SubnetLab Pro — Built by Chaithanya Kumar Katari

Input Beginner Friendly

💡 Type an IP address like 192.168.1.0 and a prefix like /24 — or use the examples below.

IP Address

Invalid IP address — enter 4 numbers 0–255 separated by dots

Prefix

Prefix must be /0 to /32

Quick Examples

32-Bit Visual Map

Network bits

Host bits

Step-by-Step Explanation

Enter an IP above to see the working shown step by step...

Results

Network Address

—

Broadcast Address

—

First Usable Host

—

Last Usable Host

—

Usable Hosts

—

Total IPs

—

Subnet Mask

—

Wildcard Mask

—

IP Class

—

CIDR Notation

—

Network (Binary)

—

Mask (Binary)

—

Address Type Checker

Check if an IP is in this subnet

💡 What is VLSM? Instead of splitting a network into equal subnets, VLSM lets you carve out different sizes. Great for real networks where a WAN link needs only 2 hosts but a user VLAN needs 100.

Base Network

Network Address

Invalid IP address

Prefix

Invalid prefix

Subnet Requirements

Allocation Result

Fill in requirements and click Plan Subnets...

IPv6 Address Analyzer

💡 IPv6 = 128 bits, written as 8 groups of 4 hex digits (e.g. 2001:0db8::1). The :: replaces one or more groups of all zeros.

IPv6 Address

Invalid IPv6 address

128-Bit Visual Map

Blue = network prefix bits · Pink = interface identifier bits (last 64)

Address Compressor / Expander

💡 RFC 5952 compression rules: leading zeros removed per group, longest run of all-zero groups → ::

Any IPv6 (compressed or expanded)

PTR Record Builder

💡 Reverse DNS for IPv6 reverses every hex nibble and appends .ip6.arpa

IPv6 Address

Address Validator

Test any IPv6 (one per line)

IPv6 Address Type Reference
Prefix	Type	Scope / Use
::1/128	Loopback	Same as 127.0.0.1 in IPv4
::/128	Unspecified	Source before address assigned
2000::/3	Global Unicast	Publicly routable (like public IPv4)
fc00::/7	Unique Local (ULA)	Private, not globally routed (RFC 4193)
fe80::/10	Link-Local	Auto-assigned, single link only
ff00::/8	Multicast	One-to-many delivery
::ffff:0:0/96	IPv4-Mapped	IPv4 addresses in IPv6 apps
2002::/16	6to4	Automatic IPv4 tunnel (deprecated)
64:ff9b::/96	NAT64	IPv6→IPv4 translation gateway
100::/64	Discard	Traffic sink, RFC 6666

Well-Known Multicast Addresses
Address	Name	Use
ff02::1	All Nodes	All link-local nodes
ff02::2	All Routers	All link-local routers
ff02::5	OSPFv3	All OSPF routers
ff02::6	OSPFv3 DR	Designated routers
ff02::9	RIPng	RIPng routers
ff02::a	EIGRP	All EIGRP routers
ff02::1:2	DHCPv6	All DHCP relay agents
ff02::1:ff00::/104	Solicited-Node	NDP neighbor discovery

IPv4 vs IPv6 Header Comparison
Field	IPv4	IPv6
Address size	32 bits	128 bits
Header size	20–60 bytes	Fixed 40 bytes
Fragmentation	Routers + hosts	Hosts only
Checksum	Header checksum	None (upper layer)
Broadcast	Yes	No (Multicast)
ARP	Yes	NDP (ICMPv6)
NAT required	Usually	Not needed
IPsec	Optional	Built-in
Config	Manual/DHCP	SLAAC / DHCPv6
Flow label	No	Yes (QoS)

Standard Prefix Sizes & Uses
Prefix	Typical Use
/23, /24	Allocated to Regional Internet Registries
/32	Minimum ISP allocation from RIR
/48	Standard customer/site allocation
/56	Small customer (some ISPs)
/64	Standard LAN segment (required for SLAAC)
/80	Uncommon, breaks SLAAC
/127	Point-to-point links (RFC 6164)
/128	Single host / loopback

Networks to Check

💡 Enter multiple networks (one per line, CIDR format). We'll check every pair for overlap.

Network List (CIDR, one per line)

Results

Enter networks and click Check All...

💡 Why supernet? Instead of advertising 4 routes (192.168.0.0/24, .1.0/24, .2.0/24, .3.0/24), you advertise one: 192.168.0.0/22. This reduces routing table size and convergence time.

Networks to Summarize

CIDR Blocks (one per line)

Summary Route

Enter networks and click Summarize...

💡 Why binary? IP addresses are actually 32-bit binary numbers. Subnet masks work by using AND operations on these bits. Once you understand binary, subnetting becomes straightforward.

Live Decimal ↔ Binary Converter

Decimal (0–255)

⇄

Binary (8 bits)

Interactive Bit Builder

Click the bits to toggle them ON/OFF. Watch the decimal value update!

0

Decimal value (0–255)

AND Operation — How Subnetting Works

Finding the network address = IP address AND subnet mask. Each bit pair: 1 AND 1 = 1, anything else = 0.

IP Address

Subnet Mask

Result (Network)

—

Mask Builder Slider

Prefix /24

255.255.255.0

Host Bits

8

Total IPs

256

Usable Hosts

254

What This Means

💡 CIDR replaced classful addressing in 1993. Instead of Class A/B/C having fixed masks, CIDR lets you use any prefix length. 10.0.0.0/8 means "first 8 bits are the network."

CIDR Block Explorer

Enter CIDR Block

Subnet Division Calculator

How many subnets of size /X fit into your network?

Base Network

Divide into prefix

⚠️ Classful addressing is largely historical — modern networks use CIDR. But you still need to know classes for CCNA exams and understanding legacy configs.

Class Lookup

Enter any IP

Class	First Octet	Range	Default Mask	Private Range	Use
A	0xxx xxxx	1.0.0.0 – 126.x.x.x	/8 (255.0.0.0)	10.0.0.0/8	Large enterprises, ISPs
B	10xx xxxx	128.0.0.0 – 191.255.x.x	/16 (255.255.0.0)	172.16.0.0/12	Medium/large networks
C	110x xxxx	192.0.0.0 – 223.255.255.x	/24 (255.255.255.0)	192.168.0.0/16	Small networks (≤254 hosts)
D	1110 xxxx	224.0.0.0 – 239.x.x.x	N/A	None	Multicast groups
E	1111 xxxx	240.0.0.0 – 255.x.x.x	N/A	None	Research / Reserved

Special Addresses

Address	Meaning
0.0.0.0	This network / default route
127.0.0.0/8	Loopback (127.0.0.1 = localhost)
169.254.0.0/16	Link-local / APIPA (no DHCP)
255.255.255.255	Limited broadcast
x.x.x.0	Network address (not usable)
x.x.x.255	Broadcast address (not usable)

RFC 1918 Private Ranges

Range	CIDR	Addresses
10.x.x.x	10.0.0.0/8	16.7 million
172.16–31.x.x	172.16.0.0/12	1.05 million
192.168.x.x	192.168.0.0/16	65,536

0

Score

0

Streak 🔥

0

Answered

—

Accuracy

Level:

Question 1

Loading...

IPv4 Subnet Reference
CIDR	Subnet Mask	Hosts	Block Size	Subnets/C
/32	255.255.255.255	1 (host)	1	256
/31	255.255.255.254	2 (P2P)	2	128
/30	255.255.255.252	2	4	64
/29	255.255.255.248	6	8	32
/28	255.255.255.240	14	16	16
/27	255.255.255.224	30	32	8
/26	255.255.255.192	62	64	4
/25	255.255.255.128	126	128	2
/24	255.255.255.0	254	256	1
/23	255.255.254.0	510	512	—
/22	255.255.252.0	1,022	1024	—
/21	255.255.248.0	2,046	2048	—
/20	255.255.240.0	4,094	4096	—
/19	255.255.224.0	8,190	8192	—
/18	255.255.192.0	16,382	16384	—
/16	255.255.0.0	65,534	65536	—
/8	255.0.0.0	16,777,214	16M	—

Powers of 2 (Host Calculation)
2^n	Usable Hosts (n>1)
2^1 = 2	0 (P2P only)
2^2 = 4	2
2^3 = 8	6
2^4 = 16	14
2^5 = 32	30
2^6 = 64	62
2^7 = 128	126
2^8 = 256	254
2^10 = 1024	1,022
2^16 = 65536	65,534
2^24 = 16,777,216	16,777,214

Common Subnet Math Tips
Hosts needed → prefix	Find smallest 2^n ≥ hosts+2, prefix = 32-n
Block size	256 - last octet of mask
Subnets in /24	2^(new prefix - 24)
Network addr	IP AND subnet mask
Broadcast addr	Network OR wildcard mask

Wildcard Mask Calculator Intermediate

Wildcard masks are the inverse of subnet masks. Used in ACLs and OSPF to match address ranges.

Subnet Mask or /prefix

Host Range Lister

Subnet (use /28 or smaller)

Decimal ↔ Hex ↔ Binary Converter

Decimal

Hex

Binary

Subnet Size Finder

How many hosts do you need? We'll find the right prefix.

Number of Hosts Required

💡 Start with any network (e.g. 192.168.0.0/24). Hit Divide to split a subnet into two equal halves. Hit Join to merge two siblings back. Like the davidc.net Visual Subnet Calculator — but built right in.

Starting Network

Network Address / Prefix

💡 Add routers and their connected subnets, if required use routing protocols like EIGRP, OSPF, bgp (ASN), then trace a packet from a source IP to a destination IP. See exactly which router forwards it and why.

Network Topology

Packet

Source IP

Destination IP

Trace Results

Configure routers and click Trace Packet to simulate forwarding...

Network Diagram

Standard ACL (1–99)

Extended ACL (100–199)

⚙ Standard ACL — Source IP Filtering

ACL Type

Numbered Named

ACL Number (1–99)

ACL Name

Action

Remark Text

Source Address

Source IP

Wildcard Mask

📖 Quick Reference

Standard (1–99): Filters on Source IP only — place close to destination

Extended (100–199): Src/Dst IP + Protocol + Port — place close to source

host keyword = /32 mask (0.0.0.0 wildcard)

any keyword = 0.0.0.0 255.255.255.255

⚠ Implicit deny all at end of every ACL

📄 ACL Entries

No entries yet — add a rule using the form on the left

💻 Generated Config

Vendor

Add entries to generate config...

🔌 Apply to Interface

Cisco IOS

Router(config)# interface GigabitEthernet0/1
Router(config-if)# ip access-group <ACL-ID/NAME> in|out

# Verify:
Router# show ip access-lists
Router# show ip interface Gi0/1

Juniper JunOS

set interfaces ge-0/0/1 unit 0 family inet filter input <FILTER-NAME>
set interfaces ge-0/0/1 unit 0 family inet filter output <FILTER-NAME>

# Commit and verify:
commit check
show firewall filter <FILTER-NAME>
show interfaces ge-0/0/1 detail | match filter

⚡ ACL Simulator — Packet Walk

Define a test packet below. The simulator walks your ACL entries top-down and highlights the first matching rule.

Source IP

Destination IP

Protocol

Destination Port

Add ACL entries first, then run the simulator.

Chaithanya Kumar Katari

Network Implementation Manager

🌐 Akamai Technologies · Bengaluru, India 🇮🇳

🌐 IPv4 / IPv6 🛡️ CCNA Certified 💻 Network Infra ⚡ 8+ Years Exp 🏢 Akamai · Microland · Synophic

8+

Years Experience

3

Companies

🌍

Global Deployments

CCNA

Certified

3K+

Lines of Code

About Me

Hi! I'm Chaithanya Kumar Katari, a Network Implementation Manager at Akamai Technologies based in Bengaluru, India. With over 8 years in networking, I specialize in server and switch deployments and configurations worldwide — working directly with ISPs, Accelerated Network Partners, and global infrastructure teams.

My day-to-day involves troubleshooting escalated network, hardware, and performance issues; managing new hardware deployments; and designing, configuring, and maintaining Akamai installations globally. I've worked closely with network partners on racking, cabling, and configuration of Akamai hardware at scale.

I built SubnetLab Pro to give networking students, engineers, and CCNA/CCNP candidates a free, offline, fully-featured subnetting and protocol toolkit — no ads, no logins, no server needed. Now at v15.0 with 60+ interactive simulators spanning ARP, NAT, MTU, TLS, ICMP, TCP, DHCP Relay, and more. Everything I wish I had when I was learning networking myself.

Work Experience

Manager, Network Implementation

🌐 Akamai Technologies

📅 2023 – Present · Bengaluru, India

Leading global server and switch deployments. Managing network implementation projects, coordinating with ISPs and partners worldwide to expand and maintain Akamai's global edge network.

Network Infrastructure Engagement Consultant

🌐 Akamai Technologies

📅 2020 – 2023 · Bengaluru, India

Worked with Akamai Accelerated Network Partners and ISPs globally. Troubleshot escalated network, hardware, and performance issues. Managed new hardware deployments — racking, cabling, configuration. Analyzed network trends and maintained Akamai installations.

Network Administrator

🏢 Microland Limited

📅 2020 · India

Provided network administration services for enterprise clients, managing custom software and IT infrastructure deployments.

Network Engineer

🏢 Synophic Systems Pvt. Ltd.

📅 2017 – 2020 · India

Network design, engineering, and NOC services for leading OEMs, ISVs, and enterprises. Built a strong foundation in routing, switching, and network infrastructure.

Education

Bachelor of Science — Computer Science

🎓 MTDS College

📅 Graduated 2017

Certifications

🛡️

CCNA — Routing & Switching

Cisco Systems · Cisco Certified Network Associate

🌐

Network Implementation Specialist

Akamai Technologies · Internal Certification

Technical Skills

IPv4 / IPv6 Networking

97%

Subnetting & VLSM

97%

Network Implementation

95%

Routing & Switching (CCNA)

93%

ISP / CDN Infrastructure

90%

Network Troubleshooting

92%

Hardware Deployment & Config

95%

Web Dev / JavaScript / SVG

78%

Get In Touch

💼

chaithanya-katari-58a4189a

🏢

Current Employer

Akamai Technologies

Email

[email protected]

Chat directly

📍

Location

Bengaluru, Karnataka, India 🇮🇳

🧰 About SubnetLab Pro

v15.0 100% Offline

SubnetLab Pro is a fully offline, single-file networking toolkit built by Chaithanya Kumar Katari — a Network Implementation Manager at Akamai Technologies with 8+ years of hands-on global network deployments. No ads. No login. No internet needed. Open the HTML file and everything works instantly.

🌐 IP Tools

IPv4 Calculator & VLSM Planner
Visual Subnet Tree Builder
IPv6 Full Suite (EUI-64, SLAAC, NAT64, 6to4)
IP Classes & CIDR Deep Dive
Binary / Hex / Octet Converter
Subnet Masks Reference

🔀 Switching / Routing

STP / RSTP Topology Simulator
↳ Multi-link & Parallel Cable Support
↳ Step-by-Step Election Walkthrough
VLAN 802.1Q Tag Visualizer
BGP Path Selection Simulator
Prefix-List & Route-Map Builder

📡 Protocols & Labs

DHCP DORA & DHCP Relay Agent (Option 82)
DNS Recursive / Iterative Chain Animator
BGP Animations Hub (FSM, Best Path, RR)
TCP / TLS Handshake Deep Dive (6 scenarios)
ICMP · Traceroute · PMTUD Simulator
CCNA / CCNP / CCIE Course (30+ modules)

🔬 New in v15.0

ARP Simulator (Basic, GARP, Spoofing, Proxy)
NAT / PAT Simulator (Static, Dynamic, PAT)
MTU / Fragmentation & PMTUD Black Hole
TLS 1.3 / 1.2 / mTLS / Session Resumption
ACL v2 — Rule Editor & Packet Builder
DHCP Relay Agent · GRE Tunnel MTU Overhead

60+

Interactive Tools

35K+

Lines of Code

0

Dependencies

Free

Forever · No Ads

📋 Version History

v15.0

Protocol Labs Mega-Drop — ARP Simulator (Basic, GARP, ARP Spoofing, Proxy ARP) · NAT/PAT Simulator (Static NAT, Dynamic NAT, PAT/Overload with live translation table) · MTU/Fragmentation Deep Dive (IP Fragmentation, PMTUD, PMTUD Black Hole, GRE Tunnel overhead) · TLS Handshake Animator (TLS 1.3, TLS 1.2, Session Resumption, Certificate Validation, mTLS, Alerts) · ICMP/Traceroute Simulator (Ping, Traceroute TTL walk, PMTUD) · TCP Segment Deep Dive (6 scenarios: Handshake, Data Transfer, Congestion, Teardown, Retransmit, RST) · DHCP Relay Agent (Basic, Option 82, Multi-server, Renewal, Decline/NAK) · ACL Simulator v2 Enhanced (Custom Packet Builder, Rule Editor, Hit Counter Dashboard, Quiz Mode, Packet Log)

v14.0

DHCP & DNS Simulators + BGP Animations Hub — Full DORA process animator with packet fields & DHCP option numbers · Complete DNS recursive/iterative resolution chain (browser cache → root → TLD → authoritative) · 8-animation BGP Hub (FSM, Message Types, Best Path, Route Reflector, Hijack Sim, MPLS Walker, Tunnel Builder, Convergence Calc)

v13.0

STP Multi-Link + Step Walkthrough · Add parallel/redundant links between any switches with custom costs · Full 6-step election walkthrough with BPDU internals, RP/DP/AP/BP logic, STP vs RSTP convergence · Real developer photo · About page overhaul

v12.0

STP/RSTP Topology Simulator · VLAN 802.1Q Visualizer · TCP Handshake · Prefix-List & Route-Map Builder · BGP Path Selection

v10.0

CCNA/CCNP/CCIE Course modules (30+ topics) · OSPF SPF & LSA Explorer · Network Security Reference · Quiz Mode · Flashcard Engine

v6.0

IPv6 full suite · EUI-64 · SLAAC · NAT64 · 6to4 tunnel calculator

v1.0

Initial release — IPv4 Calculator, VLSM Planner, Subnet Tree, Binary Basics

Built with ❤️ by Chaithanya Kumar Katari

Network Implementation Manager · Akamai Technologies · Bengaluru, India 🇮🇳

SubnetLab Pro v15.0

100% offline · No ads · Free forever

🧱 OSI Model & TCP/IP — Every Layer, Every Header, Every Bit

Packet encapsulation from application to wire · PDU names · protocol mapping · real Wireshark field values · CCIE-level interview traps

OSI 7-Layer Model — Complete Reference with Protocols, PDUs & Real Examples

💡 The OSI model was created by ISO in 1984. Real networks use TCP/IP stack, but OSI is the language of troubleshooting. Every vendor, every exam, every NOC uses "Layer 2 issue" or "Layer 3 problem" — this is why you must know it cold.

#	Layer Name	PDU Name	Key Protocols	Addressing	Devices	Real-World Job
7	Application	Data	HTTP/S, DNS, FTP, SMTP, SSH, Telnet, SNMP, NTP, DHCP	URL / hostname	Hosts, servers	User-facing data exchange. WHERE the data is born and consumed.
6	Presentation	Data	TLS/SSL, JPEG, MPEG, ASCII, EBCDIC, XDR	—	Hosts	Translate, encrypt, compress data. TLS lives HERE — not in Application.
5	Session	Data	NetBIOS, RPC, PPTP, SQL sessions, NFS	Session ID	Hosts	Open / maintain / close sessions. Half-duplex vs full-duplex control.
4	Transport	Segment (TCP) / Datagram (UDP)	TCP (reliable), UDP (fast), SCTP	Port number (16-bit: 0-65535)	Hosts, firewalls	End-to-end delivery. Multiplexing apps via ports. Reliability (TCP) or speed (UDP).
3	Network	Packet	IP (v4/v6), ICMP, IGMP, OSPF, BGP, EIGRP, IS-IS	IP address (32-bit IPv4 / 128-bit IPv6)	Routers, L3 switches	Logical addressing + path selection (routing). INTER-network delivery.
2	Data Link	Frame	Ethernet, Wi-Fi (802.11), PPP, HDLC, Frame-Relay, ARP, STP	MAC address (48-bit)	Switches, bridges, NICs, APs	INTRA-network delivery. MAC addressing. Frame delimiting. CRC error detection.
1	Physical	Bits	Ethernet (cable spec), Wi-Fi (RF), RS-232, USB, Fiber (SONET/SDH)	No addressing (raw bits)	Hubs, repeaters, cables, fiber, NICs (PHY chip)	Bits to signal conversion. Voltage levels, timing, connectors, wavelengths.

⚠️ CCIE Trap: ARP operates at Layer 2 (MAC addresses in payload) but resolves Layer 3 (IP) addresses. It's typically classified as a Layer 2/2.5 protocol. Interviewers LOVE this question. Also: OSPF is a Layer 3 protocol that runs DIRECTLY over IP (protocol number 89) — not over TCP or UDP.

Encapsulation — What Happens to Data at Each Layer

Imagine you're sending "Hello" (5 bytes) via HTTP over Ethernet. By the time it leaves the NIC as bits, it's carrying 68+ bytes of headers. This is what Wireshark shows you — headers wrapping headers wrapping your data.

TCP/IP 4-Layer vs OSI 7-Layer Mapping

Protocol Numbers You Must Know

IP Protocol #	Protocol	Port(s)	Transport
6	TCP	80,443,22,23,25,21,53	—
17	UDP	53,67,68,69,123,161,514	—
1	ICMP	—	Directly over IP
89	OSPF	—	Directly over IP
88	EIGRP	—	Directly over IP
47	GRE	—	Directly over IP
50	ESP (IPSec)	—	Directly over IP
51	AH (IPSec)	—	Directly over IP
58	ICMPv6	—	Directly over IPv6

IPv4 Header — Every Field Explained (20 bytes minimum, 60 bytes maximum)

This is the most important diagram in all of networking. The IPv4 header has 13 fields. Each CCIE candidate must know what every field does, its size in bits, and what goes wrong when it's misconfigured.

🔬 IP Fragmentation — Complete Worked Example (From Gate Smashers + RFC 791)

Fragmentation happens when a packet is larger than the MTU of the next link. The router SPLITS the IP payload into fragments, each with its own IP header. Reassembly ALWAYS happens at the destination host — NEVER at intermediate routers. This is a critical point!

WORKED PROBLEM (Gate Smashers style):

Original IP datagram: 4000 bytes total

└─ IP Header: 20 bytes

└─ Data: 3980 bytes

Link MTU: 1500 bytes

Max data per fragment: 1500 - 20 = 1480 bytes

Must be multiple of 8: 1480 ÷ 8 = 185 ✅ (already OK)

Fragment 1:

Total = 1500B | Data = 1480B | Offset = 0 | MF = 1

Fragment 2:

Total = 1500B | Data = 1480B | Offset = 1480/8 = 185 | MF = 1

Fragment 3 (last):

Total = 1040B | Data = 1020B | Offset = 2960/8 = 370 | MF = 0

ID field: SAME value in all 3 fragments

Destination reassembles using: ID + Offset + MF flag

Field	Frag 1	Frag 2	Frag 3
ID	0x1234	0x1234	0x1234
DF flag	0	0	0
MF flag	1	1	0
Offset (÷8)	0	185	370
Data	1480B	1480B	1020B
Total	1500B	1500B	1040B

⚠️ Path MTU Discovery (PMTUD): Modern TCP sets the DF bit=1 on all packets, then uses ICMP "Frag Needed" messages to discover the smallest MTU along the path. This avoids fragmentation entirely. If a firewall BLOCKS ICMP Type 3 Code 4, PMTUD breaks — a very common production issue called "black hole routing."

! Detect MTU issues with Wireshark:

ip.flags.df == 1 and icmp.type==3 and icmp.code==4

! Linux: test PMTUD manually

ping -M do -s 1472 8.8.8.8 ← 1472+28=1500 byte packet with DF

tracepath 8.8.8.8 ← discovers path MTU

🏗️ EVE-NG Lab — Packet Walk: PC → Internet Step by Step

🎯 CCIE-Level Interview Q&A — OSI & IPv4

Q: A router receives a packet with TTL=1. What happens, step by step?▶

The router decrements TTL from 1 to 0. When TTL reaches 0, the router DISCARDS the packet — it does NOT forward it. Then it sends an ICMP Type 11 Code 0 (Time Exceeded) message back to the original source IP. This is exactly how traceroute works — it sends packets with incrementally increasing TTLs (1, 2, 3...) to collect the ICMP Time Exceeded responses from each hop. One critical exception: if the packet is destined FOR the router itself (e.g., a management packet), the router DOES process it even with TTL=1. TTL decrements only when FORWARDING, not when receiving packets addressed to yourself.

Q: What's in the IP header that changes at every hop vs. what stays the same?▶

Changes at every hop: TTL (decremented by 1), Header Checksum (must be recalculated because TTL changed). Stays the same: Source IP, Destination IP, Protocol, Identification, Flags, Fragment Offset, DSCP. L2 frame (always changes): Source MAC, Destination MAC — completely rewritten at every router hop. This is the fundamental difference between routing (L3, IP addresses stable) and switching (L2, MACs change at each hop). In Wireshark you can verify this by capturing on multiple interfaces along the path — IP header fields (except TTL+checksum) will be identical.

Q: Explain the difference between MTU, MSS, and PMTUD. When does each matter?▶

MTU (Maximum Transmission Unit): The maximum IP packet size a link can carry. Ethernet = 1500 bytes. This is a Layer 2/3 boundary concept. MSS (Maximum Segment Size): The maximum amount of DATA in a TCP segment — NOT including TCP or IP headers. Default MSS = MTU - IP header (20B) - TCP header (20B) = 1500-40 = 1460 bytes. MSS is exchanged as a TCP option in the SYN/SYN-ACK handshake. PMTUD (Path MTU Discovery): The mechanism where a TCP sender sets DF=1 on all packets, then uses ICMP Frag-Needed messages (Type 3 Code 4) to discover the smallest MTU along the entire path, and adjusts its MSS accordingly. Classic production problem: If a firewall blocks ICMP Type 3 Code 4 messages, PMTUD fails. Large TCP connections (HTTPS, FTP, etc.) fail silently — the handshake works (small packets) but data transfers hang. Fix: TCP MSS clamping on the router — ip tcp adjust-mss 1452

Q: What is the difference between unicast, multicast, broadcast, and anycast? Give IP range examples for each.▶

Unicast: One sender, one specific receiver. IP: any standard address (1.0.0.0-223.255.255.255 except multicast/broadcast ranges). Broadcast: One sender, ALL receivers on segment. IP: 255.255.255.255 (limited broadcast, stays on subnet) or x.x.x.255 (directed broadcast, routable). MAC: FF:FF:FF:FF:FF:FF. OSPF Hello uses 224.0.0.5, NOT broadcast. Multicast: One sender, SUBSCRIBED receivers only. IP: 224.0.0.0 - 239.255.255.255 (Class D). MAC: 01:00:5E:xx:xx:xx (lower 23 bits from IP multicast). IGMP manages group membership. Anycast: One sender, NEAREST receiver (in routing terms). Used in IPv6, DNS root servers (all 13 root server IPs are anycasted to hundreds of physical locations). A single IP is announced from multiple locations — BGP routing chooses nearest. Very common in CDN architecture — Akamai uses this extensively!

🔗 Ethernet & ARP — Frames, MACs, Collisions, Gratuitous ARP

Ethernet II frame field-by-field · ARP request/reply Wireshark · Proxy ARP · GARP · RARP · MAC address structure · EtherType values

Ethernet II Frame Format — Every Byte

ARP — Address Resolution Protocol (RFC 826)

ARP resolves Layer 3 (IP) to Layer 2 (MAC). It is broadcast on the local segment. ARP is encapsulated directly in Ethernet (EtherType 0x0806) — not in IP!

Field	ARP Request	ARP Reply
Eth Dst MAC	FF:FF:FF:FF:FF:FF (broadcast)	AA:BB:CC:DD:EE:FF (requester)
Eth Src MAC	AA:BB:CC:DD:EE:FF (requester)	11:22:33:44:55:66 (responder)
ARP Opcode	1 (Request)	2 (Reply)
Sender MAC	AA:BB:CC:DD:EE:FF	11:22:33:44:55:66
Sender IP	192.168.1.10	192.168.1.1
Target MAC	00:00:00:00:00:00 (unknown!)	AA:BB:CC:DD:EE:FF
Target IP	192.168.1.1 (who has this?)	192.168.1.1

ARP Types You Must Know

Type	Purpose	When Seen
ARP Request	"Who has IP X? Tell Y"	New L3 communication
ARP Reply	"X is at MAC Y"	Response to request
Gratuitous ARP	Sender=Target IP, announce own MAC	Host boot, IP change, HSRP failover
Proxy ARP	Router responds with ITS own MAC for IPs on another subnet	When clients have no default gateway set
ARP Poisoning	MITM: send fake ARP replies to poison cache	Attack — Dynamic ARP Inspection prevents this

! ARP verification commands

show arp ← router ARP table

show ip arp 192.168.1.1 ← specific ARP entry

clear arp-cache ← flush ARP table

arp -a ← Windows/Linux ARP table

ip arp inspection vlan 10 ← Dynamic ARP Inspection

🎯 Interview Q&A — Ethernet & ARP

Q: A host sends an ARP request but receives no reply. What are the possible causes?▶

①Target host is DOWN or unreachable at L1/L2. ②Target IP doesn't exist on the local subnet. ③Proxy ARP disabled on the router — host has wrong/no gateway configured. ④Firewall blocking ARP (rare but possible in some environments). ⑤VLAN mismatch — host is in VLAN 10 but target is in VLAN 20, and inter-VLAN routing not configured. ⑥IP conflict — if the IP is statically assigned to another device, that device may ignore ARP requests to avoid conflict. Diagnosis: ping 192.168.1.X → if fails, show arp on the local switch — if no entry, the target is unreachable at L2. Use Wireshark to confirm ARP request goes out and verify no reply comes back.

Q: What is a Gratuitous ARP and what are its uses in enterprise networking?▶

A Gratuitous ARP is an ARP reply (or request) where the sender and target IP fields are BOTH set to the sender's own IP. There's no request preceding it — it's "unsolicited." Uses: ①Host boot — announces its MAC to update neighbors' ARP caches. ②IP conflict detection — if another device sends a GARP reply for the same IP, a conflict exists. ③HSRP/VRRP/GLBP failover — when a new Active router takes over, it sends GARP to update all hosts' ARP caches with the virtual MAC, without hosts needing to ARP again. ④Virtual machine migration (vMotion) — when a VM moves to a new hypervisor host, a GARP updates the physical switch MAC table so traffic goes to the new location. In Wireshark: filter arp.isgratuitous == 1

Ethernet Standards — Physical Layer Deep Dive

Standard	Speed	Cable	Max Distance	Signal
10BASE-T	10 Mbps	Cat3/Cat5	100m	Manchester encoding
100BASE-TX	100 Mbps	Cat5e	100m	MLT-3, 4B5B
1000BASE-T	1 Gbps	Cat5e/Cat6	100m	PAM-5, all 4 pairs
10GBASE-T	10 Gbps	Cat6a/Cat7	100m	PAM-16 (DSQ128)
1000BASE-SX	1 Gbps	MMF (OM1-OM4)	550m	850nm laser, fiber
1000BASE-LX	1 Gbps	SMF / MMF	10km (SMF)	1310nm laser
10GBASE-SR	10 Gbps	MMF OM3/OM4	300m OM4	850nm VCSEL
10GBASE-LR	10 Gbps	SMF	10km	1310nm DFB laser
100GBASE-SR4	100 Gbps	MMF OM4	100m	4-lane, 25G per lane

⚠️ Auto-negotiation failure = duplex mismatch: One side sets 100/full-duplex manually, the other auto-negotiates and falls back to half-duplex. Half-duplex side sees collisions, generates runts and CRC errors. Symptoms: show interface shows high input errors, CRC, runts. Fix: always hard-code both sides or leave both on auto.

CSMA/CD — Why It Matters for Legacy Networks

CSMA/CD (Carrier Sense Multiple Access / Collision Detection) was the original Ethernet MAC method for shared hubs. Modern switches use full-duplex point-to-point links — NO collisions possible. But half-duplex legacy connections (hub, old switch ports) still use CSMA/CD.

CSMA/CD Process:

1. Carrier Sense: listen before transmitting

2. Multiple Access: all devices share the medium

3. Collision Detect: detect if two sent simultaneously

4. Jam signal: 32-bit jam sent to alert all

5. Backoff: wait random time (binary exponential)

6. Retry: attempt retransmission

Slot time = 512 bits (64 bytes) = min frame size reason

A frame must be at least 64 bytes so the sender is

still transmitting when a collision propagates back.

Frames < 64 bytes = runts (collision fragment).

Interface Error Counters — What Each Means

Counter	Root Cause	Fix
Runts	Frames <64B — collision fragments or duplex mismatch	Fix duplex/speed; check cable
Giants	Frames >1518B — misconfigured MTU or jumbo frames	Enable jumbo frames or fix MTU
CRC errors	Bit errors in frame — bad cable, duplex mismatch, EMI	Replace cable; fix duplex
Input errors	Sum of runts+giants+CRC+frame+overrun	Investigate sub-counters
Output drops	Egress queue full — link too slow for traffic rate	QoS queuing; upgrade link
Collisions	Normal on half-duplex; never on full-duplex	If on full-duplex: duplex mismatch!

ARP Deep Dive — Process, Cache, Proxy, Security

Complete ARP Process — What Happens When PC-A Pings 192.168.1.1

PC-A (192.168.1.10) → ping 192.168.1.1

Step 1: Is 192.168.1.1 on my subnet? YES (/24)

Step 2: Check ARP cache → not found

Step 3: Send ARP Request (broadcast):

Eth Dst: FF:FF:FF:FF:FF:FF

"Who has 192.168.1.1? Tell 192.168.1.10"

Step 4: R1 receives, replies (unicast):

"192.168.1.1 is at AA:BB:CC:DD:EE:FF"

Step 5: PC-A caches: 192.168.1.1 → AA:BB...

