
IP address 
"most specific" wildcard mask: network area 0
"matching subnet" wildcard mask: network area 0
These commands will have EXACTLY the same effect, to enable one and only one interface to start participating in OSPF. That is why it is a best practice.
Although you could enter network area 0, it would enable OSPF for any current and future interfaces with any IP address assigned out of the class A network. This is not a good practice since there can be unintended consequences in both routing performance and security.

OSPF at the interface level: The OSPF network command is entered under the routing process. The entire issue of wildcard masks can be ignored by using the ip ospf <process ID> area <area #> command at the interface 

OSPF Areas:

  • Backbone Area: Area 0 to connect all other areas (All LSA types)
  • Normal Area: Contains intra-area and inter-area routes (All LSA Types)
  • Stub Area: Contains it's own intra-area (Type 1 & 2) and inter-area summary LSAs (3), but not external LSAs (Type 4 & 5) and adds a type 3 summary default route with a cost of 1 (area default-cost command to change). router context: area <#> stub on the Stub Area routers and ABR
  • Totally Stubby Area: Cisco only: Same as stub area but let's remove the type 3 LSAs too and just use the default route. Router context: area <#> stub on all Stub Area routers but area <#> stub no-summary on the ABR ONLY!!!
  • Not-So-Stubby Area (NSSA) - What if your stub area contains an ASBR? Not so stubby after all, are you? That info can't break out of a stub area! So the NSSA was created Contains area and external routing info area <#> nssa. Like a stub area but ASBR external routes are sent as a type 7 (a type 5 in disguise). Industry standard, so it still allows type 3 LSAs like a stub. Default route is NOT injected (good chance that's why we have an external info source, right?) unless you say area <#> nssa default-information-originate
  • Totally Not So Stubby Area (Totally NSSA) - Cisco only: same as NSSA but let's remove the type 3 LSAs too! area <#> nssa no-summary. Also includes the default route automatically

OSPF Virtual Links: OSPF requires that ALL areas be directly connected to the backbone area. if this is not true then the TRANSIT area must be declared as a virtual link on the ABR and the area router connected to the disconnected area.
Command on ABR: area <transit area #>, virtual-link <router ID of remote router off transit area>

Command on ABR: area <transit area #>, virtual-link <router ID of ABR of transit area>

EIGRP Redistribution: inject other sources into EIGRP topology for sharing with other EIGRP routers. In router EIGRP context, redistribute <protocol, such as RIP, OSPF process#, static> 1000 100 250 100 1500. Also, Default-metric 1000 100 250 100 1500 sets the default Bandwidth, Delay, Reliability, Load, and MTU for EIGRP processing of redistributed info. 

OSPF Redistribution:  inject other sources into OSPF topology for sharing with other OSPF routers. In router OSPF context, redistribute <protocol, such as RIP, EIGRP AS#, static> metric <if not used there is a seed value of 20> subnets (otherwise only classful networks will be redistributed)

IP SLA in 3 steps: 

  1. First define a probe type (ip sla monitor 11, icmp-echo source-interface fa 0/0), 
  2. Then define tracking objects (track 1 ip sla 11 reachability), 
  3. Then define an action per object (ip route … track 1)
IP SLA and UDP: IP SLA can measure UDP performance. UDP stats can include latency (delay in a particular direction) and Round Trip Time (overall delay)

Identify an OSPF ABR: If you see interfaces OSPF enabled in area 0 and another area # then that router is an Area Border Router. If you show ip ospf database and you see Summary Net Link States (Type 3) LSAs then you are an ABR – summary links between areas

Identify an OSPF ASBR: If you see redistribution or default-origninate commands then you are looking at an Autonomous System Boundary Router.  If you show ip ospf database and you see Summary ASB Link States (Type 4) LSAs then you are an ASBR – injecting external info into OSPF

Path MTU (P-MTU) Discovery: Path MTU determines the true MTU over a set of links by sending a large packet with the “don’t fragment” (DF) flag set. When a router with a smaller MTU cannot fragment the packet it will drop it and send an ICMP message. The sender tries again with smaller and smaller initial packets until it is able to send the data to the destination. This may be enabled on VPN links, for example.

ISP Connection: You can obtain your IP through DHCP from your ISPF, but prevent a default route from being installed by using no ip dhcp client request router

Verifying Tracking: show track – verify configured tracking objects

Passive Interfaces: Prevent forming neighborships on an interface (passive-interface default, passive-interface gig 1/0)

EIGRP Packet Types: Queries are sent to all neighbors on interfaces other than the one used to reach a previous successor when a route is lost. Queries require Replies. Updates are sent out when there is a change in the EIGRP topology. Hello messages are sent to find and verify neighbors
EIGRP Stub Routers: identify that they should not be queried if an EIGRP route is removed from an adj. router's topology table. 

