Download Implementing Cisco Enterprise Advanced Routing and Services (300-410 ENARSI).300-410.Pass4Sure.2024-11-10.180q.tqb

Vendor: Cisco
Exam Code: 300-410
Exam Name: Implementing Cisco Enterprise Advanced Routing and Services (300-410 ENARSI)
Date: Nov 10, 2024
File Size: 7 MB


Demo Questions

Question 1
You issue the following commands on a Cisco router:  
 
Router(config)#access-list 111 deny tcp host 10.2.3.4 any eq ssh  
Router(config)#access-list 111 permit tcp any any eq ssh  
Router(config)#class-map secure-shell  
Router(config-cmap)#match access-group 111  
Router(config-cmap)#exit  
Router(config)#policy-map CoPP-policy  
Router(config-pmap)#class secure-shell  
Router(config-pmap-c)#drop  
Router(config-pmap-c)#exit  
Router(config-pmap)#exit  
Router(config)#control-plane  
Router(config-cp)#service-policy input CoPP-policy  
Router(config-cp)#exit  
 
Which of the following statements is true regarding the resulting configuration?   
  1.  SSH traffic from the host 10.2.3.4 is unaffected by the policy map. 
  2.  Only SSH traffic from the host 10.2.3.4 is dropped by the policy map.  
  3.  Only SSH traffic destined to the router is dropped by the policy map.  
  4.  All SSH traffic is dropped by the policy map. 
Correct answer: A
Explanation:
Secure Shell (SSH) traffic from the host 10.2.3.4 is unaffected by the policy map. The policy-map in this scenario is a Control Plane Policing (CoPP) policy. CoPP is a Cisco IOS QoS feature that is designed to protect the control and management planes of a router or a switch. Because CoPP is a QoS feature, you must use the Cisco IOS modular QoS command-line interface (MQC) to define and implement a CoPP policy. You can create a CoPP policy by performing four basic steps in the following order:  
 
1. Define a class map.  
2. Define a policy map.  
3. Enter control plane configuration mode.  
4. Apply a Quality of Service (QoS) policy.  
 
To create a CoPP policy, you must first define a traffic class. A traffic class identifies packets 
based on parameters that you specify. You should issue the class-map command to create a traffic class and to place the device in class-map configuration mode. From class-map configuration mode, you can use match statements to identify the characteristics of the traffic that will belong to the traffic class you have defined. A match statement can natively identify traffic based on IP precedence or Differentiated Services Code Point (DSCP) values. Alternatively, you can specify an access control list (ACL) in a match statement for greater control. For example, the command set below creates an ACL that identifies SSH traffic, defines a traffic class named secure-shell, and then uses the ACL in a match statement for the traffic class:   
Router(config)#access-list 111 deny tcp host 10.2.3.4 any eq ssh  
Router(config)#access-list 111 permit tcp any any eq ssh  
Router(config)#class-map secure-shell  
Router(config-cmap)#match access-group 111  
Router(config-cmap)#exit  
 
Because ACL 111 denies SSH traffic that originates from the host 10.2.3.4, SSH traffic from that host is unaffected by the class-map named secure-shell and any service policies in which that class is used. It is important to note that if an ACL has a deny statement and the ACL is used in a match statement of a class-map, then the effect of the class map or the policy-map in which the class map is used will not be applied to the denied traffic.   
Next, you should issue the policy-map command to create a policy map and to enter policy-map configuration mode. A policy map ties a traffic class to a QoS policy. A policy map is used to define actions that are performed on packets identified in a particular class map. For example, the command set below creates a policy map named CoPP-policy and then specifies that any packets identified by the traffic class named secure-shell should be dropped.  
 
Router(config)#policy-map CoPP-policy 
Router(config-pmap)#class secure-shell  
Router(config-pmap-c)#drop  
Router(config-pmap-c)#exit  
Router(config-pmap)#exit  
 
Finally, you should issue the control-plane command to enter control plane configuration mode and then issue the service-policy command to apply a QoS policy. Because the control plane is treated like an interface on the device, you can apply a service policy in the inbound or outbound direction. Typically, CoPP service policies are applied in the inbound direction. The command set below places the router into control plane configuration mode and then applies the service policy named CoPP-policy to the control plane in the inbound direction.  
 
Router(config)#control-plane  
Router(config-cp)#service-policy input CoPP-policy  
Router(config-cp)#exit  
 
Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_2sb/feature/guide/cpp.html#wp1094638
 
CCNP Enterprise Advanced Routing ENARSI 300-410 Official Cert Guide, Chapter 15: Route Maps and Conditional Forwarding, Access Control Lists (ACLs)

CCNP Enterprise Advanced Routing ENARSI 300-410 Official Cert Guide, Chapter 21: Troubleshooting ACLs and Prefix Lists, Troubleshooting IPv4 ACLs

CCNP Enterprise Advanced Routing ENARSI 300-410 Official Cert Guide, Chapter 22: Infrastructure Security, Troubleshooting Control Plane Policing (CoPP)
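To make the classification rule concrete, here is an added Python model (not from the exam page or from Cisco IOS) that applies ACL 111 and the CoPP policy above to a few constructed packets: a deny hit or the implicit deny keeps a packet out of the class, so the drop action never touches it. The port keyword table, the packet fields and the router address 10.0.0.1 are assumptions of the example.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# TCP port keywords accepted in the ACL syntax (only the ones this example needs).
PORT_NAMES = {"ssh": 22, "telnet": 23, "bgp": 179}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    to_control_plane: bool  # True when the router itself is the destination


@dataclass(frozen=True)
class AclEntry:
    action: str        # "permit" or "deny"
    proto: str         # "tcp", "udp", "ip", ...
    src: str           # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W"
    dst: str
    dport: int | None  # destination port from "eq PORT", if present


def _addr_match(spec: str, ip: str) -> bool:
    """'any' matches all; 'host X' matches X; 'X W' ignores the wildcard's set bits."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return ip == parts[1]
    base, wild = (int(ipaddress.IPv4Address(p)) for p in parts)
    return (int(ipaddress.IPv4Address(ip)) ^ base) & ~wild == 0


def parse_acl_line(line: str) -> tuple[int, AclEntry]:
    """Parse 'access-list N {permit|deny} PROTO SRC DST [eq PORT]' (extended ACL,
    destination port only, which is all the question's configuration uses)."""
    tokens = line.split("#", 1)[-1].split()   # drop the 'Router(config)#' prompt
    number, action, proto, rest = int(tokens[1]), tokens[2], tokens[3], tokens[4:]
    addrs = []
    for _ in range(2):                        # source spec, then destination spec
        width = 1 if rest[0] == "any" else 2
        addrs.append(" ".join(rest[:width]))
        rest = rest[width:]
    dport = None
    if rest[:1] == ["eq"]:
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    return number, AclEntry(action, proto, addrs[0], addrs[1], dport)


def acl_permits(entries: list[AclEntry], pkt: Packet) -> bool:
    """First matching entry wins; an ACL ends with an implicit 'deny any'."""
    for e in entries:
        if e.proto not in ("ip", pkt.proto):
            continue
        if not (_addr_match(e.src, pkt.src) and _addr_match(e.dst, pkt.dst)):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action == "permit"
    return False


def copp_verdict(acl: list[AclEntry], pkt: Packet) -> str:
    """Outcome under 'policy-map CoPP-policy' (class secure-shell -> drop).
    Traffic the ACL denies is outside the class, so the drop never applies to it;
    transit traffic never reaches the control plane, so CoPP never sees it."""
    if not pkt.to_control_plane:
        return "forwarded (transit traffic, not subject to CoPP)"
    if acl_permits(acl, pkt):
        return "dropped by class secure-shell"
    return "passed to control plane (class-default, no action configured)"


CONFIG = [
    "Router(config)#access-list 111 deny tcp host 10.2.3.4 any eq ssh",
    "Router(config)#access-list 111 permit tcp any any eq ssh",
]
ACL_111 = [entry for number, entry in map(parse_acl_line, CONFIG) if number == 111]

# Constructed sample packets; 10.0.0.1 stands in for the router's own address.
SAMPLES = {
    "ssh from 10.2.3.4 to router": Packet("tcp", "10.2.3.4", "10.0.0.1", 22, True),
    "ssh from 10.9.9.9 to router": Packet("tcp", "10.9.9.9", "10.0.0.1", 22, True),
    "ssh from 10.9.9.9 in transit": Packet("tcp", "10.9.9.9", "10.0.0.2", 22, False),
    "bgp from 10.9.9.9 to router": Packet("tcp", "10.9.9.9", "10.0.0.1", 179, True),
}


def evaluate_samples() -> dict[str, str]:
    return {name: copp_verdict(ACL_111, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:30} -> {verdict}")
```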
Question 2
Select the descriptions from the left, and drag them to the appropriate column on the right. Fill all boxes on the right. Descriptions can be used more than once. 
Correct answer: To display the answer, ProfExam Simulator is required.
Explanation:
Traffic policing is used to slow down traffic to a value that the medium can support, to enforce Service Level Agreement (SLA) limits at the service provider edge, and to re-mark traffic that exceeds the SLA. With traffic policing, traffic that exceeds the committed information rate (CIR) either will be dropped or will have its QoS markings modified to increase the likelihood of its being dropped farther along the transit path. Traffic policing compares the current rate of a class of traffic to its configured maximum rate.  
You can use the police command in policy-map class configuration mode to explicitly configure traffic policing. The syntax of the police command is dependent on the type of traffic policing that will be configured. For example, to configure traffic policing based on a CIR, the police cir command should be used. The syntax for the police cir command is police cir bps [[bc] normal-burst-bytes [maximum-burst-bytes | [be] [burst-bytes]]] [pir bps [be burst-bytes]] [conform-action action [exceed-action action [violate-action action]]], where the optional bps represents the CIR expressed in bits-per-second (bps) and normal-burst-bytes represents the committed burst size expressed in bytes. For example, the police cir 1000000 bc 1000 command configures a CIR of 1000000 bps and a committed burst size of 1000 bytes.  
By contrast, traffic shaping changes in response to network conditions. Traffic shaping is used to slow down traffic due to congestion, to enforce bandwidth rates, and to send traffic classes at different rates. Unlike traffic policing, traffic shaping is not applied to inbound and outbound traffic; it is applied to outbound traffic only.  
You can use the shape command in policy-map class configuration mode to explicitly configure traffic shaping. The syntax of the shape command is shape {average | peak} cir [bc] [be], where cir is the CIR expressed in bps, bc is the committed burst size specified in bits, and be is the excess burst size specified in bits. The CIR can be expressed in shorthand by using a postfix notation of k for kilobits, m for megabits, or g for gigabits. For example, the shape average 1000k 500 500 command configures a CIR of 1000 kilobits, a committed burst size of 500 bits, and an excess burst size of 500 bits.  
Traffic policing does not buffer excess traffic. Instead, excess traffic is dropped or re-marked and transmitted. Therefore, traffic policing does not create queuing delay. By contrast, traffic shaping buffers excess traffic in memory and drops the excess traffic only if the queue is full. Because traffic shaping does not re-mark traffic, it can create queuing delay, particularly when queues are large and traffic flow is heavy. 
Traffic policing is typically performed at the service provider edge, not at the customer edge (CE) device. Traffic policing is applied to inbound and outbound traffic on the interface that is connected to the customer. By contrast, traffic shaping is typically performed at the CE device. Traffic shaping is applied to outbound traffic that passes through the interface that is connected to the service provider.  
Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_2sb/feature/guide/cpp.html#wp1094638 
https://www.cisco.com/c/en/us/support/docs/quality-of-service-qos/qos-policing/19645-policevsshape.html 
CCNP Enterprise Advanced Routing ENARSI 300-410 Official Cert Guide, Chapter 22: Infrastructure Security, Troubleshooting Control Plane Policing (CoPP)
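The buffering difference is easiest to see in a token-bucket simulation. This is an added example, not from the exam page or from Cisco: both mechanisms share one bucket sized from the police cir 1000000 bc 1000 values above (the shaper's bit-denominated bc/be are not modelled separately), the arrival pattern and the queue limit are constructed, and the shaper is assumed to be a FIFO that drops only when its queue is full and never re-marks.

```python
from __future__ import annotations


def parse_rate(text: str) -> int:
    """IOS rate shorthand from the explanation: '1000k' -> 1_000_000 bps; 'm', 'g' likewise."""
    suffix = text[-1].lower()
    mult = {"k": 1_000, "m": 1_000_000, "g": 1_000_000_000}
    return int(text[:-1]) * mult[suffix] if suffix in mult else int(text)


def police(packets: list[tuple[float, int]], cir_bps: int, bc_bytes: int):
    """Single-rate policer with exceed-action drop.  Nothing is buffered: a packet
    either finds enough tokens (conform) at its arrival instant or is discarded."""
    rate = cir_bps / 8.0                       # bucket refills in bytes per second
    tokens, last = float(bc_bytes), 0.0
    conform, exceed = [], []
    for arrival, size in packets:              # packets must be in arrival order
        tokens = min(float(bc_bytes), tokens + rate * (arrival - last))
        last = arrival
        if size <= tokens:
            tokens -= size
            conform.append(arrival)
        else:
            exceed.append(arrival)             # no tokens taken, packet dropped
    return conform, exceed


def shape(packets: list[tuple[float, int]], cir_bps: int, bc_bytes: int, queue_limit: int):
    """Shaper with the same token bucket, but excess packets wait in a FIFO queue
    until tokens accrue.  Drops happen only when the queue is full.
    Returns ([(arrival, send_time), ...], [dropped arrival times])."""
    rate = cir_bps / 8.0
    tokens, clock = float(bc_bytes), 0.0       # clock = when the last packet left
    sent, dropped = [], []
    for arrival, size in packets:
        backlog = sum(1 for _, s in sent if s > arrival)   # packets still queued
        if backlog >= queue_limit:
            dropped.append(arrival)
            continue
        now = max(arrival, clock)              # FIFO: cannot leave before its predecessor
        tokens = min(float(bc_bytes), tokens + rate * (now - clock))
        wait = 0.0 if size <= tokens else (size - tokens) / rate
        tokens = 0.0 if wait else tokens - size   # waiting drains the bucket exactly
        clock = now + wait
        sent.append((arrival, clock))
    return sent, dropped


def compare(packets, cir_bps: int, bc_bytes: int, queue_limit: int = 64) -> dict:
    """Run the same traffic through both mechanisms and summarise the outcome."""
    conform, exceed = police(packets, cir_bps, bc_bytes)
    sent, dropped = shape(packets, cir_bps, bc_bytes, queue_limit)
    return {
        "policer_conform": len(conform),
        "policer_exceed": len(exceed),
        "shaper_sent": len(sent),
        "shaper_dropped": len(dropped),
        "shaper_max_delay_ms": max(s - a for a, s in sent) * 1000.0,
    }


# Constructed arrival pattern: a 2000-byte burst of 100-byte packets at t = 0,
# then five packets spaced 1 ms apart, well under the CIR.
SAMPLE_TRAFFIC = [(0.0, 100)] * 20 + [(0.010 + i * 0.001, 100) for i in range(5)]
CIR = parse_rate("1000k")   # 1,000,000 bps, as in 'police cir 1000000' / 'shape average 1000k'
BC = 1000                    # committed burst in bytes, as in 'police cir 1000000 bc 1000'

if __name__ == "__main__":
    for label, limit in (("deep queue", 64), ("queue_limit=5", 5)):
        print(label, compare(SAMPLE_TRAFFIC, CIR, BC, limit))
```

With the 1000-byte bucket the policer passes ten packets of the burst and drops the other ten with zero delay, while the shaper delivers all twenty but holds the last one for 8 ms; shrinking the queue to five slots is what makes the shaper start dropping.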
Question 3
 
You administer the network shown above. 
Which of the following commands should you issue on RouterB to ensure that only the route to 192.168.5.0/24 will not be advertised to RouterA? 
  1. RouterB(config)#access-list 10 deny 192.168.5.0 0.0.0.255  
    RouterB(config)#access-list 10 permit any  
    RouterB(config)#router eigrp 20  
    RouterB(config-router)#distribute-list 10 in S0/0  
  2.  RouterB(config)#access-list 10 deny 192.168.5.0 255.255.255.0  
    RouterB(config)#access-list 10 permit any  
    RouterB(config)#router eigrp 20  
    RouterB(config-router)#distribute-list 10 in S0/0  
  3.  RouterB(config)#access-list 10 deny 192.168.5.0 0.0.0.255  
    RouterB(config)#access-list 10 permit any  
    RouterB(config)#router eigrp 20  
    RouterB(config-router)#distribute-list 10 out S0/0  
  4.  RouterB(config)#access-list 10 deny 192.168.5.0 255.255.255.0  
    RouterB(config)#access-list 10 permit any  
    RouterB(config)#router eigrp 20  
    RouterB(config-router)#distribute-list 10 out S0/0  
Correct answer: C
Explanation:
You should issue the following commands on RouterB to ensure that the route to 192.168.5.0/24 will not be advertised to RouterA:  
 
RouterB(config)#access-list 10 deny 192.168.5.0 0.0.0.255  
RouterB(config)#access-list 10 permit any  
RouterB(config)#router eigrp 20  
RouterB(config-router)#distribute-list 10 out S0/0  
 
The access-list 10 deny 192.168.5.0 0.0.0.255 command defines a standard IP access list named 10 with a default action of deny that will match the 192.168.5.0/24 network. The syntax for creating a standard IP access list is access-list access-list-number {deny | permit} {any | source [source-wildcard]}. The access-list-number can be a number from 1 through 99 or from 1300 through 1399. The permit keyword filters all IP addresses or prefixes that do not match the source IP address and the optional source-wildcard mask. The deny keyword filters only IP addresses or prefixes that match the source IP address and the optional source-wildcard mask. A wildcard mask, not a subnet mask, is required for IP access lists; a wildcard mask is basically a reverse subnet mask that indicates which bits are ignored when determining whether an address is affected by the access list. To calculate the appropriate wildcard mask, you should subtract the subnet mask from 255.255.255.255. For example, the 192.168.5.0 network has a 24-bit subnet mask, which is 255.255.255.0. Subtracting 255.255.255.0 from 255.255.255.255 yields a wildcard mask of 0.0.0.255.  
 
The access-list 10 permit any command adds an additional statement to access list 10; this statement permits any routes that have not been filtered by the access-list 10 deny 192.168.5.0 0.0.0.255 command. The any keyword can be used in place of a source IP address and source-wildcard mask to indicate that any IP address or prefix will satisfy the access list. Access lists also have an implicit deny any statement that is applied to any routes that have not been explicitly permitted or denied by previous access-list statements. Access lists are processed in sequential order, and the first match found dictates what action is taken. Once a match has been found, no further access-list statements are processed.  
 
The router eigrp 20 command places the router into router configuration mode for Enhanced Interior Gateway Routing Protocol (EIGRP) autonomous system (AS) 20. The distribute-list 10 out S0/0 command filters outbound route advertisements on interface S0/0 that match access list 10.  
 
The following commands will not prevent the route to 192.168.5.0/24 from being advertised to RouterA:  
 
RouterB(config)#access-list 10 deny 192.168.5.0 0.0.0.255  
RouterB(config)#access-list 10 permit any  
RouterB(config)#router eigrp 20  
RouterB(config-router)#distribute-list 10 in S0/0  
 
The distribute list defined by the distribute-list 10 in S0/0 command filters inbound route advertisements on interface S0/0 that match access list 10; outbound route advertisements are not affected. Only routes advertised from RouterA to RouterB enter through the S0/0 interface. The route to network 192.168.5.0/24 is advertised from RouterC to RouterB through the S0/1 interface and is therefore unaffected by the distribute-list 10 in S0/0 command. Distribute lists are often used with two-way redistribution in order to prevent routing loops.  
 
The following commands will not prevent only the route to 192.168.5.0/24 from being advertised to RouterA:  
RouterB(config)#access-list 10 deny 192.168.5.0 255.255.255.0  
RouterB(config)#access-list 10 permit any  
RouterB(config)#router eigrp 20  
RouterB(config-router)#distribute-list 10 out S0/0  
 
The standard IP access list defined by the access-list 10 deny 192.168.5.0 255.255.255.0 command specifies a subnet mask of 255.255.255.0 instead of a wildcard mask of 0.0.0.255. When the access list is applied by using the distribute-list 10 out S0/0 command, this wildcard mask filters all the networks in the AS; thus, the networks are not sent to RouterA. A wildcard mask, not a subnet mask, is required for IP access lists. To calculate the appropriate wildcard mask, subtract the subnet mask from 255.255.255.255.   
The following commands will not prevent only the route to 192.168.5.0/24 from being advertised to RouterA:   
RouterB(config)#access-list 10 deny 192.168.5.0 255.255.255.0  
RouterB(config)#access-list 10 permit any  
RouterB(config)#router eigrp 20  
RouterB(config-router)#distribute-list 10 in S0/0  
 
The standard IP access list defined by the access-list 10 deny 192.168.5.0 255.255.255.0 command also incorrectly specifies the subnet mask of 255.255.255.0 as the wildcard mask. When the access list is applied by using the distribute-list 10 in S0/0 command on RouterB, the wildcard mask filters all the networks that RouterA advertises to RouterB but does not prevent routes from being advertised from RouterB to RouterA.  
Reference: https://www.cisco.com/c/en/us/support/docs/ip/interior-gateway-routing-protocol-igrp/9105-34.html 
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_eigrp/configuration/xe-16-12/ire-xe-16-12-book/eigrp-route-map.html#GUID-FEA676E4-4D36-45E1-9CD4-21DF654941B3 
CCNP Enterprise Advanced Routing ENARSI 300-410 Official Cert Guide, Chapter 12: Advanced BGP, Distribution List Filtering
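The following added Python model (not from the exam page or from Cisco IOS) runs all four answer choices through a simulated RouterB and reports what it keeps from RouterA and what it advertises back, so the effect of the wildcard mask and of the in/out direction can be compared side by side. The topology (which routes arrive on S0/0 and S0/1, the connected network 172.16.0.0/16) and the split-horizon assumption are constructed for the example.

```python
from __future__ import annotations

import ipaddress

ALL_ONES = 0xFFFFFFFF


def wildcard_from_prefixlen(prefixlen: int) -> str:
    """255.255.255.255 minus the subnet mask, exactly as the explanation computes it."""
    subnet_mask = ALL_ONES ^ ((1 << (32 - prefixlen)) - 1)
    return str(ipaddress.IPv4Address(ALL_ONES - subnet_mask))


def wildcard_match(address: str, base: str, wildcard: str) -> bool:
    """Wildcard bits set to 1 are ignored; every other bit must equal the base."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (address, base, wildcard))
    return (a ^ b) & (ALL_ONES ^ w) == 0


def parse_standard_acls(config: list[str]) -> dict[int, list[tuple[str, str, str]]]:
    """Collect 'access-list N {permit|deny} {any | A.B.C.D [W.W.W.W]}' lines by number."""
    acls: dict[int, list[tuple[str, str, str]]] = {}
    for line in config:
        tokens = line.split("#", 1)[-1].split()       # drop the 'RouterB(config)#' prompt
        if tokens[:1] != ["access-list"]:
            continue
        number, action = int(tokens[1]), tokens[2]
        if tokens[3] == "any":
            base, wild = "0.0.0.0", "255.255.255.255"
        else:                                          # omitted wildcard means a single host
            base, wild = tokens[3], (tokens[4] if len(tokens) > 4 else "0.0.0.0")
        acls.setdefault(number, []).append((action, base, wild))
    return acls


def acl_permits(entries: list[tuple[str, str, str]], prefix: str) -> bool:
    """Sequential evaluation, first match wins, implicit 'deny any' at the end."""
    network = prefix.split("/")[0]
    for action, base, wild in entries:
        if wildcard_match(network, base, wild):
            return action == "permit"
    return False


# Constructed RouterB view (the diagram is not on the page): routes learned per
# interface, plus one connected network.  RouterA is reached through S0/0.
LEARNED = {
    "S0/0": ["10.1.1.0/24"],                        # advertised by RouterA
    "S0/1": ["192.168.5.0/24", "192.168.6.0/24"],   # advertised by RouterC
}
CONNECTED = ["172.16.0.0/16"]


def simulate(config: list[str]) -> dict[str, list[str]]:
    """Apply the configured distribute list on RouterB.  Split horizon is assumed:
    routes learned on S0/0 are never sent back out S0/0."""
    entries = parse_standard_acls(config)
    dl = next(l.split("#", 1)[-1].split() for l in config if "distribute-list" in l)
    acl, direction, interface = entries[int(dl[1])], dl[2], dl[3]
    learned = {ifc: list(routes) for ifc, routes in LEARNED.items()}
    if direction == "in":        # an inbound list prunes only what arrives on that interface
        learned[interface] = [r for r in learned[interface] if acl_permits(acl, r)]
    outbound = CONNECTED + [r for ifc, rs in learned.items() if ifc != "S0/0" for r in rs]
    if direction == "out" and interface == "S0/0":
        outbound = [r for r in outbound if acl_permits(acl, r)]
    return {"learned_from_router_a": learned["S0/0"],
            "advertised_to_router_a": sorted(outbound)}


def option(wildcard: str, direction: str) -> list[str]:
    return [
        f"RouterB(config)#access-list 10 deny 192.168.5.0 {wildcard}",
        "RouterB(config)#access-list 10 permit any",
        "RouterB(config)#router eigrp 20",
        f"RouterB(config-router)#distribute-list 10 {direction} S0/0",
    ]


# The question's four answer choices in order (A = option 1 ... D = option 4).
OPTIONS = {
    "A": option("0.0.0.255", "in"),
    "B": option("255.255.255.0", "in"),
    "C": option("0.0.0.255", "out"),
    "D": option("255.255.255.0", "out"),
}


def evaluate_options() -> dict[str, dict[str, list[str]]]:
    return {name: simulate(cfg) for name, cfg in OPTIONS.items()}


if __name__ == "__main__":
    for name, result in evaluate_options().items():
        print(name, result)
```

Note that 255.255.255.0 used as a wildcard compares only the last octet, so every network address ending in .0 (all of them in this topology) matches the deny entry; that is why option D empties the advertisement and option B discards everything RouterA sends while leaving the outbound advertisement untouched.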
Question 4
Which of the following IPv6 first-hop security features builds and maintains a trusted binding table for SLAAC addresses? 
  1.  IPv6 Source Guard  
  2.  IPv6 RA Guard  
  3.  DHCPv6 Guard  
  4.  IPv6 ND Inspection 
Correct answer: D
Explanation:
IP version 6 (IPv6) Neighbor Discovery (ND) Inspection is an IPv6 first-hop security feature that builds and maintains a trusted binding table for Stateless Address Autoconfiguration (SLAAC) addresses. The binding table maps trusted IPv6 addresses to Media Access Control (MAC) addresses. Data for the binding table can come from several different sources on a router such as IPv6 ND Inspection, which is also known as IPv6 snooping, and IPv6 gleaning, which uses Dynamic Host Configuration Protocol for IPv6 (DHCPv6) information to populate the binding table. If the device reboots, the binding table is automatically recovered.  

IPv6 ND inspection examines the data in ND messages and adds entries to the binding table, which include the IPv6 address, the MAC address, the received interface, and the associated VLAN. If an entry already exists, the data in the binding table will be compared with the data in the ND message. If the data does not match, the ND message will be discarded. Because IPv6 ND Inspection maintains mappings between MAC addresses and IPv6 addresses, it is considered to operate at Layer 2 of the Open Systems Interconnection (OSI) model.  

IPv6 Source Guard uses data from the IPv6 binding table to filter unauthorized traffic. Because IPv6 ND Inspection can filter only ND messages, other security features must be used to filter unauthorized data traffic. IPv6 Source Guard uses the binding table data that was populated by IPv6 ND Inspection and IPv6 gleaning to determine whether traffic passing through an interface is from an unknown or unauthorized source. Traffic from known sources is permitted to flow unhindered, whereas traffic from unknown or unauthorized sources is discarded.  

DHCPv6 Guard is an IPv6 first-hop security feature that can be used to mitigate Denial of Service (DoS) attacks that attempt to exploit weaknesses in the DHCP process. With DHCPv6 Guard, trusted DHCP servers and clients are tracked along with their associated local interfaces. If DHCP advertisement or reply messages are detected from untrusted servers or on untrusted ports, they can be blocked before they reach any potential client devices. DHCPv6 Guard prevents traffic from unauthorized DHCP servers and relays, but it does not interfere with client traffic, such as DHCP request messages.  

IPv6 Router Advertisement (RA) Guard is an IPv6 first-hop security feature that filters Layer 2 advertisements and redirects from unauthorized devices. RA messages are transmitted periodically by routers to inform other devices on the network of their capabilities. Host devices can use RA messages to dynamically determine IPv6 configuration information such as their network prefix, their SLAAC address, and their default route. Because host devices do not scrutinize RA messages, they can be vulnerable to redirects and other forms of traffic manipulation by unauthorized routers. With IPv6 RA Guard, you can create policies to verify, control, and filter RA messages.  

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/15-e/ip6f-15-e-book/ip6-dhcpv6-guard.html#GUID-A69D7EF0-4C23-42B5-A78C-51430AE4BDB4 
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/15-e/ip6f-15-e-book/ip6-snooping.html#GUID-706C02E3-18F6-4FBB-9882-145D7CDC57F3 
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/15-e/ip6f-15-e-book/ip6f-15-e-book_chapter_0110.html#GUID-F19C46FE-F0C2-441A-80B7-054C30A85985 
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/15-e/ip6f-15-e-book/ip6-ra-guard.html#GUID-C6F564CF-E355-4917-9978-3F06BB1E009C 
CCNP Enterprise Advanced Routing ENARSI 300-410 Official Cert Guide, Chapter 22: Infrastructure Security, IPv6 First-Hop Security
IP version 6 (IPv6) Neighbor Discovery (ND) Inspection is an IPv6 first-hop security feature that builds and maintains a trusted binding table for Stateless Address Autoconfiguration (SLAAC) addresses. The binding table maps trusted IPv6 addresses to Media Access Control (MAC) addresses. Data for the binding table can come from several different sources on a router such as IPv6 ND Inspection, which is also known as IPv6 snooping, and IPv6 gleaning, which uses Dynamic Host Configuration Protocol for IPv6 (DHCPv6) information to populate the binding table. If the device reboots, the binding table is automatically recovered.  
 
IPv6 ND inspection examines the data in ND messages and adds entries to the binding table, which include the IPv6 address, the MAC address, the received interface, and the associated VLAN. If an entry already exists, the data in the binding table will be compared with the data in the ND message. If the data does not match, the ND message will be discarded. Because IPv6 ND Inspection maintains mappings between MAC addresses and IPv6 addresses, it is considered to operate at Layer 2 of the Open Systems Interconnection (OSI) model.  
 
IPv6 Source Guard uses data from the IPv6 binding table to filter unauthorized traffic. Because IPv6 ND Inspection can filter only ND messages, other security features must be used to filter unauthorized data traffic. IPv6 Source Guard uses the binding table data that was populated by IPv6 ND Inspection and IPv6 gleaning to determine whether traffic passing through an interface is from an unknown or unauthorized source. Traffic from known sources is permitted to flow unhindered, whereas traffic from unknown or unauthorized sources is discarded.  
 
DHCPv6 Guard is an IPv6 first-hop security feature that can be used to mitigate Denial of Service (DoS) attacks that attempt to exploit weaknesses in the DHCP process. With DHCPv6 Guard, trusted DHCP servers and clients are tracked along with their associated local interfaces. If DHCP advertisement or reply messages are detected from untrusted servers or on untrusted ports, they can be blocked before they reach any potential client devices. DHCPv6 Guard prevents traffic from unauthorized DHCP servers and relays, but it does not interfere with client traffic, such as DHCP request messages.  
 
IPv6 Router Advertisement (RA) Guard is an IPv6 first-hop security feature that filters Layer 2 advertisements and redirects from unauthorized devices. RA messages are transmitted periodically by routers to inform other devices on the network of their capabilities. Host devices can use RA messages to dynamically determine IPv6 configuration information such as their network prefix, their SLAAC address, and their default route. Because host devices do not scrutinize RA messages, they can be vulnerable to redirects and other forms of traffic manipulation by unauthorized routers. With IPv6 RA Guard, you can create policies to verify, control, and filter RA messages.  
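The following is an added example, not code from the exam vendor or from Cisco, that models the binding-table logic the explanation above describes: DHCPv6 gleaning populates the table, ND inspection learns unknown sources and discards messages that conflict with an existing entry, and Source Guard forwards data traffic only from a source that matches a binding. The class and method names, the addresses, MAC addresses and port names are all constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One row of the IPv6 binding table: address, link-layer address, ingress port, VLAN."""
    ipv6: str
    mac: str
    interface: str
    vlan: int


class BindingTable:
    """Toy model of the first-hop-security binding table shared by ND inspection and Source Guard."""

    def __init__(self):
        self._entries = {}  # (vlan, ipv6) -> Binding

    def glean_dhcpv6(self, ipv6, mac, interface, vlan):
        """IPv6 gleaning: populate the table from an observed DHCPv6 lease."""
        self._entries[(vlan, ipv6)] = Binding(ipv6, mac, interface, vlan)

    def inspect_nd(self, ipv6, mac, interface, vlan):
        """ND inspection: learn unknown sources, accept consistent ones, discard conflicting ones."""
        key = (vlan, ipv6)
        existing = self._entries.get(key)
        if existing is None:
            self._entries[key] = Binding(ipv6, mac, interface, vlan)
            return "learned"
        if (existing.mac, existing.interface) == (mac, interface):
            return "match"
        # Same IPv6 address claimed from another MAC or port: the ND message is dropped
        # and the trusted binding is left untouched.
        return "discarded"

    def source_guard(self, ipv6, mac, interface, vlan):
        """IPv6 Source Guard: data traffic is forwarded only if its source matches a binding."""
        entry = self._entries.get((vlan, ipv6))
        return entry is not None and (entry.mac, entry.interface) == (mac, interface)


def demo():
    """Constructed scenario on VLAN 10 (addresses and ports are made up)."""
    table = BindingTable()
    table.glean_dhcpv6("2001:db8::10", "00:11:22:33:44:55", "Gi1/0/1", 10)
    results = []
    # ND message that agrees with the gleaned binding
    results.append(table.inspect_nd("2001:db8::10", "00:11:22:33:44:55", "Gi1/0/1", 10))
    # same address claimed from a different MAC on a different port
    results.append(table.inspect_nd("2001:db8::10", "de:ad:be:ef:00:01", "Gi1/0/7", 10))
    # a SLAAC address seen for the first time is added to the table
    results.append(table.inspect_nd("2001:db8::20", "00:11:22:33:44:66", "Gi1/0/2", 10))
    # Source Guard: known source forwarded, unknown source discarded
    results.append(table.source_guard("2001:db8::20", "00:11:22:33:44:66", "Gi1/0/2", 10))
    results.append(table.source_guard("2001:db8::99", "00:11:22:33:44:77", "Gi1/0/3", 10))
    return results


if __name__ == "__main__":
    print(demo())
```

The model keys bindings on (VLAN, IPv6 address), so the same address on two VLANs is two independent entries, which is the granularity the explanation gives for the table.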
 
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/15-e/ip6f-15-e-book/ip6-dhcpv6-guard.html#GUID-A69D7EF0-4C23-42B5-A78C-51430AE4BDB4 
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/15-e/ip6f-15-e-book/ip6-snooping.html#GUID-706C02E3-18F6-4FBB-9882-145D7CDC57F3 
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/15-e/ip6f-15-e-book/ip6f-15-e-book_chapter_0110.html#GUID-F19C46FE-F0C2-441A-80B7-054C30A85985 
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/15-e/ip6f-15-e-book/ip6-ra-guard.html#GUID-C6F564CF-E355-4917-9978-3F06BB1E009C 
CCNP Enterprise Advanced Routing ENARSI 300-410 Official Cert Guide, Chapter 22: Infrastructure Security, IPv6 First-Hop Security
Question 5
Select the descriptions from the left, and drag them to the corresponding DMVPN phases on the right. 
Correct answer: To display the answer, ProfExam Simulator is required.
Explanation:
Dynamic Multipoint virtual private network (DMVPN) is a Cisco-proprietary virtual private network (VPN) technology that leverages the strengths of IP Security (IPSec), Generic Routing Encapsulation (GRE), and Next-Hop Resolution Protocol (NHRP) in order to simplify the implementation of highly scalable, secure networks. In a DMVPN implementation, each spoke router is configured to initiate a connection to a central hub router. The hub router dynamically discovers the spoke's address during the initial contact and establishes an IPSec tunnel with the spoke router. This IPSec connection forms part of a star topology between the hub router and its corresponding spoke routers.  
DMVPN supports two types of topologies: hub-and-spoke and spoke-to-spoke. DMVPN Phase 1 allows hub-to-spoke communication. In a hub-and-spoke topology, spoke routers use NHRP to register with the hub router and then to initiate a tunnel connection. The hub router uses the NHRP mappings to determine the destination IP address for the dynamic multipoint GRE (mGRE) tunnel to the spoke router. The dynamic creation of tunnels enables the spoke routers to use dynamically assigned addresses on their Internet-facing interfaces and significantly reduces the configuration and management load on the hub router. However, spoke router traffic must always flow through the hub router if it is destined to other spokes in the network. 
DMVPN Phase 2 allows spoke-to-spoke communication in which the hub-and-spoke topology is dynamically modified when spokes require direct communication. Each spoke router uses NHRP to communicate with the hub router and to learn the public IP address of the other spoke. Once the public IP addresses are known, the spoke routers can establish a tunnel between them and no longer require the hub router to relay traffic. Because these tunnels are dynamically created on demand, scalability is not limited as it would be in a standard hub-and-spoke topology or even in a full-mesh topology.  
DMVPN Phase 3 improves upon Phase 2 by using NHRP redirects. In Phase 3, when a spoke router sends traffic through the hub to another spoke router, the hub router sends an NHRP traffic indication message to the source spoke indicating that a better path exists to the destination network. The source spoke router modifies its routing table and sends traffic directly to the destination. To configure a DMVPN topology to use Phase 3, you should issue the ip nhrp redirect command on the hub and the ip nhrp shortcut command on the spokes. 
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dmvpn/configuration/15-mt/sec-conn-dmvpn-15-mt-book/sec-conn-dmvpn-dmvpn.html#GUID-17D28C87-97ED-4177-A1D9-6962E86F143A 
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nhrp/configuration/xe-3s/nhrp-xe-3s-book/nhrp-switch-enhancemts-dmvpn.html#GUID-5EEEFC20-D114-46D8-8BC4-7CFFF7761B83 
CCNP Enterprise Advanced Routing ENARSI 300-410 Official Cert Guide, Chapter 19: DMVPN Tunnels, DMVPN Configuration for Phase 3 DMVPN (Multipoint)
Question 6
RouterA and RouterB are connected by their FastEthernet 0/0 interfaces. RouterA and RouterB are configured for EIGRP AS 10. 
You issue the following commands on RouterB:  
 
RouterB(config)#access-list 10 deny any  
RouterB(config)#router eigrp 10  
RouterB(config-router)#distribute-list 10 out FastEthernet 0/0  
 
Which of the following statements best describes what will occur?  
  1.  RouterA will advertise routes to RouterB but will not receive routes from RouterB.  
  2.  RouterA will neither send routes to nor receive routes from RouterB.  
  3.  RouterA will receive routes from RouterB but will not advertise routes to RouterB.  
  4.  RouterA will send routes to and receive routes from RouterB. 
Correct answer: A
Explanation:
RouterA will advertise routes to RouterB but will not receive routes from RouterB. The access-list 10 deny any command denies any network contained in a routing update when standard IP access list 10 is applied to a distribute list. The distribute-list 10 out FastEthernet 0/0 command applies access list 10 to all the routing updates that are transmitted out of FastEthernet 0/0; the out keyword indicates that only outbound routing updates are affected. Therefore, no routing updates will be transmitted from RouterB out of the FastEthernet 0/0 interface after these commands have been issued on RouterB. The filter does not match inbound routing updates on any interface, so RouterB will continue to receive routing updates advertised by RouterA.  
RouterA will receive routes from RouterB but will not advertise routes to RouterB if you issue the following commands on RouterB:  
 
RouterB(config)#access-list 10 deny any 
RouterB(config)#router eigrp 10   
RouterB(config-router)#distribute-list 10 in FastEthernet 0/0   
 
The distribute-list 10 in FastEthernet 0/0 command applies access list 10 to all the routing updates that are received on FastEthernet 0/0; the in keyword indicates that only inbound routing updates are affected. Therefore, no routing updates will be received from RouterA on FastEthernet 0/0 after these commands have been issued on RouterB. The filter does not match outbound routing updates on any interface, so RouterB will continue to send routing updates to RouterA.   
RouterA will neither send routes to nor receive routes from RouterB if you issue the following commands on RouterA: 
 
RouterA(config)#router eigrp 10  
RouterA(config-router)#passive-interface FastEthernet 0/0  
 
The passive-interface command prevents FastEthernet 0/0 from participating in Enhanced Interior Gateway Routing Protocol (EIGRP). This command effectively disables EIGRP on the specified interface because the interface will no longer send or receive any EIGRP routing information.  
RouterA will send routes to and receive routes from RouterB if no passive interfaces are specified and no distribute lists are applied. This is the normal operation for EIGRP interfaces.  
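As an added example (not from the exam vendor or from Cisco), the Python below models how a standard ACL applied with distribute-list filters a routing update: entries are evaluated top-down with wildcard-mask matching and an implicit deny at the end, and the list only touches updates in the configured direction on the configured interface. Function names, interface names and the route prefixes are constructed for the illustration; the deny-any ACL mirrors the access-list 10 deny any command from the question.

```python
import ipaddress


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(address, entry_address, wildcard):
    """Standard ACL matching: a 1 bit in the wildcard mask means 'do not care'."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(address) & care) == (_to_int(entry_address) & care)


def acl_permits(acl, network):
    """Walk the ACL top-down; the first matching entry decides; implicit deny if none matches.

    acl: list of (action, address, wildcard) tuples, e.g. ("permit", "10.0.0.0", "0.255.255.255")
    """
    for action, entry_address, wildcard in acl:
        if wildcard_match(network, entry_address, wildcard):
            return action == "permit"
    return False


def apply_distribute_list(routes, acl, dl_direction, dl_interface, update_direction, interface):
    """Filter one routing update with `distribute-list <acl> <dl_direction> <dl_interface>`.

    routes: "network/prefixlen" strings carried in the update
    update_direction: "in" for an update received on `interface`, "out" for one sent out of it
    """
    if (dl_direction, dl_interface) != (update_direction, interface):
        return list(routes)  # the distribute list does not apply to this update
    return [r for r in routes if acl_permits(acl, r.split("/")[0])]


# access-list 10 deny any  (matches every network, so nothing is permitted)
DENY_ANY = [("deny", "0.0.0.0", "255.255.255.255")]


def demo():
    """Constructed routes: RouterB advertises routes_b, RouterA advertises routes_a."""
    routes_b = ["10.1.0.0/16", "10.2.0.0/16", "172.16.0.0/16"]
    routes_a = ["192.168.10.0/24"]
    # distribute-list 10 out FastEthernet 0/0 on RouterB
    sent_by_b = apply_distribute_list(routes_b, DENY_ANY, "out", "Fa0/0", "out", "Fa0/0")
    received_by_b = apply_distribute_list(routes_a, DENY_ANY, "out", "Fa0/0", "in", "Fa0/0")
    # a selective list (constructed): permit only 10.0.0.0/8 networks outbound
    acl_20 = [("permit", "10.0.0.0", "0.255.255.255")]
    selective = apply_distribute_list(routes_b, acl_20, "out", "Fa0/0", "out", "Fa0/0")
    return {"sent_by_b": sent_by_b, "received_by_b": received_by_b, "selective": selective}


if __name__ == "__main__":
    print(demo())
```

With the deny-any list applied outbound, RouterB sends nothing but still accepts RouterA's update, which is the behaviour behind answer A; the selective list shows the implicit deny removing 172.16.0.0/16 even though no entry names it.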
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_eigrp/configuration/xe-16-12/ire-xe-16-12-book/eigrp-route-map.html#GUID-FEA676E4-4D36-45E1-9CD4-21DF654941B3 
CCNP Enterprise Advanced Routing ENARSI 300-410 Official Cert Guide, Chapter 12: Advanced BGP, Distribution List Filtering 
Question 7
You issue the snmp-server host auth version 3 dot1x command on a Cisco switch. No previous SNMP commands have been issued on the switch. 
Which of the following statements are true? (Choose two.)
  1.  Only 802.1X notifications are sent.  
  2.  Notifications are sent as informs.  
  3.  Only authentication notifications are sent.  
  4.  The noAuthNoPriv security level is applied to the host.  
  5.  The AuthNoPriv security level is applied to the host.  
  6.  Notifications are sent as traps. 
Correct answer: DF
Explanation:
Notifications are sent as traps, and the noAuthNoPriv security level is applied to the host. Simple Network Management Protocol (SNMP) is used to remotely monitor and manage network devices. 
The basic syntax of the snmp-server host command is snmp-server host {hostname | ip-address} [vrf vrf-name | informs | traps | version {1 | 2c | 3 [auth | noauth | priv]}] community-string [udp-port port [notification-type] | notification-type]. Therefore, the command snmp-server host auth version 3 dot1x specifies that the switch should send SNMP version 3 (SNMPv3) notifications to a device with the hostname auth using the community string dot1x.  
By default, notifications are sent as traps. You can also explicitly specify that notifications be sent as traps by issuing the traps keyword in the snmp-server host command. To send notifications as informs, you should issue the informs keyword in the snmp-server host command. Informs are acknowledged reliably; traps are not acknowledged reliably.  
There are three SNMPv3 security levels: noAuthNoPriv, authNoPriv, and authPriv. If no security level is specified in the snmp-server host command, the noAuthNoPriv security level is used. The noAuthNoPriv security level, which is also enabled by issuing the noauth keyword, authenticates by matching the user name in clear text. The authNoPriv security level, which is enabled by issuing the auth keyword, matches an unencrypted Message Digest 5 (MD5) or Secure Hash Algorithm (SHA) hash of the user name in order to authenticate. The authPriv security level, which is enabled by issuing the priv keyword, authenticates by matching an MD5 or SHA hash of the user name that is also encrypted by using either Data Encryption Standard (DES), Triple DES (3DES), or Advanced Encryption Standard (AES). In this scenario, the placement of the auth keyword configures a host name, not a security level.  
If a notification type is not specified in the snmp-server host command, all notification types are sent. Although the dot1x keyword can be used to specify that 802.1X notifications are sent, the placement of the dot1x keyword in this scenario configures a community string, not a notification type.  
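The point of the question is positional: the same keyword means different things depending on where it sits in the command. The parser below is an added example, not part of the page or of Cisco IOS, that walks the syntax quoted above slot by slot and shows why auth lands in the host slot and dot1x in the community-string slot. The dict keys are constructed names; the default version of 1 is an assumption not stated on the page, and the traps default and noAuthNoPriv default are the ones the explanation gives.

```python
SECURITY_LEVELS = {"noauth": "noAuthNoPriv", "auth": "authNoPriv", "priv": "authPriv"}


def parse_snmp_host(command):
    """Parse `snmp-server host ...` following the syntax in the explanation above.

    Option keywords (vrf, informs, traps, version ...) are recognised only in the
    slot between the host and the community string; anything that is not one of
    them is taken as the community string (for version 3, the SNMPv3 user name).
    """
    tokens = command.split()
    if tokens[:2] != ["snmp-server", "host"]:
        raise ValueError("not an snmp-server host command")
    if len(tokens) < 3:
        raise ValueError("missing host")
    parsed = {
        "host": tokens[2],          # first positional slot is always the host
        "vrf": None,
        "delivery": "traps",        # default when neither traps nor informs is given
        "version": "1",             # assumed IOS default; the page does not state it
        "security_level": None,     # only meaningful for version 3
        "community": None,          # for version 3 this slot carries the user name
        "udp_port": 162,
        "notification_types": [],   # empty list means every notification type is sent
    }
    i = 3
    while i < len(tokens):
        tok = tokens[i]
        if tok == "vrf" and i + 1 < len(tokens):
            parsed["vrf"] = tokens[i + 1]
            i += 2
        elif tok in ("traps", "informs"):
            parsed["delivery"] = tok
            i += 1
        elif tok == "version" and i + 1 < len(tokens):
            parsed["version"] = tokens[i + 1]
            i += 2
            if parsed["version"] == "3":
                if i < len(tokens) and tokens[i] in SECURITY_LEVELS:
                    parsed["security_level"] = SECURITY_LEVELS[tokens[i]]
                    i += 1
                else:
                    parsed["security_level"] = "noAuthNoPriv"  # no level keyword given
        else:
            break  # not an option keyword: this token is the community string
    if i >= len(tokens):
        raise ValueError("missing community string / user name")
    parsed["community"] = tokens[i]
    i += 1
    if i + 1 < len(tokens) and tokens[i] == "udp-port":
        parsed["udp_port"] = int(tokens[i + 1])
        i += 2
    parsed["notification_types"] = tokens[i:]
    return parsed


if __name__ == "__main__":
    print(parse_snmp_host("snmp-server host auth version 3 dot1x"))
```

Running the question's command through it gives host "auth", level noAuthNoPriv, delivery traps, community "dot1x" and an empty notification list, which is exactly the pair of correct answers. Moving the keywords into their intended slots, as in the second command in the test, makes auth select authNoPriv and dot1x select the notification type.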
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipswitch/command/isw-cr-book/isw-s3.html#wp3482803949
Question 8
You issue the following commands on RouterA:  
 
RouterA(config)#policy-map abc  
RouterA(config-pmap)#class applications  
RouterA(config-pmap-c)#police 100000 5000 8000 conform-action  
transmit exceed-action set-qos-transmit 4 violate-action drop  
 
When will RouterA begin to drop packets? 
  1.  when the burst rate exceeds 8,000 bits  
  2.  when the burst rate exceeds 100,000 bits  
  3. when the burst rate exceeds 5,000 bits  
  4.  when the burst rate exceeds 64,000 bits  
  5.  when the burst rate exceeds 40,000 bits 
Correct answer: D
Explanation:
RouterA will begin to drop packets when the burst rate exceeds 64,000 bits. You can issue the police command to explicitly configure a maximum bandwidth limit. The syntax of the police command is police bps [burst-normal] [burst-max] conform-action action exceed-action action [violate-action action]. The bps parameter is the average rate specified in bits per second, and the optional burst-normal and burst-max parameters are specified in bytes. When traffic exceeds the burst-normal rate, the router will perform the exceed-action action, and when traffic exceeds the burst-max rate, the router will perform the violate-action action. 
Traffic policing is used to slow down traffic to a value that the medium can support, to monitor bandwidth utilization, to enforce bandwidth limitations at the service provider edge, and to re-mark traffic that exceeds the Service Level Agreement (SLA). Excess traffic and out-of-profile packets are dropped or re-marked and transmitted. By contrast, traffic shaping buffers excess traffic and out-of-profile packets in memory and drops traffic only if the queue is full. Because traffic shaping does not re-mark traffic, it can create queuing delay, particularly when queues are large and traffic flow is heavy.  
In this scenario, the burst-max rate is set to a value of 8,000 bytes, which is equal to 64,000 bits. The action that corresponds to the violate-action keyword is drop. The drop keyword configures the router to silently drop packets. Therefore, when burst traffic exceeds 64,000 bits, some packets will be dropped.  
RouterA will not begin to drop packets when the burst rate exceeds 5,000 bits or 8,000 bits. The burst-normal and burst-max parameters are specified in bytes, not bits.  
RouterA will not begin to drop packets when the burst rate exceeds 40,000 bits. The burst-normal rate is set to a value of 5,000 bytes, which is equal to 40,000 bits. The action that corresponds to the exceed-action keyword is set-qos-transmit 4. Therefore, when burst traffic exceeds 40,000 bits, some packets will begin to be reclassified with a Quality of Service (QoS) value of 4 and will be transmitted.  
RouterA will begin to drop packets before the burst rate exceeds 100,000 bits. The bit rate indicates the average rate of burst traffic, not the rate at which packets will begin to be dropped.  
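To make the byte/bit conversion and the three outcomes concrete, here is an added two-bucket policer model in Python (not from the page or from Cisco IOS, whose internal implementation is not described here). It assumes the common single-rate three-colour behaviour: a conform bucket of burst-normal bytes, an exceed bucket of burst-max bytes that receives the conform bucket's overflow, and tokens earned at bps/8 bytes per second. The class and function names and the nine-packet burst are constructed.

```python
from dataclasses import dataclass, field


def burst_bits(burst_bytes):
    """The police burst parameters are bytes; the answer options are expressed in bits."""
    return burst_bytes * 8


@dataclass
class Policer:
    """Model of `police <bps> <burst-normal> <burst-max> conform-action .. exceed-action .. violate-action ..`."""
    cir_bps: int          # average rate in bits per second
    bc_bytes: int         # burst-normal: size of the conform bucket, in bytes
    be_bytes: int         # burst-max: size of the exceed bucket, in bytes
    actions: dict         # {"conform": ..., "exceed": ..., "violate": ...}
    tc: float = field(init=False, default=0.0)   # tokens in the conform bucket
    te: float = field(init=False, default=0.0)   # tokens in the exceed bucket
    last_seen: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tc = float(self.bc_bytes)  # both buckets start full
        self.te = float(self.be_bytes)

    def _refill(self, now):
        earned = (now - self.last_seen) * self.cir_bps / 8.0
        self.last_seen = now
        self.tc += earned
        if self.tc > self.bc_bytes:  # overflow from the conform bucket tops up the exceed bucket
            self.te = min(float(self.be_bytes), self.te + self.tc - self.bc_bytes)
            self.tc = float(self.bc_bytes)

    def police(self, size_bytes, now):
        """Classify one packet and return (outcome, configured action)."""
        self._refill(now)
        if size_bytes <= self.tc:
            self.tc -= size_bytes
            return "conform", self.actions["conform"]
        if size_bytes <= self.te:
            self.te -= size_bytes
            return "exceed", self.actions["exceed"]
        return "violate", self.actions["violate"]


def demo():
    """Constructed burst: nine 1500-byte packets arriving at the same instant, then one after 1 s idle."""
    p = Policer(100000, 5000, 8000,
                {"conform": "transmit", "exceed": "set-qos-transmit 4", "violate": "drop"})
    counts = {"conform": 0, "exceed": 0, "violate": 0}
    for _ in range(9):
        outcome, _action = p.police(1500, now=0.0)
        counts[outcome] += 1
    after_idle, _action = p.police(1500, now=1.0)  # 1 s at 100 kbps refills 12,500 bytes
    return {"counts": counts, "after_idle": after_idle,
            "bc_bits": burst_bits(5000), "be_bits": burst_bits(8000)}


if __name__ == "__main__":
    print(demo())
```

In the burst, the first three packets (4,500 bytes) fit the 5,000-byte conform bucket, the next five are re-marked as exceed out of the 8,000-byte bucket, and the ninth is dropped: drops begin only once both buckets are drained, i.e. beyond the 64,000-bit burst-max, never at the 5,000 or 8,000 figures read as bits.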
 
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos/command/qos-cr-book/qos-n1.html#wp3614705404
Question 9
 
 
You administer the OSPF network shown above. Area 1 is a normal area. The 192.168.1.0, 192.168.2.0, and 192.168.3.0 networks originate within Area 0 by issuing network statements.  
You want to configure RouterD so that RouterE does not receive an LSA update for the 192.168.0.0/16 network range if the link between RouterB and RouterC fails.  
Which of the following commands should you issue on RouterD? 
  1.  area 1 nssa  
  2. area 0 range 192.168.0.0 255.255.0.0  
  3.  area 1 stub  
  4.  summary-address 192.168.0.0 255.255.0.0 
Correct answer: B
Explanation:
You should issue the area 0 range 192.168.0.0 255.255.0.0 command on RouterD. The area range command is used to summarize internal routes at an area border router (ABR). The syntax of the area range command is area area-id range ip-address mask. If the area range command has not been issued on RouterD, RouterD will send a Type 3 link-state advertisement (LSA) when a link that is connected to RouterA, RouterB, or RouterC fails; RouterE will then perform a shortest path first (SPF) calculation to determine a better route to the lost destination network. When the area range command has been issued on RouterD, RouterD will not send an LSA update for the 192.168.0.0/16 network range when a link that is connected to one of the Area 0 routers fails; therefore, RouterE will not have to perform an SPF calculation to determine a better route to the destination network.  
You should not issue the summary-address 192.168.0.0 255.255.0.0 command. The summary-address command is used to summarize external routes at an autonomous system boundary router (ASBR). The 192.168.1.0, 192.168.2.0, and 192.168.3.0 networks are not external networks; they are internal networks that originate inside Area 0.  
You should not issue the area 1 stub command, which specifies that Area 1 is a stub area. Stub areas do not accept Type 5 LSAs, but they do accept Type 3 LSAs. If Area 1 were a stub area, RouterD would send a Type 3 LSA if a link connected to RouterA, RouterB, or RouterC failed; RouterE would then perform an SPF calculation to determine a better route to the lost destination network.  
You should not issue the area 1 nssa command, which specifies that Area 1 is a not-so-stubby area (NSSA). An NSSA is basically a stub area that contains one or more ASBRs. Like stub areas, NSSAs do not accept Type 5 LSAs, but they do accept Type 3 LSAs. If Area 1 were an NSSA, RouterD would send a Type 3 LSA if a link connected to RouterA, RouterB, or RouterC failed; RouterE would then perform an SPF calculation to determine a better route to the lost destination network.  
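The reasoning behind answer B is that a summary advertised by area range replaces its component prefixes in the Type 3 LSAs the ABR floods, so losing one component inside the range changes nothing for Area 1. The following is an added example, not from the page or from Cisco, that computes the ABR's Type 3 LSA set with and without a range and checks whether a link failure forces an update. Function names are constructed; the prefixes and the 192.168.0.0 255.255.0.0 range are the ones from the question.

```python
import ipaddress


def abr_type3_lsas(intra_area_prefixes, area_ranges):
    """Prefixes an ABR advertises into other areas as Type 3 LSAs.

    area_ranges: ranges from `area <id> range <address> <mask>`, written "address/mask".
    A component prefix covered by a range is replaced by that range, and the range is
    advertised for as long as at least one component route still exists.
    """
    ranges = [ipaddress.ip_network(r) for r in area_ranges]
    advertised = set()
    for prefix in intra_area_prefixes:
        net = ipaddress.ip_network(prefix)
        covering = [r for r in ranges if net.subnet_of(r)]
        if covering:
            advertised.add(str(max(covering, key=lambda r: r.prefixlen)))  # most specific range wins
        else:
            advertised.add(str(net))
    return advertised


def lsa_update_sent(before, after, area_ranges):
    """True when the Type 3 LSA set changes, i.e. the ABR must flood an update into Area 1."""
    return abr_type3_lsas(before, area_ranges) != abr_type3_lsas(after, area_ranges)


# Area 0 networks from the question; the failing link removes 192.168.2.0/24 (constructed choice)
AREA0_ROUTES = ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]
SUMMARY_RANGE = ["192.168.0.0/255.255.0.0"]   # area 0 range 192.168.0.0 255.255.0.0


def demo():
    after_failure = [r for r in AREA0_ROUTES if r != "192.168.2.0/24"]
    return {
        "update_without_range": lsa_update_sent(AREA0_ROUTES, after_failure, []),
        "update_with_range": lsa_update_sent(AREA0_ROUTES, after_failure, SUMMARY_RANGE),
        "summary_lsas": sorted(abr_type3_lsas(AREA0_ROUTES, SUMMARY_RANGE)),
    }


if __name__ == "__main__":
    print(demo())
```

Without the range the LSA set shrinks from three prefixes to two and RouterE runs SPF; with the range the set stays at the single 192.168.0.0/16 entry. The model also shows the limit of the technique: if all three component routes disappeared, the range would be withdrawn and an update would be flooded.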
Reference: https://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/7039-1.html#t29
Question 10
Which of the following is a routing mechanism that switches packets by using two different tables? 
  1.  NBMA  
  2.  PBR  
  3.  CEF  
  4.  FIB 
Correct answer: C
Explanation:
Cisco Express Forwarding (CEF) is a router packet switching mechanism that switches packets by using two different tables: the Forwarding Information Base (FIB) and the adjacency table. Packet switching is the process of making routing decisions for all frames in a flow.  
The FIB table contains all the IP prefixes from the IP routing table. It remains synchronized with the IP routing table during topology changes and does not influence the data plane. A FIB entry is comprised of an IP network prefix, a next-hop address, and the outgoing interface used to reach the next-hop address. The adjacency table is used to store Layer 2 next-hop information that is discovered by using Address Resolution Protocol (ARP) requests.  
A nonbroadcast multiaccess (NBMA) network does not support broadcasts but does support multiple devices being connected to the network. NBMA networks typically use a hub-and-spoke topology. An example of an NBMA network is a Frame Relay network. 
Policy-Based Routing (PBR) can be used to selectively modify the way a router makes forwarding decisions. When a router is configured with a dynamic routing protocol, such as Enhanced Interior Gateway Routing Protocol (EIGRP), a packet is generally forwarded to the most appropriate interface based on the packet's destination IP address and the metrics assigned by the routing protocol.  
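The two tables named above are easiest to understand as code. The class below is an added example, not from the page or from Cisco, that performs a longest-prefix match in a FIB and then fetches the Layer 2 rewrite from an adjacency table keyed by next hop and outgoing interface; a destination whose next hop has no ARP-learned adjacency yet is reported as "glean", the CEF term for that state. The class and method names, prefixes, next hops, interfaces and MAC addresses are constructed.

```python
import ipaddress


class CefTables:
    """Toy CEF: a FIB of prefixes and an adjacency table of resolved next hops."""

    def __init__(self):
        self.fib = {}        # prefix -> (next_hop or None for connected, out_interface)
        self.adjacency = {}  # (next_hop, interface) -> next-hop MAC learned via ARP

    def add_prefix(self, prefix, next_hop, interface):
        self.fib[str(ipaddress.ip_network(prefix))] = (next_hop, interface)

    def add_adjacency(self, next_hop, interface, mac):
        self.adjacency[(next_hop, interface)] = mac

    def switch(self, destination):
        """Longest-prefix match in the FIB, then the Layer 2 rewrite from the adjacency table."""
        dst = ipaddress.ip_address(destination)
        best = None
        for prefix, (next_hop, interface) in self.fib.items():
            net = ipaddress.ip_network(prefix)
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop, interface)
        if best is None:
            return {"action": "drop", "reason": "no FIB entry"}
        net, next_hop, interface = best
        if next_hop is None:            # connected prefix: the destination itself is the adjacency
            next_hop = str(dst)
        mac = self.adjacency.get((next_hop, interface))
        if mac is None:
            return {"action": "glean", "prefix": str(net), "next_hop": next_hop, "interface": interface}
        return {"action": "forward", "prefix": str(net), "next_hop": next_hop,
                "interface": interface, "mac": mac}


def build_demo_tables():
    """Constructed FIB and adjacency contents."""
    cef = CefTables()
    cef.add_prefix("0.0.0.0/0", "198.51.100.1", "Gi0/2")
    cef.add_prefix("10.0.0.0/8", "192.0.2.1", "Gi0/0")
    cef.add_prefix("10.1.0.0/16", "192.0.2.2", "Gi0/1")
    cef.add_prefix("203.0.113.0/24", None, "Gi0/3")        # directly connected
    cef.add_adjacency("198.51.100.1", "Gi0/2", "00:00:5e:00:53:01")
    cef.add_adjacency("192.0.2.1", "Gi0/0", "00:00:5e:00:53:02")
    cef.add_adjacency("192.0.2.2", "Gi0/1", "00:00:5e:00:53:03")
    return cef


if __name__ == "__main__":
    cef = build_demo_tables()
    for dst in ("10.1.5.5", "10.9.9.9", "8.8.8.8", "203.0.113.7"):
        print(dst, cef.switch(dst))
```

The FIB decides where the packet goes (10.1.5.5 picks the /16 over the /8), the adjacency table decides how the frame is rewritten, and the separation is why CEF can keep forwarding while the routing table is converging: only the FIB is rebuilt, the adjacencies already resolved by ARP stay usable.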
Reference: https://www.cisco.com/c/en/us/support/docs/routers/12000-series-routers/47321-ciscoef.html#overview