Step 6: PC-A sends ICMP Echo in Eth frame

What if destination is on DIFFERENT subnet?

PC-A ARPs for the DEFAULT GATEWAY (not the dst)

IP layer says "not local" → use gateway IP

Router forwards at L3, rewrites L2 each hop

ARP Cache Behavior & Security

Behavior	Detail
Cache timeout	Windows: 2min dynamic, 10min for active entries. Cisco IOS: 4 hours. Linux: 60s reachable, garbage collect after 30s stale.
Unsolicited update	Routers update ARP cache even from unrequested ARP replies — this is the vulnerability exploited in ARP poisoning.
Dynamic ARP Inspection	Switch validates ARP packets against DHCP snooping binding table (MAC+IP+port+VLAN). Drops ARP replies with mismatched IP/MAC.
ARP poisoning (MITM)	Attacker sends GARP replies: "192.168.1.1 is at ATTACKER:MAC". Victims send traffic to attacker, who forwards to real gateway. Wireshark filter: `arp.duplicate-address-detected`
Static ARP entry	`arp 192.168.1.1 AA:BB:CC:DD:EE:FF arpa` — permanent, cannot be poisoned. Used for critical devices.

! Wireshark ARP filters

arp ← all ARP

arp.opcode == 1 ← ARP requests only

arp.opcode == 2 ← ARP replies only

arp.isgratuitous == 1 ← Gratuitous ARP

arp.duplicate-address-detected ← MITM warning

! Cisco show commands

show arp ← full ARP table

show ip arp 192.168.1.1 ← specific IP

clear arp-cache ← flush all

🎯 Advanced Interview Q&A — Ethernet & ARP

Q: You see high CRC errors on an interface but no duplex mismatch. What else do you check?▶

CRC errors = frame arrived with bad checksum. Duplex mismatch is the #1 cause, but if that's ruled out: ①Physical cable: Cable too long (>100m copper), damaged cable, bent fiber, wrong fiber type (SMF vs MMF connector mismatch). Test with show interfaces detail | include CRC|error. ②Bad SFP/transceiver: Dirty fiber connector, wrong wavelength SFP. Clean connectors with fiber cleaner pen. ③EMI/RFI interference: Unshielded cable near electrical equipment (motors, generators, fluorescent lights). Use shielded STP cable. ④Speed mismatch: One side 100M half, other 1G full — while not strictly "duplex," auto-negotiation failure can cause framing errors that show as CRC. ⑤Flapping NIC: show log for link up/down messages. If NIC is resetting mid-frame, you get partial frames → CRC errors. Key metric: CRC errors incrementing on INPUT only suggest cable/layer1 issue. CRC errors on both in/out suggest something at the software or buffer level.

Q: What is Proxy ARP and when can it cause problems in production?▶

Proxy ARP is when a router responds to an ARP request on behalf of a host on another network — it replies with its OWN MAC address for the target IP, essentially "proxying" the ARP. This lets hosts communicate without a configured default gateway. The router accepts the traffic and routes it normally. When it's dangerous: ①Route summarization errors — if a router has a summary route 10.0.0.0/8 but is on the 192.168.1.0/24 segment, it may proxy ARP for IPs in 10.0.0.0/8 that don't actually exist behind it, causing blackholing. ②Security — an attacker can proxy ARP for any IP to become a MITM. ③Excessive ARP traffic — hosts without gateways send constant ARPs; if the proxy router is processing all of them, it adds CPU load. ④Host migration — if you move a host to a new subnet but forget to update its gateway, proxy ARP can mask the misconfiguration for weeks. Best practice: disable proxy ARP (no ip proxy-arp on interfaces) and always configure default gateways correctly. Cisco enables proxy ARP by default on all IOS interfaces.

🔀 Spanning Tree Protocol — STP, PVST+, RSTP & MSTP

Why loops destroy networks · BPDU frame structure · Root Bridge election step-by-step with real MAC addresses · Root Port / Designated Port / Blocked Port with network diagrams · Port states & 30s timer · Full show spanning-tree decoded line-by-line · Changing cost & port-priority · PVST+ load balancing per VLAN · PortFast & BPDU Guard · Rapid-PVST+ vs classic STP · MSTP

Why Spanning Tree Exists — Ethernet Loops Are Fatal

In a switched network we need redundancy so one cable failure does not kill the network. But adding redundant links between switches creates loops. Unlike IP packets, Ethernet frames have no TTL field — a broadcast frame caught in a loop circulates forever, consuming all bandwidth and crashing every switch within seconds.

Broadcast storm — what actually happens:
1. Computer A sends ARP broadcast looking for Computer B
2. SwitchA floods it out ALL ports except the source
3. SwitchB and SwitchC both receive it and flood again
4. SwitchA receives the frame back — and floods again
5. Repeats infinitely — no TTL to stop it
6. Switches crash from CPU overload within seconds

STP blocks exactly ONE port to break the loop while keeping all switches reachable. If the active link fails STP automatically unblocks the blocked port — redundancy is preserved.

BPDU — Bridge Protocol Data Unit (The Message STP Uses)

All switches exchange special frames called BPDUs every 2 seconds. Each switch starts by claiming to be the Root Bridge — it puts its own Bridge ID in the Root Bridge ID field. When it receives a BPDU with a better (lower) Bridge ID, it stops claiming root and forwards the better BPDU instead. After convergence, consensus forms around the one switch with the best Bridge ID.

BPDU Timer	Default	Purpose
Hello Time	2 sec	How often BPDUs are sent out each port
Max Age	20 sec	If no BPDU received for 20s → topology change detected
Forward Delay	15 sec	Time spent in Listening AND Learning states each

How the election happens step by step:

1. Every switch sends BPDUs claiming "I am the Root Bridge" with its own Bridge ID
2. Switch receives a BPDU with a lower Bridge ID → stops claiming root
3. Switch forwards the better BPDU out all other ports
4. After BPDUs propagate: ONE switch has the lowest Bridge ID — it wins
5. All others become non-root bridges

Bridge ID = Priority + MAC Address
Default priority = 32768 on all switches
→ MAC address is the tiebreaker (lowest wins)

Step 1 — Root Bridge Election: Lowest Bridge ID Wins

Force a Specific Switch to be Root

Never leave root bridge election to chance. Your oldest switch has the lowest burned-in MAC and will become root by default — likely the worst candidate. Always set priority manually.

! Method 1: macro (auto-sets priority below current root)

SwitchA(config)#spanning-tree vlan 1 root primary

! Sets priority to 24576 automatically

! Method 2: manual priority (must be multiple of 4096)

SwitchA(config)#spanning-tree vlan 1 priority 4096

! Valid: 0, 4096, 8192, 12288, 16384... 61440

! Secondary root (will take over if primary fails)

SwitchB(config)#spanning-tree vlan 1 root secondary

! Sets priority to 28672

SwitchA#show spanning-tree vlan 1

Root ID Priority 4097

Address 0011.bb0b.3600

This bridge is the root

⚠️ Priority shown in output = base priority + VLAN number. Priority 32768 on VLAN 1 shows as 32769. The "sys-id-ext" is the VLAN number added automatically by Cisco's Extended System ID feature.

Steps 2 & 3 — Root Ports, Designated Ports, and the Blocked Port

Once the Root Bridge is elected, every non-root switch finds its best (lowest cost) path to root — that port becomes the Root Port. On each link segment, the switch closer to root has the Designated Port. The remaining port loses the tiebreaker and becomes Non-Designated (Blocked) — the loop is broken.

Port Cost — Speed Determines Path

Link Speed	STP Cost
10 Mbit (Ethernet)	100
100 Mbit (FastEthernet)	19
1 Gbit (GigabitEthernet)	4
10 Gbit	2

Three Port Roles

Role	State	Where it appears
Designated	Forwarding	All ports on Root Bridge; best port on each segment toward root
Root Port	Forwarding	One per non-root switch — lowest cost path to root
Non-Designated	Blocking 🔴	The port that loses the tiebreaker — breaks the loop

💡 Tiebreaker order when costs are equal:
1. Lowest Root Bridge ID
2. Lowest Sender Bridge ID
3. Lowest Sender Port Priority
4. Lowest Sender Port Number

STP Port States — Why Your Switch LED is Orange for 30 Seconds

PortFast — Skip 30 Seconds for Access Ports

Ports connected to PCs or servers never send BPDUs. There is no reason to run through 30 seconds of Listening/Learning. PortFast jumps straight to Forwarding. It does NOT disable STP — if the port receives a BPDU it immediately reverts to normal STP operation.

! Enable PortFast on one interface

SwitchA(config)#interface fa0/1

SwitchA(config-if)#spanning-tree portfast

%Warning: portfast should only be enabled on ports

connected to a single host. Use with CAUTION

! Enable PortFast on ALL access ports globally

SwitchB(config)#spanning-tree portfast default

! BPDU Guard — err-disable port if any BPDU arrives

SwitchA(config-if)#spanning-tree bpduguard enable

! Enable BPDU Guard globally for all PortFast ports

SwitchB(config)#spanning-tree portfast bpduguard default

! If err-disabled: fix root cause then:

SwitchA(config-if)#shutdown

SwitchA(config-if)#no shutdown

⚠️ Never enable PortFast on a port connected to another switch. The 30-second delay exists precisely to prevent loops during topology changes on switch-to-switch links.

show spanning-tree — Real Output from All 3 Switches, Every Field Decoded

SwitchA#show spanning-tree

VLAN0001

Spanning tree enabled protocol ieee

Root ID Priority 32769

Address 000f.34ca.1000

Cost 19

Port 19 (FastEthernet0/17)

Hello 2s Max Age 20s Fwd Delay 15s

Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)

Address 0011.bb0b.3600

Interface Role Sts Cost Prio.Nbr Type

Fa0/14 Desg FWD 19 128.16 P2p

Fa0/17 Root FWD 19 128.19 P2p

SwitchB#show spanning-tree

VLAN0001

Spanning tree enabled protocol ieee

Root ID Priority 32769

Address 000f.34ca.1000

Cost 19

Port 18 (FastEthernet0/16)

Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)

Address 0019.569d.5700

Interface Role Sts Cost Prio.Nbr Type

Fa0/14 Altn BLK 19 128.16 P2p

Fa0/16 Root FWD 19 128.18 P2p

SwitchC#show spanning-tree

VLAN0001

Spanning tree enabled protocol ieee

Root ID Priority 32769

Address 000f.34ca.1000

This bridge is the root

Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)

Address 000f.34ca.1000

Interface Role Sts Cost Prio.Nbr Type

Fa0/14 Desg FWD 19 128.14 P2p

Fa0/16 Desg FWD 19 128.16 P2p

! Root bridge: ALL ports are Designated

Output Field	Meaning
`This bridge is the root`	This switch IS the root bridge ✅
`Priority 32769`	32768 + VLAN 1 = 32769 (sys-id-ext)
`Cost 19`	FastEthernet cost to reach root bridge
`Port 19 (Fa0/17)`	Which local port is the Root Port
`Desg FWD`	Designated, Forwarding ✅
`Root FWD`	Root Port, Forwarding ✅
`Altn BLK`	Alternate (blocked) 🔴
`Prio.Nbr 128.16`	Port priority 128, port number 16

Manipulating STP — Changing Cost and Port Priority

Change Port Cost to Force a Different Root Port

! SwitchB currently uses fa0/14 as root port (cost 19)

! Force it to use fa0/16 instead via SwitchC

SwitchB(config)#interface fa0/14

SwitchB(config-if)#spanning-tree cost 500

SwitchB#show spanning-tree | begin Interface

Fa0/14 Altn BLK 500 128.16 P2p ← blocked!

Fa0/16 Root FWD 19 128.18 P2p ← new root port

SwitchB#show spanning-tree

Root ID Cost 38 ← 19+19 (now via SwitchC)

! Remove the cost change

SwitchB(config-if)#no spanning-tree cost 500

Change Port Priority (Set on the UPSTREAM Switch)

! SwitchB has 2 links to SwitchA: fa0/13 and fa0/14

! Same cost → tiebreak on port number → fa0/13 wins

! To make fa0/14 win: lower priority on SwitchA fa0/14

! KEY: change port-priority on the NEIGHBOR not local!

SwitchA(config)#interface fa0/14

SwitchA(config-if)#spanning-tree port-priority 16

! Default = 128. Lower = better. Must be multiples of 16.

SwitchB#show spanning-tree | begin Interface

Fa0/13 Altn BLK 19 128.15 P2p ← now blocked

Fa0/14 Root FWD 19 16.16 P2p ← new root port!

SwitchA#show spanning-tree | begin Interface

Fa0/13 Desg FWD 19 128.15 P2p

Fa0/14 Desg FWD 19 16.16 P2p ← priority changed

PVST+ — Per-VLAN Spanning Tree Plus (Load Balance Your Uplinks)

Classic STP runs ONE instance for all VLANs. PVST+ runs a separate STP instance per VLAN and lets you have a different Root Bridge per VLAN. This means uplinks that would otherwise be blocked can carry traffic for different VLANs — true load balancing.

! Create VLANs on all switches

SwitchA(config)#vlan 10

SwitchA(config-vlan)#vlan 20

SwitchA(config-vlan)#vlan 30

! Repeat on SwitchB and SwitchC

! Set inter-switch links to trunk

SwitchA(config)#interface fa0/14

SwitchA(config-if)#switchport trunk encapsulation dot1q

SwitchA(config-if)#switchport mode trunk

! Repeat for all inter-switch interfaces

! Make each switch root for a different VLAN

SwitchA(config)#spanning-tree vlan 10 priority 4096

SwitchB(config)#spanning-tree vlan 20 priority 4096

SwitchC(config)#spanning-tree vlan 30 priority 4096

! Verify per-VLAN

SwitchA#show spanning-tree vlan 10 | include root

This bridge is the root

SwitchA#show spanning-tree summary | begin Name

Name Blocking Listening Learning Forwarding

VLAN0010 0 0 0 2

VLAN0020 1 0 0 1

VLAN0030 1 0 0 1

RSTP (Rapid-PVST+) and MSTP — Faster Convergence & Scaling

Enable Rapid-PVST+ (One Command Per Switch)

! Enable Rapid-PVST+ on ALL switches

SwitchA(config)#spanning-tree mode rapid-pvst

SwitchB(config)#spanning-tree mode rapid-pvst

SwitchC(config)#spanning-tree mode rapid-pvst

! Must enable on ALL switches together

SwitchA#show spanning-tree

Spanning tree enabled protocol rstp

SwitchA#show spanning-tree summary

Switch is in rapid-pvst mode

MSTP — Group VLANs into Instances

MSTP (802.1s) maps multiple VLANs to a single STP instance. If you have 500 VLANs but only 2 physical topologies, PVST+ wastes CPU on 500 calculations. MSTP does it in 2.

Assign VLANs 1-250 → Instance 1, VLANs 251-500 → Instance 2. Each instance can have its own root bridge for load balancing.

Version	Instances	Speed	Use
PVST+ (default)	1 per VLAN	30–50s	Legacy
Rapid-PVST+	1 per VLAN	<1s	Recommended
MSTP (802.1s)	Groups of VLANs	<1s	Large DC/SP

🎯 Interview Q&A — STP, PVST+, RSTP & MSTP

Q: Walk me through STP step by step in a 3-switch triangle — which port gets blocked and why?▶

Step 1 — Root Bridge election: All switches start sending BPDUs claiming "I am root" with their Bridge ID (Priority+MAC). When a switch receives a BPDU with a lower Bridge ID, it stops claiming root. After BPDUs propagate, the switch with lowest Bridge ID wins. Priority is compared first (lower = better). If tied (default 32768 everywhere), the lowest MAC address wins. In our example SwitchC wins with MAC 000f.34ca.1000. Step 2 — Root Ports: Every non-root switch finds its lowest-cost path to root. That port becomes the Root Port (Forwarding). Link cost: 10M=100, 100M=19, 1G=4. If costs tie, compare sender Bridge ID, then port priority, then port number. SwitchA's fa0/17 leads directly to SwitchC (cost 19) → Root Port. SwitchB's fa0/16 leads directly to SwitchC (cost 19) → Root Port. Step 3 — Designated Ports: On each segment, the switch closest to root becomes Designated. Root bridge has all ports Designated. On the SwitchA–SwitchB link: both are equal distance from root (cost 19 each). Tiebreak on Bridge ID → SwitchA (lower MAC 0011 vs 0019) wins → SwitchA fa0/14 = Designated, SwitchB fa0/14 = Non-Designated (BLOCKED). Loop broken.

Q: What is the difference between PVST+ and Rapid-PVST+? Which should you use?▶

PVST+ runs one classic STP (802.1D) instance per VLAN. Convergence = 30-50 seconds (15s Listening + 15s Learning + up to 20s Max Age). It relies entirely on timers — the network waits even if the topology change is already complete. Rapid-PVST+ runs 802.1w RSTP per VLAN. Convergence is under 1 second. Instead of waiting for timers, it uses a Proposal/Agreement handshake: a designated port sends a Proposal BPDU, the neighbor immediately syncs (blocks its own non-edge ports) and replies with Agreement. The port transitions to Forwarding immediately. RSTP also generates its own BPDUs every 2 seconds rather than just forwarding the root's BPDUs, so a failure is detected in 6 seconds (3 missed hellos) instead of 20 seconds. Always use Rapid-PVST+ on modern networks. Command: spanning-tree mode rapid-pvst on every switch. It is backward compatible — if one switch still runs classic STP, RSTP detects this and falls back to classic STP behavior on just that port.

Q: What is PortFast and BPDU Guard? Why do you need both and what happens if you enable PortFast on a switch-to-switch link?▶

PortFast makes a port skip Listening and Learning and jump straight to Forwarding the moment the link comes up. It does NOT disable STP — STP is still active on PortFast ports. If a BPDU arrives on a PortFast port the switch immediately exits PortFast and returns to normal STP. Use it on access ports connected to PCs, servers, printers — devices that never send BPDUs and never need the 30-second wait. BPDU Guard is a safety mechanism that goes with PortFast. If any BPDU arrives on a PortFast port, BPDU Guard immediately err-disables (shuts down) that port. This prevents a rogue switch from being plugged into a PC port and disrupting the STP topology or causing a loop. You need both because: PortFast alone means the port goes straight to forwarding but stays up even if a switch is plugged in — the rogue switch can then start sending BPDUs and potentially become root. BPDU Guard closes that loophole completely. If you enable PortFast on a switch-to-switch link: the port jumps to Forwarding immediately, skipping the 30-second check. If STP has not yet blocked the redundant path, a temporary loop forms — this can cause a broadcast storm lasting 30+ seconds. Never do this on trunk ports.

🗺️ IP Routing — Subnetting, Static Routes, Dynamic Protocols & Packet Forwarding

VLSM subnetting with full binary math · Administrative Distance · Longest Prefix Match · Static routes · CEF forwarding · Route redistribution · CCIE-level interview traps

🔢 Subnetting from First Principles — Binary Math You Must Own

Subnetting is dividing a large IP block into smaller networks by borrowing bits from the host portion. The subnet mask tells routers and hosts which part of the address is network and which is host. Every networking interview at CCIE level will test this under time pressure — you need it instant.

THE FORMULA:

Subnets = 2ⁿ where n = bits borrowed

Hosts = 2^h - 2 where h = host bits remaining

(-2 for network address + broadcast address)

CIDR QUICK REFERENCE TABLE:

/24 → 256 addr · 254 hosts · mask: 255.255.255.0

/25 → 128 addr · 126 hosts · mask: 255.255.255.128

/26 → 64 addr · 62 hosts · mask: 255.255.255.192

/27 → 32 addr · 30 hosts · mask: 255.255.255.224

/28 → 16 addr · 14 hosts · mask: 255.255.255.240

/29 → 8 addr · 6 hosts · mask: 255.255.255.248

/30 → 4 addr · 2 hosts · mask: 255.255.255.252

/31 → 2 addr · 2 hosts · RFC3021 point-to-point

/32 → 1 addr · 0 hosts · host route (loopback)

WORKED EXAMPLE — INTERVIEW STYLE:

Q: Given 172.16.0.0/16, create subnets

for 500, 200, 100, 50 hosts. Use VLSM.

Step 1: Sort LARGEST to SMALLEST first!

500 hosts → need 9 bits (2^9-2=510≥500) → /23

172.16.0.0/23 hosts: .0.1–.1.254

200 hosts → need 8 bits (2^8-2=254≥200) → /24

172.16.2.0/24 hosts: .2.1–.2.254

100 hosts → need 7 bits (2^7-2=126≥100) → /25

172.16.3.0/25 hosts: .3.1–.3.126

50 hosts → need 6 bits (2^6-2=62≥50) → /26

172.16.3.128/26 hosts: .3.129–.3.190

VLSM = no wasted space. /30s for router links.

Router link: 172.16.3.192/30 (.193 & .194)

Binary Math — What the Subnet Mask Actually Means

Administrative Distance — When Multiple Protocols Know the Same Route

AD is ONLY relevant when two different routing protocols both have a route to the same destination. The router installs the one from the protocol with the lowest AD. If both have the same AD, the metric (cost) breaks the tie. AD is local to the router — it is NOT advertised to neighbors.

Route Source	AD	Why This Value
Connected interface	0	You are physically on this network — most trusted possible
Static route	1	Admin explicitly configured — almost as trusted as connected
EIGRP summary route	5	Cisco auto-summary route — very specific, highly trusted
eBGP	20	External BGP — ISP routes, highly preferred for internet routing
EIGRP internal	90	Cisco proprietary, fast convergence, metric includes BW+delay
IGRP	100	Legacy Cisco protocol (obsolete)
OSPF	110	Open standard, link-state, most common IGP in enterprise
IS-IS	115	Preferred by ISPs (runs on L2, not IP — survives IP failures)
RIP v1/v2	120	Distance vector, hop count only — no bandwidth awareness
EIGRP external	170	Route redistributed INTO EIGRP from another protocol
iBGP	200	Internal BGP — trusted less than IGPs to prevent routing loops
Unreachable	255	Never installed. Used internally by IOS.

AD CONFLICT EXAMPLE:

Both OSPF and EIGRP know 10.1.1.0/24:

EIGRP internal: 10.1.1.0/24 [90/...]

OSPF: 10.1.1.0/24 [110/...]

→ EIGRP wins (AD 90 < AD 110)

OSPF route sits in background — "backup"

FLOATING STATIC ROUTE TRICK:

ip route 0.0.0.0 0.0.0.0 10.1.1.1 1 ← primary

ip route 0.0.0.0 0.0.0.0 10.2.2.1 5 ← backup

Both have same prefix but AD 1 vs 5.

AD-5 route only installs if AD-1 disappears.

Use AD 5–254 for floating static (above primary)

FLOATING STATIC BEHIND DYNAMIC ROUTING:

ip route 10.0.0.0 255.0.0.0 Null0 254

AD 254 — only installs if ALL dynamic routes

to 10.x.x.x are gone. Prevents black holes.

⚠️ AD vs Metric: AD decides WHICH protocol's route wins. Metric decides WHICH PATH within the same protocol wins. You cannot compare OSPF metric (110) to EIGRP metric (90) — those numbers mean completely different things.

Longest Prefix Match — The Fundamental Routing Algorithm

When a router receives a packet, it compares the destination IP against every route in its table using bitwise AND. The route with the most matching bits (longest prefix = highest /N) wins. This is how specific routes override general routes, and how default routes work as a catch-all.

Routing table (show ip route):

C 192.168.1.0/24 directly connected Gi0/0

S 10.0.0.0/8 [1/0] via 192.168.1.254

O 10.10.0.0/16 [110/20] via 192.168.1.2

O 10.10.10.0/24 [110/30] via 192.168.1.3

S 10.10.10.5/32 [1/0] via 192.168.1.4

S* 0.0.0.0/0 [1/0] via 192.168.1.1

Packet Dst	Matches	Best Match	Next Hop
10.10.10.5	/8, /16, /24, /32	/32 ← most specific	192.168.1.4
10.10.10.99	/8, /16, /24	/24	192.168.1.3
10.10.50.1	/8, /16	/16	192.168.1.2
10.99.0.1	/8 only	/8	192.168.1.254
8.8.8.8	/0 only (default)	/0 (default)	192.168.1.1
172.16.0.1	none (no default if removed)	no match → DROP	ICMP Unreachable

CEF — Cisco Express Forwarding (How It Actually Happens)

Process switching (original): every packet interrupts the CPU. Route-cache switching: first packet CPU, rest fast-switch. CEF (default since IOS 12.x): pre-builds two tables in hardware — FIB (Forwarding Information Base) mirrors routing table, Adjacency Table has pre-built L2 headers for each next-hop. Packets never touch the CPU.

Table	Contains	Built From
FIB	Dest prefix → next-hop IP + outgoing interface	Routing table (RIB)
Adjacency Table	Next-hop IP → pre-built L2 header (src+dst MAC)	ARP table

! CEF verification

show ip cef ← FIB table

show ip cef 10.10.10.0 detail ← specific prefix

show adjacency detail ← pre-built L2 headers

show ip cef exact-route src dst ← trace exact path

! If CEF disabled (troubleshoot high CPU):

show ip interface | include CEF ← check per-interface

ip cef ← enable globally

ip route-cache cef ← enable per-interface

Static Routes — Every Type with When to Use Each

Type	Syntax	Use Case	Risk
Standard static	ip route 10.0.0.0 255.0.0.0 192.168.1.1	Small networks, specific path	No auto-failover
Recursive static	ip route 10.0.0.0 255.0.0.0 1.2.3.4	Next-hop not directly connected	Recursive lookup overhead
Directly attached	ip route 10.0.0.0 255.0.0.0 Gi0/0	Point-to-point links only	On Ethernet: sends ARP for every destination IP!
Fully specified	ip route 10.0.0.0 255.0.0.0 Gi0/0 192.168.1.1	Best practice on Ethernet	None — specify both interface AND next-hop
Default route	ip route 0.0.0.0 0.0.0.0 192.168.1.1	Gateway of last resort	All unknown traffic goes this way
Null route (blackhole)	ip route 10.0.0.0 255.0.0.0 Null0	Drop traffic, prevent routing loops	Silently drops — no ICMP unreachable by default
Floating static	ip route 0.0.0.0 0.0.0.0 10.2.2.1 200	Backup path when primary fails	AD must be higher than primary protocol

⚠️ CCIE trap — directly attached static on Ethernet: ip route 10.0.0.0/8 Gi0/0 causes the router to send an ARP request for EVERY destination IP in 10.0.0.0/8 — the ARP table explodes (called an "ARP flooding" or "proxy ARP storm"). Always use fully specified static routes on multi-access Ethernet segments.

Route Redistribution — Moving Routes Between Protocols

Redistribution injects routes from one routing protocol into another. Common at network boundaries — e.g. redistributing OSPF routes into BGP for Internet advertisement, or RIP into OSPF when migrating legacy networks.

! Redistribute connected routes into OSPF

router ospf 1

redistribute connected subnets

! Redistribute OSPF into BGP (for advertisement)

router bgp 65001

redistribute ospf 1 route-map OSPF_TO_BGP

! Redistribute with metric — EIGRP requires 5-tuple

router eigrp 1

redistribute ospf 1 metric 10000 100 255 1 1500

↑BW ↑delay ↑rel ↑load ↑MTU

! Check redistributed routes

show ip route | include E (EIGRP ext = EX)

show ip route | include E 2 (OSPF ext E2)

⚠️ Redistribution loop danger: If you redistribute OSPF→EIGRP on Router A and EIGRP→OSPF on Router B, routes can bounce back and forth infinitely. Always use route-maps with tags to mark redistributed routes and filter them from being redistributed back.

Reading show ip route — Every Field Decoded

🔬 EVE-NG Lab — Multi-Router Topology with Static + OSPF

🎯 CCIE-Level Interview Q&A — IP Routing

Q: What is the difference between the routing table (RIB), the forwarding table (FIB), and the CEF adjacency table? Why does Cisco separate them?▶

RIB (Routing Information Base) = show ip route: The full routing table maintained by the control plane. Contains routes from all protocols, organized by AD and metric. Multiple routes to the same prefix may exist (e.g. OSPF and EIGRP both have 10.0.0.0/8) — only the best is installed. This runs on the route processor (RP) CPU. FIB (Forwarding Information Base) = show ip cef: A compiled, hardware-optimized copy of the best routes from the RIB. Built for fast lookup — uses a trie (prefix tree) structure for O(log n) or O(1) lookup. Lives in line card ASICs or shared memory, not the CPU. Updated whenever RIB changes. Adjacency Table = show adjacency: Contains pre-built Layer 2 headers (src MAC, dst MAC, EtherType) for each next-hop. When CEF forwards a packet, it looks up the FIB for the outgoing interface and next-hop, then stamps the pre-built L2 header from the adjacency table onto the packet — no ARP lookup needed. Why separate: Decoupling control plane (RIB, routing protocols, CPU) from data plane (FIB, ASIC forwarding) is fundamental to modern networking. Route processor can be busy running BGP but packets still forward at line rate. This is also the foundation of SDN — you can centralize the control plane while keeping distributed forwarding.

Q: R1 has two routes to 10.0.0.0/8 — one via OSPF (AD 110) and one via EIGRP (AD 90). EIGRP wins and is installed. Now a more specific OSPF route 10.10.0.0/16 appears. Which route is used for 10.10.5.1?▶

For destination 10.10.5.1, the router performs longest prefix match first — before considering AD. It has two candidate routes: EIGRP 10.0.0.0/8 (/8 = 8 matching bits) and OSPF 10.10.0.0/16 (/16 = 16 matching bits). The OSPF /16 route wins because it is MORE SPECIFIC — it matches more bits of the destination address. AD is only compared between routes of the SAME prefix length. So even though EIGRP has AD 90 and OSPF has AD 110, the OSPF /16 route wins because longest prefix match happens FIRST, before AD comparison. This is a critical distinction: prefix length always beats AD. The EIGRP /8 route is still used for 10.99.x.x destinations (where only /8 matches).

Q: How do you verify that a packet from 192.168.1.10 to 8.8.8.8 is taking the expected path through your router? Walk me through the commands.▶

Step-by-step verification: ①show ip route 8.8.8.8 — identifies which route matches (longest prefix). Shows next-hop IP and egress interface. ②show ip cef 8.8.8.8 detail — shows the FIB entry and which adjacency is being used for forwarding. ③show adjacency [interface] detail — shows the pre-built L2 header (which MAC addresses will be stamped on the outgoing frame). ④traceroute 8.8.8.8 source 192.168.1.10 — verifies the actual hop-by-hop path and round-trip times. ⑤show ip cef exact-route 192.168.1.10 8.8.8.8 — the most specific command, shows exact FIB lookup for this src→dst pair (useful with load balancing). ⑥debug ip packet detail — last resort in production, shows per-packet forwarding decisions. Use with access-list filter to limit output, and always undebug all after.

Q: What is a null route and why is it used in production networks? Give two real-world use cases.▶

A null route (ip route x.x.x.x y.y.y.y Null0) sends matching traffic to Null0 — a virtual interface that silently drops packets. No ICMP unreachable is generated by default (though you can enable it with ip icmp rate-limit unreachable). Use case 1 — Summary route black-holing: If R1 advertises a summary 10.0.0.0/8 to neighbors but only has specific /24 routes internally, what happens for 10.99.0.1 (a hole in the summary)? Without a null route, R1 has no specific route, falls through to default, which may send the packet back toward the neighbor — a routing loop. Solution: ip route 10.0.0.0 255.0.0.0 Null0 254. Any destination not matched by a specific route inside 10.0.0.0/8 hits the null route and is dropped, preventing the loop. Use case 2 — DDoS mitigation (RTBH): Remotely Triggered Black Hole filtering. When under DDoS attack on IP 1.2.3.4, inject a /32 null route for 1.2.3.4 via BGP community to all edge routers. Traffic destined for that IP is dropped at the network edge instead of overwhelming your server. Akamai and all major ISPs use this technique operationally.

🏷️ ACLs & Route Filtering — Prefix Lists, Route-Maps & Traffic Policy

Standard vs Extended ACLs · Named ACLs · Prefix Lists with ge/le · Route-maps · BGP community · PBR · real production examples

ACL Types — Complete Comparison

Type	Number Range	Match On	Granularity
Standard IP	1-99, 1300-1999	Source IP only	Low
Extended IP	100-199, 2000-2699	Src+Dst IP, Port, Protocol	High
Named Standard	Any name	Source IP only	Low
Named Extended	Any name	Full 5-tuple	High

📌 ACL Placement Rule: Standard ACLs: place CLOSE TO DESTINATION (they match only src IP — placing near source blocks too much). Extended ACLs: place CLOSE TO SOURCE (they match src+dst — more specific, don't need to cross network).

! Standard ACL example

access-list 10 permit 192.168.1.0 0.0.0.255

access-list 10 deny any ← implicit deny already at end

! Extended ACL — permit HTTP only from .1 to server

ip access-list extended PERMIT_WEB

permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.10 eq 80

permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.10 eq 443

deny ip any any log ← explicit deny with log

! Apply to interface

interface Gi0/0

ip access-group PERMIT_WEB in ← inbound

Prefix Lists — More Powerful than ACLs for Routes

Prefix lists match IP prefixes by exact or range match using ge/le operators. They are processed in sequence order — first match wins. Implicit deny all at end.

