Thursday, 17 December 2015

OSPF NSSA

OSPF Not-So-Stubby Areas
A Note On Section Initial Configuration Files: You must load the
initial configuration files for the section, named Basic OSPF Routing,
which can be found in CCIE R&S v5 Topology Diagrams & Initial
Configurations. Reference the Advanced Technology Labs OSPF
Diagram to complete this task.
Task
Configure Loopback100 on R6 and R8 with IP addressing in the format of
160.1.Y.Y/32, where Y is the router number.
Redistribute these prefixes into OSPF.
Configure OSPF area 3 so that R5 filters external routes out as they are sent from
area 0 to area 3.
Routers in area 3 should still be allowed to redistribute into OSPF.
Configuration
R5, R8, R10:
router ospf 1
area 3 nssa
R6:
interface Loopback100
ip address 160.1.6.6 255.255.255.255
!
route-map CONNECTED->OSPF permit 10
match interface Loopback100
!
router ospf 1
redistribute connected subnets route-map CONNECTED->OSPF
R8:
interface Loopback100
ip address 160.1.8.8 255.255.255.255
!
route-map CONNECTED->OSPF permit 10
match interface Loopback100
!
router ospf 1
redistribute connected subnets route-map CONNECTED->OSPF
Verification
The OSPF Not-So-Stubby Area (NSSA) Option, as defined in RFC 3101, extends
the functionality of a stub area to allow the importing of a subset of external routes
into the area. Recall that with the stub area, Type-5 External LSA information is
suppressed from entering the database and is replaced with a default route
originated by the ABR(s). Because all Type-5 LSAs are suppressed, this also
implies that redistribution cannot occur within the area as well. This problem can be
seen from the parser error generated when redistribution and stub areas are
configured together:
R10#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R10(config)#router ospf 1
R10(config-router)#area 3 stub
R10(config-router)#redistribute connected subnets
%OSPF-4-ASBR_WITHOUT_VALID_AREA: Router is currently an ASBR while having only one area which is a stub area
The OSPF NSSA option changes this behavior by allowing redistribution to occur
within the stub area, while still blocking external routes from entering the area
through the ABR(s). Specifically, this is implemented through the introduction of a
new link-state advertisement type, the Type-7 NSSA External LSA.
Routes that are redistributed directly into the NSSA are generated as Type-7 NSSA
External LSAs. Like Type-5 External LSAs, two subtypes of Type-7 NSSA External
LSAs exist, type 1 (N1) and type 2 (N2). N1, similar to E1, adds the metric that
the ASBR reports into the OSPF domain to the metric needed to reach the
ASBR. N2, similar to E2, keeps the two apart: the flat value that the ASBR
reports into the OSPF domain is what gets installed in the routing table, and the
value needed to reach the ASBR, known as the forward metric, is only used as a
tie-breaker between otherwise equal N2 routes.
From the output below, we can see that with the default redistribution values, R8
originates the Type-7 NSSA External LSAs as metric-type 2, with a metric value of
20. The detailed output from R5’s routing table indicates a metric of 20 reported in
by R8, and a forward metric of 2, R5’s metric to reach R8's Loopback:
R5#show ip route ospf | include N
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
O N2     160.1.8.8 [110/20] via 155.1.58.8, 00:08:26, GigabitEthernet1.58

R5#show ip route 160.1.8.8
Routing entry for 160.1.8.8/32
  Known via "ospf 1", distance 110, metric 20, type NSSA extern 2, forward metric 2
  Last update from 155.1.58.8 on GigabitEthernet1.58, 00:08:39 ago
  Routing Descriptor Blocks:
  * 155.1.58.8, from 150.1.8.8, 00:08:39 ago, via GigabitEthernet1.58
      Route metric is 20, traffic share count is 1

R5#show ip ospf database nssa-external

            OSPF Router with ID (150.1.5.5) (Process ID 1)

                Type-7 AS External Link States (Area 3)

  Routing Bit Set on this LSA in topology Base with MTID 0
  LS age: 646
  Options: (No TOS-capability, Type 7/5 translation, DC, Upward)
  LS Type: AS External Link
  Link State ID: 160.1.8.8 (External Network Number )
  Advertising Router: 150.1.8.8
  LS Seq Number: 80000001
  Checksum: 0x187D
  Length: 36
  Network Mask: /32
        Metric Type: 2 (Larger than any link state path)
        MTID: 0
        Metric: 20
        Forward Address: 150.1.8.8
        External Route Tag: 0
When the Type-7 NSSA External LSA is received by the ABR and is moved into
area 0, the information contained in the Type-7 LSA is translated to a normal Type-5
External LSA. If multiple ABRs exist, only one of them performs the translation
through an election process, which is discussed in depth in a later task. In this
fashion, OSPF devices outside of the NSSA do not know that the NSSA exists,
which is analogous to how a Confederation works in BGP.
Note that R5 receives the Type-7 NSSA External LSA with the forward address set
to 150.1.8.8, which happens to be R8’s router-ID. With the previous Type-5 external
lookups, we saw the forward address set to 0.0.0.0, which meant to route toward the
advertising router to reach the final destination. In this case, the forward address is
non-zero, which causes the lookup to be performed toward 150.1.8.8. This is a
subtle difference in the lookup process, and this particular case results in the same
path selection even if the lookup had occurred on the advertising router (150.1.8.8)
instead of the forward address (150.1.8.8). There can, however, be certain designs
where there is a shorter path to the forward address than the advertising router’s
address, which is explored in a later task related to multiple exit points out of the
NSSA. The result of the translation on R5 is that devices in area 0 see the routes as
Type-5 External LSAs, not Type-7:
R1#show ip ospf database | begin Type-5

                Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
160.1.6.6       150.1.6.6       909         0x80000001 0x0093BB 0
160.1.8.8       150.1.5.5       895         0x80000001 0x00D3D1 0

R1#show ip ospf database external 160.1.8.8

            OSPF Router with ID (150.1.1.1) (Process ID 1)

                Type-5 AS External Link States

  Routing Bit Set on this LSA in topology Base with MTID 0
  LS age: 870
  Options: (No TOS-capability, DC, Upward)
  LS Type: AS External Link
  Link State ID: 160.1.8.8 (External Network Number )
  Advertising Router: 150.1.5.5
  LS Seq Number: 80000001
  Checksum: 0xD3D1
  Length: 36
  Network Mask: /32
        Metric Type: 2 (Larger than any link state path)
        MTID: 0
        Metric: 20
        Forward Address: 150.1.8.8
        External Route Tag: 0
R1 performs a lookup on the now Type-5 External LSA, and, like R5, sees the
forward address set to 150.1.8.8. Again, note that the lookup process for this
translated Type-7 LSA is performed differently than a normal inter-area Type-5
external LSA lookup, because R1 computes its metric toward 150.1.8.8, and not a
Type-4 LSA describing the ASBR. Furthermore, note that R5 does not generate a
Type-4 ASBR Summary LSA describing R8:
R5#show ip ospf database asbr-summary 150.1.8.8

            OSPF Router with ID (150.1.5.5) (Process ID 1)

R5#
R5#show ip route 150.1.8.8
Routing entry for 150.1.8.8/32
  Known via "ospf 1", distance 110, metric 2, type intra area
  Last update from 155.1.58.8 on GigabitEthernet1.58, 00:17:43 ago
  Routing Descriptor Blocks:
  * 155.1.58.8, from 150.1.8.8, 00:17:43 ago, via GigabitEthernet1.58
      Route metric is 2, traffic share count is 1
R1’s metric to the forwarding address 150.1.8.8 is 1002 via R5. This is the value
installed as the forward metric for the translated Type-7 LSA, with a metric of 20
from the Type-5 LSA itself:
R1#show ip route 150.1.8.8
Routing entry for 150.1.8.8/32
  Known via "ospf 1", distance 110, metric 1002, type inter area
  Last update from 155.1.0.5 on Tunnel0, 00:19:03 ago
  Routing Descriptor Blocks:
  * 155.1.0.5, from 150.1.5.5, 00:19:03 ago, via Tunnel0
      Route metric is 1002, traffic share count is 1

R1#show ip route 160.1.8.8
Routing entry for 160.1.8.8/32
  Known via "ospf 1", distance 110, metric 20, type extern 2, forward metric 1002
  Last update from 155.1.0.5 on Tunnel0, 00:19:06 ago
  Routing Descriptor Blocks:
  * 155.1.0.5, from 150.1.5.5, 00:19:06 ago, via Tunnel0
      Route metric is 20, traffic share count is 1
Similar to the stub area, the NSSA flag must be agreed upon by all devices in the
area, or adjacency cannot occur (the N bit in the Hello options must match). This
implies that the area is a normal area, a stub area, or an NSSA, but no combination
of the three. Furthermore, like the stub area, Type-5 external LSAs are blocked
from entering the NSSA on the ABR(s): note that R6's Loopback100 (160.1.6.6) is
known in area 0, but not in area 3:
R5#show ip route 160.1.6.6
Routing entry for 160.1.6.6/32
  Known via "ospf 1", distance 110, metric 20, type extern 2, forward metric 2
  Last update from 155.1.45.4 on GigabitEthernet1.45, 00:20:55 ago
  Routing Descriptor Blocks:
  * 155.1.45.4, from 150.1.6.6, 00:20:55 ago, via GigabitEthernet1.45
      Route metric is 20, traffic share count is 1

R8#show ip route 160.1.6.6
% Subnet not in table
Pitfall
The other key difference between stub and NSSA areas is how default
routing works. The stub area removes external LSAs and replaces them with
a default route. The totally stubby area extends this by replacing external
LSAs and inter-area LSAs with a default route. With the NSSA, however, a
default route is not automatically originated by the ABR. This means that
devices within the NSSA will have reachability to their own area and to other
areas, but not to destinations outside of the OSPF domain, unless the ABR is
explicitly told to originate one with area 3 nssa default-information-originate
(or the area is made a totally NSSA with area 3 nssa no-summary):
R8#show ip route 150.1.4.4
Routing entry for 150.1.4.4/32
  Known via "ospf 1", distance 110, metric 3, type inter area
  Last update from 155.1.58.5 on GigabitEthernet1.58, 00:23:20 ago
  Routing Descriptor Blocks:
  * 155.1.58.5, from 150.1.5.5, 00:23:20 ago, via GigabitEthernet1.58
      Route metric is 3, traffic share count is 1

R8#traceroute 150.1.4.4
Type escape sequence to abort.
Tracing the route to 150.1.4.4
VRF info: (vrf in name/id, vrf out name/id)
  1 155.1.58.5 11 msec 2 msec 3 msec
  2 155.1.45.4 17 msec *  6 msec

R8#show ip cef 160.1.6.6
0.0.0.0/0
  no route

R8#traceroute 160.1.6.6 ttl 2 2
Type escape sequence to abort.
Tracing the route to 160.1.6.6
VRF info: (vrf in name/id, vrf out name/id)
  2  *  *  *
Verify that area 3 is configured as NSSA:
R5#show ip ospf | begin Area 3
    Area 3
        Number of interfaces in this area is 2
        It is a NSSA area
        Perform type-7/type-5 LSA translation
        Area has no authentication
        SPF algorithm last executed 00:39:47.094 ago
        SPF algorithm executed 36 times
        Area ranges are
        Number of LSA 28. Checksum Sum 0x0D7257
        Number of opaque link LSA 0. Checksum Sum 0x000000
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0
        Flood list length 0

EIGRP

EIGRP Summarization with Default Routing:
=====================================
ip prefix-list CONNECTED_TO_EIGRP seq 5 permit 4.0.0.0/24
ip prefix-list CONNECTED_TO_EIGRP seq 10 permit 4.0.1.0/24
ip prefix-list CONNECTED_TO_EIGRP seq 15 permit 4.0.2.0/24
ip prefix-list CONNECTED_TO_EIGRP seq 20 permit 4.0.3.0/24
!
route-map CONNECTED_TO_EIGRP permit 10
match ip address prefix-list CONNECTED_TO_EIGRP
!
router eigrp 100
redistribute connected route-map CONNECTED_TO_EIGRP
!
interface Tunnel0
ip summary-address eigrp 100 0.0.0.0 0.0.0.0


Summarization can also be used to originate a default route in EIGRP. The
disadvantage of this configuration, however, is that all subnets previously advertised
out an interface will be suppressed, because all IPv4 networks are a subnet of the

EIGRP Summarization with Leak Map
=================================

ip prefix-list CONNECTED_TO_EIGRP seq 5 permit 4.0.0.0/24
ip prefix-list CONNECTED_TO_EIGRP seq 10 permit 4.0.1.0/24
!
route-map CONNECTED_TO_EIGRP permit 10
match ip address prefix-list CONNECTED_TO_EIGRP
!
ip prefix-list LOOPBACK40 seq 5 permit 4.0.0.0/24
!
route-map LEAK_LOOPBACK40 permit 10
match ip address prefix-list LOOPBACK40
!
router eigrp 100
redistribute connected route-map CONNECTED_TO_EIGRP
!
interface Tunnel0
ip summary-address eigrp 100 0.0.0.0 0.0.0.0 leak-map LEAK_LOOPBACK40

EIGRP Floating Summarization:
============================

When summaries are created in EIGRP, OSPF, and BGP, the router automatically
installs a route to Null0 to match the summary. This is used to prevent the router
from forwarding traffic for destinations inside the summary that it does not have a
longer match for. However, in certain designs this can be an undesirable behavior.
To resolve this, EIGRP sets its interface-level summaries to have an administrative
distance of 5 by default. This means that any other route with a distance of 1–4 will
take precedence over the summary.

EIGRP Poisoned Floating Summarization:
======================================

On R5:

router eigrp 100
network 155.1.45.0 0.0.0.255
network 155.1.58.0 0.0.0.255
network 160.1.5.0 0.0.0.255
summary-metric 160.1.4.0/23 distance 255
!
interface GigabitEthernet1.58   (link to R8)
ip summary-address eigrp 100 160.1.4.0 255.255.254.0

Before Applying:
---------------

R8#show ip route eigrp | b Gateway
Gateway of last resort is 155.1.58.5 to network 0.0.0.0
D* 0.0.0.0/0 [90/3328] via 155.1.58.5, 00:19:31, GigabitEthernet1.58
155.1.0.0/16 is variably subnetted, 7 subnets, 2 masks
D 155.1.45.0/24 [90/3072] via 155.1.58.5, 00:19:31, GigabitEthernet1.58
160.1.0.0/24 is subnetted, 1 subnets
D 160.1.5.0 [90/130816] via 155.1.58.5, 00:00:32, GigabitEthernet1.58

With only summary route:
------------------------
R8#show ip route eigrp | b Gateway
Gateway of last resort is 155.1.58.5 to network 0.0.0.0
D*    0.0.0.0/0 [90/3328] via 155.1.58.5, 00:23:16, GigabitEthernet1.58
      155.1.0.0/16 is variably subnetted, 7 subnets, 2 masks
D        160.1.4.0 [90/130816] via 155.1.58.5, 00:00:22, GigabitEthernet1.58

R5#show ip route eigrp | b Gateway
Gateway of last resort is 155.1.45.4 to network 0.0.0.0
D*    0.0.0.0/0 [90/3072] via 155.1.45.4, 00:23:37, GigabitEthernet1.45
      160.1.0.0/16 is variably subnetted, 3 subnets, 3 masks
D        160.1.4.0/23 is a summary, 00:00:42, Null0

After poisoning:
---------------
R5#show ip route eigrp | b Gateway
Gateway of last resort is 155.1.45.4 to network 0.0.0.0
D*    0.0.0.0/0 [90/3072] via 155.1.45.4, 00:27:26, GigabitEthernet1.45

R8#show ip route eigrp | b Gateway
Gateway of last resort is 155.1.58.5 to network 0.0.0.0
D*    0.0.0.0/0 [90/3328] via 155.1.58.5, 00:27:39, GigabitEthernet1.58


EIGRP Metric Weights
====================

By default, EIGRP uses only bandwidth and delay to calculate its composite metric,
because K1=K3=1 and K2=K4=K5=K6=0. Load, reliability, and (with wide metrics)
extended attributes can also be used, or the ratio at which bandwidth and delay are
weighted can be changed, by modifying the metric weights with the router-level
command metric weights tos k1 k2 k3 k4 k5 [k6]. The K values must match between
neighbors, otherwise the adjacency does not form. The calculation is as follows.

Classic EIGRP (32-bit metric):

Metric = 256 * [(K1 * Scaled Bw) + (K2 * Scaled Bw) / (256 - Load) + (K3 * Scaled Delay)] * [K5 / (Reliability + K4)]

Wide metrics (64-bit, named mode):

Metric = [(K1 * Minimum Throughput) + (K2 * Minimum Throughput) / (256 - Load) + (K3 * Total Latency) + (K6 * Extended Attributes)] * [K5 / (Reliability + K4)]

If K5 equals zero, the second half of the equation is ignored in both cases. "Scaled
Bw" equals 10^7 / (Minimum Bw in Kbps) and "Scaled Delay" equals (Delay in
microseconds) / 10. "Minimum Throughput" equals (10^7 * 65536) / (Minimum Bw in
Kbps); "Total Latency" equals (Delay * 65536) / 10 for links below 1 Gbps and
(10^7 * 65536 / 10) / Bw for links at or above 1 Gbps, Delay in microseconds.

R8#show ip protocols | section eigrp
Routing Protocol is "eigrp 100"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Default networks flagged in outgoing updates
Default networks accepted from incoming updates
EIGRP-IPv4 Protocol for AS(100) Metric weight K1=0, K2=0, K3=1, K4=0, K5=0

EIGRP Unequal Cost Load Balancing:
=================================

router eigrp 100
variance 5

EIGRP Convergence Timers:
=========================

interface GigabitEthernet1.146
ip hello-interval eigrp 100 1
ip hold-time eigrp 100 3

Unlike OSPF, EIGRP hello and hold-time intervals do not need to match between
neighbors for an adjacency to form. The locally configured hello interval only sets
how often this router sends EIGRP Hello packets; unlike OSPF, the value is not
carried in the Hello itself. The locally configured hold time is carried in the Hello:
it tells the neighbor how long to wait for any EIGRP packet from this router before
resetting the adjacency. Lowering only the hello interval therefore does nothing for
convergence; the neighbor still waits the advertised hold time.

EIGRP Stub Routing:
===================

router eigrp 100
eigrp stub connected

The EIGRP stub feature is used to limit the scope of EIGRP query messages (a
stub router is not queried for lost routes, which bounds query scope and stuck-in-
active risk) and to limit which routes the stub router advertises to its neighbors;
with eigrp stub connected only connected prefixes are advertised.

EIGRP Stub Routing with Leak Map:
=============================
ip prefix-list R8_LOOPBACK0 seq 5 permit 150.1.8.8/32
!
route-map STUB_LEAK_MAP deny 10
match ip address prefix-list R8_LOOPBACK0
!
route-map STUB_LEAK_MAP permit 20
!
router eigrp 100
eigrp stub connected leak-map STUB_LEAK_MAP

EIGRP Filtering with Passive Interface:
====================================
router eigrp 100
passive-interface default
no passive-interface GigabitEthernet1.67

The passive-interface command in EIGRP, like in RIPv2, stops the sending of
updates out an interface. Unlike RIPv2, however, passive-interface in EIGRP also
stops the sending of EIGRP Hello packets, so no adjacency can form on the
interface and no updates are learned on that link either.


EIGRP Filtering with Prefix-Lists:
=================================

Configure prefix-list filtering on R1 so that it does not install any updates received
from R4 on the VLAN 146 segment.
Allow all routes to be received from all other EIGRP neighbors

ip prefix-list NOT_FROM_R4 seq 5 deny 155.1.146.4/32
ip prefix-list NOT_FROM_R4 seq 10 permit 0.0.0.0/0 le 32
!
ip prefix-list PERMIT_ALL seq 5 permit 0.0.0.0/0 le 32
!
router eigrp 100
distribute-list prefix PERMIT_ALL gateway NOT_FROM_R4 in

EIGRP Filtering with Standard Access-Lists:
=========================================

Configure a one-line standard access-list on R9 to filter out all routes coming from R7
that have an odd number in the third octet.

access-list 1 permit 0.0.0.0 255.255.254.255
!
router eigrp 100
distribute-list 1 in GigabitEthernet1.79

EIGRP Filtering with Extended Access-Lists:
==========================================

Like RIP, extended access-lists when called as a distribute-list in IGP have a
different meaning than in redistribution or in BGP. With BGP and redistribution, the
“source” field in the ACL represents the network address, and the “destination” field
represents the subnet mask. In IGP distribute-list application, the “source” field in
the ACL matches the update source of the route, and the “destination” field
represents the network address. This implementation allows us to control which
networks we are receiving, but more importantly who we are receiving them from.
With VLAN 45 interface disabled and before the filter is applied, R5 routes as
follows

EIGRP Filtering with Offset Lists:
=================================

Configure an offset-list on R7 so traffic destined for R3’s Loopback0 prefix is sent to
R6.
If the Ethernet link to R6 is down, traffic should be rerouted directly to R3.

R7:
access-list 1 permit host 150.1.3.3
!
router eigrp 100
offset-list 1 in 2000 GigabitEthernet1.37


Like in RIP, the offset-list feature in EIGRP is used to modify the metric on a
per-route or a per-interface basis. Before any metric modifications, we can see
that R7 routes directly to R3 to reach 150.1.3.3/32. There are no additional
entries in the EIGRP topology table of R7 for this prefix because R6 also routes
through R7 to reach it, so split horizon keeps R6 from advertising it back:

R7#show ip route 150.1.3.3
Routing entry for 150.1.3.3/32
  Known via "eigrp 100", distance 90, metric 130816, type internal
  Redistributing via eigrp 100
  Last update from 155.1.37.3 on GigabitEthernet1.37, 01:05:42 ago
  Routing Descriptor Blocks:
  * 155.1.37.3, from 155.1.37.3, 01:05:42 ago, via GigabitEthernet1.37

R7#show ip eigrp topology 150.1.3.3/32
EIGRP-IPv4 Topology Entry for AS(100)/ID(150.1.7.7) for 150.1.3.3/32
  State is Passive, Query origin flag is 1, 1 Successor(s), FD is 130816
  Descriptor Blocks:
  155.1.37.3 (GigabitEthernet1.37), from 155.1.37.3, Send flag is 0x0
      Composite metric is (130816/128256)

R7#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R7(config)#router eigrp 100
R7(config-router)#offset-list 1 in 2000 GigabitEthernet1.37

R7#show ip route 150.1.3.3
Routing entry for 150.1.3.3/32
  Known via "eigrp 100", distance 90, metric 131328, type internal
  Redistributing via eigrp 100
  Last update from 155.1.67.6 on GigabitEthernet1.67, 00:00:15 ago
  Routing Descriptor Blocks:
  * 155.1.67.6, from 155.1.67.6, 00:00:15 ago, via GigabitEthernet1.67

R7#show ip eigrp topology 150.1.3.3/32
EIGRP-IPv4 Topology Entry for AS(100)/ID(150.1.7.7) for 150.1.3.3/32
  State is Passive, Query origin flag is 1, 1 Successor(s), FD is 131328
  Descriptor Blocks:
  155.1.67.6 (GigabitEthernet1.67), from 155.1.67.6, Send flag is 0x0
      Composite metric is (131328/131072)
  155.1.37.3 (GigabitEthernet1.37), from 155.1.37.3, Send flag is 0x0
      Composite metric is (132816/130256), route is Internal
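An added worked example (my code, not from these notes) that reproduces the FD/RD pairs above from the classic metric formula given in the EIGRP Metric Weights section, and shows why the offset-list flips the successor. It assumes the IOS interface defaults of 8,000,000 Kbps / 5000 usec for a loopback and 1,000,000 Kbps / 10 usec for GigabitEthernet, and that R6 sits two Ethernet hops from R3's loopback, which is what its reported distance of 131072 implies; the function names and the path layout are assumptions, the metrics are the page's own.

```python
# Added example (not from the original notes): classic 32-bit EIGRP metric
# and the effect of "offset-list 1 in 2000 GigabitEthernet1.37" on R7,
# checked against the FD/RD pairs in the show ip eigrp topology output above.
# Assumed IOS interface defaults: Loopback 8,000,000 Kbps / 5000 usec,
# GigabitEthernet 1,000,000 Kbps / 10 usec.
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    bandwidth_kbps: int
    delay_usec: int
    load: int = 1            # 1..255, only counts when K2 != 0
    reliability: int = 255   # 1..255, only counts when K5 != 0


LOOPBACK = Link(8_000_000, 5000)
GIGE = Link(1_000_000, 10)
DEFAULT_K = (1, 0, 1, 0, 0)      # K1 K2 K3 K4 K5: bandwidth + delay only


def classic_metric(path, k=DEFAULT_K):
    """Composite metric for a list of Link hops (destination interface first).

    Bandwidth is the minimum along the path, delay is the sum, scaled as IOS
    does for the classic metric: 10^7 / min_bw_kbps and total_delay_usec / 10.
    """
    k1, k2, k3, k4, k5 = k
    scaled_bw = 10**7 // min(l.bandwidth_kbps for l in path)
    scaled_delay = sum(l.delay_usec for l in path) // 10
    load = max(l.load for l in path)
    reliability = min(l.reliability for l in path)
    metric = k1 * scaled_bw + (k2 * scaled_bw) // (256 - load) + k3 * scaled_delay
    if k5 != 0:                  # the reliability term is skipped when K5 == 0
        metric = metric * k5 // (reliability + k4)
    return 256 * metric


def r7_topology(offset_in_on_gi37=0):
    """R7's candidates for 150.1.3.3/32 as {next_hop: (FD, RD)}.

    An inbound offset-list adds to the metric as it is received, so it raises
    both the reported distance and the resulting feasible distance.
    """
    via_r3 = (classic_metric([LOOPBACK, GIGE]) + offset_in_on_gi37,
              classic_metric([LOOPBACK]) + offset_in_on_gi37)
    # R6 reports the prefix two Ethernet hops away; R7 adds Gi1.67 on top.
    via_r6 = (classic_metric([LOOPBACK, GIGE, GIGE, GIGE]),
              classic_metric([LOOPBACK, GIGE, GIGE]))
    return {"155.1.37.3": via_r3, "155.1.67.6": via_r6}


def successor(topology):
    """Lowest feasible distance wins."""
    return min(topology, key=lambda nh: topology[nh][0])


def feasible_successors(topology):
    """Feasibility condition: a backup's RD must be strictly below the current FD,
    otherwise it is hidden from 'show ip eigrp topology' (all-links shows it)."""
    best = successor(topology)
    fd = topology[best][0]
    return [nh for nh, (_, rd) in topology.items() if nh != best and rd < fd]


if __name__ == "__main__":
    for offset in (0, 2000):
        topo = r7_topology(offset)
        print(f"offset {offset}: successor {successor(topo)}, "
              f"feasible successors {feasible_successors(topo)}, entries {topo}")
```

Before the offset R6's reported distance (131072) is above R7's feasible distance (130816), so R6's path fails the feasibility condition and does not appear; after it, R6 becomes the successor and R3's path (RD 130256 < FD 131328) shows up as a feasible successor, exactly as in the second topology output.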


EIGRP Filtering with Administrative Distance:
============================================

Configure administrative distance filtering on R6 so that it does not install the route to
R4’s Loopback0 prefix.

R6:
access-list 4 permit host 150.1.4.4
!
router eigrp 100
distance 255 0.0.0.0 255.255.255.255 4

EIGRP Filtering with Per Neighbor AD:
======================================

Configure administrative distance filtering on R3 so that traffic destined for R7's
Loopback0 prefix is sent to R1.
Ensure R3 never uses the direct path via R7.

R3:
access-list 7 permit host 150.1.7.7
!
router eigrp 100
distance 255 155.1.37.7 0.0.0.0 7

The administrative distance for EIGRP internal routes can be changed on a
per-prefix basis, but external EIGRP routes cannot

EIGRP Filtering with Route Maps:
=================================

route-map FILTER_ON_TAGS deny 10
match tag 4
!
route-map FILTER_ON_TAGS permit 20
!
router eigrp 100
distribute-list route-map FILTER_ON_TAGS in

Unlike BGP, filtering with route-maps in IGP is usually limited to redistribution
filtering only. However, EIGRP supports route-map filtering as a distribute-list with
matches on metric and tag values. Route tags are set at the time of redistribution
and can be used like BGP community values to group prefixes together without
having to match on the actual route in a prefix-list or access-list.

EIGRP Bandwidth Pacing:
======================

Configure R5 so that EIGRP cannot use more than 200Kbps of bandwidth on its
DMVPN connection, assuming that the link speed is 2Mbps.

interface Tunnel0
bandwidth 2000
ip bandwidth-percent eigrp 100 10

By default EIGRP can use up to 50% of the configured (administrative) bandwidth of
the interface. The absolute value can be changed by modifying the bandwidth on the
interface or by changing the percentage with the interface-level command
ip bandwidth-percent eigrp <AS_NR> <percentage>. Verify the SRTT and pacing timers
for the tunnel interface before the bandwidth usage is changed:

EIGRP Default Metric:
=====================

ip route 160.1.2.2 255.255.255.255 155.1.23.2
!
router eigrp 100
redistribute static
default-metric 100000 10 255 1 1500

When redistributing static and connected prefixes into EIGRP or between EIGRP
processes, metrics are automatically derived from the source prefix. For all other
redistribution, the metric must be manually set on the redistribute statement, under a
route-map, or from the default metric. The default metric affects all redistributed
prefixes for which a specific metric has not been configured.

EIGRP Neighbor Logging:
=====================
router eigrp 100
no eigrp log-neighbor-changes
eigrp log-neighbor-warnings 20

EIGRP Router-ID:
==============

EIGRP uses the router-id field in external routes as a loop prevention mechanism.
The router that originates the external route inserts its EIGRP router-id into the
update. If an update is received back in with a router-id in this field matching the
local router-id, the update is dropped.

EIGRP Maximum Hops:
==================
Configure all devices in EIGRP AS 100 so that routes with a hop count of greater
than 5 are considered invalid


R1 – R10:
router eigrp 100
metric maximum-hops 5

RIP

RIPv2 Offset List --
================
router rip
offset-list 1 in 3 GigabitEthernet1.13

RIPv2 Filtering with Prefix-Lists --
=================================
router rip
distribute-list prefix RIP_FILTER_TO_R8 out GigabitEthernet1.58
distribute-list prefix PERMIT_ALL gateway NOT_FROM_R4 in

The prefix-list named RIP_FILTER_TO_R8 filters the R6 and R7
Loopback0 prefixes from being advertised out on VLAN 58 and
permits all others. The syntax 0.0.0.0/0 le 32 in a prefix-list
means match all routes, similar to the any keyword in access-lists.
The second filter is based on both the routes being learned and
whom they are learned from: match any route coming in on any
interface, per the PERMIT_ALL prefix-list, and allow it as long as
it was not learned from R4, per the deny 155.1.0.4/32 entry in the
NOT_FROM_R4 gateway prefix-list.

RIPv2 Filtering with Access-Lists:
==================================
Configure a one-line standard access-list on R6 to filter out the IPv4 prefixes that
have an even number in the third octet

access-list 1 permit 0.0.1.0 255.255.254.255
!
router rip
distribute-list 1 in

When extended access-lists are used as a distribute-list for IGP filtering, the
functionality is different from route redistribution or BGP. With BGP and
redistribution, the source field in the ACL represents the network address, and
the destination field represents the subnet mask. In an IGP distribute-list, the
source field in the ACL matches the update source (the advertising neighbor) of
the route, and the destination field represents the network address. This lets us
control not only which routes we accept, but more importantly whom we accept them
from. Before the filter is applied, R5 routes to R3 for VLANs 7 and 9, and to R1
for VLAN 146 and R1's Loopback.

Admin Distance:
===============

access-list 1 permit host 150.1.4.4
!
router rip
distance 255 0.0.0.0 255.255.255.255 1


access-list 2 permit 150.1.3.3
!
router rip
distance 255 155.1.37.3 0.0.0.0 2

Default Route:
===============

Note in the above output that R6 does not have a default route installed in
the routing table. Unlike OSPF, RIP does not require that a default route
actually be installed in the routing table before originating one. For this
reason, route feedback of R6’s default origination will occur in this topology


Conditional Default Route
--------------------------
ip prefix-list ROUTE_TO_R9_LOOP seq 5 permit 150.1.9.9/32
!
route-map TRACK_ROUTE_TO_R9_LOOP permit 10
match ip address prefix-list ROUTE_TO_R9_LOOP
!
router rip
default-information originate route-map TRACK_ROUTE_TO_R9_LOOP

Reliable Conditional Default Route:
-----------------------------------
Configure R1 to originate a default route.
Configure IP SLA on R1 to track ICMP reachability to R7's IPv4 address on VLAN 7.
ICMP Echo-Request should be sent each 5 seconds.
Configure IP SLA tracking on R1 so that if an ICMP Echo-Reply is not received from
VLAN 7, R1 withdraws its default route advertisement.

ip sla 1
 icmp-echo 155.1.7.7
 frequency 5
!
ip sla schedule 1 start-time now life forever
!
track 1 ip sla 1
!
ip route 169.254.0.1 255.255.255.255 Null0 track 1
!
ip prefix-list DUMMY_ROUTE_TRACKED_VIA_SLA seq 5 permit 169.254.0.1/32
!
route-map RELIABLY_TRACK_LINK_TO_VLAN7 permit 10
match ip address prefix-list DUMMY_ROUTE_TRACKED_VIA_SLA
!
router rip
default-information originate route-map RELIABLY_TRACK_LINK_TO_VLAN7

With the plain conditional default above, the router advertises a default route as
long as 150.1.9.9/32 is in its routing table, which only proves the route exists,
not that the path works. With the reliable variant, the static route to
169.254.0.1/32 stays in the routing table only while track 1 (the IP SLA echo to
155.1.7.7) is up, so R1 advertises the default while the probes succeed and
withdraws it when they stop. The dummy prefix only has to be present for the
route-map to match; it points to Null0 and is never used for forwarding.

RIPv2 Source Validation:
========================

R7:
router rip
no validate-update-source
R9:
interface GigabitEthernet1.79
ip unnumbered Loopback0

Verify that before IP unnumbered is configured on R9, RIP routes are correctly
installed in both the R7 and R9 routing tables, and there is IPv4 connectivity.

After applying the IP unnumbered configuration on R9, R9 sends RIP updates on
the VLAN 79 Ethernet segment sourced from an IPv4 address that is not in the
same subnet as R7's interface address. R7 ignores these updates (until
no validate-update-source is configured on R7), and all RIP routes learned from
R9 are slowly removed from the routing table as the flush timer expires.

Tuesday, 15 December 2015

MPLS-LDP

1) To enable MPLS switching on an interface and start LDP on it, enter the
interface-level command "mpls ip". If you have too many interfaces to enable
MPLS on one by one, you may use MPLS LDP autoconfiguration, which is
available when OSPF (or IS-IS) is your IGP. Under the OSPF process, enter the
command "mpls ldp autoconfig" to activate LDP/MPLS switching on all
interfaces running OSPF.

2) Upon hearing Hellos from the other LDP routers (UDP port 646, sent to
224.0.0.2), LDP learns their LDP Router IDs, which by default is the highest
IP address on a loopback interface, or the highest interface address if no
loopback exists. You may change the Router-ID by using the command

"mpls ldp router-id <interface> force"

3) The LDP Router ID doubles as the transport address, so if the loopback
addresses are unreachable (for example not advertised in the IGP), the TCP
session will not be established. If you want LDP to establish the TCP
connection using the physical interface IP address instead, use the
interface-level command "mpls ldp discovery transport-address interface"

4) Using the transport addresses as sources, two routers that have heard each
other's Hellos establish a TCP session to destination port 646 (the router with
the higher transport address opens the connection). This session can be
authenticated with the TCP MD5 signature option (RFC 2385). The key is defined
per neighbor with the command mpls ldp neighbor <IP> password <password>,
where the IP address is the neighbor's LDP Router ID. To make passwords
mandatory, so that an unauthenticated peer is refused rather than accepted
silently, you need the global command mpls ldp password required.
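An added example (my code, not from these notes or from IOS) of what the TCP MD5 signature option actually covers on the LDP session, which is why the password must match exactly on both peers and why a mismatch simply keeps the session down instead of producing a warning. The peer addresses, port numbers, key and payload bytes are constructed for the demo (the payload is placeholder bytes, not a real LDP PDU); the digest layout is the one RFC 2385 specifies.

```python
# Added example (not from the original notes): the TCP MD5 signature option
# (RFC 2385) that "mpls ldp neighbor <IP> password" enables on the LDP session.
# Addresses, ports, key and payload below are constructed for the demo; the
# payload is placeholder bytes, not a real LDP PDU.
import hashlib
import hmac
import ipaddress
import struct

TCP_PROTO = 6
LDP_PORT = 646
TCPOPT_MD5 = 19          # option kind; the option length is always 18

PEER_A, PEER_B = "150.1.5.5", "150.1.8.8"   # constructed LDP transport addresses
KEY = b"constructed-demo-key"
PAYLOAD = b"constructed LDP Initialization PDU"


def fixed_header(sport, dport, seq, ack, flags=0x18, window=65535, hdr_words=10):
    """20-byte TCP header; hdr_words counts the options too (5 + 5 for a padded MD5 option)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, hdr_words << 4, flags, window, 0, 0)


def tcp_md5_digest(src_ip, dst_ip, header, payload, key, options_len=20):
    """RFC 2385 digest: MD5 over the pseudo-header, the fixed TCP header with a
    zero checksum and no options, the segment data, and finally the key.
    The segment length in the pseudo-header does include the options."""
    if len(header) != 20:
        raise ValueError("pass the 20-byte fixed header; options are excluded by the RFC")
    seg_len = len(header) + options_len + len(payload)
    pseudo = (ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    hdr = bytearray(header)
    hdr[16:18] = b"\x00\x00"          # the checksum is computed after the digest
    return hashlib.md5(pseudo + bytes(hdr) + payload + key).digest()


def md5_option(digest):
    """kind 19, length 18, 16-byte digest, then two NOPs to reach a 32-bit boundary."""
    return struct.pack("!BB", TCPOPT_MD5, 18) + digest + b"\x01\x01"


def signed_segment(key=KEY, payload=PAYLOAD, src=PEER_A, dst=PEER_B):
    """Sender side: (header, options, payload) for one segment of the LDP session."""
    hdr = fixed_header(sport=11000, dport=LDP_PORT, seq=1, ack=1)
    return hdr, md5_option(tcp_md5_digest(src, dst, hdr, payload, key)), payload


def verify_segment(src_ip, dst_ip, header, options, payload, key):
    """Receiver side: find the MD5 option, recompute, compare in constant time.
    A segment without the option fails, which is what 'mpls ldp password required'
    enforces on the router."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                     # end of option list
            break
        if kind == 1:                     # NOP
            i += 1
            continue
        if i + 1 >= len(options):         # truncated option header
            break
        length = options[i + 1]
        if kind == TCPOPT_MD5 and length == 18:
            expected = tcp_md5_digest(src_ip, dst_ip, header, payload, key, len(options))
            return hmac.compare_digest(bytes(options[i + 2:i + 18]), expected)
        i += max(length, 2)
    return False
```

Because the source and destination addresses are inside the digest, the option also pins the session to the transport addresses: changing the transport address on one side (item 3 above) is the same as changing the key from the peer's point of view.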

To hide the MPLS core from traceroute (stop copying the IP TTL into the label TTL, so the label-switched hops never send TTL-exceeded replies), issue the global command "no mpls ip propagate-ttl"


Thursday, 5 November 2015

Port Based Traffic Control

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/15-0_2_se/configuration/guide/3750x_cg/swtrafc.html#pgfId-1038501


Security Violations

It is a security violation when one of these situations occurs:
  • The maximum number of secure MAC addresses have been added to the address table, and a station whose MAC address is not in the address table attempts to access the interface.
  • An address learned or configured on one secure interface is seen on another secure interface in the same VLAN.
You can configure the interface for one of these violation modes, based on the action to be taken if a violation occurs:
  • protect—when the number of secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred, so this mode is invisible to monitoring.

Note We do not recommend configuring the protect violation mode on a trunk port. The protect mode disables learning when any VLAN reaches its maximum limit, even if the port has not reached its maximum limit.

  • restrict—when the number of secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses. In this mode, you are notified that a security violation has occurred. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.
  • shutdown—a port security violation causes the interface to become error-disabled and to shut down immediately, and the port LED turns off. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands. This is the default mode.
  • shutdown vlan—Use to set the security violation mode per-VLAN. In this mode, the VLAN is error-disabled instead of the entire port when a violation occurs.


Table 1-1 Security Violation Mode Actions

Violation Mode   Traffic is forwarded (1)   Sends SNMP trap   Sends syslog message   Displays error message (2)   Violation counter increments   Shuts down port
protect          No                         No                No                     No                           No                             No
restrict         No                         Yes               Yes                    No                           Yes                            No
shutdown         No                         No                No                     No                           Yes                            Yes
shutdown vlan    No                         No                Yes                    No                           Yes                            No (3)

1. Packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses.
2. The switch returns an error message if you manually configure an address that would cause a security violation.
3. Shuts down only the VLAN on which the violation occurred.

-> Port security can be applied to access and trunk ports, but not to dynamic ports
-> Secure MAC addresses
      - can belong to only one port
      - static
      - learned (dynamic)
      - sticky
-> Trunk ports
      - support per-VLAN limits
      - the port limit is the aggregate across all VLANs



Wednesday, 4 November 2015

IOS Device Access Security

R1(config)#username vamsi password krishna

By default this is saved in clear text.

Alternatives:
-----------

1) username vamsi secret cisco - stores an MD5 hash, which is type 5
2) service password-encryption - converts all passwords on the box to type 7 encryption,
         which is reversible
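As an added example (my own, not from these notes or from Cisco), a small audit over a constructed running-config that flags the type 0 and type 7 credentials just discussed and says what to replace them with; the type 5 hash values in the sample are placeholders, not real digests.

```python
import re
from typing import List, Tuple

# Constructed sample running-config (not from a real device); the type 5
# hashes are placeholders, not real digests.
SAMPLE_CONFIG = """\
username vamsi password 0 krishna
username legacy password 7 0822455D0A16
username ops secret 5 $1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx
enable password cisco
enable secret 5 $1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx
line vty 0 4
 password starent
 login local
"""

# Optional "privilege N" / "view NAME" keywords that IOS prints between the
# username and its password keyword (both forms appear in these notes).
_USER = r"^username (\S+)(?: (?:privilege \d+|view \S+))* password "

# (pattern, finding, recommendation). Type 0 is clear text and type 7 is
# reversible, so both are findings; "secret" lines (type 5) are left alone.
RULES = [
    (re.compile(_USER + r"(?:0 )?(?!7 )\S+$"),
     "clear-text (type 0) user password", "username {0} secret <password>"),
    (re.compile(_USER + r"7 \S+$"),
     "reversible (type 7) user password", "username {0} secret <password>"),
    (re.compile(r"^enable password (?:0 )?(?!7 )\S+$"),
     "clear-text (type 0) enable password", "enable secret <password>"),
    (re.compile(r"^enable password 7 \S+$"),
     "reversible (type 7) enable password", "enable secret <password>"),
    (re.compile(r"^ password (?:[07] )?\S+$"),
     "line password (clear text or type 7)", "login local or aaa authentication login"),
]


def audit_passwords(config: str) -> List[Tuple[int, str, str]]:
    """Return (line number, finding, recommended replacement) per weak line."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), start=1):
        for pattern, finding, advice in RULES:
            match = pattern.match(line)
            if match:
                user = match.group(1) if match.groups() else ""
                findings.append((lineno, finding, advice.format(user)))
                break  # one finding per line is enough
    return findings


if __name__ == "__main__":
    for lineno, finding, advice in audit_passwords(SAMPLE_CONFIG):
        print(f"line {lineno}: {finding}; use: {advice}")
```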

Modes:
=====
exec --- R1#
config --- R1(config)#
interface --- R1(config-if)#

Without aaa:
=========
username vamsi  privilege 5 password 0 cisco
line vty 0 4
login local

when logged in vamsi will have privilege of 5

With aaa:
======
1) aaa new-model
aaa authentication login LOCAL_DATABASE group tacacs+ local
line vty 0 4
 password starent
 login authentication LOCAL_DATABASE

By default, when vamsi logs in he has privilege level 1 at login and 15 at the exec level

2) To change the authorization of commands at different privileges when aaa new-model is enabled:

aaa authorization exec EXEC_AUTHOR group tacacs+ local
aaa authorization commands 0 TACACS_AU group tacacs+
aaa authorization commands 1 TACACS_AU group tacacs+
aaa authorization commands 15 TACACS_AU group tacacs+
line vty 0 4
 password starent
 authorization commands 0 TACACS_AU
 authorization commands 1 TACACS_AU
 authorization commands 15 TACACS_AU
 authorization exec EXEC_AUTHOR
 login authentication LOCAL_DATABASE

R2#telnet 10.1.1.1
Trying 10.1.1.1 ... Open
User Access Verification

Username: vamsi
Password:

R1>en
% Authorization failed
R1>show pri
% Authorization failed

To fix the above:

aaa new-model
aaa authentication login LOCAL_DATABASE group tacacs+ local
aaa authorization config-commands
aaa authorization exec EXEC_AUTHOR group tacacs+ local
aaa authorization commands 0 TACACS_AU group tacacs+ none
aaa authorization commands 1 TACACS_AU group tacacs+ none
aaa authorization commands 15 TACACS_AU group tacacs+ none
line vty 0 4
 password starent
 authorization commands 0 TACACS_AU
 authorization commands 1 TACACS_AU
 authorization commands 15 TACACS_AU
 authorization exec EXEC_AUTHOR
 login authentication LOCAL_DATABASE

R2#telnet 10.1.1.1
Trying 10.1.1.1 ... Open


User Access Verification

Username: vamsi
Password:

R1>en
Password:
R1#show privilege
Current privilege level is 15
R1#conf
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#end
R1#show ip int br
Interface              IP-Address      OK? Method Status                Protocol
Ethernet0/0            unassigned      YES unset  administratively down down  
GigabitEthernet0/0     10.1.1.1        YES manual up                    up    
FastEthernet1/0        unassigned      YES unset  administratively down down  
FastEthernet1/1        unassigned      YES unset  administratively down down  
Ethernet2/0            unassigned      YES unset  administratively down down  
Ethernet2/1            unassigned      YES unset  administratively down down  
Ethernet2/2            unassigned      YES unset  administratively down down  
Ethernet2/3            unassigned      YES unset  administratively down down  
R1#

3) Moving commands to a different privilege level.

Task: Vamsi is assigned privilege level 5 and must be able to enter global configuration mode and add an IP address to an interface

Normal process:

-->
R3#show running-config | sec vty|user
username pri password 0 cisco
line vty 0 4
 login local

R1#telnet 20.1.1.2
Trying 20.1.1.2 ... Open

User Access Verification

Username: pri
Password:
R3#show run
         ^
% Invalid input detected at '^' marker.
R3#conf t
      ^
% Invalid input detected at '^' marker.
R3#show privilege
Current privilege level is 5

-->
R3(config)#privilege exec level 5 configure terminal
Commands added to the running config:
privilege exec level 5 configure terminal
privilege exec level 5 configure
On Telnet
R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#interface fa1/0
           ^
% Invalid input detected at '^' marker.

-->
R3(config)#privilege configure level 5 interface
On telnet
R3(config)#interface fa1/0
R3(config-if)#
R3(config-if)#ip address ?      
% Unrecognized command

-->
R3(config)#privilege interface level 5 ip address
Commands added to the running config:
privilege interface level 5 ip address
privilege interface level 5 ip
On Telnet
R3(config-if)#ip address  30.1.1.1 255.255.255.0
R3(config-if)#ipv6 address ?
% Unrecognized command

Role-Based Access (logging in using views instead of privilege levels)
----------------------

R2#show run | sec user|vty
aaa authorization exec default local
username infy view view1 password 0 cisco
parser view view1
 secret 5 $1$u2AH$mvoK9aVion/jmSLpUW0B20
 commands router include all network
 commands configure include all router
 commands exec include all show
 commands exec include configure terminal
line vty 0 4

On Telnet:

R1#telnet 10.1.1.2
Trying 10.1.1.2 ... Open

User Access Verification

Username: infy
Password:

R2>show parser view
Current view is 'view1'
R2>show privi
Currently in View Context with view 'view1'
R2>show run
Building configuration...

Current configuration : 76 bytes
!
! Last configuration change at 21:05:21 UTC Wed Nov 4 2015
!
!
!
!
!
end
R2>show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.1.1.0/24 is directly connected, GigabitEthernet0/0
L        10.1.1.2/32 is directly connected, GigabitEthernet0/0
R2>show ip int br
Interface              IP-Address      OK? Method Status                Protocol
Ethernet0/0            unassigned      YES unset  administratively down down  
GigabitEthernet0/0     10.1.1.2        YES manual up                    up    
FastEthernet1/0        unassigned      YES unset  administratively down down  
FastEthernet1/1        unassigned      YES unset  administratively down down  
Ethernet2/0            unassigned      YES unset  administratively down down  
Ethernet2/1            unassigned      YES unset  administratively down down  
Ethernet2/2            unassigned      YES unset  administratively down down  
Ethernet2/3            unassigned      YES unset  administratively down down  

R2>conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)>end
            ^
% Invalid input detected at '^' marker.

R2(config)>exit


Change logging (Archiving):
---------------------------

-->R2#show running-config | sec archive
archive
 log config
  logging enable
  notify syslog contenttype plaintext
  hidekeys

-->On Telnet:

R2>conf t
Enter configuration commands, one per line.  End with CNTL/Z.

R2(config)>exit
R2>conf
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line.  End with CNTL/Z.

R2>show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.1.1.0/24 is directly connected, GigabitEthernet0/0
L        10.1.1.2/32 is directly connected, GigabitEthernet0/0
R2>

--> On Console:

R2#show archive log config all    
 idx   sess           user@line      Logged command
    1     1        console@console  |  logging enable
    2     1        console@console  |  logging size 100
    3     1        console@console  |  notify syslog
    4     2           infy@vty0     |configure


Login Enhancements-Login Block:
------------------------------

login block-for <seconds> attempts <tries> within <seconds>

R2(config)#login block-for 30 attempts 2 within 10

If the configured number of connection attempts fail within a specified time period, the Cisco IOS device does not accept any additional connections for a “quiet period.” (Hosts that are permitted by a predefined access-control list [ACL] are excluded from the quiet period.)
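An added model (written for this note, not IOS code) of the quiet-period logic behind the command above, replayed over a constructed attempt log against the page's "login block-for 30 attempts 2 within 10"; 10.1.1.9 is assumed to be permitted by the quiet-mode ACL, and counting failures globally rather than per source is an assumption of the model.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class LoginBlock:
    """Model of 'login block-for <block> attempts <n> within <window>'.

    Written for this note, not IOS code. Failed logins are counted globally
    (an assumption), and hosts in 'exempt' (the quiet-mode ACL) are still
    admitted during the quiet period.
    """
    block_for: int                       # quiet period length in seconds
    attempts: int                        # failures that trigger it
    within: int                          # window (seconds) the failures must fall in
    exempt: List[str] = field(default_factory=list)    # e.g. ["10.1.1.9/32"]
    failures: List[int] = field(default_factory=list)  # timestamps of recent failures
    quiet_until: Optional[int] = None

    def _is_exempt(self, src: str) -> bool:
        return any(ip_address(src) in ip_network(net) for net in self.exempt)

    def in_quiet_period(self, now: int) -> bool:
        return self.quiet_until is not None and now < self.quiet_until

    def attempt(self, now: int, src: str, success: bool) -> str:
        """Process one login attempt at time 'now' and return what happened."""
        if self.in_quiet_period(now) and not self._is_exempt(src):
            return "refused"                    # no connection accepted while quiet
        if self.quiet_until is not None and not self.in_quiet_period(now):
            self.quiet_until = None             # quiet period elapsed: back to normal mode
            self.failures.clear()
        if success:
            return "accepted"
        # keep only failures still inside the sliding window, then add this one
        self.failures = [t for t in self.failures if now - t < self.within] + [now]
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            self.failures.clear()
            return "failed, quiet period started"
        return "failed"


def replay(events: List[Tuple[int, str, bool]], guard: LoginBlock) -> List[str]:
    """Feed (time, source, success) events through the model in order."""
    return [guard.attempt(t, src, ok) for t, src, ok in events]


# Constructed attempt log (not real device output) against the page's
# 'login block-for 30 attempts 2 within 10', with 10.1.1.9 in the quiet-mode ACL.
SAMPLE_EVENTS = [
    (0, "10.1.1.50", False),   # first failure
    (5, "10.1.1.50", False),   # second failure inside 10 s -> quiet until t=35
    (10, "10.1.1.50", True),   # right password, but refused: quiet period
    (12, "10.1.1.9", True),    # exempt host is still admitted
    (40, "10.1.1.50", True),   # quiet period over, normal mode again
    (41, "10.1.1.50", False),  # one failure
    (55, "10.1.1.50", False),  # second failure, but 14 s apart: window expired
]

if __name__ == "__main__":
    guard = LoginBlock(30, 2, 10, ["10.1.1.9/32"])
    for event, outcome in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS, guard)):
        print(event, "->", outcome)
```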

IOS Resilient Config:
----------------------

Used to prevent the config or IOS image from being deleted
-> keeps a secured copy of the config and IOS image in flash/nvram that is hidden from dir output
-> 'secure boot-config' and 'secure boot-image'



LOCAL DATABASE
R1(config)#username CISCO privilege 15 password CISCO123   (sets username and password with privilege level 15 in the LOCAL database)
R1(config)#username ADMIN privilege 7 password ADMIN123    (sets username and password with privilege level 7 in the LOCAL database)
R1(config)#enable password CISCO123                        (sets the unencrypted enable password in the LOCAL database)
R1(config)#enable secret CISCO123                          (sets the encrypted enable password in the LOCAL database)
ENABLE AAA
R1(config)#aaa new-model                                   (enables the AAA new model)
AAA TACACS/RADIUS CONFIG
R1(config)#tacacs-server host 150.100.220.20               (use the TACACS+ server at the IP address 150.100.220.20)
R1(config)#radius-server host 150.100.220.21               (use the RADIUS server at the IP address 150.100.220.21)
R1(config)#tacacs-server key CISCO                         (encrypts communication between R1 and TACACS+ with the key CISCO)
R1(config)#radius-server key CISCO                         (encrypts communication between R1 and RADIUS with the key CISCO)
R1(config)#ip tacacs source-interface loopback 0           (sources TACACS+ packets from the Loopback 0 interface)
R1(config)#ip radius source-interface loopback 0           (sources RADIUS packets from the Loopback 0 interface)
AAA CUSTOMIZATION
R1(config)#aaa authentication password-prompt "Password Required"   (creates a custom password prompt)
R1(config)#aaa authentication username-prompt "Username Required"   (creates a custom username prompt)
R1(config)#aaa authentication banner #                     (creates a custom banner message)
Enter TEXT message.  End with the character '#'.
This system requires authentication#
R1(config)#aaa authentication fail-message #               (creates a custom authentication-failed message)
Enter TEXT message.  End with the character '#'.
Authentication Failed , try again#
AAA AUTHENTICATION
R1(config)#aaa authentication login CONSOLE local                      (configures the router to use LOCAL database authentication)
R1(config)#aaa authentication login VTY group tacacs+ local            (configures the router to use TACACS+ first, then the local database)
R1(config)#aaa authentication login VTY group tacacs+ local-case       (configures the router to use TACACS+ first, then the local database; same as local but makes the password case sensitive)
R1(config)#aaa authentication login VTY group tacacs+ line             (configures the router to use TACACS+ first, then the line password; make sure a password is set under line vty)
R1(config)#aaa authentication enable default group tacacs+ none        (privilege mode is authenticated first against TACACS+, then falls back to no authentication)
R1(config)#aaa authentication attempts login 3                         (specifies the number of valid login attempts)
R1(config)#aaa authentication ppp default group tacacs+ group radius local none   (for all PPP authentication requests use TACACS+, then RADIUS, then LOCAL, then NONE)
LINE PORTS
R1(config)#line con 0
R1(config-line)#login authentication CONSOLE               (log in to the console as specified by the aaa CONSOLE statement above)
R1(config)#line vty 0 15
R1(config-line)#login authentication VTY                   (log in to the vty as specified by the aaa VTY statement above)
R1(config-line)#password CISCO                             (line password used by the aaa VTY statement above that ends in the line method)
AAA AUTHORIZATION
R1(config)#aaa authorization console                                   (enables console authorization)
R1(config)#aaa authorization exec CONSOLE group tacacs+ local          (the console line authorizes users with TACACS+, then the LOCAL database)
R1(config)#aaa authorization exec VTY group tacacs+ if-authenticated   (authorizes any authenticated user if the TACACS+ server fails)
DIFFERENCE BETWEEN NONE AND IF-AUTHENTICATED METHODS:
EXAMPLE 1
R1(config)#aaa authentication login default group tacacs+ none
R1(config)#aaa authorization exec default none
R1(config)#line con 0
R1(config-line)#privilege level 15
If the TACACS+ server is not available, the router allows incoming connections.
EXAMPLE 2
R1(config)#aaa authentication login default group tacacs+ none
R1(config)#aaa authorization exec default if-authenticated
R1(config)#line con 0
R1(config-line)#privilege level 15
If the TACACS+ server is not available, the router grants the login (via the none method) but exec authorization fails.
LINE PORTS
R1(config)#line con 0
R1(config-line)#authorization exec CONSOLE                 (ensures the console line is authorized; see the aaa config above)
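An added model (my own, not Cisco code and not from these notes) of how a method list is walked: a method that cannot answer because the server is unreachable hands over to the next one, while a definite reject stops the list. The scenarios reproduce the "% Authorization failed" case from earlier in this post (tacacs+ only, server down, fixed by appending none) and EXAMPLE 1 and EXAMPLE 2 above; the if-authenticated behaviour follows EXAMPLE 2, and the servers and users are constructed.

```python
from enum import Enum
from typing import Dict, List, Optional


class Result(Enum):
    PASS = "pass"    # the method answered and permitted
    FAIL = "fail"    # the method answered and denied; the list stops here
    ERROR = "error"  # the method could not answer (server unreachable); try the next


class Device:
    """Simplified AAA state of one router; servers and users are constructed."""

    def __init__(self, tacacs_up: bool, tacacs_users: Dict[str, str], local_users: Dict[str, str]):
        self.tacacs_up = tacacs_up
        self.tacacs_users = tacacs_users      # user -> password known to the server
        self.local_users = local_users        # user -> password in the local database
        self.authenticated_by: Optional[str] = None  # method that admitted the user

    def _ask(self, method: str, kind: str, user: str, password: str) -> Result:
        # kind is "login" (check the password) or "exec" (check the user is known)
        if method in ("group tacacs+", "local"):
            if method == "group tacacs+" and not self.tacacs_up:
                return Result.ERROR
            db = self.tacacs_users if method == "group tacacs+" else self.local_users
            ok = db.get(user) == password if kind == "login" else user in db
            return Result.PASS if ok else Result.FAIL
        if method == "none":
            return Result.PASS
        if method == "if-authenticated":
            # As in EXAMPLE 2: a user admitted by "none" was never actually
            # authenticated, so if-authenticated denies.
            return Result.PASS if self.authenticated_by not in (None, "none") else Result.FAIL
        raise ValueError(f"unknown method {method}")

    def _walk(self, methods: List[str], kind: str, user: str, password: str) -> Optional[str]:
        for method in methods:
            result = self._ask(method, kind, user, password)
            if result is Result.PASS:
                return method
            if result is Result.FAIL:
                return None          # a reject is final: no fallback to later methods
            # ERROR: fall through to the next configured method
        return None                  # every method errored: the request is denied

    def login(self, methods: List[str], user: str, password: str) -> bool:
        self.authenticated_by = self._walk(methods, "login", user, password)
        return self.authenticated_by is not None

    def authorize_exec(self, methods: List[str], user: str) -> bool:
        # commands authorization walks the list the same way
        return self._walk(methods, "exec", user, "") is not None


def scenarios() -> Dict[str, bool]:
    users = {"vamsi": "cisco"}
    out: Dict[str, bool] = {}
    # The earlier "% Authorization failed": tacacs+ only, server unreachable
    r = Device(tacacs_up=False, tacacs_users=users, local_users=users)
    r.login(["group tacacs+", "local"], "vamsi", "cisco")
    out["exec, tacacs only, server down"] = r.authorize_exec(["group tacacs+"], "vamsi")
    out["exec, tacacs+none, server down"] = r.authorize_exec(["group tacacs+", "none"], "vamsi")
    # EXAMPLE 1 and EXAMPLE 2 with the server down
    r = Device(tacacs_up=False, tacacs_users=users, local_users={})
    out["ex1 login"] = r.login(["group tacacs+", "none"], "vamsi", "wrong")
    out["ex1 exec none"] = r.authorize_exec(["none"], "vamsi")
    out["ex2 exec if-authenticated"] = r.authorize_exec(["if-authenticated"], "vamsi")
    # Server reachable but rejecting: FAIL stops the list, no fallback to local
    r = Device(tacacs_up=True, tacacs_users={}, local_users=users)
    out["reject does not fall back"] = r.login(["group tacacs+", "local"], "vamsi", "cisco")
    return out
```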

Monday, 2 November 2015

DMVPN

http://packetlife.net/blog/2008/jul/23/dynamic-multipoint-vpn-dmvpn/

DMVPN Phase 1:
==============

HUB:

interface Loopback0
 ip address 150.1.1.1 255.255.255.0

interface Loopback 1
 ip address 10.0.1.1 255.255.255.0
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip nhrp authentication test
 ip nhrp map multicast dynamic
 ip nhrp network-id 99
 tunnel source GigabitEthernet0/0.100
 tunnel mode gre multipoint
end

SPOKE:

interface Loopback0
 ip address 150.1.2.2 255.255.255.0
!
interface Loopback 1
 ip address 10.0.2.2 255.255.255.0
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip nhrp authentication test
 ip nhrp map 10.0.0.1 169.254.100.1
 ip nhrp map multicast 169.254.100.1
 ip nhrp network-id 99
 ip nhrp nhs 10.0.0.1
 tunnel source GigabitEthernet0/0.100
 tunnel destination 169.254.100.1
end


DMVPN Phase 2:
==============

HUB:

interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 no ip next-hop-self eigrp 100
 no ip split-horizon eigrp 100
 ip nhrp authentication test
 ip nhrp map multicast dynamic
 ip nhrp network-id 99
 tunnel source GigabitEthernet0/0.100
 tunnel mode gre multipoint
 tunnel key 10000

SPOKE:

interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ip nhrp authentication test
 ip nhrp map multicast 169.254.100.1
 ip nhrp map 10.0.0.1 169.254.100.1
 ip nhrp network-id 99
 ip nhrp nhs 10.0.0.1
 tunnel source GigabitEthernet0/0.100
 tunnel mode gre multipoint
 tunnel key 10000
end

DMVPN Phase 3:
==============

HUB:

interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 no ip next-hop-self eigrp 100
 no ip split-horizon eigrp 100
 ip nhrp authentication test
 ip nhrp map multicast dynamic
 ip nhrp redirect
 ip nhrp network-id 99
 tunnel source GigabitEthernet0/0.100
 tunnel mode gre multipoint
 tunnel key 10000

SPOKE:

interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ip nhrp authentication test
 ip nhrp map multicast 169.254.100.1
 ip nhrp map 10.0.0.1 169.254.100.1
 ip nhrp network-id 99
 ip nhrp nhs 10.0.0.1
 ip nhrp shortcut
 tunnel source GigabitEthernet0/0.100
 tunnel mode gre multipoint
 tunnel key 10000
end

EIGRP:
=====

DMVPN phase 1:
--------------------

Hub:
-----
interface Tunnel0
ip address 155.1.0.5 255.255.255.0
ip mtu 1400
ip nhrp authentication NHRPAUTH
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip tcp adjust-mss 1360
tunnel source GigabitEthernet1.100
tunnel mode gre multipoint
tunnel key 2
tunnel protection ipsec profile DMVPN_PROFILE
no shutdown
!
router eigrp DMVPN
!
address-family ipv4 unicast autonomous-system 100
!
af-interface default
passive-interface
exit-af-interface
!
af-interface Tunnel0
no passive-interface
no split-horizon
exit-af-interface
!
topology base
exit-af-topology
network 150.1.0.0
network 155.1.0.0

exit-address-family

Spoke:
------

interface Tunnel0
ip address 155.1.0.1 255.255.255.0
ip mtu 1400
ip nhrp authentication NHRPAUTH
ip nhrp map 155.1.0.5 169.254.100.5
ip nhrp map multicast 169.254.100.5
ip nhrp network-id 1
ip nhrp nhs 155.1.0.5
ip tcp adjust-mss 1360
tunnel source GigabitEthernet1.100
tunnel destination 169.254.100.5
tunnel key 2
tunnel protection ipsec profile DMVPN_PROFILE
no shutdown
!
router eigrp DMVPN
!
address-family ipv4 unicast autonomous-system 100
!
af-interface default
passive-interface
exit-af-interface
!
af-interface Tunnel0
no passive-interface
exit-af-interface
!
topology base
exit-af-topology
network 150.1.0.0
network 155.1.0.0
exit-address-family


DMVPN Phase 2:
---------------------

No change on the spoke; on the hub:

router eigrp DMVPN
!
address-family ipv4 unicast autonomous-system 100
!
af-interface default
passive-interface
exit-af-interface
!
af-interface Tunnel0
no next-hop-self
no passive-interface
no split-horizon
exit-af-interface
!
topology base
exit-af-topology
network 150.1.0.0
network 155.1.0.0
exit-address-family

OSPF:
====

DMVPN phase 1:
--------------------

Hub:
-----
interface Tunnel0
ip address 155.1.0.5 255.255.255.0
ip mtu 1400
ip nhrp authentication NHRPAUTH
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip tcp adjust-mss 1360
tunnel source GigabitEthernet1.100
tunnel mode gre multipoint
tunnel key 2
tunnel protection ipsec profile DMVPN_PROFILE
ip ospf network point-to-multipoint
ip ospf hello-interval 10
no shutdown
!
router ospf 1
network 150.1.0.0 0.0.255.255 area 0
network 155.1.0.0 0.0.0.255 area 0

Spoke:
------
interface Tunnel0
ip address 155.1.0.1 255.255.255.0
ip mtu 1400
ip nhrp authentication NHRPAUTH
ip nhrp map 155.1.0.5 169.254.100.5
ip nhrp map multicast 169.254.100.5
ip nhrp network-id 1
ip nhrp nhs 155.1.0.5
ip tcp adjust-mss 1360
tunnel source GigabitEthernet1.100
tunnel destination 169.254.100.5
tunnel key 2
tunnel protection ipsec profile DMVPN_PROFILE
no shutdown
!
router ospf 1
network 150.1.0.0 0.0.255.255 area 0
network 155.1.0.0 0.0.0.255 area 0


DMVPN Phase 2:
---------------------

Hub:
-----
interface Tunnel0
ip address 155.1.0.5 255.255.255.0
ip mtu 1400
ip nhrp authentication NHRPAUTH
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip tcp adjust-mss 1360
tunnel source GigabitEthernet1.100
tunnel mode gre multipoint
tunnel key 2
tunnel protection ipsec profile DMVPN_PROFILE
ip ospf 1 area 0
ip ospf priority 255
ip ospf network broadcast
no shutdown
!

Spoke:
------
interface Tunnel0
ip address 155.1.0.1 255.255.255.0
ip mtu 1400
ip nhrp authentication NHRPAUTH
ip nhrp map 155.1.0.5 169.254.100.5
ip nhrp map multicast 169.254.100.5
ip nhrp network-id 1
ip nhrp nhs 155.1.0.5
ip tcp adjust-mss 1360
tunnel source GigabitEthernet1.100
tunnel mode gre multipoint
tunnel key 2
tunnel protection ipsec profile DMVPN_PROFILE
ip ospf 1 area 0
ip ospf priority 0
ip ospf network broadcast
no shutdown
!