Hitchhikers Guide to the CCIE V011 Jan2014


CISQUEROS.BLOGSPOT.COM

presents

Hitchhikers Guide to the CCIE v0.1


About

This is nothing more than a script of simple guidelines I made during my CCIE preparations, 2012-2014. Bear in mind that I created this script throughout the entire preparation period, so some topics might be pretty basic, as my level was CCNP, while some others require the reader to have an almost-CCIE level.

I will keep updating the script, and you will always be able to find the latest version on my blog and on the CertCollection blog: http://certcollection.org/

If you find my notes useful, I'm more than glad I could help. You can use it, share it, whatever, as long as you don't try to sell it or publish it as your own.

If for any reason you'd like to get in touch with me, regardless of whether it's just to give me feedback about the script or to propose any kind of collaboration, you're more than welcome to contact me via my blog or via my LinkedIn profile:

http://cisqueros.blogspot.com.es/

http://es.linkedin.com/in/matejajovanovic


Table of Contents

About ............................................................................................................................................................................. 3

LAN Switching ................................................................................................................................................................. 10

Tips and Tricks ............................................................................................................................................................. 11

VLAN Filters for NON-IP Traffic ................................................................................................................................... 11

MEMORY OPTIMIZATION - SDM (Switch Database Management) ............................................................................ 12

INTERFACE Statuses .................................................................................................................................................... 13

CAM TABLE .................................................................................................................................................................. 13

VTP - VLAN Trunking Protocol ..................................................................................................................................... 13

VMPS - VLAN Membership Policy Server .................................................................................................................... 14

TRUNKS and DTP (Dynamic Trunking Protocol) .......................................................................................................... 14

PRIVATE VLANS ........................................................................................................................................................... 15

Dot1q Tunneling: 802.1q, QinQ Tunneling ................................................................................................................. 16

SPANNING TREE PROTOCOL (STP) .............................................................................................................................. 16

MULTIPLE SPANNING TREE (MSTP) ............................................................................................................................ 18

PORTFAST .................................................................................................................................................................... 18

BPDU GUARD .............................................................................................................................................................. 18

UDLD - Unidirectional Link Detection ......................................................................................................................... 19

SOURCE GUARD and DHCP SNOOPING ....................................................................................................................... 20

ETHERCHANNEL .......................................................................................................................................................... 20

DAI (Dynamic ARP Inspection) .................................................................................................................................... 22

SNMP ........................................................................................................................................................................... 23

MONITORING .............................................................................................................................................................. 24

LOGGING ..................................................................................................................................................................... 24

STORM CONTROL ........................................................................................................................................................ 25

HTTP Server (HTTP access) on a Switch ...................................................................................................................... 25

Router on a STICK and IP BRIDGING ........................................................................................................................... 25

IP Services ....................................................................................................................................................................... 26

IP Services Tips and Tricks ........................................................................................................................................... 27

HSRP - Hot Standby Router Protocol ........................................................................................................... 27

VRRP - Virtual Router Redundancy Protocol ............................................................................................... 28

GLBP - Gateway Load Balancing Protocol ................................................................................................... 29

IRDP - ICMP Router Discovery Protocol ...................................................................................................................... 30

DRP - Director Response Protocol .................................................................................................................. 31

WAAS and WCCP Protocol .......................................................................................................................................... 31


NTP - Network Time Protocol ..................................................................................................................................... 32

IP SLA - Monitor the Network Performance ............................................................................................................... 33

STATIC NAT .................................................................................................................................................................. 34

DYNAMIC NAT ............................................................................................................................................................. 35

Load Balancing using NAT ........................................................................................................................................... 35

PAT (NAT Overload) .................................................................................................................................................... 36

PAR (Port Address Redirection) - Implementing traffic redirection using NAT ............................................ 36

Static NAT redundancy with HSRP .............................................................................................................................. 37

Scalability for Stateful NAT (SNAT) ............................................................................................................................. 37

NAT Translations with the Outside Source ................................................................................................................. 38

NAT on a Stick ............................................................................................................................................................. 38

DHCP Server ................................................................................................................................................................ 39

CNS (Cisco Networking Services) ................................................................................................................................ 39

GRE Tunnels ................................................................................................................................................................ 40

Various IOS Tricks ........................................................................................................................................................ 40

IP Routing ........................................................................................................................................................................ 42

PBR - Policy Based Routing ......................................................................................................................................... 43

ODR - ON-DEMAND ROUTING .................................................................................................................................... 43

RIP ............................................................................................................................................................................... 43

RIP: Authentication ..................................................................................................................................................... 44

RIP: Timers .................................................................................................................................................................. 44

RIP: Updates Control ................................................................................................................................................... 45

RIP: OFFSET LISTS ........................................................................................................................................................ 45

RIP: Update Source Control ........................................................................................................................................ 46

RIP: Route Summarizing .............................................................................................................................................. 46

RIP: Route Filtering using Prefix Lists .......................................................................................................................... 46

OSPF ............................................................................................................................................................................ 48

OSPF over Frame-Relay, focus on Network Types ...................................................................................................... 48

OSPF: Configuration on INTERFACE LEVEL .................................................................................................................. 49

OSPF: Timers ............................................................................................................................................................... 49

OSPF: Authentication .................................................................................................................................................. 50

OSPF: Route Redistribution ......................................................................................................................................... 50

OSPF Route Summarization ........................................................................................................................................ 51

OSPF Virtual Link ......................................................................................................................................................... 51

OSPF Cost .................................................................................................................................................................... 52

Redirecting Traffic (FORCING A PATH) ........................................................................................................................ 52


OSPF and the GRE Tunnels .......................................................................................................................................... 53

OSPF LSA Types and AREA TYPES ................................................................................................................................ 53

OSPF STUBS ................................................................................................................................................................. 55

OSPF Route Filtering ................................................................................................................................................... 56

OSPF Non-Broadcast Networks ................................................................................................................................... 57

OSPF NBMA (Non Broadcast Multiple Access) Networks ........................................................................................... 58

OSPF BROADCAST vs. POINT-TO-POINT vs. POINT-TO-MULTIPOINT Networks ......................................................... 58

DNS Lookup in OSPF .................................................................................................................................................... 59

ISPF .............................................................................................................................................................................. 59

Forward Address Suppression .................................................................................................................................... 59

OSPF Sham Link ........................................................................................................................................................... 60

OSPF in MPLS .............................................................................................................................................................. 61

EIGRP ........................................................................................................................................................................... 62

EIGRP "show neighbors" command ............................................................................................................................ 62

EIGRP Metric - K Values .............................................................................................................................................. 63

EIGRP Route Summarization and Leak Maps .............................................................................................................. 64

EIGRP Default Gateway ............................................................................................................................................... 64

VARIANCE Command .................................................................................................................................................. 65

EIGRP Authentication .................................................................................................................................................. 65

EIGRP: Maximum Hops ............................................................................................................................................... 65

EIGRP Administrative Distance ................................................................................................................................... 66

EIGRP Updates BW Percent ........................................................................................................................................ 66

EIGRP Redistribute Routes into EIGRP ........................................................................................................................ 66

EIGRP offset-list [metric adjustments] ........................................................................................................................ 66

EIGRP Stub................................................................................................................................................................... 66

MP-EIGRP .................................................................................................................................................................... 67

EIGRP Route Filtering .................................................................................................................................................. 67

BGP TIPs and Best Practices ........................................................................................................................................ 68

BGP Version................................................................................................................................................................. 70

BGP Peer-Group .......................................................................................................................................................... 70

BGP Peer-Session and Peer-Policy Templates ............................................................................................................ 71

BGP Authentication ..................................................................................................................................................... 71

BGP Route Reflectors .................................................................................................................................................. 72

BGP BACKDOOR Route ................................................................................................................................................ 73

BGP CONDITIONAL Advertisements - Advertise Maps ............................................................................................... 73

BGP Route Dampening ................................................................................................................................................ 74


BGP Route Summarization .......................................................................................................................................... 75

BGP INJECT and EXIST map ......................................................................................................................................... 75

BGP Community Attribute .......................................................................................................................................... 75

BGP & Load Balancing ................................................................................................................................................. 76

1. AS-Path (the fewer ASs in the path - the better) ........................................................................................ 77

2. Weight (the Higher - the Better) ............................................................................................................................. 78

3. MED (Multi Exit Discriminator) ............................................................................................................................... 79

4. LOCAL PREFERENCE................................................................................................................................................. 79

BGP Filters: Distribution and Prefix lists ..................................................................................................................... 80

BGP: Regular Expressions ............................................................................................................................................ 80

BGP Confederations .................................................................................................................................................... 81

MP-BGP (Multi-Protocol BGP)..................................................................................................................................... 82

Route Redistribution TIPs ....................................................................................................................................... 83

QoS .................................................................................................................................................................................. 84

QoS TIPS ...................................................................................................................................................................... 85

QoS on Access Ports ................................................................................................................................................ 85

DSCP and COS MAPPING ......................................................................................................................................... 87

Map COS to DSCP on a device ................................................................................................................................. 88

QoS POLICING - INDIVIDUAL and AGGREGATE POLICER......................................................................................... 88

PRIORITY QUEUING (priority-list) & CUSTOM QUEUING (queue-list) .................................................................... 88

WFQ - By default works with IP PRECEDENCE ......................................................................................... 89

RSVP - Resource Reservation Protocol ................................................................................................................... 90

IPv6 QoS .................................................................................................................................................................. 90

Match MAC ADDRESS ............................................................................................................................................. 90

QoS Frame-Relay SHAPING ..................................................................................................................................... 91

QoS Frame-Relay PIPQ (PER-INTERFACE PRIORITY QUEUING) ............................................................................... 93

QoS Frame-Relay PAYLOAD and HEADER COMPRESSION ...................................................................................... 94

QoS CBWFQ - configured using MQC ...................................................................................................................... 94

QoS LLQ (Low Latency Queuing) - "priority" and "priority percent" command ..................................................... 94

Define the QoS Schedule (TIME-RANGE command) ............................................................................................... 95

QoS CAR (Committed Access Rate) - "rate-limit" Interface Command .................................................................. 95

NBAR (match protocol XXX) - if you need to match an application or port without an ACL ................... 95

DUAL RATE - DUAL BUCKET ..................................................................................................................................... 96

WRED - Weighted Random Early Detection and CB-WRED .................................................................................... 96

WAN ................................................................................................................................................................................ 97

Frame-Relay TIPS ........................................................................................................................................................ 98


FRAME RELAY QoS ...................................................................................................................................................... 98

PHYSICAL INTERFACE CONFIGURATION: .................................................................................................................... 99

POINT-TO-POINT SUB-INTERFACE: ............................................................................................................................. 99

POINT-TO-MULTIPOINT SUB-INTERFACE: ................................................................................................................. 100

VIRTUAL TEMPLATE .................................................................................................................................................. 100

FRAME RELAY AUTHENTICATION .............................................................................................................................. 101

FRAME RELAY End-to-End KEEPALIVE ....................................................................................................................... 102

FRAME-RELAY MULTILINKING ................................................................................................................................... 103

FRAME-RELAY AUTO-INSTALL ................................................................................................................................... 104

IP Multicast ................................................................................................................................................................... 105

Multicast TIPS ............................................................................................................................................................ 106

Multicast - IGMP ....................................................................................................................................................... 106

Configure PIM Multicast ........................................................................................................................................... 107

PIM Dense Mode, PIM-DM - For the applications EVERYONE wants ....................................................................... 109

STATIC RENDEZVOUS POINT (RP) Configuration ...................................................................................... 110

DESIGNATED ROUTER (DR) Configuration ................................................................................................ 110

IP MULTICAST: AUTOMATIC RENDEZVOUS POINT (Auto-RP) Configuration ............................................ 111

IP MULTICAST: BSR (Bootstrap Router) Configuration ............................................................................................. 112

IP MULTICAST: MSDP (Multicast Source Discovery Protocol) Configuration ........................................................... 113

Multiprotocol BGP (MP-BGP) & IP Multicast ............................................................................................................ 113

IP MULTICAST: Configuring SSM (Source Specific Multicast) ................................................................................... 114

IP MULTICAST: Bidirectional PIM (Bidir-PIM) ........................................................................................................... 115

IP MULTICAST: Helper Map ....................................................................................................................................... 116

MULTICAST Helper Map & Helper-address .............................................................................................................. 117

Security ......................................................................................................................................................................... 118

Security TIPS .............................................................................................................................................................. 119

Router Security - Best Practices ................................................................................................................................ 119

KNOWN ATTACKS and how to prevent them .............................................................................................. 120

BANNER and MENU Configuration ........................................................................................................................... 121

Configure SSH Access ................................................................................................................................................ 121

ADVANCED Access Lists (ACL) Configuration ............................................................................................................ 122

DYNAMIC ACL (aka Lock and key ACL) ...................................................................................................................... 123

REFLEXIVE ACL - For Session Filtering ....................................................................................................................... 123

TCP INTERCEPT - To prevent TCP SYN DoS attacks ................................................................................................... 124

CBAC - Context Based Access Control Firewall ......................................................................................................... 124

PAM - Port to Application Mapping .......................................................................................................................... 125


uRPF - Unicast Reverse Path Forwarding .................................................................................................................. 126

Zone Based Firewall .................................................................................................................................................. 127

CONTROL Plane Policy (CPPr).................................................................................................................................... 128

IOS IPS (Intrusion Prevention System) ...................................................................................................................... 129

AAA Authentication .................................................................................................................................................. 130

MPLS.............................................................................................................................................................................. 131

MPLS Configuration .................................................................................................................................................. 132

MPLS LFIB and Labels (Label Spacing) ....................................................................................................................... 133

MPLS Session Protection ........................................................................................................................................... 134

MPLS VRFs, RD (Route Distinguisher) and RT (Route Target) ................................................................................... 135

L2VPN - AToM (Any Transport over MPLS) ............................................................................................................... 136

IPv6 ................................................................................................................................................................................ 137

IPv6 TIPS .................................................................................................................................................................... 138

IPv6 Basics ................................................................................................................................................................. 138

Convert MAC to Link Local IPv6 Address .................................................................................................................. 140

IPv6 Routing .............................................................................................................................................................. 141

OSPFv3 ...................................................................................................................................................................... 142

EIGRP IPv6 ................................................................................................................................................................. 143

IPv6 Tunnels .............................................................................................................................................................. 144

IPv6 Multicast Routing .............................................................................................................................................. 145


LAN Switching


____________________________________________________________________________________________________________________

Tips and Tricks ____________________________________________________________________________________________________________________

Remove a FOLDER from the flash: #delete /force /recursive flash:c3750-ipbase-mz.122-35.SE5

TIP: When there is a CISCO Phone attached to an access port, configure "switchport voice vlan X" on that access port.

____________________________________________________________________________________________________________________

VLAN Filters for NON-IP Traffic ____________________________________________________________________________________________________________________

These are not used in the production environment very often, but in the CCIE exam this can be useful to know.

On Cisco Docs can be found under the "Network Security with ACLs" under the Switch Configuration Guide:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_46_se/configuration/guide/swacl.html

STEP 1: Instead of an IP ACL, we create a MAC ACL that we apply later. For example, here a MAC access-list is created to filter out BPDUs of a certain type (check all the NON-IP stuff we can filter out):

(config)# mac access-list extended DENY_BPDU

(config-ext-macl)# permit host 000.0c00.0111 any

(config-ext-macl)# permit any any ?

<0-65535> An arbitrary EtherType in decimal, hex, or octal

aarp EtherType: AppleTalk ARP

amber EtherType: DEC-Amber

appletalk EtherType: AppleTalk/EtherTalk

cos CoS value

dec-spanning EtherType: DEC-Spanning-Tree

decnet-iv EtherType: DECnet Phase IV

diagnostic EtherType: DEC-Diagnostic

dsm EtherType: DEC-DSM

etype-6000 EtherType: 0x6000

etype-8042 EtherType: 0x8042

lat EtherType: DEC-LAT

lavc-sca EtherType: DEC-LAVC-SCA

lsap LSAP value

mop-console EtherType: DEC-MOP Remote Console

mop-dump EtherType: DEC-MOP Dump

msdos EtherType: DEC-MSDOS

mumps EtherType: DEC-MUMPS

netbios EtherType: DEC-NETBIOS

vines-echo EtherType: VINES Echo

vines-ip EtherType: VINES IP

xns-idp EtherType: XNS IDP

STEP 2: After the MAC ACL is created, we need to apply it to a Layer 2 interface. This can be done in one of 2 ways:

1. Directly using the "mac access-group MACL in" command

2. Using the VLAN Maps

VLAN Maps are the only way to control filtering within a VLAN. You can define the DROP or FWD action:

(config)#vlan access-map VLANACM 10 <-10 IS THE SEQ NUMBER

(config-access-map)#action drop

(config-access-map)#match mac address DENY_BPDU <-MATCH THE DEFINED MAC ACL

!!!IMPORTANT: ORDER IS IRRELEVANT HERE!!! First we're saying DROP, and then matching what to drop.

(config)#vlan access-map VLANACM 20

(config-access-map)#action forward <-TO PERMIT ALL OTHER TRAFFIC

STEP 3: At the end you need to APPLY the VLAN Access-Map to the VLAN (MEMORIZE THIS STUFF):

(config)#vlan filter VLANACM vlan-list ?

<1-4094> VLAN id

all Add this filter to all VLANs
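Added example, not code from these notes: a small Python model of how the MAC ACL from STEP 1 and the VLAN access-map from STEP 2 decide what happens to a frame. The host MAC in the ACL is constructed for the example (the notes show a different address), and two details the notes do not spell out are stated as assumptions in the comments: an ACL with no matching ACE denies, and a frame that hits no entry of the VLAN map is dropped. Running it with and without the seq 20 "action forward" entry shows why that catch-all matters.

```python
"""Model of how a MAC ACL plus a VLAN access-map decide a frame's fate.

Added example, not code from the original notes. The MAC ACL is evaluated
first-match, the VLAN map is walked in sequence order, and the first entry
whose match clause hits decides the action.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    ethertype: Optional[int] = None  # None = EtherType not relevant for this example


@dataclass(frozen=True)
class MacAce:
    """One line of 'mac access-list extended': permit/deny <src> <dst> [ethertype]."""
    action: str                      # "permit" or "deny"
    src: str                         # "any" or a host MAC
    dst: str                         # "any" or a host MAC
    ethertype: Optional[int] = None  # None = any EtherType

    def matches(self, f: Frame) -> bool:
        return ((self.src == "any" or self.src == f.src_mac)
                and (self.dst == "any" or self.dst == f.dst_mac)
                and (self.ethertype is None or self.ethertype == f.ethertype))


def mac_acl_permits(acl: List[MacAce], f: Frame) -> bool:
    """First matching ACE wins; no match means deny (assumption: implicit deny, as in IOS ACLs)."""
    for ace in acl:
        if ace.matches(f):
            return ace.action == "permit"
    return False


@dataclass
class VlanMapEntry:
    seq: int
    action: str                               # "drop" or "forward"
    match_acl: Optional[List[MacAce]] = None  # None = no match clause, the entry hits everything


def vlan_map_action(vlan_map: List[VlanMapEntry], f: Frame) -> str:
    """Walk entries by sequence number. An entry hits only when its ACL permits
    the frame (a deny ACE means 'this entry does not match', not 'drop').
    A frame that hits no entry is dropped (assumption: implicit drop at the end)."""
    for entry in sorted(vlan_map, key=lambda e: e.seq):
        if entry.match_acl is None or mac_acl_permits(entry.match_acl, f):
            return entry.action
    return "drop"


# The MAC ACL from STEP 1; the host address is constructed for this example.
DENY_BPDU = [MacAce("permit", "0000.0c00.0111", "any")]


def build_vlan_map(with_catch_all: bool) -> List[VlanMapEntry]:
    """VLANACM as in STEP 2: seq 10 drops what DENY_BPDU permits, seq 20 forwards the rest.
    with_catch_all=False leaves out seq 20 to show what the implicit drop does."""
    entries = [VlanMapEntry(10, "drop", DENY_BPDU)]
    if with_catch_all:
        entries.append(VlanMapEntry(20, "forward"))
    return entries


if __name__ == "__main__":
    bpdu = Frame("0000.0c00.0111", "0180.c200.0000")  # constructed frame from the filtered host
    user = Frame("0000.1111.2222", "ffff.ffff.ffff")  # constructed ordinary broadcast
    for label, vmap in (("with seq 20", build_vlan_map(True)),
                        ("without seq 20", build_vlan_map(False))):
        print(label, "| bpdu ->", vlan_map_action(vmap, bpdu),
              "| user ->", vlan_map_action(vmap, user))
```

Without the seq 20 entry every ordinary frame in the VLAN is dropped as well, which is the classic way a VLAN map takes a whole VLAN off the air.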


____________________________________________________________________________________________________________________

MEMORY OPTIMIZATION - SDM (Switch Database Management) ____________________________________________________________________________________________________________________

Cisco Docs: 3560->Consolidated Platform Configuration Guides->SystemManagement->SDM Templates

Depending on the Switch purpose (L2 Switching that uses CEF or IP Routing or IPv6), Memory allocations can be optimized using the SDM

(Switch Database Management), and there are 4 templates:

- ACCESS - For QoS and Security

- ROUTING - for IP Routing

- VLAN - Sets Switch to L2 and disables IP Routing

- Extended Match - for WCCP and multiple VRF (reformats memory space to allow 144-bit L3 TCAM support)

(config)#sdm prefer [routing | dual-ipv4-and-ipv6 | vlan]

(config)#sdm prefer ?

access Access bias

default Default bias

dual-ipv4-and-ipv6 Support both IPv4 and IPv6 <-USE THIS MODE WHEN YOU HAVE BOTH, IPv4 and IPv6

ipe IPe bias

routing Unicast bias <-SWITCH TO YOU USE AS A ROUTER, ONLY IPv4

vlan VLAN bias <-ONLY L2 SWITCH

Check the achieved results:

#show sdm prefer

The current template is "desktop default" template. <--- COMMAND NOT ACTIVE BEFORE THE SWITCH HAS BEEN REBOOTED

The selected template optimizes the resources in

the switch to support this level of features for

8 routed interfaces and 1024 VLANs.

number of unicast mac addresses: 6K

number of IPv4 IGMP groups + multicast routes: 1K

number of IPv4 unicast routes: 8K

number of directly-connected IPv4 hosts: 6K

number of indirect IPv4 routes: 2K

number of IPv4 policy based routing aces: 0

number of IPv4/MAC qos aces: 0.5K

number of IPv4/MAC security aces: 1K

#show sdm prefer

The current template is "desktop routing" template. <--- AFTER THE REBOOT SWITCH CHANGES THE SDM MODE

The selected template optimizes the resources in

the switch to support this level of features for

8 routed interfaces and 1024 VLANs.

number of unicast mac addresses: 3K

number of IPv4 IGMP groups + multicast routes: 1K <--- MEMORY ALLOCATION HAS BEEN CHANGED

number of IPv4 unicast routes: 11K

number of directly-connected IPv4 hosts: 3K

number of indirect IPv4 routes: 8K

number of IPv4 policy based routing aces: 0.5K

number of IPv4/MAC qos aces: 0.5K

number of IPv4/MAC security aces: 1K

It can happen that you need to use IPv6 on a switch, and the command "ipv6 unicast-routing" is not working. If the switch seems not to support the command, in reality you only need to change the buffer allocation first (apply a different SDM template). The problem is that you have to SAVE and RELOAD, so be sure you do it before the LAB if you know you'll be using both IPv4 and IPv6. Make sure you actually need to reconfigure by checking the current SDM settings with "show sdm prefer":

(config)#sdm prefer dual-ipv4-and-ipv6 routing


____________________________________________________________________________________________________________________

INTERFACE Statuses ____________________________________________________________________________________________________________________

INTERFACE "no shut" BUT NOT CONNECTED TO ANYTHING:

GigabitEthernet3/0/1 unassigned YES unset down down

INTERFACE "shutdown":

GigabitEthernet3/0/17 unassigned YES unset administratively down down

INTERFACE "no shut" and CONNECTED:

GigabitEthernet3/0/19 unassigned YES unset up up

____________________________________________________________________________________________________________________

CAM TABLE ____________________________________________________________________________________________________________________

You can set up the MAC Aging Time, and Security (enable the known and secure MAC addresses)

(config)#mac address-table aging-time 600 <--- if not active for 10 minutes REMOVE from the CAM table

(config)#mac-address-table secure 48BIT_MAC_ADDRESS Gi3/0/15

____________________________________________________________________________________________________________________

VTP - VLAN Trunking Protocol ____________________________________________________________________________________________________________________

Most commands can be configured in PRIVILEGED, CONFIGURE or DATABASE mode. Have in mind that there is no way to remove the VTP DOMAIN NAME once it is set (by default it’s NULL). You have to delete flash:vlan.dat, erase the startup-config and reload the switch.

You can configure the source IP of all the VTP messages:

(config)#vtp interface Loopback 1 [only] <- It will not be propagated

To restrict FLOOD TRAFFIC to TRUNK Interfaces, use VTP PRUNING.

4 types of VTP Advertisements are being exchanged between the switches:

1. Summary Advertisements - every time VTP database changes (every 300 ms)

2. Subset Advertisements - sent right after SUMMARY, includes what exactly changed

3. Advertisements requested from clients - client requests info to update the VTP database, server responds

4. VTP Membership announcements - when PRUNING is enabled, they tell the neighbor WHAT VLANs they want (if a VLAN is not announced with this message, it is not carried on the trunk)

You can adjust the VLANs that are being pruned on the interface, so for example to PRUNE ALL BUT VLAN 8:

(config-if)#switchport trunk pruning vlan 2-7,9-1001

OR

(config-if)#switchport trunk pruning vlan remove 8

Check the PRUNING STATUS:

#show interfaces pruning

Port Vlan traffic requested of neighbor <-!!!THE ALLOWED VLANS ARE DISPLAYED HERE!!!

Fa1/0/13 1,6-8,12,36,43,45,77,255,258

Fa1/0/14 1,6-7,12,36,43,45,77,88,255,258

Fa1/0/15 1,6-7,12,36,43,45,77,88,255,258

Fa1/0/19 1,7,12,36,45,77,88,255,258

Fa1/0/20 1,6-7,12,36,43,45,77,88,255,258

Fa1/0/21 1,6-7,12,36,43,45,77,88,255,258


ENABLE PRUNING (can be done ONLY ON VTP SERVER Switch):

#vtp pruning <--- PROPAGATED TO ALL SWITCHES WITHIN THE VTP DOMAIN

Pruning switched on

*VLAN 1 CANNOT BE PRUNED!!!

**VLANs that are used locally also CANNOT BE PRUNED. VLANs that are ELIGIBLE for Pruning are 2-1001 only

____________________________________________________________________________________________________________________

VMPS - VLAN Membership Policy Server ____________________________________________________________________________________________________________________

VLAN Membership Policy Server - provides a centralized server for selecting the VLAN for a port dynamically based on the MAC address of the device connected to the port. VMPS uses a UDP port to listen to VQP (VLAN Query Protocol) requests from clients, so it is not necessary for VMPS clients to know if the VMPS resides on a local or remote device on the network. Upon receiving a valid request from a VMPS client, the VMPS server searches its database for a MAC-address-to-VLAN mapping entry.

When a port is configured as "dynamic", it receives VLAN information based on the MAC address that is on the port. The VLAN is not statically assigned to the port; it is dynamically acquired from the VMPS based on the MAC address on the port.

SECURE MODE: If MAC not found in VMPS Server - shut down the port

Configuration is done on a per-role basis, on Client and Server. On the VMPS Server:

(config)#vmps server [ipaddress | hostname] primary

And on all the switches in the LAN (VMPS Clients):

(config-if)#switchport access vlan dynamic

Define how many times you want Client to contact the Server, like if you want to retry 5 times:

(config)#vmps retry 5

(config)#vmps reconfirm 30 <--- RETRY IN 30 MINUTES IF 5 ATTEMPTS FAIL

____________________________________________________________________________________________________________________

TRUNKS and DTP (Dynamic Trunking Protocol) ____________________________________________________________________________________________________________________

Dynamic Trunking Protocol PRE-REQUISITE: BOTH sides MUST have THE SAME SPEED and DUPLEX CONFIGURED!!!

*You don't need to set the ENCAPSULATION on BOTH sides if you are using DTP

Setting the PERMANENT TRUNK MODE turns DTP OFF on this side, but the port still negotiates to CONVERT the neighbor: the interface becomes a TRUNK even if the other side is not a trunk.

(config-if)#switchport mode trunk

Dynamic Desirable - Actively attempts to convert to TRUNK, but it's NOT in PERMANENT TRUNK mode:

(config-if)#switchport mode dynamic desirable

Dynamic Auto - Negotiate TRUNK ONLY if Negotiation Packet received from a Neighbour

(config-if)#switchport mode dynamic auto

Nonegotiate - Prevents the interface from generating DTP frames. You can use this command only when the interface switchport mode is access or trunk

(config-if)#switchport mode nonegotiate


____________________________________________________________________________________________________________________

PRIVATE VLANS ____________________________________________________________________________________________________________________

*REQUIRES VTP MODE TO BE SET TO TRANSPARENT, which disables VTP!!!

(config)#vtp mode transparent

This topic belongs to L2 SECURITY rather than L2 SWITCHING.

Primary VLAN can have MANY COMMUNITIES but ONLY ONE ISOLATED VLAN!!!

1. Promiscuous - belongs to PRIMARY VLAN, can communicate with EVERYONE

(config)#vlan 10

(config-vlan)#private-vlan primary

(config-vlan)#private-vlan association add 20,30,40 <-DONT FORGET TO ASSOCIATE EVEN WITH ISOLATED

Then configure the interface:

(config-if)#switchport mode private-vlan promiscuous

(config-if)#switchport private-vlan mapping 10 add 30,40,50 <-Map Promiscuous VLAN 10 to the Community and Isolated VLANs

2. Isolated - can only communicate with Promiscuous

(config)#vlan 40

(config-vlan)#private-vlan isolated

(config-if)#switchport mode private-vlan host

(config-if)#switchport private-vlan host-association 10 40

3. Community - Can communicate within the SAME community or with Promiscuous

(config)#vlan 30

(config-vlan)#private-vlan community

(config-if)#switchport mode private-vlan host

(config-if)#switchport private-vlan host-association 10 20 <-Associate Community VLAN 20 with Promiscuous VLAN 10

DONT FORGET TO ASSOCIATE Secondary VLANs to the Primary, so that they can all communicate with Promiscuous:

(config-vlan)#private-vlan association add 20,30,40

#show vlan private-vlan

Primary Secondary Type Ports

------- --------- ----------------- ------------------------------------------

10 20 community Et0/2

10 30 community Et0/0

10 40 isolated Et0/0

A GREAT example of PRIVATE VLANs is 2 HOSTS on a SWITCH that should NOT communicate with each other, and 1 router that should communicate with BOTH HOSTS. Put the HOSTS in an ISOLATED VLAN XXX, make the VLAN for the ROUTER the PROMISCUOUS one, and associate it with the ISOLATED VLAN.
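Added example, not code from these notes: a Python model of the three reachability rules in this section (promiscuous talks to everyone, isolated only to promiscuous, community only within its own community or to promiscuous) plus the caveat that a promiscuous port only reaches the secondary VLANs mapped to it. It is handy for checking a private-VLAN design before typing it in. Port names are constructed; the VLAN numbers follow the example above (primary 10, communities 20 and 30, isolated 40).

```python
"""Which private-VLAN ports can talk to each other (added example, not from the notes)."""
from typing import Dict, Optional, Set, Tuple


class PvlanPort:
    def __init__(self, kind: str, primary: int, secondary: Optional[int] = None,
                 mapping: Optional[Set[int]] = None):
        assert kind in ("promiscuous", "isolated", "community")
        self.kind = kind                 # port type
        self.primary = primary           # primary VLAN
        self.secondary = secondary       # secondary VLAN of a host port (None for promiscuous)
        self.mapping = mapping or set()  # secondaries mapped with "switchport private-vlan mapping"


def can_communicate(a: PvlanPort, b: PvlanPort) -> bool:
    """True if frames from port a may reach port b (the relation is symmetric)."""
    if a.primary != b.primary:
        return False  # different primary VLANs are separate broadcast domains
    if a.kind == "promiscuous" and b.kind == "promiscuous":
        return True
    if a.kind == "promiscuous" or b.kind == "promiscuous":
        prom, host = (a, b) if a.kind == "promiscuous" else (b, a)
        # the host's secondary VLAN must be mapped on the promiscuous port
        return host.secondary in prom.mapping
    if a.kind == "isolated" or b.kind == "isolated":
        return False  # isolated hosts never reach other hosts, even in the same isolated VLAN
    return a.secondary == b.secondary  # both community: same community VLAN only


def reachability(ports: Dict[str, PvlanPort]) -> Dict[Tuple[str, str], bool]:
    """Full reachability matrix for a set of ports."""
    names = sorted(ports)
    return {(x, y): can_communicate(ports[x], ports[y]) for x in names for y in names if x != y}


def example_ports() -> Dict[str, PvlanPort]:
    # Constructed port layout: primary 10, communities 20/30, isolated 40 (as in the notes).
    return {
        "Et0/0": PvlanPort("promiscuous", 10, mapping={20, 30, 40}),  # the router port
        "Et0/1": PvlanPort("community", 10, 20),
        "Et0/2": PvlanPort("community", 10, 20),
        "Et0/3": PvlanPort("community", 10, 30),
        "Et0/4": PvlanPort("isolated", 10, 40),
        "Et0/5": PvlanPort("isolated", 10, 40),
        "Et0/6": PvlanPort("promiscuous", 10, mapping={20, 30}),  # forgot to map 40
    }


if __name__ == "__main__":
    for (x, y), ok in sorted(reachability(example_ports()).items()):
        print(f"{x} -> {y}: {'ok' if ok else 'blocked'}")
```

Et0/6 shows the "DONT FORGET TO ASSOCIATE" case: the isolated hosts in VLAN 40 cannot reach that promiscuous port because 40 is missing from its mapping.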


____________________________________________________________________________________________________________________

Dot1q Tunneling: 802.1q, QinQ Tunneling ____________________________________________________________________________________________________________________

When a TUNNEL port receives the Customer's Traffic, the INGRESS PORT adds a 2-byte EtherType field 0x8100 + 2 bytes for CoS and VLAN. The EGRESS tunnel port STRIPS THESE 4 BYTES.

(config-if)#switchport access vlan 100

(config-if)#switchport mode dot1q-tunnel <-CHECK THE EXPLANATION BELOW

You can also configure L2 TUNNELING (CDP, STP and VTP can be tunnelled)

(config-if)#l2protocol-tunnel [cdp | stp | vtp]

#show l2protocol-tunnel summary

*Take SPECIAL CARE about the MTU SIZE on Switches (might need to set to 1504 due to the ADDED 4 BYTES IN THE TUNNEL)

(config)#system mtu 1504

Make sure you check whether you need to define a TUNNEL PORT for QinQ!!! When is this necessary? When the ROUTER is TAGGING the traffic towards the switch (using the 802.1Q TRUNK), you have to establish the DOT1Q TUNNEL, along with the L2 tunnel. If you are using the NATIVE VLAN to do this, make sure that the TRUNK port is also tagging the NATIVE VLAN:

(config-if)#switchport mode dot1q-tunnel

(config)#vlan dot1q tag native <-TO TAG THE NATIVE PORT ON 802.1q TRUNK WITH THE ROUTER
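Added example, not code from these notes: Python that pushes and pops 802.1Q tags on a raw Ethernet frame the way the ingress and egress tunnel ports do, so you can see the 4 bytes (TPID 0x8100 + TCI) being added and why a full-size customer frame then needs "system mtu 1504". MAC addresses, VLAN numbers and the 1500-byte payload are constructed; the system_mtu_needed() rule (one tag is the baseline, every extra tag adds 4 bytes) is a model of the statement above, not a platform API.

```python
"""Push/pop 802.1Q tags like a dot1q-tunnel port (added example, not from the notes)."""
import struct
from typing import List

ETHERTYPE_DOT1Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
ETHERNET_HEADER = 14  # dst MAC + src MAC + EtherType
TAG_LEN = 4           # TPID (2 bytes) + TCI (2 bytes)


def mac(text: str) -> bytes:
    """'aabb.ccdd.eeff' or 'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex("".join(c for c in text if c in "0123456789abcdefABCDEF"))


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload


def push_tag(frame: bytes, vlan_id: int, cos: int = 0) -> bytes:
    """What the ingress tunnel port does: insert TPID 0x8100 and a TCI
    (3 bits CoS, 1 bit DEI, 12 bits VLAN) right after the source MAC."""
    tci = ((cos & 0x7) << 13) | (vlan_id & 0x0FFF)
    return frame[:12] + struct.pack("!HH", ETHERTYPE_DOT1Q, tci) + frame[12:]


def pop_tag(frame: bytes) -> bytes:
    """What the egress tunnel port does: strip the outermost 4 bytes if they are an 802.1Q tag."""
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != ETHERTYPE_DOT1Q:
        raise ValueError("outermost header is not an 802.1Q tag")
    return frame[:12] + frame[16:]


def vlan_tags(frame: bytes) -> List[int]:
    """VLAN IDs from the outermost (provider) tag inwards."""
    ids, off = [], 12
    while struct.unpack("!H", frame[off:off + 2])[0] == ETHERTYPE_DOT1Q:
        (tci,) = struct.unpack("!H", frame[off + 2:off + 4])
        ids.append(tci & 0x0FFF)
        off += TAG_LEN
    return ids


def system_mtu_needed(frame: bytes) -> int:
    """Payload size the switch has to accept (model): a single 802.1Q tag is
    part of the baseline 1500, every additional tag adds 4 bytes."""
    ntags = len(vlan_tags(frame))
    inner_payload = len(frame) - ETHERNET_HEADER - TAG_LEN * ntags
    return inner_payload + TAG_LEN * max(0, ntags - 1)


if __name__ == "__main__":
    payload = bytes([0x45]) + bytes(1499)  # constructed 1500-byte IPv4 packet
    customer = push_tag(build_frame("0000.0000.0001", "0000.0000.0002", ETHERTYPE_IPV4, payload), 100)
    tunneled = push_tag(customer, 200)      # what the provider's tunnel port adds
    print("customer tags", vlan_tags(customer), "-> system mtu", system_mtu_needed(customer))
    print("tunneled tags", vlan_tags(tunneled), "-> system mtu", system_mtu_needed(tunneled))
    print("egress strips outer tag:", vlan_tags(pop_tag(tunneled)))
```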

____________________________________________________________________________________________________________________

SPANNING TREE PROTOCOL (STP) ____________________________________________________________________________________________________________________

When setting the root, you can set the priority, or use the command "root primary" that sets the priority to:

If CURRENT ROOT PRIORITY > 24576 - sets the priority to 24576 (priority 24576 sys-id-ext 12)

If CURRENT ROOT PRIORITY <= 24576 - sets the priority to 4096

The "root secondary" command always sets the priority to 28762

GREAT COMMAND:

#show spanning-tree bridge <- See the MAC address of the Switch

#show version | i Base

#show spanning-tree vlan 12

VLAN0012

Spanning tree enabled protocol ieee

Root ID Priority 24588 <-ABOUT THE ROOT BRIDGE, 24588 = 32768 + 12 (vlan 12) - 8192

Address ec44.768a.6d80

This bridge is the root

Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 24588 (priority 24576 sys-id-ext 12) <--- ABOUT THIS SWITCH (LOCAL Bridge)

Address ec44.768a.6d80 <-- ON ROOT BridgeID and RootID have the same MAC

Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Aging Time 300

Interface Role Sts Cost Prio.Nbr Type <-ABOUT INTERFACES IN THIS VLAN

------------------- ---- --- --------- -------- ------

Gi3/0/19 Desg FWD 4 128.127 P2p <--- COST IS 4 CAUSE THIS IS GigabitEthernet Port


Gi3/0/20 Desg FWD 4 128.128 P2p (on FastEthernet it would be 19)

Great command to check the ROOT:

#show spanning-tree root

Root Hello Max Fwd

Vlan Root ID Cost Time Age Dly Root Port

---------------- -------------------- --------- ----- --- --- ------------

VLAN0001 32769 aabb.cc00.0600 200 2 20 15 Et2/2

VLAN0100 24676 aabb.cc00.0600 200 2 20 15 Et2/2

VLAN0200 24776 aabb.cc00.0700 100 2 20 15 Et2/2

VLAN0300 24876 aabb.cc00.0800 100 2 20 15 Et3/1

VLAN0400 24976 aabb.cc00.0900 0 2 20 15 <--- COST TO ROOT IS 0, SO I'm the ROOT!!!
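Added example, not code from these notes: Python that does the priority arithmetic from this section (priority = base + VLAN id from the sys-id-ext, and the "root primary" rule) and parses the "show spanning-tree root" output above to find the VLANs where this switch is root (cost 0) and the VLANs whose root MAC is not the one you expect, which is the check to run when an unexpected root bridge shows up. The sample output is the one printed above, embedded as input.

```python
"""Decode STP priorities and parse 'show spanning-tree root' (added example, not from the notes)."""
import re
from typing import Dict, List, Tuple

SYS_ID_EXT_MASK = 0x0FFF  # low 12 bits of the priority field carry the VLAN id


def bridge_priority(base: int, vlan: int) -> int:
    """Priority as IOS displays it: configured base (multiple of 4096) + VLAN id."""
    return base + vlan


def split_priority(priority: int) -> Tuple[int, int]:
    """Inverse of bridge_priority: 24588 -> (24576, 12)."""
    return priority & 0xF000, priority & SYS_ID_EXT_MASK


def root_primary_priority(current_root_base: int) -> int:
    """Base priority that 'spanning-tree vlan X root primary' picks, per the rule above."""
    return 24576 if current_root_base > 24576 else 4096


# The output from the notes, used as sample input.
SHOW_SPANNING_TREE_ROOT = """\
                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
VLAN0001         32769 aabb.cc00.0600       200    2   20  15  Et2/2
VLAN0100         24676 aabb.cc00.0600       200    2   20  15  Et2/2
VLAN0200         24776 aabb.cc00.0700       100    2   20  15  Et2/2
VLAN0300         24876 aabb.cc00.0800       100    2   20  15  Et3/1
VLAN0400         24976 aabb.cc00.0900         0    2   20  15
"""

LINE = re.compile(
    r"^VLAN(\d{4})\s+(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r"\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)(?:\s+(\S+))?\s*$")


def parse_show_spanning_tree_root(text: str) -> Dict[int, dict]:
    """VLAN id -> root priority (split into base and sys-id-ext), root MAC, cost, root port."""
    out: Dict[int, dict] = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        vlan, prio = int(m.group(1)), int(m.group(2))
        base, ext = split_priority(prio)
        out[vlan] = {"priority": prio, "base": base, "sys_id_ext": ext,
                     "root_mac": m.group(3), "cost": int(m.group(4)),
                     "root_port": m.group(8)}  # None when this switch is the root
    return out


def vlans_where_root(parsed: Dict[int, dict]) -> List[int]:
    """Cost to root 0 means 'I am the root' for that VLAN."""
    return sorted(v for v, e in parsed.items() if e["cost"] == 0)


def unexpected_roots(parsed: Dict[int, dict], expected_root_mac: str) -> List[int]:
    """VLANs whose root bridge is not the switch you designed as root."""
    return sorted(v for v, e in parsed.items() if e["root_mac"] != expected_root_mac)


if __name__ == "__main__":
    parsed = parse_show_spanning_tree_root(SHOW_SPANNING_TREE_ROOT)
    for vlan, e in sorted(parsed.items()):
        print(f"VLAN {vlan:4d}: base {e['base']} + ext {e['sys_id_ext']} root {e['root_mac']} cost {e['cost']}")
    print("root here for VLANs:", vlans_where_root(parsed))
    print("not rooted at aabb.cc00.0600:", unexpected_roots(parsed, "aabb.cc00.0600"))
```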

BEST PRACTICE:

Change the COST on the interface level to change the PATH

Change the PORT PRIORITY to influence ONLY the NEIGHBORING SWITCH

!!!IMPORTANT: WHEN GOING TOWARDS THE STP ROOT - USE COST

WHEN GOING AWAY FROM THE ROOT - USE PORT-PRIORITY

UPLINKFAST: FAST Convergence in case of DIRECT failure of the ROOT port (Natively included in RSTP)

If a switch loses connectivity, it begins using the alternate paths as soon as the spanning tree selects a new root port. By enabling UPLINKFAST globally you SPEED UP the choice of the NEW ROOT PORT when a link or switch fails or when the spanning tree reconfigures itself:

(config)#spanning-tree uplinkfast

*Transitions to FWD STATE without going through LISTENING or LEARNING STATE:

*Mar 1 08:46.476: %SPANTREE_FAST-7-PORT_FWD_UPLINK: VLAN0044 GigabitEthernet1/0/15 moved to Forwarding (UplinkFast)

!!!UplinkFast is most useful in wiring-closet switches at the access or edge of the network. It is not appropriate for backbone devices

BACKBONEFAST: Complementary feature to UPLINKFAST, detects indirect failures in the core of the backbone.

When a switch receives an inferior BPDU from the designated port of another switch, the BPDU is a signal that the other switch might have lost its path to the root, and BackboneFast tries to find an alternate path to the root.

(config)#spanning-tree backbonefast


____________________________________________________________________________________________________________________

MULTIPLE SPANNING TREE (MSTP) ____________________________________________________________________________________________________________________

Supports up to 4096 instances of Spanning Tree

(config)#spanning-tree mode mst

(config)#spanning-tree mst configuration

(config-mst)#revision 1

(config-mst)#instance 1 vlan 12, 34

(config-mst)#instance 2 vlan 56, 90

(config-mst)#name CCIE <--- MST REGION NAME

SW2#show spanning-tree mst configuration

Name []

Revision 1 Instances configured 3

Instance Vlans mapped

-------- ---------------------------------------------------------------------

0 1-11,13-33,35-55,57-89,91-4094

1 12,34

2 56,90

-------------------------------------------------------------------------------

Check the ROOT:

#show spanning-tree root

Root Hello Max Fwd

MST Instance Root ID Cost Time Age Dly Root Port

---------------- -------------------- --------- ----- --- --- ------------

MST0 32768 aabb.cc00.0600 0 2 20 15

MST1 1 aabb.cc00.0600 0 2 20 15

MST2 4098 aabb.cc00.0600 0 2 20 15

____________________________________________________________________________________________________________________

PORTFAST ____________________________________________________________________________________________________________________

Quick transition, BYPASS LISTENING & LEARNING

(config-if-range)#spanning-tree portfast

%Warning: portfast should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc... to this interface when portfast is enabled, can cause temporary bridging loops.

PORTFAST reduces significantly the overhead, because TCN (Topology Change Notification) BPDUs will not be generated.

____________________________________________________________________________________________________________________

BPDU GUARD ____________________________________________________________________________________________________________________

This feature prevents anything but a Workstation from being connected to a port we are configuring with PortFast. It should be configured on the Interfaces where a BPDU should NEVER be received. If a BPDU is received, the port goes into the "ERRDISABLE" state (the port is disabled).

(config-if-range)#spanning-tree bpduguard enable

There are two options to return to the normal state. One is to manually type the “shut” and “no shut” commands. Another option is to define an ERRDISABLE RECOVERY:

(config)#errdisable recovery cause bpduguard <-MANY CAUSES CAN BE DEFINED HERE, do “show errdisable recovery”

(config)#errdisable recovery interval 360


____________________________________________________________________________________________________________________

UDLD - Unidirectional Link Detection ____________________________________________________________________________________________________________________

UDLD is used to detect the SEND part of the cable as DOWN while the RECEIVE part is still active. This happens on a Fiber Optic cable quite often. UDLD sends L2 pings between neighbors to check if the neighbor is responding. To enable Unidirectional Link Detection on an Interface:

(config-if)#udld port aggressive

GLOBAL COMMAND "udld enable" ONLY APPLIES TO FIBER OPTIC INTERFACES!!!

IT’S RECOMMENDED TO USE UDLD WITH LOOPGUARD!!! (For the port to enter the DISABLE state when BPDU are no longer received)

Normally when a unidirectional link occurs, the other side stops receiving BPDUs and assumes that the STP ROOT is no longer available, so it declares itself as the NEW STP ROOT. Loopguard prevents this.

(config-if)#spanning-tree guard loop <-CONFIGURE ON UPLINK PORTS

If it´s a TWISTED PAIR - use AGGRESSIVE mode!

To automatically recover from err-disable state in x seconds (x=120 in this case)

(config)#errdisable recovery cause udld

(config)#errdisable recovery interval 120

To RESET all ports from the ERRDISABLE state:

#udld reset

#show errdisable recovery

ErrDisable Reason Timer Status

----------------- --------------

arp-inspection Disabled

bpduguard Disabled

channel-misconfig Disabled

dhcp-rate-limit Disabled

dtp-flap Disabled

gbic-invalid Disabled

inline-power Disabled

l2ptguard Disabled

link-flap Disabled

mac-limit Disabled

loopback Disabled

pagp-flap Disabled

port-mode-failure Disabled

psecure-violation Disabled

security-violation Disabled

sfp-config-mismatch Disabled

small-frame Disabled

storm-control Disabled

udld Enabled <--- UDLD CAUSE IS ON FOR ERRDISABLE

vmps Disabled

Timer interval: 120 seconds


____________________________________________________________________________________________________________________

SOURCE GUARD and DHCP SNOOPING ____________________________________________________________________________________________________________________

!!!! SOURCE GUARD WILL NOT WORK IF DHCP SNOOPING IS NOT ENABLED!!!

(config)#ip dhcp snooping <--- DONT FORGET TO ENABLE IT FIRST!!!

(config)#ip dhcp snooping vlan 2

When configuring the DHCP Snooping, make sure you set the DHCP TRUST on all the UPLINK TRUNKS, or the DHCP responses will be IGNORED!!!

(config-if)#ip dhcp snooping trust

!!!DONT FORGET TO EITHER DISABLE INFORMATION OPTION (option 82), OR CONFIGURE DHCP SERVER TO REJECT TRANSIT DHCP MESSAGES, because DHCP SNOOPING can insert EMPTY GIADDR FIELD!!!

(config)#ip dhcp relay information trust-all

First Enable Source Guard directly on the interface, WILL VERIFY IP ADDRESS ONLY!

(config-if)#ip verify source

(config-if)#ip verify source port-security <--- TO VERIFY MAC AND IP

(config-if)#switchport port-security <--- MUST ENABLE (permits L3 checks on a pure L2 interface)

Then add Dynamic or Static IP-to-MAC bindings. Static:

(config)#ip source binding 0000.2222.2222 vlan 2 10.1.1.2 interface e0/1

#show ip source binding

MacAddress IpAddress Lease(sec) Type VLAN Interface

------------------ --------------- ---------- ------------- ---- --------------------

00:00:22:22:22:22 10.1.1.2 infinite static 2 Ethernet0/1

00:00:33:33:33:33 10.1.1.3 infinite static 2 Ethernet0/2

00:00:11:11:11:11 10.1.1.1 infinite static 2 Ethernet0/0

Total number of bindings: 3
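Added example, not code from these notes: Python that parses the "show ip source binding" table above and applies the two IP Source Guard modes from this section, "ip verify source" (source IP, checked against the binding for that VLAN and ingress port) and "ip verify source port-security" (source MAC as well). The test packets are constructed; the rule that DHCP packets are let through so a host can still obtain a lease is an assumption about the feature, stated here and in the code.

```python
"""IP Source Guard decisions against the DHCP snooping binding table (added example, not from the notes)."""
import re
from dataclasses import dataclass
from typing import List

# The table from the notes, used as sample input.
SHOW_IP_SOURCE_BINDING = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:00:22:22:22:22   10.1.1.2         infinite    static         2     Ethernet0/1
00:00:33:33:33:33   10.1.1.3         infinite    static         2     Ethernet0/2
00:00:11:11:11:11   10.1.1.1         infinite    static         2     Ethernet0/0
Total number of bindings: 3
"""


def norm_mac(text: str) -> str:
    """'00:00:22:22:22:22' and '0000.2222.2222' both become '000022222222'."""
    return "".join(c for c in text.lower() if c in "0123456789abcdef")


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str
    kind: str  # "static" or "dhcp-snooping"


BINDING_LINE = re.compile(
    r"^([0-9a-f:]{17})\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)$", re.I)


def parse_show_ip_source_binding(text: str) -> List[Binding]:
    out = []
    for line in text.splitlines():
        m = BINDING_LINE.match(line.strip())
        if m:
            out.append(Binding(norm_mac(m.group(1)), m.group(2), int(m.group(5)),
                               m.group(6), m.group(4)))
    return out


@dataclass(frozen=True)
class IpPacket:
    src_mac: str
    src_ip: str
    vlan: int
    ingress: str          # interface the packet arrived on
    is_dhcp: bool = False


def source_guard_verdict(bindings: List[Binding], pkt: IpPacket, mode: str) -> str:
    """mode: 'off' (no ip verify source), 'ip' (ip verify source),
    or 'ip-mac' (ip verify source port-security). Returns 'forward' or 'drop'."""
    if mode == "off" or pkt.is_dhcp:  # assumption: DHCP is exempt so the host can get a lease
        return "forward"
    for b in bindings:
        if b.vlan != pkt.vlan or b.interface != pkt.ingress or b.ip != pkt.src_ip:
            continue
        if mode == "ip-mac" and b.mac != norm_mac(pkt.src_mac):
            continue
        return "forward"
    return "drop"


if __name__ == "__main__":
    bindings = parse_show_ip_source_binding(SHOW_IP_SOURCE_BINDING)
    # constructed packets: a legitimate one, one with the IP moved to another port, one with a spoofed MAC
    samples = {
        "legit": IpPacket("0000.2222.2222", "10.1.1.2", 2, "Ethernet0/1"),
        "wrong_port": IpPacket("0000.2222.2222", "10.1.1.2", 2, "Ethernet0/2"),
        "wrong_mac": IpPacket("0000.9999.9999", "10.1.1.2", 2, "Ethernet0/1"),
    }
    for name, pkt in samples.items():
        print(f"{name:10s} ip={source_guard_verdict(bindings, pkt, 'ip'):7s} "
              f"ip-mac={source_guard_verdict(bindings, pkt, 'ip-mac')}")
```

The wrong_mac case is the point of the port-security keyword: with plain "ip verify source" a host that keeps a legitimate IP but changes its MAC is still forwarded.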

____________________________________________________________________________________________________________________

ETHERCHANNEL ____________________________________________________________________________________________________________________

PAgP (Port Aggregation Protocol) - Cisco Prop. DESIRABLE or AUTO or NONEGOTIATE

*in case the link is configured as ACCESS, or the "switchport nonegotiate" command

- Protocol Value: 0x0104

- Same multicast group MAC like CDP

LACP (Link Aggregation Control Protocol) - 802.3ad - ACTIVE or PASSIVE

- Multicast MAC: 01-80-C2-00-00-02

- During Detection transmits packets every second

TIP: To make SW1 Priority higher to allow it control the BUNDLE CREATION:

(config)#lacp system-priority 1


Check the DEFAULT PARAMETERS:

2#show lacp 1 internal

Flags: S - Device is requesting Slow LACPDUs

F - Device is requesting Fast LACPDUs

A - Device is in Active mode P - Device is in Passive mode

Channel group 1

LACP port Admin Oper Port Port

Port Flags State Priority Key Key Number State

Gi3/0/19 SA bndl 32768 0x1 0x1 0x7F 0x3D

Gi3/0/20 SA bndl 32768 0x1 0x1 0x80 0x3D

"ON" - Doesn’t use LACP or PAgP. BOTH sides MUST BE ON!!!

#do show etherch protocol

Channel-group listing:

----------------------

Group: 13

----------

Protocol: - (Mode ON)

You can configure MAX 16 PORTS, out of which: MAXIMUM 8 ACTIVE PORTS, and the other HOT STANDBY (activated if one of the first 8 fails). Which ones belong to the ACTIVE group depends on the LACP PRIORITY that can be configured:

(config-if)#lacp port-priority 1 <--- LOWER IS BETTER!!! (default is 32768)

L3 ETHERCHANNEL: Configure the Port-Channel interface statically, and all L3 configuration under it

Summary: 32 Po32(RU) - Gi1/0/23(P) Gi1/0/24(P)

L2 ETHERCHANNEL: LOGICAL INTERFACE CREATED AUTOMATICALLY. Best Practice (CONFIGURATION):

- Default Interface

- Channel Protocol and Group on physical interface (this creates Port Channel)

- Configure TRUNKING ENCAPSULATION under the PORT CHANNEL directly

- SHUT -> NO SHUT on PHYSICAL INTERFACES

Summary: 24 Po24(SU) PAgP Gi1/0/21(P) Gi1/0/22(P)

* "show interface trunk" Will show only Port Channel, but "show interface XX switchport" will show that the INT IS TRUNK

LOAD BALANCE the Etherchannel (CONFIGURED in the Global Config mode):

(config)#port-channel load-balance ?

dst-ip Dst IP Addr

dst-mac Dst Mac Addr

src-dst-ip Src XOR Dst IP Addr

src-dst-mac Src XOR Dst Mac Addr

src-ip Src IP Addr

src-mac Src Mac Addr

#show etherchannel load-balance

Ether Channel Load-Balancing Configuration:

dst-mac

Ether Channel Load-Balancing Addresses Used Per-Protocol:

Non-IP: Destination MAC address

IPv4: Destination MAC address

IPv6: Destination MAC address

Spanning Tree treats the Etherchannel Link as a SINGLE LINK, by sending the BPDUs only over one of the physical links
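Added example, not code from these notes: a simplified Python model of how the load-balance policy picks the member link, to show why the choice matters. The model XORs the bytes of the address fields the policy names, keeps the low 3 bits (8 hash buckets) and spreads the buckets over the member links; the exact platform hash is not reproduced, and the bucket scheme is an assumption. What it demonstrates is the polarisation effect: with dst-mac or dst-ip, every flow from the hosts towards one gateway lands on the same physical link, while the src-dst policies spread them. All addresses are constructed.

```python
"""Member-link selection under different port-channel load-balance policies (added example, not from the notes)."""
from collections import Counter
from typing import Dict, List, Tuple

Flow = Tuple[str, str, str, str]  # (src_mac, dst_mac, src_ip, dst_ip)


def _mac_bytes(text: str) -> bytes:
    return bytes.fromhex("".join(c for c in text if c in "0123456789abcdefABCDEF"))


def _ip_bytes(text: str) -> bytes:
    return bytes(int(octet) for octet in text.split("."))


def _xor_fold(data: bytes) -> int:
    acc = 0
    for b in data:
        acc ^= b
    return acc


def select_member_link(policy: str, flow: Flow, n_links: int) -> int:
    """Index of the physical link a flow is pinned to (simplified model, see lead-in)."""
    src_mac, dst_mac, src_ip, dst_ip = flow
    fields = {
        "src-mac": _mac_bytes(src_mac),
        "dst-mac": _mac_bytes(dst_mac),
        "src-dst-mac": _mac_bytes(src_mac) + _mac_bytes(dst_mac),
        "src-ip": _ip_bytes(src_ip),
        "dst-ip": _ip_bytes(dst_ip),
        "src-dst-ip": _ip_bytes(src_ip) + _ip_bytes(dst_ip),
    }
    bucket = _xor_fold(fields[policy]) & 0x7  # 8 hash buckets (assumption)
    return bucket % n_links                   # buckets handed out round-robin to the members


def distribution(policy: str, flows: List[Flow], n_links: int) -> Dict[int, int]:
    """How many flows each member link carries under a policy."""
    counts = Counter(select_member_link(policy, f, n_links) for f in flows)
    return {link: counts.get(link, 0) for link in range(n_links)}


def example_flows() -> List[Flow]:
    # constructed: eight hosts in one VLAN all talking to the default gateway
    return [(f"0000.0000.000{i}", "0000.0000.00ff", f"10.0.0.{i}", "10.0.0.254")
            for i in range(1, 9)]


if __name__ == "__main__":
    flows = example_flows()
    for policy in ("dst-mac", "dst-ip", "src-mac", "src-dst-mac", "src-dst-ip"):
        print(f"{policy:12s} 2 links -> {distribution(policy, flows, 2)}")
```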


____________________________________________________________________________________________________________________

DAI (Dynamic ARP Inspection) ____________________________________________________________________________________________________________________

(config)#ip arp inspection vlan 2 <--- Inspect ARP within the VLAN 2

You can create an ARP Access List and map the IP to MAC, and apply it to DAI:

(config)#arp access-list ARP_ACL_20

(config-arp-nacl)#permit ip host 20.1.1.2 mac host 0000.1111.1111

(config-arp-nacl)#permit ip host 20.1.1.3 mac host 0000.3333.3333

And now APPLY:

(config)#ip arp inspection filter ARP_ACL_20 vlan 2

#show ip arp inspection

Source Mac Validation : Disabled

Destination Mac Validation : Disabled

IP Address Validation : Disabled

Vlan Configuration Operation ACL Match Static ACL

---- ------------- --------- --------- ----------

2 Enabled Active ARP_ACL_20 No

Vlan ACL Logging DHCP Logging Probe Logging

---- ----------- ------------ -------------

2 Deny Deny Off

Vlan Forwarded Dropped DHCP Drops ACL Drops

---- --------- ------- ---------- ---------

2 0 0 0 0

The switch CPU performs the dynamic ARP inspection validation checks; therefore, the number of incoming ARP packets is rate-limited to prevent a denial-of-service attack.

(config-if)#ip arp inspection limit rate 5 <--- DEFAULT IS 15 PPS (packets per second)

#show ip arp inspection interfaces

Interface Trust State Rate (pps) Burst Interval

--------------- ----------- ---------- --------------

Gi3/0/1 Untrusted 5 1 <--- THE CHANGED ONE

Gi3/0/2 Untrusted 15 1 <--- 15 pps IS THE DEFAULT VALUE

To monitor the DROPPED packets due to DAI:

(config)#ip arp inspection log-buffer logs 0 interval 5 <--- LOG 0 - NO SYSTEM MESSAGE GENERATED

Check the log for details:

#show ip arp inspection log

Total Log Buffer Size : 32

Syslog rate : 0 entries per 5 seconds.
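As an added example (not code from the guide), the following Python models the two checks DAI applies on an untrusted port: the IP-to-MAC binding check against the ARP ACL above and the per-port packet-per-second limit. The bindings mirror ARP_ACL_20; every packet, timestamp and port name is constructed for the demo, and the err-disable behaviour on a rate violation is a simplification of what the switch does.

```python
"""Added example (not code from the guide): a model of the two checks DAI
applies on an untrusted port, the ARP ACL binding check and the per-port
rate limit. The ACL entries mirror ARP_ACL_20 above; every packet,
timestamp and interface name is constructed for the demo."""
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ArpPacket:
    interface: str
    sender_ip: str      # sender protocol address in the ARP body
    sender_mac: str     # sender hardware address in the ARP body
    ts: float           # arrival time in seconds


# Same bindings as "arp access-list ARP_ACL_20" on the page: IP -> permitted MAC.
ARP_ACL_20 = {
    "20.1.1.2": "0000.1111.1111",
    "20.1.1.3": "0000.3333.3333",
}


@dataclass
class DaiInterface:
    """Per-port DAI state: trust, the pps limit and a sliding arrival window."""
    name: str
    trusted: bool = False
    rate_pps: int = 15        # IOS default; "ip arp inspection limit rate 5" lowers it
    burst_interval: int = 1   # seconds, as in the "Burst Interval" column
    err_disabled: bool = False
    _arrivals: deque = field(default_factory=deque, repr=False)

    def over_rate(self, ts: float) -> bool:
        """Count ARPs seen in the last burst_interval seconds, including this one."""
        while self._arrivals and self._arrivals[0] <= ts - self.burst_interval:
            self._arrivals.popleft()
        self._arrivals.append(ts)
        return len(self._arrivals) > self.rate_pps * self.burst_interval


def inspect(pkt: ArpPacket, port: DaiInterface, acl: dict) -> str:
    """Verdict for one ARP packet: 'forward', 'rate-drop' or 'acl-drop'.

    Trusted ports (uplinks to other switches) are never inspected. On an
    untrusted port the rate limit is enforced first; exceeding it puts the
    port into err-disabled, after which nothing is forwarded until it is
    recovered. Surviving packets must match an IP-to-MAC binding in the ACL
    (without the 'static' keyword IOS would then also consult the DHCP
    snooping binding table; this model has no such table, so unmatched
    packets are dropped)."""
    if port.trusted:
        return "forward"
    if port.err_disabled or port.over_rate(pkt.ts):
        port.err_disabled = True
        return "rate-drop"
    if acl.get(pkt.sender_ip) != pkt.sender_mac:
        return "acl-drop"
    return "forward"


# Constructed traffic: two legitimate ARPs, one where 20.1.1.3 is claimed by a
# foreign MAC (a poisoning attempt), then a 7-packet burst on the 5 pps port.
SAMPLE = [
    ArpPacket("Gi3/0/2", "20.1.1.2", "0000.1111.1111", 0.0),
    ArpPacket("Gi3/0/2", "20.1.1.3", "0000.3333.3333", 0.1),
    ArpPacket("Gi3/0/2", "20.1.1.3", "0000.beef.cafe", 0.2),
] + [ArpPacket("Gi3/0/1", "20.1.1.2", "0000.1111.1111", 1.0 + i / 10) for i in range(7)]


def run_demo() -> dict:
    """Run SAMPLE through the model; returns verdict counts and the final port state."""
    ports = {
        "Gi3/0/1": DaiInterface("Gi3/0/1", rate_pps=5),   # the changed one on the page
        "Gi3/0/2": DaiInterface("Gi3/0/2"),               # default 15 pps
    }
    counts = {"forward": 0, "acl-drop": 0, "rate-drop": 0}
    for pkt in SAMPLE:
        counts[inspect(pkt, ports[pkt.interface], ARP_ACL_20)] += 1
    counts["Gi3/0/1 err-disabled"] = ports["Gi3/0/1"].err_disabled
    return counts


if __name__ == "__main__":
    print(run_demo())
```

The burst on Gi3/0/1 shows why the rate limit matters on access ports: the sixth packet inside one second trips the limit and the port stays err-disabled for everything after it, which is exactly the "ACL Drops" and err-disable counters you would look at in "show ip arp inspection" when a host starts flooding ARP.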


____________________________________________________________________________________________________________________

SNMP ____________________________________________________________________________________________________________________

Send the SNMP traps, Community "Public" to the NMS Server:

(config)#snmp-server host 192.168.1.1 traps [Public | Private]

If you need to define the VERSION and the COMMUNITY STRING:

(config)#snmp-server host 192.168.1.100 traps version 2c cisco

To define RO and RW COMMUNITY:

(config)#snmp-server community TST-RO ro <--- READ ONLY COMMUNITY STRING

(config)#snmp-server community TST-RW rw <--- READ-WRITE COMMUNITY STRING

Specify the TRAPS TYPE:

(config)#snmp-server enable traps [mac-notification | bgp | pim | ...] <-FIRST ENABLE TRAPS OF A TYPE

(config)#snmp-server host 192.168.1.100 traps version 2c cisco [mac-notification | bgp | pim…] <-SEND TRAPS

When the traps contain MAC Address Add/Remove notifications, have in mind the QUANTITY, so control it with:

(config)#mac address-table notification change history-size 150 <--- LIMIT THE TABLE CAPACITY TO 150

(config)#mac address-table notification change interval 1800 <--- SEND TRAP EVERY 30 MINUTES (1800 seconds)

DO NOT FORGET to ENABLE the CAM notifications in Global Configuration mode:

(config)#mac address-table notification change

And to make sure:

#show mac address-table notification change interface Gi3/0/1

MAC Notification Feature is Enabled on the switch

Interface MAC Added Trap MAC Removed Trap

--------- -------------- ----------------

GigabitEthernet3/0/1 Enabled Enabled

#show mac address-table notification change

MAC Notification Feature is Enabled on the switch

Interval between Notification Traps : 1800 secs

Number of MAC Addresses Added : 0

Number of MAC Addresses Removed : 0

Number of Notifications sent to NMS : 0

Maximum Number of entries configured in History Table : 150

Current History Table Length : 0

MAC Notification Traps are Enabled

History Table contents

----------------------

And apply to the interface to GENERATE A TRAP when something happens:

(config-if)#snmp trap mac-notification change added

If you need to configure some deeper changes, or set timers, they are done within each particular COMMAND/TRAP, so:

(config)#mac address-table notification [more options like INTERVAL...]


____________________________________________________________________________________________________________________

MONITORING ____________________________________________________________________________________________________________________

RSPAN - Don't forget to CREATE the VLAN specially for the RSPAN

(config)#vlan 22

(config-vlan)#remote-span

____________________________________________________________________________________________________________________

LOGGING ____________________________________________________________________________________________________________________

Remote IP:

(config)#logging x.y.z.w

Or Locally in a FILE:

(config)#logging file flash:syslog 7 <--- 7 is DEBUGGING, so LOG EVERYTHING 0-7

emergencies System is unusable (severity=0)

alerts Immediate action needed (severity=1)

critical Critical conditions (severity=2)

errors Error conditions (severity=3)

warnings Warning conditions (severity=4)

notifications Normal but significant conditions (severity=5)

informational Informational messages (severity=6)

debugging Debugging messages (severity=7)

Set SEVERITY level:

(config)#logging trap 4 <--- FROM WARNING-4 (INCLUDING 4) TO MORE CRITICAL (ALERT-1, CRITICAL-2, ERROR-3)

Add SEQUENCE numbers:

(config)#service sequence-numbers <--- "SERVICE" command IS FOR SYSTEM GENERAL SETTINGS

Add/Remove TIMESTAMPS

(config)#no service timestamps debug

(config)#no service timestamps log

Set the syslog FACILITY (here local4) that the LOGGING messages are tagged with when they are sent to the server:

(config)#logging facility local4

Specific (more GRANULAR) logging settings can be configured on the INTERFACE LEVEL:

(config-if)#logging event ?

bundle-status BUNDLE/UNBUNDLE messages

link-status UPDOWN and CHANGE messages

nfas-status NFAS D-channel status messages

power-inline-status Inline power messages

spanning-tree Spanning-tree Interface events

status Spanning-tree state change messages

subif-link-status Sub-interface UPDOWN and CHANGE messages

trunk-status TRUNK status messages
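As an added example (not from the guide), the Python below parses IOS syslog lines as they arrive with sequence numbers and timestamps enabled or disabled, and applies the "logging trap <level>" cut-off the way a collector or SIEM ingest rule would. The sample lines are constructed for the demo (one of them is the clock-update message the NTP section later shows); the mnemonics are real IOS ones but nothing here is the switch's own output.

```python
"""Added example (not from the guide): parse IOS syslog lines and apply the
"logging trap <level>" cut-off to them, the way a collector or SIEM ingest
rule would. The sample lines are constructed for the demo."""
import re

# Severity table from the "logging file" help text above.
SEVERITY = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# Optional sequence number ("service sequence-numbers"), optional timestamp
# ("service timestamps log ..."), then the %FACILITY-SEVERITY-MNEMONIC header.
LINE_RE = re.compile(
    r"^(?:(?P<seq>\d+): )?"
    r"(?:(?P<ts>[^%]*?): )?"
    r"\*?%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)


def parse_line(line: str):
    """Return the fields of one syslog line as a dict, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["severity"] = int(d["severity"])
    d["severity_name"] = SEVERITY[d["severity"]]
    d["seq"] = int(d["seq"]) if d["seq"] else None
    # A leading "*" or "." on the timestamp marks an unsynchronised clock; drop it.
    d["ts"] = d["ts"].lstrip("*.") if d["ts"] else None
    return d


def passes_trap_level(entry: dict, level: int) -> bool:
    """'logging trap 4' forwards severity 4 and everything more urgent (0-3)."""
    return entry["severity"] <= level


def filter_log(text: str, level: int) -> list:
    """Parse every line of text and keep those a 'logging trap <level>' host would get."""
    entries = (parse_line(l) for l in text.splitlines())
    return [e for e in entries if e and passes_trap_level(e, level)]


# Constructed sample: three lines with sequence numbers and timestamps, one
# line as it looks after "no service timestamps log".
SAMPLE_LOG = """\
000123: *Nov 15 16:50:00.123: %SYS-6-CLOCKUPDATE: System clock has been updated from 15:50:31 UTC Fri Nov 15 2013 to 16:50:00 UTC Fri Nov 15 2013, configured from console by console.
000124: *Nov 15 16:51:02.001: %SYS-5-CONFIG_I: Configured from console by console
000125: *Nov 15 16:51:09.447: %LINK-3-UPDOWN: Interface GigabitEthernet3/0/1, changed state to down
000126: %STORM_CONTROL-3-FILTERED: A Broadcast storm detected on Gi1/0/7. A packet filter action has been applied on the interface.
"""


if __name__ == "__main__":
    for e in filter_log(SAMPLE_LOG, 4):
        print(e["seq"], e["severity_name"], e["facility"], e["mnemonic"])
```

With "logging trap 4" only the two severity-3 lines survive the filter; the CONFIG_I (5) and CLOCKUPDATE (6) messages stay in the local buffer. Keeping sequence numbers on is what lets the collector notice a gap when messages are lost on the way.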


____________________________________________________________________________________________________________________

STORM CONTROL ____________________________________________________________________________________________________________________

To LIMIT the type of traffic (BROADCAST or MULTICAST or UNICAST). To limit the Broadcast to 50%:

(config-if)#storm-control broadcast level 50.00 <-LIMIT THIS TYPE OF TRAFFIC (also valid for MULTICAST or UNICAST)

(config-if)#storm-control action [shutdown | trap] <-DEFINE THE ACTION

OR LIMIT the number of packets per second:

(config-if)#storm-control unicast level pps 250

#sh storm-control unicast

Interface Filter State Upper Lower Current

--------- ------------- ----------- ----------- ----------

Fa1/0/1 Forwarding 250 pps 250 pps 1 pps

____________________________________________________________________________________________________________________

HTTP Server (HTTP access) on a Switch ____________________________________________________________________________________________________________________

This is a simple feature, which we don't really recommend in a production environment.

(config)#ip http server

(config)#ip http path flash: <-- define the PATH where files are

#show ip http server status

HTTP server status: Enabled

HTTP server port: 80

HTTP server authentication method: enable

HTTP server access class: 0

HTTP server base path: flash:

____________________________________________________________________________________________________________________

Router on a STICK and IP BRIDGING ____________________________________________________________________________________________________________________

Integrated Routing and Bridging enables a user to route a given protocol between routed interfaces and bridge groups, or route a given protocol between the bridge groups. Normally a protocol can be either ROUTED or BRIDGED. By using IRB (INTEGRATED ROUTING and BRIDGING) we overcome this. So the first step here is to define the BRIDGE MODE to be IRB:

(config)#bridge irb

*BRIDGE GROUP is a VIRTUAL BRIDGE inside the Router, with its own MAC address table.

To configure a VLAN associated with a bridge group with a default native VLAN:

(config)#interface FastEthernet0/0.16

(config-subif)#encapsulation dot1Q 16 <-FOR VLAN 16

(config-subif)#bridge-group 1

You need to define the BRIDGING PROTOCOL, and set it to ROUTE the IP traffic:

(config)#bridge 1 protocol ieee

(config)#bridge 1 route ip

If, for example, VLAN 16 ends on the other side in a SVI, and you want it to be PING-able from the local router.


IP Services


____________________________________________________________________________________________________________________

IP Services Tips and Tricks ____________________________________________________________________________________________________________________

IMPORTANT:

HSRP: UDP to Multicast Address 224.0.0.2 (all routers), VRRP: Directly over IP, Protocol 112

HSRPv2: Also UDP, solves the conflict with the CGMP Leave Messages, Multicast Address 224.0.0.105

TIP: When a CLIENT sends an ARP request for an IP which is outside its own segment, the router responds with its own MAC address. This is called Proxy ARP; it's ON by default on Fast Ethernet, and it can be disabled:

(config-if)#no ip proxy-arp

____________________________________________________________________________________________________________________

HSRP - Hot Standby Router Protocol ____________________________________________________________________________________________________________________

HSRP is a Cisco Proprietary protocol. There are 3 types of HSRP messages: HELLO, COUP (used by a router with the highest priority, which is currently NOT ACTIVE, to tell the others that it should be ACTIVE) and RESIGN.

Configuration is quite straight-forward, but there are many ways to tune it, in accordance with your needs:

interface FastEthernet0/0

ip address 172.25.25.2 255.255.255.0

standby 1 ip 172.25.25.22 <- Group 1 VIRTUAL IP Address

standby 1 timers 5 15 <- Can also be done in milliseconds using "standby 1 timers msec 250 800"

standby 1 priority 150 <- Default is 100

standby 1 preempt <-TAKE BACK THE ACTIVE ROLE

standby 1 authentication Cisco

standby 1 name R2-Act <-Name of the HSRP Group 1

standby 2 ip 172.25.25.55

standby 2 timers 5 15

standby 2 authentication Cisco

standby 2 name R5-Act <-Name of the HSRP Group 2

"07-ac" is the SIGNARURE part of Virtual MAC Address of the HSRP:

#sh standby | i 07

Active virtual MAC address is 0000.0c07.ac01 Local virtual MAC address is 0000.0c07.ac01 (v1 default)

To check the current configuration, including the HSRP Status and whether the preempt option is configured:

#sh standby brief

P indicates configured to preempt.

Interface Grp Prio P State Active Standby Virtual IP

Fa0/0 1 100 Standby 172.25.25.2 local 172.25.25.22

Fa0/0 2 200 P Active local 172.25.25.2 172.25.25.55

If you need to TRACK an interface, be sure to define by how much you want to decrease the HSRP priority in order to fail over to the HSRP Peer, and be sure that the active neighbor has Preempt configured:

(config-if)#standby 1 track serial 0/1/0.21 60
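As an added example (not from the guide), the Python below models the HSRP Active election with interface tracking, to show why the peer's "preempt" setting decides whether a tracking decrement actually moves the Active role. Router names, addresses and priorities are constructed; the real state machine (hello/hold timers, the Speak/Standby/Active states) is reduced to the priority comparison the election comes down to.

```python
"""Added example (not from the guide): a model of the HSRP active election
with interface tracking. Router names, addresses and priorities are
constructed; timers and intermediate states are left out."""
from dataclasses import dataclass


@dataclass
class HsrpRouter:
    name: str
    ip: str
    priority: int = 100          # "standby 1 priority ..." (default 100)
    preempt: bool = False        # "standby 1 preempt"
    track_decrement: int = 0     # "standby 1 track <interface> <decrement>"
    tracked_up: bool = True      # state of the tracked interface

    @property
    def effective_priority(self) -> int:
        """Priority after the tracking decrement is applied."""
        return self.priority - (0 if self.tracked_up else self.track_decrement)


def _ip_key(ip: str) -> tuple:
    return tuple(int(o) for o in ip.split("."))


def elect_active(routers, current_active=None) -> str:
    """Name of the router that holds Active after the routers exchange hellos.

    Highest effective priority wins, ties go to the highest interface IP.
    A router that is already Active keeps the role unless a better router
    has preempt configured; if the Active router is gone, the best remaining
    router takes over regardless of preempt."""
    ranked = sorted(routers, key=lambda r: (r.effective_priority, _ip_key(r.ip)), reverse=True)
    best = ranked[0]
    alive = {r.name for r in routers}
    if current_active is None or current_active not in alive:
        return best.name
    if best.name == current_active or not best.preempt:
        return current_active
    return best.name


def failover_demo() -> dict:
    """Walk through the scenario behind "standby 1 track serial 0/1/0.21 60"."""
    r2 = HsrpRouter("R2", "172.25.25.2", priority=150, preempt=True, track_decrement=60)
    r5 = HsrpRouter("R5", "172.25.25.5", priority=100, preempt=False)
    steps = {}
    active = elect_active([r2, r5])
    steps["initial"] = active                              # R2: 150 beats 100
    r2.tracked_up = False                                  # serial goes down: R2 is now 90
    active = elect_active([r2, r5], active)
    steps["track_down_peer_no_preempt"] = active           # still R2: R5 cannot preempt
    r5.preempt = True
    active = elect_active([r2, r5], active)
    steps["track_down_peer_preempt"] = active              # R5 takes over
    r2.tracked_up = True                                   # serial recovers: R2 back to 150
    active = elect_active([r2, r5], active)
    steps["recovered"] = active                            # R2 preempts and takes it back
    return steps


if __name__ == "__main__":
    for step, who in failover_demo().items():
        print(f"{step:28s} active = {who}")
```

The middle two steps are the point: after the decrement R2 is at 90 against R5's 100, but nothing happens until R5 is allowed to preempt. Tracking alone never causes a failover; it only changes the number the peer compares against.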


____________________________________________________________________________________________________________________

VRRP - Virtual Router Redundancy Protocol ____________________________________________________________________________________________________________________

The VRRP configuration is similar to HSRP, with a few slight differences. For example, there are no ACTIVE and STANDBY, but MASTER and BACKUP routers, as shown below:

#show vrrp brief

Interface Grp Pri Time Own Pre State Master addr Group addr

Fa0/0 1 200 3218 Y Master 172.25.12.1 172.25.12.22

Fa0/0 2 100 3609 Y Backup 172.25.12.2 172.25.12.11

TIMERS are a bit different to configure. You need to tell the Master to ADVERTISE the Hello Timer value to the Backup, and tell the Backup to LEARN the Hello Timer from the Master:

(config-if)#vrrp 1 timers advertise 10

(config-if)#vrrp 2 timers learn

*Router is Master for VRRP Group 1 and Backup for VRRP Group 2

VRRP Authentication is configured PER GROUP using the command "vrrp X authentication text PASSWORD", and the debug on the VRRP Peer router is as follows (before the authentication is configured on BOTH):

#debug vrrp

*13 15:04:37.585: VRRP: Grp 2 Advertisement from 172.25.12.1 has incorrect authentication type 1 expected 0

*13 15:04:38.001: VRRP: Grp 1 sending Advertisement checksum EBE4

*13 15:04:38.585: VRRP: Grp 2 Advertisement from 172.25.12.1 has incorrect authentication type 1 expected 0

*13 15:04:39.001: VRRP: Grp 1 sending Advertisement checksum EBE4

*13 15:04:39.585: VRRP: Grp 2 Advertisement from 172.25.12.1 has incorrect authentication type 1 expected 0

*13 15:04:40.585: VRRP: Grp 2 Advertisement from 172.25.12.1 has incorrect authentication type 1 expected 0

*13 15:04:40.973: VRRP: Grp 2 sending Advertisement checksum 87E5

*13 15:04:41.001: VRRP: Grp 1 sending Advertisement checksum EBE4

*13 15:04:41.585: VRRP: Grp 2 Advertisement from 172.25.12.1 has incorrect authentication type 1 expected 0

*13 15:04:42.001: VRRP: Grp 1 sending Advertisement checksum EBE4

#u all

All possible debugging has been turned off

The configuration on the interface will look similar to the HSRP:

interface FastEthernet0/0

ip address 172.25.12.2 255.255.255.0

vrrp 1 description MAT1

vrrp 1 ip 172.25.12.22

vrrp 1 timers learn

vrrp 1 authentication cisco

vrrp 2 description MAT2

vrrp 2 ip 172.25.12.11

vrrp 2 timers advertise 10

vrrp 2 priority 200

end

!!!IMPORTANT DIFFERENCE between HSRP and VRRP: VRRP has Preempt enabled by default!


____________________________________________________________________________________________________________________

GLBP - Gateway Load Balancing Protocol ____________________________________________________________________________________________________________________

GLBP is different from HSRP and VRRP, as in - it's more complex and gives more possibilities, such as the Load Balancing feature. It's got 1 VIRTUAL IP and VARIOUS MACs, where the AVG (defined below) decides when to announce which destination router's MAC to the client.

You can have UP TO 4 ROUTERS IN A GLBP GROUP!!!

GLBP Group Members communicate using HELLOs 224.0.0.102, UDP/3222, by default Hello Timer = 3 sec

Basically there are 2 roles:

AVG (Active Virtual Gateway): the MASTER Router, in charge of Assigning Virtual MAC Addresses to the other Routers; it has to know ALL the MACs of the AVFs.

AVFs (Active Virtual Forwarders): the rest of the Routers, which take over the AVG function if the AVG dies.

#sh glbp br

Interface Grp Fwd Pri State Address Active router Standby route

Fa0/0 1 - 100 Standby 10.1.1.100 10.1.1.2 local

Fa0/0 1 1 7 Active 0007.b400.0101 local -

Fa0/0 1 2 7 Listen 0007.b400.0102 10.1.1.2 -

You can tune GLBP as you like, which means that (besides all the stuff you can also do in HSRP and VRRP) you can choose the Load Balancing method:

(config-if)#glbp 1 load-balancing ?

host-dependent Load balance equally, source MAC determines forwarder choice

round-robin Load balance equally using each forwarder in turn

weighted Load balance in proportion to forwarder weighting (GLBP places WEIGHT on each router)

<cr>

As an additional GLBP feature, there is a REDIRECT timer, which sets the time-out for assigning the Virtual MAC of AVF that has failed.

(config-if)#glbp 1 timers ?

<1-60> Hello interval in seconds

msec Specify hello interval in milliseconds

redirect Specify time-out values for failed forwarders

Tracking is also different on GLBP, as in - it's configured in the Global Configuration mode, with a global Track Object. The advantage is that you can track 2 interfaces at once!!!

(config)#track 1 interface fa0/0 ?

ip IP parameters <- TO TRACK IP ROUTING

line-protocol Track interface line-protocol <- TRACK IF THE INTERFACE IS DOWN

(config)#track 1 interface fa0/0 line-protocol

(config)#track 2 interface s0/1/0 line-protocol

#show track

Track 1

Interface FastEthernet0/1 line-protocol

Line protocol is Up

1 change, last change 00:02:39

Track 2

Interface Serial0/1/0 line-protocol

Line protocol is Up

1 change, last change 00:02:10

Now the TRACK OBJECTS need to be applied to the Interface where GLBP is configured (if any of the tracked interfaces goes DOWN, the WEIGHT will be decremented by 10, but these values can be tuned):

(config-if)#glbp 1 weighting track 1 <-MEMORIZE as it's a bit NON-INTUITIVE

(config-if)#glbp 1 weighting track 2
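As an added example covering the HSRP, VRRP and GLBP sections together (not code from the guide), the Python below builds and recognises the virtual MAC addresses of the three protocols. The HSRPv1 and GLBP formats are the ones the show outputs above display (0000.0c07.acXX and 0007.b400.0101/0102); the VRRP and HSRPv2 formats are the standard ones (RFC 3768 and Cisco's 0000.0c9f.fXXX range). On the defender side this is what you use to pick the gateway MACs out of a CAM table or a capture and confirm they sit where you expect. The MAC table excerpt at the end is constructed.

```python
"""Added example (not from the guide): build and recognise FHRP virtual MACs.
All inputs below are constructed."""
import re


def hsrp_vmac(group: int, version: int = 1) -> str:
    """HSRPv1: 0000.0c07.ac<group>, groups 0-255. HSRPv2: 0000.0c9f.f<group>, groups 0-4095."""
    if version == 1 and 0 <= group <= 255:
        return f"0000.0c07.ac{group:02x}"
    if version == 2 and 0 <= group <= 4095:
        return f"0000.0c9f.f{group:03x}"
    raise ValueError(f"invalid HSRP group {group} for version {version}")


def vrrp_vmac(vrid: int) -> str:
    """VRRP: 0000.5e00.01<VRID>, VRIDs 1-255."""
    if not 1 <= vrid <= 255:
        raise ValueError(f"invalid VRID {vrid}")
    return f"0000.5e00.01{vrid:02x}"


def glbp_vmac(group: int, forwarder: int) -> str:
    """GLBP: 0007.b4xx.xxyy where the 16 bits xx.xx carry the 10-bit group number
    (upper 6 bits zero) and yy is the forwarder number (1-4)."""
    if not (0 <= group <= 1023 and 1 <= forwarder <= 4):
        raise ValueError(f"invalid GLBP group {group} / forwarder {forwarder}")
    return f"0007.b4{group >> 8:02x}.{group & 0xff:02x}{forwarder:02x}"


def _normalize(mac: str) -> str:
    """Accept 0000.0c07.ac01, 00:00:0c:07:ac:01 or 00-00-0c-07-ac-01; return 12 lowercase hex digits."""
    digits = re.sub(r"[.:-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def identify_fhrp(mac: str):
    """Return (protocol, group, forwarder) if mac is an FHRP virtual MAC, else None."""
    d = _normalize(mac)
    if d.startswith("00000c07ac"):
        return ("HSRPv1", int(d[10:], 16), None)
    if d.startswith("00000c9ff"):
        return ("HSRPv2", int(d[9:], 16), None)
    if d.startswith("00005e0001"):
        return ("VRRP", int(d[10:], 16), None)
    if d.startswith("0007b4"):
        group, fwd = int(d[6:10], 16), int(d[10:], 16)
        if group <= 1023 and 1 <= fwd <= 4:
            return ("GLBP", group, fwd)
    return None


# Constructed "show mac address-table" excerpt: vlan, mac, type, port.
MAC_TABLE = """\
   1    0000.0c07.ac01    DYNAMIC     Gi1/0/1
   1    0007.b400.0102    DYNAMIC     Gi1/0/2
   1    0050.56aa.bbcc    DYNAMIC     Gi1/0/3
"""


def find_gateway_macs(table: str) -> list:
    """(mac, port, identification) for every FHRP virtual MAC in a MAC table dump."""
    found = []
    for line in table.splitlines():
        m = re.search(r"([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}).*?(\S+)\s*$", line)
        if m and identify_fhrp(m.group(1)):
            found.append((m.group(1), m.group(2), identify_fhrp(m.group(1))))
    return found


if __name__ == "__main__":
    for entry in find_gateway_macs(MAC_TABLE):
        print(entry)
```

A GLBP group therefore shows up as several MACs on different ports while HSRP and VRRP show one, which is the quickest way to tell from a MAC table alone which protocol is serving a VLAN.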


____________________________________________________________________________________________________________________

IRDP - ICMP Router Discovery Protocol ____________________________________________________________________________________________________________________

IRDP enables Routers to automatically discover the IP of their potential Default Gateway. It uses ICMP Advertisement and Solicitation Messages. Potential GW Routers periodically announce the IP address of their IRDP-configured interface to a broadcast destination. The IRDP Preference value is advertised in these messages, along with the IP Address.

Step 1:

The configuration is pretty straight-forward. First you MUST turn Routing off on the router that should discover its own GW (it behaves as a host):

(config)#no ip routing

Step 2:

IRDP needs to be enabled on the Router:

(config)#ip gdp ?

eigrp Discover routers transmitting EIGRP router updates

irdp Discover routers transmitting IRDP router updates <- THIS ONE is the one we want here

rip Discover routers transmitting RIP router updates

Step 3:

Here is what needs to be defined on the interface:

(config-if)#ip irdp <- ENABLE IRDP ON THE INTERFACE

(config-if)#ip irdp maxadvertinterval 5 <- DEFINE THE ADVERTISING TIMERS

(config-if)#ip irdp minadvertinterval 3

(config-if)#ip irdp holdtime 15

(config-if)#ip irdp preference 600 <- DEFINE THE ROUTER PREFERENCE

Step 4:

TEST by pinging the IP behind the routers that are supposedly advertising the GW. PING will work ONLY if Proxy-ARP is enabled on the IP Interface:

#sh ip inter fa0/0 | i ARP

Proxy ARP is enabled <- THIS ONE MATTERS

Local Proxy ARP is disabled

#show ip route

Gateway Using Interval Priority Interface

10.187.117.2 IRDP 4 600 FastEthernet0/0

10.187.117.1 IRDP 4 200 FastEthernet0/0

When you do a DEBUG of ICMP, you see that IRDP is using the ICMP Type 9 Code 0 messages to advertise the GW:

#debug ip icmp

ICMP packet debugging is on

*Nov 14 16:03:08.288: ICMP: rdp advert rcvd type 9, code 0, from 10.187.117.2

*Nov 14 16:03:09.340: ICMP: rdp advert rcvd type 9, code 0, from 10.187.117.1

*Nov 14 16:03:12.288: ICMP: rdp advert rcvd type 9, code 0, from 10.187.117.2

*Nov 14 16:03:12.340: ICMP: rdp advert rcvd type 9, code 0, from 10.187.117.1

*Nov 14 16:03:16.288: ICMP: rdp advert rcvd type 9, code 0, from 10.187.117.2

*Nov 14 16:03:16.340: ICMP: rdp advert rcvd type 9, code 0, from 10.187.117.1

*Nov 14 16:03:19.340: ICMP: rdp advert rcvd type 9, code 0, from 10.187.117.1

*Nov 14 16:03:20.288: ICMP: rdp advert rcvd type 9, code 0, from 10.187.117.2

*Nov 14 16:03:23.288: ICMP: rdp advert rcvd type 9, code 0, from 10.187.117.2

*Nov 14 16:03:23.340: ICMP: rdp advert rcvd type 9, code 0, from 10.187.117.1
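As an added example (not from the guide), the Python below builds and parses the ICMP Router Advertisement (type 9, code 0, RFC 1256) that the debug above shows IRDP using, validates it the way a careful host should (type, entry size, length and checksum) and then picks the gateway by highest preference, which is what produces the 600-over-200 ordering in the "show ip route" output. The addresses, preferences and lifetimes are constructed to match the two routers of the example; nothing here is IOS code.

```python
"""Added example (not from the guide): ICMP Router Advertisement (RFC 1256)
builder/parser and the gateway choice a host makes from it. Constructed data."""
import struct
from ipaddress import IPv4Address
from typing import Optional

ICMP_ROUTER_ADVERT = 9
NOT_A_DEFAULT_ROUTER = -2**31   # preference 0x80000000: "do not use me as a default router"


def icmp_checksum(data: bytes) -> int:
    """One's-complement sum over 16-bit words, as for every ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_advert(entries, lifetime: int) -> bytes:
    """entries: [(router_ip, preference), ...]; lifetime is the 'holdtime' in seconds."""
    body = b"".join(IPv4Address(ip).packed + struct.pack("!i", pref) for ip, pref in entries)
    header = struct.pack("!BBHBBH", ICMP_ROUTER_ADVERT, 0, 0, len(entries), 2, lifetime)
    csum = icmp_checksum(header + body)
    return struct.pack("!BBHBBH", ICMP_ROUTER_ADVERT, 0, csum, len(entries), 2, lifetime) + body


def parse_advert(pkt: bytes) -> dict:
    """Validate lengths, type/code, entry size and checksum before trusting any field."""
    if len(pkt) < 8:
        raise ValueError("too short for an ICMP router advertisement")
    typ, code, _csum, num, size, lifetime = struct.unpack("!BBHBBH", pkt[:8])
    if typ != ICMP_ROUTER_ADVERT or code != 0:
        raise ValueError(f"not a router advertisement (type {typ} code {code})")
    if size != 2:
        raise ValueError(f"unexpected address entry size {size}")
    if icmp_checksum(pkt) != 0:     # a correct packet sums to zero with its checksum included
        raise ValueError("bad ICMP checksum")
    if len(pkt) < 8 + num * size * 4:
        raise ValueError("advertisement truncated")
    entries = []
    for i in range(num):
        off = 8 + i * 8
        ip = str(IPv4Address(pkt[off:off + 4]))
        (pref,) = struct.unpack("!i", pkt[off + 4:off + 8])
        entries.append((ip, pref))
    return {"lifetime": lifetime, "entries": entries}


def is_valid_advert(pkt: bytes) -> bool:
    try:
        parse_advert(pkt)
        return True
    except ValueError:
        return False


def best_gateway(adverts) -> Optional[str]:
    """Highest preference wins; entries marked 'not a default router' are ignored."""
    candidates = [(ip, pref) for adv in adverts for ip, pref in adv["entries"]
                  if pref != NOT_A_DEFAULT_ROUTER]
    return max(candidates, key=lambda e: e[1])[0] if candidates else None


# Constructed advertisements from the two routers of the page's example:
# 10.187.117.2 with "ip irdp preference 600" and holdtime 15, 10.187.117.1 with 200.
ADVERT_R2 = build_advert([("10.187.117.2", 600)], lifetime=15)
ADVERT_R1 = build_advert([("10.187.117.1", 200)], lifetime=15)


if __name__ == "__main__":
    print(parse_advert(ADVERT_R2))
    print("default gateway:", best_gateway([parse_advert(ADVERT_R2), parse_advert(ADVERT_R1)]))
```

The lifetime field is the "holdtime" from the interface configuration: a host that stops hearing a router for that long drops it from its list, so the advertising interval must be well below it (the page uses 3-5 seconds against a holdtime of 15).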


____________________________________________________________________________________________________________________

DRP - Cisco Distributed Route Processor ____________________________________________________________________________________________________________________

It's a UDP based application, which enables Cisco Distributed Director to QUERY ROUTES (DRP Agent). It transparently REDIRECTS end-user service requests to the CLOSEST RESPONSIVE SERVER. The configuration is straight-forward:

Step 1: Enable the DRP Server Agent:

(config)#ip drp server

Step 2: Define the ACL to define who will be able to send queries to DRP

(config)#access-list 11 permit 10.182.131.15

Step 3: Attach the ACL to the DRP:

(config)#ip drp access-group 11

Step 4: Create the key-chain and set the DRP to use it for authentication:

(config)#ip drp authentication key-chain DRP_CHAIN

____________________________________________________________________________________________________________________

WAAS and WCCP Protocol ____________________________________________________________________________________________________________________

WCCP is the Web Cache Communication Protocol, and it enables the redirection of client web requests to one or more Web Cache Engines, which improves Web Browsing on slow links. The only INTERFACE command to allow this for the users of that VLAN is "ip wccp web-cache redirect [in | out]". If you set OUT, the Router is listening to the HTTP requests going OUT of that interface, and it's most commonly enabled on the WAN interface.

First you need to enable the WCCP (protocol for web caching) globally on a router:

(config)#ip wccp web-cache

On the WAN interface enable checking whether packets need to be redirected to a web cache, i.e. enable the redirection of outgoing destination port 80 packets on the interface:

(config-if)#ip wccp web-cache redirect out

Define the ACL that only contains the Cache Engine IP:

(config)#access-list 11 permit 10.182.131.15

Attach the configured ACL to the WCCP configuration:

(config)#ip wccp web-cache group-list 11


____________________________________________________________________________________________________________________

NTP - Network Time Protocol ____________________________________________________________________________________________________________________

First there is an "old school" method of setting time on your IOS Device, which is fine if you're one of those :)

#clock set 16:50:00 15 NOVEMBER 2013

*%SYS-6-CLOCKUPDATE: System clock has been updated from 15:50:31 UTC Fri Nov 15 2013 to 16:50:00 UTC Fri Nov 15 2013, configured from console by console.

Now if you set this time really well, and the Switch is new generation and you really trust it, then in order to have the entire network synchronized (and absolutely no external NTP available), set the most awesome switch to be an NTP Server:

(config)#ntp master ?

<1-15> Stratum number <- STRATUM Number; all DOWNSTREAM routers will end up with this STRATUM + the Number of HOPS to the master

#show ntp status

Clock is synchronized, stratum 2, reference is 127.127.7.1

nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18

reference time is D630D0D3.99A45AAB (16:56:51.600 UTC Fri Nov 15 2013)

clock offset is 0.0000 msec, root delay is 0.00 msec

root dispersion is 0.02 msec, peer dispersion is 0.02 msec

Then configure ALL the other Devices to synchronize their time based on the Awesome NTP Master Switch:

(config)#ntp server 131.1.13.1

Don’t forget to configure the NTP BROADCAST on the Interfaces of the NTP Master/Client Switches:

(config-if)#ntp broadcast <- On the NTP MASTER

(config-if)#ntp broadcast client <-ON NTP CLIENTS

If you want to PEER two switches within the network, so that they synchronize the time together:

(config)#ntp peer 150.1.2.2

Make sure that it "worked":

#sh ntp associations

address ref clock st when poll reach delay offset disp

~150.1.2.2 .INIT. 16 - 64 0 0.000 0.000 16000.

~150.1.3.3 .INIT. 16 - 64 0 0.000 0.000 15937.

* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured


____________________________________________________________________________________________________________________

IP SLA - Monitor the Network Performance ____________________________________________________________________________________________________________________

Probably the most typical usage of IP SLA is to measure the UDP Jitter and Echo, in order to make sure that the path is good enough to send the sensitive VoIP traffic. Two sides need to be configured, CLIENT and SERVER (RESPONDER).

IP SLA can be configured without configuring a specific PROBE: just configure sending a generated packet to the RESPONDER, where the RESPONDER is configured to respond with TIME STAMP information, so the source can calculate the performance values. Be CAREFUL with the times; configure NTP if you're not certain the devices are synced.

To configure the RESPONDER (it answers on the IP and PORT that the CLIENT's operation specifies):

(config)#ip sla monitor responder

Make sure you configure the CLIENT device in accordance with these defined parameters:

(config)#ip sla monitor 10

(config-sla-monitor)#type udpEcho dest-ipaddr 10.187.122.2 dest-port 500

(config-sla-monitor-udp)#frequency 5 <- IN SECONDS

(config-sla-monitor-udp)#hours-of-statistics-kept 1 <-HOW LONG THE STATISTICS ARE KEPT

(config-sla-monitor-udp)#request-data-size 1500 <- PACKET SIZE

And then just START the IP SLA on the CLIENT (in this case starts immediately and lasts for 100 seconds only):

(config)#ip sla monitor schedule 10 start-time now life 100

Check the statistics:

#sh ip sla monit statistics

Round trip time (RTT) Index 10

Latest RTT: 2 ms <- THIS IS WHAT YOU WANT TO KNOW, the ROUND TRIP TIME (RTT)

Latest operation start time: *14:47:06.923 UTC Fri Dec 6 2013

Latest operation return code: OK

Number of successes: 10

Number of failures: 0

Operation time to live: 52 sec

And on the RESPONDER:

#sh ip sla monit responder

IP SLA Monitor Responder is: Enabled

Number of control message received: 17 Number of errors: 0

Recent sources:

10.187.122.1 [14:25:11.241 UTC Fri Dec 6 2013]

10.187.122.1 [14:25:06.241 UTC Fri Dec 6 2013]

10.187.122.1 [14:25:01.237 UTC Fri Dec 6 2013]

10.187.122.1 [14:24:56.237 UTC Fri Dec 6 2013]

10.187.122.1 [14:24:51.237 UTC Fri Dec 6 2013]

If you are using IP SLA for ROUTING, meaning - you want to TRACK a certain route using ICMP (ping), and depending on the result "tune" the routing table, you have 2 options:

OPTION 1: Use a simple TRACK object to track a certain route, and attach it to the STATIC ROUTE:

(config)#track 10 ip route 10.1.12.0 255.255.255.0 reachability

(config)#ip route 1.0.0.0 255.0.0.0 10.1.12.2 track 10

Check the status of the TRACK 10 object, and based on that - you can know if your STATIC route is UP:

#sh track 10

Track 10

IP route 10.1.12.0 255.255.255.0 reachability

Reachability is Up (connected)

3 changes, last change 00:04:04

First-hop interface is Serial0/1/0

Tracked by:

STATIC-IP-ROUTING 0

IMPORTANT: Make sure that the prefix you are tracking isn't available using some other protocol, like OSPF:


#sh track 10

Track 10

IP route 10.1.12.0 255.255.255.0 reachability

Reachability is Up (OSPF) <- THIS IS NOT WHAT WE WANTED TO ACHIEVE HERE

3 changes, last change 00:03:59

First-hop interface is FastEthernet0/0

Tracked by:

STATIC-IP-ROUTING 0

OPTION 2: Use the IP SLA ICMP ECHO (ipIcmpEcho) to monitor end-to-end response

STEP 1: DEFINE THE IP SLA OBJECT

(config)#ip sla monitor 10

(config-sla-monitor)#type echo protocol ipIcmpEcho 10.1.12.2 source-ipaddr 10.1.12.1

(config-sla-monitor-echo)#frequency 5

STEP 2: DONT FORGET TO LAUNCH THE IP SLA:

(config)#ip sla monitor schedule 10 start-time now life forever

STEP 3: DEFINE THE TRACK Object using the defined IP SLA:

(config)#track 15 rtr 10 reachability <- 15 is the TRACK OBJECT NUMBER, 10 is the IP SLA (RTR) operation we're attaching

Make sure the TRACK is UP before you attach it to the route:

#sh track 15

Track 15

Response Time Reporter 10 reachability

Reachability is Up

2 changes, last change 00:00:18

Latest operation return code: OK

Latest RTT (millisecs) 36

Tracked by:

STATIC-IP-ROUTING 0

STEP 4: Attach the TRACK OBJECT to the STATIC ROUTE, like in the option 1.
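As an added example (not from the guide), the Python below models the two track-object styles above, "track N ip route ... reachability" and "track N rtr <sla> reachability", driving a static route. It reproduces the pitfall the IMPORTANT note describes: a route-reachability track is Up as long as ANY protocol supplies the prefix, so it does not notice that the serial path failed when OSPF offers the same prefix over FastEthernet, whereas the rtr track follows the probe's return code. Prefixes, interface names and RTT samples are constructed.

```python
"""Added example (not from the guide): a model of 'track ip route reachability'
versus 'track rtr reachability' and of a static route that depends on them.
All prefixes, interfaces and probe results are constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rib:
    """Minimal routing table: prefix -> (source protocol, first-hop interface or next hop)."""
    routes: dict = field(default_factory=dict)

    def learn(self, prefix: str, protocol: str, via: str) -> None:
        self.routes[prefix] = (protocol, via)

    def withdraw(self, prefix: str, protocol: str) -> None:
        if self.routes.get(prefix, (None,))[0] == protocol:
            del self.routes[prefix]


def track_ip_route(rib: Rib, prefix: str) -> tuple:
    """OPTION 1: Up, with the supplying protocol's name, if the prefix is in the RIB at all."""
    entry = rib.routes.get(prefix)
    return ("Up", entry[0]) if entry else ("Down", None)


@dataclass
class TrackRtr:
    """OPTION 2: follows the return code of the IP SLA echo operation it references."""
    sla_id: int
    state: str = "Down"
    changes: int = 0
    latest_rtt_ms: Optional[int] = None

    def feed(self, rtt_ms: Optional[int]) -> str:
        """rtt_ms is the probe result: an RTT for return code OK, None for a timeout."""
        self.latest_rtt_ms = rtt_ms
        new_state = "Up" if rtt_ms is not None else "Down"
        if new_state != self.state:
            self.state = new_state
            self.changes += 1
        return self.state


def apply_tracked_static(rib: Rib, prefix: str, next_hop: str, track_state: str) -> bool:
    """'ip route <prefix> <next-hop> track N': the route is installed only while the track is Up."""
    if track_state == "Up":
        rib.learn(prefix, "static", next_hop)
    else:
        rib.withdraw(prefix, "static")
    return prefix in rib.routes


def demo() -> dict:
    out = {}
    # OPTION 1: the tracked prefix is connected over Serial0/1/0 ...
    rib = Rib()
    rib.learn("10.1.12.0/24", "connected", "Serial0/1/0")
    out["opt1_serial_up"] = track_ip_route(rib, "10.1.12.0/24")
    # ... the serial fails, but OSPF also advertises the prefix via Fa0/0
    rib.withdraw("10.1.12.0/24", "connected")
    rib.learn("10.1.12.0/24", "OSPF", "FastEthernet0/0")
    out["opt1_serial_down_ospf_present"] = track_ip_route(rib, "10.1.12.0/24")

    # OPTION 2: the echo probe to 10.1.12.2 answers twice, then times out
    t = TrackRtr(sla_id=10)
    states = [t.feed(rtt) for rtt in (36, 40, None)]
    out["opt2_states"] = states
    out["opt2_changes"] = t.changes
    # the static route follows the rtr track, not the RIB contents
    rib2 = Rib()
    out["opt2_route_while_up"] = apply_tracked_static(rib2, "1.0.0.0/8", "10.1.12.2", states[1])
    out["opt2_route_after_timeout"] = apply_tracked_static(rib2, "1.0.0.0/8", "10.1.12.2", states[2])
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:32s} {v}")
```

The "opt1_serial_down_ospf_present" result is the "Reachability is Up (OSPF)" line from the page: the track object is telling the truth about the RIB, it is just not measuring what you wanted. Tracking the probe instead (OPTION 2) ties the static route to whether 10.1.12.2 actually answers.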

____________________________________________________________________________________________________________________

STATIC NAT ____________________________________________________________________________________________________________________

You can do STATIC NAT and just "go out" of the router with a different IP address:

(config)#ip nat inside source static 10.2.2.1 131.1.12.3 [extendable]

*Traffic sourced from 10.2.2.1 and sent to ALL destinations will appear to come from 131.1.12.3 to the outside world

*Extendable is used if you need 1 LOCAL IP to be mapped to Various Public IPs

Be sure to DEFINE the NAT INTERFACES:

(config)#int lo0 <- PRIVATE IP

(config-if)#ip nat inside

(config-if)#int s0/1/0.21 <- PUBLIC (Global) IP

(config-subif)#ip nat outside

#sh ip nat translations

Pro Inside global Inside local Outside local Outside global

--- 131.1.12.3 10.2.2.1 --- ---

Inside Local - Private IP of the host in your Network

Inside Global - Public IP that the outside network sees your hosts as

Outside Local - How the local network sees IP of the remote host

Outside Global - Public IP of the remote host

If you want to do static NAT for a SUBNET:

(config)#ip nat inside source static network 10.2.2.0 200.2.2.0 /24


____________________________________________________________________________________________________________________

DYNAMIC NAT ____________________________________________________________________________________________________________________

Step 1: Define the POOL of the Inside Global IPs (Public), which your Private IPs will be NAT-ed into:

(config)#ip nat pool INSIDE_GLOBAL 131.1.12.3 131.1.12.8 prefix-length 24

Step 2: Define the ACCESS-LIST of the PRIVATE IPs, which are the ones that will be NAT-ed (Inside Local)

(config)#access-list 1 permit 10.2.2.0 0.0.0.255

Step 3: Implement the NAT from-ACL-to-POOL IPs

(config)#ip nat inside source list 1 pool INSIDE_GLOBAL

Do not forget to specify the INSIDE and the OUTSIDE Interface (I often do, and the Troubleshooting is not as much fun as you might expect)

#sh ip nat translations <- BE SURE TO PING SOMETHING BEFORE YOU CHECK THE TRANSLATIONS:

Pro Inside global Inside local Outside local Outside global

icmp 131.1.12.3:2 10.2.2.2:2 15.10.1.1:2 15.10.1.1:2

--- 131.1.12.3 10.2.2.2 --- ---

DEBUG IP NAT:

*Oct 29 16:25:54.766: NAT: s=10.2.2.1->131.1.12.3, d=15.10.1.1 [64]

Meaning: source=10.2.2.1 (SOURCE ACL) -> inside global 131.1.12.3 (NAT POOL)

*Oct 29 16:25:54.822: NAT*: s=15.10.1.1, d=131.1.12.3->10.2.2.1 [64]

*Oct 29 16:25:54.822: NAT: s=10.2.2.1->131.1.12.3, d=15.10.1.1 [65]

*Oct 29 16:25:54.878: NAT*: s=15.10.1.1, d=131.1.12.3->10.2.2.1 [65]

*Oct 29 16:25:54.878: NAT: s=10.2.2.1->131.1.12.3, d=15.10.1.1 [66]

*Oct 29 16:25:54.938: NAT*: s=15.10.1.1, d=131.1.12.3->10.2.2.1 [66]

*Oct 29 16:25:54.938: NAT: s=10.2.2.1->131.1.12.3, d=15.10.1.1 [67]

*Oct 29 16:25:54.994: NAT*: s=15.10.1.1, d=131.1.12.3->10.2.2.1 [67]

*Oct 29 16:25:54.994: NAT: s=10.2.2.1->131.1.12.3, d=15.10.1.1 [68]

*Oct 29 16:25:55.050: NAT*: s=15.10.1.1, d=131.1.12.3->10.2.2.1 [68]

If you need the HOST portion matched, add the "type match-host" argument to the NAT POOL definition:

(config)#ip nat pool LAB4 200.2.2.1 200.2.2.5 prefix-length 24 type match-host

If you need the SOURCE&DESTINATION matched, define it in an EXTENDED ACL and match that ACL in a Route Map; do not attach the ACL directly to the "ip nat" configuration line.

____________________________________________________________________________________________________________________

Load Balancing using NAT ____________________________________________________________________________________________________________________

Step 1: Create a POOL of all the INSIDE LOCAL IPs, and define the pool type "type rotary":

(config)#ip nat pool TASK1 10.2.2.1 10.2.2.5 prefix-length 24 type rotary

Step 2: Define an ACL with the Inside Global IP (Public ones, the one we´re NAT-ing into):

(config)#access-list 1 permit 200.2.2.2

Step 3: Do the inside NAT with ACL 1 as the DESTINATION list, and the POOL of LOCAL IPs:

(config)#ip nat inside destination list 1 pool ?

WORD Pool name for local addresses


Step 4: Define the NAT inside and outside interfaces, exactly like in case of Static/Dynamic NAT:

(config)#int lo0

(config-if)#ip nat inside

(config-if)#

(config-if)#int s0/1/0.21

(config-subif)#ip nat outside

Be sure that the routing is in place (both the forward and the return path towards the NAT-ed IP, 200.2.2.2)!!!

Step 5: Make sure that the IP NAT Translations are correct, and that the sources VARY:

#sh ip nat translations

Pro Inside global Inside local Outside local Outside global

tcp 200.2.2.2:23 10.2.2.1:23 131.1.12.1:20186 131.1.12.1:20186

tcp 200.2.2.2:23 10.2.2.2:23 131.1.12.1:25096 131.1.12.1:25096

tcp 200.2.2.2:23 10.2.2.3:23 131.1.12.1:20389 131.1.12.1:20389

____________________________________________________________________________________________________________________

PAT (NAT Overload) ____________________________________________________________________________________________________________________

Port Address Translation (PAT) means using PORTS in order to NAT various Inside Local IPs to ONE SINGLE Inside Global IP.

Step 1: Create an ACL with all the Inside Local addresses:

(config)#access-list 1 permit 10.2.2.0 0.0.0.7

Step 2: There are 2 ways to configure PAT, described in Steps 2.1 and 2.2:

Step 2.1: Create the Inside Global IP Pool of any addresses from the Link towards the other Router and configure the NAT Overload with the defined pool (the pool name in the "ip nat inside source" line must match the pool you created):

(config)#ip nat pool OVERLOAD 15.10.1.2 15.10.1.2 prefix-length 24

(config)#ip nat inside source list 1 pool OVERLOAD overload

Step 2.2: Configure the NAT to point to the Interface you need the traffic to go out from:

(config)#ip nat inside source list 1 interface s0/1/0.21

*The system adds "overload" argument:

(config)#do sh run | i nat inside

ip nat inside

ip nat inside source list 1 interface Serial0/1/0.21 overload

____________________________________________________________________________________________________________________

PAR - When you need to implement traffic redirections using NAT ____________________________________________________________________________________________________________________

You can define the traffic redirection using Static Entries, but there is a trick. For example you want all the http traffic DESTINED FOR s0/0.5 of R1 to be REDIRECTED to the IP 15.10.123.3 instead. You can configure this by defining the static NAT:

(config)#ip nat inside source static tcp 15.10.123.3 80 int s0/0.5 80

*MAKE SURE YOU UNDERSTAND THIS COMMAND, IT'S A BIT BACKWARDS!!!

#telnet 131.1.14.1 80 (131.1.14.1 is the IP configured on the s0/0.5 interface of R1)

Trying 131.1.14.1, 80 ... Open

So when you try to telnet to R1's IP using port 80, from the router on the s0/0.5 side you see the following debug:

*Nov 6 15:54:48.703: NAT*: s=131.1.14.4, d=131.1.14.1->15.10.123.3 [23053] <- 131.1.14.4: Router from where we telnet

*Nov 6 15:54:48.707: NAT*: s=15.10.123.3->131.1.14.1, d=131.1.14.4 [31747] <- NATed and FWD-ed to 15.10.123.3

*Nov 6 15:54:48.735: NAT*: s=131.1.14.4, d=131.1.14.1->15.10.123.3 [23054]

*Nov 6 15:54:48.739: NAT*: s=131.1.14.4, d=131.1.14.1->15.10.123.3 [23055]

*Nov 6 15:55:48.739: NAT*: s=15.10.123.3->131.1.14.1, d=131.1.14.4 [31748]

*Nov 6 15:55:48.767: NAT*: s=131.1.14.4, d=131.1.14.1->15.10.123.3 [23056]

*Nov 6 15:56:48.763: NAT*: s=15.10.123.3->131.1.14.1, d=131.1.14.4 [31749]

*Nov 6 15:56:48.791: NAT*: s=131.1.14.4, d=131.1.14.1->15.10.123.3 [23057]

*Nov 6 15:57:12.959: NAT*: s=131.1.14.4, d=131.1.14.1->15.10.123.3 [23058]


____________________________________________________________________________________________________________________

Static NAT redundancy with HSRP ____________________________________________________________________________________________________________________

This approach is used when you want to configure NAT and integrate it with HSRP (enable the same NAT on all the routers that form the HSRP group). In order to do this, it's necessary to NAME each of the HSRP groups:

Step 1: Name the already configured HSRP group:

(config-if)#standby name HSRP-1 <- HSRP Group Name is HSRP-1

Step 2: Configure NAT on the relevant interfaces

(config-if)#ip nat inside <- NAT inside interface

Step 3: Static NAT redundancy with HSRP. After you've named the HSRP group, configure the Redundancy NAT:

(config)#ip nat inside source static 10.185.117.1 152.168.13.9 redundancy HSRP-1

This means that the traffic originated from the IP 10.185.117.1 will be NAT-ed into 152.168.13.9

Tests:

In this example the router 10.185.117.1 is pinging the IP 10.185.117.4. The final router (232.32.32.4) does have the route back to 152.168.13.9.

When the DEBUG is done on the router, the PING done from 10.185.117.1 gives the following display:

*Nov 7 11:34:02.606: NAT*: s=10.185.117.1->152.168.13.9, d=232.32.32.4 [226]

*Nov 7 11:34:02.606: NAT*: s=232.32.32.4, d=152.168.13.9->10.185.117.1 [226]

*Nov 7 11:34:02.610: NAT*: s=10.185.117.1->152.168.13.9, d=232.32.32.4 [227]

*Nov 7 11:34:04.606: NAT*: s=10.185.117.1->152.168.13.9, d=232.32.32.4 [228]

*Nov 7 11:34:04.606: NAT*: s=232.32.32.4, d=152.168.13.9->10.185.117.1 [228]

*Nov 7 11:34:04.606: NAT*: s=10.185.117.1->152.168.13.9, d=232.32.32.4 [229]

*Nov 7 11:34:04.606: NAT*: s=232.32.32.4, d=152.168.13.9->10.185.117.1 [229]

*Nov 7 11:34:04.610: NAT*: s=10.185.117.1->152.168.13.9, d=232.32.32.4 [230]

*Nov 7 11:34:04.610: NAT*: s=232.32.32.4, d=152.168.13.9->10.185.117.1 [230]

____________________________________________________________________________________________________________________

Scalability for Stateful NAT (SNAT) ____________________________________________________________________________________________________________________

The Scalability for Stateful NAT feature allows Stateful Network Address Translation (SNAT) to control the Hot Standby Router Protocol (HSRP) state change until the NAT information is completely exchanged.

Reference: http://www.cisco.com/en/US/docs/ios/12_4/12_4_mainline/snatsca.html

Step 1: You need to create the SNAT group, and assign a unique identifier to each router within the group:

(config)#ip nat stateful id 1

Step 2: In order to configure the Stateful Failover, you need to have the HSRP previously configured. Within the Stateful NAT group

configuration, assign the HSRP redundancy name to the router:

(config-ipnat-snat)#redundancy HSRP-1

Step 3: The Active HSRP Router sends the NAT Translation to the Standby Routers. This translation is assigned an ID, which is called "mapping-id" and it MUST BE THE SAME ON THE ENTIRE GROUP.

(config-ipnat-snat-red)#mapping-id 1

Step 4: Consider adding features such as asymmetric queuing, or define a specific transport protocol for the redundancy group. IP Stateful NAT Redundancy mode configuration commands:

as-queuing Disable asymmetric process for this redundancy group

exit Exit from IP Stateful NAT Redundancy config mode

mapping-id Configure mapping-id for this redundancy group

no Negate or set default values of a command

protocol Select transport protocol for this redundancy group


Step 5: Configure the Dynamic NAT, as described in my previous posts, and just attach the configured mapping-id:

(config)#ip nat inside source route-map ROUTE_MAP_MATCHING_ACL pool INSIDE_GLOBAL mapping-id 1

Step 6: Check the translations

#sh ip snat distributed

Stateful NAT Connected Peers

No entries will appear until you send some traffic (a PING); when you do, with "debug ip nat" enabled, you'll see:

*Nov 7 14:47:12.081: SNAT (Add_node): Allocated database distributed-id 1

*Nov 7 14:47:12.081: SNAT (Add_node): Init RTree for distributed-id 1

*Nov 7 14:47:12.081: SNAT (Add_node): Allocate Node for nat-id 19, Router-id 1

*Nov 7 14:47:12.081: NAT: s=15.10.1.1->172.25.185.1, d=10.185.117.4 [271]

*Nov 7 14:47:12.081: NAT*: s=10.185.117.4, d=172.25.185.1->15.10.1.1 [271]

*Nov 7 14:47:12.085: NAT*: s=15.10.1.1->172.25.185.1, d=10.185.117.4 [272]

*Nov 7 14:47:12.085: NAT*: s=10.185.117.4, d=172.25.185.1->15.10.1.1 [272]

*Nov 7 14:47:12.085: NAT*: s=15.10.1.1->172.25.185.1, d=10.185.117.4 [273]

*Nov 7 14:47:12.085: NAT*: s=10.185.117.4, d=172.25.185.1->15.10.1.1 [273]

*Nov 7 14:47:12.089: NAT*: s=15.10.1.1->172.25.185.1, d=10.185.117.4 [274]

*Nov 7 14:47:12.089: NAT*: s=10.185.117.4, d=172.25.185.1->15.10.1.1 [274]

*Nov 7 14:47:12.089: NAT*: s=15.10.1.1->172.25.185.1, d=10.185.117.4 [275]

*Nov 7 14:47:12.089: NAT*: s=10.185.117.4, d=172.25.185.1->15.10.1.1 [275]
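The "debug ip nat" lines shown in the Dynamic NAT, PAR, HSRP and SNAT sections above all share one format. As an added example (not code from the original guide), the Python below parses those lines, rebuilds the inside-local to inside-global table the way "show ip nat translations" would present it, counts process-switched ("NAT") against fast-switched ("NAT*") packets, and flags an inbound packet whose destination was rewritten to an inside host that no earlier outbound packet or declared static entry established. The sample lines are copied from this section's debug outputs; the final stray line is constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# One 'debug ip nat' record (the timestamp in front of it is ignored).  'NAT*' marks a
# packet translated in the fast-switched path, plain 'NAT' the process-switched path;
# 'x->y' shows which address the translation rewrote.
_NAT_RE = re.compile(
    r"NAT(?P<fast>\*?): s=(?P<s0>[\d.]+)(?:->(?P<s1>[\d.]+))?, "
    r"d=(?P<d0>[\d.]+)(?:->(?P<d1>[\d.]+))? \[(?P<ident>\d+)\]"
)


@dataclass(frozen=True)
class NatEvent:
    fast_path: bool
    direction: str       # "out": source rewritten (inside -> outside); "in": destination rewritten
    inside_local: str
    inside_global: str
    outside: str
    ident: int           # the IP identification field shown in brackets


def parse_debug_line(line: str) -> Optional[NatEvent]:
    """Return the NatEvent for one debug line, or None for anything else
    (SNAT bookkeeping lines, or a record that rewrote nothing)."""
    m = _NAT_RE.search(line)
    if not m:
        return None
    fast, ident = m.group("fast") == "*", int(m.group("ident"))
    if m.group("s1"):      # s=local->global: an inside host talking out
        return NatEvent(fast, "out", m.group("s0"), m.group("s1"), m.group("d0"), ident)
    if m.group("d1"):      # d=global->local: return (or unsolicited) traffic coming in
        return NatEvent(fast, "in", m.group("d1"), m.group("d0"), m.group("s0"), ident)
    return None


def build_translation_table(lines: Iterable[str],
                            static_locals: Iterable[str] = ()) -> Tuple[Dict[str, str], List[str]]:
    """Rebuild the inside-local -> inside-global table from the debug output, in order.
    An inbound packet whose destination is rewritten to an inside local that no earlier
    outbound packet established (and that no static entry covers) is reported, as is a
    local address seen with two different globals."""
    statics = set(static_locals)
    table: Dict[str, str] = {}
    anomalies: List[str] = []
    for raw in lines:
        ev = parse_debug_line(raw)
        if ev is None:
            continue
        known = table.get(ev.inside_local)
        if known is None:
            if ev.direction == "in" and ev.inside_local not in statics:
                anomalies.append(
                    f"unsolicited inbound translation {ev.inside_global}->{ev.inside_local} (id {ev.ident})")
            table[ev.inside_local] = ev.inside_global
        elif known != ev.inside_global:
            anomalies.append(
                f"{ev.inside_local} translated to both {known} and {ev.inside_global} (id {ev.ident})")
    return table, anomalies


def switching_path_counts(lines: Iterable[str]) -> Dict[str, int]:
    """Count process-switched ('NAT') against fast-switched ('NAT*') translations."""
    counts = {"process": 0, "fast": 0}
    for raw in lines:
        ev = parse_debug_line(raw)
        if ev is not None:
            counts["fast" if ev.fast_path else "process"] += 1
    return counts


# Lines copied from the Dynamic NAT and PAR debug outputs in this section; the SNAT
# line is included to show that non-NAT records are skipped.
DYNAMIC_NAT_DEBUG = [
    "*Oct 29 16:25:54.766: NAT: s=10.2.2.1->131.1.12.3, d=15.10.1.1 [64]",
    "*Oct 29 16:25:54.822: NAT*: s=15.10.1.1, d=131.1.12.3->10.2.2.1 [64]",
    "*Oct 29 16:25:54.822: NAT: s=10.2.2.1->131.1.12.3, d=15.10.1.1 [65]",
    "*Oct 29 16:25:54.878: NAT*: s=15.10.1.1, d=131.1.12.3->10.2.2.1 [65]",
    "*Nov 7 14:47:12.081: SNAT (Add_node): Allocated database distributed-id 1",
]
PAR_DEBUG = [
    "*Nov 6 15:54:48.703: NAT*: s=131.1.14.4, d=131.1.14.1->15.10.123.3 [23053]",
    "*Nov 6 15:54:48.707: NAT*: s=15.10.123.3->131.1.14.1, d=131.1.14.4 [31747]",
]
# Constructed: an inbound packet rewritten towards an inside host that never talked out.
STRAY_INBOUND = DYNAMIC_NAT_DEBUG + [
    "*Oct 29 16:26:10.000: NAT*: s=15.10.1.1, d=131.1.12.3->10.2.2.9 [99]",
]

if __name__ == "__main__":
    print(build_translation_table(DYNAMIC_NAT_DEBUG))            # ({'10.2.2.1': '131.1.12.3'}, [])
    print(build_translation_table(PAR_DEBUG))                    # static redirect looks unsolicited...
    print(build_translation_table(PAR_DEBUG, {"15.10.123.3"}))   # ...until the static entry is declared
    print(build_translation_table(STRAY_INBOUND)[1])
    print(switching_path_counts(DYNAMIC_NAT_DEBUG))              # {'process': 2, 'fast': 2}
```

Declare the locals of your "ip nat inside source static" entries in static_locals, otherwise every first packet towards a statically redirected host is reported.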

____________________________________________________________________________________________________________________

NAT Translations with the Outside Source ____________________________________________________________________________________________________________________

Just the other way around from the standard NAT: mark the interface the traffic will be coming in on with "ip nat outside", and use "ip nat outside source". This will translate the incoming traffic with the source 2.2.2.2 into the LOCAL traffic with the source 200.2.2.2:

(config)#ip nat outside source static 2.2.2.2 200.2.2.2

____________________________________________________________________________________________________________________

NAT on a Stick ____________________________________________________________________________________________________________________

When a NAT router has the same interface for both, INSIDE and OUTSIDE NAT, the trick is to use:

Step 1: Define the following:

- One normal interface, Fa0/0 for example, for "ip nat outside" and PBR ("ip policy route-map NAT_MAP") & "no ip redirects"

- One Loopback interface for ip nat inside

Step 2:

Define the Route Map MATCHING the Source and Destination IP ACL, and SETTING the Loopback interface

(config)#route-map NAT_MAP

(config-rmap)#match ip add ACL_1

(config-rmap)#set interface lo0

Step 3: Define "inside" AND "outside" static NAT


____________________________________________________________________________________________________________________

DHCP Server ____________________________________________________________________________________________________________________

Using the DHCP Pool configured on an IOS device is somewhat obsolete, but in cases of smaller companies where this solution is inevitable (or in a case such as mine, preparations for a CCIE exam) - you should know how to configure a full DHCP on a Cisco Router:

Step 1: Enable a DHCP Server on a Device (Don’t forget this step!!!):

(config)#service dhcp

Step 2: Configure global DHCP options:

(config)#ip dhcp pool Cisco

(config-dhcp)#network 172.25.185.0 255.255.255.0 <- Network Range

(config-dhcp)#netbios-node-type h-node <- If you're using WINS, set the HYBRID TYPE

(config-dhcp)#netbios-name-server 172.25.185.253 <- WINS Server IP

(config-dhcp)#dns-server 172.25.185.200 172.25.185.201 <- Primary and Secondary IPs

(config-dhcp)#lease 3 5 <- The duration of the DHCP Lease (3 days 5 hours)

(config-dhcp)#update arp <-Router updates ARP table based on DHCP Database Contents

(config-dhcp)#default-router 172.25.185.254 <-GW to be ALLOCATED TO THE HOSTS

Step 3: Configure the IP Exclusions (IPs) you do not want to lease, in the Global Config mode:

(config)#ip dhcp excluded-address 172.25.185.252 172.25.185.254

Step 4: Disable the DHCP logging of address conflicts, because quite a few are likely to occur, and the log can fill up the memory:

(config)#no ip dhcp conflict logging

Step 5: Static DHCP entries must be configured IN A SEPARATE POOL!!! This is a trick that you need to know by heart because there is no other (more intuitive) way to do it. So - create another DHCP pool, and assign the host's IP and the MAC address (THIS HOST WILL INHERIT THE CONFIG FROM THE DEFAULT POOL):

(dhcp-config)#host 10.184.117.37

(dhcp-config)#hardware-address 0014.2526.ef46

Check if your manual entry was configured:

#sh ip dhcp binding

Bindings from all pools not associated with VRF:

IP address       Client-ID/              Lease expiration    Type
                 Hardware address/
                 User name
10.184.117.37    0014.2526.ef46          Infinite            Manual

____________________________________________________________________________________________________________________

CNS (Cisco Networking Services) ____________________________________________________________________________________________________________________

KRON - The Command Scheduler (KRON) Policy for System Startup feature enables support for the Command Scheduler upon system startup.

STEP 1: Define the KRON policy list, and enter the KRON configuration mode:

(config)#kron policy-list cns-weekly

STEP 2: Define the CLI command you want executed:

(config-kron-policy)#cli ?

LINE Exec level cli to be executed, E

Example: (config-kron-policy)#cli copy startup-config tftp://r4-config


STEP 3: Define when the KRON is being executed:

(config)#kron occurrence week in 7:1:30 recurring

(config-kron-occurrence)# policy-list cns-weekly

STEP 4: Check the KRON status:

#show kron schedule

Kron Occurrence Schedule

week inactive, will run again in 7 days 01:25:17

____________________________________________________________________________________________________________________

GRE Tunnels ____________________________________________________________________________________________________________________

Cisco Documentation: Interface and Hardware Component Configuration Guide->Implementing Tunnels

GRE is Generic Routing Encapsulation; it's the basic tunnel type and the simplest to implement. For starters you need to define the Tunnel interface:

(config)#interface tunnel 0

Define the IP Address of the Tunnel Interface, and assign it the SOURCE and DESTINATION IP (These must be mutually PINGable):

(config-if)#ip address 10.187.134.121

(config-if)#tunnel source 131.1.12.1 <-YOU CAN USE IP ADDRESS OR AN INTERFACE AS A SOURCE

(config-if)#tunnel destination 131.1.12.2

*you'll get a message that the interface went UP

**Check if you need to tune the routing protocol metrics on the Tunnel interfaces, if you want those to be preferred, because by default the Tunnel Interface will have a higher metric. BEST PRACTICE is to configure the tunnel using the Loopback Interfaces, and make sure you have enough redundancy so that the Loopbacks are always PING-able

____________________________________________________________________________________________________________________

Various IOS Tricks ____________________________________________________________________________________________________________________

Define a name of a remote host:

(config)#ip host REMOTE_HOST 10.1.12.1

Configure a "busy-message" (the response shown when the host/service is not available):

(config)#busy-message REMOTE_HOST @NOT AVAILABLE@

To hide a hostname IP when doing a Telnet:

(config)#service hide-telnet-addresses

To use the decompressed IOS in the DRAM, and not the compressed one in the flash

(config)#warm-reboot

To change the prompt, or to make the config-mode prompt disappear:

(config)#prompt New_prompt

(config)#no service prompt config


To prevent the stupid message "Password required but none set" (don't do this!!!):

(config)#line vty 0 4

(config-vty)#no login

(config-vty)#privilege level 15 <- TO GO TO PRIVILEGE MODE DIRECTLY

To avoid sending a packet for each keystroke typed:

(config)#service nagle

To "tune" CDP:

(config)#cdp timer 10

If you want to keep your configuration change logs in the NVRAM:

(config)#archive

(config-archive)#log config <- TO LOG ALL THE CONFIGURATION CHANGES

*"config" is the only option you will have here

(config-archive-log-config)#logging enable

(config-archive-log-config)#logging size SIZE <- in KB

(config-archive-log-config)#hidekeys

(config-archive-log-config)#notify syslog <- TO DISPLAY THE CONFIG CHANGE

To test:

#show archive config differences


IP Routing


____________________________________________________________________________________________________________________

PBR - Policy Based Routing ____________________________________________________________________________________________________________________

The most important thing here is to know how to DEBUG the Policy Map:

#debug ip policy

To match the SOURCE IP use the standard ACL:

(config)#access-list 2 permit host 100.1.1.1

To match the FLOW use the EXTENDED ACL:

(config)#ip access-list extended FLOW1

(config-ext-nacl)#permit ip host 1.1.1.1 host 2.2.2.2 <-TO MATCH THE FLOW

(config-ext-nacl)#permit tcp any any eq 23 <- TO MATCH THE PROTOCOL (PORT)

A ROUTE-MAP can be applied GLOBALLY on a router, so that the router's own locally generated traffic is policy-routed:

(config)#ip local policy route-map ROUTE_MAP

This will not work for traffic transiting this router. For that you need to apply it on the interface

____________________________________________________________________________________________________________________

ODR - ON-DEMAND ROUTING ____________________________________________________________________________________________________________________

On-Demand Routing is not a routing protocol. It uses Cisco Discovery Protocol (CDP) to propagate the IP prefixes. ODR is a perfect solution for a hub-and-spoke topology where the spoke routers act as stub routers. ODR is a feature that provides IP routing for stub sites with minimum overhead. Configuration is quite simple:

Step 1: Enable ODR globally on a HUB router:

(config)#router odr <-HUB router begins installing stub network routes in the IP forwarding table

*don’t configure ANY routing protocol on a STUB

Step 2: Adjust CDP timers, as ODR uses CDP as a transport protocol (Ensure CDP versions match)

(config)#cdp timer seconds

____________________________________________________________________________________________________________________

RIP ____________________________________________________________________________________________________________________

The RIP Protocol uses the Multicast Address 224.0.0.9 to send its updates, on UDP port 520. "no auto-summary" disables the CLASSFUL NATURE of RIP and allows classless routing, so when you check the RIP database:

#show ip rip database

1.0.0.0/8 auto-summary *** <--- the AUTO SUMMARIES are not ADVERTISED

1.0.0.0/8 directly connected, Loopback0

10.0.0.0/8 auto-summary ***

10.1.1.0/24 directly connected, Serial1/0.123

Network Layer Reachability Information (NLRI) - the pure reachability information carried in ROUTING UPDATES

When you need to send the RIP Updates using UNICAST instead of Multicast packets, the "neighbor" command is used. Be sure to check the SPLIT HORIZON in the case of a HUB-and-SPOKE configuration. If you need to DISABLE it for routing, BE SURE TO CONFIGURE the FRAME-RELAY IP-DLCI mappings manually!

* BY DEFAULT SPLIT HORIZON is DISABLED ON PHYSICAL, AND ENABLED ON MULTIPOINT INT.

#show ip inter s1/0.123 | i Split

Split horizon is enabled

To avoid the SPLIT HORIZON and ADDITIONAL IP-DLCI mappings, you can use PPP and VIRTUAL TEMPLATES


____________________________________________________________________________________________________________________

RIP: Authentication ____________________________________________________________________________________________________________________

TIP: If you configure a "neighbor" command, that neighbor will RECEIVE the RIP updates using UNICAST, because this way the router updates are sent as UNICAST, not MULTICAST. Don't forget to define the "passive-interface default" to stop the MULTICAST updates.

RIP Version 2 supports clear text and MD5 Authentication. The key-chain needs to be defined, and applied to the physical interface using the commands:

(config-if)#ip rip authentication mode md5

(config-if)#ip rip authentication key-chain CISQUEROS_CHAIN

If configured on one side only, the DEBUG IP RIP EVENTS will show:

*Aug 18 08:57:04.391: RIP: ignored v2 packet from 10.1.1.1 (invalid authentication)

IT WILL TAKE A LOOONG TIME FOR RIP TO UPDATE THE DATABASE!!! So do the:

#clear ip route *

First step is to build a KEY-CHAIN:

(config)#key chain RIP_12

(config-keychain)#key 1 <--- For TEXT authentication the KEY NUMBERS DON'T HAVE TO MATCH. For MD5 the numbers MUST MATCH!!!

(config-keychain-key)#key-string cisco

IMPORTANT: The passwords and the key numbers MUST be the same on all the routers for MD5.

In case the Key numbers are different:

- Router with the HIGHER key number will receive ALL the routes

- Router with the LOWER key number will IGNORE (reject) all the routes received from the other router

____________________________________________________________________________________________________________________

RIP: Timers ____________________________________________________________________________________________________________________

*To see the default values:

#show ip protocol

...

Sending updates every 30 seconds, next due in 20 seconds

Invalid after 180 seconds, hold down 180, flushed after 240

(config-router)#timers basic ?

<1-4294967295> Interval between updates for RIP

(config-router)#timers basic 60 ?

<1-4294967295> Invalid

(config-router)#timers basic 60 360 ?

<0-4294967295> Holddown

(config-router)#timers basic 60 360 360 ?

<1-4294967295> Flush

(config-router)#timers basic 60 360 360 480 ?

<1-4294967295> Sleep time, in milliseconds

<cr>

(config-router)#timers basic 60 360 360 480

To AVOID COLLISIONS you can INSERT A DELAY every time updates are sent by adding the last attribute to the TIMER SETTING:

(config-router)#timers basic 60 360 360 480 ?

<1-4294967295> Sleep time, in milliseconds


Other RIP Specific Configuration parameters:

SUPPRESS flash updates when the periodic update comes in less than the configured time:

(config-router)#flash-update-threshold

Validate the Update Source:

(config-router)#validate-update-source

*Enabled by default, makes sure the source IP of the RIP advertising router matches the connection IP. Needs to be disabled when you are playing with LOOPBACKS

Change the unprocessed RIP queue depth. Good practice on SLOW ROUTERS, and also prevents routing info from being lost

(config-router)#input-queue 75 <-DEFAULT IS 50

Define the DELAY when sending the UPDATES, when FAST router is neighbors with the SLOW one:

(config-router)#output-delay 10 <-BY DEFAULT THERE IS NO INTER-PACKET DELAY, this timer is in range 8-50ms

____________________________________________________________________________________________________________________

RIP: Updates Control ____________________________________________________________________________________________________________________

By default Version 1 uses Broadcast to send its updates. Version 2 uses Multicast, with the destination address 224.0.0.9. If you need to send the Updates only when something changes in the topology, there is an INTERFACE command "ip rip triggered":

(config-if)#ip rip triggered

There is a way to "force" the routing updates to only one of the neighbors (UNICAST UPDATES). To achieve this you need to manually define the neighbor using the "neighbor" command, and define the interface towards the defined neighbor as PASSIVE, to prevent the Multicast Updates that are sent by default (If the interface is not defined as passive, both UNICAST and MULTICAST Updates will be sent).

There is also a way to force Broadcast Updates (ip 255.255.255.255 instead of the default multicast destination 224.0.0.9) in Version 2 of RIP, and it's achieved using the Interface Command:

(config-if)#ip rip v2-broadcast

Another RIP-specific feature is injecting the default route using the "ip default-network" command. This is done in the Global Configuration mode. Don't forget to advertise the network into the RIP protocol:

(config)#ip default-network 4.0.0.0

(config-router)#network 4.0.0.0

____________________________________________________________________________________________________________________

RIP: OFFSET LISTS ____________________________________________________________________________________________________________________

In the RIP Protocol the METRIC IS ACTUALLY the HOP COUNT, so if you want it to be UNREACHABLE - set the METRIC to 16. A RIP offset list is used to INCREASE the Hop Count. Define the ACL (10 in this example), and set the Hop Count to be increased by a value, in this example 13:

(config-router)#offset-list 10 out 13 Fa0/0

Offset Lists work only with RIP and EIGRP


____________________________________________________________________________________________________________________

RIP: Update Source Control ____________________________________________________________________________________________________________________

RIP Validates the source for the Update packets, so they need to be from the same subnet as the interconnection is. If they are not, like in the case the routes are sourced by a Loopback, you can force the route updates by turning off the Source IP Validation:

(config-router)#no validate-update-source

This way the RIP routes will be exchanged, but if the L3 Reachability is not established between the routers - the RIP routes will not be reachable.

If you need to define the EXACT SOURCES (RIP Neighbors) you want to receive the RIP Updates from - use "gateway" word on a distribute-list.

This will work for RIP and EIGRP only.

Start by defining 2 PREFIX LISTS, one for WHERE you want updates from, another to filter the UPDATES you want. Once you've got your Prefix Lists configured, apply them via a Distribute List in the Router Configuration Mode:

(config-router)#distribute-list UPDATE_PREFIXES gateway PREFIX_UPDATE_SOURCES in Fa0/0

____________________________________________________________________________________________________________________

RIP: Route Summarizing ____________________________________________________________________________________________________________________

Done on the interface level:

(config-if)#ip summary-address rip 150.1.0.0 255.255.252.0

#show ip rip database

150.1.0.0/22 int-summary <-MANUAL SUMMARY

____________________________________________________________________________________________________________________

RIP: Route Filtering using Prefix Lists ____________________________________________________________________________________________________________________

PREFIX LISTS are used to implement the Route Filtering in RIP, and are applied via the DISTRIBUTION LISTS. The main trick is to wait for the timer to END before checking if the filter worked, or even better CLEAR THE ROUTING TABLE. The same principle applies to most of the Routing Protocols.

#clear ip route *

Step 1: Define the IP Prefix List. In this example we're allowing only the prefix 192.1.1.0/24, & denying everything else (remember this structure of selecting ALL in the Prefix List: deny 0.0.0.0/0 le 32):

(config)#ip prefix-list TEST_MAT_2 seq 5 permit 192.1.1.0/24

(config)#ip prefix-list TEST_MAT_2 seq 10 deny 0.0.0.0/0 le 32

*NOTE that THERE IS A DEFAULT DENY ALL IN THE END, so the Second Entry was added ONLY FOR LOGGING

Step 2: Apply the filtering using the Distribution List within the Router Protocol configuration, in the INBOUND direction, meaning - filter the routes learned via RIP:

(config-router)#distribute-list prefix TEST_MAT_2 in

Step 3: Clear the routing table and check if the filtering has been applied correctly by reviewing the Routing Table

#clear ip route *


Also make sure how your Prefix List is doing:

#sh ip prefix-list detail

Prefix-list with the last deletion/insertion: TEST_MAT_2

ip prefix-list TEST_MAT_2:

count: 2, range entries: 1, sequences: 5 - 10, refcount: 3

seq 5 permit 192.1.1.0/24 (hit count: 37, refcount: 1)

seq 10 deny 0.0.0.0/0 le 32 (hit count: 595, refcount: 1) <-CHECK HOW MANY HITS PER ENTRY

*The HITS are actually from the ROUTING PROTOCOL UPDATE PACKETS

If you want to use PREFIX LISTS to filter, for example, all subnets that DO NOT belong to RFC 1918 class A ("ge" must come before "le" in the command):

ip prefix-list FILTER_A seq 5 permit 0.0.0.0/1 ge 8 le 8 <- CLASS A has the first bit 0, and an /8 mask

So, check the following examples:

Class A would be: permit 0.0.0.0/1 ge 8 le 8

Class B would be: permit 128.0.0.0/2 ge 16 le 16

Class C would be: permit 192.0.0.0/3 ge 24 le 24
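As an added example (not from the original guide), the Python below implements the IOS prefix-list matching rules used throughout this section: the first L bits of a route must equal the entry's prefix, the route's length must be exactly L unless ge/le widen the range, the first matching sequence wins, and an implicit deny sits at the end. It then applies TEST_MAT_2 and the class A/B/C entries (collected into one list called CLASSFUL, a name chosen here) to a constructed set of routes and returns the per-sequence hit counts that "show ip prefix-list detail" reports.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class PrefixListEntry:
    seq: int
    action: str                      # "permit" or "deny"
    prefix: ipaddress.IPv4Network    # the A.B.C.D/L part of the entry
    ge: Optional[int] = None
    le: Optional[int] = None
    hits: int = 0                    # what 'show ip prefix-list detail' reports per entry


def parse_prefix_list(config_lines: List[str]) -> List[PrefixListEntry]:
    """Parse 'ip prefix-list NAME seq N permit|deny A.B.C.D/L [ge X] [le Y]' lines and
    return the entries ordered by sequence number (the order IOS evaluates them in)."""
    entries = []
    for line in config_lines:
        tok = line.split()
        if tok[:2] != ["ip", "prefix-list"]:
            continue
        action = "permit" if "permit" in tok else "deny"
        prefix = ipaddress.ip_network(tok[tok.index(action) + 1], strict=False)
        ge = int(tok[tok.index("ge") + 1]) if "ge" in tok else None
        le = int(tok[tok.index("le") + 1]) if "le" in tok else None
        entries.append(PrefixListEntry(int(tok[tok.index("seq") + 1]), action, prefix, ge, le))
    return sorted(entries, key=lambda e: e.seq)


def entry_matches(entry: PrefixListEntry, route: ipaddress.IPv4Network) -> bool:
    """IOS semantics: the route's first L bits must equal the entry prefix, and its length
    must be exactly L unless ge/le widen it ('ge' alone allows up to /32, 'le' alone
    allows from L up to le, both together give the range [ge, le])."""
    length = entry.prefix.prefixlen
    if route.prefixlen < length:
        return False
    shift = 32 - length
    if (int(route.network_address) >> shift) != (int(entry.prefix.network_address) >> shift):
        return False
    low = entry.ge if entry.ge is not None else length
    high = entry.le if entry.le is not None else (32 if entry.ge is not None else length)
    return low <= route.prefixlen <= high


def evaluate(entries: List[PrefixListEntry], route_str: str) -> str:
    """First matching entry wins and its hit counter is bumped; no match is the implicit deny."""
    route = ipaddress.ip_network(route_str, strict=False)
    for entry in entries:
        if entry_matches(entry, route):
            entry.hits += 1
            return entry.action
    return "deny"


def apply_distribute_list(config_lines: List[str],
                          routes: List[str]) -> Tuple[List[str], Dict[int, int]]:
    """Simulate 'distribute-list prefix NAME in': return the routes that survive the
    filter and the per-sequence hit counts."""
    entries = parse_prefix_list(config_lines)
    accepted = [r for r in routes if evaluate(entries, r) == "permit"]
    return accepted, {e.seq: e.hits for e in entries}


# The guide's TEST_MAT_2 list, and the class A/B/C lines gathered into one list.
TEST_MAT_2 = [
    "ip prefix-list TEST_MAT_2 seq 5 permit 192.1.1.0/24",
    "ip prefix-list TEST_MAT_2 seq 10 deny 0.0.0.0/0 le 32",
]
CLASSFUL = [
    "ip prefix-list CLASSFUL seq 5 permit 0.0.0.0/1 ge 8 le 8",       # class A: first bit 0, /8
    "ip prefix-list CLASSFUL seq 10 permit 128.0.0.0/2 ge 16 le 16",  # class B: first bits 10, /16
    "ip prefix-list CLASSFUL seq 15 permit 192.0.0.0/3 ge 24 le 24",  # class C: first bits 110, /24
]

# Constructed set of routes, as they might arrive in a RIP update.
SAMPLE_ROUTES = ["192.1.1.0/24", "192.1.1.128/25", "10.0.0.0/8", "10.1.0.0/16",
                 "172.16.0.0/16", "192.168.1.0/24", "192.168.0.0/16", "224.0.0.0/4"]

if __name__ == "__main__":
    for name, cfg in (("TEST_MAT_2", TEST_MAT_2), ("CLASSFUL", CLASSFUL)):
        accepted, hits = apply_distribute_list(cfg, SAMPLE_ROUTES)
        print(name, "accepted:", accepted, "hits:", hits)
```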


____________________________________________________________________________________________________________________

OSPF ____________________________________________________________________________________________________________________

OSPF Multicasts: 224.0.0.5 send Hello packets to all OSPF routers on a network segment, 224.0.0.6 Send info to the DR

TIP: When using BROADCAST and NON-BROADCAST in order to PEER you MUST ADJUST THE TIMERS!!!

TIP: When you need to do a CONDITION, like - do something if a certain route exists in a routing table - just use the PREFIX-LIST, and match it in the route-map: "match ip address prefix-list ROUTE_EXISTS"

TIP: When you have the L2 tunnel directly attached to an OSPF interface, better configure ignoring of MTU:

(config-if)#ip ospf mtu-ignore

TIP: To IGNORE stuff in the ospf, like LSA6 (MOSPF), under the routing process:

(config-router)#ignore lsa mospf

WHEN you need to advertise Loopbacks with the CORRECT MASKS, be sure to do "ip ospf network point-to-point", otherwise they will be sent with /32 (/32 might be required for Multicast or MPLS, so be careful with this!)

____________________________________________________________________________________________________________________

OSPF over Frame-Relay, focus on Network Types ____________________________________________________________________________________________________________________

TIP: Revise DR->"neighbor" command->TIMERS

Don't forget that in Frame-Relay "broadcast" is defined ONLY DIRECTLY between the HUB AND A SPOKE, ON BOTH SIDES of the pvc!!! What this does is tell the routers "Hey, if you have any broadcast messages, go ahead and send them down this DLCI as a unicast". So basically it is a way to send broadcast messages on a non-broadcast medium. Don't include "broadcast" between the SPOKEs, as the Hellos won't be able to traverse the HUB.

Type 1: NON-BROADCAST - use "neighbor" command on HUB to use UNICAST for OSPF

OSPF Hellos are sent to a multicast address, which the router treats as a kind of broadcast. Because Frame-Relay is a non-broadcast medium,

NON-BROADCAST is the DEFAULT OSPF network type on a multipoint Frame-Relay interface.

- Set the OSPF Priority to 0 on all the SPOKEs, so HUB is elected as the DR, and SPOKEs neither DR nor BDR

- Non-broadcast network type in OSPF uses “slow” timers meaning 30 second hello and 120 second dead-time. Here it will not affect us, as all

neighbor types match.

Type 2: BROADCAST - two important things:

- As BROADCAST is meant to be FASTER timers are 10/40 seconds by default

- Include the "broadcast" when mapping DLCI to IP. Also set the SPOKEs OSPF Priority to 0, we don’t want them to be DR

Type 3: POINT-TO-POINT

- Really simple, POINT-TO-XXX (P2P or P2MP) does not do the DR/BDR election

- Timers 10/40 seconds

TIP: When doing a HUB-AND-SPOKE, configure Point-to-Multipoint on a HUB, and ADJUST THE TIMERS!!!


Type 4: POINT-TO-MULTIPOINT

No DR, no "neighbor" commands. Slow timers (30/120 seconds). "broadcast" is mandatory on the FR Mappings, because the Hellos are multicast!!!

HUB will just advertise the learned routes from ONE SPOKE to the other, like if it were the DR.

!!!HUB must have .multipoint Sub-interface, while on SPOKES you can do .multipoint or Physical Interface.

Type 5: POINT-TO-MULTIPOINT NON-BROADCAST

Cisco Proprietary, like P2MP, with NO BROADCASTS ALLOWED! Timers are still slow, 30 and 120 Seconds.

Next hop is ALWAYS the router you are directly connected to.

(config-if)#ip ospf network point-to-multipoint non-broadcast

____________________________________________________________________________________________________________________

OSPF: Configuration on INTERFACE LEVEL ____________________________________________________________________________________________________________________

The routes can be advertised using the "network" command, but there is also another way. You can do an entire OSPF configuration on the

Interface Level:

(config-if)#ip ospf network point-to-point

(config-if)#ip ospf 1 area 0

This will automatically CREATE the OSPF process on the router:

#sh run | s router ospf

router ospf 1

log-adjacency-changes

Even so, you should define "router ospf 1" process in the Global Configuration mode before the interface (it's not necessary for the OSPF

PEERING, but to avoid restarting the OSPF process later cause of Router ID change). Being defined as a P2P network - DR and BDR election will

not take place.

The state of all the OSPF Neighbors will be "FULL/-", as presented below:

#show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface

3.3.3.3 0 FULL/ - 00:00:30 10.1.23.3 GigabitEthernet0/0

1.1.1.1 0 FULL/ - 00:00:34 10.1.12.1 Serial1/0

This way the interface is configured to automatically belong to the Area 0, and the interface Subnet will be "injected" into the OSPF Area. If

there is SECONDARY IP configured on the interface - it will also be advertised. If however you do NOT want to advertise the Secondary IP, you

can do the following specific OSPF command:

(config-if)#ip ospf 1 area 0 secondaries none

____________________________________________________________________________________________________________________

OSPF: Timers ____________________________________________________________________________________________________________________

Standard commands for setting the OSPF timers are "ip ospf hello-interval" and "ip ospf dead-interval" on the interface level. If you

need a hello shorter than 1 second, use the following: the dead interval becomes 1 second and the hello is sent "multiplier" times per second (every 250 ms here):

(config-if)#ip ospf dead-interval minimal hello-multiplier 4

*VALUE MUST MATCH BETWEEN THE NEIGHBORING INTERFACES

When ACK hasnt been received for the LSA, the router keeps LSA, and default is to wait 5 secs to re-send. To change:

(config-if)#ip ospf retransmit-interval 10

retransmit-interval Time between retransmitting lost link state advertisements


____________________________________________________________________________________________________________________

OSPF: Authentication ____________________________________________________________________________________________________________________

You can enable the OSPF Authentication:

1. Globally on the Router, in the "router ospf" configuration, so it's enabled on all the Interfaces of that Area (the keys are still configured per interface):

(config-router)#area 0 authentication <- Plain Text Authentication

(config-router)#area 0 authentication message-digest <- MD5 Authentication

2. Directly on the Interface

(config-if)#ip ospf authentication message-digest <-MD5 Authentication

OSPF supports two types of Authentication:

1. Plain Text (up to 8 characters, carried in the clear in the 64-bit Authentication field of every OSPF packet, so anyone sniffing the segment reads it)

(config-if)#ip ospf authentication-key ^&*(^*&&%

2. MD5 (Key ID + key of up to 16 characters; a 128-bit digest of the packet and the key is appended to each packet, the key itself never goes on the wire):

(config-if)#ip ospf message-digest-key 1 md5 ^&*^&^*

To DISABLE the authentication on an interface:

(config-if)#ip ospf authentication null

Check what type of OSPF Authentication has been configured and which Key ID is in use (the key itself is never displayed here):

#show ip ospf interface s1/0.12 | b authentic

Simple password authentication enabled <- or "Message digest authentication enabled" followed by "Youngest key id is N"

When you need to CHANGE the PASSWORD without the service interruption, configure the 2nd KEY, wait until all the neighbors have it, and only then remove the 1st:

(config-if)#ip ospf message-digest-key 2 MD5 SECOND_KEY

*While two keys are configured the router sends every packet twice, once per key, until it has received packets from all its neighbors authenticated with the new key. After that it uses only the YOUNGEST KEY (the one that was configured last), which is what "Youngest key id" in "show ip ospf interface" refers to. The old key keeps accepting incoming packets until you remove it, so do remove it.
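To see what the two authentication types actually put on the wire, here is an added Python model of the OSPFv2 header and Hello packet as RFC 2328 Appendix D defines them. This is example code written for this section, not IOS code or anything from the original notes; the router IDs, key id 2 and the key SECOND_KEY are taken from the examples above, everything else (the hello_body/build_hello/verify_crypt names, the neighbour list) is constructed. It shows the plain-text password being read straight out of the packet, and the receiver-side checks for MD5: key id, digest, and the cryptographic sequence number that stops replay.

```python
"""OSPFv2 packet authentication on the wire (RFC 2328, Appendix D), modelled in Python."""
import hashlib
import hmac
import socket
import struct

AU_NULL, AU_SIMPLE, AU_CRYPT = 0, 1, 2   # AuType values in the OSPF header
TYPE_HELLO = 1
DIGEST_LEN = 16


def _ip(addr: str) -> bytes:
    return socket.inet_aton(addr)


def hello_body(mask="255.255.255.0", hello=10, dead=40, prio=1,
               dr="0.0.0.0", bdr="0.0.0.0", neighbors=()):
    """Hello body: network mask, hello interval, options (E bit), priority,
    dead interval, DR, BDR, then one Router ID per neighbour already seen."""
    body = _ip(mask) + struct.pack("!HBBI", hello, 0x02, prio, dead)
    body += _ip(dr) + _ip(bdr)
    return body + b"".join(_ip(n) for n in neighbors)


def md5_digest(packet: bytes, key: bytes) -> bytes:
    """What 'ip ospf message-digest-key N md5 KEY' appends to each packet:
    MD5(packet || key zero-padded to 16 bytes). A keyed hash, not an HMAC,
    so the key must stay secret and unpredictable."""
    return hashlib.md5(packet + key[:DIGEST_LEN].ljust(DIGEST_LEN, b"\x00")).digest()


def build_hello(router_id, area_id, body, au_type, *, password=b"",
                key_id=0, seq=0, key=b""):
    """24-byte OSPF header + body. With AuType 2 the digest follows the
    packet and is NOT counted in the header's packet length field."""
    length = 24 + len(body)
    if au_type == AU_SIMPLE:
        auth = password[:8].ljust(8, b"\x00")                   # password in the clear
    elif au_type == AU_CRYPT:
        auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)  # key id, digest len, crypto seq
    else:
        auth = bytes(8)
    # Checksum is left at zero: with cryptographic auth it is not used at all.
    header = struct.pack("!BBH4s4sHH", 2, TYPE_HELLO, length,
                         _ip(router_id), _ip(area_id), 0, au_type) + auth
    packet = header + body
    if au_type == AU_CRYPT:
        packet += md5_digest(packet, key)
    return packet


def verify_crypt(packet: bytes, key_id: int, key: bytes, last_seq: int):
    """Receiver side of AuType 2. Returns (accepted, reason)."""
    if len(packet) < 24 + DIGEST_LEN:
        return False, "short"
    _, _, length, _, _, _, au_type = struct.unpack("!BBH4s4sHH", packet[:16])
    _, kid, alen, seq = struct.unpack("!HBBI", packet[16:24])
    if au_type != AU_CRYPT or kid != key_id or alen != DIGEST_LEN:
        return False, "auth type or key id mismatch"
    if len(packet) != length + DIGEST_LEN:
        return False, "length mismatch"
    if seq < last_seq:                         # RFC 2328 D.4.3: sequence must not go backwards
        return False, "replay"
    if not hmac.compare_digest(md5_digest(packet[:length], key), packet[length:]):
        return False, "bad digest"
    return True, "ok"


def extract_simple_password(packet: bytes) -> str:
    """AuType 1: the 8-byte password is readable by anyone sniffing the segment."""
    au_type, = struct.unpack("!H", packet[14:16])
    if au_type != AU_SIMPLE:
        raise ValueError("not simple-password authentication")
    return packet[16:24].rstrip(b"\x00").decode()


def demo():
    """Constructed exchange: R1 (key id 2, key SECOND_KEY) sends Hellos towards R2."""
    body = hello_body(neighbors=["2.2.2.2"])
    key = b"SECOND_KEY"
    pkt = build_hello("1.1.1.1", "0.0.0.0", body, AU_CRYPT, key_id=2, seq=1000, key=key)
    tampered = pkt[:40] + bytes([pkt[40] ^ 0x01]) + pkt[41:]   # flip a bit in the BDR field
    clear = build_hello("1.1.1.1", "0.0.0.0", body, AU_SIMPLE, password=b"cisco123")
    return {
        "good": verify_crypt(pkt, 2, key, last_seq=999)[0],
        "wrong_key": verify_crypt(pkt, 2, b"OTHER_KEY", last_seq=999)[0],
        "tampered": verify_crypt(tampered, 2, key, last_seq=999)[0],
        "replayed": verify_crypt(pkt, 2, key, last_seq=1001)[0],
        "leaked_password": extract_simple_password(clear),
    }
```

Note the replay rule: the receiver only requires the sequence number not to go backwards, so a captured packet can be replayed until the sender's counter moves on; IOS uses a timestamp-derived counter, which is why the clocks of reloaded routers matter. The digest also only covers the OSPF packet, not the IP header.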

____________________________________________________________________________________________________________________

OSPF: Route Redistribution ____________________________________________________________________________________________________________________

(config-router)#redistribute eigrp 1 subnets

- Be sure to include the word "subnets", otherwise it's going to redistribute the classful networks ONLY!

- By default the routes are being redistributed into OSPF with the Metric 20, Metric-type 2 (E2). AD is still 110.

You can define the MAXIMAL NUMBER of prefixes to be redistributed into OSPF, and the % when to give the first warning message. Here MAX

10 prefixes can be redistributed, and on 70% of that Warning Message is displayed:

(config-router)#redistribute maximum-prefix 10 70 warning-only


____________________________________________________________________________________________________________________

OSPF Route Summarization ____________________________________________________________________________________________________________________

This is to be done under the ROUTING PROCESS configuration. Routing process auto-injects DISCARD ROUTE (Null0) to avoid loops.

ABR for the Internal Routes, using the "AREA X RANGE" command

(config-router)#area 2 range 4.4.0.0 255.255.252.0 advertise cost 10

ASBR for the External (redistributed into OSPF) Routes, using the "summary-address" command

(config-router)#summary-address 4.4.0.0 255.255.252.0

If you want to prevent the route Null0 in the routing table, just exclude the discard-route:

(config-router)#no discard-route [internal | external] <- INTERNAL on ABR, EXTERNAL on ASBR

____________________________________________________________________________________________________________________

OSPF Virtual Link ____________________________________________________________________________________________________________________

Configure between two ABRs of the same transit area, one of which is connected to Area 0 (the Backbone Area); the virtual link extends Area 0 to the other ABR. Once it's configured - a new OSPF neighbor will be added

as a Virtual-Link neighbor:

#show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface

4.4.4.4 0 FULL/ - 00:00:05 10.1.34.4 OSPF_VL0 <--- VIRTUAL LINK NEIGHBOR

2.2.2.2 0 FULL/ - 00:00:30 10.1.23.2 Serial1/0.32

4.4.4.4 0 FULL/ - 00:00:34 10.1.34.4 Serial1/0.34

Can multiple Virtual Links be formed? YES!!! So for example if we have the following scenario:

Cisqueros_R1 - Area 0 - Cisqueros_R2 - Area 1 - Cisqueros_R3 - Area 2 - Cisqueros_R4 - Area 3 - Cisqueros_R5

We would need to create 2 virtual links:

- AREA 1 VIRTUAL LINK between Cisqueros_R2 and Cisqueros_R3 so that Area 2 would have the communication with the Area 0

- AREA 2 VIRTUAL LINK between Cisqueros_R3 and Cisqueros_R4 so that Area 3 could communicate with Area 1, and therefore with Area 0

Cisqueros_R2:

(config-router)#area 1 virtual-link 3.3.3.3

Cisqueros_R3:

(config-router)#area 1 virtual-link 2.2.2.2

(config-router)#area 2 virtual-link 4.4.4.4

Cisqueros_R4:

(config-router)#area 2 virtual-link 3.3.3.3

Let's check the OSPF Neighbors again on Cisqueros_R3 router:

#show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface

2.2.2.2 0 FULL/ - - 10.1.23.2 OSPF_VL1

4.4.4.4 0 FULL/ - - 10.1.34.4 OSPF_VL0

2.2.2.2 0 FULL/ - 00:00:34 10.1.23.2 Serial1/0.32

4.4.4.4 0 FULL/ - 00:00:33 10.1.34.4 Serial1/0.34


Check the Virtual Link Details:

#show ip ospf virtual-links

Have in mind that routers Cisqueros_R3 and Cisqueros_R4 are now VIRTUALLY connected to Area 0 (the virtual link is an Area 0 interface), so if you enable the

authentication for Area 0 on Cisqueros_R1 and Cisqueros_R2, you also must enable it on Cisqueros_R3 and Cisqueros_R4 FOR AREA 0!!!

The AUTHENTICATION of the Virtual Link itself is configured on the virtual-link statement, with the same two types as on a normal interface:

(config-router)#area 1 virtual-link 2.2.2.2 authentication message-digest

(config-router)#area 1 virtual-link 2.2.2.2 message-digest-key 1 md5 KEY <- or "authentication-key WORD" for plain text

____________________________________________________________________________________________________________________

OSPF Cost ____________________________________________________________________________________________________________________

NLRI - Network Layer Reachability Information

OSPF selects routes by their metric. The metric is the sum of the interface costs along the path, and each interface cost is derived only from the Link Bandwidth:

Cost = Reference Bandwidth / Interface Bandwidth = 100 / BW[Mbps] with the default reference bandwidth of 100 Mbps

There are two things you could play with here:

1. Set the REFERENCE BW (because with the formula above the MINIMUM cost value is 1, so a 100M link and a 10G link both get cost 1, and we

don’t want the same values for them). Set the SAME value on EVERY router in the domain, otherwise each router prices its own interfaces differently and forward and return paths no longer agree. Clear the OSPF process if you want a clean recalculation:

(config-router)#auto-cost reference-bandwidth 10000 <--- it's in Mbps

#clear ip ospf process

2. Directly change the COST in the Interface Configuration

(config-if)#ip ospf cost 20

#show ip ospf inter Lo0 | i Cost

Process ID 1, Router ID 1.1.1.1, Network Type POINT_TO_POINT, Cost: 20

Then check the metric on the OSPF Neighbor:

#show ip route 1.0.0.0

Routing entry for 1.0.0.0/8

Known via "ospf 1", distance 110, metric 84, type intra area

Last update from 10.1.12.1 on Serial1/0.21, 00:02:31 ago

Routing Descriptor Blocks:

* 10.1.12.1, from 1.1.1.1, 00:02:31 ago, via Serial1/0.21

Route metric is 84, traffic share count is 1

Metric is 84, which is the cost of the Serial interface between routers 1 and 2, and the Cost of the Loopback0 interface on Router 1. Default

cost of the Loopback interface is 1, so it actually increased for 20-1 = 19
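The following Python model reproduces the cost formula and the metric of 84 from the output above, and then shows what happens when the reference bandwidth is changed on only one router. It is an added example for this section, not code from the notes or from IOS: the T1/GigabitEthernet topology, the router names and the function names are constructed; the cost of 20 on Lo0 is the one configured above.

```python
"""OSPF interface cost and shortest-path metric, modelled in Python."""
import heapq

MAX_COST = 65535


def ospf_cost(bandwidth_kbps: int, reference_mbps: int = 100) -> int:
    """IOS: cost = reference-bandwidth / interface bandwidth (integer division),
    floored at 1 and capped at 65535. With the default 100 Mbps reference every
    link of 100 Mbps or faster collapses to cost 1."""
    cost = (reference_mbps * 1_000_000) // (bandwidth_kbps * 1000)
    return max(1, min(cost, MAX_COST))


# Constructed topology: R1-R2 over a T1 serial link (1544 kbps), R2-R3 over
# GigabitEthernet, plus Lo0 on R1 carrying the 'ip ospf cost 20' from the page.
LINKS = [("R1", "R2", 1544), ("R2", "R3", 1_000_000)]   # bandwidth in kbps
STUBS = {"R1": ("R1-Lo0", 20)}                          # router -> (stub network, fixed cost)


def build_graph(reference_mbps: dict) -> dict:
    """Directed graph. Each router prices its OWN outbound interface with its
    OWN reference bandwidth, which is why the value must match domain-wide."""
    adj = {r: [] for r in reference_mbps}
    for a, b, bw in LINKS:
        adj[a].append((b, ospf_cost(bw, reference_mbps[a])))
        adj[b].append((a, ospf_cost(bw, reference_mbps[b])))
    for r, (stub, cost) in STUBS.items():
        adj.setdefault(stub, [])
        adj[r].append((stub, cost))
    return adj


def spf(adj: dict, root: str) -> dict:
    """Dijkstra from `root`: the metric of a destination is the sum of the
    outbound interface costs along the path, as OSPF computes it."""
    dist = {root: 0}
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, cost in adj[u]:
            nd = d + cost
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                heapq.heappush(heap, (nd, v))
    return dist


def path_metrics(reference_mbps: dict) -> dict:
    """{router: {destination: metric}} for every router in the domain."""
    adj = build_graph(reference_mbps)
    return {r: spf(adj, r) for r in reference_mbps}


# All routers on the default reference (100 Mbps): R2 sees R1's Lo0 at 64 + 20 = 84.
CONSISTENT = path_metrics({"R1": 100, "R2": 100, "R3": 100})
# Only R2 changed to 'auto-cost reference-bandwidth 10000': the R1<->R2 link now
# costs 64 in one direction and 6476 in the other.
MISMATCHED = path_metrics({"R1": 100, "R2": 10000, "R3": 100})
```

The asymmetry in MISMATCHED is the practical reason for the "same value on every router" rule: R1 still reaches R2 at cost 64, while R2 reaches R1 at 6476, so a topology with alternative paths may route the two directions of one flow over different links.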

____________________________________________________________________________________________________________________

Redirecting Traffic (FORCING A PATH) ____________________________________________________________________________________________________________________

http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_ospf/configuration/12-4t/iro-stub-router.html

The "max-metric" command makes the router originate its Router LSA with the metric of all its transit links set to 0xFFFF (INFINITY). The other

routers can still reach the prefixes of this router, but they DON'T PREFER it as a TRANSIT HOP (stub router advertisement):

(config-router)#max-metric router-lsa [on-startup <seconds>] <- with "on-startup" only for the given time after a reload; with no argument it stays until removed (graceful maintenance)


____________________________________________________________________________________________________________________

OSPF and the GRE Tunnels ____________________________________________________________________________________________________________________

In this example there is a need to establish the connectivity between some OSPF Areas that are not connected to the Area 0, and we do not

want to use the Virtual Links. GRE is a pretty simple concept, where you basically create a TUNNEL between 2 points, and extend the Area 0 to

the other end of the tunnel. To configure it, do on BOTH ENDS of the tunnel:

Step 1. Create a Tunnel Interface and assign the IP Address

(config)#int tunnel 1

(config-if)#ip add 172.25.185.3 255.255.255.0

Step 2. Define the SOURCE and the DESTINATION of the tunnel. MAKE SURE THESE ARE REACHABLE, and reachable via a route that does not itself point into the tunnel, otherwise the tunnel flaps (recursive routing). GRE adds no authentication or encryption of its own, so on an untrusted transport enable OSPF authentication on the tunnel interface (or protect the tunnel with IPsec).

(config-if)#tunnel source 100.10.34.3

(config-if)#tunnel destination 100.10.34.4

If we are using OSPF then the Tunnel subnet needs to be advertised with the "network" command on both ends of tunnel:

(config-router)#network 172.25.185.0 0.0.0.255 area 0

*The IP Address of the Tunnel MUST be advertised into Area 0 on BOTH ENDS OF TUNNEL!!!

You will see that the OSPF Neighbor will be formed on the Tunnel 1 interface.

#show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface

3.3.3.3 0 FULL/ - 00:00:38 172.25.185.3 Tunnel1

3.3.3.3 0 FULL/ - 00:00:38 100.10.34.3 Serial1/0.43

5.5.5.5 1 FULL/DR 00:00:38 100.10.45.5 GigabitEthernet5/12

____________________________________________________________________________________________________________________

OSPF LSA Types and AREA TYPES ____________________________________________________________________________________________________________________

First let’s make sure we're comfortable with the LSA types, because you will not understand Stubs before you understand all the LSAs and who

exactly CREATES and ADVERTISES each type. LSA is the OSPF Link State Advertisement; Each LSA has a LSID (Link State ID, like Router-ID for the

LSAs)

LSA 1 - Router LSA, One per Router (Generated by Each Router)

LSA 2 - Network LSA, One per Network (Generated by DR)

LSA 3 - Summary LSA, generated by the ABR for each inter-area network it injects into an area (built from the LSA 1 and 2 information of the other areas).

LSA3 = Subnet + Mask + Cost to reach the Network

LSA 4 - ASBR Summary LSA, generated by the ABR (NOT the ASBR) to tell the other areas how to reach an ASBR; the Link State ID is the Router ID of the ASBR.

LSA 5 - External LSA, networks injected into OSPF from another routing process (non-OSPF), generated by the ASBR and flooded through all non-stub areas.

LSA 6 - Group Membership LSA, used for Multicast OSPF (MOSPF). It’s not supported by Cisco

Cisco routers do not support LSA Type 6 Multicast OSPF (MOSPF), and they generate syslog messages if they receive such packets. If the router

is receiving many MOSPF packets, you might want to configure the router to ignore the packets and thus prevent a large number of syslog

messages. To disable SYSLOG generation (IGNORE LSA Type-6):

(config-router)#ignore lsa mospf

LSA 7 - NSSA External, Generated by ASBR inside the NSSA instead of LSA 5 (details explained below, NSSA Section)


LSA 8 - External Attributes LSA, not implemented by Cisco. LSA 9, 10, 11 - Opaque LSAs (link-local, area and AS flooding scope), used by IOS for extensions such as MPLS Traffic Engineering

Check the LSA Statistics using the command:

(config-router)#do show ip ospf stat

OSPF Router with ID (3.3.3.3) (Process ID 1)

Area 0: SPF algorithm executed 4 times

Summary OSPF SPF statistic

SPF calculation time

Delta T Intra D-Intra Summ D-Summ Ext D-Ext Total Reason

00:22:26 0 0 0 0 0 0 0 R

00:22:16 0 0 0 0 0 0 0 R

00:21:47 0 0 0 0 0 0 0 R, N, SN

00:20:01 0 0 0 0 0 0 0 R, SN

Check the OSPF DATABASE and all the LSAs currently in it:

#show ip ospf database

OSPF Router with ID (3.3.3.3) (Process ID 1)

Router Link States (Area 0) <- LSA1

Link ID ADV Router Age Seq# Checksum Link count

2.2.2.2 2.2.2.2 79 0x80000003 0x000E94 2

3.3.3.3 3.3.3.3 78 0x80000007 0x006F2C 4

4.4.4.4 4.4.4.4 52 0x80000004 0x007781 3

Net Link States (Area 0) <- LSA2

Link ID ADV Router Age Seq# Checksum

10.1.23.3 3.3.3.3 78 0x80000001 0x00658F

Summary Net Link States (Area 0) <- LSA3

Link ID ADV Router Age Seq# Checksum

1.1.1.0 2.2.2.2 124 0x80000002 0x00B33C

2.2.2.0 2.2.2.2 124 0x80000002 0x000D20

10.1.12.0 2.2.2.2 124 0x80000002 0x00BA22

10.1.45.0 4.4.4.4 43 0x80000001 0x00F5F4

44.4.4.0 4.4.4.4 43 0x80000001 0x008077

Router Link States (Area 1) <- LSA1

Link ID ADV Router Age Seq# Checksum Link count

3.3.3.3 3.3.3.3 89 0x80000007 0x00AC78 0

Router Link States (Area 2) <- LSA1

Link ID ADV Router Age Seq# Checksum Link count

3.3.3.3 3.3.3.3 90 0x80000006 0x00AE77 0

To LIMIT the LSAs that can be STORED IN THE LOCAL DATABASE:

(config-router)#max-lsa 900 ?

<1-100> Threshold value (%) at which to generate a warning msg

ignore-count maximum number of times adjacencies can be suppressed

ignore-time time during which all adjacencies are suppressed

reset-time time after which ignore-count is reset to zero

warning-only Only give warning message when limit is exceeded

<cr>


____________________________________________________________________________________________________________________

OSPF STUBS ____________________________________________________________________________________________________________________

STUB Area - The ABR does not flood the OSPF External Routes (LSA4 and LSA5) into the area; instead it injects a DEFAULT ROUTE (as an LSA3) so the stub routers can still reach them.

Totally-Stubby Area is a STUB Area, with no LSA3 (Summary LSAs originated by the ABR). ABR generates a DEFAULT ROUTE and advertises it

into the Totally Stubby area. The "no-summary" attribute is ONLY necessary on ABR, because the ABR is the only router that actually originates

the LSA 3.

NSSA Area - Like a STUB (no LSA4&5 from the ABR), but REDISTRIBUTION is allowed inside the NSSA, using the LSA7. The ASBR in the NSSA generates the LSA

type 7 instead of LSA 5 because the LSA 5 is not allowed in an NSSA. Inside the NSSA these routes are shown as "N1 or N2" in the routing table; the ABR translates the LSA 7 into an LSA 5 when it floods it out of the NSSA into the

regular OSPF Areas, where it appears as E1/E2:

(config-router)#do sh ip route | i E1|E2|N

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

O N2 11.1.0.0 [110/20] via 10.1.12.1, 00:01:27, Serial1/0.21

O N2 11.1.1.0 [110/20] via 10.1.12.1, 00:01:27, Serial1/0.21

O N2 11.1.2.0 [110/20] via 10.1.12.1, 00:01:27, Serial1/0.21

O N2 11.1.3.0 [110/20] via 10.1.12.1, 00:01:27, Serial1/0.21

When you need the ABR to also inject the DEFAULT ROUTE, use on the ABR:

(config-router)#area X nssa default-information-originate

*Default Route will be injected as N2 route, as in NSSA the LSA5 is not allowed

**When it’s a "Totally Stubby NSSA" ("area X nssa no-summary") there is no need for this, because "no-summary" ALWAYS generates a default route (as an LSA3)!

NSSA Totally Stubby Area (sometimes called "Not-So-Totally-Stubby") - NSSA without LSA3, which ALSO originates the default route by default

IMPORTANT: Stubby Areas DO NOT SUPPORT VIRTUAL LINKS!!! The only way to solve this is the Tunnel

No LSA 5 (E1 and E2) advertised on ABRs. ABR Injects the DEFAULT ROUTE (with Cost 1) to Stub Area, to reach external routes. You cannot use

a Virtual Link here, but GRE Tunnel is an option. STUB Area cannot contain an ASBR, because if it does – it’s considered a NSSA. Backbone Area

cannot be a STUB. To configure an area as a Stub, configure on ALL ROUTERS in an Area:

(config-router)#area X stub

When you apply STUB configuration on 1 router within an AREA, the Neighbor goes down. Then apply it on the others, and observe the

ADJACENCY DEBUG:

319: OSPF: Rcv DBD from 2.2.2.2 on Serial1/0.12 seq 0x1001 opt0x50 flag 0x7 len 32 mtu 1500 state INIT

319: OSPF: 2 Way Communication to 2.2.2.2 on Serial1/0.12, state 2WAY

319: OSPF: Serial1/0.12 Nbr 2.2.2.2: Prepare dbase exchange

319: OSPF: Send DBD to 2.2.2.2 on Serial1/0.12 seq 0x1000 opt 0x50 flag 0x7 len 32

319: OSPF: NBR Negotiation Done. We are the SLAVE

319: OSPF: Serial1/0.12 Nbr 2.2.2.2: Summary list built, size 12

319: OSPF: Send DBD to 2.2.2.2 on Serial1/0.12 seq 0x1001 opt 0x50 flag 0x2 len 272

515: OSPF: Rcv DBD from 2.2.2.2 on Serial1/0.12 seq 0x1002 opt0x50 flag 0x1 len 272 mtu 1500 state EXCHANGE

515: OSPF: Exchange Done with 2.2.2.2 on Serial1/0.12

515: OSPF: Send LS REQ to 2.2.2.2 length 120 LSA count 10

515: OSPF: Send DBD to 2.2.2.2 on Serial1/0.12 seq 0x1002 opt 0x50 flag 0x0 len 32

735: OSPF: Rcv LS UPD from 2.2.2.2 on Serial1/0.12 length 328 LSA count 10

735: OSPF: Synchronized with 2.2.2.2 on Serial1/0.12, state FULL

735: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on Serial1/0.12 from LOADING to FULL, Loading Done

735: OSPF: Rcv LS REQ from 2.2.2.2 on Serial1/0.12 length 60 LSA count 3

*Oct 5 11:04:08.235: OSPF: Build router LSA for area 1, router ID 1.1.1.1, seq0x80000005, process 1

#undebug all <- can be abbreviated "u all"

All possible debugging has been turned off

If you need to change the cost of the DEFAULT ROUTE Injected by default by ABR into the STUB Area:

(config-router)#area X default-cost 10 <- Change COST from 1 (default) to 10


____________________________________________________________________________________________________________________

OSPF Route Filtering ____________________________________________________________________________________________________________________

1. DISTRIBUTE LIST - "distribute-list ... in" removes routes from the local ROUTING TABLE only; the LSAs stay in the OSPF Database and are still flooded. You can use IN or OUT, but have in

mind that "distribute-list OUT" (which does affect what is advertised, database included) ONLY works on an ASBR, for the redistributed routes, LSA5 and

7!!! The easiest way to keep OSPF routes out of the Routing Table is the distribute-list IN. A DISTRIBUTE-LIST only affects the local

router!!! Meaning - the Update will still be flooded to the other routers; the subnets are only filtered out of the local IP ROUTING TABLE.

The advantage is that it's rather easy to implement, and it can filter routes coming from any type of LSA:

(config-router)#distribute-list prefix MY_PREFIX_LIST in <-OUT would only work on ASBR TO FILTER LSA5 & LSA7

The big CON is that even though the Route is not added to the Routing Table - it stays in the database, and it is further propagated to

the other OSPF Neighbors. The downstream routers therefore still install the route, but it is not reachable, as the filtering router along the

path does not have it in its Routing Table and black-holes the traffic.

The second way is reserved ONLY for the External Routes, and it's the "not-advertised" applied to the "summary-address" command:

(config-router)#summary-address 172.29.189.0 255.255.255.0 not-advertise <--- NEEDS TO BE APPLIED ON ASBR

2. FILTER LIST - Filters only LSA3, so - only on ABR, but filters from OSPF Database. Filter-list can be applied: IN - into the area, OUT - out of

the area. This ONLY works for LSA-3 (Summary), and therefore needs to be configured on the ABR only. Let’s say that we want to filter the

network 172.25.185.0/24 from the Area 2. Then on the ABR we define the prefix list that DENIES that network, and ALLOWS everything else

(config)#ip prefix-list JEDANES seq 10 deny 172.25.185.0/24

(config)#ip prefix-list JEDANES seq 20 permit 0.0.0.0/0 le 32

Then apply the prefix-list as a filter-list within a OSPF configuration process for Area 2:

(config-router)#area 2 filter-list prefix JEDANES in

This will prevent the network from being advertised as an LSA3 into Area 2. Note that IN/OUT is relative to AREA 2: "in" filters what is advertised into

the area, "out" what is advertised out of it. Also note that "deny 172.25.185.0/24" matches ONLY a /24: a more specific prefix from that range would still pass the "permit 0.0.0.0/0 le 32" entry, so add "le 32" to the deny when the whole range must be blocked.
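Because the filter-list, the distribute-list and the classful prefix-list at the start of this chapter all hinge on how a prefix-list entry matches, here is an added Python model of that evaluation (first match by sequence number wins, implicit deny at the end, and the ge/le rules: no keyword means the mask must equal the entry's length exactly, ge alone means ge..32, le alone means len..le). It is example code written for these notes, not anything from IOS; the CLASSFUL and JEDANES lists are the ones on this page, JEDANES_STRICT and the function names are constructed to show the "deny only matches the exact /24" caveat.

```python
"""ip prefix-list matching as IOS evaluates it, modelled in Python."""
from ipaddress import IPv4Network
from typing import NamedTuple, Optional


class Entry(NamedTuple):
    seq: int
    action: str            # "permit" or "deny"
    prefix: IPv4Network    # the A.B.C.D/len part of the entry
    ge: Optional[int] = None
    le: Optional[int] = None


def parse_entry(line: str) -> Entry:
    """Parse one 'ip prefix-list NAME seq N permit|deny A.B.C.D/L [ge X] [le Y]' line."""
    tok = line.split()
    i = tok.index("seq")
    seq, action = int(tok[i + 1]), tok[i + 2]
    prefix = IPv4Network(tok[i + 3], strict=False)
    ge = le = None
    opts = tok[i + 4:]
    for k in range(0, len(opts), 2):
        if opts[k] == "ge":
            ge = int(opts[k + 1])
        elif opts[k] == "le":
            le = int(opts[k + 1])
    return Entry(seq, action, prefix, ge, le)


def entry_matches(e: Entry, route: IPv4Network) -> bool:
    """An entry matches when the route's first `len` bits equal the entry's
    network AND the route's mask length is inside the allowed range:
    exactly `len` with no keyword, ge..32 with only ge, len..le with only le."""
    plen = e.prefix.prefixlen
    lo = e.ge if e.ge is not None else plen
    hi = e.le if e.le is not None else (32 if e.ge is not None else plen)
    if not lo <= route.prefixlen <= hi:
        return False
    return route.network_address in e.prefix   # compares only the entry's `len` leading bits


def evaluate(entries, route: str):
    """First matching entry (by sequence number) wins; no match is an implicit deny.
    Returns (action, seq) with seq None for the implicit deny."""
    target = IPv4Network(route, strict=False)
    for e in sorted(entries, key=lambda x: x.seq):
        if entry_matches(e, target):
            return e.action, e.seq
    return "deny", None


# The classful list from the start of the chapter (class A/B/C by leading bits and mask).
CLASSFUL = [parse_entry(l) for l in (
    "ip prefix-list CLASSFUL seq 5 permit 0.0.0.0/1 ge 8 le 8",
    "ip prefix-list CLASSFUL seq 10 permit 128.0.0.0/2 ge 16 le 16",
    "ip prefix-list CLASSFUL seq 15 permit 192.0.0.0/3 ge 24 le 24",
)]
# The JEDANES filter-list from this section, as written.
JEDANES = [parse_entry(l) for l in (
    "ip prefix-list JEDANES seq 10 deny 172.25.185.0/24",
    "ip prefix-list JEDANES seq 20 permit 0.0.0.0/0 le 32",
)]
# Constructed fix: the deny now also catches more-specific subnets of the /24.
JEDANES_STRICT = [parse_entry("ip prefix-list JEDANES seq 10 deny 172.25.185.0/24 le 32")] + JEDANES[1:]
```

Run evaluate(JEDANES, "172.25.185.128/25") and you get ("permit", 20): the deny entry requires exactly a /24, so a /25 from the same range slips through the permit-all, which is the usual way a "filtered" network reappears in another area. JEDANES_STRICT returns ("deny", 10) for it.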

3. NOT-ADVERTISE - On the ABR, "area X range ... not-advertise" suppresses the LSA3 that would carry the intra-area (LSA Types 1 and 2) information of

area X, so the prefix disappears from both the routing table and the OSPF Database of the OTHER areas. The same keyword works on the ASBR with "summary-address" for the

external routes (see above). So, to filter routes that exist as LSAs 1 and 2, use "not-advertise" in the range command, and ONLY ON THE ABR:

(config-router)#area 1 range 172.25.182.0 255.255.255.0 not-advertise

4. Tune the ADMINISTRATIVE DISTANCE - Set the AD of the routes learned from a given advertising Router-ID to 255; routes with AD 255 are never installed in the routing table (the LSAs stay in the database)

(config-router)#distance 255 3.3.3.3 0.0.0.0 10 <- 10 is an ACL, it's OPTIONAL

5. DATABASE-FILTER - If you want to prevent ANY LSAs from being advertised (can be applied per neighbor or on INT):

(config-subif)#ip ospf database-filter all out <- PER INTERFACE

(config-router)#neighbor x.x.x.x database-filter all out <- PER NEIGHBOR

6. MATCH IP ROUTE-SOURCE in the Route-map - In OSPF it's not the NEXT HOP but the ORIGINATOR Router-ID of the PREFIX

(config-route-map)#match ip route-source 4 <- ACL 4 includes the Router-ID

Also the SOURCE PROTOCOL can be matched:

(config-route-map)#match source-protocol ?

bgp Border Gateway Protocol (BGP)

connected Connected

eigrp Enhanced Interior Gateway Routing Protocol (EIGRP)

isis ISO IS-IS

mobile Mobile routes

ospf Open Shortest Path First (OSPF)

rip Routing Information Protocol (RIP)

static Static routes

<cr>


Be sure which type of LSA you need to filter by checking in which part of the database the route is:

#show ip ospf database [router | network | summary | asbr-summary | external | nssa-external]

*If you need to reach the route without passing through the router that cannot reach it - define a route-map with the next hop pointing

towards an alternative path, and apply it in the Global Configuration mode. Local policy only affects the traffic the router itself generates; transit traffic needs "ip policy route-map" on the ingress interface:

(config)#ip local policy route-map ROUTE_MAP

7. Filter OSPF per Interface - If you wish to prevent LSAs to be sent via particular Interface:

(config-if)#ip ospf database-filter all out

* ALL and OUT are the only options, which means you cannot apply a specific filter on the OSPF interface

8. Filter OSPF per NEIGHBOR - Even though OSPF doesn't require that we manually configure the Neighbors, we do need to use the

"neighbor" command in order to configure the OSPF database filtering:

(config-router)#neighbor 5.5.5.5 database-filter all out

*The "neighbor ... database-filter" form is for POINT-TO-MULTIPOINT networks, where the neighbor command is meaningful (on the other types use the interface form above):

(config-if)#ip ospf network point-to-multipoint

____________________________________________________________________________________________________________________

OSPF Non-Broadcast Networks ____________________________________________________________________________________________________________________

To check the NEIGHBOR NETWORK TYPE, do the following command and check the column "State":

#sh ip ospf interface brief

Interface PID Area IP Address/Mask Cost State Nbrs F/C

Lo0 1 0 1.1.1.1/8 1 P2P 0/0

Se0/1/0.14 1 2 10.1.12.1/24 64 P2P 1/1

Se0/1/0.13 1 3 10.1.13.1/24 64 P2P 1/1

Se0/1/0.41 1 4 10.1.14.1/24 64 DR 1/1

On the Multipoint Frame-Relay network the default OSPF type is NON-BROADCAST. This means that the OSPF Neighbors will not be formed

like on the standard Broadcast Network Segment.

#show ip ospf inter s1/0

Serial1/0 is up, line protocol is up

Internet Address 10.1.1.1/24, Area 0

Process ID 1, Router ID 1.1.1.1, Network Type NON_BROADCAST, Cost: 64

Topology-MTID Cost Disabled Shutdown Topology Name

0 64 no no Base

...

So in order to establish the OSPF Neighbors we use the "neighbor" command under the OSPF process, which makes the router send its Hellos as

UNICAST to that address instead of MULTICAST:

(config-router)#neighbor 172.128.185.66

No need to keep "broadcast" on frame relay configuration if you use "neighbor" command, as only UNICAST is then used, so also do this:

(config-if)#frame-relay map ip 10.1.1.4 104 broadcast -> frame-relay map ip 10.1.1.4 104 (REMOVE "broadcast")

*In HUB-AND-SPOKE the Spokes have no Layer 2 reachability to each other, so a Spoke must never become DR or BDR (the other Spokes could not reach it). Set the

SPOKES' OSPF priority to 0 (or give them "priority 0" in the hub's neighbor statements), so that they don’t participate in the DR/BDR Election:

(config-if)#ip ospf priority 0

The HUB Router will be elected as DR on every Link and exchange OSPF Database with each of the Spokes:


#show ip ospf neighbor <--- R1 IS THE HUB

Neighbor ID Pri State Dead Time Address Interface

2.2.2.2 0 FULL/DROTHER 00:01:51 10.1.1.2 Serial1/0

3.3.3.3 0 FULL/DROTHER 00:01:51 10.1.1.3 Serial1/0

4.4.4.4 0 FULL/DROTHER 00:01:56 10.1.1.4 Serial1/0

*In this kind of OSPF Topology - it's not necessary to have the Frame-Relay interface configured with the "broadcast" keyword, because we are

manually defining the OSPF Neighbor and turning the Links into UNICASTS.

____________________________________________________________________________________________________________________

OSPF NBMA (Non Broadcast Multiple Access) Networks ____________________________________________________________________________________________________________________

Once the interface is defined as NON-BROADCAST, the "neighbor" command should be used to establish OSPF peering. First you need to

define the interface as a OSPF non-broadcast:

(config)#interface Serial0/1/0.14 point-to-point

(config-if)# ip ospf network non-broadcast

Then under the OSPF process define the neighbor.

(config-router)#neighbor 10.1.12.2 [priority 0] <- PRIORITY 0 if you want the other side to not be the DR

!!!BE SURE THE HELLO/DEAD TIMERS MATCH ON BOTH SIDE INTERFACES (non-broadcast defaults to 30/120, point-to-point to 10/40): a Hello with different timers is discarded, so the Routers will never

form the adjacency and never exchange routes!!!

#sh ip ospf int s0/1/0.14 | i Hello|Network

Process ID 1, Router ID 1.1.1.1, Network Type POINT_TO_POINT, Cost: 64

Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5

Hello due in 00:00:05

Also the AREA ID, the Area STUB FLAG (area type: Normal, Backbone, Stub or NSSA), the subnet mask (on broadcast and NBMA types) and the authentication type and key must match on both sides

____________________________________________________________________________________________________________________

OSPF BROADCAST vs. POINT-TO-POINT vs. POINT-TO-MULTIPOINT Networks ____________________________________________________________________________________________________________________

If you wish to convert the previous network into the Broadcast Network, the following command needs to be applied:

(config-if)#ip ospf network broadcast

In HUB AND SPOKE topology you want to AVOID the SPOKE being elected as the DR, so set the OSPF priority to 0:

(config-if)#ip ospf priority 0 <- ON ALL THE SPOKE Routers

A router with a router priority set to zero is ineligible to become the DR or BDR. Set it on the Spokes BEFORE the adjacencies come up, because the DR election is

not preemptive: a Spoke that already won stays DR until we clear the OSPF process. Then check on the HUB router, and make sure all SPOKEs appear as DROTHERs:

#sh ip ospf nei

Neighbor ID Pri State Dead Time Address Interface

2.2.2.2 0 FULL/DROTHER 00:00:32 10.1.1.2 Serial1/0

3.3.3.3 0 FULL/DROTHER 00:00:38 10.1.1.3 Serial1/0

4.4.4.4 0 FULL/DROTHER 00:00:33 10.1.1.4 Serial1/0

And in case it needs to be Point-to-Point:

(config-if)#ip ospf network point-to-point


The main difference here is the NEXT HOP of the routes learned across the cloud:

BROADCAST: Next Hop is the router that ORIGINATED the Route (the other Spoke's address), so in Hub-and-Spoke a Spoke would have to reach another Spoke directly, which it cannot at Layer 2

POINT-TO-POINT: Next Hop is the router that ADVERTISED the Route (the directly connected neighbor)

POINT-TO-MULTIPOINT: Next Hop is also the directly connected neighbor; in addition every router advertises a /32 host route for each of its neighbors, so Spoke-to-Spoke

reachability works via the HUB from the L3 perspective.

____________________________________________________________________________________________________________________

DNS Lookup in OSPF ____________________________________________________________________________________________________________________

Enable OSPF to lookup the names:

(config)#ip ospf name-lookup

And define the NAME-IP correlation:

(config)#ip host R5 5.5.5.5

____________________________________________________________________________________________________________________

ISPF ____________________________________________________________________________________________________________________

Incremental SPF is more efficient than the full SPF algorithm, thereby allowing OSPF to converge faster on a new routing topology in reaction to a network event.

____________________________________________________________________________________________________________________

Forward Address Suppression ____________________________________________________________________________________________________________________

The aim is to SUPPRESS the address of the router that originated the Prefix. When the area is NSSA and you want to CONTROL the remap process of the LSA7 to LSA5, but use 0.0.0.0 as the forwarding address instead of the one specified in the LSA7:

(config-router)#area 1 nssa translate type7 suppress-fa ?

default-information-originate Originate Type 7 default into NSSA area

no-redistribution No redistribution into this NSSA area

no-summary Do not send summary LSA into NSSA

<cr>

Before the command has been applied the external (LSA5) subnet within the area 0 is seen as:

#sh ip ospf database external 6.0.0.0

OSPF Router with ID (1.1.1.1) (Process ID 1)

Type-5 AS External Link States

LS age: 557

Options: (No TOS-capability, DC)

LS Type: AS External Link

Link State ID: 6.0.0.0 (External Network Number )

Advertising Router: 3.3.3.3

LS Seq Number: 80000003

Checksum: 0x1286

Length: 36

Network Mask: /8

Metric Type: 2 (Larger than any link state path)

MTID: 0

Metric: 20

Forward Address: 200.1.36.6

External Route Tag: 0


While after the command has been implemented, we have:

#sh ip ospf database external 6.0.0.0

OSPF Router with ID (1.1.1.1) (Process ID 1)

Type-5 AS External Link States

Routing Bit Set on this LSA in topology Base with MTID 0

LS age: 41

Options: (No TOS-capability, DC)

LS Type: AS External Link

Link State ID: 6.0.0.0 (External Network Number )

Advertising Router: 3.3.3.3

LS Seq Number: 80000004

Checksum: 0x3952

Length: 36

Network Mask: /8

Metric Type: 2 (Larger than any link state path)

MTID: 0

Metric: 20

Forward Address: 0.0.0.0 <- THE FORWARD ADDRESS HAD CHANGED

External Route Tag: 0

If you add "no-summary" to this command, LSA3s are filtered, and the default route is advertised instead. You can use a similar approach to NOT ADVERTISE THE SPECIFIC PREFIXES into the NSSA, but advertise only the default route on the ABR. In this example Area 1 is NSSA:

(config-router)#area 1 nssa default-information-originate no-summary

Area 1 (NSSA Area) will learn the Default Route as the LSA7 (N2):

#sh ip route

...

Gateway of last resort is 205.1.36.3 to network 0.0.0.0

O*N2 0.0.0.0/0 [110/1] via 205.1.36.3, 00:05:21, Serial1/0.63

1.0.0.0/32 is subnetted, 1 subnets

The Default Route will be injected into that area regardless of whether you're using the "nssa default-information-originate" or the "nssa no-summary" command in the OSPF Area. The difference is the route type:

NSSA NO-SUMMARY

Gateway of last resort is 10.1.34.3 to network 0.0.0.0

O*IA 0.0.0.0/0 [110/65] via 10.1.34.3, 00:04:22, Serial1/0.43

NSSA DEFAULT-INFORMATION-ORIGINATE

Gateway of last resort is 10.1.35.3 to network 0.0.0.0

O*N2 0.0.0.0/0 [110/1] via 10.1.35.3, 00:00:22, Serial1/0.53

1.0.0.0/32 is subnetted, 1 subnets

____________________________________________________________________________________________________________________

OSPF Sham Link ____________________________________________________________________________________________________________________

In an MPLS VPN configuration, when there are 2 ways for the CE routers to communicate:

1. over the PEs and the MPLS link

2. over the OSPF link

*It is assumed that the Customer CEs and the PEs have OSPF implemented between them.


OSPF will always be preferred, simply because nothing beats the INTERNAL (Intra Area) OSPF route (O). Regardless of the COST and the AD, E1/E2 and O IA (Inter-Area) Routes will never be preferred.

The way to solve this is using the SHAM links, that have been designed specifically for such a scenario. Namely the LINK is created between the PE routers, so that ALL the OSPF Prefixes appear as INTERNAL OSPF routes on the CE routers, and then we can just influence the preferred path using the OSPF COST on the Interface.

STEP 1: Create /32 Loopback Interfaces to the PE routers, and add them into the appropriate VRF:

PE1:

(config)#interface Loopback1

(config-if)#ip vrf forwarding CA

(config-if)#ip address 192.168.1.1 255.255.255.255

PE2:

(config)#interface Loopback1

(config-if)#ip vrf forwarding CA

(config-if)#ip address 192.168.1.2 255.255.255.255

STEP 2: Advertise these networks via the BGP process in the PEs, so that they are reachable (on PE2 use 192.168.1.2):

(config-router)#address-family ipv4 vrf CA

(config-router-af)#redistribute ospf 15 vrf CA

(config-router-af)#network 192.168.1.1 mask 255.255.255.255

STEP 3: Create the OSPF SHAM-LINK between the PE Routers, with the Loopback1 /32 addresses as SOURCE and DESTINATION (these should already be reachable via BGP). Make sure that a new OSPF adjacency appears between the PEs:

(config)#router ospf 15 vrf CA

(config-router)#area 0 sham-link 192.168.1.1 192.168.1.2 cost 1

*Dec 20 11:59:28.206: %OSPF-5-ADJCHG: Process 15, Nbr 10.1.45.4 on OSPF_SL2 from LOADING to FULL, Loading Done

TIP: Filter these Loopbacks from the CUSTOMER'S network, so that the Tunnel which is the Sham Link isn't routed through the Customer's routers.

STEP 4: The LAST step is now to tune the OSPF COST on the link between the CEs, so that it would be LESS PREFERRED:

(config-if)#ip ospf cost 500

____________________________________________________________________________________________________________________

OSPF in MPLS ____________________________________________________________________________________________________________________

TIP: Be sure to set the domain-id to match (the default domain-id is based on the OSPF Process Number):

(config)#router ospf 1 vrf VRF_XXX

(config-router)#domain-id 55.55.55.55

*this way the LSA Type 3 will be translated properly


____________________________________________________________________________________________________________________

EIGRP ____________________________________________________________________________________________________________________

EIGRP uses the IP Protocol 88 (doesn't use specific TCP or UDP port), HELLOs - Multicast to 224.0.0.10

TIP: When you need to FILTER EIGRP, you can do "permit eigrp any any" within the extended ACL

TIP: "default-information [ in|out ]" in EIGRP does NOT generate the Default Route, it only allows it to be sent to the neighbor or received, if it already exists.

The EIGRP timers are configured on the interface towards the EIGRP neighbor. Set the Hello timer and the HOLD Time (which is actually the Dead Timer) for the EIGRP 100 process:

(config-if)#ip hello-interval eigrp 100 30

(config-if)#ip hold-time eigrp 100 120

Check the configured Timers using the command:

#show ip eigrp interfaces detail
EIGRP-IPv4 Interfaces for AS(200)
                        Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Et0/0                1        0/0      12       0/2           80           0
  Hello-interval is 30, Hold-time is 120 <--- TIMERS VALUES
  Split-horizon is enabled
  Next xmit serial <none>
  Un/reliable mcasts: 0/2  Un/reliable ucasts: 1/6
  Mcast exceptions: 2  CR packets: 0  ACKs suppressed: 1
  Retransmissions sent: 0  Out-of-sequence rcvd: 0
  Topology-ids on interface - 0
  Authentication mode is not set

____________________________________________________________________________________________________________________

EIGRP "show neighbors" command ____________________________________________________________________________________________________________________

#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(100)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
0   10.1.12.2               Se1/0.12                115 00:10:04   26   200  0  32

How to interpret this output:

H - The order in which the neighbors were formed, starting from 0

Address - The neighbor's IP

Interface - From where we see the Neighbor

Hold - How long we have left before we declare the neighbor down (if no Hello is received)

Uptime - How long since we first found out about the neighbor

SRTT - Smooth Round Trip Time - the time required for an EIGRP packet to reach the neighbor and receive the ACK

RTO - Retransmission Time-Out - how long before the packet is re-transmitted

Q Cnt - Number of packets in the EIGRP queue

Seq Num - Sequence Number of the last received EIGRP packet


If you want to disable the logging of neighbor changes:

(config-router)#no eigrp log-neighbor-changes OR log-neighbor-warnings

Once it's enabled/disabled, define the TIMES for WARNINGS only:

(config-router)#eigrp log-neighbor-warnings X (X is seconds)

____________________________________________________________________________________________________________________

EIGRP Metric - K Values ____________________________________________________________________________________________________________________

5 K-Values are used to calculate the EIGRP Metric. It's pretty important to know at least which K value is which:

K1 - Bandwidth

K2 - Load

K3 - Delay

K4 - Reliability

K5 - Reliability

Metric = (K1*BW + (K2*BW)/(256-Load) + K3*Delay) * 256

Explained a little better: Metric = (10,000,000/LowestPathBW + Sum of all DELAYS/10)*256

By default K2 = K4 = K5 = 0, so the Metric depends on the Bandwidth and Delay only. To check the parameters on the interface:

#show interfaces e0/0 | i BW

MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec

If you need the EIGRP Metric to depend on some other values the command is (ToS should be left 0):

(config-router)#metric weight tos k1 k2 k3 k4 k5

BE CAREFUL when you change this BECAUSE THE K VALUES NEED TO MATCH BETWEEN THE EIGRP NEIGHBORS!!! The following MUST match in order for 2 routers to become EIGRP adjacent:

K values

AS numbers

They must share the same L2 data link

Authentication


____________________________________________________________________________________________________________________

EIGRP Route Summarization and Leak Maps ____________________________________________________________________________________________________________________

EIGRP route Summarization is done exactly the same as RIP Summarization, which makes sense because both protocols have a Distance Vector nature. It can also be done on ANY of the routers within the same EIGRP process, unlike the Link State protocols. It's done on the Interface using the command:

(config-if)#ip summary-address eigrp 100 3.0.0.0 255.0.0.0

And don't be afraid when you see the following message:

*Apr 27 12:53:32.203: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.1.12.1 (Serial1/0) is resync: summary configured

The summary route pointing to the Null0 Interface is created automatically. So don't worry, because EIGRP adds this "discard route" for Loop Avoidance.

Check if "it worked":

#show ip route | i summ

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

D 3.0.0.0/8 is a summary, 00:02:52, Null0

If you wish to have greater granular control, the solution present since 12.3(13) is the LEAK MAP (it's something like the SUPPRESS Maps in BGP, but it cannot be used under a SUB-Interface). If the Leak Map is configured, and it references a non-existing Route Map - the summary route is advertised and the more specific routes are suppressed. If the Route Map however exists, and references a non-existing ACCESS LIST - both the summary route and the more specific routes are advertised. If the Access List also exists - it lets us define the routes that will be advertised IN ADDITION to the Summarized Route! To configure the Leak Map just attach a route-map to the "eigrp summary" command:

(config-if)#ip summary-address eigrp 100 2.2.4.0 255.255.252.0 leak-map ROUTE_MAP

SUB-INTERFACE LEAK MAPS: Since the LEAK Maps are not available on the SUB-interface, there is a workaround, and it's done using the VIRTUAL TEMPLATE Interface. We would then configure the Route Summarization and a Leak Map under it:

(config)#interface Virtual-template 13

(config-if)#ip summary-address eigrp 100 2.2.4.0 255.255.252.0 leak-map ROUTE_MAP

And then under the SUB-Interface assign the Virtual Template (the SUB-INTERFACE needs to be of the MULTIPOINT TYPE, or this will not work):

(config-subif)#no ip address

(config-subif)#frame-relay interface-dlci 103 ppp Virtual-template 13

____________________________________________________________________________________________________________________

EIGRP Default Gateway ____________________________________________________________________________________________________________________

The command we all know from OSPF and BGP "default-information originate [always]" will not work in EIGRP. Instead we need to:

Option 1: Configure the static route and redistribute it into the EIGRP

Option 2: Summarize the routes into a Default Route using the previously described summarization method (a leak map is added if we wish to inject other routes besides the default route):

(config-if)#ip summary-address eigrp 100 0.0.0.0 0.0.0.0 [leak-map ROUTE_MAP]


____________________________________________________________________________________________________________________

VARIANCE Command ____________________________________________________________________________________________________________________

Variance is an EIGRP feature that enables UNEQUAL-cost load balancing. The only condition that needs to be met is that all the Paths need to be in the routing table and MEET THE FEASIBILITY CONDITION! (The route's ADVERTISED Distance must be lower than the local route's FEASIBLE Distance). It's configured in the EIGRP configuration mode:

(config-router)#variance 2

This means that it will include the routes with a metric value up to 2 times greater than the Best Route metric. If you need more GRANULAR control, or a more precise variance, get the METRIC from the EIGRP TOPOLOGY:

#show ip ei 400 topology 10.1.56.0/24 | i metric

Composite metric is (2195456/281600), route is Internal

Vector metric:

Composite metric is (319545/281600), route is Internal

Vector metric:

There are 2 routes, 1 with metric 2195456, and the other with metric 319545, and both meet the Feasibility Condition. To get the VARIANCE you need, divide them and round up to the BIGGER value:

2195456/319545 = 6.87 => Variance will be 7!
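As an added worked example (not from the original notes), the composite metric from the K-values section and the variance calculation above, in Python. The 1544 Kbit / 20000 usec and 10000 Kbit / 1000 usec interface values are assumptions; they reproduce the 2195456 and 281600 figures quoted in the topology output, and the next-hop addresses are constructed.

```python
import math
from dataclasses import dataclass

# Default K values: K1=1, K2=0, K3=1, K4=0, K5=0, i.e. bandwidth and delay only.
DEFAULT_K = (1, 0, 1, 0, 0)


def eigrp_metric(lowest_bw_kbps, delays_usec, k=DEFAULT_K, load=1, reliability=255):
    """Classic (32-bit) EIGRP composite metric for one path.

    lowest_bw_kbps: BW of the slowest link on the path ("BW 10000 Kbit" in show interfaces)
    delays_usec:    the DLY value of every outgoing interface along the path, in usec
    IOS does this with integer arithmetic: BW term = 10^7 // lowest BW, delay term = sum // 10.
    """
    k1, k2, k3, k4, k5 = k
    bw = 10_000_000 // lowest_bw_kbps
    delay = sum(delays_usec) // 10
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay
    if k5 != 0:
        # the reliability factor only takes part in the formula when K5 is non-zero
        metric = metric * k5 // (k4 + reliability)
    return metric * 256


@dataclass
class TopologyEntry:
    """One path as printed by 'show ip eigrp topology': (FD/RD)."""
    next_hop: str
    fd: int  # feasible distance: the metric as computed on this router
    rd: int  # reported (advertised) distance: the metric as seen by the next hop


def feasible_successors(successor, candidates):
    """Feasibility condition: a backup path's RD must be strictly lower than the
    successor's FD, which guarantees the backup cannot loop back through us."""
    return [c for c in candidates if c.rd < successor.fd]


def required_variance(successor, candidates):
    """Smallest 'variance N' that installs every feasible successor: each one
    needs its FD <= N * successor.fd, so take the worst ratio and round up."""
    feasible = feasible_successors(successor, candidates)
    if not feasible:
        return 1
    return math.ceil(max(c.fd for c in feasible) / successor.fd)


if __name__ == "__main__":
    # Assumed links: T1 serial (1544 Kbit, DLY 20000) followed by Ethernet (DLY 1000)
    # gives the 2195456 seen above; 10 Mbit Ethernet alone (DLY 1000) gives 281600.
    print(eigrp_metric(1544, [20000, 1000]), eigrp_metric(10000, [1000]))
    # Constructed next hops; the FD/RD pairs are the ones from the show output.
    best = TopologyEntry("10.1.56.5", fd=319545, rd=281600)
    backup = TopologyEntry("10.1.57.7", fd=2195456, rd=281600)
    print("variance needed:", required_variance(best, [backup]))  # 7
```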

____________________________________________________________________________________________________________________

EIGRP Authentication ____________________________________________________________________________________________________________________

Like in OSPF - the configuration is done in the Interface Configuration mode. Unlike OSPF - EIGRP supports only MD5 authentication. You need to set the mode to MD5, even though it's the default mode on most devices. This is an example of a Frame Relay P2P Interface and EIGRP authentication:

(config)#interface Serial4/1.25 point-to-point

(config-if)#ip authentication mode eigrp 100 md5

(config-if)#ip authentication key-chain eigrp 100 EIGRP_CHAIN

____________________________________________________________________________________________________________________

EIGRP: Maximum Hops ____________________________________________________________________________________________________________________

Another attribute that can be useful for controlling the routes is the "maximum-hops". To see each route's hop count:

#show ip route 172.28.185.0

Known via "eigrp 100", distance 90, metric 2297856, type internal

Redistributing via eigrp 100

Last update from 131.1.12.2 on Serial1/0.12, 00:13:47 ago

Routing Descriptor Blocks:

* 131.1.12.2, from 131.1.12.2, 00:13:47 ago, via Serial1/0.12

Route metric is 2297856, traffic share count is 1

Total delay is 25000 microseconds, minimum bandwidth is 1544 Kbit

Reliability 255/255, minimum MTU 1500 bytes

Loading 1/255, Hops 12 <-- 12 HOPS TO THIS ROUTE!!!

To change the Maximum number of Hops to, for example, 110 (it's 100 by Default):

(config-router)#metric maximum-hops 110

#show eigrp protocols | i hop

Maximum hopcount 110


____________________________________________________________________________________________________________________

EIGRP Administrative Distance ____________________________________________________________________________________________________________________

By default EIGRP has the following Administrative Distance values:

170 - External EIGRP Routes

90 - Internal EIGRP Routes

5 - EIGRP Summary Routes

You can make the AD of EIGRP External routes smaller if you need them not to be less preferred than, for example, OSPF, which has AD 110 for External routes:

(config-router)#distance eigrp 90 100

____________________________________________________________________________________________________________________

EIGRP Updates BW Percent ____________________________________________________________________________________________________________________

The default configuration for EIGRP is to use up to 50 percent of the available bandwidth, but this can be changed with the following command on the interface level:

(config-if)#ip bandwidth-percent eigrp 200 30

____________________________________________________________________________________________________________________

EIGRP Redistribute Routes into EIGRP ____________________________________________________________________________________________________________________

*YOU NEED TO DEFINE THE METRIC, either a DEFAULT one:

(config-router)#default-metric 1500 20000 255 1 1500

Or when configuring the redistribution:

(config-router)#redistribute static metric 150 20000 255 1 1500

____________________________________________________________________________________________________________________

EIGRP offset-list [metric adjustments] ____________________________________________________________________________________________________________________

The Offset List is used to INCREASE or DECREASE an EIGRP or RIP metric by the OFFSET value you define:

(config-router)#offset-list 3 in 50 s1/1 <- Match ACL 3, INCREASE the metric by 50 on routes learned on s1/1

____________________________________________________________________________________________________________________

EIGRP Stub ____________________________________________________________________________________________________________________

First a heads up - it's a bit complicated because there are just too many details... Subjective impression! The command is rather straightforward:

(config-router)#eigrp stub [connected | summary | static | receive-only | redistributed]

You can ALSO use LEAK-MAPS here, like in the SUMMARIZATION, to allow some subnets out (matched in route-map).

When the EIGRP process is configured as STUB on a router using the "stub connected" command:

(config-router)#eigrp stub connected


That Router will ONLY see the Summary (if configured), and also the Static and Redistributed routes (because the STUB doesn't affect the Router where it's configured). The EIGRP Neighbor(s) will NOT see the Summary, Static or Redistributed Routes, ONLY the specific routes, BECAUSE ONLY Connected Routes are advertised.

If however we use the "stub summary" command to configure the STUB:

(config-router)#eigrp stub summary

The router will keep the same EIGRP routes in the routing table. The EIGRP Neighbor(s) will ONLY see the Summary.

Now with the "stub static" or "stub redistributed":

(config-router)#eigrp stub [static | redistributed]

This router keeps behaving exactly the same, while the EIGRP Neighbors ONLY receive the Static OR Redistributed routes.

With the "stub receive-only":

(config-router)#eigrp stub receive-only

This router keeps behaving exactly the same, while the EIGRP Neighbors stop receiving ANY routes from the Router

And finally the "eigrp stub" command can be configured without any attributes, so just:

(config-router)#eigrp stub

in which case the EIGRP neighbors ONLY receive the Summary Route

____________________________________________________________________________________________________________________

MP-EIGRP ____________________________________________________________________________________________________________________

When configuring the ADDRESS FAMILY within the EIGRP process, the most important thing to have in mind is to DEFINE THE AS NUMBER AGAIN WITHIN THE AF CONFIGURATION, or the peering will not be established.

(config)#router eigrp 100

(config-router)#no auto-summary

!

(config-router)#address-family ipv4 vrf CA

(config-router-af)#network 4.4.4.4 0.0.0.0

(config-router-af)# network 10.1.45.4 0.0.0.0

(config-router-af)# no auto-summary

(config-router-af)#autonomous-system 200

____________________________________________________________________________________________________________________

EIGRP Route Filtering ____________________________________________________________________________________________________________________

EIGRP uses the DISTRIBUTE LIST to filter the prefixes, but there is also an advanced option - it can also filter on the PREFIX GATEWAYS (Originator IPs). So if you configure 2 PREFIX LISTS:

PREFIX-LIST NOT_R4 to filter OUT the updates ORIGINATED by 10.10.1.4:

(config)#ip prefix-list NOT_R4 deny 10.10.1.4/32 <- Deny updates from this neighbor

(config)#ip prefix-list NOT_R4 permit 0.0.0.0/0 le 32 <- Allow updates from everyone else

PREFIX-LIST ALLOW_ALL - which you can play with to filter some incoming PREFIXES:

(config)#ip prefix-list ALLOW_ALL permit 0.0.0.0/0 le 32

Apply the 1st PREFIX-LIST as the GATEWAY to the second PREFIX-LIST route filter:

(config-router)#distribute-list prefix ALLOW_ALL gateway NOT_R4 in


____________________________________________________________________________________________________________________

BGP TIPs and Best Practices ____________________________________________________________________________________________________________________

The first two things that are considered "BGP configuration best practice" are to disable SYNCHRONIZATION and disable Auto Summarization. Why?

Auto-summary - to enable the CLASSLESS BGP behavior

(config-router)#no auto-summary

Synchronization - it's an old loop prevention mechanism that is no longer used, so there is no need to have it enabled. In the newer versions of IOS it's disabled by default. It was originally created to prevent BLACK HOLE Advertising. Basically the SYNC Logic is: Do not consider an iBGP route in the BGP table BEST unless the EXACT PREFIX was learned via IGP and is currently in the routing table.

(config-router)#no synchronization

When adding a new NEIGHBOR, you need to specify their AS Number using the "remote-as":

(config-router)#neighbor 10.1.1.2 remote-as 100

Debug looks like this:

*Nov 23 12:34:55.223: BGP: 10.1.1.2 active OPEN has CAPABILITY code: 131, length 1

*Nov 23 12:34:55.223: BGP: 10.1.1.2 active OPEN has MULTISESSION capability, without grouping

*Nov 23 12:34:55.223: BGP: 10.1.1.2 active rcvd OPEN w/ optional parameter type 2 (Capability) len 6

*Nov 23 12:34:55.223: BGP: 10.1.1.2 active OPEN has CAPABILITY code: 65, length 4

*Nov 23 12:34:55.223: BGP: 10.1.1.2 active OPEN has 4-byte ASN CAP for: 100

*Nov 23 12:34:55.223: BGP: nbr global 10.1.1.2 neighbor does not have IPv4 MDT topology activated

*Nov 23 12:34:55.223: BGP: 10.1.1.2 active rcvd OPEN w/ remote AS 100, 4-byte remote AS 100

*Nov 23 12:34:55.223: BGP: 10.1.1.2 active went from OpenSent to OpenConfirm

*Nov 23 12:34:55.223: BGP: 10.1.1.2 active went from OpenConfirm to Established

*Nov 23 12:34:55.223: BGP: ses global 10.1.1.2 (0xAF0217D0:1) Up

*Nov 23 12:34:55.223: %BGP-5-ADJCHANGE: neighbor 10.1.1.2 Up

Once you've got the neighbors configured using the "neighbor" command, you should be able to identify the outputs:

(config-router)#do show ip bgp summary | b Neighbor
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
100.11.1.1      4   100       9       9        5    0    0 00:05:23        1
100.11.1.3      4   100       9       9        5    0    0 00:05:12        1
100.11.1.4      4   100       8       8        5    0    0 00:04:57        1

(config-router)#do show ip bgp
BGP table version is 5, local router ID is 192.168.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>i1.0.0.0          10.1.1.1                 0    100      0 i
*> 2.0.0.0          0.0.0.0                  0         32768 i
*>i4.0.0.0          10.1.1.4                 0    100      0 i

* - The entry in the table is valid

> - It's the BEST entry for that prefix

i - learned via iBGP

Network - prefix entry, mask is assumed

Next Hop - Next Hop IP (if it's 0.0.0.0 - it's a locally originated prefix)

Metric - MED Attribute

LocPrf - Local Preference, HIGHER IS BETTER, and default is 100. It can be changed by "bgp default local-preference"

Weight - No.1 Attribute for Path Determination, LOCAL will have 32768, Originated by NEIGHBOR will have 0

Path - iBGP will have "i", and eBGP will have all BGP AS Numbers you need to traverse to get to the prefix (max 255)


(config-router)#do show ip bgp <- CASE OF ONLY eBGP ROUTES
BGP table version is 5, local router ID is 192.168.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*  1.0.0.0          10.1.1.1                                 0 300 100 i
*                   10.1.1.1                                 0 200 100 i
*>                  10.1.1.1                 0             0 100 i
*  2.0.0.0          10.1.1.2                                 0 100 200 i
*                   10.1.1.2                                 0 300 200 i
*>                  10.1.1.2                 0             0 200 i
*> 3.0.0.0          10.1.1.3                 0             0 300 i
*> 4.0.0.0          0.0.0.0                  0         32768 i

Notice that the PATH is no longer marked as "i" for iBGP, but it shows the entire AS-PATH now (the list of all the BGP Autonomous Systems the route needs to pass in order to reach the prefix).

Also Local Preference is no longer marked as 100 (the default for iBGP).

MED is 0 or BLANK. MED is set to 0 when the prefix is advertised by the originating AS, but when the SAME prefix is advertised by another AS, then the MED value is removed.

If you are peering eBGP using the LOOPBACKS, don't forget to use the "ebgp-multihop" command!!!

From Cisco Docs: By design, a BGP routing process expects eBGP peers to be directly connected, for example, over a WAN connection. However, there are many real-world scenarios where this rule would prevent routing from occurring. Peering sessions for multihop neighbors are configured with the neighbor ebgp-multihop command:

(config-router)#neighbor 2.2.2.2 ebgp-multihop 2

ALTERNATIVE TO MULTIHOP:

If loopback interfaces are used to connect single-hop eBGP peers, you need to configure the "neighbor disable-connected-check" command before you can establish the eBGP peering session:

(config-router)#neighbor 10.1.12.1 disable-connected-check <-DISABLES CONNECTION VERIFICATION

When you do NOT want the prefixes to be removed from the BGP table immediately when the neighbor's link goes down, disable fast external fallover:

(config-router)#no bgp fast-external-fallover

When you want to advertise the prefixes and HIDE THE LOCAL AS number:

(config-router)#neighbor 10.1.45.5 remove-private-as

SECURITY in BGP can also be provided by the TTL check, but it's considered LIGHT security. It's done by DEFINING THE MAXIMAL TTL on the received routes; let's say we want to define max 2 hops:

(config-router)#neighbor 10.1.45.5 ttl-security hops 2

Also the MAXIMUM AS NUMBER can be defined, so that routes that go through more than 10 ASs are rejected:

(config-router)#bgp maxas-limit 20

To CHANGE the ADMINISTRATIVE DISTANCE (AD):

(config-router)#distance bgp 150 200 1 <- OTHER AS : LOCAL AS : LOCALLY ORIGINATED


OR to change the AD of the PREFIXES originated by the PARTICULAR NEIGHBOR:

(config-router)#distance 150 10.1.23.3 0.0.0.0 [ACL] <- ATTACH AN ACL TO CHOOSE THE PREFIXES TO APPLY THE AD

There is another BGP TUNING, when you want to ADVERTISE the prefix to the AS it was learned from (the SAME AS):

(AS 100)-->(AS 200)-->(AS 100)

On the EGRESS of AS 200 the route will not be advertised to AS 100 due to the LOOP PREVENTION mechanism. If you need to correct this on your network, there is the "allowas-in" command which relaxes this loop prevention. On the EDGE router of AS 100 towards AS 200 do:

(config-router)#neighbor 100.1.1.100 allowas-in <- WILL ALLOW THE PREFIXES WITH OUR OWN AS
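The neighbor-side checks covered above (ttl-security, maxas-limit, the AS-path loop check relaxed by allowas-in, and remove-private-as) modelled in Python as an added example; this is neither the notes' configuration nor IOS code, NeighborPolicy and check_update are this example's own names, and the TTL values and AS paths are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 6996 private AS ranges (16-bit and 32-bit).
PRIVATE_AS_RANGES = ((64512, 65534), (4200000000, 4294967294))


def is_private_as(asn: int) -> bool:
    return any(lo <= asn <= hi for lo, hi in PRIVATE_AS_RANGES)


@dataclass
class NeighborPolicy:
    """The per-neighbor knobs from the notes above (names are this example's own)."""
    local_as: int
    ttl_security_hops: Optional[int] = None  # neighbor X ttl-security hops N
    maxas_limit: Optional[int] = None        # bgp maxas-limit N
    allowas_in: int = 0                      # neighbor X allowas-in [N]; 0 = off


def gtsm_accepts(ttl: int, hops: int) -> bool:
    """ttl-security (GTSM, RFC 5082). The peer sends with TTL 255, so a packet that
    really travelled at most `hops` hops arrives with TTL >= 255 - hops; a packet
    sent from farther away has been decremented more often and cannot qualify."""
    return ttl >= 255 - hops


def check_update(policy: NeighborPolicy, ttl: int, as_path: List[int]) -> Tuple[bool, str]:
    """Decide whether an UPDATE received from an eBGP neighbor is accepted, applying
    the checks in the order they would block it: TTL, path length, then AS loop."""
    if policy.ttl_security_hops is not None and not gtsm_accepts(ttl, policy.ttl_security_hops):
        return False, f"ttl-security: TTL {ttl} below {255 - policy.ttl_security_hops}"
    if policy.maxas_limit is not None and len(as_path) > policy.maxas_limit:
        return False, f"maxas-limit: AS_PATH length {len(as_path)} exceeds {policy.maxas_limit}"
    own = as_path.count(policy.local_as)
    if own > policy.allowas_in:
        # standard eBGP loop prevention: our own AS in the path means a loop, unless
        # allowas-in permits up to N occurrences (the AS 100 -> AS 200 -> AS 100 case)
        return False, f"loop: local AS {policy.local_as} seen {own} time(s) in AS_PATH"
    return True, "accepted"


def remove_private_as(as_path: List[int], strip_all: bool = False) -> List[int]:
    """Outbound 'neighbor X remove-private-as'. Classic IOS behaviour: the private
    ASNs are stripped only when the whole AS_PATH is private; the 'all' keyword
    (strip_all=True) removes every private ASN even from a mixed path."""
    if strip_all:
        return [a for a in as_path if not is_private_as(a)]
    if as_path and all(is_private_as(a) for a in as_path):
        return []
    return list(as_path)


if __name__ == "__main__":
    # Constructed sample: AS 100 peering with AS 200 two hops away via loopbacks.
    policy = NeighborPolicy(local_as=100, ttl_security_hops=2, maxas_limit=20)
    for ttl, path in [(253, [200, 300]), (250, [200, 300]), (255, [200, 100])]:
        print(ttl, path, check_update(policy, ttl, path))
```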

___________________________________________________________________________________________________________________

BGP Version ____________________________________________________________________________________________________________________

Cisco IOS 12.0 supports BGP versions 2, 3 and 4, but the NEWER IOS versions support ONLY BGP Version 4. To change that (on the IOS releases where it's allowed), for example in order to peer with routers from a different vendor:

(config-router)#neighbor x.x.x.x version 4

____________________________________________________________________________________________________________________

BGP Peer-Group ____________________________________________________________________________________________________________________

It's a simple concept, just a group of neighbors we want to configure with the same group of parameters. It's defined in 3 steps:

Step 1. Define/Configure the Peer Group

(config-router)#neighbor CISQUEROS peer-group

Step 2. Add the individual neighbors into the configured peer group

*Be sure to configure the interface used as the UPDATE-SOURCE, using the "neighbor x.x.x.x update-source lo0"

(config-router)#neighbor 2.2.2.2 peer-group CISQUEROS

(config-router)#neighbor 3.3.3.3 peer-group CISQUEROS

Be sure to configure ROUTER-ID Manually using "bgp router-id" command, or you will get this message:

*Nov 23 13:48:02.535: %BGP-4-NORTRID: BGP could not pick a router-id. Please configure manually.

Expect the following message:

*May 5 10:13:21.395: %BGP_SESSION-5-ADJCHANGE: neighbor 3.3.3.3 IPv4 Unicast topology base removed from session  Member added to peergroup

*May 5 10:13:21.395: %BGP-5-ADJCHANGE: neighbor 3.3.3.3 Down Member added to peergroup

*May 5 10:13:22.283: %BGP-5-ADJCHANGE: neighbor 3.3.3.3 Up

Both neighbors remain UP!

If you CANNOT bring the BGP neighbors UP, use the PHYSICAL IPs. Then both Neighbors will appear. Once you've got the peering - you can remove the neighbor added using the Physical IP.

Step 3. Apply the set of parameters to the Peer Group, and the parameters will apply to each of the Peers. For example, let's configure the Password:

(config-router)#neighbor CISQUEROS password cisco


____________________________________________________________________________________________________________________

BGP Peer-Session and Peer-Policy Templates ____________________________________________________________________________________________________________________

Another way to make the BGP configuration easier is to avoid configuring the same command set on every router.

Step 1: Define the peer-session and give it a name:

(config-router)#template peer-session MYBGP

Step 2: Assign the attributes to the peer-session:

(config-router-stmp)#version 4

(config-router-stmp)#update-source lo0

(config-router-stmp)#password Cisqueros

Step 3: If you have more groups of neighbors that all share some common settings (for example the ones defined in the MYBGP template above) but differ in some others, create another template per group and have it inherit the first template:

(config-router)#template peer-session GROUP_1

(config-router-stmp)#inherit peer-session MYBGP

(config-router-stmp)#remote-as 100

(config-router)#template peer-session GROUP_2

(config-router-stmp)#inherit peer-session MYBGP

(config-router-stmp)#remote-as 200

Step 4: Apply the LAST defined Templates to the RELEVANT NEIGHBORS; each of them inherits the settings of the initial Template:

(config-router)#neighbor 1.1.1.1 inherit peer-session GROUP_1

(config-router)#neighbor 2.2.2.2 inherit peer-session GROUP_1

(config-router)#neighbor 3.3.3.3 inherit peer-session GROUP_2

Peer-Policy has a similar purpose. The difference is the commands inside, and a Peer-Session CANNOT INHERIT a Peer-Policy template. Here is an example of a peer policy template:

(config)#router bgp 200

(config-router)#template peer-policy FORCE_SELF_AS_NEXT_HOP

(config-router-ptmp)#next-hop-self

(config-router-ptmp)#exit-peer-policy

____________________________________________________________________________________________________________________

BGP Authentication ____________________________________________________________________________________________________________________

It's configured on a PER-NEIGHBOR basis, or, as described in the previous section, on a PER-PEER-GROUP basis.

(config-router)#neighbor CISQUEROS password cisco

From Jeff Doyle, ROUTING TCP/IP Vol. 2 (the Routing Bible in my opinion, even though I hope it gets updated soon, it's been 12 years!): “The IOS uses MD5 authentication when a BGP neighbor password is configured. MD5 is a one-way message digest or secure hash function produced by RSA Data Security, Inc. It also is occasionally referred to as a cryptographic checksum, because it works in somewhat the same way as an arithmetic checksum. MD5 computes a 128-bit hash value from a plain-text message of arbitrary length (in this case, a BGP message) and a password. This "fingerprint" is transmitted along with the message. The receiver, knowing the same password, calculates its own hash value. If nothing in the message has changed, the receiver's hash value should match the sender's value transmitted with the message. The hash value is impossible to decipher (without a huge amount of computing power) without knowing the password so that an unauthorized router cannot, either maliciously or by accident, peer with a router running neighbor authentication.”
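To see what that "fingerprint" actually covers, here is an added Python example (not from the guide, and not IOS code) that computes and checks the RFC 2385 TCP MD5 signature, the option IOS uses for the BGP neighbor password, over a constructed BGP KEEPALIVE segment. Addresses, ports, sequence numbers and the password are made-up sample values.

```python
"""Constructed example: RFC 2385 TCP MD5 signature over one BGP segment.
The digest covers, in order: the TCP pseudo-header, the fixed TCP header with
its checksum field zeroed and options left out, the segment payload, and then
the shared password. Nothing here is taken from IOS; the values are made up."""
import hashlib
import hmac
import ipaddress
import struct

MD5_OPTION_BLOCK = 20   # 18-byte MD5 option plus 2 bytes of padding on the wire
TCP_PROTO = 6


def build_tcp_header(sport: int, dport: int, seq: int, ack: int,
                     flags: int, window: int) -> bytes:
    """Fixed 20-byte TCP header (no options); checksum and urgent pointer are 0."""
    data_offset = (20 + MD5_OPTION_BLOCK) // 4      # header length in 32-bit words
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset << 4, flags, window, 0, 0)


def tcp_md5_digest(src_ip: str, dst_ip: str, tcp_header: bytes,
                   payload: bytes, password: bytes) -> bytes:
    """Return the 16-byte RFC 2385 digest for one TCP segment."""
    if len(tcp_header) != 20:
        raise ValueError("pass the 20-byte fixed TCP header without options")
    # pseudo-header length = the whole segment as sent, options included
    seg_len = len(tcp_header) + MD5_OPTION_BLOCK + len(payload)
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    header_zero_cksum = tcp_header[:16] + b"\x00\x00" + tcp_header[18:]
    m = hashlib.md5()
    for part in (pseudo, header_zero_cksum, payload, password):
        m.update(part)
    return m.digest()


def verify_segment(src_ip: str, dst_ip: str, tcp_header: bytes, payload: bytes,
                   password: bytes, received_digest: bytes) -> bool:
    """Receiver side: recompute with the locally configured password and compare
    in constant time. Any change to header, payload or password fails the check."""
    expected = tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, password)
    return hmac.compare_digest(expected, received_digest)


# A BGP KEEPALIVE: 16-byte all-ones marker, length 19, type 4 (constructed).
BGP_KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)
TCP_ACK_PSH = 0x18

if __name__ == "__main__":
    hdr = build_tcp_header(179, 49152, 1000, 2000, TCP_ACK_PSH, 16384)
    sig = tcp_md5_digest("2.2.2.2", "3.3.3.3", hdr, BGP_KEEPALIVE, b"cisco")
    print("digest:", sig.hex())
    print("same password:", verify_segment("2.2.2.2", "3.3.3.3", hdr, BGP_KEEPALIVE, b"cisco", sig))
    print("other password:", verify_segment("2.2.2.2", "3.3.3.3", hdr, BGP_KEEPALIVE, b"Cisqueros", sig))
```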


____________________________________________________________________________________________________________________

BGP Route Reflectors ____________________________________________________________________________________________________________________

*Configuring Multi-protocol BGP (MP-BGP) Support for CLNS on Cisco Docs

Like the BGP Confederations, Route Reflectors REMOVE THE NEED FOR FULL-MESH iBGP peering. Route Reflectors let all the routers learn all the iBGP routes, and prevent loops.

Route Reflector SERVERS: Allowed to learn the iBGP routes from their CLIENTS, and advertise them to other iBGP peers. RR Servers act as normal BGP peers with the NON-RR-CLIENT peers and the eBGP peers; they send all the BGP Updates.

Route Reflector CLUSTER: One or more RR Servers and their clients. With MULTIPLE Clusters, at least one of the RRs must be peered with at least one RR in Each Cluster.

There are 3 implemented LOOP PREVENTION Mechanisms:

1. CLUSTER_LIST - The Cluster ID is automatically included into the BGP PA (path attribute) when generated, so the RR rejects the prefixes where its own Cluster ID appears. It's similar to the AS_PATH attribute, but instead of ASs it has a list of CLUSTER IDs.

2. ORIGINATOR_ID - Attribute created by the RR. It's the Router ID of the first iBGP peer to advertise the route into the AS. The RR will not advertise the prefix back to the originator.

3. Only advertise BEST routes

The configuration is rather simple, and it consists of 2 steps (the third step below is verification):

Step 1: Define the CLUSTER ID on ALL the routers (this is NOT MANDATORY)

(config-router)#bgp cluster-id 3

Step 2: There is a difference between the RR SERVER and RR CLIENT (under the BGP configuration). On RR SERVER configure ALL the clients:

(config-router)#neighbor 172.25.185.22 route-reflector-client

(config-router)#neighbor 172.25.186.59 route-reflector-client

Step 3: Check the status of each Client on the RR SERVER ROUTER:

#show ip bgp neighbors 172.25.185.22 | i Reflector

Route-Reflector Client

Also make sure that the routes you expect to learn from RR Clients look like this:

#sh ip bgp 2.0.0.0/8

BGP routing table entry for 2.0.0.0/8, version 23

Paths: (1 available, best #1, table default)

Advertised to update-groups:

4

Local, (Received from a RR-client)

#sh ip bgp 6.6.6.6

BGP routing table entry for 6.0.0.0/8, version 7

Paths: (1 available, best #1, table default)

Not advertised to any peer

Local

10.1.46.6 (metric 2) from 10.1.13.1 (1.1.1.1)

Origin IGP, metric 0, localpref 100, valid, internal, best

Originator: 6.6.6.6, Cluster list: 1.1.1.1, 4.4.4.4 <- CLUSTER LIST

DON’T forget to remove the iBGP sessions between CLIENTS, because... well, that's the point of implementing the RRs, to decrease the number of BGP peerings. The Route Reflector will "reflect" the routes received from one iBGP peer to the others. In the normal configuration (without route reflectors) the iBGP neighbors must be FULLY MESHED due to the SPLIT HORIZON rule (a prefix learned from an iBGP peer will NEVER be announced to another iBGP peer). Have in mind that the RR is a single point of failure in the Network, so - BEST PRACTICE is to have MULTIPLE RR SERVERS, and make sure that the RR SERVERS HAVE A FULL MESH.
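As an added illustration (example code, not from the guide), a small Python model of the reflection rules and the three loop-prevention rules above, using the router IDs from the show output; the best-path comparison is reduced to "highest LOCAL_PREF wins", and all peers are identified by their router ID.

```python
"""Constructed example: how a route reflector applies CLUSTER_LIST,
ORIGINATOR_ID and the best-path-only rule, and whom it reflects to
(from a client: to all other clients and non-clients; from a non-client:
to clients only). Router IDs, cluster IDs and prefixes are made-up values."""
from dataclasses import dataclass, replace
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    originator_id: Optional[str] = None    # ORIGINATOR_ID path attribute
    cluster_list: Tuple[str, ...] = ()      # CLUSTER_LIST path attribute
    local_pref: int = 100


class RouteReflector:
    def __init__(self, router_id: str, cluster_id: str,
                 clients: Iterable[str], non_clients: Iterable[str]):
        self.router_id = router_id
        self.cluster_id = cluster_id
        self.clients = set(clients)
        self.non_clients = set(non_clients)
        self.best: Dict[str, Route] = {}     # prefix -> current best path

    def accept(self, route: Route) -> bool:
        """Rules 1 and 2: drop an UPDATE whose CLUSTER_LIST already carries our
        cluster-id, or whose ORIGINATOR_ID is our own router-id."""
        if self.cluster_id in route.cluster_list:
            return False
        if route.originator_id == self.router_id:
            return False
        return True

    def receive(self, from_peer: str, route: Route) -> Dict[str, Route]:
        """Process one iBGP UPDATE from from_peer (a router-id) and return
        {peer: reflected_route} for every peer the route is reflected to."""
        if not self.accept(route):
            return {}
        current = self.best.get(route.prefix)
        if current is not None and current.local_pref >= route.local_pref:
            return {}                          # rule 3: only the best path is reflected
        self.best[route.prefix] = route
        reflected = replace(
            route,
            originator_id=route.originator_id or from_peer,      # set once, by the first RR
            cluster_list=(self.cluster_id,) + route.cluster_list,  # prepend our cluster-id
        )
        if from_peer in self.clients:
            targets = (self.clients | self.non_clients) - {from_peer}
        elif from_peer in self.non_clients:
            targets = set(self.clients)
        else:
            return {}                          # unknown iBGP peer: nothing to reflect
        targets.discard(reflected.originator_id)   # never back to the originator
        return {peer: reflected for peer in sorted(targets)}


if __name__ == "__main__":
    # R6 is a client of RR4; RR4 and RR1 peer as non-clients; R2 is a client of RR1.
    rr4 = RouteReflector("4.4.4.4", "4.4.4.4", clients=["6.6.6.6"], non_clients=["1.1.1.1"])
    rr1 = RouteReflector("1.1.1.1", "1.1.1.1", clients=["2.2.2.2"], non_clients=["4.4.4.4"])
    via_rr4 = rr4.receive("6.6.6.6", Route("6.0.0.0/8", "10.1.46.6"))
    via_rr1 = rr1.receive("4.4.4.4", via_rr4["1.1.1.1"])
    print(via_rr1["2.2.2.2"])            # Originator 6.6.6.6, Cluster list 1.1.1.1, 4.4.4.4
    print(rr4.receive("1.1.1.1", via_rr1["2.2.2.2"]))   # {} : own cluster-id seen, loop stopped
```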


____________________________________________________________________________________________________________________

BGP BACKDOOR Route ____________________________________________________________________________________________________________________

When you need the eBGP route to be LESS preferred, you need a way to tune it, because not many routing protocols "beat" eBGP's Administrative Distance (20). The "backdoor" argument sets the route's AD to 200 (as if it were an iBGP route instead of an eBGP route), and alters the order of preference in the routing table.

It's quite easy to configure: you configure a regular network using the "network" command, but add the "backdoor" argument at the end. This will advertise the route into the BGP process, but it will not add it to the routing table unless the same prefix is otherwise absent from the routing table.

*BE CAREFUL!!! The BACKDOOR argument is applied to the network advertised TO YOU, not from you like in the normal "network" command application.

(config-router)#network 150.1.2.0 mask 255.255.255.0 backdoor

Note that you will not SEE this route in the routing table unless the route with the bigger AD is down. Also, in the BGP table it will have the "r" symbol, meaning - not eligible to be added to the routing table:

#sh ip bgp | i 150.1.2

r> 150.1.2.0/24 10.1.13.1 0 100 200 ?

____________________________________________________________________________________________________________________

BGP CONDITIONAL Advertisements - Advertise Maps ____________________________________________________________________________________________________________________

This is a simple feature, but you really need to know the BGP philosophy and maybe even have some basic experience in programming. The trick is to change the behavior of the BGP advertisements depending on the routes that are being learned.

Step 1: Configure 2 Route Maps, one for the CHECK condition, and another for the PREFIXES you will advertise if the CHECK passes. For example, we want to CHECK if 2.0.0.0 is learned:

(config)#access-list 2 permit 2.0.0.0

(config)#route-map CHECK permit 10

(config-rmap)#match ip address 2

And ONLY if it's NOT in the routing table, we want to advertise 1.0.0.0:

(config)#access-list 1 permit 1.0.0.0

(config)#route-map ADVERTISE permit 10

(config-rmap)#match ip address 1

Step 2: Configure the advertise map and the condition in the BGP routing process:

(config)#router bgp 65545

(config-router)#neighbor 10.1.12.2 advertise-map ADVERTISE ?

exist-map advertise prefix only if prefix is in the condition exists <- CHECK THESE OPTIONS

non-exist-map advertise prefix only if prefix in the condition does not exist

(config-router)#neighbor 10.1.12.2 advertise-map ADVERTISE non-exist-map CHECK

Intuitively we can see that the advertise-map (ADVERTISE here) is the route map that defines the routes that will be advertised, in this case only if the condition defined in the non-exist-map (CHECK here) is NOT satisfied, meaning - if the prefixes are NOT in the table.


____________________________________________________________________________________________________________________

BGP Route Dampening ____________________________________________________________________________________________________________________

Cisco Docs: Advanced BGP Features

TIP: Don't forget to define the "set dampening ..." within the route-map configuration, or you will be getting the following message when checking the parameters:

#sh ip bgp dampening parameters

% dampening reconfiguration in progress for IPv4 Unicast

When you check the BGP prefixes using "show ip bgp", besides the status codes that appeared so far (*, >, r) there is another "Tag" that can appear, the letter "d", which stands for DAMPENING (damped).

#show ip bgp

BGP table version is 5, local router ID is 192.168.2.2

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal <- CHECK THIS LINE

r RIB-failure, S Stale

From Cisco Docs: "Route dampening is a BGP feature designed to minimize the propagation of flapping routes across an internetwork. A route is considered to be flapping when its availability alternates repeatedly"

If you're configuring it without any parameter tuning, there is an enable command under the BGP process:

(config-router)#bgp dampening

If you want to use this feature, make sure you understand the concept of PENALTIES being "rewarded" to a route every time it FLAPS, and make sure you're familiar with the PARAMETERS of BGP DAMPENING:

#sh ip bgp dampening parameters

dampening 15 750 2000 60 (DEFAULT)

Half-life time : 15 mins Decay Time : 2320 secs

Max suppress penalty: 12000 Max suppress time: 60 mins

Suppress penalty : 2000 Reuse penalty : 750

1. HALF-LIFE (default 15 minutes): When a penalty is assigned to a route, the accumulated penalty is decreased every 5 seconds. When the half-life expires, the accumulated penalty is reduced by half. Default HALF-LIFE is 15 minutes, and the range is 1-45 minutes.

2. REUSE (default 750): The route becomes REUSABLE if the penalty of the flapping route goes BELOW THIS VALUE. By default it's 750, and the range is 1 to 20000.

3. SUPPRESS: The route is SUPPRESSED when the penalty REACHES THIS VALUE. Default is 2000, and the range is 1-20000.

4. MAX-SUPPRESS-TIME: Max time that the route can STAY SUPPRESSED. Default is 4 times the Half-Life value (60 minutes), range is 1-255.
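Added Python example (not from the guide) that works the four parameters above through: it derives the 12000 "Max suppress penalty" printed by the defaults and simulates three quick flaps. The 1000 penalty added per flap is the IOS default and is an assumption here, not a value from the page; the decay model (halving every half-life, penalty capped at the max suppress penalty) follows the dampening algorithm as commonly described.

```python
"""Constructed example: BGP route dampening arithmetic with the IOS defaults
dampening 15 750 2000 60 (half-life minutes, reuse, suppress, max-suppress minutes)."""
import math
from dataclasses import dataclass
from typing import List, Tuple

FLAP_PENALTY = 1000        # assumption: IOS default penalty per flap (not stated on the page)


@dataclass
class DampeningParams:
    half_life: float = 15.0           # minutes
    reuse: int = 750
    suppress: int = 2000
    max_suppress_time: float = 60.0   # minutes

    @property
    def max_suppress_penalty(self) -> int:
        """The ceiling shown as "Max suppress penalty": the penalty that takes
        exactly max_suppress_time to decay down to reuse, i.e. reuse * 2^(max/half)."""
        return round(self.reuse * 2 ** (self.max_suppress_time / self.half_life))


def decay(penalty: float, minutes: float, params: DampeningParams) -> float:
    """Exponential decay: the penalty halves every half_life minutes."""
    return penalty * 2 ** (-minutes / params.half_life)


def minutes_until_reuse(penalty: float, params: DampeningParams) -> float:
    """How long a route with this penalty stays suppressed, capped by max_suppress_time."""
    if penalty < params.reuse:
        return 0.0
    return min(params.half_life * math.log2(penalty / params.reuse),
               params.max_suppress_time)


def simulate(flap_times: List[float], params: DampeningParams) -> List[Tuple[float, float, bool]]:
    """Apply one flap at each time (in minutes); return (time, penalty, suppressed) per flap."""
    penalty, last_t, suppressed, events = 0.0, 0.0, False, []
    for t in flap_times:
        penalty = decay(penalty, t - last_t, params) + FLAP_PENALTY
        penalty = min(penalty, params.max_suppress_penalty)   # accumulated penalty is capped
        last_t = t
        if penalty >= params.suppress:
            suppressed = True               # crossed the suppress limit
        elif penalty < params.reuse:
            suppressed = False              # decayed below the reuse limit
        events.append((t, round(penalty, 1), suppressed))
    return events


if __name__ == "__main__":
    p = DampeningParams()
    print("max suppress penalty:", p.max_suppress_penalty)      # 12000 with the defaults
    events = simulate([0, 1, 2], p)
    for t, pen, sup in events:
        print(f"t={t:>3} min  penalty={pen:7.1f}  suppressed={sup}")
    print(f"reusable again about {minutes_until_reuse(events[-1][1], p):.1f} min after the last flap")
```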

If you need to configure BGP DAMPENING for certain routes only, use a ROUTE-MAP:

(config)#route-map DAMPEN_1

(config-route-map)#match ip add 15 <- CONFIGURE THE ROUTES YOU ARE DAMPENING IN AN ACL

(config-route-map)#set dampening 15 700 2000 60 <- SET DESIRED DAMPENING PARAMETERS

*Parameters can be defined directly under the BGP process, or within the Route-Map like here

Then apply it within the BGP configuration process:

(config-router)#bgp dampening route-map DAMPEN_1

This configuration can get quite complicated, so you might need to MATCH THE AS-PATH; for this you need to be quite comfortable with META CHARACTERS. For example, to match prefixes originated in AS 300:

(config)#ip as-path access-list 15 permit ^300$

And then MATCH it in the route-map and SET the dampening parameters:

(config)#route-map DAMPEN_2

(config-route-map)#match as-path 15

(config-route-map)#set dampening 15 700 2000 60


____________________________________________________________________________________________________________________

BGP Route Summarization ____________________________________________________________________________________________________________________

BGP Routes can be summarized in the BGP process configuration using the "aggregate-address" command. The AGGREGATE is ONLY created if at least one of the specific prefixes exists in the BGP table.

(config-router)#aggregate-address 2.2.0.0 255.255.0.0 ?

advertise-map Set condition to advertise attribute <- ASSIGN THE ROUTE-MAP

as-confed-set Generate AS confed set path information

as-set Generate AS set path information

attribute-map Set attributes of aggregate <- SET ATTRIBUTES such as COST/METRIC using ROUTE-MAP

route-map Set parameters of aggregate

summary-only Filter more specific routes from updates <- ONLY THE SUMMARY, SUPRESSES OTHER PREFIXES

suppress-map Conditionally filter more specific routes from updates

<cr>

*If you need to UN-SUPPRESS some prefixes from the Summary route, the command is applied PER NEIGHBOR

Another way to achieve the same effect is to create STATIC ROUTE to Null0, and advertise using "network" command.

ATOMIC-AGGREGATE is an attribute that is assigned AUTOMATICALLY to the aggregate route if the "as-set" argument is NOT used in the "aggregate-address" command (AS-SET reveals the AS numbers that some routes were originated from)

Additional arguments (route-maps) are a bit complicated, so you need to know exactly what which one is for:

Suppress-map - suppresses the prefixes defined in the ACL (it ADVERTISES the prefixes DENIED by the ACL). The reverse (UNSUPPRESS, with the REVERSE logic) can be configured on a per-NEIGHBOR basis:

(config-router)#neighbor x.x.x.x unsuppress-map UNSUPP

____________________________________________________________________________________________________________________

BGP INJECT and EXIST map ___________________________________________________________________________________________________________________

This is not so common, and they are used for more granular control of the advertised routes. For example, if you want to make sure that a certain prefix is learned (EXIST) from a certain router (match route-source), then inject the specific prefixes (INJECT) into the router's BGP table:

(config-router)#bgp inject-map INJECT exist-map EXIST

____________________________________________________________________________________________________________________

BGP Community Attribute ___________________________________________________________________________________________________________________

*Under SERVICE PROVIDER in the Cisco Docs

The Community attribute is one of those non-standard BGP attributes that you really need to know well if you wish to use it. The big advantage is that from time to time you will just swoop in and solve a big architecture problem your colleague Network Engineers are having. The downside is that it's a bit tacky. For example, these are the communities you can set within the route-map configuration:

(config-route-map)#set community ?

<1-4294967295> community number

aa:nn community number in aa:nn format

additive Add to the existing community

internet Internet (well-known community) <-ADVERTISE these networks to ALL neighbors

local-AS Do not send outside local AS (well-known community) <-ONLY advertise within the AS

no-advertise Do not advertise to any peer (well-known community) <-Do not advertise to any peer.

no-export Do not export to next AS (well-known community) <-Do not advertise to eBGP peers.

none No community attribute

<cr>

*IMPORTANT: Do not forget to actually SEND the community to the neighbor, or your configuration will not work!!!

(config-router)#neighbor x.x.x.x send-community


You can of course apply the BGP community attributes in the INBOUND and OUTBOUND direction, where you automatically override the existing value. Besides these well-known community values, you can also assign an arbitrary community number and use it later as a BGP TAG.

Extended community attributes are used to configure, filter, and identify routes for virtual routing and forwarding (VRF) instances and Multi-protocol Label Switching (MPLS) Virtual Private Networks (VPNs).

COST is an example of an EXTENDED COMMUNITY Attribute. It allows you to customize the local route preference, and in that way influence the best path selection. It's configured under the route-map:

(config-route-map)#set extcommunity cost ?

<0-255> Community ID

igp Compare following IGP cost comparison

pre-bestpath Compare before all other steps in bestpath calculation <-CHECK THIS OUT!!!

So if you need to influence the path ABSOLUTELY:

(config-route-map)#set extcommunity cost PRE-bestpath 100 ? <- COST ID IS USED AS A TIE BREAKER

<0-4294967295> Cost Value (No-preference Cost = 2147483647) <-LOWER VALUE IS BETTER

There are 3 EXTENDED COMMUNITY attributes:

(config-route-map)#set extcommunity ?

cost Cost extended community

rt Route Target extended community <- FOR MPLS

soo Site-of-Origin extended community

____________________________________________________________________________________________________________________

BGP & Load Balancing ____________________________________________________________________________________________________________________

If you see the same route from 2 different sources:

#sh ip bgp | b Network

Network Next Hop Metric LocPrf Weight Path

* 10.1.23.0/24 10.1.12.2 0 0 300 i

*> 10.1.13.3 0 0 300 i

And in the routing table only one of them appears:

#sh ip route bgp

B 10.1.23.0/24 [20/0] via 10.1.13.3, 00:00:01

You can increase the MAXIMUM PATH number, and add 2 (or more) different paths to the routing table:

(config-router)#maximum-paths 2

Check if the parameter "took":

#sh ip protocols | i Maxim

Maximum path: 1

And make sure the routing table has been updated (this happens immediately):

#sh ip route bgp

B 10.1.23.0/24 [20/0] via 10.1.13.3, 00:00:04

[20/0] via 10.1.12.2, 00:00:04


UNEQUAL COST BALANCING: when you wish to Load Balance based on each Link's BW. This feature is used together with BGP MULTIPATH to advertise the exit links' BW as an EXTENDED COMMUNITY to iBGP peers. The configuration is somewhat weird:

Step 1: Enable DMZLINK-BW

(config-router)#bgp dmzlink-bw <- ON BORDER AND INTERNAL ROUTERS

Step 2: Configure BGP to include the BW value to external interface on extended community, per neighbor:

(config-router)#neighbor 10.1.1.2 dmzlink-bw

BE SURE the neighbor is a SINGLE HOP eBGP PEER, or you will get a message:

%BGP: Propagation of DMZ-Link-Bandwidth is supported only for single-hop EBGP peers

Step 3: Send the COMMUNITY

(config-router)#neighbor 10.1.1.2 send-community extended

____________________________________________________________________________________________________________________

1. AS-Path (The less ASs in the path - the Better) ____________________________________________________________________________________________________________________

Used to influence another AS by adding, or PREPENDING, ASs to the prefix using the Route Map:

(config-route-map)#set as-path prepend 111 <- WITHIN ROUTE-MAP CONFIG

When you want to NOT-PREPEND the LOCAL AS to the advertised prefixes:

(config-router)#neighbor 10.1.1.2 local-as 100 no-prepend

When you want to REPLACE the PREPENDED AS to the advertised prefixes:

(config-router)#nei 10.1.1.2 local-as 100 no-prepend replace-as

*"replace-as" Instructs NOT TO PREPEND the REAL AS

You can do pretty granular control here using the AS-PATH Access Lists. You do need a basic knowledge of regular expression META characters for this, so basically if you need to match all the prefixes that pass through AS 65505 you do this:

(config)#ip as-path access-list 10 permit ^65505$ <-you can go wild with the filters

*in this case we are filtering the prefixes originated and advertised directly by AS 65505

The AS-PATH ACL can also be applied to a neighbor as a FILTER-LIST

(config-router)#neighbor 172.25.185.45 filter-list 10 in


REMINDER of the META Characters:

^ - START of Line

$ - END of Line

| - Logical OR

_ - ANY DELIMITER (comma, space, or whatever)

? - ZERO instances of the PRECEDING character

* - ZERO OR MORE instances of the PRECEDING character

+ - ONE OR MORE instances of the PRECEDING character

(x) - Combine the enclosed String as a single entity

[x] - Wildcard where any position can match the position in AS-Path

. - Any Character

After this you just match this condition in the route-map in order to set some parameter later:

(config-route-map)#match as-path 10

____________________________________________________________________________________________________________________

2. Weight (the Higher - the Better) ____________________________________________________________________________________________________________________

It's a CISCO Proprietary Attribute, used ONLY LOCALLY to influence the LOCAL AS by assigning the WEIGHT attribute to prefixes learned from a BGP Neighbor.

First you need to set up the route-map. You can use the MATCH condition, but you don't have to. In this case we will apply the weight to all the prefixes announced by a neighbor.

route-map SET_WEIGHT permit 10

match ...

set weight 500

And apply the route-map to a neighbor in the INBOUND direction (prefixes coming IN, meaning - are announced by that neighbor):

router bgp 65535

neighbor 172.21.12.2 remote-as 64500

neighbor 172.21.12.2 route-map SET_WEIGHT in

Or you can simply apply the WEIGHT attribute to the neighbor directly:

router bgp 65535

neighbor 172.21.12.2 remote-as 64500

neighbor 172.21.12.2 weight 500


____________________________________________________________________________________________________________________

3. MED (Multi Exit Discriminator) ____________________________________________________________________________________________________________________

* Attribute; RFC 1771 - Optional and Non-Transitive; The Smaller the Better

The router will compare the MED attribute for paths only from BGP peers that reside in the same autonomous system. In the CCIE the MED can also be used to influence the ISP BGP Neighbors to prefer one or the other exit point of your network, but in the real world most ISPs will DISCARD the MED attribute to try and enforce the HOT POTATO strategy, where if the route is not destined for the provider's network it prefers sending the traffic out to another provider ASAP.

This is the most similar Attribute to the OSPF Metric that there is in BGP. The nature of this attribute is similar to the AS-Path, because they are both used to influence the other AS by tuning the attributes of the Locally Originated and Advertised Prefixes. You can simply set it (set metric X) within the route-map configuration, and apply it to the BGP Neighbor in the OUTBOUND direction.

MED is used only for the routes from one AS to another. It makes no sense to compare MED values of the learned BGP routes from different ASs.

If you wish to RE-ARRANGE the Attribute Comparison order, and for example wish to compare the MED value before the AS-Path (meaning - prefer the lower MED, regardless of the AS-Path), you can use these commands under the BGP configuration:

(config-router)#bgp always-compare-med <-to compare MED value even if there is higher ranked attribute

(config-router)#bgp bestpath as-path ignore <--- to IGNORE the AS-Path attribute, HIDDEN COMMAND on IOS!!!

*BE CAREFUL with the second command: the TAB key will not work and the "?" will not show you the "as-path" option

By default the MISSING MED value is considered the BEST one because on most IOS-s it picks up the value 0. To change this use:

(config-router)#bgp bestpath med missing-as-worst <- Treat the non-defined MED as the WORST
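Added Python example (not from the guide, and a simplification of the IOS algorithm) that models the best-path comparison for the attributes in sections 1 to 4 above, with the three knobs just shown as switches: AS-path ignore, always-compare-med and med missing-as-worst. Steps IOS runs between these (locally originated, oldest path, deterministic-med) are left out, and all paths are made-up sample values.

```python
"""Constructed example: a reduced IOS-style best-path comparison
(weight > LOCAL_PREF > AS-path length > origin > MED > eBGP over iBGP >
IGP metric > lowest router-id) with the MED/AS-path knobs as switches."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}      # IGP < EGP < incomplete
MED_MISSING_WORST = 4294967295              # MED used by "bgp bestpath med missing-as-worst"


@dataclass
class Path:
    prefix: str
    next_hop: str
    as_path: Tuple[int, ...] = ()
    weight: int = 0
    local_pref: int = 100
    origin: str = "i"
    med: Optional[int] = None               # None = MED attribute absent
    ebgp: bool = True
    igp_metric: int = 0
    router_id: str = "0.0.0.0"

    @property
    def neighbor_as(self) -> Optional[int]:
        return self.as_path[0] if self.as_path else None


@dataclass
class Knobs:
    always_compare_med: bool = False        # bgp always-compare-med
    as_path_ignore: bool = False            # bgp bestpath as-path ignore
    med_missing_as_worst: bool = False      # bgp bestpath med missing-as-worst


def effective_med(p: Path, knobs: Knobs) -> int:
    """A missing MED counts as 0 (best) unless missing-as-worst is on."""
    if p.med is None:
        return MED_MISSING_WORST if knobs.med_missing_as_worst else 0
    return p.med


def better(a: Path, b: Path, knobs: Knobs) -> Path:
    """Return the preferred of two paths, walking the comparison steps in order."""
    if a.weight != b.weight:                                    # higher weight
        return a if a.weight > b.weight else b
    if a.local_pref != b.local_pref:                            # higher LOCAL_PREF
        return a if a.local_pref > b.local_pref else b
    if not knobs.as_path_ignore and len(a.as_path) != len(b.as_path):   # shorter AS-path
        return a if len(a.as_path) < len(b.as_path) else b
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:         # lower origin code
        return a if ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin] else b
    # MED is only compared between paths from the same neighbor AS, unless always-compare-med
    if knobs.always_compare_med or a.neighbor_as == b.neighbor_as:
        ma, mb = effective_med(a, knobs), effective_med(b, knobs)
        if ma != mb:
            return a if ma < mb else b
    if a.ebgp != b.ebgp:                                        # eBGP over iBGP
        return a if a.ebgp else b
    if a.igp_metric != b.igp_metric:                            # lower IGP metric to next hop
        return a if a.igp_metric < b.igp_metric else b
    return a if ipaddress.IPv4Address(a.router_id) <= ipaddress.IPv4Address(b.router_id) else b


def select_best(paths: List[Path], knobs: Optional[Knobs] = None) -> Path:
    knobs = knobs or Knobs()
    best = paths[0]
    for p in paths[1:]:
        best = better(best, p, knobs)
    return best


if __name__ == "__main__":
    a = Path("1.0.0.0/8", "10.1.14.1", as_path=(100,), med=50, router_id="1.1.1.1")
    b = Path("1.0.0.0/8", "10.1.12.2", as_path=(200, 300), med=None, router_id="2.2.2.2")
    print("default:", select_best([a, b]).next_hop)                      # 10.1.14.1 (shorter AS-path)
    print("as-path ignore + always-compare-med:",
          select_best([a, b], Knobs(as_path_ignore=True, always_compare_med=True)).next_hop)
    print("... + missing-as-worst:",
          select_best([a, b], Knobs(True, True, True)).next_hop)          # back to 10.1.14.1
```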

____________________________________________________________________________________________________________________

4. LOCAL PREFERENCE ____________________________________________________________________________________________________________________

It's used to PREFER AN EXIT POINT of a LOCAL BGP AS. Bigger is Better, DEFAULT: 100. There are 2 ways to configure the LOCAL PREFERENCE:

WAY 1: TRY AND INFLUENCE DOWNSTREAM BGP NEIGHBORS.

If we configure this one, all the routes we announce will have Local Preference 500, unless RE-WRITTEN.

(config-router)#bgp default local-preference 500

The same effect is achieved by defining a ROUTE-MAP, setting the Local Preference and applying it OUTBOUND:

(config-router)#nei 10.1.34.4 route-map LOCPREF_PREFIXESRM out

*configuration similar to the one explained below, within the Way2.

WAY 2: SUPERSEDES the 1st way

Applied INBOUND to the LEARNED routes we want to PREFER. It OVERWRITES the Local Preference announced by the upstream BGP Neighbors.

Step 1: Define a PREFIX LIST with the PREFIXES you want to assign the Local preference to:

(config)#ip prefix-list LOCPREF_PREFIXES seq 5 permit 1.0.0.0/8

Step 2: Define a ROUTE-MAP to match the PREFIX and SET THE LOCAL PREFERENCE (in this case 500):

(config)#route-map LOCPREF_PREFIXESRM permit 10

(config-route-map)# match ip address prefix-list LOCPREF_PREFIXES

(config-route-map)#set local-preference 500


Step 3: Apply the ROUTE-MAP to the BGP process, INBOUND!!!

(config-router)#nei 10.1.34.4 route-map LOCPREF_PREFIXESRM in

Step 4: Clear the BGP process INBOUND, and check the BGP table:

#clear ip bgp * in

#sh ip bgp | i 1.0.0.0

Network Next Hop Metric LocPrf Weight Path

*>i1.0.0.0 10.1.14.1 0 500 0 100 i <- LOC.PREF IS 500

BE CAREFUL WITH THE NEXT HOP!!! So, if you cannot reach the IP in the Next Hop, do this:

(config-router)#neighbor 10.1.34.4 next-hop-self <-POINT TO ME TO REACH ALL THE PREFIXES I KNOW AND YOU DONT

The alternative to this is to add a ROUTE-MAP pointing to the neighbor, and within it alter the next hop.

____________________________________________________________________________________________________________________

BGP Filters: Distribution and Prefix lists ____________________________________________________________________________________________________________________

The main difference between applying the DISTRIBUTE list and the PREFIX list to the BGP neighbor is:

DISTRIBUTE LIST: You need to define the ACL, and apply it in the form of a Distribution List:

(config)#access-list 1 deny 172.12.25.0 0.0.0.255

(config-router)#neighbor 5.5.5.5 distribute-list 1 in

PREFIX LIST: You define the PREFIX list, and apply the same prefix list to the BGP neighbor

(config-router)#neighbor 5.5.5.5 prefix-list PREF_LIST in

____________________________________________________________________________________________________________________

BGP: Regular Expressions ____________________________________________________________________________________________________________________

!!!Additional and Legacy protocols>IOS Terminal Services Configuration Guide>APPENDIXES (within the Cisco Docs)

REMINDER of the META Characters

^ - START of Line

$ - END of Line

| - Logical OR

_ - ANY DELIMITER

? - ZERO instances of the PRECEDING character

* - ZERO OR MORE instances of the PRECEDING character

+ - ONE OR MORE instances of the PRECEDING character

(x) - Combine the enclosed String as a single entity

[x] - Wildcard where any position can match the position in AS-Path

. - Any Character


EXAMPLES (REMEMBER THESE!!!)

_65505$ - Prefixes that END with the AS 65505, meaning - they were originated by that AS

_65505_ - Prefixes that traversed the AS 65505

^$ - Locally Originated Prefixes (START and END of the line)

.* - ANY prefix (zero or more instances of ANY character)

^[0-9]+$ - All the prefixes from DIRECTLY CONNECTED ASs (meaning - they have only 1 AS in the AS Path)
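Added Python example (not from the guide) that runs the expressions above over a constructed BGP table with the standard re module. The IOS "_" is not a standard metacharacter; it matches any delimiter in the AS path (start or end of the string, space, comma, braces and parentheses), so it is expanded to that group before the expression is compiled.

```python
"""Constructed example: IOS AS-path regular expressions applied with Python's re.
The sample table below is made up; AS paths are written as "show ip bgp" prints them."""
import re
from typing import List, Tuple

IOS_DELIMITER = r"(?:^|$|[ ,{}()])"      # what "_" stands for in an IOS regexp

# (prefix, AS path) - constructed sample BGP table
SAMPLE_TABLE: List[Tuple[str, str]] = [
    ("1.0.0.0/8", "300 65505"),        # originated by AS 65505, learned via AS 300
    ("2.0.0.0/8", "65505 100"),        # traversed AS 65505, originated by AS 100
    ("3.0.0.0/8", "300"),              # from the directly connected AS 300
    ("4.0.0.0/8", ""),                 # locally originated (empty AS path)
    ("5.0.0.0/8", "100 {200 300}"),    # aggregate carrying an AS_SET
    ("6.0.0.0/8", "300 655050"),       # contains the digits 65505 but not that AS
]


def ios_regexp_to_python(expr: str) -> str:
    """Expand every "_" into the delimiter group; the rest is already valid re syntax."""
    return expr.replace("_", IOS_DELIMITER)


def as_path_matches(expr: str, as_path: str) -> bool:
    """IOS matches anywhere in the path unless the expression is anchored, hence re.search."""
    return re.search(ios_regexp_to_python(expr), as_path) is not None


def filter_table(expr: str, table: List[Tuple[str, str]] = SAMPLE_TABLE) -> List[str]:
    """Equivalent of "show ip bgp regexp <expr>": prefixes whose AS path matches."""
    return [prefix for prefix, path in table if as_path_matches(expr, path)]


if __name__ == "__main__":
    for expr in ("_65505$", "_65505_", "^$", ".*", "^[0-9]+$", "^300$", "_300_"):
        print(f"{expr:10} -> {filter_table(expr)}")
```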

BEFORE CREATING THE AS-PATH ACL: if you want to STOP using the recursive algorithm, in order to be able to control more complex regular expressions:

(config-router)#bgp regexp deterministic

Now you can actually DISPLAY the prefixes that match your condition in the AS-PATH before defining the AS-PATH ACL

#show ip bgp regexp REGULAR_EXPRESSION

*There is a TRICK here; you need to add a MEMORY location where you want to temporarily place the results, so instead of the expression ^300$ you would have to type:

#show ip bgp regexp (^300$)(_\1)*$

You can also display the Filter List before applying it to the neighbor:

#show ip bgp filter-list 1

____________________________________________________________________________________________________________________

BGP Confederations ____________________________________________________________________________________________________________________

The BGP Confederation Identifier is used to configure a GROUP OF SMALL ASs as a SINGLE AS. It's used to reduce the iBGP mesh. On ALL the routers within ALL the ASs issue the command:

(config-router)#bgp confederation identifier 250

Once the Identifier is configured, you need to configure all the directly connected eBGP peers (this command is not needed if there are no eBGP sub-confederation peers):

(config-router)#bgp confederation peers 65505 65409 65111 <-DEFINE ALL ASs WITHIN CONFEDERATION, BUT LOCAL

If you want to create the NEIGHBOR with the confederation, use the CONFEDERATION IDENTIFIER AS THE AS:

(config-router)#neighbor 10.1.45.4 remote-as 250

Check the BGP table, and make sure all the prefixes are sourced by the VIRTUAL AS 250:

(config-router)#do sh ip bgp

BGP table version is 14, local router ID is 5.5.5.5

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,

r RIB-failure, S Stale

Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path

*> 1.0.0.0 10.1.45.4 0 250 i

*> 2.0.0.0 10.1.45.4 0 250 i

*> 3.0.0.0 10.1.45.4 0 250 i

*> 4.0.0.0 10.1.45.4 0 0 250 i

*> 5.0.0.0 0.0.0.0 0 32768 i


____________________________________________________________________________________________________________________

MP-BGP (Multi-Protocol BGP) ____________________________________________________________________________________________________________________

By default, commands entered under the router bgp command apply to the IPv4 address family. This will continue to be the case unless you enter "no bgp default ipv4-unicast" as the first command under the router bgp command:

(config-router)#no bgp default ipv4-unicast

*The PEERING will NOT be established, unless you do the ACTIVATE command under the BGP process:

(config-router)#address-family vpnv4

(config-router-af)#neighbor 3.3.3.3 activate

Make sure you´re checking for the neighbors under the VPNv4 UNICAST Address Family:

#sh bgp vpnv4 unicast all summary

BGP router identifier 4.4.4.4, local AS number 65001

BGP table version is 1, main routing table version 1

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd

3.3.3.3 4 65001 19 19 1 0 0 00:03:47 0

When you have several VRFs on the router, and you configure the BGP peering with the CLIENT router inside the VRF assigned to that

client, note 2 things:

1. A separate "address-family ipv4 vrf <NAME>" exists under BGP for each VRF. The BGP PEERING with the CLIENT must be

configured under that specific AF:

router bgp 65001

no bgp default ipv4-unicast

bgp log-neighbor-changes

neighbor 3.3.3.3 remote-as 65001

neighbor 3.3.3.3 update-source Loopback0

!

address-family vpnv4

neighbor 3.3.3.3 activate

neighbor 3.3.3.3 send-community extended

exit-address-family

!

address-family ipv4 vrf CLIENT_VRF <-THE PER-VRF IPv4 AF UNDER THE BGP PROCESS

neighbor 10.1.45.5 remote-as 65015 <-ADD PEERING WITH THE CLIENT

neighbor 10.1.45.5 activate <-COMMAND ADDED AUTOMATICALLY STARTING FROM 12.4

no synchronization

exit-address-family

2. On the CLIENT side you will NOT LEARN the BGP routes announced by other CEs of the same client, because of the LOOP PREVENTION

mechanism in BGP: a route whose AS-PATH already contains the receiving router's own AS is dropped on input. To change this

behavior, on the client's CE allow its own AS to appear in the path:

(config-router)#neighbor 10.1.45.4 allowas-in ?

<1-10> Number of occurances of AS number (I RECOMMEND TO NOT EXAGGERATE, SO - ONLY 1! Every extra occurrence you allow is a loop the CE can no longer detect)

Another way is to OVERRIDE the AS number on the PE. The PE then replaces the customer's AS in the AS-PATH with its own AS number,

so the CE never sees its own AS:

(config-router-af)#neighbor 10.1.13.1 as-override
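The loop check and the two workarounds above, as an added example (not from the original notes): a small model of the CE's inbound AS_PATH check and of what the PE advertises with and without as-override. AS numbers, prefixes and site names are constructed.

```python
"""Added example (not from the original notes): the inbound AS_PATH loop
check on a CE, and how 'allowas-in' and 'as-override' change it.
All AS numbers, prefixes and the site names are constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple  # leftmost element = AS that advertised the route most recently


def ce_accepts(route: Route, local_as: int, allowas_in: int = 0) -> bool:
    """BGP loop prevention on the receiving CE.

    Plain BGP (allowas_in=0) drops any route whose AS_PATH already contains
    the local AS: the route has been through us before.  'neighbor X
    allowas-in N' relaxes this to 'drop only if the local AS appears more
    than N times', so N=1 is enough to learn routes of our own AS that
    the PE relays from the customer's other sites.
    """
    return route.as_path.count(local_as) <= allowas_in


def pe_advertise(route: Route, pe_as: int, customer_as: int,
                 as_override: bool = False) -> Route:
    """PE re-advertising a VPN route to an eBGP CE.

    The PE always prepends its own AS.  With 'neighbor X as-override' it
    first rewrites every occurrence of the customer's AS to its own, so
    the CE never sees its own AS and its default loop check passes.
    """
    path = route.as_path
    if as_override:
        path = tuple(pe_as if asn == customer_as else asn for asn in path)
    return Route(route.prefix, (pe_as,) + path)


PE_AS, CUSTOMER_AS = 65001, 65015          # constructed, like the notes' example


def site_b_receives(allowas_in: int = 0, as_override: bool = False) -> tuple:
    """Site A (AS 65015) originates a prefix; the PE relays it to site B
    (also AS 65015).  Returns (AS_PATH seen by site B, accepted?)."""
    from_site_a = Route("192.0.2.0/24", (CUSTOMER_AS,))
    to_site_b = pe_advertise(from_site_a, PE_AS, CUSTOMER_AS, as_override)
    return to_site_b.as_path, ce_accepts(to_site_b, CUSTOMER_AS, allowas_in)


if __name__ == "__main__":
    print("default      :", site_b_receives())                   # dropped
    print("allowas-in 1 :", site_b_receives(allowas_in=1))       # accepted
    print("as-override  :", site_b_receives(as_override=True))   # accepted
    # A route that really looped through the customer AS twice is still
    # caught by allowas-in 1 but slips through with allowas-in 2.
    looped = Route("198.51.100.0/24", (PE_AS, CUSTOMER_AS, PE_AS, CUSTOMER_AS))
    print("looped, allowas-in 1:", ce_accepts(looped, CUSTOMER_AS, 1))  # False
    print("looped, allowas-in 2:", ce_accepts(looped, CUSTOMER_AS, 2))  # True
```

The last two calls are the reason for "only 1": allowas-in is a deliberate hole in BGP's loop detection, and each extra occurrence you permit is one more genuinely looped path the CE will install.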


____________________________________________________________________________________________________________________

Route Redistribution TIPs ____________________________________________________________________________________________________________________

RIP: the metric is the HOP COUNT, so if you want the next router NOT to install a route, set the hop count to 16 (infinity):

(config-rmap)#set metric 16

!!!NOTE that RIP will not advertise a route if it didn’t make the ROUTING TABLE

OSPF: You might need to TUNE THE ADMINISTRATIVE DISTANCE:

(config-router)#distance 150 3.3.3.3 0.0.0.0 10 <- 10 is an ACL, it's OPTIONAL, and 150 is the new AD

DISCARD ROUTE is a route injected automatically when we SUMMARIZE OSPF, for LOOP PREVENTION. To remove it:

(config-router)#no discard-route [internal | external] <- INTERNAL on ABR, EXTERNAL on ASBR

HAVE IN MIND that the SOURCE IP and the SOURCE PROTOCOL can be matched within a route-map. MATCH IP ROUTE-SOURCE -

in OSPF it's not the NEXT HOP but the ROUTER-ID of the router that ORIGINATED the PREFIX:

(config-route-map)#match ip route-source 4 <- ACL 4 includes the Router-ID

The SOURCE PROTOCOL can also be matched, when we want to PREVENT prefixes of a certain protocol from entering the routing table:

(config-route-map)#match source-protocol ?

bgp Border Gateway Protocol (BGP)

connected Connected

eigrp Enhanced Interior Gateway Routing Protocol (EIGRP)

isis ISO IS-IS

mobile Mobile routes

ospf Open Shortest Path First (OSPF)

rip Routing Information Protocol (RIP)

static Static routes

<cr>

EIGRP: When you have to match a RANGE of COMPOSITE METRICS, like 22222 to 44444, the METRIC VALUE is the MIDDLE of the range and the DEVIATION is half its width, so:

METRIC = (22222 + 44444)/2 = 33333

DEVIATION = (44444 - 22222)/2 = 11111

So when you're MATCHING the EIGRP METRIC within the Route Map:

(config-route-map)#match metric 33333 +- 11111 <- matches everything from 22222 to 44444


QoS


____________________________________________________________________________________________________________________

QoS TIPS ____________________________________________________________________________________________________________________

TIP: When you need to MAXIMIZE EFFICIENCY on a Serial Link, use COMPRESS PREDICTOR or COMPRESS STACKER (STACKER uses more CPU

but less MEMORY, PREDICTOR the other way around; both ends of the link must use the same method)

(config-if)#compress predictor | stacker

TIP: Shape AVERAGE - the rate shaped to under normal conditions; Shape ADAPTIVE - the rate to fall back to when a congestion notification (BECN) is received

(config-pmap-c)#shape ?

adaptive Enable Traffic Shaping adaptation to BECN

average configure token bucket: CIR (bps) [Bc (bits) [Be (bits)]],

send out Bc only per interval

fecn-adapt Enable Traffic Shaping reflection of FECN as BECN

If normal shaping is needed on a Frame-Relay link, just configure DIRECTLY ON THE INTERFACE AND configure the rest of the required

parameters within the Map-Class:

(config-if)#frame-relay traffic-shaping

____________________________________________________________________________________________________________________

QoS on Access Ports ____________________________________________________________________________________________________________________

When there is a CISCO Phone behind, configure the port as ACCESS:

(config-if)#switchport access vlan 3 <--- data VLAN

(config-if)#switchport mode access

(config-if)#switchport voice vlan 5 <--- Cisco Phone VLAN

If you want to trust the Phone CoS markings:

(config-if)#mls qos trust device cisco-phone

Mark all incoming traffic:

(config-if)#mls qos cos 2 <-ONLY MARKS THE NON-MARKED TRAFFIC, use OVERRIDE to MARK ALL

And to have the PHONE REMARK the DATA traffic coming from the PC behind it (VLAN 3 IN THIS CASE):

(config-if)#switchport priority extend cos 1

If you want to check how the traffic is reaching the router from the configured switched interface, make the class map on a ROUTER matching

the DSCP or COS values you are interested in:

(config)#class-map cos2

(config-cmap)#match CoS 2

...

Then create a Policy Map that includes this Class:

(config)#policy-map QoS_test

(config-pmap)#Class cos2

...

And apply it to an Interface directly connected to the Switch that marks the traffic:

(config-if)#service-policy QoS_test in


To check:

#show policy-map interface Fa0/1.100

FastEthernet0/1.100

Service-policy input: QOS_IN

Class-map: COS1 (match-all)

0 packets, 0 bytes

5 minute offered rate 0 bps <--- LOAD INTERVAL is 5 Minutes by default, can be changed ON INTERFACE

Match: cos 1

Class-map: COS2 (match-all)

5 packets, 590 bytes

5 minute offered rate 0 bps

Match: cos 2

Class-map: COS4 (match-all)

0 packets, 0 bytes

5 minute offered rate 0 bps

Match: cos 4

Class-map: COS5 (match-all)

0 packets, 0 bytes

5 minute offered rate 0 bps

Match: cos 5

*Change LOAD INTERVAL:

(config-if)#load-interval ?

<30-600> Load interval delay in seconds <--- DEFAULT IS 5 MINUTES, as shown above

(config-if)#load-interval 30

And now:

#show policy-map interface

FastEthernet0/1

Service-policy input: MATCHES

Class-map: DSCP10 (match-all)

0 packets, 0 bytes

30 second offered rate 0 bps <--- TA-DAAAAA

Match: ip dscp af11 (10)

Make sure the port TRUSTS the markings ("mls qos trust cos") OR sets them itself ("mls qos cos override"); an UNTRUSTED port resets incoming CoS/DSCP to the port default (0 unless "mls qos cos" is set)!

#show mls qos interface GigabitEthernet 3/0/2

GigabitEthernet3/0/2

trust state: trust cos

trust mode: trust cos

trust enabled flag: ena

COS override: dis

default COS: 2

DSCP Mutation Map: Default DSCP Mutation Map

Trust device: none

qos mode: port-based

If you want all the traffic going out of a port to be marked with a particular IP PRECEDENCE (or DSCP) value, use the "class-default":

(config)#policy-map SET-ALL-5

(config-pmap)#class class-default

(config-pmap-c)#set ip precedence 5

And then apply it in the OUTBOUND direction on the interface:

(config-if)#service-policy output SET-ALL-5


____________________________________________________________________________________________________________________

DSCP and COS MAPPING ____________________________________________________________________________________________________________________

QoS MUTATION: If you need to RE-MARK packets that arrive with one particular DSCP value to another DSCP value

Step 1: Check if the QoS has been globally enabled on the Switch:

QoS_UP_SW1#show mls qos

QoS is enabled

QoS ip packet dscp rewrite is enabled

Step 2: Define the DSCP Mutation Map:

(config)#mls qos map dscp-mutation MUTATION_NAME 1 to 60

This map re-marks DSCP 1 to DSCP 60; every other DSCP value passes through unchanged (the map is a full 64-entry table)

Step 3: The port must TRUST DSCP ("mls qos trust dscp") - a mutation map is only consulted for trusted DSCP, so this is a must. Then apply the Mutation Map to the Physical Interface:

(config-if)#mls qos dscp-mutation MUTATION_NAME

Note that for the mutated value to be written into the packet, DSCP REWRITE has to be enabled globally on the switch *IT IS ENABLED BY DEFAULT:

(config)#mls qos rewrite ip dscp <--- USE THE "no" FORM IF YOU NEED QoS ENABLED BUT DO NOT WANT UNTRUSTED TRAFFIC

REMARKED TO DSCP 0 ON EGRESS

Check if it "worked":

#show mls qos map dscp-mutation

Dscp-dscp mutation map (D1 = TENS digit, D2 = UNITS digit of the incoming DSCP; each cell holds the outgoing DSCP):

MUTATION_NAME:

d1 : d2 0 1 2 3 4 5 6 7 8 9

---------------------------------------

0 : 00 60 02 03 04 05 06 07 08 09 <--- HERE, INCOMING DSCP 01 MUTATES TO 60

1 : 10 11 12 13 14 15 16 17 18 19

2 : 20 21 22 23 24 25 26 27 28 29

3 : 30 31 32 33 34 35 36 37 38 39

4 : 40 41 42 43 44 45 46 47 48 49

5 : 50 51 52 53 54 55 56 57 58 59

6 : 60 61 62 63

Dscp-dscp mutation map:

Default DSCP Mutation Map:

d1 : d2 0 1 2 3 4 5 6 7 8 9

---------------------------------------

0 : 00 01 02 03 04 05 06 07 08 09 <--- BY DEFAULT DSCP 01 STAYS 01

1 : 10 11 12 13 14 15 16 17 18 19

2 : 20 21 22 23 24 25 26 27 28 29

3 : 30 31 32 33 34 35 36 37 38 39

4 : 40 41 42 43 44 45 46 47 48 49

5 : 50 51 52 53 54 55 56 57 58 59


____________________________________________________________________________________________________________________

Map COS to DSCP on a device ____________________________________________________________________________________________________________________

#show mls qos maps cos-dscp

Cos-dscp map:

cos: 0 1 2 3 4 5 6 7

--------------------------------

dscp: 0 8 16 24 32 40 48 56

(config)#mls qos map cos-dscp 0 8 16 24 32 40 48 7 <--- MAP COS 7 to DSCP 7

#show mls qos maps cos-dscp

Cos-dscp map:

cos: 0 1 2 3 4 5 6 7

--------------------------------

dscp: 0 8 16 24 32 40 48 7
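The access-port trust settings, the cos-dscp map, the DSCP mutation map and "mls qos rewrite ip dscp" from the last three sections interact, and the easiest way to see how is to model one ingress port. The block below is an added example and not from the original notes; it follows the Catalyst 3560/3750-style "mls qos" behaviour the notes quote, with these rules stated as the model's assumptions: an untrusted port replaces the markings with the port default CoS and the DSCP derived from it, a mutation map is consulted only when DSCP is trusted, and with DSCP rewrite disabled the packet leaves with its original DSCP. Frames are constructed.

```python
"""Added example, not from the original notes: a small model of the Catalyst
(3560/3750-style 'mls qos') ingress QoS pipeline for one port, so the effect
of trust state, default CoS / override, the cos-dscp map, a dscp-mutation
map and 'mls qos rewrite ip dscp' can be checked on constructed frames.
Assumed rules (platform behaviour, not stated on the page): an untrusted port
replaces the markings with the port default CoS and the DSCP derived from it;
a mutation map is consulted only when DSCP is trusted; with DSCP rewrite
disabled the packet leaves with its original DSCP."""

from dataclasses import dataclass
from typing import Optional

DEFAULT_COS_DSCP = [0, 8, 16, 24, 32, 40, 48, 56]   # default 'show mls qos maps cos-dscp'


def cos_dscp_map(cli_values: str) -> list:
    """'mls qos map cos-dscp 0 8 16 24 32 40 48 7' -> [0, 8, ..., 48, 7]."""
    values = [int(v) for v in cli_values.split()]
    if len(values) != 8 or not all(0 <= v <= 63 for v in values):
        raise ValueError("cos-dscp map needs exactly 8 DSCP values in 0..63")
    return values


def dscp_mutation_map(*pairs: tuple) -> dict:
    """'mls qos map dscp-mutation NAME 1 to 60' -> full 64-entry table with 1 -> 60."""
    table = {d: d for d in range(64)}
    for src, dst in pairs:
        if not (0 <= src <= 63 and 0 <= dst <= 63):
            raise ValueError("DSCP values are 0..63")
        table[src] = dst
    return table


@dataclass
class Port:
    trust: str = "untrusted"            # mls qos trust {cos | dscp}; default untrusted
    default_cos: int = 0                # mls qos cos N
    cos_override: bool = False          # mls qos cos override
    cos_dscp: Optional[list] = None     # global mls qos map cos-dscp (None = default)
    mutation: Optional[dict] = None     # mls qos dscp-mutation NAME on this port
    rewrite_dscp: bool = True           # global mls qos rewrite ip dscp (default on)


@dataclass
class Frame:
    cos: Optional[int]                  # None = untagged frame
    dscp: int


def ingress(frame: Frame, port: Port) -> dict:
    """Return the CoS / internal DSCP the switch works with and the DSCP
    the packet will carry on egress."""
    cos_dscp = port.cos_dscp or DEFAULT_COS_DSCP
    if port.trust == "dscp":
        internal_dscp = frame.dscp
        if port.mutation is not None:
            internal_dscp = port.mutation[internal_dscp]
        cos = internal_dscp // 8                 # default dscp-cos map
    elif port.trust == "cos":
        if port.cos_override or frame.cos is None:
            cos = port.default_cos               # override, or untagged frame
        else:
            cos = frame.cos
        internal_dscp = cos_dscp[cos]
    else:                                        # untrusted: markings are ignored
        cos = port.default_cos
        internal_dscp = cos_dscp[cos]
    egress_dscp = internal_dscp if port.rewrite_dscp else frame.dscp
    return {"cos": cos, "internal_dscp": internal_dscp, "egress_dscp": egress_dscp}


if __name__ == "__main__":
    ef = Frame(cos=5, dscp=46)   # constructed voice frame
    print(ingress(ef, Port()))                                          # untrusted: all -> 0
    print(ingress(ef, Port(trust="cos")))                               # CoS 5 -> DSCP 40
    print(ingress(ef, Port(trust="cos", default_cos=2, cos_override=True)))   # CoS 2 -> 16
    print(ingress(Frame(cos=None, dscp=46), Port(trust="cos", default_cos=2)))  # untagged -> CoS 2
    mut = dscp_mutation_map((1, 60))
    print(ingress(Frame(cos=0, dscp=1), Port(trust="dscp", mutation=mut)))  # 1 -> 60
    print(ingress(Frame(cos=0, dscp=1), Port(mutation=mut)))                # no trust: no mutation
    print(ingress(ef, Port(rewrite_dscp=False)))                        # packet keeps DSCP 46
    custom = cos_dscp_map("0 8 16 24 32 40 48 7")
    print(ingress(Frame(cos=7, dscp=0), Port(trust="cos", cos_dscp=custom)))  # CoS 7 -> DSCP 7
```

The two calls with the mutation map are the point of "Step 3": with the same map applied, only the port that trusts DSCP mutates anything; the untrusted port still sends the packet out with DSCP 0.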

____________________________________________________________________________________________________________________

QoS POLICING - INDIVIDUAL and AGGREGATE POLICER

____________________________________________________________________________________________________________________

! If a new policer does not seem to take effect, disable and re-enable QoS globally ("no mls qos", wait a few seconds, "mls qos")

INDIVIDUAL POLICER: Basic, one policer per CLASS (e.g. a class that matches a DSCP value), defined with "police" inside the class

AGGREGATE POLICER: one policer SHARED by several classes, defined globally with "mls qos aggregate-policer" and referenced with "police aggregate":

mls qos aggregate-policer AGGREG 500000 25000 exceed-action drop

(config)#policy-map CISQUEROS

(config-pmap)#class DSCP10 <--- APPLY TO ALL CLASSES YOU WANT TO AGGREGATE THE POLICY ON

(config-pmap-c)#police aggregate AGGREG

____________________________________________________________________________________________________________________

PRIORITY QUEUING (priority-list) & CUSTOM QUEUING (queue-list) ____________________________________________________________________________________________________________________

Uses 4 queues:

1. HIGH

2. MEDIUM

3. NORMAL

4. LOW

Define the PRIORITY LIST. A priority-list works like an access-list: it's processed from top to bottom, so define the MORE SPECIFIC entries

first:

(config)#priority-list 1 protocol http ?

high

medium

normal

low

(config)#priority-list 1 protocol ip normal udp tftp <--- for IP protocols

(config)#priority-list 1 default low

Then just apply it on an interface:

(config-if)#priority-group 1 <--- IT'S ALWAYS THE OUTBOUND DIRECTION


If you also need to LIMIT THE QUEUE sizes PER CLASS :

(config)#priority-list 1 queue-limit 80 60 40 20 <--- HIGH>80 , MEDIUM>60 , NORMAL>40 , LOW>20 (packets)

QUEUE LIST defines !!!17 QUEUES!!! (0-16). By default all queues have the SAME WEIGHT (byte-count 1500) and are serviced in ROUND ROBIN

Queue 0 - System queue, emptied before the others (IP Routing UPDATES do NOT go here!!! only L2 Keepalives & Neighbor Discovery)

(config)#queue-list 1 protocol http 4

(config)#queue-list 1 protocol ip 3 tcp telnet

(config)#queue-list 1 protocol ip 6 udp tftp

(config)#queue-list 1 default 5

Also applied on the interface:

(config-if)#custom-queue-list 1 <--- ALWAYS OUTBOUND!!!

#show queueing custom

Current custom queue configuration:

List Queue Args

1 5 default

1 4 protocol http

1 3 protocol ip tcp port telnet

1 6 protocol ip udp port tftp

Also the BANDWIDTH share of each queue can be set using the "byte-count" parameter (bytes a queue may send per round-robin pass):

(config)#queue-list 1 queue 1 byte-count 1500
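The two legacy schedulers above, as an added example that is not part of the original notes: strict priority with per-queue limits ("priority-group") next to byte-count round robin ("custom-queue-list"), run over one constructed burst of packets so the starvation of the first and the bandwidth split of the second can be seen. The packet names, sizes and queue assignments are constructed; the custom-queue model sends the packet that crosses the byte count and carries no deficit into the next pass, which is the legacy behaviour.

```python
"""Added example, not from the original notes: simplified models of the two
legacy schedulers.  'priority-group' is strict priority with a per-queue
packet limit; 'custom-queue-list' is round-robin over queues 1-16 with a
byte-count per queue and queue 0 as the system queue.  The packets
(name, size in bytes, queue) are constructed and all arrive before the link
starts sending, i.e. one congested burst."""

from collections import deque

PQ_LEVELS = ("high", "medium", "normal", "low")


def priority_queue_run(packets, queue_limits=(20, 20, 20, 20)) -> tuple:
    """Strict priority: drain HIGH, then MEDIUM, NORMAL, LOW.

    A full queue tail-drops ('priority-list 1 queue-limit ...'), and a lower
    queue is served only while every higher queue is empty, which is the
    starvation that LLQ later avoids by policing its priority class.
    Returns (names in transmit order, names dropped)."""
    limits = dict(zip(PQ_LEVELS, queue_limits))
    queues = {level: deque() for level in PQ_LEVELS}
    dropped = []
    for name, _size, level in packets:
        if len(queues[level]) >= limits[level]:
            dropped.append(name)
        else:
            queues[level].append(name)
    sent = []
    for level in PQ_LEVELS:
        while queues[level]:
            sent.append(queues[level].popleft())
    return sent, dropped


def custom_queue_run(packets, byte_counts=None) -> list:
    """Custom queueing: one pass visits queues 1..16 in order; each queue
    sends packets until it has used its byte-count (default 1500 bytes).
    The packet that crosses the count is still sent and no deficit is
    carried to the next pass (legacy behaviour).  Queue 0 is emptied
    first, before every pass.  Returns names in transmit order."""
    byte_counts = dict(byte_counts or {})
    queues = {q: deque() for q in range(17)}
    for name, size, q in packets:
        queues[q].append((name, size))
    sent = []
    while any(queues.values()):
        while queues[0]:                         # system queue first
            sent.append(queues[0].popleft()[0])
        for q in range(1, 17):
            budget, used = byte_counts.get(q, 1500), 0
            while queues[q] and used < budget:
                name, size = queues[q].popleft()
                sent.append(name)
                used += size
    return sent


if __name__ == "__main__":
    burst = [("ftp1", 1500, "low"), ("voice1", 200, "high"), ("web1", 1500, "normal"),
             ("voice2", 200, "high"), ("ftp2", 1500, "low")]
    print(priority_queue_run(burst))                                # voice first, ftp last
    print(priority_queue_run(burst, queue_limits=(20, 20, 20, 1)))  # ftp2 tail-dropped
    # queue-list 1 protocol ip 3 tcp telnet ; queue 3 byte-count 3000 ; default queue 4
    cq = [("keepalive", 60, 0)] + [(f"telnet{i}", 1500, 3) for i in range(3)] \
         + [(f"http{i}", 1500, 4) for i in range(3)]
    print(custom_queue_run(cq, byte_counts={3: 3000}))              # telnet gets 2:1 over http
```

Note that in the priority-queue run the low queue only transmits after every other queue has emptied, regardless of how much is waiting there; that is what "priority" in LLQ later bounds with a policer.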

____________________________________________________________________________________________________________________

WFQ - By default works with IP PRECEDENCE ____________________________________________________________________________________________________________________

DEDICATES MORE BANDWIDTH TO THE HIGHER IP PRECEDENCE TRAFFIC (the flow weight is 32384/(precedence+1), so precedence 7 gets 8x the share of precedence 0)!!! Check the Interface Capabilities and Thresholds on a Router:

#show inter s0/1/0 | b Output

Output queue: 0/1000/64/0 (size/max total/threshold/drops)<-HOLD-QUEUE LIMIT is 1000,DISCARD THRESHOLD is 64

Conversations 0/2/256 (active/max active/max total) <--- MAX DYNAMIC QUEUE NUMBER IS 256

Reserved Conversations 0/0 (allocated/max allocated)

Available Bandwidth 1158 kilobits/sec

Check the current FAIR QUEUE settings:

#show queueing fair

Current fair queue configuration:

Interface Discard Dynamic Reserved Link Priority

threshold queues queues queues queues

Serial0/1/0 64 256 0 8 1

Serial0/1/1 64 256 0 8 1

And apply the changes on the INTERFACE level:

(config-if)#fair-queue 128 512 <-DISCARD THRESHOLD 128, DYNAMIC QUEUES 512

(config-if)#hold-queue 1200 out <-HOLD QUEUE, max number of PACKETS the output queue can hold (1000 by default, as shown above)


____________________________________________________________________________________________________________________

RSVP - Resource Reservation Protocol ____________________________________________________________________________________________________________________

The SENDER sends PATH MESSAGES through the network. Each RSVP-enabled router that receives a PATH message stores its state and forwards it downstream:

| FROM | TO | PREV_HOP | BW | <--- PATH message, stored on the Router and forwarded down the PATH

The RECEIVER receives the PATH MESSAGE and forms the RESERVATION MESSAGE (RSVP Reservation Request), which is propagated upstream along exactly the

same route as the path message (using the stored PREV_HOP). Each ROUTER on the PATH either ACCEPTS or REJECTS the RSVP Reservation Request, based on its

RESOURCES. When the SENDER receives the RESERVATION MESSAGE the reservation is in place and it's ready to start the transmission

First, under the SOURCE and DESTINATION interfaces, define how much BW RSVP may reserve:

(config-if)#ip rsvp bandwidth 400 180 <--- 400 kbps TOTAL reservable on the interface, 180 kbps is the MAX for a SINGLE flow

To define the SENDER and the RECEIVER:

(config)#ip rsvp sender-host 10.1.112.2 10.1.112.1 tcp 0 0 10 5 <-to GENERATE and SEND PATH MESSAGES as if this router were the sender

(the two 0s mean - IGNORE THE PORT NUMBERS; 10 is the average rate in kbps and 5 the burst in kB)

(config)#ip rsvp reservation-host 1.1.1.1 2.2.2.2 tcp 0 0 ?

ff Single Reservation

se Shared Reservation, Limited Scope

wf Shared Reservation, Unlimited Scope

(config)#ip rsvp reservation-host 10.1.112.2 10.1.112.1 tcp 0 0 ff rate 10 5 <-RECEIVER WITH SINGLE

RESERVATION

DEBUG RSVP:

*Aug 22 15:54:23.323: RSVP 10.1.112.1_0->10.1.112.2_0[0.0.0.0]: Refresh RESV, req=659606AC,

refresh interval=30000mSec [cleanup timer is not awake]

*Aug 22 15:54:23.323: RSVP 10.1.112.1_0->10.1.112.2_0[0.0.0.0]: Sending Resv message to 10.1.112.1

*Aug 22 15:54:33.595: RSVP 10.1.112.1_0->10.1.112.2_0[0.0.0.0]: Received Path message from 10.1.112.1

(on FastEthernet0/0)

If you want the Router to act as an RSVP PROXY (generate PATH messages on behalf of a sender that is not RSVP-aware), use "ip rsvp sender" and name the previous hop address and interface:

ip rsvp sender 10.1.112.2 1.1.1.1 tcp 0 0 1.1.1.1 lo0 10 5
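The PATH / RESV exchange described above, as an added example that is not from the original notes: three routers, each with the page's "ip rsvp bandwidth 400 180" style limits (a total reservable pool and a per-flow cap), PATH state left hop by hop, and admission control applied to the RESV on its way back. Router names, flows and rates are constructed; the rollback of already-admitted hops on a rejection stands in for the ResvErr / teardown that RSVP sends.

```python
"""Added example, not from the original notes: the PATH / RESV exchange as a
simulation of three routers with 'ip rsvp bandwidth <total> <per-flow>' on
their interfaces.  Router names, flows and rates are constructed."""


class RsvpRouter:
    def __init__(self, name: str, total_kbps: int, per_flow_kbps: int):
        self.name = name
        self.total, self.per_flow = total_kbps, per_flow_kbps
        self.reserved = {}          # flow -> kbps admitted on this hop
        self.path_state = {}        # flow -> previous hop (where RESV must go)

    def receive_path(self, flow: str, prev_hop: str) -> None:
        """PATH travels downstream and leaves state so RESV can retrace it."""
        self.path_state[flow] = prev_hop

    def receive_resv(self, flow: str, kbps: int) -> bool:
        """Admission control: reject if the flow exceeds the single-flow cap or
        the remaining pool; otherwise reserve and let RESV continue upstream."""
        if flow not in self.path_state:
            return False                          # no PATH state: RESV is discarded
        in_use = sum(self.reserved.values())
        if kbps > self.per_flow or in_use + kbps > self.total:
            return False
        self.reserved[flow] = kbps
        return True

    def release(self, flow: str) -> None:
        self.reserved.pop(flow, None)


def reserve(path: list, flow: str, kbps: int) -> tuple:
    """Sender -> receiver PATH, then receiver -> sender RESV hop by hop.
    Returns (ok, name of the hop that rejected or None).  On rejection the
    hops that had already admitted the flow release it again (teardown)."""
    prev_hop = "sender"
    for router in path:
        router.receive_path(flow, prev_hop)
        prev_hop = router.name
    admitted = []
    for router in reversed(path):
        if not router.receive_resv(flow, kbps):
            for done in admitted:
                done.release(flow)
            return False, router.name
        admitted.append(router)
    return True, None


def demo() -> list:
    # R1 and R2: 400 kbps pool, 180 kbps per flow (as on the page); R3 has a bigger pool
    r1, r2, r3 = RsvpRouter("R1", 400, 180), RsvpRouter("R2", 400, 180), RsvpRouter("R3", 1000, 180)
    path = [r1, r2, r3]
    results = [reserve(path, "voice-1", 180),   # ok  (180/400 on R1, R2)
               reserve(path, "voice-2", 180),   # ok  (360/400)
               reserve(path, "voice-3", 180),   # R3 admits, R2 rejects: pool exhausted, R3 releases
               reserve(path, "video-1", 200),   # rejected at R3: above the per-flow cap
               reserve(path, "data-1", 40)]     # ok: fits the remaining 40 kbps
    results.append(sum(r3.reserved.values()))   # 400: nothing leaked from the two failures
    return results


if __name__ == "__main__":
    print(demo())
```

The release step matters: without it the third flow would leave 180 kbps reserved on R3 with no matching reservation upstream, which is exactly the state a real router only cleans up when the RESV refresh stops arriving.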

____________________________________________________________________________________________________________________

IPv6 QoS ____________________________________________________________________________________________________________________

"match ip precedence" ONLY matches the IPv4, not IPv6 If you want IPv4 AND IPv6 to be matched - use "match precedence"

___________________________________________________________________________________________________________________

Match MAC ADDRESS ____________________________________________________________________________________________________________________

(config)#class-map SRV1

(config-cmap)#match sou

(config-cmap)#match source-address ?

mac MAC address

Be careful: a class-map that matches the SOURCE MAC address can only be used in a service-policy applied INBOUND - you won't be able to apply it OUTBOUND!!! For an outbound policy, create a MAC

ACCESS-LIST matching the MAC and use "match access-group" in the class instead


____________________________________________________________________________________________________________________

QoS Frame-Relay SHAPING ____________________________________________________________________________________________________________________

FRTS - Frame-Relay Traffic Shaping. There are 4 general ways to implement the TRAFFIC SHAPING:

1. Legacy Generic Traffic Shaping (GTS)

2. Legacy Frame-Relay Traffic Shaping (for FR it's the MOST USED method)

3. MQC-Based Frame-Relay Traffic Shaping

4. MQC-Based Class Based Traffic Shaping

Shaping only delays ("spreads") the traffic: it adds delay and jitter, but it doesn't drop packets unless the shaping queue is full. For LEGACY

FRTS to be implemented, frame relay traffic shaping must be enabled first on the interface:

(config-if)#frame-relay traffic-shaping

#show traffic-shape <--- SHOW THE FR TRAFFIC SHAPING

Interface Se0/1/0

Access Target Byte Sustain(Bc) Excess(Be) Interval(Tc) Increment Adapt

VC(DLCI)List Rate Limit bits/int bits/int (ms) (bytes) Active

103 56000 875 7000 0 125 875 -

104 56000 875 7000 0 125 875 -

102 56000 875 7000 0 125 875 -

AR, or AIR - Access Rate: the max number of bits per second the router can send on the link (actual interface speed)

CIR - Committed Information Rate: the average/target rate the shaper works towards

Mincir - The minimum rate the shaper falls back to under adaptive shaping; usually set to the TELCO-DEFINED CIR (the contracted rate guaranteed by the provider; frames above it get the DE bit set)

Bc - Committed Burst, by default it's CIR/8 because the default Tc is 125ms (Bc = CIR x Tc)

!!!Magic Formula is Bc = CIR x 1.5s because RTT is by average ~ 1.5 seconds over the big networks

Be - Number of NON-COMMITTED bits the Frame-relay switch accepts above Bc. If Be is not configured in Class-Based shaping ("shape average") it defaults to Bc

For granular QoS Frame Relay control - use the MAP CLASS:

(config)#map-class frame-relay FRTS

(config-map-class)#frame-relay ?

adaptive-shaping Adaptive traffic rate adjustment, Default = none

bc Committed burst size (Bc), Default = 7000 bits

be Excess burst size (Be), Default = 0 bits

cir Committed Information Rate (CIR), Default = 56000 bps

congestion Congestion management parameters

custom-queue-list VC custom queueing

end-to-end Configure frame-relay end-to-end VC parameters

fair-queue VC fair queueing

fecn-adapt Enable Traffic Shaping reflection of FECN as BECN

fragment fragmentation - Requires Frame Relay traffic-shaping to be configured at the interface

level

holdq Hold queue size for VC

idle-timer Idle timeout for a SVC, Default = 120 sec

interface-queue PVC interface queue parameters

ip Assign a priority queue for RTP streams

mincir Minimum acceptable CIR, Default = CIR/2 bps

priority-group VC priority queueing

tc Policing Measurement Interval (Tc)

traffic-rate VC traffic rate

voice voice options


2. Legacy Frame-Relay Traffic Shaping (for FR it's the MOST USED method)

Normally you do something like this:

map-class frame-relay FRTS

frame-relay cir 64000 <-- AVERAGE BW

frame-relay mincir 32000 <-- MINIMUM GUARANTEED BW

frame-relay adaptive-shaping becn <-- Turn ADAPTIVE shaping with BECN marking enabled to indicate congestion

frame-relay bc 8000 <-- CIR*1/8

frame-relay be 16000 <-- Depends on the requirements

And then APPLY it under the INTERFACE:

(config-if)#frame-relay class FRTS

Or under the DLCI, if you need it to apply only to ONE DLCI:

(config-if)#frame-relay interface-dlci 102

(config-fr-dlci)#class FRTS

To check the configured shaping do:

#show frame-relay pvc 201

PVC Statistics for interface Serial0/1/0 (Frame Relay DTE)

DLCI = 201, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0/1/0

input pkts 30 output pkts 31 in bytes 31120

out bytes 31154 dropped pkts 0 in pkts dropped 0

out pkts dropped 0 out bytes dropped 0

in FECN pkts 0 in BECN pkts 0 out FECN pkts 0

out BECN pkts 0 in DE pkts 0 out DE pkts 0

out bcast pkts 1 out bcast bytes 34

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

Shaping adapts to BECN <--- BECN SHAPING ENABLED

pvc create time 2d19h, last time pvc status changed 00:40:28

cir 64000 bc 8000 be 0 byte limit 1000 interval 125 <--- SHAPING ATTRIBUTES

mincir 32000 byte increment 1000 Adaptive Shaping BECN

pkts 0 bytes 0 pkts delayed 0 bytes delayed 0

shaping inactive

traffic shaping drops 0

Queueing strategy: fifo

Output queue 0/40, 0 drop, 0 dequeued

#show traffic-shape

Interface Se0/1/0

Access Target Byte Sustain Excess Interval Increment Adapt

VC List Rate Limit bits/int bits/int (ms) (bytes) Active

513 128000 800 6400 0 50 800 -

504 512000 12800 25600 76800 50 3200 -

503 56000 875 7000 0 125 875 -

502 56000 875 7000 0 125 875 -

501 56000 875 7000 0 125 875 -

3. MQC-Based Frame-Relay Traffic Shaping

If you want to do the same effect using the MQC method, the equivalent commands within the class map are:

policy-map FRTS

class class-default <-- ONLY ALLOWED CLASS ON FR VC

shape average 64000 8000 0 <-- CIR = 64 kbps, Bc = 8 kbps, Be = 0 kbps

shape adaptive 32000 <-- MINCIR (Minimum Guaranteed BW)

!!!ONLY CLASS-DEFAULT IS ALLOWED OVER FR VCs!!!

Now, STILL in Frame-Relay the ONLY WAY TO APPLY IS THROUGH THE MAP-CLASS:

(config)#map-class frame-relay FRTS

(config-map-class)#service-policy out FRTS

(config-if)#frame-relay interface-dlci 102

(config-fr-dlci)#class FRTS


#show policy-map interface s0/1/0

Serial0/1/0: DLCI 201 -

Service-policy output: TASK2

Class-map: class-default (match-any)

0 packets, 0 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: any

Traffic Shaping

Target/Average Byte Sustain Excess Interval Increment

Rate Limit bits/int bits/int (ms) (bytes)

64000/64000 1000 8000 0 125 1000 <--- SHAPING ATTRIBUTES

Adapt Queue Packets Bytes Packets Bytes Shaping

Active Depth Delayed Delayed Active

BECN 0 0 0 0 0 no

Frame-Relay FRAGMENTATION (define the largest packet size, end-to-end):

(config-if)#frame-relay fragment 80 end-to-end

4. MQC-Based Class Based Traffic Shaping

Like in the standard MQC configuration, with one difference - the policy-map can be directly applied to the DLCI:

(config-if)#frame interface-dlci 513

(config-fr-dlci)#service-policy output CBWFQ

____________________________________________________________________________________________________________________

QoS Frame-Relay PIPQ (PER-INTERFACE PRIORITY QUEUING) ____________________________________________________________________________________________________________________

First enable the PIPQ globally on the Router:

(config)#frame-relay interface-queue priority

Then define the MAP-CLASSes:

(config)#map-class frame-relay R2

(config-map-class)#frame-relay interface-queue priority ?

high

medium

normal

low

And then apply the map classes to different PVCs:

(config-if)#frame-relay interface-dlci 102

(config-fr-dlci)#class R2

And define the QUEUE SIZES on the interface:

(config-if)#frame-relay interface-queue priority ?

<1-1024> High limit

(config-if)#frame-relay interface-queue priority 40 ?

<1-1024> Medium limit

(config-if)#frame-relay interface-queue priority 40 80 ?

<1-1024> Normal limit

(config-if)#frame-relay interface-queue priority 40 80 120 ?

<1-1024> Lower limit

Now check the PRIORITY on the DLCI:

#sh frame-relay pvc 102 | i pri

priority low


____________________________________________________________________________________________________________________

QoS Frame-Relay PAYLOAD and HEADER COMPRESSION ____________________________________________________________________________________________________________________

(Compression has to be configured on BOTH ENDS.) PAYLOAD COMPRESSION on a POINT-TO-POINT LINK:

(config-subif)#frame-relay payload-compression ?

FRF9 FRF9 encapsulation

data-stream cisco proprietary encapsulation

packet-by-packet cisco proprietary encapsulation <--- WHEN THE SUB-INTERFACE IS POINT-TO-POINT

PAYLOAD COMPRESSION, MULTIPOINT LINK:

If the SUB-interface is MULTIPOINT:

(config-subif)#frame map ip 10.1.13.3 103 payload-compression packet-by-packet

HEADER COMPRESSION:

(config-subif)#frame-relay ip tcp header-compression ?

passive Compress for destinations sending compressed headers <--- COMPRESS ONLY IF THE RECEIVED TRAFFIC IS

COMPRESSED

<cr>

You can also configure RTP Header Compression, not only TCP:

(config-if)#frame-relay map ip 162.1.0.3 403 broadcast rtp header-compression

____________________________________________________________________________________________________________________

QoS CBWFQ - configured using MQC ____________________________________________________________________________________________________________________

- Guarantees a MINIMUM BANDWIDTH per class; each class gets its own FIFO queue

- Can be combined with WRED to prevent CONGESTION

- Default queue limit is 64 packets, above this the packets are tail-dropped, to change do:

(config-pmap-c)#queue-limit 128

- Only 75% of the interface BW can be allocated to classes by default (can be changed with the "max-reserved-bandwidth" interface command)

- To define the Fair Queuing:

(config-pmap-c)#fair-queue [1024] <-1024 is the number of Dynamic Conversation Queues

____________________________________________________________________________________________________________________

QoS LLQ (Low Latency Queuing) - "priority" and "priority percent" command ____________________________________________________________________________________________________________________

LLQ adds a STRICT PRIORITY queue to CBWFQ. Unlike legacy PRIORITY-QUEUING it uses ONLY 1 priority QUEUE, and the other classes are NOT starved

because the priority class is POLICED to its configured rate during congestion: "priority 256" ensures that traffic UP TO 256 kbps is SERVED FIRST.

That policer only kicks in WHEN THERE IS CONGESTION (when the Tx ring is FULL), so in non-congested situations this class CAN USE MORE BW!!!

"priority" - Guarantees the BW; during congestion the traffic exceeding it is DROPPED

Can also be defined as a percentage of the interface BW, using the command "priority percent X"

You can also define the BURST in bytes, because for VoIP traffic for example it's much better to allow a burst of small packets:

(config-pmap-c)#priority 128000 6400 <-RATE in kbps, BURST (Bc) 6400 BYTES


____________________________________________________________________________________________________________________

Define the QoS Schedule (TIME-RANGE command) ____________________________________________________________________________________________________________________

Start by defining the time using the "time-range" command:

(config)#time-range WEEKDAYS

(config-time-range)#periodic weekdays 11:00 to 15:00

and ATTACH it to the ACL:

(config)#access-list 100 permit tcp any any eq www time-range WEEKDAYS

____________________________________________________________________________________________________________________

QoS CAR (Committed Access Rate) - "rate-limit" Interface Command ____________________________________________________________________________________________________________________

It is another (legacy) way of defining the CIR/Bc/Be with CONFORM and EXCEED actions directly on the interface.

Instead of a CLASS-MAP, an ACL is used to match the traffic, in this case ACCESS-LIST 100 (the two actions are mandatory):

(config-if)#rate-limit output access-group 100 24000 3750 3750 conform-action transmit exceed-action drop

(24000 is the rate in bps; 3750 is the NORMAL BURST and the second 3750 the EXTENDED BURST, and they are in BYTES not bits!!! Consult the proctor about this!)

#show interface Fa0/0 rate-limit <-- Check the PARAMETERS

____________________________________________________________________________________________________________________

NBAR (match protocol XXX) - if you need to match the port without the ACL ____________________________________________________________________________________________________________________

The QoS policy can also be applied in order to filter traffic of some protocol. For example, if you want to filter by the URL of the HTTP request, first

define the class map where you match the protocol HTTP and the URL:

(config)#class-map match-all FILTER_HTTP

(config-cmap)#match protocol http url *.mp3|*.avi <-- THIS WILL MATCH ALL THE MP3 AND AVI FILES REQUESTED VIA HTTP

and then configure the DROP action within the policy:

policy-map FILTER_HTTP_POLICY

class FILTER_HTTP

drop

CEF must be enabled to run NBAR!!!

(config)#ip cef

The first time it will take some time to MATCH the PROTOCOL as NBAR is LOADING the PDLMs (protocol description / signature files) into memory, but then it will go

faster.

IMPORTANT (about the MQC "police" command): If Bc isn't specified it defaults to CIR/32 bytes or 1500 Bytes (whichever is HIGHER!!!), which is 250 ms (Tc) worth of the CIR

SINGLE RATE - SINGLE BUCKET: Be is DISABLED (If it´s configure the system will ignore it)

BURST: Minimal Amount:

(config-pmap-c)#police 10000000 bc ?

<1000-512000000> Burst bytes <--- so 1000 is the MINIMAL BURST

conform-action action when rate is less than conform burst

pir Peak Information Rate

<cr>

(config-pmap-c)#police 10000000 bc 1000 conform-action transmit exceed-actio$

Conform burst size increased to 5000 <--- IOS RAISES IT TO THE MINIMUM FOR THAT CIR (here 10,000,000/2000 = 5000 bytes, i.e. 4 ms worth of the CIR)


____________________________________________________________________________________________________________________

DUAL RATE - DUAL BUCKET ____________________________________________________________________________________________________________________

DUAL RATE traffic contract: supply customer with two sending rates (CIR and PIR), but only guarantee the smaller one. In case of congestion in

the network, discard traffic that exceeds the committed rate more aggressively and signal the customer to slow down to the committed rate.

Peak Information Rate (PIR) is the Additional parameter compared to SINGLE BUCKET Traffic Contract. It defines the MAXIMUM average

sending rate for the customer.

Bc: If Bc is not configured - the HIGHEST value is chosen between 1500 Bytes and CIR/32

Be: If Be is not configured - the HIGHEST value is chosen between 1500 Bytes and PIR/32 (PIR-Peak Information Rate)

=> Specify CIR and PIR and let Bc/Be default, or define Bc and Be explicitly

!!!In DUAL RATE Be has a different meaning - it is the burst of the PIR bucket (Be = PIR x Te), not an excess added on top of Bc
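The token-bucket arithmetic behind the "police" defaults above (single-rate and dual-rate) and behind the Frame-Relay shaping columns on the earlier "show traffic-shape" outputs, as an added example that is not from the original notes. The policers are written in bytes in the style of srTCM (RFC 2697) and trTCM (RFC 2698); the shaping helper reproduces Interval, Increment and Byte Limit from CIR/Bc/Be. Packet sizes and timestamps are constructed, and the "Conform burst size increased" minimum seen in the CLI output is not modelled, only the default when Bc is omitted.

```python
"""Added example, not from the original notes: the token-bucket arithmetic
behind 'police' and Frame-Relay shaping, with IOS defaults.  Single-rate
(srTCM, RFC 2697) and two-rate (trTCM, RFC 2698) policers are modelled in
bytes; the FR shaping helper reproduces the 'show traffic-shape' columns.
Packet sizes and timestamps are constructed."""


def default_burst(rate_bps: int) -> int:
    """IOS default Bc (and Be for two-rate): the larger of rate/32 bytes,
    i.e. 250 ms worth of the rate (rate * 0.25 s / 8), and 1500 bytes."""
    return max(rate_bps // 32, 1500)


class SingleRatePolicer:
    """police <cir> [bc [be]].  Bc bucket refilled at CIR; overflow spills
    into the Be bucket.  be=0 is the single-bucket form: no Be, so anything
    that does not conform is 'exceed' and 'violate' cannot occur."""

    def __init__(self, cir_bps: int, bc: int = None, be: int = 0):
        self.cir = cir_bps
        self.bc = bc or default_burst(cir_bps)
        self.be = be
        self.tc, self.te, self.last = float(self.bc), float(self.be), 0.0

    def _refill(self, now: float) -> None:
        new_tokens = (now - self.last) * self.cir / 8.0
        self.last = now
        room = self.bc - self.tc
        self.tc += min(new_tokens, room)
        self.te = min(self.be, self.te + max(0.0, new_tokens - room))

    def police(self, now: float, size: int) -> str:
        self._refill(now)
        if size <= self.tc:
            self.tc -= size
            return "conform"
        if size <= self.te:
            self.te -= size
            return "exceed"
        return "exceed" if self.be == 0 else "violate"


class TwoRatePolicer:
    """police cir <cir> [bc] pir <pir> [be]: two independent buckets,
    Bc refilled at CIR and Be refilled at PIR (trTCM, colour-blind)."""

    def __init__(self, cir_bps: int, pir_bps: int, bc: int = None, be: int = None):
        self.cir, self.pir = cir_bps, pir_bps
        self.bc = bc or default_burst(cir_bps)
        self.be = be or default_burst(pir_bps)
        self.tc, self.tp, self.last = float(self.bc), float(self.be), 0.0

    def _refill(self, now: float) -> None:
        dt = now - self.last
        self.last = now
        self.tc = min(self.bc, self.tc + dt * self.cir / 8.0)
        self.tp = min(self.be, self.tp + dt * self.pir / 8.0)

    def police(self, now: float, size: int) -> str:
        self._refill(now)
        if size > self.tp:
            return "violate"            # above PIR
        if size > self.tc:
            self.tp -= size
            return "exceed"             # between CIR and PIR
        self.tc -= size
        self.tp -= size
        return "conform"


def frame_relay_shape_params(cir_bps: int, bc_bits: int = None, be_bits: int = 0) -> dict:
    """The 'show traffic-shape' columns for a map-class: default Bc = CIR/8
    (Tc = 125 ms), Interval = Bc/CIR, Increment = Bc in bytes per interval
    and Byte Limit = (Bc + Be) in bytes."""
    bc_bits = bc_bits or cir_bps // 8
    return {"interval_ms": bc_bits * 1000 // cir_bps,
            "increment_bytes": bc_bits // 8,
            "byte_limit": (bc_bits + be_bits) // 8}


if __name__ == "__main__":
    p = SingleRatePolicer(8000)               # Bc defaults to 1500 bytes (8000/32 = 250 < 1500)
    print([p.police(0.0, 1000), p.police(0.0, 1000), p.police(1.0, 1000)])
    t = TwoRatePolicer(8000, 16000, bc=1000, be=2000)
    print([t.police(0.0, 1000), t.police(0.0, 1000), t.police(0.0, 1000), t.police(1.0, 1000)])
    print(frame_relay_shape_params(56000))                  # 125 ms, 875, 875 as on the page
    print(frame_relay_shape_params(512000, 25600, 76800))   # 50 ms, 3200, 12800 as on the page
```

The two shaping calls reproduce rows of the "show traffic-shape" outputs earlier on the page (DLCI 103 at 56000/7000 and DLCI 504 at 512000/25600/76800), which is a quick way to sanity-check a map-class before it goes on a live DLCI.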

____________________________________________________________________________________________________________________

WRED - Weighted Random Early Detection and CB-WRED ____________________________________________________________________________________________________________________

Two THRESHOLDS on the AVERAGE queue depth need to be defined (in packets): below the MIN nothing is dropped,

WRED drops SOME packets between MIN and MAX THRESHOLD (with a probability growing up to 1/mark-probability-denominator at MAX),

WRED drops ALL packets once the average is above the MAX

(config-pmap-c)#random-detect precedence 4 ? <- PRECEDENCE VALUE 4

<1-4096> minimum threshold (number of packets)

(config-pmap-c)#random-detect precedence 4 24 ? <- MINIMUM THRESHOLD 24 (average queue depth at which random drops START)

<1-4096> maximum threshold (number of packets)

(config-pmap-c)#random-detect precedence 4 24 40 ? <- MAXIMUM THRESHOLD is 40

<1-65535> mark probability denominator

<cr>

(config-pmap-c)#random-detect precedence 4 24 40 10

Mark probability denominator means one in how many packets is dropped when the average queue depth reaches the MAX threshold. So, with a mark probability denominator of 10, by the time the average queue depth reaches 40 packets ONE IN EVERY 10 PACKETS is dropped (and above 40 every packet is dropped).

*To configure RED, rather than WRED, use the same parameters for each precedence
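Worked example (added here, not code from the original guide): the WRED drop decision in Python, using the guide's "random-detect precedence 4 24 40 10" profile plus a constructed precedence-0 profile, the exponentially weighted average the thresholds are compared against, and a helper that turns one set of thresholds into a plain RED profile for all eight precedences.

```python
"""WRED drop decision per IP precedence. Added example, not from the original
guide. Profile 4 is the guide's 'random-detect precedence 4 24 40 10'; the
precedence-0 profile is constructed."""
import random

# precedence -> (min-threshold, max-threshold, mark-probability-denominator), in packets
WRED_PROFILES = {
    4: (24, 40, 10),
    0: (10, 40, 10),   # constructed: best-effort traffic starts being dropped earlier
}


def red_profiles(min_th: int, max_th: int, mpd: int) -> dict:
    """Plain RED = the same thresholds for all eight precedences."""
    return {prec: (min_th, max_th, mpd) for prec in range(8)}


def drop_probability(avg_depth: float, min_th: int, max_th: int, mpd: int) -> float:
    """Probability of dropping one packet at the given AVERAGE queue depth."""
    if avg_depth < min_th:
        return 0.0                                   # below min: never drop
    if avg_depth > max_th:
        return 1.0                                   # above max: tail-drop everything
    # linear ramp from 0 at min to 1/mpd at max
    return (avg_depth - min_th) / (max_th - min_th) / mpd


def update_average(avg: float, current_depth: int, exponent: int = 9) -> float:
    """Exponentially weighted average queue depth with weight 1/2^exponent
    (IOS 'random-detect exponential-weighting-constant', default 9)."""
    weight = 1.0 / (1 << exponent)
    return avg + weight * (current_depth - avg)


def should_drop(precedence: int, avg_depth: float, rng=random.random,
                profiles: dict = WRED_PROFILES) -> bool:
    """Per-packet decision; precedences without a profile use the precedence-0 one."""
    min_th, max_th, mpd = profiles.get(precedence, profiles[0])
    return rng() < drop_probability(avg_depth, min_th, max_th, mpd)


def simulate(depths: list, precedence: int, seed: int = 1) -> int:
    """Feed instantaneous queue depths (one per arriving packet) through the
    average and count how many packets WRED would have dropped."""
    rng = random.Random(seed).random
    avg, drops = 0.0, 0
    for depth in depths:
        avg = update_average(avg, depth)
        if should_drop(precedence, avg, rng):
            drops += 1
    return drops
```

At an average depth of 32 packets the precedence-4 profile drops with probability (32-24)/(40-24)/10 = 5 %, at 40 it is 10 % (one in ten), and at 41 every packet goes. Note how slowly the average moves with the default exponent: a queue that jumps from 0 to 512 packets yields an average of only 1 after the first update, which is why WRED tolerates bursts but also reacts late to sustained congestion.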

WAN

____________________________________________________________________________________________________________________

Frame-Relay TIPS ____________________________________________________________________________________________________________________

TIP: Make sure KEEPALIVEs are ENABLED on a Frame-Relay interface!!! The MODE of operation of the EEK (End-to-End Keepalive) requests is configured within the MAP-CLASS (not a class-map):

(config)#map-class frame-relay KEEPALIVE

(config-map-class)#frame-relay end-to-end keepalive mode ?

bidirectional Set bidirectional mode

passive-reply Set passive-reply mode

reply Set unidirectional reply mode

request Set unidirectional request mode

TIP: When you want to configure one interface to be another's BACKUP, just do this command on the primary interface:

(config-subif)#backup interface Serial 0/1/1

*Jan 12 18:23:49.599: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1/1, changed state to down

(config-subif)#backup delay 0 300 <-BRING THE BACKUP UP IMMEDIATELY (0 s) WHEN THE PRIMARY FAILS, AND WAIT 300 s (5 MINUTES) AFTER THE PRIMARY RETURNS BEFORE SHUTTING THE BACKUP DOWN (avoids flapping)

____________________________________________________________________________________________________________________

FRAME RELAY QoS ____________________________________________________________________________________________________________________

QoS is a bit different on Frame Relay links. First, about QoS marking and how to see which markings actually arrive: IOS has a feature called IP ACCOUNTING that counts packets per IP precedence (among other things).

(config-if)#ip accounting ?

access-violations Account for IP packets violating access lists on this interface

output-packets Account for IP packets output on this interface

precedence Count packets by IP precedence on this interface

(config-if)#ip accounting precedence input <-COUNT INCOMING PACKETS BY IP PRECEDENCE

Optionally define the global THRESHOLD (the maximum number of accounting entries, i.e. source/destination pairs, the router keeps; it is not a packet count):

(config)#ip accounting-threshold 5000

Check the accounted PRECEDENCE values:

#sh inter s0/1/0 precedence

Serial0/1/0

Input

Precedence 0: 50 packets, 5200 bytes

Precedence 6: 16 packets, 850 bytes

To configure traffic SHAPING on a Frame Relay interface you can use the MQC (class-based shaping) or, simplest of all, the legacy MAP-CLASS (FRTS):

(config)#map-class frame-relay R4_504

frame-relay cir 512000

frame-relay bc 25600

frame-relay be 76800 <-SPECIAL ATTENTION WHEN CONFIGURING Be!!!

*Be is an EXTRA burst (on top of Bc) that may be sent in one interval once enough CREDIT has been accumulated, i.e. after the VC has been idle. Bc and Be are in BITS, and the shaper sends at most Bc+Be bits per Tc (Tc = Bc/CIR, here 25600/512000 = 50 ms). The resulting peak rate must not exceed the PHYSICAL INTERFACE RATE (AIR):

(Bc+Be)/Tc <= AIR

Here (25600+76800)/0.05 s = 2048 kbps, so this map-class only fits a 2048 kbps (E1) access link.

frame-relay mincir 384000

frame-relay adaptive-shaping interface-congestion

(config)#map-class frame-relay R3_513

frame-relay cir 128000

frame-relay bc 6400

frame-relay be 0 <-SET IT TO 0 EXPLICITLY IF NO BURST IS ALLOWED

frame-relay mincir 96000

frame-relay adaptive-shaping [interface-congestion | becn] <-BE SURE WHAT YOU'RE ASKED TO DO HERE

*BECN (Backward Explicit Congestion Notification) is a bit the Frame Relay switch sets in frames travelling toward the sender to tell it to slow down. With "adaptive-shaping becn" this router throttles its shaping rate toward mincir when it receives frames with the BECN bit set, and raises it again when they stop; "interface-congestion" reacts to the local interface queue filling up instead.

And then apply it on the INTERFACE, or directly to the DLCI:

(config-if)#frame interface-dlci 513

(config-fr-dlci)#class R3_513

(config-if)#frame-relay interface-dlci 504

(config-fr-dlci)#class R4_504
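Worked example (added here, not code from the original guide): a small checker for legacy FRTS map-class parameters. It takes the two map-classes above (R4_504 and R3_513), computes Tc and the peak rate (Bc+Be)/Tc, and flags the cases a shaper will silently mishandle: a peak above the access rate, a Tc outside the 10-125 ms IOS range, or mincir above cir. The access rates (2048 kbps E1, 1544 kbps T1) are assumptions.

```python
"""Checks for legacy Frame Relay traffic-shaping (map-class) parameters.
Added example, not from the original guide; the two map-classes are the
guide's R4_504 and R3_513, the access rates are assumptions (E1 / T1).
cir and mincir are in bps, bc and be in bits, as the map-class commands take them."""
from dataclasses import dataclass


@dataclass
class FrShape:
    name: str
    cir: int
    bc: int
    be: int
    mincir: int
    air: int                 # access (physical) rate of the interface in bps

    @property
    def tc_ms(self) -> float:
        """Shaping interval: Tc = Bc / CIR (IOS accepts 10..125 ms)."""
        return 1000.0 * self.bc / self.cir

    @property
    def peak_rate(self) -> int:
        """Rate on the wire in an interval where Be is spent: (Bc+Be)/Tc = CIR*(Bc+Be)/Bc."""
        return (self.bc + self.be) * self.cir // self.bc

    def problems(self) -> list:
        """Misconfigurations the router will not warn you about."""
        out = []
        if self.peak_rate > self.air:
            out.append(f"(Bc+Be)/Tc = {self.peak_rate} bps exceeds the access rate {self.air} bps")
        if not 10 <= self.tc_ms <= 125:
            out.append(f"Tc = {self.tc_ms:.0f} ms is outside the 10-125 ms range")
        if self.mincir > self.cir:
            out.append("mincir is larger than cir (adaptive shaping can never throttle)")
        if self.cir > self.air:
            out.append(f"cir {self.cir} bps exceeds the access rate {self.air} bps")
        return out

    def render(self) -> str:
        """The equivalent map-class, ready to paste into the router."""
        return "\n".join([
            f"map-class frame-relay {self.name}",
            f" frame-relay cir {self.cir}",
            f" frame-relay bc {self.bc}",
            f" frame-relay be {self.be}",
            f" frame-relay mincir {self.mincir}",
        ])


# The guide's two map-classes, on an assumed E1 (2048 kbps) access link.
R4_504 = FrShape("R4_504", cir=512000, bc=25600, be=76800, mincir=384000, air=2048000)
R3_513 = FrShape("R3_513", cir=128000, bc=6400, be=0, mincir=96000, air=2048000)
```

R4_504 gives Tc = 50 ms and a peak of exactly 2048 kbps, so it is clean on an E1 but would be flagged on a T1 (1544 kbps). R3_513 has Tc = 50 ms and, with be 0, never exceeds its 128 kbps CIR.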


____________________________________________________________________________________________________________________

PHYSICAL INTERFACE CONFIGURATION: ____________________________________________________________________________________________________________________

- Disable Inverse ARP because IP/DLCI Mapping is configured manually

- BROADCAST at the end of the MAPPING line

On a HUB Router:

interface Serial1/0

ip address 10.1.100.1 255.255.255.0

encapsulation frame-relay

frame-relay map ip 10.1.100.2 102 broadcast

frame-relay map ip 10.1.100.3 103 broadcast

frame-relay map ip 10.1.100.4 104 broadcast

no frame-relay inverse-arp

On SPOKE Routers:

interface Serial1/0

ip address 10.1.100.2 255.255.255.0

encapsulation frame-relay

frame-relay map ip 10.1.100.4 201 <--- NO NEED FOR "broadcast" ON THE MAPS TO THE OTHER SPOKES: they are all reached over the same DLCI (201, toward the hub), and every map with "broadcast" gets its own copy of each broadcast/multicast packet, i.e. extra traffic on the same VC

frame-relay map ip 10.1.100.3 201

frame-relay map ip 10.1.100.2 201

frame-relay map ip 10.1.100.1 201 broadcast

no frame-relay inverse-arp

!!! Don't forget to check THE CONTROLLER on the interface, and see if we are DTE or DCE (which end of the cable we hold)

#show controllers s1/0

If we are the DCE - the CLOCK RATE NEEDS TO BE SET or the line will not come UP/UP (and no VC can become active)

LMI - Keepalives in Frame Relay, you can see them:

#show frame-relay lmi | i Status

Invalid Status Message 0 Invalid Lock Shift 0

Num Status Enq. Sent 108 Num Status msgs Rcvd 108

If the router itself has to act as the switch side of LMI (the LMI DCE, e.g. in a back-to-back lab setup):

(config-if)#frame-relay intf-type dce

*This is the LMI role only; it does NOT provide the physical clocking, which is still the "clock rate" command on the interface holding the DCE end of the cable.

Frame Relay Header (Q.922 address field) - 2 BYTES, most significant bit first:

| DLCI high 6 bits | C/R (1) | EA (1) = 0 || DLCI low 4 bits | FECN (1) | BECN (1) | DE (1) | EA (1) = 1 |

|                    Byte 1                 ||                          Byte 2                          |

*The second hex value in "show frame-relay map", e.g. dlci 102(0x66,0x1860), is the 10-bit DLCI placed into these header positions with the control and EA bits zeroed.
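Worked example (added here, not code from the original guide): an encoder/decoder for the 2-byte address field above in Python, plus a helper that reproduces the 0x1860-style value IOS prints and a function that does what "adaptive-shaping becn" keys on, namely spotting the BECN bit in received frames. The sample bytes are constructed.

```python
"""Encode and decode the 2-byte Frame Relay (Q.922) address field.
Added example, not from the original guide. The sample bytes are constructed."""
from dataclasses import dataclass


@dataclass
class FrHeader:
    dlci: int
    cr: bool = False      # command/response, unused by most FR implementations
    fecn: bool = False    # forward explicit congestion notification
    becn: bool = False    # backward explicit congestion notification (adaptive shaping reacts to this)
    de: bool = False      # discard eligible (frames above CIR get this set by the switch)

    def encode(self) -> bytes:
        if not 0 <= self.dlci <= 1023:
            raise ValueError("the 2-byte header carries a 10-bit DLCI")
        # byte 1: DLCI bits 9..4, C/R, EA=0 (the address continues in the next byte)
        b1 = ((self.dlci >> 4) << 2) | (int(self.cr) << 1)
        # byte 2: DLCI bits 3..0, FECN, BECN, DE, EA=1 (last address byte)
        b2 = (((self.dlci & 0x0F) << 4) | (int(self.fecn) << 3) | (int(self.becn) << 2)
              | (int(self.de) << 1) | 1)
        return bytes([b1, b2])

    @classmethod
    def decode(cls, data: bytes) -> "FrHeader":
        if len(data) < 2:
            raise ValueError("short frame")
        b1, b2 = data[0], data[1]
        if (b1 & 1) or not (b2 & 1):
            raise ValueError("EA bits do not describe a 2-byte address field")
        return cls(dlci=((b1 >> 2) << 4) | (b2 >> 4),
                   cr=bool(b1 & 0x02), fecn=bool(b2 & 0x08),
                   becn=bool(b2 & 0x04), de=bool(b2 & 0x02))


def dlci_as_shown_by_ios(dlci: int) -> int:
    """The second hex value in 'show frame-relay map', e.g. 'dlci 102(0x66,0x1860)':
    the DLCI's bits in their header positions with all control and EA bits zero."""
    return ((dlci >> 4) << 10) | ((dlci & 0x0F) << 4)


def becn_seen(frames: list) -> bool:
    """What 'frame-relay adaptive-shaping becn' keys on: any frame in the
    interval carrying the BECN bit means the switch wants us to slow down."""
    return any(FrHeader.decode(f).becn for f in frames)
```

DLCI 102 encodes as 0x18 0x61 (the trailing 1 is the EA bit); the same frame with BECN set is 0x18 0x65. Note that the header has no integrity protection at all: anyone on the access circuit can set or clear DE/BECN, which is one reason adaptive shaping should be treated as a hint from the carrier, not a security control.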

____________________________________________________________________________________________________________________

POINT-TO-POINT SUB-INTERFACE: ____________________________________________________________________________________________________________________

- No need for Inverse ARP disabling, as it's P2P Link so it's disabled by default

- Only define a INTERFACE DLCI, because it's a direct connection

interface Serial1/0.21 point-to-point

ip address 10.1.12.2 255.255.255.0

frame-relay interface-dlci 201

#show frame-relay map

Serial1/0.12 (up): point-to-point dlci, dlci 102(0x66,0x1860), broadcast

status defined, active

Serial1/0.13 (up): point-to-point dlci, dlci 103(0x67,0x1870), broadcast

status defined, active

Serial1/0.14 (up): point-to-point dlci, dlci 104(0x68,0x1880), broadcast

status defined, active


____________________________________________________________________________________________________________________

POINT-TO-MULTIPOINT SUB-INTERFACE: ____________________________________________________________________________________________________________________

- Configure the DLCI-to-IP mapping with "frame-relay map" (Inverse ARP is on by default on a multipoint sub-interface, so disable it when mapping manually), and add "broadcast" only on the maps that must carry routing-protocol and other broadcast/multicast traffic

____________________________________________________________________________________________________________________

VIRTUAL TEMPLATE (CAN ONLY BE DONE ON MULTIPOINT OR PHYSICAL INTERFACE)

____________________________________________________________________________________________________________________

If "frame-relay map" is not allowed (for example by the task), run PPP over the DLCI and put the L3 address on a Virtual-Template instead:

(config-if)#frame-relay interface-dlci 102 ?

ppp Use RFC1973 Encapsulation to support PPP over FR

switched Define a switched DLCI

<cr>

(config-if)#frame-relay interface-dlci 102 ppp ?

Virtual-Template Virtual Template interface

(config-if)#frame-relay interface-dlci 102 ppp Vir

(config-if)#frame-relay interface-dlci 102 ppp Virtual-Template ?

<1-200> Virtual-Template interface number

(config-if)#frame-relay interface-dlci 102 ppp Virtual-Template 1

And only assign the IP Address (L3) to the Virtual Template interface:

interface Virtual-Template1

ip address 10.1.100.1 255.255.255.0

OR, if you want to RE-USE the defined IP on a Loopback:

(config-if)#ip unnumbered lo0 <-under the Virtual Template interface

Now the routing table shows the peer's HOST ROUTE injected by PPP (IPCP) on the Virtual-Access interface:

#show ip route

10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks

C 10.1.100.0/24 is directly connected, Virtual-Access1

L 10.1.100.1/32 is directly connected, Virtual-Access1

C 10.1.100.2/32 is directly connected, Virtual-Access1


____________________________________________________________________________________________________________________

FRAME RELAY AUTHENTICATION ____________________________________________________________________________________________________________________

CONFIGURED IN THE VIRTUAL TEMPLATE (refer to the description above)

First, in Global Config mode, define the credentials (username and password):

(config)#username R2 password 0 cisco12 <--- R2 is the HOSTNAME of the OTHER SIDE!!!

*CHAP needs the cleartext secret on both routers (it is hashed together with the challenge), so the entry has to be "username ... password" (stored as type 0, or type 7 with "service password-encryption"), not "username ... secret", whose one-way hash cannot be used for CHAP.

Create a VIRTUAL TEMPLATE and assign IP ADDRESSES to VIRTUAL TEMPLATE:

(config-subif)#frame-relay interface-dlci 102 ppp Virtual-Template 1

*Aug 17 11:12:46.763: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up

Then configure the authentication details:

(config-if)#ppp chap hostname R1

(config-if)#ppp authentication chap ? <---DEFINE WHEN TO AUTHENTICATE

WORD Use an authentication list with this name

callback Authenticate remote on callback only

callin Authenticate remote on incoming call only <---AUTHENTICATE ONLY THE PEER THAT CALLED IN (this side sends the challenge when it is called)

callout Authenticate remote on outgoing call only

default Use the default authentication list

eap Extensible Authentication Protocol (EAP)

ms-chap Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)

ms-chap-v2 Microsoft CHAP Version 2 (MS-CHAP-V2)

one-time Allow use of username*OTP for one-time passwords

optional Allow peer to refuse to authenticate

pap Password Authentication Protocol (PAP)

<cr>

On the other side of the P2P link, configure USERNAME as CHAP HOSTNAME:

(config)#username R1 password 0 cisco12

And here is some PPP Authentication DEBUG:

*Aug 17 11:42:23.371: Vi1 PPP: Using default call direction

*Aug 17 11:42:23.371: Vi1 PPP: Treating connection as a dedicated line

*Aug 17 11:42:23.371: Vi1 PPP: Session handle[C400010C] Session id[266]

*Aug 17 11:42:23.443: Vi1 CHAP: I CHALLENGE id 1 len 23 from "R1" <--- CHALLENGE INBOUND

*Aug 17 11:42:23.443: Vi1 PPP: Sent CHAP SENDAUTH Request

*Aug 17 11:42:23.447: Vi1 PPP: Received SENDAUTH Response PASS

*Aug 17 11:42:23.447: Vi1 CHAP: Using hostname from interface CHAP

*Aug 17 11:42:23.447: Vi1 CHAP: Using password from AAA

*Aug 17 11:42:23.447: Vi1 CHAP: O RESPONSE id 1 len 23 from "R2" <--- RESPONSE OUTBOUND

*Aug 17 11:42:23.463: Vi1 CHAP: I SUCCESS id 1 len 4

PAP has no challenge: the peer simply sends its username and password in CLEARTEXT in the Authenticate-Request, configured with the command below (prefer CHAP whenever the task allows it):

(config-if)#ppp pap sent-username USERNAME password 0 Cisqueros
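Worked example (added here, not code from the original guide): the CHAP exchange between R1 and R2 in Python, following RFC 1994 (Response = MD5(Identifier || Secret || Challenge)). Each router holds a "username <peer-hostname> password 0 <secret>" table exactly as in the configuration above, which is what makes the "username is the OTHER side's hostname" rule visible: the responder looks up the challenger's name, the authenticator looks up the responder's name. The packet dicts are a simplification of the real CHAP packets.

```python
"""PPP CHAP (RFC 1994) between R1 (authenticator) and R2 (peer), as an added
example that is not code from the original guide. Both routers hold a
'username <peer-hostname> password 0 <secret>' table; the packet dicts are
a simplification of the real CHAP packets."""
import hashlib
import hmac
import os


def chap_response_value(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994: Response Value = MD5(Identifier || Secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret.encode() + challenge).digest()


class Router:
    def __init__(self, hostname: str, users: dict):
        self.hostname = hostname   # 'ppp chap hostname'; defaults to the router hostname
        self.users = users         # {peer hostname: cleartext secret}

    def challenge(self, identifier: int) -> dict:
        """CHAP Challenge: Id, a random Value, and OUR Name so the peer knows which secret to use."""
        return {"code": "challenge", "id": identifier, "value": os.urandom(16), "name": self.hostname}

    def respond(self, chal: dict) -> dict:
        """CHAP Response: the peer looks up the CHALLENGER's name in its username table."""
        secret = self.users.get(chal["name"])
        if secret is None:
            raise KeyError(f"{self.hostname}: no 'username {chal['name']} password ...' entry")
        value = chap_response_value(chal["id"], secret, chal["value"])
        return {"code": "response", "id": chal["id"], "value": value, "name": self.hostname}

    def verify(self, chal: dict, resp: dict) -> bool:
        """The authenticator looks up the RESPONDER's name and recomputes the hash."""
        secret = self.users.get(resp["name"])
        if secret is None or resp["id"] != chal["id"]:
            return False
        expected = chap_response_value(chal["id"], secret, chal["value"])
        return hmac.compare_digest(expected, resp["value"])   # constant-time comparison


def run_chap(authenticator: Router, peer: Router, identifier: int = 1) -> bool:
    """One-way authentication: `authenticator` challenges, `peer` answers.
    Returns True for CHAP Success, False for CHAP Failure."""
    chal = authenticator.challenge(identifier)
    resp = peer.respond(chal)
    return authenticator.verify(chal, resp)
```

R1 with "username R2 password 0 cisco12" and R2 with "username R1 password 0 cisco12" authenticate in both directions; a mismatched secret fails, and a missing username for the challenger makes the responder unable to answer at all, which is the usual cause of "no CHAP secret" style failures in the debug.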


____________________________________________________________________________________________________________________

FRAME RELAY End-to-End KEEPALIVE ____________________________________________________________________________________________________________________

Routers depend on LMI to maintain the ACTIVE state of a VC, but LMI is only local (router to switch), not END-TO-END: a DLCI can be ACTIVE locally while the far end is down, because intermediate switches may not propagate status over NNI. => FREEK (Frame Relay End-to-End Keepalive) gives the local router the status of the other end of the VC.

FREEK maintains 2 keepalive roles, each with its own timer:

1. Send side> sends keepalive requests and handles the responses

2. Receive side> handles the requests and replies to them

So it needs to be configured ON BOTH SIDES (bidirectional on both, or request on one side and reply on the other)! It's configured within the MAP CLASS!!!

(config)#map-class frame-relay FREEK

(config-map-class)#frame-relay end-to-end keepalive ?

error-threshold End-to-end keepalive error threshold

event-window End-to-end keepalive event window

mode End-to-end keepalive mode

success-events End-to-end keepalive success events

timer End-to-end keepalive timer

(config-map-class)#frame-relay end-to-end keepalive mode ?

bidirectional Set bidirectional mode <--- BOTH SIDES REPLY AND REQUEST

passive-reply Set passive-reply mode

reply Set unidirectional reply mode <--- THE OTHER SIDE REQUESTS, THIS SIDE REPLIES

request Set unidirectional request mode <--- THIS SIDE REQUESTS, OTHER SIDE REPLIES

Once the MAP CLASS has been defined, apply under DLCI on the SUB-INF:

(config-map-class)#int s1/0.21

(config-subif)#frame-relay interface-dlci 201

(config-fr-dlci)#class FREEK <--- APPLY THE DEFINED MAP CLASS

*Aug 17 13:47:13.179: %FR_EEK-5-FAILED: Interface Serial1/0.21 - DLCI 201

Before applying the FREEK to the other side of the link:

#show frame-relay end-to-end keepalive

End-to-end Keepalive Statistics for Interface Serial1/0 (Frame Relay DTE)

DLCI = 102, DLCI USAGE = LOCAL, VC STATUS = ACTIVE (EEK DOWN)

SEND SIDE STATISTICS

Send Sequence Number: 7, Receive Sequence Number: 4

Configured Event Window: 3, Configured Error Threshold: 2

Total Observed Events: 9, Total Observed Errors: 3

Monitored Events: 3, Monitored Errors: 3

Successive Successes: 0, End-to-end VC Status: DOWN

RECEIVE SIDE STATISTICS

Send Sequence Number: 3, Receive Sequence Number: 2

Configured Event Window: 3, Configured Error Threshold: 2

Total Observed Events: 8, Total Observed Errors: 3

Monitored Events: 3, Monitored Errors: 3

Successive Successes: 0, End-to-end VC Status: DOWN

Failures Since Started: 1, Last Failure: 00:00:16

Once the FREEK has been applied to BOTH SIDES, the VC goes "UP" (both SEND and RECEIVE side). DEBUG FREEK:

#debug frame-relay end-to-end keepalive events

Frame-relay EEK events debugging is on

*Aug 17 13:51:42.775: EEK SUCCESS (reply, Serial1/0.12 DLCI 102)

*Aug 17 13:51:44.063: EEK SUCCESS (request, Serial1/0.12 DLCI 102)

FREEK TIMERS can also be tuned, using:

(config-map-class)#frame-relay end-to-end keepalive timer [send | receive] 3 <--- SECONDS; DEPENDS ON WHETHER IT'S THE SEND OR THE RECEIVE SIDE (defaults: send 10 s, receive 15 s)
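Worked example (added here, not code from the original guide): one side of FREEK as a small state machine in Python, using the semantics of event-window, error-threshold and success-events: the VC goes DOWN when the errors inside the sliding window reach the threshold, and comes back UP after the configured number of consecutive successes. The window of 3 and threshold of 2 match the "show frame-relay end-to-end keepalive" output above; the default of 2 success events and the initial UP state are assumptions.

```python
"""Frame Relay end-to-end keepalive (FREEK) VC status for one side, as an
added example (not from the original guide). Models event-window /
error-threshold / success-events; the 3 / 2 / 2 defaults and the initial
UP state are assumptions."""
from collections import deque


class EekSide:
    def __init__(self, event_window: int = 3, error_threshold: int = 2, success_events: int = 2):
        self.events = deque(maxlen=event_window)   # last N keepalive results (True = success)
        self.error_threshold = error_threshold
        self.success_events = success_events
        self.status = "UP"
        self.successive_successes = 0
        self.failures = 0
        self.total_events = 0
        self.total_errors = 0

    @property
    def monitored_errors(self) -> int:
        """Errors currently inside the sliding event window."""
        return sum(1 for ok in self.events if not ok)

    def record(self, success: bool) -> str:
        """Feed one keepalive result (reply received in time, or timeout); return the VC status."""
        self.events.append(success)
        self.total_events += 1
        if success:
            self.successive_successes += 1
        else:
            self.successive_successes = 0
            self.total_errors += 1
        if self.status == "UP" and self.monitored_errors >= self.error_threshold:
            self.status = "DOWN"          # %FR_EEK-5-FAILED would be logged here
            self.failures += 1
        elif self.status == "DOWN" and self.successive_successes >= self.success_events:
            self.status = "UP"
        return self.status

    def show(self) -> str:
        """Roughly the per-side lines IOS prints."""
        return (f"Configured Event Window: {self.events.maxlen}, "
                f"Configured Error Threshold: {self.error_threshold}\n"
                f"Total Observed Events: {self.total_events}, Total Observed Errors: {self.total_errors}\n"
                f"Monitored Events: {len(self.events)}, Monitored Errors: {self.monitored_errors}\n"
                f"Successive Successes: {self.successive_successes}, End-to-end VC Status: {self.status}")


def replay(results: list) -> list:
    """VC status after each keepalive result, e.g. replay([False, False, True, True])."""
    side = EekSide()
    return [side.record(r) for r in results]
```

Two timeouts in a row take the VC DOWN (that is the "Failures Since Started: 1" in the output above, where the far end was not configured yet), while a single timeout surrounded by successes stays UP because only one error is inside the window of three.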


____________________________________________________________________________________________________________________

FRAME-RELAY MULTILINKING ____________________________________________________________________________________________________________________

If you need 2 LINKS to appear as ONE FRAME RELAY LINK => use PPP MULTILINK over Frame Relay. This might seem a bit illogical at the beginning, but once you've been through it a few times you get the philosophy of it. The same PPP-over-Frame-Relay trick is also used to get features Frame Relay does not support natively, such as authentication and PPP fragmentation/interleaving.

Start by creating a MULTILINK INTERFACE, and define it as PPP Multilink:

(config)#interface multilink 12

(config-if)#ppp multilink

Define the MAX number of links within the MULTILINK, if you want:

(config-if)#ppp multilink links maximum 2

(config-if)#ppp multilink links minimum 1

Create the MULTILINK GROUP:

(config-if)#ppp multilink group 12 <--- PPP MULTILINK GROUP

Now, create a VIRTUAL-TEMPLATE interface and assign the created MULTILINK GROUP to it:

(config)#interface virtual-template 12

(config-if)#ppp multilink group 12

Lastly create the MULTIPOINT sub-interface, and connect it to the VIRTUAL TEMPLATE

(config)#inter serial 1/0.12 multipoint <--- ON ALL THE INTERFACES WE WANT "MULTILINKED"

(config-subif)#frame-relay interface-dlci 102 ppp virtual-Template 12

Check the Multilink:

#show ppp multilink

Multilink12

Bundle name: R2

Remote Endpoint Discriminator: [1] R2

Local Endpoint Discriminator: [1] R1

Bundle up for 00:01:10, total bandwidth 100000, load 1/255

Receive buffer limit 12000 bytes, frag timeout 1000 ms

0/0 fragments/bytes in reassembly list

0 lost fragments, 0 reordered

0/0 discarded fragments/bytes, 0 lost received

0x0 received sequence, 0x0 sent sequence

Member links: 1 active, 1 inactive (max 2, min not set)

Vi4, since 00:01:10

Vt12 (inactive)

No inactive multilink interfaces

*If you want AUTHENTICATION, be sure to configure it under the VIRTUAL TEMPLATE interface:

(config)#int Virtual-Template23

(config-if)#ppp authentication chap

NO FRAME RELAY SWITCH:

If there is NO FRAME RELAY SWITCH: THERE IS NO LMI, so the KEEPALIVE needs to be DISABLED on both routers ("no keepalive"), or one side has to play the switch for LMI ("frame-relay intf-type dce")!!!

- DLCI should be identical on both sides

- clock rate HAS TO BE SET ON DCE SIDE


____________________________________________________________________________________________________________________

FRAME-RELAY AUTO-INSTALL ____________________________________________________________________________________________________________________

A router answers BOOTP requests by default ("ip bootp server" is on unless it has been turned off). So if a FR interface has to get its IP address from a remote server, relay the request with "ip helper-address" and POINT IT AT THE DIRECTED BROADCAST of the server's subnet:

(config-if)#ip helper-address 172.28.185.255

Make sure the router facing that subnet actually forwards DIRECTED BROADCASTS on the egress interface. This is off by default (since IOS 12.0) because directed broadcasts are the classic Smurf amplifier, so enable it only on that one interface, and restrict it with the optional ACL argument:

(config-if)#ip directed-broadcast <-OPTIONALLY FOLLOWED BY AN ACL NUMBER THAT LIMITS WHICH BROADCASTS ARE FORWARDED

IP Multicast

____________________________________________________________________________________________________________________

Multicast TIPS ____________________________________________________________________________________________________________________

TIP: On Frame-Relay hub-and-spoke (multipoint) interfaces, besides "ip pim sparse-mode" configure "ip pim nbma-mode" on the hub. PIM then tracks each neighbor on the interface individually, as if each were a P2P connection, so joins/prunes and forwarding are kept per neighbor instead of treating the interface as one broadcast segment. It is needed only on interfaces that must RECEIVE from ONE PIM neighbor and SEND to ANOTHER on the SAME INTERFACE (the hub), and it works only with sparse mode.

TIP: Use the interface commands "ip multicast boundary ACL" (filters which groups may cross the interface, both data and IGMP/PIM state) and "ip pim neighbor-filter ACL" (filters which routers PIM accepts as neighbors)

TIP: To LIMIT the OUTBOUND Multicast RATE on the interface, in this example to 1Mbps, use the command:

(config-if)#ip multicast rate-limit out 1000

REMINDER:

SHARED TREE - The traffic goes to the RP first

SOURCE BASED TREE - Directly send the traffic to the Multicast clients

To switch from the shared tree to the SOURCE BASED TREE only once a group's traffic exceeds a rate (in kbps; the default is 0, i.e. switch immediately, and "infinity" means never):

(config)#ip pim spt-threshold 128

____________________________________________________________________________________________________________________

Multicast - IGMP ____________________________________________________________________________________________________________________

Applications that take advantage of multicast include video conferencing, corporate communications, distance learning and distribution of

software, stock quotes, and news.

IP multicast routing enables a host (source) to send packets to a group of hosts (receivers) anywhere within the IP network by using a special

form of IP address called the IP multicast group address. The sending host inserts the multicast group address into the IP destination address

field. Any host, regardless of whether it is a member of a group, can send to a group. However, only the members of a group receive the

message.

IOS supports the following protocols to implement IP multicast routing:

1. IGMP - used between hosts on a LAN and routers on that LAN to track multicast groups of which hosts are members.

2. PIM (Protocol Independent Multicast) - used between routers so that they can track which multicast packets to forward to each other and to

their directly connected LANs.

3. DVMRP (Distance Vector Multicast Routing Protocol) is used on the MBONE (the multicast backbone of the Internet). The software supports

PIM-to-DVMRP interaction.

4. CGMP (Cisco Group Management Protocol) performs tasks similar to IGMP on Cisco switches (proprietary, superseded by IGMP snooping)

Any Source Multicast (ASM)

G group - a multicast group for ASM. By joining this group, the receiver HOST IS INDICATING THAT HE WANTS TO RECEIVE IP multicast traffic

SENT BY ANY SOURCE to group G.

ASM group should only be used by a single application!!!

Source Specific Multicast (SSM)

A datagram delivery model that best supports one-to-many applications (targeted at AUDIO and VIDEO). An IP multicast receiver host must use IGMP Version 3 (IGMPv3) to subscribe to the channel (S,G) if it wants to receive IP MULTICAST TRAFFIC SENT BY SOURCE HOST S TO GROUP G.

IP multicast packets are delivered to all hosts in the network that have subscribed to the channel (S, G).


PIM (Protocol Independent Multicast)

PIM is not dependent on a specific unicast routing protocol; it is IP routing protocol independent and can leverage whichever unicast routing

protocols are used to populate the unicast routing table.

It uses the unicast routing table to perform the REVERSE PATH FORWARDING (RPF) check function instead of building up a completely

independent multicast routing table.
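Worked example (added here, not code from the original guide): the RPF check in Python against a constructed unicast routing table. A multicast packet is forwarded only if it arrived on the interface the unicast table would use to reach its source; anything else is a loop or a spoofed source and is dropped. A static mroute ("ip mroute <prefix> <interface>") covering the source is consulted first, on the assumption that its default administrative distance of 0 beats the unicast routes. Interface names follow the guide's routers.

```python
"""Reverse Path Forwarding check against a unicast routing table, as an
added example (not from the original guide). The routing table and the
static mroutes are constructed."""
import ipaddress

# constructed 'show ip route': (prefix, interface toward it)
UNICAST_RIB = [
    ("0.0.0.0/0", "Serial0/1/0"),
    ("10.1.13.0/24", "Serial0/1/1"),
    ("10.1.34.0/24", "Serial0/1/0.34"),
    ("172.16.0.0/16", "Serial0/1/1"),
    ("172.16.5.0/24", "Serial0/1/0.34"),
]


def longest_match(source: str, table: list):
    """Interface of the most specific prefix covering `source`, or None."""
    src = ipaddress.ip_address(source)
    best_net, best_intf = None, None
    for prefix, intf in table:
        net = ipaddress.ip_network(prefix)
        if src in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_intf = net, intf
    return best_intf


def rpf_interface(source: str, static_mroutes: list = (), rib: list = UNICAST_RIB):
    """The interface this router expects traffic from `source` to arrive on.
    Assumption: a static mroute (distance 0) covering the source wins over the unicast table."""
    return longest_match(source, list(static_mroutes)) or longest_match(source, rib)


def rpf_check(source: str, arrival_interface: str, static_mroutes: list = ()) -> bool:
    """Forward only if the packet came in on the RPF interface; otherwise it is
    a loop or a spoofed source and is dropped (an RPF failure)."""
    return rpf_interface(source, static_mroutes) == arrival_interface


def rpf_filter(packets: list, static_mroutes: list = ()) -> list:
    """Apply the check to (source, arrival_interface) pairs; returns the sources that pass."""
    return [src for src, intf in packets if rpf_check(src, intf, static_mroutes)]
```

A packet from 172.16.5.9 passes only on Serial0/1/0.34 (the /24 beats the /16), while a static mroute for 172.16.5.0/24 pointing at Serial0/1/1 flips that decision without touching unicast routing, which is exactly what "ip mroute" is for when the unicast and multicast topologies differ.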

PIM can operate in dense mode or sparse mode.

PIM DENSE mode (PIM-DM) uses a push model to flood multicast traffic to every corner of the network. In dense mode, a router assumes

that all other routers want to forward multicast packets for a group. If a router receives a multicast packet and has no directly connected

members or PIM neighbors present, a prune message is sent back upstream toward the source.

*Dense mode is not often used and its use is not recommended.

PIM SPARSE mode (PIM-SM) uses a pull model to deliver multicast traffic. Only network segments with active receivers that have

EXPLICITLY requested the data will receive the traffic. Sparse mode interfaces are added to the multicast routing table only when periodic Join

messages are received from downstream routers, or when a directly connected member is on the interface.

If a group has no known RP and the interface is configured to be sparse-dense mode, the interface is treated as if it were in dense mode, and

data is flooded over the interface.

____________________________________________________________________________________________________________________

Configure PIM Multicast ____________________________________________________________________________________________________________________

PIM (Protocol Independent Multicast) sends HELLOs to 224.0.0.13 Multicast every 30s, uses the Protocol number 103

DENSE MODE - floods to ALL neighbors unless a Prune message is received from the DOWNSTREAM ROUTER

SPARSE MODE - forwards ONLY after the downstream router sends a PIM JOIN (which it does when a host on its segment joined the group via IGMP, or a router further downstream joined)

IGMP operates between the client computer and a local multicast router. Switches featuring IGMP snooping derive useful information by

observing these IGMP transactions. Protocol Independent Multicast (PIM) is then used between the local and remote multicast routers, to

direct multicast traffic from multicast server to many multicast clients.

Once you decide the Multicast mode you will be configuring, the configuration is rather simple.

STEP 1: Enable the Multicast Routing on a Device:

(config)#ip multicast-routing

STEP 2: Configure the PIM MODE on the Interface (or a range), in this case we´re doing the PIM, DENSE MODE:

(config-if-range)#ip pim dense-mode

You will see the MULTICAST NEIGHBORS getting up:

*Dec 9 14:37:26.975: %PIM-5-NBRCHG: neighbor 10.1.100.1 UP on interface FastEthernet0/0 (vrf default)

#sh ip pim neighbor

PIM Neighbor Table

Mode: B - Bidir Capable, DR - Designated Router, N - Default DR Priority,

S - State Refresh Capable

Neighbor Interface Uptime/Expires Ver DR

Address Prio/Mode

10.1.100.1 FastEthernet0/0 00:01:43/00:01:29 v2 1 / S

NOTE that there is still no RENDEZVOUS POINT (RP):

#sh ip pim rp

NO OUTPUT


STEP 3: Check the MULTICAST ROUTING Table

NOTE that when PIM is enabled, IGMP is ALSO ENABLED!!!

#sh ip mroute

IP Multicast Routing Table

Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,

L - Local, P - Pruned, R - RP-bit set, F - Register flag,

T - SPT-bit set, J - Join SPT, M - MSDP created entry,

X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,

U - URD, I - Received Source Specific Host Report,

Z - Multicast Tunnel, z - MDT-data group sender,

Y - Joined MDT-data group, y - Sending to MDT-data group

Outgoing interface flags: H - Hardware switched, A - Assert winner

Timers: Uptime/Expires

Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 224.0.1.40), 00:17:16/00:02:23, RP 0.0.0.0, flags: DCL <-THE AUTO-RP DISCOVERY GROUP; IOS JOINS IT AUTOMATICALLY WHEN PIM IS ENABLED

Incoming interface: Null, RPF nbr 0.0.0.0

Outgoing interface list:

FastEthernet0/0, Forward/Dense, 00:17:16/00:00:00

STEP 4: Check the IGMP on the interface:

#show ip igmp interface fa0/0

FastEthernet0/0 is up, line protocol is up

Internet address is 10.1.100.1/24

IGMP is enabled on interface <-THIS IS IMPORTANT, THAT IGMPv2 IS ON WHEN PIM IS ENABLED

Current IGMP host version is 2

Current IGMP router version is 2

IGMP query interval is 60 seconds<-FREQUENCY OF QUERIES, SET BY "ip igmp query-interval"

IGMP querier timeout is 120 seconds<-"ip igmp query-timeout"

IGMP max query response time is 10 seconds

Last member query count is 2

Last member query response interval is 1000 ms

Inbound IGMP access group is not set

IGMP activity: 1 joins, 0 leaves

Multicast routing is enabled on interface

Multicast TTL threshold is 0

Multicast designated router (DR) is 10.1.100.2<-PIM DR = HIGHEST IP (equal priorities); note the IGMPv2 QUERIER on the next line is the LOWEST IP

IGMP querying router is 10.1.100.1 (this system)

Multicast groups joined by this system (number of users): 224.0.1.40(1)

STEP 5: IMPORTANT: Neither of the following 2 commands is needed if there is a real receiver on the segment whose APPLICATION speaks IGMP!!! They are for testing, or for segments where the receiver cannot send IGMP reports.

If you want the host to JOIN a specific MULTICAST GROUP, you can do it with 2 similar commands:

(config-if)#ip igmp join-group 224.1.1.1<-THE ROUTER ITSELF BECOMES A MEMBER: RESPONDS TO PING, EXPIRE TIMER WILL SHOW "STOPPED"

(ICMP: this device answers pings sent to 224.1.1.1; the echo reply is unicast back to the sender)

OR

(config-if)#ip igmp static-group 224.1.1.1<-STATIC MEMBERSHIP, FORWARD ONLY; IT KEEPS THE UPSTREAM ROUTERS' MROUTE STATE ALIVE

*static-group cannot respond to PINGs, because the router does not process the multicast packets itself; it just FORWARDS them out the interface. ALSO, "static-group" traffic is FAST-SWITCHED, unlike "join-group", where every packet is punted to the CPU and PROCESS SWITCHED (so never leave join-group on a busy group as a permanent "fix").

#sh ip igmp membership | b Uptime

Channel/Group Reporter Uptime Exp. Flags Interface

*,224.1.1.1 0.0.0.0 00:01:23 stop 2SA Fa0/0

*,224.0.1.39 136.1.245.5 1d17h 02:53 2A Se0/1/0

*,224.0.1.40 136.1.245.2 2d03h 02:43 2LA Se0/1/0

MULTICAST TIMERS AND STATE LIMITS

To IMMEDIATELY STOP any kind of MULTICAST upon receiving a LEAVE message apply the "immediate leave" command (if you apply it in a

Global Config mode, it will apply to ALL the interfaces), and define the ACL 1 to cover all the multicast IPs (224.0.0.0/4):

(config-if)#ip igmp immediate-leave group-list 1

(config)#access-list 1 permit 224.0.0.0 15.255.255.255


If you want to send some QUERY messages before the Router stops forwarding Multicast Traffic:

(config-if)#ip igmp last-member-query-count 2 <-SEND 2 QUERY MESSAGES

(config-if)#ip igmp last-member-query-interval 500 <-SEND QUERIES EVERY 500ms

Another useful knob is the NUMBER OF IGMP STATES (groups/channels) the router accepts, configurable per interface or in global config mode (excess joins are ignored):

(config-if)#ip igmp limit 3

The other tune-able timers are:

(config-if)#ip igmp quer?

querier-timeout - time without hearing the current querier before this router takes over (default 2 x query interval, 120 s)

query-interval - INTERVAL between two general queries (default 60 s)

query-max-response-time - MAX time, advertised in the query, a host may wait before answering it (default 10 s)

Have in mind that PIM-SM actually builds 2 TREES: a UNIDIRECTIONAL SHARED TREE (RPT) rooted at the RP, over which receivers first get the traffic, and the SOURCE BASED TREE (SPT) rooted at the SOURCE of the stream (the RP joins the SPT toward the source; last-hop routers join it after the first packet). On IOS the SPT is effectively the DEFAULT: "ip pim spt-threshold" is 0 kbps unless changed, so a last-hop router switches from the shared tree to the SPT as soon as the first packet arrives over the shared tree.

____________________________________________________________________________________________________________________

PIM Dense Mode, PIM-DM - For the applications EVERYONE wants ____________________________________________________________________________________________________________________

The DENSE mode would be a good choice if you're implementing the MULTICAST to support one of the applications that many users within

your network will use, because it forwards the traffic assuming that there are users on all routers. The basic configuration consists of 2 steps:

Enable the Multicast on the router and configure the Dense Mode on the interface:

(config)#ip multicast-routing

(config)#int lo0

(config-if)#ip pim dense-mode <-IGMPv2 IS ENABLED BY DEFAULT

#debug ip pim hello <-AND OBSERVE WHAT HAPPENS

*Dec 10 17:24:50.139: PIM(0): Send periodic v2 Hello on Serial0/1/0.34 with GenID = 3542869676

*Dec 10 17:24:50.159: PIM(0): Received v2 hello on Serial0/1/1 from 10.1.13.1

*Dec 10 17:24:50.159: PIM(0): Neighbor (10.1.13.1) Hello GENID = 4018201785

*Dec 10 17:24:50.199: PIM(0): Received v2 hello on Serial0/1/0.34 from 10.1.34.4

*Dec 10 17:24:50.199: PIM(0): Neighbor (10.1.34.4) Hello GENID = 6520

*Dec 10 17:24:51.075: PIM(0): Send periodic v2 Hello on Serial0/1/1 with GenID = 3542792495

*Dec 10 17:24:51.131: PIM(0): Send periodic v2 Hello on Loopback0 with GenID = 3542761484

*Dec 10 17:24:51.131: PIM(0): Received v2 hello on Loopback0 from 3.3.3.3

*Dec 10 17:25:19.455: PIM(0): Send periodic v2 Hello on Serial0/1/0.34 with GenID = 3542869676

*Dec 10 17:25:19.631: PIM(0): Received v2 hello on Serial0/1/1 from 10.1.13.1

*Dec 10 17:25:19.635: PIM(0): Neighbor (10.1.13.1) Hello GENID = 4018201785

*Dec 10 17:25:20.107: PIM(0): Received v2 hello on Serial0/1/0.34 from 10.1.34.4

*Dec 10 17:25:20.107: PIM(0): Neighbor (10.1.34.4) Hello GENID = 6520

*Dec 10 17:25:20.395: PIM(0): Send periodic v2 Hello on Serial0/1/1 with GenID = 3542792495

#sh ip pim neighbor | i v2 Prio/Mode

10.1.13.1 Serial0/1/1 00:14:14/00:01:17 v2 1 / S

10.1.34.4 Serial0/1/0.34 00:13:14/00:01:18 v2 1 / S

PRUNING

PIM-DM keeps a timer on a PRUNED INTERFACE (about three minutes); when it expires the multicast traffic floods again, until a new PRUNE message is received from the DOWNSTREAM router. PIM-DM State Refresh avoids this periodic re-flooding: the router directly connected to the source sends a State-Refresh CONTROL PACKET down the tree, which resets the prune timers. You can change how often it is originated (default 60 s):

(config-if)#ip pim state-refresh origination-interval 60


____________________________________________________________________________________________________________________

STATIC RENDEZVOUS POINT (RP) Configuration ____________________________________________________________________________________________________________________

A rendezvous point (RP) is required in networks running Protocol Independent Multicast sparse mode (PIM-SM). In PIM-SM, traffic will be

forwarded only to segments with active receivers that explicitly requested multicast data.

STATIC RP CONFIGURATION NEEDS TO BE THE SAME ON ALL THE ROUTERS, including the RP itself!!!

Specify the router to be the RP for a group range (the ACL lists the groups; without it the RP serves all of 224.0.0.0/4):

(config)#ip pim rp-address 192.168.0.0 [access-list] [override]

*If the override keyword is not specified and there is an RP address conflict, dynamic group-to-RP mappings (Auto-RP, BSR) take precedence over the static group-to-RP mapping; with override the static one wins.

*Dec 14 19:45:20.411: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up <-IOS BRINGS UP THE PIM REGISTER TUNNEL TOWARD THE RP ONCE AN RP IS KNOWN

#sh ip pim rp map

PIM Group-to-RP Mappings

Acl: 1, Static

RP: 1.1.1.2 (?)

Group(s): 224.0.0.0/4, Static <-WITHOUT AN ACL THE RP COVERS ALL OF 224.0.0.0/4; BEST PRACTICE: SCOPE IT WITH AN ACL (permit the intended groups, deny the rest)

RP: 1.1.1.3 (?)

If two static RPs have OVERLAPPING group scopes - the RP with the HIGHER IP ADDRESS WINS

____________________________________________________________________________________________________________________

DESIGNATED ROUTER (DR) Configuration ____________________________________________________________________________________________________________________

IMPORTANT: Designated Router works ONLY with IGMPv1, and it determines the Router that sends the IGMP Queries. In IGMPv2 the Querier is elected directly by the protocol (router with the LOWEST IP address), so no DR is needed. To check who the DR is currently, check for the PIM neighbors:

#SH ip pim nei | i DR

10.1.12.2 FastEthernet0/0 2d01h/00:01:28 v2 1 / DR S

The criteria for determining the DR on the subnet are similar to those in OSPF:

- Choose the router with the HIGHEST DR PRIORITY (default is 1)

- If the priorities are the same - choose the router with the highest IP address

To change the DR priority, go to the interface configuration:

(config-if)#ip pim dr-priority 100

To FILTER certain IPs so that you do not become a PIM NEIGHBOR with them, use "ip pim neighbor-filter 1", where 1 is an ACL:

(config-if)#ip pim neighbor-filter 1


____________________________________________________________________________________________________________________

IP MULTICAST: AUTOMATIC RENDEZVOUZ POINT (Auto-RP) Configuration ____________________________________________________________________________________________________________________

Auto-RP automates the distribution of group-to-rendezvous point (RP) mappings in a PIM network. IANA has assigned two group addresses, 224.0.1.39 and 224.0.1.40, for Auto-RP. NOTE that these will work ONLY IN A DENSE MODE, which is why SPARSE-DENSE mode is REQUIRED for Auto-RP to be configured. If you need SPARSE mode you will need to manually configure the Auto-RP listener:

(config)#ip pim autorp listener

*If the interfaces have been configured in the SPARSE-DENSE mode, there is no need to manually configure the listener. You can configure 2 Routers as the RP and have them ANNOUNCE themselves as the RPs, and aside from them you would have the MAPPING AGENT who will COLLECT the announcements and DECIDE THE REAL RP. Auto-RP Configuration requires you to define the CANDIDATE RP and the MAPPING AGENT before you get into the configuration.

STEP 1: Configure the CANDIDATE-RP, so that the RP can announce itself as the RP to the other routers. The destination for these announcements is by default 224.0.1.39. SCOPE CAN BE USED TO LIMIT THE RANGE THE RP IS ANNOUNCED.

(config)#ip pim send-rp-announce Loopback0 scope 2 group-list 1

*SCOPE defines the TTL, and 1 is the ACL for Multicast Groups you want the RP to announce

STEP 2: ALL routers receive the announcements; ONLY the MAPPING AGENT will process them. Configure the MAPPING AGENT, that will PROCESS the RP announce messages and decide the RP-to-Group mapping.

If there is more than one candidate RP for the same groups, the one with the HIGHEST SOURCE IP wins and gets announced.

(config)# ip pim send-rp-discovery lo1 scope 31

When you DEBUG the Auto-RP on the MAPPING AGENT:

*Dec 14 11:42:26.019: Auto-RP(0): Received RP-announce packet of length 48, from 1.1.1.4, RP_cnt 1, ht 181

*Dec 14 11:42:26.019: (0): pim_add_prm:: 238.0.0.0/255.0.0.0,

rp=1.1.1.4, repl = 0, ver =3, is_neg =0, bidir = 0, crp = 0 create_new = 1

*Dec 14 11:42:26.019: Auto-RP(0): Added with

*Dec 14 11:42:26.019: prm_rp->bidir_mode = 0 vs bidir = 0 (238.0.0.0/8, RP:1.1.1.4), PIMv2 v1

*Dec 14 11:42:26.019: Auto-RP(0): Build RP-Discovery packet

*Dec 14 11:42:26.019: Auto-RP(0): Build mapping (238.0.0.0/8, RP:1.1.1.4), PIMv2 v1,

*Dec 14 11:42:26.019: Auto-RP(0): Send RP-discovery packet of length 48 on Ethernet0/0 (1 RP entries)

*Dec 14 11:42:26.019: Auto-RP(0): Send RP-discovery packet of length 48 on Serial1/0.53 (1 RP entries)

*Dec 14 11:42:26.019: Auto-RP(0): Send RP-discovery packet of length 48 on Serial1/0.45 (1 RP entries)

*Dec 14 11:42:26.019: Auto-RP(0): Send RP-discovery packet of length 48 on Loopback0(*) (1 RP entries)

*Dec 14 11:45:02.551: prm_rp->bidir_mode = 0 vs bidir = 0 (238.0.0.0/8, RP:1.1.1.3), PIMv2 v1

*Dec 14 11:45:02.551: Auto-RP(0): Received RP-announce packet of length 48, from 1.1.1.3, RP_cnt 1, ht 181

*Dec 14 11:45:02.551: (0): pim_add_prm:: 238.0.0.0/255.0.0.0,

rp=1.1.1.3, repl = 0, ver =3, is_neg =0, bidir = 0, crp = 0

*Dec 14 11:45:02.551: Auto-RP(0): Update

So if you have 2 CANDIDATE-RPs and check the MAPPING AGENT:

#sh ip pim rp mapping | b Group

Group(s) 238.0.0.0/8

RP 1.1.1.4 (?), v2v1

Info source: 1.1.1.4 (?), elected via Auto-RP <-ELECTED DUE TO THE HIGHER IP ADDRESS VALUE

Uptime: 00:01:52, expires: 00:02:05

RP 1.1.1.3 (?), v2v1

Info source: 1.1.1.3 (?), via Auto-RP

Uptime: 00:02:15, expires: 00:02:43

The other routers within the domain will learn the RP IP address with the Mapping Agent as the Source:

#sh ip pim rp mapp | i RP|source

RP 1.1.1.4 (?), v2v1

Info source: 1.1.1.5 (?), elected via Auto-RP
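As an added example (not from the author's notes, and not IOS code), a small Python model of the two selection rules these notes describe: the mapping agent keeps, per group range, the candidate RP with the highest IP, and on every router a static "ip pim rp-address" entry loses to an Auto-RP learned mapping unless it carries "override"; among the overlapping mappings that remain, the higher RP IP wins, as stated for static RPs above. Group ranges and RP addresses below are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class RpMapping:
    rp: str          # RP address
    groups: str      # group range this mapping covers, e.g. "224.0.0.0/4"
    source: str      # "static" (ip pim rp-address) or "auto-rp" (learned)
    override: bool = False   # the [override] keyword; static entries only


def mapping_agent_elect(announcements):
    """Mapping-agent step: among RP-announce messages for the same group
    range keep the RP with the highest IP address (in the debug above
    1.1.1.4 beats 1.1.1.3). Returns the Auto-RP mappings it would send out."""
    winners = {}
    for rp, prefix in announcements:
        current = winners.get(prefix)
        if current is None or ipaddress.ip_address(rp) > ipaddress.ip_address(current):
            winners[prefix] = rp
    return [RpMapping(rp, prefix, "auto-rp") for prefix, rp in winners.items()]


def select_rp(group, mappings):
    """Pick the RP one router uses for a group: a static entry with 'override'
    wins outright; otherwise Auto-RP learned mappings beat static ones; among
    the remaining overlapping mappings the higher RP IP wins.
    Returns the RP address, or None when no mapping covers the group."""
    g = ipaddress.ip_address(group)
    covering = [m for m in mappings if g in ipaddress.ip_network(m.groups, strict=False)]
    if not covering:
        return None
    forced = [m for m in covering if m.source == "static" and m.override]
    dynamic = [m for m in covering if m.source == "auto-rp"]
    pool = forced or dynamic or covering
    return max(pool, key=lambda m: ipaddress.ip_address(m.rp)).rp


if __name__ == "__main__":
    # Constructed scenario: two candidate RPs announce 238.0.0.0/8 (as in the
    # debug output above) and every router also has a static RP for 224/4.
    learned = mapping_agent_elect([("1.1.1.4", "238.0.0.0/8"), ("1.1.1.3", "238.0.0.0/8")])
    static = [RpMapping("1.1.1.2", "224.0.0.0/4", "static")]
    print(select_rp("238.1.1.1", learned + static))   # 1.1.1.4: Auto-RP beats static
    print(select_rp("239.1.1.1", learned + static))   # 1.1.1.2: only the static entry covers it
```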


If you want to LIMIT (FILTER) WHERE the RP announcements are forwarded, define the MULTICAST BOUNDARY on the interface towards that HOST, and add the known Auto-RP Multicast IP 224.0.1.40 in ACL 1:

(config)#access-list 1 deny host 224.0.1.40

(config-if)#ip multicast boundary 1

*NOTE that the DEAD TIMER is 3 minutes, so you have to be patient here

When you're filtering the MULTICAST GROUPS you're announcing to the other hosts, use ANNOUNCE-FILTER:

(config)#ip pim rp-announce-filter group-list 6 <-6 IS THE ACL OF ANNOUNCE DESTINATIONS

FILTERING of the RP Announcements can be done using the RP-LIST, BUT WATCH OUT, THESE HAVE THE OPPOSITE LOGIC:

(config)# ip pim rp-announce-filter rp-list 4 [group-list 5] <-ACL 4 PERMITS the RPs that will NOT be advertised!!!

*GROUP-LIST is ACL with MULTICAST GROUPS for which you DONT want this RP to be advertised

You can set the ROUTER to SWITCH to the SPT (shortest path tree) ONLY if a group reaches a certain BW; in this case we're analysing the Multicast groups in ACL 1 to see if they reach 20 kbps:

(config)#ip pim spt-threshold 20 group-list 1

If you want to FILTER THE INCOMING groups, define the ACL and apply it DIRECTLY on the incoming interface:

(config)#access-list 52 permit host 225.25.25.25 <-MULTICAST SOURCES WE WANT TO PERMIT

(config)#access-list 52 permit host 226.26.26.26

(config-if)#ip igmp access-group 52 <-YOU WILL NOT HAVE IN|OUT OPTION HERE, as logical

____________________________________________________________________________________________________________________

IP MULTICAST: BSR (Bootstrap Router) Configuration ____________________________________________________________________________________________________________________

BSR has the same function as Auto-RP, but the BSR is part of the PIM Version 2 specification. BSR interoperates with Auto-RP on Cisco routers. A BSR is elected among the candidate BSRs automatically; they use bootstrap messages to discover which BSR has the highest priority. This router then announces to all PIM routers in the PIM domain that it is the BSR.

BSR ADVANTAGE: There is a PRIORITY COMMAND! Auto-RP doesn't have the option to set the Router with the Lower IP as the RP.

STEP 1: Enable Multicast Routing and configure all the relevant interfaces in PIM SPARSE MODE

STEP 2: Configure the router to announce its candidacy as a bootstrap router (BSR). Note that if you get the message "Warning: PIMv2 not configured", you need to configure "ip pim sparse-mode" on the interface:

(config)#ip pim BSR-candidate lo0

STEP 3: Configure PIM Version 2 candidates to be the RP to the BSR, also defining the priority if needed:

(config)#ip pim RP-candidate lo0 priority 100 <-LOWER PRIORITY IS BETTER, default is 0

Once the CANDIDATE RPs know the BSR address - they send UNICAST messages to BSR identifying themselves as candidates.

To check the RP election, the command is the same like in Auto-RP:

#sh ip pim rp mapp | b Group

Group(s) 224.0.0.0/4

RP 1.1.1.3 (?), v2

Info source: 1.1.1.4 (?), via bootstrap, priority 0, holdtime 150 <-INFO SOURCE IS ALWAYS RP

Uptime: 00:14:16, expires: 00:02:18

RP 1.1.1.4 (?), v2

Info source: 1.1.1.4 (?), via bootstrap, priority 50, holdtime 150 <-INFO SOURCE IS ALWAYS RP

Uptime: 00:14:09, expires: 00:02:18


FILTERING WITH TTL is another option not to forget when working on MULTICAST. There is an interface command that sets the TTL THRESHOLD for MULTICAST packets, so like the SCOPE feature in Auto-RP you can use it to control how far multicast packets travel. In this example packets from routers more than 3 hops away (255-252) will not reach the local router:

(config-if)#ip multicast ttl-threshold 252

The same filter can be used OUTBOUND, using the SAME command, so if you want to make sure that no multicast packet with TTL<13 goes out the interface, use:

(config-if)#ip multicast ttl-threshold 13

*This command is under "PIM>Using MSDP to Interconnect Multiple PIM-SM Domains" in Cisco Docs

(MSDP is a mechanism to connect multiple PIM-SM domains. The purpose of MSDP is to discover multicast sources in other PIM domains.)

____________________________________________________________________________________________________________________

IP MULTICAST: MSDP (Multicast Source Discovery Protocol) Configuration ____________________________________________________________________________________________________________________

MSDP is the mechanism to connect multiple PIM-SM domains. MSDP peering is configured BETWEEN THE RPs (the RPs use TCP port 639 to synchronize the sources each one knows). In anycast RP, all the RPs are configured to be MSDP peers of each other. When a MULTICAST SOURCE starts sending, the first hop router encapsulates the traffic in Register messages and UNICASTS them to the RP. The RP de-encapsulates and sends towards the last hop. SA (Source Active) messages identify the Source IP and the Group.

MSDP peering connections need to be established between all MSDP peers:

(config)#ip msdp peer 1.1.1.5 connect-source lo0

#sh ip msdp peer

MSDP Peer 1.1.1.5 (?), AS ?

Connection status:

State: Up, Resets: 0, Connection source: Loopback0 (1.1.1.2)

*SA messages are used to advertise active sources in a domain.

Anycast RP

In anycast RP, two or more RPs are configured with the SAME IP ADDRESS on their loopback interfaces. The anycast RP loopback address should be configured with a 32-bit mask, making it a host address. IP routing will automatically select the topologically closest RP.

IMPORTANT: In anycast RP, all the RPs are configured to be MSDP peers of each other

____________________________________________________________________________________________________________________

Multiprotocol BGP (MP-BGP) & IP Multicast ____________________________________________________________________________________________________________________

First you would need to DISABLE the default BGP behavior, which is IPv4-Unicast:

(config-router)#no bgp default ipv4-unicast

Now within the BGP process you can configure the Address Families (AF) separately; among them you can define "address-family ipv4 UNICAST" and "address-family ipv4 MULTICAST":

(config-router)#address-family ipv4 unicast

(config-router-af)#neighbor 100.1.34.4 activate

(config-router-af)#network 1.1.1.1 mask 255.255.255.255 <-CAN BE KNOWN VIA OTHER PROTOCOL

(config-router-af)#no auto-summary <-ALSO NEEDED WITHIN AF


____________________________________________________________________________________________________________________

IP MULTICAST: Configuring SSM (Source Specific Multicast) ____________________________________________________________________________________________________________________

Source Specific Multicast (SSM) is an extension of IP multicast where datagram traffic is forwarded to receivers from only those multicast sources that the receivers have explicitly joined. For multicast groups configured for SSM, only source-specific multicast distribution trees (not shared trees) are created.

SSM best supports ONE-TO-MANY applications, also known as BROADCAST applications. The following two components together support the implementation of SSM:

- Protocol Independent Multicast source-specific mode (PIM-SSM)

- Internet Group Management Protocol Version 3 (IGMPv3), that introduces the ability for hosts to signal group membership that allows filtering capabilities with respect to sources.

Default SSM Scope is 232.0.0.0/8. The router CLOSEST to the RECEIVING HOSTS should have SSM enabled. Configuration is quite simple: define the ACL, and enable the SSM for that range in the Global Configuration mode:

(config)#access-list 1 permit 230.0.0.0 0.255.255.255

(config)#ip pim ssm [range ACL | default] <-DEFAULT COVERS STANDARD SSM RANGE 232.0.0.0/8

DO NOT FORGET to set the IGMP version to IGMPv3 on the interfaces:

(config-subif)#ip igmp version 3

Then in the Global Configuration mode set the DEFAULT mode to SSM:

(config)#ip pim ssm default <-SETS USAGE OF SSM DEDICATED RANGE 232.0.0.0/8 ON

Once the interface IGMP version is set, you can configure a SOURCE SPECIFIC Multicast join:

(config-if)#ip igmp join-group 232.6.6.6 source 10.1.56.6

Now Verify in the Multicast Routing Table of the UPSTREAM ROUTER (interface towards this router must be IGMPv3):

#sh ip mroute | s 232.6.6.6

(10.1.56.6, 232.6.6.6), 00:00:27/00:02:32, flags: sTI

Incoming interface: Serial1/0.24, RPF nbr 10.1.24.4

Outgoing interface list:

Ethernet0/0, Forward/Sparse, 00:00:27/00:02:32

There is another option IGMPv3 allows you, and it's called "explicit-tracking" (IGMPv3 Interface command). It causes the router to TRACK ALL REPORTERS and not only the last one, and it enables LEAVING (S,G) as soon as the last host leaves that (S,G) without sending a query:

(config-if)#ip igmp explicit-tracking

*Make sure you see the "T" flag in the MROUTE table:

#sh ip mroute | i 232.6.6.6

(10.1.56.6, 232.6.6.6), 00:09:16/00:02:25, flags: sTI <-T means TRACKED


____________________________________________________________________________________________________________________

IP MULTICAST: Bidirectional PIM (Bidir-PIM) ____________________________________________________________________________________________________________________

In bidirectional mode, traffic is routed only along a bidirectional shared tree that is rooted at the RP for the group. Membership in a bidirectional group is signaled by way of explicit Join messages. Traffic is ALWAYS sent to the RP, and passed down the tree. PIM-SM has been improved, so now traffic can go UPSTREAM if needed just to reach the RP.

The new concept was introduced as the LOOP PREVENTION within the BIDIR-PIM, it's called DESIGNATED FORWARDER (DF).

BIDIRECTIONAL PIM removes the RPF (Reverse Path Forwarding) rules, and it REMOVES (S,G) entries from the route table, leaving ALL (*,G) entries.

DESIGNATED FORWARDER (DF) is the Multicast Router that can forward (*,G) state in 2 DIFFERENT DIRECTIONS for the same group address.

DF winner is determined by IGP cost on a link by link basis.

STEP 1: First the Bidirectional PIM needs to be enabled on ALL THE ROUTERS:

(config)# ip pim bidir-enable

STEP 2: Statically configure the RP, also on ALL the routers (INCLUDING THE RP ITSELF):

(config)#ip pim rp-address 1.1.1.3 bidir

To make sure that the router 1.1.1.3 is REALLY the DF on the interface:

#sh ip pim inter s1/0.32 df 1.1.1.3

Designated Forwarder election for Serial1/0.32, 10.1.23.3, RP 1.1.1.3

State DF

Offer count is 0

Current DF ip address 10.1.23.3

DF winner up time 00:04:19

Last winner metric preference 0

Last winner metric 0

Next winner will be sent in 45360 ms

Once a host joins a Multicast Group, for example 224.1.2.3, in a network configured as BIDIR-PIM:

#sh ip mroute bidirectional | s 224.1.2.3

(*, 224.1.2.3), 00:00:41/00:02:48, RP 1.1.1.3, flags: B <-BIDIRECTIONAL FLAG

Bidir-Upstream: Serial1/0.53, RPF nbr 10.1.35.3

Outgoing interface list:

Ethernet0/0, Forward/Sparse, 00:00:41/00:02:48

Serial1/0.53, Bidir-Upstream/Sparse, 00:00:41/00:00:00


____________________________________________________________________________________________________________________

IP MULTICAST: Helper Map ____________________________________________________________________________________________________________________

Perform this task to convert broadcast traffic to IP multicast traffic on the first hop router. The first hop router is on the border between the broadcast-only network and the IP multicast network.

*NOTE that you MUST have Multicast configured between the two broadcast-only networks, even on the interfaces towards the BROADCAST-ONLY network segments.

You can use this for ROUTING PROTOCOLS, but remember to change the updates to BROADCASTS, for example RIP:

(config-if)#ip rip v2-broadcast

STEP 1: Create an extended IP access list to control which UDP broadcast packets are translated. In this example the RIP protocol is configured, and the BROADCAST RIP packets going from source 10.1.12.1 are matched:

(config)#access-list 101 permit udp host 10.1.12.1 eq rip host 255.255.255.255 eq rip

(config)#ip forward-protocol udp rip <-SPECIFY HOW BROADCAST MESSAGES ARE FORWARDED

STEP 2: Define the HELPER MAP on the interface where the BROADCAST traffic comes in, to convert that INCOMING BROADCAST traffic INTO MULTICAST traffic to the group 224.1.1.1 with TTL 3 (only 3 hops allowed):

(config-if)#ip multicast helper-map broadcast 224.1.1.1 101 ttl 3

STEP 3: On the LAST HOP router towards another BROADCAST network segment identify the RIP traffic using the ACL:

(config)#access-list 102 permit udp host 10.1.12.1 any eq rip

(config)#ip forward-protocol udp

STEP 4: Use the HELPER MAP on the LAST HOP INTERFACE towards the MULTICAST segment (the one from where the MULTICAST traffic will be coming) to CONVERT MULTICAST BACK TO BROADCAST (10.1.45.255 is the final destination of the RIP packets):

(config-subif)#ip multicast helper-map 224.1.1.1 10.1.45.255 102

STEP 5: On the INTERFACE towards the BROADCAST SEGMENT:

(config-if)#ip directed-broadcast

In this particular case we would also have to TUNE RIP a little bit, not to validate the UPDATE SOURCE:

(config-router)#no validate-update-source


____________________________________________________________________________________________________________________

MULTICAST Helper Map & Helper-address ____________________________________________________________________________________________________________________

Helper Map is used to convert UDP BROADCAST to MULTICAST packets. So when by default the application is sending the BROADCAST, we need to use this feature. Another option would be to convert BROADCAST to UNICAST packets, using the "ip helper-address". Two major steps need to be taken here:

*Helper-Map is configured on BOTH INCOMING INTERFACES!!!

IMPORTANT: The traffic needs to be PROCESS SWITCHED in order for Helper Map to work, so if you're using the broadcasts on port UDP/3999, on BOTH routers also configure:

(config)#ip forward-protocol udp 3999

STEP 1: On the BROADCAST SOURCE convert the BROADCAST traffic to MULTICAST

(config-if)#ip multicast helper-map broadcast MULTICAST_GROUP ACL_PERMITTING_THE_PORT

Example:

(config-if)#ip multicast helper-map broadcast 239.39.39.39 101

(config)#access-list 101 permit udp any any eq 3999

STEP 2: On the CLIENT, convert the traffic BACK TO BROADCAST for the client to receive it as the application was designed.

(config-if)#ip multicast helper-map MULTICAST_GROUP 192.168.1.255 101

*192.168.1.255 is the IP of the final interface, but in the broadcast form

(config-if)#ip directed-broadcast <-TARGET INTERFACE MUST SUPPORT A DIRECTED BROADCAST
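As an added example (not the author's, and not IOS code), a Python walk-through of the helper-map path described in this section and in the RIP procedure in the previous one: the first hop only rewrites UDP broadcasts whose port is listed by "ip forward-protocol udp" and which the ACL matches, each multicast router decrements the TTL, and the last hop turns the group back into a directed broadcast, which is dropped unless the egress interface has "ip directed-broadcast". The ACL functions stand in for access-lists 101 and 102 above; the packets are constructed.

```python
from dataclasses import dataclass, replace

BROADCAST = "255.255.255.255"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "udp" or "tcp"
    sport: int
    dport: int
    ttl: int


# Stand-in for: access-list 101 permit udp host 10.1.12.1 eq rip host 255.255.255.255 eq rip
def acl_101(p):
    return (p.proto == "udp" and p.src == "10.1.12.1" and p.sport == 520
            and p.dst == BROADCAST and p.dport == 520)


# Stand-in for: access-list 102 permit udp host 10.1.12.1 any eq rip
def acl_102(p):
    return p.proto == "udp" and p.src == "10.1.12.1" and p.dport == 520


def first_hop(p, acl, group, ttl, forward_ports):
    """'ip multicast helper-map broadcast GROUP ACL ttl N' on the ingress interface.
    Only a UDP limited broadcast to a port enabled with 'ip forward-protocol udp'
    and matched by the ACL is rewritten to the multicast group with the given TTL;
    anything else is returned untouched."""
    if p.proto == "udp" and p.dst == BROADCAST and p.dport in forward_ports and acl(p):
        return replace(p, dst=group, ttl=ttl)
    return p


def core_hop(p):
    """One multicast router on the path: decrement the TTL, drop (None) when it would hit 0."""
    return replace(p, ttl=p.ttl - 1) if p.ttl > 1 else None


def last_hop(p, acl, group, directed_bcast, directed_broadcast_enabled):
    """'ip multicast helper-map GROUP DIRECTED_BCAST ACL' on the egress interface.
    The result is a directed broadcast, so without 'ip directed-broadcast' on
    that interface the packet is dropped (None)."""
    if p.dst != group or not acl(p):
        return p
    if not directed_broadcast_enabled:
        return None
    return replace(p, dst=directed_bcast)


def rip_update_path(p, core_routers, directed_broadcast_enabled=True):
    """Run one packet through the RIP procedure: the broadcast from 10.1.12.1 becomes
    224.1.1.1 with TTL 3, crosses core_routers multicast hops, and is converted back
    to the 10.1.45.255 directed broadcast. Returns the delivered packet or None."""
    p = first_hop(p, acl_101, "224.1.1.1", 3, {520})
    if p.dst != "224.1.1.1":
        return None              # not converted: a limited broadcast is never routed
    for _ in range(core_routers):
        p = core_hop(p)
        if p is None:
            return None          # TTL exhausted on the way
    return last_hop(p, acl_102, "224.1.1.1", "10.1.45.255", directed_broadcast_enabled)


if __name__ == "__main__":
    rip = Packet("10.1.12.1", BROADCAST, "udp", 520, 520, 1)   # constructed RIP update
    print(rip_update_path(rip, 1))                           # delivered to 10.1.45.255
    print(rip_update_path(rip, 3))                           # None: TTL 3 does not survive 3 hops
    print(rip_update_path(rip, 1, directed_broadcast_enabled=False))   # None: dropped at egress
```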

This feature is also used in a MULTICAST STUB. When the next router cannot (or we don't want it to) become a PIM neighbor, configure the IGMP Helper Address in order to still receive the Multicast from that router:

(config-if)#ip igmp helper-address 10.1.15.66

*configure on the interface towards the receiver of Multicast


Security


____________________________________________________________________________________________________________________

Security TIPS ____________________________________________________________________________________________________________________

TIP - ICMP: When you want to prevent the router response with "Host Unreachable" messages (U.U.U), on the interface:

(config-if)#no ip unreachables

(config-if)#no ip mask-reply <-DONT REVEAL NETWORK MASK

TIP - TELNET: When you need to control only access to TELNET, apply directly to the VTY:

(config)#line vty 0 4

(config-line)#access-class 1 in <-1 IS THE LIST OF CLIENTS ALLOWED TO TELNET

TIP - SNMP: You can allow only some of the HOSTS to access the router's SNMP agent:

(config)#snmp-server community mYcOMMUNITY RO 22

(config)#access-list 22 permit host 11.187.123.11

TIP: 802.1x, Don't forget to enable the 802.1x GLOBALLY:

(config)#dot1x system-auth-control

#sh dot1x all | i auth <-CHECK IF IT WORKED

Sysauthcontrol Enabled

EAP - Extensible Authentication Protocol allows the device to forward authentication request to the server, bypassing the local security.

TIP: When creating a USER with only one function, or a MENU, implement the AUTOCOMMAND feature:

(config)#username TEST_USER autocommand menu NOC <-NOC IS A MENU NAME

TIP: When you want to DISABLE the DOMAIN LOOKUP, but only on the CONSOLE port, there is a TRICK:

(config)#line con 0

(config-line)#transport preferred none

TIP: Don't forget the POLICE RATE command within the Policy-Map when you need to police by PPS:

(config-pmap-c)#police rate 100 pps

TIP: When you want to DISABLE SOURCE ROUTING, just do the global command:

(config)#no ip source-route

____________________________________________________________________________________________________________________

Router Security - Best Practices ____________________________________________________________________________________________________________________

First you should define some RULES for the password definitions. For example - Minimal Password Length:

(config)#security passwords min-length 7

Make users wait for 1 minute if they fail to log in 3 times within 1 minute, and LOG it:

(config)#login block-for 60 attempts 3 within 60 <- ALLOW 3 ATTEMPTS WITHIN 1 MINUTE

(config)#security authentication failure rate 3 log <- LOG FAILED ATTEMPTS
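As an added example (my own model, not IOS code), a Python sketch of what "login block-for 60 attempts 3 within 60" does with a stream of login attempts: failures are counted in a sliding window, the third one inside the window starts a quiet period in which every login is rejected, and sources matched by "login quiet-mode access-class" (modelled here as an exempt set, an assumption) still get through. The addresses and timestamps are constructed; the log lines are what the "failure rate ... log" style of reporting would give an operator to alert on.

```python
from collections import deque


class LoginGuard:
    """Model of 'login block-for BLOCK attempts N within WINDOW': N failed
    logins inside WINDOW seconds put the device into quiet mode for BLOCK
    seconds, during which all logins are rejected except from exempt sources
    (the 'login quiet-mode access-class' idea). Times are seconds on one clock."""

    def __init__(self, block_for=60, attempts=3, within=60, exempt=()):
        self.block_for = block_for
        self.attempts = attempts
        self.within = within
        self.exempt = set(exempt)
        self.failures = deque()     # timestamps of recent failed attempts
        self.quiet_until = None     # end of quiet mode, None when not active
        self.log = []               # what the router would log for the operator

    def attempt(self, now, src, password_ok):
        """Process one login attempt; returns 'allowed', 'failed' or 'blocked'."""
        if self.quiet_until is not None and now < self.quiet_until and src not in self.exempt:
            self.log.append(f"{now}s {src}: login rejected, quiet mode until {self.quiet_until}s")
            return "blocked"
        if password_ok:
            return "allowed"
        self.failures.append(now)
        while self.failures and now - self.failures[0] > self.within:
            self.failures.popleft()          # forget failures that fell out of the window
        self.log.append(f"{now}s {src}: authentication failure ({len(self.failures)} in window)")
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            self.failures.clear()
            self.log.append(f"{now}s entering quiet mode for {self.block_for}s")
        return "failed"


if __name__ == "__main__":
    # Constructed attempts: three failures from 198.51.100.7, then two logins
    # during quiet mode (one from the exempt management host 10.0.0.9).
    guard = LoginGuard(exempt={"10.0.0.9"})
    for t, src, ok in [(0, "198.51.100.7", False), (20, "198.51.100.7", False),
                       (40, "198.51.100.7", False), (50, "10.0.0.5", True),
                       (50, "10.0.0.9", True), (101, "10.0.0.5", True)]:
        print(t, src, guard.attempt(t, src, ok))
    print("\n".join(guard.log))
```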

To set up a PRIVILEGE mode password that uses MD5 hashing:

(config)#enable secret level 15 0 Cisco07

*TIP: If your password contains "?", you need to press "ESC+Q" or “CTRL+V” before you enter the "?" sign.


To define the USERNAME and assign it a MD5 Hash Password:

(config)#username cisqueros secret 0 Cisco07

(config)#do sh run | i username

username cisqueros secret 5 $1$YyRE$V60bOcwZ7ZK0LMusIVnhs/

The No Service Password-Recovery feature is a security enhancement to prevent anyone with console access from accessing the router configuration and clearing the password. If you want to do this, make sure the Conf.Register is 0x2102:

#sh ver | i register

Configuration register 0x2102 (Ignores break, Boots into ROM if initial boot fails, 9600 console baud rate default)

More about Configuration Register Values:

http://www.cisco.com/en/US/products/hw/routers/ps133/products_tech_note09186a008022493f.shtml

Then apply the command. *This command is HIDDEN, so the "?" will not display it! You will also be WARNED by IOS:

(config)#no service password-recovery

WARNING: Executing this command will disable password recovery mechanism.

Do not execute this command without another plan for password recovery.

Are you sure you want to continue? [yes/no]:

Don't forget to configure both the CONSOLE Port (line con 0) and the AUXILIARY Port as a backup solution (line aux 0). You should automatically DISCONNECT these sessions (CON & AUX) after some time of inactivity:

(config-line)#session-timeout 5 <-DISCONNECT IF NO INPUT FOR 5 MINUTES (VALUE IS IN MINUTES)

(config-line)#exec-timeout 5 0 <-TERMINATE CONSOLE CONNECTION IF NO INPUT FOR 5 MINUTES 0 SECONDS

If you have more than one administrator, and you want to limit them to certain commands, use "privilege exec", and define the Privilege Level 9 commands:

(config)#privilege exec level 9 show interfaces <- BOTH "SHOW" AND "SHOW INT" WILL APPEAR IN "SHOW RUN"

(config)#privilege exec level 9 ping

(config)#privilege exec level 9 traceroute

Be sure to apply the usage of the local user database on the CONSOLE PORT:

(config)#line con 0

(config-line)#login local

To disable showing WHO IS CURRENTLY LOGGED INTO the device:

(config)#no ip finger

____________________________________________________________________________________________________________________

KNOWN ATTACKS and how to prevent ____________________________________________________________________________________________________________________

SMURF ATTACK: Large number of ICMPs sent to the Router subnet's BROADCAST address to provoke a DoS. You can create the ACL that denies x.x.x.255, or do the INTERFACE command (enabled by default in new IOS):

(config-subif)#no ip directed-broadcast

Trin00 ATTACK: SYN DoS attack that uses UDP FLOODS, uses TCP 1524,27665 and UDP 27444,31335

Trinityv3 ATTACK: Include UDP Fragment, SYN, RST, ACK. It uses IRC, mainly TCP/6667 with a client TCP/33270

ICMP echo and related ICMP types are used for many ATTACKS, so they should be denied at the entrance to your network:

(config)#access-list 102 deny icmp any any mask-request

(config)#access-list 102 deny icmp any any redirect

(config)#access-list 102 deny icmp any any echo

TRACEROUTE uses the PORT range 33400-34400, so think if you want to disable those as well.


____________________________________________________________________________________________________________________

BANNER and MENU Configuration ____________________________________________________________________________________________________________________

If you need to define a BANNER to display the user restrictions, have in mind that you can use the variables:

$(hostname) $(line) $(domain)

You also have an option of creating the DYNAMIC ENTRIES as a banner, and let user use the VARIABLES as a response:

Cisco Docs: Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.4T>Banner Configuration

Step 1: Define the MENU TITLE

(config)#menu MYMENU title &This is the AXA menu&

Step 2: Define the TEXT ITEMS:

(config)#menu MYMENU text 1 Display all interfaces with their IPs

(config)#menu MYMENU text 2 Display the configuration of Fa1/0/1

(config)#menu MYMENU text 3 Logout

(config)#menu MYMENU text 4 Exit the Menu

Step 3: Specify the UNDERLYING COMMAND of each item in the MENU:

(config)#menu MYMENU command 1 sh ip int br

(config)#menu MYMENU command 2 sh run int fa1/0/1

(config)#menu MYMENU command 9 menu-exit

Step 4: Define the DEFAULT action:

(config)#menu MYMENU default 9

Step 5: Define the GLOBAL commands, for example to clean the screen when the MENU starts:

(config)#menu MYMENU clear-screen

____________________________________________________________________________________________________________________

Configure SSH Access ____________________________________________________________________________________________________________________

Cisco Documents:Security>AAA>Secure Shell Configuration Guide:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_ssh/configuration/12-4t/sec-cfg-secure-shell.html

The first step would be to make sure that all the devices within your network SUPPORT Secure Shell. Then you need to decide HOW you want to implement it, as there are 2 options:

1. Configuring a Router for SSH Version 2 Using a Hostname and Domain Name

2. Configuring a Router for SSH Version 2 Using RSA Key Pairs

In the first configuration type, these are the steps to follow:

Step 1: Be sure to have the Hostname and the IP Domain Name configured:

(config)#ip domain name SNArchs


Step 2: Decide the key pair size (in bits, by default 512 bits) and generate the RSA key. This ENABLES SSHv2:

(config)#crypto key generate rsa usage-keys

The name for the keys will be: ES-MAT-AES-SR04.SNArchs

Choose the size of the key modulus in the range of 360 to 2048 for your Signature Keys. Choosing a key

modulus greater than 512 may take a few minutes.

How many bits in the modulus [512]:

Choose the size of the key modulus in the range of 360 to 2048 for your

Encryption Keys. Choosing a key modulus greater than 512 may take a few minutes.

How many bits in the modulus [512]: 512

% Generating 512 bit RSA keys, keys will be non-exportable...[OK]

% Generating 512 bit RSA keys, keys will be non-exportable...[OK]

*Dec 5 12:58:48.123: %SSH-5-ENABLED: SSH 2.0 has been enabled

Then configure the VTY port for the user database to use (TACACS or LOCAL), and to use SSH:

(config)#line vty 0 4

(config-line)#login local <-WONT BE AVAILABLE AFTER SSH IS ENABLED

(config-line)#transport input ssh

*When testing the access via SSH don’t forget to use the "-l" to define the username:

#ssh -l mat 10.1.12.2

You can also use AAA to define the AUTHENTICATION PROFILE (AAA_AUTH), that can later be applied to ALL VTY ports:

(config)#aaa new-model

(config)#aaa authentication login AAA_AUTH local

Now apply it to the VTY port:

(config)#line vty 0 4

(config-line)#transport input ssh

(config-line)#login authentication AAA_AUTH

*"rotary" command under the VTY changes the telnet port to that line. "rotary 5" sets the port on that line to 3005

____________________________________________________________________________________________________________________

ADVANCED Access Lists (ACL) Configuration ____________________________________________________________________________________________________________________

TIP: ACL is applied directly to the interface using the "ip access-group" command:

(config-subif)#ip access-group EXTENDED_OR_STANDARD_ACL [in | out]

TIP: Watch out not to ban the routing protocol traffic!!! You might need to add this to your filter ACL:

(config-ext-nacl)#permit ospf any any

TIP: “deny any any” doesn't affect the locally generated traffic on the router

It's enough to configure the extended ACL and hit a question mark when you want to define a PORT, just to realize that there is an entire world of ACL configuration options that we never knew about.

One of the awesome features is the ESTABLISHED attribute, which means: allow back the return traffic of TCP sessions that the inside hosts have already established. In this example we're allowing back in the TELNET and HTTP traffic to HOST 10.187.12.1:

(config-ext-nacl)#permit tcp any range 80 23 host 10.187.12.1 established

TIME-BASED ACL

STEP 1: define the time range using the "time-range TIMERANGE" command in the global configuration mode. Be sure the Clock is correct using "show clock", and if not, set it using "clock set" or with an NTP server.

STEP 2: attach the time-range to the ACL:

(config)#access-list 120 permit tcp any any eq 23 time-range TIMERANGE


____________________________________________________________________________________________________________________

DYNAMIC ACL (aka Lock and key ACL) ____________________________________________________________________________________________________________________

Special Feature used for AUTHENTICATION of other devices. Like the time-range, but instead of the time we permit or deny ACLs actions based

on Authentication. The ACL is defined using "access-list 102 dynamic..."

STEP 1: Create an EXTENDED ACL, but be sure to allow all the needed protocols before you apply it on the interface:

(config)#access-list 100 permit eigrp any any

(config)#access-list 100 permit icmp any any

STEP 2: Create a DYNAMIC entry in the defined ACL, which will create a Dynamic ACL called DYN_ACL:

(config)#access-list 100 dynamic DYN_ACL permit ip any any

STEP 3: Apply the ACL on the interface:

(config-if)#ip access-group 100 in

STEP 4: Configure the VTY line for the dynamic ACL using the AUTOCOMMAND feature:

(config-line)#autocommand access-enable host

*"access-enable" is an EXEC, it doesn't appear when "?" is pressed

**AUTOCOMMAND links the DYNAMIC ACL to TELNET AUTHENTICATION

*"rotary" command under the VTY changes the telnet port to that line. "rotary 5" sets the port on that line

to 3005

You can also apply the "autocommand" directly to the USERNAME, if you want to apply the DYNAMIC ACL to one user only:

(config)#username TELNET password CISCO

(config)#username TELNET autocommand access-enable

____________________________________________________________________________________________________________________

REFLEXIVE ACL - For Session Filtering ____________________________________________________________________________________________________________________

Applied on the outbound interface of the router, we're taking care of the outgoing traffic, and then we CHECK THE RETURNING TRAFFIC, meaning - we are making sure that the returning traffic is the mirror image of what went out. When configuring, you need 2 ACLs:

STEP 1: OUTBOUND ACL. In the extended ACL for the outbound traffic configure:

(config)#ip access-list extended OUT_ACL

(config-ext-nacl)#permit tcp any any eq www reflect REFLECT_ACL

(config-ext-nacl)#permit tcp any any eq telnet reflect REFLECT_ACL

(config-ext-nacl)#permit tcp any any eq https reflect REFLECT_ACL

STEP 2: And on the INBOUND ACL within the extended ACL configuration:

(config)#ip access-list extended IN_ACL

(config-ext-nacl)#permit ospf any any <-YOU HAVE TO ALLOW THESE MANUALLY BECAUSE THE PACKETS ORIGINATED BY THE ROUTER ITSELF WILL NOT BE REFLECTED

(config-ext-nacl)#permit tcp any any eq bgp

(config-ext-nacl)#permit tcp any eq bgp any

(config-ext-nacl)#evaluate REFLECT_ACL

*You should consider permitting ICMP time-exceeded and port-unreachable packets, for when you're pinging stuff outside your network

STEP 3: Then apply the first one outbound, and the second one inbound on the same interface.

(config-subif)#ip access-group OUT_ACL out

(config-subif)#ip access-group IN_ACL in

After 5 minutes of inactivity the entries expire. It can be modified using the command "ip reflexive-list timeout X":

(config)#ip reflexive-list timeout 120 <-TIME A REFLEXIVE ACL ENTRY EXISTS WHEN NO PACKETS ARE DETECTED (default 300 seconds)
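The difference between the "established" keyword (see the ADVANCED ACL section above) and a reflexive ACL entry, modelled in Python as an added example; this is not code from the original guide. The hosts, ports and the 300 second timeout are constructed for the demo, and the refresh-on-activity behaviour follows the inactivity timer described above:

```python
# Added example (not from the original guide): a model of the "established"
# keyword versus a reflexive ACL, to show why reflexive entries are stricter.
# Hosts, ports and the timeout value are constructed for the demo.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str] = frozenset()   # TCP flags, e.g. {"SYN"} or {"ACK"}

def matches_established(pkt: Packet) -> bool:
    """'established' is stateless: it only checks that ACK or RST is set."""
    return pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"})

class ReflexiveAcl:
    """Temporary mirror entries created by 'reflect' and checked by 'evaluate'."""

    def __init__(self, timeout: int = 300):       # ip reflexive-list timeout
        self.timeout = timeout
        # (proto, src, sport, dst, dport) of the *returning* packet -> expiry time
        self.entries: Dict[Tuple[str, str, int, str, int], int] = {}

    def reflect(self, pkt: Packet, now: int) -> None:
        """Outbound packet matched a 'reflect' line: create the mirrored entry."""
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.entries[key] = now + self.timeout

    def evaluate(self, pkt: Packet, now: int) -> bool:
        """Inbound 'evaluate': permit only if a live mirrored entry exists."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        expiry = self.entries.get(key)
        if expiry is None or now > expiry:
            self.entries.pop(key, None)           # expired entries are removed
            return False
        self.entries[key] = now + self.timeout    # activity refreshes the timer
        return True

def run_scenario() -> Dict[str, bool]:
    """Constructed traffic: one legitimate web session plus a stray ACK packet."""
    inside, outside = "10.187.12.1", "198.51.100.10"
    acl = ReflexiveAcl(timeout=300)
    outbound = Packet("tcp", inside, 50000, outside, 80, frozenset({"SYN"}))
    acl.reflect(outbound, now=0)
    reply = Packet("tcp", outside, 80, inside, 50000, frozenset({"SYN", "ACK"}))
    # A packet with ACK set that belongs to no session the inside host opened
    stray = Packet("tcp", outside, 80, inside, 4444, frozenset({"ACK"}))
    return {
        "reply_established": matches_established(reply),    # True
        "reply_reflexive": acl.evaluate(reply, now=10),      # True: mirrored entry exists
        "stray_established": matches_established(stray),     # True: flag check only
        "stray_reflexive": acl.evaluate(stray, now=10),      # False: no session
        "reply_after_timeout": acl.evaluate(reply, now=400), # False: idle > 300 s
    }
```

The stray packet shows the practical point: "established" lets through anything carrying an ACK bit, while the reflexive entry only exists for the exact 5-tuple the inside host created, and disappears after the idle timeout.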


____________________________________________________________________________________________________________________

TCP INTERCEPT - To prevent TCP SYN DoS attacks ____________________________________________________________________________________________________________________

When you want to perform LOGGING of the SYN ATTACKS using the ACLs, you can automatically include into the log the MAC address of the

Device that forwarded the packet into the segment by simply adding to the Extended ACL:

(config-ext-nacl)# permit tcp any host 192.1.28.100 eq www syn log-input

(config-ext-nacl)# permit ip any any <-DON'T FORGET TO ADD THIS, OR YOU JEOPARDIZE THE FLOWS

TCP INTERCEPT takes care that the 3-WAY TCP Handshake is correctly performed. So it observes the SYN sent from the OUTSIDE towards the inside Web Server (for example), the server replies with the "SYN ACK", and that's where TCP INTERCEPT does its job, waiting for the CLIENT to send the ACK and establish the TCP Session. If the ACK is NOT received - the Router decides to TIME OUT the session, and sends a RESET to the Server. (In a TCP SYN attack thousands of TCP sessions are started with the servers, exhausting Server resources.) There are 2 modes of TCP INTERCEPT:

INTERCEPT MODE - router actively intercepts the TCP session

WATCH MODE - router only MONITORS the TCP session and sends the RST (session reset) to the Server if ACK not received

(config)#ip tcp intercept list 101 <-SERVERS YOU'RE PROTECTING

(config)#ip tcp intercept watch-timeout 15 <-IF ACK NOT RECEIVED IN 15 SECONDS, SEND RST

(config)#ip tcp intercept mode watch
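What the WATCH mode does over time, as an added Python model (not code from the original guide): the router only watches the handshake, and when the client's ACK has not arrived within the watch-timeout it sends a RST to the protected server so the half-open session is released. The server address, client addresses and timings are constructed for the demo:

```python
# Added example (not from the original guide): a model of TCP Intercept in
# WATCH mode. The router only observes the handshake; if the client's final
# ACK is not seen within watch-timeout, it sends a RST to the protected server
# so the half-open session is released. Addresses and timings are constructed.
from typing import Dict, FrozenSet, List, NamedTuple, Set, Tuple

class Segment(NamedTuple):
    t: float            # arrival time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]

HalfOpenKey = Tuple[str, int, str, int]   # (client, cport, server, sport)

class TcpInterceptWatch:
    def __init__(self, protected: Set[str], watch_timeout: float = 30.0):
        self.protected = protected              # hosts matched by "ip tcp intercept list"
        self.watch_timeout = watch_timeout      # "ip tcp intercept watch-timeout"
        self.half_open: Dict[HalfOpenKey, float] = {}
        self.resets: List[Tuple[str, int, str, int]] = []   # RSTs sent to servers
        self.completed = 0

    def observe(self, seg: Segment) -> None:
        self.expire(seg.t)
        if seg.dst not in self.protected:
            return                               # the server's SYN-ACK and other traffic are just watched
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        if seg.flags == frozenset({"SYN"}):
            self.half_open[key] = seg.t          # handshake started
        elif "ACK" in seg.flags and key in self.half_open:
            del self.half_open[key]              # client ACK: handshake complete
            self.completed += 1

    def expire(self, now: float) -> None:
        """Time out half-open sessions and reset them on the server side."""
        for key, started in list(self.half_open.items()):
            if now - started > self.watch_timeout:
                client, cport, server, sport = key
                self.resets.append((server, sport, client, cport))
                del self.half_open[key]

def run_trace() -> Dict[str, int]:
    """Constructed trace: one completed handshake, two SYNs never followed up."""
    server = "192.1.28.100"
    tci = TcpInterceptWatch({server}, watch_timeout=15)
    S, A = frozenset({"SYN"}), frozenset({"ACK"})
    trace = [
        Segment(0.0, "203.0.113.5", 40000, server, 80, S),    # legitimate client
        Segment(0.1, "203.0.113.5", 40000, server, 80, A),    # completes handshake
        Segment(1.0, "198.51.100.7", 1025, server, 80, S),    # SYN without follow-up
        Segment(1.0, "198.51.100.8", 1026, server, 80, S),    # SYN without follow-up
        Segment(2.0, "203.0.113.9", 41000, "10.0.0.9", 80, S),# not a protected host
    ]
    for seg in trace:
        tci.observe(seg)
    tci.expire(now=20.0)                                      # 15 s watch-timeout passed
    return {"completed": tci.completed, "resets": len(tci.resets),
            "half_open": len(tci.half_open)}
```

In INTERCEPT mode the router would instead answer the SYN itself and only open the server side once the client ACK arrives; the watch-mode model above is the lighter variant the section configures.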

____________________________________________________________________________________________________________________

CBAC - Context Based Access Control Firewall ____________________________________________________________________________________________________________________

Cisco Docs: Secure DATA PLANE>Security Configuration Guide: Context-Based Access Control Firewall

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_cbac_fw/configuration/12-4t/sec-data-cbac-fw-12-4t-book.html

Without CBAC, traffic filtering is limited to access list implementations that examine packets at the network layer, or at most, the transport

layer. However, CBAC examines not only network layer and transport layer information but also examines the application-layer protocol

information (such as FTP connection information) to learn about the state of the session. This allows support of protocols that involve multiple

channels created as a result of negotiations in the control channel. Most of the multimedia protocols as well as some other protocols (such as

FTP, RPC, and SQL*Net) involve multiple channels.

CBAC creates TEMPORARY OPENINGS in ACLs at firewall interfaces. These openings are created when specified traffic exits your internal

network through the firewall. The openings ALLOW RETURNING TRAFFIC (that would normally be blocked) and additional data channels to

enter your internal network back through the firewall.

You can also configure CBAC to specifically inspect certain application-layer protocols. The following application-layer protocols can all be

configured for CBAC:

CU-SeeMe (only the White Pine version)

FTP

H.323 (such as NetMeeting, ProShare)

HTTP (Java blocking)

Microsoft NetShow

UNIX R-commands (such as rlogin, rexec, and rsh)

RealAudio

RTSP (Real Time Streaming Protocol)

RPC (Sun RPC, not DCE RPC)

SMTP (Simple Mail Transport Protocol)

The basic (GENERIC) CBAC is quite simple to configure. Define the INSPECTION RULES, and apply them on the interface:

(config)#ip inspect name INP_POL1 tcp

(config)#ip inspect name INP_POL1 udp

(config)#ip inspect name INP_POL1 icmp

APPLY the Inspection Rules to the interface, towards the OUTSIDE network:

(config-if)#ip inspect INP_POL1 out


To allow the initiated traffic BACK IN, define the ACL with what you want to permit and apply it:

(config)#access-list 100 permit eigrp any any

(config)#access-list 100 permit icmp any any

(config-if)#ip access-group 100 in

Check the established sessions:

#sh ip inspect sessions

Established Sessions

Session AEA5F2E0 (10.1.13.3:52287)=>(10.1.12.2:23) tcp SIS_OPEN

CBAC can be configured to inspect various traffic types. These are the global CBAC parameters that can be tuned:

(config)#ip inspect ?

WAAS Firewall and Cisco WAE interoperability configuration

alert-off Disable alert

audit-trail Enable the logging of session information (addresses and

bytes)

dns-timeout Specify timeout for DNS

hashtable-size Specify size of hashtable

log Inspect packet logging

max-incomplete Specify maximum number of incomplete connections before

clamping

name Specify an inspection rule

one-minute Specify one-minute-sample watermarks for clamping

tcp Config timeout values for tcp connections

udp Config timeout values for udp flows

<cr>

Also some specific HTTP types of traffic can be inspected, such as JAVA:

(config)#ip inspect name FW_INSPECT http ?

alert Turn on/off alert

audit-trail Turn on/off audit trail

java-list Specify a standard access-list to apply the Java blocking. If

specified, MUST appear directly after option "http"

timeout Specify the inactivity timeout time

urlfilter Specify URL filtering for HTTP traffic

<cr>

____________________________________________________________________________________________________________________

PAM - Port to Application Mapping ____________________________________________________________________________________________________________________

Cisco Docs: Secure DATA PLANE>Security Configuration Guide: Context-Based Access Control Firewall

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_cbac_fw/configuration/12-4t/sec-data-cbac-fw-12-4t-book.html

PAM is a way to MAP a PORT (or a group of ports) to the already defined, or a new application. For example http is already mapped to port

TCP 80, but we can also add 8000 and 8080 to HTTP:

(config)#ip port-map http port tcp 8080

(config)#ip port-map http port tcp 8000

Check if it "worked"

#sh ip port-map http

Default mapping: http tcp port 80 system defined

Default mapping: http tcp port 8000 user defined

Default mapping: http tcp port 8080 user defined

Now if you want to inspect the NEW http, define the INSPECT operation and apply it just like in CBAC:

(config)#ip inspect name INS_WEB http

(config-if)#ip inspect INS_WEB out


____________________________________________________________________________________________________________________

uRPF - Unicast Reverse Path Forwarding ____________________________________________________________________________________________________________________

Designed for DoS attacks based on SPOOFING (forging the IP source)

TIP: When you see IP SPOOFING - it's a "trigger" to use the uRPF

Cisco Docs: Secure DATA PLANE>Security Configuration Guide: Unicast Reverse Path Forwarding

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_urpf/configuration/12-4t/sec-data-urpf-12-4t-book.html

The Unicast RPF feature helps to mitigate problems that are caused by the introduction of malformed or forged (spoofed) IP source addresses

into a network by discarding IP packets that lack a verifiable IP source address. Configure the receiving interface, which allows Unicast RPF to

verify the best return path before forwarding the packet on to the next destination. For example, verify if the SOURCE IP is reachable via that

exact interface:

(config-subif)#ip verify unicast source reachable-via ?

any Source is reachable via any interface

rx Source is reachable via interface on which packet was received <-EXACT INTERFACE

#sh ip int s1/0.21 | b verify

IP verify source reachable-via RX

0 verification drops

0 suppressed verification drops

0 verification drop-rate

!!!If the check fails, i.e. this is NOT the best interface to reach the IP from which the incoming packet was sourced, the packet is DROPPED.

This feature can also be configured using the multiple extended ACLs, where you would DENY the traffic with your LAN IPs as source to come

from the PROVIDERs network.
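The strict (rx) versus loose (any) check, as an added Python model that is not code from the original guide. It uses a constructed FIB with longest-prefix match; ECMP is modelled by allowing several interfaces per prefix, and the default route only satisfies the check when allow_default is set (the "allow-default" keyword of the IOS command):

```python
# Added example (not from the original guide): a strict (rx) versus loose (any)
# uRPF check performed against a small constructed FIB with longest-prefix
# match. ECMP is modelled by allowing several interfaces per prefix, and the
# default route only counts when allow_default is set (the allow-default keyword).
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

Route = Tuple[ipaddress.IPv4Network, Set[str]]

class Fib:
    def __init__(self, routes: Dict[str, List[str]]):
        self.routes: List[Route] = [
            (ipaddress.ip_network(prefix), set(ifaces)) for prefix, ifaces in routes.items()
        ]

    def lookup(self, addr: str, allow_default: bool) -> Optional[Set[str]]:
        """Longest-prefix match; returns the set of outgoing interfaces or None."""
        ip = ipaddress.ip_address(addr)
        best: Optional[Route] = None
        for net, ifaces in self.routes:
            if net.prefixlen == 0 and not allow_default:
                continue                         # ignore 0.0.0.0/0 unless allowed
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, ifaces)
        return best[1] if best else None

def urpf_check(fib: Fib, src: str, in_iface: str, mode: str = "rx",
               allow_default: bool = False) -> bool:
    """mode 'rx' = strict (source reachable via the receiving interface),
    mode 'any' = loose (source reachable via any interface)."""
    ifaces = fib.lookup(src, allow_default)
    if ifaces is None:
        return False                             # no route to source: drop in both modes
    if mode == "any":
        return True
    return in_iface in ifaces

# Constructed FIB: a LAN behind Fa0/0 and two provider-facing sub-interfaces
FIB = Fib({
    "10.187.0.0/16": ["Fa0/0"],                  # our LAN
    "192.0.2.0/24": ["Se1/0.21"],                # provider-side prefix
    "172.16.0.0/16": ["Se1/0.21", "Se1/0.22"],   # ECMP towards two provider links
    "0.0.0.0/0": ["Se1/0.21"],
})

def run_checks() -> Dict[str, bool]:
    return {
        # LAN address arriving from the provider: spoofed, strict drops, loose passes
        "spoofed_lan_strict": urpf_check(FIB, "10.187.5.5", "Se1/0.21", "rx"),
        "spoofed_lan_loose": urpf_check(FIB, "10.187.5.5", "Se1/0.21", "any"),
        "provider_prefix_strict": urpf_check(FIB, "192.0.2.7", "Se1/0.21", "rx"),
        "ecmp_second_link_strict": urpf_check(FIB, "172.16.3.3", "Se1/0.22", "rx"),
        "default_only_strict": urpf_check(FIB, "203.0.113.9", "Se1/0.21", "rx"),
        "default_only_allow_default": urpf_check(FIB, "203.0.113.9", "Se1/0.21", "rx", True),
    }
```

The "default_only" cases are the ones that surprise people on an edge router: with a default route pointing at the provider, strict uRPF still drops sources that only match 0.0.0.0/0 unless allow-default is configured.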


____________________________________________________________________________________________________________________

Zone Based Firewall ____________________________________________________________________________________________________________________

Cisco Docs: Secure DATA PLANE>Security Configuration Guide:Zone-Based Policy Firewall:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/12-4t/sec-data-zbf-12-4t-book.html

To configure the Zone Based FW, the approach is somewhat similar to the MQC method in the QoS configuration.

STEP 1: Start by creating a class map of INSPECT TYPE, and match HTTP:

(config)#class-map type inspect match-any OUTSIDE

(config-cmap)#match protocol http <-WITHIN HTTP YOU CAN ALSO MATCH URL, JUST ADDING "http url "blabla" "

STEP 2: Create an inspect type POLICY-MAP that matches the defined CLASS-MAP and INSPECTS it, and DROPS everything else (class-default):

(config)#policy-map type inspect OUTSIDE_POLICY

(config-pmap)#class type inspect OUTSIDE

(config-pmap-c)#inspect ?

WORD Parameter-map (inspect) name <-A PARAMETER MAP CAN BE DEFINED TO TUNE THE INSPECTION

<cr>

(config-pmap-c)#inspect

(config-pmap)#class class-default

(config-pmap-c)#drop

STEP 3: Define the SECURITY ZONES for the interfaces you need, and assign them to the interfaces:

(config)#zone security DMZ

(config-if)#zone-member security DMZ

(config)#zone security OUTSIDE

(config-if)#zone-member security OUTSIDE

STEP 4: Set the POLICIES between each ZONE PAIR:

(config)#zone-pair security OUT-to-DMZ source OUTSIDE destination DMZ

(config-sec-zone-pair)#service-policy type inspect OUTSIDE_POLICY

#show policy-map type inspect zone-pair session

policy exists on zp OUT-to-DMZ

Zone-pair: OUT-to-DMZ

Service-policy inspect : OUTSIDE_POLICY

Class-map: INSIDE (match-any)

Match: protocol tcp

0 packets, 0 bytes

30 second rate 0 bps

Match: protocol udp

0 packets, 0 bytes

30 second rate 0 bps

Match: protocol icmp

0 packets, 0 bytes

30 second rate 0 bps

Inspect

Class-map: class-default (match-any)

Match: any

Drop

0 packets, 0 bytes

PARAMETER MAP can be created to tune to drop logs, handle alarms, max&min session numbers and much more, for example:

(config)#parameter-map type inspect eng-network-profile

(config-profile)#tcp synwait-time 3 <-HOW LONG TO WAIT FOR THE TCP SESSION TO BE ESTABLISHED AFTER THE SYN
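How a Zone Based FW decides what happens to a flow, as an added Python model (not code from the original guide). It reproduces the default behaviours the CLI steps above do not spell out: intra-zone traffic passes, traffic between a zone member and an interface in no zone is dropped, a missing zone-pair drops, and class-default drops. The zone, class and policy names are the ones from the steps; the interface names are constructed:

```python
# Added example (not from the original guide): a minimal model of how a
# Zone-Based Firewall decides what to do with a flow. It captures the default
# behaviours the CLI does not spell out: intra-zone traffic passes, traffic
# between a zone member and a non-member interface is dropped, a missing
# zone-pair drops, and class-default drops unless a policy says otherwise.
# Zone, class and policy names mirror the section; the interfaces are constructed.
from typing import Dict, List, Set, Tuple

class ZoneBasedFirewall:
    def __init__(self) -> None:
        self.iface_zone: Dict[str, str] = {}                 # zone-member security
        self.classes: Dict[str, Tuple[bool, Set[str]]] = {}  # name -> (match_any, protocols)
        self.policies: Dict[str, List[Tuple[str, str]]] = {} # name -> [(class, action)]
        self.zone_pairs: Dict[Tuple[str, str], str] = {}     # (src, dst) -> policy

    def class_map(self, name: str, protocols: Set[str], match_any: bool = True) -> None:
        self.classes[name] = (match_any, set(protocols))

    def policy_map(self, name: str, entries: List[Tuple[str, str]]) -> None:
        self.policies[name] = list(entries)

    def zone_pair(self, src: str, dst: str, policy: str) -> None:
        self.zone_pairs[(src, dst)] = policy

    def _matches(self, cname: str, protocols: Set[str]) -> bool:
        match_any, wanted = self.classes[cname]
        return bool(wanted & protocols) if match_any else wanted <= protocols

    def decide(self, in_iface: str, out_iface: str, protocols: Set[str]) -> str:
        """Return 'pass', 'inspect' or 'drop' for a flow entering in_iface."""
        src, dst = self.iface_zone.get(in_iface), self.iface_zone.get(out_iface)
        if src is None and dst is None:
            return "pass"                   # no zones involved: ZBF does not apply
        if src is None or dst is None:
            return "drop"                   # zone member <-> non-member interface
        if src == dst:
            return "pass"                   # intra-zone traffic is allowed
        policy = self.zone_pairs.get((src, dst))
        if policy is None:
            return "drop"                   # no zone-pair: implicit drop
        for cname, action in self.policies[policy]:
            if cname == "class-default" or self._matches(cname, protocols):
                return action               # first matching class wins
        return "drop"

def build() -> ZoneBasedFirewall:
    """The OUTSIDE -> DMZ policy from the steps above, with constructed interfaces."""
    fw = ZoneBasedFirewall()
    fw.iface_zone.update({"Fa0/0": "OUTSIDE", "Fa0/1": "DMZ", "Fa0/2": "DMZ"})
    fw.class_map("OUTSIDE", {"http"})
    fw.policy_map("OUTSIDE_POLICY", [("OUTSIDE", "inspect"), ("class-default", "drop")])
    fw.zone_pair("OUTSIDE", "DMZ", "OUTSIDE_POLICY")
    return fw

def run_cases() -> Dict[str, str]:
    fw = build()
    return {
        "http_out_to_dmz": fw.decide("Fa0/0", "Fa0/1", {"http"}),     # inspect
        "ssh_out_to_dmz": fw.decide("Fa0/0", "Fa0/1", {"ssh"}),       # drop (class-default)
        "dmz_to_out_no_pair": fw.decide("Fa0/1", "Fa0/0", {"http"}),  # drop
        "dmz_to_dmz": fw.decide("Fa0/1", "Fa0/2", {"http"}),          # pass
        "dmz_to_unzoned": fw.decide("Fa0/1", "Se1/0", {"http"}),      # drop
    }
```

The "dmz_to_out_no_pair" case is why an inspect action matters: return traffic of the inspected HTTP session is allowed by the session state, but a new flow started from the DMZ towards OUTSIDE has no zone-pair and is dropped.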


____________________________________________________________________________________________________________________

CONTROL Plane Policy (CPPr) ____________________________________________________________________________________________________________________

QoS: Policing and Shaping Configuration Guide>Control Plane Policing

http://www.cisco.com/en/US/docs/ios-xml/ios/qos_plcshp/configuration/12-4t/qos-plcshp-ctrl-pln-plc.html

CPPr works by treating the RP (Route Processor) as a VIRTUAL INTERFACE attached to the Router. You need to take care which EXACT control plane VIRTUAL SUB-INTERFACE you want to apply the policy to.

1. Control-plane HOST - Control plane for TCP/UDP traffic destined for one of the Physical Interfaces. Here you can use the PORT-FILTERING

and drop automatically packets destined to a certain port.

Within the class-map do, for example:

(config-cmap)#match port tcp 1996

Per-Protocol filtering is also possible, so you can set selective QUEUE LIMITS for BGP, OSPF, HTTP, SNMP...

2. Control-plane TRANSIT - For transit IP packets not handled by CEF

3. Control-plane cef-exception - For the NON TCP/UDP Traffic

When you are asked to limit the packets going to the Router's CPU to protect from Flood Attacks - this is the answer. It's very simple actually.

Define the Policy Map like in MQC for QoS, and instead of the interface,

APPLY IT DIRECTLY TO THE CONTROL PLANE

CBAC and Zone Based FW are all DATA Plane policies. Another type of Security Policies is a Control Plane Policy. This is quite similar to Cisco's

MQC used for the QoS traffic shaping and policing. You can also use the commands like from MQC to limit (POLICE) the Control Traffic.

You can use STANDARD CLASS-MAPS like in MQC to match PROTOCOL or ACLs (access-group), but you can also use, for example, the LOGGING

TYPE CLASS-MAPS:

(config)#class-map type logging match-any LOGGING

(config-cmap)#match packets ?

dropped Packets dropped by control-plane protection features <-IN ORDER TO VIEW THE CONTROL PLANE

error Error packets dropped by control-plane protection features

permitted Packets permitted by control-plane protection features

You can also MATCH the CLOSED PORTS within the class-map, or match the FRAGMENTED PACKETS within the ACL. Within the POLICY-MAP,

the actions are to POLICE based on the number of PACKETS PER SECOND and allow BURST PACKETS, or based on BW, or just PASS or DROP the

traffic within the matched Class-Map

(config)#policy-map POLICE_50KBPS

(config-pmap)#class CONTROL_BW

(config-pmap-c)#police 50000 conform-action transmit exceed-action drop violate-action drop

OR

(config-pmap-c)#police rate 100 pps burst 20 packets

The trick is to APPLY the Policy Map to the CONTROL PLANE:

(config)#control-plane

(config-cp)#service-policy input POLICE_50KBPS

*Jan 3 16:34:23.467: %CP-5-FEATURE: Control-plane Policing feature enabled on Control plane cef-exception path

Don't forget to check if your changes have been applied:

#sh control-plane features
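What "police rate 100 pps burst 20 packets" does to a flood of control-plane packets, as an added Python model that is not code from the original guide. The policer is a single token bucket kept in integer units (one token = 1000 units, time in milliseconds) so the counts are exact; the classifier deciding which packets are control-plane traffic and the packet trace are constructed for the demo:

```python
# Added example (not from the original guide): a packet-rate policer of the
# kind "police rate 100 pps burst 20 packets" applies to control-plane traffic,
# modelled as a single token bucket with integer arithmetic (one token =
# 1000 units, time in milliseconds) so the results are exact. Which packets
# count as control-plane traffic is decided by a small constructed classifier.
from typing import Dict, List, Tuple

TOKEN = 1000   # internal units per packet token

class PacketPolicer:
    def __init__(self, rate_pps: int, burst_packets: int) -> None:
        self.rate = rate_pps
        self.capacity = burst_packets * TOKEN
        self.tokens = self.capacity          # bucket starts full
        self.last_ms = 0

    def offer(self, t_ms: int) -> str:
        """Return 'conform' (transmit) or 'exceed' (drop) for a packet at t_ms."""
        elapsed = t_ms - self.last_ms
        self.last_ms = t_ms
        # refill: rate packets/s == rate units per ms because TOKEN == 1000
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        if self.tokens >= TOKEN:
            self.tokens -= TOKEN
            return "conform"
        return "exceed"

def classify(dport: int, to_router: bool) -> str:
    """Constructed class-map: management sessions addressed to the router itself."""
    return "CONTROL_BW" if to_router and dport in (22, 23, 161) else "class-default"

def run_copp(packets: List[Tuple[int, int, bool]], rate_pps: int = 100,
             burst: int = 20) -> Dict[str, int]:
    policer = PacketPolicer(rate_pps, burst)
    counts = {"conform": 0, "exceed": 0, "class-default": 0}
    for t_ms, dport, to_router in packets:
        if classify(dport, to_router) == "CONTROL_BW":
            counts[policer.offer(t_ms)] += 1
        else:
            counts["class-default"] += 1       # not policed by this policy
    return counts

def sample_flood() -> List[Tuple[int, int, bool]]:
    """Constructed trace: 50 telnet packets at t=0, 10 more one second later,
    then 199 packets spaced 5 ms apart (200 pps) plus one transit packet."""
    pkts = [(0, 23, True)] * 50
    pkts += [(1000, 23, True)] * 10
    pkts += [(1000 + 5 * k, 23, True) for k in range(1, 200)]
    pkts.append((2000, 80, False))
    return pkts
```

Reading the result: the initial burst of 50 gets 20 through (the burst), the 10 packets a second later all conform because the bucket refilled, and the sustained 200 pps stream is cut to roughly the configured 100 pps, which is exactly the CPU protection the section asks for.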


____________________________________________________________________________________________________________________

IOS IPS (Intrusion Prevention System) ____________________________________________________________________________________________________________________

Cisco Docs: Secure DATA PLANE>Security Configuration Guide:Cisco IOS Intrusion Prevention System

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_ios_ips/configuration/12-4t/sec-data-ios-ips-12-4t-book.html

IPS is watching packets and sessions as they flow through the router and scanning each packet to match any of the Cisco IOS IPS signatures.

When packets in a session match a signature, Cisco IOS IPS can take any of the actions:

- Send an alarm to a syslog server or a centralized management interface

- Drop the packet

- Reset the connection

- Deny traffic from the source IP address of the attacker for a specified amount of time

- Deny traffic on the connection for which the signature was seen for a specified amount of time

SDEE is an application-level communication protocol, used to exchange IPS messages between IPS clients and IPS servers.

If you want to configure transparent Cisco IOS IPS, you must configure bridge group before loading IPS onto a device:

(config)#bridge 1 protocol [dec | ibm | ieee | vlan-bridge]

*1 IS A BRIDGE-GROUP NUMBER

Then apply the defined bridge group 1 to the interface you want:

(config-if)#bridge-group 1

First you need to specify the location in which the router loads the SDF (Signature Definition File), because in the IOS there are NO DEFAULT

SIGNATURES:

(config)# ip ips sdf location disk2:attack-drop.sdf

If you're configuring the IP IPS on a new router, first CREATE the IPS, name it, and define it, in this case to send the events as SYSLOG

messages:

(config)#ip ips name MYIPS

(config)#ip ips notify log

*Be sure to have a SYSLOG SERVER defined:

(config)#logging 10.187.145.12

(config)#logging ON

Specify where the IPS configuration will be stored:

(config)#ip ips config location flash:MYIPS

Apply the configured IPS to the interface:

(config-if)#ip ips MYIPS out

*THIS WILL NOT WORK UNLESS YOU HAVE THE SIGNATURES. To check the signatures:

#sh ip ips signatures

Cisco SDF release version S0.0

Trend SDF release version V0.0

En - possible values are Y, Y*, N, or N*

Y: signature is enabled

N: enabled=false in the signature definition file

*: retired=true in the signature definition file

Cmp - possible values are Y, Ni, Nr, Nf, or No

Y: signature is compiled

Ni: signature not compiled due to invalid or missing parameters


Nr: signature not compiled because it is retired

Nf: signature compile failed

No: signature is obsoleted

Nd: signature is disallowed

Action=(A)lert, (D)eny, (R)eset, Deny-(H)ost, Deny-(F)low

Trait=alert-traits EC=event-count AI=alert-interval

GST=global-summary-threshold SI=summary-interval SM=summary-mode

SW=swap-attacker-victim SFR=sig-fidelity-rating Rel=release

Signature Micro-Engine: atomic-ip (INACTIVE)

Signature Micro-Engine: normalizer (INACTIVE)

Signature Micro-Engine: service-http-v2 (INACTIVE)

Signature Micro-Engine: service-http (INACTIVE)

...

You might need to generate the SDF using the .txt file downloaded from the cisco.com to your flash:

#more flash:downloaded_key.txt <-COPY THE CONTENT TO LATER PASTE INTO THE KEY

Now create the key:

(config)#crypto key pubkey-chain rsa

(config-pubkey-chain)#named-key DOWNLOADED_KEY signature

(config-pubkey-key)#key-string

Enter a public key as a hexidecimal number ....

(config-pubkey)#(ENTER THE COPIED CONTENT HERE, and type "quit")

____________________________________________________________________________________________________________________

AAA Authentication ____________________________________________________________________________________________________________________

Cisco Docs: Securing User Services Configuration>Authentication Authorization and Accounting

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_aaa/configuration/12-4t/sec-cfg-authentifcn.html

This is pretty straightforward, because on the CCIE R&S exam you won't have to configure an actual ACS server. For starters be sure that "aaa new-model" is configured.

Turn the TACACS+ authentication ON, and set LOCAL DB as backup:

(config)#aaa authentication login MYTACACS group tacacs+ local enable

*MYTACACS is the authentication policy (method list). If you put "default" instead of specifying the policy, there is no need to assign the policy to the VTY line later, it's the default policy on the device, from wherever you try to authenticate. In case you have a default policy, you ALSO need to define a NO_AUTH policy to apply where you don't want TACACS, like the AUX and CONSOLE ports maybe.

Define the TACACS+ as a server, and set the Shared Secret:

(config)#tacacs-server host 10.1.1.10 key cisco

Define the source interface from which you will authenticate:

(config)#ip tacacs source-interface Loopback0

Apply the authentication settings to the VTY line:

(config-line)#login authentication MYTACACS

Test the access via TACACS:

#test aaa group tacacs+ USERNAME PASSWORD legacy
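How the method list "group tacacs+ local enable" actually falls through, as an added Python model that is not code from the original guide. The modelled rule is the IOS one: the next method is tried only when a method returns ERROR (server unreachable, or the user is unknown to the local database); a PASS or FAIL answer is final, so a TACACS+ reject is not rescued by the local password. Server addresses, users and secrets are constructed for the demo:

```python
# Added example (not from the original guide): how an AAA login method list
# such as "group tacacs+ local enable" falls through. The modelled rule is the
# IOS one: a method is skipped only when it returns ERROR (server unreachable,
# or user unknown to the local database); a PASS or FAIL answer is final, so a
# TACACS+ reject is NOT rescued by the local password. Servers, users and
# secrets are constructed for the demo.
from typing import Dict, List, Optional

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

class TacacsServer:
    def __init__(self, host: str, reachable: bool, users: Dict[str, str]) -> None:
        self.host, self.reachable, self.users = host, reachable, users

    def authenticate(self, user: str, password: str) -> str:
        if not self.reachable:
            return ERROR
        return PASS if self.users.get(user) == password else FAIL

class AaaLogin:
    def __init__(self, method_list: List[str], servers: List[TacacsServer],
                 local_users: Dict[str, str], enable_secret: Optional[str]) -> None:
        self.method_list = method_list
        self.servers = servers
        self.local_users = local_users
        self.enable_secret = enable_secret

    def _group_tacacs(self, user: str, password: str) -> str:
        for server in self.servers:              # servers are tried in order
            result = server.authenticate(user, password)
            if result != ERROR:
                return result                    # first reachable server decides
        return ERROR                             # all unreachable

    def _local(self, user: str, password: str) -> str:
        if user not in self.local_users:
            return ERROR                         # unknown user: try next method
        return PASS if self.local_users[user] == password else FAIL

    def _enable(self, password: str) -> str:
        if self.enable_secret is None:
            return ERROR
        return PASS if password == self.enable_secret else FAIL

    def login(self, user: str, password: str) -> Dict[str, str]:
        """Return the decision and the method that produced it."""
        for method in self.method_list:
            if method == "group tacacs+":
                result = self._group_tacacs(user, password)
            elif method == "local":
                result = self._local(user, password)
            elif method == "enable":
                result = self._enable(password)
            else:
                raise ValueError(f"unsupported method {method}")
            if result != ERROR:
                return {"result": result, "method": method}
        return {"result": FAIL, "method": "none-left"}

def run_cases() -> Dict[str, str]:
    local = {"admin": "localpw"}
    down = TacacsServer("10.1.1.10", reachable=False, users={})
    up = TacacsServer("10.1.1.10", reachable=True, users={"admin": "tacpw"})
    methods = ["group tacacs+", "local", "enable"]
    a_down = AaaLogin(methods, [down], local, "en-secret")
    a_up = AaaLogin(methods, [up], local, "en-secret")
    return {
        "server_down_local_ok": a_down.login("admin", "localpw")["method"],   # local
        "server_up_reject": a_up.login("admin", "localpw")["result"],         # FAIL
        "server_up_accept": a_up.login("admin", "tacpw")["result"],           # PASS
        "unknown_user_enable": a_down.login("guest", "en-secret")["method"],  # enable
    }
```

The "server_up_reject" case is the one to remember when the text says the local database is a "backup": it backs up an unreachable server, not a server that says no.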


MPLS


____________________________________________________________________________________________________________________

MPLS Configuration ____________________________________________________________________________________________________________________

This post assumes that you already know how the protocol works. If you don't - go read that first, what are you waiting for... don't you know how important MPLS is. MPLS Neighbor Discovery uses Hello messages sent to 224.0.0.2, UDP port 646

LSR - Label Switching Router

LDP - Label Distribution Protocol

To configure MPLS you first need to enable it globally on a router and on all the relevant interfaces. You also have to define the actual PROTOCOL for the LABEL DISTRIBUTION (LDP, or TDP, which was the DEFAULT on IOS versions prior to 12.4, but is no longer in use):

(config)#mpls ip

(config)#mpls label protocol ldp <-ALL THE INTERFACES WILL INHERIT IT

(config)#int fa0/1

(config-if)#mpls ip <-TURN IT ON ON THE INTERFACE

You will get this message: *Dec 17 18:11:50.430: %LDP-5-NBRCHG: LDP Neighbor 11.1.1.1:0 (1) is UP

As the ALTERNATIVE you can use the Auto configuration, so under the ROUTING PROTOCOL (OSPF in this example):

(config)#router ospf 1

(config-router)#mpls ldp autoconfig area 0

*if you need to specifically disable the LDP autoconfig on some interface, do it under that interface:

(config-if)#no mpls ldp igp autoconfig

As in most other protocols, an LDP Router-ID needs to be assigned. The "mpls ldp router-id" command allows you to establish the IP address of an interface as the LDP router ID (L-ID), in this example the Loopback 0 IP. Be sure that all the routers have reachability to each other's L-ID:

(config)#mpls ldp router-id lo0 [force]

When you issue the mpls ldp router-id command without the force keyword, the router selects the IP address of the specified interface (provided that the interface is operational) the next time it is necessary to select an LDP router ID, which is typically the next time the interface is shut down or the address is configured.

IMPORTANT: the VPNv4 Peering address MUST be a /32, so make sure you're learning the Lo0 with the /32 mask, so set it:

(config-if)#ip address 150.1.5.5 255.255.255.255

If, however, you wish to force the Router-ID to be the PHYSICAL INTERFACE of the router:

(config-if)#mpls ldp discovery transport-address interface

#sh mpls interfaces

Interface IP Tunnel BGP Static Operational

FastEthernet0/1 Yes (ldp) No No No Yes

Serial0/1/0.34 Yes (ldp) No No No Yes

Serial0/1/0.35 Yes (ldp) No No No Yes

#sh mpls ldp neighbor | i Peer

Peer LDP Ident: 4.4.4.4:0; Local LDP Ident 3.3.3.3:0

Peer LDP Ident: 2.2.2.2:0; Local LDP Ident 3.3.3.3:0

Peer LDP Ident: 5.5.5.5:0; Local LDP Ident 3.3.3.3:0

When you want to see other LDP PARAMETERS (can be useful if you're looking to see what can be optimized):

#sh mpls ldp param

Protocol version: 1

Session hold time: 90 sec; keep alive interval: 30 sec

Discovery hello: holdtime: 45 sec; interval: 15 sec

Discovery targeted hello: holdtime: 90 sec; interval: 10 sec

Downstream on Demand max hop count: 255

Downstream on Demand Path Vector Limit: 255

LDP for targeted sessions

LDP initial/maximum backoff: 15/120 sec

LDP loop detection: off


DISCOVERY process in MPLS: There are 2 Types of Discovery:

1. BASIC Discovery - for the DIRECTLY CONNECTED LDP LSRs, the Hellos are sent out of ALL interfaces on which LDP is enabled

2. EXTENDED Discovery - for the NON DIRECTLY CONNECTED LDP LSRs. LSR sends TARGETED Hellos to a SPECIFIC IP.

Authentication between two MPLS neighbors can be configured PER-NEIGHBOR, or GLOBALLY.

(config)#mpls ldp neighbor 11.1.1.1 password cisco

To FILTER for which IPs exactly you´re generating the labels, define the ACL and apply in the global config mode:

(config)#access-list 41 permit 150.1.0.0 0.0.255.255

(config)#no mpls ldp advertise-labels <-FIRST DISABLE FOR ALL

(config)#mpls ldp advertise-labels for 41 ?

to Access-list specifying controls on LDP peers <-OPTIONAL, TO CONTROL WHERE YOU´RE SENDING WHICH LABELS

<cr>

____________________________________________________________________________________________________________________

MPLS LFIB and Labels (Label Spacing) ____________________________________________________________________________________________________________________

Maybe the MOST important thing in the LDP, and the overall MPLS LABEL CONTROL is understanding all the TABLES, and how they are formed.

FIB (FORWARDING Information Base) - CEF table, gets built based on the RIB (Routing Information Base)

#show ip cef

LIB - LABEL INFORMATION BASE

#sh mpls ldp bindings 177.7.7.0 24

lib entry: 177.7.7.0/24, rev 35

local binding: label: 113

remote binding: lsr: 2.2.2.2:0, label: 213

LFIB - LABEL FORWARDING INFORMATION BASE

#show mpls forwarding-table

IN THE CCIE LAB, FIRST CHECK IF THE LABEL RANGE IS CHANGED BECAUSE ROUTERS NEED TO BE RELOADED!!! The LABEL SPACE is Platform-

Dependent, and the LABEL planning is done in the DESIGN phase of the Project. You can SET the RANGE of labels you want to be used on that

router:

(config)#mpls label range 100 199

% Label range changes will take effect at the next reload.

#sh mpls label range

Downstream Generic label region: Min/Max label: 17/199

[Configured range for next reload: Min/Max label: 100/199]

#sh mpls ldp bin local

tib entry: 1.1.1.0/24, rev 14

local binding: tag: 103

tib entry: 2.2.2.0/24, rev 16

local binding: tag: 104

tib entry: 3.3.3.0/24, rev 18

local binding: tag: 105

...


LFIB is the MOST IMPORTANT table in the MPLS Architecture. You can literally follow exactly what's happening on the router regarding the

MPLS Labels and the IPs:

#sh mpls forwarding-table

Local Outgoing Prefix Bytes Label Outgoing Next Hop

Label Label or VC or Tunnel Id Switched interface

17 Untagged 7.7.7.0/24 0 Se0/1/0.35 point2point

18 18 6.6.6.6/32 0 Se0/1/0.35 point2point

27 28 1.1.1.0/24 0 Fa0/1 10.1.23.2

28 Pop Label 2.2.2.0/24 0 Fa0/1 10.1.23.2

29 Pop Label 4.4.4.0/24 0 Se0/1/0.34 point2point

30 Pop Label 5.5.5.0/24 0 Se0/1/0.35 point2point

32 Pop Label 10.1.12.0/24 0 Fa0/1 10.1.23.2

33 Pop Label 10.1.45.0/24 0 Se0/1/0.34 point2point

Pop Label 10.1.45.0/24 0 Se0/1/0.35 point2point

34 Pop Label 10.1.56.0/24 0 Se0/1/0.35 point2point

35 34 10.1.67.0/24 0 Se0/1/0.35 point2point

36 38 11.1.1.0/24 0 Fa0/1 10.1.23.2

37 Pop Label 55.5.5.0/24 0 Se0/1/0.35 point2point

"Untagged" as Outgoing Label - Remove ALL the labels and forward as IP traffic

"Pop Label" as Outgoing Label - Remove the TOP label, and forward the packet to the defined interface

NOTHING in the Local Label column - The entry refers to the Local Label above it; this means that Load Balancing is occurring between the listed Outgoing Labels/interfaces

Numerical Value - SWAP the Local with the Outgoing Label

IMPORTANT: FIB (ip cef) and LFIB information MUST be IN ACCORDANCE!!!
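A parser that turns "show mpls forwarding-table" rows into the actions listed above (Untagged, Pop Label, numeric swap, and a blank Local Label meaning load balancing), plus a helper that describes what happens to a labelled packet. This is an added Python example, not code from the original guide; the sample output is constructed after the table in the text, with column spacing approximating what IOS prints:

```python
# Added example (not from the original guide): a parser for "show mpls
# forwarding-table" output that turns each row into the forwarding action the
# guide lists (Untagged, Pop Label, numeric swap, continuation rows with an empty
# Local Label meaning load balancing). The sample output below is constructed
# after the table in the text; column spacing approximates IOS output.
import re
from typing import Dict, List, NamedTuple

class LfibEntry(NamedTuple):
    action: str            # "untag", "pop" or "swap"
    out_label: int         # only meaningful for "swap"
    prefix: str
    interface: str
    next_hop: str

# optional Local Label, then Outgoing Label, prefix, bytes switched, interface, next hop
ROW = re.compile(
    r"^\s*(?:(\d+)\s+)?(Untagged|Pop Label|\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s*$"
)

def parse_lfib(text: str) -> Dict[int, List[LfibEntry]]:
    """Group rows by Local Label; a row without one belongs to the label above."""
    table: Dict[int, List[LfibEntry]] = {}
    current = None
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue                              # header lines and blanks
        local, outgoing, prefix, _bytes, iface, nhop = m.groups()
        if local is not None:
            current = int(local)
        if current is None:
            raise ValueError(f"continuation row before any local label: {line!r}")
        if outgoing == "Untagged":
            entry = LfibEntry("untag", -1, prefix, iface, nhop)
        elif outgoing == "Pop Label":
            entry = LfibEntry("pop", -1, prefix, iface, nhop)
        else:
            entry = LfibEntry("swap", int(outgoing), prefix, iface, nhop)
        table.setdefault(current, []).append(entry)
    return table

def forward(table: Dict[int, List[LfibEntry]], labels: List[int]) -> str:
    """Describe what happens to a packet whose label stack is `labels` (top first)."""
    entries = table.get(labels[0])
    if not entries:
        return "drop: no LFIB entry"
    e = entries[0]                                # first path of a load-balanced set
    if e.action == "untag":
        return f"forward as IP via {e.interface}"
    if e.action == "pop":
        return f"pop -> stack {labels[1:]} via {e.interface}"
    return f"swap {labels[0]}->{e.out_label}, stack {[e.out_label] + labels[1:]} via {e.interface}"

# Constructed sample modelled on the table in the text
SAMPLE = """\
Local  Outgoing    Prefix            Bytes Label  Outgoing   Next Hop
Label  Label       or Tunnel Id      Switched     interface
17     Untagged    7.7.7.0/24        0            Se0/1/0.35 point2point
27     28          1.1.1.0/24        0            Fa0/1      10.1.23.2
28     Pop Label   2.2.2.0/24        0            Fa0/1      10.1.23.2
33     Pop Label   10.1.45.0/24      0            Se0/1/0.34 point2point
       Pop Label   10.1.45.0/24      0            Se0/1/0.35 point2point
35     34          10.1.67.0/24      0            Se0/1/0.35 point2point
"""
```

Parsing this output in a script is a handy way to cross-check the LFIB against "show ip cef" (the text's IMPORTANT note): every prefix the FIB forwards should have a consistent entry here.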

EXPLICIT NULL should be configured for all the DIRECTLY CONNECTED prefixes for which you want the previous router to replace the label with

"EXPLICIT NULL" label. Next router will perform the PHP (Penultimate Hop Popping) by default because Implicit Null is marked by default for all

the directly connected subnets.

(config)#mpls ldp explicit-null

LDP Conditional Label Advertising

If you want to advertise or stop advertising some prefixes, there is a special command for that. First you need to define the ACL where you

PERMIT the prefixes you WANT and DENY prefixes you DONT WANT to advertise (ACL_FROM). Then you need ANOTHER ACL where you will

define the peers these labels will be advertised to (ACL_TO)

(config)#mpls ldp advertise-labels for ACL_FROM to ACL_TO

If you need to HIDE the MPLS LABELS from the Customer, there is a command that STOPS the TTL propagation, and therefore hides the structure of the MPLS core (the LSRs):

(config)#no mpls ip propagate-ttl forwarded

(config)#no mpls ip propagate-ttl local

____________________________________________________________________________________________________________________

MPLS Session Protection ____________________________________________________________________________________________________________________

When a link between two LSRs goes down - the LDP session goes down, and when it comes back the LIB and LFIB need to be re-populated. This is why it might be a good idea to PROTECT THE SESSION. This feature provides faster Label Distribution Protocol convergence when a link recovers following an outage.

The configuration consists of building a REDUNDANT link that stays up, which is used to maintain the targeted LDP session UP until the primary link comes back up. To enable this use the Global Config command, which needs to be configured on ALL the routers, or configured on one router while configuring the ACCEPTANCE of TARGETED LDP HELLOs on the other router using "mpls ldp discovery targeted-hello accept":

(config)#mpls ldp session protection


____________________________________________________________________________________________________________________

MPLS VRFs, RD (Route Distinguisher) and RT (Route Target) ____________________________________________________________________________________________________________________

VRF stands for Virtual Routing and Forwarding. Simply put - it represents another routing process within the same router.

STEP 1: VRF. To configure a VRF instance on a router with a name VRF_1 do (This name is LOCALLY SIGNIFICANT):

(config)#ip vrf VRF_1

STEP 2: RD and RT

Within the VRF you need a Route Distinguisher (RD), used to make the customer prefix unique within the provider cloud, and one or more Route

Targets (RT) that you later IMPORT/EXPORT to define which VRFs (possibly on different PEs) share routes end to end:

(config-vrf)#rd 1:10 <-VRF IS NOT ACTIVE UNTIL RD IS DEFINED

(config-vrf)#route-target [import|export|both] 1:100

*RD does NOT indicate to which VRF the prefix belongs!!! Route-Target is used for that. The RD is only there so that two customers who both

use, for example, 10.0.0.0/24 produce two DIFFERENT VPNv4 prefixes in MP-BGP.

RD is a 64-bit value that is prepended to the customer's 32-bit IPv4 prefix, giving a UNIQUE 96-bit address called VPNv4 (RD:prefix).

THESE ADDRESSES ARE EXCHANGED ONLY BETWEEN PEs, NEVER BETWEEN CEs!!! The PE takes the update it receives from the CE and sticks the VRF's RD in

front of it, making the 96-bit VPNv4 address; the remote PE strips the RD again before the route is passed on to its CE.

The "route-target import|export" command defines the RT, which is a BGP Extended Community (type 0x0002 for AS:nn, 0x0102 for IP:nn) that

indicates which routes should be exported to / imported from MP-BGP into a VRF. That is why when you activate a neighbor under the VPNv4 AF, you

automatically get the following line under the BGP process (IF NOT, ADD IT MANUALLY - without it the RTs are stripped on the wire and the

remote PE imports nothing):

(config-router-af)#neighbor 3.3.3.3 send-community extended

"route-target export" - Specifies the RT(s) attached to every route exported from the local VRF into MP-BGP.

"route-target import" - RT(s) used as an IMPORT FILTER, so only VPNv4 routes carrying at least one matching RT are imported into the VRF.

STEP 3: VRF INTERFACES. If you check the configured VRF at this point (output below is from a VRF named CB with RD 1:20):

#sh ip vrf detail
VRF CB; default RD 1:20; default VPNID <not set>
  No interfaces <-NO INTERFACES!!!
  VRF Table ID = 212
  Export VPN route-target communities
    RT:1:100
  Import VPN route-target communities
    RT:1:100

VRFs follow more or less the same philosophy as VLANs - you need to assign interfaces to the VRF. NOTE that the existing IP address of the

interface is automatically REMOVED when you do so, so re-enter it afterwards:

(config-if)#ip vrf forwarding CA

% Interface Serial0/1/1 IP address 10.1.13.3 removed due to enabling VRF CA

(config-if)#ip add 10.1.13.3 255.255.255.0

*YOU WILL BE ABLE TO PING THE NEIGHBOR ON THIS INTERFACE ONLY FROM WITHIN THE VRF (a plain "ping" uses the global table and fails):

#ping vrf CA 10.1.13.1
Sending 5, 100-byte ICMP Echos to 10.1.13.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms

MP-BGP: When you create the RD and RT while BGP is already configured, notice that a new address family appears within the BGP process (this is

where the PE-CE routes of that VRF are redistributed or peered into MP-BGP):

address-family ipv4 vrf CB

*When the ROUTE-TARGET exported on one PE is not imported on the other - the VPNv4 route is still carried by MP-BGP, but it never ends up in the

remote VRF table. Compare "show bgp vpnv4 unicast all" (route present) with "show ip route vrf CB" (route missing) to spot an RT mismatch.


____________________________________________________________________________________________________________________

L2VPN - AToM (Any Transport over MPLS) ____________________________________________________________________________________________________________________

AToM encapsulates Layer 2 frames at the ingress PE and sends them to the corresponding PE at the other end of a PSEUDOWIRE (PW), which is a

point-to-point connection between the two PE routers. The egress PE removes the encapsulation and sends out the Layer 2 frame.

The combination of the peer router ID and the VC ID must be unique on the router - two circuits cannot use the same peer router ID + VC ID pair,

and the same VC ID must be configured on BOTH PEs. The encapsulation specifies the tunneling method used to carry the pseudowire; AToM uses MPLS:

(config-if)#xconnect <peer-router-id> <vcid> encapsulation mpls

EoMPLS (Ethernet over MPLS) is used to interconnect VLANs of remote CE routers across the MPLS cloud. It is configured on the PE interface

towards the CE: create a SUB-INTERFACE matching your VLAN, define the Dot1Q encapsulation on it, and put the xconnect on that sub-interface (no IP

address on it):

(config)#interface FastEthernet0/1.4
(config-subif)#encapsulation dot1Q 4
(config-subif)#no cdp enable
(config-subif)#xconnect 150.1.6.6 2 encapsulation mpls <- 150.1.6.6 is the REMOTE PE LOOPBACK (its LDP router-id), 2 is the VIRTUAL CIRCUIT IDENTIFIER (VC ID)
  remote circuit id 2

The PW is signalled over a TARGETED LDP session to 150.1.6.6, and the frames need an END-TO-END LSP to that loopback (a /32 with a label all the

way). If there is no MPLS ON THE ENTIRE PATH - you need to create a TUNNEL (e.g. MPLS over GRE) to traverse the NON-MPLS part.

#show mpls l2transport vc detail
Local interface: Fa0/1.4 up, line protocol up, Eth VLAN 4 up
  Destination address: 150.1.6.6, VC ID: 2, VC status: down
    Output interface: none, imposed label stack {}
    Preferred path: not configured
    Default path: no route
    No adjacency
  Create time: 00:04:55, last status change time: 00:04:48
  Signaling protocol: LDP, peer 150.1.6.6:0 up
    MPLS VC labels: local 32, remote 31
    Group ID: local 0, remote 0
    MTU: local 1500, remote 1500
    Remote interface description:
  Sequencing: receive disabled, send disabled
  VC statistics:
    packet totals: receive 0, send 0
    byte totals:   receive 0, send 0
    packet drops:  receive 0, seq error 0, send 0

*Reading this output: the targeted LDP session to the peer is UP and VC labels were exchanged (local 32, remote 31), yet "VC status: down",

"imposed label stack {}" and "Default path: no route" show there is NO transport LSP to 150.1.6.6 - the typical symptom of a non-MPLS hop on the

path (see the tunnel note above) or of the remote loopback not being a /32 with a label. Also check that the MTU matches on both ends, a

mismatch keeps the VC down as well.


IPv6


____________________________________________________________________________________________________________________

IPv6 TIPS ____________________________________________________________________________________________________________________

TIP: When doing IPv6 over Frame-Relay, ALWAYS configure, and MAP, the Link-Local address as well!!! Routing protocols (OSPFv3, EIGRPv6, RIPng)

use the link-local address as the next hop, so without that mapping the adjacency may come up but the learned routes are unusable.

TIP: To filter IPv6 traffic have in mind 3 things:

1. IPv6 ACLs are ALWAYS NAMED, there are no numbered ones (the parser simply does not offer a number):

(config)#ipv6 access-list ACL_IPV6

2. Apply the filter DIRECTLY ON THE INTERFACE using the IPv6 Traffic Filter (not "ip access-group"):

(config-if)#ipv6 traffic-filter ACL_IPV6 in

3. Every IPv6 ACL ends with an IMPLICIT "permit icmp any any nd-na", "permit icmp any any nd-ns" and only then "deny ipv6 any any". If you

type your own "deny ipv6 any any" at the end you override the implicit ND permits and Neighbor Discovery breaks on that interface - put explicit

ND permits before your deny.

____________________________________________________________________________________________________________________

IPv6 Basics ____________________________________________________________________________________________________________________

Loopback: ::1/128

Unspecified: :: (used as source while a node has no address yet, e.g. during DAD)

Multicast: FF00::/8

Link Local: FE80::/10 - used for stateless auto-configuration, Neighbor Discovery, Router Discovery. Never routed off the link, so every

interface has one and the same FE80 address may legitimately appear on several links.

FC00::/7 Unique Local, Unicast (equivalent to the IPv4 private addresses), not routable via global BGP; in practice you use the FD00::/8 half.

EUI-64 - always use /64 prefixes for all the INTERFACES (the 48-bit MAC is converted into a 64-bit modified EUI-64 interface ID to get the host portion)

The router can build the HOST portion of the address AUTOMATICALLY from the MAC of the interface (for interfaces without a MAC, such as

loopbacks and serials, it uses the base MAC of the box):

(config-if)#ipv6 address 2:2:2:2::/64 eui-64

When you need to do this MANUALLY, find the MAC address of the interface, for example Fa0/0:

#sh int fa0/0 | i bia
Hardware is Gt96k FE, address is 001e.be5d.27f0 (bia 001e.be5d.27f0)

So the MAC is 001e.be5d.27f0. Split it in half, insert "FFFE" in the middle, and FLIP the U/L bit (the 0x02 bit of the first byte, so 00 becomes

02): the HOST PORTION is 021e:beff:fe5d:27f0, and the full address 2:2:2:2:21e:beff:fe5d:27f0.

ARP has been replaced with ICMPv6 Neighbor Discovery (ND). Inverse ARP is not available for IPv6 over Frame Relay, so on NBMA networks you need

to provide a static L2-L3 (DLCI to IPv6) mapping, for the global AND the link-local address.

TIP: before enabling IPv6 on a router and configuring the interfaces make sure there is IPv4 connectivity first.

IPv6 FORWARDING (and router behaviour such as sending Router Advertisements) is not enabled by default, so first enable it globally on the

Router/Switch; without it the box only behaves as an IPv6 host:

(config)#ipv6 unicast-routing

On a ROUTER enable IPv6 on an interface:

(config-if)#ipv6 enable

A LINK-LOCAL address is generated from the interface's MAC address (modified EUI-64) as soon as you do "ipv6 enable" or assign any IPv6 address

to the interface.

Assign the UNICAST IPv6 address:

(config-if)#no switchport <--- DON'T FORGET on 3560 OR 3750; these switches also need "sdm prefer dual-ipv4-and-ipv6 default" plus a reload before they run IPv6 at all

(config-if)#ipv6 address 12:1:1::3/64


#show ipv6 interface lo0
Loopback0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::21E:BEFF:FE5D:27F0
  Global unicast address(es):
    2:2:2:2:21E:BEFF:FE5D:27F0, subnet is 2:2:2:2::/64 [EUI]

Assign a LINK-LOCAL IPv6 Address, if you want to configure it STATICALLY:

(config-if)#ipv6 address FE80::1 link-local

*Be sure it starts with FE80, or you will get a message "% Invalid link-local address"

By default IPv6 has Neighbor Discovery as a L2-L3 mapping mechanism, instead of ARP. To debug it do:

#debug ipv6 nd

When you configure "ipv6 enable" on the interface, the Link Local address is assigned:

*Nov 21 08:21:02.068: ICMPv6-ND: Sending NS for FE80::21E:BEFF:FE5D:27F0 on FastEthernet0/0
!!!NS - Neighbor Solicitation, asking whether anyone already owns the address
*Nov 21 08:21:03.068: ICMPv6-ND: DAD: FE80::21E:BEFF:FE5D:27F0 is unique.
!!!DAD - Duplicate Address Detection confirms the address is UNIQUE, so it is assigned
*Nov 21 08:21:03.068: ICMPv6-ND: Sending NA for FE80::21E:BEFF:FE5D:27F0 on FastEthernet0/0
!!!NA - Neighbor Advertisement announcing the router's Link Local address
*Nov 21 08:21:03.068: ICMPv6-ND: Address FE80::21E:BEFF:FE5D:27F0/10 is up on FastEthernet0/0
!!!Address comes UP because nobody complained during DAD

Check if the interface got the correct IPv6 Address:

#sh ipv6 int br
FastEthernet0/0            [up/up]
    FE80::21E:BEFF:FE5D:27F0
FastEthernet0/1            [administratively down/down]
Serial0/1/0                [up/down]
Serial0/1/1                [administratively down/down]
Serial0/2/0                [administratively down/down]

When you SHUT the local interface, the Link Local address is deleted:

*Nov 21 08:19:12.972: ICMPv6-ND: Sending Final RA on FastEthernet0/0

*Nov 21 08:19:12.984: ICMPv6-ND: STALE -> DELETE: FE80::213:60FF:FE85:AEEA

And we are finally reaching my favorite change in the IPv6, the NEIGHBOR DISCOVERY and DISPLAY:

#show ipv6 neighbors
IPv6 Address                              Age Link-layer Addr State Interface
12:1:1:12::1                                0 0013.6085.aeea  STALE Fa0/0 <- UNICAST
FE80::1                                     0 0013.6085.aeea  STALE Fa0/0 <- LINK-LOCAL (same neighbor, same MAC)
123::21E:BEFF:FE5D:27F0                   166 001e.be5d.27f0  STALE Fa0/0
FE80::3                                     0 0013.6085.e3c6  REACH Fa0/0

You can configure the IPv6 Neighbor statically, using the Global Configuration command:

(config)#ipv6 neighbor 123::21E:BEFF:FE5D:27F0 Fa0/0 001e.be5d.27f0

A neighbor entry can be in one of the following states (the RFC 4861 ones): INCMP (incomplete, NS sent but no NA received yet), REACH

(reachability confirmed), STALE (no recent confirmation, the entry is still used but gets re-verified before it is trusted again), DELAY (short

wait for an upper-layer confirmation before probing) and PROBE (unicast NS being sent to re-confirm). The ones you normally see in the table are

REACH and STALE.

You can tune the TIMER for the REACH -> STALE transition. To check the current value do:


#sh ipv6 int fa0/0 | i time
ND reachable time is 30000 milliseconds <- a neighbor is considered REACHable for 30 s after the last confirmation, then goes STALE
ND advertised reachable time is 0 milliseconds <- value sent to hosts in RAs; 0 means "unspecified", hosts keep their own default

If you want to CHANGE this value (the time it takes for a neighbor to go from REACH to STALE), in milliseconds:

(config-if)#ipv6 nd reachable-time 50000

There is also AUTOMATIC IPv6 address assignment, called STATELESS AUTOCONFIG (SLAAC). There is no server involved: the ROUTER on the link (it

must have "ipv6 unicast-routing", otherwise it does not send Router Advertisements) advertises the /64 prefix in its RAs, and the client builds

its own address from that prefix plus its EUI-64 interface ID. Even if that router goes down the addresses remain valid until the advertised

prefix lifetime expires, by default 30 days (valid lifetime 2592000 s, preferred 604800 s), as long as the client interface stays up. To activate

it on a client interface:

(config-if)#ipv6 address autoconfig

____________________________________________________________________________________________________________________

Convert MAC to Link Local IPv6 Address ____________________________________________________________________________________________________________________

Check how the Link Local address has been generated using the interface MAC address:

#sh int fa0/0 | i Hard
Hardware is Gt96k FE, address is 001e.be5d.27f0 (bia 001e.be5d.27f0)

IPv6: FE80::21E:BEFF:FE5D:27F0

FE80:: - prefix for Link Local IPv6 Addresses, the modified EUI-64 interface ID fills the low 64 bits

The MAC is 48 bits and the interface ID needs 64, so the MAC is split into two 24-bit halves and "FFFE" is inserted in the middle:

001E:BE | FF:FE | 5D:27F0

Then the U/L (universal/local) bit, the 0x02 bit of the first byte, is FLIPPED: 00 becomes 02. This is a bit FLIP, not a fixed replacement - a

MAC starting with 02 would become 00. That is why the address starts with 21E:BE (leading zero of 021E suppressed) and not with 1E:BE.

The rest of the MAC follows unchanged.

So - (first byte XOR 0x02) + next 2 bytes of the MAC + FFFE + last 3 bytes of the MAC

Now check the complete IPv6 configuration of the interface:

#sh ipv6 int fa0/0
FastEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::21E:BEFF:FE5D:27F0
  No global unicast address is configured
  Joined group address(es):
    FF02::1 <- ALL-NODES on the link. The flags nibble after FF is 0, meaning a PERMANENT (well-known) group; 1 would mean a transient group. The next nibble, 2, is the scope (link-local)
    FF02::2 <- ALL-ROUTERS on the link (joined because ipv6 unicast-routing is enabled)
    FF02::1:FF5D:27F0 <- Solicited-Node Multicast address: FF02::1:FF + the low 24 bits of the unicast address; NS and DAD for that address are sent here instead of to every node
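Added example (Python, written for these notes; not code from the page's author or from Cisco) covering both the manual EUI-64 conversion in "IPv6 Basics" above and this section: it derives the modified EUI-64 interface ID, the link-local address and the solicited-node multicast group from a MAC, and does the U/L bit as a real flip so a locally administered MAC (02:...) comes out right too. The MAC 001e.be5d.27f0 and prefix 2:2:2:2::/64 are the lab values from the notes.

```python
"""MAC -> modified EUI-64 -> link-local / global address -> solicited-node group (added example)."""
from ipaddress import IPv6Address, IPv6Network


def mac_to_eui64(mac: str) -> bytes:
    """Modified EUI-64: split the 48-bit MAC, insert FF:FE, flip the U/L bit (0x02 of byte 0)."""
    raw = bytes.fromhex(mac.replace(".", "").replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    eui = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])
    eui[0] ^= 0x02          # 00 -> 02, but also 02 -> 00: it is a flip, not a replacement
    return bytes(eui)


def eui64_address(prefix: str, mac: str) -> IPv6Address:
    """Equivalent of 'ipv6 address <prefix>/64 eui-64': the /64 prefix plus the modified EUI-64."""
    net = IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    return IPv6Address(net.network_address.packed[:8] + mac_to_eui64(mac))


def link_local(mac: str) -> IPv6Address:
    """What 'ipv6 enable' generates: FE80::/64 + modified EUI-64."""
    return eui64_address("fe80::/64", mac)


def solicited_node(addr: IPv6Address) -> IPv6Address:
    """FF02::1:FFxx:xxxx - the group a node joins for each of its unicast addresses, so that
    Neighbor Solicitations (and DAD) for that address reach it without bothering every node."""
    low24 = addr.packed[-3:]
    return IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + low24)


if __name__ == "__main__":
    mac = "001e.be5d.27f0"
    ll = link_local(mac)
    print("link-local      :", ll)                                  # fe80::21e:beff:fe5d:27f0
    print("global 2:2:2:2  :", eui64_address("2:2:2:2::/64", mac))  # 2:2:2:2:21e:beff:fe5d:27f0
    print("solicited-node  :", solicited_node(ll))                   # ff02::1:ff5d:27f0
    print("local-admin MAC :", link_local("02:00:00:00:00:01"))     # fe80::ff:fe00:1 (02 flipped to 00)
```

The three printed values match the "show ipv6 interface" output above (link-local, the [EUI] global address on Loopback0, and the joined solicited-node group), which is a quick way to confirm you did the hand conversion right.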


____________________________________________________________________________________________________________________

IPv6 Routing ____________________________________________________________________________________________________________________

STATIC ROUTING is similar to IPv4 static routing, but have in mind that you need to point to the IPv6 address of the IPv6 NEIGHBOR (the real next

hop). A Link Local address can also be used as the next hop, but then the exit interface is mandatory, because FE80:: addresses are not unique

across links.

In IPv6 REDISTRIBUTION the LOCAL CONNECTED routes of the interfaces running the source protocol are NOT included by default (unlike in IPv4),

even though they are part of the local advertisement. Add the "include-connected" keyword to the redistribute command if you need them.

Step 1: First check the neighbors IP displaying the IPv6 neighbors:

#sh ipv6 nei
IPv6 Address                              Age Link-layer Addr State Interface
12:1:1:12::1                                1 0013.6085.aeea  STALE Fa0/0
FE80::1                                     1 0013.6085.aeea  STALE Fa0/0

Step 2: And then add the route pointing to the appropriate address:

(config)#ipv6 route 1:1:1:1::/64 12:1:1:12::1

If you want to use the LINK LOCAL address, you also need to specify the INTERFACE:

(config)#ipv6 route 1:1:1:1::/64 fa0/0 FE80::1

If you need to add the DEFAULT ROUTE only, the prefix is ::/0 (all zeros, prefix length ZERO):

(config)#ipv6 route ::/0 fa0/0 FE80::2

*Be careful: "0::/64" (as in the output below) is NOT a default route. It only matches destinations inside the all-zero /64, the table shows it

as ::/64, and nothing else will ever use it.

Step 3: And check the Routing Table for Static Entries:

#sh ipv6 route static | b 64
S   1:1:1:1::/64 [1/0]
     via 12:1:1:12::1

Or, for the default route entry (this output was produced with the mistaken ::/64 prefix; a correct default route shows as "S ::/0"):

#sh ipv6 route | b S
S   ::/64 [1/0]
     via FE80::2, FastEthernet0/0

Step 4: OPTIONAL: Configure a HOST name for the hosts you ping frequently, because IPv6 addresses are a bit long to type. If you name the host

R2_lo1, you can later ping it using "ping R2_lo1":

(config)#ipv6 host R2_lo1 ?
  <0-65535>   Default telnet port number <- CAN BE USEFUL
  X:X:X:X::X  IPv6 address

(config)#ipv6 host R2_lo1 1:1:1:1:213:60FF:FE85:AEEA


____________________________________________________________________________________________________________________

OSPFv3 ____________________________________________________________________________________________________________________

Don’t forget to define the router-id, because if there are no IPv4 addresses on the router - it cannot pick one!

So - FIRST define the RID, and THEN configure OSPF, to avoid restarting the OSPF process later

In OSPFv3 over Frame-Relay DONT FORGET TO create frame relay mappings for the link-local (FE80::/10) addresses. This being said, you might

as well create manually the Link Local addresses to the FR interfaces:

(config-if)#ipv6 address FE80::2 link-local

LSA Changes: Even though most LSA functions stay the same, OSPFv3 renumbers them (the type is now 16 bits, the top 3 bits encode the flooding

scope: 0x2... area scope, 0x4... AS scope, 0x0... link scope) and adds two new ones, because the Router and Network LSAs no longer carry prefixes:

  OSPFv3                          OSPFv2
  0x2001 Router LSA               1 Router LSA
  0x2002 Network LSA              2 Network LSA
  0x2003 Inter-Area Prefix LSA    3 Network Summary LSA
  0x2004 Inter-Area Router LSA    4 ASBR Summary LSA
  0x4005 AS-External LSA          5 AS-External LSA
  0x2006 Group Membership LSA     6 Group Membership LSA
  0x2007 Type-7 (NSSA) LSA        7 NSSA External LSA
  0x0008 Link LSA                 (new: link-local address and prefixes of the link, link scope only)
  0x2009 Intra-Area Prefix LSA    (new: carries the prefixes that used to live inside types 1 and 2)

*If you want an area not to receive LSA 4 and LSA 5, configure it as STUB:

(config-rtr)#area 12 stub <- the ABR then ADDS A DEFAULT ROUTE into the area instead of all the external routes

Default Route added: OI ::/0 [110/2] via FE80::2, FastEthernet0/0 <- INSTEAD OF ALL EXTERNAL ROUTES

If you want the routers in the area to keep only their INTRA-AREA (O) routes plus the default, make it TOTALLY STUBBY on the ABR: "area 12 stub

no-summary" (this additionally blocks the LSA 3 inter-area prefixes).

If you want to block EXTERNAL routes coming from the rest of the domain but still REDISTRIBUTE into OSPF from inside the area, configure it as

NSSA: "area 12 nssa" (routes redistributed into the NSSA appear marked "ON2", i.e. type 7, and the NSSA ABR translates them into type 5 for the

rest of the domain). Unlike a stub area, an NSSA does NOT get a default route automatically; add "area 12 nssa default-information-originate" on

the ABR to inject one.

To change the METRIC/COST you can do two things. Either change the DEFAULT COST under OSPF process:

(config-rtr)#auto-cost reference-bandwidth 10000

Or use the "ipv6 ospf cost" command under EACH INTERFACE.


____________________________________________________________________________________________________________________

EIGRP IPv6 ____________________________________________________________________________________________________________________

The difference with OSPF is that even if you configure it on the interface:

(config-if)#ipv6 eigrp 100

it will not form an adjacency unless you DEFINE THE ROUTER-ID, and do a NO SHUT:

(config-rtr)#eigrp router-id 1.1.1.1

(config-rtr)#no shut <-ON SOME IOS VERSIONS NOT NEEDED, BUT DO IT JUST IN CASE...

*Dec 1 11:18:08.343: %DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor FE80::4 (Serial1/0.14) is up: new adjacency

BE SURE TO DEFINE THE METRIC WHEN REDISTRIBUTING INTO EIGRP (there is no default metric for non-EIGRP sources), or nothing gets redistributed!!!

In IPv6 you usually also want "include-connected" (see IPv6 Routing), otherwise the connected prefixes of the OSPF interfaces are left out:

(config-rtr)#redistribute ospf 1 metric 1 1 1 1 1 include-connected

To change the timers on the interface the command reads a bit BACKWARDS compared to the OSPFv3 one ("ipv6 hello-interval eigrp ..." with the

protocol name AFTER the timer keyword, just like "ip hello-interval eigrp" in IPv4):

(config-if)#ipv6 hello-interval eigrp 100 10 <-HELLO (seconds)

(config-if)#ipv6 hold-time eigrp 100 40 <-HOLD (the peer declares us dead after this; keep it ~3x the hello)

The command for checking the current timers is also unintuitive, because you need to add "detail" to the end:

#sh ipv6 eigrp interfaces detail | i Hello
  Hello-interval is 10, Hold-time is 40
  Hello-interval is 60, Hold-time is 180

BE CAREFULL WITH FRAME RELAY, because EIGRP has SPLIT HORIZON enabled by default on multipoint interfaces:

(config-subif)#no ipv6 split-horizon eigrp 100

Like in EIGRPv4, in EIGRPv6 the EIGRP packets may use UP TO 50% of the link's configured BW. To change that (to 25% in this example):

(config-subif)#ipv6 bandwidth-percent eigrp 100 25

Another similarity to EIGRPv4, you can use "summary-address" to inject the default route:

(config-if)#ipv6 summary-address eigrp 100 ::0/0

%DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor FE80::2 (Ethernet0/0) is resync: summary configured

%DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor FE80::3 (Ethernet0/0) is resync: summary configured

EIGRPv6 Authentication: Also similar to EIGRPv4

Step 1: Define the Key Chain

(config)#key chain MAT

(config-keychain)#key 1

(config-keychain-key)#key-string Cisqueros

Step 2: Apply the key chain to the interface:

(config-if)#ipv6 authentication key-chain eigrp 100 MAT

Step 3: Turn ON the authentication on the interface, in this example MD5:

(config-if)#ipv6 authentication mode eigrp 100 md5

Some ADDITIONAL features:

Drop incoming prefixes whose EIGRP HOP COUNT exceeds 50 (this is the hop-count field carried in the EIGRP metric, NOT the IP TTL; the default is 100):

(config-rtr)#metric maximum-hops 50

"Tune" the Active Time (time before declaring a router STUCK IN ACTIVE - SIA)

(config-rtr)#timers active-time ?

<1-65535> active state time limit in minutes

disabled disable time limit for active state


____________________________________________________________________________________________________________________

IPv6 Tunnels ____________________________________________________________________________________________________________________

When you configure them MANUALLY (this means that you define both, source and the destination of the tunnel) the Tunnel mode can be

IPv6IP or GRE, depends what you are asked to do:

(config)#interface tunnel 0

(config-if)#tunnel mode ipv6ip <- DEFAULT IS GRE

The difference between IPv6IP and GRE will be in the TUNNEL PROTOCOL, so in GRE:

#sh int tunnel 3 | i transport

Tunnel protocol/transport GRE/IP

While in IPv6IP:

#sh int tunnel 3 | i transport

Tunnel protocol/transport IPv6/IP

GRE is IP PROTOCOL 47, and IPv6IP is IP PROTOCOL 41 (which is also why any firewall between the two endpoints must permit that protocol number,

not just TCP/UDP ports). You can check this by PINGING one side from the other and debugging "ip packet detail" on the other side (the wrapped

"routed via RIB" lines below have been re-joined):

IPv6IP - PROTOCOL 41:

*Nov 29 18:23:52.126: IP: tableid=0, s=10.1.12.1 (Serial0/1/0.21), d=10.1.12.2 (Serial0/1/0.21), routed via RIB
*Nov 29 18:23:52.126: IP: s=10.1.12.1 (Serial0/1/0.21), d=10.1.12.2 (Serial0/1/0.21), len 136, rcvd 3, proto=41
*Nov 29 18:23:52.126: IP: s=10.1.12.2 (Tunnel0), d=10.1.12.1 (Serial0/1/0.21), len 96, sending, proto=41
*Nov 29 18:23:53.110: IP: tableid=0, s=10.1.12.1 (Serial0/1/0.21), d=10.1.12.2 (Serial0/1/0.21), routed via RIB
*Nov 29 18:23:53.110: IP: s=10.1.12.1 (Serial0/1/0.21), d=10.1.12.2 (Serial0/1/0.21), len 120, rcvd 3, proto=41

GRE - PROTOCOL 47 (note the extra GRE header: the same ping is 4 bytes longer, len 140 vs 136):

*Nov 29 18:25:30.506: IP: tableid=0, s=10.1.12.1 (Serial0/1/0.21), d=10.1.12.2 (Serial0/1/0.21), routed via RIB
*Nov 29 18:25:30.506: IP: s=10.1.12.1 (Serial0/1/0.21), d=10.1.12.2 (Serial0/1/0.21), len 140, rcvd 3, proto=47
*Nov 29 18:25:30.574: IP: s=10.1.12.2 (Tunnel0), d=10.1.12.1 (Serial0/1/0.21), len 140, sending, proto=47
*Nov 29 18:25:30.622: IP: tableid=0, s=10.1.12.1 (Serial0/1/0.21), d=10.1.12.2 (Serial0/1/0.21), routed via RIB
*Nov 29 18:25:30.622: IP: s=10.1.12.1 (Serial0/1/0.21), d=10.1.12.2 (Serial0/1/0.21), len 140, rcvd 3, proto=47

6to4 Tunnels: AUTOMATICALLY established (point-to-multipoint) tunnels that carry IPv6 over IPv4. They require SPECIAL ADDRESSING: the 6to4

prefix 2002::/16 followed by the IPv4 address of the tunnel source in HEX, which gives every 6to4 site the /48 2002:<IPv4>::/48. RFC 3056 expects

a GLOBALLY ROUTABLE IPv4 address here; the 10.x lab value below only works inside the lab. The destination is NOT configured: the remote tunnel

endpoint is read from bits 16-47 of the destination IPv6 address. So, we need these steps:

Step 1: Translate the IPv4 address of the tunnel source into hex. For example 10.1.1.1:

  10 .  1 .  1 .  1
  0A   01   01   01  -> 0A01:0101, written 2002:A01:101::/48

Step 2: Define the tunnel SOURCE only. IMPORTANT: the tunnel is AUTOMATIC, so DON'T CONFIGURE THE DESTINATION:

(config-if)#tunnel source 10.1.1.1

Then put a 6to4 address on the tunnel interface (the notes use a /128; a /64 taken out of the site's /48 also works):

(config-if)#ipv6 address 2002:A01:101::/128

Step 3: Configure the TUNNEL MODE as IPV6IP 6to4, and tell the router that all of 2002::/16 is reached through the tunnel (without this static

route the tunnel is never used):

(config-if)#tunnel mode ipv6ip 6to4

(config)#ipv6 route 2002::/16 Tunnel0


Step 4: Make sure that the Tunnel Interface comes UP/UP:

*Nov 29 19:10:13.709: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel7, changed state to up

*Caveat for ANY automatic tunnel (6to4, ISATAP): there is no authentication, and the tunnel interface will decapsulate protocol-41 packets from

ANY IPv4 source that can reach the tunnel source address. At minimum filter protocol 41 at the border so only the expected peers reach it, and

do not trust an inner IPv6 source whose embedded IPv4 address does not match the outer IPv4 source (the spoofing check from RFC 3964).

ISATAP Tunnel: an IETF transition mechanism (RFC 5214) that allows IPv6 hosts and routers to connect over an IPv4 network, treating the IPv4

network as one big NBMA link. The IPv6 tunnel interface must be configured with a modified EUI-64 address because the last 32 bits of the

interface identifier are the IPv4 tunnel source address. ISATAP has its own interface ID format:

NETWORK PORTION: any /64 IPv6 prefix

HOST PORTION (interface ID): starts with 0000:5EFE (0200:5EFE when the IPv4 address is globally unique), and the remaining 32 bits are the IPv4

address of the TUNNEL SOURCE in hex

Step 1: Define the tunnel SOURCE address:

(config-if)#tunnel source 10.44.44.44

Step 2: Sending of IPv6 Router Advertisements is disabled by default on tunnel interfaces. Re-enable it so that ISATAP clients can

auto-configure from the advertised prefix:

(config-if)#no ipv6 nd ra suppress

Step 3: ISATAP. The only difference from the standard IPv6IP configuration is that the IPv6 address must be eui-64 generated (on an ISATAP

tunnel this produces the 5EFE:<IPv4> interface ID, not the MAC-based one), and that the MODE needs to be set to ISATAP:

(config-if)#ipv6 address 46:1:46::/64 eui-64 <- with ISATAP mode, EUI-64 embeds the IPv4 tunnel source: 46:1:46::5EFE:A2C:2C2C for 10.44.44.44

(config-if)#tunnel mode ipv6ip isatap
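Added example (Python, written for these notes; not code from the page's author or from Cisco) for the 6to4 and ISATAP addressing above: it builds the 2002:<IPv4>::/48 prefix and the 5EFE:<IPv4> ISATAP interface ID the notes derive by hand, extracts the embedded IPv4 address back out of either kind of address, and uses that for the check a 6to4 border should do on an incoming protocol-41 packet: the IPv4 embedded in a 2002::/16 source must equal the outer IPv4 source. The addresses are the lab values from the notes (10.1.1.1 and 10.44.44.44); the outer/inner "packets" are constructed.

```python
"""6to4 / ISATAP address derivation and the embedded-IPv4 spoofing check (added example)."""
from ipaddress import IPv4Address, IPv6Address, IPv6Network

ISATAP_IIDS = (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")   # RFC 5214: 0000:5EFE / 0200:5EFE


def six_to_four_prefix(ipv4: str) -> IPv6Network:
    """2002:<IPv4>::/48 - the site prefix a 6to4 router gets for free from its IPv4 address."""
    v4 = IPv4Address(ipv4).packed
    return IPv6Network(IPv6Address(b"\x20\x02" + v4 + b"\x00" * 10).exploded + "/48")


def six_to_four_tunnel_address(ipv4: str) -> IPv6Address:
    """The /128 the notes put on the tunnel interface: 2002:A01:101:: for 10.1.1.1."""
    return six_to_four_prefix(ipv4).network_address


def isatap_address(prefix: str, ipv4_tunnel_source: str) -> IPv6Address:
    """Interface ID 0000:5EFE:<IPv4 of the tunnel source> appended to a /64, which is what
    'ipv6 address <prefix>/64 eui-64' yields on a 'tunnel mode ipv6ip isatap' interface."""
    net = IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a /64 prefix")
    return IPv6Address(net.network_address.packed[:8] + ISATAP_IIDS[0] + IPv4Address(ipv4_tunnel_source).packed)


def embedded_ipv4(addr: IPv6Address):
    """IPv4 address embedded in a 6to4 (bits 16-47) or ISATAP (last 32 bits) address, else None."""
    p = addr.packed
    if p[:2] == b"\x20\x02":
        return IPv4Address(p[2:6])
    if p[8:12] in ISATAP_IIDS:
        return IPv4Address(p[12:16])
    return None


def accept_6to4_packet(outer_ipv4_src: str, inner_ipv6_src: str) -> bool:
    """Decapsulation check for protocol-41 traffic arriving on a 6to4 interface: accept only if
    the inner source is a 6to4 address AND its embedded IPv4 equals the outer IPv4 source.
    Anything else is a spoofed or misdirected packet and is dropped."""
    inner = IPv6Address(inner_ipv6_src)
    if inner.packed[:2] != b"\x20\x02":
        return False
    return embedded_ipv4(inner) == IPv4Address(outer_ipv4_src)


if __name__ == "__main__":
    print("6to4 site prefix  :", six_to_four_prefix("10.1.1.1"))                  # 2002:a01:101::/48
    print("6to4 tunnel addr  :", six_to_four_tunnel_address("10.1.1.1"))          # 2002:a01:101::
    isatap = isatap_address("46:1:46::/64", "10.44.44.44")
    print("ISATAP address    :", isatap, "->", embedded_ipv4(isatap))              # ...::5efe:a2c:2c2c -> 10.44.44.44
    # constructed packets: (outer IPv4 source, inner IPv6 source)
    for outer, inner in [("10.1.1.1", "2002:a01:101::1"),      # genuine
                         ("192.0.2.5", "2002:a01:101::1"),     # spoofed inner source
                         ("10.1.1.1", "2001:db8::1")]:         # not a 6to4 source at all
        print(f"{outer:>10} / {inner:<18} accept={accept_6to4_packet(outer, inner)}")
```

The last loop shows the three cases a border filter has to separate: the genuine packet is accepted, the one whose outer IPv4 source does not match the embedded address is dropped, and a native (non-2002) inner source is dropped because a 6to4 relay has no business decapsulating it.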

____________________________________________________________________________________________________________________

IPv6 Multicast Routing ____________________________________________________________________________________________________________________

To start implementing multicast in the campus network, you must first define who receives the multicast. The MLD protocol (Multicast Listener

Discovery, the IPv6 counterpart of IGMP: MLDv1 behaves like IGMPv2, MLDv2 like IGMPv3) is used by IPv6 routers to discover the presence of

multicast listeners on their attached links. MLD messages are ICMPv6 messages, sent from a link-local source with hop limit 1, so they never

leave the link.

Multicast QUERIER is a ROUTER that sends queries to discover the group members (with several routers on a link, the one with the lowest IPv6

address becomes the querier).

Multicast HOST is the RECEIVER (including routers) that sends REPORTS to inform the querier.

IPv6 RP and BSR (Boot-Strap Router)

BSR protocol for PIM-SM provides a mechanism to distribute group-to-RP mapping information throughout a domain.If the RP is unreachable -

BSR will detect it and modify the mapping tables. A few routers are configured as candidate bootstrap routers (C-BSRs) and a single BSR is

selected for that domain.

To set a router to be a BSR candidate - enable IPv6 Multicast globally, make sure IPv6 is also enabled, and use one of its local IPv6 addresses.

Assign the router BSR priority:

(config)#ipv6 pim bsr candidate bsr 2001:CC1E:1:404:21A:E2FF:FEAB:FF29 priority 100

Configure a Router that will be Sending PIM RP Advertisements to the BSR:

(config)#ipv6 pim bsr candidate rp 2001:CC1E:1:505:21B:2AFF:FE0C:E0C0

#sh ipv6 pim bsr rp-cache
PIMv2 BSR C-RP Cache
BSR Candidate RP Cache
Group(s) FF00::/8, RP count 1
  RP 2001:CC1E:1:505:21B:2AFF:FE0C:E0C0 SM
    Priority 192, Holdtime 150
    Uptime: 00:02:46, expires: 00:01:43

The big challenge in any Multicast configuration is the verification. This can be done by debugging the ICMPv6 packets that carry the MLD

messages (or, more specifically, "debug ipv6 mld"), and then pinging the MULTICAST GROUP address from the other side - a router that has joined

the group, e.g. with "ipv6 mld join-group" on an interface, answers the ping:

#debug ipv6 icmp