! Prefix list operators:

ge = "greater than or equal to" (prefix length)

le = "less than or equal to" (prefix length)

! Examples:

ip prefix-list EXACT seq 5 permit 10.0.0.0/8

← matches ONLY 10.0.0.0/8 exactly

ip prefix-list HOSTS seq 5 permit 10.0.0.0/8 ge 32

← matches /32 host routes inside 10.0.0.0/8

ip prefix-list SUBNETS seq 5 permit 10.0.0.0/8 ge 24 le 28

← matches /24, /25, /26, /27, /28 within 10.x

ip prefix-list DEFAULT seq 5 permit 0.0.0.0/0

← matches ONLY the default route 0.0.0.0/0

ip prefix-list ALL seq 5 permit 0.0.0.0/0 le 32

← matches ALL prefixes (any length)

Route-Maps — Match + Set Logic

Component	Purpose	Example
match	Define what to select	match ip address prefix-list MYLIST
set	What action to take	set local-preference 200
permit	Apply set actions	Route-map clause permits = applies policy
deny	Reject matching routes	Route-map clause deny = drop route
No match	If no match clause	permit=ALL routes match; deny=NO routes match

! Route-map for BGP local-preference

route-map SET_LOCALPREF permit 10

match ip address prefix-list PREFERRED

set local-preference 200

route-map SET_LOCALPREF permit 20

← empty = match all, set nothing (pass through)

! AND/OR logic:

Multiple match statements in ONE clause = AND

Multiple route-map clauses with same name = OR

🎯 Interview Q&A — ACLs & Route Filtering

Q: What is the difference between an ACL, a prefix list, and a route-map? When do you use each?▶

ACL: Used primarily to FILTER TRAFFIC (permit/deny packets based on headers). Can be used for traffic filtering (interface in/out), NAT, VPN crypto maps, QoS class-maps, or for matching routes in redistribution/route-maps. When used to filter routes, they match only on the network address portion. Prefix List: Designed SPECIFICALLY for route matching/filtering. More efficient than ACLs for routes. Supports ge/le operators for flexible prefix length matching. Used in BGP neighbor filtering, OSPF distribute-lists, redistribution. Cannot filter traffic — only route prefixes. Route-Map: A swiss-army knife — it can MATCH routes using ACLs, prefix-lists, community lists, AS-path, and then SET attributes (local-pref, MED, next-hop, community, weight). Used for BGP policy, redistribution manipulation, Policy-Based Routing (PBR). A route-map WITHOUT a match clause matches everything. A route-map deny clause drops matched routes.

ACL Processing — How the Router Evaluates Each Entry

ACL entries are processed TOP TO BOTTOM, FIRST MATCH WINS. The router stops evaluating as soon as it finds a match. Every ACL has an invisible implicit deny all at the end — if nothing matches, the packet is dropped. This means: always put more specific entries before less specific ones.

Wildcard Mask — The Inverse of Subnet Mask

Wildcard mask (used in ACLs, OSPF network statements): 0 = must match, 1 = ignore. It's the INVERSE of the subnet mask. Quick calculation: 255.255.255.255 - subnet mask = wildcard mask.

Subnet Mask	Wildcard Mask	What It Matches
255.255.255.255	0.0.0.0	Exact host match (host keyword)
255.255.255.0	0.0.0.255	Entire /24 subnet
255.255.255.192	0.0.0.63	Entire /26 subnet
255.255.0.0	0.0.255.255	Entire /16 block
0.0.0.0	255.255.255.255	Any IP (any keyword)
255.255.255.0 (odd trick)	0.0.0.254	All EVEN IPs in subnet (unusual)

! Verify ACL hits in real time

show ip access-lists PERMIT_WEB

→ shows each ACE with match count

show ip interface Gi0/0 | include access

→ shows which ACL applied in/out

ip access-list extended PERMIT_WEB

10 permit tcp any host 10.0.0.1 eq 443

20 deny ip any any log

→ "log" keyword: generates syslog per match

! NEVER add "log" to high-traffic deny rules

! in production — logs flood the buffer

Extended ACL — Every Match Condition with Real Examples

Match Field	Keyword	Example	Notes
Protocol	tcp / udp / icmp / ip / ospf / eigrp	permit tcp ...	"ip" matches ALL protocols
Source IP	host X.X.X.X / network wildcard / any	10.1.1.0 0.0.0.255	host = exact IP, any = 0.0.0.0 255.255.255.255
Source Port	eq / lt / gt / range / neq	eq 1024 / range 1024 65535	TCP/UDP only
Dest IP	same as source	host 8.8.8.8	—
Dest Port	eq / lt / gt / range	eq 80 / eq www / eq 443	Named ports: www=80, domain=53, ssh=22
TCP Flags	established / syn / fin / rst / ack	permit tcp any any established	established = ACK or RST bit set (return traffic)
ICMP Type	echo / echo-reply / unreachable / traceroute	permit icmp any any echo-reply	Permits return pings without opening full ICMP
DSCP	dscp value	permit ip any any dscp ef	Match QoS-marked traffic (EF=46)

REAL-WORLD ACL SCENARIO — Stateless Firewall:

! Allow internal hosts to browse web, block everything else

! Applied OUTBOUND on the external interface (toward internet)

ip access-list extended OUTBOUND_INTERNET

permit tcp 192.168.0.0 0.0.255.255 any eq 80

permit tcp 192.168.0.0 0.0.255.255 any eq 443

permit udp 192.168.0.0 0.0.255.255 any eq 53

deny ip any any log

! Applied INBOUND — allow return traffic (established TCP)

ip access-list extended INBOUND_INTERNET

permit tcp any 192.168.0.0 0.0.255.255 established

permit udp any 192.168.0.0 0.0.255.255 gt 1023

permit icmp any any echo-reply ← allow ping replies back

permit icmp any any unreachable ← allow PMTUD ICMP

deny ip any any log

⚠️ Stateless vs Stateful: IOS ACLs are STATELESS — they don't track TCP connection state. The established keyword only checks the ACK/RST bit, which can be spoofed. Cisco ASA/Firepower uses stateful inspection — automatically permits return traffic for established sessions. For production firewalls, always use stateful inspection.

🎯 Advanced Interview Q&A — ACLs

Q: You apply an ACL inbound on Gi0/0 and all traffic stops, even traffic you expected to permit. What happened?▶

Most common causes: ①Implicit deny hit before your permit: Your ACL has the correct permit statement but it's ordered BELOW a broader deny. Remember: first match wins. Run show ip access-lists [name] — look at match counts. If your permit has 0 matches and the deny above it has matches, the deny is too broad and is catching your traffic first. Reorder: put specific permits before general denies. ②Wrong direction: Applied inbound but traffic flows outbound (or vice versa). Inbound = traffic entering the interface FROM outside. Outbound = traffic leaving the interface. Run show ip interface Gi0/0 | include access to confirm direction. ③ACL applied to wrong interface: You put it on Gi0/0 but traffic enters via Gi0/1. ④Forgot to permit return traffic: Outbound HTTP is permitted but return traffic (established TCP) has no permit rule — use permit tcp any any established for inbound. ⑤Routing protocol traffic blocked: OSPF hello uses 224.0.0.5 multicast — if your ACL doesn't explicitly permit permit ospf any any, OSPF adjacencies drop when ACL is applied to a router interface participating in OSPF.

Q: What is the difference between an ACL applied inbound vs outbound, and how does it affect performance?▶

Inbound ACL: Evaluated BEFORE the routing lookup. If the packet is denied, it's dropped immediately — no routing table lookup, no CEF lookup, no L2 rewrite. This is the most CPU-efficient placement for blocking traffic. The packet never enters the router's forwarding path. Outbound ACL: Evaluated AFTER the routing lookup, just before the packet leaves the interface. The router has already done the full FIB lookup, found the egress interface, looked up the adjacency, prepared the L2 header — THEN the ACL check happens. If denied, all that work was wasted. Use inbound ACLs when you want to filter at the entry point (edge filtering). Use outbound when you need to filter based on routing decisions (e.g., "don't send certain routes out this specific interface" — though for routes, use distribute-lists or route-maps instead). Performance: Modern Cisco platforms implement ACLs in TCAM (Ternary Content Addressable Memory) — hardware lookup at line rate regardless of ACL size. On software-forwarded platforms, inbound ACLs are slightly faster because no routing lookup overhead for dropped packets.

🔁 OSPF — Complete Reference: Neighbors, DR/BDR, LSAs & Troubleshooting

Neighbor states · DR/BDR election · LSA types · area types · cost calculation · multi-vendor config · troubleshooting workflow

OSPF Neighbor States — The 8-State Machine

Neighbors must go through all states to reach FULL adjacency. Only FULL neighbors exchange LSAs and build the LSDB. 2-WAY is acceptable for DROther routers on multi-access segments.

#	State	What's happening	Stuck here = problem
1	Down	No hellos received. Initial state.	Dead interval expired (4× hello)
2	Attempt	Sending Hello to configured neighbor (NBMA)	NBMA neighbor unreachable
3	Init	Hello received but MY router-id not in it	Hello heard but not bidirectional — check firewall blocking 224.0.0.5
4	2-Way	MY router-id IS in neighbor's Hello. DR/BDR election happens here.	Normal for DROther↔DROther on broadcast segments
5	ExStart	Master/Slave election by Router-ID. Negotiating DBD sequence numbers.	MTU MISMATCH — most common cause! Check: show int, ip ospf mtu-ignore
6	Exchange	Exchanging DBD (Database Description) packets with LSDB summary	Corrupt DBD packets, authentication mismatch
7	Loading	Requesting full LSAs via LSR (Link State Request)	LSA database inconsistency
8	Full	LSDB synchronized. Only state with working adjacency.	N/A — this is the goal!

OSPF DR/BDR Election

DR/BDR election happens on BROADCAST and NBMA networks to reduce OSPF traffic. On a 5-router segment, without DR: 10 adjacencies. With DR: 4 adjacencies (each router to DR+BDR only). DR floods LSAs so others don't have to.

OSPF Troubleshooting — Structured Diagnostic Workflow

Symptom	Root Cause	Command to Verify	Fix
Neighbor stuck INIT	Unidirectional hello (firewall blocking 224.0.0.5, wrong area)	show ip ospf neighbor; debug ip ospf hello	Fix firewall; verify same area; check network statement
Neighbor stuck EXSTART	MTU mismatch (most common)	show interfaces — compare MTU both sides	ip ospf mtu-ignore OR fix MTU to match
Neighbor flapping	Hello/Dead timer mismatch OR unstable link	show ip ospf interface — verify timers	Align timers (must match on both sides)
No adjacency at 2-WAY	Network type mismatch (e.g. broadcast vs p2p)	show ip ospf interface — check "Network Type"	ip ospf network broadcast/point-to-point
Routes missing	Summarization filtering, area type restriction, redistribute missing	show ip ospf database; show ip route ospf	Check LSA types for area type; add redistribution
Wrong DR elected	Priority not set; pre-existing DR (non-preemptive)	show ip ospf neighbor; show ip ospf interface	Set priority, clear ospf process on segment

🎯 CCIE Interview Q&A — OSPF

Q: Two OSPF routers are neighbors but stuck in EXSTART. You've verified timers and authentication match. What else do you check?▶

EXSTART is where Master/Slave election happens using DBD packets. If stuck here: ①MTU mismatch (most common): Run show interfaces Gi0/0 on both routers — if MTUs differ (e.g. 1500 vs 1476 due to tunnel), DBD packets are dropped. Fix: ip ospf mtu-ignore as temporary fix, or align MTU. ②Duplicate Router-IDs: Two routers with same router-id — check show ip ospf | include Router ID on both. ③DBD options mismatch: E-bit (external capability) differences — rare but check with debug ip ospf adj. ④Authentication type mismatch: One side uses MD5, other uses clear text. Verify with show ip ospf interface detail | include auth. The debug command debug ip ospf adj will show the exact error message causing the EXSTART loop.

Q: Explain OSPF cost and why you must change the reference bandwidth for modern networks.▶

OSPF cost = Reference Bandwidth / Interface Bandwidth (bps). Default reference bandwidth = 100 Mbps (100,000,000 bps). This gives: FastEthernet = 100M/100M = 1, and Gigabit = 100M/1000M = 0.1 → rounded to 1. GigE and FastEthernet have the SAME cost = 1! OSPF can't distinguish between them. For 10GbE: 100M/10000M = 0.01 → rounded to 1. Same cost again. Fix: auto-cost reference-bandwidth 10000 (in Mbps = 10 Gbps reference). Now: FE=1000, GbE=100, 10GbE=10, 100GbE=1. ALWAYS set this consistently on ALL OSPF routers — inconsistent reference bandwidth leads to suboptimal routing because costs won't be comparable across the domain. Cost table with default 100M reference: FE=1, Eth=10, E1=64, T1=64, 64K=1562.

🔌 TCP & UDP — Complete Packet-Level Deep Dive

Every TCP header field · 3-way handshake with real sequence numbers · SACK · FIN vs RST · Wireshark filters · connection states · common interview traps

TCP Header — All 10 Fields at the Bit Level (20 bytes minimum)

TCP is defined in RFC 793 (1981) and updated by many RFCs. The header is 20 bytes minimum (with no options), up to 60 bytes max. Every reliable connection you've ever made on the internet has had this header — your browser, SSH sessions, BGP peers — all TCP.

🤝 TCP 3-Way Handshake — With Real Sequence Number Math

Scenario: Browser (Client 192.168.1.10:52431) connecting to Web Server (93.184.216.34:80). Real ISNs are 32-bit random numbers — Wireshark shows relative (0-based) for readability.

Why Is the Initial Sequence Number (ISN) Random?

The ISN is randomly generated (RFC 6528) for security. If predictable, an attacker could inject spoofed TCP segments into an existing connection — a "TCP session hijacking" attack. The random ISN makes it computationally infeasible to guess valid sequence numbers.

TCP Options Exchanged in SYN/SYN-ACK

Option (Kind)	Size	Purpose	SYN only?
MSS (2)	4B	Tell peer max segment size to send me. Default = 1460 for Ethernet.	Yes
SACK-Permitted (4)	2B	I support Selective ACKs.	Yes
Window Scale (3)	3B	Multiply window size by 2^n. Needed for fast networks (high BDP)	Yes
Timestamps (8)	10B	RTT measurement + PAWS (protect against old segments)	No
SACK (5)	Variable	Selective ACK: "I got bytes 1-500 and 800-1000, missing 501-799"	No

Window Size & Flow Control — Why It Matters

Window Size = receive buffer size

SYN shows Win=64240 bytes (typical Linux default)

With Win Scale option 2^7=128: actual window = 64240 × 128 = 8,222,720 bytes (~8MB)

This means the sender can have 8MB of data "in flight"

before needing an ACK — critical for high-latency links

! Zero Window = receive buffer full — sender STOPS

Wireshark: [TCP ZeroWindow] alert = receiver overwhelmed

Fix: check application processing speed on receiver

TCP SACK — Selective Acknowledgment Explained

Without SACK: if packet 5 is lost in a sequence 1-10, receiver must re-send ALL 10 packets. With SACK: receiver says "I have 1-4 and 6-10, only resend 5."

🔚 TCP Connection Teardown — FIN vs RST

FIN — Graceful 4-Way Teardown

⏳ TIME_WAIT (2×MSL = 60–240s): After sending final ACK, client waits in TIME_WAIT to handle any delayed packets. Prevents old segment from interfering with a new connection on same 5-tuple. High-traffic servers can exhaust ports due to TIME_WAIT — fix with SO_REUSEADDR.

RST — Abrupt Reset

RST scenario	Who sends it?	Wireshark alert
Port not listening	Server kernel (OS)	[TCP RST, ACK]
Firewall block	Firewall or load-balancer	[TCP RST]
Connection timeout	Sender times out	[TCP RST]
Invalid segment	Either side	[TCP RST]
App crash	OS on behalf of app	[TCP RST, ACK]

TCP vs UDP Comparison

Feature	TCP	UDP
Connection	Connection-oriented (3WHS)	Connectionless
Reliability	Guaranteed delivery + ordering	Best effort, no ordering
Header Size	20-60 bytes	8 bytes fixed
Flow Control	Window size mechanism	None
Congestion	Slow start, AIMD, CUBIC	None (app responsible)
Use Cases	HTTP, HTTPS, FTP, SSH, BGP, SMTP	DNS, DHCP, VoIP, gaming, SNMP
Latency	Higher (handshake + ACK overhead)	Lower (fire and forget)

Wireshark TCP Filters Cheat Sheet

tcp.flags.syn==1 and tcp.flags.ack==0 ← SYN only

tcp.flags.reset==1 ← all RSTs

tcp.flags.fin==1 ← all FINs

tcp.analysis.retransmission ← retransmits

tcp.analysis.zero_window ← zero window

tcp.analysis.dup_ack ← duplicate ACKs

tcp.analysis.lost_segment ← gaps in stream

tcp.port==80 or tcp.port==443 ← HTTP/HTTPS

🎯 CCIE-Level Interview Q&A — TCP Deep Dive

Q: Explain TCP slow start and congestion avoidance. What happens when a packet is lost?▶

Slow Start: When a new TCP connection starts, the sender's Congestion Window (CWND) begins at 1 MSS (or 10 MSS on modern systems per RFC 6928). After each ACK, CWND doubles — exponential growth. This continues until: (a) CWND reaches Slow Start Threshold (ssthresh), OR (b) a packet loss is detected. Congestion Avoidance: Once CWND ≥ ssthresh, growth becomes linear: +1 MSS per RTT (Additive Increase). On packet loss: If loss detected by 3 duplicate ACKs (fast retransmit): ssthresh = CWND/2, CWND = ssthresh (TCP Reno) or ssthresh only (TCP CUBIC). If loss by timeout: ssthresh = CWND/2, CWND = 1 MSS (severe back-off). TCP CUBIC (default Linux kernel): uses a cubic function for CWND growth — less aggressive than Reno, optimized for high-BDP networks (long-fat pipes like Akamai CDN connections).

Q: You see TCP RSTs in Wireshark. How do you determine the root cause?▶

First question: WHO sent the RST? Check the source IP in the RST packet. Then determine WHAT triggered it: ①RST immediately after SYN → port closed/not listening on server. ②RST after SYN from a different IP than server → firewall/proxy is sending RSTs. ③RST in mid-stream → application crash, idle timeout, stateful firewall asymmetric routing issue. ④RST with out-of-window sequence number → security appliance injecting RSTs (IDS/IPS, load balancer). Commands to investigate on Cisco: show conn (ASA) to see connection table, show tcp brief, debug ip tcp transactions. In production at Akamai scale: RSTs from edge routers usually indicate MSS mismatch or asymmetric routing where the return path goes through a different device that doesn't have connection state.

Q: What is the difference between TCP FIN and TCP RST at the application and protocol level?▶

FIN (Graceful close): Initiated by application calling close() or shutdown(). Means "I'm done SENDING, but I can still RECEIVE." The 4-way handshake allows the other side to finish sending data before it also closes. Half-close is possible (one side closes TX, other side can still send). All data already in-flight is delivered before connection closes. RST (Abrupt close): Either an error condition or deliberate abort. When sent: connection immediately terminates — no more data delivery guaranteed, any pending data is DISCARDED. The receiver's application gets an error (connection reset by peer). No TIME_WAIT state needed. Application-level difference: FIN = HTTP response sent completely, then graceful close. RST = connection aborted mid-response — client browser shows "connection reset" error. In Wireshark: FIN has FIN flag set (usually FIN+ACK). RST has RST flag set (often RST+ACK in response to data, or plain RST for port-closed).

TCP Congestion Control — Slow Start, AIMD, CUBIC, BBR

TCP congestion control is how the Internet avoids collapse. Without it, every sender would transmit at maximum speed until routers drop everything. RFC 5681 defines the modern algorithms. Understanding this is critical for diagnosing slow file transfers, VPN throughput issues, and CDN performance.

Algorithm	OS/Version	How It Grows CWND	Best For
Reno	Classic	+1 MSS/RTT in CA. On loss: CWND=ssthresh (halved)	Low BDP, high-loss paths
NewReno	RFC 6582	Reno + better recovery from multiple losses in one window	General
CUBIC	Linux default since 2.6.19	Cubic function — aggressive on fast links, conservative near loss point	High-BDP (WAN, CDN)
BBR	Google 2016, Linux 4.9+	Model-based: measures BtlBW and RTprop, ignores queue delay	Long-fat pipes, lossy wifi
RACK	RFC 8985	Time-based loss detection instead of dup-ACK counting	Reordered packets

BBR vs CUBIC — Key Difference: CUBIC reacts to packet loss (a queue signal). BBR measures actual bottleneck bandwidth and minimum RTT directly — it doesn't wait for loss. BBR fills the pipe at exactly the bottleneck rate without building large queues. This is why Google sees 2–25× better throughput on lossy paths with BBR. Akamai and most CDNs use BBR for origin-to-edge delivery.

! Check TCP congestion algorithm (Linux)

sysctl net.ipv4.tcp_congestion_control

cat /proc/sys/net/ipv4/tcp_available_congestion_control

! Set BBR globally

sysctl -w net.ipv4.tcp_congestion_control=bbr

! Wireshark: see congestion in action

tcp.analysis.retransmission ← loss events

tcp.analysis.dup_ack ← 3 dup ACKs = fast retransmit trigger

Statistics → TCP Stream Graph → Time-Sequence (tcptrace)

TCP Connection State Machine — All 11 States

State	Side	Meaning	Transition
CLOSED	Both	No connection	→ LISTEN (server) or SYN_SENT (client)
LISTEN	Server	Waiting for SYN	→ SYN_RCVD on SYN received
SYN_SENT	Client	SYN sent, awaiting SYN-ACK	→ ESTABLISHED on SYN-ACK
SYN_RCVD	Server	SYN received, SYN-ACK sent	→ ESTABLISHED on ACK
ESTABLISHED	Both	Data flowing. Normal state.	→ FIN_WAIT_1 (active close)
FIN_WAIT_1	Active close	FIN sent, waiting for ACK	→ FIN_WAIT_2
FIN_WAIT_2	Active close	ACK received, waiting for FIN	→ TIME_WAIT on FIN
CLOSE_WAIT	Passive close	FIN received, app still has data	→ LAST_ACK when app closes
LAST_ACK	Passive close	FIN sent, waiting for final ACK	→ CLOSED
TIME_WAIT	Active close	Waiting 2×MSL (60–240s)	→ CLOSED after 2MSL timeout
CLOSING	Simultaneous close	Both sides FIN at same time	→ TIME_WAIT

TIME_WAIT — Why It Exists & Production Impact

Why 2×MSL wait? (MSL = Maximum Segment Lifetime = 30s)

Reason 1: Final ACK might be lost → server resends FIN

Client must still be able to re-send the final ACK

Reason 2: Old duplicate segments from this connection

must expire before new connection uses same 5-tuple

Production problem: High-traffic web servers (Nginx,

HAProxy) accumulate thousands of TIME_WAIT sockets.

Port range 49152-65535 = 16,383 ephemeral ports.

If all ports in TIME_WAIT → "cannot bind" errors!

! Linux fixes:

net.ipv4.tcp_tw_reuse = 1 ← reuse TW sockets for outbound

net.ipv4.ip_local_port_range = 1024 65535 ← wider port range

SO_REUSEADDR socket option in server apps

! Diagnose on Linux

ss -s ← socket statistics summary

ss -tan | grep TIME-WAIT | wc -l ← count TW sockets

netstat -an | grep TIME_WAIT

UDP — When Simplicity Wins

UDP Header — 8 Bytes Total

UDP has NO: sequence numbers, ACKs, flow control, congestion control, connection state. It just stamps src/dst port + length + optional checksum and fires. The application layer handles reliability if needed (e.g., QUIC, SCTP, custom protocols).

Why UDP is the Right Choice for These Protocols

Protocol	Why UDP not TCP?
DNS	Single query/response fits in one packet. TCP overhead (3WHS) for every DNS lookup would be catastrophically slow. DNS uses TCP only for large responses (>512B) or zone transfers.
DHCP	Client has no IP yet — can't establish TCP session. UDP broadcast allows server discovery without pre-existing connection.
VoIP (RTP)	Retransmitting late audio is useless — a retransmitted packet arriving 200ms late creates worse artifacts than no packet. UDP + jitter buffer gives better results than TCP retransmits.
SNMP	Polling-based monitoring. Lost poll = just miss one data point. TCP overhead per poll unnecessary. SNMP traps are fire-and-forget by design.
QUIC (HTTP/3)	UDP-based but adds reliability, ordering, and multiplexing at the application layer — best of both worlds. Avoids TCP head-of-line blocking.
TFTP	Simple file transfer used for router/switch IOS upgrades. Implements its own basic ACK mechanism over UDP.

🎯 Advanced TCP Interview Q&A

Q: A large file transfer between two servers is running at only 10 Mbps on a 1 Gbps link. Both servers show no errors. What do you investigate?▶

10 Mbps on a 1G link with no errors is a TCP throughput problem, not a physical layer issue. Investigate in order: ①TCP Window Size / BDP: Max throughput = Window Size / RTT. If window = 64KB and RTT = 50ms: 65536B / 0.05s = 1.3 Mbps theoretical max. Check ss -tin dst [server_ip] — look at "rcvbuf" and "sndbuf". On Linux, auto-tuning should handle this but may be misconfigured. ②TCP Window Scaling disabled: If window scale option was not negotiated (older OS, firewall stripping TCP options), window stays at 64KB. Run Wireshark — check SYN/SYN-ACK for Window Scale option (Kind=3). If missing, max throughput is limited. ③Firewall/middlebox stripping TCP options: Some firewalls strip all TCP options including SACK and Window Scale. Bypass the firewall and test directly. ④Jumbo frames mismatch: Servers may have jumbo frames (MTU 9000) enabled but intermediate switches don't. This causes fragmentation or PMTUD failure → TCP falls back to tiny MSS. ⑤CPU bottleneck: Check CPU on both servers — high CPU (especially softirq/kernel network processing) can rate-limit TCP. ⑥Nagle's algorithm + delayed ACK interaction: For many small writes, Nagle + 200ms delayed ACK can cause 200ms delays per RTT. Disable with TCP_NODELAY on the application socket. ⑦netstat -s | grep -i retransmit — even low retransmit rates (1%) can halve throughput with some congestion algorithms.

Q: What is TCP head-of-line blocking and how does HTTP/3 solve it?▶

In TCP, all data is delivered in-order. If packet N is lost, ALL subsequent packets (N+1, N+2...) are buffered and withheld from the application until N is retransmitted and received — even if those later packets arrived perfectly. This is TCP head-of-line blocking. In HTTP/2 over TCP, multiple streams are multiplexed over ONE TCP connection. If a single packet is lost, ALL streams stall waiting for retransmission — even streams that have no data loss. A single 0.01% packet loss rate can cause significant performance degradation across all browser resources. HTTP/3 (RFC 9114) is built on QUIC which runs over UDP. QUIC implements its own reliable delivery PER STREAM. If stream 3's packet is lost, streams 1,2,4,5 continue flowing — QUIC only blocks stream 3 until retransmission. No head-of-line blocking across streams. QUIC also combines TLS 1.3 handshake with connection establishment (0-RTT or 1-RTT connection vs TCP+TLS which needs 3WHS + TLS handshake = 3 round trips). This is especially impactful on mobile networks with 2–5% packet loss.

🌐 DHCP & DNS — Every Packet Field, Every Option, Every State

DHCP DORA process with real Wireshark field values · All DHCP options · DHCP relay · DNS hierarchy · recursive vs iterative · record types · Wireshark analysis

DHCP Packet Format — Built on BOOTP (RFC 2131/2132)

DHCP uses UDP — server port 67, client port 68. It's built on top of BOOTP (Bootstrap Protocol). In Wireshark, filter with bootp or dhcp. All 4 DORA messages are UDP broadcasts or unicasts — no TCP!

Field	Size	Discover Value	Offer Value	Request Value	ACK Value
OP (Op Code)	1 byte	1 (BOOTREQUEST)	2 (BOOTREPLY)	1 (BOOTREQUEST)	2 (BOOTREPLY)
HTYPE	1 byte	1 = Ethernet (all 4 messages)
HLEN	1 byte	6 = MAC address length (all 4 messages)
HOPS	1 byte	0	0	0 (or N if relayed)	0
XID (Transaction ID)	4 bytes	0x3903F326 *	0x3903F326 *	0x3903F326 *	0x3903F326 *
SECS	2 bytes	0	0	0	0
FLAGS	2 bytes	0x8000 (broadcast)	0x0000	0x8000 (broadcast)	0x0000
CIADDR (Client IP)	4 bytes	0.0.0.0 (no IP yet)	0.0.0.0	0.0.0.0	192.168.1.100
YIADDR (Your IP)	4 bytes	0.0.0.0	192.168.1.100	0.0.0.0	192.168.1.100
SIADDR (Server IP)	4 bytes	0.0.0.0	192.168.1.1	0.0.0.0	192.168.1.1
CHADDR (Client MAC)	16 bytes	00:0c:29:xx:xx:xx (client MAC, same in all 4)
SNAME	64 bytes	Server hostname (usually empty)
FILE	128 bytes	Boot filename (used for PXE boot)
OPTIONS	Variable	Magic cookie + Option 53 (Discover)	Opt 53(Offer)+54+51+1+3+6	Opt 53(Request)+54+50	Opt 53(ACK)+54+51+1+3+6

* XID is identical across all 4 DORA packets — links the transaction end-to-end

🔬 DORA Process — Step-by-Step with Real Field Values

Key DHCP Options — Complete Reference (RFC 2132)

Option #	Name	Sent in	Example Value
53	DHCP Message Type	All	1=Disc 2=Offer 3=Req 5=ACK 6=NAK
54	Server Identifier	Offer, ACK	192.168.1.1 (DHCP server IP)
51	IP Lease Time	Offer, ACK	86400 = 24 hours
58	Renewal Time (T1)	ACK	43200 = 50% of lease (12hrs)
59	Rebinding Time (T2)	ACK	75600 = 87.5% of lease (21hrs)
1	Subnet Mask	Offer, ACK	255.255.255.0
3	Default Gateway	Offer, ACK	192.168.1.1
6	DNS Servers	Offer, ACK	8.8.8.8, 8.8.4.4
15	Domain Name	Offer, ACK	example.com
50	Requested IP	Discover, Request	192.168.1.100 (client prefers)
55	Parameter Request List	Discover	List of options client wants (1,3,6,15...)
82	Relay Agent Info	Discover, Request	Circuit-ID, Remote-ID (added by relay)

DHCP Relay — How It Works Across Subnets

DHCP broadcasts don't cross router boundaries. DHCP Relay Agent (ip helper-address) converts the local broadcast into a unicast to the DHCP server and adds Option 82.

🌍 DNS — Domain Name System Complete Deep Dive

DNS uses UDP port 53 for queries (≤512 bytes), TCP port 53 for responses >512 bytes or zone transfers. DNS over HTTPS (DoH) and DNS over TLS (DoT) use port 443/853 respectively. There are 13 root server clusters (a.root-servers.net through m.root-servers.net) — actually hundreds of physical servers using anycast.

DNS Hierarchy

Recursive vs Iterative Resolution

Client → Resolver: RECURSIVE ("don't come back until you have the answer")
Resolver → Root/TLD/Auth: ITERATIVE ("give me the next hop or the final answer")

DNS Record Types — Complete Reference

Record	Full Name	Purpose	Example
A	Address	Hostname → IPv4	www.cisco.com → 72.163.4.185
AAAA	IPv6 Address	Hostname → IPv6	www.google.com → 2607:f8b0::200e
CNAME	Canonical Name	Alias → another hostname	www.example.com → example.com
MX	Mail Exchange	Email server for domain	@cisco.com → mail.cisco.com (prio 10)
PTR	Pointer	Reverse DNS: IP → hostname	8.8.8.8 → dns.google
NS	Name Server	Authoritative NS for zone	google.com → ns1.google.com
SOA	Start of Auth.	Zone metadata, primary NS, serial	Zone's master record
TXT	Text	SPF, DKIM, DMARC, domain verification	v=spf1 include:google.com
SRV	Service	Service location (SIP, LDAP)	_sip._tcp.example.com
CAA	Cert Authority Auth.	Which CAs can issue certs	issue "letsencrypt.org"

DNS Wireshark Analysis — What to Look For

! Wireshark DNS filter

dns ← all DNS

dns.flags.response == 0 ← queries only

dns.flags.response == 1 ← responses only

dns.flags.rcode != 0 ← errors (NXDOMAIN etc)

! DNS response codes (RCODE):

0 = NOERROR ← success

1 = FORMERR ← bad query format

2 = SERVFAIL ← server failure

3 = NXDOMAIN ← name doesn't exist

5 = REFUSED ← policy refuse

! CLI verification:

nslookup www.google.com ← basic lookup

dig www.google.com A ← specific record

dig +trace www.google.com ← full resolution trace

dig -x 8.8.8.8 ← reverse lookup (PTR)

dig @8.8.8.8 www.cisco.com ← query specific server

⚠️ DNS TTL Interview Trap: A low DNS TTL (e.g. 60s) means frequent re-resolution — more DNS traffic but faster failover. A high TTL (e.g. 86400s=24hr) means faster responses (caching) but slow failover if IP changes. Akamai CDN uses low TTLs (1-20s) for traffic steering and fast geographic failover.

🎯 CCIE Interview Q&A — DHCP & DNS

Q: Why does a DHCP client broadcast the REQUEST even though it already received an OFFER from one server?▶

In a real network, multiple DHCP servers may respond to the DISCOVER broadcast — each one reserves an IP address and waits. The client broadcasts REQUEST because it needs to: ①Inform ALL servers which server's offer it accepted. ②Allow the servers whose offers were NOT chosen to release the reserved IPs back to their pools. If the REQUEST were unicast to the chosen server only, the other servers would hold those IPs reserved indefinitely (until a timeout). The broadcast ensures all servers on the segment see the selection. Only the selected server sends a DHCP ACK. This is also why Option 54 (Server Identifier = server's IP) is critical in the REQUEST — it tells all servers which one won.

Q: DHCP snooping — what is it and why does it matter?▶

DHCP snooping is a Layer 2 security feature on switches that prevents "rogue DHCP server" attacks. Without it: an attacker can plug in their own device running a DHCP server, and legitimate clients get fake gateway/DNS IPs pointing to the attacker (MITM attack). How it works: Switch ports are configured as "trusted" (uplink to real DHCP server) or "untrusted" (client ports). DHCP OFFER and ACK messages arriving on untrusted ports are DROPPED — only trusted ports can send offers. Additionally, snooping builds a binding table (MAC → IP → port → VLAN) used by Dynamic ARP Inspection (DAI) and IP Source Guard for further validation. Config: ip dhcp snooping globally, ip dhcp snooping vlan 10, ip dhcp snooping trust on uplink ports only. CRITICAL: Don't forget to configure rate-limit on untrusted ports to prevent DHCP exhaustion attacks.