DHCP Options: (3) Router, 6 (DNS), 15 (Domain Name), 4 (Time Server) 1 (Subnet Mask)

DHCP Snooping: A task performed on switches to DROP suspicious traffic in the following situations

  1. A DHCP server packet (Reply, ACK, etc) is received from an untrusted interface or server
  2. Any packet is received on an untrusted interface where the source MAC doesn't match the DHCP client MAC assigned in the DHCP process and stored in the DHCP snooping table., 
  3. A DHCPRELEASE or DHCPDECLINE message is received on an interface which does not match the DHCP snooping table. 
  4. A DHCP packet is received that includes a relay agent IP address that is not

Broadcast: all available destinations. (one to all). In IPv4 the largest IP address in a subnet is known as the directed broadcast address.

Multicast: multiple destinations that share a common group address. (one to many). In IP special addresses are used to recognize multicasts. In IPv4 the class D addresses from to are reserved for multicasting. 

Anycast: A single destination based on a common shared unicast address. Based on distance metrics the nearest interface is used. (one to nearest one)

Convergence: Means that all routing information has been propagated through the network.

Split Horizon: A loop prevention mechanism that prevents sending a specific network route ID downstream to a router that previously sent that same route ID upstream. Split Horizon rules can be an issue in a Frame Relay Non-broadcast multiple access topology.

Route Poisoning: A loop prevention mechanism that will, upon link failure advertise a metric that is higher than the maximum value (and therefore is poison to adjacent routers, immediately removing the route from the routing tables)

Poison Reverse: A loop prevention mechanism that ensures that when a poison route is learned a router will override the split horizon rule and immediately “confirm” the poison route by sending the poisoned route back to the sender.

Route Summarization: Using a subnet mask for a route that encompasses multiple subnets. A dynamic routing protocol may advertise the summary to simplify the routing process and decrease the amount of traffic going to a particular router or router area.

Protocol Catagorization:

Distance Vector Protocols: RIP, RIPv2, IGRP, EIGRP
Enhanced Distance Vector Protocol: EIGRP
Path Vector Protocol: BGP 
Link State Protocol: OSPF, IS-IS
Interior Gateway Protocols: RIP, RIPv2, IGRP, EIGRP, OSPF, IS-IS
Exterior Gateway Protocol: BGP

TCP MSS: Maximum Segment Size - the total application data size in a TCP segment, minus the TCP header itself.

TCP Selective ACKnowledgments: improves performance when multiple packets are lost in a window of data transmission (remember TCP tries to be efficient and not ACK every segment). Selective ACKs can request individual segments, rather than resending all segments beginning with the first lost segment. IP TCP selective-ack enables.  Selective ACKs can be used with TCP Keepalive Timer, the TCP ECN, and TCP Timestamps.

  • The TCP keepalive timer identifies dead connections. 
  • The TCP Explicit Congestion Notification (ECN) feature enables routers to notify hosts regarding congestion. IP TCP ECN enables ECN. 
  • The TCP Timestamp option supports better TCP round trip time information. IP TCP Timestamp to enable TCP Timestamps.

TCP starvation/UDP dominance: occurs if TCP-based data is assigned to
the same service-provider class as UDP-based data and the class experiences

sustained congestion. Mission critical TCP transmissions might be starved out by a streaming video, for example.

Hold-down Timer: A loop prevention mechanism that ensures that routers will not send or accept advertisements for a route for a period of time. This is typically done after a route fails.

BGP Neighbors: BGP neighborships are manually defined using the neighbor command. The neighbors must agree on the nature or their relationship – matching AS = IBGP, different (but correct) AS = EBGP. Neighbors do NOT have to be physically adjacent, but if not must be able to route to each other using another dynamic routing protocol or through static routing. The show ip bgp summary shows local and neighbor settings. Show IP BGP Neighbor gives detailed neighbor info. If the neighbor bgp state is “established” then BGP peers can exchange routing information because peering is complete.  If the state is “active” then there is no open message response from the neighbor which means no routing information can pass yet. If the state is “idle” then the routing table is being searched for reachability. If the state is “connect” then the TCP handshake has completed.

BGP routing: When determining a preferred route BGP usually picks the path with the fewest Autonomous Systems (AS) to cross. This is the 4th step in determination, but the most often selected.