Q: What is DNSSEC and why is it important? What problem does it solve?▶

DNS by default has NO authentication — a resolver accepts any response. This enables DNS cache poisoning (Kaminsky attack): an attacker floods a resolver with fake responses, eventually getting one accepted and cached. The resolver then returns the attacker's IP for a legitimate domain. DNSSEC adds cryptographic signatures (RSA or ECDSA) to DNS records. The chain of trust: IANA signs the root zone with a root KSK → TLD zones sign with their KSK → authoritative zones sign their records. A validating resolver checks the chain before accepting responses. Limitations: DNSSEC only validates authenticity — it does NOT encrypt DNS traffic (DNSSEC responses are public). For privacy, DNS over TLS (DoT) port 853 or DNS over HTTPS (DoH) port 443 are used. Many CDNs including Akamai support both DNSSEC and DoH.

🔄 NAT & PAT — Network Address Translation Deep Dive

Static · Dynamic · PAT/Overload · NAT table mechanics · NAT64 · Troubleshooting · ALG · NAT-T for VPN

NAT Types — Complete Comparison

NAT (RFC 3022) was invented as a stopgap for IPv4 exhaustion. It maps private RFC 1918 addresses to public routable addresses. Every enterprise uses NAT — understanding it at packet level is mandatory for CCNA through CCIE.

Type	Mapping	Use Case	Ports Translated?	Config Command
Static NAT	1 private ↔ 1 public (fixed)	Servers needing permanent public IP (web, mail)	No	ip nat inside source static 10.1.1.1 203.0.113.1
Dynamic NAT	1 private → 1 pool public (rotates)	Pools of users needing temporary public IPs	No	ip nat inside source list 1 pool MYPOOL
PAT / Overload	Many private → 1 public (port-differentiated)	Typical home/enterprise internet access	YES — TCP/UDP port	ip nat inside source list 1 interface Gi0/0 overload
Static PAT	1 private:port ↔ 1 public:port	Port forwarding (e.g. DMZ web server)	YES — static mapping	ip nat inside source static tcp 10.1.1.10 80 203.0.113.1 80
NAT64	IPv6 client → IPv4 server	IPv6-only clients reaching IPv4 internet	Optional	nat64 prefix stateful 64:ff9b::/96

PAT Mechanics — How Overload Really Works

PAT (Port Address Translation) is the reason one public IP can serve 65,535 simultaneous connections. The router adds a unique source port to differentiate sessions.

OUTBOUND (private → public):

PC-A (10.1.1.10:1024) sends to 8.8.8.8:53

Router translates: 10.1.1.10:1024 → 203.0.113.1:10001

PC-B (10.1.1.20:1024) sends to 8.8.8.8:53

Router translates: 10.1.1.20:1024 → 203.0.113.1:10002

NAT TABLE ENTRY:

Proto Inside Local Inside Global Outside Global

UDP 10.1.1.10:1024 203.0.113.1:10001 8.8.8.8:53

UDP 10.1.1.20:1024 203.0.113.1:10002 8.8.8.8:53

INBOUND (public → private):

8.8.8.8:53 replies to 203.0.113.1:10001

Router looks up 10001 → translates BACK to 10.1.1.10:1024

Key: same public IP, DIFFERENT ports = different sessions

⚠️ CCIE trap: PAT runs out of ports at ~65,535 simultaneous sessions per public IP. With NAT pool + overload, each pool IP gets its own 65K port space. CGNAT (Carrier-Grade NAT) stacks multiple public IPs.

NAT Configuration — Full Cisco IOS

! Step 1: Define inside/outside interfaces

interface GigabitEthernet0/0

ip address 10.1.1.1 255.255.255.0

ip nat inside ← mark as inside

interface GigabitEthernet0/1

ip address 203.0.113.1 255.255.255.252

ip nat outside ← mark as outside

! Step 2: Define what to translate (ACL)

ip access-list standard NAT-INSIDE

permit 10.1.1.0 0.0.0.255

! Step 3: PAT (overload on outside interface)

ip nat inside source list NAT-INSIDE interface Gi0/1 overload

! Or Dynamic NAT with a pool

ip nat pool MYPOOL 203.0.113.2 203.0.113.10 netmask 255.255.255.0

ip nat inside source list NAT-INSIDE pool MYPOOL overload

! Static port forward (DMZ web server)

ip nat inside source static tcp 10.1.1.100 80 203.0.113.1 80

! Verification

show ip nat translations ← active sessions

show ip nat statistics ← hit/miss counters

debug ip nat ← per-packet (use carefully!)

clear ip nat translation * ← flush all entries

NAT Translation Table — Four Address Types

Cisco uses four specific terms. Confusing them is the #1 NAT exam mistake.

Term	Meaning	Example
Inside Local	Private IP of inside host (as seen inside)	10.1.1.10:1024
Inside Global	Public IP of inside host (as seen outside)	203.0.113.1:10001
Outside Global	Public IP of outside server (as seen outside)	8.8.8.8:53
Outside Local	IP of outside server as seen by inside hosts (same as Outside Global unless Twice NAT)	8.8.8.8:53

⚠️ Twice NAT (double NAT): translates BOTH source AND destination. Used when two overlapping IP spaces communicate (e.g. two merged companies with same RFC 1918 range). Extremely complex to troubleshoot.

NAT ALG — Protocol-Specific Helpers

Some protocols embed IP addresses INSIDE the payload (not just headers). NAT must inspect and rewrite the payload too — this is the ALG (Application Layer Gateway) function.

Protocol	Problem	ALG Action
FTP (Active mode)	Client sends private IP in PORT command	NAT rewrites PORT command payload with public IP
SIP/VoIP	Private IP in SDP body (media RTP address)	NAT rewrites SDP c= and m= lines
H.323	Private IP embedded in H.323 PDUs	H.323 ALG rewrites gatekeeper registrations
PPTP	GRE protocol has no ports — NAT-T needed	NAT tracks GRE call IDs instead of ports
IPSec ESP (tunnel)	Encrypted — NAT can't see ports. Breaks ESP.	NAT-T: encapsulate ESP in UDP 4500

! NAT-T for IPSec (critical for site-to-site VPN behind NAT)

crypto isakmp nat-traversal 20 ← enable NAT-T, keepalive 20s

IKE detects NAT in path via RFC 3947 vendor ID

If NAT detected: switch from UDP 500 → UDP 4500

ESP wrapped in UDP 4500 — PAT can track it

🎯 NAT/PAT Interview Q&A

Q: A user can ping 8.8.8.8 but cannot browse to google.com. NAT is configured. What do you check?▶

DNS is UDP/TCP port 53. If ping works, ICMP translation is fine. The issue is likely DNS. Check: ①show ip nat translations — do you see UDP:53 entries? If no DNS entries, the DNS packet is not being NATted. ②Check ACL — does the NAT ACL permit the DNS server's response path? The ACL is checked on the inside interface for outbound traffic. ③Check if DNS server is reachable (try nslookup from a PC). ④If using PAT with overload, check show ip nat statistics for "misses" — misses mean no translation was found (packet dropped). ⑤Check if ip nat inside / ip nat outside are on the correct interfaces — common mistake is putting ip nat inside on the wrong interface. ⑥If using an ACL that only permits the internal subnet, verify the DNS server IP isn't being used as a source (shouldn't be, but check). Fix attempt: clear ip nat translation * and retry.

Q: What happens to an IPSec VPN tunnel when both sides are behind NAT?▶

Without NAT-T: IKE (UDP 500) works fine through PAT, but ESP (protocol 50) has NO ports — it cannot be tracked by PAT. The ESP packets are dropped by the NAT device. With NAT-T (RFC 3948): ①Both peers send vendor ID payloads during IKE Phase 1 to signal NAT-T support. ②Each peer detects NAT in path using RFC 3947 (hashes of IP:port compared — if they mismatch, NAT is present). ③If NAT detected: IKE moves from UDP 500 to UDP 4500 for all subsequent IKE and ESP traffic. ④ESP is encapsulated inside UDP 4500 — PAT can now track it using port numbers. ⑤NAT keepalives (typically every 20s) maintain the PAT entry. Without keepalives, the PAT timer expires and the tunnel breaks silently. CCIE note: if you have two VPN devices behind the same PAT router, they both try to use UDP 4500 — the PAT router differentiates by assigning different outside ports. This works for most but some ISPs do Deep Packet Inspection and break it.

📡 Wireless LAN — 802.11 Standards, RF, Security & Enterprise Wi-Fi

802.11ax/Wi-Fi 6 · 2.4/5/6GHz RF · WPA3/SAE · 4-way handshake · CAPWAP · Roaming (802.11r/k/v) · Channel planning

802.11 Standards Evolution — Speed, Frequency & Technology

Standard	Wi-Fi Name	Max Speed	Frequency	Key Technology	Year
802.11b	—	11 Mbps	2.4 GHz	DSSS, 3 non-overlapping channels	1999
802.11a	—	54 Mbps	5 GHz	OFDM, 23 non-overlapping channels	1999
802.11g	—	54 Mbps	2.4 GHz	OFDM, backward compat with b	2003
802.11n	Wi-Fi 4	600 Mbps	2.4 + 5 GHz	MIMO (4×4), channel bonding (40MHz), STBC	2009
802.11ac	Wi-Fi 5	6.9 Gbps	5 GHz only	MU-MIMO (DL), 8 spatial streams, 80/160MHz, 256-QAM	2013
802.11ax	Wi-Fi 6	9.6 Gbps	2.4 + 5 GHz	OFDMA, MU-MIMO (UL+DL), BSS Coloring, TWT, 1024-QAM	2019
802.11ax	Wi-Fi 6E	9.6 Gbps	2.4+5+6 GHz	Adds 6GHz band (1.2GHz spectrum), 14 new 80MHz channels	2021
802.11be	Wi-Fi 7	46 Gbps	2.4+5+6 GHz	320MHz channels, 4K-QAM, Multi-Link Operation	2024

⚠️ CCIE trap: 802.11ac is 5GHz ONLY — it cannot connect 2.4GHz devices. Many enterprises run 802.11n on 2.4GHz for legacy IoT devices. Wi-Fi 6 supports both bands simultaneously via dual-band concurrent radios.

WPA2 4-Way Handshake — Byte-Level Detail

The 4-way handshake derives the PTK (Pairwise Transient Key) used to encrypt unicast traffic. It uses EAPOL (EAP over LAN) frames on top of 802.11.

PRE-REQUISITE: PMK (Pairwise Master Key)

WPA2-Personal: PMK = PBKDF2(passphrase, SSID, 4096 iterations)

WPA2-Enterprise: PMK derived from 802.1X EAP authentication

MESSAGE 1: AP → Client (ANonce)

AP sends: ANonce (AP Nonce — random 256-bit value)

Client now has: ANonce + own SNonce + PMK → derives PTK

MESSAGE 2: Client → AP (SNonce + MIC)

Client sends: SNonce + RSNE (security capabilities) + MIC

MIC = HMAC-SHA1 of msg2 using KCK (part of PTK)

AP verifies MIC → confirms client has correct PMK

MESSAGE 3: AP → Client (Install PTK + GTK)

AP sends: Encrypted GTK (group key for broadcast) + MIC

Client installs PTK, prepares to use it

MESSAGE 4: Client → AP (ACK)

Client confirms: "PTK installed, GTK installed"

AP installs PTK → encrypted data can now flow

PTK = PRF-512(PMK + "Pairwise key expansion" + min(AA,SA) + max(AA,SA) + min(ANonce,SNonce) + max(ANonce,SNonce))

PTK split into: KCK(128b) + KEK(128b) + TK(128b) = 384 bits

WPA3 & SAE — Why WPA2 Was Broken

WPA2 has KRACK vulnerability (2017) — Key Reinstallation Attack. Attacker replays message 3 to reset nonce counters, enabling decryption. WPA3-SAE eliminates this.

Feature	WPA2	WPA3
Key exchange	PSK (pre-shared key direct)	SAE (Dragonfly handshake — perfect forward secrecy)
Offline dict attack	Vulnerable — capture 4-way, crack offline	Not possible — each auth needs online interaction
PMF (Mgmt Frame Protection)	Optional	Mandatory — prevents deauth/disassoc flooding
Open network encryption	None	OWE (Opportunistic Wireless Encryption)
Enterprise	802.1X + RADIUS	192-bit security suite (GCMP-256)

Enterprise Wi-Fi — WLC, CAPWAP & Autonomous vs Lightweight APs

Enterprise Wi-Fi uses a split-MAC architecture: lightweight APs (LAPs) handle real-time 802.11 functions, the WLC (Wireless LAN Controller) handles management and forwarding decisions.

Function	Autonomous AP	Lightweight AP (CAPWAP)
Configuration	Per-AP (CLI/web)	Centralized on WLC
802.11 beacons/probe	Local	Local (real-time)
Client auth	Local	Forwarded to WLC
Data forwarding	Local bridging	CAPWAP tunnel to WLC (or FlexConnect local)
Roaming	Manual re-assoc	Seamless Layer 2 / Layer 3 roaming via WLC
Updates	Per-device	Mass push from WLC

CAPWAP (RFC 5415) — Control and Provisioning of WAPs

UDP 5246 (control) + UDP 5247 (data)

DTLS (Datagram TLS) encrypts control plane by default

AP discovery: broadcast → multicast → DHCP option 43 → DNS

AP state machine: Discovery → DTLS Setup → Join → Config → Run

FlexConnect: AP can forward locally when WLC unreachable

Connected mode: CAPWAP tunnel active, WLC centralized

Standalone mode: AP uses cached config, local switching

Channel Planning & RF Fundamentals

2.4 GHz — 11 channels (US), only 3 non-overlapping:

Ch 1: 2.412 GHz ←── 22 MHz wide

Ch 6: 2.437 GHz ←── does NOT overlap ch1 or ch11

Ch 11: 2.462 GHz ←── does NOT overlap ch1 or ch6

Ch 2-5, 7-10: OVERLAP → co-channel interference!

5 GHz — 25 non-overlapping 20MHz channels (US):

UNII-1: 36,40,44,48 UNII-2: 52-64 UNII-3: 149-165

DFS channels (52-144): radar detection req'd, can cause disruption

RF Path Loss fundamentals:

Free Space Path Loss = 20log(d) + 20log(f) + 32.44 (dB)

2× distance = +6dB loss · 2× frequency = +6dB loss

Walls: drywall ~3dB · concrete ~15dB · elevator ~20dB

RSSI thresholds (practical):

≥ -65 dBm = Excellent (HD video, VoIP)

-65 to -75 = Good (normal browsing)

≤ -80 dBm = Poor (connection drops likely)

802.11 Roaming — Fast BSS Transition (802.11r/k/v)

Standard	Name	What it does
802.11r	Fast BSS Transition (FT)	Pre-authenticates client to target AP BEFORE roam. Reduces roam time from ~400ms to <50ms — critical for VoIP
802.11k	Radio Resource Management	Client requests neighbor report — AP provides list of nearby APs + their channel/RSSI → client can make informed roam decision
802.11v	BSS Transition Management	AP can suggest or force client to roam to a better AP — critical for load balancing and sticky client management

STICKY CLIENT PROBLEM:

Client stays associated to far-away AP (-80dBm)

when a closer AP (-55dBm) is available.

Clients control roaming — APs can only deauthenticate.

SOLUTIONS:

1. 802.11v BSS Transition Management Request → ask nicely

2. Deauthenticate client (forceful — causes brief disconnect)

3. Band steering → move to 5GHz (less congested)

Layer 3 roaming (different subnet):

WLC uses mobility tunnel to maintain client IP address

Anchor WLC holds the client IP, foreign WLC tunnels traffic

🔃 HSRP / VRRP / GLBP — First Hop Redundancy Protocols

Virtual IP/MAC · Active/Standby election · Preemption · Object tracking · GARP on failover · GLBP load balancing

FHRP Comparison — HSRP vs VRRP vs GLBP

Feature	HSRP v1/v2	VRRP v2/v3	GLBP
Standard	Cisco proprietary	RFC 3768 / RFC 5798	Cisco proprietary
Roles	Active / Standby / Listen	Master / Backup	AVG + AVF (up to 4)
Virtual MAC	0000.0c07.acXX (v1) 0000.0c9f.fXXX (v2)	0000.5e00.01XX	0007.b400.XXYY
Multicast addr	224.0.0.2 (v1) / 224.0.0.102 (v2)	224.0.0.18	224.0.0.102
Load balancing	No (only failover)	No (only failover)	YES — round-robin, weighted, host-dependent
Preemption	Off by default	On by default	Off by default (AVG)
Auth support	Plain text / MD5	Plain text (v2) / None (v3)	MD5
IPv6 support	HSRPv2 only	VRRPv3	Yes

HSRP State Machine — All 6 States

State	Role	Behavior
Initial	Starting up	HSRP process just started, no hellos sent yet
Learn	Discovering	Waiting for hello from Active to learn virtual IP
Listen	Passive	Knows virtual IP, not Active/Standby, monitors hellos
Speak	Candidate	Sending hellos, participating in election
Standby	Backup	Monitoring Active, ready to take over in holddown timer
Active	Forwarding	Responding to virtual MAC, forwarding packets

Election: highest priority wins (default 100). Tie → highest real IP wins. Preemption must be explicitly enabled for a higher-priority router to take over when it recovers.

HSRP/VRRP Configuration with Object Tracking

! HSRP v2 with preemption and tracking

interface GigabitEthernet0/0

ip address 192.168.1.2 255.255.255.0

standby version 2

standby 1 ip 192.168.1.1 ← virtual IP

standby 1 priority 110 ← higher = preferred

standby 1 preempt delay minimum 30 ← wait 30s after recovery

standby 1 authentication md5 key-string SECRET

standby 1 track 10 decrement 20 ← if WAN fails, priority -20

! Track object for WAN uplink

track 10 interface GigabitEthernet0/1 line-protocol

! Verification

show standby brief ← Active/Standby state + priority

show standby ← detailed: timers, virtual MAC

debug standby events ← election/failover events

GARP on Failover — Why It's Critical

When a Standby router becomes Active, it sends a Gratuitous ARP (GARP) for the virtual IP. This updates all hosts' ARP caches and the upstream switch's MAC table to point to the new Active router's physical port.

FAILOVER SEQUENCE:

1. Active router fails (link down / process crash)

2. Standby doesn't receive hellos for holdtime (3× hello = 10s)

3. Standby transitions Speak → Active

4. New Active sends GARP (ARP reply, src=virtual IP, src MAC=virtual MAC)

5. All hosts update ARP cache: VIP → virtual MAC (unchanged!)

6. Switch updates CAM: virtual MAC → new physical port

7. Traffic resumes — hosts never changed their default gateway IP/MAC!

WHY VIRTUAL MAC MATTERS:

If we used the physical MAC as virtual MAC, hosts would need to

re-ARP after failover (slow). With a fixed virtual MAC (0000.0c07.acXX),

hosts never re-ARP — only the switch CAM needs updating via the GARP.

FAILOVER TIMING:

Default hello: 3s · Default holdtime: 10s → ~10s failover

Tuned: hello 200ms · holdtime 600ms → <1s failover

BFD integration: sub-100ms detection (HSRP over BFD)

GLBP — Load Balancing Across Multiple Gateways

GLBP is unique: one virtual IP, but multiple virtual MACs. Each gateway (AVF) answers ARP requests with a DIFFERENT virtual MAC. Hosts get load-balanced at the gateway level without knowing it.

GLBP ROLES:

AVG (Active Virtual Gateway): ONE per group

→ Answers ARP requests, distributes virtual MACs

AVF (Active Virtual Forwarder): UP TO 4 per group

→ Each assigned a unique virtual MAC (0007.b400.XXYY)

→ Forwards traffic for hosts assigned its virtual MAC

ARP RESPONSE DISTRIBUTION (default: round-robin):

Host-A ARPs for 192.168.1.1 → gets 0007.b400.0101 (R1 MAC)

Host-B ARPs for 192.168.1.1 → gets 0007.b400.0102 (R2 MAC)

Host-C ARPs for 192.168.1.1 → gets 0007.b400.0101 (R1 MAC)

Result: traffic split between R1 and R2 — true load balancing!

LOAD BALANCING METHODS:

round-robin : default, rotates MAC responses equally

weighted : based on weight value (higher = more traffic)

host-dependent: same host always gets same gateway MAC

🔒 Network Security — Layer 2 Attacks & Defenses

Port security · DHCP snooping · Dynamic ARP Inspection · IP Source Guard · 802.1X · VLAN hopping · Private VLANs · Storm control

Layer 2 Attack Vectors — What Attackers Do & How to Stop Them

Attack	Method	Impact	Defense
MAC flooding	Send millions of frames with fake MACs to fill switch CAM table	Switch fails open → floods ALL frames → attacker sees all traffic (like a hub)	Port security (max MAC per port)
ARP poisoning	Send gratuitous ARPs with attacker's MAC for victim's IP	MITM: all traffic for victim IP goes to attacker	Dynamic ARP Inspection (DAI)
DHCP starvation	Send thousands of DISCOVER with fake MACs to exhaust pool	Legitimate clients can't get IP — DoS	DHCP snooping + rate limiting
Rogue DHCP	Attacker runs own DHCP server → gives clients attacker as gateway	MITM for all new clients	DHCP snooping (trusted ports only)
VLAN hopping (double-tag)	Attacker sends 802.1Q frame with outer VLAN=native VLAN → switch strips it, forwards inner VLAN tag to target VLAN	Access VLAN you're not supposed to be in	Change native VLAN to unused VLAN 999
STP attack	Attacker sends superior BPDUs to become root bridge	Traffic redirected through attacker → MITM or loop	BPDU Guard + Root Guard

Port Security — Configuration & Violation Modes

! Basic port security

interface GigabitEthernet0/1

switchport mode access

switchport access vlan 10

switchport port-security

switchport port-security maximum 2 ← max 2 MACs

switchport port-security mac-address sticky ← auto-learn

switchport port-security violation restrict ← violation mode

! VIOLATION MODES (critical for exam):

shutdown ← port goes err-disabled (default) — MOST SECURE

restrict ← drops violating frames, logs, increments counter

protect ← silently drops violating frames, NO log

! Recovery from err-disabled

show interfaces Gi0/1 status ← err-disabled?

show port-security interface Gi0/1

errdisable recovery cause psecure-violation

errdisable recovery interval 300

DHCP Snooping — Building the Binding Table

DHCP snooping builds a binding table: MAC → IP → VLAN → Interface → Lease time. This table is used by DAI and IP Source Guard. Only trusted ports can send DHCP OFFER/ACK.

! Enable DHCP snooping

ip dhcp snooping

ip dhcp snooping vlan 10,20,30

no ip dhcp snooping information option ← if no option 82 relay

! Mark uplink to real DHCP server as trusted

interface GigabitEthernet0/24 ← uplink to DHCP server

ip dhcp snooping trust

! Rate-limit client ports (anti-starvation)

interface range GigabitEthernet0/1-20

ip dhcp snooping limit rate 15 ← 15 DHCP pkts/sec max

! Verify binding table

show ip dhcp snooping binding

show ip dhcp snooping statistics

Dynamic ARP Inspection (DAI) — ARP Packet Validation

DAI intercepts all ARP requests and replies on untrusted ports and validates them against the DHCP snooping binding table. If IP:MAC don't match → drop the ARP → ARP poisoning impossible.

! Enable DAI on VLANs

ip arp inspection vlan 10,20,30

! Trust uplink ports (switch-to-switch links)

interface GigabitEthernet0/24

ip arp inspection trust

! Add rate limiting on untrusted ports

interface range Gi0/1-20

ip arp inspection limit rate 100 burst interval 1

! Static ARP ACL for hosts with static IPs (no DHCP binding)

arp access-list STATIC-HOSTS

permit ip host 192.168.1.100 mac host aabb.ccdd.eeff

ip arp inspection filter STATIC-HOSTS vlan 10

! Verification

show ip arp inspection vlan 10

show ip arp inspection statistics

Dropped ARPs listed — attacker activity visible here

802.1X Port Authentication — EAP, RADIUS & NAC

802.1X creates a three-party authentication: Supplicant (client), Authenticator (switch), Authentication Server (RADIUS). The port stays in an unauthorized state until authentication succeeds.

Role	Device	Protocol
Supplicant	End device (PC, phone)	EAP over LAN (EAPOL)
Authenticator	Switch / WAP	EAPOL (toward supplicant) + RADIUS (toward server)
Auth Server	RADIUS (Cisco ISE, FreeRADIUS)	RADIUS (UDP 1812/1813)

! 802.1X switch config

aaa new-model

aaa authentication dot1x default group radius

dot1x system-auth-control

radius-server host 10.0.0.1 key SECRET

interface Gi0/1

dot1x port-control auto ← requires auth

authentication host-mode multi-auth ← multiple devices

authentication order dot1x mab ← try 802.1X first, then MAB

MAB (MAC Auth Bypass): for IoT devices without 802.1X supplicant

⛓️ EtherChannel (Link Aggregation)

Why EtherChannel · PAgP Cisco modes & compatibility · LACP IEEE modes · Full real-router configurations · show etherchannel outputs · Load balancing — the router MAC problem solved

The Problem — Bandwidth Bottleneck & Why More Cables Don't Help

💡 Two switches, computers connected at 1000 Mbit each, but the inter-switch link is only 100 Mbit. Adding more cables hits a wall: STP (Spanning Tree Protocol) detects the extra links as potential loops and blocks all but one. Four cables, four times the cost — but still only 100 Mbit. EtherChannel is the solution: bundle all physical links into ONE logical link. STP sees one fat pipe and never blocks anything.

Why EtherChannel works where extra cables don't:

The cool thing about EtherChannel is that it bundles all physical links into a logical link with the combined bandwidth. By combining 4×100 Mbit I now have a 400 Mbit link.

EtherChannel does load balancing among the different physical links, and it takes care of redundancy — once one link fails it keeps working using the remaining links. Maximum: 8 physical interfaces per EtherChannel.

Requirements — ALL ports MUST match or EtherChannel fails:
• Same duplex (full/half)
• Same speed
• Same native VLAN
• Same allowed VLANs list
• Same switchport mode (all access OR all trunk)

PAgP and LACP verify these automatically. Static "on" does NOT check — silent failure possible.

Two Negotiation Protocols

Protocol	Standard	Use When
PAgP	Cisco proprietary	Cisco-to-Cisco ONLY
LACP (802.3ad)	IEEE standard	Any vendor combination

PAgP — Port Aggregation Protocol (Cisco Proprietary)

PAgP can only form EtherChannels between Cisco devices. If you want to configure PAgP you have a number of options to choose from per interface:

Mode	What It Does
Desirable	Interface actively asks the other side to become an EtherChannel. It initiates PAgP negotiation.
Auto	Interface waits passively for the other side to ask. It will respond but never initiate.
On	Interface becomes a member of the EtherChannel but does NOT negotiate. Other side must also be On.
Off	No EtherChannel configured on this interface.

PAgP Compatibility Matrix

Side A \ Side B	On	Desirable	Auto	Off
On	✅	❌ Err	❌ Err	❌
Desirable	❌ Err	✅	✅	❌
Auto	❌ Err	✅	❌ No	❌
Off	❌	❌	❌	❌

⚠️ On + Desirable = ERROR. "On" uses no negotiation. The other side sends PAgP packets which "On" ignores. Both sides end up confused. Only use "On" when BOTH sides are "On".

! === SwitchA: PAgP Desirable (actively negotiates) ===

SwitchA(config)#interface fa0/13

SwitchA(config-if)#channel-group 1 mode desirable

Creating a port-channel interface Port-channel 1

SwitchA(config)#interface fa0/14

SwitchA(config-if)#channel-group 1 mode desirable

! === SwitchB: PAgP Auto (waits passively) ===

SwitchB(config)#interface fa0/13

SwitchB(config-if)#channel-group 1 mode auto

SwitchB(config)#interface fa0/14

SwitchB(config-if)#channel-group 1 mode auto

! Both switches show:

%LINK-3-UPDOWN: Interface Port-channel1, changed state to up

! === Configure the port-channel interface ===

SwitchA(config)#interface port-channel 1

SwitchA(config-if)#switchport trunk encapsulation dot1q

SwitchA(config-if)#switchport mode trunk

SwitchB(config)#interface port-channel 1

SwitchB(config-if)#switchport trunk encapsulation dot1q

SwitchB(config-if)#switchport mode trunk

! The port-channel interface is what you configure —

! VLANs, mode, etc. Physical ports inherit these settings

LACP — Link Aggregation Control Protocol (IEEE 802.3ad)

LACP is the IEEE standard, identical in function to PAgP but works between any vendor. PAgP can only be used between Cisco devices while LACP works with Cisco, HP, Aruba, Juniper, and any 802.3ad-compliant switch. The modes mirror PAgP but use different names:

LACP Mode	PAgP Equivalent	What It Does
Active	Desirable	Actively sends LACP PDUs, initiates the EtherChannel
Passive	Auto	Waits for LACP PDUs, responds but never initiates
On	On	Static — no LACP negotiation, no verification

LACP Compatibility Matrix

Side A \ Side B	On	Active	Passive	Off
On	✅	❌	❌	❌
Active	❌	✅	✅	❌
Passive	❌	✅	❌	❌
Off	❌	❌	❌	❌

⚠️ Passive + Passive = no channel. Neither side initiates. Always have at least ONE side as Active. Best practice: Active/Active on both — self-healing if one side loses configuration.

! First clean up any existing PAgP config:

SwitchA(config)#default interface fa0/13

Interface FastEthernet0/13 set to default configuration

SwitchA(config)#default interface fa0/14

SwitchA(config)#no interface port-channel1

SwitchB(config)#default interface fa0/13

SwitchB(config)#default interface fa0/14

SwitchB(config)#no interface port-channel1

! === SwitchA: LACP Active ===

SwitchA(config-if)#interface fa0/13

SwitchA(config-if)#channel-group 1 mode active

Creating a port-channel interface Port-channel 1

SwitchA(config-if)#interface fa0/14

SwitchA(config-if)#channel-group 1 mode active

! === SwitchB: LACP Passive ===

SwitchB(config)#interface fa0/13

SwitchB(config-if)#channel-group 1 mode passive

SwitchB(config)#interface fa0/14

SwitchB(config-if)#channel-group 1 mode passive

Verification — Real show etherchannel Output Decoded

SwitchA#show etherchannel 1 port-channel

Port-channels in the group:

Port-channel: Po1 (Primary Aggregator)

Age of the Port-channel = 0d:00h:03m:04s

Logical slot/port = 2/1

Number of ports = 2

HotStandBy port = null

Port state = Port-channel Ag-Inuse

Protocol = LACP

Port security = Disabled

Ports in the Port-channel:

Index Load Port EC state No of bits

-------+------+--------+--------+----------

0 00 Fa0/13 Active 0

0 00 Fa0/14 Active 0

Time since last port bundled: 0d:00h:00m:54s

SwitchA#show etherchannel summary

Flags: D - down P - bundled in port-channel

I - stand-alone s - suspended

H - Hot-standby (LACP only)

R - Layer3 S - Layer2

U - in use f - failed to alloc aggregator

M - not in use, min links not met

u - unsuitable for bundling

w - waiting to be aggregated

d - default port

Number of channel-groups in use: 1

Group Port-channel Protocol Ports

------+-------------+-----------+-----

1 Po1(SU) LACP Fa0/13(P) Fa0/14(P)

! Decode flags:

SU = S(Layer2) U(in-use) → channel is active ✅

P = port is bundled in channel ✅

D = port is down → check physical layer

s = suspended → config mismatch detected!

Load Balancing — The Router MAC Problem & How to Fix It

EtherChannel load balancing is NOT round-robin per packet. It hashes a key attribute (src/dst MAC or IP) and always sends the same conversation down the same physical link — this preserves TCP packet ordering. The default is source MAC address. This works well when you have many source MACs, but creates a problem when one side has only one device:

SwitchA#show etherchannel load-balance

EtherChannel Load-Balancing Configuration:

src-mac ← DEFAULT

Non-IP: Source MAC address

IPv4: Source MAC address

IPv6: Source MAC address

SwitchA(config)#port-channel load-balance ?

dst-ip Dst IP Addr

dst-mac Dst Mac Addr

src-dst-ip Src XOR Dst IP Addr

src-dst-mac Src XOR Dst Mac Addr

src-ip Src IP Addr

src-mac Src Mac Addr

! Fix SwitchB: 1 router sending to 4 computers

! Use dst-mac so different computer MACs go to different links

SwitchB(config)#port-channel load-balance dst-mac

Method	Best Scenario
src-dst-ip	Layer 3 routed — many unique IP flows (best general choice)
src-mac	Many source devices (computers → switch)
dst-mac	One source device, many destinations (router → computers)
src-dst-mac	Mixed L2 traffic, many unique pairs

🎯 Interview Q&A — EtherChannel

Q: What is EtherChannel and what problem does it solve? Why can't you just add extra cables between switches?▶

EtherChannel bundles multiple physical links into one logical port-channel, combining bandwidth and providing link-level redundancy. The problem with adding extra cables without EtherChannel is Spanning Tree Protocol — STP detects the extra links as potential loops and blocks all but one. You could have 4×100 Mbit cables but only 1 is active. EtherChannel makes STP see ONE logical link so it never blocks any physical member. The result: 4×100 Mbit = 400 Mbit aggregate bandwidth, all links active. If one fails, the port-channel stays up and traffic redistributes across the remaining links — no 30-50 second STP reconvergence delay. Max 8 physical interfaces per EtherChannel. The port-channel interface itself is what you configure (VLANs, trunking) and physical ports inherit those settings.

Q: When would you choose LACP over PAgP? Is there ever a reason to use static "On" mode?▶

Use LACP in any environment with non-Cisco equipment (HP/Aruba switches, data center ToR switches from other vendors) since LACP is the IEEE 802.3ad standard that every vendor implements. Even in all-Cisco environments, LACP is the better choice because it is future-proof and supports 16-link bundles (8 active + 8 hot-standby). LACP Active/Active on both sides is the recommended best practice — both sides actively negotiate and if one side loses its config, the other detects the failure immediately. Static "On" mode should only be used when you need to form an EtherChannel with a device that doesn't support PAgP or LACP negotiation, or in specific lab/testing scenarios. The risk: "On" skips configuration verification — speed, duplex, or VLAN mismatches won't be detected and will cause silent traffic drops or flapping.

⚡ EIGRP — Enhanced Interior Gateway Routing Protocol

Why EIGRP is called hybrid · 3-table architecture · Advertised Distance vs Feasible Distance · Successor & Feasible Successor worked step-by-step · DUAL loop-free guarantee · 4-router full lab config · Real show command output decoded · Variance for unequal load balancing · Summarization with Null0 · MD5 authentication

What is EIGRP and Why is it Called a "Hybrid" Protocol?

EIGRP stands for Enhanced Interior Gateway Routing Protocol and is a routing protocol created by Cisco. It is called a hybrid or advanced distance vector protocol — it behaves like a distance vector (only shares routes with directly-connected neighbors) but uses the DUAL algorithm which gives it link-state-like properties: loop-free paths, fast convergence, and topology awareness.

The same loop-prevention rules from distance vector apply to EIGRP: split horizon, route poisoning, and poison reverse. But unlike RIP, EIGRP only sends triggered updates when something changes — no periodic 30-second floods of the full routing table.

Feature	EIGRP Value
Protocol type	Hybrid (Advanced Distance Vector)
Algorithm	DUAL — Diffusing Update Algorithm
Metric	Composite: Bandwidth + Delay (by default)
Administrative Distance	90 (internal) / 170 (external)
Transport	IP Protocol 88 (not TCP or UDP)
Multicast address	224.0.0.10
Updates	Triggered ONLY — no 30s periodic floods
Load balancing	Equal AND unequal cost (unique!)
Vendor support	Cisco (opened in RFC 7868 in 2016)

Advertised Distance and Feasible Distance — Step by Step

This is the core concept of EIGRP. Every student struggles with this at first. Let's walk through it exactly as it works using simple numbers. Three routers: KingKong, Ann, and Carl. We want to find the best path to the destination behind Carl.

💡 Two terms to memorize:
Advertised Distance (AD): How far the destination is for YOUR NEIGHBOR — they tell you this.
Feasible Distance (FD): YOUR total distance to the destination — AD + cost of your link to that neighbor.

Successor & Feasible Successor — The Full Worked Example

Now let's find the Successor (best path) and check if we have any Feasible Successors (backup paths). We are on the unnamed router on the left. Link costs: to KingKong=5, to Ann=5, to Carl=100.

! ======================================

! Topology: our router has 3 neighbors

! ======================================

link cost AD from neighbor FD = AD + link

KingKong: 5 10 10 + 5 = 15

Ann: 5 5 5 + 5 = 10 ← LOWEST FD

Carl: 100 9 9 + 100 = 109

SUCCESSOR = Ann (FD = 10, lowest total cost)

→ Goes into routing table

! Feasibility Condition check:

! AD of candidate < FD of Successor

KingKong: AD=10, Successor FD=10 → 10 is NOT < 10 → FAIL

KingKong is NOT a Feasible Successor

Carl: AD=9, Successor FD=10 → 9 IS < 10 → PASS ✅

Carl IS a Feasible Successor (backup path)

! Note: Carl's FD=109 is FAR worse than KingKong's FD=15

! Yet Carl is the backup, not KingKong. Why?

! Because AD=9 < 10 mathematically PROVES Carl has

! an independent path — it cannot be routing via us!

💡 Why the Feasibility Condition guarantees loop-free: If Carl's cost to reach the destination is 9 (less than my total path of 10), then Carl cannot be reaching it by going through me. If it were routing via me, Carl's cost would be at least 10+100=110, not 9. The math proves Carl has a separate, independent path.

Full Configuration — 4-Router EIGRP Lab

Let's configure EIGRP on 4 routers: KingKong, Ann, Carl, and Preston. All links are FastEthernet except KingKong↔Carl which is Ethernet (10 Mbit). Preston has a loopback 4.4.4.0/24 behind it.

! AS number MUST match on ALL routers!

! no auto-summary prevents classful behavior

KingKong(config)#router eigrp 1

KingKong(config-router)#no auto-summary

KingKong(config-router)#network 192.168.12.0

KingKong(config-router)#network 192.168.13.0

Carl(config)#router eigrp 1

Carl(config-router)#no auto-summary

Carl(config-router)#network 192.168.12.0

Carl(config-router)#network 192.168.24.0

Ann(config)#router eigrp 1

Ann(config-router)#no auto-summary

Ann(config-router)#network 192.168.13.0

Ann(config-router)#network 192.168.34.0

Preston(config)#router eigrp 1

Preston(config-router)#no auto-summary

Preston(config-router)#network 192.168.24.0

Preston(config-router)#network 192.168.34.0

Preston(config-router)#network 4.0.0.0

! After config you will see:

%DUAL-5-NBRCHANGE: IP-EIGRP(0) 1:

Neighbor 192.168.13.3 (FastEthernet0/0)

is up: new adjacency

KingKong#show ip eigrp neighbors

IP-EIGRP neighbors for process 1

H Address Interface Hold Uptime SRTT RTO

1 192.168.12.2 Et1/0 14 00:20:08 12 200

0 192.168.13.3 Fa0/0 11 00:43:34 428 2568

KingKong#show ip route eigrp

4.0.0.0/24 is subnetted, 1 subnets

D 4.4.4.0 [90/158720] via 192.168.13.3, Fa0/0

D 192.168.24.0 [90/33280] via 192.168.13.3, Fa0/0

D 192.168.34.0 [90/30720] via 192.168.13.3, Fa0/0

! Decode: D 4.4.4.0 [90/158720] via 192.168.13.3

D = EIGRP (D = DUAL, E was taken by old EGP)

90 = Administrative Distance

158720 = Metric (the Feasible Distance)

via ... = next hop (= Ann router)

KingKong#show ip eigrp topology

P 4.4.4.0/24, 1 successors, FD is 158720

via 192.168.13.3 (158720/156160), Fa0/0 ← SUCCESSOR

via 192.168.12.2 (412160/156160), Et1/0 ← FEASIBLE S.

! (158720/156160) = (FD / AD)

! Carl's AD=156160 < Successor FD=158720 → FC met! ✅

! P = Passive (stable), A = Active (querying neighbors)

Variance — Unequal Load Balancing (EIGRP's Unique Feature)

OSPF can only load balance on equal-cost paths. EIGRP can load balance over unequal-cost paths using the variance multiplier. A Feasible Successor is included in the routing table for load balancing if its FD ≤ (Successor FD × variance).

! From topology table:

Successor FD (Ann): 158720

Feasible Successor FD (Carl): 412160

! Try variance 2:

158720 × 2 = 317440

412160 > 317440 → NOT load balanced

! Try variance 3:

158720 × 3 = 476160

412160 < 476160 → LOAD BALANCED ✅

KingKong(config)#router eigrp 1

KingKong(config-router)#variance 3

KingKong#show ip route eigrp

D 4.4.4.0 [90/158720] via 192.168.13.3, Fa0/0

[90/412160] via 192.168.12.2, Et1/0

! Both entries in routing table!

! Traffic proportionally distributed:

! Ann carries ~2.6× more than Carl

Summarization & MD5 Authentication

! === EIGRP Summarization ===

! Spade has 172.16.0.0/24 and 172.16.1.0/24

! Summarize to /23 on the outgoing interface

Spade(config)#interface fastEthernet 2/0

Spade(config-if)#ip summary-address eigrp 1 172.16.0.0 255.255.254.0

! Hearts now sees one /23 instead of two /24s

! Spade gets: D 172.16.0.0/23 is a summary → Null0

! Null0 = loop prevention. Traffic for unknown

! sub-prefixes dropped, not looped.

! === MD5 Authentication ===

KingKong(config)#key chain MYCHAIN

KingKong(config-keychain)#key 1

KingKong(config-keychain-key)#key-string BANANA

Ann(config)#key chain MYCHAIN

Ann(config-keychain)#key 1

Ann(config-keychain-key)#key-string BANANA

! Apply to interface on both routers:

KingKong(config)#interface fastEthernet 0/0

KingKong(config-if)#ip authentication mode eigrp 1 md5

KingKong(config-if)#ip authentication key-chain eigrp 1 MYCHAIN

! Note: key chain NAME can differ per router

! key NUMBER (1) MUST match on both routers

! key-string (BANANA) MUST match on both routers

🎯 Interview Q&A — EIGRP

Q: Decode this topology table entry: P 4.4.4.0/24, 1 successors, FD is 158720 / via 192.168.13.3 (158720/156160), Fa0/0 / via 192.168.12.2 (412160/156160), Et1/0▶

P = Passive state — the route is stable, no active queries being sent. If it showed A (Active), the router lost its Successor and is querying all neighbors for an alternative path. 4.4.4.0/24 = destination network. 1 successors = one best path exists. FD is 158720 = the total Feasible Distance from this router to 4.4.4.0/24. First entry via 192.168.13.3 (158720/156160): this is the Successor through Ann. 158720 = FD (total distance), 156160 = AD (what Ann told us her cost is to reach 4.4.4.0/24). Fa0/0 = outgoing interface. Second entry via 192.168.12.2 (412160/156160): this is a Feasible Successor through Carl on the slow Ethernet link. 412160 = Carl's FD. 156160 = Carl's AD. Why is Carl a Feasible Successor? Because Carl's AD (156160) is strictly less than the Successor's FD (158720) — the Feasibility Condition is met. This mathematically proves Carl has a loop-free backup path. If Ann's link fails, EIGRP instantly promotes Carl to Successor without any queries — sub-second convergence.

Q: What does it mean when an EIGRP route goes Active? How do you prevent it?▶

Active state means the router lost its Successor AND has no Feasible Successor available. EIGRP sends QUERY packets to ALL neighbors asking if they have a path to the destination. Every neighbor must reply. If a neighbor doesn't reply within the SIA (Stuck-in-Active) timer (default 90 seconds), EIGRP tears down the neighbor relationship to that router. Active state is EIGRP's convergence worst-case. Prevention strategies: (1) Ensure you have Feasible Successors by designing redundant topologies where the Feasibility Condition can be met. (2) Use route summarization to limit query scope — when a query hits a summary boundary, the router replies immediately rather than propagating the query further. (3) Use stub routing on spoke sites — stub routers advertise they have no alternative paths, so the hub never queries them. To diagnose: show ip eigrp topology active, debug eigrp fsm.

🌍 IPv6 — 128-bit Addressing, EUI-64, NDP & Routing

Why IPv4 ran out · Address format & 3 shortening rules with examples · Prefix calculation including binary math · Global unicast hierarchy IANA→ISP→Customer · Unique local · Link-local · Multicast · EUI-64 step by step · Full config & show output · NDP replaces ARP · DAD debug output · SLAAC explained · DHCPv6 relay · IPv6 routing table decoded

Why IPv6? — The IPv4 Address Exhaustion Problem

IPv4 has 32 bits which gives us 4,294,967,296 IP addresses. When the Internet was born companies received entire Class A (16 million addresses), B (65,535 addresses), or C (256 addresses) networks. Large companies like Apple, Microsoft, IBM got one or more Class A networks — but did they really need 16 million IP addresses? Many were just wasted.

We started using VLSM so we could create smaller subnets, and we have NAT/PAT so many private IP addresses can hide behind a single public IP. Nevertheless, the Internet grew in a way nobody expected. Despite VLSM and NAT/PAT we ran out of IPv4 addresses and IPv6 was born.

What happened to IPv5? IP version 5 was used for an experimental project called "Internet Stream Protocol" (RFC 1819). It was never deployed as a general-purpose protocol, so we went straight from IPv4 to IPv6.

IPv6 has 128-bit addresses compared to 32-bit IPv4. Every additional bit doubles the number of addresses:

IPv6 gives us: 340,282,366,920,938,463,463,374,607,431,768,211,456
That's 340 undecillion addresses — enough for every device on Earth, the Moon, Mars, and the rest of the universe.

Feature	IPv4	IPv6
Address size	32 bits	128 bits
Total addresses	~4.3 billion	340 undecillion (2¹²⁸)
Format	Decimal dotted	8 groups of hex
Broadcast	Yes	No — use multicast
ARP	Yes	No — replaced by NDP
DHCP	DHCPv4	DHCPv6 or SLAAC (new!)
Header size	Variable 20-60 bytes	Fixed 40 bytes
OSPF version	OSPFv2	OSPFv3
RIP version	RIPv1/v2	RIPng
BGP	BGP-4	MP-BGP4
EIGRP	EIGRP	EIGRPv6

⚠️ IPv4 and IPv6 are NOT compatible. Running both on the same network is called dual stack. You need separate routing protocol instances for IPv4 and IPv6. The migration is happening now but will take years to complete.

IPv6 Address Format — Hex, 8 Groups, and the 3 Shortening Rules

IPv6 addresses are written in hexadecimal with 8 groups of 4 hex characters separated by colons: 2041:0000:140F:0000:0000:0000:875B:131B. Typing this is painful, so there are three rules to shorten it.

Hex Reference Table

Hex	Binary	Dec	Hex	Binary	Dec
0	0000	0	8	1000	8
1	0001	1	9	1001	9
2	0010	2	A	1010	10
3	0011	3	B	1011	11
4	0100	4	C	1100	12
5	0101	5	D	1101	13
6	0110	6	E	1110	14
7	0111	7	F	1111	15

The 3 Shortening Rules

#	Rule	Before	After
1	Replace the longest consecutive run of all-zero groups with :: (only ONCE)	2041:0000:140F:0000:0000:0000:875B:131B	2041:0000:140F::875B:131B
2	Remove 4-zero groups leaving a single zero	2041:0000:140F::875B:131B	2041:0:140F::875B:131B
3	Remove leading zeros within any group	2001:0001:0002:0003::1	2001:1:2:3::1

⚠️ You can only use :: ONCE per address. The device expands it by counting how many groups are missing to reach 8 total. Two :: would make this ambiguous — the device can't know how many zeros each represents. Invalid example: 2001::1::2

Prefix Calculation — Including Binary Math for /53

IPv6 uses prefix length (/64 etc.) like CIDR, not subnet masks. When the prefix length is a multiple of 16, it's easy — the boundary falls exactly on a group separator. When it's not (like /53), you need binary.

! Easy example: /64

Address: 2001:1234:5678:1234:5678:ABCD:EF12:1234/64

First 16 hex chars = first 64 bits = prefix:

Prefix: 2001:1234:5678:1234::/64

! Hard example: /53

Address: 2001:1234:abcd:5678:9877:3322:5541:aabb/53

53 ÷ 16 = 3 full groups (48 bits) + 5 more bits

53rd bit is in the 4th group (5678):

5678 in binary: 0101 0110 0111 1000

53rd bit = 5th bit of this group (counting from left)

Split at bit 5: 01010 | 110 0111 1000

Host bits → zero: 0101 0000 0000 0000

= 5000 in hex

Result: 2001:1234:abcd:5000::/53

IPv6 Address Types — Global Unicast, Unique Local, Link-Local, Multicast

IANA reserved certain IPv6 ranges for specific purposes. There are no "classes" like IPv4 had, but there are well-defined scopes:

Type	Prefix	Routable?	Description
Global Unicast	2000::/3 (starts 2 or 3)	Yes	IPv6 public addresses. IANA → Regional Registry → ISP → Customer → /64 subnets. Everyone can get a prefix.
Unique Local	FC00::/7 (FD prefix)	No	Like RFC1918 private. FD + 40-bit Global ID + 16-bit Subnet + 64-bit Interface ID. Make Global ID unique in case you ever merge networks.
Link-Local	FE80::/10 (FE80-FEBF)	No — link only	Auto-generated on EVERY IPv6 interface. Used by NDP, routing protocol adjacencies, and as next-hop. Always FE80::0000:0000:0000 prefix + interface ID.
Loopback	::1/128	No	Same as IPv4 127.0.0.1
Multicast	FF00::/8	Scope-dependent	Replaces ALL broadcast. FF02::1=all nodes, FF02::2=all routers, FF02::5=OSPF, FF02::A=EIGRP, FF02::1:2=all DHCP agents

💡 Global Unicast hierarchy example: IANA assigns 2001:800::/23 to RIPE (Europe). RIPE gives ISP 2001:828::/32. ISP gives customer 2001:828:105::/48. Customer subnets that into /64s: 2001:828:105:0000::/64, 2001:828:105:0001::/64 etc. — 65,536 possible subnets from that /48!

EUI-64 — Generating Interface ID from MAC Address

Instead of manually typing all 128 bits, you can give the router just the 64-bit prefix and let it generate the 64-bit interface ID from its MAC address automatically. A MAC address is 48 bits, interface ID is 64 bits — we need 16 more bits.

! === Configure EUI-64 ===

! Give only the /64 prefix — router generates interface ID

Router(config)#interface fastEthernet 0/0

Router(config-if)#ipv6 address 2001:1234:5678:abcd::/64 eui-64

Router#show interfaces fa0/0 | include Hardware

Hardware is Gt96k FE, address is c200.185c.0000

Router#show ipv6 interface fa0/0

IPv6 is enabled, link-local address is FE80::C000:18FF:FE5C:0

Global unicast address(es):

2001:1234:5678:ABCD:C000:18FF:FE5C:0, [EUI]

subnet is 2001:1234:5678:ABCD::/64

! === Manual IPv6 address ===

Router(config-if)#ipv6 address 2001:1234:5678:abcd::1/64

! === MUST enable IPv6 routing! ===

Router(config)#ipv6 unicast-routing

! Without this, router won't forward IPv6 packets

! or build an IPv6 routing table!

! === Enable IPv6 on interface (creates link-local) ===

Router(config-if)#ipv6 enable

NDP — Neighbor Discovery Protocol (Replaces ARP and More)

NDP (Neighbor Discovery Protocol) uses ICMPv6. It replaces IPv4 ARP completely and adds several new features that IPv4 didn't have. There are no broadcasts in IPv6 — NDP uses multicast to only reach relevant devices.

NDP Message	ICMPv6	IPv4 Equivalent	Purpose
Router Solicitation (RS)	Type 133	No equivalent	Host asks "Any routers here?" to FF02::2 (all routers multicast)
Router Advertisement (RA)	Type 134	No equivalent	Router announces: its link-local address, subnet prefix, MTU. Sent periodically to FF02::1 (all nodes) and on demand to RS sender.
Neighbor Solicitation (NS)	Type 135	ARP Request	Who has this IPv6 address? Sent to Solicited-Node multicast (FF02::1:FF + last 24 bits of target address)
Neighbor Advertisement (NA)	Type 136	ARP Reply	Here's my MAC address! Also used for DAD response.
Redirect	Type 137	ICMP Redirect	Router tells host to use a better first hop for a destination

DAD — Duplicate Address Detection (with debug output)

Before using ANY IPv6 address (link-local or global unicast), every host performs DAD — it sends a Neighbor Solicitation for its own tentative address. If anyone replies, the address is already taken.

R1#debug ipv6 nd

ICMP Neighbor Discovery events debugging is on

R1(config)#interface fa0/0

R1(config-if)#ipv6 address autoconfig

! DAD for link-local address:

ICMPv6-ND: Sending NS for FE80::C000:6FF:FE7C:0 on Fa0/0

ICMPv6-ND: DAD: FE80::C000:6FF:FE7C:0 is unique.

! RS/RA exchange for SLAAC:

ICMPv6-ND: Sending RS on FastEthernet0/0

ICMPv6-ND: Received RS on Fa0/0 from FE80::C000:6FF:FE7C:0

ICMPv6-ND: Sending solicited RA on FastEthernet0/0

ICMPv6-ND: prefix = 2001:2:3:4::/64 onlink autoconfig

ICMPv6-ND: Received RA from FE80::C001:6FF:FE7C:0 on Fa0/0

ICMPv6-ND: Selected new default router FE80::C001:6FF:FE7C:0

! DAD for global unicast address:

ICMPv6-ND: Sending NS for 2001:2:3:4:C000:6FF:FE7C:0

ICMPv6-ND: Autoconfiguring 2001:2:3:4:C000:6FF:FE7C:0 on Fa0/0

ICMPv6-ND: DAD: 2001:2:3:4:C000:6FF:FE7C:0 is unique.

SLAAC + DHCPv6 Relay

SLAAC (Stateless Address Autoconfiguration):
1. Host sends RS to FF02::2 (all routers)
2. Router replies with RA containing subnet prefix
3. Host combines prefix + EUI-64 or random interface ID
4. Host runs DAD to verify uniqueness
5. Host has address + default gateway — no DHCP server needed!

What SLAAC is missing: DNS server. Use stateless DHCPv6 just for DNS info.

! === DHCPv6 Relay Configuration ===

! Client sends Solicit to FF02::1:2 (link-local multicast)

! Router on fa0/0 must relay to DHCPv6 server:

Router(config)#interface fa0/0

Router(config-if)#ipv6 dhcp relay destination 2001:5:6:7::2

! Router forwards using its fa1/0 address as SOURCE

! (unlike IPv4 relay which uses receiving interface address)

! === IPv6 Routing Table ===

Router#show ipv6 route

C 2001:2:3:4::/64 [0/0] via ::, FastEthernet0/0

L 2001:2:3:4::1/128 [0/0] via ::, FastEthernet0/0 ← host route

C 2001:5:6:7::/64 [0/0] via ::, FastEthernet0/1

L 2001:5:6:7::1/128 [0/0] via ::, FastEthernet0/1

L FF00::/8 [0/0] via ::, Null0 ← multicast

! IPv6 static route:

ipv6 route 2001:5:6:7::/64 2001:2:3:4::2

! Default route:

ipv6 route ::/0 FE80::1 fa0/0 ← use link-local next-hop!

! Neighbor table (replaces ARP table):

Router#show ipv6 neighbors

FE80::C000:6FF:FE7C:0 21 c200.067c.0000 STALE Fa0/0

🎯 Interview Q&A — IPv6

Q: IPv6 removes broadcasts entirely. How does it handle what IPv4 used broadcasts for — ARP, DHCP discover, routing hellos?▶

IPv6 replaces all broadcasts with targeted multicast. For MAC address resolution (ARP in IPv4): NDP sends a Neighbor Solicitation to the Solicited-Node multicast address FF02::1:FF + last 24 bits of the target IPv6 address. Only devices sharing those 24 bits process it — typically just 1-2 devices instead of the entire subnet waking up. For DHCP: DHCPv6 Solicit goes to FF02::1:2 (all DHCP agents), not a broadcast. Only DHCP servers/relays process it. For router discovery: Router Solicitation goes to FF02::2 (all routers). Routing protocol hellos: OSPF uses FF02::5 and FF02::6. EIGRP uses FF02::A. The efficiency gain is significant — an IPv4 ARP broadcast interrupts every host's CPU on the subnet; a Solicited-Node multicast typically interrupts only 1-2 hosts.

Q: What is SLAAC? What can it provide and what does it need DHCPv6 for?▶

SLAAC (Stateless Address Autoconfiguration) lets a host configure its own IPv6 address with zero DHCP server infrastructure. Process: Host sends RS to FF02::2. Router replies with RA containing subnet prefix (e.g., 2001:DB8:1::/64). Host combines prefix + EUI-64 or random 64-bit interface ID = unique 128-bit address. Host runs DAD. Host uses router's link-local address as default gateway. SLAAC provides: IPv6 address, subnet prefix, default gateway, MTU. What SLAAC cannot provide: DNS server address. You still need either stateless DHCPv6 (provides only options like DNS, no address assignment — no state kept) or stateful DHCPv6 (full assignment like IPv4 DHCP). The RA includes M flag (Managed — use stateful DHCPv6) and O flag (Other info — use stateless DHCPv6 for DNS). No flags = pure SLAAC only. Running both SLAAC and DHCP together is valid and common.

🌐 WAN Technologies & Distance Vector Routing

Distance vector concept — routing table exchange every 30s · Counting to infinity problem step by step with routing tables · Split horizon · Route poisoning & poison reverse · Hold-down timer 180s · RIPv1 vs v2 classful/classless difference · Full RIP config with real show outputs · debug ip rip · HDLC vs PPP · PAP vs CHAP configuration

Distance Vector — Routing by Rumor

Distance vector routing protocols work like signs on a road. You only know the direction (vector) and how far away (distance) a destination is. Routers share their entire routing table with directly-connected neighbors at regular intervals. You only know what your neighbors tell you — like hearing news second or third hand.

Full RIPv2 Configuration with Real Output

Spade(config)#router rip

Spade(config-router)#version 2

Spade(config-router)#no auto-summary ← CRITICAL for VLSM!

Spade(config-router)#network 192.168.12.0

Spade(config-router)#network 172.16.1.0

Hearts(config)#router rip

Hearts(config-router)#version 2

Hearts(config-router)#no auto-summary

Hearts(config-router)#network 192.168.12.0

Hearts(config-router)#network 192.168.23.0

Spade#show ip route rip

R 192.168.23.0/24 [120/1] via 192.168.12.2, Fa1/0

R 172.16.2.0/24 [120/2] via 192.168.12.2, Fa1/0

! Decode: R 192.168.23.0/24 [120/1] via 192.168.12.2

R = Learned via RIP

120 = Administrative Distance for RIP

1 = metric (hop count — 1 hop away)

via... = next hop IP address

Hearts#debug ip rip

RIP: received v2 update from 192.168.12.1 on Fa0/0

172.16.1.0/24 via 0.0.0.0 in 1 hops

RIP: sending v2 update to 224.0.0.9 via Fa0/0

172.16.2.0/24 via 0.0.0.0, metric 2, tag 0

Counting to Infinity — Why Distance Vector Causes Routing Loops

This is the fundamental weakness of distance vector protocols. When a network goes down, routers may actually increase the hop count indefinitely until they hit the maximum (16 for RIP = unreachable). This causes a routing loop where packets bounce between routers until their TTL expires.

5 Loop Prevention Mechanisms

Mechanism	How It Works
Maximum hop count	RIP: metric 16 = unreachable. Caps the counting at 15 max hops. Limits damage but doesn't prevent the loop from forming.
Split Horizon	"Don't advertise a route back out the interface you learned it on." Hearts learned 3.3.3.0 from Clubs via fa1/0 — split horizon prevents Hearts from advertising it back out fa1/0. Like telling someone a joke they just told you.
Route Poisoning	When 3.3.3.0 goes down on Clubs, Clubs immediately sends a triggered update (doesn't wait 30s) with metric=16 (infinity). Faster convergence — neighbors know immediately, don't wait for timeout.
Poison Reverse	When Hearts receives the poison (metric=16), it immediately sends metric=16 back to Clubs. Overrides split horizon. Ensures Clubs knows Hearts agrees the route is dead — no stale helpful-but-wrong update possible.
Hold-down Timer (180 seconds)	After learning 3.3.3.0 is down, Hearts ignores any update claiming 3.3.3.0 is reachable with same or worse metric for 180 seconds. Prevents accepting stale "good news" from routers that haven't converged yet. Only a clearly BETTER metric from a new path stops the timer.

WAN Technologies — Serial Links, HDLC, PPP, and Modern WAN

💡 WAN connects geographically dispersed sites using a service provider's infrastructure. Unlike a LAN where you own all the cables, WAN uses leased lines, MPLS circuits, or the Internet. The encapsulation type on serial interfaces determines frame formatting.

Technology	Standard	Layer	Key Facts
HDLC	Cisco proprietary	L2	Default on Cisco serial interfaces. Cisco added a proprietary "type" field — incompatible with non-Cisco. No authentication. Both sides must be Cisco for HDLC to work.
PPP	IETF (RFC 1661)	L2	Multi-vendor compatible. Supports PAP/CHAP authentication, compression, multilink. Use when Cisco connects to non-Cisco.
PPPoE	Standard	L2+L2	PPP over Ethernet — used by DSL providers. Home router connects to ISP via PPPoE.
MPLS	Standard	L2.5	Provider WAN. Label-switched (not IP-routed). Fast, QoS support, private. Customer traffic isolated in VRFs. Provider-managed.
Frame Relay	Standard (legacy)	L2	Packet-switched legacy. PVCs identified by DLCI numbers. LMI keepalives. Mostly replaced by MPLS and internet VPNs.
Internet VPN	Various	L3+	Use internet as WAN transport. Cost-effective. GRE, IPSec, SSL VPN. No guaranteed SLA. Dominant in modern enterprise.

PAP vs CHAP Authentication

⚠️ Cisco's HDLC default is NOT compatible with non-Cisco devices because of the proprietary type field. When connecting to any non-Cisco device, change to PPP: encapsulation ppp

Feature	PAP	CHAP (preferred)
Password	Sent in plaintext!	MD5 hash — never sent
Handshake	2-way	3-way (challenge/response/ACK)
Re-authentication	One-time at startup	Periodic during session
Replay attacks	Vulnerable	Protected (random challenge)

Full PPP CHAP Configuration

! CHAP uses the router's HOSTNAME to authenticate

! Username on each side = hostname of the OTHER router

RouterA(config)#username RouterB password cisco

RouterA(config)#interface Serial0/0

RouterA(config-if)#encapsulation ppp

RouterA(config-if)#ppp authentication chap

RouterB(config)#username RouterA password cisco

RouterB(config)#interface Serial0/0

RouterB(config-if)#encapsulation ppp

RouterB(config-if)#ppp authentication chap

! Both sides MUST have the same password

! RouterA's hostname MUST match RouterB's username entry

! Verify:

show interfaces Serial0/0

Encapsulation PPP, LCP Open, multilink Open

debug ppp authentication ← watch CHAP handshake

🎯 Interview Q&A — WAN & Distance Vector

Q: Explain counting to infinity step by step and describe how each loop prevention mechanism individually helps.▶

Counting to infinity: Router Clubs has 3.3.3.0 directly connected. The interface goes down. Before Clubs can send a triggered update, it is Hearts' turn to send its regular 30-second update. Hearts advertises "I can reach 3.3.3.0 in 1 hop" (via Clubs). Clubs receives this and thinks "Hearts has an alternate path!" and updates to 2 hops via Hearts. Hearts then receives from Clubs "3.3.3.0 is 2 hops" and updates to 3 hops. They increment each other — Hearts says 3, Clubs says 4, Hearts says 5, indefinitely — this is a routing loop. IP packets bounce between Hearts and Clubs, TTL decrements at each hop, eventually all dropped. Split Horizon prevents this specific scenario: Hearts learned 3.3.3.0 FROM Clubs (via fa1/0). Split horizon prevents Hearts from advertising it BACK out fa1/0. If split horizon had been active, Hearts would never advertise 3.3.3.0 toward Clubs, so Clubs would never get the "alternative path" update. Route Poisoning: When Clubs detects 3.3.3.0 is down, it immediately sends a triggered update (not waiting 30s) advertising 3.3.3.0 with metric=16 (infinity). Hearts hears this fast, before its own 30s update fires. Poison Reverse: Hearts receives metric=16 from Clubs. Even though split horizon would normally prevent Hearts from advertising this back, Poison Reverse overrides split horizon: Hearts sends metric=16 back to Clubs, confirming "I also have no path to 3.3.3.0." Hold-down Timer: Both routers start a 180-second timer. During this time, any update claiming 3.3.3.0 is reachable at the same or worse metric is IGNORED. This prevents a third router (Spade) from accidentally advertising a stale route to 3.3.3.0 and causing partial reconvergence.

Q: Why does Cisco's default HDLC not interoperate with other vendors, and what do you change?▶

Standard HDLC (ISO 13239) has no field to identify the payload protocol. Cisco modified HDLC to add a proprietary 2-byte type field after the address field that identifies whether the payload is IP, IPX, or another protocol. A non-Cisco device (Juniper, Checkpoint, Linux) receiving a Cisco HDLC frame cannot parse this extra field and drops all frames. The serial interface comes up at Layer 1 (you see "Serial0/0 is up") but Layer 2 never opens ("line protocol is down"). Fix: change encapsulation to PPP on both sides using encapsulation ppp. PPP is defined in RFC 1661, implemented identically across all vendors. PPP also provides benefits HDLC lacks: authentication (CHAP or PAP), compression, multilink bundling, and LCP/NCP negotiation for protocol options. Verify success: show interfaces Serial0/0 should show "Encapsulation PPP, LCP Open" — LCP Open means Layer 2 PPP negotiation succeeded.

🔁 Advanced OSPF — LSA Types, Areas, Redistribution & OSPFv3

Complete OSPF reference — multi-area, LSAs 1-7, vendor configs, OSPFv3

OSPF Hello Packet — What's Inside & Why It Matters

The OSPF Hello packet is how routers find each other and maintain adjacencies. It is sent to the multicast address 224.0.0.5 (AllOSPFRouters) every Hello Interval (default 10s on broadcast links, 30s on NBMA). If a neighbor's Hello is not received for the Dead Interval (4× Hello = 40s), the neighbor is declared down and routes are recalculated.

Hello Field	Must Match?	Value/Purpose
Area ID	YES	Both routers must be in same area
Authentication	YES	Type + password must match exactly
Hello Interval	YES	Default 10s broadcast, 30s NBMA
Dead Interval	YES	Default 40s (4× hello)
Subnet mask	YES (broadcast)	Must match on same segment
Stub area flag	YES	Both must agree on stub area
Router ID	No (unique)	Identifies this router — must be unique!
DR / BDR	No	Current DR/BDR IPs on this segment
Neighbor list	No	IPs of routers this router has seen — used for 2-way check
Options (E bit)	No (but noted)	E=1: external routing capable (cleared in stub areas)

⚠️ Router ID Selection (automatic): ①Highest loopback IP, ②Highest interface IP (if no loopback). Problem: if a loopback comes up AFTER OSPF starts, the Router ID doesn't change — restarting OSPF process is needed. Best practice: always manually set: router-id 1.1.1.1

OSPF Network Types — Critical for Adjacency Formation

Network Type	DR/BDR?	Default on	Hello/Dead
Broadcast	YES	Ethernet	10/40s
Point-to-Point	NO	Serial (HDLC/PPP), GRE tunnels	10/40s
NBMA	YES	Frame Relay hub-spoke	30/120s
Point-to-Multipoint	NO	Frame Relay (manual)	30/120s
Loopback	NO	Loopback interface	Advertised as /32

⚠️ Classic production issue: Connecting two routers via an Ethernet link but the far side uses a GRE tunnel. Ethernet defaults to Broadcast network type (needs DR), but GRE defaults to Point-to-Point (no DR). They're on different network types → adjacency forms at 2-WAY but never reaches FULL. Fix: manually set matching network type: ip ospf network point-to-point on the Ethernet side.