PPP Authentication: PPP can support multiple authentication types such as CHAP with failover to PAP. If the interface is set with encapsulation ppp then you can issue the command ppp authentication chap pap

Data Plane traffic: describes the traffic being forwarded by a device. (client to server traffic while it is being handled by a router, switch, firewall, etc) 

Management Plane traffic: connects to the device to manage it using protocols such as SNMP, SSH, Telnet, HTTP, or HTTPS

Control Plane traffic: is sent by the device to other devices for supporting or building the network infrastructure. (CDP, LLDP, OSPF, EIGRP, etc)

Protecting the Management Plane: You can implement AAA authentication to control who can connect with a VTY Line. You can also implement RBAC views to define who has access to what.

Bandwidth Delay Product (BDP): A value that is calculated by multiplying the Round Trip Time (RTT) (visible with a PING) by the available bandwidth (slowest link in a path) between two nodes. This value is the maximum amount of data that can traverse the network at any particular time.

Stub Networks: A network with a single link to the rest of the networks – may use a static default route to get out and possibly a static route to get in.

StateLess Address AutoConfiguration (SLAAC): A device learns of a network via RA (router announcements) which include the IPv6 network ID in the router’s own IP address. 

EUI-64: One method where clients of a router can then assign a unique IPv6 

host suffix using a method by expanding their 48-bit mac address into a 64-bit value, inserting FFFE in the middle. Fill Factor of Fluff Everytime

IPv6 Routing: IPv6 routing is disabled until you enable it with IPv6 unicast routing and configure IPv6 addresses on an interface. The show ipv6 traffic message "Not a Router" will show up if this hasn't been configured.

IPv6 Host Assignment: IPv6 Hosts send a multicast "router solicitation" messages to FF02::2 (all routers on a segment) which then receives a Router Advertisement (RA message) that provides the network prefix (Network ID) and a path to get off the subnet (default gateway). The advertisement could also tell the Host whether to autoconfigure their unique suffix (stateless) or to find a DHCPv6 server (stateful)

IPv6 ACLs: To limit traffic requires that you define and apply IPv6 ACLS. The command to apply the IPv6 ACL is very different than IPv4, however. It is ipv6 traffic-filter <ACL name> <IN|OUT>

Bandwidth-delay product: The bandwidth multiplied by the latency:
4 Mbps with 100 ms delay
4,000,000 bits/sec * 0.1 sec = 400,000 bits

Stateless DHCPv6: SLAAC configured clients can receive configuration parameters without a lease, such as the location of the IPv6 DNS server.

Stateful DHCPv6: assignment of IPv6 addresses using a DHCP method similar to IPv4

DHCPv6-PD: An extension to DHCPv6 in which the client receives a set of subnets which can then be segmented and dynamically applied to client interfaces (the client usually being a CPE device relative to a service provider

OPSFv3 “VPN routing and forwarding customer edge” (VRF CE): aka, VRF-lite. Let’s OSPFv3 run on non-default VPN routing and forwarding interfaces. Multi-VRF enables multiple routing tables on a single router (Customer Edge or CE). This enables OSPF to run between the Provider Edge (PE) and the customer edge (CE) when you run capability vrf-lite in the OSPF routing process

"AnyConnect" SSL VPN: A user accesses a web browser and connects to a security appliance using https://IP address and logs in - a client is then securely downloaded according to the user's OS and the client establishes a secure SSL VPN session that then allows encapsulated access for other protocols, such as file share access. The downloaded VPN client may be transient or permanent.

DMVPN: Dynamic Multipoint VPN uses mGRE, NHRP, IPSEC to allow a hub router to automatically build new VPN tunnels with new Spoke routers that connect up to it using proper authentication. Dynamic Mesh (spoke to spoke) tunnels can be built on demand if needed.

PPPoE client config: The PPPoE configuration with an ADSL interface will require referencing the correct dialer interface. This is done with the pppoe enable command and the pppoe-client dial-pool-number command which binds the Ethernet interface to a dialer interface. 

PPPoE dialer persistent:allows for the connection to be brought up without being triggered by "interesting" traffic. PPPoE can be secured by the PPP options of CHAP (encrypted or hashed authentication) and PAP - cleartext authentication.  
PPPoE Phases:

  1. Active Discovery Phase— the PPPoE client locates a PPPoE server (access concentrator) and receives a Session ID  
  2. PPP Session Phase— the PPPoE client and server negotiate options and perform authentication. 
  3. PPPoE now functions as Layer 2 encapsulation to allow data to be sent over the PPP link encapsulated within the PPPoE headers.

DMVPN: Dynamic Multipoint Virtual Private Network: Autoconfigs new spoke routers by using Next Hop Resolution Protocol (NHRP) to map the tunnel IP address to the IP address of the physical interface of the hub router and automatically create a GRE with IPSEC tunnel. The spoke points to the static address of the hub router that enables the multipoint Generic Routing Encapsulation (mGRE) interface to build a dynamic tunnel back to the branch router without having to configure the hub by hand.