! Key OSPF show commands

show ip ospf neighbor ← state + DR/BDR

show ip ospf interface brief ← type, cost, state

show ip ospf interface Gi0/0 ← detailed: timers, DR, cost

show ip ospf database ← LSDB summary

show ip ospf database router 1.1.1.1 ← specific LSA

debug ip ospf hello ← hello send/receive

debug ip ospf adj ← adjacency events

OSPF Cost Calculation — End-to-End Path Selection

OSPF COST FORMULA:

Cost = Reference Bandwidth / Interface Bandwidth

Default Reference BW = 100 Mbps

DEFAULT COSTS (problematic for modern networks!):

GigabitEthernet : 100M/1000M = 0.1 → rounded to 1

FastEthernet : 100M/100M = 1.0 → 1

GbE = FE = same cost! OSPF can't distinguish!

Ethernet (10M) : 100M/10M = 10

T1 (1.544M) : 100M/1.544M = 64

64 Kbps : 100M/0.064M = 1562

FIX: auto-cost reference-bandwidth 10000 (= 10G)

10GbE : 10000M/10000M = 1

1GbE : 10000M/1000M = 10

100Mbps: 10000M/100M = 100

10Mbps : 10000M/10M = 1000

MUST set on ALL OSPF routers or costs are inconsistent!

PATH COST EXAMPLE (corrected reference-bandwidth):

R1 --[GbE,cost 10]-- R2 --[GbE,cost 10]-- R3

R1 --[100M,cost 100]------------- R3

Total cost via R2: 10+10 = 20

Total cost direct: 100

→ OSPF prefers R1→R2→R3 (cost 20 < 100)

This is correct — GbE path is faster!

Without fix (all cost=1):

Both paths = cost 2. OSPF picks arbitrarily.

! Override per-interface cost

interface Gi0/0

ip ospf cost 50 ← manual override

Useful for traffic engineering

OSPF uses Dijkstra's SPF algorithm (Shortest Path First) on the LSDB. Every router runs SPF independently. The LSDB must be IDENTICAL on all routers in an area — if routers have different LSDBs, they compute different topologies → routing loops or black holes. show ip ospf database on two routers should show identical output.

🎯 Advanced CCNA OSPF Interview Q&A

Q: Two routers are connected and OSPF is configured but you see neighbors stuck at 2-WAY instead of FULL. Neither is the DR. What is the issue?▶

2-WAY is the NORMAL and expected state between two DROther routers on a broadcast segment. DROther routers only form FULL adjacency with the DR and BDR — NOT with each other. So if you have 5 routers on a segment and 3 are DROthers, those 3 will all show 2-WAY with each other, and FULL only with the DR and BDR. This is by design — it reduces the number of adjacencies from n(n-1)/2 to 2(n-2). If you expect FULL between two specific routers, verify: (a) Is one of them the DR or BDR? (b) Is the network type point-to-point? On a P2P link, there's no DR election and both sides go directly to FULL. (c) If these are the only two routers on the segment, one MUST be DR and one MUST be BDR — they should reach FULL. Check: show ip ospf neighbor — the state column will show 2WAY or FULL plus their role (DR/BDR/DROTHER). If two routers that should be DR/BDR are showing 2-WAY, check that the interface network type matches on both sides.

Q: What is OSPF summarization and where can you configure it? What are the risks?▶

OSPF summarization reduces LSA flooding by replacing multiple specific routes with a single summary route. Two points where it can be configured: ①ABR (Area Border Router) — inter-area summarization: area 1 range 10.1.0.0 255.255.0.0 under router ospf. This summarizes all routes from Area 1 into a single Type-3 LSA advertised into Area 0. ②ASBR — external route summarization: summary-address 10.0.0.0 255.0.0.0 under router ospf. Summarizes redistributed external routes. Risks: (a) Discontiguous subnets — if you summarize 10.1.0.0/16 but 10.1.50.0/24 doesn't actually exist behind the ABR, traffic for that subnet hits the summary, the ABR has no specific route, falls to default or drops → black hole. Fix: the ABR automatically installs a Null0 route for the summary to prevent this. (b) Suboptimal routing — a summary hides topology detail. A remote router may see one path to 10.1.0.0/16 but the optimal path to 10.1.50.0/24 might be different. (c) Slow convergence — if a component subnet fails, the summary stays up, and traffic keeps going to the ABR until the ABR notices the specific prefix is gone.

OSPF LSA Types — Complete Reference

Type	Name	Generated by	Scope	Areas
1	Router LSA	Every router	Intra-area	All
2	Network LSA	DR only	Intra-area	All
3	Network Summary	ABR	Inter-area	All except stub
4	ASBR Summary	ABR	Inter-area	All except stub
5	External LSA	ASBR	AS-wide	Not stub/NSSA
6	Multicast LSA	MOSPF router	Intra-area	—
7	NSSA External	ASBR in NSSA	NSSA only	NSSA; converted to Type5 at ABR

OSPF Area Types — LSA Flood Scope

Area Type	LSAs Allowed	Has ASBR?	Config
Backbone Area 0	1,2,3,4,5	✅ Yes	#area 0
Standard/Normal	1,2,3,4,5	✅ Yes	#area N
Stub Area	1,2,3	❌ No	#area N stub
Totally Stub (Cisco)	1,2	❌ No	#area N stub nosummary
NSSA	1,2,3,7	✅ Yes (LSA7)	#area N nssa
Totally NSSA	1,2,7	✅ Yes	#area N nssa no-summary

🔬 Multi-Area OSPF — EVE-NG Lab Topology

OSPF Configuration — Multi-Vendor

! Cisco IOS — Basic OSPF

R1(config)#router ospf 1

R1(config-router)#router-id 1.1.1.1

R1(config-router)#network 1.1.1.1 255.255.255.255 area 0

R1(config-router)#network 12.12.12.0 0.0.0.255 area 0

R1(config-router)#auto-cost reference-bandwidth 1000 ← FIX GbE cost!

! Area type configs

area 2 stub ← Stub area

area 2 stub no-summary ← Totally Stub (Cisco only)

area 3 nssa ← NSSA

area 3 nssa no-summary ← Totally NSSA

! Summarization at ABR

area 1 range 10.0.0.0 255.0.0.0 ← summarize area 1 routes

! Verification

show ip ospf neighbor

show ip ospf interface

show ip route ospf

show ip ospf database

show ip ospf database router ← Type 1 LSAs

show ip ospf database summary ← Type 3 LSAs

show ip ospf database external ← Type 5 LSAs

OSPFv3 vs OSPFv2 (IPv6) — Key Differences

Feature	OSPFv2	OSPFv3
IP Version	IPv4	IPv6 (RFC5340)
Adjacency Address	IPv4 address	IPv6 Link-Local (FE80::/10)
All OSPF Routers	224.0.0.5	FF02::5
All DR Routers	224.0.0.6	FF02::6
Header Size	24 bytes	16 bytes
Auth	MD5/clear text	IPv6 IPSec
Per-link support	Per-subnet	Per-link

🎯 CCIE Interview Questions — Advanced OSPF

Q: What is the difference between E1 and E2 external routes and when do you use each?▶

E2 (default): The metric is ONLY the external cost set at the ASBR — it does NOT accumulate internal OSPF cost as the route propagates through the domain. All routers see the same E2 metric. E1: Metric = external cost + internal OSPF cost to reach the ASBR. More accurate for path selection. Use E1 when you have multiple ASBRs redistributing the same external routes — E1 allows routers to pick the ASBR that's closest internally. With E2, all paths to the same external destination look identical (same external cost) and the tie-breaker becomes the cost to the ASBR, which may give suboptimal results. Production rule: E1 for multi-ASBR scenarios; E2 when only one ASBR.

Q: OSPF neighbor is stuck in EXSTART/EXCHANGE. How do you diagnose?▶

EXSTART/EXCHANGE is almost always an MTU mismatch. Diagnosis: show interfaces Gi0/0 on both sides → compare MTU values. Fix: ip ospf mtu-ignore (temporary) or align MTUs (permanent). EXSTART is where Master/Slave election happens based on Router ID. If MTU mismatch exists, the larger MTU side sends DBD packets that exceed the smaller MTU side's buffer → packets dropped → EXSTART stuck in loop. Debug: debug ip ospf adj → you'll see "Mismatched MTU" messages. Other EXSTART causes: duplicate Router IDs (rare), corrupted packets.

OSPF LSA Deep Dive — Type 1 through Type 7 with Real Examples

LSAs are the building blocks of the OSPF LSDB. Every router builds its own view of the network topology by collecting and analyzing LSAs. Understanding exactly which router generates which LSA type, and which area types restrict which LSAs, is a core CCIE topic.

LSA TYPE 1 — Router LSA:

• Generated by: EVERY router in the area

• Flooded within: the originating area only

• Contains: Router ID, all interface states, costs,

connected subnets, link types (p2p/broadcast/stub)

• Key: R flag = ABR, B flag = ASBR in Type 1

LSA TYPE 2 — Network LSA:

• Generated by: DR only (on multi-access segments)

• Flooded within: the area only

• Contains: All routers attached to the segment,

subnet mask. Represents the multi-access link.

• If no DR (P2P link): no Type 2 generated

LSA TYPE 3 — Network Summary LSA:

• Generated by: ABR for routes from one area to another

• Flooded: between areas (NOT the originating area)

• Contains: Destination network + cost to reach it

• Blocked by: Stub areas (no Type 3 except default)

LSA TYPE 4 — ASBR Summary LSA:

• Generated by: ABR when ASBR is in a different area

• Purpose: Tells routers in other areas HOW to reach

the ASBR (so they can reach external routes)

• Not needed if ASBR is in same area as the router

LSA TYPE 5 — External LSA:

• Generated by: ASBR for redistributed external routes

• Flooded: AS-wide (all OSPF areas)

• Contains: External network, metric (E1 or E2), fwd addr

• BLOCKED by: Stub areas, Totally Stub, NSSA

LSA TYPE 7 — NSSA External LSA:

• Generated by: ASBR inside an NSSA area

• Flooded within: NSSA area only

• At ABR: converted to Type 5 and flooded into backbone

• Why: allows external routes in area that blocks Type 5

AREA TYPE SUMMARY — What LSAs Are Allowed:

Backbone/Standard: 1,2,3,4,5 (all types)

Stub: 1,2,3 (no external: 4,5)

Totally Stub: 1,2 (no summary 3, no external)

→ ABR injects ONE Type 3 default route (0.0.0.0/0)

NSSA: 1,2,3,7 (has LSA7 instead of 5)

Totally NSSA: 1,2,7 (LSA7 only, default via ABR)

⚠️ Verify LSA database:
show ip ospf database router → Type 1
show ip ospf database network → Type 2
show ip ospf database summary → Type 3
show ip ospf database asbr-summary → Type 4
show ip ospf database external → Type 5
show ip ospf database nssa-external → Type 7

OSPF Authentication & Virtual Links

OSPF Authentication Types

Type	Security	Config
Type 0 — None	No auth (default)	Default
Type 1 — Clear text	Password in plain text — sniffable!	ip ospf authentication ip ospf authentication-key PASS
Type 2 — MD5	HMAC-MD5 hash — recommended	ip ospf authentication message-digest ip ospf message-digest-key 1 md5 KEY
SHA (IOS 15.4+)	HMAC-SHA256/SHA512 — best	ospf authentication ipsec spi ... or key-chain

⚠️ Common mistake: Auth configured on the AREA but not the interface — or vice versa. Interface auth overrides area auth. Always verify with show ip ospf interface detail | include auth. Mismatched auth = neighbor stays at Init state.

OSPF Virtual Links — Connecting a Discontiguous Area

OSPF Rule: ALL non-backbone areas MUST connect to Area 0 directly. Virtual links allow an area that doesn't physically touch Area 0 to connect through a transit area. They create a logical link through the transit area.

🎯 CCNP Advanced OSPF Interview Q&A

Q: You have an OSPF network where all routers have full adjacency, but some routers are missing certain routes from their routing table. The LSDB appears complete. What do you check?▶

Full adjacency + complete LSDB + missing routes = SPF calculation issue or route filtering. Check in order: ①Distribute-list filtering: show run | include distribute-list — a distribute-list can filter routes from being installed in the routing table even if they're in the LSDB. ②Summarization black hole: An ABR summary is covering a hole — traffic to a subnet covered by the summary but not actually existing hits the Null0 route at the ABR. Check show ip route | include Null. ③Route type preference: OSPF intra-area (O) > inter-area (O IA) > external (O E1) > (O E2). If a router has both an intra-area and inter-area path to the same destination, OSPF prefers intra-area even if the inter-area path is lower cost. ④Passive interface: If the interface toward the destination is passive (passive-interface Gi0/1), OSPF won't advertise it but it also won't send/receive Hellos → no adjacency. But check if the SUBNET is missing from the LSDB. ⑤network statement missing: The specific subnet isn't covered by any network statement under OSPF → not advertised. ⑥Area mismatch for redistribution: External routes (Type 5) don't enter stub areas — routers in stub areas only have a default route for external destinations.

Q: What is OSPF graceful restart (NSF/NSR) and why does it matter in production?▶

Graceful restart allows a router to survive a control-plane restart (OSPF process crash, RP failover, software upgrade) without losing its forwarding state or causing neighbors to reconverge. Without graceful restart: when the OSPF process restarts, all adjacencies drop → neighbors flood LSAs advertising the links are down → entire domain reconverges → traffic is blackholed or rerouted for 30–60 seconds. Cisco NSF (Non-Stop Forwarding): Works with hardware redundancy (dual supervisors). During RP switchover, the standby RP takes over control plane while the forwarding ASICs continue forwarding using cached CEF tables. OSPF neighbors are told the router is restarting via a "grace LSA" and they maintain the neighbor relationship for a grace period (typically 120s). NSR (Non-Stop Routing): More advanced — both RPs maintain synchronized OSPF state. Switchover is transparent to neighbors. They don't even know a switchover happened. Why it matters: In carrier/enterprise networks, any routing reconvergence causes packet loss. For 100G+ links with thousands of prefixes, even a 5-second reconvergence can drop millions of packets. NSF/NSR enables maintenance windows (software upgrades) without service interruption.

🌍 BGP — Complete Deep Dive

BGP Finite State Machine, path selection (13 steps), UPDATE packets & attributes

BGP Finite State Machine — 6 States

State	What's happening	Interview Line
1. Idle	BGP process starts, no TCP yet. Verifies neighbor IP reachable, AS configured.	"Idle = initialized, no TCP session"
2. Connect	Attempting TCP 3-way handshake to port 179. SYN sent.	"Connect = trying to establish TCP"
3. Active	TCP failed, retrying. Listens for incoming TCP from peer. NOT "working"!	"Active = retrying, NOT working"
4. OpenSent	TCP up. OPEN message sent with: version, AS#, Hold Time, BGP Router ID.	"OpenSent = TCP up, params exchanged"
5. OpenConfirm	Both OPENs received. KEEPALIVE sent/received to confirm agreement.	"OpenConfirm = both sides agreed"
6. Established	Session FULLY operational. UPDATE messages (routes) exchanged. KEEPALIVEs maintain session.	"Established = ONLY state with routes!"

BGP State → Troubleshooting Map

Stuck in State	Root Cause	Verify
Idle	No route to neighbor, BGP shut	ping neighbor-IP, show bgp neighbors
Active (long)	ACL blocking TCP 179, wrong IP, firewall	telnet neighbor-IP 179
OpenSent	Wrong remote-AS, auth failure, version mismatch	show running \| section bgp
OpenConfirm	Capability mismatch (address family)	debug ip bgp events
Established (no routes)	Policy filtering, next-hop unreachable	show ip bgp, show ip bgp summary

BGP Best Path Selection — All 13 Steps

Prerequisite: Next-Hop must be reachable via IGP. If not, route is discarded immediately.

#	Attribute	Prefer	Scope
0	Next-Hop Reachability	Must be reachable	Prerequisite
1	Weight (Cisco proprietary)	Highest	Local router only
2	Local Preference	Highest	Within AS (iBGP)
3	Locally Originated	Prefer local	network/redistribute
4	Shortest AIGP	Lowest	Multi-AS (optional)
5	Shortest AS-PATH	Shortest	Loop prevention
6	Origin (i > e > ?)	IGP > EGP > ?	How route entered BGP
7	Lowest MED	Lowest	Hint to neighbor AS
8	eBGP over iBGP	eBGP	Peer type
9	Lowest IGP metric to Next-Hop	Lowest	Internal cost
10	Oldest eBGP path (stability)	Oldest	Cisco stability mech
11	Lowest Router-ID	Lowest	Tiebreaker
12	Min Cluster-List Length	Shortest	Route Reflector only
13	Lowest Neighbor IP	Lowest	Final tiebreaker

💡 Memory trick: We Love Orangutans And More Exciting Interesting Reasoning

🔬 Transit BGP Turn-Up Process

In an interview context, they are testing whether you understand what information and coordination is required between two Autonomous Systems before turning up transit BGP. A solid answer focuses on information exchange, policy agreement, and validation — not just commands.

Phase	What You Coordinate	Why It Matters
1. BGP Info Exchange	ASN, peering IPs, eBGP single-hop vs multihop, address families (IPv4/v6)	Session can't form without matching config on both sides
2. Routing Policy	What prefixes you advertise, what they send (full table vs default), prefix limits, communities, Local Preference expectations	Prevents route leaks and asymmetric routing
3. Auth & Security	MD5 password, TTL security (GTSM), max-prefix limits + warning thresholds, RPKI validation	Interviewers like hearing you think about failure containment
4. Filtering & Validation	IRR route objects for your prefixes, which IRR databases they check, RPKI ROA validity enforcement	Shows operational maturity — real-world transit requirement
5. Operational Details	NOC contacts, maintenance windows, escalation procedures, expected turn-up steps	BGP is an operational relationship, not just a protocol
6. Testing & Turn-Up	Bring up in restricted state, verify prefix counts, AS paths, traffic symmetry, monitor for flaps/leaks	Only after validation is session production-ready

! Transit BGP Configuration

router bgp 65001

bgp router-id 1.1.1.1

neighbor 203.0.113.1 remote-as 65002

neighbor 203.0.113.1 description TRANSIT-ISP1

neighbor 203.0.113.1 password SECRETKEY

neighbor 203.0.113.1 ttl-security hops 1

neighbor 203.0.113.1 maximum-prefix 500 80

neighbor 203.0.113.1 prefix-list MY_PREFIXES out

neighbor 203.0.113.1 prefix-list TRANSIT_IN in

! What to advertise to transit (your prefixes only)

ip prefix-list MY_PREFIXES seq 10 permit 203.0.113.0/24

ip prefix-list MY_PREFIXES seq 999 deny 0.0.0.0/0 le 32

! Verification after turn-up

show ip bgp summary

show ip bgp neighbors 203.0.113.1 advertised-routes

show ip bgp neighbors 203.0.113.1 received-routes

💡 One-line interview summary: "When configuring transit BGP, I coordinate ASN and IP details, agree on routing and security policies, validate filtering requirements, exchange operational contacts, and perform controlled testing before full production turn-up."

🎯 CCIE Interview Questions — BGP

Q: BGP is in Active state for a long time. Walk through your troubleshooting steps.▶

Active state = TCP connection failing repeatedly. Steps: ①ping neighbor-IP — verify basic reachability. ②telnet neighbor-IP 179 — test if TCP 179 reaches the neighbor. ③show tcp brief | include neighbor-IP — check for half-open TCP connections. ④Check ACLs: show access-lists — look for denies on port 179. ⑤Check interface: show ip interface brief — confirm interface used for peering is up. ⑥Verify configuration: show running | section router bgp — correct remote-AS, correct neighbor IP, correct update-source if using loopback. ⑦If using loopback: verify ebgp-multihop is configured (TTL=1 by default drops multihop eBGP). "Active does NOT mean working — it means retrying."

Q: Explain BGP Weight vs Local Preference vs MED — scope and use case.▶

Weight (Cisco only, not advertised): Local to the router. Set per neighbor. Used to prefer one neighbor's routes over another on a SINGLE router. Higher=better. Local Preference: Shared within the AS via iBGP. Controls which exit point the ENTIRE AS uses to reach external destinations. Higher=better. Set on inbound eBGP routes. MED: Sent to eBGP neighbors to influence how traffic ENTERS your AS. The remote AS may or may not honor it. Lower=better. Only compared between paths from the same AS by default (bgp always-compare-med changes this). Analogy: Weight = personal preference (just you), Local Pref = company policy (whole AS), MED = suggestion to your ISP (may be ignored).

🔧 BGP Troubleshooting — Structured Methodology

Complete structured troubleshooting methodology — BGP and OSPF

BGP Troubleshooting — Step-by-Step

Step	Command	What to verify
1. Neighbor Status	show ip bgp summary	State = Established. Any other state = issue.
2. IP Connectivity	ping [neighbor-ip] traceroute [neighbor-ip]	Basic reachability to peer IP.
3. TCP Session	show tcp brief \| include [ip] telnet [ip] 179	TCP port 179 must be reachable.
4. BGP Config	show run \| section router bgp	Correct neighbor IP, remote-AS, update-source.
5. Interface Status	show ip interface brief show interfaces [int]	Interface up/up. Check error counters.
6. BGP Timers	show ip bgp neighbors [ip]	Hold time & keepalive must match both sides.
7. Authentication	show run \| include neighbor.*password	MD5 keys must match exactly (case-sensitive).
8. ACL/Firewall	show access-lists	No ACL blocking TCP 179.
9. Route Policies	show ip bgp neighbors [ip] route-map	No policy blocking session establishment.
10. Debug (last resort)	debug ip bgp [ip] events debug ip tcp transactions	Use only in production with caution — verbose!

🔬 BGP Troubleshooting EVE-NG Topology

After Session is Established — Routes Missing?

! Check what's being advertised/received

show ip bgp neighbors [ip] advertised-routes

show ip bgp neighbors [ip] received-routes

show ip bgp ← full BGP table

show ip bgp [prefix] ← specific prefix path

! Soft reset without tearing down session

clear ip bgp * soft ← request route-refresh

clear ip bgp [neighbor] soft in ← inbound only

! Hard reset — tears down session

clear ip bgp * ← use only when necessary!

🎯 Interview Questions — BGP Troubleshooting

Q: BGP neighbor is established but routes are not appearing. What do you check?▶

Established = session is up, but routes may be filtered or invalid. Checklist: ①show ip bgp summary → PfxRcd column shows 0 = neighbor not sending routes. ②show ip bgp neighbors [ip] received-routes → if empty, peer is not advertising. ③show ip bgp neighbors [ip] advertised-routes → check what WE are sending. ④Check route-maps: show ip bgp neighbors [ip] route-map. ⑤Check next-hop: if iBGP, next-hop may not be reachable — need next-hop-self. ⑥Check network commands — prefix must exist in routing table exactly. ⑦show ip bgp [prefix] → look for "not advertised to any peer" messages with reason. ROUTE-REFRESH: use clear ip bgp * soft after changing policy — avoids hard reset.

BGP Route Policy Troubleshooting — Routes Present but Not Advertised

The hardest BGP problems are not session failures — they're policy bugs. Session is up, routes are received, but something in your outbound policy is silently dropping them. This section covers the full diagnostic workflow.

SCENARIO: BGP session up, route 10.0.0.0/8 in

your table, but NOT reaching the neighbor.

Step 1: Check if route is being advertised

show ip bgp neighbors [IP] advertised-routes

→ If 10.0.0.0/8 not here: policy blocking it

Step 2: Check what BGP "thinks" about the route

show ip bgp 10.0.0.0/8

→ Look for: best path marker (*>)

→ "not advertised to any peer" message

→ Next-hop: 0.0.0.0 = locally originated

Step 3: Check outbound route-map

show ip bgp neighbors [IP] | include route-map

show route-map [NAME]

→ Is your prefix matching the permit clause?

Step 4: Check prefix-list if applied

show ip prefix-list [NAME]

→ Does 10.0.0.0/8 match a permit entry?

Step 5: Check if iBGP next-hop issue

show ip bgp 10.0.0.0/8 | include Next Hop

→ iBGP: next-hop not changed unless next-hop-self

→ If neighbor can't reach next-hop: route unusable!

Fix: neighbor [IP] next-hop-self

BGP Route Not Being Installed — Reasons

Symptom in BGP table	Meaning	Fix
r 10.0.0.0/8 via 1.2.3.4	r = RIB failure. Route was rejected by routing table (lower AD route exists)	Check AD conflict with another protocol for same prefix
* 10.0.0.0/8 (not >)	Valid but not best path selected	Check best path selection — weight, local-pref, AS-path, etc.
10.0.0.0/8 inaccessible	Next-hop IP not reachable via IGP	Add next-hop to IGP or use next-hop-self
No entry at all	Route not received OR filtered on inbound	Check neighbor received-routes; check inbound filter
h 10.0.0.0/8	h = history. Was valid, now withdrawn	Peer withdrew it — check peer's routing table
d 10.0.0.0/8	d = damped. Route flapped, currently suppressed	Route dampening active — wait for half-life or clear

BGP Soft Reset vs Hard Reset

! Soft reset — does NOT drop the session

clear ip bgp [ip] soft ← both directions

clear ip bgp [ip] soft in ← inbound only (re-apply in policy)

clear ip bgp [ip] soft out ← outbound (re-advertise to peer)

Uses ROUTE-REFRESH capability (RFC 2918)

Peer must support it (virtually all modern routers do)

! Hard reset — DROPS the TCP session and all routes

clear ip bgp [ip] ← hard reset one peer

clear ip bgp * ← hard reset ALL peers

Use hard reset only when soft reset fails or for complete

re-negotiation (capability change, auth key change)

BGP Route Reflector & Confederation — iBGP Scalability

iBGP has a full-mesh requirement: every iBGP router must peer with every other. For 100 routers: 100×99/2 = 4950 sessions. Route Reflectors solve this by allowing one router to re-advertise iBGP routes to other iBGP peers (which is normally not allowed).

Common BGP Misconfigurations & Fixes

Problem	Symptom	Root Cause & Fix
AS-path loop	Route received but not installed; BGP drops it	Own AS number appears in AS-path. Normal for loop prevention. If intentional (AS override): `neighbor X allowas-in`
Sync issue	iBGP route not installed (legacy IOS)	Old synchronization rule: iBGP route must also exist in IGP. Fix: `no synchronization` (default off now)
Missing network statement	Route not advertised to eBGP peer	`network 10.0.0.0 mask 255.0.0.0` — prefix must match routing table EXACTLY (including mask)
Max-prefix exceeded	Session drops with notification	Peer sent more prefixes than configured limit. Increase: `neighbor X maximum-prefix 1000`
Hold-timer expire	Session drops every 90s	Keepalives not reaching peer (congestion, CPU). Default hold 90s, keepalive 30s. Both sides must agree.

BGP Attributes Summary — What You Can Manipulate

Attribute	Type	To influence	Higher or lower?
Weight	Cisco local	Outbound path from this router	Higher wins
Local-Pref	Well-known discretionary	Exit point for your entire AS	Higher wins
AS-Path prepend	Well-known mandatory	Make path look longer → less preferred	Shorter wins
MED	Optional non-transitive	Influence how traffic ENTERS your AS	Lower wins
Community	Optional transitive	Tag routes for policy — no routing impact alone	Depends on peer policy

🎯 Advanced BGP Troubleshooting Q&A

Q: You're advertising a /24 to an eBGP peer but they're receiving a /23 instead. You have no summarization configured. Why might this happen?▶

Several causes for unexpected summarization: ①Auto-summary: On older IOS or if auto-summary is enabled under BGP (legacy feature, disabled by default since IOS 12.3), BGP summarizes classful boundaries. A 10.1.1.0/24 might be summarized to 10.0.0.0/8. Fix: no auto-summary. ②Aggregate-address command: Check for aggregate-address statements: show run | include aggregate. If aggregate-address 10.1.0.0 255.255.254.0 exists, it generates a /23 summary AND may suppress the specific /24 (depends on summary-only keyword). ③BGP network statement: The network statement with the wrong mask — network 10.1.0.0 mask 255.255.254.0 directly advertises a /23. ④Peer is doing summarization: Your peer's router is summarizing on their end before you see it — their ISP may have aggregate-address. ⑤Route received from another peer: Another upstream is advertising the /23 and your peer prefers that over your /24. BGP prefers longer prefix (more specific), so your /24 should win — unless the /23 is also being advertised and something is filtering your /24. Verify with show ip bgp [peer-ip] advertised-routes to confirm exactly what you're sending.

🏷️ MPLS — Multiprotocol Label Switching

MPLS Label Stack

Role	Device	Action
Ingress	LER	PUSH label onto IP packet
Transit	LSR	SWAP incoming label with new label
Egress	LER	POP label, forward as IP
PHP	Penultimate hop	POP early to reduce egress work

MPLS Label Format (32 bits)

MPLS L3VPN — Terms

Term	Meaning
CE	Customer Edge — customer router at PE
PE	Provider Edge — imports routes into VRF, two-label stack
P	Provider core — label swap only, no VRF
VRF	Virtual Routing/Forwarding — per-customer routing table
RD	Route Distinguisher — makes VPN prefixes unique in MP-BGP
RT	Route Target — controls import/export between VRFs

🎯 MPLS Interview Questions

Q: What is Penultimate Hop Popping and why is it done?▶

PHP is where the second-to-last LSR pops the outer MPLS label before forwarding to the egress LER. This saves the egress PE from doing two lookups (MPLS + IP/VPN) — it only needs the IP/VPN lookup. The penultimate router signals PHP by advertising label 3 (implicit null). Without PHP: egress PE receives labeled packet → MPLS lookup → IP lookup → forward (two lookups). With PHP: penultimate LSR pops label → egress PE receives unlabeled IP packet → one lookup → forward. Critical for high-throughput PE routers.

MPLS — Label Distribution Protocol & L3VPN Deep Dive

How MPLS Forwarding Works — Step by Step

PACKET JOURNEY: CE-A → PE1 → P1 → P2 → PE2 → CE-B

CE-A sends plain IP packet to PE1:

Src: 10.1.1.10 Dst: 10.2.2.10 TTL: 64

PE1 (Ingress LER) — PUSH TWO labels:

Outer label: 300 (transport/LDP label to PE2)

Inner label: 24 (VPN/service label for VRF)

Stack: [300 | 24 | IP Header | Data]

P1 (Transit LSR) — SWAP outer label:

300 → 400 (LDP next-hop label swap)

Stack: [400 | 24 | IP Header | Data]

P2 (Penultimate hop) — POP outer label (PHP):

Removes transport label 400

Stack: [24 | IP Header | Data]

PE2 (Egress LER) — POP VPN label, lookup VRF:

Inner label 24 → VRF CUSTOMER_A

Forward plain IP packet to CE-B

LDP — Label Distribution Protocol

LDP automatically distributes labels for all prefixes in the routing table. Two MPLS routers form an LDP session (TCP port 646) and exchange label-to-prefix bindings. Every prefix gets a locally significant label — the LFIB (Label Forwarding Information Base) maps incoming labels to outgoing labels.

LDP Step	Process
Discovery	Multicast Hello on 224.0.0.2 UDP 646 — finds LDP neighbors on links
Session	TCP 646 session established, LDP-ID exchanged
Label binding	Each router assigns local label per FIB prefix, advertises to all LDP peers
LFIB building	Incoming label + outgoing label + next-hop installed in hardware LFIB

MPLS Command	Shows
show mpls forwarding-table	LFIB — local label, outgoing label, next-hop, interface
show mpls ldp neighbor	LDP peers, session state, local/remote LDP-ID
show mpls ldp bindings	Label bindings for all prefixes
show ip vrf	All VRFs, associated interfaces, RD
show ip route vrf CUST_A	Routing table for specific VRF
ping vrf CUST_A 10.2.2.10	Test connectivity within a VRF

MPLS L3VPN — VRF Configuration (PE Router)

! Step 1: Create VRF on PE router

ip vrf CUSTOMER_A

rd 65001:100

route-target export 65001:100

route-target import 65001:100

! Step 2: Assign CE-facing interface to VRF

interface GigabitEthernet0/1

ip vrf forwarding CUSTOMER_A

ip address 10.1.1.1 255.255.255.0

! Step 3: BGP with MP-BGP VPNv4 address family

router bgp 65001

address-family vpnv4

neighbor 2.2.2.2 activate

neighbor 2.2.2.2 send-community extended

RD vs RT — The Key Difference:
RD (Route Distinguisher): Makes routes globally unique in the BGP table. Two customers can both use 10.0.0.0/8 — RD makes them distinct: 65001:100:10.0.0.0/8 vs 65001:200:10.0.0.0/8. It's just a prefix tag — it has no import/export policy meaning.

RT (Route Target): Controls WHICH VRFs import which routes. If Customer A's VRF exports with RT 65001:100, any PE VRF with route-target import 65001:100 will import those routes. This is how extranet VPNs (shared services) work — a shared services VRF exports with a RT that many customer VRFs import.

Reserved Labels	Value	Used For
Implicit Null	3	PHP signal — penultimate router pops outer label
Explicit Null	0	Keep label stack but with null value (preserve EXP bits for QoS)
Router Alert	1	Punt to route processor (RSVP, OAM)
OAM Alert	14	MPLS OAM functions

🎯 MPLS Interview Q&A

Q: Two MPLS L3VPN customers both use 10.0.0.0/8 internally. How does the PE router tell their routes apart?▶

The Route Distinguisher (RD) makes them globally unique. Customer A's 10.0.0.0/8 becomes VPN prefix 65001:100:10.0.0.0/8 and Customer B's becomes 65001:200:10.0.0.0/8. These are completely separate entries in the MP-BGP VPNv4 table. The PE router stores both, and the Route Target (RT) controls which prefixes get imported into which VRF: when PE2 receives both prefixes via BGP, it looks at the RT extended community. Customer A's VRF has route-target import 65001:100 — it imports only the :100 prefixed route. Customer B's VRF imports :200. Both customers' 10.0.0.0/8 routes exist on the same PE router but in completely separate VRF routing tables, with separate forwarding tables and separate CEF tables per VRF. They can never reach each other unless explicitly configured with extranet VPN (cross-importing each other's RTs).

📊 QoS — Quality of Service

DSCP Markings — IP Header Bits

DSCP	PHB	Use Case	Queue
EF (46)	Expedited Fwd	VoIP RTP	Priority queue (LLQ)
CS7 (56)	Net Control	Routing protocols	High priority
AF41 (34)	Assured Fwd 4-1	Video conferencing	Bandwidth guarantee
AF31 (26)	Assured Fwd 3-1	Call signaling	Bandwidth guarantee
BE (0)	Best Effort	Default / internet	FIFO, lowest priority

Policing vs Shaping vs Queuing

Tool	Excess action	Adds delay?	Direction
Policing	Drop or re-mark	❌	Ingress or Egress
Shaping	Buffer & delay	✅	Egress only
CBWFQ	Guaranteed BW per class	Minimal	Egress
LLQ	Strict priority + CBWFQ	Minimal	Egress (VoIP)

QoS — End-to-End Quality of Service Architecture

QoS Tools — Classification, Marking, Queuing, Policing, Shaping

Tool	Where in pipeline	What it does
Classification	Entry point	Identify traffic type (ACL, NBAR, DSCP, CoS)
Marking	Entry point	Set DSCP bits in IP header for downstream handling
Policing	Ingress or Egress	Enforce rate limit — exceed = drop or re-mark
Shaping	Egress only	Buffer excess — smooth traffic to conform to rate
Queuing (CBWFQ/LLQ)	Egress	Schedule which queue transmits during congestion
Congestion avoidance (WRED)	Queue	Drop packets early before queue fills — avoid TCP sync

DSCP → PHB Mapping

DSCP Value	PHB	Traffic Type	Drop Behavior
EF (46)	Expedited Forwarding	VoIP RTP media	Priority queue — never dropped if within rate
CS6 (48)	Network Control	OSPF, BGP, routing	High — protect routing protocol traffic
CS5 (40)	—	Signaling (SIP, H.323)	Medium-high
AF41 (34)	Assured Fwd 4-1	Video conferencing	Low drop probability in class 4
AF42 (36)	Assured Fwd 4-2	Video streaming	Medium drop probability
AF43 (38)	Assured Fwd 4-3	Video burst	High drop probability
AF31 (26)	Assured Fwd 3-1	Call signaling	Low drop in class 3
AF21 (18)	Assured Fwd 2-1	Business critical data	Low drop in class 2
CS1 (8)	Scavenger	Bulk/P2P	Drop first during congestion
BE / CS0 (0)	Best Effort	Default internet	FIFO, no guarantee

MQC — Modular QoS CLI (Cisco Standard)

! Step 1: Classify traffic (class-map)

class-map match-any VOIP_TRAFFIC

match dscp ef ← already marked EF

match protocol rtp ← NBAR RTP detection

class-map match-any VIDEO

match dscp af41 af42

! Step 2: Define policy (policy-map)

policy-map WAN_POLICY

class VOIP_TRAFFIC

priority 512 ← LLQ: 512 kbps strict

class VIDEO

bandwidth percent 30 ← CBWFQ: 30% guaranteed

queue-limit 64 ← max queue depth

class class-default

fair-queue ← WFQ for remainder

! Step 3: Apply (service-policy)

interface Serial0/0

service-policy output WAN_POLICY

! Verify

show policy-map interface Serial0/0

show policy-map interface Serial0/0 output class VOIP

⚠️ LLQ (Low Latency Queuing): The priority command creates a strict priority queue — VOIP traffic is ALWAYS dequeued first, regardless of other class demands. Risk: if VoIP exceeds its configured rate, excess is dropped (policed). Too much priority traffic can starve other classes. Always set a bandwidth cap on the priority class.

Policing vs Shaping — Deep Comparison

Feature	Policing	Shaping
Excess action	Drop or re-mark immediately	Buffer (delay) excess packets in queue
Adds delay?	No — drop is instant	Yes — queuing delay increases
Direction	Ingress OR Egress	Egress ONLY
Traffic profile	Hard limit — exceed = action	Smooth bursty traffic to average rate
TCP behavior	Drops cause TCP retransmits → oscillation	Buffers → TCP window reduces gracefully
Use case	ISP rate enforcement, DDoS mitigation	WAN link rate matching (DSL, Frame Relay CIR)
Cisco keyword	police rate / police percent	shape average / shape peak

🎯 QoS Interview Q&A

Q: Your VoIP calls are choppy and experiencing jitter. You have QoS configured. Walk through your troubleshooting process.▶

VoIP quality issues: ①Is traffic being classified correctly? show policy-map interface [int] output class VOIP — check if the VoIP class has packet hits. If 0 hits, traffic isn't matching the class-map. Verify DSCP markings: show interfaces [int] | include DSCP or use Wireshark to check EF bit. ②Is priority queue being policed/dropped? Same show policy-map output — look for "drops" in the priority class. If VoIP exceeds its configured priority rate, excess is dropped. Either increase the priority bandwidth or find what's generating excess VoIP traffic. ③Check interface for congestion: show interfaces [int] — check output queue drops (not just errors). High output drops mean the interface is congested even WITH QoS. ④Path MTU / fragmentation: Large packets ahead of VoIP packets in the queue cause serialization delay. On slow WAN links, enable LFI (Link Fragmentation and Interleaving) — fragments large packets so VoIP can interleave. ⑤Jitter buffer at endpoint: Some jitter is at the phone/codec, not network. Check endpoint statistics. ⑥DSCP remarking midpath: Some ISPs zero out DSCP bits. Verify EF markings are preserved end-to-end with Wireshark captures at multiple points.

🛡️ IPSec VPN

Tunnel Mode vs Transport Mode

Mode	New IP Hdr?	Protects	Used for
Tunnel	✅ Added	Entire original packet	Site-to-site VPN
Transport	❌ Original kept	IP payload only	Host-to-host

IKE Phase 1 & 2

Phase	Result	Negotiates
IKE Phase 1	ISAKMP SA (bidir)	Encryption, Hash, DH group, Auth, Lifetime
IKE Phase 2	IPSec SA (unidir×2)	ESP/AH, encryption, PFS, traffic selectors

IPSec VPN — IKE Phases, ESP vs AH, Site-to-Site Config

IKE Phase 1 — Building the Management Tunnel

IKE Phase 1 creates a secure, authenticated channel (ISAKMP SA) used to negotiate IPSec parameters. It uses UDP port 500 (or 4500 for NAT traversal). Two modes: Main Mode (6 messages, identity protected) or Aggressive Mode (3 messages, faster but identity exposed).

IKE Phase 1 Parameter	Options (must match both sides)
Encryption	AES-128, AES-256, 3DES (deprecated), DES (never use)
Hash (Integrity)	SHA-256, SHA-384, SHA-512, MD5 (deprecated)
Authentication	Pre-shared key (PSK), RSA signature (certificates), ECDSA
DH Group	Group 14 (2048-bit), Group 19/20 (ECDH 256/384-bit). Groups 1,2,5 = insecure
Lifetime	Default 86400s (24hrs). SA re-keyed before expiry.

IKE Phase 2 — IPSec SA (The Actual Data Tunnel)

Phase 2 Parameter	Options	Notes
Protocol	ESP (50) or AH (51)	Use ESP — AH can't traverse NAT
Encryption	AES-256-GCM, AES-256-CBC	GCM provides auth+encrypt in one pass
Integrity	SHA-256 HMAC, SHA-512	Not needed if using GCM (built-in)
PFS	Enabled (any DH group) or Disabled	Perfect Forward Secrecy — new DH each Phase 2
Lifetime	3600s (default), or bytes-based	SA re-keyed before expiry

ESP vs AH — What's Protected

! Site-to-site IPSec troubleshooting

show crypto isakmp sa ← Phase 1 SAs (should be QM_IDLE)

show crypto ipsec sa ← Phase 2 SAs + packet counters

show crypto isakmp peers ← IKE peers

debug crypto isakmp ← Phase 1 negotiation

debug crypto ipsec ← Phase 2 negotiation

! If Phase 1 fails: check PSK, encryption/hash mismatch

! If Phase 2 fails: check crypto ACL mismatch (must mirror)

🎯 IPSec Interview Q&A

Q: IPSec tunnel comes up (Phase 1 QM_IDLE) but no traffic passes. What do you check?▶

Phase 1 up but no traffic = Phase 2 not establishing or traffic not matching. ①show crypto ipsec sa — check if Phase 2 SAs exist. If not, Phase 2 failed. ②Crypto ACL mismatch (most common): The "interesting traffic" ACL must be a MIRROR on both sides. Site A: permit ip 10.1.0.0/24 10.2.0.0/24. Site B must have: permit ip 10.2.0.0/24 10.1.0.0/24. If they don't match exactly, Phase 2 negotiations fail (proxy ID mismatch). ③Phase 2 parameter mismatch: Encryption/hash/PFS settings must match. Check with debug crypto ipsec for "no matching transforms" errors. ④If Phase 2 SAs exist but packets = 0: Traffic isn't matching the crypto ACL. Verify routing — the packets must hit the interface where the crypto map is applied. ⑤NAT conflict: If NAT is also configured, NAT happens before crypto ACL evaluation on outbound. Traffic gets NATted and no longer matches the crypto ACL (10.1.0.0 becomes public IP). Fix: ip nat inside source list ... route-map ... no-nat to exclude VPN traffic from NAT. ⑥show crypto ipsec sa → look at "pkts encrypt" and "pkts decrypt" counters — if encrypting but not decrypting, the remote end may be dropping or not decrypting properly.

⚙️ SD-WAN & SDN

Traditional vs SDN Architecture

Aspect	Traditional	SDN
Control Plane	Distributed (each device)	Centralized (controller)
Config	Per-device CLI	Centralized API/GUI
Protocol	OSPF, BGP, EIGRP	OpenFlow, NETCONF/YANG

Cisco SD-WAN Components

Component	Role
vManage	Management plane — GUI, policy, monitoring
vSmart	Control plane — distributes OMP routes to vEdges
vBond	Orchestrator — initial auth, NAT traversal
vEdge	Data plane — forwards traffic, enforces policy

Cisco SD-WAN (Viptela) — Architecture Deep Dive

Cisco SD-WAN separates the control plane (vSmart), management plane (vManage), and orchestration (vBond) from the data plane (vEdge/cEdge). This allows centralized policy with distributed forwarding — the core SDN principle applied to WAN.

SD-WAN Components — Deep Dive

Component	Plane	What It Does in Detail
vManage	Management	Single-pane-of-glass GUI. Pushes configs via NETCONF/RESTCONF. Stores templates (device + feature templates). Generates certificates. Real-time monitoring, alerts, dashboards. REST API for automation.
vSmart	Control	Runs OMP (Overlay Management Protocol) — SD-WAN's BGP equivalent. Distributes routes, policy, and security info to all vEdges. Centralized route reflector for the overlay. Two vSmarts for HA.
vBond	Orchestration	First point of contact for newly deployed vEdges. Authenticates devices using certificates. Facilitates NAT traversal so vEdges behind NAT can reach vSmart. Acts as STUN server for NAT detection.
vEdge/cEdge	Data	Physical or virtual router at branch/DC/cloud. Builds IPSec tunnels to other vEdges. Implements QoS, application-aware routing, policy enforcement. cEdge = Cisco IOS-XE router running SD-WAN software.

OMP — Overlay Management Protocol

OMP carries three types of routes:

OMP routes: vEdge LAN-side prefixes (like BGP NLRI)

TLOCs: Transport Locators — public IP + color + encap

Service routes: VPN/service chaining info

TLOC = the physical WAN interface identifier:

System-IP: 1.1.1.1

Color: mpls (or biz-internet, lte, public-internet)

Encapsulation: IPSec or GRE

vEdge uses TLOC to build direct IPSec tunnels

to other vEdges — vSmart is NOT in data path

Application-Aware Routing & Policies — SD-WAN's Key Feature

Traditional WAN: all traffic uses the same link regardless of type. SD-WAN application-aware routing measures link quality (loss, latency, jitter) in real-time and steers each application to the best available transport.

App / Traffic Type	Preferred Transport	Metric Threshold
VoIP (RTP)	MPLS (low latency)	Jitter <30ms, Loss <1%
Video conf (Webex)	MPLS or broadband	Latency <150ms
SaaS (Microsoft 365)	Direct Internet (DIA)	Optimal path to Microsoft cloud
Backup/bulk transfer	LTE / cheaper link	No real-time requirement
Guest WiFi	Internet only, isolated	Segmented from corp

SD-WAN vs Traditional WAN vs MPLS

Feature	MPLS	SD-WAN
Transport	Private MPLS circuits	Any: MPLS + broadband + LTE + cloud
Config	Per-device CLI, manual	Centralized templates, zero-touch
Visibility	Limited, per-device	Application-level, real-time
Failover	Minutes (BGP reconverge)	Seconds (SLA-based steering)
Cost	High (private circuits)	Lower (commodity internet)
Security	Layer 2/3 isolation	IPSec everywhere + segmentation policies
Cloud access	Via datacenter backhauling	Direct Internet Access per branch

! SD-WAN troubleshooting commands (vEdge)

show sdwan omp peers ← OMP sessions to vSmart

show sdwan omp routes ← overlay routes from vSmart

show sdwan bfd sessions ← IPSec tunnel health (BFD)

show sdwan app-route statistics ← SLA metrics per TLOC

show sdwan policy access-list-log ← policy hit counters

show sdwan control connections ← vSmart/vManage/vBond status

SDN — Software Defined Networking Fundamentals

Plane	Traditional	SDN
Control Plane	Distributed — OSPF/BGP runs on every device	Centralized SDN Controller (ONOS, OpenDaylight, Cisco APIC)
Data Plane	Hardware ASIC forwarding (CEF, LFIB)	Programmable via OpenFlow or P4 instructions from controller
Management Plane	Per-device CLI, SNMP, syslog	Centralized REST API, NETCONF/YANG, streaming telemetry

OpenFlow: Protocol between SDN controller and switch. Controller pushes flow entries (match-action rules) to switch hardware. Switch forwards packets based on those rules — no local routing decision. Used in data center fabrics, Google B4 WAN.

NETCONF / YANG — Modern Network Automation

Technology	Purpose	vs. Old Way
NETCONF	Protocol for device config/state (RFC 6241). Uses SSH transport, XML encoding	Replaces CLI/SNMP for config. Transactional — commit or rollback.
YANG	Data modeling language — defines structure of config data	Like a schema for network config. "What fields can a BGP neighbor have?"
RESTCONF	HTTP/JSON version of NETCONF (RFC 8040)	Same as NETCONF but REST API — easier for developers
gNMI/gRPC	Google's high-speed streaming telemetry + config	Replaces SNMP polling — push-based real-time stats
Ansible/Python	Automation layer using above protocols	Replace manual CLI — deploy configs to 1000 devices in seconds

🎯 SD-WAN & SDN Interview Q&A

Q: A branch vEdge router can't connect to the internet even though its SD-WAN control connections to vBond and vSmart are up. What do you check?▶

Control connections up but no internet = data plane problem, not control plane. ①show sdwan bfd sessions — BFD (Bidirectional Forwarding Detection) monitors the IPSec tunnels to all remote vEdges. If BFD sessions are down, tunnel is down. Check for: link flapping, high packet loss, firewall blocking UDP 12346 (DTLS) or 4500 (IKE/IPSec NAT-T). ②show sdwan app-route statistics — shows measured latency/loss/jitter per transport. If SLA thresholds are exceeded, traffic is steered away from that transport. If ALL transports are bad, traffic may have nowhere to go. ③Data policy: Check if a centralized data policy is blocking traffic. show sdwan policy access-list-log for drops. ④Service VPN routing: The vEdge has separate VPNs (VPN 0 = transport/management, VPN 1+ = service/user traffic). Check if a default route exists in the service VPN: show ip route vrf 1. If no default route, user traffic has nowhere to go. ⑤DIA (Direct Internet Access): If this branch uses DIA, the internet-facing interface must have the right route. NAT must be configured for the DIA interface: check show sdwan interface for NAT status. ⑥DNS: Even if routing works, if DNS is broken, users see "no internet" — test with ping 8.8.8.8 vs ping google.com to distinguish DNS from routing failure.

Q: What is the difference between NETCONF, RESTCONF, gNMI, and traditional SNMP? When would you use each?▶

SNMP (traditional): Polling-based — NMS sends GET requests, device responds. SNMP traps for alerts. Limited to pre-defined MIB variables. Unreliable (UDP), difficult to program against, limited granularity. Use only for legacy monitoring where modern alternatives aren't available. NETCONF (RFC 6241): Configuration management protocol over SSH with XML data. Supports YANG data models, transactional commits (all-or-nothing), rollback on error, candidate configuration datastores. Use for programmatic device configuration — Ansible playbooks, Python scripts, CI/CD pipelines. RESTCONF (RFC 8040): HTTP/JSON-based NETCONF — same data models (YANG) but accessible via standard REST API calls (GET/POST/PUT/DELETE). Use when you prefer JSON over XML or are integrating with web-based automation tools. gNMI/gRPC: Google's modern approach — uses Protocol Buffers (binary, faster than XML/JSON), supports streaming telemetry (subscribe and get pushed real-time stats vs poll every 5 minutes). Use for high-frequency monitoring (per-second interface counters, BGP route change events) where SNMP polling latency is unacceptable. Cisco, Juniper, Arista all support gNMI. At Akamai scale: gNMI streaming telemetry to Kafka → real-time dashboards without polling.

🔬 Network Troubleshooting Methodology

Essential Cisco Show Commands

show ip interface brief

→ Interface status + IP — FIRST command always

show ip route [prefix]

→ Routing table — verify routing decisions

show ip ospf neighbor

→ Neighbor state — FULL = working

show ip bgp summary

→ BGP peers state + prefix counts

show interfaces [name]

→ Input/output errors, CRC, resets, duplex

show ip arp

→ ARP table — verify L2 reachability

show mac address-table

→ Switch MAC table — L2 forwarding

show processes cpu sorted

→ High CPU → debug still on? CEF disabled?

Common Failures Quick Reference

Symptom	Likely Cause	First Check
OSPF stuck Init	Hello not received back (firewall blocking 224.0.0.5)	show ip ospf interface
OSPF stuck ExStart	MTU mismatch	show interfaces — compare MTU
BGP neighbor Active	ACL blocking TCP 179	telnet neighbor-IP 179
Route missing from table	AD conflict / distribute-list filter	show ip route — check code
Intermittent packet loss	Duplex mismatch — half duplex collisions	show interfaces — check runts/collisions
VLAN not working	Not in trunk allowed list	show interfaces trunk
High CPU on router	CEF off / debug left on	show processes cpu sorted

⚡ EIGRP & DUAL — Diffusing Update Algorithm

DUAL convergence · Feasibility Condition · Stuck-in-Active · Named mode · UCMP with variance · Stub routing · OTP

EIGRP Composite Metric — The Full Formula

CLASSIC METRIC (K-values K1-K5):

Metric = [K1×BW + (K2×BW)/(256-Load) + K3×Delay] × [K5/(Reliability+K4)]

Default: K1=1, K2=0, K3=1, K4=0, K5=0

SIMPLIFIED (default K-values):

Metric = (10^7 / BW_kbps) + Sum_of_delays_in_10us_units

BW = minimum bandwidth on path (kbps)

Delay = cumulative delay on ALL interfaces on path (×10 usec)

EXAMPLE (R1→R2, GbE 1ns delay):

BW = 10^7 / 1000000 kbps = 10

Delay = 10 (GbE default 10usec × 1 hop) = 10

Metric = (10 + 10) × 256 = 5120

WIDE METRIC (EIGRP named mode):

Metric = Throughput + Latency (64-bit, supports 100GbE+)

Classic metric maxes at 1GbE (all higher = same metric)

Wide metric: 10^13 / throughput_bps + latency_in_picoseconds

Interface	BW (kbps)	Delay (usec)	Classic Metric contribution
Serial T1	1544	20000 (20ms)	BW=6476, Delay=2000
FastEthernet	100000	100	BW=100, Delay=10
GigabitEthernet	1000000	10	BW=10, Delay=1 (SAME AS 10GbE!)
10GigabitEthernet	10000000	10	BW=1 (rounded), Delay=1 (SAME!)

⚠️ CCIE trap: EIGRP classic metric cannot distinguish GbE from 10GbE. This causes EQUAL-COST paths where UCMP would be more appropriate. Fix: use EIGRP Named Mode with Wide Metrics.

DUAL Algorithm — Feasibility Condition & Loop Prevention

DUAL (Diffusing Update Algorithm) guarantees loop-free convergence. The key insight: a neighbor's path is loop-free IF its distance to the destination is LESS than your current best distance.

TERMINOLOGY:

FD (Feasible Distance) = best metric from THIS router to destination

RD (Reported Distance) = neighbor's metric to destination (what they report)

Successor = current best path (lowest FD)

Feasible Successor (FS) = backup path meeting Feasibility Condition

FEASIBILITY CONDITION:

RD_of_neighbor < FD_of_current_successor

If this is true → neighbor cannot have a loop through us

because their path is SHORTER than our current best

EXAMPLE TOPOLOGY:

R1 → Dest: FD=30 (via R2)

R3 → Dest: RD=20 (R3 reports metric 20)

FC: 20 < 30 ✓ → R3 is a Feasible Successor!

R4 → Dest: RD=35 (R4 reports metric 35)

FC: 35 < 30 ✗ → R4 is NOT a FS (could create loop)

CONVERGENCE WITH FS:

Successor fails → instantly promote FS → NO query needed

No FS → go Active, send Query to all neighbors

Stuck-in-Active: neighbor doesn't reply to Query in 3 min → reset adjacency

EIGRP Named Mode + UCMP with Variance

! EIGRP Named Mode (modern, preferred)

router eigrp MYNET

address-family ipv4 unicast autonomous-system 1

af-interface GigabitEthernet0/0

summary-address 10.0.0.0/8 ← per-interface summary

authentication mode md5

topology base

variance 2 ← UCMP!

maximum-paths 4

VARIANCE AND UCMP (Unequal-Cost Multi-Path):

variance N: routes with FD ≤ N × best_FD are installed

Path 1: FD=100 (Successor)

Path 2: FD=180 (FS)

Path 3: FD=210 (FS)

variance 2: install paths with FD ≤ 200

→ Path 1 + Path 2 installed (210 > 200, Path 3 excluded)

Traffic split proportionally: Path1 gets 180/280, Path2 gets 100/280

STUB ROUTING (hub-spoke):

eigrp stub connected summary ← advertise connected+summary only

Hub never queries stub routers (no Query propagation)

Prevents Stuck-in-Active in large hub-spoke networks

🎯 EIGRP CCIE Interview Q&A

Q: EIGRP neighbor is Stuck-in-Active. What exactly is happening and how do you resolve it?▶

Stuck-in-Active (SIA) occurs when a router loses its Successor, has no Feasible Successor, and sends a Query to neighbors. If a neighbor doesn't reply within the Active timer (default 3 minutes), the querying router declares that neighbor SIA and resets the adjacency. Root causes: ①Neighbor is overloaded — CPU/memory too high to process queries. ②Query propagation to a far end — a stub router at the edge of the network gets a query and can't answer (no route). ③Unidirectional link — router sends query but reply gets lost. ④Large network with excessive Query propagation. Solutions: ①EIGRP stub routing on spoke routers — hub never queries stubs. ②Route summarization at distribution layer — limits Query scope (summarized routes don't propagate queries beyond the summarizing router). ③Increase Active timer: timers active-time 5 (5 minutes) — buys time on slow links. ④Check show ip eigrp topology active — shows which queries are outstanding and to which neighbors. Fix the underlying cause, not just the timer.

🌍 BGP Path Selection — All 13 Attributes in Order

Weight → Local Pref → Locally originated → AS-PATH → Origin → MED → eBGP/iBGP → IGP metric → oldest → Router ID → Cluster list → Neighbor IP

BGP Path Selection — The Complete Decision Process

BGP never installs ALL paths — it selects ONE best path per prefix. The decision process is sequential: if a step produces a clear winner, stop. Only proceed to the next step if paths tie at that step. Memorize the order — CCIE lab asks you to manipulate specific steps.

#	Attribute	Winner	Scope	How to Manipulate
1	Weight	Highest	Cisco only, local router (not advertised)	route-map set weight N on neighbor
2	Local Preference	Highest	Within AS (iBGP only, advertised)	set local-preference N in route-map
3	Locally originated	Prefer local	Local router — network/redistribute wins over aggregate wins over iBGP	Redistribute vs network command
4	AS-PATH length	Shortest	Advertised globally	as-path prepend (add fake AS hops)
5	Origin code	IGP > EGP > ?	Advertised globally	set origin igp/incomplete in route-map
6	MED	Lowest	Between eBGP peers in same AS (complex rules)	set metric N in route-map
7	eBGP over iBGP	eBGP preferred	Route source type	bgp bestpath as-path multipath-relax
8	IGP metric to next-hop	Lowest	Local routing table cost to BGP next-hop	Adjust IGP costs
9	Oldest eBGP path	Oldest	Prefer most stable path (less churn)	bgp bestpath compare-routerid (disables)
10	BGP Router ID	Lowest	Originating router's RID	bgp router-id
11	Cluster list length	Shortest	Route reflector path	RR topology design
12	Neighbor IP address	Lowest	Final tiebreaker	Change neighbor IP (not practical)

Weight vs Local Preference vs MED — Critical Differences

WEIGHT — Cisco proprietary, LOCAL only:

• Not advertised to ANY peer (not even iBGP)

• Set on THIS router only — affects THIS router's decision

• Use case: prefer path for outbound traffic on THIS router

neighbor 10.1.1.1 route-map SET-WEIGHT in

route-map SET-WEIGHT permit 10 ; set weight 200

LOCAL PREFERENCE — iBGP scope:

• Advertised to ALL iBGP peers within the AS

• Affects ALL routers in AS → consistent exit point

• Use case: define preferred exit AS for the ENTIRE AS

bgp default local-preference 100 ← change default

route-map SET-LP ; set local-preference 200

MED — Inter-AS metric hint:

• Sent to eBGP peers — they CAN use it (optional)

• Only compared between paths from SAME AS (normally)

• Use case: tell neighboring AS which link to prefer for INBOUND

bgp always-compare-med ← compare MED across different ASes (non-standard)

bgp bestpath med confed ← compare within confederation

BGP Policy Lab — Controlling Traffic In & Out

OUTBOUND TRAFFIC CONTROL (how our AS reaches others):

Use Weight (local) or Local Preference (AS-wide)

AS 100 has two eBGP peers: ISP-A and ISP-B

Goal: prefer ISP-A for all outbound traffic

router bgp 100

neighbor ISP-A route-map PREFER-A in

route-map PREFER-A permit 10

set local-preference 200 ← higher = preferred

(ISP-B default local-pref = 100 → ISP-A wins)

INBOUND TRAFFIC CONTROL (how others reach our AS):

Use AS-PATH prepend (make one path look longer)

Or use MED to signal preference to neighbor AS

Goal: make ISP-B prefer sending traffic via ISP-A link

neighbor ISP-B route-map PREPEND out

route-map PREPEND permit 10

set as-path prepend 100 100 100 ← 3× prepend = longer path

ISP-B sees our AS-PATH as 100 100 100 100 (4 hops)

vs ISP-A path showing 100 (1 hop) → ISP-B prefers ISP-A

🎯 BGP CCIE Interview Q&A

Q: MED is set to 50 on one path and 100 on another, but BGP is not choosing the lower MED. Why?▶

MED is only compared between routes that come from the SAME autonomous system. If path 1 (MED=50) came from AS 200 and path 2 (MED=100) came from AS 300, BGP will NOT compare the MEDs — they're from different neighbors. It will skip step 6 and proceed to step 7 (eBGP vs iBGP). If you want to always compare MED regardless of source AS: bgp always-compare-med. This is non-standard behavior and some networks disable it. Also check: if either path has no MED attribute at all, Cisco treats it as MED=0 by default (bgp bestpath missing-as-worst makes missing MED = 4294967295 instead). Another trap: if the same prefix is coming from two different ASBR routers within your AS via iBGP, MED comparison works because they're from the same external AS — this is the normal use case for MED.

🌐 IP Multicast — IGMP, PIM-SM, RP, RPT vs SPT

IGMP v1/v2/v3 · PIM-SM Join/Prune · Rendezvous Point (Auto-RP/BSR/Anycast) · Shared tree vs Source tree · SSM · MSDP

Multicast Address Space & Group Model

Range	Type	Use
224.0.0.0/24	Link-Local	Routing protocols (OSPF=224.0.0.5/6, EIGRP=224.0.0.10, HSRP=224.0.0.2)
224.0.1.0-238.255.255.255	Global ASM	Any-Source Multicast — IANA assigned + user
232.0.0.0/8	SSM range	Source-Specific Multicast (IGMPv3 required)
233.0.0.0/8	GLOP	RFC 2770: embed AS number into multicast group
239.0.0.0/8	Admin Scoped	Private/enterprise use — like RFC 1918 for multicast
FF00::/8	IPv6 Multicast	FF02::1=all-nodes, FF02::2=all-routers, FF02::5=OSPFv3

MULTICAST MAC ADDRESS MAPPING:

Multicast IP → MAC: 01:00:5e:XX:XX:XX

Low 23 bits of IP group → last 23 bits of MAC

224.1.2.3 → 01:00:5e:01:02:03

OVERLAP: 224.1.2.3 and 225.1.2.3 and 226.1.2.3 map to SAME MAC!

(High bit differs but gets dropped in mapping)

→ L2 switch delivers both groups to same port even if only one subscribed

IGMP SNOOPING resolves this at L2:

Switch tracks per-port group membership → targeted delivery

show ip igmp snooping groups

PIM-SM — Shared Tree (RPT) vs Source Tree (SPT)

PHASE 1: SHARED TREE (RPT) — (*,G) entries

1. Receiver sends IGMPv2 Membership Report for group G

2. DR on receiver LAN sends PIM Join (*,G) toward RP

3. Each router on path creates (*,G) state and joins RPT

4. Source starts sending → Register to RP (unicast encap)

5. RP decapsulates, forwards down shared tree

PHASE 2: SPT SWITCHOVER — (S,G) entries

When traffic rate exceeds SPT threshold (default 0 kbps = immediate):

6. DR near receiver sends PIM Join (S,G) toward SOURCE

7. (S,G) state created along shortest path to source

8. Once SPT data arrives at receiver DR, it sends Prune (*,G) toward RP

9. RP prunes its tree if no other receivers on that branch

Result: receiver now on optimal SPT (shortest source→receiver path)

ip pim spt-threshold infinity ← stay on RPT forever (saves state)

Used when source is far — SPT isn't actually shorter

IGMP Version Comparison

Feature	IGMPv1	IGMPv2	IGMPv3
Leave group	No (wait for timeout)	Leave Group message	Leave + source filtering
Source filtering	No	No	YES (INCLUDE/EXCLUDE)
SSM support	No	No	YES
Querier election	No (DR is querier)	Lowest IP wins	Lowest IP wins
RFC	RFC 1112	RFC 2236	RFC 3376

RP Discovery — Auto-RP, BSR, Anycast RP

AUTO-RP (Cisco proprietary):

ip pim send-rp-announce Lo0 scope 16 ← candidate RP

ip pim send-rp-discovery Lo1 scope 16 ← RP mapping agent

Candidate RPs announce to 224.0.1.39 (CISCO-RP-ANNOUNCE)

Mapping Agent listens, elects RP, announces to 224.0.1.40 (CISCO-RP-DISCOVERY)

CHICKEN-AND-EGG: How do routers join 224.0.1.39/40 if they don't know the RP?

Fix: ip pim autorp listener OR sparse-dense-mode on interfaces

BSR (RFC standard — PIMv2):

ip pim bsr-candidate Lo0 32 ← BSR candidate

ip pim rp-candidate Lo0 group-list ALL ← RP candidate

BSR floods RP info in BSR messages (hop-by-hop)

No chicken-and-egg problem — flooded via PIM hello

ANYCAST RP (RFC 4610):

Multiple RPs share same IP address (e.g. 10.0.0.1)

Sources register to nearest RP → MSDP syncs state between RPs

Provides RP redundancy + load balancing across RPs

PIM Config — Complete Router Setup

ip multicast-routing ← enable globally

interface GigabitEthernet0/0

ip pim sparse-mode ← PIM-SM (most common)

ip igmp version 3 ← IGMPv3 for SSM

! Static RP (simplest)

ip pim rp-address 10.0.0.1 override ← override Auto-RP

! Verification

show ip mroute ← multicast routing table

show ip pim neighbor ← PIM adjacencies

show ip igmp groups ← IGMP group membership

show ip pim rp mapping ← RP for each group

mrinfo 10.0.0.1 ← query multicast router

🔀 Route Redistribution — Metrics, Loops & Policy

Default metrics · Seed metrics · Route tagging · Mutual redistribution loops · Administrative distance manipulation · Conditional redistribution

Redistribution Default Metrics

⚠️ If you redistribute without setting a metric, some protocols use a default metric (which may be usable) while others use an infinite metric (route is installed but unreachable). Always set explicit metrics.