EIGRP Metric: The Diffusing Update Algorithm (DUAL) uses enabled “1” K values for Lowest Bandwidth and Cumulative Delay by default, with disabled “0” K values for Reliability and Load. Note that MTU is included in the EIGRP routing update but is not used by default in the DUAL calculation.

IPv6 Global Addresses: 2000::/3 refers to Global Addresses which are Internet routable, ie: Google’s IPv6 DNS server is on 2001:4860:4860::8888

IPv6 Link Local Addresses: FE80::/10 refers to Link-Local Addresses which are used for local communication and are autoconfigured on all IPv6 interfaces, such as a router with FE80::C001:1DFF:FEE0:0

IPv6 Multicast Addresses:  FF00::/9 refers to Multicast address which are shared by all multicast group members, such as OSPFv3 hellos on FF00::5

IPv6 Unique Local Addresses: FC00::/7 refer to Unique Local Addresses which are globally unique and are not expected to be internet routable, but only routed internally.

NAT64: Use this IPv6 transition technology if you want to allow IPv6 devices to be able to communicate with IPv4 servers. Nat64 can be setup in a stateless or stateful configuration. Separates DNS64 and NAT64 functionality

NPTv6:  Network PREFIX Translation, performs a stateless static, one-to-one IPv6 to IPv6 translation in both directions. Because it doesn't have to translate transport layer headers (TCP/UDP ports) it is checksum-neutral and doesn't interfere with the payload of IP, even when encrypted. 

NAT-PT: NAT Protocol Translation is an older technology for IPv4 devices to communicate with IPv6 devices via transparent router translation. It does not support Cisco Express Forwarding and only supports DNS, FTP, ICMP Application Layer Gateways.

GRE Configuration: When setting up a GRE tunnel you will need to create a tunnel interface and specify the tunnel source interface and the tunnel destination IP address, as well as the tunnel’s ip address (which should be a local point-to-point address to the other tunnel endpoint). Also specify the tunnel mode as being gre ip

Service password-encryption: encrypts all user passwords in the router’s account database

Multipoint two-way redistribution: can lead to suboptimal routing and/or routing loops.

Unicast reverse path forwarding RSF: enables a router to verify the reachability of the source address in packets being forwarded. Enable on an interface with ip verify unicast source reachable-via rx (strict) or all (loose). Verify with show cef interface <int>. This feature helps mitiage against forged IP packets. It can be run in strict (RX on same interface), Loose (ANY interface can route to it), and VRF mode.

Validating the Update Source: By default all RIP updates are discarded if the source address is not valid. No validate-update-source prevents this process from occurring.

Easy Virtual Network: end-to-end virtualization of multiple networks where a single IP infrastructure provides multiple (up to 32) virtual networks who’s paths are isolated from each other. 802.1Q encapsulation is used to support EVN interfaces. It is exclusive of VRF-Lite, OSPF v2 & OSPF v3. All of the associated subinterfaces can share a unique IP address, routing table and forwarding table. NAT, ACLs and Netflow are not supported with EVN.

HSRP: Because HSRP is a First Hop Redundancy Protocol (FHRP) routers will failover if their shared network link goes down. However they can be told to perform switchover based on tracking an IP SLA state of a remote router via ICMP or through the enabling or disabling of any interface, including a loopback (for manual switchover).

NetFlow: Identify traffic causing bandwidth performance issues - source and destination IP/Protocol/Port (aka socket) can be verified. NetFlow requires Cisco Express Forwarding to be configured globally in order to see both in and out traffic. If random sampling mode is selected it will choose 1 packet out of a hundred to test. The flow monitor is applied to an interface to perform monitoring. The exporter sends the data to a collector. 

NetFlow Commands:
show flow exporter <NAME> will show the current status of the flow exporter. show flow monitor <NAME> will show the status and statistics of a flow monitor.
show flow sampler <NAME> will show if random sampling mode where 1/n number of packets are used for statistical analysis
ip flow-export destination <IP> <PORT> will export cache flow information to a destination IP address on a specified UDP port.

NTP: Has a client/server relationship for maintaining correct time. The interface level  NTP client broadcast command enables receiving NTP broadcasts on that particular interface.

Logging: Increase logging accuracy by enabling service time stamps (service timestamps debug datetime msec), increasing the logging history size (logging history size <1-500>), or increasing the logging history level (logging history <level# 1-7>) Note that higher numbers = higher detail
Table 3 Message Logging Level Keywords 

Level Keyword



Syslog Definition



System unstable




Immediate action needed




Critical conditions




Error conditions




Warning conditions




Normal but significant condition




Informational messages only




Debugging messages