Redistributing INTO	Default metric if unset	Recommended
RIP	Infinity (∞) — unusable	default-metric 5 (or set in route-map)
OSPF	20 (E2 external)	default-metric 100 + metric-type 1
EIGRP	Infinity — unusable without metric	default-metric 10000 100 255 1 1500
BGP	0 (IGP metric)	Set MED via route-map
IS-IS	0	Set explicit metric

! Redistribute OSPF into EIGRP with full metric

router eigrp 1

redistribute ospf 1 metric 10000 100 255 1 1500

BW(kbps) delay(us) reliability load MTU

! Redistribute EIGRP into OSPF

router ospf 1

redistribute eigrp 1 subnets metric 100 metric-type 1

subnets: redistribute all subnets (not just classful)

Mutual Redistribution Loop — Formation & Prevention

⚠️ The most dangerous redistribution scenario: two routers doing mutual redistribution between OSPF and EIGRP. Routes can loop back and form sub-optimal or infinite routing loops.

LOOP SCENARIO:

Router A redistributes OSPF→EIGRP on left side

Router B redistributes EIGRP→OSPF on right side

Problem: OSPF route on Router A leaks into EIGRP

Router B takes it, puts it back into OSPF with E2 metric

Now two OSPF routes for same prefix — possibly the WRONG one wins!

SOLUTION 1: Route Tagging

! On Router A (OSPF → EIGRP): tag routes from OSPF

route-map OSPF-TO-EIGRP permit 10

set tag 100

! On Router B (EIGRP → OSPF): deny routes with tag 100

route-map EIGRP-TO-OSPF deny 10

match tag 100 ← block routes that came from OSPF originally

route-map EIGRP-TO-OSPF permit 20

SOLUTION 2: Administrative Distance Manipulation

Make EIGRP internal routes preferred over OSPF external:

distance ospf external 200 ← OSPF external AD = 200 (high)

EIGRP internal (90) < OSPF external (200) → EIGRP always wins

Administrative Distance — Full Table & Manipulation

Source	Default AD	Notes
Connected	0	Always preferred
Static	1	Overrides everything except connected
EIGRP Summary	5	Summary routes only
eBGP	20	eBGP preferred over IGP
EIGRP Internal	90	Best IGP for Cisco
IGRP	100	Legacy
OSPF	110	Standard choice after EIGRP
IS-IS	115	Service provider default
RIP	120	Legacy distance vector
EIGRP External	170	Redistributed into EIGRP
iBGP	200	Lowest trust among dynamic

⚠️ Floating static route: ip route 0.0.0.0 0.0.0.0 10.0.0.1 200 — AD 200 means it's only used if iBGP (AD=200) fails. Wait — iBGP is also AD 200! First installed wins. Better to use AD 210: ip route 0.0.0.0 0.0.0.0 backup 210.

🎯 Redistribution Interview Q&A

Q: What is the difference between OSPF E1 and E2 external routes, and why does it matter during redistribution?▶

E2 (Type 2 External): The metric is the cost set at the ASBR and does NOT increase as the route travels through the OSPF domain. If 3 routers are between you and the ASBR, each with cost 10, your total cost to the external network is still just the ASBR's set cost (e.g., 20). This is the DEFAULT. E1 (Type 1 External): The metric is the set cost AT the ASBR plus the OSPF path cost TO the ASBR. As the route travels further from the ASBR, the metric grows. Why it matters: If you have two ASBRs redistributing the same external prefix (dual-homed OSPF domain), E2 routes always prefer the ASBR with the lower seed metric — regardless of how far away it is. This can cause suboptimal routing: a router might choose a distant ASBR with metric 100 over a nearby ASBR with metric 110, even though the nearby one has a total path of 110+5=115 vs the distant one's 100+50=150. E1 accounts for the intra-domain cost, giving more realistic path selection for multi-ASBR scenarios. Best practice: use E1 when you have redundant redistribution points. Use E2 when you have only one ASBR (simpler, lower overhead).

🏷️ Segment Routing — SR-MPLS, SRv6 & TI-LFA

SRGB · Node-SID · Adjacency-SID · SR-TE · TI-LFA for sub-50ms FRR · SRv6 with SRH · PCEP integration

Segment Routing vs Traditional MPLS — Why SR Wins

Feature	Traditional MPLS (LDP/RSVP)	Segment Routing
Label distribution	LDP (per-prefix, every hop)	Distributed via IGP (OSPF/IS-IS extensions)
TE signaling	RSVP-TE (complex, stateful)	SR-TE (source-routed, stateless)
Per-router state	High — LDP/RSVP state on every node	Low — only head-end knows path
Fast reroute	RSVP FRR (50ms, complex)	TI-LFA (50ms, automatically computed from IGP)
Scale	Limited by per-LSP state	Scales to 100K+ paths (stateless mid-points)
Programmability	Limited (static config)	PCE/PCEP, YANG/NETCONF, SRv6 service chaining

SR-MPLS Segment Types — SID Taxonomy

SRGB (Segment Routing Global Block):

Default: labels 16000-23999 (8000 labels)

Node-SID = SRGB_start + SID_index

Router A: index 1 → label 16001

Router B: index 2 → label 16002

NODE-SID (Prefix-SID):

• Globally unique index assigned to a router's loopback

• Distributed via IGP (OSPF SR-extension TLV, IS-IS TLV 135)

• Behavior: CONTINUE — forward toward that router via SPF

segment-routing mpls ; connected-prefix-sid-map ; address-family ipv4 ; 10.0.0.1/32 index 1 range 1

ADJACENCY-SID (Adj-SID):

• Locally significant (not global)

• Represents a specific link to a neighbor

• Behavior: NEXT — forward out this specific interface

• Used for TE (explicit path via specific links)

• Auto-allocated from dynamic range (not SRGB)

SERVICE-SID (for SRv6/VPN):

• VPN labels, service function indicators

• BGP distributes these for VPN services

TI-LFA — Topology Independent Loop-Free Alternate

TI-LFA provides sub-50ms FRR protection using SR labels without any TE signaling. The IGP computes a post-convergence path to the destination ASSUMING the protected link/node is down, then encodes that path as a segment list.

TI-LFA operation:

1. IGP computes P-space (nodes reachable without failed link)

2. Computes Q-space (nodes that can reach destination without failed link)

3. Finds P-Q node (intersection = repair node)

4. Installs pre-computed repair path in FIB

When primary link fails:

5. Router immediately pushes SR labels for repair path

6. Traffic follows pre-computed path to repair node

7. Repair node routes normally → traffic reaches destination

8. IGP reconverges (~100-500ms) → primary path restored

Config:

router ospf 1 ; segment-routing mpls ; fast-reroute per-prefix enable ; fast-reroute ti-lfa

SRv6 — Segment Routing over IPv6

SRv6 encodes the segment list directly in the IPv6 header using a Segment Routing Header (SRH). No MPLS labels needed — pure IPv6.

SRv6 SID FORMAT:

128-bit SID = Locator (64b) + Function (16b) + Arguments (48b)

Example: 2001:db8:100::/48 = locator for Node A

2001:db8:100::1 = End (node SID, like Node-SID in SR-MPLS)

2001:db8:100::2 = End.X (adj-SID to neighbor)

2001:db8:100::4 = End.DT4 (VPNv4 decap + lookup)

SRH (Segment Routing Header):

IPv6 Next Header: 43 (Routing Extension Header)

Routing Type: 4 (SRH)

Segments Left: counter, decremented at each segment endpoint

Segment List[0..n]: ordered SID list (last SID = destination)

IPv6 DA = current active SID (changed at each hop)

SRv6 advantage: native IPv6 encap — works across IPv6 internet

No MPLS label stack limit — supports deep service chains

SRv6 overhead: 40B IPv6 + 8B SRH base + 16B × n segments

🎯 Segment Routing Interview Q&A

Q: How does SR-TE differ from RSVP-TE and why are SPs migrating to SR?▶

RSVP-TE: Every router along the TE tunnel must maintain per-LSP state (PATH/RESV messages). For 10,000 TE tunnels, every transit router has 10,000 RSVP states. Soft-state requires periodic refresh. Any topology change requires RSVP re-signaling. Head-end must do CSPF to find path. SR-TE: Only the head-end router knows the explicit path (encoded as segment list). Transit routers are completely stateless — they just forward based on the top label. No RSVP, no per-path state in the network. A path change only requires updating the head-end's segment list. Why SPs migrate: ①Massive scale — SR-TE can support millions of paths with zero transit state. ②Simplification — no RSVP, no LDP needed (single protocol). ③PCE integration — a centralized PCE can compute and push segment lists via PCEP, enabling real-time TE. ④TI-LFA automatically protects every SR-TE path using the same SR labels — no separate FRR config. ⑤Gradual migration — SR can coexist with existing LDP/RSVP.

🏢 EVPN & VXLAN — Data Center Fabric

VXLAN encapsulation · BGP EVPN control plane · VTEP · Type 2/3/5 routes · Symmetric IRB · ARP suppression · DCI

VXLAN Encapsulation — 50-Byte Overhead Explained

VXLAN PACKET FORMAT (inner L2 frame):

Outer Ethernet Header : 14 bytes

Outer IP Header : 20 bytes

Outer UDP Header : 8 bytes (UDP dst=4789)

VXLAN Header : 8 bytes (VNI = 24-bit segment ID)

Inner Ethernet Header : 14 bytes (original L2 frame)

Inner IP + Payload : variable

Total overhead : 50 bytes minimum

VNI (VXLAN Network Identifier):

24-bit field → 16 million VNIs (vs 4096 VLANs)

L2 VNI: maps to a VLAN (bridge domain) — same subnet

L3 VNI: maps to a VRF — enables inter-VLAN routing

VTEP (VXLAN Tunnel Endpoint):

Physical device performing VXLAN encap/decap

Usually: ToR (Top of Rack) switch or hypervisor vSwitch

Identified by its loopback IP in the underlay network

BGP EVPN Route Type	Name	Carries	Purpose
Type 1	Ethernet Auto-Discovery	ESI (Ethernet Segment ID)	Multi-homing, mass withdrawal
Type 2	MAC/IP Advertisement	MAC + IP + VNI + VTEP IP	L2 host learning (replaces flood-learn)
Type 3	Inclusive Multicast	VTEP IP + L2 VNI	VTEP discovery + BUM handling
Type 4	Ethernet Segment	ESI + DF election	Designated Forwarder election
Type 5	IP Prefix	IP prefix + L3 VNI + VTEP	Inter-subnet routing, DCI

Type 2 routes replace the flood-and-learn behavior of traditional VXLAN. Instead of flooding ARP requests across all VTEPs, the BGP control plane distributes MAC/IP bindings. ARP requests are suppressed at the local VTEP — the VTEP answers ARPs itself using the BGP-learned table.

Symmetric vs Asymmetric IRB

IRB = Integrated Routing and Bridging. This is how VXLAN handles inter-VLAN (inter-subnet) routing.

ASYMMETRIC IRB (simpler, but doesn't scale):

• Local VTEP routes to destination subnet using its SVI

• Switches to destination VNI, forwards as L2

• Remote VTEP receives as L2 in correct VNI — no routing needed

Problem: ALL VTEPs must have ALL VLANs/SVIs configured

In large fabrics: 1000 VLANs × 100 VTEPs = 100K SVIs

SYMMETRIC IRB (scalable — recommended):

• Uses L3 VNI (per VRF) for inter-subnet routing

• Source VTEP: route in VRF, encap with L3 VNI, forward

• Transit: forward based on outer IP (underlay)

• Dest VTEP: decap L3 VNI, look up in VRF, switch to L2 VNI

Only need: SVIs for LOCAL subnets + 1 L3 VNI per VRF

Scales to any number of VLANs — remote VTEPs only need L3 VNI

BGP EVPN Configuration Skeleton

! Underlay (spine/leaf IGP or eBGP)

router bgp 65001

bgp router-id 10.0.0.1

no bgp default ipv4-unicast

! iBGP to spine (route reflector)

neighbor 10.0.0.100 remote-as 65001

neighbor 10.0.0.100 update-source Loopback0

neighbor 10.0.0.100 send-community extended

! Enable L2VPN EVPN address family

address-family l2vpn evpn

neighbor 10.0.0.100 activate

neighbor 10.0.0.100 send-community extended

! VNI to VLAN mapping (NX-OS style)

vlan 10

vn-segment 10010 ← L2 VNI for VLAN 10

vrf context TENANT-A

vni 50001 ← L3 VNI for this VRF

rd auto ; address-family ipv4 unicast ; route-target both auto evpn

! VTEP (NVE interface)

interface nve1

no shutdown ; source-interface loopback0

member vni 10010 ; suppress-arp ; ingress-replication protocol bgp

member vni 50001 associate-vrf

🤖 Network Automation — Python, NETCONF, YANG & Ansible

Netmiko · NAPALM · nornir · YANG data models · RESTCONF/NETCONF · Ansible for networks · Jinja2 · gRPC telemetry · GitOps

Automation Stack — SSH vs NETCONF vs gRPC

Method	Transport	Data Format	Use Case	CCIE Relevance
SSH/CLI (Netmiko)	SSH	Screen scraping (regex)	Legacy devices, quick scripts	Understand limitations — not reliable for structured data
NETCONF	SSH port 830	XML (YANG-modeled)	Config management, transactions	IOS-XE/XR support, candidate datastore, rollback
RESTCONF	HTTPS	JSON or XML	REST API, programmable controllers	Easier than NETCONF for developers — same YANG models
gRPC/gNMI	HTTP/2	Protobuf	Streaming telemetry, high-performance	OpenConfig, replacing SNMP for monitoring
SNMP	UDP	ASN.1/BER	Legacy monitoring	Being replaced by gRPC telemetry

Python Automation — Netmiko, NAPALM & nornir

NETMIKO — SSH, screen scraping:

from netmiko import ConnectHandler

device = {

"device_type": "cisco_ios",

"host": "192.168.1.1",

"username": "admin",

"password": "secret",

}

with ConnectHandler(**device) as net_connect:

output = net_connect.send_command("show ip route")

net_connect.send_config_set(["interface Gi0/0", "description WAN"])

NAPALM — Multi-vendor structured data:

import napalm

driver = napalm.get_network_driver("ios")

device = driver("192.168.1.1", "admin", "secret")

device.open()

bgp_neighbors = device.get_bgp_neighbors() ← structured dict!

device.load_merge_candidate(config="...")

diff = device.compare_config() ← see diffs before pushing

device.commit_config() ← atomic commit

NORNIR — Parallel automation framework:

Manages inventory, threading, task execution

Run same task against 1000 devices in parallel

nr = InitNornir(config_file="config.yaml")

result = nr.run(task=netmiko_send_command, command_string="show ver")

Jinja2 Templates — Config Generation at Scale

! Template: interfaces.j2

{% for intf in interfaces %}

interface {{ intf.name }}

description {{ intf.description }}

ip address {{ intf.ip }} {{ intf.mask }}

{% if intf.ospf %}ip ospf 1 area {{ intf.ospf_area }}{% endif %}

no shutdown

{% endfor %}

! Render in Python:

from jinja2 import Environment, FileSystemLoader

env = Environment(loader=FileSystemLoader("templates/"))

template = env.get_template("interfaces.j2")

config = template.render(interfaces=my_data)

my_data loaded from YAML/JSON inventory

Same template → consistent configs across 1000 devices

YANG & NETCONF — Structured Configuration

YANG Model Hierarchy:

OpenConfig → vendor-neutral (Google-led initiative)

Native YANG → Cisco IOS-XE / IOS-XR native models

IETF YANG → RFC standard models (interfaces, routing)

NETCONF Get config via Python:

from ncclient import manager

with manager.connect(host="192.168.1.1", port=830,

username="admin", password="secret",

hostkey_verify=False) as m:

result = m.get_config(source="running",

filter=("xpath", "/native/interface"))

print(result.xml)

RESTCONF GET BGP config:

GET https://router/restconf/data/Cisco-IOS-XE-native:native/router/bgp

Headers: Accept: application/yang-data+json

Returns JSON — parse with Python json module

gNMI Streaming Telemetry:

Subscribe to interface counters every 30s:

gnmic subscribe --path "openconfig:interfaces/interface[name=Gi0/0]/state/counters" --stream-mode sample --sample-interval 30s

Ansible for Networks — Idempotent Config Management

! inventory.yml

all:

hosts:

router1:

ansible_host: 192.168.1.1

ansible_network_os: ios

ansible_user: admin

! playbook.yml — configure OSPF on all routers

- name: Configure OSPF

hosts: all

gather_facts: no

tasks:

- name: Configure OSPF process

cisco.ios.ios_ospfv2:

config:

processes:

- process_id: 1

router_id: "{{ router_id }}"

network:

- address: 10.0.0.0

wildcard_bits: 0.255.255.255

area: 0

state: merged ← idempotent!

Run: ansible-playbook -i inventory.yml playbook.yml

📡 IS-IS — Intermediate System to Intermediate System

OSI NSAP/NET addressing · PDU types · L1/L2/L1L2 routers · Route leaking · DIS election · TLV extensibility · Multi-topology

IS-IS vs OSPF — Why Service Providers Prefer IS-IS

Feature	OSPF	IS-IS	IS-IS Advantage
Runs on top of	IP (protocol 89)	L2 directly (OSI CLNP)	IP routing problem can't break IS-IS — it runs under IP!
Area hierarchy	Area + backbone area 0	L1 area + L2 backbone	Simpler — L2 IS IS the backbone
Adjacency on segment	DR/BDR only go FULL	All form adjacency (DIS replaces DR)	No BDR — DIS handles LSP flooding
Extensibility	Opaque LSAs (awkward)	New TLVs — just add (no version change)	SR, TE, IPv6 all added via TLVs
IPv6	OSPFv3 (separate process)	Multi-topology (same process!)	MT-IS-IS: one adjacency, two topologies
Large network scale	Limited (SPF complexity)	Preferred for SP backbone (flat L2)	T-Systems, Level3, AT&T use IS-IS

IS-IS Addressing — NSAP and NET

NET (Network Entity Title) FORMAT:

49.0001.0100.0000.0001.00

├── 49 ← AFI (Authority Format Identifier): 49 = private

├── 0001 ← Area ID (variable length, 1-13 bytes)

├── 0100.0000.0001 ← System ID (6 bytes — like a MAC address)

└── 00 ← NSEL (always 00 for routers)

Practical System ID: use router loopback

Loopback: 10.0.0.1 → System ID: 0100.0000.0001

Loopback: 10.0.0.2 → System ID: 0100.0000.0002

! Cisco IOS-XR config:

router isis CORE

net 49.0001.0100.0000.0001.00

is-type level-2-only ← backbone router (SP)

interface GigabitEthernet0/0

isis circuit-type level-2-only

isis metric 10

L1/L2 Router Types & Route Leaking

Type	Adjacency	LSDB	Use
L1 (L1-only)	L1 same area only	L1 LSDB	Edge router in area
L2 (L2-only)	L2 any area	L2 LSDB	Backbone router
L1L2 (ABR equiv)	Both L1+L2	Both LSDBs	Area border router

L1 routers know their area topology + default route to L1L2

L1 routers do NOT know inter-area routes (like OSPF totally stub)

ROUTE LEAKING (L2→L1): inject specific L2 routes into L1

address-family ipv4 unicast

propagate-level { 2 into 1 } route-policy LEAK-TO-L1

Use case: leak specific prefixes to L1 for more precise routing

instead of just a default route

IS-IS PDU Types & TLV Architecture

PDU	Full Name	Purpose
IIH	IS-IS Hello	Neighbor discovery, adjacency maintenance (LAN vs P2P IIH)
LSP	Link State PDU	Carries topology (like OSPF LSA). L1-LSP and L2-LSP separate.
CSNP	Complete Sequence Number PDU	Sent by DIS — describes entire LSDB. Used for sync.
PSNP	Partial Sequence Number PDU	Acknowledge LSP receipt OR request missing LSPs

TLV extensibility — IS-IS's biggest advantage: IS-IS PDUs carry information as TLVs (Type-Length-Value). New protocols just add new TLVs — no version change needed. SR-MPLS added TLV 22/23 for adj-SID, TLV 135 for prefix-SID. IPv6 added TLV 232. OSPF required separate opaque LSAs and eventually a new version (OSPFv3) for IPv6. IS-IS just added a TLV.

DIS (Designated IS) vs OSPF DR:

IS-IS: ALL routers form adjacency with each other on LAN

DIS sends CSNPs to keep all routers in sync

NO backup DIS (unlike OSPF BDR)

DIS preemption: higher priority IMMEDIATELY becomes DIS

Election: priority (highest) → MAC address (highest)

🎯 IS-IS Interview Q&A

Q: Why does IS-IS run on top of L2 while OSPF runs on top of IP, and why does that matter?▶

IS-IS was designed as part of the OSI protocol suite. It uses OSI's CLNP (Connectionless Network Protocol) addressing and runs directly over Layer 2. This gives IS-IS a critical operational advantage: if the IP routing table is empty or broken, IS-IS can still run and rebuild the routing table, because it doesn't depend on IP for its own transport. OSPF, by contrast, runs as IP protocol number 89 — if you have a routing problem severe enough to break all IP forwarding, OSPF packets can't travel either. This was a significant concern in large SP networks during network reconvergence events. In practice, both protocols usually converge fine, but IS-IS's immunity to IP-level problems is why major Internet backbone operators (AT&T, Deutsche Telekom, etc.) chose IS-IS over OSPF. The second advantage is that IS-IS uses binary encoding (TLVs) and doesn't rely on IP headers, making it slightly more efficient and easier to extend. For IPv6: IS-IS just adds new TLVs in the same process (Multi-Topology IS-IS) — one process, one adjacency, two topologies. OSPFv3 is a completely separate process from OSPFv2.

🔧 Advanced BGP — Route Reflectors, Communities & PIC

RR cluster architecture · Confederations · BGP communities · AS-PATH manipulation · BGP PIC · Graceful Restart · BGP Add-Paths · FlowSpec

Route Reflectors — Scaling iBGP Without Full Mesh

iBGP requires full mesh (every iBGP router peers with every other). In a 100-router AS: 100×99/2 = 4,950 peerings. Route Reflectors eliminate the full mesh.

RR REFLECTION RULES:

RR receives from eBGP peer → reflects to ALL iBGP clients + non-clients

RR receives from RR Client → reflects to eBGP + other clients + non-clients

RR receives from non-client iBGP → reflects to RR clients ONLY

RR does NOT change NEXT_HOP when reflecting (unlike eBGP)

Clients must have IGP reachability to all next-hops!

LOOP PREVENTION ATTRIBUTES:

ORIGINATOR_ID: RID of the first RR that reflected this route

→ If received back (routing loop), discard based on matching own RID

CLUSTER_LIST: list of cluster IDs the route passed through

→ If own cluster ID seen, discard (loop prevention between RRs)

! RR Config:

router bgp 65000

neighbor 10.0.0.2 remote-as 65000

neighbor 10.0.0.2 route-reflector-client

bgp cluster-id 1 ← needed when 2+ RRs in same cluster

BGP Communities — Tagging for Policy

WELL-KNOWN COMMUNITIES (RFC 1997):

NO_EXPORT (0xFFFFFF01) ← don't advertise to eBGP peers

NO_ADVERTISE (0xFFFFFF02) ← don't advertise to ANY peer

LOCAL_AS (0xFFFFFF03) ← don't advertise outside confederation sub-AS

REGULAR COMMUNITIES (AS:VALUE format):

65000:100 ← "this prefix belongs to customer 100"

65000:666 ← "blackhole this prefix" (ISP convention)

65000:200 ← "set local-pref 200 on receive"

LARGE COMMUNITIES (RFC 8092 — 4-byte ASN support):

131072:100:200 ← Global Admin : Local Data 1 : Local Data 2

! Set and match communities:

route-map TAG-CUSTOMER permit 10

set community 65000:100 additive

route-map PROCESS-COMMUNITY permit 10

match community COMM-LIST-100

set local-preference 200

ip community-list standard COMM-LIST-100 permit 65000:100

neighbor X send-community both ← required to send communities!

BGP PIC — Prefix Independent Convergence

Traditional BGP convergence: when primary next-hop fails, BGP withdraws route, installs backup — takes 100ms-5s. BGP PIC pre-installs backup paths in FIB, enabling sub-50ms failover.

PIC EDGE (external BGP failover):

Two eBGP paths: Path-A (primary) + Path-B (backup)

PIC pre-installs Path-B in FIB as backup

When Path-A NH fails: FIB switches to Path-B instantly

BGP convergence still happens in background (slower)

bgp additional-paths install

bgp additional-paths select best 2

PIC CORE (iBGP PE failover in MPLS VPN):

PE router has two paths to same VPN prefix (via two remote PEs)

Pre-installed in FIB → PE failure = instant switchover

BGP ADD-PATHS (RFC 7911):

Normally BGP advertises only ONE best path per prefix

Add-Paths: advertise MULTIPLE paths for same prefix

RR clients get backup paths pre-loaded → PIC Edge

neighbor X additional-paths send ; additional-paths receive

address-family ipv4 ; bgp additional-paths select best 3

BGP Graceful Restart & Long-Lived Graceful Restart

GRACEFUL RESTART (RFC 4724):

BGP process restarts but forwarding plane continues

Restarting router: signals GR capability in OPEN message

Helper routers: keep forwarding for restart time (default 120s)

Restarting router: re-establishes session, re-syncs table

bgp graceful-restart

bgp graceful-restart restart-time 120

bgp graceful-restart stalepath-time 360

LLGR (Long-Lived Graceful Restart, RFC 9494):

Extends GR to hours/days — for planned maintenance

Stale routes marked with LLGR_STALE community

Only used as last resort — proper paths preferred

🚦 MPLS Traffic Engineering — RSVP-TE, CSPF & Fast Reroute

RSVP PATH/RESV messages · ERO · CSPF algorithm · Bandwidth reservation · FRR one-to-one vs facility backup · TE tunnel interaction with IGP

MPLS-TE Architecture — Why TE Exists

IP routing follows shortest paths (lowest cost). MPLS-TE forces traffic onto SPECIFIC paths regardless of IGP costs — enabling bandwidth guarantees, optimizing link utilization, and providing guaranteed backup paths. Critical for SP voice/video SLAs.

Component	Role	Protocol
CSPF (Constrained Shortest Path First)	Compute path meeting constraints (BW, affinity, SRLG)	Runs on head-end, uses TE-extended LSDB
RSVP-TE (Resource Reservation Protocol)	Signal and establish the LSP along computed path	PATH (head→tail) + RESV (tail→head)
OSPF-TE / IS-IS-TE	Flood bandwidth + TE metric in LSAs/LSPs	OSPF Opaque Type 10 / IS-IS TE TLVs
FRR (Fast Reroute)	Pre-signal backup bypass tunnel for sub-50ms failover	RSVP-TE with detour/facility signaling

RSVP-TE Signaling — PATH & RESV Deep Dive

PATH MESSAGE (head-end → tail-end):

Carries: Session (tunnel endpoint + ID) + PHOP (previous hop)

ERO (Explicit Route Object): list of hops to follow

{Strict: 10.0.1.1, Strict: 10.0.2.1, Loose: 10.0.3.1}

Strict = must go through that exact next-hop

Loose = go toward that destination (IGP decides)

LABEL_REQUEST: request a label from tail

SESSION_ATTRIBUTE: priority, preemption, affinity bits

RESV MESSAGE (tail-end → head-end):

Carries: FLOWSPEC (requested BW) + LABEL (assigned label)

Each router allocates BW + assigns label → upstream

RECORD_ROUTE: records actual path taken

Soft state: PATH/RESV refreshed every 30s (default)

If refresh stops: reservation times out after 3.5× refresh

! Head-end config (IOS-XE):

interface Tunnel1

ip unnumbered Loopback0

tunnel mode mpls traffic-eng

tunnel destination 10.0.0.5

tunnel mpls traffic-eng bandwidth 100000 ← 100Mbps reserved

tunnel mpls traffic-eng path-option 10 dynamic ← CSPF

tunnel mpls traffic-eng path-option 20 explicit name BACKUP

tunnel mpls traffic-eng fast-reroute

FRR — One-to-One vs Facility Backup

ONE-TO-ONE (DETOUR) BACKUP:

Each protected LSP has its OWN detour LSP

10 protected LSPs = 10 detour LSPs

Detour merges back into primary after the failure point

State per protected LSP = doesn't scale (1000 LSPs = 1000 detours)

FACILITY BACKUP (BYPASS TUNNEL) — RECOMMENDED:

ONE bypass tunnel protects ALL LSPs on a given link/node

PLR (Point of Local Repair): router upstream of failure

MP (Merge Point): router downstream of failure

On failure: PLR pushes BYPASS tunnel label on ALL affected LSPs

Bypass carries them around the failure → MP pops bypass label

1000 LSPs protected by 1 bypass = massive state savings

! PLR bypass tunnel config:

interface Tunnel100 ← bypass tunnel

tunnel mpls traffic-eng path-option 10 dynamic

tunnel mpls traffic-eng bandwidth 500000

tunnel mpls traffic-eng fast-reroute

mpls traffic-eng fast-reroute

interface GigabitEthernet0/0

mpls traffic-eng backup-path Tunnel100 ← protect this link

🎯 MPLS-TE Interview Q&A

Q: MPLS-TE tunnel is up but traffic is not going through it. What are the possible causes?▶

A common misunderstanding: a TE tunnel being UP (RSVP established, label assigned) does NOT automatically mean traffic uses it. Traffic only enters the tunnel if: ①Autoroute announce: tunnel mpls traffic-eng autoroute announce makes the tunnel appear as an IGP next-hop. Without this, the routing table doesn't see the tunnel as a path. ②Autoroute metric: If autoroute is configured but the tunnel metric is higher than the regular IGP path, IGP still wins. Set tunnel mpls traffic-eng autoroute metric absolute 1 to force preference. ③Forwarding adjacency: Advertises the tunnel as a link into the IGP LSDB — more powerful than autoroute, allows SPF to compute paths across the tunnel. ④Static route or PBR: Explicitly route traffic into the tunnel with ip route x.x.x.x y.y.y.y Tunnel1. ⑤Check: show mpls traffic-eng tunnels brief — look at "Admin: up Oper: up" AND "Inuse". "Inuse" means traffic is actually flowing. Debug: debug mpls traffic-eng events.

Decision Result

Best path selected

—

Step-by-step decision walkthrough

Attribute comparison

Generated Cisco IOS config

Scenario timeline

Load a scenario or fire events manually

Current state

—

What's happening

Select a protocol and fire an event.

Progress

0/0

State diagram

Packet / message detail

Fire an event to see packet fields.

0

Correct

0

Wrong

0

Remaining

0%

Score

—

Select a deck above to begin

Click to reveal answer

Protocol — Select Sample or Paste Hex

Hex Dump (space-separated bytes)

Decoded Fields

Select a sample or paste hex bytes to decode...

Click canvas to place a router

Selected Element

Nothing selected — click a router or link

Place routers and links to see OSPF state.

Network topology — animated packet

Label stack at current hop

Hop detail — what this router does

Press play or use step buttons.

Timeline

MPLS operations

PUSH — Ingress LER adds label(s)

SWAP — Transit LSR swaps top label

POP — Penultimate or egress removes label

IP — Egress routes natively

LFIB entry at current hop

—

Encapsulated packet — click any layer to explore

Layer detail

Click a header layer above to see its fields.

Overhead analysis

Configure packet

Inner source IP

Inner destination IP

Payload size (bytes)

Tunnel info

Internet topology — watch traffic flow change

Current step explanation

Select a scenario and press play.

Attack timeline

Routing tables

Prevention

Paste "show ip route" output

LPM lookup:

Route statistics

Paste a routing table to analyze.

Protocol breakdown

AD / metric anomalies

—

Paste any show command output

Paste show output above to see annotated interpretation.

Detected command

—

Field-by-field explanation

Paste output to begin.

Anomalies & flags

—

Suggested next commands

—

Convergence timeline

Phase breakdown

Recommendations

← Select a challenge

Generated configuration

Complete the wizard steps to generate configurations.

Protocol

Switches

➕ Add Custom Link

Connect any two switches with a custom cost (parallel links supported)

↔

Cost:

Switch Config

Simulation

Legend

Root Port (RP)

Designated Port (DP)

Alternate Port (AP)

Backup Port (BP)

Failed Link

💡 Drag switches · Right-click link to remove · Parallel links allowed

Topology Canvas STP 802.1D Idle — press Run Election

◉ Event Log

👣 Step-by-Step Election Walkthrough Step 0 / 6

Press 👣 Step-by-Step Mode to start the guided walkthrough, or ▶ Run Election to auto-animate.

VLAN Setup

💡 Define up to 6 VLANs. Each VLAN gets a colour-coded frame so you can see tags being added/removed as packets traverse the trunk.

Switch Topology

💡 Two switches connected by a trunk. Assign ports as Access (single VLAN) or Trunk (all VLANs). Select native VLAN on trunk ports — mismatch causes silent forwarding errors!

Frame Simulation

Source Port Destination Port

Live Topology & Frame Animation

802.1Q Frame Structure

Select ports and click Send Frame to see the 802.1Q tag detail.

Event Log

Connection Parameters

Client Initial Seq (ISN)

Server Initial Seq (ISN)

Data Payload (bytes)

Trigger Events

State Machine

Packet Timeline

CLOSED

LISTEN

Packet Detail

Click any packet arrow on the diagram to inspect its headers.

Prefix-List Entries

💡 Each entry has a sequence number, permit/deny action, a network prefix, and optional ge/le length qualifiers. Lower sequence = evaluated first.

Route-Map Clauses

💡 Route-maps apply to matched prefixes. Each clause can set local-preference, MED, community, next-hop, or AS-path prepend.

Test Prefix Validator

Test Prefix (e.g. 10.0.5.0/24)

Generated Config

Configure entries above to generate config...

Policy Walk Visualizer

Enter a test prefix above to see the match walk.

BGP Policy Reference

ge (≥) — MINIMUM prefix length · more specific · greater-or-equal

le (≤) — MAXIMUM prefix length · less specific · less-or-equal

exact — no ge/le = matches that prefix length only

0.0.0.0/0 le 32 — matches ALL prefixes

implicit deny — unmatched prefixes denied at end

Configure entries on the left to see the analysis here.